Objectives
Operating systems
Types of applications
Application models and technologies
Application threats and countermeasures
Security in the software development life cycle
Application security controls
Databases and data warehouses
Operating Systems
Operating system components
Kernel
Process management
Memory management
Device drivers
Tools
Operating Systems
Operating system security functions
Authentication
Resource access
Access control
Communication
Event logging
OS Hardening Techniques
Types of applications
Agents
Standalone programs that are part of a larger
application
Examples:
Anti-malware
Patch management
Configuration management
Client-server
Separate programs on clients and servers
communicate via networks and work together
Fewer are developed now, but many remain in use
Web
Web browser as client, application server back-end
Application Security
Along with securing the operating system software on
hosts and in static environments, there is an equal need to
protect the applications that run on those devices
Application security:
Application development security
Application hardening and patch management
Exceptions
Errors (exceptions) - Faults that occur while an
application is running
The response should depend on which error occurred
Improper handling can lead to application failure or
insecurity
Fuzz testing (fuzzing) - Software testing technique
that deliberately provides invalid, unexpected, or
random data as input to a program to find such faults
Error Handling
Error handling practices to avoid:
Failing to check return codes or handle exceptions or
improperly checking them
Handling all return codes or exceptions in the same
manner
Divulging potentially sensitive data in error information
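The fuzz-testing and error-handling points above, as an added Python example (not code from the original slides): a small "key=int;key=int" record parser that makes two of the mistakes listed (uncaught exceptions, error messages that echo the input), a hardened version that classifies each failure and reports it generically, and a seeded fuzzer that feeds both random input. The record format, the RecordError class and the fuzzer's alphabet are constructed for illustration.

```python
import random
import string


def parse_record_naive(text):
    """Deliberately careless parser of 'key=int;key=int' records.

    Two of the mistakes listed above: exceptions are never caught, and the
    ValueError raised by int() embeds the raw (possibly sensitive) input in
    its message, e.g. "invalid literal for int() with base 10: 'ssn=123-45-6789'".
    """
    fields = {}
    for part in text.split(";"):
        key, value = part.split("=")   # ValueError if there is no '=' or more than one
        fields[key] = int(value)       # ValueError if the value is not an integer
    return fields


class RecordError(Exception):
    """Malformed input; the message is generic and safe to return to a client."""


def parse_record_hardened(text, max_len=1024):
    """Same format, but every failure is classified and reported without echoing input."""
    if len(text) > max_len:
        raise RecordError("record too long")
    fields = {}
    for part in text.split(";"):
        key, sep, value = part.partition("=")
        if not sep or not key:
            raise RecordError("field is not key=value")
        try:
            fields[key] = int(value)
        except ValueError:
            # Handle this case on its own (not the same way as 'too long' or
            # 'no separator'), and do not copy the bad value into the message.
            raise RecordError("value is not an integer") from None
    return fields


def fuzz(target, iterations=2000, seed=1, max_len=12):
    """Feed random strings to target; report exception types it did not handle.

    RecordError is the documented failure path, so it is not a finding.
    Returns {exception class name: first input that triggered it}.
    """
    rng = random.Random(seed)                     # seeded so a run is reproducible
    alphabet = string.ascii_letters + string.digits + "=;-+. "
    findings = {}
    for _ in range(iterations):
        sample = "".join(rng.choice(alphabet) for _ in range(rng.randint(0, max_len)))
        try:
            target(sample)
        except RecordError:
            continue
        except Exception as exc:                  # any other exception is a crash
            findings.setdefault(type(exc).__name__, sample)
    return findings


if __name__ == "__main__":
    print("naive   :", fuzz(parse_record_naive))
    print("hardened:", fuzz(parse_record_hardened))
```

The naive parser falls over on the very first malformed sample (an empty string is enough); the hardened one survives the whole run because every failure is routed through RecordError.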
Application Attacks
Application hardening is intended to prevent the
exploitation of vulnerabilities
Securing Data
Work today involves electronic collaboration, so data
must flow freely but securely
Data loss prevention (DLP) - System of security tools
used to recognize and identify critical data and
ensure it is protected
Goal is to protect data in each of its states:
Data in-use - Data being acted on by endpoint devices
Data in-transit - Data being transmitted across a
network
Data at-rest - Data stored on a device or storage system
DLP Techniques
Content inspection - Security analysis of the content of a
transaction that also takes its context into account
DLP systems also can use index matching:
Documents identified as needing protection, such as
the program source code for a new software
application, are analyzed by the DLP system
A fingerprint (index) is computed from that analysis and
later transactions are compared against it
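Both DLP techniques above, as an added Python example (not code from the original slides). Content inspection is shown as a card-number pattern match that uses the Luhn checksum as its context check, so random digit runs are not flagged; index matching is shown as word-shingle fingerprinting of a protected source file, with outbound messages scored by how many of their shingles appear in the index. The regex, the shingle size, the 0.3 threshold and all sample documents are constructed assumptions.

```python
import hashlib
import re

# --- Content inspection: pattern match plus a context check (Luhn) ----------------
# Constructed pattern: 13-16 digits optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")


def luhn_ok(digits):
    """Luhn checksum; filters out digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def inspect_content(text):
    """Return candidate card numbers in text that also pass the Luhn check."""
    hits = []
    for match in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            hits.append(digits)
    return hits


# --- Index matching: fingerprint protected documents, then look for excerpts --------
def shingles(text, k=5):
    """Hashes of every k-word window; a document is indexed by this set."""
    words = re.findall(r"\w+", text.lower())
    return {hashlib.sha256(" ".join(words[i:i + k]).encode()).hexdigest()[:16]
            for i in range(len(words) - k + 1)}


def build_index(protected_docs, k=5):
    """protected_docs: {name: body}. Returns {shingle hash: set of document names}."""
    index = {}
    for name, body in protected_docs.items():
        for h in shingles(body, k):
            index.setdefault(h, set()).add(name)
    return index


def index_match(text, index, k=5, threshold=0.3):
    """Fraction of the message's shingles found in each protected document,
    reported only when it reaches threshold."""
    sh = shingles(text, k)
    if not sh:
        return {}
    counts = {}
    for h in sh:
        for name in index.get(h, ()):
            counts[name] = counts.get(name, 0) + 1
    return {name: c / len(sh) for name, c in counts.items() if c / len(sh) >= threshold}


# Constructed sample data: a "protected" source file and two outbound messages.
PROTECTED = {"keysched.py": "def rotate_key(state, round_key): "
                            "return bytes(a ^ b for a, b in zip(state, round_key)) "
                            "# proprietary schedule"}
LEAKING_MSG = "fyi the core is just: return bytes(a ^ b for a, b in zip(state, round_key))"
BENIGN_MSG = "Lunch at noon tomorrow in the main cafeteria, please confirm"

if __name__ == "__main__":
    index = build_index(PROTECTED)
    print(inspect_content("Card 4111 1111 1111 1111, exp 12/27"))
    print(index_match(LEAKING_MSG, index), index_match(BENIGN_MSG, index))
```

Shingling matches excerpts, not just whole files, which is why a pasted function body scores well above the threshold while unrelated mail scores nothing; a deployment would hash with a keyed function and tune k and the threshold against its own false-positive rate.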
DLP Sensors
DLP sensors:
DLP network sensors - Installed on perimeter of
network to protect data in-transit by monitoring all
network traffic
DLP storage sensors - Sensors on network storage
devices are designed to protect data at-rest
DLP agent sensors - Sensors are installed on each
host device (desktop, laptop, tablet, etc.) and protect
data in-use
Input Validation
Verify every user response before the application acts on it:
Unchecked input could cause the program to abort
Necessary to check for XSS, SQL, or XML injection
attacks
Authorization
Limiting access only to approved functions and data
Audit logging
Logging of all actions in the application
Structured languages
Object oriented languages
Knowledge based languages
Structured languages
Nested, heavy use of subroutines and functions
Little or no use of goto
Examples:
C
Pascal
Object oriented languages
Examples:
C++, C#, Java, Ruby, Simula, Smalltalk
Expert systems
Inference engine and knowledge base of past
situations and outcomes
Privilege escalation
Trick a system into providing a higher level of
privileges, which provides access to more information
and functions
Denial of service
Incapacitate a system
Threats to software
Buffer overflow
Covert channel
Side channel attack
Malicious software
Input attacks
Object reuse
Mobile code
Social engineering
Back door
Logic bomb
Countermeasures
Careful software analysis, good software engineering
Countermeasures
Limit release of information through shielding and other
means
Mutating Malware
Attackers can mask the presence of their malware by
having it mutate or change
Three types of mutating malware are:
Oligomorphic malware - Changes its internal code to
one of a set number of predefined mutations whenever
executed
Polymorphic malware - Completely changes from its
original form whenever it is executed
Metamorphic malware - Can actually rewrite its own
code and thus appears different each time it is
executed
Virus Types
Computer virus - Malicious computer code that
reproduces itself on the same computer
Program virus - Virus that infects an executable
program file
Armored Virus
Different virus infection methods
One common type is the appender infection:
Virus appends itself to the end of a file
Replaces the beginning of the file with a jump instruction
pointing to the virus code
Armored virus - Virus that goes to great lengths to avoid
detection
Swiss cheese infection - Encrypts the virus code, divides the
decryption engine into pieces, and injects those pieces
throughout the infected program code
Split Infection
Split infection - Virus splits the malicious code itself
into several parts:
There is also one main body of code
All parts are placed at random positions throughout the
program code
Virus Actions
When the infected program is launched, the virus activates its
malicious payload
Virus Carriers
Virus cannot automatically spread to another
computer
Relies on user action to spread
Viruses are attached to files
Viruses are spread by transferring infected files
Virus must have two carriers:
File to which it attaches
Human to transport it to other computers
Worm
Worm - Malicious program that uses a computer
network to replicate
Sometimes called network viruses
Worm designed to enter computer through network
and then take advantage of vulnerability in
application or operating system on host computer
Once worm exploits vulnerability on one system it
immediately searches for another computer on the
network that has same vulnerability
Trojan
Trojan - Program that does something other than
advertised
Example:
User downloads free calendar program
Rootkit
Rootkit - Software tools used by an attacker to hide
actions or presence of other types of malicious
software
Will hide or remove traces of log-in records, log
entries
May alter or replace operating system files with
modified versions specifically designed to ignore
malicious activity
Can be difficult to detect a rootkit or clean it from an
infected system
Spyware
Spyware - Software that gathers information without
user consent
Spyware is tracking software that is deployed without:
Adequate notice
Consent
Control by the user
Keylogger
Keylogger - Program that captures a user's keystrokes
Adware
Adware - Program that delivers advertising content in
manner unexpected and unwanted by the user
Downsides of adware for users:
May display objectionable content
Ransomware
Ransomware - Program that prevents a user's
device from properly operating until a fee is paid
Ransomware is highly profitable for attackers
A variation of ransomware displays a fictitious warning
that there is a problem with the computer
No matter what the condition of the computer, the
ransomware always reports that there is a problem
Logic Bomb
Logic bomb - Computer code that lies dormant until
triggered by a specific logical event and then
performs malicious activities
Difficult to detect before it is triggered
Backdoor
Backdoor - Software code that circumvents normal
security to give program access
Common practice by developers
Intent is to remove backdoors in final application but
often overlooked
Hardened systems
Intrusion prevention systems
Decreased privilege levels
Penetration testing
Countermeasures
Input field filtering, application firewall, application
vulnerability scanning, software developer training
SQL injection
XML injection
Command injection/directory traversal
Cross-Site Scripting
Not all attacks on websites are designed to steal
content or deface it
Some attacks use web server as a platform to launch
attacks on other computers that access it
Customized Responses
SQL Injection
SQL (Structured Query Language) - Used to
manipulate data stored in a relational database
SQL Injection - Targets SQL servers by introducing
malicious commands through unvalidated application input
SQL Alternatives
Instead of input validation, a more drastic approach to
preventing SQL injection attacks is to avoid using SQL
relational databases altogether
NoSQL - Newer nonrelational databases that are better
tuned for accessing large data sets
NoSQL databases vs. SQL databases - Ongoing argument
over which database technology is better
Changing the database does not remove the need for input
validation: NoSQL query languages have injection problems
of their own
XML Attack
XML Attack - Similar to SQL injection attack
Directory Traversal/Command
Injection
Web server users are typically restricted to the server's root
(document root) directory; a traversal attack uses ../ sequences in
a requested path to reach files outside it
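Directory traversal and command injection, as an added Python example (not code from the original slides). The path check decodes, joins and canonicalises the request before testing that it stays under the document root; the command example contrasts the string a shell would interpret with an argv list plus a hostname allow-list. The /var/www/html root, the hostname pattern and the ping command are constructed assumptions; nothing is executed.

```python
import os
import re
from urllib.parse import unquote

# Constructed allow-list for hostnames: letters, digits, dots and dashes only.
HOSTNAME_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9.-]{0,251}[A-Za-z0-9])?")


def resolve_under_root(root, requested):
    """Map a request path onto the document root, refusing anything that escapes it.

    The request is percent-decoded first so '..%2F..' cannot slip past the
    check, a leading '/' is dropped so the path is always relative to root,
    and realpath() collapses '..' (and symlinks) before the prefix test.
    """
    root = os.path.realpath(root)
    relative = unquote(requested).lstrip("/")
    candidate = os.path.realpath(os.path.join(root, relative))
    if candidate != root and not candidate.startswith(root + os.sep):
        raise PermissionError("request escapes document root: %r" % requested)
    return candidate


def is_safe_request(root, requested):
    try:
        resolve_under_root(root, requested)
        return True
    except PermissionError:
        return False


def ping_command_vulnerable(host):
    """Deliberately vulnerable: this string is what shell=True would hand to
    /bin/sh, so ';', '&&', '|' or '$(...)' in host become extra commands."""
    return "ping -c 1 " + host


def ping_command_safe(host):
    """Return an argv list (no shell), or None if host fails the allow-list.
    With an argv list the OS executes exactly one program; any metacharacter
    would reach ping as an ordinary argument, never be interpreted."""
    if not HOSTNAME_RE.fullmatch(host):
        return None
    return ["ping", "-c", "1", host]


if __name__ == "__main__":
    root = "/var/www/html"                       # assumed document root
    for path in ["/index.html", "../../etc/passwd", "/docs/..%2F..%2F..%2Fetc/passwd"]:
        print(path, is_safe_request(root, path))
    bad = "example.com; cat /etc/passwd"
    print(ping_command_vulnerable(bad), ping_command_safe(bad), ping_command_safe("example.com"))
```

The prefix test uses root + os.sep, not a bare startswith(root), so a sibling directory such as /var/www/html2 does not pass; decoding before the check matters because the web server decodes the URL before it touches the file system.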
Drive-By Download
Drive-by download:
Client computer is compromised simply by viewing a
Web page
Attackers inject content into a vulnerable Web server to
gain access to the server's operating system
Attackers craft a zero-pixel frame to avoid visual
detection
HTTP Header
HTTP header consists of fields that characterize data
being transmitted
Header fields are comprised of:
Field name
Colon
Field value
Header Manipulation
HTTP header manipulation - Attack that modifies HTTP
headers
HTTP header manipulation is not an attack in itself but
rather a vehicle through which other attacks, such as XSS,
can be launched
HTTP header manipulation allows an attacker to pass
malicious instructions from their own malicious website, or
through an infected site, to the web browser via HTTP
headers
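The HTTP Header and Header Manipulation passages above, as one added Python example (not code from the original slides): a parser for the name, colon, value field format, and the contrast between a header built by plain concatenation and one that rejects CR/LF in the value. The constructed redirect target shows how a value copied from user input can turn into an extra Set-Cookie header. The token pattern follows the RFC 7230 field-name rules; the sample header blocks are constructed.

```python
import re

# Field names are "tokens" (RFC 7230 tchar); values may not contain CR or LF.
TOKEN_RE = re.compile(r"[!#$%&'*+.^_`|~0-9A-Za-z-]+")


def parse_headers(raw):
    """Parse an HTTP header section: one 'name: value' field per CRLF line,
    terminated by an empty line. Names are case-insensitive, so they are
    lower-cased; repeated names are joined with ', ' as HTTP allows."""
    headers = {}
    for line in raw.split("\r\n"):
        if line == "":
            break                           # empty line ends the header section
        name, sep, value = line.partition(":")
        if not sep or not TOKEN_RE.fullmatch(name):
            raise ValueError("malformed header line: %r" % line)
        key = name.lower()
        value = value.strip()
        headers[key] = headers[key] + ", " + value if key in headers else value
    return headers


def header_value_is_safe(value):
    """A value that can come from user input must not contain CR or LF;
    otherwise the rest of the value becomes additional header lines."""
    return "\r" not in value and "\n" not in value


def build_header_naive(name, value):
    """Deliberately unsafe: concatenates whatever it is given."""
    return "%s: %s\r\n" % (name, value)


def build_header(name, value):
    """Rejects names that are not tokens and values carrying CR/LF."""
    if not TOKEN_RE.fullmatch(name):
        raise ValueError("invalid header name")
    if not header_value_is_safe(value):
        raise ValueError("header value must not contain CR or LF")
    return "%s: %s\r\n" % (name, value)


# Constructed: a redirect target copied from a query string by an application
# that never checked it for line breaks.
INJECTED_TARGET = "/account\r\nSet-Cookie: session=attacker-chosen"

if __name__ == "__main__":
    print(parse_headers("Host: example.com\r\nContent-Type: text/html\r\n\r\n"))
    print(parse_headers(build_header_naive("Location", INJECTED_TARGET)))
    print(header_value_is_safe(INJECTED_TARGET))
```

Parsing the naively built header back shows the point: the browser sees two fields, Location and an attacker-chosen Set-Cookie, which is how a header becomes the vehicle for a further attack.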
Cookies
Cookies - Store user-specific information on the user's
local computer
Web sites use cookies to identify repeat visitors
Examples of information:
Travel Web sites may store users travel itinerary
Personal information provided when visiting a site
Types of Cookies
First-party cookie - Cookie created by the Web site the user
is currently visiting
Third-party cookie - Cookie placed by site advertisers (third
parties) to record user preferences
Risks of Cookies
Cookies have security and privacy risks
Attachments
Attachments - Files that are coupled to email
messages
Malicious attachments commonly used to spread
viruses, Trojans, and other malware when opened
Session Token
A user accessing a secure web application needs to be
verified to prevent an imposter from jumping into the
interaction
Session token - Verification through which a random
string is assigned to the interaction between the user and the
web application currently being accessed (the session)
The web application server assigns a unique session
token
Each subsequent request from the user's web browser to the
web application contains the session token, verifying the
user's identity
Session Hijacking
Session hijacking - Attacker attempts to impersonate
the user by using the user's session token
Attacker can attempt to obtain the session token by:
Using XSS or other attacks to steal the session token
cookie from the victim's computer
Eavesdropping on the transmission
Guessing the session token (successful if generation of
session tokens is not truly random)
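The Session Token and Session Hijacking passages above, as one added Python example (not code from the original slides): a server-side session table that issues tokens from the operating system's CSPRNG and validates them with a constant-time compare, beside a deliberately weak generator seeded from the login timestamp, with the attacker's side shown as enumeration of nearby seeds. The in-memory store, the token sizes and the timestamp are constructed assumptions.

```python
import hmac
import random
import secrets


class SessionStore:
    """Constructed in-memory server-side session table: token -> user."""

    def __init__(self):
        self._sessions = {}

    def create(self, user):
        # 32 bytes (256 bits) from the operating system's CSPRNG; the value is
        # not derived from the user, the time or a counter, so it cannot be
        # predicted or enumerated by an attacker.
        token = secrets.token_urlsafe(32)
        self._sessions[token] = user
        return token

    def lookup(self, presented):
        # Compare in constant time so response timing does not reveal how many
        # leading characters of a guess were right.
        for token, user in self._sessions.items():
            if hmac.compare_digest(token.encode(), presented.encode()):
                return user
        return None

    def revoke(self, token):
        self._sessions.pop(token, None)


def weak_token(issue_time):
    """Deliberately weak: a Mersenne Twister seeded with the issue timestamp.
    The token looks random but is a pure function of a guessable number."""
    return "%016x" % random.Random(issue_time).getrandbits(64)


def recover_weak_token_seed(observed, approx_issue_time, window=60):
    """Attacker's side: knowing roughly when the victim logged in, try every
    seed in the window and see which reproduces the observed token."""
    for seed in range(approx_issue_time - window, approx_issue_time + window + 1):
        if weak_token(seed) == observed:
            return seed
    return None


if __name__ == "__main__":
    store = SessionStore()
    token = store.create("alice")
    print(token, store.lookup(token))
    login_time = 1700000000                        # constructed victim login time
    print(recover_weak_token_seed(weak_token(login_time), login_time + 25))
```

The weak scheme fails not because 64 bits is too short but because the entropy behind it is a timestamp the attacker can bracket; the secure store has no such seed to recover, and tokens are revoked server-side rather than trusted until they expire.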
Malicious Add-Ons
Attackers can create malicious add-ons to launch
attacks against a user's computer
ActiveX - Set of rules for how applications under the
Microsoft Windows operating system should share
information
ActiveX controls (add-ons) - Specific way of
implementing ActiveX and are sometimes called
ActiveX applications
ActiveX controls can be invoked from webpages
through the use of a scripting language or directly by an
HTML command
Integer Overflow
Integer overflow - Condition occurs when result of
arithmetic operation (addition or multiplication)
exceeds the maximum size of the integer type used
to store it
When overflow occurs, the interpreted value then
wraps around from maximum value to minimum value
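Integer overflow as an added Python example (not code from the original slides). Python integers do not overflow, so the 32-bit wrap is reproduced by masking, the way C arithmetic behaves; the example then shows the consequence that matters in practice, a buffer size computed from an attacker-chosen count that wraps to a tiny value, beside a checked version that refuses. The 32-bit width and the sample counts are constructed assumptions.

```python
U32_MAX = 0xFFFFFFFF
I32_MAX = 0x7FFFFFFF
I32_MIN = -0x80000000


def add_u32(a, b):
    """Unsigned 32-bit addition as C performs it: the result is reduced mod 2**32."""
    return (a + b) & U32_MAX


def mul_u32(a, b):
    return (a * b) & U32_MAX


def add_i32(a, b):
    """Signed 32-bit addition with two's-complement wrap: INT_MAX + 1 == INT_MIN."""
    r = (a + b) & U32_MAX
    return r - (1 << 32) if r & 0x80000000 else r


def alloc_size_unchecked(count, elem_size):
    """Buffer size computed the way a careless C program would: count * size
    wraps, so a huge count yields a tiny allocation that later code overruns."""
    return mul_u32(count, elem_size)


def alloc_size_checked(count, elem_size):
    """Return count * elem_size, or None if it does not fit in 32 bits.
    The check divides instead of multiplying so it cannot itself overflow."""
    if count == 0 or elem_size == 0:
        return 0
    if count > U32_MAX // elem_size:
        return None
    return count * elem_size


if __name__ == "__main__":
    print(hex(add_u32(U32_MAX, 1)), add_i32(I32_MAX, 1))
    # 0x40000001 elements of 4 bytes: 0x1_0000_0004 bytes, which wraps to 4.
    print(alloc_size_unchecked(0x40000001, 4), alloc_size_checked(0x40000001, 4))
```

The divide-before-multiply check is the standard idiom because a naive "if count * elem_size > MAX" performs the very multiplication that overflows; in C the same check appears in the calloc-style wrappers that replaced bare malloc(count * size).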
Server virtualization
Developer training
Physical procedures
Impersonation
Impersonation - Masquerade as a real or fictitious
character and then play out the role of that person on
a victim
Common roles impersonated:
Repairperson
IT support
Manager
Trusted third party
Fellow employee
To facilitate a break-in
Event bombs
Activate on a specific event
Regulatory requirements
Test plan a byproduct of requirements
Security in testing
Testing should verify correct coding of every
requirement and specification
Database architectures
Hierarchical databases: tree structure (no longer
produced)
Network databases: complex tree structure (no
longer produced)
Data warehouse
A type of database that is used for decision support
and research purposes
A copy of some or all transaction data
Usually, refreshed periodically (typically daily)
Database transactions
Records retrieval
Records update
Records creation
Nested or complex transactions are executed as a unit:
BEGIN WORK <transactions> END WORK
Views
Virtual tables that are a subset of individual tables, or a
join between tables
Permission given to views just like real tables
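The Database transactions and Views passages above, as one added Python/sqlite3 example (not code from the original slides): a transfer between two accounts that either commits both updates or rolls both back, and a view that exposes a subset of columns so that a reader granted the view never sees the hidden one. SQLite has no GRANT statement, so the permission half is shown only as the view's column restriction. The schema, balances and employee rows are constructed.

```python
import sqlite3


def setup():
    """Constructed schema: accounts with a non-negative balance rule, and an
    employees table whose salary column is hidden behind a view."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (id TEXT PRIMARY KEY, "
                 "balance INTEGER NOT NULL CHECK (balance >= 0))")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)", [("A", 100), ("B", 50)])
    conn.execute("CREATE TABLE employees (name TEXT, dept TEXT, salary INTEGER)")
    conn.executemany("INSERT INTO employees VALUES (?, ?, ?)",
                     [("Ann", "eng", 120000), ("Raj", "ops", 90000)])
    # The view exposes only name and dept; a reader granted access to the view
    # but not the table never sees salary.
    conn.execute("CREATE VIEW employee_directory AS SELECT name, dept FROM employees")
    conn.commit()
    return conn


def transfer(conn, src, dst, amount):
    """Move amount from src to dst as one unit of work.
    The credit is applied first on purpose: if the debit then violates the
    CHECK constraint, the rollback must undo the credit too. Returns True on
    commit, False on rollback."""
    try:
        with conn:   # sqlite3: COMMIT on normal exit, ROLLBACK if an exception escapes
            conn.execute("UPDATE accounts SET balance = balance + ? WHERE id = ?", (amount, dst))
            conn.execute("UPDATE accounts SET balance = balance - ? WHERE id = ?", (amount, src))
        return True
    except sqlite3.IntegrityError:
        return False


def balances(conn):
    return dict(conn.execute("SELECT id, balance FROM accounts ORDER BY id"))


def directory(conn):
    """Rows visible through the view: no salary column."""
    return conn.execute("SELECT * FROM employee_directory ORDER BY name").fetchall()


if __name__ == "__main__":
    db = setup()
    print(transfer(db, "A", "B", 30), balances(db))
    print(transfer(db, "A", "B", 500), balances(db))   # rolled back, balances unchanged
    print(directory(db))
```

The second transfer is the case the BEGIN WORK / END WORK pairing exists for: the credit to B has already executed when the debit from A fails, and only the rollback keeps the credited 500 from surviving.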
Phishing
Phishing - Sending email or display web
announcement claiming to be from legitimate source
May contain legitimate logos and wording
Tries to trick user into giving private information
Passwords
Credit card numbers
Social Security numbers
Bank account numbers
Phishing Variations
Variations of phishing:
Pharming - Automatically redirects user to fraudulent
web site
Spear phishing - Email messages target specific users
Spam
Spam - Unsolicited email
Hoaxes
Hoaxes - False warning or claim
Typo Squatting
Typo squatting (URL hijacking) - Attacker registers a
fake look-alike site to which the user is automatically
directed after making a typing error when entering a
URL in a web browser (goggle.com or
google.net instead of google.com)
Site may contain:
Visitor survey that promises a chance to win prizes (but
the attacker actually captures the entered email
addresses to sell to spammers)
Ads (for which the attacker receives money for traffic
generated to the site)
Antimalware software:
Antivirus
Antispam
Popup blockers and antispyware
Host-based firewalls
Antivirus
Antivirus (AV) - Software that examines computer for
infections
Static analysis - Scan files by attempting to match
known virus patterns against potentially infected files
Antivirus Scanning
Wildcard scanning - Wildcard is allowed to skip bytes
or ranges of bytes instead of looking for an exact
match
Mismatch scanning - Mismatches allow a set number of
bytes in the string to be any value regardless of their
position in the string
Weakness of static analysis is that the AV vendor must
constantly be searching for new viruses, extracting
virus signatures, and distributing those updated
databases to all users
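Static signature scanning with wildcard and mismatch matching, as an added Python example (not code from the original slides, and using constructed byte patterns rather than any real malware). The signature's wildcard positions (None) stand for the four relative-offset bytes of a CALL that differ from file to file; the mismatch budget lets the same signature still catch a sample in which one fixed byte was altered, which also illustrates why the mutating-malware families above defeat exact matching. All signatures and samples are constructed.

```python
# Constructed signature: a call/pop "delta offset" prologue, with the four
# rel32 bytes of the CALL left as wildcards (None) because they differ per
# infected file.
SIGNATURES = {
    "Constructed.Test.A": [0xE8, None, None, None, None, 0x5D, 0x81, 0xED],
}


def match_at(data, offset, signature, max_mismatches=0):
    """Compare signature against data at offset.
    None in the signature is a wildcard (skip that byte); up to max_mismatches
    fixed bytes may differ ('mismatch scanning')."""
    mismatches = 0
    for i, expected in enumerate(signature):
        if expected is None:
            continue
        if data[offset + i] != expected:
            mismatches += 1
            if mismatches > max_mismatches:
                return False
    return True


def scan(data, signatures=SIGNATURES, max_mismatches=0):
    """Static analysis: slide every signature over the file; report (name, offset)."""
    hits = []
    for name, sig in signatures.items():
        for off in range(len(data) - len(sig) + 1):
            if match_at(data, off, sig, max_mismatches):
                hits.append((name, off))
                break
    return hits


# Constructed samples (NOP padding around the bytes of interest, not real malware).
CLEAN = b"\x90" * 20
INFECTED = b"\x90" * 8 + bytes([0xE8, 0x00, 0x00, 0x00, 0x00, 0x5D, 0x81, 0xED,
                                0x05, 0x10, 0x40, 0x00]) + b"\x90" * 4
# A variant with one fixed byte of the signature changed (0x5B for 0x5D),
# the kind of small change a mutating sample makes.
MUTATED = INFECTED.replace(b"\x5D\x81\xED", b"\x5B\x81\xED")

if __name__ == "__main__":
    print(scan(CLEAN), scan(INFECTED))
    print(scan(MUTATED), scan(MUTATED, max_mismatches=1))
```

Raising the mismatch budget widens what a signature catches, but every extra allowed mismatch also raises the false-positive rate on clean files, which is why vendors tune it per signature rather than globally.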
Antivirus Detection
Dynamic heuristic detection - Uses a variety of
techniques to spot characteristics of a virus instead of
attempting to match signatures
Code emulation - A virtual environment is created that
simulates the central processing unit (CPU) and
memory of the computer
Any questionable program code is executed in the virtual
environment (no actual virus code is executed by the
real CPU) to determine whether it is a virus
Antispam
Spammers can distribute malware through email
attachments or use spam for social engineering attacks
Bayesian filtering - Analyzes every word in each
email and determines how frequently a word occurs
in the spam pile compared to the not-spam pile
Create lists of senders:
Blacklist - Block listed senders; allow everything else in
Whitelist - List of approved senders
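Bayesian filtering and sender lists, as an added Python example (not code from the original slides): a naive Bayes classifier trained on a tiny constructed spam pile and not-spam pile, with add-one smoothing so that a word seen in only one pile cannot decide the result by itself, and a front-end that applies the blacklist and whitelist before the word statistics. The training messages, sender addresses and 0.5 threshold are constructed assumptions; a real filter learns from a large corpus.

```python
import math
import re
from collections import Counter

# Constructed training corpora; a real filter learns from thousands of messages.
SPAM_TRAINING = [
    "win a free prize now",
    "claim your free money prize",
    "cheap pills buy now",
    "free vacation winner claim now",
]
HAM_TRAINING = [
    "meeting agenda attached for tomorrow",
    "please review the attached report",
    "lunch tomorrow at noon",
    "project status meeting notes",
]


def tokenize(text):
    return re.findall(r"[a-z0-9']+", text.lower())


class BayesianFilter:
    """Naive Bayes: for each word, how often it occurs in the spam pile versus
    the not-spam pile, combined across all words of a message."""

    def __init__(self, spam, ham):
        self.spam_words = Counter(w for m in spam for w in tokenize(m))
        self.ham_words = Counter(w for m in ham for w in tokenize(m))
        self.n_spam, self.n_ham = len(spam), len(ham)
        self.vocab_size = len(set(self.spam_words) | set(self.ham_words))

    def _word_prob(self, word, counts):
        # Laplace (add-one) smoothing: a word never seen in one pile gets a small
        # probability rather than zero, so one unknown word cannot decide the result.
        return (counts[word] + 1) / (sum(counts.values()) + self.vocab_size)

    def spam_probability(self, text):
        log_spam = math.log(self.n_spam / (self.n_spam + self.n_ham))
        log_ham = math.log(self.n_ham / (self.n_spam + self.n_ham))
        for w in tokenize(text):
            log_spam += math.log(self._word_prob(w, self.spam_words))
            log_ham += math.log(self._word_prob(w, self.ham_words))
        # Work in logs to avoid underflow, then convert back to P(spam | words).
        return 1.0 / (1.0 + math.exp(log_ham - log_spam))


def classify(sender, text, bayes, allowlist=(), blocklist=(), threshold=0.5):
    """Sender lists are checked first: a blacklist rejects only listed senders
    (everything else gets in), a whitelist accepts listed senders outright."""
    if sender in blocklist:
        return "block"
    if sender in allowlist:
        return "allow"
    return "spam" if bayes.spam_probability(text) >= threshold else "ham"


if __name__ == "__main__":
    f = BayesianFilter(SPAM_TRAINING, HAM_TRAINING)
    print(round(f.spam_probability("free prize now"), 3),
          round(f.spam_probability("meeting tomorrow"), 3))
    print(classify("ads@example.net", "free prize now", f),
          classify("boss@example.com", "free prize now", f, allowlist={"boss@example.com"}))
```

Note the ordering: the whitelist short-circuits the word statistics, so a spoofed sender on the whitelist passes regardless of content, which is why sender lists are combined with authentication of the sender rather than used alone.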
Pop-up Blocker
Pop-up - Small window appearing over webpage
usually created by advertisers
Pop-up blocker - Separate program as part of
antispyware package incorporated within browser
that allows user to limit or block most pop-ups
Alert can be displayed in browser and gives user
option to display pop-up
Summary
Operating system components: kernel, device
drivers, tools
Operating system functions: authentication, resource
access, access control, communication, event
logging
Types of applications: agents, applets, client-server,
distributed, web
Summary (cont.)
Reasons for threats to applications: industrial
espionage, vandalism and disruption, denial of
service, political / religious
Types of threats
buffer overflow, covert channel, side channel, malware,
input attacks, object reuse, mobile code, social
engineering, back door, logic bomb
Summary (cont.)
Software development life cycle (SDLC) steps
Conceptual, requirements / specifications, design,
coding, testing, maintenance
Source code control, configuration management
Summary (cont.)
Types of databases
Hierarchical, network, distributed, object-oriented,
relational (most common)