
Software Development Security

CISSP Guide to Security Essentials


Chapter 3

Objectives
Operating systems
Types of applications
Application models and technologies
Application threats and countermeasures
Security in the software development life cycle
Application security controls
Databases and data warehouses

Operating Systems
Operating system components:
Kernel
Process management
Memory management
Hardware resource management
Device drivers
Tools

Operating Systems
Operating system security functions
Authentication
Resource access
Access control
Communication
Event logging

Securing the Operating System Software
Two approaches to securing the operating system:
Properly configure the operating system after it has been installed to fortify it
Tighten security during the initial design and coding of the operating system
Five-step process for protecting the operating system:
Develop the security policy
Perform host software baselining
Configure operating system security and settings
Deploy the settings
Implement patch management

Securing the Operating System Software: Steps 1 & 2
Security policy - Document(s) that clearly define the organization's defense mechanisms
Perform host software baselining (a standard or checklist against which systems can be evaluated)
Configuration settings that are used for each computer in the organization

Securing the Operating System Software: Step 3
Configure operating system security and settings
Hundreds of different security settings can be manipulated
Typical configuration baseline:
Changing insecure default settings
Eliminating unnecessary software, services, protocols
Enabling security features such as a firewall

Securing the Operating System Software: Step 4
Deploy settings through a security template (collection of security configuration settings)
Group policy - Windows feature providing centralized computer management
A single configuration may be deployed to many users

Securing the Operating System Software: Step 5
Operating systems have increased in size and complexity
New attack tools have made secure functions vulnerable
Security patch - General software update to cover discovered vulnerabilities
Hotfix - Addresses a specific customer situation
Service pack - Accumulates security updates and additional features

Securing the Operating System Software, Step 5: Updates
Modern operating systems can perform automatic updates
OS interacts with the vendor's online update service to automatically download and install patches (depending upon the configuration option chosen)
Patches can sometimes create new problems
Vendor should thoroughly test before deploying

Securing the Operating System Software, Step 5: Automated Updates
Automated patch update service - Manage patches locally instead of using the vendor's online update service
Advantages:
Administrators can approve or decline updates for client systems, force updates to install by a specific date, and obtain reports on what updates each computer needs
Administrators can approve updates for "detection" only (allows them to see which computers will require the update without actually installing it)

Securing the Operating System Software, Step 5: Advantages
Downloading patches from a local server instead of using the vendor's online update service can save bandwidth and time because each computer does not have to connect to an external server
Specific types of updates that the organization does not test (hotfixes) can be automatically installed whenever they become available
Users cannot disable or circumvent updates as they can if the computer is configured to use the vendor's online update service

Automated Patch Update Service (Figure 4-8)

Security Through Design
Other techniques used instead of managing different security options on an operating system that has already been deployed
OS hardening - Necessary to tighten security during design and coding of the OS
Trusted OS - Operating system that has been designed through OS hardening

OS Hardening Techniques

Types of applications
Agents
Standalone programs that are part of a larger application
Examples:
Anti-malware
Patch management
Configuration management

Types of applications (cont.)
Applets
Software programs that run within the context of another program
Example: media players within a browser
Client-server
Separate programs on clients and servers communicate via networks and work together
Few are developed now but many are in use

Types of applications (cont.)
Distributed
Software components run on several systems
Two-tier, three-tier, multi-tier
Reasons: scalability, performance, geographical
Web
Web browser as client, application server back-end
Client software nearly universal
Application software centralized

Application Security
Along with securing the operating system software on hosts and in static environments, there is an equal need to protect the applications that run on the devices
Application security:
Application development security
Application hardening and patch management

Application Development Security
Security for applications must be considered through all phases of the development cycle
Application configuration baselines:
Standard environment settings can establish a secure baseline
Includes each development system, build system, and test system
Must include system and network configurations

Secure Coding Concepts
Coding standards increase applications' consistency, reliability, and security
Coding standards are useful in the code review process
Wrapper functions - Used to write error-checking routines for preexisting system functions (a wrapper function is a substitute for a regular function that is used in testing)

Exceptions
Errors (exceptions) - Faults that occur while the application is running
Response should be based on the error
Improper handling can lead to application failure or insecurity
Fuzz testing (fuzzing) - Software testing technique that deliberately provides invalid, unexpected, or random data as inputs to a computer program

Error Handling
Error handling practices to avoid:
Failing to check return codes or handle exceptions, or improperly checking them
Handling all return codes or exceptions in the same manner
Divulging potentially sensitive data in error information

Application Attacks
Application hardening is intended to prevent exploitation of vulnerabilities

Application Patch Management
Application patch management was rare until recently
Users unaware of the existence of patches or where to acquire them
More application patch management systems are being developed today

Attacks Based On Application Vulnerabilities (Table 4-6)

Securing Data
Work today involves electronic collaboration, so data must flow freely but securely
Data loss prevention (DLP) - System of security tools used to recognize and identify critical data and ensure it is protected
Goal is to protect data:
Data in-use - Data actions being performed by endpoint devices
Data in-transit - Actions that transmit the data across a network
Data at-rest - Stored on electronic media

DLP Techniques
Content inspection - Security analysis of a transaction that takes context into account
DLP systems also can use index matching:
Documents identified as needing protection, such as the program source code for a new software application, are analyzed by the DLP system
Complex computations are conducted based on the analysis

DLP Sensors
DLP sensors:
DLP network sensors - Installed on the perimeter of the network to protect data in-transit by monitoring all network traffic
DLP storage sensors - Sensors on network storage devices are designed to protect data at-rest
DLP agent sensors - Sensors are installed on each host device (desktop, laptop, tablet, etc.) and protect data in-use

DLP Architecture (Figure 4-9)

DLP Report (Figure 4-10)

Input Validation
Verify user responses to the application:
Could cause the program to abort
Necessary to check for XSS, SQL, or XML injection attacks
Cross-site request forgery (XSRF) - Attack uses the user's web browser settings to impersonate the user
Input validation - Verifies a user's input to an application and is performed after data is entered but before the destination is known

Server and Client Validation
Server-side validation - Input validation generally uses the server to perform the validation
Client-side validation - Client performs the validation

Application environment and security controls
Controls that must be present in a developed application:
Authentication
Limiting access to only legitimate, approved users
Authorization
Limiting access only to approved functions and data
Role-based access control (RBAC)
Assign authorizations to roles, assign roles to users
Audit logging
Logging of all actions in the application

Software Models and Technologies
Control flow languages
Structured languages
Object oriented languages
Knowledge based languages

Control flow languages
Linear, sequential
Use of if then else
Branching with go to
Examples:
BASIC, COBOL, Cold Fusion, FORTRAN, Perl, PHP, Python, VBScript

Structured languages
Nested, heavy use of subroutines and functions
Little or no go to
Examples:
C
Pascal

Object oriented languages
Utilize concepts of object programming:
Classes, objects, instances, and inheritance
Methods, instantiations
Encapsulation, abstraction, polymorphism
Examples:
C++, C#, Java, Ruby, Simula, Smalltalk

Knowledge based systems
Neural networks
Modeled after biological reasoning processes
Artificial neurons that store pieces of information
Given cases about situations and outcomes, can predict future outcomes
Expert systems
Inference engine and knowledge base of past situations and outcomes

Threats in the software environment
Reasons for attacks:
Industrial espionage
Vandalism and disruption
Denial of service
Political / religious

Software attack approaches
Authentication bypass
Access a system's resources without providing credentials
Privilege escalation
Trick a system into providing a higher level of privileges, which provides access to more information and functions
Denial of service
Incapacitate a system

Threats to software
Buffer overflow
Covert channel
Side channel attack
Malicious software
Input attacks
Object reuse
Mobile code
Social engineering
Back door
Logic bomb

Threats to software (cont.)
Buffer overflow attacks
Disrupt a software application by providing more data to the application than it was designed to handle
Types:
Stack buffer overflow
NOP sled attack
Heap overflow
Jump to register attack
Examples: Morris worm, ping of death, Code Red, SQL Slammer, Blaster, Sasser, Conficker

Threats to software (cont.)
Buffer overflow attack countermeasures
Use safe languages and libraries
Executable space protection
Stack smashing protection
Application firewalls

Threats to software (cont.)
Covert channel
Unintended and hidden channel of communications
Types:
Covert storage channel: read a storage location and learn about the application or other data
Timing channel: observe timings in an application to determine what is happening in the application
Countermeasures
Careful software analysis, good software engineering

Threats to software (cont.)
Side channel attack
An attack on a cryptosystem based upon physical information gained from the system
Examples: timing, power consumption, emanations, and even sounds
Countermeasures
Limit release of information through shielding and other means

Threats to software (cont.)
Malicious software
Types: viruses, worms, Trojan horses, rootkits, bots, spam, pharming, spyware, key loggers
Purpose:
Steal, corrupt, or destroy information
Remote control
Denial of service

Threats to software (cont.)
Types of malware
Virus: human assisted replication, embeds in programs, files, master boot records
Worm: self replicating, scans for victims, rapid spread
Trojan horse: claims one function, but is malware
Rootkit: hides within or beneath the operating system
Bot: remote control zombie (also known as Remote Access Trojan (RAT))
Spam: unsolicited e-mail

Threats to software (cont.)
Types of malware (cont.)
Pharming: attack on DNS to redirect traffic to a decoy application
Spyware: collects information about usage, forwards to a central server
Key logger: logs keystrokes and mouse movements, forwards to a central server

Attacks Using Malware
Malware (malicious software) - Software that enters a computer system without the owner's knowledge or consent
Refers to a wide variety of damaging or annoying software

Mutating Malware
Attackers can mask the presence of their malware by having it mutate or change
Three types of mutating malware are:
Oligomorphic malware - Changes its internal code to one of a set number of predefined mutations whenever executed
Polymorphic malware - Completely changes from its original form whenever it is executed
Metamorphic malware - Can actually rewrite its own code and thus appears different each time it is executed

Malware Traits: 1 & 2
Definitions of the different types of malware are often confusing and may overlap
One method of classifying the various types of malware is using four primary traits that malware possesses:
Circulation - Some malware has the primary trait of spreading rapidly to other systems to impact a large number of users
Infection - Some malware has the primary trait of infecting or embedding itself into a system

Malware Traits: 3 & 4
Concealment - Some malware has as its primary trait avoiding detection by concealing its presence from scanners
Payload capabilities - When payload capabilities are the primary focus of malware, the focus is on what nefarious action(s) the malware performs

Virus Types
Computer virus - Malicious computer code that reproduces itself on the same computer
Program virus - Virus that infects an executable program file
Macro virus - One of the most common data file viruses, written in a script known as a macro (a macro is a series of instructions that can be grouped together as a single command)

Armored Virus
Different virus infection methods
One common type is appender infection:
Virus appends itself to the end of a file
Replaces the beginning of the file with a jump instruction pointing to the virus code
Armored virus - Viruses that go to great lengths to avoid detection
Swiss cheese infection - Encrypts the virus code, then divides the decryption engine into different pieces and injects these pieces throughout the infected program code

Appender Infection (Figure 2-1)

Swiss Cheese Infection (Figure 2-2)

Split Infection
Split infection - Viruses split the malicious code itself into several parts:
Also has one main body of code
All parts are placed at random positions throughout the program code
To make detection even more difficult these parts may contain unnecessary garbage code to mask their true purpose

Split Infection (Figure 2-3)

Virus Actions
When an infected program is launched it activates its malicious payload
Viruses may display an annoying message but are usually much more harmful
Examples of virus actions:
Cause a computer to repeatedly crash
Erase files from or reformat the hard drive
Turn off the computer's security settings
Virus also replicates itself by spreading to another file on the same computer

Virus Carriers
Virus cannot automatically spread to another computer
Relies on user action to spread
Viruses are attached to files
Viruses are spread by transferring infected files
Virus must have two carriers:
File to which it attaches
Human to transport it to other computers

Worm
Worm - Malicious program that uses a computer network to replicate
Sometimes called network viruses
Worm designed to enter a computer through the network and then take advantage of a vulnerability in an application or operating system on the host computer
Once the worm exploits a vulnerability on one system it immediately searches for another computer on the network that has the same vulnerability

Trojan
Trojan - Program that does something other than advertised
Example:
User downloads free calendar program
Program scans system for credit card numbers and passwords
Transmits information to attacker through network

Difference Between Viruses, Worms, and Trojans (Table 2-2)

Rootkit
Rootkit - Software tools used by an attacker to hide actions or presence of other types of malicious software
Will hide or remove traces of log-in records, log entries
May alter or replace operating system files with modified versions specifically designed to ignore malicious activity
Can be difficult to detect a rootkit or clean it from an infected system

Computer Infected with Rootkit (Figure 2-4)

Spyware
Spyware - Software that gathers information without user consent
Spyware is tracking software that is deployed without:
Adequate notice
Consent
Control by the user

Technologies Used By Spyware (Table 2-3)

Keylogger
Keylogger - Program that captures a user's keystrokes
Information later retrieved by attacker
Attacker searches for useful information
Can be either a small hardware device or a software program
Keyloggers can go beyond capturing keystrokes; can also make screen captures and turn on the computer's web camera to record images of the user

Hardware Keylogger (Figure 2-5)

Adware
Adware - Program that delivers advertising content in a manner unexpected and unwanted by the user
Downsides of adware for users:
May display objectionable content
Frequent pop-up ads cause lost productivity
Pop-up ads slow the computer or cause crashes
Unwanted ads can be a nuisance
Typically displays advertising banners and pop-up ads
Can also perform tracking of online activities

Ransomware
Ransomware - Program that prevents a user's device from properly operating until a fee is paid
Ransomware malware is highly profitable
Variation of ransomware displays a fictitious warning that there is a problem with the computer
No matter what the condition of the computer, the ransomware always reports that there is a problem

Ransomware Message (Figure 2-6)

Ransomware Message (Figure 2-7)

Logic Bomb
Logic bomb - Computer code that lies dormant until triggered by a specific logical event and then performs malicious activities
Difficult to detect before it is triggered
Logic bombs are often embedded in very large computer programs
Trusted employee can easily insert a few lines of computer code into a long program without anyone detecting it

Famous Logic Bombs (Table 2-4)

Backdoor
Backdoor - Software code that circumvents normal security to give program access
Common practice by developers
Intent is to remove backdoors in the final application but this is often overlooked

Zombies and Botnets
Zombie - Infected robot (bot) computer
Botnet - Multiple zombie computers gathered into a logical computer network
Bot herder - Attacker who controls the botnet
Command and control (C&C or C2) - Instructions from the bot herder regarding which computers to attack and how
Common C&C mechanism used today is Hypertext Transport Protocol (HTTP)

Uses of Botnets (Table 2-5)

Threats to software (cont.)
Malware countermeasures
Anti-malware
Application whitelisting
Process profiling
Spam filters
Patches
Firewalls and application firewalls
Hardened systems
Intrusion prevention systems
Decreased privilege levels
Penetration testing

Threats to software (cont.)
Input attacks
Buffer overflow
Integer overflow
Script injection
Cross site scripting
Cross site request forgery
Countermeasures
Input field filtering, application firewall, application vulnerability scanning, software developer training

Conceptual Networked System
Network used to connect different clients and servers together
Clients and servers run an operating system
Operating system controls applications
Applications manipulate data
Each represents an attack vector to exploit
Attacks on the applications in a networked computer system can be directed toward the server, the client, or both

Conceptual Networked Computer System (Figure 3-1)

Server-Side Web Application Attacks
Content provided for users who are surfing the Web is generated by a software application running on a server
In providing web services to clients, web servers also expose those same services to attackers
An important characteristic of server-side web applications is that they create dynamic content based on inputs from the user

Server-Side Web Application Process
Client's web browser makes a request using the Hypertext Transport Protocol (HTTP) to a web server
Server may be connected to one or more web application servers
Application servers run the specific web apps, which in turn are directly connected to databases on the internal network
Information from the databases is retrieved and returned to the web server so dynamic information can be sent back to the user's web browser

Server-Side Web Application Infrastructure (Figure 3-2)

Securing Web Applications
Securing server-side web applications is often considered more difficult than protecting other systems
Traditional network security devices cannot always block web application attacks because many traditional network security devices ignore the content of HTTP traffic, which is the vehicle of web application attacks

Zero Day Attacks
Many web application attacks (as well as other application attacks) exploit previously unknown vulnerabilities
Zero day attacks - Exploit previously unknown vulnerabilities so victims have no time to prepare or defend

Common Application Attacks
Many server-side web application attacks target the input that the applications accept from users
Common web application attacks:
Cross-site scripting
SQL injection
XML injection
Command injection/directory traversal

Cross-Site Scripting
Not all attacks on websites are designed to steal content or deface it
Some attacks use the web server as a platform to launch attacks on other computers that access it
Cross-site scripting (XSS) - Injects scripts into a web application server to direct attacks at unsuspecting clients
Many web applications are designed to customize content for the user by taking what the user enters and then displaying that input back to the user

Customized Responses

Cross-Site Scripting Platform
Cross-site scripting attacks occur when an attacker takes advantage of web applications that accept user input without validation and then present it back to the user
For example:
Input that the user enters for Name is not verified
Instead it is automatically added to a code segment that becomes part of an automated response
An attacker can use this vulnerability in an XSS attack by tricking a valid website into feeding a malicious script to another user's web browser to execute
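The Name-field case above, as an added example that is not part of the original slides: the page template, the sample input and the allow-list pattern are constructed for this example. It shows the unvalidated echo beside the two defences the slides call for, input validation and output encoding of the response.

```python
import html
import re

# Constructed page fragment that echoes the Name field back to the user,
# standing in for the slides' bookmark page (not the book's own markup).
GREETING_TEMPLATE = '<p>Bookmarks for <span class="name">{name}</span></p>'

# Allow-list for the Name field (an assumption for this example): letters,
# spaces and a few punctuation marks, bounded in length.
NAME_PATTERN = re.compile(r"^[A-Za-z][A-Za-z .'-]{0,49}$")

# Constructed sample input: a script element where a name was expected.
SCRIPT_INPUT = "<script>alert('xss')</script>"


def is_valid_name(name: str) -> bool:
    """Input validation: accept only what a name is expected to look like."""
    return NAME_PATTERN.match(name) is not None


def render_vulnerable(name: str) -> str:
    """Adds the raw input to the response, so any markup in it is rendered
    by the next browser that loads the page."""
    return GREETING_TEMPLATE.format(name=name)


def render_encoded(name: str) -> str:
    """Output encoding alone: the same value is written so the browser treats
    it as text rather than markup, whatever characters it contains."""
    return GREETING_TEMPLATE.format(name=html.escape(name, quote=True))


def render_safe(name: str) -> str:
    """Both defences together: validate on the way in, encode on the way out."""
    if not is_valid_name(name):
        raise ValueError("Name field rejected by input validation")
    return render_encoded(name)


def contains_script_element(fragment: str) -> bool:
    """Crude check used only to make the difference between renderings visible."""
    return "<script" in fragment.lower()
```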

Bookmark Page That Accepts User Input

Input Used In Response (Figure 3-4)

SQL Injection
SQL (Structured Query Language) - Used to manipulate data stored in a relational database
SQL Injection - Targets SQL servers by introducing malicious commands

Forgotten Password Example
Forgotten password example:
Attacker enters an incorrectly formatted e-mail address
Response lets the attacker know whether input is being validated
Attacker enters an email field in an SQL statement
Statement is processed by the database
Example statement:
SELECT fieldlist FROM table WHERE field = 'whatever' or 'a'='a'
Result is that all user email addresses will be displayed
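The forgotten-password lookup above, as an added example that is not from the book: an in-memory sqlite3 table with constructed rows stands in for the slide's "table" and e-mail "field" (the table and column names are assumptions). It contrasts the concatenated statement the slide shows with the parameterized form that treats the input as data.

```python
import sqlite3

# Constructed sample rows; any resemblance to a real user list is accidental.
SAMPLE_USERS = [("alice@example.com", "pet"),
                ("bob@example.com", "city"),
                ("carol@example.com", "school")]

# The slide's input with the quotes the slide text implies: the single quote
# closes the literal and "or 'a'='a'" makes the WHERE clause always true.
INJECTED_INPUT = "whatever' or 'a'='a"


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (email TEXT, password_hint TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, email: str) -> list:
    """Builds the statement by string concatenation: whatever the user typed
    becomes part of the SQL, which is why the slide's statement returns
    every e-mail address instead of one."""
    sql = f"SELECT email FROM users WHERE email = '{email}'"
    return sorted(row[0] for row in conn.execute(sql))


def lookup_parameterized(conn: sqlite3.Connection, email: str) -> list:
    """Same query with a bound parameter: the driver passes the input as a
    value, so quote characters in it can never change the statement."""
    sql = "SELECT email FROM users WHERE email = ?"
    return sorted(row[0] for row in conn.execute(sql, (email,)))
```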

SQL Injection Statements

SQL Alternatives
Instead of input validation, a more drastic approach to preventing SQL injection attacks is to avoid using SQL relational databases altogether
NoSQL - New nonrelational databases that are better tuned for accessing large data sets
NoSQL databases vs. SQL databases - Argument over which database technology is better

XML (Extensible Markup Language)
Markup language - Method for adding annotations to text
Example is HTML:
Uses tags surrounded by brackets
Instructs browser to display text in a specific format
XML (Extensible Markup Language):
Carries data instead of indicating how to display it
No predefined set of tags
Users define their own tags

XML Attack
XML Attack - Similar to SQL injection attack
Attacker discovers a Web site that does not filter user data
Injects XML tags and data into the database
Xpath injection:
Specific type of XML injection attack
Attempts to exploit XML Path Language queries

Directory Traversal/Command Injection
Web server users typically restricted to root directory
Users may be able to access subdirectories but not parallel or higher level directories
Helps to protect sensitive files
Directory traversal - Uses malformed input or takes advantage of a vulnerability to move from the root directory to restricted directories
Command injection - Attacker enters commands to execute on the server or view confidential files
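The root-directory restriction described above, as an added example that is not from the book: a small resolver that maps a client-supplied path onto a document root and refuses anything that escapes it. The document root and its one file are constructed in a temporary directory for the example; the percent-decoding step is an assumption about where decoding happens in the server.

```python
import tempfile
from pathlib import Path
from typing import Optional
from urllib.parse import unquote

# Constructed document root with a single public file (an assumption).
DOC_ROOT = Path(tempfile.mkdtemp(prefix="docroot_"))
(DOC_ROOT / "docs").mkdir()
(DOC_ROOT / "docs" / "readme.txt").write_text("public document\n")


def resolve_within_root(root: Path, requested: str) -> Optional[Path]:
    """Map a requested path onto the document root, or return None when the
    result would lie outside it.
    1. Percent-decode once, so an encoded '..' is seen for what it is.
    2. Drop a leading slash so an absolute request cannot replace the root.
    3. Resolve symlinks and '..' segments on the joined path.
    4. Check that the resolved path is still inside the resolved root."""
    root = root.resolve()
    relative = unquote(requested).lstrip("/\\")
    candidate = (root / relative).resolve()
    try:
        candidate.relative_to(root)
    except ValueError:
        return None  # traversal: resolved path escapes the root
    return candidate


def is_safe_request(requested: str) -> bool:
    """Convenience wrapper over the constructed DOC_ROOT."""
    return resolve_within_root(DOC_ROOT, requested) is not None
```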

Directory Traversal Attack

Client-Side Application Attacks
Web application attacks are server-side attacks
Client-side attacks target vulnerabilities in client applications:
Interacting with a compromised server
Client initiates connection with server, which could result in an attack

Drive-By Download
Drive-by download:
Client computer compromised simply by viewing a Web page
Attackers inject content into a vulnerable Web server to gain access to the server's operating system
Attackers craft a zero pixel frame to avoid visual detection
Embed an HTML document inside the main document
Client's browser downloads malicious script
Instructs computer to download malware

HTTP Header
HTTP header consists of fields that characterize the data being transmitted
Header fields are comprised of:
Field name
Colon
Field value
Example: Content-length: 49
HTTP header field names and values may be any application-specific strings, but a core set is standardized by the Internet Engineering Task Force

HTTP Header Fields (Table 3-3)

Header Manipulation
HTTP header manipulation - Attack modifies HTTP headers
HTTP header manipulation is not an actual attack but rather a vehicle through which other attacks (like XSS) can be launched
HTTP header manipulation allows an attacker to pass malicious instructions from their own malicious website or through an infected site to the web browser via HTTP headers

HTTP Header Attacks
Examples of HTTP header attacks:
Referer - Can bypass security by modifying the Referer field to hide the fact that the request came from another site
Accept-Language - Because some web applications pass the contents of the field directly to a database, an attacker can inject an SQL command by modifying the header
Response splitting - Inserting a CRLF in an HTTP header can give attackers control of the remaining HTTP headers and body of the response
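The header structure (field name, colon, field value) and the response-splitting case above, as an added example that is not from the book: a header builder that enforces the token rule for names and rejects CR, LF and NUL in values, beside the matching parser. The sample redirect value is constructed; the helper names are my own.

```python
import re
from typing import List, Tuple

# Field names are RFC 7230 "tokens"; the character class below is the RFC's.
_TOKEN_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
# A value must never carry a line break: a CRLF inside it ends the header
# and lets the rest of the value be read as further headers and a body.
_FORBIDDEN_RE = re.compile(r"[\r\n\x00]")

# Constructed sample: a redirect target copied from user input that tries to
# smuggle a second header and a body after an embedded CRLF.
SPLIT_ATTEMPT = "/home\r\nSet-Cookie: session=injected\r\n\r\n<html>fake</html>"


def make_header_line(name: str, value: str) -> str:
    """Field name, colon, field value, e.g. 'Content-Length: 49'.
    Raises ValueError for a non-token name or a value containing CR/LF/NUL."""
    if not _TOKEN_RE.match(name):
        raise ValueError(f"illegal header field name: {name!r}")
    if _FORBIDDEN_RE.search(value):
        raise ValueError(f"header value for {name} contains CR, LF or NUL")
    return f"{name}: {value.strip()}"


def header_accepted(name: str, value: str) -> bool:
    """True when make_header_line would emit the header."""
    try:
        make_header_line(name, value)
        return True
    except ValueError:
        return False


def build_response_head(status_line: str, headers: List[Tuple[str, str]]) -> bytes:
    """Serialise a status line plus validated headers into wire form: each
    line ends in CRLF and an empty line terminates the head."""
    lines = [status_line] + [make_header_line(n, v) for n, v in headers]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


def parse_header_line(line: str) -> Tuple[str, str]:
    """Inverse of make_header_line: split a received line at the first colon."""
    name, sep, value = line.partition(":")
    if not sep or not _TOKEN_RE.match(name):
        raise ValueError(f"malformed header line: {line!r}")
    return name, value.strip()
```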

Cookies
Cookies - Store user-specific information on the user's local computer
Web sites use cookies to identify repeat visitors
Examples of information:
Travel Web sites may store the user's travel itinerary
Personal information provided when visiting a site
Only the Web site that created a cookie can read it

Types of Cookies
First-party cookie - Cookie created by the Web site the user is currently visiting
Third-party cookie - Site advertisers (third parties) place a cookie to record user preferences
Session cookie - Stored in RAM and expires when the browser is closed
Persistent cookie - Recorded on the computer's hard drive and does not expire when the browser closes

Locally Shared Object (LSO)
Locally shared object (LSO) or Flash cookie - named after the Adobe Flash player
Different from regular cookies:
Store more complex data
Store up to 100 KB of data from a website (25 times the data of a regular cookie)
Cannot be deleted through the browser's normal configuration settings
Saved in multiple locations on the hard drive
Can be used to reinstate regular cookies that the user deleted or blocked

Risks of Cookies
Cookies have security and privacy risks
First-party cookies can be stolen and used to impersonate the user
Third-party cookies can be used to track the browsing or buying habits of a user
When multiple websites are serviced by a single marketing organization, cookies can be used to track browsing habits on all of its clients' sites

Attachments
Attachments - Files that are coupled to email messages
Malicious attachments are commonly used to spread viruses, Trojans, and other malware when opened
Most users routinely open any email attachment received even if from an unknown sender
Attackers often include information in the subject line that entices even reluctant users to open the attachment, such as a current event

Session Token
User accessing a secure web application needs to be verified to prevent an imposter from jumping in to the interaction
Session token - Verification through which a random string is assigned to the interaction between the user and the web application currently being accessed (session)
Web application server assigns a unique session token
Each subsequent request from the user's web browser to the web application contains the session token verifying the user's identity
Session Hijacking
Session hijacking - Attacker attempts to impersonate the user by using the user's session token
Attacker can attempt to obtain the session token by:
Using XSS or other attacks to steal the session token cookie from the victim's computer
Eavesdropping on the transmission
Guessing the session token (successful if generation of session tokens is not truly random)
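The session-token scheme of the two slides above, as an added example that is not from the book: a small server-side store that issues tokens from a cryptographic random source (so they cannot be guessed), keeps only a hash of each token (so a copied session table cannot be replayed), expires them, and can rotate or revoke one when theft is suspected. The token length and lifetime are assumptions for the example.

```python
import hashlib
import secrets
import time
from typing import Dict, Optional, Tuple

TOKEN_BYTES = 32           # 256 bits from the OS CSPRNG: not guessable
SESSION_TTL_SECONDS = 900  # assumed lifetime for the example


def _digest(token: str) -> str:
    """Only the hash is stored; the clear token exists in the client's cookie."""
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


class SessionStore:
    """Issues and verifies session tokens for a web application (a constructed
    example, not any particular framework's implementation)."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Tuple[str, float]] = {}  # digest -> (user, expiry)

    def issue(self, user: str, now: Optional[float] = None) -> str:
        """Create a fresh random token for an authenticated user."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(TOKEN_BYTES)
        self._sessions[_digest(token)] = (user, now + SESSION_TTL_SECONDS)
        return token

    def validate(self, token: str, now: Optional[float] = None) -> Optional[str]:
        """Return the user a presented token belongs to, or None if the token
        is unknown or expired. Lookup is by hash, so no token comparison
        happens in application code."""
        now = time.time() if now is None else now
        entry = self._sessions.get(_digest(token))
        if entry is None:
            return None
        user, expires_at = entry
        if now >= expires_at:
            self.revoke(token)
            return None
        return user

    def revoke(self, token: str) -> None:
        """Invalidate a token server-side (logout, or after suspected theft)."""
        self._sessions.pop(_digest(token), None)

    def rotate(self, token: str, now: Optional[float] = None) -> Optional[str]:
        """Replace a valid token with a new one, so a token an eavesdropper
        captured earlier stops working."""
        user = self.validate(token, now)
        if user is None:
            return None
        self.revoke(token)
        return self.issue(user, now)
```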

Session Hijacking Attack (Figure 3-7)

Plug-Ins and Add-Ons
Tools that can be added to enhance the user's interaction with a website through the web browser
Plug-in - Third-party library (Java, Adobe Flash player, Apple QuickTime, Adobe Acrobat Reader) that attaches to the web browser and can be embedded inside a webpage (but affects only that specific page)
Add-ons or extensions - Tools that add functionality to the web browser itself

Malicious Add-Ons
Attackers can create malicious add-ons to launch attacks against the user's computer
ActiveX - Set of rules for how applications under the Microsoft Windows operating system should share information
ActiveX controls (add-ons) - Specific way of implementing ActiveX; sometimes called ActiveX applications
ActiveX controls can be invoked from webpages through the use of a scripting language or directly by an HTML command
Impartial Overflow Attacks
Impartial attacks can target either server or client
Many of these attacks are designed to overflow areas of memory with instructions from the attacker
Types of attacks:
Buffer overflow attacks
Integer overflow attacks
Arbitrary/remote code execution attacks

Buffer Overflow Attack
Buffer overflow attack - Process attempts to store data in RAM beyond the boundaries of a fixed-length storage buffer
Data overflows into adjacent memory locations
Attacker can change the return address of the memory location of code and redirect it to a memory address containing malware code

Buffer Overflow Attack

Integer Overflow
Integer overflow - Condition that occurs when the result of an arithmetic operation (addition or multiplication) exceeds the maximum size of the integer type used to store it
When overflow occurs, the interpreted value then wraps around from the maximum value to the minimum value

Integer Overflow Attack
Example:
8-bit signed integer has a maximum value of 127 and a minimum value of -128
If the value 127 is stored in a variable and 1 is added to it, the sum exceeds the maximum value for this integer type
Wraps around to become -128
Integer overflow attack - Attacker changes the value of a variable to something outside the range the programmer had intended by using an integer overflow
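The 8-bit example above carried into code, as an added example that is not from the book. Python integers never overflow, so the two's-complement wrap-around is emulated explicitly; the example goes one step beyond the slide and shows the pattern the attack relies on, a size computed in the narrow type that wraps before a bounds check, beside a range-checked version. The buffer-size scenario and its numbers are constructed.

```python
INT8_MIN, INT8_MAX = -128, 127


def wrap_int8(value: int) -> int:
    """What an 8-bit signed (two's-complement) variable actually holds after
    an arithmetic result is stored into it."""
    return ((value + 128) % 256) - 128


def add_int8_unchecked(a: int, b: int) -> int:
    """The slide's example: 127 + 1 silently becomes -128."""
    return wrap_int8(a + b)


def add_int8_checked(a: int, b: int) -> int:
    """Same addition, but the exact result is range-checked before use."""
    total = a + b
    if total < INT8_MIN or total > INT8_MAX:
        raise OverflowError(f"{a} + {b} = {total} does not fit in int8")
    return total


def buffer_fits_unchecked(count: int, item_size: int, buffer_size: int) -> bool:
    """Vulnerable pattern (constructed scenario): the bytes needed are
    computed in int8 and wrap before the comparison, so a count the
    programmer never intended (64 items of 4 bytes = 256, which wraps to 0)
    passes the check against a 100-byte buffer."""
    needed = wrap_int8(count * item_size)
    return needed <= buffer_size


def buffer_fits_checked(count: int, item_size: int, buffer_size: int) -> bool:
    """Reject negative operands and any product that would leave the int8
    range before comparing it with the buffer size."""
    if count < 0 or item_size < 0:
        return False
    if item_size and count > INT8_MAX // item_size:
        return False  # product would overflow int8
    return count * item_size <= buffer_size


def checked_add_overflows(a: int, b: int) -> bool:
    """True when add_int8_checked refuses the addition."""
    try:
        add_int8_checked(a, b)
        return False
    except OverflowError:
        return True
```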

Arbitrary/Remote Code Execution
Heap spray - Targeted to insert data only in certain parts of memory
Arbitrary/remote code execution - Allows an attacker to run programs and execute commands on a different computer
Once under the attacker's control, the computer can perform virtually any command from the attacker
Arbitrary/remote code execution attacks often take advantage of malicious attachments like a Microsoft Visio file or PDF file

Threats to software (cont.)
Object reuse
Use of a resource belonging to another process, including memory, databases, file systems, temporary files, and paging space
Object reuse countermeasures
Application isolation
Server virtualization
Developer training

Threats to software (cont.)
Mobile code
Executable code, active content, downloadable content
Examples: active website content, downloaded programs
Some is desired, but some is malicious in nature
Mobile code countermeasures
Anti-malware, mobile code access controls
Application whitelisting
Reduced user privileges
Secure system configuration

Threats to software (cont.)
Social engineering
Attack on personnel to gain secrets
People are vulnerable because they want to help
Social engineering countermeasures
Security awareness training that includes accountability

Social Engineering Attacks
Social engineering - Means of gathering information from individuals by relying on their weaknesses
Social engineering attacks can involve:
Psychological approaches
Physical procedures

Social Engineering Psychology
Psychology - The mental and emotional approach in a social engineering attack
Social engineering psychological attacks rely on the attacker's clever manipulation of human nature to persuade the victim to:
Provide information
Take actions
Several basic principles or reasons make psychological social engineering effective

Social Engineering Effectiveness


Social Engineering Psychological Approaches
Attacker will ask for only small amounts of information, often from several different victims
Request needs to be believable
Attacker pushes the envelope to get information before the victim suspects anything
Flattery and flirtation often used
Attacker may smile and ask for help

Impersonation
Impersonation - Masquerade as a real or fictitious character and then play out the role of that person on a victim
Common roles impersonated:
Repairperson
IT support
Manager
Trusted third party
Fellow employee

Threats to software (cont.)
Back door / maintenance hook
Access holes deliberately planted by a developer
To facilitate easier testing during development
To facilitate production access
To facilitate a break-in
Back door countermeasures
Code reviews
Source code control

Threats to software (cont.)
Logic bombs
Deliberate malfunction that causes harm
Time bombs: activate on a given date and time
Event bombs: activate on a specific event
Logic bomb countermeasures
Software source code review, external audits

Security in the software development life cycle (SDLC)
SDLC
The entire collection of processes used to design, develop, test, implement, and maintain software
Security must be included in each step of the SDLC
Conceptual
Requirements and specifications development
Application design, coding, and testing

Security in the software development life cycle (cont.)
Security in the conceptual stage
Presence of sensitive information must be identified
Access controls (users, administrators, third parties)
Regulatory conditions
Security dependencies

Security in the software development life cycle (cont.)
Security application requirements and specifications
Functional requirements
Standards
Security requirements
Roles, access controls, audit logging, configuration management
Regulatory requirements
Test plan is a byproduct of requirements

Security in the software development life cycle (cont.)
Security in application design
Adhere to all requirements and specifications
Published design documents
Design reviews
Reviewed by all stakeholders including security
Threat risk modeling
Identify threats and risks prior to development
Possible changes to specs, reqs, or design

Security in the software development life cycle (cont.)
Security in application coding
Develop safe code
Free of common vulnerabilities
Use safe libraries that include safe functions for input validation
Security in testing
Testing should verify correct coding of every requirement and specification

Security in the software development life cycle (cont.)
Protect the SDLC itself
Source code access control
Protect source code
Record version changes
Protection of software development and testing tools
Protect from unauthorized modifications
Protection of software development systems
Prevent introduction of malware, back doors, logic bombs

Database architectures
Hierarchical databases: tree structure (no longer produced)
Network databases: complex tree structure (no longer produced)
Object databases: OO, methods stored with data
Distributed databases: physically distributed, any type
Relational databases (RDBMS): in widest use today
Oracle, SQL Server, DB2, MySQL, etc.

Data warehouse
A type of database that is used for decision support and research purposes
A copy of some or all transaction data
Usually refreshed periodically (typically daily)
Indexed and tuned differently than a transaction database
Complex queries into trends do not affect production transactions

Database transactions
Records retrieval
Records update
Records creation
Nested or complex transactions executed as a unit
Begin work <transactions> end work

Database security controls
Access controls
Userids, passwords
Table / row / field level access control
Read-only or read/write
Views
Virtual tables that are a subset of individual tables, or a join between tables
Permission given to views just like real tables
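The "begin work ... end work" unit from the transactions slide and the view from this slide, as an added example that is not from the slides. It uses Python's built-in sqlite3 module; the accounts, departments and employees tables and their rows are constructed sample data. SQLite has no GRANT statement, so the point that permission can be given on the view alone is shown by having the directory reader query only the view.

```python
"""Added example (not from the slides): a multi-step database transaction
executed as a unit (COMMIT or ROLLBACK), and a view that exposes only a
subset of columns through a join.  Schema and rows are constructed."""
import sqlite3


def open_sample_db() -> sqlite3.Connection:
    # isolation_level=None puts sqlite3 in autocommit mode, so BEGIN /
    # COMMIT / ROLLBACK below are issued explicitly, as on the slide.
    con = sqlite3.connect(":memory:", isolation_level=None)
    con.executescript("""
        CREATE TABLE accounts (
            id INTEGER PRIMARY KEY,
            owner TEXT NOT NULL,
            balance INTEGER NOT NULL CHECK (balance >= 0));
        INSERT INTO accounts VALUES (1, 'alice', 100), (2, 'bob', 50);

        CREATE TABLE departments (id INTEGER PRIMARY KEY, name TEXT NOT NULL);
        INSERT INTO departments VALUES (10, 'engineering'), (20, 'finance');
        CREATE TABLE employees (
            id INTEGER PRIMARY KEY, name TEXT NOT NULL, dept_id INTEGER,
            ssn TEXT NOT NULL, salary INTEGER NOT NULL);
        INSERT INTO employees VALUES
            (1, 'alice', 10, '000-00-0001', 90000),
            (2, 'bob',   20, '000-00-0002', 70000);

        -- Directory view: a join, restricted to non-sensitive columns.
        CREATE VIEW employee_directory AS
            SELECT e.id, e.name, d.name AS department
            FROM employees e JOIN departments d ON d.id = e.dept_id;
    """)
    return con


def transfer(con: sqlite3.Connection, src: int, dst: int, amount: int) -> bool:
    """Credit and debit as one unit of work: both happen or neither does."""
    try:
        con.execute("BEGIN")
        con.execute("UPDATE accounts SET balance = balance + ? WHERE id = ?",
                    (amount, dst))
        # The CHECK constraint rejects an overdraft here; without the
        # ROLLBACK below, the credit above would already be in the table.
        con.execute("UPDATE accounts SET balance = balance - ? WHERE id = ?",
                    (amount, src))
        con.execute("COMMIT")
        return True
    except sqlite3.Error:
        if con.in_transaction:
            con.execute("ROLLBACK")
        return False


def balances(con: sqlite3.Connection) -> dict:
    """{account id: balance} as currently committed."""
    return dict(con.execute("SELECT id, balance FROM accounts ORDER BY id"))


def read_directory(con: sqlite3.Connection) -> tuple:
    """What a principal with SELECT on the view (and nothing else) sees:
    no ssn or salary column is reachable through it."""
    cur = con.execute("SELECT * FROM employee_directory ORDER BY id")
    columns = [d[0] for d in cur.description]
    return columns, cur.fetchall()
```

A transfer that overdraws an account fails on the second UPDATE, after the first has already run; the ROLLBACK is what makes the two statements behave as a single unit.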

Phishing
Phishing - Sending an email or displaying a web announcement claiming to be from a legitimate source
May contain legitimate logos and wording
Tries to trick user into giving private information:
Passwords
Credit card numbers
Social Security numbers
Bank account numbers

Phishing Email Message


Common Phishing Features
Deceptive web links - Use variations of a legitimate address (www.ebay_secure.com, www.ebay.com, www.e-baynet.com)
Logos - Include logo of vendor to make request look genuine
Urgent request - Include instructions requiring immediate action or else something serious will occur (user's account will be unavailable or a large amount of money will be deducted from their account)

Phishing Variations
Variations of phishing:
Pharming - Automatically redirects user to fraudulent web site
Spear phishing - Email messages target specific users
Whaling - Going after the "big fish" by targeting wealthy individuals
Vishing (voice phishing) - Attacker calls victim with a recorded message with a callback number, but the number is actually to the attacker

Spam
Spam - Unsolicited email
One of primary vehicles for distribution of malware
Sending spam is lucrative business
Spim - Targets instant messaging users
Image spam:
Uses graphical images of text
Circumvents text-based filters
Often contains nonsense text

Image Spam (Figure 2-9)


Hoaxes
Hoaxes - False warning or claim
May be first step in an attack
Hoax purports that a deadly virus is circulating through the Internet and that the recipient should:
Erase specific files
Change security configurations
Forward message to other users
However, changing configurations allows an attacker to compromise the system

Typo Squatting
Typo squatting (URL hijacking) - Attacker registers a fake look-alike site to which the user is automatically directed after making a typing error when entering a URL address in a web browser (goggle.com or google.net instead of google.com)
Site may contain:
Visitor survey that promises a chance to win prizes (but the attacker actually captures the entered email addresses to sell to spammers)
Ads (for which the attacker receives money for traffic generated to the site)
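A detector for the look-alike hostnames from the "deceptive web links" slide and the typo-squatting slide, as an added example that is not from the slides. The list of protected domains is constructed, and the rule "registrable domain = last two labels" is a simplification that ignores multi-part public suffixes such as co.uk; a real deployment would use a public-suffix list.

```python
"""Added example (not from the slides): flag hostnames that imitate a
protected domain, either by embedding its brand name in another domain
(ebay_secure.com, e-baynet.com, google.net) or by sitting one keystroke
away from it (goggle.com).  PROTECTED is a constructed list."""
from typing import Optional

PROTECTED = {"ebay.com", "google.com"}      # constructed: brands being defended


def registrable_domain(host: str) -> str:
    """'www.ebay.com' -> 'ebay.com'.  Simplified: last two labels only."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch single-keystroke typos."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,               # deletion
                           cur[j - 1] + 1,            # insertion
                           prev[j - 1] + (ca != cb))) # substitution
        prev = cur
    return prev[-1]


def lookalike_reason(host: str) -> Optional[str]:
    """Why `host` looks like a protected domain, or None when it is either
    the genuine domain (any subdomain of it) or unrelated."""
    reg = registrable_domain(host)
    if reg in PROTECTED:
        return None                                # the real thing
    # Drop punctuation so 'e-bay' and 'ebay_secure' both read as 'ebay...'.
    squashed = "".join(ch for ch in reg if ch.isalnum())
    for legit in sorted(PROTECTED):
        brand = legit.split(".")[0]
        if brand in squashed:
            return f"contains brand '{brand}' but is not {legit}"
        if edit_distance(reg.split(".")[0], brand) <= 1:
            return f"one keystroke away from {legit}"
    return None
```

Of the three addresses on the phishing slide, only www.ebay.com comes back as None; the other two are reported because "ebay" appears inside a domain that is not ebay.com.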

Watering Hole Attack
Similar types of animals congregate around a pool of water for refreshment
Watering hole attack - Directed toward a smaller group of specific individuals, such as the major executives working for a manufacturing company
These executives all tend to visit a common website, so the attacker focuses on compromising that site

Securing With Antimalware
Operating system software has continued to add security protections to its core set of features
Third-party antimalware software packages can provide added security
Antimalware software:
Antivirus
Antispam
Popup blockers and antispyware
Host-based firewalls

Antivirus
Antivirus (AV) - Software that examines a computer for infections
Static analysis - Scan files by attempting to match known virus patterns against potentially infected files
Host AV software contains a virus scanning engine and a database of known virus signatures
By comparing virus signatures against a potentially infected file (string scanning), a match may indicate an infected file

Antivirus Scanning
Wildcard scanning - Wildcard is allowed to skip bytes or ranges of bytes instead of looking for an exact match
Mismatch scanning - Mismatches allow a set number of bytes in the string to be any value regardless of their position in the string
Weakness of static analysis is that the AV vendor must constantly be searching for new viruses, extracting virus signatures, and distributing those updated databases to all users
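The three static-scanning modes from the previous two slides (string, wildcard and mismatch scanning) in one scanner, as an added example that is not from the slides. The signature "DE AD ?? EF CA FE" and the byte strings it is run against are made up for the demonstration and correspond to no real malware.

```python
"""Added example (not from the slides): signature scanning with exact
string matching, '??' wildcard bytes that are skipped, and a tolerated
number of mismatched bytes.  Signature and samples are constructed."""
from typing import List, Optional

Signature = List[Optional[int]]      # None marks a wildcard byte


def parse_signature(text: str) -> Signature:
    """'DE AD ?? EF' -> [0xDE, 0xAD, None, 0xEF]."""
    return [None if tok == "??" else int(tok, 16) for tok in text.split()]


def matches_at(data: bytes, offset: int, sig: Signature,
               max_mismatches: int = 0) -> bool:
    """Compare sig against data[offset:], skipping wildcard positions and
    tolerating up to max_mismatches differing bytes anywhere in the string."""
    if offset + len(sig) > len(data):
        return False
    mismatches = 0
    for i, expected in enumerate(sig):
        if expected is None:              # wildcard: any byte is accepted
            continue
        if data[offset + i] != expected:
            mismatches += 1
            if mismatches > max_mismatches:
                return False
    return True


def scan(data: bytes, sig: Signature, max_mismatches: int = 0) -> List[int]:
    """Every offset at which the signature matches.  With no wildcards and
    max_mismatches=0 this is plain string scanning."""
    return [off for off in range(len(data) - len(sig) + 1)
            if matches_at(data, off, sig, max_mismatches)]


# Constructed samples: one exact hit, one with a single byte altered, one clean.
SIG = parse_signature("DE AD ?? EF CA FE")
SAMPLE_EXACT = bytes([0x00, 0x11, 0xDE, 0xAD, 0x42, 0xEF, 0xCA, 0xFE, 0x99])
SAMPLE_VARIANT = bytes([0x00, 0x11, 0xDE, 0xAD, 0x42, 0xEF, 0xCB, 0xFE, 0x99])
SAMPLE_CLEAN = bytes(range(16))
```

The variant sample differs from the exact one in a single byte, so an exact scan misses it and a scan with max_mismatches=1 still finds it at the same offset; this is the trade-off the mismatch mode buys, at the cost of a higher false-positive risk.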

Antivirus Detection
Dynamic heuristic detection - Uses a variety of techniques to spot characteristics of a virus instead of attempting to make matches
Code emulation - Virtual environment is created that simulates the central processing unit (CPU) and memory of the computer
Any questionable program code is executed in the virtual environment (no actual virus code is executed by the real CPU) to determine if it is a virus

Antispam
Spammers can distribute malware through email attachments or use email for social engineering attacks
Bayesian filtering - Analyzes every word in each email and determines how frequently a word occurs in the spam pile compared to the not-spam pile
Create lists of senders:
Blacklist - Allow everything in unless it appears on the list
Whitelist - List of approved senders
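The word-frequency comparison behind Bayesian filtering, together with the sender blacklist and whitelist from this slide, as an added example that is not from the slides. The two training piles and the addresses are constructed, and the classifier is a plain naive Bayes with add-one smoothing, which is one standard way to turn per-word spam/not-spam counts into a score.

```python
"""Added example (not from the slides): a naive Bayes spam filter built from
per-word counts in a spam pile and a not-spam pile, plus blacklist and
whitelist sender checks.  All messages and addresses are constructed."""
import math
from collections import Counter
from typing import List, Set

# Constructed training piles.
SPAM_PILE = ["win free prize now", "free money click now", "claim your free prize"]
HAM_PILE = ["meeting agenda for monday", "lunch tomorrow with the team",
            "please review the agenda"]


def tokenize(text: str) -> List[str]:
    return [w for w in text.lower().split() if w.isalpha()]


class BayesianFilter:
    """Counts how often each word occurs in spam versus not-spam, with
    Laplace (+1) smoothing so a word unseen in one pile does not zero it out."""

    def __init__(self, spam: List[str], ham: List[str]):
        self.spam_counts = Counter(w for m in spam for w in tokenize(m))
        self.ham_counts = Counter(w for m in ham for w in tokenize(m))
        self.vocab = set(self.spam_counts) | set(self.ham_counts)
        self.prior_spam = len(spam) / (len(spam) + len(ham))

    def _p_word(self, word: str, counts: Counter) -> float:
        return (counts[word] + 1) / (sum(counts.values()) + len(self.vocab))

    def word_spamminess(self, word: str) -> float:
        """Relative frequency of the word in spam vs not-spam, scaled to
        0..1; 0.5 means the word is no evidence either way."""
        ps = self._p_word(word, self.spam_counts)
        ph = self._p_word(word, self.ham_counts)
        return ps / (ps + ph)

    def spam_probability(self, text: str) -> float:
        """P(spam | words), combining every word's evidence in log space."""
        log_spam = math.log(self.prior_spam)
        log_ham = math.log(1 - self.prior_spam)
        for w in tokenize(text):
            log_spam += math.log(self._p_word(w, self.spam_counts))
            log_ham += math.log(self._p_word(w, self.ham_counts))
        return 1 / (1 + math.exp(log_ham - log_spam))

    def is_spam(self, text: str, threshold: float = 0.5) -> bool:
        return self.spam_probability(text) >= threshold


def sender_allowed(sender: str, blacklist: Set[str], whitelist: Set[str] = frozenset()) -> bool:
    """Whitelist mode: only approved senders get in.  Otherwise blacklist
    mode: everything gets in unless the sender appears on the list."""
    sender = sender.lower()
    if whitelist:
        return sender in whitelist
    return sender not in blacklist
```

With these piles, "free" scores well above 0.5 and "agenda" well below, so a message such as "free prize now" is classified as spam while "team meeting agenda" is not; a real filter is trained on thousands of messages, but the arithmetic is the same.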

Pop-up Blocker
Pop-up - Small window appearing over a webpage, usually created by advertisers
Pop-up blocker - Separate program (as part of an antispyware package) or feature incorporated within the browser that allows the user to limit or block most pop-ups
Alert can be displayed in the browser and gives the user the option to display the pop-up

Summary
Operating system components: kernel, device drivers, tools
Operating system functions: authentication, resource access, access control, communication, event logging
Types of applications: agents, applets, client-server, distributed, web
Application language types: control flow, structured, object oriented, knowledge based

Summary (cont.)
Reasons for threats to applications: industrial espionage, vandalism and disruption, denial of service, political / religious
Types of threats: buffer overflow, covert channel, side channel, malware, input attacks, object reuse, mobile code, social engineering, back door, logic bomb

Summary (cont.)
Software development life cycle (SDLC) steps: conceptual, requirements / specifications, design, coding, testing, maintenance
Source code control, configuration management
Software environment security controls: authentication, access control, role based access control (RBAC), audit logging

Summary (cont.)
Types of databases: hierarchical, network, distributed, object-oriented, relational (most common)
Database security controls: userid, access control, audit logging, views
