1 / 86

Security+ Guide to Network Security Fundamentals, Third Edition

Security+ Guide to Network Security Fundamentals, Third Edition. Chapter 3 Protecting Systems. Objectives. Explain how to harden operating systems List ways to prevent attacks through a Web browser Define SQL injection and explain how to protect against it

verlee
Download Presentation

Security+ Guide to Network Security Fundamentals, Third Edition

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Security+ Guide to Network Security Fundamentals, Third Edition Chapter 3 Protecting Systems

  2. Objectives • Explain how to harden operating systems • List ways to prevent attacks through a Web browser • Define SQL injection and explain how to protect against it • Explain how to protect systems from communications-based attacks • Describe various software security applications

  3. Hardening the Operating System • Hardening the operating system to resist attacks is often a three-pronged approach that involves: • Managing updates to the operating system • Protecting against buffer overflows • Configuring operating system protections

  4. Managing Operating System Updates Due to the increased length and complexity of operating systems unintentional vulnerabilities were introduced and then these were exploited by attackers

  5. Managing Operating System Updates • Operating systems are huge and contain many bugs (errors in code) • Linux contains 0.17 bug per 1,000 lines of code • Typical commercial software contains 20-30 bugs per 1,000 lines of code. • 81 bugs a day were reported for Windows Vista Beta 2. • Some of those bugs create vulnerabilities

  6. Managing Operating System Updates (continued)

  7. Managing Operating System Updates (continued) • Update terminology (continued) • Security patch • A general software security update intended to cover vulnerabilities that have been discovered • Hotfix addresses a specific customer situation • Often may not be distributed outside that customer’s organization • Service pack • A cumulative package of all security updates plus additional features

  8. Managing Operating System Updates (continued) • Patch management techniques • Install updates automatically • Download updates but let me choose whether to install them • Check for updates but let me choose whether to download and install them • Never check for updates • Patches can sometimes create new problems

  9. IS 493 Fall - Eyas El-Qawasmeh

  10. Recommendation • Manage patches locally instead of relying upon the vendor’s online update service. Why? Because it has many advantages.

  11. Manage patches locally instead of relying upon the vendors

  12. Buffer Overflow Protection • Buffer overflow • Occurs when a process attempts to store data in random access memory (RAM) beyond the boundaries of a fixed-length storage buffer • Extra data overflows into the adjacent memory locations and under certain conditions may cause the computer to stop functioning • Attackers also use a buffer overflow in order to compromise a computer

  13. Buffer Overflow Protection (continued) • Basic defenses • Write “defensive” program code that will protect against these attacks • Use a programming language that makes these attacks more difficult • For Windows-based systems, there are two defenses against buffer overflows • Data execution prevention (DEP) • Address space layout randomization (ASLR)

  14. Buffer Overflow Protection (continued) • Data Execution Prevention (DEP) • Most modern CPUs support an NX (No eXecute)bit to designate a part of memory for containing only data. • DEP will not allow code in the memory area to be executed. • Windows Vista allows software developers to enable NX hardware protection specifically for the application software that they develop.

  15. Buffer Overflow Protection (continued) • Address Space Layout Randomization (ASLR) • Randomly assigns executable operating system code to one of 256 possible locations in memory (ASRL moves the function entry point. The chance is 1/256) • This makes it harder for an attacker to locate and take advantage of any functionality inside these executables • ASLR is most effective when it is used in conjunction with DEP

  16. Configuring Operating System Protection • Most organizations take a four-fold approach to configuring operating system protections: • Security policy • Configuration baseline (OS configuration) • Security template ( For all computers instead of one) • Deployment ( deploy security template)

  17. Preventing Attacks That Target the Web Browser • These attacks involve using: • Cookies • JavaScript • Java • ActiveX • Cross-site scripting

  18. What is Cookies - Privacy • A cookie is a piece of text that a web server can store on the hard drive of your computer. • Cookies allow a web site to store information on your computer and later retrieve it.

  19. Web browser client software Get a web page text When you ask to see a particular web site Client Server The web site may put a cookie on your computer’s hard drive

  20. A cookie is simply a piece of data with a name A cookie is not a program A cookie can’t do anything It can retrieve only the information that it has placed on your computer It cannot retrieve information from other cookie files When a website puts a cookie on your hard drive More about cookies

  21. text What else are cookies good for? • Cookies are used by web sites that sell things online • As you click on various items to purchase which are usually on many different pages of the site, you are adding them to your cart • The web site knows who the cart owner is because it left a cookie on your computer as an identifier • So at checkout time, it knows which items you are purchasing

  22. Privacy levels • You can control how internet sites can put cookies on your computer in two ways • By setting a privacy level for allsites you visit • By setting a privacy level for specific sites • In Internet Explorer there are 5 privacy levels

  23. 2 1 To see or set your privacy levels

  24. How to see the levels on the Privacy tab Move this slider up or down to see the five levels

  25. No, you wouldn’t be able to purchase online , unless that website allows you to register and sign in Highest privacy level Question: if I select Block all Cookies can I still purchase items from a website?

  26. It may not be dangerous but you may get more tracking cookies than you want. Lowest privacy level Question: if I select Accept All Cookies is that dangerous?

  27. Pick one of these settings

  28. On a per site basis • You can choose which sites to allow or block cookies

  29. A cookie is simply a piece of data with a name A cookie is not a program A cookie can’t do anything It can retrieve only the information that it has placed on your computer It cannot retrieve information from other cookie files When a website puts a cookie on your hard drive More about cookies

  30. JavaScript • JavaScript is not Java, or even related to Java. • Statements in JavaScript resemble statements in Java, because both languages borrowed heavily from the C language. • JavaScript is seldom used to write complete “programs” • Developed by Netscape company. • JavaScript is reasonably platform-independent IS 493 Fall - Eyas El-Qawasmeh

  31. JavaScript (continued) • Several defense mechanisms prevent JavaScript programs from causing serious harm: • JavaScript does not support certain capabilities • JavaScript has no networking capabilities (Can not use a local computer to launch attacks on other network computers) • Other security concerns remain: • JavaScript programs can capture and send user information without the user’s knowledge or authorization • The defense against JavaScript is to disable it within the Web browser

  32. Quiz: In the last slide, we said that JavaScript does not support certain capabilities. Explain this? • It means that Java script running on a local computer cannot read, write, create, delete, or list the files on that computer. IS 493 Fall - Eyas El-Qawasmeh

  33. Quiz: Give an example of JavaScript? • JavaScript code is included within <script> tags: • <script type="text/javascript"> document.write("<h1>Hello World!</h1>") ;</script> IS 493 Fall - Eyas El-Qawasmeh

  34. Quiz: Where we include Java Script? • JavaScript can be put in the<head>or in the <body>of an HTML document • JavaScript functions can be put in a separate.jsfile • <script src="myJavaScriptFile.js"></script> • JavaScript can be put in an HTML form object, such as a button • This JavaScript will be executed when the form object is used IS 493 Fall - Eyas El-Qawasmeh

  35. Java • Java • A complete object-oriented programming language created by Sun Microsystems. • Can be used to create standalone applications. • Java can be used to create a special type of smaller application called Java applet. • Java applet • A separate program stored on a Web server and downloaded onto a user’s computer along with HTML code • Can also be made into hostile ( غير ودي . خصم) programs IS 493 Fall - Eyas El-Qawasmeh

  36. Java (continued) • Sandbox (software) is a defense against a hostile Java applet • Surrounds program and keeps it away from private data and other resources on a local computer • Two types of Java applets: • Unsigned Java applet: program that does not come from a trusted source • Signed Java applet: has information proving the program is from a trusted source and has not been altered IS 493 Fall - Eyas El-Qawasmeh

  37. ActiveX • Set of technologies developed by Microsoft • Not a programming language but a set of rules for how applications should share information • ActiveX controls • Also called add-ons or ActiveX applications • Represent a specific way of implementing ActiveX • Can perform many of the same functions of a Java applet, but do not run in a sandbox • Have full access to Windows operating system • ActiveX poses a number of security concerns

  38. ActiveX (continued) • Nearly all ActiveX control security mechanisms are set in Internet Explorer • ActiveX controls do not rely exclusively on Internet Explorer • However, can be installed and executed independently • The defense against ActiveX is to disable it within the Web browser IS 493 Fall - Eyas El-Qawasmeh

  39. Video about AtiveX (continued) • http://www.youtube.com/watch?v=ZMdum9J7FdY • http://www.youtube.com/watch?v=wvKq3D71iYo • http://www.youtube.com/watch?v=tI9gL4yjaTM IS 493 Fall - Eyas El-Qawasmeh

  40. Cross Site Scripting (XSS) • Cross Site Scripting (XSS) • An attack in which malicious code is inserted into a specific type of dynamic Web page. • Typically involves using client-side scripts written in JavaScript or ActiveX • Designed to extract information from the victim and then pass the information to the attacker • Targeted to Web sites that dynamically generate Web pages that redisplay (echo) user input that has not been properly validated

  41. Cross-Site Scripting? The three conditions for Cross-Site Scripting: 1. A Web application accepts user input • Well, which Web application doesn't? 2. The input is used to create dynamic content • Again, which Web application doesn't? 3. The input is insufficiently validated • Most Web applications don't validate sufficiently!

  42. Cross-Site Scripting? • Cross-Site Scripting aka „XSS“ or „CSS“ • The players: • An Attacker • Anonymous Internet User • Malicious Internal User • A company’s Web server (i.e. Web application) • External (e.g.: Shop, Information, CRM, Supplier) • Internal (e.g.: Employees Self Service Portal) • A Client • Any type of customer • Anonymous user accessing the Web-Server

  43. Post Forum Message: Subject: GET Money for FREE !!! Body: <script> attack code </script> Get /forum.jsp?fid=122&mid=2241 GET Money for FREE !!! <script> attack code </script> XSS-Attack: General Overview Attacker Web Server Did you know this? ..... GET Money for FREE !!! <script> attack code </script> Re: Error message on startup ..... I found a solution! ..... Can anybody help? ..... Error message on startup ..... This is only one example out of many attack scenarios! 1. Attacker sends malicious code 2.Server stores message 3.User requests message 4.Message is delivered by server Client 5.Browser executes script in message !!! attack code !!!

  44. In other words :Cross-Site Scripting • Scripting: Web Browsers can execute commands • Embedded in HTML page • Supports different languages (JavaScript, VBScript, ActiveX, etc.) • Most prominent: JavaScript • “Cross-Site” means: Foreign script sent via server to client • Attacker „makes“ Web-Server deliver malicious script code • Malicious script is executed in Client’s Web Browser • Attack: • Steal Access Credentials, Denial-of-Service, Modify Web pages • Execute any command at the client machine

  45. Simple XSS Attack http://myserver.com/test.jsp?name=Stefan <HTML> <Body> Welcome Stefan </Body> </HTML> http://myserver.com/welcome.jsp?name=<script>alert("Attacked")</script> <HTML> <Body> Welcome <script>alert("Attacked")</script> </Body> </HTML> (c) 2005, EUROSEC GmbH Chiffriertechnik & Sicherheit

  46. XSS Solution Input Validation But what is to consider “Input”?

More Related