2. Slide 2
*Threat and Security
*Security needed when threat is there.
*Need to know threat.
*Need to know the weak points that raises a
threat (vulnerability).
3. Slide 3
*Threats, Vulnerabilities, and
Attacks
*A threat is any potential occurrence, malicious
or otherwise, that could harm an asset.
*In other words, a threat is any bad thing that
can happen to the assets.
4. Slide 4
*Threats, Vulnerabilities, and
Attacks
*A vulnerability is a weakness that makes a
threat possible.
*This may be because of poor design,
configuration mistakes, or inappropriate and
insecure coding techniques.
*Weak input validation is an example of an
application layer vulnerability, which can result
in input attacks.
5. Slide 5
*Threats, Vulnerabilities, and
Attacks
*An attack is an action that exploits a
vulnerability or enacts a threat.
*Examples of attacks include sending malicious
input to an application or flooding a network in
an attempt to deny service.
6. Slide 6
*Threats, Vulnerabilities, and
Attacks
To summarize, a threat is a potential
event that can adversely affect an
asset, whereas a successful attack
exploits vulnerabilities in a system.
7. Slide 7
*Terminology
*Asset: A resource of value such as the data in a
database or on the file system, or a system resource
*Entry/Exit Points: Ways to get at an asset
*Risk: Likelihood that vulnerability could be
exploited
*Mitigation: Something that addresses a specific
vulnerability
*Countermeasure: A safeguard that addresses a
threat and mitigates risk
We can mitigate vulnerabilities…
…but the threat still exists!!!
8. Slide 8
*The Foundations of
Security
Security relies on the following elements:
*Authentication
*Authorization
*Auditing
*Confidentiality
*Integrity
*Availability
9. Slide 9
*Authentication
*Authentication addresses the question: who are
you?
*It is the process of uniquely identifying the
clients of your applications and services.
*These might be end users, other services,
processes, or computers.
*In security parlance, authenticated clients are
referred to as principals.
10. Slide 10
*Authorization
*Authorization addresses the question: what can
you do?
*It is the process that governs the resources and
operations that the authenticated client is
permitted to access.
*Resources include files, databases, tables,
rows, and so on, together with system-level
resources such as registry keys and
configuration data.
*Operations include performing transactions
such as purchasing a product, transferring
money from one account to another, or
increasing a customer’s credit rating.
11. Slide 11
*Auditing
*Effective auditing and logging is the key to
non-repudiation.
*Non-repudiation guarantees that a user cannot
deny performing an operation or initiating a
transaction.
*For example, in an e-commerce system, non-
repudiation mechanisms are required to make
sure that a consumer cannot deny ordering 100
copies of a particular book.
12. Slide 12
*Confidentiality
*Confidentiality, also referred to as privacy, is
the process of making sure that data remains
private and confidential, and that it cannot be
viewed by unauthorized users or eavesdroppers
who monitor the flow of traffic across a
network.
*Encryption is frequently used to enforce
confidentiality. Access control lists (ACLs) are
another means of enforcing confidentiality.
13. Slide 13
*Integrity
*Integrity is the guarantee that data is
protected from accidental or deliberate
(malicious) modification.
*Like privacy, integrity is a key concern,
particularly for data passed across networks.
*Integrity for data in transit is typically provided
by using hashing techniques and message
authentication codes.
14. Slide 14
*Availability
*From a security perspective, availability means
that systems remain available for legitimate
users.
*The goal for many attackers with denial of
service attacks is to crash an application or to
make sure that it is sufficiently overwhelmed
so that other users cannot access the
application.
15. Slide 15
*The Holistic Approach
Securing Web Application takes three
approaches:
•Securing the Network
•Securing the Host (Server environment)
•Securing the Application (Code and techniques)
16. Slide 16
*Securing the Network
The three core elements of a secure network
are:
*Router
*Firewall
*Switch
17. Slide 17
*Securing the Network
Router:
*Routers are your outermost network ring.
*They direct packets to the ports and protocols
that we have prepared our applications to work
with.
*Insecure TCP/IP protocols are blocked at this
ring.
18. Slide 18
*Securing the Network
Firewall:
*The firewall blocks those protocols and ports
that the application does not use.
*Additionally, firewalls enforce secure network
traffic by providing application specific
filtering to block malicious communications.
19. Slide 19
*Securing the Network
Switch:
*Switches are used to separate network
segments.
*They are frequently overlooked or over
trusted.
20. Slide 20
*Securing the Host
*The host includes the operating system and
.NET Framework, together with associated
services and components.
*A Web server running IIS, an application server
running Enterprise Services, or a database
server running SQL Server, all need to adhere
to a general security methodology that is
common across the various server roles and
types.
21. Slide 21
*Securing the
Application
Securing the application goes around following
Vulnerability Categories:
*Input Validation
*Authentication
*Authorization
*Configuration Management
*Sensitive Data
23. Slide 23
*Threats and
Countermeasures
*Become familiar with specific threats that
affect the network host and application.
*Use the threats to identify risk.
*Apply countermeasures to address
vulnerabilities.
*When design, build, and secure new systems,
keep the threats in mind.
24. Slide 24
*Anatomy of an Attack
Survey and assess:
*Surveying and assessing the potential target are
done in tandem.
*The first step an attacker usually takes is to survey
the potential target to identify and assess its
characteristics.
*These characteristics may include its supported
services and protocols together with potential
vulnerabilities and entry points.
*The attacker uses the information gathered in the
survey and assess phase to plan an initial attack.
25. Slide 25
*Anatomy of an Attack
Exploit and penetrate:
*Having surveyed a potential target, the next
step is to exploit and penetrate.
*If the network and host are fully secured, your
application (the front gate) becomes the next
channel for attack.
26. Slide 26
*Anatomy of an Attack
Escalate privileges
*After attackers manage to compromise an
application or network, they immediately
attempt to escalate privileges.
*Specifically, they look for administration
privileges provided by accounts that are
members of the Administrators group.
*They also seek out the high level of privileges
offered by the local system account.
27. Slide 27
*Anatomy of an Attack
Maintain access:
*Having gained access to a system, an attacker takes
steps to make future access easier and to cover his
or her tracks.
*Common approaches for making future access
easier include planting back-door programs or using
an existing account that lacks strong protection.
*Covering tracks typically involves clearing logs and
hiding tools.
*As such, audit logs are a primary target for the
attacker.
28. Slide 28
*Anatomy of an Attack
Deny service:
*Attackers who cannot gain access often mount a
denial of service attack to prevent others from
using the application.
*For other attackers, the denial of service option is
their goal from the outset.
*An example is the SYN flood attack, where the
attacker uses a program to send a flood of TCP SYN
requests to fill the pending connection queue on
the server.
*This prevents other users from establishing network
connections.
29. Slide 29
*Understanding Threat
Categories
•Threats faced by the application can
be categorized based on the goals
and purposes of the attacks.
•STRIDE is the acronym used at
Microsoft to categorize different
threat types.
STRIDE
30. Slide 30
*STRIDESTRIDE stands for:
*Spoofing
*Tampering.
*Repudiation.
*Information disclosure.
*Denial of service.
*Elevation of privilege.
31. Slide 31
*STRIDESpoofing
•Spoofing is attempting to gain access to a system
by using a false identity.
•This can be accomplished using stolen user
credentials or a false IP address.
•After the attacker successfully gains access as a
legitimate user or host, elevation of privileges or
abuse using authorization can begin.
33. Slide 33
*STRIDERepudiation:
•Repudiation is the ability of users (legitimate or
otherwise) to deny that they performed specific
actions or transactions.
•Without adequate auditing, repudiation attacks
are difficult to prove.
34. Slide 34
*STRIDE
Information disclosure:
•Information disclosure is the unwanted exposure of
private data.
•For example, a user views the contents of a table or
file he or she is not authorized to open, or monitors
data passed in plaintext over a network.
•Some examples of information disclosure
vulnerabilities include the use of hidden form fields,
comments embedded in Web pages that contain
database connection strings and connection details,
and weak exception handling that can lead to
internal system level details being revealed to the
client.
•Any of this information can be very useful to the
attacker.
35. Slide 35
*STRIDEDenial of service:
•Denial of service is the process of making a
system or application unavailable.
•For example, a denial of service attack might be
accomplished by bombarding a server with
requests to consume all available system
resources or by passing it malformed input data
that can crash an application process.
36. Slide 36
*STRIDEElevation of privilege:
•Elevation of privilege occurs when a user with
limited privileges assumes the identity of a
privileged user to gain privileged access to an
application.
•For example, an attacker with limited privileges
might elevate his or her privilege level to
compromise and take control of a highly
privileged and trusted process or account.
37. Slide 37
*STRIDE Threats and
Countermeasures
Spoofing user identity
*Use strong authentication.
*Do not store secrets (for example, passwords)
in plaintext.
*Do not pass credentials in plaintext over the
wire.
*Protect authentication cookies with Secure
Sockets Layer (SSL).
38. Slide 38
*STRIDE Threats and
Countermeasures
Tampering with data
*Use data hashing and signing.
*Use digital signatures.
*Use strong authorization.
*Use tamper-resistant protocols across
communication links.
*Secure communication links with protocols that
provide message integrity.
39. Slide 39
*STRIDE Threats and
Countermeasures
Repudiation
*Create secure audit trails.
*Use digital signatures.
40. Slide 40
*STRIDE Threats and
Countermeasures
Information disclosure
*Use strong authorization.
*Use strong encryption.
*Secure communication links with protocols that
provide message confidentiality.
*Do not store secrets (for example, passwords)
in plaintext.
41. Slide 41
*STRIDE Threats and
Countermeasures
Denial of service
*Use resource and bandwidth throttling
techniques.
*Validate and filter input.
42. Slide 42
*STRIDE Threats and
Countermeasures
Elevation of privilege
*Follow the principle of least privilege.
*Use least privileged service accounts to run
processes and access resources.
43. Slide 43
*Network Threats and
Countermeasures
Top network level threats are:
*Information gathering
*Sniffing
*Spoofing
*Session hijacking
*Denial of service
44. Slide 44
*Network Threats and
Countermeasures
Information gathering defined:
*Network devices can be discovered and
profiled in much the same way as other types
of systems.
*Attackers usually start with port scanning.
After they identify open ports, they use banner
grabbing and enumeration to detect device
types and to determine operating system and
application versions.
*Armed with this information, an attacker can
attack known vulnerabilities that may not be
updated with security patches.
45. Slide 45
*Network Threats and
Countermeasures
Information gathering counter-measures:
*Configure routers to restrict their responses to
foot-printing requests.
*Configure operating systems that host network
software (for example, software firewalls) to
prevent foot-printing by disabling unused
protocols and unnecessary ports.
46. Slide 46
*Network Threats and
Countermeasures
Sniffing defined
*Sniffing or eavesdropping is the act of monitoring
traffic on the network for data such as plaintext
passwords or configuration information.
*With a simple packet sniffer, an attacker can easily
read all plaintext traffic.
*Also, attackers can crack packets encrypted by
lightweight hashing algorithms and can decipher the
payload that you considered to be safe.
*The sniffing of packets requires a packet sniffer in
the path of the server/client communication.
47. Slide 47
*Network Threats and
Countermeasures
Sniffing counter-measures:
*Use strong physical security and proper
segmenting of the network.
*This is the first step in preventing traffic from
being collected locally.
*Encrypt communication fully, including
authentication credentials.
*This prevents sniffed packets from being usable
to an attacker.
*SSL and IPSec (Internet Protocol Security) are
examples of encryption solutions.
48. Slide 48
*Network Threats and
Countermeasures
Spoofing defined
*Spoofing is a means to hide one’s true identity
on the network.
*To create a spoofed identity, an attacker uses a
fake source address that does not represent
the actual address of the packet.
*Spoofing may be used to hide the original
source of an attack or to work around network
access control lists (ACLs) that are in place to
limit host access based on source address
rules.
49. Slide 49
*Network Threats and
Countermeasures
Spoofing counter-measures:
*Filter incoming packets that appear to come
from an internal IP address at your perimeter.
*Filter outgoing packets that appear to originate
from an invalid local IP address.
50. Slide 50
*Network Threats and
Countermeasures
Session hijacking defined
*Also known as man in the middle attacks,
session hijacking deceives a server or a client
into accepting the upstream host as the actual
legitimate host.
*Instead the upstream host is an attacker’s host
that is manipulating the network so the
attacker’s host appears to be the desired
destination.
51. Slide 51
*Network Threats and
Countermeasures
Session hijacking counter-measures:
*Use encrypted session negotiation.
*Use encrypted communication channels.
*Stay informed of platform patches to fix
TCP/IP vulnerabilities, such as predictable
packet sequences.
52. Slide 52
*Network Threats and
Countermeasures
Denial of service defined
*Denial of service denies legitimate users access to a
server or services.
*The SYN flood attack is a common example of a
network level denial of service attack.
*It is easy to launch and difficult to track.
*The aim of the attack is to send more requests to a
server than it can handle.
*The attack exploits a potential vulnerability in the
TCP/IP connection establishment mechanism and
floods the server’s pending connection queue.
53. Slide 53
*Network Threats and
Countermeasures
Denial of service counter-measures:
*Apply the latest service packs.
*Harden the TCP/IP stack by applying the
appropriate registry settings to increase the
size of the TCP connection queue, decrease the
connection establishment period, and employ
dynamic backlog mechanisms to ensure that
the connection queue is never exhausted.
*Use a network Intrusion Detection System (IDS)
because these can automatically detect and
respond to SYN attacks.
54. Slide 54
*Host Threats and
Countermeasures
Top host level threats are:
*Viruses, Trojan horses, and worms
*Footprinting
*Profiling
*Password cracking
*Denial of service
*Arbitrary code execution
*Unauthorized access
55. Slide 55
*Host Threats and
Countermeasures
Viruses, Trojan horses, and worms
*A virus is a program that is designed to perform
malicious acts and cause disruption to your
operating system or applications.
*A Trojan horse resembles a virus except that the
malicious code is contained inside what appears to
be a harmless data file or executable program.
*A worm is similar to a Trojan horse except that it
self-replicates from one server to another. Worms
are difficult to detect because they do not regularly
create files that can be seen. They are often
noticed only when they begin to consume system
resources because the system slows down or the
execution of other programs halt.
56. Slide 56
*Host Threats and
Countermeasures
Viruses, Trojan horses, and worms counter-
measures:
*Stay current with the latest operating system
service packs and software patches.
*Block all unnecessary ports at the firewall and host.
*Disable unused functionality including protocols and
services.
*Harden weak, default configuration settings.
57. Slide 57
*Host Threats and
Countermeasures
Footprinting
*Examples of footprinting are port scans, ping
sweeps, and NetBIOS enumeration that can be used
by attackers to glean valuable system-level
information to help prepare for more significant
attacks.
*The type of information potentially revealed by
footprinting includes account details, operating
system and other software versions, server names,
and database schema details.
58. Slide 58
*Host Threats and
Countermeasures
Footprinting counter-measures:
*Disable unnecessary protocols.
*Lock down ports with the appropriate firewall
configuration.
*Use TCP/IP and IPSec filters for defense in depth.
*Configure IIS to prevent information disclosure
through banner grabbing.
*Use an IDS that can be configured to pick up
footprinting patterns and reject suspicious traffic.
59. Slide 59
*Host Threats and
Countermeasures
Password cracking
*If the attacker cannot establish an anonymous
connection with the server, he or she will try to
establish an authenticated connection.
*For this, the attacker must know a valid username and
password combination.
*If you use default account names, you are giving the
attacker a head start.
*Then the attacker only has to crack the account’s
password.
*The use of blank or weak passwords makes the
attacker’s job even easier.
60. Slide 60
*Host Threats and
Countermeasures
Password cracking counter-measures:
*Use strong passwords for all account types.
*Apply lockout policies to end-user accounts to
limit the number of retry attempts that can be
used to guess the password.
*Do not use default account names, and rename
standard accounts such as the administrator’s
account and the anonymous Internet user
account used by many Web applications.
*Audit failed logins for patterns of password
hacking attempts.
61. Slide 61
*Host Threats and
Countermeasures
Denial of service
*Denial of service can be attained by many
methods aimed at several targets within your
infrastructure.
*At the host, an attacker can disrupt service by
brute force against your application, or an
attacker may know of a vulnerability that
exists in the service your application is hosted
in or in the operating system that runs your
server.
62. Slide 62
*Host Threats and
Countermeasures
Denial of service counter-measures:
*Configure your applications, services, and operating
system with denial of service in mind.
*Stay current with patches and security updates.
*Harden the TCP/IP stack against denial of service.
*Make sure your account lockout policies cannot be
exploited to lock out well known service accounts.
*Make sure your application is capable of handling
high volumes of traffic and that thresholds are in
place to handle abnormally high loads.
*Review your application’s failover functionality.
*Use an IDS that can detect potential denial of
service attacks.
63. Slide 63
*Host Threats and
Countermeasures
Arbitrary code execution
*If an attacker can execute malicious code on
your server, the attacker can either
compromise server resources or mount further
attacks against downstream systems.
*The risks posed by arbitrary code execution
increase if the server process under which the
attacker’s code runs is over-privileged.
*Common vulnerabilities include weak IID
configuration and unpatched servers that allow
path traversal and buffer overflow attacks,
both of which can lead to arbitrary code
execution.
64. Slide 64
*Host Threats and
Countermeasures
Arbitrary code execution counter-measures:
*Configure IIS to reject URLs with “../” to
prevent path traversal.
*Lock down system commands and utilities with
restricted ACLs.
*Stay current with patches and updates to
ensure that newly discovered buffer overflows
are speedily patched.
65. Slide 65
*Host Threats and
Countermeasures
Unauthorized access
*Inadequate access controls could allow an
unauthorized user to access restricted
information or perform restricted operations.
*Common vulnerabilities include weak IIS Web
access controls, including Web permissions and
weak NTFS permissions.
66. Slide 66
*Host Threats and
Countermeasures
Unauthorized access counter-measures:
*Configure secure Web permissions.
*Lock down files and folders with restricted
NTFS permissions.
*Use .NET Framework access control
mechanisms within your ASP.NET applications,
including URL authorization and principal
permission demands.
68. Slide 68
*Application Threats and
Countermeasures
Category: Authorization
Threats:
*Elevation of privilege
*Disclosure of confidential data
*Data tampering
*Luring attacks
69. Slide 69
*Application Threats and
Countermeasures
Category: Configuration management
Threats:
*Unauthorized access to administration
interfaces
*Unauthorized access to configuration stores
*Retrieval of clear text configuration data
*Lack of individual accountability
*Overprivileged process and service accounts
70. Slide 70
*Application Threats and
Countermeasures
Category: Sensitive data
Threats:
*Access sensitive data in storage
*Network eavesdropping
*Data tampering
71. Slide 71
*Application Threats and
Countermeasures
Category: Session management
Threats:
*Session hijacking
*Session replay
*Man in the middle
72. Slide 72
*Application Threats and
Countermeasures
Category: Cryptography
Threats:
*Poor key generation or key management
*Weak or custom encryption
74. Slide 74
*Application Threats and
Countermeasures
Category: Exception management
Threats:
*Information disclosure
*Denial of service
75. Slide 75
*Application Threats and
Countermeasures
Category: Auditing and logging
Threats:
*User denies performing an operation
*Attacker exploits an application without trace
*Attacker covers his or her tracks
76. Slide 76
*Way ahead
*Details of Application level threats and
countermeasures.
*Threat Modeling.
*Answers to unanswered questions.