Architecture Evangelist
Kangkan Goswami
*Improving Web
Application Security
Slide 2
*Threat and Security
*Security is needed only where a threat exists.
*We need to know the threat.
*We need to know the weak points that give rise to a
threat (vulnerabilities).
Slide 3
*Threats, Vulnerabilities, and
Attacks
*A threat is any potential occurrence, malicious
or otherwise, that could harm an asset.
*In other words, a threat is any bad thing that
can happen to the assets.
Slide 4
*Threats, Vulnerabilities, and
Attacks
*A vulnerability is a weakness that makes a
threat possible.
*This may be because of poor design,
configuration mistakes, or inappropriate and
insecure coding techniques.
*Weak input validation is an example of an
application layer vulnerability, which can result
in input attacks.
Slide 5
*Threats, Vulnerabilities, and
Attacks
*An attack is an action that exploits a
vulnerability or enacts a threat.
*Examples of attacks include sending malicious
input to an application or flooding a network in
an attempt to deny service.
Slide 6
*Threats, Vulnerabilities, and
Attacks
To summarize, a threat is a potential
event that can adversely affect an
asset, whereas a successful attack
exploits vulnerabilities in a system.
Slide 7
*Terminology
*Asset: A resource of value such as the data in a
database or on the file system, or a system resource
*Entry/Exit Points: Ways to get at an asset
*Risk: Likelihood that vulnerability could be
exploited
*Mitigation: Something that addresses a specific
vulnerability
*Countermeasure: A safeguard that addresses a
threat and mitigates risk
We can mitigate vulnerabilities…
…but the threat still exists!!!
Slide 8
*The Foundations of
Security
Security relies on the following elements:
*Authentication
*Authorization
*Auditing
*Confidentiality
*Integrity
*Availability
Slide 9
*Authentication
*Authentication addresses the question: who are
you?
*It is the process of uniquely identifying the
clients of your applications and services.
*These might be end users, other services,
processes, or computers.
*In security parlance, authenticated clients are
referred to as principals.
Slide 10
*Authorization
*Authorization addresses the question: what can
you do?
*It is the process that governs the resources and
operations that the authenticated client is
permitted to access.
*Resources include files, databases, tables,
rows, and so on, together with system-level
resources such as registry keys and
configuration data.
*Operations include performing transactions
such as purchasing a product, transferring
money from one account to another, or
increasing a customer’s credit rating.
Slide 11
*Auditing
*Effective auditing and logging are the key to
non-repudiation.
*Non-repudiation guarantees that a user cannot
deny performing an operation or initiating a
transaction.
*For example, in an e-commerce system, non-
repudiation mechanisms are required to make
sure that a consumer cannot deny ordering 100
copies of a particular book.
Slide 12
*Confidentiality
*Confidentiality, also referred to as privacy, is
the process of making sure that data remains
private and confidential, and that it cannot be
viewed by unauthorized users or eavesdroppers
who monitor the flow of traffic across a
network.
*Encryption is frequently used to enforce
confidentiality. Access control lists (ACLs) are
another means of enforcing confidentiality.
Slide 13
*Integrity
*Integrity is the guarantee that data is
protected from accidental or deliberate
(malicious) modification.
*Like privacy, integrity is a key concern,
particularly for data passed across networks.
*Integrity for data in transit is typically provided
by using hashing techniques and message
authentication codes.
Slide 14
*Availability
*From a security perspective, availability means
that systems remain available for legitimate
users.
*The goal for many attackers with denial of
service attacks is to crash an application or to
make sure that it is sufficiently overwhelmed
so that other users cannot access the
application.
Slide 15
*The Holistic Approach
Securing a Web application takes three
approaches:
•Securing the Network
•Securing the Host (Server environment)
•Securing the Application (Code and techniques)
Slide 16
*Securing the Network
The three core elements of a secure network
are:
*Router
*Firewall
*Switch
Slide 17
*Securing the Network
Router:
*Routers are your outermost network ring.
*They direct packets to the ports and protocols
that we have prepared our applications to work
with.
*Insecure TCP/IP protocols are blocked at this
ring.
Slide 18
*Securing the Network
Firewall:
*The firewall blocks those protocols and ports
that the application does not use.
*Additionally, firewalls enforce secure network
traffic by providing application specific
filtering to block malicious communications.
Slide 19
*Securing the Network
Switch:
*Switches are used to separate network
segments.
*They are frequently overlooked or over-trusted.
Slide 20
*Securing the Host
*The host includes the operating system and
.NET Framework, together with associated
services and components.
*A Web server running IIS, an application server
running Enterprise Services, or a database
server running SQL Server, all need to adhere
to a general security methodology that is
common across the various server roles and
types.
Slide 21
*Securing the
Application
Securing the application revolves around the
following vulnerability categories:
*Input Validation
*Authentication
*Authorization
*Configuration Management
*Sensitive Data
Slide 22
*Securing the
Application
Vulnerability Categories continued:
*Session Management
*Cryptography
*Parameter Manipulation
*Exception Management
*Auditing and Logging
Slide 23
*Threats and
Countermeasures
*Become familiar with specific threats that
affect the network host and application.
*Use the threats to identify risk.
*Apply countermeasures to address
vulnerabilities.
*When designing, building, and securing new systems,
keep the threats in mind.
Slide 24
*Anatomy of an Attack
Survey and assess:
*Surveying and assessing the potential target are
done in tandem.
*The first step an attacker usually takes is to survey
the potential target to identify and assess its
characteristics.
*These characteristics may include its supported
services and protocols together with potential
vulnerabilities and entry points.
*The attacker uses the information gathered in the
survey and assess phase to plan an initial attack.
Slide 25
*Anatomy of an Attack
Exploit and penetrate:
*Having surveyed a potential target, the next
step is to exploit and penetrate.
*If the network and host are fully secured, your
application (the front gate) becomes the next
channel for attack.
Slide 26
*Anatomy of an Attack
Escalate privileges
*After attackers manage to compromise an
application or network, they immediately
attempt to escalate privileges.
*Specifically, they look for administration
privileges provided by accounts that are
members of the Administrators group.
*They also seek out the high level of privileges
offered by the local system account.
Slide 27
*Anatomy of an Attack
Maintain access:
*Having gained access to a system, an attacker takes
steps to make future access easier and to cover his
or her tracks.
*Common approaches for making future access
easier include planting back-door programs or using
an existing account that lacks strong protection.
*Covering tracks typically involves clearing logs and
hiding tools.
*As such, audit logs are a primary target for the
attacker.
Slide 28
*Anatomy of an Attack
Deny service:
*Attackers who cannot gain access often mount a
denial of service attack to prevent others from
using the application.
*For other attackers, the denial of service option is
their goal from the outset.
*An example is the SYN flood attack, where the
attacker uses a program to send a flood of TCP SYN
requests to fill the pending connection queue on
the server.
*This prevents other users from establishing network
connections.
Slide 29
*Understanding Threat
Categories
•Threats faced by the application can
be categorized based on the goals
and purposes of the attacks.
•STRIDE is the acronym used at
Microsoft to categorize different
threat types.
Slide 30
*STRIDE
STRIDE stands for:
*Spoofing
*Tampering
*Repudiation
*Information disclosure
*Denial of service
*Elevation of privilege
Slide 31
*STRIDE
Spoofing:
•Spoofing is attempting to gain access to a system
by using a false identity.
•This can be accomplished using stolen user
credentials or a false IP address.
•After the attacker successfully gains access as a
legitimate user or host, elevation of privileges or
abuse using authorization can begin.
Slide 32
*STRIDE
Tampering:
•Tampering is the unauthorized modification of
data.
•For example, data can be modified as it flows over a
network between two computers.
Slide 33
*STRIDE
Repudiation:
•Repudiation is the ability of users (legitimate or
otherwise) to deny that they performed specific
actions or transactions.
•Without adequate auditing, repudiation attacks
are difficult to prove.
Slide 34
*STRIDE
Information disclosure:
•Information disclosure is the unwanted exposure of
private data.
•For example, a user views the contents of a table or
file he or she is not authorized to open, or monitors
data passed in plaintext over a network.
•Some examples of information disclosure
vulnerabilities include the use of hidden form fields,
comments embedded in Web pages that contain
database connection strings and connection details,
and weak exception handling that can lead to
internal system level details being revealed to the
client.
•Any of this information can be very useful to the
attacker.
Slide 35
*STRIDE
Denial of service:
•Denial of service is the process of making a
system or application unavailable.
•For example, a denial of service attack might be
accomplished by bombarding a server with
requests to consume all available system
resources or by passing it malformed input data
that can crash an application process.
Slide 36
*STRIDE
Elevation of privilege:
•Elevation of privilege occurs when a user with
limited privileges assumes the identity of a
privileged user to gain privileged access to an
application.
•For example, an attacker with limited privileges
might elevate his or her privilege level to
compromise and take control of a highly
privileged and trusted process or account.
Slide 37
*STRIDE Threats and
Countermeasures
Spoofing user identity
*Use strong authentication.
*Do not store secrets (for example, passwords)
in plaintext.
*Do not pass credentials in plaintext over the
wire.
*Protect authentication cookies with Secure
Sockets Layer (SSL).
Slide 38
*STRIDE Threats and
Countermeasures
Tampering with data
*Use data hashing and signing.
*Use digital signatures.
*Use strong authorization.
*Use tamper-resistant protocols across
communication links.
*Secure communication links with protocols that
provide message integrity.
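The integrity slide (slide 13) says hashing and message authentication codes protect data in transit, and this slide lists "data hashing and signing" against tampering. The added example below (not from the deck) contrasts the two: a plain hash can be recomputed by whoever modifies the message, an HMAC under a shared key cannot. The key, message format and the modify_in_transit model are constructed for illustration.

```python
import hashlib
import hmac
from typing import Tuple

# Shared secret between the two endpoints. Constructed for this example; a real
# deployment obtains it from key management, never from source code.
SHARED_KEY = b"example-shared-key-do-not-reuse"


def protect_with_hash(message: bytes) -> Tuple[bytes, str]:
    """Weak scheme: send the message with a plain SHA-256 digest (no key)."""
    return message, hashlib.sha256(message).hexdigest()


def verify_with_hash(message: bytes, digest: str) -> bool:
    return hashlib.sha256(message).hexdigest() == digest


def protect_with_mac(message: bytes, key: bytes = SHARED_KEY) -> Tuple[bytes, str]:
    """Stronger scheme: send the message with an HMAC-SHA256 tag under the shared key."""
    return message, hmac.new(key, message, hashlib.sha256).hexdigest()


def verify_with_mac(message: bytes, tag: str, key: bytes = SHARED_KEY) -> bool:
    expected = hmac.new(key, message, hashlib.sha256).hexdigest()
    # compare_digest runs in constant time, so the comparison does not leak
    # how many leading characters of the tag matched.
    return hmac.compare_digest(expected, tag)


def modify_in_transit(message: bytes, check: str, can_recompute: bool) -> Tuple[bytes, str]:
    """Model an unauthorized change to the message between the two endpoints.
    With a plain hash the modifying party simply recomputes the digest; with
    an HMAC it cannot, because it does not hold the key."""
    modified = message.replace(b"amount=100;", b"amount=1000;")
    if can_recompute:
        check = hashlib.sha256(modified).hexdigest()
    return modified, check


def demo() -> dict:
    order = b"order=42;amount=100;to=acct-7"   # constructed sample message

    # Plain hash: the change goes unnoticed once the digest is recomputed.
    msg, digest = protect_with_hash(order)
    msg, digest = modify_in_transit(msg, digest, can_recompute=True)
    hash_detects = not verify_with_hash(msg, digest)

    # HMAC: the tag cannot be recomputed without the key, so the change is caught.
    msg, tag = protect_with_mac(order)
    msg, tag = modify_in_transit(msg, tag, can_recompute=False)
    mac_detects = not verify_with_mac(msg, tag)

    return {"plain_hash_detects_change": hash_detects,
            "hmac_detects_change": mac_detects}


if __name__ == "__main__":
    print(demo())
```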
Slide 39
*STRIDE Threats and
Countermeasures
Repudiation
*Create secure audit trails.
*Use digital signatures.
Slide 40
*STRIDE Threats and
Countermeasures
Information disclosure
*Use strong authorization.
*Use strong encryption.
*Secure communication links with protocols that
provide message confidentiality.
*Do not store secrets (for example, passwords)
in plaintext.
Slide 41
*STRIDE Threats and
Countermeasures
Denial of service
*Use resource and bandwidth throttling
techniques.
*Validate and filter input.
Slide 42
*STRIDE Threats and
Countermeasures
Elevation of privilege
*Follow the principle of least privilege.
*Use least privileged service accounts to run
processes and access resources.
Slide 43
*Network Threats and
Countermeasures
Top network level threats are:
*Information gathering
*Sniffing
*Spoofing
*Session hijacking
*Denial of service
Slide 44
*Network Threats and
Countermeasures
Information gathering defined:
*Network devices can be discovered and
profiled in much the same way as other types
of systems.
*Attackers usually start with port scanning.
After they identify open ports, they use banner
grabbing and enumeration to detect device
types and to determine operating system and
application versions.
*Armed with this information, an attacker can
attack known vulnerabilities that may not be
updated with security patches.
Slide 45
*Network Threats and
Countermeasures
Information gathering counter-measures:
*Configure routers to restrict their responses to
foot-printing requests.
*Configure operating systems that host network
software (for example, software firewalls) to
prevent foot-printing by disabling unused
protocols and unnecessary ports.
Slide 46
*Network Threats and
Countermeasures
Sniffing defined
*Sniffing or eavesdropping is the act of monitoring
traffic on the network for data such as plaintext
passwords or configuration information.
*With a simple packet sniffer, an attacker can easily
read all plaintext traffic.
*Also, attackers can crack packets encrypted by
lightweight hashing algorithms and can decipher the
payload that you considered to be safe.
*The sniffing of packets requires a packet sniffer in
the path of the server/client communication.
Slide 47
*Network Threats and
Countermeasures
Sniffing counter-measures:
*Use strong physical security and proper
segmenting of the network.
*This is the first step in preventing traffic from
being collected locally.
*Encrypt communication fully, including
authentication credentials.
*This prevents sniffed packets from being usable
to an attacker.
*SSL and IPSec (Internet Protocol Security) are
examples of encryption solutions.
Slide 48
*Network Threats and
Countermeasures
Spoofing defined
*Spoofing is a means to hide one’s true identity
on the network.
*To create a spoofed identity, an attacker uses a
fake source address that does not represent
the actual address of the packet.
*Spoofing may be used to hide the original
source of an attack or to work around network
access control lists (ACLs) that are in place to
limit host access based on source address
rules.
Slide 49
*Network Threats and
Countermeasures
Spoofing counter-measures:
*Filter incoming packets that appear to come
from an internal IP address at your perimeter.
*Filter outgoing packets that appear to originate
from an invalid local IP address.
Slide 50
*Network Threats and
Countermeasures
Session hijacking defined
*Also known as man in the middle attacks,
session hijacking deceives a server or a client
into accepting the upstream host as the actual
legitimate host.
*Instead the upstream host is an attacker’s host
that is manipulating the network so the
attacker’s host appears to be the desired
destination.
Slide 51
*Network Threats and
Countermeasures
Session hijacking counter-measures:
*Use encrypted session negotiation.
*Use encrypted communication channels.
*Stay informed of platform patches to fix
TCP/IP vulnerabilities, such as predictable
packet sequences.
Slide 52
*Network Threats and
Countermeasures
Denial of service defined
*Denial of service denies legitimate users access to a
server or services.
*The SYN flood attack is a common example of a
network level denial of service attack.
*It is easy to launch and difficult to track.
*The aim of the attack is to send more requests to a
server than it can handle.
*The attack exploits a potential vulnerability in the
TCP/IP connection establishment mechanism and
floods the server’s pending connection queue.
Slide 53
*Network Threats and
Countermeasures
Denial of service counter-measures:
*Apply the latest service packs.
*Harden the TCP/IP stack by applying the
appropriate registry settings to increase the
size of the TCP connection queue, decrease the
connection establishment period, and employ
dynamic backlog mechanisms to ensure that
the connection queue is never exhausted.
*Use a network Intrusion Detection System (IDS)
because these can automatically detect and
respond to SYN attacks.
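Slides 28 and 52 describe the SYN flood as filling the server's pending connection queue, and this slide's counter-measures are a bounded queue, a shorter establishment period and an IDS that detects the pattern. The added example below (not from the deck) is a small half-open connection tracker of the kind such a detector uses: it counts SYNs per source that were never followed by the client's ACK, ages them out after the server's handshake timeout, and alerts when one source exceeds a threshold. The packet records, threshold and timeout are constructed for illustration.

```python
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Policy values, constructed for this example.
HALF_OPEN_THRESHOLD = 20   # half-open connections from one source before alerting
HANDSHAKE_TIMEOUT = 3.0    # seconds the server keeps an unanswered SYN in its queue

# Packet record: (time_s, client_ip, client_port, flag); flag is "SYN" (client
# opens), "ACK" (client completes the handshake) or "RST" (connection aborted).
Packet = Tuple[float, str, int, str]


class HalfOpenTracker:
    """Counts pending (half-open) connections per source, the way the server's
    own connection queue sees them."""

    def __init__(self, threshold: int = HALF_OPEN_THRESHOLD,
                 timeout: float = HANDSHAKE_TIMEOUT) -> None:
        self.threshold = threshold
        self.timeout = timeout
        self.pending: Dict[Tuple[str, int], float] = {}   # (ip, port) -> time SYN seen
        self.alerts: List[Tuple[float, str, int]] = []    # (time, ip, half-open count)
        self._alerted = set()

    def observe(self, pkt: Packet) -> None:
        t, ip, port, flag = pkt
        key = (ip, port)
        if flag == "SYN":
            self.pending[key] = t
        elif flag in ("ACK", "RST"):
            self.pending.pop(key, None)       # handshake finished or torn down
        self._expire(t)
        count = self.half_open_by_source().get(ip, 0)
        if count >= self.threshold and ip not in self._alerted:
            self._alerted.add(ip)
            self.alerts.append((t, ip, count))

    def _expire(self, now: float) -> None:
        # Mirrors the server dropping queue entries whose handshake never completed.
        stale = [k for k, t0 in self.pending.items() if now - t0 > self.timeout]
        for k in stale:
            del self.pending[k]

    def half_open_by_source(self) -> Dict[str, int]:
        return dict(Counter(ip for ip, _ in self.pending))


def build_sample() -> List[Packet]:
    """Constructed traffic: three ordinary clients that complete their handshakes,
    then one source that opens 25 connections and never completes any."""
    pkts: List[Packet] = []
    t = 0.0
    for i in range(3):
        pkts.append((t, "198.51.100.7", 50000 + i, "SYN"))
        pkts.append((t + 0.05, "198.51.100.7", 50000 + i, "ACK"))
        t += 0.1
    for i in range(25):
        pkts.append((t, "203.0.113.50", 40000 + i, "SYN"))
        t += 0.01
    return pkts


def run(pkts: Optional[List[Packet]] = None) -> HalfOpenTracker:
    tracker = HalfOpenTracker()
    for pkt in sorted(pkts if pkts is not None else build_sample()):
        tracker.observe(pkt)
    return tracker


if __name__ == "__main__":
    tr = run()
    print("half-open per source:", tr.half_open_by_source())
    for when, ip, n in tr.alerts:
        print(f"t={when:.2f}s ALERT {ip}: {n} half-open connections")
```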
Slide 54
*Host Threats and
Countermeasures
Top host level threats are:
*Viruses, Trojan horses, and worms
*Footprinting
*Profiling
*Password cracking
*Denial of service
*Arbitrary code execution
*Unauthorized access
Slide 55
*Host Threats and
Countermeasures
Viruses, Trojan horses, and worms
*A virus is a program that is designed to perform
malicious acts and cause disruption to your
operating system or applications.
*A Trojan horse resembles a virus except that the
malicious code is contained inside what appears to
be a harmless data file or executable program.
*A worm is similar to a Trojan horse except that it
self-replicates from one server to another. Worms
are difficult to detect because they do not regularly
create files that can be seen. They are often
noticed only when they begin to consume system
resources, because the system slows down or the
execution of other programs halts.
Slide 56
*Host Threats and
Countermeasures
Viruses, Trojan horses, and worms counter-measures:
*Stay current with the latest operating system
service packs and software patches.
*Block all unnecessary ports at the firewall and host.
*Disable unused functionality including protocols and
services.
*Harden weak, default configuration settings.
Slide 57
*Host Threats and
Countermeasures
Footprinting
*Examples of footprinting are port scans, ping
sweeps, and NetBIOS enumeration that can be used
by attackers to glean valuable system-level
information to help prepare for more significant
attacks.
*The type of information potentially revealed by
footprinting includes account details, operating
system and other software versions, server names,
and database schema details.
Slide 58
*Host Threats and
Countermeasures
Footprinting counter-measures:
*Disable unnecessary protocols.
*Lock down ports with the appropriate firewall
configuration.
*Use TCP/IP and IPSec filters for defense in depth.
*Configure IIS to prevent information disclosure
through banner grabbing.
*Use an IDS that can be configured to pick up
footprinting patterns and reject suspicious traffic.
Slide 59
*Host Threats and
Countermeasures
Password cracking
*If the attacker cannot establish an anonymous
connection with the server, he or she will try to
establish an authenticated connection.
*For this, the attacker must know a valid username and
password combination.
*If you use default account names, you are giving the
attacker a head start.
*Then the attacker only has to crack the account’s
password.
*The use of blank or weak passwords makes the
attacker’s job even easier.
Slide 60
*Host Threats and
Countermeasures
Password cracking counter-measures:
*Use strong passwords for all account types.
*Apply lockout policies to end-user accounts to
limit the number of retry attempts that can be
used to guess the password.
*Do not use default account names, and rename
standard accounts such as the administrator’s
account and the anonymous Internet user
account used by many Web applications.
*Audit failed logins for patterns of password
hacking attempts.
Slide 61
*Host Threats and
Countermeasures
Denial of service
*Denial of service can be attained by many
methods aimed at several targets within your
infrastructure.
*At the host, an attacker can disrupt service by
brute force against your application, or an
attacker may know of a vulnerability that
exists in the service your application is hosted
in or in the operating system that runs your
server.
Slide 62
*Host Threats and
Countermeasures
Denial of service counter-measures:
*Configure your applications, services, and operating
system with denial of service in mind.
*Stay current with patches and security updates.
*Harden the TCP/IP stack against denial of service.
*Make sure your account lockout policies cannot be
exploited to lock out well known service accounts.
*Make sure your application is capable of handling
high volumes of traffic and that thresholds are in
place to handle abnormally high loads.
*Review your application’s failover functionality.
*Use an IDS that can detect potential denial of
service attacks.
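Slide 60 asks for lockout policies on end-user accounts and auditing of failed logins for patterns; this slide adds the caveat that lockout must not be usable to lock out well-known service accounts. The added example below (not from the deck) runs a constructed authentication log through a lockout policy that locks end-user accounts after a windowed failure threshold but only alerts on service accounts, and then audits the same log for one client address failing against several different accounts. Account names, addresses, thresholds and the log format are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Policy values, constructed for this example.
MAX_FAILURES = 5                 # failures inside WINDOW before an end-user account locks
WINDOW = timedelta(minutes=15)
# Well-known service accounts are never locked: locking them would let a stream of
# bad passwords take the application itself offline. They are alerted on instead.
SERVICE_ACCOUNTS = {"svc_webapp", "svc_backup"}

# Constructed authentication log, one event per line:
# <ISO timestamp> <OK|FAIL> user=<account> src=<client address>
SAMPLE_LOG = """\
2024-05-01T09:00:01 FAIL user=dave src=192.0.2.21
2024-05-01T09:00:05 FAIL user=dave src=192.0.2.21
2024-05-01T09:00:09 FAIL user=dave src=192.0.2.21
2024-05-01T09:00:13 FAIL user=dave src=192.0.2.21
2024-05-01T10:00:01 FAIL user=alice src=198.51.100.7
2024-05-01T10:00:03 FAIL user=alice src=198.51.100.7
2024-05-01T10:00:05 FAIL user=alice src=198.51.100.7
2024-05-01T10:00:07 FAIL user=alice src=198.51.100.7
2024-05-01T10:00:09 FAIL user=alice src=198.51.100.7
2024-05-01T10:01:00 FAIL user=bob src=203.0.113.9
2024-05-01T10:01:02 FAIL user=carol src=203.0.113.9
2024-05-01T10:01:04 FAIL user=svc_webapp src=203.0.113.9
2024-05-01T10:01:06 FAIL user=svc_webapp src=203.0.113.9
2024-05-01T10:01:08 FAIL user=svc_webapp src=203.0.113.9
2024-05-01T10:01:10 FAIL user=svc_webapp src=203.0.113.9
2024-05-01T10:01:12 FAIL user=svc_webapp src=203.0.113.9
2024-05-01T10:02:00 OK user=bob src=192.0.2.20
2024-05-01T11:00:00 FAIL user=dave src=192.0.2.21
"""


def parse(line: str) -> dict:
    ts, result, user_kv, src_kv = line.split()
    return {"ts": datetime.fromisoformat(ts), "ok": result == "OK",
            "user": user_kv.split("=", 1)[1], "src": src_kv.split("=", 1)[1]}


class LockoutPolicy:
    def __init__(self) -> None:
        self.failures: Dict[str, List[datetime]] = defaultdict(list)  # recent failures per account
        self.locked: Dict[str, datetime] = {}                          # account -> lockout time
        self.alerts: List[str] = []

    def is_locked(self, user: str) -> bool:
        return user in self.locked

    def record(self, ev: dict) -> None:
        user = ev["user"]
        if ev["ok"]:
            self.failures[user].clear()            # a successful login resets the counter
            return
        cutoff = ev["ts"] - WINDOW                 # dave's old failures fall outside this
        recent = [t for t in self.failures[user] if t >= cutoff] + [ev["ts"]]
        self.failures[user] = recent
        if len(recent) != MAX_FAILURES:            # act once, when the threshold is reached
            return
        if user in SERVICE_ACCOUNTS:
            self.alerts.append(f"service account {user}: {len(recent)} failures from {ev['src']} (not locked)")
        else:
            self.locked[user] = ev["ts"]
            self.alerts.append(f"locked {user} after {len(recent)} failures from {ev['src']}")


def sources_hitting_many_accounts(events: List[dict], min_accounts: int = 3) -> Dict[str, List[str]]:
    """Audit pattern that per-account counting misses: one client address failing
    against several different accounts."""
    by_src = defaultdict(set)
    for ev in events:
        if not ev["ok"]:
            by_src[ev["src"]].add(ev["user"])
    return {src: sorted(users) for src, users in by_src.items() if len(users) >= min_accounts}


def run(log_text: str = SAMPLE_LOG) -> dict:
    events = [parse(line) for line in log_text.splitlines() if line.strip()]
    policy = LockoutPolicy()
    for ev in events:
        policy.record(ev)
    return {"locked": sorted(policy.locked),
            "alerts": policy.alerts,
            "suspicious_sources": sources_hitting_many_accounts(events)}


if __name__ == "__main__":
    for key, value in run().items():
        print(key, value)
```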
Slide 63
*Host Threats and
Countermeasures
Arbitrary code execution
*If an attacker can execute malicious code on
your server, the attacker can either
compromise server resources or mount further
attacks against downstream systems.
*The risks posed by arbitrary code execution
increase if the server process under which the
attacker’s code runs is over-privileged.
*Common vulnerabilities include weak IIS
configuration and unpatched servers that allow
path traversal and buffer overflow attacks,
both of which can lead to arbitrary code
execution.
Slide 64
*Host Threats and
Countermeasures
Arbitrary code execution counter-measures:
*Configure IIS to reject URLs with “../” to
prevent path traversal.
*Lock down system commands and utilities with
restricted ACLs.
*Stay current with patches and updates to
ensure that newly discovered buffer overflows
are speedily patched.
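The first counter-measure above rejects "../" at the IIS layer; the application threat list later names canonicalization as its own input-validation category. The added example below (not from the deck, and not how IIS itself implements its check) shows the canonicalize-then-compare logic an application should apply to any file path it builds from request data: decode, unify separators, collapse "." and "..", then require the result to sit under the web root. The web root and test inputs are constructed for illustration.

```python
import posixpath
from typing import Optional
from urllib.parse import unquote

WEB_ROOT = "/var/www/app"   # constructed web root for this example


def resolve_request_path(request_path: str, root: str = WEB_ROOT) -> Optional[str]:
    """Return the canonical file path a request maps to, or None if it would
    leave the web root. The decision is made on the canonical form (decoded,
    separators unified, '.' and '..' collapsed), not on the raw string."""
    decoded = unquote(request_path)             # percent-encoded bytes become characters
    decoded = decoded.replace("\\", "/")        # treat backslash as a separator too
    candidate = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    # Accept only the root itself or paths strictly below it. The trailing "/"
    # stops a sibling such as "/var/www/app-old/..." from passing as a prefix match.
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    return candidate


def substring_check_allows(request_path: str) -> bool:
    """Raw-substring test, kept only to compare against the canonical check."""
    return "../" not in request_path


# Constructed test inputs and the result expected from resolve_request_path.
CASES = {
    "images/logo.png":             "/var/www/app/images/logo.png",
    "/images/./logo.png":          "/var/www/app/images/logo.png",
    "../web.config":               None,
    "images/../../web.config":     None,
    "images/..%2F..%2Fweb.config": None,
    "docs\\..\\..\\web.config":    None,
}


def run_cases() -> dict:
    return {path: resolve_request_path(path) for path in CASES}


if __name__ == "__main__":
    for path, result in run_cases().items():
        verdict = "allow" if result else "reject"
        raw = "allow" if substring_check_allows(path) else "reject"
        print(f"{verdict:6} {path!r} -> {result}   (raw substring test: {raw})")
```

The last two cases are where the raw substring test and the canonical check disagree, which is why the comparison belongs after canonicalization.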
Slide 65
*Host Threats and
Countermeasures
Unauthorized access
*Inadequate access controls could allow an
unauthorized user to access restricted
information or perform restricted operations.
*Common vulnerabilities include weak IIS Web
access controls, including Web permissions and
weak NTFS permissions.
Slide 66
*Host Threats and
Countermeasures
Unauthorized access counter-measures:
*Configure secure Web permissions.
*Lock down files and folders with restricted
NTFS permissions.
*Use .NET Framework access control
mechanisms within your ASP.NET applications,
including URL authorization and principal
permission demands.
Slide 67
*Application Threats and
Countermeasures
Category: Input Validation
Threats:
*Buffer overflow
*Cross-site scripting
*SQL injection
*Canonicalization
Slide 68
*Application Threats and
Countermeasures
Category: Authorization
Threats:
*Elevation of privilege
*Disclosure of confidential data
*Data tampering
*Luring attacks
Slide 69
*Application Threats and
Countermeasures
Category: Configuration management
Threats:
*Unauthorized access to administration
interfaces
*Unauthorized access to configuration stores
*Retrieval of clear text configuration data
*Lack of individual accountability
*Overprivileged process and service accounts
Slide 70
*Application Threats and
Countermeasures
Category: Sensitive data
Threats:
*Access sensitive data in storage
*Network eavesdropping
*Data tampering
Slide 71
*Application Threats and
Countermeasures
Category: Session management
Threats:
*Session hijacking
*Session replay
*Man in the middle
Slide 72
*Application Threats and
Countermeasures
Category: Cryptography
Threats:
*Poor key generation or key management
*Weak or custom encryption
Slide 73
*Application Threats and
Countermeasures
Category: Parameter manipulation
Threats:
*Query string manipulation
*Form field manipulation
*Cookie manipulation
*HTTP header manipulation
Slide 74
*Application Threats and
Countermeasures
Category: Exception management
Threats:
*Information disclosure
*Denial of service
Slide 75
*Application Threats and
Countermeasures
Category: Auditing and logging
Threats:
*User denies performing an operation
*Attacker exploits an application without trace
*Attacker covers his or her tracks
Slide 76
*Way ahead
*Details of Application level threats and
countermeasures.
*Threat Modeling.
*Answers to unanswered questions.
Slide 77
*Thanks a lot…
Reach me at http://www.geekays.net/
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 

Improving web application security, part i

Slide 2
*Threat and Security
*Security is needed when a threat is there.
*Need to know the threat.
*Need to know the weak points that raise a threat (vulnerabilities).
Slide 3
*Threats, Vulnerabilities, and Attacks
*A threat is any potential occurrence, malicious or otherwise, that could harm an asset.
*In other words, a threat is any bad thing that can happen to the assets.
Slide 4
*Threats, Vulnerabilities, and Attacks
*A vulnerability is a weakness that makes a threat possible.
*This may be because of poor design, configuration mistakes, or inappropriate and insecure coding techniques.
*Weak input validation is an example of an application layer vulnerability, which can result in input attacks.
Slide 5
*Threats, Vulnerabilities, and Attacks
*An attack is an action that exploits a vulnerability or enacts a threat.
*Examples of attacks include sending malicious input to an application or flooding a network in an attempt to deny service.
Slide 6
*Threats, Vulnerabilities, and Attacks
To summarize, a threat is a potential event that can adversely affect an asset, whereas a successful attack exploits vulnerabilities in a system.
Slide 7
*Terminology
*Asset: A resource of value such as the data in a database or on the file system, or a system resource
*Entry/Exit Points: Ways to get at an asset
*Risk: Likelihood that a vulnerability could be exploited
*Mitigation: Something that addresses a specific vulnerability
*Countermeasure: A safeguard that addresses a threat and mitigates risk
We can mitigate vulnerabilities…
…but the threat still exists!!!
Slide 8
*The Foundations of Security
Security relies on the following elements:
*Authentication
*Authorization
*Auditing
*Confidentiality
*Integrity
*Availability
Slide 9
*Authentication
*Authentication addresses the question: who are you?
*It is the process of uniquely identifying the clients of your applications and services.
*These might be end users, other services, processes, or computers.
*In security parlance, authenticated clients are referred to as principals.
Slide 10
*Authorization
*Authorization addresses the question: what can you do?
*It is the process that governs the resources and operations that the authenticated client is permitted to access.
*Resources include files, databases, tables, rows, and so on, together with system-level resources such as registry keys and configuration data.
*Operations include performing transactions such as purchasing a product, transferring money from one account to another, or increasing a customer’s credit rating.
Slide 11
*Auditing
*Effective auditing and logging is the key to non-repudiation.
*Non-repudiation guarantees that a user cannot deny performing an operation or initiating a transaction.
*For example, in an e-commerce system, non-repudiation mechanisms are required to make sure that a consumer cannot deny ordering 100 copies of a particular book.
Slide 12
*Confidentiality
*Confidentiality, also referred to as privacy, is the process of making sure that data remains private and confidential, and that it cannot be viewed by unauthorized users or eavesdroppers who monitor the flow of traffic across a network.
*Encryption is frequently used to enforce confidentiality. Access control lists (ACLs) are another means of enforcing confidentiality.
Slide 13
*Integrity
*Integrity is the guarantee that data is protected from accidental or deliberate (malicious) modification.
*Like privacy, integrity is a key concern, particularly for data passed across networks.
*Integrity for data in transit is typically provided by using hashing techniques and message authentication codes.
Slide 14
*Availability
*From a security perspective, availability means that systems remain available for legitimate users.
*The goal for many attackers with denial of service attacks is to crash an application or to make sure that it is sufficiently overwhelmed so that other users cannot access the application.
Slide 15
*The Holistic Approach
Securing a Web application takes three approaches:
•Securing the Network
•Securing the Host (Server environment)
•Securing the Application (Code and techniques)
Slide 16
*Securing the Network
The three core elements of a secure network are:
*Router
*Firewall
*Switch
Slide 17
*Securing the Network
Router:
*Routers are your outermost network ring.
*They direct packets to the ports and protocols that we have prepared our applications to work with.
*Insecure TCP/IP protocols are blocked at this ring.
Slide 18
*Securing the Network
Firewall:
*The firewall blocks those protocols and ports that the application does not use.
*Additionally, firewalls enforce secure network traffic by providing application-specific filtering to block malicious communications.
Slide 19
*Securing the Network
Switch:
*Switches are used to separate network segments.
*They are frequently overlooked or over-trusted.
Slide 20
*Securing the Host
*The host includes the operating system and .NET Framework, together with associated services and components.
*A Web server running IIS, an application server running Enterprise Services, or a database server running SQL Server all need to adhere to a general security methodology that is common across the various server roles and types.
Slide 21
*Securing the Application
Securing the application is organized around the following vulnerability categories:
*Input Validation
*Authentication
*Authorization
*Configuration Management
*Sensitive Data
Slide 22
*Securing the Application
Vulnerability categories, continued:
*Session Management
*Cryptography
*Parameter Manipulation
*Exception Management
*Auditing and Logging
Slide 23
*Threats and Countermeasures
*Become familiar with the specific threats that affect the network, host, and application.
*Use the threats to identify risk.
*Apply countermeasures to address vulnerabilities.
*When designing, building, and securing new systems, keep the threats in mind.
Slide 24
*Anatomy of an Attack
Survey and assess:
*Surveying and assessing the potential target are done in tandem.
*The first step an attacker usually takes is to survey the potential target to identify and assess its characteristics.
*These characteristics may include its supported services and protocols together with potential vulnerabilities and entry points.
*The attacker uses the information gathered in the survey and assess phase to plan an initial attack.
Slide 25
*Anatomy of an Attack
Exploit and penetrate:
*Having surveyed a potential target, the next step is to exploit and penetrate.
*If the network and host are fully secured, your application (the front gate) becomes the next channel for attack.
Slide 26
*Anatomy of an Attack
Escalate privileges:
*After attackers manage to compromise an application or network, they immediately attempt to escalate privileges.
*Specifically, they look for administration privileges provided by accounts that are members of the Administrators group.
*They also seek out the high level of privileges offered by the local system account.
Slide 27
*Anatomy of an Attack
Maintain access:
*Having gained access to a system, an attacker takes steps to make future access easier and to cover his or her tracks.
*Common approaches for making future access easier include planting back-door programs or using an existing account that lacks strong protection.
*Covering tracks typically involves clearing logs and hiding tools.
*As such, audit logs are a primary target for the attacker.
Slide 28
*Anatomy of an Attack
Deny service:
*Attackers who cannot gain access often mount a denial of service attack to prevent others from using the application.
*For other attackers, the denial of service option is their goal from the outset.
*An example is the SYN flood attack, where the attacker uses a program to send a flood of TCP SYN requests to fill the pending connection queue on the server.
*This prevents other users from establishing network connections.
Slide 29
*Understanding Threat Categories
•Threats faced by the application can be categorized based on the goals and purposes of the attacks.
•STRIDE is the acronym used at Microsoft to categorize different threat types.
Slide 30
*STRIDE
STRIDE stands for:
*Spoofing
*Tampering
*Repudiation
*Information disclosure
*Denial of service
*Elevation of privilege
Slide 31
*STRIDE
Spoofing:
•Spoofing is attempting to gain access to a system by using a false identity.
•This can be accomplished using stolen user credentials or a false IP address.
•After the attacker successfully gains access as a legitimate user or host, elevation of privileges or abuse using authorization can begin.
Slide 32
*STRIDE
Tampering:
•Tampering is the unauthorized modification of data.
•For example, as it flows over a network between two computers.
Slide 33
*STRIDE
Repudiation:
•Repudiation is the ability of users (legitimate or otherwise) to deny that they performed specific actions or transactions.
•Without adequate auditing, repudiation attacks are difficult to prove.
Slide 34
*STRIDE
Information disclosure:
•Information disclosure is the unwanted exposure of private data.
•For example, a user views the contents of a table or file he or she is not authorized to open, or monitors data passed in plaintext over a network.
•Some examples of information disclosure vulnerabilities include the use of hidden form fields, comments embedded in Web pages that contain database connection strings and connection details, and weak exception handling that can lead to internal system-level details being revealed to the client.
•Any of this information can be very useful to the attacker.
Slide 35
*STRIDE
Denial of service:
•Denial of service is the process of making a system or application unavailable.
•For example, a denial of service attack might be accomplished by bombarding a server with requests to consume all available system resources or by passing it malformed input data that can crash an application process.
Slide 36
*STRIDE
Elevation of privilege:
•Elevation of privilege occurs when a user with limited privileges assumes the identity of a privileged user to gain privileged access to an application.
•For example, an attacker with limited privileges might elevate his or her privilege level to compromise and take control of a highly privileged and trusted process or account.
Slide 37
*STRIDE Threats and Countermeasures
Spoofing user identity:
*Use strong authentication.
*Do not store secrets (for example, passwords) in plaintext.
*Do not pass credentials in plaintext over the wire.
*Protect authentication cookies with Secure Sockets Layer (SSL).
Slide 38
*STRIDE Threats and Countermeasures
Tampering with data:
*Use data hashing and signing.
*Use digital signatures.
*Use strong authorization.
*Use tamper-resistant protocols across communication links.
*Secure communication links with protocols that provide message integrity.
Slide 39
*STRIDE Threats and Countermeasures
Repudiation:
*Create secure audit trails.
*Use digital signatures.
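The "secure audit trail" of Slide 39 has to survive the log clearing described on Slide 27 and support the non-repudiation of Slide 11. The added example below (written for this page, not code from the deck) chains each entry to its predecessor with an HMAC, the message authentication code technique Slide 13 names, so that an edited, deleted or reordered entry breaks every later check. It uses a symmetric key held by the audit service rather than the digital signature the slide suggests; a signature would additionally let a party without that key verify the trail. The field names, key and sample events are constructed.

```python
"""Tamper-evident audit trail: each entry carries an HMAC over its event and
over the previous entry's tag, so modifying, deleting or reordering an entry
breaks the chain from that point onward.

Added example, not from the slide deck. Field names, the canonical-JSON
encoding, the key and the sample events are constructed for this example.
"""
import hashlib
import hmac
import json
from typing import List, Optional

GENESIS = "0" * 64   # stands in for the tag of the entry before the first one


def _tag(key: bytes, prev_tag: str, event: dict) -> str:
    # Canonical JSON (sorted keys, no whitespace) so an event always hashes the
    # same way; prev_tag links this entry to its predecessor.
    body = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hmac.new(key, (prev_tag + body).encode(), hashlib.sha256).hexdigest()


def append(log: List[dict], key: bytes, event: dict) -> dict:
    """Append an event chained to the previous entry and return the new entry."""
    prev_tag = log[-1]["tag"] if log else GENESIS
    entry = {"event": event, "prev": prev_tag, "tag": _tag(key, prev_tag, event)}
    log.append(entry)
    return entry


def first_broken_index(log: List[dict], key: bytes) -> Optional[int]:
    """Index of the first entry whose link or tag fails to verify, or None if
    the whole trail is intact. Removing entries at the very end (truncation) is
    not visible from the trail alone; compare the last tag against a copy kept
    on a separate system to catch that case."""
    prev_tag = GENESIS
    for i, entry in enumerate(log):
        if entry.get("prev") != prev_tag:
            return i
        expected = _tag(key, prev_tag, entry.get("event", {}))
        if not hmac.compare_digest(expected.encode(), str(entry.get("tag", "")).encode()):
            return i
        prev_tag = entry["tag"]
    return None


def demo() -> dict:
    """Constructed scenario: a purchase is logged, then the trail is attacked
    twice: the quantity is edited (repudiation) and the order entry is deleted
    (covering tracks). Returns where verification first fails in each copy."""
    key = b"example-only-key-held-by-audit-service"   # constructed, not a real key
    log: List[dict] = []
    append(log, key, {"user": "alice", "action": "login", "ts": "2024-05-01T10:00:00Z"})
    append(log, key, {"user": "alice", "action": "order", "item": "book-123",
                      "qty": 100, "ts": "2024-05-01T10:02:17Z"})
    append(log, key, {"user": "alice", "action": "logout", "ts": "2024-05-01T10:05:00Z"})

    edited = json.loads(json.dumps(log))       # deep copy
    edited[1]["event"]["qty"] = 1               # "I only ordered one copy"
    deleted = [log[0], log[2]]                  # order entry removed outright
    return {"intact": first_broken_index(log, key),
            "edited": first_broken_index(edited, key),
            "deleted": first_broken_index(deleted, key)}
```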
Slide 40
*STRIDE Threats and Countermeasures
Information disclosure:
*Use strong authorization.
*Use strong encryption.
*Secure communication links with protocols that provide message confidentiality.
*Do not store secrets (for example, passwords) in plaintext.
Slide 41
*STRIDE Threats and Countermeasures
Denial of service:
*Use resource and bandwidth throttling techniques.
*Validate and filter input.
Slide 42
*STRIDE Threats and Countermeasures
Elevation of privilege:
*Follow the principle of least privilege.
*Use least privileged service accounts to run processes and access resources.
Slide 43
*Network Threats and Countermeasures
Top network level threats are:
*Information gathering
*Sniffing
*Spoofing
*Session hijacking
*Denial of service
Slide 44
*Network Threats and Countermeasures
Information gathering defined:
*Network devices can be discovered and profiled in much the same way as other types of systems.
*Attackers usually start with port scanning. After they identify open ports, they use banner grabbing and enumeration to detect device types and to determine operating system and application versions.
*Armed with this information, an attacker can attack known vulnerabilities that may not be updated with security patches.
Slide 45
*Network Threats and Countermeasures
Information gathering counter-measures:
*Configure routers to restrict their responses to footprinting requests.
*Configure operating systems that host network software (for example, software firewalls) to prevent footprinting by disabling unused protocols and unnecessary ports.
Slide 46
*Network Threats and Countermeasures
Sniffing defined:
*Sniffing or eavesdropping is the act of monitoring traffic on the network for data such as plaintext passwords or configuration information.
*With a simple packet sniffer, an attacker can easily read all plaintext traffic.
*Also, attackers can crack packets encrypted by lightweight hashing algorithms and can decipher the payload that you considered to be safe.
*The sniffing of packets requires a packet sniffer in the path of the server/client communication.
Slide 47
*Network Threats and Countermeasures
Sniffing counter-measures:
*Use strong physical security and proper segmenting of the network.
*This is the first step in preventing traffic from being collected locally.
*Encrypt communication fully, including authentication credentials.
*This prevents sniffed packets from being usable to an attacker.
*SSL and IPSec (Internet Protocol Security) are examples of encryption solutions.
Slide 48
*Network Threats and Countermeasures
Spoofing defined:
*Spoofing is a means to hide one’s true identity on the network.
*To create a spoofed identity, an attacker uses a fake source address that does not represent the actual address of the packet.
*Spoofing may be used to hide the original source of an attack or to work around network access control lists (ACLs) that are in place to limit host access based on source address rules.
Slide 49
*Network Threats and Countermeasures
Spoofing counter-measures:
*Filter incoming packets that appear to come from an internal IP address at your perimeter.
*Filter outgoing packets that appear to originate from an invalid local IP address.
Slide 50
*Network Threats and Countermeasures
Session hijacking defined:
*Also known as man in the middle attacks, session hijacking deceives a server or a client into accepting the upstream host as the actual legitimate host.
*Instead, the upstream host is an attacker’s host that is manipulating the network so the attacker’s host appears to be the desired destination.
Slide 51
*Network Threats and Countermeasures
Session hijacking counter-measures:
*Use encrypted session negotiation.
*Use encrypted communication channels.
*Stay informed of platform patches to fix TCP/IP vulnerabilities, such as predictable packet sequences.
Slide 52
*Network Threats and Countermeasures
Denial of service defined:
*Denial of service denies legitimate users access to a server or services.
*The SYN flood attack is a common example of a network level denial of service attack.
*It is easy to launch and difficult to track.
*The aim of the attack is to send more requests to a server than it can handle.
*The attack exploits a potential vulnerability in the TCP/IP connection establishment mechanism and floods the server’s pending connection queue.
Slide 53
*Network Threats and Countermeasures
Denial of service counter-measures:
*Apply the latest service packs.
*Harden the TCP/IP stack by applying the appropriate registry settings to increase the size of the TCP connection queue, decrease the connection establishment period, and employ dynamic backlog mechanisms to ensure that the connection queue is never exhausted.
*Use a network Intrusion Detection System (IDS), because these can automatically detect and respond to SYN attacks.
Slide 54
*Host Threats and Countermeasures
Top host level threats are:
*Viruses, Trojan horses, and worms
*Footprinting
*Profiling
*Password cracking
*Denial of service
*Arbitrary code execution
*Unauthorized access
Slide 55
*Host Threats and Countermeasures
Viruses, Trojan horses, and worms:
*A virus is a program that is designed to perform malicious acts and cause disruption to your operating system or applications.
*A Trojan horse resembles a virus except that the malicious code is contained inside what appears to be a harmless data file or executable program.
*A worm is similar to a Trojan horse except that it self-replicates from one server to another. Worms are difficult to detect because they do not regularly create files that can be seen. They are often noticed only when they begin to consume system resources, because the system slows down or the execution of other programs halts.
Slide 56
*Host Threats and Countermeasures
Viruses, Trojan horses, and worms counter-measures:
*Stay current with the latest operating system service packs and software patches.
*Block all unnecessary ports at the firewall and host.
*Disable unused functionality including protocols and services.
*Harden weak, default configuration settings.
Slide 57
*Host Threats and Countermeasures
Footprinting:
*Examples of footprinting are port scans, ping sweeps, and NetBIOS enumeration that can be used by attackers to glean valuable system-level information to help prepare for more significant attacks.
*The type of information potentially revealed by footprinting includes account details, operating system and other software versions, server names, and database schema details.
Slide 58
*Host Threats and Countermeasures
Footprinting counter-measures:
*Disable unnecessary protocols.
*Lock down ports with the appropriate firewall configuration.
*Use TCP/IP and IPSec filters for defense in depth.
*Configure IIS to prevent information disclosure through banner grabbing.
*Use an IDS that can be configured to pick up footprinting patterns and reject suspicious traffic.
Slide 59
*Host Threats and Countermeasures
Password cracking:
*If the attacker cannot establish an anonymous connection with the server, he or she will try to establish an authenticated connection.
*For this, the attacker must know a valid username and password combination.
*If you use default account names, you are giving the attacker a head start.
*Then the attacker only has to crack the account’s password.
*The use of blank or weak passwords makes the attacker’s job even easier.
Slide 60
*Host Threats and Countermeasures
Password cracking counter-measures:
*Use strong passwords for all account types.
*Apply lockout policies to end-user accounts to limit the number of retry attempts that can be used to guess the password.
*Do not use default account names, and rename standard accounts such as the administrator’s account and the anonymous Internet user account used by many Web applications.
*Audit failed logins for patterns of password hacking attempts.
Slide 61
*Host Threats and Countermeasures
Denial of service:
*Denial of service can be attained by many methods aimed at several targets within your infrastructure.
*At the host, an attacker can disrupt service by brute force against your application, or an attacker may know of a vulnerability that exists in the service your application is hosted in or in the operating system that runs your server.
Slide 62
*Host Threats and Countermeasures
Denial of service counter-measures:
*Configure your applications, services, and operating system with denial of service in mind.
*Stay current with patches and security updates.
*Harden the TCP/IP stack against denial of service.
*Make sure your account lockout policies cannot be exploited to lock out well-known service accounts.
*Make sure your application is capable of handling high volumes of traffic and that thresholds are in place to handle abnormally high loads.
*Review your application’s failover functionality.
*Use an IDS that can detect potential denial of service attacks.
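Slide 60 asks for lockout policies and for auditing failed logins for guessing patterns, and Slide 62 warns that the same lockout must not become a way to lock out well-known service accounts. The added example below (written for this page, not code from the deck) runs both rules over constructed log lines: ordinary accounts are locked after repeated failures inside a sliding window, service accounts only raise an alert, and a single source failing against many distinct accounts is flagged even though no one account trips the threshold. The LOGIN_FAILED line format, thresholds, account names and 203.0.113.x/198.51.100.x addresses are all constructed.

```python
"""Auditing failed logins for password-guessing patterns, with a lockout policy
that cannot be turned against well-known service accounts.

Added example, not from the slide deck. The LOGIN_FAILED record format, the
thresholds, the account names and the source addresses are constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Set, Tuple

LINE_RE = re.compile(r"^(?P<ts>\S+) LOGIN_FAILED user=(?P<user>\S+) src=(?P<src>\S+)$")

# Constructed sample: a burst against bob, one source trying several accounts,
# then an attempt to trip the lockout threshold on a service account.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z LOGIN_FAILED user=bob src=203.0.113.5
2024-05-01T10:00:03Z LOGIN_FAILED user=bob src=203.0.113.5
2024-05-01T10:00:04Z LOGIN_FAILED user=bob src=203.0.113.5
2024-05-01T10:01:00Z LOGIN_FAILED user=alice src=203.0.113.9
2024-05-01T10:01:01Z LOGIN_FAILED user=carol src=203.0.113.9
2024-05-01T10:01:02Z LOGIN_FAILED user=dave src=203.0.113.9
2024-05-01T10:02:00Z LOGIN_FAILED user=svc_backup src=203.0.113.7
2024-05-01T10:02:01Z LOGIN_FAILED user=svc_backup src=203.0.113.7
2024-05-01T10:02:02Z LOGIN_FAILED user=svc_backup src=203.0.113.7
"""


class FailedLoginAuditor:
    def __init__(self, service_accounts: Set[str], max_failures: int = 3,
                 window: timedelta = timedelta(minutes=15), spray_accounts: int = 3):
        self.service_accounts = service_accounts
        self.max_failures = max_failures
        self.window = window
        self.spray_accounts = spray_accounts
        self._per_user: Dict[str, Deque[datetime]] = defaultdict(deque)
        self._per_src: Dict[str, Dict[str, datetime]] = defaultdict(dict)
        self._alerted: Set[Tuple[str, str]] = set()
        self.locked: Set[str] = set()
        self.alerts: List[str] = []

    def _alert(self, kind: str, subject: str, message: str) -> None:
        if (kind, subject) not in self._alerted:       # one alert per condition
            self._alerted.add((kind, subject))
            self.alerts.append(message)

    def observe(self, line: str) -> None:
        m = LINE_RE.match(line.strip())
        if not m:
            return                                     # not a failed-login record
        now = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
        user, src = m["user"], m["src"]

        # Per-account sliding window. Ordinary accounts get locked; service
        # accounts only raise an alert, so repeated failures cannot be used to
        # deny service to the processes that depend on them (Slide 62).
        times = self._per_user[user]
        times.append(now)
        while times and now - times[0] > self.window:
            times.popleft()
        if len(times) >= self.max_failures:
            if user in self.service_accounts:
                self._alert("service", user,
                            f"{user}: lockout threshold reached from {src}; service account not locked")
            else:
                self.locked.add(user)
                self._alert("lock", user, f"{user}: locked after {len(times)} failures from {src}")

        # Per-source view: one address failing against many distinct accounts is
        # the guessing pattern a per-account counter alone never sees (Slide 60).
        seen = self._per_src[src]
        seen[user] = now
        for u, t in list(seen.items()):
            if now - t > self.window:
                del seen[u]
        if len(seen) >= self.spray_accounts:
            self._alert("spray", src, f"{src}: failures against {len(seen)} distinct accounts")


def audit(log_text: str, service_accounts: Set[str], **policy) -> FailedLoginAuditor:
    """Feed every line of a log to the auditor and return it for inspection."""
    auditor = FailedLoginAuditor(service_accounts, **policy)
    for line in log_text.splitlines():
        auditor.observe(line)
    return auditor
```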
Slide 63
*Host Threats and Countermeasures
Arbitrary code execution:
*If an attacker can execute malicious code on your server, the attacker can either compromise server resources or mount further attacks against downstream systems.
*The risks posed by arbitrary code execution increase if the server process under which the attacker’s code runs is over-privileged.
*Common vulnerabilities include weak IIS configuration and unpatched servers that allow path traversal and buffer overflow attacks, both of which can lead to arbitrary code execution.
Slide 64
*Host Threats and Countermeasures
Arbitrary code execution counter-measures:
*Configure IIS to reject URLs with “../” to prevent path traversal.
*Lock down system commands and utilities with restricted ACLs.
*Stay current with patches and updates to ensure that newly discovered buffer overflows are speedily patched.
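Rejecting URLs that contain a literal “../”, as Slide 64 advises, only works on the representation the filter sees; a request can carry the same dot segments percent-encoded, double-encoded or with backslashes, which is the canonicalization problem Slide 67 lists. The added example below (written for this page, not IIS code or code from the deck) decodes and normalizes first and then checks that the result still lies under the web root, alongside the literal filter for comparison. Function names and the sample web root and paths are this example's own.

```python
"""Canonicalize a requested path before checking it against the web root.

Added example, not from the slide deck. The literal "../" filter is kept only
to show the cases it misses; resolve_under_root() is the check to rely on.
Function names, MAX_DECODE_ROUNDS and the sample paths are this example's own.
"""
import posixpath
from typing import Optional
from urllib.parse import unquote

MAX_DECODE_ROUNDS = 3   # tolerate double-encoding, but never loop forever


def naive_rejects(request_path: str) -> bool:
    """The literal filter from Slide 64: reject anything containing '../'."""
    return "../" in request_path


def canonicalize(request_path: str) -> Optional[str]:
    """Return the request as a normalized path relative to the web root
    ('.' for the root itself), or None when it cannot be canonicalized safely."""
    path = request_path.split("?", 1)[0].split("#", 1)[0]   # drop query/fragment
    for _ in range(MAX_DECODE_ROUNDS):          # undo %2e%2e, %252e%252e, ...
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    else:
        return None                              # still changing: refuse it
    if "\x00" in path:
        return None                              # NUL truncates C-string paths
    path = path.replace("\\", "/").lstrip("/")   # Windows servers accept both separators
    return posixpath.normpath(path) if path else "."


def resolve_under_root(web_root: str, request_path: str) -> Optional[str]:
    """Map a request onto the web root; None means the canonical path escapes it.

    The containment test runs on the normalized relative path, so it does not
    matter how the dot segments were spelled in the original request.
    """
    rel = canonicalize(request_path)
    if rel is None or rel == ".." or rel.startswith("../"):
        return None
    root = posixpath.normpath(web_root)
    return root if rel == "." else posixpath.join(root, rel)


if __name__ == "__main__":
    # Constructed requests: what the literal filter says versus what the
    # canonical check says. The last two show where the literal filter fails.
    for req in ["/images/logo.png", "/docs/../index.html", "/../web.config",
                "/%2e%2e/web.config", "..\\web.config"]:
        print(f"{req:22} literal-filter rejects: {naive_rejects(req)!s:5} "
              f"resolved: {resolve_under_root('/var/www', req)}")
```

The string check is only the input-validation half of the slide's advice; file-system ACLs (the slide's second bullet) still apply, because symlinks and aliases are a separate canonicalization the path string cannot show.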
Slide 65
*Host Threats and Countermeasures
Unauthorized access:
*Inadequate access controls could allow an unauthorized user to access restricted information or perform restricted operations.
*Common vulnerabilities include weak IIS Web access controls, including Web permissions and weak NTFS permissions.
Slide 66
*Host Threats and Countermeasures
Unauthorized access counter-measures:
*Configure secure Web permissions.
*Lock down files and folders with restricted NTFS permissions.
*Use .NET Framework access control mechanisms within your ASP.NET applications, including URL authorization and principal permission demands.
Slide 67
*Application Threats and Countermeasures
Category: Input validation
Threats:
*Buffer overflow
*Cross-site scripting
*SQL injection
*Canonicalization
Slide 68
*Application Threats and Countermeasures
Category: Authorization
Threats:
*Elevation of privilege
*Disclosure of confidential data
*Data tampering
*Luring attacks
Slide 69
*Application Threats and Countermeasures
Category: Configuration management
Threats:
*Unauthorized access to administration interfaces
*Unauthorized access to configuration stores
*Retrieval of clear text configuration data
*Lack of individual accountability
*Overprivileged process and service accounts
Slide 70
*Application Threats and Countermeasures
Category: Sensitive data
Threats:
*Access to sensitive data in storage
*Network eavesdropping
*Data tampering
Slide 71
*Application Threats and Countermeasures
Category: Session management
Threats:
*Session hijacking
*Session replay
*Man in the middle
Slide 72
*Application Threats and Countermeasures
Category: Cryptography
Threats:
*Poor key generation or key management
*Weak or custom encryption
Slide 73
*Application Threats and Countermeasures
Category: Parameter manipulation
Threats:
*Query string manipulation
*Form field manipulation
*Cookie manipulation
*HTTP header manipulation
Slide 74
*Application Threats and Countermeasures
Category: Exception management
Threats:
*Information disclosure
*Denial of service
Slide 75
*Application Threats and Countermeasures
Category: Auditing and logging
Threats:
*User denies performing an operation
*Attacker exploits an application without trace
*Attacker covers his or her tracks
Slide 76
*Way ahead
*Details of application level threats and countermeasures.
*Threat modeling.
*Answers to unanswered questions.
Slide 77
*Thanks a lot…
Reach me at http://www.geekays.net/