FINAL EXAM 3423
Truly Random Password
- Almost impossible to memorize - Must be written down - Long - Password policies
Key implementation areas for secure software
- Architecture - Authentication - Session Management - Access Controls and Authorization - Event Logging - Data Validation
How to prevent Buffer Overflow?
- Avoid using library files - Filter user input - Test applications
These can increase the number of possible password combinations
- Broader character set - Password length
How to counter SQL injection attack?
- Constrain and sanitize input data - Use type-safe SQL parameters for data access - Use an account w/ restricted permissions in database - Avoid disclosing database error info to user
Image Backup
- Everything, including programs and settings - Very slow - Data files change rapidly, so do several file data backups for each image backup
Characteristics of RAID
- Increased reliability and performance - A single hard drive failure won't always cause data loss - Multiple disks can be written to simultaneously
Scripting languages for mobile code
- JavaScript (not a scripted form of Java) - VBScript (Visual Basic scripting from Microsoft)
Appropriate Use of a Super User Account
- Log in as ordinary user - Switch to super user when needed - Revert to ordinary when super privileges are no longer needed
The Key Principle in Application Security Threats
- NEVER trust user input - Filter user input for inappropriate content
How to assign permissions in Windows
- Right-click on file/directory - Select Properties -> Security - Select user/group - Select 6 standard permissions (permit/deny) - 13 special permissions for finer control
Characteristics of a script
- Series of commands in scripting language - Usually invisible to users
Webserver Attacks
- Website Defacement - IIS buffer overflow (can take over computer) - IIS directory traversal AKA ../ attack AKA directory climbing (exploits lack of security rather than bug in code)
Custom Applications
- Written by a firm's programmers - Not securely coded - SECURITY THREAT
Current Top 5 Issues
1. Unvalidated Input 2. Broken Access Control 3. Broken Authentication and Session Management 4. Cross Site Scripting Flaws 5. Buffer Overflows
Shadowing
A backup copy of each file being worked on is written every few minutes to the hard drive, or to another location
What is a Host?
Anything with an IP address (it can be attacked)
Dictionary Attacks
Attacker encrypts every word in a dictionary - Common words are cracked instantly (people, pets, music, profanity, slang, dates, etc.)
What is Mirroring?
Creating an exact copy of a disk at the same time; normal speed, no data loss but more costly
Destroying
Data Recoverable? No; Media Reusable? No; Data Deletion Method: Shred, melt, pulverize, etc.
Wiping/Clearing
Data Recoverable? No; Media Reusable? Yes; Data Deletion Method: Disk wiping software or encrypt
Nominal Deletion
Data Recoverable? Yes; Media Reusable? Yes; Data Deletion Method: Delete key
Basic File Deletion
Data Recoverable? Yes, with software; Media Reusable? Yes; Data Deletion Method: Empty Recycle Bin
RAID Level NONE
Disks Needed: 1; Parity: No; Striping: No; Redundancy: No; Data Transfer Speed: Normal
RAID Level 1 (Mirroring)
Disks Needed: 2; Parity: No; Striping: No; Redundancy: Yes; Data Transfer Speed: Normal
RAID Level 0 (Striping)
Disks Needed: 2; Parity: No; Striping: Yes; Redundancy: No; Data Transfer Speed: Very fast
RAID Level 5 (Distributed Parity)
Disks Needed: 3; Parity: Yes; Striping: Yes; Redundancy: Yes; Data Transfer Speed: Fast read, slow write
An ___ takes advantage of a vulnerability
Exploit
Scope of Backup
Fraction of information on the hard drive that is backed up
Restoration Order
Full backup goes first, then restore incremental backups in the order created
What is Active-X from Microsoft?
Highly dangerous because it can do almost everything
Inheritance of Permission
If 'include inheritable permissions from object's parent' is checked in the security tab, the directory receives permissions of the parent directory (checked by default)
Full Backups
Includes all files and directories and is slow so is done weekly
Cross-site scripting (XSS) attack
Injects scripts into a web application server that will then direct attacks at clients.
Buffer Overflow Attack
Inputting so much data that the input buffer overflows, overwriting an adjacent section of RAM
Client-Side Scripting (Mobile Code) include
Java applets and Active X
Advantage/disadvantage of rainbow tables
Less time to crack, more memory used
Rainbow Tables
List of pre-computed password hashes
What is a redundant array of independent disks (RAID)?
Multiple hard drives within a single system
Types of Deletion
Nominal Deletion, Basic File Deletion, Wiping/Clearing, Destroying
Incremental Backups
Only records changes made since last backup and is FAST so is done daily; do these between full backups
What does OWASP stand for?
Open Web Application Security Project
What does OWASP provide?
Publications, Software, and Local Chapters
RAID
Redundant Array of Independent Disks
Generations
Save several generations of full backups; do not save incremental backups after the next full backup
Vulnerabilities
Security weaknesses that open a program to attack
File/Directory Data Backup
Select data files and directories to be backed up; not good for programs
Examples of Hosts
Servers, clients (cellphone), Routers/Switches, Firewalls
What are Java applets?
Small Java programs that run in a sandbox so they do not affect the system
Why are PCs major targets?
They have interesting information and can be attacked through the browser
Brute-Force
Try all possible passwords - Try 1-char passwords (e.g. a, b, c) - Try 2-char passwords (e.g. aa, ab, bb)
RAID levels
Ways of configuring multi-disk arrays
What kind of software does OWASP provide?
WebGoat, WebScarab, oLabs Projects, .NET Projects
How to switch to super user
Windows: RunAs; UNIX: su
What is Striping?
Writing data simultaneously across multiple disks; very fast but not reliable, one disk failure causes complete data loss
How to prevent XSS attack?
An application needs to ensure that all variable output in a page is encoded before being returned to the end user
Information Triangulation
A combination of two pieces of personal information can be used to derive a third piece that identifies that person
Zero-day exploits
Exploits that occur before fixes are released
SQL Injection Attack
Inserting a malicious SQL query into input such that it is passed to and executed by an application program
Permissions
Specify what a user or group can or cannot do to files, directories, and subdirectories
Personally Identifiable Information (PII)
The name, postal address, SSN, photo, addresses, or any other information that allows tracking down the specific person who owns a device
Hybrid Dictionary Attacks
Try simple modifications (mangling rules) of common words contained in a dictionary file - adding numbers, l33tspeak, keyboard patterns (qwertyuiop), deleting characters (pswrd)