Chapter 8 - Application Security
Why are security baselines needed for installing applications?
A complex series of actions is needed for any major application. This requires the checklist of a security baseline
On the testing server?
Developers get extensive permissions on the development server.
What permissions does the developer have on the development server?
Developers get extensive permissions on the development server.
On the production server?
Developers get no permissions on the production server
What may happen on a compromised computer if a user mistypes the host name in a URL?
Mistyping a URL may send a user to a malicious website, where hostile mobile code is waiting to attack your PC
What is a buffer?
a temporary storage area in memory
What three other web server protections were mentioned in the text?
1) website vulnerability assessment tools like Whisker 2) reading website error logs 3) using a webserver proxy in front of the webse
In staged development, what three servers do companies use?
A development server, a testing server, and a production server
What kinds of external access are needed for e-commerce?
An e-commerce server needs to have network access to a number of systems external to itself, including servers within firms (for order entry, accounting, shipping, and so forth) and servers outside the firm in merchant banks and companies that check credit card numbers for validity. The webmaster or e-commerce master often has no control over the security of other systems.
Why is it important to minimize permissions for application programs?
Application permissions must be minimized because if a hacker takes over an application, he or she can take over the entire host if the permissions are too great.
Why is application-level authentication superior to operating system authentication?
Application-level authentication is superior because it requires the hacker to not only have an exploit, but also authenticated access to a server (versus just an exploit).
Why do attackers want to get domain names such as micosoft.com?
Common misspellings of legitimate websites will naturally draw users. Once at the site, the malicious websites can download mobile code to attack the PC.
Why are custom programs especially vulnerable?
Custom programs offer security through obscurity, but because they are often not programmed securely, hackers have automated tools that can find common exploits (such as buffer overflows) to allow them to attack the application.
Distinguish between WWW service and e-commerce service.
E-commerce adds functionality to webservice
How can social engineering be used to trick a victim into going to a malicious website?
Hackers can send messages saying something bad (or good) has happened and directing you to a malicious website
Why must you know a server's role to know how to protect it?
Knowing what a server is meant to do allows you to determine what services must be kept on, and all others can be disallowed
Why may malware that allows an attacker to execute a single command on a user's computer not really be limited to executing a single command?
Malware that allows an attacker to execute a single command may be used to initiate another program that provides much greater PC access (such as a command shell)
Does the webmaster or e-commerce administrator have control over the security of other servers?
Neither the webmaster nor the e-commerce administrator has control over the security of other systems outside their purview
What is PII?
PII is Personally Identifiable Information (such as SSN, date of birth, address, etc.)
What can hackers gain by taking over application programs?
They get the privileges of the applications program they take over
Why is it important to minimize both main applications and subsidiary applications?
The fewer applications you have, the fewer security risks there will be.
To where does the overwritten return address point?
The overwritten address will point to data in the buffer, which will actually be program/attack code that will be executed instead of legitimate code
On what server does the tester have access permissions?
The tester should only have access to the test servers.
What software must be patched on an e-commerce server?
The webserver, the e-commerce server, and subsidiary programs must all be up-to-date on their patches.
Why is patching applications more time consuming than patching operating systems?
There are many more applications compared to only one OS, and finding information about application vulnerabilities takes a lot of time
What is a buffer overflow attack?
an attack that writes data longer than the space allocated for it in the buffer
What is the most popular way for hackers to take over hosts?
by taking over an application with root privileges
What danger do cookies create?
can be used to track a user's activity, which could violate privacy. Cookies can also hold PII.
Why is it bad to go to a malicious website?
can have attack scripts that automatically load an executable on a PC, which is bad.
What impacts can buffer overflows have ?
can range from nothing to crashing of the server or the ability to execute any command on the server
What is extrusion prevention?
Preventing certain information from leaving the company
Why is extrusion prevention needed for intellectual property?
it prevents the loss of trade secrets
Why must PII be prevented from leaving the firm?
It must be prevented from leaving a firm in order to avoid lawsuits related to identity theft or credit card theft
In a stack overflow, what is overwritten by the overflow?
the return address in a stack is overwritten in a stack overflow
Why should cryptographic protection be used?
to prevent eavesdropping by unauthorized people
Where is an application proxy firewall placed relative to the webserver?
would be placed in front of the webserver, between the webserver and the border router.