Open web application security project (OWASP)
maintains a top ten list of common web security issues
injection flaws
unwanted transaction code is inserted
most common is SQL injection
request forgery
tricks servers into requesting URLs
SQL injection
an attack in which malicious code is inserted into strings that are later passed to an instance of the SQL Server Database Engine for parsing and execution.
protecting against SQL injections
input validation- protects against unsafe user input by checking it on the server before executing commands
parameterized SQL- precompiles SQL code on the database server to prevent user input from altering query structure
cross site scripting (XSS)
occurs when an attacker embeds malicious scripts in a third-party website that are later run by innocent visitors to that site
exploits HTML
cross site request forgery (CSRF, XSRF, ‘sea surf’)
leverages the fact that users often log in to multiple sites at the same time and uses one site to trick the browser into sending malicious requests to another site without the user’s knowledge
often uses fake image tags
client side attack
defending against CSRF
rearchitect web applications
prevent use of HTTP GET requests
advise users to log out of sites
automatically log out users after an idle period
server side request forgery (SSRF)
request forgery attack that targets servers, rather than users, by manipulating servers into retrieving malicious data from what they believe to be a trusted source
directory traversal attack
when an attacker uses directory navigation references to search for unsecured files on a server
can be prevented by
using input validation to prevent the inclusion of periods in user requests
setting strict file system access controls
buffer overflow
an attack that supplies input larger than the buffer meant to hold it
cookies
data stored by websites in user browsers, particularly useful to recognize users, and are used to remember information
session hijacking
attackers steal a web user’s active session by acquiring their unique session ID. This lets them impersonate the user, accessing data or performing actions as if they were the legitimate user. The breach disrupts the session and poses significant risks to personal and organizational data security.
code execution attacks
occurs when an attacker exploits a vulnerability in a system that allows the attacker to run commands on that system
arbitrary- code execution attacks in which the attacker runs commands of their own choosing
remote- code execution attacks that take place over a network connection
objectives could be installing malicious code, adding system to botnet, stealing info, or creating accounts for later access
signature detection
antivirus software method that watches for known patterns of malware activity
behavior detection
watches for deviations from normal patterns of activity
Endpoint Detection and Response (EDR)
offers real time, advanced protection
application control 2 main approaches
whitelisting- admin creates a list of all applications that may run on a system
blacklisting- admins create a list of applications that are prohibited on a system
host software baselining
identifies expected system software
default deny rule
firewalls, by default, block any network connection attempts that are not explicitly allowed by a firewall rule
network firewalls
hardware devices that regulate connections between two networks
host firewalls
software components of an operating system that limit connections to a server
next generation firewalls (NGFW)
incorporate advanced security features such as contextual information about the user and application
IDS and IPS
IDS- alert admins to suspicious network activity
IPS- take proactive measures to block suspicious network activity
file integrity monitoring systems
watches for unexpected file modifications
uses hash functions (one way functions that transform a variable length input into a unique fixed length output)
data loss prevention
technology solutions that search systems and monitor networks for sensitive information that is unsecured and provide the ability to remove the information, block the transmission, or encrypt the stored data
-host based DLP- uses software agents installed on a single system
-network based DLP- scans network transmissions for sensitive info
2 mechanisms of action:
-pattern matching- recognizes known patterns of sensitive info, such as SSNs
-watermarking-identifies sensitive info using electronic tags
user and entity behavior analytics (UEBA)
compares user activity to individual baselines
What command is used to apply operating system updates on some Linux distributions?
upgrade
file integrity monitoring tool
Tripwire