application security
- domain addresses the important security concepts that apply to the software application development
availability
programs, data, processing, and resources
resources include
bandwidth, memory, disk spaces, mail queues, etc.
subtopics of application security
- applications environment
- database environment
- environment threats
- system life cycle
- change management
applications environment
operating system (OS)
2 objectives of OS
control use of system resources and provide a convenient, easy to understand view of the computer to users
applications software
comprises programs, processes, utilities, drivers, etc. to provide user functionality and support business activities
applications software allows
users to execute and perform computerized tasks
databases
developed to manage information from many sources in one location
database characteristics
- eliminates the need for duplication of information in the system
- preserves storage space
- prevents inconsistency in data by making changes in one central location
major elements of databases
database, hardware, software, and users
users should be
on top of everything because everything starts and involves them
DBMS should provide
- transaction persistence
- fault tolerance and recovery
- sharing by multiple users
- security controls
relational database security issues
- ensuring integrity of input data
- preventing deadlocking
- access controls ensuring only authorized users are performing authorized tasks
deadlocking
stalemate when 2 or more processes are each waiting for the other to do something before they can proceed
database security issues
- unauthorized access
- data contamination
- query attacks
- interference
- aggregation
unauthorized access
Ability to appropriately login and have too much authority in an application (editing capability, admin access, data breaches)
data contamination
Can corrupt queries made off contaminated databases
query attacks
- SQL attacks
- Setting up an account on an application can be configured incorrectly from frontend to backend and can be compromised by bots autofilling - can prevent this with character limits, filters, etc., to prevent the bot data from entering the database
lock controls
- Used to control read and write access to specific rows of data in relational systems or objects in object-oriented systems
- Locks ensure only one user at a time can alter data
- Better programming logic and testing reduce deadlocking problems
the ACID test
Atomicity
- Either all changes take effect or none do
Consistency
- A transaction is allowed only if it meets owner/system-defined integrity constraints
Isolation
- The results of the transaction are not visible until the transaction is complete
Durability
- A completed transaction is permanent
online transaction processing (OLTP)
Records transactions as they occur (in real time).
OLTP security concerns
Concurrency controls ensure that two users cannot simultaneously change the same data
Atomicity ensures that if one step fails, then all steps should not complete
OLTP systems should
- Detect when individual processes abort
- Automatically restart an aborted process
- Back out of a transaction if necessary
view based access controls
- Security achieved through the appropriate use of "views"
- Allows the database to be logically divided into pieces - sensitive data is hidden from unauthorized users
- Controls are located in the front-end application that the user interfaces with and not the back-end query engine
- Also called stored procedures
- E.g., a pharmacist shouldn't be able to see a patient's diagnosis so the configuration should prevent them from seeing back-end data
enterprise
multiple internal networks, internal areas or domains, and various internal devices and systems, applications, and a diverse user presence as a single collective unit
architecture
the highest level concept of a system in its environment
security architecture
a high-level design used to satisfy a system's security requirements as defined in an organization's security policy
enterprise security architecture
defines the information security strategy that consists of layers of policy, standards, and procedures and the way they are linked across an enterprise
infrastructure versus architecture
Infrastructure refers to the supporting elements needed for functionality
Architecture refers to the cohesive design of the elements
infrastructure includes
Hardware
Software
Operating system and all associated functions
Applications
Utilities
Network environment
architecture includes
Principles
Concepts
Methods
Practices
Standards
telecomm, network, and internet security discuss
Network structures
Transmission methods
Transport formats
Security measures used to provide availability, integrity, and confidentiality **
Authentication for transmission over private and public communications networks and media **
data network structures
LAN
Personal Area Network (bluetooth)
WAN
Internet
Intranet
Extranet
wireless radio frequency band
- Data is imbedded in sound waves to the wireless access point and then through wiring, cables, and finally to your ISP
wireless radio frequency band is
Primary mechanism for confidentiality for wireless is to encrypt data passing through sound waves
network protocol
A standard set of rules that governs the exchange of data between hardware and/or software components in a communications network
A network protocol also describes the format of a message and how it is exchanged
When computers communicate with one another, they exchange a series of messages
To understand and act on these messages, computers must agree on what a message means
OSI Model
7 layers
internet model
4 layers
ISO 7478
Describes the OSI model
Defines the security services that are available and where they fit in the layered model
data encapsulation
To transmit data across a layered network, the data passes through each layer of the protocol stack
It begins at the application layer with the application software passing the data to the next lower protocol in the stack
At each layer the data is encapsulated - the protocol processes the data in the format that the next protocol layer requires
TCP/IP
To transmit data across a layered network, the data passes through each layer of the protocol stack
It begins at the application layer with the application software passing the data to the next lower protocol in the stack
At each layer the data is encapsulated - the protocol processes the data in the format that the next protocol layer requires
IP Address
Composed of 32-bit addresses that are often displayed in the form of four groups of decimal digits separated by a period/dot
Each group of numbers cannot be larger than 254
URLs and IP Addresses
8 values that are either 0 or 1
Values are arranged as: 128, 64, 32, 16, 8, 4, 2, 1 and are represented by 1 or 0 (on or off)
1 represents the number is counted (turned on)
0 represents the number should not be counted (turned off)
Ex: 11011000 = 128 + 64 + 0 + 16 + 8 + 0 + 0 + 0 = 216
IP security issues
IP Fragmentation Attacks
Tiny fragment attack
Overlapping fragment attack
Teardrop Denial of Service Attack
IP Address Spoofing
Source Routing
Smurf and Fraggle
IP Tunneling over other protocols (seen a lot in denial of service)
TCP (Transmission Control Protocol)
Provides reliable data transmission
Retransmits lost/damaged data segments
Sequences incoming segments to match original order
Marks every TCP packet with a source host and port number, as well as a destination host and port number
DNS (Domain Name System)
Yellow pages for internet
Distributed Internet directory service
Global network of "name servers" that translate host names to numerical IP addresses
www.ISC2.org = 209.164.6.194
Internet services rely on DNS to work, if DNS fails, websites cannot be located and email delivery stalls
It is tree structured
Contains two elements:
Name server
Resolver
ARP(Address Resolution Protocol)
Used when a node knows the network layer address, but needs the data link layer address to forward the encapsulating frame
The ARP software maintains a table of translations between IP addresses and data link addresses
remote access services
Typically conducted over an untrusted network
Increased risk to disclosure, modification, and denial of service
Remote access security minimums
remote access qualities
Strong identification and authentication services
Rapid growth of remote access via the Internet
Wide availability
Economical
employees do not actually use ___________ as much as they say they will
remote access
remote access technologies allow users to
access network information through a dial in or wireless connection
internet connection allows remote workers to
access network information through an ISP connection
General Remote Access Safeguards
Publish a clear/definitive remote access policy and enforce it through audit
Justify all remote users and review regularly, such as yearly **
Identify and periodically audit all remote access facilities, lines, and connections
Consolidate all general user dial-up facilities into a central bank that is positioned on a DMZ
Implement two-factor authentication
VPNs
secure shell (SSH and SSH2)
Powerful method of performing client authentication and
Safeguards multiple service sessions between two systems
SSH provides support for
Host and user authentication
Data compression
Data confidentiality and integrity
SSH credentials are validated by
digital signature exchange using RSA
network threats and attacks examples
Denial of Service (DoS)
Mobile code
Malicious code
Wireless LAN vulnerabilities
spoofing
remote access threat targets of opportunity
Insecure internet connections
Unsecured modem access
Diagnostic ports on various network devices
Administrative ports on voice mail systems, PBX, fax servers
Unauthenticated sessions
the target of remote access attacks
Sensitive and critical information
Computing services, such as storage space and other resources
Toll telephone services
Voice mail
Network access to interconnected networks, such as customers or business partners
Wireless LAN Vulnerabilities Subtopics
- Detection
- Eavesdropping
- Modification
- Injection
- Hijacking
- WLAN Architecture
- Radio Frequency Management
detection
WLAN will generally broadcast detectable radio waves for a great distance
eavesdropping
WLAN signals extend beyond physical security boundaries
Standard Wired Equivalent Privacy (WEP) encryption is often not used
When used, WEP is flawed and vulnerable
No user authentication in WEP
IM security issues
- Most lack encryption capabilities
- Most have features to bypass traditional corporate firewalls
- Insecure password management
- Increased exposure to account hijacking and spoofing
intrusion prevention systems (IPS)
Intrusions are prevented
Ability to block attacks in real time
Actively intercept and forward packages
Considered "access control" and "policy enforcement" whereas IDS is considered "network monitoring" and "audit"
Preventative control
Intrusion Detection System (IDS)
Intrusion attempts and any set of actions that attempt to gain unauthorized access are detected
Auditing for intrusion attempts on a timely basis
how can IDS and IPS be used together
to train each other