Loading presentation...

Present Remotely

Send the link below via email or IM

Copy

Present to your audience

Start remote presentation

  • Invited audience members will follow you as you navigate and present
  • People invited to a presentation do not need a Prezi account
  • This link expires 10 minutes after you close the presentation
  • A maximum of 30 users can follow your presentation
  • Learn more about this feature in our knowledge base article

Do you really want to delete this prezi?

Neither you, nor the coeditors you shared it with will be able to recover it again.

DeleteCancel

System and Application Security

No description
by

Faham Usman

on 22 May 2014

Comments (0)

Please log in to add your comment.

Report abuse

Transcript of System and Application Security

Information Security
System and Application Security
Awareness Campaign
Agenda
Salim is your Cyber Security Advisor.
Aims at promoting, building and ensuring a safer & secure cyber environment and culture in the UAE.
About aeCERT
One of the initiatives of the UAE Telecommunications Regulatory Authority.
aeCERT is the United Arab Emirates Computer Emergency Response Team.
About aeCERT
Security Models and Architecture
Operating System Security
Windows Security Architecture
Linux Security Model
Securing Application
Application Security
File System Security
System Hardening
Conclusion
aeCERT
Salim (aeCERT)
@salim_aecert
For more information
www.aecert.ae
info@aecert.ae
Questions
Security Models and Architecture
Security Models and Architecture
Security Models and Architecture
Bell LaPadula Security Model
Biba Security Model
Biba Security Model
Comparing Bell-Lapadula and Biba Model
Clark-Wilson Security Model
Chinese Wall / Brewer and Nash Security Model
Operating System Security
Background: Operating System Market Share (2013)
Background: Windows
Background: Linux
Windows Security Architecture
Windows Security Architecture
Security Reference Monitor (SRM)
Local Security Authority (LSA)
Security Account Manager (SAM)
Active Directory
WinLogon & NetLogon
Local vs. Domain Accounts
Workgroup Joined
Domain Joined
Windows Login Example
Windows Login Example
Review Question
Answer
Windows Privileges
Access Control List (ACL)
Access Control List (ACL)
Integrity Control
Six Integrity Levels
User Account Controls
User Account Controls (continued)
UAC Consent UI: Type 1
UAC Consent UI: Type 2
UAC Consent UI: Type 3
UAC: What’s Really Happening?
Review Question
Answer: Biba Model
Linux Security Model
Overview of Linux Security Model
Overview of Linux Security Model
Linux Security Transactions
File System Security
Users and Groups
Understanding: /etc/password
Understanding: /etc/password
Understanding: /etc/password
Understanding of /etc/group
File Permissions
Numeric File Permissions
Directory Permissions
Sticky Bit
SetUID and SetGID
SetGID and Directories
Kernel Space and User Space
Mandatory Access Controls
Mandatory Access Controls
Windows Vulnerabilities
Windows Vulnerabilities Example
Windows Vulnerabilities Example
Linux Vulnerabilities
Buffer Overflow
Buffer Overflow
SetUID Root Vulnerabilities
Web Application Vulnerabilities
Rootkit Attacks
Rootkit Attacks
System Hardening
Windows Defenses
Account Defenses
Network Defenses
Browser Defenses
Cryptographic Services
Linux System Hardening
OS-Level Security Tools and Techniques
OS Installation
Patch Management
Network Access Controls
Using IP-tables for “Local Firewall” Rules
Antivirus Software
User Management
Password Aging
Root Delegation
Logging
Application Security (Hardening)
Running As Unprivileged User/Group
Running in “chroot” Jail
Modularity
Encryption
Logging
Introduction to Application Security?
Applications under Attack
Application Security Threats
Application Security Threats
Why Is Application Security Important?
Why Application Security is Ignored?
Application Security Goal?
What is a Web Application?
How Web Application Works?
How Web Application Works?

How Web Application Works?
Securing the Application
What is Web Application Security?
What is Web Application Security?
Web Application Security Misconceptions
Simplified Web Application Architecture
2013’s Top Web Application Hacks
2013’s Top Web Application Hacks
2013’s Top Web Application Hacks
Web Application Security Program
Education & Strategic Planning
Security Testing
Development
Development
Microsoft SDLC
Microsoft SDLC
Building Security into SDLC – Touch-points
Web Application Threats
Web Application Threats
Web Application Threats
Web Application Threats
Web Application Threats
Web Application Threats
Web Application Threats
Web Application Threats
Web Application Threats
Web Application Threats
Web Application Threats
Web Application Threats
Web Application Threats
Web Application Threats
Web Application Threats
In the past, lots of security breaches have occurred due to buffer overflows
Shoring up defenses, reducing exposed functionality, disabling less-used features
SSL and TLS protocols in OpenSSL library used
Web application security is not specifically:
Yahoo! Mail Hacked
User Account Hijacking (3)
Cookie/Session Poisoning – Cookie Refresher
A General may write orders to a Colonel, who can issue these orders to a Major
In this method, the General's original orders are kept intact and the mission of the military is protected
Conversely, a Private can never issue orders to his Sergeant, who may never issue orders to a Lieutenant, also protecting the integrity of the mission
User friendly
Enhancements can help millions of users
Defects found quickly because of widespread use
Security defects can leave millions vulnerable
Non-technical user-base
Industry dominance leaves MS handcuffed - any move to expand capabilities seen as anticompetitive
Stability
Free Software
Runs on old hardware
Security
Learning curve
Equivalent programs
More technical capability needed
Not all hardware are compatible
Administrator creates a user account (fullname, username, password, group, privileges)
Windows creates an SID in the form of
S-1-5-21-AAA-BBB-CCC-RRR
Windows creates an SID in the form of
SAM format: supported by all versions of Windows (legacy format)
Form: DOMAIN/username
User Principle Name (UPN) and looks more like RFC822 email address
Example: username@domain.company.com
Read, Write, Create, Delete, Modify, etc.
Access Control Example
Example: malware no longer runs in the privileged level of the logged-on user, as it does in XP
It runs in the integrity level of the object that spawned it
Windows needs your permission to continue
You attempt to change a potentially unsafe system setting, such as a running a Control Panel
A program needs your permission to continue
An external application with a valid digital signature is attempting to run with admin privileges
An unidentified program wants access to your computer
An external application without a valid digital signature is trying to run
Linux Security Model
People or processes with “root” privileges can do anything
Other accounts can do lot less
Many system Admin fail to use the security features
Add-on tools like sudo and Tripwire available
Example: /dev/cdrom points to /dev/hdb which is a special file
A conduit between processes / programs
Someone or something capable of using files
Can be human or process
e.g. lpd (Linux Printer Daemon) runs as user lp
List of user accounts
User’s main group membership specified in /etc/password
User can be added to additional groups by editing /etc/group
Command line -> user add, user mod, and user del
UID 100-999 are reserved by system for administrative and system accounts/groups
Allows you to add extra information about the users such as user's full name, phone # etc
This field is used by finger command
If this directory does not exist then user’s directory becomes ‘ / ’
Typically, this is a shell. Please note that it does not have to be a shell.
Files have two owners: a user & a group
Each with its own set of permissions
With a third set of permissions for other
Permissions used for granting read/write/execute in order of user/group/other
rw-rw -r-- 1 maestro user 35414 Mar 25 01:38 aeCERT.txt
Permissions can be changed using chmod command
Instead of manually changing its group
Users may not set controls weaker than policy
Normal admin done with accounts without authority to change the global security policy
But MAC systems have been found hard to manage
Windows Vulnerabilities
Most severe of these vulnerabilities could allow elevation of privilege if an attacker logged on locally and ran a specially crafted application

An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability
The vulnerability could not be exploited remotely or by anonymous users
Security update resolves several privately reported vulnerabilities in Microsoft Windows
Rated important for all supported editions of Microsoft Windows 2000, Windows XP, Windows Server 2003, and the original release version of Windows Vista
Rated Moderate for all supported versions of Windows Vista Service Pack 1 and Windows Vista Service Pack 2, Windows Server 2008, Windows 7, and Windows Server 2008 R2
Most likely result in a denial of service condition
Linux Vulnerabilities
The extra data overwrites on top of another portion of memory that was meant to hold something else, like part of the program's instructions
This allows an attacker to overwrite data that controls the program and takeover control of the program to execute the attacker's code instead of the program
Hiding attacker’s files, directories, processes
Intercepts system calls in kernel-space
Hides attacker from user
May be able to detect with chkrootkit
Generally have to wipe and rebuild system
System Hardening
Servers easier to harden
Called attack surface reduction
80/20 rule of functionality
Not always achievable
Used for specific and controlled purposes
Administrative users with better skills than workstation users
Operate with just enough privileges for task
Users prompted to perform privileged operations
Preliminary Planning

Physical System Security

Operating System Installation

Securing Local File Systems

Configuring and Disabling Services
Securing the root account

User Authentication and User Account Attributes

Securing Remote Authentication

Setup Ongoing System Monitoring

Backups
Network, a key attack vector to secure
Libwrappers & TCP Wrappers, a key tool to check access
Before allowing connection to service, tcpd first evaluate access control
Defined in /etc/hosts.allow
Defined in /etc/hosts.deny
Less scope of being
exploited
Various commercial and
free Linux A/V
A large topic, covered in next section
Many security features are implemented in similar ways across different applications
More difficult to run as an unprivileged user
Harder to locate / fix security bugs in source
Harder to disable unnecessary functionality
Providing a much smaller attack surface
Can generate/sign using openssl command
May use commercial/own/free CA
Application Security
Enterprise assets
Identifying what each application does with respect to these assets
Creating a security profile for each application
Identifying and prioritizing potential threats
Document the events and take actions in each case
Commonly structured as a three-tiered application
Web application security safeguards:
Twitter Suffers Cyber Attack
LinkedIn Accounts Password Hacked
The SDL Optimization Model
User Account Hijacking (5)
Cookie/Session Poisoning – Cookie Refresher
Buffer Overflow
Buffer Overflow (print “a” 500 times):
Web Application Countermeasures
Web Application Countermeasures
Web Application Countermeasures
Web Application Countermeasures
Web Application Countermeasures
Web Application Countermeasures
Web Application Countermeasures
Web Application Countermeasures
Web Application Countermeasures
Web Application Countermeasures
A Fix for XSS:
Check and Scrub All User Input…!!!
What Can I Do as a Developer?
Conclusion
Secure Session States
Full transcript