CH3 RESOURCES

ugliestharras, Software & software engineering

4 Nov 2013 (3 years and 9 months ago)


Security+ Guide to Network Security Fundamentals, Third Edition 3-1




Chapter 3


Protecting Systems


Hardening the Operating System


1. Hardening the operating system to resist attacks is often a three-pronged approach that involves:

a. Managing updates to the operating system

b. Protecting against buffer overflows

c. Configuring operating system protections


Managing Operating System Updates


1. The task of writing a secure operating system is daunting. As operating systems have grown in length and complexity, unintentional vulnerabilities have been introduced into them and then exploited by attackers.



2. A security patch is a general software security update intended to cover vulnerabilities that have been discovered. A hotfix addresses a specific customer situation and often may not be distributed outside that customer’s organization.


3. A service pack is a cumulative package of all security updates plus additional features.


4. Patch management techniques:

a. Install updates automatically

b. Download updates but let me choose whether to install them

c. Check for updates but let me choose whether to download and install them

d. Never check for updates


5. Patches can sometimes create new problems.


6. An automated patch update service is used to manage patches locally instead of relying upon the vendor’s online update service.



7. Advantages of an automated patch update service:

a. Can save bandwidth and time

b. Computers that do not have Internet access can receive updates

c. Administrators can approve or decline updates for client systems, force updates to install by a specific date, and obtain reports on what updates each computer needs

d. Specific types of updates that the organization does not test can be automatically installed whenever they become available

e. Administrators can approve updates for “detection” only

f. Users cannot disable or circumvent updates





Buffer Overflow Protection


1. A buffer overflow occurs when a process attempts to store data in random access memory (RAM) beyond the boundaries of a fixed-length storage buffer. This extra data overflows into the adjacent memory locations and under certain conditions may cause the computer to stop functioning.


2. Attackers use a buffer overflow in order to compromise a computer.



3. Basic defenses against buffer overflow attacks:

a. Write “defensive” program code that will protect against these attacks

b. Use a programming language that makes these attacks more difficult


4. For Windows-based systems there are two defenses against buffer overflows:

a. Data execution prevention (DEP)

b. Address space layout randomization (ASLR)


5. Most modern CPUs support an NX (No eXecute) bit that designates a part of memory as containing only data. DEP will not allow code in that memory area to be executed.


6. Windows Vista allows software developers to enable NX hardware protection specifically for the application software that they develop.



7. Address Space Layout Randomization (ASLR) randomly assigns executable operating system code to one of 256 possible locations in memory. This makes it harder for an attacker to locate and take advantage of any functionality inside these executables.


8. ASLR is most effective when it is used in conjunction with DEP.


Configuring Operating System Protection


1. Tasks involved in configuring operating system protections:

a. Security policy

b. Configuration baseline

c. Security template

d. Deployment




Preventing Attacks that Target the Web Browser


1. Attacks involve using cookies, JavaScript, Java, ActiveX, and cross-site scripting.


Cookies


1. Cookies are computer files that contain user-specific information.


2. Types of cookies:

a. First-party cookie



b. Third-party cookie


3. Cookies can pose a privacy risk because they can be used to track the browsing or buying habits of a user.


4. Defenses against cookies include disabling the creation of cookies or deleting them once they are created.


JavaScript


1. JavaScript is a scripting language developed by Netscape that does not create standalone applications.


2. A scripting language is a computer programming language that is typically interpreted into a language the computer can understand.


3. Some of the defense mechanisms that prevent JavaScript programs from causing serious harm:

a. JavaScript does not support certain capabilities

b. JavaScript has no networking capabilities


4. JavaScript programs can capture and send user information without the user’s knowledge or authorization.


5. The defense against JavaScript is to disable it within the Web browser.



Java


1. Java is a complete object-oriented programming language created by Sun Microsystems that can be used to create standalone applications.


2. A Java applet is a separate program stored on a Web server and downloaded onto a user’s computer along with HTML code. Note that Java applets can be hostile programs.



3. A sandbox is a defense against a hostile Java applet. It surrounds a program and keeps it away from private data and other resources on a local computer.


4. Two types of Java applets:

a. Unsigned Java applet: a program that does not come from a trusted source

b. Signed Java applet: has information proving the program is from a trusted source and has not been altered



ActiveX


1. ActiveX is a set of technologies developed by Microsoft. ActiveX is not a programming language but a set of rules for how applications should share information.




2. ActiveX controls, also called add-ons or ActiveX applications, are a specific way of implementing ActiveX.


3. An ActiveX control can perform many of the same functions as a Java applet, but does not run in a sandbox. It also has full access to the Windows operating system.


4. ActiveX poses a number of security concerns.


5. Nearly all ActiveX control security mechanisms are set in Internet Explorer. ActiveX controls do not rely exclusively on Internet Explorer, but can be installed and executed independently.


6. The defense against ActiveX is to disable it within the Web browser.


Cross Site Scripting (XSS)


1. Cross Site Scripting (XSS) is an attack in which malicious code is inserted into a specific type of dynamic Web page. It typically involves client-side scripts written in JavaScript that are designed to extract information from the victim and then pass that information to the attacker.


2. XSS attacks are targeted at Web sites that dynamically generate Web pages that redisplay (echo) user input that has not been properly validated.


3. Defenses against XSS involve both the Webmasters of legitimate sites and users. Webmasters should check that all user input is validated and that attackers do not have the ability to inject code. They should also be sure that all Web services and database software is patched to prevent XSS. Users should never click on embedded links in e-mails.
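Added example (Python, not from the book): the "echo user input" pattern that XSS targets, next to the two Webmaster defenses named above, output encoding with html.escape and allow-list validation. The search-page template, the allow-list policy and the sample inputs are constructed for this example.

```python
import html
import re

# Constructed sample inputs, as a search page that redisplays the query
# string would receive them (constructed for this example, not from the text).
SAMPLE_INPUTS = [
    "network security",
    "<script>alert(1)</script>",
    'Tom "O\'Brien" <tom@example.com>',
]

# Assumed page template: the user's term is echoed back into the HTML.
PAGE = "<html><body><p>You searched for: {term}</p></body></html>"


def render_unsafe(term: str) -> str:
    """The pattern XSS targets: user input echoed into the page verbatim."""
    return PAGE.format(term=term)


def render_escaped(term: str) -> str:
    """Output encoding: every character HTML could read as markup becomes
    an entity, so the browser displays the input as text, not as code."""
    return PAGE.format(term=html.escape(term, quote=True))


# Allow-list validation for a field with a known shape (assumed policy for
# this example: letters, digits, spaces and a few punctuation marks).
_SEARCH_TERM = re.compile(r"[A-Za-z0-9 .,'\-]{1,64}")


def is_valid_search_term(term: str) -> bool:
    return _SEARCH_TERM.fullmatch(term) is not None


def contains_markup(rendered: str, term: str) -> bool:
    """Did the raw input survive into the page unchanged? Only meaningful
    when the input itself carries '<' or '>'."""
    return ("<" in term or ">" in term) and term in rendered


if __name__ == "__main__":
    for term in SAMPLE_INPUTS:
        print(f"input: {term!r}")
        print(f"  valid per allow-list : {is_valid_search_term(term)}")
        print(f"  raw input in unsafe  : {contains_markup(render_unsafe(term), term)}")
        print(f"  raw input in escaped : {contains_markup(render_escaped(term), term)}")
```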



Hardening Web Servers


1. Because of their open exposure, Web servers are prime targets for attackers.


2. SQL (structured query language) is a language used to view and manipulate data that is stored in a relational database.


3. An SQL injection attack hinges on an attacker being able to enter an SQL database query into a dynamic Web page.


4. Variations of the SQL injection attack include the following:

a. Deleting data from the database

b. Accessing the host operating system through function calls

c. Retrieving a list of all usernames and passwords
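Added example (Python with the standard sqlite3 module, not from the book): the same user lookup written by pasting the Web form value into the query text and written as a parameterized query, run against a constructed two-row users table, to show why the parameterized form stops the "retrieve every row" variation listed above.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory database with constructed sample rows (not from the text)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "hash-of-alice-pw"), ("bob", "hash-of-bob-pw")],
    )
    return conn


def lookup_unsafe(conn: sqlite3.Connection, username: str) -> list:
    """The vulnerable pattern: the form value is pasted into the SQL text,
    so the input can change the structure of the query itself."""
    query = f"SELECT username, password_hash FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def lookup_safe(conn: sqlite3.Connection, username: str) -> list:
    """Parameterized query: the value is bound separately from the SQL text
    and is never parsed as SQL, whatever characters it contains."""
    query = "SELECT username, password_hash FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


# Constructed input of the kind the chapter describes: it closes the quoted
# string and appends a condition that is always true.
INJECTED = "x' OR '1'='1"


def compare(username: str) -> dict:
    """Row counts each lookup returns for the same input."""
    conn = make_db()
    return {"unsafe": len(lookup_unsafe(conn, username)),
            "safe": len(lookup_safe(conn, username))}


if __name__ == "__main__":
    print("normal input :", compare("alice"))   # both find exactly one row
    print("injected     :", compare(INJECTED))  # unsafe returns every row, safe returns none
```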






Protecting Systems from Communications-Based Attacks


1. Communications protocols and applications can also be vectors for attacks. Some of the most common communications-based attacks are:

a. SMTP open relays

b. Instant messaging

c. Peer-to-peer networks


SMTP Open Relays


1. E-mail systems use two Transmission Control Protocol/Internet Protocol (TCP/IP) protocols to send and receive messages. The Simple Mail Transfer Protocol (SMTP) handles outgoing mail, while the Post Office Protocol (POP, more commonly known as POP3 for the current version) is responsible for incoming mail.


2. IMAP (Internet Mail Access Protocol) is a more advanced protocol that solves many e-mail problems. With IMAP, an e-mail remains on the e-mail server. Also, mail can be organized into folders and read from any computer. The current version is IMAP4.


3. SMTP servers can forward e-mail sent from an e-mail client to a remote domain. This is known as SMTP relay. If SMTP relay is not controlled, an attacker can use it to forward thousands of spam e-mail messages. Uncontrolled SMTP relay is known as SMTP open relay.


4. Defenses against SMTP open relay are to turn off mail relay altogether, so that all users send and receive e-mail from the local SMTP server only, or to limit relays to local users only.
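Added example (Python, not from the book): a relay decision for a single RCPT TO that implements the two defenses just listed. It assumes a constructed set of local domains and a session flag saying whether the client authenticated as a local user.

```python
from dataclasses import dataclass
from typing import Tuple

# Assumed site configuration for this example (not from the original text).
LOCAL_DOMAINS = {"example.com", "mail.example.com"}


@dataclass
class Session:
    """What the SMTP server knows about a connection at RCPT TO time."""
    authenticated: bool   # client logged in as a local user (SMTP AUTH)
    mail_from: str        # envelope sender
    rcpt_to: str          # envelope recipient


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def relay_decision(session: Session, relay_enabled: bool = True) -> Tuple[bool, str]:
    """Return (accept, reason) for one recipient.

    Delivery to a local mailbox is always accepted; that is not relaying.
    Relaying to a remote domain is accepted only for authenticated local
    users (the "limit relays to local users" defense), or never when
    relaying is switched off (the "turn off mail relay" defense). Anything
    else is the open-relay case: an outside sender to an outside recipient.
    """
    if domain_of(session.rcpt_to) in LOCAL_DOMAINS:
        return True, "local delivery"
    if not relay_enabled:
        return False, "relaying disabled"
    if session.authenticated and domain_of(session.mail_from) in LOCAL_DOMAINS:
        return True, "relay for authenticated local user"
    return False, "relay denied: unauthenticated sender to remote domain"


if __name__ == "__main__":
    # Constructed sessions: inbound mail, outbound mail, and the open-relay case.
    for s in [
        Session(False, "friend@remote.net", "alice@example.com"),
        Session(True, "alice@example.com", "friend@remote.net"),
        Session(False, "sender@anywhere.org", "someone@elsewhere.net"),
    ]:
        print(s.mail_from, "->", s.rcpt_to, relay_decision(s))
```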



Instant Messaging


1. Instant messaging (IM) is real-time communication between two or more users. IM can also be used to chat between several users simultaneously, to send and receive files, and to receive real-time stock quotes and news.


2. Basic IM has several security vulnerabilities. IM provides a direct connection to the user’s computer; attackers can use this connection to spread viruses and worms. IM is not encrypted by default, so attackers could view the content of messages.


3. Steps to secure IM include the following:

a. Keep the IM server within the organization’s firewall and only permit users to send and receive messages with trusted internal workers

b. Enable IM virus scanning

c. Block all IM file transfers

d. Encrypt messages


Peer-to-Peer (P2P) Networks




1. A peer-to-peer (P2P) network uses a direct connection between users. It does not have servers, so each device simultaneously functions as both a client and a server to all other devices connected to the network.


2. P2P networks are typically used for connecting devices on an ad hoc basis for file sharing of audio, video, and data, or real-time data transmission such as telephony traffic.


3. Viruses, worms, Trojan horses, and spyware can be sent using P2P.


4. A new type of P2P network is known as BitTorrent.


5. Torrents are active Internet connections that download a specific file that is available through a tracker, which is a server program operated by the person or organization that wants to share the file. With BitTorrent, files are advertised.


6. BitTorrent cannot be used to spread viruses or malware like traditional P2P networks.



Applying Software Security Applications


1. Software security applications that are commonly installed on systems include antivirus, anti-spam, popup blockers, personal software firewalls, and host intrusion detection systems.


Antivirus


1. Antivirus (AV) software scans a computer for infections as well as monitors computer activity and scans all new documents, such as e-mail attachments, that might contain a virus.


2. If a virus is detected, options generally include cleaning the file of the virus, quarantining the infected file, or deleting the file.


3. The drawback of AV software is that it must be continuously updated to recognize new viruses. AV software uses definition files or signature files.


Popup Blockers


1. A popup is a small Web browser window that appears over the Web site that is being viewed.


2. A popup blocker allows the user to limit or block most popups. It can be either a separate program or a feature incorporated within a browser.



3. As a separate program, popup blockers are often part of a package known as antispyware that helps prevent computers from becoming infected by different types of spyware.





Anti-Spam


1. Two options for installing a corporate spam filter:

a. Install the spam filter with the SMTP server

b. Install the spam filter with the POP3 server


2. Another way to filter spam is for the organization to contract with a third-party entity that filters out spam.


3. All e-mail is directed to the third party’s remote spam filter, where it is cleansed before it is redirected back to the organization. This can be accomplished by changing the MX (mail exchange) record.


4. A third method is to filter spam on the local computer. Typically, the e-mail client contains several different features to block spam, such as the following:

a. Level of junk e-mail protection

b. Blocked senders

c. Allowed senders

d. Blocked top-level domain list


5. A final method of spam filtering is to install separate filtering software that works with the e-mail client software.




Personal Software Firewalls


1. A firewall, sometimes called a packet filter, is designed to prevent malicious packets from entering or leaving computers. It can be software-based or hardware-based.


2. A personal software firewall runs as a program on a local system to protect it against attacks.


3. Many operating systems now come with personal software firewalls, or they can be installed as separate programs.



Host Intrusion Detection Systems (HIDS)


1. Host Intrusion Detection Systems (HIDS) attempt to monitor and possibly prevent attempts to intrude into a system and network resources. HIDS are software-based and run on a local computer.


2. Four HIDS groups:

a. File system monitors

b. Logfile analyzers

c. Connection analyzers

d. Kernel analyzers




3. HIDS work on the principle of comparing new behavior against normal behavior.
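Added example (Python, not from the book): a file system monitor of the kind listed in the first HIDS group, which records a baseline of SHA-256 digests as the "normal" state and then reports every file added, removed or modified relative to it. The file tree and the simulated changes are constructed in a temporary directory for this example.

```python
import hashlib
import os
import tempfile
from typing import Dict

# Constructed baseline file set for this example (not from the original text).
BASELINE_FILES = {"bin/login": b"original login binary", "etc/passwd": b"root:x:0:0"}


def snapshot(root: str) -> Dict[str, str]:
    """Map each file under root (path relative to root) to its SHA-256 digest."""
    result = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            result[os.path.relpath(full, root).replace(os.sep, "/")] = digest
    return result


def compare(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, list]:
    """The HIDS principle: report every deviation from the known-good baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }


def write_tree(root: str, files: Dict[str, bytes]) -> None:
    """Create (or overwrite) the given relative paths under root."""
    for rel, data in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)


def demo() -> Dict[str, list]:
    """Build the baseline, then simulate a tampered system and diff it."""
    with tempfile.TemporaryDirectory() as root:
        write_tree(root, BASELINE_FILES)
        baseline = snapshot(root)
        # Simulated changes: a replaced binary, a new file, a deleted file.
        write_tree(root, {"bin/login": b"modified login binary", "tmp/dropper": b"x"})
        os.remove(os.path.join(root, "etc", "passwd"))
        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:9}: {paths}")
```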



Key Terms




Active Directory (AD)
Microsoft’s directory service, which is a central database of all network resources and is used to manage the network and provide users with access to resources.

ActiveX
A set of technologies developed by Microsoft that specifies how applications should share information.

ActiveX controls
A specific way of implementing ActiveX; also called add-ons.

add-ons
A specific way of implementing ActiveX; also called ActiveX controls.

Address Space Layout Randomization (ASLR)
A Windows Vista feature that randomly assigns executable operating system code to different possible locations in memory.

antispyware
Software that helps prevent computers from becoming infected by different types of spyware.

antivirus (AV)
Software that can scan a computer for infections as well as monitor computer activity and scan all new documents, such as e-mail attachments, that might contain a virus.

automated patch update service
A locally managed patch update service that is used to distribute patches instead of relying upon the vendor’s online update service.

Bayesian filtering
An advanced method for detecting spam.

BitTorrent
A type of P2P network that maximizes transfer speeds by gathering pieces of a file and downloading them separately.

blacklist
A list of senders from which the user does not want to receive any e-mail.

buffer overflow
A process that attempts to store data in random access memory (RAM) beyond the boundaries of a fixed-length storage buffer.

chat
Instant messaging between several users simultaneously.

configuration baseline
Operating system configuration settings that will be used for each computer in the organization.

cookie
User-specific information stored in a file on the user’s local computer by a Web browser.

cross site scripting (XSS)
Using client-side scripts, typically written in JavaScript, that are designed to extract information from the victim and then pass the information to the attacker.

Data Execution Prevention (DEP)
A Windows feature that uses a CPU’s ability to mark sections of a computer’s memory as exclusively for data and not for code.

definition files
Antivirus update files; also known as signature files.

firewall
Hardware or software designed to prevent malicious packets from entering or leaving computers; sometimes called a packet filter.

first-party cookie
A cookie that is created by the Web site that a user is currently viewing.

Group Policies
A Microsoft Windows feature that provides centralized management and configuration of computers.

Host Intrusion Detection Systems (HIDS)
Software that attempts to monitor and possibly prevent attempts to intrude into a system and network resources.





hotfix
A software update that addresses a specific customer situation and often may not be distributed outside that customer’s organization.

IMAP4
The current version of Internet Mail Access Protocol (IMAP).

input validation
Verifying user input.

instant messaging (IM)
Real-time communication between two or more users.

Internet Mail Access Protocol (IMAP)
An advanced e-mail protocol. IMAP4 is the current version.

Java
A complete object-oriented programming language created by Sun Microsystems; can be used to create standalone applications.

Java applet
A type of smaller Java program.

JavaScript
A scripting language developed by Netscape.

kernel
Part of the operating system that is responsible for managing the system resources.

MX (mail exchange) record
An entry in the Domain Name System (DNS) that identifies the mail server responsible for handling that domain name.

NX (No eXecute)
A bit setting that designates a part of memory to contain only data, not executable code.

packet filter
Another name for a firewall.

patch
A general software security update intended to cover vulnerabilities that have been discovered.

peer-to-peer (P2P) network
A direct connection between users.

personal software firewall
Software that runs as a program on a local system to protect it against attacks.

POP3
The current version of Post Office Protocol (POP).

popup
A small Web browser window that appears over the Web site that is being viewed.

popup blocker
Either a separate program or a feature incorporated within a browser to stop popups.

Post Office Protocol (POP)
The TCP/IP protocol that handles incoming mail. POP3 is the current version.

sandbox
A restrictive fence that surrounds a Java program and keeps it away from private data and other resources on a local computer.

scripting language
A computer programming language that is typically interpreted into a language the computer can understand without the need of a compiler.

security policy
A document or series of documents that clearly defines the defense mechanisms an organization will employ in order to keep information secure.

security template
A method to configure a suite of configuration baseline security settings.

service pack
A cumulative package of all security updates plus additional features.

signature files
Antivirus update files; also known as definition files.

signed Java applet
A Java applet from a trusted source.

Simple Mail Transfer Protocol (SMTP)
The TCP/IP protocol that handles outgoing mail.

SMTP open relay
An uncontrolled SMTP relay.

SMTP relay
Forwarding e-mail sent from an e-mail client to a remote domain through an SMTP server.

snap-in
A software module that provides administrative capabilities for a device.

SQL injection
An injection attack that uses Structured Query Language.

swarm
Downloading parts of a BitTorrent file simultaneously from multiple users.





third-party cookie
A cookie that is used by a Web site other than the site that created it.

Torrents
Active Internet connections that download a specific file through BitTorrent.

tracker
A server program operated by the person or organization who wants to share a BitTorrent file.

unsigned Java applet
A Java applet that does not come from a trusted source.