
Application Security

E.R. Ramesh, M.C.A., M.Sc., M.B.A.

Unit - 3 Application Security

Threats and Countermeasures

Overview: Anatomy of an attack
o Survey and Assess
o Exploit and Penetrate
o Escalate Privileges
o Maintain Access
o Deny Service
Understanding Threat Categories
o STRIDE
o STRIDE Threats and Countermeasures
Network Threats and Countermeasures
o Information Gathering
o Sniffing
o Spoofing
o Session Hijacking
o Denial of Service


Host Threats and Countermeasures
o Viruses, Trojan Horses and Worms
o Foot printing
o Password cracking
o Denial of Service
o Arbitrary Code execution
o Unauthorized Access
Application Threats and Countermeasures
o Input validation
o Buffer overflows
o Cross-site Scripting
o SQL Injection
o Canonicalization
Authentication
o Network Eavesdropping
o Brute Force Attacks
o Dictionary Attacks
o Cookie Replay Attacks
o Credential Theft
Authorization
o Elevation of Privilege
o Disclosure of confidential data
o Data tampering
o Luring attacks
Configuration Management
o Unauthorized Access to Administration Interfaces
o Unauthorized Access to Configuration Stores
o Retrieval of Plaintext Configuration Secrets
o Lack of Individual Accountability
o Over-privileged Application and Service Accounts
Sensitive Data
o Access to Sensitive Data in Storage
o Network Eavesdropping
o Data Tampering
Session Management
o Session Hijacking
o Session Replay
o Man in the Middle Attacks
Cryptography
o Poor Key Generation or Key Management
o Weak or Custom Encryption
o Checksum Spoofing
Parameter Manipulation
o Query String Manipulation
o Form Field Manipulation
o Cookie Manipulation
o HTTP Header Manipulation
Exception Management
o Attacker Reveals Implementation Details
o Denial of Service
Auditing and Logging
o User Denies Performing an Operation
o Attackers Exploit an Application Without Leaving a Trace
o Attackers Covers their tracks

Introduction

• Many organizations are attacked for sensitive data or ransom, and hackers are consistently working on new malware and cyber attack techniques to find loopholes in current cyber security standards.

• Hence, every organization is prone to cyber threats.

• To prevent these attacks, organizations must first understand the anatomy of a cyber attack and the motives behind it.

Steps in Anatomy of Cyber attack

• Reconnaissance
• Scanning
• Access and Escalation
• Exfiltration
• Sustainment
• Assault
• Obfuscation

Reconnaissance

• Before launching an attack, hackers first identify a vulnerable target and explore the best ways to exploit it. The initial target can be anyone in an organization, whether an executive or an admin.

• The attackers simply need a single point of entrance to start. Targeted phishing emails are common in this step as an effective method of distributing malware.


Scanning

• Once the target is identified, the next step is to identify a weak point that allows the attackers to gain access.

• This is usually accomplished by scanning an organization’s network – with tools easily found on the Internet – to find entry points.

• This step of the process normally goes slowly, sometimes lasting months, as the attackers search for vulnerabilities.


Access and Escalation

• Now that weaknesses in the target network are identified, the next step in the cyber attack is to gain access and then escalate.

• In almost all such cases, privileged access is needed because it allows the attackers to move freely within the environment. Rainbow tables and similar tools help intruders steal credentials, escalate privileges to admin, and then get into any system on the network that is accessible via the administrator account.

• Once the attackers gain elevated privileges, the network is taken over and is now “owned” by the intruders.

Exfiltration

• With the freedom to move around the network, the attackers can access systems with an organization’s most sensitive data – and extract it at will.

• But stealing private data is not the only action intruders can take. They can also change or erase files on compromised systems.


Sustainment

• The attackers have now gained unrestricted access throughout the target network. Next is sustainment, or staying in place quietly.

• To accomplish this, the hackers may secretly install malicious programs such as rootkits. This allows them to return whenever they want.

• And with the elevated privileges acquired earlier, dependence on a single access point is no longer necessary. The attackers can come and go as they please.


Assault

• Fortunately, this step is not taken in every cyber attack, because the assault is the stage of an attack when things become particularly nasty.

• This is when the hackers might alter the functionality of the victim’s hardware, or disable the hardware. The Stuxnet attack on Iran’s critical infrastructure is a classic example. During the assault phase, the attack ceases to be stealthy.

• However, the attackers have already taken control of the environment, so it is generally too late for the breached organization to defend itself.

Obfuscation

• Usually the attackers want to hide their tracks, but this is not universally the case – especially if the hackers want to leave a “calling card” behind to boast about their exploits.

• The purpose of trail obfuscation is to confuse, disorientate and divert the forensic examination process.

• Trail obfuscation covers a variety of techniques and tools including log cleaners, spoofing, misinformation, zombied accounts, trojan commands, and more.

Protection from Cyber Attacks

• Understanding the motive behind Cyber Attacks

• Preventing the Organization from Cyber Attacks

• Creating damage reduction and recovery strategies


Understanding the motive behind Cyber Attacks

• To effectively protect your organization from cyber attacks, it is essential to understand the motive behind cyber attacks.

• The motives of a hacker can help find flaws in the anatomy of a cyber attack.


Preventing the Organization from Cyber Attacks

• To protect the organization, business leaders such as CIOs and CTOs need to hire skilled cyber security professionals.

• Cyber security experts spend years in researching and studying the anatomy of a cyber attack, and they know how to prevent or at least minimize the impact of cyber attacks.

• Cyber security experts can maintain the security standards in your organization through multiple steps and measures such as the following:


• Cyber security experts test the systems and the network for vulnerabilities and fix them pre-emptively.

• Intrusion prevention technology is capable of detecting reconnaissance attempts, and URL filtering and reputation-based security services can block suspicious links that may contain viruses or malware.

• Cyber security experts install firewalls and malware scanners to block malware and viruses. Malware is constantly redesigned by attackers to avoid being detected by traditional signature-based systems. Hence, advanced persistent threat protection needs to be used to detect malware based on its behaviour.

• Organizations need to pay close attention to outgoing traffic and apply egress filtering to monitor and restrict it.

• Cyber security experts must conduct regular audits of hardware and software to monitor the health and security strength of their IT systems.

• Organizations should consider training employees and educating them about cyber attacks as one of their top priorities.


Creating damage reduction and recovery strategies

• Organizations have to realize that even after following all the security protocols, hackers can still attack their networks and systems.

• With the help of cyber security experts, organizations can analyze the anatomy of a cyber attack to find flaws in the attacks, and exploit those weaknesses to reduce the damage.

• Various organizations only plan for protection from cyber threats, completely avoiding recovery mechanisms, which can lead to dire consequences in case of an attack.


• To reduce the damage from cyber attacks, organizations should consider the following steps:

• The first step would be encrypting all the data that your organization owns. Even if an attacker infiltrates the network, decrypting the data will need hours, which may buy some time for the security experts to find the source of the attack.

• Organizations must adopt a two-factor authentication system, as passwords can get leaked easily. With two-factor authentication, the attacker cannot access the data even after acquiring the leaked passwords.


• For better data loss prevention, cyber security systems should set up alerts for outgoing data. The alerts can notify the organization that its data is being stolen after a breach.

• Hackers control the compromised systems and networks with malware-based communication channels. Hence, blocking outgoing command and control connections can effectively stop outgoing malware communication.

Applying modern technologies for better Cyber Security

• Artificial intelligence is playing a pivotal role in cyber security. Machine learning has the ability to analyze the anatomy of a cyber attack and learn from the behaviour patterns of malware.

• Moreover, artificial intelligence can automate threat detection and data recovery mechanisms. Hence, AI-powered applications can find security threats and implement recovery strategies more efficiently when compared to conventional software-based solutions.

• Big players such as Microsoft, Google, Palo Alto Networks, Fortinet and Cisco Systems are already developing cyber security solutions using artificial intelligence and machine learning.

• With the exponential development of artificial intelligence, numerous security software products have started adopting machine learning to provide more effective cyber security solutions.

• Likewise, blockchain technology has the potential to improve cyber security. Blockchain can effectively detect a data breach, and disrupt the process that forms the anatomy of a cyber attack.
• With blockchain, organizations can distribute their data over the network, which will simplify the process of data recovery, and the changes in data would be transparent.

• Hence, if the data is altered or deleted, tracking the changes will be an easy process. Furthermore, multiple cyber security firms are working on developing blockchain-powered security solutions for mainstream applications.

• For example, Acronis, a cyber security organization, is applying blockchain technology to generate a cryptographic hash that is unique for every data file. The hash can be used to verify the authenticity of every file.
• And it is almost impossible for a hacker to compute the cryptographic hash. Thus, AI and blockchain are revolutionizing the cyber security landscape.

• Although the technology and methods to fight cyber attacks are getting better, hackers are also developing their techniques to execute stronger attacks. And with new malware and ransomware being developed, these attacks can lead to bigger data breaches than any we’ve seen before.

• Hence, organizations need to become aware of the anatomy of a cyber attack to be able to tackle cyber security issues better.
Basic steps in Attacker Methodology

• By understanding the basic approach used by attackers to target your Web application, you will be better equipped to take defensive measures because you will know what you are up against.

• The basic steps in attacker methodology are summarized below and illustrated in the next slide:

• Survey and assess
• Exploit and penetrate
• Escalate privileges
• Maintain access
• Deny service
Basic steps for attacking methodology (figure)

Survey and Assess

• The first step an attacker usually takes is to survey the potential target to identify and assess its characteristics. These characteristics may include its supported services and protocols together with potential vulnerabilities and entry points.

• The attacker uses the information gathered in the survey and assess phase to plan an initial attack. For example, an attacker can detect a cross-site scripting (XSS) vulnerability by testing to see if any controls in a Web page echo back output.


Exploit and Penetrate

• Having surveyed a potential target, the next step is to exploit and penetrate. If the network and host are fully secured, your application (the front gate) becomes the next channel for attack.

• For an attacker, the easiest way into an application is through the same entrance that legitimate users use—for example, through the application’s logon page or a page that does not require authentication.


Escalate Privileges

• After attackers manage to compromise an application or network, perhaps by injecting code into an application or creating an authenticated session with the Microsoft® Windows® 2000 operating system, they immediately attempt to escalate privileges.

• Specifically, they look for administration privileges provided by accounts that are members of the Administrators group. They also seek out the high level of privileges offered by the local system account.

• Using least privileged service accounts throughout your application is a primary defense against privilege escalation attacks. Also, many network level privilege escalation attacks require an interactive logon session.


Maintain Access

• Having gained access to a system, an attacker takes steps to make future access easier and to cover his or her tracks. Common approaches for making future access easier include planting back-door programs or using an existing account that lacks strong protection.

• Covering tracks typically involves clearing logs and hiding tools. As such, audit logs are a primary target for the attacker. Log files should be secured, and they should be analyzed on a regular basis. Log file analysis can often uncover the early signs of an attempted break-in before damage is done.

Deny service

• Attackers who cannot gain access often mount a denial of service attack to prevent others from using the application. For other attackers, the denial of service option is their goal from the outset.

• An example is the SYN flood attack, where the attacker uses a program to send a flood of TCP SYN requests to fill the pending connection queue on the server.

• This prevents other users from establishing network connections.
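The SYN flood described above leaves a visible trace on the server: a pending-connection queue full of half-open (SYN-RECV) entries. The following detector, an added example that is not part of the slides, parses a constructed snapshot of connection states (in the spirit of `ss -tan` output) and flags a listening port whose half-open backlog is large, spread over many peers, and out of proportion to its established connections; the thresholds are constructed and must be tuned to the server's real backlog size.

```python
"""SYN flood detection from a snapshot of server connection states.

Added example, not code from the slides. Input lines are constructed in the
form "<state> <local_ip:port> <peer_ip:port>". A SYN flood shows up as a
pile of half-open (SYN-RECV) entries on one listening port, spread over
many peer addresses, with few established connections to go with them.
"""
from collections import Counter, defaultdict

# Constructed sample: port 443 is being flooded, port 22 sees normal use.
SAMPLE_SNAPSHOT = """\
SYN-RECV 10.0.0.5:443 198.51.100.7:40001
SYN-RECV 10.0.0.5:443 198.51.100.8:40002
SYN-RECV 10.0.0.5:443 198.51.100.9:40003
SYN-RECV 10.0.0.5:443 203.0.113.4:40004
SYN-RECV 10.0.0.5:443 203.0.113.5:40005
SYN-RECV 10.0.0.5:443 203.0.113.6:40006
ESTAB 10.0.0.5:443 192.0.2.10:51000
SYN-RECV 10.0.0.5:22 192.0.2.11:51001
ESTAB 10.0.0.5:22 192.0.2.12:51002
ESTAB 10.0.0.5:22 192.0.2.13:51003
"""


def parse_snapshot(text):
    """Return (state, local_port, peer_ip) tuples; malformed lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        state, local, peer = parts
        try:
            local_port = int(local.rsplit(":", 1)[1])
        except (IndexError, ValueError):
            continue
        peer_ip = peer.rsplit(":", 1)[0]
        rows.append((state, local_port, peer_ip))
    return rows


def port_stats(rows):
    """Per local port: (half-open count, established count, distinct half-open peers)."""
    half_open = Counter()
    established = Counter()
    peers = defaultdict(set)
    for state, port, peer_ip in rows:
        if state == "SYN-RECV":
            half_open[port] += 1
            peers[port].add(peer_ip)
        elif state == "ESTAB":
            established[port] += 1
    ports = set(half_open) | set(established)
    return {p: (half_open[p], established[p], len(peers[p])) for p in ports}


def syn_flood_alerts(rows, max_half_open=5, ratio=3.0):
    """Flag ports whose half-open backlog exceeds max_half_open and is at
    least `ratio` times the established count. Both thresholds are
    constructed; tune them to the listener's real backlog size."""
    alerts = []
    for port, (half, estab, distinct) in sorted(port_stats(rows).items()):
        if half > max_half_open and half >= ratio * max(estab, 1):
            alerts.append({"port": port, "half_open": half,
                           "established": estab, "distinct_peers": distinct})
    return alerts


if __name__ == "__main__":
    for alert in syn_flood_alerts(parse_snapshot(SAMPLE_SNAPSHOT)):
        print(f"possible SYN flood on port {alert['port']}: "
              f"{alert['half_open']} half-open from {alert['distinct_peers']} peers, "
              f"{alert['established']} established")
```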
STRIDE

• Threats faced by the application can be categorized based on the goals and purposes of the attacks.

• A working knowledge of these categories of threats can help you organize a security strategy so that you have planned responses to threats.

• STRIDE is the acronym used at Microsoft to categorize different threat types.

• STRIDE stands for: Spoofing, Tampering, Repudiation, Information disclosure, Denial of Service, Elevation of privilege.

Spoofing

• Spoofing is attempting to gain access to a system by using a false identity. This can be accomplished using stolen user credentials or a false IP address. After the attacker successfully gains access as a legitimate user or host, elevation of privileges or abuse using authorization can begin.

Tampering

• Tampering is the unauthorized modification of data, for example as it flows over a network between two computers.


Repudiation

• Repudiation is the ability of users (legitimate or otherwise) to deny that they performed specific actions or transactions. Without adequate auditing, repudiation attacks are difficult to prove.

Information disclosure

• Information disclosure is the unwanted exposure of private data. For example, a user views the contents of a table or file he or she is not authorized to open, or monitors data passed in plaintext over a network.

• Some examples of information disclosure vulnerabilities include the use of hidden form fields, comments embedded in Web pages that contain database connection strings and connection details, and weak exception handling that can lead to internal system level details being revealed to the client. Any of this information can be very useful to the attacker.

Denial of service

• Denial of service is the process of making a system or application unavailable. For example, a denial of service attack might be accomplished by bombarding a server with requests to consume all available system resources or by passing it malformed input data that can crash an application process.

Elevation of privilege

• Elevation of privilege occurs when a user with limited privileges assumes the identity of a privileged user to gain privileged access to an application.

• For example, an attacker with limited privileges might elevate his or her privilege level to compromise and take control of a highly privileged and trusted process or account.

STRIDE – Threats and Countermeasures (figure)
Network Threats and Countermeasures

Introduction

• The primary components that make up your network infrastructure are routers, firewalls, and switches. They act as the gate keepers guarding your servers and applications from attacks and intrusions.

• An attacker may exploit poorly configured network devices. Common vulnerabilities include weak default installation settings, wide open access controls, and devices lacking the latest security patches.

• Top network level threats include:

• Information gathering

• Sniffing

• Spoofing

• Session hijacking

• Denial of service

Information gathering

• Network devices can be discovered and profiled in much the same way as other types of systems. Attackers usually start with port scanning.

• After they identify open ports, they use banner grabbing and enumeration to detect device types and to determine operating system and application versions.

• Armed with this information, an attacker can attack known vulnerabilities on devices that have not been updated with security patches. Countermeasures to prevent information gathering include:
• Configure routers to restrict their responses to footprinting requests.

• Configure operating systems that host network software (for example, software firewalls) to prevent footprinting by disabling unused protocols and unnecessary ports.

Sniffing Attacks

• A sniffing attack means capturing data packets as they flow through a computer network. A packet sniffer is the device or software used to carry out the attack; packet sniffers are also called network protocol analyzers.

• Unless the packets are encrypted with strong network security, any hacker might steal the data and analyze it. There are different packet sniffers such as Wireshark, Dsniff, Etherpeek etc.

Types of Sniffing Attacks

There are various types of sniffing attack such as –

• LAN Sniff – The sniffer attacks the internal LAN and scans the entire IP range, gaining access to live hosts, open ports, server inventory etc. Port-specific vulnerability attacks happen in LAN sniffing.

• Protocol Sniff – The sniffer attack occurs based on the network protocol used. Different protocols such as ICMP, UDP, Telnet, PPP, DNS etc. or other protocols might be targeted.

• ARP Sniff – ARP poisoning or packet spoofing attacks are mounted using the captured data to build a map of IP addresses and their associated MAC addresses.

• TCP Session stealing – TCP session stealing is used to monitor and acquire traffic details between the source and destination IP addresses. All details such as port numbers, service type, TCP sequence numbers, and data are stolen by the hackers.

• Application level sniffing – Applications running on the server are sniffed to plan an application-specific attack.

• Web password sniffing – HTTP sessions created by users are stolen by sniffers to get the user ID, password and other sensitive information.

Tools used for Packet sniffing

• Wireshark – Widely used network protocol analyzer to monitor the network and packet flows in it. It is free and works on multiple platforms.

• Tcpdump – It has less security risk and requires few resources. On Windows it runs as WinDump.

• Dsniff – Used to sniff different protocols on UNIX and Linux systems only, to sniff and reveal passwords.

• NetworkMiner – Makes network analysis simple, detecting hosts and open ports through packet sniffing. It can operate offline.

• Kismet – Specifically used to sniff wireless networks, even hidden networks and SSIDs. KisMac is used for the Mac OS X environment.

• There are various other packet sniffing tools such as EtherApe, Fiddler, OmniPeek, PRTG Network Monitor and so on.

Sniffing Detection and Prevention techniques

• Detecting sniffers can be difficult since they are mostly passive (they only collect data), especially on a shared Ethernet.

• When the sniffer is operating on a switched Ethernet segment it is easier to detect, using the following techniques:

• Ping method – Send a ping request to the IP address of the suspected machine; a machine running a sniffer may respond to the ping if it is still running. It is not a strongly reliable method.

• ARP method – Machines always capture and cache ARP replies. Upon sending a non-broadcast ARP, the sniffing (promiscuous) machine will cache it and then respond to our broadcast ping.

• On Local Host – Logs can be used to find whether the machine is running a sniffer or not.

• Latency method – Ping round-trip time is used to detect sniffing; it is generally short, but if the machine is heavily loaded by a sniffer it takes longer to reply to pings.

• ARP Watch – Used to trigger alarms when it sees a duplicate entry in the ARP cache.

• Using IDS – Intrusion detection systems monitor for ARP spoofing in the network. They record packets on the network with spoofed ARP addresses.

• The better way to prevent sniffing is the usage of encryption tools, adding the MAC address of the gateway permanently (statically) to the ARP cache, switching to SSH and HTTPS instead of HTTP, and so on.
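The ARP Watch and IDS entries above both come down to keeping a table of which MAC has answered for which IP and alarming when that changes. The following is an added example, not code from the slides or from the ARP Watch tool: it keeps that table over a constructed sequence of ARP replies, alarms when a known IP suddenly answers from a different MAC or one MAC starts claiming several IPs, and pins the gateway's MAC statically as the slide recommends; the addresses and the static entry are constructed.

```python
"""ARP watch: alarm on the IP-to-MAC changes an ARP poisoning attack causes.

Added example, not code from the slides. It keeps the table an ARP-watch
tool keeps (IP -> MAC as last seen on the wire), alarms when a known IP
suddenly answers from a different MAC, alarms when one MAC starts claiming
several IPs, and pins the gateway's MAC statically as the slide recommends.
"""
from collections import defaultdict

# Constructed ARP replies, "ip mac", in the order seen on the wire.
# Line 3 is a forged reply for the gateway; line 5 shows the same forged
# MAC now also claiming another host.
SAMPLE_ARP_REPLIES = """\
192.168.1.1 aa:bb:cc:00:00:01
192.168.1.20 aa:bb:cc:00:00:20
192.168.1.1 aa:bb:cc:00:00:99
192.168.1.20 aa:bb:cc:00:00:20
192.168.1.30 aa:bb:cc:00:00:99
"""

# Constructed static entry: the gateway's real MAC, pinned in advance.
STATIC_ENTRIES = {"192.168.1.1": "aa:bb:cc:00:00:01"}


class ArpWatch:
    def __init__(self, static_entries=None):
        self.static = {ip: mac.lower() for ip, mac in (static_entries or {}).items()}
        self.seen = {}                      # ip -> MAC last accepted for it
        self.ips_by_mac = defaultdict(set)  # mac -> IPs it has claimed

    def observe(self, ip, mac):
        """Record one ARP reply; return the alarms it triggers (possibly none)."""
        mac = mac.lower()
        alarms = []
        pinned = self.static.get(ip)
        if pinned is not None and mac != pinned:
            alarms.append(f"static entry violated: {ip} claimed by {mac}, pinned to {pinned}")
        elif ip in self.seen and self.seen[ip] != mac:
            alarms.append(f"mapping changed: {ip} was {self.seen[ip]}, now {mac}")
        self.ips_by_mac[mac].add(ip)
        if len(self.ips_by_mac[mac]) > 1:
            # Heuristic: a router or a host with address aliases can legitimately
            # own several IPs, so a production tool keeps an allow list here.
            alarms.append(f"one MAC claims several IPs: {mac} -> {sorted(self.ips_by_mac[mac])}")
        # A pinned entry is never overwritten by what the wire says.
        self.seen[ip] = pinned if pinned is not None else mac
        return alarms


def watch_replies(text, static_entries=None):
    """Feed "ip mac" lines through ArpWatch; return (line_number, alarm) pairs."""
    watch = ArpWatch(static_entries)
    found = []
    for number, line in enumerate(text.splitlines(), start=1):
        parts = line.split()
        if len(parts) != 2:
            continue
        for alarm in watch.observe(*parts):
            found.append((number, alarm))
    return found


if __name__ == "__main__":
    for number, alarm in watch_replies(SAMPLE_ARP_REPLIES, STATIC_ENTRIES):
        print(f"reply {number}: {alarm}")
```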

Spoofing Attacks

Spoofing

• A spoofing attack is when a malicious party impersonates another device or user on a network in order to launch attacks against network hosts, steal data, spread malware or bypass access controls.

• There are several different types of spoofing attacks that malicious parties can use to accomplish this. Some of the most common methods include IP address spoofing attacks, ARP spoofing attacks and DNS server spoofing attacks.


ARP Spoofing Attacks

• ARP is short for Address Resolution Protocol, a protocol that is used to resolve IP addresses to MAC (Media Access Control) addresses for transmitting data.

• In an ARP spoofing attack, a malicious party sends spoofed ARP messages across a local area network in order to link the attacker’s MAC address with the IP address of a legitimate member of the network.

• This type of spoofing attack results in data that is intended for the host’s IP address getting sent to the attacker instead.
• Malicious parties commonly use ARP spoofing to steal information, modify data in transit or stop traffic on a LAN. Normally, your computer communicates with a wireless router on a private network: emails, searches, you name it.

• With address resolution protocol (ARP) spoofing, the attacker “sits” (quietly) on the network too, attempting to crack the network’s IP address. Once in, using spoofing techniques, the hacker plays both roles: you and the router.

• The attacker intercepts—and yes, even modifies or stops—information to and from your computer and the router. Unless you use ARP spoofing detection software, you most likely aren’t aware that this malicious activity is happening.

• To overwhelm your system and cause a shutdown, the attacker may mix up and direct several IP addresses to you. These denial-of-service (DoS) attacks can crash business servers and potentially suspend operations. Unfortunately, such attacks are frequent.

• As many as one-third of networks suffered at least one DoS attack within the last two years, according to a 2017 study. ARP spoofing attacks can also be used to facilitate other types of attacks, including denial-of-service, session hijacking and man-in-the-middle attacks.

• ARP spoofing only works on local area networks that use the Address Resolution Protocol. Routinely checking your website’s stats for unexpected traffic spikes and paying attention to multiple “service unavailable” messages can help you predict possible DoS attacks.

IP Spoofing

• IP address spoofing is one of the most frequently used spoofing attack methods. In an IP address spoofing attack, an attacker sends IP packets from a false (or “spoofed”) source address in order to disguise itself.

• Denial-of-service attacks often use IP spoofing to overload networks and devices with packets that appear to be from legitimate source IP addresses. There are two ways that IP spoofing attacks can be used to overload targets with traffic.

• One method is to simply flood a selected target with packets from multiple spoofed addresses. This method works by directly sending a victim more data than it can handle. The other method is to spoof the target’s IP address and send packets from that address to many different recipients on the network.

• When another machine receives a packet, it will automatically transmit a packet to the sender in response. Since the spoofed packets appear to be sent from the target’s IP address, all responses to the spoofed packets will be sent to (and flood) the target’s IP address.
• IP spoofing attacks can also be used to bypass IP address-based authentication. This process can be very difficult and is primarily used when trust relationships are in place between machines on a network and internal systems.

• Trust relationships use IP addresses (rather than user logins) to verify machines’ identities when they attempt to access systems. This enables malicious parties to use spoofing attacks to impersonate machines with access permissions and bypass trust-based network security measures.


DNS Server Spoofing Attacks

• The Domain Name System (DNS) is a system that associates domain names with IP addresses.

• Devices that connect to the internet or other private networks rely on the DNS for resolving URLs, email addresses and other human-readable domain names into their corresponding IP addresses.

• In a DNS server spoofing attack, a malicious party modifies the DNS server in order to reroute a specific domain name to a different IP address.
• In many cases, the new IP address will be for a server that is actually controlled by the attacker and contains files infected with malware.

• DNS server spoofing attacks are often used to spread computer worms and viruses.

Spoofing Attack Prevention and Mitigation

• There are many tools and practices that organizations can employ to reduce the threat of spoofing attacks. Common measures that organizations can take for spoofing attack prevention include:

Packet filtering:

• Packet filters inspect packets as they are transmitted across a network. Packet filters are useful in IP address spoofing attack prevention because they are capable of filtering out and blocking packets with conflicting source address information (packets from outside the network that show source addresses from inside the network, and vice versa).
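The packet-filter rule just described, as an added example that is not code from the slides: a packet arriving on the outside interface must not carry an inside source address, and a packet leaving from the inside interface must not carry an outside source address (the egress half is what stops a local host from taking part in the reflection-style flood described under IP spoofing). The internal address ranges and the sample packets are constructed.

```python
"""Anti-spoofing packet filter: drop packets whose source address conflicts
with the interface they arrived on.

Added example, not code from the slides. Ingress rule: a packet coming in
from outside must not claim an inside source address. Egress rule: a packet
going out from inside must not claim an outside source address. Sources
that can never legitimately send on the wire are dropped on either side.
"""
import ipaddress

# Constructed: the address ranges this organization uses internally.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]


def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)


def filter_packet(direction, src, dst):
    """direction is 'inbound' (arrived on the outside interface) or
    'outbound' (leaving from the inside interface). Returns (verdict, reason)."""
    if direction not in ("inbound", "outbound"):
        raise ValueError(f"unknown direction {direction!r}")
    try:
        source = ipaddress.ip_address(src)
        ipaddress.ip_address(dst)  # validated only; the rules key on the source
    except ValueError:
        return "drop", "unparseable address"
    if source.is_loopback or source.is_unspecified or source.is_multicast:
        return "drop", f"{src} can never be a legitimate sender on the wire"
    if direction == "inbound" and is_internal(source):
        return "drop", f"inside source {src} arrived on the outside interface (spoofed)"
    if direction == "outbound" and not is_internal(source):
        return "drop", f"outside source {src} leaving the inside interface (spoofed)"
    return "accept", "source address is consistent with the interface"


# Constructed packets: (direction, src, dst).
SAMPLE_PACKETS = [
    ("inbound", "203.0.113.9", "10.0.0.5"),        # normal inbound
    ("inbound", "10.0.0.7", "10.0.0.5"),           # outside packet claiming an inside source
    ("outbound", "192.168.4.2", "198.51.100.1"),   # normal outbound
    ("outbound", "198.51.100.1", "203.0.113.9"),   # inside host forging an outside source
    ("inbound", "127.0.0.1", "10.0.0.5"),          # loopback source seen on the wire
    ("inbound", "not-an-ip", "10.0.0.5"),          # garbage
]


def apply_filter(packets):
    """Return (src, verdict) for each packet, in order."""
    return [(src, filter_packet(direction, src, dst)[0]) for direction, src, dst in packets]


if __name__ == "__main__":
    for direction, src, dst in SAMPLE_PACKETS:
        verdict, reason = filter_packet(direction, src, dst)
        print(f"{direction:8} {src:>14} -> {dst:<14} {verdict:6} {reason}")
```

A filter like this only catches source addresses that are impossible on the interface they arrived on; an outside attacker forging another outside address passes it, which is why the slides list packet filtering alongside the other measures rather than on its own.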

Avoid trust relationships:

• Organizations should develop protocols that rely on trust


relationships as little as possible. It is significantly easier for
attackers to run spoofing attacks when trust relationships are
in place because trust relationships only use IP addresses for
authentication.

Spoofing Attack Prevention and Mitigation

Use spoofing detection software:

• There are many programs available that help organizations detect spoofing attacks, particularly ARP spoofing. These programs work by inspecting and certifying data before it is transmitted and blocking data that appears to be spoofed.

Use cryptographic network protocols:

• Transport Layer Security (TLS), Secure Shell (SSH), HTTP Secure (HTTPS) and other secure communications protocols bolster spoofing attack prevention efforts by encrypting data before it is sent and authenticating data as it is received.
Session Hijacking

• Session hijacking is the act of taking control of a user session after successfully obtaining or generating an authentication session ID.

• Session hijacking involves an attacker using captured, brute-forced or reverse-engineered session IDs to seize control of a legitimate user's Web application session while that session is still in progress.

• A session is a series of interactions between two communication end points that occurs during the span of a single connection.

Session Hijacking

• When a user logs into an application, a session is created on the server in order to maintain state for other requests originating from the same user.

• Applications use sessions to store parameters which are relevant to the user. The session is kept "alive" on the server as long as the user is logged on to the system. The session is destroyed when the user logs out of the system or after a predefined period of inactivity.

• When the session is destroyed, the user's data should also be deleted from the allocated memory space. Hijacking at the network layer captures TCP and UDP sessions.
Session Hijacking

• When a TCP session is seized between two systems, it is known as TCP hijacking. The problem is that authentication only occurs at the initial level, which helps hackers to gain access to a machine.

• UDP session hijacking is easier to execute than TCP session hijacking, since UDP does not provide synchronization and packet sequencing. Therefore, a hijacker may simply forge the server's UDP reply before the genuine response arrives.

Countermeasures

Countermeasures to help prevent session hijacking include:

o Use encrypted session negotiation.

o Use encrypted communication channels.

o Stay informed of platform patches to fix TCP/IP vulnerabilities, such as predictable packet sequences.

Denial of Service

• Denial of service denies legitimate users access to a server or services. The SYN flood attack is a common example of a network-level denial of service attack. It is easy to launch and difficult to track.

• The aim of the attack is to send more requests to a server than it can handle. The attack exploits a potential vulnerability in the TCP/IP connection establishment mechanism and floods the server's pending connection queue.

Countermeasures

Countermeasures to prevent denial of service include:

• Apply the latest service packs.

• Harden the TCP/IP stack by applying the appropriate registry settings to increase the size of the TCP connection queue, decrease the connection establishment period, and employ dynamic backlog mechanisms to ensure that the connection queue is never exhausted.

• Use a network Intrusion Detection System (IDS) because these can automatically detect and respond to SYN attacks.

Host and Application Threats

Introduction

• Host threats are directed at the system software upon which your applications are built. Top host-level threats include:

o Viruses, Trojan horses, and worms
o Footprinting
o Profiling
o Password cracking
o Denial of service
o Arbitrary code execution
o Unauthorized access

Viruses, Trojan horses and Worms

Countermeasures

• Stay current with the latest operating system service packs and software patches.

• Block all unnecessary ports at the firewall and host.

• Disable unused functionality including protocols and services.

• Harden weak, default configuration settings.

Footprinting

• Footprinting is the first and most convenient way that hackers use to gather information about computer systems and the companies they belong to.

• The purpose of footprinting is to learn as much as you can about a system, its remote access capabilities, its ports and services, and the aspects of its security.

• Examples of footprinting are port scans, ping sweeps, and NetBIOS enumeration that can be used by attackers to glean valuable system-level information to help prepare for more significant attacks.

Footprinting

• The type of information potentially revealed by footprinting includes account details, operating system and other software versions, server names, and database schema details.

• Footprinting helps to:

Know Security Posture -

• The data gathered will help us to get an overview of the security posture of the company, such as details about the presence of a firewall, security configurations of applications, etc.

Footprinting

Reduce Attack Area -

• Can identify a specific range of systems and concentrate on particular targets only. This will greatly reduce the number of systems we are focusing on.

Identify Vulnerabilities -

• We can build an information database containing the vulnerabilities, threats and loopholes present in the systems of the target organization.

Footprinting

Draw Network Map -

• Helps to draw a network map of the networks in the target organization covering topology, trusted routers, presence of servers and other information.

Countermeasures

• Disable unnecessary protocols.

• Lock down ports with the appropriate firewall configuration.

• Use TCP/IP and IPSec filters for defense in depth.

• Configure IIS to prevent information disclosure through banner grabbing.

• Use an IDS that can be configured to pick up footprinting patterns and reject suspicious traffic.

Password Cracking

• If the attacker cannot establish an anonymous connection with the server, he or she will try to establish an authenticated connection. For this, the attacker must know a valid username and password combination.

• If you use default account names, you are giving the attacker a head start. Then the attacker only has to crack the account's password.

• The use of blank or weak passwords makes the attacker's job even easier.

Countermeasures

• Use strong passwords for all account types.

• Apply lockout policies to end-user accounts to limit the number of retry attempts that can be used to guess the password.

• Do not use default account names, and rename standard accounts such as the administrator's account and the anonymous Internet user account used by many Web applications.

• Audit failed logins for patterns of password hacking attempts.

Denial of Service

• Denial of service can be attained by many methods aimed at several targets within your infrastructure.

• At the host, an attacker can disrupt service by brute force against your application, or an attacker may know of a vulnerability that exists in the service your application is hosted in or in the operating system that runs your server.

Countermeasures

• Configure your applications, services, and operating system with denial of service in mind.
• Stay current with patches and security updates.
• Harden the TCP/IP stack against denial of service.
• Make sure your account lockout policies cannot be exploited to lock out well-known service accounts.
• Make sure your application is capable of handling high volumes of traffic and that thresholds are in place to handle abnormally high loads.
• Review your application's failover functionality.
• Use an IDS that can detect potential denial of service attacks.

Arbitrary code execution

• If an attacker can execute malicious code on your server, the attacker can either compromise server resources or mount further attacks against downstream systems.

• The risks posed by arbitrary code execution increase if the server process under which the attacker's code runs is over-privileged.

• Common vulnerabilities include weak IIS configuration and unpatched servers that allow path traversal and buffer overflow attacks, both of which can lead to arbitrary code execution.

Countermeasures

• Configure IIS to reject URLs with "../" to prevent path traversal.

• Lock down system commands and utilities with restricted ACLs.

• Stay current with patches and updates to ensure that newly discovered buffer overflows are speedily patched.

Unauthorized access

• Inadequate access controls could allow an unauthorized user to access restricted information or perform restricted operations.

• Common vulnerabilities include weak IIS Web access controls, including Web permissions, and weak NTFS permissions.

Countermeasures

• Configure secure Web permissions.

• Lock down files and folders with restricted NTFS permissions.

• Use .NET Framework access control mechanisms within your ASP.NET applications, including URL authorization and principal permission demands.

Application Threats

• A good way to analyze application-level threats is to organize them by application vulnerability category.

• The various categories used in the subsequent sections of this module and throughout the guidance, together with the main threats to your application, are summarized in the table on the next slide.

Application Threats
Application
Input validation Security

• Input validation is a security issue if an attacker discovers that


your application makes unfounded assumptions about the
type, length, format, or range of input data. The attacker can
then supply carefully crafted input that compromises your
application.

• When network and host level entry points are fully secured;
the public interfaces exposed by your application become the
only source of attack.

• The input to your application is a means to both test your


system and a way to execute code on an attacker’s behalf.
Does your application blindly trust input? If it does, your
application may be susceptible to the following:
Input validation

• Does your application blindly trust input?

• If it does, your application may be susceptible to the following:

o Buffer overflows
o Cross-site scripting
o SQL injection
o Canonicalization

Buffer overflows

• A buffer overflow happens when a program tries to fill a block of memory (a memory buffer) with more data than the buffer was supposed to hold.

• By sending suitably crafted user inputs to a vulnerable application, attackers can force the application to execute arbitrary code to take control of the machine or crash the system.

• Buffer overflow vulnerabilities are caused by programmer mistakes that are easy to understand but much harder to avoid and protect against.

Buffer overflows

• Buffer overflow vulnerabilities can lead to denial of service attacks or code injection.

• A denial of service attack causes a process crash; code injection alters the program execution address to run an attacker's injected code.

Countermeasures

Countermeasures to help prevent buffer overflows include:

• Perform thorough input validation. This is the first line of defense against buffer overflows. Although a bug may exist in your application that permits expected input to reach beyond the bounds of a container, unexpected input will be the primary cause of this vulnerability. Constrain input by validating it for type, length, format and range.

• When possible, limit your application's use of unmanaged code, and thoroughly inspect the unmanaged APIs to ensure that input is properly validated.

Countermeasures

• Inspect the managed code that calls the unmanaged API to ensure that only appropriate values can be passed as parameters to the unmanaged API.

• Use the /GS flag to compile code developed with the Microsoft Visual C++® development system. The /GS flag causes the compiler to inject security checks into the compiled code. This is not a fail-proof solution or a replacement for your specific validation code; it does, however, protect your code from commonly known buffer overflow attacks.

Example of Code Injection Through Buffer Overflows:


Countermeasures

• An attacker can exploit a buffer overflow vulnerability to inject code. With this attack, a malicious user exploits an unchecked buffer in a process by supplying a carefully constructed input value that overwrites the program's stack and alters a function's return address.

• This causes execution to jump to the attacker's injected code. The attacker's code usually ends up running under the process security context. This emphasizes the importance of using least privileged process accounts.

• If the current thread is impersonating, the attacker's code ends up running under the security context defined by the thread impersonation token.
Countermeasures

• The first thing an attacker usually does is call the RevertToSelf API to revert to the process-level security context, which the attacker hopes has higher privileges.

• Make sure you validate input for type and length, especially before you call unmanaged code, because unmanaged code is particularly susceptible to buffer overflows.

Cross-site Scripting

• An XSS attack can cause arbitrary code to run in a user's browser while the browser is connected to a trusted Web site.

• The attack targets your application's users and not the application itself, but it uses your application as the vehicle for the attack.

• Because the script code is downloaded by the browser from a trusted site, the browser has no way of knowing that the code is not legitimate. Internet Explorer security zones provide no defense.

Cross-site Scripting

• Since the attacker's code has access to the cookies associated with the trusted site that are stored on the user's local computer, a user's authentication cookies are typically the target of attack.

Examples of Cross-site Scripting

• To initiate the attack, the attacker must convince the user to click on a carefully crafted hyperlink, for example, by embedding a link in an email sent to the user or by adding a malicious link to a newsgroup posting. The link points to a vulnerable page in your application that echoes the unvalidated input back to the browser in the HTML output stream. For example, consider the following two links.

Here is a legitimate link:

• www.yourwebapplication.com/logon.aspx?username=bob

Here is a malicious link:

• www.yourwebapplication.com/logon.aspx?username=
Examples of Cross-site Scripting

• If the Web application takes the query string, fails to properly validate it, and then returns it to the browser, the script code executes in the browser.

• The preceding example displays a harmless pop-up message. With the appropriate script, the attacker can easily extract the user's authentication cookie, post it to his site, and subsequently make a request to the target Web site as the authenticated user.

Countermeasures

• Perform thorough input validation. Your applications must ensure that input from query strings, form fields, and cookies is valid for the application. Consider all user input as possibly malicious, and filter or sanitize it for the context of the downstream code.

• Validate all input for known valid values and then reject all other input. Use regular expressions to validate input data received via HTML form fields, cookies, and query strings.

• Use HTMLEncode and URLEncode functions to encode any output that includes user input. This converts executable script into harmless HTML.
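The two countermeasures above (allow-list validation with a regular expression, then HTML/URL encoding on output) applied to the logon.aspx username link from the previous slides, as an added example that is not from the original slides. The username pattern, the render functions and the script payload standing in for the truncated malicious link are assumptions made for this example.

```python
import html
import re
from urllib.parse import parse_qs, quote, urlsplit

# Allow-list for the username parameter: accept known-good values only and
# reject everything else (the pattern is an assumption for this example).
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")


def username_from_url(url: str) -> str:
    """Pull the username query-string value out of a logon.aspx-style link."""
    query = urlsplit(url).query
    return parse_qs(query, keep_blank_values=True).get("username", [""])[0]


def is_valid_username(value: str) -> bool:
    return USERNAME_RE.fullmatch(value) is not None


def render_unsafe(username: str) -> str:
    # Vulnerable pattern: the query-string value is echoed straight into the
    # HTML output stream, so any markup in it is interpreted by the browser.
    return f"<p>Welcome, {username}</p>"


def render_safe(username: str) -> str:
    # Countermeasure: HTML-encode the value before output. '<', '>', '&' and
    # quotes become character references, which the browser displays as text.
    return f"<p>Welcome, {html.escape(username, quote=True)}</p>"


def profile_link(username: str) -> str:
    # When user input lands inside a URL, URL-encode it for that context; the
    # attribute value is then HTML-encoded as well (encode once per layer).
    encoded = quote(username, safe="")
    return f'<a href="/profile.aspx?user={html.escape(encoded, quote=True)}">profile</a>'


def handle_logon(url: str) -> str:
    """Validate first, then encode on output; both layers are needed."""
    username = username_from_url(url)
    if not is_valid_username(username):
        # Known-bad input never reaches the page; serve a fixed error instead.
        return "<p>Invalid user name.</p>"
    return render_safe(username)


if __name__ == "__main__":
    legit = "http://www.yourwebapplication.com/logon.aspx?username=bob"
    # Constructed payload standing in for the truncated link on the slide.
    hostile = "http://www.yourwebapplication.com/logon.aspx?username=<script>alert(1)</script>"
    print(render_unsafe(username_from_url(hostile)))   # script element left intact
    print(render_safe(username_from_url(hostile)))     # script element neutralised
    print(handle_logon(legit), handle_logon(hostile))
```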
SQL Injection

• A SQL injection attack exploits vulnerabilities in input validation to run arbitrary commands in the database. It can occur when your application uses input to construct dynamic SQL statements to access the database.

• It can also occur if your code uses stored procedures that are passed strings that contain unfiltered user input. Using the SQL injection attack, the attacker can execute arbitrary commands in the database.

• The issue is magnified if the application uses an over-privileged account to connect to the database.

SQL Injection

• In this instance it is possible to use the database server to run operating system commands and potentially compromise other servers, in addition to being able to retrieve, manipulate, and destroy data.

Example of SQL Injection

• Your application may be susceptible to SQL injection attacks when you incorporate unvalidated user input into database queries. Particularly susceptible is code that constructs dynamic SQL statements with unfiltered user input.

Consider the following code:

SqlDataAdapter myCommand = new SqlDataAdapter(
    "SELECT * FROM Users WHERE UserName ='" + txtuid.Text + "'", conn);
Example of SQL Injection

• Attackers can inject SQL by terminating the intended SQL statement with the single quote character followed by a semicolon character to begin a new command, and then executing the command of their choice.

• Consider the following character string entered into the txtuid field:

'; DROP TABLE Customers--
Example of SQL Injection

'; DROP TABLE Customers--

This results in the following statement being submitted to the database for execution:

SELECT * FROM Users WHERE UserName=''; DROP TABLE Customers --'

• This deletes the Customers table, assuming that the application's login has sufficient permissions in the database (another reason to use a least privileged login in the database). The double dash (--) denotes a SQL comment and is used to comment out any other characters added by the programmer, such as the trailing quote.
Example of SQL Injection

• Note: The semicolon is not actually required. SQL Server will execute two commands separated by spaces. Other more subtle tricks can be performed.

• Supplying this input to the txtuid field:

' OR 1=1--

• builds this command:

SELECT * FROM Users WHERE UserName='' OR 1=1--

• Because 1=1 is always true, the attacker retrieves every row of data from the Users table.
Countermeasures

• Perform thorough input validation. Your application should validate its input prior to sending a request to the database.

• Use parameterized stored procedures for database access to ensure that input strings are not treated as executable statements. If you cannot use stored procedures, use SQL parameters when you build SQL commands.

• Use least privileged accounts to connect to the database.
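The dynamic SQL from the SqlDataAdapter sample beside its parameterized form, run against the `' OR 1=1--` input from the previous slides, as an added example that is not from the original slides. It uses an in-memory SQLite database with a constructed Users table, and the allow-list pattern for txtuid is an assumed policy for this example.

```python
import re
import sqlite3

UID_RE = re.compile(r"[A-Za-z0-9_]{1,32}")  # allow-list for txtuid (assumed policy)


def make_db() -> sqlite3.Connection:
    """Constructed in-memory Users table standing in for the application's DB."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (UserName TEXT PRIMARY KEY, Email TEXT)")
    conn.executemany("INSERT INTO Users VALUES (?, ?)",
                     [("bob", "bob@example.com"), ("alice", "alice@example.com")])
    return conn


def find_user_dynamic(conn: sqlite3.Connection, txtuid: str) -> list:
    # Vulnerable: the same concatenation as the SqlDataAdapter sample on the slide.
    # The input becomes part of the SQL text, so a quote ends the string literal
    # and "--" comments out the programmer's trailing quote.
    sql = "SELECT * FROM Users WHERE UserName ='" + txtuid + "'"
    return conn.execute(sql).fetchall()


def find_user_parameterized(conn: sqlite3.Connection, txtuid: str) -> list:
    # Countermeasure: a SQL parameter. The statement text is fixed; the value is
    # passed separately and can only ever be compared as data.
    return conn.execute("SELECT * FROM Users WHERE UserName = ?", (txtuid,)).fetchall()


def is_valid_uid(txtuid: str) -> bool:
    return UID_RE.fullmatch(txtuid) is not None


def find_user_validated(conn: sqlite3.Connection, txtuid: str) -> list:
    # Defense in depth: validate the input before it reaches the database at
    # all, then still use a parameter for the query.
    if not is_valid_uid(txtuid):
        raise ValueError("invalid user name")
    return find_user_parameterized(conn, txtuid)


def compare(txtuid: str) -> tuple:
    """Row counts returned by the vulnerable and the parameterized query."""
    conn = make_db()
    return len(find_user_dynamic(conn, txtuid)), len(find_user_parameterized(conn, txtuid))


if __name__ == "__main__":
    payload = "' OR 1=1--"   # the tautology input shown on the slide
    print("dynamic vs parameterized, row counts:", compare(payload))   # (2, 0)
    print("validated lookup:", find_user_validated(make_db(), "bob"))
    print("payload passes validation?", is_valid_uid(payload))         # False
```

The stacked `'; DROP TABLE Customers--` input from the slide is not reproduced here because the sqlite3 module refuses to execute more than one statement per call; the tautology input is enough to show the difference.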

Canonicalization

• Canonicalization is the process by which the different forms of an input that resolve to the same standard name (the canonical name) are reduced to that name. Code is particularly susceptible to canonicalization issues if it makes security decisions based on the name of a resource that is passed to the program as input.

• Files, paths, and URLs are resource types that are vulnerable to canonicalization issues because in each case there are many different ways to represent the same name. File names are also problematic.

• For example, a single file could be represented as:

Canonicalization

• c:\temp\somefile.dat
• somefile.dat
• c:\temp\subdir\..\somefile.dat
• c:\ temp\ somefile.dat
• ..\somefile.dat

• Ideally, your code does not accept input file names. If it does, the name should be converted to its canonical form prior to making security decisions, such as whether access should be granted or denied to the specified file.
Countermeasures

• Avoid input file names where possible and instead use absolute file paths that cannot be changed by the end user. Make sure that file names are well formed (if you must accept file names as input) and validate them within the context of your application.

• For example, check that they are within your application's directory hierarchy. Ensure that the character encoding is set correctly to limit how input can be represented.

• Check that your application's Web.config has set the requestEncoding and responseEncoding attributes on the <globalization> element.
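Canonicalizing a user-supplied file name before the access decision, and then checking that it stays inside the application's directory hierarchy, as an added example that is not from the original slides. The base directory, the sample names and the well-formedness pattern are constructed for this example; it uses POSIX-style paths (forward slashes) so it runs anywhere, while the idea is the same as for the c:\temp spellings listed above.

```python
import os
import re
from typing import Optional

# Well-formed file name: one path component, no separators, no leading dot
# (assumed policy for this example; adjust to the application's needs).
SAFE_NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}")


def is_well_formed(name: str) -> bool:
    return SAFE_NAME_RE.fullmatch(name) is not None


def canonical_relative_path(base_dir: str, user_name: str) -> Optional[str]:
    """Canonicalize base_dir/user_name and return it relative to base_dir.

    Returns None if the canonical path lies outside base_dir. realpath()
    collapses '.', '..' and doubled separators and resolves symbolic links, so
    every spelling of the same file compares equal before the access decision.
    """
    base = os.path.realpath(base_dir)
    # os.path.join discards base_dir when user_name is absolute, which is
    # exactly why the result must be re-checked against base afterwards.
    candidate = os.path.realpath(os.path.join(base, user_name))
    if candidate == base:
        return None            # the directory itself, not a file
    # A plain startswith(base) test is wrong: "/srv/app-data" starts with
    # "/srv/app". Require the separator right after the base directory.
    if not candidate.startswith(base + os.sep):
        return None
    return os.path.relpath(candidate, base)


def authorize_file(base_dir: str, user_name: str) -> Optional[str]:
    """Combined check: decide on the canonical form, then reject malformed names."""
    rel = canonical_relative_path(base_dir, user_name)
    if rel is None or not is_well_formed(os.path.basename(rel)):
        return None
    return rel


if __name__ == "__main__":
    base = "/srv/app/data"    # constructed application directory
    for name in ["somefile.dat", "subdir/../somefile.dat", "../somefile.dat",
                 "subdir//other.dat", "/etc/hosts", ".hidden"]:
        print(f"{name!r:28} -> {authorize_file(base, name)!r}")
```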

Authentication and Authorization

• Depending on your requirements, there are several available authentication mechanisms to choose from.

• If they are not correctly chosen and implemented, the authentication mechanism can expose vulnerabilities that attackers can exploit to gain access to your system.

• The top threats that exploit authentication vulnerabilities include:

o Network eavesdropping
o Brute force attacks
o Dictionary attacks
o Cookie replay attacks
o Credential theft
Network Eavesdropping

• If authentication credentials are passed in plaintext from client to server, an attacker armed with rudimentary network monitoring software on a host on the same network can capture traffic and obtain user names and passwords.

Countermeasures

• Use authentication mechanisms that do not transmit the password over the network, such as the Kerberos protocol or Windows authentication.

• Make sure passwords are encrypted (if you must transmit passwords over the network) or use an encrypted communication channel, for example with SSL/TLS.
Brute Force Attacks

• Brute force attacks rely on computational power to crack hashed passwords or other secrets secured with hashing and encryption. To mitigate the risk, use strong passwords.

Dictionary Attacks

• This attack is used to obtain passwords. Most password systems do not store plaintext passwords or encrypted passwords. They avoid encrypted passwords because a compromised key leads to the compromise of all passwords in the data store.

• Lost keys mean that all passwords are invalidated. Most user store implementations hold password hashes (or digests). Users are authenticated by re-computing the hash based on the user-supplied password value and comparing it against the hash value stored in the database.

• If an attacker manages to obtain the list of hashed passwords, a brute force attack can be used to crack the password hashes.
Dictionary Attacks

• With the dictionary attack, an attacker uses a program to iterate through all of the words in a dictionary (or multiple dictionaries in different languages) and computes the hash for each word.

• The resultant hash is compared with the value in the data store. Weak passwords such as "Yankees" (a favorite team) or "Mustang" (a favorite car) will be cracked quickly. Stronger passwords such as "?You'LlNevaFiNdMeyePasSWerd!" are less likely to be cracked.

• Note: Once the attacker has obtained the list of password hashes, the dictionary attack can be performed offline and does not require interaction with the application.
Dictionary Attacks

Countermeasures to prevent dictionary attacks include:

• Use strong passwords that are complex, are not regular words, and contain a mixture of upper case, lower case, numeric, and special characters.

• Store non-reversible password hashes in the user store. Also combine a salt value (a cryptographically strong random number) with the password hash.

Cookie Replay Attacks

• With this type of attack, the attacker captures the user's authentication cookie using monitoring software and replays it to the application to gain access under a false identity.

Countermeasures to prevent cookie replay include:

• Use an encrypted communication channel provided by SSL whenever an authentication cookie is transmitted.

• Set the cookie timeout to a value that forces authentication after a relatively short time interval.

Cookie Replay Attacks

• Although this doesn't prevent replay attacks, it reduces the time interval in which the attacker can replay a request without being forced to re-authenticate because the session has timed out.

Credential Theft

• If your application implements its own user store containing user account names and passwords, compare its security to the credential stores provided by the platform, for example, a Microsoft Active Directory® directory service or Security Accounts Manager (SAM) user store.

• Browser history and cache also store user login information for future use. If the terminal is accessed by someone other than the user who logged on, and the same page is hit, the saved login will be available.

Credential Theft

Countermeasures to help prevent credential theft include:

• Use and enforce strong passwords.

• Store password verifiers in the form of one-way hashes with added salt.

• Enforce account lockout for end-user accounts after a set number of retry attempts.

• To counter the possibility of the browser cache allowing login access, create functionality that either allows the user to choose not to save credentials, or force this functionality as a default policy.
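Salted one-way password verifiers with account lockout, serving both the dictionary-attack countermeasures (salted, non-reversible hashes) and the credential-theft countermeasures above, as an added example that is not from the original slides. It uses PBKDF2-HMAC-SHA256 from the standard library as the one-way function; the verifier format, the iteration count, the salt size and the lockout threshold are choices made for this example, and the user store is an in-memory dictionary.

```python
import base64
import hashlib
import hmac
import os
from typing import Dict, Optional

DEFAULT_ITERATIONS = 600_000   # PBKDF2 work factor; slows every offline guess
SALT_BYTES = 16
MAX_FAILURES = 5               # account lockout threshold (assumed policy)


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def make_verifier(password: str, iterations: int = DEFAULT_ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Return a self-describing verifier: algorithm$iterations$salt$digest.

    The salt is a fresh random value per user, so identical passwords yield
    different verifiers and a precomputed dictionary of hashes is useless.
    """
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${_b64(salt)}${_b64(digest)}"


def check_password(password: str, verifier: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    algo, iterations, salt_b64, digest_b64 = verifier.split("$")
    if algo != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(expected, actual)


class UserStore:
    """Minimal user store: salted verifiers plus per-account lockout."""

    def __init__(self, iterations: int = DEFAULT_ITERATIONS) -> None:
        self.iterations = iterations
        self.verifiers: Dict[str, str] = {}
        self.failures: Dict[str, int] = {}

    def register(self, username: str, password: str) -> None:
        self.verifiers[username] = make_verifier(password, self.iterations)
        self.failures[username] = 0

    def is_locked(self, username: str) -> bool:
        return self.failures.get(username, 0) >= MAX_FAILURES

    def login(self, username: str, password: str) -> str:
        """Return "OK", "LOCKED" or "DENIED"; unknown and wrong look the same."""
        if username not in self.verifiers:
            return "DENIED"
        if self.is_locked(username):
            return "LOCKED"          # lockout applies even to a correct password
        if check_password(password, self.verifiers[username]):
            self.failures[username] = 0
            return "OK"
        self.failures[username] += 1
        return "LOCKED" if self.is_locked(username) else "DENIED"


def run_login_sequence(username: str, password: str, attempts: list,
                       iterations: int = 1000) -> list:
    """Register one user and return the verdict for each attempt, in order."""
    store = UserStore(iterations)
    store.register(username, password)
    return [store.login(username, attempt) for attempt in attempts]


if __name__ == "__main__":
    store = UserStore()
    store.register("bob", "?You'LlNevaFiNdMeyePasSWerd!")
    store.register("carol", "?You'LlNevaFiNdMeyePasSWerd!")
    # Same password, different salt: the stored verifiers differ.
    print(store.verifiers["bob"] != store.verifiers["carol"])
    print(store.login("bob", "Mustang"), store.login("bob", "?You'LlNevaFiNdMeyePasSWerd!"))
    print(run_login_sequence("dave", "Secret-1", ["bad"] * 5 + ["Secret-1"]))
```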
Authorization

• Based on user identity and role membership, authorization to a particular resource or service is either allowed or denied.

• Top threats that exploit authorization vulnerabilities include:

o Elevation of privilege
o Disclosure of confidential data
o Data tampering
o Luring attacks

Elevation of Privilege

• When you design an authorization model, you must consider the threat of an attacker trying to elevate privileges to a powerful account such as a member of the local administrators group or the local system account.

• By doing this, the attacker is able to take complete control over the application and local machine.

• For example, with classic ASP programming, calling the RevertToSelf API from a component might cause the executing thread to run as the local system account with the most power and privileges on the local machine.

Elevation of Privilege

• The main countermeasure that you can use to prevent elevation of privilege is to use least privileged process, service, and user accounts.

Disclosure of confidential data

• The disclosure of confidential data can occur if sensitive data can be viewed by unauthorized users. Confidential data includes application-specific data such as credit card numbers, employee details, financial records and so on, together with application configuration data such as service account credentials and database connection strings.

• To prevent the disclosure of confidential data you should secure it in persistent stores such as databases and configuration files, and during transit over the network. Only authenticated and authorized users should be able to access the data that is specific to them.

Disclosure of confidential data

• Access to system-level configuration data should be restricted to administrators.

• Countermeasures to prevent disclosure of confidential data include:

o Perform role checks before allowing access to the operations that could potentially reveal sensitive data.
o Use strong ACLs to secure Windows resources.
o Use standard encryption to store sensitive data in configuration files and databases.

Data tampering

• Data tampering refers to the unauthorized modification of data.

Countermeasures to prevent data tampering include:

• Use strong access controls to protect data in persistent stores to ensure that only authorized users can access and modify the data.

• Use role-based security to differentiate between users who can view data and users who can modify data.

Luring Attacks

• A luring attack occurs when an entity with few privileges is able to have an entity with more privileges perform an action on its behalf.

• To counter the threat, you must restrict access to trusted code with the appropriate authorization.

• Using .NET Framework code access security helps in this respect by authorizing calling code whenever a secure resource is accessed or a privileged operation is performed.

Configuration Management

• Many applications support configuration management interfaces and functionality to allow operators and administrators to change configuration parameters, update Web site content, and perform routine maintenance.

Top configuration management threats include:

o Unauthorized access to administration interfaces
o Unauthorized access to configuration stores
o Retrieval of plaintext configuration secrets
o Lack of individual accountability
o Over-privileged process and service accounts

Unauthorized access to administration interfaces

• Administration interfaces are often provided through additional Web pages or separate Web applications that allow administrators, operators, and content developers to manage site content and configuration.

• Administration interfaces such as these should be available only to restricted and authorized users. Malicious users able to access a configuration management function can potentially deface the Web site, access downstream systems and databases, or take the application out of action altogether by corrupting configuration data.

Unauthorized access to administration interfaces

Countermeasures to prevent unauthorized access to administration interfaces include:

• Minimize the number of administration interfaces.

• Use strong authentication, for example, by using certificates.

• Use strong authorization with multiple gatekeepers.

• Consider supporting only local administration.

Unauthorized access to administration interfaces

• If remote administration is absolutely essential, use encrypted channels, for example, with VPN technology or SSL, because of the sensitive nature of the data passed over administrative interfaces.

• To further reduce risk, also consider using IPSec policies to limit remote administration to computers on the internal network.

Unauthorized access to configuration stores

• Because of the sensitive nature of the data maintained in configuration stores, you should ensure that the stores are adequately secured.

Countermeasures to protect configuration stores include:

• Configure restricted ACLs on text-based configuration files such as Machine.config and Web.config.

• Keep custom configuration stores outside of the Web space. This removes the potential to download Web server configurations to exploit their vulnerabilities.

Retrieval of plaintext configuration secrets

• Restricting access to the configuration store is a must. As an important defense in depth mechanism, you should encrypt sensitive data such as passwords and connection strings.

• This helps prevent external attackers from obtaining sensitive configuration data. It also prevents rogue administrators and internal employees from obtaining sensitive details such as database connection strings and account credentials that might allow them to gain access to other systems.
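A check for the two configuration-store countermeasures above (keep stores outside the Web space; encrypt secrets such as connection strings), written as an added example in Python and not taken from the slides or from any Microsoft tool: it parses a constructed Web.config, reports entries that still hold plaintext credentials, and tests whether a custom configuration store path lies under the Web root. The sample config and paths are constructed; a protected section is recognised by the configProtectionProvider attribute that .NET protected configuration adds.

```python
import re
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

# Constructed Web.config (not from the slides). connectionStrings was encrypted
# with .NET protected configuration (aspnet_regiis -pe), which replaces the
# section body with EncryptedData and marks it with configProtectionProvider.
# appSettings was never protected and still carries a plaintext connection string.
SAMPLE_WEB_CONFIG = """<configuration>
  <connectionStrings configProtectionProvider="RsaProtectedConfigurationProvider">
    <EncryptedData xmlns="http://www.w3.org/2001/04/xmlenc#">
      <CipherData><CipherValue>BASE64-PLACEHOLDER</CipherValue></CipherData>
    </EncryptedData>
  </connectionStrings>
  <appSettings>
    <add key="ReportsDb" value="Server=db1;Database=reports;User Id=app;Password=Winter2024!" />
    <add key="PageSize" value="50" />
  </appSettings>
</configuration>
"""

# Key=value fragments that mark credentials inside a connection string.
SECRET_PATTERN = re.compile(r"\b(password|pwd|user id|uid)\s*=", re.IGNORECASE)


def find_plaintext_secrets(config_xml: str) -> list:
    """Return 'section/name' entries whose value still contains credentials.

    Sections carrying configProtectionProvider are encrypted at rest and are
    skipped; every other section is inspected, because encrypting only
    connectionStrings leaves secrets copied into appSettings exposed.
    """
    root = ET.fromstring(config_xml)
    findings = []
    for section in root:
        if section.get("configProtectionProvider"):
            continue
        for add in section.findall("add"):
            value = add.get("connectionString") or add.get("value") or ""
            if SECRET_PATTERN.search(value):
                findings.append(f"{section.tag}/{add.get('name') or add.get('key')}")
    return findings


def config_path_inside_webroot(config_path: str, web_root: str) -> bool:
    """True when a custom configuration store sits under the Web space, where a
    mis-served static file or a path traversal could let it be downloaded."""
    cfg = PureWindowsPath(config_path)
    root = PureWindowsPath(web_root)
    return cfg == root or root in cfg.parents
```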

Lack of individual accountability

• Lack of auditing and logging of changes made to configuration information threatens the ability to identify when changes were made and who made those changes.

• When a breaking change is made, either by an honest operator error or by a malicious change to grant privileged access, action must first be taken to correct the change. Then apply preventive measures to stop breaking changes from being introduced in the same manner.

• Keep in mind that auditing and logging can be circumvented by a shared account; this applies to both administrative and user/application/service accounts.

• Administrative accounts must not be shared. User/application/service accounts must be assigned at a level that allows the identification of a single source of access using the account, and that contains any damage to the privileges granted to that account.

Over-privileged application and service accounts

• If application and service accounts are granted access to change configuration information on the system, they may be manipulated to do so by an attacker.

• The risk of this threat can be mitigated by adopting a policy of using least privileged service and application accounts.

• Be wary of granting accounts the ability to modify their own configuration information unless explicitly required by design.
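An audit-log check that serves both the accountability slides and the over-privileged account slide above, added here as an example and not taken from the slides: it parses constructed configuration-change records and flags changes that cannot be attributed to one person (no actor, or a shared login), changes made by a service account to configuration it should not control, and changes that alter privilege assignments. The log format, the account names and the privileged keys are all assumptions.

```python
import re

# Constructed audit records (not from the slides), one per configuration change,
# as a configuration interface might write them.
AUDIT_LINES = [
    "2024-03-01T10:02:11Z actor=jsmith action=config.update key=MaxUploadMB old=10 new=100",
    "2024-03-01T10:05:40Z actor=admin action=config.update key=AdminGroup old=SiteAdmins new=Everyone",
    "2024-03-01T10:07:02Z actor= action=config.update key=DbConnection old=**** new=****",
    "2024-03-01T10:09:15Z actor=svc_webapp action=config.update key=ServiceAccountRights old=ReadOnly new=Full",
]

# Assumptions: logins known to be shared, the service-account naming prefix,
# and the keys whose change grants or widens access.
SHARED_ACCOUNTS = {"admin", "administrator", "root", "sa"}
SERVICE_ACCOUNT_PREFIX = "svc_"
PRIVILEGE_KEYS = {"AdminGroup", "ServiceAccountRights"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) actor=(?P<actor>\S*) action=(?P<action>\S+) "
    r"key=(?P<key>\S+) old=(?P<old>\S+) new=(?P<new>\S+)$"
)


def parse_record(line: str) -> dict:
    """Split one audit line into its fields; a malformed line is itself worth
    raising, so it fails loudly instead of being skipped silently."""
    match = LINE_RE.match(line)
    if match is None:
        raise ValueError(f"unparseable audit record: {line!r}")
    return match.groupdict()


def accountability_findings(lines) -> list:
    """Return (record index, reason) pairs for changes that lack an individual
    owner or that change who holds privileges."""
    findings = []
    for index, line in enumerate(lines):
        rec = parse_record(line)
        actor = rec["actor"]
        if not actor:
            findings.append((index, "no actor recorded"))
        elif actor in SHARED_ACCOUNTS:
            findings.append((index, f"shared account '{actor}' hides the operator"))
        elif actor.startswith(SERVICE_ACCOUNT_PREFIX):
            findings.append((index, f"service account '{actor}' modified configuration"))
        if rec["key"] in PRIVILEGE_KEYS:
            findings.append((index, f"privilege change {rec['key']}: {rec['old']} -> {rec['new']}"))
    return findings
```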

Sensitive Data

• Sensitive data is subject to a variety of threats. Attacks that attempt to view or modify sensitive data can target persistent data stores and networks.

Top threats to sensitive data include:

o Access to sensitive data in storage
o Network eavesdropping
o Data tampering

Q&A

E.R. Ramesh, M.C.A., M.Sc., M.B.A.,
98410 59353, 98403 50547
[email protected]