application and infrastructure security

Upload: yusifsuleiman

Post on 02-Apr-2018


    7/27/2019 Application and Infrastructure Security 1/36

    YUSIF SULEIMAN [2308-0703-0223]

    CSM201 APPLICATION AND INFRASTRUCTURE SECURITY Page 1

    INTERNATIONAL ADVANCE DIPLOMA IN NETWORK &COMPUTER SECURITY

    APPLICATION AND INFRASTRUCTURE SECURITY (CSM201)

    ASSIGNMENT

    TERM 3 2012

    Student declaration:

    I declare that:

    I understand what is meant by plagiarism.
    The implication of plagiarism has been explained to me by my institution.
    This assignment is all my own work and I have acknowledged any use of the published and unpublished works of other people.

    Student's signature: Date: 29\10\2012

    Total number of pages including this cover page

    Submission Date 06/11/2012 Due Date 13/11/2012

    Student's ID 2308-0703-0223 Class Code GROUP 1

    Student's Full Name Yusif Suleiman

    Lecturer's Name Mr. Bashir

    OFFICIAL USE ONLY

    Marker's comments

    Marker's name Initial mark awarded /100

    Penalty on late submission

    Penalty for plagiarism

    Final mark awarded /100


    Table of Contents

    CONTENT ........ PAGE

    Cover ........ 1
    Table of Contents ........ 2
    List of Figures ........ 3
    List of Tables ........ 3
    1.0 Introduction ........ 5
    1.1 Description of Vulnerabilities ........ 5
        What is Vulnerability ........ 5
        The Web Application Security Gap ........ 5
        How it Affects the System ........ 6
        Top Web Application Vulnerabilities & Security Threats ........ 7
    1.2 Proof of Concept ........ 8
        1.2.1 Cookies Poisoning ........ 7
        1.2.2 Testing for Cookies Poisoning Attribute Vulnerability ........ 8
        1.2.3 Counter Measures for Cookies Poisoning ........ 13
        1.3.1 Brute Force Attack ........ 14
        1.3.2 Counter Measures for Brute Force ........ 19
        1.4.1 Broken Links ........ 20
        1.4.2 Counter Measures for Broken Links ........ 24
    2.1 Explaining Company and Industry ........ 25
    2.2 Existing Application System ........ 25
    2.3 Current Infrastructure used with Diagram ........ 27
    2.4 Defense on Network ........ 28
    2.5 Defense on Host Server ........ 28
        Strong Password
        Perimeter Protection with Firewall
        Intrusion Detection System
        Content filtering
        Antivirus
        Data Encryption
    3.1 CIA Triage ........ 33
    4.1 References ........ 35


    List of Figures and Diagrams

    1. Figure 1.2.1: Entering Web Address ........ 9
    2. Figure 1.2.2: Target ........ 10
    3. Figure 1.2.3: Target Detected ........ 10
    4. Figure 1.2.4: Beginning Web Scan ........ 11
    5. Figure 1.2.5: Vulnerabilities Web Links Shown ........ 11
    6. Figure 1.2.6: Report Generated ........ 12
    7. Figure 1.3.1: Entering Web Address ........ 15
    8. Figure 1.3.2: Finding Target ........ 15
    9. Figure 1.3.3: Login Web Scan ........ 16
    10. Figure 1.3.4: Completing Login Web ........ 16
    11. Figure 1.3.5: Beginning Web Scan ........ 17
    12. Figure 1.3.6: Element of Vulnerabilities ........ 17
    13. Figure 1.3.7: Vulnerabilities Shown ........ 18
    14. Figure 1.3.8: Vulnerabilities Shown as Cookies ........ 18
    15. Figure 1.3.9: Final Report for Cookies ........ 19
    16. Figure 1.4.1: Starting Point ........ 20
    17. Figure 1.4.2: Entering Web Address ........ 21
    18. Figure 1.4.3: Finding Target ........ 21
    19. Figure 1.4.4: Login Web Scan ........ 22
    20. Figure 1.4.5: Scan Began ........ 22
    21. Figure 1.4.6: Vulnerabilities Shown ........ 23
    22. Figure 1.3.7: Definition of Broken Links ........ 23
    23. Figure 1.4.8: Final Report for Broken Links Vulnerability ........ 23
    24. Diagram 2.1: Bank Network Infrastructure ........ 28
    25. Diagram 2.1: CIA Triage ........ 35


    Question 1

    Identify three (3) possible web (or cloud computing based) application vulnerabilities.

    Write a report with the following headings:

    - Description of vulnerabilities
    - Proof of Concept
    - Possible Counter Measures

    Answer

    1.0 INTRODUCTION

    1.1 DESCRIPTION OF VULNERABILITIES

    What is Vulnerability?

    Vulnerability is a flaw or weakness in a system's design, implementation, or operation and management that could be exploited to violate the system's security policy. A threat is a potential attack that, by exploiting a vulnerability, may harm the assets owned by an application (resources of value, such as the data in a database or in the file system). A test is an action that tends to show a vulnerability in the application. A web application vulnerability also refers to a weakness in a custom web application's architecture, design, configuration, or code.

    The Web Application Security Gap (How Does It?)

    - There is a lack of awareness of application vulnerabilities in security departments.
    - Security departments scrutinize the desktop, the network, and even the web servers, but the web application escapes their measures.
    - Even in departments that want to audit for web application vulnerabilities, the lack of effective tools has made it impractical.
    - As a result, Certification and Accreditation programs rarely examine the web application.


    - In fact, the entire development cycle is usually missing from security procedures and controls.
    - This illustrates the fundamental gap between security and development, which creates these web application vulnerabilities.

    Many traditional information security practitioners are ill-equipped to mitigate application security issues:

    - Little to no experience coding
    - No experience coding in modern enterprise environments like .NET and J2EE
    - They understand that there are risks, but are not in a position to address them, or have no resources to manage the issues

    How It Affects the System

    Web application vulnerabilities occur in different areas: the platform, administration and the application.

    - The web server itself is subject to a variety of known vulnerabilities, all of which must be readily patched for.
    - The actual administration and management of the server and its contents is very important.
    - A misconfigured server or poorly managed content can permit system file and source code disclosure.
    - The application itself is of the utmost importance.
    - It too can inadvertently reveal source code and system files, and even allow full system access.
    - It can mistakenly allow replay attacks against your customers.
    - It could allow a hacker to impersonate your customers.
    - In addition, it is the web application that interacts with the database to manage and track customer information and store business and transaction information.
    - One slip-up in the web application can expose the entire system and database, right through a web browser, right over port 80.


    Top Web Application Vulnerabilities and Security Threats

    1. Format String Vulnerabilities

    2. Broken access control

    3. Cookie poisoning

    4. Cross-site scripting (XSS) Flaws

    5. Broken authentication and Access Control

    6. Injection flaws

    7. Buffer overflow

    8. Malicious File Execution

    9. Insecure Direct Object Reference

    10. Cross Site Request Forgery (CSRF)

    11. Information Leakage

    12. Session Management

    13. Insecure Cryptographic Storage

    14. Insecure Communications

    15. Improper error handling

    16. Insecure storage

    17. Application denial-of-service

    18. Insecure configuration management

    19. SQL injection

    20. Parameter tampering

    21. Buffer overflows

    22. Failure to Restrict URL Access

    23. Database Server

    24. Unvalidated input


    1.2 PROOF OF CONCEPT

    I chose to check the following web vulnerabilities for my project:

    - Cookie poisoning: www.copart.com
    - Brute-force attack: www.buk.edu.ng
    - Broken links: www.apple.com

    1.2.1 Cookies Poisoning

    Cookies are often a key attack vector for malicious users (typically targeting other users) and, as such, the application should always take due diligence to protect cookies. The importance of secure use of cookies cannot be understated, especially within dynamic web applications, which need to maintain state across a stateless protocol such as HTTP. To understand the importance of cookies it is imperative to understand what they are primarily used for.

    These primary functions usually consist of being used as a session authorization/authentication token or as a temporary data container. Thus, if an attacker were by some means able to acquire a session token (for example, by exploiting a cross-site scripting vulnerability or by sniffing an unencrypted session), then he/she could use this cookie to hijack a valid session. Additionally, cookies are set to maintain state across multiple requests. Since HTTP is stateless, the server cannot determine if a request it receives is part of a current session or the start of a new session without some type of identifier. This identifier is very commonly a cookie, although other methods are also possible. As you can imagine, there are many different types of applications that need to keep track of session state across multiple requests. The primary one that comes to mind would be an online store. As a user adds multiple items to a shopping cart, this data needs to be retained in subsequent requests to the application. Cookies are very commonly used for this task and are set by the application using the Set-Cookie directive in the application's HTTP response, usually in a name=value format (if cookies are enabled and if they are supported, which is the case for all modern web browsers). Once an application has told the browser to use a particular cookie, the browser will send this cookie in each subsequent request.

    A cookie can contain data such as items from an online shopping cart, the price of these items, the quantity of these items, personal information, user IDs, etc. Due to the sensitive nature of information in cookies, they are typically encoded or encrypted in an attempt to protect the information they contain. Often, multiple cookies will be set (separated by a semicolon) upon subsequent requests. For example, in the case of an online store, a new cookie could be set as you add multiple items to your shopping cart. Additionally, you will typically have a cookie for authentication (session token as indicated above) once you login, and multiple other cookies used


    here that the trailing "/" must be used after myapp. If it is not used, the browser will send the cookie to any path that matches "myapp", such as "myapp-exploited".

    Expires Attribute - Verify that, if this attribute is set to a time in the future, the cookie does not contain any sensitive information. For example, if a cookie is set to "; expires=Fri, 13-Jun-2010 13:45:29 GMT" and it is currently June 10th 2008, then you want to inspect the cookie. If the cookie is a session token that is stored on the user's hard drive, then an attacker or local user (such as an admin) who has access to this cookie can access the application by resubmitting this token until the expiration date passes.

    The following screen captures describe how we tested the www.copart.com web site to find cookie vulnerabilities.

    Figure 1.2.1 Based on the following figures we will understand the cookie poisoning test on the Copart web server using the Acunetix web application vulnerability scanner.


    Figure 1.2.2 shows the beginning of the scan for the target

    Figure 1.2.3 shows that the target is found


    Figure 1.2.4 shows the beginning of the test

    Figure 1.2.5 shows the web links flagged as vulnerable


    Figure 1.2.6 shows the vulnerability results that the Acunetix web scanner finally generates.

    Note that only hosts within the specified domain can set a cookie for that domain. Also, the domain attribute cannot be a top-level domain (such as .gov or .com), to prevent servers from setting arbitrary cookies for another domain. If the domain attribute is not set, then the hostname of the server which generated the cookie is used as the default value of the domain. For example, if a cookie is set by an application at app.mydomain.com with no domain attribute set, then the cookie would be resubmitted for all subsequent requests for app.mydomain.com and its subdomains (such as hacker.app.mydomain.com), but not to otherapp.mydomain.com. If a developer wanted to loosen this restriction, then he could set the domain attribute to mydomain.com. In this case the cookie would be sent with all requests for app.mydomain.com and its subdomains, such as hacker.app.mydomain.com, and even bank.mydomain.com. If there was a vulnerable server on a subdomain (for example, otherapp.mydomain.com) and the domain attribute had been set too loosely (for example, mydomain.com), then the vulnerable server could be used to harvest cookies (such as session tokens).

    Path - In addition to the domain, the URL path can be specified for which the cookie is valid. If the domain and path match, then the cookie will be sent in the request. Just as with the domain attribute, if the path attribute is set too loosely, then it could leave the application vulnerable to attacks by other applications on the same server. For example, if the path attribute was set to the web server root "/", then the application cookies will be sent to every application within the same domain.


    Expires - This attribute is used to set persistent cookies, since the cookie does not expire until the set date is exceeded. This persistent cookie will be used by this browser session and subsequent sessions until the cookie expires. Once the expiration date has been exceeded, the browser will delete the cookie. Alternatively, if this attribute is not set, then the cookie is only valid in the current browser session and the cookie will be deleted when the session ends.
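    The Domain, Path and Expires checks described above, as an added example that is not part of the original assignment: a small Python audit of Set-Cookie header values that flags the loose settings the text describes, plus the missing Secure and HttpOnly flags that allow the sniffing and cross-site scripting theft mentioned under 1.2.1. The sample headers, the issuing host app.mydomain.com, the inspection date and the list of session-like cookie names are constructed assumptions.

```python
"""Audit Set-Cookie headers for weak Domain, Path and Expires settings
(added example; host name, sample headers and session-name list are assumptions)."""
from datetime import datetime, timezone

# Cookie names that typically carry a session/authentication token (assumption).
SESSION_NAMES = ("session", "sid", "auth", "token")

# Expires formats: the hyphenated RFC 850 style used in the text, and RFC 1123.
DATE_FORMATS = ("%a, %d-%b-%Y %H:%M:%S GMT", "%a, %d %b %Y %H:%M:%S GMT")

# The inspection date used in the text's example (10 June 2008).
NOW_IN_TEXT = datetime(2008, 6, 10, tzinfo=timezone.utc)


def parse_set_cookie(header):
    """Split 'name=value; Attr=val; Flag' into (name, value, {attr_lower: val})."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def parse_expires(text):
    """Return an aware UTC datetime, or None if the date is not in a known format."""
    for fmt in DATE_FORMATS:
        try:
            return datetime.strptime(text, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    return None


def audit_cookie(header, host, now):
    """Return (cookie name, list of findings) for a cookie set by `host` at time `now`."""
    name, _, attrs = parse_set_cookie(header)
    host = host.lower()
    findings = []
    session_like = any(s in name.lower() for s in SESSION_NAMES)

    domain = attrs.get("domain", "").lstrip(".").lower()
    if domain:
        if "." not in domain:
            findings.append("domain is a top-level domain; browsers reject it")
        elif domain != host and host.endswith("." + domain):
            findings.append(f"domain={domain} is looser than the host: every subdomain receives the cookie")
        elif domain != host:
            findings.append(f"domain={domain} does not cover the issuing host {host}")

    path = attrs.get("path", "")
    if path == "/":
        findings.append("path=/ sends the cookie to every application under the domain")
    elif path and not path.endswith("/"):
        # Older prefix matching would also send the cookie to e.g. /myapp-exploited.
        findings.append(f"path={path} lacks a trailing '/' and also matches {path}-exploited")

    if "expires" in attrs:
        expires = parse_expires(attrs["expires"])
        if expires is None:
            findings.append("expires value could not be parsed")
        elif expires > now and session_like:
            findings.append(f"session token persists on disk until {expires.date()}")

    if "secure" not in attrs:
        findings.append("secure flag missing: cookie can be sniffed over plain HTTP")
    if "httponly" not in attrs:
        findings.append("httponly flag missing: cookie readable by injected script")
    return name, findings


def audit_all(headers, host, now):
    """Map each cookie name to its findings."""
    return dict(audit_cookie(h, host, now) for h in headers)


if __name__ == "__main__":
    # Constructed sample responses from app.mydomain.com, inspected on the text's date.
    SAMPLE = [
        "sessionid=3f9a1c; Domain=mydomain.com; Path=/myapp; expires=Fri, 13-Jun-2010 13:45:29 GMT",
        "cart=item42; Path=/myapp/; Secure; HttpOnly",
    ]
    for cookie, problems in audit_all(SAMPLE, "app.mydomain.com", NOW_IN_TEXT).items():
        print(cookie, problems or ["no findings"])
```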

    1.2.3 COUNTER MEASURES FOR COOKIES POISONING

    Remember that all cookies, even the secret ones, will be submitted with every request. All authentication tokens will be submitted regardless of whether or not the end-user was tricked into submitting the request. Furthermore, session identifiers are simply used by the application container to associate the request with a specific session object. The session identifier does not verify that the end-user intended to submit the request.

    Only Accepting POST Requests

    Applications can be developed to only accept POST requests for the execution of business logic. The misconception is that, since the attacker cannot construct a malicious link, a CSRF attack cannot be executed. Unfortunately, this logic is incorrect. There are numerous methods by which an attacker can trick a victim into submitting a forged POST request, such as a simple form hosted on an attacker's website with hidden values. This form can be triggered automatically by JavaScript or can be triggered by the victim, who thinks the form will do something else.

    Multi-Step Transactions

    Multi-step transactions are not an adequate prevention of cookie poisoning and CSRF. As long as an attacker can predict or deduce each step of the completed transaction, cookie poisoning and CSRF are possible.

    URL Rewriting

    This might be seen as a useful cookie poisoning and CSRF prevention technique, as the attacker cannot guess the victim's session ID. However, the user's credential is exposed in the URL.


    1.3.1 BRUTE-FORCE ATTACK

    Brute-forcing consists of systematically enumerating all possible candidates for the solution and checking whether each candidate satisfies the problem's statement. In web application testing, the problem we most often face is connected with the need to have a valid user account to access the inner part of the application. Therefore we are going to check different types of authentication schema and the effectiveness of different brute-force attacks.

    A great majority of web applications provide a way for users to authenticate themselves. By having knowledge of the user's identity it is possible to create protected areas or, more generally, to have the application behave differently upon the logon of different users. There are several methods for a user to authenticate to a system, such as certificates, biometric devices and OTP (One Time Password) tokens, but in web applications we usually find a combination of user ID and password. Therefore it is possible to carry out an attack to retrieve a valid user account and password, by trying to enumerate many (e.g. a dictionary attack) or the whole space of possible candidates.

    After a successful brute-force attack, a malicious user could have access to:

    - Confidential information / data: private sections of a web application could disclose confidential documents, users' profile data, financial status, bank details, users' relationships, etc.
    - Administration panels: these sections are used by webmasters to manage (modify, delete, add) web application content, manage user provisioning, assign different privileges to the users, etc.
    - Availability of further attack vectors: private sections of a web application could hide dangerous vulnerabilities and contain advanced functionalities not available to public users.

    The following sequence of figures describes how I tested the brute-force vulnerability on the BUK web site.


    Figure 1.3.1 shows entering the BUK web address

    Figure 1.3.2 shows finding the target web site


    Figure 1.3.3 shows logging in to the web site

    Figure 1.3.4 shows the completed login to the web site for the vulnerability scan


    Figure 1.3.5 shows the web scan beginning

    Figure 1.3.6 shows the elements of the vulnerabilities


    Figure 1.3.7 shows the many vulnerability elements

    Figure 1.3.8 shows the vulnerability definition as brute force


    Figure 1.3.9 shows the final report results

    1.3.2 COUNTER MEASURES FOR BRUTE FORCE ATTACKS

    In the case of an offline attack, where the attacker has access to the encrypted material, he can try key combinations at his leisure without the risk of discovery or interference. However, database and directory administrators can take countermeasures against online attacks, for example by limiting the number of attempts that a password can be tried, by introducing time delays between successive attempts, by increasing the answer's complexity (e.g. requiring a CAPTCHA answer or a verification code sent via cellphone), and/or by locking accounts out after unsuccessful logon attempts. Website administrators may prevent a particular IP address from trying more than a predetermined number of password attempts against any account on the site.

    Reverse Brute-Force Countermeasures

    In a reverse brute-force attack, a single (usually common) password is tested against multiple usernames or encrypted files. The process may be repeated for a select few passwords. In such a strategy, the attacker is generally not targeting a specific user. Reverse brute-force attacks can be mitigated by establishing a password policy that disallows common passwords.
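    The online countermeasures listed above and the common-password policy against reverse brute force, as an added Python example that is not part of the original assignment: per-account lockout after repeated failures, a delay that doubles between successive attempts, a cap on failed attempts per source address across all accounts, and a registration-time denylist. The thresholds, the ManualClock helper, the sample addresses and the denylist contents are constructed assumptions.

```python
"""Online brute-force throttling: account lockout, growing delays, per-IP cap,
and a common-password denylist (added example; thresholds are assumptions)."""
from collections import defaultdict

MAX_ACCOUNT_FAILURES = 5     # lock the account after this many consecutive failures
LOCKOUT_SECONDS = 15 * 60    # how long the lock lasts
MAX_IP_FAILURES = 20         # failed attempts one address may make across all accounts
IP_WINDOW_SECONDS = 60 * 60  # window over which the per-IP count is kept
BASE_DELAY_SECONDS = 2       # wait after the first failure; doubles with each further failure

# Constructed denylist; production systems use a full breached-password list.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1"}


class ManualClock:
    """Clock whose time is advanced by hand so the throttling is testable offline."""
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class LoginGuard:
    def __init__(self, verify, clock):
        self.verify = verify                      # callable (user, password) -> bool
        self.clock = clock                        # callable returning seconds
        self.failures = defaultdict(int)          # consecutive failures per account
        self.next_allowed = defaultdict(float)    # earliest time of the next attempt per account
        self.locked_until = defaultdict(float)    # lockout expiry per account
        self.ip_failures = defaultdict(list)      # failure timestamps per source address

    def _recent_ip_failures(self, ip, now):
        recent = [t for t in self.ip_failures[ip] if now - t < IP_WINDOW_SECONDS]
        self.ip_failures[ip] = recent
        return len(recent)

    def attempt(self, user, password, ip):
        """Return 'ok', 'denied', 'too_fast', 'locked' or 'ip_blocked'."""
        now = self.clock()
        if now < self.locked_until[user]:
            return "locked"
        if now < self.next_allowed[user]:
            return "too_fast"             # delay between successive attempts not yet elapsed
        if self._recent_ip_failures(ip, now) >= MAX_IP_FAILURES:
            return "ip_blocked"           # one address hammering many accounts
        if self.verify(user, password):
            self.failures[user] = 0
            self.next_allowed[user] = 0.0
            return "ok"
        self.failures[user] += 1
        self.ip_failures[ip].append(now)
        # Progressive delay: 2s, 4s, 8s, ... between successive failures on one account.
        self.next_allowed[user] = now + BASE_DELAY_SECONDS * 2 ** (self.failures[user] - 1)
        if self.failures[user] >= MAX_ACCOUNT_FAILURES:
            self.locked_until[user] = now + LOCKOUT_SECONDS
            return "locked"
        return "denied"


def password_allowed(password):
    """Registration-time policy that blunts reverse brute force: no common passwords."""
    return len(password) >= 12 and password.lower() not in COMMON_PASSWORDS


if __name__ == "__main__":
    clock = ManualClock()
    guard = LoginGuard(lambda user, pw: pw == "correct horse battery", clock)
    for _ in range(6):                      # five wrong guesses lock the account
        print(guard.attempt("alice", "guess", "203.0.113.7"))
        clock.advance(64)
```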


    1.4.1 BROKEN-LINKS

    Apart from making your website look unprofessional, broken links can be a serious issue when they point to an important page of your website. For example, if a link pointing to your Products page is broken, then your customers will be unable to view your online store, meaning they won't be able to purchase anything from your site. Apart from making your site look unprofessional, you can also lose customers who might not feel confident shopping with you.

    Furthermore, broken links can work against search engines and search engine robots. Search engines follow the links from your website to other links in order to gather more information about your website. The more content is indexed from your website, the higher the ranking will be. Broken links that are no longer in use might reveal path locations and give clues to the directory structure of your website, which might reveal information concerning the design and logic of your site and disclose other important information, or reveal potential website security vulnerabilities.

    Figure 1.4.1 shows the starting point


    Figure 1.4.2 shows entering the web site to be tested

    Figure 1.4.3 shows the target check


    Figure 1.4.4 shows the completed login to the web site for the vulnerability scan

    Figure 1.4.5 shows the beginning of the scan


    Figure 1.4.8 shows the final vulnerability report for www.apple.com

    1.4.2 COUNTER MEASURES FOR BROKEN LINKS

    There are several ways to repair a broken link. Often web pages have simply moved, either in connection with a migration to a new server, or through general site maintenance. A site index is a useful place to locate the moved page.

    A search engine query using the title of the page, possibly with a search restriction to the same site, might also find the page. Use the WebsiteDefender report to identify any broken links and restore the pages or files which are missing. You should remove all broken links that reference files or pages that are no longer present on your site.


    Question 2

    Take an existing system and infrastructure.

    Explain the company and its industry.

    Explain the existing (application) system.

    Using a network diagram explain the current infrastructure

    Explain the defenses which you will put in place to protect the infrastructure of this organization.

    Defense for the Network Infrastructure (both wired and wireless).

    Defense on the Host server

    Answer

    2.1 EXPLAINING COMPANY AND ITS INDUSTRY

    First Bank of Nigeria PLC is a Nigeria-based financial institution that offers a range of financial services. The Bank is divided into three business segments: Corporate banking, Personal banking and e-banking Services. Its products are targeted at corporate and individual customers. The Bank operates through several subsidiaries, providing a range of banking services, including corporate banking, capital market operations, funds management, insurance brokerage, trusteeship, registrarship and pension custodianship.

    2.2 EXISTING (APPLICATION) SYSTEM

    First Bank offers banking services to individuals; consumer banking is the provision of products and services to meet the financial needs of individuals with a steady and verifiable income flow. Here are some of the existing banking systems:


    U-First

    U-First is a suite of retail and consumer loan products designed for individuals and small businesses to enable them to meet their business and personal needs.

    Generic Savings Account

    It is a hybrid savings account that runs on a savings platform with current account features for your convenience.

    Generic Current Account

    With FirstBank's current account, you just can't go wrong. You can carry out unlimited 3rd-party transactions seamlessly and enjoy the inherent benefits.

    FirstPremium Term Deposit Account

    FirstPremium Term Deposit is a value-added term deposit product which offers higher interest rates than the conventional term deposit.

    First Savings Plus Account

    It is a hybrid savings account that runs on a savings platform with current account features for your convenience.

    First Hi-Fi (Children) Account

    This is a special account designed for children from age 0 to 18 years to sensitise and cultivate a savings culture within this age bracket and to help parents plan towards the future of their children and wards.

    FirstCurrent Plus (Zero COT Account)

    Withdrawal is limited to five (5) times in a month; where a customer exceeds the number of withdrawals, the account will default to N5.00/mille COT on the total customer-induced transactions for that month.

    FirstCurrent Business Account

    A fee-based current account that allows customers to carry out numerous transactions without paying COT.

    FirstDom Account


    Are you upwardly mobile? Then First Dom Plus is designed for you. It is an account that encourages you to save your foreign currency while still giving you the opportunity to earn higher interest on account balances.

    FirstInstant Account

    The FirstInstant Account is a savings product designed for the unbanked and underbanked to enhance financial inclusion.

    2.3 CURRENT INFRASTRUCTURE USING NETWORK DIAGRAM

    Infrastructure is the set of basic physical components of interrelated systems which provides the organizational hardware structure used to interconnect computers and users for enhanced economic function. Infrastructure includes the transmission media, including telephone lines, cable television lines, satellites and antennas, and also the routers and other devices that control transmission paths. Infrastructure also includes the software used to send, receive, and manage the signals that are transmitted.

    In some usages, infrastructure refers to the interconnecting hardware and software and not to the computers and other devices that are interconnected. However, to some information technology users, infrastructure is viewed as everything that supports the flow and processing of information. Infrastructure companies play a significant part in evolving the Internet, both in terms of where the interconnections are placed and made accessible and in terms of how much information can be carried how quickly.

    Diagram 2.1 Bank Infrastructure Network System (Bank Infrastructure Network Diagram; image not reproduced. Labelled components: Head office and Branch office, each with work stations and an ATM; Main server; Local server; Router; Firewall; Internet.)


    2.4 DEFENCES FOR THE NETWORK INFRASTRUCTURE

    Information infrastructures across many public and private domains share several common attributes regarding information technology (IT) deployments and data communications. This is particularly true in the industrial control systems domain, where an increasing number of organizations are using modern networking to enhance productivity and reduce costs by increasing the integration of external, business, and control system networks. However, these integration strategies often lead to vulnerabilities that greatly reduce the cybersecurity posture of an organization and can expose mission-critical industrial control systems to cyber threats.

    Physical Security: Physical security reviews involve reviewing agreed physical security controls and procedures to determine their effectiveness and to identify gaps and weaknesses. This may include reviewing the access control system for doors, CCTV monitoring, and communications. It may cover procedures for controlling visitor access, deliveries and contract services, such as cleaning. It can extend to searching for covert cameras and listening devices in meeting rooms and offices, and may involve investigations into other areas including staff vetting procedures.

    Social engineering tests are typically combined with physical and internal network infrastructure tests, and involve testing the human element of security. Social engineering is the art of obtaining information by deception, with the aim of gaining unauthorised access to information or resources. As examples, successful scenarios we have used in the past include posing as journalists to find out information about an organisation's infrastructure, posing as internal IT staff testing a new system, using phishing emails to harvest passwords and obtaining passwords from a helpdesk.

    2.5 DEFENCES ON HOST SERVER

    The policy layer is probably the most overlooked and misunderstood aspect of information security. Security policies should be the foundation of every Defense in Depth plan. One of the main purposes of security policies is to educate all users of their obligation to the protection of the technologies and business information. Security policies help protect both business information and employees in many ways:

    1. They provide the guidance for what must be done to protect the business information stored on the corporate network.
    2. They establish a set of rules of conduct for all users.
    3. They provide authorization for the information security personnel to perform various duties such as monitoring, sniffing, probes, password cracking, etc.
    4. They are the baseline for measuring compliance and enforcement.
    5. They define the consequences of violations of the policies.


remember it because we know it by the pass phrase. Now, in order to satisfy the DO boundary, we come up with a personal form of character substitution. For instance, every time the letter t is used, substitute a +. Since your first letter is I and it is capital, make the other i capital for consistency and ease of remembering. Keep the proper nouns as capitals and you will have a strong password that looks like this: Iw+F30+bIsMM

System administrators should enforce strong passwords on all systems with the following criteria:

- Expire after no more than 60 days (note that current NIST guidance, SP 800-63B, advises against forced periodic expiry unless compromise is suspected, so weigh this rule against it)
- Lock out the account after three failed attempts
- Log all successful and failed login attempts
- Use password filters to ensure length and character inclusion
- None of the user's previous 6 passwords can be reused
- Passwords should have a minimum age of three days
- Store passwords only as strong salted hashes (e.g. /etc/shadow on Unix) and disable weak authentication hashes (NTLMv2 rather than LM/NTLMv1 on Windows)

With the strong password created above and the enforcement on the server, it would be extremely difficult for an attacker to break in with a valid user name and a guessed password. If an attacker trying to crack passwords came up against our example, the password would most likely expire before they could crack it and use it. This assumes the stored hashes are salted and slow; a fast unsalted hash such as LM or NTLMv1 can be cracked far more quickly.
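The enforcement criteria above, worked through as an added Python example (this is not code from the assignment or from any operating system's password module): a password filter that checks length and character classes, a six-deep history check using salted PBKDF2 hashes so that old passwords are never stored in clear text, and a three-strikes lockout. The minimum length of 12 and the requirement for three of the four character classes are assumptions; the text asks for "length and character inclusion" without giving numbers. Expiry and minimum age are left out to keep the example focused.

```python
import hashlib
import hmac
import os
import re
from dataclasses import dataclass, field

# Policy thresholds.  HISTORY_DEPTH and MAX_FAILURES come from the criteria
# above; MIN_LENGTH and REQUIRED_CLASSES are assumptions for this example.
MIN_LENGTH = 12
REQUIRED_CLASSES = 3
HISTORY_DEPTH = 6
MAX_FAILURES = 3

CHARACTER_CLASSES = {
    "upper": re.compile(r"[A-Z]"),
    "lower": re.compile(r"[a-z]"),
    "digit": re.compile(r"[0-9]"),
    "symbol": re.compile(r"[^A-Za-z0-9]"),
}


def password_violations(pw):
    """Password filter: return the list of rule violations ([] means it passes)."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    present = [name for name, pat in CHARACTER_CLASSES.items() if pat.search(pw)]
    if len(present) < REQUIRED_CLASSES:
        problems.append("uses only %d of the 4 character classes, need %d"
                        % (len(present), REQUIRED_CLASSES))
    return problems


def _digest(pw, salt):
    # Salted, iterated hash: history entries never hold the clear-text password.
    return hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, 50_000)


@dataclass
class Account:
    name: str
    history: list = field(default_factory=list)  # (salt, digest) pairs, newest last
    failures: int = 0
    locked: bool = False

    def _reused(self, pw):
        # Only the most recent HISTORY_DEPTH entries count as "previous passwords".
        recent = self.history[-HISTORY_DEPTH:]
        return any(hmac.compare_digest(_digest(pw, salt), digest) for salt, digest in recent)

    def set_password(self, pw):
        """Apply the filter and the history rule; record the password only if both pass."""
        problems = password_violations(pw)
        if self._reused(pw):
            problems.append("matches one of the previous %d passwords" % HISTORY_DEPTH)
        if not problems:
            salt = os.urandom(16)
            self.history.append((salt, _digest(pw, salt)))
        return problems

    def login(self, pw):
        """Check against the current password; MAX_FAILURES wrong guesses lock the account."""
        if self.locked or not self.history:
            return False
        salt, digest = self.history[-1]
        if hmac.compare_digest(_digest(pw, salt), digest):
            self.failures = 0          # a good login clears the failure counter
            return True
        self.failures += 1
        if self.failures >= MAX_FAILURES:
            self.locked = True
        return False


if __name__ == "__main__":
    acct = Account("alice")
    print("weak:", password_violations("password"))
    print("strong:", acct.set_password("Iw+F30+bIsMM"))
    print("reuse:", acct.set_password("Iw+F30+bIsMM"))
    for guess in ("guess-1!A", "guess-2!A", "guess-3!A"):
        print("login", guess, acct.login(guess), "locked:", acct.locked)
```

Note that the lockout counter is reset on a successful login but is never reset by a timer here; a production system would add an unlock interval or an administrator reset so that a remote attacker cannot use the lockout rule itself as a denial-of-service against legitimate users.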

PERIMETER PROTECTION WITH FIREWALLS

A critical and essential part of any information security plan is undoubtedly the firewall. Firewalls are among the most effective protection control mechanisms available in the information security arsenal. Commonly deployed at the perimeter gateway, the firewall stands as a traffic cop, allowing or denying access to and from different attached network segments based on the ruleset applied. While primarily used as gateway devices, it is not unusual to use firewalls internally to protect certain networks or individual hosts. Since firewalls play a major role in a Defense in Depth strategy, we will detail the three different types of firewalls. Firewalls come in basically three types with various features. Depending on the type and feature set, they will provide some or all of these major elements of protection:

1. Reduce risk by protecting systems from attempts to exploit vulnerabilities.
2. Increase privacy by making it harder to gather information about the site.
3. Enforce an organization's security policy.
4. Log traffic for audit and forensic analysis.
5. Provide VPN/encryption capabilities.
6. Perform Network Address Translation (NAT).
7. Integrate with content filtering systems.
8. Filter unwanted traffic.

Firewall Type 1: The packet filter

The packet filter firewall is a router (usually Cisco) using access control lists (ACLs). They are fast and generally low cost in comparison to the other types of firewalls. Packet filter firewalls are limited in their capacity to provide security with functionality, and are therefore often regarded as not very useful. This is not a true statement, though. Packet filter firewalls look at every packet


both inbound and outbound and check the source address/port and destination address/port against a defined ruleset. Therefore, it is possible to predefine undesirable networks and block traffic coming from them. The packet filter firewall can be an effective noise filter and complement a more robust firewall solution. Generally they are set up as "allow all except that which is explicitly denied"; where the legitimate traffic is well understood, the reverse, deny-by-default posture is the safer choice. For example, minimally use a packet filter firewall to filter out:

Incoming
- The private IP networks (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) as source addresses, since they are not routable on the Internet and can only be spoofed
- The loopback network 127.0.0.0/8
- All broadcasts

Outgoing
- ICMP echo reply

Also, it may be beneficial to use all or part of the Internet Storm Center's blocklist to filter out traffic from hostile networks. Caution is needed, as this list changes frequently, resulting in a false sense of security or causing access to be denied to a network the business deems necessary.
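The ingress/egress filter described above, as an added Python example (this is not code from the assignment or from any firewall product): a stateless, first-match packet filter evaluated over a constructed list of packets. The protected network 203.0.113.0/24 (a documentation range), the Packet record layout and the `default` argument, which switches between the text's allow-all-except-denied posture and a deny-by-default posture, are assumptions made for the demonstration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Source ranges that must never appear on packets arriving from the Internet.
BOGON_SOURCES = [ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918 private space
    "127.0.0.0/8",                                      # loopback
)]
PROTECTED_NET = ip_network("203.0.113.0/24")   # assumed: the site's own public network
LIMITED_BROADCAST = ip_address("255.255.255.255")
ICMP_ECHO_REPLY = 0                            # ICMP type 0


@dataclass(frozen=True)
class Packet:
    direction: str     # "in" (arriving from the Internet) or "out" (leaving for it)
    proto: str         # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0     # TCP/UDP destination port
    icmp_type: int = -1


def is_broadcast(addr):
    a = ip_address(addr)
    return a == LIMITED_BROADCAST or a == PROTECTED_NET.broadcast_address


def filter_packet(pkt, default="accept"):
    """Evaluate the rules in order; the first match wins.  Returns (verdict, reason).

    `default` is the verdict when no rule matches: "accept" mirrors the
    allow-all-except-denied ruleset the text describes, "drop" is default-deny."""
    src, dst = ip_address(pkt.src), ip_address(pkt.dst)
    if pkt.direction == "in":
        for net in BOGON_SOURCES:
            if src in net:
                return "drop", "inbound source %s in unroutable range %s" % (src, net)
        if is_broadcast(pkt.dst):
            return "drop", "inbound packet to broadcast address %s" % dst
    elif pkt.direction == "out":
        if pkt.proto == "icmp" and pkt.icmp_type == ICMP_ECHO_REPLY:
            return "drop", "outbound ICMP echo reply"
    return default, "no rule matched"


def filter_all(packets, default="accept"):
    """Apply the filter to a batch; returns a list of (packet, verdict) pairs."""
    return [(p, filter_packet(p, default)[0]) for p in packets]


# Constructed sample traffic (not a real capture).
SAMPLE_TRAFFIC = [
    Packet("in", "tcp", "10.1.2.3", "203.0.113.10", dport=80),           # spoofed private source
    Packet("in", "tcp", "127.0.0.1", "203.0.113.10", dport=22),          # loopback source from outside
    Packet("in", "udp", "198.51.100.7", "203.0.113.255", dport=137),     # directed broadcast
    Packet("in", "tcp", "198.51.100.7", "203.0.113.10", dport=443),      # ordinary HTTPS request
    Packet("out", "icmp", "203.0.113.10", "198.51.100.7", icmp_type=0),  # echo reply leaving
    Packet("out", "icmp", "203.0.113.10", "198.51.100.7", icmp_type=8),  # echo request leaving
]

if __name__ == "__main__":
    for pkt in SAMPLE_TRAFFIC:
        verdict, reason = filter_packet(pkt)
        print("%-6s %s" % (verdict, reason))
```

Running the same batch with `default="drop"` drops the HTTPS request and the outbound echo request as well, which is exactly the trade-off between the two postures: default-deny needs explicit permit rules for every service the business uses, default-allow needs an explicit deny for every abuse you can think of.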

INTRUSION DETECTION SYSTEMS

A complement to any firewall strategy is the use of Intrusion Detection Systems. While the firewall acts as a shield, it is not bullet-proof. Subject to attack themselves, firewalls cannot protect against end users, modem access, social engineering, poor configuration, etc. To make matters worse, this activity and its effects end up on your network completely unnoticed. Intrusion Detection Systems, network-based (NIDS) and host-based (HIDS), monitor and collect activity either on the network or on a host. They examine the data to detect threats, attacks and other malicious activity. This is extremely valuable, because without it you are blind to the activity happening on your network and hosts.

Intrusion detection systems come in basically two flavours, network-based (NIDS) and host-based (HIDS). The separation between the two does not mean you use one or the other: both types should be used to create this layer of defence.

Network-based IDS (NIDS): NIDS are typically hardened systems or appliances running IDS software that sit on the wire, monitoring all the network traffic passing by. They do this by running in promiscuous mode, much like a sniffer. Some common NIDS are RealSecure and Snort. A NIDS matches network traffic against a database of known or custom attack signatures. A match against the database can be handled in a variety of ways, such as a pager alert, an email alert and/or a predetermined course of action. Some advantages of NIDS are:

- Real-time detection
- Detection of denial-of-service attacks and floods (a passive NIDS only alerts; stopping them requires an inline IPS or firewall integration)
- Detection of unsuccessful attacks
- Evidence collection for forensic analysis
- Detection of port scans and reconnaissance
- Fairly easy to set up
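The two NIDS functions named above, signature matching and port-scan detection, as an added Python example (this is not code from the assignment, and the signatures are not real Snort rules): a toy sensor that runs a small custom signature database over packet payloads and a sliding-window scan detector over constructed traffic records. The Record layout, the three signatures and the threshold of 10 distinct destination ports from one source within 5 seconds are assumptions for the demonstration.

```python
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    ts: float          # capture time in seconds
    src: str
    dst: str
    dport: int
    payload: bytes = b""


# Custom content signatures, in the spirit of Snort content rules (assumed, not real rules).
SIGNATURES = [
    ("SQL injection probe", re.compile(rb"(?i)union\s+select|'\s*or\s+1=1")),
    ("Directory traversal", re.compile(rb"\.\./\.\./")),
    ("Shell metacharacters in request", re.compile(rb";\s*(cat|id|wget|curl)\b")),
]

SCAN_PORTS = 10       # this many distinct destination ports from one source ...
SCAN_WINDOW = 5.0     # ... within this many seconds is reported as a port scan


def match_signatures(rec):
    """Return the names of all signatures whose pattern appears in the payload."""
    return [name for name, pat in SIGNATURES if pat.search(rec.payload)]


def detect_port_scans(records):
    """Per-source sliding window over time; one alert per burst that reaches the threshold."""
    by_src = defaultdict(list)
    for r in sorted(records, key=lambda r: r.ts):
        by_src[r.src].append(r)
    alerts = []
    for src, recs in by_src.items():
        window = []                       # (ts, dport) seen within the last SCAN_WINDOW seconds
        for r in recs:
            window.append((r.ts, r.dport))
            window = [(t, p) for t, p in window if r.ts - t <= SCAN_WINDOW]
            distinct = {p for _, p in window}
            if len(distinct) >= SCAN_PORTS:
                alerts.append("port scan from %s: %d ports within %.0fs"
                              % (src, len(distinct), SCAN_WINDOW))
                window = []               # reset so one scan produces one alert
    return alerts


def analyse(records):
    """Run every detection; returns alert strings (a real NIDS would page or email here)."""
    alerts = []
    for r in records:
        for name in match_signatures(r):
            alerts.append("%s from %s -> %s:%d" % (name, r.src, r.dst, r.dport))
    alerts.extend(detect_port_scans(records))
    return alerts


# Constructed sample traffic: one legitimate request, two attack payloads, one port scan.
SAMPLE = [
    Record(0.0, "198.51.100.7", "203.0.113.10", 80, b"GET /index.html HTTP/1.1"),
    Record(1.0, "198.51.100.7", "203.0.113.10", 80, b"GET /item?id=1' OR 1=1-- HTTP/1.1"),
    Record(2.0, "198.51.100.9", "203.0.113.10", 80, b"GET /../../etc/passwd HTTP/1.1"),
] + [Record(3.0 + i * 0.1, "198.51.100.200", "203.0.113.10", port)
     for i, port in enumerate(range(20, 32))]

if __name__ == "__main__":
    for alert in analyse(SAMPLE):
        print(alert)
```

The signature half is the part an attacker can evade with encoding or fragmentation, and the scan half is the part that produces false positives on busy hosts; tuning both (normalising payloads before matching, raising the scan threshold for known scanners such as monitoring systems) is the ongoing work of running a NIDS.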


    CONTENT FILTERING

Today most businesses require, at a minimum, email and web browsing to communicate effectively with internal as well as external customers. While this provides the business with an avenue by which to communicate, it also provides a convenient mechanism for malware (viruses carried in email, hostile HTML, etc.) to proliferate and inundate a network and its systems in a matter of minutes. In addition, an increase in web surfing for fun and non-business-related email results in higher business costs due to lost productivity. Content filtering is an excellent way to protect the business by proactively keeping viruses, spam, erroneous web surfing and inappropriate file attachments to a minimum.

    ANTIVIRUS

It is unthinkable not to have some kind of antivirus system in place, but too often it is deployed only on the desktop, if at all, and not regularly updated. Antivirus should be deployed in four main places:

- Desktops/laptops
- File servers
- Email servers
- Gateways

Antivirus should also be easy to deploy and configure, unobtrusive, and self-updating. This will help ensure that it can be quickly deployed, that users won't try to tamper with it, and that it is always current. Since every antivirus vendor has its pros and cons, it is good practice to use a different vendor for each deployment area in your organization. By doing this you will achieve a greater level of protection against viruses that may slip past a single-vendor solution. The following scenario may fit into your organization's antivirus needs.

    DATA ENCRYPTION

Data encryption provides the last layer of defense, should an attacker break through the outer layers of your Defense in Depth strategy. Encryption sounds familiar to many and the concept is pretty simple. However, all too often encryption is not implemented, for various reasons, one of which is that people don't understand it beneath the surface.


    Question 3

Describe in detail the CIA Triad.

    Confidentiality.

    Integrity.

    Availability

    Answer

3.1 CIA TRIAD

The CIA triad is a well-known industry standard model in information security. It is applied in various situations to identify problems or weaknesses and to establish security solutions. It is made up of three main components: Confidentiality, Integrity and Availability. Each component represents a fundamental objective of information security.

    Information security means protecting information and information systems from unauthorizedaccess, disclosure, disruption, modification, perusal, inspection, recording or destruction.

The terms information security, computer security and information assurance are frequently used interchangeably. These fields are interrelated and share the common goals of protecting the confidentiality, integrity and availability of information; however, there are some subtle differences between them.

These differences lie primarily in the approach to the subject, the methodologies used and the areas of concentration. Information security is concerned with the confidentiality, integrity and availability of data regardless of the form the data may take: electronic, print or other forms. Computer security can focus on ensuring the availability and correct operation of a computer system without concern for the information stored or processed by the computer. Information assurance focuses on the reasons for assurance that information is protected, and is thus reasoning about information security.

    The three components of the triad are discussed below:

1. Confidentiality: This component is closely linked with privacy. It means that data are only available to the appropriate parties, which may be parties that require access to the data or parties that are trusted. Data that have been kept confidential have not been compromised by other parties; confidential data are not disclosed to people who do not require them or who should not have access to them. Ensuring confidentiality means that information is organized in terms of who ought to have access to it as well as its sensitivity. A breach of confidentiality may take place through different means, for instance hacking or social engineering.


2. Integrity: Data integrity refers to the certainty that the data are not tampered with during or after submission. It is the certainty that the data will not be modified or destroyed by unauthorized parties. This means there are two points at which the integrity could be compromised: during the upload or transmission of the data, and during the storage of the document in the database or collection.

3. Availability: This means that the information is available when it is needed. In order for a system to demonstrate availability, it must have properly functioning computing systems, security controls and communication channels. The most available systems are accessible at all times and have safeguards against power outages, natural disasters, hardware failures and system upgrades.

    Availability is a major challenge in collaborative environments as such environments must bestable and continually maintained. Such systems must also allow users to access requiredinformation with little waiting time. Redundant systems may be in place to offer a high levelof fail-over. The concept of availability can also refer to the usability of a system.

    Information security refers to the preservation of integrity and secrecy when information isstored or transmitted. Information security breaches occur when information is accessed byunauthorized individuals or parties. Breaches may be the result of actions of hackers, intelligenceagencies, criminals, competitors, employees or others. In addition, individuals who value andwish to preserve their privacy are interested in information security.

Diagram 3.1 CIA Triad

[Figure: the CIA triad model of data services. Of the figure's labels, only "Availability: no single point of failure" survived extraction.]


