www.chmag.in | Aug 2013

Oracle Hardening - Part 2

Introduction

While Oracle is designed "secure by default," this article explores a variety of those defaults and administrative approaches that help to minimize vulnerabilities. Please remember that the strategies discussed here are presented as options to consider rather than definitive rules to apply. In the previous article (June 2013 issue) I went through OS level permissions for securing Oracle databases; here I will take you a step closer towards Oracle hardening, to make it hard for perpetrators to break into the system. The focus will be on the parameters you need to consider, with an explanation of what each parameter does, why it should be changed and how it can be done. Oracle security parameters will be covered in this part.

Abstract

The following template will be used for each parameter:

WHAT: This will explain what the parameter is used for and where it can be found;
WHY: The reason you should consider changing/not-changing it;
Thumb-rule: The information security cliché it follows (wherever applicable);
VERSION: Versions of Oracle it is applicable for;
COMMAND: The command to help you make the changes (wherever applicable);
Recommended settings: Table of recommended settings, mostly combined for multiple parameters that are of a similar type (wherever applicable).

Solution

As mentioned above, let's start with important OS security parameters in the Oracle Database:

O7_DICTIONARY_ACCESSIBILITY

WHAT: Controls restrictions on SYSTEM privileges. If the parameter is set to TRUE, access to objects in the SYS schema is allowed. The default setting is FALSE.
P.S: System privileges that allow access to objects in "any schema" are not allowed access to objects in the SYS schema.
WHY: Unauthorized/inadvertent access and changes to SYSTEM.
Thumb-rule: Least privileges
VERSION: ALL
Command: Login as SYSDBA and execute the ALTER SYSTEM command as (FALSE is the restrictive value the text above recommends):

ALTER SYSTEM SET O7_DICTIONARY_ACCESSIBILITY = FALSE SCOPE=SPFILE;
_TRACE_FILES_PUBLIC

WHAT: Some errors in Oracle lead to the generation of trace files. We can generate them forcefully after enabling the SQL_TRACE parameter. All trace files are logged in the directory given by the USER_DUMP_DEST or BACKGROUND_DUMP_DEST parameter. In general all trace files have read and write permission for the Oracle software owner, and the group of the Oracle installation has read-only permission. Other users don't have read privilege. Trace files can be found at /opt/oracle/ora11g/admin/orcl/udump. Oracle applies this permission using a hidden parameter called _TRACE_FILES_PUBLIC. Due to this parameter trace files don't have read permission for other users or public.
P.S: The default value of _TRACE_FILES_PUBLIC is FALSE. It is not recommended to change the value.
WHY: Trace files may contain important information about database security or some sensitive details of data.
Thumb-rule: Need-to-know privileges
VERSION: ALL
Commands: Login as SYSDBA and execute the ALTER SYSTEM command as (the underscore-prefixed hidden parameter name must be double-quoted):

ALTER SYSTEM SET "_trace_files_public" = FALSE SCOPE=SPFILE;

P.S: After changing the _TRACE_FILES_PUBLIC parameter to TRUE, newly generated trace files will have read permission granted to other users and public.

USER_DUMP_DEST

WHAT: Specifies the directory where the server will write debugging trace files on behalf of a user process. The value should never be set to *.
WHY: Trace files may contain important information about database security or some sensitive details of data.
VERSION: ALL
Commands: The parameter can be set in the initialisation file as user_dump_dest = 'directory', e.g.

user_dump_dest = 'R:\Oracle\Admin\NT92001\udump'

This parameter can also be set at system level, e.g.

ALTER SYSTEM SET user_dump_dest = 'Q:\Udump';

UTL_FILE_DIR

WHAT: Specifies one or more directories that Oracle should use for PL/SQL file I/O. The value should never be set to *.
WHY: All users can read or write to all files specified by this parameter. Therefore the value * means that the package UTL_FILE can be used to write to any directory in the system where oracle has write permissions. GREAT!!
VERSION: ALL
Commands: The parameter can be set in the initialisation file as utl_file_dir = 'directory'
P.S: Quite often databases have utl_file_dir set to the user_dump_dest. If this is the case then it should be possible to read trace files you wouldn't ordinarily have access to. UTL_FILE_DIR and USER_DUMP_DEST should not be the same.
RESOURCE_LIMIT

WHAT: Specifies whether resource limits are enforced in database profiles. The value should be set to TRUE.
WHY: This is not a security issue but a performance issue. If it is FALSE, limits specified in profiles will not be applied to users.
VERSION: ALL
Commands: This parameter can be set at system level, e.g.

ALTER SYSTEM SET RESOURCE_LIMIT = TRUE;

TRANSACTION_AUDITING

WHAT: TRANSACTION_AUDITING is to be set to TRUE. Oracle generates a special redo record that contains the user logon name, user name, the session ID, some operating system information and client information. For each successive transaction, Oracle generates a record that contains only the session ID. These subsequent records link back to the first record, which also contains the session ID.
WHY: The redo record will not be generated if set to FALSE. Useful if you are using redo log analysis tools.
VERSION: ALL
Commands: This parameter can be set at system level, e.g.

ALTER SYSTEM SET TRANSACTION_AUDITING = TRUE;

REMOTE_OS_AUTHENT

WHAT: REMOTE_OS_AUTHENT specifies whether remote clients will be authenticated with the value of the OS_AUTHENT_PREFIX parameter.
WHY: Allowing the OS to control authentication without intervention can be very risky.
VERSION: ALL
Commands: This parameter can be set at system level, e.g.

ALTER SYSTEM SET REMOTE_OS_AUTHENT = FALSE;

P.S: The remote_os_authent parameter has been deprecated in Oracle 11g, and a safer method is now used.

These are some of the important OS parameters; we will focus on permissions on Oracle tables and packages in the next article.
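As an added worked example (not part of the article and not Oracle's own tooling), the following Python script applies the recommendations from the parameters above to a "name = value" listing of the kind a DBA would export from the initialisation file or a SHOW PARAMETER run. The sample listing, the helper names and the treatment of the hidden _TRACE_FILES_PUBLIC value as a plain line in that listing are assumptions made for the example.

```python
"""Audit Oracle initialisation parameters against the recommendations above.

Added example, not the article's own script. Input is a constructed
'name = value' listing (as exported from an init file or SHOW PARAMETER);
parameter names follow the article, helper names are assumptions.
"""
from typing import Dict, List

# Recommended values taken from the parameter descriptions in the article.
EXPECTED = {
    "o7_dictionary_accessibility": "FALSE",  # keep SYS schema out of ANY privileges
    "_trace_files_public": "FALSE",          # trace files stay owner/group readable
    "resource_limit": "TRUE",                # profile limits must be enforced
    "transaction_auditing": "TRUE",          # redo records carry session info
    "remote_os_authent": "FALSE",            # no OS-trusted remote logins
}

# Parameters that must never be the wildcard '*'.
NO_WILDCARD = ("utl_file_dir", "user_dump_dest")


def parse_parameter_dump(text: str) -> Dict[str, str]:
    """Turn 'name = value' lines into a dict; names lower-cased, quotes stripped."""
    params: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, _, value = line.partition("=")
        params[name.strip().lower()] = value.strip().strip("'\"")
    return params


def _norm_path(path: str) -> str:
    """Compare directories case-insensitively and without trailing separators."""
    return path.rstrip("/\\").lower()


def audit_parameters(params: Dict[str, str]) -> List[str]:
    """Return one finding per setting that deviates from the recommendations."""
    findings: List[str] = []
    for name, want in EXPECTED.items():
        have = params.get(name)
        if have is None:
            findings.append(f"{name}: not set explicitly, confirm the default is {want}")
        elif have.upper() != want:
            findings.append(f"{name}: is {have.upper()}, recommended {want}")
    for name in NO_WILDCARD:
        if params.get(name, "") == "*":
            findings.append(f"{name}: set to '*' (any directory)")
    utl, udd = params.get("utl_file_dir"), params.get("user_dump_dest")
    if utl and udd and _norm_path(utl) == _norm_path(udd):
        findings.append("utl_file_dir equals user_dump_dest: trace files readable via UTL_FILE")
    return findings


# Constructed sample listing (not a real system): two weak settings, one
# parameter missing, and UTL_FILE_DIR pointing at the trace directory.
SAMPLE_DUMP = """\
o7_dictionary_accessibility = TRUE
_trace_files_public = FALSE
user_dump_dest = '/opt/oracle/ora11g/admin/orcl/udump'
utl_file_dir = '/opt/oracle/ora11g/admin/orcl/udump/'
resource_limit = FALSE
remote_os_authent = FALSE
"""

if __name__ == "__main__":
    for finding in audit_parameters(parse_parameter_dump(SAMPLE_DUMP)):
        print("FINDING:", finding)
```

Run against the constructed listing it reports four findings: O7_DICTIONARY_ACCESSIBILITY set to TRUE, RESOURCE_LIMIT set to FALSE, TRANSACTION_AUDITING not set, and UTL_FILE_DIR pointing at the same directory as USER_DUMP_DEST.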
About the Author

Ajinkya Patil
http://avsecurity.in

Ajinkya is an Information Security professional with experience in conducting Web application security, IT governance reviews, Network security, Database and OS. He holds a CISA (Associate of ISACA) certification and an Information Security Management certification. He is also listed in the Hall of Fame of Blackberry (RIM).

DSCI Security Framework for ISO 27001 Implementers

DSCI (Data Security Council of India), a NASSCOM body, has been set up as an independent self-regulatory organization to promote data protection, develop security and privacy best practices & standards and encourage the Indian industries to implement the same [1].

DSCI has developed best practices for data protection in the form of two frameworks:
1. The Privacy Framework;
2. The Security Framework.

We will discuss the DSCI Security Framework (DSF from here onwards) for now (discussion on the Privacy Framework will come in subsequent articles) and its relevance for ISO 27001 implementers.

The DSF has been developed in the form of 16 disciplines across 4 layers each, which need to be implemented / established in order to help organizations implement information security. The discipline centric approach helps in aligning an organization's thought process to the market and helps in putting up a maturity based approach for both implementation and assessments.

[1] http://www.dsci.in/about-us

The 16 disciplines are as follows:
1. Security Strategy and Policy (SSP)
2. Security Organizations (SEO)
3. Asset Management (ASM)
4. Governance Risk and Compliance (GRC)
5. Infrastructure Security (INS)
6. Application Security (APS)
7. Secure Content Management (SCM)
8. Threat and Vulnerability Management (TVM)
9. User Access and Privilege Management (UAP)
10. Business Continuity and Disaster Recovery Management (BDM)
11. Security Audit and Testing (SAT)
12. Security Monitoring and Incident Management (MIM)
13. Physical and Environmental Security (PEN)
14. Third Party Security Management (TSM)
15. Personnel Security (PES)
16. Data Security (DSC)
The four layers into which each discipline has been divided are:

1) Approach
An attempt has been made to describe the discipline and to set the expectations and the rationale behind inclusion of the same;
2) Strategy
Policy statements pertaining to implementation of the discipline have been provided in this section to help management (senior / middle) in putting up appropriate direction towards successful implementation of the discipline;
3) Best Practices
This section details some of the best practices that have been observed over a period of time across industries pertaining to this discipline;
4) Maturity
This section identifies & articulates some characteristics of the discipline that showcase the evolution of the same in an organization.

Benefits of DSCI Privacy and Security Frameworks:
1. The discipline based approach helps align an organization to the market realities;
2. The layered approach helps in implementation and in client assurance; in light of the recent regulations, security and privacy implementations have been carried out in many organizations across the country, both towards due diligence and to provide appropriate assurance to clients regarding the security and privacy of their data.

Improvements Wishlist:
1. A maturity model would be a welcome move (e.g., similar to ISM3 & SSE-CMM);
2. Awareness of the eco-system needs to be strengthened (expect more traction in coming days as the system is new).

DSF and ISO 27001

For ISMS implementers, the framework puts up important guidance towards implementation; in other words, the DSF can be used to implement an ISO 27001:2005 compliant ISMS. A partial mapping table of DSF disciplines vis-à-vis ISO 27001 has been presented below (NB: this is not an exhaustive list and has been provided as an illustration):

[Mapping table of DSF disciplines vis-à-vis ISO 27001: presented as an image in the original and not recoverable from the extracted text]

Image Credits
1) DSF (DSCI Security Framework) Book Image: http://images.nasscom.org/sites/default/files/imagecache/product_full/researchreports/images/DSF.jpg
2) http://www.dsci.in/sites/default/files/Security_homepage_0.jpg

Information Sources
1) http://www.dsci.in
2) http://www.ism3.com
3) http://csrc.nist.gov/groups/SMA/fasp/documents/incident_response/SSAIRBSP/SSECMMv2Final.pdf

Disclaimer
The opinions and viewpoints expressed here are personal.

About the Author

M.S.Sripati, CISA
maanav.saavadhaan@gmail.com

Sripati is an information security process consultant & software developer with an overall experience of 8+ years, doing ISO 27001 & HIPAA compliant ISMS implementation, risk assessment and management. He is a self-driven professional who continuously keeps himself abreast of the latest happenings & regulations by being part of & participating in various information security forums. Check out his site (www.sripati.info) to know more.

Viproy - VoIP Penetration Testing and Exploitation Kit

Introduction

Viproy is developed to improve the quality of SIP penetration tests. It's a collection of Metasploit Framework modules focused on SIP tests; it can be used with the Metasploit Framework GitHub edition or the Metasploit Framework Pro edition. It has 10 different modules to test target SIP servers, with authentication and fuzzing support. Viproy also has a SIP library that extends the Metasploit Framework REX library.

Description of Modules:

1) OPTION
The Options module can be used to discover target SIP services and devices.

2) REGISTER
The Register module can be used to discover target SIP services and devices too. Also the Register module can register a client or a service, or test a valid account.

3) INVITE
The Invite module is prepared to test call features of target SIP services. Invite spoofing, billing or CDR bypass using custom proxy headers, Invite based DoS attacks and sample call tests can be performed using the Invite module.

4) ENUMERATOR
The Enumerator module is prepared to enumerate users and internal numbers of target SIP servers. The enumeration step of the SIP pen-test could be performed with a user list file or a numeric user range.

5) BRUTE FORCE
The Brute force module is prepared to perform advanced password attacks against SIP services. Password attacks could be initiated using user list files, numeric ranges and a passwords file. Password attack operations can be customized easily; for example, it can be used to initiate password attacks against a target user with a passwords file, or against a numeric range or user list with a few specific passwords.

6) MESSAGE
The Message module is prepared to test message features of SIP services. Message support is required to test value added services and service operations of SIP operators. It supports message spoofing, simple fuzz features and message based DoS attacks.

7) PORT SCANNER
The Port scanner module can test registration features of SIP proxies. It can perform SIP bounce attacks to discover 3rd party SIP servers using target SIP services.

8) DDOS AMPLIFICATION
The DDoS testing module is prepared to initiate DDoS attack demos based on SIP error messages. SIP servers send error messages 10+ times for bogus requests. The DDoS module can send IP spoofed SIP requests to target SIP services and initiate an attack on 3rd party victims.

9) PROXY
The Proxy module is prepared to test SIP clients and SIP services with MITM proxy features. It supports basic search & replace functions to test SIP services. Also it can be used to add new features to SIP clients, such as invite spoofing, proxy headers and fuzzing.

10) TRUST ANALYZER
The Trust analyzer module is prepared to test trust relationships of SIP trunks. SIP trunks trust each other in UDP based communications. This module can send IP spoofed invite or message requests to targets to determine trusted SIP trunks. When a trusted SIP trunk is detected, it can send spoofed calls and messages to target SIP clients. Also it has simple fuzzing support to test target SIP clients using the trust relationship.

About the Author

Fatih Ozavci
fatih.ozavci@gamasec.net

Fatih Ozavci is a Sr. Security Consultant at Sense of Security, Australia. He is the author of the Viproy VoIP Penetration and Exploitation Testing Kit, and he has also published a paper about Hacking of SIP Trust Relationships. He has discovered many previously unknown security vulnerabilities, design and protocol flaws in VoIP environments for his customers. He also analyzes VoIP design and implementation flaws, and helps to improve VoIP infrastructures as a service. While Fatih's primary expertise is in VoIP penetration testing, mobile application testing and IPTV testing, he is also well versed in network penetration testing, web application testing, reverse engineering, fuzzing and exploit development. He is one of the speakers at Defcon 21, Blackhat 2013, Cluecon 2013 and Athcon 2013.

Network Security Basics Part-2

This section will demonstrate common information security problems mapped to the seven OSI layers and evaluate each of them for solutions to secure the organisation's information resources.

Layer 1 - Physical Layer

The physical layer is responsible for the physical communication between end devices. The logical first step in securing our information is to ensure that the physical resources are not compromised. Quite often, technologists fail to recognize the importance of simple measures, like properly locking storage units, server cabinets, equipment rooms and office spaces. Gaining access to resources is the first step in compromising them. Where is the information stored and who might have physical access to it? Typically, efforts to physically secure information are a shared responsibility between technologists and those who manage the facility in which the information resides. In some organizations, you must have a card key, hardware key or biometric access to enter areas where sensitive information can be accessed. Even with the resources physically locked, they are at risk. Social engineering is a form of infiltration that takes advantage of common social interaction to gain physical access. Environmental factors should also be considered. In extreme circumstances, a good disaster recovery plan is essential in the event that information resources are compromised. Off-site data storage, asset inventories and vendor contacts are critical to knowing what to replace, where to get replacements and how to restore access.

Physical Layer Vulnerabilities
- Loss of Power
- Loss of Environmental Control
- Physical Theft of Data and Hardware
- Physical Damage or Destruction of Data and Hardware
- Unauthorized changes to the functional environment (data connections, removable media, adding/removing resources)
- Disconnection of Physical Data Links
- Undetectable Interception of Data
- Keystroke & Other Input Logging

Physical Layer Controls
- Locked perimeters and enclosures
- Electronic lock mechanisms for logging & detailed authorization
- Video & Audio Surveillance
- PIN & password secured locks
- Biometric authentication system
- Training users against Social Engineering
- Physical locks, both on equipment and facilities housing the equipment, are imperative to keep intruders out. In order to use information one must have access to it.
- Building up a good Disaster Recovery Plan

Layer 2 - Data Link Layer

The Data Link Layer's responsibility is to place frames on the network medium and ensure that delivery is error free. This is where the MAC (hardware) address of communication devices is utilized and checksums for errors in delivery are applied. A device that runs in promiscuous mode, when used with a packet filter, can be helpful for analysts, and for hackers as well, to analyse traffic for flow analysis, problem determination and code debugging. A hacker prefers using software to spoof a MAC address, capturing traffic destined for a specific machine. In either event, the traffic could contain important data or even usernames and passwords for access to even more sensitive information.

Data Link Layer Vulnerabilities
- MAC Address Spoofing (station claims the identity of another)
- VLAN circumvention (station may force direct communication with other stations, bypassing logical controls such as subnets and firewalls)
- ARP Poisoning attack
- Spanning Tree errors may be accidentally or purposefully introduced, causing the layer two environment to transmit packets in infinite loops
- In wireless media situations, layer two protocols may allow free connection to the network by unauthorized entities, or weak authentication and encryption may allow a false sense of security
- Switches may be forced to flood traffic to all VLAN ports rather than selectively forwarding to the appropriate ports, allowing interception of data by any device connected to a VLAN

Data Link Layer Controls
- MAC Address Filtering - identifying stations by address and cross-referencing physical port or logical access
- Layer 2 switches provide the ability to create logically separate LANs on the same physical device, called VLANs. Using traffic and protocol access control lists or filters provides us with some form of protection at this layer.
- Quality-of-Service marking and prioritization control protocols give us the ability to control and better utilize existing bandwidth. This is typically accomplished using appropriate class-of-service or differentiated services code point (DSCP) values.
- Disabling untrusted Layer 2 ports will reduce traffic to and from hosts. Disable the default VLAN 1 port [5].
- As you tighten up your defences at Layer 2, you will need to leave a port open for management purposes, preferably out-of-band.
- Do not always use VLANs to enforce secure designs. Layers of trust should be physically isolated from one another, with policy engines such as firewalls between.
- Wireless applications must be carefully evaluated for unauthorized access exposure. Built-in encryption, authentication, and MAC filtering may be applied to secure networks.
- Telnet capabilities should be completely filtered if not required.
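The ARP poisoning entry in the Data Link Layer vulnerabilities above is something a defender can watch for passively. The following Python detector is an added example, not code from the article: it reads a constructed log of ARP replies (the line format and the helper names are assumptions) and raises an alert when an IP starts answering from a different MAC than the trusted or first-seen one, or when one MAC claims several IP addresses.

```python
"""Detect ARP poisoning symptoms in a passive ARP monitor log.

Added example, not the article's own code. Input is a constructed log of ARP
replies in the form a passive ARP monitor might write; the format and the
helper names are assumptions.
"""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

ARP_REPLY = re.compile(
    r"^(?P<ts>\S+)\s+arp reply\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+is-at\s+"
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})$",
    re.IGNORECASE,
)


def parse_arp_log(text: str) -> List[Tuple[str, str, str]]:
    """Return (timestamp, ip, mac) for every well-formed ARP reply line."""
    events = []
    for line in text.splitlines():
        m = ARP_REPLY.match(line.strip())
        if m:
            events.append((m["ts"], m["ip"], m["mac"].lower()))
    return events


def detect_arp_conflicts(events, trusted: Optional[Dict[str, str]] = None) -> List[str]:
    """Flag two poisoning symptoms:
    1. an IP answering with a MAC other than its trusted (or first-seen) MAC;
    2. a single MAC claiming more than one IP address.
    `trusted` is an optional static ip->mac table for critical hosts (gateway).
    """
    trusted = {ip: mac.lower() for ip, mac in (trusted or {}).items()}
    first_seen: Dict[str, str] = {}
    ips_per_mac = defaultdict(set)
    alerts: List[str] = []
    for ts, ip, mac in events:
        expected = trusted[ip] if ip in trusted else first_seen.setdefault(ip, mac)
        if mac != expected:
            alerts.append(f"{ts} {ip} answered from {mac}, expected {expected}")
        ips_per_mac[mac].add(ip)
    for mac, ips in ips_per_mac.items():
        if len(ips) > 1:
            alerts.append(f"{mac} claims multiple IPs: {', '.join(sorted(ips))}")
    return alerts


# Constructed sample: the gateway .1 is legitimately 00:11:22:33:44:55, then a
# host at de:ad:be:ef:00:01 starts answering for it as well as for its own IP.
SAMPLE_ARP_LOG = """\
12:00:01 arp reply 192.168.1.1 is-at 00:11:22:33:44:55
12:00:02 arp reply 192.168.1.20 is-at 00:aa:bb:cc:dd:20
12:00:05 arp reply 192.168.1.1 is-at 00:11:22:33:44:55
12:00:09 arp reply 192.168.1.1 is-at DE:AD:BE:EF:00:01
12:00:10 arp reply 192.168.1.30 is-at de:ad:be:ef:00:01
"""

if __name__ == "__main__":
    gateway = {"192.168.1.1": "00:11:22:33:44:55"}
    for alert in detect_arp_conflicts(parse_arp_log(SAMPLE_ARP_LOG), gateway):
        print("ALERT:", alert)
```

The first-seen heuristic alone will miss a poisoner that answers before the real host does, which is why the gateway and other critical addresses are pinned in the trusted table rather than learned.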

Layer 3 - Network Layer

The network layer is used to determine the best path from the source to the destination host on a network. IP addresses are assigned and utilized at this layer for unique identification. For communication with the internet a public IP address should be assigned. This address allows a system to contact the outside world and allows the outside world to contact the host. It is logical to consider this border to our system vulnerable.

Network Layer Vulnerabilities
- Route spoofing - propagation of false network topology
- IP Address Spoofing - false source addressing on malicious packets
- Identity & Resource ID Vulnerability - reliance on addressing to identify resources and peers can be brittle and vulnerable

Network Layer Controls
- Route policy controls - use strict anti-spoofing and route filters at network edges
- Firewalls with strong filter & anti-spoof policy
- ARP/Broadcast monitoring software
- Implementations that minimize the ability to abuse protocol features such as Broadcast

Network Address Translation (NAT) is a service that temporarily assigns a private IP address to a public IP address. In this sense, for a time, there is a one-to-one relationship between a private and a public address. It is necessary to lease a pool of public IP addresses for NAT to work. Port Address Translation (PAT), on the other hand, allows a single public IP address to be bound to multiple virtual ports. In this way, multiple networked hosts can share a single public identity on the Internet, providing a more cost effective and secure solution. In either event, the internal IP address is hidden from the outside world, providing us with some anonymity. This is not a safe assumption if only the external threat is considered; statistically, most information breaches take place from the inside.

Remote access through Internet tunnelling takes place at Layer 3. Virtual Private Networking (VPN) allows us to establish credentialed connections and transmit encrypted payloads across pre-existing Internet channels.

If a system requires an IP address to participate in network communications, then perhaps we may need to consider how IP addresses will be assigned. Dynamic Host Configuration Protocol (DHCP) has been widely accepted and used due to its ease of administration, lower risk of human error and flexibility. When securing a network from unauthorized access is more important than the benefits of DHCP, static IP assignment should be considered. When identification of specific hosts on a network is particularly threatening, then DHCP with a very short lease length may be more appropriate.
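The first two Network Layer Controls above, anti-spoofing at the edge and route filters, can be expressed as two small decision functions. The Python below is an added example, not code from the article: the interface names, the internal prefixes (taken from the RFC 5737 documentation ranges), the bogon list and the peer table are all constructed for the example.

```python
"""Edge anti-spoofing and route-filter checks (Network Layer Controls above).

Added example, not the article's own code. Interface names, prefixes
(RFC 5737 documentation ranges) and the peer table are constructed.
"""
import ipaddress
from typing import Dict, List

# Prefixes legitimately sourced behind each internal interface (constructed).
INTERNAL_PREFIXES: Dict[str, List[ipaddress.IPv4Network]] = {
    "lan0": [ipaddress.ip_network("192.0.2.0/24")],
    "dmz0": [ipaddress.ip_network("198.51.100.0/24")],
}

# Sources that should never arrive from the Internet-facing side.
BOGONS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4",
)]

# Prefixes each routing peer is allowed to announce (constructed).
PEER_ALLOWED: Dict[str, List[ipaddress.IPv4Network]] = {
    "upstream-a": [ipaddress.ip_network("203.0.113.0/24")],
}
MAX_PREFIX_LEN = 24  # reject anything more specific than a /24


def ingress_verdict(iface: str, src_ip: str) -> str:
    """Accept or drop a packet by where it arrived and what source it claims."""
    src = ipaddress.ip_address(src_ip)
    if iface in INTERNAL_PREFIXES:
        # Internal side: the source must belong to the prefixes behind that port.
        if any(src in net for net in INTERNAL_PREFIXES[iface]):
            return "accept"
        return "drop: source not within the prefixes behind this interface"
    # External side: our own prefixes and bogons cannot be legitimate sources.
    for nets in INTERNAL_PREFIXES.values():
        if any(src in net for net in nets):
            return "drop: internal address arriving from outside"
    if any(src in net for net in BOGONS):
        return "drop: bogon source"
    return "accept"


def route_verdict(peer: str, prefix: str) -> str:
    """Accept an announced prefix only from a peer allowed to originate it."""
    net = ipaddress.ip_network(prefix, strict=True)
    allowed = PEER_ALLOWED.get(peer)
    if allowed is None:
        return "reject: unknown peer"
    if net.prefixlen > MAX_PREFIX_LEN:
        return "reject: prefix too specific"
    if not any(net.subnet_of(parent) for parent in allowed):
        return "reject: prefix not permitted for this peer"
    return "accept"


if __name__ == "__main__":
    for iface, src in (("lan0", "192.0.2.10"), ("wan0", "192.0.2.10"), ("wan0", "10.1.2.3")):
        print(iface, src, "->", ingress_verdict(iface, src))
    for peer, pfx in (("upstream-a", "203.0.113.0/24"), ("upstream-a", "203.0.113.0/25")):
        print(peer, pfx, "->", route_verdict(peer, pfx))
```

The two checks mirror the two vulnerabilities listed for this layer: ingress_verdict answers IP address spoofing (a packet claiming an inside address while arriving from outside), and route_verdict answers route spoofing (a peer announcing a prefix it is not entitled to, or a more specific prefix that would hijack traffic).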

Layer 4 - Transport Layer

Finding a system on the Internet requires knowing the public IP address assigned to it. To target a specific application on a system, an intruder would need to know the IP address to locate the system and the port number assigned to the application, collectively referred to as a socket. A computer system has 65535 ports. These ports can be further broken down into three categories: well known, registered and dynamic. This is where Layer 4 security is applied. Many applications utilize well known TCP and UDP ports. An FTP server will, by default, utilize TCP port 21. If the file server providing the FTP service is not meant for the public domain, it is best to change the default port number and divulge the new port number to authorized users only. In this way, we can confuse and stall potential intruders by using private ports in place of well-known ports. Trojans, malicious programs masquerading as benign programs, tend to target specific TCP and UDP ports. An open port that is infected by a Trojan will require cleaning. Virus scan software helps to protect systems at this layer. Security issues at the Transport Layer are concerned with the availability of end-to-end data transmissions. Layer 4 switching provides the ability to control traffic, not only utilizing the IP addresses and MAC addresses of the lower layers, but also by specific application, incorporating the upper layers of the OSI model.

Transport Layer Vulnerabilities
- Mishandling of undefined, poorly defined, or illegal conditions
- Differences in transport protocol implementation allow fingerprinting and other enumeration of host information
- Overloading of transport-layer mechanisms such as port numbers limits the ability to effectively filter and qualify traffic
- Transmission mechanisms can be subject to spoofing and attack based on crafted packets and the educated guessing of flow and transmission values, allowing the disruption or seizure of control of communications

Transport Layer Controls
- Strict firewall rules limiting access to specific transmission protocols and sub-protocol information such as TCP/UDP port number or ICMP type
- Stateful inspection at the firewall layer, preventing out-of-state packets, illegal flags, and other phony packet profiles from entering the perimeter
- Stronger transmission and session-layer identification mechanisms to prevent the attack and takeover of communications
- Prioritization based on application allows us to better control and utilize our bandwidth. Better control measures offer a more secure level of service.

Further securing of this layer can take place by using a secure form of TCP. Extended Three-way Handshake extends traditional TCP handshaking techniques to deliver negotiation data and key exchange data. State Transition is a secure TCP method that utilizes host state to differentiate authorized transmissions. Data integrity can be achieved through a MAC (Message Authentication Code) to identify if an attacker has modified data. Data confidentiality can be achieved through encryption and must be addressed at the same time as data integrity.
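The "stateful inspection" control above is easiest to understand as a small state machine. The Python below is an added example, not code from the article or any firewall product: it keeps a per-connection table keyed by the initiator's 4-tuple, rejects flag combinations no legitimate stack emits (null, xmas-style, SYN+FIN, SYN+RST), and drops packets that do not fit the connection's current state. The packet records are constructed and the model is deliberately simplified (no sequence-number tracking, no timeouts).

```python
"""Minimal stateful inspection of TCP flags (Transport Layer Controls above).

Added example, not the article's own code. Packets are constructed records;
the state machine is a simplified firewall model, not a real TCP stack.
"""
from typing import Dict, FrozenSet, NamedTuple, Optional, Tuple


class Packet(NamedTuple):
    src: str
    sport: int
    dst: str
    dport: int
    flags: FrozenSet[str]   # subset of {"S", "A", "F", "R", "P", "U"}


Key = Tuple[str, int, str, int]

# Combinations that never occur in a legitimate handshake.
ILLEGAL_COMBINATIONS = (frozenset({"S", "F"}), frozenset({"S", "R"}))


def is_illegal_flags(flags: FrozenSet[str]) -> bool:
    if not flags:
        return True                                     # null packet
    if {"F", "P", "U"} <= flags and "A" not in flags:
        return True                                     # xmas-style probe
    return any(combo <= flags for combo in ILLEGAL_COMBINATIONS)


class StatefulFilter:
    """Tracks connections by the initiator's 4-tuple and drops out-of-state packets."""

    def __init__(self) -> None:
        self.table: Dict[Key, str] = {}   # initiator key -> SYN_SENT | ESTABLISHED

    def _lookup(self, pkt: Packet) -> Tuple[Optional[Key], bool]:
        fwd: Key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev: Key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if fwd in self.table:
            return fwd, True          # travelling in the initiator's direction
        if rev in self.table:
            return rev, False         # a reply from the responder
        return None, True

    def inspect(self, pkt: Packet) -> str:
        if is_illegal_flags(pkt.flags):
            return "drop: illegal flag combination"
        key, from_initiator = self._lookup(pkt)
        if key is None:
            if pkt.flags == {"S"}:     # only a bare SYN may open a new entry
                self.table[(pkt.src, pkt.sport, pkt.dst, pkt.dport)] = "SYN_SENT"
                return "accept"
            return "drop: out of state"
        state = self.table[key]
        if state == "SYN_SENT":
            if from_initiator and pkt.flags == {"S"}:
                return "accept"        # retransmitted SYN
            if not from_initiator and pkt.flags == {"S", "A"}:
                self.table[key] = "ESTABLISHED"
                return "accept"
            return "drop: out of state"
        # ESTABLISHED: every segment must carry ACK; FIN or RST closes the entry.
        if "A" not in pkt.flags:
            return "drop: out of state"
        if pkt.flags & {"F", "R"}:
            del self.table[key]
        return "accept"


if __name__ == "__main__":
    fw = StatefulFilter()
    client, server = ("192.0.2.10", 40000), ("203.0.113.5", 443)
    handshake = [
        Packet(*client, *server, frozenset("S")),
        Packet(*server, *client, frozenset("SA")),
        Packet(*client, *server, frozenset("A")),
        Packet(*client, *server, frozenset("SF")),   # crafted probe
    ]
    for p in handshake:
        print(sorted(p.flags), "->", fw.inspect(p))
```

An unsolicited SYN+ACK from outside, a bare ACK with no tracked connection, and anything arriving after a FIN has closed the entry are all reported as out of state, which is exactly the "phony packet profile" category the control describes.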

Layer 5 - Session Layer

The session layer is used to facilitate communication with a receiving device by establishing, maintaining, synchronizing, controlling and terminating connections. In short, it deals with session handling between systems. During this process of communication, verification of entities can take place. Also referred to as Transport Layer Security, Secure Sockets Layer (SSL) is a technology designed to confirm the identity of hosts and servers. Although called Transport Layer Security, this function lies just above the transport layer and is truly session layer based. SSL is often the protocol used for secure credit card transactions on the Internet. Using server authentication, a server's identity can be verified by a Certificate Authority (CA) using public key cryptography. The same can be applied using client side authentication. SSL uses different ciphers, cryptographic algorithms, to provide encrypted session services. Cipher suites provide a wide range of encryption settings. The SSL Handshake Protocol enables the authenticated client and server to negotiate which cipher will be used. This helps reduce susceptibility to a man-in-the-middle attack, so even if the session gets intercepted, the data would be protected by encryption.
Session Layer Vulnerabilities
- Weak or non-existent authentication mechanisms
- Passing of session credentials such as user ID and password in the clear, allowing intercept and unauthorized use
- Session identification may be subject to spoofing and hijack
- Leakage of information based on failed authentication attempts
- Unlimited failed sessions allow brute-force attacks on access credentials

Session Layer Controls
- Encrypted password exchange and storage
- Accounts have specific expirations for credentials and authorization
- Protect session identification information via random/cryptographic means
- Limit failed session attempts via a timing mechanism, not lockout

Layer 6 - Presentation Layer

The Presentation Layer deals with encryption. When the data is received, what form will it take? Encryption techniques allow us to scramble the packet contents, requiring a special code to reveal them. The more sophisticated the encryption algorithm, the harder it is to gain access to the data. Proper planning is necessary to calculate security needs and balance them with resource limitations.

Presentation Layer Vulnerabilities
- Poor handling of unexpected input can lead to application crashes or surrender of control to execute arbitrary instructions
- Unintentional or ill-advised use of externally supplied input in control contexts may allow remote manipulation or information leakage
- Cryptographic flaws may be exploited to circumvent privacy protections

Presentation Layer Controls
- Careful specification and checking of received input coming into applications or library functions
- Separation of user input and program control functions - input should be sanitized and sanity checked before being passed into functions that use the input to control operation
- Careful and continuous review of cryptography solutions to ensure current security versus known and emerging threats
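Two of the Session Layer Controls listed above, protecting session identifiers by cryptographic means and limiting failed attempts by timing rather than lockout, are shown together in the following Python, an added example that is not code from the article. The exponential backoff schedule, the idle window and the in-memory counter store are assumptions chosen for the example; a real service would persist the counters.

```python
"""Failed-login throttling by timing, and cryptographic session identifiers
(Session Layer Controls above).

Added example, not the article's own code. The backoff schedule and the
in-memory store are assumptions; a real service would persist the counters.
"""
import secrets
from typing import Dict, Tuple


def new_session_id() -> str:
    """Unguessable session identifier from the OS CSPRNG (32 random bytes)."""
    return secrets.token_urlsafe(32)


class LoginThrottle:
    """Delay, rather than lock out, accounts that accumulate failed attempts.

    After n failures within `window` seconds the next attempt is refused until
    base_delay * 2**(n-1) seconds (capped at max_delay) have elapsed since the
    last failure. A success clears the counter; so does an idle period longer
    than the window. Because the delay is bounded, an attacker cannot deny
    service to a legitimate user simply by failing on their behalf.
    """

    def __init__(self, base_delay: float = 1.0, max_delay: float = 60.0,
                 window: float = 600.0) -> None:
        self.base_delay = base_delay
        self.max_delay = max_delay
        self.window = window
        self._failures: Dict[str, Tuple[int, float]] = {}  # account -> (count, last)

    def required_delay(self, failures: int) -> float:
        """Seconds an account must wait after the given number of failures."""
        if failures == 0:
            return 0.0
        return min(self.max_delay, self.base_delay * 2 ** (failures - 1))

    def check(self, account: str, now: float) -> Tuple[bool, float]:
        """Return (allowed, seconds_to_wait) for an attempt at time `now`."""
        entry = self._failures.get(account)
        if entry is None:
            return True, 0.0
        count, last = entry
        if now - last > self.window:          # stale counter: forget it
            del self._failures[account]
            return True, 0.0
        ready_at = last + self.required_delay(count)
        if now >= ready_at:
            return True, 0.0
        return False, ready_at - now

    def record_failure(self, account: str, now: float) -> int:
        """Count a failed attempt and return the new failure count."""
        count, _ = self._failures.get(account, (0, now))
        self._failures[account] = (count + 1, now)
        return count + 1

    def record_success(self, account: str) -> None:
        self._failures.pop(account, None)


if __name__ == "__main__":
    throttle = LoginThrottle()
    for t in (0.0, 0.5, 1.0):
        throttle.record_failure("alice", t)
        print("failure at", t, "-> next allowed after",
              throttle.required_delay(throttle._failures["alice"][0]), "s")
    print("attempt at 2.0:", throttle.check("alice", 2.0))
    print("session id:", new_session_id())
```

Logged-in sessions should be bound to an identifier from new_session_id rather than to anything derived from the user name or a counter, which addresses the "session identification may be subject to spoofing and hijack" entry in the vulnerabilities list.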

Layer 7 - Application Layer

The application layer is the layer where services support user applications and where authentication takes place. The most common form of authentication is username and password, which should consist of a unique ID and a confidential password. Therefore, it is essential to have an effective account policy. Encryption of these two credentials, username and password, is also feasible at this level. Application layer encryption adds yet another element of protection. Some host-based firewall systems can regulate traffic by application, preventing unauthorized or covert use of the network.

Application Layer Vulnerabilities
- Open design issues allow free use of application resources by unintended parties
- Backdoors and application design flaws bypass standard security controls
- Inadequate security controls force an all-or-nothing approach, resulting in either excessive or insufficient access
- Overly complex application security controls tend to be bypassed or poorly understood and implemented
- Program logic flaws may be accidentally or purposely used to crash programs or cause undesired behaviour

Application Layer Controls
- Application level access controls to define and enforce access to application resources
- Controls must be detailed and flexible, but also straightforward, to prevent complexity issues from masking policy and implementation weakness
- Standards, testing, and review of application code and functionality - a baseline is used to measure application implementation and recommend improvements
- IDS systems to monitor application inquiries and activity

About the Author

Anagha Devale-Vartak
http://avsecurity.in

Anagha is an Information Security professional with experience in Vulnerability Assessment, Web Application Audit, Database Audit, Antivirus Review, and Compliance Audit. She holds CCNA and CEH certifications.