CH 03

Security+ Guide to Network Security
Fundamentals, Third Edition
Chapter 3
Protecting Systems
1
Objectives
• Explain how to harden operating systems

• List ways to prevent attacks through a Web browser
• Define SQL injection and explain how to protect
against it
• Explain how to protect systems from
communications-based attacks
• Describe various software security applications
2
Hardening the Operating System
• Hardening the operating system to resist attacks is often

a three-pronged approach that involves:
– Managing updates to the operating system
– Protecting against buffer overflows
– Configuring operating system protections
3
Managing Operating System Updates
Due to the increased length and complexity of operating

systems  unintentional vulnerabilities were introduced and
then these were exploited by attackers
4
(continued)
IS 493 Fall - Eyas El-Qawasmeh 5

(continued)

(continued)
• Patch management techniques
– Install updates automatically
– Download updates but let me choose whether to install them
– Check for updates but let me choose whether to download
and install them
– Never check for updates
• Patches can sometimes create new problems

Win 10 update options 8
automated patch update service
There are several advantages to an automated patch

update service. These include:
•Downloading patches from a local server instead of using the vendor’s online update
service can save bandwidth and time because each computer does not have to
connect to an external server.
•Computers that do not have Internet access can receive updates.
•Administrators can approve or decline updates for client systems, force updates to
install by a specific date, and obtain reports on what updates each computer needs.
•Specific types of updates that the organization does not test, such as hotfixes, can be
automatically installed whenever they become available.
•Administrators can approve updates for “detection” only, which allows them to see
which computers will require the update without actually installing it.
•Users cannot disable or circumvent updates as they can if their computer is configured
to use the vendor’s online update service.
9
Manage patches locally instead of relying upon the vendors 10
Buffer Overflow Protection
• Buffer overflow
– Occurs when a process attempts to store data in
random access memory (RAM) beyond the
boundaries of a fixed-length storage buffer
– Extra data overflows into the adjacent memory
locations and under certain conditions may cause the
computer to stop functioning
• Attackers also use a buffer overflow in order to
compromise a computer

Buffer Overflow

Buffer Overflow Protection (continued)
• Basic defenses
– Write “defensive” program code that will protect against
these attacks
– Use a programming language that makes these attacks
more difficult
• For Windows-based systems, there are two defenses
against buffer overflows
– Data execution prevention (DEP)
– Address space layout randomization (ASLR)

• Data Execution Prevention (DEP)

– Most modern CPUs support an NX (No eXecute) bit to
designate a part of memory for containing only data.
– DEP will not allow code in the memory area to be executed.
– Windows Vista allows software developers to enable NX

hardware protection specifically for the application software
that they develop.
15
DEP on Win 10
• Address Space Layout Randomization (ASLR)
– Randomly assigns executable operating system code to one

of 256 possible locations in memory (ASRL moves the
function entry point. The chance is 1/256)
– This makes it harder for an attacker to locate and take

advantage of any functionality inside these executables
– ASLR is most effective when it is used in conjunction with

DEP
Configuring Operating System
for Max Protection
• Most organizations take a four-fold approach to configuring
operating system protections:
• Security policy: A security policy is a document or series of documents that

clearly defines the defense mechanisms an organization will employ in order to keep
information secure.
• Configuration baseline (OS configuration) is the operating system
configuration settings that will be used for each computer in the organization (based on
the Security Policy)
• Security template: is a method to configure a suite of configuration baseline
security settings. After the security settings are configured in a security template, it can be
imported into the computer systems for which it applies
– Deployment ( deploy security template) Manually or using group
Policies
17
Preventing Attacks That Target the Web
Browser
• These attacks involve using:

– Cookies
– JavaScript
– Java
– ActiveX
– Cross-site scripting

What is Cookies - Privacy
• A cookie is a piece of text that a web server can store on

the hard drive of your computer.
• Cookies allow a web site to store information on your

computer and later retrieve it.

When you ask to see a particular web site
Web browser client software
Get a web page
Client Server
The web site may

text put a cookie on
your computer’s
hard drive
20
Sheridan Institute of Technology and Advanced Learning
More about cookies
• A cookie is simply a piece of data with a name

• A cookie is not a program
• A cookie can’t do anything
When a website puts a cookie on your hard drive
• It can retrieve only the information that it

has placed on your computer
• It cannot retrieve information from other
cookie files
21
What else are cookies good for?
text
• Cookies are used by web sites that sell things

online
• As you click on various items to purchase
which are usually on many different pages of
the site, you are adding them to your cart
• The web site knows who the cart owner is
because it left a cookie on your computer as
an identifier
• So at checkout time, it knows which items you
are purchasing
22
Privacy levels
• You can control how internet sites can put cookies on

your computer in two ways
– By setting a privacy level for all sites you visit
– By setting a privacy level for specific sites
• In Internet Explorer there are 5 privacy levels
23
To see or set your privacy levels
24
How to see the levels on the Privacy tab
Move this slider up

or down to see the
five levels
25
Highest privacy level
No, you wouldn’t

be able to
purchase online ,
Question: if I select unless that website
Block all Cookies allows you to
can I still purchase register and sign in
items from a
website?
26
Lowest privacy level
It may not be
dangerous but
you may get more
Question: if I tracking cookies
select Accept than you want.
All Cookies is
that
dangerous?
27
Pick one of these settings
28
On a per site basis
• You can choose which sites to allow or block cookies
29
More about cookies
• A cookie is simply a piece of data with a name

• A cookie is not a program
• A cookie can’t do anything
When a website puts a cookie on your hard drive
• It can retrieve only the information that it

has placed on your computer
• It cannot retrieve information from other
cookie files
30
JavaScript
 JavaScript is not Java, or even related to Java.
 Statements in JavaScript resemble statements in

Java, because both languages borrowed heavily from
the C language.
 JavaScript is seldom used to write complete

“programs”
 Developed by Netscape company.
 JavaScript is reasonably platform-independent

32
JavaScript (continued)
• Several defense mechanisms prevent JavaScript

programs from causing serious harm:
– JavaScript does not support certain capabilities
– JavaScript has no networking capabilities (Can not use a local
computer to launch attacks on other network computers)
• Other security concerns remain:
– JavaScript programs can capture and send user
information without the user’s knowledge or authorization
• The defense against JavaScript is to disable it within the

Web browser

Quiz: In the last slide, we said that JavaScript
does not support certain capabilities. Explain
this?
• It means that Java script running on a local computer

cannot read, write, create, delete, or list the files on that
computer.

Quiz: Give an example of JavaScript?
• JavaScript code is included within <script> tags:

– <script type="text/javascript">
document.write("<h1>Hello World!</h1>") ;
</script>

Quiz: Where we include Java Script?
• JavaScript can be put in the <head> or in the <body> of an

HTML document
• JavaScript functions can be put in a separate .js file
– <script src="myJavaScriptFile.js"></script>
• JavaScript can be put in an HTML form object, such as a
button
– This JavaScript will be executed when the form object is used

Java
• Java
– A complete object-oriented programming language created
by Sun Microsystems.
– Can be used to create standalone applications.
– Java can be used to create a special type of smaller
application called Java applet.
• Java applet
– A separate program stored on a Web server and
downloaded onto a user’s computer along with HTML code
– Can also be made into hostile ( ‫ خصم‬.‫ )غير ودي‬programs

38
Java (continued)
• Sandbox (software) is a defense against a hostile Java

applet
– Surrounds program and keeps it away from private data and
other resources on a local computer
• Two types of Java applets:

– Unsigned Java applet: program that does not come from a
trusted source
– Signed Java applet: has information proving the program is
from a trusted source and has not been altered

40
ActiveX
• Set of technologies developed by Microsoft
• Not a programming language but a set of rules for how

applications should share information
• ActiveX controls
– Also called add-ons or ActiveX applications
– Represent a specific way of implementing ActiveX
– Can perform many of the same functions of a Java applet, but do
not run in a sandbox
– Have full access to Windows operating system
• ActiveX poses a number of security concerns
41
ActiveX (continued)
• Nearly all ActiveX control security mechanisms are set in
Internet Explorer
• ActiveX controls do not rely exclusively on Internet

Explorer
– However, can be installed and executed independently
• The defense against ActiveX is to disable it within the Web

browser

Video about AtiveX (continued)
• http://www.youtube.com/watch?v=ZMdum9J7FdY
• http://www.youtube.com/watch?v=wvKq3D71iYo
• http://www.youtube.com/watch?v =tI9gL4yjaTM

Cross Site Scripting (XSS)
• Cross Site Scripting (XSS)
– An attack in which malicious code is inserted into a specific
type of dynamic Web page.
– Typically involves using client-side scripts written in

JavaScript or ActiveX
• Designed to extract information from the victim and then pass
the information to the attacker
– Targeted to Web sites that dynamically generate Web pages

that redisplay (echo) user input that has not been properly
validated
44
Cross-Site Scripting?
The three conditions for Cross-Site Scripting:
1. A Web application accepts user input

– Well, which Web application doesn't?
2. The input is used to create dynamic content

– Again, which Web application doesn't?
3. The input is insufficiently validated

– Most Web applications don't validate sufficiently!
Cross-Site Scripting?
• Cross-Site Scripting aka „XSS“ or „CSS“

• The players:
– An Attacker
• Anonymous Internet User
• Malicious Internal User
– A company’s Web server (i.e. Web application)
• External (e.g.: Shop, Information, CRM, Supplier)
• Internal (e.g.: Employees Self Service Portal)
– A Client
• Any type of customer
• Anonymous user accessing the Web-Server
46
XSS-Attack: General Overview
Attacker Web Server
Post Forum Message: Did you know this?
Subject: GET Money for FREE !!! GET Money for FREE !!!
.....
Body: <script> attack code </script>
Re: Error message on startup
<script> attack code </script>
I found a solution!
.....
Can anybody help?
.....
Error message on startup
.....
Get /forum.jsp?fid=122&mid=2241
.....
1. Attacker sends malicious code

2. Server stores message GET Money for FREE !!!
This is only one example <script> attack code </script>
3. User
outrequests
of many
message attack
4. Message scenarios!
is delivered by server Client
5. Browser executes script in message !!! attack code !!!
47
In other words :Cross-Site Scripting
• Scripting: Web Browsers can execute commands

– Embedded in HTML page
– Supports different languages (JavaScript, VBScript, ActiveX, etc.)
– Most prominent: JavaScript
• “Cross-Site” means: Foreign script sent via server to client

– Attacker „makes“ Web-Server deliver malicious script code
– Malicious script is executed in Client’s Web Browser
• Attack:
– Steal Access Credentials, Denial-of-Service, Modify Web pages
– Execute any command at the client machine
XSS Solution
Input Validation
But what is to consider “Input”?

How to perform Input Validation
• Check if the input is what you expect

– Do not try to check for "bad input"
• Black list testing is no solution

– Black lists are never complete!
• White list testing is better

– Only what you expect will pass
– (correct) Regular expressions
Cross Site Scripting Video
• http://www.youtube.com/watch?v=r79ozjCL7DA

Quiz: What are the steps for Cross Site
Scripting (XSS) attack
• Cross Site Scripting (XSS) attack steps
1. An attacker searches for a Web site that redisplays a bad
login (See Figures 3-8 and 3-9)
2. The attacker then creates an attack URL that contains the
embedded JavaScript commands
3. A fake e-mail is sent to unsuspecting users with the attack
URL as a modified embedded link in the e-mail
4. The unsuspecting victim clicks on the attack URL and
enters his username and password

53
Cross Site Scripting (XSS) (continued)
54
55
Hardening Web Servers
• Because of their open exposure, Web servers are prime
targets for attackers
• SQL injection
– One of the most common types of attacks
– Uses a form of injection like XSS
– Hinges on an attacker being able to enter an SQL database
query into a dynamic Web page

Hardening Web Servers (continued)

• Variations to the SQL injection attack

– Deleting data from the database
– Accessing the host operating system through function calls
– Retrieving a list of all usernames and passwords

Video
http://www.youtube.com/watch?v=0z1rt9Y-http://www.youtube.com/watch?
v=0z1rt9Y-ON0N0


Protecting Systems from Communications-
Based Attacks
• Communications protocols and applications can also be
vectors for attacks
• Some of the most common communications-based
attacks are:
– SMTP open relays
– Instant messaging
– Peer-to-peer networks

What is an Open Relay
Open
Relay
Destination
domain
(ex: Gmail)
Client
An open relay is an SMTP

server configured in such a way
that it allows anyone on the Internet
to relay e-mail through it.
62
Quiz : What is an open email relay ?
• An open mail relay is an SMTP server configured in

such a way that it allows anyone on the Internet to send l
through it, not just mail destined to or originating from
known users

SMTP Open Relays
• E-mail systems use two TCP/IP protocols to send and

receive messages
– Simple Mail Transfer Protocol (SMTP) handles outgoing
mail
– Post Office Protocol (POP3 for the current version)
handles incoming mail
• IMAP (Internet Mail Access Protocol)
– A more advanced protocol that solves many problems
– E-mail remains on the e-mail server
– Mail can be organized into folders and read from any
computer
– Current version is IMAP4
SMTP Open Relays (continued)

• SMTP relay
– SMTP servers can forward e-mail sent from an e-mail client
to a remote domain
• SMTP open relay
– If SMTP relay is not controlled (open), an attacker can use it
to forward thousands of spam e-mail messages
• The defenses against SMTP open relay are to turn off mail
relay altogether
– So that all users send and receive e-mail from the local
SMTP server only or limit relays to only local users

• SMTP mail relay should not accept and forward arbitrary
e-mails from non-local IP addresses to non-local
mailboxes by an unauthenticated or unauthorized user.

Instant Messaging
• Instant messaging (IM)
– Real-time communication between two or more users
– Can also be used to chat between several users
simultaneously, to send and receive files, and to receive
real-time stock quotes and news
• Basic IM has several security vulnerabilities
– IM provides a direct connection to the user’s computer;
attackers can use this connection to spread viruses and
worms
– IM is not encrypted by default so attackers could view the
content of messages

Instant Messaging (continued)
• Steps to secure IM include:

– Keep the IM server within the organization’s firewall and only
permit users to send and receive messages with trusted
internal workers
– Enable IM virus scanning
– Block all IM file transfers
– Encrypt messages

Peer-to-Peer (P2P) Networks
• Peer-to-peer (P2P) network
– Uses a direct connection between users
– Does not have servers, so each device simultaneously
functions as both a client and a server to all other devices
connected to the network
• P2P networks are typically used for connecting devices on
an ad hoc basis
– For file sharing of audio, video, and data, or real-time data
transmission such as telephony traffic
• Viruses, worms, Trojan horses, and spyware can be sent
using P2P

Peer-to-Peer (P2P) Networks (continued)
• A new type of P2P network has emerged known as

BitTorrent
• Torrents are active Internet connections that download a
specific file available through a tracker
• Server program operated by the person or organization that
wants to share the file
• With BitTorrent, files are advertised
• BitTorrent cannot be used to spread viruses or malware
like traditional P2P networks

Applying Software Security Applications
• Software security applications that are commonly

installed on systems include:
– Antivirus
– Anti-spam
– Popup blockers
– Personal software firewalls
– Host intrusion detection systems

Antivirus
• Antivirus (AV) software

– Scan a computer for infections as well as monitor
computer activity and scan all new documents, such as e-
mail attachments, that might contain a virus
• If a virus is detected, options generally include cleaning
the file of the virus, quarantining the infected file, or
deleting the file
• The drawback of AV software is that it must be
continuously updated to recognize new viruses
– AV software use definition files or signature files

Popup Blockers
• Popup
– A small Web browser window that appears over the Web site
that is being viewed
• Popup blocker
– Allows the user to limit or block most popups
– Can be either a separate program or a feature incorporated
within a browser
• As a separate program, popup blockers are often part of a
package known as antispyware
– Helps prevent computers from becoming infected by
different types of spyware

Anti-Spam
• Two different options for installing a corporate spam

filter
– Install the spam filter with the SMTP server
• See Figure 3-14
– Install the spam filter with the POP3 server
• See Figure 3-15

Anti-Spam (continued)


• Another way to filter spam is for the organization to

contract with a third-party entity
– That filters out spam
• All e-mail is directed to the third-party’s remote spam filter
– Where it is cleansed before it is redirected back to the
organization
– This can be accomplished by changing the MX (mail
exchange) record

• A third method is to filter spam on the local computer
• Typically, the e-mail client contains several different
features to block spam, such as:
– Level of junk e-mail protection
– Blocked senders
– Allowed senders
– Blocked top level domain list
• A final method of spam filtering is to install separate
filtering software that works with the e-mail client software

Personal Software Firewalls
• Firewall, sometimes called a packet filter

– Designed to prevent malicious packets from entering or
leaving computers
– Can be software-based or hardware-based
• Personal software firewall
– Runs as a program on a local system to protect it against
attacks
• Many operating systems now come with personal software
firewalls
– Or they can be installed as separate programs

Host Intrusion Detection Systems (HIDS)
• Host Intrusion Detection Systems (HIDS)

– Attempt to monitor and possibly prevent attempts to intrude
into a system and network resources
– HIDS are software-based and run on a local computer
• These systems can be divided into four groups:
– File system monitors
– Logfile analyzers
– Connection analyzers
– Kernel analyzers
• HIDS work on the principle of comparing new behavior
against normal behavior
Summary
• Hardening the operating system is key in resisting attacks

• A buffer overflow occurs when a process attempts to store
data in random access memory (RAM) beyond the
boundaries of a fixed-length storage buffer
• Most organizations use a four-fold approach to protecting
operating systems: security policies, configuration
baselines, security templates, and deployment
• Systems must also be protected from attacks that attempt
to enter through a Web browser

Summary (continued)
• Attacks can also be based on communications

protocols and applications
• Additional security-based software, whose sole
purpose is to fend off attacks, is another important
layer of security
• A firewall is designed to prevent malicious packets
from entering or leaving the computer

CH 03

Uploaded by

Document Information

Original Description:

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

CH 03

Uploaded by

Copyright:

Available Formats

Security+ Guide to Network Security

Fundamentals, Third Edition

• Explain how to harden operating systems

• Hardening the operating system to resist attacks is often

– Managing updates to the operating system

– Protecting against buffer overflows

– Configuring operating system protections

Due to the increased length and complexity of operating

IS 493 Fall - Eyas El-Qawasmeh 5

IS 493 Fall - Eyas El-Qawasmeh 6

IS 493 Fall - Eyas El-Qawasmeh 7

There are several advantages to an automated patch

IS 493 Fall - Eyas El-Qawasmeh 11

IS 493 Fall - Eyas El-Qawasmeh 12

IS 493 Fall - Eyas El-Qawasmeh 13

• Data Execution Prevention (DEP)

– DEP will not allow code in the memory area to be executed.

– Windows Vista allows software developers to enable NX

• Address Space Layout Randomization (ASLR)

– Randomly assigns executable operating system code to one

– This makes it harder for an attacker to locate and take

– ASLR is most effective when it is used in conjunction with

• Security policy: A security policy is a document or series of documents that

• These attacks involve using:

IS 493 Fall - Eyas El-Qawasmeh 18

• A cookie is a piece of text that a web server can store on

• Cookies allow a web site to store information on your

IS 493 Fall - Eyas El-Qawasmeh 19

Web browser client software

Get a web page

The web site may

• A cookie is simply a piece of data with a name

When a website puts a cookie on your hard drive

• It can retrieve only the information that it

• Cookies are used by web sites that sell things

• You can control how internet sites can put cookies on

Move this slider up

No, you wouldn’t

• A cookie is simply a piece of data with a name

When a website puts a cookie on your hard drive

• It can retrieve only the information that it

 Statements in JavaScript resemble statements in

 JavaScript is seldom used to write complete

 Developed by Netscape company.

 JavaScript is reasonably platform-independent

• Several defense mechanisms prevent JavaScript

• The defense against JavaScript is to disable it within the

IS 493 Fall - Eyas El-Qawasmeh 33

• It means that Java script running on a local computer

IS 493 Fall - Eyas El-Qawasmeh 34

• JavaScript code is included within <script> tags:

IS 493 Fall - Eyas El-Qawasmeh 35

• JavaScript can be put in the <head> or in the <body> of an

IS 493 Fall - Eyas El-Qawasmeh 36

IS 493 Fall - Eyas El-Qawasmeh 37

• Sandbox (software) is a defense against a hostile Java

• Two types of Java applets:

IS 493 Fall - Eyas El-Qawasmeh 39

• Not a programming language but a set of rules for how

• ActiveX controls do not rely exclusively on Internet

• The defense against ActiveX is to disable it within the Web

IS 493 Fall - Eyas El-Qawasmeh 42