116 lines
4.4 KiB
Markdown
116 lines
4.4 KiB
Markdown
Subtopics: Malicious Software, Attacks on Web Applications, Secure System Development
|
|
|
|
# How Computers Get Compromised:
|
|
|
|
- Accessing malicious or infected websites
|
|
- Downloading and installing malware from websites
|
|
- Executing attachments to emails containing exploits and malware
|
|
- Plugging in external devices infected with malware
|
|
- Installing malware/infected software from media
|
|
- Direct attacks from the internet exploiting vulnerabilities in OS or applications
|
|
- Through delivery chain, during assembly or shipment
|
|
|
|
## Malware Types:
|
|
|
|
- Backdoor/Trapdoor
|
|
- Logic bomb
|
|
- Trojan horse
|
|
- Worm
|
|
- Virus (polymorphic, metamorphic)
|
|
- Stealth virus
|
|
- Exploit
|
|
|
|
## Exploits:
|
|
|
|
- Exploit software/hardware vulnerability
|
|
- Carried in common data formats like PDF, office documents, media files
|
|
- Contains corrupt data types
|
|
- Causes unintended behavior on computers
|
|
|
|
## Backdoor/Trapdoor:
|
|
|
|
- Provides remote control capabilities
|
|
- Can reside on the system for long periods before being used
|
|
- Installed by exploit or user (tricked into installing malicious program)
|
|
- Can be installed during design for testing purposes, posing a threat if left in production software
|
|
|
|
# The Cyber Kill Chain (Hutchins Et Al., 2011):
|
|
|
|
- Reconnaissance, Weaponisation, Delivery, Exploitation, Installation, Command & Control (C&C), Action/Exfiltration
|
|
- Timescale for each phase varies from days, months, hours to seconds.
|
|
- Recon; Weaponisation; Delivery; Exploitation; Installation; Command & Control; Action/Exfil
|
|
|
|
## Web Application Security Challenge:
|
|
|
|
- Firewall, App Server, Web Server, Hardened OS, Databases, Legacy Systems, Web Services, Directories, Human Resources, Billing, Custom-Developed Application Code
|
|
- Network layer and application layer security are crucial
|
|
|
|
# Application Attacks
|
|
|
|
- Application attacks bypass traditional network security measures like firewalls
|
|
|
|
## SQL (Structured Query Language):
|
|
|
|
- Interface to relational databases
|
|
- Used for inserting, updating, deleting, and retrieving data in a database
|
|
|
|
### SQL Injection:
|
|
|
|
- Databases system misinterpretation of input data
|
|
- Attacker disguises SQL commands as data input
|
|
- Vulnerability exists when web application fails to sanitise data input before sending it to the database
|
|
|
|
### Preventing SQL Injection and XSS
|
|
|
|
- Validate all user-entered parameters (data types and lengths)
|
|
- Disallow unwanted data (html tags, JS, SQL commands)
|
|
- Escape questionable characters (ticks, --, semicolons, quotes, etc)
|
|
- Hide information about error handling
|
|
|
|
#### Stored XSS
|
|
|
|
Input script to website disguised as user content
|
|
Store and display script on page
|
|
User accesses page
|
|
Malicious script sent to user
|
|
|
|
## Broken Authentication and Session Management:
|
|
|
|
- User authentication does not necessarily provide continuous assurance
|
|
- Insecure implementation of session control with a static session ID passed in the URL
|
|
- Recommendations for session IDs (OWASP)
|
|
|
|
### Method
|
|
|
|
Log in to application
|
|
Provide service, user stays logged in
|
|
Email info about session ID
|
|
Other user can access website as first user
|
|
|
|
### Fixes
|
|
|
|
- Authentication linked to time
|
|
- OWASP recommendations followed
|
|
- Link session ID to IP address, TLS session, etc.
|
|
Reconnaissance Assignment
|
|
|
|
## [OWASP Top-10](https://owasp.org/Top10/) Web Application Risks (as of 2017):
|
|
|
|
- Injection, Broken Authentication, Sensitive Data Exposure, XML External Entity (XXE), Security Misconfiguration, Cross-Site Scripting (XSS), Insecure Deserialization, Using Components with Known Vulnerabilities, Insufficient Logging & Monitoring
|
|
|
|
## Waterfall SDLC vs. Agile Software Development vs. Secure Agile:
|
|
|
|
- Waterfall SDLC: Sequential phases (Design, Requirements, Implementation, Verification, Maintenance)
|
|
- Agile Software Development: Iterative sprint cycles based on user stories
|
|
- Secure Agile: Includes additional security steps during project startup, each sprint cycle, and final test and validation
|
|
- Threat modeling in Secure Agile: Identify, analyze, and describe relevant threats using STRIDE (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege)
|
|
|
|
### STRIDE
|
|
|
|
Spoofing - Can an attacker gain access with a false identity?
|
|
Tampering - Can an attacker modify data as an application runs?
|
|
Repudiation - If an attacker denies interaction, can we prove it?
|
|
Information Disclosure - Can an attacker gain PII?
|
|
Denial of Service - Can an attacker crash or reduce availability?
|
|
Elevation of Privilege - Can an attacker assume the identity of a privileged user?
|