Security Architecture

MIS 5214 - Section 001 - David Lanter

MIS 5214.005 ■ Spring 2021 ■ Wade Mackey
Boyle and Panko Chapter 8 Application Security

March 19, 2020 by Wade Mackey 22 Comments

Filed Under: 10 - Application Security Tagged With:

Comments

  1. Zeynep Sahin says

    March 20, 2020 at 4:17 pm

    One of the key takeaways from chapter 8 regarding application security is minimizing the applications a host runs to mitigate cyber risks. Installed applications are potential points of attack and consume computer resources. Therefore, unnecessary services should be disabled. Other controls that help to safeguard applications are:
    • Creating a secure configuration; create a secure configuration based on baselines such as removing default passwords.
    • Installing application patches and updates; make sure to install all application patches against new vulnerabilities and new versions of software.
    • Minimizing the permission of application; only necessary programs should run with root privileges. Other programs can run with the min. privileges principle.
    • Adding application-level authentication, authorizations, and auditing; appropriate access and authentication methods should be applied. Application-level authentication may be difficult to apply for every application, so it should be applied for highly sensitive applications.
    • Implementing cryptographic systems; cryptographic systems should be used between the user and applications such as SSL/TLS.

    • Imran Jordan Kharabsheh says

      March 23, 2020 at 3:29 pm

      Hello,
      After going over your takeaways from reading chapter eight of the Corporate Computer Security textbook, my understanding of some of the more important mitigation strategies in application security was affirmed. It is important to note that hosts should only be running applications that are necessary to perform business functions, as every additional application creates a new threat landscape. And something people don’t often mention is how the introduction of these new threat landscapes also means having to consider the monetary costs of mitigating the new risks posed by this landscape.

  2. Innocent says

    March 21, 2020 at 4:43 pm

    One thing to remember from this chapter is that it’s necessary for us to understand the environment to be protected, and in doing this, we should consider providing adequate physical security for servers and clients and hardening the operating systems with patches and high-security configuration settings. It is also our duty to advise the firms we’ll work with to avoid loading too many applications on a single host, because fewer applications mean fewer opportunities to take over the computer.
    Also, it’s critical to control the deployment of newer server-side applications. According to this chapter, firms with rigorous deployment policies use three types of servers: development servers, testing servers, and production servers. This provides a higher level of security and restricts developers from freely accessing development servers and/or preventing developers from creating backdoors or last-minute changes to testing servers.

    • Alexander Reichart-Anderson says

      March 24, 2020 at 11:56 am

      Great opening points here Innocent. I agree that as auditors we will need to look at an organization from a macro point of view from the start. Knowing how their physical environment directly impacts their virtual environment is key. Then, by securing the physical we add another layer to their virtual information assets before anything is even turned on. In turn, I agree that uploading the most up to date applications to mitigate the security flaws is also a great step to fully securing the information asset.

  3. Numneung Koedkietpong says

    March 22, 2020 at 11:23 am

    This chapter provides information on multiple threats in applications and servers. One interesting key point which I picked from the chapter is security issues related to the web service and e-commerce service. Hackers use webserver attack techniques as follows:
    – Website defacement: Take over a computer and put up a fake page produced by hackers instead of the normal homepage
    – Buffer overflow attack: Hackers use IIS IPP and jill.c program to exploit the vulnerability
    – Directory traversal attack: allows attackers to access restricted directories and execute commands outside of the web server’s root directory.
    To establish controls over these issues, organizations should patch the webserver and e-commerce software, use website vulnerability assessment tools, detect website error logs, and implement webserver-specific application proxy firewalls.

    • Natalie Dorely says

      March 22, 2020 at 9:23 pm

      Hi Numneung,

      There are some great points mentioned here. Knowing how to counteract these attacks is key for efficient cyber protection for organizations.

      Best,
      Natalie

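The directory traversal item and the log-review control mentioned in comment 3 above, shown as an added example that is not part of the original discussion or the textbook: it checks whether a requested path resolves outside the web root and applies that check to access-log lines. The web root, the log lines, and all function names are assumptions constructed for illustration.

```python
import posixpath
import re
from urllib.parse import unquote, urlsplit

WEB_ROOT = "/var/www/html"  # assumed document root for this example

# Constructed access-log lines (common log format), not real traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [22/Mar/2020:11:20:01 -0400] "GET /index.html HTTP/1.1" 200 5120',
    '203.0.113.9 - - [22/Mar/2020:11:20:07 -0400] "GET /images/../css/site.css HTTP/1.1" 200 830',
    '198.51.100.7 - - [22/Mar/2020:11:21:13 -0400] "GET /scripts/../../etc/passwd HTTP/1.1" 404 209',
    '198.51.100.7 - - [22/Mar/2020:11:21:15 -0400] "GET /docs/%2e%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 400 226',
    '198.51.100.7 - - [22/Mar/2020:11:21:19 -0400] "GET /docs/%252e%252e/%252e%252e/secret.txt HTTP/1.1" 404 209',
]

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')


def fully_decode(path, max_rounds=3):
    """Percent-decode repeatedly so double-encoded '..' segments are exposed."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    # Treat backslashes as separators, as some servers do.
    return path.replace("\\", "/")


def escapes_root(url_path, root=WEB_ROOT):
    """True if the request path resolves to a location outside the web root."""
    decoded = fully_decode(urlsplit(url_path).path)
    resolved = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    return not (resolved == root or resolved.startswith(root + "/"))


def traversal_attempts(log_lines):
    """Return (client_ip, request_path) for each request that leaves the root."""
    hits = []
    for line in log_lines:
        match = REQUEST_RE.search(line)
        if match and escapes_root(match.group(1)):
            hits.append((line.split()[0], match.group(1)))
    return hits


if __name__ == "__main__":
    for ip, path in traversal_attempts(SAMPLE_LOG):
        print(ip, path)
```

The second log line uses `..` but stays inside the root, so it is not flagged; resolving the path before comparing it to the root is what separates it from the three requests that escape.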
  4. Joseph Nguyen says

    March 22, 2020 at 5:00 pm

    Understanding the threat environment is a good guideline: basic hardening of the OS, patching, separation of applications, minimizing permissions and configuration, adding AAA, especially audit logs in the application, and encrypted remote access and remote policy.

    End-to-end email encryption is very easy, open-source, quite simple to implement and it works well. PGP is my favorite one. It might solve phishing issues and malicious attachments.

    Website vulnerability assessment tools like Nikto, Paros Proxy, Acunetix, and IBM’s Rational AppScan should be part of the yearly maintenance routine including Pen testing important application and e-commerce applications.

    • Peiran Liu says

      March 25, 2020 at 10:28 am

      Hi Joseph,

      In my opinion, what PGP does is that it will help keep your email encrypted, not leaking data to others when someone tries to access your email when it is on its way to the receiver. But it will not solve phishing issues, as if the attacker knows your email address, they can just send it.

  5. Percy Jacob Rwandarugali says

    March 22, 2020 at 6:53 pm

    The unique thing I learned from this week’s reading with regard to applications is that it’s much easier to gain root access through application exploits than through attacks on traditional operating systems and that this is also the most dominant attack vector today. More so, application hardening is harder than operating system hardening. It’s also important to note that baselines are used when creating secure application program configurations; stuff like easy passwords and default passwords should not be used.

    • Innocent says

      March 23, 2020 at 9:34 am

      Good points, Percy. It is also important to note that firms with rigorous deployment policies use three types of servers: development servers, testing servers, and production servers. This provides a higher level of security and restricts developers from freely accessing development servers, and also prevents developers from gaining access to testing servers because doing so might give them the opportunity to create backdoors or make last-minute changes to testing servers.

  6. Imran Jordan Kharabsheh says

    March 22, 2020 at 7:13 pm

    After reading through the eighth chapter of the Corporate Computer Security textbook, which focused primarily on informing and cautioning readers about the vast array of threats faced at different parts of an organization’s information system, I found myself almost overwhelmed with how many potential vulnerabilities need to be considered when securing applications. One of the first and most important quotes within the chapter that stuck with me is when Boyle writes about how securing applications is exponentially harder than securing a host. He justifies this statement by stating how each system is usually running multiple applications and each application can be about as difficult to secure as an operating system. However, there were some parts of the chapter that were more easily digestible, such as the section on Data Loss Prevention and Data Destruction which I had covered in a previous course. It is important to note that data destruction is not as simple as pressing the delete key or emptying the recycle bin, but also requires cleanly wiping or even destroying the physical drive depending on what you plan to do with the drive afterwards.

    • Percy Jacob Rwandarugali says

      March 24, 2020 at 8:21 am

      Hi Imran,
      We share the same sentiment in this chapter; it’s harder to protect applications than hosts because “each system is usually running multiple applications and each application can be about as difficult to secure as an operating system” as you have mentioned above.
      It requires extra effort, technical abilities and time to secure and monitor applications running on a single system.

    • Innocent says

      March 31, 2020 at 12:42 pm

      Hello Imran,

      Thanks for pointing out what is involved in destruction of data. According to this chapter, the choice of one data deletion method depends on the reason for deleting the data, and sometimes, properly deleting data may take as much as it took to preserve it.
      However, data destruction is necessary because undestroyed data like sensitive personal information, corporate business secrets or a nation’s security data could get into the wrong hands.

  7. Christopher James Lukens says

    March 22, 2020 at 7:35 pm

    One key element of this chapter is minimizing the permissions of applications. Certain applications require root or admin privileges to run on systems, but oftentimes the privilege can be better tailored to fit the task. For example, a program might use a dedicated application service account in Active Directory to access other servers or update databases. If that account has full privileges across the network, then a hacker who may exploit the application would be able to gain a very strong foothold in the network. What should be done is analyze exactly what the application needs and give it only those permissions to reduce access and permissions of the application. Oftentimes developers just want admin access in the programs because it’s easier for them, but in terms of security it opens a massive flaw.

  8. Akshay Shendarkar says

    March 22, 2020 at 8:26 pm

    This chapter shed light on various attacks that can be conducted on web applications as well as the approaches that can be followed for hardening a web application. One interesting point from this chapter was the rise in infamy of email as a security threat for organizations. Some of the threats arising from emails are malicious links, spam, inappropriate content as well as leakage of sensitive data and trade secrets. Extensive efforts are taken by organizations to filter the emails at multiple locations (PC, email server, cloud). To further protect the information, many times email data is encrypted, which not only causes traffic overhead on networks but also is expensive for organizations to implement. This can be partly attributed to the rise in use of email by organizations to conduct business. In the early days, the email body consisted of simple text; however, there is a huge increase in the types of documents which can be sent within an email and thus this leads to the encryption overhead.

  9. Natalie Dorely says

    March 22, 2020 at 9:13 pm

    A takeaway from this chapter is the importance of understanding the environment and how to go about protecting it. Whether it’s through host hardening, firewalls, anti-security software, etc., personally, I feel as though an organization should analyze all risk areas and build from there what could be done to prevent a breach from occurring.

  10. Sarah Puffen says

    March 22, 2020 at 9:52 pm

    One bit that I found interesting in Chapter 8 was the section on Voice over IP and the possible risks associated with using VoIP services. While there are many advantages associated with using VoIP, such as cost benefit and convenience, there are still many risks to consider since calls are made via internet connection. DoS attacks, eavesdropping, and even malware are some of the main risks associated with VoIP, with new threats still being discovered. For example, there is an RTP exploit that hackers can use to inject their voice into a conversation without the real speaker ever knowing. I found this interesting because it’s similar to the man-in-the-middle attacks that we studied in previous units and classes, and allows us to understand that while using VoIP may be more convenient than analog, there are now new or additional risks that should be considered prior to implementation.

    • Junjie Han says

      March 24, 2020 at 9:59 pm

      You are right,
      I want to mention some VoIP security advice.
      Use strong passwords: Do not use the default admin password for the device, and do not use weak passwords such as “123456”. Encryption: If the VoIP phone over the Internet is not encrypted, a malicious attacker can easily hijack a packet or call log. So it is recommended that you encrypt at every node. Using VPN: To some extent, VPNs can enhance the security of VoIP. It is difficult for an attacker to capture the data passing through the network with network analysis tools.

  11. Alexander Reichart-Anderson says

    March 23, 2020 at 1:23 am

    In Chapter 8 of Boyle and Panko, the most relevant point to our course work thus far was on page 468 of the chapter on malicious links. Malicious links have shown up in many of our units thus far. The section that I see as most pertinent is the part on malicious links in emails. This relates directly to the phishing section of our case studies and minisections. In the section of Boyle and Panko, malicious links are directly referenced to “how attackers gain access to the systems”. They gain access through the social engineering of the users on the inside of where they are trying to get to. By clicking on the link, users unknowingly give the attacker their credentials and thus give them a way in through the “front door” of the system — oftentimes, undetected.

    • Akshay Shendarkar says

      March 24, 2020 at 11:16 pm

      Hello Alex,

      Good observation on the connection of malicious links, email security and social engineering. Individually, even though an organization can provide or adopt requisite technology to fight them, a combination of them can be presented to office staff or other users, who often succumb to these attacks and thus provide undetected, front door access to attackers. This is one of the reasons that email security is vital for an organization, as simply giving training to users is never going to be enough as people are ignorant and lazy by nature. It is vital that emails are blocked at the entry point of the organization’s network if they are deemed malicious.

  12. Junjie Han says

    March 23, 2020 at 6:20 pm

    This section explains the hacks that web applications bring. The application is often the core of the company, which controls the company’s business processes and connects to the database. Among the control requirements are the minimization of the number of applications (to facilitate checking the operation of unknown programs). Minimize application permissions and update application patches in a timely manner. In addition, there are security of e-commerce, attacks from web browsers, and email attack methods that we are familiar with. We should apply what we have learned to the prevention of malicious mail, firewall, encryption technology, as well as the detection of DoS, to protect the diversity of applications.

  13. Peiran Liu says

    March 25, 2020 at 10:24 am

    The key takeaway for me is that there are so many ways for attackers to approach from web browser attacks. They can either catch you off guard when you are simply allowing the website to access cookies, or they can trick you with malicious links. There are also other client side attacks like automatic redirecting to unwanted webpages which might trap you there. But with frequently updating patches and increased security awareness, risks can be mitigated.

