One of the more interesting topics in this chapter was the discussion of application vulnerabilities in relation to e-mail and voice over IP. Today, email can be a huge vulnerability because you now have the ability to transfer active content through HTML code or email attachments. If this information were to fall into the wrong hands, it could be detrimental to a company in some cases. To protect email data, companies have implemented email encryption, spam filtering, and extrusion prevention tools. Voice over IP can also be susceptible to denial-of-service attacks, impersonation, malware, fraud, or spam.
I agree with you on how email nowadays is used for most attacks and, if not protected enough, may bring several damages that can harm the company badly. People use spam or spear phishing for attacks, so minimizing main applications on servers or giving access privileges only to those who are authorized to use them is a good way to protect your information. Understanding the threat environment is also a good way to start, so that you know where to focus and give more security reviews/tests than to the others.
I found the section on web browser attacks to be the most intriguing in the Boyle and Panko chapter on application security. It seems that there are many client-side attacks that can be executed via the web browser. For instance, using a Java applet you can execute arbitrary code, turn a client’s PC into a file server, and much more. There is also the threat of automatic redirection to an unwanted or malicious website. Even outside these attacks is the use of cookies to track users. This is something that every website uses and isn’t inherently malicious; however, it can be when used with ill intention. It’s important as an end user to take steps to help mitigate these types of attacks, such as ensuring the security settings in the browser are set correctly.
This chapter talks about hardening applications with physical security, backup requirements, application and OS patching, and the hardening process. It also covers minimizing application threats and authentication mechanisms, and explains securing custom applications: never trust user input, to protect from various threats regarding application security.
Application security threats increase day by day for various reasons, and many mistakes occur in the application development process. Oftentimes, the testing, the patching process, and end-user mistakes are some of the causes that knowingly and unknowingly lead to compromised security of applications. Users use root privileges to run applications, which oftentimes gives root-level access to an attacker. Most of the time end users don’t know how to use root privileges smartly; however, attackers know it and use it to their advantage.
There are many applications that have buffer overflow vulnerabilities, where the program is stored in the RAM as a temporary process, and the hackers take advantage of it and allocate data from memory. For example, the advantage of stacks is return addresses to execute the code and access unauthorized information.
SQL injection is also one of the common and leading targets for attackers to hack databases, and cross-site scripting attacks reflect the information for another user on the screen. This chapter goes into detail on what types of attack an attacker launches, and how we can be protected. The most widely used web servers are Nginx, Apache, and IIS, and each has advantages and drawbacks. Web servers are more vulnerable to various attacks like web defacement, buffer overflow, directory traversal attacks, etc.
This chapter talks about application hardening and the various attacks that can pose threats towards organizations. One of these threats is the execution of mobile code; I did not realize until now that mobile code is considered mobile because it travels from the web server to the host computer. I thought this was entirely because it was executed on a mobile device, which completely changes my perspective on whatever vulnerability scanning I’m using that tells me about mobile code execution. Another interesting takeaway that I got from this reading is that ActiveX was initially thought of as “secure” because it required digital signatures from the developer before execution. However, the issue becomes if the developer publishes a digital signature but is not reliable and might release programs littered with vulnerabilities.
I was also previously under the impression that mobile code referred to code executed on a mobile device. The risk with ActiveX is interesting because it showcases that just because something is signed with a digital signature does not necessarily make it secure. We still need to examine the program and ensure the developer is a trustworthy source.
This chapter is about Application Security. The authors explained that attacking operating systems is harder than attacking applications. Moreover, patching applications is more time consuming than patching operating systems. Therefore, firms need to pay attention to application security. One of the attack types mentioned in this chapter, the IIS IPP buffer overflow attack, is interesting. One of the methods to prevent buffer overflows is to use coding languages other than C and Assembly, because these languages do not check whether the number of bytes to be written or read will actually fit in the buffer in question. That means that these languages allow buffer overflow vulnerabilities through direct access to memory and lack of strong object typing.
The authors also want us to understand the threat environment before anything else. If we do not understand it, we cannot find ways to protect them. Patching systems before deployment is very important and essential, but running applications on those servers is time consuming. That’s why they should minimize main applications on the servers, because those are the ones with risks.
In Section 8.4, Boyle and Panko address e-mail security and the protective measures needed to be implemented by companies, such as spam filtering, due to their pervasive nature. Considering spam accounts for approximately 60-90 percent of all Internet mail traffic, I can safely assume that most of us have experienced spam clogging our mailboxes, slowing down our computers, and spending time deleting unwanted messages. While it may seem trivial, firms are being forced to invest in content filtering since incoming and outgoing messages can contain dangerous or inappropriate content. Some of the more prolific spammers rely on email harvesting techniques such as using bots that “scrape” addresses from pages. Others turn to sellers on underground cybercrime forums or on open-air markets. On page 476 you will find an In-the-news story about the Federal Trade Commission charging 29 defendants with sending over 180 million SMS spam messages promising free gift cards. It is hard to believe that ordinary people still fall for these types of schemes.
This week’s reading of Boyle and Panko was very insightful. Something that stood out to me in this chapter was the section about custom programs and the lack of adequate security in custom e-commerce software. These software/programs are usually written by the company themselves. However, the oversight of program development is usually lacking. In turn, there are an ample number of vulnerabilities that can be, and usually are, exploited by hackers/attackers. Moreover, the program languages that are being used “produce programs that have common security failure modes that are well known by hackers.” Moreover, these attackers are also capable of writing their own custom programs which they execute on the victim server to aid in their attacks. It is a misconception that if the company writes their own e-commerce software, then they are less susceptible to their programs being hacked; this is not the case!
Hey Joshua.
I thought this part of the chapter was interesting as well. I do agree with what you’re saying about the misconception that companies writing their own software are less susceptible to being hacked. I think that if a company is writing their own software, they might be more susceptible; they may try and cut corners or skip steps that leave the door open for hackers to come in.
Yeah, now that you say that, it makes me think that if the organization invested in an industry-standard e-commerce software, then maybe known vulnerabilities in it would be patched with updates. I totally understand the point you are trying to make and agree that they are likely to be more susceptible to exploits.
This chapter comes after host hardening because they are related in a certain way and work with one another. We need an operating system to work effectively and be secure, as well as the applications that run on those systems. This chapter focuses on the methods and techniques that are used to secure application programs. It also brought us back to physical security to make us understand that protecting application programs is not important without policies and procedures in place on how to protect our fences. Minimizing applications on servers or hosts is essential against external attackers, because if there is no need to run those applications, or if that person has no privilege to use them on the host, then there is no need to download the applications onto those machines.
I see now that there is a relation between this chapter following up after the host hardening chapter. I believe that it is a good idea to minimize applications on a server to only those being used frequently. Doing this will only lessen the chances an attacker has of successfully breaching a server.
In this week’s reading I found the ‘Airbus and Boeing Software Flaws’ segment under section 8.1.5.2 to be particularly interesting. Airbus notified owners in 2019 that its Airbus A350 planes must be hard rebooted before they reach 149 hours of continuous use, and if this is not performed then certain internal avionics systems will fail, which was seen in 2017 and not disclosed until 2019. Along with Airbus, Boeing also experienced a software flaw in 2019 that affected the angle-of-attack alert system that may have been the reason for some high-profile plane crashes. This flaw led to the cancellation of billions’ worth of Boeing’s 737 Max aircraft. One security researcher, Chris Roberts, claims that he was able to hack into planes 15-20 times and issue commands such as for the plane to fly sideways. As the segment points out, authorities are worried that some of the flaws seen in Boeing and Airbus could potentially be used for a type of unnecessary evil when in the wrong hands, such as intentionally causing planes to crash. The entire segment is more scary than it is interesting, because the commercial flight industry is something millions of people are entrusting their lives with every day, and there should really be no room for potential attacks in aircraft systems to exist.
As email and data transfer become more confidential day by day, this chapter highlights email security controls. In addition to content filtering that organizations perform to filter incoming and outgoing messages to remove dangerous content, some organizations also require employees to encrypt emails. It helps with confidentiality, authenticity, message integrity, and replay protection.
Another takeaway from the chapter is to understand the server functions and how they play a role in the threat environment. Some recommendations made to harden the applications include: minimizing applications by subsidiary and security baselines, application program configurations that use baselines to go beyond default installation configurations for high-value targets, installing patches for applications, minimizing permissions, and adding a layer of authentication, authorization, and auditing.
Yangyuan Lin says
This chapter talks about application security. Applications need to run on the host, so application security is also important. If an attacker takes over the application, the attacker will be able to attack or control the host through the application’s access rights. According to 8.4 “E-mail Security”, attachments to emails may contain malicious code such as viruses, and scripts in the body may execute malicious code. These emails would be identified as spam, but too much spam filtering would cause more and more legitimate mail to be seen as spam (my legitimate mail gets filtered quite often, I think I’ve figured out why now). Email filtering is done on the client PC, and since users often turn off their antivirus and anti-mail filters, there is still the potential for spam to appear on the system. Therefore both antivirus and antispam programs should be installed.
Matthew Bryan says
I find email security interesting and deal with this often in my work. It can be tough to find the right balance between aggressive filtering while allowing legitimate emails to come through.
Lately we’ve been seeing emails being sent from compromised consumer accounts (Gmail, Yahoo, etc.) containing links to documents hosted on services like Dropbox. When the user clicks the link they are directed to a hosted file that resembles a login page. They are then prompted to “sign in” by clicking a link that redirects to a credential harvesting site. This site impersonates the Microsoft login page and prompts the user to sign in. If the user signs in, their credentials are passed to the attacker as plain text. This allows the attacker to take over the account unless MFA is enforced.
The above attack can bypass most email gateways because the email doesn’t have a malicious attachment or content in the body of the message. Blocking services like Dropbox isn’t an option since many businesses rely on this to communicate information to users. MFA is critical in this situation as it helps prevent the attacker from signing in should the user fall for the attack.
Corey Arana says
Chapter 8 is about application security. The chapter speaks on many different topics including buffers, buffer overflows, how to turn off automatic application booting (which is a point of attack), login screen bypass attacks, and many more application security topics.
The key point I thought was interesting was cross site scripting attacks (XSS). This type of attack happens when a user’s input can appear on the page of another user. It happens when webpages reflect back to a user. If you type in a username, then on the next page the webpage states “hello username”. An example of this would be if an attacker sends a potential victim an email. In the email, there is a legitimate link that does reflection. The link in the email is long, longer than the URL window goes, so the user cannot see it. In the URL, there is a script. When the user clicks the link, a GET request goes to the legitimate link. The website then reflects back legitimate information including the script. The script then works without the user even knowing. If the victim’s browser has a vulnerability, the script will exploit it and the potential victim becomes an actual victim.
Yangyuan Lin says
Cross-site scripting (XSS) is an injection attack. Malicious scripts are injected into websites trusted by users. The attackers use web applications to send malicious code to end users in the form of browser-side scripts, and the attackers can obtain the information entered by the user as it goes through a script. XSS flaws are difficult to identify and remove from web applications. The best way to find bugs is to perform a security review of the code and search for all possible places where input from an HTTP request could go into HTML output. A variety of HTML tags can be used to deliver malicious JavaScript. Nessus, Nikto, and a few other tools available can help scan websites for these flaws.
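The reflection described in the two posts above, as an added example that is not from the posts or the textbook: a page that concatenates a query parameter straight into its HTML beside the same page with output encoding, plus the review check the second post recommends (does request input reach HTML output unescaped?). The host, path, parameter name and payload are constructed for the example.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Constructed example of the kind of link the posts describe: a legitimate
# page that reflects the "username" query parameter back into the response.
# Host, path, parameter name and payload are made up for this example.
EXAMPLE_URL = "https://example.com/welcome?username=%3Cscript%3Ealert(1)%3C%2Fscript%3E"


def reflected_name(url: str) -> str:
    """Return the username parameter exactly as the server receives it after
    the browser's GET request (percent-decoding included)."""
    query = urlsplit(url).query
    return parse_qs(query).get("username", [""])[0]


def render_unsafe(name: str) -> str:
    """The defect: the parameter is concatenated straight into HTML output,
    so whatever markup the link carried is reflected back to the browser."""
    return f"<p>Hello {name}</p>"


def render_safe(name: str) -> str:
    """The fix: contextual output encoding. html.escape turns <, >, & and
    (with quote=True) both quote characters into entities, so the browser
    displays the text instead of interpreting it as markup."""
    return f"<p>Hello {html.escape(name, quote=True)}</p>"


def reflects_script(rendered: str) -> bool:
    """Review check in the spirit of the post: after reflection, does the
    rendered page still contain an unescaped <script> tag?"""
    return "<script" in rendered.lower()


if __name__ == "__main__":
    name = reflected_name(EXAMPLE_URL)
    for label, page in (("unsafe", render_unsafe(name)), ("safe", render_safe(name))):
        print(f"{label:6}: {page}  -> script reflected: {reflects_script(page)}")
```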
Shubham Patil says
An interesting takeaway from this chapter for me was the 2011 Skype attack. The ingenious attack, traced to Iranian networks, led to fraudulent digital certificates that could impersonate major Web sites including Google, Yahoo, and Skype. Digital certificates are used to prove the origin and authenticity of software programs and data on the Internet, a key requirement for users who are downloading patches or software updates. Comodo, a Jersey City, N.J.-based firm that issues digital certificates, said the nine certificates that were fraudulently obtained, including one for Microsoft’s Live.com, have already been revoked.
A fraudulent certificate allows someone to impersonate the secure versions of those Web sites, the ones that are used when encrypted connections are enabled. With these stolen certificates, an attacker could set up fake websites and harvest usernames, passwords, e-mails, and voice calls (via Skype).
Oluwaseun Soyomokun says
The Comodo certificate attack scenario reveals the attackers could in time set up fake websites with the nine (9) fraudulent certificates to harvest usernames, passwords, e-mails, and dates of birth and initiate voice calls via Skype, which is a man-in-the-middle attack. But Comodo handled the situation rightly by revoking those fraudulent certificates. Else, the Pishgaman Tose Ertebatat Tehran Network could control and redirect communication infrastructure and traffic within a country. Applicable layered security and encryption would be best utilized for communications over the VOIP network and other telecommunication networks.
Amelia Safirstein says
One section of chapter 8 that I enjoyed was section 8.3 on web browser attacks. Bad actors regularly take advantage of weaknesses in web applications to target servers. In this case, they can use attacks like SQL injection to gain unauthorized access to databases or LDAP injection to attack an LDAP directory service. On the flip side, cybercriminals can use weaknesses in web applications and browsers to take advantage of the browser/client.
Mobile code commands are included in webpages/web applications and can execute automatically on the client when the webpage is downloaded. While this can reduce the computational load on the server side and reduce the movement of sensitive user information between the client and server, it can also create serious vulnerabilities. Java Applets and ActiveX Controls are both examples of mobile code. Java Applets were created with security in mind and are limited in what they can do on a client, but still have known vulnerabilities. ActiveX controls have the ability to do almost anything on the client system. This allows for increased functionality in ActiveX but puts almost all of the burden of security on the web application builders and user.
Cybercriminals use various other means like malicious links shared through email to attack clients through the browser.
Users can protect themselves from these types of attacks by using web browser plugins that block commands from executing automatically, keeping their browser and security settings updated, avoiding unknown and untrusted websites, and using a HIDS or Antivirus software.
Jason Burwell says
Hello Amelia,
I think it’s great you included some things users can do to protect themselves against web browser attacks. It’s one thing to point out what the attacks are and how they work, but it’s always great to include some steps to protect against those attacks.
Matthew Bryan says
In section 8.2.5 Boyle and Panko discuss additional website protections and the importance of reviewing website error logs. Similar to reviewing firewall logs, website logs can help identify malicious behavior patterns. For example, an excessive number of 404 errors might indicate that an attacker is searching blindly for files on the website.
To protect against this, a web server specific application proxy firewall (WAPF) can be deployed. A WAPF sits between the web server and the rest of the network and inspects traffic. The WAPF can be trained to identify specific behavior patterns and then alert administrators when these occur or block the traffic.
Deploying a WAPF adds another layer of protection for web applications and helps ensure traffic is legitimate. This defensive layer is important for web applications processing sensitive data such as medical records and financial information that require an elevated security posture.
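The 404 review the post above describes, written out as detection logic in Python; this is an added example, not code from the post, the textbook, or any WAPF product. It parses constructed combined-format access-log lines, counts 404 responses per client inside a sliding window, and flags the clients whose misses cluster the way a blind search for files would; the threshold and window size are assumptions a defender would tune to their own site.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the Apache/nginx "combined" access-log format.
# Addresses (documentation ranges), paths and timestamps are all made up.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:01 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Oct/2023:13:55:02 +0000] "GET /admin/ HTTP/1.1" 404 512 "-" "curl/7.88"
198.51.100.23 - - [10/Oct/2023:13:55:02 +0000] "GET /backup.zip HTTP/1.1" 404 512 "-" "curl/7.88"
198.51.100.23 - - [10/Oct/2023:13:55:03 +0000] "GET /old-site/ HTTP/1.1" 404 512 "-" "curl/7.88"
198.51.100.23 - - [10/Oct/2023:13:55:03 +0000] "GET /test.php HTTP/1.1" 404 512 "-" "curl/7.88"
198.51.100.23 - - [10/Oct/2023:13:55:04 +0000] "GET /config.bak HTTP/1.1" 404 512 "-" "curl/7.88"
203.0.113.7 - - [10/Oct/2023:13:56:10 +0000] "GET /missing.png HTTP/1.1" 404 512 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Oct/2023:14:30:00 +0000] "GET /robots.txt HTTP/1.1" 404 512 "-" "curl/7.88"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)


def parse_line(line: str):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "time": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


def max_burst(times, window: timedelta) -> int:
    """Largest number of events from one client that fall inside any window."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def flag_404_scanners(log_text: str, threshold: int = 5,
                      window: timedelta = timedelta(minutes=1)) -> dict:
    """Return {ip: burst} for clients whose 404s inside `window` reach `threshold`.
    A single stray 404 (a broken image link) stays below the threshold; a rapid
    run of misses from one address is the blind file search the post describes.
    Threshold and window are assumed values, not figures from the textbook."""
    misses = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["status"] == 404:
            misses[rec["ip"]].append(rec["time"])
    flagged = {}
    for ip, times in misses.items():
        burst = max_burst(times, window)
        if burst >= threshold:
            flagged[ip] = burst
    return flagged


if __name__ == "__main__":
    for ip, burst in flag_404_scanners(SAMPLE_LOG).items():
        print(f"ALERT {ip}: {burst} x 404 within one minute")
```

The same per-client counting is what an administrator would hand to a WAPF or alerting rule; the window keeps a client's scattered misses over hours from counting as one burst.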
Bryan Garrahan says
Chapter 8 did a nice job touching on where exactly e-mail malware/spam filtering can occur within an organization’s network. There are obvious issues with filtering on individual client PCs because the end users are responsible for maintaining or even updating anti-virus and filtering tools. As we’ve seen in several other chapters, humans (i.e. end users) are considered a major risk to an organization, and it’s best that dedicated administrators be responsible for maintaining and updating client defense tools. I’m most familiar with filtering e-mail at the corporate mail server level. Typically, the administrators dedicated to filtering spam and malware at the corporate mail server level have the level of expertise to filter out junk e-mail effectively. Finally, e-mail filtering can be performed by a third-party managed service provider who filters e-mails through their own servers. This is a viable option when resources are limited or an organization is trying to reduce labor costs. If possible, it’s best to utilize all three filtering solutions in order to achieve a more effective defense in depth strategy.
Oluwaseun Soyomokun says
Bryan,
I agree with your point that e-mail filtering for malware and spam can also be better managed by a third-party vendor, to manage a plethora of buffer overflow attacks such as phishing emails, spam flooding and denial of service attacks to the servers where applicable.
Jason Burwell says
Chapter 8 is about Application Security and Hardening.
A section that stood out to me was 8.1.5.1, Cross-Site Scripting (XSS) attacks.
By definition Cross-Site Scripting (XSS) attacks are attacks in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user.
This stands out to me because, as IT professionals, we try to teach good practice and caution, to keep an eye out for anything suspicious, and what we find is that many people still fall victim to cyber attacks that to us look suspicious enough. This topic is extra scary because these attacks use genuine trusted sites, so for me this is a topic that stands out.
Oluwaseun Soyomokun says
The takeaways from this chapter are the various different forms of attacks. Attackers exploit buffer overflow vulnerabilities in application programs by flooding the RAM with too much information to handle, to crash the server machine. In a cross-scripting (XSS) attack, the attacker sends a legitimate link that is long and extends past the URL window as an email to the target; once the link is clicked, that is a possible cross-scripting attack vulnerability. SQL injection is another form of attack used by attackers to inject a SQL string query into the application program. Also important is knowing the forms of attack to which a web server is susceptible, such as website defacement and buffer overflow attacks, e-commerce patches for commercial software, and vulnerability assessment controls which limit developers' privileged access to the testing and production servers. Adding to the confusion, attackers may circumvent filtering designs, and system administrators are to have countermeasures and find and install patches to mitigate the broken security.
Michael Galdo says
One of the more interesting topics in this chapter was the discussion of application vulnerabilities in relation to e-mail and voice over IP. Today, email can be a huge vulnerability because you now have the ability to transfer active content through HTML code or email attachments. If this information were to fall into the wrong hands, it could be detrimental to a company in some cases. To protect email data, companies have implemented email encryption, spam filtering, and extrusion prevention tools. Voice over IP can also be susceptible to denial-of-service attacks, impersonation, malware, fraud, or spam.
Ornella Rhyne says
Hi Michael,
I agree with you on how email nowadays is used for most attacks and, if not protected enough, may bring several damages that can harm the company in a bad way. People use spam or spear phishing for attacks, so minimizing main applications on servers or giving access privileges only to those that are authorized to use them is a good way to protect your information. Understanding the threat environment is also a good way to start; that way you know where to focus and give more security reviews/tests than to the others.
Ryan Trapp says
I found the section on web browser attacks to be the most intriguing in the Boyle and Panko chapter on application security. It seems that there are many client-side attacks that can be executed via the web browser. For instance, using a Java applet you can execute arbitrary code, turn a client's PC into a file server, and much more. There is also the threat of automatic redirection to an unwanted or malicious website. Even outside these attacks is the use of cookies to track users. This is something that every website uses and isn't inherently malicious; however, it can be when used with ill intention. It's important as an end user to take steps to help mitigate these types of attacks, such as ensuring the security settings in the browser are set correctly.
Mohammed Syed says
This chapter talks about hardening applications with physical security, backup requirements, application and OS patching, and the hardening process. It covers minimizing application threats and authentication mechanisms, and also explains securing custom applications: never trust user input, to protect from various threats regarding application security.
Application security threats increase day by day for various reasons, and many mistakes occur in the application development process. Oftentimes, the testing, the patching process, and end-user mistakes are some of the causes, knowingly and unknowingly, leading to compromised security of applications. Users use root privileges to run applications, which oftentimes gives root-level access to an attacker. Most of the time end users don't know how to use root privileges smartly; however, attackers know it and use it to their advantage.
There are many applications that have buffer overflow vulnerabilities, where the program is stored in the RAM as a temporary process, and the hackers take advantage of it and allocate data from memory. For example, the advantage of stacks is return addresses to execute the code and access unauthorized information.
SQL injection is also one of the common and leading targets for attackers to hack databases, and cross-site scripting attacks reflect the information for another user on the screen. This chapter goes into detail on what type of attack an attacker launches, and how we can be protected. The most widely used web servers are Nginx, Apache, and IIS, and each has advantages and drawbacks. Web servers are vulnerable to various attacks like web defacement, buffer overflow, directory traversal attacks, etc.
Michael Duffy says
This chapter talks about application hardening and the various attacks that can pose threats towards organizations. One of these threats is the execution of mobile code; I did not realize until now that mobile code is considered mobile because it travels from the web server to the host computer. I thought this was entirely because it was executed on a mobile device, which completely changes my perspective of whatever vulnerability scanning I'm using that tells me about mobile code execution. Another interesting takeaway that I got from this reading is that ActiveX was initially thought of as "secure" because it required digital signatures from the developer before execution. However, the issue becomes if the developer publishes a digital signature but is not reliable and might release programs littered with vulnerabilities.
Ryan Trapp says
Hi Michael,
I was also previously under the impression that mobile code referred to code executed on a mobile device. The risk with ActiveX is interesting because it showcases that just because something is signed with a digital signature does not necessarily make it secure. We still need to examine the program and ensure the developer is a trustworthy source.
Hang Nu Song Nguyen says
This chapter is about Application Security. The authors explained that attacking operating systems is harder than attacking applications. Moreover, patching applications is more time consuming than patching operating systems. Therefore, firms need to pay attention to application security. One of the attack types mentioned in this chapter, the IIS IPP buffer overflow attack, is interesting. One of the methods to prevent buffer overflows is to use a coding language other than C and Assembly, because these languages do not check that the number of bytes to be written or read will actually fit in the buffer in question. That means that these languages allow buffer overflow vulnerabilities through direct access to memory and lack of strong object typing.
Ornella Rhyne says
Hi Hang,
The author also wants us to understand the threat environment before anything else. If we do not understand, we cannot find ways to protect them. Patching systems before deployment is very important and essential, but running applications on those servers is time consuming. That's why they should minimize main applications on the servers, because those are the ones with risks.
Elizabeth Gutierrez says
In Section 8.4, Boyle and Panko address e-mail security and the protective measures that need to be implemented by companies, such as spam filtering, due to spam's pervasive nature. Considering spam accounts for approximately 60-90 percent of all Internet mail traffic, I can safely assume that most of us have experienced spam clogging our mailboxes, slowing down our computers, and costing time spent deleting unwanted messages. While it may seem trivial, firms are being forced to invest in content filtering since incoming and outgoing messages can contain dangerous or inappropriate content. Some of the more prolific spammers rely on email harvesting techniques such as using bots that "scrape" addresses from pages. Others turn to sellers on underground cybercrime forums or on open-air markets. On page 476 you will find an In-the-news story about the Federal Trade Commission charging 29 defendants with sending over 180 million SMS spam messages promising free gift cards. It is hard to believe that ordinary people still fall for these types of schemes.
Joshua Moses says
This week's reading of Boyle and Panko was very insightful. Something that stood out to me in this chapter was the section about custom programs and the lack of adequate security in custom e-commerce software. These software programs are usually written by the company themselves. However, the oversight of program development is usually lacking. In turn, there are an ample number of vulnerabilities that can be and usually are exploited by hackers/attackers. Moreover, the programming languages that are being used "produce programs that have common security failure modes that are well known by hackers." Moreover, these attackers are also capable of writing their own custom programs which they execute on the victim server to aid in their attacks. It is a misconception that if the company writes their own e-commerce software, then they are less susceptible to their programs being hacked. This is not the case!
Corey Arana says
Hey Joshua,
I thought this part of the chapter was interesting as well. I do agree with what you're saying about the misconception of companies writing their own software being less susceptible to being hacked. I think that if a company is writing their own software, they might be more susceptible; they may try to cut corners or skip steps that leave the door open for hackers to come in.
Joshua Moses says
Hello Corey,
Yeah, now that you say that, it makes me think that if the organization invested in an industry-standard e-commerce software, then maybe known vulnerabilities in it would be patched with updates. I totally understand the point you are trying to make and agree that they are likely to be more susceptible to exploits.
Ornella Rhyne says
This chapter comes after host hardening because they are related in a certain way and work with one another. We need an operating system to work effectively and be secure, as well as the applications that run on those systems. This chapter focuses on the methods and techniques that are used to secure application programs. It also brought us back to physical security to make us understand that protecting application programs is not important without policies and procedures in place on how to protect our fences. Minimizing applications on servers or hosts is essential against external attackers, because if there is no need to run those applications, or if that person has no privilege to use them on the host, then there is no need to download the applications on those machines.
Michael Galdo says
Hi Ornella,
I see now that there is a relation between this chapter following up after the host hardening chapter. I believe that it is a good idea to minimize applications on a server to only those being used frequently. Doing this will only lessen the chances an attacker has of successfully breaching a server.
Alexander William Knoll says
In this week's reading I found the 'Airbus and Boeing Software Flaws' segment under section 8.1.5.2 to be particularly interesting. Airbus notified owners in 2019 that its Airbus A350 planes must be hard rebooted before they reach 149 hours of continuous use, and if this is not performed then certain internal avionics systems will fail, which was seen in 2017 and not disclosed until 2019. Along with Airbus, Boeing also experienced a software flaw in 2019 that affected the angle-of-attack alert system that may have been the reason for some high-profile plane crashes. This flaw led to the cancellation of billions worth of Boeing's 737 Max aircraft. One security researcher, Chris Roberts, claims that he was able to hack into planes 15-20 times and issue commands such as for the plane to fly sideways. As the segment points out, authorities are worried that some of the flaws seen in Boeing and Airbus could potentially be used for a type of unnecessary evil when in the wrong hands, such as intentionally causing planes to crash. The entire segment is more scary than it is interesting, because the commercial flight industry is something millions of people are entrusting their lives with every day, and there should really be no room for potential attacks in aircraft systems to exist.
Miray Bolukbasi says
As email and data transfer become more confidential day by day, this chapter highlights email security controls. In addition to content filtering that organizations perform to filter incoming and outgoing messages to remove dangerous content, some organizations also require employees to encrypt emails. It helps with confidentiality, authenticity, message integrity, and replay protection.
Another takeaway from the chapter is to understand the server functions and how they play a role in the threat environment. Some recommendations made to harden applications include: minimizing applications by subsidiary and security baselines, application program configurations that use baselines to go beyond default installation configurations for high-value targets, installing patches for applications, minimizing permissions, and adding a layer of authentication, authorization, and auditing.