Application and Web Security · •Application Hardening: is a security feature design to prevent...



Page 1: Application and Web Security · •Application Hardening: is a security feature design to prevent exploitation of various types of variability in software application. •Application

Application and Web Security

• Application Hardening: a security feature designed to prevent the exploitation of various types of vulnerabilities in software applications.

• Application hardening can be done by changing the default application configuration, implementing the latest software patches, hotfixes and updates, using the latest and most secure versions of protocols, and following procedures and policies that reduce attacks and system downtime.

• Application hardening is the process of securing an application against local and internet-based attacks.

• Application hardening is achieved by removing the functions or components you do not require, restricting access, and making sure the application is kept up to date with patches.

Marathwada Mitra Mandal's Polytechnic,Pune

Page 2

Steps to harden the Windows operating system

• Rename the Administrator account: the Administrator account holds a large number of permissions.

• The objective is to prevent intruders from gaining administrator rights through the Administrator account.

• So change the name of the Administrator account and change its password.

• Password management: most operating systems enforce the use of strong passwords.

• As additional security, this includes regular password changes and disabling an account after repeated failed logins.

• Passwords should be 8 characters long.

• Use the NTFS file system: Windows XP should be installed on the NTFS file system rather than the old FAT file system.

• NTFS allows you to control which users may access which data, and what kind of operations they can perform on it.


Page 3

• Disable all unnecessary services.

• Set permissions on files and on access to the registry.

• Remove unnecessary programs.

• Enable logging: it is important to ensure that the operating system is configured to log all activities, errors and warnings.

• File sharing: disable any unnecessary file sharing.

• Apply latest patches and fixes.

• Remove unnecessary user accounts and ensure the password guidelines are followed.
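As an added example (not part of the original slides), a read-only PowerShell audit that checks the hardening steps above on a local Windows machine. The service allowlist, the 30-day patch age and the reliance on the English-language output of `net accounts` are assumptions to adjust for your environment.

```powershell
# Added example, not from the original slides: read-only audit of the Windows
# hardening checklist. Run in an elevated Windows PowerShell 5.1+ session.
# Assumed policy values (adjust to your environment):
$AllowedServices = @('wuauserv', 'EventLog', 'WinDefend', 'Dnscache', 'W32Time')  # constructed allowlist
$MaxPatchAgeDays = 30
$findings = @()

# Rename Administrator account: the built-in account keeps RID 500 whatever its
# name, so look it up by SID rather than by the name "Administrator".
$builtin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-*-500' }
if ($builtin.Name -eq 'Administrator') { $findings += 'Built-in Administrator account has not been renamed' }
if ($builtin.Enabled) { $findings += 'Built-in Administrator account is still enabled' }

# Password management: minimum length and lockout threshold from the local
# account policy (assumes the English-language output of "net accounts").
$policy  = net accounts
$minLen  = [int](($policy | Select-String 'Minimum password length').ToString() -replace '\D', '')
$lockout = ($policy | Select-String 'Lockout threshold').ToString().Split(':')[1].Trim()
if ($minLen -lt 8)        { $findings += "Minimum password length is $minLen; the checklist requires 8" }
if ($lockout -eq 'Never') { $findings += 'Accounts are never locked out after repeated failed logins' }

# Use NTFS: the system volume should be NTFS rather than FAT.
$sys = Get-Volume -DriveLetter $env:SystemDrive.TrimEnd(':')
if ($sys.FileSystem -ne 'NTFS') { $findings += "System drive uses $($sys.FileSystem), not NTFS" }

# Disable unnecessary services: running services outside the allowlist.
$extra = @(Get-Service | Where-Object { $_.Status -eq 'Running' -and $AllowedServices -notcontains $_.Name })
if ($extra.Count -gt 0) { $findings += "$($extra.Count) running services are not on the allowlist: $($extra.Name -join ', ')" }

# File sharing: any share that is not one of the administrative ($) shares.
$shares = @(Get-SmbShare | Where-Object { -not $_.Special })
if ($shares.Count -gt 0) { $findings += "Non-administrative shares present: $($shares.Name -join ', ')" }

# Enable logging: the Security event log must be switched on.
if (-not (Get-WinEvent -ListLog Security).IsEnabled) { $findings += 'Security event log is disabled' }

# Apply latest patches: age of the most recently installed hotfix.
$latest = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
if ($latest -and ((Get-Date) - $latest.InstalledOn).Days -gt $MaxPatchAgeDays) {
    $findings += "Last hotfix $($latest.HotFixID) was installed on $($latest.InstalledOn.ToShortDateString())"
}

# Remove unnecessary user accounts: enabled local accounts are listed for review.
$enabled = Get-LocalUser | Where-Object Enabled | Select-Object -ExpandProperty Name
"Enabled local accounts to review: $($enabled -join ', ')"
if ($findings.Count -eq 0) { 'No hardening findings' } else { $findings | ForEach-Object { "[!] $_" } }
```

The script only reports; every change it suggests (renaming the account, disabling services, removing shares) is still made deliberately by the administrator.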


Page 4

Patches / Application Patches

• A patch is a piece of program code or software designed to fix problems with, or update, a computer program.

• Patches include fixes for security vulnerabilities and other bugs, and may improve usability or performance.

• Application patches are likely to come in three varieties: hotfixes, patches and upgrades.

– A hotfix is a small piece of code designed to fix a specific problem.

– Patches are collections of fixes; they are much larger and are released on a periodic basis, or when enough problems have been addressed to warrant a patch release.

– An upgrade is a popular method of improving a system by moving up to a better, more functional and more secure version of the application.

– Application patches can be downloaded from the vendor's website.

– A service pack (SP) is a Windows update, often combining previously released updates, that helps make Windows more reliable.


Page 5

Web servers

• A server that delivers web pages.

• Every web page has an IP address and a domain name.

• A web server is a computer program that delivers content, such as web pages.

• It uses the Hyper Text Transfer Protocol (HTTP) over the World Wide Web (WWW).

• A client, commonly a web browser, sends a communication request to the server; the server responds with the content.

• While the primary function is to serve content, a full implementation of HTTP also provides a way to receive data from the client, such as application forms or uploaded data.

• Some servers also support server-side scripting; this means that the behaviour of the web server can be scripted in a separate file so that the server software itself remains unchanged.

• Web servers are also built into devices such as printers, routers and webcams, where they serve the local network only.


Page 6

Active Directory

• Active Directory is used to store information and data about the network and the domain.

• Active Directory allows a single login to multiple applications, data sources and systems.

• Active Directory performs a variety of functions, including the ability to provide information on objects and to organize these objects for easy retrieval and access by end users.

• Features of Active Directory: the implementation of Active Directory is a significant improvement over Windows NT Server.

• Active Directory provides a centralized administration mechanism over the entire network.


Page 7

• Active Directory automatically manages the communication between domain controllers to ensure the network remains viable.

• Users can access all resources on the network for which they are authorized through single sign-on.

• Active Directory improves security and control over the network.

• Active Directory makes it easy to promote domain controllers.

• Systems can be managed and secured via Group Policies.

• Active Directory is capable of managing millions of objects within a single domain.


Page 8

Web security

• The World Wide Web is not just browsers, but also the web components that enable services for end users through their browser interface.

• The main threats to web systems are:

– Physical threats: these include loss of or damage to equipment through fire, smoke, water, dust, theft and physical impact.

– Physical impact may be due to a collision or be the result of malicious or accidental damage by people.

– Power loss will affect the ability of server and network equipment to operate.

– Malfunction: both equipment and software malfunction threats can affect the operation of a web site or web application.


Page 9

– Malfunction of software is due to poor development practices where security has not been built into the software.

– Malware: malware, or malicious software, can be installed on a computer in many ways; web servers are popular targets of such code.

– Spoofing: spoofing is where one computer assumes the identity of another.

– Eavesdropping: monitoring of data on the network or on a user's screen. This method is used to obtain passwords or sensitive data.

Computer Threats on the Web

Integrity
  Threats: modification of user data; modification of memory; modification of message traffic.
  Consequences: loss of information; compromise of machine; vulnerability to all other threats.
  Countermeasures: cryptographic checksums.


Page 10

Confidentiality
  Threats: eavesdropping on the network; theft of information/data from the server; information about the network server; information about communication between client and server.
  Consequences: loss of information; loss of privacy.
  Countermeasures: encryption, web proxies.

Denial of service
  Threats: killing of user threads; flooding the machine with bogus requests; filling up disk or memory.
  Consequences: disruptive; annoying; prevents users from getting work done.
  Countermeasures: difficult to prevent.


Page 11

Authentication
  Threats: data forgery.
  Consequences: misrepresentation of user; belief that false information is valid.
  Countermeasures: cryptographic techniques.
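As an added example (not part of the original slides), the Integrity row's countermeasure, cryptographic checksums, applied to a web server's document root: a SHA-256 baseline is recorded once and later compared to detect modified, added or removed files. `C:\inetpub\wwwroot` and the baseline path are assumed defaults; store the baseline off-host or read-only, since an attacker who can alter the files could otherwise alter the baseline too.

```powershell
# Added example, not from the original slides: file-integrity baseline and check
# for a web root using cryptographic checksums (SHA-256 via Get-FileHash).
# Usage:  .\Check-WebRoot.ps1 -Baseline      (record the baseline)
#         .\Check-WebRoot.ps1                (verify against it)
param(
    [string]$WebRoot      = 'C:\inetpub\wwwroot',                # assumed path
    [string]$BaselinePath = 'C:\Baselines\wwwroot.sha256.json',  # assumed path
    [switch]$Baseline     # create/refresh the baseline instead of verifying
)

# Map every file under $Root (relative path) to its SHA-256 hex digest.
function Get-TreeHashes([string]$Root) {
    $table = @{}
    Get-ChildItem -Path $Root -Recurse -File | ForEach-Object {
        $rel = $_.FullName.Substring($Root.Length).TrimStart('\')
        $table[$rel] = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
    }
    return $table
}

$current = Get-TreeHashes $WebRoot
if ($Baseline) {
    $current | ConvertTo-Json | Set-Content -Path $BaselinePath -Encoding UTF8
    "Baseline written for $($current.Count) files to $BaselinePath"
    return
}

# Load the saved baseline back into a hashtable of relative path -> digest.
$saved = @{}
(Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json).PSObject.Properties |
    ForEach-Object { $saved[$_.Name] = $_.Value }

# Compare both directions: changed/new files from the current tree, and
# files that exist in the baseline but have disappeared from the tree.
$findings = @()
foreach ($path in $current.Keys) {
    if (-not $saved.ContainsKey($path))        { $findings += "ADDED    $path" }
    elseif ($saved[$path] -ne $current[$path]) { $findings += "MODIFIED $path" }
}
foreach ($path in $saved.Keys) {
    if (-not $current.ContainsKey($path))      { $findings += "REMOVED  $path" }
}
if ($findings.Count -eq 0) { "All $($current.Count) files match the baseline" }
else { $findings }
```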


Page 12

Web security approaches

• A number of approaches to web security are possible.

• The different approaches are similar in the services they provide but differ in their scope of applicability and in their location within the TCP/IP protocol stack.


Page 13

• In fig. (a), security is provided by IPsec. The advantages of using IPsec are that it is transparent to end users and applications and provides a general-purpose solution.

• It also includes a filtering capability, so that only selected traffic need incur the overhead of IPsec processing.

• Fig. (b): another approach is to implement security just above TCP/IP; an example is the Secure Sockets Layer (SSL).

• SSL is followed by the Internet standard known as Transport Layer Security (TLS).

• SSL can be embedded in specific packages, for example the Netscape and Microsoft Internet Explorer browsers.

• Fig. (c): security is embedded within a particular application, for example mail.

• The advantage of this approach is that the service can be tailored to the specific needs of a given application.


Page 14

Secure Electronic Transaction (SET)

• Secure Electronic Transaction (SET) is a system for ensuring the security of financial transactions on the Internet.

• It was supported initially by Mastercard, Visa, Microsoft, Netscape, and others.

• With SET, a user is given an electronic wallet (digital certificate), and a transaction is conducted and verified using a combination of digital certificates and digital signatures among the purchaser, the merchant and the purchaser's bank, in a way that ensures privacy and confidentiality.

• SET makes use of Netscape's Secure Sockets Layer (SSL), Microsoft's Secure Transaction Technology (STT), and Terisa Systems' Secure Hypertext Transfer Protocol (S-HTTP). SET uses some, but not all, aspects of a public key infrastructure (PKI).


Page 15

1. The customer opens a Mastercard or Visa bank account. Any issuer of a credit card is some kind of bank.

2. The customer receives a digital certificate. This electronic file functions as a credit card for online purchases or other transactions. It includes a public key with an expiration date. It has been passed through a digital switch to the bank to ensure its validity.

3. Third-party merchants also receive certificates from the bank. These certificates include the merchant's public key and the bank's public key.

4. The customer places an order over a Web page, by phone, or some other means.

5. The customer's browser receives the merchant's certificate and confirms from it that the merchant is valid.

6. The browser sends the order information. This message is encrypted with the merchant's public key.


Page 16

It also contains the payment information, which is encrypted with the bank's public key (so it cannot be read by the merchant), and information that ensures the payment can only be used with this particular order.

7. The merchant verifies the customer by checking the digital signature on the customer's certificate. This may be done by referring the certificate to the bank or to a third-party verifier.

8. The merchant sends the order message along to the bank. This includes the bank's public key, the customer's payment information (which the merchant cannot decode), and the merchant's certificate.

9. The bank verifies the merchant and the message. The bank uses the digital signature on the certificate together with the message and verifies the payment part of the message.

10. The bank digitally signs and sends an authorization to the merchant, who can then fill the order.
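As an added example (not part of the original slides), the property at the heart of steps 6 to 9 above, demonstrated with .NET RSA from PowerShell: the order is encrypted for the merchant, the payment for the bank, and the customer signs both together so the payment cannot be separated from its order. The keys are generated locally for the demonstration; in real SET they come from the bank-issued certificates of steps 2 and 3.

```powershell
# Added example, not from the original slides: the SET dual envelope of step 6
# and its verification in steps 7-9, using System.Security.Cryptography.RSA.
$rsaType  = [System.Security.Cryptography.RSA]
$customer = $rsaType::Create(); $merchant = $rsaType::Create(); $bank = $rsaType::Create()
$oaep = [System.Security.Cryptography.RSAEncryptionPadding]::OaepSHA1
$sha  = [System.Security.Cryptography.HashAlgorithmName]::SHA256
$pkcs = [System.Security.Cryptography.RSASignaturePadding]::Pkcs1
$utf8 = [System.Text.Encoding]::UTF8

# Public halves only, as a party would publish them in its certificate.
function Get-PublicKey($rsa) { $p = $rsaType::Create(); $p.ImportParameters($rsa.ExportParameters($false)); $p }
$merchantPub = Get-PublicKey $merchant
$bankPub     = Get-PublicKey $bank
$customerPub = Get-PublicKey $customer

# Constructed order: the payment carries the order id so it is bound to this order.
$orderId = 'ORD-0001'
$order   = $utf8.GetBytes("$orderId;item=book;amount=19.99")
$payment = $utf8.GetBytes("$orderId;card=4111-XXXX-XXXX-1111;exp=12/30")

# Customer (step 6): order for the merchant, payment for the bank, and one
# signature over both so neither half can be swapped for another order.
$encOrder   = $merchantPub.Encrypt($order, $oaep)
$encPayment = $bankPub.Encrypt($payment, $oaep)
$signature  = $customer.SignData([byte[]]($order + $payment), $sha, $pkcs)

# Merchant (steps 7-8): reads the order, cannot open the payment envelope,
# and forwards order, payment envelope and signature to the bank.
$seenOrder = $merchant.Decrypt($encOrder, $oaep)
try   { $merchant.Decrypt($encPayment, $oaep) | Out-Null; $merchantReadsPayment = $true }
catch { $merchantReadsPayment = $false }

# Bank (step 9): opens the payment, checks the customer's signature over
# order + payment, and checks the payment is bound to the forwarded order.
$seenPayment = $bank.Decrypt($encPayment, $oaep)
$sigValid    = $customerPub.VerifyData([byte[]]($seenOrder + $seenPayment), $signature, $sha, $pkcs)
$bound       = $utf8.GetString($seenPayment).StartsWith($utf8.GetString($seenOrder).Split(';')[0])

"Merchant read order       : $($utf8.GetString($seenOrder))"
"Merchant can read payment : $merchantReadsPayment"
"Customer signature valid  : $sigValid"
"Payment bound to order    : $bound"
```

Tampering with either envelope or substituting another order's payment makes the signature check at the bank fail, which is the check that step 9 relies on before the authorization of step 10.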


Page 17

Secure Sockets Layer (SSL)

• Secure Sockets Layer is a protocol that provides


Page 18

• SSL was developed for Netscape Navigator.

• It provides secure and authenticated communication between browser and server.

• SSL provides transport layer security (TLS).

• SSL provides either server-only authentication or client/server authentication.

• In server-only authentication, the client receives the server's certificate, verifies it, generates a secret key and encrypts it with the server's public key.

• The client sends this encrypted secret key to the server.

• The server decrypts it with its private key and uses the client-generated key to encrypt the messages to be sent to the client.

• In server/client authentication, the client sends its own certificate along with the secret key, so that the client can be authenticated too.

• SSL consists of the following protocols:

• SSL Handshake Protocol

• SSL Change Cipher Spec Protocol


Page 19

• SSL Alert Protocol

• SSL Record Protocol

• SSL Handshake Protocol:

• Used to initiate a session between client and server.

• Authenticates both parties to each other.

• The algorithm and key used for encryption are negotiated.

• SSL Change Cipher Spec Protocol:

• Used to choose the cryptographic key between client and server.

• Key exchange method.

• Encryption algorithm used.
