1) System Maintenance and Management
a) Core System Maintenance
User Account Control (UAC) – a security feature designed to run in Admin Approval Mode.
b) Virus and Spyware Detection and Management
- Threats to network security: viruses, worms, Trojan horses, logic bombs, zombies & botnets, rootkits, spyware & spam
- Inoculation: A process used by antivirus to calculate and record a checksum to guard against viruses and worms.
- Spam: Unsolicited Bulk E-mail (UBE)/ Unsolicited Commercial E-mail (UCE)
c) Securing the System
Windows Firewall, Windows Update and Junk E-Mail options
2) Application Security and Social Engineering
a) Web Application Security
HTML tags for JavaScript: <script> and </script>
Main security issues associated with JavaScript in the web browser: monitoring web browsing, security bugs, reading the browser’s preferences
ActiveX: a technology developed by Microsoft that provides tools for linking desktop applications to web content. Attackers can use ActiveX macros to gain access to sensitive information stored on the system. They could also edit the registry settings of the target system or use the target system to launch attacks on other systems, as in the case of a DDoS attack.
Java Applets: typically stored on web servers and downloaded by clients when accessed for the first time. After that, when the user accesses the server, the applet is already in the client’s cache, so it runs from the cache without needing to be downloaded again.
Sandbox restrictions prevent actions such as deleting files or modifying system information such as registry settings and other Control Panel functions.
Reasons for using code-signing features are:
- to avoid the sandbox restrictions imposed on unsigned code
- to prove that the application source code arrived unaltered from the trusted author
CGI Script: consists of an executable program on the server and an HTML page that feeds input to the executable.
b) Pop-ups, Cookies and Input Validation
Unwanted pop-ups can cause frustration and multiple pop-ups can decrease your productivity on the web.
Session Cookies: for shopping carts on e-commerce sites
Saved Cookies: for storing login details
An attacker could obtain a victim’s cookie for a given service by generating a script that must execute within a page from that same domain or server. An attacker can execute code on the server that generates an error message which is returned to the user. The attacker can then exploit the insecure error notification to launch an attack on the target server.
Since it is not possible for an attacker to obtain a given cookie directly from a victim’s computer, the attacker convinces the user to follow a malicious hyperlink to the targeted server so that the cookie can be obtained through the error handling process on the server. In this sort of attack, the victim must be logged on to the service during the time the attack takes place.
Types of input validation security threats:
Cross-site scripting: refers to exploiting the input validation by entering script instead of valid data, where the script steals data and redirects it to the attacker’s server. Also known as XSS, it takes advantage of the absence of input validation. XSS can occur in web sites that contain forms or boxes for entering item descriptions. Hackers can use these forms to enter code that redirects input to the original server. After the script has been saved to the original server, anyone who views the item with the malicious script is at risk.
Buffer overflow attacks: Hackers can attack by manipulating the maximum field input size variable for input fields, which could be larger than the database can accept. Applications allocate a certain amount of memory for the amount of data they are expecting to receive. Buffer overflow occurs when the data entered into an input field is too large to fit into its allocated memory buffer. Consequently, the data can overwrite areas of memory reserved for other processes and can eventually crash the application or even the server.
To launch the attack the attacker needs to do so while the user is logged into the service that is being attacked. The attack code is loaded into the user’s buffer. Then the buffer data overflows the area allotted to it, causing the damage inflicted by buffer overflows.
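The two input validation threats above, shown from the server's side as an added example (not part of the original notes): an item-description store that enforces the field size on the server and HTML-encodes stored text on output. The names saveItem, renderUnsafe, renderSafe and the 200-character limit are assumptions made for illustration.

```javascript
// Added example: item-description store showing stored XSS and its fix.
// All names and the 200-character limit are hypothetical.
const items = new Map(); // stands in for the server-side database

// Input validation at submission: the size limit is enforced on the server,
// because a maximum length set only in the HTML form can be changed by the client.
function saveItem(id, description) {
  if (typeof description !== "string" ||
      description.length === 0 || description.length > 200) {
    throw new RangeError("description must be 1-200 characters");
  }
  if (/[\u0000-\u0008\u000B\u000C\u000E-\u001F]/.test(description)) {
    throw new RangeError("description contains control characters");
  }
  items.set(id, description);
}

// Vulnerable: stored text is concatenated into the page as markup,
// so every viewer's browser interprets whatever was saved.
function renderUnsafe(id) {
  return `<div class="item">${items.get(id)}</div>`;
}

const HTML_ESCAPES = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
};

function escapeHtml(text) {
  return text.replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Hardened: stored text is HTML-encoded on output, so the browser
// displays it as text instead of executing it.
function renderSafe(id) {
  return `<div class="item">${escapeHtml(items.get(id))}</div>`;
}

// Constructed sample input: an inert marker stands in for submitted script.
saveItem(1, "Vintage lamp, 40 cm tall");
saveItem(2, "<script>/* constructed marker */</script>");

console.log(renderUnsafe(2)); // markup reaches the page unchanged
console.log(renderSafe(2));   // same text, encoded for display
```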
c) Social Engineering
It is the real-world equivalent of hacking. It involves exploiting trust between people to gain information that can then be used to gain access to computer systems. This trust exploitation usually involves a verbal trick, hoax and a believable lie.
Goals of social engineering techniques:
- network intrusion
- industrial espionage
- identity theft
- disrupt a system or network
Social engineering techniques are often used when an attacker cannot find a way to penetrate a system using other means.
Five main social engineering techniques:
- Shoulder surfing: someone attempts to observe secret information over your shoulder
- Dumpster diving: an attacker digging useful information out of an organisation’s trash bin
- Online attacks: using IM and e-mail to exploit trust relationships for executing malicious code
- Phishing: an attacker sends e-mail that appears to come from a trusted sender and tries to direct the recipient to a fake website to enter personal information
- Domain kiting: When a domain is registered, there is a 5-day grace period that is designed to be used to test the advertising revenue generated by the site. This is known as domain tasting. If the site proves to be unprofitable, the new domain can be returned and you’re not charged for the site. Some people have their domain deleted during the grace period and then register the name again, hence resetting the grace period and postponing the payment for the domain. This is known as domain kiting. Kited domains are often used as part of a phishing scheme.