CompTIA CASP Notes – Module 7 (Final)

December 19, 2016


Technical Integration of Enterprise Components
MODULE 7: Host & Application Security

Security Controls for Hosts

Trusted OS – an OS that provides sufficient support for multilevel security and evidence of correctness to meet a particular set of standards

  • CC (Common Criteria) – international standard used to rate operating systems (and other products) for their level of security using “evaluation assurance levels” (EALs)

    • EAL1: Functionally tested

    • EAL2: Structurally tested

    • EAL3: Methodically tested & checked

    • EAL4: Methodically designed, tested, & reviewed

    • EAL5: Semi-formally designed & tested

    • EAL6: Semi-formally verified design & tested

    • EAL7: Formally verified design & tested

Patch Management

  • Hot fixes: should be applied immediately to solve a security issue (if relevant to the system)

  • Updates: solve issues with functionality

  • Service packs: roll-up of all updates & hotfixes released since the OS release

DLP (Data Loss Prevention) – attempts to prevent data leakage, either at the network level (network DLP) or on the device (endpoint DLP)

Host-Based Firewalls

  • iptables is a common host-based firewall on Linux; it filters packets using rules much like a network firewall. In the rules below, -A INPUT appends to the INPUT chain, -i names the inbound interface, -s the source range and -j DROP the action taken on a match:

    • iptables -A INPUT -i eth1 -s 192.168.0.0/16 -j DROP

    • iptables -A INPUT -i eth1 -s 10.0.0.0/8 -j DROP

    • iptables -A INPUT -i eth1 -s 178. -j DROP

  • Windows Firewall – GUI-managed firewall already present in the system; it must still be configured

Host Hardening – reduce attack surface of a device

  • Remove any unnecessary applications, services, accounts, ports

  • When possible, use GPOs (Group Policy Objects) as well as standard images (“baseline systems/settings”)

  • Restrict access to admin consoles and restrict command shell access

  • Configure & secure all management interfaces

  • Restrict peripherals, e.g. disable or restrict USB ports, removable devices, BIOS access and FireWire

  • Use MDM (mobile device management) solutions to secure these devices

  • Use boot loader protections

  • Measured launch – software & platform components are identified (measured) using cryptographic hashes before they are executed

    • IMA (Integrity Measurement Architecture) – Linux mechanism that attempts to measure the runtime environment

Full Disk Encryption

  • EK (Endorsement key): public/private key pair installed in the TPM’s persistent memory at manufacture

  • SRK (Storage root key): key in persistent memory that protects the other keys stored by the TPM (trusted platform module)

  • AIK (Attestation identity key): key in volatile memory that ensures the integrity of the EK

  • PCR (Platform configuration register): stores data hashes (measurements) used for the sealing function

  • Storage Keys: keys used to encrypt storage
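An added example (not from the original notes) tying together measured launch and the PCR/sealing bullets: it models the TPM extend operation, PCR_new = SHA-256(PCR_old || measurement), over a constructed boot chain, then uses a toy stand-in for sealing (not the real TPM2 API) to show that a disk key is only released when the measured chain matches. Component images and the sealing scheme are assumptions made for the example.

```python
import hashlib
import hmac

# Constructed boot chain for this example (not real firmware images): (component, bytes).
# Assumption: a single SHA-256 PCR bank, as on TPM 2.0; a PCR starts as 32 zero bytes at reset.
BOOT_CHAIN = [
    ("bootloader", b"sample bootloader image"),
    ("kernel", b"sample kernel image"),
    ("initrd", b"sample initramfs image"),
]

def pcr_extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM extend: PCR_new = SHA-256(PCR_old || digest). A PCR can only be extended,
    never written, so its final value commits to every measurement and to their order."""
    return hashlib.sha256(pcr + digest).digest()

def measure_chain(chain):
    """Measured launch: hash each component before handing control to it, extend the PCR,
    and keep an event log (what IMA / the firmware event log records for later replay)."""
    pcr = bytes(32)
    event_log = []
    for name, image in chain:
        digest = hashlib.sha256(image).digest()
        pcr = pcr_extend(pcr, digest)
        event_log.append((name, digest.hex()))
    return pcr, event_log

def seal(secret: bytes, expected_pcr: bytes):
    """Toy model of sealing: bind a key (<= 32 bytes) to an expected PCR value. A real TPM
    keeps the wrapping key inside the chip; here it is derived from the PCR for illustration."""
    wrap = hashlib.sha256(b"seal" + expected_pcr).digest()
    blob = bytes(s ^ k for s, k in zip(secret, wrap))
    tag = hmac.new(wrap, secret, hashlib.sha256).digest()   # lets unseal detect a PCR mismatch
    return blob, tag

def unseal(blob: bytes, tag: bytes, current_pcr: bytes):
    """Returns the secret only if the current PCR equals the one it was sealed to."""
    wrap = hashlib.sha256(b"seal" + current_pcr).digest()
    secret = bytes(b ^ k for b, k in zip(blob, wrap))
    if not hmac.compare_digest(hmac.new(wrap, secret, hashlib.sha256).digest(), tag):
        return None   # boot chain changed: refuse to release the disk key
    return secret

if __name__ == "__main__":
    good_pcr, log = measure_chain(BOOT_CHAIN)
    blob, tag = seal(b"disk-encryption-key-sample-00000", good_pcr)
    print("trusted boot:", unseal(blob, tag, good_pcr))
    tampered = [(n, b"evil " + img if n == "kernel" else img) for n, img in BOOT_CHAIN]
    print("tampered kernel:", unseal(blob, tag, measure_chain(tampered)[0]))
```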

VM Escape – exploit in which code running inside a VM ‘escapes’ the VM and is able to access other VMs

VDI (Virtual Desktop Infrastructure) – desktop OS contained in a virtual environment on a centralized server

vTPM (virtual trusted platform module) – enables trusted computing for VMs on a single hardware platform using a software object that acts like a physical TPM

Application Vulnerabilities and Security Controls

Specific Application Issues

  • Insecure Direct Object References – the application doesn’t verify that the user is authorized to access the referenced object

  • XSS (Cross-site scripting) – attacker injects malicious code (typically script) into a web application after finding a vulnerability

  • CSRF (Cross-Site Request Forgery) – attack that causes an end user to execute unwanted actions on a web application to which she is currently authenticated, by exploiting the website’s trust in the browser

  • Click-jack attack – transparent frame or page crafted over a legitimate-looking page to entice the user to click

  • Session hijacking – user authenticates to a website and the session is then taken over by the attacker

  • Input Validation – checking input for things such as proper format & length. Length should be checked, and validators used to check characters or patterns against a blacklist or whitelist

  • SQL Injection – attack that injects a SQL query as input data from the client application. To prevent it, use proper input validation, prepared statements, & blacklisting or whitelisting of characters.

  • Buffer Overflow – occurs when the amount of data submitted is larger than the buffer can handle. Applications should be properly tested for overflow conditions; input validation is a must.

  • Memory Leaks – memory is exhausted when allocated memory is not returned to the OS

  • Integer Overflows – math operations try to create a value that is too large for the available space

  • Race Conditions – attacker inserts between instructions, introduces changes & alters the order of execution

  • TOCTOU (Time of Check/Time of Use) – the system state is changed between a condition check and the use of the check’s result

  • Resource Exhaustion – goal of DoS/DDoS attacks
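An added example (not from the original notes) for the input validation and SQL injection bullets: a string-built query beside its hardened form, which combines a whitelist validator with a prepared statement. The in-memory users table and the sample rows are constructed for the example.

```python
import re
import sqlite3

def make_db():
    """Constructed in-memory users table for this example."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password_hash TEXT, role TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)",
                   [("alice", "h1", "admin"), ("bob", "h2", "user")])
    return db

# Whitelist validator: allowed characters AND length are both checked up front.
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")

def validate_username(username: str) -> bool:
    return USERNAME_RE.fullmatch(username) is not None

def lookup_vulnerable(db, username: str):
    """Vulnerable: client input is pasted into the SQL text, so quote characters in the
    input change the query's structure (WHERE clause) instead of being compared as data."""
    sql = f"SELECT username, role FROM users WHERE username = '{username}'"
    return db.execute(sql).fetchall()

def lookup_parameterized(db, username: str):
    """Prepared statement: the input is bound as a value and can never be parsed as SQL."""
    return db.execute("SELECT username, role FROM users WHERE username = ?",
                      (username,)).fetchall()

def lookup_safe(db, username: str):
    """Hardened form: reject malformed input first, then use the prepared statement."""
    if not validate_username(username):
        raise ValueError("invalid username")
    return lookup_parameterized(db, username)

if __name__ == "__main__":
    db = make_db()
    crafted = "x' OR '1'='1"          # input that is not a username at all
    print("vulnerable:", lookup_vulnerable(db, crafted))     # leaks every row
    print("parameterized:", lookup_parameterized(db, crafted))  # no such user
    try:
        lookup_safe(db, crafted)
    except ValueError as e:
        print("safe:", e)
```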

Industry Accepted Approaches

  • WASC (Web Application Security Consortium) – organization that provides best practices for web-based applications

  • OWASP (Open Web Application Security Project) – group that monitors attacks, specifically web attacks

  • BSI (Build Security In/Initiative) – promotes a process-agnostic approach that makes security recommendations

  • ISO/IEC 2700 – standards that provide guidance to organizations on integrating security into the development and maintenance of software applications

  • WS-Security (Web Services Security) – extension to SOAP used to apply security to web services; it specifies:

    • How to sign SOAP msgs to ensure integrity

    • How to encrypt SOAP msgs to ensure confidentiality

    • How to attach security tokens to ascertain the sender’s identity

Software Development Methods

  • Waterfall – breaks software development into distinct sequential phases: Idea → Analysis → Design → Development → Test

  • V-shaped – similar to waterfall, but verification and validation are performed at each step

  • Spiral – iterative approach that places more emphasis on risk analysis at each stage

  • RAD (Rapid Application Development) – less time spent up front; relies on trial & error to produce a prototype

  • Agile – attempts to be nimble, reacting to situations as they arise and taking advantage of lessons learned in later phases

  • JAD (Joint Analysis or Application Development) – uses a team approach

Monitoring Mechanisms

  • WAF (Web Application Firewall) – applies rule sets to HTTP conversations

  • DAM (Database Activity Monitoring) – monitors transactions and the activity of DB services.

Client-Side Vs Server Side Process

  • Client-Side – the client makes a request, the content is retrieved from the server, and execution is performed in the client browser

  • Server-Side – all processing happens on the server

JSON/REST

  • REST (Representational State Transfer) – client/server model for interacting with content on remote systems, mainly using HTTP

  • JSON – simple text-based message format often used with REST web services

    • Advantages over SOAP/XML – smaller in size, more efficient, provides improved response times (uses cache), easier to design and implement

Browser Extensions

  • ActiveX – server-side MS tech that uses OOP (object-oriented programming) and is based on COM (Component Object Model) & DCOM (Distributed Component Object Model)

  • Java applet – server-side component created using Java that runs in the browser and is platform independent

  • Flash – Client-side program used to create content that is played in the Adobe Flash Player

SOAP (Simple Object Access Protocol) – protocol specification for exchanging structured information in the implementation of web services.

AJAX (Asynchronous JavaScript and XML, client-side) – group of interrelated web development techniques used to create asynchronous web applications

Host, Storage, Network, & Application Integration

Interoperability Issues

  • Implement in a protected network or DMZ

  • Limit access to Admins, virtualize if possible

  • Use ACLs and use the highest level of encryption and authentication

  • For Windows Applications, try compatibility mode

Vulnerabilities associated with cloud & virtual models:

  • Weak access control between VMs

  • Physical server resource depletion

  • Server crash or compromise affects all VMs on that physical server

  • Host-to-host attacks may be possible if the platform is compromised

  • If a single platform is used, all systems are vulnerable to the same attack

  • Ensure data in multi-tenant solution is isolated from other tenants’ data.

Storage Security Considerations

  • Limit physical access

  • Manage the storage solution on a private network

  • Implement ACLs for all data, paths, subnets & networks (at the port level if possible)

  • Use multi-factor authentication

Enterprise Application Integration Enablers

  • CRM (Customer Relationship Management) – deploy a VPN if remote access is required

  • ERP (Enterprise Resource Planning) – should be deployed in a DMZ

  • GRC (Governance, Risk, & Compliance) – Access should be tightly controlled

  • ESB (Enterprise Service Bus) – designs and implements communication between mutually interacting software applications in a service-oriented architecture

  • SOA (Service-Oriented Architecture) – uses software components to provide application functionality as services to other applications

  • Directory Services – stores, organizes, and provides access to information in a computer operating system’s directory

  • DNS (Domain Name System)

    • Enable DNSSEC (Domain Name System Security Extensions)

    • Configure internal DNS servers to communicate only with root servers

    • Use a longer TTL so the resource record is re-queried less frequently, lessening the possibility of poisoning

  • CMDB (Configuration Management DataBase) – keeps track of the state of assets and the relationships between them

  • CMS (Content Management System) – publishes, edits, modifies, organizes, deletes, and maintains content from a central interface; maintains versioning while allowing teams to work together

Good Luck on the Exam!

4 Comments
  1. Good Job 😉

  2. Thanks Bro

  3. Where I found other notes of previous modules

  4. Good job and a nice series!
