Time
12 hours 41 minutes
Difficulty
Advanced
CEU/CPE
13

Video Description

After a discussion on development methodologies, we move on to examining common software architectures. This is an important topic with respect to application security and it's a slightly longer section. The architectures we discuss in this video, along with their advantages and risks, are: - Distributed computing - Terminal services and remote access servers - Peer-to-peer architecture - SOA (Service-Oriented Architecture) - Rich internet applications We then move on to discuss the threats associated with these architectures in terms of both client-side and server-side threats. It's noted that with ubiquitous computing that threats have grown exponentially. The video concludes with a discussion on the vulnerabilities associated with wireless technologies such as: - Wi-Fi - RIFID - NFC - LBS (location-based services) e.g. GPS

Video Transcription

00:04
moving forward. We're gonna look at security and common architectures that Aaron use and we'll take a look. A distributed computing, some ideas behind service oriented architectures, rich Internet applications. We'll talk about the idea of ubiquitous computing and then cloud architecture.
00:23
So as we talk about distributed computing,
00:25
you know, one of the things that we would look at is we look at, um,
00:30
client server environment where we have a server and we have the clients, you know, in comparing this back to the days of main frames. So with mainframes, we had a huge mainframe that was protected. This was the system that did actually all the processing. And then on client desktops, we had
00:49
dumb terminals.
00:51
That's not a distributed environment. That's a centralized environment, because all the processing, all the work, all the effort, everything was being done on the mainframe, and the client simply had the terminals on their desk cop.
01:03
So we moved from there to a distributed environment of client server where we had processing on both ends. So in a client server environment, where we talk about the idea of thin clients versus fat clients, well, if you go back to mainframes. Mainframes gave us
01:19
the ultimate thin clients through the use of terminals.
01:23
And when we talk about thin clients, we talk about low, low, low and functionality.
01:29
You know, apart from the mainframe, what can you do on a terminal?
01:32
Nothing,
01:33
you know. Does the terminal have a drive to input information? No. Doesn't have a drive to export information? No. Doesn't have an operating system on which you can perform various functions? Not really. So the idea of a system that has very low computing capabilities, very low hardware requirements and functions.
01:53
That's it,
01:53
then. Client.
01:55
So what's interesting is, you know, we went from the mainframe environment to a client server environment and the benefit Waas. Let's have these computers on everybody's desktops that air powerful computing machines. You know, let's go out and spend two grand on everybody's individual systems, and let's give them the power to do the processing right there.
02:15
Now the problem with that is the life span of a computer is about a year and 1/2 maybe a little bit more.
02:22
But
02:23
if I've got 200 computers that I've spent two grand apiece and they have to be upgraded every three years. That one's up being very costly.
02:30
So the idea of then clients has come back around in that we do a lot through, um,
02:38
Web forms. We do a lot through terminal service's and remote access, and ultimately, what that allows us to do is to keep our desk cop clients without having to constantly upgrade and update them.
02:54
So when we have this remote access server, that's where the software's actually running or the server form, or whatever that might be.
03:02
That's the these air, the systems that we have to invest the money in. We have to make sure those are robust systems. This is where we patch our software. This is where we control our software. So it really gives us the benefit of centralization. Even though we're in a distributed environment. Having very thin clients saves me money as well.
03:22
It's also benefit from a security means
03:24
because what I could then do is I can take out, um, the media drives on my thin clients. I can take out the USB. I can take out the DVD and rewriteable drives because
03:38
the processing is happening on the remote access servers, so we could make those clients very, very thin. And if you don't have any way of importing or exporting media or information, that certainly provides me benefit security.
03:53
Other things that we think about with client server environments, we think about scale, ability, client server environments, very easy to add host to and can grow in a very large environment. We have to think about availability. So we incorporate redundancy into that client server design
04:11
and usually with client servers again very much a centralized environment. So we maintain the servers. Also, what happens with a client server environment is we create our security policies on the server on the domain, controller, the client's log into the domain controller and get their policy.
04:30
So that's centralized as well. We like centralisation
04:33
because it cuts down on our efforts, and it's easier to secure and manage
04:38
now. Prior to client server environments, we did have a peer to peer networks which were used in the workplace. Now we mostly see peer to peer networks for file sharing, you know, from from end user to end user being able to share files. You know, a lot of the torrent software
04:55
Napster really was one of the first most popular PTP sharing
05:00
mechanisms. So, um,
05:03
we've got both of those means is distributed computing.
05:06
We move on to talking about the idea of service oriented architecture, and this really goes back into the idea that I was talking about earlier. I talked a little bit about modular ization, if you will, and
05:20
what we want is instead of an application that does. Everything is, we think about term functions in terms of service is, and we have each module perform a particular service, and that service can be used again and again, and that could be used in different contexts. So
05:41
basically, when we talk about a service oriented architecture,
05:45
it is a much more efficient means of development. And it's a much more vendor. Neutral means. So,
05:54
um, we get this integration or this communication between multiple vendors because we're using these neutral service is
06:02
I hope that makes sense. So there's some ideas that go along with service oriented architectures. Um, loose coupling means that the individual modules can't be too dependent upon one another. They have to maintain a degree of independence
06:20
abstraction. Usually when we talk about these objects, they're not concerned with all the other details of how everything else works. They perform a specific function of specific service, if you will.
06:32
Ah, and the rest is dealt with. The rest is up dressed. It's abstracted from the specific service.
06:40
Other ideas like reusable, stateless, discoverable. These ideas all come into play with service oriented architecture. And again, the idea is, let's have a means of
06:55
vendor neutral communication functionality that's reusable in modular and design.
07:02
Internet rich applications are rich Internet applications, you know, with all the functionality we have through our Web applications,
07:14
what we're seeing is Adweek. As we add additional functionality, we're seeing threats increase again. That idea of reducing the attack surface will. The tradeoff for that is we have less functionality.
07:27
So if we want a great deal of functionality and interaction, we're likely going to increase the attack surface. So when we talk about these rich Internet applications, we have to look a client side threats and server side threats
07:40
with threats to the client. So essentially, you know we'll go to a Web page and will visit a Web page that will run a script on our system, you know, Java script is very, very powerful.
07:51
Activex controls very, very powerful. So when we visit a trusted website and we allow the scripts to run on their system, that presents a threat.
08:03
Now, just a couple of clients. I'd script threats, cross site scripting and
08:11
the sea surf attack, which is a cross site request. Forgery, sometimes pronounced Ceasar
08:16
uh, these were both threats and the client side.
08:20
What happens with cross site scripting
08:22
is an attacker would taken advantage advantage of a trusted website that does not provide proper input validation.
08:31
So essentially, it's code injection on a Web site that doesn't provide the appropriate validation. And then what they're essentially looking to do is to trick me as a client into going to that website where the malicious code wraps around and runs in my browser.
08:48
Now,
08:48
one way to think about that is a cross site script takes advantage of my trust for a website.
08:56
Hey, a sea surf takes advantage of a Web sites trust in me.
09:01
And here's what I mean when I establish a connection, say, for instance, to my bank, I've got a session and I obsession i d in session related information, and that's how that bank knows that I've already authenticated. I'm already validated. And I should have access. That keeps me from having the wall again, again and again and again
09:22
for every single request that make.
09:24
But the problem with that is,
09:26
if someone
09:28
could possibly compromise that information and use my session, i d maliciously. That's how men in the middle or that's how session hijacks happen.
09:39
And so across site request forgeries Essentially gonna take advantage of me running, uh, having two sessions going at the same time a session going on with my bank and then another application open, Possibly some sort of Internet chat or some sort of message and capability with the attacker.
09:58
So the way this might work might be I'm gonna send you an email until you that your Bank of America account has been compromised. Call this phone number and will assist you with correcting the problem.
10:09
All right, So you call me, and I'm gonna have you log on to your base.
10:11
Okay? Go ahead and log on to your banking application.
10:16
Now, in this other application, I want you to go, and I want you to click a link on an email that I send you, and I'm gonna help you troubleshoot the problems. Well, of course, when you click on that link of the email that I send you, you're launching an application that will maybe steal that session information that might be in cookies that might be stored unencrypted,
10:35
Uh, and even if it is encrypted, if I can use it again, I don't really care that I couldn't decrypt it.
10:41
So ultimately, with the cross site request forgery, I'm gonna steal that authentication that session based information and use it to impersonate a legitimate users.
10:50
So one testable idea cross site scripting takes advantage of a user's trust of a website.
10:58
Cross site request. Forgery takes advantage of a Web sites trust of the user.
11:05
So if you think about that, that should make sense
11:07
now. Those were a couple of threats. The client side application. Certainly the server side has many threats as well. Probably the biggest threat when we talk about Web applications to a backend server is code injection
11:22
and with code injection. You know so many of our applications require user input,
11:28
whether it's your username password, city state address, I may be asking you for customer service feedback, whatever that might be. And we solicit that information through Internet forms.
11:43
Well, the problem is, what goes in those forms is eventually going to go to my back in database. And if it could be entered into the database, the Basin database can process.
11:54
So what we want to make sure is that no one's entering commands like drop table
12:00
into my database, and there is no person out there whose name should be dropped. Johnny drop tables. So we have to cleanse our data. We have to make sure our dad is inspected and we want to validate. Make sure that there is no data control language being entered. We want to regulate the data type so that people aren't using
12:20
um
12:20
Balfa bet for daytime fields. We also want to do things like, um, check for the size the field size, and we do that through an interface. I don't know if you remember me earlier talking about Clark Wilson security model
12:37
that essentially said, keep your protected resource is away from untrusted users
12:43
forced them through an interface. That's exactly what does the inspection with their server side threats, we have something called a common Gateway interface script, the CG I script.
12:54
That interface is what's responsible for doing the input validation.
13:00
So just ideas that kind of all come around and tie in together.
13:03
Other threats against a server aggregation and inference is information is collected.
13:09
Um, that information can be accumulated
13:13
and inference means I pull all this information together. And then I take that next step and I make an assumption.
13:20
So some ways that we can prevent aggregation and inference. We mask out sensitive information like I've already mentioned. We do masking with credit card numbers, Social Security numbers, passwords. So we a limit. What information or we limit when information is is capable of being seen.
13:39
And then the idea with Appalling and Stan she ation pollen Stan, she ation is actually a big word for lying.
13:46
Um, that's exactly what Polly and Stan she ation is multiple instances of an event.
13:52
So the idea is
13:56
if there's information that we want to protect,
13:58
sometimes
14:01
just by saying this is high value information or top secret information
14:07
that really lets an attacker No. Hey, this is good stuff.
14:11
So rather than marking something is top secret What we might do is we might inter false information
14:16
like, for instance, let's say I logged into a database that tracks the whereabout of where our ships are going.
14:22
Okay? And I see that we have a ship that's going to, ah, location that's marked this topsy
14:28
well, all of a sudden, it's intriguing to me that's high value information
14:33
Now, if instead, when I log on with unclassified access, it tells me the ship is delivering food to the coast of Africa.
14:41
All of a sudden, that's not of interest to me.
14:43
But someone who logs in with the higher level of classifications sees that the ship is actually delivering munitions somewhere in the Middle East will. Certainly, that becomes much more meaningful. So the idea is, if you log on with lower access or lower clearance, you get one set of information,
15:01
and if you log on with a higher level of clearance, you might get
15:05
actual events. That's Polly in Stan, she ation. We often see that used with databases,
15:11
all right, a couple of other ideas here. Ubiquitous computing computers are everywhere. Everywhere you look, we see wireless technology, whether it's the controls on our vehicles, whether it's pacemakers and other health related information in a wireless networking
15:31
is everywhere.
15:33
Any time we're communicating wirelessly anytime of computers involved, anytime there's transmission of information across a media but type of media,
15:43
we have the potential for eavesdropping. We have the potential for manipulation and so on.
15:48
Or if I D's, um, with, uh, we're seeing the chips on the credit cards were seeing the chips on the password on the passports we see the R F I D chips on our transponders were going through the easy pass a toll booths, so certainly we see a lot of these.
16:07
The near field communications are becoming very, very popular
16:11
if you have a hotel room key that you no longer feed through the slot, but you just hold it near the slot that's in FC Communications. They're also things like location based service is. There's a GPS that allows tracking. They're all sorts of means of computing that we see out there today.
16:32
So the more computers there are, the more vulnerabilities
16:36
we we go this path for ease of use, and it certainly has its vulnerabilities. But we also have to look at the threats that come as well

Up Next

ISC2 CISSP

Our free online CISSP (8 domains) training covers topics ranging from operations security, telecommunications, network and internet security, access control systems and methodology and business continuity planning.

Instructed By

Instructor Profile Image
Kelly Handerhan
Senior Instructor