YUSIF SULEIMAN

[2308-0703-0223]

INTERNATIONAL ADVANCE DIPLOMA IN NETWORK &COMPUTER SECURITY APPLICATION AND INFRASTRUCTURE SECURITY (CSM201) ASSIGNMENT TERM 3 2012 Student declaration: I declare that: I understand what is meant by plagiarism The implication of plagiarism has been explained to me by my institution This assignment is all my own work and I have acknowledged any use of the published and unpublished works of other people. Students signature:. Total number of pages including this cover page 06/11/2012 Submission Date Due Date 2308-0703-0223 Students ID Class Code Students Full Name Yusif Suleiman Mr. Bashir Lecturers Name OFFICIAL USE ONLY Markers comments Date: 29\10\2012

13/11/2012 GROUP 1

Markers name

Initial mark awarded Penalty on late submission Penalty for plagiarism Final mark awarded

/100

/100

CSM201 APPLICATION AND INFRASTRUCTURE SECURITY

Page 1

YUSIF SULEIMAN

[2308-0703-0223]

Table of Contents
CONTENT PAGES Cover ..1 Table of Contents........2 List of Figures..3 List of Tables...3 1.0 Introduction.......5 1.1 Description of Vulnerabilities........5 What is Vulnerability...5 The Web Application Security Gap....5 How it Affect the System....6 Top Web Application Vulnerabilities & Security Threats..7 1.2 Proof of Concept8 1.2.1 Cookies Poising 7 1.2.2 Testing for Cookies Poising Attribute Vulnerability.8 1.2.3 Counter Measures for Cookies Poising ...13 1.3.1 Brute Force Attack ......14 1.3.2 Counter Measures for Brute Force....19 1.4.1 Broken Links....20 1.4.2 Counter Measures for Broken Links.24

2.1 Explaining Company and Industry25 2.2 Existing Application System.........25 2.3 Current Infrastructure used with Diagram......27 2.4 Defense on Network......28 2.5 Defense on Host Server.28 Strong Password Perimeter Protection with Firewall Intrusion Detection System Content filtering Antivirus Data Encryption 3.1 CIA Triage .......33 4.1 References....35
CSM201 APPLICATION AND INFRASTRUCTURE SECURITY Page 2

YUSIF SULEIMAN
List of Figures and Diagrams

[2308-0703-0223]

1. Figure 1.2.1: Entering Web Address....9 2. Figure 1.2.2: Target ....10 3. Figure 1.2.3: Target Detected .....10 4. Figure 1.2.4: Beginning Web Scan..11 5. Figure 1.2.5: Vulnerabilities Web Links Shown.....11 6. Figure 1.2.6: Report Generate......12 7. Figure 1.3.1: Entering web address...15 8. Figure 1.3.2: Finding Target......15 9. Figure 1.3.3: Login Web Scan..16 10. Figure 1.3.4: Completing Login Web...16 11. Figure 1.3.5: Beginning Web Scan...17 12. Figure 1.3.6: Element of Vulnerabilities..17 13. Figure 1.3.7: Vulnerabilities Shown....18 14. Figure 1.3.8: Vulnerabilities Shown as Cookies......18 15. Figure 1.3.9: Final Report for Cookies.....19 16. Figure 1.4.1: Starting Point.......20 17. Figure 1.4.2: Entering web address...21 18. Figure 1.4.3: Finding Target.....21 19. Figure 1.4.4: Login Web Scan..22 20. Figure 1.4.5: Scan Began.....22 21. Figure 1.4.6: Vulnerabilities Shown....23 22. Figure 1.3.7: Definition of Broken Links........23 23. Figure 1.4.8: Final Report for Broken Links Vulnerability.....23 24. Diagram 2.1: Bank Network Infrastructure 28 25. Diagram 2.1: CIA Triage .35

CSM201 APPLICATION AND INFRASTRUCTURE SECURITY

Page 3

YUSIF SULEIMAN Question 1

[2308-0703-0223]

Identify three (3) possible web (or cloud computing based) application vulnerabilities. Write a report with the following headings: Description of vulnerabilities Proof of Concept Possible Counter Measures

Answer

1.0
1.1

INTRODUCTION
DESCRIPTION OF VULNERABILITIES

What is Vulnerability? Vulnerability is a flaw or weakness in a system's design, implementation, or operation and management that could be exploited to violate the system's security policy. A threat is a potential attack that, by exploiting vulnerability may harm the assets owned by an application (resources of value, such as the data in a database or in the file system). A test is an action that tends to show vulnerability in the application. Web application vulnerability also refers to Weakness in Custom Web Application, Architecture, Design, Configuration, or Code.

The Web Application Security Gap (How Does It?) There is a lack of awareness of application vulnerabilities in security departments. Security Departments scrutinize the desktop, the network, and even the web servers, but the web application escapes their measures. Even in departments that want to audit for web application vulnerabilities, the lack of effective tools has made it impractical As a result, Certification and Accreditation programs rarely examine the web application
Page 4

CSM201 APPLICATION AND INFRASTRUCTURE SECURITY

YUSIF SULEIMAN
-

[2308-0703-0223]

In fact, the entire development cycle is usually missing from security procedures and controls

This illustrates the fundamental gap between security and development, which creates these web application vulnerabilities

Many traditional information security practitioners are ill-equipped to mitigate application security issues Little to no experience coding No experience coding in modern enterprise environments like .NET and J2EE Understand that there are risks, but not in a position to address them or no resources to manage the issues

How it Affect the System Web Application vulnerabilities occur in different areas: Platform, Administration and Application. -The web server itself is subject to a variety of known vulnerabilities, all of which must be readily patched for. The actual administration and management of the server and contents is very important A misconfigured server or poorly managed content can permit system file and source code disclosure The application itself is of the utmost importance. It too can inadvertently reveal source code and system files, and even allow full system access. It can mistakenly allow replay attacks against your customers. It could allow a hacker to impersonate your customers. In addition it is the web application that interacts with the database to manage and tracks customer information and store business and transaction information . One slip-up in the web application can expose the entire system and database, right through a web browser, right over port 80.

CSM201 APPLICATION AND INFRASTRUCTURE SECURITY

Page 5

YUSIF SULEIMAN
Top Web Application Vulnerabilities and Security Threats 1. Format String Vulnerabilities 2. Broken access control 3. Cookie poisoning 4. Cross-site scripting (XSS) Flaws 5. Broken authentication and Access Control 6. Injection flaws 7. Buffer overflow 8. Malicious File Execution 9. Insecure Direct Object Reference 10. Cross Site Request Forgery (CSRF) 11. Information Leakage 12.Session Management 13. Insecure Cryptographic Storage 14. Insecure Communications 15. Improper error handling 16. Insecure storage 17. Application denial-of-service 18. Insecure configuration management 19. SQL injection 20. Parameter tampering 21. Buffer overflows 22. Failure to Restrict URL Access 23. Database Server 24. Unvalidated input

[2308-0703-0223]

CSM201 APPLICATION AND INFRASTRUCTURE SECURITY

Page 6

YUSIF SULEIMAN

[2308-0703-0223]

1.2

PROOF OF CONCEPT

I choose to check the following web vulnerabilities for my project Cookies Poisoning using www.copart.com Brute-Force Attack www.buk.edu.ng Broken Links www.apple.com

1.2.1 Cookies Poisoning Cookies are often a key attack vector for malicious users (typically targeting other users) and, as such, the application should always take due diligence to protect cookies. The importance of secure use of Cookies cannot be understated, especially within dynamic web applications, which need to maintain state across a stateless protocol such as HTTP. To understand the importance of cookies it is imperative to understand what they are primarily used for. These primary functions usually consist of being used as a session authorization/authentication token or as a temporary data container. Thus, if an attacker were by some means able to acquire a session token (for example, by exploiting a cross site scripting vulnerability or by sniffing an unencrypted session), then he/she could use this cookie to hijack a valid session. Additionally, cookies are set to maintain state across multiple requests. Since HTTP is stateless, the server cannot determine if a request it receives is part of a current session or the start of a new session without some type of identifier. This identifier is very commonly a cookie although other methods are also possible. As you can imagine, there are many different types of applications that need to keep track of session state across multiple requests. The primary one that comes to mind would be an online store. As a user adds multiple items to a shopping cart, this data needs to be retained in subsequent requests to the application. Cookies are very commonly used for this task and are set by the application using the Set-Cookie directive in the application's HTTP response, and is usually in a name=value format (if cookies are enabled and if they are supported, which is the case for all modern web browsers). Once an application has told the browser to use a particular cookie, the browser will send this cookie in each subsequent request. A cookie can contain data such as items from an online shopping cart, the price of these items, the quantity of these items, personal information, user IDs, etc. Due to the sensitive nature of information in cookies, they are typically encoded or encrypted in an attempt to protect the information they contain. Often, multiple cookies will be set (separated by a semicolon) upon subsequent requests. For example, in the case of an online store, a new cookie could be set as you add multiple items to your shopping cart. Additionally, you will typically have a cookie for authentication (session token as indicated above) once you login, and multiple other cookies used

CSM201 APPLICATION AND INFRASTRUCTURE SECURITY

Page 7

YUSIF SULEIMAN

[2308-0703-0223]

to identify the items you wish to purchase and their auxiliary information (i.e., price and quantity) in the online store type of application. Now that we have understanding of how cookies are set, when they are set, what they are used for, why they are used, and their importance, let's take a look at what attributes can be set for a cookie and how to test if they are secure. The following is a list of the attributes that can be set for each cookie and what they mean. Secure - This attribute tells the browser to only send the cookie if the request is being sent over a secure channel such as HTTPS. This will help protect the cookie from being passed over unencrypted requests. If the application can be accessed over both HTTP and HTTPS, then there is the potential that the cookie can be sent in clear text. HttpOnly - This attribute is used to help prevent attacks such as cross-site scripting, since it does not allow the cookie to be accessed via a client side script such as JavaScript. Note that not all browsers support this functionality. Domain - This attribute is used to compare against the domain of the server in which the URL is being requested. If the domain matches or if it is a sub-domain, then the path attribute will be checked next.

1.2.2 TESTING FOR COOKIE ATTRIBUTE VULNERABILITIES: By using an intercepting proxy or traffic intercepting browser plug-in, trap all responses where a cookie is set by the application (using the Set-cookie directive) and inspect the cookie for the following: Secure Attribute - Whenever a cookie contains sensitive information or is a session token, then it should always be passed using an encrypted tunnel. For example, after logging into an application and a session token is set using a cookie, then verify it is tagged using the ";secure" flag. If it is not, then the browser believes it safe to pass via an unencrypted channel such as using HTTP. HttpOnly Attribute - This attribute should always be set even though not every browser supports it. This attribute aids in securing the cookie from being accessed by a client side script so check to see if the ";HttpOnly" tag has been set. Domain Attribute - Verify that the domain has not been set too loosely. As noted above, it should only be set for the server that needs to receive the cookie. For example if the application resides on server app.mysite.com, then it should be set to "; domain=app.mysite.com" and NOT "; domain=.mysite.com" as this would allow other potentially vulnerable servers to receive the cookie. Path Attribute - Verify that the path attribute, just as the Domain attribute, has not been set too loosely. Even if the Domain attribute has been configured as tight as possible, if the path is set to the root directory "/" then it can be vulnerable to less secure applications on the same server. For example if the application resides at /myapp/ then verify that the cookies path is set to "; path=/myapp/" and NOT "; path=/" or "; path=/myapp". Notice
Page 8

CSM201 APPLICATION AND INFRASTRUCTURE SECURITY

YUSIF SULEIMAN

[2308-0703-0223]

here that the trailing "/" must be used after myapp. If it is not used, the browser will send the cookie to any path that matches "myapp" such as "myapp-exploited". Expires Attribute - Verify that, if this attribute is set to a time in the future, that it does not contain any sensitive information. For example, if a cookie is set to "; expires=Fri, 13-Jun-2010 13:45:29 GMT" and it is currently June 10th 2008, then you want to inspect the cookie. If the cookie is a session token that is stored on the user's hard drive then an attacker or local user (such as an admin) who has access to this cookie can access the application by resubmitting this token until the expiration date passes.

The following screen capture shows the description of how we test www.copart.com web site to find cookies as vulnerabilities.

Figure 1.2.1 Base on the following figures we will understand the Cookies Poisoning testing on Copart web server using Acunetix web application vulnerability scanner.

CSM201 APPLICATION AND INFRASTRUCTURE SECURITY

Page 9

YUSIF SULEIMAN
Figure 1.2.2 shows the beginning of how we scan for target

[2308-0703-0223]

Figure 1.2.3 shows that the target if found

CSM201 APPLICATION AND INFRASTRUCTURE SECURITY Page 10

YUSIF SULEIMAN

[2308-0703-0223]

Figure 1.2.4 beginning of the testing

Figure 1.2.5 Vulnerabilities web links shown

CSM201 APPLICATION AND INFRASTRUCTURE SECURITY Page 11

YUSIF SULEIMAN

[2308-0703-0223]

Figure 1.2.6 the vulnerabilities results that Acunetix web scanner generates finally. Note that only hosts within the specified domain can set a cookie for that domain. Also the domain attribute cannot be a top level domain (such as .gov or .com) to prevent servers from setting arbitrary cookies for another domain. If the domain attribute is not set, then the hostname of the server which generated the cookie is used as the default value of the domain. For example, if a cookie is set by an application at app.mydomain.com with no domain attribute set, then the cookie would be resubmitted for all subsequent requests for app.mydomain.com and its subdomains (such as hacker.app.mydomain.com), but not to otherapp.mydomain.com. If a developer wanted to loosen this restriction, then he could set the domain attribute to mydomain.com. In this case the cookie would be sent to all requests for app.mydomain.com and its subdomains, such as hacker.app.mydomain.com, and even bank.mydomain.com. If there was a vulnerable server on a subdomain (for example, otherapp.mydomain.com) and the domain attribute has been set too loosely (for example, mydomain.com), then the vulnerable server could be used to harvest cookies (such as session tokens). Path - In addition to the domain, the URL path can be specified for which the cookie is valid. If the domain and path match, then the cookie will be sent in the request.

Just as with the domain attribute, if the path attribute is set too loosely, then it could leave the application vulnerable to attacks by other applications on the same server. For example, if the path attribute was set to the web server root "/", then the application cookies will be sent to every application within the same domain.

CSM201 APPLICATION AND INFRASTRUCTURE SECURITY

Page 12

YUSIF SULEIMAN

[2308-0703-0223]

Expires - This attribute is used to set persistent cookies, since the cookie does not expire until the set date is exceeded. This persistent cookie will be used by this browser session and subsequent sessions until the cookie expires. Once the expiration date has exceeded, the browser will delete the cookie. Alternatively, if this attribute is not set, then the cookie is only valid in the current browser session and the cookie will be deleted when the session ends.

1.2.3 COUNTER MEASURES FOR COOKIES POISONING Remember that all cookies, even the secret ones, will be submitted with every request. All authentication tokens will be submitted regardless of whether or not the end-user was tricked into submitting the request. Furthermore, session identifiers are simply used by the application container to associate the request with a specific session object. The session identifier does not verify that the end-user intended to submit the request. Only Accepting POST Requests Applications can be developed to only accept POST requests for the execution of business logic. The misconception is that since the attacker cannot construct a malicious link, a CSRF attack cannot be executed. Unfortunately, this logic is incorrect. There are numerous methods in which an attacker can trick a victim into submitting a forged POST request, such as a simple form hosted in an attacker's Website with hidden values. This form can be triggered automatically by JavaScript or can be triggered by the victim who thinks the form will do something else. Multi-Step Transactions Multi-Step transactions are not an adequate prevention of cookies and CSRF. As long as an attacker can predict or deduce each step of the completed transaction, then cookies and CSRF is possible. URL Rewriting This might be seen as a useful cookies and CSRF prevention technique as the attacker can not guess the victim's session ID. However, the users credential is exposed over the URL.

CSM201 APPLICATION AND INFRASTRUCTURE SECURITY

Page 13

YUSIF SULEIMAN
1.3.1 BRUTE-FORCE ATTACK

[2308-0703-0223]

Brute-forcing consists of systematically enumerating all possible candidates for the solution and checking whether each candidate satisfies the problem's statement. In web application testing, the problem we are going to face with the most is very often connected with the need of having a valid user account to access the inner part of the application. Therefore we are going to check different types of authentication schema and the effectiveness of different brute-force attacks. A great majority of web applications provide a way for users to authenticate themselves. By having knowledge of user's identity it's possible to create protected areas or more generally, to have the application behave differently upon the logon of different users. Actually there are several methods for a user to authenticate to a system like certificates, biometric devices, OTP (One Time Password) tokens, but in web application we usually find a combination of user ID and password. Therefore it's possible to carry out an attack to retrieve a valid user account and password, by trying to enumerate many (ex. dictionary attack) or the whole space of possible candidates. After a successful bruteforce attack, a malicious user could have access to: Confidential information / data; Private sections of a web application, could disclose confidential documents, user's profile data, financial status, bank details, user's relationships, etc.. Administration panels; These sections are used by webmasters to manage (modify, delete, add) web application content, manage user provisioning, assign different privileges to the users, etc.. Availability of further attack vectors; Private sections of a web application could hide dangerous vulnerabilities and contain advanced functionalities not available to public users. The following sequence of figures describes how I tested the Brute force Vulnerability on BUK web site.

CSM201 APPLICATION AND INFRASTRUCTURE SECURITY

Page 14

YUSIF SULEIMAN

[2308-0703-0223]

Figure 1.3.1 shows entering the buk web address

Figure 1.3.2 finding the target web

CSM201 APPLICATION AND INFRASTRUCTURE SECURITY

Page 15

YUSIF SULEIMAN
Figure 1.3.3 login the web site

[2308-0703-0223]

Figure 1.3.4 complete login web site for vulnerability scan

CSM201 APPLICATION AND INFRASTRUCTURE SECURITY

Page 16

YUSIF SULEIMAN
Figure 1.3.5 scanning web began

[2308-0703-0223]

Figure 1.3.6 elements of vulnerabilities shows

CSM201 APPLICATION AND INFRASTRUCTURE SECURITY

Page 17

YUSIF SULEIMAN
Figure 1.3.7 many vulnerabilities element

[2308-0703-0223]

Figure 1.3.8 vulnerability definition as Brute Force

CSM201 APPLICATION AND INFRASTRUCTURE SECURITY

Page 18

YUSIF SULEIMAN

[2308-0703-0223]

Figure 1.3.9 Final Report results

1.3.2 COUNTER MEASURES FOR BRUTE FORCE ATTACKS In case of an offline attack where the attacker has access to the encrypted material, he can try key combinations at his leisure without the risk of discovery or interference. However database and directory administrators can take countermeasures against online attacks, for example by limiting the number of attempts that a password can be tried, by introducing time delays between successive attempts, increasing the answer's complexity (e.g. requiring a CAPTCHA answer or verification code sent via cellphone), and/or locking accounts out after unsuccessful logon attempts. Website administrators may prevent a particular IP address from trying more than a predetermined number of password attempts against any account on the site.

Reverse brute force Countermeasures In a reverse brute-force attack, a single (usually common) password is tested against multiple usernames or encrypted files. The process may be repeated for a select few passwords. In such a strategy, the attacker is generally not targeting a specific user. Reverse brute-force attacks can be mitigated by establishing a password policy that disallows common passwords.

CSM201 APPLICATION AND INFRASTRUCTURE SECURITY

Page 19

YUSIF SULEIMAN
1.4.1 BROKEN-LINKS

[2308-0703-0223]

Apart from making your website look unprofessional, broken links can be a serious issue when they point to an important page of your website. For example: if a link pointing to your Products page is broken then your customers will be unable to view your online store, meaning they wont be able to purchase anything from your site. Apart from making your site look unprofessional, you can also lose customer who might not feel confident shopping from you. Furthermore, broken links can work against search engines and search engine robots. Search engines follow the links from your website to other links in order to gather more information about your website. As more content is indexed from your website then the ranking will be higher. Broken links that are no longer in use might reveal path locations and give clues to the directory structure of your website, which might reveal information concerning the design and logic of your site and disclose other important information, or reveal potential website security vulnerabilities.

Figure 1.4.1 shows the starting point

CSM201 APPLICATION AND INFRASTRUCTURE SECURITY

Page 20

YUSIF SULEIMAN
Figure 1.4.2 entering the web site to be tested

[2308-0703-0223]

Figure 1.4.3 target checking

CSM201 APPLICATION AND INFRASTRUCTURE SECURITY

Page 21

YUSIF SULEIMAN
Figure 1.4.4 complete login web site for vulnerability scan

[2308-0703-0223]

Figure 1.4.5 beginning of scan

CSM201 APPLICATION AND INFRASTRUCTURE SECURITY

Page 22

YUSIF SULEIMAN
Figure 1.4.6 vulnerabilities shown

[2308-0703-0223]

Figure 1.4.7 definition of broken links find on the Apple web site

CSM201 APPLICATION AND INFRASTRUCTURE SECURITY

Page 23

YUSIF SULEIMAN

[2308-0703-0223]

Figure 1.4.8 Final vulnerability result report for www.apple.com

1.4.2 COUNTER MEASURES FOR BROKEN LINKS There are several ways to repair a broken link. Often web pages have simply moved, either in connection with a migration to a new server, or through general site maintenance. A site index is a useful place to locate the moved page. A search engine query using the title of the page, possibly with a search restriction to the same site, might also finds the page. Use the WebsiteDefender report to identify any broken links and restore the pages or files which are missing. You should remove all broken links that reference files or pages that are no longer present on your site.

CSM201 APPLICATION AND INFRASTRUCTURE SECURITY

Page 24

YUSIF SULEIMAN Question 2

Take an existing system and infrastructure.

[2308-0703-0223]

Explain the company and its industry. Explain the existing (application) system. Using a network diagram explain the current infrastructure

Explain your defenses which you will put in place to protect the infrastructure of this organization. Defense for the Network Infrastructure (both wired and wireless). Defense on the Host server

Answer
2.1 EXPLAINING COMPANY AND ITS INDUSTRY

First Bank of Nigeria PLC is a Nigeria-based financial institute that offers a range of financial services. The Bank is divided into three business segments: Corporate banking, Personal banking and e-banking Services. Its products are targeted at corporate and individuals customers. The Bank operates through several subsidiaries, providing a range of banking services, including corporate banking, capital market operations, funds management, insurance brokerage, trusteeship, registrar ship and pension custodianship.

2.2

EXISTING (APPLICATION) SYSTEM

First Bank offer banking services to individuals, consumer banking is also provision of products and services to meet the financial needs of individuals with a steady and verifiable income flow. Here are some of our Existing Banking Systems;

CSM201 APPLICATION AND INFRASTRUCTURE SECURITY

Page 25

YUSIF SULEIMAN
U-First

[2308-0703-0223]

U-First is a suite of retail and consumer loan products designed for individuals and small businesses to enable them meet their business and personal needs. Generic Savings Account It is a hybrid savings account that runs on a savings platform with current account features for your convenience. Generic Current Account With FirstBanks current account, you just cant go wrong. You can carry out unlimited 3rd party transactions seamlessly and enjoy the inherent benefits. FirstPremium Term Deposit Account FirstPremium Term Deposit is a value-added term deposit product which offers higher interest rates than the conventional term deposit First Savings Plus Account It is a hybrid savings account that runs on a savings platform with current account features for your convenience. First Hi-Fi (Children) Account This is a special account designed for children from age 0 18 years to sensitize and cultivate savings culture within this age bracket and to help parents plan towards the future of their children and wards. FirstCurrent Plus (Zero COT Account) Withdrawal is limited to five (5) times in a month, where a customer exceeds the number of withdrawals, the account will default to N5.00/mille COT on the total customer induced transactions for that month FirstCurrent Business Account A fee-based current account that allows customers carry out numerous transactions without paying COT. FirstDom Account

CSM201 APPLICATION AND INFRASTRUCTURE SECURITY

Page 26

YUSIF SULEIMAN

[2308-0703-0223]

Are you upwardly mobile? Then First Dom Plus is designed for you. It is an account that encourages you to save your foreign currency while still giving you the opportunity to earn higher interest on account balances. FirstInstant Account The FirstInstant Account is savings product designed for the unbanked and underbanked to enhance financial inclusion

2.3

CURRENT INFRASTRUCTURE USING NETWORK DIAGRAM

Infrastructure is basic physical components of interrelated systems which provide organizational hardware structure used to enable interconnect computers and users for enhance economy function. Infrastructure includes the transmission media, including telephone lines, cable television lines, and satellites and antennas, and also the routers, and other devices that control transmission paths. Infrastructure also includes the software used to send, receive, and manage the signals that are transmitted. In some usages, infrastructure refers to interconnecting hardware and software and not to computers and other devices that are interconnected. However, to some information technology users, infrastructure is viewed as everything that supports the flow and processing of information. Infrastructure companies play a significant part in evolving the Internet, both in terms of where the interrconnections are placed and made accessible and in terms of how much information can be carried how quickly. Diagram 2.1 Bank Infrastructure Network System

BANK INFRASTRUCTURE NETWORK DIAGRAM

Branch office
Work stations Work stations Internet

Head office

Local server

Firewall

Router

Main server

ATM

ATM

CSM201 APPLICATION AND INFRASTRUCTURE SECURITY

Page 27

YUSIF SULEIMAN
2.4 DEFENCES FOR THE NETWORK INFRASTRUCTURE

[2308-0703-0223]

Information infrastructures across many public and private domains share several common attributes regarding information technology (IT) deployments and data communications. This is particularly true in the industrial control systems domain where an increasing number of organizations are using modern networking to enhance productivity and reduce costs by increasing the integration of external, business, and control system networks. However, these integration strategies often lead to vulnerabilities that greatly reduce the cybersecurity posture of an organization and can expose mission-critical industrial control systems to cyber threats. Physical Security: Physical security reviews involve reviewing agreed physical security controls and procedures to determine their effectiveness and to identify gaps and weaknesses. This may include reviewing the access control system for doors, CCTV monitoring, and communications. It may cover procedures for controlling visitor access, deliveries and contract services, such as cleaning. It can extend to searching for covert cameras and listening devices in meeting rooms and offices, and may involve investigations into other areas including staff vetting procedures. Social engineering tests are typically combined with physical and internal network infrastructure tests, and involve testing the human element of security. Social engineering is the art of obtaining information by deception, with the aim of gaining unauthorised access to information or resources. As examples, successful scenarios we have used in the past include posing as journalists to find out information about an organisations infrastructure, posing as internal IT staff testing a new system, using phishing emails to harvest passwords and obtaining passwords from a helpdesk.

2.5

DEFENCES ON HOST SERVER

The policy layer is probably the most overlooked and misunderstood aspect of information security. Security policies should be the foundation of every Defense in Depth plan. One of the main purposes of security policies is to educate all users of their obligation to the protection of the technologies and business information. Security policies help protect both business information and employees in many ways: 1. They provide the guidance for what must be done to protect the business information stored on the corporate network. 2. They establish a set of rules of conduct for all users. 3. They provide authorization for the information security personnel to perform various duties such as monitoring, sniffing, probes, password cracking, etc. 4. They are the baseline for measuring compliance and enforcement. 5. They define the consequences of violations to the policies.

CSM201 APPLICATION AND INFRASTRUCTURE SECURITY

Page 28

YUSIF SULEIMAN

[2308-0703-0223]

6. They act as a starting point to establish periodic review and updates for new threats and vulnerabilities, as well as improvements in meeting business needs and employee awareness. When the security policy and its operational health are overlooked, information security is left to focus on the use of technology to prevent, and/or react to, security incidents. This is a backwards approach because poor policy decisions or operational practices can lead to circumvention of even the most robust technology put in place. STRONG PASSWORDS Many companies rely only on passwords as their defense, and since the password is in essence the key by which authorized access exists, it warrants its own section as a defense layer. Strong Passwords will typically be specified and enforced with a Password security policy. Our goal is to make it difficult for an attacker to gain access, of any level, to a system with the use of an authorized username and password. Since usernames are typically easy to guess we will set out to make the password impossible to guess. The do(s) and dont(s) below, along with the guidelines that follow, will help accomplish this. Strong Password DONT list DONT use any part of your username. DONT use any dictionary words in any language. DONT use any word associated with you or your interests. DONT use a word with character substitution i.e. p@ssw0rd. DONT write your password down on paper. DONT store your password on any computer. DONT use the remember my password option. DONT share your password with anybody. Strong Password DO list Use a minimum of 8 characters Use at least three of the four classes listed below 1. Upper case letters 2. Lower case letters 3. Numbers 4. Special Characters (!@#$%^&*(){}<>,.;:\+=-_) Change passwords every 60 days at a minimum Guidelines The easiest way to pick a strong password that is within the boundaries listed above, and easy to remember, is to use a pass phrase. A pass phrase is a phrase of words that you can easily remember. Then take the first letter of each word to create the password. Once you have it figured out, and at your discretion, use some form of character and/or number substitution. For example the pass phrase I went to Florida 30 times before I saw Mickey Mouse would yield a password of IwtF30tbisMM without the quotes. As you can see this is the beginning of a very strong password. It has 12 characters, its not a dictionary word of any kind, it has no meaning to anyone and cannot have a meaning derived from it. We do not have to write it down to
CSM201 APPLICATION AND INFRASTRUCTURE SECURITY Page 29

YUSIF SULEIMAN

[2308-0703-0223]

remember it because we know it by the pass phrase. Now in order to satisfy the DO boundary, we come up with a personal form of character substitution. For instance, every time the letter t is used substitute a +. Since your first letter is I, and it is capital, make the other i capital for consistency and ease of remembering. Keep the proper nouns as capitals and you will have a strong password that looks like this: Iw+F30+bIsMM System Administrators should enforce strong passwords on all systems with the following criteria. Expire after 60 days minimum Lock out account after three failed attempts Log all success and failed login attempts Use password filters to ensure length and character inclusion None of users previous 6 passwords can be reused Passwords should have a minimum use of three days Enable strong encryption of all passwords (/etc/shadow; NTLMv2) With the Strong Password created above and the enforcement on the server, it would be extremely difficult for an attacker to break in with a valid user name and password. If an attacker trying to crack passwords came up against our example the password would most likely expire before they could crack it and use it. PERIMETER PROTECTION WITH FIREWALLS A critical and essential part of any Information Security plan is undoubtedly the firewall. Firewalls serve as the best protection control mechanism available in the information security arsenal. Commonly deployed at the perimeter gateway, the firewall stands as a traffic cop, allowing or denying access to and from different attached network segments based on the ruleset applied. While primarily used as gateway devices, it is not unusual to use firewalls internally to protect certain networks or individual hosts. Since firewalls play a major role in a Defense strategy, we will detail the three different types of firewalls. Firewalls come in basically three types with various features. Depending on the type and feature set, they will provide some or all of these major elements of protection: 1. Reduce risk by protecting systems from attempts to exploit vulnerabilities. 2. Increase privacy by making it harder to gather information about the site. 3. Enforce an organizations security policy. 4. Log traffic for audit and forensic analysis. 5. Provide VPN/Encryption capabilities. 6. Perform Network Address Translation (NAT). 7. Provide Integration with content filtering systems. 8. Filter unwanted traffic Firewall Type 1 The packet filter The packet filter firewall is a router (usually Cisco) using access control lists (ACLs). They are fast and generally low cost in comparison to the other types of firewalls. Packet filter firewalls are limited in their capacity to provide security with functionality, and therefore are regarded as not very useful. This is not a true statement though. Packet filter firewalls look at every packet
CSM201 APPLICATION AND INFRASTRUCTURE SECURITY Page 30

YUSIF SULEIMAN

[2308-0703-0223]

both inbound and outbound and check the source address/port and destination address/port against a defined ruleset. Therefore, it is possible to predefine undesirable networks and block traffic coming from them. The packet filter firewall can be an effective noise filter and compliment another more robust firewall solution. Generally they are setup as allow all except that which is explicitly denied. For example, minimally use a packet filter firewall to filter out: Incoming The private IP networks (10.0.0.0; 172.16.0.0; 192.168.0.0) Loopback network 127.0.0.0 All Broadcasts Outgoing Outgoing ICMP echo reply Also, it may be beneficial to use all or part of the Internet Storm Centers block list to filter out traffic from hostile networks. Caution is needed as this list changes frequently resulting in a false sense of security, or causing access to be denied to a network the business deems necessary.

INTRUSION DETECTION SYSTEMS A complement to any Firewall strategy is the use of Intrusion Detection Systems. While the Firewall will act as a shield it is not bullet proof. Subject to attacks themselves the firewall cannot protect against end users, modem access, social engineering, poor configurations, etc. To make matters worse, this activity and its effects end up on your network completely unnoticed. Intrusion Detection Systems {Network (NIDS) and Host (HIDS)} monitor and collect activity either on the network or a host. They examine the data to detect threats, attacks, and other malicious activity. This is extremely valuable, because without it you are blind to the activity happening on your network and hosts. Intrusion detection systems come in basically two flavors, Network based (NIDS) and Host based (HIDS). Separation between the two doesnt mean to use one or the other. Both types should be used to create this layer of defense. Network based IDS (NIDS) NIDS are typically hardened systems/appliances, running IDS software, that sit on the wire, monitoring all the network traffic passing by. They do this running in promiscuous mode much like a sniffer. Some common NIDS are RealSecure and Snort. NIDS match network traffic against a database of known or custom attack signatures. A match against the database can be handled in a variety of ways such as a pager alert, email alert, and/or a predetermined course of action. Some advantages to NIDS are: Real time detection Neutralize Denial of service attacks and floods Detects unsuccessful attacks Evidence collection for forensic analysis Detect Port Scans and recon Fairly easy to setup

CSM201 APPLICATION AND INFRASTRUCTURE SECURITY

Page 31

YUSIF SULEIMAN

[2308-0703-0223]

CONTENT FILTERING Today most businesses require, at a minimum, email and web browsing to effectively communicate with internal, as well as external, customers. While this provides the business with an avenue by which to communicate, it also provides a convenient mechanism for malware (i.e. malicious viruses, email, html, etc.) to proliferate and inundate a network, and its systems, in a matter of minutes. In addition, an increase in Web Surfing for fun and non-business related email results in higher business costs due to lost productivity. Content Filtering is an excellent way to protect the business by proactively keeping viruses, spam, erroneous web surfing, and inappropriate file attachments to a minimum. ANTIVIRUS It is unthinkable to not have some kind of Antivirus system in place; but too often it is deployed only on the desktop, if at all, and not regularly updated. Antivirus should be deployed in four main places. Desktops/Laptops File Servers Email Servers Gateways Antivirus should also be easy to deploy & configure, unnoticeable, and selfupdating. This will help ensure that it can be quickly deployed, users wont try to tamper with it, and it is always current. Since every Antivirus vendor has its pros and cons it is a good practice to use a different vendor for each deployment area in your organization. By doing this you will achieve a greater level of protection against viruses that may slip past a single vendor solution. The following scenario may fit into your organizations Antivirus needs. DATA ENCRYPTION Data encryption provides the last layer of defense, should an attacker break through the outer layers of your Defense strategy. Encryption sounds familiar to many and the concept is pretty simple. However, all too often encryption is not implemented for various reasons; one of which is people dont understand it beneath the surface.

CSM201 APPLICATION AND INFRASTRUCTURE SECURITY

Page 32

YUSIF SULEIMAN Question 3

Describe in details the CIA Triage. Confidentiality. Integrity. Availability

[2308-0703-0223]

Answer
3.1 CIA TRIAGE

The CIA triad refers to an well-known industry standard model in information security development. It is applied in various situations to identify problems or weaknesses and establish security solution, it made up of the three main components: Confidentiality, Integrity and Availability. Each component represents a fundamental objective of information security. Information security means protecting information and information systems from unauthorized access, disclosure, disruption, modification, perusal, inspection, recording or destruction. The terms information security, computer security and information assurance are frequently used interchangeably. These fields are interrelated often and share the common goals of protecting the Confidentiality, Integrity and Availability of information; however, there are some subtle differences between them. These differences lie primarily in the approach to the subject, the methodologies used, and the areas of concentration. Information security is concerned with the confidentiality, integrity and availability of data regardless of the form the data may take: electronic, print, or other forms. Computer security can focus on ensuring the availability and correct operation of a computer system without concern for the information stored or processed by the computer. Information assurance focuses on the reasons for assurance that information is protected, and is thus reasoning about information security. The three components of the triad are discussed below: 1. Confidentiality: This component is closely linked with privacy. This means that data are only available to the appropriate parties, which may be parties that require access to the data or parties that are trusted. Data that have been kept confidential means that they have not been compromised by other parties; confidential data are not disclosed to people who do not require them or who should not have access to them. Ensuring confidentiality means that information is organized in terms of who ought to have access as well as its sensitivity. A breach of confidentiality may take place through different means, for instance hacking or social engineering.

CSM201 APPLICATION AND INFRASTRUCTURE SECURITY

Page 33

YUSIF SULEIMAN

[2308-0703-0223]

2. Integrity: Data integrity refers to the certainty that the data are not tampered with during or after submission. It is the certainty that the data will not be modified or destroyed by unauthorized parties. This means there are two points during the transmission process during which the integrity could be compromised: during the upload or transmission of data; during the storage of the document in the database or collection.

3. Availability: This means that the information is available when it is needed. In order for a system to demonstrate availability, it must have properly functioning computing systems, security controls and communication channels. The most available systems are accessible at all times and have safeguards against power outages, natural disasters, hardware failures and systems upgrades. Availability is a major challenge in collaborative environments as such environments must be stable and continually maintained. Such systems must also allow users to access required information with little waiting time. Redundant systems may be in place to offer a high level of fail-over. The concept of availability can also refer to the usability of a system. Information security refers to the preservation of integrity and secrecy when information is stored or transmitted. Information security breaches occur when information is accessed by unauthorized individuals or parties. Breaches may be the result of actions of hackers, intelligence agencies, criminals, competitors, employees or others. In addition, individuals who value and wish to preserve their privacy are interested in information security. Diagram 3.1 CIA Triage

CIA TRIAG

CIA TRIAGE DATA SERVICES MODEL

AVAILABILITY
no single point of failure

CSM201 APPLICATION AND INFRASTRUCTURE SECURITY

Page 34

YUSIF SULEIMAN 4.1 REFERENCE

[2308-0703-0223]

1. Justin Seitz (2009). Gray Hat Python: Python Programming for Hackers and Reverse Engineers. Immunity, Inc 1st edition. 2. Marcus Pinto (2011). The Web Application Hacker's Handbook: Finding and Exploiting Security Flaws. 2nd edition 3. Ahmed, N., Matuleviius, R., Mouratidis, H. (2012) A Model Transformation from Misuse Cases to Secure Tropos. In: Proc of the CAiSE12 Forum at the 24th International Conference 4. Wikipedia the free encyclopedia. (2012) http://en.wikipedia.org/wiki/Infrastructure 5. Wikipedia, the free encyclopedia(2012). http://en.wikipedia.org/wiki/Information_security 6. Wiki Answer Copyright 2012. http://wiki.answers.com/Q/What_is_Denial_of_Service_attack Answers.com Denial of Service attack. Answers Corporation 7. Webopedia(2012). http://www.webopedia.com/TERM/D/DoS_attack.html 8. CERT/CC(2012) http://www.cert.org/tech_tips/denial_of_service.html CERT Coordination Center, Software Engineering Institute,Carnegie Mellon University 9. Mark Dowd, John McDonald, Justin Schuh (2006). The Art of Software Security Assessment: Identifying and Preventing Software Vulnerabilities. Addison-Wesley Professional; 1 edition 10. Cadoree, Michelle. (1994). Computer Crime and Security. Washington, D.C.: LC Science Tracer Bullet 11. Cisco Unified Computing System (2012). http://searchdatacenter.techtarget.com/definition/infrastructure 12. Kenneth R. Straub (2003). Information Security Managing Risk with Defense in Depth. SANS Institutes Inforsec Reading Room

CSM201 APPLICATION AND INFRASTRUCTURE SECURITY

Page 35

Filename: CSM201Proj Directory: C:\Users\YUSUF Template: C:\Users\YUSUF\AppData\Roaming\Microsoft\Templates\Normal.dotm Title: Subject: Author: compaq Keywords: Comments: Creation Date: 10/30/2012 6:33:00 PM Change Number: 17 Last Saved On: 11/6/2012 10:03:00 AM Last Saved By: YUSUF Total Editing Time: 1,581 Minutes Last Printed On: 11/6/2012 10:04:00 AM As of Last Complete Printing Number of Pages: 35 Number of Words: 7,085 (approx.) Number of Characters: 40,388 (approx.)