Chapters 7 and 8, pp 155–202, of Web Security by Lincoln D. Stein


Server Site Security. Chapters 7 and 8, pp 155–202, of Web Security by Lincoln D. Stein. 2019/2/24 Y K Choi

Overview
- Why are Web sites vulnerable? ("vulnerable" means that it is easily attacked)
- Common questions about web site security
- Steps to create a secure web site

Introduction
Installing a Web server on a system such as Linux is very simple: all you need to do is load the software and configure the parameters. However, if your server is connected to the Internet, hackers, customers and employees might visit your site to learn more about it, and it might become a target for attack. Examples of sites that have been attacked (vandalized) in the past year:
- US Department of Justice
- CIA
- Microsoft
- US Air Force
- Republic of Indonesia
- British Labour Party

Why are Web sites vulnerable? The following are the causes (8 reasons):
- There are bugs in software
- System software is incorrectly configured
- The server hardware is not secure
- Networks are not secure (the sniffer you learnt in the lab)
- Remote authoring and administration tools (such as Legion, which you have learnt in the lab)
- Insider threats are overlooked
- Denial of service (DoS) threats are ignored
- Lack of a security policy, such as keeping logs and changing passwords

Bugs in system software
This is an obvious cause. Even simple software can cause a disaster if a bug opens a "back door" through which a hacker can crack the system or load unauthorised information. Note the difference in impact: a bug in an application usually just crashes that application or produces incorrect data, but a bug in the server loses far more, possibly the whole organisation's information. Use software engineering to thoroughly test your software.

The known holes (don't memorise)
- Unix web server 1.0-1.5a: allows remote users to execute Unix commands with the server's privileges
- Apache 1.0-1.1.1: allows remote users to execute Unix commands with the server's privileges; remote users can obtain directory listings
- Windows NT web servers: allow remote users to execute NT commands with the server's privileges

The known holes (continued)
- Microsoft IIS 1.0: allows remote users to execute NT commands with the server's privileges
- Microsoft IIS 1.0-3.0: allows remote users to obtain CGI script contents
- CGI scripts and server extensions 1.0-1.2: allow remote users to execute Unix commands with the server's privileges

System software is incorrectly configured
Even if there is no bug in the server, a web server is still insecure if the operating system, the underlying network and other servers are incorrectly configured. On a Linux system, a common misconfiguration is the file permissions (read, write, execute: rwx). If a file is misconfigured with write permission, it allows others to modify its content. The fix is to change it to read only.
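The permission check described on this slide, as an added example that is not part of the slides or of Stein's book: a short POSIX shell audit that lists every world-writable file or directory under a document root and then removes the offending write bit. The demo directory it builds with mktemp, and the two HTML files in it, are constructed for illustration; point the functions at a real document root to use them.

```shell
#!/bin/sh
# Added example (not from the slides or from Stein's book): audit a web
# document root for files and directories that are writable by everyone,
# which is the permission misconfiguration the slide describes, and fix
# them by removing the write bit for "others". Paths are arguments; the
# demo root built below is constructed for illustration only.

# Print every world-writable file or directory under $1, one per line.
# -perm -002 matches entries whose mode includes the o+w bit; symlinks are
# skipped because their own mode is not what the server enforces.
find_world_writable() {
    find "$1" -perm -002 ! -type l -print
}

# Number of world-writable entries under $1 (0 when the tree is clean).
count_world_writable() {
    find_world_writable "$1" | wc -l | tr -d ' '
}

# Remove the write bit for "others" on every offending entry under $1.
fix_world_writable() {
    find "$1" -perm -002 ! -type l -exec chmod o-w {} +
}

# Build a throw-away document root with one deliberately misconfigured
# file and print its path (constructed demo data, not a real site).
make_demo_root() {
    root=$(mktemp -d)
    mkdir "$root/htdocs"
    chmod 755 "$root/htdocs"
    printf '<h1>hello</h1>\n' > "$root/htdocs/index.html"
    printf '<p>about</p>\n' > "$root/htdocs/about.html"
    chmod 666 "$root/htdocs/index.html"   # the misconfiguration: anyone can edit the page
    chmod 644 "$root/htdocs/about.html"   # correct: owner writes, everyone else reads
    printf '%s\n' "$root"
}

# Stand-alone demo: report, fix, report again, clean up.
run_demo() {
    root=$(make_demo_root)
    printf 'before fix: %s world-writable entries\n' "$(count_world_writable "$root")"
    find_world_writable "$root"
    fix_world_writable "$root"
    printf 'after fix: %s world-writable entries\n' "$(count_world_writable "$root")"
    rm -rf "$root"
}

run_demo
```

Running the script on the demo root reports one world-writable entry (index.html), fixes it with chmod o-w, and reports zero afterwards. On a real server, run find_world_writable first and review the list before calling fix_world_writable, because a directory the server legitimately writes to (an upload area, for instance) should be owned by the server's user rather than left writable by everyone.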

Secure hardware
The server is physically insecure when:
- The server is located in an unlocked computer room
- The telephone lines are insecure
- Someone can reboot the server with a floppy disk (you can create a bootable floppy disk for later use)

Network is insecure (you learnt the use of a capture utility)
It is very easy to use a sniffer such as Packet Boy or Ethereal (learnt in the lab) to intercept messages. This means that Web documents, e-mails and interactive login sessions are all vulnerable (easily damaged) to eavesdropping (attack). User names and passwords can be intercepted as well: a cracker simply uses a sniffer to steal information.

Remote authoring and administration tools (Legion is an example)
Sometimes the administrator will not sit in front of the server to modify the configuration, examine the log files and tune the performance factors, but will do so from a remote location over the Internet. This information might be intercepted by a cracker if the remote authoring tool has holes. Check the log files.

Insider threats are overlooked
Most people look at computer crimes as coming from outsiders; few look at the threats from insiders. Intranet servers need attention with respect to internal users. Slide notes: Intranet is quite secure. Employees, not loyal!

Security policy
If there is no security policy, you cannot be sure whether your site is secure. A policy is a list of what is and is not permissible; for example, in the lab you are not allowed to install illegal software. Note that a security system consists of technology, policy and law. Example policy: change your password every two months.

Common questions about web server security
- Which operating system is most secure? Macintosh OS, as it does not have a command interpreter. AS400, a proprietary product, is more secure. Unix and XP both have their share of security problems.
- Will a firewall system make a web server more secure? By itself it will not; in fact, it may make it less secure. If the server is configured well, there is no need for a firewall system.

Steps to secure a web site (there are 7 steps)
1. Secure the operating system and web server: install the vendor's security-related patches and remove unnecessary services.
2. Monitor the server for suspicious activity; note that some attacks are less obvious.
3. Set proper access controls on confidential documents: use SSL-capable servers (SSL encrypts the message).

Steps to secure a web site (continued)
4. Write safe CGI scripts: even with a secure network and server, an unsafe CGI script can leave holes in the server.
5. Set up safe remote authoring and administrative facilities.
6. Protect the LAN against the web server: don't let a cracker use the Web server as a stepping stone to attack other, more critical servers.
7. Keep a security list.
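Step 2 says to monitor the server for suspicious activity and the earlier slides say to keep and examine the log files; the added example below (not part of the slides or of Stein's book) shows what such monitoring can look like on a Common Log Format access log. The eight log lines are constructed for the demo, and the three rules (traversal sequences in the path, one client with many 4xx errors, and 404s under /cgi-bin/) are my assumptions about "less obvious" activity, not a complete detector.

```shell
#!/bin/sh
# Added example (not from the slides or from Stein's book): a small monitor
# for step 2, "monitor the server for suspicious activity", run over a
# Common Log Format access log. The three rules below are assumptions
# about what "less obvious" activity looks like, not a complete detector:
#   1. directory-traversal sequences in the requested path,
#   2. one client producing an unusual number of 4xx error responses,
#   3. requests for /cgi-bin/ programs that do not exist (script probing).
# Every rule function reads the log from standard input.

# Constructed sample log: two ordinary visitors and one noisy client.
SAMPLE_LOG='10.0.0.5 - - [24/Feb/2019:10:00:01 +0800] "GET /index.html HTTP/1.0" 200 1043
10.0.0.5 - - [24/Feb/2019:10:00:02 +0800] "GET /about.html HTTP/1.0" 200 512
192.0.2.7 - - [24/Feb/2019:10:01:10 +0800] "GET /cgi-bin/probe1.cgi HTTP/1.0" 404 214
192.0.2.7 - - [24/Feb/2019:10:01:11 +0800] "GET /cgi-bin/probe2.cgi HTTP/1.0" 404 214
192.0.2.7 - - [24/Feb/2019:10:01:12 +0800] "GET /../../config/secret.cfg HTTP/1.0" 400 301
192.0.2.7 - - [24/Feb/2019:10:01:13 +0800] "GET /images/..%2f..%2fconfig/ HTTP/1.0" 404 214
192.0.2.7 - - [24/Feb/2019:10:01:14 +0800] "GET /admin/ HTTP/1.0" 403 199
10.0.0.9 - - [24/Feb/2019:10:02:00 +0800] "GET /missing.html HTTP/1.0" 404 214'

# Rule 1: count lines whose request contains "../" in plain or
# URL-encoded form. grep -c prints the count; "|| true" keeps a zero
# count from being treated as a failure under "set -e".
traversal_hits() {
    grep -ic -e '\.\./' -e '\.\.%2f' -e '%2e%2e' || true
}

# Rule 2: print each client IP with more than $1 responses of status 4xx.
# In CLF the client is field 1 and the status code is field 9.
error_burst_clients() {
    awk -v limit="$1" '$9 ~ /^4/ { n[$1]++ } END { for (c in n) if (n[c] > limit) print c }'
}

# Rule 3: count requests under /cgi-bin/ that were answered with 404,
# which usually means someone is guessing script names.
cgi_probe_count() {
    awk '$7 ~ /^\/cgi-bin\// && $9 == 404 { n++ } END { print n + 0 }'
}

# Run all three rules over one log (stdin) and print a short report;
# $1 is the error-count threshold for rule 2.
report() {
    log=$(cat)
    printf 'traversal attempts : %s\n' "$(printf '%s\n' "$log" | traversal_hits)"
    printf 'cgi probes (404)   : %s\n' "$(printf '%s\n' "$log" | cgi_probe_count)"
    printf 'clients over %s errors: %s\n' "$1" \
        "$(printf '%s\n' "$log" | error_burst_clients "$1" | tr '\n' ' ')"
}

printf '%s\n' "$SAMPLE_LOG" | report 3
```

On the sample log the report shows 2 traversal attempts, 2 CGI probes and one client (192.0.2.7) above the threshold of 3 errors, while the single 404 from 10.0.0.9 is ignored. To run it on a live server, replace the last line with `report 20 < /path/to/access_log` (or pipe `tail -f` output through the individual rules) and tune the threshold to the site's normal error rate.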

Summary
There are many reasons why Web sites are vulnerable: software bugs, misconfiguration, insecure networks, lack of policy, use of an incorrect remote tool. Follow the 7 steps to make the server as secure as possible, and try to avoid these causes.