Server side attacks
aka Service side attacks are launched directly from an attacker to a listening service. The Conficker worm spread via a number of methods, including a service side attack on TCP port 445 that exploited a weakness in the RPC service. Patching, system hardening, firewalls, and other forms of defense-in-depth mitigate server side attacks.
Client side attacks
Occur when a user downloads malicious content. Attacks are initiated by the victim, who downloads content from the attacker. Client side attacks are difficult to mitigate for organizations that allow internet access. Clients include word processors, spreadsheets, and web browsers – and within them, flash players, media players, etc.
All client-side software must be patched, a challenge many organizations struggle with.
Web architecture and attacks
The advent of Web 2.0, with dynamic content, multimedia, and user-created data, has increased the attack surface of the web, creating more attack vectors. Dynamic web languages such as PHP make web pages far more powerful and dynamic, but also more susceptible to security attacks.
Applets
Small pieces of mobile code that are embedded in other software such as web browsers. The primary security concern is that applets are downloaded from servers, and then run locally. Malicious applets may be able to compromise the security of the client.
- Java – Runs in a sandbox which segregates code from the operating system. Interpreted by the JVM and available for many OSes.
- ActiveX – Uses digital certificates instead of a sandbox to provide security. Tied more closely to the OS, allowing functionality such as installing patches via Windows Update, but runs on Windows only.
OWASP
The Open Web Application Security Project represents one of the best application security resources. OWASP provides a number of free resources dedicated to improving an organization's application security posture. The OWASP Top 10 project provides consensus guidance on what are considered to be the ten most significant application security risks.
XML
Extensible Markup Language is a markup language designed as a standard way to encode documents and data. XML can be used to store application configuration, output from auditing tools, and for many other uses.
Service Oriented Architecture (SOA)
Attempts to reduce application architecture down to a functional unit of service. SOA is intended to allow multiple heterogeneous applications to be consumers of services. Examples: XML or JSON (JavaScript Object Notation) is commonly used for the underlying data structures; SOAP or REST (Representational State Transfer) provides the connectivity; and WSDL (Web Services Description Language) provides details about how the web services are to be invoked.
Database Security
Polyinstantiation
Polyinstantiation allows two different objects to have the same name. In databases it means two rows may have the same primary key but different data. Databases normally require that all rows in a table contain a unique primary key, so a normal database would generate an error like "duplicate entry".
Inference and Aggregation
Inference and aggregation occur when a user is able to use lower-level access to learn restricted information. Inference requires deduction: there is a mystery to be solved, and lower-level details provide the clues. Aggregation is a mathematical process: a user asks every question, receives every answer, and derives restricted information.
Example: Pentagon Pizza Inference: The Pentagon ordered a lot of pizza on the evening of January 16, 1991, far more than normal. There were a lot more pizza delivery cars delivering pizza, so one could infer that something big was going on. In fact, Operation Desert Storm (Gulf War) was about to launch.
Inference and Aggregation Controls
The database inference control is polyinstantiation. Database aggregation controls include restricting normal users to a limited number of queries.
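A worked illustration of both controls (polyinstantiation as the inference control, a per-user query budget as the aggregation control), added here as example code rather than anything from the original notes; the table, rows and clearance labels are constructed:

```python
import sqlite3

# Added example, not from the original notes. Constructed in-memory SQLite data:
# the "missions" table's primary key is (id, clearance), so two rows can share
# id 1 yet hold different data, one per clearance level.
CLEARANCE_RANK = {"unclassified": 0, "secret": 1}

def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE missions (id INTEGER NOT NULL, clearance TEXT NOT NULL, "
                 "destination TEXT NOT NULL, PRIMARY KEY (id, clearance))")
    conn.executemany("INSERT INTO missions VALUES (?, ?, ?)", [
        (1, "unclassified", "training exercise"),  # cover row for low clearance
        (1, "secret", "forward base (constructed value)"),  # the real row
    ])
    return conn

def duplicate_key_rejected():
    """Without polyinstantiation (single-column key) the second row is rejected."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE plain (id INTEGER PRIMARY KEY, destination TEXT)")
    conn.execute("INSERT INTO plain VALUES (1, 'training exercise')")
    try:
        conn.execute("INSERT INTO plain VALUES (1, 'forward base')")
        return False
    except sqlite3.IntegrityError:  # SQLite's "duplicate entry" equivalent
        return True

def read_mission(conn, mission_id, user_clearance):
    """Return the highest-clearance row the user may see. Filtering happens in the
    data layer, so a low-clearance user never learns that a secret row exists."""
    rank = CLEARANCE_RANK[user_clearance]
    rows = conn.execute("SELECT clearance, destination FROM missions WHERE id = ?",
                        (mission_id,)).fetchall()
    visible = [r for r in rows if CLEARANCE_RANK[r[0]] <= rank]
    return max(visible, key=lambda r: CLEARANCE_RANK[r[0]])[1]

class QueryBudget:
    """Aggregation control: a normal user gets a fixed number of queries per session."""

    def __init__(self, conn, limit):
        self.conn, self.limit, self.used = conn, limit, 0

    def query(self, sql, params=()):
        if self.used >= self.limit:
            raise PermissionError("query budget exhausted")
        self.used += 1
        return self.conn.execute(sql, params).fetchall()
```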
Data Mining
Data mining searches large amounts of data to determine patterns that would otherwise get "lost in the noise". Ex. Credit card issuers scour transactions to detect fraud. Data mining raises privacy concerns.
Data Analytics
Improves security by analyzing typical use cases in the database to provide a baseline. This potentially allows an organization to proactively identify abuse from insider threats or compromised accounts.
Countermeasures
The primary countermeasure is defense-in-depth: multiple overlapping controls spanning multiple domains, which enhance and support each other. Any one control may fail; defense in depth mitigates the issue.
- Technical Countermeasures – Routers, switches, firewalls, system hardening, removing unnecessary services, patching, VPNs, and others.
- Administrative Countermeasures – Policies, procedures, guidelines, standards, and related documents.
- Physical Countermeasures – Building and office security, locks, security guards, mobile device encryption, and others.
Mobile Device Attacks
Laptops get infected with malware outside of a security perimeter and are carried into an organization – traditional network-based protections are powerless to prevent the initial attack. USB flash drives can infect host systems via autorun capability.
Mobile device defense
- Administrative controls such as restricting use of mobile devices via policy. Suspend use of USB thumb drives, CDs, flash media cards, and all other removable media.
- Technical controls to mitigate infected drives include disabling auto-run via group policy.
- Technical controls to mitigate infected mobile computers include requiring authentication at layer 2 via 802.1X and NAC.
- Technical controls to mitigate loss of backups or mobile devices – use full disk encryption and remote wipe.