Securing server-side web applications of often considered more difficult than protecting other systems

  Traditional network security devices can block traditional network attacks, but cannot always block web application attacks

• Many network security devices ignore the content of HTTP traffic

  Zero-day attack - an attack that exploits previously unknown vulnerabilities, victims have not time to prepare for or defend against the attack

  Many server-side web application attacks target the input that the applications accept from users

  Such common web application attacks are:

• Cross-site scripting
• SQL injection
• XML injection
• Command injection/directory traversal

Cross-site scripting

   Injecting scripts into a Web application server to direct attacks at unsuspecting clients.

   When victim visits injected Website:

• Malicious instructions are sent to victim’s browser

   Some XSS attacks are designed to steal information:

• Retained by the browser when visiting specific sites

   An XSS attack requires a website meets two criteria:

• Accepts user input without validating it
• Uses input in a response

Client-Side Application Attacks

• Web application attacks are server-side attacks

• Client-side attacks target vulnerabilities in client applications that interact with a compromised server or process malicious data

• The client initiates connection with the server, which could result in an attack.

Client-Side Attacks

 Cookies

    •Cookies store user-specific information on user’s local computer

 Types of cookies:

    • First-party cookie - cookie created by Web site user is currently viewing.

    • Third-party cookie - site advertisers place a cookie to record user preferences.

    • Session cookie - stored in RAM and expires when browser is closed.

    • Persistent cookie - recorded on computer’s hard drive and does not expire when the browser closes

         •Also called a tracking cookie

    • Locally shared object (LSO) - can store up to 100 KB of data form a website

         •More complex than the simple text found in a regular cookie

         •Also called a Flash cookie

Denial of Service (DoS)

 Denial of service (DoS)

        • A deliberate attempt to prevent authorized users from accessing a system by overwhelming it with requests

 Most DoS attacks today are distributed denial of service (DDoS)

        • Using hundreds or thousands of zombie computers in a botnet to flood a device with requests

 Ping flood attack

• The ping utility is used to send large number of ICMP echo request messages
•  In a ping flood attack, multiple computers rapidly send a large number of ICMP echo requests to a server

              •Server will drop legitimate connections and refuse new connections

 Smurf attack

• Tricks devices into responding to false requests to an unsuspecting victim
• An attacker broadcasts a ping request to all computers on the network but changes the address from which the request came from (called spoofing)
• Appears as if victim’s computer is asking for response from all computers on the network
• All computers send a response to the victim’s computer so that it is overwhelmed and crashes or becomes unavailable to legitimate users

 SYN flood attack

• •Takes advantage of procedures for initiating a session

 In a SYN flood attack against a web server:

• The attacker sends SYN segments in IP packets to the server
• Attacker modifies the source address of each packet to computer addresses that do not exist or cannot be reached

Poisoning

 Poisoning

• The act of introducing a substance that harms or destroys

 Two types of attacks inject “poison” into a normal network process to facilitate an attack:

• ARP poisoning
• DNS poisoning

 ARP Poisoning

• Attacker modifies MAC address in ARP cache to point to a different computer

1. Viruses

   Viruses perform two actions:

           Unloads a payload to perform a malicious action.

           Reproduces itself by inserting its code into another file on the same computer.

    Examples of virus actions:

           Cause a computer to repeatedly crash.

           Erase files from or reformat hard drive.

           Turn off computer’s security settings.

           Reformat the hard disk drive.

    Viruses cannot automatically spread to another computer.

           Relies on user action to spread.

    Viruses are attached to files.

    Viruses are spread by transferring infected files.

2. Worms

    Worm - malicious program that uses a computer network to replicate

    Sends copies of itself to other network devices

    Worms may:

           Consume resources or

           Leave behind a payload to harm infected systems

    Examples of worm actions

           Deleting computer files

           Allowing remote control of a computer by an attacker

3. Trojans

    Trojan horse (Trojan) - an executable program that does something other than advertised

         Contain hidden code that launches an attack

         Sometimes made to appear as data file

    Example

         User downloads “free calendar program”

              Program scans system for credit card numbers and passwords

              Transmits information to attacker through network

Concealment

   Rootkits - software tools used by an attacker to hide actions or presence of other types of malicious software.

                  •Hide or remove traces of log-in records, log entries.

Collect Data

   Ransomware - prevents a user’s device from properly operating until a fee is paid

        • Is highly profitable

        • Nearly 3 percent of those users who have been infected pay the ransom without questions, generating almost $5 million annually

Social Engineering Attacks

  •Social engineering - a means of gathering information for an attack by relying on the weaknesses of individuals

  •Social engineering attacks can involve psychological approaches as well as physical procedures

Phishing

   Phishing - sending an email claiming to be from legitimate source

            –Tries to trick user into giving private information

   Many phishing attacks have these common features:

           • Deceptive web links

           • Logos

           • Urgent request

   Variations of phishing attacks

           • Pharming - automatically redirects user to a fraudulent Web site

           • Spear phishing - email messages target specific users

           • Whaling - going after the “big fish”

                  Targeting wealthy individuals

           • Vishing (voice phishing)

                  Attacker calls victim with recorded “bank” message with callback number

                  Victim calls attacker’s number and enters private information

  - Three types of information protection: often called CIA 

       1. Confidentiality

             Only approved individuals may access information.

       2. Integrity 

             Information is correct and unaltered.

       3. Availability 

             Information is accessible to authorized users.
 - Protections implemented to secure information. 

       1. Authentication 

            • Ensures the individual is who they claim to be. 

       2. Authorization 

            • Provides permission or approval to specific technology resources. 

       3. Accounting 

           • Provides tracking of events.

Who Are the Attackers?

  Hacker: The person who uses computer skills to attack computers. 

• Blackhat hackers: Violate computer security for personal gain and the goal is to inflict malicious damage. 
• White hat hackers: Goal to expose security flaws, not to steal or corrupt data.
• Gray hat hackers: Goal is to break into a system without owner ’s permission, but not for their own advantage.

Categories of attackers

1. Cybercriminals

   A network of attackers, identity thieves, spammers, financial fraudsters. 

            - More highly motivated.

            - Willing to take more risk. 

            - Well-funded 

            - More tenacious 

  The goal of a cybercriminal is financial gain. 

  Cybercrime - targeted attacks against financial networks and the theft of personal information.

  Financial cybercrime is divided into two categories:

          • Individuals and businesses. 

             • Use stolen data, credit card numbers, online financial account information, or Social Security numbers to profit from victims. 

          • Businesses and governments.

                   • Attempt to steal research on a new product so they can sell it to an unscrupulous foreign supplier. 

  Advanced Persistent Threat (APT) - multiyear intrusion campaign that targets highly sensitive economic, proprietary, or national security information.

2. Script kiddies
  Script kiddies - individuals who want to attack computers yet they lack the knowledge  of computers and network needed to do so. 

  They download automated hacking software (scripts) from websites. 

  Over 40 percent of attacks require low or no skills. 

  Exploit kits - automated attack package that can be used without an advanced knowledge   of computers.

     • Script kiddies either rent or purchase them.

3. Brokers

   Brokers-attackers who sell knowledge of a vulnerability to other attackers or governments. 

   Often hired by the vendor to uncover vulnerabilities. 

      • Instead, they do not report it to the vendor but sell the information about the vulnerabilities to the highest bidder.

4. Insiders

   Employees, contractors, and business partners.

   Over 48 percent of breaches attributed to insiders. 

   Examples of insider attacks: 

        • Health care worker may publicize celebrities’ health records.

                - Disgruntled over an upcoming job termination. 

        • A stock trader might conceal losses through fake transactions.

        • Employees may be bribed or coerced into stealing data before moving to a new job.

5. Cyberterrorists

   Cyberterrorists    - an attacker whose motivation may be ideological or for the sake of principles or beliefs.

       • Almost impossible to predict when or where the attack may occur.

   Targets may include: 

       • A small group of computers or networks that can affect the largest number of users.   

   Example:    

      • Computers that control the electrical power grid of a state or region.

6. Hacktivists

   Hacktivists    - attackers who attack for ideological reasons that are generally not as well-defined as a cyberterrorist ’s motivation. 

   Examples of hacktivist attacks: 

• Breaking into a website and changing the contents on the site to make a political statement. 
• Disabling a website belonging to a bank because the bank stopped accepting payments that were deposited into accounts belonging to the hacktivists.

7. State-sponsored attackers 

   State-sponsored attacker - an attacker commissioned by the governments to attack enemies’ information systems.

• May target foreign governments or even citizens of government who are considered hostile or threatening. 

   Examples of attacks: 

• Malware targeting government or military computers. 
• Citizens having their email messages read without their knowledge.
   

Defenses Against Attacks

 Five fundamental security principles for defenses. 

1. Layering 

   Information security must be created in layers. 

• A single defense mechanism may be easy to circumvent.
• Making it unlikely that an attacker can break through all defense layers. 

   Layered security approach.

• Can be useful in resisting a variety of attacks. 
• Provides the most comprehensive protection.

2. Limiting 

   Limiting access to information: 

• Reduces the threat of it. 

   Only those who must use data should be granted access. 

• Should be limited to only what they need to do their job. 

   Methods of limiting access. 

• Technology-based    --> such as file permissions. 
• Procedural    --> such as prohibiting document removal from premises.

3. Diversity 

   Closely related to layering 

• Layers must be different (diverse) 

   If attackers penetrate one layer: 

• Same techniques will be unsuccessful in breaking through other layers.

   Breaching one security layer does not compromise the whole system.
   Example of diversity 

• Using security products from different manufacturers.

4. Obscurity 

   Obscuring inside details to outsiders. 

   Example: not revealing details. 

• Type of computer. 
• Operating system version. 
• Brand of software used.

   Difficult for an attacker to devise attack if system details are unknown.

5. Simplicity

   Nature of information security is complex. 

   Complex security systems: 

•  Can be difficult to understand and troubleshoot.
•  Are often compromised for ease of use by trusted users.

   A secure system should be simple from the inside.

• But complex from the outside.