Application Security

  1. pre-validation

    Pre-validation - input controls that verify data is in the expected format and complies with the application's specification (type, length, range, allowed characters) before it is processed. Ex. form field validation.

    Post-validation - ensuring an application's output is consistent with expectations before it leaves the application: the response has the expected structure, user-supplied text has been encoded for its destination, and nothing unexpected is returned.
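    Both controls in code, as an added example (not from the card set or the CISSP text): the field names, allowlist rules and page template are constructed for illustration. Pre-validation rejects anything that does not match an allowlist before it is used; post-validation checks the finished response against the output specification before it is sent.

```python
"""Pre- and post-validation for a sign-up form. Added example; the field names,
allowlist rules and page template are constructed for illustration."""
import html
import re

# Pre-validation: one allowlist rule per field, (compiled pattern, max length).
# Anything not matching is rejected before the application processes it.
FIELD_RULES = {
    "username": (re.compile(r"[A-Za-z0-9_]{3,32}"), 32),
    "email": (re.compile(r"[^@\s]{1,64}@[A-Za-z0-9.-]{1,253}\.[A-Za-z]{2,}"), 254),
    "age": (re.compile(r"[0-9]{1,3}"), 3),
}


def pre_validate(form: dict) -> dict:
    """Return {field: reason} for every rejected field; an empty dict means the
    whole submission is acceptable."""
    errors = {}
    for field, (pattern, max_len) in FIELD_RULES.items():
        value = form.get(field)
        if value is None:
            errors[field] = "missing"
        elif not isinstance(value, str):
            errors[field] = "wrong type"
        elif len(value) > max_len:            # length check before the regex, so huge
            errors[field] = "too long"        # inputs never reach the matcher
        elif not pattern.fullmatch(value):
            errors[field] = "invalid format"
        elif field == "age" and not 13 <= int(value) <= 120:
            errors[field] = "out of range"
    for extra in sorted(set(form) - set(FIELD_RULES)):
        errors[extra] = "unexpected field"    # reject fields the spec does not define
    return errors


def post_validate(page_fragment: str) -> bool:
    """Output control: the fragment must be exactly one <p> element whose text
    contains no raw angle brackets, i.e. nothing the user supplied became markup."""
    return re.fullmatch(r"<p>[^<>]*</p>", page_fragment) is not None


def render_welcome(username: str) -> str:
    """Build the response, then check it against the output specification
    before it is sent. html.escape does the encoding; post_validate proves it."""
    fragment = f"<p>Welcome, {html.escape(username, quote=True)}!</p>"
    if not post_validate(fragment):
        raise ValueError("response failed post-validation")
    return fragment


if __name__ == "__main__":
    good = {"username": "ann_42", "email": "ann@example.com", "age": "34"}
    bad = {"username": "<script>alert(1)</script>", "email": "ann@example",
           "age": "7", "role": "admin"}
    print(pre_validate(good))        # {}
    print(pre_validate(bad))         # every field rejected, plus the unexpected 'role'
    print(render_welcome("x<b>y"))   # <p>Welcome, x&lt;b&gt;y!</p>
```

    The order of checks matters: type and length are tested before the regular expression so that an oversized input never reaches the matcher, and unknown fields are rejected rather than ignored.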
  2. Java

    JVM, applet, bytecode, sandbox
    Java source is compiled to an intermediate form, bytecode, that is not processor specific. The Java Virtual Machine (JVM) on the target system converts the bytecode to machine code. Applets are short Java programs downloaded to and run by a browser; the JVM runs them in a restricted environment, the sandbox, which limits what the code can reach on the local system.

    p. 994
  3. ActiveX
    • Set of OOP technologies based on COM and DCOM.
    • ActiveX controls can be reused by many applications within one system or across different systems.

    Security - unlike a Java applet there is no sandbox: a control is native code that runs with the user's privileges. The browser relies on the control's digital signature (Authenticode) and on notifying the user before a control is downloaded and run.
  4. Malware - Virus
    Small program that infects other programs or files. Its defining function is to replicate, but it cannot do so on its own: it requires a host application to attach to and spreads when that host is run or shared.
  5. macro virus
    Written in a macro language (Visual Basic for Applications in Microsoft Office documents, not a standalone VBScript file). Runs when the infected document is opened and macros are allowed to execute.
  6. boot sector virus
    Infects the boot sector (or master boot record) of a disk: it moves the original boot code elsewhere within the sector or overwrites the sector with its own code, so the virus loads before the operating system does.
  7. Compression virus
    Appends itself to an executable in compressed form; when the program is run, the malicious code is decompressed and executed.
  8. polymorphic virus

    self-garbling virus
    polymorphic virus - produces varied but operational copies of itself (each copy differs in its bytes, e.g. through a changed encryption key or reordered instructions) so that one fixed byte signature does not match every copy; done to evade anti-virus applications.

    self-garbling virus - attempts to hide from anti-virus software by garbling (scrambling) its own code, ungarbling it only when it runs.
  9. multi-part virus
    Infects both the boot sector and executable files on the hard drive. Becomes resident in memory and from there infects the boot sector and files throughout the system.
  10. meme virus
    Not code at all: hoax or chain e-mail messages that are continually forwarded. Spread by people, not by software; the cost is wasted bandwidth and attention.
  11. script viruses
    • Scripts are files executed by an interpreter rather than compiled - VBScript, JavaScript, etc.
    • A script virus is malicious code in such a script; when the interpreter runs it, the system carries out the payload (the attacker's instructions). Ex. sending a copy of the virus to every contact in the address book.
  12. tunneling virus
    Installs itself beneath the anti-virus program, between it and the operating system. When the anti-virus software requests a system check, the virus intercepts the messages passing between the system and the anti-virus software and answers them itself, hiding the infection.
  13. worms
    Different from a virus: a worm can replicate itself without a host application. It propagates itself by using e-mail, web-site downloads, network shares, etc.
  14. Anti-virus software

    signature based detection

    heuristic detection
    signature based detection - identifies a virus by its signature (a byte pattern or hash unique to it). The vendor must first see the malware and ship an updated signature, and customers must install it, so there is a window of exposure: 0-day threats and new variants are not detected.

    heuristic detection - analyzes the structure and behavior of code, collects information and assesses the likelihood that it is malicious in nature; can catch unknown malware, at the cost of more false positives.
  15. Heuristic detection methods
    static analysis
    dynamic analysis
    behavior blocking
    • static analysis - reviewing information about a piece of code (structure, imports, strings, entropy) without running it.
    • dynamic analysis - allowing the code to run in a virtual machine or emulator and observing what it does, isolated from the real system.
    • behavior blocking - allows the suspicious code to execute within the real (unprotected) OS and watches its interactions with the system. If it detects malicious activity, it can stop the application and notify the user; the drawback is that some damage may occur before the block.

    p. 1005
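    The three ideas above (a polymorphic copy defeating a fixed signature, static analysis catching the shape of self-garbling code, dynamic analysis unpacking it and re-scanning) in one runnable illustration. This is an added example, not code from the card set or from any anti-virus product: the "payload", signature database and decoder-stub format are constructed for the demonstration and correspond to no real malware.

```python
"""Signature vs. heuristic detection against a polymorphic sample. Added example:
the payload, signature database and decoder-stub format are constructed for
illustration and do not correspond to any real malware or AV product."""
import math
from collections import Counter

# Constructed "malicious" body and the byte signature a vendor would ship for it.
PAYLOAD = b"MALICIOUS_PAYLOAD:rm -rf / ; " * 4
SIGNATURES = {"EvilScript.A": b"MALICIOUS_PAYLOAD:rm -rf /"}

# Constructed marker for the small decoder routine a polymorphic copy prepends.
STUB = b"STUB:"


def polymorphic_copy(payload: bytes, key: int) -> bytes:
    """One 'varied but operational' copy: body bytes are rolling-XORed with a
    per-copy key and a decoder stub carrying that key is prepended. Every key
    produces a different file that still yields the same payload when run."""
    body = bytes(b ^ ((key + i) & 0xFF) for i, b in enumerate(payload))
    return STUB + bytes([key]) + b":" + body


def signature_scan(blob: bytes, sigs=SIGNATURES) -> list:
    """Signature-based detection: exact byte-pattern match. Fast and precise,
    but blind to anything whose bytes have changed (or to 0-day code)."""
    return [name for name, sig in sigs.items() if sig in blob]


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; repetitive text is low, encrypted/packed data approaches 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def static_heuristic(blob: bytes) -> dict:
    """Static analysis: inspect structure without executing. A decoder stub plus a
    high-entropy body is the shape of self-garbling code, whatever the bytes are.
    The 5.0-bit threshold is chosen for this example, not a vendor value."""
    has_stub = blob.startswith(STUB) and blob[len(STUB) + 1:len(STUB) + 2] == b":"
    body = blob[len(STUB) + 2:] if has_stub else blob
    entropy = shannon_entropy(body)
    score = int(has_stub) + int(entropy > 5.0)
    return {"decoder_stub": has_stub, "entropy": round(entropy, 2), "suspicious": score >= 2}


def dynamic_unpack_and_scan(blob: bytes, sigs=SIGNATURES) -> list:
    """Dynamic analysis: run the decoder in isolation (a pure-Python emulation
    standing in for a VM), then signature-scan the code it actually produces."""
    if not static_heuristic(blob)["decoder_stub"]:
        return signature_scan(blob, sigs)
    key = blob[len(STUB)]
    body = blob[len(STUB) + 2:]
    decoded = bytes(b ^ ((key + i) & 0xFF) for i, b in enumerate(body))
    return signature_scan(decoded, sigs)


if __name__ == "__main__":
    copy_a, copy_b = polymorphic_copy(PAYLOAD, 0x5A), polymorphic_copy(PAYLOAD, 0xC3)
    print(signature_scan(PAYLOAD), signature_scan(copy_a), signature_scan(copy_b))
    print(static_heuristic(copy_a), static_heuristic(b"Hello hello hello " * 8))
    print(dynamic_unpack_and_scan(copy_a))
```

    The signature finds the original but neither copy; the static heuristic flags both copies without knowing what they contain; emulating the decoder turns the problem back into a signature match. The same emulation step is where a real sandbox spends most of its effort and where evasive code tries to detect that it is being watched.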
  16. Bayesian filtering
    Applies statistical modeling - analyzes the words in a message, how often each appeared in known SPAM versus legitimate mail, and combines those probabilities (Bayes' theorem) to determine the likelihood that the e-mail is SPAM.
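    The classifier the card describes, as an added example (not from the card set): a bag-of-words naive Bayes filter with add-one smoothing. The eight training messages are constructed, not a real mail corpus, and the class names and thresholds are assumptions for the illustration.

```python
"""Naive Bayes spam filter over message words. Added example: the training
messages are constructed, not a real corpus, and the model is the classic
bag-of-words Bayes classifier with add-one (Laplace) smoothing."""
import math
import re
from collections import Counter

SPAM_TRAINING = [
    "free money now",
    "click here to claim your free prize",
    "win money fast",
    "cheap pills online now",
]
HAM_TRAINING = [
    "meeting tomorrow at noon",
    "please review the attached report",
    "lunch at noon tomorrow",
    "the project report is due friday",
]


def tokenize(text: str) -> list:
    return re.findall(r"[a-z0-9']+", text.lower())


class BayesianFilter:
    def __init__(self, spam_msgs, ham_msgs):
        self.spam_words = Counter(w for m in spam_msgs for w in tokenize(m))
        self.ham_words = Counter(w for m in ham_msgs for w in tokenize(m))
        self.vocab = len(set(self.spam_words) | set(self.ham_words))
        total = len(spam_msgs) + len(ham_msgs)          # class priors from the training mix
        self.log_prior_spam = math.log(len(spam_msgs) / total)
        self.log_prior_ham = math.log(len(ham_msgs) / total)

    def _log_likelihood(self, words, counts: Counter) -> float:
        # P(word | class) with add-one smoothing: a word never seen in one class
        # gets a small probability instead of zero, so it cannot veto the message.
        denom = sum(counts.values()) + self.vocab
        return sum(math.log((counts[w] + 1) / denom) for w in words)

    def spam_probability(self, text: str) -> float:
        """P(spam | words) = P(words|spam)P(spam) / (P(words|spam)P(spam) + P(words|ham)P(ham)),
        computed in the log domain so long messages do not underflow."""
        words = tokenize(text)
        log_spam = self.log_prior_spam + self._log_likelihood(words, self.spam_words)
        log_ham = self.log_prior_ham + self._log_likelihood(words, self.ham_words)
        diff = min(log_ham - log_spam, 700.0)             # clamp: exp(700) is still finite
        return 1.0 / (1.0 + math.exp(diff))

    def word_evidence(self, text: str) -> dict:
        """Per-word log-odds: positive favours spam, negative favours ham. Shows which
        words drove the verdict, which is how these filters are tuned in practice."""
        spam_denom = sum(self.spam_words.values()) + self.vocab
        ham_denom = sum(self.ham_words.values()) + self.vocab
        return {w: round(math.log(((self.spam_words[w] + 1) / spam_denom)
                                  / ((self.ham_words[w] + 1) / ham_denom)), 2)
                for w in tokenize(text)}


FILTER = BayesianFilter(SPAM_TRAINING, HAM_TRAINING)

if __name__ == "__main__":
    for msg in ("free money now", "lunch tomorrow at noon", "free lunch at the meeting"):
        print(f"{msg!r}: P(spam)={FILTER.spam_probability(msg):.3f} {FILTER.word_evidence(msg)}")
```

    Smoothing is the practical point: without it a single word absent from the spam training set would give P(words|spam) = 0 and let a spammer slip past by padding the message with ordinary vocabulary.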
  17. Patch Management Steps
    • 1. Infrastructure - get all groups involved - create a patch management process in the organization
    • 2. Research - research available patches and their relevance to the environment
    • 3. Assess and Test - assess whether the patch is required; test it against a test plan before production
    • 4. Mitigation (Roll-back) - have a way to undo the patch if it breaks something
    • 5. Deployment (Roll-out) - install in production
    • 6. Validation, Reporting and Logging - confirm the patch is applied and record what was done
  18. Smurf Attack
    • 1) attacker forges the header of ICMP ECHO REQUEST packets so the source address is the victim's
    • 2) the packets are sent to the broadcast address of an amplifying network; every host on it replies to the apparent source, the victim
    • 3) the victim system and its network are overwhelmed with ECHO REPLY traffic

    • Countermeasures:
    • disable directed-broadcast functionality on border routers - so the network cannot be used as an amplifying site
    • perimeter routers reject incoming packets whose source address is internal (they can only be spoofed)
    • allow only necessary ICMP traffic into and out of the environment
    • IDS - alert on suspicious activity
    • apply patches
  19. fraggle attack
    Similar to smurf but employs UDP (typically the echo and chargen services, ports 7 and 19) sent to a broadcast address with the victim as the spoofed source.

    • Countermeasures:
    • disable directed-broadcast functionality on border routers - so the network cannot be used as an amplifying site
    • perimeter routers reject incoming packets whose source address is internal
    • allow only necessary UDP traffic into and out of the environment
    • IDS - alert on suspicious activity
    • apply patches
  20. SYN flood
    Attackers take advantage of the TCP 3-way handshake by continually sending the victim SYN messages with spoofed source addresses. For each one the victim commits the resources for a half-open connection, sends its SYN/ACK and waits for the ACK that never comes, because the spoofed source does not exist or never asked for the connection. Once the connection queue fills with half-open sockets the system cannot create any more sessions - a DoS against the system's communication resources.

    • Countermeasures
    • decrease the connection-established (half-open) timeout period so abandoned sockets are freed sooner
    • increase the size of the connection queue in the IP stack
    • install vendor-specific patches and features (e.g. SYN cookies) to deal with SYN attacks
    • IDS
    • firewall - watch for and rate-limit these types of attacks
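    The router and IDS countermeasures for smurf, fraggle and SYN flood, written as checks over traffic records. This is an added example and not part of the card set: the packet records are constructed (RFC 5737 documentation addresses), and the record layout, network ranges and function names are assumptions made for the illustration rather than any real capture format.

```python
"""Border-router checks for smurf, fraggle and SYN-flood traffic. Added example:
packet records are constructed (RFC 5737 documentation addresses) and the
record layout is an assumption for this illustration, not a capture format."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("192.0.2.0/24")       # the protected network behind the border router
BROADCAST = ip_address("192.0.2.255")        # its directed-broadcast address

# (direction, proto, src, sport, dst, dport, info); direction "in" = arrived on the outside
# interface; info holds the TCP flag of interest or the ICMP message type.
SAMPLE_PACKETS = [
    # Smurf: echo request aimed at our broadcast address; every host would reply to 'src'.
    ("in", "icmp", "203.0.113.9", None, "192.0.2.255", None, "echo-request"),
    # Fraggle: the same trick with UDP echo (7) and chargen (19).
    ("in", "udp", "203.0.113.9", 53000, "192.0.2.255", 7, ""),
    ("in", "udp", "203.0.113.9", 53001, "192.0.2.255", 19, ""),
    # Arrives from outside but claims an internal source address: spoofed.
    ("in", "icmp", "192.0.2.50", None, "192.0.2.10", None, "echo-request"),
    # SYN flood: SYNs from addresses that never send the final ACK.
    *[("in", "tcp", f"198.51.100.{i}", 1024 + i, "192.0.2.10", 443, "SYN") for i in range(1, 6)],
    # One legitimate client completes the handshake.
    ("in", "tcp", "198.51.100.7", 2000, "192.0.2.10", 443, "SYN"),
    ("out", "tcp", "192.0.2.10", 443, "198.51.100.7", 2000, "SYN/ACK"),
    ("in", "tcp", "198.51.100.7", 2000, "192.0.2.10", 443, "ACK"),
]


def ingress_alerts(packets) -> list:
    """The perimeter rules from the countermeasures: refuse directed broadcasts coming
    from outside (smurf/fraggle amplification) and refuse inbound packets that carry
    an internal source address. Returns (kind, src, dst) tuples."""
    alerts = []
    for direction, proto, src, sport, dst, dport, info in packets:
        if direction != "in":
            continue
        if ip_address(src) in INTERNAL:
            alerts.append(("spoofed-internal-source", src, dst))
        if ip_address(dst) == BROADCAST:
            if proto == "icmp" and info == "echo-request":
                alerts.append(("smurf-amplification", src, dst))
            elif proto == "udp" and dport in (7, 19):
                alerts.append(("fraggle-amplification", src, dst))
            else:
                alerts.append(("directed-broadcast", src, dst))
    return alerts


def half_open_per_server(packets) -> dict:
    """SYN received but the client's final ACK never seen: count those sockets per
    (server, port). A large count from many distinct sources is the SYN-flood pattern
    an IDS or firewall rate-limits; a server's own SYN/ACK does not clear the entry."""
    pending = set()
    for direction, proto, src, sport, dst, dport, info in packets:
        if proto != "tcp":
            continue
        key = (src, sport, dst, dport)
        if info == "SYN":
            pending.add(key)
        elif info == "ACK" and key in pending:    # third step of the handshake completes it
            pending.discard(key)
    counts = defaultdict(int)
    for _, _, dst, dport in pending:
        counts[(dst, dport)] += 1
    return dict(counts)


if __name__ == "__main__":
    for alert in ingress_alerts(SAMPLE_PACKETS):
        print("DROP", alert)
    print("half-open per server:", half_open_per_server(SAMPLE_PACKETS))
```

    Note what each check can and cannot see: the broadcast and spoofed-source rules stop the network being used as an amplifier or as a spoofing source, but they do nothing for the victim of a SYN flood, whose only signal is the growing count of half-open sockets.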
  21. Teardrop attack
    Exploits IP fragmentation (the MTU, maximum transmission unit, forces large datagrams to be split into fragments). The attacker sends fragments whose offset and length fields are malformed - overlapping one another or too small to be valid - and a system that does not check for this fails when the victim receives the fragments and attempts to recombine them, forcing the system to freeze or reboot.

    • patching
    • disallow malformed fragments of packets into the environment
    • use a router that reassembles all fragments into a full packet and validates it prior to routing it to the destination system.
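    What "disallow malformed fragments" means in practice: a reassembler that refuses fragment sets that do not tile the datagram exactly, with the overlapping case being the teardrop pattern. This is an added example (not code from the card set): fragments are represented as (offset, payload, more_fragments) tuples with byte offsets, a deliberate simplification of the 8-byte-unit offsets and header fields of real IP fragments.

```python
"""Fragment reassembly that refuses teardrop-style (overlapping) and otherwise
malformed fragment sets. Added example; fragments are (offset, payload,
more_fragments) with byte offsets, a simplification of real IP fragment headers."""

MAX_DATAGRAM = 65535


def reassemble(fragments) -> bytes:
    """Return the datagram only if the fragments tile it exactly: no overlap,
    no gap, nothing beyond MAX_DATAGRAM, and exactly one final fragment.
    Raises ValueError otherwise. Teardrop sent a second fragment whose offset
    fell inside the first, which is the overlap branch below."""
    if not fragments:
        raise ValueError("no fragments")
    expected_offset = 0
    final_seen = False
    buf = bytearray()
    for offset, payload, more in sorted(fragments, key=lambda f: f[0]):
        if final_seen:
            raise ValueError(f"data at offset {offset} after the final fragment")
        if len(payload) == 0:
            raise ValueError(f"empty fragment at offset {offset}")
        if offset < expected_offset:
            raise ValueError(f"fragment at {offset} overlaps data ending at "
                             f"{expected_offset} (teardrop pattern)")
        if offset > expected_offset:
            raise ValueError(f"gap between {expected_offset} and {offset}")
        end = offset + len(payload)
        if end > MAX_DATAGRAM:
            raise ValueError(f"fragment ends at {end}, beyond the maximum datagram size")
        buf += payload
        expected_offset = end
        final_seen = not more
    if not final_seen:
        raise ValueError("final fragment never arrived")
    return bytes(buf)


def is_well_formed(fragments) -> bool:
    """Router-style decision: forward only fragment sets that reassemble cleanly,
    so the destination host never has to handle the malformed ones."""
    try:
        reassemble(fragments)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    good = [(8, b"TP/1.0\r\n", False), (0, b"GET / HT", True)]     # out of order, still valid
    teardrop = [(0, b"A" * 24, True), (20, b"B" * 8, False)]         # second fragment starts inside the first
    print(reassemble(good))
    print(is_well_formed(good), is_well_formed(teardrop))
```

    The vulnerable implementations computed the second fragment's length from the two offsets and got a negative (wrapped) value; refusing the set on the overlap check means that arithmetic is never done.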
  22. Distributed Denial of Service DDoS
    Performs a DoS attack from hundreds to thousands of machines at once. The attacking machines are typically zombies: already infected and remotely controlled by the attacker, so the traffic comes from many sources and cannot be filtered by a single address.


    • perimeter controls to restrict ICMP and UDP traffic
    • IDS
    • disable unused subsystems and services
    • rename the administrator account - implement strong password management
    • border routers - do not accept incoming packets from an internal address
Card Set: CISSP - Ch11 - Application Security