-
pre-validation
post-validation
Pre-validation - input controls verifying that data is in the appropriate format and compliant with application specifications. ex. form field validation
Post-validation - ensuring that an application's output is consistent with expectations.
-
Java
JVM, applet, bytecode, sandbox
Made up of short programs (applets) - the compiler creates intermediate code (bytecode), which is not processor specific. The Java Virtual Machine converts the bytecode to machine code. The virtual machine runs in a separate environment - the sandbox.
p. 994
-
ActiveX
- Set of OOP technologies based on COM and DCOM.
- ActiveX controls can be reused by many applications within one system, or across different systems. Components of i os -
- Security - the user is notified of ActiveX controls.
-
Malware - Virus
Small application that infects applications. Its function is to replicate. It requires a host application.
-
macro virus
VBScript virus - Office
-
boot sector virus
The virus moves data within the boot sector or overwrites the sector with new information.
-
Compression virus
Appends to executables - when the executable is run, the system decompresses the malicious code.
-
polymorphic virus
self-garbling virus
polymorphic virus - produces varied but operational copies of itself - done to evade anti-virus applications
self-garbling virus - attempts to hide from anti-virus software by garbling its own code
-
multi-part virus
Infects both the boot sector and executable files on the hard drive. Becomes resident in memory and infects the boot sector and the entire system.
-
meme virus
e-mail messages that are continually forwarded - spread by stupid humans
-
script viruses
- Scripts are files that are executed by an interpreter - VBScript, JavaScript.
- Script viruses contain malicious code; the system carries out the payload (instructions). ex. sending the virus to all contacts
-
tunneling virus
Installs itself under the anti-virus program - when the program requests a system health check, the virus, installed beneath it, receives the messages between the system and the anti-virus software.
-
worms
Different from viruses - a worm can replicate itself without a host application - it propagates itself using e-mail, web-site downloads, etc.
-
Anti-virus software
signature based detection
heuristic detection
signature based detection - identifies a virus by its signature - it takes time to update the anti-virus software (zero-day threats)
heuristic detection - analyzes the structure of malicious code, collects information and assesses the likelihood of it being malicious in nature
-
Heuristic detection methods
static analysis
dynamic analysis
behavior blocking
- static analysis - reviewing information about a piece of code
- dynamic analysis - allowing the code to run in a virtual machine
- behavior blocking - allows suspicious code to execute within the real (unprotected) OS and watches its interactions with the system. If it detects malicious software, it can stop the application and notify the user.
p. 1005
-
Bayesian filtering
Applies statistical modeling - analyzes the words to determine if the e-mail is SPAM
-
Patch Management Steps
- 1. Infrastructure - get all groups involved - create a process in the organization
- 2. Research - research patches
- 3. Assess and Test - assess if the patch is required - test plan
- 4. Mitigation (Roll-back)
- 5. Deployment (Roll-out)
- 6. Validation, Reporting and Logging
-
Smurf Attack
- 1) The attacker changes the header of an ICMP ECHO REQUEST
- 2) The source looks like the victim system - the request is sent to an amplifying network
- 3) The victim system and network are overwhelmed with ECHO replies
- Countermeasures:
- disable direct broadcast functionality on border routers - so the network is not used as an amplifying site
- perimeter routers reject incoming messages from internal addresses
- allow only necessary ICMP traffic into and out of the environment
- IDS - suspicious activity
- apply patches
-
fraggle attack
Similar to Smurf, but employs UDP
- Countermeasures:
- disable direct broadcast functionality on border routers - so the network is not used as an amplifying site
- perimeter routers reject incoming messages from internal addresses
- allow only necessary UDP traffic into and out of the environment
- IDS - suspicious activity
- apply patches
-
SYN flood
Attackers take advantage of the 3-way handshake - continually sending the victim SYN messages with spoofed packets. The victim commits the necessary resources to set up the communication socket and sends its SYN/ACK message, waiting for the ACK message in return - setting up resources for a computer that does not exist - until the system cannot create any more communication sessions - DoS on the system's communication resources
- Countermeasures
- decrease the connection-established timeout period
- increase the size of the connection queue in the IP stack
- install vendor-specific patches to deal with SYN attacks
- IDS
- firewall - watch for these types of attacks
-
Teardrop attack
Exploits the MTU (maximum transmission unit). Systems do not check for packets that are too small - the receiving victim receives the fragments and attempts to recombine them, which forces the system to freeze and reboot when trying to recombine them
- Countermeasures:
- patching
- disallow malformed packet fragments into the environment
- use a router that combines all fragments into a full packet prior to routing it to the destination system
-
Distributed Denial of Service DDoS
Performs DoS attacks from hundreds to thousands of machines - they are typically already infected zombie machines
Countermeasures
- perimeter devices restrict ICMP and UDP traffic
- IDS
- disable unused subsystems and services
- rename the administrator account - implement strong password management
- border routers - do not accept incoming packets from internal addresses