
Approaches to Applying Defence in Depth to Web Applications

Vulnerabilities and Defences
NET512: Database and Web Security

Table of Contents
List of Figures
List of Tables
Introduction
1 DEFENCE IN DEPTH
1.1 Physical Controls
1.2 Technical Controls
1.3 Administrative Controls
2 SECURITY VULNERABILITIES
2.1 Server and Database paradigms
2.2 Generic Vulnerabilities
2.2.1 Session spoofing
2.2.2 Injection attacks
2.2.3 Cross-site scripting
3 SECURITY RECOMMENDATIONS
3.1 Developer Skill
3.2 Database Permissions (Least Privilege)
3.3 Security Obscurity
3.4 Password Usage/Storage
References
Appendix

List of Figures

Figure 1. Defence in Depth Overview
Figure 2. Defence in Depth for Web Applications
Figure 3. Fortification of host nodes
Figure 4. Session Spoofing
Figure 5. Http Headers
Figure 6. OSfuscate – Before
Figure 7. OSfuscate – After
Figure 8. URLScan – Before
Figure 9. URLScan – After
Figure 10. SQL Injection Attack
Figure 11. SQL Injection Result

List of Tables

Table 1. Microsoft Server 2019 vs Ubuntu Server 18.04 (2/11/18)
Table 2. Microsoft IIS 7.5 vs Apache 2.4 (2/11/18)
Table 3. A comparative study of attacks against Corporate IIS and Apache
 

Introduction

The premise for this report is to provide the client with a deeper understanding of the security landscape, by delivering a more comprehensive overview of Defence in Depth, security vulnerabilities in the server and application layers and finally, security recommendations for the client’s website.

1         DEFENCE IN DEPTH

Originally defined as a military strategy in Edward Luttwak’s 1976 thesis ‘The grand strategy of the Roman Empire from the first century A.D. to the third’ (Luttwak, 1976), the concept of ‘Defence in Depth’ was later adopted by the National Security Agency (NSA, 2010) as a suitable ‘best practice’ paradigm for achieving information assurance.
Luttwak explains that the basic principle of the strategy is to place layers of defence around the attacker’s target, rather than to defeat an attack with a single, strong defensive line.  The objective is to slow the advance because, over time, attrition causes the attack to lose momentum and become less effective.
In information security terms, Straub (2003) describes this layered defensive posture (Appendix, Figure 1) as the use of redundant security mechanisms: if one defensive measure fails, others behind it continue to protect the data, systems, networks and users, buying time.  That time can then be used to respond to the incident, minimising the risk of the attack (Shamim, Fayyaz and Balakrishnan, 2014).
An essential principle of the Defence in Depth strategy, Skoglund (2014) adds, is a balanced focus on three primary elements, People, Technology and Operations, which can be applied within each layer.
However, it is essential to understand that implementing a secure defence is always a “best effort”.  No system can ever be 100% secure, affirm Langer and Yorks (2018, p.222), because factors outside the controls may introduce vulnerabilities.  For example, software in use may contain 0-day bugs: unknown application vulnerabilities that an attacker could exploit.
When considering the primary elements, often overlapping, three types of control can be applied: Physical, Technical, and Administrative.
LO1: Evaluate approaches to applying defence in depth to web applications

1.1         Physical Controls

[84 words max] Describe one area.
Physical controls are anything that physically limits or prevents access to an IT asset, for example fences, guards, dogs, locks and CCTV systems.
Locks
Often underutilised, most modern computer cases incorporate a holed tab at the rear that permits the fitting of a lock.  This delays removal of the case cover and so denies access to, and removal of, the system’s hard drives.

1.2         Technical Controls

[84 words max] Describe one area.
Web Application Firewalls
PCI DSS card transactions
OSI Layer 7, deep packet inspection.  Reverse proxy (the proxy sits in front of the application, not the client)
Technical controls are hardware or software whose purpose is to protect systems and resources.  Examples of technical controls are disk encryption, fingerprint readers and Windows Active Directory.  Hardware technical controls differ from physical controls in that they prevent access to the contents of a system, not to the physical system itself.

1.3         Administrative Controls

[84 words max] Describe one area.
Security Awareness Training
Administrative controls are an organisation’s policies and procedures.  Their purpose is to ensure that there is proper guidance available regarding security and that regulations are met. They include things such as hiring practices, data handling procedures, and security requirements.

2         SECURITY VULNERABILITIES

Your task is to compare, and contrast, a range of vulnerabilities and their potential effect on your client’s business.
LO2: Compare and contrast security vulnerabilities in dynamic web environments using different development paradigms
This section should cover: –
• Features and comparison of Windows IIS/SQL and Apache/MySQL
• Comparing and contrasting key elements of vulnerabilities in dynamic web environments using different development paradigms
• Definition and analysis of the vulnerabilities listed in the scenario

2.1         Server and Database paradigms

[180 words max] Firstly compare, and contrast, the two main server and database paradigms; i.e. Windows IIS/SQL (WISA) and Apache/MySQL (WAMP) regarding vulnerabilities.

2.2         Generic Vulnerabilities

Secondly, discuss the generic vulnerabilities listed below (additional vulnerabilities could be considered).

2.2.1        Session spoofing

[100 words max] Text goes here.

2.2.2        Injection attacks

[100 words max] Text goes here.
SQL Injection (SQLi) can be used in a range of ways to cause serious problems.  By leveraging SQL Injection, an attacker could bypass authentication and access, modify or delete data within a database.  In some cases, SQL Injection can even be used to execute commands on the operating system, potentially allowing an attacker to escalate to more damaging attacks inside a network that sits behind a firewall.
SQL Injection can be classified into three major categories – In-band SQLi, Inferential SQLi and Out-of-band SQLi.
Both fields: ' or 1=1--
Password field: 1'or'1'='1
(GAO, 2018) Equifax 2017 SQL Injection
(ICO, 2015) TalkTalk – DDoS + SQL Injection
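As an added illustration (not part of the report), the two login inputs listed above are run against a login check built by string concatenation and against the same check written with a parameterised query. The users table and its single account are constructed in memory for the demo.

```python
import sqlite3

def make_db() -> sqlite3.Connection:
    """Constructed sample data: one account. Plaintext storage is used only to
    keep the injection point isolated; password hashing is covered in section 3.4."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'S3cret!')")
    return conn

def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Builds the query by string concatenation: a quote in the input closes the
    string literal and the rest of the input is parsed as SQL syntax."""
    query = ("SELECT COUNT(*) FROM users WHERE username = '" + username
             + "' AND password = '" + password + "'")
    return conn.execute(query).fetchone()[0] > 0

def login_parameterised(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Same check with bound parameters: the driver passes the input as data, so
    quotes and '--' are compared literally and never change the query structure."""
    query = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()[0] > 0

def demo() -> dict:
    """Runs both inputs from the report against both implementations."""
    conn = make_db()
    both_fields = "' or 1=1--"      # the 'both fields' input quoted in the report
    password_field = "1'or'1'='1"   # the 'password field' input quoted in the report
    return {
        "vuln_both_fields": login_vulnerable(conn, both_fields, both_fields),
        "vuln_password_field": login_vulnerable(conn, "nobody", password_field),
        "param_both_fields": login_parameterised(conn, both_fields, both_fields),
        "param_password_field": login_parameterised(conn, "nobody", password_field),
        "param_real_credentials": login_parameterised(conn, "admin", "S3cret!"),
    }

if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {'logged in' if outcome else 'rejected'}")
```

The concatenated version accepts both inputs without a valid password; the parameterised version rejects them and still accepts the real credentials.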

2.2.3        Cross-site scripting

[100 words max] Text goes here.
Vulnerabilities persist in many web applications due to developers’ lack of expertise in problem identification and their unfamiliarity with current mechanisms (Venkat et al., 2012).
(Mutton, 2017) eBay 2017

3         SECURITY RECOMMENDATIONS

You have previously undertaken some analysis of the static vulnerabilities of the website using penetration testing tools. You are now required to extend this analysis to the susceptibility of the Lanconnnectors site to the vulnerabilities discussed in section 2, and other threats specific to this configuration that you may have identified or discovered.
LO3: Critically analyse the potential security risks for a given web deployment scenario and recommend security mechanisms
This section should cover: –
• Analysis of threats from section 2 contextualised to the client website
• Security recommendations to mitigate threats from section 2
• Analysis of additional areas listed in scenario
• Security recommendations to mitigate threats from additional areas listed in the scenario.

3.1         Developer Skill

[160 words max] Text goes here.  Full stack vs Coder? Security through validation? Do not offer the ability to delete a record.
Password sniffing, spoofing, buffer overflows, and denial of service: these are only a few of the attacks on today’s computer systems and networks. At the root of this epidemic is poorly written, poorly tested, and insecure code that puts everyone at risk.  Developers today need help figuring out how to write code that attackers will not be able to exploit. However, writing such code is surprisingly difficult (Viega and Messier, 2003).
Front End developer + Backend developer = Full Stack developer

3.2         Database Permissions (Least Privilege)

[160 words max] Text goes here.  Default permissions?
Barnum and Gegick (2005) explain that only the minimum necessary rights should be assigned to a subject that requests access to a resource, and that those rights should be in effect for the shortest duration necessary (remember to relinquish privileges).  Granting a user permissions beyond the scope of the necessary rights can allow that user to obtain or change information in unwanted ways.  Therefore, careful delegation of access rights can limit the damage an attacker can do to a system.

3.3         Security Obscurity

[160 words max] Text goes here.
Gleaning information by undertaking passive reconnaissance with a product such as Burp Suite (PortSwigger, 2018) helps to narrow the field of possible exploits, thereby saving an attacker time and effort, explains Skoglund (2014b).  Figure 5 illustrates that the HTTP headers are exposing
Therefore, if a web server is known to be running Apache 2.2, a hacker, or a script the hacker is running, knows to look for security holes in Apache 2.2.  If the web server software is unknown, they must try everything.  So exposed information should be limited: do not report any more information than is absolutely necessary.  It is similar to the idea of least privilege, but this is least information.
It is possible to obscure the identification of the operating system from anyone using active reconnaissance tools, with an application such as OSfuscate 0.3 (Crenshaw, 2016).
Performing this task prevents a potential hacker from focusing an attack against the known vulnerabilities of a known operating system.
A comparative study of attacks against Corporate IIS and Apache (Wright, 2011)
To frustrate the attacker
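As an added example of the “least information” check described in this section (not part of the report), the function below audits a set of response headers for product and version disclosure and returns a minimised copy. The two header sets are constructed for the demo, modelled on an IIS 7.5 and an Apache 2.2 response.

```python
import re
from typing import Dict, List

# Headers that exist only to advertise the software stack; browsers do not need them.
DISCLOSURE_HEADERS = {"server", "x-powered-by", "x-aspnet-version", "x-aspnetmvc-version"}
VERSION_PATTERN = re.compile(r"\b\d+\.\d+(\.\d+)*\b")

def disclosing_headers(headers: Dict[str, str]) -> List[str]:
    """Returns 'Name: value' for each header that names a product, plus any other
    header whose value carries a version number."""
    findings = []
    for name, value in headers.items():
        if name.lower() in DISCLOSURE_HEADERS or VERSION_PATTERN.search(value):
            findings.append(f"{name}: {value}")
    return findings

def minimise(headers: Dict[str, str]) -> Dict[str, str]:
    """Copy of the headers with the disclosure headers dropped. In production the
    server does this itself: ServerTokens Prod / ServerSignature Off on Apache,
    expose_php = Off for PHP, and RemoveServerHeader=1 in URLScan on IIS
    (the tool shown in Figures 8 and 9)."""
    return {n: v for n, v in headers.items() if n.lower() not in DISCLOSURE_HEADERS}

# Constructed sample responses (not captured from any real site).
IIS_HEADERS = {
    "Server": "Microsoft-IIS/7.5",
    "X-Powered-By": "ASP.NET",
    "X-AspNet-Version": "4.0.30319",
    "Content-Type": "text/html; charset=utf-8",
}
APACHE_HEADERS = {
    "Server": "Apache/2.2.22 (Ubuntu)",
    "X-Powered-By": "PHP/5.3.10",
    "Content-Type": "text/html",
}

def audit(headers: Dict[str, str]) -> dict:
    """Findings before, and the disclosure that remains after, minimisation."""
    return {"before": disclosing_headers(headers),
            "after": disclosing_headers(minimise(headers)),
            "kept": sorted(minimise(headers))}

if __name__ == "__main__":
    for label, hdrs in (("IIS", IIS_HEADERS), ("Apache", APACHE_HEADERS)):
        print(label, audit(hdrs))
```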

3.4         Password Usage/Storage

[160 words max] Text goes here.
2 step authentication
Hashing/salting
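The hashing and salting noted above, as an added example that is not part of the report: each password gets its own random salt, the hash is produced by a deliberately slow key derivation (PBKDF2-HMAC-SHA256 here; the iteration count is an assumed work factor), and verification uses a constant-time comparison.

```python
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 200_000  # assumed work factor; tune to the server's hardware

def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Returns a self-describing record (algorithm$iterations$salt$key) so the
    parameters can be raised later without rehashing every account at once."""
    salt = salt if salt is not None else os.urandom(16)   # fresh salt per password
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${key.hex()}"

def verify_password(password: str, record: str) -> bool:
    """Re-derives the key with the stored salt and iteration count; a malformed
    or unsupported record is rejected rather than raising."""
    try:
        algo, iterations, salt_hex, key_hex = record.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(key_hex))  # constant time

def demo() -> dict:
    """Constructed sample password; shows salting, verification and rejection."""
    secret = "correct horse battery staple"
    record = hash_password(secret)
    again = hash_password(secret)
    return {
        "record": record,
        "correct_accepted": verify_password(secret, record),
        "wrong_rejected": verify_password("Correct horse battery staple", record),
        "salts_differ": record != again,   # same password, two salts, two hashes
        "legacy_rejected": verify_password(secret, "md5$1$00$" + "0" * 32),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```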

References

Barnum, S. and Gegick, M. (2005) Least privilege.
Cleghorn, L. (2013) ‘Network Defense Methodology: A Comparison of Defense in Depth and Defense in Breadth’, Journal of Information Security, Vol:4, pp. 144–149. doi: 10.4236/jis.2013.43017.
Crenshaw, A. (2016) ‘OSfuscate’. Louisville: IronGeek.
Darknet (2017) Defence In Depth For Web Applications [Image], Countermeasures. Available at: https://www.darknet.org.uk/2016/03/defence-depth-web-applications/ (Accessed: 30 October 2018).
GAO (2018) Actions Taken by Equifax and Federal Agencies in Response to the 2017 Breach.
ICO (2015) TalkTalk cyber attack – how the ICO’s investigation unfolded, News and Events. Available at: https://ico.org.uk/about-the-ico/news-and-events/talktalk-cyber-attack-how-the-ico-investigation-unfolded/ (Accessed: 25 October 2018).
Langer, A. M. and Yorks, L. (2018) Strategic Information Technology : Best practices to drive digital transformation. 2nd edn. John Wiley & Sons.
Luttwak, E. (1976) The grand strategy of the Roman Empire from the first century A.D. to the third. Johns Hopkins University Press.
Matrix Computer Consulting (2018) Cyber Security 101 [Image], Cyber Security Practice. Available at: http://www.matrixcc.net/cyber-security/ (Accessed: 30 October 2018).
Mitre (2018a) Apache 2.4 Search Results, Common Vulnerabilities and Exposures (CVE) List. Available at: https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=apache+2.4 (Accessed: 2 November 2018).
Mitre (2018b) IIS 7.5 Search Results, Common Vulnerabilities and Exposures (CVE) List. Available at: https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=iis+7.5 (Accessed: 2 November 2018).
Mitre (2018c) Microsoft Server 2019 Search Results, Common Vulnerabilities and Exposures (CVE) List. Available at: https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=Microsoft+Server+2019 (Accessed: 2 November 2018).
Mitre (2018d) Ubuntu Server 18.04 Search Results, Common Vulnerabilities and Exposures (CVE) List. Available at: https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=Ubuntu+Server+18.04 (Accessed: 2 November 2018).
Mrd, D. (2018) Redirect someone to a different website (ARP spoofing) [Image], Pentest Tips. Available at: http://pentestfreak.blogspot.com/2013/05/redirect-someone-to-different-website.html (Accessed: 1 November 2018).
Mutton, P. (2017) Hackers still exploiting eBay’s stored XSS vulnerabilities in 2017, Security. Available at: https://news.netcraft.com/archives/2017/02/17/hackers-still-exploiting-ebays-stored-xss-vulnerabilities-in-2017.html (Accessed: 28 October 2018).
NSA (2010) Defense in Depth. Fort Meade.
PortSwigger (2018) ‘Burp Suite Professional’.
Shamim, A., Fayyaz, B. and Balakrishnan, V. (2014) ‘Layered Defense in Depth Model for IT Organizations’, in 2nd International Conference on Innovations in Engineering and Technology. Penang, p. 4. doi: 10.15242/IIE.E0914047.
Skoglund, K. (2014a) ‘Defense in depth’, in Programming Foundations: Web Security. Lynda.com. Available at: https://www.lynda.com/Web-Development-tutorials/Defense-depth/133330/163841-4.html (Accessed: 27 October 2018).
Skoglund, K. (2014b) ‘Security through obscurity’, in Programming Foundations: Web Security. Lynda.com. Available at: https://www.lynda.com/Web-Development-tutorials/Security-through-obscurity/133330/163842-4.html (Accessed: 27 October 2018).
Straub, K. R. (2003) Information Security : Managing Risk with Defense in Depth.
Venkat, T., Rao, N., Tejaswini, V. and Preethi, K. (2012) ‘Defending against Web Vulnerabilities and Cross-Site Scripting’, Journal of Global Research in Computer Science, Vol:3(5), p. 4.
Viega, J. and Messier, M. (2003) Secure programming cookbook for C and C++. O’Reilly.
Wright, C. S. (2011) A comparative study of attacks against Corporate IIS and Apache Web Servers.

Appendix

Figure 1. Defence in Depth Overview

(Matrix Computer Consulting, 2018)

Figure 2. Defence in Depth for Web Applications

(Darknet, 2017)
Figure 3. Fortification of host nodes

(Cleghorn, 2013)
Figure 4. Session Spoofing

(Mrd, 2018)
Figure 5. Http Headers

Figure 6. OSfuscate – Before

Figure 7. OSfuscate – After

Figure 8. URLScan – Before

Figure 9. URLScan – After

Figure 10. SQL Injection Attack

Figure 11. SQL Injection Result
Table 1. Microsoft Server 2019 vs Ubuntu Server 18.04 (2/11/18)

Operating system                         CVE vulnerabilities
Microsoft Server 2019 (Mitre, 2018c)     6
Ubuntu Server 18.04 (Mitre, 2018d)       3

Table 2. Microsoft IIS 7.5 vs Apache 2.4 (2/11/18)

Web server                               CVE vulnerabilities
Microsoft IIS 7.5 (Mitre, 2018b)         7
Apache 2.4 (Mitre, 2018a)                3

Table 3. A comparative study of attacks against Corporate IIS and Apache

(Wright, 2011)
