EC Council CASE.NET (312-95) Notes: Module 1 Terminology and Definitions

English technical terms frequently encountered while reading the course material

General :
Cont'd (abbreviation of "continued")
Secure Development Life Cycle (common abbreviations: SDLC, SDL) : the secure development life cycle
Vulnerabilities : weaknesses, security holes
Confidentiality : confidentiality
Integrity : integrity
Availability : the property of remaining accessible and usable
exploit : to take advantage of a vulnerability
Intrusion : intrusion, break-in
Authentication : verifying identity (who you are; verifies credentials)
Authorization : granting rights (access to resources at different role levels; grants or denies permissions)
defend : to defend
legitimate : lawful, legitimate
hijacking : hijacking, taking over
manipulation : manipulation (control)
fraud : fraud, cheating
theft : theft
privileges : privileges, elevated rights
tampering : tampering, unauthorized alteration
Forgery : forgery (counterfeiting)
victim : the party harmed by an attack
negligence : negligence, carelessness
Failure : failure
flaws : defects
malware : malicious software
SDL or SDLC (Software Development Life Cycle)


Module 01 Understanding Application Security, Threats, and Attacks


"A vulnerability in an application will allow a malicious user to exploit a network or a host"


It is a common myth that perimeter security controls such as firewalls and IDS can secure your application,
but this is not true, as these controls are not effective at defending against application-layer attacks.

This is because ports 80 and 443 are generally open on perimeter devices for legitimate web traffic, which attackers can use to exploit application-level vulnerabilities and get into the network.

Gartner (IT research and advisory firm) report

"Nearly 75% of all attacks on information security are directed at the web application layer."
"2/3 of all web applications are vulnerable."

Security Threats : security threats

Attacks : attack techniques

Attackers : attackers

malicious : malicious, ill-intentioned

Functional Activities in SDLC : functionality-related activities in the secure development life cycle

Security Activities in SDLC : security-related activities in the secure development life cycle

Reputation : reputation

Launch : the verb used for initiating an attack

Exhaust : to use up, to deplete

disclosure : leaking (of information)

closure : interruption, shutdown, going out of business

fraudulent : fraudulent

fraudulent transactions : fraudulent transactions

perimeter security : perimeter security (firewall, IDS)

IDS (Intrusion detection system) : intrusion detection system


Most Common Application Level Attacks

SQL Injection Attack
Attackers inject SQL into dynamic SQL statements or stored procedures that take arguments from the client side,
in order to bypass normal security measures or drop database tables.
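As an added example (not part of the course material), the two patterns described above side by side in Python with an in-memory SQLite table: the string-built query that client input can rewrite, and the parameterised form that keeps input as data. The table contents and credentials are constructed sample values, stored in clear only to keep the demo short.

```python
import sqlite3

# Constructed in-memory user table for the demonstration (sample data, not real accounts).
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
conn.executemany("INSERT INTO users VALUES (?, ?)", [("alice", "s3cret"), ("bob", "hunter2")])


def login_vulnerable(name: str, password: str) -> list:
    """Dynamic SQL built by string concatenation: client input becomes part of the
    statement text, so quote characters in it change the query's logic."""
    sql = f"SELECT name FROM users WHERE name = '{name}' AND password = '{password}'"
    return [row[0] for row in conn.execute(sql)]


def login_safe(name: str, password: str) -> list:
    """Parameterised query: the same input is bound as a literal value and can never
    alter the statement structure, which is the primary fix for SQL injection."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (name, password))]
```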


Cross-site Scripting (XSS) Attack
Unvalidated input data that is included in dynamic content lets an attacker inject malicious script that is executed in the victim's browser,
such as JavaScript, VBScript, etc.

(Ads in hidden iframes or pop-ups, intranet probing,
redirection to a malicious server, session hijacking,
brute-force password cracking, data theft)


Parameter Tampering Attack
(such as URL parameters)
A web parameter tampering attack involves manipulation of the parameters exchanged between client and server in order to modify application data (user credentials and permissions, the price or quantity of products)
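One server-side defence for the price/quantity case above, as an added example that is not from the course: the server signs the parameters it hands out with an HMAC, rejects any set that comes back altered, and still takes the authoritative price from its own catalogue rather than the request. The secret key, catalogue and SKUs are constructed values.

```python
import hmac
import hashlib
from urllib.parse import urlencode, parse_qs

# Constructed server-side secret and catalogue (hypothetical values; prices in cents).
SECRET_KEY = b"replace-with-a-random-server-secret"
CATALOGUE = {"SKU-100": 4999, "SKU-200": 950}


def _sign(params: dict) -> str:
    """HMAC-SHA256 over the canonical (sorted) parameter string."""
    canonical = urlencode(sorted(params.items()))
    return hmac.new(SECRET_KEY, canonical.encode(), hashlib.sha256).hexdigest()


def make_checkout_query(sku: str, qty: int) -> str:
    """Server builds the query string that the client will send back at checkout."""
    params = {"sku": sku, "qty": str(qty), "price": str(CATALOGUE[sku])}
    params["sig"] = _sign(params)
    return urlencode(params)


def parse_checkout_query(query: str):
    """Server-side handler: returns the order total in cents, or None when the
    parameters were altered in transit or are otherwise invalid."""
    parsed = {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}
    sig = parsed.pop("sig", "")
    if not hmac.compare_digest(sig, _sign(parsed)):
        return None  # sku, qty or price differs from what the server issued
    unit_price = CATALOGUE.get(parsed.get("sku"))
    qty = int(parsed.get("qty", "0"))
    if unit_price is None or qty <= 0:
        return None
    # Even with a valid signature, the authoritative price is the catalogue's, not the client's.
    return unit_price * qty
```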




Directory Traversal Attack
Allows attackers to access restricted directories, including source code, configuration files, critical system files, etc.
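A path-containment check that stops the traversal described above, added here as an example rather than taken from the course: the client-supplied path is joined to the document root, normalised, and then required to still lie inside that root. The document root path is a constructed placeholder that need not exist.

```python
from pathlib import Path
from typing import Optional

# Constructed document root for the demonstration (hypothetical path; need not exist).
DOC_ROOT = Path("/srv/app/public").resolve()


def resolve_public_file(requested: str) -> Optional[Path]:
    """Map a client-supplied relative path to a file under DOC_ROOT.
    Returns None when the normalised path would escape the document root.
    Assumes `requested` has already been URL-decoded exactly once."""
    if "\x00" in requested or requested.startswith("/"):
        return None  # NUL bytes and absolute paths are never legitimate here
    # resolve() collapses '.' and '..' segments (and symlinks, for parts that exist)
    candidate = (DOC_ROOT / requested).resolve()
    try:
        candidate.relative_to(DOC_ROOT)  # raises ValueError if outside DOC_ROOT
    except ValueError:
        return None
    return candidate
```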


Cross-site Request Forgery (CSRF) Attack
The user who is the victim holds an active session with a trusted site and simultaneously visits a malicious site, which injects an HTTP request for the trusted site into the victim user's session,
compromising its integrity.
This is a form of session hijacking.
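The standard mitigation for the scenario above, the synchronizer token, as an added Python example (not course code): a secret token is stored per session and echoed in the server's own forms; a request from another site carries the victim's session cookie automatically but cannot read or guess the token, so it is refused. The session store and endpoint are constructed stand-ins.

```python
import hmac
import secrets

# Constructed in-memory session store (hypothetical; real apps use a server-side store).
SESSIONS = {}  # session_id -> dict of session data


def new_session() -> str:
    """Issue a session ID and a separate, unguessable CSRF token bound to it."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"csrf_token": secrets.token_urlsafe(32)}
    return sid


def csrf_token_for(sid: str) -> str:
    """Value the server embeds as a hidden form field for this session only."""
    return SESSIONS[sid]["csrf_token"]


def handle_transfer(cookie_sid: str, form: dict) -> str:
    """State-changing endpoint. The browser attaches the session cookie to any
    request, so the session alone proves nothing about where the request came
    from; the token in the form body must match the one tied to the session."""
    session = SESSIONS.get(cookie_sid)
    if session is None:
        return "401 not logged in"
    submitted = form.get("csrf_token", "")
    if not hmac.compare_digest(submitted, session["csrf_token"]):
        return "403 csrf token mismatch"
    return f"200 transferred {form['amount']} to {form['to']}"
```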


Denial of Service (DoS) Attack
Exhausts the available server resources with hundreds of resource-intensive requests.
Targets of the attack: CPU, memory, disk bandwidth, database bandwidth



Session Attacks

Divided into:
1. Cookie Poisoning Attacks
Cookies are usually used to persist session data in the client browser,
because the HTTP protocol is stateless.
Cookies carry the risk of being tampered with, overwritten, or injected with malicious content.


2. Session Fixation (fixed session ID)
The attacker makes the victim log in to the website with a specific session ID, after which the attacker can illegitimately access the victim's identity and corresponding privileges.

The attacker may first register as a member of the target platform, log in, and obtain a session ID,
then use social engineering to lure the victim into logging in and entering their credentials under that session ID, thereby indirectly obtaining the victim's authenticated identity.
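The usual defence against session fixation, regenerating the session ID at login, as an added example in Python (not from the course): IDs the server never issued are not honoured, and a successful login discards the pre-login ID and issues a fresh one, so an ID known to anyone before login is worthless afterwards. The session store and user table are constructed.

```python
import secrets

# Constructed in-memory session store and credential table (hypothetical sample data).
SESSIONS = {}  # session_id -> {"user": str | None}
USERS = {"victim": "correct-horse"}


def get_or_create_session(cookie_sid):
    """Accept only IDs the server itself issued; anything else gets a fresh ID.
    This alone defeats an attacker handing the victim a made-up ID."""
    if cookie_sid in SESSIONS:
        return cookie_sid
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": None}
    return sid


def login(cookie_sid, username, password):
    """On successful authentication, drop the pre-login session and issue a new ID.
    Returns the new session ID, or None when the credentials are wrong."""
    if USERS.get(username) != password:
        return None
    SESSIONS.pop(cookie_sid, None)  # the old ID (possibly planted) dies here
    new_sid = secrets.token_urlsafe(32)
    SESSIONS[new_sid] = {"user": username}
    return new_sid


def current_user(cookie_sid):
    """Who the server considers logged in under this ID, if anyone."""
    return SESSIONS.get(cookie_sid, {}).get("user")
```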


Why applications become vulnerable to attacks

Most software development curricula or books do not address security issues

No proper guidance provided to relevant stakeholders at different phases of the project development

Failure to gather application security requirements in the inception phase

Improper application of security principles in the design phase

Insecure coding techniques give space to various vulnerabilities

Lack of security testing in the testing phase

Security negligence in deployment phase





Common Flaws due to insecure coding techniques

  1. Improper Input Validation
  2. Insufficient Transport Layer Protection
  3. Improper Error Handling
  4. Insecure Cryptographic Storage
  5. Broken Authentication and Session Management
  6. Unvalidated Redirects and Forwards
  7. Failure to Restrict URL Access
  8. Insecure Direct Object References


1. Improper Input Validation

  • Unvalidated Input Data
    The application receives inputs from various sources such as human users, software agents (browsers), and network/peripheral devices, which can be suspicious or untrusted

    Processing inputs without proper validation can expose the application to numerous threats

  • Malicious Script Execution
    Improper validation of input may provide a path for attackers to perform injection attacks such as cross-site scripting attacks, SQL injection attacks, etc.

    The attacker can use various tricks and techniques to exploit weaknesses in the input validation mechanism of an application. They may submit bogus data to crash the system, maliciously manipulate the database, and corrupt the database of the application
(Note: suspicious = doubtful; bogus = fake)






2. Insufficient Transport Layer Protection
  • Exposes Data
    This vulnerability exposes users' data to untrusted third parties and can lead to account theft
  • Launch Attacks
    A weak SSL setup can also help the attacker launch phishing and MITM attacks
  • Supports Weak Algorithms
    Insufficient transport layer protection supports weak algorithms, and uses expired or invalid certificates

(Note: MITM = man-in-the-middle attack)

3. Improper Error Handling
  • Improper error handling gives insight into the source code, such as logic flaws, default accounts, etc.
  • Using the information received from an error message, an attacker identifies vulnerabilities for launching various web application attacks

If error messages are exposed directly, the attacker's chance of a successful break-in increases

Information Gathered (common information collected from error messages)
  • Out of memory
  • Null pointer exceptions
  • System call failure
  • Database unavailable
  • Network timeout
  • Database information
  • Web application logical flow
  • Application environment


4. Insecure Cryptographic Storage

Insecure cryptographic storage refers to an application that uses poorly written encryption code
to encrypt and store sensitive data in the database

This flaw allows an attacker to steal or modify weakly protected data such as credit card numbers, SSNs, and other authentication credentials.

(Note: SSN, Social Security Number: a nine-digit number issued by the US federal government to its citizens, permanent residents, and temporary (working) residents, used to track an individual's tax records and serving as an identification number.)


5. Broken Authentication and Session Management

An attacker uses vulnerabilities in the authentication or session management functions, such as exposed accounts, session IDs, logout, password management, timeouts, "remember me", secret questions, account updates, and others, to impersonate users.




6. Unvalidated Redirects and Forwards

Unvalidated redirects enable attackers to install malware or trick victims into disclosing passwords or other sensitive information, whereas unsafe forwards may allow access control bypass




7. Failure to Restrict URL Access

There are certain pages in the application which handle sensitive operations and data. Access to these pages is restricted and granted based on authorization. For example, certain functionality of the application requires administrator rights

During development, the developer tries to hide these pages from others by not providing direct links to them


The attacker uses forceful browsing techniques to find the URL of such sensitive pages to gain unauthorized access



8. Insecure Direct Object References

A direct object reference vulnerability exists when a developer uses an internal object implementation directly in the user interface

These objects may include a file, directory, database record, or key

The attacker gets an idea of the internal implementation and may use these objects as part of a URL to access and modify sensitive information without any authorization

In a banking application, an attacker may supply an account number directly in an input field of the user interface, knowing that the account number is generally the primary key of any banking application

This may give the attacker a path to commit attacks on the bank database
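The bank-account case above in code, as an added example that is not from the course: the lookup that trusts the client-supplied account number beside the one that authorises the reference against the authenticated user, plus the stronger option of deriving the usable references from the session. Account numbers, owners and balances are constructed sample data.

```python
# Constructed accounts table: account number -> (owner, balance in cents). Sample data only.
ACCOUNTS = {
    "10001": ("alice", 125_00),
    "10002": ("bob", 40_00),
}


def get_balance_vulnerable(account_no: str):
    """Looks up whatever account number the client supplied: the IDOR pattern.
    The primary key alone is the access token, so any valid number works."""
    record = ACCOUNTS.get(account_no)
    return None if record is None else record[1]


def get_balance(current_user: str, account_no: str):
    """Authorise the reference against the authenticated user before using it.
    An unknown account and someone else's account get the same answer, so the
    response does not reveal which account numbers exist."""
    record = ACCOUNTS.get(account_no)
    if record is None or record[0] != current_user:
        return None
    return record[1]


def list_own_accounts(current_user: str):
    """Better still: derive the set of usable references from the session and
    expose only those to the UI, instead of accepting arbitrary keys."""
    return sorted(no for no, (owner, _) in ACCOUNTS.items() if owner == current_user)
```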





Software applications are designed and developed with functionality first in mind and security as a distant second or third.





What Constitutes Comprehensive Application Security?

What makes up comprehensive application security

(Diagram: the building blocks of application security)





Coding securely alone does not ensure secure software development; a missed requirement, bad web design, or insecure architecture can make the application vulnerable to different types of attacks.


Remember: simply practising secure coding habits on their own cannot guarantee the security of the whole software development effort.
Usually a missed requirement, or a poor web design or architecture that is insecure in itself, is the root cause.


3W's in Application Security

Why should we care about application security?
Due to their globally accessible nature, applications are becoming more popular targets for attackers to compromise an organization's security
This could be a B2C or banking system


What do we need for application security?
Constant security vigilance at the various phases of the application development life cycle
Setting up firewalls, adopting antivirus software


Who is responsible for application security?
Managers, Architects, Developers, Testers, and Administrators
Hiring consultants, bringing in security experts


Insecure Application: A Software Development Problem


Solution:
Integrate security into the software development life cycle process
Integrating Security in Software Development Life Cycle (SDLC)



Security Software Development Process


Generally divided into six phases (functional development uses the same phases; each phase just emphasises a different aspect of implementation)
  1. Requirement
    Clearly define security requirements (e.g. a web page opened on a mobile phone must not allow file downloads; only users with special privileges may view the admin page)
  2. Design
    Coding standards for the development phase are also defined here (e.g. the session must not store confidential data...)
  3. Development
    In this phase secure coding standards are put into practice and specific secure patterns or frameworks are introduced
  4. Testing
    Conduct secure code review (e.g. a given coding pattern may lead to Path Traversal or SQL injection)
    Vulnerability Assessment: (white-box) vulnerability scanning
    Penetration testing
  5. Deployment
    Deploy the application securely
  6. Maintenance
    Regularly patch the environment and update third-party packages


Advantages of Integrating Security in SDLC
  1. Reduces the presence of software vulnerabilities to a great extent
  2. Ability to comply with regulations, standards, or requirements for secure software development
  3. Reduces costly rework by detecting and eliminating flaws at the earliest phase
  4. Improves developer job satisfaction
  5. Improves customer satisfaction
  6. Embeds a security culture to improve quality and reliability
  7. Reuse of trusted software in future development
  8. Reduces the maintenance cost


During the peak period of Microsoft's own products from 2004 onward (also the period with the most customer complaints),
the internal process for remediating security issues:
the Microsoft Security Development Lifecycle
Security Development Lifecycle is a program developed by Microsoft for developing secure applications
This program is divided into seven phases and provides information about security practices, guidelines, and technologies





Software Security Standards, Models, and Frameworks


The main international security standards fall into these categories:

The Open Web Application Security Project (OWASP)

The Open Web Application Security Project (OWASP) is an organization focused on improving the security of software

The mission of this organization is to make software security visible, so that individuals and organizations are able to make informed decisions


The Web Application Security Consortium (WASC)

The Web Application Security Consortium (WASC) is an international group of experts, industry practitioners, and organizational representatives who produce open source and widely agreed upon best practice security standards for the World Wide Web


(Note: consortium = an association or group of organizations)




Software Security Framework: 

Software Assurance Maturity Model (SAMM)

The Software Assurance Maturity Model (SAMM) is an open framework to help organizations formulate and implement a strategy for software security that is tailored for the specific risks faced by the organization.


SAMM helps you:
  1. Evaluate an organization's existing software security practices
  2. Build a balanced software security assurance program in well-defined iterations
  3. Demonstrate concrete improvements in the security assurance program
  4. Define and measure security-related activities throughout an organization

Note: tailored = custom-made


Software Security Framework: Software Assurance Maturity Model (SAMM) (Cont'd)




The maturity model consists of four business functions:

1. Governance
Assess the management of application security in an organization.

2. Construction
Assess the software creation process in an organization.

3. Verification
Assess the software testing of the application.

4. Deployment
Assess the deployment (software release management) and production of the application

Software Security Framework: Building Security In Maturity Model (BSIMM)


The main objective of BSIMM is to enable the organization to analyze and implement security features required for the organization by evaluating most frequently implemented security features in other companies


BSIMM is made up of a software security framework used to organize the 113 activities used to assess initiatives

The framework consists of 12 practices organized into four domains










Ref:
Ten Years of the Building Security In Maturity Model (BSIMM): Understanding BSIMM10 in One Article







