Application Security

UNIT 2
 Application Security
• Application security is the use of software,
hardware, and procedural methods to protect
applications from external threats.
• It has become necessary to secure the applications
evolved or used by the organization.
• Attackers in the last decades, not only targeted
the servers and operation systems but also
attacked the client applications
• Security professionals are aware that
applications, especially client side, third party
applications must be secured
 Application Security contd…
• The internet is a highly vulnerable place; any
application interacting with the web is always
under threat.
• Attackers try to take advantage of any
vulnerability through which they can affect
the normal operations of a user.
• Most OS Vendors used patched systems to
keep vulnerability to minimum but even the
patched systems are devoid of attacks.
 Application security
• Attackers targets-
– Servers
– Operating Systems
– Client-side Applications(Browsers, Multimedia,
Document Readers)
– Third Party Applications
 Challenges in Application Security
• Verification of users: Needs to verify that only
genuine users are trying to use them.
• Authorization: The application needs to
determine if the identified user is allowed to
access the requested functionality.
• Encryption of data: Data stored by applications
needs to be safeguarded from potential attacks.
• Data Integrity and non-repudiation: Neither the
sender nor the receiver should be able to deny
the authenticity of the message.
 Challenges in Application Security
• Safeguarding applications from the attacks:
• Guarding privacy of applications:
i) Information generated from the applications and
how it is used, distributed, shared or dispensed
with third parties.
ii) How application services themselves expose the
personal information of the users.
iii)Various laws have been framed regarding data
privacy.
 Application security threats
Integrity:
Threats Consequences Countermeasures
 Modification of user  Loss of Cryptographic
data information checksums
 Trojan horse browser  Compromise of
 Modification of machine
memory  Vulnerability to
 Modification of all other
message traffic in threats
transit
 Vendors Challenges for Application
Security
• Biggest challenges for software vendors is the
availability of various OS platform and
different versions of software applications
• Compatibility-Already existing platforms have
their own security considerations
• Some applications are browser specific
• Development related issues
 Users Challenges for Application
Security

• Non standardization of policies

• No knowledge of up gradation
• Lack of knowledge for existing policies
• Risk analysis is not done properly
• No planning and management of threats and
risks to client side application security issues.
 Guidelines to secure client side
applications
• Collaborating with vendors in sharing
knowledge and experience will help in making
application more secure
• Improving client side security of application
through sandboxing(restricting rights of
executing programs to work in limited
environment)
• Use some standardizing applications
• Using software to newer versions
 Sandboxing
• Sandboxing is a software management
strategy that isolates applications from critical
system resources and other programs. It
provides an extra layer of security that
prevents malware or harmful applications
from negatively affecting your system.
 Data Security
• Data is any type of stored digital information.
• Security is about the protection of assets.
• Prevention: measures taken to protect your
assets from being damaged.
• Detection: measures taken to allow you to
detect when an asset has been damaged, how it
was damaged and who damaged it.
• Reaction: measures that allow you to recover
your assets.
 Data security considerations
• Security of data means maintaining its
confidentiality - Integrity- Availability (CIA)
properties, which requires certain points to be
considered
• These data security considerations are related
to
– Data backup,
– Data archival, and
– Data disposal
 Data backup security
• To manage data properly, we must consider
data backup, which is the primarily used for
the purpose of data security against any kind
of accident and loss of data due to some
malicious activities.
• Backup of data is nothing ,but storage of
snapshot of data at certain points, and in case
of data is loss due to some reason ,you could
restore the most recent form of data.
 Some reasons of data lost
• Failure of hardware or faults in the hardware
system
• Fault in the media or software
• Hacking of data or infection of viruses causing
loss of data
• Failure of power, resulting in data loss
• Erroneous human activities such as changes in
or deletion of files
 Data backup security
considerations
• Should you consider backing up your entire system or
only a specific set of files
• Does the organization you are working for has some
backup policy
• How frequently should your data be backed up
• Which storage media should you use for data backup
• In which format should you store your files
• Should you back up your files incrementally or
differentially
• How should you validate your backup copies.
 Data archival
• The process separating older(or currently inactive)data from
currently active ,new, and fresh data is known as archival of data
• The separated old data is moved to a different storage device so
that data can be retained for a long time and reference
whenever required.
• The process of data archival requires moving selected part of
data to different location to reduce cost ,save storage space in
online system, reduce access complexity and improve system
performance.
• Archived data is stored according to the object context and
indexed so that finding them become easy whenever required in
future
 Data Archival Security Considerations
• Longevity of storage solution
– long term objective be kept in mind. Changes should be incorporated
easily
• Manageability of storage solution
• Amount of focus on intelligence of content
– importance to certain data is a critical matter.
• Optimization of total cost of ownership
– should provide technical and administrative functionalities that help
in reducing cost
• Type of available solution
– should be able to accommodate scaling needs and support third
party product integration
 Data Disposal
• Destruction of data means to completely wipe out the
data from the storage media. This process of wiping
out the data completely is called data disposal
• Data disposal is an act of permanently deleting or
destroying the data stored in media.
• Sometimes require destroying the data permanently
for some security or compliance reasons.
• Whenever legacy or obsolete system and device are
replaced ,removal of data stored in those system and
device at present is must.
 Data Disposal Security Considerations
• Data stored in legacy and obsolete systems must be
removed carefully.
• Data disposal methods are as follows:-
– Overwriting hard drives- device could be reused.
– Degaussing hard drives and backup tapes
– Destroying storage media-should be done with the help
of scrappers only. All devices should be converted into
metal scrap.
• Formatting is not a good option since the data may
be recovered with the help of certain tools.
Security Threats

UNIT 2
 Viruses
• A virus refers to piece of software that is
designed and developed with purpose of
infecting a computer system and performs
illegal operations.
• A virus infected system can hamper data
stored on a drive, crash the OS.
• Virus can attack via infected media like CD,
USB drives, internet, etc
 Virus categories
• Trojan horse
– It is transmitted to a system under disguise (mask) of any
legitimate (genuine) application or program. Like
attachment to a program or as a part of installation
process.
• Logic bombs -A logic bomb is a piece of code inserted
into an operating system or software application that
implements a malicious function after a certain amount of
time, or specific conditions are met. Logic bombs are often
used with viruses, worms, and trojan horses to time them to
do maximum damage before being noticed.
– Code executed when a pre-defined event occurs.
• Worms - It is self-sufficient to replicate themselves. It
target to RAM.
 Worms - It is self-sufficient to replicate
themselves. It target to RAM.
• A computer worm is a standalone malware
computer program that replicates itself in
order to spread to other computers. Often, it
uses a computer network to spread itself,
relying on security failures on the target
computer to access it. Unlike a computer
virus, it does not need to attach itself to an
existing program.
Antivirus Software
Antivirus software is designed to detect, prevent, and remove
malicious software.

• Norton
• McAfee
• Kaspersky
• Avast
• Quick heal
• AVG
 Spoofing
• Spoofing means to provide false information
about your identity to gain unauthorized access
of other computers. Types of Spoofing
• IP spoofing
– Connection hijacking through a fake IP address.
• Content spoofing
– Ask your personal information
• Caller ID spoofing the actual originating station.
– Caller ID display which is not actual.
• Email spoofing
– Originating from someone
 IP Spoofing
Definition:
Attacker uses IP address of another computer to acquire
information or gain access

Replies sent back to 10.10.20.30

Spoofed Address John

10.10.20.30 10.10.5.5

From Address: 10.10.20.30

• Attacker changes his own IP address To Address: 10.10.5.5
to spoofed address
• Attacker can send messages to a
machine masquerading as spoofed
machine
• Attacker can not receive messages
Attacker
from that machine
10.10.50.50
 Content Spoofing
Use dynamic HTML and frames to create a website
with the expected URL and a similar appearance
and then prompt the user for personal information.
This is also common with email alerts, account
notifications etc.
Caller ID Spoofing
Practice of causing the telephone network to display
a number on the recepient’s caller ID display which
is not the actual originating statiom.
 Email Spoofing
Definition:
Attacker sends messages masquerading as some one else

Types of Email Spoofing:

1. Create an account with similar email address
– Sanjaygoel@yahoo.com: A message from this account can
perplex the students
2. Modify a mail client
– Attacker can put in any return address he wants to in the mail
he sends
3. Telnet to port 25
– Most mail servers use port 25 for SMTP. Attacker logs on to this
port and composes a message for the user.
 Denial of Service (DOS) Attack
Definition:
Attack through which a person can render a system unusable or
significantly slow down the system for legitimate users by overloading
the system so that no one else can use it.
Types:
1.Crashing the system or network
– Send the victim data or packets which will cause system to crash or
reboot.
2.Exhausting the resources by flooding the system or network with
information
– Since all resources are exhausted others are denied access to the
resources
3.Distributed DOS attacks are coordinated denial of service attacks
involving several people and/or machines to launch attacks
 Backdoor or Trapdoor
• Secret entry point Into a program.
• Allows those who know access bypassing
usual security procedures.
• Have been commonly used by developers
• A threat when left in production programs
allowing exploited by attackers.
• Very hard to block in O/S.
• Requires good s/w development & update.
 Email Virus
• Spread using email with attachment
containing a macro virus
– Cf melissa
• Triggered when user opens attachment
• Or worse even when mail viewed by using
scripting features in mail agent
• Hence propagate very quickly
• Usually targeted at microsoft outlook mail
agent & word/excel documents
– Need better O/S & application security
 Malicious software
• Malicious software (malware) is any software that
gives partial to full control of your computer to do
whatever the malware creator wants.
• Malware can be a virus, worm, trojan, adware,
spyware, root kit, etc.
• The damage done can vary from something slight as
changing the author's name on a document to full
control of your machine without your ability to easily
find out.
 Malicious Software

– Various malicious programs

– Trapdoor, logic bomb, trojan horse
– Viruses
– Worms
– Distributed denial of service attacks
Malicious Software