Module 1: Introduction to Web Security

Contents
Overview  1
Lesson: Why Build Secure Web Applications?  2
Lesson: Using the STRIDE Model to Determine Threats  17
Lesson: Implementing Security: An Overview  26
Review  38
Information in this document, including URL and other Internet Web site references, is subject to
change without notice. Unless otherwise noted, the example companies, organizations, products,
domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious,
and no association with any real company, organization, product, domain name, e-mail address,
logo, person, place or event is intended or should be inferred. Complying with all applicable
copyright laws is the responsibility of the user. Without limiting the rights under copyright, no
part of this document may be reproduced, stored in or introduced into a retrieval system, or
transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or
otherwise), or for any purpose, without the express written permission of Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual
property rights covering subject matter in this document. Except as expressly provided in any
written license agreement from Microsoft, the furnishing of this document does not give you any
license to these patents, trademarks, copyrights, or other intellectual property.
© 2002 Microsoft Corporation. All rights reserved.
Microsoft, MS-DOS, Windows, Windows NT, ActiveX, Active Directory, Authenticode, Hotmail,
JScript, Microsoft Press, MSDN, PowerPoint, Visual Basic, Visual C++, Visual Studio, and
Windows Media are either registered trademarks or trademarks of Microsoft Corporation in the
United States and/or other countries.
The names of actual companies and products mentioned herein may be the trademarks of their
respective owners.
Module 1: Introduction to Web Security
Instructor Notes
Presentation: 75 minutes
Lab: 00 minutes
This module provides students with an overview of the terms and concepts of, along with the justification for, Web security. This explanation includes an introduction of the STRIDE model, which can be used to categorize threats to Web applications. This module also provides an overview of the technologies and best practices that can be used to build a secure solution for Web applications. After completing this module, students will be able to define the basic principles of, and motivations for, Web security.
After completing this module, students will be able to:
• Describe why it is essential to consider security during Web application development.
• Explain the STRIDE model.
• Identify the technologies and best practices that can be used to build a secure environment for running Web applications.
Required materials
To teach this module, you need Microsoft® PowerPoint® file 2300A_01.ppt.

Preparation tasks
To prepare for this module:
• Read all of the materials for this module.
• Complete the practices.
• Read Module 11, “Configuring Internet Access for a Network,” in Course 2153, Implementing a Microsoft Windows 2000 Network Infrastructure.
• Read the TechNet article, “Secure Internet Information Services 5 Checklist,” which is available at />security/tools/iis5chk.asp.
• Read the available information about current worms and viruses, which is available on the />default.asp Web site.
• Read about the current security issues on the Web site.
• For information about the monetary loss incurred by companies from viruses, search the Internet for “cost virus.”
• Read Hacking Exposed Windows 2000: Network Security Secrets & Solutions by Joel Scambray and Stuart McClure (New York, Osborne/McGraw-Hill), 2001.
How to Teach This Module
This section contains information that will help you to teach this module.
Lesson: Why Build Secure Web Applications?
This section describes the instructional methods for teaching each topic in this
lesson.
Why Is Security So Important?
Begin the lesson with a story about a recent security scare or virus.
You can learn about current worms and viruses at />technet/security/virus/default.asp.
You can also receive recent virus information at ,
which is a mailing list for the discussion of security exploits.
To find information about the cost of not securing a Web application and being
attacked, search the Internet for “cost virus.” According to many articles,
billions of dollars were lost in 2001.
Here are some virus examples from 2002:
• DoubleTap virus
  A Microsoft SQL Server™ virus was found on May 20, 2002. The virus, named DoubleTap or Spida.a.worm, targets SQL Server Web sites that have the system administrator account, sa, set to blank. The virus, written in JavaScript, adds the guest account to the administrator group and then changes the password of the administrator. Finally, this virus sends the server’s password list to an e-mail address on a central service.
• Benjamin virus
  A virus known as Benjamin, found in May 2002, propagates through the KaZaa music file swapping service. The virus masquerades as popular songs, videos, and games. Upon infecting a computer, Benjamin creates a new directory, opens that directory to the KaZaa network, and then tries to entice others to download it. The virus is interesting because its author apparently hoped to make money from its propagation. Infected computers are instructed to visit a Web page that is clearly designed to register advertising hits.
• Code Red Internet Information Services (IIS) worm
  A malicious piece of code, operating as a computer worm, exploits unpatched IIS servers on the Internet. This worm, called Code Red, exploits a security vulnerability in the Microsoft Windows NT® version 4.0 and Microsoft Windows® 2000 Index Services, and may result in one of several outcomes, including Web site defacement and installation of Denial of Service (DoS) tools. The defaced Web page may contain the words “Hacked by Chinese!” and a link to , whereas the DDoS code appears to prepare the system to launch an attack against www.whitehouse.gov. Upon compromising the system, the worm attempts to propagate itself to other unpatched IIS systems on the Internet.
  A patch for this vulnerability was released on June 18th, 2001, and it is discussed in Microsoft Security Bulletin MS01-033.
• Nimda worm
  The official name of the worm is W32/Nimda@MM, but it is generally referred to as the “Nimda” worm. This virus attempts to spread through three different means:
  • E-mail. Infected computers attempt to spread the infection to other users by sending copies of the worm through e-mail.
  • Web servers. Infected computers attempt to pass the infection to Web servers by either locating an already compromised server, or by exploiting a known security vulnerability in IIS. After it is infected, a Web server will attempt to infect the computers of any users that visit it.
  • File shares. Infected computers will search for computers that have been configured to allow anyone to add files to these computers and, upon finding such a computer, will insert infected files onto it.
• VBS/Loveletter virus
  The VBS/Loveletter virus circulates through e-mail. If run, the virus attempts to overwrite .jpg, .mp3, and other file types, and to send a copy of itself to everyone in the recipient’s address book. The e-mail message that contains the virus typically carries a subject line of “ILOVEYOU.” Inside the e-mail message is a short text message that says “Kindly check the attached LOVELETTER coming from me” and an attachment named LOVE-LETTER-FOR-YOU.txt.vbs. The attachment is the virus payload. It is important to note that the virus payload cannot run by itself. For the payload to run, the recipient must open the e-mail message, launch the payload by double-clicking it, and click Yes in a dialog box that warns of the dangers of running untrusted programs.
Challenges Involved in Implementing Security
This topic discusses some of the challenges that businesses face when
implementing security. One of the major issues is that security is often
considered only after the Web application is complete, instead of during the
initial design process. Relegating security to an afterthought often makes Web
applications more costly to develop and less secure.
Threats to Web-Accessible Assets
Define the term threat and then discuss the different types of Web-accessible
assets: tangible and intangible.
Who Are Attackers?
Note that attackers do not always come from outside the organization. Attackers
are sometimes internal to the organization and can take the form of either
ignorant or disgruntled employees. Discuss the different skill levels of novice,
intermediate, and advanced attackers.
What Are Attacks?
Discuss attacker motivation, justification, and opportunity.
Common Types of Attacks
Ask students to think of examples of each type of attack. Students may have
heard about attacks in the news or through a security bulletin, or they may have
experienced attacks at their own organizations.
How Do Attacks Occur?
If you have an Internet connection in the classroom, you can go to the MSNBC
Web site and run the interactive video that demonstrates how a “honey pot” was
used to watch an attacker hacking into a system. Go to />news/437641.asp and click //HACK.
You can learn more about the HoneyNet project at the
Web site.
Common Types of Vulnerabilities
Note that students will learn how to address only a few of these vulnerabilities
during class. Solutions for some vulnerabilities are discussed in the topic “Best
Practices in Building Secure Web Applications,” which appears later in this
module.
Lesson: Using the STRIDE Model to Determine Threats
This lesson provides an overview of the STRIDE model. Define each category
of threat and provide examples of each category:
• Spoofing identity: If Basic authentication is used in IIS without requiring Secure Sockets Layer (SSL), the user name and password of an authenticated user are sent in clear text over the Internet. If an attacker obtains the user name and password, the attacker can pose as the authenticated user and access the system.
• Tampering with data: The “loveletter” virus changes all .jpg files into copies of itself.
• Repudiability: Attackers often delete event logs after they attack a system so that there is no record of the attackers accessing the system.
• Information disclosure: IIS version 4.0 had a weakness that allowed Uniform Resource Locators (URLs) ending in special characters (a trailing "." or a trailing "::$DATA") to return the script source of Active Server Pages (ASP).
• Denial of Service: The Code Red virus attacked unpatched IIS Web servers and installed Denial of Service tools.
• Elevation of privilege: The DoubleTap SQL Server virus adds the guest account to the Administrator group and then changes the password of the administrator. By doing this, attackers can log on as a guest and have the access privileges of the Administrators group.

Practice: Identifying Threats Using STRIDE
This practice provides an opportunity for students to apply the STRIDE model to some common scenarios. The scenarios are actual vulnerabilities that were found in earlier versions of IIS.
Students will learn more about the STRIDE model in the context of designing secure Web applications and will apply this model to the design of the lab solution in Module 2, “Planning for Web Application Security,” in Course 2300, Developing Secure Web Applications.
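As an added example (not part of the course materials), the following Python script inspects a raw HTTP request for two of the STRIDE scenarios listed above from the defender's side: Basic authentication credentials carried over a non-SSL connection (spoofing identity) and a request path ending in a trailing "." or "::$DATA" (the IIS 4.0 ASP source-disclosure case under information disclosure). It goes slightly beyond the text by also catching a percent-encoded trailing dot; the request text, host name, credentials, and the over_ssl flag are constructed assumptions.

```python
"""Flag two of the STRIDE scenarios above in a raw HTTP request.

Added example, not part of the course materials. It detects (1) Basic
authentication credentials sent without SSL (spoofing identity) and
(2) request paths ending in "." or "::$DATA" (the IIS 4.0 ASP source
disclosure case). Whether the connection used SSL is passed in as a
flag, because the request text alone does not say.
"""
import base64
import binascii
from urllib.parse import unquote


def parse_request(raw: str):
    """Split a raw HTTP/1.x request into (method, target, headers)."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return method, target, headers


def basic_auth_user(headers):
    """Return the user name from a Basic Authorization header, or None.

    Only the user name is reported: the point is to detect the exposure,
    so the password is decoded and discarded, never logged.
    """
    scheme, _, blob = headers.get("authorization", "").partition(" ")
    if scheme.lower() != "basic" or not blob:
        return None
    try:
        decoded = base64.b64decode(blob, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None  # malformed header, not a Basic credential
    user, _, _password = decoded.partition(":")
    return user or None


def path_has_source_disclosure_suffix(target: str) -> bool:
    """True if the path (query removed, percent-decoded) ends in a trailing
    "." or the "::$DATA" alternate data stream suffix, case-insensitively."""
    path = unquote(target.split("?", 1)[0]).lower()
    return path.endswith(".") or path.endswith("::$data")


def stride_findings(raw_request: str, over_ssl: bool):
    """Return a list of (STRIDE category, detail) tuples for one request."""
    _method, target, headers = parse_request(raw_request)
    findings = []
    user = basic_auth_user(headers)
    if user is not None and not over_ssl:
        findings.append(("Spoofing identity",
                         f"Basic credentials for '{user}' sent without SSL"))
    if path_has_source_disclosure_suffix(target):
        findings.append(("Information disclosure",
                         f"request path '{target}' may return script source"))
    return findings


# Constructed sample request: host name and credentials are made up.
# "YWxpY2U6c2VjcmV0" is base64 for "alice:secret".
SAMPLE_REQUEST = (
    "GET /orders/report.asp::$DATA HTTP/1.0\r\n"
    "Host: www.contoso.example\r\n"
    "Authorization: Basic YWxpY2U6c2VjcmV0\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for category, detail in stride_findings(SAMPLE_REQUEST, over_ssl=False):
        print(f"{category}: {detail}")
```

Running the same request with over_ssl=True leaves only the information-disclosure finding, which is the point of the practice: the transport fixes spoofing, but the URL handling weakness is a separate threat.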
Lesson: Implementing Security: An Overview
Security Technology Overview
This topic introduces the technologies that support the various security
technology fields: authentication, authorization, auditing, privacy, integrity, and
nonrepudiation. Students will learn more about these technologies throughout
Course 2300, Developing Secure Web Applications.
Best Practices in Building Secure Web Applications
In addition to the coding best practices that the students will learn about in
class, there are also best practices that typically fall under the Information
Technology (IT) Professional job category. The purpose of this topic is to
identify a few IT Professional best practices that can be employed immediately
to increase the security of existing Web applications.
Enabling Logging
Another best practice that the students should be aware of is event logging and auditing. These tools provide defense against repudiation threats.
Practice: Securing the IIS Default Installation
In this practice, students will make their default installation of IIS more secure
by disabling some unneeded subcomponents.
Customization Information
This section identifies the lab setup requirements for a module and the
configuration changes that occur on student computers during the labs. This
information is provided to assist you in replicating or customizing Microsoft
Official Curriculum (MOC) courseware.
There are no labs in this module, and as a result, there are no lab setup
requirements or configuration changes that affect replication or customization.
Overview
• Why Build Secure Web Applications?
• Using the STRIDE Model to Determine Threats
• Implementing Security: An Overview
Introduction
This module provides an overview of the terms and concepts of, along with the
justification for, Web security. This information forms the basis for the
presentation of Web security, which will be expanded upon throughout the rest
of Course 2300, Developing Secure Web Applications.
This module also provides an overview of the technologies and best practices
that can be used to build a secure solution for Web applications. This overview
of technologies and best practices is the foundation for further discussions
throughout the rest of Course 2300, Developing Secure Web Applications.
Objectives
After completing this module, you will be able to:
• Describe why it is essential to consider security during Web application development.
• Explain the STRIDE model.
• Identify the technologies and best practices that can be used to build a secure environment for Web applications.
Lesson: Why Build Secure Web Applications?
• Why Is Security So Important?
• Challenges Involved in Implementing Security
• Threats to Web-Accessible Assets
• Who Are Attackers?
• What Are Attacks?
• Common Types of Attacks
• How Do Attacks Occur?
• Common Types of Vulnerabilities
Introduction
This lesson defines the term security as it applies to Web-accessible assets.
Security can be separated into several categories, and each will be defined and
explained in this lesson. This lesson also presents the concepts of
vulnerabilities, threats, and attacks, and explains how these concepts interrelate.
Finally, you will learn why security is so important by looking at some of the
reasons that motivate attackers to attack a Web application, and the
corresponding consequences of inadequate Web application security.
Lesson objectives
After completing this lesson, you will be able to:
• Describe the importance of securing a Web application.
• Identify the challenges that are involved in implementing Web application security.
• Describe some of the motivations for attacker intrusion and the consequences of inadequate Web security.
• Define the terms threat, attack, and vulnerability, and explain the interrelationship among them.
Why Is Security So Important?
• E-mail viruses, financial fraud, network sabotage, and other security intrusions result in:
  • Stolen intellectual property
  • System downtime
  • Lost productivity
  • Damage to business reputation
  • Lost consumer confidence
  • Severe financial losses due to lost revenue
Introduction
Although the Internet makes remarkable things possible, such as e-commerce,
information sharing, and business productivity, it is also a very hostile
environment for businesses. The vast majority of business-related Web sites
have become victims at some point to damaging security breaches, such as
e-mail viruses, financial fraud, network sabotage, and more.
Even as the amount of money that is spent on securing corporate networks
increases, so do the losses that are accrued by businesses in terms of stolen
intellectual property, system downtime, lost productivity, damage to reputation,
and lost consumer confidence.
If a business has an Internet presence, with either a business-to-business or
business-to-consumer e-commerce Web site, the business is twice as likely to
have its Web servers attacked as businesses that do not participate in
e-commerce.
It is possible, however, to defend your business’s Web application in this
hostile environment by adding the appropriate authentication and authorization
schemes, ensuring data integrity with encryption, and performing data
validation.
Challenges Involved in Implementing Security
Challenge: Attackers vs. Defenders
• Attacker needs to understand one vulnerability; defender needs to secure all entry points
• Attackers outnumber defenders
• Attackers have unlimited time
Challenge: Security vs. Usability
• Secure systems become harder to use
• Complex and strong passwords are difficult to remember
• Users prefer simple passwords
Challenge: Security As An Afterthought (“Do I need security…”)
• Developers and management think that security does not add any business value
• Managers do not build time for security implementation into schedule
Introduction
It is likely that all Web applications would be secure if implementing security were easy for businesses. Implementing security does not apply only to Web applications, but to the entire system on which the Web application runs. The system includes all of the components that work together to complete user requests for the Web application, including Microsoft® Windows® 2000, Internet Information Services (IIS), Microsoft SQL Server™, and COM+ components. Implementing security into this system involves several challenges, such as the following:
• Attackers vs. defenders: An attacker needs to find only one weak point to enter the system; correspondingly, a defender needs to make sure that all possible entry points are defended.
• Usability vs. security: The usability of a system is inversely proportional to its security.
• Security as an afterthought: Security is often added to a Web application as an afterthought, after the Web application development is complete.

Attackers vs. defenders
You can secure your system by employing several security mechanisms, such as firewalls, proxies, secure channels, and authentication schemes. However, all it takes for a security breach is for an attacker to find one weak point to access your system. Securing all of the possible entry points to the system makes security a complex proposition. Securing your system requires you to keep abreast of the environment, risks, business drivers, and the state-of-the-art security attacks that may affect your system. Failure to have this security-related knowledge will render your Web applications vulnerable to attack.
Usability vs. security
As a system becomes more secure, it also becomes harder to use. The common example of ease-of-use versus security is the use of passwords. If you force users to use complex passwords, such as T^1Qam-Za9, they tend to write them down to remember them. A simple password, although easy to remember, is also easy to guess, and therefore, it is completely insecure.
Balancing usability and security is difficult, but a compromise enables you to satisfy your business requirements.

Security as an afterthought
Security is often an afterthought in Web application development because developers and management usually consider it as a technology that adds no business value. Adding security after the Web application development is completed makes security solutions even more difficult to create. Most developers know that adding a component to an existing technology is far more difficult than designing it into the system during the early stages of design and development.
Threats to Web-Accessible Assets
• A threat is a possibility that poses danger to business assets, such as sales data or account information
• Tangible assets
  • Money, source code, data, business plan, and ideas
• Intangible assets
  • Identity, privacy, reputation, and name
Introduction
A threat is a possibility that poses danger to business assets, such as privacy or data integrity. An example of a threat is the possibility that an unauthorized person might get access to confidential company data or maliciously adjust account details. All threats are determined in relation to business risk. The greater the risk—that is, the greater the impact on the business should the threat be realized—the greater the threat. High-risk outcomes from threats that have been realized include public embarrassment, loss of credibility or good will, death or injury, and loss of money.

Business assets
Every business has assets, such as money, business plans, source code, ideas, and reputation, which it wants to protect against attacks. Some assets are tangible and have a monetary value. Other assets are intangible, but are still valuable, such as an organization’s reputation. Business assets are more prone to attack when businesses partake in e-business. Securing a Web application involves protecting the tangible and intangible assets from attackers:
• Tangible assets
  Tangible assets have a monetary value associated with them, and therefore, these assets should be protected from any type of attack. Tangible assets include money (actual or electronic), source code, data, business plans, and ideas.
• Intangible assets
  It is easy to understand the need for protecting the tangible assets, because you can measure their worth. Although it is difficult to place a value on intangible assets, certain intangible assets, such as the reputation associated with your organization, are equally important to protect. Intangible assets include identity, privacy, reputation, and name.
Who Are Attackers?
[Slide diagram: an external attacker reaching corporate headquarters over the Internet, and an internal attacker inside corporate headquarters.]
Characteristics of attackers, by ability:
Novice
• Possesses little programming experience
• Uses automated tools that are made by others
Intermediate
• Possesses significant programming skills
• Automates tools that are created by others
Advanced
• Is an expert programmer
• Develops tools that others use to attack networks
Introduction
Attacks on Web applications and networks can come from both nonemployees and employees. Security threats posed by humans can be broadly divided into the following two categories:
• Internal attackers
• External attackers

Internal attackers
Internal threats consist of possible attacks by employees or former employees. Employees are the people who are most familiar with an organization’s network and applications, and they are also the people who are most likely to know what actions might cause the most damage. Internal threats are posed by two kinds of employees:
• Malicious employees
  Malicious employees are those who are disgruntled with the organization and want to cause harm to it. Attacks by such employees are often the most dangerous because these employees know many of the codes and security measures that are in place to protect the assets. Such employees are likely to have specific goals and objectives for attack, and they also have legitimate access to the system. Some of the possible attacks caused by malicious employees can include:
  • Planting viruses, Trojan horses, or worms.
  • Accessing and revealing confidential information.
  • Causing the system to overload or crash.
• Nonmalicious employees
  Nonmalicious threats usually come from employees who are unaware of the security threats and vulnerabilities. These employees are authorized users who are not aware of the consequences of the actions that they are performing. Errors and omissions can cause valuable data to be lost, damaged, or altered. Often, users, data entry clerks, system operators, and programmers make unintentional errors that contribute to security problems, directly or indirectly. Sometimes the error is a threat, such as a data entry error or a programming error that crashes the system.
External attackers
External threats are caused by outsiders who want to acquire information to cause harm to the organization. Often, such outsiders are known as hackers or crackers. Hackers or crackers are people who illegally gain access to systems for which they have no authorization. The methods that are used for gaining access to a system include the following:
• Password cracking
  Password cracking is running an application that tries all password combinations to guess a user's password.
• Network spoofing
  Network spoofing is intercepting network packets between an authorized user and the organization, and then copying these packets in order to obtain access to the organization in the same way.
• Exploiting known security weaknesses
  As hackers and security consultants find bugs in operating system and application software, they publish the security hole. If an organization is not quick about applying patches, other hackers can discover the software that is running and exploit known bugs.
Types of attackers
In general, there are three types of attackers: novice attackers, intermediate attackers, and advanced attackers. Each of these attackers presents a unique challenge to Web application security:
• Novice attackers
  Novice attackers, also frequently called script kiddies, do not possess significant programming skills. These attackers generally use the tools and exploits that are developed by more experienced and skilled attackers. Novice attackers present a significant danger to Web applications because they are large in number. Most of the attacks that are originated by novice attackers are not meant to cause harm to businesses, but for the attacker to merely have fun.
• Intermediate attackers
  Intermediate attackers possess more programming skills than novice attackers, but to a certain extent, these attackers still depend on the tools and exploits that are developed by more experienced attackers. Intermediate attackers often automate tools and exploits to replicate the attacks that are developed by experienced attackers. Intermediate attackers present a significant danger to Web applications because they often plan attacks to raise their skill level or status in attacker communities.
• Advanced attackers
  Advanced attackers are fewer in number than intermediate and novice attackers. However, advanced attackers possess significant programming skills with both high-level languages, such as Perl, and lower-level languages, such as C, C++, and Assembler. Advanced attackers generally make their livelihood in developing attacks or as security consultants. Advanced attackers present a significant danger to network security because of their expertise, resources, and skills.
What Are Attacks?
• A threat that is brought to fruition through the exploitation of a vulnerability
• To instigate an attack, the attacker must have motive, justification, and opportunity
  • Revenge
  • Espionage
  • Publicity
  • Monetary gain
  • Exposure of vulnerabilities
  • Personal satisfaction
Introduction
An attack is a threat that is brought to fruition through the exploitation of a vulnerability (or vulnerabilities) in the system.

What instigates an attack?
For an attack to take place, the following must occur:
• The attacker must have a motive.
  For example, an attacker might attack your business’s Web application because he or she dislikes your stance on trade policy. Other attack motivations include revenge, espionage, publicity, monetary gain, exposure of vulnerabilities, and personal satisfaction.
• The attacker must be able to justify the attack.
  For example, an attacker might believe that by attacking your Web application with antitrade policy graffiti, he or she will heighten awareness, among the public, of your policies. The justification might also be as simple as “because I can” in the case of script kiddies.
• An opportunity must arise.
  For example, an attacker finds a weakness in the system by which he or she can attack your Web application. When a server is on the Internet, the opportunity for attack is 24 hours a day; therefore, the risk is vulnerability based, rather than time based.
Common Types of Attacks
[Slide graphic summarizing the attack types: Organizational attacks (acquire confidential information to gain a business or competitive advantage); Social engineering (bypasses technology to gain access); Automated attacks (uses software to gain access); Accidental breaches in security (improper permissions can result in access to restricted data); Viruses, Trojan horses, and worms (harmful code, malicious self-replicating programs); Denial of Service (DoS) (blocks access to services).]
Introduction
Attacks can range from nontechnological attacks to technological attacks:
• Nontechnological attacks use deception to gain access to a network and include social engineering or attacks from another organization.
• Technological attacks include denial of service (DoS) attacks, automated computer attacks, viruses, worms, Trojan horses, and accidental breaches in security.
Organizational attacks
Organizational attacks include attacks by a competitor to acquire confidential information to gain a business or competitive advantage.

Social engineering
Social engineering is a common form of password cracking and it can be used by both outsiders and by people within an organization. Social engineering is an attacker term for deceiving people into revealing their password or some form of security information. For example, an attacker can pose as a support engineer, call a company employee, and ask for the employee’s password. A trusting employee might disclose a password, thereby allowing an attacker to access an organization’s resources.

Automated attacks
Automated attacks come from scripts that are launched at network computers that have known vulnerabilities. The scripts can install viruses that automatically propagate themselves when they are launched.

Denial of service (DoS) attacks
A DoS attack exploits the need to have a service available. DoS attacks are a growing trend on the Internet because Web applications, in general, are accessible to the public, and therefore, they are vulnerable to attack. People can easily overload the Web server with communication to keep it busy. Therefore, companies that are connected to the Internet should be prepared for DoS attacks.
Viruses
Attackers can also develop harmful code that is known as a virus. A virus is a
program that searches out other programs and infects them by embedding a
copy of itself into the programs, so that they become Trojan horses. When these
programs are executed, the embedded virus is executed too, thus propagating
the infection. This infection normally happens invisibly to the user. A virus
cannot infect other computers without assistance.
Using hacking techniques, attackers can break into systems and install a virus.
Viruses, in general, are a threat to any computer environment. Viruses can
cause different types of damage—such as deleting files or consuming hard disk
space—to a system, and they can be spread through e-mail and disks.
Trojan horses
Trojan horses are malicious software programs or software code that is hidden
inside what looks like a normal program. When a user runs the normal program,
the hidden code also runs. The hidden code then starts deleting files and causing
other damage to the system. Trojan horses are normally spread by e-mail
attachments. For example, the Melissa virus that caused DoS attacks throughout
the Information Technology (IT) world in 1999 was a type of Trojan horse
attack.
Worms
Worms are programs that run independently from other applications and move
from computer to computer across network connections. Worms may have
portions of themselves running on many different computers. Worms
themselves do not change other programs, although they may carry additional
code that does.
Accidental breaches in security
If a system administrator configures a network computer with improper
permissions or weak passwords, an accidental breach in security can occur, and
attackers can then gain access to restricted data. To assist attackers, there are
software programs that are available that can crack a weak password in a short
amount of time.
How Do Attacks Occur?
[Slide graphic: an attacker outside Corporate Headquarters, with the five stages of attack numbered 1 through 5.]
Examples of attacker actions
1. Footprint: runs a port scan on the firewall
2. Penetration: exploits an unpatched Web server
3. Elevation of privilege: creates an account with administrator rights
4. Exploit: uploads unlicensed software to the Web server
5. Cover-up: erases the audit trail of the exploit
Introduction
Whereas some attacks are passive, meaning that information is monitored, other
attacks are active, meaning that the information is altered with the intent to
corrupt or destroy the data or the network itself. The important point in reacting
to these attacks is that you need to be aware of how these different types of
attack occur.
Stages of attack
Often, attacks occur in five stages. These stages of attack represent only
common stages in most attacks and are not necessarily followed in all attacks.
The five stages of attacks are:
1. Footprint
During this stage, an attacker gains as much information about the target
system as possible, including both technical and nontechnical information.
The attacker researches the target network by running automated scans on
open ports to detect any security weaknesses. The goal of this stage is to
gain as much information about a target as possible, including knowledge of
the operating system and the services that the target is running.
2. Penetration
During this stage, an attacker will use well-known techniques to penetrate
networks. Penetration of a network often happens when attackers discover a
known vulnerability in the network. For example, if an attacker finds out
about a service running on an unpatched Web server, he or she will use a
known exploit to gain control of the server.
3. Elevation of privilege
During this stage, an attacker gains privileged access and thereby has
sufficient access to compromise or destroy the entire system. For example,
the attacker creates an account with administrator access privileges and logs
on to the Web server or database server by using that account.
4. Exploit
During this stage, after an attacker gains entry into the system, the attacker
can start exploiting his or her privileged access. For example, the attacker
can place packaged software titles on the server for other nonprivileged users
to download and use without purchasing licenses for the software.
5. Cover-up
During this stage, the attacker attempts to remove all traces of the attack.
For example, the attacker removes the audit trail that was created by the
intrusion.
Note For more information on how attacks occur, see the HoneyNet Project
Web site at .
Common Types of Vulnerabilities

Vulnerability                  Examples
Weak passwords                 - Employees use blank or default passwords
Unpatched software             - Patches are not updated
                               - Security hotfixes are not applied
Misconfigured software         - Services have more privileges than required
                                 (for example, services run as the Local System account)
Social engineering             - Help desk administrator resets a password without
                                 verifying the identity of the caller
Weak security on Internet      - Unused services and ports are not secured
connections                    - Firewalls are used improperly
Unencrypted data transfer      - Authentication packets are sent in clear text
                               - Important data is sent over the Internet in clear text
Buffer overrun                 - A trusted process runs untrusted code
Introduction
A malicious attacker uses various methods to exploit system vulnerabilities to
achieve his or her goal. Vulnerabilities are weak points or loopholes in security
that an attacker exploits to gain access to an organization’s network or to
resources on the network. Some of the vulnerabilities that are covered in this
topic include weak passwords, unpatched software, misconfigured software,
social engineering, weak security on Internet connections, and unencrypted data
transfer.
Weak passwords
Users often choose passwords that are easy to remember—for example,
anything from their birthdays to the names of loved ones. However, these weak
passwords create a vulnerability, because they give attackers a good chance to
guess the correct password.
A password, which is much sought-after by attackers, is a key to a computer. A
weak password may give an attacker access not only to a computer, but to the
entire network to which the computer is connected.
Unpatched software
Some common vulnerabilities come from unpatched software, where users of
software do not keep their software updated with the latest patches, service
packs, and hotfixes. A failure by users to install the patches makes the software
vulnerable to attack. Without the latest patches and hotfixes, attackers can take
advantage of the weak features or security holes in the software to access
application resources or to cause harm to the system.
Misconfigured software
Often, the way software is configured makes the system vulnerable. If services
are configured to use the Local System account or are given more permissions than
required, attackers can exploit the services to gain access to the system and
perform malicious actions on the system.
Social engineering
Social engineering is a common form of cracking a password. Mostly, it occurs
because users are not aware of the security issues and can be deceived easily to
reveal their passwords. An example of social engineering is that a help desk
administrator resets a password without verifying the identity of a caller.
Weak security on Internet connections
The default installation of IIS often enables more services and ports than are
necessary for operation. These additional services and ports provide more
opportunities for potential attacks.
Often, users will use modems not just to access the Internet, but also to connect
to their corporate network. The problem with a modem connection is that a
modem is a means of bypassing the firewall that protects the network from
outside intruders. If an attacker, by using a password-cracking tool, identifies
the modem telephone number and password, the attacker can connect to any
computer on the network.
Unencrypted data transfer
Most Web applications accept user input, process the user request based on the
input, and then return the response to the user. If the data is sent to the Web
server and back to the user in clear text, there is a possibility that the data can
be altered, during transmission, by an attacker. If the data contains
authentication information or any other sensitive information, such as
confidential sales numbers, and it is sent without encryption, an attacker can
easily access that information and use it to perform malicious actions on the
Web application or the organization.
Buffer overrun
A buffer overrun occurs when a buffer declared on the stack is overwritten by
copying data into it that is larger than the buffer. The return address for the
function gets overwritten by an address contained in the copied data, one
chosen by the attacker. This can result in running the attacker’s code in the
context of the program. Buffer overruns can occur when compiled code does
not check the size of data being copied onto the stack.
Note Buffer overrun errors have been found in IIS versions 4.0 and 5.0, and
have been patched. To learn more about known buffer overrun vulnerabilities,
search the Microsoft Knowledge Base for “buffer security bulletin” at
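An added example, not from the course material, that contrasts the unchecked copy the paragraph describes with a checked version that refuses input larger than the destination; the buffer size, function names and sample inputs are constructed for illustration:

```c
#include <stdio.h>
#include <string.h>

#define NAME_BUF 16   /* fixed-size stack buffer, size chosen for illustration */

/* Unchecked pattern: the copy length is whatever the caller supplies.
 * Input longer than NAME_BUF - 1 bytes makes strcpy write past the end of
 * `name`, over whatever the compiler placed above it on the stack (saved
 * registers, the return address). Shown only to contrast with the checked
 * version below; never call it with untrusted input. */
void greet_unchecked(const char *input)
{
    char name[NAME_BUF];
    strcpy(name, input);            /* no size check: this is the defect */
    printf("Hello, %s\n", name);
}

/* Checked pattern: the size of the destination is the limit, not the size
 * of the source. Returns 0 on success and -1 when the input does not fit,
 * so the caller can reject the request instead of corrupting the stack. */
int greet_checked(const char *input)
{
    char name[NAME_BUF];
    size_t len = strlen(input);

    if (len >= sizeof name)         /* must leave room for the terminating NUL */
        return -1;                  /* oversized input rejected, nothing copied */
    memcpy(name, input, len + 1);   /* bounded copy; length verified above */
    printf("Hello, %s\n", name);
    return 0;
}

/* Largest input greet_checked accepts (15 bytes with NAME_BUF == 16). */
size_t greet_max_input(void)
{
    return NAME_BUF - 1;
}

int main(void)
{
    /* Constructed inputs: one that fits and one that is far too long. */
    const char *ok = "Alice";
    const char *too_long = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";  /* 40 bytes */

    printf("short input: %s\n", greet_checked(ok) == 0 ? "accepted" : "rejected");
    printf("long input:  %s\n", greet_checked(too_long) == 0 ? "accepted" : "rejected");
    return 0;
}
```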
Lesson: Using the STRIDE Model to Determine Threats
S - Spoofing identity
T - Tampering with data (integrity)
R - Repudiability
I - Information disclosure
D - Denial of Service
E - Elevation of Privilege
Introduction
To conduct a thorough risk assessment that reflects your organization’s
business requirements and enables you to deploy secure Web applications, you
must understand the categories of threats. You can use the STRIDE model to
categorize and prioritize the threats that exist in your organization’s
environment. The STRIDE model, which was developed by Microsoft, is a
comprehensive taxonomy that includes categories that are applicable to the
current era of Internet Web application development.
Lesson objectives
After completing this lesson, you will be able to:
- Describe spoofing identity threats.
- Describe data integrity threats.
- Describe repudiation threats.
- Describe information disclosure threats.
- Describe denial of service threats.
- Describe elevation of privilege threats.