
Security Strategies in Windows Platforms and Applications

Lesson 12

Microsoft Application Security

© 2021 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

Cover image © Sharpshot/Dreamstime.com


Learning Objective(s)

Describe threats to Microsoft Windows and applications.

Describe techniques for protecting Windows application software.


Key Concepts

Principles of Microsoft application security

Procedures for securing Microsoft client applications

Procedures for securing Microsoft server applications


Principles of Microsoft Application Security

Application security

Covers all activities related to securing application software throughout its lifetime

Application software

Any computer software that allows users to perform specific tasks

Examples: sending and receiving email, browsing the web, creating a document or spreadsheet


Principles of Microsoft Application Security (Cont.)

Ensuring application software security includes ensuring security during:

Design

Development

Testing

Deployment

Maintenance

Retirement

Protects the confidentiality, integrity, and availability (C-I-A) of data


Client Application Software Attacks


Malformed input: inputs that the application doesn't expect, or inputs that can cause unexpected results

Privilege escalation: adds more authority to the current session than the process should possess

Denial of service (DoS): slows or crashes applications

Identity spoofing: assuming another user's identity

Direct file or resource access: exploits holes in access controls

Extra-application data access: accesses the application's data outside the application

Application Hardening Process


Minimal install: Install the application using only the options and features you plan to use.

Unneeded accounts and files: After installing the application, remove any default user accounts and sample data, along with any unneeded files and features.

Least privilege: Configure the application according to the principle of least privilege.

Security patches: Ensure your application has all of the latest available security patches applied.

Monitoring: Monitor application performance to verify that your application adheres to security policy.

Securing Key Microsoft Client Applications


Web browser: Internet Explorer

Email client: Outlook

Productivity software: Microsoft Office

File transfer software: File Transfer Protocol (FTP) over TCP/IP

Application control: AppLocker, Software Restriction Policies (SRP), and Group Policy

Web Browser

Web browser attacks:

Infect with malware

Intercept communication

Harvest stored data


Web browser–This program allows users to access World Wide Web resources. Some application software has embedded web browser capability, but stand-alone web browsers are by far the most common. Popular web browsers are:

Microsoft Internet Explorer

Mozilla Firefox

Google Chrome

Apple Safari

Opera


Web Browser

Set Internet zone security level to High

Add specific, trusted sites to Trusted Sites list

Configure the cookie setting to prompt for first-party and third-party cookies

Disable third-party browser extensions

Enable show encoded addresses setting

Disable playing of sounds in web pages


Internet Options Dialog Box in Internet Explorer 11


Email Client

Limit malicious code that may be attached to email messages

Install anti-malware software on each computer

Will scan all incoming and outgoing messages for malware

Safeguard message privacy by requiring use of Secure Sockets Layer/Transport Layer Security (SSL/TLS) when connecting to your mail server to ensure message exchanges are encrypted


Email client–This program allows clients to send and receive email. Depending on the type of mail server connection and protocol used, the email client may store email locally on the client. Microsoft Outlook is an example of an email client.


Productivity Software

Install anti-malware software that integrates with productivity software

Use EFS or BitLocker to encrypt folder or drive that contains productivity software documents and databases

Never open a file unless the source is trusted

Ensure productivity software has the latest security patches installed


Productivity software–Software that supports many office functions. Most workstations allow users to perform some administrative or creative functions, and productivity software supports these efforts. Productivity software includes these functions:

Word processing-Microsoft Word

Spreadsheet-Microsoft Excel

Lightweight database-Microsoft Access

Presentation-Microsoft PowerPoint

Project scheduling/management-Microsoft Project

Publishing-Microsoft Publisher


File Transfer Software

File Transfer Protocol (FTP) is insecure

Use:

FTP over a Secure Shell (SSH)

Secure FTP (SFTP)

Virtual private network (VPN)


AppLocker

A feature in Windows that allows you to restrict program execution using Group Policy

Provides ability to whitelist applications

Define path rules, hash rules, and publisher rules using Group Policy to restrict which applications computers can run
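As an added example (not from the course deck), the following PowerShell builds the publisher and hash rules the slide mentions for one application folder and tests them before merging them into the local policy; the folder path is a placeholder, and the cmdlets assume the AppLocker module on Windows 10/11 or Windows Server, run from an elevated session.

```powershell
# Added example (not from the course deck): build an AppLocker allow-list for one
# application folder. Publisher rules are used where binaries are signed and hash
# rules where they are not, so a replaced or tampered binary stops matching.
# Assumes: elevated PowerShell with the AppLocker module; the folder path is a
# placeholder. Review the generated XML before deploying it anywhere.

$AppFolder = 'C:\Program Files\ExampleApp'          # placeholder, adjust for your environment
$PolicyXml = "$env:TEMP\ExampleApp-AppLocker.xml"

# 1. Collect signature (publisher) and hash information for the executables and DLLs.
$fileInfo = Get-AppLockerFileInformation -Directory $AppFolder -Recurse -FileType Exe, Dll

# 2. Generate rules. The -RuleType order is a preference list: Publisher first,
#    then Hash for unsigned files. Adding Path as a third entry would create
#    path rules as a final fallback, the weakest of the three rule kinds.
New-AppLockerPolicy -FileInformation $fileInfo `
    -RuleType Publisher, Hash `
    -User Everyone `
    -RuleNamePrefix 'ExampleApp' `
    -Optimize `
    -Xml | Out-File -FilePath $PolicyXml -Encoding unicode

# 3. Test before enforcing: every file in the folder should be Allowed. Anything
#    else reported here is a file the rules would not cover.
$testFiles = Get-ChildItem -Path $AppFolder -Recurse -Include *.exe, *.dll
Test-AppLockerPolicy -XmlPolicy $PolicyXml -Path $testFiles.FullName -User Everyone |
    Where-Object PolicyDecision -ne 'Allowed' |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# 4. Merge into the local policy (for a domain, target a GPO with -Ldap instead).
#    The generated XML leaves enforcement mode NotConfigured; before switching the
#    collection to Enforce, add the default rules for Windows and Program Files,
#    otherwise the operating system's own binaries are blocked.
Set-AppLockerPolicy -XmlPolicy $PolicyXml -Merge

# 5. Rules are only evaluated while the Application Identity service runs.
#    It is a protected service on current Windows, so configure it with sc.exe.
sc.exe config appidsvc start= auto | Out-Null
Start-Service -Name AppIDSvc
```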


Securing Client Applications


Update software to the latest patch

Remove or disable unneeded features

Use principle of least privilege

Use encrypted communication

Common Server Applications


Web server: Internet Information Services (IIS)

Email server: Exchange

Database server: Structured Query Language (SQL) Server

Common Server Applications (Cont.)


Enterprise Resource Planning (ERP) software

Line of Business (LoB) software, for example enterprise project management, workflow control, and service technician tracking and scheduling

Secure these applications with unique user accounts, strong authentication, restricted access, and encrypted connections

Securing Server Applications


Use server roles in Windows Server

Update software to the latest patch

Remove or disable unneeded services

Filter network traffic

Encrypt communication
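The steps on this slide and on the Application Hardening Process slide earlier (minimal install, unneeded features and services, least privilege, patches, filtered traffic, monitoring) can be checked with a read-only audit such as the added PowerShell below, which is not part of the course material; the service allow-list is a placeholder, and Get-WindowsFeature assumes the ServerManager module on Windows Server.

```powershell
# Added example (not from the course deck): a read-only hardening audit for a
# Windows Server application host. It reports installed roles, running services
# outside an allow-list, listening TCP ports, firewall profile state, and patch
# age. Nothing is changed; fix findings through Server Manager, Group Policy, or
# your security baseline. Assumes: elevated session on Windows Server; the
# allow-list below is a placeholder for the services your application needs.

$AllowedServices = @('wuauserv', 'W3SVC', 'WinRM', 'EventLog', 'Dnscache',
                     'LanmanServer', 'Schedule', 'Winmgmt')   # placeholder allow-list

function Get-InstalledRoles {
    # Roles present on the host; any role the application does not need is a removal candidate.
    Get-WindowsFeature | Where-Object { $_.Installed -and $_.FeatureType -eq 'Role' } |
        Select-Object Name, DisplayName
}

function Get-UnexpectedServices {
    # Running services that are not on the allow-list.
    Get-Service | Where-Object {
        $_.Status -eq 'Running' -and $AllowedServices -notcontains $_.Name
    } | Select-Object Name, DisplayName, StartType
}

function Get-ListeningPorts {
    # Every listening TCP socket with its owning process, to compare against firewall rules.
    Get-NetTCPConnection -State Listen | ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            LocalAddress = $_.LocalAddress
            Port         = $_.LocalPort
            Process      = $proc.ProcessName
        }
    } | Sort-Object Port -Unique
}

function Get-FirewallState {
    # All three profiles should be enabled with the inbound default action set to Block.
    Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction
}

function Get-PatchAge {
    # Days since the most recent hotfix was installed; a large value suggests missing patches.
    $latest = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending |
        Select-Object -First 1
    if ($latest) { (New-TimeSpan -Start $latest.InstalledOn -End (Get-Date)).Days } else { $null }
}

Write-Output '== Installed roles =='
Get-InstalledRoles | Format-Table -AutoSize
Write-Output '== Running services not on the allow-list =='
Get-UnexpectedServices | Format-Table -AutoSize
Write-Output '== Listening TCP ports =='
Get-ListeningPorts | Format-Table -AutoSize
Write-Output '== Firewall profiles =='
Get-FirewallState | Format-Table -AutoSize
Write-Output "== Days since last patch: $(Get-PatchAge) =="
```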

Add Roles Wizard, Windows Server


Add Roles Wizard for adding Web Server (IIS) role to Windows Server


Select Role Services, Windows Server


Select Role Services for adding Web Server (IIS) role to Windows Server


Cloud-Based Software

Microsoft cloud-based products: Microsoft Office 365, Microsoft Azure, and Microsoft OneDrive

Many issues related to securing applications are the same on-premises and in the cloud

To secure cloud applications:

Review options and settings, and configure software to run the way you need it to run

Harden software

Do not assume cloud-based software is secure by default


Best Practices for Securing Microsoft Windows Applications

Harden the operating system.

Install only necessary services.

Use server roles when possible.

Use the Security Compliance Toolkit (SCT) to adhere to Microsoft baseline guidelines.

Remove or disable unneeded services.

Remove or disable unused user accounts.

Remove extra application components.

Open only the minimum required ports at the firewall.

Define unique user accounts.

Use strong authentication.


Best Practices for Securing Microsoft Windows Applications (Cont.)

Use encrypted connections for all communication.

Encrypt files, folders, or volumes that contain private data.

Develop and maintain a BCP and DRP.

Disable any unneeded server features.

Ensure every computer has up-to-date anti-malware software and data.

Never open any content or files from untrusted sources.

Validate all input received at the server.

Audit failed logon and access attempts.

Conduct penetration tests to discover vulnerabilities.


Summary

Principles of Microsoft application security

Procedures for securing Microsoft client applications

Procedures for securing Microsoft server applications


Security Strategies in Windows Platforms and Applications

Lesson 13

Microsoft Windows Incident Handling and Management

© 2021 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com

All rights reserved.

Cover image © Sharpshot/Dreamstime.com


Learning Objective(s)

Perform incident handling by using appropriate methods.


Key Concepts

Windows incidents

Windows incident handling tools

Acquiring and managing evidence

Incident response plan


Handling Security Incidents Involving Microsoft Windows OS and Applications

Event

Any observable occurrence within a computer or network

Incident

Any event that:

Violates security policy

Poses an imminent threat to security policy


Securing resources involves defining which activities are appropriate and which are inappropriate, and ensuring that you allow only the appropriate ones. Any action that occurs within a computing environment is called an event. Any event that either violates security policy or poses an imminent threat to your security policy is called a security incident.

There are many types of security incidents, from minor to major incidents. An incident can be as simple as too many failed login attempts or as complex as coordinated attempts to compromise a database that contains confidential information. Examples of security incidents include but are not limited to:

Excessive bandwidth use caused by the compromise of a system

Commercial use of IT resources

Compromised computers

Copyright infringement

Digital harassment

IP spoofing

Intruder activity

Network attack or denial-of-service condition

Virus or Internet worm activity


Handling Security Incidents Involving Microsoft Windows OS and Applications

Examples of incidents

Virus or Internet worm activity

Internet protocol (IP) spoofing

Intruder activity

Network attack or denial of service (DoS) condition

The first step in responding to an incident is to recognize that an incident has occurred.


Handling Security Incidents Involving Microsoft Windows OS and Applications

To minimize number and impact of incidents:

Develop, maintain, and enforce a clear security policy that management supports and promotes.

Conduct routine vulnerability assessments to discover vulnerabilities that could lead to incidents.


Handling Security Incidents Involving Microsoft Windows OS and Applications

To minimize number and impact of incidents:

Ensure all computers and network devices have the latest available patches installed.

Train all computer system users on acceptable and unacceptable behavior.

Establish frequent and visible security awareness reminders.


Handling Security Incidents Involving Microsoft Windows OS and Applications

To minimize number and impact of incidents:

Enforce strong passwords throughout your environment.

Frequently monitor network traffic, system performance, and all available log files to identify any incidents or unusual events.
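The deck's own example of a minor incident is too many failed login attempts; as an added example that is not part of the course, this PowerShell reads event 4625 from the Security log and flags bursts of failures by source address and account, with the threshold and time window as placeholders to tune for your environment.

```powershell
# Added example (not from the course deck): review the Security log for the
# "too many failed logins" incident type. Reads event 4625 (an account failed to
# log on) for the last 24 hours, groups failures by source address and target
# account, and reports any pair at or above a threshold.
# Assumes: elevated session (Security log access) on a host with logon failure
# auditing enabled; threshold and window are placeholders.

$Threshold = 10
$Since     = (Get-Date).AddHours(-24)

function Get-FailedLogons {
    param([datetime]$StartTime)
    # 4625 carries account and source in EventData; read the XML rather than the
    # message text, which varies by locale.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $StartTime } `
        -ErrorAction SilentlyContinue |
    ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            Account   = "$($data.TargetDomainName)\$($data.TargetUserName)"
            SourceIp  = $data.IpAddress
            LogonType = $data.LogonType
            Status    = $data.Status       # 0xC000006D = bad user name or password
        }
    }
}

function Find-FailedLogonBursts {
    param([object[]]$Events, [int]$MinCount)
    # A high count from one source against one or many accounts is the pattern
    # worth escalating to the CSIRT as a possible password-guessing incident.
    $Events | Group-Object SourceIp, Account | Where-Object Count -ge $MinCount |
        ForEach-Object {
            $ordered = $_.Group | Sort-Object Time
            [pscustomobject]@{
                SourceIp = $_.Group[0].SourceIp
                Account  = $_.Group[0].Account
                Failures = $_.Count
                First    = $ordered[0].Time
                Last     = $ordered[-1].Time
            }
        } | Sort-Object Failures -Descending
}

$failed = @(Get-FailedLogons -StartTime $Since)
Write-Output "Failed logons since $Since : $($failed.Count)"
Find-FailedLogonBursts -Events $failed -MinCount $Threshold | Format-Table -AutoSize
```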


Handling Security Incidents Involving Microsoft Windows OS and Applications

To minimize number and impact of incidents:

Ensure you have a solid business continuity plan (BCP) and disaster recovery plan (DRP) that you test at least annually.

Create a computer security incident response team (CSIRT).


Formulating an Incident Response Plan


Plan

Computer Security Incident Response Team (CSIRT)

Plan for communication

Plan for security

Test plan

Revise procedures

Handling Incident Response


Preparation

Identification

Containment

Eradication

Recovery

Lessons learned

Sample Incident Reporting Form


All evidence you present in a court of law must exist in the same condition as it did when you collected it. Evidence cannot change at all once you collect it; it must be in pristine condition.

You’ll be required to prove to the court that the evidence did not change during the investigation. You’ll have to provide your own evidence that all collected evidence exists without changes as it did when it was collected.

The documentation that provides details of every move and access of evidence is called the chain of custody. The chain starts when you collect any piece of evidence.

Since you don’t know if you’ll have to present evidence in court, you should collect all evidence during an incident investigation as if you will take it to court. If you carefully preserve the chain of custody and do not go to court, you just have well-documented evidence. This type of information is great for analyzing incidents for the lessons learned step of incident response. On the other hand, if you are careless in the way you collect evidence and then end up going to court, your carelessness will likely result in having your evidence rejected by the court. Without the evidence you need to prove your case, you may not be able to prevail. Always treat each investigation as if it will end up in court.


Incident Handling and Management Tools for Microsoft Windows and Applications

Two basic types:

Tools that help manage the CSIRT’s activities and gather information about the incident response process

Tools that collect information about the incident itself


CSIRT Responsibilities


Tracking incidents

Reporting on incidents

Archiving incident reports

Communicating incident information

Investigating Microsoft Windows and Applications Incidents

Collect technical information to support incident investigation and resolution

Collect evidence of incident activity to discover what happened, why it happened, how to stop it from happening again

Discover traces of past activity in memory, stored on disks, or in log files

Find evidence of incident activity


Questions to Ask During an Investigation

What happened?

Who did it?

When did it happen?

Where did the incident originate and where was its target?

Why did the attacker attack this system?

How did it happen?


What happened?—Gather as much information about the incident as possible.

Who did it?—Discover as much information as possible about the source of the attack.

When did it happen?—Collect information on when the incident started and when it stopped.

Where did the incident originate and where was its target?—Discover the source’s location and the target of the attack.

Why did the attacker attack this system?—Discover the attack’s purpose and goal.

How did it happen?—Attempt to understand how the attacker compromised your security controls and accessed your system.


Acquiring and Managing Incident Evidence

Treat investigation as if it will end up in court

Investigation should produce evidence of an incident and possibly support action against an attacker

Evidence may be pictures, executable files, log files, other


Types of Evidence

Most common types of evidence in computer incidents:

Real evidence–physical object

Documentary evidence–written evidence or file contents

Required to prove accusation


Chain of Custody

Only original evidence is useful

Evidence that has not changed since the incident

Collection methods can change evidence

Handling methods can change evidence
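One way to produce the proof this slide asks for, that evidence has not changed since it was collected, is a hash-backed chain-of-custody log like the added PowerShell below, which is not from the course deck; the log path, handler names and evidence paths are placeholders.

```powershell
# Added example (not from the course deck): a minimal chain-of-custody log.
# Each evidence file is hashed (SHA-256) when collected, and every later
# handling step re-hashes it and appends an entry, so the log itself documents
# every move and access and shows whether the evidence is unchanged.
# Assumes: log path, handler names and evidence paths are placeholders; files
# are worked on from a copy, never hashed or opened on the original media.

$LogPath = 'C:\Evidence\custody-log.csv'    # placeholder location

function Add-CustodyEntry {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Handler,
        [Parameter(Mandatory)][ValidateSet('Collected', 'Transferred', 'Examined', 'Stored')]
        [string]$Action,
        [string]$Notes = ''
    )
    # One row per handling event: who, when (UTC), what, and the hash seen at that moment.
    $hash = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    [pscustomobject]@{
        TimestampUtc = (Get-Date).ToUniversalTime().ToString('o')
        Evidence     = (Resolve-Path $Path).Path
        Sha256       = $hash
        Handler      = $Handler
        Action       = $Action
        Notes        = $Notes
    } | Export-Csv -Path $LogPath -Append -NoTypeInformation
    $hash
}

function Test-CustodyIntegrity {
    param([Parameter(Mandatory)][string]$Path)
    # Compare the current hash with the one recorded at collection. Any difference
    # means the evidence changed somewhere in the chain and must be explained.
    $full     = (Resolve-Path $Path).Path
    $entries  = @(Import-Csv -Path $LogPath | Where-Object Evidence -eq $full)
    $original = $entries | Where-Object Action -eq 'Collected' | Select-Object -First 1
    if (-not $original) { throw "No collection record for $Path in $LogPath" }
    $current = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    [pscustomobject]@{
        Evidence     = $full
        CollectedSha = $original.Sha256
        CurrentSha   = $current
        Intact       = ($current -eq $original.Sha256)
        Entries      = $entries.Count
    }
}

# Usage with placeholder evidence file, handlers and host name:
# Add-CustodyEntry -Path 'C:\Evidence\case-001\app.log' -Handler 'J. Doe' -Action Collected -Notes 'Copied from host WS01'
# Add-CustodyEntry -Path 'C:\Evidence\case-001\app.log' -Handler 'A. Roe' -Action Examined
# Test-CustodyIntegrity -Path 'C:\Evidence\case-001\app.log'
```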


Sample Chain of Custody Log


Evidence Collection Rules

Each state and local jurisdiction may impose slightly different rules

Familiarize yourself with local laws and policies

Different rules govern different types of evidence

Contact local law enforcement to learn how they approach investigations

Contact your organization’s legal representatives, beginning with the legal representative on your CSIRT


Best Practices for Handling Incidents

Harden operating systems and software to avoid incidents.

Assess computers periodically to expose vulnerabilities.

Validate BCPs and DRPs.

Get full management support for a CSIRT.

Create a CSIRT.

Conduct a risk assessment to identify potential incidents that require attention first.


Best Practices for Handling Incidents (Cont.)

Develop an incident response plan around the six steps to handling incidents.

Create an incident reporting form and procedures.

Distribute and publicize the incident reporting form and procedures.

Test the incident response plan before attackers do.

Identify and acquire incident management software.

Identify and acquire incident investigation software.

Train key CSIRT members on proper evidence collection and handling.


Summary

Windows incidents

Windows incident handling tools

Acquiring and managing evidence

Incident response plan
