Applied Information Security

Similar documents
X.media.publishing. Multimedia Systems. Bearbeitet von Ralf Steinmetz, Klara Nahrstedt

The Cinderella.2 Manual

Discrete, Continuous, and Hybrid Petri Nets

Payment Technologies for E-Commerce

Enabling Flexibility in Process-Aware Information Systems

IEC : Programming Industrial Automation Systems

Concurrent Programming: Algorithms, Principles, and Foundations

Model-Driven Design Using Business Patterns

SCI: Scalable Coherent Interface

VLSI-Design of Non-Volatile Memories

Springer Monographs in Mathematics. Set Theory. The Third Millennium Edition, revised and expanded. Bearbeitet von Thomas Jech

Object-Process Methodology

Model Driven Architecture and Ontology Development

Group-based Cryptography

A Study on Radio Access Technology Selection Algorithms

Handbook of Conceptual Modeling

Ajax in Oracle JDeveloper

Computational Biology

UML The Unified Modeling Language, Modeling Languages and Applications

Abstract Computing Machines

Introductory Operations Research

Ruby on Rails for PHP and Java Developers

Wireless Algorithms, Systems, and Applications

Introduction to Reliable and Secure Distributed Programming

Guerrilla Capacity Planning

Information Retrieval for Music and Motion

Embedded Robotics. Mobile Robot Design and Applications with Embedded Systems. Bearbeitet von Thomas Bräunl

Earth System Modelling - Volume 5

Monte Carlo Methods and Applications

Image and Geometry Processing for 3-D Cinematography

Advanced Man-Machine Interaction

Dynamic Taxonomies and Faceted Search

Conceptual Modelling in Information Systems Engineering

System Earth via Geodetic-Geophysical Space Techniques

Object-Oriented Metrics in Practice

Advances in Information Systems

Web Archiving. Bearbeitet von Julien Masanès

Web Component Development with Zope 3

Developments in 3D Geo-Information Sciences

Evolutionary Multi-Criterion Optimization

Certified Secure Web Application Engineer

CSWAE Certified Secure Web Application Engineer

Preference Learning. Bearbeitet von Johannes Fürnkranz, Eyke Hüllermeier

Mastering Linux. Paul S. Wang. CRC Press. Taylor & Francis Group. Taylor & Francis Croup an informa business. A CHAPMAN St HALL BOOK

Introduction To Linux. Rob Thomas - ACRC

Information Processing in Medical Imaging

Linux Fundamentals (L-120)

W e b A p p l i c a t i o n S e c u r i t y : T h e D e v i l i s i n t h e D e t a i l s

Students should have an understanding and a working knowledge in the following topics, or attend these courses as a pre-requisite:

Perspectives on Projective Geometry

Algorithms -- ESA 2004

CUNY John Jay College of Criminal Justice MATH AND COMPUTER SCIENCE

CONTENTS IN DETAIL INTRODUCTION 1 THE FAQS OF LIFE THE SCRIPTS EVERY PHP PROGRAMMER WANTS (OR NEEDS) TO KNOW 1 2 CONFIGURING PHP 19

CS 460 Linux Tutorial

X.media.publishing. 3D Computer Vision. Efficient Methods and Applications. von Christian Wöhler. 1. Auflage

WHY CSRF WORKS. Implicit authentication by Web browsers

Application. Security. on line training. Academy. by Appsec Labs

Network Security - ISA 656 Review

Advanced Numerical Methods to Optimize Cutting Operations of Five Axis Milling Machines

Overview of Web Application Security and Setup

LINUX FUNDAMENTALS (5 Day)

Introduction p. 1 Who Should Read This Book? p. 1 What You Need to Know Before Reading This Book p. 2 How This Book Is Organized p.

(CNS-301) Citrix NetScaler 11 Advance Implementation

OWASP March 19, The OWASP Foundation Secure By Design

CPTE: Certified Penetration Testing Engineer

The student will have the essential skills needed to be proficient at the Unix or Linux command line.

A Developer s Guide to the Semantic Web


Computer Security Coursework Exercise CW1 Web Server and Application Security

Test Harness for Web Application Attacks

Protocol engineering hartmut konig. Protocol engineering hartmut konig.zip

Embedded Software and Systems

2. UDP Client, UDP Server

COL100 Lab 2. I semester Week 2, Open the web-browser and visit the page and visit the COL100 course page.

Part 1: Basic Commands/U3li3es

bash Scripting Introduction COMP2101 Winter 2019

Web Penetration Testing

Students should have an understanding and a working knowledge in the following topics, or attend these courses as a pre-requisite:

TECNIA INSTITUTE OF ADVANCED STUDIES

Certified Linux Administrator 11 Exam.

ANATOMY OF AN ATTACK!

On successful completion of the course, the students will be able to attain CO: Experiment linked. 2 to 4. 5 to 8. 9 to 12.

Attacks Against Websites. Tom Chothia Computer Security, Lecture 11

Security and Privacy. SWE 432, Fall 2016 Design and Implementation of Software for the Web

(System) Integrity attacks System Abuse, Malicious File upload, SQL Injection

Integrity attacks (from data to code): Malicious File upload, code execution, SQL Injection

CSCE 548 Building Secure Software SQL Injection Attack

cs642 /introduction computer security adam everspaugh

Table of contents. Our goal. Notes. Notes. Notes. Summer June 29, Our goal is to see how we can use Unix as a tool for developing programs

Unix as a Platform Exercises. Course Code: OS-01-UNXPLAT

"Charting the Course... MOC B Active Directory Services with Windows Server Course Summary

.NET Secure Coding for Client-Server Applications 4-Day hands on Course. Course Syllabus

Introduction to Linux

"Charting the Course to Your Success!" Securing.Net Web Applications Lifecycle Course Summary

COPYRIGHTED MATERIAL. Contents. Part I: The Basics in Depth 1. Chapter 1: Windows Attacks 3. Chapter 2: Conventional and Unconventional Defenses 51

Online Intensive Ethical Hacking Training

IB047. Unix Text Tools. Pavel Rychlý Mar 3.

Strategic Infrastructure Security

Citrix NetScaler Basic and Advanced Administration Bootcamp

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

Transcription:

Applied Information Security A Hands-on Approach Bearbeitet von David Basin, Patrick Schaller, Michael Schläpfer 1. Auflage 2011. Buch. xiv, 202 S. Hardcover ISBN 978 3 642 24473 5 Format (B x L): 15,5 x 23,5 cm Gewicht: 491 g Weitere Fachgebiete > EDV, Informatik > Hardwaretechnische Grundlagen > Computersicherheit Zu Leseprobe schnell und portofrei erhältlich bei Die Online-Fachbuchhandlung beck-shop.de ist spezialisiert auf Fachbücher, insbesondere Recht, Steuern und Wirtschaft. Im Sortiment finden Sie alle Medien (Bücher, Zeitschriften, CDs, ebooks, etc.) aller Verlage. Ergänzt wird das Programm durch Services wie Neuerscheinungsdienst oder Zusammenstellungen von Büchern zu Sonderpreisen. Der Shop führt mehr als 8 Millionen Produkte.

Contents 1 Security Principles... 1 1.1 Objectives... 1 1.2 ProblemContext... 1 1.3 ThePrinciples... 2 1.3.1 Simplicity... 3 1.3.2 OpenDesign... 3 1.3.3 Compartmentalization... 4 1.3.4 Minimum Exposure.................................. 5 1.3.5 LeastPrivilege... 6 1.3.6 Minimum Trust and Maximum Trustworthiness........... 7 1.3.7 Secure, Fail-Safe Defaults............................. 9 1.3.8 CompleteMediation... 10 1.3.9 NoSinglePointofFailure... 11 1.3.10 Traceability......................................... 12 1.3.11 Generating Secrets................................... 13 1.3.12 Usability........................................... 13 1.4 Discussion... 14 1.5 Assignment... 14 1.6 Exercises... 14 2 The Virtual Environment... 17 2.1 Objectives... 17 2.2 VirtualBox... 18 2.2.1 Setting up a New Virtual Machine...................... 18 2.2.2 TheNetwork... 19 2.3 TheLabEnvironment... 21 2.3.1 TheHosts... 22 2.4 Installing the Virtual Machines............................... 24 2.4.1 Installing host alice... 24 2.4.2 Installing host bob... 25 2.4.3 Installing host mallet... 26 xi

xii Contents 3 Network Services... 27 3.1 Objectives... 27 3.2 Networking Background..................................... 28 3.2.1 Internet Layer....................................... 29 3.2.2 Transport Layer..................................... 29 3.3 TheAdversary spointofview... 31 3.3.1 InformationGathering... 31 3.3.2 Finding Potential Vulnerabilities....................... 33 3.3.3 Exploiting Vulnerabilities............................. 35 3.3.4 Vulnerable Configurations............................. 36 3.4 TheAdministrator spointofview... 38 3.5 ActionstoBeTaken... 39 3.5.1 Deactivating Services................................. 39 3.5.2 RestrictingServices... 42 3.6 Exercises... 45 4 Authentication and Access Control... 47 4.1 Objectives... 47 4.2 Authentication... 47 4.2.1 Telnet and Remote Shell.............................. 48 4.2.2 Secure Shell........................................ 49 4.3 UserIDsandPermissions... 52 4.3.1 File Access Permissions.............................. 52 4.3.2 SetuidandSetgid... 55 4.4 Shell Script Security........................................ 57 4.4.1 SymbolicLinks... 58 4.4.2 TemporaryFiles... 59 4.4.3 Environment... 60 4.4.4 DataValidation... 61 4.5 Quotas... 62 4.6 Change Root.............................................. 63 4.7 Exercises... 66 5 Logging and Log Analysis... 69 5.1 Objectives... 69 5.2 Logging Mechanisms and Log Files........................... 70 5.2.1 Remote Logging..................................... 72 5.3 Problems with Logging..................................... 72 5.3.1 TamperingandAuthenticity... 72 5.3.2 Tamper-Proof Logging................................ 73 5.3.3 Input Validation..................................... 73 5.3.4 Rotation... 74 5.4 IntrusionDetection... 74 5.4.1 LogAnalysis... 75 5.4.2 SuspiciousFilesandRootkits... 76

Contents xiii 5.4.3 Integrity Checks..................................... 77 5.5 Exercises... 79 6 Web Application Security... 81 6.1 Objectives... 81 6.2 Preparatory Work.......................................... 82 6.3 Black-Box Audit........................................... 82 6.4 Attacking Web Applications................................. 84 6.4.1 Remote File Upload Vulnerability in Joomla!............. 84 6.4.2 RemoteCommandExecution... 85 6.4.3 SQLInjections... 86 6.4.4 PrivilegeEscalation... 88 6.5 User Authentication and Session Management.................. 89 6.5.1 A PHP-Based Authentication Mechanism................ 89 6.5.2 HTTPBasicAuthentication... 90 6.5.3 Cookie-Based Session Management.................... 92 6.6 Cross-SiteScripting(XSS)... 94 6.6.1 Persistent XSS Attacks............................... 94 6.6.2 Reflected XSS Attacks................................ 95 6.6.3 DOM-Based XSS Attacks............................. 96 6.7 SQLInjectionsRevisited... 97 6.8 Secure Socket Layer........................................ 98 6.9 Further Reading............................................ 100 6.10 Exercises...100 7 Certificates and Public Key Cryptography...103 7.1 Objectives...103 7.2 Fundamentals of Public Key Cryptography..................... 103 7.3 Distribution of Public Keys and Certificates..................... 105 7.4 Creating Keys and Certificates................................ 107 7.5 Running a Certificate Authority............................... 108 7.6 Certificate-Based Client Authentication........................ 111 7.7 Exercises...112 8 Risk Management...117 8.1 Objectives...117 8.2 Risk and Risk Management.................................. 117 8.3 TheCoreElementsofRiskAnalysis...120 8.4 RiskAnalysis:AnImplementation...129 8.4.1 SystemDescription...130 8.4.2 Stakeholders........................................ 132 8.4.3 Assets and Vulnerabilities............................. 132 8.4.4 Vulnerabilities....................................... 137 8.4.5 Threat Sources...................................... 138 8.4.6 Risks and Countermeasures............................ 139

xiv Contents 8.4.7 Summary...144 A Using This Book in a Lab Course...147 A.1 CourseStructure...147 A.2 Project...148 B Report Template...155 B.1 SystemCharacterization...155 B.1.1 SystemOverview...155 B.1.2 System Functionality................................. 155 B.1.3 Components and Subsystems.......................... 156 B.1.4 Interfaces........................................... 156 B.1.5 Backdoors.......................................... 156 B.1.6 Additional Material.................................. 156 B.2 Risk Analysis and Security Measures.......................... 156 B.2.1 InformationAssets...156 B.2.2 Threat Sources...................................... 156 B.2.3 Risks and Countermeasures............................ 157 B.3 ReviewoftheExternalSystem...158 B.3.1 Background......................................... 158 B.3.2 Completeness in Terms of Functionality................. 158 B.3.3 Architecture and Security Concepts..................... 158 B.3.4 Implementation...158 B.3.5 Backdoors.......................................... 159 B.3.6 Comparison...159 C Linux Basics and Tools...161 C.1 System Documentation...................................... 161 C.2 Tools...163 C.2.1 Variables...163 C.2.2 Quoting and Wildcards............................... 164 C.2.3 Pipelining and Backquotes............................ 164 C.2.4 ls, find and locate...165 C.2.5 wc, sort, uniq, head and tail...165 C.2.6 ps, pgrep, kill and killall...165 C.2.7 grep...166 C.2.8 awk and sed...167 C.2.9 Tcpdump........................................... 168 D Answers to Questions...169 References...197 Index...199

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback