Information Security Systems
Uploaded by eyad-mhanna
Transcript of Information Security Systems
ISS
Overview
• MySQL Misconfigurations
• DoS Attack
• DDoS Attack
• Session Hijacking
• Session Management
MySQL RDBMS
• The world's second most widely used RDBMS
• Open-source relational database management system (RDBMS)
• Owned by Oracle Corporation
• Used by many applications, such as WordPress and Joomla
• Used by many large-scale websites, such as Facebook and Flickr
MySQL Misconfiguration Threats
• Default or empty password for the "root" account
• Using the "root" account from web applications (any SQL injection in the application then runs with full database privileges)
• Listening on TCP/IP without any constraints (the server is reachable from every host, not only the application server)
• Web server and database server on the same system/device (a web-server compromise gives local access to the database files and socket)
• Default user accounts (the anonymous ''@'localhost' accounts) and databases (the "test" database)
• LOAD_FILE() function (lets any account holding the FILE privilege read files readable by the mysqld process, a classic SQL-injection target)
MySQL Misconfiguration Solutions
• Set a new, strong password for the "root" account
• Remove all default user accounts (anonymous users) and the "test" database
• Restrict LOAD_FILE(): do not grant the FILE privilege to application accounts and set secure_file_priv (there is no switch that disables the function itself, so the privilege and the directory restriction are what actually protect the filesystem)
• Do not accept TCP/IP connections from arbitrary sources: set bind-address to the application server's address, or enable skip-networking and connect over the local socket
• Set a maximum number of connections (max_connections) and idle timeouts (wait_timeout)
• Apply critical patch update fixes without delay
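The following script is an added example (not part of the original slides) that audits a MySQL configuration file and a dump of the user table against the threats and solutions listed above. The my.cnf text, the user rows (in the shape of SELECT user, host, authentication_string FROM mysql.user) and the database list are constructed for illustration; the weak configuration is shown beside its hardened counterpart.

```python
"""Audit a MySQL configuration and user table for the misconfigurations above.

Added example, not from the slides. The my.cnf text and the user rows below are
constructed; in practice the rows come from
`SELECT user, host, authentication_string FROM mysql.user`.
"""
import configparser

# Constructed my.cnf with the weak settings the slides warn about.
WEAK_MY_CNF = """
[mysqld]
bind-address = 0.0.0.0
local-infile = 1
"""

# Constructed hardened counterpart.
HARDENED_MY_CNF = """
[mysqld]
bind-address = 127.0.0.1
skip-networking
secure_file_priv = /var/lib/mysql-files
local-infile = 0
max_connections = 150
wait_timeout = 300
"""

# Constructed user rows: (user, host, authentication_string).
USERS = [
    ("root", "localhost", ""),            # empty password
    ("root", "%", "*A4B6157319038724E3560894F7F932C8886EBFCF"),  # root from any host
    ("", "localhost", ""),                # anonymous account
    ("wpuser", "10.0.0.5", "*C1E84B2A2D4F6A4D0AE8A7DDB5D6AB8E30A9F5C7"),
]
DATABASES = ["mysql", "test", "wordpress", "information_schema"]


def audit_config(text):
    """Return a list of findings for the [mysqld] section of a my.cnf."""
    cp = configparser.ConfigParser(allow_no_value=True, interpolation=None)
    cp.read_string(text)
    s = cp["mysqld"] if cp.has_section("mysqld") else {}
    findings = []
    if "skip-networking" not in s:
        bind = s.get("bind-address", "*")        # unset means all interfaces
        if bind in ("*", "0.0.0.0", "::"):
            findings.append("listens on all interfaces: set bind-address or skip-networking")
    if "secure_file_priv" not in s:
        findings.append("secure_file_priv not set explicitly: LOAD_FILE()/LOAD DATA "
                        "may read any file readable by mysqld")
    if s.get("local-infile", "1") != "0":       # assumes the pre-8.0 default of ON
        findings.append("local-infile enabled: disable unless the application needs it")
    if "max_connections" not in s:
        findings.append("max_connections not set: connection exhaustion is trivial")
    if "wait_timeout" not in s:
        findings.append("wait_timeout not set: idle connections hold resources")
    return findings


def audit_accounts(users, databases):
    """Return findings (with the SQL that fixes each) for user rows and databases."""
    findings = []
    for user, host, auth in users:
        if user == "":
            findings.append(f"anonymous account: DROP USER ''@'{host}'")
        elif auth == "":
            findings.append(f"empty password for '{user}'@'{host}': "
                            f"ALTER USER '{user}'@'{host}' IDENTIFIED BY '<strong password>'")
        if user == "root" and host == "%":
            findings.append("root reachable from any host: DROP USER 'root'@'%'")
    if "test" in databases:
        findings.append("default database present: DROP DATABASE test")
    return findings


if __name__ == "__main__":
    for f in audit_config(WEAK_MY_CNF) + audit_accounts(USERS, DATABASES):
        print("-", f)
    print("hardened config findings:", audit_config(HARDENED_MY_CNF))
```

The config checks are deliberately conservative: a directive that is absent is reported even when the packaged default happens to be safe, because the safe value should be pinned in the file rather than inherited from whichever build is installed.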
DoS Attack
• Denial of Service is an action that prevents or impairs the authorized use of networks, systems or applications by exhausting resources such as CPU, bandwidth, disk space, ...
• Categories of resources that can be attacked:
• network bandwidth, system resources, application resources
• Typical aims of DoS attacks:
• consuming bandwidth with large traffic volumes
• overloading or crashing the network-handling software
• sending specific types of packets to consume limited available resources
Layer 4 DDoS Attack
• Sends thousands of packets per second from the attacker directly to the target
• Like throwing a brick through a window
• Takes thousands of participants to bring down a large site
• LOIC (Low Orbit Ion Cannon) is the tool commonly used for this
• Easily tracked and easy to block (the participants' own addresses appear in the traffic), but needs high bandwidth
Layer 7 DDoS Attack
• Subtle, concealable attack
• Can be routed through proxies
• Low bandwidth
• Not easily detected, harder to trace
• Can be very difficult to distinguish from normal traffic
Slowloris
• Layer 7 tool that opens many connections to a web server and keeps each one alive by sending partial HTTP headers very slowly, tying up the server's worker/connection pool with almost no bandwidth
Apache Recommendations: Key Directives
• MaxClients, Timeout, MaxKeepAliveRequests, KeepAlive and KeepAliveTimeout (lower Timeout and KeepAliveTimeout so that idle or deliberately slow connections release their worker sooner)
Traffic Shaping
• mod_throttle - limits the frequency of requests allowed from a single client within a window of time
• mod_bwshare - bandwidth throttling by HTTP client IP address
• mod_limitipconn - limits the number of simultaneous downloads permitted from a single IP address
• mod_dosevasive (since renamed mod_evasive) - detects too many connections and temporarily blocks the offending IP address
• mod_security - WAF, filtering, monitoring, logging
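To show what the mod_dosevasive style of detection actually does, here is an added example (not from the slides and not the module's own code) of a sliding-window request-rate detector run over constructed Apache combined-format log lines. The thresholds, the blocking period and the rule that a blocked client's block is renewed while it keeps hitting the server are assumptions chosen for the demonstration, not the module's defaults.

```python
"""Sliding-window request-rate detector in the style of mod_dosevasive.

Added example, not from the slides or the mod_dosevasive project. Thresholds
and the blocking period below are assumed values for the demonstration; the log
lines are constructed in Apache combined format.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) \S+')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Assumed thresholds: hits on one URI from one IP, and hits site-wide from one IP.
PAGE_COUNT, PAGE_INTERVAL = 3, timedelta(seconds=1)
SITE_COUNT, SITE_INTERVAL = 20, timedelta(seconds=1)
BLOCKING_PERIOD = timedelta(seconds=10)


class Evasive:
    def __init__(self):
        self.page_hits = defaultdict(deque)    # (ip, uri) -> recent timestamps
        self.site_hits = defaultdict(deque)    # ip -> recent timestamps
        self.blocked_until = {}                # ip -> datetime

    @staticmethod
    def _over(q, now, limit, window):
        """Record a hit, drop hits older than the window, report if over limit."""
        q.append(now)
        while q and now - q[0] > window:
            q.popleft()
        return len(q) > limit

    def observe(self, ip, uri, now):
        """Return True if this request should be refused (HTTP 403)."""
        until = self.blocked_until.get(ip)
        if until is not None and now < until:
            self.blocked_until[ip] = now + BLOCKING_PERIOD   # assumed: renew while hammering
            return True
        if (self._over(self.page_hits[(ip, uri)], now, PAGE_COUNT, PAGE_INTERVAL)
                or self._over(self.site_hits[ip], now, SITE_COUNT, SITE_INTERVAL)):
            self.blocked_until[ip] = now + BLOCKING_PERIOD
            return True
        return False


def run(lines):
    """Replay log lines through a detector; return refused-request counts per IP."""
    det = Evasive()
    refused = defaultdict(int)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                                       # skip unparseable lines
        now = datetime.strptime(m["ts"], TS_FMT)
        if det.observe(m["ip"], m["uri"], now):
            refused[m["ip"]] += 1
    return dict(refused)


def decisions(ip, uri, n, gap_seconds):
    """Feed n requests for one URI, gap_seconds apart, into a fresh detector."""
    det = Evasive()
    return [det.observe(ip, uri, BASE + timedelta(seconds=i * gap_seconds)) for i in range(n)]


def log_line(ip, uri, t):
    return f'{ip} - - [{t.strftime(TS_FMT)}] "GET {uri} HTTP/1.1" 200 512 "-" "Mozilla/5.0"'


# Constructed sample: a normal visitor reading three pages, and one client
# (TEST-NET address) firing six requests for the same URI within one second.
BASE = datetime(2024, 3, 1, 12, 0, 0, tzinfo=timezone.utc)
SAMPLE = ([log_line("198.51.100.2", f"/page{i}", BASE + timedelta(seconds=i)) for i in range(3)]
          + [log_line("203.0.113.7", "/search", BASE) for _ in range(6)])

if __name__ == "__main__":
    print(run(SAMPLE))   # the bursting client is refused from its 4th hit on
```

One caveat the slides' list does not spell out: a detector like this only sees completed requests, and a Slowloris client never completes one, so its connections never reach the access log. Slowloris is addressed by the directives above (a short Timeout) and by mod_reqtimeout's RequestReadTimeout in Apache 2.2.15 and later, not by request-rate blocking.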
Load/Stress Testing
• http_load
• JMeter
• Slowloris + DoS tools
SQL Wildcard Attacks
• Affect MS SQL Server and other databases (MySQL, PostgreSQL, Access): a search term stuffed with LIKE wildcards (%, _ and, on MS SQL Server, the [ ] and [^ ] character classes) can keep the database engine busy for a long time with a single request
• Properties of an effective attack string:
• The query should return few or no results, so the database must go through the entire table
• The OR combinations should differ from each other, otherwise the query optimizer may collapse them
• The longer the query, the longer it takes to execute
• Every query is different, which avoids the database's query cache
Recommendations
• Perform input validation and filtering based on a whitelist
• Discard wildcards and other potentially dangerous characters
• Limit the number of characters in the query
• Strict input type validation (e.g. a number must be a number)
• Implement CAPTCHA for advanced searches/queries
Search/Query Limits
• Set a limit on searches/queries per user per day
• Only authenticated users can run expensive searches/queries
• Limit SQL query execution time
• Limit the number of records/rows returned by the database
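The recommendations above combined into one search endpoint, as an added example that is not from the slides: whitelist validation, a length cap, LIKE-wildcard escaping, parameter binding, a row limit, authentication and a per-user daily quota. An in-memory SQLite table stands in for the real database; the product names, the quota values and the attack-style term are constructed for the demonstration.

```python
"""Search endpoint hardened against SQL wildcard attacks.

Added example, not from the slides. SQLite in memory stands in for the real
database; product names, quota values and ATTACK_TERM are constructed.
"""
import re
import sqlite3
from collections import defaultdict

MAX_TERM_LEN = 30
TERM_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9 .'-]*")   # whitelist: no % _ [ ] ^ or quotes
MAX_ROWS = 20
DAILY_QUOTA = 100
# Constructed illustration of the shape a wildcard-attack term takes.
ATTACK_TERM = "%_[^a]%_[^b]%_[^c]%_%"


class SearchError(ValueError):
    pass


def validate_term(term):
    """Reject anything outside the whitelist before it reaches the database."""
    if not isinstance(term, str) or len(term) > MAX_TERM_LEN:
        raise SearchError("missing or too long")
    if not TERM_RE.fullmatch(term):
        raise SearchError("disallowed characters")
    return term


def escape_like(term):
    """Belt and braces: even a whitelisted term is escaped so %, _ and the escape
    character can never act as LIKE metacharacters."""
    return term.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")


class SearchService:
    def __init__(self, conn):
        self.conn = conn
        self.used = defaultdict(int)        # (user, day) -> queries run today

    def search(self, user, day, term, authenticated=True):
        if not authenticated:
            raise SearchError("login required for search")
        if self.used[(user, day)] >= DAILY_QUOTA:
            raise SearchError("daily quota exhausted")
        self.used[(user, day)] += 1
        pattern = "%" + escape_like(validate_term(term)) + "%"
        # Parameters are bound, never concatenated; LIMIT caps the result set.
        rows = self.conn.execute(
            "SELECT name FROM products WHERE name LIKE ? ESCAPE '\\' "
            "ORDER BY name LIMIT ?",
            (pattern, MAX_ROWS)).fetchall()
        return [r[0] for r in rows]


def safe_search(svc, user, day, term, authenticated=True):
    """Wrapper returning ('ok', rows) or ('error', message), as a handler would."""
    try:
        return ("ok", svc.search(user, day, term, authenticated))
    except SearchError as e:
        return ("error", str(e))


def demo_db():
    """Constructed product table: three names plus 25 widgets to exercise LIMIT."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (name TEXT)")
    names = ["Apple Watch", "Pineapple", "Banana"] + [f"Widget {i:02d}" for i in range(1, 26)]
    conn.executemany("INSERT INTO products VALUES (?)", [(n,) for n in names])
    return conn


if __name__ == "__main__":
    svc = SearchService(demo_db())
    print(safe_search(svc, "alice", "2024-03-01", "Apple"))
    print(safe_search(svc, "alice", "2024-03-01", ATTACK_TERM))
    print(len(safe_search(svc, "alice", "2024-03-01", "Widget")[1]), "widgets returned")
```

The one recommendation the example cannot show in SQLite is the execution-time limit; on MySQL 5.7.8 and later that is the optimizer hint SELECT /*+ MAX_EXECUTION_TIME(1000) */ ..., and on MS SQL Server it is the command timeout set on the client connection.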
Memcached
• High-performance, distributed memory object caching system; serving repeated search results from the cache keeps them off the database
Session
• A session can be defined as server-side storage of information about one visitor.
• A visitor accessing the web site is assigned a unique ID, the so-called session ID.
• This ID is either stored in a cookie on the user's side or propagated in the URL (the cookie is preferable: an ID in the URL leaks through the Referer header, browser history and proxy logs).
• The rest of the information and variables are stored on the server.
• Session variables hold information about one single user, and are available to all pages in one application.
Session Hijacking
• Session hijacking is when an attacker gains access to the session state of a legitimate user.
• The attacker steals a valid session ID and uses it to enter the system as that user and retrieve the user's data.
Session Hijacking Types
• Predictable session tokens (the attacker guesses or brute-forces a valid ID).
• Session sniffing (the ID is captured from unencrypted traffic).
• Client-side attacks (XSS, malicious JavaScript, Trojans, etc.) that read the ID from the browser.
• Blind hijacking (the attacker injects requests into the session without seeing the responses).
• Man-in-the-middle (MITM).
Session Management
• Session identifiers should be sufficiently random: generated from a cryptographically secure source and long enough that guessing one is infeasible.
• Sessions should time out, both after a period of inactivity and after an absolute maximum lifetime.
• Use HTTPS for the whole session, and mark the session cookie Secure and HttpOnly.
• Regenerate the session ID when moving between HTTP and HTTPS, and whenever the privilege level changes (e.g. at login), so that an ID issued before authentication is never promoted.
• Validate session ID values coming from clients: reject anything not in the expected format before looking it up.
• Associate session information with the SSL/TLS session information, so that a stolen ID presented over a different TLS session is rejected.
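The session-management rules above, and the defences against the hijacking types listed before them, put together in one server-side session store as an added example (not from the slides): cryptographically random IDs, idle and absolute timeouts, format validation of client-supplied IDs, regeneration on login and on the HTTP-to-HTTPS transition, and binding to the TLS session. The clock is injected so the timeouts can be exercised without waiting, and the TLS session identifiers and user names are constructed values.

```python
"""Server-side session store applying the management rules above.

Added example, not from the slides. The clock is injected for testing; the TLS
session identifiers and user names in demo() are constructed values.
"""
import re
import secrets
import time

ID_BYTES = 32                                # 256 bits from the OS CSPRNG
ID_RE = re.compile(r"[A-Za-z0-9_-]{43}")     # exact shape of token_urlsafe(32)
IDLE_TIMEOUT = 15 * 60                       # seconds since last request
ABSOLUTE_TIMEOUT = 8 * 3600                  # seconds since creation


def new_session_id():
    return secrets.token_urlsafe(ID_BYTES)


class SessionStore:
    def __init__(self, clock=time.time):
        self.clock = clock
        self.sessions = {}   # id -> {created, last_seen, https, tls_id, user, data}

    def create(self, https, tls_id):
        sid = new_session_id()
        now = self.clock()
        self.sessions[sid] = {"created": now, "last_seen": now, "https": https,
                              "tls_id": tls_id, "user": None, "data": {}}
        return sid

    def lookup(self, sid, https, tls_id):
        """Validate a client-supplied ID; return the session dict or None."""
        if not isinstance(sid, str) or not ID_RE.fullmatch(sid):
            return None                                  # junk never touches the store
        s = self.sessions.get(sid)
        if s is None:
            return None
        now = self.clock()
        if now - s["last_seen"] > IDLE_TIMEOUT or now - s["created"] > ABSOLUTE_TIMEOUT:
            del self.sessions[sid]
            return None
        if s["https"] and tls_id != s["tls_id"]:         # bound to the issuing TLS session
            return None
        s["last_seen"] = now
        return s

    def regenerate(self, sid, https, tls_id):
        """Move the state to a fresh ID; the old ID stops working immediately."""
        s = self.sessions.pop(sid)
        new = new_session_id()
        s.update(https=https, tls_id=tls_id)
        self.sessions[new] = s
        return new

    def upgrade_to_https(self, sid, tls_id):
        return self.regenerate(sid, True, tls_id)

    def login(self, sid, user, https, tls_id):
        new = self.regenerate(sid, https, tls_id)        # defeats session fixation
        self.sessions[new]["user"] = user
        return new


class FakeClock:
    """Constructed clock so the demo can advance time deterministically."""
    def __init__(self, t=1_700_000_000.0):
        self.t = t

    def __call__(self):
        return self.t


def demo():
    """Walk one visitor through the rules; return which checks behaved as required."""
    clock = FakeClock()
    store = SessionStore(clock)
    sid = store.create(https=False, tls_id=None)
    r = {"format_ok": bool(ID_RE.fullmatch(sid)),
         "junk_rejected": store.lookup("../../etc/passwd", False, None) is None}
    sid2 = store.upgrade_to_https(sid, tls_id="tls-A")   # constructed TLS session id
    r["old_id_dead"] = store.lookup(sid, True, "tls-A") is None
    r["other_tls_rejected"] = store.lookup(sid2, True, "tls-B") is None
    r["same_tls_ok"] = store.lookup(sid2, True, "tls-A") is not None
    sid3 = store.login(sid2, "alice", True, "tls-A")
    r["login_rotates"] = sid3 != sid2 and store.lookup(sid2, True, "tls-A") is None
    r["user_set"] = store.lookup(sid3, True, "tls-A")["user"] == "alice"
    clock.t += IDLE_TIMEOUT + 1
    r["idle_expired"] = store.lookup(sid3, True, "tls-A") is None
    return r


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {'pass' if ok else 'FAIL'}")
```

Binding to the TLS session is the strictest form of the last rule: a browser that resumes with a new TLS session (for example after a network change) is logged out, so a deployment that cannot accept that may bind to a client certificate or to a weaker fingerprint instead. The important property is that the session ID alone, sniffed or stolen by script, is not sufficient.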