CSCI 530 LabSoftware SecurityOperating Systems and SecurityPorts and ServicesModern day hacking techniquesHow do we prevent modern hackersHow do we protect our softwareThis week’s labCSCI 530 LabSoftware SecuritySoftware SecurityIn a sense, everything in security can fall under the category of software securityHardware needs software to do useful thingsFirewalls, IDS, etc. are all software or comprise of both hardware and softwareFor our purposes, we are talking about securing an application that provides a service for usersNormally web applications, but not limitedOperating Systems and SecurityTwo considerationsInternal SecurityProtecting the system from running programsExamplesAccidentally modifying the ntuser.dat file using Microsoft WordSubSeven trojan horse making system wide modificationsExternalProtecting the system from an external user or program through the use of portsExamples:Denial-of-Service AttacksPort ScannersPorts and ServicesPorts are windows into the systemA program opens a port so that there can be communication between that program and another systemExample: Web BrowsersRuns on port 80Allow communication between your system and a web serverWhat ports are open and what opens them?Last lab we ran nmap, which is a port scanner, and you were able to see a report as to which ports were open and what programs ran on those portsThis is important because a hacker will try to break into your system through an open portModern day hacking techniquesWe must understand how hackers think so we can attempt to predict their actions and take the appropriate precautions and countermeasuresOld school: break the operating systemPopular with Windows 95/98, earlier versions of 2000, old versions of linuxOperating systems were not built with security in mindNew school: break the applicationModern operating systems have security as a high priorityEasier to break a program running on a port than it is to break the O.S.Example: breaking into apache using a cross-site scriptTakes advantage of sloppy programmingHow do we prevent modern hackersKeep your systems up-to-dateService Packs, patches, etc.Do not run unnecessary programsThey could open ports without you knowingRegularly try to break into your systemsUsing a technique called penetration testingTo be covered in the next labHow do we protect our softwareBe better programmers Write your software with a security based mindsetAlways validate input in multiple waysRemove unnecessary codeClean up your code for easy testingTest, test, test!!!Test all possible input rangesSloppy programming makes hacking systems easierThis week’s labWe are going to set up a webserver, running a bank softwareThe software has some glaring holes, and you are going to practice exploiting these vulnerabilitiesThis lab is designed for you to understand the necessity to be better
View Full Document