Information Security Systems
ISS
Overview
• MySQL Misconfigurations
• DoS Attack
• DDoS Attack
• Sessions Hijacking
• Sessions Management
MySQL RDBMS
• The world's second most widely used RDBMS
• Open-source relational database management system (RDBMS)
• Owned by Oracle Corporation
• Used in many applications such as WordPress, Joomla, ...
• Used in many large-scale websites such as Facebook, Flickr, ...
MySQL Misconfigurations Threats
• Default password for the "root" account
• Using “root” account in Web Applications
• Listening over TCP/IP without any constraints
• Web Server and Database server on the same system/device
• Default user accounts and databases
• LOAD_FILE function
MySQL Misconfigurations Solutions
• Set a new password for the "root" account
• Remove all default user accounts and databases
• Disable LOAD_FILE function
• Disable listening on TCP/IP connections from anonymous sources
• Set maximum number of connections and timeout
• Apply critical patch update fixes without delay
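An added example, not part of the original slides: a small audit of a MySQL option file for the misconfigurations above that are visible in my.cnf (network exposure, LOAD_FILE, connection limits), plus the SQL statements for the account-related fixes. The two option files are constructed samples and the root password is a placeholder.

```python
import configparser

# Constructed sample option files: one weak, one with the slide's fixes applied.
WEAK_MY_CNF = """
[mysqld]
bind-address = 0.0.0.0
"""
HARDENED_MY_CNF = """
[mysqld]
bind-address = 127.0.0.1
secure_file_priv = NULL
max_connections = 150
wait_timeout = 60
"""

# Account and database clean-up cannot be read from my.cnf, so it is done in SQL.
# '<new-strong-password>' is a placeholder, not a real value.
REMEDIATION_SQL = (
    "ALTER USER 'root'@'localhost' IDENTIFIED BY '<new-strong-password>';",
    "DROP USER IF EXISTS ''@'localhost';",   # anonymous default account
    "DROP DATABASE IF EXISTS test;",         # default database
)

def audit_mysqld(cnf_text):
    """Return findings for the [mysqld] section; an empty list means no issue found."""
    parser = configparser.ConfigParser(interpolation=None, allow_no_value=True)
    parser.read_string(cnf_text)
    opts = {}
    if parser.has_section("mysqld"):
        # MySQL treats '-' and '_' in option names interchangeably.
        opts = {k.replace("-", "_"): v for k, v in parser["mysqld"].items()}
    findings = []
    # The default bind-address is '*', i.e. listening on every interface.
    listen = opts.get("bind_address") or "*"
    if "skip_networking" not in opts and listen not in ("127.0.0.1", "::1", "localhost"):
        findings.append("network: listening on %s; set bind-address=127.0.0.1 or skip-networking" % listen)
    # LOAD_FILE(), LOAD DATA and SELECT ... INTO OUTFILE are disabled only when secure_file_priv is NULL.
    if (opts.get("secure_file_priv") or "").upper() != "NULL":
        findings.append("load_file: secure_file_priv is not NULL, so LOAD_FILE() stays enabled")
    for limit in ("max_connections", "wait_timeout"):
        if limit not in opts:
            findings.append("limits: %s not set" % limit)
    return findings
```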
DoS Attack
• Denial of Service is an action that prevents or impairs the authorized use of networks, systems or applications by exhausting resources such as CPU, bandwidth or disk space.
• Categories of resources that can be attacked: network bandwidth, system resources, application resources
• Typical aims of DoS attacks:
• consuming bandwidth with large traffic volumes
• overloading or crashing the network handling software
• sending specific types of packets to consume limited available resources
Layer 4 DDoS Attack
• Sends thousands of packets per second from the attacker directly to the target
• Like throwing a brick through a window
• Takes thousands of participants to bring down a large site
• LOIC (Low Orbit Ion Cannon) is a well-known tool for this kind of attack
• Easily tracked, easy to block, high bandwidth
Layer 7 DDoS Attack
• Subtle, concealable attack
• Can be routed through proxies
• Low bandwidth
• Not easily detected, harder to trace
• Can be very difficult to distinguish from normal traffic
Slowloris
Apache Recommendations
Key Directives: MaxClients, Timeout, MaxKeepAliveRequests, KeepAlive and KeepAliveTimeout
Traffic Shaping
• mod_throttle - limit the frequency of requests allowed from a single client within a window of time
• mod_bwshare - bandwidth throttling by HTTP client IP address
• mod_limitipconn - limit the number of simultaneous downloads permitted from a single IP address
• mod_dosevasive - detects too many connections and temporarily blocks offending IP addresses
• mod_security - WAF, filtering, monitoring, logging
Load/Stress Testing
• http_load
• JMeter
• Slowloris + DoS tools
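An added detection example, not from the slides: a check over Apache mod_status `?auto` output that flags the worker pattern a slow-header attack such as Slowloris produces against the MaxClients limit named above (most slots stuck reading request headers, almost none free). The status text is constructed and the two thresholds are assumptions to tune per server.

```python
import re

# Legend of the Scoreboard line in mod_status "?auto" output.
SCOREBOARD_KEY = {"_": "waiting", "S": "starting", "R": "reading", "W": "sending",
                  "K": "keepalive", "D": "dns", "C": "closing", "L": "logging",
                  "G": "graceful", "I": "idle_cleanup", ".": "open_slot"}

def make_status(reading, sending, waiting, open_slots):
    """Build a constructed mod_status ?auto snippet with the given scoreboard mix."""
    board = "R" * reading + "W" * sending + "_" * waiting + "." * open_slots
    return ("Total Accesses: 1200\nBusyWorkers: %d\nIdleWorkers: %d\nScoreboard: %s\n"
            % (reading + sending, waiting, board))

def parse_scoreboard(status_text):
    """Count worker states from the Scoreboard line; unknown characters are ignored."""
    m = re.search(r"^Scoreboard:\s*(\S+)", status_text, re.M)
    if not m:
        raise ValueError("no Scoreboard line in status output")
    counts = dict.fromkeys(SCOREBOARD_KEY.values(), 0)
    for ch in m.group(1):
        if ch in SCOREBOARD_KEY:
            counts[SCOREBOARD_KEY[ch]] += 1
    return counts

def slow_header_alert(status_text, max_clients, reading_ratio=0.5, free_ratio=0.1):
    """Alert when most of the MaxClients slots sit in 'R' (reading request) and almost
    none are free: connections that trickle headers a few bytes at a time look exactly
    like this, whereas a bandwidth flood shows up in 'W' (sending reply) instead."""
    c = parse_scoreboard(status_text)
    free = c["waiting"] + c["open_slot"]
    reading_share = c["reading"] / max_clients
    alert = reading_share >= reading_ratio and free / max_clients <= free_ratio
    return alert, {"reading": c["reading"], "free": free,
                   "reading_share": round(reading_share, 2)}
```

Lowering Timeout and KeepAliveTimeout, as the slide recommends, frees such slots sooner; this check tells you when they are being held.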
SQL Wildcard Attacks
• Affect MS SQL and other databases (MySQL, PostgreSQL, Access)
• The query should return few or no results, so it must go through the entire data in the database
• OR combinations should be different, otherwise database performance algorithms may optimise the query
• The longer the query, the longer it takes to execute
• Avoids caching in the database, since every query is different
Recommendations
• Perform input validation and filtering based on a whitelist
• Discard wildcards and other potentially dangerous characters
• Limit the number of characters in the query
• Strict input type validation (e.g. a number must be a number)
• Implement CAPTCHA for advanced searches/queries
Search/Query Limits
• Set a limit of searches/queries per user per day
• Only authenticated users can run resource-consuming searches/queries
• Limit SQL query execution time
• Limit the number of records/rows returned by the database
Memcached: high-performance, in-memory object caching system
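An added example, not from the slides, applying the recommendations above to a product search: whitelist validation that rejects LIKE wildcards and overlong terms, strict integer validation, and a bounded query with an execution-time cap and a row limit. The `products` table, column names and limits are assumptions; placeholders use `%s` as MySQL connectors do.

```python
import re

MAX_TERM_LEN = 40
# Characters that act as wildcards in LIKE patterns: % and _ everywhere, [ ] ^ in MS SQL.
LIKE_WILDCARDS = set("%_[]^")
TERM_WHITELIST = re.compile(r"^[A-Za-z0-9 .'\-]+$")
INT_RE = re.compile(r"^[0-9]{1,9}$")

class InvalidInput(ValueError):
    pass

def validate_search_term(raw):
    """Whitelist validation: non-empty, bounded length, no wildcards, allowed alphabet only."""
    term = (raw or "").strip()
    if not term or len(term) > MAX_TERM_LEN:
        raise InvalidInput("term must be 1..%d characters" % MAX_TERM_LEN)
    if LIKE_WILDCARDS.intersection(term):
        raise InvalidInput("wildcard characters are not allowed")
    if not TERM_WHITELIST.match(term):
        raise InvalidInput("term contains characters outside the whitelist")
    return term

def validate_int(raw, lo, hi):
    """Strict type validation: digits only (no '1e3', no ' 7 '), then a range check."""
    if not INT_RE.match(raw or ""):
        raise InvalidInput("not an integer")
    value = int(raw)
    if not lo <= value <= hi:
        raise InvalidInput("out of range")
    return value

def build_search(raw_term, raw_limit, max_rows=50, max_ms=2000):
    """Return (sql, params) for a bounded prefix search. The single trailing '%' is
    added server-side and is index-friendly; the MAX_EXECUTION_TIME hint (MySQL 5.7.8+)
    caps execution time and LIMIT caps the rows returned."""
    term = validate_search_term(raw_term)
    limit = validate_int(raw_limit, 1, max_rows)
    sql = ("SELECT /*+ MAX_EXECUTION_TIME(%d) */ id, title FROM products "
           "WHERE title LIKE %%s LIMIT %%s" % max_ms)
    return sql, (term + "%", limit)

def is_rejected(fn, *args):
    """True if the validator raises InvalidInput for these arguments (used by tests)."""
    try:
        fn(*args)
    except InvalidInput:
        return True
    return False
```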
Session
• A session can be defined as server-side storage of information.
• A visitor accessing the website is assigned a unique id, the so-called session id.
• This is either stored in a cookie on the user side or propagated in the URL.
• The rest of the information and variables are stored on the server.
• Session variables hold information about one single user and are available to all pages in one application.
Session Hijacking
• Session hijacking is when an attacker gets access to the session state of a legitimate user.
• The attacker steals a valid session ID which is used to get into the system and retrieve the data.
Session Hijacking Types
• Predictable Session Token.
• Session Sniffing.
• Client-Side Attacks (XSS, malicious JS code, Trojans, etc.).
• Blind Hijack.
• Man-in-the-middle (MITM).
Session Management
• Session identifiers should be sufficiently randomized.
• Sessions should time out after a period of time.
• Use HTTPS.
• Regenerate the Session ID when moving between HTTP and HTTPS.
• Validate Session ID values coming from clients.
• Associate session information with SSL information.
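An added example, not from the slides, of a server-side session store that applies the points above: CSPRNG-generated identifiers, a shape check on every client-supplied id before storage is touched, idle timeout, regeneration of the id when a session moves between HTTP and HTTPS, and cookie flags that keep the id off plain HTTP. The timeout value and cookie name are assumptions; the clock is injectable so the expiry can be tested.

```python
import re
import secrets
import time

IDLE_TIMEOUT = 15 * 60                                # assumed: seconds of inactivity allowed
SESSION_ID_RE = re.compile(r"^[A-Za-z0-9_-]{43}$")    # shape of secrets.token_urlsafe(32)

def new_session_id():
    """256 random bits from the OS CSPRNG: not predictable from earlier ids."""
    return secrets.token_urlsafe(32)

def cookie_header(sid):
    """Set-Cookie value: never sent over plain HTTP, not readable by page scripts."""
    return "sid=%s; Secure; HttpOnly; SameSite=Strict; Path=/" % sid

class SessionStore:
    def __init__(self, clock=time.time):
        self._clock = clock                  # injectable for tests
        self._sessions = {}                  # sid -> {"user", "secure", "last_seen"}

    def create(self, user, secure):
        sid = new_session_id()
        self._sessions[sid] = {"user": user, "secure": secure, "last_seen": self._clock()}
        return sid

    def lookup(self, client_sid, secure):
        """Return the (possibly rotated) id of a valid live session, else None.
        The client value is checked against the expected shape before any storage
        access, idle sessions are dropped, and the id is regenerated when the
        request's transport (HTTP vs HTTPS) differs from the one the session had."""
        if not isinstance(client_sid, str) or not SESSION_ID_RE.match(client_sid):
            return None
        sess = self._sessions.get(client_sid)
        if sess is None:
            return None
        now = self._clock()
        if now - sess["last_seen"] > IDLE_TIMEOUT:
            del self._sessions[client_sid]
            return None
        sess["last_seen"] = now
        if sess["secure"] != secure:
            del self._sessions[client_sid]   # the old id is invalid from now on
            sess["secure"] = secure
            client_sid = new_session_id()
            self._sessions[client_sid] = sess
        return client_sid

    def user_of(self, sid):
        return self._sessions.get(sid, {}).get("user")
```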