IBM ICE (Innovation Centre for Education)
Welcome to:
Unit 4 - Operating System and Application security
© Copyright IBM Corporation 2015 9.1
Unit objectives
IBM Power Systems
After completing this unit, you should be able to:
• Understand the need and importance of Operating System
hardening
• Recognize the different protection mechanisms
• Identify the vulnerabilities associated
Background of Operating Systems
• An operating system is an intermediary between the user
and the hardware of the computer
• The main purpose of an operating system is to provide a
suitable environment such that the programs can be
executed effectively and conveniently
• To understand it better, the operating system can be said to
act like a government
Types of Operating systems 1
• Distributed operating system
– Multiple central processors are used in a distributed operating system
such that multiple users and multiple real-time applications can be
served simultaneously
• Batch operating system
– Here, users cannot interact with the operating system on demand.
Jobs are often batched together and run as a single group, which
helps to make the processing faster
• Real-time operating systems
– In this type of operating system, the response time is very short
because requests are processed in real time
Types of Operating systems 2
• Time-sharing operating system
– This is a technique by which a particular computer system can be used
by many people, who may be located at many terminals
• Network operating system
– The Network Operating System runs only on a server and gives the
server the capability to manage users, data, groups, security,
network functions and other applications
Operating System Protection controls
• Need of protection
– It must be ensured that the operating systems running on the client
workstations and on the network servers are secure enough and can
prevent security attacks
• Hardening the Operating System
– Operating System hardening refers to the process of making the
operating system secure from possible attacks & intrusions in order to
safeguard information
• There are four universal categories of hardening to follow:
– Disabling services which are unnecessary
– Management interface and applications protection
– Protection of authentication
– Disabling accounts which are unnecessary
Updating OS for hardening
• Researching updates is vital to stay protected from newly
discovered threats; when possible, so is getting feedback
from other users before installing an update, so you can
learn from their experiences what difficulties may be
encountered
• There are mainly three different types of updates:
– Hotfixes
– Support Packs and Service Packs
– Patches
Protecting against malware
• Operating systems can be highly vulnerable to malware,
especially on systems connected to the internet. Malware
can cause any computing system to crash, irrespective of
which OS is installed on it
• Some types of malware:
– Virus: Viruses are software programs which exist on the local drive.
They reproduce by using a host such as emails, files etc.
– Worms: Worms are stand-alone software applications that reproduce
by themselves. A worm spreads in a system by exploiting its vulnerabilities
– Trojans: Trojans get into the system disguised as legitimate software
and remain hidden. They do not multiply and remain the same in
number
Solutions for protection against malware 1
• Hardware firewall
– A hardware firewall uses packet filtering on the data it transfers.
It determines the source and destination addresses by examining the
packet headers. Packets are forwarded or dropped on the basis of the
rules they are compared against.
• Antivirus
– Antivirus software is an application that is installed on a system to
protect it and to scan for viruses as well as worms and trojans
• Software Firewall
– Software firewalls are program-based applications that run on a
computer system. They work by checking all the information they
receive and by monitoring all the ports that are open on the
computer
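The packet-filtering decision described under "Hardware firewall" above, as an added example that is not part of the course material: an ordered rule list is compared against each packet header, the first match decides, and unmatched packets are dropped. The `Rule` and `Packet` types, the function names and the rule set are assumptions made for illustration; `shadowed` goes one step beyond the slide and reports rules that can never match because an earlier rule covers them.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    action: str                  # "forward" or "drop"
    src: str                     # source network (CIDR)
    dst: str                     # destination network (CIDR)
    proto: str = "any"           # "tcp", "udp" or "any"
    dport: Optional[int] = None  # destination port; None means any

@dataclass(frozen=True)
class Packet:                    # the header fields the filter inspects
    src: str
    dst: str
    proto: str
    dport: int

def matches(rule, pkt):
    """Compare one packet header against one rule."""
    return (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(rule.src)
            and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(rule.dst)
            and rule.proto in ("any", pkt.proto)
            and rule.dport in (None, pkt.dport))

def decide(rules, pkt, default="drop"):
    """First matching rule wins; unmatched packets get the default (deny)."""
    for index, rule in enumerate(rules):
        if matches(rule, pkt):
            return rule.action, index
    return default, None

def covers(a, b):
    """True if rule a matches every packet that rule b matches."""
    return (ipaddress.ip_network(b.src).subnet_of(ipaddress.ip_network(a.src))
            and ipaddress.ip_network(b.dst).subnet_of(ipaddress.ip_network(a.dst))
            and a.proto in ("any", b.proto)
            and a.dport in (None, b.dport))

def shadowed(rules):
    """Indices of rules that are unreachable behind an earlier rule."""
    return [j for j, later in enumerate(rules)
            if any(covers(earlier, later) for earlier in rules[:j])]

# Constructed rule set; all addresses are RFC 5737 documentation ranges.
RULES = [
    Rule("drop", "203.0.113.0/24", "0.0.0.0/0"),                  # blocked network
    Rule("forward", "0.0.0.0/0", "192.0.2.10/32", "tcp", 443),    # public web server
    Rule("forward", "198.51.100.0/24", "192.0.2.0/24", "tcp", 22),  # admin SSH
    Rule("forward", "203.0.113.9/32", "192.0.2.10/32", "tcp", 443),  # never reached
]

if __name__ == "__main__":
    for pkt in (Packet("198.51.100.7", "192.0.2.10", "tcp", 443),
                Packet("203.0.113.5", "192.0.2.10", "tcp", 443),
                Packet("198.51.100.7", "192.0.2.20", "tcp", 3389)):
        print(pkt, decide(RULES, pkt))
    print("shadowed rules:", shadowed(RULES))
```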
Solutions for protection against malware 2
• Intrusion Detection System (IDS)
– It analyzes a network for policy violations or activities that are
malicious in nature. After the analysis, the IDS forwards a report to
the management. The IDS makes the security personnel aware of the
packets leaving and entering the network
• The two types of IDS are:
– Network-based IDS (NIDS)
– Host-based IDS (HIDS)
Application Security
• The workstations and servers in an organization also run
certain services and applications. Services on the server
such as email, media servers and web services are
particularly vulnerable to attack and exploitation. So these
applications need to be hardened as well, such that
exploitation becomes almost impossible
Vulnerabilities in Application
Application Security techniques 1
• Fuzzing
– It is possible to enter unexpected values and cause the application to
crash
• Cross-Site Request Forgery
– Cross-Site Request Forgery, also known as XSRF, session riding, and
one-click attack, involves unauthorized commands coming from a
trusted user to the website
• Application Configuration Baselining
– In Baselining, a metric is considered to compare performance.
Baselining can be done with any metric, such as network performance
or CPU usage, as well as with applications
Application Security techniques 2
• Application Patch Management
– Just as operating system patches need to be kept current, because
they often fix security problems that are discovered with the OS,
application patches need to be kept current for the same purpose
Application Security Tools
• BIG-IP Application Security Manager
• IBM Security AppScan Scanner
• Cenzic Hailstorm Scanner
• QualysGuard WAS
• WhiteHat Sentinel
Secure Software Development
• Software development is the process of developing
software through successive phases in an orderly way
• This process includes not only the actual writing of code but
also the preparation of requirements and objectives, the
design of what is to be coded, and confirmation that what is
developed has met objectives
• The Software Development Life Cycle is a process used by the
software industry to design, develop and test high-quality
software
• It consists of a detailed plan describing how to develop,
maintain, replace and alter or enhance specific software
Secure Software Development phases 1
• Identifying the software which is required
– In this first step, identification, the user initiates a request for
the desired software product. The service provider is contacted and
terms are negotiated
• Analyzing the requirements of the software
– The most suitable software model for the project is put forward at
this step. The developers also decide on a road map according to
their plan to develop the software
• Detailed specification of the requirements from software
– As much information as possible on the requirements is gathered
by holding discussions with various stakeholders from the problem domain
• Designing the software
– This step involves designing the software, drawing on all the
knowledge available from analysis and requirements
Secure Software Development phases 2
• Programming
– The programming step is also sometimes known as the coding phase.
This step involves implementing the software design
• Testing
– In this step the software is tested by the developers while the
coding phase is under way. Thorough testing is done by testing experts
at different code levels, such as program testing, product testing,
module testing, testing the product at the user's end and in-house testing
• Maintenance
– The software is maintained according to the changes taking place in
the technology or at the user's end
Introduction to Database
• Database
– The usage of computing systems has increased rapidly in modern
times due to their ability to access, modify and store data. This data,
when stored in the computer in a systematic way, is known as a
database
• Data Repositories
– A physical and logical grouping of data from related but different
databases is known as a data repository. This approach allows data
to be accessed and stored based on certain attributes or
characteristics. The directory services must publish the appropriate
data to the users
• Directory Services
– The directory service is a method which allows storage, deletion and
access of data from database repositories
Directory Services
• Lightweight Directory Access Protocol (LDAP)
• Active Directory
• eDirectory
Vulnerabilities in Database
• Failures due to deployment
• Leakage of data
• Database backups are stolen
• Database abuse
• Hopscotch
• SQL injections
• Key-management
Securing the database
• Database security refers to the collective measures used to
protect and secure a database or database management
software from illegitimate use and malicious threats and
attacks
• Coverage
– Data stored in database
– Database server
– Database management system (DBMS)
– Other database work-flow applications
Database Security Techniques
• Restricting unauthorized access and use by implementing
strong and multi-factor access and data management
controls
• Load/stress testing and capacity testing of a database to
ensure it does not crash in a distributed denial of service
(D-DoS) attack or user overload
• Physical security of the database server and backup
equipment from theft and natural disasters
• Reviewing the existing system for any known or unknown
vulnerabilities and defining and implementing a road
map/plan to mitigate them
Web Application Security
• Web Security
– Web security is a branch of information security that deals specifically
with the security of websites, web applications and web services. It
addresses the issues that are specific to how web servers present their
content to web browsers, how the browsers interact with the servers,
and how people interact with the browsers
• Web Application Security
– Web application security falls under the umbrella of web security. It is
the process of securing confidential data stored online from
modification and unauthorized access. Policy measures must be
enforced to accomplish this
Web Application Security assessment
• Web browser
– The person assessing the site should also browse it using a regular
web browser, since a user mainly interacts with a web application
through a browser
• Web application security scanner
– A web application security scanner makes it faster to locate the
vulnerabilities in a web application. An automatic scanner can cover
vast areas in minutes and can traverse sites at a pace much faster
than a human
• HTTP editor
– Raw HTTP requests sometimes have to be manipulated when
carrying out an assessment of the security of the web application. An
HTTP request editor must be used, because a browser does not allow
manipulations of this kind
Mobile Application Security
• Explanation
– The security challenges posed by mobile devices such as iPads,
netbooks, smartphones, etc. are much greater than those posed by
servers, workstations, etc. This is because mobile devices leave the
organization, which raises the odds that they will be stolen and
misused
• Types of mobile application
– Web applications
– Native applications
– Hybrid applications
Threats and Risks on Mobile Applications
• Threat vectors
– Social engineering attacks can bypass antivirus defenses, giving rise
to threat vectors for infecting mobile devices. The users of the mobile
devices are deceived into installing apps that are malicious in nature.
Mobile devices also have more input sources than desktop systems,
which further increases the associated threat vectors
• Security risks
– Mobile applications have the ability to access security-critical servers,
storage and networking systems. An attacker who can exploit an
application can access or disrupt these systems as well
Potential Security Risks
• Security risks for web applications
– Web applications involve two main components—the server and the
client. Server-side vulnerabilities such as insufficient screening of client
data may be present in the part of the application that runs on the
server. Vulnerabilities on the client side can potentially be exploited
inside the web page when it is rendered and executed inside a web
browser
• Security risks for native applications
– Native applications have their own set of security concerns, which
generally fall into two categories—risks to the application and risks to
the mobile device
• Security risks for hybrid applications
– Since hybrid applications are part native application and part web
application, they have the combined security risks of the other two
application types
Preventing vulnerabilities
• Best practices for writing application code
– When creating mobile applications, organizations can benefit from
implementing a set of best practices for writing code
• Detect attacks using taint analysis
– Taint analysis is a specific type of static analysis that is well-suited to
detect integrity violations, such as applications using data from
untrusted users. It is also helpful to identify confidentiality leaks, such
as applications using private user data
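The integrity case of taint analysis described above, as an added example that is not part of the course material: a small static checker that parses Python source without running it, marks values from untrusted sources as tainted, follows them through assignments, and reports calls that pass tainted data to a sensitive sink. The source, sink and sanitizer lists, the function names and the sample program are assumptions chosen for illustration; the checker handles straight-line code only and does not model branches or function boundaries.

```python
import ast

SOURCES = {"input"}             # calls that return untrusted user data
SINKS = {"os.system", "eval"}   # calls that must not receive tainted data
SANITIZERS = {"shlex.quote"}    # calls whose result is treated as clean

def call_name(node):
    """Dotted name of a call target, e.g. 'os.system'; '' if not a simple name."""
    func = node.func
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name):
        return f"{func.value.id}.{func.attr}"
    return ""

def is_tainted(expr, tainted):
    """An expression is tainted if any part of it carries untrusted data."""
    if isinstance(expr, ast.Name):
        return expr.id in tainted
    if isinstance(expr, ast.Call):
        if call_name(expr) in SOURCES:
            return True
        if call_name(expr) in SANITIZERS:
            return False
    return any(is_tainted(child, tainted) for child in ast.iter_child_nodes(expr))

class TaintChecker(ast.NodeVisitor):
    def __init__(self):
        self.tainted = set()    # variable names currently holding tainted data
        self.findings = []      # (line number, sink name)

    def visit_Assign(self, node):
        self.generic_visit(node)            # check sink calls inside the value
        dirty = is_tainted(node.value, self.tainted)
        for target in node.targets:
            if isinstance(target, ast.Name):
                # Overwriting a variable with clean data removes its taint.
                (self.tainted.add if dirty else self.tainted.discard)(target.id)

    def visit_Call(self, node):
        name = call_name(node)
        if name in SINKS and any(is_tainted(a, self.tainted) for a in node.args):
            self.findings.append((node.lineno, name))
        self.generic_visit(node)

def find_tainted_sinks(source):
    checker = TaintChecker()
    checker.visit(ast.parse(source))
    return checker.findings

# Constructed sample program; it is only parsed, never executed.
SAMPLE = '''\
import os, shlex
host = input("host: ")
cmd = "ping -c 1 " + host
os.system(cmd)
safe = "ping -c 1 " + shlex.quote(host)
os.system(safe)
os.system(f"nslookup {host}")
host = "localhost"
os.system("ping -c 1 " + host)
'''

if __name__ == "__main__":
    for line, sink in find_tainted_sinks(SAMPLE):
        print(f"line {line}: untrusted data reaches {sink}")
```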
Checkpoint (1 of 5)
1. A term which refers to the process of establishing a standard
for security is:
– Hardening
– Baselining
– Methods research
– Security evaluation
2. What is a bundle of one or more system fixes in a single
product called?
– System install
– Service pack
– Patch
– Hotfix
Checkpoint (2 of 5)
3. Manual changes are applied to a program under which
process?
– Hotfix
– Service pack
– Patching
– Replacement
4. LDAP is an example of:
– File server
– Directory access protocol
– Tiered model application development environment
– IDS
Checkpoint (3 of 5)
5. In how many steps is software developed?
– 4
– 8
– 6
– 7
6. Native application is a type of:
– Mobile application
– Web application
– Database
– Data repositories
Checkpoint (4 of 5)
7. Which of these attacks replicates by itself?
– Worms
– Virus
– Trojans
– Logic bombs
8. Which of the following tools has an integration feature with
some other tools?
– Big-IP Security Manager
– IBM Security AppScan
– WhiteHat Sentinel
– QualysGuard WAS
Checkpoint (5 of 5)
9. Which of the following is a practice of OS hardening?
– Antivirus
– Firewall
– Patching and Updating
– Data Leakage Prevention
10. Which discipline is responsible for developing software in
a secure way?
– Application Security
– Secure Coding
– Network Security
– Database Security
Unit summary
Having completed this unit, you should be able to:
• Understand the need and importance of Operating System
hardening
• Recognize the different protection mechanisms
• Identify the vulnerabilities associated