CompTIA Security+

Module 03

Managing Data, Application, and Host Security

Copyright © 2014 Logical Operations, Inc. All rights reserved. OV 3 - 1


Managing Data, Application, and Host Security

 Manage Data Security
 Manage Application Security
 Manage Device and Host Security
 Manage Mobile Security

Layered Security

(Diagram: a host wrapped in successive layers, from the outside in: router, firewall, antivirus software, disk encryption. The threats shown trying to get through are industrial espionage, unauthorized access, an intruder, and a virus.)

Defense in Depth

What Is Data Security?

 Security controls and measures implemented to secure an organization's data.
 Protect data storage systems and the devices that access them.
 Incorporated into security policies.

Data Security Vulnerabilities

 Increased use of cloud computing: data is stored and processed on systems outside the organization's direct control.
 Lack of restricted access to data systems.
 Lack of user awareness.

Data Storage Methods

 DAS (direct-attached storage)
 NAS (network-attached storage)
 SAN (storage area network)
 Cloud

Data Encryption Methods

 Full disk
 Database
 File
 Removable media
 Mobile device
 Email
 Voice

Hardware-Based Encryption Devices

 Enforces encryption, decryption, and access control using an HSM.
 Denies execution of external programs.
 Benefits:
   Prevents unauthenticated storage mapping.
   Prevents copying data without the assigned HSM.
   Self-governed; not affected by malicious code or other OS issues.
   Provides evidence that the computers are encrypted and that the data on them is protected.

Types of Hardware-Based Encryption Devices

 TPM (Trusted Platform Module: a chip on the system board that stores keys and boot measurements)
 HSM (hardware security module: a dedicated card or appliance for key storage and cryptographic operations)
 USB (self-encrypting flash drives)
 Hard drive (self-encrypting drives)

Data States

 Data at rest: stored on disk, tape, or other media.
 Data in transit: moving across a network.
 Data in use: held in memory while it is being processed.

Permissions and Access Control Lists

 Permissions:
   Who can read or change data in a file or folder.
   Implemented at the individual file and folder level.
 ACLs:
   Lists of entries stating which subjects (users, groups, or hosts) may perform which operations on an object.
   Used by operating systems on files and folders, and by network devices to filter traffic; MAC address filters on wireless routers and wireless APs are one example.

Handling Big Data

 Large, complex data collections.
 Must adapt to a new paradigm.
 Restrict visibility to the data set as a whole.
 Design big data to work with trusted parties and integrate non-repudiation.

Data Policies

 Normally covered under the AUP and other general corporate security policies.
 Can also be developed as a separate policy to guarantee protection of personal data.
 Data policy types:
   Wiping
   Disposal
   Retention
   Storage

Guidelines for Managing Data Security

 Consider implementing layered security.
 Identify forms of data storage, and select security controls to protect each type.
 Consider implementing controls to protect data in transit, in use, and at rest.
 Consider developing and enforcing data policies that protect data while allowing the correct level of accessibility.

What Is Application Security?

 Proper development, deployment, and maintenance of applications.
 Protects applications from threats and vulnerabilities.

Patch Management

(Flow diagram: Evaluate the patch → Test it on a non-production system → Implement it in production.)

Application Security Methods

 Configuration baseline
 Application hardening
 Patch management

Input Validation

(Diagram: the expected format is mm/dd/yyyy. The delivered input "01/01/2014" matches it: data valid, proceed. The delivered input "01/01/2014:DELETE table 'Users'" has malicious code appended to the date: data invalid, rejected.)

Input Validation Vulnerabilities

 Any type of software.
 Websites and applications are popular targets.
 Requires careful coding to avoid.

Client-Side and Server-Side Validation

 Client-side validation:
   Input validation and error recovery at the browser.
   JavaScript, AJAX, VBScript, and HTML5 attributes.
 Server-side validation:
   Input validation and error recovery at the server.
   Perl, PHP, ASP, and other server-side languages.
 For an enhanced user experience, use client-side validation.
 For security, use server-side validation: client-side checks are bypassed by anyone who sends requests without the browser, so the server must validate every input regardless.

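
The rejection shown on the input-validation diagram, done on the server side as the slides recommend, as an added example in Python that is not part of the original slides. The Logins table, its three sample rows, and the handler name count_logins are assumptions made for the example; the slides describe the principle only. It also shows the second layer a practitioner wants: the value reaches the database as a bound parameter, so even an input that slipped past validation would be treated as data rather than SQL.

```python
import re
import sqlite3
from datetime import datetime

# Allow-list pattern for the expected format on the slide (mm/dd/yyyy).
DATE_RE = re.compile(r"^(0[1-9]|1[0-2])/(0[1-9]|[12][0-9]|3[01])/\d{4}$")


def validate_date(value: str):
    """Return a date object if value is exactly mm/dd/yyyy, otherwise None.

    The regex rejects anything appended to the date (such as the slide's
    ':DELETE table ...'); strptime then rejects impossible dates like 02/30.
    """
    if DATE_RE.fullmatch(value) is None:
        return None
    try:
        return datetime.strptime(value, "%m/%d/%Y").date()
    except ValueError:
        return None


def make_demo_db():
    """Constructed in-memory table standing in for the application's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Logins (user TEXT, day TEXT)")
    conn.executemany(
        "INSERT INTO Logins VALUES (?, ?)",
        [("alice", "2014-01-01"), ("bob", "2014-01-01"), ("carol", "2014-01-02")],
    )
    return conn


def count_logins(conn, raw_value: str):
    """Server-side handler: validate first, then query with a bound parameter.

    Returns the row count, or None when the input is rejected. Even if the
    validation step were bypassed, the '?' placeholder makes the database
    treat the value as data, not as SQL.
    """
    day = validate_date(raw_value)
    if day is None:
        return None
    row = conn.execute(
        "SELECT COUNT(*) FROM Logins WHERE day = ?", (day.isoformat(),)
    ).fetchone()
    return row[0]


if __name__ == "__main__":
    db = make_demo_db()
    for candidate in ("01/01/2014", "01/01/2014:DELETE table 'Users'", "02/30/2014"):
        print(repr(candidate), "->", count_logins(db, candidate))
```

The regex is an allow list (what a date may look like), not a block list of SQL keywords; block lists are what attackers spend their time getting around.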
Error and Exception Handling

(Diagram: an attacker submits a valid user name with an incorrect password and receives the message "Incorrect password", which confirms to the attacker that the user name exists.)

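
The leak on the diagram and its fix, as an added example in Python that is not part of the original slides. The user store, the account name alice, and the function names are assumptions made for the example. The leaky version returns a different message for an unknown user than for a wrong password, and also returns faster for unknown users because no hash is computed; the safe version gives the same answer and does the same work either way, and puts the detail in the server log where it belongs.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Constructed user store: one account, password kept as a salted PBKDF2 hash.
_ALICE_SALT = os.urandom(16)
USERS = {"alice": (_ALICE_SALT, _hash("correct horse", _ALICE_SALT))}

# Dummy credentials hashed for unknown users so the work factor is identical.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash("placeholder", _DUMMY_SALT)

SERVER_LOG = []  # where the detail belongs: the server log, not the response

GENERIC = "Invalid user name or password"


def login_leaky(username: str, password: str) -> str:
    """The slide's anti-pattern: different messages reveal which user names
    exist, and an unknown user returns instantly while a known one costs a
    PBKDF2 run, so timing leaks the same fact."""
    if username not in USERS:
        return "Unknown user name"
    salt, stored = USERS[username]
    if not hmac.compare_digest(_hash(password, salt), stored):
        return "Incorrect password"
    return "OK"


def login_safe(username: str, password: str) -> str:
    """Same message and same amount of work whether the user exists or not."""
    known = username in USERS
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    matches = hmac.compare_digest(_hash(password, salt), stored)
    if known and matches:
        return "OK"
    SERVER_LOG.append(f"login failed user={username!r} known={known}")
    return GENERIC
```

The same rule applies to password-reset and registration pages: "no account with that address" is the same leak in a different place.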
XSS

(Diagrams: XSS stored attack, where the injected script is saved by the application and served to later visitors; XSS reflected attack, where script carried in a crafted request is echoed straight back in the response.)

XSRF

(Diagram: trust is established between the user's browser and the site, for example a logged-in session; the attacker then exploits that trust by making the browser send a request the user did not intend.)

Cross-Site Attack Prevention Methods

 Restrict HTML formatting in form fields, and encode untrusted data before writing it into a page.
 Use input validation.
 Restrict cookie information (HttpOnly, Secure, and SameSite attributes; no sensitive data in cookie values).
 Encrypt data communications.
 Advise users on the Remember Me option: a long-lived session is exactly the established trust that an XSRF attack rides on.

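
The three technical controls from the list above (output encoding against XSS, an anti-forgery token against XSRF, and restricted cookie attributes), as an added example in Python that is not part of the original slides. The comment page, the transfer handler, the in-memory session store and the function names are assumptions made for the example. The token scheme is the synchronizer token pattern: a random per-session value the server issues and later checks, which a page on another origin can neither read nor guess.

```python
import hmac
import html
import secrets

# ---- XSS: encode untrusted data at the point it is written into HTML ----

def render_comment(comment: str) -> str:
    """Stored or reflected, the fix is the same: HTML-encode before output.
    html.escape turns < > & ' " into entities, so the browser shows text,
    not markup, whatever the comment contains."""
    return '<p class="comment">' + html.escape(comment, quote=True) + "</p>"


# ---- XSRF: synchronizer token tied to the server-side session ----

SESSION_TOKENS = {}  # session id -> token; constructed in-memory session store


def issue_csrf_token(session_id: str) -> str:
    """Called when a form is rendered; the token goes into a hidden field."""
    token = secrets.token_urlsafe(32)
    SESSION_TOKENS[session_id] = token
    return token


def verify_csrf(session_id: str, submitted: str) -> bool:
    expected = SESSION_TOKENS.get(session_id)
    return expected is not None and hmac.compare_digest(expected, submitted)


def handle_transfer(session_id: str, form: dict):
    """A state-changing request. A forged request from another site arrives
    with the victim's cookie (the established trust) but cannot carry the
    token, so it is refused before anything changes."""
    if not verify_csrf(session_id, form.get("csrf_token", "")):
        return 403, "CSRF token missing or invalid"
    return 200, f"transferred {form['amount']} to {form['to']}"


# ---- "Restrict cookie information": attributes on the session cookie ----

def session_cookie_header(value: str) -> str:
    """HttpOnly keeps script (and so XSS) away from the cookie, Secure keeps it
    off plain HTTP, SameSite=Strict stops the browser attaching it to
    cross-site requests at all."""
    return f"Set-Cookie: session={value}; HttpOnly; Secure; SameSite=Strict; Path=/"
```

Encoding has to match the context: html.escape is right for text between tags and inside quoted attributes, but a value placed into a URL, a script block or a CSS rule needs that context's own encoding.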
Fuzzing

(Diagram: random or malformed data is sent to the application; the weaknesses it exposes are found and tracked.)

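
The loop on the fuzzing diagram in working form, as an added example in Python that is not part of the original slides. The target is a constructed parser for a made-up record format (one length byte, a body, one checksum byte) with a deliberately missing bounds check; the format, the parser and the function names are assumptions made for the example. The fuzzer mutates a known-good record and separates the parser's own rejections (ValueError, which is correct behaviour) from anything else (a crash worth tracking); the fixed parser is included so the reader can see the fuzzer go quiet once the check is in place.

```python
import random

SEED = b"\x03abc" + bytes([sum(b"abc") % 256])   # one well-formed record


def parse_record(data: bytes) -> bytes:
    """Constructed target: length byte, body, one-byte checksum.
    Deliberate bug: it trusts the length byte, so a truncated record
    indexes past the end of the input."""
    if len(data) < 2:
        raise ValueError("record too short")
    length = data[0]
    body = data[1:1 + length]
    checksum = data[1 + length]            # IndexError on truncated input
    if sum(body) % 256 != checksum:
        raise ValueError("bad checksum")
    return body


def parse_record_fixed(data: bytes) -> bytes:
    """Same parser with the bounds check the fuzzer shows is missing."""
    if len(data) < 2:
        raise ValueError("record too short")
    length = data[0]
    if len(data) < length + 2:
        raise ValueError("truncated record")
    body = data[1:1 + length]
    if sum(body) % 256 != data[1 + length]:
        raise ValueError("bad checksum")
    return body


def mutate(seed: bytes, rng: random.Random) -> bytes:
    """One random mutation of the seed: overwrite, delete or insert a byte."""
    data = bytearray(seed)
    op = rng.randrange(3)
    if op == 0:
        data[rng.randrange(len(data))] = rng.randrange(256)
    elif op == 1 and len(data) > 1:
        del data[rng.randrange(len(data))]
    else:
        data.insert(rng.randrange(len(data) + 1), rng.randrange(256))
    return bytes(data)


def fuzz(target, seed: bytes, iterations: int = 2000, rng_seed: int = 1) -> dict:
    """Send mutated inputs to target. ValueError is the parser rejecting bad
    data as designed; any other exception is a weakness. Returns a map of
    exception name -> the first input that triggered it, for tracking."""
    rng = random.Random(rng_seed)
    findings = {}
    for _ in range(iterations):
        case = mutate(seed, rng)
        try:
            target(case)
        except ValueError:
            continue
        except Exception as exc:       # crash: record the input that caused it
            findings.setdefault(type(exc).__name__, case)
    return findings


if __name__ == "__main__":
    print("buggy parser :", fuzz(parse_record, SEED))
    print("fixed parser :", fuzz(parse_record_fixed, SEED))
```

In C the same missing check is a read past the end of a buffer rather than a Python exception, which is why fuzzing native parsers is normally done under a memory checker such as ASan so the out-of-bounds read is reported instead of silently returning garbage.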
Web Browser Security

 Pop-up blocker
 Parental controls
 Automated updating
 Encryption
 Proxy support
 Web content
 Advanced security

Guidelines for Establishing Web Browser Security

 Harden the host machine.
 Install the latest software.
 Configure security settings.
 Disable scripting where it is not needed.
 Disable auto-complete and password saving.
 Install anti-malware software.

NoSQL Databases

 Organize and group data by non-relational means:
   Key-value stores
   Document stores
   Graph stores
   Column stores
 Used for web applications, agile applications, and big data projects.

Database Security

 Relational databases support:
   Role-based security configuration
   Encryption
   Access control
   Permissions
 NoSQL databases may or may not support the following, so check the product and never expose one to a network with its default settings:
   Authentication
   Authorization
   Data encryption

Guidelines for Managing Application Security

 Establish security configuration baselines.
 Harden applications, especially web browsers.
 Implement patch management for applications.
 Implement input validation.
 Consider implementing a combination of client-side validation and server-side validation.
 Implement error and exception handling for applications developed in-house.
 Protect against XSS and XSRF attacks.
 Protect databases and associated applications.

Hardening

Operating System Security

 Unique vulnerabilities for:
   Different operating systems
   Different vendors
   Client and server systems
 Vendors try to correct; attackers try to exploit.
 Security professionals must stay current.

Operating System Security Settings

 Manage services
 Configure firewall
 Configure Internet security
 Manage automatic updates
 Enable auditing and logging

TCB

(Diagram: the TCB is built up in layers: the hardware at the bottom, the firmware above it, and the trusted OS on top.)

Security Baselines

(Diagram: the system's current configuration is compared against the baseline.)

Software Updates

 Patches:
 Supplemental code
 Hotfixes:
 Address specific security flaws
 Rollups:
 Collection of patches and hotfixes
 Service Packs:
 Comprehensive updates with new features

Application Blacklisting and Whitelisting

 Blacklisting: preventing identified programs from running.
 Whitelisting: allowing only identified programs to run.

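
The "Compare" step from the Security Baselines slide and the whitelisting decision from this slide share one mechanism, a hash of each file, so here is one added example in Python covering both; it is not part of the original slides. The directory layout, the two sample files, the drift scenario and the function names are assumptions made for the example. The baseline is a map of path to SHA-256; comparing a later snapshot against it reports modified, missing and unexpected files, and the same hashes serve as the allowlist that decides whether a program may run.

```python
import hashlib
import os
import tempfile


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> dict:
    """Hash every file under root: the known-good state recorded at baseline time."""
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            baseline[rel] = sha256_file(path)
    return baseline


def compare_to_baseline(root: str, baseline: dict) -> dict:
    """The 'Compare' step: report drift between the current state and the baseline."""
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "unexpected": sorted(p for p in current if p not in baseline),
    }


def execution_allowed(path: str, allowlist: set) -> bool:
    """Whitelisting: a program may run only if its hash is on the list.
    Blacklisting would be the inverse test against a list of known-bad hashes,
    which cannot stop a program nobody has listed yet."""
    return sha256_file(path) in allowlist


def demo():
    """Constructed scenario in a temp directory: take a baseline, then change
    a config file and drop an unlisted program, and see what the checks say."""
    root = tempfile.mkdtemp()

    def write(rel, data):
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)

    write("etc/sshd_config", b"PermitRootLogin no\n")
    write("bin/tool", b"#!/bin/sh\necho ok\n")
    baseline = build_baseline(root)
    allowlist = {baseline["bin/tool"]}

    write("etc/sshd_config", b"PermitRootLogin yes\n")        # configuration drift
    write("bin/dropper", b"#!/bin/sh\necho not approved\n")   # unlisted program

    report = compare_to_baseline(root, baseline)
    decisions = {
        "bin/tool": execution_allowed(os.path.join(root, "bin", "tool"), allowlist),
        "bin/dropper": execution_allowed(os.path.join(root, "bin", "dropper"), allowlist),
    }
    return report, decisions


if __name__ == "__main__":
    print(demo())
```

Hash-based allowlisting has to be re-run every time an approved program is patched, since the new binary has a new hash; publisher-signature or path-based rules trade that maintenance for a larger attack surface.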
Logging

(Diagram: log files are generated from the system and then stored.)

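
Generating and storing logs is only useful if someone reads them, so here is an added example in Python, not part of the original slides, of the kind of review that runs over stored host logs. The log lines are constructed for the example in the style of a Linux sshd auth log (the addresses are documentation ranges, not real hosts), and the function names and the threshold of five failures in five minutes are assumptions. The detection flags a source that fails repeatedly and then succeeds, which is what a password-guessing attack that worked looks like in the log.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the style of a Linux auth log (not real data).
SAMPLE_LOG = """\
Mar  3 10:01:02 web1 sshd[2001]: Failed password for invalid user admin from 203.0.113.5 port 51122 ssh2
Mar  3 10:01:03 web1 sshd[2002]: Failed password for root from 203.0.113.5 port 51123 ssh2
Mar  3 10:01:04 web1 sshd[2003]: Failed password for root from 203.0.113.5 port 51124 ssh2
Mar  3 10:01:05 web1 sshd[2004]: Failed password for root from 203.0.113.5 port 51125 ssh2
Mar  3 10:01:06 web1 sshd[2005]: Failed password for root from 203.0.113.5 port 51126 ssh2
Mar  3 10:01:09 web1 sshd[2006]: Accepted password for root from 203.0.113.5 port 51127 ssh2
Mar  3 10:15:30 web1 sshd[2100]: Failed password for alice from 198.51.100.7 port 40000 ssh2
Mar  3 10:15:45 web1 sshd[2101]: Accepted publickey for alice from 198.51.100.7 port 40001 ssh2
Mar  3 10:16:00 web1 CRON[2200]: pam_unix(cron:session): session opened for user root
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+)"
)


def parse_auth_log(text: str, year: int = 2014) -> list:
    """Turn sshd lines into (timestamp, result, user, ip) tuples; other lines
    are skipped. Syslog timestamps carry no year, so the caller supplies it."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["result"], m["user"], m["ip"]))
    return events


def failures_by_ip(events: list) -> dict:
    """Simple roll-up: failed attempts per source address."""
    counts = defaultdict(int)
    for _, result, _, ip in events:
        if result == "Failed":
            counts[ip] += 1
    return dict(counts)


def detect_brute_force(events: list, threshold: int = 5, window=timedelta(minutes=5)) -> list:
    """Flag a source that fails at least `threshold` times inside `window`
    and then succeeds: a password-guessing attack that worked."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[3]].append(ev)
    findings = []
    for ip, evs in by_ip.items():
        evs.sort()
        failures = [ts for ts, result, _, _ in evs if result == "Failed"]
        for ts, result, user, _ in evs:
            if result != "Accepted":
                continue
            recent = [f for f in failures if ts - window <= f <= ts]
            if len(recent) >= threshold:
                findings.append({"ip": ip, "user": user, "at": ts.isoformat(),
                                 "failures_in_window": len(recent)})
    return findings


if __name__ == "__main__":
    evs = parse_auth_log(SAMPLE_LOG)
    print(failures_by_ip(evs))
    for finding in detect_brute_force(evs):
        print("ALERT", finding)
```

Ship the logs off the host before reviewing them: an attacker who gains root on web1 can edit the local file, but not the copy already on the log server.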
Auditing

(Diagram: review security settings.)

Anti-malware Software

(Diagram: anti-malware scan in progress; infections detected: 3; the infected files are quarantined.)

Types of Anti-malware Software

 Antivirus
 Anti-spam
 Anti-spyware
 Pop-up blockers
 Host-based firewalls

Virtualization Security Techniques

 Establish a patch management system.
 Apply the least privilege concept.
 Establish log requirements.
 Establish secure design for virtual components.
 Take consistent snapshots of virtual environments.
 Ensure that virtual hosts are consistently available and elastic.
 Leverage virtual sandboxes for security testing.

Hardware Security Controls

 Logoff and shutdown procedures
 Wireless device approval
 Properly secured mobile devices
 Cable locks
 Strong password policies

Non-standard Hosts

 Hosts and devices with static environments:
   SCADA
   Embedded-software systems
   Mainframe computers
   Some mobile devices

Security Controls for Non-standard Hosts

 Layered security:
 Network segmentation
 Application firewalls
 Manual updates:
 Android
 iOS
 Firmware version control:
 SCADA systems
 Embedded systems
 Wrappers
 Controlling redundancy and diversity

Strong Passwords

(Diagram: the example password !Pass1234 annotated with the composition rules it satisfies: minimum length, uppercase letters, lowercase letters, numbers, special characters. Satisfying the rules is not the same as being strong: it is a dictionary word with a digit sequence appended, and a wordlist attack with ordinary mangling rules would recover it quickly.)

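
A policy check that applies the composition rules on the slide and then the checks that catch a password like !Pass1234 anyway, as an added example in Python that is not part of the original slides. The short blocklist, the sequence list and the function names are assumptions made for the example; a real deployment checks against a large breached-password list rather than a handful of entries.

```python
import re

# Constructed stand-in for a breached-password list; real deployments check
# against a large list (or a k-anonymity lookup), not a handful of entries.
BLOCKLIST = {"password", "pass1234", "!pass1234", "p@ssw0rd", "123456", "qwerty", "letmein"}

SEQUENCES = ("0123", "1234", "2345", "3456", "4567", "5678", "6789", "abcd", "qwer")


def composition(pw: str, min_length: int = 8) -> dict:
    """The checks drawn on the slide: length plus the four character classes."""
    return {
        "min_length": len(pw) >= min_length,
        "uppercase": re.search(r"[A-Z]", pw) is not None,
        "lowercase": re.search(r"[a-z]", pw) is not None,
        "number": re.search(r"[0-9]", pw) is not None,
        "special": re.search(r"[^A-Za-z0-9]", pw) is not None,
    }


def evaluate_password(pw: str) -> tuple:
    """Returns (accepted, reasons). Composition rules first, then the checks
    that catch values like the slide's !Pass1234, which satisfies every
    composition rule but is a dictionary word plus a digit run."""
    reasons = [name for name, ok in composition(pw).items() if not ok]
    lowered = pw.lower()
    # Strip the digits and symbols people bolt onto the ends of a word so
    # "Password1!" is still recognised as "password".
    core = lowered.strip("!@#$%^&*0123456789")
    if lowered in BLOCKLIST or core in BLOCKLIST:
        reasons.append("on blocklist")
    if any(seq in lowered for seq in SEQUENCES):
        reasons.append("contains a keyboard or digit sequence")
    if re.search(r"(.)\1\1", pw):
        reasons.append("repeated character run")
    return (not reasons), reasons


if __name__ == "__main__":
    for candidate in ("!Pass1234", "Password1!", "Tangerine-Harbour-7-Lantern"):
        print(repr(candidate), evaluate_password(candidate))
```

Length and a blocklist do more for resistance to guessing than the four-class rule, which mostly pushes users toward predictable patterns like a capital first letter and a trailing digit and symbol.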
Guidelines for Establishing Device and Host Security

 Device security:
   Harden the base OS.
   Install firmware updates.
   Follow manufacturers' security recommendations.
   Restrict access and use strong passwords.
   Secure router configuration files.
   Configure inbound and outbound filters.
   Disable IP source routing.
   Use authenticated routing protocols.
   Implement firewalls.
   Configure routers to protect against ARP poisoning.
   Implement NAT.
   Close unused TCP and UDP ports.
   Use perimeter networks.
   Disable IP directed broadcasts on routers and servers.
   Implement physical security controls.
   Harden devices, and then test after hardening.
   Document any changes.

Guidelines for Establishing Device and Host Security (Cont.)

 Host security:
   Implement strong passwords.
   Follow manufacturers' security recommendations.
   Implement anti-malware software.
   Disable unneeded services.
   Restrict access.
   Implement security policies.
   Implement physical security controls.
   Implement backup and restore plans.
   Harden and test systems after hardening.
   Use scanning and auditing tools to identify vulnerabilities.
   Identify non-standard hosts and the measures that can and should be taken to protect them.
   Document any changes.
 Document any changes.

Mobile Device Types

 Smartphones
 Wi-Fi enabled devices

Mobile Device Vulnerabilities

 Viruses
 Spam
 Lost or stolen devices

Mobile Device Security Controls

 Use device management.
 Enable screen lock.
 Require strong passwords.
 Use device encryption if available.
 Require remote wipe/sanitization/lockout.
 Enable GPS tracking if available.
 Enforce access control.
 Enforce application control.
 Track assets and keep inventory.
 Limit removable storage use.
 Implement storage segmentation.
 Disable unused features.

Mobile Application Security Controls

 Encryption and key management
 Credential management
 Authentication and transitive trust
 Restricted geo-tagging
 Application whitelisting

BYOD Controls

 Corporate and acceptable use policies
 On-boarding and off-boarding
 Data/support ownership
 Patch and antivirus management
 Architecture and infrastructure needs
 Forensics
 Privacy
 Control for on-board camera, microphone, and video use

Guidelines for Managing Mobile Security

 Become familiar with major mobile devices and operating systems.
 Implement a centralized management system.
 Enforce on-device security features like screen lock and password requirements.
 Disable unnecessary features.
 Plan for remotely wiping and locking devices.
 Enable device encryption where available.
 Apply access and application control.
 Manage how data is stored and restricted.
 Keep track of devices and keep inventory.
 Consider employees’ BYOD needs.
 Draft rules and regulations that govern BYOD usage.
 On-board and off-board employees properly.
 Consider legal issues associated with BYOD.
 Adjust system architecture and infrastructure as needed.
 Enforce encryption and key management in app development.
 Enforce proper authentication and credential management in app development.
 Restrict communication with third-party apps in app development.

Reflective Questions

1. What experience have you had securing data, applications, or hosts for your organization?

2. Have you ever dealt with mobile security issues for your organization? Are there any security controls that would have prevented these issues?
