Category Archives: application security

What does a network scanner bring to the company?

Guest post from Emmanuel Carabott of GFI Software Ltd.

Whenever someone does research on the best methods to secure a company’s network, they are sure to come across articles recommending network scanners. But what value do network scanners really provide any organization?

Network scanners generally provide two distinct important functionalities – information gathering on the network they’re scanning and information on any security issues found on that network.

Information on the network

Administrators need to keep up with the constant changes made to the network. Some might see change management as unnecessary, but it is an essential part of keeping a network in good shape. There are various reasons why administrators want to know what software and hardware is running on their network, but the main ones are security and the need to make sure that the changes they make will not conflict with the existing infrastructure. When new software is installed, or an existing installation is patched, certain configurations can make a system unusable (blue screens, for example) or unstable. To prevent this, the administrator should keep a test environment that mirrors the production network and try changes there before pushing them to the live servers. If users install new software on their systems without notifying the administrator, the test environment no longer matches the real network, and any pre-deployment tests are inconclusive and not a true reflection of its current state.

Some hardware can pose a security risk to the network. It is imperative that administrators are immediately notified when a new device is connected to the network so that they can determine if there is a real risk to the company. The company’s security policy might specify that the administrator must be notified before any new hardware is connected to the network but that alone does not guarantee employee compliance. A network scanner, however, can periodically monitor the network for changes and notify the administrator as these happen.

Security issues on the network

A network scanner will also look for a number of security issues on the network it is scanning.

These generally include:

  • Vulnerabilities
  • Missing patches
  • Unwanted open ports

New vulnerabilities affecting the network can arise on a daily basis, because configurations change, new exploits are discovered, and new software is installed on the network. For these reasons alone, an administrator needs a network scanner that checks the network for vulnerabilities on a regular schedule.

Next on the list is patch management. Vendors continuously fix security issues in their software and release patches for end users to install. Keeping track of every released patch manually is a daunting task, but a network scanner helps the administrator stay on top of the problem by reporting which patches are missing on which machines, so that the required ones can be applied.

Finally, there are applications that communicate over the internet, such as web servers, which listen on open ports for others to connect to. Every open port is a potential security risk, because attackers will probe the service behind it for exploitable flaws. Ports that are not in use should be closed immediately, and an administrator should be informed as soon as a new port opens on a network machine. That usually happens because an employee has installed a new application, or because of a malware infection. Since the network administrator cannot be everywhere or see everything happening on the network all the time, a network scanner is an essential tool.
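The two monitoring tasks described above, noticing a newly connected device and noticing a newly opened port, both come down to comparing a fresh scan against a baseline. The following is an added example, not code from the guest post or from GFI's products: it parses two inventories written in nmap's grepable (-oG) output format (the sample lines, hosts and addresses are constructed for the illustration) and reports new hosts, new open ports and ports that have since closed.

```python
"""Diff two network-scanner inventories and report what changed.

Added example, not code from the guest post or from GFI's products.  The
inventories are constructed lines in nmap's grepable (-oG) output format;
the hosts, names and addresses are made up for the illustration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample: last week's baseline scan of a small subnet.
BASELINE = (
    "Host: 192.168.1.10 (web01.example.test)\tPorts: 22/open/tcp//ssh///, "
    "443/open/tcp//https///\tIgnored State: closed (998)\n"
    "Host: 192.168.1.20 (file01.example.test)\tPorts: 445/open/tcp//microsoft-ds///"
    "\tIgnored State: closed (999)\n"
)

# Constructed sample: today's scan.  web01 now also listens on 8080, an unknown
# host has appeared with RDP open, and file01 is unchanged.
CURRENT = (
    "# Nmap scan initiated (constructed banner line, skipped by the parser)\n"
    "Host: 192.168.1.10 (web01.example.test)\tStatus: Up\n"
    "Host: 192.168.1.10 (web01.example.test)\tPorts: 22/open/tcp//ssh///, "
    "443/open/tcp//https///, 8080/open/tcp//http-proxy///\tIgnored State: closed (997)\n"
    "Host: 192.168.1.20 (file01.example.test)\tPorts: 445/open/tcp//microsoft-ds///"
    "\tIgnored State: closed (999)\n"
    "Host: 192.168.1.77 ()\tPorts: 3389/open/tcp//ms-wbt-server///"
    "\tIgnored State: closed (999)\n"
)

# One entry in the Ports: field looks like  22/open/tcp//ssh///
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/")


def parse_grepable(text: str) -> dict[str, set[tuple[int, str]]]:
    """Return {address: {(port, protocol), ...}} for every host, open ports only."""
    inventory: dict[str, set[tuple[int, str]]] = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # banner and comment lines
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        addr = fields["Host"].split()[0]
        ports = {
            (int(port), proto)
            for port, state, proto in PORT_RE.findall(fields.get("Ports", ""))
            if state == "open"
        }
        # A host can appear on a Status: line and again on a Ports: line.
        inventory.setdefault(addr, set()).update(ports)
    return inventory


@dataclass
class ScanDiff:
    new_hosts: dict[str, set[tuple[int, str]]] = field(default_factory=dict)
    gone_hosts: set[str] = field(default_factory=set)
    new_ports: dict[str, set[tuple[int, str]]] = field(default_factory=dict)
    closed_ports: dict[str, set[tuple[int, str]]] = field(default_factory=dict)


def diff_scans(baseline, current) -> ScanDiff:
    """Compare two inventories produced by parse_grepable()."""
    d = ScanDiff()
    for addr, ports in current.items():
        if addr not in baseline:
            d.new_hosts[addr] = set(ports)
            continue
        added, removed = ports - baseline[addr], baseline[addr] - ports
        if added:
            d.new_ports[addr] = added
        if removed:
            d.closed_ports[addr] = removed
    d.gone_hosts = set(baseline) - set(current)
    return d


def _fmt(ports) -> str:
    return ", ".join(f"{p}/{proto}" for p, proto in sorted(ports)) or "(none)"


def alerts(d: ScanDiff) -> list[str]:
    """The lines an administrator would want to be notified about, most urgent first."""
    out = [f"NEW HOST {a} open: {_fmt(p)}" for a, p in sorted(d.new_hosts.items())]
    out += [f"NEW PORT on {a}: {_fmt(p)}" for a, p in sorted(d.new_ports.items())]
    out += [f"closed on {a}: {_fmt(p)}" for a, p in sorted(d.closed_ports.items())]
    out += [f"host gone: {a}" for a in sorted(d.gone_hosts)]
    return out


if __name__ == "__main__":
    for line in alerts(diff_scans(parse_grepable(BASELINE), parse_grepable(CURRENT))):
        print(line)
```

Run against real output (nmap -oG baseline.gnmap, then -oG today.gnmap from a scheduled job), the same diff is what a commercial scanner's change notification boils down to; the baseline should be refreshed only after a reported change has been reviewed, otherwise an unauthorised device silently becomes part of the expected state.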

A network scanner is a very useful tool for administrators, making their lives a lot easier. Having a ‘virtual consultant’ is a much better option than having to check each and every machine manually.

Companies that use network scanners will save time and money, while administrators can focus on more important issues that require manual intervention. Why add more work when tasks can be automated using a network scanner?

 

This guest post was provided by Emmanuel Carabott on behalf of GFI Software Ltd. GFI is a leading software developer that provides a single source for network administrators to address their network security, content security and messaging needs. Read more on the importance of using a network scanner.

All product and company names herein may be trademarks of their respective owners.

Taking a Wider View of Application Security


As a software developer, you have a lot to worry about when writing and testing your code. But if you faithfully use secure coding guidelines from the Open Web Application Security Project (OWASP), test your code with security tools, and conduct peer code reviews, then your application will be secure, giving you worry-free sleep at night.

Wrong.

OK, sorry about that. I put that trap there for you, but I didn’t really expect you to step into it. I want to help you expand your thinking about application security.

Read rest of article here (redirects to softwaremag.com)

Logical access controls: subject and service access


Logical access controls are used to control whether and how subjects (usually persons) are able to access objects (usually data). Logical access controls work in a number of different ways, primarily:

  • Subject access. Here, a logical access control uses some means to determine the identity of the subject that is requesting access. Once the subject’s identity is known, the access control decides whether that subject should be allowed to access the object. If access is permitted, the subject proceeds; if it is denied, the subject does not. An example of this type of access control is an application that first authenticates a user by requiring a user ID and password before permitting the user to access the application.
  • Service access. Here, a logical access control is used to control the types of messages that are allowed to pass through a control point. The logical access control is designed to permit or deny messages of specific types (and possibly it will also permit or deny based upon origin and destination) to pass. An example of this type of access control is a firewall or screening router that makes pass/block decisions based upon the type of traffic, origin, and destination.

An analogy of these two types of access is a symphony hall with a parking garage. The parking garage (the “service access”) permits cars, trucks, and motorcycles to enter, but denies oversized vehicles from entering. Upstairs at the symphony box office (the “subject access”), persons are admitted if they possess a photo identification that matches a list of prepaid attendees.
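Both kinds of control can be written down in a few dozen lines. The following is an added illustration, not part of the study-guide excerpt: subject access as authenticate-then-authorize against a per-object ACL, and service access as a first-match rule list over protocol, origin and destination with an implicit deny at the end. The users, passwords, object names, rule set and addresses are all assumed for the example.

```python
"""Subject access and service access, side by side.

Added illustration, not part of the CISA study guide excerpt.  The users,
passwords, objects, rule set and addresses are all assumed for the example.
"""
from __future__ import annotations

import hashlib
import hmac
import ipaddress
from dataclasses import dataclass

# ---- Subject access: establish who is asking, then decide on the object ----

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def _record(password: str, salt: bytes) -> tuple[bytes, bytes]:
    return salt, _hash(password, salt)

# Constructed user store: only salted hashes are kept, never the password.
USERS = {
    "alice": _record("s3cret", b"salt-for-alice"),
    "bob": _record("hunter2", b"salt-for-bob"),
}

# Constructed object ACL: object -> {subject: operations permitted}.
ACL = {
    "payroll.xlsx": {"alice": {"read", "write"}},
    "handbook.pdf": {"alice": {"read"}, "bob": {"read"}},
}

def authenticate(user: str, password: str) -> bool:
    """Identify the subject (step one of subject access)."""
    rec = USERS.get(user)
    if rec is None:
        _hash(password, b"dummy-salt")  # same cost for unknown users
        return False
    salt, stored = rec
    return hmac.compare_digest(_hash(password, salt), stored)

def subject_access(user: str, password: str, obj: str, op: str) -> bool:
    """Authenticate, then authorize against the object's ACL; deny by default."""
    if not authenticate(user, password):
        return False
    return op in ACL.get(obj, {}).get(user, set())

# ---- Service access: decide per message on type, origin and destination ----

@dataclass(frozen=True)
class Rule:
    action: str               # "permit" or "deny"
    proto: str                # "tcp", "udp", "icmp" or "any"
    src: str                  # source network in CIDR form
    dst: str                  # destination network in CIDR form
    dport: int | None = None  # destination port, None = any

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: int | None = None

# Constructed screening-router policy for a DMZ host at 203.0.113.10:
# the first matching rule wins, and anything unmatched is dropped.
RULES = [
    Rule("permit", "tcp", "0.0.0.0/0", "203.0.113.10/32", 443),  # HTTPS from anywhere
    Rule("permit", "tcp", "10.0.0.0/8", "203.0.113.10/32", 22),  # SSH from inside only
    Rule("deny", "any", "0.0.0.0/0", "203.0.113.0/24"),          # nothing else into the DMZ
]

def _matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "any" and rule.proto != pkt.proto:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    return (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(rule.src)
            and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(rule.dst))

def service_access(pkt: Packet, rules: list[Rule] = RULES) -> bool:
    """First-match evaluation with an implicit deny at the end of the list."""
    for rule in rules:
        if _matches(rule, pkt):
            return rule.action == "permit"
    return False
```

The two halves fail in the same direction: a subject that authenticates but has no ACL entry, and a packet that matches no rule, are both refused, which is the default-deny property an auditor looks for in either kind of control.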

Excerpt from CISA Certified Information Systems Auditor All-In-One Study Guide

Converged Network Security for Dummies


The need to protect your mission-critical communications system and business applications should be considered from the very start of your converged network planning. Is your converged voice, video and data network safe from threats, both internal and external? Download this E-Guide for best practices for converged network security.

Read this paper to learn more about:
*  Best practices to secure your enterprise through a multi-layered security model
*  Understanding the myriad of security approaches and technologies used to protect converged voice, video and data networks
*  Extreme improvements for network security

Find out how to overcome the challenge with converged network security:

http://pp.techtargetpromo.com/c.asp?740943&31be8963c628157b&1

My apologies if this sounds like an ad. This is a cut-and-paste from TechTarget for an e-book I wrote last year.

Going public with website vulnerabilities that expose credit card numbers


I am a customer of an international company whose logo is highly recognizable and whose brick-and-mortar services I use frequently. I pay for these services by credit/debit card on their website. I noticed two months ago that the website has a vulnerability that exposes credit card numbers through form field caching, which means that public-access computers could expose credit card numbers (and security codes) to others.

I have contacted the company three times in the past six weeks. Their website makes it impossible to know who their security people are or which continent they work on (this is a company that has a presence in over 100 countries). I have written to the press office three times. None of my communications have been read by a human, as far as I can tell.

I will be giving them another week or two before I go public. I’ve told them so in every way that they make available. After telling them almost two months ago, I logged on today and the vulnerability is still there. It is SO easy to fix – it does not require any changes to their data model, workflow, or processes. All they have to do is add an ‘AUTOCOMPLETE = “off” ‘ to two fields in one form and they’re done.

As a security professional I am duty-bound to inform this organization. I’ve done so many times, and have not heard any response. If they continue to turn a deaf ear, I will go public in April.
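The defect described in this post is simple enough to check for mechanically. The following is an added example, not the author's code and not the unnamed company's form: a small check that parses an HTML form and reports card-data inputs that carry no autocomplete="off". The sample form and the field-name hints used to recognise card data are constructed for the illustration.

```python
"""Report payment-form fields that a browser may offer to autocomplete.

Added example, not the author's code and not the unnamed company's form.
The HTML is constructed to resemble the defect described in the post, and the
field-name hints used to spot card data are an assumption.
"""
from html.parser import HTMLParser

# Constructed sample form: the card number and security code inputs carry no
# autocomplete attribute, so a shared (public-access) browser can store and
# later offer the values typed into them.
SAMPLE_FORM = """
<form method="post" action="/pay">
  <input type="text" name="holder_name" autocomplete="on">
  <input type="text" name="card_number">
  <input type="text" name="expiry_month">
  <input type="password" name="cvv2">
  <input type="hidden" name="order_id" value="12345">
  <input type="submit" value="Pay">
</form>
"""

# Assumed substrings that mark an input as carrying card data.
SENSITIVE_HINTS = ("card", "cvv", "cvc", "csc", "security_code", "securitycode")


class _InputCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.inputs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "input":
            # attrs is a list of (name, value); value is None for bare attributes
            self.inputs.append({k.lower(): (v or "") for k, v in attrs})


def is_sensitive(name: str) -> bool:
    n = name.lower()
    return any(h in n for h in SENSITIVE_HINTS)


def find_cacheable_card_fields(html: str) -> list:
    """Names of card-data inputs without autocomplete="off", in document order."""
    parser = _InputCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.inputs:
        if attrs.get("type", "text").lower() in ("hidden", "submit", "button"):
            continue  # never typed by the user, so nothing for the browser to cache
        name = attrs.get("name", "")
        if is_sensitive(name) and attrs.get("autocomplete", "").lower() != "off":
            findings.append(name)
    return findings


if __name__ == "__main__":
    print(find_cacheable_card_fields(SAMPLE_FORM))  # ['card_number', 'cvv2']
```

The fix is the one the post names: add autocomplete="off" to each reported field (or to the form element) and re-run the check.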

Countermeasures for web application parameter tampering attacks


A parameter tampering attack is an attack on an application in which the attacker manipulates hidden form fields (or other client-supplied parameters, such as query strings and cookies) in an attempt to subvert the application’s logic.

Countermeasures for this attack include:

  • Effective input field filtering. Input should be validated before it is used, and characters that could form part of an injection removed. Which characters matter depends on the software behind the application (its database, its shell, or the browser that renders its output), and accepting only the characters a field legitimately needs is more robust than trying to enumerate the dangerous ones.
  • Application firewall. Traditional packet-filtering network firewalls inspect only source and destination addresses and port numbers, not the contents of packets. Application firewalls examine the payload and can block requests that carry input attack code and other unwanted data.
  • Variable integrity checking. If your application uses hidden fields to carry parameters from page to page, consider adding a field that holds a keyed hash (an HMAC computed with a server-side secret) of the other hidden values. An unkeyed hash, however obscure the algorithm, can be recomputed by anyone who works it out, and encryption is only needed if the values themselves must also be concealed. When each page begins to process its variables, recompute the hash and compare it with the submitted hash field. If they differ, the variables have been tampered with and you can exit gracefully after logging the incident.
  • Application vulnerability scanning. Organizations that develop their own applications for online use should scan those applications for input attack vulnerabilities, in order to identify vulnerabilities prior to their being discovered and exploited by outsiders.

These countermeasures lower the risk of parameter tampering by making the application more robust and/or protected from input attacks.
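The variable integrity check from the list above, carried through. This is an added example, not code from the original post: the hidden values are protected with an HMAC under a server-side secret (a keyed hash rather than a merely obscure one), recomputed and compared in constant time when the form comes back. The field names, the secret and the sample form data are assumptions for the illustration.

```python
"""Integrity-protect hidden form parameters with a keyed hash.

Added example, not code from the original post.  It implements the
"variable integrity checking" countermeasure as an HMAC under a server-side
secret rather than a plain or merely obscure hash; the field names, the
secret and the sample form data are assumptions for the illustration.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets

# Assumed server-side secret.  Load it from configuration or a secrets
# manager in practice; it must never be sent to the client.
SERVER_SECRET = secrets.token_bytes(32)

# The hidden fields whose values the next page relies on.
PROTECTED_FIELDS = ("item_id", "unit_price", "quantity")
SIG_FIELD = "_sig"


def _canonical(fields: dict[str, str], context: str) -> bytes:
    """Unambiguous, length-prefixed serialisation of the protected values.

    Length prefixes stop ("ab", "c") and ("a", "bc") from hashing the same;
    `context` (e.g. the session id) binds the tag so it cannot be replayed
    from another session.  Raises KeyError if a protected field is missing.
    """
    ctx = context.encode("utf-8")
    parts = [b"ctx=%d:" % len(ctx) + ctx]
    for name in PROTECTED_FIELDS:
        value = fields[name].encode("utf-8")
        parts.append(name.encode() + b"=%d:" % len(value) + value)
    return b"|".join(parts)


def sign_hidden_fields(fields: dict[str, str], context: str = "") -> dict[str, str]:
    """Hidden fields to emit in the page, plus their integrity tag."""
    tag = hmac.new(SERVER_SECRET, _canonical(fields, context), hashlib.sha256).hexdigest()
    out = {name: fields[name] for name in PROTECTED_FIELDS}
    out[SIG_FIELD] = tag
    return out


def verify_hidden_fields(submitted: dict[str, str], context: str = "") -> bool:
    """Recompute the tag from what came back and compare in constant time."""
    try:
        expected = hmac.new(SERVER_SECRET, _canonical(submitted, context),
                            hashlib.sha256).hexdigest()
    except KeyError:
        return False  # a protected field was removed altogether
    return hmac.compare_digest(expected, submitted.get(SIG_FIELD, ""))


def price_from_form(submitted: dict[str, str], context: str = "") -> int:
    """What the next page does: refuse to act on tampered parameters."""
    if not verify_hidden_fields(submitted, context):
        raise ValueError("hidden-field integrity check failed")  # log, then abort
    return int(submitted["quantity"]) * int(submitted["unit_price"])


if __name__ == "__main__":
    page = sign_hidden_fields({"item_id": "SKU-42", "unit_price": "1999", "quantity": "2"}, "sess-A")
    print(price_from_form(page, "sess-A"))  # 3998
    try:
        price_from_form(dict(page, unit_price="1"), "sess-A")
    except ValueError as err:
        print("rejected:", err)
```

Binding the tag to the session is what stops a signed set of values being lifted from one session and replayed in another; if the parameters can also expire, add a timestamp to the protected fields and reject tags older than the form's lifetime.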

Countermeasures for input injection attacks.

Countermeasures for web application input attacks


An input attack is an attack on an application in which the attacker supplies crafted input in an attempt to disrupt or subvert the application. Two of the best-known input attacks are buffer overflows and script injection.

Countermeasures for these include:

  • Effective input field filtering. Input should be validated before it is used, and characters that could form part of an injection removed. Which characters matter depends on the software behind the application (its database, its shell, or the browser that renders its output), and accepting only the characters a field legitimately needs is more robust than trying to enumerate the dangerous ones.
  • Application firewall. Traditional packet-filtering network firewalls inspect only source and destination addresses and port numbers, not the contents of packets. Application firewalls examine the payload and can block requests that carry input attack code and other unwanted data.
  • Application vulnerability scanning. Organizations that develop their own applications for online use should scan those applications for input attack vulnerabilities, in order to identify vulnerabilities prior to their being discovered and exploited by outsiders.

These countermeasures lower the risk of input injection by making the application more robust and/or protected from input attacks.
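The "input field filtering" countermeasure appears both in this post and in the parameter tampering post above; the following single added example, not code from either post, serves both and goes a step beyond them. It shows the deny-list character stripping the posts describe being bypassed, then the approaches that hold up: allow-list validation of each field, and context-specific handling where the value reaches an interpreter (parameterised SQL, HTML escaping on output). The database table, field patterns and sample inputs are constructed for the illustration.

```python
"""Input filtering: the deny-list strip the posts describe, and what to do instead.

Added example, not code from either post.  The database table, field
patterns and sample inputs are constructed for the illustration.
"""
from __future__ import annotations

import html
import re
import sqlite3

# --- 1. Deny-list stripping: removes the obvious token, misses the rest -------

def strip_script_tags(value: str) -> str:
    """Delete every literal '<script>' (case-insensitive), once per occurrence."""
    return re.sub(r"<script>", "", value, flags=re.IGNORECASE)

# --- 2. Allow-list validation: accept only what the field may legitimately hold

USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")
QUANTITY_RE = re.compile(r"[0-9]{1,4}")

def validate_username(value: str) -> str:
    if not USERNAME_RE.fullmatch(value):
        raise ValueError("invalid username")
    return value

def validate_quantity(value: str) -> int:
    if not QUANTITY_RE.fullmatch(value):
        raise ValueError("invalid quantity")
    return int(value)

def accepted(validator, value: str) -> bool:
    try:
        validator(value)
        return True
    except ValueError:
        return False

# --- 3. Handle the value for the context it reaches (database, HTML) ----------

def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "alice@example.test"), ("bob", "bob@example.test")])
    return conn

def lookup_email_unsafe(conn, name: str) -> list[str]:
    # String-built SQL: the input is parsed as SQL, not treated as data.
    rows = conn.execute(f"SELECT email FROM users WHERE name = '{name}'")
    return [r[0] for r in rows]

def lookup_email_safe(conn, name: str) -> list[str]:
    # Parameter binding: the input can only ever be a value.
    rows = conn.execute("SELECT email FROM users WHERE name = ?", (name,))
    return [r[0] for r in rows]

def render_comment(text: str) -> str:
    """Escape on output so a stored script renders as text in the browser."""
    return f"<p>{html.escape(text, quote=True)}</p>"

if __name__ == "__main__":
    print(strip_script_tags("<scr<script>ipt>alert(1)</script>"))  # filter defeated
    db = open_db()
    print(lookup_email_unsafe(db, "x' OR '1'='1"))  # both rows leaked
    print(lookup_email_safe(db, "x' OR '1'='1"))    # []
    print(render_comment("<script>alert(1)</script>"))
```

The strip in part 1 is what "remove the dangerous characters" usually turns into in practice, and the nested tag shows why it is not a defence on its own; the allow-list rejects the same payloads without needing to know them, and parts 2 and 3 together are what a scanner of the kind described in the next post is looking for.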

Countermeasures for parameter tampering attacks.

Identify Vulnerabilities with Application Scanning Tools


Now that systems administrators have learned to protect operating systems from attacks, hackers have turned to applications as a new and softer target

Hackers have shifted their strategy in recent years from attacking operating systems to attacking applications. After 10 years of attacks on open ports and unprotected services, system administrators are doing a pretty decent job of “locking down” servers and firewalls so that only essential services are visible. Increasingly, those visible services are also kept patched against the attacks that are known. Operating systems are no longer the “soft targets” they used to be. Unable to penetrate servers through holes in exposed services, hackers have turned to attacking the applications running on those servers.

This article discusses common vulnerabilities present in Web applications, and two leading scanning tools, AppScan from Watchfire and WebInspect from SPI Dynamics, that can effectively identify these vulnerabilities.

Link to entire article here:

http://softwaremag.com/L.cfm?Doc=1058-5/2007