Expert answer: Software Security

Critical Thinking: Software Security

Assignment Details: In an essay, review the following statements based on the readings from this week’s module (attached): Once your operating system is secure, you can focus on securing the software that runs in the operating system. Evaluate some of the most popular Microsoft applications and analyze how to make one more secure to protect your organization’s data. Describe at least three (3) techniques used to secure an application. Provide information from your readings to support your statements.

Deliverables: Your well-written essay should be two or three pages in length, incorporating at least two academic resources from the Library in addition to the assigned readings. Cite all sources using academic writing standards and APA style guidelines, citing references as appropriate.
solomon_2014_ch12.pdf


CHAPTER 12
Microsoft Application Security
Once your operating system is secure, you can focus on securing the
software that runs in the operating system. Operating system software
is different from application software. Regardless of how secure your
operating system is, one vulnerable application can put your organization’s data
at risk. This chapter will teach you about the most popular Microsoft applications.
You will also find out how to make each one more secure to protect your
organization’s data.
Chapter 12 Topics
This chapter covers the following topics and concepts:
• What the principles of Microsoft application security are
• How to secure key Microsoft client applications
• How to secure key Microsoft server applications
• What you can learn from case studies in Microsoft application security
• What best practices for securing Microsoft Windows applications are
Chapter 12 Goals
When you complete this chapter, you will be able to:
• Describe the principles of Microsoft application security
• Secure Microsoft client applications
• Secure Microsoft server applications
• Apply lessons learned from application security case studies
PART 3 | Microsoft Windows OS and Application Security Trends and Directions
Principles of Microsoft Application Security
Application security covers all activities related to securing application software
throughout its lifetime. Application software is any computer software that allows
users to perform specific tasks. Examples of these tasks are sending and receiving
e-mail, browsing the Web, creating a document or spreadsheet, or entering orders for
materials. Ensuring application software security includes ensuring security during
design, development, testing, deployment, maintenance, and retirement. All too often,
organizations view application security as a deployment issue. Security must begin
earlier in the design and development process. In this chapter, you’ll study how to
harden software after it has been completed or acquired by your organization.
A secure application is one that protects each of the three C-I-A properties of
data security at all times. The three C-I-A properties are confidentiality, integrity, and
availability. Check that your software, whether developed in-house or licensed, makes
the data it manages available to authorized users on demand while denying access to
unauthorized users. This chapter applies to any application software running on a server
or client computer. Your applications provide access to data. They must also make certain
that only authorized users can view or modify data based on your organization’s specific
security restrictions. In short, application security is all about ensuring that your applications add at least one more layer of controls between users and your data.
Common Application Software Attacks
Understanding the basic principles of securing applications starts with understanding
how attackers damage applications. Hackers have many ways to harm applications.
Several approaches are more common and deserve the most attention. The more
common types of attacks include:
• Malformed input—This is one of the most common types of attack. Computer
criminals provide input to an application that is designed to cause results the
developers did not intend. They use malformed input to crash programs, disclose
or modify data, or hijack connections.
• Privilege escalation—Privilege escalation adds more authority to the current
session than the process should possess. There are several methods to escalate
privileges, and all compromise the access control lists (ACLs) you have in place
to limit data and resource access.
• DoS—Denial of service attacks focus on either making the application or network
slow enough that it can’t respond to user requests in a timely manner or crashing
the application. Either way, users can’t get to the data they need.
• Identity spoofing—This means assuming the identity of another user. Spoofing
means masquerading as another person or process. In most cases, the other user
is one who possesses more privileges, and this greater access allows an attacker
to get into more data and resources. In some cases, hackers use identity spoofing
just to hide their own identities—not to escalate privileges.
• Extra-application data access—This means accessing your application’s data outside
the application. This could be from the operating system or from another program,
or by just taking or copying backup media.
• Direct file or resource access—This refers to exploiting holes in access controls
that allow a user to directly access files or other resources. If your application allows
direct object access, users may be able to bypass normal access controls.
Each of these attacks is preventable. Some of the controls that stop an attack, such as
the controls against malformed input, depend on the application’s design and have to be
part of the application itself. Other controls you put into operation outside your
application; the controls against extra-application data access are an example. Just as
operating systems need to be hardened to be as secure as possible, follow steps to harden
each application you run on any computer.
Many options are available to harden applications. One resource is the Open Web Application
Security Project (OWASP). OWASP is a not-for-profit organization that focuses on improving
application security. OWASP offers many valuable resources related to application security.
You can find many informational videos and the latest Top 10 Web Application Security Risks
list. Although primarily focused on Web applications, information on this site applies to all
application security topics. The OWASP Web page is located at http://www.owasp.org.
Hardening Applications
Hardening applications generally follows several steps. The specific actions differ from
application to application, but the overall strategy remains the same. Here are the
general steps to hardening applications:
• Install the application using only the options and features you plan to use.
• After installing the application, remove any default user accounts and sample data,
along with any unneeded files and features.
• Configure the application according to the principle of least privilege.
• Ensure your application has all of the latest available security patches applied.
• Monitor application performance to verify that your application adheres
to security policy.
Keep these general guidelines in mind and follow the recommendations for each type of
application software. You’ll end up with a far more secure environment than when
you started.
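The chapter says that controls against malformed input and direct object access belong in the application’s own design, while access control lists limit what each user may reach. The following Python example is added here to show those three controls working together in one request handler; it is not code from the chapter or from any Microsoft product. The document root `/srv/docs`, the `DOCUMENT_ACL` table and the user names are constructed for the demonstration. The flawed `vulnerable_document_path` is kept beside the hardened version so the difference is visible.

```python
import re
from pathlib import Path


class MalformedInput(ValueError):
    """The request did not match the allow-list for document names."""


class PathEscape(PermissionError):
    """The resolved path left the document root (direct resource access)."""


class NotAuthorized(PermissionError):
    """The caller is not on the document's access control list."""


# Constructed sample ACL (an assumption for this example, not from the chapter):
# document name -> users allowed to read it. A real application loads this from its store.
DOCUMENT_ACL = {
    "q3-forecast.xlsx": {"alice", "bob"},
    "payroll.docx": {"alice"},
}

# Allow-list for document names: letters, digits, dash and underscore only, no path
# separators, and only the extensions this hypothetical service is meant to serve.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_\-]+\.(docx|xlsx|pptx|pdf)$")


def vulnerable_document_path(base_dir, requested):
    """The flawed version: the user-supplied name is joined to the root as-is, so a
    value such as '../../etc/passwd' points at a file outside the document root."""
    return Path(base_dir) / requested


def safe_document_path(base_dir, requested):
    """Reject malformed names first, then confirm the resolved path stays inside base_dir."""
    if not SAFE_NAME.fullmatch(requested):
        raise MalformedInput(f"rejected document name {requested!r}")
    base = Path(base_dir).resolve()
    candidate = (base / requested).resolve()
    # resolve() collapses '..' and follows symlinks, so this containment check also
    # catches a planted symlink even though the allow-list keeps separators out.
    if base not in candidate.parents:
        raise PathEscape(f"{requested!r} resolves outside the document root")
    return candidate


def open_document(base_dir, user, requested):
    """Checks in order: input validation, containment, then the application's own ACL."""
    path = safe_document_path(base_dir, requested)
    if user not in DOCUMENT_ACL.get(path.name, set()):
        raise NotAuthorized(f"user {user!r} may not read {path.name}")
    return path


def classify_request(base_dir, user, requested):
    """Outcome as a label for logging: 'ok', 'malformed', 'escape' or 'unauthorized'."""
    try:
        open_document(base_dir, user, requested)
    except MalformedInput:
        return "malformed"
    except PathEscape:
        return "escape"
    except NotAuthorized:
        return "unauthorized"
    return "ok"


if __name__ == "__main__":
    root = "/srv/docs"  # hypothetical document root
    for user, name in [("alice", "payroll.docx"), ("bob", "payroll.docx"),
                       ("bob", "../../etc/passwd"), ("bob", "q3-forecast.xlsx")]:
        print(f"{user:6} {name:20} -> {classify_request(root, user, name)}")
    print("vulnerable version would open:",
          vulnerable_document_path(root, "../../etc/passwd").resolve())
```

The order of the checks matters: the cheap allow-list rejects most malformed input before any file system work, the containment check is defense in depth against what the allow-list cannot see (symlinks), and the ACL is consulted only for a name that is known to be well-formed and inside the root.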
Securing Key Microsoft Client Applications
Many applications tend to run as either client or server components. Clients generally
initiate connections and request services from servers. Servers generally listen for
incoming connection and service requests. Your approach to securing each type of
application software will be different. Client applications are often targets because many
workstations, laptops, and mobile devices are not aggressively hardened. With so many
personal computers that are insecure and contain client applications, common applications are attractive to attackers who want to compromise an organization’s data. If an
attacker can compromise a client application that an organization uses to access a server
application, that hacker is one step closer to your data. In this section, you’ll learn about
how to secure, or harden, several of the most popular Microsoft client applications.
Web Browser
Arguably, the most popular and frequently used client application is the Web browser.
A Web browser allows a user to access content from Web servers across a network.
In most cases, users access resources and applications using the Internet. Web browsers
are attractive targets because they are the primary client of Web applications. A compromised Web browser can make it easy for an attacker to access stored server connections
by means of stored credentials. Hackers can even compromise your organization’s data
without attacking the Web browser directly, by intercepting the information your
Web browser sends to the Web server.
Web browsers are attractive targets for several types of attacks, including:
• Infect with malware—Several default Web browser settings allow Web browsers
to run helper programs, such as ActiveX controls or Java applets, to enhance the
user experience. Although many helper programs are useful, attackers can provide
substitute programs that are actually malware.
• Intercept communication—Authorized users can access sensitive organizational
data, often using a Web browser. Any device or computer that sits between the client
and the server sees all traffic passing back and forth between the two. An attacker
who places a proxy server between a Web browser and a Web server can see and
collect all of the traffic, including sensitive data that is intended only for the authorized user. This type of attack is often called a man-in-the-middle attack.
• Harvest stored data—Some versions of Web browsers have vulnerabilities that allow
Web pages to collect information stored on the client computer. This information
includes usernames, passwords, account numbers, and local copies of sensitive
data. This stored information can appear in cookies, application files, and settings.
Criminals can look for this type of information and tell your Web browser to send
it to any location.
These are just a few of the many types of Web browser attacks. You can, however,
harden each Web browser to resist attacks. Some of the hardening suggestions may
reduce the Web browser’s flexibility and functionality, but it will be more secure.
Change settings in any Web browser by opening the settings or options page. Most
of the following suggestions apply to all Web browsers, but the actions in the following
table are specifically oriented toward Internet Explorer. Table 12-1 lists steps to secure
a Web browser.
Table 12-1 Securing a Web browser.
Action: Set the security level of the Internet zone to High from the Security tab.
Description: Setting the security zone to High in Internet Explorer (IE) automatically enables many features that block most known vulnerabilities. Setting the security zone to High will also likely reduce the Web browser’s functionality.
Action: Add specific sites you trust as Trusted Sites from the Security tab.
Description: When you are visiting sites defined as trusted, Internet Explorer relaxes the restrictions placed on general Internet sites. This setting allows ActiveX and Java application components to run.
Action: Change the cookie settings from the Privacy tab. On the Advanced dialog box, select to prompt for first-party and third-party cookies.
Description: This setting will alert you any time a Web site attempts to access any cookies. This requires user interaction each time a Web site wants to access a cookie. It gives you the chance to deny cookie access. You can also add any sites from which you want to accept all cookies to the list of allowed sites. You won’t be prompted for cookie access from the listed sites. You can also select the Delete Browsing History on Exit check box on the General tab to have IE delete all cookies and other browsing history each time you exit IE.
Action: Uncheck Enable Third-Party Browser Extensions from the Advanced tab.
Description: This setting limits the potential of browser helpers from disclosing private data.
Action: Check Always Show Encoded Addresses from the Advanced tab.
Description: This setting makes it harder to spoof Internet addresses.
Action: Uncheck Play Sounds in Web Pages from the Advanced tab.
Description: This setting prevents an attacker from infecting your computer using a sound file.
Figure 12-1 shows the Internet Options dialog box for Internet Explorer.
Access the Internet Options dialog box by using either of these procedures:
1. Inside Internet Explorer, select Tools > Internet Options.
2. From Windows, launch Control Panel, and then select Network and Internet >
Internet Options.
Figure 12-1 Internet Options dialog box in Internet Explorer 8.
Many more settings are available, but the settings in Table 12-1 will harden your
Web browser and will limit the damage an attacker can do using your Web browser.
E-mail Client
E-mail clients are another popular type of client software. Most of today’s e-mail clients
connect to a mail server and either display or download e-mail messages. One of the
most popular e-mail clients is Microsoft Office Outlook. As with Web browsers, there are
other popular e-mail clients.
Generally, the key to hardening e-mail clients is to limit any malicious code that
may be attached to e-mail messages. Next, take steps to ensure e-mail message privacy.
The first step requires additional software. You should already have anti-malware software
installed on each computer. Select anti-malware software that integrates with your e-mail
client. Many current anti-malware software packages work with e-mail clients to scan all
incoming and outgoing messages for malware. It is important to scan incoming messages
to detect any malware before it infects your computer. It is also important to scan
outgoing messages to ensure your computer is not sending malware to other destinations.
The enterprise solution from Microsoft is Microsoft Forefront. This product fully integrates
with existing Microsoft application software.
Some attacks on your computer are intended to turn your computer into a zombie.
A zombie may also be called a bot. It is a computer that follows the instructions sent from
another computer. Attackers often use zombies to send spam or malware to all the e-mail
addresses in a zombie’s address book. Outbound malware scanning will catch many of
these attacks.
The second step to securing an e-mail client is to safeguard message privacy. Require
the use of Secure Sockets Layer/Transport Layer Security (SSL/TLS) when connecting
to your mail server to make certain that all message exchanges are encrypted. This
option will work only if your mail server supports it and is properly configured to handle
encrypted connections. The main drawback is that once your message reaches your mail
server, the message is decrypted and sent on its way. Alternatively, you can encrypt each
message to guarantee your message stays encrypted all the way from your e-mail client
to the recipient’s e-mail client.
Unfortunately, there is no automatic method to encrypt e-mail messages for generic
recipients. Microsoft Office Outlook includes Secure/Multipurpose Internet Mail
Extensions (S/MIME) encryption as long as the recipient has your public key. Several
add-on products work with most e-mail clients to encrypt messages as well. For example,
OpenPGP, GPG, and S/MIME are all examples of e-mail message encryption methods.
Before using any of the methods or software, confirm that the recipient of your e-mail
message uses the same method. Additionally, his or her e-mail client must be capable
of receiving and decrypting the message. Since you have to take special steps for each
recipient to whom you send e-mail, encrypting e-mail messages is not used extensively
for sending messages to large groups of people. It does work very well in situations where
you know you’ll be sending several private messages to the same person or persons.
Most general hardening recommendations are appropriate for other e-mail clients.
The following specific recommendations apply directly to Microsoft Office Outlook 2007
and newer versions. Table 12-2 lists steps to make your e-mail client more secure.
Table 12-2 Securing an e-mail client.
Action: Install anti-malware software that integrates with your e-mail client.
Description: Integrated anti-malware software should scan each incoming and outgoing message. Have a plan to keep all anti-malware software and data up to date.
Action: Enable the junk filter function.
Description: Configure your e-mail client to filter suspicious messages and put them in a junk messages folder. Keep them separate from your regular messages.
Action: If your mail server supports secure connections, force your e-mail client to use only secure connections when retrieving or sending e-mail.
Description: Although this setting will encrypt all e-mail messages between your e-mail client and the mail server, messages that travel beyond your mail server will be transmitted in the clear.
Action: Do not preview messages.
Description: Many attackers embed malicious code in images or other e-mail content. Train users to never open an e-mail message from an unknown source. Since many types of malware send e-mail messages using the sender’s address book, users shouldn’t open any attachment they aren’t expecting.
Action: Change the default mail format to plaintext.
Description: Plaintext does not contain embedded commands that could result in malware infections. HTML messages are much more visually appealing but more dangerous as well.
Action: Use an Encrypting File System (EFS) or BitLocker to encrypt the folder or drive that contains your e-mail data files and attachments.
Description: Keeping your e-mail messages and attachment folders encrypted makes it harder for attackers to access the contents of your e-mail messages without encountering operating system access controls.
Action: If you need to exchange private e-mail messages with a number of recipients, either use Microsoft’s e-mail encryption or acquire additional software to use another solution.
Description: Ensure both sides of the e-mail exchange use the same encryption method. Also, each recipient must have the sender’s public key. In most cases, this is accomplished by first sending a digitally signed message to the recipient. The recipient receives the message and adds the public key to the address book. The recipient can now receive and decrypt encrypted messages from the sender.
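The text above makes two points about the client-to-server leg: require SSL/TLS so the exchange with the mail server is encrypted, and remember that this works only if the server supports it. The Python example below is added here to show what "force the client to use only secure connections" means in code; it is not from the chapter or from Outlook. It builds a strict TLS context, refuses to continue when the server does not advertise STARTTLS instead of silently falling back to plaintext, and uses a constructed `FakeSmtp` stand-in so the check can run without a network. The `send_securely` helper and its host and port are hypothetical. As the chapter notes, this protects the message only as far as the mail server, which decrypts it before relaying; end-to-end protection still needs S/MIME or OpenPGP.

```python
import smtplib
import ssl


class InsecureMailServer(RuntimeError):
    """The server cannot give us an encrypted session, so we refuse to send."""


def build_mail_tls_context():
    """Strict client-side context: verify the server certificate against the system
    trust store, check the hostname, and refuse protocol versions below TLS 1.2."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def minimum_tls_version_name(ctx):
    """Name of the lowest protocol version the context will negotiate, e.g. 'TLSv1_2'."""
    return ctx.minimum_version.name


def secure_session(conn, context=None):
    """Upgrade an open SMTP connection to TLS, or abort.

    conn is an smtplib.SMTP instance (or anything exposing ehlo/has_extn/starttls).
    Continuing in plaintext when STARTTLS is absent is the silent downgrade this refuses."""
    context = context or build_mail_tls_context()
    conn.ehlo()
    if not conn.has_extn("starttls"):
        raise InsecureMailServer("server did not advertise STARTTLS; not sending in the clear")
    conn.starttls(context=context)   # raises ssl.SSLError if the certificate does not verify
    conn.ehlo()                      # RFC 3207: repeat EHLO after the TLS handshake
    return True


def send_securely(host, port, sender, recipient, message, context=None):
    """Deliver one message to the organization's mail server over TLS only.
    Hypothetical host and port; this function is not exercised offline."""
    with smtplib.SMTP(host, port) as conn:
        secure_session(conn, context)
        conn.sendmail(sender, [recipient], message)


class FakeSmtp:
    """Constructed stand-in for smtplib.SMTP so the check can run without a network."""

    def __init__(self, advertises_starttls):
        self.features = {"starttls"} if advertises_starttls else set()
        self.upgraded = False

    def ehlo(self):
        return (250, b"ok")

    def has_extn(self, name):
        return name.lower() in self.features

    def starttls(self, context=None):
        # A real server would now run the handshake using this context's settings.
        self.upgraded = context is not None and context.check_hostname
        return (220, b"ready")


def session_is_encrypted(advertises_starttls):
    """True when the upgrade happened, False when the client refused to continue."""
    fake = FakeSmtp(advertises_starttls)
    try:
        secure_session(fake)
    except InsecureMailServer:
        return False
    return fake.upgraded


if __name__ == "__main__":
    print("server with STARTTLS    ->", "encrypted" if session_is_encrypted(True) else "refused")
    print("server without STARTTLS ->", "encrypted" if session_is_encrypted(False) else "refused")
```

With a real server you would call `send_securely("mail.example.com", 587, ...)`; the point of the design is that a server that lacks STARTTLS, or presents a certificate that does not verify, produces an error rather than an unencrypted delivery.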
Productivity Software
Most workstation computers and even mobile devices have some type of productivity
software installed. Productivity software is any software enabling users to accomplish
general work more efficiently. Productivity software may be installed as several separate
programs or as a collection, or suite, of software. Common productivity software
programs include the following, along with Microsoft’s product for each solution:
• Word processing—Microsoft Word
• Spreadsheet—Microsoft Excel
• Lightweight database—Microsoft Access
• Presentation—Microsoft PowerPoint
• Project scheduling/management—Microsoft Project
• Publishing—Microsoft Publisher
Productivity software packages are also targets for attackers, especially the more popular
programs. The main goals for compromising productivity software are malware infection
and private data disclosure. Many types of malware infect computers when users open
infected files. Infected documents, spreadsheets, presentations, and databases can exploit
vulnerabilities in your productivity software and launch malware that infects your
computer. Many successful attacks still introduce malware to computers using productivity software document types that appear to be harmless.
Table 12-3 Securing productivity software.
Action: Install anti-malware software that integrates with your productivity software.
Description: Integrated anti-malware software should scan each file before opening it. Make sure you have a plan to keep all anti-malware software and data up to date.
Action: Us …