Download
csci 530 lab n.
Skip this Video
Loading SlideShow in 5 Seconds..
CSCI 530 Lab PowerPoint Presentation
Download Presentation
CSCI 530 Lab

CSCI 530 Lab

249 Vues Download Presentation
Télécharger la présentation

CSCI 530 Lab

- - - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript

  1. CSCI 530 Lab Software Security

  2. Software Security • In a sense, everything in security can fall under the category of software security • Hardware needs software to do useful things • Firewalls, IDS, etc. are all software or comprise of both hardware and software • For our purposes, we are talking about securing an application that provides a service for users • Normally web applications, but not limited

  3. Operating Systems and Security • Two considerations • Internal Security • Protecting the system from running programs • Examples • Accidentally modifying the ntuser.dat file using Microsoft Word • SubSeven trojan horse making system wide modifications • External • Protecting the system from an external user or program through the use of ports • Examples: • Denial-of-Service Attacks • Port Scanners

  4. Ports and Services • Ports are windows into the system • A program opens a port so that there can be communication between that program and another system • Example: Web Browsers • Runs on port 80 • Allow communication between your system and a web server • What ports are open and what opens them? • Last lab we ran nmap, which is a port scanner, and you were able to see a report as to which ports were open and what programs ran on those ports • This is important because a hacker will try to break into your system through an open port

  5. Modern day hacking techniques • We must understand how hackers think so we can attempt to predict their actions and take the appropriate precautions and countermeasures • Old school: break the operating system • Popular with Windows 95/98, earlier versions of 2000, old versions of linux • Operating systems were not built with security in mind • New school: break the application • Modern operating systems have security as a high priority • Easier to break a program running on a port than it is to break the O.S. • Example: breaking into apache using a cross-site script • Takes advantage of sloppy programming

  6. How do we prevent modern hackers • Keep your systems up-to-date • Service Packs, patches, etc. • Do not run unnecessary programs • They could open ports without you knowing • Regularly try to break into your systems • Using a technique called penetration testing • To be covered in the next lab

  7. How do we protect our software • Be better programmers  • Write your software with a security based mindset • Always validate input in multiple ways • Remove unnecessary code • Clean up your code for easy testing • Test, test, test!!! • Test all possible input ranges • Sloppy programming makes hacking systems easier

  8. This week’s lab • We are going to set up a webserver, running a bank software • The software has some glaring holes, and you are going to practice exploiting these vulnerabilities • This lab is designed for you to understand the necessity to be better programmers