THE BASICS OF INFORMATION SECURITY
Understanding the Fundamentals of InfoSec in Theory and Practice
Jason Andress
Contents

ABOUT THE AUTHOR ix
ABOUT THE TECHNICAL EDITOR xi
FOREWORD xiii
INTRODUCTION xv
CHAPTER 1 What Is Information Security? 1
CHAPTER 2 Identification and Authentication 17
CHAPTER 3 Authorization and Access Control 33
CHAPTER 4 Auditing and Accountability 51
CHAPTER 5 Cryptography 63
CHAPTER 6 Operations Security 81
CHAPTER 7 Physical Security 97
CHAPTER 8 Network Security 115
CHAPTER 9 Operating System Security 131
CHAPTER 10 Application Security 147
INDEX 167
About the Author

Jason Andress (ISSAP, CISSP, GPEN, CEH) is a seasoned security professional with a depth of experience in both the academic and business worlds. He is presently employed by a major software company, providing global information security oversight, and performing penetration testing, risk assessment, and compliance functions to ensure that the company’s assets are protected. Jason has taught undergraduate and graduate security courses since 2005 and holds a doctorate in computer science, researching in the area of data protection. He has authored several publications and books, writing on topics including data security, network security, penetration testing, and digital forensics.
About the Technical Editor

Russ Rogers (CISSP, CISM, IAM, IEM, HonScD), author of the popular Hacking a Terror Network (Syngress, ISBN 1-928994-98-9); coauthor of multiple other books including the best-selling Stealing the Network: How to Own a Continent (Syngress, ISBN 1-931836-05-1), Network Security Evaluation Using the NSA IEM (Syngress, 1-597490-35-0), and former editor-in-chief of The Security Journal; is currently a penetration tester for a federal agency and the cofounder and chief executive officer of Peak Security, Inc., a veteran-owned small business based in Colorado Springs, CO. He has been involved in information technology since 1980 and has spent the last 20 years working professionally as both an IT and INFOSEC consultant. He has worked with the United States Air Force (USAF), National Security Agency (NSA), Defense Information Systems Agency (DISA), and other federal agencies. He is a globally renowned security expert, speaker, and author who has presented at conferences around the world including Amsterdam, Tokyo, Singapore, Sao Paulo, Abu Dhabi, and cities all over the United States.

Russ has an honorary doctorate of science in information technology from the University of Advancing Technology, a master’s degree in computer systems management from the University of Maryland, a bachelor of science in computer information systems from the University of Maryland, and an associate degree in applied communications technology from the Community College of the Air Force. He is currently pursuing a bachelor of science in electrical engineering from the University of Colorado at Colorado Springs. He is a member of ISSA and ISC2 (CISSP). He also teaches at and fills the role of professor of network security for the University of Advancing Technology (http://www.uat.edu).

Russ would like to thank his children, his father, and Tracie for being so supportive over the years. Thanks and shout-outs go out to Chris Hurley, Mark Carey, Rob Bathurst, Pushpin, Paul Criscuolo, Ping Look, Greg Miles, Ryan Clarke, Luke McOmie, Curtis Letson, and Eddie Mize.
Foreword

Boring, boring, boring. Isn’t this what immediately comes to mind when one sees books on foundational concepts of information security? Monotonous coverage of theory, dry details of history, brief yet inadequate coverage of every topic known to man, even though you know that you’ll never be hired by the NSA as a cryptographer. All you really want is a book that makes you fall asleep every 30 minutes instead of every five. It’s all the “necessary evil” that must be endured, right? Not this time, my budding security professional.

So let’s be honest. You actually do have a strong interest in making security a career and not just a hobby. Why else would you have this book in your hand? But like many of you, I didn’t know (and sometimes still wonder to this day) what I wanted to be when I grew up. So why this book? What’s so great about another extensive volume on information security? How does it help me not only to learn the basics but also to push my career aspirations in the right direction?

When my son was 4, I took him to the park down the road from our house. There were kids playing baseball, others chasing their friends through the plastic and metal jungle, and even a few climbing the fake rock-climbing wall. Then he saw the boys at the skateboard park. He had a board of his own but never knew someone could do that! Of course, he wanted to try it immediately. As a responsible Dad, I couldn’t let him launch himself off the top of a 6-foot ramp only to end up unconscious waiting to be run over by the next prepubescent wannabe Tony Hawk. But what I could do is require him to show me that he could do something basic like stand on the board and ride it all the way down the driveway at home. As a reward, he could go to the skate park. Once there, he didn’t feel quite as comfortable as when on the driveway, so he rode down the ramp while sitting. Eventually, he dictated his own path; he set his own goals; he controlled the time it took to get where he wanted to be.

His path was different from many others at the park that day. But imagine if we never went to the park. How about if he only saw a baseball being tossed and no home runs? What if he didn’t even get to see the skate park, much less the kids airing the gap? Knowing what is possible can drastically change one’s destiny. And so it is with a profession in security.

Simply wanting a career in information security is not specific enough to convey all the possible job descriptions in an industry that now touches every other. What Dr. Andress has done, in addition to giving a solid foundation, is make your neurons spark. It’s those sparks that have the “intended” consequence of giving career advice. How does he do this? Instead of just sticking to the tried and true classroom tactics of presenting the information and requiring rote memorization, he cleverly intermixes hacking, forensics, and
many other sexy topics (that, again being completely honest, got most of us hot about getting into security in the first place), and shows us where it all fits in the grand scheme of the entire information security landscape. So instead of just covering the required topics, he avoids the boredom by giving glimpses of what the future could be for the reader such as in

■ Chapter 3, Authorization and Access Control, where he discusses the confused deputy problem with real-world examples of CSRF and clickjacking.
■ Chapter 4, Auditing and Accountability, with the coverage of vulnerability assessments and penetration testing and the difference between the two, an important concept not seen in many introductory security tomes.
■ Chapter 5, Cryptography, with the suggestion of trying a DIY project by building your own Enigma machine to crack Germany’s secret codes during World War II.
■ Chapter 8, Network Security, and Chapter 9, Operating System Security, where the reader doesn’t just read about the concepts but is shown actual screenshots of hacking tools such as Wireshark, Kismet, Nmap, and Metasploit to get the job done.

I wasn’t sure why Jason asked me, the editor-in-chief of an online hacking magazine, to write the foreword to a security book that clearly is introductory in nature. Then, as I read the book and eventually shared the examples above, it became clear that Jason not only had a sincere desire to share his knowledge of information security, but he also wanted to impart the mindset of a hacker.

In a word, a hacker is a tinkerer. A hacker is someone who just can’t help himself from exploring and getting more out of the object of his attention, whether that be a car, a toaster, a computer, or a network. If you can grasp half of the mindset that Jason shows in this book, you’ll be well on your way.

Inspiring, inspiring, inspiring. Each step along the way, Jason brilliantly peppers the foundational topics with gems of real-world applications. In doing so, he not only inspires the reader but also slyly helps you determine the path of your InfoSec career. Certain tidbits will grab your eye. Many examples will make you jot down a quick note to explore the topic further. There will even be times when you feel like you can’t help but put the book down and research the hell out of what you just read. If Jason makes you do that at any point in this book, please take a moment to really process what it is that made your blood flow. It’s a sure sign that this is a topic for which a career could be imminent. Don’t take that lightly. I know if you were in a classroom with him, he wouldn’t let you. So what are you waiting for? Dive into this book, get the foundation you need, find the hacker mindset in yourself and discover where your passion lies.

Good luck!

Donald C. Donzal, CISSP, MCSE, Security SME
Editor-in-Chief
The Ethical Hacker Network
Introduction

Book overview and key learning points

The Basics of Information Security will provide the reader with a basic knowledge of information security in both theoretical and practical aspects. We will first cover the basic knowledge needed to understand the key concepts of information security, discussing many of the concepts that underpin the security world. We will then dive into practical applications of these ideas in the areas of operations, physical, network, operating system, and application security.

Book audience

This book will provide a valuable resource to beginning security professionals, as well as to network and systems administrators. The information provided in this book can be used to develop a better understanding of how we protect our information assets and defend against attacks, as well as how to apply these concepts practically. Those in management positions will find this information useful as well, from the standpoint of developing better overall security practices for their organizations. The concepts discussed in this book can be used to drive security projects and policies, in order to mitigate some of the issues discussed.

How this book is organized

This book is designed to take the reader through a logical progression for a foundational understanding of information security and is best read in the order of the chapters from front to back. In the areas where we refer to information located in other chapters in the book, we have endeavored to point out where the information can be found. The following descriptions will provide an overview of the contents of each chapter:

Chapter 1: What Is Information Security?

In this chapter, we cover some of the most basic concepts of information security. Information security is vital in the era in which data regarding countless individuals and organizations is stored in a variety of computer systems, often not under our direct control. We talk about the diametrically opposing concepts of security and productivity, the models that are helpful in discussing security concepts, such as the confidentiality, integrity, and availability (CIA) triad and the Parkerian hexad, as well as the basic concepts of risk and controls to mitigate it. Lastly, we cover defense in depth and its place in the information security world.
Chapter 2: Identification and Authentication

In Chapter 2, we cover the security principles of identification and authentication. We discuss identification as a process by which we assert the identity of a particular party, whether this is true or not. We talk about the use of authentication as the means of validating whether the claim of identity is true. We also cover multifactor authentication and the use of biometrics and hardware tokens to enhance surety in the authentication process.

Chapter 3: Authorization and Access Control

In this chapter, we discuss the use of authorization and access control. Authorization is the next step in the process that we work through in order to allow entities access to resources. We cover the various access control models that we use when putting together such systems, like discretionary access control, mandatory access control, and role-based access control. We also talk about multilevel access control models, including Bell-LaPadula, Biba, Clark-Wilson, and Brewer and Nash. In addition to the commonly discussed concepts of logical access control, we also go over some of the specialized applications that we might see when looking specifically at physical access control.

Chapter 4: Auditing and Accountability

We discuss the use of auditing and accountability in this chapter. We talk about the need to hold others accountable when we provide access to the resources on which our businesses are based, or to personal information of a sensitive nature. We also go over the processes that we carry out in order to ensure that our environment is compliant with the laws, regulations, and policies that bind it, referred to as auditing. In addition, we address the tools that we use to support audit, accountability, and monitoring activities, such as logging and monitoring.

Chapter 5: Cryptography

In this chapter, we discuss the use of cryptography. We go over the history of such tools, from very simple substitution ciphers to the fairly complex electromechanical machines that were used just before the invention of the first modern computing systems, and how they form the basis for many of our modern algorithms. We cover the three main categories of cryptographic algorithms: symmetric key cryptography, also known as private key cryptography, asymmetric key cryptography, and hash functions. We also talk about digital signatures that can be used to ensure that data has not been altered and certificates that allow us to link a public key to a particular identity. In addition, we cover the mechanisms that we use to protect data at rest, in motion, and, to a certain extent, in use.

Chapter 6: Operations Security

This chapter covers operational security. We talk about the history of operational security, which reaches at least as far back as the writings of Sun Tzu
in the sixth century BC to the words of George Washington, writings from the business community, and formal methodologies from the U.S. government. We talk about the five major steps of operations security: identifying critical information, analyzing threats, analyzing vulnerabilities, determining risks, and planning countermeasures. We also go over the Laws of OPSEC, as penned by Kurt Haas. In addition to discussing the use of operations security in the worlds of business and government, we also address how it is used in our personal lives, although perhaps in a less formal manner.

Chapter 7: Physical Security

In this chapter, we discuss physical security. We address the main categories of physical security controls, to include deterrent, detective, and preventive measures, and discuss how they might be put in place to mitigate physical security issues. We talk about the foremost concern in physical security, ensuring the safety of our people, and talk about how data and equipment can generally be replaced, when proper precautions are taken, though people can be very difficult to replace. We also cover the protection of data, secondary only to protecting our people, and how this is a highly critical activity in our world of technology-based business. Lastly, we discuss protecting our equipment, both outside of and within our facilities.

Chapter 8: Network Security

In this chapter, we examine how we might protect our networks from a variety of different angles. We go over designing and segmenting our networks properly, ensuring that we have the proper choke points to enable control of traffic, and that we are redundant where such is needed. We look into the implementation of security devices such as firewalls and intrusion detection systems, the protection of our network traffic with virtual private networks (VPNs) and security measures specific to wireless networks when we need to use them, and the use of secure protocols. We also consider a variety of security tools, such as Kismet, Wireshark, nmap, honeypots, and other similar utilities.

Chapter 9: Operating System Security

In this chapter, we explore hardening as one of the primary tools for securing the operating system and the steps that we take to do so. We also review the additional security-related software that we might use to secure our systems, including anti-malware tools, software firewalls, and host-based intrusion detection systems, in order to protect us from a variety of attacks. Lastly, we touch on some of the security tools that we can use from an operating system perspective, including port scanners such as nmap, vulnerability analysis tools such as Nessus, and exploit frameworks such as Metasploit.

Chapter 10: Application Security

In this chapter, we consider the various ways in which we might secure our applications. We go over the vulnerabilities common to the software
development process, including buffer overflows, race conditions, input validation attacks, authentication attacks, authorization attacks, and cryptographic attacks, and how we might mitigate these by following secure coding guidelines. We talk about Web security, the areas of concern on both the client side and the server side of the technology. We introduce database security and cover protocol issues, unauthenticated access, arbitrary code execution, and privilege escalation, and the measures that we might take to mitigate such issues. Lastly, we examine security tools from an application perspective, including sniffers such as Wireshark, fuzzing tools including some developed by Microsoft, and Web application analysis tools such as Burp Suite, in order to better secure our applications.

Conclusion

Writing this book was an adventure for the author, as always. We hope that you enjoy the end result and that we expand your view into the world of information security. The security world can be an interesting and, at times, hair-raising field to work in. Welcome and good luck!