Prevent Attacks by Mitigating Threats


Once you have identified the threats to your application, take preventive measures to mitigate or eliminate the high-priority ones. If a threat cannot be eliminated completely, as with denial of service (DoS) attacks, design the application to reduce the consequences of an attack. For a Web application, for example, you could present a lightweight “Sorry, the Web site is experiencing heavy volumes” page rather than sending the user no response at all. If the application gets bogged down by unusually high volume that is unrelated to an attack (high customer demand), the fix is to make the application more scalable.
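The “heavy volumes” fallback described above, as an added example that is not code from the book and is written in Python rather than the book's Visual Basic .NET. It shows a sliding-window overload guard in front of a request handler: requests beyond the configured rate get the cheap page instead of queuing behind expensive work, oversized input is rejected before any work is done, and the counts of admitted and shed requests are kept so they can be logged over time. The names OverloadGuard, handle_request, render_page and ManualClock are hypothetical; only the standard library is used.

```python
"""Overload guard for a Web request handler.

Added example, not code from the book, and written in Python rather than the
book's Visual Basic .NET. OverloadGuard, handle_request, render_page and
ManualClock are hypothetical names; only the standard library is used.
"""
import html
import time
from collections import deque

MAX_QUERY_LEN = 200          # limit all user input to a reasonable length
HEAVY_VOLUME_PAGE = (
    "<html><body>Sorry, the Web site is experiencing heavy volumes. "
    "Please try again later or call customer service.</body></html>"
)


class ManualClock:
    """Deterministic clock so the guard can be exercised without sleeping."""

    def __init__(self) -> None:
        self.now = 0.0

    def advance(self, seconds: float) -> None:
        self.now += seconds

    def __call__(self) -> float:
        return self.now


class OverloadGuard:
    """Sliding-window counter: admit at most `limit` requests per `window` seconds.

    Requests beyond the limit are shed with the lightweight page instead of
    being queued behind expensive work; `admitted` and `shed` are kept so the
    request rate and the shed rate can be logged and charted over time.
    """

    def __init__(self, limit: int, window: float, clock=time.monotonic) -> None:
        self.limit = limit
        self.window = window
        self.clock = clock
        self._arrivals = deque()
        self.admitted = 0
        self.shed = 0

    def admit(self) -> bool:
        now = self.clock()
        # Forget arrivals that have fallen out of the window.
        while self._arrivals and now - self._arrivals[0] >= self.window:
            self._arrivals.popleft()
        if len(self._arrivals) >= self.limit:
            self.shed += 1
            return False
        self._arrivals.append(now)
        self.admitted += 1
        return True


def render_page(query: str) -> str:
    """Stand-in for the expensive real work (database query, page rendering)."""
    return "<html><body>Results for %s</body></html>" % html.escape(query)


def handle_request(guard: OverloadGuard, query: str):
    """Return (HTTP status, body) for one request."""
    # Reject oversized input before spending any resources on it.
    if len(query) > MAX_QUERY_LEN:
        return 400, "Input too long"
    # Cheap check before the expensive path; shed load with a lightweight page.
    if not guard.admit():
        return 503, HEAVY_VOLUME_PAGE
    return 200, render_page(query)


if __name__ == "__main__":
    clock = ManualClock()
    guard = OverloadGuard(limit=3, window=1.0, clock=clock)
    for _ in range(5):                            # burst of 5 requests in one second
        print(handle_request(guard, "widgets")[0])   # 200, 200, 200, 503, 503
    clock.advance(1.0)
    print(handle_request(guard, "widgets")[0])   # window slid: 200 again
```

The guard is per process; behind a load balancer each node needs its own, or the counter has to live in shared storage. The 503 path deliberately does no lookup, rendering or allocation beyond returning a constant string, which is what makes it survivable under load.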

Mitigating Threats

Table 14-2 lists examples of some common types of attacks and the techniques demonstrated throughout this book that you can use to mitigate each attack.

Table 14-2: Example of Common Attacks and Techniques to Mitigate Them

Type of attack: Bypassing UI
Description: The attacker connects directly to a server object or database, bypassing the application UI.
Mitigating techniques:
  • In every Public method, check that the caller has been authenticated by the application and is authorized for the requested operation before performing it, as presented in Chapter 1 and Chapter 4. A check that lives only in the UI is bypassed along with the UI.
  • Reduce the attack surface of the server application by making Public only the functions that need to be.
  • For a Web server application, lock down the Web server, as presented in Chapter 11.
  • Lock down the back-end database that the Web server uses, as presented in Chapter 12.

Type of attack: Data or input tampering
Description: The attacker passes crafted data to force a crash, to reveal secrets, or to modify data. SQL injection and cross-site scripting are examples of techniques used to tamper with data.
Mitigating techniques:
  • Validate all input, as presented in Chapter 7: direct user input, input files, and registry-key values that your Microsoft Visual Basic .NET application uses.
  • Mitigate the input-related threats presented in Chapter 6, such as SQL injection and cross-site scripting, using the techniques from Chapter 7.

Type of attack: Denying service
Description: The attacker attempts to crash your application or force it to consume a large amount of a resource such as memory. This is also known as a denial of service (DoS) attack.
Mitigating techniques:
  • Provide a logon dialog box so that only authorized users can submit information for the application to process.
  • Limit all user input to a reasonable length.
  • Design the application to handle many more users than projected. For a Web application, present a lightweight introduction HTML page, or detect when more requests are arriving than can be handled and show a “Sorry, the application is experiencing heavy volumes” message followed by references to other ways the user can get the information.
  • Monitor and log the total number of object allocations, the frequency of requests, system memory usage, database connection allocations, and disk-space usage over time. Analyze the logs, identify performance or scalability bottlenecks in the application, and resolve them.

Type of attack: Intercepting data
Description: The attacker intercepts and modifies data being sent between the client and the server.
Mitigating techniques:
  • Use encryption or hashing techniques (as presented in Chapter 1) to protect data in transit or to detect that it has been tampered with. Note that an unkeyed hash sent alongside the data can simply be recomputed by whoever modifies it; detecting tampering by an active interceptor requires a keyed hash (MAC) or a digital signature.
  • Use secure, encrypted channels such as SSL (see Chapter 5) to pass sensitive data.

Type of attack: Password cracking
Description: The attacker uses brute force to guess a user name and password combination and log on.
Mitigating techniques:
  • Enforce a password policy requiring at least 8 characters with mixed case, digits, and symbols.
  • If a user fails to enter the correct password after a fixed number of attempts (such as three), refuse further logons for that user name for a period of time. For example, Windows pauses for several seconds after a run of failed logon attempts, which makes it harder for password-cracking tools to try candidate passwords in rapid succession. You can also lock the account after a certain number of failed attempts, much as a bank machine retains your debit card after several incorrect PINs.
  • Log all failed logon attempts (as well as successful ones), and notify the user of failed attempts against their account. You can also show the user the date and time of the last successful logon, so that a logon at a time when the user was not at the computer stands out.

Type of attack: Posing as another user
Description: The attacker carries out an action while posing as another user, in such a way that the user cannot prove she did not perform the resulting actions. This is also known as a repudiation attack.
Mitigating techniques:
  • Secure against password cracking, as shown under “Password cracking” earlier in this table.
  • Log all activity, including the time the transgression happened, as presented in Chapter 5.
  • Request additional credentials, such as a secret PIN, when the user performs a sensitive activity such as initiating a stock trade or purchasing a product.
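The “Data or input tampering” row above, as an added example that is not code from the book and is written in Python rather than Visual Basic .NET. It puts the two layers side by side: an allowlist validator for the input, and a parameterized query that keeps the input as data even if validation is skipped. The query built by string concatenation is shown deliberately vulnerable so the same injection payload can be run against both. Output encoding for the cross-site scripting case is included. The table, rows and function names are constructed for the demonstration; only the standard library (sqlite3) is used.

```python
"""Input validation and parameterized queries against SQL injection.

Added example, not code from the book, in Python rather than the book's Visual
Basic .NET; uses only the standard library (sqlite3). The table, rows and
function names are constructed for the demonstration.
"""
import html
import re
import sqlite3

# Allowlist for a user name: lowercase letters, digits, underscore, 1..32 chars.
USERNAME_RE = re.compile(r"[a-z0-9_]{1,32}")


def make_db() -> sqlite3.Connection:
    """In-memory database with two constructed users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "user"), ("bob", "admin")])
    conn.commit()
    return conn


def valid_username(name: str) -> bool:
    """Allowlist validation: reject anything outside the expected alphabet."""
    return USERNAME_RE.fullmatch(name) is not None


def find_user_vulnerable(conn: sqlite3.Connection, name: str):
    """Deliberately vulnerable: the input becomes part of the SQL text,
    so a quote in the input changes the structure of the query."""
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_user_parameterized(conn: sqlite3.Connection, name: str):
    """Placeholders keep the input as data; the query structure cannot change."""
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()


def find_user_hardened(conn: sqlite3.Connection, name: str):
    """Both layers: validate the input first, then bind it as a parameter."""
    if not valid_username(name):
        raise ValueError("invalid user name")
    return find_user_parameterized(conn, name)


def greeting_html(name: str) -> str:
    """Encode output so a stored or reflected name cannot inject script."""
    return "<p>Welcome, %s</p>" % html.escape(name, quote=True)


if __name__ == "__main__":
    conn = make_db()
    payload = "x' OR '1'='1"
    print(find_user_vulnerable(conn, payload))      # every row leaks
    print(find_user_parameterized(conn, payload))   # [] : no such user
    print(greeting_html("<script>alert(1)</script>"))
```

Validation and parameterization are not substitutes for each other: the allowlist also stops inputs that are harmless to the database but bad for the application (a 5 MB user name, control characters in a log line), while the placeholder protects the query even for fields whose legitimate values must contain quotes.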

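The “Intercepting data” row above, as an added example that is not code from the book, in Python rather than Visual Basic .NET. It contrasts the two integrity schemes the row mentions: a message sent with a plain SHA-256 hash, which an active interceptor defeats by recomputing the hash over the replacement, and a message sent with an HMAC, which the interceptor cannot recompute without the shared key. The message, key and function names are constructed; only the standard library is used.

```python
"""Tamper detection: unkeyed hash versus keyed hash (HMAC).

Added example, not code from the book, in Python rather than Visual Basic .NET;
standard library only. The message, key and function names are constructed.
"""
import hashlib
import hmac
import secrets


def unkeyed_tag(message: bytes) -> bytes:
    """Plain SHA-256 of the message, sent alongside it."""
    return hashlib.sha256(message).digest()


def check_unkeyed(message: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(unkeyed_tag(message), tag)


def keyed_tag(key: bytes, message: bytes) -> bytes:
    """HMAC-SHA256; only holders of `key` can produce a valid tag."""
    return hmac.new(key, message, hashlib.sha256).digest()


def check_keyed(key: bytes, message: bytes, tag: bytes) -> bool:
    # Constant-time comparison: a plain == leaks where the first mismatch is.
    return hmac.compare_digest(keyed_tag(key, message), tag)


def interceptor_rewrites(message: bytes, new_message: bytes):
    """What an active interceptor can do without the key: swap the message
    and recompute the *unkeyed* hash over the replacement."""
    return new_message, unkeyed_tag(new_message)


def demo():
    """Return (hash_detects, mac_detects_swap, mac_detects_rehash, mac_accepts_genuine)."""
    key = secrets.token_bytes(32)          # shared between client and server
    original = b"transfer 100.00 to account 1234"
    forged = b"transfer 9999.00 to account 6666"

    # Scheme 1: message + plain hash. The interceptor recomputes the hash,
    # so the receiver's check passes and the tampering goes undetected.
    msg, tag = interceptor_rewrites(original, forged)
    hash_detects = not check_unkeyed(msg, tag)

    # Scheme 2: message + HMAC. The old tag does not match the new message,
    # and without the key the interceptor cannot compute a new one.
    mac = keyed_tag(key, original)
    mac_detects_swap = not check_keyed(key, forged, mac)
    mac_detects_rehash = not check_keyed(key, *interceptor_rewrites(original, forged))
    mac_accepts_genuine = check_keyed(key, original, mac)
    return hash_detects, mac_detects_swap, mac_detects_rehash, mac_accepts_genuine


if __name__ == "__main__":
    print(demo())   # (False, True, True, True)
```

The same caveat applies to encryption on its own: most cipher modes hide the content but do not by themselves reveal that ciphertext was modified, so pair encryption with a MAC (or use an authenticated mode) when the threat is modification rather than disclosure. An SSL/TLS channel provides both.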

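The “Password cracking” and “Posing as another user” rows above, as one added example that is not code from the book, in Python rather than Visual Basic .NET. It implements the lockout policy (refuse logons for a user name for a period after a fixed number of failures), keeps an audit log of every logon outcome with its time, and hands the successful logon the time of the previous success so the application can display it to the user. Passwords are stored as salted PBKDF2 hashes. AuthService, Session, ManualClock, the policy constants and the sample account are constructed for the demonstration; only the standard library is used.

```python
"""Logon throttling, lockout and audit logging.

Added example, not code from the book, in Python rather than Visual Basic .NET;
standard library only. AuthService, Session, ManualClock, the policy constants
and the sample account are constructed for the demonstration.
"""
import hashlib
import hmac
import os
import time
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

MAX_FAILURES = 3            # failed attempts before the account is locked
LOCKOUT_SECONDS = 15 * 60   # how long the lock lasts
_DUMMY_SALT = b"\x00" * 16  # used so unknown users cost the same as known ones


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


@dataclass
class Account:
    name: str
    salt: bytes
    pw_hash: bytes
    failures: int = 0
    locked_until: float = 0.0
    last_success: Optional[float] = None


@dataclass
class Session:
    user: str
    previous_logon: Optional[float]   # show this to the user after logon


class ManualClock:
    """Deterministic clock so lockout expiry can be tested without sleeping."""

    def __init__(self) -> None:
        self.now = 0.0

    def advance(self, seconds: float) -> None:
        self.now += seconds

    def __call__(self) -> float:
        return self.now


class AuthService:
    def __init__(self, clock=time.time) -> None:
        self.clock = clock
        self.accounts: Dict[str, Account] = {}
        # (time, event, user, outcome): every attempt, successful or not
        self.audit_log: List[Tuple[float, str, str, str]] = []

    def register(self, name: str, password: str) -> None:
        salt = os.urandom(16)
        self.accounts[name] = Account(name, salt, hash_password(password, salt))

    def _log(self, when: float, event: str, user: str, outcome: str) -> None:
        self.audit_log.append((when, event, user, outcome))

    def logon(self, name: str, password: str) -> Optional[Session]:
        now = self.clock()
        acct = self.accounts.get(name)
        if acct is None:
            hash_password(password, _DUMMY_SALT)   # same cost as a real check
            self._log(now, "logon", name, "fail:unknown_user")
            return None
        if now < acct.locked_until:
            # Refuse even a correct password while locked, and log it.
            self._log(now, "logon", name, "fail:locked")
            return None
        if hmac.compare_digest(hash_password(password, acct.salt), acct.pw_hash):
            session = Session(name, acct.last_success)
            acct.last_success = now
            acct.failures = 0
            self._log(now, "logon", name, "ok")
            return session
        acct.failures += 1
        self._log(now, "logon", name, "fail:bad_password")
        if acct.failures >= MAX_FAILURES:
            acct.locked_until = now + LOCKOUT_SECONDS
            acct.failures = 0
            self._log(now, "lockout", name, "locked_for=%ds" % LOCKOUT_SECONDS)
        return None

    def failed_attempts(self, name: str) -> int:
        """Number of failed logons against `name`, for notifying that user."""
        return sum(1 for _, ev, user, outcome in self.audit_log
                   if ev == "logon" and user == name and outcome.startswith("fail"))
```

Two caveats a practitioner should weigh. A lockout keyed only on user name hands an attacker a cheap way to lock legitimate users out (a denial of service against the logon itself), so a timed lock with alerting is usually preferable to an indefinite one, and throttling by source address should be layered on top. And the log is only useful for the repudiation case if it is written somewhere the user being impersonated cannot alter, with timestamps from a clock the attacker does not control.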


Security for Microsoft Visual Basic .NET
ISBN: 735619190
Year: 2003
Pages: 168
