Lake Point Consulting Services (LPCS) provides security consulting and assurance
Question
Lake Point Consulting Services (LPCS) provides security consulting and assurance services to over 500 clients across a wide range of enterprises in more than 20 states. A new initiative at LPCS is for each of its seven regional offices to provide internships to students who are in their final year of the security degree program at the local college. Like Magic is a national repair shop that specializes in repairing minor car door "dings," windshield repair, interior fabric repair, and scratch repair. Like Magic allows customers to file a claim through a smartphone app and its website. Recently, however, Like Magic was the victim of an SQL injection attack that resulted in customer account information and credit card numbers being stolen. Several security personnel were fired due to this breach. The vice president of Like Magic is adamant that this will never happen again to them, and has contacted LPCS to help provide training to the technology staff to prevent further attacks. After the presentation Like Magic asks LPCS to address other weaknesses in their system. You have been placed on the team to examine potential networking-based attacks.
One of your tasks is to create a report for a presentation; you are asked to write a one-page narrative providing an overview of the different types of networking-based attacks of interception and poisoning.
Explanation / Answer
Lake Point Consulting Services
A Presentation on
Data security
Cross-site attacks
- Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications. XSS enables attackers to inject client-side scripts into web pages viewed by other users.
- A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same-origin policy.
Cross-site attacks
Attack Techniques
- Reflected (non-persistent) XSS flaw
- Persistent (or stored) flaw
- Server-side versus DOM-based vulnerabilities
- Self-XSS
- Mutated XSS (mXSS)
Defensive Techniques
- Contextual output encoding/escaping of string input
- Safely validating untrusted HTML input
- Cookie security
- Disabling scripts
- Emerging defensive technologies
Injection Attacks
SQL injection is a code injection technique, used to attack data-driven applications, in which nefarious SQL statements are inserted into an entry field for execution.
SQL injection must exploit a security vulnerability in an application's software, for example, when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and unexpectedly executed.
Injection Attacks
Attack Techniques
- Incorrectly filtered escape characters
- Incorrect type handling
- Blind SQL injection
- Conditional responses
- Second-order SQL injection
Defensive Techniques
- Trust no one
- Enforcement at the coding level
- Don't use dynamic SQL when it can be avoided
- Update and patch
- Firewall
- Reduce your attack surface
- Use appropriate privileges
- Don't divulge more information than you need to
- Buy better software
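The cross-site scripting slides list "contextual output encoding/escaping" and "cookie security" as defences without showing what they look like. The following Python example is added here to illustrate them; it is not part of the original answer or of any Like Magic code. The claim note, the page template and the cookie name `session` are all constructed for the demonstration, and it uses only the standard library (`html`, `json`, `http.cookies`).

```python
import html
import json
from http.cookies import SimpleCookie

# Constructed sample: a claim note a customer typed into the app. Stored as-is and
# shown later to a staff user, it becomes a stored (persistent) XSS payload.
NOTE = '<img src=x onerror="alert(document.cookie)">'


def render_vulnerable(note):
    # Deliberately vulnerable: the note is pasted into three different contexts
    # (element text, a quoted attribute, a JavaScript string) with no encoding.
    return (f"<p>{note}</p>\n"
            f'<input name="note" value="{note}">\n'
            f"<script>var note = '{note}';</script>")


def encode_html_text(s):
    # Element-text context: &, < and > must be encoded; quotes are harmless here.
    return html.escape(s, quote=False)


def encode_html_attr(s):
    # Attribute context: quotes must be encoded too, and the attribute is always
    # written with surrounding double quotes so the value cannot end early.
    return html.escape(s, quote=True)


def encode_js_string(s):
    # JavaScript-string context: JSON-encode, then hex-escape < and > so that a
    # "</script>" inside the value cannot close the script element.
    return json.dumps(s).replace("<", "\\u003c").replace(">", "\\u003e")


def render_safe(note):
    # Contextual output encoding: each insertion point uses the encoder for its
    # own context. One encoder for all three would leave at least one of them open.
    return (f"<p>{encode_html_text(note)}</p>\n"
            f'<input name="note" value="{encode_html_attr(note)}">\n'
            f"<script>var note = {encode_js_string(note)};</script>")


def session_cookie(value):
    # Cookie security: HttpOnly keeps document.cookie from reading the session id
    # (so the payload above steals nothing even if it runs), Secure keeps it off
    # plaintext HTTP, and SameSite=Lax blunts cross-site requests carrying it.
    c = SimpleCookie()
    c["session"] = value
    c["session"]["httponly"] = True
    c["session"]["secure"] = True
    c["session"]["samesite"] = "Lax"
    return c.output()  # "Set-Cookie: session=...; HttpOnly; SameSite=Lax; Secure"


if __name__ == "__main__":
    print("vulnerable:\n" + render_vulnerable(NOTE))
    print("safe:\n" + render_safe(NOTE))
    print(session_cookie("constructed-session-id"))
```

Encoding is applied at output time, not when the note is stored: the stored value stays what the customer typed, and the same value can be emitted safely into any context by choosing the matching encoder.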
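The injection slides name "incorrectly filtered escape characters" and "incorrect type handling" as attack techniques and "don't use dynamic SQL", "enforcement at the coding level" and "use appropriate privileges" as defences. The Python example below is added to show each of these concretely against a throw-away SQLite database; it is not part of the original answer and does not reflect Like Magic's real schema. The tables, rows, claim references and the lookup functions are all constructed for the demonstration. Blind and second-order injection are not shown.

```python
import sqlite3

# Constructed demo schema and rows: a claims table the app legitimately needs and
# a customers table holding the data the breach exposed.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, card_last4 TEXT)")
    conn.executemany("INSERT INTO customers (email, card_last4) VALUES (?, ?)",
                     [("alice@example.com", "1111"), ("bob@example.com", "2222")])
    conn.execute("CREATE TABLE claims (id INTEGER PRIMARY KEY, claim_ref TEXT, status TEXT)")
    conn.executemany("INSERT INTO claims (claim_ref, status) VALUES (?, ?)",
                     [("CLM-1001", "open"), ("CLM-1002", "closed")])
    return conn


def claim_status_vulnerable(conn, claim_ref):
    # Deliberately vulnerable (incorrectly filtered escape characters): the value
    # from the app is pasted into the SQL text, so a quote in the input ends the
    # string literal and whatever follows is parsed as SQL.
    sql = "SELECT claim_ref, status FROM claims WHERE claim_ref = '" + claim_ref + "'"
    return conn.execute(sql).fetchall()


def claim_status_safe(conn, claim_ref):
    # Parameterised query: the driver passes the value separately from the SQL
    # text, so it is always data and never code, whatever characters it contains.
    sql = "SELECT claim_ref, status FROM claims WHERE claim_ref = ?"
    return conn.execute(sql, (claim_ref,)).fetchall()


def claim_by_id_vulnerable(conn, claim_id):
    # Deliberately vulnerable (incorrect type handling): claim_id is assumed to be
    # a number and interpolated unquoted, so "1 OR 1=1" rewrites the WHERE clause
    # without needing a quote character at all.
    return conn.execute(f"SELECT claim_ref FROM claims WHERE id = {claim_id}").fetchall()


def claim_by_id_safe(conn, claim_id):
    claim_id = int(claim_id)  # ValueError for anything that is not an integer
    return conn.execute("SELECT claim_ref FROM claims WHERE id = ?", (claim_id,)).fetchall()


def restrict_to_claims(conn):
    # "Use appropriate privileges": the web app's database account may read
    # claims only. SQLite's authorizer hook stands in for the GRANT/REVOKE a
    # server RDBMS would use; reads of customers are refused at prepare time.
    def authorizer(action, table, column, db_name, trigger):
        if action == sqlite3.SQLITE_READ and table == "customers":
            return sqlite3.SQLITE_DENY
        return sqlite3.SQLITE_OK
    conn.set_authorizer(authorizer)


# Constructed payload: closes the string literal, appends a UNION that pulls the
# customer table, and comments out the trailing quote.
UNION_PAYLOAD = "' UNION SELECT email, card_last4 FROM customers --"


def demo():
    """Run the payloads against both versions and report what each returns."""
    conn = make_db()
    out = {
        "vuln_union": set(claim_status_vulnerable(conn, UNION_PAYLOAD)),
        "safe_union": claim_status_safe(conn, UNION_PAYLOAD),
        "vuln_id": claim_by_id_vulnerable(conn, "1 OR 1=1"),
    }
    restrict_to_claims(conn)
    try:
        claim_status_vulnerable(conn, UNION_PAYLOAD)
        out["restricted_union"] = "allowed"
    except sqlite3.DatabaseError:
        # Even the vulnerable code cannot leak customers when the account lacks the right.
        out["restricted_union"] = "denied"
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The two defences are complementary: parameterised queries stop the injection at the code level, and a least-privilege database account limits what a query that does slip through can reach.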