Chapter 7: Host, Data, and Application Security Flashcards
Relational Database
Stores data in tables with defined relationships (keys) between them, so the same data can be viewed and combined in dynamic ways based on your needs. If you need to look up patients who have not had a checkup this year and also have a history of eye surgery, one query joining the patient, visit, and procedure tables can do that.
Structured Query Language (SQL)
The most common query language used to read, write, and administer relational database servers.
One-Tier vs. Two-Tier vs. Three-Tier database models
<b>O</b>ne-Tier
-Database and application are located on the same machine
<b>T</b>wo-Tier
-A client system runs an application that communicates directly with a database running on a separate server
-This is a common client/server design, but every client needs database credentials and network reach to the database server
<b>T</b>hree-Tier
-A middle-tier (application) server sits between the client and the database: it receives client requests, applies business logic and input validation, and issues the database queries itself. Clients never talk to the database directly, so the database can live on a segment that only the middle tier can reach. It acts somewhat like a proxy in front of the database.
NoSQL
A database that is not relational. It handles less-structured data (documents, key-value pairs) and scales horizontally: to expand you add more servers rather than upgrading the hardware in existing ones. Being non-relational does not make it immune to injection; queries assembled by pasting untrusted input into filter expressions or operators are exploitable in the same way as concatenated SQL, so the same input validation and parameterization rules apply.
Big Data
Data sets too large or too varied for a single traditional database server to handle. Once you get into petabytes of information, it is stored on a SAN or a distributed storage cluster rather than on one machine's disks. Dell's acquisition of EMC made it a major vendor in this storage market.
Storage Area Network (SAN)
A dedicated, separate network that provides block-level storage, so disks on the SAN appear to servers as locally attached storage. It is usually connected over Fibre Channel, or over IP using iSCSI. Treat it as a sensitive network segment: isolate it from general traffic, protect it with a firewall and ideally an IDS, and require authentication for iSCSI targets (CHAP, for example) so that only authorized hosts can attach to a volume.
Fuzzing
Feeding an application large amounts of unexpected, malformed, or random input (mutated files, protocol messages, oversized or out-of-range values) to make it crash or misbehave. Testers use it to find input-handling bugs before release; attackers use the same crashes as the starting point for exploits that may elevate their privileges.
-Defend by validating all incoming data (length, type, range, format) and by rejecting bad input gracefully instead of crashing on it.
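As an added illustration (not part of the original flashcards), here is a minimal mutation fuzzer run against a toy record parser. The record format, the seed input, and both parsers are constructed for this example. The buggy parser trusts its length field and dies with an unhandled IndexError; the hardened parser validates every field and only ever raises a ValueError, which the fuzzer treats as a graceful rejection rather than a crash.

```python
import random

# Toy record format, constructed for this demo:
#   [1-byte length n][n bytes of payload][1-byte checksum = sum(payload) mod 256]
SEED_RECORD = b"\x05hello\x14"   # "hello" sums to 532, 532 % 256 = 20 = 0x14


def parse_record_buggy(data: bytes):
    """Parser with no bounds checking: it trusts the length field blindly."""
    n = data[0]                         # IndexError on empty input
    payload = data[1:1 + n]
    checksum = data[1 + n]              # IndexError when n overruns the buffer
    if sum(payload) % 256 != checksum:
        raise ValueError("bad checksum")   # deliberate, graceful rejection
    return payload


def parse_record_safe(data: bytes):
    """Same format, but every field is validated before it is used."""
    if len(data) < 2:
        raise ValueError("record too short")
    n = data[0]
    if len(data) != 2 + n:
        raise ValueError("length field does not match record size")
    payload = data[1:1 + n]
    if sum(payload) % 256 != data[1 + n]:
        raise ValueError("bad checksum")
    return payload


def mutate(rng: random.Random, seed: bytes) -> bytes:
    """One random mutation of the seed: overwrite, insert, or delete a byte."""
    buf = bytearray(seed)
    op = rng.choice(("overwrite", "insert", "delete"))
    if op == "overwrite" and buf:
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    elif op == "insert":
        buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    elif op == "delete" and buf:
        del buf[rng.randrange(len(buf))]
    return bytes(buf)


def fuzz(parser, seed: bytes, iterations: int = 500, rng_seed: int = 1):
    """Run the parser on mutated inputs and collect the ones that crash it.

    A ValueError is the parser saying "no" politely and is not a finding;
    any other exception is an unhandled crash, which is what fuzzing hunts.
    """
    rng = random.Random(rng_seed)       # fixed seed so runs are reproducible
    crashes = []
    for _ in range(iterations):
        sample = mutate(rng, seed)
        try:
            parser(sample)
        except ValueError:
            continue
        except Exception as exc:        # every other exception is a crash
            crashes.append((sample, type(exc).__name__))
    return crashes


if __name__ == "__main__":
    found = fuzz(parse_record_buggy, SEED_RECORD)
    print(f"buggy parser: {len(found)} crashing inputs, e.g. {found[0]}")
    print(f"safe parser:  {len(fuzz(parse_record_safe, SEED_RECORD))} crashing inputs")
```

Real fuzzers (AFL, libFuzzer, boofuzz for network protocols) use coverage feedback and smarter mutations, but the loop is the same: mutate, run, record anything that is not a clean rejection. The point for defenders is the second parser: once the length and size are checked up front, no mutation reaches an out-of-bounds read.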
Secure Coding
Writing code that handles untrusted input correctly is the primary defense against attacks like SQL injection, XSS, and buffer overflows. Other controls (web application firewalls, memory protections such as DEP and ASLR) reduce the impact of a bug, but they do not fix it; only the code can.
Open Web Application Security Project (OWASP)
A nonprofit, volunteer-driven organization that publishes free guidance, tools, and standards for securing web applications (its Top Ten list of web application risks is the best known).
The most fundamental control it promotes is input validation, which must be done on the server side; client-side validation is an optional extra.
Client-side vs. server-side validation
<b>C</b>lient-side validation
-Checking input in the browser (JavaScript, HTML form constraints) before it is sent, so the user gets quick feedback and obvious mistakes never leave the client. An attacker controls the client, though, and can bypass it entirely by sending requests straight to the server.
<b>S</b>erver-side validation
-Validating data as it is received by the server, before it is used. This is the only validation that counts for security. It is common and perfectly fine to have <b>only</b> server-side validation; it is never acceptable to have only client-side validation.
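The following is an added example, not code from the original flashcards, tying the secure-coding and validation cards together. It uses an in-memory SQLite table with one constructed user row, and stores the password in plain text purely to keep the demo short (a real system hashes it). The vulnerable login builds SQL by string concatenation and is bypassed by a classic injection; the safe version applies a server-side allowlist check and then a parameterized query. The last pair shows output encoding against XSS with Python's `html.escape`.

```python
import html
import re
import sqlite3

# In-memory database with one constructed user row, so the demo runs offline.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")

# Allowlist rule for a username: 3-32 characters, letters, digits, dot, underscore.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.]{3,32}")


def validate_username(value: str) -> bool:
    """Server-side allowlist check. A rejected value never reaches the query."""
    return bool(USERNAME_RE.fullmatch(value))


def login_vulnerable(name: str, password: str) -> bool:
    """Builds SQL by string concatenation: the textbook injection bug."""
    query = (f"SELECT COUNT(*) FROM users WHERE name = '{name}' "
             f"AND password = '{password}'")
    return conn.execute(query).fetchone()[0] > 0


def login_safe(name: str, password: str) -> bool:
    """Validates input, then uses a parameterized query: the data is bound as
    values and can never change the structure of the SQL statement."""
    if not validate_username(name):
        return False
    row = conn.execute(
        "SELECT COUNT(*) FROM users WHERE name = ? AND password = ?",
        (name, password),
    ).fetchone()
    return row[0] > 0


def greeting_vulnerable(name: str) -> str:
    """Reflects user input into HTML unencoded: reflected XSS."""
    return f"<p>Welcome, {name}!</p>"


def greeting_safe(name: str) -> str:
    """Output encoding: characters that mean something to HTML become entities."""
    return f"<p>Welcome, {html.escape(name)}!</p>"


if __name__ == "__main__":
    bypass = "' OR '1'='1"
    print("vulnerable login with injected password:", login_vulnerable("alice", bypass))
    print("safe login with injected password:      ", login_safe("alice", bypass))
    print(greeting_vulnerable("<script>alert(1)</script>"))
    print(greeting_safe("<script>alert(1)</script>"))
```

The injected password turns the vulnerable query into `... AND password = '' OR '1'='1'`, which is true for every row. Note that validation alone is not enough: the password field legitimately contains quotes and symbols, so it cannot be allowlisted the way a username can; parameterization is what makes it safe.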
Computer Emergency Response Team (CERT) Secure Coding Standards
- CERT publishes complete language-specific secure coding standards for Java, Perl, C, and C++
- Among other topics they address error and exception handling
- The rule for error handling: show the user a generic message (plus a reference number for support) when something fails, but log the specifics (exception type, stack trace, file paths, query text) on the server, so an attacker cannot harvest internal details from error screens
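An added example of that error-handling rule (not from the original page): a request handler that returns only a generic message and a reference id to the caller, while the exception detail and traceback go to a server-side log keyed by the same id. The `load_report` function and its data are stand-ins constructed for the demo, and the log is kept in an in-memory buffer so the example runs offline.

```python
import logging
import uuid
from io import StringIO

# Log sink kept in memory for the demo; in production this is a file or SIEM
# that end users cannot read.
_log_buffer = StringIO()
logger = logging.getLogger("app.errors")
logger.setLevel(logging.ERROR)
logger.propagate = False
logger.addHandler(logging.StreamHandler(_log_buffer))


def load_report(report_id: str) -> str:
    """Stand-in for real backend work (constructed data); fails like a typical bug."""
    reports = {"42": "quarterly figures"}
    return reports[report_id]        # KeyError for unknown ids


def handle_request_leaky(report_id: str) -> dict:
    """Anti-pattern: the raw exception goes straight back to the user."""
    try:
        return {"ok": True, "body": load_report(report_id)}
    except Exception as exc:
        return {"ok": False, "message": f"Error: {exc!r}"}


def handle_request(report_id: str) -> dict:
    """Generic message to the user, full detail to the log, joined by a reference id."""
    try:
        return {"ok": True, "body": load_report(report_id)}
    except Exception as exc:
        ref = uuid.uuid4().hex[:12]
        logger.error("ref=%s op=load_report report_id=%r error=%s: %s",
                     ref, report_id, type(exc).__name__, exc, exc_info=True)
        return {"ok": False,
                "message": f"The request could not be completed. Reference: {ref}"}


def logged_text() -> str:
    """Everything the error logger has written so far."""
    return _log_buffer.getvalue()


if __name__ == "__main__":
    print(handle_request_leaky("nope"))   # leaks the exception and the bad id
    print(handle_request("nope"))         # generic message plus reference
    print(logged_text())                  # the detail, server-side only
```

Support staff look up the reference in the log to see the KeyError and traceback; the user (or attacker) sees nothing about the internals.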
Different kinds of patches
<b>H</b>otfix
-An immediate, urgent fix for a specific problem, generally a security flaw; test it on a non-production system, then apply it quickly
<b>P</b>atch
-A non-urgent fix or additional functionality. It can be optional.
<b>S</b>ervice pack
-All hotfixes and patches to date, bundled into one cumulative, tested release. Big overhaul kind of thing.
Access Control Lists (ACLs)
Define who (or which source) can access which resource, and at what level (read, write, execute, administer).
You can build them as a whitelist (allow only the listed entries, deny everything else) or a blacklist (deny the listed entries, allow everything else). Prefer a whitelist with an implicit default deny: a blacklist only blocks what you already know about, and an attacker coming from a new address or account walks straight past it.
How do I harden a web server?
Web servers are popular targets for attackers because they are exposed to the whole Internet and reach every user of the site.
- Set up filters (host firewall, network ACLs) so that only the traffic you actually need, typically TCP 80 and 443, can reach the server
- Block access to executable scripts and interpreters as much as you can: remove sample and admin scripts, disable script execution in upload and content directories, and run the server under a low-privilege account
- Keep it patched and remove unused modules and services
How do I harden an email server?
Run regular malware scans of stored mail and attachments. If you are running an Exchange server, you need an Exchange-aware scanner: a plain file-level antivirus that scans the mailbox database and transaction log files can corrupt them, so those directories must be excluded from file-level scanning.
Use ACLs to block known attacking sources (IP ranges, sending domains) at the firewall or on the mail server itself.
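As an added example for the ACL card and for blocking attacking sources on a mail or web server (not code from the original flashcards), here is a first-match ACL evaluator with three constructed policies: a pure blacklist, a pure whitelist with default deny, and the usual combination of an explicit deny for a known attacker range followed by the allow rules. The addresses are from the documentation ranges and the rules are invented for the demo.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str                      # "allow" or "deny"
    network: ipaddress.IPv4Network   # source network the rule applies to
    port: Optional[int] = None       # None matches any destination port


def evaluate(rules, src: str, port: int, default: str) -> str:
    """First-match evaluation, the way router and host-firewall ACLs work.
    Returns the action of the first rule whose source network and port match,
    or the policy default when nothing matches (the implicit final rule)."""
    addr = ipaddress.ip_address(src)
    for rule in rules:
        if addr in rule.network and rule.port in (None, port):
            return rule.action
    return default


def net(cidr: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(cidr)


# Blacklist style: block what we already know about, allow everything else.
BLACKLIST_POLICY = [
    Rule("deny", net("203.0.113.0/24")),          # known attacking range
]

# Whitelist style: allow only what the service needs, deny everything else.
WHITELIST_POLICY = [
    Rule("allow", net("0.0.0.0/0"), port=443),    # public HTTPS
    Rule("allow", net("10.0.0.0/8"), port=22),    # admin SSH from inside only
]

# What you actually deploy: explicit denies first, then the whitelist, default deny.
COMBINED_POLICY = BLACKLIST_POLICY + WHITELIST_POLICY


def decide_blacklist(src: str, port: int) -> str:
    return evaluate(BLACKLIST_POLICY, src, port, default="allow")


def decide_whitelist(src: str, port: int) -> str:
    return evaluate(WHITELIST_POLICY, src, port, default="deny")


def decide_combined(src: str, port: int) -> str:
    return evaluate(COMBINED_POLICY, src, port, default="deny")


if __name__ == "__main__":
    # A new attacker at 198.51.100.9 probing SSH: the blacklist lets it through.
    print("blacklist:", decide_blacklist("198.51.100.9", 22))
    print("whitelist:", decide_whitelist("198.51.100.9", 22))
    # The known range hitting the public HTTPS port: only the combined policy stops it.
    print("whitelist:", decide_whitelist("203.0.113.7", 443))
    print("combined: ", decide_combined("203.0.113.7", 443))
```

Rule order matters in first-match evaluation: put the explicit deny for a known bad source before the broad allow for port 443, or the allow wins and the deny never fires.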