Entries from December 2010 ↓

Security+ Objective 1.4 Carry out the appropriate procedures to establish application security – Scripting

Let’s continue talking about web sites that do more than just display the same data all the time. You can skip to the last paragraph if you just want the thing you need to know for the exam.
Scripting is the way to make that happen. If a programmer writes a script to make their site do something really cool, there are two places where that script can be processed. Client-side scripts send the code to the user’s computer to be run. Server-side scripts work their magic on the web server and send only the results to the user. Client-side scripts rely on the user’s system having a web browser that understands the script. If you don’t want to rely on the user, you can use server-side scripts that rely only on the server. It’s easier to make sure your server has the right capabilities than to make sure every possible user who hits your site does.
Real World Example: The most common client-side scripting language is JavaScript. Next time you’re browsing the web, right-click on the page, choose “view source” and look for some code that says JavaScript. The most common server-side scripting languages these days are ASP.NET and PHP. Next time you browse the web, look for “aspx” or “php” in the web address. You won’t be able to find any ASP.NET or PHP code in the source because the server already processed it and sent only the results.
The security risk of server-side scripting lies in the fact that the server does whatever the script tells it to. If a bad guy can get his code onto the server, it will do whatever the bad guy wants it to.
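An added example (not from the original post) of what “the server already processed it” means in practice: a made-up page template with a server-side placeholder syntax (`{{ name }}`, an assumption for illustration, not real PHP or ASP.NET) next to a client-side script. The server substitutes only known placeholder names, escapes the values, and ships the JavaScript untouched, so “view source” shows the script but never the server-side logic.

```python
import html
import re

# Constructed sample page: a server-side placeholder ({{ ... }}) sits beside
# a client-side <script>. The placeholder syntax is invented for this example.
PAGE_TEMPLATE = """<html><body>
<h1>Hello, {{ username }}</h1>
<p>Server time: {{ server_time }}</p>
<script type="text/javascript">
  // Client-side: runs in the visitor's browser, so it stays visible in "view source".
  document.write("Your browser says it is " + new Date());
</script>
</body></html>"""

PLACEHOLDER = re.compile(r"\{\{\s*(\w+)\s*\}\}")


def render_server_side(template: str, context: dict) -> str:
    """Process the page on the server: replace each placeholder with a value
    from `context`. Only names the server knows are substituted (the server
    never evaluates whatever text appears inside the braces), and values are
    HTML-escaped because they may have come from an untrusted visitor."""
    def substitute(match: "re.Match") -> str:
        name = match.group(1)
        if name not in context:
            raise KeyError(f"unknown placeholder: {name}")
        return html.escape(str(context[name]))
    return PLACEHOLDER.sub(substitute, template)


def demo() -> str:
    # Constructed request values: the username is whatever the visitor typed.
    return render_server_side(PAGE_TEMPLATE, {
        "username": "<b>alice</b>",
        "server_time": "2010-12-01 10:00:00",
    })


if __name__ == "__main__":
    # What the browser receives: results, escaped data, and the client-side script.
    print(demo())
```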

Go back to the Exam Objectives list

Security+ Objective 1.4 Carry out the appropriate procedures to establish application security – Java

Java, like ActiveX, allows web applications that do a lot more than HTML. Unlike ActiveX, it isn’t tied to Microsoft products. This means you can run Java applets on Microsoft systems as well as other platforms, like Linux and Mac OS.
When you install Java on a system, you are giving it a Java virtual machine that will run the Java applet inside itself. The applet doesn’t know what OS you have installed because it is contained in its own virtual computer. This means the program doesn’t have to be customized to work on various operating systems. Security-wise, this means that the applet runs in a sandbox. The sandbox is the Java virtual machine that keeps the applet contained and controls its interaction with the host OS and system resources.


Security+ Objective 1.4 Carry out the appropriate procedures to establish application security – ActiveX

The next few items are pretty easy to deal with on the Security+ exam. There really isn’t too much that you have to know about them.
ActiveX is basically a way to make web pages do more than HTML is capable of. Let’s say you go to a photo website and want to upload your photos. With traditional web pages you would have to upload one photo at a time. So, that website might have an ActiveX control that you can install which allows you to upload hundreds of photos simultaneously. ActiveX just made life much easier!
But wait… If ActiveX makes web pages do more than HTML is capable of, couldn’t bad guys use it for evil? Absolutely! They could use it to erase all of your photos, or take control of your webcam and take some new photos, or just about anything else a program could do. You need to know this for the exam.
You also need to know that you can disable unauthorized ActiveX controls to protect your organization’s users from malicious code. This means they will have to upload one photo at a time unless an administrator authorizes it, but hey, they shouldn’t be doing that at work anyway!


Security+ Objective 1.3 Implement OS hardening practices and procedures to achieve workstation and server security – Configuration Baselines

A baseline is a starting point for measurement or construction.

When we talk about configuration baselines we are usually talking about the starting point for system construction. Applying a configuration baseline would be the first task performed on new systems. This is often done by deploying a standard image which is preconfigured with a set of consistent, required security settings. After that, the system would be updated with the latest patches and receive any additional configuration and software. Configuration baselines allow for easier security management by standardizing what could otherwise be a chaotic free-for-all.

You could also use a baseline as a measuring point to track deviations in security configuration. In this situation, the baseline would be taken after the initial configuration is complete. If some malware attempts to secretly alter the system, it would be detected. By having a baseline, we have a comparison point to identify these changes.
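An added example (not from the original post) of the second use of a baseline, measuring deviations: it records a SHA-256 digest of each monitored file once initial configuration is complete, then compares a later snapshot against that record and reports what changed, appeared or disappeared. The file paths and contents are constructed for the example; a real tool would read them from disk.

```python
import hashlib

# Constructed snapshot of a freshly imaged system: path -> file content.
GOLD_IMAGE = {
    "/etc/ssh/sshd_config": b"PermitRootLogin no\nPasswordAuthentication no\n",
    "/etc/hosts": b"127.0.0.1 localhost\n",
    "/usr/local/bin/backup.sh": b"#!/bin/sh\ntar czf /backup/home.tgz /home\n",
}


def take_baseline(files: dict) -> dict:
    """Record a SHA-256 digest for every monitored file. This is the
    measuring point taken after initial configuration is complete."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def compare_to_baseline(baseline: dict, current_files: dict) -> dict:
    """Report every deviation from the baseline: files whose contents changed,
    files that appeared, and files that disappeared."""
    current = take_baseline(current_files)
    return {
        "changed": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def demo() -> dict:
    baseline = take_baseline(GOLD_IMAGE)
    # Constructed later state: one setting weakened, the backup script edited,
    # a scheduled job added, and the hosts file gone. All invented for the demo.
    later = dict(GOLD_IMAGE)
    later["/etc/ssh/sshd_config"] = b"PermitRootLogin yes\nPasswordAuthentication no\n"
    later["/usr/local/bin/backup.sh"] = b"#!/bin/sh\necho altered\n"
    later["/etc/cron.d/extra"] = b"@reboot root /opt/extra/start\n"
    del later["/etc/hosts"]
    return compare_to_baseline(baseline, later)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Because the comparison is against a digest recorded earlier, a change is detected even when the file keeps its name, size and timestamp.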
