Client-Side Attacks and Defense

Authors: Rob Shimonski and Sean-Philip Oriyano
Pages: 296
Publisher: Syngress
ISBN: 1597495905

Introduction

Whether it’s security vulnerabilities in software used by millions of home users and employees, or the natural human tendency to trust what comes at us, but even the most complex and far-reaching attacks today start with the compromise of a single endpoint.

Unfortunately, this trend will continue until we either all learn to avoid these threats, or software and hardware developers churn out completely secure solutions – which means never. But, let’s do what we can, shall we? Educating ourselves shouldn’t be a chore, but a welcome option.

About the authors

Sean-Philip Oriyano has spent his time in the field working with nearly all aspects of IT and management with special emphasis on Information Security concepts, techniques, and practices.

Rob Shimonski is a best-selling author and editor with over 15 years experience developing, producing and distributing print media in the form of books, magazines and periodicals.

Inside the book

It is natural for attackers to choose to strike where defenses are poorest. Servers and networks have become well-defended, so attackers are going for the users and their computers and devices. Client-side attacks are many and varied, and this books addresses them all.

Using Cross-Site Scripting (XSS) as an introductory example, the authors have thoroughly dissected the attack and get readers through it step by step. Without getting into too many details at first, they explained simply the environment in which it is deployed, how it’s planned, and the main types of vulnerabilities this and other client-side attacks depend on for success.

Client-side attacks can be aimed at popular computer software such as browsers and mail clients, web applications, active content technologies, and mobile devices. Each of these attack types get a chapter, but browser attacks encompasses four. It is understandable, as they are the users’ main door to the Internet.

After a brief explanation of the common functions and features of modern browsers, the authors addressed those of Internet Explorer, Firefox, Chrome, Safari and Opera, along with their known flaws and security issues, then followed up with advanced web browser defenses.

Peppered with tips, warnings and screenshots, this last chapter is a great source of information on how to “lock down” each of the browsers and their various active content elements such as Java, Flash, ActiveX, and others introduced and explained beforehand.

Email client attacks – spam, malware, malicious code, DoS, hoaxes and phishing – are detailed and accompanied with concrete and theoretical examples. The chapters dedicated to web application and mobile attacks are thorough, and the latter should be compulsory reading for everyone owning a “smart” mobile device – whether it is one of Apple’s iDevices, those running on Google’s Android OS, or RIM’s Blackberry.

Finally, the authors address the necessity of security planning (security policies), and of considering security needs from the very start. The pros for securing apps and infrastructure with things like digital signatures, certificates and PKI are explained, as well as these solutions’ limitations, and the book finishes with methods for securing clients (AV, patching, etc.)

Final thoughts

I really enjoyed how the authors eased gently into the subject, each new chapter offering enough new information to make it interesting, but not too much to prevent readers from feeling overwhelmed. They explained things in a way that should be understandable to anyone using the software and apps daily and looking for ways to make their computer use safer.

I would recommend this book to inquisitive home users, but have to say that security professionals – apart from those only beginning their work in the field – will not find much to hold their interest.