350 Chapter 5 • Communication Security: Web Based Services
nothing, so there is no reason to risk your data and the integrity of your system
and network by continuing to run an outdated version of the browser.
Q: I want to FTP a file to a server. When I logged into the FTP server with my credentials and started to transfer the file, I remembered hearing that FTP is sent in cleartext. Have I just exposed myself to an attacker?
A: Yes. When you use FTP you can potentially expose yourself to hackers that may be eavesdropping on the network. Because of this fact, you should always consider an alternative if you really want to be secure when using FTP. S/FTP is one such alternative.
Q: Sniffers are used on my network. Is it possible to FTP something securely?
A: Yes, you can use S/FTP, which is a secure form of FTP. It is very similar to
SSH in that it encrypts the traffic sent so that eavesdropping will not pick up
any usable data.
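To make the two FTP answers above concrete, here is an added example (not from the book) that scans a constructed capture of an FTP control channel, exactly what a sniffer on the network would record, and reports the credentials sent in cleartext; the session transcript, hostname and account are made up for illustration. Passwords are redacted in the findings so the tool is safe to use in an audit report.

```python
"""Added example: why cleartext FTP is a risk. An eavesdropper sees the
USER/PASS commands below verbatim; with S/FTP the same traffic is ciphertext."""
import re
from dataclasses import dataclass

# Constructed sample: one FTP control-channel session as a sniffer would
# record it (client lines prefixed "C:", server lines "S:"). Not real data.
SAMPLE_CAPTURE = """\
S: 220 ftp.example.test FTP server ready
C: USER alice
S: 331 Password required for alice
C: PASS hunter2
S: 230 User alice logged in
C: PASV
S: 227 Entering Passive Mode (192,0,2,10,195,80)
C: STOR report.xlsx
S: 150 Opening BINARY mode data connection
S: 226 Transfer complete
"""

@dataclass
class Finding:
    line_no: int
    kind: str      # "username" or "password"
    value: str     # the password itself is never stored, only its length

CLIENT_CMD = re.compile(r"^C:\s*(USER|PASS)\s+(\S+)", re.IGNORECASE)

def find_cleartext_credentials(capture: str) -> list[Finding]:
    """Return every USER/PASS command visible on the cleartext control channel."""
    findings = []
    for no, line in enumerate(capture.splitlines(), start=1):
        m = CLIENT_CMD.match(line)
        if not m:
            continue
        cmd, arg = m.group(1).upper(), m.group(2)
        if cmd == "USER":
            findings.append(Finding(no, "username", arg))
        else:
            findings.append(Finding(no, "password", "<redacted, %d chars>" % len(arg)))
    return findings

def session_is_authenticated(capture: str) -> bool:
    """True if the server answered the login with 230: a valid credential was
    exposed and should be rotated, not just a failed guess."""
    return any(line.startswith("S: 230") for line in capture.splitlines())
```

Running `find_cleartext_credentials(SAMPLE_CAPTURE)` reports the username on line 2 and a redacted password on line 4, and `session_is_authenticated` confirms the leaked credential was accepted.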
Q: I have a Web server that uses CGI scripting to work with a backend database. I
have learned that there may be problems with code-based exploits. Should I be
concerned when using CGI?
A: CGI scripts can definitely be exploited, especially if they are poorly written. CGI scripts can be exploited within the browser itself and may open up potential holes in your Web server or provide access to the database.
Self Test
A Quick Answer Key follows the Self Test questions. For complete questions,
answers, and explanations to the Self Test questions in this chapter as well as
the other chapters in this book, see the Self Test Appendix.
1. When performing a security audit on a company’s Web servers, you note that the Web service is running under the security context of an account that is a member of the server’s local Administrators group. What is the best recommendation to make in your audit results?
A. Use a different account for the Web service that is a member of the
Domain Administrators group rather than the local Administrators group.
www.syngress.com