Server Net Sec
MSCCS//2024/46923
SERVER AND NETWORK SECURITY.
1. Your organization has just discovered that it is using SSL 3.0 for securing
communication between clients and servers. What steps would you take to improve the
security of your infrastructure?
(10 points)
Disable SSL 3.0: Modify server configurations to reject SSL 3.0 connections, preventing
vulnerabilities like POODLE that allow attackers to decrypt encrypted traffic.
Use TLS 1.2 or higher: Enforce the use of TLS 1.2 or TLS 1.3 in server and client configurations
to ensure stronger encryption, improved security, and better performance.
Update server configurations: Remove weak cipher suites such as RC4, MD5, and SHA-1, which
are susceptible to cryptographic attacks, and replace them with stronger ones like AES-GCM.
Enable Perfect Forward Secrecy (PFS): Use key exchange algorithms like ECDHE to generate
unique session keys for each session, ensuring past communications remain secure even if the
private key is compromised.
Apply HTTP Strict Transport Security (HSTS): Add the Strict-Transport-Security
header to enforce HTTPS-only communication, preventing downgrade attacks and ensuring
encrypted connections.
Ensure certificate validity: Use strong encryption certificates (2048-bit RSA or ECC) issued by a
trusted Certificate Authority (CA) and renew them before expiration to maintain security.
Regularly update software and libraries: Keep OpenSSL, web servers, and TLS libraries updated
to patch vulnerabilities that could be exploited in SSL/TLS implementations.
Use Certificate Pinning: Predefine trusted certificates in your application to prevent attackers from
presenting fraudulent certificates and performing MITM attacks.
Monitor logs and traffic: Use security tools like SIEM, IDS, or log analyzers to detect anomalies,
unauthorized access attempts, or SSL/TLS-based attack patterns.
Test security settings: Use tools like SSL Labs’ SSL Test to evaluate protocol versions, cipher
strength, and security misconfigurations to ensure a hardened SSL/TLS setup.
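The protocol, cipher and PFS steps above can be applied and checked in code. The following is an added example, not part of the original answer: it builds a server-side context with Python's standard ssl module and audits the enabled suites. The function names and the audit rules are assumptions of this example, and the suite names passed to the audit are constructed samples in OpenSSL naming.

```python
import ssl

# Name fragments for the weak primitives named in the answer (OpenSSL naming).
WEAK_FRAGMENTS = ("RC4", "MD5")

def hardened_server_context():
    """Server context: TLS 1.2 or higher, ECDHE key exchange (PFS), AES-GCM."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuses SSL 3.0, TLS 1.0, TLS 1.1
    ctx.set_ciphers("ECDHE+AESGCM")               # governs TLS 1.2 suites only
    # A real server would now call ctx.load_cert_chain(certfile, keyfile).
    return ctx

def suite_findings(name):
    """Problems with one TLS 1.2-or-older suite, judged by its OpenSSL name."""
    findings = []
    if not name.startswith("ECDHE-"):
        findings.append("no ECDHE key exchange (no forward secrecy)")
    if "GCM" not in name:
        findings.append("not AES-GCM")
    findings += [f"uses {frag}" for frag in WEAK_FRAGMENTS if frag in name]
    if name.endswith("-SHA"):
        findings.append("SHA-1 MAC")
    return findings

def audit_context(ctx):
    """Map each problem (protocol floor or suite name) to its findings."""
    report = {}
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        report["protocol"] = ["minimum version below TLS 1.2"]
    for cipher in ctx.get_ciphers():
        if cipher["protocol"] == "TLSv1.3":
            continue  # TLS 1.3 suites are all AEAD with ephemeral key exchange
        problems = suite_findings(cipher["name"])
        if problems:
            report[cipher["name"]] = problems
    return report

if __name__ == "__main__":
    print("hardened context:", audit_context(hardened_server_context()))
    # Constructed legacy suite names, to show what the audit flags.
    for legacy in ("RC4-MD5", "AES256-SHA", "AES128-GCM-SHA256"):
        print(legacy, "->", suite_findings(legacy))
```

An empty report for the hardened context means every enabled TLS 1.2 suite uses ECDHE with AES-GCM; an external scan such as the SSL Labs test mentioned above remains the check on what the deployed server actually negotiates.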
2. What specific settings would you apply to ensure the website is secure and resistant to
common attacks?
(5 points)
Use HTTPS exclusively: Redirect all HTTP traffic to HTTPS using server configurations and
HSTS to ensure secure encrypted communication between clients and servers.
Implement Content Security Policy (CSP): Restrict the sources of executable scripts, images, and
styles to prevent cross-site scripting (XSS) and code injection attacks.
Disable weak ciphers and outdated protocols: Enforce strong encryption like AES-256-GCM and
disable legacy protocols such as TLS 1.0 and 1.1 to reduce cryptographic vulnerabilities.
Apply secure HTTP headers: Use X-Frame-Options to prevent clickjacking, X-XSS-Protection
to mitigate XSS attacks, and X-Content-Type-Options to prevent MIME-type sniffing.
Sanitize and validate user input: Implement input validation and parameterized queries to prevent
injection-based attacks like SQL Injection and Command Injection.
Certificate-based authentication: Ensures that servers present valid certificates issued by a trusted
CA, preventing attackers from using fake certificates to impersonate legitimate services.
Encryption: Uses strong cryptographic algorithms like AES-256 to encode data in transit, making
intercepted communication unreadable to unauthorized entities.
Message Integrity (MAC): Uses cryptographic hash functions (HMAC or AEAD) to verify data
integrity, ensuring that transmitted messages are not altered by an attacker.
Key Exchange Security: Uses secure key exchange algorithms like ECDHE and RSA to negotiate
encryption keys without exposing them to potential eavesdroppers.
Perfect Forward Secrecy (PFS): Generates unique session keys for each TLS session, ensuring
that even if a private key is compromised, past communications cannot be decrypted.
Certificate Pinning: Restricts the certificates that a client trusts to a predefined set, preventing
attackers from presenting fraudulent certificates in MITM attacks.
HSTS (Strict Transport Security): Enforces HTTPS connections, ensuring that browsers refuse to
connect via unencrypted HTTP, which can be exploited in downgrade attacks.
OCSP Stapling: Allows servers to provide real-time certificate revocation status updates,
preventing clients from trusting revoked certificates issued by compromised CAs.
TLS Handshake Validation: Ensures the integrity of the TLS handshake process by preventing
attackers from tampering with cryptographic parameters or forcing weaker encryption.
DNSSEC: Protects DNS queries using cryptographic signatures, preventing attackers from
redirecting users to malicious websites through DNS spoofing.