Basics of Security and Attack

© 2009 Wipro Ltd Internal & Restricted Basics of Security and Attack



Transcript of Basics of Security and Attack

Page 1: Basics of Security and Attack


Basics of Security and Attack

Page 2: Basics of Security and Attack


Agenda

1 Definitions of Security Terms
2 Security Technologies
3 VA, PT, VM & Compliances
4 Security Attacks
5 Software Exploits

Page 3: Basics of Security and Attack


1. Definitions of Security Terms

When > Where > How

Page 4: Basics of Security and Attack


Definitions

• Protected Resources / Asset: Things to protect
• Entry/Exit Points: Ways to get at an asset
• Threat: Risks to an asset
  – Attack / exploit: An action taken that harms an asset
  – Vulnerability: A hole or a weakness in the system, which can be a design flaw, an implementation bug etc., that allows an attacker to cause harm to the stakeholders of the system. Stakeholders include the application owner, administrators, users, and other entities that rely on the system.
• Risk: Likelihood that a vulnerability could be exploited
• Mitigation / Countermeasure: Something that addresses a specific vulnerability

Page 5: Basics of Security and Attack


Terminology Example

• Asset(s):
  – $5,000,000 under the mattress in guest bedroom
• Threat(s):
  – Losing the $5,000,000
• Entry/Exit Points:
  – Front & Side Doors
  – Windows (guest bedroom & elsewhere in residence)
• Note vulnerability can be shared across attacks(!)

Threat                | Attack                              | Vulnerability                                  | Risk (0-100)
Losing the $5,000,000 | Burglar breaks in and steals money  | Plain glass windows                            | 95
Losing the $5,000,000 | Burglar breaks in and steals money  | Windows can be lifted out of frame             | 85
Losing the $5,000,000 | Burglar breaks in and steals money  | No dead bolt on doors / doors can be kicked in | 75
Losing the $5,000,000 | Burglar breaks in and steals money  | No alarm system                                | 100
Losing the $5,000,000 | House burns down                    | No alarm system                                | 100

Page 6: Basics of Security and Attack


Hacker

The term "Hacker" may mean simply a person with mastery of computers; however, the mass media most often uses "Hacker" as synonymous with a (usually criminal) computer intruder.

In a security context, a hacker is someone involved in computer security/insecurity, specializing in the discovery of exploits in systems (for exploitation or prevention), or in obtaining or preventing unauthorized access to systems through skills, tactics and detailed knowledge.

Page 7: Basics of Security and Attack


Types of Hackers

• White hat - Someone who breaks security but who does so for altruistic or at least non-malicious reasons. They generally have a clearly defined code of ethics, and will often attempt to work with a manufacturer or owner to improve discovered security weaknesses.
• Grey hat - A hacker of ambiguous ethics and/or borderline legality, often frankly admitted.
• Bluehat - Someone outside computer security consulting firms that are used to bug test a system prior to its launch, looking for exploits so they can be closed. Microsoft also uses the term Bluehat to represent a series of security briefing events.
• Black hat - Someone who subverts computer security without authorization or who uses technology (usually a computer or the Internet) for terrorism, vandalism, credit card fraud, identity theft, intellectual property theft, or many other types of crime. This can mean taking control of a remote computer through a network, or software cracking.
• Script kiddie - Script kiddie is a pejorative term for a computer intruder with little or no skill; a person who simply follows directions or uses a cook-book approach without fully understanding the meaning of the steps they are performing.
• Hacktivist - A hacktivist is a hacker who utilizes technology to announce a political message. Web vandalism is not necessarily hacktivism.

Page 8: Basics of Security and Attack


Types of Attacks

• Criminal Attacks
  – Basis is in financial gain
  – Includes fraud, destruction and theft (personal, brand, identity)
• Privacy Violations
  – Private/personal information acquired by organizations not authorized.
  – Includes surveillance, databases, traffic analysis
• Publicity Attacks
  – Attacker wants to get their name(s) in the papers
  – Can affect ANY system, not just related to profit centers
  – Denial of service
• Legal Attack
  – Setup situation to use discovery process to gather information
  – Rare, but possibly devastating

Page 9: Basics of Security and Attack


Methods of Attacking the Network

• Password sniffing
  – Collect first parts of data packet and look for login attempts
• IP Spoofing
  – Fake packet to “hijack” a session and gain access
• DNS Overrides
  – Malicious access to a DNS server can compromise a network
• Denial of Service Attacks – Single and Distributed
  – Large number of “SYN” packets to establish dummy connections
    • System gets throttled handling all the “hello” requests
  – Massive number of e-mail messages will flood a system

Page 10: Basics of Security and Attack


Methods of Attacking the Network (Contd.)

• Port scanning
  – Automated process that looks for open networking ports
  – Logs positive hits for later exploits
• Buffer overrun packets
  – Attacker sends carefully built packet to computers on network that support specific services. (E-mail, IIS)
  – Packet causes accepting process to abort, leaving system in unknown state, potentially with root access
  – Packet contains code that executes to get root access

Page 11: Basics of Security and Attack


Methods of Defending a Network

• Firewalls
  – Networking devices (routers) that check traffic coming into a private network
  – Needs to be complete and properly configured to ensure protection
  – Good protection for general networking traffic, but specific traffic will still get through.
• DMZs
  – Network space between two firewalls
• VPNs
  – Provides encrypted access from outside a network.
  – Current versions aren’t reliable enough and aren’t useful against “slow” attacks.

Page 12: Basics of Security and Attack


Methods of Defending a Network (Contd.)

• Burglar alarms
  – Traps set on specific networked objects that go off if accessed
• Honey pots
  – Dummy objects used to attract attacks. Range from single devices to whole sub networks.
• Vulnerability scanners
  – Tools that scan a network periodically for holes/open gateways / misconfigured routers
  – Limited in scope because of potential damage to the network
• Cryptography
  – Has potential, but complexity limits its use to local sites.

Page 13: Basics of Security and Attack


Wrap Up

• Continue to monitor and evolve
  – Listen to CERT bulletins and evaluate those to your systems
  – Network with industry acquaintances for possibly new styles of attacks
  – Try to be proactive
  – Formalize a security strategy:
    • WHO is accessing your data?
    • WHAT is the key resource(s) you need to protect?
    • WHEN is data access expected?
    • WHERE are your users who are accessing your data?

Page 14: Basics of Security and Attack


2. Security Technologies

Page 15: Basics of Security and Attack


Firewalls

• A firewall is a dedicated appliance, or software running on another computer, which inspects network traffic passing through it; and denies or permits passage based on a set of rules.
• Firewalls make it possible to filter incoming and outgoing traffic that flows through your system.
• A firewall can use one or more sets of “rules” to inspect the network packets as they come in or go out of your network connections and either allows the traffic through or blocks it.
• The rules of a firewall can inspect one or more characteristics of the packets, including but not limited to the protocol type, the source or destination host address and the source or destination port.

Page 16: Basics of Security and Attack


General Firewall Techniques

• Service control
  – Type of service: inbound or outbound
• Traffic filtering — based on IP address & TCP port nr
  – Provides proxy software to receive or interpret service request before passing it on
  – Could also host server software (e.g. Web or mail service)
    • Not recommended
      – Complicates it (more code => more vulnerabilities)
• User Control
  – Control access to service using ACLs
• Behavior Control
  – E.g. filter e-mail for spam

Page 17: Basics of Security and Attack


Firewall Characteristics

• All traffic (incoming / outgoing) must pass through firewall
• Only authorized traffic is allowed to pass
• Firewall itself must be immune to penetration
  – i.e. It must use trusted system with secure OS (minimum size/complexity)
  – Usually implemented on dedicated device
    • Dedicated = only firewall functions performed on this device
  – Firewall code must be very well protected

Page 18: Basics of Security and Attack


Firewall Types

• Basic kinds of firewalls:
  – Hardware firewalls
    • More common
    • Implemented on router level
    • More expensive / more difficult to configure
  – Software firewalls
    • Used in single workstations
    • Less expensive / easier to configure

Page 19: Basics of Security and Attack


Evolution of Firewalls

Stage of Evolution: Packet Filter → Stateful Inspection → Application Proxy → Deep Packet Inspection

Page 20: Basics of Security and Attack


Network Address Translation (NAT)

• NAT is a technology that hides the private network.
• It allows a single device to act as an intermediary between the Internet and a local network. This effectively means that a single IP address can be used for an entire group of computers.
• Converts private addresses to legally registered public IP addresses.
• NAT is commonly supported by WAN access routers and firewalls.

Page 21: Basics of Security and Attack


Challenges faced

• Lots of vulnerabilities on hosts in network
• Users don’t keep systems up to date
  – Lots of patches
  – Lots of exploits in wild (no patch for them)
• Solution?
  – Limit access to the network
    • Don’t trust outsiders
    • Trust insiders(!!!)
  – Put firewalls across the perimeter of the network

Page 22: Basics of Security and Attack


Firewalls (Contd.)

• Firewall inspects traffic through it
• Has a pre-defined policy
• Allows traffic specified in the policy
• Drops everything else
• Two Types
  – Packet Filters, Proxies

[Diagram: Internet – Firewall – Internal Network]

Page 23: Basics of Security and Attack


Packet Filters

• Packet filter selectively passes packets from one network interface to another
• Usually done within a router between external and internal networks
  – screening router
• Can be done by a dedicated network element
  – packet filtering bridge
  – harder to detect and attack than screening routers
• Example filters
  – Block all packets from outside except for SMTP servers
  – Block all traffic to a list of domains
  – Block all connections from a specified domain

Page 24: Basics of Security and Attack


Packet Filters (Contd.)

• Data Available
  – IP source and destination addresses
  – Transport protocol (TCP, UDP, or ICMP)
  – TCP/UDP source and destination ports
  – ICMP message type
  – Packet options (Fragment Size etc.)
• Actions Available
  – Allow the packet to go through
  – Drop the packet (Notify Sender/Drop Silently)
  – Alter the packet (NAT?)
  – Log information about the packet

Page 25: Basics of Security and Attack


Typical Firewall Configuration

[Diagram: Internet, Intranet and DMZ joined through the firewall; X marks the blocked paths]

• Internal hosts can access DMZ and Internet
• External hosts can access DMZ only, not Intranet
• DMZ hosts can access Internet only
• Advantages?
  – If a service gets compromised in DMZ it cannot affect internal hosts

Page 26: Basics of Security and Attack


Example Firewall Rules

• Stateless packet filtering firewall
• Rule → (Condition, Action)
• Rules are processed in top-down order
  – If a condition is satisfied for a packet – action is taken
  – All rules checked

Page 27: Basics of Security and Attack


Sample Firewall Rule

Rule  | Dir | Src Addr | Src Port | Dst Addr | Dst Port | Proto | Ack Set? | Action
SSH-1 | In  | Ext      | > 1023   | Int      | 22       | TCP   | Any      | Allow
SSH-2 | Out | Int      | 22       | Ext      | > 1023   | TCP   | Yes      | Allow

• Allow SSH from external hosts to internal hosts
  – Two rules
    • Inbound and outbound
  – How to know a packet is for SSH?
    • Inbound: src-port>1023, dst-port=22
    • Outbound: src-port=22, dst-port>1023
    • Protocol=TCP
  – Ack Set?
  – Problems?

[Diagram: TCP three-way handshake between Client and Server: SYN →, ← SYN/ACK, ACK →]

Page 28: Basics of Security and Attack


Default Firewall Rules

• Egress Filtering
  – Outbound traffic from external address → Drop
  – Benefits?
• Ingress Filtering
  – Inbound Traffic from internal address → Drop
  – Benefits?
• Default Deny
  – Why?

Rule    | Dir | Src Addr | Src Port | Dst Addr | Dst Port | Proto | Ack Set? | Action
Ingress | In  | Int      | Any      | Int      | Any      | Any   | Any      | Deny
Egress  | Out | Ext      | Any      | Ext      | Any      | Any   | Any      | Deny
Default | Any | Any      | Any      | Any      | Any      | Any   | Any      | Deny
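As an added example (not from the Wipro slides), the rule table above together with the SSH-1/SSH-2 rules from page 27, evaluated by a small stateless packet filter in Python; the internal address space 10.0.0.0/8, the sample hosts and the first-match ordering are constructed assumptions.

```python
"""Stateless packet filter modelled on the slides' rule tables.

Added example, not code from the slides. Addresses are classified as "Int"
(constructed internal space 10.0.0.0/8) or "Ext"; rules are evaluated
top-down and the first matching rule decides (a constructed assumption).
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, Dict, Optional, Tuple

INTERNAL = ip_network("10.0.0.0/8")  # constructed internal address space


def zone(addr: str) -> str:
    return "Int" if ip_address(addr) in INTERNAL else "Ext"


@dataclass(frozen=True)
class Packet:
    direction: str     # "In" = arriving from outside, "Out" = leaving
    src: str
    sport: int
    dst: str
    dport: int
    proto: str         # "TCP", "UDP" or "ICMP"
    ack: bool = False  # TCP ACK flag: the only stateless hint that a connection exists


def any_port(_: int) -> bool:
    return True


def high_port(p: int) -> bool:
    return p > 1023


@dataclass(frozen=True)
class Rule:
    name: str
    direction: str                # "In", "Out" or "Any"
    src_zone: str                 # "Int", "Ext" or "Any"
    sport: Callable[[int], bool]
    dst_zone: str
    dport: Callable[[int], bool]
    proto: str                    # "TCP", "UDP", "ICMP" or "Any"
    ack_set: Optional[bool]       # None means "Any"
    action: str                   # "Allow" or "Deny"

    def matches(self, pkt: Packet) -> bool:
        return (self.direction in ("Any", pkt.direction)
                and self.src_zone in ("Any", zone(pkt.src))
                and self.sport(pkt.sport)
                and self.dst_zone in ("Any", zone(pkt.dst))
                and self.dport(pkt.dport)
                and self.proto in ("Any", pkt.proto)
                and (self.ack_set is None or self.ack_set == pkt.ack))


# Anti-spoofing rules first, then the two SSH rules, then default deny.
RULES = [
    Rule("Ingress", "In", "Int", any_port, "Int", any_port, "Any", None, "Deny"),
    Rule("Egress", "Out", "Ext", any_port, "Ext", any_port, "Any", None, "Deny"),
    Rule("SSH-1", "In", "Ext", high_port, "Int", lambda p: p == 22, "TCP", None, "Allow"),
    Rule("SSH-2", "Out", "Int", lambda p: p == 22, "Ext", high_port, "TCP", True, "Allow"),
    Rule("Default", "Any", "Any", any_port, "Any", any_port, "Any", None, "Deny"),
]


def filter_packet(pkt: Packet, rules=RULES) -> Tuple[str, str]:
    """Return (rule name, action) of the first rule whose condition the packet satisfies."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.name, rule.action
    raise ValueError("rule set must end with a default rule")


def demo() -> Dict[str, Tuple[str, str]]:
    ext, internal = "198.51.100.7", "10.0.0.5"  # constructed sample hosts
    cases = {
        # client SYN opening SSH from outside: SSH-1
        "ssh_syn_in": Packet("In", ext, 40000, internal, 22, "TCP"),
        # server SYN/ACK going back out: ACK set, so SSH-2 matches
        "ssh_synack_out": Packet("Out", internal, 22, ext, 40000, "TCP", ack=True),
        # internal host opening a connection from port 22 outwards: ACK clear,
        # SSH-2 does not match and the default rule denies it
        "ssh_syn_out": Packet("Out", internal, 22, ext, 40000, "TCP"),
        # inbound packet claiming an internal source address: Ingress drops it
        "spoofed_in": Packet("In", "10.0.0.9", 40000, internal, 22, "TCP"),
        # UDP to port 22 is covered by no allow rule
        "udp_in": Packet("In", ext, 40000, internal, 22, "UDP"),
        # limit of a stateless filter ("Problems?"): an inbound ACK-only packet to
        # port 22 passes SSH-1 although no connection was ever opened
        "stray_ack_in": Packet("In", ext, 40000, internal, 22, "TCP", ack=True),
    }
    return {name: filter_packet(pkt) for name, pkt in cases.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:15s} -> {verdict}")
```

The last case is the weakness the slide's "Problems?" points at: without connection state the filter cannot tell a stray ACK from one belonging to a real session, which is what the stateful filters on page 30 fix.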

Page 29: Basics of Security and Attack


Packet Filters

• Advantages
  – Transparent to application/user
  – Simple packet filters can be efficient
• Disadvantages
  – Usually fail open
  – Very hard to configure the rules
  – Doesn’t have enough information to take actions
    • Does port 22 always mean SSH?
    • Who is the user accessing the SSH?
• What is the fix?

Page 30: Basics of Security and Attack


Alternatives

• Stateful packet filters
  – Keep the connection states
  – Easier to specify rules – connection level
  – More popular
  – Problems?
    • State explosion
    • State for UDP/ICMP?

Page 31: Basics of Security and Attack


Alternatives (Contd.)

• Proxy Firewalls
  – Two connections instead of one
  – Either at transport level
    • SOCKS proxy
  – Or at application level
    • HTTP proxy
• Requires applications (or dynamically linked libraries) to be modified to use the proxy

Page 32: Basics of Security and Attack


Proxy Firewall

• Data Available
  – Application level information
  – User information
• Advantages:
  – Better policy enforcement
  – Better logging
  – Fail closed
• Disadvantages:
  – Doesn’t perform as well
  – One proxy for each application
  – Client modification

Page 33: Basics of Security and Attack


What is VPN?

• A VPN is a means of carrying private traffic over a public network.
• Often used to connect two private networks, over a public network, to form a virtual network
• The word virtual means that, to the users on either end, the two private networks seem to be seamlessly connected to each other.
• That is, they are part of a single virtual private network (although physically they are two separate networks).
→ implication? connectivity, security, privacy
The VPN should provide the same connectivity and privacy you would find on a typical local private network.

Page 34: Basics of Security and Attack


Different Types of VPNs

• Based on encryption:
  – Encrypted VPNs
  – Nonencrypted VPNs
• Based on OSI model:
  – Data link layer VPNs
  – Network layer VPNs
  – Application layer VPNs
• Based on business functionality:
  – Intranet VPNs
  – Extranet VPNs

Page 35: Basics of Security and Attack


Brief Overview of How it Works

• Two connections – one is made to the Internet and the second is made to the VPN.

• Datagrams – contain data, destination and source information.
• Firewalls – VPNs allow authorized users to pass through the firewalls.
• Protocols – protocols create the VPN tunnels.

2 main VPN architectures:

• There are products based on IPSec and Point to Point Tunneling Protocol (PPTP) or L2TP (Layer 2 Tunneling Protocol)
• Although IPSec has become the de facto standard for LAN to LAN VPNs, PPTP and L2TP are heavily used for single client to LAN connections.
• Therefore, many VPN products support IPSec, PPTP and L2TP.

Page 36: Basics of Security and Attack


Technologies

Page 37: Basics of Security and Attack


Tunneling

A virtual point-to-point connection made through a public network. It transports encapsulated datagrams.

Data Encapsulation [From Comer]:
  Original Datagram → Encrypted Inner Datagram, carried in the Data Area of the Outer Datagram behind the Outer Datagram Header

Two types of end points:
• Remote Access
• Site-to-Site

Page 38: Basics of Security and Attack


VPN Encapsulation of Packets

Page 39: Basics of Security and Attack


IPSec uses two Basic Security Protocols

• Authentication Header (AH): It is the authenticating protocol
• Encapsulating Security Payload (ESP): ESP is an authenticating and encrypting protocol that provides source authentication, confidentiality, and message integrity.
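Added example (not the slides' own code) of the tunneling and encapsulation described on page 37 together with the AH/ESP distinction above: an inner datagram is wrapped in an outer datagram between two gateways, once AH-style (authenticated, in clear) and once ESP-style (encrypted and authenticated). The datagram layout, the keys and the HMAC-based keystream standing in for ESP's block cipher are all constructed assumptions.

```python
"""Tunnel-mode encapsulation with AH-style and ESP-style protection.

Added example, not code from the slides. The datagram formats are
constructed for illustration; the HMAC counter-mode keystream stands in
for the block cipher (e.g. AES) a real ESP implementation would use.
"""
import hashlib
import hmac
import struct
from dataclasses import dataclass

AUTH_KEY = b"constructed-auth-key-32-bytes-long!!"   # constructed sample keys
ENC_KEY = b"constructed-enc-key-32-bytes-long!!!"
PROTO_AH, PROTO_ESP = 51, 50                           # IP protocol numbers of AH and ESP
TAG_LEN = 32                                           # HMAC-SHA256 integrity check value


@dataclass(frozen=True)
class Datagram:
    src: str        # dotted quad
    dst: str
    payload: bytes

    def pack(self) -> bytes:
        # constructed header: 4-byte src, 4-byte dst, 2-byte length, then payload
        s = bytes(int(o) for o in self.src.split("."))
        d = bytes(int(o) for o in self.dst.split("."))
        return s + d + struct.pack("!H", len(self.payload)) + self.payload

    @classmethod
    def unpack(cls, raw: bytes) -> "Datagram":
        s = ".".join(str(b) for b in raw[0:4])
        d = ".".join(str(b) for b in raw[4:8])
        (n,) = struct.unpack("!H", raw[8:10])
        if len(raw) != 10 + n:
            raise ValueError("truncated datagram")
        return cls(s, d, raw[10:10 + n])


def outer_header(gw_src: str, gw_dst: str, proto: int) -> bytes:
    # gateway addresses plus the protocol of what the data area carries
    return Datagram(gw_src, gw_dst, b"").pack()[:8] + struct.pack("!B", proto)


def _keystream(seq: int, length: int) -> bytes:
    # PRF in counter mode; seq must never repeat under one key (as with ESP's sequence number)
    out, block = b"", 0
    while len(out) < length:
        out += hmac.new(ENC_KEY, struct.pack("!II", seq, block), hashlib.sha256).digest()
        block += 1
    return out[:length]


def _xor(data: bytes, key: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, key))


def encapsulate(inner: Datagram, gw_src: str, gw_dst: str, mode: str, seq: int) -> bytes:
    """Wrap `inner` in an outer datagram travelling between the two VPN gateways."""
    inner_raw = inner.pack()
    if mode == "AH":
        hdr = outer_header(gw_src, gw_dst, PROTO_AH)
        # AH: inner datagram travels in clear; the ICV covers outer header + inner datagram
        icv = hmac.new(AUTH_KEY, hdr + inner_raw, hashlib.sha256).digest()
        return hdr + icv + inner_raw
    if mode == "ESP":
        hdr = outer_header(gw_src, gw_dst, PROTO_ESP)
        body = struct.pack("!I", seq) + _xor(inner_raw, _keystream(seq, len(inner_raw)))
        # ESP: ICV covers sequence number + ciphertext (encrypt-then-MAC), not the outer header
        icv = hmac.new(AUTH_KEY, body, hashlib.sha256).digest()
        return hdr + body + icv
    raise ValueError(f"unknown mode {mode}")


def decapsulate(outer: bytes) -> Datagram:
    """Receiving gateway: verify integrity first, then recover the inner datagram."""
    hdr, rest = outer[:9], outer[9:]
    proto = hdr[8]
    if proto == PROTO_AH:
        icv, inner_raw = rest[:TAG_LEN], rest[TAG_LEN:]
        expect = hmac.new(AUTH_KEY, hdr + inner_raw, hashlib.sha256).digest()
        if not hmac.compare_digest(icv, expect):
            raise ValueError("AH integrity check failed")
        return Datagram.unpack(inner_raw)
    if proto == PROTO_ESP:
        body, icv = rest[:-TAG_LEN], rest[-TAG_LEN:]
        if not hmac.compare_digest(icv, hmac.new(AUTH_KEY, body, hashlib.sha256).digest()):
            raise ValueError("ESP integrity check failed")
        (seq,) = struct.unpack("!I", body[:4])
        ct = body[4:]
        return Datagram.unpack(_xor(ct, _keystream(seq, len(ct))))
    raise ValueError(f"unknown protocol {proto}")


def demo() -> dict:
    inner = Datagram("10.1.0.7", "10.2.0.9", b"GET /payroll HTTP/1.0")  # constructed
    ah = encapsulate(inner, "203.0.113.1", "198.51.100.1", "AH", seq=1)
    esp = encapsulate(inner, "203.0.113.1", "198.51.100.1", "ESP", seq=1)
    tampered = esp[:-40] + bytes([esp[-40] ^ 0x01]) + esp[-39:]  # flip one ciphertext bit
    try:
        decapsulate(tampered)
        detected = False
    except ValueError:
        detected = True
    return {"ah_payload_visible": inner.payload in ah,
            "esp_payload_visible": inner.payload in esp,
            "ah_roundtrip": decapsulate(ah) == inner,
            "esp_roundtrip": decapsulate(esp) == inner,
            "esp_tamper_detected": detected}
```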

Page 40: Basics of Security and Attack


SSL Architecture

Page 41: Basics of Security and Attack


Authentication Protocols

• Password Authentication Protocol (PAP)
• Challenge Handshake Protocol (CHAP)
• Extensible Authentication Protocol (EAP)
• MPLS – Multi Protocol Label Switching
• Terminal Access Controller Access-Control System (TACACS)
• Remote Authentication Dial In User Service (RADIUS)
• Secured Over Credential-based Kerberos Services - SOCKS

Page 42: Basics of Security and Attack


VPN Comparisons

Page 43: Basics of Security and Attack


IDS Definition

It is better to prevent an attack than to detect it after it succeeds. Unfortunately, not all attacks can be prevented.

Some attackers become intruders — succeed in breaking defenses
Intrusion Prevention — first line of defense
Intrusion Detection — second line of defense

Intrusion Detection System (IDS) - a device (typically a separate computer) monitoring system activities to detect malicious / suspicious events like attacks.

• IDS runs constantly in the background - it alarms when it detects something suspicious.
• IDS should operate in stealth mode - be invisible to outside world
• IDSs attempt to detect
  • Outsiders breaking into a system OR
  • Insiders (legitimate users) performing illegitimate actions accidentally or deliberately

Page 44: Basics of Security and Attack


IDS Terminology

• Anomaly — abnormal behavior
• Misuse — activity that violates the security policy (subset of “anomaly”)
• Intrusion — misuse by outsiders and insiders
• Audit — activity of looking at user/system behavior, its effects, or collected data
• Profiling — looking at users or systems to determine ‘what they usually do’

Page 45: Basics of Security and Attack


Types of IDS

• Host-based IDS (HIDS)
  – Runs on a host
  – Monitors activities on this host only
• Network-based IDS (NIDS)
  – Stand-alone device
  – Monitors entire (sub) network

Hybrid types with respect to operation
  i. Signature-based IDSs
  ii. Anomaly-based IDSs (heuristic IDSs)
      (a) Misuse intrusion detection
  iii. Other IDS types

Page 46: Basics of Security and Attack


Host-based IDS

• Program on one specific host
• Analyses activity on that host
  – System calls
  – File-system modifications
  – Memory integrity
• Vulnerable to attacks, since they are part of the monitored system
• No protection against DoS attacks

Page 47: Basics of Security and Attack


Network-based IDS

• Analyze network traffic by inspecting packets
  – easy in non-switched networks
  – switched networks: network tap or port mirroring
  – only monitor traffic in specific segments (e.g. traffic via gateway)
• Can become bottlenecks in high-speed networks
• Cannot analyze encrypted packets

Page 48: Basics of Security and Attack


Signature Recognition

• Mostly for NIDS
• Match ongoing activities against known patterns (“signatures”)
• Pre-processing may be necessary (E.g. reassemble fragmented packets)
• Analyze packet headers: port scans, SYN floods, …
• Analyze payload: malicious code, …

Page 49: Basics of Security and Attack


Anomaly Detection

• Create patterns for normal user activity
• Detect deviations from these patterns
  – E.g. Secretary uses browser, email-client and text processor between 08.00 and 16.00; using nmap and gcc at 23.00 is abnormal
• Neural nets could be used
• Problem: Users’ behavior is analyzed, which means privacy is compromised
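Added example (not from the slides) combining the header-level signature recognition of page 48 (port scan, SYN flood) with the user-activity profile described here; the log formats, the thresholds and the secretary's profile are constructed.

```python
"""Signature recognition over packet headers and anomaly detection over
user activity, run on constructed sample logs.

Added example, not the slides' own code; log formats, thresholds and the
user profile are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime

# constructed packet-header log: time, src, dst, dst port, TCP flags (S=SYN, A=ACK, P=PSH)
PACKET_LOG = """\
08:00:01 198.51.100.7 10.0.0.5 21 S
08:00:01 198.51.100.7 10.0.0.5 22 S
08:00:01 198.51.100.7 10.0.0.5 23 S
08:00:02 198.51.100.7 10.0.0.5 25 S
08:00:02 198.51.100.7 10.0.0.5 110 S
08:00:02 198.51.100.7 10.0.0.5 3389 S
08:05:10 203.0.113.9 10.0.0.5 80 S
08:05:10 203.0.113.9 10.0.0.5 80 A
08:05:11 203.0.113.9 10.0.0.5 80 PA
08:10:00 192.0.2.11 10.0.0.5 80 S
08:10:00 192.0.2.12 10.0.0.5 80 S
08:10:00 192.0.2.13 10.0.0.5 80 S
08:10:00 192.0.2.14 10.0.0.5 80 S
"""

SIGNATURES = {
    "port_scan": {"distinct_ports": 5},  # one source probing >= 5 ports of one host
    "syn_flood": {"half_open": 4},       # >= 4 sources leave a SYN to one port unanswered
}


def parse_packets(log: str) -> list:
    rows = []
    for line in log.splitlines():
        t, src, dst, dport, flags = line.split()
        rows.append({"time": t, "src": src, "dst": dst, "dport": int(dport), "flags": flags})
    return rows


def match_signatures(packets: list) -> list:
    """Header-only signatures: no payload is inspected."""
    ports_by_src = defaultdict(set)   # (src, dst) -> ports that received a SYN
    syn_sources = defaultdict(set)    # (dst, dport) -> sources that sent a SYN
    completed = set()                 # (src, dst, dport) where the client's ACK was seen
    for p in packets:
        if p["flags"] == "S":
            ports_by_src[(p["src"], p["dst"])].add(p["dport"])
            syn_sources[(p["dst"], p["dport"])].add(p["src"])
        elif "A" in p["flags"]:
            completed.add((p["src"], p["dst"], p["dport"]))
    alerts = []
    for (src, dst), ports in ports_by_src.items():
        if len(ports) >= SIGNATURES["port_scan"]["distinct_ports"]:
            alerts.append(("port_scan", src, dst, sorted(ports)))
    for (dst, dport), srcs in syn_sources.items():
        half_open = [s for s in srcs if (s, dst, dport) not in completed]
        if len(half_open) >= SIGNATURES["syn_flood"]["half_open"]:
            alerts.append(("syn_flood", dst, dport, len(half_open)))
    return alerts


# constructed profile of "what the user usually does": programs and working hours
PROFILE = {
    "secretary": {"programs": {"firefox", "thunderbird", "soffice"}, "hours": range(8, 16)},
}

# constructed process-start log: date, time, user, program
PROCESS_LOG = """\
2009-05-04 09:12 secretary firefox
2009-05-04 13:40 secretary soffice
2009-05-04 23:05 secretary nmap
2009-05-04 23:07 secretary gcc
2009-05-04 15:30 secretary thunderbird
"""


def detect_anomalies(log: str, profile: dict = PROFILE) -> list:
    """Flag process starts that deviate from the user's profile (note: this is
    behaviour monitoring, the privacy trade-off the slide mentions)."""
    alerts = []
    for line in log.splitlines():
        date, hhmm, user, program = line.split()
        hour = datetime.strptime(f"{date} {hhmm}", "%Y-%m-%d %H:%M").hour
        prof = profile.get(user)
        reasons = []
        if prof is None:
            reasons.append("no profile")
        else:
            if program not in prof["programs"]:
                reasons.append("unusual program")
            if hour not in prof["hours"]:
                reasons.append("outside usual hours")
        if reasons:
            alerts.append((user, program, hhmm, reasons))
    return alerts


if __name__ == "__main__":
    print(match_signatures(parse_packets(PACKET_LOG)))
    print(detect_anomalies(PROCESS_LOG))
```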

Page 50: Basics of Security and Attack


Limits of IDS

• Attackers use avoidance strategies to avoid detection by IDS
• IDS sensitivity is difficult to measure and adjust
• Must strike a balance between false alarms and missing attacks
• Only as good as the process/people using it
• HIDS are vulnerable to attacks since they run on the monitored machine
• NIDS can become bottlenecks in high speed networks
• NIDS cannot deal with encrypted connections
• Only “known” attacks can be detected
• Heuristics and neural nets can produce false positives

Page 51: Basics of Security and Attack


IPS

• Intrusion prevention system – It is a computer security device that monitors network and/or system activities for malicious or unwanted behavior and can react, in real-time, to block or prevent those activities. Network-based IPS, for example, will operate in-line to monitor all network traffic for malicious code or attacks. When an attack is detected, it can drop the offending packets while still allowing all other traffic to pass. Intrusion prevention technology is considered by some to be an extension of intrusion detection (IDS) technology. The term "Intrusion Prevention System" was coined by Andrew Plato.
• Host Based
• Network Based
  – Content Based
  – Protocol Analysis
  – Rate Based

Page 52: Basics of Security and Attack


Host Based IPS

• A host based IPS (HIPS) is one where the intrusion-prevention application is resident on that specific IP address, usually on a single computer
• As with Host IDS systems, the Host IPS relies on agents installed directly on the system being protected. It binds closely with the operating system kernel and services, monitoring and intercepting system calls to the kernel or APIs in order to prevent attacks as well as log them.
• It may also monitor data streams and the environment specific to a particular application (file locations and Registry settings for a Web server, for example) in order to protect that application from generic attacks for which no “signature” yet exists.
• Since a Host IPS agent intercepts all requests to the system it protects, it has certain prerequisites - it must be very reliable, must not negatively impact performance, and must not block legitimate traffic.

Page 53: Basics of Security and Attack


Network Based IPS (NIPS)

• A network based IPS is one where the IPS application/hardware and any actions taken to prevent an intrusion on a specific network host(s) is done from a host with another IP address on the network (This could be on a front-end firewall appliance.)
• Network intrusion prevention systems (NIPS) are purpose-built hardware/software platforms that are designed to analyze, detect, and report on security related events. NIPS are designed to inspect traffic and based on their configuration or security policy, they can drop malicious traffic.

Page 54: Basics of Security and Attack


Content Based IPS

• A content-based IPS (CBIPS) inspects the content of network packets for unique sequences, called signatures, to detect and hopefully prevent known types of attack such as worm infections and hacks.

Page 55: Basics of Security and Attack


Protocol Analysis

• Protocol analyzers can natively decode application-layer network protocols, like HTTP or FTP. Once the protocols are fully decoded, the IPS analysis engine can evaluate different parts of the protocol for anomalous behavior or exploits.
• For example, the existence of a large binary file in the User-Agent field of an HTTP request would be very unusual and likely an intrusion. A protocol analyzer could detect this anomalous behavior and instruct the IPS engine to drop the offending packets.
• Since many vulnerabilities have dozens or even hundreds of exploit variants, pattern recognition-based IPS/IDS engines can be evaded. For example, some pattern recognition engines require hundreds of different signatures (or patterns) to protect against a single vulnerability.
• This is because they must have a different pattern for each exploit variant. Protocol analysis-based products can often block exploits with a single signature that monitors for the specific vulnerability in the network communications.

Page 56: Basics of Security and Attack


Rate Based IPS

• Rate based IPS (RBIPS) are primarily intended to prevent Denial of Service and Distributed Denial of Service attacks. They work by monitoring and learning normal network behaviors.
• Through real-time traffic monitoring and comparison with stored statistics, RBIPS can identify abnormal rates for certain types of traffic e.g. TCP, UDP or ARP packets, connections per second, packets per connection, packets to specific ports etc. Attacks are detected when thresholds are exceeded. The thresholds are dynamically adjusted based on time of day, day of the week etc., drawing on stored traffic statistics.
• Unusual but legitimate network traffic patterns may create false alarms. The system's effectiveness is related to the granularity of the RBIPS rulebase and the quality of the stored statistics.
• Once an attack is detected, various prevention techniques may be used such as rate-limiting specific attack-related traffic types, source or connection tracking, and source-address, port or protocol filtering (black-listing) or validation (white-listing).
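Added example (not the slides' code) of the rate-based check described above: thresholds are derived from stored per-hour, per-day-type statistics, so the same one-second burst is an attack at 03:00 and normal traffic at 09:00. The baseline numbers, the traffic sample and the rate-limit/blacklist policy are constructed.

```python
"""Rate-based IPS check with thresholds drawn from stored time-of-day statistics.

Added example, not the slides' own code; baseline samples, the traffic
second and the prevention policy are constructed for illustration.
"""
import statistics
from collections import Counter, defaultdict
from datetime import datetime

# constructed stored statistics: (day type, hour) -> metric -> historical per-second samples
BASELINE = {
    ("weekday", 9): {"tcp_syn": [120, 135, 128, 140, 131], "udp": [300, 320, 310, 290, 305]},
    ("weekday", 3): {"tcp_syn": [4, 6, 5, 3, 5], "udp": [20, 25, 22, 18, 21]},
}
K = 3.0  # threshold = mean + K * standard deviation of the stored samples


def thresholds(when: datetime) -> dict:
    """Pick the baseline matching time of day and day of week, then derive limits."""
    key = ("weekday" if when.weekday() < 5 else "weekend", when.hour)
    if key not in BASELINE:
        raise ValueError(f"no stored statistics for {key}")
    return {m: statistics.mean(s) + K * statistics.pstdev(s) for m, s in BASELINE[key].items()}


def metric_of(proto: str, flags: str):
    if proto == "TCP" and flags == "S":
        return "tcp_syn"
    if proto == "UDP":
        return "udp"
    return None  # other traffic is not rate-tracked in this example


def inspect_second(when: datetime, packets: list) -> list:
    """Count one second of (src, proto, flags) packets and decide on prevention actions."""
    counts = Counter()
    per_src = defaultdict(Counter)
    for src, proto, flags in packets:
        metric = metric_of(proto, flags)
        if metric:
            counts[metric] += 1
            per_src[metric][src] += 1
    limits = thresholds(when)
    actions = []
    for metric, observed in counts.items():
        if observed > limits[metric]:
            # constructed policy: rate-limit the metric down to its threshold and
            # blacklist any source responsible for more than half of that threshold
            culprits = [s for s, c in per_src[metric].most_common() if c > limits[metric] / 2]
            actions.append({"metric": metric, "observed": observed,
                            "limit": round(limits[metric], 1),
                            "rate_limit": True, "blacklist": culprits})
    return actions


# constructed one-second sample: one source sends 40 SYNs, three others one each, plus UDP
SAMPLE_SECOND = (
    [("192.0.2.50", "TCP", "S")] * 40
    + [("203.0.113.9", "TCP", "S"), ("203.0.113.10", "TCP", "S"), ("198.51.100.7", "TCP", "S")]
    + [("10.0.0.8", "UDP", "")] * 20
)


if __name__ == "__main__":
    # 5 May 2009 is a Tuesday: the same burst is judged against two different baselines
    print(inspect_second(datetime(2009, 5, 5, 3, 0), SAMPLE_SECOND))
    print(inspect_second(datetime(2009, 5, 5, 9, 0), SAMPLE_SECOND))
```

A legitimate but unusual burst at 03:00 would trigger exactly the same action, which is the false-alarm risk the slide notes; the quality of BASELINE decides how often that happens.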

Page 57: Basics of Security and Attack


Host based VS Network based IPS

• HIPS can handle encrypted and unencrypted traffic equally, because it can analyze the data after it has been decrypted on the host.
• NIPS does not use processor and memory on computer hosts but uses its own CPU and memory.
• NIPS is a single point of failure, which is considered a disadvantage; however, this property also makes it simpler to maintain. This attribute applies to all network devices like routers and switches and can be overcome by implementing the network accordingly (failover path, etc.).
• A Bypass Switch can be implemented to alleviate the single point of failure disadvantage. This also allows the NIPS appliance to be moved and be taken off-line for maintenance when needed.
• NIPS can detect events scattered over the network (e.g. low level event targeting many different hosts, like hostscan, worm) and can react, whereas with a HIPS only the host's own data is available to take a decision, or it would take too much time to report it to a central decision making engine and report back to block.

Page 58: Basics of Security and Attack


Honeypot

• Trap to attract attacks
• Assign unused address space to one (dummy) host (“honeypot”)
• Simulate services or proxy servers
• Legitimate users never communicate with the honeypot
• Automated attacks (e.g. worms) cannot distinguish the honeypot from a normal host
• All activity can be logged for evidence
• New attacks can be analyzed. Eg:
  – Simulate open SMTP relay
  – Drop all incoming mail without looking at it
  – Spammers can be identified
  – Legal measures possible
  – Spam has been destroyed efficiently

Page 59: Basics of Security and Attack


Security Information Management (SIM)

• SIM is the industry-specific term in computer security referring to the collection of data (typically log files; e.g. eventlogs) into a central repository for trend analysis.
• SIM is a solution which allows automated integration of log analysis, event correlation, and reporting of critical security event information to enable organizations to immediately identify and respond to various threats.
• There are four major components of a SIM. They are client components, correlation engine, signature database and a management console

Page 60: Basics of Security and Attack


SIM

[Diagram: events from many sources flow into the SIM, which provides Consolidation, Traceability, Meta Alerting and Reporting]

Page 61: Basics of Security and Attack

Need for SIM

The best way to increase the effectiveness of an organization's information security architecture is through better analysis, and an increasingly popular analysis technique is event correlation. Unfortunately, conducting correlation without security event management software is nearly impossible because of these issues:
• Event data is logged in a variety of proprietary formats, making comparison difficult.
• Event data is stored in multiple information 'silos', i.e. proprietary consoles, syslogs etc.
• Manually comparing event data from across the enterprise to find similarities is time consuming, if not impossible.
• No manual method exists that enables correlation to be conducted in real time.
• Constantly evolving threats necessitate continuously adding, modifying and enhancing correlation techniques.

Page 62: Basics of Security and Attack

Aggregation and Correlation

• Aggregation is the process by which the events collected from various devices are normalized and indexed.
• The correlation engine then analyses and validates the event logs sent by the log collector components, based on rules or statistics stored in the database.
• Once an event is validated it is passed on to the management console, where security professionals can view the alerts in one single console.
• Security professionals can thus view and monitor events from various devices or servers in one single format and in one single console.
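The aggregation and correlation steps above, as an added example that is not the deck's code: three constructed log formats (Linux syslog, a firewall CSV line and a Windows logon record) are normalized into one schema, and one rule raises a single meta-alert when a source IP causes repeated failures across several devices.

```python
"""Aggregation (normalize heterogeneous logs into one schema) and rule-based
correlation (many failures from one source across devices inside a window).
Added example, not from the deck; the log lines, formats and hostnames below
are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed raw records, as a SIM collector would receive them.
RAW_LOGS = [
    "<85>Jan 12 10:01:03 web01 sshd[2211]: Failed password for root from 198.51.100.7 port 51122 ssh2",
    "<85>Jan 12 10:01:05 web01 sshd[2211]: Failed password for root from 198.51.100.7 port 51123 ssh2",
    "2009-01-12 10:01:09,FIREWALL,DENY,src=198.51.100.7,dst=10.0.0.5,dport=445",
    "Jan 12 10:01:20 dc01 EventID=4625 User=administrator SourceIP=198.51.100.7 Status=0xC000006A",
    "Jan 12 10:01:30 dc01 EventID=4625 User=jsmith SourceIP=192.0.2.44 Status=0xC000006A",
    "<85>Jan 12 10:02:01 web01 sshd[2213]: Accepted password for deploy from 192.0.2.44 port 51200 ssh2",
]

YEAR = 2009  # syslog timestamps carry no year; assumed here

# --- Aggregation: one parser per source format, all mapping onto one schema ---
SYSLOG = re.compile(r"^(?:<\d+>)?(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) sshd\[\d+\]: "
                    r"(Failed|Accepted) password for (\S+) from (\S+)")
FIREWALL = re.compile(r"^(\S+ \S+),FIREWALL,(\w+),src=(\S+),dst=(\S+),dport=(\d+)$")
WINLOG = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) EventID=(\d+) User=(\S+) SourceIP=(\S+)")


def _syslog_time(text):
    return datetime.strptime(f"{YEAR} {text}", "%Y %b %d %H:%M:%S")


def normalize(raw):
    """Return one normalized event dict, or None when no parser matches."""
    m = SYSLOG.match(raw)
    if m:
        ts, host, outcome, user, src = m.groups()
        return {"time": _syslog_time(ts), "device": host, "category": "auth",
                "outcome": "failure" if outcome == "Failed" else "success",
                "user": user, "src_ip": src}
    m = FIREWALL.match(raw)
    if m:
        ts, action, src, dst, dport = m.groups()
        return {"time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), "device": "fw01",
                "category": "firewall", "outcome": "failure" if action == "DENY" else "success",
                "user": None, "src_ip": src, "dst_ip": dst, "dport": int(dport)}
    m = WINLOG.match(raw)
    if m:
        ts, host, event_id, user, src = m.groups()
        # 4625 is the Windows "account failed to log on" event
        return {"time": _syslog_time(ts), "device": host, "category": "auth",
                "outcome": "failure" if event_id == "4625" else "success",
                "user": user, "src_ip": src}
    return None


# --- Correlation: one rule over the normalized stream ---
def correlate(events, threshold=3, window=timedelta(minutes=5), min_devices=2):
    """Meta-alert when one source IP causes >= threshold failures on
    >= min_devices distinct devices inside a sliding time window."""
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["time"]):
        if e["outcome"] == "failure":
            by_src[e["src_ip"]].append(e)
    alerts = []
    for src, evs in by_src.items():
        for i, first in enumerate(evs):
            in_window = [e for e in evs[i:] if e["time"] - first["time"] <= window]
            devices = {e["device"] for e in in_window}
            if len(in_window) >= threshold and len(devices) >= min_devices:
                alerts.append({"rule": "multi-device-auth-failure", "src_ip": src,
                               "count": len(in_window), "devices": sorted(devices),
                               "first": first["time"], "last": in_window[-1]["time"]})
                break  # one meta-alert per source, not one per raw event
    return alerts


def run(raw_logs=RAW_LOGS):
    events = [e for e in map(normalize, raw_logs) if e]
    return events, correlate(events)
```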

Page 63: Basics of Security and Attack

SIM Architecture - Aggregation

Page 64: Basics of Security and Attack

SIM Architecture – Correlation

[Diagram: the Correlation Engine takes Policy Rules, Regulatory requirements, Asset Groups, Host Info Details and Vulnerability Details as inputs; Asset Management supplies Asset Criticality weighting, Active List – Asset Groups and Active List – Business Units; the Vulnerability Scanner supplies vulnerability details; the engine performs Statistical Threat Analysis and Rule Based Vulnerability correlation]

Page 65: Basics of Security and Attack

SIM Architecture – Output

Page 66: Basics of Security and Attack

SIM VS SEM

According to Gartner:
• "Security information and event management (SIEM) technology delivers two basic capabilities:
• Security information management (SIM) – SIM provides reporting and analysis of data primarily from host systems and applications, and secondarily from security devices to support regulatory compliance initiatives, internal threat management and security policy compliance management. SIM can be used to support the activities of the IT security, internal audit and compliance organizations.
• Security event management (SEM) – SEM improves security incident response capabilities. SEM processes near-real-time data from security devices, network devices and systems to provide real-time event management for security operations.
• SEM helps IT security operations personnel be more effective in responding to external and internal threats.
• SIM and SEM require a common set of base functions, but they differ both in scope and the time frame for data analysis"

Page 67: Basics of Security and Attack

SIM VS SEM

Page 68: Basics of Security and Attack

3. VA, PT, VM & Compliances

Page 69: Basics of Security and Attack

Network Vulnerabilities: Security Perspective

Eight Security Dimensions applied to each Security Perspective (layer and plane)

• Access Control: Limit & control access to network elements, services & applications. Examples: password, ACL, firewall
• Authentication: Provide proof of identity. Examples: shared secret, PKI, digital signature, digital certificate
• Non-repudiation: Prevent the ability to deny that an activity on the network occurred. Examples: system logs, digital signatures
• Data Confidentiality: Ensure confidentiality of data. Example: encryption
• Communication Security: Ensure information only flows from source to destination. Examples: VPN, MPLS, L2TP
• Data Integrity: Ensure data is received as sent or retrieved as stored. Examples: MD5, digital signature, anti-virus software
• Availability: Ensure network elements, services and applications are available to legitimate users. Examples: IDS/IPS, network redundancy, BC/DR
• Privacy: Ensure identification and network use is kept private. Examples: NAT, encryption

Page 70: Basics of Security and Attack

Vulnerability Management

To overcome the growing risk posed by vulnerabilities, an organization must develop a formal vulnerability management program addressing the entire life cycle of vulnerability management as shown in FIG A. All of these must be supported by an underlying foundation of people, process and technology initiatives.

[FIG A – Vulnerability Management Lifecycle: Asset Management (asset profile, asset update) → Prioritization of assets (prioritized asset list) → Vulnerability Assessment (vulnerabilities list) → Remediation → Monitoring → Reporting; each stage feeds report information into a detailed report on vulnerability management]

Page 71: Basics of Security and Attack

Asset Management

• To get a confident start to a VM process it is very important to have an accurate inventory and profile of what the infrastructure contains. For an organization of any significant size, this inventory will be complex and constantly changing as new components are added and existing components are retired. The following steps aid in building a comprehensive asset inventory:
• Identification of assets can be done either manually or by using an automated tool such as asset management software
• Discovered assets must be reviewed to determine business criticality and risk tolerance
• The individuals accountable for the assets must be identified

Page 72: Basics of Security and Attack

Vulnerability Assessment

• Once the identification of the network assets is done, a vulnerability assessment should be carried out to find the vulnerabilities existing in the network. Many software tools exist that can aid in the discovery (and sometimes removal) of vulnerabilities in a computer system.
• Examples: QualysGuard, GFI LANguard Network Security Scanner, Nessus
• Though these tools can provide a good overview of possible vulnerabilities present, they cannot replace human judgment. Relying solely on scanners will yield false positives and a limited-scope view of the problems present in the system. Therefore, a proper vulnerability assessment process should use vulnerability scanner tools to identify potential vulnerabilities and then carry out a detailed vulnerability analysis to remove false positives.

Page 73: Basics of Security and Attack

Penetration Test

– Attack and Penetration Testing is a systematic approach to identifying weaknesses in deployed targets.
– A target may be a network, a collection of hosts, or an application that is part of an organization, function or enterprise segment to be analyzed.
• If a vulnerability is used by an unauthorized individual to access company resources, those resources can be compromised.
• A penetration test is used to show where security fails.
• Penetration testing can be performed by anyone who is knowledgeable in this area and keeps up to date with the latest security news, penetration-testing tools and attack research.

Page 74: Basics of Security and Attack

Types Of Penetration Testing

Black Box Penetration Testing
The pen tester has no information about the target network. Only the company name or the IP address is known; nothing else (network topology etc.) about the remote network environment is provided.

White Box Penetration Testing
The pen tester is provided with significant knowledge of the target network: information about network devices (i.e. routers, switches), web server details, operating system type, database platform, load balancers, firewalls.

Page 75: Basics of Security and Attack

Types of Environment

• Wireless Networks
• DMZ environments
• Internet Data Centers (IDC)
• Portal Environment
• Extranet
• VPN Termination points
• Remote Access points
• Dial-In
• Web Application
• Database
• Routers, switches, servers, FWs, IDSes
• The organization as a whole
• Individuals and their workstations
• Other networking capable devices

Page 76: Basics of Security and Attack

Penetration Testing Methodology

[Cycle diagram; phases shown: Scope/Goal Definition, Information Gathering, Vulnerability Detection, Attack, Penetration, Privilege Escalation, Analysis & Planning, Reporting, Clean Up]

Page 77: Basics of Security and Attack

Network Penetration Testing

• Information Gathering & Network Surveying
• Foot printing or Fingerprinting
• Ports Scanning & Services Identification
• Automated Vulnerability Scanning
• Exploiting Services for Known Vulnerabilities
• Gaining Access
• Escalation of Privileges
• Exploiting Web-Based Authorization
• Password Cracking / Brute Forcing
• Denial of Services (DoS) Testing
• Report Preparation

Page 78: Basics of Security and Attack

Compliances and Standards

• Ever Expanding Regulatory Universe
– Sarbanes-Oxley (SOX)
– Payment Card Industry (PCI)
– HIPAA
– GLBA
– FFIEC
– FTC Red Flags
– Etc.
• Frameworks
– COBIT
– ISO
– ITIL
– BITS
– Etc.

Page 79: Basics of Security and Attack

SOX

Sarbanes-Oxley Act of 2002
• Congress passed the Sarbanes-Oxley Act (SOX) in large part to protect investors by improving the accuracy and reliability of corporate disclosures made pursuant to the securities laws.
• Section 404 of Sarbanes-Oxley not only requires companies to establish and maintain an adequate internal control structure, but also to assess its effectiveness on an annual basis.

Page 80: Basics of Security and Attack

SOX

Administrative Access to Financial Systems
• SOX Section 306 (a)(4) & (D)
• Lists all logon and privileged access attempts by the Administrator or SU accounts.

Computer Account Logon Activity
• ISO 17799 Section A.9.5.2
• Sarbanes Oxley sec 306 (a)(4) & (D)
• Lists all local and remote logon activity for all monitored Windows, HP-UX, AIX Unix, Sun Solaris and Red Hat Linux systems.

Computer Account Logon Activity - Windows Detail
• ISO 17799 Section A.9.5.2
• Sarbanes Oxley sec 306 (a)(4) & (D)
• Lists all logon activity for all monitored Windows domains and systems. This report is specific to monitored Windows systems, but provides a greater level of detail than the Computer Account Logon Activity report.

Page 81: Basics of Security and Attack

PCI-DSS

Page 82: Basics of Security and Attack

Data Sources in PCI

Resource: Sensage

Page 83: Basics of Security and Attack

4. Security Attacks

Page 84: Basics of Security and Attack

Security Attacks

• Attacks on Different Layers
– IP Attacks
– ICMP Attacks
– Routing Attacks
– TCP Attacks
– Application Layer Attacks

Page 85: Basics of Security and Attack

Why the Flaws?

• TCP/IP was designed for connectivity
– Had its origins in an innocent world
– Assumed to have lots of trust
– Security not intrinsic to design
• Host implementation vulnerabilities
– Software bugs
– Some elements in the specification were left to the implementers

Page 86: Basics of Security and Attack

Security Flaws in IP

• The IP addresses are filled in by the originating host
– Address spoofing
• Using source address for authentication
– r-utilities (rlogin, rsh, rhosts etc.)

[Diagram: hosts A (1.1.1.1) and B (1.1.1.2) and server S (1.1.1.3) share one network; host C (2.1.1.1) is across the Internet]
– Can A claim it is B to the server S? ARP spoofing
– Can C claim it is B to the server S? Much harder. Source routing?

Page 87: Basics of Security and Attack

Security Flaws in IP

• IP fragmentation attack
– End hosts need to keep the fragments till all the fragments arrive
• Traffic amplification attack
– IP allows broadcast destination
– Problems?

Page 88: Basics of Security and Attack

Ping Flood

[Diagram: Attacking System → Internet → Broadcast Enabled Networks → Victim System]

Page 89: Basics of Security and Attack

ICMP Attacks

• No authentication
• ICMP redirect message
– Can cause the host to switch gateways
– Man in the middle attack, sniffing
• ICMP destination unreachable
– Can cause the host to drop connection
• Many more…
– http://www.sans.org/rr/whitepapers/threats/477.php

Page 90: Basics of Security and Attack

Routing Attacks

• Distance Vector Routing
– Announce 0 distance to all other nodes
– Blackhole traffic
– Eavesdrop
• Link State Routing
– Can drop links randomly
– Can claim direct link to any other router
– A bit harder to attack than DV
• BGP
– ASes can announce arbitrary prefix
– ASes can alter path
– Could even happen due to misconfigurations

Page 91: Basics of Security and Attack

TCP Attacks

[Diagram of the three-way handshake: Client → Server: SYN x; Server → Client: SYN y | ACK x+1; Client → Server: ACK y+1]

Issues?
– Server needs to keep waiting for ACK y+1
– Server recognizes Client based on IP address/port and y+1

Page 92: Basics of Security and Attack

TCP Layer Attacks

• TCP SYN Flooding
– Exploit state allocated at server after initial SYN packet
– Send a SYN and don't reply with ACK
– Server will wait for 511 seconds for ACK
– Finite queue size for incomplete connections (1024)
– Once the queue is full it doesn't accept requests

Page 93: Basics of Security and Attack

TCP Layer Attacks

• TCP Session Hijack
– When is a TCP packet valid?
– Address/Port/Sequence Number in window
– How to get sequence number?
– Sniff traffic
– Guess it
– Many earlier systems had predictable ISN
– Inject arbitrary data to the connection

Page 94: Basics of Security and Attack

TCP Layer Attacks

• TCP Session Poisoning
– Send RST packet
– Will tear down connection
– Do you have to guess the exact sequence number?
– Anywhere in window is fine
– For 64k window it takes 64k packets to reset
– About 15 seconds for a T1

Page 95: Basics of Security and Attack

Application Layer Attacks

• Applications don't authenticate properly
• Authentication information in clear
– FTP, Telnet, POP
• DNS insecurity
– DNS poisoning
– DNS zone transfer

Page 96: Basics of Security and Attack

An Example

Stephen (S) Trusted (T)

Mahendar

[Diagram: Mahendar, Stephen (S) and Trusted (T); the steps below are shown as arrows from Mahendar to S]

• Finger @S
• showmount -e
• Send 20 SYN packets to S
• Attack when no one is around
• What other systems it trusts?
• Determine ISN behavior

Page 97: Basics of Security and Attack

An Example

Stephen (S) Trusted(T)

Mahendar

• Finger @S

• showmount –e

• Send 20 SYN packets to S

• SYN flood T

• Attack when no one is around

• What other systems it trusts?

• Determine ISN behavior

[Diagram: SYN flood directed at T, marked X]

Page 98: Basics of Security and Attack

An Example

Stephen (S) Trusted (T)

Mahendar (M)

• Finger @S

• showmount –e

• Send 20 SYN packets to S

• SYN flood T

• Send SYN to S spoofing as T

• Send ACK to S with a guessed number

• Attack when no one is around

• What other systems it trusts?

• Determine ISN behavior

• T won’t respond to packets

• S assumes that it has a session with T

[Diagram: T marked X; SYN, SYN|ACK and ACK exchanged between M (claiming to be T) and S]

Page 99: Basics of Security and Attack

An Example

Stephen (S) Trusted (T)

Mahendar

• Finger @S

• showmount –e

• Send 20 SYN packets to S

• SYN flood T

• Send SYN to S spoofing as T

• Send ACK to S with a guessed number

• Send “echo + + > ~/.rhosts”

• Attack when no one is around

• What other systems it trusts?

• Determine ISN behavior

• T won’t respond to packets

• S assumes that it has a session with T

• Give permission to anyone from anywhere

[Diagram: T marked X; "+ +" written into the rhosts file on S]

Page 100: Basics of Security and Attack

Denial of Service

• Objective: make a service unusable, usually by overloading the server or network
• Consume host resources
– TCP SYN floods
– ICMP ECHO (ping) floods
• Consume bandwidth
– UDP floods
– ICMP floods

Page 101: Basics of Security and Attack

Denial of Service

• Crashing the victim
– Ping-of-Death
– TCP options (unused, or used incorrectly)
• Forcing more computation
– Taking slow path in processing of packets

Page 102: Basics of Security and Attack

Coordinated DoS

[Diagram: several Attackers, several Victims]

• The first attacker attacks a different victim to cover up the real attack
• The attacker usually spoofs the source address to hide the origin
• Harder to deal with

Page 103: Basics of Security and Attack

Distributed DoS

[Diagram: Attacker → Handlers → Agents → Victim]

Page 104: Basics of Security and Attack

DDoS Defenses

• Network Capabilities
– Destination explicitly decides whether or not to allow packets
– Indicate decision by inserting "capabilities" in packets
– Routers en route check for valid capabilities in subsequent packets
– Issues?
• Traffic Scrubbers
– Sink all traffic to a back-end
– Scrub, scrub, scrub
– Issues?

Page 105: Basics of Security and Attack

Attacks

• Denial of Service (DoS)
– SYN flood
– Smurf
– Distributed DoS
• Spoofing
– IP spoofing
– ARP poisoning
– Web spoofing
– DNS spoofing

Page 106: Basics of Security and Attack

Attacks

• Man-in-the-middle
• Replays
• TCP Session hijacking
• Social Engineering
– Dumpster diving
– Online attacks
• Web defacement

Page 107: Basics of Security and Attack

Attacks

• Attacks on encrypted data
– Weak keys
– Birthday attack
– Dictionary attack
• Countermeasures

Page 108: Basics of Security and Attack

SYN flooding attack

– This exploits how the 3-way handshake of TCP services for opening a session works.
– SYN packets are sent to the target node with incomplete source IP addresses
– The node under attack sends an ACK packet and waits for response
– Since the request has not been processed, it takes up memory
– Many such SYN packets clog the system and take up memory
– Eventually the attacked node is unable to process any requests as it runs out of memory storage space

Page 109: Basics of Security and Attack

TCP 3-way Handshake

[Diagram: two PCs, showing the TCP state on each side and the TCP packet exchanged]

Initiating PC, TCP state: Closed → SYN-sent → ACK-received → Established
Listening PC, TCP state: Listen → SYN-received → ACK-sent → Established

TCP packets:
1. SEQ = 1000, CTL = SYN
2. SEQ = 750, ACK = 1001, CTL = SYN | ACK
3. SEQ = 1000, ACK = 751, CTL = ACK

Page 110: Basics of Security and Attack

Land attack

• Similar to SYN attack
• Uses the target address as the source address as well
• Causes an infinite loop under the SYN/ACK process

Page 111: Basics of Security and Attack

Smurf attack

• A brute force DoS attack and thus a non-OS specific attack
• A large number of PING requests with spoofed IP addresses are generated from within the target network
• Each ping request is broadcast, resulting in a large number of responses from all nodes on the network
• Clogs the network and prevents legitimate requests from being processed

Page 112: Basics of Security and Attack

Port scanning

• Scanning the source and destination ports for both TCP and UDP for data capture

• TCP ports are commonly monitored but UDP ports are not

Page 113: Basics of Security and Attack

Ping of death

• The hacker sends an illegal echo packet with more bytes than allowed, causing the data to be fragmented. Storing the fragments for reassembly then causes buffer overflows, kernel dumps, and crashes
• This was made possible by some Windows OSs allowing non-standard ICMP (Internet Control Message Protocol) messages to be generated
• Maximum ICMP packet size is 65507 bytes. Any echo packet exceeding this size will be fragmented by the sender, and the overflow occurs when the receiver tries to reconstitute the packet
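The reassembly-time check that a receiver needs against the oversized echo packet described above, as an added example that is not the deck's code: a fragment whose end lies beyond the largest legal datagram is refused before it is written into the reassembly buffer. The fragment trace and the 20-byte header assumption are constructed.

```python
"""IP fragment reassembly with the bounds check that stops a 'ping of death':
a fragment whose end (8 * offset + length) lies beyond the largest legal IP
datagram is dropped instead of being written into the reassembly buffer.
Added example, not from the deck; fragments below are constructed (fragment
offset in 8-byte units, 'more fragments' flag, payload bytes)."""
MAX_DATAGRAM = 65535              # IPv4 Total Length is a 16-bit field
MAX_PAYLOAD = MAX_DATAGRAM - 20   # payload after a minimal 20-byte IP header
# The deck's 65507 figure is this payload minus the 8-byte ICMP echo header.


class Reassembler:
    def __init__(self):
        self.pending = {}   # (src, ident) -> {"frags": {offset_bytes: payload}, "last": bool}
        self.dropped = 0

    def accept(self, src, ident, offset_units, more_fragments, payload):
        """Returns 'dropped-oversize', 'buffered', or the reassembled bytes."""
        start = offset_units * 8
        end = start + len(payload)
        if end > MAX_PAYLOAD:
            # This is the test the vulnerable stacks skipped: a fixed-size
            # reassembly buffer would be overrun by the bytes past the limit.
            self.dropped += 1
            self.pending.pop((src, ident), None)   # discard the whole datagram
            return "dropped-oversize"
        entry = self.pending.setdefault((src, ident), {"frags": {}, "last": False})
        entry["frags"][start] = payload
        if not more_fragments:
            entry["last"] = True
        if not (entry["last"] and self._contiguous(entry["frags"])):
            return "buffered"                      # wait for the rest (or a timeout)
        data = b"".join(entry["frags"][off] for off in sorted(entry["frags"]))
        del self.pending[(src, ident)]
        return data

    @staticmethod
    def _contiguous(frags):
        """True when the stored fragments cover [0, end) without a gap."""
        expected = 0
        for off in sorted(frags):
            if off != expected:
                return False
            expected = off + len(frags[off])
        return True


def normal_ping():
    """A 1500-byte echo split in two fragments reassembles normally."""
    r = Reassembler()
    r.accept("192.0.2.9", 1, 0, True, b"A" * 1480)          # 1480 / 8 = 185 units
    return r.accept("192.0.2.9", 1, 185, False, b"B" * 20)


def ping_of_death():
    """A final fragment at the top of the 13-bit offset field (8189 * 8 = 65512)
    carrying 400 bytes would make the datagram 65912 bytes: rejected."""
    r = Reassembler()
    r.accept("192.0.2.9", 2, 0, True, b"A" * 1480)
    return r.accept("192.0.2.9", 2, 8189, False, b"B" * 400), r.dropped
```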

Page 114: Basics of Security and Attack

UDP-flood attack

• Denial of service variant

• Connects the target machine’s chargen and echo services to create an infinite loop between two or more UDP services

• Connectivity to the network is sufficient, no network account required for this attack

Page 115: Basics of Security and Attack

Distributed Denial of Service

• Hackers post malicious software on the web
• Script kiddies (people who do not fully understand the code) launch the attacks
• In DDoS, the hacker (also known as a black hat) identifies computers with weak security as handlers. The software in the handlers scans for hosts to be used as agents or zombies. Hundreds of thousands of zombies simultaneously launch the DoS attack in a distributed manner.

Page 116: Basics of Security and Attack

IP Spoofing

• Exploits trust relationships between routers
• This is a difficult attack to launch since the communication set up is based on an initial sequence number for packets. Systems no longer use numbers sequentially. Identifying the algorithm used for numbering packets during set up is important.

Page 117: Basics of Security and Attack

ARP Poisoning

• ARP = Address Resolution Protocol
• ARP is used by routers extensively to find the destination node. Routers have IP addresses (32 bits). In order to deliver the packet to the destination node, the router broadcasts the IP address of the destination and obtains the MAC address (48 bits).
• ARP Poisoning tools are:
– ARPoison
– Ettercap
– Parasite

Page 118: Basics of Security and Attack

ARP Poisoning

• Hosts store the IP-to-MAC address mapping in the ARP table. ARP Poisoning means that the ARP communication is intercepted by redirection from a router.
• Example:
– Assume the router's IP is 10.1.1.0
– The host's IP is 10.1.1.1
– A malicious host with IP 10.1.1.2 spoofs 10.1.1.1 and replies to requests from 10.1.1.0 with its own MAC address
– From this point on all packets meant for 10.1.1.1 are routed to 10.1.1.2, because the router has the MAC address of 10.1.1.2 in its routing table
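Detecting the poisoning in the example above from the replies seen on the segment, as an added example that is not the deck's code: an IP that changes MAC, or one MAC that claims several IPs, raises an alert, and static bindings for critical hosts are never overwritten. The reply trace uses the deck's 10.1.1.x addresses with constructed MACs from the IANA documentation range.

```python
"""ARP-cache poisoning detector over observed ARP replies.
Added example, not from the deck. The trace below is constructed to match the
deck's scenario (router 10.1.1.0, host 10.1.1.1, attacker 10.1.1.2); the MAC
addresses use the 00:00:5e:00:53:xx documentation range."""
from collections import defaultdict


def arp_monitor(replies, trusted=None):
    """replies: iterable of (ip, mac) pairs as seen in 'is-at' ARP replies.
    trusted: optional static IP -> MAC bindings (e.g. the default gateway) that
    a reply must never override. Returns (alerts, learned_table)."""
    static = {ip: mac.lower() for ip, mac in (trusted or {}).items()}
    table = dict(static)                     # IP -> MAC currently believed
    ips_by_mac = defaultdict(set)            # reverse map, to spot one MAC for many IPs
    for ip, mac in table.items():
        ips_by_mac[mac].add(ip)
    alerts = []
    for ip, mac in replies:
        mac = mac.lower()
        known = table.get(ip)
        if known is None:
            table[ip] = mac                  # first sighting: learn it
        elif known != mac:
            # Legitimate causes exist too (DHCP re-lease, NIC swap), so this is
            # an alert to investigate, not proof of an attack.
            alerts.append({"type": "ip-mac-change", "ip": ip, "old": known,
                           "new": mac, "static": ip in static})
            if ip not in static:
                table[ip] = mac              # static bindings are never overwritten
        if ip not in ips_by_mac[mac]:
            ips_by_mac[mac].add(ip)
            if len(ips_by_mac[mac]) > 1:
                alerts.append({"type": "mac-claims-multiple-ips", "mac": mac,
                               "ips": sorted(ips_by_mac[mac])})
    return alerts, table


# Constructed trace of replies seen on the segment, in arrival order.
TRACE = [
    ("10.1.1.0", "00:00:5e:00:53:01"),   # router's genuine reply
    ("10.1.1.1", "00:00:5e:00:53:11"),   # victim host's genuine reply
    ("10.1.1.2", "00:00:5e:00:53:22"),   # attacker answering for its own address
    ("10.1.1.1", "00:00:5e:00:53:22"),   # poisoned reply: 10.1.1.1 "is-at" the attacker's MAC
]
```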

Page 119: Basics of Security and Attack

Web Spoofing

• In this attack the malicious site pretends to be authentic
• It is a form of man-in-the-middle attack
• This is accomplished by accessing the victim website and putting a link to the malicious site on a legitimate name. For example, www.nybank.com could be linked to www.hacksite.com but the user would not be aware of this unless they pay attention to the actual site linked.

Page 120: Basics of Security and Attack

DNS Spoofing

• This is similar to web spoofing
• DNS server could be a simple machine placed behind a firewall
• Usually it is isolated from the rest of the nodes in functionality
• Hacker gets access to the DNS server and changes the mapping in the lookup table. For example, www.nybank.com is supposed to point to 199.230.116.100. The hacker could redirect it to his web server instead.

Page 121: Basics of Security and Attack

Replays

• Replay involves capturing traffic while in transit and using it to gain access to systems.
• Example:
– Hacker sniffs login information of a valid user
– Even if the information is encrypted, the hacker replays the login information to fool the system and gains access

Page 122: Basics of Security and Attack

Replays

• A sniffer is a program that intercepts and reads traffic on the network
• Sniffers work when the NIC is set to communicate in promiscuous mode

Page 123: Basics of Security and Attack

Replay Attack Diagram

[Diagram: the Valid user logs in to the Server; a Sniffer on the path captures the id and pwd; the Hacker later replays the sniffed id and pwd to the Server]
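The replay of a sniffed login described on the last three slides, contrasted with a challenge-response login that a replay cannot pass, as an added example that is not the deck's code: the server issues a one-time nonce, the client proves the password with an HMAC over it, and the nonce is consumed on first use. The user, secret and message layout are constructed.

```python
"""Replayable static login versus a nonce-based challenge-response login.
Added example, not from the deck; user, shared secret and message format are
constructed. Nothing here sniffs traffic: the 'captured' values are simply
the ones the legitimate client sent."""
import hashlib
import hmac
import secrets

USERS = {"alice": b"constructed-password-secret"}   # server-side shared secret


def static_login(stored_hash, presented_hash):
    """The scheme the slides describe: the client always presents the same
    (even hashed or encrypted) credential, so a captured copy works again."""
    return hmac.compare_digest(stored_hash, presented_hash)


def demo_static():
    stored = hashlib.sha256(USERS["alice"]).hexdigest()
    captured = stored                       # what a sniffer would have seen once
    return static_login(stored, captured), static_login(stored, captured)  # both True


class AuthServer:
    """Challenge-response login: each nonce is usable exactly once."""

    def __init__(self):
        self.outstanding = set()            # nonces issued and not yet consumed

    def challenge(self):
        nonce = secrets.token_hex(16)
        self.outstanding.add(nonce)
        return nonce

    def login(self, user, nonce, proof):
        """Consume the nonce whatever the outcome, so a second use always fails."""
        if nonce not in self.outstanding:
            return "rejected: nonce unknown or already used"
        self.outstanding.discard(nonce)
        secret = USERS.get(user)
        if secret is None:
            return "rejected: unknown user"
        expected = client_proof(user, secret, nonce)
        if hmac.compare_digest(expected, proof):
            return "accepted"
        return "rejected: bad proof"


def client_proof(user, secret, nonce):
    """HMAC over user and nonce: binds the proof to this one challenge."""
    return hmac.new(secret, f"{user}:{nonce}".encode(), hashlib.sha256).hexdigest()


def demo_challenge_response():
    srv = AuthServer()
    nonce = srv.challenge()
    proof = client_proof("alice", USERS["alice"], nonce)
    first = srv.login("alice", nonce, proof)        # legitimate login
    replay = srv.login("alice", nonce, proof)       # same captured pair presented again
    return first, replay
```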

Page 124: Basics of Security and Attack

TCP Session Hijacking

• This means that the hacker has directed traffic to his server instead of a trusted server that the victim is assuming

• To hijack a session, the hacker ARP poisons the router to route all traffic to his computer before it is delivered to the victim

• See Figure 3-14 (p. 68) in the book for details of IP and MAC addresses needed to understand this type of attack

Page 125: Basics of Security and Attack

Dictionary attack

• Has an idea of the message
• Has the hashed value from the message
• Exhaustive search to find the original corresponding to the hash
• Credit cards use 16 digits
– 2^55 ≈ 10^16
– This is within the realm of possibility for today's computers to do an exhaustive search
• Does not involve any encryption

Page 126: Basics of Security and Attack

Birthday attack

• A variation of brute-force attack
• Studies have shown that if 23 people are in a room, the probability is over 50% that two people have the same birthday
• The similarity here is: knowing one value, can you find the matching value
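The 23-people figure above worked out exactly, and generalized to the rule that matters for hashes: with N possible values, about 1.18·√N samples give a 50% chance of a repeat, so a k-bit hash offers only about k/2 bits against a birthday attack. Added example, not from the deck.

```python
"""Birthday bound: exact and approximate probability of a repeat among n
values drawn uniformly from N, and the n at which it passes one half.
Added example, not from the deck."""
import math


def collision_probability(n, N):
    """Exact P(at least one repeat) = 1 - prod_{i=0}^{n-1} (N - i) / N."""
    p_all_distinct = 1.0
    for i in range(n):
        p_all_distinct *= (N - i) / N
    return 1.0 - p_all_distinct


def collision_probability_approx(n, N):
    """1 - exp(-n(n-1) / (2N)), from 1 - i/N ~ exp(-i/N); good for n << N."""
    return 1.0 - math.exp(-n * (n - 1) / (2.0 * N))


def samples_for_half(N):
    """Smallest n with collision probability about 1/2, from the approximation:
    n ~ sqrt(2 ln 2 * N) ~ 1.177 * sqrt(N)."""
    return math.ceil(math.sqrt(2 * math.log(2) * N))


def birthday_security_bits(hash_bits):
    """For a k-bit hash N = 2**k, so samples_for_half is about 2**(k/2):
    the effective collision resistance is k/2 bits."""
    return hash_bits / 2
```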

Page 127: Basics of Security and Attack

Countermeasures

• For SYN-flood attack:
– Firewall can withhold or insert packets into the data stream, thus providing one means of keeping the SYN packets from getting through
– Firewall responds immediately to the SYN with its ACK sent to the spoofed address. This way the inquiry is not in the open queue taking up space. Legitimate addresses would respond immediately and they could be forwarded by the firewall to the internal systems. SYN-flood attack packets would not receive a reply from the spoofed address and so they will be sent a RST (reset) signal after the timeout set.
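The queue exhaustion described under TCP SYN Flooding (finite 1024-entry queue, 511-second wait) together with the firewall countermeasure above, as an added simulation that is not the deck's code. The firewall here answers SYNs statelessly with an HMAC cookie as the sequence number (this example's choice of how the firewall avoids keeping state) and only opens the real connection once a client echoes it; the source addresses and key are constructed.

```python
"""Half-open queue exhaustion by a SYN flood, and a SYN proxy in front of the
server that answers SYNs without keeping state. Added example, not from the
deck; queue size and timeout are the deck's figures, the cookie construction,
addresses and key are this example's assumptions."""
import hashlib
import hmac

QUEUE_SIZE = 1024          # finite queue for incomplete connections (deck)
HALF_OPEN_TIMEOUT = 511    # seconds the server waits for the final ACK (deck)


class TcpServer:
    """Backlog model: each SYN holds a queue slot until its ACK or a timeout."""

    def __init__(self):
        self.now = 0                       # simulated clock, seconds
        self.half_open = {}                # (src_ip, src_port) -> expiry time
        self.established = set()

    def _expire(self):
        self.half_open = {k: t for k, t in self.half_open.items() if t > self.now}

    def on_syn(self, src):
        self._expire()
        if len(self.half_open) >= QUEUE_SIZE:
            return "dropped"               # queue full: legitimate clients refused
        self.half_open[src] = self.now + HALF_OPEN_TIMEOUT
        return "syn_ack"

    def on_ack(self, src):
        if src in self.half_open:
            del self.half_open[src]
            self.established.add(src)
            return "established"
        return "reset"


class SynProxy:
    """Firewall answering SYNs itself. The SYN-ACK sequence number is an HMAC
    over the client 4-tuple and a time slot, so no per-SYN state is kept and a
    flood cannot fill anything. A client that echoes the cookie back has shown
    it receives traffic at its source address; only then is the real server's
    handshake completed on its behalf."""

    def __init__(self, server, key=b"constructed-proxy-secret"):
        self.server = server
        self.key = key

    def _cookie(self, src, slot):
        mac = hmac.new(self.key, f"{src}|{slot}".encode(), hashlib.sha256).digest()
        return int.from_bytes(mac[:4], "big")

    def on_syn(self, src):
        return "syn_ack", self._cookie(src, self.server.now // 64)   # stateless

    def on_ack(self, src, echoed_seq):
        slot = self.server.now // 64
        if echoed_seq in (self._cookie(src, slot), self._cookie(src, slot - 1)):
            self.server.on_syn(src)
            return self.server.on_ack(src)
        return "reset"   # forged or stale cookie: nothing reaches the server


def flood(target, count):
    """count SYNs from constructed spoofed sources that never send the ACK."""
    for i in range(count):
        target.on_syn((f"198.51.100.{i % 250}", 40000 + i))


def legit_client_without_proxy():
    srv = TcpServer()
    flood(srv, 2000)                                   # more than QUEUE_SIZE
    return srv.on_syn(("203.0.113.10", 51000))         # -> "dropped"


def legit_client_after_timeout():
    srv = TcpServer()
    flood(srv, 2000)
    srv.now = HALF_OPEN_TIMEOUT + 1                    # flood entries have aged out
    return srv.on_syn(("203.0.113.10", 51000))         # -> "syn_ack"


def legit_client_with_proxy():
    srv = TcpServer()
    proxy = SynProxy(srv)
    flood(proxy, 2000)                                 # answered, nothing stored
    client = ("203.0.113.10", 51000)
    _, seq = proxy.on_syn(client)
    return proxy.on_ack(client, seq), len(srv.half_open)   # -> ("established", 0)


def forged_ack_with_proxy():
    srv = TcpServer()
    return SynProxy(srv).on_ack(("203.0.113.11", 51001), 12345)   # -> "reset"
```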

Page 128: Basics of Security and Attack

Countermeasures

• For Smurf attack:
– Routers should be configured to drop ICMP messages from outside the network with a destination of an internal broadcast or multicast
– Newer OSs for routers and workstations have protection for known smurf attacks

Page 129: Basics of Security and Attack

Countermeasures

• For IP Spoofing attack:
– This is a difficult attack to start with for the hacker
– Hacker should be able to guess correctly the Initial Sequence Number that the spoofed IP would generate
– To prevent IP spoofing, disable source routing on all internal routers
– Filter entering packets with a source address of the local network

Page 130: Basics of Security and Attack

Countermeasures

• For Man in the middle attack:
– Routers should be configured to ignore ICMP redirect packets

• An Intrusion Detection System (IDS) is software that can scan traffic in real time and detect anomalies

• Cisco, Computer Associates, Secure Works are some of the companies that provide IDS software

• Availability of IDS is a requirement in the medical and financial industry for the business to get its license

• The industry is now moving towards an Intrusion Prevention System (IPS) as opposed to an IDS

Page 131: Basics of Security and Attack

Countermeasures

• For Ping of death attack:
– Prohibit creation of ICMP packets of invalid size

• For Denial of Service attack:
– Firewalls and routers at network boundaries can use filters to prevent spoofed packets from leaving the network
– Filter incoming packets with a broadcast address
– Turn off direct broadcasts on all internal routers
– Block known private IP addresses being used as destination IP (e.g., 10.0.0.0, 172.16.24.0, 192.168.0.0, 224.0.0.0, 127.0.0.1)
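The Smurf, IP-spoofing and Denial of Service countermeasures above all reduce to ingress and egress rules at the network boundary. The Python packet filter below is an added example, not configuration from the deck; it assumes a constructed internal network 192.0.2.0/24, a hypothetical filter_packet function, constructed sample traffic, and uses the full RFC 1918, multicast and loopback ranges rather than the single addresses the slide lists.

```python
import ipaddress
from dataclasses import dataclass

# Constructed site layout for the hypothetical boundary router.
INTERNAL_NET = ipaddress.ip_network("192.0.2.0/24")
# Destinations never reachable from outside: RFC 1918, multicast and loopback ranges
# (the slide names single addresses; these are the ranges they belong to).
BOGON_DESTINATIONS = [ipaddress.ip_network(n) for n in
                      ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "127.0.0.0/8")]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str      # "icmp", "tcp" or "udp"
    inbound: bool   # True = arriving on the outside interface


def _is_broadcast(addr: ipaddress.IPv4Address) -> bool:
    return addr == INTERNAL_NET.broadcast_address or addr == ipaddress.IPv4Address("255.255.255.255")


def filter_packet(pkt: Packet) -> tuple[str, str]:
    """Return ("drop" | "accept", reason) for one packet crossing the boundary."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    if pkt.inbound:
        # Smurf: traffic from outside aimed at the internal broadcast or a multicast address.
        if dst.is_multicast or _is_broadcast(dst):
            return "drop", "inbound to broadcast/multicast"
        # IP spoofing: a packet from outside claiming an inside source address.
        if src in INTERNAL_NET:
            return "drop", "inbound with local source (spoofed)"
        # Private, multicast or loopback destinations are never legitimate from outside.
        if any(dst in net for net in BOGON_DESTINATIONS):
            return "drop", "inbound to private/reserved destination"
    else:
        # Egress: an inside host must not emit packets with a foreign source address.
        if src not in INTERNAL_NET:
            return "drop", "outbound with non-local source (spoofed)"
    return "accept", "ok"


def summarize(packets: list[Packet]) -> dict[str, int]:
    """Count verdicts by reason so an operator can see what the boundary is absorbing."""
    counts: dict[str, int] = {}
    for pkt in packets:
        verdict, reason = filter_packet(pkt)
        key = f"{verdict}:{reason}"
        counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed sample traffic, one packet per rule plus two legitimate flows.
SAMPLE = [
    Packet("203.0.113.9", "192.0.2.255", "icmp", inbound=True),   # smurf amplification attempt
    Packet("192.0.2.10", "192.0.2.20", "tcp", inbound=True),      # inside source arriving from outside
    Packet("203.0.113.9", "10.1.2.3", "udp", inbound=True),       # private destination from outside
    Packet("198.51.100.4", "192.0.2.20", "tcp", inbound=True),    # ordinary inbound connection
    Packet("203.0.113.77", "198.51.100.4", "udp", inbound=False), # inside host using a foreign source
    Packet("192.0.2.20", "198.51.100.4", "tcp", inbound=False),   # ordinary outbound connection
]


if __name__ == "__main__":
    for key, count in summarize(SAMPLE).items():
        print(f"{count:3d}  {key}")
```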

Page 132: Basics of Security and Attack


5. Software Exploitation

Page 133: Basics of Security and Attack

Software Exploitation

• Malicious software, also known as malware, includes worms, viruses, and Trojan horses

• How do these propagate?
– Virus is meant to replicate itself into executables (e.g., Melissa)
– Worm is meant to propagate itself across the network (e.g., Nimda, Code Red)
– Trojan horse is meant to entice the unsuspecting user to execute a worm (e.g., I Love You)

Page 134: Basics of Security and Attack

Software exploitation

– Malicious software (virus and worm)
– Back door
– Logic bombs

Page 135: Basics of Security and Attack

Malicious code

Type          Characteristics
Virus         Attaches itself to programs and propagates copies of itself to other programs
Trojan horse  Contains unexpected functionality
Logic bomb    Triggers action when a condition occurs
Time bomb     Triggers action at a certain time
Trapdoor      Allows unauthorized access to functionality
Worm          Propagates copies of itself through a network
Rabbit        Replicates without limit to exhaust resources

Page 136: Basics of Security and Attack

Viruses

• String of computer code that attaches to other programs and replicates
– File infectors – Oldest type of virus, now mostly extinct
– Boot-sector viruses – Reside on the boot portion of a disk. Also mostly extinct
– Macro viruses – Written in a scripting language and affect data files, not programs. Future of viruses.
• No absolute cure for viruses
– Antivirus programs work, but need continual updating.
– Virus makers depend on laziness of users to let virus defs get out of date.

Page 137: Basics of Security and Attack

Virus

• Virus self-replicates
• Early viruses (1980s to mid-90s) were placed on the boot sector of hard and floppy drives as they would not show up in the directory listing
• Second type of virus is known as ‘parasitic virus.’ This was prevalent in the mid-90s.
• Parasitic virus attaches to files and infects files of type exe, sys, com, dll, bin, drv
• Third virus type is ‘multipartite virus’. This infected both boot sector and files. This was also common in the mid-90s.
• Current virus type is known as ‘macro virus.’ These are application specific as opposed to operating system specific. They propagate rapidly through email. Most macro viruses are written in VB Script and they exploit Microsoft’s applications such as Outlook.

Page 138: Basics of Security and Attack

Viruses and Worms

• Virus is a program that reproduces itself by attaching its code to another program
– They require human intervention to spread
– Melissa, I LOVE YOU spread by e-mail

• Worms actively replicate without a helper program
– Is a subclass of virus, but does not require user intervention
– Sasser and Blaster targeted machines with out of date software

Page 139: Basics of Security and Attack

Antivirus

Antivirus software is a term used to describe a computer program that attempts to identify, neutralize or eliminate malicious software. This type of software is so named because the earliest examples were designed exclusively to combat computer viruses; however, most modern antivirus software is now designed to combat a wide range of threats, including worms, phishing attacks, rootkits and trojan horses.

Antivirus software typically uses two different techniques to accomplish this:

- Examining (scanning) files to look for known viruses matching definitions in a virus dictionary

- Identifying suspicious behavior from any computer program which might indicate infection. Such analysis may include data captures, port monitoring and other methods.

Page 140: Basics of Security and Attack

Worms & Trojan Horses

– Worms
• Particular to networked computer systems
• Gains access to resources that point to other computers
• Replicates itself to multiple systems
• Rarely dangerous, mostly annoying

– Trojan Horses
• Code that embeds itself into something useful
• Collects information and sends to known site on the network
• Also can allow external takeover of your system (Back Orifice)

Page 141: Basics of Security and Attack

“Good viruses”

• Are hard to detect
• Are hard to destroy
• Spread widely
• Can re-infect cleaned files
• Are easy to create
• Are machine independent

Page 142: Basics of Security and Attack

Hiding places

• Boot sector
• Memory-resident viruses
• Macro, library etc. viruses

[Figure: boot-sector infection. Normal process: Boot Strap Loader, then System Initialization. Infection: Virus Code inserted into the boot chain alongside Boot Strap Loader and System Initialization.]

Page 143: Basics of Security and Attack

Effects and causes

Effect                        How caused?
Attach to executable program  · Modify file directory
                              · Write to executable file
Attach to data or control     · Modify directory
                              · Rewrite data
                              · Append to data
                              · Append data to itself

Page 144: Basics of Security and Attack

Effects and causes

Effect            How caused?
Remain in memory  · Intercept interrupts and modify handlers
Infect disks      · Intercept interrupt
                  · Intercept OS call
                  · Modify system file
                  · Modify ordinary executables
Spread infection  · Infect boot sector
                  · Infect system program
                  · Infect ordinary program
                  · Infect data that controls ordinary programs

Page 145: Basics of Security and Attack


Malware

Malware is software designed to infiltrate or damage a computer system without the owner's informed consent. It is a portmanteau of the words "malicious" and "software". The expression is a general term used by computer professionals to mean a variety of forms of hostile, intrusive, or annoying software or program code.

Software is considered malware based on the perceived intent of the creator rather than any particular features. It includes computer viruses, worms, trojan horses, most rootkits, spyware, dishonest adware, and other malicious and unwanted software. In law, malware is sometimes known as a computer contaminant.

Page 146: Basics of Security and Attack

Malware

• Modern Malicious Code – “Malware”
– Around 1999 was the first occurrence of large propagation of e-mail infecting malware
– Virus protection is now more reactive
– E-mail infections are insidious, bypassing firewalls
– Multi-module programs and plugins increase vulnerability
– Dynamic linking increases problems also
– Mobile code (Java, JavaScript, ActiveX, Plugins) allows for an easier delivery mechanism

Page 147: Basics of Security and Attack

Vulnerability to Malware

In this context, as throughout, it should be borne in mind that the “system” under attack may be of various types, e.g. a single computer and operating system, a network or an application.

Various factors make a system more vulnerable to malware:

Homogeneity – e.g. when all computers in a network run the same OS, if you can break that OS, you can break into any computer running it.

Defects – most systems contain errors which may be exploited by malware.

Unconfirmed code – code from a floppy disk, CD-ROM or USB device may be executed without the user’s agreement.

Over-privileged users – some systems allow all users to modify their internal structures.

Over-privileged code – most popular systems allow code executed by a user all rights of that user.

Page 148: Basics of Security and Attack

Types of Malware

1. Worms and viruses are computer programs that replicate themselves without human intervention. The difference is that a virus attaches itself to, and becomes part of, another executable (i.e., runnable) program, whereas a worm is self-contained and does not need to be part of another program to replicate itself.

2. A trojan, or trojan horse, is software that is disguised as a legitimate program in order to entice users to download and install it. In contrast to worms and viruses, trojans are not directly self-replicating. They can be designed to do various harmful things, including corrupting files, erasing data and installing other types of malware.

3. A backdoor (usually written as a single word) is any hidden method for obtaining remote access to a computer or other system. Backdoors typically work by allowing someone or something with knowledge of them to use special password(s) and/or other actions to bypass the normal authentication (e.g., user name and password) procedure on a remote machine (i.e., a computer located elsewhere on the Internet or other network) to gain access to the all-powerful root (i.e., administrative) account.

Page 149: Basics of Security and Attack

Types of Malware (Contd.)

4. A rootkit is software that is secretly inserted into a computer and which allows an intruder to gain access to the root account and thereby be able to control the computer at will. Rootkits frequently include functions to hide the traces of their penetration, such as by deleting log entries.

They typically include backdoors so that the intruder can easily gain access again at a later date, for example, in order to attack other systems at specific times.

5. Spam is unwanted e-mail which is sent out in large volume. Although people receiving a few pieces of spam per day might not think that it is anything to be too concerned about, it is a major problem for several reasons, including the facts that its huge volume (perhaps half or more of all e-mail) places a great load on the entire e-mail system, it often contains other types of malware and much of its content is fraudulent.

Organizations typically have to devote considerable resources to attempting to filter out and delete spam while not losing legitimate e-mail, thereby distracting them from their primary tasks.

Page 150: Basics of Security and Attack


Steps to Counter Malware

There are a number of steps that computer users can take to minimize the chances of becoming infected by malware.

-They include using relatively secure software,

-Providing physical security for computers and networks, enforcing the use of strong passwords,

-Employing firewalls,

-Using malware detection programs,

-Avoiding opening e-mail attachments of unknown origin, avoiding the downloading of dubious programs and avoiding use of the root account except when absolutely necessary.

Page 151: Basics of Security and Attack

Trojan Horse

• Malicious program disguised as an innocent one
– Could modify/delete user’s files, send important info to cracker, etc.
• The program has to get to the computer somehow
– Cracker hides it as a new game, e-card, windows update site, etc.
• When run, Trojan Horse executes with user’s privileges
• Examples:
– Hide program in path directory as a common typo: la for ls
– Malicious user puts malicious ls in directory, and attracts superuser
• Malicious ls could make user the superuser
• Denning’s paper 1999
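The "la for ls" trick above only works when a directory the attacker can write to, or the current directory, is searched for commands. The Python PATH audit below is an added example, not from the deck; it assumes a hypothetical risky_path_entries function and a constructed pair of directories, and flags exactly the entries that let a planted binary be found first.

```python
import os
import stat
import tempfile


def risky_path_entries(path_value: str) -> list[tuple[str, str]]:
    """Return (entry, reason) pairs for PATH entries that would let a planted 'ls' or 'la' win."""
    findings: list[tuple[str, str]] = []
    for entry in path_value.split(os.pathsep):
        if entry in ("", "."):
            # An empty element or "." searches whatever directory the user is standing in.
            findings.append((entry or "<empty>", "current directory searched"))
            continue
        if not os.path.isabs(entry):
            findings.append((entry, "relative entry resolves against the current directory"))
            continue
        try:
            mode = os.stat(entry).st_mode
        except FileNotFoundError:
            # Not dangerous by itself, but worth review: someone may be able to create it later.
            findings.append((entry, "does not exist"))
            continue
        # World-writable without the sticky bit: any user can drop or replace a binary here.
        if mode & stat.S_IWOTH and not mode & stat.S_ISVTX:
            findings.append((entry, "world-writable without sticky bit"))
    return findings


def make_demo_dirs() -> tuple[str, str]:
    """Constructed fixture: a properly permissioned directory and a world-writable one."""
    base = tempfile.mkdtemp(prefix="path-audit-")
    safe = os.path.join(base, "safe")
    os.mkdir(safe, 0o755)
    loose = os.path.join(base, "loose")
    os.mkdir(loose)
    os.chmod(loose, 0o777)
    return safe, loose


if __name__ == "__main__":
    safe, loose = make_demo_dirs()
    for entry, reason in risky_path_entries(f".:{safe}:{loose}:"):
        print(f"{entry}: {reason}")
    # Audit the PATH this process actually runs with.
    for entry, reason in risky_path_entries(os.environ.get("PATH", "")):
        print(f"PATH: {entry}: {reason}")
```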

Page 152: Basics of Security and Attack

Login Spoofing

• Specialized case of Trojan Horse
– Attacker displays a custom screen that user thinks belongs to the system
– User responds by typing in user name and password
– Can be circumvented by key sequence that user programs cannot catch: e.g. CTRL+ALT+DEL in Windows

Page 153: Basics of Security and Attack

Logic Bombs

• Piece of code, in the OS or app, which is dormant until a certain time has elapsed or event has occurred
– Event could be missing employee record from payroll
• Could act as a Trojan Horse/virus once triggered
• Also called “slag code” or “time bomb”
• Recovery options for a firm include:
– Calling the police
– Rehiring the programmer

Page 154: Basics of Security and Attack

Trap Doors

• Code in system inserted by programmer to bypass normal check
• Ken Thompson “Reflections on Trusting Trust”
– Hole in UNIX system utility; enforced by C compiler

Page 155: Basics of Security and Attack

Buffer Overflow

• C compiler does no array bounds checking
– A number of programs are written in C
– Cracker can force his routine to run by violating array bounds

Page 156: Basics of Security and Attack

Policies, Standards & Baseline

• Security Policy – an overall general statement produced by senior management.

• Standards – Refers to mandatory activities, actions, rules or regulations.

• Baselines – Minimum level of security that is required. A consistent reference point.

• Guidelines – Recommended actions, Industry Best Practices.

• Procedures – Detailed step-by-step tasks developed to provide standardization of activities.

Page 157: Basics of Security and Attack

Common Threat Classification

[Figure: three layers of threats]
Network: threats against the network (spoofed packets, etc.)
Host: threats against the host (buffer overflows, illicit paths, etc.)
Application: threats against the application (SQL injection, XSS, input tampering, etc.)

Page 158: Basics of Security and Attack

Examples of Network Threats

Threat                   Examples
Information gathering    Port scanning
                         Using trace routing to detect network topologies
                         Using broadcast requests to enumerate subnet hosts
Eavesdropping            Using packet sniffers to steal passwords
Denial of service (DoS)  SYN floods
                         ICMP echo request floods
                         Malformed packets
Spoofing                 Packets with spoofed source addresses

Page 159: Basics of Security and Attack

Examples of Host Threats

Threat                                    Examples
Arbitrary code execution                  Buffer overflows in ISAPI DLLs (e.g., MS01-033)
                                          Directory traversal attacks (MS00-078)
File disclosure                           Malformed HTR requests (MS01-031)
                                          Virtualized UNC share vulnerability (MS00-019)
Denial of service (DoS)                   Malformed SMTP requests (MS02-012)
                                          Malformed WebDAV requests (MS01-016)
                                          Malformed URLs (MS01-012)
                                          Brute-force file uploads
Unauthorized access                       Resources with insufficiently restrictive ACLs
                                          Spoofing with stolen login credentials
Exploitation of open ports and protocols  Using NetBIOS and SMB to enumerate hosts
                                          Connecting remotely to SQL Server

Page 160: Basics of Security and Attack

Examples of Application Threats

Threat                  Examples
SQL injection           Including a DROP TABLE command in text typed into an input field
Cross-site scripting    Using malicious client-side script to steal cookies
Hidden-field tampering  Maliciously changing the value of a hidden field
Eavesdropping           Using a packet sniffer to steal passwords and cookies from traffic on unencrypted connections
Session hijacking       Using a stolen session ID cookie to access someone else's session state
Identity spoofing       Using a stolen forms authentication cookie to pose as another user
Information disclosure  Allowing client to see a stack trace when an unhandled exception occurs

Page 161: Basics of Security and Attack

OWASP Top Ten Web Vulnerabilities

• A1. Unvalidated Input
• A2. Broken Access Controls
• A3. Broken Authentication and Session Management
• A4. Cross Site Scripting Flaws
• A5. Buffer Overflows
• A6. Injection Flaws
• A7. Improper Error Handling
• A8. Insecure Storage
• A9. Denial of Service
• A10. Insecure Configuration Management

Page 162: Basics of Security and Attack

Session Management

• Authentication and Session Management:

• “Session hijacking”

• ‘Hijack’ another user session by intercepting or predicting any cookies sent by the site (allows impersonation by using established/authenticated access)

• How do you protect it?
– Integrity with hash?
– Encryption?
– Encode it with easily reversible scheme?
– Timeouts for length of session ID?
– Prohibit predictable session IDs and cookies

• Hackers will test it by:
– Logging on and off over and over again and across different times

Page 163: Basics of Security and Attack

Session Management

• Authentication and Session Management: Session Hijacking

1st Try:
rbcSetCookie("F100","1/WL2/6a0yKsQJ13A3B4NnSan97lZARQN69zCMZDoezJ5De0AX8bD5S5HScdvXE2DMuVESNApHR2SE5WNwRs4ngmvuEQ__/XQAAAA__/S0/PB", null, "/");

2nd Try:
rbcSetCookie("F100","1/WK2/H2BlqWdlkC28v8o1dYQkeA9l3p5hmAEK3LsHyree7gKBXvuWQgoGy52i5QDSsmOc4CasIZ7YqOBcUeuac96oyg__/XQAAAA__/S0/PB", null, "/");

• Things to try:
– Save code, modify and resubmit with new values
– Modify cookie
– Re-use same cookie 1 day later
– Test limits
– Test hidden forms and variables
– Change variables
– Expiry?
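The questions raised on the two session-management slides above (integrity with a hash, a timeout, unpredictable IDs, a cookie re-used a day later, a modified cookie) can all be answered by one cookie format. The Python code below is an added example, not from the deck; it assumes a hypothetical issue_session/verify_session pair, a constructed signing key, and user names that contain no dots.

```python
import base64
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Constructed server-side key; a real deployment keeps it out of the code and rotates it.
SERVER_KEY = b"constructed-session-signing-key"
SESSION_LIFETIME = 15 * 60  # seconds: the "timeout" the slide asks about


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_session(user: str, now: Optional[float] = None) -> str:
    """Cookie = user.sid.expiry.mac: random sid (unpredictable), expiry, HMAC over all three (integrity)."""
    if "." in user:
        raise ValueError("user names must not contain '.' (assumption of this example)")
    now = time.time() if now is None else now
    sid = _b64(secrets.token_bytes(16))  # 128 random bits; nothing here is derived from user or time
    expiry = str(int(now) + SESSION_LIFETIME)
    payload = f"{user}.{sid}.{expiry}"
    mac = _b64(hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).digest())
    return f"{payload}.{mac}"


def verify_session(cookie: str, now: Optional[float] = None) -> Optional[str]:
    """Return the user for a valid, unexpired, untampered cookie; None for anything else."""
    now = time.time() if now is None else now
    parts = cookie.split(".")
    if len(parts) != 4:
        return None
    user, sid, expiry, mac = parts
    payload = f"{user}.{sid}.{expiry}"
    expected = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).digest()
    try:
        presented = _unb64(mac)
    except ValueError:
        return None
    if not hmac.compare_digest(presented, expected):
        return None  # "Modify cookie": any change to user, sid or expiry breaks the MAC
    if not expiry.isdigit() or int(expiry) < now:
        return None  # "Re-use same cookie 1 day later": expired
    return user


def ids_look_random(cookies: list[str]) -> bool:
    """Crude check for the log-on-and-off-repeatedly test: no repeated sids, no shared 6-char prefixes."""
    sids = [c.split(".")[1] for c in cookies]
    if len(set(sids)) != len(sids):
        return False
    return all(a[:6] != b[:6] for i, a in enumerate(sids) for b in sids[i + 1:])


if __name__ == "__main__":
    cookie = issue_session("alice")
    print(cookie, verify_session(cookie), verify_session(cookie.replace("alice", "admin", 1)))
```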

Page 164: Basics of Security and Attack

Cross Site Scripting

• “Cross-Site Scripting”
– a web application takes input from a user but fails to validate the input
– the input is echoed directly in a web page
– input could be malicious JavaScript; when echoed and interpreted in the destination browser, any number of issues could result

Page 165: Basics of Security and Attack

Cross-Site Scripting (XSS) Attacks

• Modified URL
• URL parameters are modified on the URL to contain script code
– Input is not validated and displayed as entered on the resulting dynamic webpage
– XSS – Vulnerable Targets
• Weblogs (online journals)
• Web bulletin boards
• Chat rooms
• Guest books
• Web mail clients
• User confirmation forms in banking applications
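The modified-URL case above, with the vulnerable echo beside its escaped form, as an added Python example that is not from the deck; it assumes a hypothetical page that greets the visitor by the "name" query parameter, and a constructed sample URL.

```python
import html
from urllib.parse import parse_qs, urlparse


def render_unsafe(name: str) -> str:
    # Vulnerable: the parameter is echoed into the page exactly as received,
    # once in the body and once in an unquoted attribute value.
    return f"<p>Hello, {name}!</p><input value={name}>"


def render_safe(name: str) -> str:
    # Hardened: escape for the HTML body, and for an attribute that is both quoted and escaped.
    return f'<p>Hello, {html.escape(name)}!</p><input value="{html.escape(name, quote=True)}">'


def render_from_url(url: str, safe: bool = True) -> str:
    """Take the 'name' parameter from the URL and render it, as in the modified-URL case."""
    name = parse_qs(urlparse(url).query).get("name", [""])[0]
    return (render_safe if safe else render_unsafe)(name)


def contains_live_markup(page: str) -> bool:
    """Crude detection helper: would this output introduce a new tag or event handler?"""
    lowered = page.lower()
    return "<script" in lowered or " onerror=" in lowered or " onload=" in lowered


# Constructed sample: a URL whose name parameter carries script instead of a name.
SAMPLE_URL = "https://example.test/hello?name=%3Cscript%3Ealert(1)%3C/script%3E"


if __name__ == "__main__":
    print(render_from_url(SAMPLE_URL, safe=False))
    print(render_from_url(SAMPLE_URL, safe=True))
```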

Page 166: Basics of Security and Attack


XSS: Script Injection Demo

Page 167: Basics of Security and Attack


XSS: Script Injection Demo (Contd.)

Page 168: Basics of Security and Attack

SQL injection

SQL injection is a security vulnerability that occurs in the database layer of an application.

Trick to inject a Structured Query Language (SQL) query or command as input via web pages

SQL statements are “injected” into an existing SQL command

Injection occurs through malformed application input:
– Text box
– Query string
– Manipulated values in HTML

Page 169: Basics of Security and Attack

SQL injection

• Example of attack:
– SQL Query in Web application code:
  "SELECT * FROM users WHERE login = '" + userName + "' and password= '" + password + "';"
– Hacker logs in as: ' or '' = ''; --
  • SELECT * FROM users WHERE login = '' or '' = ''; --'; and password='';
– Hacker deletes the users table with: ' or '' = ''; DROP TABLE users; --
  • SELECT * FROM users WHERE login = '' or ''=''; DROP TABLE users; --'; and password='';

Page 170: Basics of Security and Attack

SQL Injection – The Problem

Expected:
Username: Akhi
Password: p@$$w0rd

SELECT COUNT(*) FROM Users WHERE username='Akhi' and password='p@$$w0rd'

The unexpected:
Username: ' OR 1=1 --
Password:

SELECT COUNT(*) FROM Users WHERE username='' OR 1=1 -- and password=''

Page 171: Basics of Security and Attack

References

• Network Security: A Hacker’s Perspective by A. Fadia, Course Technology, OH, 2003
• Network Security Fundamentals by P. Campbell, B. Calvert, S. Boswell, Course Technology, OH, 2003
• Cryptography and Network Security, 2nd edition by W. Stallings, Prentice Hall, NJ, 1999
• Web Security Basics by S. Bhasin, Course Technology, OH, 2003
• Principles of Information Security by M. Whitman, H. Mattord, Course Technology, OH, 2003
• http://www.cert.org/advisories
• louisville.edu/infosec/CIS480/Lectures/Attacks.ppt
• pages.cs.wisc.edu/~akella/CS640/F06/.../F06_Lecture25_security.ppt
• www.ietf.org/proceedings/05aug/slides/saag-3/saag-3.ppt
• www.cs.cornell.edu/Courses/cs414/2005sp/lectures/38-attacks.ppt
• Virtual Private Networks (VPN) by Diana Ashikyan, Nikhil Jerath, Connie Makalintal, Midori Murata

Page 172: Basics of Security and Attack


Thank You