Security Threat Update - The Newest Threats and How to Protect Against Them
Faculty: Scott Greene of Evidence Solutions, Inc.
Scott@EvidenceSolutions.com
www.EvidenceSolutions.com

► If builders built houses the way programmers built programs, the first woodpecker to come along would destroy civilization. - Gerald Weinberg

Protect the Information
Provide Access

Top 10 threat lists, by source:

Rank | Securities Technology | ASI | M86 | Daily Finance | SANS
1 | Mobile Devices | Default or Weak Passwords | Targeted Attacks | Mobile Threats | Targeted Malware
2 | C-Level Targets | SQL Injection | Social Media Scams | Embedded Hardware | Lack of Incident Response
3 | Social Media Cyber Threats | Excessive Privileges | Mobile Malware | Virtual Currency | IPv6
4 | You are infected | Too many DBMS features on | Third Party Exploits | OS Advances Steer Hackers | ARM (Mobile) Hacking
5 | Physical Can Be Digital | Broken Configuration Management | Exploit Kits & Malware | URL Hijacking | Social Engineering
6 | Cloud Computing | Buffer Overflows | Compromised Websites | Rogue Certs | Social Media
7 | Breaches will be shared | Privilege Escalation | Botnets | Cyber War | Compliance
8 | Zero Day Threats will increase | Denial of Service | Malware Spam | Hacktivism | Monitoring
9 | Insiders | Unpatched DBMS | Sporting Event Scams | Legalized Spam | Wireless Security
10 | Greater Regulation | Unencrypted data | Cloud Service Attacks | Industrial Attacks | Cloud Computing Threats

► March 30, 2012: Utah Department of Health
  ► Records leak
  ► 780,000 personal health records exposed
  Cause:
  ► Weak password on server

Spam & Attack Mitigation
► Log unsuccessful email attempts, both incoming and outgoing. Spear phishers often have to guess the mail format (e.g. firstname.lastname@xyz.com, lastname@xyz.com, FLastname@xyz.com, etc.); therefore it is likely the mail server will reject mis-formatted emails.
► This is likely the first sign your organization may be targeted.
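One way to turn the rejected-recipient logging described above into an alert, as an added example that is not part of the original presentation: the script groups recipient rejections by sender and flags senders whose rejected addresses look like several guesses at the same person's name. The log lines are constructed in a simplified "timestamp action from to" layout, not any particular mail server's format; the `LINE_RE` pattern is the part to adapt to your own server's log.

```python
"""Flag senders that probe several address formats for the same person.

Added example (not from the original presentation). The log lines below
are constructed in a simplified reject-log format; adapt LINE_RE to
your own mail server's log layout.
"""
import re
from collections import defaultdict

# Constructed sample: one outside sender tries several naming
# conventions for "John Smith"; another sender makes an ordinary typo.
SAMPLE_LOG = """\
2012-06-01T09:14:02Z reject from=<news@example-partner.net> to=<john.smith@xyz.com> reason=unknown_user
2012-06-01T09:14:05Z reject from=<news@example-partner.net> to=<jsmith@xyz.com> reason=unknown_user
2012-06-01T09:14:09Z reject from=<news@example-partner.net> to=<smith@xyz.com> reason=unknown_user
2012-06-01T09:14:12Z reject from=<news@example-partner.net> to=<smithj@xyz.com> reason=unknown_user
2012-06-01T10:02:40Z reject from=<alice@example.org> to=<bob.jnes@xyz.com> reason=unknown_user
2012-06-01T10:30:00Z accept from=<alice@example.org> to=<bob.jones@xyz.com>
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>reject|accept) from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)>"
)


def local_part_tokens(address):
    """Split the local part of an address into lowercase name fragments.

    'John.Smith@xyz.com' -> {'john', 'smith'}; 'jsmith@xyz.com' -> {'jsmith'}.
    """
    local = address.split("@", 1)[0].lower()
    return set(t for t in re.split(r"[._\-]+", local) if t)


def same_person_variants(rcpts):
    """Count recipient pairs that look like guesses at one name.

    Two addresses are linked if they share a name token (john.smith and
    smith) or one local part contains the other's longest token
    (jsmith contains smith).
    """
    tokens = [local_part_tokens(r) for r in rcpts]
    locals_ = [r.split("@", 1)[0].lower() for r in rcpts]
    linked = 0
    for i in range(len(rcpts)):
        for j in range(i + 1, len(rcpts)):
            longest_i = max(tokens[i], key=len, default="")
            longest_j = max(tokens[j], key=len, default="")
            if (tokens[i] & tokens[j]
                    or (longest_i and longest_i in locals_[j])
                    or (longest_j and longest_j in locals_[i])):
                linked += 1
    return linked


def find_address_probes(log_text, min_rejects=3):
    """Return {sender: [rejected recipients]} for senders whose rejects
    look like repeated guesses at one person's address format."""
    rejects = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group("action") == "reject":
            rejects[m.group("sender")].append(m.group("rcpt"))
    suspects = {}
    for sender, rcpts in rejects.items():
        if len(rcpts) >= min_rejects and same_person_variants(rcpts) >= 1:
            suspects[sender] = rcpts
    return suspects


if __name__ == "__main__":
    for sender, rcpts in find_address_probes(SAMPLE_LOG).items():
        print(f"possible spear-phishing probe from {sender}: {rcpts}")
```

The single typo from alice@example.org stays below the `min_rejects` threshold, so only the sender that worked through four spellings of one name is reported; that sender, and the person being guessed at, are what the following slides say to block and notify.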
► By reviewing logs shortly after trigger events, it is possible to learn whether attempts are being made; new rule sets can then be created to block the sender and alert the individual that they are being targeted.
► If it is determined there is an attack against an individual or group occurring, notify the individual or group.

Spam Mitigation
► http://www.spamhaus.org/statistics/networks/

Mobile Devices
► Including, but not limited to:
  Cellular phones
  Smartphones
  Tablets
  Laptops

Mobile Device Dangers
► What happens when a smartphone is lost: Symantec did a study where they "lost" 50 cell phones in 5 cities.
  ► 72% of people tried to access photos
  ► 57% tried to open a file named "Saved Passwords"
  ► 43% tried to open an app named "Online Banking"
  Only 50% of the finders attempted to reunite the phone with its owner.

Mobile Device Dangers
► There is a dramatic increase in malware designed to attack mobile devices that run Android.
► The total number of identified threats to Android devices more than quadrupled in the first quarter of 2012, reaching 8,000.
► Part of that increase, however, came from improved detection.

Mobile Phone Dangers
► Most mobile malware aimed at Android did not come from apps offered through the Google Play app marketplace.

Smart Phone Management
► Mobile Device Management (MDM)
  This product line secures, monitors, manages and supports mobile devices deployed across mobile operators, service providers and enterprises. MDM typically includes over-the-air distribution of applications, data and configuration settings for all types of mobile devices: mobile phones, smartphones, tablets, etc.
► This applies to both company-owned and employee-owned (BYOD) devices across the enterprise, and to mobile devices owned by consumers.
Smart Phone Management
► MDM abilities include:
  Inventory
  Updates
  Diagnostics
  Backup & Restore
  Asset Tracking
  Password Enforcement
  Encryption
  Remote Control / Management
  Remote Lock
  Remote Wiping
  Software Installation
  Locating and Breadcrumbing
  Software Whitelist / Blacklist
  Corp Data Tracking

Smart Phone Management
► Issues: User Consent / Policy
  ► General Policy
  ► Eligibility
  ► Acceptable Use
  ► Financial Responsibility
  ► Program Management
  ► Equipment

Smart Phone Management
► Acceptable use:
  While driving a motor vehicle
  Personal Use
  Use in Accordance with COMPANY Code of Conduct

Smart Phone Management
► Issues:
  Sandboxing of corporate data
  ► Makes employees feel good
  Rooting (some systems try to detect it)

Solutions
► Microsoft Exchange ActiveSync (EAS)
► Websense
► Blackberry Enterprise Server

Instant Messaging (IM)
► Text
► Webcams
► Voice
► Files

Instant Messaging (IM)
► Vulnerabilities
  Sending / Receiving sensitive data
  Viruses aimed at IM (Choke Virus)
► Antivirus tools at the gateway do not detect IM traffic and therefore will not see viruses that are received by users.
  Hackers have used IM networks to deliver:
  ► Phishing attempts
  ► Poison URLs
  ► Virus-laden files
  These deliveries are done by:
  ► Sending files that users execute; these could be viruses, trojans or spyware
  ► The use of "socially engineered" text & web addresses that entice the recipient to open a URL that then downloads malicious code.

Instant Messaging (IM)
The IM Security Center, a collaboration between security companies and corporations, has tracked attacks over IM since 2003 and shows well over 1000 distinct attacks over the public IM networks.
► Since 2007 there has been a steady increase in IM attacks.
► While still small, IM attacks continue to grow with the increased usage of IM.
► Couple that with the adoption of IM in the workplace, and IM becomes an attractive vector for hackers.
► Individuals and companies must take precautions to avoid infection.
Peer to Peer Networks (P2P)
► Peer to peer:
  Local shared network resources
  ► Location specific
  Wide area peer to peer networking software
  ► Anywhere in the world

Peer to Peer Networks (P2P)
► Many peer-to-peer networks are under constant attack in a variety of ways:
  Poisoning attacks, by supplying files with enticing names.
  Man-in-the-Middle (the attacker intercepts files by obtaining the communication between two different users. Attackers can go on to change the information or simply pass it on untouched. This is all done undetected.)
  Polluting attacks, by inserting "bad" chunks/packets into a valid file on the network (sometimes done by man in the middle).
  Defection attacks (attaching to networks where security is lax).
  Malware in the peer-to-peer network software itself: the software is distributed containing spyware or trojans.
  Denial of service attacks.
  Identity attacks (tracking down the users of the network and harassing or legally attacking them).
  Spamming (sending unsolicited information across the network; not necessarily as a denial of service attack and not necessarily e-mail).
  Sybil attacks (one malicious identity that can be presented as multiple identities, allowing the attacker to control a whole portion of the network).

Peer to Peer Networks (P2P)
Personal information is at risk because users expose certain files by putting them in shared document folders. These documents are at risk due to misplaced files, confusing interface design, incentives to share a large number of files, general laziness on the part of the user, wizards designed to determine media folders, and poor organization habits.

Peer to Peer Networks (P2P)
► Future Risks:
  Second generation peer-to-peer file sharing software now has the ability to search indexes using file names and information that is associated with the files. This makes it easy to search for "Bank Account" information.
  These can also search using regular expressions:
  ► 1=\<5\d\d\d[\-\. ](\d\d\d\d[\-\. ]){2}\d\d\d\d\>
  (a pattern matching a 16-digit number beginning with 5, written in groups of four separated by a hyphen, dot or space, i.e. the layout of a payment card number)

RSA InsecureIDs & Lockheed
► Lockheed said: "our systems remain secure"
  No customer data was compromised.
  No employee personal data has been compromised.
  No such assurance was given for:
  ► proprietary data
  ► military systems data

RSA InsecureIDs
As reported by The Christian Science Monitor, a DOD document states: "Any computer-based attack by an adversary nation that damages US critical infrastructure or US military readiness could be an 'act of war,' according to new Defense Department cyberwarfare policies that have yet to be officially unveiled."

RSA InsecureIDs
► Going back to just passwords, but making them strong ones and authenticating the endpoint: making sure that the machine a user is signing in from is the machine that user normally uses.

Google Hack
► Google announced that hackers have specifically targeted Gmail users who are U.S. government officials and military personnel.
► Why would government leaders use Gmail in the first place? U.S. government officials, after all, have access to official government email systems that have layer after layer of security.
► So how does Gmail, Google's cloud-based email service, come into play?

Google Vulnerabilities
► Eight vulnerabilities in Google services were revealed during the Hack in the Box conference in Amsterdam on Thursday 5/24/2012.
► That same group claims to have discovered more than 100 such bugs over the past few months.

Bot Nets
► "Bots" are a type of malware that allows an attacker to take control over an affected computer.
► Also known as "Web robots", bots are usually part of a network of infected machines linked by the internet.
► These victim machines make up a "Bot Net" that stretches across the globe.

Bot Nets
► Since a bot-infected computer follows its master's orders, such computers are generally referred to as "zombies".
► Cybercriminals that control these bots are called bot-herders or bot-masters.
► It is hard to detect bots on your network, until they leap into action.

Bot Nets
► Bot Nets might have a few hundred or a couple thousand computers, but others have tens and even hundreds of thousands of zombies at their disposal.
► Conficker / Downadup Worm

Bot Nets
► "Botnets are one of the greatest facilitators of cybercrime these days. Really the cybercrime arena is wrapped around botnets." -- Wendi Whitmore, special agent, Air Force Office of Special Investigations
In October 2006, a foreign hacker broke into a system at a water-filtration plant in Harrisburg, Pa., after an employee's laptop computer was compromised via the Internet and then used as an entry point to install malware on the plant's computer.

BYOD Policy
► Allowing employees to use their personal mobile devices for work-related tasks provides advantages:
  less laptop lugging
  easier connectivity
  potentially better interfaces
► It can also help an organization financially when the organization doesn't have to pay for:
  Smartphones
  Tablets
  Data plans

BYOD Policy
► The risks of BYOD include:
  security vulnerabilities
  support costs
  liability issues
► Organizations that allow employees to bring devices to work should have a well-defined BYOD policy and mechanisms to enforce it.

BYOD Policy
► Defining a BYOD policy:
  1) Define the scope of control the business expects to maintain over employee-owned devices.
  2) Acceptable use of corporate IT resources on mobile devices:
    Require VPN access
    Minimal security controls on the device
    The need for company-provided components
    ► Secure Sockets Layer (SSL) certificates for authentication
    Rights of the organization to alter the device (e.g., to remotely wipe a lost or stolen device)
    Encryption of data
    Prohibit storage of business data
    Prohibit storage of passwords, etc.

Unauthorized Hardware
► Hackers are constantly looking for targets: unprotected systems that are attached to networks.
► Do you know what's on your network? Users add things to networks all the time.
  Inventory often
  Control what is attached
  Do not hook up a system until it is configured

Unauthorized Hardware
► Solutions
  Maintain an accurate inventory of physical systems as they relate to your Asset Inventory
  ► Include:
    IP Address
    MAC Address
    Device Name
    Purpose
    Owner / Manager responsible
  Use and test Network Inventory software and / or hardware
  Test the operation often with a known rogue machine
  Test the delay before the machines are quarantined and users confronted.
  When alerts are received, treat them as important
  Safeguard the accurate database created by the software.
  Compare the software database with the physical asset list.
  Implement configuration management systems to ensure that all systems are safely patched.

Unauthorized Software
► Hackers & Bots are looking for software to compromise as well.
► Do you know what is on your users' machines?
  Have and manage to a White List of accepted software
  Document all exceptions

Unauthorized Software
► Solutions
  Maintain an accurate inventory of acceptable software
  ► Include:
    Manufacturer
    Version
    If an exception: Device Name, Purpose, Owner / Manager responsible
  Install software inventory & management tools
  ► Requirements should be:
    For Operating Systems
    ► Version
    ► Patches installed
    For Applications
    ► Type
    ► Manufacturer
    ► Version
    ► Patch Level
  ► The most effective tools include:
    Hash of known good versions
    Can prevent execution of anything not on the 'White List'
    Can validate the location of the file in the file system
    Allowed users
  Operating Systems
  ► Consistency is key
  ► Drivers should all be signed, and should only be from the manufacturers of the device installed.
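The "compare the software database with the physical asset list" step above, as an added example that is not part of the original presentation: a small reconciliation of what a network inventory sweep saw against the asset records (IP, MAC, name, purpose, owner) that the slides call for. Both data sets are constructed inline; `DISCOVERED` stands in for whatever your inventory tool exports, and the three outputs correspond to the alerts you would route to the quarantine step.

```python
"""Reconcile a discovered-device list against the asset inventory.

Added example (not part of the original presentation). Both data sets
are constructed inline: ASSET_INVENTORY stands in for the records the
slides call for (IP, MAC, device name, purpose, owner), and DISCOVERED
stands in for the output of a network inventory tool.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    ip: str
    mac: str
    name: str
    purpose: str
    owner: str


def norm_mac(mac):
    """Normalise MAC spellings (00-1A-2B..., 001a.2b..., 00:1a:2b...)."""
    hexdigits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


# Constructed asset inventory (the "physical asset list").
ASSET_INVENTORY = [
    Asset("10.0.1.10", "00:1A:2B:3C:4D:01", "fs01", "file server", "J. Doe"),
    Asset("10.0.1.11", "00:1A:2B:3C:4D:02", "db01", "database", "J. Doe"),
    Asset("10.0.1.50", "00:1A:2B:3C:4D:50", "ws-alice", "workstation", "A. Smith"),
    Asset("10.0.1.51", "00:1A:2B:3C:4D:51", "ws-bob", "workstation", "B. Jones"),
]

# Constructed discovery result, e.g. from an ARP/ping sweep tool:
# (ip, mac) pairs as seen on the wire.
DISCOVERED = [
    ("10.0.1.10", "00-1a-2b-3c-4d-01"),
    ("10.0.1.11", "00-1a-2b-3c-4d-02"),
    ("10.0.1.50", "00-1a-2b-3c-4d-50"),
    ("10.0.1.77", "d8-3a-dd-00-11-22"),   # not in inventory: rogue?
    ("10.0.1.51", "00-1a-2b-3c-4d-99"),   # known IP, different hardware
]


def reconcile(inventory, discovered):
    """Return three lists: unknown devices (ip, mac), inventoried IPs whose
    MAC changed (ip, name, old_mac, new_mac), and inventoried assets that
    were not seen on the network at all."""
    by_mac = {norm_mac(a.mac): a for a in inventory}
    by_ip = {a.ip: a for a in inventory}
    unknown, changed, seen_macs = [], [], set()
    for ip, mac in discovered:
        mac = norm_mac(mac)
        seen_macs.add(mac)
        if mac in by_mac:
            continue
        if ip in by_ip:
            # Same address, different MAC: re-imaged box, swap, or something
            # sitting on a known address. Either way, confirm with the owner.
            changed.append((ip, by_ip[ip].name, by_ip[ip].mac, mac))
        else:
            unknown.append((ip, mac))
    missing = [a for a in inventory if norm_mac(a.mac) not in seen_macs]
    return unknown, changed, missing


if __name__ == "__main__":
    unknown, changed, missing = reconcile(ASSET_INVENTORY, DISCOVERED)
    for ip, mac in unknown:
        print(f"ALERT unknown device {mac} at {ip}: quarantine and identify")
    for ip, name, old, new in changed:
        print(f"ALERT {name} ({ip}) MAC changed {old} -> {new}: verify with owner")
    for a in missing:
        print(f"INFO {a.name} ({a.ip}) not seen; confirm it is off or decommissioned")
```

Run against the constructed data it reports one unknown device at 10.0.1.77, a MAC change on ws-bob's address, and ws-bob itself as unseen; the second and third findings together are the pattern of a user swapping their own hardware onto an inventoried address, which is exactly the "known rogue machine" test the slides recommend rehearsing.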
Harden Workstations & Servers
► Systems that are installed, hooked up and not properly secured pose a significant threat.
► Solutions
  Ideally have your hardware vendor set up the machines with an image that is created / updated on a regular basis.
  Install from a secure server that contains updated images of what should be on a machine.
  Remove all extraneous users that come with the OS
  Shut down and remove all extra services
  Shut down all unused ports
  Install local firewall software & configure it
  Run assessment programs regularly
  Test with systems that aren't configured correctly
  Test by injecting systems that are configured correctly

Harden Devices
► Secure configurations of network devices such as firewalls, routers, and switches. While on the radar, they are rarely double-checked after configuration.
► Hackers have automated tools looking for holes in the perimeter as well as in internal devices.
► Secure Firewall Configurations
  Auditing
  75% of firewalls have rules that are not required
  50% of those are dangerous
► Solutions
  Create a standard configuration document
  Follow the standard configuration document
  Filter all un-needed services
  Exceptions, when required, should have a time limit or a review period
  Log, log, log
  Monitor & review
  Use penetration tools regularly
  ► Test from the outside world & the inside world
  All devices should use encrypted configuration logins
  Use separate physical networks where possible
  Use VLANs where physically separating the networks is not possible.
► "A network of hackers, most based in China, have been making up to 70,000 attempts a day to break into the NYPD's computer system, the city's Commissioner, Raymond Kelly, revealed Wednesday."

Log Log Log
► Many incidents can be readily revealed with a bit of logging and analysis of those logs.
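What "a bit of logging and analysis" looks like when two devices log the same incident in different time zones, as an added example that is not from the original presentation: a border firewall writing UTC and a server writing local time are converted into one common record format with a unified clock, then correlated by source address. Both log excerpts are constructed, and the two regular expressions describe those constructed layouts rather than any vendor's real format.

```python
"""Normalise timestamps from two log sources and correlate by source IP.

Added example, not from the original presentation. The two log excerpts
are constructed: the border firewall writes UTC, the server writes
local time (UTC-4). The common-format record is a tuple
(utc_time, device, event, src_ip), which is what a converter to a
"common log format" would produce.
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed firewall log (timestamps already in UTC, +00:00).
FIREWALL_LOG = """\
2012-06-01T13:00:01+00:00 fw01 ALLOW tcp 198.51.100.7:51022 -> 10.0.1.20:22
2012-06-01T13:00:03+00:00 fw01 ALLOW tcp 198.51.100.7:51023 -> 10.0.1.20:22
2012-06-01T13:00:04+00:00 fw01 ALLOW tcp 198.51.100.7:51024 -> 10.0.1.20:22
2012-06-01T13:05:00+00:00 fw01 BLOCK tcp 203.0.113.9:4444 -> 10.0.1.20:3389
"""

# Constructed server auth log (local time, UTC-4, so 09:00 local = 13:00 UTC).
SERVER_LOG = """\
2012-06-01T09:00:01-04:00 srv20 sshd: Failed password for root from 198.51.100.7
2012-06-01T09:00:03-04:00 srv20 sshd: Failed password for admin from 198.51.100.7
2012-06-01T09:00:04-04:00 srv20 sshd: Failed password for admin from 198.51.100.7
2012-06-01T09:20:00-04:00 srv20 sshd: Accepted publickey for alice from 10.0.1.50
"""

FW_RE = re.compile(r"^(\S+) (\S+) (ALLOW|BLOCK) \S+ (\d+\.\d+\.\d+\.\d+):\d+ -> (\S+)")
AUTH_RE = re.compile(r"^(\S+) (\S+) sshd: (Failed|Accepted) \S+ for (\S+) from (\d+\.\d+\.\d+\.\d+)")


def to_utc(stamp):
    """Parse an ISO-8601 timestamp with offset and return it in UTC."""
    return datetime.fromisoformat(stamp).astimezone(timezone.utc)


def normalise(fw_text, auth_text):
    """Convert both logs into sorted (utc_time, device, event, src_ip) records."""
    records = []
    for line in fw_text.splitlines():
        m = FW_RE.match(line)
        if m:
            records.append((to_utc(m[1]), m[2], f"fw_{m[3].lower()}", m[4]))
    for line in auth_text.splitlines():
        m = AUTH_RE.match(line)
        if m:
            records.append((to_utc(m[1]), m[2], f"ssh_{m[3].lower()}:{m[4]}", m[5]))
    return sorted(records)


def correlate(records, window=timedelta(minutes=5), threshold=3):
    """Find source IPs with >= threshold failed logins inside `window`
    and attach the other devices' records for the same IP and window."""
    findings = {}
    failures = [r for r in records if r[2].startswith("ssh_failed")]
    for i, (t0, _, _, ip) in enumerate(failures):
        burst = [r for r in failures[i:] if r[3] == ip and r[0] - t0 <= window]
        if len(burst) >= threshold and ip not in findings:
            lo, hi = t0 - window, burst[-1][0] + window
            related = [r for r in records
                       if r[3] == ip and r[1] != burst[0][1] and lo <= r[0] <= hi]
            findings[ip] = {"failed_logins": len(burst), "border_events": related}
    return findings


if __name__ == "__main__":
    recs = normalise(FIREWALL_LOG, SERVER_LOG)
    for t, dev, ev, ip in recs:
        print(t.isoformat(), dev, ev, ip)
    for ip, f in correlate(recs).items():
        print(f"\n{ip}: {f['failed_logins']} failed SSH logins; "
              f"{len(f['border_events'])} matching border-firewall records")
```

Without the conversion to a single clock the server's 09:00 entries and the firewall's 13:00 entries would never line up; with it, the three firewall ALLOW records and the three failed logins from 198.51.100.7 fall inside one five-minute window and come out as a single finding.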
Logs
► Solutions
  Almost everything that has a log should have the log turned on.
  Logs should include:
  ► Date/time
  ► Source IP
  ► Destination IP
  ► Port
  ► Etc.
  Use standard SYSLOG entries or use software that converts logs to a common log format.
  Store logs for a while; space & DVDs are cheap.
  Create systems & procedures for analyzing logs.
  ► These systems should have 'normal' items and 'abnormal' items
  All remote access logging:
  ► should be in detail
  ► should be rigorously analyzed.
  All security alerts should be logged:
  ► Workstations
  ► Servers
  ► Devices
  Use unified time
  ► This allows logs to be matched up across many devices and / or networks.
  Border devices
  ► Should log verbosely
  ► Should log all traffic, blocked and allowed
  Logs should be secured:
  Logs should be exported & saved on Write Once devices, or
  Logs should be written to dedicated logging servers, with separate security credentials.
  Test the logs and review after:
  ► Normal / acceptable traffic
  ► Pushing the system
  ► Attempting to penetrate the network, from inside and from outside
  ► Compare and correlate the data on all of the logs for validity.
  Review
  ► Logs every day
  ► Use automated tools to analyze large amounts of data.
  Test
  ► Attack a system
  ► Test the response time: discovery, and action taken on the attack.

Malware
► 6 million+ unique malware samples were identified in the first quarter of 2011, a 26% increase from Q1 of 2010 and far exceeding any first quarter in malware history.
► 70,000 new malware strains are detected every day.
► McAfee says that PC malware had its "busiest quarter in recent history," in their quarterly security report released Wednesday 5/23/2012.
► Malware targeting Apple computers also continued to rise steadily. New malware for the Mac exploded in the second quarter of 2011, but this last quarter saw the most new cases since then, with about 250.

What exactly is a RootKit?
► A rootkit is a software/hardware application that enables continued privileged access to a computer while actively concealing its presence from authorized users and administrators.
► The term rootkit is used to describe the mechanisms and techniques whereby malware, including viruses, spyware, and trojans, attempt to hide their presence from spyware blockers, antivirus, and system management utilities. There are several rootkit classifications depending on whether the malware survives reboot and whether it executes in user mode or kernel mode.

Persistent Rootkits
► Persistent rootkits activate each time the system boots.
► Because persistent rootkits start automatically at each system start or when a user logs in, they must store code in a persistent store, such as the Registry or file system, and they execute without user intervention.

Memory-Based Rootkits
► Memory-based rootkits have no persistent code and therefore do not survive a reboot.

User-mode Rootkits
► These rootkits usually intercept user-centered Operating System information and provide results that prevent the user from seeing the rootkit executable files and libraries.
► In this case the Windows native API serves as the interface between user-mode client software and kernel-mode services.
► The most sophisticated user-mode rootkits intercept File System, Registry, and System Process functions of the Native Windows API, preventing the detection of the rootkit.

Kernel-mode Rootkits
► These rootkits are usually the most powerful since they can intercept the native API in kernel mode, but they can also directly manipulate kernel-mode data.
► Kernel rootkits hide their presence by removing the process from the kernel's list of active processes. These rootkits will normally be absent from the Task Manager.

A Brief History of RootKits
► The first Windows rootkit, called NTRootkit, appeared in 1999 on NT.
► HackerDefender followed in 2003.
► The first Mac rootkit targeting OS X appeared in 2009.
► And the Stuxnet worm was the first to target programmable logic controllers (PLC).
► And then there was: the Sony BMG copy protection rootkit.

Our Protected Environments
► Classic Perimeter
  Firewall
  ACL (port and web filter)
  IDS / NIPS / HIDS
  Proxy
► Patch Control
► Personal Firewalls

Our Protected Environments...
► Rootkits still penetrate.
► Even proxies, Websense and IE lockdowns are not a perfect solution.
► Volume so high and attackers so sophisticated, that a tiny percentage gets through...
► It is estimated that:
  In a 24 hour period
  Of 44K web sessions
  Accessing 10K hosts
  Approx 20 web exploits were discovered
► So what? .04%? Big deal!

Limit Administrators
► All too often users are granted "Administrator" privileges on networks, servers & workstations. When they do have this access associated with one of their accounts, they tend to use the account with Administrative privileges.

Limit Administrators
► Solutions
  Monitor and log all users that need 'administrator' (and Super User) access.
  Create multiple accounts for such users and encourage them to use the 'administrator'-capable user only when required by their job.
  Require such users to have STRONG passwords.
  Remote 'administrator' access should be prevented.
  ► Once connected with a non-administrator account, users can log in to additional systems with their 'administrator' account.
  Audit / confirm
  ► Audit all users with 'Administrator' capabilities often.
  ► Remove such privileges when they are no longer needed by the user.
  ► Review logs to ensure that users are not abusing the rules with their privileged accounts:
    Reading e-mail
    Browsing the Internet
  Educate 'Administrator' users about social engineering techniques.
  Attempt to Social Engineer 'Administrator' users.
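The log review called for above (privileged accounts reading e-mail or browsing the Internet), as an added example that is not part of the original presentation: a pass over web-proxy log lines that reports any administrator account seen browsing or opening webmail. The account names, the "adm-" naming convention, the proxy-log layout and the list of mail hosts are all constructed assumptions; substitute your own directory export and proxy format.

```python
"""Flag privileged accounts seen browsing or reading mail via the proxy.

Added example, not from the original presentation. The account list and
the log lines are constructed; the proxy-log layout is a simplified
"timestamp user client_ip method url" format, not any specific product's.
"""
import re
from collections import defaultdict

# Constructed: the accounts that carry administrator rights. Naming
# convention assumed here: ordinary account 'bob', admin twin 'adm-bob'.
ADMIN_ACCOUNTS = {"adm-bob", "adm-alice", "svc-backup", "Administrator"}

# Constructed proxy log: most browsing is by ordinary accounts; one
# admin account browses the news and opens webmail.
PROXY_LOG = """\
2012-06-01T08:01:10Z bob 10.0.1.51 GET http://intranet.example.test/
2012-06-01T08:05:22Z adm-bob 10.0.1.51 GET http://news.example.test/
2012-06-01T08:06:40Z adm-bob 10.0.1.51 GET https://webmail.example.test/inbox
2012-06-01T08:07:02Z alice 10.0.1.50 GET http://intranet.example.test/
2012-06-01T09:15:00Z svc-backup 10.0.1.10 GET http://updates.vendor.example.test/patch.msi
"""

PROXY_RE = re.compile(r"^(?P<ts>\S+) (?P<user>\S+) (?P<ip>\S+) (?P<method>\S+) (?P<url>\S+)$")
# Constructed: host prefixes that mean "reading mail in a browser".
MAIL_HOSTS = ("webmail.", "mail.", "owa.")


def host_of(url):
    """Extract the host name from a URL without any library dependency."""
    return url.split("//", 1)[-1].split("/", 1)[0].lower()


def classify(url):
    """Label a request as e-mail reading or general web browsing."""
    return "email" if host_of(url).startswith(MAIL_HOSTS) else "web"


def admin_web_use(log_text, admin_accounts, allowed=()):
    """Return {account: {'email': n, 'web': n, 'hosts': [...]}} for admin
    accounts that browse or read mail. `allowed` lists host substrings
    that are acceptable for privileged accounts (e.g. a patch mirror)."""
    hits = defaultdict(lambda: {"email": 0, "web": 0, "hosts": []})
    for line in log_text.splitlines():
        m = PROXY_RE.match(line)
        if not m or m["user"] not in admin_accounts:
            continue
        url = m["url"]
        if any(a in host_of(url) for a in allowed):
            continue
        hits[m["user"]][classify(url)] += 1
        hits[m["user"]]["hosts"].append(host_of(url))
    return dict(hits)


if __name__ == "__main__":
    report = admin_web_use(PROXY_LOG, ADMIN_ACCOUNTS,
                           allowed=("updates.vendor.example.test",))
    for user, info in report.items():
        print(f"{user}: {info['web']} web request(s), {info['email']} e-mail request(s) "
              f"via {sorted(set(info['hosts']))}")
```

With the patch mirror listed as an allowed host the service account drops out and only adm-bob is reported, which is the conversation the slides want you to have with that user; remove the `allowed` entry and the script also shows which hosts the service account reaches, which is useful when deciding what an exception should cover.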
Limit Administrators
► Solutions
  Require two factor authentication for all Administrator accounts
  Use roles / groups to segregate responsibilities
  ► Workstation Administrators only have access to administration of workstations, laptops, etc.
  ► Domain administrators only have administrator access to servers
  Audit Processes
  ► Look at all processes that have 'Administrator' privileges. Reduce to only what is required.
  ► Review logs that have detailed entries often to determine if any rogue 'Administrators' or 'Administrator'-privilege software exist in your domain.
► Make being logged in as an administrator as annoying as you can:
  No email access
  No Web Access
  1 minute to lock machine in Screen Saver

People People People
► Organizations with educated users have fewer problems.

Threats to organizations
► Social engineering
► Sloppy users
  End users are fooled into opening attachments and loading software from untrusted sites, visiting web sites where they are infected, and more.
  System administrators are also fooled like normal users, but are also tested when:
  ► unauthorized accounts are set up on their systems
  ► unauthorized equipment is attached
  ► large amounts of data are exfiltrated.
  Security operators and analysts are hit with new and innovative attacks involving:
  ► sophisticated privilege escalation
  ► redirection
  ► other attacks, along with a continuous stream of more traditional attacks (they get distracted).
  Application programmers are tested by criminals who find and exploit the vulnerabilities they leave in their code.
► Stubborn Organizations
  System owners are tested when they are asked to invest in cyber security but are unaware of, or refuse to accept, the devastating impact a compromise and data exfiltration or data alteration would have on their mission.

Social Engineering
► Methods
  1) Call the help desk to find out the secret questions, using a non-target.
  2) Gather up the target's secret question answers.
  3) Once they have that, get the help desk to change the password.
  4) Then call the target and inform them about the change.
► Methods: QUICK CHANGE
  ► 1) Help the user change their password by intimating that you are from the help desk,
  ► 2) and then tell the user not to reveal their current password for security purposes.
► Methods
  Give out a USB flash drive with malicious code
  Get a keylogger with Bluetooth

Social Media
► Policy
  A single person or limited persons who can post
  Policy about what they can post
► On the Internet... nobody knows you're a dog. And increasingly, nobody knows you're a hacker.

Events & Social Engineering
► Just over one year ago: Osama Bin Laden's death was a party for spammers and fake AV scammers.

Events & Social Engineering
► This year:
  Month | Date | Event | Location
  May | 18-19 | G8 Summit | Camp David
  May | 20-21 | NATO Summit | Chicago, IL
  June | 18-20 | G-20 Summit | Los Cabos, Mexico
  July / August | 27 to 12 | Summer Olympics | London
  August | 27-30 | Republican National Conv. | Tampa, FL
  September | 03-06 | Democratic National Conv. |
  Charlotte, NC
  November | 18-19 | Asia Pacific Economic Summit | Russky Island

Events & Social Engineering
► Based on history, malicious persons will capitalize on these high profile events to collect intelligence, distribute spam and/or draw attention to ideological causes.
► Some foreign intelligence services will likely use socially engineered spear-phishing emails to masquerade as a trustworthy entity and target individuals affiliated with these events.
► Normally targeting begins as early as months before the event and may continue until weeks after the event concludes.
► These targeted activities are an effort to collect economic and political strategies, talking points, and related intelligence concerning the event, the countries and the key personalities in attendance, in order to negotiate and compete from a position of strength.

Events & Social Engineering
► These events may also become prime spam content for criminals seeking financial gain.
► The spam may be used to distribute malware or phish PII or financial information.
► Phishing and scams imitating official 2012 Olympic correspondence or offering tickets have already begun circulating in the wild.
► Lastly, hacktivists have defaced and disrupted the websites of conference-related financial, corporate, and government entities to promote their ideological positions.
► It is probable that hacktivists will conduct similar activities during the summits.

Mitigation
► Train users to be wary of unsolicited attachments, even from people they know. Just because an email message looks like it came from a familiar source does not mean it did: malicious persons often "spoof" the return address, making it look like the message came from someone else.
► Check with the person who supposedly sent the message to make sure it's legitimate before opening any attachments.
  This also includes email messages that appear to be from your Internet Service Provider (ISP) or software vendor claiming to include patches or anti-virus software. ISPs and software vendors do not send patches or software in email.

Mitigation
► Keep software up to date - Install software patches so that attackers can't take advantage of known problems or vulnerabilities (see US-CERT Security Tip ST04-006, Understanding Patches, for more information). Many operating systems offer automatic updates. If this option is available, you should enable it.
► Teach your employees to trust their instincts - If an email or attachment seems suspicious, don't open it, even if your antivirus software indicates that the message is virus free.
► Attackers are constantly releasing "zero-days", and most likely your anti-virus software does not have a signature for them yet.

Top 25 Programming Errors
► CATEGORY: Insecure Interaction Between Components

CWE-20: Improper Input Validation
► It's the number one killer of healthy software, so you're just asking for trouble if you don't ensure that your input conforms to expectations.

CWE-116: Improper Encoding or Escaping of Output
► Computers have a strange habit of doing what you say, not what you mean. Insufficient output encoding is the often-ignored sibling to poor input validation, but it is at the root of most injection-based attacks, which are all the rage these days.

CWE-89: Failure to Preserve SQL Query Structure (aka 'SQL Injection')
► If attackers can influence the SQL that you use to communicate with your database, then they can.

CWE-79: Failure to Preserve Web Page Structure (aka 'Cross-site Scripting')
► Cross-site scripting (XSS) is one of the most prevalent, obstinate, and dangerous vulnerabilities in web applications.
CWE-78: Failure to Preserve OS Command Structure (aka 'OS Command Injection')
► When you invoke another program on the operating system, but you allow untrusted inputs to be fed into the command string that you generate for executing the program, then you are inviting attackers.

Top 25 Programming Errors
► CATEGORY: Insecure Interaction Between Components

CWE-319: Cleartext Transmission of Sensitive Information
► If your software sends sensitive information across a network, such as private data or authentication credentials, that information crosses many systems and components. If sent in clear text, it is interceptable.

CWE-352: Cross-Site Request Forgery (CSRF)
► With cross-site request forgery, the attacker gets the victim to activate a request that goes to your site. Thanks to scripting and the way the web works in general, the victim sends data from his browser to your site for someone else.

CWE-362: Race Condition
► Attackers will consciously look to exploit race conditions to cause chaos or get your application to cough up something valuable.

CWE-209: Error Message Information Leak
► If you use chatty error messages, then they could disclose secrets to any attacker who dares to misuse your software. The secrets could cover a wide range of valuable data that allows a hacker entry into your database.

Top 25 Programming Errors
► CATEGORY: Risky Resource Management

CWE-119: Failure to Constrain Operations within the Bounds of a Memory Buffer
► Buffer overflows are Mother Nature's little reminder of that law of physics that says if you try to put more stuff into a container than it can hold, you're asking for trouble.

CWE-642: External Control of Critical State Data
► There are many ways to store user state data without the overhead of a database. Unfortunately, if you store that data in a place where an attacker can access temporary data and modify it, they may be able to pass parameters and information that they should not be able to.
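The three injection entries above (CWE-89 SQL injection, CWE-79/CWE-116 cross-site scripting via missing output encoding, and CWE-78 OS command injection) share one root cause: untrusted text is spliced into a structure that has its own grammar. The following added example, which is not from the original presentation or the CWE/SANS list, puts the vulnerable form of each beside the corrected form. It uses an in-memory SQLite table and the `echo` command so that it runs offline; the account rows, the comment text and the `NAME_RE` validation rule are constructed for the demonstration.

```python
"""Vulnerable and corrected versions of three injection patterns
(CWE-89, CWE-79/116, CWE-78) side by side.

Added example, not from the original presentation. It uses an in-memory
SQLite table and the `echo` command so it runs offline; the account
rows and the inputs are constructed.
"""
import html
import re
import sqlite3
import subprocess


def make_db():
    """Constructed user table: one admin, two ordinary users."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, role TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    return db


# --- CWE-89: the query is built by string concatenation --------------
def find_role_unsafe(db, name):
    sql = "SELECT role FROM users WHERE name = '" + name + "'"
    return [r[0] for r in db.execute(sql)]


# --- fix: the value travels as a bound parameter, never as SQL text ---
def find_role_safe(db, name):
    return [r[0] for r in db.execute("SELECT role FROM users WHERE name = ?", (name,))]


# --- CWE-79 / CWE-116: user text dropped straight into the page -------
def render_comment_unsafe(comment):
    return '<p class="comment">' + comment + "</p>"


# --- fix: encode for the HTML context the text lands in ---------------
def render_comment_safe(comment):
    return '<p class="comment">' + html.escape(comment, quote=True) + "</p>"


# --- CWE-78: input is spliced into a shell command line ---------------
def greet_unsafe(name):
    out = subprocess.run("echo Hello " + name, shell=True,
                         capture_output=True, text=True)
    return out.stdout


# --- fix: validate, then pass the value as one argv element; no shell --
NAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9 _-]{0,30}$")   # constructed allow-list


def is_valid_name(name):
    return NAME_RE.match(name) is not None


def greet_safe(name):
    if not is_valid_name(name):
        raise ValueError("name contains characters outside the allowed set")
    out = subprocess.run(["echo", "Hello", name], capture_output=True, text=True)
    return out.stdout


if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"
    print("unsafe SQL returns", find_role_unsafe(db, probe))   # every row
    print("safe SQL returns", find_role_safe(db, probe))       # nothing
    print(render_comment_unsafe("<script>alert(1)</script>"))
    print(render_comment_safe("<script>alert(1)</script>"))
    print(greet_unsafe("world; echo INJECTED").rstrip())       # two lines
    print(greet_safe("world").rstrip())                        # one line
```

The corrected versions do not try to strip "bad" characters from the input; each hands the untrusted value to the underlying layer in a form that cannot change the structure (a bound parameter, an HTML-encoded string, a single argv element). The allow-list check in `greet_safe` is the CWE-20 input-validation layer on top of that, not a substitute for it.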
CWE-73: External Control of File Name or Path
► When you use an outsider's input while constructing a filename, you're taking a chance. If you're not careful, an attacker could send files and information that they should not normally be able to send.

CWE-426: Untrusted Search Path
► If a resource search path is under attacker control, then the attacker can modify it to point to resources of the attacker's choosing. This causes the software to access the wrong resources at the wrong time.

CWE-94: Failure to Control Generation of Code (aka 'Code Injection')
► For ease of development, sometimes you can't beat using a couple of lines of code to employ lots of functionality. It's even cooler when you can pass additional 'dynamic' code to the application for it to run.

Top 25 Programming Errors
► CATEGORY: Risky Resource Management

CWE-494: Download of Code Without Integrity Check
► You don't need to be a guru to realize that if you download code and execute it, you're trusting that the source of that code isn't malicious.

CWE-404: Improper Resource Shutdown or Release
► When your precious system resources have reached their end-of-life, you need to remove, release or shut them down properly to allow the system to reuse those resources.

CWE-665: Improper Initialization
► Just as you should start your day with a healthy breakfast, proper initialization helps to ensure that code will run properly.

CWE-682: Incorrect Calculation
► When attackers have some control over the inputs that are used in numeric calculations, this weakness can lead to vulnerabilities. It could cause you to make incorrect security decisions. Overflows, etc.

Top 25 Programming Errors
► CATEGORY: Porous Defenses

CWE-285: Improper Access Control (Authorization)
► If you don't ensure that your software's users are only doing what they're allowed to, then attackers will try to exploit your improper authorization and exercise unauthorized functionality that you only intended for restricted users.
CWE-327: Use of a Broken or Risky Cryptographic Algorithm
► You may be tempted to develop your own encryption scheme in the hopes of making it difficult for attackers to crack. This kind of grow-your-own cryptography is a welcome sight to attackers. Use standard encryption routines and algorithms.

CWE-259: Hard-Coded Password
► Hard-coding a secret account and password into your software's authentication module is an easy thing to hack. Further, it prevents the password from being readily changed.

CWE-732: Insecure Permission Assignment for Critical Resource
► If you have critical programs, data stores, or configuration files with permissions that make your resources accessible to the world - well, that's just what they'll become: accessible to the world.

CWE-330: Use of Insufficiently Random Values
► If you use security features that require good randomness, but you don't provide it, then you'll have attackers laughing all the way to the bank. Imagine how quickly a Las Vegas casino would go out of business if gamblers could predict the next roll of the dice, spin of the wheel, or turn of the card.

CWE-250: Execution with Unnecessary Privileges
► Spider Man said "With great power comes great responsibility." Your software may need special privileges to perform certain operations, but wielding those privileges longer than necessary can be extremely risky.

CWE-602: Client-Side Enforcement of Server-Side Security
► Remember that underneath that fancy GUI, it's just code. Attackers can reverse engineer your client and write their own custom clients that leave out certain inconvenient features like all those pesky security controls. The server must enforce the same security controls as the client.
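The CWE-327, CWE-259 and CWE-330 points above together, as an added example that is not part of the presentation: the weak login keeps a password literal in source, while the hardened pair stores only a PBKDF2-HMAC-SHA256 digest (a standard algorithm from the Python standard library) with a salt drawn from the OS CSPRNG and compares in constant time. The iteration count and the storage format are assumptions for the illustration.

```python
"""CWE-327 / CWE-259 / CWE-330 illustration (added example, not from the presentation).

weak_login() shows the flaw: a secret literal in source that cannot be rotated.
hash_password()/verify_password() show the fix: a standard KDF, a CSPRNG salt,
and a constant-time comparison, with nothing secret stored in the code.
"""
import hashlib
import hmac
import secrets

SCHEME = "pbkdf2_sha256"
DEFAULT_ITERATIONS = 200_000   # assumption for this example; tune to your hardware
SALT_BYTES = 16


def weak_login(user: str, password: str) -> bool:
    """CWE-259: anyone with the binary or source can read the secret."""
    return user == "admin" and password == "s3cret-constructed"   # constructed literal


def hash_password(password: str, iterations: int = DEFAULT_ITERATIONS) -> str:
    """Return 'scheme$iterations$salt_hex$digest_hex' using a fresh random salt."""
    salt = secrets.token_bytes(SALT_BYTES)        # CSPRNG (CWE-330), not random.random()
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{SCHEME}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest from the stored salt and compare without early exit."""
    try:
        scheme, iter_s, salt_hex, digest_hex = stored.split("$")
        iterations = int(iter_s)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
    except ValueError:                             # wrong field count, bad int, bad hex
        return False
    if scheme != SCHEME or iterations < 1 or not salt or not expected:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)   # constant-time comparison
```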
Top 25 Programming Errors
► Resources to Help Eliminate The Top 25 Errors
► cwe.mitre.org/top25/

Multi Factor Authentication
► Biometrics
► Key cards
► RSA Keys

Miscellaneous topics
► Internal hackers
► Filtering of e-mail at the border or beyond
► Flash drives
► Open Source applications
► User level threats

Resources
► Microsoft's Web Application Configuration Analyzer (just released 2.0) scans IIS servers, hosted applications and SQL Server instances for common security issues and mis-configurations.

Resources
► Foundstone (a McAfee organization)
► Google diggity
► Bing diggity
► Stach & Liu used Google trends:
► Stachliu.com/index.php/resources/tools/googlehackingtools

Resources
► Free Windows rootkit detection tools: Sysinternals Rootkit Revealer, Avast! Antivirus, Sophos Anti-Rootkit, F-Secure Blacklight, MalwareBytes, HijackThis, Kaspersky removal tool

Resources
► Infragard
► NIST

Disclaimer
► Scott Greene and Evidence Solutions are not recommending that you leave your current job to find one of the following jobs:

Top 20 Coolest Jobs in IT
► 1 Information Security Crime Investigator/Forensics Expert
► 2 System, Network, and/or Web Penetration Tester
► 3 Forensic Analyst
► 4 Incident Responder
► 5 Security Architect
► 6 Malware Analyst
► 7 Network Security Engineer
► 8 Security Analyst
► 9 Computer Crime Investigator

Top 20 Coolest Jobs in IT
► 10 CISO/ISO or Director of Security
► 11 Application Penetration Tester
► 12 Security Operations Center Analyst
► 13 Prosecutor Specializing in Information Security Crime
► 14 Technical Director and Deputy CISO
► 15 Intrusion Analyst
► 16 Vulnerability Researcher/Exploit Developer
► 17 Security Auditor
► 18 Security-savvy Software Developer
► 19 Security Maven in an Application Developer Organization
► 20 Disaster Recovery/Business Continuity Analyst/Manager

► Computers are like Old Testament gods; lots of rules and no mercy.
- Joseph Campbell

► The Million Dollar Homepage is a website conceived in 2005 by 21-year-old student Alex Tew from Wiltshire, England, to raise money for his university education. The home page consists of a million pixels arranged in a 1000 × 1000 pixel grid; the image-based links on it were sold for $1 per pixel in 10 × 10 blocks.

Evaluation
► I value your comments. Please fill in your evaluation form found at the end of your packet.

Scott Greene: Other topics available
► Computer Forensics
► Computer Forensics for Defense Attorneys
► Personal Privacy in the Information Age
► High Technology: Just where is technology going?
► Bypassing Security: How They Steal Company Data
► Fundamentals of Digital Forensics
► Technology Forensics: Theory & Potential... is it Science or Art?
► Technology Forensics: Case Examples
► Technology Forensics: Intellectual property and identity theft
► Technology Forensics: Hardware and Software tools / Show and Tell
► Portable Devices Issues and Answers: A discussion about cell phones and the stories they can tell.
► Anti-Digital Forensics. Or is it Digital Anti-Forensics?
► Data Security and Confidentiality Issues
► E-mail: The digital Smoking Gun

Contact Information
Scott Greene, SCFE
Evidence Solutions, Inc
866-795-7166
Scott@EvidenceSolutions.com