
Vulnerabilities and Threats




  1. Vulnerabilities and Threats (Topic 7a, added by Gerald M. Santoro)

  2. Vulnerabilities
     • flaws in systems that allow them to be exploited
     • provide means for attackers to compromise hosts, servers and networks

  3. Vulnerabilities
     • 2 flavors
       • bugs – programming mistakes
         • errors in code that could cause a system to hang, fall into an insecure state, or allow root access
         • incorrect firewall/router/IDS rules
       • flaws – improper design
         • failing to account for all possibilities in design leads to code with vulnerable ‘features’

  4. Vulnerabilities
     • 2-edged sword
       • publishing vulnerabilities and patches is the only way to fix the problem
       • once published, the network of hackers is aware of the vulnerability
     • patch management is a MAJOR security problem!
     • zero-day vulnerability – a new, or unknown, vulnerability

  5. Vulnerabilities
     • ‘Security by Obscurity’
       • attempts to use secrecy to prevent knowledge of vulnerabilities
       • vendors of proprietary code are often accused of this
     • zero-day attack
       • attack takes place during the window before a patch is available for a vulnerability

  6. Between a ‘rock and a hard place’
     • what do you do if you discover a vulnerability in a product and a patch is not available?
       • do you keep it secret until a patch is developed?
         • this leaves customers vulnerable
         • the vendor may not work to fix it since there is no pressure
       • do you publicize it to put pressure on the vendor?
         • knowing that by doing so you have notified all of the hacker community

  7. Between a ‘rock and a hard place’
     • Example 1:
       • in 2009 Microsoft announced a vulnerability in the SMB subsystem that could leave servers vulnerable to a DoS attack
       • there was no patch yet
       • IT managers had two choices
         • disable SMB – meaning some systems would not work
         • wait for the patch and pray there would not be an incident

  8. Between a ‘rock and a hard place’
     • Example 2:
       • in 2008 a Massachusetts district judge ordered MIT students NOT to present information at DefCon regarding a vulnerability in the MTA ‘CharlieTicket’ system
       • the judge said the intent was not to silence the students but to enforce a reasonable period during which a fix could be found
       • the gag order was overturned, but not until after DefCon had concluded
     http://www.informationweek.com/news/security/vulnerabilities/210002185

  9. Vulnerability Management
     • many strategies for managing vulnerabilities
       • vulnerability scanners
       • vulnerability notification
       • vulnerability information online through CERT
       • vulnerability and penetration testing services
     • these go hand-in-hand with adequate patch management

  10. Vulnerability Scanners
     • programs that scan a network, host or application for known vulnerabilities
     • Types
       • port scanner – looks for open ports (nmap)
       • network enumerator – provides information on groups, usernames, shares and services (nmap and Nessus)
       • network vulnerability scanner – looks for vulnerabilities in network resources and servers (Nessus, SAINT)
       • Web application security scanner – looks for vulnerabilities in Web servers and scripts (SAINT, Metasploit Pro)
       • database security scanner – looks for vulnerabilities in the DBMS and SQL code (Safety Lab Shadow)

  11. Vulnerability Notification
     • many vendors will either mail a notification or post to a Web site when a vulnerability has been found and how to patch it
     • services exist that maintain vulnerability lists for multiple products and will provide notification
     • with many of these you provide a list of the software and versions in your organization

  12. Vulnerability Notification
     • examples
       • Vupen Security vulnerability services http://www.vupen.com/english/services/
       • SecureNet Solutions vulnerability notification service http://www.securenetsol.com/am_trial_terms.html
       • Secunia CSI, free for home users http://secunia.com/vulnerability_scanning/personal/

  13. Vulnerability Notification
     • CERT (Computer Emergency Readiness Team) at CMU
       • provides a weekly list of known vulnerabilities
       • the organization's security team matches its inventory of software and versions to this list
     http://www.cert.org/advisories/
     http://www.us-cert.gov/cas/bulletins/
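The matching step described on slides 11 to 13 (your software/version inventory against a weekly vulnerability list) is mechanical enough to script. The following is an added example, not code from the slides or from CERT; the bulletin entries, the inventory and the advisory identifiers (ADV-SAMPLE-…) are constructed sample data. It also handles the two details that trip up naive matchers: version strings must compare numerically (9.9 is older than 10.0) and product names need normalising before they are compared.

```python
"""Match a software/version inventory against a vulnerability bulletin.

Added example (not from the slides). The advisory list and the inventory are
constructed sample data; the advisory identifiers are placeholders, not real CVEs.
"""
import re
from dataclasses import dataclass


def parse_version(text):
    """'10.1.3' -> (10, 1, 3): compare releases numerically, not as strings."""
    return tuple(int(p) for p in re.findall(r"\d+", text))


def version_lt(a, b):
    """True if version a is older than b; '10.1' and '10.1.0' compare equal."""
    va, vb = parse_version(a), parse_version(b)
    width = max(len(va), len(vb))
    va += (0,) * (width - len(va))
    vb += (0,) * (width - len(vb))
    return va < vb


@dataclass(frozen=True)
class Advisory:
    advisory_id: str    # placeholder id, not a real CVE
    product: str
    affected_from: str  # first affected version of this branch (inclusive)
    fixed_in: str       # first version of this branch carrying the fix (exclusive)
    severity: str


@dataclass(frozen=True)
class Asset:
    host: str
    product: str
    version: str


# Constructed sample bulletin. One advisory may cover several product branches,
# which is why ADV-SAMPLE-002 appears twice.
BULLETIN = [
    Advisory("ADV-SAMPLE-001", "acrobat", "10.0.0", "10.1.1", "high"),
    Advisory("ADV-SAMPLE-002", "office", "12.0.0", "12.0.7", "high"),
    Advisory("ADV-SAMPLE-002", "office", "14.0.0", "14.0.6", "high"),
    Advisory("ADV-SAMPLE-003", "chrome", "14.0.0", "14.0.835", "high"),
]

# Constructed sample inventory, in the form a notification service asks you to supply.
INVENTORY = [
    Asset("ws-01", "Acrobat", "10.1.0"),
    Asset("ws-01", "Chrome", "14.0.835"),   # already at the fixed release
    Asset("ws-02", "Acrobat", "10.1.1"),    # already at the fixed release
    Asset("ws-02", "Office", "14.0.5"),
    Asset("srv-01", "Office", "12.0.6"),
]


def is_affected(asset, adv):
    """Product names are normalised; the version must fall in [affected_from, fixed_in)."""
    if asset.product.strip().lower() != adv.product.strip().lower():
        return False
    return (not version_lt(asset.version, adv.affected_from)) and version_lt(asset.version, adv.fixed_in)


def match_inventory(inventory, bulletin):
    """Return sorted (host, product, version, advisory_id) tuples for every vulnerable install."""
    hits = set()
    for asset in inventory:
        for adv in bulletin:
            if is_affected(asset, adv):
                hits.add((asset.host, asset.product, asset.version, adv.advisory_id))
    return sorted(hits)


if __name__ == "__main__":
    for hit in match_inventory(INVENTORY, BULLETIN):
        print("PATCH NEEDED: host=%s product=%s version=%s advisory=%s" % hit)
```

Real bulletins express affected versions in many formats (ranges, service-pack names, "and earlier"), so in practice the `affected_from`/`fixed_in` fields have to be populated by hand or from a structured feed; the matching logic itself stays the same.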

  14. Vulnerability Notification

  15. Vulnerability Notification
     • CERT Vulnerability Summary for 12-Sep-2011
       • listed 48 ‘high’ vulnerabilities
         • 12 in Adobe Acrobat
         • 7 in MS Office
         • 2 in MS Windows
         • 2 in Google Chrome
       • 11 involve buffer overflow
       • 5 involve SQL injection
       • all allow attackers to execute ‘arbitrary code’
       • all have patches available

  16. Vulnerability Notification
     • Example: Vulnerability in Microsoft Office #CVE-2011-1982
       • Microsoft Office 2007 SP2, and 2010 Gold and SP1, does not initialize an unspecified object pointer during the opening of Word documents, which allows remote attackers to execute arbitrary code via a crafted document, aka "Office Uninitialized Object Pointer Vulnerability."
     • CVSS Severity (version 2.0):
       • CVSS v2 Base Score: 9.3 (HIGH)
       • Impact Subscore: 10.0
       • Exploitability Subscore: 8.6
     • US-CERT Tech Alert #TA11-256A
     • Patch available from Microsoft

  17. Vulnerability Notification
     • Example: Vulnerability in Microsoft Office #CVE-2011-1982
     • CVSS Version 2 Metrics:
       • Access Vector: Network exploitable; victim must voluntarily interact with attack mechanism
       • Access Complexity: Medium
       • Authentication: Not required to exploit
       • Impact Type: Allows unauthorized disclosure of information; allows unauthorized modification; allows disruption of service

  18. Vulnerability Notification
     • Example: Vulnerability in Microsoft Office #CVE-2011-1982
     • Common Weakness Enumeration:
       • The product does not validate or incorrectly validates input that can affect the control flow or data flow of a program.
     • Full listing of Common System/Software Weaknesses from CERT
       • http://nvd.nist.gov/cwe.cfm#cwes

  19. Threats – the counterpart to vulnerabilities
     • Threats exploit vulnerabilities
       • vulnerability – you left your car unlocked
       • threat – criminals going through shopping center parking lots looking for unlocked cars
     • Fortinet’s FortiGuard Center Threat Research and Response Center provides threat reports and advisories http://www.fortiguard.com/
     • awareness of the threat landscape can help to prioritize vulnerabilities

  20. Top 3 Application Vulnerabilities
     • 1 – Buffer overflow
       • software may not enforce array bounds
       • can allow buffers (arrays used for I/O) to overflow and overwrite the code area
       • some malware works this way: ‘smashing the stack’
       • mainly aimed at systems that allow code to be executed with privileged rights
       • best addressed in design and programming
       • patches can often fix this in vendor-supplied software
     http://www.windowsecurity.com/articles/Analysis_of_Buffer_Overflow_Attacks.html
     http://www.youtube.com/watch?v=kZZgNnhxA_4 (6 min)

  21. Top 3 Application Vulnerabilities: 1 – Buffer overflow

  22. Top 3 Application Vulnerabilities
     • 2 – Cross-site scripting
       • code is injected into communications from a Web site
       • most ‘drive-by’ malware uses this method
       • often relies on social engineering to get the user to follow a link (banks are especially targeted)
       • Web script writers can validate input and cleanse output
       • script disabling (although not always practical)
       • use of a least-privilege account
     http://www.ibm.com/developerworks/tivoli/library/s-csscript/
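"Validate input and cleanse output" is the developer-side defence named on the slide; the block below shows both halves on one small search-results page. It is an added example, not code from the slides or from the linked IBM article: the template, the allowlist pattern and the sample query are constructed, and `html.escape`/`urllib.parse.quote` from the Python standard library do the output encoding. The point it adds to the slide is that "cleanse output" is context-specific: the same value needs HTML-entity encoding where it lands in element content and percent-encoding where it lands in a URL.

```python
"""Reflected XSS: one page-rendering step shown without and with output escaping.

Added example (not from the slides). The template, the allowlist and the sample
query are constructed for this demo.
"""
import html
import re
from urllib.parse import quote

# A search-results fragment that reflects the user's query in two contexts:
# HTML element content and a URL query parameter inside an href attribute.
TEMPLATE = ('<p>Results for <b>{query}</b></p>'
            '<a href="/search?q={query_url}">Search again</a>')

# Input validation (allowlist): letters, digits, space, dot, underscore, hyphen; 1-64 chars.
QUERY_PATTERN = re.compile(r"[\w .-]{1,64}")


def validate_query(query):
    """True only if the query consists entirely of allowlisted characters."""
    return QUERY_PATTERN.fullmatch(query) is not None


def render_unsafe(query):
    """Vulnerable: user input is pasted into markup unchanged."""
    return TEMPLATE.format(query=query, query_url=query)


def render_safe(query):
    """Hardened: encode each value for the context it lands in."""
    return TEMPLATE.format(
        query=html.escape(query, quote=True),   # &, <, >, ", ' become entities
        query_url=quote(query, safe=""),        # percent-encode for the URL parameter
    )


SCRIPT_ELEMENT = re.compile(r"<\s*script\b", re.IGNORECASE)


def introduces_script(page):
    """Test/log-review check: the template has no <script> element, so one in the
    rendered page means input reached the markup unencoded."""
    return SCRIPT_ELEMENT.search(page) is not None


if __name__ == "__main__":
    sample = "<script>alert(1)</script>"   # the textbook XSS marker, constructed input
    print("valid input? ", validate_query(sample))
    print("unsafe page: ", render_unsafe(sample))
    print("safe page:   ", render_safe(sample))
```

Validation and output encoding are complementary, not alternatives: the allowlist rejects obviously malformed queries early, but real applications must accept names like O'Brien or text with ampersands, and for those only context-correct encoding at output time keeps the data from being read as markup.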

  23. Top 3 Application Vulnerabilities: 2 – Cross-site scripting

  24. Top 3 Application Vulnerabilities
     • 3 – SQL injection
       • commands passed through a Web form to the SQL DBMS
       • can exploit lack of security and gain control of the server
       • solution is to add code to validate input
     http://www.youtube.com/watch?v=jMQ2wdOmMIA (3 min)

  25. Top 3 Application Vulnerabilities: 3 – SQL injection
     • Code uses: "SELECT name FROM users WHERE name='" . param("name") . "' AND passwd='" . param("passwd") . "'";
     • Entering ' OR ''=' as name will always generate a true condition
     • Solution is to check input for special characters before passing the string to the SQL engine
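The slide's query, its injected input and its suggested fix, carried through in runnable form: an added example, not code from the slides. Python's standard-library `sqlite3` stands in for the SQL engine, the `users` table with its single account is constructed sample data, and the function names are chosen for the demo. Alongside the slide's special-character check it also shows the parameterised query, which is the fix practitioners actually rely on.

```python
"""The slide's login query built by string concatenation versus a parameterised query.

Added example (not from the slides). sqlite3 stands in for the SQL engine; the
users table and its single row are constructed sample data.
"""
import sqlite3


def make_db():
    """In-memory database with one constructed account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, passwd TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    conn.commit()
    return conn


def login_unsafe(conn, name, passwd):
    """Vulnerable: the slide's concatenation. Quote characters in the input become SQL syntax."""
    sql = ("SELECT name FROM users WHERE name='" + name +
           "' AND passwd='" + passwd + "'")
    return conn.execute(sql).fetchone()      # a row back means "login accepted"


def has_sql_special_chars(value):
    """The slide's suggested check: reject input carrying quote or comment characters."""
    return any(token in value for token in ("'", '"', ";", "--", "/*"))


def login_checked(conn, name, passwd):
    """The concatenated query guarded by the slide's special-character check."""
    if has_sql_special_chars(name) or has_sql_special_chars(passwd):
        raise ValueError("input rejected: SQL special characters present")
    return login_unsafe(conn, name, passwd)


def login_safe(conn, name, passwd):
    """Hardened: placeholders. The driver passes the values separately from the SQL
    text, so a quote in the input is just data and never changes the query's structure."""
    sql = "SELECT name FROM users WHERE name=? AND passwd=?"
    return conn.execute(sql, (name, passwd)).fetchone()


PAYLOAD = "' OR ''='"   # the input quoted on the slide, constructed here for the demo


if __name__ == "__main__":
    db = make_db()
    # In the password field the injected OR is the last predicate, so it defeats the
    # whole WHERE clause (AND binds tighter than OR): the unsafe login accepts it
    # without the password, the parameterised one does not.
    print("unsafe :", login_unsafe(db, "alice", PAYLOAD))          # ('alice',)
    print("safe   :", login_safe(db, "alice", PAYLOAD))            # None
    print("safe   :", login_safe(db, "alice", "correct horse"))    # ('alice',)
```

The character check stops this particular input, but it is a blocklist: it also rejects legitimate names such as O'Brien, and it has to anticipate every encoding and dialect trick. Parameterised queries remove the problem at its root, because the SQL text is fixed before any user data is attached; the validation from the slide is still worth keeping as a first filter and as a signal worth logging.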

  26. Vulnerability Management
     • Gartner defines 6 steps for vulnerability management
       • Define policy
       • Baseline the environment
       • Prioritize vulnerabilities
       • Mitigate vulnerabilities
       • Maintain and monitor

  27. Patch Management
     • requires a coordinated effort
       • knowing which patches are available
       • testing patches
       • scheduling patch installation
     http://www.patchmanagement.org/pmessentials.asp
     • however – many systems remain unpatched
       • some applications (such as Firefox) push patches
       • others (such as Adobe) allow users to decide

  28. Patch Management
     • although recognized as a major security problem, patch management is seen as a burden by traditional IT management
       • it sucks up resources
       • it adds nothing to the bottom line
     http://www.computerworld.com.au/article/44872/patch_management_burdens_customers/?fp=16&fpid=0

  29. Summary
     • vulnerability management is mainly an issue of sloppy software/system development and sloppy management of IT
     • IT budgets need to reflect the proper maintenance of systems
     • IT development budgets need to provide for security as part of the system development life cycle
     • security staff can help with penetration and vulnerability testing, prioritization, policy development, auditing, etc.
