Common System Exploits Tom Chothia Computer Security, Lecture 19


Page 1: Common System Exploits - cs.bham.ac.uk

Common System Exploits

Tom Chothia Computer Security, Lecture 19

Page 2

Common Attacks and Defense

•  Common attacks on networks.

•  Common defenses.

•  Cyber Security Policy

– PCI-DSS

– ISO 27001

Page 3

A Typical Business Network

(Diagram: Wi-Fi, WebServer, E-mail Server, DataBase, SSH/RDP, Web Proxy, Comp1, Comp2, … behind a NAT gateway.)

Page 4

Some Common Attack Vectors

•  Attacks on Web Page

•  Attacks from incoming e-mail

•  Attacks on all servers

•  Local attacks via wi-fi

•  Insider attacks.

Page 5

Check for default/common logins

•  Are any services using the default passwords?

•  e.g. ssh is used for remote login (port 22)

•  Default password for jailbroken iPhones was “alpine” (big attack on iPhones 3 years ago).

Page 6

Known Memory Exploits

•  Memory-based attacks on services.

– E.g. using Metasploit

•  New, unknown exploits (“zero days”) are very rare!

•  You are much more likely to be attacked via a known exploit than a new one.

Page 7

Phishing Sites

•  Phishers set up fake look-alike sites.

•  Send spam asking users to connect.

•  Redirection by other malware.

•  http://www.phishtank.com

Page 8

Viruses & Worms

•  A virus is a self-replicating program that requires interaction to spread, e.g.

– autorun.inf on a USB stick.

– opening a malware PDF.

•  Worms are self-replicating programs that can spread on their own. E.g.

– Morris Worm, SQL Slammer, Conficker

•  The term “virus” is often misused.

Page 9

Virus: Pentagon Attack

•  Joel Brenner (ex-NSA) alleges that the Pentagon was attacked via USB drives left in the car park.

•  Employees found them, took them inside and plugged them in.

•  autorun.inf ran malware.

•  Pentagon superglued up all the USB ports. (USB drives banned until 2011)

Page 10

Trojans

•  Trojans are malware that need a user to download and run them.

•  Often malware pretends to be keygens or anti-virus.

•  Most attacks against Apple have been Trojans.

Page 11

Page 12

Web Attacks Against the Server

•  SQL-injection: the most common!

•  Many other kinds of injection: PHP, shell, …

•  Usually leads to data leakage from the database, DoS, or a defaced website.

Page 13

Web Attacks Against the Client

•  Drive-by-downloads are one of the biggest sources of malware.

•  Viewing a page with a vulnerable browser and OS will get you infected.

•  Often JavaScript based, via XSS.

•  Can give the attacker complete control of your computer.

Page 14

Insider Attacks

•  Businesses need to consider attacks from their employees.

– E.g. Terry Childs, sys. admin. for the city of San Francisco, refused to give supervisors the system passwords, saying they were "unqualified". City locked out for 12 days.

– Bradley Manning, Wikileaks.

•  Separation of powers, background checks, keep staff happy, fire them quickly,…

Page 15

Defenses: Firewalls

•  Firewalls block Internet traffic.

•  May be on the computer (host) or built into a router (network).

•  Firewalls can be stateless or stateful.

•  Stateless firewalls could e.g. block all traffic not on port 80.

Page 16

Defenses: Firewalls

•  Stateful firewalls record the traffic and use it to make future decisions.

•  E.g. block incoming connections but allow outgoing connections.

•  Can’t firewall services used by the outside world.
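The stateless and stateful rules from these two slides, as an added Python model that is not part of the lecture: the stateless rule only looks at ports, so a fresh inbound connection that picks 80 as its source port slips through, while the stateful filter keeps a connection table and passes inbound packets only when an inside host opened the connection. Packet fields and the IP addresses (documentation ranges) are constructed for the example.

```python
from dataclasses import dataclass

# Constructed packet model for the example: one TCP segment seen by the firewall.
@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn_only: bool   # True for a connection-opening SYN (no ACK)
    inbound: bool    # True if it arrives from the Internet side

def stateless_allow(pkt: Packet) -> bool:
    """Stateless rule from the slide: pass any packet involving port 80, in either
    direction. It has no memory, so it cannot tell a web reply from a new inbound
    connection that merely uses 80 as its source port."""
    return pkt.dport == 80 or pkt.sport == 80

class StatefulFirewall:
    """Stateful policy from the slide: allow outgoing connections, block incoming ones.
    Outbound SYNs are recorded in a connection table; inbound packets pass only if
    they belong to a connection that an inside host opened."""

    def __init__(self) -> None:
        self.table: set[tuple[str, int, str, int]] = set()  # (in_ip, in_port, out_ip, out_port)

    def allow(self, pkt: Packet) -> bool:
        if not pkt.inbound:
            if pkt.syn_only:
                self.table.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        # Inbound: look up the reverse tuple; a fresh inbound SYN is never in the table.
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.table

def demo() -> dict:
    """Run a constructed exchange through both filters and return the decisions."""
    fw = StatefulFirewall()
    # Inside host 10.0.0.5 opens a web connection to 203.0.113.10.
    out_syn = Packet("10.0.0.5", 40000, "203.0.113.10", 80, syn_only=True, inbound=False)
    reply = Packet("203.0.113.10", 80, "10.0.0.5", 40000, syn_only=False, inbound=True)
    # An unrelated outside host tries to open a connection to the inside host's SSH
    # port, using 80 as its source port.
    probe = Packet("198.51.100.7", 80, "10.0.0.5", 22, syn_only=True, inbound=True)
    return {
        "stateful_out_syn": fw.allow(out_syn),
        "stateful_reply": fw.allow(reply),
        "stateful_probe": fw.allow(probe),
        "stateless_reply": stateless_allow(reply),
        "stateless_probe": stateless_allow(probe),
    }
```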

Page 17

A Typical Firewall Policy

(Diagram: Wi-Fi, WebServer, E-mail Server, DataBase, Comp1, Comp2, Credit Card Processing, a DMZ, and a NAT Proxy.)

Page 18

Defenses: Fast Patches

•  Most important of all:

•  Make sure all security patches are installed immediately.

•  There is almost always a patch to stop any well known exploit.

Page 19

Defenses: Anti-Virus

•  Anti-Virus products scan the computer for known malware.

•  Can also scan e-mail and network traffic.

•  Only as good as the last update.

•  Can be disabled by an attacker with admin access.

Page 20

Defenses: Intrusion Detection Systems

•  Good system administrators will monitor their network.

•  IDSs look at all packets (like wireshark) and report suspicious behavior.

•  Can catch nmap and metasploit.

•  E.g. Snort: www.snort.org
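The kind of check an IDS runs over the packets it sees, as an added Python example (not the lecture's and not Snort's code): one source touching many distinct ports on one host within a short window is the signature of a port scan, which is why such systems catch nmap-style probing. The log format and its lines are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime
import re

# Constructed SYN log as a packet-level sensor might record it (not from the lecture).
SAMPLE_LOG = """\
2024-01-01T10:00:01 SRC=203.0.113.9 DST=10.0.0.5 DPT=21
2024-01-01T10:00:01 SRC=203.0.113.9 DST=10.0.0.5 DPT=22
2024-01-01T10:00:02 SRC=203.0.113.9 DST=10.0.0.5 DPT=23
2024-01-01T10:00:02 SRC=203.0.113.9 DST=10.0.0.5 DPT=25
2024-01-01T10:00:03 SRC=203.0.113.9 DST=10.0.0.5 DPT=80
2024-01-01T10:00:03 SRC=203.0.113.9 DST=10.0.0.5 DPT=443
2024-01-01T10:00:04 SRC=198.51.100.7 DST=10.0.0.5 DPT=80
2024-01-01T10:00:05 SRC=198.51.100.7 DST=10.0.0.5 DPT=80
2024-01-01T10:00:06 SRC=198.51.100.7 DST=10.0.0.5 DPT=443
"""
LINE = re.compile(r"^(\S+) SRC=(\S+) DST=(\S+) DPT=(\d+)$")

def parse(log_text):
    """Yield (timestamp, src, dst, port) for each well-formed line; other lines are skipped."""
    for line in log_text.splitlines():
        m = LINE.match(line)
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), int(m.group(4))

def detect_port_scans(log_text, min_ports=5, window_s=10):
    """Flag any source that probes at least min_ports distinct ports on one host
    within window_s seconds. Returns {(src, dst): sorted ports seen at first alert}."""
    events = defaultdict(list)
    for ts, src, dst, port in parse(log_text):
        events[(src, dst)].append((ts, port))
    alerts = {}
    for key, evs in events.items():
        evs.sort()
        for i, (ts, _) in enumerate(evs):
            recent = {p for t, p in evs[: i + 1] if (ts - t).total_seconds() <= window_s}
            if len(recent) >= min_ports:
                alerts[key] = sorted(recent)
                break  # one alert per (src, dst) pair is enough
    return alerts
```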

Page 21

Top Defenses:

1.  Apply patches
2.  Firewall
3.  Anti-Virus
4.  Intrusion Detection Systems
5.  Check file hashes
6.  Good password and user policies

The first 2 should be fine for Linux or Mac, the first 3 for Windows. All 6 if you are a sys. admin.

Page 22

Computer Security Policy

•  NIST defines “Policy” as documentation of computer security decisions.

•  It’s all about the documentation.

•  Usually: needs of the business come first, the security comes second.

•  See example policies: http://www.sans.org/security-resources/policies/computer.php

Page 23

It’s all about the documentation

Page 24

Payment Card Industry Data Security Standard (PCI-DSS)

•  All organisations that handle credit card data should comply with the PCI-DSS standard.

•  Card payments could be refused for a non-compliant organisation.

– In practice, most of the time, a non-compliant organisation will only get into trouble if there is a problem or an audit.

Page 25

A Typical Business Network

(Diagram: Wi-Fi, WebServer, E-mail Server, DataBase, Comp1, Comp2, Credit Card Processing in a DMZ, a Payment Gateway e.g. Authorize.net, and a NAT Proxy.)

Page 26

Information Security Management System

•  An ISMS must be continually monitored.

– Reports of new faults, IDS monitoring, patch policy.

•  If an organisation’s activities shift, the ISMS will need an update.

•  Maybe the first ISMS missed something. It needs to be regularly reviewed.

Page 27

ISO 27001

•  ISO 27001 is the international standard on how to do an ISMS.

•  It provides a guide for what companies need to do.

•  It can be audited, so an organisation can prove to others that it has an ISMS.

Page 28

Getting ISOs

You have to pay for copies of ISO standards … but you can get them for free via the University.

Go to the Library webpage: www.elibrary.bham.ac.uk -> Log in -> Find Resources -> Find by Type -> Standards and Patents, then GO -> British Standards Online -> Search for ISO 27001

Page 29

Page 30

Taken from ISO 27001

Page 31

Establish the ISMS

Define the organisation, e.g.

•  What it does.

•  The scope of the ISMS.

– What’s in it and what’s not.

•  Assets

Page 32

Identify the risks

•  Identify the assets within the scope of the ISMS & their owners.

•  Identify the threats to each of those assets.

•  Identify the vulnerabilities that might be exploited.

•  Identify the impact of loss of each asset.

– Is it confidentiality, integrity and/or availability?

Page 33

Example: Purchase history

If purchase history is an asset, we can consider the threats to it:

– Lost, Corrupted, Out of date, Stolen

And the possible vulnerabilities:

– Bugs in the records system, SQL injection vulnerabilities, faulty access control, malicious/incompetent staff, fire, flood etc.

Page 34

Impact:

Estimate the impact of the threats. Very hard to know when this is correct; important to continually review this.

Impact score (1 to 10) by threat and by how much of the data is affected:

                 Lost   Corrupted   Out of date   Stolen
Single record    2      3           1             5
Less than 50%    4      5           2             6
50%-100%         5      6           4             6

Page 35

Likelihood

On a scale of 1 to 10, how likely are the vulnerabilities to be exploited? E.g. for data corruption:

Bugs   SQL   Hackers   Insider   Fire   Flood
2      3     4         5         4      1

Other good measures include:

– Probability

– Events per year

Based on history and good guess work.

Page 36

Risk

•  Risk depends on the likelihood and the impact.

•  This depends on the risk assessment methodology.

•  For levels of 1 to 10 we can say that:

Risk = Impact x Likelihood

•  Another good option is expected cost per year.

Page 37

Risks

For a large amount of customer data (Risk = Impact x Likelihood):

               Out of date   Lost   Corrupted   Stolen
Flood          -             5      -           -
Bugs           16            10     12          -
SQL injection  12            15     18          18
Hackers        10            16     16          24
Fire           -             20     -           -
Insiders       20            25     30          30
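The Impact, Likelihood and Risk slides carried through in code, as an added Python example that is not from the lecture: it takes the slide's impact row for 50%-100% of the data and the data-corruption likelihoods, computes Risk = Impact x Likelihood for each pair that applies, ranks the pairs, and maps each score to one of the four treatments from the next slide. Which threats apply to which vulnerability is read off the dashes in the slide's risk table, and the treatment thresholds are assumptions; the slide's table was filled in by hand with likelihoods that vary per threat, so a few of its cells (e.g. Hackers) differ from this single-likelihood product.

```python
# Impact scores (1-10) from the slide's "50%-100%" row, i.e. a large amount of customer data.
IMPACT = {"Lost": 5, "Corrupted": 6, "Out of date": 4, "Stolen": 6}

# Likelihood (1-10) of each vulnerability being exploited, from the slide's data-corruption example.
LIKELIHOOD = {"Bugs": 2, "SQL injection": 3, "Hackers": 4, "Insiders": 5, "Fire": 4, "Flood": 1}

# Assumption: which threats each vulnerability can realise (the dashes in the slide's risk table).
APPLIES = {
    "Bugs": {"Lost", "Corrupted", "Out of date"},
    "SQL injection": {"Lost", "Corrupted", "Out of date", "Stolen"},
    "Hackers": {"Lost", "Corrupted", "Out of date", "Stolen"},
    "Insiders": {"Lost", "Corrupted", "Out of date", "Stolen"},
    "Fire": {"Lost"},
    "Flood": {"Lost"},
}

def risk_matrix(impact, likelihood, applies):
    """Risk = Impact x Likelihood for every (vulnerability, threat) pair that applies."""
    return {
        vuln: {threat: impact[threat] * likelihood[vuln]
               for threat in impact if threat in applies[vuln]}
        for vuln in likelihood
    }

def ranked_risks(matrix):
    """Flatten the matrix and sort highest risk first (ties keep table order)."""
    rows = [(v, t, r) for v, threats in matrix.items() for t, r in threats.items()]
    return sorted(rows, key=lambda row: -row[2])

def treatment(risk, accept_below=5, avoid_from=25):
    """Map a risk score to one of the slide's treatments (thresholds are assumptions)."""
    if risk < accept_below:
        return "accept"
    if risk >= avoid_from:
        return "avoid or transfer"
    return "mitigate"

def treatment_plan(matrix):
    """Highest risks first, each with its suggested treatment."""
    return [(v, t, r, treatment(r)) for v, t, r in ranked_risks(matrix)]
```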

Page 38

Treating the Risk:

•  Avoid it: take steps to stop it happening.

•  Mitigate it: take steps to make the impact less serious.

•  Transfer it: make someone else responsible.

•  Accept it: decide to live with it.

Page 39

For example

•  Loss of data: avoid by not collecting the data.

•  Stolen data: mitigate this by encrypting stored data.

•  Data destroyed by fire: transfer it using fire insurance.

•  Main and backup disks fail at the same time: accept, probability of this = 0.0000001%.

Page 40

Final Steps:

•  Specify the controls: i.e., mitigation and avoidance techniques.

•  Obtain management approval of accepted risks and the overall ISMS.

•  Prepare a statement of applicability, i.e. overview of ISMS.

Page 41

Assurance

ISO certifications give some assurance to other organisations that your organisation is secure.

Page 42

Common Attacks and Defense

•  Common attacks on networks.

•  Common defenses.

•  Cyber Security Policy

– PCI-DSS

– ISO 27001