Presentation is loading. Please wait.

Presentation is loading. Please wait.

Slide Heading Seminar Series: Managing IT Risk In 2010 Understanding End User Attack Vectors Brian Judd, CISSP SynerComm January 20, 2009.

Published byAshlynn Brisker Modified over 9 years ago

Similar presentations

Presentation on theme: "Slide Heading Seminar Series: Managing IT Risk In 2010 Understanding End User Attack Vectors Brian Judd, CISSP SynerComm January 20, 2009."— Presentation transcript:

1 Slide Heading Seminar Series: Managing IT Risk In 2010 Understanding End User Attack Vectors Brian Judd, CISSP SynerComm January 20, 2009

2 Agenda Slide Heading Top 10 Audit Findings Client Side Risk Client Side Exploit- Demonstration Minimizing Client Side Risks Questions

3 Assure IT- Top 10 Audit Findings Top 10 Audit Findings

4 1.Security Awareness 2.Patch Management 3.OS Hardening / Default Configurations / Build Standards 4.Excessive Privileges 5.Weak Authentication 6.Missing Audit Trails 7.Database Security 8.Web Application Security 9.Over-Disclosure of Information 10.Lack of Network Visibility & Management

5 Top 10 Audit Findings- Client Side Risks 1.Security Awareness 2.Patch Management 3.OS Hardening / Default Configurations / Build Standards 4.Excessive Privileges 5.Weak Authentication 6.Missing Audit Trails 7.Database Security 8.Web Application Security 9.Over-Disclosure of Information 10.Lack of Network Visibility & Management Vulnerabilities/Threat Areas Common to Client-Side Risk

6 Assure IT- Client Side Risk Client Side Risk

7 What are Client-side Vulnerabilities? Client-side vulnerabilities include both software weaknesses and end-user security awareness. To exploit a client-side vulnerability, the computer end-user must open an infected file/document or browse to a malicious webpage. –Occasionally, bugs in software such as MS Outlook’s preview feature could execute code with almost no user interaction. Client-side attacks often trick users into violating corporate security policies. –Targeted phishing attacks often spoof email headers and known/trusted source identities. –Policy: Do not open email messages or attachments from unknown sources. –Policy: Do not browse non-business related websites. –Policy: Do not install unapproved software on business machines. Client-side attacks may bypass many technical controls including anti-malware software, firewalls and intrusion prevention systems.

8 Outcomes of Client-side Attacks Like network-based attacks, client-side attacks often result in the compromise of computing systems. It is possible for attackers to execute arbitrary code during exploitation. Because client-software is being attacked, malicious code will execute in the context of the exploited software. –Most client software runs with the same privilege as the user who launched the software. Do your users have local administrator privileges? If so, the attacker’s malicious payload will also run with administrator privileges. –Some client software may run with elevated privileges regardless of the computer user’s privilege. The payload of a client-side attack often opens a command-and-control (C&C) connection back to the attacker. –Or worse, C&C could join a botnet. Any data or system that the compromised end-user has access to, the attacker will also have access to.

9 Common Client-side Vulnerabilities Internet Browsers –Internet Explorer & Firefox Browser Plugins –ActiveX Controls Adobe Flash, Acrobat PDF Viewer, Quicktime, Realplayer Common Applications –Sun Java Runtime Environment (JRE), Adobe Acrobat and Acrobat Reader, VNC, Microsoft Office (Word, Excel, PPT, etc.), Symantec BackupExec, Thunderbird, WinZip, Windows Media Player, McAfee EPO, etc. –Biggest Risks: Adobe Acrobat Reader and Sun JRE Why? Because they are found on most business machines. Critical vulnerabilities are discovered regularly in each of these applications. Sun’s JRE installer does not remove older (vulnerable) versions automatically. Computer End-Users –The security awareness of your users may be your only defense.

10 AssureIT- Client-Side Exploit Demonstration Demonstration

11 AssureIT- Client-Side Vulnerability Mitigation Minimizing Client Side Risks

12 1. Security Awareness Policies –Employees should be trained on policies at time of hire –A policy training/refresher should be given annually Procedures Standards Training –Security awareness training should be given to ALL employees annually Require testing to ensure that key concepts are retained –Security administrators should receive certification and information security training regularly

13 2. Patch Management Operating system patches –Microsoft, Linux, Unix, etc. Legacy Microsoft software may not get patched by Windows Update or WSUS Switches, routers, firewalls, embedded devices Application patches –Common non-Microsoft applications Adobe – Acrobat, Photoshop, etc. Sun Microsystems – Java Runtime Environment (JRE) Web browsers (Opera, Safari, Konqueror, etc.) Commercial off the shelf (COTS) Custom applications –Patch management strategy Weekly, monthly, more?? Patch testing and rollback Out of cycle patches? Zero day?

14 3. Operating System Hardening Default operating system and application installations are very dangerous –Microsoft Windows 2000, XP, Server, etc. all install many unneeded services –Most security controls are disabled or configured for maximum usability –Cisco routers have vulnerable configurations until hardened Remove and/or rename default accounts and set strong passwords –Windows – change “administrator” username and disable “guest” account Consider adopting an operating system standard/benchmark –Sources: Center for Internet Security (CIS) or National Institute of Standards and Technology (NIST) –Use standards to create a “Gold” build

15 4. Excessive Privileges Users have local administrator privileges to their workstations –Especially dangerous for uncontrolled laptops that are used outside of a financial institution’s networks File shares not protected with access controls Employees with access to banking applications and/or GLBA data also have access to email and Internet –Administrators need to ask themselves whether or not all employees should be given access to email and Internet –Is web browsing secured and filtered by a proxy? Firewall egress should be locked down by strict access control lists

16 5. Egress Controls Principal of Least Privilege –Only Email Server or Gateway should be allowed to transmit outbound using SMTP –Dangerous protocols such as HTTP, HTTPS, FTP, SSH, ICMP, DNS, chat, P2P should be tightly restricted or blocked If dangerous protocols are allowed egress to the Internet, the should be monitored ­ Email Gateways ­ Web Proxy ­ URL Filter ­ Intrusion Prevention System ­ SOCKS Proxy Encrypted protocols can be dangerous ­ SSH, HTTPS ­ Botnet C&C over valid HTTP/HTTPS posts and requests

17 Questions?

Download ppt "Slide Heading Seminar Series: Managing IT Risk In 2010 Understanding End User Attack Vectors Brian Judd, CISSP SynerComm January 20, 2009."

Similar presentations

Security Update Server Registration, Active scanning and Windows patching.

Security Update Server Registration, Active scanning and Windows patching.
Desktop Value - Introducing Windows XP Service Pack 2 with Advanced Security Technologies Presenter: James K. Murray Title: Information Technologies Consultant.

Desktop Value - Introducing Windows XP Service Pack 2 with Advanced Security Technologies Presenter: James K. Murray Title: Information Technologies Consultant.
10 Things You Can do to Secure Your PC Presented by Peter Nowak OIS Client Services Manager.

10 Things You Can do to Secure Your PC Presented by Peter Nowak OIS Client Services Manager.
Network Security Attack Analysis. cs490ns - cotter2 Outline Types of Attacks Vulnerabilities Exploited Network Attack Phases Attack Detection Tools.

Network Security Attack Analysis. cs490ns - cotter2 Outline Types of Attacks Vulnerabilities Exploited Network Attack Phases Attack Detection Tools.
By Hiranmayi Pai Neeraj Jain

By Hiranmayi Pai Neeraj Jain
1 Chapter 8 Fundamentals of System Security. 2 Objectives In this chapter, you will: Understand the trade-offs among security, performance, and ease of.

1 Chapter 8 Fundamentals of System Security. 2 Objectives In this chapter, you will: Understand the trade-offs among security, performance, and ease of.
Microsoft Windows XP SP2 Urs P. Küderli Strategic Security Advisor Microsoft Schweiz GmbH.

Microsoft Windows XP SP2 Urs P. Küderli Strategic Security Advisor Microsoft Schweiz GmbH.
Current Security Threats WMO CBS ET-CTS Toulouse, France 26-30 May 2008 Allan Darling, NOAA’s National Weather Service WMO CBS ET-CTS Toulouse, France.

Current Security Threats WMO CBS ET-CTS Toulouse, France May 2008 Allan Darling, NOAA’s National Weather Service WMO CBS ET-CTS Toulouse, France.
Windows 7 Project and Heartbleed Update Sian Shumway Director, IT Customer Service.

Windows 7 Project and Heartbleed Update Sian Shumway Director, IT Customer Service.
Online Banking Fraud Prevention Recommendations and Best Practices This document provides you with fraud prevention best practices that every employee.

Online Banking Fraud Prevention Recommendations and Best Practices This document provides you with fraud prevention best practices that every employee.
System and Network Security Practices COEN 351 E-Commerce Security.

System and Network Security Practices COEN 351 E-Commerce Security.
Defense-in-Depth Against Malicious Software Jeff Alexander IT Pro Evangelist Microsoft Australia

Defense-in-Depth Against Malicious Software Jeff Alexander IT Pro Evangelist Microsoft Australia
Chapter 7 HARDENING SERVERS.

Chapter 7 HARDENING SERVERS.
ITS Offsite Workshop 2002 PolyU IT Security Policy PolyU IT/Computer Systems Security Policy (SSP) By Ken Chung Senior Computing Officer Information Technology.

ITS Offsite Workshop 2002 PolyU IT Security Policy PolyU IT/Computer Systems Security Policy (SSP) By Ken Chung Senior Computing Officer Information Technology.
Firewall 2 * Essential Network Security Book Slides. IT352 | Network Security |Najwa AlGhamdi 1.

Firewall 2 * Essential Network Security Book Slides. IT352 | Network Security |Najwa AlGhamdi 1.
INFORMATION SECURITY UPDATE Al Arboleda Chief Information Security Officer.

INFORMATION SECURITY UPDATE Al Arboleda Chief Information Security Officer.
Hacking Web Server Defiana Arnaldy, M.Si 0818 0296 4763.

Hacking Web Server Defiana Arnaldy, M.Si
Kaspersky Open Space Security: Release 2 World-class security solution for your business.

Kaspersky Open Space Security: Release 2 World-class security solution for your business.
Microsoft October 2004 Security Bulletins Briefing for Senior IT Managers updated October 20, 2004 Marcus H. Sachs, P.E. The SANS Institute October 12,

Microsoft October 2004 Security Bulletins Briefing for Senior IT Managers updated October 20, 2004 Marcus H. Sachs, P.E. The SANS Institute October 12,
Avanade: 10 tips for å sikring av dine SQL Server databaser Bernt Lervik Infrastructure Architect Avanade.

Avanade: 10 tips for å sikring av dine SQL Server databaser Bernt Lervik Infrastructure Architect Avanade.

Similar presentations

Ads by Google