Presentation is loading. Please wait.

Presentation is loading. Please wait.

Slide Heading Seminar Series: Managing IT Risk In 2010 Understanding End User Attack Vectors Brian Judd, CISSP SynerComm January 20, 2009.

Similar presentations


Presentation on theme: "Slide Heading Seminar Series: Managing IT Risk In 2010 Understanding End User Attack Vectors Brian Judd, CISSP SynerComm January 20, 2009."— Presentation transcript:

1 Slide Heading Seminar Series: Managing IT Risk In 2010 Understanding End User Attack Vectors Brian Judd, CISSP SynerComm January 20, 2009

2 Agenda Slide Heading Top 10 Audit Findings Client Side Risk Client Side Exploit- Demonstration Minimizing Client Side Risks Questions

3 Assure IT- Top 10 Audit Findings Top 10 Audit Findings

4 1.Security Awareness 2.Patch Management 3.OS Hardening / Default Configurations / Build Standards 4.Excessive Privileges 5.Weak Authentication 6.Missing Audit Trails 7.Database Security 8.Web Application Security 9.Over-Disclosure of Information 10.Lack of Network Visibility & Management

5 Top 10 Audit Findings- Client Side Risks 1.Security Awareness 2.Patch Management 3.OS Hardening / Default Configurations / Build Standards 4.Excessive Privileges 5.Weak Authentication 6.Missing Audit Trails 7.Database Security 8.Web Application Security 9.Over-Disclosure of Information 10.Lack of Network Visibility & Management Vulnerabilities/Threat Areas Common to Client-Side Risk

6 Assure IT- Client Side Risk Client Side Risk

7 What are Client-side Vulnerabilities? Client-side vulnerabilities include both software weaknesses and end-user security awareness. To exploit a client-side vulnerability, the computer end-user must open an infected file/document or browse to a malicious webpage. –Occasionally, bugs in software such as MS Outlook’s preview feature could execute code with almost no user interaction. Client-side attacks often trick users into violating corporate security policies. –Targeted phishing attacks often spoof headers and known/trusted source identities. –Policy: Do not open messages or attachments from unknown sources. –Policy: Do not browse non-business related websites. –Policy: Do not install unapproved software on business machines. Client-side attacks may bypass many technical controls including anti-malware software, firewalls and intrusion prevention systems.

8 Outcomes of Client-side Attacks Like network-based attacks, client-side attacks often result in the compromise of computing systems. It is possible for attackers to execute arbitrary code during exploitation. Because client-software is being attacked, malicious code will execute in the context of the exploited software. –Most client software runs with the same privilege as the user who launched the software. Do your users have local administrator privileges? If so, the attacker’s malicious payload will also run with administrator privileges. –Some client software may run with elevated privileges regardless of the computer user’s privilege. The payload of a client-side attack often opens a command-and-control (C&C) connection back to the attacker. –Or worse, C&C could join a botnet. Any data or system that the compromised end-user has access to, the attacker will also have access to.

9 Common Client-side Vulnerabilities Internet Browsers –Internet Explorer & Firefox Browser Plugins –ActiveX Controls Adobe Flash, Acrobat PDF Viewer, Quicktime, Realplayer Common Applications –Sun Java Runtime Environment (JRE), Adobe Acrobat and Acrobat Reader, VNC, Microsoft Office (Word, Excel, PPT, etc.), Symantec BackupExec, Thunderbird, WinZip, Windows Media Player, McAfee EPO, etc. –Biggest Risks: Adobe Acrobat Reader and Sun JRE Why? Because they are found on most business machines. Critical vulnerabilities are discovered regularly in each of these applications. Sun’s JRE installer does not remove older (vulnerable) versions automatically. Computer End-Users –The security awareness of your users may be your only defense.

10 AssureIT- Client-Side Exploit Demonstration Demonstration

11 AssureIT- Client-Side Vulnerability Mitigation Minimizing Client Side Risks

12 1. Security Awareness Policies –Employees should be trained on policies at time of hire –A policy training/refresher should be given annually Procedures Standards Training –Security awareness training should be given to ALL employees annually Require testing to ensure that key concepts are retained –Security administrators should receive certification and information security training regularly

13 2. Patch Management Operating system patches –Microsoft, Linux, Unix, etc. Legacy Microsoft software may not get patched by Windows Update or WSUS Switches, routers, firewalls, embedded devices Application patches –Common non-Microsoft applications Adobe – Acrobat, Photoshop, etc. Sun Microsystems – Java Runtime Environment (JRE) Web browsers (Opera, Safari, Konqueror, etc.) Commercial off the shelf (COTS) Custom applications –Patch management strategy Weekly, monthly, more?? Patch testing and rollback Out of cycle patches? Zero day?

14 3. Operating System Hardening Default operating system and application installations are very dangerous –Microsoft Windows 2000, XP, Server, etc. all install many unneeded services –Most security controls are disabled or configured for maximum usability –Cisco routers have vulnerable configurations until hardened Remove and/or rename default accounts and set strong passwords –Windows – change “administrator” username and disable “guest” account Consider adopting an operating system standard/benchmark –Sources: Center for Internet Security (CIS) or National Institute of Standards and Technology (NIST) –Use standards to create a “Gold” build

15 4. Excessive Privileges Users have local administrator privileges to their workstations –Especially dangerous for uncontrolled laptops that are used outside of a financial institution’s networks File shares not protected with access controls Employees with access to banking applications and/or GLBA data also have access to and Internet –Administrators need to ask themselves whether or not all employees should be given access to and Internet –Is web browsing secured and filtered by a proxy? Firewall egress should be locked down by strict access control lists

16 5. Egress Controls Principal of Least Privilege –Only Server or Gateway should be allowed to transmit outbound using SMTP –Dangerous protocols such as HTTP, HTTPS, FTP, SSH, ICMP, DNS, chat, P2P should be tightly restricted or blocked If dangerous protocols are allowed egress to the Internet, the should be monitored ­ Gateways ­ Web Proxy ­ URL Filter ­ Intrusion Prevention System ­ SOCKS Proxy Encrypted protocols can be dangerous ­ SSH, HTTPS ­ Botnet C&C over valid HTTP/HTTPS posts and requests

17 Questions?


Download ppt "Slide Heading Seminar Series: Managing IT Risk In 2010 Understanding End User Attack Vectors Brian Judd, CISSP SynerComm January 20, 2009."

Similar presentations


Ads by Google