
Security Threat Update - The Newest Threats and How to Protect Against Them Faculty: Scott Greene of Evidence Solutions, Inc.



Presentation transcript:

1 Security Threat Update - The Newest Threats and How to Protect Against Them. Faculty: Scott Greene of Evidence Solutions, Inc. Scott@EvidenceSolutions.com www.EvidenceSolutions.com

2 ► If builders built houses the way programmers built programs, the first woodpecker to come along would destroy civilization.  - Gerald Weinberg

3 Protect the Information Provide Access

4 Top-10 threat lists compared. The slide names four sources (Securities Technology, ASIM86, Daily Finance, SANS) but carries five columns of entries; the fifth column's source was not captured in the transcript.

| Rank | Securities Technology | ASIM86 | Daily Finance | SANS | (source not captured) |
| 1 | Mobile Devices | Default or Weak Passwords | Targeted Attacks | Mobile Threats | Targeted Malware |
| 2 | C-Level Targets | SQL Injection | Social Media Scams | Embedded Hardware | Lack of Incident Response |
| 3 | Social Media Cyber Threats | Excessive Privileges | Mobile Malware | Virtual Currency | IPv6 |
| 4 | You Are Infected | Too Many DBMS Features On | Third Party Exploits | OS Advances Steer Hackers | ARM (Mobile) Hacking |
| 5 | Physical Can Be Digital | Broken Configuration Management | Exploit Kits & Malware | URL Hijacking | Social Engineering |
| 6 | Cloud Computing | Buffer Overflows | Compromised Websites | Rogue Certs | Social Media |
| 7 | Breaches Will Be Shared | Privilege Escalation | Botnets | Cyber War | Compliance |
| 8 | Zero Day Threats Will Increase | Denial of Service | Malware Spam | Hacktivism | Monitoring |
| 9 | Insiders | Unpatched DBMS | Sporting Event Scams | Legalized Spam | Wireless Security |
| 10 | Greater Regulation | Unencrypted Data | Cloud Service Attacks | Industrial Attacks | Cloud Computing |

5 Threats
► March 30, 2012: Utah Department of Health
► Records leak
► 780,000 personal health records exposed
► Cause: weak password on server


7 Spam & Attack Mitigation

8 ► Log unsuccessful email attempts, both incoming and outgoing. Spear phishers often have to guess the organization's address format (e.g. firstname.lastname@xyz.com, lastname@xyz.com, FLastname@xyz.com, etc.), so the mail server will most likely reject the mis-formatted addresses, and those rejections are the evidence.

9 Spam & Attack Mitigation ► This is likely the first sign your organization may be targeted. ► By reviewing logs shortly after trigger events, it is possible to learn whether attempts are being made and thus new rule sets can be created to block the sender and alert the individual they are being targeted.

10 Spam & Attack Mitigation ► If it is determined there is an attack against an individual or group occurring, notify the individual or group.
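The three slides above describe a detection: rejected deliveries to several guessed variants of one person's address, all from one sender, are the first sign of targeting. The script below is an added example (not part of the presentation) that implements that check over constructed mail-server reject lines. The line layout is an assumption loosely modelled on an MTA's "550 User unknown" rejects; the addresses and IPs are made up.

```python
"""Spot spear-phishers guessing an organisation's address format from mail-server rejects.

Added example for the logging advice above; it is not from the presentation. The
reject-line layout is an assumption loosely modelled on MTA 'User unknown' rejects,
and the lines themselves are constructed, not real traffic.
"""
import re
from collections import defaultdict

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
May 15 08:01:12 mx1 smtpd: reject: RCPT from unknown[203.0.113.7]: 550 <jane.doe@example.com>: User unknown; from=<news@mail-offer.example>
May 15 08:01:14 mx1 smtpd: reject: RCPT from unknown[203.0.113.7]: 550 <jdoe@example.com>: User unknown; from=<news@mail-offer.example>
May 15 08:01:15 mx1 smtpd: reject: RCPT from unknown[203.0.113.7]: 550 <doe@example.com>: User unknown; from=<news@mail-offer.example>
May 15 08:01:17 mx1 smtpd: reject: RCPT from unknown[203.0.113.7]: 550 <doej@example.com>: User unknown; from=<news@mail-offer.example>
May 15 09:30:02 mx1 smtpd: reject: RCPT from mail.partner.example[198.51.100.9]: 550 <sales@example.com>: User unknown; from=<bob@partner.example>
"""

REJECT_RE = re.compile(
    r"RCPT from \S+\[(?P<ip>[\d.]+)\]: 550 <(?P<rcpt>[^>]+)>: User unknown; from=<(?P<sender>[^>]+)>"
)


def parse_rejects(log_text):
    """Return (client_ip, sender, recipient) for each '550 User unknown' reject."""
    events = []
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if m:
            events.append((m.group("ip"), m.group("sender").lower(), m.group("rcpt").lower()))
    return events


def common_fragment(parts, min_len=3):
    """Longest substring of at least min_len chars shared by every string in parts, else None."""
    shortest = min(parts, key=len)
    for length in range(len(shortest), min_len - 1, -1):
        for start in range(len(shortest) - length + 1):
            frag = shortest[start:start + length]
            if all(frag in p for p in parts):
                return frag
    return None


def find_address_probes(events, threshold=3):
    """One sender hitting several unknown local parts that share a name fragment is the
    'guessing the mail format' pattern; report it together with the likely target name."""
    by_source = defaultdict(set)
    for ip, sender, rcpt in events:
        by_source[(ip, sender)].add(rcpt)
    alerts = []
    for (ip, sender), rcpts in by_source.items():
        if len(rcpts) < threshold:
            continue
        local_parts = [r.split("@", 1)[0] for r in rcpts]
        target = common_fragment(local_parts)
        if target:
            alerts.append({"ip": ip, "sender": sender,
                           "recipients": sorted(rcpts), "likely_target": target})
    return alerts


if __name__ == "__main__":
    for alert in find_address_probes(parse_rejects(SAMPLE_LOG)):
        print(f"possible targeting of '{alert['likely_target']}' by {alert['sender']} "
              f"from {alert['ip']}: {', '.join(alert['recipients'])}")
```

The single legitimate typo from the partner domain stays below the threshold; the four guesses that all contain "doe" trip it, which is the point at which the slides say to block the sender and warn the person being targeted.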

11 Spam Mitigation


13 ► http://www.spamhaus.org/statistics/networks/


15 Mobile Devices ► Including, but not limited to:  Cellular phones  Smartphones  Tablets  Laptops

16 Mobile Device Dangers


20 ► What happens when a smartphone is lost: Symantec did a study where they "lost" 50 cell phones in 5 cities.
► 72% of people tried to access photos
► 57% tried to open a file named "Saved Passwords"
► 43% tried to open an app named "Online Banking"
► Only 50% of the finders attempted to reunite the phone with its owner.

21 Mobile Device Dangers ► There is a dramatic increase in malware designed to attack mobile devices that run Android. ► The total number of identified threats to Android devices more than quadrupled in the first quarter of 2012, reaching 8,000. ► Part of that increase, however, came from improved detection.

22 Mobile Phone Dangers ► Most mobile malware aimed at Android did not come from apps offered through the Google Play app marketplace.

23 Smart Phone Management ► Mobile Device Management (MDM)  This product line secures, monitors, manages and supports mobile devices deployed across mobile operators, service providers and enterprises.  MDM typically includes over-the-air distribution of applications, data and configuration settings for all types of mobile devices: mobile phones, smartphones, tablets, etc.

24 Smart Phone Management ► This applies to both company-owned and employee-owned (BYOD) devices across the enterprise, or mobile devices owned by consumers.

25 Smart Phone Management ► MDM abilities include: Inventory; Updates; Diagnostics; Backup & Restore; Asset Tracking; Password Enforcement; Encryption; Remote Control / Management; Remote Lock; Remote Wiping; Software Installation; Locating and Breadcrumbing; Software Whitelist / Blacklist; Corporate Data Tracking

26 Smart Phone Management ► Issues:  User Consent / Policy ► General Policy ► Eligibility ► Acceptable Use ► Financial Responsibility ► Program Management ► Equipment

27 Smart Phone Management ► Acceptable use:  While driving a motor vehicle  Personal Use  Use in Accordance with COMPANY Code of Conduct

28 Smart Phone Management ► Issues:  Sandboxing of corporate data ► Makes employees feel good  Rooting ( some systems try to detect it )

29 Solutions ► Microsoft Exchange ActiveSync (EAS) ► Websense ► BlackBerry Enterprise Server


31 Instant Messaging (IM) ► Text ► Webcams ► Voice ► Files

32 Instant Messaging (IM)
► Vulnerabilities
  • Sending / receiving sensitive data
  • Viruses aimed at IM (Choke virus)
    ► Antivirus tools at the gateway do not detect IM traffic and therefore will not see viruses that are received by users.
  • Hackers have used IM networks to deliver:
    ► Phishing attempts
    ► Poison URLs
    ► Virus-laden files
  • These deliveries are done by:
    ► Sending files that users execute (could be viruses, trojans or spyware)
    ► The use of "socially engineered" text and web addresses that entice the recipient to open a URL that then downloads malicious code.

33 Instant Messaging (IM)
► The IM Security Center, a collaboration between security companies and corporations, has tracked attacks over IM since 2003 and shows well over 1000 distinct attacks over the public IM networks.
► Since 2007 there has been a steady increase in IM attacks.
► While still small in number, IM attacks continue to grow with the increased usage of IM.
► Coupled with the adoption of IM in the workplace, this makes IM an attractive vector for hackers.
► Individuals and companies must take precautions to avoid infection.

34 Peer to Peer Networks (P2P) ► Peer to peer:  Local shared network resources ► Location specific  Wide area peer to peer networking software ► Anywhere in the world

35 Peer to Peer Networks (P2P) ► Many peer-to-peer networks are under constant attack in a variety of ways: • Poisoning attacks by supplying files with enticing names. • Man-in-the-Middle (the attacker intercepts files by inserting themselves into the communication between two different users; attackers can go on to change the information or simply pass it on untouched, and this is all done undetected).

36 Peer to Peer Networks (P2P)  Polluting attacks by inserting "bad" chunks/packets into a valid file on the network ( sometimes done by man in the middle )  Defection attacks (attaching to networks where security is lax)  Malware in the peer-to-peer network software itself. The software is distributed containing spyware or trojans  Denial of service attacks

37 Peer to Peer Networks (P2P)  Identity attacks ( tracking down the users of the network and harassing or legally attacking them)  Spamming (sending unsolicited information across the network--not necessarily as a denial of service attack and not necessarily e-mail)  Sybil attacks (one malicious identity that can be presented as multiple identities allowing the attacker to control a whole portion of the network)

38 Peer to Peer Networks (P2P) ► Personal information is at risk because users expose certain files by putting them in shared document folders. ► These documents are at risk due to misplaced files, confusing interface design, incentives to share a large number of files, general laziness on the part of the user, wizards designed to determine media folders, and poor organization habits.

39 Peer to Peer Networks (P2P) ► Future risks: • Second-generation peer-to-peer file sharing software now has the ability to search indexes using file names and information associated with the files. This makes it easy to search for "Bank Account" information. • These can also search using regular expressions: ► 1=\


41 RSA InsecureIDs & Lockheed ► Lockheed said:  “our systems remain secure”  No customer data was compromised  No Employee personal data has been compromised.  No such assurance was given for ► proprietary data ► military systems data

42 RSA InsecureIDs ► As reported by The Christian Science Monitor, a DOD document states: "Any computer-based attack by an adversary nation that damages US critical infrastructure or US military readiness could be an 'act of war,' according to new Defense Department cyberwarfare policies that have yet to be officially unveiled."

43 RSA InsecureIDs ► Going back to just passwords, but making them strong ones and authenticating the endpoint  Making sure that the machine being signed in from by a user is the normal machine used by the user.

44 Google Hack ► Google announced that hackers have gone after specifically targeted U.S. government officials and military personnel Gmail users. ► Why would government leaders use Gmail in the first place? U.S. government officials, after all, have access to official government email systems that have layer after layer of security. ► So how does Gmail, Google's cloud-based email service, come into play?

45 Google Vulnerabilities ► Eight vulnerabilities in Google services were revealed during the Hack in the Box conference in Amsterdam on Thursday 5/24/2012 ► That same group claims to have discovered more than 100 such bugs over the past few months.

46 Bot Nets
► "Bots" are a type of malware that allows an attacker to take control over an affected computer.
► Also known as "web robots", bots are usually part of a network of infected machines linked by the internet.
► These victim machines make up a "bot net" that stretches across the globe.

47 Bot Nets
► Since bot-infected computers follow their master's orders, they are generally referred to as "zombies".
► Cybercriminals that control these bots are called bot-herders or bot-masters.
► It is hard to detect bots on your network until they leap into action.

48 Bot Nets
► Bot nets might have a few hundred or a couple thousand computers, but others have tens and even hundreds of thousands of zombies at their disposal.
► Conficker / Downadup worm

49 Bot Nets ► "Botnets are one of the greatest facilitators of cybercrime these days. Really the cybercrime arena is wrapped around botnets."  --Wendi Whitmore, special agent, Air Force Office of Special Investigations

50 In October 2006, a foreign hacker broke into a system at a water-filtration plant in Harrisburg, Pa., after an employee's laptop computer was compromised via the Internet and then used as an entry point to install malware on the plant's computer


52 BYOD Policy ► Allowing employees to use their personal mobile devices for work-related tasks provides advantages:  less laptop lugging  easier connectivity  potentially better interfaces

53 BYOD Policy ► It can also help an organization financially when the organization doesn’t have to pay for:  Smartphones  Tablets  Data plans

54 BYOD Policy ► The risks of BYOD  including security vulnerabilities  support costs  liability issues

55 BYOD Policy ► Organization that allow employees to bring devices to work should have a well-defined BYOD policy and mechanisms to enforce it.

56 BYOD Policy ► Defining a BYOD policy:  1) define the scope of control the business expects to maintain over employee-owned devices.

57 BYOD Policy ► 2) Acceptable use  corporate IT resources on mobile devices  Require VPN access  minimal security controls on the device  the need for company-provided components ► Secure Sockets Layer (SSL) certificates for authentication  rights of the organization to alter the device (e.g., to remotely wipe a lost or stolen device).

58 BYOD Policy ► 2) acceptable use  Encryption of data  Prohibit storage of business data  Prohibit storage of passwords  etc


60 Unauthorized Hardware ► Hackers are constantly looking for targets: unprotected systems that are attached to networks. ► Do you know what's on your network? • Users add things to networks all the time. • Inventory often. • Control what is attached. • Do not hook up a system until it is configured.

61 Unauthorized Hardware ► Solutions  Maintain accurate inventory of physical systems as they relate to your Asset Inventory ► Include:  IP Address  Mac Address  Device Name  Purpose  Owner / Manager responsible

62 Unauthorized Hardware ► Solutions  Use and test Network Inventory software and / or hardware  Test the operation often with a known rogue machine  Test the delay before the machines are quarantined and users confronted.

63 Unauthorized Hardware ► Solutions  When alerts are received treat them as important  Safeguard the accurate database created by the software.  Compare the software database with the physical asset list.  Implement configuration management systems to ensure that all systems are safely patched.

64 Unauthorized Software ► Hackers & Bots are looking for software to compromise as well. ► Do you know what is on your user’s machines?  Have and manage to a White List of accepted software  Document all exceptions

65 Unauthorized Software ► Solutions  Maintain accurate inventory of acceptable software ► Include:  Manufacturer  Version If an exception:  Device Name  Purpose  Owner / Manager responsible

66 Unauthorized Software ► Solutions:  Install software inventory & Management tools ► Requirements should be:  For Operating Systems ► Version ► Patches installed  For Applications ► Type ► Manufacturer ► Version ► Patch Level

67 Unauthorized Software ► Solutions  Install software inventory & management tools ► The most effective tools include:  Hash of known good versions  Can prevent execution of anything not on the ‘White List’  Can validate the location of the file in the file system  Allowed users
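The slide above lists what the most effective software-inventory tools do: hash known-good versions, refuse anything not on the whitelist, and validate the file's location. The script below is an added example (not from the presentation or any vendor's product) that performs that audit over a few files constructed in a temporary directory; the file names and contents are made up.

```python
"""Validate files against an allowlist of known-good hashes tied to expected locations.

Added example for the hash / location points above; not from the presentation.
The file names and contents are constructed in a temporary directory.
"""
import hashlib
import os
import shutil
import tempfile


def sha256_file(path):
    """Stream the file so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_allowlist(known_good):
    """known_good: list of (expected_absolute_path, file_bytes). Returns {sha256: expected_path}."""
    return {hashlib.sha256(data).hexdigest(): os.path.abspath(p) for p, data in known_good}


def classify(path, allowlist):
    """'allowed'   = known hash at its expected location
       'relocated' = known hash somewhere else (a copied or renamed binary)
       'unknown'   = hash not on the list (new, modified or trojaned file)"""
    expected = allowlist.get(sha256_file(path))
    if expected is None:
        return "unknown"
    if os.path.abspath(path) != expected:
        return "relocated"
    return "allowed"


def audit(paths, allowlist):
    return {p: classify(p, allowlist) for p in paths}


def demo():
    """Build a throw-away directory with three files and audit them; returns {relative_path: verdict}."""
    root = tempfile.mkdtemp()
    try:
        good = os.path.join(root, "bin", "tool.exe")
        os.makedirs(os.path.dirname(good))
        with open(good, "wb") as f:
            f.write(b"known good tool, version 1")
        copied = os.path.join(root, "tmp", "tool.exe")          # same bytes, wrong place
        os.makedirs(os.path.dirname(copied))
        shutil.copyfile(good, copied)
        stranger = os.path.join(root, "tmp", "update.exe")      # never approved
        with open(stranger, "wb") as f:
            f.write(b"nobody approved this")
        allowlist = build_allowlist([(good, b"known good tool, version 1")])
        results = audit([good, copied, stranger], allowlist)
        return {os.path.relpath(p, root).replace(os.sep, "/"): v for p, v in results.items()}
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{verdict:9s} {name}")
```

Keying the list by hash rather than by file name is what makes a renamed or relocated copy show up as "relocated" instead of silently passing; a whitelist that only checks names would accept anything called tool.exe.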

68 Unauthorized Software ► Solutions  Operating Systems ► Consistency is key ► Drivers should all be signed  Should only be from the manufacturers of the device installed.

69 Harden Workstations & Servers ► Systems that are installed, hooked up and not properly secured pose a significant threat.

70 Harden Workstations & Servers ► Solutions  Ideally have your hardware vendor setup the machines with an image that is created / updated on a regular basis.  Install from a secure server that contains updated images of what should be on a machine.

71 Harden Workstations & Servers ► Solutions  Remove all extraneous users that come with the OS  Shutdown and remove all extra services  Shut down all unused ports  Install local Firewall software & configure

72 Harden Workstations & Servers ► Solutions  Run assessment programs regularly  Test with systems that aren’t configured correctly  Test by injecting systems that are configured correctly

73 Harden Devices ► Secure configurations of network devices such as firewalls, routers, and switches. While these devices are on the radar, they are rarely double-checked after configuration. ► Hackers have automated tools looking for holes in the perimeter as well as in internal devices.

74 Harden Devices
► Secure firewall configurations
  • Auditing
    • 75% of firewalls have rules that are not required
    • 50% of those are dangerous

75 Harden Devices ► Solutions  Create a standard configuration document  Follow the standard configuration document  Filter all un-needed services  Exceptions, when required, should have a time limit or a review period  Log log log  Monitor & review

76 Harden Devices ► Solutions  Use penetration tools regularly ► Test from the outside world & the inside world  All devices should use encrypted configuration logins  Use separate physical networks where possible  Use VLANs where physically separating the networks is not possible.

77 ► "A network of hackers, most based in China, have been making up to 70,000 attempts a day to break into the NYPD's computer system, the city's Commissioner, Raymond Kelly, revealed Wednesday.”

78 Log Log Log ► Many incidents can be readily revealed with a bit of logging and analysis of those logs.

79 Logs ► Solutions  Almost everything that has a log should have the log turned on.  Logs should include: ► Date/time ► Source IP ► Destination IP ► Port ► Etc

80 Logs ► Solutions  Use standard SYSLOG entries or use software that converts logs to a common log format.  Store logs for a while – space & DVDs are cheap  Create systems & procedures for analyzing logs. ► These systems should have ‘normal’ items and ‘abnormal’ items

81 Logs ► Solutions  All remote access logging: ► should be in detail ► Should be rigorously analyzed.  All security alerts should be logged. ► Workstation ► Servers ► Devices

82 Logs ► Solutions  Use unified time ► This allows logs to be matched up across many devices and / or networks.  Border devices ► Should log verbosely ► Should log all traffic  Blocked  Allowed

83 Logs ► Solutions • Logs should be secured. • Logs should be exported and saved on write-once devices, or written to dedicated logging servers. • The dedicated logging servers should use separate security credentials.

84 Logs ► Solutions  Test the logs and review after: ► Normal / acceptable traffic ► Push the system ► Attempt to penetrate the network.  Inside  Outside ► Compare and correlate the data on all of the logs for validity.

85 Logs ► Solutions  Review ► Logs everyday ► Use automated tools to analyze large amounts of data.  Test ► Attack a system ► Test the response time.  Discovery  Action taken to attack
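Slides 80 through 85 ask for a common log format, unified time, and correlation across devices. The script below is an added example (not from the presentation) that does exactly that for two constructed log sources: a firewall that writes ISO-8601 timestamps with a UTC offset, and a workstation that writes naive local time and is assumed (as documented per host) to run in UTC. Both line layouts and all addresses are assumptions made for the example.

```python
"""Normalize logs from two devices to UTC and correlate them by source IP.

Added example for the 'unified time' and 'common log format' points above;
it is not from the presentation. The two line formats are assumptions: the
firewall writes ISO-8601 timestamps with a UTC offset, the workstation writes
naive local time and is assumed (documented per host) to run in UTC.
"""
import re
from datetime import datetime, timezone

# Constructed sample lines (not real traffic).
FIREWALL_LOG = [
    "2012-05-15T08:01:12-05:00 fw1 filter: DENY src=203.0.113.7 dst=192.0.2.10 dport=445",
    "2012-05-15T08:05:00-05:00 fw1 filter: DENY src=198.51.100.9 dst=192.0.2.10 dport=22",
    "2012-05-15T08:06:30-05:00 fw1 filter: ALLOW src=10.0.0.5 dst=192.0.2.10 dport=443",
]
WORKSTATION_LOG = [
    "2012-05-15 13:01:40 ws17 auth: failed login user=admin from=203.0.113.7",
    "2012-05-15 13:40:00 ws17 auth: failed login user=jdoe from=10.0.0.5",
]
WORKSTATION_TZ = timezone.utc   # assumption: this host is documented as logging in UTC

FW_RE = re.compile(r"^(\S+) (\S+) filter: (DENY|ALLOW) src=(\S+) dst=(\S+) dport=(\d+)$")
WS_RE = re.compile(r"^(\S+ \S+) (\S+) auth: failed login user=(\S+) from=(\S+)$")


def normalize_firewall(lines):
    """Parse firewall lines; the offset in the timestamp lets us convert to UTC exactly."""
    events = []
    for line in lines:
        m = FW_RE.match(line)
        if not m:
            continue
        ts, host, action, src, dst, dport = m.groups()
        when = datetime.fromisoformat(ts).astimezone(timezone.utc)
        events.append({"time": when, "host": host, "type": "fw_" + action.lower(),
                       "src": src, "dst": dst, "dport": int(dport)})
    return events


def normalize_workstation(lines, tz=WORKSTATION_TZ):
    """Parse workstation lines; naive timestamps need the host's known zone attached first."""
    events = []
    for line in lines:
        m = WS_RE.match(line)
        if not m:
            continue
        ts, host, user, src = m.groups()
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").replace(tzinfo=tz).astimezone(timezone.utc)
        events.append({"time": when, "host": host, "type": "auth_fail", "src": src, "user": user})
    return events


def to_common_format(event):
    """One line per event, UTC timestamp first, so lines from any device sort together."""
    return f"{event['time'].isoformat()} {event['host']} {event['type']} src={event['src']}"


def correlate(fw_events, ws_events, window_seconds=120):
    """A border DENY followed within the window by a failed login from the same source
    is one attacker touching two layers; only comparable once both clocks are in UTC."""
    hits = []
    for fw in fw_events:
        if fw["type"] != "fw_deny":
            continue
        for ws in ws_events:
            delta = (ws["time"] - fw["time"]).total_seconds()
            if ws["src"] == fw["src"] and 0 <= delta <= window_seconds:
                hits.append({"src": fw["src"], "deny_at": fw["time"].isoformat(),
                             "auth_fail_at": ws["time"].isoformat(), "delta_seconds": delta,
                             "fw_host": fw["host"], "ws_host": ws["host"]})
    return hits


if __name__ == "__main__":
    fw, ws = normalize_firewall(FIREWALL_LOG), normalize_workstation(WORKSTATION_LOG)
    for ev in sorted(fw + ws, key=lambda e: e["time"]):
        print(to_common_format(ev))
    for hit in correlate(fw, ws):
        print("correlated:", hit)
```

Without the conversion, the firewall's 08:01 and the workstation's 13:01 look five hours apart and the two events would never be matched; with it they are 28 seconds apart.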


87 Malware ► 6 million+ unique malware samples were identified in the first quarter of 2011, a 26% increase from Q1 of 2010 and far exceeding any first quarter in malware history. ► 70,000 new malware strains are detected every day.

88 Malware ► McAfee says that PC malware had its "busiest quarter in recent history," in their quarterly security report released Wednesday 5/23/2012.

89 Malware ► Malware targeting Apple computers also continued to rise steadily. New malware for the Mac exploded in the second quarter of 2011, but this last quarter saw the most new cases since then with about 250.

90 What exactly is a RootKit? ► A rootkit is a software/hardware application that enables continued privileged access to a computer while actively concealing its presence from authorized users and administrators.

91 What exactly is a RootKit? ► The term rootkit is used to describe the mechanisms and techniques whereby malware, including viruses, spyware, and trojans, attempt to hide their presence from spyware blockers, antivirus, and system management utilities. There are several rootkit classifications depending on whether the malware survives reboot and whether it executes in user mode or kernel mode.

92 Persistent Rootkits ► Persistent rootkits activate each time the system boots. ► Because persistent rootkits start automatically at each system start or when a user logs in, they must store code in a persistent store, such as the Registry or file system, and they execute without user intervention.

93 Memory-Based Rootkits ► Memory-based rootkits have no persistent code and therefore do not survive a reboot.

94 User-mode Rootkits ► These rootkits usually intercept operating system information on its way to the user and provide results that prevent the user from seeing the rootkit's executable files and libraries. ► In this case the Windows native API serves as the interface between user-mode client software and kernel-mode services. ► The most sophisticated user-mode rootkits intercept the File System, Registry, and System Process functions of the native Windows API, preventing detection of the rootkit.

95 Kernel-mode Rootkits ► These rootkits are usually the most powerful, since they can intercept the native API in kernel mode and can also directly manipulate kernel-mode data. ► Kernel rootkits hide their presence by removing their process from the kernel's list of active processes; these rootkits will normally be absent from Task Manager.

96 A Brief History of RootKits ► The first Windows rootkit, called NTRootkit, appeared in 1999 on Windows NT. ► HackerDefender followed in 2003. ► The first Mac rootkit targeting OS X appeared in 2009. ► And the Stuxnet worm was the first to target programmable logic controllers (PLCs).

97 And then there was: ► The Sony BMG copy protection rootkit


99 Our protected environments ► Classic Perimeter  Firewall  ACL (port and web filter)  IDS / NIPS / HIDS  Proxy ► Patch Control ► Personal Fire Walls

100 Our Protected Environments… ► Rootkits still penetrate ► Even proxies, Websense, IE lockdowns are not a perfect solution ► Volume so high and attackers so sophisticated, that a tiny percentage gets through…

101 Our Protected Environments… ► It is estimated that: • in a 24 hour period • of 44K web sessions • accessing 10K hosts • approx. 20 web exploits were discovered. ► So what? 0.04%? Big deal!

102 Limit Administrators ► All too often users are granted “Administrator” privileges on networks, servers & workstations. When they do have this access associated with one of their accounts, they tend to use the account with Administrative privileges.

103 Limit Administrators ► Solutions  Monitor and log all users that need ‘administrator’ ( and Super User ) access.  Create multiple accounts for such users and encourage them to use the ‘administrator’ capable user only when required by their job.  Require such users to have STRONG passwords.

104 Limit Administrators ► Solutions  Remote ‘administrator’ access should be prevented. ► Once connected with a non-administrator account users can login to additional systems with their ‘administrator’ account.  Audit / confirm ► Audit all users with ‘Administrator’ capabilities often. ► Remove such privileges when they are no longer needed by the user.

105 Limit Administrators ► Solutions  Audit / confirm ► Review logs to ensure that users are not abusing the rules:  Reading e-mail with their privileged accounts  Browsing the Internet  Educate ‘Administrator’ users about social engineering techniques  Attempt to Social Engineer ‘Administrator’ users.

106 Limit Administrators ► Solutions  Require two factor authentication for all Administrator accounts  Use roles / groups to segregate responsibilities ► Workstation Administrators only have access to administration of workstations, laptops, etc ► Domains administrators only have administrator access to servers

107 Limit Administrators ► Solutions  Audit Processes ► Look at all processes that have ‘Administrator’ privileges. Reduce to only what is required. ► Review logs that have detailed entries often to determine if any Rogue ‘Administrators’ or ‘Administrator’ privilege software exist in your domain


109 Limit Administrators ► Make being logged in as an administrator as annoying as you can  No email access  No Web Access  1 minute to lock machine in Screen Saver


111 People People People ► Organizations with educated users have fewer problems.  Threats to organizations ► Social engineering ► Sloppy users  End users are fooled into opening attachments and loading software from untrusted sites, visiting web sites where they are infected and more.  System administrators are also fooled like normal users but are also tested when: ► unauthorized accounts are set up on their systems, when unauthorized equipment is attached, when large amounts of data are exfiltrated.

112 People People People  Threats to organizations ► Sloppy users  System administrators are also fooled like normal users but are also tested when: ► unauthorized accounts are set up on their systems ► unauthorized equipment is attached ► when large amounts of data are exfiltrated.  Security operators and analysts are hit with new and innovative attacks with: ► sophisticated privilege escalation ► Redirection ► other attacks along with a continuous stream of more traditional attacks. ( They get distracted )

113 People People People  Threats to organizations ► Sloppy users  Application programmers are tested by criminals who find and exploit the vulnerabilities they leave in their code. ► Stubborn Organizations  System owners are tested when they are asked to invest in cyber security but are unaware or refuse to accept the devastating impact a compromise and data exfiltration or data alteration would have on their mission

114 Social Engineering ► Methods  1) call help desk to find out the secret questions with a non target  2) They gather up the target’s secret question answers.  3) once they have that they get the help desk to change the password  4) then they call the target and inform them about the change

115 Social Engineering ► Methods  QUICK CHANGE ► 1) help the user change their password by intimating that you are from the help desk ► 2) and then tell the user not to reveal their current password for security purposes

116 Social Engineering ► Methods  give out usb flash drive with malicious code  get a keylogger with bluetooth

117 Social Media ► Policy  Single person or limited persons who can post  Policy about what they can post

118 ► On the Internet….  Nobody knows you’re a dog.  And increasingly, nobody knows you’re a hacker.

119 Events & Social Engineering ► Just over one year ago:  Osama Bin Laden's Death a Party for Spammers, Fake AV Scammers

120 Events & Social Engineering ► This year:

| Month | Date | Event | Location |
| May | 18-19 | G8 Summit | Camp David |
| May | 20-21 | NATO Summit | Chicago, IL |
| June | 18-20 | G-20 Summit | Los Cabos, Mexico |
| July to August | 27 to 12 | Summer Olympics | London |
| August | 27-30 | Republican National Conv. | Tampa, FL |
| September | 03-06 | Democratic National Conv. | Charlotte, NC |
| November | 18-19 | Asia Pacific Economic Summit | Russky Island |

121 Events & Social Engineering ► Based on history, malicious persons will capitalize on these high profile events to collect intelligence, distribute spam and/or draw attention to ideological causes. ► Some foreign intelligence services will likely use socially engineered spear-phishing emails to masquerade as a trustworthy entity and target individuals affiliated with these events.

122 Events & Social Engineering ► Normally targeting begins as early as months before the event and may continue until weeks after the event concludes.

123 Events & Social Engineering ► These targeted activities are an effort to collect economic and political strategies, talking points, and related intelligence related to the event of countries and key personalities in attendance in order to negotiate and compete from a position of strength.

124 Events & Social Engineering ► These events may also become prime spam content for criminals seeking financial gain. ► The spam may be used to distribute malware or phish PII or financial information. ► Phishing and scams imitating official 2012 Olympic correspondence or offering tickets have already begun circulating in the wild.

125 Events & Social Engineering ► Lastly, hacktivists have defaced and disrupted the websites of conference related financial, corporate, and government entities to promote their ideological positions. ► It is probable that hacktivists will conduct similar activities during the summits.

126 Mitigation ► Train users to be wary of unsolicited attachments, even from people they know. Just because an email message looks like it came from a familiar source does not mean it did: malicious persons often "spoof" the return address, making it look like the message came from someone else.

127 Mitigation ► Check with the person who supposedly sent the message to make sure it's legitimate before opening any attachments. This also includes email messages that appear to be from your Internet Service Provider (ISP) or software vendor claiming to include patches or anti-virus software. ISPs and software vendors do not send patches or software in email.

128 Mitigation ► Keep software up to date - Install software patches so that attackers can't take advantage of known problems or vulnerabilities (see US-CERT Security Tip ST04-006, Understanding Patches for more information). Many operating systems offer automatic updates. If this option is available, you should enable it.

129 Mitigation ► Teach your employees to trust their instincts. If an email or attachment seems suspicious, don't open it, even if your antivirus software indicates that the message is virus-free. ► Attackers are constantly releasing "zero-days", and most likely your anti-virus software does not have a signature for them yet.

130 Top 25 Programming Errors
► CATEGORY: Insecure Interaction Between Components
  • CWE-20: Improper Input Validation
    It's the number one killer of healthy software, so you're just asking for trouble if you don't ensure that your input conforms to expectations.
  • CWE-116: Improper Encoding or Escaping of Output
    Computers have a strange habit of doing what you say, not what you mean. Insufficient output encoding is the often-ignored sibling to poor input validation, but it is at the root of most injection-based attacks, which are all the rage these days.
  • CWE-89: Failure to Preserve SQL Query Structure (aka 'SQL Injection')
    If attackers can influence the SQL that you use to communicate with your database, then they can.
  • CWE-79: Failure to Preserve Web Page Structure (aka 'Cross-site Scripting')
    Cross-site scripting (XSS) is one of the most prevalent, obstinate, and dangerous vulnerabilities in web applications.
  • CWE-78: Failure to Preserve OS Command Structure (aka 'OS Command Injection')
    When you invoke another program on the operating system, but you allow untrusted inputs to be fed into the command string that you generate for executing the program, then you are inviting attackers.
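CWE-89, CWE-78 and CWE-79 share one root cause the slide names under CWE-116: untrusted text is allowed to change the structure of a query, a command line or a page. The script below is an added example (not from the presentation or from CWE) that puts the defective form of each beside the corrected form; the users table, the host names and the inputs are constructed, and the vulnerable command builder only returns the string it would have handed to a shell rather than executing anything.

```python
"""Vulnerable and hardened forms of CWE-89, CWE-78 and CWE-79 side by side.

Added example, not from the presentation; the users table and the inputs are constructed.
"""
import html
import re
import sqlite3


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [("alice", "admin"), ("bob", "user")])
    return conn


def lookup_vulnerable(conn, name):
    """CWE-89: the input is pasted into the query text, so it can rewrite the WHERE clause."""
    return [r[0] for r in conn.execute(f"SELECT name FROM users WHERE name = '{name}'")]


def lookup_safe(conn, name):
    """Parameter binding fixes the query structure; the input is only ever compared as a value."""
    return [r[0] for r in conn.execute("SELECT name FROM users WHERE name = ?", (name,))]


def ping_command_vulnerable(host):
    """CWE-78: a single string destined for a shell, where metacharacters in host are
    interpreted as command syntax. Returned here for inspection only, never executed."""
    return f"ping -c 1 {host}"


HOSTNAME_RE = re.compile(r"[A-Za-z0-9.-]{1,253}")


def ping_command_safe(host):
    """Validate against an allowlist pattern, then build an argv list so no shell parses it."""
    if not HOSTNAME_RE.fullmatch(host):
        raise ValueError(f"rejected host argument: {host!r}")
    return ["ping", "-c", "1", host]   # pass to subprocess.run(argv) without shell=True


def render_vulnerable(comment):
    """CWE-79: raw user text inserted into HTML, so it is parsed as markup."""
    return f"<p>{comment}</p>"


def render_safe(comment):
    """Encode for the HTML text context; the browser displays the characters instead of parsing them."""
    return f"<p>{html.escape(comment, quote=True)}</p>"


if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"
    print("vulnerable lookup:", lookup_vulnerable(db, probe))   # every row comes back
    print("safe lookup:      ", lookup_safe(db, probe))         # nothing is named that
    print(ping_command_vulnerable("example.com; id"))           # shell would run both
    print(ping_command_safe("example.com"))
    print(render_vulnerable("<b>hi</b>"), render_safe("<b>hi</b>"))
```

The three fixes look different (bound parameters, an argv list plus an allowlist, context-specific encoding) but each keeps the untrusted value in a data slot the interpreter cannot mistake for structure, which is the general rule behind CWE-116.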

131 Top 25 Programming Errors
► CATEGORY: Insecure Interaction Between Components
  • CWE-319: Cleartext Transmission of Sensitive Information
    If your software sends sensitive information across a network, such as private data or authentication credentials, that information crosses many systems and components. If sent in clear text, it is interceptable.
  • CWE-352: Cross-Site Request Forgery (CSRF)
    With cross-site request forgery, the attacker gets the victim to activate a request that goes to your site. Thanks to scripting and the way the web works in general, the victim sends data from his browser to your site for someone else.
  • CWE-362: Race Condition
    Attackers will consciously look to exploit race conditions to cause chaos or get your application to cough up something valuable.
  • CWE-209: Error Message Information Leak
    If you use chatty error messages, then they could disclose secrets to any attacker who dares to misuse your software. The secrets could cover a wide range of valuable data that allows a hacker entry into your database.

132 Top 25 Programming Errors
► CATEGORY: Risky Resource Management
  • CWE-119: Failure to Constrain Operations within the Bounds of a Memory Buffer
    Buffer overflows are Mother Nature's little reminder of that law of physics that says if you try to put more stuff into a container than it can hold, you're asking for trouble.
  • CWE-642: External Control of Critical State Data
    There are many ways to store user state data without the overhead of a database. Unfortunately, if you store that data in a place where an attacker can access temporary data and modify it, they may be able to pass parameters and information that they should not be able to.
  • CWE-73: External Control of File Name or Path
    When you use an outsider's input while constructing a filename, you're taking a chance. If you're not careful, an attacker could send files and information that they should not normally be able to send.
  • CWE-426: Untrusted Search Path
    If a resource search path is under attacker control, then the attacker can modify it to point to resources of the attacker's choosing. This causes the software to access the wrong resources at the wrong time.
  • CWE-94: Failure to Control Generation of Code (aka 'Code Injection')
    For ease of development, sometimes you can't beat using a couple lines of code to employ lots of functionality. It's even cooler when you can pass additional 'dynamic' code to the application for it to run.
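For CWE-73 the usual defence is to resolve the user-supplied name against a fixed base directory and refuse anything whose real path lands outside it. The script below is an added example (not from the presentation) of that check; it builds a throw-away upload directory, a file outside it and a symlink pointing out of it, all constructed for the demo, and classifies a handful of requested names.

```python
"""Constrain a user-supplied file name to a base directory (CWE-73).

Added example, not from the presentation; the directory layout is constructed in a temp dir.
"""
import os
import shutil
import tempfile


class PathEscapeError(ValueError):
    """Raised when the requested name resolves outside the permitted directory."""


def resolve_under(base_dir, user_supplied):
    """Return the real path of user_supplied inside base_dir, or raise PathEscapeError.

    realpath() collapses '..' segments and follows symlinks, so both a '../' walk and a
    link inside base that points outside are caught. commonpath() rather than a string
    prefix test means a sibling such as 'uploads2' does not pass as 'uploads'."""
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, user_supplied))  # absolute input replaces base
    if os.path.commonpath([base, candidate]) != base:
        raise PathEscapeError(user_supplied)
    return candidate


def demo():
    """Exercise the check against constructed requests; returns {request: 'served' | 'blocked'}."""
    root = tempfile.mkdtemp()
    try:
        base = os.path.join(root, "uploads")
        outside = os.path.join(root, "secret.txt")
        os.makedirs(os.path.join(base, "reports"))
        with open(os.path.join(base, "reports", "q1.txt"), "w") as f:
            f.write("ok")
        with open(outside, "w") as f:
            f.write("not for serving")
        os.symlink(outside, os.path.join(base, "link.txt"))   # a link that escapes the base
        requests = ["reports/q1.txt", "reports/../reports/q1.txt",
                    "../secret.txt", "/etc/passwd", "link.txt"]
        results = {}
        for name in requests:
            try:
                resolve_under(base, name)
                results[name] = "served"
            except PathEscapeError:
                results[name] = "blocked"
        return results
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{verdict:8s} {name}")
```

Note that os.path.join discards the base when the second argument is absolute, which is why the check is made on the resolved result rather than on the input string.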

133 Top 25 Programming Errors ► CATEGORY: Risky Resource Management  CWE-494: Download of Code Without Integrity Check ► You don't need to be a guru to realize that if you download code and execute it, you're trusting that the source of that code isn't malicious.  CWE-404: Improper Resource Shutdown or Release ► When your precious system resources have reached their end of life, you need to remove, release, or shut them down properly so that the system can reuse those resources.  CWE-665: Improper Initialization ► Just as you should start your day with a healthy breakfast, proper initialization helps to ensure that code will run properly.  CWE-682: Incorrect Calculation ► When attackers have some control over the inputs that are used in numeric calculations, this weakness can lead to vulnerabilities. It could cause you to make incorrect security decisions. Overflows, etc.
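CWE-494 as an added example that is not the presentation's code: a downloaded plug-in is hashed and compared in constant time against a digest published out of band, and only then executed. The plug-in bytes, the tampered copy and the published digest are constructed inline. A hash only proves the bytes match what the publisher listed; if the digest travels over the same channel as the download, a signature over the manifest is needed as well.

```python
import hashlib
import hmac

# Constructed stand-in for a downloaded plug-in. In practice these bytes come
# off the network, and the expected digest comes from a trusted out-of-band
# source (a signed manifest), never from the same untrusted download.
TRUSTED_PLUGIN = b"def run():\n    return 'plugin ok'\n"
PUBLISHED_SHA256 = hashlib.sha256(TRUSTED_PLUGIN).hexdigest()

# The same download after the payload was swapped in transit (constructed).
TAMPERED_PLUGIN = TRUSTED_PLUGIN.replace(b"plugin ok", b"plugin hijacked")


def download_matches(payload: bytes, expected_sha256: str) -> bool:
    """CWE-494 check: recompute the digest of what actually arrived and
    compare it in constant time with the published value."""
    actual = hashlib.sha256(payload).hexdigest()
    return hmac.compare_digest(actual, expected_sha256.strip().lower())


def load_plugin(payload: bytes, expected_sha256: str) -> str:
    """Execute downloaded code only after its integrity has been verified;
    a mismatch is a hard failure, not a warning."""
    if not download_matches(payload, expected_sha256):
        raise RuntimeError("integrity check failed; refusing to execute download")
    namespace = {}
    exec(compile(payload, "<downloaded plugin>", "exec"), namespace)
    return namespace["run"]()
```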

134 Top 25 Programming Errors ► CATEGORY: Porous Defenses  CWE-285: Improper Access Control (Authorization) ► If you don't ensure that your software's users are only doing what they're allowed to, then attackers will try to exploit your improper authorization and exercise unauthorized functionality that you only intended for restricted users.  CWE-327: Use of a Broken or Risky Cryptographic Algorithm ► You may be tempted to develop your own encryption scheme in the hopes of making it difficult for attackers to crack. This kind of grow-your-own cryptography is a welcome sight to attackers. Use standard encryption routines and algorithms.  CWE-259: Hard-Coded Password ► Hard-coding a secret account and password into your software's authentication module is an easy thing to hack. Furthermore, it prevents the password from being changed readily.  CWE-732: Insecure Permission Assignment for Critical Resource ► If you have critical programs, data stores, or configuration files with permissions that make your resources accessible to the world, well, that's just what they'll become: accessible to the world.
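CWE-259, CWE-327 and CWE-732 together, as an added Python example that is not from the presentation: the hard-coded login beside a salted PBKDF2-HMAC-SHA256 hash from the standard library (no home-grown algorithm), plus a check that the file holding that hash is not group- or world-accessible. The admin password and the credentials-file layout are constructed samples; write_credentials_file is a helper assumed here so the permission check can be exercised on a temporary file.

```python
import hashlib
import hmac
import os
import secrets
import stat
import tempfile
from typing import List, Optional

# --- CWE-259, the 'before': one password baked into every copy of the code --
ADMIN_PASSWORD = "Tr0ub4dor&3"  # constructed sample; shows the weak pattern


def login_hardcoded(user: str, password: str) -> bool:
    return user == "admin" and password == ADMIN_PASSWORD


# --- CWE-327 / CWE-259, the 'after': a salted PBKDF2 hash computed by the
# standard library and kept in a credentials file, never in source -----------
ITERATIONS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>'."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare."""
    try:
        algo, iters, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


# --- CWE-732: the credentials file must not be readable by group or world ---
def permission_problems(path: str) -> List[str]:
    """Return the over-broad permission classes found on `path` (empty = ok)."""
    mode = os.stat(path).st_mode
    problems = []
    if mode & (stat.S_IRGRP | stat.S_IWGRP | stat.S_IXGRP):
        problems.append("group access")
    if mode & (stat.S_IROTH | stat.S_IWOTH | stat.S_IXOTH):
        problems.append("world access")
    return problems


def write_credentials_file(stored_hash: str, mode: int) -> str:
    """Hypothetical helper: write the hash to a temp file with the given mode
    and return its path, so the check can run without a real deployment."""
    fd, path = tempfile.mkstemp(prefix="creds-")
    with os.fdopen(fd, "w") as fh:
        fh.write(f"admin:{stored_hash}\n")
    os.chmod(path, mode)
    return path
```

Because the salt is fresh per call, two hashes of the same password differ, so a leaked credentials file does not reveal which accounts share a password; the permission check is the one a deployment script should run before the service starts.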

135 Top 25 Programming Errors ► CATEGORY: Porous Defenses  CWE-330: Use of Insufficiently Random Values ► If you use security features that require good randomness, but you don't provide it, then you'll have attackers laughing all the way to the bank. Imagine how quickly a Las Vegas casino would go out of business if gamblers could predict the next roll of the dice, spin of the wheel, or turn of the card.  CWE-250: Execution with Unnecessary Privileges ► Spider-Man said, “With great power comes great responsibility.” Your software may need special privileges to perform certain operations, but wielding those privileges longer than necessary can be extremely risky.  CWE-602: Client-Side Enforcement of Server-Side Security ► Remember that underneath that fancy GUI, it's just code. Attackers can reverse engineer your client and write their own custom clients that leave out certain inconvenient features like all those pesky security controls. The server must enforce the same security checks itself rather than relying on the client.
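CWE-330 and CWE-602 as an added example that is not from the presentation: a session token drawn from a seeded PRNG reproduces exactly for the same seed, which is the property a guessable seed hands to an attacker, beside a token from the OS CSPRNG; and an order total that trusts the client's price field beside one that recomputes it from the server's own catalog and range-checks the quantity. The catalog, prices and cart records are constructed.

```python
import random
import secrets
import string

ALPHABET = string.ascii_letters + string.digits


# --- CWE-330: a 'random' token from a PRNG seeded with something guessable --
def weak_session_token(seed: int) -> str:
    """random.Random is a Mersenne Twister: same seed, same token. Seeding it
    from the clock or the PID (a common habit) makes the seed guessable."""
    rng = random.Random(seed)
    return "".join(rng.choice(ALPHABET) for _ in range(16))


def strong_session_token() -> str:
    """secrets draws from the OS CSPRNG; 32 bytes is 256 bits of entropy."""
    return secrets.token_urlsafe(32)


# --- CWE-602: the client's copy of a rule is a convenience, not a control ---
CATALOG = {"sku-100": 4999, "sku-200": 1999}  # constructed prices, in cents
MAX_QTY = 100


def total_trusting_client(cart: list) -> int:
    """Weak: adds up whatever 'price' the client put in the request."""
    return sum(item["price"] * item["qty"] for item in cart)


def total_server_side(cart: list) -> int:
    """Hardened: the price comes from the server's catalog and the quantity
    is range-checked; a client-supplied 'price' field is ignored entirely."""
    total = 0
    for item in cart:
        sku, qty = item.get("sku"), item.get("qty")
        if sku not in CATALOG:
            raise ValueError(f"unknown sku {sku!r}")
        if isinstance(qty, bool) or not isinstance(qty, int) or not 1 <= qty <= MAX_QTY:
            raise ValueError(f"bad quantity {qty!r}")
        total += CATALOG[sku] * qty
    return total
```

The server-side version treats every field of the request as untrusted input, including ones the official client never lets the user edit; the JavaScript or GUI validation stays for usability only.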

136 Top 25 Programming Errors ► Resources to Help Eliminate The Top 25 Errors ► cwe.mitre.org/top25/

137 Multi Factor Authentication ► Biometrics ► Key cards ► RSA Keys

138 Miscellaneous topics ► Internal hackers ► filtering of e-mail at the border or beyond ► flash drives ► Open Source applications ► user level threats

139 Resources ► Microsoft’s Web Application Configuration Analyzer (just released 2.0) scans the following for common security issues and misconfigurations:  IIS servers  Hosted applications  SQL Server instances

140 Resources ► Foundstone (a McAfee organization) ► Google Diggity ► Bing Diggity ► Stach & Liu used Google trends: ► Stachliu.com/index.php/resources/tools/googlehackingtools

141 Resources ► Free Windows rootkit detection tools:  Sysinternals Rootkit Revealer  Avast! Antivirus  Sophos Anti-Rootkit  F-Secure Blacklight  MalwareBytes  HijackThis  Kaspersky removal tool

142 Resources ► Infragard ► NIST

143 Disclaimer ► Scott Greene and Evidence Solutions are not recommending that you leave your current job to find one of the following jobs:

144 Top 20 Coolest Jobs in IT ► 1 Information Security Crime Investigator/Forensics Expert ► 2 System, Network, and/or Web Penetration Tester ► 3 Forensic Analyst ► 4 Incident Responder ► 5 Security Architect ► 6 Malware Analyst ► 7 Network Security Engineer ► 8 Security Analyst ► 9 Computer Crime Investigator

145 Top 20 Coolest Jobs in IT ► 10 CISO/ISO or Director of Security ► 11 Application Penetration Tester ► 12 Security Operations Center Analyst ► 13 Prosecutor Specializing in Information Security Crime ► 14 Technical Director and Deputy CISO ► 15 Intrusion Analyst ► 16 Vulnerability Researcher/ Exploit Developer ► 17 Security Auditor ► 18 Security-savvy Software Developer ► 19 Security Maven in an Application Developer Organization ► 20 Disaster Recovery/Business Continuity Analyst/Manager

146 ► Computers are like Old Testament gods; lots of rules and no mercy.  - Joseph Campbell

147 ► The Million Dollar Homepage is a website conceived in 2005 by 21-year-old student Alex Tew from Wiltshire, England, to raise money for his university education. The home page consists of a million pixels arranged in a 1000 × 1000 pixel grid; the image-based links on it were sold for $1 per pixel in 10 × 10 blocks.

148 Evaluation ► I value your comments. Please fill in your evaluation form found at the end of your packet.

149 Scott Greene: Other topics available ► Computer Forensics ► Computer Forensics for Defense Attorneys ► Personal Privacy in the Information Age ► High Technology: Just where is technology going? ► Bypassing Security: How They Steal Company Data ► Fundamentals of Digital Forensics ► Technology Forensics: Theory & Potential... is it Science or Art? ► Technology Forensics: Case Examples ► Technology Forensics: Intellectual property and identity theft ► Technology Forensics: Hardware and Software tools / Show and Tell ► Portable Devices Issues and Answers: A discussion about cell phones and the stories they can tell. ► Anti-Digital Forensics. Or is it Digital Anti-Forensics? ► Data Security and Confidentiality Issues ► E-mail: The digital Smoking Gun

150 Contact Information Scott Greene, SCFE Evidence Solutions, Inc 866-795-7166 Scott@EvidenceSolutions.com

