Presentation is loading. Please wait.

Presentation is loading. Please wait.

Vulnerabilities. flaws in systems that allow them to be exploited provide means for attackers to compromise hosts, servers and networks.

Published byCharleen Lloyd Modified over 8 years ago

Similar presentations

Presentation on theme: "Vulnerabilities. flaws in systems that allow them to be exploited provide means for attackers to compromise hosts, servers and networks."— Presentation transcript:

1 Vulnerabilities

2 flaws in systems that allow them to be exploited provide means for attackers to compromise hosts, servers and networks

3 Vulnerabilities 2 flavors bugs – programming mistakes Errors in code that could cause a system to hang to an insecure state or allow root access Incorrect firewall/router/IDS rules flaws – improper design failing to account for all possibilities in design leads to code with vulnerable ‘features’

4 Vulnerabilities 2-edged sword publishing vulnerabilities and patches is only way to fix problem once published – the network of hackers is aware of the vulnerability patch management is a MAJOR security problem!

5 Vulnerabilities ‘Security by Obscurity’ attempts to use secrecy to prevent knowledge of vulnerabilities vendors of proprietary code are often accused of this zero-day attack attack takes place during the window between when a vulnerability becomes known and a patch is discovered

6 Between a ‘rock and a hard place’ what do you do if you discover a vulnerability in a product and a patch is not available? do you keep it secret until a patch is developed? this leaves customers vulnerable the vendor may not work to fix it since there is no pressure do you publicize it to put pressure on the vendor? knowing that by doing so you have notified all of the hacker community

7 Between a ‘rock and a hard place’ Example 1: In 2009 Microsoft announced vulnerability in SMB subsystem that could leave servers vulnerable to DOS attack there was no patch yet IT managers had two choices disable SMB – meaning some systems would not work wait for patch and pray there would not be an incident

8 Between a ‘rock and a hard place’ Example 2: in 2008 a Mass. Dist. Judge ordered MIT students to NOT present information at DefCon regarding a vulnerability in the MTA ‘CharlieTicket’ system judge said intent was not to silence students but enforce a reasonable period during which a fix could be found the gag order was overturned, but not until after DefCon had concluded http://www.informationweek.com/news/security/vulnerabilities/210002185

9 Vulnerability Management many strategies for managing vulnerabilities vulnerability scanners vulnerability notification vulnerability information online through CERT vulnerability and penetration testing services these go hand-in-hand with adequate patch management

10 Vulnerability Scanners programs that scan a network, host or application for known vulnerabilities Types port scanner – looks for open ports (nmap) network enumerator – provides information on groups, usernames, shares and services (nmap and nessus) network vulnerability scanner – looks for vulnerabilities in network resources and servers (nessus, SAINT) Web application security scanner – looks for vulnerabilities in Web servers and scripts (SAINT, Metasploit Pro) Database security scanner – Looks for vulnerabilities in DBMS and SQL code (Safety Lab Shadow)

11 Vulnerability Notification many vendors will either mail a notification or post to a Web site when a vulnerability has been found and how to patch it services exist that maintain vulnerability lists for multiple products and will provide notification with many of these you provide a list of the software and versions in your organization

12 Vulnerability Notification examples Vupen Security vulnerability services http://www.vupen.com/english/services/ SecureNet Solutions vulnerability notification service http://www.securenetsol.com/am_trial_term s.html Secundia CSI free for home users http://secunia.com/vulnerability_scanning/p ersonal/

13 Vulnerability Notification CERT (Computer Emergency Response Team) at CMU provides weekly list of known vulnerabilities organization security team matches inventory of software and versions to this list http://www.cert.org/advisories/ http://www.us-cert.gov/cas/bulletins/

14 Threats – the counterpart to vulnerabilities Threats exploit vulnerabilities vulnerability – you left your car unlocked threat – criminals going through shopping center parking lots looking for unlocked cars Fortinet’s FortiGuard Center Threat Research and Response Center provides Threat reports and advisories http://www.fortiguard.com/ Awareness of threat landscape can help to prioritize vulnerabilities

15 Top 3 Application Vulnerabilities 1 – Buffer overflow software may not enforce array bounds can allow buffers (arrays used for I/O) to overflow and overwrite code area some malware works this way ‘smashing the stack’ mainly aimed at systems that allow code to be executed with privileged rights best addressed in design and programming patches can often fix this in vendor-supplied software http://www.windowsecurity.com/articles/Analysis_of_Buffer_O verflow_Attacks.html http://www.youtube.com/watch?v=kZZgNnhxA_4http://www.youtube.com/watch?v=kZZgNnhxA_4 (6 min)

16 Top 3 Application Vulnerabilities According to CERT 2 – cross-site scripting code is injected into communications from a Web site most ‘drive-by’ malware uses this method often relies on social engineering to get user to follow link (Banks are especially targeted) Web script writers can validate input and clense output script disabling (although not always practical) use of least-privilege account http://www.ibm.com/developerworks/tivoli/library/s-csscript/

17 Top 3 Application Vulnerabilities According to CERT 3 – SQL injection commands passed through Web form to SQL DBMS can exploit lack of security and gain control of server solution is to add code to validate input http://www.youtube.com/watch?v=jMQ2wdOmMIAhttp://www.youtube.com/watch?v=jMQ2wdOmMIA (3 min)

18 Vulnerability Management Gartner defines 6 steps for vulnerability management Define policy Baseline the environment Prioritize vulnerabilities Mitigate vulnerabilities Maintain and monitor

19 Patch Management requires coordinated effort knowing which patches are available testing patches scheduling patch installation http://www.patchmanagement.org/pmessentials.asp however – many systems remain unpatched some applications (such as firefox) push patches others (such as adobe) allow users to decide

20 Patch Management although recognized as a major security problem – patch management is seen as a burden by traditional IT management it sucks up resources it adds nothing to the bottom-line http://www.computerworld.com.au/article/44872/p atch_management_burdens_customers/?fp=16& fpid=0

Download ppt "Vulnerabilities. flaws in systems that allow them to be exploited provide means for attackers to compromise hosts, servers and networks."

Similar presentations

By Hiranmayi Pai Neeraj Jain

By Hiranmayi Pai Neeraj Jain
Creating Stronger, Safer, Web Facing Code JPL IT Security Mary Rivera June 17, 2011.

Creating Stronger, Safer, Web Facing Code JPL IT Security Mary Rivera June 17, 2011.
Principles of Computer Security: CompTIA Security + ® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ ® and Beyond,

Principles of Computer Security: CompTIA Security + ® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ ® and Beyond,
Penetration Testing & Countermeasures Paul Fong & Cai Yu CS691 5 May 2003.

Penetration Testing & Countermeasures Paul Fong & Cai Yu CS691 5 May 2003.
4/14/2017 © 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks.

4/14/2017 © 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks.
Current Security Threats WMO CBS ET-CTS Toulouse, France 26-30 May 2008 Allan Darling, NOAA’s National Weather Service WMO CBS ET-CTS Toulouse, France.

Current Security Threats WMO CBS ET-CTS Toulouse, France May 2008 Allan Darling, NOAA’s National Weather Service WMO CBS ET-CTS Toulouse, France.
The development of Internet A cow was lost in Jan 14th 2003. If you know where it is, please contact with me. My QQ number is 87881405. QQ is one of the.

The development of Internet A cow was lost in Jan 14th If you know where it is, please contact with me. My QQ number is QQ is one of the.
Web Defacement Anh Nguyen May 6 th, 2010. Organization Introduction How Hackers Deface Web Pages Solutions to Web Defacement Conclusions 2.

Web Defacement Anh Nguyen May 6 th, Organization Introduction How Hackers Deface Web Pages Solutions to Web Defacement Conclusions 2.
Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.

Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.
CS 290C: Formal Models for Web Software Lecture 1: Introduction Instructor: Tevfik Bultan.

CS 290C: Formal Models for Web Software Lecture 1: Introduction Instructor: Tevfik Bultan.
SIRT Contact Orientation Security Incident Response Team Departmental Security Contacts April 16, 2004.

SIRT Contact Orientation Security Incident Response Team Departmental Security Contacts April 16, 2004.
Information Networking Security and Assurance Lab National Chung Cheng University 1 A Real World Attack: wu-ftp.

Information Networking Security and Assurance Lab National Chung Cheng University 1 A Real World Attack: wu-ftp.
A Security Analysis of the PHP language By Jonas Heineson Mattias Österberg.

A Security Analysis of the PHP language By Jonas Heineson Mattias Österberg.
Computer Security and Penetration Testing

Computer Security and Penetration Testing
Greg Williams. IT Security Program  Objective is to maintain integrity of University systems  Minimum Security Standard 12/5/2010Greg Williams CS591.

Greg Williams. IT Security Program  Objective is to maintain integrity of University systems  Minimum Security Standard 12/5/2010Greg Williams CS591.
Presenter Deddie Tjahjono.  Introduction  Website Application Layer  Why Web Application Security  Web Apps Security Scanner  About  Feature  How.

Presenter Deddie Tjahjono.  Introduction  Website Application Layer  Why Web Application Security  Web Apps Security Scanner  About  Feature  How.
The Business of Penetration Testing

The Business of Penetration Testing
Nikto LUCA ALEXANDRA ADELA. Nikto  Web server assessment tool  Written by Chris Solo and David Lodge  Released on December 27, 2001  Stable release:

Nikto LUCA ALEXANDRA ADELA. Nikto  Web server assessment tool  Written by Chris Solo and David Lodge  Released on December 27, 2001  Stable release:
Security and Risk Management. Who Am I Matthew Strahan from Content Security Principal Security Consultant I look young, but I’ve been doing this for.

Security and Risk Management. Who Am I Matthew Strahan from Content Security Principal Security Consultant I look young, but I’ve been doing this for.
Vulnerabilities. flaws in systems that allow them to be exploited provide means for attackers to compromise hosts, servers and networks.

Vulnerabilities. flaws in systems that allow them to be exploited provide means for attackers to compromise hosts, servers and networks.

Similar presentations

Ads by Google