bleeding servers – how hackers are exploiting known vulnerabilities
DESCRIPTION
Today’s hackers ruthlessly target Common Vulnerabilities and Exposures (CVEs) to launch multi-site attacks that take control of Web servers and allow their perpetrators to flee with valuable data assets. HeartBleed stands as the most notorious example of a known vulnerability attack, but with a CVE database running in the thousands, attackers have ample opportunity to profit from insecure Web applications. This presentation will:
- Discuss the latest data breach stats to identify where the most dangerous attacks are coming from
- Explore the attack perpetrators and reveal how they’re being successful
- Present the anatomy of a HeartBleed attack
- Provide mitigation techniques to protect against known vulnerabilities
TRANSCRIPT
© 2014 Imperva, Inc. All rights reserved.
Bleeding Servers – How Hackers Are Exploiting Known Vulnerabilities
Confidential 1
Terry Ray, VP of Global Security Engineering, Imperva
Agenda
§ Latest Verizon Data Breach Investigation Report (DBIR) Stats
§ Examining Vulnerabilities and Exploits
§ HeartBleed Deep-Dive
§ Understanding Data Theft
§ Mitigating HeartBleed and CVEs
Terry Ray, VP of Global Security Engineering
§ Speaker at Industry Events
• ISSA, IANS, ISACA, Gartner, RSA
§ Designed and deployed data security solutions for hundreds of customers in various verticals including:
• Healthcare
• Oil and gas
• Financial services
• Government
• eCommerce
§ Lectured on various network and data security topics and taught numerous security courses in over 35 countries globally
Latest Breach Statistics
Yay! A New Verizon DBIR to Talk About
The Big Winners
Actual Data Loss – Breach vs Incident
Who’s Attacking – Hacktivists vs Criminals
§ “Greed takes a back seat to ideology when it comes to web app attacks in the 2013 dataset”
§ “74% [of ideology motivated attacks] focus on tried and true exploits”
• Adobe PDF with embedded exe – 4 years old
• Microsoft server stack corruption – 6 years old
• Microsoft RPC DCOM bug—or MS03-026 – a staggering 10 years old—you might remember it as Blaster
• All still in the wild
How You Find Out That You’ve Been Hacked
§ Financially motivated – discovered by customers
§ Hacktivists – discovered by external sources
• “uhh, hey guys, did you know that your webserver is attacking us”
§ But we’re getting better at detecting breaches ourselves
• 9%
CVEs Explored
Stay On Top of Vulnerabilities
§ The Common Vulnerabilities and Exposures (CVE) system provides a reference method for publicly known information-security vulnerabilities and exposures.
§ http://cve.mitre.org/cve/
Classic Web Site Hacking
Hacking 1. Identify Target 2. Find Vulnerability 3. Exploit
Single Site Attack
Classic Web Site Hacking
Hacking (repeated once per targeted site)
1. Identify Target 2. Find Vulnerability 3. Exploit
Multiple Site Attacks
Exploit Hacking
Hacking
1. Identify CVE 2. Weaponize Vulnerability 3. Exploit
Vulnerability Targeting Attack
The Attacker’s Focus
Server Takeover
Direct Data Theft
Source: http://www.mediabistro.com/fishbowldc/suspended-politico-scribe-hacked_b76882
Source: http://www.connectmidmissouri.com/news/story.aspx?id=600968
HeartBleed
Source: http://thequestionconcerningtechnology.blogspot.com/
What Is It and Why Do We Care?
§ The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library.
§ When it is exploited it leads to the leak of memory contents from the server to the client and from the client to the server.
§ According to Netcraft's April 2014 Web Server Survey of 958,919,789 websites, the combined market share of Apache and nginx products on the Internet was over 66%.
But There’s a Patch, Right?
§ This vulnerability was first included in OpenSSL release 1.0.1 on 14th of March 2012. OpenSSL 1.0.1g, released on 7th of April 2014, fixes the issue.
§ Affected Systems: OpenSSL versions 1.0.1 to 1.0.1f
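The length check that separates the leaking versions from 1.0.1g, as an added example in C (not OpenSSL's own code; the record layout follows RFC 6520, and the constants and sample records are constructed here):

```c
/* Added example, not OpenSSL's own code: a heartbeat handler with the
 * Heartbleed bounds check. RFC 6520 record: type (1 byte) | payload_length
 * (2 bytes, big-endian) | payload | padding (>= 16 bytes). The unpatched
 * handler trusted payload_length and copied that many bytes into the reply,
 * so a tiny record claiming 0xFFFF echoed up to 64 KB of adjacent process
 * memory. 1.0.1g checks the claimed length against the record's real length. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define HB_REQUEST     1
#define HB_RESPONSE    2
#define HB_MIN_PADDING 16

/* Returns the response length, or -1 when the record must be silently
 * discarded (RFC 6520 section 4). */
long build_heartbeat_response(const uint8_t *rec, size_t rec_len,
                              uint8_t *out, size_t out_cap)
{
    if (rec_len < 1 + 2 + HB_MIN_PADDING)      /* header + padding must fit */
        return -1;
    if (rec[0] != HB_REQUEST)
        return -1;
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    /* The check the fix added: payload plus padding must lie inside the
     * bytes actually received, otherwise memcpy reads past the record. */
    if (1 + 2 + claimed + HB_MIN_PADDING > rec_len)
        return -1;
    size_t resp_len = 1 + 2 + claimed + HB_MIN_PADDING;
    if (resp_len > out_cap)
        return -1;
    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(claimed >> 8);
    out[2] = (uint8_t)(claimed & 0xff);
    memcpy(out + 3, rec + 3, claimed);            /* echo only received bytes */
    memset(out + 3 + claimed, 0, HB_MIN_PADDING); /* OpenSSL uses random padding */
    return (long)resp_len;
}

/* Constructed sample records (not captured traffic): a well-formed request,
 * and one that claims 65535 payload bytes but carries a single byte. */
static const uint8_t SAMPLE_GOOD[23] = { HB_REQUEST, 0x00, 0x04, 'p', 'i', 'n', 'g' };
static const uint8_t SAMPLE_BAD[19]  = { HB_REQUEST, 0xFF, 0xFF, 'x' };
static uint8_t hb_out[128];
int main(void)
{
    printf("good -> %ld\n", build_heartbeat_response(SAMPLE_GOOD, sizeof SAMPLE_GOOD, hb_out, sizeof hb_out));
    printf("bad  -> %ld\n", build_heartbeat_response(SAMPLE_BAD, sizeof SAMPLE_BAD, hb_out, sizeof hb_out));
    return 0;
}
```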
Isn’t It Hard to Exploit?
Metasploit: Easy as pulling a trigger.
Source: http://www.smosh.com/smosh-pit/lists/12-monkeys-guns
Here, We Have a Secure Website
Fire Up a VM of Kali Linux and Try It Out
And We Have Leaked Data
So How Bad Is It?
How Bad Can It Really Get?
Retrieved Private Key
What Can We Do With This?
§ Steal session details and spoof users
§ Steal usernames and passwords
§ Steal cryptographic keys
• Man-in-the-middle attacks
• Spoofed website with valid SSL keys
• Spear Phishing Attack
Data Theft
An Overlooked Data Security Risk
Databases and file servers, both repositories of so much valuable information, are targeted regularly…
• Admins unknowingly make unsupported database changes.
• Malware-compromised insiders access the database.
• Unpatched vulnerabilities allow exploit vectors.
Source: 2014 Verizon Data Breach Investigations Report
Protecting Your Data
§ “the high number of incidents still offers some insight … where the victim’s anti-virus (AV) and intrusion prevention system (IPS) shields could not repel firepower of that magnitude”
Enterprise Security Is Evolving
1st pillar: Endpoint Security – blocks threats targeting devices
2nd pillar: Network Security – blocks threats trying to access the network
3rd pillar: Data Center Security – protects high-value targets, keeping them both secure and accessible
Imperva provides the third pillar of enterprise security
Mitigation
Protecting Your Data From Known Vulnerabilities
Heartbleed Specific
§ Test all servers for vulnerability
§ Patch all affected servers
§ Reissue new certificates
§ Revoke all old certificates
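A first-pass inventory check for the "test all servers" step, as an added example that is not from the webinar; it assumes version strings in the form printed by `openssl version` and uses the affected range the slides state (1.0.1 through 1.0.1f, fixed in 1.0.1g):

```c
/* Added example, not from the webinar: classify an OpenSSL version string
 * (as printed by `openssl version`) against the affected range the slides
 * give, 1.0.1 through 1.0.1f, fixed in 1.0.1g. Caveat: distributions that
 * backported the fix keep the old version string, so a hit here means
 * "verify with the package changelog or a live test", not "vulnerable". */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

enum hb_status { HB_NOT_AFFECTED = 0, HB_AFFECTED = 1, HB_UNPARSEABLE = 2 };

/* Parses "MAJOR.MINOR.FIX[letter]"; an optional "OpenSSL " prefix is skipped
 * and anything after the letter (e.g. "-fips 11 Feb 2013") is ignored. */
static int parse_openssl_version(const char *s, int *maj, int *min, int *fix,
                                 char *letter)
{
    int n = 0;
    if (strncmp(s, "OpenSSL ", 8) == 0)
        s += 8;
    if (sscanf(s, "%d.%d.%d%n", maj, min, fix, &n) != 3 || n == 0)
        return 0;
    *letter = islower((unsigned char)s[n]) ? s[n] : 0;
    return 1;
}

enum hb_status heartbleed_status(const char *version)
{
    int maj, min, fix;
    char letter;
    if (!parse_openssl_version(version, &maj, &min, &fix, &letter))
        return HB_UNPARSEABLE;
    if (maj != 1 || min != 0 || fix != 1)   /* 0.9.8 and 1.0.0 are outside the range */
        return HB_NOT_AFFECTED;
    /* 1.0.1 with no letter, or 1.0.1a through 1.0.1f, is affected. */
    return (letter == 0 || letter <= 'f') ? HB_AFFECTED : HB_NOT_AFFECTED;
}

int main(void)
{
    /* Constructed inventory lines, not real hosts. */
    const char *inventory[] = { "OpenSSL 1.0.1e-fips 11 Feb 2013", "1.0.1g",
                                "0.9.8y", "1.0.0m", "unknown" };
    static const char *label[] = { "not affected", "AFFECTED: verify and patch",
                                   "unparseable" };
    for (size_t i = 0; i < sizeof inventory / sizeof inventory[0]; i++)
        printf("%-34s %s\n", inventory[i], label[heartbleed_status(inventory[i])]);
    return 0;
}
```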
Source: http://www.secnews.gr/archives/78340
Locate and Assess Servers and Apps
§ Scan your network to identify all assets (cloud and local)
• Classify assets by information and brand sensitivity to identify high risk landscapes
• Prioritize efforts based on risk levels
§ Secure Database Access
• Scan DBs for vulnerabilities or configuration flaws
• Remove any default or unnecessary user accounts
• Disable unneeded services
Perform Vulnerability Assessments
§ Perform Vulnerability Assessments
• Scan both Network and Application Layers
• Scan all known Web Assets
• Scan Concurrently and Continuously
• Analyze application functionality for DDoS attack potential and Business Logic based exploits
• Implement assessment practice across the entire SDLC
Design → Development → QA → Production
Block Web Attacks and Attack Sources
§ Web attacks like SQL injection, cross-site scripting, directory traversal, and CSRF
§ HTTP protocol violations like extremely long URLs and malformed Apache URI messages
§ Malicious sources that have attacked other sites
§ Known desktop scanners and hacker tools like Nikto and Paros, based on user agent or the frequency of security violations
Learn more www.imperva.com