bleeding servers – how hackers are exploiting known vulnerabilities


Upload: imperva

Post on 06-May-2015


DESCRIPTION

Today’s hackers ruthlessly target Common Vulnerabilities and Exposures (CVEs) to launch multi-site attacks that take control of Web servers and allow their perpetrators to flee with valuable data assets. HeartBleed stands as the most notorious example of a known vulnerability attack, but with a CVE database running in the thousands, attackers have ample opportunity to profit from insecure Web applications. This presentation will:

- Discuss the latest data breach stats to identify where the most dangerous attacks are coming from
- Explore the attack perpetrators and reveal how they’re being successful
- Present the anatomy of a HeartBleed attack
- Provide mitigation techniques to protect against known vulnerabilities

TRANSCRIPT

Page 1: Bleeding Servers – How Hackers are Exploiting Known Vulnerabilities

© 2014 Imperva, Inc. All rights reserved.

Bleeding Servers – How Hackers Are Exploiting Known Vulnerabilities

Confidential 1

Terry Ray, VP of Global Security Engineering, Imperva

Page 2: Agenda

§ Latest Verizon Data Breach Investigation Report (DBIR) Stats
§ Examining Vulnerabilities and Exploits
§ HeartBleed Deep-Dive
§ Understanding Data Theft
§ Mitigating HeartBleed and CVEs

Page 3: Terry Ray, VP of Global Security Engineering

§ Speaker at Industry Events
• ISSA, IANS, ISACA, Gartner, RSA

§ Designed and deployed data security solutions for hundreds of customers in various verticals including:
• Healthcare
• Oil and gas
• Financial services
• Government
• eCommerce

§ Lectured on various network and data security topics and taught numerous security courses in over 35 countries globally

Page 4: Latest Breach Statistics

Yay! A New Verizon DBIR to Talk About

Page 5: The Big Winners

Pages 6–8: The Big Winners (continued)

Page 9: Actual Data Loss – Breach vs Incident

Page 10: Who’s Attacking – Hacktivists vs Criminals

§ “Greed takes a back seat to ideology when it comes to web app attacks in the 2013 dataset”

§ “74% [of ideology motivated attacks] focus on tried and true exploits”
• Adobe PDF with embedded exe – 4 years old
• Microsoft server stack corruption – 6 years old
• Microsoft RPC DCOM bug (MS03-026) – a staggering 10 years old; you might remember it as Blaster
• All still in the wild

Page 11: How You Find Out That You’ve Been Hacked

§ Financially motivated – discovered by customers
§ Hacktivists – discovered by external sources
• “uhh, hey guys, did you know that your webserver is attacking us”
§ But we’re getting better at detecting breaches ourselves
• 9%

Page 12: CVEs Explored

Page 13: Stay On Top of Vulnerabilities

§ The Common Vulnerabilities and Exposures (CVE) system provides a reference method for publicly known information-security vulnerabilities and exposures.
§ http://cve.mitre.org/cve/

Page 14: Classic Web Site Hacking

Hacking
1. Identify Target
2. Find Vulnerability
3. Exploit

Single Site Attack

Page 15: Classic Web Site Hacking

Hacking (the same cycle, repeated once per target site)
1. Identify Target
2. Find Vulnerability
3. Exploit

Multiple Site Attacks

Page 16: Exploit Hacking

Hacking
1. Identify CVE
2. Weaponize Vulnerability
3. Exploit

Vulnerability Targeting Attack

Page 17: The Attacker’s Focus

Server Takeover

Direct Data Theft

Source: http://www.mediabistro.com/fishbowldc/suspended-politico-scribe-hacked_b76882

Source: http://www.connectmidmissouri.com/news/story.aspx?id=600968

Page 18: HeartBleed

Source: http://thequestionconcerningtechnology.blogspot.com/

Page 19: What Is It and Why Do We Care?

§ The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library.
§ When it is exploited, it leaks memory contents from the server to the client and from the client to the server.
§ According to Netcraft's April 2014 Web Server Survey of 958,919,789 websites, the combined market share of Apache and nginx products on the Internet was over 66%.
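The leak on this slide comes from a single missing length check in OpenSSL's TLS heartbeat handling. The following added example (written for this page, not OpenSSL's own code) reproduces it in a constructed memory arena: the vulnerable handler trusts the 16-bit payload length the peer supplies and copies that many bytes back, reading past the 20-byte record into adjacent data, while the fixed handler applies the bounds check that 1.0.1g added and silently drops the request. The arena layout, the secret string and the 64-byte claim are all constructed for the demonstration.

```c
#include <stdint.h>
#include <string.h>
#define ARENA_SIZE 128   /* constructed stand-in for process memory */
#define HB_HDR 3         /* 1 byte type + 2 byte payload length */
#define HB_PAD 16        /* minimum padding a heartbeat must carry */

/* Place a heartbeat request at the start of mem (type 1, claimed payload length,
 * one real byte, 16 zero padding bytes) followed by a secret that happens to sit
 * next to it. Returns the record length as actually received. */
size_t build_arena(uint8_t *mem, uint16_t claimed_len, const char *secret) {
    size_t rec_len = HB_HDR + 1 + HB_PAD;           /* 20 bytes on the wire */
    memset(mem, 0, ARENA_SIZE);
    mem[0] = 1;
    mem[1] = (uint8_t)(claimed_len >> 8);
    mem[2] = (uint8_t)(claimed_len & 0xff);
    mem[3] = 'A';
    memcpy(mem + rec_len, secret, strlen(secret));  /* adjacent leftover data */
    return rec_len;
}

/* Vulnerable (1.0.1 .. 1.0.1f): copies the attacker-supplied length; rec_len
 * is never consulted. Caller keeps HB_HDR + claimed_len inside the arena. */
size_t heartbeat_vulnerable(const uint8_t *rec, size_t rec_len, uint8_t *out) {
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    (void)rec_len;
    memcpy(out, rec + HB_HDR, payload);             /* reads past the record */
    return payload;
}

/* Fixed (1.0.1g): discard unless header + claimed payload + padding fit in rec_len. */
size_t heartbeat_fixed(const uint8_t *rec, size_t rec_len, uint8_t *out) {
    uint16_t payload;
    if (rec_len < HB_HDR + HB_PAD) return 0;
    payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if (HB_HDR + (size_t)payload + HB_PAD > rec_len) return 0;
    memcpy(out, rec + HB_HDR, payload);
    return payload;
}

/* Returns 1 when a 64-byte claim makes the vulnerable handler echo the secret,
 * the fixed handler drops it, and the fixed handler still serves an honest 1-byte claim. */
int demonstrate(void) {
    uint8_t mem[ARENA_SIZE], out[ARENA_SIZE];
    const char *secret = "session=CONSTRUCTED_SAMPLE_TOKEN";  /* constructed */
    size_t rec_len = build_arena(mem, 64, secret);
    size_t leaked = heartbeat_vulnerable(mem, rec_len, out);
    int echoed = memcmp(out + rec_len - HB_HDR, secret, strlen(secret)) == 0;
    int dropped = heartbeat_fixed(mem, rec_len, out) == 0;
    build_arena(mem, 1, secret);                    /* honest 1-byte claim */
    return leaked == 64 && echoed && dropped && heartbeat_fixed(mem, rec_len, out) == 1;
}
```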

Page 20: But There’s a Patch, Right?

§ This vulnerability was first included in OpenSSL release 1.0.1 on 14th of March 2012. OpenSSL 1.0.1g, released on 7th of April 2014, fixes the issue.
§ Affected Systems: OpenSSL versions 1.0.1 to 1.0.1f

Page 21: Isn’t It Hard to Exploit?

Metasploit: Easy as pulling a trigger.

Source: http://www.smosh.com/smosh-pit/lists/12-monkeys-guns

Page 22: Here, We Have a Secure Website

Page 23: Fire Up a VM of Kali Linux and Try It Out

Page 24: And We Have Leaked Data

Page 25: So How Bad Is It?

Page 26: How Bad Can It Really Get?

Page 27: Retrieved Private Key

Page 28: What Can We Do With This?

§ Steal session details and spoof users
§ Steal username and passwords
§ Steal cryptographic keys
• Man-in-the-middle attacks
• Spoofed website with valid SSL keys
• Spear Phishing Attack

Page 29: Data Theft

Page 30: An Overlooked Data Security Risk

Databases and file servers, both repositories of so much valuable information, are targeted regularly… Admins unknowingly make unsupported database changes. Malware-compromised insiders access the database. Unpatched vulnerabilities allow exploit vectors.

2014 Verizon Data Breach Investigations Report

Page 31: Protecting Your Data

§ “the high number of incidents still offers some insight … where the victim’s anti-virus (AV) and intrusion prevention system (IPS) shields could not repel firepower of that magnitude”

Page 32: Enterprise Security Is Evolving

1st pillar: Endpoint Security – Blocks threats targeting devices
2nd pillar: Network Security – Blocks threats trying to access the network
3rd pillar: Data Center Security – Protects high-value targets, keeping them both secure and accessible

Imperva provides the third pillar of enterprise security

Page 33: Mitigation

Protecting Your Data From Known Vulnerabilities

Page 34: Heartbleed Specific

§ Test all servers for vulnerability
§ Patch all affected servers
§ Reissue new certificates
§ Revoke all old certificates

Source: http://www.secnews.gr/archives/78340
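The first step on this slide, testing every server, starts with an inventory triage. The added example below (mine, not Imperva's or OpenSSL's) decides from an OpenSSL version string whether a build falls in the affected range stated on page 20, 1.0.1 through 1.0.1f, with 1.0.1g and later treated as fixed; the host names and banners are constructed. One caveat for practitioners: some distributions backport the fix without changing the version string, so a hit here is a candidate to verify, not a confirmed exposure.

```c
#include <string.h>
#include <ctype.h>

/* True when c ends a version token such as "1.0.1e" or "1.0.1e-fips". */
static int token_end(char c) {
    return c == '\0' || c == ' ' || c == '\t' || c == '-' || c == '\n';
}

/* Returns 1 if ver names an OpenSSL build in the affected range stated on the
 * slide (1.0.1 .. 1.0.1f), 0 for 1.0.1g and later, other branches, or junk.
 * Accepts banners like "OpenSSL 1.0.1c 10 May 2012" as well as bare versions. */
int heartbleed_version_exposed(const char *ver) {
    const char *p = strstr(ver, "1.0.1");
    if (p == NULL) return 0;
    /* the match must start a token: "11.0.1" or "2.1.0.1" do not count */
    if (p != ver && (isdigit((unsigned char)p[-1]) || p[-1] == '.')) return 0;
    if (token_end(p[5])) return 1;                  /* bare 1.0.1 */
    if (p[5] >= 'a' && p[5] <= 'f') return token_end(p[6]);
    return 0;                                       /* 1.0.1g+, 1.0.10, ... */
}

typedef struct { const char *host; const char *banner; } host_entry;

/* Constructed inventory, as a scan might collect it. */
static const host_entry inventory[] = {
    { "web-01", "OpenSSL 1.0.1e 11 Feb 2013" },
    { "web-02", "OpenSSL 1.0.1g 7 Apr 2014" },
    { "api-01", "1.0.1" },
    { "lb-01",  "OpenSSL 0.9.8y 5 Feb 2013" },
    { "vpn-01", "1.0.1f-fips" },
    { "db-01",  "OpenSSL 1.0.2-beta1" },
};
#define INVENTORY_LEN (sizeof inventory / sizeof inventory[0])

/* Counts hosts that need the patch, reissue, revoke sequence and, when
 * out_hosts is not NULL, stores their names (at least INVENTORY_LEN slots). */
int triage_inventory(const char **out_hosts) {
    int n = 0;
    for (size_t i = 0; i < INVENTORY_LEN; i++)
        if (heartbleed_version_exposed(inventory[i].banner)) {
            if (out_hosts) out_hosts[n] = inventory[i].host;
            n++;
        }
    return n;
}
```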

Page 35: Locate and Assess Servers and Apps

§ Scan your network to identify all assets (cloud and local)
• Classify assets by information and brand sensitivity to identify high risk landscapes
• Prioritize efforts based on risk levels

§ Secure Database Access
• Scan DBs for vulnerabilities or configuration flaws
• Remove any default or unnecessary user accounts
• Disable unneeded services

Page 36: Perform Vulnerability Assessments

§ Perform Vulnerability Assessments
• Scan both Network and Application Layers
• Scan all known Web Assets
• Scan Concurrently and Continuously
• Analyze application functionality for DDoS attack potential and Business Logic based exploits
• Implement assessment practice across the entire SDLC: Design → Development → QA → Production

Page 37: Block Web Attacks and Attack Sources

• Web attacks like SQL injection, cross-site scripting, directory traversal, and CSRF
• HTTP protocol violations like extremely long URLs and malformed Apache URI messages
• Malicious sources that have attacked other sites
• Known desktop scanners and hacker tools like Nikto and Paros, identified by user agent or by the frequency of security violations
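One concrete way to apply the last bullet, as an added example that is not taken from the deck or from any Imperva product: the rules below run over a constructed WAF-style event log, flag any source whose user agent carries a scanner name from the slide, and flag any source that accumulates three or more security violations. The log lines, the three-violation threshold and the line format are all assumptions made for the demonstration.

```c
#include <stdio.h>
#include <string.h>
#define MAX_SOURCES 16
#define VIOLATION_THRESHOLD 3   /* assumed policy: block after 3 violations */

/* Constructed sample log: "<client-ip> <user-agent-token> <violation-or-ok>" */
static const char *sample_log[] = {
    "203.0.113.7 Mozilla/5.0 ok",
    "203.0.113.7 Mozilla/5.0 sqli",
    "198.51.100.4 Nikto/2.1.5 ok",
    "203.0.113.7 Mozilla/5.0 xss",
    "203.0.113.7 Mozilla/5.0 traversal",
    "192.0.2.9 Mozilla/5.0 sqli",
};
#define SAMPLE_LEN (sizeof sample_log / sizeof sample_log[0])
/* Scanner user-agent markers named on the slide. */
static const char *tool_markers[] = { "Nikto", "Paros" };
typedef struct { char ip[40]; int violations; int tool_ua; } source_t;

static source_t *find_or_add(source_t *srcs, int *n, const char *ip) {
    for (int i = 0; i < *n; i++)
        if (strcmp(srcs[i].ip, ip) == 0) return &srcs[i];
    if (*n == MAX_SOURCES) return NULL;
    memset(&srcs[*n], 0, sizeof srcs[*n]);
    strncpy(srcs[*n].ip, ip, sizeof srcs[*n].ip - 1);
    return &srcs[(*n)++];
}

/* Block decision for one source: known tool, or too many violations. */
int should_block(const source_t *s) {
    return s->tool_ua || s->violations >= VIOLATION_THRESHOLD;
}

/* Aggregates lines per source IP into srcs (MAX_SOURCES slots, *nsrc used)
 * and returns how many sources should be blocked. */
int evaluate_log(const char **lines, size_t count, source_t *srcs, int *nsrc) {
    char ip[40], agent[64], verdict[32];
    int blocked = 0;
    *nsrc = 0;
    for (size_t i = 0; i < count; i++) {
        if (sscanf(lines[i], "%39s %63s %31s", ip, agent, verdict) != 3) continue;
        source_t *s = find_or_add(srcs, nsrc, ip);
        if (s == NULL) break;
        if (strcmp(verdict, "ok") != 0) s->violations++;
        for (size_t t = 0; t < 2; t++)
            if (strstr(agent, tool_markers[t])) s->tool_ua = 1;
    }
    for (int i = 0; i < *nsrc; i++) blocked += should_block(&srcs[i]);
    return blocked;
}
```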

Page 38: Webinar Materials

Post-Webinar Discussions

Answers to Attendee Questions

Webinar Recording Link

Join Imperva LinkedIn Group, Imperva Data Security Direct, for…

Page 39: Learn more

www.imperva.com