Common System Exploits
Tom Chothia, Computer Security, Lecture 19 (slides from cs.bham.ac.uk)
Common Attacks and Defense
• Common attacks on networks.
• Common defenses.
• Cyber Security Policy
– PCI-DSS
– ISO 27001
A Typical Business Network
(diagram: Wi-Fi, Comp1, Comp2, Web Server, E-mail Server, Database, SSH/RDP, Web Proxy, …, NAT)
Some Common Attack Vectors
• Attacks on Web Page
• Attacks from incoming e-mail
• Attacks on all servers
• Local attacks via wi-fi
• Insider attacks.
Check for default/common logins
• Are any services using the default passwords?
• e.g. ssh is used for remote login (port 22).
• The default password for jailbroken iPhones was “alpine” (big attack on iPhones 3 years ago).
Known Memory Exploits
• Memory based attacks on services.
– E.g. using Metasploit
• New, unknown exploits (“zero days”) are very rare!
• You are much more likely to be attacked via a known exploit than a new one.
Phishing Sites
• Phishers set up fake look-alike sites.
• Send spam asking the user to connect.
• Redirection by other malware.
• http://www.phishtank.com
Viruses & Worms
• A virus is a self-replicating program that requires interaction to spread, e.g.
– autorun.inf on a USB stick.
– opening a malware PDF.
• Worms are self-replicating programs that can spread on their own. E.g.
– Morris Worm, SQL Slammer, Conficker
• The term “virus” is often misused.
Virus: Pentagon Attack
• Joel Brenner (ex-NSA) alleges that the Pentagon was attacked via USB drives left in the car park.
• Employees found them, took them inside and plugged them in.
• autorun.inf ran malware.
• Pentagon superglued up all the USB ports. (USB drives banned until 2011)
Trojans
• Trojans are malware that need a user to download and run them.
• Often malware pretends to be keygens or anti-virus.
• Most attacks against Apple have been Trojans.
Web Attacks Against the Server
• SQL injection: the most common!
• Many other kinds of injection: PHP, shell, …
• Usually leads to data leakage from the database, DoS, or a defaced website.
Web Attacks Against the Client
• Drive-by-downloads are one of the biggest sources of malware.
• Viewing a page with a vulnerable browser and OS will get you infected.
• Often JavaScript based, via XSS.
• Can give the attacker complete control of your computer.
Attacks: Insiders
• Businesses need to consider attacks from their employees.
– E.g. Terry Childs, sys. admin. for the city of San Francisco, refused to give supervisors the system passwords, saying they were "unqualified". City locked out for 12 days.
– Bradley Manning, Wikileaks.
• Separation of powers, background checks, keep staff happy, fire them quickly, …
Defenses: Firewalls
• Firewalls block Internet traffic.
• May be on the computer (host) or built into a router (network).
• Firewalls can be stateless or stateful.
• Stateless firewalls could e.g. block all traffic not on port 80.
Defenses: Firewalls
• Stateful firewalls record the traffic and use it to make future decisions.
• E.g. block incoming connections but allow outgoing connections.
• Can’t firewall services used by the outside world.
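To make the stateless/stateful distinction on these two slides concrete, here is an added Python simulation (not from the lecture) of both policies: the stateless filter judges each packet alone by whether port 80 is involved, while the stateful one records connections opened from inside and lets only their replies back in. The 10.0.0.0/8 internal range and the sample packets are constructed for the demo.

```python
from ipaddress import ip_address, ip_network

# Assumed internal address range for the demo (not from the slides).
INSIDE = ip_network("10.0.0.0/8")
WEB_PORT = 80   # the one service that must stay reachable from outside


def is_inbound(pkt):
    """True if the packet comes from outside the protected network."""
    return ip_address(pkt["src"]) not in INSIDE


def stateless_allow(pkt):
    """Stateless rule from the slides: drop all traffic not on port 80.

    Every packet is judged alone; the filter keeps no record of connections,
    so it cannot tell a reply to our own outbound request from a new probe.
    """
    return WEB_PORT in (pkt["sport"], pkt["dport"])


class StatefulFirewall:
    """Stateful rule from the slides: block incoming connections, allow
    outgoing ones, and keep the web server reachable."""

    def __init__(self):
        self.outbound = set()   # 4-tuples of connections opened from inside

    def allow(self, pkt):
        key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        if not is_inbound(pkt):
            self.outbound.add(key)          # remember it so the reply gets in
            return True
        if pkt["dport"] == WEB_PORT:        # the exposed web service
            return True
        reverse = (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
        return reverse in self.outbound     # reply to our own connection?


def run_scenario():
    """Constructed traffic; returns (stateless, stateful) verdicts per packet."""
    fw = StatefulFirewall()
    traffic = [
        {"src": "10.0.0.5", "sport": 40001, "dst": "203.0.113.9", "dport": 443},  # Comp1 browses HTTPS
        {"src": "203.0.113.9", "sport": 443, "dst": "10.0.0.5", "dport": 40001},  # the HTTPS reply
        {"src": "198.51.100.7", "sport": 51000, "dst": "10.0.0.5", "dport": 22},  # unsolicited ssh probe
        {"src": "198.51.100.7", "sport": 51001, "dst": "10.0.0.8", "dport": 80},  # visitor to the web server
    ]
    return [(stateless_allow(p), fw.allow(p)) for p in traffic]


if __name__ == "__main__":
    for stateless, stateful in run_scenario():
        print("stateless:", "ALLOW" if stateless else "DROP",
              " stateful:", "ALLOW" if stateful else "DROP")
```

The naive "only port 80" stateless rule also drops the inside host's own HTTPS reply; connection tracking is what makes "allow outgoing, block incoming" expressible at all.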
A Typical Firewall Policy
(diagram: Wi-Fi, Comp1, Comp2, Web Server, E-mail Server, Database, …, Credit Card Processing, DMZ, NAT, Proxy)
Defenses: Fast Patches
• Most important of all.
• Make sure all security patches are installed immediately.
• There is almost always a patch to stop any well known exploit.
Defenses: Anti-Virus
• Anti-Virus products scan the computer for known malware.
• Can also scan e-mail and network traffic.
• Only as good as the last update.
• Can be disabled by an attacker with admin access.
Defenses: Intrusion Detection Systems
• A good system administrator will monitor their network.
• IDSs look at all packets (like Wireshark) and report suspicious behavior.
• Can catch nmap and Metasploit.
• E.g. Snort: www.snort.org
Top Defenses:
1. Apply patches
2. Firewall
3. Anti-Virus
4. Intrusion Detection Systems
5. Check file hashes
6. Good password and user policies
The first 2 should be fine for Linux or Mac, the first 3 for Windows. All 6 if you are a sys. admin.
Computer Security Policy
• NIST defines “Policy” as documentation of computer security decisions.
• It’s all about the documentation.
• Usually the needs of the business come first, security comes second.
• See example policies: http://www.sans.org/security-resources/policies/computer.php
It’s all about the documentation
Payment Card Industry Data Security Standard (PCI-DSS)
• All organisations that handle credit card data should comply with the PCI-DSS standard.
• Card payments could be refused for a non-compliant organisation.
– In practice, most of the time, a non-compliant organisation will only get into trouble if there is a problem or an audit.
A Typical Business Network
(diagram: Wi-Fi, Comp1, Comp2, Web Server, E-mail Server, Database, …, Credit Card Processing, DMZ, Payment Gateway e.g. Authorize.net, NAT, Proxy)
Information Security Management System
• An ISMS must be continually monitored.
– Reports of new faults, IDS monitoring, patch policy.
• If an organisation’s activities shift, the ISMS will need an update.
• Maybe the first ISMS missed something. It needs to be regularly reviewed.
ISO 27001
• ISO 27001 is the international standard on how to do an ISMS.
• It provides a guide for what companies need to do.
• It can be audited, so an organisation can prove to others that it has an ISMS.
Getting ISOs
You have to pay for copies of ISO standards … but you can get them for free via the University.
Go to the Library webpage: www.elibrary.bham.ac.uk -> Log in -> Find Resources -> Find by Type -> Standards and Patents then GO -> British Standards Online -> Search for ISO 27001
(figure) Taken from ISO 27001
Establish the ISMS
Define the organisation, e.g.
• What it does.
• The scope of the ISMS
– What’s in it and what’s not.
• Assets
Identify the risks
• Identify the assets within the scope of the ISMS & their owners.
• Identify the threats to each of those assets.
• Identify the vulnerabilities that might be exploited.
• Identify the impact of loss of each asset
– Is it confidentiality, integrity and/or availability?
Example: Purchase history
If purchase history is an asset, we can consider the threats to it:
– Lost, Corrupted, Out of date, Stolen
And the possible vulnerabilities:
– Bugs in the records system, SQL injection vulnerabilities, faulty access control, malicious/incompetent staff, fire, flood etc.
Impact:
Estimate the impact of the threats. Very hard to know when this is correct; important to continually review this.

| Records affected | Lost | Corrupted | Out of date | Stolen |
|---|---|---|---|---|
| Single record | 2 | 3 | 1 | 5 |
| Less than 50% | 4 | 5 | 2 | 6 |
| 50%-100% | 5 | 6 | 4 | 6 |
Likelihood
On a scale of 1 to 10, how likely are the vulnerabilities? E.g. for data corruption:

| Bugs | SQL | Hackers | Insider | Fire | Flood |
|---|---|---|---|---|---|
| 2 | 3 | 4 | 5 | 4 | 1 |

Other good measures include:
– Probability
– Events per year
Based on history and good guesswork.
Risk
• Risk depends on the likelihood and the impact.
• This depends on the risk assessment methodology.
• For levels of 1 to 10 we can say that:
Risk = Impact x Likelihood
• Another good option is expected cost per year.
Risks
For a large amount of customer data:

| | Out of date | Lost | Corrupted | Stolen |
|---|---|---|---|---|
| Flood | - | 5 | - | - |
| Bugs | 16 | 10 | 12 | - |
| SQL injection | 12 | 15 | 18 | 18 |
| Hackers | 10 | 16 | 16 | 24 |
| Fire | - | 20 | - | - |
| Insiders | 20 | 25 | 30 | 30 |
Treating the Risk:
• Avoid it
– Take steps to stop it happening.
• Mitigate it
– Take steps to make the impact less serious.
• Transfer it
– Make someone else responsible.
• Accept it
– Decide to live with it.
For example
• Loss of data
– Avoid by not collecting data.
• Stolen data
– Mitigate this by encrypting stored data.
• Data destroyed by fire
– Transfer it using fire insurance.
• Main and backup disks fail at the same time
– Accept; probability of this = 0.0000001%.
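The Impact, Likelihood, Risk and Risks slides above are one procedure; here it is carried through in Python as an added example (not from the lecture). The scores are copied from the Likelihood slide and the 50%-100% row of the Impact slide, and Risk = Impact x Likelihood then reproduces the SQL injection, Insiders, Fire and Flood rows of the Risks slide; the "accept" case reuses the disk-failure probability from the slide with an assumed £1,000,000 loss to show the expected-cost-per-year measure.

```python
# Added example (not from the lecture): Risk = Impact x Likelihood applied to
# the purchase-history example. Scores copied from the Likelihood slide and
# the 50%-100% row of the Impact slide.

LIKELIHOOD = {   # 1-10, how likely each vulnerability is to be exploited
    "Bugs": 2, "SQL injection": 3, "Hackers": 4,
    "Insiders": 5, "Fire": 4, "Flood": 1,
}
IMPACT = {       # 1-10, impact on a large amount (50%-100%) of the records
    "Out of date": 4, "Lost": 5, "Corrupted": 6, "Stolen": 6,
}
# Which threats each vulnerability can realise; the "-" cells on the Risks
# slide are treated as not applicable (fire and flood only destroy data).
APPLIES = {
    "Bugs": ["Out of date", "Lost", "Corrupted"],
    "SQL injection": ["Out of date", "Lost", "Corrupted", "Stolen"],
    "Hackers": ["Out of date", "Lost", "Corrupted", "Stolen"],
    "Insiders": ["Out of date", "Lost", "Corrupted", "Stolen"],
    "Fire": ["Lost"],
    "Flood": ["Lost"],
}


def risk_matrix(likelihood=LIKELIHOOD, impact=IMPACT, applies=APPLIES):
    """Return {vulnerability: {threat: risk}} with Risk = Impact x Likelihood."""
    return {v: {t: impact[t] * likelihood[v] for t in threats}
            for v, threats in applies.items()}


def ranked_risks(matrix):
    """Flatten the matrix, highest risk first: the order to treat them in."""
    cells = [(risk, v, t) for v, row in matrix.items() for t, risk in row.items()]
    return sorted(cells, key=lambda c: c[0], reverse=True)


def expected_annual_cost(probability_per_year, cost_if_it_happens):
    """The slides' alternative measure: expected cost per year."""
    return probability_per_year * cost_if_it_happens


def format_table(matrix, threats=("Out of date", "Lost", "Corrupted", "Stolen")):
    """Render the matrix like the Risks slide, with '-' for n/a cells."""
    lines = ["{:14}".format("") + "".join("{:>12}".format(t) for t in threats)]
    for v, row in matrix.items():
        lines.append("{:14}".format(v) +
                     "".join("{:>12}".format(row.get(t, "-")) for t in threats))
    return "\n".join(lines)


if __name__ == "__main__":
    m = risk_matrix()
    print(format_table(m))
    print("treat first:", ranked_risks(m)[:3])
    # "Accept" example from the slide: both disks fail at once, probability
    # 0.0000001% = 1e-9 per year; the £1,000,000 loss is an assumption.
    print("expected cost/year:", expected_annual_cost(1e-9, 1_000_000))
```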
Final Steps:
• Specify the controls, i.e. mitigation and avoidance techniques.
• Obtain management approval
– of accepted risks and the overall ISMS.
• Prepare a statement of applicability, i.e. an overview of the ISMS.
Assurance
ISOs give some assurance to other organisations that your organisation is secure.
Common Attacks and Defense
• Common attacks on networks.
• Common defenses.
• Cyber Security Policy
– PCI-DSS
– ISO 27001