Threat Management: Case studies of threats that have occurred and how to be prepared for them

Post on 26-Dec-2015


Page 1: Threat Management Case studies of threats that have occurred and how to be prepared for them Presented by Kunal Bansal kbansal@cs.odu.edu

Threat Management

Case studies of threats that have occurred and how to be prepared for them

Presented by

Kunal Bansal

kbansal@cs.odu.edu

Page 2

Threat Management and its Implications

Introduction

Constraints in software due to budget, time and resources pose a problem for applications.

Threat management and analysis are usually ignored till the “last minute” or until a breach occurs.

Thwarting threats requires detailed modeling involving identification of scenarios, threats and vulnerabilities, along with measures to counter them.

There is no single good measure to effectively root out all threats.

Page 3

Anatomy of an attack

The fundamental steps an attacker initiates against a web application consist of survey (and analysis), exploitation and penetration, escalation of privileges, maintaining access (for self use) and denying access to others.

Page 4

Application Overview

Key steps which can be taken in identifying risks associated with threats for an application are

1. Identification of Security Objectives

2. Creation of overview and attack trees

3. Decentralizing the application

4. Identification of threats for the model

5. Identification of vulnerabilities

Page 5

Security Objectives

Assets include data stored in databases or data that is part of a system resource.

Threats are those things which can harm assets.

A vulnerability can be described as a weakness exploited by a threat.

An action is a measure taken to harm an asset based on its vulnerability.

Countermeasures are the measures taken to protect assets against threats and thwart the actions of an individual.

(Microsoft Strategy)

Page 6

Attack Trees

Concept invented by Bruce Schneier.

Consists of one root, leaves and children.

Child nodes are conditions whose satisfaction makes the parent node true; when the root condition is satisfied, the attack is complete.

Most effective way to mitigate an attack is to stop it at the root.

Desk – Computer example
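The evaluation the slide describes (children are conditions, a satisfied root means a completed attack, a countermeasure denies a condition) can be made concrete with a small evaluator. The following is an added example, not code from the presentation; the desk/computer tree it builds is a constructed stand-in for the slide's figure, and the node names are hypothetical.

```python
# Attack-tree evaluation for the kind of tree the slide describes.
# Added example, not from the original presentation. The tree is a constructed
# stand-in for the slide's "Desk - Computer" example: the root is the attacker's
# goal, child nodes are the conditions that make their parent true, and a
# countermeasure is modelled as a leaf condition the defender has made false.
from dataclasses import dataclass, field
from itertools import combinations
from typing import List, Set


@dataclass
class Node:
    name: str
    kind: str = "LEAF"                 # "AND", "OR" or "LEAF"
    children: List["Node"] = field(default_factory=list)


def achievable(node: Node, blocked: Set[str]) -> bool:
    """True if the attacker can still satisfy this node when the leaves in
    `blocked` have been denied by a countermeasure."""
    if node.kind == "LEAF":
        return node.name not in blocked
    results = [achievable(child, blocked) for child in node.children]
    return all(results) if node.kind == "AND" else any(results)


def leaves(node: Node) -> List[str]:
    """All leaf condition names below `node` (duplicates kept)."""
    if node.kind == "LEAF":
        return [node.name]
    found: List[str] = []
    for child in node.children:
        found.extend(leaves(child))
    return found


def smallest_cut(root: Node) -> List[str]:
    """Smallest set of leaf conditions whose denial makes the root goal
    unachievable. Brute force over leaf subsets, which is fine for a
    slide-sized tree; ties are broken by alphabetical order."""
    names = sorted(set(leaves(root)))
    for size in range(len(names) + 1):
        for combo in combinations(names, size):
            if not achievable(root, set(combo)):
                return list(combo)
    return names   # only reached if the root has no leaves at all


# Constructed tree (hypothetical conditions, not the slide's figure).
DESK_COMPUTER = Node("read confidential file", "OR", [
    Node("log in as the user", "AND", [
        Node("physical access to desk"),
        Node("obtain password", "OR", [
            Node("guess weak password"),
            Node("read password on sticky note"),
        ]),
    ]),
    Node("steal the computer", "AND", [
        Node("physical access to desk"),
        Node("machine not cable-locked"),
    ]),
])


if __name__ == "__main__":
    print("attack achievable with no countermeasures:", achievable(DESK_COMPUTER, set()))
    print("smallest set of conditions to deny:", smallest_cut(DESK_COMPUTER))
```

The cut-set search is what makes the tree useful to a defender: it shows that denying a single shared condition (physical access to the desk) closes both branches, whereas blocking only the two password leaves still leaves the "steal the computer" branch open.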

Page 7

Decentralizing and Securing the Application

Securing a web application involves securing the network and host along with the application, database and web server.

Firewalls to prevent malicious code and unauthorized entry are essential.

Weakness in any one of the tiers makes the entire application prone to attacks.

Page 8

Identification of Vulnerabilities

Requires a good understanding of the system and the attacks which are possible against it.

Threats can be classified as exploits, eavesdropping, social engineering and human errors, denial of service attacks, backdoor attacks and direct access attacks.

Lack of garbage collection can be considered a threat too, since memory is not infinite and memory that is never reclaimed could cause applications to crash in the long term.

Page 9

Security Threats

Network Eavesdropping involves capturing passwords and usernames passed in clear text using network monitoring software.

Dictionary and Brute Force Attacks (Demo) use computer hardware and trial-and-error methods to crack hashed and encrypted passwords by using massive dictionaries.

Cookie Replay and Credential Theft attacks.

(Authentication)

Page 10

Security Threats

Elevation of privilege using the RevertToSelf API to run on the local system with the most power and privilege.

Disclosure of Confidential Data.

Checksum Spoofing is possible since hashes such as the Secure Hash Algorithm (SHA1) and the Message Digest Compression algorithm can be easily changed.

Plaintext: Place 10 orders. Hash: T0mUNdEQh13IO9oTcaP4FYDX6pU=

Attackers can capture the message and modify the order, resulting in Plaintext: Place 100 orders. Hash: oEDuJpv/ZtIU7BXDDNv17EAHeAU=

(Authorization and Cryptography)
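The checksum-spoofing point, and the "Data Hashing, Digital Signature" countermeasure the later slide lists against tampering, come down to one distinction: an unkeyed hash can be recomputed by whoever altered the message, while a keyed tag cannot. The following added example (not code from the presentation) shows both sides with the slide's order text; the shared key is a constructed sample value, and HMAC-SHA256 is chosen here as the keyed check.

```python
# Checksum spoofing versus a keyed integrity check.
# Added example, not from the original presentation. The order strings are the
# slide's; SECRET_KEY is a constructed value standing in for a key shared by
# sender and receiver.
import base64
import hashlib
import hmac

SECRET_KEY = b"constructed-demo-key-not-a-real-secret"   # assumption: shared secret


def plain_hash(message: str) -> str:
    """Unkeyed SHA-1 of the message, base64 encoded like the slide's hash column."""
    return base64.b64encode(hashlib.sha1(message.encode()).digest()).decode()


def keyed_tag(message: str, key: bytes = SECRET_KEY) -> str:
    """HMAC-SHA256 over the message under the shared key."""
    return base64.b64encode(hmac.new(key, message.encode(), hashlib.sha256).digest()).decode()


def verify_plain(message: str, tag: str) -> bool:
    return hmac.compare_digest(plain_hash(message), tag)


def verify_keyed(message: str, tag: str, key: bytes = SECRET_KEY) -> bool:
    return hmac.compare_digest(keyed_tag(message, key), tag)


def tamper_in_transit(message: str) -> str:
    """Models the slide's interception: 10 orders become 100 orders."""
    return message.replace("Place 10 orders.", "Place 100 orders.")


def plain_hash_survives_tampering() -> bool:
    """The interceptor knows the algorithm, recomputes the hash for the altered
    text, and the receiver accepts it: the hash authenticated nothing."""
    altered = tamper_in_transit("Place 10 orders.")
    return verify_plain(altered, plain_hash(altered))


def keyed_tag_detects_tampering() -> bool:
    """Without SECRET_KEY the interceptor can only forward the original tag,
    which no longer matches the altered order, so verification fails."""
    original = "Place 10 orders."
    tag = keyed_tag(original)
    altered = tamper_in_transit(original)
    return not verify_keyed(altered, tag)


if __name__ == "__main__":
    print("plain hash accepted after tampering:", plain_hash_survives_tampering())
    print("keyed tag rejects tampering:", keyed_tag_detects_tampering())
```

`hmac.compare_digest` is used for both comparisons so that verification time does not depend on how many leading characters of the tag match.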

Page 11

Breaching Applications in Commerce

Buffer Overflow, with data being copied without any checks, can further cause injection attacks and denial of service.

Not a major problem in managed code, however still a problem when managed code calls upon unmanaged APIs.

    #include <string.h>

    void SomeFunction(char *pszInput) {
        char szBuffer[10];
        // Input is copied straight into the buffer; no length check is performed,
        // so any input longer than 9 characters plus the terminator overruns szBuffer
        strcpy(szBuffer, pszInput);
        . . .
    }

(Buffer Overflow)

Page 12

Breaching Applications in Commerce

Cross site scripting can enable arbitrary code to execute when the browser is in a trusted zone.

Internet security zones provide no protection, and since the attacker’s code has access to cookies stored on the user's computer, his authentication cookies are targeted.

The attack starts when a user clicks on a malicious link disguised as a genuine one.

Legitimate Link
www.yourwebapplication.com/logon.aspx?username=bob

Malicious Link
www.yourwebapplication.com/logon.aspx?username=<script>alert('hacker code')</script>

(Cross Site Scripting)

Page 13

Breaching Applications in Commerce

Arbitrary commands can run in a database. Stored procedures which accept unfiltered user input can cause unwanted manipulation, destruction and/or retrieval of data.

    SqlDataAdapter myCommand = new SqlDataAdapter(
        "SELECT * FROM Users WHERE UserName ='" + txtuid.Text + "'", conn);

SQL injection occurs when the original statement is terminated by the single quote character followed by a semicolon to begin a new command (of the attacker’s choice).

    '; DROP TABLE Customers --

The original statement has now changed from a simple select statement to the harmful drop statement below

    SELECT * FROM Users WHERE UserName=''; DROP TABLE Customers --'

(SQL Injection)
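The slide's concatenated query can be run against an in-memory database to see exactly what the terminating quote and semicolon do, and what changes when the input is bound as a parameter instead. This is an added example, not code from the presentation: it uses SQLite rather than SQL Server, with constructed Users and Customers tables, and passes the concatenated text to `executescript()` because that, like a SQL Server batch, executes every statement it is handed.

```python
# SQL injection: the slide's concatenated query versus a parameterised one.
# Added example, not from the original presentation. Tables and rows are
# constructed sample data in an in-memory SQLite database.
import sqlite3

PAYLOAD = "'; DROP TABLE Customers --"    # the attacker input shown on the slide


def fresh_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE Users (UserName TEXT);"
        "CREATE TABLE Customers (Name TEXT);"
        "INSERT INTO Users VALUES ('bob');"
        "INSERT INTO Customers VALUES ('Acme');"
    )
    return conn


def table_exists(conn: sqlite3.Connection, name: str) -> bool:
    row = conn.execute(
        "SELECT COUNT(*) FROM sqlite_master WHERE type='table' AND name=?", (name,)
    ).fetchone()
    return row[0] == 1


def lookup_user_vulnerable(conn: sqlite3.Connection, txtuid: str) -> str:
    """The slide's pattern: the form field is glued into the statement text.
    Returns the text that was actually executed."""
    statement = "SELECT * FROM Users WHERE UserName ='" + txtuid + "'"
    conn.executescript(statement)   # runs every statement the input smuggled in
    return statement


def lookup_user_safe(conn: sqlite3.Connection, txtuid: str) -> list:
    """The field is bound as a value: the statement text never changes, so the
    quote and semicolon are just characters compared against UserName."""
    return conn.execute("SELECT * FROM Users WHERE UserName = ?", (txtuid,)).fetchall()


def demo_vulnerable() -> bool:
    """True if the login lookup dropped the Customers table."""
    conn = fresh_db()
    lookup_user_vulnerable(conn, PAYLOAD)
    return not table_exists(conn, "Customers")


def demo_safe() -> tuple:
    """(rows matched for the payload, Customers table still present)."""
    conn = fresh_db()
    rows = lookup_user_safe(conn, PAYLOAD)
    return (len(rows), table_exists(conn, "Customers"))


if __name__ == "__main__":
    print("executed text:", lookup_user_vulnerable(fresh_db(), PAYLOAD))
    print("Customers dropped by vulnerable lookup:", demo_vulnerable())
    print("(rows, Customers intact) with parameters:", demo_safe())
```

The executed text in the vulnerable path is the slide's `SELECT * FROM Users WHERE UserName=''; DROP TABLE Customers --'`; the parameterised path never produces such a string, which is why it is the countermeasure rather than input filtering alone.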

Page 14

Countermeasures

Buffer Overflow -> Through input validation. Validate length, type, format and range. Limit unmanaged code, and uses of unmanaged APIs should be cross-examined.

Cross Site Scripting -> Input validation; permit only valid form fields and cookies; regular expression validation should be used regularly. Use the HTMLEncode and URLEncode functions to encode user input (convert script to HTML).

SQL Injection -> Validate requests from applications before sending them to databases. Least privilege accounts should be used to connect to the database. Check input strings for possible execution. Idle sessions using sqlplus /nolog or connect sys /as sysdba should be disabled.

(Buffer overflow, Cross Site Scripting and SQL Injection)
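The validation and encoding countermeasures above (length, type, format and range checks; HTMLEncode and URLEncode on anything echoed back) can be shown on the logon link from the cross site scripting slide. This is an added example, not the presentation's code or an ASP.NET listing: `html.escape` and `urllib.parse.quote` stand in for the HTMLEncode and URLEncode functions the slide names, and the username length limit and allowed-character pattern are assumptions chosen for the example.

```python
# Input validation and output encoding for the slide's logon form.
# Added example, not from the original presentation. The limit and format
# below are assumptions; html.escape / urllib.parse.quote stand in for the
# HTMLEncode / URLEncode functions the slide names.
import html
import re
from urllib.parse import quote

MAX_USERNAME_LEN = 64                                  # assumption: application limit
USERNAME_FORMAT = re.compile(r"^[A-Za-z][A-Za-z0-9_.-]*$")
MALICIOUS_USERNAME = "<script>alert('hacker code')</script>"   # value from the slide's link


def validate_username(value) -> tuple:
    """Apply the slide's checks (type, length/range, format) before the value
    is used anywhere. Returns (ok, reason)."""
    if not isinstance(value, str):                       # type
        return (False, "not a string")
    if not 1 <= len(value) <= MAX_USERNAME_LEN:          # length and range
        return (False, "length out of range")
    if not USERNAME_FORMAT.match(value):                 # format
        return (False, "invalid characters")
    return (True, "ok")


def render_greeting(username: str) -> str:
    """Everything echoed into HTML goes through html.escape even after
    validation, so encoding is a second line of defence, not the only one."""
    return "<p>Welcome, " + html.escape(username, quote=True) + "</p>"


def logon_link(username: str) -> str:
    """The slide's logon URL with the value URL-encoded (URLEncode)."""
    return "www.yourwebapplication.com/logon.aspx?username=" + quote(username, safe="")


def handle_logon(username) -> str:
    """Reject invalid input first; encode whatever is displayed either way."""
    ok, reason = validate_username(username)
    if not ok:
        return "<p>Invalid username: " + html.escape(reason) + "</p>"
    return render_greeting(username)


if __name__ == "__main__":
    print(handle_logon("bob"))
    print(handle_logon(MALICIOUS_USERNAME))
    print(render_greeting(MALICIOUS_USERNAME))
    print(logon_link(MALICIOUS_USERNAME))
```

Even if the format check were relaxed, `render_greeting` turns the slide's payload into `&lt;script&gt;...&lt;/script&gt;`, which the browser displays as text; the URL encoding does the same job for the value inside the link itself.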

Page 15

Identification of Vulnerabilities (Continued)

Performance and speed can be affected, as C# programs execute faster than C++ programs.

The C# system can allocate memory by incrementing a pointer within a region of memory set aside for new applications.

    // C# version: every iteration allocates a new A on the managed heap and
    // leaves it for the garbage collector to reclaim
    class A {
        private int x;
        public A() { x = 0; x++; }
    }

    class Example {
        public static void Main() {
            for (int i = 0; i < 1000000000; i++) {
                A a = new A();
            }
            System.Console.WriteLine("DING!");
        }
    }

Page 16

Performance Issues

C++ programs need new blocks of memory to allocate new instances of the ‘A’ class.

The C++ allocator would need to hunt for free blocks of memory in a fragmented heap for each allocation.

    #include <iostream>

    class A {
        int x;
    public:
        A() { x = 0; x++; }
    };

    int main() {
        for (int i = 0; i < 1000000000; i++) {
            A* a = new A();   // heap allocation through the C++ allocator
            delete a;         // explicit release; there is no garbage collector
        }
        std::cout << "DING!" << std::endl;
    }

Page 17

Countermeasures

Spoofing -> Strong authentication, SSL, strong passwords stored in encrypted format.

Data Tampering -> Data hashing, digital signatures, authorization, X.509 certificates, trusted zones.

Repudiation -> Secure audit trails, digital signatures.

Denial of Service -> Resource and bandwidth throttling techniques, along with packet sniffing and filtering of input.

Privilege Elevation -> Least privilege accounts should perform operations, with higher privilege accounts used only for accessing locked resources.

Page 18

Additional Countermeasures

Sniffing -> Strong physical security and segmentation to prevent local collection of information.

Session Hijacking -> Encrypted sessions, platform patches to prevent TCP/IP vulnerabilities.

Footprinting -> Lock down unused ports, firewall and configuration settings, and monitoring of suspect ports.

Password Cracking -> Lockout policies, deny use of default passwords, audit multiple failed logins for an account.

Arbitrary Code Execution -> Configuration of IIS to reject ../ URLs. Prevent idle session logins in Oracle Database with the sqlnet.ora file.
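The password-cracking countermeasure above ("lockout policies ... audit multiple failed logins for an account") is a detection rule that can be run over an authentication log. The following is an added example, not from the presentation: the log lines are constructed samples in a hypothetical `timestamp user result source` format, and the five-failures-in-ten-minutes policy is an assumption a real lockout rule would set. The sliding window matters because the same number of failures spread over a day is a different signal from the same number in thirty seconds.

```python
# Auditing repeated failed logins per account, one of slide 18's
# password-cracking countermeasures.
# Added example, not from the original presentation. Log lines are constructed
# samples in a hypothetical "timestamp user result source" format; threshold
# and window are assumptions standing in for a real lockout policy.
from collections import defaultdict
from datetime import datetime, timedelta

FAILURE_THRESHOLD = 5                 # assumption: lock after 5 failures ...
WINDOW = timedelta(minutes=10)        # ... inside any 10-minute window

SAMPLE_LOG = """\
2006-03-01T09:00:01 bob FAIL 10.0.0.7
2006-03-01T09:00:04 bob FAIL 10.0.0.7
2006-03-01T09:00:09 bob FAIL 10.0.0.7
2006-03-01T09:00:15 bob FAIL 10.0.0.7
2006-03-01T09:00:22 bob FAIL 10.0.0.7
2006-03-01T09:00:30 bob FAIL 10.0.0.7
2006-03-01T09:05:00 alice FAIL 10.0.0.9
2006-03-01T09:06:00 alice OK 10.0.0.9
2006-03-01T08:00:00 scott FAIL 10.0.0.3
2006-03-01T08:30:00 scott FAIL 10.0.0.3
2006-03-01T09:10:00 scott FAIL 10.0.0.3
2006-03-01T09:20:00 scott FAIL 10.0.0.3
2006-03-01T09:30:00 scott FAIL 10.0.0.3
"""


def parse_log(text: str) -> list:
    """Parse the constructed format into (timestamp, user, result, source)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, user, result, source = line.split()
        events.append((datetime.fromisoformat(stamp), user, result, source))
    return events


def failures_per_window(events, threshold=FAILURE_THRESHOLD, window=WINDOW) -> dict:
    """Sliding window per account. Returns {user: (count, first, last)} for the
    first moment an account's failures inside `window` reach `threshold`."""
    by_user = defaultdict(list)
    for stamp, user, result, _source in sorted(events):
        if result == "FAIL":
            by_user[user].append(stamp)
    flagged = {}
    for user, stamps in by_user.items():
        start = 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1                      # drop failures older than the window
            count = end - start + 1
            if count >= threshold and user not in flagged:
                flagged[user] = (count, stamps[start], stamps[end])
    return flagged


def accounts_to_lock(text: str = SAMPLE_LOG) -> list:
    """Accounts the lockout policy would act on for the given log text."""
    return sorted(failures_per_window(parse_log(text)))


if __name__ == "__main__":
    for user, (count, first, last) in failures_per_window(parse_log(SAMPLE_LOG)).items():
        print(f"{user}: {count} failures between {first.time()} and {last.time()}")
    print("lock:", accounts_to_lock())
```

In the sample, `bob` reaches five failures within half a minute and is flagged; `scott` also has five failures, but spread over ninety minutes, so the window rule leaves him alone and a slower audit would have to pick that pattern up.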

Page 19

Case Studies

Unauthorized access at North Bay Health Care Group by fraudulent alteration of 127 electronic checks by Jessica Sabatia, resulting in a loss of $875,035 to the company.

Malicious insider attack at UBS Paine Webber with the use of a ‘logic bomb’, resulting in simultaneous deletion of 1000 documents across 1500 networked branches. A loss of $3 million was suffered by the firm.

26.5 million records stolen from the Veterans Administration as a result of an employee's house being burglarized in May 2006. Data included SSNs, names and addresses.

The Melissa worm in March 1999 infected Microsoft Outlook, shutting down mail servers in companies such as Microsoft, Intel, Lockheed Martin and Lucent and causing $400 million in cumulative damages, the costliest in North America to date.

(Real Life examples)

Page 20

Attacks on Databases

Databases such as Oracle and MS SQL are frequently targeted as they contain large amounts of data.

SQL injection attacks, buffer overflow, heap overflow and code injection are some of the common attacks.

Default passwords can be easily stolen from an Oracle database by querying the dba_users table.

Though the passwords are hashed, they can be recovered and displayed in clear text in most cases.

(Demo Prelude)

Page 21

Demo

Users in an Oracle database are authenticated by re-computing the hash and comparing it with the value stored in the password column of dba_users.

A user who can obtain all the hashed passwords can compare them to the ones computed from one or more dictionaries, resulting in a clear text view of the password.

Oracle itself, as of Jan 2006, provides an Excel sheet which contains all the default passwords for locked and unlocked accounts in Oracle databases.

A random user can locate and view all the default passwords in a database, thereby increasing the risk.

(Combination of a Dictionary and Brute Force Attack on an Oracle DB)
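The defender's side of this demo, and of the dictionary attack introduced on the Security Threats slide, is an audit: check every stored hash against the published default-password list before anyone else does, and store passwords in a form that a single precomputed table cannot match. The following is an added example, not from the presentation and not Oracle's hash algorithm: the legacy store uses unsalted SHA-1 as a stand-in for any fast unsalted hash, the account names and default-password list are constructed sample data, and PBKDF2-HMAC-SHA256 is the salted, iterated alternative chosen here.

```python
# Default-password audit of an unsalted hash store, and why a salted iterated
# hash resists the same one-table check.
# Added example, not from the original presentation and not Oracle's real
# algorithm: unsalted SHA-1 stands in for any fast unsalted hash, and the
# accounts and default-password list are constructed sample data.
import hashlib
import hmac
import os

DEFAULT_PASSWORDS = ["manager", "change_on_install", "tiger", "oracle"]   # constructed list


def legacy_hash(password: str) -> str:
    """Fast, unsalted hash: the same password always gives the same value."""
    return hashlib.sha1(password.encode()).hexdigest()


LEGACY_STORE = {                                  # constructed: username -> unsalted hash
    "system": legacy_hash("manager"),
    "scott": legacy_hash("tiger"),
    "appuser": legacy_hash("correct horse battery staple"),
}


def audit_default_passwords(store: dict, defaults=DEFAULT_PASSWORDS) -> dict:
    """One table of default-password hashes tests every account in an unsalted
    store at once. Returns {username: default password still in use}."""
    table = {legacy_hash(p): p for p in defaults}
    return {user: table[h] for user, h in store.items() if h in table}


def make_salted_record(password: str, iterations: int = 100_000) -> dict:
    """Per-account random salt plus an iterated KDF: no shared table is
    possible, and each guess costs `iterations` hash rounds."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "hash": digest}


def verify_salted(record: dict, password: str) -> bool:
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["hash"])


def salted_records_share_no_hash(password: str) -> bool:
    """Two accounts with the same default password get different records, so a
    precomputed table cannot flag both, and an audit must test each one."""
    first, second = make_salted_record(password), make_salted_record(password)
    return first["hash"] != second["hash"]


if __name__ == "__main__":
    print("accounts still on a default password:", audit_default_passwords(LEGACY_STORE))
    print("same default, different salted records:", salted_records_share_no_hash("tiger"))
```

The audit flags `system` and `scott` immediately because their unsalted hashes are looked up in a table built once for the whole store; with salted records the same check degenerates into one KDF computation per account per candidate, which is the cost the countermeasure is meant to impose.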

Page 22

References

MSDN – Threats, Causes and Breakage
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnpag2/html/tmwaglance.asp

Wikipedia – Security Threats and Exploits
http://en.wikipedia.org/wiki/Category:Security_exploits
http://en.wikipedia.org/wiki/Computer_insecurity
http://en.wikipedia.org/wiki/Computer_fraud_case_studies

United States Government – Department of Defense (DITSCAP)
http://iase.disa.mil/ditscap/DITSCAP.html

Practical Threat Analysis – Dealing with Threats
http://www.securitydocs.com/library/2848
