CompTIA Security+
Lecture Six: Threats and Vulnerabilities
Vulnerability Management
Copyright 2011 - VTC

Malware
- Malicious code refers to software threats to networks and systems, including viruses, Trojan horses, bombs, and worms
- Software designed to undermine the security of a system
- Many different types
- Many different objectives
- Two characteristics
  - Propagation
  - Payload delivery
Virus
- Malicious code that requires some user action to propagate
- Designed to deliver a payload
- Variants
  - Stealth virus: avoids detection by masking itself from applications
  - Polymorphic virus: changes form in order to avoid detection
  - Encrypted virus
- Melissa virus brought the entire Internet down for a few days in March 1999
- The best defense against a virus attack is up-to-date antivirus software installed and running. The software should be on all workstations as well as the server.

Worms
- A worm is different from a virus in that it can reproduce itself, it's self-contained, and it doesn't need a host application to be transported
- Often search the local network for systems with vulnerabilities
- The "rtm" worm took down the Internet in 1988
Trojan Horses
- Programs that enter a system or network under the appearance of another program
- Designed to trick the user into installing them by masquerading as another application
- Once installed, perform as advertised but also deliver a malicious payload

Logic Bombs
- Programs or snippets of code that execute when a certain predefined event occurs
- Designed to lie in wait and deliver their payload when logical conditions are met
- Conditions may include
  - Date
  - Time
  - Stock price
  - Removal of a user account
Backdoors
- An opening left in a program or application (by the developer) that allows additional access to data
- Typically, these are created for debugging purposes and aren't documented
- Before the product ships, the backdoors are closed; when they aren't closed, security loopholes exist
- Security bypass mechanisms created by software developers
- Not always created with malicious intent
- Always introduce a security vulnerability

Rootkits
- Software programs that have the ability to hide certain things from the OS
- There may be a number of processes running on a system that do not show up in Task Manager
- There may be connections established that do not appear in a netstat display
Botnets
- Collection of systems controlled by a botnet master
- Usually amassed through other forms of malicious code
- Often number in the thousands of systems
- Useful for DDoS attacks

Spyware
- Malicious code specifically designed to monitor user activity and report back to the source
- Often looks for sensitive personal information
  - Passwords
  - SSNs
  - Credit card numbers
Social Engineering
- Attacks that target the human weak link in the security chain
- Examples of social engineering include
  - Dumpster diving
  - Shoulder surfing
  - Phishing
  - Hoaxes

Phishing
- Sending fake email messages designed to trick a user into providing sensitive information
- Variants
  - Vishing - voice phishing
  - Spear phishing - highly targeted phishing
  - Whaling - phishing with VIP targets
  - Pharming - fake websites
Dumpster Diving
- Looking through the trash for sensitive information
- May be directly useful
- Also may provide information for other social engineering attacks

Shoulder Surfing
- Monitoring a user's activity at the keyboard
- May also be done remotely via video surveillance
Denial of Service (DoS) Attacks
- Designed to undermine the availability of a system
- "Sniper style" attacks aim to crash a system
- "Brute force" attacks aim to use up all available resources
- Botnets are often connected to perform Distributed DoS (DDoS) attacks
- Very difficult to identify and prevent

Smurf Attack
- Form of DDoS attack
- Attacker sends a spoofed ICMP Echo Request packet
  - Source: Victim
  - Destination: Broadcast address
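The Smurf mechanics above leave a recognizable trace on the amplifier network: ICMP Echo Requests whose destination is a broadcast address and whose claimed source is the victim. This added example (not from the VTC course) flags that pattern in constructed packet summaries; the subnet, addresses and record format are assumptions.

```python
import ipaddress

# Constructed example network; substitute the subnet your sensor watches.
LOCAL_NET = ipaddress.ip_network("192.0.2.0/24")
LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")

# Constructed packet summaries in the shape a flow log or sniffer would give you.
# Two ICMP Echo Requests (type 8) arrive for the subnet broadcast with the same
# source: that source is the victim being spoofed, not the real sender.
PACKETS = [
    {"src": "203.0.113.7", "dst": "192.0.2.255", "proto": "icmp", "type": 8},
    {"src": "192.0.2.10", "dst": "192.0.2.20", "proto": "icmp", "type": 8},
    {"src": "203.0.113.7", "dst": "192.0.2.255", "proto": "icmp", "type": 8},
    {"src": "192.0.2.10", "dst": "192.0.2.20", "proto": "tcp", "type": None},
]


def is_broadcast(dst):
    """True if dst is the directed broadcast of LOCAL_NET or the limited broadcast."""
    addr = ipaddress.ip_address(dst)
    return addr == LOCAL_NET.broadcast_address or addr == LIMITED_BROADCAST


def find_smurf_amplification(packets, threshold=2):
    """Map each claimed source to how many Echo Requests it sent to a broadcast
    address; sources at or above threshold are likely spoofed Smurf victims."""
    counts = {}
    for pkt in packets:
        if pkt["proto"] == "icmp" and pkt["type"] == 8 and is_broadcast(pkt["dst"]):
            counts[pkt["src"]] = counts.get(pkt["src"], 0) + 1
    return {src: n for src, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for victim, n in find_smurf_amplification(PACKETS).items():
        print(f"{n} broadcast pings claiming source {victim}: likely Smurf; "
              f"replies from this subnet will flood that host")
    # Mitigation on the amplifier side: do not forward directed broadcasts at the
    # router and do not let hosts answer Echo Requests sent to a broadcast address.
```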
Man in the Middle Attack
- Based on the principle that a system can be placed between two legitimate users to capture or exploit the information being sent between them
- Intercepting communications and acting as an intermediary

Replay Attack
- Monitor the network looking for tokens or other authentication credentials
- Hacker creates a separate connection to the server using the same credentials and masquerades as the real user
- Prevent by encrypting cookies and other credentials
DNS Cache Poisoning
- Attacks designed to inject false information into a DNS server
- Can be used to redirect users dependent upon that DNS server to fake sites

Insider Threat
- The most dangerous security risks come from inside your organization
- Unauthorized activity by legitimate users
- Insiders are in the best position to bypass your security controls
- Requires diligent auditing and monitoring
Transitive Access
- In a Discretionary Access Control (DAC) system, users can grant access to other users
- Transitive access problem
  - A grants access to B, B grants access to C
  - B leaves
  - C retains the permission without A's knowledge

Privilege Escalation
- Attacks designed to take a limited privilege account and obtain greater privileges
- Often try to take a standard user account and upgrade it to superuser administrative access
- Commonly referred to as "root escalation" or attacks that "gain root"
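The transitive access problem above comes from DAC systems forgetting who granted what. This added example (not from the VTC course) models a toy DAC object that records the grantor of every permission, so that when B leaves, access B handed to C can be revoked along with B's own; the class and user names are assumptions.

```python
class DacObject:
    """One DAC-protected object. grants maps grantee -> who granted the access
    (None for the owner), which is exactly the record plain DAC usually lacks."""

    def __init__(self, owner):
        self.owner = owner
        self.grants = {owner: None}

    def grant(self, grantor, grantee):
        # Under DAC, anyone who already holds access may pass it on.
        if grantor not in self.grants:
            raise PermissionError(f"{grantor} cannot grant what they do not hold")
        self.grants.setdefault(grantee, grantor)

    def has_access(self, user):
        return user in self.grants

    def revoke_naive(self, user):
        # What typically happens when an account is removed: only that user goes.
        self.grants.pop(user, None)

    def revoke_cascade(self, user):
        # Remove the user and everyone whose access was derived from them.
        pending = [user]
        while pending:
            gone = pending.pop()
            self.grants.pop(gone, None)
            pending.extend(u for u, g in self.grants.items() if g == gone)


def transitive_access_demo(cascade):
    """A grants B, B grants C, then B leaves. Returns whether C still has access."""
    doc = DacObject("A")
    doc.grant("A", "B")
    doc.grant("B", "C")
    if cascade:
        doc.revoke_cascade("B")
    else:
        doc.revoke_naive("B")
    return doc.has_access("C")


if __name__ == "__main__":
    print("C keeps access after B leaves (naive revoke):", transitive_access_demo(False))
    print("C keeps access after B leaves (cascading revoke):", transitive_access_demo(True))
```

Cascading revocation is the same idea as SQL's REVOKE ... CASCADE for privileges granted WITH GRANT OPTION; the owner A is never removed by either revoke path here.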
Buffer Overflows
- Programmers allocate memory for variables and use addresses to access it
- If a user puts more data in the space than the programmer allocated, an overflow occurs
- Can overwrite sensitive portions of memory, including where programs are stored
- Requires input validation

Session Hijacking
- Relies upon the use of insecure authentication practices
- Often, the user logs in once and then receives a cookie
- Future communications use the cookie for authentication
- If the cookie is sent unencrypted, the session is vulnerable to hijacking
Root Cause of Session Hijacking
- Session hijacking can be prevented with a simple fix: encrypting cookies
- Often not done because of
  - Lack of awareness
  - Expense of encryption
  - Inattention of developers/administrators

Exploiting Session Hijacking
- Attacker can monitor network activity using a protocol analyzer
- Watching for unencrypted cookies
- When detected, open a new connection to the remote server
- Allows complete impersonation
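The inattention mentioned above is usually visible in the response headers: a session cookie issued without the Secure flag will be sent by the browser over plain HTTP, where a protocol analyzer can read it. This added example (not from the VTC course) audits Set-Cookie headers for that weakness using the standard library's cookie parser; the header values are constructed samples.

```python
from http.cookies import SimpleCookie

# Constructed Set-Cookie headers. The first is the pattern that makes session
# hijacking trivial: a session token with no Secure flag, so the browser also
# sends it over unencrypted HTTP. The second is the hardened form.
WEAK_HEADERS = ["sessionid=8f3a9c1e2b; Path=/"]
HARDENED_HEADERS = ["sessionid=8f3a9c1e2b; Path=/; Secure; HttpOnly"]


def audit_set_cookie(header_value):
    """Return human-readable findings for one Set-Cookie header value."""
    cookie = SimpleCookie()
    cookie.load(header_value)
    findings = []
    for name, morsel in cookie.items():
        # Morsel flags are True when present and "" when absent.
        if not morsel["secure"]:
            findings.append(f"{name}: missing Secure, sent over plain HTTP")
        if not morsel["httponly"]:
            findings.append(f"{name}: missing HttpOnly, readable by page scripts")
    return findings


def audit_headers(set_cookie_values):
    """Audit every Set-Cookie header captured from one HTTP response."""
    return [f for value in set_cookie_values for f in audit_set_cookie(value)]


if __name__ == "__main__":
    print("weak:", audit_headers(WEAK_HEADERS))
    print("hardened:", audit_headers(HARDENED_HEADERS))
```

The Secure flag only helps when the site is actually reachable over HTTPS; that is the "expense of encryption" the slide refers to.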
Firesheep
- Session hijacking for the masses
- Free software that monitors sessions on unencrypted wireless networks
- Reports all available sessions that can be stolen
- Session stealing requires only a click of the mouse

Vulnerability Scanning
- Designed to detect issues with system security
  - Misconfigured firewalls
  - Application security issues
  - Missing operating system patches
  - Unexpected services
- Two major variants
  - Port scanning
  - Vulnerability scanning
Port Scanning
- Looks for open ports on a system and reports the results
- Useful to detect problems with firewall configurations
- Doesn't tell you if the service is secure, but does enumerate services
- Most popular tool is nmap 5
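A port scan only enumerates services; deciding which of them are unexpected is the defender's job. This added example (not from the VTC course) parses nmap's grepable (-oG) output and compares each host's open ports against an allowlist. The scan output and the allowlist are constructed samples.

```python
import re

# Constructed sample of nmap grepable (-oG) output for two hosts.
SCAN_OUTPUT = """\
# Nmap scan initiated (constructed sample)
Host: 192.0.2.10 ()\tStatus: Up
Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 3389/open/tcp//ms-wbt-server///\tIgnored State: closed (997)
Host: 192.0.2.20 ()\tStatus: Up
Host: 192.0.2.20 ()\tPorts: 25/open/tcp//smtp///, 443/open/tcp//https///, 23/filtered/tcp//telnet///\tIgnored State: closed (997)
"""

# Constructed allowlist: the services each host is supposed to expose.
EXPECTED = {
    "192.0.2.10": {(22, "tcp"), (80, "tcp")},
    "192.0.2.20": {(25, "tcp"), (443, "tcp")},
}

HOST_RE = re.compile(r"Host: (\S+) .*\tPorts: (.*?)\t")
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)//([^/]*)///")  # port/state/proto//service///


def parse_open_ports(grepable):
    """Return {host: {(port, proto, service)}} for ports nmap reported open."""
    result = {}
    for line in grepable.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # comment lines and Status-only lines carry no ports
        host, ports = m.groups()
        for port, state, proto, service in PORT_RE.findall(ports):
            if state == "open":
                result.setdefault(host, set()).add((int(port), proto, service))
    return result


def unexpected_services(grepable, expected):
    """List (host, port, proto, service) for open ports not on the allowlist."""
    findings = []
    for host, ports in parse_open_ports(grepable).items():
        allowed = expected.get(host, set())
        for port, proto, service in sorted(ports):
            if (port, proto) not in allowed:
                findings.append((host, port, proto, service))
    return findings


if __name__ == "__main__":
    for host, port, proto, service in unexpected_services(SCAN_OUTPUT, EXPECTED):
        print(f"{host}: unexpected {service} on {port}/{proto}")
```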
Vulnerability Scanning
- Run a software program that contains a database of known vulnerabilities against a system to identify weaknesses
- Usually start with a port scan but then go deeper
  - Check existing services for vulnerabilities
  - Identify missing patches
  - Check for default passwords
  - Probe encryption methods
- Most popular tool is Nessus 4
Penetration Testing
- The best way to tell what services are really running on a system
- Tests the security of a system from the perspective of a hacker
- Testers use the same tools that hackers use and actually try to break into a system or application
- Sometimes a required component of an audit or assessment
- Most popular tool is Backtrack 5
Black Box Testing
- No prior knowledge of the system, network or infrastructure
- Testers begin with reconnaissance attacks designed to gather information about the system
- Identify potential footholds and look for vulnerabilities to exploit
- Simulates an outside hacker trying to break into the organization's computer systems

White Box Testing
- Attackers begin with detailed information about the system, including
  - Network layout
  - Operating systems
  - Application infrastructure
  - Security controls
- Also called "full disclosure" testing
- Simulates an insider attack
Grey Box Testing
- Attackers have some basic information about the environment
- "Partial disclosure" penetration test

Risks of Penetration Tests
- Risk inherent in attacking production systems
- Scans associated with penetration tests can easily cause denial or degradation of service
- In the worst case, an attack could shut down a system
- If you can do it, a hacker could also
Honeypots
- A bogus system set up to attract and slow down a hacker. It can be used to learn of the hacking techniques and methods used by hackers.
- Systems deliberately set up to tempt hackers
- Often contain obvious security vulnerabilities
- May appear to be part of a large environment but are carefully isolated
- Serve no legitimate purpose, so any connection attempt is suspicious

Why Set Up a Honeypot?
- Provide advance knowledge of an attacker trying to gain access to your network
- Offer insight into evolving hacking techniques
- Open SMTP relays can identify spammers and provide information for spam detection tools
Honeynets
- Multiple honeypots running on the same network
- Spread out to cover multiple parts of a large environment
- Add credibility to each other
- Often run on the same physical machine using virtualization

Risks of Honeypots/Honeynets
- Must be carefully isolated from all production systems
- An improperly configured honeypot could expose your production systems