Attack Vectors in Computer Security

Similar documents
Ranking Vulnerability for Web Application based on Severity Ratings Analysis

CIS 5373 Systems Security

ANATOMY OF AN ATTACK!

Drone /12/2018. Threat Model. Description. Threats. Threat Source Risk Status Date Created

Unforgivable Vulnerabilities Steve Christey The MITRE Corporation August 2, 2007

Engineering Your Software For Attack

Our sponsors Zequi V Autopsy of Vulnerabilities

Risk Analysis and Measurement with CWRAF

Software Assurance Ecosystem Knowledge Architecture. 1 Wednesday, December 31, 2008

Developing Secure Systems. Associate Professor

Ethical Hacking and Prevention

CompTIA Security+ Malware. Threats and Vulnerabilities Vulnerability Management

Security Solutions. Overview. Business Needs

WEB APPLICATION VULNERABILITIES

THREAT MODELING IN SOCIAL NETWORKS. Molulaqhooa Maoyi Rotondwa Ratshidaho Sanele Macanda

CMSC 414 Computer and Network Security

NSTB Assessments Summary Report: Common Industrial Control System Cyber Security Weaknesses

The tale of one thousand and one ADSL modems

ACS-3921/ Computer Security And Privacy. Chapter 9 Firewalls and Intrusion Prevention Systems

Endpoint Security - what-if analysis 1

Pass4suresVCE. Pass4sures exam vce dumps for guaranteed success with high scores

A (sample) computerized system for publishing the daily currency exchange rates

Cyber Security Advisory

shortcut Tap into learning NOW! Visit for a complete list of Short Cuts. Your Short Cut to Knowledge

EXAMINATION [The sum of points equals to 100]

Security Testing. Who, What, When and How of Security Testing. Heidi Harmes-Campbell.

COMPUTER NETWORK SECURITY

P2_L12 Web Security Page 1

Trustwave Managed Security Testing

How to perform the DDoS Testing of Web Applications

n Explain penetration testing concepts n Explain vulnerability scanning concepts n Reconnaissance is the first step of performing a pen test

Chapter 9. Firewalls

Security: Internet of Things

Penetration testing.

Security Concerns in Automotive Systems. James Martin

The OWASP Foundation

AURA ACADEMY Training With Expertised Faculty Call Us On For Free Demo

Chapter 5: Vulnerability Analysis

Measuring Similarity for Security Vulnerabilities

Business Continuity Management

Agenda. Why we need a new approach to endpoint security. Introducing Sophos Intercept X. Demonstration / Feature Walk Through. Deployment Options

Application vulnerabilities and defences

Kaspersky Enterprise Cybersecurity. Kaspersky Security Assessment Services. #truecybersecurity

Exam : JK Title : CompTIA E2C Security+ (2008 Edition) Exam. Version : Demo

Inline Reference Monitoring Techniques

CIS 700/002 : Special Topics : OWASP ZED (ZAP)

SOAP: SENSITIVE OPERATIONAL ATTRIBUTE PATTERN BASED VULNERABILITY ANALYSIS FOR BUSINESS INTELLIGENCE USING RULE SETS

Security Advisory IP Camera Vulnerability December

Payment Card Industry (PCI) Executive Report 11/01/2016

Security Issues Formalization


Web Security. Outline

The SANS Institute Top 20 Critical Security Controls. Compliance Guide

Provide you with a quick introduction to web application security Increase you awareness and knowledge of security in general Show you that any

Security in a Mainframe Emulator. Chaining Security Vulnerabilities Until Disaster Strikes (twice) Author Tim Thurlings & Meiyer Goren

Client Side Injection on Web Applications

Survey of Cyber Moving Targets. Presented By Sharani Sankaran

PASS4TEST. IT Certification Guaranteed, The Easy Way! We offer free update service for one year

Computer Security: Cyber Essentials KAMI VANIEA 1

VULNERABILITIES IN 2017 CODE ANALYSIS WEB APPLICATION AUTOMATED

Vulnerability Management From B Movie to Blockbuster Rahim Jina

Lecture 4: Threats CS /5/2018

Developing Secure Systems. Introduction Aug 30, James Joshi, Professor, SCI

Bank Infrastructure - Video - 1

Hacker Attacks on the Horizon: Web 2.0 Attack Vectors

P1_L3 Operating Systems Security Page 1

INF3700 Informasjonsteknologi og samfunn. Application Security. Audun Jøsang University of Oslo Spring 2015

NET 311 INFORMATION SECURITY

Vulnerabilities. To know your Enemy, you must become your Enemy. Information security: Vulnerabilities & attacks threats. difficult.

Mitigating Security Breaches in Retail Applications WHITE PAPER

Cyber Moving Targets. Yashar Dehkan Asl

Exploring CVE , a Skeleton key in DNS. Jaime Cochran, Marek Vavrusa

Hackveda Training - Ethical Hacking, Networking & Security

Introduction to Penetration Testing: Part One. Eugene Davis UAH Information Security Club February 21, 2013

Cybersecurity Technical Risk Indicators:

CyberP3i Hands-on Lab Series

Computer Security Fall 2006 Joseph/Tygar MT 3 Solutions

OWASP Top 10 The Ten Most Critical Web Application Security Risks

Building Secure Systems

CYBER SECURITY RISK ASSESSMENT: WHAT EVERY PENSION GOVERNMENTAL ENTITY NEEDS TO KNOW

Symlink attacks. Do not assume that symlinks are trustworthy: Example 1

Integrity attacks (from data to code): Cross-site Scripting - XSS

SAP Security. BIZEC APP/11 Version 2.0 BIZEC TEC/11 Version 2.0

Combating Today s Cyber Threats Inside Look at McAfee s Security

Measuring and Evaluating Cyber Risk in ICS Components, Products and Systems

Securing Your Web Application against security vulnerabilities. Alvin Wong, Brand Manager IBM Rational Software

BIG-IP Application Security Manager : Getting Started. Version 12.1

CNT4406/5412 Network Security Introduction

QUARTERLY TRENDS AND ANALYSIS REPORT

10 FOCUS AREAS FOR BREACH PREVENTION

n Given a scenario, analyze and interpret output from n A SPAN has the ability to copy network traffic passing n Capacity planning for traffic

Application Layer Attacks. Application Layer Attacks. Application Layer. Application Layer. Internet Protocols. Application Layer.

Synology Security Whitepaper

SQL Injection. Meganadha Reddy K. Technical Trainer NetCom Learning Meganadha Reddy K., 2015

SECURITY TESTING. Towards a safer web world

NETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS

INFORMATION SUPPLEMENT. Use of SSL/Early TLS for POS POI Terminal Connections. Date: June 2018 Author: PCI Security Standards Council

Scribe Notes -- October 31st, 2017

Shellbased Wargaming

Copyright

Transcription:

Attack Vectors in Computer Security

Who Am I @WillGoard My first proper hacksoc talk I speak fluent greek Sell more pizzas have more fun

Why attack vectors? Didn t know what to do for my dissertation Started looking at a few ideas Lack of information available was annoying Kept finding network reported as an attack vector and wanted to know what it meant

Vulnerability In computer security, a vulnerability is a weakness which allows an attacker to reduce a system's information assurance.

Attack vector An attack vector is a path or means by which a hacker (or cracker) can gain access to a computer or network server in order to deliver a payload or malicious outcome. Attack vectors enable hackers to exploit system vulnerabilities, including the human element.

Attack surface The attack surface of a software environment is the sum of the different points (the "attack vectors") where an unauthorized user (the "attacker") can try to enter data to or extract data from an environment.

Attack Patterns In computer science, attack patterns are a group of rigorous methods for finding bugs or errors in code related to computer security. Attack patterns are often used for testing purposes and are very important for ensuring that potential vulnerabilities are prevented Attack patterns define a series of repeatable steps that can be applied to simulate an attack against the security of a system

Initial research Information regarding attack vectors is very dated No general consensus on how they should be reported Current websites in use for vulnerability reporting aren t easy to use

CVE

CWE

CAPEC

NVD

Example NVD Entry

NVD Attack Vectors Network: The vulnerability is remotely exploitable by a machine that is not part of the target machines network Adjacent network: The vulnerability requires the attacker to have access to the broadcast or collision domain in order to exploit it. Local: The vulnerability is only exploitable locally meaning the attacker needs to have physical access to the target machine or a local account on the machine

NVD Attack Vectors Purely used to calculate CVSS score No actual information provided about the attack vector Depending on the attack vector the CVSS score changes drastically

Now to tell you what I actually did Attack vector mitigations Better definitions for attack vectors

Attack vector mitigations Examined vulnerabilities and then looked at their attack vectors Mitigated the attack vector then retested the vulnerability No longer possible to exploit the vulnerability

Things to take away Mitigating attack vectors can help improve security Vulnerabilities are still there so should only be a temporary fix Properly defining the attack vector can lead to a better understanding of the vulnerability

Attack vector definitions SQL Injection Phishing Cross-site scripting Malware attacks Buffer overflows Weak authentication Known vulnerabilities

SQL Injection Actually an attack vector Pretty well defined Would be useful to identify where the injection takes place

Phishing Also an attack vector More data could be included: Type of phishing attack Means of attack What entity was being impersonated

Cross-Site scripting Definition provided was more applicable to the vulnerability Could include information about where the scripts are injected

Malware attacks Type of attack not the attack vector How was the malware infection accomplished

Buffer Overflows Vulnerability not an attack vector When defining the attack vector include: Application where the vulnerability is present What type of overflow is caused

Weak Authentication Also not an attack vector How was the weak authentication exploited

Known Vulnerabilities

Summary Attack vectors are not well defined Being more specific can provide a lot of useful information Easier to fix issues if exact point of attack is known

How can attack vectors improve security More accurate trends monitored Provides information to tester about what areas to focus on when testing Developers will know how certain features can impact security Training courses can be better targeted

Questions?

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback