Document Details


João Paulo Barraca, André Zúquete

Tags

information security computer security cybersecurity threats and vulnerabilities

Summary

This document discusses various attacks and vulnerabilities in information security. It covers topics such as denial-of-service attacks, man-in-the-middle attacks, phishing attacks, malware, and more. The document provides an overview of different security threats and vulnerabilities in a generalized way. Some specific mitigation techniques are also suggested.

Full Transcript


Slide 1: Threats and Vulnerabilities (SIO)
João Paulo Barraca, André Zúquete

Slide 2: Information Security Measures and their relationship with attacks
(Diagram: Threats, Discouragement, Deception, Attacks, Detection, Vulnerabilities, Prevention, Recovery, Impact and Value, linked by the verbs "difficult", "elude", "potentiate", "increase", "discover", "cause", "trigger", "reduce" and "depends".)

Slide 3: Measures (and some tools)
Discouragement
ꟷ Punishment
ꟷ Legal restrictions
ꟷ Forensic evidences
ꟷ Security barriers
ꟷ Honeypots / honeynets
ꟷ Forensic follow-up
Prevention
ꟷ Restrictive policies, e.g. least privilege principle
ꟷ Vulnerability scanning, e.g. OpenVAS, metasploit
ꟷ Vulnerability patching, e.g. regular updates
ꟷ Firewalls
ꟷ Authentication
ꟷ Secure communication
ꟷ Sandboxing
Detection
ꟷ Intrusion detection system, e.g. Zeek (Bro), Suricata
ꟷ Auditing
Recovery
ꟷ Backups
ꟷ Redundant systems
ꟷ Forensic break-in analysis
ꟷ Forensic recovery

Slide 4: Threats and Attacks
Threat Actors explore Vulnerabilities
ꟷ They will trigger an action, send a crafted payload, to disrupt CIA and existing policies
Threat Actors also conduct Attacks without clear Software Vulnerabilities
ꟷ Targeting people, processes and resources
ꟷ Out of the scope of Information Security, but relevant to the security of Organizations
The number of vulnerabilities depends on Value and Security Posture
ꟷ More popular software will have a higher number of vulnerabilities
ꟷ Also software with higher maturity (more tests)
https://www.cvedetails.com/top-50-products.php?year=0

Slide 5: Common Attacks and Threats
Only some… more here: https://owasp.org/www-community/attacks/
Denial of Service, MiTM, Phishing, Ransomware, Insider Threats, Password, Injection, Malware

Slide 6: Denial of Service (DoS)
Attacker overwhelms the resources of a system to the point where it is unable to reply to legitimate service requests.
ꟷ Overwhelms the server providing the service
ꟷ Overwhelms dependent services such as the Authentication or Database servers
ꟷ Frequently executed as a DDoS (Distributed DoS)
ꟷ Explores software/system vulnerabilities
Impact: Clients are unable to access a service
ꟷ Financial, brand and operational damage (e.g. Denial of Wallet)
ꟷ Popular in relevant moments (exams, elections, public events)
ꟷ Popular due to the low cost and low complexity

Slide 7: Denial of Service (DoS)
(Figure: DoS attack classification, from Rustam, Furqan; Mushtaq, Muhammad; Hamza, Ameer; Farooq, Shoaib; Jurcut, Anca; Ashraf, Imran (2022). Denial of Service Attack Classification Using Machine Learning with Multi-Features. Electronics, 11, 3817. doi:10.3390/electronics11223817)

Slide 8: MiTM – Man in The Middle Attacks
Attacker puts themselves in the middle of two communicating parties
ꟷ Eavesdropping: attacker passively listens to traffic
ꟷ Spoofing: attacker fakes responses to questions (e.g. DNS Spoofing)
ꟷ Hijacking: attacker actively mangles the communication
May steal data, inject packets or divert the communication
ꟷ Using social engineering, misconfigurations or vulnerabilities
Impact: CIA Triad is compromised
ꟷ Communications are not confidential
ꟷ Communication payloads are manipulated/changed
ꟷ Sessions are blocked or data is omitted

Slide 9: MiTM – Man in The Middle Attacks
(Figure: Alice and Bob communicating, with Eve eavesdropping and Mallory spoofing/hijacking; https://en.wikipedia.org/wiki/Alice_and_Bob)

Slide 10: Phishing Attack
Attacker uses fraudulent messages to trick victims
ꟷ Objective: provide information, exposing, download malware, pay for something
ꟷ Social Engineering attack exploring human vulnerabilities
ꟷ Messages resort to urgency, fear, curiosity, authority, greed
ꟷ Subtypes:
  Spear Phishing: crafted to trick a specific person
  Whaling: targets such as executives and high-net-worth individuals
  Smishing: uses SMS
  Vishing: uses phone calls
Impact: Financial loss, damage to public image, compromise of other systems

Slide 11: Phishing Attack
(Figure: example phishing messages exploiting authority and trust, and urgency and fear)

Slide 12: Malware
Infect systems with malicious software
ꟷ Using social engineering or software vulnerabilities
ꟷ Variations:
  Virus: requires some host to exist (binary file, document)
  Worm: isolated program that can run without others
  Trojan: disguised as another application (popular with keygens/cracks)
Impact: Financial loss, information loss, compromise of other systems, participation in attacks

Slide 13: Malware
(Figure: sandbox analysis report, https://www.joesandbox.com/analysis/1513069)

Slide 14: Ransomware
Malware that blocks access to a system until a ransom is paid
ꟷ Cryptoviral Extortion: encrypts user data and requests a ransom to release a key
ꟷ Explores social engineering or software vulnerabilities
  Social engineering such as phishing
  Software vulnerabilities allow fast propagation across systems
ꟷ Facilitated in systems with no defenses or perimeter defenses
Impact: Denial of Resources, Data loss, Severe disruption
ꟷ Considered extremely dangerous as operations may be disrupted for a long time
ꟷ Recovery will require Off Site Backups
  Sometimes Backups with a WORM (Write Once, Read Many) strategy

Slide 15: Ransomware
(Figure: ransomware attack chain, from Masoudeh Keshavarzi, Hamid Reza Ghaffary, I2CE3: A dedicated and separated attack chain for ransomware offenses as the most infamous cyber extortion, Computer Science Review, Volume 36, 2020, 100233, ISSN 1574-0137)

Slide 16: Password
Attacks targeting the discovery of passwords
ꟷ Explore social behavior (password reuse) and software vulnerabilities
ꟷ Note: Leaked passwords are compiled and distributed (see rockyou.txt)
ꟷ Types:
  Brute force: login attempts testing all possibilities
  Dictionary attack: testing common words
  Stuffing: testing leaked passwords
  Spraying: testing the same user across multiple services
  Keylogging: intercepting keys using malware
  Rainbow table attack: optimized brute force of hashed passwords
Impact: financial loss, system compromise, information loss, impersonation
Most common passwords:
1. 123456
2. admin
3. 12345678
4. 123456789
5. 1234
6. 12345
7. password
8. 123
9. Aa123456
10. 1234567890
11. UNKNOWN
12. 1234567
13. 123123
14. 111111
15. Password
16. 12345678910
17. 000000
18. Admin123
19. ********
20. user

Slide 17: Insider and Supplier Threats
An insider that uses their authorized access or understanding of an organization to harm that organization
ꟷ Collaborators: disgruntled, subverted or simply malicious
ꟷ Suppliers or contractors: create a variant named Supply Chain Attacks
ꟷ Explore weaknesses in a Perimeter Defense Model
  Insiders have wide access to resources (without monitoring?)
ꟷ Can be used to escalate the attack to other organizations
  Compromising a software company will potentially compromise their clients
Impact: Brand, Information, Total disruption
(Figure: SolarWinds Attack. Source: https://www.rpc.senate.gov/)

Slide 18: Injection
Exploration of a vulnerability allowing Injection of code into a program or query
ꟷ Code is later executed in the server or in other clients
  Code is an SQL statement, Javascript/python/bash/powershell/html/css code, binary instructions…
ꟷ Targets Databases, Web applications, binary applications…
ꟷ Due to improper handling of untrusted data which is accepted and later used
Impact: data loss, total system compromise
ꟷ Specific technique: Remote Code Injection: the system runs new malicious code provided by the attacker
Example:
  Query:     SELECT * FROM users WHERE username = "%u" AND pass="%p"
  Arguments: u=admin and p=qwerty
  Result:    SELECT * FROM users WHERE username = "admin" AND pass="qwerty"
  But if:    u=admin and p=" or 1=1 --
  Result:    SELECT * FROM users WHERE username = "admin" AND pass="" or 1=1 --"
  ("or 1=1" is always true; "--" starts a comment, which ignores what follows)

Slide 19: Information Security
Vulnerabilities are key to attack development!
(Diagram: the same measures/attacks relationship diagram as on slide 2)

Slide 20: Vulnerability tracking
During the development cycle, vulnerabilities are handled as bugs
ꟷ May have been handled by a security team or not
ꟷ May have a security classification, priority and time to be handled
When software is available, vulnerabilities are also tracked at a wider scale
ꟷ For every system and software publicly available
Public tracking helps…
ꟷ focusing the discussion around the same issue
  Ex: a dependency that is used in multiple applications or distributions
ꟷ defenders to easily test their systems, enhancing the security
ꟷ (attackers to easily know what vulnerability can be used against a given system)

Slide 21: Vulnerability tracking
There is even a market
(Figure)

Slide 22: CVE - Common Vulnerabilities and Exposures
What it is: Dictionary of publicly known information security vulnerabilities and exposures
ꟷ For vulnerability management
ꟷ For patch management
ꟷ For vulnerability alerting
ꟷ For intrusion detection
Uses common identifiers for the same issue in a given application (e.g. CVE-2024-1234)
ꟷ Enable data exchange between security products
ꟷ Provide a baseline index point for evaluating coverage of tools and services
ꟷ Details about a vulnerability can be kept private
  Part of responsible disclosure: until the owner provides a fix

Slide 23: CVE Identifiers
…aka CVE names, CVE numbers, CVE-IDs, CVEs
Unique, common identifiers for publicly known information security vulnerabilities
ꟷ Have "candidate" or "entry" status
  Candidate: under review for inclusion in the list
  Entry: accepted to the CVE List
Format
ꟷ CVE identifier number (CVE-Year-Order)
ꟷ Status (Candidate or Entry)
ꟷ Brief description of the vulnerability or exposure
ꟷ References to extra information

Slide 24: Definition: Vulnerability
A mistake in software that can be directly used by an attacker to gain access to a system or network
A mistake is a vulnerability if it allows an attacker to use it to violate a reasonable security policy for that system
ꟷ This excludes entirely "open" security policies in which all users are trusted, or where there is no consideration of risk to the system
A CVE vulnerability is a state in a computing system (or set of systems) that either:
ꟷ Allows an attacker to execute commands as another user
ꟷ Allows an attacker to access data that is contrary to the specified access restrictions for that data
ꟷ Allows an attacker to pose as another entity
ꟷ Allows an attacker to conduct a denial of service

Slide 25: Definition: Exposure
A configuration issue or a mistake in software allowing access to information or capabilities used as a stepping-stone into a system or network
A configuration issue or a mistake is an exposure if it does not directly allow compromise
ꟷ But could be an important component of a successful attack, and is a violation of a reasonable security policy
An exposure describes a state in a computing system (or set of systems) that is not a vulnerability, but either:
ꟷ Allows an attacker to conduct information gathering activities
ꟷ Allows an attacker to hide activities
ꟷ Includes a capability that behaves as expected, but can be easily compromised
ꟷ Is a primary point of entry that an attacker may attempt to use to gain access to the system or data
ꟷ Is considered a problem by some reasonable security policy

Slide 26: CVE number statistics (from cvedetails.com)
(Figure)

Slide 27: Vulnerabilities and Software
The number of vulnerabilities always increases
ꟷ Even if it is solved for a given software, it is still present in older (non-updated) versions
  May be relevant in systems without updates or due to downgrade attacks
Vulnerabilities are a common aspect of software
ꟷ They are not only bugs, as there is an impact!
ꟷ There should be a process to handle them
  Vendors: track vulnerabilities and issue fixes to clients
  Clients: be informed about vulnerabilities and apply updates
ꟷ Not all vulnerabilities can be corrected. Sometimes only the attack is mitigated (e.g. segmenting the network, or disabling a feature)

Slide 28: Zero Day (or Zero Hour) Attack/Threat
Attack using vulnerabilities which are:
ꟷ Unknown to others
ꟷ Undisclosed to the software vendor
Occurs at day zero of the knowledge about those vulnerabilities
ꟷ For which no security fix is available
A single "day zero" may exist for months/years
ꟷ Known to attackers, unknown to others
ꟷ Frequently part of an attack arsenal
ꟷ Traded around in specific markets

Slide 29: Vulnerability Disclosure
Disclosure of new vulnerabilities should be coordinated with the vendor
ꟷ Typical Coordination:
  1. Describe the vulnerability to the vendor
  2. Vendor starts the correction process and agrees on a timeline
  3. Updates are issued and a CVE entry is created (the vulnerability is made public)
  4. Clients update the software, deploy protections or mitigate the impact
  5. The community discusses the root cause of the issue
Vital to prevent Zero Day attacks
ꟷ Clients will be (mostly) fixed when the vulnerability becomes public
Requires collaboration from vendors

Slide 30: Vulnerability detection
Specific tools can detect vulnerabilities
ꟷ Exploiting known vulnerabilities
ꟷ Testing known vulnerability patterns, e.g. buffer overflow, SQL injection, XSS, etc.
Specific tools can replicate known attacks
ꟷ Use known exploits for known vulnerabilities, e.g. the MS Samba v1 exploit used by WannaCry
ꟷ Can be used to implement countermeasures
It is vital to assert the robustness of production systems and applications
ꟷ Auditing service often provided by third-party companies

Slide 31: Vulnerability detection
Can be applied to:
ꟷ Source code (static analysis): OWASP LAPSE+, RIPS, Veracode, …
ꟷ Running application (dynamic analysis): Valgrind, Rational, AppScan, GCC, …
ꟷ Externally, as a remote client: OpenVAS, Metasploit, …
Should not be blindly applied to production systems!
ꟷ Potential data loss/corruption
ꟷ Potential DoS
ꟷ Potential illegal activity

Slide 32: Vulnerability management
(Figure: Symptoms / Vulnerabilities sitting on top of Mistakes / Anti-patterns)
Discussing and fixing vulnerabilities is important, yet insufficient
ꟷ They will just keep appearing, non-stop
Vital to discuss the root mistake of each vulnerability
ꟷ So that it can be fixed, preventing future vulnerabilities
Vulnerabilities exist because of Anti-patterns
ꟷ Wrong or fragile implementation of logic structures
ꟷ Which exist because of lack of training, wrongly defined features, wrong design, wrong processes…

Slide 33: CWE - Common Weakness Enumeration
(Figure: Symptoms / Vulnerabilities, represented as CVE; Mistakes / Anti-patterns, represented as CWE)
Common language for discussing, finding and dealing with the causes of software security vulnerabilities
ꟷ Found in code, design, or system architecture
ꟷ Each individual CWE represents a single vulnerability type
ꟷ Currently maintained by the MITRE Corporation
A detailed CWE list is currently available at the MITRE website
ꟷ The list provides a detailed definition for each individual CWE
Individual CWEs are held within a hierarchical structure
ꟷ CWEs at higher levels provide a broad overview of a vulnerability type
  Can have many children CWEs associated with them
ꟷ CWEs at deeper levels provide a finer granularity
  Usually have fewer or no children CWEs

Slide 34: CWE-416: Use After Free
https://cwe.mitre.org/data/definitions/416.html
The product reuses or references memory after it has been freed.
ꟷ At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
Mitigation
  Phase: Architecture and Design
  Strategy: Language Selection: choose a language that provides automatic memory management.
Mitigation
  Phase: Implementation
  Strategy: Attack Surface Reduction: when freeing pointers, be sure to set them to NULL once they are freed. However, the utilization of multiple or complex data structures may lower the usefulness of this strategy.
  Effectiveness: Defense in Depth
Note: check the URL to see the parent CWEs and associated CVEs

Slide 35: OWASP Top 10
10 most common vulnerability types found in real systems
Reviewed every 4 years from real world security assessments
ꟷ 2025 Edition being prepared now!
Each type contains multiple CWEs to be prevented
Industry can focus on the most common problems
ꟷ Improve training, testing and awareness in these areas
ꟷ Improve toolkits, languages and frameworks
ꟷ Create detection and defenses against typical vulnerabilities
A01 Broken Access Control
A02 Cryptographic Failures
A03 Injection
A04 Insecure Design
A05 Security Misconfiguration
A06 Vulnerable and Outdated Components
A07 Identification and Authentication Failures
A08 Software and Data Integrity Failures
A09 Security Logging and Monitoring Failures
A10 Server Side Request Forgery (SSRF)
https://owasp.org/Top10/

Slide 36: OWASP Top 10
Popular mistakes are prevented, while others arise
(Figure: https://owasp.org/Top10/)
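As an added example (not part of the lecture), the following Python runs over a constructed authentication log and flags the two patterns a defender watches for after the Password slide: repeated failures against one account (brute force / dictionary guessing, and whether a success followed them) and one source failing on many distinct accounts (the shape of credential stuffing). The log format, user names and addresses are made up.

```python
import re
from collections import defaultdict

# Constructed sample auth log for this example (format, user names and
# addresses are made up; 203.0.113.0/24 and 198.51.100.0/24 are test ranges).
SAMPLE_LOG = """\
2024-05-01T10:00:01 sshd: Failed password for admin from 203.0.113.5
2024-05-01T10:00:02 sshd: Failed password for admin from 203.0.113.5
2024-05-01T10:00:03 sshd: Failed password for admin from 203.0.113.5
2024-05-01T10:00:04 sshd: Failed password for admin from 203.0.113.5
2024-05-01T10:00:05 sshd: Failed password for admin from 203.0.113.5
2024-05-01T10:00:06 sshd: Accepted password for admin from 203.0.113.5
2024-05-01T10:01:00 sshd: Failed password for alice from 203.0.113.9
2024-05-01T10:01:01 sshd: Failed password for bob from 203.0.113.9
2024-05-01T10:01:02 sshd: Failed password for carol from 203.0.113.9
2024-05-01T10:02:00 sshd: Failed password for dave from 198.51.100.7
2024-05-01T10:02:30 sshd: Accepted password for dave from 198.51.100.7
"""

LINE_RE = re.compile(r"^(\S+) sshd: (Failed|Accepted) password for (\S+) from (\S+)$")

def parse(log):
    """Return (timestamp, outcome, user, source) tuples; unmatched lines are skipped."""
    return [m.groups() for m in map(LINE_RE.match, log.splitlines()) if m]

def detect(events, bf_threshold=5, spread_threshold=3):
    """Return sorted (source, user, reason) triples worth an analyst's attention."""
    failures = defaultdict(int)        # (src, user) -> failed attempts so far
    users_by_src = defaultdict(set)    # src -> distinct accounts it failed on
    success_after_failure = set()      # pairs where a success followed failures
    for _ts, outcome, user, src in events:
        if outcome == "Failed":
            failures[(src, user)] += 1
            users_by_src[src].add(user)
        elif failures[(src, user)]:
            # A login that succeeds after failed guesses: a guess may have worked.
            success_after_failure.add((src, user))
    alerts = []
    for (src, user), n in failures.items():
        if n >= bf_threshold:
            reason = "brute force (%d failures)" % n
            if (src, user) in success_after_failure:
                reason += " followed by success"
            alerts.append((src, user, reason))
    for src, users in users_by_src.items():
        if len(users) >= spread_threshold:
            alerts.append((src, "*", "%d accounts tried from one source" % len(users)))
    return sorted(alerts)
```

A single failure followed by a success (dave) produces no alert, so ordinary typos stay below the thresholds.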
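The query from the Injection slide, rerun as an added Python example (not the lecture's own code) against a constructed in-memory SQLite table: the string-built login accepts the slide's "or 1=1 --" password for any username, while the same query with bound parameters does not. The SQL literals use single quotes (an assumption; the slide shows double quotes) and the accounts are made up.

```python
import sqlite3

PAYLOAD = "' or 1=1 --"   # the slide's password argument, with single quotes

def make_db():
    """Constructed sample users table (made-up accounts, plaintext for brevity)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, pass TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("admin", "qwerty"), ("alice", "s3cret")])
    return db

def vulnerable_login(db, u, p):
    """The slide's pattern: the inputs are pasted into the SQL text.
    With p = PAYLOAD the statement becomes
    ... WHERE username = 'admin' AND pass = '' or 1=1 --'
    which is true for every row, and the trailing quote is commented out."""
    query = f"SELECT * FROM users WHERE username = '{u}' AND pass = '{p}'"
    return db.execute(query).fetchone() is not None

def safe_login(db, u, p):
    """Bound parameters: the driver passes the values separately from the
    SQL text, so PAYLOAD is compared as an ordinary (wrong) password."""
    query = "SELECT * FROM users WHERE username = ? AND pass = ?"
    return db.execute(query, (u, p)).fetchone() is not None

def demo():
    """Outcome of each login function for a valid password and for PAYLOAD."""
    db = make_db()
    return {
        "vulnerable/valid": vulnerable_login(db, "admin", "qwerty"),
        "vulnerable/payload": vulnerable_login(db, "admin", PAYLOAD),
        "vulnerable/payload,unknown user": vulnerable_login(db, "nobody", PAYLOAD),
        "safe/valid": safe_login(db, "admin", "qwerty"),
        "safe/payload": safe_login(db, "admin", PAYLOAD),
    }
```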
