sodapdf-merged (7).pdf
Document Details
Uploaded by CrispDenouement2592
University of Westminster
Tags
Related
- Week 1 Introduction: The Danger (CS 6353) Network and System Security PDF
- CS 204: Interconnection of Cyber Physical Systems Week 10: Security Lecture Notes PDF
- Network Security Features, Defense Techniques & Solutions PDF
- Network Security Concepts - GuidesDigest Training PDF
- Cyber Security Part 2 PDF
- Cyber Security TM256 Lecture Notes PDF
Full Transcript
Security Controls 6COSC019W- Cyber Security Dr Ayman El Hajjar February 19, 2024 School of Computer Science and Engineering University of Westminster Security Controls Application layer controls Host to Host/Transport layer Controls Network Layer Security O UTLINE 1. S...
Security Controls 6COSC019W- Cyber Security Dr Ayman El Hajjar February 19, 2024 School of Computer Science and Engineering University of Westminster Security Controls Application layer controls Host to Host/Transport layer Controls Network Layer Security O UTLINE 1. Security Controls 2. Application layer controls 3. Host to Host/Transport layer Controls 4. Network Layer Security 1 Security Controls Security Controls Application layer controls Host to Host/Transport layer Controls Network Layer Security S ECURITY C ONTROL Control is defned as: “An action, device, procedure, or other measure that reduces risk by eliminating or preventing a security violation, by minimizing the harm it can cause, or by discovering and reporting it to enable corrective action.” 1 Security Controls Application layer controls Host to Host/Transport layer Controls Network Layer Security C ONTROL C LASSIFICATIONS Management controls ✺ Focus on security policies, planning, guidelines, and standards that infuence the selection of operational and technical controls to reduce the risk of loss and to protect the organization’s mission ✺ These controls refer to issues that management needs to address Operational controls ✺ Address the correct implementation and use of security policies and standards, ensuring consistency in security operations and correcting identifed operational defciencies ✺ These controls relate to mechanisms and procedures that are primarily implemented by people rather than systems ✺ They are used to improve the security of a system or group of systems 2 Security Controls Application layer controls Host to Host/Transport layer Controls Network Layer Security C ONTROL C LASSIFICATIONS Technical controls ✺ Involve the correct use of hardware and software security capabilities in systems ✺ These range from simple to complex measures that work together to secure critical and sensitive data, information, and IT systems functions 3 Security Controls Application layer controls Host to Host/Transport layer Controls Network Layer Security C ONTROL C LASSES Each of the control classes may include the following: Supportive controls ✺ Pervasive, generic, underlying technical IT security capabilities that are interrelated with, and used by, many other controls Preventative controls ✺ Focus on preventing security breaches from occurring, by inhibiting attempts to violate security policies or exploit a vulnerability Detection and recovery controls ✺ Focus on the response to a security breach, by warning of violations or attempted violations of security policies or the identifed exploit of a vulnerability and by providing means to restore the resulting lost computing resources 4 Security Controls Application layer controls Host to Host/Transport layer Controls Network Layer Security T ECHNICAL CONTROLS - TCP/IP SECURITY SOLUTION A number of approaches to providing Internet security are possible. The various approaches that have been considered are similar in the services they provide in relation to to the TCP/IP protocol stack. Relative location of security facilities in the TCP/IP protocol stack 5 Application layer controls Security Controls Application layer controls Host to Host/Transport layer Controls Network Layer Security E MAIL S ECURITY: MIME AND S/MIME Multipurpose Internet Mail Secure/Multipurpose Internet Extension Mail Extension ✺ Simple heading with To, From, Security enhancement to the Subject MIME Internet e-mail format ✺Assumes ASCII text format ✺ Based on technology Provides a number of new from RSA Data Security header felds that defne Provides the ability to sign information about the body of the and/or encrypt e-mail messages message 6 Security Controls Application layer controls Host to Host/Transport layer Controls Network Layer Security S/M IME F UNCTIONS 6 Security Controls Application layer controls Host to Host/Transport layer Controls Network Layer Security S IMPLIFIED S/MIME F UNCTIONAL F LOW 6 Security Controls Application layer controls Host to Host/Transport layer Controls Network Layer Security P RETTY G OOD P RIVACY (PGP) C RYPTOGRAPHY ❏ Another standard for electronic-mail encryption and digital signatures ❏ Use a Public Private Keys (PPK) method ❐ Users can sign one another’s public keys, adding some degree of confdence to a key’s validity ❐ Someone who signs another’s public key acts as an introducer for that person to someone else so that if someone trusts the introducer, they should also trust the person who’s being introduced ❐ Pretty Good Privacy (PGP) is often used to encrypt documents that can be shared via e-mail over the open Internet ❏ S/MIME and Open PGP use proprietary encryption techniques and handle digital signatures differently 7 Security Controls Application layer controls Host to Host/Transport layer Controls Network Layer Security DNS THREATS P REVENTION ❏ DNSSEC adds ❏ To prevent DNS Hijacking and considerable load to dns DNS Pharming, DNS Security servers with packet sizes (DNSSEC) is deployed to ensure: considerably larger than ❐ Authenticity of DNS answer 512 byte size of UDP origin packets ❐ Integrity of reply ❐ Authenticity of denial of existence ❐ Accomplishes this by signing DNS replies at each step of the way ❐ Uses public-key cryptography to sign responses DNSSEC Signing 8 Security Controls Application layer controls Host to Host/Transport layer Controls Network Layer Security S ECURE S HELL (SSH) A protocol for secure network communications designed to be relatively simple and inexpensive to implement The initial version, SSH1 was focused on providing a secure remote logon facility to replace TELNET and other remote login schemes that provided no security SSH also provides a more general client/server capability and can be used for such network functions as fle transfer and e-mail SSH client and server applications are widely available for most operating systems SSH2 fxes a number of security faws in the original scheme. 9 Security Controls Application layer controls Host to Host/Transport layer Controls Network Layer Security SSH transport layer packets exchange 10 Security Controls Application layer controls Host to Host/Transport layer Controls Network Layer Security SSH PROTOCOL PACKET EXCHANGE First, the client establishes a TCP connection to the server. This is done via the TCP protocol and is not part of the Transport Layer Protocol. Once the connection is established, the client and server exchange packets in the data feld of a TCP segment. SSH protocol packet exchanges 11 Security Controls Application layer controls Host to Host/Transport layer Controls Network Layer Security SSH PROTOCOL STACK SSH protocol stack 12 Host to Host/Transport layer Controls Security Controls Application layer controls Host to Host/Transport layer Controls Network Layer Security T RANSPORT LAYER S ECURITY - A DEFINITION 13 Security Controls Application layer controls Host to Host/Transport layer Controls Network Layer Security TLS PROTOCOL STACK TLS is designed to make use of TCP to provide a reliable end-to-end secure service. The TLS Record Protocol provides basic security services to various higher layer protocols. Three higher-layer protocols are defned as part of TLS: ✺ The Handshake Protocol; ✺ The Change Cipher Spec Protocol; ✺ and the Alert Protocol. These TLS specifc protocols are used in the management of TLS exchanges. A fourth protocol, the Heartbeat Protocol, is defned in a separate RFC. 14 Security Controls Application layer controls Host to Host/Transport layer Controls Network Layer Security TLS C ONCEPTS Two important TLS concepts are the TLS session and the TLS connection which are defned in the specifcation. ✺ TLS Session: ❍ Created by the Handshake Protocol ❍ Defne a set of cryptographic parameters ❍ Used to avoid the expensive negotiation of new security parameters for each connection ✺ TLS Connection: ❍ A transport layer protocol that provides a suitable type of service ❍ Peer-to-peer relationships ❍ Every connection is associated with one session 15 Security Controls Application layer controls Host to Host/Transport layer Controls Network Layer Security TLS H ANDSHAKE MESSAGES Most complex part of TLS Is used before any application data are transmitted Allows server and client to: ✺ Authenticate Each Other → Negotiate encryption and MAC algorithms → Negotiate cryptographic keys to be used Comprises a series of messages exchanged by client and server Exchange has four phases 16 Security Controls Application layer controls Host to Host/Transport layer Controls Network Layer Security H ANDSHAKE PROTOCOL ACTION 17 Security Controls Application layer controls Host to Host/Transport layer Controls Network Layer Security HTTPS (HTTP OVER TSL) Combination of HTTP and TLS (RFC 2818, HTTP Over TLS) to implement secure communication between a Web browser and a Web server Built into all modern Web browsers ✺ URL addresses begin with https:// Agent acting as the HTTP client also acts as the TLS client Closure of an HTTPS connection requires that TLS close the connection with the peer TLS entity on the remote side, which will involve closing the underlying TCP connection 18 Network Layer Security Security Controls Application layer controls Host to Host/Transport layer Controls Network Layer Security IP S ECURITY RFC 1636: “Security in the Internet Architecture” issued in 1994 by the Internet Architecture Board (IAB) Security for IP & Networks ✺ Need to secure the network infrastructure from unauthorised monitoring and control of network traffc ✺ Need to secure end-user-to-end-user traffc using authentication and encryption mechanisms 19 Security Controls Application layer controls Host to Host/Transport layer Controls Network Layer Security A PPLICATIONS OF IP SEC IPsec provides the capability to secure communications across a LAN, private and public WANs, and the Internet Examples include: ✺ Secure branch offce connectivity over the Internet ✺ Secure remote access over the Internet ✺ Establishing extranet and intranet connectivity with partners ✺ Enhancing electronic commerce security Principal feature of IPsec is that it can encrypt and/or authenticate all traffc at the IP level ✺ Thus all distributed applications (remote logon, client/server, e-mail, fle transfer, Web access) can be secured 20 Security Controls Application layer controls Host to Host/Transport layer Controls Network Layer Security IP SEC S ERVICES IPsec provides security services at the IP layer by enabling a system to: ✺ Select required security protocols ✺ Determine the algorithm(s) to use for the service(s) ✺ Put in place any cryptographic keys required to provide the requested services RFC 4301 lists the following services: ✺ Access control ✺ Connectionless integrity ✺ Data origin authentication ✺ Rejection of replayed packets (Integrity) ✺ Confdentiality (encryption/confdentiality) 21 Security Controls Application layer controls Host to Host/Transport layer Controls Network Layer Security B ENEFITS OF IPS EC When IPsec is implemented in a frewall or router, it provides strong security that can be applied to all traffc crossing the perimeter Traffc within a company or workgroup does not incur the overhead of security-related processing IPsec is below the transport layer (TCP, UDP) and so is transparent to applications There is no need to train users on security mechanisms This is useful for offsite workers and for setting up a secure virtual subnetwork within an organisation for sensitive applications 22 Security Controls Application layer controls Host to Host/Transport layer Controls Network Layer Security T HE SCOPE OF IPS EC Provides two main functions: ✺ A combined authentication/encryption function called Encapsulating Security Payload (ESP) ✺ Key exchange function Also an authentication-only function, implemented using an Authentication Header (AH) ✺ Because message authentication is provided by ESP, the use of AH is included in IPsecv3 for backward compatibility but should not be used in new applications VPNs want both authentication and encryption 23 Security Controls Application layer controls Host to Host/Transport layer Controls Network Layer Security T RANSPORT M ODE Provides protection primarily for upper-layer protocols Examples include a TCP or UDP segment or an ICMP packet Typically used for end-to-end communication between two hosts ESP in transport mode encrypts and optionally authenticates the IP payload but not the IP header AH in transport mode authenticates the IP payload and selected portions of the IP header 24 Security Controls Application layer controls Host to Host/Transport layer Controls Network Layer Security T UNNEL M ODE Provides protection to the entire IP packet Used when one or both ends of a security association (SA) are a security gateway A number of hosts on networks behind frewalls may engage in secure communications without implementing IPsec ESP in tunnel mode encrypts and optionally authenticates the entire inner IP packet, including the inner IP header AH in tunnel mode authenticates the entire inner IP packet and selected portions of the outer IP header 25 Security Controls Application layer controls Host to Host/Transport layer Controls Network Layer Security IPS EC : T UNNEL MODE FORMAT Tunnel mode makes use of an IPsec function, a combined authentication/encryption function called Encapsulating Security Payload (ESP), and a key exchange function. For VPNs, both authentication and encryption are generally desired, because it is important both to (1) assure that unauthorised users do not penetrate the VPN, and (2) assure that eavesdroppers on the Internet cannot read messages sent over the VPN. Tunnel mode format 26 Security Controls Application layer controls Host to Host/Transport layer Controls Network Layer Security R EFERENCES ❏ The lecture notes and contents were compiled from my own notes and from various sources. ❏ Figures and tables are from the recommended books ❏ The lecture notes are very detailed. If you attend the lecture, you should be able to understand the topics. ❏ You can use any of the recommended readings! You do not need to read all the chapters! ❏ Recommended Readings note: Focus on what was covered in the class. ❐ Chapter 13- Attack and Defence, CEH v11 Certifed Ethical Hacker Study Guide ❐ SQL Injection on Owasp site Link ❐ Chapter 8, Malicious Software and Attack Vectors, Fundamentals of Information Systems Security ❐ Chapter 15, 16 & 17, CyBOK, The Cyber Security Body of Knowledge 27 Malicious Software 6COSC019W- Cyber Security Dr Ayman El Hajjar February 20, 2024 School of Computer Science and Engineering University of Westminster Malicious Software Malware Taxonomy Malware Types Payload Classifcations Threats & Countermeasures O UTLINE 1. Malicious Software 2. Malware Taxonomy 3. Malware Types 4. Payload Classifcations 5. Threats & Countermeasures 1 Malicious Software Malicious Software Malware Taxonomy Malware Types Payload Classifcations Threats & Countermeasures M ALWARE NIST 800-83 defnes malware as: “A program that is inserted into a system, usually covertly, with the intent of compromising the confdentiality, integrity, or availability of the victim’s data, applications, or operating system or otherwise annoying or disrupting the victim.” NCSC defnes malware as: “a term that includes virus, trojans, worms or any code or content that could have an adverse impact on organisations or individuals..” 2 Malicious Software Malware Taxonomy Malware Types Payload Classifcations Threats & Countermeasures M ALICIOUS C ODE AND ACTIVITY ❏ Any program that carries out actions that you (user/System) did not intend to do is considered to be a Malicious software (malware) ❏ Malicious code attacks one or more of the three information security properties: ❐ Confdentiality: Malware can disclose your organisation’s private information ❐ Integrity: Malware can modify database records, either immediately or over a period of time ❐ Availability: Malware can erase or overwrite fles or infict considerable damage to storage media 3 Malicious Software Malware Taxonomy Malware Types Payload Classifcations Threats & Countermeasures C HARACTERISTICS , A RCHITECTURE , AND O PERATIONS OF MA- LICIOUS S OFTWARE ❏ An attacker gains administrative control of a system and uses commands to infict harm ❏ An attacker sends commands directly to a system; the system interprets and executes them ❏ An attacker uses software programs that harm a system or that make the data unusable ❏ An attacker uses legitimate remote administration tools and security probes to identify and exploit security vulnerabilities on a network 4 Malware Classifcations Malicious Software Malware Taxonomy Malware Types Payload Classifcations Threats & Countermeasures M ALWARE C LASSIFICATION APPROACH ❏ The original approach to classify malware focuses on how they spread or propagate through an information system environment to reach the desired target/s ❏ A more conventional approach was developed to consider all dimensions of malware in order to classify them. ❏ This approach is used by the NCSC and it contains the following dimensions: ❐ Host dependent or independent ❐ persistent or transient ❐ Where it install itself (persistent malware only) ❐ How it is triggered ❐ Static or dynamically updated ❐ Act alone or coordinated attack 5 Malicious Software Malware Taxonomy Malware Types Payload Classifcations Threats & Countermeasures M ALWARE C LASSIFICATION APPROACH ❏ Host dependent or Independent malware ❐ Independent malware or standalone is a complete program that can run on its own once it is installed on a compromised machine and executed. ❐ Host dependent malware requires a host program to run. It cannot run independently, but infect a program on a computer by inserting its instructions into the program or modifying the host code. ❏ Persistent or Transient ❐ Persistent malware are installed in persistent storage such as a fle system (your hard drive) or an external storage device. They can be either standalone or host independent. ❐ Transient malware are installed in volatile memory such as as RAM memory. 6 Malicious Software Malware Taxonomy Malware Types Payload Classifcations Threats & Countermeasures M ALWARE C LASSIFICATION APPROACH ❏ Where it install itself ❐ This dimension generally applies to only persistent malware (Ones that requires installation) ❐ Malware are categorised based on which layer of the system stack the malware is installed and run on ❐ this could the frmware, the boot sector, the operating system level, the driver, the api, or user application ❏ How it is triggered ❐ Auto-spreading malware runs and then looks for other vulnerable machines on the Internet, compromises these machines and installs itself on them; ❐ User-activated malware is run on a computer only because a user accidentally downloads and executes it, e.g., by clicking on an attachment or URL in a received email. 7 Malicious Software Malware Taxonomy Malware Types Payload Classifcations Threats & Countermeasures M ALWARE C LASSIFICATION APPROACH ❏ Static or dynamically updated ❐ Malware that are supported by an infrastructure and can still communicate with such infrastructure are dynamically updated with new version regularly. ❐ Static malware or one time malware has no infrastructure to support it and are standalone software with no network connection to an external infrastructure ❏ Act alone or coordinated attack ❐ Act alone malware are isolated malware that runs on their own. They do not participate in a larger scale attack. Such malware usually have a specifc target. ❐ Coordinated malware are attacks that contribute to a larger scale attack as on their own they will not cause much damage. For example, collectively several devices infected by such malware can cause networks or systems to crash (DDoS). 8 Malware Types Malicious Software Malware Taxonomy Malware Types Payload Classifcations Threats & Countermeasures M ALWARE C ONTENTS ❏ Malware are divided into two parts: ❐ Infection mechanism: How it propagates ❐ The Payload: what happens after it reaches the target 9 Malicious Software Malware Taxonomy Malware Types Payload Classifcations Threats & Countermeasures T HE M AIN T YPES OF M ALWARE ❏ Virus ❏ Denial of service attacks ❏ Spam ❏ Spyware ❏ Worms ❏ Adware ❏ Trojan horses ❏ Phishing ❏ Logic bombs ❏ Keystroke loggers ❏ Active content ❏ Hoaxes and myths vulnerabilities ❏ Homepage hijacking ❏ Malicious add-ons ❏ Webpage defacements ❏ Botnets 10 Malicious Software Malware Taxonomy Malware Types Payload Classifcations Threats & Countermeasures V IRUS ❏ Piece of software that infects programs ❐ Modifes them to include a copy of the virus ❐ Replicates and goes on to infect other content ❐ Easily spread through network environments ❏ When attached to an executable program a virus can do anything that the program is permitted to do ❐ Executes secretly when the host program is run ❏ Specifc to operating system and hardware ❐ Takes advantage of their details and weaknesses 11 Malicious Software Malware Taxonomy Malware Types Payload Classifcations Threats & Countermeasures V IRUS C OMPONENTS Infection Mechanism ❏ Means by which a virus spreads or propagates ❏ Also referred to as the infection vector Trigger ❏Event or condition that determines when the payload is activated or delivered ❏ Sometimes known as a logic bomb Payload ❏ What the virus does (besides spreading) ❏ May involve damage or benign but noticeable activity 12 Malicious Software Malware Taxonomy Malware Types Payload Classifcations Threats & Countermeasures V IRUS P HASES 13 Malicious Software Malware Taxonomy Malware Types Payload Classifcations Threats & Countermeasures V IRUS C LASSIFICATIONS : B Y TARGETS Boot sector infector ❏ Infects a master boot record or boot record and spreads when a system is booted from the disk containing the virus File Infectors ❏ Infects fles that the operating system or shell considers to be executable Macro virus ❏ Infects fles with macro or scripting code that is interpreted by an application Multipartite virus ❏ Infects fles in multiple ways 14 Malicious Software Malware Taxonomy Malware Types Payload Classifcations Threats & Countermeasures V IRUS C LASSIFICATIONS : B Y CONCEALMENT STRATEGY Encrypted virus ❏A portion of the virus creates a random encryption key and encrypts the remainder of the virus Stealth virus ❏ A form of virus explicitly designed to hide itself from detection by anti-virus software Polymorphic virus ❏A virus that mutates with every infection Metamorphic virus ❏ A virus that mutates and rewrites itself completely at each iteration and may change behaviour as well as appearance 15 Malicious Software Malware Taxonomy Malware Types Payload Classifcations Threats & Countermeasures M ALVERTISING ❏ Places malware on websites without actually compromising them ❏ The attacker pays for advertisements that are highly likely to be placed on their intended target websites and incorporate malware in them ❏ Using these malicious ads, attackers can infect visitors to sites displaying them ❏The malware code may be dynamically generated to either reduce the chance of detection or to only infect specifc systems ❏ Has grown rapidly in recent years because they are easy to place on desired websites with few questions asked and are hard to track ❏ Attackers can place these ads for as little as a few hours, when they expect their intended victims could be browsing the targeted websites, greatly reducing their visibility 16 Malicious Software Malware Taxonomy Malware Types Payload Classifcations Threats & Countermeasures C LICKJACKING ❏ Also known as a user-interface (UI) redress attack ❏ Using a similar technique, keystrokes can also be hijacked ❐ A user can be led to believe they are typing in the password to their email or bank account, but are instead typing into an invisible frame controlled by the attacker ❏ Vulnerability used by an attacker to collect an infected user’s clicks ❐ The attacker can force the user to do a variety of things from adjusting the user’s computer settings to unwittingly sending the user to Web sites that might have malicious code ❐ A typical attack uses multiple transparent or opaque layers to trick a user into clicking on a button or link on another page when they were intending to click on the top level page ❐ The attacker is hijacking clicks meant for one page and routing them to another page 17 Malicious Software Malware Taxonomy Malware Types Payload Classifcations Threats & Countermeasures S OCIAL E NGINEERING ❏ “Tricking” users to assist in the compromise of their own systems 18 Malicious Software Malware Taxonomy Malware Types Payload Classifcations Threats & Countermeasures M ACRO AND S CRIPTING VIRUS ❏ Macro virus infect scripting code used to support active content in a variety of user document types ❏ Are threatening for a number of reasons: ❐ Is platform independent ❐ Infect documents, not executable portions of code ❐ Are easily spread ❐ Because they infect user documents rather than system programs, traditional fle system access controls are of limited use in preventing their spread, since users are expected to modify them ❐ Are much easier to write or to modify than traditional executable virus 19 Malicious Software Malware Taxonomy Malware Types Payload Classifcations Threats & Countermeasures M ACRO AND S CRIPTING VIRUS : T RUSTED D OWNLOAD ? 20 Malicious Software Malware Taxonomy Malware Types Payload Classifcations Threats & Countermeasures ACTIVE C ONTENT VIRUS ❏ Active content ❐ Refers to dynamic objects that do something when the user opens a webpage (ActiveX, Java, JavaScript, VBScript, macros, browser plugins, PDF fles, and other scripting languages) ❐ Has potential weaknesses that malware can exploit ❏ Active content threats are considered mobile code because these programs run on a wide variety of computer platforms ❏ Users download bits of mobile code, which gain access to the hard disk and do things like fll up desktop with infected fle icons 21 Malicious Software Malware Taxonomy Malware Types Payload Classifcations Threats & Countermeasures W ORMS ❏ Program that actively seeks out more machines to infect and each infected machine serves as an automated launching pad for attacks on other machines ❏ Exploits software vulnerabilities in client or server programs ❏ Usually carries some form of payload 22 Malicious Software Malware Taxonomy Malware Types Payload Classifcations Threats & Countermeasures W ORM T ECHNOLOGY 1. Multiplatform: Worms are not Operating System specifc. 2. Multi-exploit: Worms penetrate systems using a variety of methods 3. Ultrafast spreading: Exploit various techniques to optimize the rate of spread of the worm 4. Polymorphic: To evade detection, skip past flters, and foil real-time analysis, worms adopt the virus polymorphic technique. 5. Metamorphic: In addition to changing their appearance, metamorphic worms have a collection of behaviour patterns that are unleashed at different stages of propagation. 6. Zero-day exploit : To achieve maximum surprise and distribution, a worm should exploit an unknown vulnerability that is only discovered by the general network community when the worm is launched. 23 Malicious Software Malware Taxonomy Malware Types Payload Classifcations Threats & Countermeasures R OOTKITS ❏ Type of malware that modifes or replaces one or more existing programs to hide the fact that a computer has been compromised ❏ Modify parts of the operating system to conceal traces of their presence ❏ Provide attackers with access to compromised computers and easy access to launching additional attacks ❏ Diffcult to detect and remove 24 Malicious Software Malware Taxonomy Malware Types Payload Classifcations Threats & Countermeasures R OOTKITS C LASSIFICATION C HARACTERISTICS 1. Persistent: Activates each time the system boots. The rootkit must store code in a persistent store, such as the registry or fle system, and confgure a method by which the code executes without user intervention. 2. Memory based: Has no persistent code and therefore cannot survive a reboot. However, because it is only in memory, it can be harder to detect. 3. User mode: Intercepts calls to APIs (application program interfaces) and modifes returned results. 4. Kernel mode: Can intercept calls to native APIs in kernel mode. The rootkit can also hide the presence of a malware process by removing it from the kernel’s list of active processes. 5. External mode: The malware is located outside the normal operation mode of the targeted system, in BIOS or system management mode, where it can directly access hardware. 25 Payload Classifcations Malicious Software Malware Taxonomy Malware Types Payload Classifcations Threats & Countermeasures PAYLOAD ❏ Payload are classifed based on the damage or threat they bring to the system ❏ The different classes of payload are: ❐ System Corruption ❐ Attack Agents Bots ❐ Remote Control Facility ❐ Information Theft- Keyloggers and Spyware ❐ Information Theft- Phishing ❐ Stealthing Backdoor ❐ Stealthing Rootkit System Corruption ❏ Causes damage to physical equipment such as Stuxnet worm ❐ Targets specifc industrial control system software ❏ There are concerns about using sophisticated targeted malware for industrial sabotage 26 Malicious Software Malware Taxonomy Malware Types Payload Classifcations Threats & Countermeasures PAYLOAD CLASSES Attack Agents Bots ❏ Takes over another Internet attached computer and uses that computer to launch or manage attacks ❏ Botnet - collection of bots capable of acting in a coordinated manner ❐ For example DDoS botnets Remote Control Facility ❏ Typical means of implementing the remote control facility is on an IRC server ❐ Bots join a specifc channel on this server and treat incoming messages as commands 27 Malicious Software Malware Taxonomy Malware Types Payload Classifcations Threats & Countermeasures PAYLOAD CLASSES Information Theft- Keyloggers and Spyware ❏ Keyloggers ❐ Captures keystrokes to allow attacker to monitor sensitive information ❏ Spyware ❐ Subverts the compromised machine to allow monitoring of a wide range of activity on the system Information Theft- Phishing ❏ Phishing exploits social engineering to leverage the user’s trust by masquerading as communication from a trusted source ❐ Include a URL in a spam e-mail that links to a fake Web site that mimics the login page of a banking, gaming, or similar site ❐ Attacker exploits the account using the captured 28 credentials Malicious Software Malware Taxonomy Malware Types Payload Classifcations Threats & Countermeasures PAYLOAD CLASSES Stealthing Backdoor ❏ Secret entry point into a program allowing the attacker to gain access and bypass the security access procedures ❏ Also called a trapdoor , used by maintenance as well as malicious actors ❏ Diffcult to implement operating system controls for backdoors in applications Stealthing Rootkit ❏ Set of hidden programs installed on a system to maintain covert access to that system ❏ Gives administrator (or root) privileges to attacker ❐ Can add or change programs and fles, monitor processes, send and receive network traffc, and get backdoor access on demand 29 Threats & Countermeasures Malicious Software Malware Taxonomy Malware Types Payload Classifcations Threats & Countermeasures M ALWARE C OUNTERMEASURE A PPROACHES ❏ Ideal solution to the threat of malware is prevention Four main elements of prevention ❏ Policy ❏ Awareness ❏ Vulnerability mitigation ❏ Threat mitigation ❏ If prevention fails, technical mechanisms can be used to support the following threat mitigation options: ❐ Detection ❐ Identifcation ❐ Removal 30 Malicious Software Malware Taxonomy Malware Types Payload Classifcations Threats & Countermeasures G ENERATIONS OF A NTI -V IRUS S OFTWARE 31 Malicious Software Malware Taxonomy Malware Types Payload Classifcations Threats & Countermeasures R EFERENCES ❏ The lecture notes and contents were compiled from my own notes and from various sources. ❏ Figures and tables are from the recommended books ❏ The lecture notes are very detailed. If you attend the lecture, you should be able to understand the topics. ❏ You can use any of the recommended readings! You do not need to read all the chapters! ❏ Recommended Readings note: Focus on what was covered in the class. ❐ Chapter 8, Malware, CEH v11 Certifed Ethical Hacker Study Guide ❐ Chapter 8, Malicious Software and Attack Vectors, Fundamentals of Information Systems Security ❐ Chapter 6, Malware and attack Technologies, CyBOK, The Cyber Security Body of Knowledge 32 Software and Web Security 6COSC019W- Cyber Security Dr Ayman El Hajjar March 05, 2024 School of Computer Science and Engineering University of Westminster Web Application Attacks Application Exploitation Countermeasures Software Development Security O UTLINE 1. Web Application Attacks 2. Application Exploitation 3. Countermeasures 4. Software Development Security 1 Web Application Attacks Application Exploitation Countermeasures Software Development Security ❏ Many computer security vulnerabilities result from poor programming practices ❏ The OWASP Top 10 is a standard awareness document for developers and web application security. It represents a broad consensus about the most critical security risks to web applications. ❐ Broken Access Control ❐ Cryptographic Failures ❐ Injection ❐ Insecure Design ❐ Security Misconfguration ❐ Vulnerable and Outdated Components ❐ Identifcation and Authentication Failures ❐ Software and Data Integrity Failures ❐ Security Logging and Monitoring Failures ❐ Server-Side Request Forgery (SSRF) 2 Web Application Attacks Application Exploitation Countermeasures Software Development Security S ECURITY F LAWS ❏ Critical Web application security faws include fve related to insecure software code 1. Handling Program handling 2. Buffer overfow 3. Injection faws 4. Cross-site scripting 5. Improper error handling ❏ These faws occur as a consequence of insuffcient checking and validation of data and error codes in programs ❏ Awareness of these issues is a critical initial step in writing more secure program code ❏ Emphasis should be placed on the need for software developers to address these known areas of concern 3 Web Application Attacks Application Exploitation Countermeasures Software Development Security CWE/SANS TOP 25 M OST DANGEROUS S OFTWARE E RRORS ❏ The CWE/SANS Top 25 Most Dangerous Software Errors list details the consensus view on the poor programming practices that are the cause of the majority of cyber attacks. ❏ These errors are grouped into three categories: ❐ Insecure interaction between components ❐ Risky resource management ❐ Porous defences 4 Web Application Attacks Application Exploitation Countermeasures Software Development Security A BSTRACT V IEW OF P ROGRAM 5 Web Application Attacks Application Exploitation Countermeasures Software Development Security S OFTWARE S ECURITY, Q UALITY AND R ELIABILITY ❏ Software quality and reliability: ❏ Concerned with the accidental failure of program as a result of some theoretically random, unanticipated input, system interaction, or use of incorrect code ❏ Improve using structured design and testing to identify and eliminate as many bugs as possible from a program ❏ Concern is not how many bugs, but how often they are triggered ❏ Software security: ❏ Triggered by inputs different from what is usually expected ❏ Rarely identifed by common testing approaches 6 Web Application Attacks Web Application Attacks Application Exploitation Countermeasures Software Development Security H ANDLING P ROGRAM I NPUT ❏ Unvalidated input, one of the most common failings in Web application security 7 Web Application Attacks Application Exploitation Countermeasures Software Development Security I NTERPRETATION OF P ROGRAM I NPUT ❏ Program input may be binary or text ❏ Binary interpretation depends on encoding and is usually application specifc ❏ There is an increasing variety of character sets being used ❏ Care is needed to identify just which set is being used and what characters are being read ❏ Failure to validate may result in an exploitable vulnerability 8 Web Application Attacks Application Exploitation Countermeasures Software Development Security SQL I NJECTION ATTACKS (SQL I ) ❏ One of the most prevalent and dangerous network-based security threats ❏ Designed to exploit the nature of Web application pages ❏ An SQL injection attack consists of insertion or “injection” of a SQL query via the input data from the client to the application ❏ Most common attack goal is bulk extraction of data ❏ A successful SQL injection exploit can: ❐ Read sensitive data from the database ❐ Modify database data (Insert/Update/Delete) ❐ Execute administration operations on the database (such as shutdown the DBMS) ❐ Recover the content of a given fle present on the DBMS fle system ❐ and in some cases issue commands to the operating system. 9 Web Application Attacks Application Exploitation Countermeasures Software Development Security XML E XTERNAL E NTITY P ROCESSING ❏ A common way to pass data back and forth between a client and a server is to use XML to structure the data and transmit that XML. ❏ An XML entity injection attack comes from code on the web server accepting data that comes from the client without doing any data validation. ❏ We can even tamper with an existing XML page and parse different commands through the XML page. Figure 1: XML External Entity Processing Example 10 Web Application Attacks Application Exploitation Countermeasures Software Development Security C ROSS S ITE S CRIPTING (XSS) ATTACKS ❏ A cross-site scripting (XSS) attack is one that uses the web server to attack the client side. ❏ This injects a code fragment from a scripting language into an input feld to have that code executed within the browser of a user visiting a site. For example block ❏ There are three types of cross-site scripting attack. The difference is whether the script is stored somewhere or not. ❐ Persistent cross-site scripting. Stored on the server and displayed for any user visiting a page ❐ Refected cross-site scripting. : The script isn’t stored. Instead, it is included in a URL as a parameter you would send to a victim. ❐ DOM-based XSS attack: Document Object Model (DOM)-based XSS attack allow us to call for objects through the scrip which should result in the object being executed. 11 Web Application Attacks Application Exploitation Countermeasures Software Development Security I NJECTION T ECHNIQUE : SQL I ❏ The SQLi attack typically works by prematurely terminating a text string and appending a new command ❏ Because the inserted command may have additional strings appended to it before it is executed the attacker terminates the injected string with a comment mark “- -” ↓ ❏ Subsequent text is ignored at execution time SQLi Attack Avenues ❏ User input: Attackers inject SQL commands by providing suitable crafted user input ❏ Server variables Attackers can forge the values that are placed in HTTP and network headers and exploit this vulnerability by placing data directly into the headers 12 Web Application Attacks Application Exploitation Countermeasures Software Development Security T YPE OF SQL I NJECTIONS Tautology ❏ This form of attack injects code in one or more conditional statements so that they always evaluate to true End-of-line comment ❏ After injecting code into a particular feld, legitimate code that follows are nullifed through usage of end of line comments Piggybacked queries ❏ The attacker adds additional queries beyond the intended query, piggy-backing the attack on top of a legitimate request Inferential Attack ❏ There is no actual transfer of data, but the attacker is able to reconstruct the information by sending particular requests and observing the resulting behaviour of the Website/database 13 server. Web Application Attacks Application Exploitation Countermeasures Software Development Security SQL I ATTACK E XAMPLE : L OGIN AUTHENTICATION Q UERY ❏ Standard query to authenticate users: select * from users where user=’$usern’ AND pwd=’$password’ ❏ Classic SQL injection attacks Server side code sets variables usernameandpasswd from user input to web form Variables passed to SQL query select * from users where user=’$username’ AND pwd=’$password’ ❏ Special strings can be entered by attacker select * from users where user=’M’ OR ’1=1’ AND pwd=’M’ OR ’1=1’ ❏ Result: access obtained without password 14 Web Application Attacks Application Exploitation Countermeasures Software Development Security C OMMAND I NJECTION ATTACK ❏ Similar to an XML external entity injection attack. ❏ The application takes a value from the user and passes it to a system function or an evaluate function. ❏ Focus on the operating system ❐ Pass the parameters to the operating system to handle. ❏ Consequences: If there is no input validation, you can execute any operating system command into the input feld ❏ For example: If I enter ping -c 5 192.168.56.111 && cat /etc/passwd, the result will be the ping and the contents of the passwd fle. ❐ Try this in next week lab: Lab 5- Finding and Exploiting Web Vulnerabilities 15 Web Application Attacks Application Exploitation Countermeasures Software Development Security F ILE T RAVERSAL ❏ File traversal is a way to get out of what the web server wanted you to originally see, and be able to see more. ❏ For example: The default web-server public folder for Apache server on Linux is /var/www/html ❏ If we visit the website of this web-server. the server will point us to the /var/www/html , usually an index.html page (or whatever language the site is written in) ❏ File Traversal is the ability to browse the web server and see fles outside the contents of /var/www/html , for example root folder of the web server ❏ The web-server public folder for Apache server on our OWASP VM is /var/www/ 16 Application Exploitation Web Application Attacks Application Exploitation Countermeasures Software Development Security B UFFER OVERFLOW ATTACK ❏ A very common attack mechanism ❏ Prevention techniques known ❏ Still of major concern ❏ Legacy of buggy code in widely deployed operating systems and applications ❏ Continued careless programming practices by programmers 17 Web Application Attacks Application Exploitation Countermeasures Software Development Security B UFFER OVERFLOW BASICS ❏ Programming error when a process attempts to store data beyond the limits of a fxed-sized buffer ❏ Overwrites adjacent memory locations ❏ Locations could hold other program variables, parameters, or program control fow data ❏ Buffer could be located on the stack, in the heap, or in the data section of the process ❏ Consequences: ❏ Corruption of program data ❏ Unexpected transfer of control ❏ Memory access violations ❏ Execution of code chosen by attacker 18 Web Application Attacks Application Exploitation Countermeasures Software Development Security OVERFLOW ATTACK TYPES ❏ Buffer Overfow in the stack: ❏ This means that values of local variables, function arguments, and return addresses are affected. ❏ Stack overfows corrupt memory on the stack. ❏ Buffer Overfow in the Heap: ❏ Heap overfows refer to overfows that corrupt memory located on the heap. ❏ Typically located above program code ❏ Memory is requested by programs to use in dynamic data structures (such as linked lists of records) ❏ Global variables and other program data are affected ❏ A fnal category of buffer overfows we consider involves buffers located in the program’s global (or static) data area. ❏ This is loaded from the program fle and located in memory above the program code. 19 Web Application Attacks Application Exploitation Countermeasures Software Development Security BASIC B UFFER OVERFLOW E XAMPLE ❏ The attacker exploits an unchecked buffer to perform a buffer overfow attack ❏ The ultimate goal for the attacker is getting a shell that allows to execute arbitrary commands with high privileges Figure 4: Memory contents after the Figure 3: Memory contents Before malicious input, causing the Buffer the malicious input Overfow 20 Web Application Attacks Application Exploitation Countermeasures Software Development Security I NPUT S IZE & B UFFER OVERFLOW ❏ Programmers often make assumptions about the maximum expected size of input ❏ Allocated buffer size is not confrmed ❏ Resulting in buffer overfow ❏ Testing may not identify vulnerability ❏ Test inputs are unlikely to include large enough inputs to trigger the overfow ❏ Safe coding treats all input as dangerous 21 Countermeasures Web Application Attacks Application Exploitation Countermeasures Software Development Security R EDUCING S OFTWARE V ULNERABILITIES ❏ The NIST presents a range of approaches to reduce the number of software vulnerabilities ❏ It recommends: ❐ Stopping vulnerabilities before they occur by using improved methods for specifying and building software ❐ Finding vulnerabilities before they can be exploited by using better and more effcient testing techniques ❐ Reducing the impact of vulnerabilities by building more resilient architectures 22 Web Application Attacks Application Exploitation Countermeasures Software Development Security VALIDATING N UMERIC I NPUT ❏ Additional concern when input data represents numeric values ❏ Internally stored in fxed sized value ❏ 8, 16, 32, 64-bit integers ❏ Floating point numbers depend on the processor used ❏ Values may be signed or unsigned ❏ Must correctly interpret text form and process consistently ❏ Have issues comparing signed to unsigned ❏ Could be used to thwart buffer overfow check 23 Web Application Attacks Application Exploitation Countermeasures Software Development Security W RITING S AFE P ROGRAM C ODE ❏ Second component is processing of data by some algorithm to solve required problem ❏ High-level languages are typically compiled and linked into machine code which is then directly executed by the target processor Security issues ❏ Correct algorithm implementation ❏ Correct machine instructions for algorithm ❏ Valid manipulation of data 24 Web Application Attacks Application Exploitation Countermeasures Software Development Security C ORRECT DATA I NTERPRETATION ❏ Data stored as bits/bytes in computer ❏ Grouped as words or longwords ❏ Accessed and manipulated in memory or copied into processor registers before being used ❏ Interpretation depends on machine instruction executed ❏ Different languages provide different capabilities for restricting and validating interpretation of data in variables ❏ Strongly typed languages are more limited, safer ❏ Other languages allow more liberal interpretation of data and permit program code to explicitly change their interpretation 25 Web Application Attacks Application Exploitation Countermeasures Software Development Security C ORRECT U SE OF M EMORY ❏ Issue of dynamic memory allocation ❏ Unknown amounts of data ❏ Allocated when needed, released when done ❏ Used to manipulate Memory leak ❏ Steady reduction in memory available on the heap to the point where it is completely exhausted ❏ Many older languages have no explicit support for dynamic memory allocation ❏ Use standard library routines to allocate and release memory ❏ Modern languages handle automatically 26 Web Application Attacks Application Exploitation Countermeasures Software Development Security SQL I C OUNTERMEASURES AND PREVENTION ❏ Three Types Defensive coding ❐ Manual defensive coding practices ❐ Parameterised query insertion Detection ❐ Signature based ❐ Anomaly based ❐ Code analysis Run-time prevention ❐ Check queries at runtime to see if they conform to a model of expected queries 27 Web Application Attacks Application Exploitation Countermeasures Software Development Security C OUNTERMEASURES AND PREVENTION ❏ Code Injection Attack- There are several defences available to prevent this type of attack. ❏ The most obvious is to block assignment of form feld values to global variables. Rather, they are saved in an array and must be explicitly be retrieved by name. ❏ Another defence is to only use constant values in include (and require) commands. ❏ This ensures that the included code does indeed originate from the specifed fles. ❏ If a variable has to be used, then great care must be taken to validate its value immediately before it is used. ❏ XSS Attack- To prevent this attack: ❏ any user-supplied input should be examined and any dangerous code removed or escaped to block its execution. 28 Web Application Attacks Application Exploitation Countermeasures Software Development Security B UFFER OVERFLOW D EFENCES C OUNTERMEASURES AND PRE - VENTION ❏ Buffer overfows are widely exploited ❏ Two broad defence approaches ❏ Compile-time ❏Aim to harden programs to resist attacks in new programs ❏ Run-time ❏ Aim to detect and abort attacks in existing programs 29 Software Development Security Web Application Attacks Application Exploitation Countermeasures Software Development Security T HE P RACTICE OF S OFTWARE E NGINEERING ❏ In the early days of software development, software security was little more than a system ID, a password, and a set of rules determining the data access rights of users on the machine ❏ There is a need to discuss the risks inherent in making software systems available to a theoretically unlimited and largely anonymous audience ❏ Security in software is no longer an “add-on” but a requirement that software engineers must address during each phase of the SDLC ❏ Software engineers must build defensive mechanisms into their computer systems to anticipate, monitor, and prevent attacks on their software systems 30 Web Application Attacks Application Exploitation Countermeasures Software Development Security D EFENSIVE P ROGRAMMING ❏ Programmers often make assumptions about the type of inputs a program will receive and the environment it executes in ❏ Assumptions need to be validated by the program and all potential failures handled gracefully and safely ❏ Requires a changed mindset to traditional programming practices ❏ Programmers have to understand how failures can occur and the steps needed to reduce the chance of them occurring in their programs ❏ Conficts with business pressures to keep development times as short as possible to maximize market advantage 31 Web Application Attacks Application Exploitation Countermeasures Software Development Security S ECURITY BY D ESIGN ❏ Security and reliability are common design goals in most engineering disciplines ❏ Software development not as mature ❏ Recent years have seen increasing efforts to improve secure software development processes ❏ Software Assurance Forum for Excellence in Code (SAFECode) ❏ Develop publications outlining industry best practices for software assurance and providing practical advice for implementing proven methods for secure software development 32 Web Application Attacks Application Exploitation Countermeasures Software Development Security S OFTWARE D EVELOPMENT L IFE C YCLE ❏ Fundamental tasks ❐ Understand the requirements of the system ❐ Analyse the requirements in detail ❐ Determine the appropriate technology for the system based on its purpose and use ❐ Identify and design program functions ❐ Code the programs ❐Test the programs, individually and collectively ❐ Install the system into a secure “production” environment 33 Web Application Attacks Application Exploitation Countermeasures Software Development Security S OFTWARE D EVELOPMENT L IFE C YCLE ❏ Phases of SDLC ❐ Phase zero (project inception) ❐ System requirements ❐ System design ❐ Development ❐ Test ❐ Deployment ❏ To make software secure, security must be built into the development life cycle ❏ The earlier in the development life cycle security is implemented, the cheaper software development will be 34 Web Application Attacks Application Exploitation Countermeasures Software Development Security S ECURE S OFTWARE D EVELOPMENT L IFE C YCLE 35 Web Application Attacks Application Exploitation Countermeasures Software Development Security S ECURE S OFTWARE D EVELOPMENT L IFE C YCLE Requirements: ❏ Map security and privacy requirements ❐ Business system analysis should be familiar with organisational security policies and standards such as organisation privacy policy and regulatory requirements. Development ❏ Threat modelling ❐ Used to determine the technical security posture of the application being developed ❏Design reviews ❐ Carried out by a security subject matter expert and typically iterative in nature 36 Web Application Attacks Application Exploitation Countermeasures Software Development Security S ECURE S OFTWARE D EVELOPMENT L IFE C YCLE Development ❏ Development-related vulnerabilities ❐ Static analysis: Automation fnd issues with source code ❐ Peer review: Developers review each others code and provide feedback Testing ❏Critical step for discovering vulnerabilities not found earlier ❐ Build security test cases ❐ Tests are used during dynamic analysis ❐ Software is loaded and operated in a test environment Deployment ❐ Final security review ❐ Create application security monitoring and response plan ❏ Security training 37 Web Application Attacks Application Exploitation Countermeasures Software Development Security R EFERENCES ❏ The lecture notes and contents were compiled from my own notes and from various sources. ❏ Figures and tables are from the recommended books ❏ The lecture notes are very detailed. If you attend the lecture, you should be able to understand the topics. ❏ You can use any of the recommended readings! You do not need to read all the chapters! ❏ Recommended Readings note: Focus on what was covered in the class. ❐ Chapter 12- Attack and Defence, CEH v11 Certifed Ethical Hacker Study Guide ❐ SQL Injection on Owasp site Link ❐ Chapter 8, Malicious Software and Attack Vectors, Fundamentals of Information Systems Security ❐ Chapter 15, 16 & 17, CyBOK, The Cyber Security Body of Knowledge 38