sodapdf-merged (7).pdf

Full Transcript

Security Controls
6COSC019W- Cyber Security

Dr Ayman El Hajjar
February 19, 2024
School of Computer Science and Engineering
University of Westminster
 Security Controls Application layer controls Host to Host/Transport layer Controls Network Layer Security

O UTLINE

1. Security Controls

2. Application layer controls

3. Host to Host/Transport layer Controls

4. Network Layer Security

1
Security Controls
 Security Controls Application layer controls Host to Host/Transport layer Controls Network Layer Security

S ECURITY C ONTROL

Control is defned as:
“An action, device, procedure, or other
measure that reduces risk by eliminating or
preventing a security violation, by
minimizing the harm it can cause, or by
discovering and reporting it to enable
corrective action.”

1
 Security Controls Application layer controls Host to Host/Transport layer Controls Network Layer Security

C ONTROL C LASSIFICATIONS

Management controls
✺ Focus on security policies, planning, guidelines, and
standards that infuence the selection of operational and
technical controls to reduce the risk of loss and to protect
the organization’s mission
✺ These controls refer to issues that management needs to
address
Operational controls
✺ Address the correct implementation and use of security
policies and standards, ensuring consistency in security
operations and correcting identifed operational defciencies
✺ These controls relate to mechanisms and procedures that
are primarily implemented by people rather than systems
✺ They are used to improve the security of a system or
group of systems
2
 Security Controls Application layer controls Host to Host/Transport layer Controls Network Layer Security

C ONTROL C LASSIFICATIONS

Technical controls
✺ Involve the correct use of hardware and software security
capabilities in systems
✺ These range from simple to complex measures that work
together to secure critical and sensitive data, information,
and IT systems functions

3
 Security Controls Application layer controls Host to Host/Transport layer Controls Network Layer Security

C ONTROL C LASSES

Each of the control classes may include the following:
Supportive controls
✺ Pervasive, generic, underlying technical IT security
capabilities that are interrelated with, and used by, many
other controls
Preventative controls
✺ Focus on preventing security breaches from occurring, by
inhibiting attempts to violate security policies or exploit a
vulnerability
Detection and recovery controls
✺ Focus on the response to a security breach, by warning of
violations or attempted violations of security policies or the
identifed exploit of a vulnerability and by providing means to
restore the resulting lost computing resources
4
 Security Controls Application layer controls Host to Host/Transport layer Controls Network Layer Security

T ECHNICAL CONTROLS - TCP/IP SECURITY SOLUTION

A number of approaches to providing Internet security are
possible.
The various approaches that have been considered are similar in
the services they provide in relation to to the TCP/IP protocol
stack.

Relative location of security facilities in the TCP/IP protocol stack

5
Application layer controls
 Security Controls Application layer controls Host to Host/Transport layer Controls Network Layer Security

E MAIL S ECURITY: MIME AND S/MIME

Multipurpose Internet Mail
Secure/Multipurpose Internet
Extension
Mail Extension
✺ Simple heading with To, From,
Security enhancement to the
Subject
MIME Internet e-mail format
✺Assumes ASCII text format
✺ Based on technology
Provides a number of new from RSA Data Security
header felds that defne
Provides the ability to sign
information about the body of the
and/or encrypt e-mail messages
message

6
 Security Controls Application layer controls Host to Host/Transport layer Controls Network Layer Security

S/M IME F UNCTIONS

6
 Security Controls Application layer controls Host to Host/Transport layer Controls Network Layer Security

S IMPLIFIED S/MIME F UNCTIONAL F LOW

6
 Security Controls Application layer controls Host to Host/Transport layer Controls Network Layer Security

P RETTY G OOD P RIVACY (PGP) C RYPTOGRAPHY

❏ Another standard for electronic-mail encryption and digital
signatures
❏ Use a Public Private Keys (PPK) method
❐ Users can sign one another’s public keys, adding some
degree of confdence to a key’s validity
❐ Someone who signs another’s public key acts as an
introducer for that person to someone else so that if
someone trusts the introducer, they should also trust the
person who’s being introduced
❐ Pretty Good Privacy (PGP) is often used to encrypt
documents that can be shared via e-mail over the open
Internet
❏ S/MIME and Open PGP use proprietary encryption techniques
and handle digital signatures differently

7
 Security Controls Application layer controls Host to Host/Transport layer Controls Network Layer Security

DNS THREATS P REVENTION

❏ DNSSEC adds
❏ To prevent DNS Hijacking and considerable load to dns
DNS Pharming, DNS Security servers with packet sizes
(DNSSEC) is deployed to ensure: considerably larger than
❐ Authenticity of DNS answer 512 byte size of UDP
origin packets
❐ Integrity of reply
❐ Authenticity of denial of
existence
❐ Accomplishes this by signing
DNS replies at each step of the
way
❐ Uses public-key cryptography
to sign responses DNSSEC Signing

8
 Security Controls Application layer controls Host to Host/Transport layer Controls Network Layer Security

S ECURE S HELL (SSH)

A protocol for secure network communications designed to be
relatively simple and inexpensive to implement
The initial version, SSH1 was focused on providing a secure
remote logon facility to replace TELNET and other remote login
schemes that provided no security
SSH also provides a more general client/server capability and
can be used for such network functions as fle transfer and e-mail
SSH client and server applications are widely available for
most operating systems
SSH2 fxes a number of security faws in the original scheme.

9
 Security Controls Application layer controls Host to Host/Transport layer Controls Network Layer Security

SSH transport layer packets exchange

10
 Security Controls Application layer controls Host to Host/Transport layer Controls Network Layer Security

SSH PROTOCOL PACKET EXCHANGE

First, the client establishes
a TCP connection to the
server.
This is done via the TCP
protocol and is not part of the
Transport Layer Protocol.
Once the connection is
established, the client and
server exchange packets in
the data feld of a TCP
segment.

SSH protocol packet exchanges
11
 Security Controls Application layer controls Host to Host/Transport layer Controls Network Layer Security

SSH PROTOCOL STACK

SSH protocol stack
12
Host to Host/Transport layer
Controls
 Security Controls Application layer controls Host to Host/Transport layer Controls Network Layer Security

T RANSPORT LAYER S ECURITY - A DEFINITION

13
 Security Controls Application layer controls Host to Host/Transport layer Controls Network Layer Security

TLS PROTOCOL STACK

TLS is designed to make use of TCP to provide a reliable
end-to-end secure service.
The TLS Record Protocol provides basic security services to
various higher layer protocols.
Three higher-layer protocols are defned as part of TLS:
✺ The Handshake Protocol;
✺ The Change Cipher Spec Protocol;
✺ and the Alert Protocol.
These TLS specifc protocols are used in the management of
TLS exchanges.
A fourth protocol, the Heartbeat Protocol, is defned in a
separate RFC.

14
 Security Controls Application layer controls Host to Host/Transport layer Controls Network Layer Security

TLS C ONCEPTS

Two important TLS concepts are the TLS session and the TLS
connection which are defned in the specifcation.
✺ TLS Session:
❍ Created by the Handshake Protocol
❍ Defne a set of cryptographic parameters
❍ Used to avoid the expensive negotiation of new
security parameters for each connection
✺ TLS Connection:
❍ A transport layer protocol that provides a suitable
type of service
❍ Peer-to-peer relationships
❍ Every connection is associated with one session

15
 Security Controls Application layer controls Host to Host/Transport layer Controls Network Layer Security

TLS H ANDSHAKE MESSAGES

Most complex part of TLS
Is used before any application data are transmitted
Allows server and client to:
✺ Authenticate Each Other → Negotiate encryption and
MAC algorithms → Negotiate cryptographic keys to be used
Comprises a series of messages exchanged by client and
server
Exchange has four phases

16
 Security Controls Application layer controls Host to Host/Transport layer Controls Network Layer Security

H ANDSHAKE PROTOCOL ACTION

17
 Security Controls Application layer controls Host to Host/Transport layer Controls Network Layer Security

HTTPS (HTTP OVER TSL)

Combination of HTTP and TLS (RFC 2818, HTTP Over TLS)
to implement secure communication between a Web browser
and a Web server
Built into all modern Web browsers
✺ URL addresses begin with https://
Agent acting as the HTTP client also acts as the TLS client
Closure of an HTTPS connection requires that TLS close the
connection with the peer TLS entity on the remote side, which
will involve closing the underlying TCP connection

18
Network Layer Security
 Security Controls Application layer controls Host to Host/Transport layer Controls Network Layer Security

IP S ECURITY

RFC 1636: “Security in the Internet Architecture” issued in
1994 by the Internet Architecture Board (IAB)

Security for IP & Networks
✺ Need to secure the network infrastructure from unauthorised
monitoring and control of network traffc
✺ Need to secure end-user-to-end-user traffc using
authentication and encryption mechanisms

19
 Security Controls Application layer controls Host to Host/Transport layer Controls Network Layer Security

A PPLICATIONS OF IP SEC

IPsec provides the capability to secure communications
across a LAN, private and public WANs, and the Internet
Examples include:
✺ Secure branch offce connectivity over the Internet
✺ Secure remote access over the Internet
✺ Establishing extranet and intranet connectivity with
partners
✺ Enhancing electronic commerce security
Principal feature of IPsec is that it can encrypt and/or
authenticate all traffc at the IP level
✺ Thus all distributed applications (remote logon,
client/server, e-mail, fle transfer, Web access) can be
secured

20
 Security Controls Application layer controls Host to Host/Transport layer Controls Network Layer Security

IP SEC S ERVICES

IPsec provides security services at the IP layer by enabling a
system to:
✺ Select required security protocols
✺ Determine the algorithm(s) to use for the service(s)
✺ Put in place any cryptographic keys required to provide
the requested services
RFC 4301 lists the following services:
✺ Access control
✺ Connectionless integrity
✺ Data origin authentication
✺ Rejection of replayed packets (Integrity)
✺ Confdentiality (encryption/confdentiality)

21
 Security Controls Application layer controls Host to Host/Transport layer Controls Network Layer Security

B ENEFITS OF IPS EC

When IPsec is implemented in a frewall or router, it provides
strong security that can be applied to all traffc crossing the
perimeter
Traffc within a company or workgroup does not incur the
overhead of security-related processing
IPsec is below the transport layer (TCP, UDP) and so is
transparent to applications
There is no need to train users on security mechanisms
This is useful for offsite workers and for setting up a secure
virtual subnetwork within an organisation for sensitive
applications

22
 Security Controls Application layer controls Host to Host/Transport layer Controls Network Layer Security

T HE SCOPE OF IPS EC

Provides two main functions:
✺ A combined authentication/encryption function called
Encapsulating Security Payload (ESP)
✺ Key exchange function
Also an authentication-only function, implemented using an
Authentication Header (AH)
✺ Because message authentication is provided by ESP, the
use of AH is included in IPsecv3 for backward compatibility
but should not be used in new applications
VPNs want both authentication and encryption

23
 Security Controls Application layer controls Host to Host/Transport layer Controls Network Layer Security

T RANSPORT M ODE

Provides protection primarily for upper-layer protocols
Examples include a TCP or UDP segment or an ICMP packet
Typically used for end-to-end communication between two
hosts
ESP in transport mode encrypts and optionally authenticates
the IP payload but not the IP header
AH in transport mode authenticates the IP payload and
selected portions of the IP header

24
 Security Controls Application layer controls Host to Host/Transport layer Controls Network Layer Security

T UNNEL M ODE

Provides protection to the entire IP packet
Used when one or both ends of a security association (SA) are
a security gateway
A number of hosts on networks behind frewalls may engage in
secure communications without implementing IPsec
ESP in tunnel mode encrypts and optionally authenticates the
entire inner IP packet, including the inner IP header
AH in tunnel mode authenticates the entire inner IP packet and
selected portions of the outer IP header

25
 Security Controls Application layer controls Host to Host/Transport layer Controls Network Layer Security

IPS EC : T UNNEL MODE FORMAT

Tunnel mode makes use of an IPsec function, a combined
authentication/encryption function called Encapsulating Security
Payload (ESP), and a key exchange function.
For VPNs, both authentication and encryption are generally
desired, because it is important both to (1) assure that
unauthorised users do not penetrate the VPN, and (2) assure
that eavesdroppers on the Internet cannot read messages sent
over the VPN.

Tunnel mode format

26
 Security Controls Application layer controls Host to Host/Transport layer Controls Network Layer Security

R EFERENCES

❏ The lecture notes and contents were compiled from my own
notes and from various sources.
❏ Figures and tables are from the recommended books
❏ The lecture notes are very detailed. If you attend the
lecture, you should be able to understand the topics.
❏ You can use any of the recommended readings! You do
not need to read all the chapters!
❏ Recommended Readings note: Focus on what was covered
in the class.
❐ Chapter 13- Attack and Defence, CEH v11 Certifed
Ethical Hacker Study Guide
❐ SQL Injection on Owasp site Link
❐ Chapter 8, Malicious Software and Attack Vectors,
Fundamentals of Information Systems Security
❐ Chapter 15, 16 & 17, CyBOK, The Cyber Security Body of
Knowledge 27
Malicious Software
6COSC019W- Cyber Security

Dr Ayman El Hajjar
February 20, 2024
School of Computer Science and Engineering
University of Westminster
 Malicious Software Malware Taxonomy Malware Types Payload Classifcations Threats & Countermeasures

O UTLINE

1. Malicious Software

2. Malware Taxonomy

3. Malware Types

4. Payload Classifcations

5. Threats & Countermeasures

1
Malicious Software
 Malicious Software Malware Taxonomy Malware Types Payload Classifcations Threats & Countermeasures

M ALWARE

NIST 800-83 defnes malware as:
“A program that is inserted into a system, usually covertly, with the
intent of compromising the confdentiality, integrity, or availability of
the victim’s data, applications, or operating system or otherwise
annoying or disrupting the victim.”

NCSC defnes malware as:
“a term that includes virus, trojans, worms or any code or content that
could have an adverse impact on organisations or individuals..”

2
 Malicious Software Malware Taxonomy Malware Types Payload Classifcations Threats & Countermeasures

M ALICIOUS C ODE AND ACTIVITY

❏ Any program that carries out actions that you (user/System)
did not intend to do is considered to be a Malicious software
(malware)
❏ Malicious code attacks one or more of the three information
security properties:
❐ Confdentiality: Malware can disclose your organisation’s
private information
❐ Integrity: Malware can modify database records, either
immediately or over a period of time
❐ Availability: Malware can erase or overwrite fles or infict
considerable damage to storage media

3
 Malicious Software Malware Taxonomy Malware Types Payload Classifcations Threats & Countermeasures

C HARACTERISTICS , A RCHITECTURE , AND O PERATIONS OF MA-
LICIOUS S OFTWARE

❏ An attacker gains administrative control of a system and uses
commands to infict harm
❏ An attacker sends commands directly to a system; the system
interprets and executes them
❏ An attacker uses software programs that harm a system or
that make the data unusable
❏ An attacker uses legitimate remote administration tools and
security probes to identify and exploit security vulnerabilities on a
network

4
Malware Classifcations
 Malicious Software Malware Taxonomy Malware Types Payload Classifcations Threats & Countermeasures

M ALWARE C LASSIFICATION APPROACH

❏ The original approach to classify malware focuses on how they
spread or propagate through an information system environment
to reach the desired target/s
❏ A more conventional approach was developed to consider all
dimensions of malware in order to classify them.
❏ This approach is used by the NCSC and it contains the
following dimensions:
❐ Host dependent or independent
❐ persistent or transient
❐ Where it install itself (persistent malware only)
❐ How it is triggered
❐ Static or dynamically updated
❐ Act alone or coordinated attack

5
 Malicious Software Malware Taxonomy Malware Types Payload Classifcations Threats & Countermeasures

M ALWARE C LASSIFICATION APPROACH

❏ Host dependent or Independent malware
❐ Independent malware or standalone is a complete
program that can run on its own once it is installed on a
compromised machine and executed.
❐ Host dependent malware requires a host program to
run. It cannot run independently, but infect a program on a
computer by inserting its instructions into the program or
modifying the host code.
❏ Persistent or Transient
❐ Persistent malware are installed in persistent storage
such as a fle system (your hard drive) or an external storage
device. They can be either standalone or host independent.
❐ Transient malware are installed in volatile memory such
as as RAM memory.

6
 Malicious Software Malware Taxonomy Malware Types Payload Classifcations Threats & Countermeasures

M ALWARE C LASSIFICATION APPROACH

❏ Where it install itself
❐ This dimension generally applies to only persistent
malware (Ones that requires installation)
❐ Malware are categorised based on which layer of the
system stack the malware is installed and run on
❐ this could the frmware, the boot sector, the operating
system level, the driver, the api, or user application
❏ How it is triggered
❐ Auto-spreading malware runs and then looks for other
vulnerable machines on the Internet, compromises these
machines and installs itself on them;
❐ User-activated malware is run on a computer only
because a user accidentally downloads and executes it, e.g.,
by clicking on an attachment or URL in a received email.

7
 Malicious Software Malware Taxonomy Malware Types Payload Classifcations Threats & Countermeasures

M ALWARE C LASSIFICATION APPROACH

❏ Static or dynamically updated
❐ Malware that are supported by an infrastructure and can
still communicate with such infrastructure are dynamically
updated with new version regularly.
❐ Static malware or one time malware has no infrastructure
to support it and are standalone software with no network
connection to an external infrastructure
❏ Act alone or coordinated attack
❐ Act alone malware are isolated malware that runs on
their own. They do not participate in a larger scale attack.
Such malware usually have a specifc target.
❐ Coordinated malware are attacks that contribute to a
larger scale attack as on their own they will not cause much
damage. For example, collectively several devices infected
by such malware can cause networks or systems to crash
(DDoS). 8
Malware Types
 Malicious Software Malware Taxonomy Malware Types Payload Classifcations Threats & Countermeasures

M ALWARE C ONTENTS

❏ Malware are divided into two parts:
❐ Infection mechanism: How it propagates
❐ The Payload: what happens after it reaches the target

9
 Malicious Software Malware Taxonomy Malware Types Payload Classifcations Threats & Countermeasures

T HE M AIN T YPES OF M ALWARE

❏ Virus
❏ Denial of service attacks
❏ Spam
❏ Spyware
❏ Worms
❏ Adware
❏ Trojan horses
❏ Phishing
❏ Logic bombs
❏ Keystroke loggers
❏ Active content
❏ Hoaxes and myths
vulnerabilities
❏ Homepage hijacking
❏ Malicious add-ons
❏ Webpage defacements
❏ Botnets

10
 Malicious Software Malware Taxonomy Malware Types Payload Classifcations Threats & Countermeasures

V IRUS

❏ Piece of software that infects programs
❐ Modifes them to include a copy of the virus
❐ Replicates and goes on to infect other content
❐ Easily spread through network environments
❏ When attached to an executable program a virus can do
anything that the program is permitted to do
❐ Executes secretly when the host program is run
❏ Specifc to operating system and hardware
❐ Takes advantage of their details and weaknesses

11
 Malicious Software Malware Taxonomy Malware Types Payload Classifcations Threats & Countermeasures

V IRUS C OMPONENTS

Infection Mechanism
❏ Means by which a virus spreads or propagates
❏ Also referred to as the infection vector

Trigger
❏Event or condition that determines when the payload is
activated or delivered
❏ Sometimes known as a logic bomb

Payload
❏ What the virus does (besides spreading)
❏ May involve damage or benign but noticeable activity

12
 Malicious Software Malware Taxonomy Malware Types Payload Classifcations Threats & Countermeasures

V IRUS P HASES

13
 Malicious Software Malware Taxonomy Malware Types Payload Classifcations Threats & Countermeasures

V IRUS C LASSIFICATIONS : B Y TARGETS

Boot sector infector
❏ Infects a master boot record or boot record and spreads when
a system is booted from the disk containing the virus

File Infectors
❏ Infects fles that the operating system or shell considers to be
executable

Macro virus
❏ Infects fles with macro or scripting code that is interpreted by
an application

Multipartite virus
❏ Infects fles in multiple ways

14
 Malicious Software Malware Taxonomy Malware Types Payload Classifcations Threats & Countermeasures

V IRUS C LASSIFICATIONS : B Y CONCEALMENT STRATEGY

Encrypted virus
❏A portion of the virus creates a random encryption key and
encrypts the remainder of the virus

Stealth virus
❏ A form of virus explicitly designed to hide itself from detection
by anti-virus software

Polymorphic virus
❏A virus that mutates with every infection

Metamorphic virus
❏ A virus that mutates and rewrites itself completely at each
iteration and may change behaviour as well as appearance

15
 Malicious Software Malware Taxonomy Malware Types Payload Classifcations Threats & Countermeasures

M ALVERTISING

❏ Places malware on websites without actually compromising
them
❏ The attacker pays for advertisements that are highly likely to
be placed on their intended target websites and incorporate
malware in them
❏ Using these malicious ads, attackers can infect visitors to sites
displaying them
❏The malware code may be dynamically generated to either
reduce the chance of detection or to only infect specifc systems
❏ Has grown rapidly in recent years because they are easy to
place on desired websites with few questions asked and are hard
to track
❏ Attackers can place these ads for as little as a few hours, when
they expect their intended victims could be browsing the targeted
websites, greatly reducing their visibility
16
 Malicious Software Malware Taxonomy Malware Types Payload Classifcations Threats & Countermeasures

C LICKJACKING

❏ Also known as a user-interface (UI) redress attack
❏ Using a similar technique, keystrokes can also be hijacked
❐ A user can be led to believe they are typing in the
password to their email or bank account, but are instead
typing into an invisible frame controlled by the attacker
❏ Vulnerability used by an attacker to collect an infected user’s
clicks
❐ The attacker can force the user to do a variety of things
from adjusting the user’s computer settings to unwittingly
sending the user to Web sites that might have malicious
code
❐ A typical attack uses multiple transparent or opaque layers
to trick a user into clicking on a button or link on another
page when they were intending to click on the top level page
❐ The attacker is hijacking clicks meant for one page and
routing them to another page 17
 Malicious Software Malware Taxonomy Malware Types Payload Classifcations Threats & Countermeasures

S OCIAL E NGINEERING

❏ “Tricking” users to assist in the compromise of their own
systems

18
 Malicious Software Malware Taxonomy Malware Types Payload Classifcations Threats & Countermeasures

M ACRO AND S CRIPTING VIRUS

❏ Macro virus infect scripting code used to support active
content in a variety of user document types
❏ Are threatening for a number of reasons:
❐ Is platform independent
❐ Infect documents, not executable portions of code
❐ Are easily spread
❐ Because they infect user documents rather than system
programs, traditional fle system access controls are of
limited use in preventing their spread, since users are
expected to modify them
❐ Are much easier to write or to modify than traditional
executable virus

19
 Malicious Software Malware Taxonomy Malware Types Payload Classifcations Threats & Countermeasures

M ACRO AND S CRIPTING VIRUS : T RUSTED D OWNLOAD ?

20
 Malicious Software Malware Taxonomy Malware Types Payload Classifcations Threats & Countermeasures

ACTIVE C ONTENT VIRUS

❏ Active content
❐ Refers to dynamic objects that do something when the
user opens a webpage (ActiveX, Java, JavaScript, VBScript,
macros, browser plugins, PDF fles, and other scripting
languages)
❐ Has potential weaknesses that malware can exploit
❏ Active content threats are considered mobile code because
these programs run on a wide variety of computer platforms
❏ Users download bits of mobile code, which gain access to the
hard disk and do things like fll up desktop with infected fle icons

21
 Malicious Software Malware Taxonomy Malware Types Payload Classifcations Threats & Countermeasures

W ORMS

❏ Program that actively seeks out more machines to infect and
each infected machine serves as an automated launching pad
for attacks on other machines
❏ Exploits software vulnerabilities in client or server programs
❏ Usually carries some form of payload

22
 Malicious Software Malware Taxonomy Malware Types Payload Classifcations Threats & Countermeasures

W ORM T ECHNOLOGY

1. Multiplatform: Worms are not Operating System specifc.
2. Multi-exploit: Worms penetrate systems using a variety of
methods
3. Ultrafast spreading: Exploit various techniques to optimize the
rate of spread of the worm
4. Polymorphic: To evade detection, skip past flters, and foil
real-time analysis, worms adopt the virus polymorphic technique.
5. Metamorphic: In addition to changing their appearance,
metamorphic worms have a collection of behaviour patterns that
are unleashed at different stages of propagation.
6. Zero-day exploit : To achieve maximum surprise and
distribution, a worm should exploit an unknown vulnerability that
is only discovered by the general network community when the
worm is launched.
23
 Malicious Software Malware Taxonomy Malware Types Payload Classifcations Threats & Countermeasures

R OOTKITS

❏ Type of malware that modifes or replaces one or more existing
programs to hide the fact that a computer has been compromised
❏ Modify parts of the operating system to conceal traces of their
presence
❏ Provide attackers with access to compromised computers and
easy access to launching additional attacks
❏ Diffcult to detect and remove

24
 Malicious Software Malware Taxonomy Malware Types Payload Classifcations Threats & Countermeasures

R OOTKITS C LASSIFICATION C HARACTERISTICS

1. Persistent: Activates each time the system boots. The rootkit
must store code in a persistent store, such as the registry or fle
system, and confgure a method by which the code executes
without user intervention.
2. Memory based: Has no persistent code and therefore cannot
survive a reboot. However, because it is only in memory, it can
be harder to detect.
3. User mode: Intercepts calls to APIs (application program
interfaces) and modifes returned results.
4. Kernel mode: Can intercept calls to native APIs in kernel mode.
The rootkit can also hide the presence of a malware process by
removing it from the kernel’s list of active processes.
5. External mode: The malware is located outside the normal
operation mode of the targeted system, in BIOS or system
management mode, where it can directly access hardware.
25
Payload Classifcations
 Malicious Software Malware Taxonomy Malware Types Payload Classifcations Threats & Countermeasures

PAYLOAD

❏ Payload are classifed based on the damage or threat they
bring to the system
❏ The different classes of payload are:
❐ System Corruption
❐ Attack Agents Bots
❐ Remote Control Facility
❐ Information Theft- Keyloggers and Spyware
❐ Information Theft- Phishing
❐ Stealthing Backdoor
❐ Stealthing Rootkit
System Corruption
❏ Causes damage to physical equipment such as Stuxnet worm
❐ Targets specifc industrial control system software
❏ There are concerns about using sophisticated targeted
malware for industrial sabotage 26
 Malicious Software Malware Taxonomy Malware Types Payload Classifcations Threats & Countermeasures

PAYLOAD CLASSES

Attack Agents Bots
❏ Takes over another Internet attached computer and uses that
computer to launch or manage attacks
❏ Botnet - collection of bots capable of acting in a coordinated
manner
❐ For example DDoS botnets

Remote Control Facility
❏ Typical means of implementing the remote control facility is on
an IRC server
❐ Bots join a specifc channel on this server and treat
incoming messages as commands

27
 Malicious Software Malware Taxonomy Malware Types Payload Classifcations Threats & Countermeasures

PAYLOAD CLASSES

Information Theft- Keyloggers and Spyware
❏ Keyloggers
❐ Captures keystrokes to allow attacker to monitor sensitive
information
❏ Spyware
❐ Subverts the compromised machine to allow monitoring of
a wide range of activity on the system

Information Theft- Phishing
❏ Phishing exploits social engineering to leverage the user’s trust
by masquerading as communication from a trusted source
❐ Include a URL in a spam e-mail that links to a fake Web
site that mimics the login page of a banking, gaming, or
similar site
❐ Attacker exploits the account using the captured
28
credentials
 Malicious Software Malware Taxonomy Malware Types Payload Classifcations Threats & Countermeasures

PAYLOAD CLASSES

Stealthing Backdoor
❏ Secret entry point into a program allowing the attacker to gain
access and bypass the security access procedures
❏ Also called a trapdoor , used by maintenance as well as
malicious actors
❏ Diffcult to implement operating system controls for backdoors
in applications

Stealthing Rootkit
❏ Set of hidden programs installed on a system to maintain
covert access to that system
❏ Gives administrator (or root) privileges to attacker
❐ Can add or change programs and fles, monitor
processes, send and receive network traffc, and get
backdoor access on demand
29
Threats & Countermeasures
 Malicious Software Malware Taxonomy Malware Types Payload Classifcations Threats & Countermeasures

M ALWARE C OUNTERMEASURE A PPROACHES

❏ Ideal solution to the threat of malware is prevention

Four main elements of prevention
❏ Policy
❏ Awareness
❏ Vulnerability mitigation
❏ Threat mitigation

❏ If prevention fails, technical mechanisms can be used to
support the following threat mitigation options:
❐ Detection
❐ Identifcation
❐ Removal

30
 Malicious Software Malware Taxonomy Malware Types Payload Classifcations Threats & Countermeasures

G ENERATIONS OF A NTI -V IRUS S OFTWARE

31
 Malicious Software Malware Taxonomy Malware Types Payload Classifcations Threats & Countermeasures

R EFERENCES

❏ The lecture notes and contents were compiled from my own
notes and from various sources.
❏ Figures and tables are from the recommended books
❏ The lecture notes are very detailed. If you attend the
lecture, you should be able to understand the topics.
❏ You can use any of the recommended readings! You do
not need to read all the chapters!
❏ Recommended Readings note: Focus on what was covered
in the class.
❐ Chapter 8, Malware, CEH v11 Certifed Ethical Hacker
Study Guide
❐ Chapter 8, Malicious Software and Attack Vectors,
Fundamentals of Information Systems Security
❐ Chapter 6, Malware and attack Technologies, CyBOK,
The Cyber Security Body of Knowledge
32
Software and Web Security
6COSC019W- Cyber Security

Dr Ayman El Hajjar
March 05, 2024
School of Computer Science and Engineering
University of Westminster
 Web Application Attacks Application Exploitation Countermeasures Software Development Security

O UTLINE

1. Web Application Attacks

2. Application Exploitation

3. Countermeasures

4. Software Development Security

1
 Web Application Attacks Application Exploitation Countermeasures Software Development Security

❏ Many computer security vulnerabilities result from poor
programming practices
❏ The OWASP Top 10 is a standard awareness document for
developers and web application security. It represents a broad
consensus about the most critical security risks to web
applications.
❐ Broken Access Control
❐ Cryptographic Failures
❐ Injection
❐ Insecure Design
❐ Security Misconfguration
❐ Vulnerable and Outdated Components
❐ Identifcation and Authentication Failures
❐ Software and Data Integrity Failures
❐ Security Logging and Monitoring Failures
❐ Server-Side Request Forgery (SSRF)

2
 Web Application Attacks Application Exploitation Countermeasures Software Development Security

S ECURITY F LAWS

❏ Critical Web application security faws include fve related to
insecure software code
1. Handling Program handling
2. Buffer overfow
3. Injection faws
4. Cross-site scripting
5. Improper error handling

❏ These faws occur as a consequence of insuffcient checking
and validation of data and error codes in programs
❏ Awareness of these issues is a critical initial step in writing
more secure program code
❏ Emphasis should be placed on the need for software
developers to address these known areas of concern

3
 Web Application Attacks Application Exploitation Countermeasures Software Development Security

CWE/SANS TOP 25 M OST DANGEROUS S OFTWARE E RRORS

❏ The CWE/SANS Top 25 Most Dangerous Software Errors list
details the consensus view on the poor programming practices
that are the cause of the majority of cyber attacks.
❏ These errors are grouped into three categories:
❐ Insecure interaction between components
❐ Risky resource management
❐ Porous defences

4
 Web Application Attacks Application Exploitation Countermeasures Software Development Security

A BSTRACT V IEW OF P ROGRAM

5
 Web Application Attacks Application Exploitation Countermeasures Software Development Security

S OFTWARE S ECURITY, Q UALITY AND R ELIABILITY

❏ Software quality and reliability:
❏ Concerned with the accidental failure of program as a
result of some theoretically random, unanticipated input,
system interaction, or use of incorrect code
❏ Improve using structured design and testing to identify
and eliminate as many bugs as possible from a program
❏ Concern is not how many bugs, but how often they are
triggered
❏ Software security:
❏ Triggered by inputs different from what is usually expected
❏ Rarely identifed by common testing approaches

6
Web Application Attacks
 Web Application Attacks Application Exploitation Countermeasures Software Development Security

H ANDLING P ROGRAM I NPUT

❏ Unvalidated input, one of the most common failings in Web
application security

7
 Web Application Attacks Application Exploitation Countermeasures Software Development Security

I NTERPRETATION OF P ROGRAM I NPUT

❏ Program input may be binary or text
❏ Binary interpretation depends on encoding and is usually
application specifc
❏ There is an increasing variety of character sets being used
❏ Care is needed to identify just which set is being used and
what characters are being read
❏ Failure to validate may result in an exploitable vulnerability

8
 Web Application Attacks Application Exploitation Countermeasures Software Development Security

SQL I NJECTION ATTACKS (SQL I )

❏ One of the most prevalent and dangerous network-based
security threats
❏ Designed to exploit the nature of Web application pages
❏ An SQL injection attack consists of insertion or “injection” of a
SQL query via the input data from the client to the application
❏ Most common attack goal is bulk extraction of data
❏ A successful SQL injection exploit can:
❐ Read sensitive data from the database
❐ Modify database data (Insert/Update/Delete)
❐ Execute administration operations on the database (such
as shutdown the DBMS)
❐ Recover the content of a given fle present on the DBMS
fle system
❐ and in some cases issue commands to the operating
system.
9
 Web Application Attacks Application Exploitation Countermeasures Software Development Security

XML E XTERNAL E NTITY P ROCESSING

❏ A common way to pass data back and forth between a client
and a server is to use XML to structure the data and transmit that
XML.
❏ An XML entity injection attack comes from code on the web
server accepting data that comes from the client without doing
any data validation.
❏ We can even tamper with an existing XML page and parse
different commands through the XML page.

Figure 1: XML External Entity Processing Example

10
 Web Application Attacks Application Exploitation Countermeasures Software Development Security

C ROSS S ITE S CRIPTING (XSS) ATTACKS

❏ A cross-site scripting (XSS) attack is one that uses the web
server to attack the client side.
❏ This injects a code fragment from a scripting language into an
input feld to have that code executed within the browser of a
user visiting a site. For example block
❏ There are three types of cross-site scripting attack. The
difference is whether the script is stored somewhere or not.
❐ Persistent cross-site scripting. Stored on the server
and displayed for any user visiting a page
❐ Refected cross-site scripting. : The script isn’t stored.
Instead, it is included in a URL as a parameter you would
send to a victim.
❐ DOM-based XSS attack: Document Object Model
(DOM)-based XSS attack allow us to call for objects through
the scrip which should result in the object being executed.
11
 Web Application Attacks Application Exploitation Countermeasures Software Development Security

I NJECTION T ECHNIQUE : SQL I

❏ The SQLi attack typically works by prematurely terminating a
text string and appending a new command
❏ Because the inserted command may have additional strings
appended to it before it is executed the attacker terminates the
injected string with a comment mark “- -”

↓
❏ Subsequent text is ignored at execution time

SQLi Attack Avenues
❏ User input: Attackers inject SQL commands by providing
suitable crafted user input
❏ Server variables Attackers can forge the values that are placed
in HTTP and network headers and exploit this vulnerability by
placing data directly into the headers 12
 Web Application Attacks Application Exploitation Countermeasures Software Development Security

T YPE OF SQL I NJECTIONS
Tautology
❏ This form of attack injects code in one or more conditional
statements so that they always evaluate to true

End-of-line comment
❏ After injecting code into a particular feld, legitimate code that
follows are nullifed through usage of end of line comments

Piggybacked queries
❏ The attacker adds additional queries beyond the intended
query, piggy-backing the attack on top of a legitimate request

Inferential Attack
❏ There is no actual transfer of data, but the attacker is able to
reconstruct the information by sending particular requests and
observing the resulting behaviour of the Website/database
13
server.
 Web Application Attacks Application Exploitation Countermeasures Software Development Security

SQL I ATTACK E XAMPLE : L OGIN AUTHENTICATION Q UERY

❏ Standard query to authenticate users:
select * from users where user=’$usern’ AND
pwd=’$password’
❏ Classic SQL injection attacks
Server side code sets variables usernameandpasswd from
user input to web form
Variables passed to SQL query
select * from users where user=’$username’ AND
pwd=’$password’
❏ Special strings can be entered by attacker
select * from users where user=’M’ OR ’1=1’ AND pwd=’M’
OR ’1=1’
❏ Result: access obtained without password

14
 Web Application Attacks Application Exploitation Countermeasures Software Development Security

C OMMAND I NJECTION ATTACK

❏ Similar to an XML external entity injection attack.
❏ The application takes a value from the user and passes it to a
system function or an evaluate function.
❏ Focus on the operating system
❐ Pass the parameters to the operating system to handle.
❏ Consequences: If there is no input validation, you can
execute any operating system command into the input feld
❏ For example: If I enter ping -c 5 192.168.56.111 && cat
/etc/passwd, the result will be the ping and the contents of the
passwd fle.
❐ Try this in next week lab: Lab 5- Finding and Exploiting
Web Vulnerabilities

15
 Web Application Attacks Application Exploitation Countermeasures Software Development Security

F ILE T RAVERSAL

❏ File traversal is a way to get out of what the web server wanted
you to originally see, and be able to see more.
❏ For example: The default web-server public folder for Apache
server on Linux is /var/www/html
❏ If we visit the website of this web-server. the server will point
us to the /var/www/html , usually an index.html page (or
whatever language the site is written in)
❏ File Traversal is the ability to browse the web server and see
fles outside the contents of /var/www/html , for example root
folder of the web server
❏ The web-server public folder for Apache server on our
OWASP VM is /var/www/

16
Application Exploitation
 Web Application Attacks Application Exploitation Countermeasures Software Development Security

B UFFER OVERFLOW ATTACK

❏ A very common attack mechanism
❏ Prevention techniques known
❏ Still of major concern
❏ Legacy of buggy code in widely deployed operating
systems and applications
❏ Continued careless programming practices by
programmers

17
 Web Application Attacks Application Exploitation Countermeasures Software Development Security

B UFFER OVERFLOW BASICS

❏ Programming error when a process attempts to store data
beyond the limits of a fxed-sized buffer
❏ Overwrites adjacent memory locations
❏ Locations could hold other program variables, parameters,
or program control fow data
❏ Buffer could be located on the stack, in the heap, or in the data
section of the process
❏ Consequences:
❏ Corruption of program data
❏ Unexpected transfer of control
❏ Memory access violations
❏ Execution of code chosen by attacker

18
 Web Application Attacks Application Exploitation Countermeasures Software Development Security

OVERFLOW ATTACK TYPES

❏ Buffer Overfow in the stack:
❏ This means that values of local variables, function
arguments, and return addresses are affected.
❏ Stack overfows corrupt memory on the stack.
❏ Buffer Overfow in the Heap:
❏ Heap overfows refer to overfows that corrupt memory
located on the heap.
❏ Typically located above program code
❏ Memory is requested by programs to use in dynamic data
structures (such as linked lists of records)
❏ Global variables and other program data are affected
❏ A fnal category of buffer overfows we consider involves
buffers located in the program’s global (or static) data area.
❏ This is loaded from the program fle and located in
memory above the program code.
19
 Web Application Attacks Application Exploitation Countermeasures Software Development Security

BASIC B UFFER OVERFLOW E XAMPLE

❏ The attacker exploits an unchecked buffer to perform a buffer
overfow attack
❏ The ultimate goal for the attacker is getting a shell that allows
to execute arbitrary commands with high privileges

Figure 4: Memory contents after the
Figure 3: Memory contents Before
malicious input, causing the Buffer
the malicious input
Overfow
20
 Web Application Attacks Application Exploitation Countermeasures Software Development Security

I NPUT S IZE & B UFFER OVERFLOW

❏ Programmers often make assumptions about the maximum
expected size of input
❏ Allocated buffer size is not confrmed
❏ Resulting in buffer overfow
❏ Testing may not identify vulnerability
❏ Test inputs are unlikely to include large enough inputs to
trigger the overfow
❏ Safe coding treats all input as dangerous

21
Countermeasures
 Web Application Attacks Application Exploitation Countermeasures Software Development Security

R EDUCING S OFTWARE V ULNERABILITIES

❏ The NIST presents a range of approaches to reduce the
number of software vulnerabilities
❏ It recommends:
❐ Stopping vulnerabilities before they occur by using
improved methods for specifying and building software
❐ Finding vulnerabilities before they can be exploited by
using better and more effcient testing techniques
❐ Reducing the impact of vulnerabilities by building more
resilient architectures

22
 Web Application Attacks Application Exploitation Countermeasures Software Development Security

VALIDATING N UMERIC I NPUT

❏ Additional concern when input data represents numeric values
❏ Internally stored in fxed sized value
❏ 8, 16, 32, 64-bit integers
❏ Floating point numbers depend on the processor used
❏ Values may be signed or unsigned
❏ Must correctly interpret text form and process consistently
❏ Have issues comparing signed to unsigned
❏ Could be used to thwart buffer overfow check

23
 Web Application Attacks Application Exploitation Countermeasures Software Development Security

W RITING S AFE P ROGRAM C ODE

❏ Second component is processing of data by some algorithm to
solve required problem
❏ High-level languages are typically compiled and linked into
machine code which is then directly executed by the target
processor

Security issues
❏ Correct algorithm implementation
❏ Correct machine instructions for algorithm
❏ Valid manipulation of data

24
 Web Application Attacks Application Exploitation Countermeasures Software Development Security

C ORRECT DATA I NTERPRETATION

❏ Data stored as bits/bytes in computer
❏ Grouped as words or longwords
❏ Accessed and manipulated in memory or copied into
processor registers before being used
❏ Interpretation depends on machine instruction executed

❏ Different languages provide different capabilities for restricting
and validating interpretation of data in variables
❏ Strongly typed languages are more limited, safer
❏ Other languages allow more liberal interpretation of data
and permit program code to explicitly change their
interpretation

25
 Web Application Attacks Application Exploitation Countermeasures Software Development Security

C ORRECT U SE OF M EMORY

❏ Issue of dynamic memory allocation
❏ Unknown amounts of data
❏ Allocated when needed, released when done
❏ Used to manipulate Memory leak
❏ Steady reduction in memory available on the heap to the
point where it is completely exhausted
❏ Many older languages have no explicit support for dynamic
memory allocation
❏ Use standard library routines to allocate and release
memory
❏ Modern languages handle automatically

26
 Web Application Attacks Application Exploitation Countermeasures Software Development Security

SQL I C OUNTERMEASURES AND PREVENTION

❏ Three Types

Defensive coding
❐ Manual defensive coding practices
❐ Parameterised query insertion

Detection
❐ Signature based
❐ Anomaly based
❐ Code analysis

Run-time prevention
❐ Check queries at runtime to see if they conform to a model of
expected queries

27
 Web Application Attacks Application Exploitation Countermeasures Software Development Security

C OUNTERMEASURES AND PREVENTION

❏ Code Injection Attack- There are several defences available
to prevent this type of attack.
❏ The most obvious is to block assignment of form feld
values to global variables. Rather, they are saved in an array
and must be explicitly be retrieved by name.
❏ Another defence is to only use constant values in include
(and require) commands.
❏ This ensures that the included code does indeed originate
from the specifed fles.
❏ If a variable has to be used, then great care must be taken
to validate its value immediately before it is used.
❏ XSS Attack- To prevent this attack:
❏ any user-supplied input should be examined and any
dangerous code removed or escaped to block its execution.

28
 Web Application Attacks Application Exploitation Countermeasures Software Development Security

B UFFER OVERFLOW D EFENCES C OUNTERMEASURES AND PRE -
VENTION

❏ Buffer overfows are widely exploited
❏ Two broad defence approaches
❏ Compile-time
❏Aim to harden programs to resist attacks in new programs
❏ Run-time
❏ Aim to detect and abort attacks in existing programs

29
Software Development Security
 Web Application Attacks Application Exploitation Countermeasures Software Development Security

T HE P RACTICE OF S OFTWARE E NGINEERING

❏ In the early days of software development, software security
was little more than a system ID, a password, and a set of rules
determining the data access rights of users on the machine
❏ There is a need to discuss the risks inherent in making
software systems available to a theoretically unlimited and
largely anonymous audience
❏ Security in software is no longer an “add-on” but a requirement
that software engineers must address during each phase of the
SDLC
❏ Software engineers must build defensive mechanisms into
their computer systems to anticipate, monitor, and prevent
attacks on their software systems

30
 Web Application Attacks Application Exploitation Countermeasures Software Development Security

D EFENSIVE P ROGRAMMING

❏ Programmers often make assumptions about the type of
inputs a program will receive and the environment it executes in
❏ Assumptions need to be validated by the program and all
potential failures handled gracefully and safely
❏ Requires a changed mindset to traditional programming
practices
❏ Programmers have to understand how failures can occur
and the steps needed to reduce the chance of them
occurring in their programs
❏ Conficts with business pressures to keep development times
as short as possible to maximize market advantage

31
 Web Application Attacks Application Exploitation Countermeasures Software Development Security

S ECURITY BY D ESIGN

❏ Security and reliability are common design goals in most
engineering disciplines
❏ Software development not as mature
❏ Recent years have seen increasing efforts to improve secure
software development processes
❏ Software Assurance Forum for Excellence in Code
(SAFECode)
❏ Develop publications outlining industry best practices for
software assurance and providing practical advice for
implementing proven methods for secure software
development

32
 Web Application Attacks Application Exploitation Countermeasures Software Development Security

S OFTWARE D EVELOPMENT L IFE C YCLE

❏ Fundamental tasks
❐ Understand the requirements of the system
❐ Analyse the requirements in detail
❐ Determine the appropriate technology for the system
based on its purpose and use
❐ Identify and design program functions
❐ Code the programs
❐Test the programs, individually and collectively
❐ Install the system into a secure “production” environment

33
 Web Application Attacks Application Exploitation Countermeasures Software Development Security

S OFTWARE D EVELOPMENT L IFE C YCLE

❏ Phases of SDLC
❐ Phase zero (project inception)
❐ System requirements
❐ System design
❐ Development
❐ Test
❐ Deployment
❏ To make software secure, security must be built into the
development life cycle
❏ The earlier in the development life cycle security is
implemented, the cheaper software development will be

34
 Web Application Attacks Application Exploitation Countermeasures Software Development Security

S ECURE S OFTWARE D EVELOPMENT L IFE C YCLE

35
 Web Application Attacks Application Exploitation Countermeasures Software Development Security

S ECURE S OFTWARE D EVELOPMENT L IFE C YCLE

Requirements:
❏ Map security and privacy requirements
❐ Business system analysis should be familiar with
organisational security policies and standards such as
organisation privacy policy and regulatory requirements.

Development
❏ Threat modelling
❐ Used to determine the technical security posture of the
application being developed
❏Design reviews
❐ Carried out by a security subject matter expert and
typically iterative in nature

36
 Web Application Attacks Application Exploitation Countermeasures Software Development Security

S ECURE S OFTWARE D EVELOPMENT L IFE C YCLE
Development
❏ Development-related vulnerabilities
❐ Static analysis: Automation fnd issues with source code
❐ Peer review: Developers review each others code and
provide feedback

Testing
❏Critical step for discovering vulnerabilities not found earlier
❐ Build security test cases
❐ Tests are used during dynamic analysis
❐ Software is loaded and operated in a test environment

Deployment
❐ Final security review
❐ Create application security monitoring and response plan
❏ Security training 37
 Web Application Attacks Application Exploitation Countermeasures Software Development Security

R EFERENCES

❏ The lecture notes and contents were compiled from my own
notes and from various sources.
❏ Figures and tables are from the recommended books
❏ The lecture notes are very detailed. If you attend the
lecture, you should be able to understand the topics.
❏ You can use any of the recommended readings! You do
not need to read all the chapters!
❏ Recommended Readings note: Focus on what was covered
in the class.
❐ Chapter 12- Attack and Defence, CEH v11 Certifed
Ethical Hacker Study Guide
❐ SQL Injection on Owasp site Link
❐ Chapter 8, Malicious Software and Attack Vectors,
Fundamentals of Information Systems Security
❐ Chapter 15, 16 & 17, CyBOK, The Cyber Security Body of
Knowledge 38