Module 3: Common Threats
Overview • Root Kits and Boot Kits • Cross Site Scripting • Hidden Object (Services, Files and Users) • Web Application Backdoors (C99.php, etc) • Vulnerability Scan • DDOS / Application Attack • Spoofing DNS, SSL, MAC, etc • Man in the middle attack
Overview - Continued • Phishing • Key Logging • SQL Injection • Mail form exploits • Defacing • Social Engineering
Rootkits • A rootkit is software that enables continued privileged access to a computer • The term is a concatenation of "root" (the superuser account on Unix operating systems) and "kit" (the software components that implement the tool)
How to Detect Rootkits • Signature-based detection • Detection by comparison • Heuristic-based detection • Integrity-based detection
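Integrity-based detection and detection by comparison both reduce to diffing the system against a trusted snapshot. The following is an added example (not code from the slides): it records a SHA-256 and permission bits for every regular file under a root, then reports what was added, removed or modified; the directory layout in demo() is constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path):
    # Hash in chunks so large binaries do not need to fit in memory.
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    # Snapshot: relative path -> (sha256, permission bits) for every regular file.
    # Symlinks are skipped so a planted link cannot redirect the check elsewhere.
    root = Path(root)
    snap = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            snap[p.relative_to(root).as_posix()] = (sha256_of(p), p.stat().st_mode & 0o7777)
    return snap


def compare(baseline, current):
    # Integrity-based detection: anything that differs from the trusted snapshot
    # is reported, including a permission change on an unchanged file.
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys() if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    # Constructed scenario: a replaced "ls" of identical size, an extra file
    # dropped into bin/, and a deleted log file.
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir()
        (root / "etc").mkdir()
        (root / "bin" / "ls").write_bytes(b"ELF original")
        (root / "etc" / "passwd").write_bytes(b"root:x:0:0\n")
        (root / "var.log").write_bytes(b"boot ok\n")
        baseline = build_baseline(root)
        (root / "bin" / "ls").write_bytes(b"ELF replaced")  # same length, new content
        (root / "bin" / "extra").write_bytes(b"not in baseline\n")
        (root / "var.log").unlink()
        return compare(baseline, build_baseline(root))
```

Because a kernel-mode rootkit can hide files or alter what the file system reports, the baseline must be stored off the host and the comparison is only trustworthy when run from a clean boot medium.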
How to protect from Rootkits • Install a good anti-malware solution on the computer, and always keep it activated and updated. • Install a personal firewall that will protect against unauthorized access to your computer. • Always ensure that the applications installed on the computer are kept up to date, and make sure to install any security patches supplied by manufacturers. However, the task of protecting against rootkits is not to be taken lightly, and cannot be limited to a series of generic protection measures.
Bootkits • A bootkit is a kernel-mode rootkit variant • It is used predominantly to attack full disk encryption systems • A bootkit replaces the legitimate boot loader with one controlled by an attacker; typically the malware loader persists through the transition to protected mode once the kernel has loaded
Cross-site scripting (XSS) • Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications • It enables malicious attackers to inject client-side script into web pages viewed by other users • Its impact may range from a petty nuisance to a significant security risk
Exploit scenarios Cross-site scripting Non-persistent: • Alice often visits a particular website, which is hosted by Bob. Bob's website allows Alice to log in with a username/password pair and stores sensitive data, such as billing information. • Mallory observes that Bob's website contains a reflected XSS vulnerability. • Mallory crafts a URL to exploit the vulnerability, and sends Alice an email, enticing her to click on a link for the URL under false pretenses. This URL will point to Bob's website, but will contain Mallory's malicious code, which the website will reflect.
Exploit scenarios Cross-site scripting • Alice visits the URL provided by Mallory while logged into Bob's website. • The malicious script embedded in the URL executes in Alice's browser, as if it came directly from Bob's server (this is the actual XSS vulnerability). • The script can be used to send Alice's session cookie to Mallory. Mallory can then use the session cookie to steal sensitive information available to Alice (authentication credentials, billing info, etc.) without Alice's knowledge.
Exploit scenarios Cross-site scripting Persistent attack: • Mallory posts a message with malicious payload to a social network. • When Bob reads the message, Mallory's XSS steals Bob's cookie. • Mallory can now hijack Bob's session and impersonate Bob.
Cross Site Scripting (also known as XSS or CSS) is generally believed to be one of the most common application layer hacking techniques.
How to protect Cross-site scripting attacks • Encode output based on input parameters. • Filter input parameters for special characters. • Filter output based on input parameters for special characters.
How to protect Cross-site scripting attacks • RULE #0 - Never Insert Untrusted Data Except in Allowed Locations • RULE #1 - HTML Escape Before Inserting Untrusted Data into HTML Element Content • RULE #2 - Attribute Escape Before Inserting Untrusted Data into HTML Common Attributes
How to protect Cross-site scripting attacks • RULE #3 - JavaScript Escape Before Inserting Untrusted Data into HTML JavaScript Data Values • RULE #4 - CSS Escape Before Inserting Untrusted Data into HTML Style Property Values • RULE #5 - URL Escape Before Inserting Untrusted Data into HTML URL Parameter Values
How to protect Cross-site scripting attacks • RULE #6 - Use an HTML Policy engine to validate or clean user-driven HTML in an outbound way • RULE #7 - Prevent DOM-based XSS
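Rules #1 through #5 say the same thing in different contexts: escape for the place the untrusted data lands, not for "HTML" in general. The following added example (not from the slides) shows one escaper per context from Rules #1, #2, #3 and #5 and a render function that applies each in the right place; the function and field names are assumptions for illustration.

```python
import html
import json
from urllib.parse import quote


def escape_html_content(s):
    # RULE #1: element content. html.escape handles & < > and, with quote=True,
    # also " and ' so the same output is safe in the attribute case below.
    return html.escape(s, quote=True)


def escape_html_attribute(s):
    # RULE #2: attribute value. Adequate only because render_profile() always
    # emits the attribute inside double quotes; unquoted attributes need more.
    return html.escape(s, quote=True)


def escape_js_string(s):
    # RULE #3: data value inside a <script> string literal. json.dumps yields a
    # double-quoted literal; "</" is split so the value can never close the
    # enclosing <script> element early.
    return json.dumps(s).replace("</", "<\\/")


def escape_url_param(s):
    # RULE #5: URL parameter value. safe="" percent-encodes even "/" and "?"
    # so the value cannot add path segments or extra parameters.
    return quote(s, safe="")


def render_profile(name, color, query):
    # Each untrusted value is escaped for exactly the context it is inserted into.
    return (
        f'<div title="{escape_html_attribute(name)}">{escape_html_content(name)}</div>\n'
        f'<a href="/search?q={escape_url_param(query)}">search</a>\n'
        f'<script>var color = {escape_js_string(color)};</script>'
    )
```

Rule #6 (HTML policy engine) is the case these escapers cannot cover: when the user is allowed to supply markup, escaping would destroy it and a sanitizer must be used instead.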
Phishing In the field of computer security, phishing is the criminally fraudulent process of attempting to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication. Phishing is typically carried out by e-mail or instant messaging.
Phishing e-mail - Example An example of a phishing e-mail, disguised as an official e-mail from a (fictional) bank. The sender is attempting to trick the recipient into revealing confidential information by "confirming" it at the phisher's website. Note the misspelling of the words received and discrepancy. Such mistakes are common in most phishing emails. Also note that although the URL of the bank's webpage appears to be legitimate, it actually links to the phisher's webpage.
Phishing techniques • Recent phishing attempts • Link manipulation • Filter evasion • Website forgery • Phone phishing • Other techniques
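The link manipulation the example e-mail illustrates (visible text shows the bank's URL, the href goes elsewhere) can be checked mechanically in a mail gateway. The following is an added example, not part of the slides: it parses the anchors of an HTML body and flags any whose visible text names a different host than its href. The sample body is constructed; the .test domain and the 203.0.113.5 address are documentation placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class LinkCollector(HTMLParser):
    # Gathers (href, visible text) pairs for every <a> element in an HTML body.
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(s):
    # Lower-cased host of a URL; bare "www.example.test" text is accepted too.
    if "://" not in s:
        s = "http://" + s
    return (urlparse(s).hostname or "").lower()


def looks_like_url(text):
    return " " not in text and ("://" in text or "." in text)


def suspicious_links(html_body):
    # Flag anchors whose visible text names one host while the href points at
    # another: the "appears legitimate but links to the phisher" pattern.
    p = LinkCollector()
    p.feed(html_body)
    return [(href, text) for href, text in p.links
            if looks_like_url(text) and host_of(text) != host_of(href)]


# Constructed sample body, not a real message; the misspelling mirrors the slide.
SAMPLE = """<p>We recieved a discrepancy report. Please confirm your account at
<a href="http://203.0.113.5/confirm">https://www.examplebank.test/login</a>
or read our <a href="https://www.examplebank.test/help">help page</a>.</p>"""
```

Text that is not URL-like ("help page") is ignored, so the check only fires on the display-text/href mismatch and not on ordinary named links.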
Network-Based Phishing Protection • Vulnerability Filters • Pattern-Matching Signatures • Behavior-Based Protection Techniques • Content Inspection
Phishing Protection Comprehensive Phishing Protection Against: • Initial Web Site Compromises • Mass Phishing E-mails • Click through on Misleading URLs • Displays of Phish Web Sites • Submissions of Personal Information
Common Scenarios Scenario #1 Your application relies on a powerful framework like ColdFusion or ASP.Net. XSS flaws are found in these framework components you rely on. An update is released to fix these flaws but you don't update your libraries. Until you do, attackers can easily find and exploit these flaws in your app. Scenario #2 The app server admin console is automatically installed and not removed. Default accounts aren't changed. Attacker discovers the standard admin pages are on your server, logs in with default passwords, and takes over.
Common Scenarios Scenario #3 Directory listing is not disabled on your server. Attacker discovers she can simply list directories to find any file. Attacker finds and downloads all your compiled Java classes, which she reverses to get all your custom code. She then finds a serious access control flaw in your application. Scenario #4 App server configuration allows stack traces to be returned to users, potentially exposing underlying flaws. Attackers love the extra information error messages provide.
How to Protect The primary recommendations are to establish all of the following: • A repeatable hardening process that makes it fast and easy to deploy another environment that is properly locked down. Development, QA, and production environments should all be configured identically. This process should be automated to minimize the effort required to set up a new secure environment. • A process for keeping abreast of and deploying all new software updates and patches in a timely manner to each deployed environment. This needs to include all code libraries as well, which are frequently overlooked. • A strong application architecture that provides good separation and security between components. • Consider running scans and doing audits periodically to help detect future misconfigurations or missing patches.
Common Scenarios Buffer overflow attacks This kind of attack involves sending overly long input streams to the attacked server, causing the server to overflow parts of its memory and either crash the system or execute the attacker's arbitrary code as if it were part of the server's code. The attacker's input can inject backdoor code and also set the return address of a function within the server code to point to the backdoor. When the function returns, the backdoor is successfully installed.
Common Scenarios Remote Administration / Troubleshooting Administrators and sometimes developers connect directly to the application for troubleshooting. After finishing the job they might forget to stop the related service, or while fixing an urgent problem in the application they may introduce insecure code. In both cases attackers get an easy way to inject a backdoor, which they later use for information theft.
How to Protect • Develop documented secure practices for remote administration of the server and for troubleshooting the application. • Ideally, development and production environments should be kept separate, with no access to production for any programming changes. • Train developers in secure coding in order to avoid attacks like buffer overflow and XSS. • Test all applications, and any modification to an application, for security risks before rolling them into the production environment. • Routinely audit user accounts, configuration files and system files for changes, and ensure any such changes have been authorized. • Purge all the logs after fixing a problem in the application.
Vulnerability scan • A vulnerability scanner is a computer program designed to assess computers, computer systems, networks or applications for weaknesses • Functionality varies between different types of vulnerability scanners • They share a common, core purpose of enumerating the vulnerabilities present in one or more targets
Types of Vulnerability Scanners • Port scanner • Network enumerator • Network vulnerability scanner • Web application security scanner
DDOS/Application attack • A denial-of-service (DoS) attack or distributed denial-of-service (DDoS) attack is an attempt to make a computer resource unavailable to its intended users
Symptoms of denial-of-service attacks • Unusually slow network performance (opening files or accessing web sites) • Unavailability of a particular web site • Inability to access any web site • Dramatic increase in the number of spam emails received—(this type of DoS attack is considered an e-mail bomb)
Modes of DoS attacks • It can include the consumption of resources such as bandwidth or disk space • It can include the destruction or alteration of configuration information • It can include the destruction or alteration of network components
Measures for Network Admins • Measure 1: Prevention of IP Spoofing • Measure 2: Use of Packet Filters for Network agents • Measure 3: Packet filtering • Measure 4: Automatic Attack recognition
Measures for Network agents • Measure 5: Establishment of a contingency plan. • Measure 6: Secure Configuration of the Servers • Measure 7: Restrictive Granting of Rights and Recording • Measure 8: Use of Open Source Products
Measures for Content Providers • Measure 1: Selection of suitable and IT safety-conscious server operators • Measure 2: Prevention of active Content • Measure 3: Daily checking of files for viruses and attack programs