280 likes | 294 Views
This session focuses on ethical hacking principles, vulnerability testing, and protocols essential for cybersecurity. Topics include the difference between vulnerability scanning and penetration testing, the importance of Cyber Essentials certification, financial benefits of information assurance, and the real costs involved in achieving cybersecurity compliance. Learn how to use testing software effectively and ensure your organization remains secure in a digital landscape fraught with threats.
E N D
COMP3371Cyber SecurityWeek 10 Richard Henson University of Worcester December2017
Learning Objectives… • Explain the different ways external hackers can find their way into an organisation via its website • Use vulnerability testing software within the law to check access to the organisation’s network (and information about it!) from outside • Explain the difference between vulnerability scanning and penetration testing and advise on appropriateness of each
Software and System Vulnerabilities • As previously stated: • unpatched software is manna from heaven for hackers • Anyone can assess fairly quickly whether operating systems, applications, or development environments are up-to-date • In this final session, we’ll look a little closer at how “ethical hacking” can help keep organisations free of exploitable software
Ethical Hacking Principles • As already stated, but worth re-stating!!! • hacking is a criminal offence in the UK • covered through The Computer Misuse Act (1990) & additions in 2006 • Entering someone else’s computer system can only legally be done by a trained (or trainee) professional
Asking Permission… • This is the crucial factor in UK law • no one should ever penetrate a computer system without permission • A computing student would be considered in this context under the law • and if they didn’t ask permission, they would be acting illegally!
Ethical Hacking principles • Even if a practice is currently legal, doesn’t mean it is ethical! • even passive scanning without permission could be categorised as “snooping” (i.e. unethical) • Hacking without permission… is a job for professionals… • given police/home secretary permission • only if there is reason to believe a law is being broken
Vulnerability Testing & Penetration Testing • There is a difference! • a vulnerability test will use software to scan around the organisation boundary • many potential vulnerabilities… • report could be lengthy! • a penetration test seeks to exploit the vulnerability/ies revealed by the scan • actual report <10 pages!
CE and CE+ • CE is obtained by correctly answering questions in a self-assessment test • some regard it as of limited value because the organisation may answer wrongly • however, if/when they get hacked and are shown to have lied they are unlikely to get another certificate for some time! • CE+ requires real evidence • regarded as more rigorous… • but much more expensive!
Cyber Essentials Plus and Vulnerability Scanning • The requirement is for a scan report… that shows no obvious vulnerabilities • Many tools available • Titania’s RAT is a very simple example • lots of free tools on the Internet to test organisational defences • permission is needed for use (!)
Active Scanning & Passive Scanning • Both types of vulnerability scanning • Only active scanning crosses the barrier into potential penetration and therefore misuse Passive scanning organisation Active Scanning
Application-Transport Layer • Vulnerabilities through the web… especially http but also through poor web app programming Myapp/ http HTTP HTTPS NFS DNS SNMP X X X X ports X X TCP UDP IP
Use of a Quality Standard to justify spending on security • Whatever the business… • any new work will have a cost • cost needs to be qualified • More cost means less profit… • what is the ROI of achieving a high level of information security • At least with information assurance (assuming they get certified) there is a positive outcome…
Potential Financial Benefits of Information Assurance • Need to be sold to senior mgt… • less risk of losing valuable (even strategically important…) data • less likely to get embarrassing leaks, which could even get to the media (!) • less likely to fall foul of the law (!) • an ever growing set of examples of businesses who have done both of the above • evidence that they lost customers and share price dropped…
Real costs of CE (level 1) • £300 self-assessment test • Cost of GAP analysis… • what’s missing? • Cost of correction of “gaps” • update software • reconfigure software • update policy and documentation • Offered for Worcs B2B SMEs • Be Cyber Secure assistance… worth £1500
Real costs of CE+ (level 2) • Cost of qualifying for CE • Plus… • total cost of external vulnerability report • £500-1000 • cost of implementing report • usually reconfiguration of software e.g. firewall • Advantage: industry-recognised IA (!)
Testing Software • Final version tested for vulnerabilities… • with typical input data • known as “run-time” or “blackbox” testing • according to coding expectations (e.g. branching and looping) • known as whitebox testing • If all tests passed… • software ready for rollout? • could be “risk assessed” first?
Further Testing for Websites • Two more types of testing… • historically more emphasis on “accessibility” of content (W3C) • website had to be available to all users to meet requirements of 2004 Legislation • testing tended to focus on this aspect • only later did testing for “security” become mainstream… • still some confusion • need to test for both!!!
OWASP (Open Web Applications Security Project) • Core purpose: • “Be the thriving global community that drives visibility and evolution in the safety and security of the world’s software.”
OWASP’s top 3 vulnerabilities • A1 Injection • Through: SQL, OS, XXE, LDAP • Untrusted data is sent to an interpreter as part of a command or query. • Hostile data can trick the interpreter into • executing unintended commands • accessing data without proper authorization. • A2 Broken Authentication • Authentication/session management implemented incorrectly • Allows attackers to • compromise passwords, keys, or session tokens, • or to exploit other implementation flaws to assume other users’ identities • A3 Sensitive Data Exposure • XSS allows attackers to execute scripts in the victim’s browser • which can hijack user sessions, deface web sites, • or redirect the user to malicious sites. • XSS flaws occur whenever an application includes untrusted data in a new web page without proper validation or escaping, • or updates an existing web page with user supplied data • using a browser API that can create JavaScript.
OWASP: Next 3 • A4 XML External Entities (XXE) • Restrictions on what authenticated users allowed to do not properly enforced. • Attackers exploit these flaws to access unauthorized functionality and/or data, (e.g. access other users accounts, view sensitive files, modify other users data, change access rights, etc.) • A5 Broken Access Control • Secure configuration should be defined/deployed for the application, frameworks, application server, web server, database server, platform, etc. • Secure settings should be defined, implemented & maintained (defaults often insecure). Software should be kept up to date • A6 Security Misconfiguration • Many web applications and APIs do not properly protect sensitive (financial, healthcare, PII) data • such data stolen/modified to conduct credit card fraud, identity theft, or other crimes. Sensitive data needs encryption at rest or in transit, as well as special precautions when exchanged with the browser.
OWASP: Next 2 • A7 Cross-Site Scripting (XSS) • Many applications/APIs lack the basic ability to detect, prevent, and respond to both manual and automated attacks • attack protection goes far beyond basic input validation and involves automatically detecting, logging, responding, even blocking exploit attempts • application owners need to deploy patches quickly to protect against attacks • A8 Insecure Deserialization • A CSRF attack forces a logged-on victim’s browser to send a forged HTTP request - including the victim’s session cookie & any other automatically included authentication information - to a vulnerable web application • Such an attack allows the attacker to force a victim’s browser to generate requests the vulnerable application thinks are legitimate
OWASP: Final 2 • A9 Using Components with Known Vulnerabilities • components, such as libraries, frameworks, and other software modules, run with the same privileges as the application • vulnerable component exploited.. can result in serious data loss , even server takeover • applications and APIs using components with known vulnerabilities may undermine application defences and enable various attacks and impacts • A10 Insufficient_Logging & Monitoring • Modern applications may have rich client applications and APIs • e.g. JavaScript & mobile apps • These connect to an API (SOAP/XML, REST/JSON, RPC, GWT, etc.) • Apps often unprotected and contain numerous vulnerabilities.
Vulnerability Testing Tools • Many Website tools… • many free to download (!?) • best to use one recommended by a professional (!) • OWASP (Open Web Applications Security Project) • Worldwide… make security “visible” • Vulnerability testing tool called ZAP
OWASP/ZAP • ZAP has evolved over many years, thanks to the efforts of enthusiastic experts wishing to put their expertise to good use • mostly used for passive scanning but also active components • All that is needed is the URL of the website… • results of scan need careful interpretation
Using ZAP • Open source & versions for all major platforms • needs Java Environment to run • described as a “man-in-the-middle proxy” • Stands between the tester’s browser and the web application • can intercept and inspect messages sent between browser and web application.. • modify the contents if needed • forward packets on to the destination
Output from ZAP • I tried it on a site… four vulnerabilities detected: • Prone to “clickjacking” • Solution: use the X-frames-options http header • AUTOCOMPLETE attribute not disabled • ngood practice for password fields • Could allow proxies to cache content • Cache-control and pragma http header not set correctly • Prone to XXS • Protection not fully engaged
Now over to you… • ZAP may not run on university machines • If not, download and try on your own machine • The application you will test is quite old, but demonstrates various principles of (not…) secure web applications • it is harmless but modern browsers offer protection against all unsigned .exe files
That’s all for 2017! Have a Great Christmas! See you in the New Year