Managing IT Risk in 2010 - Understanding End User Attack Vectors

Seminar Series: Managing IT Risk In 2010
Understanding End User Attack Vectors
Brian Judd, CISSP
SynerComm
January 20, 2009

Agenda
• Top 10 Audit Findings
• Client Side Risk
• Client Side Exploit Demonstration
• Minimizing Client Side Risks
• Questions
AssureIT - Top 10 Audit Findings

Top 10 Audit Findings
1. Security Awareness
2. Patch Management
3. OS Hardening / Default Configurations / Build Standards
4. Excessive Privileges
5. Weak Authentication
6. Missing Audit Trails
7. Database Security
8. Web Application Security
9. Over-Disclosure of Information
10. Lack of Network Visibility & Management
Top 10 Audit Findings - Client Side Risks
1. Security Awareness
2. Patch Management
3. OS Hardening / Default Configurations / Build Standards
4. Excessive Privileges
5. Weak Authentication
6. Missing Audit Trails
7. Database Security
8. Web Application Security
9. Over-Disclosure of Information
10. Lack of Network Visibility & Management
Vulnerabilities/Threat Areas Common to Client-Side Risk
AssureIT - Client Side Risk
What are Client-side Vulnerabilities?
• Client-side vulnerabilities include both software weaknesses and end-user security awareness.
• To exploit a client-side vulnerability, the computer end-user must open an infected file/document or browse to a malicious webpage.
  – Occasionally, bugs in software such as MS Outlook's preview feature could execute code with almost no user interaction.
• Client-side attacks often trick users into violating corporate security policies.
  – Targeted phishing attacks often spoof email headers and known/trusted source identities.
  – Policy: Do not open email messages or attachments from unknown sources.
  – Policy: Do not browse non-business related websites.
  – Policy: Do not install unapproved software on business machines.
• Client-side attacks may bypass many technical controls including anti-malware software, firewalls and intrusion prevention systems.
Outcomes of Client-side Attacks
• Like network-based attacks, client-side attacks often result in the compromise of computing systems. It is possible for attackers to execute arbitrary code during exploitation.
• Because client software is being attacked, malicious code will execute in the context of the exploited software.
  – Most client software runs with the same privilege as the user who launched the software.
    • Do your users have local administrator privileges? If so, the attacker's malicious payload will also run with administrator privileges.
  – Some client software may run with elevated privileges regardless of the computer user's privilege.
• The payload of a client-side attack often opens a command-and-control (C&C) connection back to the attacker.
  – Or worse, the C&C connection could join the compromised machine to a botnet.
• The attacker gains access to any data or system that the compromised end-user has access to.
Common Client-side Vulnerabilities
• Internet Browsers
  – Internet Explorer & Firefox
• Browser Plugins
  – ActiveX Controls
    • Adobe Flash, Acrobat PDF Viewer, Quicktime, Realplayer
• Common Applications
  – Sun Java Runtime Environment (JRE), Adobe Acrobat and Acrobat Reader, VNC, Microsoft Office (Word, Excel, PPT, etc.), Symantec BackupExec, Thunderbird, WinZip, Windows Media Player, McAfee EPO, etc.
  – Biggest Risks: Adobe Acrobat Reader and Sun JRE
    • Why? Because they are found on most business machines. Critical vulnerabilities are discovered regularly in each of these applications. Sun's JRE installer does not remove older (vulnerable) versions automatically.
• Computer End-Users
  – The security awareness of your users may be your only defense.
AssureIT - Client-Side Exploit Demonstration
Demonstration

AssureIT - Client-Side Vulnerability Mitigation
Minimizing Client Side Risks
1. Security Awareness
• Policies
  – Employees should be trained on policies at time of hire
  – A policy training/refresher should be given annually
• Procedures
• Standards
• Training
  – Security awareness training should be given to ALL employees annually
    • Require testing to ensure that key concepts are retained
  – Security administrators should receive certification and information security training regularly
2. Patch Management
• Operating system patches
  – Microsoft, Linux, Unix, etc.
    • Legacy Microsoft software may not get patched by Windows Update or WSUS
    • Switches, routers, firewalls, embedded devices
• Application patches
  – Common non-Microsoft applications
    • Adobe – Acrobat, Photoshop, etc.
    • Sun Microsystems – Java Runtime Environment (JRE)
    • Web browsers (Opera, Safari, Konqueror, etc.)
    • Commercial off the shelf (COTS)
    • Custom applications
  – Patch management strategy
    • Weekly, monthly, more?
    • Patch testing and rollback
    • Out of cycle patches? Zero day?
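The two points the deck makes about application patching (that non-Microsoft software such as Acrobat Reader and the JRE needs its own patch cycle, and that the Sun JRE installer leaves older, still-vulnerable releases installed) are easy to check against a software inventory. The following is an added example, not part of the SynerComm deck: it reads a constructed inventory in a simple `host,product,version` layout (the layout, the host names, the product strings modelled on Add/Remove Programs entries, and the approved baseline versions are all assumptions of this example) and reports entries below the approved patch level as well as hosts that carry more than one JRE.

```python
"""Patch-compliance check over a constructed software inventory.

Added example (not from the SynerComm deck). The CSV layout, host names,
product strings and baseline versions are assumptions made for this example.
"""
import csv
import io
import re
from collections import defaultdict

# Constructed sample inventory (hypothetical hosts, products and versions).
INVENTORY_CSV = """host,product,version
ws-101,Adobe Reader,9.3.0
ws-101,Java(TM) 6 Update 17,1.6.0_17
ws-101,Java(TM) 6 Update 11,1.6.0_11
ws-102,Adobe Reader,9.2.0
ws-102,Java(TM) 6 Update 17,1.6.0_17
ws-103,Adobe Reader,9.3.0
ws-103,Java(TM) 6 Update 7,1.6.0_07
"""

# Minimum approved versions (assumed values for this example, not vendor data).
BASELINE = {
    "Adobe Reader": "9.3.0",
    "Java": "1.6.0_17",
}


def parse_version(text):
    """Turn '1.6.0_17' or '9.3.0' into a comparable tuple of integers."""
    return tuple(int(p) for p in re.findall(r"\d+", text))


def product_key(name):
    """Map vendor product strings onto the baseline keys (all JRE entries -> 'Java')."""
    return "Java" if name.startswith("Java") else name


def load_inventory(text):
    """Parse the CSV inventory into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def find_outdated(rows, baseline=BASELINE):
    """Return (host, product, version) for every entry below its baseline."""
    out = []
    for r in rows:
        key = product_key(r["product"])
        if key in baseline and parse_version(r["version"]) < parse_version(baseline[key]):
            out.append((r["host"], r["product"], r["version"]))
    return out


def find_stale_jre(rows):
    """Return {host: [older JRE versions]} for hosts that carry more than one JRE.

    The deck notes that the Sun JRE installer leaves earlier releases in place;
    each of those remains exploitable even when the newest one is current.
    """
    per_host = defaultdict(list)
    for r in rows:
        if product_key(r["product"]) == "Java":
            per_host[r["host"]].append(r["version"])
    stale = {}
    for host, versions in per_host.items():
        if len(versions) > 1:
            newest = max(versions, key=parse_version)
            stale[host] = sorted((v for v in versions if v != newest), key=parse_version)
    return stale


def report(text=INVENTORY_CSV):
    """Run both checks over an inventory and return the findings."""
    rows = load_inventory(text)
    return {"outdated": find_outdated(rows), "stale_jre": find_stale_jre(rows)}


if __name__ == "__main__":
    for section, findings in report().items():
        print(section, findings)
```

Note that `ws-103` shows up only as outdated (a single, old JRE) while `ws-101` shows up only as stale (current JRE installed, but the Update 11 release was never removed); a patch process that only looks at the newest installed version misses the second case.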
3. Operating System Hardening
• Default operating system and application installations are very dangerous
  – Microsoft Windows 2000, XP, Server, etc. all install many unneeded services
  – Most security controls are disabled or configured for maximum usability
  – Cisco routers have vulnerable configurations until hardened
• Remove and/or rename default accounts and set strong passwords
  – Windows – change the "administrator" username and disable the "guest" account
• Consider adopting an operating system standard/benchmark
  – Sources: Center for Internet Security (CIS) or National Institute of Standards and Technology (NIST)
  – Use standards to create a "Gold" build
4. Excessive Privileges
• Users have local administrator privileges to their workstations
  – Especially dangerous for uncontrolled laptops that are used outside of a financial institution's networks
• File shares not protected with access controls
• Employees with access to banking applications and/or GLBA data also have access to email and Internet
  – Administrators need to ask themselves whether or not all employees should be given access to email and Internet
  – Is web browsing secured and filtered by a proxy?
• Firewall egress should be locked down by strict access control lists
5. Egress Controls
• Principle of Least Privilege
  – Only the Email Server or Gateway should be allowed to transmit outbound using SMTP
  – Dangerous protocols such as HTTP, HTTPS, FTP, SSH, ICMP, DNS, chat, P2P should be tightly restricted or blocked
    • If dangerous protocols are allowed egress to the Internet, they should be monitored
      - Email Gateways
      - Web Proxy
      - URL Filter
      - Intrusion Prevention System
      - SOCKS Proxy
    • Encrypted protocols can be dangerous
      - SSH, HTTPS
      - Botnet C&C over valid HTTP/HTTPS posts and requests
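The egress rules above (and the "strict access control lists" point under Excessive Privileges) amount to a small allow-list: one mail gateway may speak SMTP outbound, web traffic leaves only through the proxy, DNS only through the internal resolver, and everything else is denied. The following is an added example, not part of the deck: it encodes that policy and evaluates constructed firewall log lines against it, so that a workstation sending SMTP directly, browsing around the proxy, or talking to an unexpected port is reported. The log line format, the internal address range and the gateway addresses are assumptions of this example.

```python
"""Egress least-privilege check over constructed firewall log lines.

Added example, not from the SynerComm deck. The log format, the 10.0.0.0/8
internal range and the gateway/proxy/resolver addresses are assumptions.
"""
import ipaddress
import re

INTERNAL = ipaddress.ip_network("10.0.0.0/8")

# Hosts permitted to originate each outbound service (assumed addresses).
EGRESS_POLICY = {
    25:  {ipaddress.ip_address("10.0.1.25")},   # mail gateway only
    80:  {ipaddress.ip_address("10.0.1.80")},   # web proxy only
    443: {ipaddress.ip_address("10.0.1.80")},   # web proxy only
    53:  {ipaddress.ip_address("10.0.1.53")},   # internal resolver only
}

# Assumed log layout: "<timestamp> <proto> <src>:<sport> -> <dst>:<dport>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<proto>TCP|UDP) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed sample log lines (not real traffic; documentation address ranges).
SAMPLE_LOG = """\
2010-01-20T09:00:01 TCP 10.0.1.25:51000 -> 203.0.113.10:25
2010-01-20T09:00:02 TCP 10.0.5.17:51001 -> 203.0.113.10:25
2010-01-20T09:00:03 TCP 10.0.1.80:51002 -> 198.51.100.7:443
2010-01-20T09:00:04 TCP 10.0.5.17:51003 -> 198.51.100.7:443
2010-01-20T09:00:05 UDP 10.0.5.17:51004 -> 198.51.100.53:53
2010-01-20T09:00:06 TCP 10.0.5.17:51005 -> 198.51.100.9:6667
2010-01-20T09:00:07 TCP 10.0.5.17:51006 -> 10.0.2.40:445
"""


def parse_line(line):
    """Parse one log line into a flow dict; raise on unknown layouts."""
    m = LOG_RE.match(line)
    if not m:
        raise ValueError("unrecognised log line: " + line)
    return {
        "ts": m["ts"],
        "proto": m["proto"],
        "src": ipaddress.ip_address(m["src"]),
        "dst": ipaddress.ip_address(m["dst"]),
        "dport": int(m["dport"]),
    }


def evaluate(flow, policy=EGRESS_POLICY):
    """Return 'allow', or a short reason string explaining the violation."""
    if flow["dst"] in INTERNAL:
        return "allow"                      # internal traffic is not egress
    allowed = policy.get(flow["dport"])
    if allowed is None:
        return "blocked: port %d not permitted outbound" % flow["dport"]
    if flow["src"] not in allowed:
        return "blocked: %s not authorised for port %d" % (flow["src"], flow["dport"])
    return "allow"


def violations(log_text=SAMPLE_LOG, policy=EGRESS_POLICY):
    """Return (timestamp, src, dport, reason) for every flow the policy rejects."""
    out = []
    for line in log_text.splitlines():
        flow = parse_line(line)
        verdict = evaluate(flow, policy)
        if verdict != "allow":
            out.append((flow["ts"], str(flow["src"]), flow["dport"], verdict))
    return out


if __name__ == "__main__":
    for v in violations():
        print(*v)
```

Run against the sample, the workstation `10.0.5.17` is reported four times: direct SMTP, HTTPS around the proxy, DNS to an external resolver, and an outbound connection on port 6667, while the gateway and proxy flows pass. The same evaluator applied to a pending rule change, rather than to logs, shows which of the deck's "dangerous protocols" a proposed rule would open.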
Questions?