Threat Management: Case studies of threats that occurred



Threat Management
Case studies of threats that have occurred and how to be prepared for them
Presented by
Kunal Bansal
[email protected]
Introduction
Constraints on software projects due to budget, time and resources
pose a problem for applications.
Threat management and analysis are usually ignored until the
“last minute” or until a breach occurs.
Thwarting threats requires detailed modeling: identifying the
scenarios, threats and vulnerabilities, along with the measures
to counter them.
There is no single measure that effectively roots out all threats.
Threat Management and its Implications
Anatomy of an attack
The fundamental steps an attacker takes against a web application
are: survey (and analysis), exploitation and penetration, escalation
of privileges, maintaining access (for the attacker's own use) and
denying access to others.
Application Overview
Key steps in identifying the risks associated with threats to an
application are:
1. Identification of security objectives
2. Creation of an overview and attack trees
3. Decentralizing the application
4. Identification of threats for the model
5. Identification of vulnerabilities
Security Objectives
(Microsoft Strategy)
Assets include data stored in databases and system resources.
A threat is anything that can harm an asset.
A vulnerability is a weakness that a threat can exploit.
An action is a measure taken to harm an asset through its
vulnerability.
Countermeasures are measures taken to protect assets against
threats and to thwart the actions of an individual.
Attack Trees
Concept invented by Bruce Schneier.
An attack tree consists of one root, interior (child) nodes and leaves.
Child nodes are conditions; satisfying them makes their parent node
true, and satisfying the root condition completes the attack.
The most effective way to mitigate an attack is to stop it at the root.
Desk – Computer example
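An added example (not from the slides) of evaluating an attack tree in the way described above: leaves are attacker steps, AND nodes need every child, OR nodes need any one child, and a countermeasure closes a leaf. It fleshes out the desk/computer example with invented branches and costs, all of which are assumptions.

```python
# Added example (not from the slides): a small attack-tree evaluator in the
# style Schneier describes. All node names and attacker costs are constructed;
# "closing" a leaf models a countermeasure applied at that leaf.
from dataclasses import dataclass, field

INF = float("inf")

@dataclass
class Node:
    name: str
    kind: str = "LEAF"        # "LEAF", "AND" or "OR"
    cost: float = 0.0         # attacker effort; meaningful for leaves only
    children: list = field(default_factory=list)
    closed: bool = False      # True once a countermeasure blocks this leaf

    def cheapest(self) -> float:
        """Cheapest way for an attacker to make this node true (INF if blocked)."""
        if self.kind == "LEAF":
            return INF if self.closed else self.cost
        costs = [c.cheapest() for c in self.children]
        return sum(costs) if self.kind == "AND" else min(costs)

def build_tree() -> Node:
    """The slides' desk/computer example, fleshed out with invented branches."""
    return Node("read files on desk computer", "OR", children=[
        Node("use unlocked session", cost=1),
        Node("log in as the owner", "AND", children=[
            Node("learn password", "OR", children=[
                Node("find password note on desk", cost=2),
                Node("guess weak password", cost=20),
            ]),
            Node("reach the keyboard", cost=1),
        ]),
    ])

def close_leaf(node: Node, leaf_name: str) -> None:
    """Apply a countermeasure (screen lock, clean-desk rule, ...) to one leaf."""
    if node.kind == "LEAF" and node.name == leaf_name:
        node.closed = True
    for child in node.children:
        close_leaf(child, leaf_name)

def residual_cost(countermeasures) -> float:
    """Cheapest remaining path to the root after the given leaves are closed."""
    tree = build_tree()
    for name in countermeasures:
        close_leaf(tree, name)
    return tree.cheapest()
```

Closing the physical-access leaf on the AND branch raises the residual cost to infinity, which is the tree's way of showing that a countermeasure on a required step kills the whole branch.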
Decentralizing and Securing the Application
Securing a web application involves securing the network and host
along with the application, database and web server.
Firewalls to block malicious code and unauthorized entry are essential.
A weakness in any one of the tiers makes the entire application
prone to attack.
Identification of Vulnerabilities
Requires a good understanding of the system and the attacks that
are possible against it.
Threats can be classified as exploits, eavesdropping, social
engineering and human error, denial-of-service attacks, backdoor
attacks and direct-access attacks.
Lack of garbage collection can be considered a threat too, since
memory is not infinite and memory that is never reclaimed could
cause applications to crash in the long term.
Security Threats
(Authentication)
Network eavesdropping: capturing usernames and passwords passed in
clear text, using network monitoring software.
Dictionary and brute force attacks (demo): using computer hardware
and trial-and-error methods to crack hashed and encrypted passwords
with massive dictionaries.
Cookie replay and credential theft attacks.
Security Threats
(Authorization and Cryptography)
Elevation of privilege using the RevertToSelf API to run as the local system
account, with the most power and privilege.
Disclosure of confidential data.
Checksum spoofing is possible because hashes such as the Secure Hash
Algorithm (SHA-1) and the Message Digest (MD) algorithms can easily be
recomputed once the message has been changed.
Plaintext: Place 10 orders.
Hash: T0mUNdEQh13IO9oTcaP4FYDX6pU=
Attackers can capture the message and modify the order, resulting in
Plaintext: Place 100 orders.
Hash: oEDuJpv/ZtIU7BXDDNv17EAHeAU=
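An added example (not from the slides) of the checksum-spoofing scenario above and of the fix the later Countermeasures slide calls data hashing with a digital signature: a bare hash is recomputed by the attacker, while a keyed MAC under a secret key is not. The slide's digests look like base64-encoded SHA-1, so the same construction is used; the key value is a constructed assumption.

```python
# Added example (not from the slides): an unkeyed checksum over the order
# message can be re-forged, a keyed MAC (HMAC) over the same message cannot.
# The server key below is a constructed value.
import base64
import hashlib
import hmac

def plain_checksum(message: str) -> str:
    """Unkeyed SHA-1, base64-encoded: anyone, the attacker included, can recompute it."""
    return base64.b64encode(hashlib.sha1(message.encode()).digest()).decode()

def keyed_tag(key: bytes, message: str) -> str:
    """HMAC-SHA1 under a secret key the attacker does not hold."""
    return base64.b64encode(hmac.new(key, message.encode(), hashlib.sha1).digest()).decode()

def verify_plain(message: str, checksum: str) -> bool:
    return hmac.compare_digest(plain_checksum(message), checksum)

def verify_keyed(key: bytes, message: str, tag: str) -> bool:
    return hmac.compare_digest(keyed_tag(key, message), tag)

def tamper_and_verify(key: bytes) -> dict:
    """Replay the slide's scenario: the attacker rewrites 10 orders as 100."""
    original, forged = "Place 10 orders.", "Place 100 orders."
    # Unkeyed checksum: the attacker simply recomputes it for the new text,
    # so the receiver accepts the forged order.
    plain_ok = verify_plain(forged, plain_checksum(forged))
    # Keyed tag: the attacker cannot recompute it without the key, so the best
    # they can do is forward the original tag with the modified message.
    keyed_ok = verify_keyed(key, forged, keyed_tag(key, original))
    return {"plain_accepted": plain_ok, "keyed_accepted": keyed_ok}
```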
Breaching Applications in Commerce
(Buffer Overflow)
Buffer overflow: data copied without any length check can further enable
injection attacks and denial of service.
Not a major problem in managed code, but still a problem when managed
code calls unmanaged APIs.
#include <string.h>
void SomeFunction( char *pszInput )
{
    char szBuffer[10];
    // Input is copied straight into the buffer; no length check is performed
    strcpy(szBuffer, pszInput);
    . . .
}
Breaching Applications in Commerce
(Cross Site Scripting)
Cross-site scripting can enable arbitrary code to execute when the
browser is in a trusted zone.
Internet security zones provide no protection, and since the attacker's
code has access to the cookies stored on the user's computer, the user's
authentication cookies are targeted.
The attack starts when a user clicks on a malicious link disguised as a
genuine one.
Legitimate link
www.yourwebapplication.com/logon.aspx?username=bob
Malicious link
www.yourwebapplication.com/logon.aspx?username=<script>alert('hacker code')</script>
Breaching Applications in Commerce
(SQL Injection)
Arbitrary commands can be run in the database. Stored procedures that accept
unfiltered user input can cause unwanted manipulation, destruction and/or
retrieval of data.
SqlDataAdapter myCommand = new SqlDataAdapter(
    "SELECT * FROM Users WHERE UserName ='" + txtuid.Text + "'", conn);
SQL injection occurs when the original statement is terminated by a single
quote character followed by a semicolon to begin a new command (of the
attacker's choice).
'; DROP TABLE Customers --
The original statement has now changed from a simple select statement to the
harmful drop statement below:
SELECT * FROM Users WHERE UserName=''; DROP TABLE Customers --'
Countermeasures
(Buffer Overflow, Cross Site Scripting and SQL Injection)
Buffer overflow -> input validation: validate length, type, format and
range. Limit unmanaged code, and cross-examine any use of unmanaged APIs.
Cross site scripting -> input validation: permit only valid form fields and
cookies, and use regular-expression validation routinely. Use the
HTMLEncode and URLEncode functions to encode user input (so that script
is rendered as HTML text rather than executed).
SQL injection -> validate requests from applications before sending them
to the database. Use least-privilege accounts to connect to the database.
Check input strings for possible execution. Idle sessions using
sqlplus /nolog or connect sys /as sysdba should be disabled.
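An added example (not from the slides) that runs the two injection inputs shown above through the countermeasures this slide names, parameterised queries and HTML encoding, in Python with an in-memory SQLite database rather than the slides' C#. Table names follow the slides; their contents are constructed.

```python
# Added example (not from the slides): the concatenated query from the SQL
# injection slide next to a parameterised one, and the XSS payload from the
# cross-site scripting slide passed through HTML encoding. Rows are constructed.
import html
import sqlite3

def unsafe_query(username: str) -> str:
    """The slide's concatenated statement, built only to show what reaches the DB."""
    return "SELECT * FROM Users WHERE UserName ='" + username + "'"

def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE Users(UserName TEXT); INSERT INTO Users VALUES('bob');"
        "CREATE TABLE Customers(Id INTEGER);"
    )
    return conn

def safe_lookup(conn: sqlite3.Connection, username: str) -> list:
    """Parameterised query: the input is bound as data and never parsed as SQL."""
    return conn.execute(
        "SELECT * FROM Users WHERE UserName = ?", (username,)
    ).fetchall()

def table_exists(conn: sqlite3.Connection, name: str) -> bool:
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (name,)
    ).fetchone()
    return row is not None

def render_greeting(username: str) -> str:
    """The HTMLEncode step: reflected input is rendered as text, not run as script."""
    return "<p>Welcome, " + html.escape(username, quote=True) + "</p>"

def demo() -> dict:
    injected = "'; DROP TABLE Customers --"
    conn = make_db()
    rows = safe_lookup(conn, injected)        # treated as a (non-existent) username
    return {
        "unsafe_sql": unsafe_query(injected),  # the harmful statement from the slide
        "rows_for_injected": rows,
        "customers_intact": table_exists(conn, "Customers"),
        "rows_for_bob": safe_lookup(conn, "bob"),
        "greeting": render_greeting("<script>alert('hacker code')</script>"),
    }
```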
Identification of Vulnerabilities
(Continued)
Performance and speed can be affected: C# programs execute faster than
C++ programs.
The C# runtime can allocate memory by simply incrementing a pointer into
a region of memory set aside for new allocations.
class A {
    private int x;
    public A() { x = 0; x++; }
}
class Example {
    public static void Main() {
        for (int i = 0; i < 1000000000; i++) {
            A a = new A();
        }
        System.Console.WriteLine("DING!");
    }
}
Performance Issues
C++ programs need a new block of memory for each new instance of class ‘A’.
The C++ allocator must hunt for free blocks of memory in a fragmented heap
for every allocation.
#include <iostream>
class A {
    int x;
public:
    A() { x = 0; x++; }
};
int main() {
    for (int i = 0; i < 1000000000; i++) {
        A* a = new A();
        delete a;
    }
    std::cout << "DING!" << std::endl;
}
Countermeasures
Spoofing -> strong authentication, SSL, strong passwords stored in
encrypted format.
Data tampering -> data hashing, digital signatures, authorization,
X.509 certificates, trusted zones.
Repudiation -> secure audit trails, digital signatures.
Denial of service -> resource and bandwidth throttling techniques,
along with packet sniffing and input filtering.
Privilege elevation -> operations should run under least-privilege
accounts, using higher-privilege accounts only to access locked
resources.
Additional Countermeasures
Sniffing -> strong physical security and network segmentation to prevent
local collection of information.
Session hijacking -> encrypted sessions, platform patches to prevent
TCP/IP vulnerabilities.
Footprinting -> lock down unused ports, firewall and configuration
settings, and monitor suspect ports.
Password cracking -> lockout policies, deny the use of default
passwords, audit multiple failed logins for an account.
Arbitrary code execution -> configure IIS to reject ../ URLs.
Prevent idle session logins to an Oracle database via the sqlnet.ora file.
Case Studies
(Real-life examples)
Unauthorized access at North Bay Health Care Group: fraudulent alteration
of 127 electronic checks by Jessica Sabatia, resulting in a loss of
$875,035 to the company.
Malicious insider attack at UBS Paine Webber using a ‘logic bomb’,
resulting in the simultaneous deletion of 1000 documents across 1500
networked branches. The firm suffered a loss of $3 million.
26.5 million records stolen from the Veterans Administration as a result of
an employee's house being burglarized in May 2006. The data included SSNs,
names and addresses.
The Melissa worm in March 1999 infected Microsoft Outlook, shutting down mail
servers at companies such as Microsoft, Intel, Lockheed Martin and Lucent
and causing $400 million in cumulative damages, the costliest in North
America to date.
Attacks on Databases
(Demo Prelude)
Databases such as Oracle and MS SQL are frequently targeted because
they contain large amounts of data.
SQL injection, buffer overflow, heap overflow and code injection are
some of the common attacks.
Default passwords can easily be stolen from an Oracle database by
querying the dba_users table.
Though the passwords are hashed, they can be cracked and displayed
in clear text in most cases.
Demo
(Combination of a dictionary and brute force attack on an Oracle DB)
Users in an Oracle database are authenticated by recomputing the hash
and comparing it with the value stored in the password column of dba_users.
A user who can obtain all the hashed passwords can compare them with the
hashes of the words in one or more dictionaries, resulting in a clear-text
view of the password.
Oracle itself (as of Jan 2006) provides an Excel sheet containing all the
default passwords for locked and unlocked accounts in Oracle databases.
Any user can locate and view all the default passwords in a database,
thereby increasing the risk.
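An added example (not from the slides) that turns the comparison described above into a defender-side audit: it flags accounts whose stored hash equals the hash of a published default password, and shows why a salted, slow hash defeats the same bulk comparison. The hash functions are stand-ins and not Oracle's password algorithm; all account rows and "default" passwords are constructed.

```python
# Added example (not from the slides): audit for accounts still on default
# passwords, then the salted store that the dictionary comparison cannot reach.
# legacy_hash/salted_hash are stand-ins, NOT Oracle's algorithm; rows and the
# default list are constructed.
import hashlib
import os

def legacy_hash(password: str) -> str:
    """Unsalted, fast hash: equal passwords give equal hashes across all accounts."""
    return hashlib.sha1(password.encode()).hexdigest()

def salted_hash(password: str, salt: bytes) -> str:
    """Per-account salt and a slow KDF: one precomputed dictionary fits no one."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000).hex()

# Constructed stand-in for a vendor's published default-password list.
DEFAULT_PASSWORDS = ["vendor-default-1", "vendor-default-2", "vendor-default-3"]

# Constructed rows in the shape (username, stored_hash, account_status).
USER_ROWS = [
    ("APP_ADMIN", legacy_hash("vendor-default-1"), "OPEN"),
    ("REPORTING", legacy_hash("vendor-default-2"), "LOCKED"),
    ("BATCH", legacy_hash("chosen-by-the-owner"), "OPEN"),
    ("LEGACY", legacy_hash("vendor-default-3"), "OPEN"),
]

def accounts_on_default_passwords(rows, defaults=DEFAULT_PASSWORDS) -> list:
    """Return (username, status) for accounts still on a default; OPEN ones first,
    because an open account on a default password is the immediate risk."""
    known = {legacy_hash(p) for p in defaults}   # one hash per default, computed once
    hits = [(user, status) for user, stored, status in rows if stored in known]
    return sorted(hits, key=lambda h: (h[1] != "OPEN", h[0]))

def salted_store_defeats_precomputation(defaults=DEFAULT_PASSWORDS) -> bool:
    """With a random salt per account, a dictionary hashed without that salt
    matches nothing, so the bulk comparison from the demo no longer works."""
    salt = os.urandom(16)
    stored = salted_hash("vendor-default-1", salt)
    precomputed = {salted_hash(p, b"not-the-real-salt") for p in defaults}
    return stored not in precomputed
```

The same audit is the check a DBA would schedule after loading the vendor's default list, paired with the lockout policy and default-password ban from the Additional Countermeasures slide.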
References
MSDN – Threats, Causes and Breakage
http://msdn.microsoft.com/library/default.asp?url=/library/enus/dnpag2/html/tmwaglance.asp
Wikipedia – Security Threats and Exploits
http://en.wikipedia.org/wiki/Category:Security_exploits
http://en.wikipedia.org/wiki/Computer_insecurity
http://en.wikipedia.org/wiki/Computer_fraud_case_studies
United States Government – Department of Defense (DITSCAP)
http://iase.disa.mil/ditscap/DITSCAP.html
Practical Threat Analysis – Dealing with Threats
http://www.securitydocs.com/library/2848