Why The Security You Bought Yesterday, Won’t Save You Today


Academic year: 2021

(1)

Why The Security You Bought Yesterday, Won’t Save You Today

Ian Robertson – Director of Information Security
Michael Gough – Sr. Risk Analyst

9th Annual Courts and Local

(2)

About Us

Ian Robertson - CISSP, CCNP

www.cybersecurityguy.com

ian@cybersecurityguy.com

Michael Gough - CISSP, CISA

www.HackerHurricane.com

(3)

Agenda

• Common Attacks Today
• Typical Network Security Controls
• Why the Typical Controls Won’t Work Against Today’s Common Attacks
  – Why The Security You Bought Yesterday Won’t Save You Today
• What You Can Do To Shore Up Your Defenses
  – Many for Little or No Money!

(4)

Agenda

• Common Attacks Today
• Typical Network Security Controls
• Why the Typical Controls Won’t Work Against Today’s Common Attacks
  – Why The Security You Bought Yesterday Won’t Save You Today
• What You Can Do To Shore Up Your Defenses

(5)

Security Research and Statistics

HackerHurricane.com 5

• Verizon Data Breach Report

• PandaLabs Reports

(6)

Breach Threats

Chart – share of records breached, by threat agent and threat action (Verizon Data Breach Report):

• External Agents 98%
• Hacking 94%
• Malware 94%
• Internal Agents 3%
• Misuse 3%
• Social 3%
• Error 1%
• Partner Agents 1%
• Physical* 1%

(7)

Breach Threat Vectors


Chart – Top Hacking and Malware Vectors by % Records Breached:

• SQL Injection 89%
• Web Drive-By Downloads 19%
• Web User-Initiated Exploit 9%

(8)
(9)

Who’s Behind It?


• Highly motivated

• Has time and resources

• Wants what you have

(10)

What Do They Want?

• Anything they can use to get

or make money

– Financial Accounts

– Sensitive Personal Information

– Confidential Records

(11)

Who’s Discovering It?

(12)

How Long Does It Take to Discover?

(13)

How Long Does It Take to Discover?

156 Days on Average

(14)

But Don’t We Have Logs?

• Absolutely!
• Useful for SQL Injection
• Less useful for malware
• Not really being leveraged – who wants to look at them?

(15)

Typical Attacks Today

• Organized Crime for Financial Gain

• SQL Injection

• User Web-Based Attacks

• USB Flash Drives

• We Aren’t Catching Them (Until It’s Too Late)

(16)

Agenda

• Common Attacks Today
• Typical Network Security Controls
• Why the Typical Controls Won’t Work Against Today’s Common Attacks
  – Why The Security You Bought Yesterday Won’t Save You Today
• What You Can Do To Shore Up Your Defenses

(17)

Typical Network Security Controls

• Firewall

• Intrusion Detection/Prevention System

• Web Filter

• SPAM Blocker (SMTP E-mail Gateway)

• Anti-Virus (Anti-Malware)

• Account Passwords (Old School)

(18)

Typical Network Security Controls

• Firewall
  – Allows only certain traffic to come into and go out of your network from/to the Internet
  – Typically allows web, email and DNS in/out of your network from/to the Internet
• Intrusion Detection/Prevention System
  – Monitors your network traffic for suspicious activity

(19)

Typical Network Security Controls

• Web Filter
  – Blocks websites based upon categorical filter (gambling, sex, social websites, etc.)
  – Typically blocks websites that would violate HR policies
• SPAM Blocker
  – Blocks e-mail based upon keywords (e.g. v!agra), sender info, block list, or heuristic analysis
  – Typically blocks incoming e-mail at the Internet perimeter (SMTP e-mail gateway)

(20)

Typical Network Security Controls

• Anti-Malware
  – Blocks software which is identified in a signature database from running
  – Typically scans for signature patterns when files are accessed, with full scans on occasion.
• Account Passwords
  – Allows authorized users to log in

(21)

Typical Network Security Controls from a Hacker’s Perspective

Diagram: Perimeter Controls (Firewall, IDS, Web Filter, SPAM Blocker) → Internal Controls (Anti-Malware) → Your Data

(22)

Agenda

• Common Attacks Today
• Typical Network Security Controls
• Why the Typical Controls Won’t Work Against Today’s Common Attacks
  – Why The Security You Bought Yesterday Won’t Save You Today
• What You Can Do To Shore Up Your Defenses

(23)

SQL Injection Attacks

• Involves tricking a web application into executing database commands it wasn’t intended to by using user-input form fields.

(24)

SQL Injection Example

SELECT FIRST_NAME, LAST_NAME, ADDRESS FROM

(25)

SQL Injection Example

SELECT FIRST_NAME, LAST_NAME, ADDRESS FROM MASTER_DATABASE WHERE LAST_NAME = '*';--' AND RECORD_TYPE = 'PUBLIC';

(The form field supplied the text after LAST_NAME = ': the closing quote ends the string, the semicolon ends the statement, and -- turns the rest of the intended query, including the RECORD_TYPE = 'PUBLIC' restriction, into a comment.)
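The slide shows the query text after injection but not the two sides of the fix. The script below is an added example, not code from the deck or its authors: it reproduces the deck's query over a constructed in-memory SQLite table (table and column names are taken from the slide; the rows and the lookup functions are ours), builds the statement by string concatenation the way a vulnerable form handler does, and beside it runs the same lookup with a bound parameter. The input uses the slide's closing-quote-plus-comment shape so you can see the RECORD_TYPE filter disappear in one case and survive in the other.

```python
import sqlite3

# Constructed sample data standing in for the deck's MASTER_DATABASE table
# (the rows, and the existence of a CONFIDENTIAL record, are our assumption).
SAMPLE_ROWS = [
    ("Alice", "Smith", "1 Main St", "PUBLIC"),
    ("Bob", "Smith", "2 Main St", "CONFIDENTIAL"),
    ("Carol", "Jones", "3 Main St", "PUBLIC"),
]


def make_db():
    """Create an in-memory database populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE MASTER_DATABASE ("
        "FIRST_NAME TEXT, LAST_NAME TEXT, ADDRESS TEXT, RECORD_TYPE TEXT)"
    )
    conn.executemany("INSERT INTO MASTER_DATABASE VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def build_query_vulnerable(last_name):
    """Build the SQL text by concatenating the form field, as the deck describes."""
    return (
        "SELECT FIRST_NAME, LAST_NAME, ADDRESS FROM MASTER_DATABASE "
        "WHERE LAST_NAME = '" + last_name + "' AND RECORD_TYPE = 'PUBLIC';"
    )


def lookup_vulnerable(conn, last_name):
    """Vulnerable lookup: whatever the user typed is parsed as part of the SQL."""
    return conn.execute(build_query_vulnerable(last_name)).fetchall()


def lookup_parameterized(conn, last_name):
    """Hardened lookup: the input is bound as a value and can never become SQL."""
    return conn.execute(
        "SELECT FIRST_NAME, LAST_NAME, ADDRESS FROM MASTER_DATABASE "
        "WHERE LAST_NAME = ? AND RECORD_TYPE = 'PUBLIC';",
        (last_name,),
    ).fetchall()


if __name__ == "__main__":
    conn = make_db()
    # Same shape as the slide's input: close the quote, end the statement,
    # comment out the RECORD_TYPE restriction that follows.
    injected = "Smith';--"
    print(build_query_vulnerable(injected))
    print("vulnerable:    ", lookup_vulnerable(conn, injected))     # public AND confidential rows
    print("parameterized: ", lookup_parameterized(conn, injected))  # no row has that literal name
```

The parameterized version is action item 2B on the later slides ("have developers re-write the code"); the vulnerable version is what item 2C's log monitoring should catch when the database starts reporting syntax errors from malformed inputs.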

(26)

SQL Injection vs. Common Controls

• Firewall – X: Access is allowed to your web application.
• Intrusion Detection/Prevention System – X: Most won’t detect this, and those that do generate nearly constant alerts and are ignored. Most are completely blind to HTTPS websites.
• Web Filter – X: Access is allowed to your web application.
• SPAM Blocker – X: Not e-mail based.
• Anti-Malware – X: Not malware.

(27)

User Web-Based Attacks

• Exploits a vulnerability in software that automatically runs when you browse a website
  – Java, Flash, Acrobat, QuickTime, IE, FireFox…
• Frequently uses 0-Day exploits (new and unknown)
• Exploits are hosted on the attacker’s website or on legitimate, compromised websites
• Legitimate advertising used (big $’s involved – organized crime)
• Initial download grabs other malware after the initial infection (which is what your anti-virus is often detecting, if anything)
• 100% User initiated – result of user clicking/browsing

(28)

User Web-Based Attacks vs. Common Controls

• Firewall – X: Users are allowed to access websites through the firewall.
• Intrusion Detection/Prevention System – X: Looks like normal web browsing and doesn’t have signatures for new malware. Most are completely blind to HTTPS websites.
• Web Filter – X: Approved sites are compromised and hosting malware.
• SPAM Blocker – X: Not e-mail based.
• Anti-Malware – X: Doesn’t detect 0-day malware.

(29)

USB Flash Drives

• USB Flash Drives are easily infected on home and third party computers with lesser security controls
• By default, Windows XP and Vista will automatically execute files when they are plugged in (Windows 7 default is disabled)
• Executes using the logged-in user permissions
• Known to have been intentionally planted to gain access to systems
  – Would your users pick them up and plug them in? Show of hands!

(30)

USB Flash Drives vs. Common Controls

• Firewall – X: The firewall doesn’t see this as it’s not network-based.
• Intrusion Detection/Prevention System – X: The IDS doesn’t see this as it’s not network-based. Host-based IDS/IPS aren’t likely to have signatures for it.
• Web Filter – X: The web filter doesn’t see this as it’s not network-based.
• SPAM Blocker – X: Not e-mail based.
• Anti-Malware – ?: Doesn’t detect 0-day malware. May detect “older” malware.

(31)

Agenda

• Common Attacks Today
• Typical Network Security Controls
• Why the Typical Controls Won’t Work Against Today’s Common Attacks
  – Why The Security You Bought Yesterday Won’t Save You Today
• What You Can Do To Shore Up Your Defenses
  – Many for Little or No Money!

(32)

SQL Injection – What To Do

• Find out where your weaknesses are

• Fix and/or monitor them (in priority order)

• Prevent future coding errors from getting introduced

(33)

SQL Injection – Action Plan

1. Find out where your weaknesses are.
  A. Make a list of your applications that are Internet-facing and use database credentials that allow them to access Sensitive Personal Information.
  B. Use security professionals to perform penetration tests against these applications.
  C. Check the password recovery/reset functionality on these applications to see if they can be easily recovered/reset.

(34)

SQL Injection – Action Plan

2. Fix and/or monitor them (in priority order)
  A. Remove unnecessary access to the SPI if the application doesn’t need it by changing database credentials and permissions (easiest)
  B. Have developers re-write the code
  C. Log, alert and respond to critical messages (SQL syntax errors, administrator account login failures, etc.)
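Item 2C is the "little or no money" control, and the earlier slide admits the logs exist but nobody looks at them. The script below is an added example, not the deck's or the authors' code, of the minimum that turns those two critical messages into alerts: it scans constructed web-application and authentication log lines (our own sample, in a format we invented for the example) for database syntax errors tied to a request URL, and counts failed logins against administrative accounts per source, alerting at a threshold of three (our assumption). Both functions return their alerts so a scheduler or SIEM hook can act on them.

```python
import re
from collections import Counter

# Constructed sample log lines (ours, not from the deck). The first block
# imitates an application log that records database errors with the request
# that caused them; the second imitates an authentication log.
SAMPLE_LOG = """\
2010-05-03 10:01:12 app  INFO  GET /records?last_name=Smith 200
2010-05-03 10:01:15 app  ERROR DB error: syntax error near "--" in query for /records?last_name=Smith%27%3B--
2010-05-03 10:01:16 app  ERROR DB error: unterminated quoted string in query for /records?last_name=%27
2010-05-03 10:02:01 auth WARN  login failed user=administrator src=203.0.113.7
2010-05-03 10:02:03 auth WARN  login failed user=administrator src=203.0.113.7
2010-05-03 10:02:05 auth WARN  login failed user=administrator src=203.0.113.7
2010-05-03 10:02:07 auth WARN  login failed user=jdoe src=198.51.100.4
2010-05-03 10:03:00 app  INFO  GET /records?last_name=Jones 200
"""

SQL_ERROR_RE = re.compile(r"DB error: (?P<msg>.*?) in query for (?P<url>\S+)")
LOGIN_FAIL_RE = re.compile(r"login failed user=(?P<user>\S+) src=(?P<src>\S+)")
ADMIN_ACCOUNTS = {"administrator", "admin", "sa", "root"}  # assumption: site-specific list
ADMIN_FAIL_THRESHOLD = 3  # assumption: three failures from one source is worth a call


def find_sql_errors(lines):
    """Every database syntax/parse error is critical: a well-formed application
    never produces one, so each is either a bug or someone probing the form."""
    alerts = []
    for line in lines:
        m = SQL_ERROR_RE.search(line)
        if m:
            alerts.append(("sql_error", m.group("msg"), m.group("url")))
    return alerts


def find_admin_login_failures(lines, threshold=ADMIN_FAIL_THRESHOLD):
    """Count failed logins to administrative accounts per source address and
    raise one alert per (account, source) pair that reaches the threshold."""
    counts = Counter()
    for line in lines:
        m = LOGIN_FAIL_RE.search(line)
        if m and m.group("user").lower() in ADMIN_ACCOUNTS:
            counts[(m.group("user"), m.group("src"))] += 1
    return [
        ("admin_login_failures", user, src, n)
        for (user, src), n in counts.items()
        if n >= threshold
    ]


def analyze(log_text):
    """Run both detectors over a log and return the combined alert list."""
    lines = log_text.splitlines()
    return find_sql_errors(lines) + find_admin_login_failures(lines)


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

The regexes are tied to the constructed format; adapting the example to a real application means pointing them at the error text your database driver actually emits and at your own authentication log's field names, which is the only real work in standing this up.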

(35)

SQL Injection – Action Plan

3. Prevent future coding errors from getting introduced
  A. Train developers on secure code development (Google, local OWASP chapter, and OWASP resources, SANS courses, Austin BSides and LASCON conferences)
  B. Ensure database administrators are assigning unique accounts with limited privileges for each application
  C. Implement a code review process to include security
  D. Have developers perform security testing as part of code unit testing (IBM AppScan, HP WebInspect, FindBugs, manual, etc.)
  E. Have security professionals perform penetration testing prior to production implementation

(36)

SQL Injection – Action Plan

4. Test on a regular basis.

A. Have security professionals perform penetration

testing of all your Internet-facing web

(37)

User Web-Based Attacks – What You Should Do

• Find out where your weaknesses are

• Fix your weaknesses

• Prevent future infections

(38)

User Web-Based Attacks – Action Plan

1. Find out where your weaknesses are
  A. Perform a full malware scan on all your systems and identify those that are infected
  B. Maintain an accurate hardware and software inventory for every machine on your network
  C. Make a list of all the web-executable software you have (Java, QuickTime, Adobe Reader, Flash, RealPlayer, etc.)
  D. Identify all users who have Administrative privileges
  E. Identify all the categories of websites that are

(39)

User Web-Based Attacks – Action Plan

2. Fix your weaknesses
  A. Re-image any computer which is suspected or confirmed to have an infection – no exceptions!
  B. Patch all web-executable software immediately
  C. Remove Administrative rights from user accounts (as much as possible)
  D. Block websites that aren’t needed for business purposes (especially advertising sites)
  E. Limit users’ time on the web
  F. Harden your systems (start with the Federal Desktop Core Configuration standard – USGCB or CIS)

(40)

User Web-Based Attacks – Action Plan

3. Prevent future infections
  A. Perform routine full malware scans on all your systems
  B. Monitor security and vendor mailing lists for vulnerabilities, workarounds and patches and apply them immediately (absolutely no less than once a month)
  C. Harden all systems before they are ever deployed
  D. Don’t deploy new users with Administrative privileges (unless you must)
  E. Consider using FireFox and/or Chrome browsers w/ add-ons such as NoScript and AdBlock (requires user training)
  F. Train users to avoid clicking on bad links (bad search results, spoofed links) –

(41)

USB Flash Drives – What You Should Do

Follow the User Web-Based Action Plan items, plus…

4. Disable AutoRun/AutoPlay on all of your Windows systems (part of system hardening)
5. Identify all users who require the use of USB Flash Drives.
6. Disable the USB ports for all users who don’t (a Windows registry key)
7. Provide all those who do with an encrypted flash drive (e.g. IronKey)
8. Implement a policy prohibiting the use of personal flash drives in your organization’s computers, and vice-versa
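Items 4 and 6 are both registry settings, and the deck only says "a Windows registry key". The script below is an added example, not the deck's or the authors' code, of auditing those two settings from a `reg export` text file so the check can run across a fleet without touching each machine interactively. The key paths and the meaning of the values are standard Windows behaviour and are our addition, not the deck's: `NoDriveTypeAutoRun` under the Explorer policies key set to `0xFF` disables AutoRun for every drive type, and the `USBSTOR` service's `Start` value set to `4` (disabled) prevents the USB mass-storage driver from loading. The sample export is constructed to show one setting in place and one missing.

```python
import re

# Constructed sample: the text a "reg export" of the two relevant keys would
# produce. The values are ours, chosen so that AutoRun passes and USBSTOR fails.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:000000ff

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR]
"Type"=dword:00000001
"Start"=dword:00000003
"""

# Standard Windows locations for the two hardening settings (our addition;
# the deck only refers to "a Windows registry key").
AUTORUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
USBSTOR_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR"

DWORD_RE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<hex>[0-9a-fA-F]{8})$')


def parse_reg_export(text):
    """Parse a .reg export into {key_path: {value_name: int}}.

    Only DWORD values are kept, which is all this audit needs; other value
    types on the same keys are ignored rather than mis-parsed."""
    result = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            result.setdefault(current, {})
            continue
        m = DWORD_RE.match(line)
        if m and current is not None:
            result[current][m.group("name")] = int(m.group("hex"), 16)
    return result


def audit_usb_hardening(reg):
    """Return {check_name: bool}; True means the hardening setting is in place.

    A missing value is treated as the Windows default, which fails the check:
    AutoRun is not fully disabled unless the policy value is present, and the
    USBSTOR service defaults to Start=3 (loads on demand)."""
    autorun = reg.get(AUTORUN_KEY, {}).get("NoDriveTypeAutoRun", 0)
    usbstor_start = reg.get(USBSTOR_KEY, {}).get("Start", 3)
    return {
        # 0xFF disables AutoRun on every drive type, removable USB drives included
        "autorun_disabled_all_drives": autorun == 0xFF,
        # Start=4 is SERVICE_DISABLED: the USB mass-storage driver never loads
        "usb_storage_disabled": usbstor_start == 4,
    }


if __name__ == "__main__":
    findings = audit_usb_hardening(parse_reg_export(SAMPLE_REG_EXPORT))
    for check, ok in findings.items():
        print(f"{check}: {'PASS' if ok else 'FAIL'}")
```

Disabling USBSTOR is the blunt form of item 6 and must be scoped to the users identified in item 5; the audit is deliberately read-only so it can be run against exports collected from every machine before any change is pushed.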

(42)

In Closing…

You now know the major issues…

…and how to fix them

…in priority order

…some for little or no money.

So it’s up to you.

(43)

Q & A

This presentation, along with other valuable

security tips, can be found at:

www.HackerHurricane.com
