
Intelligent Cyber security for the Real World


Presentation Transcript


  1. Intelligent Cyber security for the Real World Ismeet Singh PSE - Security March 10, 2014

  2. Changing Applications and Devices
     • Blurred distinction between personal and productive

  3. What is cyber security?
     • Cyber security standards are security standards that enable organizations to practice safe security techniques and so minimize the number of successful cyber security attacks.
     • Cyber security refers to the technologies and processes designed to protect computers, networks and data from unauthorized access, vulnerabilities and attacks delivered via the Internet by cyber criminals.
     • Cyber security therefore matters for network, data and application security alike.

  4. What is…?
     • Communication security: protecting an organization's communication media, technology, and content.
     • Network security: the protection of networking components, connections and content.
     • Information security: the protection of information and its critical elements, including the systems and hardware that use, store or transmit that information.

  5. History
     • The first recorded cyber crime dates from the year 1820.
     • The first spam email was sent in 1978 over the Arpanet.
     • The first virus was installed on an Apple computer in 1982.

  6. Some Types of Attacks
     • What are some common attacks?
       • Network attacks: packet sniffing, man-in-the-middle, DNS hacking
       • Web attacks: phishing, SQL injection, cross site scripting
       • OS, application and software attacks: virus, Trojan, worms, rootkits, buffer overflow
       • Social engineering (NOT social networking)
     • Not all hackers are evil wrongdoers trying to steal your info: ethical hackers, consultants, penetration testers, researchers
     Need to know: networking, web programming, operating systems, programming languages and compilers.

  7. Network Attacks

  8. Attacks on the Protocol Stack

  9. Network Attacks
     • Packet sniffing
       • Internet traffic consists of data “packets”, and these can be “sniffed”
       • Leads to other attacks such as password sniffing, cookie stealing, session hijacking and information stealing
     • Man in the middle
       • Insert a router in the path between client and server, and change the packets as they pass through
     • DNS hijacking
       • Insert malicious routes into DNS tables to send traffic for genuine sites to malicious sites
     Need to know: networking protocols, routing, TCP/IP

  10. Application & Web Attacks

  11. Web Attacks
     • Phishing
       • An evil website pretends to be a trusted website
       • Example: you type, by mistake, “mibank.com” instead of “mybank.com”; mibank.com designs its site to look like mybank.com, so the user types in their info as usual. BAD! Now an evil person has your info!
     • SQL injection
       • Interesting video showing an example
     • Cross site scripting
       • Writing a complex JavaScript program that steals data left by other sites that you have visited in the same browsing session
     Need to know: web programming, JavaScript, SQL

  12. OWASP Top 10 Security Vulnerabilities
     1. Cross Site Scripting (XSS): XSS flaws occur whenever an application takes user-supplied data and sends it to a web browser without first validating or encoding that content. XSS allows attackers to execute script in the victim's browser, which can hijack user sessions, deface web sites, possibly introduce worms, etc.
     2. Injection Flaws: Injection flaws, particularly SQL injection, are common in web applications. Injection occurs when user-supplied data is sent to an interpreter as part of a command or query. The attacker's hostile data tricks the interpreter into executing unintended commands or changing data.
     3. Malicious File Execution: Code vulnerable to remote file inclusion (RFI) allows attackers to include hostile code and data, resulting in devastating attacks, such as total server compromise. Malicious file execution attacks affect PHP, XML and any framework which accepts filenames or files from users.
     4. Insecure Direct Object Reference: A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, database record, or key, as a URL or form parameter. Attackers can manipulate those references to access other objects without authorization.
     5. Cross Site Request Forgery (CSRF): A CSRF attack forces a logged-on victim's browser to send a pre-authenticated request to a vulnerable web application, which then forces the victim's browser to perform a hostile action to the benefit of the attacker. CSRF can be as powerful as the web application that it attacks.
     6. Information Leakage and Improper Error Handling: Applications can unintentionally leak information about their configuration or internal workings, or violate privacy, through a variety of application problems. Attackers use this weakness to steal sensitive data or conduct more serious attacks.
     7. Broken Authentication and Session Management: Account credentials and session tokens are often not properly protected. Attackers compromise passwords, keys, or authentication tokens to assume other users' identities.
     8. Insecure Cryptographic Storage: Web applications rarely use cryptographic functions properly to protect data and credentials. Attackers use weakly protected data to conduct identity theft and other crimes, such as credit card fraud.
     9. Insecure Communications: Applications frequently fail to encrypt network traffic when it is necessary to protect sensitive communications.
     10. Failure to Restrict URL Access: Frequently, an application only protects sensitive functionality by preventing the display of links or URLs to unauthorized users. Attackers can use this weakness to access and perform unauthorized operations by accessing those URLs directly.

  13. OWASP Top 1: Cross Site Scripting
     • What is Cross Site Scripting?
       • In its simplest form, it is a process that can occur anywhere a web application uses input from a malicious user to generate output without validating or encoding the input.
       • During a Cross Site Scripting attack, a malicious source sends a script that is executed by the end user's browser. It allows attackers to embed code from one web page into another by changing its HTML code.
       • It has been used to deface web sites, conduct phishing attacks, or take over a user's browser and force it to execute commands the user is unaware of.
       • Cross Site Scripting attacks usually come in the form of JavaScript; however, any active content poses a potential danger.
     • Prevention
       • Validate the user's input against what is expected
       • Encode user-supplied output
       • After you believe you have done the right things during code development, inspect your code with a scan.

  14. OWASP Top 2: Injection Flaws (SQL Injection)
     • What is SQL Injection?
       • SQL injection is the actual injection of SQL commands into web applications through user input fields.
       • When an application uses internal SQL commands and also accepts user input (for example on a login screen), SQL commands can be injected that create, read, update, or delete any data available to the application.
     • Prevention
       • You can put tight constraints on user inputs, but the best method of preventing SQL injection is to avoid dynamically generated SQL in your code. Instead use stored or canned procedures.
       • And then again, run a scan to make sure your application is not vulnerable to SQL injection.
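The slide's advice to avoid dynamically generated SQL, shown as an added example that is not part of the deck: a login check built by string concatenation beside the same check using bound parameters (the parameterized-query form of "don't build SQL from user text", which is my choice of mitigation rather than the stored procedures the slide names). The table, rows and credentials are constructed, and the plaintext password column exists only to keep the demo short.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build an in-memory users table with constructed sample rows.
    Passwords are stored in clear only to keep the demo short; real systems
    store salted, slow hashes (see the password attacks slide)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "correct horse"), ("bob", "hunter2")])
    return conn


def login_dynamic_sql(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """VULNERABLE (the pattern the slide tells you to avoid): the user's text
    is spliced into the SQL, so quote characters in the input change the
    structure of the statement instead of being compared as data."""
    query = (f"SELECT COUNT(*) FROM users WHERE username = '{username}' "
             f"AND password = '{password}'")
    return conn.execute(query).fetchone()[0] > 0


def login_parameterized(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """SAFE: the SQL text is a constant; the values travel separately as
    bound parameters and are never parsed as SQL, whatever they contain."""
    query = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()[0] > 0


def dynamic_sql_breaks_on_apostrophe(conn: sqlite3.Connection) -> bool:
    """The same flaw is also a plain correctness bug: a legitimate value
    containing an apostrophe makes the concatenated statement unparsable.
    Returns True when the dynamic version raises on such input."""
    try:
        login_dynamic_sql(conn, "o'brien", "anything")
    except sqlite3.OperationalError:
        return True
    return False


# Textbook injection input, used here only to contrast the two functions.
TAUTOLOGY = "' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print("dynamic SQL accepts injected password:", login_dynamic_sql(db, "alice", TAUTOLOGY))
    print("parameterized accepts injected password:", login_parameterized(db, "alice", TAUTOLOGY))
    print("dynamic SQL errors on o'brien:", dynamic_sql_breaks_on_apostrophe(db))
```

The parameterized version accepts the real password and rejects the tautology because the driver binds the value as a string literal; it also handles the apostrophe case without error, which is why parameterization is a correctness fix as well as a security fix.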

  15. OWASP Top 3: Malicious File Execution
     • What is Malicious File Execution?
       • When developers program applications to use input files provided by the user and the bad guy is the one supplying the file, a malicious file is executed unknowingly: this is malicious file execution.
       • Malicious file execution attacks can occur any time the application accepts filenames or files from a user.
       • When these files are executed, they can be used to do just about anything, from stealing data to taking over the entire system.
     • Prevention
       • Strongly validate user input using "accept known good" as a strategy, or isolate incoming files and check their legitimacy before executing them.
       • Disable certain PHP commands: I suggest that you visit the OWASP website to see which commands to disable.
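The two defences the XSS slide names (validate input, encode output) and the "accept known good" strategy this slide names for filenames, as one added example that is not part of the deck. The username rule, the template allowlist and the `/srv/app/templates` directory are constructed for the demo; `contained_in` is an extra defence-in-depth check of my own that the slides do not mention.

```python
import html
import posixpath
import re
from typing import Optional

# Accept-known-good rule for a username: only these characters, 1 to 32 of
# them. The policy itself is constructed for this demo.
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")


def valid_username(name: str) -> bool:
    """Validate on input: reject anything outside the expected alphabet."""
    return USERNAME_RE.fullmatch(name) is not None


def greeting_unsafe(name: str) -> str:
    """VULNERABLE: user text is copied into HTML, so markup in it is rendered
    as markup and script in it runs in the viewer's browser."""
    return f"<p>Hello, {name}!</p>"


def greeting_safe(name: str) -> str:
    """Encode on output: &, <, >, and quotes become entities, so the browser
    displays the text instead of interpreting it."""
    return f"<p>Hello, {html.escape(name, quote=True)}!</p>"


# Accept-known-good for files: a fixed set of template names (constructed)
# under a hypothetical directory. The client never supplies a path.
TEMPLATE_DIR = "/srv/app/templates"
ALLOWED_TEMPLATES = {"welcome", "invoice", "report"}


def resolve_template(requested: str) -> Optional[str]:
    """Map a client-supplied name to a file only if it is in the allowlist;
    the raw value is never used as a path component."""
    if requested not in ALLOWED_TEMPLATES:
        return None
    return posixpath.join(TEMPLATE_DIR, requested + ".html")


def contained_in(base_dir: str, candidate: str) -> bool:
    """Defence in depth: after normalising '..' segments, the candidate path
    must still lie inside base_dir. Relative candidates are joined to base."""
    base = posixpath.normpath(base_dir)
    target = posixpath.normpath(posixpath.join(base, candidate))
    return posixpath.commonpath([base, target]) == base


if __name__ == "__main__":
    probe = "<script>alert(1)</script>"
    print(greeting_unsafe(probe))
    print(greeting_safe(probe))
    print(valid_username("alice_01"), valid_username(probe))
    print(resolve_template("invoice"), resolve_template("../../etc/passwd"))
    print(contained_in(TEMPLATE_DIR, "../../etc/passwd"))
```

Validation and encoding are complementary: the allowlist stops unexpected input at the boundary, while output encoding protects every place the value is later written into HTML, including data that arrived through another path.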

  16. OS and Software Attack

  17. Virus
     • Definition
       • A piece of code that automatically reproduces itself. It is attached to other programs or files, but requires user intervention to propagate.
     • Infection (targets/carriers)
       • Executable files
       • Boot sectors
       • Documents (macros), scripts (web pages), etc.
     • Propagation is carried out by the user; the mechanisms are storage media, mail, downloaded files or shared folders.
     (Diagram: Infection, Propagation, Payload)
     Need to know: computer architecture, programming

  18. Worm
     • Definition
       • A piece of code that automatically reproduces itself over the network. It does not need user intervention to propagate (autonomous).
     • Infection
       • Via buffer overflow, file sharing, configuration errors and other vulnerabilities.
     • Target selection algorithm
       • Email addresses, DNS, IP, network neighborhood
     • Payload
       • Malicious programs: backdoor, DDoS agent, etc.
     (Diagram: Infection, Propagation engine, Target selection algorithm, Scanning engine, Payload)

  19. Backdoor, trojan, rootkits
     • Goal
       • The goal of backdoors, Trojans and rootkits is to keep possession of a machine after an infection, through a backdoor.
     • Backdoor
       • A backdoor is a program placed by a black-hat hacker that allows him to access a system. A backdoor can have many functionalities, such as keyboard sniffing, display spying, etc.
     • Trojan
       • A Trojan is software that seems useful or benign, but is actually hiding malicious functionality.
     • Rootkits (the ultimate virus)
       • Rootkits operate like backdoors and Trojans, but also modify existing programs in the operating system. That allows a black-hat hacker to control the system without being detected. A rootkit can be in user mode or in kernel mode.

  20. Key Loggers
     • Records every keystroke
     • Some models can capture screenshots
     • Monitor IM, chat, and ICQ messages
     • Monitor web surfing and AOL activity
     • Can be software or hardware!

  21. Can You Identify The Spy?

  22. Social Engineering

  23. Social Engineering *http://bash.org/?244321

  24. Social Engineering
     • Why is this social engineering?
       • Manipulating a person or persons into divulging confidential information
     • I am not dumb, so does this really apply to me?
       • YES! Attackers are ALSO not dumb.
       • Social engineers are coming up with much better and much more elaborate schemes to attack users.
       • Even corporate executives can be tricked into revealing VERY secret info
     • What can I do to protect myself?
       • NEVER give out your password to ANYBODY.
       • Any system administrator should have the ability to change your password without having to know the old password
     Need to know: how to win friends (victims) and influence (scam) people (not CS).

  25. Password Attacks
     • Password guessing
       • Ineffective except in targeted cases
     • Dictionary attacks
       • Passwords are stored in computers as hashes, and these hashes can sometimes get exposed
       • Check all known words against the stored hashes
     • Rainbow tables
       • Trade off storage and computation: uses a large number of pre-computed hashes without needing a dictionary
       • An innovative algorithm that can find passwords fast!
       • e.g. 14-character alphanumeric passwords are found in about 4-10 minutes of computing using a 1GB rainbow table
     Need to know: data structures, algorithms, cryptography
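Why the dictionary and rainbow-table attacks above work against exposed hashes, and what storage choice blunts them, as an added example that is not part of the deck. Both attacks rely on computing a hash once and reusing it against every leaked hash; a per-user random salt makes the same password hash to different values for different users, so no shared table can be precomputed, and a deliberately slow key derivation function (PBKDF2 here) raises the cost of every remaining guess. The word list, passwords and salts are constructed for the demo.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional

WORDLIST: List[str] = ["password", "letmein", "qwerty", "dragon", "football"]  # constructed
ITERATIONS = 100_000  # PBKDF2 work factor; tune to your hardware budget


def precomputed_table(words: List[str]) -> Dict[str, str]:
    """What a dictionary or rainbow-table lookup boils down to: hashes of
    candidate words computed once, then reused against every leaked hash.
    A rainbow table stores chains instead of every hash, but the reuse is
    the same and so is the defence."""
    return {hashlib.sha256(w.encode()).hexdigest(): w for w in words}


def unsalted_hash(password: str) -> str:
    """Weak storage: fast and unsalted, so every user with this password
    stores the same value, and one table serves every leaked database."""
    return hashlib.sha256(password.encode()).hexdigest()


def lookup(table: Dict[str, str], stored_hash: str) -> Optional[str]:
    """Reversing a weak hash costs one dictionary lookup, no hashing at all."""
    return table.get(stored_hash)


def new_salt() -> bytes:
    """16 random bytes, generated per user at password-set time."""
    return os.urandom(16)


def salted_hash(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Stronger storage: per-user random salt plus a slow KDF. The salt is
    stored next to the hash; it is not secret, only unique."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def verify(password: str, salt: bytes, stored: bytes, iterations: int = ITERATIONS) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(salted_hash(password, salt, iterations), stored)


def salted_hashes_differ(password: str) -> bool:
    """Two users with the same password get different stored values, so a
    table keyed on the password cannot be built in advance."""
    return salted_hash(password, new_salt()) != salted_hash(password, new_salt())


if __name__ == "__main__":
    table = precomputed_table(WORDLIST)
    print("unsalted sha256 of 'qwerty' reversed to:", lookup(table, unsalted_hash("qwerty")))
    print("same password, two salts, different hashes:", salted_hashes_differ("qwerty"))
    salt = new_salt()
    stored = salted_hash("qwerty", salt)
    print("verify right password:", verify("qwerty", salt, stored))
    print("verify wrong password:", verify("dragon", salt, stored))
```

The salted scheme does not stop an attacker from guessing a single weak password like "qwerty"; it removes the precomputation shortcut and forces one slow KDF run per guess per user, which is the property the rainbow-table timing on the slide depends on not having.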

  26. Steganography

  27. Steganography A Picture Can Hide a Million Words
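How a picture hides text, as an added example that is not part of the deck: least-significant-bit (LSB) steganography on a constructed grayscale "image" represented as a flat list of 8-bit pixel values. Each message bit replaces the lowest bit of one pixel, which changes no pixel by more than 1 and is invisible to the eye; the `max_pixel_change` check is the simplest detection when the original cover is available for comparison. The cover pixels and the 4-byte length header are my own construction.

```python
from typing import Iterator, List


def _bits(data: bytes) -> Iterator[int]:
    """Yield the bits of data, most significant bit of each byte first."""
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def capacity_bytes(pixels: List[int]) -> int:
    """One hidden bit per pixel, minus the 4-byte length header."""
    return len(pixels) // 8 - 4


def fits(pixels: List[int], message: bytes) -> bool:
    return len(message) <= capacity_bytes(pixels)


def embed(pixels: List[int], message: bytes) -> List[int]:
    """Write a 4-byte big-endian length, then the message, into the LSBs.
    Every other bit of every pixel is left untouched."""
    if not fits(pixels, message):
        raise ValueError("cover too small for message")
    payload = len(message).to_bytes(4, "big") + message
    out = list(pixels)
    for idx, bit in enumerate(_bits(payload)):
        out[idx] = (out[idx] & 0xFE) | bit
    return out


def _read_bytes(pixels: List[int], start_pixel: int, count: int) -> bytes:
    """Reassemble count bytes from the LSBs starting at start_pixel."""
    result = bytearray()
    for b in range(count):
        value = 0
        for i in range(8):
            value = (value << 1) | (pixels[start_pixel + b * 8 + i] & 1)
        result.append(value)
    return bytes(result)


def extract(pixels: List[int]) -> bytes:
    """Read the length header (32 pixels), then that many message bytes."""
    length = int.from_bytes(_read_bytes(pixels, 0, 4), "big")
    return _read_bytes(pixels, 32, length)


def max_pixel_change(cover: List[int], stego: List[int]) -> int:
    """Cover-vs-stego diff: LSB embedding never moves a pixel by more than 1,
    which is why it is invisible and why a reference copy exposes it."""
    return max(abs(a - b) for a, b in zip(cover, stego))


# Constructed 512-pixel grayscale cover (values 0..255); no real image involved.
COVER: List[int] = [(i * 37) % 256 for i in range(512)]

if __name__ == "__main__":
    stego = embed(COVER, b"hello")
    print("extracted:", extract(stego))
    print("largest pixel change:", max_pixel_change(COVER, stego))
    print("capacity in bytes:", capacity_bytes(COVER))
```

Without the original cover, detection has to fall back on statistics of the LSB plane, since a clean image's lowest bits are rarely as uniformly random as an embedded payload's; that analysis is beyond this example.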

  28. Attack Scenarios

  29. Attack Scenario: Reconnaissance → Gaining Access → Cyber Attack → Taking Control → Covering traces

  30. Hackers Success

  31. More Scareware Spyware Trickery

  32. Malware Development: Well Funded & Devious (commercial spyware developer)

  33. Legitimate email? PHISH

  34. An ‘Anti-Virus’ site: Spyware Increasingly Devious & Sophisticated
     • ‘Free AV’ program is actually a spyware application
     • Covert download and installation begins without any advance warning
     • Closing the window has no effect

  35. Criminal SaaS Offerings Expand: a service dedicated to checking whether a malware executable is detectable by AV engines

  36. The Attacker’s Life is Not Easy: competition is tough

  37. Hacking – Does it Still Pay?
     • When your goods are limited to copied data, how do you maintain value?

  38. Malware Trend

  39. Changing Threat Landscape: countermeasures are less effective
     • 1,111,399 web sites compromised
     • 4 pieces of new malware per second

  40. The Industrialization of Hacking
     (Timeline, 2000 → 2005 → 2010 → Today+: threats progress from viruses, worms and spyware & rootkits to APTs and cyberware; the enterprise response progresses from anti-virus (host) and IDS/IPS (network) to anti-malware (host+network) and intelligence and analytics (host+network+cloud).)

  41. If you knew you were going to be compromised, would you do security differently?

  42. IT’S A CYBER GENERATION NOW DUDE!!!

  43. The New Security Model: the Attack Continuum
     • BEFORE: Discover, Enforce, Harden
     • DURING: Detect, Block, Defend
     • AFTER: Scope, Contain, Remediate
     • Applies across Network, Endpoint, Mobile, Virtual and Cloud; both point-in-time and continuous

  44. Mapping Technologies to the Model
     (Attack Continuum: BEFORE (Discover, Enforce, Harden), DURING (Detect, Block, Defend), AFTER (Scope, Contain, Remediate))
     • Technologies mapped across the continuum: Firewall, Patch Mgmt, IPS, IDS, AMD, App Control, Vuln Mgmt, Antivirus, FPC, Log Mgmt, VPN, IAM/NAC, Email/Web, Forensics, SIEM
     • Visibility and Context underpins all phases

  45. Covering the Entire Attack Continuum
     (Attack Continuum: BEFORE (Discover, Enforce, Harden), DURING (Detect, Block, Defend), AFTER (Scope, Contain, Remediate))
     • Products mapped across the continuum: Firewall, VPN, NGIPS, Advanced Malware Protection, NGFW, UTM, Web Security, Network Behavior Analysis, NAC + Identity Services, Email Security
     • Visibility and Context underpins all phases

  46. Cisco Security Intelligence Operations: Outstanding Cloud-based Global Threat Intelligence
     • 24x7x365 operations
     • 40+ languages
     • More than US$100 million spent on dynamic research and development
     • 600+ engineers, technicians, and researchers
     • 80+ PH.D., CCIE, CISSP, and MSCE users
     • 3- to 5-minute updates
     • 5,500+ IPS signatures produced
     • 8 million+ rules per day
     • 200+ parameters tracked
     • 70+ publications produced
     • 35% of worldwide email traffic
     • 13 billion web requests
     • 1.6 million global sensors
     • 100 TB of data received per day
     • 150 million+ deployed endpoints
     (Diagram: Cisco® SIO at the center; information flows in from Email, Web, IPS, Networks and Endpoints via Cisco ESA, Cisco WSA, Cisco IPS, Cisco ASA, Cisco CWS and Cisco AnyConnect® devices; Visibility, Control and Actions flow back out)

  47. ASA-X: Cisco ASA Next-Generation Firewalls (NGFW), Security Without Compromise
     • Complete protection and policy
     • Granular device-level visibility
     • Support for both active and passive user authentication
     • Reputation-based web security and robust content-based URL filtering
     • Deepest control of applications and micro-applications
     • Proactive threat intelligence and protection (Cisco® SIO)
     • Exceptional management visibility for end-to-end network intelligence
     Three pillars: Comprehensive, Next-Generation Security Services; Proven Stateful Inspection Firewall; Network Integrated Security
     • Network-wide identity and device access policy
     • Stateful inspection firewall and class-leading AnyConnect® VPN
     • Industry-leading web reputation for malware protection
     (Slide callouts: ONLY CISCO; deployment targets: Data Center, Cloud, Mobile, Campus, Branch)
