IT INFRASTRUCTURE SECURITY S.PERIYAKARUPPAN (PK)

Upload: periya-karuppan

Post on 16-Jan-2015


TRANSCRIPT

Page 1: IT Infrastructure Security

IT INFRASTRUCTURE SECURITY

S.PERIYAKARUPPAN (PK)

Page 2

Agenda

o Basics – Information Security

o Infra Security Threats

o Systems Threats & Countermeasures

o Database Threats & Countermeasures

o Network Threats & Countermeasures

o Layered defense

o Questions

Page 3

Basics – Information Security

Information architecture

Data lifecycle

Data flow

Data storage

Information classification

Private

Public

Confidential

Information assets

People

Process

Technology

Page 4

Infra - Security Threats

Virus: A program or piece of code that is loaded onto your computer without your knowledge and runs against your wishes.

Trojan Horse: A destructive program that masquerades as a benign application. Unlike viruses, Trojan horses do not replicate themselves.

Worm: A program or algorithm that replicates itself over a computer network and usually performs malicious actions.

Page 5

Infra - Security Threats - Contd

Spyware is considered a malicious program and is similar to a Trojan horse in that users unwittingly install the product when they install something else.

Adware is considered a legitimate alternative offered to consumers who do not wish to pay for software. Programs, games or utilities can be designed and distributed as freeware.

Malware, short for malicious software, consists of programming (code, scripts, active content, and other software) designed to disrupt or deny operation, gather information that leads to loss of privacy or exploitation, gain unauthorized access to system resources, and other abusive behaviour.

Rootkit: software that enables continued privileged access to a computer while actively hiding its presence from administrators by subverting standard operating system functionality or other applications.

Page 6

System Threats & Countermeasures

o SMB relay – MITM

o FTP bouncing

o DNS Cache Poisoning

o Insider threat – Windows environment

Page 7

SMB Relay Attack - Explained

Counter Measures

• Preventive : Signed SMBs (NTLM V2)

• Detective : Log monitoring – TCP 139 445 transactions

• Compensative : Layered defence

An SMB Relay attack is a type of man-in-the-middle attack where the attacker asks the victim to authenticate to a machine controlled by the attacker, then relays the credentials to the target. The attacker forwards the authentication information both ways, giving them access. Here are the players in this scenario:

• The attacker is the person trying to break into the target

• The victim is the person who has the credentials

• The target is the system the attacker wants access to, and that the victim has credentials for

And here’s the scenario (see the image at the right for a diagram):

1. Attacker tricks the victim into connecting to him

2. Attacker establishes connection to the target, receives the 8-byte challenge

3. Attacker sends the 8-byte challenge to victim

4. Victim responds to the attacker with the password hash

5. Attacker responds to the target’s challenge with the victim’s hash

6. Target grants access to attacker

Page 8

FTP Bouncing - Explained

Counter Measures

• Preventive : Deny FTP Passive, Avoid FTP arbitrary connections.

• Detective : IDS Log monitoring

• Compensative : Layered defense

1. It is a fact that printers are usually installed with all the settings by default. This includes having the default administration password (if any), default administrative interfaces enabled, default services running, default SNMP community string, etc.

2. It is interesting to note that some printers run an anonymous FTP server that users (and processes) can use to print documents. A user can upload a document to the FTP server running on the printer and it will be printed. Things get worse when you discover that the FTP server supports the PORT command.

3. The PORT command is sent by the FTP client to establish a secondary channel for data to travel over. This command can be abused by an attacker to network-scan other hosts on your network, as shown in the next

An open port completes the transfer over the specified connection

A closed port will result with the FTP server informing the source station that the FTP server can't build the connection
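The "avoid FTP arbitrary connections" control above comes down to one check on the PORT command: the server only opens a data connection back to the host that owns the control connection. The following is an added example, not code from the slides; the function names and the sample addresses are constructed for illustration.

```python
# Added example, not from the slides. Validates an FTP PORT command so the
# server only opens data connections back to the control-connection peer,
# which is the "avoid FTP arbitrary connections" control against bouncing.
import ipaddress


def parse_port_command(arg):
    """Parse the h1,h2,h3,h4,p1,p2 argument of PORT into (ip, port)."""
    parts = arg.strip().split(",")
    if len(parts) != 6:
        raise ValueError("PORT needs six comma-separated numbers")
    nums = [int(p) for p in parts]
    if any(n < 0 or n > 255 for n in nums):
        raise ValueError("each value must be 0-255")
    ip = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]
    return ip, port


def port_command_allowed(arg, control_peer_ip):
    """Return (allowed, reason) for a PORT command received on a control
    connection from control_peer_ip (both are strings)."""
    try:
        ip, port = parse_port_command(arg)
    except ValueError as err:
        return False, "malformed PORT: %s" % err
    if ip != control_peer_ip:
        # The bounce condition: a data channel requested to a third host.
        return False, "data address %s is not the control peer %s" % (ip, control_peer_ip)
    if port < 1024:
        # Well-known ports on the peer are never legitimate data ports.
        return False, "privileged data port %d refused" % port
    addr = ipaddress.ip_address(ip)
    if addr.is_loopback or addr.is_multicast or addr.is_unspecified:
        return False, "special address %s refused" % ip
    return True, "ok"
```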

Page 9

DNS Cache Poisoning

DNS cache poisoning is a maliciously created or unintended situation that provides data to a Domain Name Server that did not originate from authoritative DNS sources.

Page 10

DNS Cache Poisoning - Explained

Counter Measures

• Preventive : Latest version of DNS software BIND 9.3 Win 2003, DNSSEC

• Detective : IDS log analysis

• Compensative : Layered defense

1. A request is sent to the authoritative server for companyA.com. This is identical to the standard process for an iterative query – with one exception.

2. A cracker has decided to poison the internal DNS server’s cache. In order to intercept a query and return malicious information, the cracker must know the transaction ID. Once the transaction ID is known, the attacker’s DNS server can respond as the authoritative server for companyA.com. Although this would be a simple matter with older DNS software (e.g. BIND 4 and earlier), newer DNS systems have built-in safeguards. In our example, the transaction ID used to identify each query instance is randomized. But figuring out the transaction ID is not impossible.

3. All that’s required is time. To slow the response of the real authoritative server, the cracker uses a botnet to initiate a Denial of Service (DoS) attack. While the authoritative server struggles to deal with the attack, the attacker’s DNS server has time to determine the transaction ID.

4. Once the ID is determined, a query response is sent to the internal DNS server. But the IP address for farpoint.companyA.com in the response is actually the IP address of the attacker’s site. The response is placed into the server’s cache.
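The safeguards the scenario refers to are checks the caching server applies before it trusts a reply. The block below is an added example, not code from the slides: a minimal model of a resolver that accepts a reply only when it matches the random transaction ID and source port of a query still outstanding, and only when every record is inside the answering zone (the class, method names and the `guess_space` helper are constructed for illustration).

```python
# Added example, not from the slides. A minimal model of the checks a caching
# resolver applies before it trusts a reply: the reply must carry the random
# 16-bit transaction ID and arrive on the random source port of a query that
# is still outstanding, and every record must be inside the answering zone.
import secrets


class CachingResolver:
    def __init__(self):
        self.pending = {}   # (txid, source_port) -> query name
        self.cache = {}     # name -> ip

    def send_query(self, qname):
        """Register a query with a random TXID and random source port."""
        txid = secrets.randbelow(1 << 16)
        sport = 1024 + secrets.randbelow(65536 - 1024)
        self.pending[(txid, sport)] = qname
        return txid, sport

    def receive_reply(self, txid, dest_port, qname, answers, zone):
        """answers: {name: ip} claimed by a server authoritative for zone.
        Returns True only if the reply was accepted into the cache."""
        key = (txid, dest_port)
        if self.pending.get(key) != qname:
            return False    # TXID, port or question does not match: dropped
        for name in answers:
            if name != zone and not name.endswith("." + zone):
                return False  # out-of-bailiwick record: whole reply dropped
        del self.pending[key]   # a later duplicate for this query is dropped
        self.cache.update(answers)
        return True


def guess_space(port_randomized):
    """Values an off-path forger must match per spoofed reply: the TXID alone
    versus the TXID combined with the randomized source port."""
    return (1 << 16) * ((65536 - 1024) if port_randomized else 1)
```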

Page 13

Insider Threat – Misuse of Admin privilege

Counter Measures

• Preventive : Proper Patch updates, Least user privilege, Role based access.

• Detective : IDS, File integrity monitors

• Compensative : Layered defense

Page 14

Database Threats & Countermeasures

Disparate Attack vectors

o SQL Injection

o XSS Cross Site Scripting

o Buffer Overflow

o Top 5 Process Gaps

Page 16

SQL Injection – Attack Explained

Counter Measures

• Preventive : Input Validation/ Proper Patch management

• Detective : Audit log monitoring of high privilege grants

• Compensative : Layered defence

1. SQL Injection is an attack method that targets the data residing in a database through the firewall that shields it.

2. It attempts to modify the parameters of a Web-based application in order to alter the SQL statements that are parsed to retrieve data from the database.

3. Enter the string as both user name and password in the frame on the right. This should get you logged in as a user (jake happens to be the first user in the table). This tells you that Jake is a user and it allows you to access his account.

Privilege Escalation using SQL injection

The GRANTEE parameter used in procedures of the SYS.DBMS_STREAMS_AUTH PL/SQL package is vulnerable to SQL injection. Exploitation of this vulnerability allows an attacker to execute arbitrary PL/SQL under the elevated privileges of the SYS user.
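The login demonstration in step 3 works because the user-supplied string becomes part of the SQL grammar. The block below is an added example, not code from the slides: the same login query written the vulnerable way and with bound parameters (the "Input Validation" control), against a users table constructed here with the tautology input as a constructed test value.

```python
# Added example, not from the slides. The login query behind the "first user
# in the table" demonstration, written the vulnerable way and the
# parameterized way. The users table and its rows are constructed here.
import sqlite3


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("jake", "s3cret"), ("mary", "hunter2")])
    return conn


def login_vulnerable(conn, user, pw):
    """String concatenation: the input is parsed as part of the statement."""
    sql = ("SELECT name FROM users WHERE name = '%s' AND password = '%s'"
           % (user, pw))
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_parameterized(conn, user, pw):
    """Bound parameters: the input is only ever compared as data."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    row = conn.execute(sql, (user, pw)).fetchone()
    return row[0] if row else None


# Constructed tautology input: makes the WHERE clause true for every row,
# so the vulnerable query returns the first user (jake) without a password.
INJECTION = "' OR '1'='1"
```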

Page 17

XSS – Cross Site Scripting Basics

Counter Measures

• Preventive : HTTP Post method, URL randomization

• Detective : IDS

• Compensative : Layered Defence

Page 18

Buffer Overflow – Concept Explained

Counter Measures

• Preventive : Input Validation/ Patch updates

• Detective : Log monitoring

• Compensative : Layered defence

Buffer overflow occurs when data is input or written beyond the allocated bounds of a buffer, array, or other object, causing a program crash or a vulnerability that hackers might exploit.

1. The SYS.OLAPIMPL_T.ODCITABLESTART procedure in the SYS package, with Execute privilege, has a buffer overflow in Oracle 9iR1 and 9iR2.

2. EXECUTE privilege on DBMS_AQELM : Any Oracle database user with EXECUTE privilege on the package DBMS_AQELM can execute arbitrary code under the security context of the database server.

3. IBM Lotus Domino IMAP Cram-MD5 Buffer Overflow: It is prone to a remote buffer-overflow vulnerability because it fails to properly bounds-check user-supplied data before copying it to an insufficiently sized memory buffer.

Page 19

Top 5 Database Security Process Gaps

1. Poor Privilege management

2. Poor Patch Management

3. Lack of SOD

4. Insecure communication protocol – TNS listener/DB links

5. Lack of powerful grants audit trigger

Page 20

Network Threats & Countermeasures

o Network Re-direction

o Arp-Cache poisoning

o Connection Hijacking

o SYN flooding

o Denial of Services

o Distributed Denial of Services

Page 21

Network Re-direction

1. A port redirection attack is a trust exploitation-based attack that uses a compromised host to pass traffic through a firewall that the firewall would otherwise drop.

2. As an example, the diagram shows a firewall with three interfaces: Inside, Outside, and DMZ, with Host A on the DMZ interface. A host located on the outside interface can reach Host A, but cannot reach the host on the inside, Host B. Host A can reach both the host on the outside and Host B.

3. If a hacker can compromise Host A, the hacker can install software on the DMZ host that redirects traffic from the outside host directly to the inside host (Host B). Although neither communication violates the rules implemented in the firewall, the outside host now has connectivity to the inside host through the port redirection process on the DMZ host.

Counter Measures

• Preventive : HIPS, Proper Trust model and restricted services

• Detective : Log monitoring

• Compensative : Layered defence

Page 22

ARP - Poisoning

1. In normal operation the computers on the LAN use the ARP protocol to acquire and memorize each other's NIC MAC address, which they use for sending network data to each other.

2. But the ARP protocol provides no protection against misuse. An attacking computer on the same LAN can simply send spoofed ARP Replies to any other computers, telling them that its MAC address should receive the traffic bound for other IP addresses.

3. This "ARP Cache Poisoning" can be used to redirect traffic throughout the LAN, allowing any malicious computer to insert itself into the communications stream between any other computers for the purpose of monitoring and even altering the data flowing across the LAN.

Counter Measures

• Preventive : Use Static IP entries using batch script during login

• Detective : Arp inspection

• Compensative : Layered defense
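The "Arp inspection" detective control above amounts to watching for two symptoms of spoofed replies: an IP whose announced MAC changes, and one MAC answering for several IPs. The block below is an added example, not code from the slides; the ARP reply records, addresses and function names are constructed for illustration, and the optional `trusted` table stands in for the static entries the preventive control pushes at login.

```python
# Added example, not from the slides. Implements the "Arp inspection"
# detective control as a check over ARP reply records (constructed here):
# an IP whose announced MAC changes, or one MAC answering for several IPs,
# is the footprint of the spoofed replies described above.
from collections import namedtuple

ArpReply = namedtuple("ArpReply", "t ip mac")

# Constructed sample: the gateway 10.0.0.1 is suddenly claimed by a second MAC.
SAMPLE = [
    ArpReply(1, "10.0.0.1", "00:11:22:33:44:01"),
    ArpReply(2, "10.0.0.7", "00:11:22:33:44:07"),
    ArpReply(3, "10.0.0.1", "00:11:22:33:44:01"),
    ArpReply(4, "10.0.0.1", "de:ad:be:ef:00:99"),
    ArpReply(5, "10.0.0.9", "de:ad:be:ef:00:99"),
]


def inspect_arp(replies, trusted=None):
    """Return (alerts, shared). alerts: (t, ip, old_mac, new_mac) for each
    binding change; shared: {mac: [ips]} for MACs claiming several IPs.
    trusted: optional {ip: mac} static table (the slide's preventive
    control); a trusted binding is never overwritten by a conflicting reply."""
    trusted = trusted or {}
    seen = dict(trusted)
    alerts = []
    for r in replies:
        known = seen.get(r.ip)
        if known is None:
            seen[r.ip] = r.mac
        elif known != r.mac:
            alerts.append((r.t, r.ip, known, r.mac))
            if r.ip not in trusted:
                seen[r.ip] = r.mac   # follow the change so flapping stays visible
    by_mac = {}
    for ip, mac in seen.items():
        by_mac.setdefault(mac, []).append(ip)
    shared = {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}
    return alerts, shared
```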

Page 23

Connection Hijacking

1. The attacker examines the traffic flows with a network monitor and notices traffic from Employee X to a web server.

2. The web server returns or echoes data back to the origination station (Employee X).

3. Employee X acknowledges the packet.

4. The cracker launches a spoofed packet to the server.

5. The web server responds to the cracker. The cracker starts verifying SEQ/ACK numbers to double-check success. At this time, the cracker takes over the session from Employee X, which results in a session hanging for Employee X.

6. The cracker can start sending traffic to the web server.

7. The web server returns the requested data to confirm delivery with the correct ACK number.

8. The cracker can continue to send data (keeping track of the correct SEQ/ACK numbers) until eventually setting the FIN flag to terminate the connection.

Counter Measures

• Preventive : Anti-Spoofing

• Detective : Log monitoring

• Compensative : Layered defense

Page 24

Syn - Flooding

Counter Measures

• Preventive : Effective Ingress filters.

• Detective : IDS

• Compensative : Layered defense

Page 25

DOS & DDOS

A denial-of-service attack (DoS attack) or distributed denial-of-service attack (DDoS attack) is an attempt to make a computer resource unavailable to its intended users.

Counter Measures

• Preventive : Threshold/Rate limiting/Peak flow

• Detective : IDS/SIEM

• Compensative : HA/Load balancers
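The "Threshold/Rate limiting" control listed for DoS, and the SYN flooding case on the previous page, both come down to counting new connection attempts per source over a sliding window. The block below is an added example, not code from the slides: a per-source SYN rate limiter replayed over connection records constructed here (time in milliseconds, source IP, TCP flags); the class and function names and the addresses are constructed for illustration.

```python
# Added example, not from the slides. A per-source sliding-window SYN counter,
# the "Threshold/Rate limiting" preventive control above, run over constructed
# connection records (time in ms, source IP, TCP flags).
from collections import defaultdict, deque

# Constructed sample: 203.0.113.9 sends 200 SYNs in one second; a normal
# client sends one at t=0 and one at t=1200; the flooder tries again at t=1600.
SAMPLE = ([(0, "198.51.100.4", "S")]
          + [(5 * i, "203.0.113.9", "S") for i in range(1, 201)]
          + [(1200, "198.51.100.4", "S"), (1600, "203.0.113.9", "S")])


class SynRateLimiter:
    """Allow at most `limit` new SYNs per source within any `window` ms."""

    def __init__(self, limit=100, window=1000):
        self.limit, self.window = limit, window
        self.recent = defaultdict(deque)   # src -> timestamps of counted SYNs

    def allow(self, t, src, flags):
        if "S" not in flags or "A" in flags:
            return True                    # only a bare SYN opens a connection
        q = self.recent[src]
        while q and t - q[0] > self.window:
            q.popleft()                    # forget SYNs outside the window
        if len(q) >= self.limit:
            return False                   # threshold reached: drop the SYN
        q.append(t)
        return True


def filter_events(events, limiter=None):
    """Replay events in time order; return (accepted_count, {src: dropped})."""
    limiter = limiter or SynRateLimiter()
    accepted, dropped = 0, defaultdict(int)
    for t, src, flags in sorted(events):
        if limiter.allow(t, src, flags):
            accepted += 1
        else:
            dropped[src] += 1
    return accepted, dict(dropped)
```

Once the flooder's window has expired (the record at t=1600) its next SYN is accepted again, which is the behaviour a threshold control should have so that a burst does not turn into a permanent block.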

Page 26

Layered defense


Infrastructure Layers of Defense

Network

• Multi Vendor Firewall

• Intrusion Detection System

• Monitoring & Management

• Log Review

System

• Computing Environments

• Server Build Check

• Log Reviews

Desktop/End Point

• Desktop Applications

• End point Security

User Access

• User Access Requests

• Multiple Applications

• Diversified Technology

Security Tools

• RSA enVision

• Arc Sight

• Log Logic

• McAfee Suite

• Symantec Suite

• Trend Micro

• CIS – Bench Mark Audit tools

• WebSense

• Blue Coat

• Tipping Point

• FoundStone

• Qualysguard

• AppScan

Page 27