Dear Friends,
I attended an awareness programme on “IT Security Aspects” held in my
company last week. I would like to share the information which was
gathered there. I may not be able to answer if someone asks questions.
I am, however, sure that the experts in our list can answer if someone
asks for clarifications. I have its detailed presentation with video
clippings. If anyone needs it, please send an email personally to
[email protected] or [email protected].
OVERVIEW OF EMERGING THREATS AND RISK MITIGATION IN CYBER SPACE
Top 6 Emerging Threats
Employees are selling their company out -1
Employees are selling their company out -2
Laptops / Storage devices on the Loose
Unintentional Access & Disgruntled Ex-Employees
Missing Security Patches
Cyber Terrorism
Emerging Threats
Employees are selling their company out -1
Unwitting employees disclose confidential information, from passwords
to financial data, to ill-intentioned intruders. Unable to identify
fraudulent websites and counterfeit email messages, they open the
company’s closed doors to criminals.
Remedy
Implementing an anti-phishing toolbar that displays the website’s real
domain name (a built-in feature of Internet Explorer 8).
Training IT personnel (corporate awareness).
Employees are selling their company out -2
Serious data leaks are caused by either malicious employee activity or
non-malicious employee error. Even the most innocent correspondence
can create trouble.
Remedy
Strict usage policies prohibiting employees from sending sensitive
information via unsecured email.
Corporate awareness.
Laptops / Storage devices on the Loose
Theft or loss of a laptop containing sensitive data.
Theft or loss of portable storage devices such as USB drives, iPods,
CDs, DVDs and memory sticks that contain sensitive information.
Remedy
Employees should protect their laptops with a startup password.
Make a practice of deleting old emails and unwanted files from all
portable devices.
Unintentional access & Disgruntled Ex-employees
Research has revealed that it can take up to 4 months for a company
to remove the user rights of a former employee. Within that time span
a disgruntled ex-employee can create havoc and weaken the company’s
critical business systems.
Remedy
User provisioning should be upgraded and access should be modified as
soon as even a single employee leaves the company.
Missing Security Patches
Vendors are not always quick to produce the necessary patches for a
security hole. Further complicating the matter, IT administrators are
too overburdened to ensure that they have the latest patches and
updates. This may result in virus penetration.
Remedy
Regular updates and patches, with automated patch management, should
be maintained on all network computers.
Cyber Terrorism
Cyber terrorism is the convergence of cyberspace and terrorism. It
refers to unlawful attacks and threats against computers, networks and
the internet with the intention of harming finance, society or
infrastructure in order to generate fear.
Classes of attack
A. Authentication
1. Brute Force
2. Insufficient Authentication
3. Weak Password Recovery Validation
B. Authorization
1. Insufficient Authorisation
2. Credential/Session Prediction
3. Insufficient Session Expiration
4. Session Fixation
C. Client-side Attacks
1. Content Spoofing
2. Cross-site Scripting
D. Command Execution (Programming Side)
1. Buffer Overflow
2. Format String Attack
3. LDAP Injection
4. OS Commanding
a. SQL Injection
b. SSI Injection
c. XPath Injection
E. Information Disclosure (Programming Side)
1. Directory Indexing
2. Information Leakage
3. Path Traversal
4. Predictable Resource Location
F. Logical Attacks (Programming Side)
a. Abuse of Functionality
b. Denial of Service
c. Insufficient Anti-Automation
d. Insufficient Process Validation
Authentication:
A mechanism whereby systems may securely identify their users.
Brute Force Attack
1. An automated process of trial and error to guess a person’s
username, password, credit card number etc.
2. Cycles through a dictionary word by word and generates millions of
incorrect guesses.
3. Types of brute force attacks:
a. Normal brute force
b. Reverse brute force
Example of Brute Force Attack
Demo MS-Office Password recovery software
Person Name – Ramesh Shah
Username - Ramesh
Password – shah, rameshshah, ramesh_shah, [car no.], [birth date],
[pet name], ramesh123
Insufficient Authentication
Occurs when a website permits an attacker to access sensitive content
without proper authentication.
Example of Insufficient Authentication
Administrative functionality has been designed in such a way that
the directory or page is not linked anywhere but can still be accessed
using a web browser,
e.g. www.ashakta.com/admin
Weak Password Recovery Validation
It is difficult for a user to remember the passwords of the various
websites he regularly visits. In such cases an automated password
recovery process is required. This includes:
Requiring the user to answer a “Secret Question” defined as part of
the registration process.
Having the user provide a “Hint” during registration.
Requiring the user to provide personal data such as home address, zip
code etc. to validate their identity.
Examples of Weak Password Recovery
Information verification
Many websites only require the user to provide their email address in
combination with a telephone number, which can easily be obtained.
This makes the verification information not very secret.
Authorisation:
A mechanism by which a system determines what level of access a
particular authenticated user should have to secured resources.
Many websites allow certain users to access specific content or
functionality. The user’s access to other resources might be
restricted. Using various techniques an attacker can fool a website
into increasing their privileges to protected areas.
Credential/Session Prediction
Many websites are designed to authenticate and track a user once a
session is established. For this, users must prove their identity by
supplying a username/password. Rather than passing these credentials
back and forth with each transaction, the website generates a unique
session ID to identify the user’s session as authenticated. If an
attacker is able to predict the session ID of another user, fraudulent
activity is possible.
Example of Credential/Session Prediction
Many websites generate session IDs using custom methodologies. These
may include simply incrementing static numbers or other complex
procedures.
The session ID is then stored in a cookie, hidden form field or URL.
If an attacker can determine this methodology, the attacker can:
Connect to the web application.
Calculate or brute force the next session ID.
Switch the current value in the cookie/hidden form field/URL and
assume the identity of the next user.
Insufficient Authorisation
Insufficient Authorisation is when a website permits access to
sensitive content or functionality that should require access control
restrictions.
Example of Insufficient Authorisation
Many websites have stored administrative content and/or
functionality in hidden directories such as /admin or /logs. If an
attacker directly requests these directories, he would be allowed
access,
e.g. www.rmip99.com/admin
Insufficient Session Expiration
Insufficient session expiration is when a website permits an
attacker to reuse old session credentials or session IDs for
authorisation.
Since HTTP is a stateless protocol, websites use session IDs to
uniquely identify a user. These session IDs are stored as cookies. The
lack of proper session expiration invites fraudulent attacks. A long
expiration time increases an attacker’s chance of successfully
guessing a valid session ID.
Example of Insufficient Expiration
In a shared computing environment, insufficient session expiration
can be exploited to view another user’s web activities. If a website’s
logout function merely sends the victim to the site’s homepage without
ending the session, another user can go through the browser’s page
history and view pages accessed by the victim because the session ID
has not expired.
Session Fixation
Session fixation is an attack technique that forces a user’s session
ID to an explicit value. Depending on the functionality of the target
website, a number of techniques can be utilised to “fix” the session
ID value.
Examples of Session Fixation
The attacker sets up a “trap session” on the target website to
obtain that session’s ID. This session ID must be maintained through
repeated contact with the website.
The attacker waits until the user logs in to the target website.
When the user does so, the fixed session ID value will be used and the
attacker may take over.
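As an added illustration (my own, not part of the presentation or this mail), a small Python session store showing the server-side defences against the three session weaknesses described above: IDs drawn from the operating system's random generator so the next ID cannot be calculated, absolute and idle expiry with a logout that really ends the session, and a fresh ID issued at login so a planted (fixed) ID is never kept. The lifetime values and the SessionStore class are assumptions for the example.

```python
import secrets
import time

# Assumed policy values for this example (not from the presentation).
SESSION_LIFETIME = 15 * 60   # absolute lifetime in seconds
IDLE_TIMEOUT = 5 * 60        # idle timeout in seconds


class SessionStore:
    """In-memory session store; `clock` is injectable so expiry can be tested."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._sessions = {}   # session_id -> {"user", "created", "last_seen"}

    def _new_id(self):
        # 32 bytes from the OS CSPRNG: unlike an incrementing number, the next
        # ID cannot be predicted or calculated from the previous one.
        return secrets.token_urlsafe(32)

    def create(self, user=None):
        """Start a session (anonymous until login)."""
        sid = self._new_id()
        now = self._clock()
        self._sessions[sid] = {"user": user, "created": now, "last_seen": now}
        return sid

    def login(self, old_sid, user):
        # Session fixation defence: the pre-login ID (which an attacker may
        # have planted) is discarded and a fresh ID is bound to the user.
        self._sessions.pop(old_sid, None)
        return self.create(user)

    def get_user(self, sid):
        """Return the session's user, or None if unknown or expired."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        now = self._clock()
        if (now - entry["created"] > SESSION_LIFETIME
                or now - entry["last_seen"] > IDLE_TIMEOUT):
            # Expired: delete the record so an old ID can never be reused.
            del self._sessions[sid]
            return None
        entry["last_seen"] = now
        return entry["user"]

    def logout(self, sid):
        # A real logout invalidates the server-side record; redirecting the
        # browser to the homepage alone would leave the session usable.
        self._sessions.pop(sid, None)
```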
Client-side attack
When a user visits a website, trust is established between the two
parties both technologically and psychologically. A user expects the
websites they visit to deliver valid content. A user also expects the
website not to attack them during their stay. By leveraging these
expectations of trust, an attacker may employ several techniques to
exploit the user.
Content Spoofing
Content spoofing is an attack technique used to trick a user into
believing that certain content appearing on a website is legitimate
and not from an external source.
Example of Content Spoofing
Some web pages are served using dynamically built HTML content
sources. For example, the source location of a frame
(<frame src=http://foo.example/file.html>)
could be specified by a URL parameter value
(http://foo.example/page?frame_src=http://foo.example/file.html).
An attacker may be able to replace the “frame_src” parameter value
with “frame_src=http://attacker.example/spoof.html”. When the
resulting web page is served, the browser location bar visibly remains
under the domain the user expects (foo.example), but the foreign data
(attacker.example) is shrouded by legitimate content.
Cross-site Scripting
Cross-site scripting (XSS) is an attack technique that forces a
website to echo attacker-supplied executable code, which loads in a
user’s browser. The code runs within the security context of the
hosting website, so it has the ability to read, modify and transmit
any sensitive data accessible by the browser. It may hijack accounts
(cookie theft) or redirect the browser to another location.
Example of Cross-site scripting
Many websites greet a logged-in user with “Welcome, <Username>”. If
an attacker were to modify the username field, inserting
cookie-stealing JavaScript, it would be possible to gain control of
the user’s account.
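As an added example (mine, not from the presentation), the server-side checks that close the two client-side holes above: the frame_src parameter is accepted only when it points at the site's own host over http(s), and the username is HTML-escaped before it is placed in the greeting. The host allowlist, the default frame and the function names are assumptions.

```python
import html
from urllib.parse import urlsplit

# Assumed for this example: the page is served from foo.example, so only
# frames from that host may be embedded.
ALLOWED_FRAME_HOSTS = {"foo.example", "www.foo.example"}
DEFAULT_FRAME = "http://foo.example/file.html"


def safe_frame_src(frame_src):
    """Return frame_src unchanged only if its scheme is http(s) and its host
    is on the allowlist; otherwise fall back to the site's own page."""
    parts = urlsplit(frame_src)
    if parts.scheme not in ("http", "https"):
        return DEFAULT_FRAME          # rejects javascript:, data:, relative URLs
    # .hostname strips user:pass@ and :port, so a URL such as
    # http://foo.example@attacker.example/ is judged by its real host.
    if parts.hostname not in ALLOWED_FRAME_HOSTS:
        return DEFAULT_FRAME
    return frame_src


def render_welcome(username):
    """Escape <, >, &, quotes: any script in the username is shown as text."""
    return "Welcome, " + html.escape(username, quote=True)


def render_page(username, frame_src):
    """Assemble the page from the escaped greeting and the validated frame."""
    return (
        "<html><body>"
        "<p>" + render_welcome(username) + "</p>"
        '<frame src="' + html.escape(safe_frame_src(frame_src), quote=True) + '">'
        "</body></html>"
    )
```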
Malicious code (Viruses, Worms, Trojans and Spyware)
Virus
A computer virus is a computer program that can copy itself and
infect a computer without the permission or knowledge of the owner.
A true virus can spread from one computer to another.
It can spread through a floppy disk, CD, DVD, USB drive or network
file system.
Macro viruses became common in the mid-1990s.
These viruses are written in the scripting languages of Microsoft
programs such as Word, Excel and even PowerPoint and spread through
MS-Office by infecting documents and spreadsheets.
Virus infection strategy
In order to replicate itself, a virus must be permitted to execute
code and write to memory.
Many viruses attach themselves to executable files.
There are two types of viruses:
1. Non-resident viruses
Consist of a finder module and a replication module.
2. Resident viruses
Contain a replication module only. The virus loads the replication
module into memory when it is executed. This module is executed each
time the operating system is called to perform a certain operation.
Methods to avoid detection
Keeping the last-modified date the same
Keeping the file size the same (cavity virus)
Killing the task associated with anti-virus software
Avoiding bait files
Stealth
Self-modification
Polymorphic code
Metamorphic code
Worms
A computer worm is a self-replicating computer program. It uses the
network to send copies of itself to other nodes.
It does not need to attach itself to an existing program.
It harms the network by consuming bandwidth.
Malware
How to identify an infected computer?
System becomes too slow
Freezing of Applications
Application runs abnormally
Unwanted and unexplained files
Change in Icons
Drives do not open on double click
System frequently reboots automatically
Slow booting process
Registry Editor and / or Task Manager are disabled
Trojan
A Trojan horse is malware that facilitates unauthorised access to
the user’s computer.
It is not self-replicating.
It is designed to allow a hacker remote access to a target computer
system.
The hacker can gain access and perform various actions on the target
computer,
e.g. data theft, deleting files, modifying files etc.
Remote Access Trojans (RATs)
Designed to provide the attacker with complete control of the
victim’s system.
Data Sending Trojans
Designed to provide the attacker with sensitive data such as
passwords, credit card information or email addresses.
Destructive Trojans
Designed to destroy and delete files.
Proxy Trojans
Designed to use the victim’s computer as a proxy server. This gives
the attacker the opportunity to do everything from your computer,
including credit card fraud and other illegal activities.
E.g. Win32.Small.aap
FTP Trojans
Designed to open port 21 (the port for FTP transfer) and let the
attacker connect to your computer using FTP.
Spyware
Spyware is a type of malware that is installed surreptitiously on a
computer to collect information about users and their browsing habits
without their consent.
It creates significant unwanted CPU activity, disk usage and network
traffic.
It causes application freezes, failure to reboot, system crashes and
difficulties in connecting to the internet.
Some spyware displays advertisements simply as popups on a regular
basis.
E.g. Downloader.Win32.INService is known to show pornography,
keygen and illegal software popups.
Some spyware, known as “stealware”, diverts the payment of revenues
from the legitimate affiliate to the spyware vendor.
SPAM
Spam is the abuse of electronic messaging systems to send bulk
messages indiscriminately. The most recognised form is email spam.
It is also known as junk mail.
It is sent via zombie networks.
Phishing and keylogger
Phishing
In a phishing attack the victim receives by email a request to
complete an online form with sensitive information, which is then sent
to the attacker.
The online form is placed on a fraudulent website.
SmartScreen Filter is a feature in IE8 that helps you avoid phishing
websites.
Keylogger
Often used by employers to ensure employees use work computers for
business purposes only.
A type of surveillance software that has the capability to record
every keystroke you make to a log file.
Records instant messages, emails, passwords etc., which are then sent
to a specified receiver.
Can also record screenshots.
How to avoid malware?
Use anti-virus software.
Never download games or cracks.
Never open pornographic content.
Never open unknown emails or their attachments.
Never click unreliable links on websites.
Never insert unknown USB devices, CDs etc.
Never install unrecognised / unsigned / unreliable software.
Never boot the system while a CD or USB device is inserted.
Keep your anti-virus / OS updated.
Keep firewall protection on.
How to avoid keylogger?
Use anti-virus software.
Use a virtual keyboard, if available.
E.g. www.hdfcindia.com
Always do financial transactions on secured sites.
Roles and Responsibilities of Computer Users and Desktop Policy
Roles and responsibilities of Computer users
1. Corporate Purposes
a. Always use company’s technology resources in ways that are
consistent with the company’s mission.
b. Never use IT resources for private financial gain.
2. Secure Usage
a. Never share your passwords with anyone, including friends, family
or other employees.
b. Select a strong password and change it regularly.
c. Honour and maintain all of the company’s system security procedures
and confidential information.
d. Always log out of accounts on computers / email / network.
e. Take steps to understand computer viruses and other destructive
software.
3. Legal Usage
a. Use accounts for legal purposes only.
b. Share music and other media files only if you have appropriate
permission.
c. Never use a technology to harass others.
d. Never damage software or data belonging to others.
e. Never monitor or disrupt the communications of others.
f. Never use computers to view or distribute pornography.
4. Ethical Usage
a. Use IT resources in ways that maintain the high ethical standards
of the company.
b. Never violate computer system security or make unauthorised use of
accounts / networks.
c. Never use IT resources, including network / hardware / software,
for dishonesty / cheating.
Desktop Security Policy
Local access must be controlled via an individual, password-protected
account for each user.
A password-protected screen saver should be set to activate after a
certain period of idle time.
File and printer sharing should only be enabled after consulting
with the local support provider.
For everyday use a non-administrative account should be used to
minimise the possible destructive impact of malware.
End users should not have administrative access.
The local Administrator account should be set to have a lengthy,
complex password.
Only NTFS (New Technology File System) partitions should be used.
IIS should not be installed unless absolutely needed.
Unneeded network services should be disabled.
The Autoplay option for removable devices should be disabled.
Anti-virus with firewall protection is mandatory.
File encryption software should be used to encrypt the data.
Network Security Policies
A firewall should be the only entry point to your network.
Wireless routers should be password protected (concept of IANA
[Internet Assigned Numbers Authority], gateways, ISPs and individual
internet accounts).
Assign a static IP address to each network device.
Use strong passwords for all accounts.
Storing sensitive data
There are a few questions you need to ask yourself before storing
sensitive data:
Do you really need to access the sensitive data?
Do you really need to make a copy of the sensitive data?
Do you really need to share the sensitive data with someone else?
How long do you need to keep the copy of the sensitive data?
Do you really need to print your sensitive data?
Use password-protected folders.
Store data as password-protected ZIP or RAR files.
Dispose properly of CDs that contain sensitive data.
Take regular backups and secure the backup devices.
Avoid emailing sensitive data.
Good Password Sense
Passwords should be at least 8-10 characters in length.
Passwords should include at least 1 character from 3 of the following
4 classes: lowercase letters, uppercase letters, numbers and special
characters.
Passwords should not contain a dictionary word.
Passwords should not contain any part of your full name or other
personal information.
Don’t use the same password for all systems.
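As an added example (not from the presentation), a Python checker that applies the five password rules above to a candidate password and reports every rule it breaks. The short dictionary and the personal-information list in the test are constructed inputs, and the fragment length used for "any part of your full name" is an assumption; a real deployment would load a proper word list.

```python
import re

MIN_LENGTH = 8   # lower bound of the presentation's "at least 8-10 characters"

# The four character classes; a password must contain at least 3 of them.
CLASSES = {
    "lowercase": re.compile(r"[a-z]"),
    "uppercase": re.compile(r"[A-Z]"),
    "number": re.compile(r"[0-9]"),
    "special": re.compile(r"[^A-Za-z0-9]"),
}


def personal_fragments(personal_info, min_len=3):
    """Split name, birth date etc. on non-word characters; every fragment of
    min_len or more characters counts as 'part of' the personal information
    (min_len is an assumption for this example)."""
    frags = set()
    for item in personal_info:
        for part in re.split(r"\W+", item.lower()):
            if len(part) >= min_len:
                frags.add(part)
    return frags


def check_password(password, dictionary, personal_info, used_elsewhere=()):
    """Return the list of rules the password breaks (empty list = accepted)."""
    problems = []
    lowered = password.lower()
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    present = [name for name, rx in CLASSES.items() if rx.search(password)]
    if len(present) < 3:
        problems.append("uses only %d of the 4 character classes" % len(present))
    # Dictionary words anywhere inside the password, case-insensitively.
    hits = [w for w in dictionary if len(w) >= 4 and w.lower() in lowered]
    if hits:
        problems.append("contains dictionary word %r" % hits[0])
    hits = sorted(f for f in personal_fragments(personal_info) if f in lowered)
    if hits:
        problems.append("contains personal information %r" % hits[0])
    # Reuse check against passwords already set on other systems.
    if password in used_elsewhere:
        problems.append("already used on another system")
    return problems
```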
I do hope that it may be useful.
With best regards,
Anil.