- Slides: 36
COMP 3371 Cyber Security Richard Henson University of Worcester November 2017
Week 7: Breach Prevention Strategies
- Objectives:
  - Compare B2B and B2C use of https to knowledge/ignorance of PKI, and the differences between “business trust” and “consumer trust”
  - Explain why websites are so often hacked when PKI has been around and trusted for so many years
  - Explain that application software and even operating systems are flawed, and the crucial importance of using “updates”
  - Explain licensing and life-cycle support for software
Global Use of SSL/PKI
- Recap of the start of PKI as (mis)used by business:
  - https://www.sans.org/reading-room/whitepapers/vpns/business-perspective-pki-implementations-fail-success-factors-728
- Reports from the early days of https… (2000):
  - "Online shopping gets a bad rap in the press, but most of the stories reported are anecdotal tales of companies that haven't put successful defensive measures in place"
  - "Web businesses running proper screening of customer information are suffering very little, with average fraud losses held to just over 1%."
  - "Fraud control is clearly possible online, although many companies do not implement stringent screening and prevention measures."
Security and Online Trading as the Information Society progressed…
- More and more businesses bought into PKI
- It was expected that these early problems were just “teething troubles” with using new technology and would soon fade away…
Data on the move: Encryption is not enough!
- The other aspect of SSL/PKI is the establishment of trust between online vendors and customers
  - usually achieved by using encryption AND providing a digital certificate system:
    - verifies the identity at each end of the communication link
    - thereby authenticating the server/user
- The savvy user knows about digital certificates and expects to be able to view them online
“Mature” use of PKI?
- 15 years on, larger companies use SSL/PKI for secure communications as a matter of course!
- Conclusion: PKI is industry-standard technology
- But…
  - (1) companies not applying strict security measures correctly are:
    - being defrauded
    - skewing the statistics for more responsible online traders
  - (2) human error and computer misuse through software vulnerabilities continue…
So, 16 years on… What is being done… and what COULD be done!
- Problem:
  - is PKI implemented correctly?
  - What about smaller companies with less expertise?
  - Who bothers to check?
    - student research… alarming?
    - action???
Solution… Google’s Browser
- From early 2017, Google Chrome has checked links and highlighted any https link that has flaws…
  - https://www.wired.com/2016/11/googles-chrome-hackers-flip-webs-security-model/
  - Now explained on a BrightTalk webinar…
- Hopefully, other browser manufacturers will follow this excellent practice!
Security Differences between B2B and B2C
- A B2B link has “business trust”
- set up properly for online trading:
  - use server certificates on web servers
  - use SSL to ensure data is encrypted
  - train users to be aware of danger signs
  - share data in a limited way between organisations
- B2C: the customer only accesses web pages
  - uses a shopping cart system to purchase
B2C and Website Vulnerability
- Small businesses outsource many of their business functions
- Including:
  - development of the website
  - putting the website on an Internet-facing webserver
Website Vulnerabilities
- The website must have direct access to the Internet
  - so the Internet has direct access to the website folder on the webserver
  - webbots can gather information about the business…
    - find weak links in the website!
    - and possibly weaknesses on the server
    - e.g. “Heartbleed not patched!”
- http://heartbleed.com/
Software Layers and Operating Systems (OS)
(Layer diagram, top to bottom:)
- Applications
- OS functions & user interface
- OS kernel
- CPU, motherboard
What if the Operating System has software faults?
The platform becomes “unstable”!!
- Could be errors in:
  - hardware control?
  - user interface?
  - utilities?
- What would happen to:
  - applications running on a poorly designed platform?
  - businesses depending on such apps?
“Good” and “Bad” programming
- Apollo missions to the moon
  - first use of programming for control, “because manual not possible…”
- Programming used to:
  - put the Apollo spacecraft into moon orbit
  - land a small craft and two astronauts
Early example of excellent software
- Moon landing software (1969)…
  - & final Presidential acclaim for safe coding (2016)
    - http://www.floridatoday.com/story/tech/science/space/2016/11/26/obama-honors-apollo-software-developer-margaret-hamilton/94477822/
- https://www.youtube.com/watch?v=X1PNp_YggAA
“Moon Lander” Program
- Retro rockets of a falling LEM vehicle
- Balanced against moon gravity
- Limited amount of fuel…
- Version written for BASIC
- Very popular early microcomputer game
Is software always safe? Written by humans!
- Depends how it is:
  - designed
  - coded
  - tested
- Lots could… and does… go wrong
  - too much trust?
  - not enough testing?
B2C Software
- The consumer buys a license to use software during its lifecycle…
  - NOT the software itself!
- The license may become invalid (or useless…) if the software is no longer supported
  - consumer potentially unaware
  - also applies to operating systems (!)
Publishing of Vulnerabilities
- Many disturbing examples of data breaches…
  - and software vulnerabilities that provided access for hackers
- Records of Internet-exploitable vulnerabilities finally kept…
  - US security organisation MITRE
    - https://cve.mitre.org/cve.html
Good for Consumers
- With the MITRE initiative…
  - Software companies with faulty code named and shamed…
  - Embarrassing…
- Over time, software will get better
  - i.e. fewer flaws!
Software Faults & CWE
- Lots of recent interest in the unreliability of software (even operating systems…)
- MITRE (US gov)…
  - classified software fault types through the Common Weakness/Vulnerability Enumeration (CWE/CVE)
    - community support
    - formally published list of weaknesses/vulnerabilities
- Intended use?
  - to better describe software weaknesses in architecture, design, or code
[TSI/2012/183] © Copyright 2003-2012
More about CWE
- Full list of CWE entries…
  - http://cwe.mitre.org/data
  - the more commonly encountered weaknesses are usually “repeat offenders”
- CWE provides:
  - a standard measuring stick for software tools targeting software weaknesses
  - a common baseline standard for efforts to identify, mitigate, and prevent software weaknesses
  - Top 25 (most hacked) vulnerabilities… PTO
CWE Top 25 faults (part 1)

Rank  ID       Name
1     CWE-79   Failure to Preserve Web Page Structure ('Cross-site Scripting')
2     CWE-89   Improper Sanitization of Special Elements used in an SQL Command ('SQL Injection')
3     CWE-120  Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
4     CWE-352  Cross-Site Request Forgery (CSRF)
5     CWE-285  Improper Access Control (Authorization)
6     CWE-807  Reliance on Untrusted Inputs in a Security Decision
7     CWE-22   Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
8     CWE-434  Unrestricted Upload of File with Dangerous Type
9     CWE-78   Improper Sanitization of Special Elements used in an OS Command ('OS Command Injection')
10    CWE-311  Missing Encryption of Sensitive Data
11    CWE-798  Use of Hard-coded Credentials
12    CWE-805  Buffer Access with Incorrect Length Value
13    CWE-98   Improper Control of Filename for Include/Require Statement in PHP Program ('PHP File Inclusion')
CWE Top 25 faults (part 2)

Rank  ID       Name
14    CWE-129  Improper Validation of Array Index
15    CWE-754  Improper Check for Unusual or Exceptional Conditions
16    CWE-209  Information Exposure Through an Error Message
17    CWE-190  Integer Overflow or Wraparound
18    CWE-131  Incorrect Calculation of Buffer Size
19    CWE-306  Missing Authentication for Critical Function
20    CWE-494  Download of Code Without Integrity Check
21    CWE-732  Incorrect Permission Assignment for Critical Resource
22    CWE-770  Allocation of Resources Without Limits or Throttling
23    CWE-601  URL Redirection to Untrusted Site ('Open Redirect')
24    CWE-327  Use of a Broken or Risky Cryptographic Algorithm
25    CWE-362  Race Condition
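Two entries from the Top 25 list above, rank 7 (CWE-22, path traversal, the “website folder on the webserver” case from the earlier slide) and rank 2 (CWE-89, SQL injection), each shown as a vulnerable function next to its fixed form. This is an added illustration, not code from the slides or from MITRE; the web root layout and the customer table are constructed inline, and it uses only the Python standard library.

```python
import os
import sqlite3
import tempfile

# CWE-22 (rank 7): pathname not limited to the restricted directory.
def read_site_file_vulnerable(webroot, requested):
    # Joins the user-supplied path straight onto the web root, so a request
    # such as "../secret.txt" walks out of the website folder.
    with open(os.path.join(webroot, requested)) as f:
        return f.read()

def read_site_file_fixed(webroot, requested):
    # Resolve the final path and refuse anything that lands outside the root.
    root = os.path.realpath(webroot)
    target = os.path.realpath(os.path.join(root, requested))
    if os.path.commonpath([root, target]) != root:
        raise PermissionError("path escapes web root: %r" % requested)
    with open(target) as f:
        return f.read()

# CWE-89 (rank 2): special elements in an SQL command not neutralised.
def make_customer_db():
    # Constructed in-memory table standing in for a shop's customer list.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (email TEXT, card_last4 TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?)",
                     [("alice@example.com", "1234"), ("bob@example.com", "5678")])
    return conn

def lookup_vulnerable(conn, email):
    # String building lets the input change the query's logic.
    sql = "SELECT email, card_last4 FROM customers WHERE email = '%s'" % email
    return conn.execute(sql).fetchall()

def lookup_fixed(conn, email):
    # Parameterised query: the input is only ever treated as a value.
    sql = "SELECT email, card_last4 FROM customers WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()

def make_webroot():
    # Constructed layout: a web folder with one page, and a secret file
    # one level above it that the web server should never serve.
    base = tempfile.mkdtemp()
    webroot = os.path.join(base, "www")
    os.mkdir(webroot)
    with open(os.path.join(webroot, "index.html"), "w") as f:
        f.write("<h1>shop</h1>")
    with open(os.path.join(base, "secret.txt"), "w") as f:
        f.write("db password")
    return webroot
```

The fixed path check compares resolved paths rather than looking for "..", so symlinks and encoded variants are handled the same way; the fixed lookup returns no rows for the classic quote-and-OR input because it is matched literally as an e-mail address.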
Many other System Flaws (software to support OS, networks, etc)
- “Recently”:
  - Heartbleed – open source webserver software enhancement flawed
  - KRACK – WiFi WPA2 secure implementation had a security flaw
- All patched quickly…
  - But does everyone apply the patches?
Not just apps… Example of an operating system flaw
- Apple:
  - “dangerous” flaw revealed in iOS 7 and OS X (21/2/14)
  - http://gizmodo.com/why-apples-huge-security-flaw-is-so-scary-1529041062
Dangers of not Updating…
- New flaws in software are being detected by MITRE and others all the time…
- usually published once a fix has been found!
    - makes sense to update to a version that has had vulnerabilities patched!
  - hackers will know all about any vulnerabilities removed by an update, and will be eager to exploit… organisations who haven’t updated (!)
Not just Apple, of course!
- Microsoft update regularly, and Windows 10 will receive updates in perpetuity
  - excellent practice!
- Earlier versions of Windows have a “cut off date” for updates
  - Windows XP’s was April 2014!
  - Windows 2003 Server’s was July 2015…
Update Management
- Essential to update all system and application software as soon as possible after release…
  - updates need to be tested…
  - and roll-out planned accordingly!
  - e.g. operating system updates will require a reboot
    - so “automatic” updates may cause problems!
    - generally best for the administrator to have an alert and install updates asap (after testing!)
Latest versions of Applications
- The same update principles apply to apps
  - updates are free
  - may be required to upgrade to a later version
    - Office 2007 “updates” just expired!
  - again… test first… but there may also be a cost!
- Whether to upgrade
  - is the cost of upgrade/training justified:
    - better security?
    - increased productivity?
Updates and Development Environments
- Software, like apps
  - can and does have vulnerabilities
  - needs updating like all other software
- Use of an insecure old version is particularly worrying…
  - development environments generate code
  - what if that code has vulnerabilities…?
Insecure Development Environments
- Many web page generator examples available
  - Joomla… WordPress…
    - more recent versions are more likely to be secure and still have updates
    - older versions are no longer supported, so the code generated is vulnerable!
- Java Run-time…
  - regular updates
    - potential knock-on effects for Java apps…
Using the Windows Registry to check end-point security
- Registry settings in memory control the desktop…
  - totally!
- In order to establish the security status of a machine…
  - just look in the registry!?
A Software Tool for Checking registry settings against Cyber Essentials recommended values
- Yes… there is one
- Yes… it is free!
- Yes… you’ll be able to test it after the break!
Cyber Smart
- A more sophisticated tool has been developed to check the security settings of multiple machines on a network
  - unfortunately, it is certainly not free!
  - https://cybersmart.co.uk/
- However, it will save a lot of time for analysts wishing to help organisations meet the Cyber Essentials criteria…
Next Week…
- Web vulnerabilities & Vulnerability Testing!