Transcript and Presenter's Notes

Title: Top 20 Inspection Finds


1
Top 20 Inspection Finds
  • Based on ISAM inspections conducted
  • February 2004 to December 2005

Presented by Mike Morrison (morrisonm_at_missouri.edu)
IATS/ISAM University of Missouri-Columbia
2
Top 20 Inspection Finds
  • 20. Client Side or Weak Input Validation

3
Client Side or Weak Input Validation
  • Primary source of application vulnerabilities
  • All data should be validated to eliminate
    unexpected characters
  • Zip Code [5 or 9 digits]
  • SSN [9 digits]
  • Name [set max length, allow needed characters]
  • Don't forget hidden, dropdown and radio button
    fields!

4
Client Side or Weak Input Validation
  • Client side validation can be bypassed and must
    reoccur on the server side
  • Unvalidated input will open the application to
    many types of attacks
  • SQL Injection
  • Cross-site Scripting (XSS)
  • Command Injection
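
Server-side validation of the field types the slides name, as an added example (not from the presentation): every field, including the hidden and dropdown ones the browser is trusted too often to get right, is checked against an allowlist before the application uses it. Field names and the option sets are hypothetical.

```python
import re

# Added example, not from the slides: allowlist validators for the field types
# named on slide 3.  Field names and option sets are constructed for the demo.
ZIP_RE = re.compile(r"\d{5}(?:-?\d{4})?")          # Zip Code: 5 or 9 digits
SSN_RE = re.compile(r"\d{9}")                       # SSN: exactly 9 digits
NAME_RE = re.compile(r"[A-Za-z][A-Za-z' .-]*")      # Name: letters plus a few needed characters
NAME_MAX_LEN = 60                                   # Name: set a maximum length

# Hidden, dropdown and radio values are checked against the exact set the
# server put in the form; the browser sending a value does not make it valid.
STATE_OPTIONS = {"MO", "KS", "IL"}          # constructed dropdown options
ROLE_OPTIONS = {"student", "staff"}         # constructed hidden/radio options

def validate_zip(value: str) -> bool:
    return ZIP_RE.fullmatch(value.strip()) is not None

def validate_ssn(value: str) -> bool:
    return SSN_RE.fullmatch(value.strip()) is not None

def validate_name(value: str) -> bool:
    v = value.strip()
    return 0 < len(v) <= NAME_MAX_LEN and NAME_RE.fullmatch(v) is not None

def validate_form(fields: dict) -> dict:
    """Return {field: error} for every failing field; an empty dict means the
    submission is acceptable.  Runs on the server regardless of what any
    client-side JavaScript already checked."""
    checks = {
        "zip": validate_zip,
        "ssn": validate_ssn,
        "name": validate_name,
        "state": lambda v: v in STATE_OPTIONS,   # dropdown
        "role": lambda v: v in ROLE_OPTIONS,     # hidden / radio button
    }
    errors = {}
    for field, check in checks.items():
        value = fields.get(field)
        if not isinstance(value, str) or not check(value):
            errors[field] = "invalid or missing"
    # Fields the form never had indicate a tampered request, not a typo.
    for extra in set(fields) - set(checks):
        errors[extra] = "unexpected field"
    return errors
```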

5
Top 20 Inspection Finds
  • 20. Client Side or Weak Input Validation
  • 19. Database Errors Visible

6
Database Errors Visible
  • Web application DB errors usually display in web
    browser for the development process
  • In production environments, these errors disclose
    more information than desired about the DB
    environment

7
Database Errors Visible
8
Database Errors Visible
  • Info gathered can be used to perform more devious
    attacks on the database
  • unintended information disclosure
  • data modification and deletion
  • Setup database server to log error events instead
    of displaying them

9
Top 20 Inspection Finds
  • 20. Client Side or Weak Input Validation
  • 19. Database Errors Visible
  • 18. Vulnerable to SQL Injection

10
Vulnerable to SQL Injection
  • Malicious user could potentially
  • Create, modify or delete Databases
  • Bypass authentication mechanisms
  • In extreme cases, user could execute commands
    from operating system shell

11
Vulnerable to SQL Injection
Bypassing Authentication with SQL Injection
Username: ' or 1=1
Database will find user with the name NULL or 1=1,
which is always true. The database pulls up the
first record (usually the admin account) and
authenticates the hacker.
12
Vulnerable to SQL Injection
  • Causes
  • Improperly validated user input on forms
  • Use of plain text and stored queries
  • How to avoid SQL Injection
  • Proper input validation on server side
  • Use parameterized or bind variable queries
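
The two causes and the bind-variable fix side by side, as an added example (not from the presentation): a login query built by string concatenation next to the parameterized form. The table, the sample account and the plaintext password are constructed for the demo.

```python
import sqlite3

# Added example, not from the slides: a concatenated login query beside the
# parameterized (bind variable) form the slide recommends.  The table, the
# sample account and the plaintext password are constructed for the demo only.

def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'correct horse')")
    return conn

def login_concat(conn, username: str, password: str):
    """Vulnerable: the user's text becomes part of the SQL statement, so a
    username containing a quote, such as ' or 1=1, rewrites the WHERE clause."""
    sql = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    row = conn.execute(sql).fetchone()
    return row[0] if row else None

def login_param(conn, username: str, password: str):
    """Fixed: the driver sends the values separately from the SQL text, so the
    same input is compared as a literal username and cannot alter the query."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None

def outcome(login, conn, username: str, password: str) -> str:
    """Classify an attempt as 'granted:<user>', 'denied' or 'error'.  An 'error'
    means the input changed the query's grammar; if that error text reaches the
    browser it is exactly the disclosure slide 19 warns about."""
    try:
        user = login(conn, username, password)
    except sqlite3.Error:
        return "error"
    return "granted:%s" % user if user else "denied"
```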

13
Top 20 Inspection Finds
  • 20. Client Side or Weak Input Validation
  • 19. Database Errors Visible
  • 18. Vulnerable to SQL Injection
  • 17. Product with Known Vulnerabilities

14
Product with Known Vulnerabilities
  • Third-party server web products
  • Frequently vulnerable to attack
  • Trivial to find vulnerabilities for products and
    exploit code is usually obtained easily
  • Countermeasure
  • Monitor all third party products for patches
  • Upgrade to new versions as available

15
Top 20 Inspection Finds
  • 20. Client Side or Weak Input Validation
  • 19. Database Errors Visible
  • 18. Vulnerable to SQL Injection
  • 17. Product with Known Vulnerabilities
  • 16. Accounts with Too Many Privileges

16
Accounts with Too Many Privileges
  • Follow the rule of least privilege
  • Every program and every user of the system
    should operate using the least set of privileges
    necessary to complete the job.
  • Helps limit
  • Unauthorized/unintentional information disclosure
  • damaging user errors

17
Top 20 Inspection Finds
  • 15. SSL not being utilized

18
SSL Not Being Utilized
  • SSL encryption must be used for applications that
    access or require sensitive data such as
  • Social Security Numbers
  • Student Numbers
  • Race/Nationality/Ethnicity
  • Gender
  • Grades
  • Other personally identifiable information without
    explicit consent or when covered by an exception

19
SSL Not Being Utilized
  • Install a certificate from an authority such as
    UM or Verisign (http://iatservices.missouri.edu/secure-certificates/)
  • Direct forms or pages through the secure HTTP
    channel

20
Top 20 Inspection Finds
  • 15. SSL not being utilized
  • 14. Inadequate Separation of Duties

21
Inadequate Separation of Duties
  • Industry Best Practice suggests separate roles
    for
  • backup operations
  • systems administration
  • database administration
  • development
  • use of the application

22
Inadequate Separation of Duties
  • Why separate these roles?
  • provide redundancy in function
  • protection from staff-turnover
  • specialists in each role provide better support
  • No budget for more staff?
  • Consider using third party services (database
    hosting, tape backups, server hosting, etc)

23
Top 20 Inspection Finds
  • 15. SSL not being utilized
  • 14. Inadequate Separation of Duties
  • 13. FrontPage Extensions Installed

24
FrontPage Extensions Installed
  • Used for remote web administration
  • Frequent source of vulnerabilities
  • Dangerous security holes when configured
    improperly
  • Rarely used these days and should be disabled if
    not required

25
Top 20 Inspection Finds
  • 15. SSL not being utilized
  • 14. Inadequate Separation of Duties
  • 13. FrontPage Extensions Installed
  • 12. Local Passwords Not Reset Recently

26
Local Passwords Not Reset Recently
  • Passwords should be reset at least every 90 days
  • Passwords should meet a best practice password
    policy

27
Top 20 Inspection Finds
  • 15. SSL not being utilized
  • 14. Inadequate Separation of Duties
  • 13. FrontPage Extensions Installed
  • 12. Local Passwords Not Reset Recently
  • 11. Directory Listing Allowed

28
Directory Listing Allowed
  • Lists all files within a directory
  • Discloses too much information
  • Could reveal backup files
  • risk code disclosure
  • example: filename.bak will not be processed the
    same as filename.asp
  • Disable directory listing or use index files in
    each directory

29
Top 20 Inspection Finds
  • 10. Unused or Shared User Accounts

30
Unused or Shared User Accounts
  • Sharing user accounts
  • Complicates audit trail in the event of an
    incident
  • Individual accounts and group rights should be
    implemented instead
  • Unused accounts
  • act as additional points of intrusion for hackers
  • should be removed or disabled
  • Periodic Account Review
  • user accounts permissions should be reviewed at
    least quarterly
  • inactive accounts should be disabled or removed

31
Top 20 Inspection Finds
  • 10. Unused or Shared User Accounts
  • 9. Inadequate or Weak Password Policy

32
Inadequate or Weak Password Policy
  • At the very least, a local password policy should
    require
  • Password reset at least every 90 days
  • Use of complexity rules
  • Remember the last password
  • At least an 8 character password
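
A periodic account review that applies the policies from slides 26, 30 and 32 (90-day password age, shared accounts, inactive accounts), as an added example that is not part of the presentation. The account records and the review date are constructed; complexity and length rules are enforced when a password is set and are not checked here.

```python
from datetime import date

# Added example, not from the slides: a quarterly account review applying the
# stated policies.  Records and review date are constructed; a real review
# would export them from the directory or the local account database.
MAX_PASSWORD_AGE_DAYS = 90   # "reset at least every 90 days"
INACTIVE_AFTER_DAYS = 90     # one quarter without a login counts as inactive
REVIEW_DATE = date(2005, 12, 15)   # constructed review date

ACCOUNTS = [  # constructed sample export
    {"name": "mmorrison",  "enabled": True,  "shared": False,
     "last_login": date(2005, 12, 1),  "pw_changed": date(2005, 11, 15)},
    {"name": "webadmin",   "enabled": True,  "shared": True,
     "last_login": date(2005, 12, 2),  "pw_changed": date(2005, 3, 1)},
    {"name": "summer_tmp", "enabled": True,  "shared": False,
     "last_login": date(2005, 6, 20),  "pw_changed": date(2005, 6, 1)},
    {"name": "oldsvc",     "enabled": False, "shared": False,
     "last_login": None,               "pw_changed": date(2004, 1, 1)},
]

def review_account(acct: dict, today: date) -> list:
    """Return the policy findings for one account; an empty list is compliant."""
    findings = []
    if not acct["enabled"]:
        return findings                       # already disabled: nothing to flag
    if acct["shared"]:
        findings.append("shared account: replace with individual accounts and group rights")
    if acct["last_login"] is None or (today - acct["last_login"]).days > INACTIVE_AFTER_DAYS:
        findings.append("inactive: disable or remove")
    if (today - acct["pw_changed"]).days > MAX_PASSWORD_AGE_DAYS:
        findings.append("password older than 90 days: force reset")
    return findings

def quarterly_review(accounts: list, today: date) -> dict:
    """Map each non-compliant account name to its findings."""
    report = {}
    for acct in accounts:
        findings = review_account(acct, today)
        if findings:
            report[acct["name"]] = findings
    return report
```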

33
Top 20 Inspection Finds
  • 10. Unused or Shared User Accounts
  • 9. Inadequate or Weak Password Policy
  • 8. No Security Awareness Training

34
No Security Awareness Training
  • On-going training opportunities should be made
    available to
  • Managers
  • System Administrators
  • Developers
  • Important for these positions to keep current
    with constantly changing security and regulatory
    issues.

35
Top 20 Inspection Finds
  • 10. Unused or Shared User Accounts
  • 9. Inadequate or Weak Password Policy
  • 8. No Security Awareness Training
  • 7. Trace/Track Allowed

36
Trace/Track Allowed
  • Trace - rarely used portion of HTTP
  • akin to ping
  • Enabled by default on most servers
  • Sending TRACE command to server returns echo of
    what was sent
  • Often contains sensitive information in the
    headers, such as cookies and credentials

37
Trace/Track Allowed
  • Cross-Site Tracing Attacks (XST)
  • Similar to Cross-Site Scripting
  • Code must be run on end-user's browser
  • Bypasses any encryption
  • Countermeasure: Disable Trace/Track
  • Easily disabled in configuration files

38
Top 20 Inspection Finds
  • 10. Unused or Shared User Accounts
  • 9. Inadequate or Weak Password Policy
  • 8. No Security Awareness Training
  • 7. Trace/Track Allowed
  • 6. FTP Servers

39
FTP Servers
  • FTP vulnerable by nature
  • All data sent unencrypted (like telnet)
  • Use a secure channel like SSH or SSL
  • Many 3rd party FTP servers vulnerable to attack
  • 3rd party FTP products are a frequent source of
    critical vulnerabilities
  • Keep all 3rd party software up to date

40
Top 20 Inspection Finds
  • 5. Patches Not Applied

41
Patches Not Applied
  • All patches for a system's hardware and software
    should be applied
  • Security related or not
  • Patch even if application is disabled
  • Security patches should be applied immediately
  • Administrators should strive to maintain a 0-day
    vulnerability policy
  • Actively monitor all relevant patch releases

42
Top 20 Inspection Finds
  • 5. Patches Not Applied
  • 4. Cross Site Scripting Vulnerabilities

43
Cross Site Scripting Vulnerabilities
  • Also known as XSS
  • Hacker passes malicious code through a website to
    the user
  • Commonly used to steal credentials
  • Frequently used in phishing attacks
  • Countermeasure: Properly validate ALL forms of
    input.

44
Cross Site Scripting Vulnerabilities
XSS Example
1. Hacker enters malicious code into web application.
2. Anyone who views the message from the hacker
   unknowingly executes the malicious code.
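
The two-step flow above against a constructed in-memory message board, as an added example that is not part of the presentation: the slides prescribe validating input; HTML-encoding at output time, shown here beside the vulnerable rendering, is the complementary control. Function and variable names are hypothetical.

```python
import html

# Added example, not from the slides: the stored-message flow of slide 44
# against a constructed in-memory message board.
MESSAGES = []   # constructed store: [{"author": ..., "body": ...}]

def post_message(author: str, body: str) -> None:
    """Step 1: the poster's text is stored exactly as submitted."""
    MESSAGES.append({"author": author, "body": body})

def render_unsafe() -> str:
    """Vulnerable: stored text is pasted into the page, so markup or script in
    a message runs in the browser of everyone who views it (step 2)."""
    return "".join("<p><b>%s</b>: %s</p>" % (m["author"], m["body"])
                   for m in MESSAGES)

def render_safe() -> str:
    """Fixed: every untrusted value is HTML-encoded on output, so the browser
    shows the poster's text instead of interpreting it."""
    return "".join("<p><b>%s</b>: %s</p>"
                   % (html.escape(m["author"]), html.escape(m["body"]))
                   for m in MESSAGES)

def contains_active_markup(rendered: str) -> bool:
    """Crude check used by the demo: does the output still contain a raw tag?"""
    return "<script" in rendered.lower()
```
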
45
Top 20 Inspection Finds
  • 5. Patches Not Applied
  • 4. Cross Site Scripting Vulnerabilities
  • 3. No Audit Logs or Logs Not Reviewed

46
No Audit Logs or Logs Not Reviewed
  • Adequate logging is critical!
  • For diagnosing problems
  • Following forensic trail of compromised system
  • Web applications as well as servers must be able
    to adequately log events
  • Time must be allotted to review these logs each
    day

47
No Audit Logs or Logs Not Reviewed
  • For multiple servers, centralized logging should
    be considered
  • many 3rd party products available.
  • Best-practice Windows Logging

48
Top 20 Inspection Finds
  • 5. Patches Not Applied
  • 4. Cross Site Scripting Vulnerabilities
  • 3. No Audit Logs or Logs Not Reviewed
  • 2. Improper File/Share Permissions

49
Improper File/Share Permissions
  • Like user accounts, file and share permissions
    should follow the rule of least privilege
  • The Everyone group should never be used when
    sharing folders and files
  • Shares and file permissions should be reviewed on
    a regular basis
  • Full Control permission should not be granted
    where Read/Write is sufficient

50
Top 20 Inspection Finds
  • 1. Services widely available and Unused services
    running

51
Services widely available and Unused services
running
  • Available services that are not in use
  • Unnecessarily expose server to attack
  • Should be uninstalled or disabled
  • Services that are widely available
  • Should be restricted to only those computers
    requiring access
  • Restrict using Firewalls, IPSEC or IPTABLES

52
Services widely available and Unused services
running
  • Services that have exposed ports are the biggest
    security threat to servers
  • Finding an open, vulnerable service and
    exploiting it gets easier every day
  • SecurityFocus BugTraq
  • Find vulnerabilities in products
  • Exploit code often available

53
Services widely available and Unused services
running
  • Exploiting
  • Windows
  • LSASS
  • (MS04-044)

54
Questions?
  • Mike Morrison
  • IAT Services ISAM
  • morrisonm_at_missouri.edu
