Information Security Conference - PowerPoint PPT Presentation

About This Presentation

Title: Information Security Conference

Description: Information Security Conference ISO 27001 Vulnerability Assessment and Relevance of it in ISO 27001 By M L. Srinivasan, CISSP, BS7799 LA Director Technical & CTO – PowerPoint PPT presentation

Number of Views: 129
Avg rating: 3.0/5.0
Slides: 51
Provided by: MLS58

Transcript and Presenter's Notes

1
Information Security Conference ISO 27001
  • Vulnerability Assessment and Relevance of it in
    ISO 27001
  • By M L. Srinivasan, CISSP, BS7799 LA
  • Director Technical & CTO

2
Session Objectives
  • To provide an introduction to the Vulnerability
    Assessment requirement in ISO 27001
  • To provide an introduction to IT vulnerabilities
  • To provide an overview of how vulnerabilities are
    distributed
  • To provide an overview of types of
    vulnerabilities and related impacts
  • To show how vulnerability assessment results are
    brought into the Risk Assessment exercise.

3
Vulnerability Assessment requirement in ISO
27001 (BS7799)
  • What the standard says:
  • 1. Identify the risks
  • a) Identify the assets within the scope of ISMS
  • b) Identify the threats to those assets
  • c) Identify the vulnerabilities that might be
    exploited by the threats
  • d) Identify the impacts that losses of
    confidentiality, integrity and availability may
    have on the assets
  • 2. Assess the risks
  • a) Assess the business harm that might result
    from security failure.
  • b) Assess the realistic likelihood of such
    security failure occurring in the light of
    prevailing threats and vulnerabilities and
    impacts associated with these assets.

4
IT Vulnerabilities: an Introduction
  • Vulnerabilities in IT systems can be thought of
    as holes or errors.
  • The vulnerabilities may be due to improper
    system design, coding, or both.
  • When a vulnerability is exploited, the result is
    a security violation, or in simple terms an
    impact.
  • Denial of service and privilege escalation are
    examples of impacts.

5
What is Vulnerability Assessment?
  • Vulnerability Identification is a process in
    which IT systems are scanned for known and
    unknown vulnerabilities by using proper tools
    (called vulnerability scanners)
  • Vulnerability Assessment is a process by which
    the identified vulnerabilities are analyzed and
    assessed for severity based on the criticality of
    the system

6
Breakdown of IT vulnerabilities
  • Generally, IT vulnerabilities are distributed as
    follows:
  • 85% in application software
  • 8% in operating systems
  • 7% in devices

7
About CVE
  • CVE is a names list or dictionary of all
    publicly known vulnerabilities and security
    exposures.
  • The aim of CVE is to standardize the names for
    vulnerabilities and security exposures and make
    them easier to share across separate
    vulnerability databases and security tools. It
    is a community-wide collaborative effort that
    provides the content of CVE. CVE is sponsored by
    the U.S. Department of Homeland Security.
  • CVE lives at http://cve.mitre.org or
    http://nvd.nist.gov

8
CVE in a Nutshell
Day 1Session 4Module 1 2
  • One name for one vulnerability or exposure
  • One standardized description for each
    vulnerability or exposure
  • A dictionary rather than a database
  • How disparate databases and tools can "speak"
    the same language
  • The way to interoperability and better security
    coverage
  • A basis for evaluation among tools and databases
  • Accessible for review or download from the
    Internet
  • Industry-endorsed via the CVE Editorial board
  • Abstract from www.cve.mitre.org

9
Structure of CVE List
  • The CVE names, also called "CVE numbers",
    "CVE-IDs" or "CVEs", are the standardized
    identifiers for publicly known information
    security vulnerabilities.
  • Each CVE identifier carries an indication of
    "entry" or "candidate" status.
  • A brief description of the security vulnerability
    or exposure.
  • Any pertinent references.
  • Example:
  • Example

Name: CVE-2005-2830
Description: Microsoft Internet Explorer 5.01, 5.5, and 6, when using an
HTTPS proxy server that requires Basic Authentication, sends URLs in
cleartext, which allows remote attackers to obtain sensitive information,
aka "HTTPS Proxy Vulnerability."
Status: Candidate
Reference: SECTRACK:1015350
Reference: SECUNIA:15368
Reference: CERT:CAN-2005-2830
Reference: .
Reference: .
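A parser for the flat Name/Description/Status/Reference layout of the entry above, added here as an example and not part of the original slides. The `Field:` labels, the legacy `CAN-` candidate prefix mapping and the sample text are assumptions for the demonstration.

```python
import re

# Constructed sample in the entry layout shown on the slide (labels assumed).
SAMPLE_ENTRY = """Name: CVE-2005-2830
Description: Microsoft Internet Explorer 5.01, 5.5, and 6, when using an
HTTPS proxy server that requires Basic Authentication, sends URLs in
cleartext, which allows remote attackers to obtain sensitive information,
aka "HTTPS Proxy Vulnerability."
Status: Candidate
Reference: SECTRACK:1015350
Reference: SECUNIA:15368
Reference: CERT:CAN-2005-2830
"""

CVE_ID = re.compile(r"^(CVE|CAN)-(\d{4})-(\d{4,})$")
FIELD = re.compile(r"^(Name|Description|Status|Reference):\s*(.*)$")


def normalize_name(name):
    """Map the legacy candidate form CAN-YYYY-NNNN onto CVE-YYYY-NNNN."""
    m = CVE_ID.match(name.strip())
    if not m:
        raise ValueError("not a CVE name: %r" % name)
    return "CVE-%s-%s" % (m.group(2), m.group(3))


def parse_cve_entry(text):
    """Parse one flat-text entry into a dict; the description may wrap lines."""
    entry = {"references": []}
    current = None
    for raw in text.splitlines():
        m = FIELD.match(raw)
        if m:
            key, value = m.group(1).lower(), m.group(2).strip()
            if key == "reference":
                if value and value != ".":          # skip empty references
                    entry["references"].append(value)
                current = None
            else:
                entry[key] = value
                current = key
        elif current == "description":              # wrapped continuation line
            entry["description"] += " " + raw.strip()
    if entry.get("status") not in ("Entry", "Candidate"):
        raise ValueError("status must be Entry or Candidate")
    entry["name"] = normalize_name(entry["name"])
    return entry


def references_for(entry, source):
    """IDs from one reference source (e.g. 'SECUNIA') for cross-database lookup."""
    return [r.split(":", 1)[1] for r in entry["references"]
            if r.upper().startswith(source.upper() + ":")]
```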
10
Common Vulnerabilities and Exposures (CVE) Growth
Over Time
  • Today the CVE Dictionary comprises:
  • Total Unique Names: 15459
  • Total Unique Entries: 3053
  • Total Candidates: 12406

11
CERT Vulnerability Information
  • CERT Vulnerability Notes is a comprehensive cyber
    security vulnerability database that integrates
    all publicly available vulnerability and
    exposure resources and provides references to
    industry resources. It is based on and
    synchronized with the CVE vulnerability naming
    standard.
  • CERT-In issues vulnerability information in the
    form of:
  • Advisories
  • Vulnerability Notes
  • Incident Notes
  • In addition, CERT-In publishes many security
    guidelines and whitepapers.

12
CERT-IN Vulnerability Advisories
  • CERT-In advisories are issued collating multiple
    vulnerabilities in a single note during a
    particular month.
  • For example:
  • CERT-In Advisory CIAD-2006-02 (January 12, 2006):
    Vulnerabilities in WMF, Embedded Web Font and
    TNEF components of Microsoft Windows, IE, Outlook
    and Exchange

13
CERT-IN Vulnerability Notes
  • CERT-In vulnerability notes are issued for
    single and unique vulnerabilities.
  • For example:
  • CERT-In Vulnerability Note CIVN-2006-03
    (12 January, 2006): Windows Embedded Web Font
    Vulnerability

14
CERT-IN Incident Notes
  • CERT-In incident notes are issued when a
    security incident or vulnerability exploitation
    is reported, for example virus outbreaks,
    hacking, etc.
  • For example:
  • CERT-In Incident Note CIIN-2004-09 (27th July,
    2004): Win32.MyDoom.M@mm Worm
  • CERT-In Incident Note CIIN-2004-08 (27th June,
    2004, updated on 03rd July, 2004): Attacks on
    IIS Servers using malicious JavaScripts

15
Risk Categorization
Exploitation, Access -> Category
  • Remotely exploitable, administrative access:
    Extremely High
  • Remotely exploitable, user access: High
  • Locally exploitable, administrative access:
    Very High
  • Locally exploitable, user access: Medium
16
Business Criticality
Type of Entity -> Criticality Rating
  • Defense, nuclear installations, secret service,
    Military, Navy, Air Force and related supplier
    companies: Extremely High
  • Banks, financial institutions, hospitals,
    software development companies dealing in BFSI
    products, BPO companies dealing in knowledge
    processing, medical transcription and financial
    transaction processing, call centers dealing in
    outbound calls: Very High
  • Smaller software companies not developing
    mission-critical software, call centers dealing
    only with inbound calls: High
  • Other companies not falling in the above
    categories: Medium
17
Types of Vulnerabilities
  1. Access control error - lack of enforcement
  2. Authentication error - inadequate identification
     mechanisms
  3. Boundary error - inadequate checking/validating
     mechanisms
  4. Configuration error - improper configuration
  5. Exception handling error - improper setup or
     coding
  6. Input validation error - lack of verification
     mechanisms
  7. Randomization error - mismatch in random data
  8. Resource error - lack of resources
  9. State error - incorrect process flow

18
Access Control Error
  • What is it?
  • It is an error due to lack of enforcement of
    which users or functions are permitted or denied
    access to an object or resource.
  • Examples
  • Improper or no access control list or table
  • No privilege model
  • Inadequate file permissions
  • Improper or weak encoding
  • Impact
  • Results in a situation wherein a
    file/object/process is accessed directly without
    authentication or routing.

19
Access control error example
[Diagram: the attacker steals authentication cookies of
other user accounts; elements shown: User Name, Data
Posting System, Valid Posting, Invalid Posting]
20
Authentication Error
  • What is it?
  • It is an error due to inadequate identification
    mechanisms, such that a user or a process is
    not correctly identified.
  • Examples
  • Weak or static passwords
  • Improper or weak encoding or weak algorithms
  • Impact
  • Results in a situation wherein a user or a
    process gains higher privileges. Example: root
    access to the system.

21
Authentication Error example
[Diagram: Attacker, Target Host,
http://www.host.com/admin.php3; labels 'adminnewstrue'
and Admin]
22
Boundary Check Error
  • What is it?
  • It is an error due to inadequate
    checking/validating mechanisms, such that the
    length of the data is not checked/validated
    against the size of the data storage or resource.
  • Examples
  • Buffer overflow
  • Overwriting the original data in memory
  • Worms
  • Impact
  • Results in a situation wherein memory is
    overwritten with some arbitrary code to gain
    access to programs. Example: command prompt
    access.

23
Buffer Overflow
  • Example
  • Stack Overflow
  • Heap Overflow
  • Memory management
  • user mode
  • kernel mode

24
Stack memory allocation
  • The stack operates like a stack of plates in a
    cafe.
  • The stack grows toward lower memory addresses.

25
Over Flow
[Diagram: stack frame with slots labelled buffer, str,
ret and sfp (sizes shown: 10 4 4 4 0); top of memory is
the bottom of the stack, bottom of memory is the top of
the stack]
The return address is overwritten with AAAA
(0x41414141). The function exits and goes to execute
the instruction at 0x41414141.
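A byte-level model of the frame in the diagram, added as an example that is not part of the original slides: an unchecked copy into the 10-byte buffer runs over sfp and lands "AAAA" in the ret slot, while a bounded copy leaves ret intact. The slot sizes follow the diagram; the original return address value and little-endian layout are assumptions.

```python
import struct

# Frame layout from the slide, lowest address first (constructed model, not a
# real process stack): buffer[10] | sfp (4) | ret (4) | str (4), little-endian.
BUF_SIZE, SFP_SIZE, RET_SIZE, STR_SIZE = 10, 4, 4, 4
RET_OFFSET = BUF_SIZE + SFP_SIZE
FRAME_SIZE = RET_OFFSET + RET_SIZE + STR_SIZE
ORIGINAL_RET = 0x08048000   # assumed saved return address of the caller


def new_frame():
    """Fresh frame with the saved return address in its slot."""
    frame = bytearray(FRAME_SIZE)
    struct.pack_into("<I", frame, RET_OFFSET, ORIGINAL_RET)
    return frame


def saved_ret(frame):
    """Read back the 4-byte return address slot."""
    return struct.unpack_from("<I", frame, RET_OFFSET)[0]


def unchecked_copy(frame, data):
    """strcpy-style: copies all of data from the start of buffer, no length check."""
    n = min(len(data), FRAME_SIZE)   # the model stops at the frame edge
    frame[0:n] = data[:n]
    return frame


def bounded_copy(frame, data):
    """strlcpy-style: never writes past buffer, always leaves a terminator."""
    chunk = data[:BUF_SIZE - 1]
    frame[0:BUF_SIZE] = chunk + b"\0" * (BUF_SIZE - len(chunk))
    return frame


def overflow_demo(data, bounded):
    """Return the saved return address after copying data into a fresh frame."""
    frame = new_frame()
    (bounded_copy if bounded else unchecked_copy)(frame, data)
    return saved_ret(frame)
```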
26
Configuration error
  • What is it?
  • It is an error due to improper configuration of
    system parameters or leaving the default
    configuration settings as they are.
  • Examples
  • Windows security policy configuration
  • File and print access to internet connections
  • Impact
  • Results in a situation wherein the system can be
    compromised.

27
Configuration Error Example
[Diagram: Internet, Remote User]
28
Exception handling error
  • What is it?
  • It is an error due to improper setup or coding
    such that the system fails to handle or properly
    respond to exceptional or unexpected data or
    conditions.
  • Examples
  • SQL injection
  • Impact
  • Results in a situation wherein user credentials
    can be captured by injecting exceptional data.

29
Exception handling error - SQL Injection
  • On submitting the page with the arbitrary SQL
    command, the backend process will look like:
    Select * from user_details where user_name = 'user1'' and pass_word = ''
  • By using the group by clause the SQL query is
    modified at the backend process as found below:
    Select * from user_details where user_name = 'user1' group by (pass_word)--
  • The attacker now knows that there is a column
    name in the table called password.
  • This error now gives the attacker a new column
    name user_id and also the table name user_details.
  • The attacker uses the group by clause to obtain
    all the column names in the table. By repeatedly
    applying the group by clause with every new
    column name found, the attacker will be able to
    know all the column names in a table.
  • By using the union clause the attacker will
    identify username and password.
  • By using the union clause the SQL query is
    modified at the backend process as found below:
    select * from user_details where user_name = '' Union SELECT MIN(User_name), 1,1,1,1,1 FROM User_details WHERE User_Name > 'u'--' and pass_word = ''
  • The error message gives the attacker the valid
    username.
  • By using the union clause the SQL query is
    modified at the backend process as found below:
    select * from user_details where pass_word = '' Union SELECT MIN(User_name), 1,1,1,1,1 FROM User_details WHERE User_Name > 'vijaylourduraj'--' and pass_word = ''
  • The error message gives the attacker the valid
    password for username vijaylourduraj.
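The root cause on this slide is a query assembled from user input as text, so a stray quote becomes an SQL syntax error and a union becomes a second query. The following is an added example (not from the original slides) showing that construction beside the parameterized form that removes it; the in-memory sqlite table and its two rows are constructed for the demonstration.

```python
import sqlite3


def make_db():
    """In-memory user_details table with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE user_details "
               "(user_id INTEGER, user_name TEXT, pass_word TEXT)")
    db.executemany("INSERT INTO user_details VALUES (?, ?, ?)",
                   [(1, "user1", "s3cret"), (2, "vijaylourduraj", "p4ss")])
    return db


def login_vulnerable(db, user_name, pass_word):
    """The pattern behind the slide: user input pasted straight into SQL text.

    A quote in the input terminates the literal early, so the database sees
    whatever follows as SQL (union, group by, comment) or raises an error
    whose message reveals table and column names.
    """
    sql = ("SELECT user_id, user_name, pass_word FROM user_details "
           "WHERE user_name = '" + user_name + "' AND pass_word = '"
           + pass_word + "'")
    return db.execute(sql).fetchall()


def login_hardened(db, user_name, pass_word):
    """Same query with bound parameters: input is data and never SQL text."""
    sql = ("SELECT user_id, user_name, pass_word FROM user_details "
           "WHERE user_name = ? AND pass_word = ?")
    return db.execute(sql, (user_name, pass_word)).fetchall()


def error_text(login, db, user_name, pass_word):
    """Return the database error message a login variant leaks, or None."""
    try:
        login(db, user_name, pass_word)
        return None
    except sqlite3.Error as exc:
        return str(exc)
```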
30
Input validation error
  • What is it?
  • It is an error due to lack of verification
    mechanisms to validate the input data or
    contents.
  • Examples
  • Directory traversal
  • ../ malformed URLs
  • Impact
  • Results in a situation wherein, due to poor input
    validation, access to privileged system programs
    may be obtained.

31
Input validation Error example
  • http://targethost/application/cgi-bin/errorpage.cgi/?action=startpg ../../../../../../../../../../../../../../../cmd.exe

[Diagram: Remote User -> Target Host]
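The check the errorpage.cgi above lacks: resolve the requested path against the document root and refuse anything that escapes it. This is an added example, not code from the slides; the document root, the bounded repeated percent-decoding (to catch double-encoded dots) and the backslash handling are assumptions of the demonstration. Symlinks are not considered here; on a real filesystem the same containment test should be applied to the realpath.

```python
import posixpath
from urllib.parse import unquote

# Assumed document root for the demonstration (not part of the original slide).
DOC_ROOT = "/var/www/application"


def resolve_request_path(requested):
    """Return the absolute path a request maps to, or None if it escapes DOC_ROOT.

    Steps: decode percent-encoding until it stops changing (one pass misses
    %252e), reject embedded NULs, treat backslashes as separators, strip a
    leading slash so the request cannot replace the root, normalise '.' and
    '..', then check that the result is still inside DOC_ROOT.
    """
    path = requested
    for _ in range(3):                      # bounded repeated decoding
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    if "\0" in path:
        return None
    path = path.replace("\\", "/")
    candidate = posixpath.normpath(posixpath.join(DOC_ROOT, path.lstrip("/")))
    if candidate != DOC_ROOT and not candidate.startswith(DOC_ROOT + "/"):
        return None
    return candidate


def is_allowed(requested):
    """Convenience wrapper: True when the request stays inside DOC_ROOT."""
    return resolve_request_path(requested) is not None
```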
32
Randomization Error
  • What is it?
  • It is an error due to a mismatch in random data
    that results in insufficient random data for the
    process.
  • Examples
  • Weak encryption key
  • Insufficient random data
  • Impact
  • Results in a situation wherein a cryptographic
    key can be compromised.

33
Randomization Error example
[Diagram: Internet Relay Chat. The CheckGroup() function
does not properly ensure that the variable "p" contains a
number which is prime, leading to a weak cryptographic
key (shown as 12 14 04 06 08 22 46 36 12 14, "Weak
Encryption Key"). A remote user decrypts the data and
determines the keys used. Elements: Remote User]
34
Resource Error
  • What is it?
  • It is an error due to lack of resources available
    for correct operations or processes.
  • Examples
  • Memory getting full
  • CPU completely utilized
  • Impact
  • Results in a situation wherein the system becomes
    unstable or hangs due to lack of resources.

35
TCP Connection Establishment
TCP backlog queue: a one-dimensional array of
slots for waiting SYN messages
36
TCP Half Open Connection
[Diagram: spoofed SYN (Seq X) -> server; server ->
SYN-ACK (Seq Y, Seq X); TCP backlog session queue]
37
Resource Error
[Diagram: Attacker sends spoofed SYN packets; the TCP
backlog session queue fills with half-open entries
(Half-Open x5); a real SYN (Seq X) arrives and "Real SYN
message is dropped here"]
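A small model of slides 35 to 37, added as an example that is not part of the original presentation: a fixed-size backlog of half-open entries, spoofed SYNs that never complete the handshake, and the real SYN that finds no free slot. The slot count, the half-open timeout used as the mitigation, and the timings are assumptions; a real stack uses SYN cookies or adaptive timeouts, which this model does not show.

```python
# Constructed model of the slide's backlog queue (sizes and timeout assumed).
BACKLOG_SLOTS = 5
HALF_OPEN_TIMEOUT = 3.0     # seconds a SYN may wait for its ACK before reaping


class Backlog:
    def __init__(self, slots=BACKLOG_SLOTS, timeout=None):
        self.slots = slots
        self.timeout = timeout          # None models a queue that never reaps
        self.half_open = {}             # client seq -> arrival time
        self.dropped = []               # SYNs that found no free slot

    def on_syn(self, seq, now):
        """Handle an incoming SYN; True if a slot was taken (SYN-ACK sent)."""
        if self.timeout is not None:    # mitigation: age out stale half-opens
            stale = [s for s, t in self.half_open.items()
                     if now - t >= self.timeout]
            for s in stale:
                del self.half_open[s]
        if len(self.half_open) >= self.slots:
            self.dropped.append(seq)    # the slide's "Real SYN message is dropped here"
            return False
        self.half_open[seq] = now
        return True

    def on_ack(self, seq):
        """Third handshake step: a completed connection leaves the backlog."""
        return self.half_open.pop(seq, None) is not None


def run_flood(timeout):
    """Spoofed SYNs never ACK; then a real client tries. Returns (accepted, drops)."""
    q = Backlog(timeout=timeout)
    for i in range(BACKLOG_SLOTS):              # spoofed SYNs at t = 0.0 .. 0.4
        q.on_syn(("spoofed", i), now=0.1 * i)
    accepted = q.on_syn(("real", 0), now=5.0)   # real SYN arrives later
    if accepted:
        q.on_ack(("real", 0))
    return accepted, len(q.dropped)
```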
38
Typical Impacts of IT Vulnerabilities
  • Denial of service
  • Remote code execution
  • Privilege escalation
  • Unauthorized User access
  • Disclosure of user information

39
Denial of Service
  • What is it?
  • Denial of service is a situation wherein
    legitimate users of a service are prevented from
    using that service.
  • Examples
  • Flooding a network, thereby preventing legitimate
    network traffic
  • Disrupting connections between two machines,
    thereby preventing access to a service
  • Preventing a particular individual from accessing
    a service
  • Disrupting service to a specific system or person
  • Impact
  • Results in a situation wherein a
    file/object/process is not available to
    legitimate users.

40
Denial of Service - DOS
41
Distributed Denial of Service
[Diagram: Attacker -> Handlers -> Agents -> Victim;
elements shown: Attacker, Source, Handler (x2),
Agent (x2), Victim]
42
Remote Code Execution
  • What is it?
  • Remote code execution is an impact due to the
    exploitation of a vulnerability that results in
    execution of arbitrary code remotely through a
    system process or software.
  • Examples
  • Malformed ActiveX controls
  • Trojans creating a backdoor in the system
  • Impact
  • Results in a situation wherein the system can be
    compromised and the data can be corrupted.

43
Remote Code Execution
[Diagram: Internet -> lure the user -> execute arbitrary
code remotely on the user system; labels: Authenticode,
low memory conditions, User System]
44
Privilege Elevation
  • What is it?
  • Privilege elevation is an impact due to a
    vulnerability in a system such that an
    unauthorized or less privileged process or person
    obtains higher privileges.
  • Examples
  • Domain controller compromise
  • Root access
  • File access
  • Impact
  • By obtaining higher privileges an attacker or
    process can compromise the system.

45
Privilege Elevation
[Diagram: the attacker compromises the system with a
guest account; the DDE Agent runs using the Local System
security context; elements: Windows 2000 Domain
Controller, Windows XP; the attacker runs code in a
restricted context]
46
Vulnerability Assessment requirement in NSE CTCL
audits
  • Application Access Control
  • The installed CTCL system provides a system
    based access control over the CTCL server as well
    as the risk management and front end dealing
    applications while providing for security.
  • Session Security
  • The installed CTCL system provides for session
    security for all sessions established with the
    CTCL server by the front end application.
  • Database Security
  • The installed CTCL system has sufficient
    controls over the access to and integrity of the
    database.
  • Encryption
  • The installed CTCL system uses confidentiality
    protection measures to ensure session
    confidentiality.

47
Vulnerability Assessment vs Risk Assessment
  • Vulnerability Assessment template
  • Risk Assessment Table

48
Vulnerability Assessment in other Compliance
audits
  • Sarbanes-Oxley Act (SOX), USA
  • Section 302. CORPORATE RESPONSIBILITY FOR
    FINANCIAL REPORTS
  • Section 404. MANAGEMENT ASSESSMENT OF
    INTERNAL CONTROLS
  • companies to assess any risk associated with
    information technology or internal process that
    may affect/impact the accurate and timely
    reporting of financial information and to
    implement suitable controls
  • Clause 49 of the listing agreement
  • Management
  • As part of the directors' report or as an
    addition thereto, a Management Discussion and
    Analysis report should form part of the Annual
    Report to the shareholders. This Management
    Discussion and Analysis should include discussion
    on the following matters within the limits set by
    the company's competitive position:
  • Risks and concerns.
  • Internal control systems and their adequacy.

49
Relevant Weblinks
  1. http://cve.mitre.org - Common Vulnerabilities and
     Exposures
  2. http://us-cert.gov - USA Computer Emergency
     Response Team
  3. http://www.securitytracker.com - a popular
     vulnerability tracking portal
  4. http://www.cert-in.org.in - Indian Computer
     Emergency Response Team
  5. http://nvd.nist.gov - National Vulnerability
     Database, USA

50
Questions?
  • Thank You!