Title: Information Security Conference
Slide 1: Information Security Conference ISO 27001
- Vulnerability Assessment and Relevance of it in ISO 27001
- By M L. Srinivasan, CISSP, BS7799 LA
- Director Technical / CTO
Slide 2: Session Objectives
- To provide an introduction to the Vulnerability Assessment requirement in ISO 27001
- To provide an introduction to IT vulnerabilities
- To provide an overview of how vulnerabilities are distributed
- To provide an overview of types of vulnerabilities and related impacts
- To show how vulnerability assessment results are brought into the Risk Assessment exercise.
Slide 3: Vulnerability Assessment requirement in ISO 27001 (BS7799)
- What the standard says
- 1. Identify the risks
  - a) Identify the assets within the scope of the ISMS
  - b) Identify the threats to those assets
  - c) Identify the vulnerabilities that might be exploited by the threats
  - d) Identify the impacts that losses of confidentiality, integrity and availability may have on the assets
- 2. Assess the risks
  - a) Assess the business harm that might result from security failure.
  - b) Assess the realistic likelihood of such security failure occurring in the light of prevailing threats and vulnerabilities and the impacts associated with these assets.
Slide 4: IT Vulnerabilities, an Introduction
- Vulnerabilities in IT systems can be considered as holes or errors.
- The vulnerabilities may be due to improper system design, coding, or both.
- When a vulnerability is exploited, it results in a security violation, or in simple terms, an impact.
- Denial of service and privilege escalation are some examples of impacts.
Slide 5: What is Vulnerability Assessment?
- Vulnerability Identification is a process in which IT systems are scanned for known and unknown vulnerabilities using proper tools (called vulnerability scanners).
- Vulnerability Assessment is a process by which the identified vulnerabilities are analyzed and assessed for severity based on the criticality of the system.
Slide 6: Breakdown of IT vulnerabilities
- Generally, IT vulnerabilities are:
- 85% in application software
- 8% in operating systems
- 7% in devices
Slide 7: About CVE
- CVE is a list of names, or a dictionary, for all publicly known vulnerabilities and security exposures.
- The aim of CVE is to standardize the names for vulnerabilities and security exposures and make it easier to share them across separate vulnerability databases and security tools. It's a community-wide collaborative effort to provide the content of CVE as a result. CVE is sponsored by the U.S. Department of Homeland Security.
- CVE lives at http://cve.mitre.org or http://nvd.nist.gov
Slide 8: CVE in a Nutshell
Day 1 Session 4 Module 1 2
- One name for one vulnerability or exposure
- One standardized description for each vulnerability or exposure
- A dictionary rather than a database
- How disparate databases and tools can "speak" the same language
- The way to interoperability and better security coverage
- A basis for evaluation among tools and databases
- Accessible for review or download from the Internet
- Industry-endorsed via the CVE Editorial Board
- Abstract from www.cve.mitre.org
Slide 9: Structure of CVE List
- The CVE names, or "CVE numbers", "CVE-IDs" or "CVEs", are the standardized identifiers for publicly known information security vulnerabilities.
- The CVE identifier has an indication of "entry" or "candidate" status.
- A brief description of the security vulnerability or exposure.
- Any pertinent references
- Example
  Name: CVE-2005-2830
  Description: Microsoft Internet Explorer 5.01, 5.5, and 6, when using an HTTPS proxy server that requires Basic Authentication, sends URLs in cleartext, which allows remote attackers to obtain sensitive information, aka "HTTPS Proxy Vulnerability."
  Status: Candidate
  Reference: SECTRACK:1015350
  Reference: SECUNIA:15368
  Reference: CERTCAN-2005-2830
Slide 10: Common Vulnerabilities and Exposures (CVE) Growth Over Time
- Today the CVE Dictionary comprises:
- Total Unique Names: 15459
- Total Unique Entries: 3053
- Total Candidates: 12406
Slide 11: CERT Vulnerability Information
- CERT Vulnerability Notes is a comprehensive cyber security vulnerability database that integrates all publicly available vulnerabilities and exposures resources and provides references to industry resources. It is based on and synchronized with the CVE vulnerability naming standard.
- CERT-IN issues Vulnerability Information in the form of:
  - Advisories
  - Vulnerability Notes
  - Incident Notes
- Besides these, CERT-IN publishes many security guidelines and whitepapers.
Slide 12: CERT-IN Vulnerability Advisories
- CERT-IN advisories are issued collating multiple vulnerabilities in a single note during a particular month.
- For example:
  - CERT-In Advisory CIAD-2006-02 (January 12, 2006)
  - Vulnerabilities in WMF, Embedded Web Font, TNEF components of Microsoft Windows, IE, Outlook and Exchange
Slide 13: CERT-IN Vulnerability Notes
- CERT-IN Vulnerability Notes are issued for single and unique vulnerabilities.
- For example:
  - CERT-In Vulnerability Note CIVN-2006-03 (12 January, 2006)
  - Windows Embedded Web Font Vulnerability
Slide 14: CERT-IN Incident Notes
- CERT-IN Incident Notes are issued when a security incident or vulnerability exploitation is reported. Examples are virus outbreaks, hacking, etc.
- For example:
  - CERT-In Incident Note CIIN-2004-09 (27th July, 2004): Win32.MyDoom.M@mm Worm
  - CERT-In Incident Note CIIN-2004-08 (27th Jun, 2004; updated on 03rd July, 2004): Attacks on IIS Servers using malicious Java Scripts
Slide 15: Risk Categorization

Exploitation          | Access         | Category
----------------------|----------------|---------------
Remotely exploitable  | Administrative | Extremely High
Remotely exploitable  | User           | High
Locally exploitable   | Administrative | Very High
Locally exploitable   | User           | Medium
Slide 16: Business Criticality

Type of Entity | Criticality Rating
---------------|-------------------
Defense, nuclear installations, secret service, military, navy, air force and related supplier companies | Extremely High
Banks, financial institutions, hospitals, software development companies dealing in BFSI products, BPO companies dealing in knowledge processing, medical transcription and financial transaction processing, call centers dealing in outbound calls | Very High
Smaller software companies not developing mission-critical software, call centers dealing only with inbound calls | High
Other companies not falling in the above categories | Medium
Slide 17: Types of Vulnerabilities
- Access control error - lack of enforcement
- Authentication error - inadequate identification mechanisms
- Boundary error - inadequate checking/validating mechanisms
- Configuration error - improper configuration
- Exception handling error - improper setup or coding
- Input validation error - lack of verification mechanisms
- Randomization error - mismatch in random data
- Resource error - lack of resources
- State error - incorrect process flow
Slide 18: Access Control Error
- What is it?
  - It is an error due to lack of enforcement pertaining to users or functions that are permitted or denied access to an object or resource.
- Examples
  - Improper or no access control list or table
  - No privilege model
  - Inadequate file permissions
  - Improper or weak encoding
- Impact
  - Results in a situation wherein a file/object/process is accessed directly without authentication or routing.
Slide 19: Access control error example
[Diagram: the attacker steals authentication cookies of other user accounts. Labels: User Name, Data Posting System, Valid Posting, Invalid Posting]
Slide 20: Authentication Error
- What is it?
  - It is an error due to inadequate identification mechanisms, such that a user or a process is not correctly identified.
- Examples
  - Weak or static passwords
  - Improper or weak encoding or weak algorithms
- Impact
  - Results in a situation wherein a user or a process gains higher privileges. Example: root access to the system.
Slide 21: Authentication Error example
[Diagram: attacker sends 'adminnewstrue' to http://www.host.com/admin.php3 on the target host and is treated as Admin. Labels: Admin, Target Host, Attacker]
Slide 22: Boundary Check error
- What is it?
  - It is an error due to inadequate checking/validating mechanisms, such that the length of the data is not checked/validated against the size of the data storage or resource.
- Examples
  - Buffer overflow
  - Overwriting the original data in memory
  - Worms
- Impact
  - Results in a situation wherein memory is overwritten with some arbitrary code to gain access to programs. Example: command prompt access.
Slide 23: Buffer Overflow
- Examples
  - Stack overflow
  - Heap overflow
- Memory management
  - User mode
  - Kernel mode
Slide 24: Stack memory allocation
- The stack operates similar to a stack of plates in a cafe.
- The stack grows toward lower memory addresses.
Slide 25: Overflow
[Stack layout diagram: top of memory is the bottom of the stack, bottom of memory is the top of the stack. Labels: Buffer, str, ret, sfp; sizes marked 10, 4, 4, 4, 0]
The return address is overwritten with AAAA (0x41414141). The function exits and goes to execute the instruction at 0x41414141.
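A byte-level model of the frame drawn on the slide (a 10-byte buffer, then the saved frame pointer sfp, then the return address ret), added here as an example and not part of the original deck. It is a simulation in a bytearray, not real process memory; it shows which write reaches ret and why a length check stops it. The sample addresses are constructed.

```python
import struct

BUF_SIZE = 10          # "Buffer" on the slide
SFP_OFF = BUF_SIZE     # saved frame pointer sits right above the buffer
RET_OFF = SFP_OFF + 4  # return address sits above sfp
FRAME_SIZE = RET_OFF + 4

def new_frame(ret_addr=0x08048450, sfp=0xBFFFF7C8):
    """Build a frame: buffer zeroed, sfp and ret stored little-endian (x86 style).
    The two addresses are constructed sample values."""
    frame = bytearray(FRAME_SIZE)
    frame[SFP_OFF:SFP_OFF + 4] = struct.pack("<I", sfp)
    frame[RET_OFF:RET_OFF + 4] = struct.pack("<I", ret_addr)
    return frame

def return_address(frame):
    """Read back the 4-byte return address the way the CPU would on function exit."""
    return struct.unpack("<I", frame[RET_OFF:RET_OFF + 4])[0]

def unbounded_copy(frame, data):
    """strcpy-like: copies every byte into the buffer with no length check,
    so bytes 10..13 land on sfp and bytes 14..17 land on ret."""
    frame[0:len(data)] = data
    return frame

def bounded_copy(frame, data):
    """The boundary check the slide calls for: refuse input longer than the buffer."""
    if len(data) > BUF_SIZE:
        raise ValueError(f"input of {len(data)} bytes exceeds {BUF_SIZE}-byte buffer")
    frame[0:len(data)] = data
    return frame

def demo():
    """18 bytes of 'A' (0x41) through the unchecked copy: ret becomes 0x41414141."""
    f = unbounded_copy(new_frame(), b"A" * FRAME_SIZE)
    return hex(return_address(f))
```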
Slide 26: Configuration error
- What is it?
  - It is an error due to improper configuration of system parameters or leaving the default configuration settings as they are.
- Examples
  - Windows security policy configuration
  - File and print access on internet connections
- Impact
  - Results in a situation wherein the system can be compromised.
Slide 27: Configuration Error Example
[Diagram: a remote user reaching the system over the Internet]
Slide 28: Exception handling error
- What is it?
  - It is an error due to improper setup or coding such that the system fails to handle or properly respond to exceptional or unexpected data or conditions.
- Examples
  - SQL injection
- Impact
  - Results in a situation wherein user credentials can be captured by injecting exceptional data.
Slide 29: Exception handling error - SQL Injection
On submitting the page with an arbitrary SQL command (here a stray quote in the user name), the backend query looks like:
    select * from user_details where user_name = 'user1'' and pass_word = ''
By using the group by clause the SQL query is modified at the backend process as found below:
    select * from user_details where user_name = 'user1' group by (pass_word)--
The error message gives the attacker a new column name, user_id, and also the table name, user_details. The attacker now knows that there is a column in the table called password. By repeatedly applying the group by clause with every new column name found, the attacker is able to learn all the column names in the table.
By using the union clause the SQL query is modified at the backend process as found below:
    select * from user_details where user_name = '' union select MIN(user_name), 1,1,1,1,1 from user_details where user_name > 'u'--' and pass_word = ''
The error message gives the attacker the valid username.
    select * from user_details where pass_word = '' union select MIN(user_name), 1,1,1,1,1 from user_details where user_name > 'vijaylourduraj'--' and pass_word = ''
The error message gives the attacker the valid password for username vijaylourduraj.
By using the union clause the attacker identifies the username and password.
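The deck's user_details queries run against an in-memory SQLite table, as an added example that is not part of the original slides: the string-built query is rewritten by the union/comment payload shown above, while the parameterised query treats the same text as a plain literal. Column names follow the slide; the six-column table width and the sample rows are constructed so that the slide's union lines up.

```python
import sqlite3

def make_db():
    """Constructed sample data; the extra columns pad the table to six so the
    'select min(user_name),1,1,1,1,1' on the slide matches 'select *'."""
    con = sqlite3.connect(":memory:")
    con.execute("create table user_details (user_id, user_name, pass_word, role, email, phone)")
    con.executemany("insert into user_details values (?,?,?,?,?,?)", [
        (1, "user1", "s3cret", "user", "u1@example.test", "000"),
        (2, "vijaylourduraj", "pa55", "admin", "vj@example.test", "111"),
    ])
    return con

def login_vulnerable(con, user_name, pass_word):
    """Builds the SQL by string concatenation: user input becomes query text."""
    sql = ("select * from user_details where user_name = '" + user_name +
           "' and pass_word = '" + pass_word + "'")
    return con.execute(sql).fetchall()

def login_safe(con, user_name, pass_word):
    """Placeholders: the driver passes the values separately, never as query text."""
    sql = "select * from user_details where user_name = ? and pass_word = ?"
    return con.execute(sql, (user_name, pass_word)).fetchall()

# The union payload from the slide; the trailing '--' comments out the password check.
PAYLOAD = "' union select min(user_name),1,1,1,1,1 from user_details where user_name > 'u'--"

def demo():
    """Same input to both logins: the concatenated query leaks a username row,
    the parameterised query finds no user called PAYLOAD and returns nothing."""
    con = make_db()
    leaked = login_vulnerable(con, PAYLOAD, "")   # [('user1', 1, 1, 1, 1, 1)]
    blocked = login_safe(con, PAYLOAD, "")        # []
    return leaked, blocked
```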
Slide 30: Input validation error
- What is it?
  - It is an error due to lack of verification mechanisms to validate the input data or contents.
- Examples
  - Directory traversal
  - ../ malformed URLs
- Impact
  - Results in a situation wherein, due to poor input validation, access to system privileged programs may be obtained.
Slide 31: Input validation Error example
- http://targethost/application/cgi-bin/errorpage.cgi/?action=startpg ../../../../../../../../../../../../../../cmd.exe
[Diagram: Remote User sends the request to the Target Host]
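One way to validate the "action" parameter from the slide's URL before it becomes a file path, added as an example that is not from the original deck: resolve the requested name against a fixed base directory and reject anything that ends up outside it. The base directory and the sample values are constructed.

```python
import os
import urllib.parse

PAGES_DIR = "/srv/app/pages"   # assumed location of the error pages

def resolve_page(action):
    """Return the absolute path for the page named by `action`,
    or None if the resolved path escapes PAGES_DIR."""
    base = os.path.realpath(PAGES_DIR)
    # Decode once so %2e%2e style encoding is seen as '..', then normalise the
    # joined path: realpath collapses every '../' and follows symlinks.
    candidate = os.path.realpath(os.path.join(base, urllib.parse.unquote(action)))
    # An absolute `action` makes os.path.join drop the base, and a chain of
    # '../' walks above it; both fail this containment check.
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate

def page_from_url(url):
    """Pull the action parameter out of a request URL like the one on the slide
    and resolve it with the same check."""
    query = urllib.parse.urlparse(url).query
    params = urllib.parse.parse_qs(query)
    action = params.get("action", [""])[0]
    return resolve_page(action)
```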
Slide 32: Randomization Error
- What is it?
  - It is an error due to a mismatch in random data that results in insufficient random data for the process.
- Examples
  - Weak encryption key
  - Insufficient random data
- Impact
  - Results in a situation wherein a cryptographic key can be compromised.
Slide 33: Randomization Error example
[Diagram: Internet Relay Chat. The CheckGroup() function does not properly ensure that the variable "p" contains a number which is prime, leading to a weak cryptographic key (shown as 12 14 04 06 08 22 46 36 12 14). A remote user decrypts the data and determines the keys used.]
Slide 34: Resource Error
- What is it?
  - It is an error due to lack of resources available for correct operations or processes.
- Examples
  - Memory getting full
  - CPU completely utilized
- Impact
  - Results in a situation wherein the system becomes unstable or hangs due to lack of resources.
Slide 35: TCP Connection Establishment
[Diagram: the TCP back-log queue, a one-dimensional array of slots for waiting SYN messages]
Slide 36: TCP Half Open Connection
[Diagram: a spoofed SYN (Seq X) arrives; the server replies SYN-ACK (Seq Y, Seq X) to the spoofed address; the half-open entry waits in the TCP back-log queue]
Slide 37: Resource Error
[Diagram: the attacker sends spoofed SYN packets; the TCP back-log queue fills with half-open entries; the real SYN (Seq X) is dropped here]
Slide 38: Typical Impacts of IT Vulnerabilities
- Denial of service
- Remote code execution
- Privilege escalation
- Unauthorized user access
- Disclosure of user information
Slide 39: Denial of Service
- What is it?
  - Denial-of-service is a situation wherein legitimate users of a service are prevented from using that service.
- Examples
  - Flooding a network, thereby preventing legitimate network traffic
  - Disrupting connections between two machines, thereby preventing access to a service
  - Preventing a particular individual from accessing a service
  - Disrupting service to a specific system or person
- Impact
  - Results in a situation wherein a file/object/process is not available to legitimate users.
Slide 40: Denial of Service - DOS
Slide 41: Distributed Denial of Service
[Diagram: Attacker (source) -> Handlers -> Agents -> Victim]
Slide 42: Remote Code Execution
- What is it?
  - Remote code execution is an impact due to exploitation of a vulnerability, which results in execution of arbitrary code remotely using a system process or software.
- Examples
  - Malformed ActiveX controls
  - Trojans creating a backdoor in the system
- Impact
  - Results in a situation wherein the system can be compromised and the data can be corrupted.
Slide 43: Remote Code Execution
[Diagram: over the Internet, lure the user; execute arbitrary code remotely on the user system. Labels: Authenticode, low memory conditions, User System]
Slide 44: Privilege Elevation
- What is it?
  - Privilege elevation is an impact due to a vulnerability in a system such that an unauthorized or less privileged process or person obtains higher privileges.
- Examples
  - Domain controller compromise
  - Root access
  - File access
- Impact
  - By obtaining higher privileges an attacker or process can compromise the system.
Slide 45: Privilege Elevation
[Diagram: the attacker compromises a Windows XP system with a guest account and runs code in a restricted context; the DDE Agent runs using the Local System security context; Windows 2000 Domain Controller]
Slide 46: Vulnerability Assessment requirement in NSE CTCL audits
- Application Access Control
  - The installed CTCL system provides a system-based access control over the CTCL server as well as the risk management and front end dealing applications while providing for security.
- Session Security
  - The installed CTCL system provides for session security for all sessions established with the CTCL server by the front end application.
- Database Security
  - The installed CTCL system has sufficient controls over the access to and integrity of the database.
- Encryption
  - The installed CTCL system uses confidentiality protection measures to ensure session confidentiality.
Slide 47: Vulnerability Assessment vs Risk Assessment
- Vulnerability Assessment template
- Risk Assessment Table
Slide 48: Vulnerability Assessment in other Compliance audits
- Sarbanes Oxley Act (SOX), USA
  - Section 302. CORPORATE RESPONSIBILITY FOR FINANCIAL REPORTS
  - Section 404. MANAGEMENT ASSESSMENT OF INTERNAL CONTROLS
  - Requires companies to assess any risk associated with information technology or internal processes that may affect/impact the accurate and timely reporting of financial information, and to implement suitable controls.
- Clause 49 of the listing agreement
  - Management
  - As part of the directors' report, or as an addition thereto, a Management Discussion and Analysis report should form part of the Annual Report to the shareholders. This Management Discussion and Analysis should include discussion on the following matters within the limits set by the company's competitive position:
    - Risks and concerns.
    - Internal control systems and their adequacy.
Slide 49: Relevant Weblinks
- http://cve.mitre.org - Common Vulnerabilities and Exposures
- http://us-cert.gov - USA Computer Emergency Response Team
- http://www.securitytracker.com - a popular vulnerability tracking portal
- http://www.cert-in.org.in - Indian Computer Emergency Response Team
- http://nvd.nist.gov - National Vulnerability Database, USA
Slide 50: Questions?