IT Infrastructure Security


1. Agenda
   • Basics – Information Security
   • Infra Security Threats
   • Systems Threats & Countermeasures
   • Database Threats & Countermeasures
   • Network Threats & Countermeasures
   • Layered defense
   • Questions
2. Basics – Information Security
   Information architecture: Data lifecycle, Data flow, Data storage
   Information classification: Private, Public, Confidential
   Information assets: People, Process, Technology
3. Infra – Security Threats
   Virus: A program or piece of code that is loaded onto your computer without your knowledge and runs against your wishes.
   Trojan Horse: A destructive program that masquerades as a benign application. Unlike viruses, Trojan horses do not replicate themselves.
   Worm: A program or algorithm that replicates itself over a computer network and usually performs malicious actions.
4. Infra – Security Threats – Contd
   Adware is considered a legitimate alternative offered to consumers who do not wish to pay for software. Programs, games or utilities can be designed and distributed as freeware.
   Spyware is considered a malicious program and is similar to a Trojan horse in that users unwittingly install the product when they install something else.
   Malware is the short form of malicious software; it consists of programming (code, scripts, active content, and other software) designed to disrupt or deny operation, gather information that leads to loss of privacy or exploitation, gain unauthorized access to system resources, and other abusive behaviour.
   Rootkit is software that enables continued privileged access to a computer while actively hiding its presence from administrators by subverting standard operating system functionality or other applications.
5. System Threats & Countermeasures
   • SMB relay – MITM
   • FTP bouncing
   • DNS Cache Poisoning
   • Insider threat – Windows environment
6. SMB Relay Attack – Explained
   An SMB relay attack is a type of man-in-the-middle attack where the attacker asks the victim to authenticate to a machine controlled by the attacker, then relays the credentials to the target. The attacker forwards the authentication information both ways, giving him access.
   Here are the players in this scenario:
   • The attacker is the person trying to break into the target
   • The victim is the person who has the credentials
   • The target is the system the attacker wants access to, and that the victim has credentials for
   And here is the scenario (see the image at the right for a diagram):
   1. Attacker tricks the victim into connecting to him
   2. Attacker establishes a connection to the target and receives the 8-byte challenge
   3. Attacker sends the 8-byte challenge to the victim
   4. Victim responds to the attacker with the password hash
   5. Attacker responds to the target's challenge with the victim's hash
   6. Target grants access to the attacker
   Counter Measures
   • Preventive: Signed SMBs (NTLM v2)
   • Detective: Log monitoring – TCP 139/445 transactions
   • Compensative: Layered defence
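The detective control above (monitoring TCP 139/445 transactions) can be made concrete: in step 2 and step 3 of the scenario the target's 8-byte challenge is issued on one connection and then re-issued by the attacker on a second one, so the same challenge value seen from two different "servers" is a relay indicator. The following is an added example, not code from the slide deck; it assumes a hypothetical sensor that logs each NTLM CHALLENGE message as "ts client server challenge", and the log lines are constructed.

```python
"""Flag NTLM server challenges that reappear on a second SMB connection.

Added example, not from the slide deck. Assumes a sensor that records every
NTLM CHALLENGE message seen on TCP 139/445 as "ts client server challenge".
"""
from collections import defaultdict

# Constructed sample log: 10.0.0.5 receives a challenge from 10.0.0.20 and
# immediately issues the very same challenge to 10.0.0.50 (the relay step).
SAMPLE_LOG = """\
10:00:01 10.0.0.5  10.0.0.20 1122334455667788
10:00:01 10.0.0.50 10.0.0.5  1122334455667788
10:00:02 10.0.0.7  10.0.0.20 0f1e2d3c4b5a6978
10:00:05 10.0.0.8  10.0.0.21 aabbccddeeff0011
"""


def parse_challenges(log_text):
    """Parse log lines into dicts; blank lines are skipped."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, server, challenge = line.split()
        events.append({"ts": ts, "client": client, "server": server,
                       "challenge": challenge.lower()})
    return events


def find_relayed_challenges(events):
    """Return one finding per challenge value issued by more than one server.

    A server picks its 8-byte challenge at random per session, so the same
    value coming from two different 'servers' means one of them forwarded it.
    The host that is a server for one copy and a client for the other is the
    relay point.
    """
    by_challenge = defaultdict(list)
    for e in events:
        by_challenge[e["challenge"]].append(e)
    findings = []
    for challenge, evs in by_challenge.items():
        servers = {e["server"] for e in evs}
        if len(servers) < 2:
            continue
        clients = {e["client"] for e in evs}
        findings.append({"challenge": challenge,
                         "servers": sorted(servers),
                         "relay_host": sorted(servers & clients)})
    return findings
```

With SMB signing enforced (the preventive control above) the relayed session fails even when this detection is absent, so the two controls complement each other.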
7. FTP Bouncing – Explained
   1. It is a fact that printers are usually installed with all the settings by default. This includes having the default administration password (if any), default administrative interfaces enabled, default services running, default SNMP community string, etc.
   2. It is interesting to note that some printers run an anonymous FTP server that users (and processes) can use to print documents. A user can upload a document to the FTP server running on the printer and it will be printed. Things get worse when you discover that the FTP server supports the PORT command.
   3. The PORT command is sent by the FTP client to establish a secondary channel for data to travel over. This command can be abused by an attacker to scan other hosts on your network, as shown in the next diagram.
   Diagram notes: an open port completes the transfer over the specified connection; a closed port results in the FTP server informing the source station that it can't build the connection.
   Counter Measures
   • Preventive: Deny FTP Passive, avoid FTP arbitrary network connections
   • Detective: IDS log monitoring
   • Compensative: Layered defense
8. DNS Cache Poisoning
   DNS cache poisoning is a maliciously created or unintended situation that provides data to a Domain Name Server that did not originate from authoritative DNS sources.
9. DNS Cache Poisoning – Explained
   1. A request is sent to the authoritative server for the queried domain. This is identical to the standard process for an iterative query – with one exception.
   2. A cracker has decided to poison the internal DNS server's cache. In order to intercept a query and return malicious information, the cracker must know the transaction ID. Once the transaction ID is known, the attacker's DNS server can respond as the authoritative server for the queried domain. Although this would be a simple matter with older DNS software (e.g. BIND 4 and earlier), newer DNS systems have built-in safeguards. In our example, the transaction ID used to identify each query instance is randomized. But figuring out the transaction ID is not impossible.
   3. All that's required is time. To slow the response of the real authoritative server, the cracker uses a botnet to initiate a Denial of Service (DoS) attack. While the authoritative server struggles to deal with the attack, the attacker's DNS server has time to determine the transaction ID.
   4. Once the ID is determined, a query response is sent to the internal DNS server. But the IP address in the response is actually the IP address of the attacker's site. The response is placed into the server's cache.
   Counter Measures
   • Preventive: Latest version of DNS software (BIND 9.3, Win 2003), DNSSEC
   • Detective: IDS log analysis
   • Compensative: Layered defense
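The safeguard the slide mentions, a randomized transaction ID, is only one of the checks a resolver applies before caching a response; it also matches the UDP source port, the server it asked and the question it sent. The following added example (not code from the slide deck) models that acceptance check and shows how much larger the guessing space becomes when the source port is randomized as well; the Query/Response classes are simplified stand-ins for the wire format, and the addresses are constructed.

```python
"""Resolver-side checks against forged DNS responses (added example, not
from the slide deck; addresses used in the tests are constructed)."""
import os
from dataclasses import dataclass

@dataclass(frozen=True)
class Query:
    txid: int
    src_port: int
    server: str
    qname: str
    qtype: str

@dataclass(frozen=True)
class Response:
    txid: int
    dst_port: int
    source: str
    qname: str
    qtype: str
    answer: str

EPHEMERAL_PORTS = 64511   # 1024..65534

class Resolver:
    def __init__(self):
        self.outstanding = {}   # (txid, port) -> Query
        self.cache = {}         # (qname, qtype) -> answer

    def send_query(self, server, qname, qtype="A"):
        # Random 16-bit ID plus a random ephemeral port: a blind spoofer
        # must guess both, not just the ID.
        txid = int.from_bytes(os.urandom(2), "big")
        port = 1024 + int.from_bytes(os.urandom(2), "big") % EPHEMERAL_PORTS
        q = Query(txid, port, server, qname.lower(), qtype)
        self.outstanding[(txid, port)] = q
        return q

    def receive(self, r):
        """Cache the answer only if it matches a query we actually sent."""
        q = self.outstanding.get((r.txid, r.dst_port))
        if (q is None or q.server != r.source
                or q.qname != r.qname.lower() or q.qtype != r.qtype):
            return False        # forged, stale or mismatched: drop it
        del self.outstanding[(r.txid, r.dst_port)]   # one answer per query
        self.cache[(q.qname, q.qtype)] = r.answer
        return True

def guess_space(randomized_port):
    """Combinations a blind spoofer must cover to hit one outstanding query."""
    return 2 ** 16 * (EPHEMERAL_PORTS if randomized_port else 1)
```

DNSSEC, the other preventive control listed, removes the guessing game entirely because a forged answer fails signature validation regardless of ID and port.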
10. Insider Threat – Unpatched application
11. Insider Threat – Backdoor & Password crack
12. Insider Threat – Misuse of Admin privilege
   Counter Measures
   • Preventive: Proper patch updates, least user privilege, role based access
   • Detective: IDS, file integrity monitors
   • Compensative: Layered defense
13. Database Threats & Countermeasures
   • Disparate attack vectors
   • SQL Injection
   • XSS – Cross Site Scripting
   • Buffer Overflow
   • Top 5 Process Gaps
14. Database Attack Vectors & Vulnerabilities
15. SQL Injection – Attack Explained
   1. SQL Injection is an attack method that targets the data residing in a database through the firewall that shields it.
   2. It attempts to modify the parameters of a Web-based application in order to alter the SQL statements that are parsed to retrieve data from the database.
   3. Enter the string as both user name and password in the frame on the right. This should get you logged in as a user (jake happens to be the first user in the table). This tells you that Jake is a user and it allows you to access his account.
   Privilege escalation using SQL injection: The GRANTEE parameter used in procedures of the SYS.DBMS_STREAMS_AUTH PL/SQL package is vulnerable to SQL injection. Exploitation of this vulnerability allows an attacker to execute arbitrary PL/SQL under the elevated privileges of the SYS user.
   Counter Measures
   • Preventive: Input validation / proper patch management
   • Detective: Audit log monitoring of high privilege grants
   • Compensative: Layered defence
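Step 3 of the slide describes a login form that accepts the injected string as both user name and password and returns the first user in the table. The following added example (not code from the slide deck) reproduces that login check in two forms, the string-built query that has the defect and the parameterized query that is the standard preventive fix alongside the input validation listed above; the user table and passwords are constructed.

```python
"""Login query built by string formatting beside its parameterized form.

Added example, not from the slide deck; the user table is constructed so that
jake is the first row, as in the slide's demo. Passwords are kept in clear
only to keep the sample short.
"""
import sqlite3


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, "
                 "username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users (username, password) VALUES (?, ?)",
                     [("jake", "s3cret"), ("alice", "hunter2")])
    return conn


def login_vulnerable(conn, username, password):
    """Concatenation: quotes in the input become part of the WHERE clause."""
    sql = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Placeholders: the driver passes the input as data, never as SQL text."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password)).fetchone()
    return row[0] if row else None


# The classic tautology: OR '1'='1' makes the WHERE clause true for every
# row, so the first user in the table is returned by the vulnerable query.
TAUTOLOGY = "' OR '1'='1"
```

The detective control above (auditing high-privilege grants) matters for the PL/SQL case on the slide, where the injected statement runs as SYS rather than merely selecting a row.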
16. XSS – Cross Site Scripting Basics
   Counter Measures
   • Preventive: HTTP Post method, URL randomization
   • Detective: IDS
   • Compensative: Layered defence
17. Buffer Overflow – Concept Explained
   Buffer overflow occurs when data is input or written beyond the allocated bounds of a buffer, array, or other object, causing a program crash or a vulnerability that hackers might exploit.
   1. The SYS.OLAPIMPL_T.ODCITABLESTART procedure in the sys package with Execute privilege has a buffer overflow in Oracle 9iR1 and 9iR2.
   2. EXECUTE privilege on DBMS_AQELM: Any Oracle database user with EXECUTE privilege on the package DBMS_AQELM can execute arbitrary code under the security context of the database server.
   3. IBM Lotus Domino IMAP CRAM-MD5 buffer overflow: It is prone to a remote buffer-overflow vulnerability because it fails to properly bounds-check user-supplied data before copying it to an insufficiently sized memory buffer.
   Counter Measures
   • Preventive: Input validation / patch updates
   • Detective: Log monitoring
   • Compensative: Layered defence
18. Top 5 Database Security Process Gaps
   • Poor privilege management
   • Poor patch management
   • Lack of SOD
   • Insecure communication protocol – TNS listener/DB links
   • Lack of powerful grants audit trigger
19. Network Threats & Countermeasures
   • Network re-direction
   • ARP cache poisoning
   • Connection hijacking
   • SYN flooding
   • Denial of Service
   • Distributed Denial of Service
20. Network Re-direction
   1. A port redirection attack is a trust exploitation-based attack that uses a compromised host to pass traffic through a firewall that the firewall would otherwise drop.
   2. As an example, the diagram shows a firewall with three interfaces: Inside, Outside, and DMZ, with Host A on the DMZ interface. A host located on the outside interface can reach Host A, but cannot reach the host on the inside, Host B. Host A can reach both the host on the outside and Host B.
   3. If a hacker can compromise Host A, the hacker can install software on the DMZ host that redirects traffic from the outside host directly to the inside host (Host B). Although neither communication violates the rules implemented in the firewall, the outside host now has connectivity to the inside host through the port redirection process on the DMZ host.
   Counter Measures
   • Preventive: HIPS, proper trust model and restricted services
   • Detective: Log monitoring
   • Compensative: Layered defence
21. ARP Poisoning
   1. In normal operation the computers on the LAN use the ARP protocol to acquire and memorize each other's NIC MAC address, which they use for sending network data to each other.
   2. But the ARP protocol provides no protection against misuse. An attacking computer on the same LAN can simply send spoofed ARP replies to any other computers, telling them that its MAC address should receive the traffic bound for other IP addresses.
   3. This "ARP cache poisoning" can be used to redirect traffic throughout the LAN, allowing any malicious computer to insert itself into the communications stream between any other computers for the purpose of monitoring and even altering the data flowing across the LAN.
   Counter Measures
   • Preventive: Use static IP entries, using a batch script during login
   • Detective: ARP inspection
   • Compensative: Layered defense
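The two controls above can be combined in one check: static entries give a trusted baseline, and ARP inspection compares every reply seen on the LAN against that baseline and against the mappings learned so far. The following is an added example, not code from the slide deck; it assumes a hypothetical sensor that logs ARP replies as "ts sender_ip sender_mac", and every address in it is constructed.

```python
"""ARP inspection over a sample of observed ARP replies (added example, not
from the slide deck; every address below is constructed)."""
from collections import defaultdict

# Trusted static bindings, the slide's preventive control: here the gateway.
STATIC_BINDINGS = {"10.0.0.1": "00:11:22:33:44:01"}

# Sensor log of ARP replies: "ts sender_ip sender_mac". At 09:00:07 one NIC
# starts claiming both the gateway and a workstation address.
SAMPLE_ARP_LOG = """\
09:00:00 10.0.0.1  00:11:22:33:44:01
09:00:01 10.0.0.20 00:11:22:33:44:20
09:00:07 10.0.0.1  de:ad:be:ef:00:99
09:00:08 10.0.0.20 de:ad:be:ef:00:99
09:00:09 10.0.0.31 00:11:22:33:44:31
"""


def inspect_arp(log_text, static=STATIC_BINDINGS):
    """Return (alerts, multi_ip_macs).

    alerts: (ts, ip, reason, expected_mac, seen_mac) for replies that
    contradict a static binding or change an already learned mapping.
    multi_ip_macs: MACs that claimed more than one IP, the insertion
    pattern from step 3 of the slide.
    """
    learned = {}
    claimed = defaultdict(set)
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, mac = line.split()
        mac = mac.lower()
        claimed[mac].add(ip)
        if ip in static and static[ip] != mac:
            alerts.append((ts, ip, "static binding violated", static[ip], mac))
            continue            # never let a forged reply into the table
        old = learned.setdefault(ip, mac)
        if old != mac:
            alerts.append((ts, ip, "mac changed", old, mac))
            learned[ip] = mac
    multi_ip_macs = {m: sorted(ips) for m, ips in claimed.items()
                     if len(ips) > 1}
    return alerts, multi_ip_macs
```

A legitimate NIC replacement also triggers a "mac changed" alert, so the alert is a prompt to verify, while a single MAC claiming the gateway and a workstation at the same time is the stronger signal.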
22. Connection Hijacking
   1. The attacker examines the traffic flows with a network monitor and notices traffic from Employee X to a web server.
   2. The web server returns or echoes data back to the origination station (Employee X).
   3. Employee X acknowledges the packet.
   4. The cracker launches a spoofed packet to the server.
   5. The web server responds to the cracker. The cracker starts verifying SEQ/ACK numbers to double-check success. At this time, the cracker takes over the session from Employee X, which results in a session hanging for Employee X.
   6. The cracker can start sending traffic to the web server.
   7. The web server returns the requested data to confirm delivery with the correct ACK number.
   8. The cracker can continue to send data (keeping track of the correct SEQ/ACK numbers) until eventually setting the FIN flag to terminate the connection.
   Counter Measures
   • Preventive: Anti-spoofing
   • Detective: Log monitoring
   • Compensative: Layered defense
23. SYN Flooding
   Counter Measures
   • Preventive: Effective ingress filters
   • Detective: IDS
   • Compensative: Layered defense
24. DoS & DDoS
   A denial-of-service attack (DoS attack) or distributed denial-of-service attack (DDoS attack) is an attempt to make a computer resource unavailable to its intended users.
   Counter Measures
   • Preventive: Threshold / rate limiting / peak flow
   • Detective: IDS / SIEM
   • Compensative: HA / load balancers
25. Layered defense
   Infrastructure layer – Layers of Defense
   • Network: Multi vendor firewall, Intrusion Detection System, Monitoring & management, Log review
   • System: Computing environments, Server build check, Log reviews
   • Desktop/End Point: Desktop applications, End point security
   • User Access: User access requests, Multiple applications, Diversified technology
   Security Tools: RSA enVision, ArcSight, LogLogic, McAfee Suite, Symantec Suite, Trend Micro, CIS benchmark audit tools, WebSense, Blue Coat, TippingPoint, Foundstone, QualysGuard, AppScan