Bleeding Servers – How Hackers are Exploiting Known Vulnerabilities

© 2014 Imperva, Inc. All rights reserved.
Bleeding Servers – How Hackers
Are Exploiting Known Vulnerabilities
Confidential1
Terry Ray, VP of Global Security Engineering, Imperva

Agenda
Confidential2
§  Latest Verizon Data Breach Investigation
Report (DBIR) Stats
§  Examining Vulnerabilities and Exploits
§  HeartBleed Deep-Dive
§  Understanding Data Theft
§  Mitigating HeartBleed and CVEs

Terry Ray, VP of Global Security Engineering
Confidential3
§  Speaker at Industry Events
•  ISSA, IANS, ISACA, Gartner, RSA
§  Designed and deployed data security solutions
for hundreds of customers in various verticals
including:
•  Healthcare
•  Oil and gas
•  Financial services
•  Government
•  eCommerce
§  Lectured on various network and data security
topics and taught numerous security courses in
over 35 countries globally

Latest Breach Statistics
Confidential4
Yay! A New Verizon DBIR to Talk About

The Big Winners
Confidential5

The Big Winners
Confidential6

The Big Winners
Confidential7

The Big Winners
Confidential8

Actual Data Loss – Breach vs Incident
Confidential9

Who’s Attacking – Hactivists vs Criminals
Confidential10
§  “Greed takes a back seat to ideology when it comes to
web app attacks in the 2013 dataset”
§  “74% [of ideology motivated attacks] focus on tried and
true exploits”
•  Adobe PDF with embedded exe – 4 years old
•  Microsoft server stack corruption – 6 years old
•  Microsoft RPC DCOM bug—or MS03-026 – a staggering 10 years
old—you might remember it as Blaster
•  All still in the wild

How You Find Out That You’ve Been Hacked
Confidential11
§  Financially motivated – discovered by customers
§  Hactivists – discovered by external sources
•  “uhh, hey guys, did you know that your webserver is
attacking us”
§  But we’re getting better at detecting breaches
ourselves
•  9%

CVEs Explored
Confidential12

Stay On Top of Vulnerabilities
Confidential13
§  The Common Vulnerabilities and Exposures (CVE)
system provides a reference-method for publicly known
information-security vulnerabilities and exposures.
§  http://cve.mitre.org/cve/

Classic Web Site Hacking
Confidential14
Hacking
1.  Identify Target
2.  Find Vulnerability
3.  Exploit
Single Site Attack

Classic Web Site Hacking
Confidential15
Hacking
3.  Exploit
Hacking
3.  Exploit
Hacking
3.  Exploit
Hacking
3.  Exploit
Hacking
3.  Exploit
Multiple Site Attacks

Exploit Hacking
Confidential16
Hacking
1.  Identify CVE
2.  Weaponize Vulnerability
3.  Exploit
Vulnerability Targeting
Attack

© 2014 Imperva, Inc. All rights reserved.17
The Attacker’s Focus
Server Takeover
Direct Data Theft
Confidential
Source: http://www.mediabistro.com/fishbowldc/suspended-politico-scribe-hacked_b76882
Source: http://www.connectmidmissouri.com/news/story.aspx?id=600968

HeartBleed
Confidential18
Source: http://thequestionconcerningtechnology.blogspot.com/

What Is It and Why Do We Care?
Confidential19
§  The Heartbleed Bug is a serious vulnerability in the
popular OpenSSL cryptographic software library.
§  When it is exploited it leads to the leak of memory
contents from the server to the client and from the client
to the server.
§  According to Netcraft's April 2014 Web Server Survey of
958,919,789 websites, the combined market share of
Apache and nginx products on the Internet was over
66%.

But There’s a Patch, Right?
Confidential20
§  This vulnerability was first included in OpenSSL release
1.0.1 on 14th of March 2012. OpenSSL 1.0.1g released
on 7th of April 2014 fixes the issue
§  Affected Systems: OpenSSL versions 1.0.1 to 1.0.1f

Isn’t It Hard to Exploit?
Confidential21
Metasploit: Easy as pulling a trigger.
Source: http://www.smosh.com/smosh-pit/lists/12-monkeys-guns

Here, We Have a Secure Website
Confidential22

Fire Up a VM of Kali Linux and Try It Out
Confidential23

And We Have Leaked Data
Confidential24

So How Bad Is It?
Confidential25

How Bad Can It Really Get?
Confidential26

Retrieved Private Key
Confidential27

What Can We Do With This?
Confidential28
§  Steal session details and spoof users
§  Steal username and passwords
§  Steal cryptographic keys
•  Man-in-the-middle attacks
•  Spoofed website with valid SSL keys
•  Spear Phishing Attack

Data Theft
Confidential29

An Overlooked Data Security Risk
Confidential30
Databases and file servers, both repositories of
so much valuable information, are targeted
regularly…
Admins unknowingly
make unsupported
database changes.
Malware-compromised
insiders access the
database.
Unpatched vulnerabilities
allow exploit vectors.
2014 Verizon Data Breach Investigations Report

Protecting Your Data
Confidential31
§  “the high number of incidents still offers some insight …
where the victim’s anti-virus (AV) and intrusion prevention
system (IPS) shields could not repel firepower of that
magnitude”

Enterprise Security Is Evolving
Confidential32
1st pillar:
Endpoint Security
Blocks threats
targeting devices
2nd pillar:
Network Security
Blocks threats trying to
access the network
3rd pillar:
Data Center Security
Protects high-value
targets, keeping them
both secure and
accessible
Imperva provides the third pillar of enterprise security

Mitigation
Confidential33
Protecting Your Data From Known Vulnerabilities

Heartbleed Specific
Confidential34
§  Test all servers for vulnerability
§  Patch all affected servers
§  Reissue new certificates
§  Revoke all old certificates
Source: http://www.secnews.gr/archives/78340

Locate and Assess Servers and Apps
3535
§  Scan your network to identify all assets (cloud and
local)
•  Classify assets by information and brand sensitivity to identify
high risk landscapes
•  Prioritize efforts based on risk levels
§  Secure Database Access
•  Scan DBs for vulnerabilities or configuration flaws
•  Remove any default or unnecessary user accounts
•  Disable unneeded services

Perform Vulnerability Assessments
3636
§  Perform Vulnerability Assessments
•  Scan both Network and Application Layers
•  Scan all known Web Assets
•  Scan Concurrently and Continuously
•  Analyze application functionality for DDoS attack potential
and Business Logic based exploits
•  Implement assessment practice across the entire SDLC
Design" Development" QA" Production"

Block Web Attacks and Attack Sources
Web attacks like SQL injection, cross-site
scripting, directory traversal, and CSRF
HTTP protocol violations like extremely long
URLs and malformed Apache URI messages
Malicious sources that have attacked other sites
Known desktop scanners and hacker tools like
Nikto and Paros based on user agent or the
frequency of security violations
37

Webinar Materials
38
Post-Webinar
Discussions
Answers to
Attendee
Questions
Webinar
Recording Link
Join Group
Join Imperva LinkedIn Group,
Imperva Data Security Direct, for…

Learn more
www.imperva.com
39

Bleeding Servers – How Hackers are Exploiting Known Vulnerabilities

More Related Content

What's hot (20)

Viewers also liked (12)

Similar to Bleeding Servers – How Hackers are Exploiting Known Vulnerabilities (20)

More from Imperva (19)

Recently uploaded (20)

Bleeding Servers – How Hackers are Exploiting Known Vulnerabilities