IT Infrastructure Security
Agenda
o Basics – Information Security
o Infra Security Threats
o Systems Threats & Countermeasures
o Database Threats & Countermeasures
o Network Threats & Countermeasures
o Layered defense
o Questions
Basics – Information Security
Information architecture    Information classification    Information assets
Data lifecycle              Private                       People
Data flow                   Public                        Process
Data storage                Confidential                  Technology
Infra - Security Threats
Virus: A program or piece of code that is loaded onto your
computer without your knowledge and runs against your wishes.
Trojan Horse: A destructive program that masquerades as a
benign application. Unlike viruses, Trojan horses do not
replicate themselves.
Worm: A program or algorithm that replicates itself over a
computer network and usually performs malicious actions.
Infra - Security Threats - Contd
Spyware is considered a malicious program and is similar to a Trojan horse in
that users unwittingly install the product when they install something else.

Adware is considered a legitimate alternative offered to consumers who do not
wish to pay for software. Programs, games or utilities can be designed and
distributed as freeware.

Malware, short for malicious software, consists of programming (code, scripts,
active content, and other software) designed to disrupt or deny operation,
gather information that leads to loss of privacy or exploitation, gain
unauthorized access to system resources, and other abusive behaviour.

A rootkit is software that enables continued privileged access to a computer
while actively hiding its presence from administrators by subverting standard
operating system functionality or other applications.
System Threats & Countermeasures


    SMB relay – MITM
    FTP bouncing
    DNS Cache Poisoning
    Insider threat – Windows environment
SMB Relay Attack - Explained
An SMB Relay attack is a type of man-in-the-middle attack
where the attacker asks the victim to authenticate to a
machine controlled by the attacker, then relays the
credentials to the target. The attacker forwards the
authentication information both ways, giving him access.
Here are the players in this scenario:
• The attacker is the person trying to break into the target
• The victim is the person who has the credentials
• The target is the system the attacker wants access to, and
that the victim has credentials for
And here is the scenario (see the image at the right for a
diagram):
1. Attacker tricks the victim into connecting to him
2. Attacker establishes connection to the target, receives the
8-byte challenge
3. Attacker sends the 8-byte challenge to victim
4. Victim responds to the attacker with the password hash
5. Attacker responds to the target's challenge with the
victim's hash
6. Target grants access to attacker
Counter Measures
• Preventive : Signed SMBs (NTLM V2)
• Detective : Log monitoring – TCP 139 445 transactions
• Compensative : Layered defence
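The detective control above is log monitoring of SMB authentication. The following is an added example, not part of the slides: it runs two relay heuristics over constructed Windows 4624 logon events against a constructed asset inventory (the inventory, event records and rule names are all assumptions for the demo). A relayed NTLM logon carries the victim's workstation name but arrives from the attacker's IP address, and NTLMv1 responses indicate the signing/NTLMv2 control is not in place.

```python
"""Flag possible SMB relay activity in Windows Security event 4624 records.
Added example; inventory and events are constructed, not from the slides."""

# Constructed asset inventory: the IP address each workstation should log on from.
INVENTORY = {
    "VICTIM-PC": "10.0.1.25",
    "ADMIN-WS": "10.0.1.30",
    "FILESRV01": "10.0.1.10",
}

# Constructed sample of 4624 (successful logon) records. LogonType 3 = network logon.
# In a relay, the target sees the victim's WorkstationName (carried inside the NTLM
# AUTHENTICATE message) while the TCP source address is the attacker's host.
EVENTS = [
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "LmPackageName": "NTLM V2", "TargetUserName": "jdoe",
     "WorkstationName": "VICTIM-PC", "IpAddress": "10.0.1.25", "Computer": "FILESRV01"},
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "LmPackageName": "NTLM V2", "TargetUserName": "jdoe",
     "WorkstationName": "VICTIM-PC", "IpAddress": "10.0.1.77", "Computer": "FILESRV01"},
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "LmPackageName": "NTLM V1", "TargetUserName": "svc_backup",
     "WorkstationName": "ADMIN-WS", "IpAddress": "10.0.1.30", "Computer": "FILESRV01"},
    {"EventID": 4624, "LogonType": 2, "AuthenticationPackageName": "Kerberos",
     "LmPackageName": "-", "TargetUserName": "jdoe",
     "WorkstationName": "VICTIM-PC", "IpAddress": "-", "Computer": "VICTIM-PC"},
]


def relay_indicators(events, inventory):
    """Return a list of (rule, event) findings for NTLM network logons."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 4624 or ev.get("LogonType") != 3:
            continue  # only successful network logons are relevant here
        if ev.get("AuthenticationPackageName") != "NTLM":
            continue  # Kerberos logons are not subject to this relay
        # Rule 1: NTLMv1 responses are weak; signing with NTLMv2 is the preventive control.
        if ev.get("LmPackageName") == "NTLM V1":
            findings.append(("ntlmv1_used", ev))
        # Rule 2: the claimed workstation does not match the source IP on record.
        expected_ip = inventory.get(ev.get("WorkstationName"))
        if expected_ip and ev.get("IpAddress") not in ("-", expected_ip):
            findings.append(("workstation_ip_mismatch", ev))
    return findings


def summarize(findings):
    """Collapse findings into a {rule: count} dict for a dashboard or alert."""
    counts = {}
    for rule, _ in findings:
        counts[rule] = counts.get(rule, 0) + 1
    return counts


if __name__ == "__main__":
    for rule, ev in relay_indicators(EVENTS, INVENTORY):
        print(f"{rule}: user={ev['TargetUserName']} ws={ev['WorkstationName']} "
              f"src={ev['IpAddress']} target={ev['Computer']}")
```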
FTP Bouncing - Explained
1. It is a fact that printers are usually installed with all
   the settings by default. This includes having the
   default administration password (if any), default
   administrative interfaces enabled, default services
   running, default SNMP community string, etc.
2. It is interesting to note that some printers run an
   anonymous FTP server that users (and processes)
   can use to print documents. A user can upload a
   document to the FTP server running on the printer
   and it will be printed. Things get worse when you
   discover that the FTP server supports the PORT
   command.
3. The PORT command is sent by the FTP client to
   establish a secondary channel for data to travel over.
   This command can be abused by an attacker to network
   scan other hosts on your network, as shown in the
   next
An open port completes the transfer over the specified
connection.
A closed port will result in the FTP server informing the
source station that the FTP server can't build the connection.
Counter Measures
• Preventive : Deny FTP Passive, Avoid FTP arbitrary connections.
• Detective : IDS Log monitoring
• Compensative : Layered defense
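The preventive control is to stop the server honouring a PORT command that points anywhere other than the client itself. As an added example (not from the slides, not any FTP server's real code), the block below parses the RFC 959 PORT argument and applies the two checks RFC 2577 recommends: the data address must equal the control-connection peer and the port must not be privileged. Addresses and ports are constructed.

```python
"""Server-side validation of the FTP PORT command against bounce abuse.
Added example with constructed addresses; not code from any FTP server."""
import ipaddress
import re

# PORT h1,h2,h3,h4,p1,p2 -> IPv4 address h1.h2.h3.h4, port p1*256+p2 (RFC 959)
_PORT_ARG = re.compile(r"^(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})$")


def parse_port_arg(arg):
    """Decode a PORT argument into (IPv4Address, port); ValueError if malformed."""
    m = _PORT_ARG.match(arg.strip())
    if not m:
        raise ValueError("malformed PORT argument")
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("octet out of range")
    addr = ipaddress.IPv4Address(".".join(str(n) for n in nums[:4]))
    port = nums[4] * 256 + nums[5]
    return addr, port


def check_port_command(arg, control_peer_ip):
    """Decide whether to honour PORT from the client at control_peer_ip.

    Returns (accepted, reply_line). The data address must be the client's own
    address (no third-party connections, so no bounce scan) and the port must
    not be a privileged port (< 1024), which is where such scans would aim.
    """
    try:
        addr, port = parse_port_arg(arg)
    except ValueError as exc:
        return False, f"501 Syntax error in parameters: {exc}"
    if addr != ipaddress.IPv4Address(control_peer_ip):
        return False, "500 Illegal PORT command: address differs from control connection"
    if port < 1024:
        return False, "500 Illegal PORT command: privileged port refused"
    return True, f"200 PORT command successful ({addr}:{port})"


if __name__ == "__main__":
    peer = "10.0.0.5"  # constructed client address
    for arg in ("10,0,0,5,4,1", "10,0,0,9,0,22", "10,0,0,5,0,80", "10,0,0,300,4,1"):
        print(arg, "->", check_port_command(arg, peer))
```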
DNS Cache Poisoning

DNS cache poisoning is a maliciously created or unintended
situation that provides data to a Domain Name Server that
did not originate from authoritative DNS sources
DNS Cache Poisoning - Explained
1. A request is sent to the authoritative server for
   companyA.com. This is identical to the standard process
   for an iterative query – with one exception.
2. A cracker has decided to poison the internal DNS server's
   cache. In order to intercept a query and return malicious
   information, the cracker must know the transaction ID.
   Once the transaction ID is known, the attacker's DNS
   server can respond as the authoritative server for
   companyA.com. Although this would be a simple matter
   with older DNS software (e.g. BIND 4 and earlier), newer
   DNS systems have built-in safeguards. In our example, the
   transaction ID used to identify each query instance is
   randomized. But figuring out the transaction ID is not
   impossible.
3. All that's required is time. To slow the response of the
   real authoritative server, the cracker uses a botnet to
   initiate a Denial of Service (DoS) attack. While the
   authoritative server struggles to deal with the attack,
   the attacker's DNS server has time to determine the
   transaction ID.
4. Once the ID is determined, a query response is sent to the
   internal DNS server. But the IP address for
   farpoint.companyA.com in the response is actually the IP
   address of the attacker's site. The response is placed into
   the server's cache.
Counter Measures
• Preventive : Latest version of DNS software BIND 9.3 Win 2003, DNSSEC
• Detective : IDS log analysis
• Compensative : Layered defense
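The safeguards in step 2 are the checks a caching resolver applies before it trusts a reply. The block below is an added example (not from the slides and not any resolver's real code) showing those checks on constructed messages: transaction ID, source-port and server-address matching, question-section matching, and a bailiwick rule that drops records outside the zone the queried server is authoritative for. Field names and message layout are assumptions for the demo.

```python
"""Resolver-side acceptance checks for a DNS response.
Added example with constructed messages; not code from any DNS software."""
import random


def new_query(name, qtype, server_ip):
    """Build an outgoing query with a random 16-bit ID and random source port.
    Randomizing the port as well as the ID multiplies the space a forger must guess."""
    return {
        "id": random.randrange(0, 1 << 16),
        "src_port": random.randrange(1024, 65536),
        "dst_ip": server_ip,
        "question": (name.lower().rstrip("."), qtype),
    }


def in_bailiwick(name, zone):
    """True if name is zone itself or a subdomain of it (label-boundary aware)."""
    name, zone = name.lower().rstrip("."), zone.lower().rstrip(".")
    return name == zone or name.endswith("." + zone)


def validate_response(query, response, bailiwick):
    """Return (accepted_records, rejection_reason).

    The whole response is discarded unless ID, destination port, server address
    and question match the outstanding query. Records outside the bailiwick are
    dropped even when the envelope matches, so one forged reply cannot overwrite
    unrelated cache entries.
    """
    if response["id"] != query["id"]:
        return [], "transaction id mismatch"
    if response["dst_port"] != query["src_port"]:
        return [], "destination port mismatch"
    if response["src_ip"] != query["dst_ip"]:
        return [], "response from unexpected server"
    q_name, q_type = query["question"]
    r_name, r_type = response["question"]
    if (r_name.lower().rstrip("."), r_type) != (q_name, q_type):
        return [], "question section mismatch"
    accepted = [rr for rr in response["records"] if in_bailiwick(rr["name"], bailiwick)]
    return accepted, None


if __name__ == "__main__":
    q = new_query("farpoint.companyA.com", "A", "198.51.100.10")  # constructed server
    # Forged reply with the right server address but a wrong guess at the ID.
    forged = {"id": (q["id"] + 1) & 0xFFFF, "dst_port": q["src_port"],
              "src_ip": q["dst_ip"], "question": q["question"],
              "records": [{"name": "farpoint.companyA.com", "type": "A", "data": "203.0.113.9"}]}
    print(validate_response(q, forged, "companyA.com"))
```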
Insider Threat – Unpatched application
Insider Threat – Backdoor & Password crack
Insider Threat – Misuse of Admin privilege
Counter Measures
• Preventive : Proper Patch updates, Least user privilege, Role based access.
• Detective : IDS, File integrity monitors
• Compensative : Layered defense
Database Threats & Countermeasures


    Disparate Attack vectors
    SQL Injection
    XSS Cross Site Scripting
    Buffer Overflow
    Top 5 Process Gaps
Database Attack Vectors & Vulnerabilities
SQL Injection – Attack Explained
1. SQL Injection is an attack method that targets the data residing in a
   database through the firewall that shields it.
2. It attempts to modify the parameters of a Web-based application in
   order to alter the SQL statements that are parsed to retrieve data
   from the database.
3. Enter the string as both user name and password in the frame on the
   right. This should get you logged in as a user (jake happens to be the
   first user in the table). This tells you that Jake is a user and it allows
   you to access his account.
Privilege Escalation using SQL injection
The GRANTEE parameter used in procedures of the SYS.DBMS_STREAMS_AUTH
PL/SQL package is vulnerable to SQL injection. Exploitation of this
vulnerability allows an attacker to execute arbitrary PL/SQL under the
elevated privileges of the SYS user.
Counter Measures
• Preventive : Input Validation/ Proper Patch management
• Detective : Audit log monitoring of high privilege grants
• Compensative : Layered defence
XSS – Cross Site Scripting Basics
Counter Measures
• Preventive : HTTP Post method, URL randomization
• Detective : IDS
• Compensative : Layered Defence
Buffer Overflow – Concept Explained
Buffer overflow occurs when data is input or written beyond
the allocated bounds of a buffer, array, or other object, causing
a program crash or a vulnerability that hackers might exploit.
1. SYS.OLAPIMPL_T.ODCITABLESTART Procedure in the sys
   package with Execute privilege has a Buffer Overflow
   in Oracle 9iR1 and 9iR2
2. EXECUTE privilege on DBMS_AQELM : Any Oracle
   database user with EXECUTE privilege on the
   package DBMS_AQELM can execute arbitrary code
   under the security context of the database server.
3. IBM Lotus Domino IMAP Cram-MD5 Buffer
   Overflow: It is prone to a remote buffer-overflow
   vulnerability because it fails to properly bounds-check
   user-supplied data before copying it to an
   insufficiently sized memory buffer.
Counter Measures
• Preventive : Input Validation/ Patch updates
• Detective : Log monitoring
• Compensative : Layered defence
Top 5 Database Security Process Gaps


 Poor Privilege management
 Poor Patch Management
 Lack of SOD
 Insecure communication protocol – TNS
  listener/DB links
 Lack of powerful grants audit trigger
Network Threats & Countermeasures


    Network Re-direction
    Arp-Cache poisoning
    Connection Hijacking
    SYN flooding
    Denial of Services
    Distributed Denial of Services
Network Re-direction
1. A port redirection attack is a trust exploitation-based attack
that uses a compromised host to pass traffic through a firewall
that the firewall would otherwise drop.
2. As an example, the diagram shows a firewall with three
interfaces: Inside, Outside, and DMZ, with Host A on the DMZ
interface. A host located on the outside interface can reach Host
A, but cannot reach the host on the inside, Host B. Host A can
reach both the host on the outside and Host B.
3. If a hacker can compromise Host A, the hacker can install
software on the DMZ host that redirects traffic from the outside
host directly to the inside host (Host B). Although neither
communication violates the rules implemented in the firewall, the
outside host now has connectivity to the inside host through the
port redirection process on the DMZ host.
Counter Measures
• Preventive : HIPS, Proper Trust model and restricted services
• Detective : Log monitoring
• Compensative : Layered defence
ARP - Poisoning
1. In normal operation the computers on the LAN use the
ARP protocol to acquire and memorize each other's NIC
MAC address, which they use for sending network data to
each other.
2. But the ARP protocol provides no protection against
misuse. An attacking computer on the same LAN can simply
send spoofed ARP Replies to any other computers, telling
them that its MAC address should receive the traffic bound
for other IP addresses.
3. This "ARP Cache Poisoning" can be used to redirect traffic
throughout the LAN, allowing any malicious computer to
insert itself into the communications stream between any
other computers for the purpose of monitoring and even
altering the data flowing across the LAN.
Counter Measures
• Preventive : Use Static IP entries using batch script during login
• Detective : Arp inspection
• Compensative : Layered defense
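The detective control here is ARP inspection. As an added example (not from the slides), the block below runs an inspection pass over a constructed stream of ARP replies against a constructed trusted binding table (what a DHCP snooping table or static entries would provide) and raises the three signals a poisoning host produces: a trusted binding is contradicted, an IP's MAC changes, and one MAC claims several IPs. All addresses, MACs and rule names are assumptions for the demo.

```python
"""ARP inspection over a constructed stream of ARP replies.
Added example; not the slides' own code and not any switch's real feature."""
from collections import defaultdict

# Constructed trusted bindings, e.g. from DHCP snooping or a static ARP configuration.
TRUSTED = {"10.0.0.1": "aa:bb:cc:00:00:01"}  # the default gateway

# Constructed ARP replies as (timestamp, sender_ip, sender_mac).
REPLIES = [
    (1.0, "10.0.0.1", "aa:bb:cc:00:00:01"),
    (1.2, "10.0.0.25", "aa:bb:cc:00:00:25"),
    (2.0, "10.0.0.66", "de:ad:be:ef:00:66"),
    (2.5, "10.0.0.1", "DE:AD:BE:EF:00:66"),   # 10.0.0.66's MAC now claims the gateway
    (2.6, "10.0.0.25", "de:ad:be:ef:00:66"),  # ... and the workstation: both sides of a MITM
]


def inspect_arp(replies, trusted=None):
    """Return a list of (rule, ip, old_mac, new_mac) alerts in stream order."""
    trusted = {ip: mac.lower() for ip, mac in (trusted or {}).items()}
    cache = {}                     # ip -> last MAC seen, what a victim's cache would hold
    ips_by_mac = defaultdict(set)  # mac -> every IP it has claimed
    alerts = []
    for _ts, ip, mac in replies:
        mac = mac.lower()          # MAC comparison must be case-insensitive
        if ip in trusted and trusted[ip] != mac:
            alerts.append(("trusted_binding_violation", ip, trusted[ip], mac))
        elif ip in cache and cache[ip] != mac:
            alerts.append(("ip_to_mac_changed", ip, cache[ip], mac))
        ips_by_mac[mac].add(ip)
        if len(ips_by_mac[mac]) > 1:
            alerts.append(("mac_claims_multiple_ips", ip, None, mac))
        cache[ip] = mac
    return alerts


def suspect_macs(alerts):
    """MACs that claimed more than one IP: the usual footprint of a poisoning host."""
    return {a[3] for a in alerts if a[0] == "mac_claims_multiple_ips"}


if __name__ == "__main__":
    found = inspect_arp(REPLIES, TRUSTED)
    for rule, ip, old, new in found:
        print(f"{rule}: {ip} {old} -> {new}")
    print("suspects:", suspect_macs(found))
```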
Connection Hijacking
1. The attacker examines the traffic flows with a
   network monitor and notices traffic from
   Employee X to a web server.
2. The web server returns or echoes data back to the
   origination station (Employee X).
3. Employee X acknowledges the packet.
4. The cracker launches a spoofed packet to the
   server.
5. The web server responds to the cracker. The
   cracker starts verifying SEQ/ACK numbers to
   double-check success. At this time, the cracker
   takes over the session from Employee X, which
   results in a session hanging for Employee X.
6. The cracker can start sending traffic to the web
   server.
7. The web server returns the requested data to
   confirm delivery with the correct ACK number.
8. The cracker can continue to send data (keeping
   track of the correct SEQ/ACK numbers) until
   eventually setting the FIN flag to terminate the
   connection.
Counter Measures
• Preventive : Anti-Spoofing
• Detective : Log monitoring
• Compensative : Layered defense
Syn - Flooding
Counter Measures
• Preventive : Effective Ingress filters.
• Detective : IDS
• Compensative : Layered defense
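Both the Connection Hijacking and Syn - Flooding slides name spoofing controls (Anti-Spoofing, Effective Ingress filters). As an added example covering both (not from the slides), the block below implements BCP 38-style ingress filtering on a constructed site prefix, then counts only the SYNs that survive the filter per destination and window, so a SYN threshold is not defeated by forged internal sources. Prefixes, interface names, thresholds and the packet sample are assumptions for the demo.

```python
"""Ingress anti-spoofing filter plus a per-destination SYN threshold.
Added example on constructed addresses; not the slides' own code."""
import ipaddress
from collections import defaultdict

# Constructed site addressing: what legitimately lives behind the inside interface.
INTERNAL = [ipaddress.ip_network("10.0.0.0/16")]
# Address space that must never appear as a source on the outside interface.
BOGONS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]


def _in_any(addr, nets):
    return any(addr in n for n in nets)


def ingress_decision(iface, src):
    """Return (action, reason) for a packet arriving on iface with source src."""
    addr = ipaddress.ip_address(src)
    if iface == "outside":
        if _in_any(addr, INTERNAL):
            return "drop", "internal address spoofed from outside"
        if _in_any(addr, BOGONS):
            return "drop", "bogon / non-routable source"
        return "accept", "ok"
    if iface == "inside":
        # Egress half of BCP 38: our hosts may only use our prefixes, so a
        # compromised host cannot join a spoofed flood against someone else.
        if not _in_any(addr, INTERNAL):
            return "drop", "source not in site prefixes"
        return "accept", "ok"
    return "drop", "unknown interface"


def syn_flood_sources(packets, window=1.0, threshold=100):
    """Count accepted SYNs per (destination, window); return buckets over threshold."""
    counts = defaultdict(int)
    for pkt in packets:
        if not pkt.get("syn"):
            continue
        if ingress_decision(pkt["iface"], pkt["src"])[0] != "accept":
            continue  # spoofed packets never reach the counter
        bucket = (pkt["dst"], int(pkt["ts"] // window))
        counts[bucket] += 1
    return {k: v for k, v in counts.items() if v > threshold}


def sample_packets():
    """Constructed traffic: one genuine burst and one burst with forged internal sources."""
    pkts = []
    for i in range(150):  # 150 SYNs in one second from a routable outside address
        pkts.append({"ts": 10.0 + i / 200, "iface": "outside", "src": "203.0.113.7",
                     "dst": "10.0.5.80", "syn": True})
    for i in range(150):  # 150 SYNs claiming to come from an inside workstation
        pkts.append({"ts": 12.0 + i / 200, "iface": "outside", "src": "10.0.1.25",
                     "dst": "10.0.5.80", "syn": True})
    return pkts


if __name__ == "__main__":
    print(ingress_decision("outside", "10.0.1.25"))
    print(syn_flood_sources(sample_packets()))
```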
DOS & DDOS
A denial-of-service attack (DoS attack) or distributed
denial-of-service attack (DDoS attack) is an attempt to make
a computer resource unavailable to its intended users.
Counter Measures
• Preventive : Threshold/Rate limiting/Peak flow
• Detective : IDS/SIEM
• Compensative : HA/Load balancers
Layered defense
Infrastructure – Layers of Defense
Network
• Multi Vendor Firewall
• Intrusion Detection System
• Monitoring & Management
• Log Review
System
• Computing Environments
• Server Build Check
• Log Reviews
Desktop/End Point
• Desktop Applications
• End point Security
User Access
• User Access Requests
• Multiple Applications
• Diversified Technology
Security Tools
• RSA enVision
• Arc Sight
• Log Logic
• McAfee Suite
• Symantec Suite
• Trend Micro
• CIS – Bench Mark Audit tools
• WebSense
• Blue Coat
• Tipping Point
• FoundStone
• Qualysguard
• AppScan
                                                       - 26 -
IT Infrastrucutre Security

More Related Content

PDF
Endpoint Detection & Response - FireEye
PPTX
Introduction To Vulnerability Assessment & Penetration Testing
PDF
ICS Network Security Monitoring (NSM)
PDF
Telecom Security
PDF
Module 19 (evading ids, firewalls and honeypots)
PDF
What is Cyber Security? | Introduction to Cyber Security | Cyber Security Tra...
PPTX
OSI Layer Security
PPTX
Ethical Hacking PPT (CEH)
Endpoint Detection & Response - FireEye
Introduction To Vulnerability Assessment & Penetration Testing
ICS Network Security Monitoring (NSM)
Telecom Security
Module 19 (evading ids, firewalls and honeypots)
What is Cyber Security? | Introduction to Cyber Security | Cyber Security Tra...
OSI Layer Security
Ethical Hacking PPT (CEH)

What's hot (20)

PPT
Disaster Recovery Plan
PPT
Introduction To OWASP
PPTX
Security Operation Center Fundamental
PPTX
System Security-Chapter 1
PPT
Information Assurance And Security - Chapter 1 - Lesson 4
PPTX
Digital signature & PKI Infrastructure
PPTX
The Six Stages of Incident Response - Auscert 2016
PPTX
Ethical Hacking Overview
PPTX
Cyber Threat Management
PPTX
Ethical hacking ppt
PDF
Penetration Testing Procedures & Methodologies.pdf
PPTX
Fundamentals of Network security
PPTX
Endpoint Security Pres.pptx
PPTX
Intrusion detection
 
PPTX
IT Security
PPTX
Cyberextortion
PPTX
MITRE ATT&CK framework
PDF
MITRE ATT&CK Framework
PDF
Cybersecurity 140713064844-phpapp01 (1)-converted
PPT
SOC presentation- Building a Security Operations Center
Disaster Recovery Plan
Introduction To OWASP
Security Operation Center Fundamental
System Security-Chapter 1
Information Assurance And Security - Chapter 1 - Lesson 4
Digital signature & PKI Infrastructure
The Six Stages of Incident Response - Auscert 2016
Ethical Hacking Overview
Cyber Threat Management
Ethical hacking ppt
Penetration Testing Procedures & Methodologies.pdf
Fundamentals of Network security
Endpoint Security Pres.pptx
Intrusion detection
 
IT Security
Cyberextortion
MITRE ATT&CK framework
MITRE ATT&CK Framework
Cybersecurity 140713064844-phpapp01 (1)-converted
SOC presentation- Building a Security Operations Center
Ad

Viewers also liked (15)

PPTX
E payment security – pci dss
PPTX
Information systems risk assessment frame workisraf 130215042410-phpapp01
PDF
11th Website Security Statistics -- Presentation Slides (Q1 2011)
PDF
Statistics - Top Website Vulnerabilities
PDF
Risks threats and vulnerabilities
PPTX
NIST 800 30 revision Sep 2012
PDF
NIST SP 800 30 Flow Chart
PDF
NIST 800-30 Intro to Conducting Risk Assessments - Part 1
PDF
Network infrastructure security management solution - A holistic approach in ...
PPT
Risk Assessment Process NIST 800-30
PDF
ISO 27005 Risk Assessment
PPT
Asset, Vulnerability, Threat, Risk & Control
PPTX
Risk assessment
PPTX
Powerpoint Risk Assessment
PDF
LinkedIn SlideShare: Knowledge, Well-Presented
E payment security – pci dss
Information systems risk assessment frame workisraf 130215042410-phpapp01
11th Website Security Statistics -- Presentation Slides (Q1 2011)
Statistics - Top Website Vulnerabilities
Risks threats and vulnerabilities
NIST 800 30 revision Sep 2012
NIST SP 800 30 Flow Chart
NIST 800-30 Intro to Conducting Risk Assessments - Part 1
Network infrastructure security management solution - A holistic approach in ...
Risk Assessment Process NIST 800-30
ISO 27005 Risk Assessment
Asset, Vulnerability, Threat, Risk & Control
Risk assessment
Powerpoint Risk Assessment
LinkedIn SlideShare: Knowledge, Well-Presented
Ad

Similar to IT Infrastrucutre Security (20)

PPTX
Lec 2- Hardening and whitelisting of devices
PDF
Data Retrieval over DNS in SQL Injection Attacks
PDF
20120329 Cybercrime threats on e-world
PDF
Detection of Distributed Denial of Service Attacks
DOC
V1_I2_2012_Paper4.doc
PDF
Day 2 Dns Cert 4a Cache Poisoning
PPTX
Intrusion detection system
PPT
Introduction To Information Security
PPTX
Security Threats to Electronic Commerce
PDF
Day 2 Dns Cert 4b Name Server Redirection
PDF
13th Symposium of Association of Anti Virus Asia Researchers (AAVAR 2010) con...
PPT
Ethical Hacking
PPT
Ethical hacking
PPTX
Network And Application Layer Attacks
PDF
Invited Talk - Cyber Security and Open Source
PPTX
Security concepts
PPTX
[FTP|SQL|Cache] Injections
PDF
Intrusion Techniques
PPT
Meletis Belsis - Introduction to information security
PPT
Web security
Lec 2- Hardening and whitelisting of devices
Data Retrieval over DNS in SQL Injection Attacks
20120329 Cybercrime threats on e-world
Detection of Distributed Denial of Service Attacks
V1_I2_2012_Paper4.doc
Day 2 Dns Cert 4a Cache Poisoning
Intrusion detection system
Introduction To Information Security
Security Threats to Electronic Commerce
Day 2 Dns Cert 4b Name Server Redirection
13th Symposium of Association of Anti Virus Asia Researchers (AAVAR 2010) con...
Ethical Hacking
Ethical hacking
Network And Application Layer Attacks
Invited Talk - Cyber Security and Open Source
Security concepts
[FTP|SQL|Cache] Injections
Intrusion Techniques
Meletis Belsis - Introduction to information security
Web security

Recently uploaded (20)

PDF
Reach Out and Touch Someone: Haptics and Empathic Computing
PDF
Shreyas Phanse Resume: Experienced Backend Engineer | Java • Spring Boot • Ka...
PPTX
Big Data Technologies - Introduction.pptx
PDF
Approach and Philosophy of On baking technology
PDF
NewMind AI Weekly Chronicles - August'25 Week I
PPTX
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
PDF
Bridging biosciences and deep learning for revolutionary discoveries: a compr...
PDF
Spectral efficient network and resource selection model in 5G networks
PPTX
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
PDF
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
PDF
Per capita expenditure prediction using model stacking based on satellite ima...
PDF
Review of recent advances in non-invasive hemoglobin estimation
PDF
Electronic commerce courselecture one. Pdf
PDF
The Rise and Fall of 3GPP – Time for a Sabbatical?
PDF
Network Security Unit 5.pdf for BCA BBA.
PDF
Empathic Computing: Creating Shared Understanding
PDF
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
PDF
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
PPTX
Cloud computing and distributed systems.
PPTX
PA Analog/Digital System: The Backbone of Modern Surveillance and Communication
Reach Out and Touch Someone: Haptics and Empathic Computing
Shreyas Phanse Resume: Experienced Backend Engineer | Java • Spring Boot • Ka...
Big Data Technologies - Introduction.pptx
Approach and Philosophy of On baking technology
NewMind AI Weekly Chronicles - August'25 Week I
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
Bridging biosciences and deep learning for revolutionary discoveries: a compr...
Spectral efficient network and resource selection model in 5G networks
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
Per capita expenditure prediction using model stacking based on satellite ima...
Review of recent advances in non-invasive hemoglobin estimation
Electronic commerce courselecture one. Pdf
The Rise and Fall of 3GPP – Time for a Sabbatical?
Network Security Unit 5.pdf for BCA BBA.
Empathic Computing: Creating Shared Understanding
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Cloud computing and distributed systems.
PA Analog/Digital System: The Backbone of Modern Surveillance and Communication

IT Infrastrucutre Security

  • 2. Agenda o Basics – Information Security o Infra Security Threats o Systems Threats & Countermeasures o Database Threats & Countermeasures o Network Threats & Countermeasures o Layered defense o Questions
  • 3. Basics – Information Security Information Information Information architecture classification assets Data lifecycle Private People Data flow Public Process Data storage Confidential Technology
  • 4. Infra - Security Threats virus: A program or piece of code that is loaded onto your computer without your knowledge and runs against your wishes. Trojan Horse: A destructive program that masquerades as a benign application. Unlike viruses, Trojan horses do not replicate themselves worm: A program or algorithm that replicates itself over a computer network and usually performs malicious actions
  • 5. Infra- Security Threats - Contd Adware is considered a legitimate alternative offered to consumers who do not wish to pay for software. Spyware is considered a malicious program and is similar to a Trojan horse in that users unwittingly install the product when they install something else. Adware is considered a legitimate alternative offered to consumers who do not wish to pay for software. Programs, games or utilities can be designed and distributed as freeware Malware is short form of malicious software, consists of programming (code, scripts, active content, and other software) designed to disrupt or deny operation, gather information that leads to loss of privacy or exploitation, gain unauthorized access to system resources, and other abusive behaviour. root kit is software that enables continued privileged access to a computer while actively hiding its presence from administrators by subverting standard operating system functionality or other applications.
  • 6. System Threats & Countermeasures  SMB relay – MITM  FTP bouncing  DNS Cache Poisoning  Insider threat – Windows environment
  • 7. SMB Relay Attack - Explained A SMB Relay attack is a type of man-in-the-middle attack where the attacker asks the victim to authenticate to a machine controlled by the attacker, then relays the credentials to the target. The attacker forwards the authentication information both ways, giving him access. Here are the players in this scenario •The attacker is the person trying to break into the target •The victim is the person who has the credentials •The target is the system the attacker wants access to, and that the victim has credentials for And here’s the scenario (see the image at the right for a diagram): 1.Attacker tricks the victim into connecting to him 2.Attacker establishes connection to the target, receives the Counter Measures 8-byte challenge 3.Attacker sends the 8-byte challenge to victim • Preventive : Signed SMBs (NTLM V2) 4.Victim responds to the attacker with the password hash 5.Attacker responds to the target’s challenge with the • Detective : Log monitoring – TCP victim’s hash 139 445 transactions 6.Target grants access to attacker • Compensative : Layered defence
  • 8. FTP Bouncing - Explained An open port completes the transfer over the specified connection 1. It is a fact that printers are usually installed with all the settings by default. This includes having the A closed port will result with the FTP server informing the default administration password (if any), default source station that the FTP server can't build the connection administrative interfaces enabled, default services running, default SNMP community string, etc. 2. It is interesting to note that some printers run an anonymous FTP server that users (and processes) can use to print documents. A user can upload a document to the FTP server running on the printer and it will be printed. Things get worse when you discover that the FTP server supports the PORT Counter Measures command. 3. The PORT command is sent by the FTP client to • Preventive : Deny FTP establish a secondary channel for data to travel over. Passive, Avoid FTP arbitrary connections. This command can be abused by attacker to network • Detective : IDS Log monitoring scan other hosts on your network, as shown in the • Compensative : Layered defense next
  • 9. DNS Cache Poisoning DNS cache poisoning is a maliciously created or unintended situation that provides data to a Domain Name Server that did not originate from authoritative DNS sources
  • 10. DNS Cache Poisoning - Explained 1. A request is sent to the authoritative server for companyA.com. This is identical to the standard process for an iterative query – with one exception. 2. A cracker has decided to poison the internal DNS server‘s cache. In order to intercept a query and return malicious information, the cracker must know the transaction ID. Once the transaction ID is known, the attacker‘s DNS server can respond as the authoritative server for companyA.com. Although this would be a simple matter with older DNS software (e.g. BIND 4 and earlier), newer DNS systems have built-in safeguards. In our example, the transaction ID used to identify each query instance is randomized. But figuring out the transaction ID is not impossible. 3. All that‘s required is time. To slow the response of the real authoritative server, cracker uses a botnet to initiate a Denial of Service (DoS) attack. While the authoritative Counter Measures server struggles to deal with the attack, the attacker‘s DNS server has time to determine the transaction ID. 4. Once the ID is determined, a query response is sent to the • Preventive : Latest version of internal DNS server. But the IP address for DNS software BIND 9.3 Win 2003, DNSSEC farpoint.companyA.com in the response is actually the IP • Detective : IDS log analysis address of the attacker‘s site. The response is placed into • Compensative : Layered defense the server‘s cache
  • 11. Insider Threat – Unpatched application
  • 12. Insider Threat – Backdoor & Password crack
  • 13. Insider Threat – Misuse of Admin privilege Counter Measures • Preventive : Proper Patch updates , Least user privilege, Role based access. • Detective : IDS ,File integrity monitors • Compensative : Layered defense
  • 14. Database Threats & Countermeasures  Disparate Attack vectors  SQL Injection  XSS Cross Site Scripting  Buffer Overflow  Top 5 Process Gaps
  • 15. Database Attack Vectors & Vulnerabilities
• 16. SQL Injection – Attack Explained 1. SQL Injection is an attack method that targets the data residing in a database through the firewall that shields it. 2. It attempts to modify the parameters of a Web-based application in order to alter the SQL statements that are parsed to retrieve data from the database. 3. Enter the string as both user name and password in the frame on the right. This should get you logged in as a user (jake happens to be the first user in the table). This tells you that Jake is a user and it allows you to access his account. Privilege Escalation using SQL injection: The GRANTEE parameter used in procedures of the SYS.DBMS_STREAMS_AUTH PL/SQL package is vulnerable to SQL injection. Exploitation of this vulnerability allows an attacker to execute arbitrary PL/SQL under the elevated privileges of the SYS user. Counter Measures • Preventive : Input Validation / Proper Patch management • Detective : Audit log monitoring of high privilege grants • Compensative : Layered defence
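Both the preventive and the detective control on this slide can be shown in a few lines. The example below is added here and is not from the slide deck: it places the string-concatenated login that the slide's "logged in as jake" scenario relies on beside the parameterised form that fixes it, and then scans a constructed audit trail for grants of powerful privileges, including EXECUTE on the packages the deck names. sqlite3 stands in for the Oracle database the slide discusses, the user table and the `key=value` audit-record format are constructed, and the privilege and package names in the watch-lists are assumptions except where the deck names them.

```python
# Added example, not from the slide deck. sqlite3 stands in for the Oracle database
# the slide discusses (an assumption); the users and audit-log format are constructed.
import sqlite3
from typing import List, Optional

USERS = [("jake", "s3cret"), ("maria", "hunter2")]  # constructed; jake is first in the table


def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users (name, password) VALUES (?, ?)", USERS)
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, user: str, pw: str) -> Optional[str]:
    """The 'before' form: user input is spliced into the statement text, so the
    input can rewrite the WHERE clause instead of merely being compared."""
    sql = f"SELECT name FROM users WHERE name = '{user}' AND password = '{pw}'"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_parameterised(conn: sqlite3.Connection, user: str, pw: str) -> Optional[str]:
    """The fixed form: placeholders keep the statement structure constant; the
    input only ever reaches the engine as a value."""
    row = conn.execute("SELECT name FROM users WHERE name = ? AND password = ?",
                       (user, pw)).fetchone()
    return row[0] if row else None


# Detective control from the slide: watch the audit trail for grants of powerful
# privileges, or of EXECUTE on packages the deck describes as dangerous.
POWERFUL_PRIVILEGES = {"DBA", "SYSDBA", "EXECUTE_ANY_PROCEDURE"}   # assumed watch-list
SENSITIVE_PACKAGES = {"DBMS_STREAMS_AUTH", "DBMS_AQELM"}            # named on the slides

AUDIT_LOG = [  # constructed key=value records, not real Oracle audit output
    "2023-05-01T10:02:11 user=APP_USER action=GRANT privilege=SELECT object=ORDERS grantee=REPORTING",
    "2023-05-01T10:05:42 user=SYS action=GRANT privilege=DBA grantee=APP_USER",
    "2023-05-01T10:07:03 user=SYS action=GRANT privilege=EXECUTE object=DBMS_STREAMS_AUTH grantee=APP_USER",
    "2023-05-01T10:09:30 user=SYS action=REVOKE privilege=DBA grantee=APP_USER",
]


def flag_powerful_grants(lines: List[str]) -> List[str]:
    """Return the audit records that grant a powerful privilege or a sensitive package."""
    flagged = []
    for line in lines:
        fields = dict(tok.split("=", 1) for tok in line.split()[1:])  # skip the timestamp
        if fields.get("action") != "GRANT":
            continue
        priv, obj = fields.get("privilege", ""), fields.get("object", "")
        if priv in POWERFUL_PRIVILEGES or (priv == "EXECUTE" and obj in SENSITIVE_PACKAGES):
            flagged.append(line)
    return flagged


if __name__ == "__main__":
    db = build_db()
    tautology = "' OR '1'='1"   # constructed: the classic always-true input
    print("vulnerable:", login_vulnerable(db, tautology, tautology))        # jake
    print("parameterised:", login_parameterised(db, tautology, tautology))  # None
    for hit in flag_powerful_grants(AUDIT_LOG):
        print("ALERT:", hit)
```

The vulnerable query returns the first row of the table, which is exactly why the slide says the login lands on jake; the parameterised version compares the whole string as a literal value and finds no match. Input validation as the slide lists it is a useful extra layer, but parameterisation is the control that removes the defect.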
  • 17. XSS – Cross Site Scripting Basics Counter Measures • Preventive : HTTP Post method, URL randomization • Detective : IDS • Compensative : Layered Defence
• 18. Buffer Overflow – Concept Explained Buffer overflow occurs when data is input or written beyond the allocated bounds of a buffer, array, or other object, causing a program crash or a vulnerability that hackers might exploit. 1. SYS.OLAPIMPL_T.ODCITABLESTART Procedure in sys package with Execute privilege has Buffer Overflow in Oracle 9iR1 and 9iR2 2. EXECUTE privilege on DBMS_AQELM : Any Oracle database user with EXECUTE privilege on the package DBMS_AQELM can execute arbitrary code under the security context of the database server. 3. IBM Lotus Domino IMAP Cram-MD5 Buffer Overflow: It is prone to a remote buffer-overflow vulnerability because it fails to properly bounds-check user-supplied data before copying it to an insufficiently sized memory buffer. Counter Measures • Preventive : Input Validation/ Patch updates • Detective : Log monitoring • Compensative : Layered defence
• 19. Top 5 Database Security Process Gaps o Poor Privilege management o Poor Patch Management o Lack of SOD o Insecure communication protocol – TNS listener/DB links o Lack of powerful grants audit trigger
• 20. Network Threats & Countermeasures o Network Re-direction o Arp-Cache poisoning o Connection Hijacking o SYN flooding o Denial of Services o Distributed Denial of Services
• 21. Network Re-direction 1. A port redirection attack is a trust exploitation-based attack that uses a compromised host to pass traffic through a firewall that the firewall would otherwise drop. 2. As an example, the diagram shows a firewall with three interfaces: Inside, Outside, and DMZ, with Host A on the DMZ interface. A host located on the outside interface can reach Host A, but cannot reach the host on the inside, Host B. Host A can reach both the host on the outside and Host B. 3. If a hacker can compromise Host A, the hacker can install software on the DMZ host that redirects traffic from the outside host directly to the inside host (Host B). Although neither communication violates the rules implemented in the firewall, the outside host now has connectivity to the inside host through the port redirection process on the DMZ host. Counter Measures • Preventive : HIPS, Proper Trust model and restricted services • Detective : Log monitoring • Compensative : Layered defence
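The "proper trust model" countermeasure is, in practice, a question you can ask of a firewall policy: if this host were compromised and turned into a relay, what would the outside gain? The example below is added here and is not code from the slide deck; it encodes the three-interface scenario from the slide as a constructed rule set (source, destination, port) and computes the transitive reachability that a compromised DMZ host creates. Host names follow the slide; the ports are assumptions.

```python
# Added example, not from the slide deck: a small reachability check over a
# firewall policy, used to see which hosts a compromised DMZ host would expose.
# Host and interface names mirror the slide's diagram; the rules are constructed.
from collections import deque
from typing import Dict, Iterable, Set, Tuple

Rule = Tuple[str, str, int]   # (source, destination, destination port)

# Constructed policy for the three-interface firewall on the slide.
RULES: Set[Rule] = {
    ("outside", "hostA", 443),   # Internet reaches the DMZ web host only
    ("hostA", "outside", 443),   # DMZ host may call out
    ("hostA", "hostB", 1433),    # DMZ host talks to the internal database
}


def direct_targets(rules: Iterable[Rule], src: str) -> Set[Tuple[str, int]]:
    """Destinations and ports `src` may reach in one hop under the policy."""
    return {(dst, port) for s, dst, port in rules if s == src}


def reachable(rules: Iterable[Rule], start: str, compromised: Set[str]) -> Dict[str, Set[int]]:
    """Hosts (and ports) `start` can reach, given that every host in `compromised`
    relays traffic on its behalf, as a port redirector installed there would."""
    rules = set(rules)
    seen: Dict[str, Set[int]] = {}
    queue = deque([start])
    visited = {start}
    while queue:
        hop = queue.popleft()
        for dst, port in direct_targets(rules, hop):
            seen.setdefault(dst, set()).add(port)
            # Only a relaying (compromised) host extends the path further.
            if dst in compromised and dst not in visited:
                visited.add(dst)
                queue.append(dst)
    seen.pop(start, None)
    return seen


def exposure_from_compromise(rules: Iterable[Rule], start: str, host: str) -> Dict[str, Set[int]]:
    """What `start` newly gains if `host` is compromised and turned into a relay."""
    before = reachable(rules, start, set())
    after = reachable(rules, start, {host})
    gained = {h: ports - before.get(h, set()) for h, ports in after.items()}
    return {h: ports for h, ports in gained.items() if ports}


if __name__ == "__main__":
    print("outside, no compromise:", reachable(RULES, "outside", set()))
    print("outside via compromised hostA:", reachable(RULES, "outside", {"hostA"}))
    print("newly exposed:", exposure_from_compromise(RULES, "outside", "hostA"))
```

Run over every host in turn, `exposure_from_compromise` gives a ranked list of which single compromise widens the trust boundary the most; the slide's "restricted services" advice corresponds to shrinking the DMZ-to-inside rules until that set is as small as the application allows, and HIPS on Host A is what is meant to stop the redirector from being installed in the first place.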
• 22. ARP - Poisoning 1. In normal operation the computers on the LAN use the ARP protocol to acquire and memorize each other's NIC MAC address, which they use for sending network data to each other. 2. But the ARP protocol provides no protection against misuse. An attacking computer on the same LAN can simply send spoofed ARP Replies to any other computers, telling them that its MAC address should receive the traffic bound for other IP addresses. 3. This "ARP Cache Poisoning" can be used to redirect traffic throughout the LAN, allowing any malicious computer to insert itself into the communications stream between any other computers for the purpose of monitoring and even altering the data flowing across the LAN. Counter Measures • Preventive : Use Static IP entries using batch script during login • Detective : Arp inspection • Compensative : Layered defense
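The detective control on this slide, ARP inspection, comes down to two observations over the replies seen on the wire: an IP address whose MAC changes (or contradicts a pinned entry), and one MAC that claims several addresses. The example below is added here and is not code from the slide deck; the capture of ARP replies, the addresses and the static table (of the kind a login batch script would push to each host) are all constructed.

```python
# Added example, not from the slide deck: ARP inspection over a constructed capture
# of ARP replies seen on the LAN, checked against a static table of the kind the
# slide's login batch script would push to each host.
from collections import defaultdict
from typing import Dict, List, Set, Tuple

ArpReply = Tuple[str, str, str]          # (time, sender IP, sender MAC)
Alert = Tuple[str, str, str]             # (time, kind, detail)

STATIC_TABLE: Dict[str, str] = {         # constructed: gateway pinned on every host
    "10.0.0.1": "aa:bb:cc:00:00:01",
}

CAPTURE: List[ArpReply] = [              # constructed replies, not a real capture
    ("10:00:01", "10.0.0.1", "aa:bb:cc:00:00:01"),   # gateway, genuine
    ("10:00:02", "10.0.0.25", "aa:bb:cc:00:00:25"),  # workstation, genuine
    ("10:00:05", "10.0.0.1", "de:ad:be:ef:00:99"),   # gateway IP claimed by another MAC
    ("10:00:05", "10.0.0.25", "de:ad:be:ef:00:99"),  # same MAC now also claims the workstation
    ("10:00:09", "10.0.0.25", "aa:bb:cc:00:00:25"),  # real workstation reasserts itself
]


def inspect_arp(replies: List[ArpReply], static_table: Dict[str, str]) -> List[Alert]:
    """Raise an alert for pinned-entry violations, IP-to-MAC changes, and MACs
    that claim more than one IP address."""
    alerts: List[Alert] = []
    learned: Dict[str, str] = {}                        # IP -> MAC for non-static entries
    claims: Dict[str, Set[str]] = defaultdict(set)      # MAC -> IPs it has claimed
    for ts, ip, mac in replies:
        mac = mac.lower()
        if ip in static_table:
            # A pinned entry never changes; any other MAC claiming it is a poisoning attempt.
            if static_table[ip] != mac:
                alerts.append((ts, "static-violation",
                               f"{ip} claimed by {mac}, pinned to {static_table[ip]}"))
        else:
            prev = learned.get(ip)
            if prev is not None and prev != mac:
                alerts.append((ts, "mac-change", f"{ip} moved from {prev} to {mac}"))
            learned[ip] = mac
        claims[mac].add(ip)
        if len(claims[mac]) == 2:   # fire once, when a MAC first spans two addresses
            alerts.append((ts, "multi-ip", f"{mac} claims {sorted(claims[mac])}"))
    return alerts


if __name__ == "__main__":
    for alert in inspect_arp(CAPTURE, STATIC_TABLE):
        print(*alert)
```

The last reply shows why "mac-change" on its own is noisy: the genuine workstation reasserting its address also trips it. The static-table violation and the multi-IP claim are the higher-confidence signals, which is the reason the slide pairs inspection with pinned entries rather than relying on either alone.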
• 23. Connection Hijacking 1. The attacker examines the traffic flows with a network monitor and notices traffic from Employee X to a web server. 2. The web server returns or echoes data back to the origination station (Employee X). 3. Employee X acknowledges the packet. 4. The cracker launches a spoofed packet to the server. 5. The web server responds to the cracker. The cracker starts verifying SEQ/ACK numbers to double-check success. At this time, the cracker takes over the session from Employee X, which results in a session hanging for Employee X. 6. The cracker can start sending traffic to the web server. 7. The web server returns the requested data to confirm delivery with the correct ACK number. 8. The cracker can continue to send data (keeping track of the correct SEQ/ACK numbers) until eventually setting the FIN flag to terminate the connection. Counter Measures • Preventive : Anti-Spoofing • Detective : Log monitoring • Compensative : Layered defense
  • 24. Syn - Flooding Counter Measures • Preventive : Effective Ingress filters. • Detective : IDS • Compensative : Layered defense
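The slide's two controls for SYN flooding, ingress filtering and an IDS, are shown together below. This is an added example, not code from the slide deck: an ingress filter of the kind described in BCP 38 (packets arriving on the outside interface must not claim an internal source), followed by a half-open connection counter that flags a destination once too many client SYNs go unanswered by the client's final ACK. The packets, the internal prefixes, the protected server address (192.0.2.80) and the threshold are all constructed or assumed.

```python
# Added example, not from the slide deck: an ingress filter of the BCP 38 kind on the
# external interface, followed by a half-open connection counter of the sort an IDS
# uses to flag a SYN flood. Packets are constructed dicts, not parsed from a capture.
import ipaddress
from collections import defaultdict
from typing import Dict, List, Tuple

INTERNAL = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
WEB = "192.0.2.80"   # constructed: the server being protected


def ingress_allowed(pkt: Dict) -> bool:
    """Drop packets that arrive from outside but claim an internal source address."""
    if pkt["iface"] == "outside":
        src = ipaddress.ip_address(pkt["src"])
        return not any(src in net for net in INTERNAL)
    return True


def detect_syn_flood(packets: List[Dict], threshold: int = 5) -> Tuple[List[str], Dict[str, int]]:
    """Count client SYNs per destination that were never completed by the client's ACK.
    Returns (destinations over threshold, outstanding half-open count per destination).
    Only client-side packets are examined; the server's SYN-ACK is not needed."""
    pending = set()
    half_open: Dict[str, int] = defaultdict(int)
    alerts: List[str] = []
    for p in packets:
        key = (p["src"], p["sport"], p["dst"], p["dport"])
        if p["flags"] == "S":
            if key not in pending:          # retransmitted SYNs are not counted twice
                pending.add(key)
                half_open[p["dst"]] += 1
            if half_open[p["dst"]] > threshold and p["dst"] not in alerts:
                alerts.append(p["dst"])
        elif p["flags"] == "A" and key in pending:
            pending.remove(key)
            half_open[p["dst"]] -= 1
    return alerts, dict(half_open)


def pkt(src, sport, dst, dport, flags, iface="outside") -> Dict:
    return {"src": src, "sport": sport, "dst": dst, "dport": dport,
            "flags": flags, "iface": iface}


# Constructed traffic: one legitimate handshake, one packet that spoofs an internal
# source, and twelve SYNs from documentation-range sources that never complete.
TRAFFIC: List[Dict] = [
    pkt("198.51.100.7", 51000, WEB, 443, "S"),
    pkt("198.51.100.7", 51000, WEB, 443, "A"),
    pkt("10.0.0.5", 40000, WEB, 443, "S"),          # claims an internal source from outside
] + [pkt(f"203.0.113.{i}", 40000 + i, WEB, 443, "S") for i in range(1, 13)]


def filter_and_detect(packets: List[Dict]) -> Dict[str, object]:
    """Apply the ingress filter first, then run the half-open detector on what passed."""
    passed = [p for p in packets if ingress_allowed(p)]
    alerts, half_open = detect_syn_flood(passed)
    return {"dropped_by_ingress": len(packets) - len(passed),
            "alerts": alerts, "half_open": half_open}


if __name__ == "__main__":
    print(filter_and_detect(TRAFFIC))
```

Ingress filtering does not stop a flood from forged addresses outside your own ranges, which is why the slide lists it as preventive but still keeps the IDS count as the detective layer; in production the threshold would be a rate over a time window rather than a raw count, and the response would usually be SYN cookies or a rate limit on the device in front of the server.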
  • 25. DOS & DDOS A denial-of-service attack (DoS attack) or distributed denial-of-service attack (DDoS attack) is an attempt to make a computer resource unavailable to its intended users Counter Measures • Preventive : Threshold/Rate limiting/Peak flow • Detective : IDS/SIEM • Compensative : HA/Load balancers
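"Threshold / rate limiting" on this slide is most often implemented as a token bucket per client: a bucket refills at a fixed rate, every request spends one token, and a burst is permitted only up to the bucket size. The example below is added here and is not code from the slide deck; the request timestamps are constructed and the rate and burst values are assumptions chosen to make the outcome easy to follow.

```python
# Added example, not from the slide deck: per-client token-bucket rate limiting,
# the "threshold / rate limiting" control on the slide. Request timestamps are
# constructed; the rate and burst values are assumptions.
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class TokenBucket:
    rate: float          # tokens refilled per second
    burst: float         # maximum tokens held (allowed burst size)
    tokens: float = 0.0
    last: float = 0.0

    def allow(self, now: float) -> bool:
        # Refill in proportion to elapsed time, capped at the burst size.
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def apply_rate_limit(requests: List[Tuple[float, str]], rate: float,
                     burst: float) -> Dict[str, Tuple[int, int]]:
    """Return {client: (accepted, rejected)} for a time-ordered list of (timestamp, client)."""
    buckets: Dict[str, TokenBucket] = {}
    stats: Dict[str, List[int]] = {}
    for ts, client in requests:
        bucket = buckets.get(client)
        if bucket is None:
            # A client seen for the first time starts with a full bucket.
            bucket = buckets[client] = TokenBucket(rate, burst, tokens=burst, last=ts)
        ok = bucket.allow(ts)
        stats.setdefault(client, [0, 0])[0 if ok else 1] += 1
    return {c: (a, r) for c, (a, r) in stats.items()}


# Constructed: client "flood" fires 20 requests 10 ms apart; client "normal" sends
# three requests a second apart.
REQUESTS: List[Tuple[float, str]] = sorted(
    [(i * 0.01, "flood") for i in range(20)] + [(float(i), "normal") for i in range(3)]
)


if __name__ == "__main__":
    # With 5 tokens/s and a burst of 5, "flood" gets its first five requests through
    # and is then held to the refill rate, while "normal" is never touched.
    print(apply_rate_limit(REQUESTS, rate=5.0, burst=5.0))
```

The per-client bucket is what distinguishes a single abusive source from the rest of the population; against a distributed attack the same structure is applied at coarser keys (network prefix, or a global bucket per service), which is where the slide's load balancers and high availability take over from rate limiting alone.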
• 26. Layered defense Infrastructure | Layers of Defense | Security Tools. Network: Multi Vendor Firewall, Intrusion Detection System, Monitoring & Management, Log Review. System: Computing Environments, Server Build Check, Log Reviews. Desktop/End Point: Desktop Applications, End point Security. User Access: User Access Requests, Multiple Applications, Diversified Technology. Security Tools: RSA enVision, Arc Sight, Log Logic, McAfee Suite, Symantec Suite, Trend Micro, CIS – Bench Mark Audit tools, WebSense, Blue Coat, Tipping Point, FoundStone, Qualysguard, AppScan