Vulnerability / Cybersecurity Research Discussion Dwayne Melancon, CISA Chief Technology Officer and VP of Research & Development.

Tripwire delivers advanced threat protection, security, and compliance solutions
> 9,000+ customers in 96 countries
> Profitable
> 450+ employees
> $195M+ annual

Threat Landscape
> Percentage of breaches that could be prevented by remediating known vulnerabilities (US-CERT)
> Average time to detect an advanced persistent threat on a corporate network (Mandiant)
> Percentage of unauthorized data access that was through compromised servers (Verizon DBIR)
> Days the average malicious data breach took to resolve (Ponemon)

Solution: Adaptive Threat Protection
> Endpoint Intelligence
> Vulnerability Intelligence
> Threat Intelligence
> Threat Analytics
> Forensics
> Zero-Day Detection
> Threat Response
> Log & Event Intelligence

Vulnerabilities

Most Common Programmatic Vulnerability Types
> Buffer Overflow
> Format String
> Race Condition
> Privilege Escalation
> Denial of Service

Buffer Overflows
> Program requires first name input
> Developer writes char firstName[10]
> User’s name is ‘Christopher’
> Program crashes
> Attacker exploits this to control the return address (EIP)
[Images from Wikipedia: Stack buffer overflow]
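The slide's char firstName[10] case, worked through in C as an added example (not code from the presentation): the unbounded copy that overruns the buffer when the name is "Christopher", next to two bounded replacements, one that rejects over-long input and one that truncates it and reports that it did. The function names and the sample names are constructed for this illustration.

```c
#include <stdio.h>
#include <string.h>

/* The slide's buffer: room for 9 characters plus the terminating NUL. */
#define FIRST_NAME_LEN 10

/* Pattern the slide describes: an unbounded copy into the fixed buffer.
 * "Christopher" is 11 characters, so strcpy writes 12 bytes into 10 and
 * overruns the stack frame. Kept only for contrast; this example calls it
 * with a name that fits. */
void store_name_unchecked(char firstName[FIRST_NAME_LEN], const char *input)
{
    strcpy(firstName, input);
}

/* Hardened form 1: reject input that does not fit, NUL included.
 * Returns 0 on success, -1 when the caller must report "name too long". */
int store_name_checked(char firstName[FIRST_NAME_LEN], const char *input)
{
    size_t len = strlen(input);
    if (len >= FIRST_NAME_LEN) {
        firstName[0] = '\0';
        return -1;
    }
    memcpy(firstName, input, len + 1);   /* copies the NUL as well */
    return 0;
}

/* Hardened form 2: accept but truncate. snprintf never writes more than
 * FIRST_NAME_LEN bytes and always NUL-terminates. Returns 1 if the input
 * was truncated, 0 otherwise, so the program can tell the user. */
int store_name_truncating(char firstName[FIRST_NAME_LEN], const char *input)
{
    int needed = snprintf(firstName, FIRST_NAME_LEN, "%s", input);
    return needed >= FIRST_NAME_LEN;
}

int main(void)
{
    char name[FIRST_NAME_LEN];

    store_name_unchecked(name, "Chris");          /* fits: 5 chars + NUL */
    printf("unchecked copy of short name: %s\n", name);

    if (store_name_checked(name, "Christopher") == -1)
        printf("checked copy: rejected 'Christopher' (too long)\n");

    if (store_name_truncating(name, "Christopher"))
        printf("truncating copy: stored '%s', input was truncated\n", name);
    return 0;
}
```

The check in store_name_checked compares against the buffer size including the NUL; the common off-by-one is to test `len > FIRST_NAME_LEN`, which still lets a 10-character name write its terminator one byte past the end.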

Format String Injection
> Often involves improper use of printf
> Allows potential disclosure and manipulation of memory
> Can allow privilege escalation and arbitrary execution of commands
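As an added example (not from the presentation), the improper printf use the slide refers to beside its safe form, plus two small audit helpers for the case where a format string has to come from configuration rather than from a literal. Function names and the sample inputs are constructed for this illustration.

```c
#include <stdio.h>
#include <string.h>

/* Pattern the slide warns about (left as a comment: modern gcc with
 * -Werror=format-security refuses to compile it):
 *
 *     printf(user_input);
 *
 * With user_input used as the format, every conversion specifier in it
 * makes printf read the next vararg slot, which is how stack memory gets
 * disclosed; %n writes to memory instead of reading it. */

/* Safe form: the format is a compile-time constant and the input is passed
 * as data, so "%x %n" in the input is printed literally. Returns the
 * snprintf result (bytes needed), so the caller can detect truncation. */
int format_log_line(char *out, size_t out_len, const char *user_input)
{
    return snprintf(out, out_len, "user said: %s", user_input);
}

/* Audit helper: count the conversion specifiers in a format loaded from a
 * config file or message catalogue, so the loader can verify the count
 * matches the arguments it will supply ("%%" is a literal percent sign). */
int count_conversions(const char *fmt)
{
    int n = 0;
    const char *p;
    for (p = fmt; *p != '\0'; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {      /* escaped percent, not a conversion */
            p++;
            continue;
        }
        n++;
    }
    return n;
}

/* Returns 1 if fmt contains a "%n" conversion (flags, width or length
 * modifiers may sit between the '%' and the 'n'). %n is the one directive
 * that writes to memory and has no place in any externally supplied format. */
int has_write_directive(const char *fmt)
{
    const char *p;
    for (p = fmt; *p != '\0'; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {
            p++;
            continue;
        }
        p++;
        while (*p != '\0' && strchr("-+ #0123456789.hlLqjzt$*", *p) != NULL)
            p++;
        if (*p == 'n')
            return 1;
        if (*p == '\0')
            break;
    }
    return 0;
}

int main(void)
{
    char line[64];
    const char *hostile = "%x %x %n";   /* constructed sample input */

    format_log_line(line, sizeof line, hostile);
    printf("%s\n", line);                /* prints the specifiers literally */
    printf("conversions in input: %d, contains %%n: %d\n",
           count_conversions(hostile), has_write_directive(hostile));
    return 0;
}
```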

Race Condition
A program that checks something and then uses it.
Sometimes referred to as TOCTTOU (“TOCK-too”): “Time Of Check vs. Time Of Use”
E.g.
> A SUID program checks whether a user has permission to access a file, then accesses the file with SUID permissions.
> A program checks whether a file exists, then writes data to that file.
In either situation there is a race between the attacker and the software: the attacker tries to manipulate access between the check and the use.

Privilege Escalation
The ability to take yourself from a regular user to Administrator/root to SYSTEM (or any single step).
> Program abc.exe runs as a service as LocalSystem.
> User replaces abc.exe with cmd.exe.
> cmd.exe now runs as LocalSystem instead of running as the user.

Denial of Service
Attacks which prevent a system or program from providing service.
E.g.
> Resource utilization, e.g. HTTP POST attacks
> Crash condition, e.g. buffer overflow

Finding Vulnerabilities
Five primary ways:
> Fuzzing
> Reverse Engineering
> Static Code Analysis
> Manual Testing
> Accidental Discovery

What Do We Do With Them?

MITRE & NIST – Vulnerability Normalization
CVE
> Dictionary of publicly known vulnerabilities
> E.g. CVE-YYYY-NNNN identifiers (the slide’s specific examples were not captured in the transcript)
CPE
> Dictionary of platforms (apps & OSs)
> E.g. cpe:/o:microsoft:windows_xp::gold
> E.g. cpe:/a:microsoft:windows_explorer
CWE
> Dictionary of publicly known weaknesses (programming flaws)
> E.g. CWE-120 (Classic Buffer Overflow)
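To show what the identifiers on this slide actually encode, here is an added C example (not from the presentation) that parses the slide's CPE 2.2 URIs into their named components and checks the syntax of a CVE identifier. The struct and function names are constructed for this illustration, and the sample CVE id in main is a syntactic example only, not a reference to a real entry.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define CPE_FIELDS 7
#define CPE_FIELD_LEN 64

/* Components of a CPE 2.2 URI, in order:
 *   cpe:/{part}:{vendor}:{product}:{version}:{update}:{edition}:{language}
 * Trailing components may be omitted; omitted ones are left empty. */
struct cpe22 {
    char field[CPE_FIELDS][CPE_FIELD_LEN];
};

const char *const cpe22_field_names[CPE_FIELDS] = {
    "part", "vendor", "product", "version", "update", "edition", "language"
};

/* Parses uri into out. Returns the number of components present (1..7),
 * or -1 if the prefix is wrong, the part is not a/h/o, a component is
 * too long, or more than seven components are given. */
int cpe22_parse(const char *uri, struct cpe22 *out)
{
    const char *p;
    int i;

    memset(out, 0, sizeof *out);
    if (strncmp(uri, "cpe:/", 5) != 0)
        return -1;
    p = uri + 5;
    for (i = 0; i < CPE_FIELDS; i++) {
        size_t len = strcspn(p, ":");
        if (len >= CPE_FIELD_LEN)
            return -1;
        memcpy(out->field[i], p, len);
        out->field[i][len] = '\0';
        /* part must be a (application), h (hardware) or o (operating system) */
        if (i == 0 && (len != 1 || strchr("aho", out->field[0][0]) == NULL))
            return -1;
        p += len;
        if (*p == '\0')
            return i + 1;
        p++;                    /* skip the ':' separator */
    }
    return -1;                  /* an eighth component: not a valid 2.2 URI */
}

/* Checks the syntax of a CVE identifier: "CVE-" + four-digit year + "-" +
 * a sequence number of at least four digits (the current syntax, which
 * also covers the older fixed four-digit form). Returns 1 if well-formed. */
int cve_id_well_formed(const char *id)
{
    size_t n = strlen(id), i;
    if (n < 13 || strncmp(id, "CVE-", 4) != 0 || id[8] != '-')
        return 0;
    for (i = 4; i < 8; i++)
        if (!isdigit((unsigned char)id[i]))
            return 0;
    for (i = 9; i < n; i++)
        if (!isdigit((unsigned char)id[i]))
            return 0;
    return 1;
}

int main(void)
{
    struct cpe22 c;
    int n = cpe22_parse("cpe:/o:microsoft:windows_xp::gold", &c), i;

    for (i = 0; i < n; i++)
        printf("%-8s = '%s'\n", cpe22_field_names[i], c.field[i]);
    /* constructed sample id, syntactic check only */
    printf("CVE-2015-12345 well-formed: %d\n", cve_id_well_formed("CVE-2015-12345"));
    return 0;
}
```

The empty version component in cpe:/o:microsoft:windows_xp::gold is preserved as an empty string rather than skipped, which matters when matching an inventory against a CPE list: "any version" and "version unspecified" are different statements.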

CVE – CWE: Why Vulnerabilities, Exposures & Weaknesses
A vulnerability is a unique instance of a flaw that leads to access to a system or network.
An exposure is a unique instance of a flaw that reveals information about a system or network.
A weakness is the generic flaw that leads to the unique instance described by a vulnerability or exposure.
In other words, each CVE is based on at least one CWE.


Responsible Disclosure

Responsible Disclosure
Allows entities to correct “Zero Day” vulnerabilities prior to public disclosure
Essentially a “code of ethics” for white hat researchers
Process (typical):
> Researcher discovers vulnerability
> Researcher reports vulnerability to vendor / creator
> Dialog occurs between researcher and vendor
> Fix is made available (typically in a patch)
> Vulnerability is publicly disclosed
> Note: Some organizations pay for responsible disclosure via “bug bounties” or similar programs

Q&A