COMP1321 Digital Infrastructure

COMP1321 Digital Infrastructure Richard Henson University of Worcester May 2018

Week 24: End-Point Security Objectives: Explain that applications software and even operating systems are flawed and the crucial importance of using “updates” Explain licensing and life-cycle support for software Explain how the registry controls end-point security Explain why Cyber Essentials is useful for businesses

Network Security and Computer Security Not the same thing! network protected from external threats using firewall and savvy internal users! End-point devices protected at the desktop… registry needs correct settings… GCHQ agreement on “best practice” registry settings for security. Why not do it?

The changing security model “Castle and Moat” approach no longer sufficient End-users access servers via web need protection as well SSL protocol introduced for e-commerce PKI introduced right across the web (1999) most people hadn’t heard of it in 2016…

Data on the move: Encryption is not enough! The other aspect of SSL/PKI is the establishment of trust between online vendors and customers. This is usually achieved by using encryption AND providing a digital certificate system, which verifies the identity at each end of the communication link, thereby authenticating the server/user. The savvy user knows about digital certificates and expects to be able to view them online… but in 2015 many users were still not savvy!

“Mature” use of PKI? But… 16 years on from PKI, larger companies were using SSL/PKI for secure communications as a matter of course! But… (1) companies not applying strict security measures correctly according to PKI guidelines were being defrauded, skewing the statistics for more responsible online traders; (2) human error/computer misuse through software vulnerabilities continued…

Solution… Google’s Browser From early 2017 onwards, Google Chrome has checked links and highlighted any https link that has flaws… https://www.wired.com/2016/11/googles-chrome-hackers-flip-webs-security-model/ Now explained on BrightTalk webinar… Other Browser manufacturers are now following this excellent practice!

B2C and Website Vulnerability Small businesses outsource many of their business functions Including: development of website putting website on an Internet-facing webserver

Website Vulnerabilities The website must have direct access to the Internet, so the Internet has direct access to the website folder on the webserver. Webbots can gather information about the business… find weak links in the website! and possibly weaknesses on the server, e.g. “Heartbleed not patched!” http://heartbleed.com/

Software Layers and Operating Systems (OS), from the top layer down to the hardware:
Applications
OS functions & user interface
OS kernel
CPU, motherboard

What if the Operating System has software faults? The platform becomes “unstable”!! Could be errors in hardware control? user interface? utilities? What would happen to: applications running on a poorly designed platform? businesses depending on such apps?

“Good” and “Bad” programming Apollo missions to the moon first use of programming for control “because manual not possible…” Programming used to: put Apollo spacecraft into moon orbit land a small craft and two astronauts

Early example of excellent software Moon landing software (1969)… & final Presidential acclaim for safe coding (2016) http://www.floridatoday.com/story/tech/science/space/2016/11/26/obama-honors-apollo-software-developer-margaret-hamilton/94477822/ https://www.youtube.com/watch?v=X1PNp_YggAA

“Moon Lander” Program Retro rockets of falling LEM vehicle Balanced against moon gravity Limited amount of fuel… Version written for BASIC Very popular early microcomputer game

Is software always safe? Written by humans! Depends how it is: designed coded tested Lots could… and does… go wrong too much trust? not enough testing?

B2C Software Consumer buys a license to use software during its lifecycle… NOT the software itself! License may become invalid (or useless…) if software no longer supported consumer potentially unaware also applies to operating systems (!)

Publishing of Vulnerabilities Many disturbing examples of data breaches… and software vulnerabilities that provided access for hackers Records of Internet exploitable vulnerabilities finally kept… US security organisation Mitre https://cve.mitre.org/cve/cve.html

Good for Consumers With Mitre initiative… Software companies with faulty code named and shamed… Embarrassing… Over time, software will get better i.e. fewer flaws!

Software Faults & CWE Lot of recent interest in unreliability of software (even operating systems…) Mitre (US gov)… classified software fault types through Common Weakness/Vulnerability Enumeration (CWE/CVE) community support formal published list weaknesses/vulnerabilities Intended use? to better describe software weaknesses in architecture, design, or code [TSI/2012/183] © Copyright 2003-2012

More about CWE Full list of CWE entries: http://cwe.mitre.org/data The more commonly encountered weaknesses are usually “repeat offenders”. CWE provides: a standard measuring stick for software tools targeting software weaknesses; a common baseline standard for efforts to identify, mitigate, and prevent software weaknesses. Top 25 (most hacked) vulnerabilities follow…

CWE Top 25 faults (part 1)
Rank  ID       Name
1     CWE-79   Failure to Preserve Web Page Structure ('Cross-site Scripting')
2     CWE-89   Improper Sanitization of Special Elements used in an SQL Command ('SQL Injection')
3     CWE-120  Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
4     CWE-352  Cross-Site Request Forgery (CSRF)
5     CWE-285  Improper Access Control (Authorization)
6     CWE-807  Reliance on Untrusted Inputs in a Security Decision
7     CWE-22   Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
8     CWE-434  Unrestricted Upload of File with Dangerous Type
9     CWE-78   Improper Sanitization of Special Elements used in an OS Command ('OS Command Injection')
10    CWE-311  Missing Encryption of Sensitive Data
11    CWE-798  Use of Hard-coded Credentials
12    CWE-805  Buffer Access with Incorrect Length Value
13    CWE-98   Improper Control of Filename for Include/Require Statement in PHP Program ('PHP File Inclusion')

CWE Top 25 faults (part 2)
Rank  ID       Name
14    CWE-129  Improper Validation of Array Index
15    CWE-754  Improper Check for Unusual or Exceptional Conditions
16    CWE-209  Information Exposure Through an Error Message
17    CWE-190  Integer Overflow or Wraparound
18    CWE-131  Incorrect Calculation of Buffer Size
19    CWE-306  Missing Authentication for Critical Function
20    CWE-494  Download of Code Without Integrity Check
21    CWE-732  Incorrect Permission Assignment for Critical Resource
22    CWE-770  Allocation of Resources Without Limits or Throttling
23    CWE-601  URL Redirection to Untrusted Site ('Open Redirect')
24    CWE-327  Use of a Broken or Risky Cryptographic Algorithm
25    CWE-362  Race Condition
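Entry 7 in the list above, Path Traversal (CWE-22), is the one most directly tied to the earlier point that the Internet has direct access to the website folder on the webserver. The following PowerShell is an added illustration, not code from the lecture or from any tool it mentions: a file-serving function that trusts the requested name beside a hardened version that canonicalises the path and refuses anything that resolves outside the web root. The directory and file names are constructed for the demo.

```powershell
# Added example (not from the lecture slides): CWE-22 path traversal,
# a vulnerable function beside a hardened one. All paths are constructed.

$sep = [System.IO.Path]::DirectorySeparatorChar

function Get-FileUnsafe {
    param([string]$Root, [string]$RequestedName)
    # Vulnerable: the user-supplied name is joined to the root with no check,
    # so a name containing ".." walks out of $Root.
    $path = Join-Path $Root $RequestedName
    return Get-Content -Path $path -Raw
}

function Get-FileSafe {
    param([string]$Root, [string]$RequestedName)
    # Canonicalise the root (with a trailing separator) and the candidate,
    # then require the candidate to sit underneath the root. GetFullPath
    # resolves "..", "." and doubled separators before the comparison.
    $rootFull  = [System.IO.Path]::GetFullPath($Root).TrimEnd($sep) + $sep
    $candidate = [System.IO.Path]::GetFullPath((Join-Path $rootFull $RequestedName))
    if (-not $candidate.StartsWith($rootFull, [System.StringComparison]::OrdinalIgnoreCase)) {
        throw "Rejected: '$RequestedName' resolves to '$candidate', outside $rootFull"
    }
    return Get-Content -Path $candidate -Raw
}

# Constructed demo layout: a web root holding one public page, and a sibling
# file outside the web root that the server must never hand out.
$base    = Join-Path ([System.IO.Path]::GetTempPath()) ('cwe22-' + [guid]::NewGuid())
$webRoot = Join-Path $base 'wwwroot'
New-Item -ItemType Directory -Path $webRoot | Out-Null
Set-Content -Path (Join-Path $webRoot 'index.html') -Value '<h1>public</h1>'
Set-Content -Path (Join-Path $base 'config.ini')    -Value 'dbpassword=constructed-example'

$escape = '..' + $sep + 'config.ini'

Write-Host '--- unsafe ---'
Get-FileUnsafe -Root $webRoot -RequestedName 'index.html'
Get-FileUnsafe -Root $webRoot -RequestedName $escape      # leaks config.ini

Write-Host '--- safe ---'
Get-FileSafe -Root $webRoot -RequestedName 'index.html'
try   { Get-FileSafe -Root $webRoot -RequestedName $escape }
catch { Write-Warning $_.Exception.Message }              # request refused

Remove-Item -Recurse -Force $base
```

The check compares canonical absolute paths rather than looking for the literal string "..", because encoded or doubled separators can defeat a string match while GetFullPath normalises them all; keeping the trailing separator on the root also stops a sibling directory such as `wwwroot-old` from passing the prefix test.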

Many other System Flaws (software to support OS, networks, etc) “Recently”: Heartbleed – an open source webserver software enhancement was flawed; KRACK – the WiFi WPA2 secure implementation had a security flaw. All patched quickly… But does everyone apply the patches?

Not just apps… Many examples of operating system flaws Apple: “dangerous” flaw revealed in iOS 7 and X (21/2/14) http://gizmodo.com/why-apples-huge-security-flaw-is-so-scary-1529041062 Microsoft: Windows flaw that led to “Wannacry” (May 2017)

Dangers of not Updating… New flaws in software being detected by Mitre and others all the time… usually published once a fix has been found! makes sense to update to a version that has had vulnerabilities patched! hackers will know all about any vulnerabilities removed by an update, and will be eager to exploit… organisations who haven’t updated (!)

Update Management Essential to update all system and application software as soon as possible after release… updates need to be tested… And roll out planned accordingly! e.g. operating system updates will require reboot so “automatic” updates may cause problems! generally best for administrator to have an alert and install updates asap (after testing!)
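The administrator alert described above needs a quick way to see how far behind an end-point is and whether an installed update is still waiting for the reboot mentioned on the slide. The PowerShell below is an added example, not from the lecture: it takes the newest entry from Get-HotFix, works out how many days old it is against a threshold you choose, and looks for the two registry marker keys that Windows Update and Component Based Servicing leave behind when a reboot is pending.

```powershell
# Added example (not from the lecture slides): how stale are this end-point's
# updates, and is one of them still waiting for a reboot?

function Get-UpdateStatus {
    param([int]$MaxDaysSinceUpdate = 30)   # threshold is a local policy choice

    # Get-HotFix lists updates recorded by Windows Update / WUSA. InstalledOn
    # can be blank on some entries, so drop those before picking the newest.
    $hotfixes = Get-HotFix | Where-Object { $_.InstalledOn } | Sort-Object InstalledOn -Descending
    $latest   = $hotfixes | Select-Object -First 1
    $daysSince = if ($latest) { (New-TimeSpan -Start $latest.InstalledOn -End (Get-Date)).Days } else { $null }

    # Each servicing component leaves a marker key when a reboot is required
    # to finish an install; the key's existence is the signal, not its contents.
    $rebootKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
    )
    $rebootPending = @($rebootKeys | Where-Object { Test-Path $_ }).Count -gt 0

    [pscustomobject]@{
        Computer        = $env:COMPUTERNAME
        LatestHotFix    = if ($latest) { $latest.HotFixID } else { 'none recorded' }
        InstalledOn     = if ($latest) { $latest.InstalledOn.ToString('yyyy-MM-dd') } else { $null }
        DaysSinceUpdate = $daysSince
        RebootPending   = $rebootPending
        # Stale if nothing is recorded at all, or the newest update is too old.
        Stale           = ($null -eq $daysSince) -or ($daysSince -gt $MaxDaysSinceUpdate)
    }
}

Get-UpdateStatus -MaxDaysSinceUpdate 30 | Format-List
```

Get-HotFix only reports updates that register as hotfixes, so a machine that receives cumulative updates through another mechanism can look older than it is; treat the Stale flag as a prompt to check Windows Update history rather than as proof of a missing patch.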

Latest versions of Applications Same update principles apply to apps updates free may be required to upgrade to later version Office 2007 “updates” just expired! again… test first… but may also be a cost! Whether to upgrade is cost of upgrade/training justified: better security? increased productivity?

Updates and Development Environments Development software, like apps, can and does have vulnerabilities and needs updating like all other software. Use of an insecure old version is particularly worrying… development environments generate code: what if that generated code has vulnerabilities…?

Insecure Development Environments Many web page generator examples available Joomla… WordPress… more recent versions more likely to be secure and still have updates older versions no longer supported so code generated is vulnerable! Java Run-time… regular updates potential knock-on effects for java apps…

Using Windows Registry to check end-point security Registry settings in memory control the desktop… totally! In order to establish the security status of a machine… just look in the registry!?

A Software Tool for Checking registry settings against GCHQ’s recommended values Yes… there is one Yes… it is free! and it is produced by a local company Yes… you’ll be able to test it after the break!
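The slides do not reproduce GCHQ's recommended values or the local company's tool, so the PowerShell below is an added example of the general technique only: a list of expected registry values is read back from the live registry and each setting is reported as OK, CHECK, or not set. The three entries in the baseline are real Windows keys chosen for illustration and are an assumption on my part, not GCHQ's list; replace them with the published recommendations when you run this for real.

```powershell
# Added example (not from the lecture slides and not the tool they mention):
# compare registry values against an expected baseline.
# The baseline entries below are illustrative, NOT GCHQ's published values.

$Baseline = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
       Name = 'EnableLUA';    Expected = 1; Why = 'User Account Control enabled' }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
       Name = 'SMB1';         Expected = 0; Why = 'SMBv1 server disabled' }
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
       Name = 'NoAutoUpdate'; Expected = 0; Why = 'Automatic updates not switched off by policy' }
)

function Test-RegistryBaseline {
    param([array]$Baseline)
    foreach ($item in $Baseline) {
        # A missing key or value comes back as $null rather than an error, so
        # it can be reported as "(not set)". Absent often means the Windows
        # default applies; whether that default is acceptable is a policy call,
        # so it is flagged CHECK rather than silently passed.
        $actual = $null
        if (Test-Path $item.Path) {
            $actual = (Get-ItemProperty -Path $item.Path -Name $item.Name -ErrorAction SilentlyContinue).($item.Name)
        }
        [pscustomobject]@{
            Setting  = "$($item.Path)\$($item.Name)"
            Expected = $item.Expected
            Actual   = if ($null -eq $actual) { '(not set)' } else { $actual }
            Status   = if ($actual -eq $item.Expected) { 'OK' } else { 'CHECK' }
            Why      = $item.Why
        }
    }
}

Test-RegistryBaseline -Baseline $Baseline | Format-Table -AutoSize
```

Reading HKLM does not need elevation for these keys, so the script can run as a standard user; only a remediation step that writes the values would need an administrator session, and that step is deliberately left out here so the check stays read-only.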

Cyber Smart A more sophisticated tool has been developed to check the security settings of multiple machines on a network unfortunately, it is certainly not free! https://cybersmart.co.uk/ However, it will save a lot of time for analysts wishing to help organisations meet GCHQ’s “Cyber Essential” criteria…

Next Week… All about Linux!