Example One: Internet is allowed to access the web server through HTTP protocol and port. CVE-2006-3747 was identified on web server.

Presentation transcript:

Example One
Internet is allowed to access the web server through HTTP protocol and port.
CVE-2006-3747 was identified on web server.

[Figure: exploit pre-condition and exploit post-condition of the web server vulnerability]

Pre- and Post-conditions can be used in constructing an attack graph
Exploit pre-conditions:
– webServer is network-accessible to an attacker
– The web service is running
– The vulnerability exists
If all three hold, this attack is possible.
Exploit post-condition: the consequence is that webServer is compromised.

This process is completely automated
    attackerLocated(internet).
    hacl(internet, webServer, httpProtocol, httpPort).
    hacl(H, H, _, _).
    networkServiceInfo(webServer, httpd, httpProtocol, httpPort, apache).
    vulExists(webServer, cve_apache, httpd).
    vulProperty(cve_apache, remoteExploit, privEscalation).
[Figure: input sources: firewall/network analyzer, vulnerability scanner, NVD]
What are your threats?

But you do need a knowledge base
    execCode(H, Perm) :-
        vulExists(H, VulID, Software, remoteExploit, privEscalation),
        networkServiceInfo(H, Software, Protocol, Port, Perm),
        netAccess(H, Protocol, Port).
The knowledge is completely independent of any site-specific settings.
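As an added example (not the MulVAL reasoning engine's own code), the following Python forward-chaining engine applies the execCode rule above, plus the two netAccess rules ("direct network access" and "multi-hop access") that the Example Two attack graph names, to the Example Two site facts. The exact argument lists of the two netAccess rules, and the use of the five-argument vulExists from the rule rather than the vulExists/vulProperty pair from the fact list, are assumptions; cve_apache and cve_mySQL are the slides' placeholders, not real identifiers. The point is the split the slide makes: RULES never change between sites, only FACTS do.

```python
"""Forward-chaining derivation of attack facts from site facts + generic rules.

Added example, not the MulVAL reasoning engine's own code. RULES transcribes the
execCode rule from the slide and adds the two netAccess rules named in the
Example Two graph; their exact argument lists are assumptions. FACTS are the
Example Two site facts; cve_apache / cve_mySQL are the slides' placeholders.
"""

# Site-specific input (constructed from the slides). Variables are capitalised
# or "_", constants are lower-case, exactly as in the slides' Datalog.
FACTS = {
    ("attackerLocated", "internet"),
    ("hacl", "internet", "webServer", "httpProtocol", "httpPort"),
    ("hacl", "webServer", "dbServer", "dbProtocol", "dbPort"),
    ("networkServiceInfo", "webServer", "httpd", "httpProtocol", "httpPort", "apache"),
    ("networkServiceInfo", "dbServer", "mySQL", "dbProtocol", "dbPort", "root"),
    ("vulExists", "webServer", "cve_apache", "httpd", "remoteExploit", "privEscalation"),
    ("vulExists", "dbServer", "cve_mySQL", "mySQL", "remoteExploit", "privEscalation"),
}

# Site-independent knowledge base: (rule name, head, body).
RULES = [
    ("remote exploit of a server program",
     ("execCode", "H", "Perm"),
     [("vulExists", "H", "VulID", "Software", "remoteExploit", "privEscalation"),
      ("networkServiceInfo", "H", "Software", "Protocol", "Port", "Perm"),
      ("netAccess", "H", "Protocol", "Port")]),
    ("direct network access",                      # assumed form
     ("netAccess", "H", "Protocol", "Port"),
     [("attackerLocated", "Zone"),
      ("hacl", "Zone", "H", "Protocol", "Port")]),
    ("multi-hop access",                           # assumed form
     ("netAccess", "H2", "Protocol", "Port"),
     [("execCode", "H1", "_"),
      ("hacl", "H1", "H2", "Protocol", "Port")]),
]


def is_var(term):
    return term == "_" or term[0].isupper()


def unify(pattern, fact, binding):
    """Extend binding so that pattern matches fact, or return None."""
    if len(pattern) != len(fact):
        return None
    binding = dict(binding)
    for p, f in zip(pattern, fact):
        if p == "_":
            continue
        if is_var(p):
            if binding.setdefault(p, f) != f:
                return None
        elif p != f:
            return None
    return binding


def match_body(body, facts, binding):
    """Yield (binding, facts used) for every way the body is satisfied."""
    if not body:
        yield binding, ()
        return
    for fact in facts:
        b = unify(body[0], fact, binding)
        if b is not None:
            for b2, used in match_body(body[1:], facts, b):
                yield b2, (fact,) + used


def derive(facts, rules):
    """Apply rules to a fixpoint; return all facts and how each was derived."""
    facts = set(facts)
    derivations = {}  # derived fact -> {(rule name, body facts)}
    changed = True
    while changed:
        changed = False
        for name, head, body in rules:
            for b, used in list(match_body(body, facts, {})):
                new = tuple(b.get(t, t) if is_var(t) else t for t in head)
                if (name, used) not in derivations.setdefault(new, set()):
                    derivations[new].add((name, used))
                    facts.add(new)
                    changed = True
    return facts, derivations


def compromised_hosts(facts):
    """(host, privilege) pairs the attacker can obtain, i.e. execCode facts."""
    return sorted((f[1], f[2]) for f in facts if f[0] == "execCode")


def derivation_tree(fact, derivations, depth=0, seen=()):
    """Render a fact and, beneath it, each rule instance that derives it
    (the same structure as the numbered node list on the Example Two slide)."""
    lines = ["  " * depth + fact[0] + "(" + ",".join(fact[1:]) + ")"]
    if fact in seen:  # guard against cycles in multi-hop graphs
        return lines
    for rule, body in sorted(derivations.get(fact, ())):
        lines.append("  " * (depth + 1) + "<- " + rule)
        for b in body:
            lines += derivation_tree(b, derivations, depth + 2, seen + (fact,))
    return lines


if __name__ == "__main__":
    all_facts, how = derive(FACTS, RULES)
    print("compromised:", compromised_hosts(all_facts))
    print("\n".join(derivation_tree(("execCode", "dbServer", "root"), how)))
```

Removing a single site fact (a patched vulExists, a blocked hacl) and re-running derive is exactly the "what if we patch X" question asked later in the deck; the rule set stays untouched.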

Combining attack graphs and CVSS
Attack graph presents a qualitative view of security problems
– It shows what attacks are possible, but does not tell you how bad the problem is.
– It captures the interactions among all attack possibilities in your system.
CVSS provides a quantitative property of individual vulnerabilities
– It tells you how bad an individual vulnerability could be.
– But it does not tell you how bad it may be in your system.

Our Approach
Use CVSS to produce a component metric: a numeric measure of the conditional probability of success of an attack step.
Suppose an attacker needs c1 (network access) to launch an attack on the vulnerability, and c2 (host compromised) is the consequence of a successful attack. The component metric is Pr[c2 = T | c1 = T].
This measure does not consider any attacker behavior.

Component metric from the CVSS level of the vulnerability: High => 0.2, Medium => 0.6, Low => 0.9

Our Approach
Aggregate the probabilities over the attack-graph structure to provide a cumulative metric: the probability of attacker success in your system.
Suppose there is a “dedicated attacker” who will try all possible ways to attack your system. If one path fails, he will try another. The cumulative metric is the probability that he can succeed in at least one path.

Calculation of the cumulative metrics
[Figure: two-node graph c1 -> c2 with Pr[c2|c1] = 0.2; Pr[c1] = ?, Pr[c2] = ?]
Pr[c1] = 1, so Pr[c2] = Pr[c2|c1] * Pr[c1] = 0.2
Pr[execCode(webServer, apache)] = 0.2

Example Two
A CVE was identified on the web server.
Internet is allowed to access the web server through HTTP protocol and port.
Web server is allowed to access the MySQL database service on the dbase server.
A CVE was identified on the db server.

[Figure: exploit pre-condition and exploit post-condition of the db server vulnerability; CVSS Medium => 0.6]

Attack graph for Example Two (node numbers as on the slide):
    1: execCode(dbServer,root)
    2: remote exploit of a server program
    3: netAccess(dbServer,dbProtocol,dbPort)
    4: multi-hop access
    5: hacl(webServer,dbServer,dbProtocol,dbPort)
    6: execCode(webServer,apache)
    7: remote exploit of a server program
    8: netAccess(webServer,httpProtocol,httpPort)
    9: direct network access
    10: hacl(internet,webServer,httpProtocol,httpPort)
    11: attackerLocated(internet)
    12: networkServiceInfo(webServer,httpd,httpProtocol,httpPort,apache)
    13: vulExists(webServer,cve_apache,httpd,remoteExploit,privEscalation)
    14: networkServiceInfo(dbServer,mySQL,dbProtocol,dbPort,root)
    15: vulExists(dbServer,cve_mySQL,mySQL,remoteExploit,privEscalation)
Pr[execCode(dbServer,root)] = 0.2 x 0.6 = 0.12

Example Three
Internet is allowed to access the web server through HTTP protocol and port.
Web server is allowed to access the MySQL database service on the db server.
User workstations are allowed to access anywhere.
A CVE was identified on the web server.
A CVE was identified on the db server.
A CVE was identified on the user workstations.

[Figure: exploit pre-condition and exploit post-condition of the workstation vulnerability; CVSS Low => 0.9]

Possible attack paths

Attack graph for Example Three (only the nodes shown on the slide; numbering as on the slide):
    6: execCode(webServer,apache)
    11: execCode(workStation,normalAccount)
    12: remote exploit of a client program
    13: hasAccount(secretary,workStation,normalAccount)
    14: canAccessMaliciousInput(workStation,secretary,internetExplorer)
    15: Browsing a malicious website
    17: hacl(workStation,internet,httpProtocol,httpPort)
    21: Browsing a compromised website
    24: isUserMachine(workStation)
    25: isWebBrowser(internetExplorer)
    26: inCompetent(secretary)
    27: vulExists(workStation,cve_IE,internetExplorer,remoteExploit,privEscalation)
    30: attackerLocated(internet)
    34: hacl(workStation,dbServer,dbProtocol,dbPort)

Challenge
How to calculate probabilities in an attack graph with shared dependencies and cycles.
– Bayesian Network (Frigault et al., 2008): does not allow cycles
– Assuming independence among attack paths (Wang et al., 2008)
– Customized data-flow algorithm with dynamic programming (Homer et al., 2009)

Result
    execCode(dbServer,root): 0.47
    execCode(webServer,apache): 0.2
    execCode(workStation,normalAccount): 0.74
Before (Example Two):
    execCode(dbServer,root): 0.12
    execCode(webServer,apache): 0.2

Prioritization
Given three hardening options:
– Patching the web server
– Patching the db server
– Patching the workstation
Which one would you patch first?

Suppose we patch the web server
                                         Before   After
    execCode(dbServer,root)              0.47     0.43
    execCode(webServer,apache)           0.2      0
    execCode(workStation,normalAccount)  0.74     0.72

Now let’s patch the db server
                                         Before   After
    execCode(dbServer,root)              0.47     0
    execCode(webServer,apache)           0.2      0.2
    execCode(workStation,normalAccount)  0.74     0.74

What if we block network access from Group 2 to Internal?
                                         Before   After
    execCode(dbServer,root)              0.47     0.12
    execCode(webServer,apache)           0.2      0.2
    execCode(workStation,normalAccount)  0.74     0.74

Optimizing Security Hardening
Let
    Pr[execCode(dbServer,root)] = p1
    Pr[execCode(webServer,apache)] = p2
    Pr[execCode(workStation,normalAccount)] = p3
If C1, C2, C3 are the “cost” for the compromise of these three hosts respectively, then your expected loss will be
    LE = C1*p1 + C2*p2 + C3*p3
All the hardening measures H1, H2, …, Hn have costs as well. If you have a maximum dollar amount H to spend on hardening, and you want to minimize your LE, what would you do?
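As an added example (not the authors' tool's code) that serves both the cumulative-metric calculation of the "Our Approach" slides and the expected-loss question just posed: the Example Two attack graph is transcribed into an AND/OR structure, the slide's High/Medium/Low table supplies the component metrics, and a brute-force search picks the cheapest set of hardening measures within a budget H that minimises LE. The asset losses C_i, the three hardening measures and their costs are constructed values. The code only handles acyclic graphs and treats attack paths as independent (the Wang et al. 2008 assumption from the Challenge slide), so it reproduces 0.2 and 0.12 for Example Two but cannot reproduce the Example Three numbers, which need the cycle-aware algorithm.

```python
"""Cumulative attack-graph metric and budgeted hardening choice.

Added example, not the authors' tool's code. GRAPH transcribes the Example Two
attack graph; COMPONENT_METRIC is the slides' CVSS level table. ASSET_LOSS,
HARDENING and the budget are constructed. Assumes an acyclic graph and
independent attack paths (Wang et al. 2008); Example Three is out of scope.
"""
from functools import reduce
from itertools import combinations
import operator

COMPONENT_METRIC = {"High": 0.2, "Medium": 0.6, "Low": 0.9}

# Derived facts are OR nodes (any one rule instance suffices); rule instances
# are AND nodes (every precondition is needed) tagged with the exploit's CVSS
# level, or None for reachability rules that carry no probability. Any node not
# listed is a primitive fact: probability 1 unless a hardening measure removes it.
GRAPH = {
    "execCode(dbServer,root)": ("OR", ["2:remote exploit of a server program"]),
    "2:remote exploit of a server program": ("AND", "Medium", [
        "netAccess(dbServer,dbProtocol,dbPort)",
        "networkServiceInfo(dbServer,mySQL,dbProtocol,dbPort,root)",
        "vulExists(dbServer,cve_mySQL,mySQL,remoteExploit,privEscalation)"]),
    "netAccess(dbServer,dbProtocol,dbPort)": ("OR", ["4:multi-hop access"]),
    "4:multi-hop access": ("AND", None, [
        "hacl(webServer,dbServer,dbProtocol,dbPort)",
        "execCode(webServer,apache)"]),
    "execCode(webServer,apache)": ("OR", ["7:remote exploit of a server program"]),
    "7:remote exploit of a server program": ("AND", "High", [
        "netAccess(webServer,httpProtocol,httpPort)",
        "networkServiceInfo(webServer,httpd,httpProtocol,httpPort,apache)",
        "vulExists(webServer,cve_apache,httpd,remoteExploit,privEscalation)"]),
    "netAccess(webServer,httpProtocol,httpPort)": ("OR", ["9:direct network access"]),
    "9:direct network access": ("AND", None, [
        "hacl(internet,webServer,httpProtocol,httpPort)",
        "attackerLocated(internet)"]),
}


def product(values):
    return reduce(operator.mul, values, 1.0)


def success_prob(node, removed=frozenset(), memo=None):
    """Pr[node holds] under the independence assumption (memoised per call)."""
    memo = {} if memo is None else memo
    if node not in memo:
        if node in removed:
            p = 0.0
        elif node not in GRAPH:
            p = 1.0
        elif GRAPH[node][0] == "AND":
            _, level, children = GRAPH[node]
            base = COMPONENT_METRIC[level] if level else 1.0
            p = base * product(success_prob(c, removed, memo) for c in children)
        else:  # OR: the dedicated attacker succeeds if any one path succeeds
            _, children = GRAPH[node]
            p = 1.0 - product(1.0 - success_prob(c, removed, memo) for c in children)
        memo[node] = p
    return memo[node]


# Constructed: loss C_i if a host is compromised, and hardening measures
# (cost, primitive fact the measure removes from the graph).
ASSET_LOSS = {"execCode(webServer,apache)": 100.0, "execCode(dbServer,root)": 1000.0}
HARDENING = {
    "patch webServer": (9, "vulExists(webServer,cve_apache,httpd,remoteExploit,privEscalation)"),
    "patch dbServer": (8, "vulExists(dbServer,cve_mySQL,mySQL,remoteExploit,privEscalation)"),
    "block webServer->dbServer": (2, "hacl(webServer,dbServer,dbProtocol,dbPort)"),
}


def expected_loss(removed=frozenset()):
    """LE = sum_i C_i * p_i, with every p_i recomputed on the hardened graph."""
    memo = {}
    return sum(c * success_prob(goal, removed, memo) for goal, c in ASSET_LOSS.items())


def best_hardening(budget):
    """Measure set within budget with minimal LE (ties broken by lower cost).
    Brute force over subsets: fine for a few measures, exponential in general."""
    best = None
    names = sorted(HARDENING)
    for k in range(len(names) + 1):
        for chosen in combinations(names, k):
            cost = sum(HARDENING[n][0] for n in chosen)
            if cost > budget:
                continue
            le = expected_loss(frozenset(HARDENING[n][1] for n in chosen))
            key = (round(le, 9), cost)
            if best is None or key < best[0]:
                best = (key, chosen)
    return best[0][0], best[1]


if __name__ == "__main__":
    for goal in ASSET_LOSS:
        print(goal, "=", success_prob(goal))
    print("LE with no hardening:", expected_loss())
    for budget in (1, 8, 10):
        print("budget", budget, "->", best_hardening(budget))
```

The OR rule is where the "dedicated attacker" assumption lives: a derived fact fails only if every path to it fails. In Example Two there is a single path, which is why patching either host or cutting the web-to-db rule each drives Pr[execCode(dbServer,root)] to 0; Example Three's workstation path is what breaks that and makes the cycle-aware algorithm necessary.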

Challenges
Scalability of metric calculation
– Heavily depends on the connectivity of attack graphs
– Exponential in the worst case
Imprecise input problem
– How sensitive is the outcome to the input component metrics?
– Approximation algorithms to trade precision for scalability?
Optimization techniques

Summary
Quantitative security risk metrics are important in making sensible decisions in security hardening
– People are already doing it in an ad-hoc way without any scientific basis
– We want to transform it from a “black art” to a science

“If you cannot measure it, you cannot improve it.” - Lord Kelvin