Presentation is loading. Please wait.

Presentation is loading. Please wait.

Exploits and Zero-Days Exploits

Published byAurélie Dussault Modified over 6 years ago

Similar presentations

Presentation on theme: "Exploits and Zero-Days Exploits"— Presentation transcript:

1 Exploits and Zero-Days Exploits
Richard Gariboldi, Patrick Jette, Jay Jackson

2 Definitions Vulnerability: A flaw in a computer system that can allow an attacker to compromise that system. Exploit: An attack that takes advantage of a security vulnerability. Zero-Day Vulnerability: An unknown and unpatched vulnerability. Zero-Day Exploit: An exploit to an previously unknown vulnerability. We have not found all vulnerabilities Zero-day exploits are different from zero-day vulnerabilities. a zero-day vulnerability can have multiple exploits

3 What is a Zero-day? Anatomy of a zero day .

4 Dark web & zero-days TheRealDeal Market
Apple iCloud accounts exploit cost $17,000 in bitcoin. Another to hack WordPress’ multisite configuration . Offers multisignature transactions Bitcoins are managed by the buyer, seller, and market admins for buyer and seller protection. Bitcoins are not held by the market itself. We don’t know for sure if these exploits actually work and there is no legal way to test them. Internet explorer exploit

5 NSA Zero-days “Shadow Brokers” days/

6 Types of exploits Latest exploit news! Remote Code Execution
Privilege Escalation Denial of Service  Web Application SQL Injection XSS Buffer Overflow Etc. Latest exploit news! Known & Unknown OWASP – Open Web application security project: organization that provides unbiased and practical, cost-effective information about computer and Internet applications. The exploit DB Fireeye zero day news  Mitre  

7 Statistics db.com/exploit-database- statistics/ “I see you have a Masters in music composition, you're hired!”

8 Vulnerability Protection Measures
Update your systems regularly Implement vulnerability scans into your patch management cycle Know your systems: Frequently update network and configuration maps NIDS/IPS Perform regular security audits (to include Pen. Testing) SANs 0-day whitepaper Patch management only goes so far. Patches are not always made. Some patches may be faulty and break other parts of the system. Some vulnerabilities cannot be fixed by patching -Patch management will not correct vulnerabilities caused by misconfiguration, such as default settings that allow access to systems that should be restricted. Hackers can reverse engineer patches and create a new exploit Cybersecurity experts at Arizona state created a cyberthreat intelligence-gathering operation that uses machine learning to study hacking forums and marketplaces in the dark web and deep net. 

9 Bugcrowd Large community of white hat hackers
All searching for vulnerabilities Submit vulnerabilities for review and compensation Beneficial to enterprises with lack of resources  Increase the chance to find zero-day exploits.  Who uses  bugcrowd: Netgear, Western Union, OWASP, etc.

10 Reporting Department of Justice Framework for Vulnerability Discloser
Cert Disclosure Policies:

11 https://nvd.nist.gov/vuln/detail/CVE-2017-5638
Examples Internet Explorer BlueBorne Microsoft SMB WinXP Apache Struts

12 Metasploit Tutorial

13 Questions?

Download ppt "Exploits and Zero-Days Exploits"

Similar presentations

OWASP Web Vulnerabilities and Auditing

OWASP Web Vulnerabilities and Auditing
Creating Stronger, Safer, Web Facing Code JPL IT Security Mary Rivera June 17, 2011.

Creating Stronger, Safer, Web Facing Code JPL IT Security Mary Rivera June 17, 2011.
Black, White, Grey Hat Hackers Not all hackers are bad…which one’s which?

Black, White, Grey Hat Hackers Not all hackers are bad…which one’s which?
Web Defacement Anh Nguyen May 6 th, 2010. Organization Introduction How Hackers Deface Web Pages Solutions to Web Defacement Conclusions 2.

Web Defacement Anh Nguyen May 6 th, Organization Introduction How Hackers Deface Web Pages Solutions to Web Defacement Conclusions 2.
Network Security and its Impact on Network Continuity.

Network Security and its Impact on Network Continuity.
Penetration Testing Anand Sudula, CISA,CISSP SSA Global Technologies, India Anand Sudula, CISA,CISSP SSA Global Technologies, India.

Penetration Testing Anand Sudula, CISA,CISSP SSA Global Technologies, India Anand Sudula, CISA,CISSP SSA Global Technologies, India.
INDEX  Ethical Hacking Terminology.  What is Ethical hacking?  Who are Ethical hacker?  How many types of hackers?  White Hats (Ethical hackers)

INDEX  Ethical Hacking Terminology.  What is Ethical hacking?  Who are Ethical hacker?  How many types of hackers?  White Hats (Ethical hackers)
1 Colorado University Guest Lecture: Vulnerability Assessment Chris Triolo Spring 2007.

1 Colorado University Guest Lecture: Vulnerability Assessment Chris Triolo Spring 2007.
Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.

Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.
Dec 13 th CS555 presentation1 Yiwen Wang --“Securing the DB may be the single biggest action an organization can take to protect its assets” David C. Knox.

Dec 13 th CS555 presentation1 Yiwen Wang --“Securing the DB may be the single biggest action an organization can take to protect its assets” David C. Knox.
Software Security Course Course Outline 2-27-09. Course Overview Introduction to Software Security Common Attacks and Vulnerabilities Overview of Security.

Software Security Course Course Outline Course Overview Introduction to Software Security Common Attacks and Vulnerabilities Overview of Security.
Presenter Deddie Tjahjono.  Introduction  Website Application Layer  Why Web Application Security  Web Apps Security Scanner  About  Feature  How.

Presenter Deddie Tjahjono.  Introduction  Website Application Layer  Why Web Application Security  Web Apps Security Scanner  About  Feature  How.
Citadel Security Software Presents Are you Vulnerable? Bill Diamond Senior Security Engineer

Citadel Security Software Presents Are you Vulnerable? Bill Diamond Senior Security Engineer
The Business of Penetration Testing

The Business of Penetration Testing
Web Application Vulnerabilities Checklist. EC-Council Parameter Checklist  URL request  URL encoding  Query string  Header  Cookie  Form field 

Web Application Vulnerabilities Checklist. EC-Council Parameter Checklist  URL request  URL encoding  Query string  Header  Cookie  Form field 
Web Application Security

Web Application Security
Security and Risk Management. Who Am I Matthew Strahan from Content Security Principal Security Consultant I look young, but I’ve been doing this for.

Security and Risk Management. Who Am I Matthew Strahan from Content Security Principal Security Consultant I look young, but I’ve been doing this for.
Vulnerabilities. flaws in systems that allow them to be exploited provide means for attackers to compromise hosts, servers and networks.

Vulnerabilities. flaws in systems that allow them to be exploited provide means for attackers to compromise hosts, servers and networks.
AIS, 20141 Passwords Should not be shared Should be changed by user Should be changed frequently and upon compromise (suspected unauthorized disclosure)

AIS, Passwords Should not be shared Should be changed by user Should be changed frequently and upon compromise (suspected unauthorized disclosure)
PCI: As complicated as it sounds? Gerry Lawrence CTO

PCI: As complicated as it sounds? Gerry Lawrence CTO

Similar presentations

Ads by Google