1. Lecture Materials for the John Wiley & Sons book: Cyber Security: Managing Networks, Conducting Tests, and Investigating Intrusions October 8, 2014 DRAFT1 Chapter 2: The Problems: Cyber Antipatterns

2. Antipatterns Concept Patterns were invented by Christopher Alexander in the book A Pattern Language Patterns resolve forces and yield benefits Antipatterns generate mostly consequences, but contain embedded patterns (refactored solutions) that resolve the problems 10/8/2014 DRAFT2 Cyber Security: Managing Networks, Conducting Tests, and Investigating Intrusions

3. Forces in Cyber Antipatterns 10/8/2014 DRAFT3 Cyber Security: Managing Networks, Conducting Tests, and Investigating Intrusions

4. Cyber Antipatterns Templates Micro Antipattern Template –Minimal structure, similar to Christopher Alexander’s original invention Full Antipattern Template –Antipattern Name –Also Known As –Refactored Solution Names –Unbalanced Primal Forces –Anedotal Evidence –Background –Antipattern Solution 10/8/2014 DRAFT4 Cyber Security: Managing Networks, Conducting Tests, and Investigating Intrusions -Causes, Symptoms, and Consequences -Known Exceptions -Refactored Solution and Examples -Related Solutions

5. Cyber Antipatterns Catalog –Can’t Patch Dumb –Unpatched Applications –Never Read the Logs –Networks Always Play By the Rules –Crunchy on the Outside Gooey in the Middle –Webify Everything –No Time for Security See additional antipatterns in Chapters 1 and 12 10/8/2014 DRAFT5 Cyber Security: Managing Networks, Conducting Tests, and Investigating Intrusions

6. Can’t Patch Dumb Human end-users are almost always the greatest vulnerability Human can, for example: –Click on unexpected email attachments –Be susceptible to phishing –Use easily guessed passwords –Visit Drive By Malware websites and malvertisements End user education is the cure – See Chapter 10 10/8/2014 DRAFT6 Cyber Security: Managing Networks, Conducting Tests, and Investigating Intrusions

7. Unpatched Applications Security researchers and attackers are constantly searching for new vulnerabilities in software Any software defect is a potential vulnerability –In software testing theory, most any defect can be manipulated to crash the program Typical software applications are shipped with 10’s of thousands of known defects, not to mention latent defects Application patching, particularly on Patch Tuesday is one of the most important defenses 10/8/2014 DRAFT7 Cyber Security: Managing Networks, Conducting Tests, and Investigating Intrusions

8. Never Read the Logs Network devices, operating systems, system services, and applications all generate logs = records of events Consolidating and reviewing the logs (i.e. using tools such as Syslog) is a critically important security activity –It is said that “all the evidence is in the logs” –If there is potentially malicious activities such as repeated failed login attempts, that fact must be detected urgently and acted upon See Chapter 9 for Advanced Log Analysis techniques 10/8/2014 DRAFT8 Cyber Security: Managing Networks, Conducting Tests, and Investigating Intrusions

9. Networks Always Play by the Rules One key reason why networked services are vulnerable, is because they expect actors using the service to play by the network rules, i.e. the established protocols Malicious actors purposefully disobey the rules when they attack systems, for example: (See Chapter 8) –Sending a very long input value containing code to attempt a buffer overflow –Sending segments of SQL code as an input to try and trigger an SQL Injection Attack –Pretending to be a wireless access point to gain the trust of mobile devices, e.g. Karma, Karmasploit, Wireless Attack Toolkit 10/8/2014 DRAFT9 Cyber Security: Managing Networks, Conducting Tests, and Investigating Intrusions

10. Crunchy on the Outside Gooey in the Middle Traditionally, network security for enterprises has focused on the Internet boundary –Hardened front-end servers in the DMZ –Internet-facing firewalls –Internet-facing intrusion detection and prevention Once attackers have penetrated the Internet boundary, defenses are often very weak, for example: –Ready intranet access to servers with restricted data –Restricted data not encrypted –Administrative users who use same username password for multiple mission-critical systems –Mission-critical databases readily accessed from intranet 10/8/2014 DRAFT10 Cyber Security: Managing Networks, Conducting Tests, and Investigating Intrusions

11. Webify Everything Some basic web attacks include: –Cross Site Request Forgery –Cross Site Scripted Attack –Man in the Middle Attack When the privileged administrator interface is webified, the system becomes highly vulnerable to these types of attacks –Webified electrical power control system console –Webified heating, ventilating, air conditioning console –Webified network device or system administration console 10/8/2014 DRAFT11 Cyber Security: Managing Networks, Conducting Tests, and Investigating Intrusions

12. No Time for Security For software projects to be successful, they often have to gain a ruthless focus on delivering results What is often abandoned in this ruthlessness is security As a security tester, you will encounter this time and time again – Security is first considered immediately before the testers arrive… for example, you may observe: –Developers in a panic creating new accounts because they were all logging in with the same privileged account 10/8/2014 DRAFT12 Cyber Security: Managing Networks, Conducting Tests, and Investigating Intrusions

13. REVIEW CHAPTER SUMMARY Cyber Security: Managing Networks, Conducting Tests, and Investigating Intrusions 10/8/2014 DRAFT13