Seminar Series: Managing IT Risk In 2010
Understanding End User Attack Vectors
Brian Judd, CISSP
SynerComm
January 20, 2009
Agenda
Top 10 Audit Findings
Client Side Risk
Client Side Exploit - Demonstration
Minimizing Client Side Risks
Questions
Top 10 Audit Findings
1. Security Awareness
2. Patch Management
3. OS Hardening / Default Configurations / Build Standards
4. Excessive Privileges
5. Weak Authentication
6. Missing Audit Trails
7. Database Security
8. Web Application Security
9. Over-Disclosure of Information
10. Lack of Network Visibility & Management
Top 10 Audit Findings - Client Side Risks
1. Security Awareness
2. Patch Management
3. OS Hardening / Default Configurations / Build Standards
4. Excessive Privileges
5. Weak Authentication
6. Missing Audit Trails
7. Database Security
8. Web Application Security
9. Over-Disclosure of Information
10. Lack of Network Visibility & Management
Vulnerabilities/Threat Areas Common to Client-Side Risk
What are Client-side Vulnerabilities?
• Client-side vulnerabilities include both software weaknesses and end-user security awareness.
• To exploit a client-side vulnerability, the computer end-user must open an infected file/document or browse to a malicious webpage.
– Occasionally, bugs in software such as MS Outlook’s preview feature could execute code with almost no user interaction.
• Client-side attacks often trick users into violating corporate security policies.
– Targeted phishing attacks often spoof email headers and known/trusted source identities.
– Policy: Do not open email messages or attachments from unknown sources.
– Policy: Do not browse non-business related websites.
– Policy: Do not install unapproved software on business machines.
• Client-side attacks may bypass many technical controls including anti-malware software, firewalls and intrusion prevention systems.
Outcomes of Client-side Attacks
• Like network-based attacks, client-side attacks often result in the compromise of computing systems. It is possible for attackers to execute arbitrary code during exploitation.
• Because client software is being attacked, malicious code will execute in the context of the exploited software.
– Most client software runs with the same privilege as the user who launched the software.
• Do your users have local administrator privileges? If so, the attacker’s malicious payload will also run with administrator privileges.
– Some client software may run with elevated privileges regardless of the computer user’s privilege.
• The payload of a client-side attack often opens a command-and-control (C&C) connection back to the attacker.
– Or worse, C&C could join a botnet.
• Any data or system that the compromised end-user has access to, the attacker will also have access to.
Common Client-side Vulnerabilities
• Internet Browsers
– Internet Explorer & Firefox
• Browser Plugins
– ActiveX Controls
• Adobe Flash, Acrobat PDF Viewer, Quicktime, Realplayer
• Common Applications
– Sun Java Runtime Environment (JRE), Adobe Acrobat and Acrobat Reader, VNC, Microsoft Office (Word, Excel, PPT, etc.), Symantec BackupExec, Thunderbird, WinZip, Windows Media Player, McAfee EPO, etc.
– Biggest Risks: Adobe Acrobat Reader and Sun JRE
• Why? Because they are found on most business machines. Critical vulnerabilities are discovered regularly in each of these applications. Sun’s JRE installer does not remove older (vulnerable) versions automatically.
• Computer End-Users
– The security awareness of your users may be your only defense.
1. Security Awareness
• Policies
– Employees should be trained on policies at time of hire
– A policy training/refresher should be given annually
• Procedures
• Standards
• Training
– Security awareness training should be given to ALL employees annually
• Require testing to ensure that key concepts are retained
– Security administrators should receive certification and information security training regularly
2. Patch Management
• Operating system patches
– Microsoft, Linux, Unix, etc.
• Legacy Microsoft software may not get patched by Windows Update or WSUS
• Switches, routers, firewalls, embedded devices
• Application patches
– Common non-Microsoft applications
• Adobe – Acrobat, Photoshop, etc.
• Sun Microsystems – Java Runtime Environment (JRE)
• Web browsers (Opera, Safari, Konqueror, etc.)
• Commercial off the shelf (COTS)
• Custom applications
– Patch management strategy
• Weekly, monthly, more??
• Patch testing and rollback
• Out of cycle patches? Zero day?
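The patch-management slide above and the earlier note that Sun’s JRE installer leaves older versions behind both come down to knowing what is actually installed. The following is an added example, not part of the presentation: a patch-compliance check over a constructed software inventory that flags installs below an approved baseline and hosts carrying more than one JRE build. Hostnames, product names and version numbers are constructed sample data, and the baseline is a placeholder rather than a vendor advisory.

```python
# Added example (not from the presentation): patch-compliance check over a
# constructed software inventory. It flags installs below a minimum approved
# version and hosts where more than one JRE build is present, the
# "installer leaves the old version behind" case the slides warn about.
# Hostnames, product names and version numbers are constructed sample data.
from collections import defaultdict

# Minimum approved versions: constructed placeholders, not vendor advisories.
BASELINE = {
    "Adobe Reader": "9.3.0",
    "Sun JRE": "1.6.0_18",
    "Mozilla Firefox": "3.5.7",
}

def parse_version(v):
    """Turn '1.6.0_18' or '9.3.0' into a tuple of ints that compares correctly."""
    return tuple(int(p) for p in v.replace("_", ".").split("."))

def check_inventory(inventory):
    """inventory: iterable of (host, product, version) rows.
    Returns sorted (host, finding) pairs."""
    findings = []
    per_host = defaultdict(list)
    for host, product, version in inventory:
        per_host[host].append((product, version))
        baseline = BASELINE.get(product)
        if baseline and parse_version(version) < parse_version(baseline):
            findings.append((host, f"{product} {version} below baseline {baseline}"))
    # Side-by-side installs: every JRE copy older than the newest one on the host
    # is stale, even when the newest copy meets the baseline.
    for host, items in per_host.items():
        jres = sorted((parse_version(v), v) for p, v in items if p == "Sun JRE")
        for _, old in jres[:-1]:
            findings.append((host, f"stale Sun JRE {old} left beside {jres[-1][1]}"))
    return sorted(findings)

SAMPLE_INVENTORY = [
    ("ws-101", "Adobe Reader", "9.3.0"),
    ("ws-101", "Sun JRE", "1.6.0_18"),
    ("ws-101", "Sun JRE", "1.6.0_07"),    # old build the JRE installer left behind
    ("ws-102", "Adobe Reader", "8.1.2"),
    ("ws-102", "Mozilla Firefox", "3.5.7"),
    ("ws-103", "Sun JRE", "1.6.0_18"),
]

if __name__ == "__main__":
    for host, finding in check_inventory(SAMPLE_INVENTORY):
        print(host, finding)
```

A real inventory would be fed from the endpoint management tool or WSUS reporting rather than a hard-coded list; the checks themselves stay the same.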
3. Operating System Hardening
• Default operating system and application installations are very dangerous
– Microsoft Windows 2000, XP, Server, etc. all install many unneeded services
– Most security controls are disabled or configured for maximum usability
– Cisco routers have vulnerable configurations until hardened
• Remove and/or rename default accounts and set strong passwords
– Windows – change “administrator” username and disable “guest” account
• Consider adopting an operating system standard/benchmark
– Sources: Center for Internet Security (CIS) or National Institute of Standards and Technology (NIST)
– Use standards to create a “Gold” build
4. Excessive Privileges
• Users have local administrator privileges to their workstations
– Especially dangerous for uncontrolled laptops that are used outside of a financial institution’s networks
• File shares not protected with access controls
• Employees with access to banking applications and/or GLBA data also have access to email and Internet
– Administrators need to ask themselves whether or not all employees should be given access to email and Internet
– Is web browsing secured and filtered by a proxy?
• Firewall egress should be locked down by strict access control lists
5. Egress Controls
• Principle of Least Privilege
– Only Email Server or Gateway should be allowed to transmit outbound using SMTP
– Dangerous protocols such as HTTP, HTTPS, FTP, SSH, ICMP, DNS, chat, P2P should be tightly restricted or blocked
• If dangerous protocols are allowed egress to the Internet, they should be monitored
– Email Gateways
– Web Proxy
– URL Filter
– Intrusion Prevention System
– SOCKS Proxy
• Encrypted protocols can be dangerous
– SSH, HTTPS
– Botnet C&C over valid HTTP/HTTPS posts and requests
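The egress rules on this slide can be turned into a check that runs over outbound flow records: the only hosts permitted to reach the Internet are the email gateway (SMTP), the web proxy (HTTP/HTTPS) and the internal DNS resolver, and everything else, including a workstation opening SSH or posting directly to HTTPS outside the proxy, is reported. This is an added example, not code from the presentation; the addresses, host roles and the one-line flow record format are assumptions, and the flow records are constructed.

```python
# Added example (not from the presentation): an egress policy modelled on the
# slides' least-privilege rules, checked against constructed outbound flow
# records. Addresses, roles and the one-line record format are assumptions.
import ipaddress

INTERNAL = ipaddress.ip_network("10.0.0.0/8")
MAIL_GATEWAY = ipaddress.ip_address("10.0.1.25")
WEB_PROXY = ipaddress.ip_address("10.0.1.80")
DNS_RESOLVER = ipaddress.ip_address("10.0.1.53")
# Only these sources may reach the Internet on these ports. Protocols the
# slides call dangerous (FTP, SSH, chat, P2P) are absent from the table, so
# any such flow from any host is reported.
ALLOWED_EGRESS = {
    ("tcp", 25): {MAIL_GATEWAY},     # SMTP only from the email gateway
    ("tcp", 80): {WEB_PROXY},        # HTTP/HTTPS only through the web proxy
    ("tcp", 443): {WEB_PROXY},
    ("udp", 53): {DNS_RESOLVER},     # DNS only from the internal resolver
    ("tcp", 53): {DNS_RESOLVER},
}

def parse_flow(line):
    """Parse a constructed flow record of the form 'proto src:port > dst:port'."""
    proto, src, _, dst = line.split()
    src_ip = src.rsplit(":", 1)[0]
    dst_ip, dst_port = dst.rsplit(":", 1)
    return proto, ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip), int(dst_port)

def egress_violations(lines):
    """Return the flow records that leave the internal network against policy."""
    bad = []
    for line in lines:
        proto, src, dst, port = parse_flow(line)
        if dst in INTERNAL:
            continue                 # internal-to-internal traffic is not egress
        if src not in ALLOWED_EGRESS.get((proto, port), set()):
            bad.append(line)
    return bad

SAMPLE_FLOWS = [
    "tcp 10.0.1.25:51000 > 203.0.113.10:25",   # mail gateway sending SMTP: allowed
    "tcp 10.0.5.17:51001 > 203.0.113.10:25",   # workstation sending SMTP directly
    "tcp 10.0.1.80:51002 > 198.51.100.7:443",  # proxy fetching HTTPS: allowed
    "tcp 10.0.5.17:51003 > 198.51.100.7:443",  # workstation bypassing the proxy
    "tcp 10.0.5.17:51004 > 198.51.100.9:22",   # outbound SSH from a workstation
    "udp 10.0.5.17:51005 > 10.0.1.53:53",      # internal DNS lookup: not egress
]

if __name__ == "__main__":
    print("\n".join(egress_violations(SAMPLE_FLOWS)))
```

The same table is what the firewall egress ACL should enforce; running the check over firewall or NetFlow logs shows whether the ACL matches the policy on the slide and whether an allowed channel such as HTTPS through the proxy is being used by hosts that should not be on it.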