MBA 560 Security 101 (PowerPoint presentation)

- Automated Attacks Defined
- Microsoft's Approach to Vulnerabilities
- How to Protect Your P.C.
Automated Attack Vectors

Automated Attack Vectors: Viruses
- A computer program file capable of attaching to disks or other files
- Necessary characteristics of a virus:
  - It is able to replicate
  - It requires a host program as a carrier
  - It is activated by external action

Automated Attack Vectors: Viruses: Polymorphic viruses
- Creates copies during replication that are functionally equivalent but have distinctly different byte streams
  - Randomly inserts superfluous instructions
  - Interchanges the order of independent instructions
  - Uses encryption schemes
- This variable quality makes it difficult to locate, identify, or remove
Automated Attack Vectors: Worms
- A self-replicating computer program, similar to a virus
- A virus attaches itself to, and becomes part of, another executable program
- A worm is self-contained and does not need to be part of another program to propagate itself

Automated Attack Vectors: Worms
- Necessary characteristics of a worm:
  - It is able to replicate without user intervention
  - It is self-contained and does not require a host
  - It is activated by creating a process
  - If it is a network worm, it can replicate across communication links
- Some customers like to distinguish between worms that use buffer overruns to propagate and those that use e-mail

Automated Attack Vectors: Worms: Examples
- SQL Slammer
- Blaster
- MyDoom
- Sasser
Automated Attack Vectors: Bots
- Derived from the word Robot
- Program designed to search for information on the Internet with little human intervention
- Search engines, such as Yahoo and Altavista, typically use bots to gather information for their databases

Automated Attack Vectors: Bots
- Bots are analogous to agents
  - Typically an exe
- Bots are not exploits themselves
  - They are payloads delivered by worms, viruses and hackers
  - Installed after compromise
- Infect the system and maintain access for attackers to control it
- Botnets – thousands of systems controlled

Automated Attack Vectors: Bots
- Thousands of highly configurable bot packages available on the Internet
- Some use IRC channels to communicate
  - Easy to use
  - Control thousands of systems
  - Obscures traffic among legitimate IRC traffic (TCP port 6667)
  - Obscures the attacker's identity

Automated Attack Vectors: Bots: uses
- DDoS attacks
- Information theft
  - keyboard logging, network monitoring, etc.
- Trade bandwidth between hacker communities
- Warez, i.e. host illegal data
  - Pirated software, movies, games, etc.

Automated Attack Vectors: Bots: prime targets
- High bandwidth ("cable bots")
- High availability systems
- Low user sophistication
- System located in a geography providing low likelihood of law enforcement effectiveness

Automated Attack Vectors: Bots: examples
- Agobot = Gaobot = Phatbot = Polybot
  - Thousands of variants
  - Uses MS03-001 and MS03-026/MS03-039 to propagate
  - TCP port 135 and TCP port 445
  - Probes admin shares using a hard-coded list of user names and passwords

Automated Attack Vectors: Bots: examples
- Agobot = Gaobot = Phatbot = Polybot
  - Steals CD keys for a hard-coded list of popular games
  - Inventories running processes
  - Kills processes in a hard-coded list:
    - Firewalls
    - AV software
    - Other worms
Automated Attack Vectors: Backdoors
- Provides user access without using normal authorization or vulnerability exploitation
- Typically runs under system context
- Once installed, allows anyone or any program that knows the listening port number (and password) to remotely control the host
- Intruders access the backdoor server using either a text-based or a graphics-based client
- Allows intruders to run any command or process

Automated Attack Vectors: Trojans
- Term borrowed from Greek history
- Malicious program disguised as something benign
  - Screen saver, game, etc.
  - exe, com, vbs, bat, pif, scr, lnk, js, etc.
- It seems to function as the user expects

Automated Attack Vectors: Trojans
- May or may not appear in the process list
- May install a backdoor
- Generally spread through e-mail and the exchange of disks and files
- Also spread by worms, IRC channels, P2P applications, porn sites, etc.
Security at Microsoft

Vulnerability Lifecycle: Presentation Content
- Overview of security teams at Microsoft
- Security Bulletin Development Walk-thru
  - Vulnerability Reported
  - Investigation
  - Bulletin release
  - Support

Security Teams at Microsoft
- PSS Security – Microsoft Services and Our Customers
- Trustworthy Computing Security – Strategy for Trustworthy Computing
- Microsoft Security Response Center (MSRC)
- Corporate Security – Operations, Network Security
- Security Business & Technology Unit (SBTU)
- Microsoft Consulting – National Practice TWC
- Premier Support Services – Security Solutions Architects
- Secure Windows Initiative (SWI)
- Security Center of Excellence (SCOE)
- MSN, MS.com, etc.
Vulnerability Reported
- Is the reported problem really a vulnerability?
- A security vulnerability is a flaw in a product that makes it infeasible – even when using the product properly – to prevent an attacker from usurping privileges on the user's system, regulating its operation, compromising data on it, or assuming ungranted trust.
- http://www.microsoft.com/technet/treeview/default.asp?url=/technet/columns/security/essays/vulnrbl.asp

Vulnerability Reported
- Security vulnerabilities are reported to:
  - MSRC: https://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/alertus.asp
  - PSS Security
  - Other PSS support teams
  - Third parties
- Reporters include:
  - Customers
  - Security consulting companies
- MSRC actively looks for reports

Bulletin Release
- MSRC writes the bulletin and associated KB article(s)
- Microsoft Security Notification Service: http://www.microsoft.com/technet/security/bulletin/notify.mspx
Bulletin Release: where bulletins are published
- http://www.microsoft.com
- http://www.microsoft.com/security
- http://www.microsoft.com/office
- http://www.microsoft.com/exchange
- http://www.microsoft.com/sql
- http://www.microsoft.com/servers
- http://msdn.microsoft.com/security
- http://www.microsoft.com/technet
- http://www.microsoft.com/windows
- http://www.microsoft.com/windows/ie
- http://www.microsoft.com/windowsXP
- http://www.microsoft.com/windows2000/server
- http://www.microsoft.com/windows2000/professional
- http://www.microsoft.com/NTServer
- http://www.microsoft.com/ntserver/ProductInfo/terminal
- http://www.microsoft.com/windowsMe
- http://www.microsoft.com/windowsserver2003
- http://www.microsoft.com/protect
Support
- After release, PSS Security is responsible for:
  - Bulletin – accuracy and corrections
  - Related KB articles – accuracy and corrections
  - Download links – accuracy and corrections
  - Security update installation and functionality
  - Consulting on patch management strategy
  - Windows Update issues
  - Software Update Services (SUS)
  - MSsecure.xml issues
  - Hacking, worms, viruses and Trojans using the vulnerability
Support: Helping Customers Avoid a Crisis
- Patches proliferating
- Time to exploit decreasing
- Exploits are more sophisticated
- Current approach is not sufficient
- Security is our #1 Priority
  - There is no silver bullet
  - Change requires innovation

[Chart: Days between patch and exploit]
- Nimda: 331
- SQL Slammer: 180
- Welchia/Nachi: 151
- Blaster: 25
Protecting Your P.C.

How To Protect Your PC
- Three primary ways to exploit you:
  - Weak passwords
  - Unpatched vulnerabilities
  - Social Engineering

How To Protect Your PC: Use Complex Passwords
- At least eight characters long
- Does not contain all or part of the user's account name
- Contains characters from three of the following four categories:
  - English uppercase characters (A through Z)
  - English lowercase characters (a through z)
  - Base-10 digits (0 through 9)
  - Non-alphanumeric (for example, !, $, #, %), extended ASCII, symbolic, or linguistic characters
How To Protect Your PC: Other Options
- Use a pass phrase instead of a password
- Use non-English words in the password
- Rename accounts, including the Administrator account
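The complexity rules above (length, no part of the account name, three of four character categories) as a checker, added here as an example and not part of the original slides; the delimiter set used to split a display name into "parts" is an assumption of this example. It also shows why a pass phrase still needs a third category to pass the rule.

```python
import re
import string

# Delimiters used to break a display name into "parts" for the
# "all or part of the account name" rule (assumption of this example).
_NAME_DELIMS = re.compile(r"[,.\-_ #\t]+")


def categories_hit(password: str) -> set:
    """Return the set of character categories the password draws from."""
    hit = set()
    for ch in password:
        if ch in string.ascii_uppercase:
            hit.add("upper")
        elif ch in string.ascii_lowercase:
            hit.add("lower")
        elif ch in string.digits:
            hit.add("digit")
        else:
            # Punctuation, spaces, extended ASCII, or non-English letters
            hit.add("other")
    return hit


def contains_account_name(password: str, account: str, display_name: str = "") -> bool:
    """True if the password contains the account name or a part (3+ chars) of the display name."""
    pw = password.lower()
    if account and account.lower() in pw:
        return True
    for token in _NAME_DELIMS.split(display_name.lower()):
        if len(token) >= 3 and token in pw:
            return True
    return False


def check_password(password: str, account: str, display_name: str = "") -> list:
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than eight characters")
    if contains_account_name(password, account, display_name):
        problems.append("contains all or part of the account name")
    if len(categories_hit(password)) < 3:
        problems.append("uses fewer than three of the four character categories")
    return problems


if __name__ == "__main__":
    # Constructed sample: a lowercase pass phrase only hits "lower" and "other"
    print(check_password("correct horse battery staple", "jsmith"))
    print(check_password("Correct horse battery staple!", "jsmith"))
```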
How To Protect Your PC: Keep Your PC Updated
- Use Windows Update AND Office Update
- Use the automatic update client
- XP SP2
- Run antivirus and anti-spyware software

How To Protect Your PC: Social Engineering
- Do not open e-mail from people you don't know
- Do not open e-mail attachments
- Do not follow URLs sent in e-mail
- Do not go to web sites that you cannot trust

How To Protect Your PC: http://www.microsoft.com/protect