Protecting Your Corporation from Hacking Attacks

Presented by Roland Cheung, HKCERT

Information Security Seminar 2012 (May) - Combat Cyber Attack



Agenda

• Security Threat

• Case Study

• Security Mitigation Strategies


Security Threat


Hacktivism


Cyber Attacks Timeline Apr-2012

Source: http://hackmageddon.com/2012-cyber-attacks-timeline-master-index/


Cyber Attacks Statistics

Source: http://hackmageddon.com/2012/04/16/april-2012-cyber-attacks-timeline-part-i/


Target

• Data

– User Information

– Financial data

– Digital certificate

• Resources

– Computing power

– Bandwidth

– IP address


Major Threat

• Denial of Service

• Website Defacement

• Phishing Website

• Malware Hosting

• Botnet


Denial of Service

• An attempt to make a computer or network resource unavailable to its intended users.

• Data volume exceeding the limit the resource can afford

• Application Vulnerability – Apache Byte Range vulnerability (CVE-2011-3192)

Source: http://wiki.apache.org/httpd/CVE-2011-3192
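As an added example (not part of the slides), a request-filter check in Python that counts the byte ranges in an HTTP Range header and rejects requests asking for too many, the pattern that made CVE-2011-3192 a denial-of-service issue. The cap of 5 ranges mirrors the mod_rewrite workaround in Apache's advisory; the sample headers are constructed.

```python
import re

# Added example, not from the slides or the Apache project: reject Range
# headers carrying an abusive number of byte-range specs (CVE-2011-3192).
# Apache's advisory workaround allowed at most five ranges per request.
MAX_RANGES = 5

# One byte-range spec per RFC 2616: "first-last", "first-" or "-suffix".
_RANGE_SPEC = re.compile(r"^(\d*)-(\d*)$")


def count_byte_ranges(range_header: str) -> int:
    """Return the number of valid byte-range specs, or -1 if the header is malformed."""
    header = range_header.strip()
    if not header.lower().startswith("bytes="):
        return -1
    specs = [s.strip() for s in header[len("bytes="):].split(",")]
    for spec in specs:
        m = _RANGE_SPEC.match(spec)
        # Both ends empty ("-") is not a range at all.
        if not m or (m.group(1) == "" and m.group(2) == ""):
            return -1
    return len(specs)


def should_reject(range_header: str, limit: int = MAX_RANGES) -> bool:
    """True when the header is malformed or requests more than `limit` ranges."""
    n = count_byte_ranges(range_header)
    return n < 0 or n > limit


# Constructed sample headers: two normal download patterns and one that
# requests hundreds of ranges in a single request.
SAMPLES = {
    "resume_download": "bytes=1024-",
    "two_ranges": "bytes=0-99, 200-299",
    "abusive": "bytes=" + ",".join(f"{i}-{i}" for i in range(300)),
}

if __name__ == "__main__":
    for name, hdr in SAMPLES.items():
        verdict = "reject" if should_reject(hdr) else "allow"
        print(f"{name}: {count_byte_ranges(hdr)} range(s) -> {verdict}")
```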


Website Defacement

• An attack on a website that changes the visual appearance of the site or a webpage.

• Zone-H – a web archive of defaced website versions: http://www.zone-h.org


Website Defacement

• Year to Date (15-May-2012)

– No. of records (.hk): 207

Source: www.zone-h.org


Phishing Website

Hong Kong Clean PC Day 2011 Seminar (June)

Malware hosting


Botnet

Botnet (aka Zombie Network, 殭屍網路)

• A collection of compromised computers (called bots, zombie) under a common command-and-control (called C&C) infrastructure.

http://en.wikipedia.org/wiki/Botnet

Image source: ENISA


Botnet

Flashback Botnet

• Targets Mac OS

• Exploits a Java vulnerability

• Infected over 0.6 million Macs

• Over 50% in the U.S.

Source: https://drweb.com/flashback/?lng=en


Case study


1. Mass SQL Injection


1. Mass SQL Injection

• SQL injection

– Exploits a lack of input validation on a website to execute unauthorized database commands on the web application's database server.

E.g. http://example.com/app/accountView?id=' or '1'='1

– causes the query to return all the records from the accounts database

• OWASP - Top 10 Web Application Security Risks 2010: A1 Injection

Source: https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
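As an added example (not from the slides), the accountView?id= lookup above written the vulnerable way, by splicing the parameter into the SQL text, beside the parameterised form that treats the same input as a plain value. The in-memory SQLite database, table and rows are constructed for illustration.

```python
import sqlite3

# Added example, not from the slides: the slide's accountView?id= query built
# by string concatenation versus with a bound parameter. Schema and rows are
# constructed for illustration.

def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (id TEXT PRIMARY KEY, owner TEXT, balance INTEGER)")
    conn.executemany(
        "INSERT INTO accounts VALUES (?, ?, ?)",
        [("1001", "alice", 500), ("1002", "bob", 1200), ("1003", "carol", 75)],
    )
    return conn


def account_view_vulnerable(conn: sqlite3.Connection, account_id: str) -> list:
    # Untrusted input becomes part of the SQL text. With id=' or '1'='1 the
    # WHERE clause reads  id = '' or '1'='1'  and every row is returned.
    sql = f"SELECT id, owner, balance FROM accounts WHERE id = '{account_id}'"
    return conn.execute(sql).fetchall()


def account_view_safe(conn: sqlite3.Connection, account_id: str) -> list:
    # A bound parameter is always a value, never SQL syntax, so the same
    # input is compared literally against the id column and matches nothing.
    sql = "SELECT id, owner, balance FROM accounts WHERE id = ?"
    return conn.execute(sql, (account_id,)).fetchall()


PAYLOAD = "' or '1'='1"   # the value from the slide's example URL

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", account_view_vulnerable(db, PAYLOAD))   # all three accounts
    print("safe:      ", account_view_safe(db, PAYLOAD))         # []
    print("safe, real id:", account_view_safe(db, "1002"))       # bob's row only
```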


1. Mass SQL Injection

• A recent campaign found over 10,000 legitimate global web sites were affected in Mar 2012

– Abusing an input validation flaw

– Exploiting vulnerable web application software

Source: http://blog.webroot.com/2012/03/26/tens-of-thousands-of-web-sites-affected-in-ongoing-mass-sql-injection-attack/


1. Mass SQL Injection

• Injected malicious website link

– stmyst.com, statsmy.com

– Server hosted in Russia

– Serves fake AV software


2. Conditional Redirection


2. Conditional Redirection

• Redirects search engine results to the attacker's own sites

• Common method: use .htaccess in Apache

• .htaccess is a powerful file that allows multiple changes to web server and PHP behavior.

• Hard to find and clean up

Source: http://blog.sucuri.net/2011/05/understanding-htaccess-attacks-part-1.html
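As an added example (not from the slides or the Sucuri post), a small Python checker that scans an .htaccess file for mod_rewrite redirects that fire only when the referer is a search engine, which is how the conditional redirection described above is typically expressed. The sample .htaccess content, the engine-name list and the redirect.invalid target are constructed for illustration.

```python
import re

# Added example, not from the slides: flag RewriteRule redirects that are
# guarded by a RewriteCond on HTTP_REFERER naming a search engine.
# Engine names and sample file are constructed for illustration.
SEARCH_ENGINE_HINT = re.compile(r"google|bing|yahoo|msn|ask\.com|aol", re.I)
REFERER_COND = re.compile(r"^\s*RewriteCond\s+%\{HTTP_REFERER\}\s+(\S+)", re.I)
RULE_LINE = re.compile(r"^\s*RewriteRule\s+\S+\s+(\S+)", re.I)


def find_conditional_redirects(htaccess_text: str) -> list:
    """Return (line_no, target_url) for each external redirect guarded by a search-engine referer test."""
    findings = []
    pending_conds = []            # line numbers of referer conditions not yet consumed
    for lineno, line in enumerate(htaccess_text.splitlines(), start=1):
        cond = REFERER_COND.match(line)
        if cond:
            if SEARCH_ENGINE_HINT.search(cond.group(1)):
                pending_conds.append(lineno)
            continue
        rule = RULE_LINE.match(line)
        if rule:
            target = rule.group(1)
            # Only an absolute URL sends the visitor off-site.
            if pending_conds and re.match(r"https?://", target, re.I):
                findings.append((lineno, target))
            pending_conds = []    # RewriteCond lines apply only to the next RewriteRule
    return findings


# Constructed sample: a legitimate www-canonicalisation rule, then an injected
# block that sends only search-engine visitors to an attacker-controlled host.
SAMPLE_HTACCESS = """\
RewriteEngine On
RewriteCond %{HTTP_HOST} ^example\\.com$ [NC]
RewriteRule ^(.*)$ http://www.example.com/$1 [R=301,L]
RewriteCond %{HTTP_REFERER} .*google.* [NC,OR]
RewriteCond %{HTTP_REFERER} .*bing.* [NC]
RewriteRule ^(.*)$ http://redirect.invalid/in.php [R=301,L]
"""

if __name__ == "__main__":
    for lineno, target in find_conditional_redirects(SAMPLE_HTACCESS):
        print(f"line {lineno}: redirect to {target} only for search-engine referers")
```

Run it against each .htaccess found under the web root (they can sit in any subdirectory); a legitimate canonicalisation rule like the first one in the sample is not reported.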


2. Conditional Redirection


Malicious web sites

• 92% of spam email contains a web link

• 82% of malicious web sites are hosted on compromised hosts

Source: Websense, http://www.websense.com/assets/reports/report-2012-threat-report-en.pdf


Common Problems

• Weak Access Control

• Weak Password

• Vulnerable server or Application

• Malware Infection

• No dedicated IT staff

Security Mitigation Strategies


Security Mitigation Strategies

• Security Policy

• Security Protection

• Security Audit


Security Mitigation Strategies

Security policy

• Network Access Management

• Patch Management

• Password Management

• Data Management

• Log Management

• Desktop Management


Patch Management

• Vendor's OS and application update checking features

• Patch checking tool – Secunia Personal Software Inspector (PSI): http://secunia.com/vulnerability_scanning/personal/


Data Management

• Data Classification

– Confidential

• Data Encryption

– Server/Workstation

– Database

– Portable storage


Security protection

• Anti-Malware

• Network Firewall

• Application Firewall

• Content filtering service


Network Firewall

• Malicious Site Blocklist

– ZeuS Blocklist https://zeustracker.abuse.ch/blocklist.php

– Malware Domain Blocklist http://www.malwaredomains.com/files/domains.txt


Application Firewall

• Types of exploit defended against

- e.g. OWASP Top 10

• Learning mode

• Self-defined rules


Content filtering service

Features

• Anti-DDoS

• Web traffic filtering

Operation

• Change your domain's DNS settings.

• Traffic is routed through the service provider for pre-processing.


Security Audit

• Review Policy and Procedure

• Vulnerability Scanning

• Site Checking


Review Policy and Procedure

• Self Assessment

– Sample Audit checklist http://www.ogcio.gov.hk/eng/prodev/download/g51_pub.pdf


Vulnerability Scanning

• Self Assessment

– OpenVAS (system)

http://www.openvas.org

– Samurai Live CD (Web Application)

http://samurai.inguardians.com


Site Checking

Free site checking tools

• Google Safe Browsing http://safebrowsing.clients.google.com/safebrowsing/diagnostic?site=domain

• Sucuri http://sitecheck.sucuri.net/scanner/

• URLQuery http://urlquery.net/

• Wepawet http://wepawet.iseclab.org/

• Zscaler http://zulu.zscaler.com/


Q & A

Thank you

Email: [email protected]
