Protecting Your Corporation from Hacking Attacks
Presented by Roland Cheung HKCERT
Information Security Seminar 2012 (May) - Combat Cyber Attack
Agenda
• Security Threat
• Case Study
• Security Mitigation Strategies
Cyber Attacks Timeline Apr-2012
Source: http://hackmageddon.com/2012-cyber-attacks-timeline-master-index/
Cyber Attacks Statistics
Source: http://hackmageddon.com/2012/04/16/april-2012-cyber-attacks-timeline-part-i/
Target
• Data
– User Information
– Financial data
– Digital certificate
• Resources
– Computing power
– Bandwidth
– IP address
Major Threat
• Denial of Service
• Website Defacement
• Phishing Website
• Malware Hosting
• Botnet
Denial of Service
• An attempt to make a computer or network resource unavailable to its intended users.
• Traffic volume that exceeds the capacity the resource can afford
• Application vulnerability, e.g. the Apache byte-range vulnerability (CVE-2011-3192)
Source: http://wiki.apache.org/httpd/CVE-2011-3192
Website Defacement
• An attack on a website that changes the visual appearance of the site or a webpage.
• Zone-H: a website archive of versions of defaced websites. http://www.zone-h.org
Website Defacement
• Year to Date (15-May-2012)
– No. of records (.hk): 207
• Source: www.zone-h.org
Hong Kong Clean PC Day 2011 Seminar (June)
Malware hosting
Botnet (aka Zombie Network, 殭屍網路)
• A collection of compromised computers (called bots, zombie) under a common command-and-control (called C&C) infrastructure.
http://en.wikipedia.org/wiki/Botnet
Image source: ENISA
Botnet
Flashback Botnet
• Targets Mac OS
• Exploits a Java vulnerability
• Infected over 0.6 million Macs
• Over 50% in the U.S.
Source: https://drweb.com/flashback/?lng=en
1. Mass SQL Injection
• SQL injection
– Exploits a lack of input validation on a website to execute unauthorized database commands on the web application's database server.
E.g. http://example.com/app/accountView?id=' or '1'='1
– causes the query to return all the records from the accounts database
• OWASP - Top 10 Web Application Security Risks 2010
A1: Injection
Source: https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
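As an added example (not from the seminar slides), the accountView lookup above rebuilt in Python over a constructed in-memory SQLite table: the string-concatenated query returns every account for the id value `' or '1'='1`, while the parameterised version treats the same value as plain data. The table, rows and function names are assumptions for illustration.

```python
import sqlite3

# Constructed sample accounts table, standing in for the "accounts database"
# behind http://example.com/app/accountView?id=... on the slide (not real data).
SAMPLE_ROWS = [("1001", "alice", 500), ("1002", "bob", 1200), ("1003", "carol", 80)]

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (id TEXT, owner TEXT, balance INTEGER)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn

def account_view_vulnerable(conn, account_id):
    # The request parameter is pasted into the SQL text, so quotes inside it
    # change the statement's structure instead of being treated as data:
    #   ... WHERE id = '' or '1'='1'   -> always true, every row returned
    sql = "SELECT id, owner, balance FROM accounts WHERE id = '" + account_id + "'"
    return conn.execute(sql).fetchall()

def account_view_safe(conn, account_id):
    # Parameterised query: the driver binds the value separately from the SQL
    # text, so "' or '1'='1" is just a (non-existent) account id.
    sql = "SELECT id, owner, balance FROM accounts WHERE id = ?"
    return conn.execute(sql, (account_id,)).fetchall()

def demo():
    conn = make_db()
    payload = "' or '1'='1"  # the id value from the slide's example URL
    return {
        "normal_vulnerable": account_view_vulnerable(conn, "1002"),
        "payload_vulnerable": account_view_vulnerable(conn, payload),
        "payload_safe": account_view_safe(conn, payload),
    }

if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {len(rows)} row(s) -> {rows}")
```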
1. Mass SQL Injection
• A recent campaign found over 10,000 legitimate global web sites were affected in Mar 2012
– Abusing an input validation flaw
– Exploiting vulnerable web application software
Source: http://blog.webroot.com/2012/03/26/tens-of-thousands-of-web-sites-affected-in-ongoing-mass-sql-injection-attack/
1. Mass SQL Injection
• Injected malicious website link
– stmyst.com, statsmy.com
– server hosted in Russia
– serve Fake AV software
2. Conditional Redirection
• Redirects visitors arriving from search engine results to the attacker's own sites
• Common method: use .htaccess in Apache
• A powerful file that allows multiple changes to web server and PHP behaviour
• Hard to find and to clean up
Source: http://blog.sucuri.net/2011/05/understanding-htaccess-attacks-part-1.html
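Because the redirect only fires for search-engine referrers, an administrator browsing the site directly sees nothing wrong; a check of the .htaccess file itself is therefore the practical detection. The following scanner is an added example (not from the slides or Sucuri): it flags any RewriteRule whose substitution is an absolute URL and whose preceding RewriteCond chain tests HTTP_REFERER against search-engine names. The .htaccess content is constructed, and REDIRECT-TARGET.example is a placeholder host.

```python
import re

# Constructed .htaccess content (not taken from any real site). The last two
# directives show the pattern described on the slide: the redirect fires only
# when the visitor arrives from a search engine, so the site owner browsing the
# site directly never sees it. REDIRECT-TARGET.example is a placeholder host.
SAMPLE_HTACCESS = """\
# ordinary CMS front-controller rules
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^(.*)$ index.php [L]

RewriteCond %{HTTP_REFERER} (google|yahoo|bing)\\. [NC]
RewriteRule ^(.*)$ http://REDIRECT-TARGET.example/ [R=302,L]
"""

SEARCH_ENGINE_RE = re.compile(r"google|yahoo|bing|aol|ask\.com", re.I)

def find_conditional_redirects(htaccess_text):
    """Return (line_number, directive) for every RewriteRule whose substitution
    is an absolute URL (mod_rewrite treats that as an external redirect) and
    whose preceding RewriteCond chain tests HTTP_REFERER for a search engine."""
    findings = []
    referer_cond_seen = False  # True while a suspicious RewriteCond chain is open
    for lineno, raw in enumerate(htaccess_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("RewriteCond"):
            if "%{HTTP_REFERER}" in line and SEARCH_ENGINE_RE.search(line):
                referer_cond_seen = True
            continue  # RewriteCond lines chain onto the next RewriteRule
        if line.startswith("RewriteRule"):
            parts = line.split()
            substitution = parts[2] if len(parts) > 2 else ""
            external = substitution.lower().startswith(("http://", "https://"))
            if referer_cond_seen and external:
                findings.append((lineno, line))
        referer_cond_seen = False  # any non-RewriteCond directive closes the chain
    return findings

if __name__ == "__main__":
    for lineno, directive in find_conditional_redirects(SAMPLE_HTACCESS):
        print(f"line {lineno}: {directive}")
```

Run it over every .htaccess under the web root (including ones in upload and theme directories, where injected copies are easy to miss).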
Malicious web sites
• 92% of spam email contains a web link
• 82% of malicious web sites are hosted on compromised hosts
Source: Websense
http://www.websense.com/assets/reports/report-2012-threat-report-en.pdf
Common Problems
• Weak Access Control
• Weak Password
• Vulnerable server or Application
• Malware Infection
• No dedicated IT staff
Security Mitigation Strategies
• Security Policy
• Security Protection
• Security Audit
Security Mitigation Strategies
Security policy
• Network Access Management
• Patch Management
• Password Management
• Data Management
• Log Management
• Desktop Management
Patch Management
• Vendors' OS and application update-checking features
• Patch checking tool
– Secunia Personal Software Inspector (PSI) http://secunia.com/vulnerability_scanning/personal/
Data Management
• Data Classification
– Confidential
• Data Encryption
– Server/Workstation
– Database
– Portable storage
Security protection
• Anti-Malware
• Network Firewall
• Application Firewall
• Content filtering service
Network Firewall
• Malicious Site Blocklist
– ZeuS Blocklist https://zeustracker.abuse.ch/blocklist.php
– Malware Domain Blocklist http://www.malwaredomains.com/files/domains.txt
Application Firewall
• Types of exploit defended against
– e.g. OWASP Top 10
• Learning mode
• Self-defined rules
Content filtering service
Features
• Anti-DDoS
• Web traffic filtering
Operation
• Change your domain's DNS settings
• Route traffic through the service provider for pre-processing
Security Audit
• Review Policy and Procedure
• Vulnerability Scanning
• Site Checking
Review Policy and Procedure
• Self Assessment
– Sample Audit checklist http://www.ogcio.gov.hk/eng/prodev/download/g51_pub.pdf
Vulnerability Scanning
• Self Assessment
– OpenVAS (System) http://www.openvas.org
– Samurai Live CD (Web Application) http://samurai.inguardians.com
Site Checking
Free site checking tools
• Google Safe Browsing http://safebrowsing.clients.google.com/safebrowsing/diagnostic?site=domain
• Sucuri http://sitecheck.sucuri.net/scanner/
• URLQuery http://urlquery.net/
• Wepawet http://wepawet.iseclab.org/
• Zscaler http://zulu.zscaler.com/
Q & A
Thank you
Email: [email protected]