Cybersecurity Overview
Kevin Barton, MS, CISSP, Associate Professor
[email protected] 4325
Network Security
Obtain a global perspective of network and information security measures
Understand malware threats and trends
Examine in detail different types of malware and their propagation
Examine the motivation behind cyber attacks
Survey the techniques used to counter security threats
Vulnerability – A weakness that allows a threat to inflict loss on an asset
Software vulnerabilities are weaknesses in software (implementation bugs or design flaws)
Software vulnerabilities allow attackers to gain access or to escalate privileges
Exploit – Code or a technique that takes advantage of a vulnerability; the payload is the code the exploit then delivers or runs on the target
Network Layers (example attacks per layer)
Human – Social engineering; phishing
Application – PDF obfuscation; injection attacks; email spoofing
Presentation – PDF encryption
Session – SSL man-in-the-middle attacks
Transport – SYN fragment attack; SYN flooding; DDoS
Network – Route injection; IP address spoofing
Data Link – WEP and WPA attacks; ARP poisoning; man-in-the-middle
Physical – Jamming attacks
MALWARE SIGNATURES
New signatures are increasing at an exponential rate
Malware is becoming more and more polymorphic
Difficult for current signature-based and behavior-based detection systems to keep pace
TARGETS & TECHNIQUES
Consumer and business banking accounts
Web-based malware used to attack targets
Use of multistage Trojan "droppers"
Packaged malware products: phishing kits, botnet deployment kits
TECHNIQUES
Disposable malware – lifespan of a malware dropper averages just 2 hours
PDF files used in 49% of all attacks
"Transitive trust" from social networking sites
Domain-joined computers are exposed to a greater threat from worms
Trojans are much more common on non-domain-joined computers
BOTNETS
A network of hosts capable of acting upon a set of instructions; often millions of hosts
A zombie (bot) is a compromised Internet host running the attacker's bot software
Bot C&C (command and control) is used to manage zombies; it often requires an authentication key or password
IRC C&C uses chat channels so that bot traffic blends in with ordinary chat traffic
HTTP is also used for C&C
C&C server IP addresses are hidden through fast-flux DNS: the domain uses short TTLs and resolves to many rotating IP addresses
The advertised IP addresses are proxies that redirect to the real C&C server
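The two fast-flux indicators named above, a short TTL and many rotating addresses, can be scored directly from DNS answer records. The following detector is an added example (not part of the original slides); the domain names, TTLs and addresses in SAMPLE_ANSWERS are constructed for illustration, and the thresholds (TTL of 300 s, five distinct addresses, three distinct /16 prefixes) are assumed starting points, not values from the slides. The prefix-diversity check is what separates a flux network of infected home machines from a CDN, which also uses low TTLs but answers from a small number of networks.

```python
"""Flag fast-flux C&C domains from DNS answer records (added example)."""
from collections import defaultdict
from ipaddress import ip_address

# Constructed sample: (domain, TTL in seconds, A records) from successive
# lookups of the same name. Real input would come from passive DNS or resolver logs.
SAMPLE_ANSWERS = [
    ("update-check.example", 120, ["198.51.100.14", "203.0.113.77", "192.0.2.201"]),
    ("update-check.example", 120, ["203.0.113.9", "198.51.100.250", "192.0.2.33"]),
    ("update-check.example", 90, ["192.0.2.120", "203.0.113.161", "198.51.100.8"]),
    ("static.example", 86400, ["192.0.2.10"]),
    ("static.example", 86400, ["192.0.2.10"]),
    ("cdn.example", 60, ["192.0.2.50", "192.0.2.51"]),
    ("cdn.example", 60, ["192.0.2.50", "192.0.2.51"]),
]


def ip_prefix_diversity(ips):
    """Count distinct /16 prefixes: a flux pool spans many networks, a CDN usually few."""
    return len({int(ip_address(ip)) >> 16 for ip in ips})


def score_domains(answers, ttl_threshold=300, min_ips=5, min_prefixes=3):
    """Return {domain: (min_ttl, distinct_ips, distinct_prefixes, is_flux)}.

    Thresholds are assumed defaults for this example; tune them on real data.
    """
    ttls = defaultdict(list)
    seen = defaultdict(set)
    for domain, ttl, ips in answers:
        ttls[domain].append(ttl)
        seen[domain].update(ips)
    report = {}
    for domain in ttls:
        min_ttl = min(ttls[domain])
        n_ips = len(seen[domain])
        n_prefixes = ip_prefix_diversity(seen[domain])
        is_flux = (min_ttl <= ttl_threshold and n_ips >= min_ips
                   and n_prefixes >= min_prefixes)
        report[domain] = (min_ttl, n_ips, n_prefixes, is_flux)
    return report


def fast_flux_domains(answers):
    """Sorted list of domains that meet all three fast-flux indicators."""
    return sorted(d for d, r in score_domains(answers).items() if r[3])


if __name__ == "__main__":
    for d, (ttl, n, p, flux) in score_domains(SAMPLE_ANSWERS).items():
        verdict = "FAST-FLUX" if flux else "ok"
        print(f"{d:22} min_ttl={ttl:<6} ips={n:<3} prefixes={p:<2} {verdict}")
```

On the constructed sample only update-check.example is flagged: static.example has a day-long TTL, and cdn.example has a low TTL but only two addresses in one /16.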
USER MODE
Hooks API calls in user or application space, so that when an application makes a call the Windows rootkit intercepts it and filters the result
Rootkit files are not visible in Windows Explorer
Least robust method: the hook runs with ordinary user privileges, and any tool that reads the same data without going through the hooked API (a cross-view comparison) still sees the hidden files
KERNEL MODE
Hooks or modifies kernel memory space to avoid detection
User applications do not have read privilege to kernel memory, and so cannot see malware in the kernel
Hidden in: drivers and system32; user temp folder
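The user-mode hooking described above, and the cross-view check that defeats it, modelled in Python as an added example (not code from the original slides). Here os.listdir stands in for the Win32 directory-listing API: the "rootkit" replaces it with a wrapper that drops its own file name from the result, and the detector compares that view with os.scandir, which reaches the directory without passing through the hooked function and so plays the role of the unhooked, lower-level read (a raw disk or MFT read in a real anti-rootkit tool). The file names, including the hidden rk_driver.sys, are constructed for the demonstration.

```python
"""User-mode hook that hides a file, and cross-view detection of it (added example)."""
import os
import tempfile

HIDDEN_NAME = "rk_driver.sys"   # hypothetical file the rootkit hides

_real_listdir = os.listdir      # saved so the hook can call through and so it can be removed


def _hooked_listdir(path="."):
    """Rootkit-style hook: call the real API, then drop the rootkit's own entries."""
    return [name for name in _real_listdir(path) if name != HIDDEN_NAME]


def install_hook():
    """Patch the API in this process, as a user-mode rootkit does in the target's address space."""
    os.listdir = _hooked_listdir


def remove_hook():
    os.listdir = _real_listdir


def cross_view_diff(path):
    """Names present in the low-level view (os.scandir) but missing from the hooked view."""
    high_level_view = set(os.listdir(path))
    low_level_view = {entry.name for entry in os.scandir(path)}
    return sorted(low_level_view - high_level_view)


def demo():
    """Create three files, hide one via the hook, and return (hooked listing, cross-view hits)."""
    with tempfile.TemporaryDirectory() as directory:
        for name in ("notes.txt", HIDDEN_NAME, "report.pdf"):
            open(os.path.join(directory, name), "w").close()
        install_hook()
        try:
            visible = sorted(os.listdir(directory))
            hidden = cross_view_diff(directory)
        finally:
            remove_hook()   # always unhook, even if the listing raises
    return visible, hidden


if __name__ == "__main__":
    visible, hidden = demo()
    print("hooked listing:", visible)
    print("cross-view detected:", hidden)
```

The same logic explains the kernel-mode escalation on the slide: once the hook sits in the kernel, both views pass through it and a user-mode cross-view check no longer sees a difference.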
MASTER BOOT RECORD MODE
Infects the MBR in the first sector of the disk and modifies other sectors
Runs the malware at boot, before the operating system and its security software have loaded
Disables detection software to protect itself
PURPOSE
To evade detection and analysis
Polymorphism and metamorphism change the malware's form
Polymorphism uses encryption: a constant body is encrypted under a fresh key for each copy and paired with a decryptor
Metamorphism changes the virus body itself by rearranging code or inserting unneeded functions
Mutation is common in non-executables
Packing/compression is more common with executables
Used by software vendors to protect intellectual property
Used by malware developers to hide malware
Entry Point Obfuscation changes a location in the host code; it relies on hooking or inserting code to call the malware
POLYMORPHISM
The decryptor exposes the malware to detection, so decryptors are now mutated as well
Analysis:
Standard decryption
Heuristics – examines behavior
Emulation – runs the malware in a virtualized sandbox
OBFUSCATION
Four step process: obfuscation step, modeling step, mutation step
Techniques such as permutation of subroutines, insertion of jump instructions, substitution of instructions, etc.
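The relationship between the polymorphism described under PURPOSE and the emulation technique listed under POLYMORPHISM, as an added example that is not from the original slides. A toy polymorphic engine XOR-encrypts a constant body under a fresh random key of varying length and prepends a header whose layout also varies (key length, junk length, key, junk). A scanner that matches a body signature against the raw sample misses every generation; a scanner that first "emulates" the decryptor (here, parsing the header and reversing the XOR, the way a sandbox would let the real decryptor stub run) recovers the constant body and matches. The payload bytes, the signature and the "PD" header tag are constructed for this example and stand in for real code.

```python
"""Polymorphic generations versus static and emulation-based scanning (added example)."""
import os
import struct

PAYLOAD = b"MZ\x90\x00toy-payload: open backdoor on port 4444"  # constructed body
SIGNATURE = b"open backdoor on port 4444"                        # constructed body signature
MAGIC = b"PD"   # hypothetical header: MAGIC, key_len, junk_len, key, junk, ciphertext


def xor(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same function encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def generate(payload: bytes = PAYLOAD, rng=os.urandom) -> bytes:
    """One polymorphic generation: new key, new junk, same underlying body."""
    key_len = 4 + rng(1)[0] % 13      # 4..16 byte key, so no two copies share a key
    key = rng(key_len)
    junk_len = rng(1)[0] % 32         # 0..31 bytes of junk shifts the body's offset
    junk = rng(junk_len)
    header = MAGIC + struct.pack("<BB", key_len, junk_len) + key + junk
    return header + xor(payload, key)


def static_scan(sample: bytes, signature: bytes = SIGNATURE) -> bool:
    """Plain signature match with no knowledge of the decryptor."""
    return signature in sample


def emulate_and_scan(sample: bytes, signature: bytes = SIGNATURE) -> bool:
    """Run the decryptor the sample carries (parse header, undo XOR), then scan the result."""
    if len(sample) < 4 or not sample.startswith(MAGIC):
        return False
    key_len, junk_len = struct.unpack("<BB", sample[2:4])
    key = sample[4:4 + key_len]
    if len(key) != key_len:
        return False                  # truncated sample; do not index past the end
    body = sample[4 + key_len + junk_len:]
    return signature in xor(body, key)


def evaluate(generations: int = 20):
    """Return (static_hits, emulated_hits) over several freshly generated copies."""
    static_hits = emulated_hits = 0
    for _ in range(generations):
        sample = generate()
        static_hits += static_scan(sample)
        emulated_hits += emulate_and_scan(sample)
    return static_hits, emulated_hits


if __name__ == "__main__":
    print("static hits, emulated hits out of 20:", evaluate(20))
```

The slide's point that "the decryptor exposes the malware" is visible in the header: MAGIC and the fixed layout are themselves a signature, which is why real engines mutate the decryptor stub as well and why emulation, which does not care what the stub looks like, is the more durable counter.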
MOTIVATION
Primarily financial: credit cards, bank accounts, email addresses and accounts, identities
Malicious code developers are selling code and tools; as in many businesses, the developers are not necessarily the users
TACTICS
Multistage: the initial attack gets a foothold (it may use a Trojan); subsequent payloads are tailored to the compromised host
Asset, protected by:
Robustness: intrusion detection
Isolation: firewall
Redundancy: multiple links
Segregation: separate control and corporate networks
The asset is protected by multiple controls meeting various design criteria.
Layered security ensures assets are protected by multiple controls. Attackers must compromise multiple controls to reach an asset. Robust layered security includes deterrent, preventive, detective and corrective controls, drawn from technical, administrative and physical control types.