Upload
prtk-nayak
View
219
Download
0
Embed Size (px)
Citation preview
8/6/2019 IT Security Trends
1/44
Data Leak PreventionData leak prevention (DLP) is a suite of technologies
aimed at stemming the loss of sensitive information that
occurs in enterprises across the globe. By focusing on
the location, classification and monitoring of
information at rest, in use and in motion, this solution
can go far in helping an enterprise get a handle on what
information it has, and in stopping the numerous leaksof information that occur each day. DLP is not a plug-
and-play solution. The successful implementation of
this technology requires significant preparation and
diligent ongoing maintenance. Enterprises seeking to
integrate and implement DLP should be prepared for a
significant effort that, if done correctly, can greatly
reduce risk to the organization. Those implementing thesolution must take a strategic approach that addresses
risks, impacts and mitigation steps, along with
appropriate governance and assurance measures
RE: Trends in Security
I am writing a proposal for reconsidering hardware
controls over software controls, when such controls canbe made practical and usable. We need to return to the
discussions of the early 1980's, because we are now
seeing so many targeted viruses in environments that
cannot keep track of all changes to their code.
8/6/2019 IT Security Trends
2/44
We need to ask operating systems vendors to harden
and stabilize their code, with a goal of eventually
having parts that will never need to change again.
We need hardware manufacturers to synchronize with
the operating systems vendors, to make sure that a
common set of device drivers can be permanent, and
that new features will be added that is segregated/apart
from the unchanging base.
We need software that maintains its layer integrity and
reliably fixes itself to it's own work area. We need a
temporary work area and data area strategy that can be
applied across platforms, but keeps software and data
separate and verifiable as secure.
We need to be able to reinstall software from scratch
easily, so as to eliminate unaccountable invading
malware apart from a base of accountable software.
And then, we need to use the EPROM to PROM
strategy to fix stable base of software as a solid
unchangeable base. This last part is what I am
proposing as the new solution to keep viruses from
invading online systems. Software as long as it is
changeable, is subject to viruses, but once it can be
fixed in place, then progress in anti-virus strategies can
again go forward. With some AV packages catching
8/6/2019 IT Security Trends
3/44
only 18% of the malware, strategies from the 1980's
should again be considered.
Security Assessment
Security Compass offers a broad range of information
security assessment and remediation services to fit your
needs. Our world-class consultants bring years of
expertise and deep domain knowledge to all of our
offerings.
y Application Runtime Security Assessment Asattackers increasingly focus on exploiting software
vulnerabilities, insecure applications leave your
data at risk. Allow Security Compass to test your
applications from a hacker's perspective.
y Application Source Code Security Assessment Find vulnerabilities in the underlying source code
and know exactly what to fix. Source code review
is one of the most cost-effective methods of
finding vulnerabilities. Let our seasoned experts
assess the security of your source. Fulfill PCI DSS
Requirement 6.6.
y Threat Modelling Analyze your application'sdesign to find vulnerabilities before development.
Prioritize source code reviews and penetration
tests. We use our extensive experience in threat
8/6/2019 IT Security Trends
4/44
modelling to bring security to the early phases of
development.
y SDLC Security Looking for a holistic approach to
building secure applications? We can help youenhance your existing software development life
cycle waterfall, agile, or proprietary to
include security.
y Network Security Assessments With simplepoint-and-click tools attackers can own your
network. How secure is your infrastructure? We'll
assess your network with a combination ofautomated and manual techniques from the
perspective of an expert hacker.
Other Enterprise Assessment Services
y Wireless Assessment Rouge access points and
insecure wireless protocols anywhere in yourfacility can expose confidential data. We can help
you determine if you have any wireless network
risks.
y Policy Assessment Information securitygovernance is critical to compliance with standards
like ISO27002, COBIT, and others. Our security
experts can assess your policies, procedures,standards, baselines, and guidelines for
compliance with common standards
-www.securitycompass.com
8/6/2019 IT Security Trends
5/44
1. Session ReplicationLoad balancing is a must have for applications with a
large user base. While serving static content in this way
is relatively easy, challenges start to arise when yourapplication maintains state information across multiple
requests. There are many ways to tackle session
replication here are some of the most common:
Allow the client to maintain state so that servers dont
have to
Persist state data in the database rather than in server
memory Use application servers built-in session replication
technology
Use third party products, such as Terra-Cotta
Tying each session to a particular server by modifying
the session cookie
Out of these, maintaining state on the client is often the
easiest to implement. Unfortunately, this single decision
is often one the most serious you can make for the
security of any client-server application. The reason is
that clients can modify any data that they send to you.
Inevitably, some of the state data shouldnt be
modifiable by an end user such as a price for a product,
user permissions, etc. Without sufficient safeguards,
client-side state can leave your application open to
parameter manipulation at every transaction. Luckily,
some frameworks provide protection in the form of
client-side state encryption; however, as weve seen
with the recent Oracle Padding attacks, this method
isnt always foolproof and can leave you with a false
8/6/2019 IT Security Trends
6/44
sense of security. Another technique involves hashing
and signing read-only state data (i.e. the parameters that
the client shouldnt modify), however trying to decide
which parameters should be modifiable and which onesshouldnt can be particularly time consuming often to
the point that developers just ignore it altogether when
deadlines become pressing. If you have the choice, elect
to maintain state on the server and use one of the many
techniques at your disposal to handle session
replication.
2. Authorization ContextMany senior developers and architects weve spoken to
understand that authorization is a challenging topic.
Enterprise applications often perform a basic level of
authorization: ensuring that the user has sufficient
access rights to view a certain page. The problem is that
authorization is a multi-layer, domain-specific problem
that you cant easily delegate to the application serveror access management tools. For example, an
accounting application user has access to the accounts
payable module but theres no server-side check to see
which accounts the user should be able to issue
payments for. Often the code that has sufficient context
to see a list of available accounts is so deep in the call
stack that it doesnt have any information about the enduser. The workarounds are often ugly: for example,
tightly coupling presentation & business logic such that
the application checks the list of accounts in a view
page where it does have context information about the
8/6/2019 IT Security Trends
7/44
end user.
A more elegant solution is to anticipate the need for
authorization far into the call stack and design
appropriately. In some cases this means explicitlypassing user context several layers deeper than you
normally would; other approaches include having some
type of session / thread-specific lookup mechanism that
allows any code to access session-related data. The key
is to think about this problem upfront so that you dont
waste unnecessary time down the road trying to hack
together a solution. See our pattern-level securityanalysis of Application Controller for more details on
this idea.
3. Tags vs. Code in ViewsOver the years, most web application development
frameworks have made it practical to code entire
views/server-pages completely with tags. Dot Nets
ASPX or Javas JSF pages are examples of this.Building exclusively with tags can sometimes be
frustrating when you need to quickly add functionality
inside of a view and you dont have a ready-made tag
for that function at your disposal. Some architects and
lead developers impose a strict decision that all views
must be composed entirely of tags; other architects and
lead developers are more liberal in their approach.Inevitably the applications that allow developers to
write in-line coding (e.g. PHP, classic ASP, or
Scriptlets in Java) have an incredibly tough time
eradicating Cross Site Scripting. Rather than
8/6/2019 IT Security Trends
8/44
augmenting tags with output encoding, developers need
to manually escape every form of output in every view.
A single decision can lead to tedious, error-prone work
for years to come. If you do elect to offer the flexibilityof one-off coding, make sure you use static analysis
tools to find potential exposures as early as possible.
4. Choice of Development FrameworkCall us biased, but we really believe that the framework
you choose will dramatically affect the speed at which
you can prevent and remediate security vulnerabilities.
Building anti-CSRF controls in Django is a matter ofturning on adding @csrf_protect to your view
method. In most Java frameworks you need to build
your own solution or use a third party library such as
OWASPs CSRFguard. Generally speaking, the more
security features built into the framework the less time
you have to spend adding these features into your own
code or trying to integrate third party components.Choosing a development framework that takes security
seriously will lead to savings down the road. The
Secure Web Application Framework Manifesto is an
OWASP project designed to help you make that
decision.
5.
Logging and Monitoring ApproachMost web applications implement some level of
diagnostic logging. From a design perspective,
however, it is important to leverage logging as a
measure of self defense rather than purely from a
debugging standpoint. The ability to detect failures and
8/6/2019 IT Security Trends
9/44
retrace steps can go a long way towards first spotting
and then diagnosing a breach. Weve found that
security-specific application logging is not standardized
and, as a result, any security-relevant applicationlogging tends to be done inconsistently. When
designing your logging strategy, we highly recommend
differentiating security events from debugging or
standard error events to expedite the investigative
process in the event of compromise. We also
recommend using standard error codes for security
events in order to facilitate monitoring. OWASPsESAPI logging allows for event types to distinguish
security events from regular logging events. The
AppSensor project allows you to implement intrusion
detection and automated responses into your
application.
FOR ISSUES AND SOLUTIONS
http://www.isaca.org/KNOWLEDGE-
CENTER/RESEARCH/ISSUES/Pages/default.aspx
LATEST SECURITY ISSUES
Top Cyber Security Risks - Vulnerability Exploitation Trends
y Executive Summaryy Vulnerability Exploitation Trendsy Origin and Destination Analysis for 4 Key Attacksy Application vs. Operating System Patchingy Tutorial: HTTP Client-Side Exploitation Exampley Zero-Day Vulnerability Trendsy Best Practices in Mitigation and Controly HTTP Server Threats
8/6/2019 IT Security Trends
10/44
September 2009
Application Vulnerabilities Exceed OS Vulnerabilities
During the last few years, the number of vulnerabilities being discovered in applications is far
greater than the number of vulnerabilities discovered in operating systems. As a result, more
exploitation attempts are recorded on application programs. The most "popular" applicationsfor exploitation tend to change over time since the rationale for targeting a particular
application often depends on factors like prevalence or the inability to effectively patch. Due
to the current trend of converting trusted web sites into malicious servers, browsers andclient-side applications that can be invoked by browsers seem to be consistently targeted.
Figure 1: Number of Vulnerabilities in Network, OS and Applications
Web Application Attacks
There appear to be two main avenues for exploiting and compromising web servers: brute
force password guessing attacks and web application attacks. Microsoft SQL, FTP, and SSH
servers are popular targets for password guessing attacks because of the access that is gained
if a valid username/password pair is identified. SQL Injection, Cross-site Scripting and PHP
File Include attacks continue to be the three most popular techniques used for compromising
web sites. Automated tools, designed to target custom web application vulnerabilities, make
it easy to discover and infect several thousand web sites.
Windows: Conficker/Downadup
Attacks on Microsoft Windows operating systems were dominated by Conficker/ Downadup
worm variants. For the past six months, over 90% of the attacks recorded for Microsoft
targeted the buffer overflow vulnerability described in the Microsoft Security Bulletin MS08-
067. Although in much smaller proportion, Sasser and Blaster, the infamous worms from
2003 and 2004, continue to infect many networks.
8/6/2019 IT Security Trends
11/44
Figure 2: Attacks on Critical Microsoft Vulnerabilities (last 6 months)
Figure 3: Attacks on Critical Microsoft Vulnerabilities (last 6 months)
Apple: QuickTime and Six More
Apple has released patches for many vulnerabilities in QuickTime over the past year.
QuickTime vulnerabilities account for most of the attacks that are being launched againstApple software. Note that QuickTime runs on both Mac and Windows Operating Systems.
The following vulnerabilities should be patched for any QuickTime installations: CVE-2009-0007, CVE-2009-0003, CVE-2009-0957
8/6/2019 IT Security Trends
12/44
Figure 4: Attacks on Critical Apple Vulnerabilities (la st 6 months)
Next Section: Origin and Destination Analysis for 4 Key Attacks
Origin and Destination Analysis for Four Key Attacks
Over the past six months, we have seen some very interesting trends when comparing the
country where various attacks originate to the country of the attack destination. In order to
show these results, we have characterized and presented the data in relation to the most
prevalent attack categories. The analysis performed for this report identified these attack
categories as high-risk threats to most if not all networks, and as such, should be at the
forefront of security practitioners' minds. These categories are Server-Side HTTP attacks,
Client-Side HTTP attacks, PHP Remote File Include, Cross-site Scripting attacks, and finallySQL Injection attacks. As you might expect, there is some overlap in these categories, withthe latter three being subsets of the first two categories. However, the trends we see in
separating this data is worth pointing out.
The SQL Injection attacks that compose this category include "SQL Injection using SELECTSQL Statement", "SQL Injection Evasion using String Functions", and "SQL Injection using
Boolean Identity". The most prominent "PHP Remote File Include attack" is one that looks
for a very small HTTP request that includes a link to another website as a parameter that
contains a very specific evasion technique used by a number of attacks to increase the
reliability of their attacks. Also of note is a very specific attack against the "Zeroboard PHP"
application, the only single application that made the top attacks. The final type of attack
included in these statistics is one of the more popular "HTTP Connect Tunnel" attacks, whichremains a staple in the Server-Side HTTP category. The HTTP connect tunnels are used for
sending spam emails via mis-configured HTTP servers.
Looking at the breakdown by country we see that the United States is by far the major attacktarget for the Server-Side HTTP attack category (Figure 5).
8/6/2019 IT Security Trends
13/44
Figure 5: Server-Side HTTP Attacks by Destination Country (last 6 months)
For years, attack targets in the United States have presented greater value propositions for
attackers, so this statistic really comes as no surprise.
An interesting spike in Server-Side HTTP attacks occurred in July 2009. This was entirelydue to SQL Injection attacks using the SELECT command. Upon looking at the data, we saw
a massive campaign by a range of IP addresses located at a very large Internet ServerProvider (ISP). In this case, there were a number of machines located at a single collocation
site that may have all been compromised with the same vulnerability due to the machinesbeing at the same patch level. In addition, a number of gambling sites took part in this attack
which peaked after hours on July Fourth, a major holiday in the United States.
8/6/2019 IT Security Trends
14/44
Figure 6: Server-Side HTTP Attacks (last 6 months)
Finally let's turn to the source of these HTTP Server-Side Attacks (Figure 7).
Figure 7: Server-Side HTTP Attacks by Source Country (last 6 months)
Here we see the United States as by far the largest origin, which is a pattern that hascontinued for some time. In many cases we believe these to be compromised machines that
are then being used for further nefarious purposes. The next four offenders on the HTTPServer-Side attacking countries list are Thailand, Taiwan, China, and the Republic of Korea.
They also show up in other portions of this report, so this graph will be a useful reference in
comparing some of the other attack categories and their relative magnitude.
The last six months have seen a lot of activity with SQL injection attacks. Some typical
patterns emerge with the United States being both the top source of and destination for SQLInjection events.
SQL Injection on the internet can more or less be divided into two sub-categories: LegitimateSQL Injection and Malicious SQL Injection. Many web applications on the Internet still use
"SQL Injection" for their normal functionality. It should be noted that this is only a differencein intent. The web applications that legitimately use SQL Injection are guaranteed to be
vulnerable to the tools and techniques used by attackers to perform Malicious SQL Injections.The servers that house these applications may have a higher compromise rate not only
because they are known to be vulnerable, but also because they need to distinguish betweenlegitimate and malicious injects to identify attacks.
8/6/2019 IT Security Trends
15/44
Figure 8: SQL Injection Attacks by Destination Country (last 6 months)
Looking at the magnitude of these attacks broken down by month (Figure 9), we see the
large-scale SQL Injection campaign pointed out in the Server-Side HTTP Attack section.
A very large spike in SQL Injection attacks in July was caused mostly by an online advertiser
who distributed code to many affiliates using SQL injection as functionality. The application
was quickly pulled, resulting in a large drop in events for the month of August.
Figure 9: SQL Injection Attacks (last 6 months)
8/6/2019 IT Security Trends
16/44
The source distribution of many of these attacks is much more diverse than the destination.China is now the single largest source outside of the United States. Again the overwhelming
destination for these events is in the United States. (Figure 10).
Figure 10: SQL Injection Attacks by Source Country (last 6 months)
In conclusion, we cannot overstate the importance of protecting DMZ-based web applications
from SQL Injection attacks. Increasingly, the ultimate objective of attackers is the acquisitionof sensitive data. While the media may consistently report attacker targets as being credit
cards and social security numbers, that is more due to the popular understanding of the
marketability of this data. They are not the only valuable data types that can be compromised.
Since SQL Injection attacks offer such easy access to data, it should be assumed that anyvaluable data stored in a database accessed by a web server is being targeted.
Although "PHP File Include" attacks have been popular, we have seen a notable decline in
the overall number of attacks that have taken place. With the exception of a major attacks
originating from Thailand in April, the number of PHP File Include attacks in August is less
than half the March/May average.
There are many ways to protect against these attacks. Apache configuration, input
sanitization, and network security equipment are all very good at deterring these attacks, so it
seems likely that the drop in total attacks is at least partly due to a positive response by
application developers, system administrators, and security professionals. However, due to
the extreme ease with which these attacks are carried out, and the enormous benefit of asuccessful attack (arbitrary PHP code is executed.), attacks such as these are likely to remain
popular for some time.
8/6/2019 IT Security Trends
17/44
Figure 11: PHP Remote File Include Attacks (last 6 months)
Let us look at the sources of "PHP Remote File Include" attacks. A major attack campaign
was launched out of Thailand in April that caused Thailand to show up at number 1 in thislist.
Figure 12: PHP Remote File Include Attacks by Source Country (last 6 months)
Cross Site Scripting (XSS) is one of the most prevalent bugs in today's web applications.
Unfortunately, developers often fall in the trap of introducing XSS bugs while creating
custom code that connects all of the diverse web technologies that are so prevalent in today's
Web 2.0 world. Another very common "use" of XSS is by various advertisers' analytic
systems. For example, an advertiser's banner might be embedded in a web page which is set
8/6/2019 IT Security Trends
18/44
up to reflect some JavaScript off of the advertiser's HTTP server for tracking purposes.However, in this case, there is little risk because the site in question (usually) has full control
over his/her page, so this request to the advertiser is not generally malicious. It is the"reflection" attacks, along with attacks that leverage flaws in form data handling, that make
up the vast majority of XSS attacks that we have seen in the last six months.
Figure 13: XSS Attacks by Source Country (last 6 months)
Attacks sourced from the United States have been on a steady decline month-over-month.
The Republic of Korea has seen a 50% reduction in the last 30 days. These two events
however have been offset by a sudden 20% increase in the last 30 days in attacks from
Australia. The other three major players, namely, Hong Kong, China and Taiwan haveremained stable over the past three month periods in this category.
Application Patching is Much Slower than
Operating System Patching
Qualys scanners collect anonymized data of detected vulnerabilities to capture the changing
dynamics in the vulnerability assessment field. The data documents changes such as the
decline of server side vulnerabilities and the corresponding rise of vulnerabilities on the client
side, both in operating system components and applications. A Top 30 ranking is used often
to see if major changes occur in the most frequent vulnerabilities found. Here is the rankingfor the first half of 2009 TH edited to remove irrelevant data points such as 0-dayvulnerabilities.
Description
1. WordPad and Office Text Converters Remote Code Execution Vulnerability (MS09-010)
2. Sun Java Multiple Vulnerabilities (244988 and others)
8/6/2019 IT Security Trends
19/44
3. Sun Java Web Start Multiple Vulnerabilities May Allow Elevation ofPrivileges(238905)
4. Java Runtime Environment Virtual Machine May Allow Elevation of Privileges(238967)
5. Adobe Acrobat and Adobe Reader Buffer Overflow (APSA09-01)6. Microsoft SMB Remote Code Execution Vulnerability (MS09-001)7. Sun Java Runtime Environment GIF Images Buffer Overflow Vulnerability8. Microsoft Excel Remote Code Execution Vulnerability (MS09-009)9. Adobe Flash Player Update Available to Address Security Vulnerabilities (APSB09-
01)
10.Sun Java JDK JRE Multiple Vulnerabilities (254569)11.Microsoft Windows Server Service Could Allow Remote Code Execution (MS08-
067)
12.Microsoft Office PowerPoint Could Allow Remote Code Execution (MS09-017)13.Microsoft XML Core Services Remote Code Execution Vulnerability (MS08-069)14.Microsoft Visual Basic Runtime Extended Files Remote Code Execution
Vulnerability (MS08-070)15.Microsoft Excel Multiple Remote Code Execution Vulnerabilities (MS08-074)16.Vulnerabilities in Microsoft DirectShow Could Allow Remote Code Execution
(MS09-028)
17.Microsoft Word Multiple Remote Code Execution Vulnerabilities (MS08-072)18.Adobe Flash Player Multiple Vulnerabilities (APSB07-20)19.Adobe Flash Player Multiple Security Vulnerabilities (APSB08-20)20.Third Party CAPICOM.DLL Remote Code Execution Vulnerability21.Microsoft Windows Media Components Remote Code Execution Vulnerability
(MS08-076)
22.Adobe Flash Player Multiple Vulnerabilities (APSB07-12)23.Microsoft Office Remote Code Execution Vulnerability (MS08-055)24.Adobe Reader JavaScript Methods Memory Corruption Vulnerability (APSA09-02
and APSB09-06)
25.Microsoft PowerPoint Could Allow Remote Code Execution (MS08-051)26.Processing Font Vulnerability in JRE May Allow Elevation of Privileges(238666)27.Microsoft Office Could Allow Remote Code Execution (MS08-016)28.Adobe Acrobat/Reader "util.printf()" Buffer Overflow Vulnerability (APSB08-19)29.Adobe Acrobat and Adobe Reader Multiple Vulnerabilities (APSB08-15)30.Windows Schannel Security Package Could Allow Spoofing Vulnerability (MS09-
007)
Table 1: Qualys Top 30 in H1 2009
Some of the vulnerabilities listed in the table get quickly addressed by IT administrators TH
vulnerabilities in the base operating system class, for example, show a significant drop ineven the first 15 days of their lifetime:
8/6/2019 IT Security Trends
20/44
Figure 14: Microsoft OS Vulnerabilities
But at least half of the vulnerabilities in the list, primarily vulnerabilities found in
applications, receive less attention and get patched on a much slower timeline. Some of these
applications, such as Microsoft Office and Adobe Reader are very widely installed and so
expose the many systems they run on to long lived threats. The following graphs plot thenumber of vulnerabilities detected for Microsoft Office and Adobe Reader normalized to the
maximum number of vulnerabilities detected in the timeframe. Periodic drops in detection
rates occur during the weekends when scanning focuses on servers rather than desktop
machines and the detection rates of vulnerabilities related to desktop software fall
accordingly.
Figure 15: Microsoft PowerPoint and Adobe Vulnerabilities Patching Cycles
Attackers have long picked up on this opportunity and have switched to different types of
attacks in order to take advantage of these vulnerabilities, using social engineering techniques
to lure end-users into opening documents received by e-mail or by infecting websites with
links to documents that have attacks for these vulnerabilities embedded. These infecteddocuments are not only placed on popular web sites that have a large number of visitors, but
increasingly target the "long-tail", the thousands of specialized websites that have smaller but
very faithful audiences. By identifying and exploiting vulnerabilities in the ContentManagement Systems used by these sites, attackers can automate the infection process andreach thousands of sites in a matter of hours. Attacks using PDF vulnerabilities have seen a
large increase in late 2008 and 2009 as it became clear to attackers how easy it is to use thismethod of getting control over a machine.
Adobe Flash has similar problems with the applications of its updates TH there are four Flash
vulnerabilities in our Top 30 list that date back as far as 2007:
8/6/2019 IT Security Trends
21/44
Figure 16: Flash Vulnerabilities
Flash presents additional challenges: it does not have its automatic update mechanism and
one needs to patch Internet Explorer in a separate step from other browsers. For users thathave more than one browser installed, it is quite easy to forget to completely close Flashvulnerabilities and continue to be unwillingly vulnerable.
One of the other software families that is high on the Top 30 list is Java, which is widely
installed for running Java applets in the common browsers and also increasingly for normalapplications. It is quite slow in the patch cycle, with actually increasing numbers of total
vulnerabilities as the introduction of new vulnerabilities outweighs the effect of patching.
Java has the additional problem that until recently new versions did not uninstall the older
code, but only pointed default execution paths to the new, fixed version; attack code could be
engineered to take advantage of the well-known paths and continue to use older and
vulnerable Java engines.
Figure 17: Sun Java Vulnerabilities
8/6/2019 IT Security Trends
22/44
Zero-Day Vulnerability Trends
A zero-day vulnerability occurs when a flaw in software code is discovered and code
exploiting the flaw appears before a fix or patch is available. Once a working exploit of the
vulnerability has been released into the wild, users of the affected software will continue to
be compromised until a software patch is available or some form of mitigation is taken by the
user.
The "File Format Vulnerabilities" continue to be the first choice for attackers to conduct zero-
day and targeted attacks. Most of the attacks continue to target Adobe PDF, Flash Player andMicrosoft Office Suite (PowerPoint, Excel and Word) software. Multiple publicly available
"fuzzing" frameworks make it easier to find these flaws. The vulnerabilities are often foundin 3rd party add-ons to these popular and wide-spread software suites, making the patching
process more complex and increasing their potential value to attackers.
The notable zero-day vulnerabilities during past 6 months were:
y Adobe Acrobat, Reader, and Flash Player Remote Code Execution Vulnerability (CVE-2009-1862)
y Microsoft Office Web Components ActiveX Control Code Execution Vulnerability (CVE-2009-1136)
y Microsoft Active Template Library Header Data Remote Code Execution Vulnerability (CVE-2008-0015)
y Microsoft DirectX DirectShow QuickTime Video Remote Code Execution Vulnerability (CVE-2009-1537)
y Adobe Reader Remote Code Execution Vulnerability (CVE-2009-1493)y Microsoft PowerPoint Remote Code Execution Vulnerability (CVE-2009-0556)
The ease of finding zero-day vulnerabilities is a direct result of an overall increase in the
number of people having skills to discover vulnerabilities world-wide. This is evidenced by
the fact that TippingPoint DVLabs often receives the same vulnerabilities from multiple
sources.
For example, MS08-031 (Microsoft Internet Explorer DOM Object Heap Overflow
Vulnerability) was discovered independently by three researchers. The first researcher
submitted remote IE 6/7 critical vulnerability on Oct 22, 2007. A second independent
researcher submitted the same vulnerability on April 23, 2008. A third independent
researcher submitted the same vulnerability on May 19, 2008. All three submissions outlined
different approaches of auditing and finding the same vulnerability.
The implication of increasing duplicate discoveries is fairly alarming, in that the main
mitigation for vulnerabilities of this type is patching, which is an invalid strategy forprotecting against zero-day exploits. There is a heightened risk from cyber criminals, whocan discover zero-day vulnerabilities and exploit them for profit. Add to this that software
vendors have not necessarily lowered their average time for patching vulnerabilities reportedto them, and that TippingPoint is aware of a number of vulnerabilities that were reported to
vendors two years ago and are still awaiting a patch.
http://www.zerodayinitiative.com/advisories/upcoming/
8/6/2019 IT Security Trends
23/44
This makes zero-day exploits in client-side applications one of the most significant threats toyour network, and requires that you put in place additional information security measures and
controls to complement your vulnerability assessment and remediation activities.
DEFENCE PRACTISES
These controls reflect the consensus of many of the nation's top cyber defenders and attackers
on which specific controls must be implemented first to mitigate known cyber threats.
One of the most valuable uses of this report is to help organizations deploying the Twenty
Critical Security Controls to be certain that no critical new attacks have been found thatwould force substantial changes in the Twenty Controls and at the same time to help people
who are implementing the Twenty Critical Security Controls to focus their attention on theelements of the controls that need to be completed most immediately.
The Key Elements of these attacks and associated Controls:
y User applications have vulnerabilities that can be exploited remotely,o Controls 2 (Inventory of Software), 3 (Secure Configurations), and 10
(Vulnerability Assessment and Remediation) can ensure that vulnerable
software is accounted for, identified for defensive planning, and remediated in
a timely manner. Control 5 (Boundary Defenses) can provide some
prevention/detection capability when attacks are launched.
y There is an increasing number of zero-days in these types of applications,o Control 12 (Malware Defenses) is the most effective at mitigating many of
these attacks because it can ensure that malware entering the network is
effectively contained. Controls 2, 3, and 10 have minimal impact on zero-day
exploits and Control 5 can provide some prevention/detection capabilities
against zero-days as well as known exploits.y Successful exploitation grants the attacker the same privileges on the network as the
user and/or host that is compromised,
o Control 5 (Boundary Defenses) can ensure that compromised host systems(portable and static) can be contained. Controls 8 (Controlled Use ofAdministrative Privileges) and 9 (Controlled Access) limit what access the
attacker has inside the enterprise once they have successfully exploited a userapplication.
y The attacker is masquerading as a legitimate user but is often performing actions thatare not typical for that user.
o Controls 6 (Audit Logs) and 11 (Account Monitoring and Control) can helpidentify potentially malicious or suspicious behavior and Control 18 (Incident
Response Capability) can assist in both detection and recovery from acompromise.
CRITICAL CONTROLS FOR PREVENTING ATTACKS
1. Inventory of Authorized and Unauthorized Devices
2. Inventory of Authorized and Unauthorized Software
3. Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
8/6/2019 IT Security Trends
24/44
4. Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
5. Boundary Defense
6. Maintenance, Monitoring, and Analysis of Security Audit Logs
7
7. Application Software Security
8. Controlled Use of Administrative Privileges
9. Controlled Access Based onNeed to Know
10. Continuous Vulnerability Assessment and Remediation
11. Account Monitoring and Control
12. Malware Defenses
13. Limitation and Control ofNetwork Ports, Protocols, and Services
14. Wireless Device Control
15. Data Loss Prevention
Insider Threats vs. Outsider Threats
A quick review of the critical controls may lead some readers to think that they are heavily
focused on outsider threats and may, therefore, not fully deal with insider attacks. In reality,
the insider threat is well covered in these controls in two ways. First, specific controls suchas
maintenance of security audit logs, control of administrative privileges, controlled access
based
on need to know, data loss prevention, and effective incident response all directly address
the
key ways that insider threats can be mitigated. Second, the insider and outsider threats
sometimes merge as outsiders penetrate security perimeters and effectively become
insiders.
All of the controls that limit unauthorized access within the organization work to mitigate
both
insider and outsider threats. It is important to note that these controls are meant to dealwith
multiple kinds of computer attackers, including but not limited to malicious internal
employees
and contractors, independent individual external actors, organized crime groups, terrorists,
and
nation state actors, as well as mixes of these different threats. While these controls are
designed to provide protection against each of these threats, very sophisticated, well -
funded.
Critical Control 1: Inventory of Authorized and
Unauthorized DevicesHow do attackers exploit the lack of this control?
Many criminal groups and nation states deploy systems that continuously scan address
spaces
of target organizations waiting for new, unprotected systems to be attached to the network.
The attackers also look for laptops not up to date with patches because they are not
frequently
connected to the network. One common attack takes advantage of new hardware that is
8/6/2019 IT Security Trends
25/44
installed on the network one evening and not configured and patched with appropriate
security
updates until the following day. Attackers from anywhere in the world may quickly find and
exploit such systems that are Internet-accessible. Furthermore, even for internal network
systems, attackers who have already gained internal access may hunt for and compromise
additional improperly secured internal computer systems. Some attackers use the local
nighttime window to install backdoors on the systems before they are hardened.
Additionally, attackers frequently look for experimental or test systems that are briefly
connected to the network but not included in the standard asset inventory of an
organization.
Such experimental systems tend not to have as thorough security hardening or defensive
measures as other systems on the network. Although these test systems do n ot typically
hold
sensitive data, they offer an attacker an avenue into the organization, and a launching point
for
deeper penetration.
How can this control be implemented, automated, and its effectiveness
measured?An accurate and up-to-date inventory, controlled by active monitoring and configuration
management, can reduce the chance of attackers finding unauthorized and unprotected
systems to exploit.
1. QW: Deploy an automated asset inventory discovery tool and use it to build a
preliminary asset inventory of systems connected to the enterprise network. Both
active tools that scan through network address ranges, and passive tools that identify
hosts based on analyzing their traffic should be employed.
2. Vis/Attrib: Maintain an asset inventory of all systems connected to the network and the
network devices themselves, recording at least the network addresses, machine
name(s), purpose of each system, an asset owner responsible for each device, and the
department associated with each device. The inventor y should include every systemthat has an IP address on the network, including, but not limited to desktops, laptops,
servers, network equipment (routers, switches, firewalls, etc.), printers, Storage Area
Networks, Voice-over-IP telephones, etc.
3. Vis/Attrib: Ensure that network inventory monitoring tools are operational and
continuously monitoring, keeping the asset inventory up to date on a real -time basis,
12
looking for deviations from the expected inventory of assets on the network, and
alerting security and/or operations personnel when deviations are discovered.
4. Config/Hygiene: Secure the asset inventory database and related systems, ensuring that
they are included in periodic vulnerability scans and that asset information is encrypted.
Limit access to these systems to authorized personnel only, and carefully log all suchaccess. For additional security, a secure copy of the asset inventory may be kept in an
off-line system air-gapped from the production network.
5. Config/Hygiene: In addition to a n inventory of hardware, organizations should develop
an inventory of information assets, which identifies their critical information, and maps
critical information to the hardware assets (including servers, workstations, and laptops)
on which it is locate d. A department and individual responsible for each information
asset should be identified, recorded, and tracked.
8/6/2019 IT Security Trends
26/44
6. Config/Hygiene: To evaluate the effectiveness of automated asset inventory tools,
periodically attach several hardened computer systems not already included in asset
inventories to the network and measure the delay before each device connection is
disabled or the installers confronted.
7. Advanced: The organizations asset inventory should include removable media devices,
including USB tokens, external hard drives, and other related information storage
devices.
Associated NIST SP 800-53 Rev 3 Priority 1 Controls:
CM-8 (a, c, d, 2, 3, 4), PM -5, PM-6
Procedures and tools for implementing and automating this control:
Organizations must first establish information owners and asset owners, deciding and
documenting which organizations and individuals are responsible for each component of
information and device. Some organizations maintain asset inventories using specific
largescale
enterprise commercial products dedicated to the task or they use free solutions to track
and then sweep the network periodically for new assets connected to the network. In
particular, when effective organizations acquire new systems, they record the owner and
features of each new asset, including its network interface MAC address, a unique identifierhard-coded into most network interface cards and devices.This mapping of asset attributes
and owner-to-MAC address can be stored in a free or commercial database management
system.
Then, with the asset inventory assembled, many organizations use tools to pull information
from network assets such as switches and routers regarding the machines connected to the
network. Using securely authenticated and encrypted network management protocols, tools
can retrieve MAC addresses and other information from network devices that can be
reconciled
with the organizations asset inventory of servers, workstations, laptops, and other devices.
13
Going further, effective organizations configure free or commercial network scanning toolsto
perform network sweeps on a regular basis, such as every 12 hours, sending a variety of
different packet types to identify devices connected to the network. Before such scanning
can
take place, organizations should verify that they have adequate bandwidth for such periodic
scans by consulting load history and capacities for their networks. In conducting inventory
scans, scanning tools could send traditional ping packets (ICMP Echo Request), looking fo r
ping
responses to identify a system at a given IP address. Because some systems block inbound
ping
packets, in addition to traditional pings, scanners can also identify devices on the networkusing
TCP SYN or ACK packets. Once they have identified IP addresses of devices on the network,
some scanners provide robust fingerprinting features to determine the operating system
type
of the discovered machine.
In addition to active scanning tools that sweep the network, other ass et identification tools
passively listen on network interfaces looking for devices to announce their presence by
8/6/2019 IT Security Trends
27/44
sending traffic. Such passive tools can be connected to switch span ports at critical places in
the network to view all data flowing through su ch switches, maximizing the chance of
identifying systems communicating through those switches.
Wireless devices (and wired laptops) may periodically join a network and then disappear
making the inventory of currently available systems churn significantly. Likewise, virtual
machines can be difficult to track in asset inventories when they are shut down or paused,
because they are merely files in some host machines file system. Additionally, remote
machines accessing the network using VPN technology may appear on the network for a
time,
and then be disconnected from it. Each machine, whether physical or virtual, directly
connected to the network or attached via VPN, currently running or shut down, should be
included in an organizations asset inventory.
To evaluate the effectiveness of the asset inventory and its monitoring, an organization
should
connect a fully patched and hardened machine to the network on a regular basis, such as
monthly, to determine whether that asset appears as a new item in the networ k scan, the
automated inventory, and/or asset management database.
Sandia National Labs takes the inventory a step further by requiring the name and contact
information of a system administrator responsible for each element in its inventory. Such
information provides near instantaneous access to the people in a position to take action
when
a system at a given IP address is found to have been compromised.
Critical Control 2: Inventory of Authorized andUnauthorized SoftwareHow do attackers exploit the lack of this control?14
Computer attackers deploy systems that continuously scan address spaces of target
organizations looking for vulnerable versions of software that can be remotely exploited.
Some
attackers also distribute hostile web pages, document files, media files, and other content
via
their own web pages or otherwise trustworthy third-party sites. When unsuspecting victims
access this content with a vulnerable browser or other client-side program, attackers
compromise their machines, often installing backdoor programs and bots that give the
attacker
long-term control of the system. Some sophisticated attackers may use zero-day exploits,
which take advantage of previously unknown vulnerabilities for whi ch no patch has yet been
released by the software vendor. Without proper knowledge or control of the software
deployed in an organization, defenders cannot properly secure their assets.
Without the ability to inventory and control which programs are instal led and allowed to
run on
their machines, enterprises make their systems more vulnerable. Such poorly controlled
machines are more likely to be either running software that is unneeded for business
purposes,
introducing potential security flaws, or running malware introduced by a computer attacker
after system compromise. Once a single machine has been exploited, attackers often use it
as a
8/6/2019 IT Security Trends
28/44
staging point for collecting sensitive information from the compromised system and from
other
systems connected to it. In addition, compromised machines are used as a launching point
for
movement throughout the network and partnering networks. In this way, attackers may
quickly turn one compromised machine into many. Organizations that do not have complete
software inventories are unable to find systems running vulnerable or malicious software to
mitigate problems or root out attackers.
How can this control be implemented, automated, and its effectivenessmeasured?
1. QW: Devise a list of authorized software that is required in the enterprise for each type
of system, including servers, workstations, and laptops of various kinds and uses.
2. Vis/Attrib: Deploy software inventory tools throughout the organization covering each
of the operating system types in use, including s ervers, workstations, and laptops. The
software inventory system should track the version of the underlying operating system
as well as the applications installed on it. Furthermore, the tool should record not only
the type of software installed on each system, but also its version number and patch
level. The tool should also monitor for unauthorized software installed on eachmachine. This unauthorized software also includes legitimate system administration
software installed on inappropriate systems where there is no business need for it.
3. Config/Hygiene: To evaluate the effectiveness of automated software inventory tools,
periodically install several software updates and new packages on hardened control
machines in the network and measure the delay before the software inventory indicates
the changes. Such updates should be chosen for the control machines so that they do
not negatively impact production systems on the network.
4. Advanced: Deploy software white-listing technology that allows systems to run only
approved applications and prevents execution of all other software on the system.
15
Associated NIST SP 800-53 Rev 3 Priority 1 Controls:CM-1, CM-2 (2, 4, 5), CM-3, CM-5 (2, 7), CM-7 (1, 2), CM-8 (1, 2, 3, 4, 6), CM-9, PM-6, SA-6,
SA-7
Procedures and tools for implementing and automating this control:
Commercial software and asset inventory tools are widely available and in use in many
enterprises today. The best of these tools provide an inventory check of hund reds of
common
applications used in enterprises, pulling information about the patch level of each installed
program to ensure that it is the latest version and leveraging standardized application
names,
such as those found in CPE.
Features that implement whitelists and blacklists of programs allowed to run or blockedfrom
executing are included in many modern end -point security suites. Moreover, commercial
solutions are increasingly bundling together anti -virus, anti-spyware, personal firewall, and
host-based Intrusion Detection Systems and Intrusion Prevention Systems (IDS and IPS),
along
with software white listing and black listing. In particular, most endpoint security solutions
can
8/6/2019 IT Security Trends
29/44
look at the name, file system location, and/or cryptographic hash of a given executable to
determine whether the application should be allowed to run on the protected machine.The
most effective of these tools offer custom whitelists and blacklists based on executable
path,
hash, or regular expression matching. Some even include a graylist function that allows
administrators to define rules for execution of specific programs only by certain users and at
certain times of day, and blacklists based on specific signatures.
Once software inventory and execution control products are deployed, they can be
evaluated
by attempting to run a black listed program or a program that is not on the whitelist. To test
whitelist or blacklist solutions, the organization can define a specific benign executable for
which the blacklist or whitelist would block execution, such as a simple benign single EXE
file.
They can then attempt to run the program and test whether execution is blocked and
whether
an alert is generated.
Critical Control 3: Secure Configurations for Hardware andSoftwareon Laptops, Workstations, and ServersHow do attackers exploit the lack of this control?
On both the Internet and internal networks that attackers have already compromised,
automated computer attack programs constantly search target networks looking for
systems
that were configured with vulnerable software installed the way it was delivered from
manufacturers and resellers, thereby being immediately vulnerable to exploitation. Default
configurations are often geared to ease -of-deployment and ease-of-use and not security,
16
leaving some systems exploitable in their default state. Attackers attempt to exploit bothnetwork-accessible services and browsing client software using such techniques.
Defenses against these automated exploits include procuring computer and network
components with the secure configurations already implemented, deploying such
preconfigured
hardened systems, updating these configurations on a regular basis, and tracking
them in a configuration management system.
How can this control be implemented, automated, and its effectiveness
measured?
1. QW: System images must have documented security settings that are tested before
deployment, approved by an agency change control board, and registered with a central
image library for the agency or multiple agencies.T
hese images should be validated andrefreshed on a regular basis (such as every six months) to update their security
configuration in light of recent vulnerabilities and attack vectors.
2. QW: Standardized images should represent hardened versions of the underlying
operating system and the applications installed on the system, such as those released by
NIST, NSA, DISA, the Center for Internet Security (CIS), and others. This hardening
would typically include removal of unnecessary accounts, as well as the disabling or
removal of unnecessary services. Such hardening also involves, among other measures,
applying patches, closing open and unused network ports, implementing intrusion
8/6/2019 IT Security Trends
30/44
detection systems and/or intrusion prevention systems, and hos t-based firewalls.
3. QW: Any deviations from the standard build or updates to the standard build should be
documented and approved in a change management system.
4. QW: Government agencies should negotiate contracts to buy systems configured
securely out of the box using standardized images, which should be devised to avoid
extraneous software that would increase their attack surface and susceptibility to
vulnerabilities.
5. QW: The master images themselves must be stored on securely configured servers, wi th
integrity checking tools and change management to ensure only authorized changes to
the images are possible. Alternatively, these master images can be stored in off-line
machines, air-gapped from the production network, with images copied via secure
media to move them between the image storage servers and the production network.
6. Config/Hygiene: At least once per month, run assessment programs on a varying sample
of systems to measure the number that are and are not configured according to the
secure configuration guidelines.
7. Config/Hygiene: Utilize file integrity checking tools on at least a weekly basis to ensure
that critical system files (including sensitive system and application executables,
libraries, and configurations) have not been altered. All alterations to such files should
be automatically reported to security personnel.The reporting system should have the
ability to account for routine and expected changes, highlighting unusual or unexpected
alterations.
17
8. Config/Hygiene: Implement and test an automated configuration monitoring system
that measures all secure configuration elements that can be measured through remote
testing, using features such as those included with SCAP -compliant tools to gather
configuration vulnerability inform ation. These automated tests should analyze both
hardware and software changes, network configuration changes, and any other
modifications affecting security of the system.
9. Config/Hygiene: Provide senior executives with charts showing the number of syst emsthat match configuration guidelines versus those that do not match, illustrating the
change of such numbers month by month for each organizational unit.
Associated NIST SP 800-53 Rev 3 Priority 1 Controls:
CM-1, CM-2 (1, 2), CM-3 (b, c, d, e, 2, 3), CM -5 (2), CM-6 (1, 2, 4), CM -7 (1), SA-1 (a), SA-4
(5), SI-
7 (3), PM-6
Procedures and tools for implementing this control:
Organizations can implement this control by developing a series of images and secure
storage
servers for hosting these standard images . Then, commercial and/or free configuration
management tools can be employed to measure the settings of managed machinesoperating
system and applications to look for deviations from the standard image configurations used
by
the organization. Some configuration management tools require that an agent be installed
on
each managed system, while others remotely login to each managed machine using
8/6/2019 IT Security Trends
31/44
administrator credentials. Either approach or combinations of the two approaches can
provide
the information needed for this control.
Critical Control 4: Secure Configurations for NetworkDevices such as
Firewalls, Routers, and SwitchesHow do attackers exploit the lack of this control?
Attackers take advantage of the fact that network devices may become less securely
configured
over time as users demand exceptions for specific and temporary business needs, the
exceptions are deployed, and those exceptions are not undone when the business need is
no
longer applicable. Making matters worse, in some cases, the security risk of the exception is
never properly analyzed, nor is this risk measured against the associated business need.
Attackers search for electronic holes in firewalls, routers, and switches and u se those to
penetrate defenses. Attackers have exploited flaws in these network devices to gain access
totarget networks, redirect traffic on a network (to a malicious system masquerading as a
trusted
system), and to intercept and alter information while in transmission. Through such actions,
18
the attacker gains access to sensitive data, alters important information, or even uses one
compromised machine to pose as another trusted system on the network.
How can this control be implemented, automated, and its effectiveness
measured?
1. QW: Compare firewall, router, and switch configuration against standard secure
configurations defined for each type of network device in use in the organization.The
security configuration of such devices should be documented , reviewed, and approvedby an agency change control board. Any deviations from the standard configuration or
updates to the standard configuration should be documented and approved in a change
control system.
2. QW: At network interconnection points, such as Internet gateways, inter-agency
connections, and internal network segments with different security controls, implement
ingress and egress filtering to allow only those ports and protocols with a documented
business need. All other ports and protocols b esides those with an explicit need should
be blocked with default-deny rules by firewalls, network-based IPSs, and/or routers.
3. QW: Network devices that filter unneeded services or block attacks (including firewalls,
network-based Intrusion Prevention Sy stems, routers with access control lists, etc.)
should be tested under laboratory conditions with each given organizationsconfiguration to ensure that these devices exhibit failure behavior in a closed/blocking
fashion under significant loads with traffi c including a mixture of legitimate, allowed
traffic for that configuration intermixed with attacks at line speeds.
4. Config/Hygiene: All new configuration rules beyond a baseline -hardened configuration
that allow traffic to flow through network security devices, such as firewalls and
network-based IPSs, should be documented and recorded in a configuration
management system, with a specific business reason for each change, a specific
individuals name responsible for that business need, and an expected duration of the
8/6/2019 IT Security Trends
32/44
need. At least once per quarter, these rules should be reviewed to determine whether
they are still required from a business perspective. Expired rules should be removed.
5. Config/Hygiene: Network filtering technologies employed between networks with
different security levels (firewalls, network-based IPS tools, and routers with ACLs)
should be deployed with capabilities to filter IPv6 traffic. Even if IPv6 is not explicitly
used on the network, many operating systems today ship with IPv6 support activated,
and therefore filtering technologies need to take it into account.
6. Config/Hygiene: Network devices should be managed using two-factor authentication
and encrypted sessions. Only true two-factor authentication mechanisms should be
used, such as a password and a hardware token, or a password and biometric device.
Requiring two different passwords for accessing a system is not two -factor
authentication.
7. Advanced: The network infrastructure should be managed across network connections
that are separated from the business use of that network, relying on separate VLANs or
preferably relying on entirely different physical connectivity for management sessions
for network devices.19
Associated NIST SP 800-53 Rev 3 Priority 1 Controls:AC-4 (7, 10, 11, 16), CM -1, CM-2 (1), CM-3 (2), CM-5 (1, 2, 5), CM-6 (4), CM-7 (1, 3), IA-2 (1,
6),
IA-5, IA-8, RA-5, SC-7 (2, 4, 5, 6, 8, 11, 13, 14, 18), SC -9
Procedures and tools for implementing this control:
Port scanners and most vulnerability scanning tools can be used to attempt to launch
packets
through the device, measuring all TCP and UDP ports allowed through. This measures the
effectiveness of the filters configuration and implementation. A sniffer can be set up on the
other side of the filtering device to determine which packets are allowed through, and
which
are blocked. The results of the test can be matched against the list of traffic t ypes andnetwork
services that should be allowed through the device both inbound and outbound according
to
policy (defined by the documented business needs for each allowed service), thereby
identifying misconfigured filters. Such measurement should be con ducted at least every
quarter, and also when significant changes are made to firewall rule sets and router access
control lists.
Going further, some organizations use commercial tools that evaluate the rule set of
network
filtering devices to determine whe ther they are consistent or in conflict, providing an
automated sanity check of network filters and search for errors in rule sets or ACLs that mayallow unintended services through the device. Such tools should be run each time significant
changes are made to firewall rule sets, router ACLs, or other filtering technologies.
Critical Control 5: Boundary DefenseHow do attackers exploit the lack of this control?
Attackers focus on exploiting systems that they can reach across the Internet, which include
not
only DMZ systems, but also workstation and laptop computers that pull content from the
8/6/2019 IT Security Trends
33/44
Internet through network boundaries. Threats such as organized crime groups and nation
states use configuration and architectural weaknesses found on perimeter systems, network
devices, and Internet-accessing client machines to gain initial access into an organization.
Then,
with a base of operations on these machines, attackers often pivot to get deeper inside the
boundary to steal or change information or to set up a pe rsistent presence for later attacks
against internal hosts. Additionally, many attacks occur between business partner networks,
sometimes referred to as extranets, as attackers hop from one organizations network to
another, exploiting vulnerable systems o n extranet perimeters.
To control the flow of traffic through network borders and to police its content looking for
attacks and evidence of compromised machines, boundary defenses should be multi -
layered,
20
relying on firewalls, proxies, DMZ perimeter networks, and network -based Intrusion
Prevention
Systems and Intrusion Detection Systems.
It should be noted that boundary lines between internal and external networks are
diminishing
through increased interconnectivity within and between organizations, as well as the rapid
rise
in deployment of wireless technologies.These blurring lines sometimes allow attackers to
gain
access inside networks while bypassing boundary systems. However, even with this blurring,
effective security deployments still rely on carefully configured boundary defenses that
separate networks with different threat levels, different sets of users, and different levels of
control. Even with the blurring of internal and external networks, effective m ulti-layered
defenses of perimeter networks help to lower the number of successful attacks, allowing
security personnel to focus on attackers who have devised methods to bypass boundary
restrictions.How can this control be implemented, automated, and its effectivenessmeasured?
The boundary defenses included in this control build on Critical Control 4, with these
additional
recommendations focused on improving the overall architecture and implementation of
both
Internet and internal network boundary points . Internal network segmentation is central to
this control because once inside a network, many intruders attempt to target the most
sensitive
machines. Usually, internal network protections are not set up to defend against an internal
attacker. Setting up even a basic level of security segmentation across the network andprotecting each segment with a proxy and a firewall will greatly reduce the intruders access
to
the other parts of the network.
1. QW: Organizations should deny communications with (or lim it data flow to) known
malicious IP addresses (blacklists) or limit access to trusted sites (whitelists).
Periodically, test packets from bogon source IP addresses should be sent into the
network to verify that they are not transmitted through network peri meters. Lists of
8/6/2019 IT Security Trends
34/44
bogon addresses (unroutable or otherwise unused IP addresses) are publicly available
on the Internet from various sources, and indicate a series of IP addresses that should
not be used for legitimate traffic traversing the Internet.
2. QW: Deploy IDS sensors on Internet and extranet DMZ systems and networks that look
for unusual attack mechanisms and detect compromise of these systems.These IDS
sensors may detect attacks through the use of signatures, network behavior analysis, or
other mechanisms to analyze traffic.
3. QW: On DMZ networks, monitoring systems (which may be built -in to the IDS sensors or
deployed as a separate technology) should be configured to record at least packet
header information, and preferably full packet header and payloads of the traffic
destined for or passing through the network border.
4. Vis/Attrib: Define a network architecture that clearly separates internal systems from
DMZ systems and extranet systems. DMZ systems are machines that need to21
communicate with the internal network as well as the Internet, while extranet systems
are systems whose primary communication is with other systems at a business partner.
5. Vis/Attrib: Design and implement network perimeters so that all outgoing web, FTP, and
secure shell traffic to the Internet must pass through at least one proxy on a DMZ
network. The proxy should support logging individual TCP sessions; blocking specific
URLs, domain names, and IP addresses to implement a blacklist; and applying whitelists
of allowed sites that can be accessed through the proxy while blocking all other sites.
6. Vis/Attrib: Require all remote login access (including VPN, dial -up, and other forms of
access that allow login to internal systems) to use two-factor authentication.
7. Config/Hygiene: All devices remotely logging into the internal network should be
managed by the enterprise, with remote control of their configuration, installed
software, and patch levels.
8. Config/Hygiene: Organizations should periodically scan for back -channel connections to
the Internet that bypass the DMZ, including unauthorized VPN connections and dualhomed
hosts connected to the enterprise network and to other networks via wireless,dial-up modems, or other mechanisms.
9. Config/Hygiene: To limit access by an insider or malware spreading on an internal
network, organizations should devise internal network segmentation schemes to limit
traffic to only those services needed for business use across the internal network.
10. Config/Hygiene: Organizations should develop plans for rapidly deploying filters on
internal networks to help stop the spread of malware or an intruder.
11. Advanced: Organizations should force outbound traffic to the Internet through an
authenticated proxy server on the enterprise perimeter.
12. Advanced: To help identify covert channels exfiltrating data through a firewall, built -in
firewall session tracking mechanisms included in many commercial firewalls should be
configured to identify long-term TCP sessions that last an unusually long time for thegiven organization and firewall device, alerting personnel about the source and
destination addresses associated with these long -term sessions.
Associated NIST SP 800-53 Rev 3 Priority 1 Controls:
AC-17 (1), AC-20, CA-3, IA-2 (1, 2), IA-8, RA-5, SC-7 (1, 2, 3, 8, 10, 11, 14), SC -18, SI-4 (c, 1, 4,
5,
11), PM-7
Procedures and tools for implementing this control:
8/6/2019 IT Security Trends
35/44
One element of this control can be implemented using free or commercial IDSs and sniffers
to
look for attacks from external sources directed at DMZ and internal systems, as well as
attacks
originating from internal systems against the DMZ or Internet. Security personnel should
regularly test these sensors by launching vulnerability -scanning tools against them to verify
that
the scanner traffic triggers an appropriate alert. The captured packets of the IDS sensors
should be reviewed using an automated script each day to ensure that log volumes are
within
expected parameters and that the logs are formatted properly and have not been
corrupted.
22
Additionally, packet sniffers should be deployed on DMZs to look for HTTP traffic that
bypasses
HTTP proxies. By sampling traffic regularly, such as over a 3 -hour period once per week,
information security personnel search for HTTP traffic that is neither sourced by nor
destined
for a DMZ proxy, implying that the requirement for proxy use is being bypassed.
To identify back-channel connections that bypass approved DMZs, network security
personnel
can establish an Internet-accessible system to use as a receiver for testing outbound access.
This system is configured with a free or commercial packet sniffer. Then, security personnel
connect a sending test system to various points on the organizations in ternal network,
sending
easily identifiable traffic to the sniffing receiver on the Internet.These packets can be
generated using free or commercial tools with a payload that contains a custom file used for
the test. When the packets arrive at the receiver system, the source address of the packets
should be verified against acceptable DMZ addresses allowed for the organization. If sourceaddresses are discovered that are not included in legitimate, registered DMZs, more detail
can
be gathered by using a traceroute tool to determine the path packets take from the sender
to
the receiver system.
Critical Control 6: Maintenance, Monitoring, and AnalysisofAudit LogsHow do attackers exploit the lack of this control?
Deficiencies in security logging and analysis allow attackers to hide their location, malicioussoftware used for remote control, and activities on victim machines. Even if the victims
know
that their systems were compromised, without protected and complete logging records, the
victim is blind to the details of the attack and to the subsequent actions taken by the
attackers.
Without solid audit logs, an attack may go unnoticed indefinitely and the particular damages
done may be irreversible.
Sometimes logging records are the only evidence of a succes sful attack. Many organizations
8/6/2019 IT Security Trends
36/44
keep audit records for compliance purposes but attackers rely on the fact that such
organizations rarely look at the audit logs so they do not know that their systems have been
compromised. Because of poor or non -existent log analysis processes, attackers sometimes
control victim machines for months or years without anyone in the target organization
knowing, even though the evidence of the attack has been recorded in unexamined log files.
How can this control be implemented, automated, and its effectiveness
measured?23
1. QW: Validate audit log settings for each hardware device and the software installed on
it, ensuring that logs include a date, timestamp, source addresses, destination
addresses, and various other useful elements of each packet and/or transaction.
Systems should record logs in a standardized format such as syslog entries or those
outlined by the Common Event Expression (CEE) initiative. If systems cannot generate
logs in a standardized format, deploy log n ormalization tools to convert logs into a
standardized format.
2. QW: Ensure that all systems that store logs have adequate storage space for the logs
generated on a regular basis, so that log files will not fill up between log rotation
intervals.3. QW: System administrators and security personnel should devise profiles of common
events from given systems, so that they can tune detection to focus on unusual activity,
avoid false positives, more rapidly identify anomalies, and prevent overwhelming
analysts with insignificant alerts.
4. QW: All remote access to an internal network, whether throughVPN, dial -up, or other
mechanism, should be logged verbosely.
5. QW: Operating systems should be configured to log access control events associated
with a user attempting to access a resource (e.g., a file or directory) without the
appropriate permissions.
6. QW: Security personnel and/or system administrators should run bi -weekly reports that
identify anomalies in logs. They should then actively review the anomalies,documenting their findings.
7. Vis/Attrib: Each agency network should include at least two synchronized time sources,
from which all servers and network equipment retrieve time information on a regular
basis, so that timestamps in logs are consistent.
8. Vis/Attrib:Network boundary devices, including firewalls, network -based IPSs, and
inbound and outbound proxies should be configured to log verbosely all traffic (both
allowed and blocked) arriving at the device.
9. Vis/Attrib: For all servers, organizations should ensure logs are written to write -only
devices or to dedicated logging servers running on separate machines from hosts
generating the event logs, lowering the chance that an attacker can manipulate logs
stored locally on compromised machines.10. Config/Hygiene: Organizations should periodically test the audit analysis process by
creating controlled, benign events in logs and monitoring devices and measuring the
amount of time that passes before the events are discovered and action is taken.
Ensure that a trusted person is in place to coordinate activities between the incident
response team and the personnel conducting such tests.
11. Advanced: Organizations should deploy a Security Event/Information Management
(SEIM) system tool for log aggregation and consolidation from multiple machines and
8/6/2019 IT Security Trends
37/44
for log correlation and analysis. Deploy and monitor standard government scripts for
analysis of the logs, as well as using customized local scripts. Furthermore, event logs
should be correlated with information from vulnerability scans to fulfill two goals. First,
personnel should verify that the activity of the regular vulnerability scanning tools24
themselves is logged. And, secondly, personnel should be able to correlate attack
detection events with earlie r vulnerability scanning results to determine whether the
given exploit was used against a known -vulnerable target.
Associated NIST SP 800-53 Rev 3 Priority 1 Controls:
AC-17 (1), AC-19, AU-2 (4), AU-3 (1,2), AU-4, AU-5, AU-6 (a, 1, 5), AU-8, AU-9 (1, 2), AU-12
(2),
SI-4 (8)
Procedures and tools for implementing this control:
Most free and commercial operating systems, network services, and firewall technologies
offer
logging capabilities. Such logging should be activated, with logs sent to centralized logg ing
servers. Firewalls, proxies, and remote access systems (VPN, dial -up, etc.) should all be
configured for verbose logging, storing all the information available for logging should afollowup
investigation be required. Furthermore, operating systems, esp ecially those of servers,
should be configured to create access control logs when a user attempts to access resources
without the appropriate privileges. To evaluate whether such logging is in place, an
organization should periodically scan through its logs and compare them with the asset
inventory assembled as part of Critical Control 1, to ensure that each managed item actively
connected to the network is periodically generating logs.
Analytical programs for reviewing logs can be useful, but the capabilities employed to
analyze
audit logs is quite wide-ranging, including just a cursory examination by a human. Actual
correlation tools can make audit logs far more useful for subsequent manual inspection bypeople. Such tools can be quite helpful in identifying subtle attacks. However, these tools
are
neither a panacea nor a replacement for skilled information security personnel and system
administrators. Even with automated log analysis tools, human expertise and intui tion are
often required to identify and understand attacks.
Critical Control 7: Application Software SecurityHow do attackers exploit the lack of this control?
Attacks against vulnerabilities in web-based and other application software have been a top
priority for criminal organizations in recent years. Application software that does not
properly
check the size of user input, fails to sanitize user input by filtering out unneeded butpotentially
malicious character sequences, or does not initialize and cle ar variables properly could be
vulnerable to remote compromise. Attackers can inject specific exploits, including buffer
overflows, SQL injection attacks, and cross-site scripting code to gain control over
vulnerable
machines. In one attack in 2008, more than 1 million web servers were exploited and turned25
8/6/2019 IT Security Trends
38/44
into infection engines for visitors to those sites using SQL injection. During that attack,
trusted
websites from state governments and other organizations compromised by attackers were
used
to infect hundreds of thousands of browsers that accessed those websites. Many more web
and non-web application vulnerabilities are discovered on a regular basis.
To avoid such attacks, both internally developed and third -party application software must
be
carefully tested to find security flaws. For third -party application software, enterprises
should
verify that vendors have conducted detailed security testing of their products. For in -house
developed applications, enterprises must conduct such testing themselves or engage an
outside
firm to conduct such testing.
How can this control be implemented, automated, and its effectivenessmeasured?
1. QW: Organizations should protect web applications by deplo ying web application
firewalls that inspect all traffic flowing to the web application for common webapplication attacks, including but not limited to Cross -Site Scripting, SQL injection,
command injection, and directory traversal attacks. For application s that are not web
based, deploy specific application firewalls if such tools are available for the given
application type.
2. Config/Hygiene: Organizations should test in-house developed and third-party procured
web and other application software for codi ng errors and malware insertion, including
backdoors prior to deployment using automated static code analysis software. If source
code is not available, these organizations should test compiled code using static binary
analysis tools. In particular, input validation and output encoding routines of
application software should be carefully reviewed and tested.
3. Config/Hygiene: Organizations should test in-house developed and third-party procuredweb applications for common security weaknesses using automate d remote web
application scanners prior to deployment, whenever updates are made to the
application, and on a regular recurring basis, such as weekly.
4. Config/Hygiene: For applications that rely on a database, organizations should conduct a
configuration review of both the operating system housing the database and the
database software itself, checking settings to ensure that the database system has been
hardened using standard hardening templates.
5. Config/Hygiene: Organizations should verify that secur ity considerations are taken into
account throughout the requirements, design, implementation, testing, and other
phases of the application development life cycle of all applications.
6. Config/Hygiene: Organizations should ensure that all software development personnelreceive training in writing secure code for their specific development environment.
7. Config/Hygiene: Require that all in-house developed software include white-list filtering
capabilities for all data input and output associated with the system. These whitelists
should be configured to allow in or out only the types of data needed for the system,
blocking other forms of data that are not required.
26
Associated NIST SP 800-53 Rev 3 Priority 1 Controls:
8/6/2019 IT Security Trends
39/44
CM-7, RA-5 (a, 1), SA-3, SA-4 (3), SA-8, SI-3, SI-10
Procedures and tools for implementing this control:
Source code testing tools, web application security scanning tools, and object code testing
tools
have proven useful in securing application software, along with manual application security
penetration testing by testers who have extensive programming knowledge as well as
application penetration testing expertise.The Common Weakness Enumeration (CWE)
initiative is utilized by many such too ls to identify the weaknesses that they find.
Organizations
can also use CWE to determine which types of weaknesses they are most interested in
addressing and removing. A broad community effort to identify the Top 25 Most
Dangerous
Programming Errors is also available as a minimum set of important issues to investigate
and
address during the application development process. When evaluating the effectiveness of
testing for these weaknesses, the Common Attack Pattern Enumeration and Classification
(CAPEC) can be used to organize and record the breadth of the testing for the CWEs as well
as a
way for testers to think like attackers in their development of test c