Module 4: The Problems: Cyber Antipatterns

Cyber Security: Managing Networks, Conducting Tests, and Investigating Intrusions

April 30, 2021 DRAFT


Antipatterns Concept

• Patterns were invented by Christopher Alexander in the book A Pattern Language
• Patterns resolve forces and yield benefits
• Antipatterns generate mostly consequences, but contain embedded patterns (refactored solutions) that resolve the problems

Forces in Cyber Antipatterns

Cyber Antipatterns Templates
• Micro Antipattern Template
– Minimal structure, similar to Christopher Alexander’s original invention
• Full Antipattern Template
– Antipattern Name
– Also Known As
– Refactored Solution Names
– Unbalanced Primal Forces
– Anecdotal Evidence
– Background
– Antipattern Solution
– Causes, Symptoms, and Consequences
– Known Exceptions
– Refactored Solution and Examples
– Related Solutions

Cyber Antipatterns Catalog
– Can’t Patch Dumb
– Unpatched Applications
– Never Read the Logs
– Networks Always Play By the Rules
– Crunchy on the Outside Gooey in the Middle
– Webify Everything
– No Time for Security

See additional antipatterns in Chapters 1 and 12

Can’t Patch Dumb
• Human end-users are almost always the greatest vulnerability
• Humans can, for example:
– Click on unexpected email attachments
– Be susceptible to phishing
– Use easily guessed passwords
– Visit drive-by malware websites and malvertisements
• End user education is the cure – See Chapter 10
Unpatched Applications
• Security researchers and attackers are constantly searching for new vulnerabilities in software
• Any software defect is a potential vulnerability
– In software testing theory, almost any defect can be manipulated to crash the program
• Typical software applications are shipped with tens of thousands of known defects, not to mention latent defects
• Application patching, particularly on Patch Tuesday, is one of the most important defenses
Never Read the Logs
• Network devices, operating systems, system services, and applications all generate logs, i.e. records of events
• Consolidating and reviewing the logs (e.g. using tools such as Syslog) is a critically important security activity
– It is said that “all the evidence is in the logs”
– If there is potentially malicious activity such as repeated failed login attempts, that fact must be detected urgently and acted upon
• See Chapter 9 for Advanced Log Analysis techniques
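As an added example (not from the slides), a small detector for the "repeated failed login attempts" case above: it parses sshd lines in syslog format and flags source addresses whose failed logins reach a threshold. The log lines are constructed sample data and the threshold of 5 is an arbitrary assumption.

```python
import re
from collections import Counter

# Constructed sample syslog lines (sshd on a Linux host), not taken from any real system.
# One source address fails five times against root/admin; a legitimate user mistypes once.
SAMPLE_SYSLOG = """\
Apr 30 10:01:02 host1 sshd[1201]: Failed password for root from 203.0.113.7 port 51234 ssh2
Apr 30 10:01:04 host1 sshd[1203]: Failed password for root from 203.0.113.7 port 51236 ssh2
Apr 30 10:01:07 host1 sshd[1205]: Failed password for invalid user admin from 203.0.113.7 port 51240 ssh2
Apr 30 10:01:09 host1 sshd[1207]: Failed password for root from 203.0.113.7 port 51242 ssh2
Apr 30 10:01:12 host1 sshd[1209]: Failed password for root from 203.0.113.7 port 51244 ssh2
Apr 30 10:02:15 host1 sshd[1211]: Accepted password for alice from 198.51.100.5 port 40001 ssh2
Apr 30 10:03:30 host1 sshd[1213]: Failed password for alice from 198.51.100.5 port 40002 ssh2
"""

# Matches sshd failure lines; "invalid user" appears when the account does not exist.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)"
)


def count_failed_logins(log_text):
    """Return a Counter of failed-login events keyed by source IP address."""
    counts = Counter()
    for line in log_text.splitlines():
        match = FAILED_RE.search(line)
        if match:
            counts[match.group("ip")] += 1
    return counts


def targeted_accounts(log_text):
    """Return the set of usernames that saw at least one failed login."""
    return {m.group("user") for m in map(FAILED_RE.search, log_text.splitlines()) if m}


def flag_brute_force(log_text, threshold=5):
    """Return sorted (ip, failures) pairs whose failed logins reach the threshold."""
    counts = count_failed_logins(log_text)
    return sorted((ip, n) for ip, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    for ip, n in flag_brute_force(SAMPLE_SYSLOG):
        print(f"ALERT: {n} failed logins from {ip}; accounts tried: {sorted(targeted_accounts(SAMPLE_SYSLOG))}")
```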
Networks Always Play by the Rules
• One key reason why networked services are vulnerable is that they expect actors using the service to play by the network rules, i.e. the established protocols
• Malicious actors purposefully disobey the rules when they attack systems, for example (see Chapter 8):
– Sending a very long input value containing code to attempt a buffer overflow
– Sending segments of SQL code as an input to try to trigger an SQL Injection Attack
– Pretending to be a wireless access point to gain the trust of mobile devices, e.g. Karma, Karmasploit, Wireless Attack Toolkit
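As an added example (not from the slides), the SQL injection and oversized-input points above shown as a login check written two ways: the string-concatenated query lets input be interpreted as SQL, while the parameterized query plus a length limit treats the input as data. The in-memory table, its two users and the 64-character limit are constructed assumptions for the demonstration.

```python
import sqlite3


def make_db():
    """Constructed in-memory users table with sample rows (not real credentials)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "s3cret"), ("bob", "hunter2")],
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Antipattern: the query is assembled by concatenation, so the caller's
    input becomes part of the SQL text and can change the WHERE clause."""
    query = (
        "SELECT COUNT(*) FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return conn.execute(query).fetchone()[0] > 0


def login_hardened(conn, username, password, max_len=64):
    """Refactored solution: reject oversized input, then bind the values as
    parameters so the driver never interprets them as SQL."""
    if len(username) > max_len or len(password) > max_len:
        return False  # a field this long is not a credential; drop it early
    query = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()[0] > 0


if __name__ == "__main__":
    db = make_db()
    print("hardened, correct password:", login_hardened(db, "alice", "s3cret"))
    print("hardened, wrong password:  ", login_hardened(db, "alice", "nope"))
```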

Crunchy on the Outside, Gooey in the Middle
• Traditionally, network security for enterprises has focused on the Internet boundary
– Hardened front-end servers in the DMZ
– Internet-facing firewalls
– Internet-facing intrusion detection and prevention
• Once attackers have penetrated the Internet boundary, defenses are often very weak, for example:
– Ready intranet access to servers with restricted data
– Restricted data not encrypted
– Administrative users who use the same username and password for multiple mission-critical systems
– Mission-critical databases readily accessed from the intranet

Webify Everything
• Some basic web attacks include:
– Cross Site Request Forgery
– Cross Site Scripting Attack
– Man in the Middle Attack
• When the privileged administrator interface is webified, the system becomes highly vulnerable to these types of attacks
– Webified electrical power control system console
– Webified heating, ventilating, and air conditioning console
– Webified network device or system administration console
No Time for Security
• For software projects to be successful, they often have to gain a ruthless focus on delivering results
• What is often abandoned in this ruthlessness is security
• As a security tester, you will encounter this time and time again – security is first considered immediately before the testers arrive… for example, you may observe:
– Developers in a panic creating new accounts because they were all logging in with the same privileged account