Lecture 2
Mudassar Mahmood Mirza
Anatomy of buffer overflow vulnerabilities
Network-based IPSs
Network-based IPSs are deployed on the network and inspect
packets. They differ from firewalls in that they use deep packet
inspection technologies.
Deep packet inspection
Deep packet inspection is a general description of any technology
that looks further into the packets beyond the TCP/IP level.
Securing the core
The push to secure the core has been the result of several factors, including
the "porous perimeter" (the realization that with e-business and various
other technologies that have been massively adopted, there really is no such
thing as a perimeter), the fact that the most damage is done by attacks
initiated by insiders, and more.
One approach to securing the core is to use the same products that are
used to secure the perimeter within your internal network.
In the same way, IDS/IPS systems can be used within the internal
network.
IDS sensors can be deployed internally to monitor intrusions from
insiders or outsiders who have managed to breach the perimeter.
Most important, pushing into the core is usually associated with more
granular access control rules, deep packet inspection, and advanced
technologies such as application security and database security products.
Application security
The primary initiative in securing the core involves
application security, and more specifically Web
application security.
The Web application model is inherently insecure. For
example, Web applications run most of their
processing on the server and the browser merely
presents a page, collects information from the user, and
communicates this data (and action request) back to
the server.
Application security
On the deployment side, application security gateways
and application firewalls help secure application
endpoints, perform URL filtering, and protect against
denial-of-service attacks.
A Web application must be accessible from the
worldwide Internet, so its traffic arrives on port 80 or 443.
Application security is first and foremost about
securing application data.
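To make concrete why a network-based IPS with deep packet inspection can enforce a URL-filtering policy that a port-based firewall cannot, here is an added example (not from the lecture) in Python. The packet structure, the blocked-path patterns and the sample traffic are all constructed for illustration.

```python
import re
from dataclasses import dataclass

# Constructed sample "packet": the header fields a firewall sees plus the TCP payload.
@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes

# Header-only rule, as a classic firewall applies it: allow the Web ports.
ALLOWED_PORTS = {80, 443}

def firewall_decision(pkt: Packet) -> str:
    """Sees only addresses and ports; cannot tell a benign request from a policy violation."""
    return "allow" if pkt.dport in ALLOWED_PORTS else "drop"

# Hypothetical URL-filtering policy applied by the deep-packet-inspection step.
BLOCKED_PATH_PATTERNS = [re.compile(r"/admin(/|$)"), re.compile(r"\.\./")]
REQUEST_LINE = re.compile(rb"^(GET|POST|PUT|DELETE|HEAD) (\S+) HTTP/1\.[01]\r\n")

def dpi_decision(pkt: Packet) -> str:
    """Looks past the TCP/IP headers into the HTTP request line and filters on the URL."""
    if firewall_decision(pkt) == "drop":
        return "drop"
    m = REQUEST_LINE.match(pkt.payload)
    if not m:
        return "allow"        # not the start of an HTTP request (e.g. TLS); nothing to judge
    path = m.group(2).decode("ascii", errors="replace")
    for pat in BLOCKED_PATH_PATTERNS:
        if pat.search(path):
            return "block"    # same 5-tuple the firewall allowed, but the URL violates policy
    return "allow"

def classify(packets):
    """Pair each packet with (firewall verdict, DPI verdict)."""
    return [(firewall_decision(p), dpi_decision(p)) for p in packets]

SAMPLE = [  # constructed traffic, not captured data
    Packet("10.0.0.5", "192.0.2.10", 80, b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    Packet("10.0.0.5", "192.0.2.10", 80, b"GET /admin/users HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    Packet("10.0.0.5", "192.0.2.10", 8080, b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
]

if __name__ == "__main__":
    for pkt, (fw, dpi) in zip(SAMPLE, classify(SAMPLE)):
        print(f"port {pkt.dport:<5} firewall={fw:<5} dpi={dpi}")
```

The second packet is the point: the firewall allows it because port 80 is open, while the DPI step blocks it on the URL alone.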
Public key infrastructure (PKI)
Cryptography is perhaps one of the most well-known techniques within
the security landscape and is often viewed by many as synonymous with
security.
Cryptography became practical for everyday worldwide usage with the
invention of public key cryptography algorithms (rather than symmetric
key algorithms).
This is perhaps the single most important breakthrough in the world of
security, which owes a lot to three researchers named Rivest, Shamir, and
Adleman (from whom emerged the name of the RSA algorithm and the
name of the main vendor for PKI, RSA Security).
With symmetric algorithms, the same key that is used to encrypt data is
also used to decrypt the data. With public key algorithms, a pair of keys is
used: a public key that is normally known to everybody is used to encrypt
the data, and a private key that is known only to one party is used to
decrypt the data.
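The key-pair idea above, worked through as an added example (not part of the lecture) in Python: textbook RSA built from two constructed small primes, encrypting with the public key and decrypting with the private one, beside a toy symmetric cipher where one shared key does both jobs. The prime values and the XOR pad are illustrative choices, not anything a real deployment would use.

```python
from math import gcd
from secrets import randbelow

def rsa_keygen(p: int, q: int, e: int = 65537):
    """Textbook RSA from two primes p and q: returns (public key, private key)."""
    n = p * q
    phi = (p - 1) * (q - 1)            # Euler's totient of n
    assert gcd(e, phi) == 1, "e must be coprime to phi(n)"
    d = pow(e, -1, phi)                # private exponent: e * d == 1 (mod phi)
    return (n, e), (n, d)

def rsa_encrypt(public_key, m: int) -> int:
    """Anyone holding the public key (n, e) can encrypt."""
    n, e = public_key
    assert 0 <= m < n, "message must be an integer below the modulus"
    return pow(m, e, n)

def rsa_decrypt(private_key, c: int) -> int:
    """Only the holder of the private exponent d can decrypt."""
    n, d = private_key
    return pow(c, d, n)

# Symmetric counterpart: the same key encrypts and decrypts (toy XOR pad, no real cipher).
def xor_encrypt(key: bytes, data: bytes) -> bytes:
    return bytes(b ^ k for b, k in zip(data, key))

def demo() -> dict:
    # Constructed small primes so the arithmetic is visible; real keys use primes of 1024+ bits.
    public, private = rsa_keygen(p=61, q=53, e=17)   # n = 3233, phi = 3120, d = 2753
    m = 65
    c = rsa_encrypt(public, m)                       # 65^17 mod 3233 = 2790
    recovered = rsa_decrypt(private, c)              # 2790^2753 mod 3233 = 65
    # Symmetric: one shared secret, used in both directions.
    key = bytes(randbelow(256) for _ in range(5))
    sym_ct = xor_encrypt(key, b"hello")
    sym_pt = xor_encrypt(key, sym_ct)
    return {"n": public[0], "d": private[1], "c": c,
            "recovered": recovered, "sym_roundtrip": sym_pt}

if __name__ == "__main__":
    print(demo())
```

Note that this is unpadded textbook RSA on a bare integer; it shows the key-pair mechanism, not a usable encryption scheme.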
Vulnerability management
Vulnerability management is a broad term.
Why are there so many vulnerabilities?
Configuration errors
Unnecessary (and dangerous) services
Access administration errors
Software defects
Software defects.
Software defects are built into the code during development and
include design flaws and coding mistakes. Gartner estimates that
35% of successful attacks exploit these types of errors.
Design flaws
o involve design decisions that create an inherently insecure
system.
Coding errors
o include both bugs as well as features that were put in not by
design but through oversight.
o Coding errors include buffer overflows, race conditions,
back doors into systems, and even nonrandom random-number
generators.
Configuration Errors
Configuration errors
o If software defects account for 35% of vulnerabilities,
configuration errors account for a whopping 65% of
vulnerabilities. This means that the biggest bang for the buck
in terms of avoiding vulnerabilities is an investment in
configuration management, assessments of configurations,
and repeatable (safe) configurations.
Unnecessary (and dangerous) services
o Systems are often configured to bring up services and allow
connections that are not required. It is usually easier to install
a system with its default configuration rather than define
precisely what is and is not required. Vendors always prefer to
have an all-enabling starting configuration because it avoids
problems that can be interpreted as “the system not working.”
Configuration Errors
Access administration errors
When access control includes configuration errors, entire security
models fall apart. Because most complex systems have elaborate
access control schemes that are based on groups, roles,
permissions, delegation, and more, there are many errors in
access control configuration.
Vulnerability scanners
Vulnerability scanners (also called vulnerability
assessment products) scan systems and try to locate
exposures and vulnerabilities.
Scanners also come in many types, including host-based
assessments, network-based assessments, target-based
assessments, and any combination of these.
Monitoring and baselining
Many vulnerabilities are caused by mistakes and
configuration errors. Once companies set policies and
define compliance targets, they need to continuously
monitor compliance. This is hard to do unless you
define a baseline against which the current state can be
continuously compared.
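An added example (not from the lecture) in Python tying the "unnecessary services" point to the baselining idea: an approved-services baseline is compared against a current snapshot, and anything the default install left listening that is not in the baseline is reported as drift. The snapshot format, the service list and the host are all constructed for illustration, not real scanner output.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Listener:
    proto: str
    port: int
    process: str

def parse_listeners(text: str) -> set[Listener]:
    """Parse a snapshot in a constructed 'proto port process' format (one service per line)."""
    result = set()
    for line in text.strip().splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        proto, port, process = line.split()
        result.add(Listener(proto, int(port), process))
    return result

def compare_to_baseline(baseline: set[Listener], current: set[Listener]) -> dict:
    """Drift report: services that appeared (unapproved) and approved services that are gone."""
    return {
        "unapproved": sorted(current - baseline, key=lambda l: l.port),
        "missing": sorted(baseline - current, key=lambda l: l.port),
        "compliant": current == baseline,
    }

# Constructed baseline: the approved listening services for a hypothetical web host.
BASELINE = parse_listeners("""
tcp 22  sshd
tcp 443 nginx
""")

# Constructed current snapshot: a default install that brought up extra services.
CURRENT = parse_listeners("""
tcp 22   sshd
tcp 443  nginx
tcp 21   vsftpd
udp 161  snmpd
""")

def report(baseline=BASELINE, current=CURRENT) -> dict:
    return compare_to_baseline(baseline, current)

if __name__ == "__main__":
    r = report()
    print("compliant:", r["compliant"])
    for l in r["unapproved"]:
        print(f"unapproved service: {l.proto}/{l.port} ({l.process})")
    for l in r["missing"]:
        print(f"missing approved service: {l.proto}/{l.port} ({l.process})")
```

Run on a schedule against each host, the same comparison turns a one-time assessment into the continuous compliance monitoring the slide calls for.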