Agenda
o Basics – Information Security
o Infra Security Threats
o Systems Threats & Countermeasures
o Database Threats & Countermeasures
o Network Threats & Countermeasures
o Layered defense
o Questions
Basics – Information Security

Information architecture: Data lifecycle, Data flow, Data storage
Information classification: Private, Public, Confidential
Information assets: People, Process, Technology
Infra - Security Threats

Virus: A program or piece of code that is loaded onto your computer without your knowledge and runs against your wishes.

Trojan Horse: A destructive program that masquerades as a benign application. Unlike viruses, Trojan horses do not replicate themselves.

Worm: A program or algorithm that replicates itself over a computer network and usually performs malicious actions.
Infra - Security Threats - Contd

Adware is considered a legitimate alternative offered to consumers who do not wish to pay for software. Programs, games or utilities can be designed and distributed as freeware.

Spyware is considered a malicious program and is similar to a Trojan horse in that users unwittingly install the product when they install something else.

Malware, short for malicious software, consists of programming (code, scripts, active content, and other software) designed to disrupt or deny operation, gather information that leads to loss of privacy or exploitation, gain unauthorized access to system resources, and other abusive behaviour.

A rootkit is software that enables continued privileged access to a computer while actively hiding its presence from administrators by subverting standard operating system functionality or other applications.
System Threats & Countermeasures

• SMB relay – MITM
• FTP bouncing
• DNS Cache Poisoning
• Insider threat – Windows environment
SMB Relay Attack - Explained

An SMB Relay attack is a type of man-in-the-middle attack where the attacker asks the victim to authenticate to a machine controlled by the attacker, then relays the credentials to the target. The attacker forwards the authentication information both ways, giving him access.

Here are the players in this scenario:

• The attacker is the person trying to break into the target
• The victim is the person who has the credentials
• The target is the system the attacker wants access to, and that the victim has credentials for

And here is the scenario (the slide carries a diagram of the exchange):

1. Attacker tricks the victim into connecting to him
2. Attacker establishes a connection to the target and receives the 8-byte challenge
3. Attacker sends the 8-byte challenge to the victim
4. Victim responds to the attacker with the password hash
5. Attacker responds to the target's challenge with the victim's hash
6. Target grants access to the attacker

Counter Measures
• Preventive: Signed SMBs (NTLM V2)
• Detective: Log monitoring – TCP 139/445 transactions
• Compensative: Layered defence
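The detective control the slide lists is monitoring of TCP 139/445 transactions. The script below is an added example, not part of the original deck: it reads a constructed connection log and flags the two-hop pattern of steps 1 and 2 above (a host accepts an SMB connection and shortly afterwards opens its own SMB connection to a different host). The log line format, the IP addresses and the list of known servers are assumptions made for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

SMB_PORTS = {139, 445}

# Constructed sample of firewall/flow log lines (not taken from the slides):
# "<ISO timestamp> <src ip> -> <dst ip>:<dst port>"
SAMPLE_LOG = [
    "2024-03-01T09:00:00 10.0.0.6 -> 10.0.0.9:445",    # workstation to file server, normal
    "2024-03-01T09:00:01 10.0.0.9 -> 10.0.0.10:445",   # server to server, normal
    "2024-03-01T09:00:05 10.0.0.5 -> 10.0.0.77:445",   # victim workstation connects to another workstation
    "2024-03-01T09:00:07 10.0.0.77 -> 10.0.0.9:445",   # that workstation immediately opens SMB to the file server
    "2024-03-01T09:00:08 10.0.0.77 -> 10.0.0.9:443",   # HTTPS, not SMB, ignored
    "2024-03-01T09:20:00 10.0.0.77 -> 10.0.0.10:445",  # far outside the window, not paired
]

# Hosts expected to both accept and initiate SMB (file servers, domain controllers).
KNOWN_SERVERS = {"10.0.0.9", "10.0.0.10"}


def parse_line(line):
    """Parse one constructed log line into (timestamp, src, dst, dst_port)."""
    ts, src, _arrow, dst_port = line.split()
    dst, port = dst_port.rsplit(":", 1)
    return datetime.fromisoformat(ts), src, dst, int(port)


def find_relay_candidates(lines, known_servers, window_seconds=60):
    """Flag hosts that accept an SMB connection and then open their own SMB
    connection to a *different* host within window_seconds.

    Relay pattern from the slide: victim -> attacker (step 1), attacker -> target (step 2).
    Hosts in known_servers are exempt because they legitimately do both.
    """
    window = timedelta(seconds=window_seconds)
    events = sorted(parse_line(line) for line in lines)
    inbound = defaultdict(list)  # host -> [(timestamp, source)] of SMB connections it accepted
    findings = []
    for ts, src, dst, port in events:
        if port not in SMB_PORTS:
            continue
        if src not in known_servers:
            for in_ts, victim in inbound[src]:
                if victim != dst and in_ts <= ts <= in_ts + window:
                    findings.append({
                        "relay_host": src,
                        "victim": victim,
                        "target": dst,
                        "seconds_between": (ts - in_ts).total_seconds(),
                    })
        inbound[dst].append((ts, src))
    return findings


if __name__ == "__main__":
    for f in find_relay_candidates(SAMPLE_LOG, KNOWN_SERVERS):
        print(f"possible SMB relay via {f['relay_host']}: "
              f"{f['victim']} -> {f['relay_host']} -> {f['target']} "
              f"({f['seconds_between']:.0f}s apart)")
```

Workstations that legitimately accept inbound SMB (admin shares, remote support tooling) will produce false positives, so the known-server allowlist and the window need tuning for the environment; the signed-SMB preventive control removes the relay possibility rather than merely detecting it.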
FTP Bouncing - Explained

1. It is a fact that printers are usually installed with all the settings by default. This includes having the default administration password (if any), default administrative interfaces enabled, default services running, default SNMP community string, etc.
2. It is interesting to note that some printers run an anonymous FTP server that users (and processes) can use to print documents. A user can upload a document to the FTP server running on the printer and it will be printed. Things get worse when you discover that the FTP server supports the PORT command.
3. The PORT command is sent by the FTP client to establish a secondary channel for data to travel over. This command can be abused by an attacker to network scan other hosts on your network, as shown in the next

Diagram captions:
An open port completes the transfer over the specified connection.
A closed port will result in the FTP server informing the source station that the FTP server can't build the connection.

Counter Measures
• Preventive: Deny FTP passive, avoid FTP arbitrary connections
• Detective: IDS log monitoring
• Compensative: Layered defense
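For the "avoid FTP arbitrary connections" countermeasure, the check an FTP server needs is on the PORT argument itself. The function below is an added example, not from the deck or from any FTP server implementation: it parses the h1,h2,h3,h4,p1,p2 form of the PORT command and accepts the data connection only when it points back to the host that owns the control connection, on an unprivileged port. The reply strings, sample addresses and minimum port are constructed for the example.

```python
import re

# PORT h1,h2,h3,h4,p1,p2 : four IPv4 octets followed by the port as two bytes (p1*256 + p2)
PORT_RE = re.compile(
    r"^PORT\s+(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\s*$",
    re.IGNORECASE,
)


def parse_port_argument(command):
    """Return (ip, port) from a 'PORT h1,h2,h3,h4,p1,p2' line, or None if malformed."""
    m = PORT_RE.match(command.strip())
    if not m:
        return None
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        return None
    ip = ".".join(str(f) for f in fields[:4])
    port = fields[4] * 256 + fields[5]
    return ip, port


def check_port_command(control_peer_ip, command, min_port=1024):
    """Server-side policy for active-mode data connections.

    The data connection may only go back to the peer of the control connection,
    and only to an unprivileged port, so the server cannot be pointed at a third
    host. Returns (accepted, reply_line); reply codes follow RFC 959 conventions,
    the wording is constructed.
    """
    parsed = parse_port_argument(command)
    if parsed is None:
        return False, "501 Syntax error in PORT arguments."
    ip, port = parsed
    if ip != control_peer_ip:
        return False, "500 Illegal PORT command: data address must match control connection."
    if port < min_port:
        return False, "500 Illegal PORT command: privileged port refused."
    return True, "200 PORT command successful."


if __name__ == "__main__":
    peer = "192.0.2.10"  # constructed client address
    for cmd in ("PORT 192,0,2,10,4,1",    # back to the client, port 1025: accepted
                "PORT 10,0,0,9,0,22",     # a different host: refused
                "PORT 192,0,2,10,0,80",   # the client, but a privileged port: refused
                "PORT 1,2,3"):            # malformed: refused
        print(cmd, "->", check_port_command(peer, cmd))
```

The same check is what FTP daemons expose as an option to disable "promiscuous" PORT handling; when the printer's firmware offers no such setting, the slide's other preventive control, denying FTP on the device or at the network edge, is the fallback.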
DNS Cache Poisoning

DNS cache poisoning is a maliciously created or unintended situation that provides data to a Domain Name Server that did not originate from authoritative DNS sources.
DNS Cache Poisoning - Explained

1. A request is sent to the authoritative server for companyA.com. This is identical to the standard process for an iterative query – with one exception.
2. A cracker has decided to poison the internal DNS server's cache. In order to intercept a query and return malicious information, the cracker must know the transaction ID. Once the transaction ID is known, the attacker's DNS server can respond as the authoritative server for companyA.com. Although this would be a simple matter with older DNS software (e.g. BIND 4 and earlier), newer DNS systems have built-in safeguards. In our example, the transaction ID used to identify each query instance is randomized. But figuring out the transaction ID is not impossible.
3. All that's required is time. To slow the response of the real authoritative server, the cracker uses a botnet to initiate a Denial of Service (DoS) attack. While the authoritative server struggles to deal with the attack, the attacker's DNS server has time to determine the transaction ID.
4. Once the ID is determined, a query response is sent to the internal DNS server. But the IP address for farpoint.companyA.com in the response is actually the IP address of the attacker's site. The response is placed into the server's cache.

Counter Measures
• Preventive: Latest version of DNS software (BIND 9.3, Win 2003), DNSSEC
• Detective: IDS log analysis
• Compensative: Layered defense
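To make steps 2 to 4 concrete from the resolver's side, here is an added Python model, not from the deck, of the check a caching resolver applies before placing a reply in its cache, together with the odds of a blind guess succeeding. Besides the randomized transaction ID the slide describes, the model also randomizes the UDP source port, a mitigation widely deployed in resolvers that the slide does not list; the server addresses are constructed, the name farpoint.companyA.com is the slide's.

```python
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class DnsReply:
    txid: int        # 16-bit transaction ID copied from the query
    dst_port: int    # UDP port the reply arrives on (the resolver's query source port)
    server_ip: str   # address the reply claims to come from
    qname: str
    qtype: str
    answer: str


class Resolver:
    """Minimal model of a caching resolver's acceptance check for replies."""

    def __init__(self, randomize_source_port=True):
        self.randomize_source_port = randomize_source_port
        self.pending = {}   # (txid, src_port) -> (qname, qtype, server_ip)
        self.cache = {}     # (qname, qtype) -> answer

    def send_query(self, qname, qtype, server_ip):
        """Pick a fresh random txid (and source port) and record the outstanding query."""
        while True:
            txid = secrets.randbelow(1 << 16)
            port = secrets.randbelow(65536 - 1024) + 1024 if self.randomize_source_port else 53
            if (txid, port) not in self.pending:
                break
        self.pending[(txid, port)] = (qname, qtype, server_ip)
        return txid, port

    def receive(self, reply):
        """Accept a reply only if every identifying field matches an outstanding query.

        A forged reply has to hit the txid, the port, the claimed server and the
        question at once; a late duplicate of an already-answered query is dropped.
        """
        key = (reply.txid, reply.dst_port)
        expected = self.pending.get(key)
        if expected is None or expected != (reply.qname, reply.qtype, reply.server_ip):
            return False
        del self.pending[key]
        self.cache[(reply.qname, reply.qtype)] = reply.answer
        return True


def blind_guess_success(attempts, id_bits=16, port_bits=0):
    """Probability that `attempts` forged replies hit the right (txid, port) pair."""
    space = 2 ** (id_bits + port_bits)
    return 1 - (1 - 1 / space) ** attempts


def demo():
    """One query, one forged reply with a wrong txid, then the genuine reply twice."""
    r = Resolver()
    auth = "198.51.100.53"  # constructed authoritative server address
    txid, port = r.send_query("farpoint.companyA.com", "A", auth)
    forged = DnsReply((txid + 1) % 65536, port, auth, "farpoint.companyA.com", "A", "203.0.113.66")
    genuine = DnsReply(txid, port, auth, "farpoint.companyA.com", "A", "192.0.2.80")
    return (r.receive(forged), r.receive(genuine), r.receive(genuine),
            r.cache.get(("farpoint.companyA.com", "A")))


if __name__ == "__main__":
    print(demo())
    print("65536 guesses, txid only:      %.3f" % blind_guess_success(65536))
    print("65536 guesses, txid + port:    %.6f" % blind_guess_success(65536, 16, 16))
```

The probabilities show why step 3 of the slide matters: with only a 16-bit transaction ID, a flood of 65536 forged replies during the window in which the real answer is delayed succeeds about 63% of the time, while adding a random source port pushes the same flood to roughly one chance in 65,000. DNSSEC, the slide's other preventive control, removes the guessing game entirely by validating the signature on the answer rather than its envelope.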
Insider Threat – Unpatched application
Insider Threat – Backdoor & Password crack
Insider Threat – Misuse of Admin privilege

Counter Measures
• Preventive: Proper patch updates, least user privilege, role based access
• Detective: IDS, file integrity monitors
• Compensative: Layered defense
Database Threats & Countermeasures

• Disparate attack vectors
• SQL Injection
• XSS Cross Site Scripting
• Buffer Overflow
• Top 5 process gaps
Database Attack Vectors & Vulnerabilities
SQL Injection – Attack Explained

1. SQL Injection is an attack method that targets the data residing in a database through the firewall that shields it.
2. It attempts to modify the parameters of a Web-based application in order to alter the SQL statements that are parsed to retrieve data from the database.
3. Enter the string as both user name and password in the frame on the right. This should get you logged in as a user (jake happens to be the first user in the table). This tells you that Jake is a user and it allows you to access his account.

Privilege Escalation using SQL injection
The GRANTEE parameter used in procedures of the SYS.DBMS_STREAMS_AUTH PL/SQL package is vulnerable to SQL injection. Exploitation of this vulnerability allows an attacker to execute arbitrary PL/SQL under the elevated privileges of the SYS user.

Counter Measures
• Preventive: Input validation / proper patch management
• Detective: Audit log monitoring of high privilege grants
• Compensative: Layered defence
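To show the vulnerable login query next to the input-validation countermeasure, here is an added Python/SQLite example; it is not the deck's demo application. The users table, the password values and the injected string are constructed for the example, and jake is the first user in the table as in the slide.

```python
import re
import sqlite3


def make_db():
    """Constructed in-memory users table; jake is the first row, as in the slide."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    # Plaintext passwords only to keep the example short; real systems store salted hashes.
    conn.executemany("INSERT INTO users (username, password) VALUES (?, ?)",
                     [("jake", "s3cret"), ("ann", "pa55word")])
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """The flawed pattern: user input is pasted into the SQL text, so quotes and
    operators in the input change the statement's meaning (step 2 of the slide)."""
    sql = (f"SELECT username FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


# Allowlist for the username field: the "input validation" countermeasure.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")


def login_hardened(conn, username, password):
    """Validate the shape of the input, then bind the values as parameters so the
    database never parses them as SQL."""
    if not USERNAME_RE.match(username):
        return None
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def demo():
    conn = make_db()
    injected = "' OR '1'='1"   # constructed tautology entered as both user name and password
    return {
        "vulnerable_with_injection": login_vulnerable(conn, injected, injected),
        "hardened_with_injection": login_hardened(conn, injected, injected),
        "hardened_valid_login": login_hardened(conn, "jake", "s3cret"),
        "hardened_wrong_password": login_hardened(conn, "jake", "wrong"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

In the vulnerable variant the pasted input turns the WHERE clause into a condition that is always true, so the first row (jake) is returned and the caller treats that as a successful login; the parameterized variant returns nothing for the same input. Parameter binding is the control that actually neutralizes the injection; the allowlist on top of it is the slide's input validation and also rejects the malformed input early, which is what an audit log would record.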
XSS – Cross Site Scripting Basics

Counter Measures
• Preventive: HTTP POST method, URL randomization
• Detective: IDS
• Compensative: Layered defence
Buffer Overflow – Concept Explained

Buffer overflow occurs when data is input or written beyond the allocated bounds of a buffer, array, or other object, causing a program crash or a vulnerability that hackers might exploit.

Examples:
1. The SYS.OLAPIMPL_T.ODCITABLESTART procedure in the SYS package, with Execute privilege, has a buffer overflow in Oracle 9iR1 and 9iR2.
2. EXECUTE privilege on DBMS_AQELM: Any Oracle database user with EXECUTE privilege on the package DBMS_AQELM can execute arbitrary code under the security context of the database server.
3. IBM Lotus Domino IMAP CRAM-MD5 buffer overflow: It is prone to a remote buffer-overflow vulnerability because it fails to properly bounds-check user-supplied data before copying it to an insufficiently sized memory buffer.

Counter Measures
• Preventive: Input validation / patch updates
• Detective: Log monitoring
• Compensative: Layered defence
Top 5 Database Security Process Gaps

• Poor privilege management
• Poor patch management
• Lack of SOD (segregation of duties)
• Insecure communication protocol – TNS listener / DB links
• Lack of an audit trigger on powerful grants
Network Threats & Countermeasures

• Network re-direction
• ARP cache poisoning
• Connection hijacking
• SYN flooding
• Denial of Service
• Distributed Denial of Service
Network Re-direction

1. A port redirection attack is a trust exploitation-based attack that uses a compromised host to pass traffic through a firewall that the firewall would otherwise drop.

2. As an example, the diagram shows a firewall with three interfaces: Inside, Outside, and DMZ, with Host A on the DMZ interface. A host located on the outside interface can reach Host A, but cannot reach the host on the inside, Host B. Host A can reach both the host on the outside and Host B.

3. If a hacker can compromise Host A, the hacker can install software on the DMZ host that redirects traffic from the outside host directly to the inside host (Host B). Although neither communication violates the rules implemented in the firewall, the outside host now has connectivity to the inside host through the port redirection process on the DMZ host.

Counter Measures
• Preventive: HIPS, proper trust model and restricted services
• Detective: Log monitoring
• Compensative: Layered defence
ARP - Poisoning

1. In normal operation the computers on the LAN use the ARP protocol to acquire and memorize each other's NIC MAC address, which they use for sending network data to each other.

2. But the ARP protocol provides no protection against misuse. An attacking computer on the same LAN can simply send spoofed ARP Replies to any other computers, telling them that its MAC address should receive the traffic bound for other IP addresses.

3. This "ARP Cache Poisoning" can be used to redirect traffic throughout the LAN, allowing any malicious computer to insert itself into the communications stream between any other computers for the purpose of monitoring and even altering the data flowing across the LAN.

Counter Measures
• Preventive: Use static IP-to-MAC (ARP) entries, pushed by a batch script during login
• Detective: ARP inspection
• Compensative: Layered defense
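The "ARP inspection" detective control can be shown with an added Python example that is not from the deck: it checks observed ARP replies against a trusted IP-to-MAC binding table, the way a switch's dynamic ARP inspection checks them against DHCP snooping bindings, and also flags the passive anomalies an ARP watcher would report (an IP whose MAC changes, one MAC claiming several IPs). The binding table, MAC addresses and reply sequence are all constructed.

```python
from collections import defaultdict

# Constructed trusted bindings, e.g. what a switch learns from DHCP snooping.
TRUSTED_BINDINGS = {
    "10.0.0.1": "00:11:22:33:44:01",   # default gateway
    "10.0.0.5": "00:11:22:33:44:05",
    "10.0.0.6": "00:11:22:33:44:06",
}

# Constructed ARP reply observations: (sequence number, sender IP, sender MAC).
ARP_REPLIES = [
    (1, "10.0.0.1", "00:11:22:33:44:01"),   # gateway answers normally
    (2, "10.0.0.6", "00:11:22:33:44:06"),   # another host answers normally
    (3, "10.0.0.1", "de:ad:be:ef:00:99"),   # a different MAC now claims the gateway's IP
    (4, "10.0.0.5", "de:ad:be:ef:00:99"),   # the same MAC also claims 10.0.0.5
    (5, "10.0.0.7", "00:11:22:33:44:07"),   # an IP with no binding at all
]


def inspect_arp(replies, bindings, max_ips_per_mac=1):
    """Return (seq, kind, ip, mac) alerts for replies that fail inspection.

    kinds:
      binding-mismatch          sender MAC differs from the trusted binding for that IP
      unknown-binding           no trusted binding exists for the sender IP
      mac-changed               the IP was previously seen with another MAC (passive view)
      mac-claims-multiple-ips   one MAC has now answered for more than max_ips_per_mac IPs
    """
    alerts = []
    first_seen = {}                 # ip -> mac first observed
    ips_by_mac = defaultdict(set)   # mac -> set of IPs it has claimed
    for seq, ip, mac in replies:
        ips_by_mac[mac].add(ip)
        expected = bindings.get(ip)
        if expected is None:
            alerts.append((seq, "unknown-binding", ip, mac))
        elif expected != mac:
            alerts.append((seq, "binding-mismatch", ip, mac))
        if ip in first_seen and first_seen[ip] != mac:
            alerts.append((seq, "mac-changed", ip, mac))
        first_seen.setdefault(ip, mac)
        if len(ips_by_mac[mac]) > max_ips_per_mac:
            alerts.append((seq, "mac-claims-multiple-ips", ip, mac))
    return alerts


if __name__ == "__main__":
    for seq, kind, ip, mac in inspect_arp(ARP_REPLIES, TRUSTED_BINDINGS):
        print(f"reply {seq}: {kind:<24} {ip} claimed by {mac}")
```

Replies 3 and 4 are the pattern of step 2 above: one MAC answering for both the gateway and a host, which is what places it between the two. The binding check is the authoritative one; the passive "mac-changed" and "multiple IPs" checks still work where no binding table exists, at the cost of false positives on hosts that legitimately change NICs or run multiple addresses.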
Connection Hijacking

1. The attacker examines the traffic flows with a network monitor and notices traffic from Employee X to a web server.
2. The web server returns or echoes data back to the origination station (Employee X).
3. Employee X acknowledges the packet.
4. The cracker launches a spoofed packet to the server.
5. The web server responds to the cracker. The cracker starts verifying SEQ/ACK numbers to double-check success. At this time, the cracker takes over the session from Employee X, which results in a session hanging for Employee X.
6. The cracker can start sending traffic to the web server.
7. The web server returns the requested data to confirm delivery with the correct ACK number.
8. The cracker can continue to send data (keeping track of the correct SEQ/ACK numbers) until eventually setting the FIN flag to terminate the connection.

Counter Measures
• Preventive: Anti-spoofing
• Detective: Log monitoring
• Compensative: Layered defense
SYN Flooding

Counter Measures
• Preventive: Effective ingress filters
• Detective: IDS
• Compensative: Layered defense
DoS & DDoS

A denial-of-service attack (DoS attack) or distributed denial-of-service attack (DDoS attack) is an attempt to make a computer resource unavailable to its intended users.

Counter Measures
• Preventive: Threshold / rate limiting / peak flow
• Detective: IDS / SIEM
• Compensative: HA / load balancers
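For the threshold / rate-limiting countermeasure, a per-source token bucket is the usual building block. The example below is added here and is not from the deck: each source gets a bucket with a fixed capacity that refills at a steady rate, a burst beyond the capacity is dropped, and a well-behaved source is untouched. The request stream, capacity and refill rate are constructed.

```python
from collections import defaultdict


class TokenBucket:
    """Allow up to `capacity` requests at once, then `refill_per_second` sustained."""

    def __init__(self, capacity, refill_per_second):
        self.capacity = capacity
        self.refill = refill_per_second
        self.tokens = float(capacity)
        self.last = None

    def allow(self, now):
        """Refill for the elapsed time, then spend one token if one is available."""
        if self.last is None:
            self.last = now
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.refill)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


# Constructed request stream: (timestamp in seconds, source IP).
# 203.0.113.9 sends two bursts of ten with a quiet spell between them;
# 198.51.100.4 sends one request per second.
REQUESTS = (
    [(0, "203.0.113.9")] * 10
    + [(t, "203.0.113.9") for t in range(1, 6)]
    + [(6, "203.0.113.9")] * 10
    + [(t, "198.51.100.4") for t in range(0, 7)]
)


def apply_rate_limit(requests, capacity=5, refill_per_second=1.0):
    """Run every request through its source's bucket; return per-source counts."""
    buckets = defaultdict(lambda: TokenBucket(capacity, refill_per_second))
    stats = defaultdict(lambda: {"allowed": 0, "dropped": 0})
    for ts, src in sorted(requests, key=lambda r: r[0]):
        verdict = "allowed" if buckets[src].allow(ts) else "dropped"
        stats[src][verdict] += 1
    return dict(stats)


if __name__ == "__main__":
    for src, counts in apply_rate_limit(REQUESTS).items():
        print(f"{src}: {counts['allowed']} allowed, {counts['dropped']} dropped")
```

With capacity 5 and one token per second, the bursting source gets 5 of its first 10 requests through, one per second during the quiet spell, and 1 of the second burst of 10, while the steady source is never dropped. A per-source limit like this blunts a single-origin DoS; against a distributed flood the per-source counters stay under threshold, which is why the slide pairs rate limiting with upstream peak-flow controls and the compensating load balancers.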
Layered defense

Infrastructure        Layers of Defense
Network               • Multi vendor firewall
                      • Intrusion Detection System
                      • Monitoring & management
                      • Log review
System                • Computing environments
                      • Server build check
                      • Log reviews
Desktop/End Point     • Desktop applications
                      • End point security
User Access           • User access requests
                      • Multiple applications
                      • Diversified technology

Security Tools
• RSA enVision
• ArcSight
• LogLogic
• McAfee Suite
• Symantec Suite
• Trend Micro
• CIS – Benchmark audit tools
• WebSense
• Blue Coat
• TippingPoint
• FoundStone
• QualysGuard
• AppScan
IT Infrastructure Security

IT Infrastructure Security

  • 2. Agenda
    o Basics – Information Security
    o Infra Security Threats
    o Systems Threats & Countermeasures
    o Database Threats & Countermeasures
    o Network Threats & Countermeasures
    o Layered defense
    o Questions
  • 3. Basics – Information Security
    Information architecture: Data lifecycle, Data flow, Data storage
    Information classification: Private, Public, Confidential
    Information assets: People, Process, Technology
  • 4. Infra - Security Threats
    Virus: A program or piece of code that is loaded onto your computer without your knowledge and runs against your wishes.
    Trojan Horse: A destructive program that masquerades as a benign application. Unlike viruses, Trojan horses do not replicate themselves.
    Worm: A program or algorithm that replicates itself over a computer network and usually performs malicious actions.
  • 5. Infra - Security Threats - Contd
    Adware is considered a legitimate alternative offered to consumers who do not wish to pay for software. Programs, games or utilities can be designed and distributed as freeware.
    Spyware is considered a malicious program and is similar to a Trojan horse in that users unwittingly install the product when they install something else.
    Malware, short for malicious software, consists of programming (code, scripts, active content, and other software) designed to disrupt or deny operation, gather information that leads to loss of privacy or exploitation, gain unauthorized access to system resources, and other abusive behaviour.
    Rootkit is software that enables continued privileged access to a computer while actively hiding its presence from administrators by subverting standard operating system functionality or other applications.
  • 6. System Threats & Countermeasures
    • SMB relay – MITM
    • FTP bouncing
    • DNS Cache Poisoning
    • Insider threat – Windows environment
  • 7. SMB Relay Attack - Explained
    An SMB Relay attack is a type of man-in-the-middle attack where the attacker asks the victim to authenticate to a machine controlled by the attacker, then relays the credentials to the target. The attacker forwards the authentication information both ways, giving him access.
    Here are the players in this scenario:
    • The attacker is the person trying to break into the target
    • The victim is the person who has the credentials
    • The target is the system the attacker wants access to, and that the victim has credentials for
    And here's the scenario (see the image at the right for a diagram):
    1. Attacker tricks the victim into connecting to him
    2. Attacker establishes connection to the target, receives the 8-byte challenge
    3. Attacker sends the 8-byte challenge to victim
    4. Victim responds to the attacker with the password hash
    5. Attacker responds to the target's challenge with the victim's hash
    6. Target grants access to attacker
    Counter Measures
    • Preventive : Signed SMBs (NTLM V2)
    • Detective : Log monitoring – TCP 139 445 transactions
    • Compensative : Layered defence
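The detective control above (watching TCP 139/445 transactions) can be turned into a concrete check. The following is an added example, not part of the deck: it scans constructed flow records for a host that accepts an inbound SMB connection and, within seconds, opens its own SMB connection elsewhere, which is how a relay in the scenario looks from the network. The sample flows, the port set and the list of known SMB servers are all assumed.

```python
import datetime as dt
from collections import defaultdict

# Constructed sample flow records, not from the deck: "timestamp src dst dport".
# 10.0.0.77 accepts an SMB connection from 10.0.0.5 and, a second later,
# opens its own SMB connection to the file server 10.0.0.10.
SAMPLE_FLOWS = """\
2024-01-01T10:00:00 10.0.0.5 10.0.0.77 445
2024-01-01T10:00:01 10.0.0.77 10.0.0.10 445
2024-01-01T10:05:00 10.0.0.6 10.0.0.10 445
2024-01-01T10:06:00 10.0.0.10 10.0.0.20 139
"""

SMB_PORTS = {139, 445}
# Assumed asset inventory: hosts that are expected to talk SMB server-to-server.
KNOWN_SMB_SERVERS = {"10.0.0.10", "10.0.0.20"}


def parse_flows(text):
    """Parse 'timestamp src dst dport' lines into (time, src, dst, port) tuples."""
    flows = []
    for line in text.splitlines():
        ts, src, dst, port = line.split()
        flows.append((dt.datetime.fromisoformat(ts), src, dst, int(port)))
    return flows


def find_relay_candidates(flows, window_seconds=30):
    """Return (middle_host, victim, target) triples.

    A relay shows up in connection logs as a host that is not a known SMB
    server accepting an inbound SMB connection and, within the window,
    opening an outbound SMB connection to a different host.
    """
    smb = [f for f in flows if f[3] in SMB_PORTS]
    inbound = defaultdict(list)  # dst -> [(time, src)]
    for ts, src, dst, _ in smb:
        inbound[dst].append((ts, src))
    hits = []
    for ts, src, dst, _ in smb:
        if src in KNOWN_SMB_SERVERS:
            continue
        for in_ts, victim in inbound.get(src, []):
            delta = (ts - in_ts).total_seconds()
            if 0 <= delta <= window_seconds and victim != dst:
                hits.append((src, victim, dst))
    return hits


if __name__ == "__main__":
    for hit in find_relay_candidates(parse_flows(SAMPLE_FLOWS)):
        print("possible SMB relay: %s relayed %s -> %s" % hit)
```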
  • 8. FTP Bouncing - Explained
    Diagram: An open port completes the transfer over the specified connection. A closed port will result in the FTP server informing the source station that the FTP server can't build the connection.
    1. It is a fact that printers are usually installed with all the settings by default. This includes having the default administration password (if any), default administrative interfaces enabled, default services running, default SNMP community string, etc.
    2. It is interesting to note that some printers run an anonymous FTP server that users (and processes) can use to print documents. A user can upload a document to the FTP server running on the printer and it will be printed. Things get worse when you discover that the FTP server supports the PORT command.
    3. The PORT command is sent by the FTP client to establish a secondary channel for data to travel over. This command can be abused by an attacker to network scan other hosts on your network, as shown in the next
    Counter Measures
    • Preventive : Deny FTP Passive, Avoid FTP arbitrary connections
    • Detective : IDS Log monitoring
    • Compensative : Layered defense
  • 9. DNS Cache Poisoning
    DNS cache poisoning is a maliciously created or unintended situation that provides data to a Domain Name Server that did not originate from authoritative DNS sources.
  • 10. DNS Cache Poisoning - Explained
    1. A request is sent to the authoritative server for companyA.com. This is identical to the standard process for an iterative query – with one exception.
    2. A cracker has decided to poison the internal DNS server's cache. In order to intercept a query and return malicious information, the cracker must know the transaction ID. Once the transaction ID is known, the attacker's DNS server can respond as the authoritative server for companyA.com. Although this would be a simple matter with older DNS software (e.g. BIND 4 and earlier), newer DNS systems have built-in safeguards. In our example, the transaction ID used to identify each query instance is randomized. But figuring out the transaction ID is not impossible.
    3. All that's required is time. To slow the response of the real authoritative server, the cracker uses a botnet to initiate a Denial of Service (DoS) attack. While the authoritative server struggles to deal with the attack, the attacker's DNS server has time to determine the transaction ID.
    4. Once the ID is determined, a query response is sent to the internal DNS server. But the IP address for farpoint.companyA.com in the response is actually the IP address of the attacker's site. The response is placed into the server's cache.
    Counter Measures
    • Preventive : Latest version of DNS software (BIND 9.3, Win 2003), DNSSEC
    • Detective : IDS log analysis
    • Compensative : Layered defense
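To make the "built-in safeguards" of step 2 concrete, here is an added example (not from the deck) modelling what a caching resolver checks before it accepts a reply for farpoint.companyA.com into its cache. Beyond the randomized transaction ID the slide names, it also randomizes the query's source port and requires the answer to stay inside the zone asked (bailiwick), both standard resolver safeguards; the class and function names are assumed.

```python
import secrets

# Added example, not from the deck; all names are assumed.
# Models the state a caching resolver keeps for an outstanding query and the
# checks it applies before accepting a reply into its cache.
TXID_SPACE = 1 << 16            # 16-bit DNS transaction ID
PORT_SPACE = 65535 - 1024 + 1   # ephemeral source ports 1024..65535


class PendingQueries:
    def __init__(self):
        self._pending = {}  # (txid, src_port) -> (qname, zone)

    def send(self, qname, zone):
        """Record an outgoing query with a random ID and random source port."""
        txid = secrets.randbelow(TXID_SPACE)
        sport = 1024 + secrets.randbelow(PORT_SPACE)
        self._pending[(txid, sport)] = (qname, zone)
        return txid, sport

    def validate_response(self, txid, dst_port, qname, answer_name):
        """Return (accepted, reason). A reply is cached only if its ID and
        destination port match a pending query, it repeats the question, and
        the answered name lies inside the zone that was asked (bailiwick)."""
        key = (txid, dst_port)
        if key not in self._pending:
            return False, "no pending query with this txid/port"
        exp_qname, zone = self._pending[key]
        if qname != exp_qname:
            return False, "question section does not match"
        if answer_name != zone and not answer_name.endswith("." + zone):
            return False, "answer is out of bailiwick for " + zone
        del self._pending[key]  # one reply per query; later copies are dropped
        return True, "accepted"


def forgery_search_space(randomized_port):
    """How many (txid, port) combinations an off-path forger must cover.

    With only the txid randomized the space is 2^16; randomizing the source
    port as well multiplies it by the number of ephemeral ports, which is
    why "all that's required is time" becomes much more time."""
    return TXID_SPACE * (PORT_SPACE if randomized_port else 1)
```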
  • 11. Insider Threat – Unpatched application
  • 12. Insider Threat – Backdoor & Password crack
  • 13. Insider Threat – Misuse of Admin privilege
    Counter Measures
    • Preventive : Proper Patch updates, Least user privilege, Role based access
    • Detective : IDS, File integrity monitors
    • Compensative : Layered defense
  • 14. Database Threats & Countermeasures
    • Disparate Attack vectors
    • SQL Injection
    • XSS Cross Site Scripting
    • Buffer Overflow
    • Top 5 Process Gaps
  • 15. Database Attack Vectors & Vulnerabilities
  • 16. SQL Injection – Attack Explained
    1. SQL Injection is an attack method that targets the data residing in a database through the firewall that shields it.
    2. It attempts to modify the parameters of a Web-based application in order to alter the SQL statements that are parsed to retrieve data from the database.
    3. Enter the string as both user name and password in the frame on the right. This should get you logged in as a user (jake happens to be the first user in the table). This tells you that Jake is a user and it allows you to access his account.
    Privilege Escalation using SQL injection
    The GRANTEE parameter used in procedures of the SYS.DBMS_STREAMS_AUTH PL/SQL package is vulnerable to SQL injection. Exploitation of this vulnerability allows an attacker to execute arbitrary PL/SQL under the elevated privileges of the SYS user.
    Counter Measures
    • Preventive : Input Validation / Proper Patch management
    • Detective : Audit log monitoring of high privilege grants
    • Compensative : Layered defence
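The login scenario in step 3 (the first user in the table, jake, gets logged in) comes down to how the query is built. The following added example, not code from the deck, puts the flawed string-spliced query next to the parameterized form that the "Input Validation" countermeasure implies; the users table and the tautology string are constructed for the demonstration.

```python
import sqlite3

# Added example, not from the deck. Constructed users table in which "jake"
# is deliberately the first row, as in the slide's scenario.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("jake", "s3cret"), ("alice", "hunter2")])
    return conn


def login_vulnerable(conn, username, password):
    """The flawed pattern: user input spliced into the SQL text, so quotes
    in the input change the statement's structure instead of being data."""
    sql = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Hardened form: bound parameters keep the input as data, so the same
    string is compared literally and matches no row."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password)).fetchone()
    return row[0] if row else None


# Constructed test input: a tautology typed into both fields, the kind of
# string the slide refers to. In the spliced query the WHERE clause becomes
# always-true, so the first row (jake) is returned.
TAUTOLOGY = "' OR '1'='1"
```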
  • 17. XSS – Cross Site Scripting Basics
    Counter Measures
    • Preventive : HTTP Post method, URL randomization
    • Detective : IDS
    • Compensative : Layered Defence
  • 18. Buffer Overflow – Concept Explained
    Buffer overflow occurs when data is input or written beyond the allocated bounds of a buffer, array, or other object, causing a program crash or a vulnerability that hackers might exploit.
    1. The SYS.OLAPIMPL_T.ODCITABLESTART procedure in the SYS package with EXECUTE privilege has a buffer overflow in Oracle 9iR1 and 9iR2.
    2. EXECUTE privilege on DBMS_AQELM: Any Oracle database user with EXECUTE privilege on the package DBMS_AQELM can execute arbitrary code under the security context of the database server.
    3. IBM Lotus Domino IMAP CRAM-MD5 Buffer Overflow: It is prone to a remote buffer-overflow vulnerability because it fails to properly bounds-check user-supplied data before copying it to an insufficiently sized memory buffer.
    Counter Measures
    • Preventive : Input Validation / Patch updates
    • Detective : Log monitoring
    • Compensative : Layered defence
  • 19. Top 5 Database Security Process Gaps
    • Poor Privilege management
    • Poor Patch Management
    • Lack of SOD
    • Insecure communication protocol – TNS listener/DB links
    • Lack of powerful grants audit trigger
  • 20. Network Threats & Countermeasures
    • Network Re-direction
    • Arp-Cache poisoning
    • Connection Hijacking
    • SYN flooding
    • Denial of Services
    • Distributed Denial of Services
  • 21. Network Re-direction
    1. A port redirection attack is a trust exploitation-based attack that uses a compromised host to pass traffic through a firewall that the firewall would otherwise drop.
    2. As an example, the diagram shows a firewall with three interfaces: Inside, Outside, and DMZ, with Host A on the DMZ interface. A host located on the outside interface can reach Host A, but cannot reach the host on the inside, Host B. Host A can reach both the host on the outside and Host B.
    3. If a hacker can compromise Host A, the hacker can install software on the DMZ host that redirects traffic from the outside host directly to the inside host (Host B). Although neither communication violates the rules implemented in the firewall, the outside host now has connectivity to the inside host through the port redirection process on the DMZ host.
    Counter Measures
    • Preventive : HIPS, Proper Trust model and restricted services
    • Detective : Log monitoring
    • Compensative : Layered defence
  • 22. ARP - Poisoning
    1. In normal operation the computers on the LAN use the ARP protocol to acquire and memorize each other's NIC MAC address, which they use for sending network data to each other.
    2. But the ARP protocol provides no protection against misuse. An attacking computer on the same LAN can simply send spoofed ARP Replies to any other computers, telling them that its MAC address should receive the traffic bound for other IP addresses.
    3. This "ARP Cache Poisoning" can be used to redirect traffic throughout the LAN, allowing any malicious computer to insert itself into the communications stream between any other computers for the purpose of monitoring and even altering the data flowing across the LAN.
    Counter Measures
    • Preventive : Use Static IP entries using batch script during login
    • Detective : Arp inspection
    • Compensative : Layered defense
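The "Arp inspection" detective control can be expressed as a few checks over observed ARP replies. This is an added example, not from the deck: it compares each reply against a trusted binding list (the static entries the slide recommends), flags an IP whose MAC changes mid-capture, and flags one MAC announcing itself for several IPs. The sample replies and the trusted table are constructed.

```python
from collections import defaultdict

# Added example, not from the deck. Constructed observations of ARP replies
# seen on a LAN segment: "time sender_ip sender_mac". The gateway 10.0.0.1 is
# later announced with the MAC of the workstation 10.0.0.50.
SAMPLE_ARP = """\
10:00:00 10.0.0.1 aa:aa:aa:aa:aa:01
10:00:05 10.0.0.50 cc:cc:cc:cc:cc:50
10:01:00 10.0.0.1 cc:cc:cc:cc:cc:50
10:01:02 10.0.0.50 cc:cc:cc:cc:cc:50
"""

# Assumed trusted bindings, e.g. the static entries the slide recommends.
TRUSTED = {"10.0.0.1": "aa:aa:aa:aa:aa:01"}


def inspect_arp(text, trusted=TRUSTED):
    """Return alerts as (time, kind, ip, mac) tuples.

    Three checks: a reply contradicting a trusted binding, an IP whose MAC
    changes during the capture, and one MAC announcing itself for more than
    one IP (reported once per MAC so a steady stream does not flood alerts)."""
    seen = {}                      # ip -> last mac announced for it
    ips_by_mac = defaultdict(set)  # mac -> ips it has claimed
    flagged_macs = set()
    alerts = []
    for line in text.splitlines():
        ts, ip, mac = line.split()
        mac = mac.lower()
        if ip in trusted and trusted[ip] != mac:
            alerts.append((ts, "trusted-binding-violation", ip, mac))
        if ip in seen and seen[ip] != mac:
            alerts.append((ts, "binding-changed", ip, mac))
        seen[ip] = mac
        ips_by_mac[mac].add(ip)
        if len(ips_by_mac[mac]) > 1 and mac not in flagged_macs:
            flagged_macs.add(mac)
            alerts.append((ts, "mac-claims-multiple-ips", ip, mac))
    return alerts


if __name__ == "__main__":
    for alert in inspect_arp(SAMPLE_ARP):
        print("%s %s ip=%s mac=%s" % alert)
```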
  • 23. Connection Hijacking
    1. The attacker examines the traffic flows with a network monitor and notices traffic from Employee X to a web server.
    2. The web server returns or echoes data back to the origination station (Employee X).
    3. Employee X acknowledges the packet.
    4. The cracker launches a spoofed packet to the server.
    5. The web server responds to the cracker. The cracker starts verifying SEQ/ACK numbers to double-check success. At this time, the cracker takes over the session from Employee X, which results in a session hanging for Employee X.
    6. The cracker can start sending traffic to the web server.
    7. The web server returns the requested data to confirm delivery with the correct ACK number.
    8. The cracker can continue to send data (keeping track of the correct SEQ/ACK numbers) until eventually setting the FIN flag to terminate the connection.
    Counter Measures
    • Preventive : Anti-Spoofing
    • Detective : Log monitoring
    • Compensative : Layered defense
  • 24. Syn - Flooding
    Counter Measures
    • Preventive : Effective Ingress filters
    • Detective : IDS
    • Compensative : Layered defense
  • 25. DOS & DDOS
    A denial-of-service attack (DoS attack) or distributed denial-of-service attack (DDoS attack) is an attempt to make a computer resource unavailable to its intended users.
    Counter Measures
    • Preventive : Threshold/Rate limiting/Peak flow
    • Detective : IDS/SIEM
    • Compensative : HA/Load balancers
  • 26. Layered defense
    Infrastructure / Layers of Defense
    • Network: Multi Vendor Firewall, Intrusion Detection System, Monitoring & Management, Log Review
    • System: Computing Environments, Server Build Check, Log Reviews
    • Desktop/End Point: Desktop Applications, End point Security
    • User Access: User Access Requests, Multiple Applications, Diversified Technology
    Security Tools
    • RSA enVision, Arc Sight, Log Logic, McAfee Suite, Symantec Suite, Trend Micro, CIS – Bench Mark Audit tools, WebSense, Blue Coat, Tipping Point, FoundStone, Qualysguard, AppScan