1. IT Infrastructure Security
2. Agenda
o Basics – Information Security
o Infra Security Threats
o Systems Threats & Countermeasures
o Database Threats & Countermeasures
o Network Threats & Countermeasures
o Layered defense
o Questions
3. Basics – Information Security
Information architecture    Information classification    Information assets
Data lifecycle              Private                       People
Data flow                   Public                        Process
Data storage                Confidential                  Technology
4. Infra - Security Threats
Virus: A program or piece of code that is loaded onto your computer without your knowledge and runs against your wishes.
Trojan horse: A destructive program that masquerades as a benign application. Unlike viruses, Trojan horses do not replicate themselves.
Worm: A program or algorithm that replicates itself over a computer network and usually performs malicious actions.
5. Infra- Security Threats - Contd
Adware is considered a legitimate alternative offered to consumers who do not wish to pay for software. Programs, games or utilities can be designed and distributed as freeware.
Spyware is considered a malicious program and is similar to a Trojan horse in that users unwittingly install the product when they install something else.
Malware, the short form of malicious software, consists of programming (code, scripts, active content, and other software) designed to disrupt or deny operation, gather information that leads to loss of privacy or exploitation, gain unauthorized access to system resources, and other abusive behaviour.
Rootkit is software that enables continued privileged access to a computer while actively hiding its presence from administrators by subverting standard operating system functionality or other applications.
6. System Threats & Countermeasures
SMB relay – MITM
FTP bouncing
DNS Cache Poisoning
Insider threat – Windows environment
7. SMB Relay Attack - Explained
An SMB Relay attack is a type of man-in-the-middle attack where the attacker asks the victim to authenticate to a machine controlled by the attacker, then relays the credentials to the target. The attacker forwards the authentication information both ways, giving him access.
Here are the players in this scenario:
• The attacker is the person trying to break into the target
• The victim is the person who has the credentials
• The target is the system the attacker wants access to, and that the victim has credentials for
And here's the scenario (see the image at the right for a diagram):
1. Attacker tricks the victim into connecting to him
2. Attacker establishes connection to the target, receives the 8-byte challenge
3. Attacker sends the 8-byte challenge to victim
4. Victim responds to the attacker with the password hash
5. Attacker responds to the target's challenge with the victim's hash
6. Target grants access to attacker
Counter Measures
• Preventive : Signed SMBs (NTLM V2)
• Detective : Log monitoring – TCP 139/445 transactions
• Compensative : Layered defence
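The detective control above (monitoring TCP 139/445 transactions) can be turned into a concrete rule: a host that accepts an SMB connection from one machine and, moments later, opens its own SMB connection to a third machine is behaving like the relay in step 2 of the scenario. The following is an added example, not code from the slide deck; the log format ("timestamp src dst dport") and the sample lines are constructed for illustration, and the 30-second window is an assumed tuning value.

```python
from collections import namedtuple
from datetime import datetime, timedelta

SMB_PORTS = {139, 445}

Conn = namedtuple("Conn", "ts src dst dport")

# Constructed connection-log lines (not from the page): "timestamp src dst dport".
# 10.0.0.5 authenticates to 10.0.0.99, which immediately opens SMB to 10.0.0.20.
SAMPLE_LOG = """\
2024-01-10T09:00:01 10.0.0.5 10.0.0.99 445
2024-01-10T09:00:02 10.0.0.99 10.0.0.20 445
2024-01-10T09:05:00 10.0.0.7 10.0.0.20 445
2024-01-10T09:06:00 10.0.0.20 10.0.0.7 139
"""


def parse_log(text):
    """Parse the constructed log format into Conn records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = line.split()
        events.append(Conn(datetime.fromisoformat(ts), src, dst, int(dport)))
    return events


def find_relay_candidates(events, window=timedelta(seconds=30)):
    """Return (middle, victim, target) triples where `middle` accepted SMB from
    `victim` and then initiated SMB to a different host `target` within `window`.
    A legitimate file server rarely needs to do this; a relay host always does."""
    smb = sorted((e for e in events if e.dport in SMB_PORTS), key=lambda e: e.ts)
    hits = []
    for inbound in smb:
        middle, victim = inbound.dst, inbound.src
        for outbound in smb:
            if (outbound.src == middle
                    and outbound.dst not in (victim, middle)
                    and inbound.ts <= outbound.ts <= inbound.ts + window):
                hits.append((middle, victim, outbound.dst))
    return hits


if __name__ == "__main__":
    for middle, victim, target in find_relay_candidates(parse_log(SAMPLE_LOG)):
        print(f"possible SMB relay: {middle} took auth from {victim}, then reached {target}")
```

On the sample data only the first pair of lines is flagged: the 09:05/09:06 exchange between 10.0.0.7 and 10.0.0.20 is a normal request and reply, because the second connection goes back to the original peer rather than to a third host. In production the same rule is better expressed over authentication events (NTLM logons) than raw connections, but the shape of the check is the same.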
8. FTP Bouncing - Explained
1. It is a fact that printers are usually installed with all the settings by default. This includes having the default administration password (if any), default administrative interfaces enabled, default services running, default SNMP community string, etc.
2. It is interesting to note that some printers run an anonymous FTP server that users (and processes) can use to print documents. A user can upload a document to the FTP server running on the printer and it will be printed. Things get worse when you discover that the FTP server supports the PORT command.
3. The PORT command is sent by the FTP client to establish a secondary channel for data to travel over. This command can be abused by an attacker to scan other hosts on your network, as shown in the next
An open port completes the transfer over the specified connection.
A closed port will result in the FTP server informing the source station that the FTP server can't build the connection.
Counter Measures
• Preventive : Deny FTP Passive, Avoid FTP arbitrary connections.
• Detective : IDS Log monitoring
• Compensative : Layered defense
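The preventive control "avoid FTP arbitrary connections" comes down to one server-side rule: the address a client supplies in PORT must be the client's own address. The following added example (not code from the slides) shows how the PORT argument encodes an IP and port, and the check an FTP server should apply before opening the data connection. The function names and the sample addresses are constructed for illustration.

```python
def parse_port_command(arg):
    """Decode the FTP PORT argument 'h1,h2,h3,h4,p1,p2' into (ip, port).
    The port is carried as two bytes: p1 * 256 + p2."""
    parts = arg.split(",")
    if len(parts) != 6:
        raise ValueError("PORT needs six comma-separated numbers")
    nums = [int(p) for p in parts]
    if any(n < 0 or n > 255 for n in nums):
        raise ValueError("each PORT field must be 0-255")
    ip = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]
    return ip, port


def port_allowed(control_peer_ip, arg):
    """Server-side bounce protection: accept PORT only when it points back at the
    host that owns the control connection, on an unprivileged port.
    Anything else would make the server connect to a third party on the
    client's behalf, which is exactly the scan described above."""
    try:
        ip, port = parse_port_command(arg)
    except ValueError:
        return False
    if ip != control_peer_ip:
        return False          # data connection would go to a different host
    if port < 1024:
        return False          # would probe well-known services on the client itself
    return True


if __name__ == "__main__":
    # Constructed examples: the client on 192.0.2.10 issues three PORT commands.
    for arg in ("192,0,2,10,4,1", "10,0,0,5,0,22", "192,0,2,10,0,80"):
        print(arg, "->", parse_port_command(arg), "allowed" if port_allowed("192.0.2.10", arg) else "rejected")
```

The first command is a normal active-mode transfer back to the client on port 1025 and is accepted; the second asks the server to connect to an internal host on port 22 and the third to port 80, and both are refused. Disabling active mode entirely (PORT and EPRT) is the simpler option when passive transfers are acceptable.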
9. DNS Cache Poisoning
DNS cache poisoning is a maliciously created or unintended
situation that provides data to a Domain Name Server that
did not originate from authoritative DNS sources
10. DNS Cache Poisoning - Explained
1. A request is sent to the authoritative server for companyA.com. This is identical to the standard process for an iterative query – with one exception.
2. A cracker has decided to poison the internal DNS server's cache. In order to intercept a query and return malicious information, the cracker must know the transaction ID. Once the transaction ID is known, the attacker's DNS server can respond as the authoritative server for companyA.com. Although this would be a simple matter with older DNS software (e.g. BIND 4 and earlier), newer DNS systems have built-in safeguards. In our example, the transaction ID used to identify each query instance is randomized. But figuring out the transaction ID is not impossible.
3. All that's required is time. To slow the response of the real authoritative server, the cracker uses a botnet to initiate a Denial of Service (DoS) attack. While the authoritative server struggles to deal with the attack, the attacker's DNS server has time to determine the transaction ID.
4. Once the ID is determined, a query response is sent to the internal DNS server. But the IP address for farpoint.companyA.com in the response is actually the IP address of the attacker's site. The response is placed into the server's cache.
Counter Measures
• Preventive : Latest version of DNS software (BIND 9.3, Win 2003), DNSSEC
• Detective : IDS log analysis
• Compensative : Layered defense
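The reason a randomized transaction ID is only a partial safeguard is that it is a 16-bit value: a forged reply needs to match it, but nothing else, unless the resolver also checks the source port and the question. The following added example (not code from the slides or from any DNS implementation) models the resolver-side acceptance test that newer software applies, with the transaction ID and the UDP source port both randomized. The data-class shape, the response dictionary and the sample values are constructed for illustration.

```python
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class PendingQuery:
    txid: int        # 16-bit DNS transaction ID
    src_port: int    # ephemeral UDP source port the query left from
    qname: str
    qtype: str
    server: str      # authoritative server the query was sent to


def new_query(qname, qtype, server):
    """Issue a query with a random 16-bit ID and a random ephemeral source port."""
    txid = secrets.randbelow(1 << 16)
    src_port = 1024 + secrets.randbelow(65536 - 1024)
    return PendingQuery(txid, src_port, qname, qtype, server)


def match_response(pending, resp):
    """Return the pending query a reply belongs to, or None if the reply must be
    dropped.  `resp` is a constructed dict with keys txid, dst_port, qname,
    qtype and src_ip.  A spoofed reply has to get every field right; a reply
    that arrives after the real one finds nothing pending and is discarded."""
    for q in pending:
        if (q.txid == resp["txid"]
                and q.src_port == resp["dst_port"]
                and q.qname.lower() == resp["qname"].lower()
                and q.qtype == resp["qtype"]
                and q.server == resp["src_ip"]):
            return q
    return None


def guess_space(randomize_port):
    """Number of (txid, port) combinations a blind spoofer must cover for one query."""
    return (1 << 16) * ((65536 - 1024) if randomize_port else 1)


if __name__ == "__main__":
    q = new_query("farpoint.companyA.com", "A", "198.51.100.1")   # constructed server IP
    pending = {q}
    forged = {"txid": (q.txid + 1) & 0xFFFF, "dst_port": q.src_port,
              "qname": "farpoint.companyA.com", "qtype": "A", "src_ip": "198.51.100.1"}
    print("forged reply accepted:", match_response(pending, forged) is not None)
    print("guesses without port randomization:", guess_space(False))
    print("guesses with port randomization:", guess_space(True))
```

With only the transaction ID randomized an attacker who can delay the real answer (step 3 above) has 65,536 values to cover; adding the source port multiplies that by the size of the ephemeral range. DNSSEC removes the guessing game altogether, because a forged answer then fails signature validation regardless of which fields it matches.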
16. SQL Injection – Attack Explained
1. SQL Injection is an attack method that targets the data residing in a
database through the firewall that shields it.
2. It attempts to modify the parameters of a Web-based application in
order to alter the SQL statements that are parsed to retrieve data
from the database.
3. Enter the string as both user name and password in the frame on the
right. This should get you logged in as a user (jake happens to be the
first user in the table). This tells you that Jake is a user and it allows
you to access his account.
Privilege Escalation using SQL injection
The GRANTEE parameter used in procedures of
SYS.DBMS_STREAMS_AUTH PL/SQL Package is vulnerable to SQL
injection. Exploitation of this vulnerability allows an attacker to execute
arbitrary PL/SQL under the elevated privileges of the SYS user
Counter Measures
• Preventive : Input Validation/ Proper Patch
management
• Detective : Audit log monitoring of high privilege
grants
• Compensative : Layered defence
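Item 2 above describes the mechanism (the application alters the SQL it parses based on a request parameter) and the countermeasure names input validation. The following added example, not taken from the slides, shows the two login implementations side by side on an in-memory SQLite table: one that concatenates the user-supplied strings into the statement, and one that passes them as bound parameters so they can never change the statement's structure. The table, the user rows and the test input are constructed for illustration.

```python
import sqlite3


def make_db():
    """Constructed users table; 'jake' is deliberately the first row, as on the slide."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users (username, password) VALUES (?, ?)",
                     [("jake", "s3cret"), ("alice", "hunter2")])
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Builds the statement by string concatenation, so the input is parsed as SQL."""
    sql = ("SELECT username FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Bound parameters: the driver sends the values separately from the statement,
    so quotes or operators in the input are compared as data, never parsed."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    conn = make_db()
    probe = "' OR '1'='1"   # constructed test input: a quote followed by a tautology
    print("vulnerable:", login_vulnerable(conn, probe, probe))   # first user in the table
    print("safe:      ", login_safe(conn, probe, probe))         # None
    print("safe, real credentials:", login_safe(conn, "jake", "s3cret"))
```

Run against the vulnerable function, the tautology makes the WHERE clause true for every row and the query returns the first user, which is exactly the behaviour item 3 describes. The parameterised function returns nothing for the same input and still authenticates a genuine username and password. Validation of input is a useful additional layer, but parameterisation is the control that removes the class of bug.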
18. Buffer Overflow – Concept Explained
Buffer overflow occurs when data is input or written beyond the allocated bounds of a buffer, array, or other object, causing a program crash or a vulnerability that hackers might exploit.
1. SYS.OLAPIMPL_T.ODCITABLESTART Procedure in sys package with Execute privilege has Buffer Overflow in Oracle 9iR1 and 9iR2
2. EXECUTE privilege on DBMS_AQELM : Any Oracle database user with EXECUTE privilege on the package DBMS_AQELM can execute arbitrary code under the security context of the database server.
3. IBM Lotus Domino IMAP Cram-MD5 Buffer Overflow: It is prone to a remote buffer-overflow vulnerability because it fails to properly bounds-check user-supplied data before copying it to an insufficiently sized memory buffer.
Counter Measures
• Preventive : Input Validation/ Patch updates
• Detective : Log monitoring
• Compensative : Layered defence
19. Top 5 Database Security Process Gaps
Poor privilege management
Poor patch management
Lack of SOD (segregation of duties)
Insecure communication protocol – TNS listener/DB links
Lack of a powerful-grants audit trigger
20. Network Threats & Countermeasures
Network Re-direction
Arp-Cache poisoning
Connection Hijacking
SYN flooding
Denial of Services
Distributed Denial of Services
21. Network Re-direction
1. A port redirection attack is a trust exploitation-based attack
that uses a compromised host to pass traffic through a firewall
that the firewall would otherwise drop.
2. As an example, the diagram shows a firewall with three interfaces: Inside, Outside, and DMZ, with Host A on the DMZ interface. A host located on the outside interface can reach Host A, but cannot reach the host on the inside, Host B. Host A can reach both the host on the outside and Host B.
3. If a hacker can compromise Host A, the hacker can install
software on the DMZ host that redirects traffic from the outside
host directly to the inside host (Host B). Although neither
communication violates the rules implemented in the firewall, the
outside host now has connectivity to the inside host through the
port redirection process on the DMZ host
Counter Measures
• Preventive : HIPS, Proper Trust
model and restricted services
• Detective : Log monitoring
• Compensative : Layered defence
22. ARP - Poisoning
1. In normal operation the computers on the LAN use the ARP protocol to acquire and memorize each other's NIC MAC address, which they use for sending network data to each other.
2. But the ARP protocol provides no protection against misuse. An attacking computer on the same LAN can simply send spoofed ARP Replies to any other computers, telling them that its MAC address should receive the traffic bound for other IP addresses.
3. This "ARP Cache Poisoning" can be used to redirect traffic throughout the LAN, allowing any malicious computer to insert itself into the communications stream between any other computers for the purpose of monitoring and even altering the data flowing across the LAN.
Counter Measures
• Preventive : Use static IP entries, applied via batch script during login
• Detective : ARP inspection
• Compensative : Layered defense
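The detective control, ARP inspection, is a comparison of observed ARP replies against what is already known: a static binding pushed by the login script, or the binding first learned on the wire. The added example below (not from the slides) runs that comparison over a few constructed ARP-reply observations and raises an alert when an IP's MAC changes or when one MAC starts answering for several IPs, which is the signature of the spoofed replies described in item 2. The log format and the addresses are constructed for illustration.

```python
from collections import defaultdict

# Constructed ARP-reply observations (not from the page): "time ip mac".
# 192.168.1.1 is the gateway; aa:bb:cc:00:00:14 later claims it and a third IP.
SAMPLE_ARP = """\
09:00:00 192.168.1.1 aa:bb:cc:00:00:01
09:00:05 192.168.1.20 aa:bb:cc:00:00:14
09:00:09 192.168.1.1 aa:bb:cc:00:00:14
09:00:12 192.168.1.30 aa:bb:cc:00:00:14
"""


def inspect_arp(text, static_bindings=None):
    """Return a list of (time, kind, ip, mac) alerts.

    static_bindings: ip -> mac entries that were configured, e.g. by a login
    script; these take precedence over anything learned from traffic.
    Learned bindings are frozen at first sight, so every later reply that
    disagrees is reported, not silently adopted."""
    static = {ip: mac.lower() for ip, mac in (static_bindings or {}).items()}
    learned = {}
    ips_by_mac = defaultdict(set)
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, mac = line.split()
        mac = mac.lower()
        if ip in static and static[ip] != mac:
            alerts.append((ts, "static-mismatch", ip, mac))
        elif ip in learned and learned[ip] != mac:
            alerts.append((ts, "binding-changed", ip, mac))
        learned.setdefault(ip, mac)
        ips_by_mac[mac].add(ip)
        if len(ips_by_mac[mac]) > 1:
            alerts.append((ts, "mac-claims-multiple-ips", ip, mac))
    return alerts


if __name__ == "__main__":
    gateway = {"192.168.1.1": "aa:bb:cc:00:00:01"}   # constructed static entry
    for ts, kind, ip, mac in inspect_arp(SAMPLE_ARP, gateway):
        print(f"{ts} {kind}: {ip} now claimed by {mac}")
```

The third line trips both rules at once: the gateway's IP is announced with a MAC that differs from the static entry, and that MAC is now answering for two addresses. Switch features such as Dynamic ARP Inspection do the same comparison in hardware against DHCP-snooping bindings; the host-side version is useful where that is not available.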
23. Connection Hijacking
1. The attacker examines the traffic flows with a network monitor and notices traffic from Employee X to a web server.
2. The web server returns or echoes data back to the origination station (Employee X).
3. Employee X acknowledges the packet.
4. The cracker launches a spoofed packet to the server.
5. The web server responds to the cracker. The cracker starts verifying SEQ/ACK numbers to double-check success. At this time, the cracker takes over the session from Employee X, which results in a session hanging for Employee X.
6. The cracker can start sending traffic to the web server.
7. The web server returns the requested data to confirm delivery with the correct ACK number.
8. The cracker can continue to send data (keeping track of the correct SEQ/ACK numbers) until eventually setting the FIN flag to terminate the connection.
Counter Measures
• Preventive : Anti-Spoofing
• Detective : Log monitoring
• Compensative : Layered defense
25. DOS & DDOS
A denial-of-service attack (DoS attack) or distributed
denial-of-service attack (DDoS attack) is an attempt to make
a computer resource unavailable to its intended users
Counter Measures
• Preventive : Threshold/Rate
limiting/Peak flow
• Detective : IDS/SIEM
• Compensative : HA/Load balancers
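The preventive control listed first, threshold or rate limiting, is easy to state but worth seeing as code, because the detail that matters is per-source accounting over a sliding window rather than a global counter. The following added example (not from the slides) limits the number of SYNs accepted from each source address per second and reports what was dropped, over a constructed burst from one address alongside a second, well-behaved client. The limiter class, the event list and the thresholds are all constructed for illustration.

```python
from collections import defaultdict, deque


class SynRateLimiter:
    """Sliding-window threshold: at most `limit` accepted SYNs per source
    in any `window` seconds.  Only accepted SYNs are recorded, so a source
    that is being dropped does not push its own window further out."""

    def __init__(self, limit, window):
        self.limit = limit
        self.window = window
        self.history = defaultdict(deque)   # src -> timestamps of accepted SYNs

    def allow(self, src, ts):
        q = self.history[src]
        while q and ts - q[0] >= self.window:
            q.popleft()                     # expire entries outside the window
        if len(q) >= self.limit:
            return False
        q.append(ts)
        return True


# Constructed SYN arrivals (not from the page): (seconds, source IP).
# 203.0.113.9 sends five SYNs in 0.4 s; 198.51.100.7 sends two, a second apart.
SAMPLE_SYNS = [
    (0.0, "203.0.113.9"), (0.1, "203.0.113.9"), (0.2, "203.0.113.9"),
    (0.3, "203.0.113.9"), (0.4, "203.0.113.9"),
    (0.5, "198.51.100.7"),
    (1.5, "203.0.113.9"), (1.6, "198.51.100.7"),
]


def apply_threshold(events, limit=3, window=1.0):
    """Run the limiter over an event list; return (accepted, dropped) counts per source."""
    limiter = SynRateLimiter(limit, window)
    accepted, dropped = defaultdict(int), defaultdict(int)
    for ts, src in events:
        if limiter.allow(src, ts):
            accepted[src] += 1
        else:
            dropped[src] += 1
    return dict(accepted), dict(dropped)


if __name__ == "__main__":
    accepted, dropped = apply_threshold(SAMPLE_SYNS)
    print("accepted:", accepted)
    print("dropped: ", dropped)
```

The bursting source has two of its five SYNs in the first second dropped and is admitted again once the window has slid past them, while the other client is never affected. Against a distributed attack the per-source limit is weaker, since each bot stays under it, which is why the slide pairs it with detection (IDS/SIEM) and capacity (HA and load balancers) rather than relying on it alone.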
26. Layered defense
Infrastructure      Layers of Defense                  Security Tools
Network             • Multi Vendor Firewall            • RSA enVision
                    • Intrusion Detection System       • ArcSight
                    • Monitoring & Management          • LogLogic
                    • Log Review                       • McAfee Suite
                                                       • Symantec Suite
                                                       • Trend Micro
                                                       • CIS – Benchmark Audit tools
System              • Computing Environments           • WebSense
                    • Server Build Check               • Blue Coat
                    • Log Reviews                      • Tipping Point
                                                       • FoundStone
                                                       • Qualysguard
Desktop/End Point   • Desktop Applications             • AppScan
                    • End point Security
User Access         • User Access Requests
                    • Multiple Applications
                    • Diversified Technology