Vulnerability Assessment & Mitigating Vulnerabilities of Security Architectures - Part I
One of the most important topics in the CISSP course is vulnerability assessment. In this section we discuss the techniques used to identify and fix vulnerabilities in the main classes of systems: client-server systems, database systems, cryptographic systems, and industrial control systems.
Server-Client based systems
We begin the discussion of vulnerability assessment with the client side of client-server systems. The major client-side vulnerabilities usually involve defects in client-side code, that is, in browsers and in locally installed applications. The defects most often found are:
1- Sensitive data left behind in the file system: temporary files and cache files that may be readable by other users and processes on the system. Few users know that these files exist, let alone what leaving them on disk exposes.
2- Unprotected local data: data stored in local directories may have loose permissions and lack encryption. Disk encryption converts files and directories into an encrypted form; full-disk encryption encrypts every sector on the disk, which protects the data at rest against a lost or stolen device. Note that it does not protect data from other users or processes on a running system, which is what file permissions are for.
3- Unprotected or weakly protected communications: data transmitted between the client and other systems may use weak encryption, or no encryption at all.
4- Weak or non-existent authentication: this allows an adversary to access the application, local data, or server data without first authenticating.
5- Vulnerable applets: applications and browsers often load applets and plug-ins to render content such as video, and these applets frequently have exploitable weaknesses of their own.
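The first two client-side defects above (data left behind and loosely permitted local files) come down to how a file is created. The following is an added example, not code from the original article: it writes a cached secret the careless way and the safe way, then runs the permission audit a reviewer would run over a client's data directory. The file names, the secret, and the scratch directory are constructed for the example; the permission bits assume a POSIX host.

```python
import os
import stat
import tempfile

# Constructed sample: a secret an application might cache locally.
SAMPLE_SECRET = b"session-token-0123456789"


def write_secret_insecurely(directory: str) -> str:
    """The pattern behind 'unprotected local data': a plain open() inherits
    the process umask (commonly 022), so the cache file ends up readable by
    every local user. The chmod only makes the example deterministic
    whatever umask the host happens to use."""
    path = os.path.join(directory, "cache.tmp")
    with open(path, "wb") as fh:
        fh.write(SAMPLE_SECRET)
    os.chmod(path, 0o644)
    return path


def write_secret_securely(directory: str) -> str:
    """Create the file owner-only (0600) and atomically (O_CREAT | O_EXCL):
    there is no window in which another user can open it, and a symlink
    planted at the path makes the call fail instead of being followed."""
    path = os.path.join(directory, "cache.secure")
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(SAMPLE_SECRET)
    return path


def find_loosely_permitted(directory: str) -> list:
    """Audit check: names of regular files in `directory` that grant any
    permission to group or others."""
    loose_bits = stat.S_IRWXG | stat.S_IRWXO
    flagged = []
    for name in sorted(os.listdir(directory)):
        st = os.lstat(os.path.join(directory, name))
        if stat.S_ISREG(st.st_mode) and st.st_mode & loose_bits:
            flagged.append(name)
    return flagged


def demo() -> list:
    """Write both variants into a scratch directory, audit it, and clean up
    so no sensitive data is left behind."""
    scratch = tempfile.mkdtemp(prefix="client-audit-")
    try:
        write_secret_insecurely(scratch)
        write_secret_securely(scratch)
        return find_loosely_permitted(scratch)
    finally:
        for name in os.listdir(scratch):
            os.unlink(os.path.join(scratch, name))
        os.rmdir(scratch)


if __name__ == "__main__":
    print("files readable by other users:", demo())   # ['cache.tmp']
```

The audit only flags mode bits; on a shared machine you would also check the directory's own permissions, since a world-writable parent lets another user replace the file regardless of its mode.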
Server-based systems
Server-side attacks are launched directly by the attacker against a listening service. Servers that must be reachable from an untrusted network should therefore be deployed in a DMZ, and direct access from the untrusted network to any server port other than the published service should be blocked.
Other server-side weaknesses include exposure to Denial of Service (DoS) attacks, operating system vulnerabilities, and patches and updates that are pending but not yet applied.
Database systems
Vulnerabilities in database management systems include these:
1- LDAP Injection: a technique that takes advantage of unvalidated input placed into an LDAP search filter. By supplying filter metacharacters, an attacker can alter the query and read or modify directory data he should not have access to.
2- Database connectivity attack: attacks that exploit the connection between the application and its database. Opening a database connection requires a connection string, and if user input reaches that string the attacker can change where, and as whom, the application connects. Data connectivity attacks include:
- Connection String Injection
- Connection String Parameters Pollution (CSPP)
- Connection Pool DoS
3- Excessive retention of sensitive data: keeping sensitive data longer than necessary increases the impact of a security breach.
4- SQL Injection: the injection of attacker-controlled SQL into queries that are built from unvalidated input. These vulnerabilities can be detected with application vulnerability scanners. Through SQL injection an attacker can extract valuable information from the database, manipulate or destroy data, interrupt processing, and, depending on the database, execute commands on the host.
5- Command Injection: running attacker-supplied commands through the application. It can be done by any of the following methods:
- Shell Injection
- File Injection
- HTML Embedding
6- Aggregation of personally identifiable information: a potentially risky undertaking that can leave an organization holding a large body of sensitive personal information. This often happens when historic data from various sources is deposited into a data warehouse. The result can be a gold mine or a time bomb.
7- Loose access permissions: database management systems have access control schemes that are usually configured far too loosely. Another form of loose access permissions is an excessive number of people with privileged access, which is itself a time bomb.
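Item 4 above, SQL injection, is easiest to understand with the vulnerable query next to its fixed form. The following is an added example, not code from the original article: a login query built by string formatting, the same query with bound parameters, and the two classic payloads, one that bypasses authentication and one that uses UNION to extract the password column. The user table, its rows, and the payloads are constructed for the example; it runs against an in-memory SQLite database.

```python
import sqlite3

# Constructed sample rows standing in for an application's user table.
SAMPLE_USERS = [
    ("alice", "s3cret", "alice@example.test"),
    ("bob", "hunter2", "bob@example.test"),
    ("carol", "letmein", "carol@example.test"),
]


def build_db() -> sqlite3.Connection:
    """In-memory SQLite database loaded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Query assembled by string formatting: whatever the user types becomes
    part of the SQL grammar, so quotes and comment markers rewrite the query."""
    sql = ("SELECT username, email FROM users "
           f"WHERE username = '{username}' AND password = '{password}'")
    return conn.execute(sql).fetchall()


def login_parameterized(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Same query with bound parameters: the driver passes the input as data,
    so it is never parsed as SQL, whatever characters it contains."""
    sql = "SELECT username, email FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


# Two classic payloads (constructed for the example). The closing quote ends
# the string literal and '--' comments out the rest of the original query.
BYPASS_PAYLOAD = "' OR 1=1 --"                                     # authentication bypass
DUMP_PAYLOAD = "' UNION SELECT username, password FROM users --"   # data extraction


if __name__ == "__main__":
    conn = build_db()
    print("vulnerable, bypass:   ", login_vulnerable(conn, BYPASS_PAYLOAD, "x"))
    print("vulnerable, dump:     ", login_vulnerable(conn, DUMP_PAYLOAD, "x"))
    print("parameterized, bypass:", login_parameterized(conn, BYPASS_PAYLOAD, "x"))
```

Against the vulnerable function the bypass payload returns every user and the UNION payload returns every password; against the parameterized function both return nothing, because the whole payload is compared, as a string, with the username column.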
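Item 2 above, connection string parameter pollution, is less familiar than SQL injection, so here is an added example that is not code from the original article. It uses a toy parser for the common "Key=Value;Key=Value" connection-string format in which, as assumed for this example, the last occurrence of a key wins (real providers differ on that rule, so check the one you use). A password containing ";Data Source=..." then redirects the application, and the credentials it sends, to an attacker's host. The server names and the payload are constructed; the hardened builder simply refuses values that carry the separator or assignment characters.

```python
import re

METACHARS = re.compile(r"[;=]")


def parse_connection_string(conn_str: str) -> dict:
    """Toy parser for 'Key=Value;Key=Value' strings. Keys are case-insensitive
    and, as assumed here, the LAST occurrence of a key wins."""
    params = {}
    for part in conn_str.split(";"):
        if "=" not in part:
            continue
        key, _, value = part.partition("=")
        params[key.strip().lower()] = value.strip()
    return params


def duplicate_keys(conn_str: str) -> list:
    """Detection check: keys that occur more than once, the fingerprint of a
    pollution attempt in a logged or captured connection string."""
    seen = {}
    for part in conn_str.split(";"):
        if "=" in part:
            key = part.partition("=")[0].strip().lower()
            seen[key] = seen.get(key, 0) + 1
    return sorted(k for k, n in seen.items() if n > 1)


def build_vulnerable(user: str, password: str) -> str:
    """User-controlled values concatenated straight into the string."""
    return f"Data Source=db.internal;User ID={user};Password={password}"


def build_hardened(user: str, password: str) -> str:
    """Refuse values carrying separator or assignment characters, so no
    input can introduce a new Key=Value pair."""
    for name, value in (("user", user), ("password", password)):
        if METACHARS.search(value):
            raise ValueError(f"{name} contains connection-string metacharacters")
    return f"Data Source=db.internal;User ID={user};Password={password}"


# Constructed attacker input: a 'password' that smuggles in a second Data Source.
POLLUTED_PASSWORD = "x;Data Source=attacker.example"


if __name__ == "__main__":
    polluted = build_vulnerable("svc_app", POLLUTED_PASSWORD)
    print(parse_connection_string(polluted)["data source"])   # attacker.example
    print(duplicate_keys(polluted))                            # ['data source']
```

Rejecting is the simplest correct fix; if a provider supports quoting, its own builder class (which quotes for you) is preferable to hand-written escaping.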
Cryptographic systems
Cryptographic systems are apt to contain vulnerabilities. Like any powerful tool, in the hands of an operator who does not know how to use it, cryptography is useless at best and dangerous at worst.
The ways in which a cryptographic system may be vulnerable include these:
- Use of an outdated algorithm: developers and engineers must take care to select encryption algorithms that are still considered robust.
- Failure to encrypt encryption keys
- Weak cryptographic keys
- Insufficient protection of cryptographic keys: if too many people have access to the keys, or if the keys are not sufficiently protected, an intruder may be able to compromise the system simply by stealing and using them.
Cryptographic attacks are generally intended to recover the encryption key or, failing that, the plaintext. Once an attacker has the key, he can decrypt every message protected by it. The process of finding weaknesses in an encryption algorithm, its implementation, or its key management scheme is called cryptanalysis. The attacks are classified by what the cryptanalyst has access to:
1- Known Plaintext Attack: the cryptanalyst has samples of plaintext and the corresponding ciphertext, and uses the pairs to recover the key or to decrypt other ciphertexts.
2- Chosen Ciphertext Attack: the cryptanalyst can choose ciphertexts and obtain their decryptions (for example by submitting them to a system that decrypts on request), and uses the results to recover the key or to decrypt other ciphertexts.
3- Ciphertext Only Attack: the cryptanalyst has access only to ciphertext and attempts to recover the plaintext or the key from it, typically by exploiting statistical properties of the messages. This is the weakest position for an attacker and the hardest attack to mount.
4- Chosen Plaintext Attack: the cryptanalyst can encrypt plaintexts of his choosing and observe the resulting ciphertexts. This capability is always available against asymmetric cryptography, because the public key lets anyone encrypt, which is why it is the most common attack model there.
5- Adaptive Chosen Ciphertext Attack: an interactive form of the chosen ciphertext attack in which the attacker submits ciphertexts for decryption one after another, choosing each one based on the results of the previous decryptions.
6- Adaptive Chosen Plaintext Attack: a form of the chosen plaintext attack in which the cryptanalyst issues a series of interactive encryption queries, each chosen in light of the earlier results.
7- Code Breaking Methodologies: tricks and techniques that help break encryption and expose what it protects (cryptographic keys and messages). The following are some effective techniques:
- Brute Force: trying every possible key; feasible only when the key space is small.
- Frequency Analysis: exploiting the known letter and symbol frequencies of the plaintext language to recover the mapping used by a substitution cipher.
- One-Time Pad: strictly a cipher rather than a breaking technique, and the one scheme these methods cannot defeat when the pad is truly random and never reused. Reuse of a pad, however, exposes both messages to frequency analysis and to known plaintext recovery.
8- Rubber Hose Attack: obtaining cryptographic secrets (passwords, keys, encrypted files) by coercing or torturing a person who knows them.
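The known plaintext attack (item 1), brute force and frequency analysis (item 7), and the one-time pad caveat can all be shown on XOR encryption. The following is an added example, not code from the original article: two messages encrypted with the same pad, recovery of the second message from the first using only XOR arithmetic, and a brute-force search over every single-byte XOR key ranked by English letter frequency. The messages, the seeded pad, the frequency table, and the single-byte key are constructed for the example.

```python
import random

# Constructed sample messages (the "victim's" traffic) and a pad generated
# from a fixed seed so the example is reproducible; a real pad must come from
# a cryptographic RNG and must never be used twice.
MESSAGE_A = b"the payroll transfer is scheduled for friday morning"
MESSAGE_B = b"meet the auditor at nine; bring the signed contracts"
_rng = random.Random(20240101)
PAD = bytes(_rng.getrandbits(8) for _ in range(64))

# Approximate English character frequencies (percent), space included;
# a dozen entries are enough to rank candidate decryptions.
ENGLISH_FREQ = {"e": 12.7, "t": 9.1, "a": 8.2, "o": 7.5, "i": 7.0, "n": 6.7,
                "s": 6.3, "h": 6.1, "r": 6.0, "d": 4.3, "l": 4.0, "u": 2.8, " ": 13.0}


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncated to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def known_plaintext_recover_pad(ciphertext: bytes, known_plaintext: bytes) -> bytes:
    """Known plaintext attack on XOR encryption: C = P XOR K, so K = C XOR P."""
    return xor_bytes(ciphertext, known_plaintext)


def two_time_pad_attack(ct_a: bytes, ct_b: bytes, known_a: bytes) -> bytes:
    """Pad reuse turns a known plaintext for one message into the plaintext
    of the other: C_a XOR C_b = P_a XOR P_b, hence P_b = C_a XOR C_b XOR P_a."""
    return xor_bytes(xor_bytes(ct_a, ct_b), known_a)


def english_score(candidate: bytes) -> float:
    """Frequency analysis score: reward common English characters and reject
    anything that is not printable text outright."""
    score = 0.0
    for b in candidate:
        if b >= 128 or b == 127 or (b < 32 and b not in (9, 10, 13)):
            return float("-inf")
        score += ENGLISH_FREQ.get(chr(b).lower(), 0.0)
    return score


def brute_force_single_byte_xor(ciphertext: bytes) -> tuple:
    """Brute force over all 256 keys, ranked by frequency analysis; returns
    (key, plaintext). Practical only because the key space is tiny."""
    best_key = max(range(256),
                   key=lambda k: english_score(bytes(c ^ k for c in ciphertext)))
    return best_key, bytes(c ^ best_key for c in ciphertext)


if __name__ == "__main__":
    ct_a, ct_b = xor_bytes(MESSAGE_A, PAD), xor_bytes(MESSAGE_B, PAD)
    print(two_time_pad_attack(ct_a, ct_b, MESSAGE_A))    # b'meet the auditor at nine; ...'
    weak_ct = bytes(c ^ 0x5A for c in MESSAGE_A)
    print(brute_force_single_byte_xor(weak_ct))           # (90, b'the payroll transfer ...')
```

Neither attack touches the pad's randomness; the first exploits reuse and the second a key too short to resist enumeration, which is the practical content of the "weak cryptographic keys" item above.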
Industrial Control Systems (ICS)
ICS is a general term covering several types of control systems used in industrial production. The most common is Supervisory Control and Data Acquisition (SCADA), a system that uses coded signals over communication channels to monitor and control remote equipment.
ICS Security
Disable unnecessary ports and services. The following are commonly enabled by default on control equipment and should be turned off wherever the device does not actually need them:
- DNS
- HTTP
- FTP & TFTP
- Telnet
- DHCP
- SSH
- SOAP
- SMTP
- SNMP
- DCOM
Network Segmentation
The common architectures are listed below, from the weakest (a single dual-homed host, which offers no real separation) to the strongest (paired firewalls with a DMZ between them):
- Dual-Homed Computer/Dual Network Interface Cards (NIC)
- Firewall between Corporate Network and Control Network
- Firewall and Router between Corporate Network and Control Network
- Firewall with DMZ between Corporate Network and Control Network
- Paired Firewalls between Corporate Network and Control Network
Other ICS security controls
- Enforce encryption where applicable
- Enforce patch management
- Apply risk management to the ICS
- Implement a least-privilege policy
- Audits
- Redundancy and fault tolerance
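The "Firewall with DMZ" architecture and the disable-unneeded-services list above describe a policy that can be checked mechanically. The following is an added example, not code from the original article, of a small rule evaluator and auditor for that policy. The zone names, the historian in the DMZ, the port numbers, and the misconfigured policy are all constructed for the example; Modbus/TCP on port 502 stands in for whatever protocol your controllers actually speak.

```python
from dataclasses import dataclass

# Ports for the services the list above says to disable where unneeded
# (TFTP, SNMP and DHCP run over UDP; the rest over TCP).
RISKY_SERVICES = {
    ("tcp", 21): "FTP", ("udp", 69): "TFTP", ("tcp", 23): "Telnet",
    ("tcp", 25): "SMTP", ("udp", 161): "SNMP", ("tcp", 135): "DCOM",
    ("tcp", 80): "HTTP", ("tcp", 53): "DNS", ("udp", 53): "DNS",
    ("udp", 67): "DHCP",
}
MODBUS_TCP = 502


@dataclass(frozen=True)
class Rule:
    src_zone: str      # 'corporate', 'dmz', 'control' or '*'
    dst_zone: str
    proto: str         # 'tcp', 'udp' or '*'
    dst_port: int      # 0 means any port
    action: str        # 'allow' or 'deny'

    def matches(self, src: str, dst: str, proto: str, port: int) -> bool:
        return (self.src_zone in ("*", src) and self.dst_zone in ("*", dst)
                and self.proto in ("*", proto) and self.dst_port in (0, port))


# 'Firewall with DMZ' pattern: corporate and control never talk directly;
# a historian in the DMZ is the only thing that reaches the controllers.
# First match wins; the last rule denies everything else.
DMZ_POLICY = [
    Rule("corporate", "dmz", "tcp", 443, "allow"),       # users read the historian
    Rule("dmz", "control", "tcp", MODBUS_TCP, "allow"),  # historian polls the PLCs
    Rule("*", "*", "*", 0, "deny"),
]

# Constructed misconfiguration: a 'temporary' vendor-support hole plus SNMP.
BAD_POLICY = [
    Rule("corporate", "control", "tcp", 23, "allow"),    # Telnet straight to PLCs
    Rule("corporate", "dmz", "udp", 161, "allow"),       # SNMP polling of the DMZ
] + DMZ_POLICY


def evaluate(policy: list, src: str, dst: str, proto: str, port: int) -> str:
    """First-match evaluation of a flow against the rule list."""
    for rule in policy:
        if rule.matches(src, dst, proto, port):
            return rule.action
    return "deny"


def audit(policy: list) -> list:
    """Flag allow rules that break the segmentation model: any direct
    corporate<->control path (or a wildcard zone), and any flow allowed
    into the DMZ or control zone on a service from the disable list."""
    findings = []
    for rule in policy:
        if rule.action != "allow":
            continue
        zones = {rule.src_zone, rule.dst_zone}
        if "*" in zones or zones == {"corporate", "control"}:
            findings.append(f"direct path {rule.src_zone}->{rule.dst_zone}")
        svc = RISKY_SERVICES.get((rule.proto, rule.dst_port))
        if svc and rule.dst_zone in ("dmz", "control"):
            findings.append(f"{svc} allowed into {rule.dst_zone}")
    return findings


if __name__ == "__main__":
    print(evaluate(DMZ_POLICY, "corporate", "control", "tcp", MODBUS_TCP))  # deny
    print(evaluate(DMZ_POLICY, "dmz", "control", "tcp", MODBUS_TCP))        # allow
    print(audit(BAD_POLICY))
```

The same audit applied to an exported firewall rule set (after mapping interfaces to zones) is a quick way to find the direct corporate-to-control paths that accumulate during vendor support calls.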
Read more about vulnerability assessment here.