A. Outline the top five threats to each of the following in the given scenario:
1. The server
2. The workstations
3. The website
Threats - Server
Rootkits – This malicious software allows hackers to gain and maintain elevated or administrative access to servers. Often this type of software arrives as an attachment shared among e-mail contacts and is accidentally initiated when saved to a local folder. The software can then hold open a gateway that gives the attacker access to the compromised server, without intervention or further initiation from the unsuspecting user. This may have been one possible highway the attackers used to gain access to and delete data from the customer website.
Open Ports & Services – By default, many server operating systems leave a large number of ports open. This allows greater configurability and compatibility for software and server-based services. However, leaving these default ports and a multitude of default services in operation increases the attack surface and overall vulnerability of the server. These exposed ports allow for attacks such as ‘Denial of Service’, and this may have been a factor in the latency and slowdown experienced by employees and customers alike.
Missed Patches – Every day new attack vectors are discovered, and operating system and software vulnerabilities are identified. Many server operating systems come with a robust security suite; however, these security measures fail to identify new threats if patches are not kept up to date and installed at a regular interval. When updates are missed, hackers can use the new attacks against the server.
Backdoor Access – Often installed alongside a rootkit or Trojan, backdoors leave a permanent route of ingress unknown to the end-user. This access allows the hacker to enter the system and remotely execute attacks, delete files, or gain further access to the infrastructure. A backdoor could have allowed attackers into the system, where they were able to delete website and customer data.
Inattentive Administration – Servers cannot be left to fend for themselves. As with the patches mentioned above, system resource monitors and event logs must be monitored in order to keep the system running without compromise or failure. If the server is not being monitored, a number of attacks can take place without the company knowing, until the data has been obtained or deleted. Because the LLP does not employ full-time server administration, many early indicators were missed and data was accessed, destroyed, modified, or all of the above.
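The "early indicators" that inattentive administration misses are usually sitting in the event log already. The following is an added example, not part of the original assignment: a small detector that reads OpenSSH-style auth log lines (the sample lines are constructed for this illustration; the host name and addresses are made up) and raises an alert when one source racks up repeated failed logins inside a short window, escalating if that same source then logs in successfully. Thresholds and window size are assumptions to be tuned per environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in OpenSSH auth.log format (sample data, not from the scenario).
SAMPLE_AUTH_LOG = """\
Mar  3 02:14:01 fileserver sshd[2201]: Failed password for invalid user admin from 203.0.113.45 port 51022 ssh2
Mar  3 02:14:03 fileserver sshd[2203]: Failed password for invalid user admin from 203.0.113.45 port 51030 ssh2
Mar  3 02:14:05 fileserver sshd[2205]: Failed password for root from 203.0.113.45 port 51041 ssh2
Mar  3 02:14:06 fileserver sshd[2207]: Failed password for root from 203.0.113.45 port 51052 ssh2
Mar  3 02:14:08 fileserver sshd[2209]: Failed password for root from 203.0.113.45 port 51060 ssh2
Mar  3 02:14:10 fileserver sshd[2211]: Accepted password for root from 203.0.113.45 port 51071 ssh2
Mar  3 09:30:12 fileserver sshd[3100]: Failed password for jsmith from 192.168.1.20 port 40012 ssh2
Mar  3 09:30:40 fileserver sshd[3102]: Accepted password for jsmith from 192.168.1.20 port 40015 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port"
)


def parse_auth_log(text):
    """Turn raw log lines into (timestamp, failed?, user, source) tuples; unrecognised lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # Syslog stamps carry no year; only time differences are used below, so that is fine.
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
        events.append((ts, m["result"] == "Failed", m["user"], m["src"]))
    return events


def detect_bruteforce(events, threshold=5, window=timedelta(seconds=60)):
    """Alert on any source with `threshold` failures inside `window` (assumed values);
    mark the alert as a likely compromise if that source later succeeds."""
    recent = defaultdict(list)   # source address -> timestamps of recent failures
    alerts = {}
    for ts, failed, user, src in events:
        if failed:
            recent[src] = [t for t in recent[src] if ts - t <= window] + [ts]
            if len(recent[src]) >= threshold and src not in alerts:
                alerts[src] = {"failures": len(recent[src]),
                               "first_seen": recent[src][0],
                               "success_after": False}
        elif src in alerts:
            # A successful login right after a burst of failures deserves the loudest alarm.
            alerts[src]["success_after"] = True
    return alerts


if __name__ == "__main__":
    for src, info in detect_bruteforce(parse_auth_log(SAMPLE_AUTH_LOG)).items():
        print(src, info)
```

Run against the sample, the detector flags 203.0.113.45 (five failures in nine seconds, then an accepted root login) and stays quiet about the single mistyped password from 192.168.1.20. In practice the same logic would be fed by a log shipper and its alerts routed to whoever holds the administration role the memo recommends creating.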
Threats - Workstations
Application & Operating System Patches Missing – Many new attack vectors and application vulnerabilities are identified each day. Attacks occur against common client-based applications and workstation operating systems. As an example, Adobe Reader and the Java Runtime client are often the target of attacks, as they are used on the vast majority of desktops, workstations, and even mobile devices. If these applications and devices are not kept up to date, a multitude of attacks can take place. Without a regular application and operating system patch schedule, the LLP would have an ever-increasing vulnerability and attack surface.
Worms, Viruses, & Trojans – This cocktail of malicious software can execute a multitude of tasks, from denial of service that actively slows down systems, to providing a gateway that lets hackers into an infrastructure, to the theft and destruction of data. These pieces of software are often obtained through malicious emails and websites with malicious code, and can spread among computers on the same network. It is highly likely that the entire network of computers at the LLP was infected, due to the staff downloading software and various plugins. Without IT/IS oversight, the LLP was unable to properly validate and verify software before installing it, or to provide user training and awareness.
Compromised Passwords – Passwords are often viewed as a nuisance by end-users, and because of this they are often easy to guess due to password reuse, age, weakness, or lack of complexity. Additionally, a single password is often used across multiple sites through single sign-on, such as Facebook. This gives an attacker the ability to infiltrate multiple systems once a single password has been compromised. Due to the lack of password policies on the LLP’s network, sniffers and packet capture programs are used to identify the passwords in use.
Social Engineering – Often, the goal of an attacker is to gain access to a larger network or infrastructure. To achieve this goal, they initially target the users of systems that have access to the network, taking advantage of human actions and reactions. This is done through a wide array of attacks that appeal to the target’s need or want to help (such as donating), or other convincing methods that result in the disclosure of sensitive personal data (such as passwords, social security numbers, and birthdates). This provides the attackers with the information needed to reset passwords and gain access to the network as if they were the user. An attacker could have called the LLP posing as a customer and gained access to the website in a manner that allowed them to further exploit the LLP’s systems.
Phishing & Pharming – These attacks are specific e-mail campaigns that target users and fool them into clicking on what may appear to be a legitimate URL but instead leads to malicious software. These URLs tend to lead to the installation of malware that can then be used to gain access to various pieces of personal data such as financial records. Because the LLP does not update system software or employ anti-malware / anti-virus software, it is possible that emails arrived with the appearance of legitimacy but instead directed users to sites with malicious intent, used to capture customer and end-user data and to spread further among the LLP’s network.
Threats - Websites
Distributed Denial of Service (DDoS) – These attacks target a specific port or service with millions of requests every minute, in a simultaneous effort coming from many hundreds or even thousands of attacking computers. These attacks cause lag, inaccessibility, and at times complete loss of service. Within the given scenario, it is likely that the client-facing website had been suffering from a DDoS attack, given the customer complaints about the speed, availability, and overall sluggish nature of the site.
SQL Injection – Modern websites often call for the collection of data, some form of user input, or the retrieval of records. The site utilizes a backend server whose sole purpose is to host a database that provides this information. Most often the database server utilizes SQL. A SQL injection attack occurs when rogue and unexpected data, intended to return results beyond the structure of the developed form or input, is inserted into an input field. In this instance, an attack was launched injecting rogue and malicious code that allowed the hackers to access the backend server, disrupting and destroying data.
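To make the mechanism concrete, here is an added example (not code from the assignment or the LLP's site) using Python's built-in sqlite3 module and a constructed three-row customer table. The first lookup builds the SQL text by string concatenation, so a quote character in the input changes the shape of the query; the second passes the value as a bound parameter, which is the fix behind the memo's input-validation recommendation, with an allow-list check on the input as a second layer. Table and column names are made up for the illustration.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the site's customer database (sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, case_ref TEXT)")
    conn.executemany("INSERT INTO customers (name, case_ref) VALUES (?, ?)",
                     [("Alice", "C-1001"), ("Bob", "C-1002"), ("Carol", "C-1003")])
    conn.commit()
    return conn


def lookup_vulnerable(conn, name):
    """The input is spliced into the SQL text, so it can alter the query's structure."""
    sql = "SELECT name, case_ref FROM customers WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    """The driver sends the value separately from the statement; it can only ever be data."""
    sql = "SELECT name, case_ref FROM customers WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def is_valid_name(name):
    """Allow-list validation of the field itself (letters, spaces and hyphens, at most 64 chars)."""
    return 0 < len(name) <= 64 and name.replace(" ", "").replace("-", "").isalpha()


if __name__ == "__main__":
    db = make_db()
    crafted = "x' OR '1'='1"          # textbook probe: closes the quote and adds an always-true clause
    print("vulnerable:", lookup_vulnerable(db, crafted))   # every row comes back
    print("safe:      ", lookup_safe(db, crafted))         # no customer has that literal name
    print("validated: ", is_valid_name(crafted))           # rejected before it reaches the database
```

The same probe that dumps every row through the concatenated query returns nothing through the parameterised one, and the allow-list rejects it outright. Parameterised queries are the primary control; validation narrows what reaches the database but is not a substitute for them.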
Outdated/Insecure Ports & Services – The use of outdated services and processes, such as software that is old or unpatched, as well as those that transmit unencrypted data, provides a large target for hackers. When data is transmitted without encryption, hackers can sniff, snoop, and capture data packets that could contain personal information such as financial account access, passwords, and other personally identifying information. This is a possible explanation for the need to restore missing/corrupted data.
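Both the "Open Ports & Services" threat to the server and the "Outdated/Insecure Ports & Services" threat to the website come down to the same check: what is listening, on which interface, and is it on the list of things that should be. The following is an added example, not part of the assignment: it parses the output format of the Linux `ss -tlnp` command (the sample output is constructed for this illustration; process names, PIDs and ports are made up) and compares it against a hypothetical per-host baseline, flagging cleartext protocols, database listeners exposed beyond loopback, and anything not in the baseline.

```python
import re

# Constructed sample of `ss -tlnp` output on a Linux server (sample data, not from the scenario).
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       511     0.0.0.0:80           0.0.0.0:*          users:(("nginx",pid=1203,fd=6))
LISTEN  0       511     0.0.0.0:443          0.0.0.0:*          users:(("nginx",pid=1203,fd=7))
LISTEN  0       128     127.0.0.1:3306       0.0.0.0:*          users:(("mysqld",pid=990,fd=21))
LISTEN  0       50      0.0.0.0:21           0.0.0.0:*          users:(("vsftpd",pid=1400,fd=4))
LISTEN  0       128     0.0.0.0:23           0.0.0.0:*          users:(("telnetd",pid=1422,fd=3))
LISTEN  0       128     [::]:5432            [::]:*             users:(("postgres",pid=1001,fd=5))
"""

# Hypothetical baseline for this host (an assumption of the example, not a standard).
EXPECTED_PUBLIC = {22: "sshd", 80: "nginx", 443: "nginx"}   # allowed to face the network
LOOPBACK_ONLY = {3306: "mysqld", 5432: "postgres"}          # must bind 127.0.0.1 / ::1 only
CLEARTEXT_PROTOCOLS = {21: "ftp", 23: "telnet"}              # carry credentials unencrypted


def parse_listeners(text):
    """Return (local address, port, process name) for every LISTEN row; the header is skipped."""
    listeners = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[0] != "LISTEN":
            continue
        addr, port = parts[3].rsplit(":", 1)          # rsplit copes with IPv6 forms like [::]:5432
        m = re.search(r'\(\("([^"]+)"', parts[5])     # first process name inside users:(("name",...))
        listeners.append((addr, int(port), m.group(1) if m else "unknown"))
    return listeners


def audit_listeners(listeners):
    """Compare listeners with the baseline; each finding is (port, process, recommendation)."""
    findings = []
    for addr, port, proc in listeners:
        loopback = addr in ("127.0.0.1", "[::1]")
        if port in CLEARTEXT_PROTOCOLS:
            findings.append((port, proc, f"cleartext {CLEARTEXT_PROTOCOLS[port]} service: "
                                         "replace with an encrypted equivalent (e.g. SFTP/SSH) or disable"))
        elif port in LOOPBACK_ONLY:
            if not loopback:
                findings.append((port, proc, f"{proc} reachable on {addr}: bind to loopback only"))
        elif port in EXPECTED_PUBLIC and proc == EXPECTED_PUBLIC[port]:
            continue                                   # expected, nothing to report
        else:
            findings.append((port, proc, "not in baseline: disable the service or block the port at the firewall"))
    return findings


if __name__ == "__main__":
    for port, proc, advice in audit_listeners(parse_listeners(SAMPLE_SS_OUTPUT)):
        print(f"port {port:>5} ({proc}): {advice}")
```

On the sample, the audit reports the FTP and telnet daemons (cleartext credentials, exactly the sniffing problem described above) and the PostgreSQL listener bound to all interfaces, while accepting sshd, nginx and the loopback-only MySQL. Running this from a scheduled job and diffing the output against the previous run turns "disable unused services" from a one-time hardening step into an ongoing check.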
Cross Site Scripting (XSS) – Cross site scripting occurs when code that is sent from the server to the client has been altered and now executes with malicious intent. The code is typically hidden in a link or call that the end user unknowingly triggers. One indicator of cross site scripting is the responsiveness of the website. If XSS is in place, traffic could be routed through the attacker’s web server and then back to the client. This allows the attacker to capture the data transferred, without the client realizing that anything is wrong. In the case of the LLP, the site appeared sluggish and slow in the weeks preceding the deletion of the site.
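The defense the memo names for XSS is validation, and the companion to it is encoding output for the context it lands in, so that visitor-supplied text is displayed rather than executed. The following is an added example (not code from the assignment or the site) showing a comment-rendering function that interpolates raw input beside one that encodes it with Python's `html.escape`, plus a separate rule for link attributes, where encoding alone does not stop a `javascript:` URL. The sample inputs are constructed for the illustration.

```python
import html
from urllib.parse import urlparse

# Constructed sample inputs as a visitor might submit them (sample data, not from the scenario).
SAMPLE_AUTHOR = "Mallory"
SAMPLE_BODY = '<script>alert("xss")</script>'


def render_comment_unsafe(author, body):
    """Interpolates raw input into the page: whatever the visitor typed becomes markup."""
    return f'<p class="comment"><b>{author}</b>: {body}</p>'


def render_comment_safe(author, body):
    """Encodes for the HTML text context, so the browser shows the input as text and never runs it."""
    return f'<p class="comment"><b>{html.escape(author)}</b>: {html.escape(body)}</p>'


def safe_href(url):
    """Attribute context needs its own rule: only http/https links are allowed through."""
    parsed = urlparse(url.strip())
    if parsed.scheme not in ("http", "https"):
        return "#"
    return html.escape(url, quote=True)


def render_link_safe(url, text):
    """A visitor-supplied link rendered with both the scheme check and attribute encoding."""
    return f'<a href="{safe_href(url)}">{html.escape(text)}</a>'


if __name__ == "__main__":
    print(render_comment_unsafe(SAMPLE_AUTHOR, SAMPLE_BODY))   # the <script> tag survives intact
    print(render_comment_safe(SAMPLE_AUTHOR, SAMPLE_BODY))     # rendered as &lt;script&gt;...
    print(render_link_safe("javascript:alert(1)", "my site"))  # href becomes "#"
```

The unsafe renderer reproduces the `<script>` element verbatim, the safe one emits `&lt;script&gt;`, and the link helper neutralises a `javascript:` URL that escaping by itself would have left clickable. Each output context (HTML text, attribute, URL, JavaScript) has its own encoding rule; a template engine that auto-escapes by default handles the first for you.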
Insecure Authentication – Regardless of transaction, input, or execution, the transmission of data should always use secure, encrypted, and authenticated procedures where available. This includes hashing of passwords, SSL/TLS connections, and encrypted file transfers (SFTP). Communication between internal and external sources was not secured or encrypted. The site utilized plain text logins and transmitted data to the backend servers unencrypted. The traffic was susceptible to snooping and sniffing.
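Two of the controls named on this page, hashing of passwords here and the strength, age, history and complexity rules in the "Compromised Passwords" threat, fit together in one place. The following is an added example (not code from the assignment or the site) using only Python's standard library: passwords are stored as salted PBKDF2-HMAC-SHA256 hashes and verified with a constant-time comparison, and a policy check rejects short or low-complexity passwords and, by verifying against previously stored hashes, any password reused from the user's history. The iteration count follows OWASP's Password Storage Cheat Sheet figure for PBKDF2-HMAC-SHA256; the 12-character and three-class thresholds are assumptions chosen for the illustration.

```python
import hashlib
import hmac
import os
import re

PBKDF2_ITERATIONS = 600_000   # OWASP Password Storage Cheat Sheet figure for PBKDF2-HMAC-SHA256


def hash_password(password, iterations=PBKDF2_ITERATIONS):
    """Salted, iterated hash for storage; the plaintext is never written anywhere."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and parameters, then compare in constant time."""
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def check_policy(password, previous_hashes=()):
    """Return the list of policy violations; an empty list means the password is acceptable.
    Thresholds (12 characters, three character classes) are assumed values for this example."""
    problems = []
    if len(password) < 12:
        problems.append("shorter than 12 characters")
    classes = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    if sum(bool(re.search(c, password)) for c in classes) < 3:
        problems.append("uses fewer than three character classes")
    # History is enforced against stored hashes, so old passwords never need to be kept in clear.
    if any(verify_password(password, h) for h in previous_hashes):
        problems.append("matches a password in the user's history")
    return problems


if __name__ == "__main__":
    old = hash_password("Winter-Sunrise-2024!")        # constructed sample password
    print(verify_password("Winter-Sunrise-2024!", old))  # True
    print(check_policy("pass"))                          # too short, too few classes
    print(check_policy("Winter-Sunrise-2024!", [old]))   # rejected as reused
```

Stored this way, a captured database yields only salted hashes that have to be attacked one guess at a time, and the history rule works without retaining any old plaintext. Hashing at rest complements, rather than replaces, TLS on the login form: without an encrypted connection the plain text login described above is still readable on the wire before it is ever hashed.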
B. Create a memo (suggested length of 2 pages) in which you do the following:
1. Evaluate the likelihood of the threats discussed in part A.
2. Recommend security controls and countermeasures that should be instituted to mitigate these threats.
To: Private Investigations LLP
From: David Koltcz
RE: Security Threats
Threats to information security are vast and numerous. Some are common, some are easy to execute, and more often than not they are extremely damaging. It is extremely important to establish at least a basic security posture to prevent data and identity theft.
Each component of the computer network must be analyzed and examined, holistically and in a non-intrusive way. Although the entire network infrastructure is built of smaller components, such as computers, printers, and mobile devices, the system as a whole can be affected and extend that effect to each individual piece. For instance, a server may be locked down and hardened, but if a workstation is accessible and is compromised, it becomes a gateway to compromise the rest of the network, including the server, due to the trust relationship. To provide an overview for the non-technical staff of the LLP, I have broken down the key threats that may be encountered by each piece of the infrastructure: servers, workstations, and the website.
Server
The server is the backbone of the infrastructure. It provides the services and processes that allow the exchange of data and provide responses to website requests. If the server is compromised, it will mean downtime for internal and external functions until a backup solution can be provided. The list of threats has been sorted in order of likelihood.
1. Inattentive Administration – This threat is the most likely to occur in a small business office due to the lack of a full-time IT administration professional. Without constant oversight of logs and performance monitors, and the regular deployment of patches, it is very likely that the server, and consequently the infrastructure, could become compromised without detection. Hiring a full-time IT administrator will mitigate this threat.
2. Open Ports & Services – When a server is initially configured, many of the ports and services are left wide open and are often not required. This is done to maximize configurability and compatibility. In order to harden the server’s security stance, disable unused services and block open ports using an integrated firewall application.
3. Missing Patches – Many software developers release patches and security updates for their products on a regular basis. As an example, Microsoft releases patches on the second Tuesday of the month, otherwise known as ‘Patch Tuesday’. These patches are extremely important in the fight against growing vulnerabilities and threats. Patches and updates should be checked and deployed regularly for all systems.
4. Rootkits & Backdoors – Though listed separately in the notes above, the security posture against rootkits and backdoors is the same. All system accounts that are put in place should be created at a ‘Least Privilege’ level. This means that the account should only have access to do what is needed and nothing more. There are no circumstances in which an end-user should be given administrative permissions. Additionally, system patches should be maintained and services hardened in order to block potential ingress threats.
Workstations
Workstations are the portal for each end-user into the information infrastructure. They are utilized to perform daily tasks and to communicate with co-workers, clients, and vendors. They are also the easiest target for attackers, as they often have a trust relationship with servers and are less hardened, more prone to social engineering, and sometimes abused in their purpose.
1. Phishing & Pharming – These attacks are common and occur multiple times a day. They typically come in the form of an email that is cleverly crafted to fool the end-user into downloading an attachment, clicking a link, or responding outright, thereby collecting personal information or initiating the installation of other malicious software. Installing and maintaining anti-malware and anti-virus software on the local system will help mitigate these potential risks.
2. Compromised Passwords – Many end-users find password management annoying and an inconvenience. Because of this, they tend to reuse the same password, never change it, or do not use strong passwords, all of which are easy to crack. Password strength, age, history, and complexity rules should be implemented.
3. Worms, Viruses, & Trojans – Malware, software that is often bundled with other legitimate software or provided free of charge, may appear to be harmless but tends to run in the background consuming system resources and opening ports for access in the future. To combat these threats, anti-malware programs or anti-virus programs, so long as there is an anti-malware component, should be put in place. Additionally, all software should be vetted and tested in a sandbox environment before being deployed to the live network.
4. Social Engineering – Hacking geared toward the individual, in order to fool them into providing access to a system or, even worse, providing the data outright, is social engineering. The person is targeted instead of the system. This can at times be a much easier feat than hacking a system. The only way to mitigate this risk is to give end-users the knowledge, through security awareness training, to identify when someone is attempting to take advantage of them.
5. Missing Patches – Similar to the patching of servers, automated operating system and application patching should be enabled. This will mitigate the possibility of patches being overlooked.
Website
The website is the storefront, the face of the LLP. It is where the company presents data to the public, and it is also where clients can interact with the company and provide case data back to the LLP. As such, it is a prime target for hackers. The likeliest threats are:
1. SQL Injection – SQL injection is one of the more common types of attack, due to its ease and lack of detection. It can also be one of the most damaging, as it involves direct data exfiltration, manipulation, and theft from the database in which company and client confidential data is stored. The most effective defense against SQL injection attempts is proper input validation of user-supplied information, so as to remove the possibility of rogue malicious code execution.
2. Insecure Authentication – Another common attack is to intercept, or sniff, traffic that contains unencrypted passwords. Passwords and other sensitive identification and authentication information should be encrypted at rest and during transmission. Additionally, password complexity, age, history, and length policies should be put in place.
3. Cross Site Scripting (XSS) – These highly malicious attacks take control of user sessions, create content that compromises end-user authentication, deface and delete websites, and direct traffic away from the intended website. In order to prevent attacks such as these, as with SQL injection, input validation is a must. This will prevent unintended, malicious code from being passed to the backend webserver.
4. Outdated/Insecure Ports & Services – Many servers are configured for a single purpose, such as a fileserver or webserver. However, the server operating system is typically configured out of the box to run many services and leave multiple ports open, many of which will not be utilized. These services may often be set to run in an insecure manner. Any services that are not required should be disabled. Any ports that are not needed should be blocked using a firewall application. Finally, all services and applications that are required to run should be monitored through performance monitors and event logs, and should be kept up to date with patches and hotfixes.
5. Distributed Denial of Service (DDoS) – These attacks often cause a loss of service rather than a loss of data. The attacks flood a server’s services and ports and keep the server at maximum load, unable to answer legitimate requests from clients. If it persists, the attack can cause the software or operating system to crash outright. The best way to defend against these types of attacks is to put firewalls and other traffic-throttling appliances in place.