7/27/2019 Lecture 2 Vulnerability.ppt
http://slidepdf.com/reader/full/lecture-2-vulnerabilityppt 1/24
BIT 3206
VULNERABILITIES
Vulnerabilities
A vulnerability is a weakness or fault in a system that exposes information to attack. It allows an attacker to reduce any system’s Information Assurance.
7/29/2013 IAS-13
Vulnerabilities
Attackers exploit existing security vulnerabilities on systems to gain unauthorized access to systems and data.
Vulnerabilities can either be of a technical nature, such as bugs in software, or non-technical, e.g. a user discloses their password to an unauthorized person.
Keeping on top of information security vulnerabilities is an essential
Vulnerability cont’d
It is the intersection of three elements:
A system susceptibility or flaw,
Attacker access to the flaw, and
Attacker capability to exploit the flaw.
Therefore, understanding your vulnerabilities is the first step to managing risk.
Vulnerability cont’d
To exploit a vulnerability, an attacker must have at least one applicable tool or technique that can connect to a system weakness. Any examples?
An exploit is a method for taking advantage of a known vulnerability.
In this frame, vulnerability is also known as the attack surface.
Vulnerability Examples
– An attacker convinces a user to open an email message with attached malware;
– An insider copies a hardened, encrypted program onto a thumb drive and cracks it at home;
– A flood damages your computer systems installed on the ground floor.
Can you identify the flaws in these examples?
Vulnerability Causes
Complexity: Large, complex systems increase the probability of flaws and unintended access points.
Familiarity: Using common, well-known code, software, operating systems, and/or hardware.
Connectivity: More physical connections, privileges, ports, protocols, and services.
Vulnerability Causes
• Fundamental operating system design flaws: Enforcement of suboptimal policies on user/program management, such as granting every program and every user full access to the entire computer. This operating system flaw allows viruses and malware to execute commands on behalf of the administrator.
Vulnerability Causes
Internet website browsing: Some internet websites may contain harmful spyware or adware that can be installed automatically on computer systems, which might infect those systems, and personal information can then easily be passed on to third-party individuals.
Vulnerability Causes
• Password management flaws: The computer user uses weak passwords that could be discovered by brute force. The computer user stores the password on the computer where a program can access it. Users re-use passwords between many programs and websites.
• Software bugs: The programmer leaves an exploitable bug in a software program. The software bug may allow
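As an added example (not from the lecture), the three password-management flaws above turned into checks a defender can run: a brute-force time estimate for weak passwords, detection of re-use, and storage as a salted slow hash instead of a plaintext that any program on the machine can read. The common-password list and the guessing rate of 10^9 per second are constructed assumptions.

```python
import hashlib
import hmac
import os
import string

# Constructed placeholder standing in for a real leaked-password wordlist.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "admin"}

# Assumed attacker speed for the estimate (offline guessing of a fast hash).
GUESSES_PER_SECOND = 1e9


def brute_force_seconds(password: str) -> float:
    """Worst-case time to search every string over the character classes the
    password actually uses, at GUESSES_PER_SECOND. A small value means the
    password falls to brute force even when it is in no wordlist."""
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    alphabet = sum(len(c) for c in classes if any(ch in c for ch in password))
    if alphabet == 0:
        return 0.0
    return alphabet ** len(password) / GUESSES_PER_SECOND


def password_weaknesses(password: str, previously_used=frozenset()) -> list:
    """Map the slide's three flaws onto concrete findings (empty list: none)."""
    findings = []
    if password.lower() in COMMON_PASSWORDS:
        findings.append("common: a dictionary attack tries it first")
    if brute_force_seconds(password) < 86400:  # whole keyspace in under a day
        findings.append("brute-forceable: keyspace searched in under a day")
    if password in previously_used:
        findings.append("re-used: a breach elsewhere exposes this account")
    return findings


def store_password(password: str) -> tuple:
    """Keep a random salt and a slow salted hash, never the password itself,
    so a program that reads the credential file cannot recover the secret."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute the hash for the candidate and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000)
    return hmac.compare_digest(candidate, digest)
```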
Vulnerability Classifications
Vulnerabilities are classified according to the asset class they are related to:
Vulnerability Classifications
Employees
Social interaction
Customer interaction
Discussing work in public locations
Taking data out of the office (paper, mobile phones, laptops)
Emailing documents and data
Mailing and faxing documents
Installing unauthorized software and apps
Vulnerability Classifications
Removing or disabling security tools
Letting unauthorized persons into the office (tailgating)
Opening spam emails
Connecting personal devices to company networks
Writing down passwords and sensitive data
Losing security devices such as ID cards
Lack of information security
Vulnerability Classifications
Former Employees
Former employees working for competitors
Former employees retaining company data
Former employees discussing company matters
Technology
Social networking
File sharing
Rapid technological changes
Storing data on mobile devices such as mobile phones
Vulnerability Classifications
Hardware
Susceptibility to dust, heat and humidity
Hardware design flaws
Out-of-date hardware
Misconfiguration of hardware
Vulnerability Classifications
Software
Insufficient testing
Lack of audit trail
Software bugs and design faults
Unchecked user input
Software complexity (bloatware)
Software vendors that go out of business
Vulnerability Classifications
Network
Unprotected network communications
Open physical connections, IPs and ports
Insecure network architecture
Unused user IDs
Excessive privileges
Unnecessary jobs and scripts executing
Wifi networks
Vulnerability Classifications
IT Management
Insufficient IT capacity
Missed security patches
Insufficient incident and problem management
Configuration errors and missed security notices
System operation errors
Lack of regular audits
Improper waste disposal
Insufficient change management
Business process flaws
Vulnerability Classifications
Inadequate business controls
Processes that fail to consider human factors
Overconfidence in security audits
Lack of risk analysis
Rapid business change
Inadequate continuity planning
Lax recruiting processes
Vulnerability Classifications
Partners and Suppliers
Disruption of telecom services
Disruption of utility services such as electric, gas, water
Hardware failure
Software failure
Lost mail and courier packages
Supply disruptions
Sharing confidential data with partners and suppliers
Vulnerability Classifications
Customers
Customer access to secure areas
Customer access to data (i.e. customer portal)
Offices and Data Centers
Sites that are prone to natural disasters such as earthquakes
Locations that are politically unstable
Locations subject to government spying
Unreliable power sources
High crime areas
Multiple sites in the same geographical location
Vulnerability Management
Having looked at the different vulnerability classifications, can you identify and explain ways in which those vulnerabilities can be managed?