Archive for 0day

The OWASP Top 10 - 2017 vs. BIG-IP ASM

Posted in security, f5, big-ip, application security, asm, compliance, malware, 0day, owasp by psilva on November 29th, 2017

With the release of the new 2017 Edition of the OWASP Top 10, we wanted to give a quick rundown of how BIG-IP ASM can mitigate these vulnerabilities.

First, here's how the 2013 edition compares to 2017.

[Image: 13to17.png]


And here is how BIG-IP ASM mitigates each vulnerability (OWASP category, followed by the BIG-IP ASM controls that address it):

A1 Injection Flaws
  • Attack signatures
  • Meta character restrictions
  • Parameter value length restrictions

A2 Broken Authentication and Session Management
  • Brute force protection
  • Session tracking
  • HTTP cookie protection

A3 Sensitive Data Exposure
  • Data Guard

A4 XML External Entities (XXE)
  • Attack signatures (see below)

A5 Broken Access Control
  • File types
  • URL
  • URL flows
  • Session tracking
  • Attack signatures (directory traversal)

A6 Security Misconfiguration
  • Attack signatures

A7 Cross-site Scripting (XSS)
  • Attack signatures
  • Parameter meta characters
  • Parameter value length restrictions
  • Parameter type definitions (such as integer)

A8 Insecure Deserialization
  • Attack signatures (see below)

A9 Using Components with Known Vulnerabilities
  • Attack signatures integration

A10 Insufficient Logging and Monitoring
  • BIG-IP ASM can help with the monitoring process to detect, alarm on and deter attacks


Specifically, we have attack signatures for “A4:2017-XML External Entities (XXE)”:

  • 200018018           External entity injection attempt
  • 200018030           XML External Entity (XXE) injection attempt (Content)

An XXE attack can also be mitigated by the XML profile, by disabling DTDs (and of course enabling the “Malformed XML data” violation):

[Image: asmclip.jpg, XML profile settings]
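As an added example (not code from the original post or from F5), here is a small Python model of the two XML profile settings described above, DTDs disabled plus the “Malformed XML data” violation, built on the standard library expat parser. The violation labels and the sample request bodies are this example's own constructions, not ASM's exact strings or real traffic.

```python
from typing import Optional
import xml.parsers.expat
from xml.parsers.expat import ExpatError


class DtdSeen(Exception):
    """Raised from the expat callback as soon as a DOCTYPE declaration appears."""


def inspect_xml(body: bytes) -> Optional[str]:
    """Model of an XML profile with DTDs disabled: return the name of the
    violation this request body would raise, or None when it passes.
    (Violation labels are this example's own, not ASM's exact wording.)"""
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # Any DTD is refused before a single entity can be declared, so
        # external entities (XXE) and entity-expansion bombs are never parsed.
        raise DtdSeen(name)

    parser.StartDoctypeDeclHandler = on_doctype
    try:
        parser.Parse(body, True)      # True: this is the final chunk
    except DtdSeen:
        return "DTD not allowed"
    except ExpatError:
        return "Malformed XML data"   # the violation the post says to enable
    return None


# Constructed sample request bodies (not captured traffic).
BENIGN = b'<?xml version="1.0"?><order><item qty="2">widget</item></order>'
# Inline DTD declaring an external entity: the shape the
# "External entity injection attempt" signature is written for.
XXE_ATTEMPT = (b'<?xml version="1.0"?>'
               b'<!DOCTYPE order [<!ENTITY ext SYSTEM "file:///placeholder/path">]>'
               b'<order><item>&ext;</item></order>')
MALFORMED = b'<order><item>widget</order>'   # mismatched closing tag

if __name__ == "__main__":
    for label, body in [("benign", BENIGN), ("xxe", XXE_ATTEMPT), ("malformed", MALFORMED)]:
        print(f"{label:9s} -> {inspect_xml(body)}")
```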

For “A8:2017-Insecure Deserialization” we have many signatures, which usually include the name “serialization” or “serialized object”, like:

  • 200004188           PHP object serialization injection attempt (Parameter)
  • 200003425           Java Base64 serialized object - java/lang/Runtime (Parameter)
  • 200004282           Node.js Serialized Object Remote Code Execution (Parameter)

A quick run-down thanks to some of our security folks.

ps


Lightboard Lessons: What is DDoS?

Posted in security, f5, application security, lightboard, DoS attack, basics, scams, devcentral, 0day, botnet, ddos by psilva on November 1st, 2017

Over the last quarter, there were approximately 500 DDoS attacks daily around the world with some lasting as long as 300 hours. In this Lightboard Lesson I light up some #basics about DoS and DDoS attacks. 

ps



Managing Your Vulnerabilities

Posted in f5, big-ip, application security, cloud computing, compliance, 0day by psilva on December 9th, 2016


I recently recovered from ACDF surgery, where they remove a herniated or degenerative disc in the neck and fuse the cervical bones above and below the disc. My body had a huge vulnerability where one good shove or fender bender could have ruptured my spinal cord. I had some items removed and some hardware added, and now my risk of injury is greatly reduced.

Breaches are occurring at a record pace, botnets are consuming IoT devices and bandwidth, and the cloud is becoming a de-facto standard for many companies. Vulnerabilities are often found at the intersection of all three of these trends, so vulnerability and risk management has never been a greater or more critical challenge for organizations.

Vulnerabilities come in all shapes and sizes, but one thing that stays constant, at least in computer security, is that a vulnerability is a weakness which allows an attacker to reduce a system’s information assurance. It is the intersection of three things: a flaw the system is susceptible to, whether an attacker can access that flaw, and whether an attacker can exploit that flaw within the system. For F5, it means an issue that results in a confidentiality, integrity, or availability impact on an F5 device by an unauthorized source, something that affects critical F5 system functions such as passing traffic.

You may be familiar with CVE, or Common Vulnerabilities and Exposures. This is a dictionary of publicly known information security vulnerabilities and exposures. Each vulnerability or exposure gets a name, or CVE ID, which allows organizations to reference it in a public way. It enables data exchange between security products and provides a baseline index point for evaluating the coverage of tools and services. MITRE is the organization that assigns CVEs. There are also CVE Numbering Authorities (CNAs): instead of sending a vulnerability to MITRE for numbering, a CNA gets a block of numbers and can assign IDs as needed. The total number of CVE IDs is around 79,398.

Most organizations are concerned about CVEs and the potential risk if one is present in their environment. This is obviously growing with the daily barrage of hacks, breaches and information leaks. Organizations can uncover vulnerabilities from scanner results; from media coverage like Heartbleed, Shellshock, Poodle and others; or from the various security related standards, compliance or internal processes. The key is that scanning results need to be verified for false positives, hyped vulnerabilities might not be as critical as the headline claims and what the CVE might mean for your compliance or internal management.

For F5, we keep a close eye on any third-party code that might be used in our systems; OpenSSL, BIND and MySQL are examples. For any software, there may be bugs, researchers’ reports or even non-CVE vulnerabilities that could compromise the system. Organizations need to understand the applicability, the impact and the mitigation available.

Simply put: Am I affected? How bad is it? What can I do?

[Image: vuln chart]

With applicability, research typically determines whether an organization should care about the vulnerability at all: is the vulnerable software version noted, and are you running it? Are you running the vulnerable function within the software? Sometimes older or non-supported versions are vulnerable but you’ve upgraded to the latest supported code, or you are simply not using the vulnerable function at all. The context is also important: is it being used in default, standard or recommended mode? For instance, many people don’t change the default password of their Wi-Fi device, and certain functionality is vulnerable; it gets compromised and becomes part of a botnet. But if the password was changed, as recommended, and the device becomes compromised some other way, then that is a different situation to address.

[Image: CVSS calculator]

For impact, there are a couple of ways to decide how bad it is. First, you can look at the severity of the vulnerability: is it low, medium, high or critical? You can also see whether there is a Common Vulnerability Scoring System (CVSS) score tied to the vulnerability. The CVSS score gives you a gauge of the overall risk. To go a bit deeper, you can look at the CVSS vector.

There are three sections to the CVSS. The base metrics are constant and cover the exploitability of the issue, the impact it may have and the scope it is in. The temporal metrics may change over time and give the color commentary of the issue. The environmental metrics look at the specific, individual environment and how that is impacted. Areas explored here include the attack vector and complexity, whether elevated privileges or any user interaction are required, the scope, and how the issue affects the confidentiality, integrity and availability of the system. You can use the CVSS calculator to help determine a vector score: with a few selections you get a base, temporal and environmental score and an overall view of the severity. With this, you can get an understanding of how to handle the vulnerability. Every organization has different levels of risk based on its unique situation. The vulnerability’s base score may be listed as critical, yet based on your environmental score, the severity and risk may be nil.

Lastly, the Mitigation taken is not an exact science and truly depends on the issue and the organization’s situation. Mitigation is not necessarily prevention. For example, compensating controls, such as restricting root level access might mean that a vulnerability simply isn’t exploitable without a privileged account.

Vulnerability management and information security is about managing risk. Risk analysis, risk management, risk mitigation and what that risk means to the business. Patching a vulnerability can introduce other risks, so the old refrain of “patch your $#!+” is not the panacea we’re often led to believe. Risk is not limited to the severity of the vulnerability alone, but also to the required vector for exploiting that vulnerability where it exists within a specific organization’s infrastructure.

It’s important to understand your risk and focus on the important pieces.

ps




RSA 2014: DDoS Protection (feat Bocchino)

Posted in security, f5, big-ip, application security, silva, video, DoS attack, cybercrime, hackers, rsa, infrastructure, 0day, access by psilva on February 25th, 2014

F5 Sr. Systems Architect Ken Bocchino shows me a live demonstration of how F5 protects the fundamental elements of an application (network, DNS, SSL and HTTP) against aggressively evolving DDoS attacks. Ken is always a fun and interesting guest.

ps




GartnerDC 2013: DDoS Reference Architecture

I meet with Sr. TMM David Holmes to get the scoop on F5’s DDoS Reference Architecture. David has circled the globe talking to customers about their security concerns and shares some of that insight along with explaining how F5 can mitigate those attacks.

 

ps






The Top 10, Top 10 Predictions for 2014

This time of year the crystal balls get a viewing and many pundits put out their annual predictions for the coming year.  Rather than thinking up my own, I figured I’d regurgitate what many others are expecting to happen.


Cybersecurity in 2014: A roundup of predictions: ZDNet might have picked up that I have done this for the past two years and Charles McLellan put together his own collection.  This is a good place to start with lists from Symantec, Websense, FireEye, Fortinet and others.  Mobile malware, zero-days, encryption, 'Internet of Things,' and a personal favorite, The Importance of DNS are amongst many predictions.

Eyes on the cloud: Six predictions for 2014: Kent Landry, Senior Consultant at Windstream, focuses on cloud futures in this Help Net Security piece. Hybrid cloud, mobility and that pesky Internet of Everything make the list.

5 key information security predictions for 2014: InformationWeek has Tarun Kaura, Director, Technology Sales, Symantec discuss the coming enterprise threats for 2014.  Social Networking, targeted attacks, cloud and yet again, The Internet of Things finds a spot.

Top 10 Security Threat Predictions for 2014: This is essentially a slide show of Fortinet's predictions on Channel Partners Telecom but good to review.  Android malware, increased encryption, and a couple botnet predictions are included.

2014 Cyber Security Forecast: Significant healthcare trends: HealthITSecurity drops some security trends for healthcare IT security professionals in 2014. Interesting takes on areas like standards, audit committees, malicious insiders and the supply chain are detailed.

14 IT security predictions for 2014: RealBusiness covers 10 major security threats along with four ways in which defenses will evolve.  Botnets, BYOD, infrastructure attacks and of course, the Internet of Things.

4 Predictions for 2014 Networks: From EETimes, this short list looks at the carrier network concerns.   Mobile AAA, NFV, 5G and once again, the Internet of Things gets exposure.

8 cyber security predictions for 2014: InformationAge goes full cybercriminal with exploits, data destruction, weakest links along with some 'offensive' or retaliatory attack information.

Verizon's 2014 tech predictions for the enterprise: Another ZDNet article covering the key trends Verizon believes will brand technology.  Interest includes the customer experience, IT decentralization, cloud and machine-to-machine solutions. 

Research: 41 percent increasing IT security budget in 2014: While not a list of predictions, this article covers a recent Tech Pro Research survey findings focused on IT security.  The report, IT Security: Concerns, budgets, trends and plans, noted that 41 percent of survey respondents said they will increase their IT security budget next year.  Probably to counter all the dire predictions.

A lot to consider as you toast the new year with the Internet of Things making many lists.  The key is to examine your own business and determine your own risks for 2014 and tackle those first.

ps




Every Day is a 0-Day Nowadays

Posted in Uncategorized, security, f5, big-ip, application security, silva, control, hackers, 0day by psilva on March 19th, 2013

It sure seems like 0-days are now an everyday occurrence. Headlines containing 'breach,' 'attack,' 'hack,' 'vulnerability,' 'passwords,' 'compromised,' and 'you' are commonplace in the media these days. Typically a 0-day is described as a threat or an attack on a (previously) unknown vulnerability; this is day zero of enlightenment. Often, the developers themselves are not even aware of the vulnerability. 0-days can command multiple zeros after the dollar sign, since malicious folks can exploit them immediately. From plug-ins to extensions to browsers to web apps to SCADA systems, 0-days used to be an every-so-often occurrence, yet now it's almost a once-a-day adventure. I propose that we redefine '0-day' to mean a day when zero vulnerabilities are found and exploited, or no breaches occur. 0-days would instantly become a rare happening. I should have titled this blog, Eliminate 0-Day Attacks! ...with a Simple Definition Adjustment. Now that would be a headline.

March Madness, the NCAA Men's Division 1 Basketball Championship, is also a ripe time for attacks.  As the tournament heats up so do phishing attacks, 0day exploits and malware madness.  From fake wagering sites to score tickers to simple bracket apps, internet scams are all over.  Be on high alert for web sites and emails asking you to enter your predictions, download brackets or any activity that involves clicking a suspicious link and entering info.  Be especially wary of those that ask for your social media credentials to 'share' your predictions.

While 0-days can ruin any day, be especially cautious during these times of the year when internet traffic surges and websites are fighting for your attention; the holidays are another example. The web app might be the target, but you may become the victim. F5 certainly has solutions that can help organizations protect their critical infrastructures, systems, web apps and visitors. And with the agility of iRules, organizations can defend against 0-days in a matter of minutes. Stay secure and smile all the way through the madness.

ps
