CITS1003 Cybersecurity Vulnerabilities

The document discusses vulnerabilities and controls in cybersecurity. It defines vulnerabilities as weaknesses that can be exploited by threats, and covers different types of vulnerabilities like those involving networks, web applications, and operating systems. It also discusses vulnerability reporting and scoring systems. The document then outlines various controls and best practices for mitigating vulnerabilities, such as implementing defense in depth, network segmentation, application control and patching systems.

Uploaded by: Phyo Min

CITS1003 Introduction to Cybersecurity
[6] Vulnerabilities and Controls
Dr David Glance

A unit about cats cybersecurity
(Cats generated by a Generative Adversarial Network (GAN): https://ajolicoeur.wordpress.com/cats/)
3 things
1. Understand vulnerabilities and how they are rated and reported
2. Know the OWASP top 10 vulnerabilities
3. Understand how vulnerabilities can be mitigated using controls
Vulnerability

 Vulnerability: weakness in an organisation’s assets that when exploited by a threat will lead to economic loss
 ISO27005 (Information Security Risk Management) identifies vulnerabilities in the following areas:
 Organization
 Processes and procedures
 Management routines
 Personnel
 Physical environment
 Information system configuration
 Hardware, software or communications equipment
 Dependence on external parties
 We are mainly interested in the last 2
Cybersecurity Vulnerability Ontology

Syed, R. (2020) https://www.sciencedirect.com/science/article/pii/S0378720620302718


Vulnerability Reporting

 When a vulnerability is discovered, it is usually reported to the organisation responsible for the product and they are
given time to fix
 Zero Day vulnerability is one that is unknown (or unfixed) by the manufacturer of the product when it is exploited
 Vulnerabilities that are reported and then fixed, by a patch or upgrade of the software or product, are then reported for
inclusion in public databases:
 CVE Common Vulnerabilities and Exposures (https://cve.mitre.org/index.html)
 NVD National Vulnerability Database (https://nvd.nist.gov/)
 VulDB (https://vuldb.com/)
 Disclosure comes with problems because it may help disseminate and promote exploits
 There is a market for bug finding (Bug Bounties) and also for selling Zero Days
Vulnerability Scoring

 Vulnerability scoring measures (NVD):
 Attack vector: network, local, physical
 Privileges required: none, low, high
 User interaction: none, required
 Impact on CIA: none, low, high
 CWSS: more complex and based on 3 measures:
 Base Findings: captures the inherent risk of the weakness, confidence in the accuracy of the finding, and strength of
controls.
 Attack Surface: the barriers that an attacker must overcome in order to exploit the weakness.
 Environmental: characteristics of the weakness that are specific to a particular environment or operational context
Exploits and Proofs of Concept

 Vulnerabilities are not really risks unless they are exploitable. In part, proving a
vulnerability relies on showing how it can be exploited
 Researchers often develop a proof of concept: a working way of exploiting a
vulnerability
 There are databases of known exploits to vulnerabilities: SearchSploit (and others)
https://www.exploit-db.com/searchsploit
Vulnerability Sharing

 Countries have Computer Emergency Response Teams (CERTs), but this term was
trademarked by Carnegie Mellon University, who started the first one in 1988
 AusCERT is Australia’s but all countries have their own
 Responsible for alerting organisations about specific vulnerabilities and threats
Example
AusCERT Security Bulletin Summary
Product: SpamAssassin
Publisher: Ubuntu
Operating System: Ubuntu
Impact/Access: Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2020-1946
SpamAssassin vulnerability 01 April 2021
SpamAssassin could be made to run programs if it opened a specially crafted file.
Releases: Ubuntu 20.04 LTS
Example: NVD entry
Network Vulnerabilities and Attacks 1
 Vulnerabilities that directly involve networks and their protocols:
 Network traffic is vulnerable to interception, being read and manipulated
 Network services are vulnerable to poor availability by being overloaded
 Sniffing: listening to traffic on a wired or wireless network (WiFi, Bluetooth, NFC)
 May involve a “man-in-the-middle” attack
 Wireless can be passively sniffed because it is broadcast
 Spoofing: altering communications to pretend to be a different sender
 e.g. Caller ID on an SMS or phone call, senders of emails
 Usually done at the network level altering TCP/IP packets
 Part of a man-in-the-middle attack
Network Vulnerabilities and Attacks 2
 Denial of service
 Flooding a service with fake requests so that real users cannot access the service
 Distributed Denial of Service (DDoS)
 Using many sources for denial of service attacks including Internet of Things (IoT) devices
 Man-in-the-middle attacks
 Intercept network traffic to sniff the packets before passing them to the legitimate destination or to a destination
under the attacker’s control
 Hacking: Initial Access and Lateral Movement
 Access a machine through the use of remote access services or through exploitation of vulnerabilities in a
network service
 Use a machine to “pivot” to other machines on the same, or different networks
Network Vulnerabilities
Network Sniffing
 This 7 year old took 11 minutes to hack the WiFi in a café after watching the how-to on YouTube
Web Vulnerabilities
 Some of the most common applications we use are web applications that are run by web servers.
Examples include:
 Banking website
 Netflix
 Amazon
 They communicate with browsers and send code and media to display.
 Some functionality is run on the browser, but important things like “transfer this money to my
friend” are done on the server
 There are numerous places where vulnerabilities can exist and there are common ones that occur
OWASP Top 10
 The Open Web Application Security Project (OWASP) maintains a list of the top 10 vulnerabilities:
 They can be split into the following types of error:
 Programming errors
 Authentication
 Input sanitization: Injection, Cross-Site Scripting (XSS)
 Security and access
 Configuration errors
 Insufficient logging or monitoring
 Security configuration
 3rd party programming errors
 Using components with known vulnerabilities
Finding Vulnerabilities: Scanning
 Vulnerability scanning
 Use tools that carry out an automated scan of the network and its services:
 nmap
 OpenVAS
 BurpSuite
 Nessus
 These look for vulnerabilities based on a database. They rely on accurately identifying the version of the software
they discover in order to check whether there are known vulnerabilities, i.e. the scanner doesn't try to
exploit vulnerabilities
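The version-matching step that scanners depend on, as an added example that is not from the slides or any of the tools named: a service banner is parsed into a product name and version, then compared against a small vulnerability database. The product name, the banner format "product/version" and the database entries are all constructed for illustration.

```python
# Added example (not from the slides): how a scanner matches a discovered service
# version against known-vulnerable version ranges. All data below is constructed.
import re

# Constructed database: product -> [(first_affected, first_fixed, label), ...]
KNOWN_VULNS = {
    "exampled": [
        ((1, 2, 0), (1, 2, 9), "EXAMPLE-VULN-A: remote code execution"),
        ((2, 0, 0), (2, 0, 3), "EXAMPLE-VULN-B: information disclosure"),
    ],
}

def parse_version(text):
    """'1.2.5' -> (1, 2, 5); missing components are padded with 0 so '2.0' < '2.0.3'."""
    nums = [int(n) for n in re.findall(r"\d+", text)]
    return tuple((nums + [0, 0, 0])[:3])

def parse_banner(banner):
    """'exampled/1.2.5 (Ubuntu)' -> ('exampled', (1, 2, 5)); None if no version is shown."""
    m = re.match(r"^([A-Za-z][\w-]*)/(\d+(?:\.\d+)*)", banner.strip())
    if not m:
        return None          # no version in the banner: the scanner cannot decide
    return m.group(1).lower(), parse_version(m.group(2))

def check_banner(banner):
    """Labels of known vulnerabilities whose range covers the banner's version.
    A range [first_affected, first_fixed) is inclusive at the low end and exclusive
    at the fixed version, which is how advisories usually state it. A banner that
    hides its version yields no findings (a false negative), and a distribution that
    backports a fix without changing the version string yields a false positive."""
    parsed = parse_banner(banner)
    if parsed is None:
        return []
    product, version = parsed
    return [label for lo, fixed, label in KNOWN_VULNS.get(product, [])
            if lo <= version < fixed]
```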
Finding Vulnerabilities: Penetration Testing
 Penetration Testing (Ethical Hacking)
 Professionals who use tools and their skills to look for vulnerabilities
 Will operate within an agreed scope regarding what they can and can’t do
 May be done as White Box, Grey Box or Black Box depending on how much information is provided about the
network and the applications that are running on them
 Red Teams
 Teams of ethical hackers that will try and penetrate a network, sometimes adopting Tactics, Techniques and
Procedures of known hacker groups
 They may operate against a Blue Team that tries to defend against the attack
 The purpose again is to highlight vulnerabilities
 Sometimes Blue and Red teams are combined to form Purple teams
Implementing Controls
 Implement Defense in Depth: i.e. have multiple layers of controls that implement security at each level
 Traditionally, people implemented a perimeter firewall to protect the company
 This doesn’t work so well when everyone is working remotely
 Partition the network into different functional concerns e.g. Departments in an organisation, servers from
the administration network, staff from students.
 Externally facing services like web servers put into a DMZ (Demilitarized Zone)
Network DMZ
[Diagram: network zones labelled Company, Employee and Public, with the public web server www.uwa.edu.au placed in the DMZ]
 Computers are built up using a secure baseline image: configuration of Windows (for example) that has default
user, system and security settings, certain software profiles
 Can implement Australian Signals Directorate (ASD) Essential Eight:
1. Application control: prevent the execution of unapproved/malicious programs
2. Configure Microsoft Office macro settings
3. Restrict administration privileges
4. Multi-factor Authentication
5. Daily backups
6. Patching applications
7. Application hardening
8. Patch Operating Systems
Application Control
 Vulnerability
 Windows has a variety of scripting languages that can be used for malicious purposes
 They can be run from the command line applications cmd.exe, powershell.exe and applications such as Microsoft
Office (Word, Excel, PowerPoint) which runs VBScript and JScript (a form of JavaScript)
 Although many attacks require a person to click on a link and allow a program or script to run, some do not need
this.
 Controls
 General users should be prevented from running scripts in PowerShell and another scripting environment Windows
Script Host (WSH)
 Launching applications on Windows (anything with a file extension of .exe) can be checked against an AllowList and
a BlockList
Microsoft Office Macros
 Vulnerability
 Office has the ability to automate actions by running a Macro which is a piece of script that is labelled and
associated with a key combination or some action such as opening a document
 Malicious users can craft macros that steal information (C) or run malware (C,I, A)
 Controls
 Microsoft has made it harder to run macros because the user has to agree to running them, but getting that agreement is
not too hard with some users
 Block macros in Office and train users

' Example macro: calls the Windows API to read the current user's name
' (illustrates how a macro can read information from the machine)
Declare PtrSafe Function GetUserNameA Lib "advapi32" ( _
    ByVal lpBuffer As String, _
    ByRef nSize As Long _
) As Long

Sub GetUsername()
    ' Fixed-length buffer that the API fills in; nSize is updated to the length written
    Dim Username As String * 256
    Dim nSize As Long
    nSize = 256
    If GetUserNameA(Username, nSize) <> 0 Then
        ' nSize counts the terminating null character, so drop it
        Debug.Print "Username: " & Left$(Username, nSize - 1)
    End If
End Sub
Restrict Administration Privileges
 A user with administrator privileges can normally carry out all actions on a computer including installing programs and device
drivers (software for printers, peripheral devices), managing user accounts, managing logging and auditing functions
 On Linux and Windows there are special users root and Administrator, but on consumer products the main user is usually an
administrator as well
 Windows will now make explicit when a user needs to use administrative privileges
 Vulnerability
 Users are given administrator privileges when they don’t need these privileges for everyday use
 Attackers who get access to these accounts then have increased access thanks to the privileges (C,I,A)
 Controls
 Limit the number of users who have administrator rights
 Train users to use them judiciously
 Monitor actions of anyone who uses these privileges
Multi-Factor Authentication
 Normal authentication uses a single factor: a password (often referred to as “something you
know” authentication type)
 Factors sometimes defined as:
 Type 1: Something you know
 Type 2: Something you have
 Type 3: Something you are or something you do
 Somewhere you are
 Context-Aware Authentication
 Vulnerability
 Attacker obtains username and password and uses it to gain unauthorised access (C – possibly I, A)
 Controls
 Multi-factor authentication makes it harder for an attacker to use a username and password.
 However, some second factors like SMS codes are relatively easy to get around
Daily Backups
 Vulnerability
 Access to files and information stored on a disk because of:
 Disk failure
 Lost device
 Ransomware or deletion

 Control
 Daily backup
 Cloud storage
 Issues
 Problems with how frequently you backup
 Overheads of backups: storage, network use
 Time to restore
 Backup confidentiality, integrity and availability
Patching Applications and Operating System
 A patch is a small update to application and operating system software that usually fixes bugs rather than
introduces major features (referred to as an upgrade)
 Vulnerability
 Known vulnerabilities in software can be exploited by attackers
 Issuing a patch tells attackers about vulnerabilities
 Control
 Update applications and operating system with patches as soon as they are available
 Issues
 Patches are often complicated and can impact the availability of systems themselves
 Issuing a patch informs attackers about vulnerabilities and increases the attacks
 User fatigue in constantly updating their systems
Application Hardening
 Vulnerability
 Many applications come with features and default settings that are insecure
 Default passwords that are the same for each product
 Examples are IoT devices, Routers, server software
 Control
 Harden application by removing default features and settings, setting new passwords
Anti-Malware Software
 Anti-Malware software (AKA Anti-Virus) can be installed at endpoints (computers, mobile devices,
tablets) or on edge devices like routers
 Works in real-time scanning network traffic, scan file changes and can do disk scans
 Works by looking for a range of indicators such as file signatures based on file hashes, presence of certain
strings (text), use of system functionality that is not normal for applications
 More recently anti-malware operates on behavioural analysis (anomaly-based): behaviour typical of
malware, unexpected network traffic, attempts to change memory or other applications
 This is increasingly done using machine learning techniques
 Software also does other things now like looking for suspicious browsing, blocking websites that are
known malware sites
 Malware has adapted and tries to evade (including anomaly-based software) and even disable anti-malware
software
Intrusion Detection Systems
 Intrusion detection system (IDS) can be network-based or host-based
 Like anti-malware, uses knowledge-based and behavioural-based approaches to detection
 Behaviour-based approaches take a baseline of network traffic and other factors and look
for changes
 IDS systems report back to a Security Information and Event Manager (SIEM) which can
alert security staff of issues
 IDS may take some active measure such as blocking traffic on finding an anomaly
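A minimal version of the behaviour-based approach described above, as an added example that is not part of the slides: a baseline of connections per minute is learned per host from a quiet period, and later minutes whose count deviates by more than a chosen number of standard deviations, or hosts never seen in the baseline, are reported as the kind of alert an IDS would forward to a SIEM. The log lines and their "<minute> <host> <connections>" format are constructed for this example.

```python
# Added example (not from the slides): behaviour-based detection against a learned baseline.
import statistics
from collections import defaultdict

# Constructed baseline period (one line per minute per host: minute host connections)
BASELINE_LOG = """\
2021-04-01T09:00 10.0.0.5 42
2021-04-01T09:01 10.0.0.5 39
2021-04-01T09:02 10.0.0.5 45
2021-04-01T09:03 10.0.0.5 41
2021-04-01T09:04 10.0.0.5 44
"""
# Constructed live period: one flood minute and one previously unseen host
LIVE_LOG = """\
2021-04-01T10:00 10.0.0.5 43
2021-04-01T10:01 10.0.0.5 410
2021-04-01T10:02 10.0.0.5 40
2021-04-01T10:03 10.0.0.9 7
"""

def parse(log):
    """Split each line into (minute, host, connection count)."""
    rows = []
    for line in log.splitlines():
        minute, host, count = line.split()
        rows.append((minute, host, int(count)))
    return rows

def build_baseline(log):
    """Per-host mean and population standard deviation of connections per minute."""
    per_host = defaultdict(list)
    for _, host, count in parse(log):
        per_host[host].append(count)
    return {h: (statistics.mean(c), statistics.pstdev(c)) for h, c in per_host.items()}

def detect(baseline, log, threshold=3.0):
    """Return (minute, host, count, reason) for each line that deviates from the baseline."""
    alerts = []
    for minute, host, count in parse(log):
        if host not in baseline:
            alerts.append((minute, host, count, "host not seen in baseline"))
            continue
        mean, sd = baseline[host]
        if sd == 0:                       # constant baseline: any change is a deviation
            z = 0.0 if count == mean else float("inf")
        else:
            z = (count - mean) / sd
        if abs(z) > threshold:
            alerts.append((minute, host, count, f"z-score {z:.1f} vs baseline {mean:.0f}"))
    return alerts
```

The threshold is a tuning knob: too low and normal variation floods the SIEM with alerts, too high and a slow increase in traffic never trips it.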
Intrusion Protection Systems
 Intrusion protection system (IPS) is usually placed inline in the network
 Like IDS, uses knowledge-based and behavioural-based approaches to detection
 IPS will take active measures to block malicious activity
 Sometimes combined as IDPS
 Open Source example Snort
Honeypots
 A Honeypot is a system that is put on the network to lure attackers to attack it and not the
real network
 The honeypot is often isolated from any other network meaning that the attackers spend
time trying to escape
 Can be sophisticated and replicate multiple machines, services and users
 Monitors attempts at probing and attacking
 Gives a geographical picture of where attacks are originating from
Data Loss Prevention (DLP)
 Systems that try and prevent data from being exfiltrated from an organisation
 Monitor amount of encrypted data being sent out of an organisation
 Watermark documents and check if they are being sent out of the organisation
 Monitor email from users and warn them if they are about to violate a policy by sending
data out of the organisation
 Theorized that DLP would have detected the exfiltration of 25 GB of emails and
documents from Sony Pictures when they were hacked in 2014
