Compare and contrast common vulnerabilities found in the following targets within an organization.CompTIA Cybersecurity Analyst (CySA+) Certification Exam Objectives Version 3.0
There are many kinds of servers (server applications) in Enterprise networks. The most common vulnerabilities are for web servers and database servers.
Web servers may have vulnerabilities in the actual service or the web application. Server software can include IIS, Apache, and NGIX among others. Each of these can include various modules that may also have vulnerabilities. It is important to keep web services patched and to only enable modules that are needed to lower the attack surface.
The web applications themselves may also have vulnerabilities. These could be things like cross site scripting attacks or unvalidated input. They can also have vulnerabilities caused by backdoors and maintenance hooks put into the application by programmers for testing that were not removed in the production version.
Database servers are also vulnerable both directly and through web applications that use them. One way that they can be exploited is through data sent to web applications without validation. If input is not validated, SQL commands can be sent to expose data that shouldn’t be accessible from the application. These are called SQL Injection attacks.
Endpoints are one of the weakest targets within an organization. Often times they have many different software packages that all may have vulnerabilities. Endpoints also have the human factor. Attack vectors based on this can include various social engineering attacks or malware. Endpoints should have up to date antivirus and potentially host IPS and host firewalls. Updates to the software and operating system must also be regularly done.
Infrastructure devices like routers, switches and wireless controllers all need to be kept secure. An infrastructure device that is compromised could be used to further execute attacks against the enterprise by rerouting or altering traffic that passes through the device. Compromised devices may also be used as platforms to attack other devices.
One potential sign of possible compromise is a network infrastructure device that reboots unexpectedly. When this happens, logs, crash files and the OS files themselves should be checked. Vendors usually provide hashes of the OS files to allow for verification. Some attacks can even alter the boot loader on the device to allow for a more persistent compromise.
Network infrastructure devices should be hardened using best practices such as those from NIST or DHS. Only services that are needed should be enabled. In addition all devices should have their logs sent to a central syslog or SIEM.
Network appliances, often those used for securing the network, can also have vulnerabilities. Some common ones to look for are listed below:
- Management Interfaces with no brute force protection
- Cross Site Scripting (XSS) flaws
- Unauthenticated users can find model and version information.
VMWare, KVM, XenApp and other virtualization software has revolutionized IT over the last decade. As with physical infrastructure there are security issues associated with virtual infrastructure.
- VM escape: In this attack, the attacker is able to leave the isolation of the virtual machine and interact directly with the hypervisor. This can lead to other guests on the same host being accessed by the attacker.
- Data Remnants: Data can be left behind on a host when a guest is moved to another host, any such data must be protected.
Virtual network switches can be vulnerable to the same attacks as physical infrastructure. The software that runs them also must be protected and kept updated to prevent against exploits.
Virtual infrastructure must be managed and there are some attacks that can use that management interface as a vector.
- Privilege Elevation: A privilege elevation on a hypervisor could compromise all of the guests on a host.
- Live VM Migration: During a vMotion, the data between hosts must be protected as not to reveal the contents of memory or the machine’s storage to an attacker.
Mobile devices have become ubiquitous in today’s world. Because these devices move between the corporate network and public networks, their security is extremely important. Some of the problems that must be addressed include:
- Insecure web surfing
- Insecure wifi (coffee shops, etc)
- Lost or stolen devices and the data that is on them
- Trojan horse applications
- Unpatched software.
- Unknown devices (BYOD)
A mixture of policies and tools must be used to provide a secure environment while still allowing the flexibility that these devices provide.
Virtual Private Networks (VPNs)
Virtual Private Networks (VPNs) are used to assure the integrity and confidentiality of data being sent across non-secured media including the Internet. Primarily VPNs are either based on IPSec or TLS/SSL technology
IP Security (IPSec) was originally developed as part of the IPv6 protocol. It was brought to IPv4 as a VPN technology. A VPN connection using IPSec is composed of two phases. The first phase creates the keys used for the session. The Internet Key Exchange (IKE) protocol is used to securely exchange the keys over the Internet.
The second phase creates the actual tunnels for the data. Internet Security Association and Key Management Protocol (ISAKMP) is used to create the security association based on the keys exchanged by phase one using IKE.
Using the same technology as secure websites (HTTPS), a VPN can be created. This type of VPN has the advantage that HTTPS is a standard protocol that is almost always allowed through firewalls.
Industrial Control Systems/SCADA Systems
Industrial Control Systems are used to control processes such as assembly lines and power plants. These systems are often running software that if compromised could cause serious physical damage. Due to their specialization, they are often not designed with security in mind or the ability to be patched. Because of these limitations, both physical and network segmentation is a must to secure ICS.