Technology Vulnerabilities Part 1


Time: 4 hours 25 minutes
Difficulty: Intermediate
CEU/CPE: 4
Video Transcription
00:00
>> Hi, and welcome to Module 1. In this module, we're going to talk about the threat landscape. Essentially, what the threat landscape is, it's a combination of all of those vulnerabilities and those risks out there to our infrastructure, all of the things that could go wrong in the infrastructure as far as security is concerned.

Whenever we talk about the threat landscape, it's important that we start off by talking about the attack surface. The attack surface is conceptual. You can visualize the attack surface as a plane, and on that plane is everything in our infrastructure that's vulnerable to attack. We're talking about all of the systems in the environment, so all of the PCs and laptops, and databases and servers, and even badge readers and video conferencing systems. Basically, any technology system that's attached to our environment is on this attack surface. We're also talking about all of the networks that link all of those systems together: the routers and switches, and all of the other network components behind the scenes.

Also on that surface is the people. A lot of times we forget about the people as being part of the attack surface, but it's a very big part of it. People are human beings. Human beings make mistakes, and a lot of times they're taken advantage of to gain access to an environment. Finally, on that attack surface is all of the processes, all of those things that we do that regulate our people and technology. We could have the best tech in the world and the best people in the world, but if we have a broken process, someone can find a gap in that process and can exploit it to gain information they shouldn't have.

The word vulnerability simply means open to attack or damage. When we talk about vulnerabilities, we can really break it down into three different groups. There are software vulnerabilities, configuration vulnerabilities, and hardware vulnerabilities.

Let's start off by talking about software vulnerabilities. By software vulnerability, we're talking about the flaws in the way the application code is actually written. We're talking about the code level itself, the way the code is written, just bugs in the way it's written that allow attackers to do things that they shouldn't be able to do.

Now, when it comes to software vulnerabilities, there's a non-profit organization called OWASP, which stands for Open Web Application Security Project. They maintain a top 10 list of the top 10 most common software vulnerabilities. A few examples are here. This isn't the whole top 10 list, this is just a few examples. There's injection, where code allows a user to inject something that they shouldn't be able to. There's broken authentication management: maybe the system doesn't request credentials, or maybe it requests credentials in a way that's not very safe or a way it shouldn't. There's even sensitive data exposure: maybe there's a flaw in the way the code is written that allows somebody to gain access to some data that they shouldn't have.

We'll take a look at an example of one of the injections. Now, this is just one example so we can get an idea of how software vulnerabilities work. The one we're going to talk about is SQL injection, but before we can talk about SQL injection, we need to talk about how a normal SQL query works. We've got this situation where we've got our end-user Bob over here on the left, and Bob wants to interact with a form out there on the web. Maybe he's logged into some application and he wants to pull his own profile information from that application. Bob sends a request: he types his name in the field in the form and says, give me my data. The form says, what data do you want? Bob puts his name in there and he says, give me my data. The application passes that back to the database, and the database says, that's a valid request, so I'm going to hand back Bob the data, and the application passes Bob's data to him. Pretty straightforward. Bob put his name in the form, Bob's data came back.

In the case of a SQL injection, instead of Bob requesting his name in the form, Bob's going to inject some code in the form. Now, this is not actual code, this is just a visual representation. But Bob can inject some code in the form, and maybe this code is in the form of a SQL query. If the application is not written properly, if there's a vulnerability in the application, it may not realize that what Bob entered into the field is not actually his name but a SQL query, and it simply passes it back to the SQL database and says, hey. In this case, Bob's SQL query says, hey, give me everyone's data. The SQL database says, I've got a valid request from a trusted entity, which is the application itself, not from Bob. I'm going to go ahead and pass that back, and then the application simply passes that back to Bob. Now Bob's got everybody's data because he injected a query into the form and the application allowed him to do that.

Another example of SQL injection could be the same situation, but this time the code that Bob injects into the form, instead of being a SQL query, maybe it's a command that deletes the entire SQL database, and now the database is gone. That's an example of SQL injection. As I said, that's just one example of one type of software vulnerability. We could spend months and months talking about the different types of vulnerabilities, but I want to give one example so that you can have some context as we go through this course.

How do we mitigate vulnerabilities in software? The best way to do it is by regular patching. The software vendors out there are constantly reviewing their software internally. There's also a lot of companies that have bug bounty programs where they actually will pay people, just random people out there on the Internet, if they find a bug in a piece of software. Vendors will pay them for that because they use that information to then create a patch that they can pass on to the general public and mitigate that vulnerability, so regular patching is critical.

Also, regular scanning. Not only should we just patch when the vendor tells us to patch, but we should be scanning the environment. There's a number of scanners out there, both commercial and open-source, that allow you to scan an environment, and it gives you a nice report on what the environment looks like, where the vulnerabilities exist, and you can use that to help prioritize how you patch.

This is a big one too. You need to sunset your end-of-life applications. What I mean by that is get rid of them. A lot of organizations have these applications that maybe are revenue-generating applications, so they're really important, but the vendor stopped supporting them. You haven't updated the application in forever, the vendor stops supporting that version of the application, so as vulnerabilities are found, that software vendor is not going to continue to put out regular patches. Yes, this application may be making money for your organization, but the longer you go with that end-of-life application, the more vulnerabilities pile up and the more exploits are developed against those vulnerabilities, and your risk starts to exponentially increase. When you have an application out there and it's end of life, you should either upgrade it to the latest version, or create a plan to upgrade it to the latest version, or, in cases where the vendor went out of business and it doesn't exist anymore, you need to create a plan to get rid of it altogether and replace it with a new application. Keeping up to date is critical when you're talking about mitigating software vulnerabilities.

Software vulnerabilities are scored according to a system known as CVSS, which stands for the Common Vulnerability Scoring System. Essentially, it's an industry-wide system that gives a score. It attempts to score the criticality of the vulnerability so we can prioritize it. It uses a lot of different methods to do that. There's a lot of artifacts that it looks at for a vulnerability. For example, what's the attack vector? Is this something that can be attacked via the network, or do you have to have physical access to the device? Does it require user interaction or not? All of those types of things go into the CVSS score, and that score is a mechanism that can be used to prioritize vulnerabilities in the environment.

CVE is another common term, and that stands for Common Vulnerabilities and Exposures. A lot of times you'll hear the two together. CVE is just a way to identify the vulnerability itself. It's a unique identifier, so in this case, we've got CVE-2019-16701. It looks like some vulnerability in pfSense. There's hundreds of thousands of these CVEs out there, but a CVE is just a way to identify the vulnerability so that you can link mitigation actions, and it can be referenced by lots of different products. Whenever they identify a vulnerability, they'll put the vulnerability ID so you know what you're talking about, and there's usually links you can click to understand what you need to do to mitigate those vulnerabilities. CVE is the identification and CVSS is the scoring system.
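The Bob scenario from the video, as an added example that is not part of the original lesson: a hypothetical profile lookup written the vulnerable way (the form value is pasted into the SQL text) beside the parameterized form that the database treats as data, run against a constructed in-memory SQLite table. The table contents, the `lookup_*` helper names and the injected input are all constructed for this example.

```python
import sqlite3

# Constructed sample rows standing in for the application's profile database.
SAMPLE_ROWS = [
    ("Bob", "bob@example.com"),
    ("Alice", "alice@example.com"),
    ("Carol", "carol@example.com"),
]

# Constructed "give me everyone's data" form input: the closing quote ends
# Bob's name early and the OR clause makes the WHERE condition true for every row.
INJECTED_NAME = "x' OR '1'='1"


def make_db():
    # Build the in-memory profile table the two handlers below query.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE profiles (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO profiles VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, name):
    # Hypothetical vulnerable handler: the form value becomes part of the SQL,
    # so the database cannot tell Bob's name apart from SQL that Bob typed.
    sql = f"SELECT name, email FROM profiles WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, name):
    # Hardened handler: the value travels as a bound parameter and is only
    # ever compared against the name column, never parsed as SQL.
    sql = "SELECT name, email FROM profiles WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def demo():
    # Returns (rows for Bob's honest request, rows leaked by the injected
    # input through the vulnerable handler, rows the hardened handler returns
    # for that same injected input).
    conn = make_db()
    honest = lookup_vulnerable(conn, "Bob")
    leaked = lookup_vulnerable(conn, INJECTED_NAME)
    safe = lookup_parameterized(conn, INJECTED_NAME)
    return len(honest), len(leaked), len(safe)


if __name__ == "__main__":
    print(demo())  # (1, 3, 0)
```

The parameterized handler is the code-level fix a vendor patch for this class of bug would contain; the same bound-parameter pattern applies to the delete-the-database variant, because a bound value can never introduce a new statement.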