Vulnerabilities and Attacks on IT Infrastructures. Simone Riccetti, Sr. IT Security Architect
Agenda: X-Force Research Team; Vulnerabilities and Threats; Protection Technologies; Attack Lifecycle; Live Demo
The mission of the IBM Internet Security Systems X-Force research and development team is to: research and evaluate threat and protection issues; develop assessment and countermeasure technology; educate the media and user communities.
Agenda: Vulnerabilities and Threats
Vulnerability Highlights. The overall number of disclosed vulnerabilities increased compared to previous years: a 5% increase over the first half of 2007.
Patch Availability Date (chart). Y-axis: days between patch release and vulnerability disclosure; X-axis: vulnerability disclosure date. Data: 1,551 patches; 15% available before disclosure, 54% at disclosure, 31% after disclosure. Courtesy: Stefan Frei, ETH Zurich, http://www.techzoom.net/risk/
Exploit Availability Date (chart). Y-axis: days between vulnerability disclosure and exploit availability; X-axis: vulnerability disclosure date. Data: 3,428 exploits; 23% available before disclosure, 58% at disclosure, 19% after disclosure. Courtesy: Stefan Frei, ETH Zurich, http://www.techzoom.net/risk/
Browser Vulnerabilities. Memory corruption is the main vulnerability class. No substantial difference.
Primary Exploit Target: Browser Plug-Ins. The majority of publicly released exploits are for browser plug-ins, and the top five most exploited browser vulnerabilities all target plug-ins. Although most active exploitation focuses on older vulnerabilities, newer attack tools have automatic methods to incorporate the most recent exploits.
Web Server Application Vulnerabilities. Three newcomers to the top-ten vendor list were web server application software vendors. Web server application vulnerabilities account for 54% of all 2008 H1 disclosures and 51% of disclosures since 2006.
Agenda: Protection Technologies
ISS Preemptive Protection
Vulnerability-Focused Protection
Agenda: Attack Lifecycle
How do you get owned these days? The Attack Lifecycle. The initial culprits in owning a system can be as innocent as an e-mail from Mom or as malicious as a hacker set on stealing valuable information.
The Attack Lifecycle
1. Inherent in any computer program are vulnerabilities: small cracks in the code that let in things that were never intended.
2. A proof of concept, or exploit, is created to take advantage of the vulnerability.
3. The exploit triggers the flaw (for example a buffer overflow) to hijack control flow, and shellcode is injected to enable remote code execution.
4. The shellcode runs and opens a back door to the system.
5. Malcode, such as a trojan or rootkit, is executed to wreak havoc on the system.
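The first two stages above (a vulnerability, then a proof-of-concept payload that abuses it) in working code. This is an added example, not code from the original slides or from IBM ISS: a length-prefixed "login" record is parsed into a struct whose user-controlled name field sits directly before a privilege flag. The vulnerable parser never checks the attacker-supplied length against the field, so a crafted 20-byte payload overflows into the flag; the hardened parser bounds the copy and rejects the same payload. The struct and function names (`struct session`, `parse_session_vuln`, `parse_session_safe`, `build_poc`) and the payload are this example's own constructions.

```c
/* Added example (not from the original slides): a minimal model of the
 * vulnerability -> proof-of-concept stages of the attack lifecycle.
 * Names and the payload are this example's own assumptions. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NAME_LEN 16

struct session {
    char    name[NAME_LEN];   /* user-controlled field */
    int32_t is_admin;         /* lives right after name in memory */
};

/* Vulnerable: trusts the attacker-supplied length. The copy goes through
 * the struct's byte representation so the overflow lands deterministically
 * on is_admin (the same effect as an unchecked strcpy/memcpy into name);
 * with len > sizeof(struct session) it would corrupt memory past the
 * object, which is the real-world case. */
static void parse_session_vuln(struct session *s, const uint8_t *payload, size_t len)
{
    memset(s, 0, sizeof *s);
    uint8_t *dst = (uint8_t *)s + offsetof(struct session, name);
    memcpy(dst, payload, len);     /* BUG: len never compared with NAME_LEN */
}

/* Hardened: bound the copy, keep NUL termination, fail closed.
 * Returns 0 on success, -1 if the record is rejected. */
static int parse_session_safe(struct session *s, const uint8_t *payload, size_t len)
{
    memset(s, 0, sizeof *s);
    if (len >= NAME_LEN)           /* leave room for the terminator */
        return -1;
    memcpy(s->name, payload, len);
    s->name[len] = '\0';
    return 0;
}

/* Constructed proof-of-concept payload: 16 bytes fill the name, the next
 * 4 bytes overwrite is_admin with 0x01010101 (nonzero on any byte order). */
static size_t build_poc(uint8_t *out, size_t cap)
{
    const size_t n = NAME_LEN + sizeof(int32_t);
    if (cap < n)
        return 0;
    memset(out, 'A', NAME_LEN);
    memset(out + NAME_LEN, 0x01, sizeof(int32_t));
    return n;
}

/* is_admin value the vulnerable parser ends up with after the PoC
 * (nonzero = privilege gained without any credential). */
int vuln_is_admin_after_poc(void)
{
    uint8_t poc[32];
    size_t n = build_poc(poc, sizeof poc);
    struct session s;
    parse_session_vuln(&s, poc, n);
    return s.is_admin;
}

/* Hardened parser's verdict for the same payload (-1 = rejected). */
int safe_verdict_for_poc(void)
{
    uint8_t poc[32];
    size_t n = build_poc(poc, sizeof poc);
    struct session s;
    return parse_session_safe(&s, poc, n);
}

/* Sanity check: the hardened parser still accepts a normal short name.
 * Returns 1 when "alice" is stored intact and is_admin stays 0. */
int safe_accepts_short_name(void)
{
    const uint8_t name[] = "alice";
    struct session s;
    if (parse_session_safe(&s, name, 5) != 0)
        return 0;
    return strcmp(s.name, "alice") == 0 && s.is_admin == 0;
}

int main(void)
{
    printf("vulnerable parser: is_admin = 0x%08x\n", (unsigned)vuln_is_admin_after_poc());
    printf("hardened parser:   verdict  = %d\n", safe_verdict_for_poc());
    return 0;
}
```

The flag overwrite stands in for the control-flow hijack of stage 3: once an attacker controls what follows the buffer, a saved return address or function pointer is overwritten the same way, which is where injected shellcode gets its first instruction executed. The fix is the one that survives on every platform regardless of stack protectors or DEP: never let a length from the wire choose how many bytes are written.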
X-Force Protection Engines
Cobion: Cobion e-mail and content filtering technology has analyzed over 8.7B URLs and images and 1B unique spam messages. Over 100k web pages and 700k spam messages are analyzed daily.
Shellcode Heuristics: this engine uses generic shellcode detection to block shellcode payloads, one of the most prevalent methods of infecting non-binary files like HTML, documents, and images.
BOEP: Buffer Overflow Exploit Prevention (BOEP) blocks execution payloads delivered through buffer overflow exploits, providing 0-day protection for this class of threats.
PAM: the Protocol Analysis Module (PAM) is the network IPS component in IBM ISS desktop, server, and network products. PAM uses behavioral and vulnerability-centric methods to detect and block network-based exploits affecting more than 7,400 vulnerabilities.
VPS: the Virus Prevention System (VPS) is a behavioral anti-virus technology that can stop not only new malware variants but also new malware families. VPS uses pre-execution behavioral analysis to stop malware before it can run and do damage.
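To make the "generic shellcode detection" idea concrete, here is an added example of a small heuristic scanner of the kind the Shellcode Heuristics slide describes. It is not IBM ISS code and says nothing about how that engine actually works; it scores a byte buffer (standing in for an object carved out of an HTML page or document) on two classic x86 indicators: a NOP sled (a run of 0x90) and a GetPC idiom (`call $+5`, bytes E8 00 00 00 00, or the PEB access `mov eax, fs:[0x30]`, bytes 64 A1 30 00 00 00). The threshold `SLED_MIN`, the function names and the three constructed samples are this example's assumptions.

```c
/* Added example (not IBM ISS code): a generic-shellcode heuristic run over
 * constructed byte buffers. Thresholds, names and samples are assumptions. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SLED_MIN 16   /* assumed: shorter 0x90 runs are treated as padding */

/* Longest run of 0x90 (x86 NOP) bytes in buf. */
size_t longest_nop_sled(const uint8_t *buf, size_t len)
{
    size_t best = 0, run = 0;
    for (size_t i = 0; i < len; i++) {
        run = (buf[i] == 0x90) ? run + 1 : 0;
        if (run > best)
            best = run;
    }
    return best;
}

/* 1 if a GetPC (call $+5) or PEB-walk (mov eax, fs:[0x30]) idiom appears. */
int has_getpc_idiom(const uint8_t *buf, size_t len)
{
    static const uint8_t call_next[] = {0xE8, 0x00, 0x00, 0x00, 0x00};
    static const uint8_t peb_fs30[]  = {0x64, 0xA1, 0x30, 0x00, 0x00, 0x00};
    for (size_t i = 0; i < len; i++) {
        if (len - i >= sizeof call_next && memcmp(buf + i, call_next, sizeof call_next) == 0)
            return 1;
        if (len - i >= sizeof peb_fs30 && memcmp(buf + i, peb_fs30, sizeof peb_fs30) == 0)
            return 1;
    }
    return 0;
}

/* Score 0..2, one point per indicator. Only 2 is treated as shellcode:
 * a lone 0x90 run happens in padding, a lone call $+5 happens in real
 * x86 code, but both together inside a non-binary file are a strong sign. */
int shellcode_score(const uint8_t *buf, size_t len)
{
    int score = 0;
    if (longest_nop_sled(buf, len) >= SLED_MIN)
        score++;
    if (has_getpc_idiom(buf, len))
        score++;
    return score;
}

/* Constructed samples: 0 = plain HTML text, 1 = a 32-byte 0x90 run only,
 * 2 = the same sled followed by "call $+5; pop ebx; xor eax,eax". */
size_t build_sample(int kind, uint8_t *out, size_t cap)
{
    static const char text[] = "<html><body>quarterly report</body></html>";
    static const uint8_t stub[] = {0xE8, 0x00, 0x00, 0x00, 0x00, 0x5B, 0x31, 0xC0};
    size_t n;
    if (kind == 0) {
        n = sizeof text - 1;
        if (cap < n)
            return 0;
        memcpy(out, text, n);
        return n;
    }
    n = 32 + (kind == 2 ? sizeof stub : 0);
    if (cap < n)
        return 0;
    memset(out, 0x90, 32);
    if (kind == 2)
        memcpy(out + 32, stub, sizeof stub);
    return n;
}

/* Score of one constructed sample (see build_sample). */
int score_sample(int kind)
{
    uint8_t buf[128];
    size_t n = build_sample(kind, buf, sizeof buf);
    return shellcode_score(buf, n);
}

int main(void)
{
    for (int kind = 0; kind < 3; kind++)
        printf("sample %d: score %d\n", kind, score_sample(kind));
    return 0;
}
```

The two-indicator rule is the whole point: real engines combine many such weak signals and also emulate the candidate bytes, because a single pattern match either misses polymorphic decoders or fires on legitimate data. The reason this class of heuristic works at all on HTML, documents and images, as the slide notes, is that raw x86 idioms have no business appearing in those formats.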
Conclusions. The costs of data loss are significant but hard to calculate: the whole company is at risk. Collaboration brings complexity and, with it, many new risks. The statistics show that the endpoint and the data are the targets. A complete solution must entail intrusion and extrusion prevention as well as proper Authentication, Authorization and Accounting.
Agenda: Live Demo
Thank you! Questions? Simone Riccetti, simone.riccetti@it.ibm.com