BREAK AND BUILD, AND BREAK AGAIN

  • Published on 24-Jul-2015

Transcript

Security Standards Help Stop Heartbleed
May 7, 2014
Software Assurance: Post by Drew Buttner

The Heartbleed bug (CVE-2014-0160) is a critical vulnerability that first came to the attention of the public in early April and has been making headlines ever since. The vulnerability exists in certain versions of OpenSSL, where it enables remote attackers to obtain sensitive information, such as passwords and encryption keys. Many popular websites have been affected or are at risk, which in turn puts countless users and consumers at risk.

Cybersecurity experts have mounted an aggressive and multi-faceted global response to Heartbleed, and security automation standards have played an important role in this effort. These standards were created to categorize and share information about system vulnerabilities and attacks to help the security community communicate consistently. Having a common language helps in understanding these issues and determining appropriate mitigation strategies. Effective communication about bugs also helps developers prevent them from reappearing in other applications. Specifically, these three security automation standards have been particularly helpful in dealing with Heartbleed:

  • Common Vulnerabilities and Exposures (CVE) provides unique identifiers for known information security vulnerabilities. CVE enables the fast, efficient, and effective correlation and sharing of information related to critical and time-sensitive vulnerabilities.
  • Common Weakness Enumeration (CWE) provides an index of different types of software code weaknesses and serves as an information repository for the types of security problems found in a software application's architecture, design, code, and setup. CWE helps developers prevent these mistakes from being repeated.
  • Common Attack Pattern Enumeration and Classification (CAPEC) is a publicly available catalogue of common attack patterns, along with a classification taxonomy that identifies relationships among attack patterns. An attack pattern is an abstraction mechanism for describing how an attack is executed. Many successful attacks are conducted in multiple, discrete, identifiable steps.

CVE and Heartbleed

The CVE Identifier CVE-2014-0160 was released on April 7, 2014, the same day the Heartbleed bug was made public. The existence of this identifier has enabled the worldwide community to converse and share information about this bug at an astonishingly rapid pace. The CVE Identifier (ID) quickly became so ubiquitous (with more than 100,000 lookups in the first few days alone) that simply entering its name into any search engine resulted in thousands of hits and a range of useful information, including the official OpenSSL Security Advisory, major application vendors, details from industry experts, and guidance from security organizations. All of these search results underscore the main purpose of CVE: to allow people to correlate information.

For example, using the CVE identifier in a search engine could lead system administrators to the blog post at Fox-IT with information on how to test for the Heartbleed vulnerability and what to do if they find it. The CVE identifier could also further help system administrators ensure that they are using the appropriate security tools and vendor patches to address the issue.

Without CVE, there would likely be a surfeit of proprietary and non-standard names, such as Heartbleed, Heartbeat, and SOL15159, making it difficult to track down critical information in a timely manner. For example, the official OpenSSL Security Advisory doesn't even mention the term Heartbleed.

CWE and Heartbleed

The Heartbleed bug exists because of two separate mistakes in the code. The first is an inconsistency between the stated length of the message body and its actual length. This type of weakness is described in detail by CWE-130: Improper Handling of Length Parameter Inconsistency. The second weakness is an out-of-bounds memory read, which is described in CWE-125: Out-of-Bounds Read. These CWEs were first defined more than eight years ago, and both provide information about the respective problem: how to detect it, why it occurs, how to fix it, and how to prevent it from happening again.

In the case of Heartbleed, developers could use CWE to quickly determine if they have the types of code analysis tools needed to ferret out these types of mistakes. Many tools can check for instances of CWE-125. CWE also helps developers know why Heartbleed occurred and how to avoid this type of mistake in future development. Without CWE, developers would be forced to perform hours of research to understand the root of the issue and how to correct it in their code. If you don't want your software to have the same issue as Heartbleed, ask your vendors about these weaknesses and educate your developers about CWE-130 and CWE-125.

CAPEC and Heartbleed

To prevent future attacks, security professionals need to know how an attacker thinks and operates. CAPEC helps expose the attacker mindset by shedding light on how a particular vulnerability has been exploited to launch an attack. Without CAPEC, organizations are likely to be stuck in a reactionary mode, addressing known vulnerabilities while being blindsided when the next "Heartbleed" arrives.

Software designers, testers, and assessment teams can use CAPEC to sleuth out the next piece of software that might be similarly susceptible and eliminate it as a target. They can also look for the underlying weaknesses that make such attacks possible. CAPEC-540: Overread Buffers defines the general pattern commonly used by an attacker, including how the attack is crafted, its potential severity and consequences, as well as possible solutions and mitigating factors. CAPEC continually adds new attack patterns, such as the specific pattern used in Heartbleed, so be sure to visit the website for updates.

Future Heartbleeds

Security automation efforts such as CVE, CWE, and CAPEC can help reduce the possibility of similar severe vulnerabilities such as Heartbleed in the future. But it is incumbent upon developers and other security professionals to actively leverage resources such as these to be better prepared for the next Heartbleed.

About Drew Buttner

Drew Buttner leads a software assurance group at MITRE specializing in secure code review. He has worked on improving application security for both MITRE and its customers since joining the organization in 2001. An expert in the field of source code weaknesses, Drew is also involved in a number of research efforts related to secure software development and

@kchln Kachalin@advancedmonitoring.ru
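The two weaknesses named in the CWE section of the post (a stated length that disagrees with the real length, CWE-130, and the out-of-bounds read that follows from trusting it, CWE-125), shown as an added C example that is not part of the original post and not OpenSSL's code: a heartbeat-style record parser that applies the length-consistency check before copying. The message layout (1-byte type, 16-bit big-endian payload length, payload, at least 16 bytes of padding) is assumed from RFC 6520; the record bytes are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed example, not OpenSSL's code. Layout assumed from RFC 6520:
 *   type (1 byte) | payload_length (2 bytes, big-endian) | payload | padding (>= 16 bytes) */
#define HB_HDR_LEN     3
#define HB_MIN_PADDING 16

/* Copies the heartbeat payload into out and returns its length, or -1 when
 * the stated payload_length does not fit inside the bytes actually received
 * (CWE-130). Rejecting here is what prevents memcpy from reading past the
 * record into adjacent memory (CWE-125). */
int heartbeat_extract_payload(const uint8_t *rec, size_t rec_len,
                              uint8_t *out, size_t out_cap)
{
    if (rec == NULL || out == NULL)
        return -1;
    if (rec_len < HB_HDR_LEN + HB_MIN_PADDING)
        return -1;                       /* too short even for an empty payload */

    uint16_t stated = (uint16_t)((rec[1] << 8) | rec[2]);

    /* The consistency check: header + stated payload + minimum padding must
     * not exceed the record length. Trusting 'stated' alone is the bug. */
    if ((size_t)HB_HDR_LEN + stated + HB_MIN_PADDING > rec_len)
        return -1;
    if (stated > out_cap)
        return -1;

    memcpy(out, rec + HB_HDR_LEN, stated);
    return (int)stated;
}

int main(void)
{
    /* Constructed well-formed request: type 1, length 4, "ping", 16 zero bytes. */
    const uint8_t rec[] = {1, 0, 4, 'p', 'i', 'n', 'g',
                           0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0};
    uint8_t out[64];
    int n = heartbeat_extract_payload(rec, sizeof rec, out, sizeof out);
    printf("payload length %d\n", n);   /* 4 */
    return n == 4 ? 0 : 1;
}
```

A static analyser flagging CWE-125, as the post suggests, would point at the memcpy; the check above is what makes that copy safe.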
