What is security Why network security is important - Coursework Example

?What is Security? Although there are thousands of definition available on the Internet related to security. The definition available on ‘www.businessdictionary.com’ covers the basics and states it as “Prevention of and protection against assault, damage, fire, fraud, invasion of privacy, theft, unlawful entry, and other such occurrences caused by deliberate action”. In the context of network security definition, it consists of concerns related to network communication privacy, confidentiality of data over the network, accessing unauthorized classified data, access to prohibited network domains and utilizing Internet for concealed communication (Network Security. 2007) It is the twentieth century where improved communication technologies are inventing one after another. Internet has become a powerful and interactive carrier providing extensive activities and web services. Organizations expand their resources with the help of Internet. Websites are created, for informational purposes, advertisement, online shopping etc. In the modernized countries, Internet is utilized for education, electronic shopping, blogs, social networking and information. Even today, where every technology interrelated to Information technology involves the dot com phenomenon; Internet is relatively an evolving field which is persistently changing. The widespread use of computing technology has facilitated small, medium and corporate organizations to achieve goals in an efficient way. The revolution of Information Technology has created new trends of doing business and communication. Moreover, the technology has provided a new approach of operating businesses during the past several years, and continues to provide many benefits as it spreads all over the globe. However, with its widespread adoption, threats and vulnerabilities are also rising. Organizations spent enormous funds to secure their data and network environment. Moreover, hardware security modules taken into consideration for securing highly classified data. However, these modules require frequent updates for virus definitions and new threats, which may affect the network anytime. Every now and then, new threats are designed and developed by hackers or cyber criminals. In spite of securing the networks and data centers, with the most updated and advanced security modules, there is still a probability of a new threat to intrude into the network. In addition, hackers and cyber criminals are exploring efficient codes day by day to improve the hacking software, in order to breach in to classified information, banks, online websites etc. As the threats and vulnerabilities are infinite, no one can memorize them in order to take a measured approach, the initial step is to identify the vulnerability type. An organization named as CVE (Common Vulnerabilities and Exposure) provides a database to search for a particular public known vulnerability. The sponsors for CVE are US-CERT and managed by MITRE Corporation. The goal is to provide common names for all publicly known security threats and exposures. In order to extract information from CVE, access of National Vulnerability Database is mandatory (NVD) (Cve. 2011). Why Network Security is Important This is an era of digital connectivity along with digitized attack of hackers, cyber criminals, electronic eaves dropping and online fraud. Moreover, there is no room for risk and threats in a computing network where thousands of online transactions are in process. The volatile expansion of computer systems and the interconnectivity of these devices via a network have significantly amplified the dependence of organizations on the information systems. Moreover, due to vast dependency of organization on information systems, security and protection of these systems has become a mandatory factor. Furthermore, by considering these factors, the network security is triggered, in terms of protecting data and resources from revelation to ensure the authenticity of digital transmission. The functionality of the network depends on the organizations business processes and priority of these processes. For instance, if an organization operates online in terms of accepting payments from the client and delivering the required product to the doorstep, certainly require secure online security with strict compliance and procedures within the organization as well. If the network is protected with strict compliance and updates security patches along with appropriate software and hardware, then the organization is secure from thousand of threats and risks. Some of the threats consist of viruses, Trojans, malicious codes, hacking, social engineering, viral websites, phishing and much more. Who is Vulnerable? As it is understandable, that the usage of Internet is increasing with pace. Even small companies are integrating their business process with a small computer network. Every now and then, a new business wants its presence on the web. Moreover, services provided on the web are considered value added, in terms of customer satisfaction and feasibility. Furthermore, financial institutions have introduced online banking that is a treat for cyber criminals to achieve massive revenue by intercepting large online transactions. The Internet banking facilities consist of funds transfer, online shopping, credit card transactions, prepaid vouchers of different mobile phone companies and much more. Moreover, an Internet service provider (ISP) provides internet services to corporate organizations, home users and small business. If the security of an ISP is compromised, then the hacker may be able to access all the systems that are ultimately the clients of the company. Likewise, ISP also provides site-to-site VPN connectivity from where all the classified data is encrypted from one end to the other. Furthermore, government based organizations also provides information services on the Internet along with defense agencies that are controlled and monitored by the military, once hacked, the impacts can be devastating if the hackers becomes vulnerable. This can also result in disrupting relations between the two countries. Similarly, a multi-national organization wants to be top of the competition by endearing the competitive advantage, in order to make its presence stronger, several online features made available, providing more opportunities for hackers and cyber criminals. (CVE) The Standard A comprehensive definition is available on the CVE website, which states as “Common Vulnerabilities and Exposures (CVE®) is a dictionary of common names (i.e., CVE Identifiers) for publicly known information security vulnerabilities, while its Common Configuration Enumeration (CCE™) provides identifiers for security configuration issues and exposures. CVE’s common identifiers make it easier to share data across separate network security”. One more definition covering the overall concept is defined as the dictionary of common terminologies sharing security threats. Moreover, these threats are divided in to two groups i.e. vulnerabilities and exposures. Vulnerability relates to a identifiable security risk associated with a computer, server or network. On the other hand, exposure relates to an event or fact associated with a vulnerability considered by some people (, What is Common Vulnerabilities and Exposures? - Definition from Whatis.com). The primary objective of CVE is to provide a separate database accessible, in order to find out all the known threats and vulnerabilities currently, with the help of tools and services. What is CVE 3872 ? The main target of this threat is the “Apache HTTP Server”. As CVE 3872 is a threat that operates on web technologies, before understanding CVE 3872, it is vital to focus on some of the web technologies that are associated with CVE 3872. Apache HTTP Server Apache is the most widely used web server because it is powerful and flexible with HTTP 1.1 compliant web server. Moreover, it supports latest protocols. Apache also gives the freedom to integrate with third party applications, due to its high configuration profiles. Developers can write API module with the help of API for customization. Apache web server provides full source code, along with permissive license. Common Gateway Interface A newly developed website providing information must possess a database to store information, which is published on the website. In general, many people on the Internet will visit the website and access information, which is extracted from the database. This is where the importance of Common Gateway Interface (CGI) becomes useful. Dave Chaffy defines it as “A method of processing information on a web server in response to a customer’s request. Typically, a user will fill in a Web-based form and a CGI script (application) will process the results. Active Server Pages (ASP) are an alternative to a CGI script” (Chaffey 2006). Moreover, if the users query the database of the website, the CGI script will transmit the queries to the database and retrieves results on the website. It has become a standard for synchronizing information servers from external web applications. CGI is eminent in the form of a plain HTML file which his static, while CGI operates in a real time environment to display dynamic contents on a website. An executable program is incorporated in order to execute CGI, the inputs are the request of the users from the website. Consequently, CGI displays the required contents on the website. CGI provides many advantages for the web developers as well as web users. It is convenient and executable on wide assortment of web servers. Moreover, CGI is language independent, which is a plus for web developers. It is best recommended for E commerce applications due to its interaction with the database and the web server. CGI is not too expensive and at the same time it is useful for organizations to minimize their development and maintenance cost. Fast Common Gateway Interface The extended version of CGI, which is implemented commonly today, is called Fast Common Gateway Interface (FCGI). Likewise, Fast CGI is not bound to any application of the web server, and it becomes unchanged whenever technological development is conducted for the web server. Consequently, Fast CGI is slightly above the normal CGI due to its distributed computing features that provides organizations to operate Fast CGI from separate machines. Furthermore, distributed computing provides methodologies for scaling systems from more than one, resulting in high availability and reliability of web services. Furthermore, Fast CGI supports modular authentication, authorization checks and performs translation of data from one type to another (, FastCGI). Description of the threat associated with CVE 3872 is available on www.cvedetails.com as “The apr_status_t fcgid_header_bucket_read function in fcgid_bucket.c in Apache mod_fcgid before 2.3.6 does not use bytewise pointer arithmetic in certain circumstances, which has unknown impact and attack vectors related to ‘untrusted FastCGI applications’ and a ‘stack buffer overwrite’. The primary goal of this vulnerability is to attack websites with un-trusted Fast CGI based applications and stack buffer overwrite. The threat hits module named as ‘fcgid_module’ with a source file named as ‘mod_fcgid.c’, developed for executing Fast CGI applications. Evaluating ‘mod_fcgid’ ‘Mod_fcgid’ was created by Ryan Pan in 2004 (, mod_fcgid - FastCGI interface module for Apache 2 - The Apache HTTP Server Project).”mod_fcgid is a high performance alternative to mod_cgi or mod_cgid, which starts a sufficient number instances of the CGI program to handle concurrent requests, and these programs remain running to handle further incoming requests. It is favored by the PHP developers, for example, as a preferred alternative to running mod_php in-process, delivering very similar performance” (, mod_fcgid - FastCGI interface module for Apache 2 - The Apache HTTP Server Project). Fast CGI protocol process any application allocated to ‘fcgid-script’ handler. In order to handle concurrent request, ‘mod_fcgid’ initializes adequate number of instances of the application and continuous to operate for handling incoming request that are coming from time to time. Moreover, this process is efficient as compared to the default ‘mod_cgi’ or ‘mod_cgid’ modules, which are operational to initialize the program on each request. This will result in high consumption of CPU and the processes will me much slower. However, on the other hand the efficient ‘mod_fcgid’ continue to consume possessions, proving the administrator to configure setting by evaluating the impact of invalidating each specific application, individual per request adjacent to the resources required. This will allow sufficient instances operating on continuous basis. Furthermore, all the ‘httpd’ workers acquire the pool of invoked programs associated with ‘fcgid’. The two configuration directives allow the administrators to configure the program’s instances that are executed concurrently. The two directives are named as ‘AddHandler’ and ‘SetHandler’. Particular executives are associated to ‘AddHandler’ by allocating a name with an extension, and the override executives, by utilizing the ‘SetHandler’ directives (, mod_fcgid - Apache HTTP Server). CVE 3872 Impact and Functionality The 3872 attacks on the products associated with apache HTTP server. Up till now, there are five releases available, consisting of apache: mod_fcgid 2.3.1, apache: mod_fcgid 2.3.2, apache: mod_fcgid 2.3.3, apache: mod_fcgid 2.3.4, apache: mod_fcgid 2.3.5. As per the National Vulnerability Database, the impact of this threat is ranked to 7.2 (High), Impact sub-score is 10.0 and exploitability sub-score is 3.9. Moreover, the access vector is locally exploitable along with low access convolution and the authentication factor is not required to exploit. Accordingly, the impact type permits unauthorized confession of data. In addition, the impact includes unauthorized modification along with disruption of services (, National Vulnerability Database (NVD) National Vulnerability Database (CVE-2010-3872)). The platforms that are vulnerable to this threat are Apache HTTP Server 2.0, Apache HTTP Server 2.2, Apache Software Foundationmod_fcgid 2.3. Furthermore, the products that are vulnerable to this threat are as follows (, Apache 'mod_fcgid' Module Unspecified Stack Buffer Overflow Vulnerability): Red Hat Fedora 14 Red Hat Fedora 13 Red Hat Fedora 12 Debian Linux 5.0 sparc Debian Linux 5.0 s/390 Debian Linux 5.0 powerpc Debian Linux 5.0 mipsel Debian Linux 5.0 mips Debian Linux 5.0 m68k Debian Linux 5.0 ia-64 Debian Linux 5.0 ia-32 Debian Linux 5.0 hppa Debian Linux 5.0 armel Debian Linux 5.0 arm Debian Linux 5.0 amd64 Debian Linux 5.0 alpha Debian Linux 5.0, Furthermore, IBM website illustrates the following impacts related to this threat, which are as follows (, ISS X-Force Database: apache-fcgid-bo(63303): Apache mod_fcgid module fcgid_header_bucket_read() buffer overflow ): Base Score: 4.4 Access Vector: Local Access Complexity: Medium Authentication: None Confidentiality Impact: Partial Integrity Impact: Partial Availability Impact: Partial Temporal Score: 3.3 Consequences: Gain Access The threat attacks on mod_fcgid and vulnerable to stack buffer overflow, which is stated as: “The Apache mod_fcgid module is vulnerable to a stack-based buffer overflow, caused by improper bounds checking by the fcgid_header_bucket_read() function. By sending specially-crafted FastCGO data, a local attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash” (, ISS X-Force Database: apache-fcgid-bo (63303): Apache mod_fcgid module fcgid_header_bucket_read() buffer overflow ). According to www.CVEdetails.com, vulnerability statistics for CVE 3872 are as follows: Confidentiality Impact Complete There is total information disclosure, resulting in all system files being revealed Integrity Impact Complete There is a total compromise of system integrity. There is a complete loss of system protection, resulting in the entire system being compromised Availability Impact Complete There is a total shutdown of the affected resource. The attacker can render the resource completely unavailable Access Complexity Low Specialized access conditions or extenuating circumstances do not exist. Very little knowledge or skill is required to exploit. Authentication Not required Authentication is not required to exploit the vulnerability Gained Access None (, CVE-2010-3872 : The apr_status_t fcgid_header_bucket_read function in fcgid_bucket.c in Apache mod_fcgid before 2.3.6 does not use bytew ) Moreover, integrating the apache server with debian, CVE 3872 will provide opportunity for local users to gain escalated privileges. CVE 3872 Exploitation For discussing the exploitation of this threat, a code is analyzed, extracted from (, CVE-2010-3872: Apache mod_fcgid Buffer Overflow « xorl %eax, %eax). static apr_status_t fcgid_header_bucket_read(apr_bucket * b, const char **str, apr_size_t * len, apr_read_type_e block) { fcgid_bucket_ctx *ctx = (fcgid_bucket_ctx *) b->data; apr_status_t rv; apr_size_t hasread, bodysize; FCGI_Header header; apr_bucket *curbucket = b; /* Initialize header */ putsize = fcgid_min(bufferlen, sizeof(header) - hasread); memcpy(&header + hasread, buffer, putsize); hasread += putsize; return apr_bucket_read(b, str, len, APR_BLOCK_READ); In the code above, the routine ‘memcpy(3)’ is executed, to initialize the header for computing the size and copy data from the buffer to the header. The concern is related to ‘hasread’ because it is of ‘apr_size_t’ type, which is representing a header as a pointer. In this way, if ‘hasread’is holding a non-zero value, the results are incorrect for arithmetic pointer. However, to avoid this issue a simplified code is demonstrated below (, CVE-2010-3872: Apache mod_fcgid Buffer Overflow « xorl %eax, %eax): putsize = fcgid_min(bufferlen, sizeof(header) - hasread); memcpy(&header + hasread, buffer, putsize); +memcpy((char*)(&header) + hasread, buffer, putsize); hasread += putsize; Impact on Windows Network / Domain The threat hits initially to the Apache HTTP server that contains the module named as ‘mod_fcgid’. If apache is installed on a Microsoft based server, which is configured on the network, the threat may easily allow unauthorized access of an intruder who can modify unauthorized data along with disruption of services. Moreover, the Microsoft domain server is also vulnerable to ‘mod_fcgid’ stack based buffer overflow attacks that are caused by reprehensible bounds inspection from the module named as ‘fcgid_header_bucket_read()’. A hacker may send a uniquely constructed Fast CGO data, in order to execute the arbitrary code on the apache server running on a windows based server. Consequently, the application will crash (, ISS X-Force Database: apache-fcgid-bo(63303):Apachemod_fcgid module fcgid_header_bucket_read() buffer overflow ). Remedial Action In order to eliminate this threat, whether in windows environment or Linux/Unix environment, Apache HTTP server must be updated to the latest version of ‘mod_fcgid’ 2.3.6 or later. Moreover, for Debian GNU/Linux lenny, administrator must upgrade the module with libapache2-mod-fcgid version 2.2-1+lenny1, for Debian GNU/Linux sid administrator must upgrade the module with libapache2-mod-fcgid version 2.3.6-1 and for Debian GNU/Linux squeeze, administrator must upgrade the module with libapache2-mod-fcgid version 2.3.6-1(, VUPEN - Debian Security Update Fixes mod_fcgid Buffer Overflow Vulnerability / Exploit (Security Advisories - VUPEN/ADV-2011-0031) ). Metasploit Tool Metasploit framework is platform independent and an open-source network security project. Due to its strong penetration testing features, it is considered to analyze the current and potential networks threats and vulnerabilities. A Metasploit Framework contains “both a penetration testing system and a development platform for creating security tools and exploits. The framework is used by network security professionals to perform penetration tests, system administrators to verify patch installations, product vendors to perform regression testing, and security researchers worldwide” (, Metasploit Penetration Testing Framework ). Moreover, the framework includes tools, libraries, modules and interfaces for users. The primary objective of the framework is the module launcher that allows a tester to install an exploit module and execute it on the target workstation. If the threat is victorious, the target receives a consignment and the user gets the access to configure the consignment. This tool is recommended for analyzing and removing CVE 3872 at the early stage. Conclusion The CVE 2010-3872 affects on different flavors of Linux/ Unix. Moreover, Apache HTTP server is the first point of contact where the module of apache server, named as ‘mod_fcgid’ is bypassed. The threat also affects windows domain network environments, if apache server is installed on Microsoft products. The threat permits unauthorized confession of data, unauthorized modification, and disruption of services. However, the threat can be eliminated by updating the ‘mod_fcgid’ by 2.3.6 or later. Furthermore, in order to conduct penetration testing on the existing network, metasploit framework is recommended. It helps to exploit existing and potential breaches in terms of network security and CVE 2010-3872. References , security definition . Available: http://www.businessdictionary.com/definition/security.html [3/9/2011, 2011]. Network Security. 2007. Network Dictionary, , pp. 339-339. Cve. 2011. Computer Desktop Encyclopedia, , pp. 1. , security definition . Available: http://www.businessdictionary.com/definition/security.html [3/9/2011, 2011]. , What is Common Vulnerabilities and Exposures? - Definition from Whatis.com . Available: http://searchfinancialsecurity.techtarget.com/definition/Common-Vulnerabilities-and-Exposures [3/10/2011, 2011]. , mod_fcgid - FastCGI interface module for Apache 2 - The Apache HTTP Server Project . Available: http://httpd.apache.org/mod_fcgid/ [3/10/2011, 2011]. CHAFFEY, D., 2006. Internet marketing: strategy, implementation and practice Harlow: Financial Times Prentice Hall. , FastCGI | FastCGI - . Available: http://www.fastcgi.com/drupal/ [3/10/2011, 2011]. , mod_fcgid - Apache HTTP Server . Available: http://httpd.apache.org/mod_fcgid/mod/mod_fcgid.html [3/10/2011, 2011]. , mod_fcgid - FastCGI interface module for Apache 2 - The Apache HTTP Server Project . Available: http://httpd.apache.org/mod_fcgid/ [3/10/2011, 2011]. , CVE-2010-3872 : The apr_status_t fcgid_header_bucket_read function in fcgid_bucket.c in Apache mod_fcgid before 2.3.6 does not use bytew . Available: http://www.cvedetails.com/cve/CVE-2010-3872/ [3/10/2011, 2011]. , National Vulnerability Database (NVD) National Vulnerability Database (CVE-2010-3872) . Available: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3872 [3/10/2011, 2011]. , Apache 'mod_fcgid' Module Unspecified Stack Buffer Overflow Vulnerability . Available: http://www.securityfocus.com/bid/44900/info [3/10/2011, 2011]. , ISS X-Force Database: apache-fcgid-bo(63303): Apache mod_fcgid module fcgid_header_bucket_read() buffer overflow . Available: http://xforce.iss.net/xforce/xfdb/63303 [3/10/2011, 2011]. , CVE-2010-3872 : The apr_status_t fcgid_header_bucket_read function in fcgid_bucket.c in Apache mod_fcgid before 2.3.6 does not use bytew . Available: http://www.cvedetails.com/cve/CVE-2010-3872/ [3/10/2011, 2011]. , VUPEN - Debian Security Update Fixes mod_fcgid Buffer Overflow Vulnerability / Exploit (Security Advisories - VUPEN/ADV-2011-0031) . Available: http://www.vupen.com/english/advisories/2011/0031 [3/10/2011, 2011]. , Metasploit Penetration Testing Framework . Available: http://www.metasploit.com/framework/ [3/10/2011, 2011]. Read More