1 00:00:06,830 --> 00:00:08,360 - [Instructor] Understanding the weaknesses 2 00:00:08,360 --> 00:00:10,600 and vulnerabilities in a system or network 3 00:00:10,600 --> 00:00:14,610 is a huge step towards correcting the vulnerability itself, 4 00:00:14,610 --> 00:00:16,197 or putting in appropriate counters 5 00:00:16,197 --> 00:00:19,668 to mitigate threats against those vulnerabilities. 6 00:00:19,668 --> 00:00:22,320 So, potential network vulnerabilities abound, 7 00:00:22,320 --> 00:00:27,320 with many resulting from one or more of the following. 8 00:00:27,703 --> 00:00:31,550 The first is policy flaws, design errors, 9 00:00:31,550 --> 00:00:35,094 protocol weaknesses, and that can be in the form 10 00:00:35,094 --> 00:00:36,990 of the actual protocol standard, 11 00:00:36,990 --> 00:00:39,250 or the specification of that protocol, 12 00:00:39,250 --> 00:00:41,069 or the implementation of that protocol. 13 00:00:41,069 --> 00:00:46,069 So, both standard and implementation issues. 14 00:00:46,590 --> 00:00:48,977 Misconfigurations of a system contribute, 15 00:00:48,977 --> 00:00:51,410 or can be considered as vulnerabilities, 16 00:00:51,410 --> 00:00:54,900 and it goes without saying, software vulnerabilities as well. 17 00:00:54,900 --> 00:00:58,030 The human factor, that's a contributing factor 18 00:00:58,030 --> 00:01:01,770 for vulnerabilities and specifically related to two things, 19 00:01:01,770 --> 00:01:05,040 just normal errors, human errors, 20 00:01:05,040 --> 00:01:07,113 and also social engineering. 21 00:01:08,540 --> 00:01:09,373 Also hardware vulnerabilities, 22 00:01:09,373 --> 00:01:11,410 there are vulnerabilities in hardware as well, 23 00:01:11,410 --> 00:01:15,650 not only software, and physical access to network resources.
24 00:01:15,650 --> 00:01:19,410 Now, Cisco and others have actually created databases 25 00:01:19,410 --> 00:01:21,840 that categorize vulnerabilities 26 00:01:21,840 --> 00:01:24,800 and also threats in the public domain. 27 00:01:24,800 --> 00:01:27,070 Now, whenever you actually look at these databases 28 00:01:27,070 --> 00:01:28,890 and the vulnerability reports, 29 00:01:28,890 --> 00:01:33,370 you often see an identifier, a vulnerability identifier, 30 00:01:33,370 --> 00:01:36,610 and that's done using the Common Vulnerabilities 31 00:01:36,610 --> 00:01:40,450 and Exposures standard, which is a dictionary 32 00:01:40,450 --> 00:01:44,370 of publicly known security vulnerabilities and exposures. 33 00:01:44,370 --> 00:01:48,260 So, a quick search using your favorite search engine 34 00:01:48,260 --> 00:01:50,270 will lead you to the website, 35 00:01:50,270 --> 00:01:53,150 as far as actually the CVE website, 36 00:01:53,150 --> 00:01:54,640 but it's actually maintained by MITRE, 37 00:01:54,640 --> 00:01:56,590 I'm showing the link here. 38 00:01:56,590 --> 00:01:59,060 And again, typically whenever you see disclosures, 39 00:01:59,060 --> 00:02:01,270 you see these types of identifiers, 40 00:02:01,270 --> 00:02:05,340 they start with the acronym CVE, and then dash, 41 00:02:05,340 --> 00:02:08,100 followed by a year, so by the date 42 00:02:08,100 --> 00:02:13,100 when the vulnerability was actually disclosed. 43 00:02:13,910 --> 00:02:16,440 So, again, the year, and then dash, 44 00:02:16,440 --> 00:02:19,293 and then an identifier, a number. 45 00:02:20,150 --> 00:02:25,150 Now, there are also databases or repositories. 46 00:02:25,750 --> 00:02:28,240 The most popular one is the National Vulnerability Database, 47 00:02:28,240 --> 00:02:31,140 or NVD, and I'm actually sharing the link in here, 48 00:02:31,140 --> 00:02:33,810 and a screen share of their site.
49 00:02:33,810 --> 00:02:35,080 And this is actually a repository 50 00:02:35,080 --> 00:02:37,330 of standards-based vulnerability information. 51 00:02:38,210 --> 00:02:41,840 Again, there you can actually do quick searches 52 00:02:41,840 --> 00:02:44,060 for vulnerabilities, you can obtain information 53 00:02:44,060 --> 00:02:46,566 about the details of vulnerabilities, 54 00:02:46,566 --> 00:02:51,566 and references to the reports of those vulnerabilities, 55 00:02:51,900 --> 00:02:56,900 and the vendor disclosure of those vulnerabilities. 56 00:02:58,030 --> 00:02:59,331 Now, here are a few examples 57 00:02:59,331 --> 00:03:01,250 of the most common types of vulnerabilities. 58 00:03:01,250 --> 00:03:05,060 So, the first one is API abuse. 59 00:03:05,060 --> 00:03:07,980 And these are vulnerabilities that aim to attack flaws 60 00:03:07,980 --> 00:03:11,740 in an Application Programming Interface or an API. 61 00:03:11,740 --> 00:03:13,640 There's also authentication 62 00:03:13,640 --> 00:03:15,496 and authorization bypass vulnerabilities, 63 00:03:15,496 --> 00:03:19,310 where you can bypass the authentication of a system, 64 00:03:19,310 --> 00:03:24,310 or bypass authorization, a process on that system. 65 00:03:25,076 --> 00:03:27,500 A very popular one, and unfortunately, 66 00:03:27,500 --> 00:03:31,388 one of the biggest culprits behind a lot of vulnerabilities 67 00:03:31,388 --> 00:03:33,420 out there, is actually a buffer overflow. 68 00:03:33,420 --> 00:03:36,900 And a buffer overflow is when a program or a software 69 00:03:36,900 --> 00:03:39,510 puts more data in the buffer than it can hold, 70 00:03:39,510 --> 00:03:43,410 or it's actually also when a program tries 71 00:03:43,410 --> 00:03:46,743 to put data in a memory location past that buffer.
72 00:03:47,820 --> 00:03:51,220 This is done so data outside of the bounds of a block 73 00:03:51,220 --> 00:03:54,350 of that allocated memory can corrupt data, 74 00:03:54,350 --> 00:03:58,220 or crash the program, or the operating system as a whole. 75 00:03:58,220 --> 00:04:00,240 And the worst case scenario 76 00:04:00,240 --> 00:04:03,309 is actually leading to code execution, 77 00:04:03,309 --> 00:04:06,000 so execution of malicious code, 78 00:04:06,000 --> 00:04:08,560 and the worst, definitely worst case scenario 79 00:04:08,560 --> 00:04:10,350 is remote code execution, 80 00:04:10,350 --> 00:04:13,885 meaning that you can manipulate and gain access 81 00:04:13,885 --> 00:04:18,885 to a system remotely, sort of from hops away, 82 00:04:19,160 --> 00:04:20,970 and over the internet. 83 00:04:20,970 --> 00:04:23,930 Now, there's a wide variety of ways 84 00:04:23,930 --> 00:04:27,308 that buffer overflows can occur, and unfortunately, 85 00:04:27,308 --> 00:04:31,290 there are many error-prone techniques often used 86 00:04:31,290 --> 00:04:32,556 to prevent them. 87 00:04:32,556 --> 00:04:34,210 So, buffer overflow 88 00:04:34,210 --> 00:04:37,904 typically involves many memory manipulation functions, 89 00:04:37,904 --> 00:04:42,324 like in languages like C and C++, 90 00:04:42,324 --> 00:04:45,490 where the actual program does not perform bounds checking. 91 00:04:45,490 --> 00:04:49,850 And they can also easily overwrite the allocated bounds 92 00:04:49,850 --> 00:04:52,010 of those buffers. 93 00:04:52,010 --> 00:04:54,140 A perfect example is string copy, 94 00:04:54,140 --> 00:04:56,920 that can cause vulnerabilities when not used correctly. 95 00:04:56,920 --> 00:05:00,136 That's a very typical one that we have seen for the last, 96 00:05:00,136 --> 00:05:01,640 you know, several years. 97 00:05:01,640 --> 00:05:05,290 So, here's an example code that actually shows a buffer.
98 00:05:05,290 --> 00:05:09,780 So, that buffer actually includes a small chunk of data. 99 00:05:09,780 --> 00:05:13,360 And that data is actually Hello World, in my example. 100 00:05:13,360 --> 00:05:15,711 So, an attacker actually can take advantage 101 00:05:15,711 --> 00:05:20,711 of this vulnerability to send data that can put 102 00:05:21,401 --> 00:05:24,381 that data in a memory location past that buffer, 103 00:05:24,381 --> 00:05:25,833 as I'm showing here. 104 00:05:26,896 --> 00:05:28,370 So again, as you can see here, 105 00:05:28,370 --> 00:05:32,187 the actual attacker sent the data, 106 00:05:32,187 --> 00:05:36,820 and in this case, the data is called Every World, and then, 107 00:05:36,820 --> 00:05:40,430 that was more than the buffer actually could hold. 108 00:05:40,430 --> 00:05:41,390 Subsequently, actually, 109 00:05:41,390 --> 00:05:43,640 he's writing to the adjacent memory location. 110 00:05:43,640 --> 00:05:47,000 So, of course this example is a very simplistic one, 111 00:05:47,000 --> 00:05:49,180 but it represents how an attacker 112 00:05:49,180 --> 00:05:51,640 can then write instructions to the system, 113 00:05:51,640 --> 00:05:55,650 and potentially cause a local or remote code execution. 114 00:05:55,650 --> 00:05:57,504 So, in several of these attacks, 115 00:05:57,504 --> 00:06:01,290 the attacker actually writes what we call shellcode. 116 00:06:01,290 --> 00:06:04,570 And, that shellcode is actually used to invoke instructions 117 00:06:04,570 --> 00:06:06,123 and manipulate the system. 118 00:06:07,010 --> 00:06:09,423 Now, moving along, there's another type of vulnerability 119 00:06:09,423 --> 00:06:12,368 that is very common, and unfortunately, 120 00:06:12,368 --> 00:06:14,820 very pervasive nowadays, 121 00:06:14,820 --> 00:06:17,020 and that is a cross-site scripting vulnerability. 122 00:06:17,020 --> 00:06:20,740 So, XSS for short.
123 00:06:20,740 --> 00:06:23,150 And this is a type of web application vulnerability, 124 00:06:23,150 --> 00:06:26,340 where malicious scripts are injected 125 00:06:26,340 --> 00:06:29,260 into legitimate and trusted websites. 126 00:06:29,260 --> 00:06:31,204 So an attacker actually can launch an attack 127 00:06:31,204 --> 00:06:33,890 against a cross-site scripting vulnerability 128 00:06:33,890 --> 00:06:36,260 using a web application, 129 00:06:36,260 --> 00:06:39,710 and does that to send malicious code, 130 00:06:39,710 --> 00:06:43,290 typically in the form of a browser-side script, 131 00:06:43,290 --> 00:06:46,299 you know, this is actually done to a user, 132 00:06:46,299 --> 00:06:49,961 to fool a user to potentially follow a malicious link, 133 00:06:49,961 --> 00:06:51,730 or you know, many other things. 134 00:06:51,730 --> 00:06:53,160 Now, cross-site scripting vulnerabilities 135 00:06:53,160 --> 00:06:57,220 are quite widespread, and occur anywhere 136 00:06:57,220 --> 00:07:00,084 a web application uses input from a user, 137 00:07:00,084 --> 00:07:02,664 you know, within the output that it generates 138 00:07:02,664 --> 00:07:05,070 without validating or encoding it. 139 00:07:05,070 --> 00:07:07,140 So there are several types 140 00:07:07,140 --> 00:07:09,070 of cross-site scripting vulnerabilities.
141 00:07:09,070 --> 00:07:10,070 So you have things 142 00:07:10,070 --> 00:07:13,140 like reflected cross-site scripting vulnerabilities, 143 00:07:13,140 --> 00:07:15,910 stored cross-site scripting vulnerabilities, 144 00:07:15,910 --> 00:07:20,010 and, you probably don't have to go into that detail 145 00:07:20,010 --> 00:07:24,268 for the exam, but I'll invite you to visit the document 146 00:07:24,268 --> 00:07:26,140 that I'm actually sharing here, 147 00:07:26,140 --> 00:07:29,237 because Cisco actually has documented, 148 00:07:29,237 --> 00:07:32,390 and explained all the different types 149 00:07:32,390 --> 00:07:34,630 of cross-site scripting vulnerabilities available, 150 00:07:34,630 --> 00:07:37,590 and I'm including a link here for your reference. 151 00:07:37,590 --> 00:07:40,810 Another type of web-based vulnerability, 152 00:07:40,810 --> 00:07:42,590 or web application vulnerability, 153 00:07:42,590 --> 00:07:46,630 is a Cross-Site Request Forgery or CSRF. 154 00:07:46,630 --> 00:07:49,070 And this is a vulnerability that forces an end-user 155 00:07:49,070 --> 00:07:52,910 to execute malicious steps on a web application. 156 00:07:52,910 --> 00:07:56,506 So, this is typically done after the user is authenticated 157 00:07:56,506 --> 00:08:01,506 in that application, and generally, this type of attack, 158 00:08:01,640 --> 00:08:06,640 or CSRF attacks, target state-changing requests, 159 00:08:07,060 --> 00:08:09,790 and the attacker cannot steal data 160 00:08:09,790 --> 00:08:14,190 since he or she has no way to see the response 161 00:08:14,190 --> 00:08:15,220 to the forged request. 162 00:08:15,220 --> 00:08:18,920 So, the CSRF attacks are actually carried out with a combination 163 00:08:18,920 --> 00:08:23,780 of, of course, technical implementations, 164 00:08:23,780 --> 00:08:26,490 but also social engineering.
165 00:08:26,490 --> 00:08:27,700 Another type of vulnerability 166 00:08:27,700 --> 00:08:29,590 is cryptographic vulnerabilities. 167 00:08:29,590 --> 00:08:31,990 So these are vulnerabilities and flaws 168 00:08:31,990 --> 00:08:36,240 of cryptographic protocols or their implementation. 169 00:08:36,240 --> 00:08:38,610 Another one is the deserialization 170 00:08:38,610 --> 00:08:40,523 of untrusted data vulnerabilities. 171 00:08:41,360 --> 00:08:46,360 They use or cause malformed data or unexpected data 172 00:08:46,530 --> 00:08:49,100 to actually abuse an application's logic. 173 00:08:49,100 --> 00:08:51,700 And they can actually cause a denial of service attack 174 00:08:51,700 --> 00:08:53,630 or denial of service condition, 175 00:08:53,630 --> 00:08:56,614 or even execute arbitrary code. 176 00:08:56,614 --> 00:09:00,160 Another type of vulnerability, a double free. 177 00:09:00,160 --> 00:09:03,110 And these are vulnerabilities typically in languages 178 00:09:03,110 --> 00:09:06,920 like C and C++ that actually occur 179 00:09:06,920 --> 00:09:11,720 when the actual free function is called more than once, 180 00:09:11,720 --> 00:09:15,540 and with the same memory address as an argument. 181 00:09:15,540 --> 00:09:19,075 So, that's another type of common vulnerability 182 00:09:19,075 --> 00:09:22,170 throughout specifically these languages, 183 00:09:22,170 --> 00:09:23,870 I mean, implementations. 184 00:09:23,870 --> 00:09:28,540 Now, insufficient entropy is another type of vulnerability. 185 00:09:28,540 --> 00:09:32,050 And this is a vulnerability when a cryptographic application 186 00:09:32,050 --> 00:09:35,576 does not have proper entropy. 187 00:09:35,576 --> 00:09:39,310 An example of this is whenever a PRNG, 188 00:09:39,310 --> 00:09:42,520 or a Pseudo Random Number Generator, 189 00:09:42,520 --> 00:09:46,590 can be susceptible to insufficient entropy.
190 00:09:46,590 --> 00:09:49,460 And these types of vulnerabilities are leveraged by attackers 191 00:09:49,460 --> 00:09:52,400 to actually be able to weaken, 192 00:09:52,400 --> 00:09:56,836 or attack the cryptographic application, 193 00:09:56,836 --> 00:09:59,780 because there's no proper entropy, 194 00:09:59,780 --> 00:10:02,440 and it's very easy to actually be guessable. 195 00:10:02,440 --> 00:10:07,440 And these are typically susceptible whenever these PRNGs, 196 00:10:07,620 --> 00:10:11,100 or the Pseudo Random Number Generators, 197 00:10:11,100 --> 00:10:13,620 are actually initialized. 198 00:10:13,620 --> 00:10:15,363 Now, there's another type of vulnerability 199 00:10:15,363 --> 00:10:17,470 that is also fairly popular. 200 00:10:17,470 --> 00:10:19,420 This vulnerability is SQL injection. 201 00:10:20,570 --> 00:10:23,938 And this actually is whenever an attacker can insert, 202 00:10:23,938 --> 00:10:28,220 or inject a SQL query via the input data 203 00:10:28,220 --> 00:10:31,700 from either a client to the application, 204 00:10:31,700 --> 00:10:33,680 or to a specific database, 205 00:10:33,680 --> 00:10:37,110 or through a web-based application, 206 00:10:37,110 --> 00:10:38,250 and then, of course subsequently 207 00:10:38,250 --> 00:10:39,830 actually inject this into the database. 208 00:10:39,830 --> 00:10:41,950 So, attackers can actually exploit 209 00:10:41,950 --> 00:10:45,710 SQL injection vulnerabilities to read sensitive data 210 00:10:45,710 --> 00:10:49,970 from the database, or to modify or delete database data. 211 00:10:49,970 --> 00:10:52,829 So, they can also execute administration operations 212 00:10:52,829 --> 00:10:56,610 on the database, and even issue commands 213 00:10:56,610 --> 00:10:58,003 to the operating system.
214 00:10:58,870 --> 00:11:01,653 These are pretty serious types of vulnerabilities, 215 00:11:01,653 --> 00:11:06,350 and, of course, if they're leveraged correctly, 216 00:11:06,350 --> 00:11:07,490 all bets are off, 217 00:11:07,490 --> 00:11:11,660 the sensitive data can definitely be stolen, 218 00:11:11,660 --> 00:11:14,580 and exfiltrated out of the organization, 219 00:11:14,580 --> 00:11:18,820 or completely render the database useless, 220 00:11:18,820 --> 00:11:20,720 or delete the data in the database. 221 00:11:20,720 --> 00:11:24,410 So, there are many, many other types of vulnerabilities. 222 00:11:24,410 --> 00:11:28,130 So, if we actually enumerate all of them 223 00:11:28,130 --> 00:11:31,090 we'll be here for a long, long, long time, 224 00:11:31,090 --> 00:11:35,320 but I wanted to share with you a really good reference, 225 00:11:35,320 --> 00:11:37,210 a really good website 226 00:11:37,210 --> 00:11:40,057 that actually has tons of different types 227 00:11:40,057 --> 00:11:45,057 of vulnerabilities, and how they actually are introduced, 228 00:11:45,130 --> 00:11:48,620 but not only that, but how they can be mitigated. 229 00:11:48,620 --> 00:11:52,510 And that is actually OWASP, or the OWASP Foundation. 230 00:11:52,510 --> 00:11:55,726 And I'm actually sharing their website here. 231 00:11:55,726 --> 00:12:00,726 OWASP is a nonprofit charitable organization 232 00:12:01,070 --> 00:12:04,360 that has been dedicated to educating many organizations 233 00:12:04,360 --> 00:12:09,000 to develop, acquire, operate, and maintain applications 234 00:12:09,000 --> 00:12:10,540 that actually can be trusted. 235 00:12:10,540 --> 00:12:15,540 So, that's actually their motto, or their slogan. 236 00:12:15,650 --> 00:12:18,600 They maintain many different resources 237 00:12:18,600 --> 00:12:22,510 that security professionals actually can use to learn 238 00:12:22,510 --> 00:12:25,580 about different attacks, and different vulnerabilities.
239 00:12:25,580 --> 00:12:28,230 And again, not only learn about these types 240 00:12:28,230 --> 00:12:31,180 of vulnerabilities, but also how to protect against them, 241 00:12:31,180 --> 00:12:36,180 and how to proactively not introduce those vulnerabilities 242 00:12:37,250 --> 00:12:38,263 from the beginning.