WEBVTT

00:00.750 --> 00:06.790
This Security+ exam is filled with scenario questions, and there are plenty of scenario questions

00:06.790 --> 00:11.470
that talk about vulnerability impact. Now, in lots of episodes

00:11.470 --> 00:17.380
we've covered all types of vulnerabilities and their impacts, but there are a few that I want to hit a

00:17.380 --> 00:18.130
little bit harder.

00:18.130 --> 00:24.070
So really what I'm doing is I'm grabbing directly from the Security+ objectives some of the vulnerability

00:24.070 --> 00:27.040
impact scenarios that you're probably going to be seeing.

00:27.040 --> 00:29.570
So we're just going to put them up on the screen here.

00:29.680 --> 00:33.850
And I'm going to come up with scenarios that you should be considering for the exam.

00:33.880 --> 00:34.400
You ready?

00:34.510 --> 00:35.580
Let's get started.

00:35.590 --> 00:40.280
Race conditions. A race condition simply means that something is running out of control.

00:40.300 --> 00:43.200
We can have ports on switches that run out of control.

00:43.240 --> 00:48.470
We can have applications that are running out of control. Whatever is running out of control,

00:48.550 --> 00:56.170
we are denied the use and facility of that. Also, in a race condition, certain types of resources like

00:56.170 --> 00:59.840
memory or storage can be eaten up very, very quickly.

00:59.860 --> 01:05.200
So when we see a race condition scenario, the impact of that vulnerability is going to be, at the very

01:05.200 --> 01:13.000
minimum, that we are denied the usage of whatever that device or software is, and equally it can begin to

01:13.000 --> 01:15.530
impact the stuff around it.

01:15.550 --> 01:21.250
Other programs, or if it's a physical device it can start affecting other switches maybe, and it's something

01:21.250 --> 01:23.910
that we need to turn off and isolate as quickly as possible.

01:23.980 --> 01:30.940
Embedded systems. An embedded system is simply an immutable system that never changes.

01:30.940 --> 01:36.760
It's still a full system; it's going to have storage, a CPU, an operating system,

01:36.760 --> 01:38.230
and input/output.

01:38.230 --> 01:43.680
The problem with embedded systems, more than anything else, is that because they're immutable,

01:43.720 --> 01:50.560
we tend to forget about them a lot, and we don't remember that they can have situations where they can

01:50.560 --> 01:56.740
be patched, so I guess not totally immutable, but they are set aside and far away.

01:57.160 --> 02:00.510
They need patches, they need anti-malware.

02:00.520 --> 02:06.370
They need firewalls, they need everything that we would use with a regular system, but because they tend

02:06.370 --> 02:11.890
to be tucked away and forgotten, sometimes we forget. The danger with embedded systems, more than

02:11.890 --> 02:16.300
anything else, is we forget to take care of them the same way that we would take care of any regular

02:16.300 --> 02:17.250
device.

02:17.380 --> 02:18.700
Lack of vendor support.

02:18.790 --> 02:19.760
OK.

02:19.780 --> 02:24.610
There are lots of vendors out there selling lots of different kinds of stuff, and lack of vendor support

02:24.940 --> 02:28.320
is a big issue, primarily with hardware.

02:28.390 --> 02:31.020
There are some software situations too.

02:31.240 --> 02:35.770
If a vendor is no longer supporting whatever it might be, there's one of two reasons.

02:35.800 --> 02:41.630
Either, A, the device or software has become obsolescent and the vendor is trying to move on,

02:41.740 --> 02:44.760
or, number two, the vendor is completely out of business.

02:44.800 --> 02:51.870
In either case the biggest downside, the biggest vulnerability, is that we can no longer patch these devices;

02:51.880 --> 02:53.830
we can no longer keep them updated.

02:53.830 --> 02:56.810
In some cases we can no longer get parts.

02:56.830 --> 02:59.010
If that is the particular case.

02:59.170 --> 03:05.580
So the impact there is that the device becomes open to potential problems.

03:05.590 --> 03:11.470
And in that case, usually the right answer is that we throw that stuff away and we go ahead and get something

03:11.470 --> 03:16.630
new that has proper vendor support. Misconfigured or weak configuration.

03:16.630 --> 03:22.630
Now to me these are two very different things. So first of all, weak configuration: probably the ultimate weak

03:22.820 --> 03:25.890
configuration is a default configuration.

03:25.930 --> 03:31.750
So for every piece of hardware and software out there, there are big lists, entire websites, that tell us what the

03:31.750 --> 03:35.530
default usernames and passwords are for just about everything in there.

03:35.530 --> 03:41.000
So it's really important for us to provide the best possible configurations we can: change usernames

03:41.080 --> 03:46.090
and passwords. But weak configuration can also mean things like, if I have four or five different types

03:46.090 --> 03:47.660
of wireless encryption.

03:47.730 --> 03:53.350
There are still plenty of wireless access points out there that still use WEP, and I did a recent personal

03:53.350 --> 03:58.240
study here in the Houston area and discovered something like eight percent of all wireless networks out

03:58.240 --> 04:03.160
there still run WEP, that could be easily reconfigured to a stronger configuration.

04:03.160 --> 04:09.220
The downside is that you create some form of exposure to some type of threat actor who will take advantage

04:09.550 --> 04:11.740
of that configuration.

04:11.830 --> 04:14.980
Now misconfiguration, to me, is a different animal altogether.

04:15.160 --> 04:21.100
When we say misconfiguration, that means we do have a configuration, but we have done something incorrect.

04:21.100 --> 04:27.250
So most of the time, when I'm thinking of misconfiguration, it's that we haven't turned on a service that

04:27.250 --> 04:34.390
we might be wanting to take advantage of; we didn't turn on a stateful firewall, for example. Or it could

04:34.390 --> 04:40.240
also mean something like we failed to turn off default services.

04:40.240 --> 04:45.740
My home router has a wonderful SSH server built into it, but I don't want anybody using that.

04:45.760 --> 04:50.830
It would certainly be, in my opinion, a misconfiguration to have that turned on.

04:50.830 --> 04:57.460
So any time we have a misconfiguration, we're exposing that device or that piece of software to potential

04:57.460 --> 04:59.890
threats that shouldn't be there in the first place.

05:00.230 --> 05:02.030
Improperly configured accounts.

05:02.030 --> 05:09.230
OK, so an improperly configured account basically means that we have a user or a system account that

05:09.290 --> 05:15.590
isn't being provided the rights and privileges and permissions that it needs. From the permission standpoint,

05:15.590 --> 05:21.020
it's either going to mean you're going to expose a particular account to far more than it should have,

05:21.320 --> 05:29.180
and the impacts there could be a regular user deleting a hard drive or something like that, to the opposite,

05:29.210 --> 05:33.770
where they don't have enough permissions, and in those types of situations they're unable to do their

05:33.770 --> 05:34.670
job.

05:34.670 --> 05:38.500
Also keep in mind that it's not just permissions, it's also rights.

05:38.510 --> 05:45.410
For example, if we were to accidentally turn off people's rights to access a system remotely, we might

05:45.410 --> 05:51.380
be preventing them from being able to do their jobs. So in either case the impact is going to be the

05:51.380 --> 05:56.450
potential that they can do something far more naughty than they should be able to, or, on the other side

05:56.450 --> 05:56.910
of it,

05:56.990 --> 05:59.780
they're not going to be able to do their job the way they need to do it.

05:59.780 --> 06:04.890
Vulnerable business processes. So a vulnerable business process, to me:

06:04.940 --> 06:09.010
Every business process has some degree of vulnerability.

06:09.050 --> 06:13.700
You know, we could always have a meteorite hit the building and those processes disappear.

06:13.970 --> 06:22.720
But what we're talking about are unconsidered business processes that leave us open to potential impacts

06:23.170 --> 06:24.420
from those vulnerabilities.

06:24.420 --> 06:28.630
So one might consider something like storing non-essential information.

06:28.630 --> 06:35.560
So for every customer for our sneakers, we store not only their shoe size and their address and their

06:35.560 --> 06:40.830
phone number, but we're also getting all kinds of information about their birthday and things like that,

06:40.840 --> 06:45.820
and their Facebook account and things like that, that don't really affect our business directly.

06:45.840 --> 06:51.640
Anytime we're storing personally identifiable information that could possibly be exposed, the impact

06:51.640 --> 06:58.360
could be massive in terms of the things that could go against us, in terms of money and reputation, to

06:58.360 --> 07:07.730
say nothing of legal. OK, memory buffer vulnerabilities. Well, any time we use memory, we have lots of vulnerabilities

07:07.730 --> 07:08.180
in there.

07:08.180 --> 07:17.470
But the list, basically, they say: resource exhaustion, memory leak, integer overflow, buffer overflow, pointer

07:17.510 --> 07:20.260
dereference, and DLL injection.

07:20.290 --> 07:22.160
And to me there are really three different groups in here.

07:22.160 --> 07:28.220
First of all, resource exhaustion or a memory leak. In that particular case what we're talking about is

07:28.220 --> 07:30.470
you're running out of memory.

07:30.650 --> 07:32.000
In that case you've got two choices.

07:32.000 --> 07:39.500
Number one, you get more of that resource, or add more RAM, or number two, you stop the thing that is doing

07:39.500 --> 07:40.160
this.

07:40.160 --> 07:45.560
So for example, a memory leak is because we have an application that isn't written properly, that has

07:45.560 --> 07:46.760
some type of problem.

07:46.760 --> 07:51.470
This talks about a recode or a patch, and you're going to have to go through and dig it up.

07:51.470 --> 07:55.090
Memory leaks are one of the most notorious problems that we can get.

07:55.100 --> 08:01.760
The bottom line is that if you run out of memory on a system, even with virtual memory, the system

08:01.760 --> 08:05.530
is going to lock up; you will be deprived of that service completely.

08:05.570 --> 08:13.010
Now a little bit different than that is integer overflow or a buffer overflow. Overflows will not necessarily

08:13.280 --> 08:14.680
turn the system off.

08:14.840 --> 08:21.680
But what they can do is they can make the system do weird things that it wasn't anticipating. There are famous

08:21.680 --> 08:28.700
buffer overflows on a particular type of server where, if you forced a buffer overflow, you basically

08:28.700 --> 08:30.690
got yourself to a terminal prompt.

08:30.710 --> 08:35.960
So we're really putting ourselves in a lot of danger with these types of things, simply because it could

08:35.960 --> 08:41.090
allow a bad actor to take higher control of the system than we anticipated.

08:41.340 --> 08:46.280
Now pointer dereferences and DLL injections, to me those kind of fit into a different world.

08:46.280 --> 08:52.700
In this particular case the system is still up and running fine, but we're sneaking behind a back door to

08:52.700 --> 08:54.630
do potential naughty things.

08:54.660 --> 09:02.910
So there's not a big clue with a pointer dereference or a DLL injection that something bad happened.

09:03.180 --> 09:07.720
With an integer overflow or a buffer overflow, usually the service itself is turned off.

09:07.830 --> 09:13.080
Suddenly the web server stops working or something like that. These other two can be more nefarious.

09:13.080 --> 09:15.800
The bottom line is that we have to have good firewalling.

09:15.810 --> 09:21.440
We're going to have to have good code that is robust against these types of problems, primarily input

09:21.450 --> 09:27.540
validation, and we're going to be watching these systems very, very closely, and especially if we're using

09:27.840 --> 09:32.790
third-party libraries, for anything that tends to be where those types of problems come from. System sprawl

09:32.790 --> 09:34.680
or undocumented assets.

09:34.680 --> 09:40.480
Wow, I can't even begin to start to talk about the impact of the vulnerabilities of something like that.

09:40.800 --> 09:41.850
Let's start with the easy stuff.

09:41.850 --> 09:48.090
Number one, it's not under my control as an administrator. Is it being patched? Is it being

09:48.090 --> 09:51.420
properly controlled? Is it being plugged into the right place?

09:51.470 --> 09:56.160
What are we using it for? What are the user accounts being used for on that?

09:56.310 --> 10:03.210
So at the very least, sprawling systems that are undocumented, because system sprawl and undocumented

10:03.210 --> 10:09.690
assets tend to go hand in hand, meaning that there is stuff that's outside the umbrella of administration

10:10.050 --> 10:16.440
that, unless the person who's decided to take care of it is just as good as I am, we can be left open

10:16.440 --> 10:23.640
to any type of vulnerability that you'd see with any individual host or application or VM or whatever

10:23.640 --> 10:25.450
this sprawled device is.

10:25.590 --> 10:30.310
And it could cause disastrous results.
