Cyber and Data Security Fusion Center

Defend Your Business from Cyber Risk with a 24/7 SOC
(Under Development)

Cyber risk covers all of the risks that emanate from external threat vectors, from denial of service (DoS) to ransom to theft to destruction (Stuxnet, for example). Data security covers all the causes and events that let private or confidential information get into the wrong hands, whatever the cause (it does not have to be a digital one). The union of these two classes of risk has considerable overlap, and whether they are insured or insurable is not important. This is a basket of risks that share a common root: protecting the information of an enterprise from threats.

COMPLETE CONTROL OF CYBER MONITORING AND MANAGEMENT

Manage all aspects of cyber risk and data security in a single solution with 24/7 monitoring and defense.

CUTTING-EDGE DEFENSES FOR MINIMAL COSTS

Our SOC is the least expensive, least intrusive, and most effective way to protect against cyber attacks and significantly reduce vulnerabilities.

SOFTWARE CUSTOMIZED FOR YOUR UNIQUE SYSTEMS

Deploy a suite of controls in an architecture that will minimize vulnerabilities specific to your systems.

24/7 DEFENSES FROM CYBER ATTACKS

Flag series of actions or events that call for the attention of the human experts who staff the control center 24/7.

LOG, TRACK, AND MONITOR ALL ACTIVITY

Log all actions or events that might be needed in the future if there is a serious event or breach.

Caerleon’s Cyber Fusion Center proactively defends against all known forms of modern intrusion. Our systems are built on top of self-learning AI (artificial intelligence) that is working behind the scenes to adapt and defend against new attacks. This ensures our systems are equipped to defend against new attacks before they potentially happen.

Caerleon Defends Against…

Ransomware is a type of malware that can be covertly installed on a computer without the user’s knowledge or consent, restricts access to the infected computer system in some way, and demands that the user pay a ransom to the malware operators to remove the restriction. The cryptovirology form of the attack has ransomware systematically encrypt files on the system’s hard drive, which become difficult or impossible to decrypt without paying the ransom for the decryption key. Caerleon offers a revolutionary new way to eliminate the effect of ransomware attacks and completely mitigate any potential losses.

DNS spoofing (or DNS cache poisoning) is a computer hacking attack, whereby data is introduced into a Domain Name System (DNS) resolver’s cache, causing the name server to return an incorrect IP address, diverting traffic to the attacker’s computer (or any other computer).

Cross-user defacement is where an attacker can make a single request to a vulnerable server that will cause the server to create two responses, the second of which may be misinterpreted as a response to a different request, possibly one made by another user sharing the same TCP connection with the server. This can be accomplished by convincing the user to submit the malicious request themselves, or remotely in situations where the attacker and the user share a common TCP connection to the server, such as a shared proxy server. In the best case, an attacker can leverage this ability to convince users that the application has been hacked, causing users to lose confidence in the security of the application. In the worst case, an attacker may provide specially crafted content designed to mimic the behavior of the application but redirect private information, such as account numbers and passwords, back to the attacker.

A technique where a hacker uses a mobile app (a mobile game for example) to infiltrate an employee’s mobile phone to gain access to vulnerable WiFi networks and Bluetooth connections that could compromise the security of their systems.

Also known as “dot-dot-slash”, “directory traversal”, “directory climbing” and “backtracking”, a path traversal attack aims to access files and directories that are stored outside the web root folder. By manipulating variables that reference files with “dot-dot-slash (../)” sequences and their variations, or by using absolute file paths, it may be possible to access arbitrary files and directories stored on the file system, including application source code, configuration, and critical system files. Note that access to files is still limited by the operating system’s own access controls (for example, locked or in-use files on Microsoft Windows).
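The check a file-serving endpoint needs against this attack is shown below as an added example (not Caerleon’s code): it percent-decodes the request so encoded variants of “../” are seen for what they are, refuses absolute paths and backslash separators, and then confirms that the fully resolved path still lies under the web root. The web root path and the sample requests are constructed for the example.

```python
import os
from urllib.parse import unquote


class PathTraversalError(ValueError):
    """Raised when a requested file path would leave the web root."""


def resolve_under_root(web_root: str, requested: str) -> str:
    """Map a client-supplied relative path onto a file inside web_root.

    Defensive steps, in order:
      1. Percent-decode repeatedly so encoded ("%2e%2e%2f") and double-encoded
         ("%252e%252e") variants are reduced to the dot-dot-slash they stand for.
      2. Reject null bytes, absolute paths and backslash separators outright;
         each is a way to escape the root that a plain join would honor.
      3. Join with the root, resolve, and confirm the resolved path still has
         the web root as a prefix.  This is the check that actually decides;
         the earlier steps only give clearer error messages.
    """
    root = os.path.realpath(web_root)
    decoded = requested
    for _ in range(3):  # a few rounds cover double and triple encoding
        new = unquote(decoded)
        if new == decoded:
            break
        decoded = new
    if "\x00" in decoded:
        raise PathTraversalError("null byte in path")
    if decoded.startswith(("/", "\\")) or "\\" in decoded:
        raise PathTraversalError("absolute path or backslash separator refused")
    candidate = os.path.realpath(os.path.join(root, decoded))
    if candidate != root and not candidate.startswith(root + os.sep):
        raise PathTraversalError(f"{requested!r} escapes the web root")
    return candidate


def is_safe_request(web_root: str, requested: str) -> bool:
    """Convenience wrapper: True if the path stays inside web_root."""
    try:
        resolve_under_root(web_root, requested)
        return True
    except PathTraversalError:
        return False
```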

A buffer overflow is an exploit that takes advantage of a program that reads a user’s input into a fixed-size buffer without checking its length. There are two main types of buffer overflow attacks: stack based and heap based. Heap-based attacks flood the memory space reserved for a program, but the difficulty involved in performing such an attack makes them rare. Stack-based buffer overflows are by far the most common.

Cross-site request forgery, also known as one-click attack or session riding and abbreviated as CSRF (sometimes pronounced sea-surf) or XSRF, is a type of malicious exploit of a website where unauthorized commands are transmitted from a user that the website trusts through the user’s web browser.

A Trojan virus is a malicious computer program which is used to hack into a computer by misleading users of its true intent. A prime example of this is a suspicious email from a friend or loved one asking for money or claiming you’ve won a prize worth millions.

In an account lockout attack, an attacker attempts to lock out user accounts by purposely failing the authentication process as many times as needed to trigger the account lockout functionality. This in turn prevents even the valid user from obtaining access to their account. For example, if an account lockout policy states that users are locked out of their accounts after three failed login attempts, an attacker can lock out accounts by deliberately sending an invalid password three times. On a large scale, this attack can be used as one method in launching a denial of service attack on many accounts. The impact of such an attack is compounded when there is a significant amount of work required to unlock the accounts to allow users to attempt to authenticate again.
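The denial-of-service side effect described above, and one common mitigation, as an added example (not Caerleon’s code): the first policy locks the account after three failures regardless of where they came from, so a stranger can lock the real user out; the second counts failures per account and source address and lets the lock expire, so the flood only locks the address it came from. Usernames and IP addresses are constructed for the example.

```python
import time
from collections import defaultdict

LOCK_THRESHOLD = 3      # failures before a lock, matching the three-attempt policy in the text
LOCK_SECONDS = 15 * 60  # a temporary lock instead of one that needs manual unlocking


class NaiveLockout:
    """The policy described above: three failures lock the account for everyone,
    so anyone who knows a username can lock its owner out."""

    def __init__(self):
        self.failures = defaultdict(int)  # user -> consecutive failures
        self.locked = set()

    def attempt(self, user, password_ok, source_ip):
        if user in self.locked:
            return "locked"
        if password_ok:
            self.failures[user] = 0
            return "ok"
        self.failures[user] += 1
        if self.failures[user] >= LOCK_THRESHOLD:
            self.locked.add(user)
        return "denied"


class ScopedLockout:
    """Mitigation: count failures per (user, source) and let the lock expire.

    Guesses flooding in from one address lock only that address out of the
    account; the legitimate user on another address is unaffected, so the
    lockout can no longer be turned into a denial of service.  The clock is
    injectable so the expiry can be exercised without waiting."""

    def __init__(self, now=time.time):
        self.now = now
        self.failures = defaultdict(int)  # (user, ip) -> consecutive failures
        self.locked_until = {}            # (user, ip) -> unix time the lock ends

    def attempt(self, user, password_ok, source_ip):
        key = (user, source_ip)
        until = self.locked_until.get(key)
        if until is not None:
            if self.now() < until:
                return "locked"
            del self.locked_until[key]    # lock expired; start counting afresh
            self.failures[key] = 0
        if password_ok:
            self.failures[key] = 0
            return "ok"
        self.failures[key] += 1
        if self.failures[key] >= LOCK_THRESHOLD:
            self.locked_until[key] = self.now() + LOCK_SECONDS
        return "denied"


def victim_outcome(policy):
    """A stranger at 203.0.113.9 fails three times against 'alice'; then the
    real Alice logs in with the right password from 198.51.100.7.
    (Addresses are from documentation ranges, constructed for the example.)"""
    for _ in range(LOCK_THRESHOLD):
        policy.attempt("alice", False, "203.0.113.9")
    return policy.attempt("alice", True, "198.51.100.7")
```

Per-source counting is one layer: it should sit alongside rate limiting and notifying the account owner, since a flood spread over many addresses defeats it on its own.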

Execution After Redirect (EAR) is an attack where an attacker ignores redirects and retrieves sensitive content intended for authenticated users. A successful EAR exploit can lead to complete compromise of the application.

Session Hijacking consists of the exploitation of the web session control mechanism, which is normally managed by a session token. This attack compromises the session token by stealing or predicting a valid session token to gain unauthorized access to the Web Server.

A session prediction attack focuses on predicting session ID values that permit an attacker to bypass the authentication schema of an application. By analyzing and understanding the session ID generation process, an attacker can predict a valid session ID value and get access to the application.

Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted web sites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user within the output it generates without validating or encoding it.

An SQL injection attack consists of insertion or “injection” of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutdown the DBMS), recover the content of a given file present on the DBMS file system and in some cases issue commands to the operating system. SQL injection attacks are a type of injection attack, in which SQL commands are injected into data-plane input in order to effect the execution of predefined SQL commands.
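Why the injection works and what stops it, as an added example (not Caerleon’s code) using an in-memory SQLite table with constructed rows: the concatenated query lets client input become part of the SQL text, while the parameterised query binds the same input as data, so it can never change the statement. The same parameterised form also handles legitimate names containing an apostrophe, which the concatenated version rejects as a syntax error.

```python
import sqlite3


def make_db():
    """Constructed in-memory table with sample rows; not real accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "sample-a"), ("bob", "sample-b"), ("o'brien", "sample-c")],
    )
    return conn


def lookup_vulnerable(conn, name):
    """String concatenation: the client's input is parsed as part of the SQL
    statement, so a quote in the input changes the statement's structure."""
    sql = "SELECT name FROM users WHERE name = '" + name + "' ORDER BY name"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, name):
    """Parameterised query: the statement is compiled first and the input is
    bound afterwards as a value, so it is compared, never interpreted."""
    sql = "SELECT name FROM users WHERE name = ? ORDER BY name"
    return [row[0] for row in conn.execute(sql, (name,))]


def vulnerable_query_fails(conn, name):
    """True if the concatenated query is rejected by the SQL parser, which is
    what happens to ordinary names that contain an apostrophe."""
    try:
        lookup_vulnerable(conn, name)
        return False
    except sqlite3.OperationalError:
        return True
```

The database account the application connects with should also hold only the rights the queries need, so that even a successful injection cannot reach the administrative operations listed above.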

Command injection is an attack in which the goal is execution of arbitrary commands on the host operating system via a vulnerable application. Command injection attacks are possible when an application passes unsafe user supplied data (forms, cookies, HTTP headers etc.) to a system shell. In this attack, the attacker-supplied operating system commands are usually executed with the privileges of the vulnerable application. Command injection attacks are possible largely due to insufficient input validation.

PHP Object Injection is an application level vulnerability that could allow an attacker to perform different kinds of malicious attacks, such as Code Injection, SQL Injection, Path Traversal and Application Denial of Service, depending on the context. The vulnerability occurs when user-supplied input is not properly sanitized before being passed to the unserialize() PHP function. Since PHP allows object serialization, attackers could pass ad-hoc serialized strings to a vulnerable unserialize() call, resulting in an arbitrary PHP object(s) injection into the application scope.

Similar to SQL Injection, XPath Injection attacks occur when a web site uses user-supplied information to construct an XPath query for XML data. By sending intentionally malformed information into the web site, an attacker can find out how the XML data is structured, or access data that he may not normally have access to. He may even be able to elevate his privileges on the web site if the XML data is being used for authentication (such as an XML based user file).

A brute force attack can manifest itself in many different ways, but primarily consists in an attacker configuring predetermined values, making requests to a server using those values, and then analyzing the response. For the sake of efficiency, an attacker may use a dictionary attack (with or without mutations) or a traditional brute-force attack (with given classes of characters e.g.: alphanumerical, special, case (in)sensitive). Considering a given method, number of tries, efficiency of the system which conducts the attack, and estimated efficiency of the system which is attacked the attacker is able to calculate approximately how long it will take to submit all chosen predetermined values.

A DoS Attack is a Denial of Service attack. This means that one computer and one internet connection are used to flood a server with packets (TCP / UDP). The point of such a denial of service attack is to overload the targeted server’s bandwidth and other resources. This will make the server inaccessible to others, thereby blocking the website or whatever else is hosted there. A DDoS Attack is a Distributed Denial of Service Attack. In most respects it is similar to a DoS attack but the results are much, much different. Instead of one computer and one internet connection, the DDoS attack utilises many computers and many connections. The computers behind such an attack are often distributed around the whole world and will be part of what is known as a botnet. The main difference between a DDoS attack and a DoS attack, therefore, is that the target server will be overloaded by hundreds or even thousands of requests in the case of the former, as opposed to just one attacker in the case of the latter.

Traffic Flood is a type of DoS attack targeting web servers. The attack exploits the way that the TCP connection is managed. The attack consists of the generation of a lot of well-crafted TCP requests, with the objective of stopping the Web Server or causing a performance decrease. The attack exploits a characteristic of the HTTP protocol: opening many connections at the same time to serve a single request. This feature of the HTTP protocol, which consists of opening a TCP connection for every HTML object and then closing it, can be used for two different kinds of exploitation. The Connect attack is carried out during the establishment of the connection, and the Closing attack is carried out during the connection closing.

An HTTP request tampering attack is based on the manipulation of parameters exchanged between client and server in order to modify application data, such as user credentials and permissions, price and quantity of products, etc. Usually, this information is stored in cookies, hidden form fields, or URL Query Strings, and is used to increase application functionality and control.

Encoding, closely related to Escaping is a powerful mechanism to help protect against many types of attack, especially injection attacks and Cross-site Scripting (XSS). Essentially, encoding involves translating special characters into some equivalent that is no longer significant in the target interpreter. So, for example, using HTML entity encoding before sending untrusted data into a browser will protect against many forms of Cross-site Scripting (XSS).

Spyware is a program that captures statistical information from a user’s computer and sends it over the internet without the user’s consent. This information is usually obtained from cookies and the web browser’s history. Spyware can also install other software, display advertisements, or redirect the web browser activity. Spyware differs from a virus, worm, and adware in various ways. Spyware does not self-replicate and distribute itself like viruses and worms, and does not necessarily display advertisements like adware. The common characteristics between spyware and viruses, worms, and adware are:

  1. Exploitation of the infected computer for commercial purposes
  2. The display, in some cases, of advertisements

Sniffing application traffic simply means that the attacker is able to view network traffic and will try to steal credentials, confidential information, or other sensitive data. Anyone with physical access to the network, whether it is switched or via a hub, is likely able to sniff the traffic. (See dsniff and arpspoof tools). Also, anyone with access to intermediate routers, firewalls, proxies, servers, or other networking gear may be able to see the traffic as well.

The man-in-the-middle attack intercepts a communication between two systems. For example, in an HTTP transaction the target is the TCP connection between client and server. Using different techniques, the attacker splits the original TCP connection into two new connections, one between the client and the attacker and the other between the attacker and the server, as shown in figure 1. Once the TCP connection is intercepted, the attacker acts as a proxy, being able to read, insert and modify the data in the intercepted communication.

CORS stands for Cross-Origin Resource Sharing. It is a feature offering the possibility for:

• A web application to expose resources to all domains or to a restricted set of domains,
• A web client to make an AJAX request for a resource on a domain other than its source domain.

CSP is a W3C specification offering the possibility to instruct the client browser from which location and/or which type of resources are allowed to be loaded. To define a loading behavior, the CSP specification uses “directives”, where a directive defines a loading behavior for a target resource type.

Credential brute-forcing is the process of trying to guess all the passwords with CPU power anywhere in a company’s servers or networks.

The process of recovering passwords from data that has been stored in or transmitted by a computer system. A common approach (brute-force attack) is to try guesses repeatedly for the password and check them against an available cryptographic hash of the password.

This attack consists of a script that does not properly validate user inputs in the page parameter. A remote user can supply a specially crafted URL to pass arbitrary code to an eval() statement, which results in code execution.

The Format String exploit occurs when the submitted data of an input string is evaluated as a command by the application. In this way, the attacker could execute code, read the stack, or cause a segmentation fault in the running application, causing new behaviors that could compromise the security or the stability of the system.

HTTP response splitting is a form of web application vulnerability, resulting from the failure of the application or its environment to properly sanitize input values. It can be used to perform cross-site scripting attacks, cross-user defacement, web cache poisoning, and similar exploits.

LDAP Injection is an attack used to exploit web-based applications that construct LDAP statements based on user input. When an application fails to properly sanitize user input, it is possible to modify LDAP statements using a local proxy. This could result in the execution of arbitrary commands such as granting permissions to unauthorized queries, and content modification inside the LDAP tree. The same advanced exploitation techniques available in SQL Injection can be similarly applied in LDAP Injection.

ASP.NET applications can be configured to produce debug binaries. These binaries give detailed debugging messages and should not be used in production environments. The debug attribute of the <compilation> tag defines whether compiled binaries should include debugging information. Symbols (.pdb files) tell the debugger how to find the original source files for a binary, and how to map breakpoints in code to lines in those source files.

A flood attack is a Denial of Service (DoS) attack designed to bring a network or service down by flooding it with large amounts of traffic. Flood attacks occur when a network or service becomes so weighed down with packets initiating incomplete connection requests that it can no longer process genuine connection requests. By flooding a server or host with connections that cannot be completed, the flood attack eventually fills the host’s memory buffer. Once this buffer is full no further connections can be made, and the result is a Denial of Service.

SSL DDoS attacks and SSL DoS attacks target the SSL handshake mechanism, send garbage data to the SSL server, or abuse functions related to the SSL encryption key negotiation process. SSL attacks in the form of a DoS attack can also be launched over SSL-encrypted traffic, making them extremely difficult to identify.

The use of a hard-coded password has many negative implications, the most significant of these being a failure of authentication measures under certain circumstances. A hard-coded password increases the possibility of password guessing tremendously.

Improper handling of errors can introduce a variety of security problems for a web site. The most common problem is when detailed internal error messages such as stack traces, database dumps, and error codes are displayed to the user (hacker). These messages reveal implementation details that should never be revealed. Such details can provide hackers important clues on potential flaws in the site, and such messages are also disturbing to normal users.

An integer overflow condition exists when an integer, which has not been properly sanity checked, is used in the determination of an offset or size for memory allocation, copying, concatenation, or similar operations. If the integer in question is incremented past the maximum possible value, it may wrap to become a very small or negative number, therefore providing a very incorrect value.

Using existing credentials from a social networking service such as Facebook, Twitter or Google+ to access a third-party web service.

A memory leak is an unintentional form of memory consumption whereby the developer fails to free an allocated block of memory when it is no longer needed.

A vulnerability created by poor or weak encryption methods.

Programs that run with root privileges have caused innumerable Unix security disasters. It is imperative that you carefully review privileged programs for all kinds of security problems, but it is equally important that privileged programs drop back to an unprivileged state as quickly as possible in order to limit the amount of damage that an overlooked vulnerability might be able to cause.

An open redirect is an application that takes a parameter and redirects a user to the parameter value without any validation. This vulnerability is used in phishing attacks to get users to visit malicious sites without realizing it.
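The validation the definition above says is missing, as an added example (not Caerleon’s code): a redirect parameter is accepted only if it is a site-absolute path or a full http(s) URL whose host is on an allowlist, and everything else falls back to a safe default. The allowlist entry `app.example.com` is an assumed value for the example.

```python
from urllib.parse import urlsplit

# Hosts this application may redirect to (assumed value for the example).
ALLOWED_HOSTS = {"app.example.com"}


def safe_redirect_target(next_param: str, default: str = "/") -> str:
    """Return a redirect target that stays on this application.

    Accepts a site-absolute path ("/dashboard") or a full http(s) URL whose
    host is on the allowlist.  Anything else falls back to `default`: other
    hosts, scheme-relative "//other.example", backslash variants that browsers
    read as slashes, userinfo tricks ("https://good.host@other.example"), and
    non-web schemes such as javascript: or data:.
    """
    if not next_param or any(c in next_param for c in "\r\n\x00"):
        return default
    # Browsers treat "\" as "/" in URLs, so normalise before parsing; otherwise
    # "/\other.example" parses as a local path here but leaves the site there.
    candidate = next_param.replace("\\", "/")
    parts = urlsplit(candidate)
    if parts.netloc:
        # Absolute or scheme-relative URL: require an explicit http(s) scheme
        # and an allowlisted host.  `hostname` strips userinfo and port.
        if parts.scheme not in ("http", "https"):
            return default
        if (parts.hostname or "").lower() not in ALLOWED_HOSTS:
            return default
        return candidate
    if parts.scheme:
        # e.g. "javascript:..." or "http:other.example" without a netloc
        return default
    # Relative target: must be site-absolute; a bare "dashboard" is ambiguous
    if not candidate.startswith("/"):
        return default
    return candidate
```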

When considering the vulnerabilities of a system, the hardware is usually ignored. Software certainly presents the biggest target—fairly easily exploited as we have seen—but a new class of attacks goes directly at the hardware, specifically network cards. The results can range from a permanent denial-of-service to a complete compromise of the card’s function.

Session Variable Overloading (also known as Session Puzzling) is an application level vulnerability which can enable an attacker to perform a variety of malicious actions not limited to:

• Bypass efficient authentication enforcement mechanisms, and impersonate legitimate users.
• Elevate the privileges of a malicious user account, in an environment that would otherwise be considered foolproof.
• Skip over qualifying phases in multiphase processes, even if the process includes all the commonly recommended code level restrictions.
• Manipulate server-side values in indirect methods that cannot be predicted or detected.
• Execute traditional attacks in locations that were previously unreachable, or even considered secure.

A stack overflow condition is a buffer overflow condition, where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function).

The use of self-reported DNS names as authentication is flawed and can easily be spoofed by malicious users.

The use of single-factor authentication can lead to unnecessary risk of compromise when compared with the benefits of a dual-factor authentication scheme.

A Cash Overflow attack is a Denial of Service attack specifically aimed at exceeding the hosting costs for a cloud application, either essentially bankrupting the service owner or exceeding the application cost limits, leading the cloud service provider to disable the application.


Unsure of What Solutions You May Need?

If you’re currently aware of exactly what your unique needs are regarding total IT security and response, we look forward to learning how Caerleon can help to better serve and defend your organization. If you do not fully understand what solutions you may need, the team at Caerleon are experts in identifying the unique challenges, technical vulnerabilities, and exact solutions specific to each client’s unique needs and organizations, and are happy to assist you in discovering your current standing and ideal solution.