Drown Attack Latest Security Vulnerability

Question: Discuss about the case study Drown Attack for Latest Security Vulnerability. Answer: Introduction Security Vulnerability of a system is its weakness that opens a path for the attacker to get the information present within through unauthorized means. One of the latest addition in the list of security vulnerability is the DROWN Attack. Profile of the Threat DROWN Attack Meaning and System it attacks DROWN stands for Decrypting RSA with Obsolete and Weakened eNcryption and it is and attack that is a security vulnerability which breaks the encrypted system and acquires the information held within. It affects the internet security by attacking the essential cryptographic protocols such as Secure Socket Layer (SSL), Transport Layer Security (TSL and HTTPS (Leyden, 2016). Security Vulnerability Likelihood Impact Consequence Risk Ranking Risk Level (1 is high on severity and priority and 5 is lowest) DROWN Attack High High Acquiring the sensitive information by hampering the confidentiality, integrity and privacy of the same Critical 1 Table 1: DROWN Attack How it attacks the system DROWN is a cross protocol attack that targets the SSLv2 implementations to break the transport layer security. It works by decrypting the HTTPS connections by sending the malicious packets on the network or with the help of man-in-the-middle attack (Khandelwal, 2016). DROWN Attack Vulnerable Systems (Drownattack.com, 2016) The attacker in this case observes the SSL/TSL session and the RSA exchange that takes place and attempts handshake with the system. The server response is recorded and the brute-forces are used for decryption along with other methods as suggested above. The pre-master secret from the target session is then retrieved (Schneier, 2016). A server is prone to the DROWN attack in two broad scenarios. The first and the more common is that SSLv2 connections are not disabled. The root cause behind the same is errors in the configurations or incorrect default settings. Another major reason that invites DROWN attack is that the private key is allowed to be shared outside of the server. There are many organizations that make use of the same key certificate on their web and email servers. If one of these servers supports the SSLv2 connections and the other does not, even then the attacker may take advantage of the situation and may break in to the security of the connection. There are a total of 33% HTTPS servers that are prone to this security vulnerability. Mitigation Strategies There are measures that the system should adapt to avoid the DROWN attack. The first and the foremost step is to make sure that SSLv2 is disabled in the system and the private keys are not shared anywhere else outside the system. This includes web servers, public servers, SMTP servers and likewise. OpenSSL is a cryptographic library that is used by a number of users and vendors across the system. One of the measures to be secure from the DROWN attack is the usage of latest version of OpenSSL. OpenSSL 1.0.2 users must ensure that they upgrade to the version OpenSSL 1.0.2g and the OpenSSL 1.0.1 users must make sure that they upgrade to the latest version as OpenSSL 1.0.1s. Network Security Service (NSS) is another cryptographic library that is in use in the current world of internet. NSS version 3.13 that was released in the year 2012 and all the versions that came thereafter must make sure that SSLv2 is disabled by default. Conclusion The present era is the era of internet and web based interactions. The same has led to a number of security risks and vulnerability. DROWN attack is an example of one such latest security vulnerability that has affected one third of the HTTPS servers or have made them prone to the same. It allows a remote attacker to target an individual message from a server that does not have SSLv2 connections disabled (www.us-cert.gov, 2016). Use of upgraded versions of the cryptographic libraries such as OpenSSL and NSS along with disabling the SSLv2 connections is the basic mitigation strategies that must be followed. Also, keeping the private keys as private in nature would also aid in mitigating the vulnerability. In the Microsoft IIS versions, SSLv2 connections are not disabled by default in the versions prior to version 7. The same must be kept in mind while using such version and manual intervention must be made to disable the unwanted connection to be safe and secure from the security vuln erabilities. These measures would allow maintaining the confidentiality, integrity, availability and the security of the data and the information present within a system. References Drownattack.com,. (2016). DROWN Attack. Drownattack.com. Retrieved 5 August 2016, from https://drownattack.com/ Khandelwal, S. (2016). DROWN Attack More than 11 Million OpenSSL HTTPS Websites at Risk. The Hacker News. Retrieved 5 August 2016, from https://thehackernews.com/2016/03/drown-attack-openssl-vulnerability.html Leyden, J. (2016). One-third of all HTTPS websites open to DROWN attack. Theregister.co.uk. Retrieved 5 August 2016, from https://www.theregister.co.uk/2016/03/01/drown_tls_protocol_flaw/ Schneier, B. (2016). DROWN Attack - Schneier on Security. Schneier.com. Retrieved 5 August 2016, from https://www.schneier.com/blog/archives/2016/03/drown_attack.html www.us-cert.gov,. (2016). SSLv2 DROWN Attack. Us-cert.gov. Retrieved 5 August 2016, from https://www.us-cert.gov/ncas/current-activity/2016/03/01/SSLv2-DROWN-Attack