Information Security Report: DROWN Bug and Mitigation Techniques

Added on  2020/03/07

AI Summary
This report focuses on the DROWN attack, a significant cross-protocol security vulnerability affecting HTTPS and other services relying on TLS and SSL. It explores the various types of threats, including DROWN, Logjam, FREAK, Bar Mitzvah, and POODLE, detailing their vulnerabilities and mitigation strategies. The report provides an in-depth analysis of the DROWN attack, explaining its exploitation of SSLv2 and its potential to compromise sensitive data. It also outlines crucial mitigation techniques, such as disabling SSLv2, patching OpenSSL, and ensuring private keys are not reused across different servers, IMAP, POP, SMTP servers, and other unmanaged software that can provide support to the SSL or TLS. The report emphasizes the importance of network administrators implementing these measures to safeguard systems from the DROWN vulnerability and other associated cyber security threats, offering a comprehensive understanding of the issue and its resolution.
Running head: INFORMATION SECURITY
Information Security
Name of the student
Name of the University
Author Note
Table of Contents
Introduction
Different types of threats
DROWN
Conclusion
References
Introduction
Information security is a major concern for most organizations today. It protects the integrity, confidentiality and availability of the data held in computer systems from malicious actors. Information security is largely a matter of risk management. Effective cryptographic tools can maintain the security of different systems and mitigate such issues. Organizations take various precautionary measures to keep their data secure and safe from attackers; still, there is a chance that machines will be attacked through bugs and malicious devices. This report considers the effects of the DROWN bug and the options for mitigating it.
Different types of threats
Various vulnerabilities have come up in recent years. Some of them are listed in the table below.

Year | Name | Vulnerability | Mitigation
2016 | DROWN | Sites supporting SSLv2 and EXPORT cipher suites. | Disabling SSLv2 and/or updating OpenSSL.
2015 | Logjam | Servers that use Diffie-Hellman key exchange are very vulnerable to having their sessions downgraded to extremely weak 512-bit keys. | Mitigation can be done by disabling the DHE_EXPORT ciphers; clients must upgrade their browsers.
2015 | FREAK | Clients are forced to downgrade from strong RSA to export RSA, since both the browser and the server are vulnerable. | Mitigation is possible by disabling the export ciphers in the server configuration. Patching OpenSSL is also a mitigation option.
2015 | Bar Mitzvah Attack | Exploits the RC4 encryption. | The mitigation option is disabling RC4.
2014 | POODLE | The server can fall back to SSLv3. | Disabling SSLv3 and implementing TLS_FALLBACK_SCSV.
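The following is an added example, not part of the original report, that turns the mitigation column of the table into an automated check: it audits Apache mod_ssl style SSLProtocol and SSLCipherSuite directives and reports which of the listed threats a configuration is still open to, with the weak configuration shown beside the hardened one. The directive names are mod_ssl's own; expanding "all" to include SSLv2 and checking the cipher string token by token (rather than with the full OpenSSL cipher-string grammar) are simplifying assumptions of this example.

```python
"""Audit Apache mod_ssl style TLS directives against the mitigations in the table above.

Added example, not from the original report. Assumptions: 'all' in SSLProtocol is
expanded to every protocol in ALL_PROTOCOLS (including SSLv2, the conservative reading
for older builds), and the cipher string is checked token by token rather than with the
full OpenSSL cipher-string grammar.
"""

ALL_PROTOCOLS = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2")


def parse_directives(config_text):
    """Turn 'Directive value' lines into a dict, ignoring blank lines and '#' comments."""
    directives = {}
    for line in config_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition(" ")
        directives[name] = value.strip()
    return directives


def enabled_protocols(sslprotocol):
    """Resolve an SSLProtocol value such as 'all -SSLv2 -SSLv3' to the set of enabled protocols."""
    enabled = set()
    for token in sslprotocol.split():
        if token.lower() == "all":
            enabled.update(ALL_PROTOCOLS)  # assumption: 'all' includes SSLv2
        elif token.startswith("-"):
            enabled.discard(token[1:])
        else:
            enabled.add(token.lstrip("+"))
    return enabled


def explicitly_disabled(cipher_string, keywords):
    """True if the cipher string carries a '!KEYWORD' kill token for any of the keywords.

    Conservative rule: a cipher class counts as allowed unless it is explicitly killed,
    because what 'HIGH' or 'DEFAULT' expands to depends on the OpenSSL build.
    """
    tokens = {t.strip() for t in cipher_string.split(":")}
    return any("!" + kw in tokens for kw in keywords)


def audit(config_text):
    """Return a sorted list of (threat, finding) pairs for the given directive text."""
    directives = parse_directives(config_text)
    findings = []
    protocols = enabled_protocols(directives.get("SSLProtocol", "all"))
    if "SSLv2" in protocols:
        findings.append(("DROWN", "SSLv2 enabled: add -SSLv2 and update OpenSSL"))
    if "SSLv3" in protocols:
        findings.append(("POODLE", "SSLv3 enabled: add -SSLv3 and support TLS_FALLBACK_SCSV"))
    ciphers = directives.get("SSLCipherSuite", "DEFAULT")
    if not explicitly_disabled(ciphers, ("EXPORT", "EXP")):
        findings.append(("FREAK/Logjam", "export-grade ciphers not excluded: add !EXPORT"))
    if not explicitly_disabled(ciphers, ("RC4",)):
        findings.append(("Bar Mitzvah", "RC4 not excluded: add !RC4"))
    return sorted(findings)


# Constructed sample configurations: the weak one beside the hardened one.
WEAK_CONFIG = """
SSLProtocol all
SSLCipherSuite ALL:!aNULL
"""

HARDENED_CONFIG = """
# Only TLS, no export-grade or RC4 suites
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite HIGH:!aNULL:!EXPORT:!RC4
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit(cfg) or "no findings")
```

Because the cipher check only looks for explicit kill tokens, it errs on the side of reporting a finding; a cipher string that relies on an alias like HIGH to exclude RC4 will still be flagged until !RC4 is added, which is the behaviour a hardening checklist wants.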
DROWN
One of the most recent attacks is the DROWN attack, a cross-protocol security bug (Aviram et al., 2016). It is a serious threat capable of affecting HTTPS and several other services that depend on TLS and SSL, two significant cryptographic protocols for maintaining the security of the internet. DROWN breaks the encryption so that an attacker can read and steal sensitive information: communications, credit card numbers, passwords, trade secrets and financial data. As per the research, around 33% of all HTTPS servers can be attacked by the bug (Tian et al., 2014).
Figure 1: Working of DROWN
(Source: Chowdhury, Karmakar & Kamruzzaman, 2017)
It can affect any server that offers services encrypted with TLS but still supports SSLv2. DROWN exploits a combination of the protocols in use and the configuration of the servers (Bozic et al., 2017). The exploitation is a chosen-ciphertext attack that uses the SSLv2 server as a Bleichenbacher oracle.
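The cross-protocol point above is easy to miss in an asset inventory: a server that only speaks TLS is still exposed if some other server sharing its RSA key accepts SSLv2. The following added example (not from the original report or from the DROWN authors) models that exposure over a constructed host inventory and derives a remediation plan. The key identifiers are placeholders standing in for a fingerprint of each certificate's public key, and the field names of the inventory records are this example's own.

```python
"""Model the cross-protocol exposure described for DROWN over a host inventory.

Added example, not from the original report. A TLS endpoint is treated as exposed when
any endpoint that shares its RSA key (same certificate or same key pair) still accepts
SSLv2, because that SSLv2 endpoint is the one usable as the oracle. 'key_id' values are
constructed placeholders for a public-key fingerprint.
"""
from collections import defaultdict


def drown_exposure(inventory):
    """Map each exposed (host, port) to the SSLv2-capable (host, port) endpoints sharing its key."""
    sslv2_endpoints_by_key = defaultdict(list)
    for ep in inventory:
        if "SSLv2" in ep["protocols"]:
            sslv2_endpoints_by_key[ep["key_id"]].append((ep["host"], ep["port"]))

    exposed = {}
    for ep in inventory:
        # An endpoint is exposed through any SSLv2 endpoint with the same key, itself included.
        oracles = sslv2_endpoints_by_key.get(ep["key_id"], [])
        if oracles:
            exposed[(ep["host"], ep["port"])] = oracles
    return exposed


def remediation_plan(inventory):
    """Return (endpoints where SSLv2 must be disabled, keys still shared by several endpoints).

    Disabling SSLv2 removes the oracle; keys that remain shared are listed so that an
    administrator can stop the reuse the report warns about.
    """
    disable_sslv2 = {(ep["host"], ep["port"]) for ep in inventory if "SSLv2" in ep["protocols"]}
    endpoints_by_key = defaultdict(set)
    for ep in inventory:
        endpoints_by_key[ep["key_id"]].add((ep["host"], ep["port"]))
    shared_keys = {key for key, eps in endpoints_by_key.items() if len(eps) > 1}
    return disable_sslv2, shared_keys


# Constructed inventory: a TLS-only HTTPS host that shares its key with an old SMTP server.
INVENTORY = [
    {"host": "www.example.test", "port": 443, "protocols": {"TLSv1.2"}, "key_id": "KEY-A"},
    {"host": "mail.example.test", "port": 25, "protocols": {"SSLv2", "SSLv3", "TLSv1"}, "key_id": "KEY-A"},
    {"host": "shop.example.test", "port": 443, "protocols": {"TLSv1.2"}, "key_id": "KEY-B"},
]

if __name__ == "__main__":
    for endpoint, oracles in drown_exposure(INVENTORY).items():
        print(f"{endpoint[0]}:{endpoint[1]} exposed via {oracles}")
    to_disable, shared = remediation_plan(INVENTORY)
    print("disable SSLv2 on:", sorted(to_disable))
    print("keys still shared across endpoints:", sorted(shared))
```

In the sample, www.example.test:443 never negotiates SSLv2 itself, yet it is reported as exposed because mail.example.test:25 uses the same key and still accepts SSLv2; shop.example.test:443, with its own key, is not.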
Conclusion
The report has described various mitigation techniques for DROWN. Other techniques have also been included: apart from applying the patches, network administrators have to ensure that private keys are not reused on any type of web server, IMAP and POP server, SMTP server or any other unmanaged software that supports SSL or TLS. As per the analysis, such reuse is what allows an SSLv2 connection to be used against those servers. IPS devices must be configured so that they filter out SSLv2 traffic. Embedded devices should use different RSA private keys to keep the systems protected. The report gives an in-depth insight into how the effects of DROWN can be mitigated to keep systems safe in homes and offices.
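An added example, not from the original report, of the SSLv2 filtering the conclusion asks of IPS devices: it classifies the first record of a connection, recognises the SSLv2 CLIENT-HELLO record format and the SSLv2 cipher-spec numbers (as defined in the SSL 2.0 specification), and returns a drop decision. The sample records are constructed, and the drop policy (drop any SSLv2-format hello that advertises the SSLv2 version or SSLv2 cipher specs) is this example's own choice.

```python
"""Classify the first record of an SSL/TLS connection so an IPS rule can drop SSLv2 handshakes.

Added example, not from the original report. SSLv2 record layout and cipher-spec numbers
follow the SSL 2.0 specification; the sample records below are constructed.
"""
import struct

SSLV2_CIPHER_SPECS = {
    0x010080: "SSL_CK_RC4_128_WITH_MD5",
    0x020080: "SSL_CK_RC4_128_EXPORT40_WITH_MD5",
    0x030080: "SSL_CK_RC2_128_CBC_WITH_MD5",
    0x040080: "SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5",
    0x050080: "SSL_CK_IDEA_128_CBC_WITH_MD5",
    0x060040: "SSL_CK_DES_64_CBC_WITH_MD5",
    0x0700C0: "SSL_CK_DES_192_EDE3_CBC_WITH_MD5",
}
SSLV2_CLIENT_HELLO = 0x01   # SSLv2 message type
TLS_HANDSHAKE = 0x16        # SSL 3.0 / TLS record content type


def classify_first_record(data):
    """Return a dict with 'kind' in {'sslv2-hello', 'tls-record', 'unknown'} plus details."""
    if len(data) < 3:
        return {"kind": "unknown"}
    if data[0] == TLS_HANDSHAKE and data[1] == 3:
        # SSL 3.0 / TLS record: type, then major version 3, then minor version.
        return {"kind": "tls-record", "version": (data[1], data[2])}
    if data[0] & 0x80:
        # SSLv2 two-byte record header: high bit set, remaining 15 bits are the length.
        length = ((data[0] & 0x7F) << 8) | data[1]
        body = data[2:2 + length]
        if len(body) < 9 or body[0] != SSLV2_CLIENT_HELLO:
            return {"kind": "unknown"}
        version = (body[1], body[2])
        cipher_len, sid_len, challenge_len = struct.unpack("!HHH", body[3:9])
        if cipher_len % 3 or len(body) < 9 + cipher_len + sid_len + challenge_len:
            return {"kind": "unknown"}  # malformed or truncated hello
        specs = [int.from_bytes(body[9 + i:12 + i], "big") for i in range(0, cipher_len, 3)]
        sslv2_names = [SSLV2_CIPHER_SPECS[s] for s in specs if s in SSLV2_CIPHER_SPECS]
        return {
            "kind": "sslv2-hello",
            "version": version,
            "cipher_specs": specs,
            "sslv2_cipher_names": sslv2_names,
            # Version 0x0002 is SSL 2.0 itself; SSLv2 cipher specs in a v2-format hello
            # show the client is prepared to use SSLv2 suites.
            "offers_sslv2": version == (0, 2) or bool(sslv2_names),
        }
    return {"kind": "unknown"}


def should_drop(data):
    """IPS decision: drop any SSLv2-format hello that offers SSLv2."""
    info = classify_first_record(data)
    return info["kind"] == "sslv2-hello" and info["offers_sslv2"]


# Constructed SSLv2 CLIENT-HELLO: 34-byte body, three cipher specs, 16-byte challenge.
SAMPLE_SSLV2_HELLO = (
    bytes([0x80, 0x22])                            # 2-byte header, length 34
    + bytes([0x01, 0x00, 0x02])                    # CLIENT-HELLO, version 0x0002 (SSL 2.0)
    + bytes([0x00, 0x09, 0x00, 0x00, 0x00, 0x10])  # cipher-spec len 9, session-id len 0, challenge len 16
    + bytes.fromhex("010080 020080 0700c0")        # RC4-128, RC4-40 export, 3DES
    + b"\x11" * 16                                 # challenge (constructed)
)

# Constructed, truncated TLS 1.0 handshake record: enough for the classifier's header check.
SAMPLE_TLS_RECORD = bytes.fromhex("16 03 01 00 05 01 00 00 01 00")

if __name__ == "__main__":
    for name, rec in (("sslv2", SAMPLE_SSLV2_HELLO), ("tls", SAMPLE_TLS_RECORD)):
        print(name, classify_first_record(rec)["kind"], "drop" if should_drop(rec) else "pass")
```

Only the first record is inspected, which is all a filter needs: an SSLv2 session can only begin with a v2-format CLIENT-HELLO, so dropping it at that point denies the oracle without touching TLS traffic on the same port.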