Whether you are a security manager whose company network is being audited or an external auditor, you cannot audit a site without a sound plan.
Security Audits – Auditor or Hacker
In most cases, no difference exists between a hacker tool and an auditing tool.
Security Audits – What Information Can You Obtain
Security Audits – Network-level Information
Routers and switches
Security Audits – Host-level Information
Active ports and server types
Configuration defaults and problems
Security Audits – Conducting Research
Research can take many different forms, including the following:
Live testing, in which auditors test popular network daemons and services for weaknesses.
Searching recognized security sites for reports about bugs relevant to a particular daemon, operating system or combination thereof.
Networking with known auditors and hackers to learn more about ways daemons are attacked.
Studying the source code of the daemon in question.
Security Audits – Question 1
If you were asked by your company’s managers to inform them about the most pressing threat to their business, what would your answer be?
Security Audits – Question 1 Answer
You should ask them the following questions in return:
What is the nature of their business, and which servers are central to being able to reach their business goals?
If the company managers want to know which attacks are the most common, explain that attacks from employees are at least as common as those from outsiders.
Arguably, the second-most pressing issue for many ecommerce companies today is powerful, distributed attacks meant to consume Internet bandwidth and crash systems.
Security Audits – Question 2
You have been asked to audit a mid-sized company that has three distinct departments: Human Resources, Research and Development, and Marketing. Each department has been attacked, resulting in the loss of sensitive information. You are now conducting your audit, and have found problems in all three departments that have led to breaches. The company, however, has limited resources. What can you do to ensure that the company is as protected as possible?
Security Audits – Question 2 Answer
Meet with management to prioritize resources. If you take this step, you will be able to give advice that protects the most important resources. During this phase, you may find that the company will reconsider its resource allocation strategy and decide to fund all of your suggestions.
Security Audits – Question 3
Working as an auditor, you learn that a particular department has had problems with employees gaining unauthorized access to a database. As an auditor, how can you solve some of the problems that allowed this unauthorized access?
Security Audits – Question 3 Answer
First, discover the resource: conduct scans to determine where the resource is located. Second, identify potential weaknesses, including system bugs, weak passwords and problems in the network implementation that can lead to system penetration. Finally, show how access to the resource was controlled, then propose a solution that helps the company overcome this problem.
Discovery Tools & Methods Intro
The first step a security auditor or a hacker takes is to discover the network!
Discovery Tools & Methods – Security Scans
Security scans come in many varieties:
DNS utilities such as whois, nslookup and host
Standard applications, including ping, traceroute, Telnet and SNMP
Ping, port and share scanners
Network and share discovery applications, including NMAP and RedButton
Enterprise-grade vulnerability scanners, which combine these methods
Using nslookup, a DNS troubleshooting tool, you can build on the information gained from your Whois query to learn more about the network. nslookup can be made to behave like a secondary DNS server and request a zone transfer of the whole domain to your system.
Discovery Tools & Methods – NSLOOKUP Hardening
Configure DNS to deny zone transfers
Place the DNS servers inside a firewall and allow zone transfers only to certain hosts.
Ping Scanning and Traceroute
Pinging an organization’s Web server can help you learn the entire IP address range used by that organization. This knowledge helps you create a map of the network.
Using traceroute, you can learn a network’s physical layout, including the routers it uses to connect with other networks and the Internet.
A port scan is similar to a ping scan, except that instead of simply reporting back the IP addresses, the port scanner also discovers any active UDP and TCP ports present on the system. A port scanner is generally used to “drill down” into one host and determine which services or daemons are running on it.
Network-Discovery and Server-Discovery Applications
Using simple programs such as Ping Pro, RedButton, and NMAP, you can discover network ports open on the physical wire, obtain information from servers that have the Server service enabled, and perform stack fingerprinting and operating system detection.
Using Telnet and SNMP
You can use Telnet to attach to a system and use the SYST command. Many TCP/IP stacks will reveal important information.
SNMP allows you to determine relevant statistics and information from your hosts. You can also use SNMP to actually reprogram an interface or service, including setting router hops, stopping and starting services, interfaces, etc.
Most SMTP and POP3 servers still send passwords in the clear, raising the possibility of a man-in-the-middle attack.
LDAP, FTP, SMTP and HTTP servers are vulnerable to buffer overflow attacks.
Trivial TCP/IP services such as Finger and TFTP can help divulge important information that hackers use for social engineering and other attacks.
After the hacker has determined the scope of your system, a specific target is chosen for penetration. Usually, the target is the one with the weakest security or for which the hacker has the most tools.
Attack Signatures and Auditing
An attack signature is the particular “fingerprint” of an attack.
Intrusion-detection programs and network scanners use attack signatures to identify and foil attacks.
Reviewing Common Attacks
Dictionary: Testing a security accounts database against a long list of words meant to guess a password
Man-in-the-middle: A hacker sniffs passwords and obtains information from legitimate transactions. (Use strong encryption)
Hijacking: Two parties engaging in a transaction are intruded upon by a third party (a hacker), who excludes one of the first two participants, then continues the connection. (Use strong authentication)
Reviewing Common Attacks cont’d
Viruses: A simple program that self-replicates and/or deposits a payload. (Use anti-virus products, as well as recurring user training)
Illicit servers: An illicit server is any unauthorized service or daemon running on your system.
Denial-of-service: The use of various applications (including viruses and packet generators) to crash systems and/or consume bandwidth.
Attack R.U.L.E.S – Ruling Attacks
Preventing Denial-Of-Service Attacks
During a Denial-of-service attack, a hacker creates multiple half-open TCP connections. To mitigate:
Improving operating system patch level
Closely observing the code creation process, if you have employees creating custom applications
Obtaining only stable versions of servers, services and applications.
Auditing Trojans and Worms
A Trojan is a file that operates a specific way, but also has a secret operation that subverts security.
Scan for open ports – if you can’t account for a listening or sending port, you might have detected a problem.
A worm is a type of computer virus program that spreads itself from system to system, and can crash a system or make it permanently unstable.
Configure the firewall to exclude specific activities
Use intrusion-detection systems and software
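The port-accounting check above (every listening or sending port must be explained) can be made repeatable by comparing a snapshot of listening sockets against an approved-services baseline agreed with the system owner. The following is an added example, not code from the original course material; the netstat-style lines, process names and the approved-services table are constructed for the illustration.

```python
"""Account for every listening port on a host against an approved baseline.

Added example (not from the original material). Input lines imitate the
layout of a netstat-style listing; they are constructed, not captured.
"""

# Constructed snapshot of listening sockets on the audited host.
NETSTAT_LINES = [
    "tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd",
    "tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1201/httpd",
    "tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      4410/nc",
    "tcp        0      0 0.0.0.0:12345           0.0.0.0:*               LISTEN      4231/cron2",
    "udp        0      0 0.0.0.0:161             0.0.0.0:*                           1023/snmpd",
]

# Approved-services baseline: (protocol, port) -> program expected to own it.
# Constructed for the example; in practice it comes from the system owner.
APPROVED = {
    ("tcp", 22): "sshd",
    ("tcp", 80): "httpd",
    ("tcp", 25): "sendmail",
    ("udp", 161): "snmpd",
    ("udp", 514): "syslogd",
}


def parse_netstat_line(line):
    """Reduce one listing line to (proto, local address, port, program)."""
    fields = line.split()
    proto = fields[0].rstrip("6")          # treat tcp6/udp6 like tcp/udp
    addr, _, port = fields[3].rpartition(":")
    pid_prog = fields[-1]                  # "pid/program" or "-" when unknown
    prog = pid_prog.split("/", 1)[1] if "/" in pid_prog else pid_prog
    return (proto, addr, int(port), prog)


def audit_listeners(listeners, approved):
    """Classify listeners relative to the baseline.

    unaccounted   - port open that the baseline does not explain
    wrong_process - approved port, but a different program owns it
    missing       - approved service that is not listening at all
    """
    findings = {"unaccounted": [], "wrong_process": [], "missing": []}
    seen = set()
    for proto, _addr, port, prog in listeners:
        key = (proto, port)
        seen.add(key)
        if key not in approved:
            findings["unaccounted"].append((proto, port, prog))
        elif approved[key] != prog:
            findings["wrong_process"].append((proto, port, prog, approved[key]))
    for (proto, port), prog in approved.items():
        if (proto, port) not in seen:
            findings["missing"].append((proto, port, prog))
    return findings


def audit_snapshot(lines=NETSTAT_LINES, approved=APPROVED):
    """Parse a listing and audit it in one step."""
    return audit_listeners([parse_netstat_line(l) for l in lines], approved)


if __name__ == "__main__":
    for category, items in audit_snapshot().items():
        print(category)
        for item in items:
            print("   ", item)
```

Each finding maps to an audit action: an unaccounted port is a candidate illicit server or Trojan, a wrong-process finding means an approved port has been taken over by something else, and a missing service is a change to confirm with the owner rather than ignore.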
Intrusion detection is the real-time monitoring of network activity behind the firewall. An IDS detects, logs and sometimes even responds to network activity that it deems objectionable.
Intrusion Detection Application Strategies
All IDS applications rely on one of two strategies to detect attacks, as follows:
Signature detection: The IDS application relies upon pre-defined rules in order to act.
Anomaly detection: The IDS application creates a baseline of normal activity. Then, whenever network traffic deviates significantly from the baseline, an alert is issued and corrective or protective options are activated.
Intrusion Detection Concerns
Hackers can coordinate attacks to overburden an IDS. The result is that the IDS becomes an unwitting participant in a denial-of-service attack or cannot perform normal detection activities.
Perhaps one of the most challenging but critical aspects of security auditing is the analysis of log files.
Regardless of the efforts you make to secure your network, you must assume that someone at some time will break into it. You need a reliable method for determining whether a breach occurred, as well as precisely how that breach occurred.
Log Analysis – Baseline Creation
A baseline is “standard activity” for your network(s).
Start your log analysis by creating a baseline.
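To make the two IDS strategies above and the idea of a baseline concrete, here is an added example (not code from the original material) that runs both over a constructed stream of connection records: signature detection fires on a single record that matches a pre-defined rule, while anomaly detection first learns per-source connection rates from a quiet period and then flags minutes that deviate from that baseline. The records, the rule set and the threshold constants are all constructed for the illustration.

```python
"""Signature detection versus anomaly (baseline) detection.

Added example, not from the original material. Events are constructed
tuples: (minute, source address, destination address, protocol, dest port).
"""
from collections import Counter, defaultdict
from statistics import mean, pstdev

# Quiet period used to build the baseline: a web client making two
# connections a minute and a mail client making one.
BASELINE_EVENTS = [
    (m, "10.0.0.5", "10.0.0.80", "tcp", 80) for m in range(10) for _ in range(2)
] + [
    (m, "10.0.0.7", "10.0.0.25", "tcp", 25) for m in range(10)
]

# Later observation window: normal mail traffic, two probes from a new
# host, and a burst of 40 connections from the web client in one minute.
OBSERVED_EVENTS = [
    (20, "10.0.0.7", "10.0.0.25", "tcp", 25),
    (20, "10.0.0.9", "10.0.0.80", "tcp", 12345),
    (20, "10.0.0.9", "10.0.0.80", "tcp", 79),
] + [
    (21, "10.0.0.5", "10.0.0.80", "tcp", 1000 + i) for i in range(40)
]

# Signature detection: pre-defined rules, each a predicate over one event.
SIGNATURES = {
    "netbus-default-port": lambda e: e[3] == "tcp" and e[4] == 12345,
    "finger-probe": lambda e: e[3] == "tcp" and e[4] == 79,
}


def signature_alerts(events):
    """Return (rule name, event) for every event that matches a rule."""
    return [(name, e) for e in events
            for name, rule in SIGNATURES.items() if rule(e)]


def per_minute_counts(events):
    """Map each source to the list of connections it made per minute."""
    counts = Counter((e[0], e[1]) for e in events)
    by_src = defaultdict(list)
    for (_minute, src), n in counts.items():
        by_src[src].append(n)
    return by_src


def build_baseline(events):
    """Baseline = (mean, spread) of per-minute connection counts per source."""
    return {src: (mean(ns), pstdev(ns))
            for src, ns in per_minute_counts(events).items()}


def anomaly_alerts(events, baseline, k=3.0, floor=1.0):
    """Flag (source, minute, count) where count > mean + k * spread.

    `floor` keeps a perfectly regular baseline (spread 0) from alerting on
    every tiny change; a source with no history gets an empty baseline.
    """
    alerts = []
    counts = Counter((e[0], e[1]) for e in events)
    for (minute, src), n in sorted(counts.items()):
        mu, sigma = baseline.get(src, (0.0, 0.0))
        if n > mu + k * max(sigma, floor):
            alerts.append((src, minute, n))
    return alerts


if __name__ == "__main__":
    baseline = build_baseline(BASELINE_EVENTS)
    print("signature alerts:", signature_alerts(OBSERVED_EVENTS))
    print("anomaly alerts:  ", anomaly_alerts(OBSERVED_EVENTS, baseline))
```

Note what each strategy misses: the 40-connection burst matches no signature and is only caught by the baseline, while the two probes from the new host are too few to stand out statistically and are only caught by the rules. This is why the baseline must be built from a period you have verified is clean.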
Log Analysis – Firewall and Router Logs
When observing firewall and router logs, focus on the following tasks:
Identify the source and destination interfaces
Trace usage patterns
Discover protocols used
Search for connections to suspect ports such as 12345 (the default NetBus port)
Log traffic for each firewall interface
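The tasks in the list above can be carried out with a small script rather than by eye. The following is an added example, not code from the original material: it parses constructed firewall log lines in a simple key=value layout (not any particular vendor's format; addresses are from documentation ranges), tallies interface pairs, protocols and traffic per interface, finds the busiest sources, and lists connections to suspect ports such as 12345. It also includes a filter that drops routine accepted web traffic, the kind of log filtering the best-practices slide recommends.

```python
"""Firewall log triage: interfaces, protocols, usage patterns, suspect ports.

Added example, not from the original material. The log lines, their
key=value layout and the suspect-port table are constructed for the example.
"""
import re
from collections import Counter

LOG_LINES = [
    "2024-05-01T10:00:01 in=eth0 out=eth1 proto=tcp src=203.0.113.7 dst=192.0.2.10 dport=80 action=accept",
    "2024-05-01T10:00:02 in=eth0 out=eth1 proto=tcp src=203.0.113.7 dst=192.0.2.10 dport=443 action=accept",
    "2024-05-01T10:00:03 in=eth0 out=eth1 proto=udp src=203.0.113.9 dst=192.0.2.53 dport=53 action=accept",
    "2024-05-01T10:00:04 in=eth0 out=eth1 proto=tcp src=198.51.100.4 dst=192.0.2.10 dport=12345 action=drop",
    "2024-05-01T10:00:05 in=eth1 out=eth0 proto=tcp src=192.0.2.22 dst=198.51.100.4 dport=12345 action=accept",
    "2024-05-01T10:00:06 in=eth0 out=eth1 proto=tcp src=198.51.100.4 dst=192.0.2.10 dport=23 action=drop",
]

FIELD_RE = re.compile(r"(\w+)=(\S+)")

# Ports worth a second look; 12345 is the NetBus default named in the slides.
SUSPECT_PORTS = {12345: "NetBus default port"}


def parse_line(line):
    """Turn one log line into a dict; dport becomes an int."""
    ts, _, rest = line.partition(" ")
    rec = {"ts": ts}
    for key, val in FIELD_RE.findall(rest):
        rec[key] = int(val) if key == "dport" else val
    return rec


def summarize(lines, suspect_ports=SUSPECT_PORTS):
    """Produce the counts and lists an auditor reviews first."""
    recs = [parse_line(l) for l in lines]
    return {
        # source/destination interface pairs: which way traffic flows
        "interfaces": Counter((r["in"], r["out"]) for r in recs),
        # protocols in use
        "protocols": Counter(r["proto"] for r in recs),
        # traffic volume per ingress interface
        "per_interface": Counter(r["in"] for r in recs),
        # usage pattern: busiest sources
        "top_sources": Counter(r["src"] for r in recs).most_common(3),
        # connections to suspect ports, accepted or dropped; an accepted
        # outbound one from an inside host deserves the most attention
        "suspect": [(r["ts"], r["in"], r["src"], r["dst"], r["dport"],
                     r["action"], suspect_ports[r["dport"]])
                    for r in recs if r["dport"] in suspect_ports],
    }


def filter_noise(lines):
    """Log filtering: drop accepted HTTP/HTTPS so the rest stands out."""
    kept = []
    for line in lines:
        r = parse_line(line)
        if r["action"] == "accept" and r["proto"] == "tcp" and r["dport"] in (80, 443):
            continue
        kept.append(line)
    return kept


if __name__ == "__main__":
    for name, value in summarize(filter_noise(LOG_LINES)).items():
        print(f"{name}: {value}")
```

In the constructed sample, the inbound attempt on port 12345 is dropped, but an inside host (eth1) is allowed out to port 12345 on the same external address; that pairing, not the dropped probe, is the finding to follow up.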
Log Analysis – Operating System Logs
Logging in UNIX Systems
Syslogd is the daemon that logs activity in Linux systems, as well as most UNIX systems. You can configure it by editing the /etc/syslog.conf file.
Logging Windows 2000 Systems
Use the Event Viewer Utility
Use the TCP/IP Services (HTTP, FTP, SNMP, etc.) logs
Log Analysis – Best Practices
Logs can grow very large quickly. Use log filtering.
Utilize additional application and service logs
Keep logs in a secure location
Logging can affect system performance – use dedicated or remote logging systems
Your recommendations could include the following:
Specific ways to continue (or in some cases implement) efficient auditing so that you can readily determine the gap between security policy requirements and actual practices.
Confronting and correcting virus, worm and Trojan infections and system weaknesses.
Recommending changes and improvements (see sample auditing report)
Identifying possible changes in the security policy.
Recommending end-user and IT professional training.
Informing the client about existing measures that are working well.
Creating the Audit Report
Elements of a security report might include the following:
An overview indicating the level of existing security: low, medium, or high.
An estimate of how long it would take casual, experienced and professional hackers to enter the system.
A quick summary of your most important recommendations, with supporting material
A detailed outline of the procedures you used during the audit.
Recommendations about various network elements, including the router, ports, services, login accounts, physical security, and so forth.
A discussion of physical security
Terms and language used in the auditing field
A careful explanation of your understanding of how problems will be reported
Finally, remember your audience when creating the report
Improving Compliance Steps for Continued Auditing and Strengthening
Steps for organizations that want to continue effective auditing:
Define a security policy.
Establish an internal organization to assign responsibility for specific tasks, including a hierarchical chain of command.
Systematically classify network assets.
Create security guidelines for employees.
Ensure physical security for personnel and network systems.
Secure the services and operating systems of network hosts.
Strengthen (or implement) access control measures.
Create and maintain systems.
Ensure that the network meets business goals.
Measure compliance with the security policy
REPEAT THE PROCESS!
USE THE HACKER’S TECHNIQUES AND TOOLS AGAINST THEM!