PowerPoint Presentation
Upcoming SlideShare
Loading in...5

PowerPoint Presentation






Total Views
Views on SlideShare
Embed Views



1 Embed 1

http://www.slideshare.net 1



Upload Details

Uploaded via as Microsoft PowerPoint

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
Post Comment
Edit your comment

PowerPoint Presentation PowerPoint Presentation Presentation Transcript

  • Vulnerability Management Richard Shaw
  • Introduction
    • How vulnerable are you?
    • What you will learn in this session
  • Agenda
    • Security Audits
    • Threat Analysis
    • Countermeasures and Responses
    • Patch Management
  • Overview
  • Security Audits
    • Planning an audit
    • Auditor or Hacker?
    • What Information Can You Obtain
    • Security Audits Questions & Answers
  • Security Audits – Planning an Audit
    • Whether you are a security manager whose company network is being audited or an external auditor, you cannot audit a site without a sound plan.
  • Security Audits – Auditor or Hacker
    • In most cases, no difference exists between a hacker tool and an auditing tool.
  • Security Audits – What Information Can You Obtain
    • Network-level Information
    • Host-level Information
    • Conducting Research
  • Security Audits – Network-level Information
    • Network topology
    • Routers and switches
    • Firewall types
    • IP services
    • Modem banks
  • Security Audits – Host-level Information
    • Active ports and server types
    • Databases
    • Configuration defaults and problems
  • Security Audits – Conducting Research
    • Research can take many different forms, including the following:
      • Live testing, in which auditors test popular network daemons and services for weaknesses.
      • Searching recognized security sites for reports about bugs relevant to a particular daemon, operating system or combination thereof.
      • Networking with known auditors and hackers to learn more about ways daemons are attacked.
      • Studying the source code of the daemon in question.
  • Security Audits –Question 1
    • If you were asked by your company’s managers to inform them about the most pressing threat to their business. What would your answer be?
  • Security Audits – Question 1 Answer
    • You should ask them the following questions in return:
    • What is the nature of their business, and which servers are central to being able to reach their business goals?
    • If the company managers want to know which attacks are the most common, explain that attacks from employees are at least as common as those from outsiders.
    • Arguably, the second-most pressing issue for many ecommerce companies today are powerful, distributed attacks meant to consume Internet bandwidth and crash systems.
  • Security Audits –Question 2
    • You have been asked to audit a mid-sized company that has three distinct departments: Human Resources, Research and Development, and Marketing. Each department has been attacked, resulting in the loss of sensitive information. You are now conducting your audit, and have found problems in all three departments that have led to breaches. The company, however, has limited resources. What can you do to ensure that the company is as protected as possible?
  • Security Audits – Question 2 Answer
    • Meet with management to prioritize resources. If you take this step, you will be able to give advice that protects the most important resources. During this phase, you may find that the company will reconsider its resource allocation strategy and decide to fund all of your suggestions.
  • Security Audits –Question 3
    • Working as an auditor, you learn that a particular department has had problems with employees gaining unauthorized access to a database. As an auditor, how can you solve some of the problems that allowed this unauthorized access?
  • Security Audits – Question 3 Answer
    • First, discover the resource. Conduct scans to determine the location of the resource. Secondly, you can identify potential weaknesses, including system bugs, weak passwords and problems in network implementation that can lead to system penetration. Finally, you can show how the resource was controlled, then propose a solution that helps the company overcome this problem.
  • Discovery Tools & Methods Intro
    • The first step a security auditor or a hacker takes is to discover the network!
  • Discovery Tools & Methods – Security Scans
    • Security scans comes in many varieties:
    • DNS utilities such as whois, nslookup and host
    • Standard applications, including ping, traceroute, Telnet and SNMP
    • Ping, port and share scanners
    • Network and share discovery applications, including NMAP and RedButton
    • Enterprise-grade vulnerability scanners, which combine these methods
    • “ Hacker-in-a-box solutions” (using programming languages, etc.)
  • Discovery Tools & Methods – NSLOOKUP Vulnerabilities
    • Using nslookup, a DNS troubleshooting tool, you can use the information gained from your Whois query to learn more about the network. The nslookup on your system can be configured to imitate secondary DNS servers and do a zone transfer to your system.
  • Discovery Tools & Methods – NSLOOKUP Hardening
    • Configure DNS to deny zone transfers
    • Place the DNS servers inside a firewall and allow zone transfers only to certain host.
  • Ping Scanning and Traceroute
    • Pinging an organization’s Web server can help you learn the entire IP address range used by that organization. This knowledge helps you create a map of the network.
    • The Ping-of-Death!
    • Using traceroute, you can learn a network’s physical layout, including the routers it uses to connect with other networks and the Internet.
  • Port Scans
    • A port scan is similar to a ping scan, except that instead of simply reporting back the IP addresses, the port scanner also discovers any active UDP and TCP ports present on the system. A port scanner is generally used to “drill down” into one host and determine what services or daemon is running on it.
  • Network-Discovery and Server-Discovery Applications
    • Using simple programs such as Ping Pro, RedButton, and NMAP, you can discover network ports open on the physical wire, obtain information from servers that have the Server service enabled, and perform stack fingerprinting and operating system detection.
  • Using Telnet and SNMP
    • You can use Telnet to attach to a system and use the SYST command. Many TCP/IP stacks will reveal important information.
    • SNMP allows you to determine relevant statistics and information from your hosts. You can also use SNMP to actually reprogram an interface or service, including setting router hops, stopping and starting services, interfaces, etc.
  • TCP/IP Services
    • Most SMTP AND POP3 servers still send password in the clear, raising the possibility of a man-in-the-middle attack.
    • LDAP, FTP, SMTP and HTTP servers are vulnerable to buffer overflow attacks.
    • Trivial TCP/IP services such as Finger and TFTP can help divulge important information that hackers use for social engineering and other attacks.
  • Network Penetration
    • After the hacker has determined the scope of your system, a specific target is chosen for penetration. Usually, the target is the one with the weakest security or for which the hacker has the most tools.
  • Attack Signatures and Auditing
    • An attack signature is the particular “fingerprint” of an attack.
    • Intrusion-detection programs and network scanners use attack signatures to identify and foil attacks.
  • Reviewing Common Attacks
    • Dictionary: Testing a security accounts database against a long list of words meant to guess a password
    • Man-in-the-middle: A hacker sniffs passwords and obtains information from legitimate transactions. (Use strong encryption)
    • Hijacking: Two parties engaging in a transaction are intruded upon by a third party (a hacker), who excludes one of the first two participants, then continues the connection. (Use strong authentication)
  • Reviewing Common Attacks cont’d
    • Viruses: A simple program that self-replicates and/or deposits a payload. (Use anti-virus products, as well as recurring user training)
    • Illicit servers: An illicit server is any unauthorized service or daemon running on your system.
    • Denial-of-service: The use of various applications (including viruses and packet generators) to crash systems and/or consume bandwidth.
  • Attack R.U.L.E.S – Ruling Attacks
    • R emove
    • U nload
    • L ock-down
    • E xamine
    • S ecure
  • Preventing Denial-Of-Service Attacks
    • During a Denial-of-service attack, a hacker creates multiple half-open TCP connections. To mitigate:
      • Improving operating system patch level
      • Closely observing the code creation process, if you have employees creating custom applications
      • Obtaining only stable versions of servers, services and applications.
  • Auditing Trojans and Worms
    • A Trojan is a file that operates a specific way, but also has a secret operation that subverts security.
      • Scan for open ports – if you can’t account for a listening or sending port, you might have detected a problem.
    • A Worm is a type of computer virus program that spread itself from system to system, and can crash or make the system permanently unstable.
      • Configure the firewall to exclude specific activities
      • Use intrusion-detection systems and software
      • Educate users
  • Intrusion Detection
    • Intrusion detection is the real-time monitoring of network activity behind the firewall. An IDS detects, logs and sometimes even responds to network activity that it deems objectionable.
  • Intrusion Detection Application Strategies
    • All IDS applications rely on one of two strategies to detect attacks, as follows:
      • Signature detection: The IDS application relies upon pre-defined rules in order to act.
      • Anomaly detection: The IDS application can create a baseline of normative activity. Then, whenever network traffic alters significantly from the baseline, an alert is issued and corrective or secure options are activated.
  • Intrusion Detection Concerns
    • Hackers can coordinate attacks to overburden an IDS. The result is that the IDS becomes an unwitting participant in a denial-of-service attack or cannot perform normal detection activities.
    • Licensing can be expensive!
  • Intrusion Detection Software
    • Computer Associates’ eTrust Intrusion Detection (formerly SessionWall 3)
    • Snort ( www.snort.org )
    • Intruder Alert ( www.symantec.com )
    • ISS RealSecure ( www.iss.net )
    • Computer Misuse Detection System ( www.cmds.net )
    • Network Flight Recorder ( www.nfr.com )
    • Network Associates’ CyberCop Monitor ( www.networkassociates.com )
    • Cisco Secure IDS – Formerly NetRanger ( www.cisco.com )
  • Log Analysis
    • Perhaps one of the most challenging but critical aspects of security auditing is the analysis of log files.
    • Regardless of the efforts you make to secure your network, you must assume that someone at some time will break into it. You need a reliable method for determining whether a breach occurred, as well as precisely how that breach occurred.
  • Log Analysis – Baseline Creation
    • A baseline is “standard activity” for your network(s).
    • Start your log analysis by creating a baseline.
  • Log Analysis – Firewall and Router Logs
    • When observing firewall and router logs, focus on the following tasks
      • Identify the source and the destination interfaces
      • Discovery the source and the destination interfaces
      • Trace usage patterns
      • Discover protocols used
      • Search for connections to suspect ports such as 12345 (the default NetBus port)
    • Log traffic for each firewall interfaces
  • Log Analysis – Operating system Logs
    • Logging in UNIX Systems
      • Syslogd is the daemon that logs activity in Linux systems, as well as most UNIX systems. You can configure by editing the /etc/syslog.conf file.
    • Logging Windows 2000 Systems
      • Use the Event Viewer Utility
      • Use the TCP/IP Services (HTTP, FTP, SNMP, etc.) logs
  • Log Analysis – Best Practices
    • Logs can grow very large quickly. Use log filtering.
    • Utilize additional application and services logs
    • Keep logs in a secure location
    • Logging can affect system performance – use optimal or remote systems
  • Auditing Recommendations
    • Your recommendation could include the following:
      • Specific ways to continue (or in some cases implement) efficient auditing so that you can readily determine the gap between security policy requirements and actual practices.
      • Confronting and correcting viruses, worm and Trojan infections and system weaknesses.
      • Recommending changes and improvements (see sample auditing report)
      • Identifying possible changes in the security policy.
      • Recommending end-user and IT professional training.
      • Informing the client about existing measures that are working well.
  • Creating the Audit Report
    • Elements of a security report might include the following:
      • An overview indicating the level of existing security: low, medium, or high.
      • An estimate of how long it would take casual, experienced and professional hackers to enter the system.
      • A quick summary of your most important recommendations, with supporting material
      • A detailed outline of the procedures you used during the audit.
      • Recommendations about various network elements, including the router, ports, services, login accounts, physical security, and so forth.
      • A discussion of physical security
      • Terms and languages used in the auditing field
      • A careful explanation of your understanding of how problems will be reported
      • Finally, remember your audience when creating the report
  • Improving Compliance Steps for Continued Auditing and Strengthening
    • Steps for organizations that want to continue effective auditing:
      • Define a security policy.
      • Establish an internal organization to assign responsibility for specific task, including a hierarchical change of command.
      • Systematically classify network assets.
      • Create security guidelines for employees.
      • Ensure physical security for personnel and network systems.
      • Secure the services and operating systems of network hosts.
      • Strengthen (or implement) access control measures.
      • Create and maintain systems.
      • Ensure that the network meets business goals.
      • Measure compliance with the security policy
  • Patch Management
  • Summary
    • What has been learned
    • Ways to apply this training
    • Feedback of training session
  • Where to Get More Information
    • Other training sessions
    • Books, articles, electronic sources
    • Consulting services, other sources