Network Security PowerPoint



  1. Penetration Testing: The Importance of Your Bank’s Perimeter Security
     - Presented by: Brian Hunter & Philip Diekhoff
     - BKD Risk Management Group
  2. A Brief History of Hacking
  3. The Penetration Tester
     - Testing done by an Ethical Hacker who attempts to circumvent security of computer system or network
     - EH works under no constraints other than those that would apply to ordinary users
     - EH will use same methodology & tools used by Hackers
  4. Types of Penetration Testing
     - External Penetration Testing
       - Taking role of hacker to gain access from Internet
     - Internal Penetration Testing
       - Taking on role of disgruntled employee or third-party vendor to gain access from inside network
  5. Different types of Penetration Testing: What kinds of testing can be done?
     - No knowledge – hacker from Internet. Test is performed with no information about organization
     - Knowledgeable – former employee. Test is performed with some knowledge but no access
     - Insider – consultants or vendors. Test is performed inside with physical access to network. Knowledge is limited
     - Knowledgeable insider – staff. Test is performed inside with knowledge. This is to test how secure network is & whether employees can access resources they shouldn’t be able to
  6. Security Offerings – What’s out there?
     - Network Scanning
     - Vulnerability Scanning
     - Penetration Testing
     - What is the difference?
  7. Network Scanning
     - What is it?
     - Uses port scanners (ex. Nmap, Superscan)
     - Scans network to determine what devices are there, what ports are open & what services are running on those ports
     - Fast, efficient but doesn’t probe for vulnerabilities
  8. Vulnerability Scanning
     - What is it?
     - Identifies network hosts & services
     - Identifies network operating systems
     - Identifies applications running on those devices
     - Identifies potential vulnerabilities pertinent to those systems & applications
     - Based on a database of vulnerabilities & not actual testing
     - Fairly fast, provides list of vulnerabilities but has many false positives
  9. Penetration Testing
     - What is it?
     - Set of procedures designed to circumvent existing security controls of specific system or organization
     - Encompasses network scanning & vulnerability scanning, but includes human element & verification of vulnerabilities
     - True hacker approach, verifies vulnerabilities but takes time & expertise
  10. Why do I Need Penetration Testing?
      - Risk assessment
      - Verification of security controls
      - Identify vulnerabilities
      - Regulatory compliance
      - Anticipate expenditure
  11. It Won’t Happen to Me: Consider This!
      - No one would be interested in small organization like us
      - They think IT department has everything under control or
      - People become complacent with their network
  12. Check This Out
      - Hacked Sites
  13. Data Breaches 2006: Analysis

      | Cause | Medical Centers (incidents n=30) | Higher Education (incidents n=52) | Public Sector (inc. military) (incidents n=114) | Private Sector (incidents n=126) |
      |---|---|---|---|---|
      | Laptop Theft | 40% | 20% | 21% | 40% |
      | Theft (non-laptop) | 17% | 17% | 17% | 15% |
      | Human/Software Incompetence | 20% | 21% | 44% | 20% |
      | Insider Malfeasance | 20% | 2% | 5% | 10% |
      | Outside Hackers | 3% | 52% | 13% | 15% |
  14. Questions to Ask
      - What is their methodology?
      - Is methodology proven, has it been successfully used before?
      - Ask for references—more is better!
      - How long have they been performing this kind of work?
  15. Things to Keep in Mind
      - Need for independence
      - Testing of any type can be disruptive & damaging
      - Are we talking about network scanning, vulnerability scanning or penetration testing – compare scopes & methodologies
      - There is no one standard methodology for penetration testing, but there has been some standardization
  16. Key Methodology Steps
      - Scope of work/engagement letter
      - Footprinting
      - Scanning
      - Enumeration
      - Penetration
      - Privilege escalation
      - Find sensitive data
      - Conference with client (discuss findings)
      - Report (contains findings & recommendations)
  17. Footprinting
      - Public information gathering to determine organization’s demographics, locations, address, hosts, etc.
      - Organizational reconnaissance
      - Network reconnaissance
      - Domain names
      - IP addresses
      - Pinpoint servers (web, email, DNS, etc.)
      - Employee information
      - Search newsgroups for company information
  18. Scanning
      - Assess & identify listening services to focus attack on most promising avenues of entry
      - TCP and UDP port scanning
      - Locate publicly accessible devices on IP segment
      - Identify open ports on devices
      - Stealth is required not to alert Intrusion Detection Systems
  19. Enumeration
      - Enumerate network devices & determine what is running & what it is running on
      - Identify hardware
      - Identify operating system
      - Identify services & their version
      - Identify applications
      - Identify potential vulnerability
  20. Penetration
      - Use information from previous steps to gain access to systems.
      - Using all information gathered so far, prioritize targets by the severity of vulnerabilities found
      - Systematically address all potential vulnerabilities on all systems
      - Never perform Denial of Service (DoS) attacks
      - Demo: RPC Exploit
  21. Privilege Escalation
      - Depending on privilege level obtained from penetration phase, it may be necessary to attempt to increase privilege level to gain total control of system
      - Demo: RPC Exploit
      - Demo: PWDump
      - Demo: File
  22. Find Sensitive Data – a.k.a. Pilfer
      - Footprint & scan internal network
      - Identify internal servers & their purpose
      - Attempt to locate sensitive information
      - Crack password files
      - Databases
      - Accounting programs
      - Demo: LC4
  23. Exit Meeting
      - Meet & discuss findings
      - Address largest security findings so you may begin immediately fixing them
      - Get all your questions answered
  24. Report
      - The real value in penetration testing is in the report
      - It should identify vulnerabilities
      - It should give recommendations on fixing those vulnerabilities
  25. What Will it Take to Keep Me Out?
      - Not as much as you might think
      - New expensive equipment is not usually required
      - Most security issues can be addressed quickly & easily
      - Most time & energy will be spent on security awareness
  26. What Will it Take to Keep Me Out? (cont.)
      - Understand that risks are real
      - Be proactive with your IT security
      - Clear, concise policies that define security requirements & expectations of employees
      - Patches – keep all computers & network devices current with latest service packs, patches and updates
  27. What Will it Take to Keep Me Out? (cont.)
      - Configure routers & firewalls to block all unnecessary traffic
      - Develop an “Incident Response Team”
      - Have testing performed regularly
      - Use intrusion detection systems
      - Remember, all testing/scanning is snapshot of network at that point in time
  28. Common Entry Points
      When locking down your network, pay attention to most common points of entry for hackers
      - Misconfigured routers
      - Misconfigured firewalls
      - Misconfigured Internet servers
      - Unpatched software
      - Unsecured remote access
      - Accounts with excessive permissions
      - Weak & easily guessed passwords
  29. Key Take Aways
      - It is not a matter of “IF” but “WHEN”
      - Be proactive before you need to be reactive
      - Understand the importance of the methodology
      - Retest after significant changes
      - It’s a process not a destination
  30. How to Contact Us
      - Brian Hunter, Supervising Consultant, Springfield, MO, 417.865.8701, [email_address]
      - Philip Diekhoff, Senior Consultant, Springfield, MO, 417.865.8701, [email_address]