1. Securing Enterprise Network Infrastructure
(Towards secure internetworking on Pakistan Educational Research Network)
Dr. Adeel Akram
UET Taxila
2. Outline
►Introduction to Enterprise Network
►Enterprise Network Architectures
►Securing Enterprise Networks
►Enterprise Network Security Requirements
►Pakistan Educational Research Network
►Type of Network Attacks and Vulnerabilities
►Case Studies
Hacking of Educational and Govt. Websites !!!
►Lessons Learnt
►Recommendations
3. Introduction to Enterprise Network
► An Enterprise Network is the network that allows
communication and resource-sharing among all of
a company's business functions and workers.
► In some cases, the Enterprise Network may even
include the company's suppliers, contractors and
distributors.
► It consists of hardware, software and media
connecting information technology resources of an
organization.
10. Enterprise Network Security Requirements
►Network security has become increasingly
difficult to manage and evaluate, even
as industry and government compliance
requirements have become more
demanding.
11. Enterprise Network Security Requirements
►The network threats are real, and costly.
Internal and external vulnerabilities can
cause business disruption, loss of revenue,
or loss of operational efficiencies.
►Because network security can be breached
from both internal and external sources,
traditional perimeter firewalls are not
enough to protect the network.
12. Enterprise Network Security Requirements
►Enterprise networks require new network
security tools, network appliances, and
professional services to secure large and
small networks.
►The following slides show key components
of network security that are now required in
all organizations to secure their networks:
13. Enterprise Security Key Components
►Unified Threat Management (UTM) Firewalls
►Network Access Control (NAC), or Role-based Networking
►Mobile Computer Client Protection
►Event Correlation and Log Analysis
►Layer-7 Visibility and Packet Analysis
►Managed Services
14. Enterprise Network Security Requirements
►Unified Threat Management (UTM) Firewalls
It is too costly and operationally inefficient to
add on each separate component as security
threats emerge. Today's solutions use multiple
scanning methods and multiple defense layers
in high-throughput appliances. IDS/IPS, Anti-Virus,
Content-Filtering, VPN, Anti-Spam, P2P
control, etc. all need to be included in a
network security solution.
15. Enterprise Network Security Requirements
►Network Access Control (NAC), or Role-based Networking
Creating differentiated network services based on
individual access requirements is the key. The era
of every user's ability to browse to all network
resources should be over. Role-based networking
is required to limit visibility to networks, servers,
and TCP/IP ports and protocols, regardless of the
user's point-of-entry into the network.
16. Enterprise Network Security Requirements
►Mobile Computer Client Protection
Also referred to as "Mobile NAC": all network
devices that can leave and join the network
need to have accountability and control
regardless of location. The ability to control
laptops, PDAs, and other mobile devices when
they are not connected to a VPN session is a
key requirement.
17. Enterprise Network Security Requirements
► Event Correlation and Log Analysis
Security threats cannot be stopped by reviewing
logs only in "post-mortem" analysis. To stop "zero-day"
threats, the network needs event-correlation
and adaptive-response tools. While SNMP reporting
tools are important for network engineers
responsible for network health, other tools are
required to correlate client, server, and firewall
activities with application processes on the hosts.
18. Enterprise Network Security Requirements
►Layer-7 (Application Layer) Visibility and
Packet Analysis
The ability to classify all applications regardless of
port and protocol is essential for both security and
performance analysis. In-line devices for analyzing
and reporting network traffic across all OSI layers
are essential for compliance, security assessment,
and resolving performance issues.
19. Enterprise Network Security Requirements
►Managed Services
Many companies cannot become experts in
Cyber-Security, PC/Server Management,
Regulatory Compliance, and Disaster Recovery.
But even small businesses are impacted by
critical data security threats and technology
maintenance hurdles that detract from the core
business goals. Managed Services offer this
expertise on a contractual basis.
21. Pakistan Educational Research Network
►PERN - Pakistan Education and Research
Network is the national research and
education network of Pakistan, which
connects the premier educational and research
institutions of the country.
22. Pakistan Educational Research Network
►PERN focuses on collaborative research,
knowledge sharing, resource sharing, and
distance learning by connecting people
through the use of Intranet and Internet
resources.
29. Cyber Attack Response Procedure
►Detect Attack Source
►Seal Crime Scene / Preserve System State
►Activate Auditing / Gather Suspect Traces
►Estimate Attack Losses
►Report to Security Agencies
►Prevent Attack / Plan Response
30. FBI Cybercrime Investigation Procedure
► To ensure that your organization can react to an
incident efficiently, make sure that staff knows
who is responsible for cyber security and how to
reach them.
► The following steps will help you document an
incident and assist federal, state, and local law
enforcement agencies in their investigation (be
sure to act in accordance with your organization's
policies and procedures):
31. FBI Cybercrime Investigation Procedure
►Preserve the state of the computer at the time
of the incident by making a backup copy of
logs, damaged or altered files, and files left by
the intruder.
►If the incident is in progress, activate auditing
software and consider implementing a
keystroke monitoring program if possible.
32. FBI Cybercrime Investigation Procedure
Document the losses suffered by your organization
as a result of the incident. These could include:
►estimated number of hours spent in response/recovery
►cost of temporary help
►cost of damaged equipment
►value of data lost
►amount of credit given to customers for inconvenience
►loss of revenue
►value of any trade secrets
To report an incident to the FBI, you can submit a tip report at https://tips.fbi.gov
33. National Response Centre For Cyber Crimes
► NR3C CERT (Computer Emergency Response Team)
► Forensic Lab
► R&D
► Implementation of Standards & Procedures
► Media and Projection Cell
► Technology Development Center
► Network Operations & Security
► Liaison with LEA(s) & public/private sector organizations
► Trainings & Seminars
► Legal Regularity & Issues
To report an incident to the NR3C visit: http://www.nr3c.gov.pk
Federal Investigation Agency Headquarters
Sector-G-9/4, Islamabad
Ph. 051-9261686, Fax. 051-9261685
34. Case Studies
►UET Taxila – Internal Website(s) Hacked
►HEC Website(s) – Hacked
►LUMS Website(s) – Hacked
►Ministry of Information and Broadcasting
Website – Hacked
►FIA’s National Response Center for Cyber
Crime Website
39. Searched for traces of Hackers
►Event Viewer
Application Logs
System Logs
Security Logs
►User Manager
Any Accounts Modifications
New Accounts Creation
Rights requests
41. Checked Systems for Trojan Horses
►See if any backdoor is created on the
system
►Try to figure out how the hackers managed
to compromise the system
►Check Task Manager for any suspicious
running process
►Check System/Firewalls Security Logs
43. Checked Logs on the DHCP Server
►Cross-checked the MAC address of the hackers'
machine from its IP 169.254.2.57:
00-01-02-08-37-A8
45. Checked Hostel Switch Logs
►Went to the hostel switch and checked which
switch port this MAC address was bound to:
Port Number 31 on the switch
►Consulted the hostel network diagrams to
find out the room number for port # 31:
Room Number 41
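The IP-to-MAC-to-port-to-room trace in slides 43 and 45 can be scripted so the same chain is repeatable during an incident. This is an added example, not code from the slides; all log lines, the switch output format and the port-to-room map are constructed, with the MAC, port 31 and room 41 echoing the slides.

```python
"""Added example (not from the slides): follow an IP seen in the logs to the
MAC that held it in the DHCP server's audit log, to the switch port that
learned that MAC, to the room wired to that port. All sample data below is
constructed for the example."""
import re

# Constructed lines in the Windows DHCP server audit-log CSV layout:
# ID,Date,Time,Description,IP Address,Host Name,MAC Address
DHCP_AUDIT_LOG = """\
10,08/30/07,13:58:02,Assign,10.10.5.57,HOSTEL-LAPTOP,0001020837A8
10,08/30/07,14:02:40,Assign,10.10.5.58,LIB-PC-03,00163E1A2B3C
11,08/30/07,14:10:11,Renew,10.10.5.57,HOSTEL-LAPTOP,0001020837A8
"""

# Constructed output in the style of a Cisco "show mac address-table".
SWITCH_MAC_TABLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0001.0208.37a8    DYNAMIC     Fa0/31
  10    0016.3e1a.2b3c    DYNAMIC     Fa0/12
"""

# Port-to-room map as it would be read off the hostel wiring diagram (constructed).
PORT_TO_ROOM = {"Fa0/31": "Room 41", "Fa0/12": "Room 17"}


def normalize_mac(mac):
    """Canonical form: 12 lowercase hex digits, so 00-01-02-08-37-A8,
    0001.0208.37a8 and 0001020837A8 all compare equal."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).lower()
    return digits if len(digits) == 12 else None


def mac_for_ip(audit_log, ip):
    """MAC from the last Assign/Renew record for ip, i.e. the lease in force."""
    mac = None
    for line in audit_log.splitlines():
        parts = line.split(",")
        if len(parts) >= 7 and parts[3] in ("Assign", "Renew") and parts[4] == ip:
            mac = normalize_mac(parts[6])
    return mac


def port_for_mac(mac_table, mac):
    """Switch port that learned mac, read from the MAC address table dump."""
    for line in mac_table.splitlines():
        cols = line.split()
        if len(cols) >= 4 and normalize_mac(cols[1]) == mac:
            return cols[3]
    return None


def trace_ip(ip, audit_log=DHCP_AUDIT_LOG, mac_table=SWITCH_MAC_TABLE, rooms=PORT_TO_ROOM):
    """Follow ip -> mac -> port -> room; a missing hop is reported as None."""
    mac = mac_for_ip(audit_log, ip)
    port = port_for_mac(mac_table, mac) if mac else None
    return {"ip": ip, "mac": mac, "port": port, "room": rooms.get(port) if port else None}


if __name__ == "__main__":
    print(trace_ip("10.10.5.57"))
```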
48. Observations
►The site was hacked by our own students
who were doing internship in Network
Center on Windows Server Administration
►They were also developing student-portal
website on the same server and were given
administrative rights on the web server
►They misused their rights to hack the site
49. The defacing of UET TAXILA’s
Examination website in August 2007
http://web.uettaxila.edu.pk/uet/UETsub/uetDownloads/examination/
50. Hacked by Whom?
• There were 5 main IP addresses that called the
URL used to hack the site and plant the pages
on our alpha web server!
• 202.86.249.21
• 202.86.248.23
• 74.6.25.141
• 88.254.235.5
• 85.106.249.98
62. How was it done?
►An ASP shell script, CP5.asp, was planted under the
http://web.uettaxila.edu.pk/uet/UETsub/uetDownloads/examination/
folder, which had write rights on it and
Directory Browsing turned ON.
►Our firewall logs showed that the first call
to the malicious ASP page was made on
30/Aug/2007 at 14:45:24 PST.
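The detection the slides describe (spotting the first call to a script planted in a downloads-only folder) can be done over the web server's own logs rather than waiting for a defacement. This is an added example, not code from the slides: it parses IIS W3C extended log lines and reports any server-side script requested under the downloads path, with its first-seen time and the client IPs. The log lines are constructed; the path is the one named on the slides and the client addresses are documentation ranges.

```python
"""Added example (not code from the slides): scan IIS W3C extended log
lines for requests that execute a server-side script inside a folder that
is supposed to hold only static downloads, as the examination/ folder was.
For each such script it reports the first hit, the hit count and the client IPs."""
from datetime import datetime

# Constructed sample log in the IIS 6 W3C extended format.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2007-08-30 14:40:11 192.0.2.10 GET /uet/UETsub/uetDownloads/examination/datesheet.pdf 200
2007-08-30 14:45:24 198.51.100.7 GET /uet/UETsub/uetDownloads/examination/CP5.asp 200
2007-08-30 14:46:02 198.51.100.7 POST /uet/UETsub/uetDownloads/examination/CP5.asp 200
2007-08-30 15:01:45 203.0.113.9 GET /uet/UETsub/uetDownloads/examination/cp5.asp 200
2007-08-30 15:02:00 192.0.2.10 GET /uet/index.htm 200
"""

DOWNLOAD_ONLY_PREFIX = "/uet/UETsub/uetDownloads/"
SCRIPT_EXTENSIONS = (".asp", ".aspx", ".asa", ".php")


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split(":", 1)[1].split()
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):
                yield dict(zip(fields, values))


def find_script_hits(text, prefix=DOWNLOAD_ONLY_PREFIX, exts=SCRIPT_EXTENSIONS):
    """Return {uri: {"first_seen", "count", "clients"}} for script requests under
    prefix. URIs are lower-cased because IIS paths are case-insensitive, so
    CP5.asp and cp5.asp are the same planted file."""
    hits = {}
    for row in parse_w3c(text):
        uri = row["cs-uri-stem"].lower()
        if not (uri.startswith(prefix.lower()) and uri.endswith(exts)):
            continue
        when = datetime.strptime(row["date"] + " " + row["time"], "%Y-%m-%d %H:%M:%S")
        entry = hits.setdefault(uri, {"first_seen": when, "count": 0, "clients": set()})
        entry["first_seen"] = min(entry["first_seen"], when)
        entry["count"] += 1
        entry["clients"].add(row["c-ip"])
    return hits


if __name__ == "__main__":
    for uri, info in find_script_hits(SAMPLE_LOG).items():
        print(uri, info["first_seen"], info["count"], sorted(info["clients"]))
```

Any script under a downloads-only prefix is a finding by itself; in a real deployment the same check runs over the rotated daily logs, and the first-seen time is what the slides used to scope the incident.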
65. CP5.asp Removed from Server!
► I didn’t understand the Turkish language, but
the icons were pretty intuitive to indicate that
the means Delete and means
Download.
► So after indiring the CP5.asp for my personal
interest and further investigation, Siled the
cp5.asp using its own page.
► Thanks to the author of CP5 for its self-destructive
features ;-)
66. Observations
► The CP-5 (CyberSpy 5) ASP Shell Script code was
intentionally/unintentionally planted in the
Examination website by someone having physical
access to the server
► The network supervisors of exam branch didn’t
confess their fault
► CyberSpy 5 is now detected by newer antivirus products
as PhP/C99Shell.A.Trojan and ASP/Ace.DC.Trojan
67. What security measures were taken?
►As the first step in the revival of the
web.uettaxila.edu.pk website, all traffic for
web.uettaxila.edu.pk was redirected to
www.uettaxila.edu.pk to serve the original
website contents from our hosted services
server directly instead of the local hacked
server.
68. What security measures were taken?
►Browsed through the IIS Service Manager
on the hacked server to check the rights on all
folders related to the website.
►Removed write rights for IUSR_ALPHA on all
folders.
►Changed the default webpage at
web.uettaxila.edu.pk from index.htm to
index1.asp
69. What security measures were taken?
►Backed up the hacked pages and emailed them
to my account for further investigation.
►I deleted the hacked index.htm file and
restored the original files from the hosted services
server to the local hacked server.
►At this time, the hackers tried to reinstall their
defacement page on our server by overwriting
index.htm with their own page.
70. What security measures were taken?
►As the web server was now set to show
index1.asp instead of index.htm, the hacked
page was no longer visible on the main page.
►The hackers realized that they should leave
the server now.
►As a protective measure, we added the entire
IP ranges of the hackers' addresses to the firewall block list.
►In future they will not be able to use the same
addresses to access our server.
71. What security measures were taken?
►The domain accounts of all users were
checked for their security privileges.
►Unnecessary administrative group members
were removed.
►Passwords were changed on all
Administrative accounts.
►anonymous@uettaxila.edu.pk was removed.
72. Response to the Hackers
► Used network forensic tools to track the hackers
► Used OS fingerprinting to identify the types of
systems used by the attackers
► Tried to gain access of their network resources
► Tried to get personal information about hackers
73. Who owned 88.254.235.5?
I changed its old password for future communication
This is the ADSL Router of Attacker in Turkey
76. Suggestions and Comments
► Routine checking of firewall logs should be
performed to spot suspicious requests to URL addresses
on the server.
► All servers should be moved behind a UTM firewall.
► The Intrusion Prevention System on the UTM should be
configured to detect and block such attacks in future.
► The relevant ISPs and security agencies should be
contacted for logs to identify the owners of
these attacker IP addresses.
99. FIA’s National Response Center for
Cyber Crime Website Hacked
► Domain: http://www.nr3c.gov.pk
Hacking Reported on : 2010-01-07 16:16:56
Notified by: ZombiE_KsA
IP address: 72.9.156.44
System: Linux
Web server: Apache
101. Lessons Learnt
► The faster the network, the more attacks it draws from
the internet
► Greater availability/always-online connectivity
increases the chances of hacking attacks
► Internal users are mostly responsible for
compromising network security
► Easy availability of hacking scripts has encouraged
script kiddies to try hacking
► Lack of regular security audits, shortage of certified
ethical hackers and lack of knowledge sharing
102. Recommendations
► Enable ROLE-based Network Services
► Disable Windows File Sharing
► Update the Operating System
► Choose Strong Passwords
► Anti-virus Software Installation and Update
► Train the End Users to maintain their PCs
► Install A Personal Firewall and Email Security Apps
► On demand and Startup Scan For Spyware
► Network Access Control
103. Tips for End Users
► Deploy Internet Security Software (FW+AV+UTM)
ESET NOD32 Business Edition
TrendMicro Internet Security
Symantec Endpoint protection + Network Access Control
► Keep Security Software updated
► Keep OS and Installed Software updated
► Report abnormal system behavior to Admins
► Enable System Restore and Backup System
104. Tips for Network and Sys Admins
► Block TCP Port 25 (Commonly used by Spam-bots)
► Block TCP Port 135 (Used by W32/Blaster worm)
► Block TCP Port 445, NetBIOS-DGM, NetBIOS-NS,
NetBIOS-SSN, Kerberos, LDAP, WINS, RDP and
Ping to/from WAN
► Turn off File and Printer Sharing for Microsoft
Networks on WAN Interfaces of all servers
► Install Firewall and Antivirus software on servers
► Create Backups / Images of Servers
Title slide background and some information is provided by National LAN Exchange, Utah, USA. http://www.nle.com
www.networkdictionary.com/networking/e.php
= Hardware, software and media connecting information technology resources
http://www.cisco.com/web/about/security/intelligence/worm-mitigation-whitepaper.html
+ A sinkhole is also a useful tool for analyzing an attack. The sinkhole router can be used to forward the attack traffic to a back-end switch where a network analyzer, such as a sniffer or Ethereal, can be used to look at the details of the attack.
+ iBGP is used to selectively trigger the remote dropping of any traffic based on either source or destination address.
+ Arbor Peakflow X and Peakflow DoS use a collector and controller architecture
http://www.firewall.cx/firewall_topologies.php
= Traditional Network Setup with a single Firewall separating LAN from WAN
http://www.firewall.cx/firewall_topologies.php
= Common Scenario in organizations hosting their web, email and other servers that are accessible from WAN
DMZ Servers are vulnerable to attacks from WAN and require special configuration and hardening
http://www.firewall.cx/firewall_topologies.php
= Recommended Configuration for Enterprise networks
Single Firewall must be strong enough with sufficient bandwidth and features to facilitate smooth traffic flow between the private, public and DMZ networks
http://www.firewall.cx/firewall_topologies.php
= Using two firewalls inline requires synchronization of policies on both devices and thus creates overhead for the IT staff
= If Firewall 1 goes down, all users on the internal network are unable to access internet resources
http://www.firewall.cx/firewall_topologies.php
= The two firewalls secure the LAN and the DMZ from WAN attacks
= Each network can access the internet independently
http://www.nle.com/network_security.html
= Security requirements are becoming more and more complex with improvement in IT infrastructure and attack techniques
http://www.nle.com/network_security.html
= Preventing an attack is much better than recovering from it afterwards
http://www.nle.com/network_security.html
= New types of security software and devices are required to secure the enterprise
= UTM, NAC, Mobile Client Protection, Network Traffic Monitoring and Analysis Tools and Professionally Managed Services are common components of an enterprise network
http://www.nle.com/network_security.html
= UTMs have stateful inspection firewalls, IPS, AV, content filters, anti-spam, traffic flow control and VPN servers in a consolidated architecture, which makes uniform policies across all network components practical
http://www.nle.com/network_security.html
= Each user must be identified and provided with a specific level of service depending on his/her role in the organization. NAC helps prevent spread of worms and network viruses.
http://www.nle.com/network_security.html
= All mobile users must be identified, authenticated and connected through secure VPN session to the enterprise. Their network session ends if their connection is compromised.
http://www.nle.com/network_security.html
= Network Flow Analysis and Anomaly detection based on traffic trends is essential to prevent zero-day attacks.
http://www.nle.com/network_security.html
= Network administrators require end-to-end visibility of network processes and transactions in order to assess the effectiveness of security policies and prevent unauthorized traffic flows.
http://www.nle.com/network_security.html
= If you can’t do it yourself, ask the experts to help you out.
http://pern.edu.pk/index.php?option=com_content&task=view&id=36&Itemid=1
= In the first phase of the project 56 educational institutions have been connected through PERN. The remaining 59 HEC-recognized universities in Pakistan will be connected in the second phase.
http://pern.edu.pk/index.php?option=com_content&task=view&id=36&Itemid=1
= Internet bandwidth, Intranet resource sharing, Video conferencing and digital library resource provisioning.
http://www.hec.gov.pk/Documents/S1-P1-PERN2%20Introduction%20@%20Workshop%20on%20NRENs-v1/S1-P1-PERN2%20Introduction%20@%20Workshop%20on%20NRENs-v1.html
= Currently we are in the second phase of PERN
Pakistan's cyber crime wing, NR3C, was established on 13 March, 2003. The need for forensic examination of an email from the abductors of Daniel Pearl, an American journalist, led to its creation. Computer forensics, a relatively new science, involves the preservation, identification, extraction, documentation, analysis and court presentation of evidence from computer-related data stored on magnetic, optical, or electronic media.