Securing Enterprise Network Infrastructure
(Towards secure internetworking on Pakistan Educational Research Network)
Dr. Adeel Akram
UET Taxila
Outline
►Introduction to Enterprise Network
►Enterprise Network Architectures
►Securing Enterprise Networks
►Enterprise Network Security Requirements
►Pakistan Educational Research Network
►Type of Network Attacks and Vulnerabilities
►Case Studies
 Hacking of Educational and Govt. Websites !!!
►Lessons Learnt
►Recommendations
Introduction to Enterprise Network
► Enterprise Network is the network that allows
communication and resource-sharing among all of
a company's business functions and workers.
► In some cases, Enterprise network would even
include the company's suppliers, contractors and
distributors.
► It consists of hardware, software and media
connecting information technology resources of an
organization.
Enterprise Network Architectures
Securing Enterprise Networks
Enterprise Network Security Requirements
►Network security has become increasingly
more difficult to manage and evaluate, even
as industry and government compliance
requirements have become more
demanding.
Enterprise Network Security Requirements
►The network threats are real, and costly.
Internal and external vulnerabilities can
cause business disruption, loss of revenue,
or loss of operational efficiencies.
►Because network security can be breached
from both internal and external sources,
traditional perimeter firewalls are not
enough to protect the network.
Enterprise Network Security Requirements
►Enterprise networks require new network
security tools, network appliances, and
professional services to secure large and
small networks.
►The following slides show key components
of network security that are now required in
all organizations to secure their networks:
Enterprise Security Key Components
►Unified Threat Management (UTM) Firewalls
►Network Access Control (NAC), or ROLE-
based Networking
►Mobile Computer Client Protection
►Event Correlation and Log Analysis
►Layer-7 Visibility and Packet Analysis
►Managed Services
Enterprise Network Security Requirements
►Unified Threat Management (UTM) Firewalls
 It is too costly and operationally inefficient to
add on each separate component as security
threats emerge. Today's solutions use multiple
scanning methods and multiple defense layers
in high-throughput appliances. IDS/IPS, anti-
virus, content filtering, VPN, anti-spam, P2P
control, etc. all need to be included in a
network security solution.
Enterprise Network Security Requirements
►Network Access Control (NAC), or ROLE-
based Networking
 Creating differentiated network services based on
individual access requirements is the key. The era
of every user's ability to browse to all network
resources should be over. Role-based networking
is required to limit visibility to networks, servers,
and TCP/IP ports and protocols, regardless of the
user's point-of-entry into the network.
Enterprise Network Security Requirements
►Mobile Computer Client Protection
 Also referred to as "Mobile NAC", all network
devices that can leave and join the network
need to have accountability and control
regardless of location. The ability to control
laptops, PDA's, and other mobile devices when
they are not connected to a VPN session is a
key requirement.
Enterprise Network Security Requirements
► Event Correlation and Log Analysis
 Security threats cannot be stopped by reviewing
logs in "post-mortem" analysis. To stop "zero-
day" threats, the network needs event-correlation
and adaptive-response tools. While SNMP report
tools are important for network engineers
responsible for network health, other tools are
required to correlate client, server, and firewall
activities with computer application processes.
Enterprise Network Security Requirements
►Layer-7 (Application Layer) Visibility and
Packet Analysis
 The ability to classify all applications regardless of
port and protocol is essential for both security and
performance analysis. In-line devices for analyzing
and reporting network traffic across all OSI layers
are essential for compliance, security assessment,
and resolving performance issues.
Enterprise Network Security Requirements
►Managed Services
 Many companies cannot become experts in
Cyber-Security, PC/Server Management,
Regulatory Compliance, and Disaster Recovery.
But even small businesses are impacted by
critical data security threats and technology
maintenance hurdles that detract from the core
business goals. Managed Services offer
expertise on a contractual basis.
Educational Enterprise Network
►Pakistan Education and Research Network
Pakistan Educational Research Network
►PERN - Pakistan Education and Research
Network is a national research and
education network of Pakistan which
connects premiere educational and research
institutions of the country.
Pakistan Educational Research Network
►PERN focuses on collaborative research,
knowledge sharing, resource sharing, and
distance learning by connecting people
through the use of Intranet and Internet
resources.
Pakistan Educational Research Network
Types of Network Attacks
Source: Web-Hacking-Incident-Database - http://webappsec.pbworks.com/Web-Hacking-Incident-Database
Top Application Vulnerabilities
Source: Web-Hacking-Incident-Database - http://webappsec.pbworks.com/Web-Hacking-Incident-Database
Top Attack Outcomes
Source: Web-Hacking-Incident-Database - http://webappsec.pbworks.com/Web-Hacking-Incident-Database
Hacking Statistics for .gov.pk
Hacking Statistics for .edu.pk
Cyber Attack Response Procedure
► Detect attack source
► Seal crime scene / preserve system state
► Activate auditing / gather suspect traces
► Estimate attack losses
► Report to security agencies
► Prevent attack / plan response
FBI Cybercrime Investigation Procedure
► To ensure that your organization can react to an
incident efficiently, make sure that staff knows
who is responsible for cyber security and how to
reach them.
► The following steps will help you document an
incident and assist federal, state, and local law
enforcement agencies in their investigation (be
sure to act in accordance with your organization's
policies and procedures):
 Preserve the state of the computer at the time
of the incident by making a backup copy of
logs, damaged or altered files, and files left by
the intruder.
 If the incident is in progress, activate auditing
software and consider implementing a
keystroke monitoring program if possible.
FBI Cybercrime Investigation Procedure
 Document the losses suffered by your organization
as a result of the incident. These could include:
►estimated number of hours spent in response/recovery
►cost of temporary help
►cost of damaged equipment
►value of data lost
►amount of credit given to customers for inconvenience
►loss of revenue
►value of any trade secrets
To report an incident to the FBI, you can submit a tip report at https://tips.fbi.gov
FBI Cybercrime Investigation Procedure
► NR3C CERT (Computer Emergency Response Team)
► Forensic Lab
► R&D
► Implementation of Standards & Procedures
► Media and Projection Cell
► Technology Development Center
► Network Operations & Security
► Liaison with LEA(s) & public /private sector organizations
► Trainings & Seminars
► Legal Regularity & Issues
To report an incident to the NR3C visit: http://www.nr3c.gov.pk
Federal Investigation Agency Headquarters
Sector-G-9/4, Islamabad
Ph. 051-9261686, Fax. 051-9261685
National Response Centre For Cyber Crimes
Case Studies
►UET Taxila – Internal Website(s) Hacked
►HEC Website(s) – Hacked
►LUMS Website(s) – Hacked
►Ministry of Information and Broadcasting
Website – Hacked
►FIA’s National Response Center for Cyber
Crime Website
UET Taxila Website(s) Hacked
UET Taxila’s Internal Website
http://uet.homeip.net Hacked in 2006 !
Email from Hackers
The Next Day
Searched for traces of Hackers
►Event Viewer
 Application Logs
 System Logs
 Security Logs
►User Manager
 Any Accounts Modifications
 New Accounts Creation
 Rights requests
Checked Systems for Trojan Horses
►See if any backdoor is created on the
system
►Try to figure out how the hackers managed to
compromise the system
►Check Task Manager for any suspicious
running process
►Check System/Firewalls Security Logs
Search the Logs
Checked Logs on the DHCP Server
►Cross-checked the hackers' MAC address against
their IP address 169.254.2.57
 00-01-02-08-37-A8
Checked Hostel Switch Logs
►Went to the hostel switch and checked which
switch port this MAC address was bound to
 Port Number 31 on Switch
►Consulted the Hostel Network Diagrams to
find out Room Number for Port # 31
 Room Number 41
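The investigation chain on the slides above (DHCP log gives the MAC for the IP, the hostel switch MAC table gives the port, the cabling diagram gives the room) can be automated. The following is an added example, not code from the original presentation; the DHCP log line format, the switch table layout and the port-to-room map are constructed and assumed, so adapt the regexes to the DHCP server and switch actually in use.

```python
"""Trace an attacker's IP address back to a switch port and a room.

Added example (not from the presentation).  Automates the chain
DHCP log -> MAC address -> switch MAC table -> port -> room over
constructed sample data; the formats below are assumptions.
"""
import re
from typing import Dict, Optional

# Constructed DHCP server log (assumed format), in chronological order.
DHCP_LOG = """\
2006-08-15 21:03:11 ASSIGN ip=169.254.2.57 mac=00-01-02-08-37-A8 host=HOSTEL-PC
2006-08-15 21:05:40 ASSIGN ip=169.254.2.58 mac=00:24:7A:11:BB:02 host=LAB-PC-07
2006-08-16 08:12:05 RELEASE ip=169.254.2.58 mac=00:24:7A:11:BB:02 host=LAB-PC-07
"""

# Constructed output in the style of a switch "show mac address-table".
SWITCH_MAC_TABLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0001.0208.37a8    DYNAMIC     Fa0/31
  10    0024.7a11.bb02    DYNAMIC     Fa0/12
  10    00d0.5884.0c11    STATIC      Fa0/1
"""

# Constructed port-to-room map, as read off the hostel cabling diagram.
PORT_TO_ROOM: Dict[str, str] = {"Fa0/31": "Room 41", "Fa0/12": "Room 12", "Fa0/1": "Uplink"}

_MAC_RE = re.compile(r"^[0-9A-Fa-f]{12}$")
_LEASE_RE = re.compile(r"^(\S+ \S+) (ASSIGN|RELEASE) ip=(\S+) mac=(\S+)", re.M)


def normalize_mac(raw: str) -> str:
    """Canonicalise 00-01-02-08-37-A8, 0001.0208.37a8 or 00:01:... to lower-case colon form."""
    digits = re.sub(r"[-:.]", "", raw)
    if not _MAC_RE.match(digits):
        raise ValueError(f"not a MAC address: {raw!r}")
    digits = digits.lower()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def mac_for_ip_at(dhcp_log: str, ip: str, when: str) -> Optional[str]:
    """MAC address holding `ip` at `when` ('YYYY-MM-DD HH:MM:SS').

    Keeps the last ASSIGN/RELEASE at or before `when`, so a lease that
    was later handed to another host is not misattributed.  The fixed-width
    timestamps compare correctly as plain strings.
    """
    holder: Optional[str] = None
    for ts, event, lease_ip, mac in _LEASE_RE.findall(dhcp_log):
        if lease_ip != ip or ts > when:
            continue
        holder = normalize_mac(mac) if event == "ASSIGN" else None
    return holder


def port_for_mac(mac_table: str, mac: str) -> Optional[str]:
    """Return the switch port on which `mac` was learned, or None."""
    for line in mac_table.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        try:
            if normalize_mac(fields[1]) == mac:
                return fields[-1]
        except ValueError:
            continue  # header or separator line, not a MAC
    return None


def locate(ip: str, when: str) -> Dict[str, Optional[str]]:
    """Full chain: IP at a point in time -> MAC -> switch port -> room."""
    mac = mac_for_ip_at(DHCP_LOG, ip, when)
    port = port_for_mac(SWITCH_MAC_TABLE, mac) if mac else None
    room = PORT_TO_ROOM.get(port) if port else None
    return {"ip": ip, "mac": mac, "port": port, "room": room}


if __name__ == "__main__":
    print(locate("169.254.2.57", "2006-08-16 02:00:00"))
```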
Hackers Caught Red-Handed
Website Restored to Original State
Observations
►The site was hacked by our own students
who were doing internship in Network
Center on Windows Server Administration
►They were also developing student-portal
website on the same server and were given
administrative rights on the web server
►They misused their rights to hack the site
The defacing of UET TAXILA’s
Examination website in August 2007
http://web.uettaxila.edu.pk/uet/UETsub/uetDownloads/examination/
Hacked by Whom?
• Five main IP addresses used the URL responsible
for hacking and planting the pages on our alpha
web server!
• 202.86.249.21
• 202.86.248.23
• 74.6.25.141
• 88.254.235.5
• 85.106.249.98
Guess What !
►Who owns this IP Address?
►202.86.249.21
►Pakistan
Whois 202.86.249.21
► WHOIS - 202.86.249.21
► inetnum: 202.86.249.0 - 202.86.249.255
► netname: DIALLOG
► descr: Great Bear International Services (Pvt) Ltd, Wireless Local Loop
► descr: CDMA Operator, Pakistan
► country: PK
► person: Artem Orange
► nic-hdl: AO71-AP
► e-mail: artem@diallog.com.pk
► address: Great Bear International Services (Pvt) Ltd
► address: 106-E, Asif Plaza 3rd & 4th Floor
► address: Fazal-ul-Haq Road, Blue Area,
► address: Islamabad
► phone: +92 51 2806222
► country: PK
► changed: artem@diallog.com.pk 20060111
► mnt-by: MAINT-PK-DIALLOG
► source: APNIC
Who owns the 2nd Attacker IP?
►Who owns this IP Address?
►202.86.248.23
►Singapore
Whois 74.6.25.141
► WHOIS - 74.6.25.141
► OrgName: Inktomi Corporation
► OrgID: INKT
► Address: 701 First Ave
► City: Sunnyvale
► StateProv: CA
► PostalCode: 94089
► Country: US
► NetRange: 74.6.0.0 - 74.6.255.255
► CIDR: 74.6.0.0/16
► NetName: INKTOMI-BLK-6
► NetHandle: NET-74-6-0-0-1
► Parent: NET-74-0-0-0-0
► NetType: Direct Allocation
► NameServer: NS1.YAHOO.COM
► RAbuseEmail: network-abuse@cc.yahoo-inc.com
Whois 85.106.249.98
► WHOIS - 85.106.249.98
► Location: Turkey (high) [City: Adana, Adana]
► inetnum: 85.106.128.0 - 85.106.255.255
► netname: TurkTelekom
► descr: TT ADSL-alcatel dynamic_ulus
► country: tr
► admin-c: BADB3-RIPE
► tech-c: ZA66-RIPE
► status: ASSIGNED PA
► mnt-by: as9121-mnt
► notify: ipg@telekom.gov.tr
► changed: ipg@telekom.gov.tr 20070220
► source: RIPE
role: TT Administrative Contact Role
address: Turk Telekom
address: Network Direktorlugu
address: Aydinlikevler
address: 06103 ANKARA
phone: +90 312 555 1927
fax-no: +90 312 313 1924
e-mail: abuse@ttnet.net.tr
source: RIPE
Whois 88.254.235.5
► WHOIS - 88.254.235.5
► Location: Turkey (high) [City: Adana, Adana]
► inetnum: 88.254.128.0 - 88.254.255.255
► netname: TurkTelekom
► descr: TT ADSL-alcatel dynamic_ulus
► country: tr
► admin-c: TTBA1-RIPE
► tech-c: TTBA1-RIPE
► status: ASSIGNED PA
► mnt-by: as9121-mnt
► notify: ipg@telekom.gov.tr
► changed: ipg@telekom.gov.tr 20070220
► source: RIPE
role: TT Administrative Contact Role
address: Turk Telekom
address: Bilisim Aglari Dairesi
address: Aydinlikevler
address: 06103 ANKARA
phone: +90 312 313 1950
fax-no: +90 312 313 1949
e-mail: abuse@ttnet.net.tr
source: RIPE
How it was done?
►An ASP shell script, CP5.asp, was planted under the
http://web.uettaxila.edu.pk/uet/UETsub/uetDownloads/examination/
folder, which had Write permission granted on it and
Directory Browsing turned ON.
►Our firewall logs showed that the first call to the
malicious ASP page was made on 30/Aug/2007 at
14:45:24 PST.
Home of CyberSpy 5 (CP5.asp)
CP5.asp Removed from Server!
► I didn’t understand the Turkish language, but
the icons were pretty intuitive to indicate that
the means Delete and means
Download.
► So after indiring the CP5.asp for my personal
interest and further investigation, Siled the
cp5.asp using its own page.
► Thanks to the author of CP5 for self destructive
features ;-)
Observations
► The CP-5 (CyberSpy 5) ASP shell script was planted,
intentionally or unintentionally, in the Examination
website by someone with physical access to the server
► The network supervisors of the exam branch didn't
confess their fault
► CyberSpy 5 is now detected by newer antivirus products
as PhP/C99Shell.A.Trojan and ASP/Ace.DC. Trojan
What security measures were taken?
►As the first step in reviving the
web.uettaxila.edu.pk website, all traffic for
web.uettaxila.edu.pk was redirected to
www.uettaxila.edu.pk, so that the original website
contents were served directly from our hosted-services
server instead of the local hacked server.
What security measures were taken?
►Browsed through the IIS Service Manager on the
hacked server to check the rights on all folders
related to the website.
►Removed Write rights for IUSR_ALPHA on all
folders.
►Changed the default web page at
web.uettaxila.edu.pk from index.htm to
index1.asp
What security measures were taken?
►Backed up the hacked pages and emailed them
to my account for further investigation.
►I deleted the hacked index.htm file and restored
the original files from the hosted-services server
to the local hacked server.
►At this time, the hackers tried to reinstall their
page on our server by overwriting index.htm
with their hacked page.
What security measures were taken?
►As the web server was now set to serve
index1.asp instead of index.htm, the hacked
page was no longer visible on the main page.
►The hackers realized that they should leave
the server now.
►As a protective measure, we added the IP ranges
of the hackers' address blocks to the firewall block list.
►In future they will not be able to use the same
addresses to access our server.
What security measures were taken?
►The domain accounts of all users were
checked for their security privileges.
►Unnecessary administrative group members
were removed.
►Passwords were changed on all
Administrative accounts.
►anonymous@uettaxila.edu.pk was removed.
Response to the Hackers
► Used network forensic tools to track the hackers
► Used OS fingerprinting to identify the types of
systems used by the attackers
► Tried to gain access of their network resources
► Tried to get personal information about hackers
Who owned 88.254.235.5?
I changed its old password for future communication
This is the ADSL Router of Attacker in Turkey
ZyXEL ADSL Router on Turk IP!
Who owned 88.254.235.5?
Suggestions and Comments
► Routine checking of firewall logs should be
performed to spot suspicious requests to URL addresses
on the server.
► All servers should be moved behind a UTM firewall
► The Intrusion Prevention System on the UTM should be
configured to detect and block such attacks in future.
► The ISPs and security agencies concerned should be
contacted for logs in order to identify the owners of
these attacker IP addresses.
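The "first call to the malicious ASP page" in the firewall logs, and the routine log checking recommended above, are the kind of review that can be scripted. The following is an added example, not code from the presentation: it parses constructed IIS 6 W3C extended log lines that mirror the incident (a script file appearing in a downloads-only folder) and raises alerts for script execution there, POSTs to such a script, and directory listings. The log content, server and client addresses, and the list of download-only folders are assumptions.

```python
"""Flag web-shell-style activity in IIS W3C extended logs.

Added example (not from the presentation).  The log below is constructed
in IIS 6 W3C format to mirror the described incident; the folder list is
an assumption for this site.
"""
from typing import Dict, List, NamedTuple, Optional

# Constructed sample; column names come from the #Fields line, as in real IIS logs.
IIS_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2007-08-30 00:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2007-08-30 09:12:01 192.0.2.10 GET /uet/UETsub/uetDownloads/examination/ - 80 - 203.0.113.5 Mozilla/4.0 200
2007-08-30 09:12:09 192.0.2.10 GET /uet/UETsub/uetDownloads/examination/results.pdf - 80 - 203.0.113.5 Mozilla/4.0 200
2007-08-30 14:45:24 192.0.2.10 GET /uet/UETsub/uetDownloads/examination/CP5.asp - 80 - 198.51.100.77 Mozilla/4.0 200
2007-08-30 14:46:02 192.0.2.10 POST /uet/UETsub/uetDownloads/examination/CP5.asp act=upload 80 - 198.51.100.77 Mozilla/4.0 200
2007-08-30 15:01:40 192.0.2.10 GET /index.htm - 80 - 203.0.113.9 Mozilla/4.0 200
"""

# Folders that should only ever serve static downloads (assumption for this site).
DOWNLOAD_ONLY_PREFIXES = ("/uet/UETsub/uetDownloads/",)
SCRIPT_EXTENSIONS = (".asp", ".aspx", ".php", ".cgi")


class Alert(NamedTuple):
    timestamp: str
    client_ip: str
    method: str
    uri: str
    reason: str


def parse_w3c(log: str) -> List[Dict[str, str]]:
    """Parse W3C extended log text into dicts keyed by the names in #Fields."""
    fields: List[str] = []
    records: List[Dict[str, str]] = []
    for line in log.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line: skip rather than misalign the columns
        records.append(dict(zip(fields, values)))
    return records


def is_script(uri: str) -> bool:
    """Server-side script by extension (case-insensitive, as IIS maps them)."""
    return uri.lower().endswith(SCRIPT_EXTENSIONS)


def review(records: List[Dict[str, str]]) -> List[Alert]:
    """Alerts for script execution, POSTs to scripts, and listings in download-only folders."""
    alerts: List[Alert] = []
    for r in records:
        uri = r["cs-uri-stem"]
        ts = f"{r['date']} {r['time']}"
        in_download_dir = uri.startswith(DOWNLOAD_ONLY_PREFIXES)
        if in_download_dir and is_script(uri):
            reason = "script executed in download-only folder"
            if r["cs-method"] == "POST":
                reason = "POST to script in download-only folder (possible upload/command)"
            alerts.append(Alert(ts, r["c-ip"], r["cs-method"], uri, reason))
        elif in_download_dir and uri.endswith("/") and r["sc-status"] == "200":
            alerts.append(Alert(ts, r["c-ip"], r["cs-method"], uri,
                                "directory index served; verify Directory Browsing is off"))
    return alerts


def first_seen(records: List[Dict[str, str]], uri: str) -> Optional[str]:
    """Earliest timestamp at which `uri` was requested (the 'first call' on the slides)."""
    hits = sorted(f"{r['date']} {r['time']}" for r in records if r["cs-uri-stem"] == uri)
    return hits[0] if hits else None


if __name__ == "__main__":
    recs = parse_w3c(IIS_LOG)
    for a in review(recs):
        print(a)
    print("first call:", first_seen(recs, "/uet/UETsub/uetDownloads/examination/CP5.asp"))
```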
HEC Website(s) Hacked
HEC Website(s) Hacked
► Domain: http://hjp.hec.gov.pk
 Hacking Reported on: 2010-05-19 10:47:33
 Notified by: Ashiyane Digital Security Team
 IP address: 111.68.100.144
 System: Linux
 Web server: Apache
http://hjp.hec.gov.pk
HEC Website(s) Hacked
► Domain: http://dev.hec.gov.pk
 Hacking Reported on: 2010-07-06 16:50:06
 Notified by: r4diationz
 IP address: 72.249.151.41
 Sub directory: /appsup/submit.asp
 Attack Type: Database injection
http://dev.hec.gov.pk
HEC Website(s) Hacked
► Domain: http://app.hec.gov.pk
 Hacking Reported on: 2010-07-06 16:51:25
 Notified by: r4diationz
 IP address: 72.249.151.41
 Sub directory: /appsup/submit.asp
 Attack Type: Database injection
http://app.hec.gov.pk
HEC Website(s) Hacked
► Domain: http://sc.hec.gov.pk/aphds/Submit.asp
 Hacking Reported on: 2010-02-05 16:09:21
 Notified by: sacred_relic
 IP address: 111.68.100.150
 System: Win 2003
 Web server: IIS/6.0
http://sc.hec.gov.pk
LUMS Website(s) Hacked
LUMS Website(s) Hacked
► Domain: http://cmer.lums.edu.pk
 Hacking Reported on: 2009-07-12 21:17:08
 Notified by: syniack
 IP address: 203.128.0.46
 System: Linux
 Web server: Apache
http://cmer.lums.edu.pk
LUMS Website(s) Hacked
► Domain: http://suraj.lums.edu.pk/~lrs/forum/phpBB2
 Hacking Reported on: 2006-07-19 15:39:52
 Notified by: SanalYargic
 IP address: 203.128.0.6
 System: SolarisSunOS
 Web server: Apache
http://suraj.lums.edu.pk
LUMS Website(s) Hacked
► Domain: http://sedp.lums.edu.pk/index2.htm
 Hacking Reported on: 2003-08-15 22:39:41
 Notified by: INDIAN TIGERS
 IP address: 203.128.1.242
 System: Win 2000
 Web server: IIS/5.0
http://sedp.lums.edu.pk
LUMS Website(s) Hacked
► Domain: http://sedp.lums.edu.pk
 Hacking Reported on: 2003-08-16 17:38:40
 Notified by: INDIAN TIGERS
 IP address: 203.128.1.242
 System: Win 2000
 Web server: IIS/5.0
http://sedp.lums.edu.pk
InfoPak.gov.pk Website Hacked
Ministry of Information and Broadcasting Website Hacked
► Domain: http://www.infopak.gov.pk
► Hacking Reported on : 2010-07-13 09:20:12
 Notified by: Sovalye
 IP address: 174.143.146.58
 System: Win 2003
 Web server: IIS/6.0
http://www.infopak.gov.pk
NR3C Website Hacked
FIA’s National Response Center for Cyber Crime Website Hacked
► Domain: http://www.nr3c.gov.pk
 Hacking Reported on : 2010-01-07 16:16:56
 Notified by: ZombiE_KsA
 IP address: 72.9.156.44
 System: Linux
 Web server: Apache
http://www.nr3c.gov.pk
Lessons Learnt
► The faster the network, the more attacks arrive from
the Internet
► Greater availability / always-online connectivity
increases the chances of hacking attacks
► Internal users are mostly responsible for
compromising network security
► Easy availability of hacking scripts has encouraged
script kiddies to try hacking
► Lack of regular security audits, a shortage of certified
ethical hackers, and little knowledge sharing
Recommendations
► Enable ROLE-based Network Services
► Disable Windows File Sharing
► Update the Operating System
► Choose Strong Passwords
► Anti-virus Software Installation and Update
► Train the End Users to maintain their PCs
► Install A Personal Firewall and Email Security Apps
► On demand and Startup Scan For Spyware
► Network Access Control
Tips for End Users
► Deploy Internet Security Software (FW+AV+UTM)
 ESET NOD32 Business Edition
 TrendMicro Internet Security
 Symantec Endpoint protection + Network Access Control
► Keep Security Software updated
► Keep OS and Installed Software updated
► Report abnormal system behavior to Admins
► Enable System Restore and Backup System
Tips for Network and Sys Admins
► Block TCP Port 25 (Commonly used by Spam-bots)
► Block TCP Port 135 (Used by W32/Blaster worm)
► Block TCP Port 445, NetBIOS-DGM, NetBIOS-NS,
NetBIOS-SSN, Kerberos, LDAP, WINS, RDP and
Ping to/from WAN
► Turn off File and Printer Sharing for Microsoft
Networks on WAN Interfaces of all servers
► Install Firewall and Antivirus software on servers
► Create Backups / Images of Servers
References
► http://www.nle.com
► www.networkdictionary.com/networking/e.php
► http://www.cisco.com/web/about/security/intelligence/worm-mitigation-whitepaper.html
► http://www.firewall.cx/firewall_topologies.php
► http://webappsec.pbworks.com/Web-Hacking-Incident-Database
► http://www.zone-h.com/archive
► http://www.dnsstuff.com/tools
► http://www.ip-whois-lookup.com/lookup.php?ip=88.254.235.5
► http://www.hec.gov.pk
► http://www.pern.edu.pk
► http://www.cert.org/tech_tips/FBI_investigates_crime.html
► http://www.insecure.org
► http://www.eeye.com
► https://secure.dshield.org/reports.html
Questions
adeel.akram@uettaxila.edu.pk

More Related Content

Similar to jhon ibrahim.ppt

Authentic Assessment Project (AAP) Jan 2017Background Informat.docx
Authentic Assessment Project (AAP) Jan 2017Background Informat.docxAuthentic Assessment Project (AAP) Jan 2017Background Informat.docx
Authentic Assessment Project (AAP) Jan 2017Background Informat.docx
rock73
 
Level 3 Security solutions
Level 3 Security solutionsLevel 3 Security solutions
Level 3 Security solutions
Alan Rudd
 
Gartner technologies for Infosec 2014-2015
Gartner technologies for Infosec 2014-2015Gartner technologies for Infosec 2014-2015
Gartner technologies for Infosec 2014-2015
Samuel Kamuli
 

Similar to jhon ibrahim.ppt (20)

Indian perspective of cyber security
Indian perspective of cyber securityIndian perspective of cyber security
Indian perspective of cyber security
 
Authentic Assessment Project (AAP) Jan 2017Background Informat.docx
Authentic Assessment Project (AAP) Jan 2017Background Informat.docxAuthentic Assessment Project (AAP) Jan 2017Background Informat.docx
Authentic Assessment Project (AAP) Jan 2017Background Informat.docx
 
GISEC 2015 Your Network in the Eyes of a Hacker - DTS Solution
GISEC 2015 Your Network in the Eyes of a Hacker - DTS SolutionGISEC 2015 Your Network in the Eyes of a Hacker - DTS Solution
GISEC 2015 Your Network in the Eyes of a Hacker - DTS Solution
 
3.8 Ways to Establish Secure Protocols in a Digital Organization.pdf
3.8 Ways to Establish Secure Protocols in a Digital Organization.pdf3.8 Ways to Establish Secure Protocols in a Digital Organization.pdf
3.8 Ways to Establish Secure Protocols in a Digital Organization.pdf
 
PLNOG14: Firewalls In Modern Data Centers - Piotr Wojciechowski
PLNOG14: Firewalls In Modern Data Centers - Piotr WojciechowskiPLNOG14: Firewalls In Modern Data Centers - Piotr Wojciechowski
PLNOG14: Firewalls In Modern Data Centers - Piotr Wojciechowski
 
Implementing an improved security for collin’s database and telecommuters
Implementing an improved security for collin’s database and telecommutersImplementing an improved security for collin’s database and telecommuters
Implementing an improved security for collin’s database and telecommuters
 
White paper scada (2)
White paper scada (2)White paper scada (2)
White paper scada (2)
 
Level 3 Security solutions
Level 3 Security solutionsLevel 3 Security solutions
Level 3 Security solutions
 
Lessons Learned Fighting Modern Cyberthreats in Critical ICS Networks
Lessons Learned Fighting Modern Cyberthreats in Critical ICS NetworksLessons Learned Fighting Modern Cyberthreats in Critical ICS Networks
Lessons Learned Fighting Modern Cyberthreats in Critical ICS Networks
 
CLASS 2018 - Palestra de Edgard Capdevielle (Presidente e CEO – Nozomi)
CLASS 2018 - Palestra de Edgard Capdevielle (Presidente e CEO – Nozomi)CLASS 2018 - Palestra de Edgard Capdevielle (Presidente e CEO – Nozomi)
CLASS 2018 - Palestra de Edgard Capdevielle (Presidente e CEO – Nozomi)
 
Best Practices to Cybersecurity Vulnerability Management,.pdf
Best Practices to Cybersecurity Vulnerability Management,.pdfBest Practices to Cybersecurity Vulnerability Management,.pdf
Best Practices to Cybersecurity Vulnerability Management,.pdf
 
8 Top Cybersecurity Tools.pptx
8 Top Cybersecurity Tools.pptx8 Top Cybersecurity Tools.pptx
8 Top Cybersecurity Tools.pptx
 
Tyler Technology Expo
Tyler Technology ExpoTyler Technology Expo
Tyler Technology Expo
 
8 Top Cybersecurity Tools.pdf
8 Top Cybersecurity Tools.pdf8 Top Cybersecurity Tools.pdf
8 Top Cybersecurity Tools.pdf
 
Hacking your Connected Car: What you need to know NOW
Hacking your Connected Car: What you need to know NOWHacking your Connected Car: What you need to know NOW
Hacking your Connected Car: What you need to know NOW
 
Remotely Scanning Organization’s Internal Network
Remotely Scanning Organization’s Internal NetworkRemotely Scanning Organization’s Internal Network
Remotely Scanning Organization’s Internal Network
 
5691 computer network career
5691 computer network career5691 computer network career
5691 computer network career
 
Cyber security general perspective a
Cyber security general perspective aCyber security general perspective a
Cyber security general perspective a
 
Resume | Vijay Navgire
Resume | Vijay Navgire Resume | Vijay Navgire
Resume | Vijay Navgire
 
Gartner technologies for Infosec 2014-2015
Gartner technologies for Infosec 2014-2015Gartner technologies for Infosec 2014-2015
Gartner technologies for Infosec 2014-2015
 

Recently uploaded

Beyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global ImpactBeyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global Impact
PECB
 
Seal of Good Local Governance (SGLG) 2024Final.pptx
Seal of Good Local Governance (SGLG) 2024Final.pptxSeal of Good Local Governance (SGLG) 2024Final.pptx
Seal of Good Local Governance (SGLG) 2024Final.pptx
negromaestrong
 
Russian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in Delhi
Russian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in DelhiRussian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in Delhi
Russian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in Delhi
kauryashika82
 
Activity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdfActivity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdf
ciinovamais
 

Recently uploaded (20)

Beyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global ImpactBeyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global Impact
 
Z Score,T Score, Percential Rank and Box Plot Graph
Z Score,T Score, Percential Rank and Box Plot GraphZ Score,T Score, Percential Rank and Box Plot Graph
Z Score,T Score, Percential Rank and Box Plot Graph
 
Nutritional Needs Presentation - HLTH 104
Nutritional Needs Presentation - HLTH 104Nutritional Needs Presentation - HLTH 104
Nutritional Needs Presentation - HLTH 104
 
Role Of Transgenic Animal In Target Validation-1.pptx
Role Of Transgenic Animal In Target Validation-1.pptxRole Of Transgenic Animal In Target Validation-1.pptx
Role Of Transgenic Animal In Target Validation-1.pptx
 
Basic Civil Engineering first year Notes- Chapter 4 Building.pptx
Basic Civil Engineering first year Notes- Chapter 4 Building.pptxBasic Civil Engineering first year Notes- Chapter 4 Building.pptx
Basic Civil Engineering first year Notes- Chapter 4 Building.pptx
 
Introduction to Nonprofit Accounting: The Basics
Introduction to Nonprofit Accounting: The BasicsIntroduction to Nonprofit Accounting: The Basics
Introduction to Nonprofit Accounting: The Basics
 
Seal of Good Local Governance (SGLG) 2024Final.pptx
Seal of Good Local Governance (SGLG) 2024Final.pptxSeal of Good Local Governance (SGLG) 2024Final.pptx
Seal of Good Local Governance (SGLG) 2024Final.pptx
 
Application orientated numerical on hev.ppt
Application orientated numerical on hev.pptApplication orientated numerical on hev.ppt
Application orientated numerical on hev.ppt
 
Micro-Scholarship, What it is, How can it help me.pdf
Micro-Scholarship, What it is, How can it help me.pdfMicro-Scholarship, What it is, How can it help me.pdf
Micro-Scholarship, What it is, How can it help me.pdf
 
Unit-V; Pricing (Pharma Marketing Management).pptx
Unit-V; Pricing (Pharma Marketing Management).pptxUnit-V; Pricing (Pharma Marketing Management).pptx
Unit-V; Pricing (Pharma Marketing Management).pptx
 
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
 
Key note speaker Neum_Admir Softic_ENG.pdf
Key note speaker Neum_Admir Softic_ENG.pdfKey note speaker Neum_Admir Softic_ENG.pdf
Key note speaker Neum_Admir Softic_ENG.pdf
 
Ecological Succession. ( ECOSYSTEM, B. Pharmacy, 1st Year, Sem-II, Environmen...
Ecological Succession. ( ECOSYSTEM, B. Pharmacy, 1st Year, Sem-II, Environmen...Ecological Succession. ( ECOSYSTEM, B. Pharmacy, 1st Year, Sem-II, Environmen...
Ecological Succession. ( ECOSYSTEM, B. Pharmacy, 1st Year, Sem-II, Environmen...
 
Russian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in Delhi
Russian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in DelhiRussian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in Delhi
Russian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in Delhi
 
How to Give a Domain for a Field in Odoo 17
How to Give a Domain for a Field in Odoo 17How to Give a Domain for a Field in Odoo 17
How to Give a Domain for a Field in Odoo 17
 
INDIA QUIZ 2024 RLAC DELHI UNIVERSITY.pptx
INDIA QUIZ 2024 RLAC DELHI UNIVERSITY.pptxINDIA QUIZ 2024 RLAC DELHI UNIVERSITY.pptx
INDIA QUIZ 2024 RLAC DELHI UNIVERSITY.pptx
 
Unit-IV- Pharma. Marketing Channels.pptx
Unit-IV- Pharma. Marketing Channels.pptxUnit-IV- Pharma. Marketing Channels.pptx
Unit-IV- Pharma. Marketing Channels.pptx
 
General Principles of Intellectual Property: Concepts of Intellectual Proper...
General Principles of Intellectual Property: Concepts of Intellectual  Proper...General Principles of Intellectual Property: Concepts of Intellectual  Proper...
General Principles of Intellectual Property: Concepts of Intellectual Proper...
 
Activity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdfActivity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdf
 
ICT Role in 21st Century Education & its Challenges.pptx
ICT Role in 21st Century Education & its Challenges.pptxICT Role in 21st Century Education & its Challenges.pptx
ICT Role in 21st Century Education & its Challenges.pptx
 

jhon ibrahim.ppt

  • 1. Securing Enterprise Network Infrastructure (Towards secure internetworking on Pakistan Educational Research Network) Dr. Adeel Akram UET Taxila
  • 2. Outline ►Introduction to Enterprise Network ►Enterprise Network Architectures ►Securing Enterprise Networks ►Enterprise Network Security Requirements ►Pakistan Educational Research Network ►Type of Network Attacks and Vulnerabilities ►Case Studies  Hacking of Educational and Govt. Websites !!! ►Lessons Learnt ►Recommendations
  • 3. Introduction to Enterprise Network ► Enterprise Network is the network that allows communication and resource-sharing among all of a company's business functions and workers. ► In some cases, Enterprise network would even include the company's suppliers, contractors and distributors. ► It consists of hardware, software and media connecting information technology resources of an organization.
  • 10. Enterprise Network Security Requirements ►Network security has become increasingly more difficult to manage and evaluate, even as industry and government compliance requirements have become more demanding.
  • 11. Enterprise Network Security Requirements ►The network threats are real, and costly. Internal and external vulnerabilities can cause business disruption, loss of revenue, or loss of operational efficiencies. ►Because network security can be breached from both internal and external sources, traditional perimeter firewalls are not enough to protect the network.
  • 12. Enterprise Network Security Requirements ►Enterprise networks require new network security tools, network appliances, and professional services to secure large and small networks. ►The following slides show key components of network security that are now required in all organizations to secure their networks:
  • 13. Enterprise Security Key Components ►Unified Threat Management (UTM) Firewalls ►Network Access Control (NAC), or ROLE-based Networking ►Mobile Computer Client Protection ►Event Correlation and Log Analysis ►Layer-7 Visibility and Packet Analysis ►Managed Services
  • 14. Enterprise Network Security Requirements ►Unified Threat Management (UTM) Firewalls – It is too costly and operationally inefficient to add on each separate component as security threats emerge. Today's solutions use multiple scanning methods and multiple defense layers in high-throughput appliances. IDS/IPS, Anti-Virus, Content-Filtering, VPN, Anti-Spam, P2P control, etc. all need to be included in a network security solution.
  • 15. Enterprise Network Security Requirements ►Network Access Control (NAC), or ROLE-based Networking – Creating differentiated network services based on individual access requirements is the key. The era of every user being able to browse to all network resources should be over. Role-based networking is required to limit visibility of networks, servers, and TCP/IP ports and protocols, regardless of the user's point of entry into the network.
  • 16. Enterprise Network Security Requirements ►Mobile Computer Client Protection – Also referred to as "Mobile NAC": all network devices that can leave and join the network need to have accountability and control regardless of location. The ability to control laptops, PDAs, and other mobile devices when they are not connected to a VPN session is a key requirement.
  • 17. Enterprise Network Security Requirements ► Event Correlation and Log Analysis – Security threats cannot be stopped by reviewing logs in "post-mortem" analysis. To stop "zero-day" threats, the network needs event-correlation and adaptive-response tools. While SNMP reporting tools are important for network engineers responsible for network health, other tools are required to correlate client, server, and firewall activities with computer application processes.
  • 18. Enterprise Network Security Requirements ►Layer-7 (Application Layer) Visibility and Packet Analysis – The ability to classify all applications regardless of port and protocol is essential for both security and performance analysis. In-line devices for analyzing and reporting network traffic across all OSI layers are essential for compliance, security assessment, and resolving performance issues.
  • 19. Enterprise Network Security Requirements ►Managed Services – Many companies cannot become experts in Cyber-Security, PC/Server Management, Regulatory Compliance, and Disaster Recovery. But even small businesses are impacted by critical data security threats and technology maintenance hurdles that detract from the core business goals. Managed Services offer expertise on a contractual basis.
  • 20. Educational Enterprise Network ►Pakistan Education and Research Network
  • 21. Pakistan Educational Research Network ►PERN - Pakistan Education and Research Network is a national research and education network of Pakistan which connects premiere educational and research institutions of the country.
  • 22. Pakistan Educational Research Network ►PERN focuses on collaborative research, knowledge sharing, resource sharing, and distance learning by connecting people through the use of Intranet and Internet resources.
  • 24. Types of Network Attacks Web-Hacking-Incident-Database - http://webappsec.pbworks.com/Web-Hacking-Incident-Database
  • 25. Top Application Vulnerabilities Web-Hacking-Incident-Database - http://webappsec.pbworks.com/Web-Hacking-Incident-Database
  • 26. Top Attack Outcomes Web-Hacking-Incident-Database - http://webappsec.pbworks.com/Web-Hacking-Incident-Database
  • 29. Cyber Attack Response Procedure ► Detect Attack Source ► Seal Crime Scene / Preserve System State ► Activate Auditing / Gather Suspect Traces ► Estimate Attack Losses ► Report to Security Agencies ► Prevent Attack / Plan Response
  • 30. FBI Cybercrime Investigation Procedure ► To ensure that your organization can react to an incident efficiently, make sure that staff knows who is responsible for cyber security and how to reach them. ► The following steps will help you document an incident and assist federal, state, and local law enforcement agencies in their investigation (be sure to act in accordance with your organization's policies and procedures):
  • 31. FBI Cybercrime Investigation Procedure – Preserve the state of the computer at the time of the incident by making a backup copy of logs, damaged or altered files, and files left by the intruder. – If the incident is in progress, activate auditing software and consider implementing a keystroke monitoring program if possible.
  • 32. FBI Cybercrime Investigation Procedure – Document the losses suffered by your organization as a result of the incident. These could include: ►estimated number of hours spent in response/recovery ►cost of temporary help ►cost of damaged equipment ►value of data lost ►amount of credit given to customers for inconvenience ►loss of revenue ►value of any trade secrets ► To report an incident to the FBI, you can submit a tip report at https://tips.fbi.gov
  • 33. National Response Centre For Cyber Crimes ► NR3C CERT (Computer Emergency Response Team) ► Forensic Lab ► R&D ► Implementation of Standards & Procedures ► Media and Projection Cell ► Technology Development Center ► Network Operations & Security ► Liaison with LEA(s) & public/private sector organizations ► Trainings & Seminars ► Legal Regularity & Issues ► To report an incident to the NR3C visit: http://www.nr3c.gov.pk ► Federal Investigation Agency Headquarters, Sector G-9/4, Islamabad, Ph. 051-9261686, Fax. 051-9261685
  • 34. Case Studies ►UET Taxila – Internal Website(s) Hacked ►HEC Website(s) – Hacked ►LUMS Website(s) – Hacked ►Ministry of Information and Broadcasting Website – Hacked ►FIA’s National Response Center for Cyber Crime Website
  • 36. UET Taxila’s Internal Website http://uet.homeip.net Hacked in 2006 !
  • 39. Searched for traces of Hackers ►Event Viewer – Application Logs – System Logs – Security Logs ►User Manager – Any Account Modifications – New Account Creation – Rights Requests
  • 41. Checked Systems for Trojan Horses ►See if any backdoor was created on the system ►Try to figure out how the hackers managed to compromise the system ►Check Task Manager for any suspicious running process ►Check System/Firewall Security Logs
  • 43. Checked Logs on the DHCP Server ►Cross-checked the MAC Address of the Hackers from their IP 169.254.2.57 – 00-01-02-08-37-A8
  • 45. Checked Hostel Switch Logs ►Went to the Hostel Switch and checked which switch port this MAC address binds to – Port Number 31 on Switch ►Consulted the Hostel Network Diagrams to find out the Room Number for Port # 31 – Room Number 41
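The three-step trace in slides 43 to 45 (IP to MAC from the DHCP log, MAC to switch port, port to room) as an added example; this is not code from the original deck. All data is constructed: the DHCP lines imitate the Windows DHCP server audit-log layout, the switch table imitates Cisco `show mac address-table` output, and the port-to-room map stands in for the hostel network diagrams; the MAC normalisation matters because each source spells the same address differently.

```python
"""Trace an offending IP to a switch port and room: DHCP log -> MAC -> port -> room.

Added example, not from the original slides. Sample data is constructed: the DHCP
lines imitate the Windows DHCP audit-log columns (ID,Date,Time,Description,IP
Address,Host Name,MAC Address), the switch table imitates Cisco 'show mac
address-table', and the port-to-room map stands in for the hostel diagrams.
"""
from __future__ import annotations
import re
from datetime import datetime

# Constructed DHCP audit-log excerpt (not a real log from the UET Taxila server).
DHCP_LOG = """\
ID,Date,Time,Description,IP Address,Host Name,MAC Address
10,01/15/06,20:31:07,Assign,169.254.2.55,hostel-pc-12.,0013A9C0FFEE
11,01/15/06,20:40:22,Assign,169.254.2.57,hostel-pc-41.,0001020837A8
12,01/15/06,21:12:50,Renew,169.254.2.57,hostel-pc-41.,0001020837A8
13,01/15/06,21:50:03,Release,169.254.2.55,hostel-pc-12.,0013A9C0FFEE
"""

# Constructed 'show mac address-table' excerpt from the hostel switch.
SWITCH_MAC_TABLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0013.a9c0.ffee    DYNAMIC     Fa0/12
  10    0001.0208.37a8    DYNAMIC     Fa0/31
  10    0050.56ab.cdef    DYNAMIC     Fa0/2
"""

# Constructed port-to-room map (the slides took this from the hostel network diagrams).
PORT_TO_ROOM = {"Fa0/12": "Room 12", "Fa0/31": "Room 41", "Fa0/2": "Room 2"}

def normalize_mac(mac: str) -> str:
    """Return 00-01-02-08-37-a8 for any common spelling: 0001020837A8 (Windows
    DHCP log), 0001.0208.37a8 (Cisco), 00:01:02:08:37:a8 or 00-01-02-08-37-A8."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2))

def dhcp_events_for_ip(dhcp_log: str, ip: str) -> list[tuple[datetime, str, str]]:
    """(timestamp, event, mac) for every DHCP event on `ip`, in log order.
    An IP can be leased to different MACs over time, so the caller must pick
    the lease that was active at the time of the attack, not just any match."""
    events = []
    for line in dhcp_log.strip().splitlines()[1:]:      # skip the header row
        f = line.split(",")
        if len(f) >= 7 and f[4] == ip:
            when = datetime.strptime(f"{f[1]} {f[2]}", "%m/%d/%y %H:%M:%S")
            events.append((when, f[3], normalize_mac(f[6])))
    return events

def port_for_mac(mac_table: str, mac: str) -> str | None:
    """Switch port that learned `mac`, matching regardless of MAC spelling."""
    wanted = normalize_mac(mac)
    for line in mac_table.splitlines():
        parts = line.split()
        if len(parts) == 4 and re.fullmatch(r"[0-9a-f.]{14}", parts[1]):
            if normalize_mac(parts[1]) == wanted:
                return parts[3]
    return None

def trace_ip(ip: str, at: str) -> dict | None:
    """Resolve ip -> MAC leased at `at` ('MM/DD/YY HH:MM:SS', the log's own format)
    -> switch port -> room. Returns None when no lease was active at that time."""
    at_dt = datetime.strptime(at, "%m/%d/%y %H:%M:%S")
    mac = None
    for when, event, m in dhcp_events_for_ip(DHCP_LOG, ip):
        if when > at_dt:
            break
        mac = None if event == "Release" else m       # a Release ends the binding
    if mac is None:
        return None
    port = port_for_mac(SWITCH_MAC_TABLE, mac)
    return {"ip": ip, "mac": mac, "port": port, "room": PORT_TO_ROOM.get(port)}

if __name__ == "__main__":
    print(trace_ip("169.254.2.57", "01/15/06 21:30:00"))
```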
  • 47. Website Restored to Original State
  • 48. Observations ►The site was hacked by our own students who were doing internship in Network Center on Windows Server Administration ►They were also developing student-portal website on the same server and were given administrative rights on the web server ►They misused their rights to hack the site
  • 49. The defacing of UET TAXILA’s Examination website in August 2007 http://web.uettaxila.edu.pk/uet/UETsub/uetDownloads/examination/
  • 50. Hacked by Whom? • There were 5 main IP addresses that used the URL responsible for hacking and planting the pages on our alpha webserver ! • 202.86.249.21 • 202.86.248.23 • 74.6.25.141 • 88.254.235.5 • 85.106.249.98
  • 51. Guess What ! ►Who owns this IP Address? ►202.86.249.21 ►Pakistan
  • 52. Whois 202.86.249.21 ► WHOIS - 202.86.249.21 ► inetnum: 202.86.249.0 - 202.86.249.255 ► netname: DIALLOG ► descr: Great Bear International Services (Pvt) Ltd, Wireless Local Loop ► descr: CDMA Operator, Pakistan ► country: PK ► person: Artem Orange ► nic-hdl: AO71-AP ► e-mail: artem@diallog.com.pk ► address: Great Bear International Services (Pvt) Ltd ► address: 106-E, Asif Plaza 3rd & 4th Floor ► address: Fazal-ul-Haq Road, Blue Area, ► address: Islamabad ► phone: +92 51 2806222 ► country: PK ► changed: artem@diallog.com.pk 20060111 ► mnt-by: MAINT-PK-DIALLOG ► source: APNIC
  • 54. Who owns the 2nd Attacker IP? ►Who owns this IP Address? ►202.86.248.23 ►Singapore
  • 56. Whois 74.6.25.141 ► WHOIS - 74.6.25.141 ► OrgName: Inktomi Corporation ► OrgID: INKT ► Address: 701 First Ave ► City: Sunnyvale ► StateProv: CA ► PostalCode: 94089 ► Country: US ► NetRange: 74.6.0.0 - 74.6.255.255 ► CIDR: 74.6.0.0/16 ► NetName: INKTOMI-BLK-6 ► NetHandle: NET-74-6-0-0-1 ► Parent: NET-74-0-0-0-0 ► NetType: Direct Allocation ► NameServer: NS1.YAHOO.COM ► RAbuseEmail: network-abuse@cc.yahoo-inc.com
  • 58. Whois 85.106.249.98 ► WHOIS - 85.106.249.98 ► Location: Turkey (high) [City: Adana, Adana] ► inetnum: 85.106.128.0 - 85.106.255.255 ► netname: TurkTelekom ► descr: TT ADSL-alcatel dynamic_ulus ► country: tr ► admin-c: BADB3-RIPE ► tech-c: ZA66-RIPE ► status: ASSIGNED PA ► mnt-by: as9121-mnt ► notify: ipg@telekom.gov.tr ► changed: ipg@telekom.gov.tr 20070220 ► source: RIPE ► role: TT Administrative Contact Role ► address: Turk Telekom ► address: Network Direktorlugu ► address: Aydinlikevler ► address: 06103 ANKARA ► phone: +90 312 555 1927 ► fax-no: +90 312 313 1924 ► e-mail: abuse@ttnet.net.tr ► source: RIPE
  • 60. Whois 88.254.235.5 ► WHOIS - 88.254.235.5 ► Location: Turkey (high) [City: Adana, Adana] ► inetnum: 88.254.128.0 - 88.254.255.255 ► netname: TurkTelekom ► descr: TT ADSL-alcatel dynamic_ulus ► country: tr ► admin-c: TTBA1-RIPE ► tech-c: TTBA1-RIPE ► status: ASSIGNED PA ► mnt-by: as9121-mnt ► notify: ipg@telekom.gov.tr ► changed: ipg@telekom.gov.tr 20070220 ► source: RIPE ► role: TT Administrative Contact Role ► address: Turk Telekom ► address: Bilisim Aglari Dairesi ► address: Aydinlikevler ► address: 06103 ANKARA ► phone: +90 312 313 1950 ► fax-no: +90 312 313 1949 ► e-mail: abuse@ttnet.net.tr ► source: RIPE
  • 62. How was it done? ►An ASP shell script, CP5.asp, was planted under the http://web.uettaxila.edu.pk/uet/UETsub/uetDownloads/examination/ folder, which had Write rights on it and Directory Browsing turned ON ►Our firewall logs showed that the first call to the malicious ASP page was made on 30/Aug/2007 at 14:45:24 PST.
  • 63. Home of CyberSpy 5 (CP5.asp)
  • 65. CP5.asp Removed from Server! ► I didn't understand the Turkish language, but the icons were pretty intuitive: one meant Delete and the other meant Download. ► So after "indir"-ing (downloading) the CP5.asp for my personal interest and further investigation, I "sil"-ed (deleted) the cp5.asp using its own page. ► Thanks to the author of CP5 for the self-destructive features ;-)
  • 66. Observations ► The CP-5 (CyberSpy 5) ASP Shell Script code was intentionally/unintentionally planted in the Examination website by someone having physical access to the server ► The network supervisors of exam branch didn’t confess their fault ► CyberSpy 5 is now detected by newer Antiviruses as PhP/C99Shell.A.Trojan and ASP/Ace.DC. Trojan
  • 67. What security measures were taken? ►As the first step during the revival of the web.uettaxila.edu.pk website, all traffic for web.uettaxila.edu.pk was redirected to www.uettaxila.edu.pk to serve the original website contents from our hosted services server directly instead of the local hacked server.
  • 68. What security measures were taken? ►Browsed through the IIS Service manager on Hacked Server to check the rights on all folders related to the Website. ►Removed Write rights by IUSR_ALPHA on all folders. ►Changed the default webpage at web.uettaxila.edu.pk from index.htm to index1.asp
  • 69. What security measures were taken? ►Backed up the Hacked pages and emailed them to my account for further investigation. ►I deleted the Hacked index.htm file and replaced the original files from Hosted Services Server to Local Hacked Server. ►At this time, the hackers tried to reinstall their hacked page on our server by overwriting the index.htm with their hacked page.
  • 70. What security measures were taken? ►As the webserver was now set to show index1.asp instead of index.htm, the hacked page was no longer visible on the main page. ►The hackers realized that they should leave the server now. ►As a protective measure, we added all IP ranges of the hackers' address blocks to the firewall block list. ►In future they will not be able to use the same addresses to access our server.
  • 71. What security measures were taken? ►The domain accounts of all users were checked for their security privileges. ►Un-necessary administrative group members were removed. ►Passwords were changed on all Administrative accounts. ►anonymous@uettaxila.edu.pk was removed.
  • 72. Response to the Hackers ► Used network forensic tools to track the hackers ► Used OS fingerprinting to identify the types of systems used by the attackers ► Tried to gain access of their network resources ► Tried to get personal information about hackers
  • 73. Who owned 88.254.235.5? ► This is the ADSL router of the attacker in Turkey ► I changed its old password for future communication
  • 74. ZyXEL ADSL Router on Turk IP!
  • 76. Suggestions and Comments ► Routine checking of firewall logs should be performed to spot suspicious calls to URL addresses on the server. ► All servers should be shifted behind a UTM Firewall ► The Intrusion Prevention System on the UTM should be configured to detect and block such attacks in future. ► The concerned ISPs and security agencies should be contacted for logs to get access to the owners of these attacker IP addresses.
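The routine log check recommended above, automated for the pattern seen in slide 62 (a server-side script being requested from a downloads folder that should only hold static documents), as an added example that is not part of the original deck. The log excerpt, client IPs and times are constructed in the IIS 6.0 W3C extended format; the folder prefix is the examination downloads path from the case study, and the URL-decoding and case-folding are there because IIS paths are case-insensitive, so `cp5%2Easp` and `CP5.asp` are the same file.

```python
"""Flag server-side scripts requested from a static downloads folder in IIS logs.

Added example, not part of the original slides. Log lines, client IPs and
times are constructed; the folder prefix is the examination downloads path
named in the case study. IIS writes W3C logs in UTC, so the slide's first
call at 14:45:24 PST (UTC+5) appears in the sample as 09:45:24.
"""
from datetime import datetime
from urllib.parse import unquote

# Folders that must only ever serve static files (lower-case: IIS paths are
# case-insensitive). A constant here; a real deployment would load a list.
STATIC_ONLY_PREFIXES = ("/uet/uetsub/uetdownloads/",)
SCRIPT_EXTENSIONS = (".asp", ".aspx", ".asa", ".php", ".cgi", ".pl", ".jsp")

# Constructed IIS 6.0 W3C extended log excerpt (not a real log from the server).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2007-08-30 09:44:10 10.0.0.5 GET /uet/UETsub/uetDownloads/examination/result.pdf - 80 - 192.0.2.10 Mozilla/4.0 200
2007-08-30 09:45:24 10.0.0.5 GET /uet/UETsub/uetDownloads/examination/CP5.asp - 80 - 198.51.100.21 Mozilla/4.0 200
2007-08-30 09:46:02 10.0.0.5 POST /uet/UETsub/uetDownloads/examination/CP5.asp - 80 - 198.51.100.21 Mozilla/4.0 200
2007-08-30 09:51:40 10.0.0.5 GET /uet/UETsub/uetDownloads/examination/cp5%2Easp - 80 - 203.0.113.7 Opera/9 200
2007-08-30 09:52:11 10.0.0.5 GET /uet/index.asp - 80 - 203.0.113.7 Opera/9 200
2007-08-30 09:53:00 10.0.0.5 GET /uet/UETsub/uetDownloads/examination/ - 80 - 203.0.113.7 Opera/9 200
this line is truncated and must not crash the review
"""

def parse_w3c(log_text):
    """Yield one dict per request, keyed by the names in the #Fields directive."""
    fields = None
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # the directive defines the column order
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) != len(fields):         # malformed line: skip, do not crash
            continue
        yield dict(zip(fields, values))

def canonical_path(uri_stem):
    """Undo %-encoding and case so cp5%2Easp and CP5.asp compare equal."""
    return unquote(uri_stem).lower()

def is_script_in_static_folder(uri_stem):
    """True when a script extension is requested below a static-only folder."""
    path = canonical_path(uri_stem)
    return path.startswith(STATIC_ONLY_PREFIXES) and path.endswith(SCRIPT_EXTENSIONS)

def find_script_hits(log_text):
    """Map each flagged path to its first-seen time, request count and source IPs."""
    hits = {}
    for rec in parse_w3c(log_text):
        if not is_script_in_static_folder(rec["cs-uri-stem"]):
            continue
        path = canonical_path(rec["cs-uri-stem"])
        when = datetime.strptime(f"{rec['date']} {rec['time']}", "%Y-%m-%d %H:%M:%S")
        entry = hits.setdefault(path, {"first_seen": when, "requests": 0, "sources": set()})
        entry["first_seen"] = min(entry["first_seen"], when)   # logs may be concatenated
        entry["requests"] += 1
        entry["sources"].add(rec["c-ip"])
    return hits

if __name__ == "__main__":
    for path, info in find_script_hits(SAMPLE_LOG).items():
        print(path, info["first_seen"], info["requests"], sorted(info["sources"]))
```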
  • 78. HEC Website(s) Hacked ► Domain: http://hjp.hec.gov.pk – Hacking Reported on: 2010-05-19 10:47:33 – Notified by: Ashiyane Digital Security Team – IP address: 111.68.100.144 – System: Linux – Web server: Apache
  • 80. HEC Website(s) Hacked ► Domain: http://dev.hec.gov.pk – Hacking Reported on: 2010-07-06 16:50:06 – Notified by: r4diationz – IP address: 72.249.151.41 – Sub directory: /appsup/submit.asp – Attack Type: Database injection
  • 82. HEC Website(s) Hacked ► Domain: http://app.hec.gov.pk – Hacking Reported on: 2010-07-06 16:51:25 – Notified by: r4diationz – IP address: 72.249.151.41 – Sub directory: /appsup/submit.asp – Attack Type: Database injection
  • 84. HEC Website(s) Hacked ► Domain: http://sc.hec.gov.pk/aphds/Submit.asp – Hacking Reported on: 2010-02-05 16:09:21 – Notified by: sacred_relic – IP address: 111.68.100.150 – System: Win 2003 – Web server: IIS/6.0
  • 87. LUMS Website(s) Hacked ► Domain: http://cmer.lums.edu.pk – Hacking Reported on: 2009-07-12 21:17:08 – Notified by: syniack – IP address: 203.128.0.46 – System: Linux – Web server: Apache
  • 89. LUMS Website(s) Hacked ► Domain: http://suraj.lums.edu.pk/~lrs/forum/phpBB2 – Hacking Reported on: 2006-07-19 15:39:52 – Notified by: SanalYargic – IP address: 203.128.0.6 – System: SolarisSunOS – Web server: Apache
  • 91. LUMS Website(s) Hacked ► Domain: http://sedp.lums.edu.pk/index2.htm – Hacking Reported on: 2003-08-15 22:39:41 – Notified by: INDIAN TIGERS – IP address: 203.128.1.242 – System: Win 2000 – Web server: IIS/5.0
  • 93. LUMS Website(s) Hacked ► Domain: http://sedp.lums.edu.pk – Hacking Reported on: 2003-08-16 17:38:40 – Notified by: INDIAN TIGERS – IP address: 203.128.1.242 – System: Win 2000 – Web server: IIS/5.0
  • 96. Ministry of Information and Broadcasting Website Hacked ► Domain: http://www.infopak.gov.pk ► Hacking Reported on: 2010-07-13 09:20:12 – Notified by: Sovalye – IP address: 174.143.146.58 – System: Win 2003 – Web server: IIS/6.0
  • 99. FIA’s National Response Center for Cyber Crime Website Hacked ► Domain: http://www.nr3c.gov.pk – Hacking Reported on: 2010-01-07 16:16:56 – Notified by: ZombiE_KsA – IP address: 72.9.156.44 – System: Linux – Web server: Apache
  • 101. Lessons Learnt ► The faster the network, the more attacks come from the internet ► Greater availability/always-online connectivity increases the chances of hacking attacks ► Internal users are mostly responsible for compromising network security ► Easy availability of hacking scripts has encouraged script kiddies to try hacking ► Lack of regular security audits, shortage of certified ethical hackers and knowledge sharing
  • 102. Recommendations ► Enable ROLE-based Network Services ► Disable Windows File Sharing ► Update the Operating System ► Choose Strong Passwords ► Anti-virus Software Installation and Update ► Train the End Users to maintain their PCs ► Install A Personal Firewall and Email Security Apps ► On demand and Startup Scan For Spyware ► Network Access Control
  • 103. Tips for End Users ► Deploy Internet Security Software (FW+AV+UTM) – ESET NOD32 Business Edition – TrendMicro Internet Security – Symantec Endpoint Protection + Network Access Control ► Keep Security Software updated ► Keep OS and Installed Software updated ► Report abnormal system behavior to Admins ► Enable System Restore and Backup System
  • 104. Tips for Network and Sys Admins ► Block TCP Port 25 (Commonly used by Spam-bots) ► Block TCP Port 135 (Used by W32/Blaster worm) ► Block TCP Port 445, NetBIOS-DGM, NetBIOS-NS, NetBIOS-SSN, Kerberos, LDAP, WINS, RDP and Ping to/from WAN ► Turn off File and Printer Sharing for Microsoft Networks on WAN Interfaces of all servers ► Install Firewall and Antivirus software on servers ► Create Backups / Images of Servers
  • 105. References ► http://www.nle.com ► www.networkdictionary.com/networking/e.php ► http://www.cisco.com/web/about/security/intelligence/worm-mitigation-whitepaper.html ► http://www.firewall.cx/firewall_topologies.php ► http://webappsec.pbworks.com/Web-Hacking-Incident-Database ► http://www.zone-h.com/archive ► http://www.dnsstuff.com/tools ► http://www.ip-whois-lookup.com/lookup.php?ip=88.254.235.5 ► http://www.hec.gov.pk ► http://www.pern.edu.pk ► http://www.cert.org/tech_tips/FBI_investigates_crime.html ► http://www.insecure.org ► http://www.eeye.com ► https://secure.dshield.org/reports.html

Editor's Notes

  1. Title slide background and some information is provided by National Lan Exchange, Utah, USA. http://www.nle.com
  2. www.networkdictionary.com/networking/e.php = Hardware, software and media connecting information technology resources
  3. http://www.cisco.com/web/about/security/intelligence/worm-mitigation-whitepaper.html + A sinkhole is also a useful tool for analyzing an attack. The sinkhole router can be used to forward the attack traffic to a back-end switch where a network analyzer, such as a sniffer or Ethereal, can be used to look at the details of the attack. + iBGP is used to selectively trigger the remote dropping of any traffic based on either source or destination address. + Arbor Peakflow X and Peakflow DoS use a collector and controller architecture
  4. http://www.firewall.cx/firewall_topologies.php = Traditional Network Setup with a single Firewall separating LAN from WAN
  5. http://www.firewall.cx/firewall_topologies.php = Common Scenario in organizations hosting their web, email and other servers that are accessible from WAN DMZ Servers are vulnerable to attacks from WAN and require special configuration and hardening
  6. http://www.firewall.cx/firewall_topologies.php = Recommended Configuration for Enterprise networks Single Firewall must be strong enough with sufficient bandwidth and features to facilitate smooth traffic flow between the private, public and DMZ networks
  7. http://www.firewall.cx/firewall_topologies.php = Using two firewalls inline require synchronization of policies on both devices and thus creates overhead for the IT staff = If Firewall 1 goes down all users on the Internal network are unable to access internet resources
  8. http://www.firewall.cx/firewall_topologies.php = The two firewalls secure LAN and DMZ from WAN attacks = Each network can access the internet independently
  9. http://www.nle.com/network_security.html = Security requirements are becoming more and more complex with improvement in IT infrastructure and attack techniques
  10. http://www.nle.com/network_security.html = Preventing an attack is much better than recovering from it afterwards
  11. http://www.nle.com/network_security.html = New types of security software and devices are required to secure the enterprise
  12. = UTM, NAC, Mobile Client Protection, Network Traffic Monitoring and Analysis Tools and Professionally Managed Services are common components of an Enterprise network
  13. http://www.nle.com/network_security.html = UTMs have Stateful Inspection Firewalls, IPS, AV, Content Filters, Anti-spam, Traffic Flow Control and VPN servers in a consolidated architecture to facilitate uniform policies among all network components
  14. http://www.nle.com/network_security.html = Each user must be identified and provided with a specific level of service depending on his/her role in the organization. NAC helps prevent spread of worms and network viruses.
  15. http://www.nle.com/network_security.html = All mobile users must be identified, authenticated and connected through secure VPN session to the enterprise. Their network session ends if their connection is compromised.
  16. http://www.nle.com/network_security.html = Network Flow Analysis and Anomaly detection based on traffic trends is essential to prevent zero-day attacks.
  17. http://www.nle.com/network_security.html = Network administrators require end-to-end visibility of network processes and transactions in order to assess the effectiveness of security policies and prevent unauthorized traffic flows.
  18. http://www.nle.com/network_security.html = If you can’t do it yourself, ask the experts to help you out.
  19. http://pern.edu.pk/index.php?option=com_content&task=view&id=36&Itemid=1 = In the first phase of the project 56 educational institutions have been connected through PERN. Rest of the 59 HEC recognized universities in Pakistan will be connected in the second phase.
  20. http://pern.edu.pk/index.php?option=com_content&task=view&id=36&Itemid=1 = Internet bandwidth, Intranet resource sharing, Video conferencing and digital library resource provisioning.
  21. http://www.hec.gov.pk/Documents/S1-P1-PERN2%20Introduction%20@%20Workshop%20on%20NRENs-v1/S1-P1-PERN2%20Introduction%20@%20Workshop%20on%20NRENs-v1.html = Currently we are in second phase of PERN
  22. Web-Hacking-Incident-Database - http://webappsec.pbworks.com/Web-Hacking-Incident-Database
  23. Web-Hacking-Incident-Database - http://webappsec.pbworks.com/Web-Hacking-Incident-Database
  24. Web-Hacking-Incident-Database - http://webappsec.pbworks.com/Web-Hacking-Incident-Database
  25. http://www.zone-h.com/archive
  26. http://www.zone-h.com/archive
  27. http://www.cert.org/tech_tips/FBI_investigates_crime.html
  28. http://www.cert.org/tech_tips/FBI_investigates_crime.html
  29. http://www.cert.org/tech_tips/FBI_investigates_crime.html
  30. Pakistan’s cyber crime wing, NR3C, was established on 13 March, 2003. Need for the forensic examination of an email from abductors of Daniel Pearl, an American journalist led to its creation. Computer forensics, a relatively new science, involves the preservation, identification, extraction, documentation, analysis and court presentation of evidence of computer related data stored in the form of magnetically, optically, or electronically stored media.
  31. http://web.uettaxila.edu.pk