
Security Assessment & Penetration testing

Marcus Murray, MVP marcus.murray@truesec.se


Risk management is handled by management.

We will talk about risk from a technician's perspective.

As technicians we must know what can happen and understand the consequences of it. We should also understand how to mitigate it.

We do not need to know how to calculate how many kronor things cost.

Agenda

Planning Security Assessments

Gathering Information About the Organization

Penetration Testing for Intrusive Attacks


Planning Security Assessments


Why Does Network Security Fail?

Network security fails in several common areas, including:

Human awareness

Policy factors

Hardware or software misconfigurations

Poor assumptions

Ignorance

Failure to stay up-to-date


Understanding Defense-in-Depth

Using a layered approach:

Increases an attacker’s risk of detection

Reduces an attacker’s chance of success

Layers, from the outside in (labels as in the slide’s diagram; policies and procedures apply across all of them):

Physical layer: guards, locks, tracking devices

Perimeter: firewalls, border routers, VPNs with quarantine procedures

Network: network segments, NIDS

Server / client: OS hardening, authentication, security update management, antivirus updates, auditing

Application: application hardening

Data: strong passwords, ACLs, backup and restore strategy


Why Perform Security Assessments?

Security assessments can:

Answer the questions “Is our network secure?” and “How do we know that our network is secure?”

Provide a baseline to help improve security

Find configuration mistakes or missing security updates

Reveal unexpected weaknesses in your organization’s security

Ensure regulatory compliance


Planning a Security Assessment

Project phase: planning elements

Pre-assessment: scope; goals; timelines; ground rules

Assessment: choose technologies; perform assessment; organize results

Preparing results: estimate risk presented by discovered weaknesses; create a plan for remediation; identify vulnerabilities that have not been remediated; determine improvement in network security over time

Reporting your findings: create final report; present your findings; arrange for next assessment


Understanding the Security Assessment Scope

Component: example

Target: all servers running Windows 2000 Server or Windows Server 2003

Target area: all servers on the subnets 192.168.0.0/24 and 192.168.1.0/24

Timeline: scanning will take place from June 3rd to June 10th during non-critical business hours

Vulnerabilities to scan for: RPC-over-DCOM vulnerability (MS03-026); anonymous SAM enumeration; Guest account enabled; more than 10 accounts in the local Administrators group


Understanding Security Assessment Goals

Project goal: all computers running Windows 2000 Server and Windows Server 2003 on the subnets 192.168.0.0/24 and 192.168.1.0/24 will be scanned for the following vulnerabilities and remediated as stated.

Vulnerability: remediation

RPC-over-DCOM vulnerability (MS03-026): install Microsoft security updates 03-026 and 03-39

Anonymous SAM enumeration: configure RestrictAnonymous to 2 on Windows 2000 Server and to 1 on Windows Server 2003

Guest account enabled: disable the Guest account

More than 10 accounts in the local Administrators group: minimize the number of accounts in the Administrators group


Types of Security Assessments

Vulnerability scanning:

Focuses on known weaknesses

Can be automated

Does not necessarily require expertise

Penetration testing:

Focuses on known and unknown weaknesses

Requires highly skilled testers

Carries tremendous legal burden in certain countries/organizations

IT security auditing:

Focuses on security policies and procedures

Used to provide evidence for industry regulations


Using Vulnerability Scanning to Assess Network Security

Develop a process for vulnerability scanning that will do the following:

Detect vulnerabilities

Assign risk levels to discovered vulnerabilities

Identify vulnerabilities that have not been remediated

Determine improvement in network security over time
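The four process requirements above (detect, rank, find what is still open, measure improvement) can be checked mechanically once scan output is normalized. The script below is an added example and not part of the slides: it compares a baseline scan with a follow-up scan using the deck's own example vulnerabilities. The host addresses, the two result sets and the risk ranking are constructed for illustration.

```python
# Added example: track findings across two assessments, assign risk levels,
# list unremediated and new findings, and measure improvement over time.
from dataclasses import dataclass

# Assumed risk ranking for the deck's example vulnerabilities
RISK = {
    "MS03-026 RPC-over-DCOM": "High",
    "Anonymous SAM enumeration": "Medium",
    "Guest account enabled": "Medium",
    "More than 10 local Administrators": "Low",
}

@dataclass(frozen=True)
class Finding:
    host: str
    vuln: str

    @property
    def risk(self) -> str:
        return RISK.get(self.vuln, "Unknown")

# Constructed results of a baseline scan and a follow-up scan
BASELINE = {
    Finding("192.168.0.10", "MS03-026 RPC-over-DCOM"),
    Finding("192.168.0.10", "Guest account enabled"),
    Finding("192.168.1.5", "Anonymous SAM enumeration"),
    Finding("192.168.1.7", "More than 10 local Administrators"),
}
FOLLOWUP = {
    Finding("192.168.0.10", "Guest account enabled"),            # still open
    Finding("192.168.1.7", "More than 10 local Administrators"), # still open
    Finding("192.168.1.9", "MS03-026 RPC-over-DCOM"),            # new host, new finding
}

def compare(baseline, followup):
    """Return (unremediated, new, improvement); improvement is the fraction of
    baseline findings that no longer appear in the follow-up scan."""
    unremediated = baseline & followup
    new = followup - baseline
    fixed = baseline - followup
    improvement = len(fixed) / len(baseline) if baseline else 1.0
    return unremediated, new, improvement

def report(baseline, followup):
    """Report lines, highest risk first within each group."""
    unremediated, new, improvement = compare(baseline, followup)
    order = {"High": 0, "Medium": 1, "Low": 2, "Unknown": 3}
    lines = [f"Improvement since baseline: {improvement:.0%}"]
    for label, items in (("UNREMEDIATED", unremediated), ("NEW", new)):
        for f in sorted(items, key=lambda f: (order[f.risk], f.host)):
            lines.append(f"{label:12} {f.risk:6} {f.host:14} {f.vuln}")
    return lines

if __name__ == "__main__":
    print("\n".join(report(BASELINE, FOLLOWUP)))
```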


Using Penetration Testing to Assess Network Security

Steps to a successful penetration test include:

1. Determine how the attacker is most likely to go about attacking a network or an application

2. Locate areas of weakness in network or application defenses

3. Determine how an attacker could exploit weaknesses

4. Locate assets that could be accessed, altered, or destroyed

5. Determine whether the attack was detected

6. Determine what the attack footprint looks like

7. Make recommendations


Understanding Components of an IT Security Audit

Security policy model: start with policy, build process, apply technology

Audit components: policy, process, technology, implementation, documentation, operations


Implementing an IT Security Audit

Compare each area to standards and best practices:

Security policy: what you must do

Documented procedures: what you say you do

Operations: what you really do


Reporting Security Assessment Findings

Organize information into the following reporting framework:

Define the vulnerability

Document mitigation plans

Identify where changes should occur

Assign responsibility for implementing approved recommendations

Recommend a time for the next security assessment


Gathering Information About the Organization


What Is a Nonintrusive Attack?

Examples of nonintrusive attacks include:

Information reconnaissance

Port scanning

Obtaining host information using fingerprinting techniques

Network and host discovery

Nonintrusive attack: The intent to gain information about an organization’s network in preparation for a more intrusive attack at a later time


Information Reconnaissance Techniques

Common types of information sought by attackers include:

System configuration

Valid user accounts

Contact information

Extranet and remote access servers

Business partners and recent acquisitions or mergers

Information about your network may be obtained by:

Querying registrar information

Determining IP address assignments

Organization Web pages

Search engines

Public discussion forums


Countermeasures Against Information Reconnaissance

Only provide information that is absolutely required to your Internet registrar

Review your organization’s Web site content regularly for inappropriate information

Create a policy defining appropriate public discussion forums usage

Use e-mail addresses based on job roles on your company Web site and registrar information


What Information Can Be Obtained by Port Scanning?

Port scanning tips include:

Start by scanning slowly, a few ports at a time

To avoid detection, try the same port across several hosts

Run scans from a number of different systems, optimally from different networks

Typical results of a port scan include:

Discovery of ports that are listening or open

Determination of which ports refuse connections

Determination of connections that time out


Port-Scanning Countermeasures

Port scanning countermeasures include:

Implement defense-in-depth to use multiple layers of filtering

Plan for misconfigurations or failures

Run only the required services

Implement an intrusion-detection system

Expose services through a reverse proxy
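The "same port across several hosts" pattern from the port-scanning tips is exactly what an intrusion-detection rule can key on, since it survives slow scanning. The following detector is an added example and not part of the slides; it runs over constructed firewall deny-log lines in an assumed "<epoch> DENY <src> -> <dst>:<port>" format, and the thresholds are assumptions.

```python
# Added example: flag a source that hits the same port on several distinct
# hosts within a time window (horizontal scan), regardless of packet rate.
import re
from collections import defaultdict

# Constructed sample log lines; 203.0.113.9 probes port 445 across five hosts
SAMPLE_LOG = """\
1000 DENY 203.0.113.9 -> 192.168.0.10:445
1030 DENY 203.0.113.9 -> 192.168.0.11:445
1061 DENY 203.0.113.9 -> 192.168.0.12:445
1090 DENY 203.0.113.9 -> 192.168.0.13:445
1120 DENY 203.0.113.9 -> 192.168.0.14:445
1005 DENY 198.51.100.4 -> 192.168.0.10:80
1006 DENY 198.51.100.4 -> 192.168.0.10:443
"""
LINE = re.compile(r"^(\d+) DENY (\S+) -> (\S+):(\d+)$")

def parse(log: str):
    """Yield (timestamp, src, dst, port); unparsable lines are skipped."""
    for raw in log.splitlines():
        m = LINE.match(raw.strip())
        if m:
            yield int(m[1]), m[2], m[3], int(m[4])

def horizontal_scans(log: str, min_hosts: int = 4, window: int = 600):
    """Return {(src, port): [hosts]} for every source that reached the same
    port on at least min_hosts distinct hosts within `window` seconds.
    Keying on (source, port) means "a few ports at a time" does not help the
    scanner; only spreading the scan across more sources or time does."""
    seen = defaultdict(list)  # (src, port) -> [(ts, dst)]
    for ts, src, dst, port in parse(log):
        seen[(src, port)].append((ts, dst))
    alerts = {}
    for key, events in seen.items():
        events.sort()
        for i in range(len(events)):          # sliding window from each event
            start = events[i][0]
            hosts = {d for t, d in events[i:] if t - start <= window}
            if len(hosts) >= min_hosts:
                alerts[key] = sorted(hosts)
                break
    return alerts

if __name__ == "__main__":
    for (src, port), hosts in horizontal_scans(SAMPLE_LOG).items():
        print(f"ALERT horizontal scan from {src} on port {port}: {', '.join(hosts)}")
```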


What Information Can Be Collected About Network Hosts?

Types of information that can be collected using fingerprinting techniques include:

IP and ICMP implementation

TCP responses

Listening ports

Banners

Service behavior

Remote operating system queries


Countermeasures to Protect Network Host Information

Fingerprinting source: countermeasures

IP, ICMP, and TCP: be conservative with the packets that you allow to reach your system; use a firewall or inline IDS device to normalize traffic; assume that the attacker knows which operating system version is running, and make sure it is secure

Banners: change the banners that reveal operating system information; assume that the attacker knows which operating system and application versions are running, and make sure they are secure

Port scanning, service behavior, and remote queries: disable unnecessary services; filter traffic so that only specific ports on the host are reachable; implement IPSec on all systems in the managed network


Penetration Testing for Intrusive Attacks


What Is Penetration Testing for Intrusive Attacks?

Examples of penetration testing for intrusive attack methods include:

Automated vulnerability scanning

Password attacks

Denial-of-service attacks

Application and database attacks

Network sniffing

Intrusive attack: Performing specific tasks that result in a compromise of system information, stability, or availability


What Is Automated Vulnerability Scanning?

Automated vulnerability scanning makes use of scanning tools to automate the following tasks:

Banner grabbing and fingerprinting

Exploiting the vulnerability

Inference testing

Security update detection


Scale/Performance

Basis: fully patched remote Windows XP SP1 on a busy 100-Mbps LAN

Check: duration (seconds), network resources (bytes)

Windows vulnerabilities: 9 s, 1 MB

Weak passwords: 16 s, 3.2 MB

IIS vulnerabilities: 2 s, 130 KB

SQL vulnerabilities: 5 s, 200 KB

Security updates (/nosum): 4 s, 6.5 MB

Total: 36 s, 11 MB

Security updates (/sum): 10 s, 64 MB


What Is a Password Attack?

Two primary types of password attacks are:

Brute-force attacks

Password-disclosure attacks

Countermeasures to protect against password attacks include:

Require complex passwords

Educate users

Implement smart cards

Create policy that restricts passwords in batch files, scripts, or Web pages


What Is a Denial-of-Service Attack?

DoS attacks can be divided into three categories:

Flooding attacks

Resource starvation attacks

Disruption of service

Denial-of-Service (DoS) attack: Any attempt by an attacker to deny his victim’s access to a resource

Note: Denial-of-service attacks should not be launched against your own live production network


Countermeasures for Denial-of-Service Attacks

DoS attack: countermeasures

Flooding attacks: ensure that your routers have anti-spoofing rules in place and rules that block directed broadcasts; set rate limits on devices to mitigate flooding attacks; consider blocking ICMP packets

Resource starvation attacks: apply the latest updates to the operating system and applications; set disk quotas

Disruption of service: make sure that the latest updates have been applied to the operating system and applications; test updates before applying them to production systems; disable unneeded services


Understanding Application and Database Attacks

Common application and database attacks, each with its primary countermeasure, include:

Buffer overruns: write applications in managed code

SQL injection attacks: validate input for correct size and type
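To make the SQL injection countermeasure concrete, here is an added example (not from the slides) showing the same user lookup written the vulnerable way and the hardened way: size and type validation as the slide recommends, followed by a parameterized query. The schema, rows and username rules are constructed for an in-memory SQLite database.

```python
# Added example: string-built query (vulnerable) beside validated input plus a
# bound parameter (hardened), run against a constructed SQLite database.
import sqlite3

def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users(name TEXT, role TEXT);
        INSERT INTO users VALUES ('alice', 'user'), ('bob', 'admin');
    """)
    return db

def lookup_vulnerable(db, name):
    """Deliberately unsafe: the input becomes part of the statement text, so a
    quote in the input changes the WHERE clause instead of being data."""
    sql = f"SELECT name, role FROM users WHERE name = '{name}'"
    return db.execute(sql).fetchall()

def validate_username(name) -> str:
    """Check type (str), size (1..32 characters) and character set
    (ASCII letters, digits, underscore) before the value is used at all."""
    if not isinstance(name, str):
        raise TypeError("username must be a string")
    if not 1 <= len(name) <= 32:
        raise ValueError("username length out of range")
    if not name.isascii() or not name.replace("_", "").isalnum():
        raise ValueError("username contains disallowed characters")
    return name

def lookup_safe(db, name):
    """Validated input, then a parameterized query: the driver binds the value
    separately, so it can never alter the statement structure."""
    name = validate_username(name)
    return db.execute("SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()

if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"               # constructed test input
    print("vulnerable returned", len(lookup_vulnerable(db, probe)), "rows")
    try:
        lookup_safe(db, probe)
    except ValueError as e:
        print("hardened rejected input:", e)
```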


What Is Network Sniffing?

An attacker can perform network sniffing by performing the following tasks:

Compromising the host

Installing a network sniffer

Using a network sniffer to capture sensitive data such as network credentials

Using network credentials to compromise additional hosts

Network sniffing: The ability of an attacker to eavesdrop on communications between network hosts


Countermeasures for Network Sniffing Attacks

To reduce the threat of network sniffing attacks on your network consider the following:

Use encryption to protect data

Use switches instead of hubs

Secure core network devices

Use crossover cables

Develop policy

Conduct regular scans


How Attackers Avoid Detection During an Attack

Common ways that attackers avoid detection include:

Flooding log files

Using logging mechanisms

Attacking detection mechanisms

Using canonicalization attacks

Using decoys
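The canonicalization item in this list is the one most often visible in application code. The following added example (not from the slides) shows why a check written against the raw request fails, and how decoding to canonical form before authorizing closes the gap; the web root path and the permitted-path rule are assumptions for illustration.

```python
# Added example: normalize a requested path to its canonical absolute form
# before the authorization check, so encoded, doubly encoded or backslash
# "../" sequences are judged the same way as a literal one.
import posixpath
from urllib.parse import unquote

WEB_ROOT = "/var/www/public"   # assumed document root

def naive_is_allowed(request_path: str) -> bool:
    """The check a canonicalization attack targets: it looks at the raw
    request and never sees the form the server decodes later."""
    return ".." not in request_path

def canonicalize(request_path: str, max_rounds: int = 3) -> str:
    """Percent-decode until the string stops changing (catches %252e),
    reject NUL bytes, treat backslash as a separator, then let
    posixpath.normpath collapse '.', '..' and repeated slashes."""
    path = request_path
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    else:
        raise ValueError("too many encoding layers")
    if "\x00" in path:
        raise ValueError("NUL byte in path")
    path = path.replace("\\", "/").lstrip("/")
    return posixpath.normpath(posixpath.join(WEB_ROOT, path))

def is_allowed(request_path: str) -> bool:
    """Authorize on the canonical absolute path, never on the raw request."""
    try:
        full = canonicalize(request_path)
    except ValueError:
        return False
    return full == WEB_ROOT or full.startswith(WEB_ROOT + "/")

if __name__ == "__main__":
    for p in ("images/../index.html", "%2e%2e/%2e%2e/etc/passwd"):
        print(f"{p!r}: naive={naive_is_allowed(p)} canonical={is_allowed(p)}")
```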


How Attackers Avoid Detection After an Attack

Common ways that attackers avoid detection after an attack include:

Installing rootkits

Tampering with log files


Countermeasures to Detection-Avoidance Techniques

Avoidance technique: countermeasures

Flooding log files: back up log files before they are overwritten

Using logging mechanisms: ensure that your logging mechanism is running the most recent software version with all updates applied

Attacking detection mechanisms: keep software and signatures updated

Using canonicalization attacks: ensure that applications normalize data to its canonical form

Using decoys: secure the end systems and networks being attacked

Using rootkits: implement defense-in-depth strategies

Tampering with log files: secure log file locations; store logs on another host; use encryption to protect log files; back up log files
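Storing logs on another host only helps if tampering on the way there, or on the collector, can be noticed. The following added example (not from the slides) chains each record to the previous one with an HMAC so that edits, deletions and reordering are detected, and shows the one case a plain chain misses (truncation at the end) and how remembering the last tag covers it. The key and the sample records are constructed.

```python
# Added example: keyed hash chain over log records so that a modified,
# removed or reordered record breaks verification at that point.
import hashlib
import hmac

SECRET_KEY = b"constructed-demo-key"   # held by the collector, not the logged host

def chain(records, key=SECRET_KEY):
    """Return [(record, tag_hex)] with tag = HMAC(key, previous_tag || record)."""
    prev = b"\x00" * 32
    out = []
    for rec in records:
        tag = hmac.new(key, prev + rec.encode(), hashlib.sha256).digest()
        out.append((rec, tag.hex()))
        prev = tag
    return out

def verify(chained, key=SECRET_KEY, expected_last=None):
    """Return the index of the first record whose tag does not match, or
    len(chained) if the chain ends before the last tag the collector recorded
    (truncation), or -1 if the chain is intact."""
    prev = b"\x00" * 32
    for i, (rec, tag_hex) in enumerate(chained):
        expected = hmac.new(key, prev + rec.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, bytes.fromhex(tag_hex)):
            return i
        prev = expected
    if expected_last is not None and prev.hex() != expected_last:
        return len(chained)
    return -1

# Constructed sample records
SAMPLE = [
    "2003-06-03T01:12:05 login failure user=admin src=192.168.1.5",
    "2003-06-03T01:12:09 login failure user=admin src=192.168.1.5",
    "2003-06-03T01:12:14 login success user=admin src=192.168.1.5",
]

if __name__ == "__main__":
    log = chain(SAMPLE)
    last = log[-1][1]
    print("intact:", verify(log, expected_last=last))          # -1
    print("middle removed:", verify([log[0], log[2]]))         # 1
    print("end removed:", verify(log[:2], expected_last=last)) # 2
```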


Session Summary

Plan your security assessment to determine scope and goals

Disclose only essential information about your organization on Web sites and on registrar records

Educate users to use strong passwords or pass-phrases

Assume that the attacker already knows the exact operating system and version and take as many steps as possible to secure those systems


Keep systems up-to-date on security updates and service packs


Defense-in-depth diagram (layer labels, outermost to innermost): Policies & Procedures; Physical Layer; Perimeter (FW); Network; Server / Client; Application; Data