Security Assessment & Penetration testing
Marcus Murray, MVP marcus.murray@truesec.se
Risk management is handled by management.
We will talk about risk from a technician's perspective.
As technicians we must know what can happen and understand the consequences of it. In addition, we should understand how to mitigate it.
We do not need to know how to calculate how many kronor things cost.
Agenda
Planning Security Assessments
Gathering Information About the Organization
Penetration Testing for Intrusive Attacks
Planning Security Assessments
Why Does Network Security Fail?
Network security fails in several common areas, including:
Human awareness
Policy factors
Hardware or software misconfigurations
Poor assumptions
Ignorance
Failure to stay up-to-date
Understanding Defense-in-Depth
Using a layered approach:
Increases an attacker's risk of detection
Reduces an attacker's chance of success
Example controls at each layer (shown as a figure in the original):
Guards, locks, tracking devices
Application hardening
OS hardening, authentication, security update management, antivirus updates, auditing
Network segments, NIDS
Firewalls, border routers, VPNs with quarantine procedures
Strong passwords, ACLs, backup and restore strategy
Why Perform Security Assessments?
Security assessments can:
Answer the questions “Is our network secure?” and “How do we know that our network is secure?”
Provide a baseline to help improve security
Find configuration mistakes or missing security updates
Reveal unexpected weaknesses in your organization’s security
Ensure regulatory compliance
Planning a Security Assessment
| Project phase | Planning elements |
|---|---|
| Pre-assessment | Scope; goals; timelines; ground rules |
| Assessment | Choose technologies; perform assessment; organize results |
| Preparing results | Estimate risk presented by discovered weaknesses; create a plan for remediation; identify vulnerabilities that have not been remediated; determine improvement in network security over time |
| Reporting your findings | Create final report; present your findings; arrange for next assessment |
Understanding the Security Assessment Scope
| Component | Example |
|---|---|
| Target | All servers running Windows 2000 Server or Windows Server 2003 |
| Target area | All servers on the subnets 192.168.0.0/24 and 192.168.1.0/24 |
| Timeline | Scanning will take place from June 3rd to June 10th during non-critical business hours |
| Vulnerabilities to scan for | RPC-over-DCOM vulnerability (MS 03-026); anonymous SAM enumeration; Guest account enabled; greater than 10 accounts in the local Administrators group |
Understanding Security Assessment Goals
Project goal: All computers running Windows 2000 Server and Windows Server 2003 on the subnets 192.168.0.0/24 and 192.168.1.0/24 will be scanned for the following vulnerabilities and will be remediated as stated.
| Vulnerability | Remediation |
|---|---|
| RPC-over-DCOM vulnerability (MS 03-026) | Install Microsoft security updates 03-026 and 03-39 |
| Anonymous SAM enumeration | Configure RestrictAnonymous to 2 on Windows 2000 Server and to 1 on Windows Server 2003 |
| Guest account enabled | Disable the Guest account |
| Greater than 10 accounts in the local Administrators group | Minimize the number of accounts in the Administrators group |
Types of Security Assessments
Vulnerability scanning:
Focuses on known weaknesses
Can be automated
Does not necessarily require expertise
Penetration testing:
Focuses on known and unknown weaknesses
Requires highly skilled testers
Carries tremendous legal burden in certain countries/organizations
IT security auditing:
Focuses on security policies and procedures
Used to provide evidence for industry regulations
Using Vulnerability Scanning to Assess Network Security
Develop a process for vulnerability scanning that will do the following:
Detect vulnerabilities
Assign risk levels to discovered vulnerabilities
Identify vulnerabilities that have not been remediated
Determine improvement in network security over time
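Added example, not part of the original deck, that turns the scope and goal tables above and the scanning process (detect, identify unremediated, measure improvement over time) into code. The host records and their field names are constructed assumptions, not output of any real scanner, and MS03-039 is assumed to be the update the deck abbreviates as 03-39.

```python
# Added example (not from the original deck): evaluate constructed host records
# against the scope and remediation goals above, then compare two assessments.

# Remediation targets from the goal table. The deck writes the second update
# as "03-39"; MS03-039 is assumed to be the bulletin meant.
RESTRICT_ANONYMOUS_TARGET = {"Windows 2000 Server": 2, "Windows Server 2003": 1}
RPC_DCOM_UPDATES = {"MS03-026", "MS03-039"}
MAX_LOCAL_ADMINS = 10

def check_host(host):
    """Return the scoped vulnerabilities still present on one host record."""
    findings = []
    if not RPC_DCOM_UPDATES <= set(host["updates"]):
        findings.append("RPC-over-DCOM vulnerability (MS 03-026)")
    if host["restrict_anonymous"] < RESTRICT_ANONYMOUS_TARGET[host["os"]]:
        findings.append("Anonymous SAM enumeration")
    if host["guest_enabled"]:
        findings.append("Guest account enabled")
    if len(host["local_admins"]) > MAX_LOCAL_ADMINS:
        findings.append("Greater than 10 accounts in the local Administrators group")
    return findings

def scan(hosts):
    """Findings per host for one assessment run."""
    return {h["name"]: check_host(h) for h in hosts}

def compare(baseline, current):
    """Vulnerabilities not remediated since the baseline, plus total counts before/after."""
    unremediated = {}
    for name, old in baseline.items():
        still = [v for v in old if v in current.get(name, [])]
        if still:
            unremediated[name] = still
    return unremediated, sum(map(len, baseline.values())), sum(map(len, current.values()))

# Constructed sample records (not real scan output), one per assessment run.
BASELINE_HOSTS = [
    {"name": "srv1", "os": "Windows 2000 Server", "restrict_anonymous": 0,
     "guest_enabled": True, "updates": ["MS03-026"],
     "local_admins": [f"admin{i}" for i in range(12)]},
    {"name": "srv2", "os": "Windows Server 2003", "restrict_anonymous": 1,
     "guest_enabled": False, "updates": ["MS03-026", "MS03-039"],
     "local_admins": ["Administrator", "svc_backup"]},
]
# Second run: srv1 hardened except for the still-missing MS03-039 update.
CURRENT_HOSTS = [dict(BASELINE_HOSTS[0], restrict_anonymous=2, guest_enabled=False,
                      local_admins=["Administrator", "ops"]), BASELINE_HOSTS[1]]

if __name__ == "__main__":
    unfixed, before, after = compare(scan(BASELINE_HOSTS), scan(CURRENT_HOSTS))
    print(f"unremediated: {unfixed}; findings before={before}, after={after}")
```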
Using Penetration Testing to Assess Network Security
Steps to a successful penetration test include:
1. Determine how the attacker is most likely to go about attacking a network or an application
2. Locate areas of weakness in network or application defenses
3. Determine how an attacker could exploit weaknesses
4. Locate assets that could be accessed, altered, or destroyed
5. Determine whether the attack was detected
6. Determine what the attack footprint looks like
7. Make recommendations
Understanding Components of an IT Security Audit
Security policy model (shown as a figure in the original): start with policy, build process, apply technology.
Audit components:
Policy
Process
Technology
Implementation
Documentation
Operations
Implementing an IT Security Audit
Compare each area to standards and best practices:
Security policy: what you must do
Documented procedures: what you say you do
Operations: what you really do
Reporting Security Assessment Findings
Organize information into the following reporting framework:
Define the vulnerability
Document mitigation plans
Identify where changes should occur
Assign responsibility for implementing approved recommendations
Recommend a time for the next security assessment
Gathering Information About the Organization
What Is a Nonintrusive Attack?
Examples of nonintrusive attacks include:
Information reconnaissance
Port scanning
Obtaining host information using fingerprinting techniques
Network and host discovery
Nonintrusive attack: The intent to gain information about an organization’s network in preparation for a more intrusive attack at a later time
Information Reconnaissance Techniques
Common types of information sought by attackers include:
System configuration
Valid user accounts
Contact information
Extranet and remote access servers
Business partners and recent acquisitions or mergers
Information about your network may be obtained by:
Querying registrar information
Determining IP address assignments
Organization Web pages
Search engines
Public discussion forums
Countermeasures Against Information Reconnaissance
Only provide information that is absolutely required to your Internet registrar
Review your organization’s Web site content regularly for inappropriate information
Create a policy defining appropriate public discussion forums usage
Use e-mail addresses based on job roles on your company Web site and registrar information
What Information Can Be Obtained by Port Scanning?
Port scanning tips include:
Start by scanning slowly, a few ports at a time
To avoid detection, try the same port across several hosts
Run scans from a number of different systems, optimally from different networks
Typical results of a port scan include:
Discovery of ports that are listening or open
Determination of which ports refuse connections
Determination of connections that time out
Port-Scanning Countermeasures
Port scanning countermeasures include:
Implement defense-in-depth to use multiple layers of filtering
Plan for misconfigurations or failures
Run only the required services
Implement an intrusion-detection system
Expose services through a reverse proxy
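Added example, not part of the original deck, of the intrusion-detection countermeasure above: it flags, in denied-connection logs, the "same port across several hosts" pattern from the port-scanning tips as well as one source walking many ports on one host. The log format, thresholds and every log line are constructed for the example.

```python
# Added example (not from the original deck): flag port-scan patterns in
# firewall deny logs. The log format and all lines are constructed samples.
from collections import defaultdict

def make_line(src, dst, dport, action="DENY"):
    return f"2004-06-03T02:11:01 {action} src={src} dst={dst} dport={dport} proto=tcp"

# Constructed log: one source probing port 445 across six hosts (the "same port
# across several hosts" pattern), one source walking ports on a single host,
# plus ordinary allowed traffic and a lone denied connection.
LOG_LINES = (
    [make_line("10.9.8.7", f"192.168.0.{i}", 445) for i in range(10, 16)]
    + [make_line("10.9.8.8", "192.168.1.5", p) for p in (21, 22, 23, 25, 80, 443)]
    + [make_line("172.16.0.2", "192.168.0.10", 80, "ALLOW")] * 20
    + [make_line("10.9.8.9", "192.168.0.10", 3389)]
)

def parse(line):
    """Split the 'key=value' fields that follow the timestamp and action."""
    fields = dict(f.split("=", 1) for f in line.split()[2:])
    return fields["src"], fields["dst"], int(fields["dport"])

def detect_scans(lines, host_threshold=5, port_threshold=5):
    """Return (src, kind, target, count) for horizontal scans (one port on many
    hosts) and vertical scans (many ports on one host) seen in denied traffic."""
    hosts_per_port = defaultdict(set)   # (src, dport) -> destination hosts
    ports_per_host = defaultdict(set)   # (src, dst)   -> destination ports
    for line in lines:
        if line.split()[1] != "DENY":
            continue
        src, dst, dport = parse(line)
        hosts_per_port[(src, dport)].add(dst)
        ports_per_host[(src, dst)].add(dport)
    alerts = []
    for (src, dport), hosts in hosts_per_port.items():
        if len(hosts) >= host_threshold:
            alerts.append((src, "horizontal", dport, len(hosts)))
    for (src, dst), ports in ports_per_host.items():
        if len(ports) >= port_threshold:
            alerts.append((src, "vertical", dst, len(ports)))
    return sorted(alerts, key=lambda a: (a[0], a[1], str(a[2])))

if __name__ == "__main__":
    for alert in detect_scans(LOG_LINES):
        print(alert)
```

Per-source counting like this is exactly what the tips above about scanning slowly and from several different systems are meant to stay under, so thresholds need to be paired with longer time windows or correlation across sources.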
What Information Can Be Collected About Network Hosts?
Types of information that can be collected using fingerprinting techniques include:
IP and ICMP implementation
TCP responses
Listening ports
Banners
Service behavior
Remote operating system queries
Countermeasures to Protect Network Host Information
| Fingerprinting source | Countermeasures |
|---|---|
| IP, ICMP, and TCP | Be conservative with the packets that you allow to reach your system; use a firewall or inline IDS device to normalize traffic; assume that your attacker knows what version of operating system is running, and make sure it is secure |
| Banners | Change the banners that give operating system information; assume that your attacker knows what version of operating system and application is running, and make sure it is secure |
| Port scanning, service behavior, and remote queries | Disable unnecessary services; filter incoming traffic to isolate specific ports on the host; implement IPSec on all systems in the managed network |
Penetration Testing for Intrusive Attacks
What Is Penetration Testing for Intrusive Attacks?
Examples of penetration testing for intrusive attack methods include:
Automated vulnerability scanning
Password attacks
Denial-of-service attacks
Application and database attacks
Network sniffing
Intrusive attack: Performing specific tasks that result in a compromise of system information, stability, or availability
What Is Automated Vulnerability Scanning?
Automated vulnerability scanning makes use of scanning tools to automate the following tasks:
Banner grabbing and fingerprinting
Exploiting the vulnerability
Inference testing
Security update detection
Scale/Performance
Basis: Fully patched remote Windows XP SP1 on a busy 100-Mbps LAN
| Check | Duration (seconds) | Network resources (bytes) |
|---|---|---|
| Windows vulnerabilities | 9 | 1 MB |
| Weak passwords | 16 | 3.2 MB |
| IIS vulnerabilities | 2 | 130 KB |
| SQL vulnerabilities | 5 | 200 KB |
| Security updates (/nosum) | 4 | 6.5 MB |
| Total | 36 | 11 MB |
| Security updates (/sum) | 10 | 64 MB |
What Is a Password Attack?
Two primary types of password attacks are:
Brute-force attacks
Password-disclosure attacks
Countermeasures to protect against password attacks include:
Require complex passwords
Educate users
Implement smart cards
Create policy that restricts passwords in batch files, scripts, or Web pages
What Is a Denial-of-Service Attack?
DoS attacks can be divided into three categories:
Flooding attacks
Resource starvation attacks
Disruption of service
Denial-of-Service (DoS) attack: Any attempt by an attacker to deny his victim’s access to a resource
Note: Denial-of-service attacks should not be launched against your own live production network
Countermeasures for Denial-of-Service Attacks
| DoS attack | Countermeasures |
|---|---|
| Flooding attacks | Ensure that your routers have anti-spoofing rules in place and rules that block directed broadcasts; set rate limitations on devices to mitigate flooding attacks; consider blocking ICMP packets |
| Resource starvation attacks | Apply the latest updates to the operating system and applications; set disk quotas |
| Disruption of service | Make sure that the latest update has been applied to the operating system and applications; test updates before applying them to production systems; disable unneeded services |
Understanding Application and Database Attacks
Common application and database attacks include:
Buffer overruns:
Write applications in managed code
SQL injection attacks:
Validate input for correct size and type
What Is Network Sniffing?
An attacker can perform network sniffing by performing the following tasks:
1. Compromising the host
2. Installing a network sniffer
3. Using the network sniffer to capture sensitive data such as network credentials
4. Using the captured network credentials to compromise additional hosts
Network sniffing: The ability of an attacker to eavesdrop on communications between network hosts
Countermeasures for Network Sniffing Attacks
To reduce the threat of network sniffing attacks on your network consider the following:
Use encryption to protect data
Use switches instead of hubs
Secure core network devices
Use crossover cables
Develop policy
Conduct regular scans
How Attackers Avoid Detection During an Attack
Common ways that attackers avoid detection include:
Flooding log files
Using logging mechanisms
Attacking detection mechanisms
Using canonicalization attacks
Using decoys
How Attackers Avoid Detection After an Attack
Common ways that attackers avoid detection after an attack include:
Installing rootkits
Tampering with log files
Countermeasures to Detection-Avoidance Techniques
| Avoidance technique | Countermeasures |
|---|---|
| Flooding log files | Back up log files before they are overwritten |
| Using logging mechanisms | Ensure that your logging mechanism is running the most recent version of its software with all updates applied |
| Attacking detection mechanisms | Keep software and signatures updated |
| Using canonicalization attacks | Ensure that applications normalize data to its canonical form |
| Using decoys | Secure the end systems and networks being attacked |
| Using rootkits | Implement defense-in-depth strategies |
| Tampering with log files | Secure log file locations; store logs on another host; use encryption to protect log files; back up log files |
Session Summary
Plan your security assessment to determine scope and goals
Disclose only essential information about your organization on Web sites and on registrar records
Educate users to use strong passwords or pass-phrases
Assume that the attacker already knows the exact operating system and version and take as many steps as possible to secure those systems
Keep systems up-to-date on security updates and service packs
Defense-in-depth figure (layer labels only): Policies & Procedures; Physical Layer; Perimeter (FW); Network; Server and Client hosts, each with an Application and a Data layer.