
1 Network Security Workshop BUSAN 2003 Saravanan Kulanthaivelu svanan@nrg.cs.usm.my

2 Security Audit
"The world isn't run by weapons anymore, or energy, or money. It's run by little ones and zeros, little bits of data... There's a war out there... and it's not about who's got the most bullets. It's about who controls the information."
Federation of American Scientists - Intelligence Resource Program

3 Workshop Outline (2)
- Security Audit
- Intrusion Detection
- Incident Response

4 FAQ
- We already have firewalls in place. Isn't that enough?
- We did not realize we could get security audits. Can you really get security audits, just like financial audits?
- We have already had a security audit. Why do we need another one?

5 Answers
- Firewalls and other devices are simply tools to help provide security. They do not, by themselves, provide security. Using a castle as an analogy, think of firewalls and other such tools as simply the walls and watch towers. Without guards, reports, and policies and procedures in place, they provide little protection.
- Security audits, like financial audits, should be performed on a regular basis.

6 Security Audit - Definitions
- A security audit is a policy-based assessment of the procedures and practices of a site, assessing the level of risk created by these actions.
- An assessment process which develops systems and procedures within an organization, creates awareness amongst employees and users, and ensures compliance with legislation through periodic checking of processes, constituents and documentation.

7 Why Audit?
- Determine Vulnerable Areas
- Obtain Specific Security Information
- Allow for Remediation
- Check for Compliance
- Ensure Ongoing Security
- To ensure that the site's networks and systems are efficient and foolproof

8 Who needs security auditing?
- A security audit is necessary for every organization using the Internet.
- An ongoing process that must be tried and improved to cope with the ever-changing and challenging threats.
- Do not be afraid of being audited. Auditing is good practice.

9 Audit Phases
- External Audit
  - Public information collection
  - External Penetration
    - Non-destructive test
    - Destructive test
- Internal Audit
  - Confidential information collection
  - Security policy reviewing
  - Interviews
  - Environment and Physical Security
  - Internal Penetration
- Change Management
- Reporting

10 Audit Phases - External
- Hacker's view of the network
- Simulate attacks from outside
- Point-in-time snapshots
- Can NEVER be 100% complete

11 External Audit - Public Information Gathering
- Search for information about the target and the critical services it provides on the Internet.
- Network Identification
  - Identify the IP address ranges owned/used
- Network Fingerprinting
  - Try to map the network topology
  - Perimeter model identification
- OS & Application fingerprinting
  - OS fingerprinting
  - Port scanning to identify services and applications
  - Banner grabbing

12 External Audit - Some Commandments
- Do not make ANY changes to the systems or networks
- Do not impact processing capabilities by running scanning/testing tools during business hours or during peak or critical periods
- Always get permission before testing
- Be confidential and trustworthy
- Do not perform unnecessary attacks

13 External Audit - Penetration Test
- Plan the penetration process
- Search for vulnerabilities matching the information gathered and obtain the exploits
- Conduct vulnerability assessments (ISO 17799)
- Non-destructive test
  - Scans / tests to confirm vulnerabilities
  - Make SURE they are not harmful
- Destructive test
  - Only for short-term effect (DDoS...)
  - Done from various locations
  - Done only in off-peak hours to confirm the effect
- Record everything
  - Save snapshots and record everything for every test done, even if it returned a false result
- Watch out for HONEYPOTS

14 Internal Audit
- Conducted at the premises
- A process of hacking with full knowledge of the network topology and other crucial information.
- Also to identify threats within the organization
- Should be 100% accurate.
- Must be cross-checked with the external penetration report.

15 Internal Audit - Policy review
- Everything starts with the security policy
- If there is no policy, there is no need for a security audit.
- Hierarchy: Policy -> Standards -> Procedures, Guidelines & Practices

16 Internal Audit - Policy review
- Policies are studied properly and classified
- Identify any security risks that exist within the policy
- Interview IT staff to gain a proper understanding of the policies
- Also to identify the level of implementation of the policies.

17 Internal Audit - Information gathering
- Discussion of the network topology
- Placement of perimeter devices: routers and firewalls
- Placement of mission-critical servers
- Existence of IDS
- Logging
- Cross-check with security policy

18 Internal Audit - Environment & Physical Security
- Locked / combination / card-swipe doors
- Temperature / humidity controls
- Neat and orderly computing rooms
- Sensitive data or papers lying around?
- Fire suppression equipment
- UPS (Uninterruptible power supply)
- Section 8.1 of the ISO 17799 document defines the concepts of secure area, secure perimeter and controlled access to such areas.
- Cross-check with security policy

19 Internal Audit - Penetration
- The internal penetration test can be divided into a few categories:
  - Network
  - Perimeter devices
  - Servers and OS
  - Applications and services
  - Monitoring and response
- Find vulnerabilities and malpractice in each category
- Cross-check with security policy

20 Internal Audit - Network
- Location of devices on the network
- Redundancy and backup devices
- Staging network
- Management network
- Monitoring network
- Other network segmentation
- Cabling practices
- Remote access to the network
- Cross-check with security policy

21 Internal Audit - Perimeter Devices
- Check the configuration of perimeter devices like:
  - Routers
  - Firewalls
  - Wireless AP/Bridge
  - RAS servers
  - VPN servers
- Test the ACLs and filters, such as egress and ingress firewall rules
- Configuration
- Access method
- Logging methods
- Cross-check with security policy

22 Internal Audit - Server & OS
- Identify mission-critical servers like DNS, Email and others
- Examine the OS and the patch levels
- Examine the ACLs on each server
- Examine the management controls: accounts & passwords
- Placement of the servers
- Backup and redundancy
- Cross-check with security policy

23 Internal Audit - Application & Services
- Identify the services and applications running on the mission-critical servers. Check vulnerabilities for the versions running. Remove unnecessary services/applications.
  - DNS: Name services (BIND)
  - Email: POP3, SMTP
  - Web/HTTP
  - SQL
  - Others
- Cross-check with security policy

24 Internal Audit - Monitor & Response
- Check for procedures on:
  - Event Logging and Audit
    - What is logged?
    - How frequently are logs reviewed?
    - How long are logs kept?
  - Network monitoring
    - What is monitored?
    - Response alerts?
  - Intrusion Detection
    - IDS in place?
    - What rules and detection methods are used?
  - Incident Response
    - How is the response to an attack handled?
    - What is the recovery plan?
    - Follow-up?
- Cross-check with security policy

25 Internal Audit - Analysis and Report
- Analysis result
  - Check compliance with security policy
  - Identify weaknesses and vulnerabilities
  - Cross-check with the external audit report
- Report - key to realizing value
  - Must be in 2 parts:
    - Non-technical (for management use)
    - Technical (for IT staff)
  - Methodology of the entire audit process
  - Separate Internal and External
  - State weaknesses/vulnerabilities
  - Suggest solutions to harden security

26 Tools

27 More Tools...
- Inetmon
- Firewalk
- Dsniff
- RafaleX
- NetStumbler
- RAT (Router Audit Tool) - CIS
- Retina scan tools
- MBSA

28 Nmap - De facto Standard
- Even in The Matrix, nmap was used

29 Intrusion Detection
- Intrusion Detection is the process of monitoring computer networks and systems for violations of security.
- An Intrusion: any set of actions that attempt to compromise the integrity, confidentiality or availability of a resource.
- All intrusions are defined relative to a security policy
- The security policy defines what is permitted and what is denied on a network/system
- Unless you know what is and is not permitted, it's pointless to attempt to catch intrusions

30 Intrusion Detection
- Manual Detection
  - Check the log files for unusual behavior
  - Check the setuid and setgid bits of files
  - Check important binaries
  - Check for usage of sniffing programs
- Automatic (partially??)
  - Intrusion Detection Systems

31 Goal
- To detect intrusions in real time and respond to them
- False positive
  - No intrusion, but an alarm
  - Too many make your life miserable
- False negative
  - Intruder not detected
  - System is compromised

32 Intrusion Detection - Detection Schemes
- Misuse Detection: The most common technique, where incoming/outgoing traffic is compared against well-known 'signatures'. For example, a large number of failed TCP connections to a wide variety of ports indicates that somebody is doing a TCP port scan.
- Anomaly Detection: Uses statistical analysis to find changes from baseline behavior (such as a sudden increase in traffic, CPU utilization, disk activity, user logons, file accesses, etc.). This technique is weaker than signature recognition, but has the benefit that it can catch attacks for which no signature exists. Anomaly detection is mostly theoretical at this point and is the topic of extensive research.

33 Intrusion Detection - Detection
- Misuse Detection
  - Detect known attack signatures
  - Advantage: low false positive rate
  - Drawbacks: only known attacks; costs for signature management
- Anomaly Detection
  - Learn normal profiles from user and system behavior; detect anomalies
  - Advantage: detects unknown attacks
  - Drawbacks: difficulty of profiling; the profile can be controlled by intruders; high false positive rate
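The two schemes on slides 32 and 33 side by side, as added example code that is not part of the workshop material: a port-scan signature (many rejected TCP connections from one source to many distinct ports inside a short window) next to a per-minute volume baseline that flags statistical outliers. The log format, the addresses and every sample line are constructed for the example.

```python
"""Toy network IDS illustrating the two detection schemes from slides 32/33.

Misuse detection: a signature for a TCP port scan, i.e. one source making
many REJECTed connections to many distinct ports within a short window.
Anomaly detection: a mean/stddev baseline of connections per minute,
flagging later minutes that deviate from it by more than a threshold.

Example code added to the transcript; the log format and every sample
line below are constructed for it and are not from the workshop.
"""
from collections import Counter, defaultdict
from datetime import datetime
import statistics


def build_sample_log():
    """Constructed sample: five quiet minutes of normal traffic, then one
    minute in which 203.0.113.9 probes 12 ports and is rejected each time.
    Format: "<ISO timestamp> <src ip> <dst ip>:<dst port> ACCEPT|REJECT"."""
    lines = []
    normal = [("10.0.0.5", 80), ("10.0.0.7", 25), ("10.0.0.5", 443)]
    for minute in range(5):
        for i, (src, port) in enumerate(normal):
            lines.append(f"2003-08-20T10:0{minute}:{i * 10:02d} {src} 192.168.1.10:{port} ACCEPT")
    probed = [21, 22, 23, 25, 53, 80, 110, 111, 135, 139, 143, 443]
    for i, port in enumerate(probed):
        lines.append(f"2003-08-20T10:05:{i * 2:02d} 203.0.113.9 192.168.1.10:{port} REJECT")
    # A single rejected connection from an internal host: not a scan.
    lines.append("2003-08-20T10:05:30 10.0.0.7 192.168.1.10:8080 REJECT")
    return "\n".join(lines)


def parse_log(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst_port, result = line.split()
        dst, port = dst_port.rsplit(":", 1)
        events.append({"ts": datetime.fromisoformat(ts), "src": src,
                       "dst": dst, "port": int(port), "result": result})
    return events


def detect_port_scans(events, min_ports=10, window_seconds=60):
    """Misuse detection. Returns {src: max distinct rejected ports seen in
    any window_seconds window} for sources that reach min_ports."""
    by_src = defaultdict(list)
    for ev in events:
        if ev["result"] == "REJECT":
            by_src[ev["src"]].append(ev)
    alerts = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        in_window = Counter()   # port -> hits inside the sliding window
        start = 0
        for ev in evs:
            in_window[ev["port"]] += 1
            # Drop events that fell out of the window on the left.
            while (ev["ts"] - evs[start]["ts"]).total_seconds() > window_seconds:
                old_port = evs[start]["port"]
                in_window[old_port] -= 1
                if in_window[old_port] == 0:
                    del in_window[old_port]
                start += 1
            if len(in_window) >= min_ports:
                alerts[src] = max(alerts.get(src, 0), len(in_window))
    return alerts


def detect_volume_anomalies(events, baseline_minutes, threshold=3.0):
    """Anomaly detection. Builds mean/stddev of connections per minute from
    the first baseline_minutes buckets that contain traffic and returns the
    later minutes whose count exceeds mean + threshold * stddev."""
    per_minute = Counter(ev["ts"].replace(second=0) for ev in events)
    minutes = sorted(per_minute)
    base = [per_minute[m] for m in minutes[:baseline_minutes]]
    mean = statistics.mean(base)
    stdev = statistics.pstdev(base) or 1.0   # flat baseline: use 1 connection
    limit = mean + threshold * stdev
    return [m for m in minutes[baseline_minutes:] if per_minute[m] > limit]


if __name__ == "__main__":
    evs = parse_log(build_sample_log())
    print("port scans:", detect_port_scans(evs))            # {'203.0.113.9': 12}
    print("anomalous minutes:", detect_volume_anomalies(evs, 5))
```

Note that the anomaly detector flags the scan minute only because it is noisier than the baseline; a slow scan spread over hours would pass it and be caught only by the signature, which is the trade-off slide 33 describes.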

34 Network IDS
- Uses network packets as the data source
- Searches for patterns in packets
- Searches for patterns of packets
- Searches for packets that shouldn't be there
- May understand a protocol for effective pattern searching and anomaly detection
- May passively log, alert via SMTP/SNMP or have a real-time GUI

35 Network IDS Strengths
- Lower cost of ownership
  - Fewer detection points required
  - Greater view
  - More manageable
- Detects attacks that host-based systems miss
  - IP-based Denial of Service
  - Packet or payload content
- More difficult for an attacker to remove evidence
  - Uses live network traffic
  - Captured network traffic

36 Network IDS Strengths
- Real-time detection and response
  - Faster notification and responses
  - Can stop before damage is done (TCP reset)
- Detects unsuccessful attacks and malicious intent
  - Outside a DMZ
  - See attempts blocked by the firewall
  - Critical information obtained can be used for policy refinement
- Operating system independence
  - Does not require information from the target OS
  - Does not have to wait until the event is logged
  - No impact on the target

37 Network IDS Limitations
- Obtaining packets: topology & encryption
- Number of signatures
- Quality of signatures
- Performance
- Network session integrity
- Understanding the observed protocol
- Disk storage

38 Host Based IDS
- Signature log analysis: application and system
- File integrity checking: MD5 checksums
- Enhanced kernel security
  - API access control
  - Stack security
- Some products listen to port activity and alert the administrator when specific ports are accessed
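The file integrity checking named on slide 38, combined with the manual setuid/setgid check from slide 30, as added example code that is not from the workshop. It takes a baseline of hashes and permission bits for a directory of binaries, re-checks later, and reports the kinds of change slide 60 says to look for. The slides name MD5 checksums; the example uses SHA-256, which is what a current deployment should use. The watched tree and the simulated intruder changes are constructed in a temporary directory.

```python
"""Host-based integrity checking in the spirit of slides 30 and 38: a
baseline of hashes and permission bits for important binaries, re-checked
later, plus a sweep for setuid/setgid files.

Example code added to the transcript, not from the workshop. The slides
name MD5 checksums; this uses SHA-256. The watched tree is constructed
in a temporary directory.
"""
import hashlib
import os
import stat
import tempfile


def hash_file(path):
    """SHA-256 of a file's contents, read in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root):
    """Walk root and record, per regular file, its hash and permission bits
    (including setuid/setgid), keyed by path relative to root."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue   # skip symlinks, devices, sockets
            rel = os.path.relpath(path, root)
            result[rel] = {"sha256": hash_file(path),
                           "mode": stat.S_IMODE(st.st_mode)}
    return result


def compare(baseline, current):
    """Diff two snapshots. A file appears under both 'modified' and
    'mode_changed' if both its content and its permission bits changed."""
    report = {"added": [], "removed": [], "modified": [], "mode_changed": []}
    for rel, info in current.items():
        if rel not in baseline:
            report["added"].append(rel)
            continue
        if info["sha256"] != baseline[rel]["sha256"]:
            report["modified"].append(rel)
        if info["mode"] != baseline[rel]["mode"]:
            report["mode_changed"].append(rel)
    report["removed"] = [rel for rel in baseline if rel not in current]
    return {k: sorted(v) for k, v in report.items()}


def setuid_setgid_files(snap):
    """Manual check from slide 30: files carrying the setuid or setgid bit."""
    special = stat.S_ISUID | stat.S_ISGID
    return sorted(rel for rel, info in snap.items() if info["mode"] & special)


def _write(path, data, mode=None):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)
    if mode is not None:
        os.chmod(path, mode)


def demo():
    """Build a constructed bin/ tree, take the baseline, apply the kinds of
    change slide 60 says to look for (trojan binary, hidden directory,
    changed mode bits), and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        ls = os.path.join(root, "bin", "ls")
        ps = os.path.join(root, "bin", "ps")
        _write(ls, b"ls binary, release build\n", 0o755)
        _write(ps, b"ps binary, release build\n", 0o755)
        baseline = snapshot(root)

        _write(ps, b"replaced ps that hides processes\n")   # content change
        os.chmod(ls, 0o4755)                                # setuid bit added
        _write(os.path.join(root, "bin", ".hidden", "backdoor"), b"x\n", 0o700)
        current = snapshot(root)
        return compare(baseline, current), setuid_setgid_files(current)


if __name__ == "__main__":
    report, suid = demo()
    print(report)   # modified: bin/ps, mode_changed: bin/ls, added: bin/.hidden/backdoor
    print(suid)     # ['bin/ls']
```

The baseline only has value if it is stored off the host (slide 40 notes that kernel modifications can defeat on-host integrity checks), so in practice the snapshot would be written to read-only or remote storage before the host goes into service.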

39 Host IDS Strengths
- Verifies success or failure of an attack
  - Log verification
- Monitors specific system activities
  - File access
  - Logon / logoff activity
  - Account changes
  - Policy changes
- Detects attacks that network-based IDS may miss
  - Keyboard attacks
  - Brute-force logins

40 Host Based IDS Limitations
- Places load on the system
- Disabling of system logging
- Kernel modifications to avoid file integrity checking (and other things)
- Management overhead
- Network IDS Limitations

41 Characteristics of a Good IDS
- Impose minimal overhead: does not slow down the system
- Observe deviations from normal behavior
- Easily tailored to any system
- Cope with changing system behavior over time as applications are added: high adaptation

42 Network Honeypots
- Sacrificial system(s) or sophisticated simulations
- Any traffic to the honeypot is considered suspicious
- If a scanner bypassed the NIDS, HIDS and firewalls, they still may not know that a honeypot has been deployed

43 Network Honeypots
[Diagram: Honeypot, HTTP and DNS servers behind the Firewall]

44 Some IDS
- Commercial
  - RealSecure by ISS
  - VCC/Tripwire
  - CMDS by SAIC
  - NetRanger by WheelGroup
- Freeware/Open source
  - Snort (www.snort.org)

45 Incident Response
- Incident: An action likely to lead to grave consequences
  - Data loss may lead to commercial loss.
  - Confidentiality breached.
  - Political issues...
  - Network breakdown leads to service and information flow disruption.
  - Many more...

46 Incident Response
- Response: An act of responding.
  - Something constituting a reply or a reaction.
  - The activity or inhibition of previous activity of an organism or any of its parts resulting from stimulation.
  - The output of a transducer or detecting device resulting from a given input.
- Ideally, Incident Response would be a set of policies that allow an individual or individuals to react to an incident in an efficient and professional manner, thereby decreasing the likelihood of grave consequences.
- ISO 17799
  - Outlines comprehensive incident response and internal investigation procedures
  - Detailed provisions on computer evidence preservation and handling

47 Incident Response - Purpose
- Minimize overall impact.
  - Hide from public scrutiny.
  - Stop further progression.
  - Involve key personnel.
  - Control the situation.

48 Incident Response - Purpose
- Minimize overall impact.
- Recover quickly & efficiently.
  - Respond as if going to prosecute.
  - If possible, replace the system with a new one.
  - Priority one: business back to normal.
  - Ensure all participants are notified.
  - Record everything.

49 Incident Response - Purpose
- Minimize overall impact.
- Recover quickly & efficiently.
- Secure the system.
  - Lock down all known avenues of attack.
  - Assess the system for unseen vulnerabilities.
  - Implement proper auditing.
  - Implement new security measures.

50 Incident Response - Purpose
- Minimize overall impact.
- Recover quickly & efficiently.
- Secure the system.
- Follow-up (a continuous process)
  - Ensure that all systems are secure.
  - Continue prosecution.
  - Securely store all evidence and notes.
  - Distribute lessons learned.

51 Incident Verification
- How are we certain that an incident occurred? Verify the incident!
- Where to find information?
  - Intrusion logs
  - Firewall logs
  - Interviews: emails, network admin, users, ISP, etc...

52 Verification: What do we know?
- Three situations:
  1. Verification without touching the system
  2. Verification by touching the system minimally. You have a clue or two where to look.
  3. Verification by full analysis of the live system to find any evidence that an incident has occurred.

53 Secure Incident Scene
- What exactly does this mean?
- Limit the amount of activity on the system to as little as possible
  - Limit damage by isolating
  - ONE person performs actions
  - Limit affecting the crime environment
  - Record your actions

54 Preserve Everything!
- Anything and everything you do will change the state of the system
  - POWER OFF? Changes it.
  - Leave it plugged in? Changes it.
  - Obtaining a backup will change the system
  - Unplug the network? Changes it.
  - Even doing nothing will ALSO change the state of the system.

55 Incident Scene Snapshot
- Record the state of the computer
  - Photos, state of the computer, what is on the screen?
  - What is obviously running on the screen?
    - Xterm?
    - X Windows?
- Should you port scan the affected computer?
  - Pros: You can see all active and listening ports
  - Cons: It affects the computer, and some backdoors log how many connections come into them and could tip off the bad guy

56 Unplug power from the system?
- This method may be the most damaging to effective analysis, though there are some benefits as well
- Benefits include that you can now move the system to a more secure location and that you can physically remove the hard drive from the system
- Cons... you lose evidence of all running processes and memory

57 Unplug from Network?
- Unplug from the network? Unplug it from the network and plug the distant end into a small hub that is not connected to anything else.
- Most systems will write error messages into log files if not on a network. If you make the computer think it is still on a network, you will succeed in limiting the amount of changes to that system.

58 Backup or Analyze?
- Should you back up the system first? Should you find the extent of the damage?
- Set this up in the policy for your incident response: it depends on the system and what you need it for.
  - To get the BEST evidence, BACKUP first, at the cost of time to get answers
  - To get FAST answers, ANALYZE first, at the cost of getting the best evidence
- Label systems with a priority. Some will need answers quicker than your ability to get the best evidence.

59 Finding Clues
- Once the backup is done, start looking for clues
- Be careful to avoid tampering with the system when it is in the middle of a backup.
- Even though the emphasis might be to quickly assess the WHAT of a situation, if you try to answer that question without preserving the scene of the crime you will inadvertently erase the evidence you seek
- Be patient. It's meticulous.

60 Finding Clues
- What are we really looking for?
  - DATES and TIMES
  - TROJAN BINARIES
  - HIDDEN DIRECTORIES
  - OUT OF PLACE FILES OR SOCKETS
  - ABNORMAL PROCESSES
- We need to find one clue, and once we do, everything else almost always falls into place

61 What Next?
- Prosecute??
- Apply short-term solutions to contain an intrusion
- Eliminate all means of intruder access
- Return systems to normal operation
- Identify and implement security lessons learned

62 Useful Links
- http://www.securityfocus.com
- http://packetstormsecurity.org
- http://icat.nist.gov/icat.cfm
- http://wiretrip.net
- http://www.guninski.com/
- http://nsfocus.com

63 Incident Response Resources
- Incident Response, Electronic Discovery, and Computer Forensics: www.incident-response.org
- Security Focus: www.securityfocus.com
- The Federal Computer Incident Response Center (FedCIRC): www.fedcirc.gov
- The Canadian Office of Critical Infrastructure Protection and Emergency Preparedness: www.ocipep.gc.ca
- Incident Handling Links & Documents (75 links): http://www.honeypots.net/incidents/links
- SEI: Handbook for Computer Security Incident Response Teams: http://www.sei.cmu.edu/pub/documents/98.reports/pdf/98hb001.pdf
- CERT/CC: Computer Security Incident Response: http://www.cert.org/csirts/
- CERT/CC: Responding to Intrusions: http://www.cert.org/security-improvement/modules/m06.html
- AusCERT: Forming an Incident Response Team: http://www.auscert.org.au/render.html?it=2252&cid=1920
- SANS: S.C.O.R.E: http://www.sans.org/score/

64 White Papers
- http://www.ins.com/knowledge/whitepapers.asp
  - Information Security Management: Understanding ISO 17799
  - Microsoft IIS Unicode Exploit
  - Worrisome New Windows Attacks
  - PKI: How it Works
  - IPSec: What Makes it Work

65 Funny things happen! Beware.
Thank You

