Educating System Testers in Vulnerability Analysis: Laboratory Development and Deployment Leonardo A. Martucci, Hans Hedbom, Stefan Lindskog, and Simone.


Educating System Testers in Vulnerability Analysis: Laboratory Development and Deployment
Leonardo A. Martucci, Hans Hedbom, Stefan Lindskog, and Simone Fischer-Hübner
Department of Computer Science, Karlstad University, Sweden

2 WECS'7 Outline
- Introduction and background
- Course overview
- Course content
- Hands-on assignments
- Evaluation and lessons learned
- Conclusion
- Errata

3 Introduction
- The constantly growing number of security vulnerabilities, threats, and incidents has led to increased investments in the development of more secure systems
- The lack of security functionality and assurance may result in high costs
- Vulnerability analysis (VA) is an important means for improving the security assurance of IT systems during the test and integration phases

4 Background
- A large telecom company decided to increase its efforts in VA by educating its software testers
- It decided to outsource the education and training of its testers
- A compact (3-day) VA course was developed at our department
- The course has been held 3 times during 2005 for a total of 45 participants

5 Course Overview
- The emphasis of the course is on practical hands-on assignments
- The course is aimed at software testers with:
  - little or no security experience
  - extensive knowledge in software testing
- The topics included in the course are based on a preliminary list of topics specified by the contractor
- A set of laboratory assignments was derived from this list
- Approximately 30-40% of the course covers theoretical aspects; the rest is used for practical assignments

6 Course Content
- The course content is divided into 4 blocks:
  - Introduction to computer and network security: motivation, evaluation criteria, security standards, risk analysis, and ethics
  - Computer and network security protocols and tools: cryptography, IPSec, SSH, SSL/TLS, PKI, VPNs, IDSs, firewalls, and a set of laboratory assignments
  - Vulnerability analysis: the four steps of VA, i.e., (1) reconnaissance, (2) research and planning, (3) attack mounting, and (4) assessment; known vulnerabilities, reconnaissance tools, and information gathering
  - Common host attacks, malicious code, node hardening, and several practical laboratory assignments

7 Hands-on Assignments
- The following laboratory assignments are included:
  - password cracking
  - testing for randomness
  - firewall
  - black box testing
  - network analyzing (and ARP spoofing)
  - port scanning
  - node hardening
  - security scanning
- Final project: putting it all together (i.e., from grain to bread)

8 Ethical Rules
- The participants were requested to follow the following ethical rules:
  - Do not experiment with VA tools without explicit permission of an authorized party
  - Do not pass on/publish material, tools, and vulnerabilities to unauthorized parties
  - Do not use your technical skills in criminal or ethically questionable activities
  - Always report flaws to vendors/developers first
  - Software tools provided in this course must only be used in a laboratory environment and on laboratory computers

9 The Laboratory Environment
- The laboratory was prepared for 20 students working in pairs
- Each pair has its own workstation
- Each workstation:
  - was dual boot: Windows XP and Fedora Core 3 Linux
  - was equipped with an Ethernet NIC
- The laboratory was also configured with two servers:
  - one running Windows 2000 Server
  - the other running Fedora Core 3 Linux
- In some assignments the servers were the target

10 Password Cracking
Goal
- To show that weak passwords can be a serious threat
Running the assignment
- The password cracking tool John the Ripper was used to detect weak passwords on the participants' own workstations running Linux
- Some easy-to-break passwords were introduced in the password file
Knowledge obtained
- The participants have tested a password cracking tool to identify weak passwords

11 Testing for Randomness
Goal
- To educate the participants in how to identify non-random properties in sequences produced by a pseudo-random number generator (PRNG)
Running the assignment
- The NIST statistical test suite was used to evaluate outputs from different PRNGs
- A short introduction to hypothesis testing was needed in order for the participants to evaluate the output from the tool
Knowledge obtained
- The participants have learned that:
  - good PRNGs are a crucial cryptographic primitive
  - automatic tools exist to validate PRNGs
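As an added example (not part of the course material or the NIST suite itself), here are two of the NIST SP 800-22 tests the assignment relies on, the frequency (monobit) test and the runs test, together with the hypothesis-test decision rule the participants needed in order to read the tool's output. The P-values are checked against the worked examples NIST gives for these two tests; the alternating sequence is constructed here to show why one test alone is not enough.

```python
import math

# Added example: two tests from NIST SP 800-22 and the decision rule that
# turns a P-value into "keep" or "reject" H0 ("the sequence is random").

def bits_from_string(s):
    """Turn a text such as '1011010101' into a list of 0/1 ints (other chars ignored)."""
    return [int(c) for c in s if c in "01"]

def frequency_monobit_p(bits):
    """P-value of the monobit test: are ones and zeros balanced?"""
    n = len(bits)
    s_n = sum(2 * b - 1 for b in bits)      # map 0 -> -1 and 1 -> +1, then sum
    s_obs = abs(s_n) / math.sqrt(n)
    return math.erfc(s_obs / math.sqrt(2))

def runs_test_p(bits):
    """P-value of the runs test: is the oscillation between 0s and 1s plausible?

    Per the spec the test is only meaningful when the monobit prerequisite
    holds; otherwise 0.0 is returned (the sequence is already non-random).
    """
    n = len(bits)
    pi = sum(bits) / n                       # proportion of ones
    if abs(pi - 0.5) >= 2 / math.sqrt(n):    # prerequisite from the spec
        return 0.0
    v_obs = 1 + sum(1 for i in range(n - 1) if bits[i] != bits[i + 1])  # run count
    num = abs(v_obs - 2 * n * pi * (1 - pi))
    den = 2 * math.sqrt(2 * n) * pi * (1 - pi)
    return math.erfc(num / den)

def passes(p, alpha=0.01):
    """Decision rule: H0 'the sequence is random' is kept when p >= alpha."""
    return p >= alpha

if __name__ == "__main__":
    # The two worked example sequences from NIST SP 800-22.
    print("monobit 1011010101:", frequency_monobit_p(bits_from_string("1011010101")))
    print("runs    1001101011:", runs_test_p(bits_from_string("1001101011")))
    # Constructed: perfectly balanced but obviously non-random. The monobit
    # test cannot tell, the runs test rejects it; hence a whole suite is used.
    alternating = [0, 1] * 50
    print("alternating monobit:", passes(frequency_monobit_p(alternating)))
    print("alternating runs   :", passes(runs_test_p(alternating)))
```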

12 Firewall
Goal
- To provide hands-on experience of how firewall rules in Linux using iptables can be used
Running the assignment
- The participants were asked to write firewall rules for the setup in the figure in order to implement a given policy
Knowledge obtained
- The participants have the knowledge to write, read, understand, verify, and evaluate firewall rules

13 Black Box Testing
Goal
- To learn how a protocol implementation can be evaluated using a black box testing method
Running the assignment
- The PROTOS tool was used to evaluate the SNMP protocol implementation in a Cisco 1005 router
- A ready-made test suite to perform a DoS attack was used
Knowledge obtained
- The participants have learned that black box testing using automatic tools can be used to evaluate implementations of communication protocols

14 Network Analyzing (and ARP Spoofing)
Goal
- To show how easy it is to capture network traffic in a LAN using Ethereal
Running the assignment
- Ethereal was used to capture a password sent over the network using TELNET
Knowledge obtained
- The participants have learned how to use a network analyzer to capture network traffic

15 Port Scanning
Goal
- To demonstrate how port scanners can be used to find open ports on a networked computer
Running the assignment
- The participants were asked to gather information about open ports on the two servers using the Network Mapper (Nmap) in Linux
Knowledge obtained
- The participants have learned how to use a port scanner to find unexpected open ports in a product before deployment
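As an added example (not from the course), a verification step in the spirit of this assignment and of the final project's requirement specification: parse Nmap's grepable (-oG) output for the lab servers and report every open port the specification does not allow. The scan output, the allowed-port lists and the 192.0.2.0/24 addresses (a documentation range) are constructed for this example.

```python
import re

# Constructed sample of Nmap grepable (-oG) output for two lab servers; not a
# real capture from the course's laboratory. 192.0.2.0/24 is a documentation range.
SAMPLE_NMAP_OG = """\
# Nmap scan initiated as: nmap -sS -oG - 192.0.2.10 192.0.2.20
Host: 192.0.2.10 ()\tStatus: Up
Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 3306/open/tcp//mysql///\tIgnored State: closed (997)
Host: 192.0.2.20 ()\tStatus: Up
Host: 192.0.2.20 ()\tPorts: 23/open/tcp//telnet///, 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///\tIgnored State: filtered (997)
"""

# Ports each server may expose according to a hypothetical requirement
# specification of the kind handed out in the final project.
ALLOWED = {
    "192.0.2.10": {("tcp", 22), ("tcp", 80)},
    "192.0.2.20": {("tcp", 445)},
}

# Each entry in the Ports: field reads port/state/protocol/owner/service/rpc/version/
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/")

def parse_open_ports(og_text):
    """Return {host: {(proto, port), ...}} for every port Nmap reported as open."""
    found = {}
    for line in og_text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        ports_field = line.split("Ports:", 1)[1].split("\t")[0]
        for port, state, proto in PORT_RE.findall(ports_field):
            if state == "open":
                found.setdefault(host, set()).add((proto, int(port)))
    return found

def unexpected_ports(found, allowed):
    """Open ports not covered by the specification, per host (empty dict = clean)."""
    report = {}
    for host, ports in found.items():
        extra = ports - allowed.get(host, set())
        if extra:
            report[host] = sorted(extra)
    return report

if __name__ == "__main__":
    for host, ports in unexpected_ports(parse_open_ports(SAMPLE_NMAP_OG), ALLOWED).items():
        print(host, "exposes unexpected ports:", ", ".join(f"{p}/{proto}" for proto, p in ports))
```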

16 Node Hardening
Goal
- To educate the participants on how to increase the security of nodes by:
  - turning off unnecessary services
  - restricting the rights of necessary services
  - verifying that the software in use has the latest patches
Running the assignment
- The Bastille tool was used
- When running Bastille, a large set of questions is asked about how the user would like the node to be configured, after which the system is automatically configured according to the answers
Knowledge obtained
- The participants have learned the importance of correct configurations and how to handle a node hardening tool

17 Security Scanning
Goal
- To show how to use security scanners in order to automatically scan a system for known vulnerabilities
Running the assignment
- Two unpatched servers running Windows 2000 Server and Fedora Core 3 Linux were acting as targets
- Both the Internet Scanner (IS) and Nessus were used as scanners
- Neither the configuration nor the IP addresses of the servers were known to the students
Knowledge obtained
- The participants have learned that security scanners are tools that can assist testers in the verification process

18 Putting it all Together
Goal
- To let the participants conduct a full VA of a target with limited resources and time (<8 hours)
Running the assignment
- The assignment was conducted in groups of 4 students
- Each group had two workstations and one server that was the target of evaluation
- The group was given a requirement specification describing the role of the server and its security requirements
- The exercise was to find out what had to be done to fulfill the requirements, perform the necessary changes, and verify the result
Knowledge obtained
- The participants have gained a better understanding of how to perform a full-scale VA

19 Evaluation and Lessons Learned
- After each course instance, the participants were asked to fill in a questionnaire used to evaluate the course
- Based on the answers, the following conclusions can be drawn:
  - The most popular assignments have been: security scanning, port scanning, and node hardening
  - The least interesting assignments have been: testing for randomness and firewall
  - Each participant has been either satisfied or very satisfied with the course
- We have also noticed that having a system administrator available during the course would greatly reduce the burden on the teachers

20 Concluding Remarks
- A vulnerability analysis (VA) course aimed at software testers is described in the paper
- The focus is on the various laboratory assignments provided within the course
- All participants have been either satisfied or very satisfied with the course, and we are convinced that the course has significantly raised their awareness concerning security and VA
- An investigation of how the participants use their knowledge in VA will be performed during spring 2006
- Three new instances of the course are scheduled in 2006

21 Errata
- Page 2, third sentence in the second paragraph, i.e.: "Students from an applied computer security course were engaged and trained to attack a target system and evaluate its security [2]." Delete "and trained" in the sentence.