Security Workshop Part 2 - PowerPoint PPT Presentation

Network Security Workshop BUSAN 2003. Saravanan Kulanthaivelu [email protected] Security Audit.

Presentation Transcript

Network Security Workshop BUSAN 2003

Saravanan Kulanthaivelu

[email protected]

Security Audit

  • "The world isn’t run by weapons anymore, or energy, or money. It’s run by little ones and zeros, little bits of data... There’s a war out there... and it’s not about who’s got the most bullets. It’s about who controls the information."

    Federation of American Scientists - Intelligence Resource Program

Workshop Outline (2)

  • Security Audit

  • Intrusion Detection

  • Incident Response


  • We already have firewalls in place. Isn't that enough?

  • We did not realize we could get security audits. Can you really get security audits, just like financial audits?

  • We have already had a security audit. Why do we need another one?

Answers

  • Firewalls and other devices are simply tools to help provide security. They do not, by themselves, provide security. Using a castle as an analogy, think of firewalls and other such tools as simply the walls and watch towers. Without guards, reports, and policies and procedures in place, they provide little protection.

  • Security audits, like financial audits, should be performed on a regular basis.

Security Audit-Definitions

  • A security audit is a policy-based assessment of the procedures and practices of a site, assessing the level of risk created by these actions.

  • An assessment process, which will develop systems and procedures within an organization, create awareness amongst the employees and users and ensure compliance with legislation through periodic checking of processes, constituents and documentation.

Why Audit?

  • Determine Vulnerable Areas

  • Obtain Specific Security Information

  • Allow for Remediation

  • Check for Compliance

  • Ensure Ongoing Security

To ensure that the site’s networks and systems are efficient and foolproof

Who needs security auditing?

  • A security audit is necessary for every organization using the Internet.

  • An ongoing process that must be tried and improved to cope with the ever-changing and challenging threats.

  • Do not fear being audited; auditing is good practice.

Audit Phases

  • External Audit

    • Public information collection

    • External Penetration

      • Non-destructive test

      • Destructive test

  • Internal Audit

    • Confidential information collection

    • Security policy reviewing

    • Interviews

    • Environment and Physical Security

    • Internal Penetration

    • Change Management

  • Reporting

Audit Phases-External

  • Hacker’s view of the network

  • Simulate attacks from outside

  • Point-in-time snapshots

  • Can NEVER be 100%

External Audit-Public Information Gathering

  • Search for information about the target and its critical services provided on the Internet.

  • Network Identification

    • Identify the IP address ranges owned/used

  • Network Fingerprinting

    • Try to map the network topology

    • Perimeter model identification

  • OS & Application fingerprinting

    • OS fingerprinting

    • Port scanning to identify services and applications

    • Banner grabbing

External Audit - Some Commandments

  • Do not make ANY changes to the systems or networks

  • Do not impact processing capabilities by running scanning/ testing tools during business hours or during peak or critical periods

  • Always get permission before testing

  • Be confidential and trustworthy

  • Do not perform unnecessary attacks

External Audit-Penetration Test

  • Plan the penetration process

    • Search for vulnerabilities matching the information gathered and obtain the exploits

    • Conduct vulnerabilities assessments (ISO 17799)

  • Non-destructive test

    • Scans / test to confirm vulnerabilities

    • Make SURE not harmful

  • Destructive test

    • Only for short-term effect (DDoS, …)

    • Done from various locations

    • Done only off-peak hours to confirm effect

  • Record everything

    • Save snapshots and record everything for every test done, even if it returned a false result

    • Watch out for HONEYPOTS

Internal Audit

  • Conducted at the premises

  • A process of hacking with full knowledge of the network topology and other crucial information.

  • Also to identify threats within the organization

  • Should be 100% accurate.

  • Must be cross checked with external penetration report.

Internal Audit-Policy review

(Slide diagram: Procedures, Guidelines & Practices)

  • Everything starts with the security policy

  • If there is no policy, there is no need for a security audit.

Internal Audit-Policy review

  • Policies are studied properly and classified

  • Identify any security risks that exist within the policy

  • Interview IT staff to gain a proper understanding of the policies

  • Also to identify the level of implementation of the policies.


Cross check with security policy

Internal Audit-Information gathering

  • Discussion of the network topology

  • Placement of perimeter devices of routers and firewalls

  • Placement of mission critical servers

  • Existence of IDS

  • Logging


Cross check with security policy

Internal Audit-Environment & Physical Security

  • Locked / combination / card swipe doors

  • Temperature / humidity controls

  • Neat and orderly computing rooms

  • Sensitive data or papers lying around?

  • Fire suppression equipment

  • UPS (Uninterruptible power supply)

Section 8.1 of the ISO 17799 document defines the concepts of secure area, secure perimeter and controlled access to such areas.


Cross check with security policy

Internal Audit-Penetration

The internal penetration test can be divided into a few categories:

  • Network

  • Perimeter devices

  • Servers and OS

  • Application and services

  • Monitor and response

    Find vulnerabilities and malpractice in each category


Cross check with security policy

Internal Audit-Network

  • Location of devices on the network

  • Redundancy and backup devices

  • Staging network

  • Management network

  • Monitoring network

  • Other network segmentation

  • Cabling practices

  • Remote access to the network


Cross check with security policy

Internal Audit-Perimeter Devices

Check the configuration of perimeter devices like

  • Routers

  • Firewalls

  • Wireless AP/Bridge

  • RAS servers

  • VPN servers

Test the ACLs and filters, such as

  • Egress and ingress filters

  • Firewall rules

  • Configuration access method

  • Logging methods
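The ingress and egress filter test listed above can be scripted. What follows is an added example and not part of the workshop material: it evaluates a perimeter ACL under first-match semantics with an implicit deny at the end (an assumption modelled on router access lists) against a set of spoofed-source probe packets, and reports each probe the ACL would permit. The rule tuple format, the rule names, the internal prefix 192.0.2.0/24 and the probe addresses are all constructed for the illustration; a weak rule set is shown beside a hardened one.

```python
# Added example (not from the workshop slides): checking a perimeter ACL for
# the ingress/egress anti-spoofing filters an internal audit should test.
# The rule tuple format, first-match-with-implicit-deny semantics and the
# address ranges below are assumptions made for this illustration.
import ipaddress

# Assumption: the audited site owns 192.0.2.0/24 (a documentation prefix).
INTERNAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]

# Source ranges that must never arrive from the Internet.
BOGON_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed rule sets: (name, direction on the outside interface, action, source, destination).
WEAK_RULES = [
    ("in-1",  "ingress", "deny",   "192.0.2.0/24", "0.0.0.0/0"),      # blocks our own range only
    ("in-2",  "ingress", "permit", "0.0.0.0/0",    "192.0.2.10/32"),  # public web server
    ("out-1", "egress",  "permit", "0.0.0.0/0",    "0.0.0.0/0"),      # any source may leave
]
HARDENED_RULES = [
    ("in-1",  "ingress", "deny",   "192.0.2.0/24",   "0.0.0.0/0"),
    ("in-2",  "ingress", "deny",   "10.0.0.0/8",     "0.0.0.0/0"),
    ("in-3",  "ingress", "deny",   "172.16.0.0/12",  "0.0.0.0/0"),
    ("in-4",  "ingress", "deny",   "192.168.0.0/16", "0.0.0.0/0"),
    ("in-5",  "ingress", "deny",   "127.0.0.0/8",    "0.0.0.0/0"),
    ("in-6",  "ingress", "permit", "0.0.0.0/0",      "192.0.2.10/32"),
    ("out-1", "egress",  "permit", "192.0.2.0/24",   "0.0.0.0/0"),    # only our own addresses leave
]


def evaluate(rules, direction, src_ip, dst_ip):
    """First-match evaluation of the ACL; unmatched traffic hits the implicit deny."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for name, rule_dir, action, rule_src, rule_dst in rules:
        if rule_dir != direction:
            continue
        if src in ipaddress.ip_network(rule_src) and dst in ipaddress.ip_network(rule_dst):
            return action, name
    return "deny", "implicit"


def antispoof_probes(internal_nets=INTERNAL_NETS, bogon_nets=BOGON_NETS):
    """Packets a correctly filtered perimeter must drop: (direction, src, dst, reason)."""
    target = str(internal_nets[0][10])  # an internal host, 192.0.2.10 with the assumption above
    probes = [("ingress", str(net[5]), target, "internal source arriving from outside")
              for net in internal_nets]
    probes += [("ingress", str(net[1]), target, "private/bogon source arriving from outside")
               for net in bogon_nets]
    # Outbound packet whose source is not ours: without egress filtering it leaves unchallenged.
    probes.append(("egress", "203.0.113.7", "198.51.100.1", "non-internal source leaving the network"))
    return probes


def audit_antispoof(rules, internal_nets=INTERNAL_NETS, bogon_nets=BOGON_NETS):
    """Return one finding string per probe the ACL lets through."""
    findings = []
    for direction, src, dst, reason in antispoof_probes(internal_nets, bogon_nets):
        action, name = evaluate(rules, direction, src, dst)
        if action == "permit":
            findings.append(f"{name}: {direction} permits {src} -> {dst} ({reason})")
    return findings


if __name__ == "__main__":
    for label, rules in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        print(label, audit_antispoof(rules) or ["no anti-spoofing gaps found"])
```

The weak set fails five probes: the four bogon sources pass through the broad `in-2` permit because only the site's own range is denied ahead of it, and `out-1` lets a packet with a foreign source address leave. The hardened set places the deny entries before the permit and restricts egress to the internal prefix, so every probe falls through to a deny.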


Cross check with security policy

Internal Audit-Server & OS

  • Identify mission-critical servers like DNS, Email and others

  • Examine the OS and the patch levels

  • Examine the ACL on each server

  • Examine the management controls: accounts & passwords

  • Placement of the servers

  • Backup and redundancy


Cross check with security policy

Internal Audit-Application & Services

Identify the services and applications running on the mission-critical servers. Check for vulnerabilities in the versions running. Remove unnecessary services/applications.

  • DNS

    • Name services (BIND)

  • Email

    • POP3, SMTP

  • Web/Http

  • SQL

  • Others


Cross check with security policy

Internal Audit-Monitor & Response

Check for procedures on

  • Event Logging and Audit

    • What is logged?

    • How frequently are logs reviewed?

    • How long are logs kept?

  • Network monitoring

    • What is monitored?

    • Is there a response alert?

  • Intrusion Detection

    • Is an IDS in place?

    • What rules and detection methods are used?

  • Incident Response

    • How is an attack responded to?

    • What is the recovery plan?

    • Follow up?

Internal Audit-Analysis and Report

  • Analysis result

    • Check compliance with security policy

    • Identify weakness and vulnerabilities

    • Cross check with external audit report

  • Report- key to realizing value

    • Must have two parts

      • Non-technical (for management use)

      • Technical (for IT staff)

    • Methodology of the entire audit process

    • Separate Internal and External

    • State weaknesses/vulnerabilities

    • Suggest solutions to harden security

More Tools….

  • Inetmon

  • Firewalk

  • Dsniff

  • RafaleX

  • NetStumbler

  • RAT (Router Audit Tool)-CIS

  • Retina scan tools

  • MBSA

Nmap-Defacto Standard

  • Even in The Matrix, nmap was used

Intrusion Detection

  • Intrusion Detection is the process of monitoring computer networks and systems for violations of security.

  • An Intrusion – any set of actions that attempt to compromise the integrity, confidentiality or availability of a resource.

  • All intrusions are defined relative to a security policy

    • The security policy defines what is permitted and what is denied on a network/system

    • Unless you know what is and is not permitted, it’s pointless to attempt to catch intrusions

Intrusion Detection

  • Manual Detection

    • Check the log files for unusual behavior

    • Check the setuid and setgid of files

    • Check important binaries

    • Check for usage of sniffing programs

  • Automatic (partially??)

    • Intrusion Detection Systems

Intrusion Detection Systems

  • Goal

    • To detect intrusion real time and respond to it

  • False positive

    • No intrusion but alarm

    • Too many make your life miserable

  • False negative

    • Intruder not detected

    • System is compromised

Intrusion Detection -Detection Schemes

  • Misuse Detection

    • The most common technique, where incoming/outgoing traffic is compared against well-known 'signatures'. For example, a large number of failed TCP connections to a wide variety of ports indicates somebody is doing a TCP port scan

  • Anomaly Detection

    • Uses statistical analysis to find changes from baseline behavior (such as a sudden increase in traffic, CPU utilization, disk activity, user logons, file accesses, etc.). This technique is weaker than signature recognition, but has the benefit that it can catch attacks for which no signature exists. Anomaly detection is mostly theoretical at this point and is the topic of extensive research
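Both schemes can be shown on the same data. The following is an added example, not from the slides or any IDS product they name: it runs a signature check for the port-scan pattern just described (many denied connections from one source to many distinct ports within a short window) and a statistical baseline check for a sudden rise in denied connections per minute, over constructed firewall log lines. The log format, the thresholds, the baseline counts and all addresses are assumptions made for the illustration.

```python
# Added example (not from the workshop slides): misuse (signature) detection
# beside anomaly (baseline deviation) detection on constructed firewall log
# lines. The log format, thresholds and baseline values are assumptions.
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample log in an assumed "<ISO time> <action> TCP <src>:<sport> -> <dst>:<dport>" format.
SAMPLE_LOG = """\
2003-08-12T10:00:01 DENY TCP 203.0.113.7:40001 -> 192.0.2.10:21
2003-08-12T10:00:02 DENY TCP 203.0.113.7:40002 -> 192.0.2.10:22
2003-08-12T10:00:03 DENY TCP 203.0.113.7:40003 -> 192.0.2.10:23
2003-08-12T10:00:04 DENY TCP 203.0.113.7:40004 -> 192.0.2.10:25
2003-08-12T10:00:05 DENY TCP 203.0.113.7:40005 -> 192.0.2.10:53
2003-08-12T10:00:06 DENY TCP 203.0.113.7:40006 -> 192.0.2.10:110
2003-08-12T10:00:07 DENY TCP 203.0.113.7:40007 -> 192.0.2.10:111
2003-08-12T10:00:08 DENY TCP 203.0.113.7:40008 -> 192.0.2.10:135
2003-08-12T10:00:09 DENY TCP 203.0.113.7:40009 -> 192.0.2.10:139
2003-08-12T10:00:10 DENY TCP 203.0.113.7:40010 -> 192.0.2.10:143
2003-08-12T10:00:11 DENY TCP 203.0.113.7:40011 -> 192.0.2.10:443
2003-08-12T10:00:12 DENY TCP 203.0.113.7:40012 -> 192.0.2.10:3306
2003-08-12T10:01:00 ALLOW TCP 198.51.100.5:51000 -> 192.0.2.10:80
2003-08-12T10:01:30 DENY TCP 198.51.100.9:52000 -> 192.0.2.10:25
2003-08-12T10:01:45 DENY TCP 198.51.100.9:52001 -> 192.0.2.10:25
"""

# Constructed baseline: denied connections per minute observed on ordinary days.
BASELINE_DENIES_PER_MINUTE = [2, 3, 1, 2, 4, 2, 3, 2, 1, 3]

LOG_RE = re.compile(r"^(\S+) (DENY|ALLOW) TCP ([\d.]+):(\d+) -> ([\d.]+):(\d+)$")


def parse_log(text):
    """Turn matching log lines into event dicts; lines in another format are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts, action, src, _sport, dst, dport = m.groups()
        events.append({"ts": datetime.fromisoformat(ts), "action": action,
                       "src": src, "dst": dst, "dport": int(dport)})
    return events


def detect_port_scans(events, min_ports=10, window_seconds=60):
    """Misuse detection: a fixed signature, namely one source whose denied
    connections touch at least min_ports distinct destination ports inside a
    sliding window of window_seconds. Returns (source, distinct_ports) alerts."""
    denies = defaultdict(list)
    for e in events:
        if e["action"] == "DENY":
            denies[e["src"]].append(e)
    alerts = []
    for src, evs in denies.items():
        evs.sort(key=lambda e: e["ts"])
        best, start = 0, 0
        for end in range(len(evs)):
            while (evs[end]["ts"] - evs[start]["ts"]).total_seconds() > window_seconds:
                start += 1
            best = max(best, len({e["dport"] for e in evs[start:end + 1]}))
        if best >= min_ports:
            alerts.append((src, best))
    return alerts


def denies_per_minute(events):
    """Count denied connections per calendar minute (the statistic the baseline describes)."""
    counts = defaultdict(int)
    for e in events:
        if e["action"] == "DENY":
            counts[e["ts"].strftime("%Y-%m-%dT%H:%M")] += 1
    return dict(counts)


def detect_volume_anomalies(counts, baseline, z_threshold=3.0):
    """Anomaly detection: flag minutes whose count lies more than z_threshold
    standard deviations above the baseline mean. Returns (minute, count, z)."""
    mean, sd = statistics.mean(baseline), statistics.stdev(baseline)
    anomalies = []
    for minute in sorted(counts):
        z = (counts[minute] - mean) / sd
        if z > z_threshold:
            anomalies.append((minute, counts[minute], round(z, 1)))
    return anomalies


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("port scans:", detect_port_scans(evs))
    print("volume anomalies:", detect_volume_anomalies(denies_per_minute(evs), BASELINE_DENIES_PER_MINUTE))
```

On the sample data the signature fires on the scanning source (12 distinct ports inside the window) and the anomaly check flags the same minute because 12 denies sit about ten standard deviations above the baseline mean of 2.3. The second source, which only retries port 25, triggers neither check. The two functions illustrate the trade-off stated above: the signature is precise but matches only the pattern it encodes, while the baseline check needs no knowledge of the attack but would also fire on any benign surge.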

Intrusion Detection -Detection

  • Misuse Detection

    • Detect Known Attack Signatures

    • Advantage:

      • Low False Positive Rate

    • Drawbacks:

      • Only Known Attacks

      • Costs for Signature Management

  • Anomaly Detection

    • Learn Normal Profiles from User and System Behavior

    • Detect Anomaly

    • Advantage

      • Detect Unknown Attacks

    • Drawbacks

      • Difficulty of Profiling

      • Profile can be controlled by intruders

      • High false positive rate

Network IDS

  • Uses network packets as the data source

  • Searches for patterns in packets

  • Searches for patterns of packets

  • Searches for packets that shouldn't be there

  • May ‘understand’ a protocol for effective pattern searching and anomaly detection

  • May passively log, alert with SMTP/SNMP or have real-time GUI

Network IDS Strength

  • Lower cost of ownership

    • Fewer detection points required

    • Greater view

    • More manageable

  • Detects attacks that host-based systems miss

    • IP based Denial of Service

    • Packet or Payload Content

  • More difficult for an attacker to remove evidence

    • Uses live network traffic

    • Captured network traffic

Network IDS Strength

  • Real time detection and response

    • Faster notification and responses

    • Can stop before damage is done (TCP reset)

    • Detects unsuccessful attacks and malicious intent

  • Outside a DMZ

    • See attempts blocked by firewall

    • Critical information obtained can be used on policy refinement

  • Operating system independence

    • Does not require information from the target OS

    • Does not have to wait until the event is logged

    • No impact on the target

Network IDS Limitations

  • Obtaining packets - topology & encryption

  • Number of signatures

  • Quality of signatures

  • Performance

  • Network session integrity

  • Understanding the observed protocol

  • Disk storage

Host Based IDS

  • Signature log analysis

    • application and system

  • File integrity checking

    • MD5 checksums

  • Enhanced Kernel Security

    • API access control

    • Stack security

  • Some products listen to port activity and alert administrator when specific ports are accessed
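The file integrity checking listed above, together with the setuid/setgid and important-binary checks from the manual detection slide, can be done with a short script. The following is an added example, not from the slides or any product they name: it baselines a digest and the permission bits of every regular file under a directory, then reports modifications, additions, deletions, mode changes and files that gained setuid or setgid. The directory tree and the tampering are constructed inside a temporary directory so it runs stand-alone; SHA-256 is the default digest, with MD5 (the algorithm the slide mentions) selectable through the `algorithm` parameter.

```python
# Added example (not from the workshop slides): a minimal host-based file
# integrity check. Directory contents, file names and the tampering below
# are constructed for the illustration.
import hashlib
import os
import stat
import tempfile

SUID_BITS = stat.S_ISUID | stat.S_ISGID


def file_digest(path, algorithm="sha256"):
    """Stream the file through hashlib; "md5" (as on the slide) also works but is weak."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root, algorithm="sha256"):
    """Map relative path -> (digest, mode bits) for every regular file under root."""
    entries = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks, devices and sockets are not hashed
            entries[os.path.relpath(full, root)] = (file_digest(full, algorithm), stat.S_IMODE(st.st_mode))
    return entries


def compare(baseline, current):
    """Return (finding, path) pairs describing how current differs from baseline."""
    findings = []
    for path in sorted(set(baseline) | set(current)):
        if path not in current:
            findings.append(("deleted", path))
            continue
        digest, mode = current[path]
        if path not in baseline:
            findings.append(("added", path))
            was_suid = False
        else:
            old_digest, old_mode = baseline[path]
            if digest != old_digest:
                findings.append(("modified", path))
            if mode != old_mode:
                findings.append(("mode-changed", path))
            was_suid = bool(old_mode & SUID_BITS)
        # A setuid/setgid bit that was not in the baseline is reported on its own.
        if mode & SUID_BITS and not was_suid:
            findings.append(("new-setuid-setgid", path))
    return findings


def demo():
    """Build a constructed tree, baseline it, tamper with it, and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        bin_dir = os.path.join(root, "bin")
        os.makedirs(bin_dir)
        ls = os.path.join(bin_dir, "ls")
        with open(ls, "wb") as f:
            f.write(b"original ls binary\n")
        os.chmod(ls, 0o755)
        with open(os.path.join(root, "passwd"), "wb") as f:
            f.write(b"root:x:0:0:root:/root:/bin/sh\n")
        baseline = snapshot(root)

        # Simulated tampering: a replaced binary, a new setuid file, a deleted file.
        with open(ls, "wb") as f:
            f.write(b"replaced ls binary\n")
        sh = os.path.join(bin_dir, "sh")
        with open(sh, "wb") as f:
            f.write(b"shell\n")
        os.chmod(sh, 0o4755)
        os.remove(os.path.join(root, "passwd"))
        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for finding, path in demo():
        print(f"{finding:<18} {path}")
```

In use, the baseline from `snapshot` would be stored off the monitored host (read-only media or a remote store), since a baseline kept on the system can be rewritten by the same intruder who modified the files, which is the limitation the next slides note for host-based IDS.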

Host IDS Strength

  • Verifies success or failure of an attack

    • Log verification

  • Monitors specific system activities

    • File access

    • Logon / Logoff activity

    • Account changes

    • Policy changes

  • Detects attacks that network-based IDS may miss

    • Keyboard attacks

    • Brute-Force logins

Host Based IDS Limitations

  • Places load on system

  • Disabling system logging

  • Kernel modifications to avoid file integrity checking (and other stuff)

  • Management overhead

  • Network IDS Limitations

Characteristic of a Good IDS

  • Impose minimal overhead

    • Does not slow down the system

  • Observe deviations from normal behavior

  • Easily tailored to any system

  • Cope with changing system behavior over time as applications are being added

    • High adaptation

Network Honeypots

  • Sacrificial system(s) or sophisticated simulations

  • Any traffic to the honeypot is considered suspicious

  • If a scanner bypassed the NIDS, HIDS and firewalls, they still may not know that a Honeypot has been deployed

Network Honeypots

Some IDS

  • Commercial

    • Real Secure by ISS

    • VCC/Tripwire TM

    • CMDS by SAIC

    • NetRanger by Wheelgroup

  • Freeware/Opensource

    • Snort (

Incident Response

  • Incident: An action likely to lead to grave consequences

    • Data loss may lead to commercial loss.

    • Confidentiality breached.

    • Political issues…

    • Network breakdown lead to service and information flow disruption.

    • Many more..

Incident Response

  • Response: An act of responding.

    • Something constituting a reply or a reaction.

    • The activity or inhibition of previous activity of an organism or any of its parts resulting from stimulation

    • The output of a transducer or detecting device resulting from a given input.

  • Ideally Incident Response would be a set of policies that allow an individual or individuals to react to an incident in an efficient and professional manner thereby decreasing the likelihood of grave consequences.

  • ISO 17799

    • Outlines Comprehensive Incident Response and Internal Investigation Procedures

    • Detailed Provisions on Computer Evidence Preservation and Handling

Incident Response -Purpose

  • Minimize overall impact.

    • Hide from public scrutiny.

    • Stop further progression.

    • Involve key personnel.

    • Control situation.

  • Recover Quickly & Efficiently.

    • Respond as if going to prosecute.

    • If possible replace system with new one.

    • Priority one, business back to normal.

    • Ensure all participants are notified.

    • Record everything.

  • Secure System.

    • Lock down all known avenues of attack.

    • Assess system for unseen vulnerabilities.

    • Implement proper auditing.

    • Implement new security measures.

  • Follow-up (a continuous process).

    • Ensure that all systems are secure.

    • Continue prosecution.

    • Securely store all evidence and notes.

    • Distribute lessons learned.

Incident Verification

  • How are we certain that an incident occurred?

  • Verify the Incident!

  • Where to find information?

    • Intrusion Logs

    • Firewall Logs

    • Interviews

      • Emails, Network Admin, Users, ISP, etc…

Verification: What do we know?

  • Three situations

    • 1. Verification without touching the system

    • 2. Verification by touching the system minimally. You have a clue or two where to look.

    • 3. Verification by full analysis of live system to find any evidence that an incident has occurred.

Secure Incident Scene

  • What exactly does this mean?

    • Limit the amount of activity on the system to as little as possible

      • Limit damage by isolating

      • ONE person perform actions

      • Limit affecting the crime environment

      • Record your actions

Preserve Everything!

  • Anything and everything you do will change the state of the system

    • POWER OFF? Changes it.

    • Leave it plugged in? Changes it.

    • Obtaining a backup will change the system

    • Unplug the network? Changes it.

    • Even Doing Nothing will ALSO change the state of the system.

Incident Scene Snapshot

  • Record state of computer

    • Photos, State of computer, What is on the screen?

    • What is obviously running on the screen?

      • Xterm?

      • X-windows?

    • Should you port scan the affected computer?

      • Pros: You can see all active and listening ports

      • Cons: It affects the computer and some backdoors log how many connections come into them and could tip off the bad guy

Unplug power from system?

  • This method may be the most damaging to effective analysis though there are some benefits as well

    • Benefits include that you can now move the system to a more secure location and that you can physically remove the hard drive from the system

    • Cons… you lose evidence of all running processes and memory

Unplug from Network?

  • Unplug from the network?

    • Unplug it from the network and plug the distant end into a small hub that is not connected to anything else.

    • Most systems will write error messages into log files if not on a network.

    • If you make the computer think it is still on a network, you will succeed in limiting the amount of changes to that system.

Backup or Analyze?

  • Should you backup the system first?

  • Should you find the extent of the damage?

  • Set up in policy for your incident response:

    • It depends on the system and what you need it for.

    • To get BEST evidence BACKUP first at the cost of time to get answers

    • To get FAST answers ANALYZE first at the cost of getting best evidence

    • Label systems with priority. Some will need answers quicker than your ability to get best evidence.

Finding Clues

  • Once backup is done start looking for clues

  • Be careful to avoid tampering with the system when it is in the middle of a backup.

  • Even though the emphasis might be to quickly assess the WHAT of a situation, if you try and answer that question without preserving the scene of the crime you will inadvertently erase the evidence you seek

  • Be patient; it is meticulous work

Finding Clues

  • What are we really looking for?

    • DATES and TIMES

  • We need to find one clue, and once we do, everything else almost always falls into place
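Pinning down dates and times usually means lining up logs from several sources that each record time differently. The following is an added example, not part of the presentation: it normalises three constructed log formats (an ISO 8601 firewall log with an offset, an Apache-style web log, and syslog lines that carry neither year nor zone) to UTC, merges them into one ordered timeline, and pulls out the events around one known clue. The log contents, the year supplied for the syslog lines and the time zone assigned to each source are assumptions made for the illustration.

```python
# Added example (not from the workshop slides): building one UTC timeline from
# several log sources. The three log formats, the syslog year and the time
# zones below are assumptions made for this illustration.
import re
from datetime import datetime, timedelta, timezone

# Constructed evidence from three sources with three different timestamp styles.
FIREWALL_LOG = """\
2003-08-12T18:02:10+09:00 DENY TCP 203.0.113.7 -> 192.0.2.10:22
2003-08-12T18:03:40+09:00 ALLOW TCP 203.0.113.7 -> 192.0.2.10:80
"""
WEB_LOG = """\
203.0.113.7 - - [12/Aug/2003:18:03:41 +0900] "GET /cgi-bin/test.cgi HTTP/1.0" 200 512
"""
SYSLOG = """\
Aug 12 09:05:02 www sshd[812]: Accepted password for admin from 203.0.113.7 port 40122
"""
SYSLOG_YEAR = 2003        # assumption: classic syslog lines carry no year
SYSLOG_TZ = timezone.utc  # assumption: the host "www" keeps its clock in UTC

FW_RE = re.compile(r"^(\S+) (.*)$")
WEB_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d+) \d+$')
SYS_RE = re.compile(r"^([A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) (\S+) (.*)$")


def parse_firewall(text):
    """ISO 8601 timestamps with an explicit offset, normalised to UTC."""
    events = []
    for line in text.splitlines():
        m = FW_RE.match(line)
        if m:
            ts = datetime.fromisoformat(m.group(1)).astimezone(timezone.utc)
            events.append((ts, "firewall", m.group(2)))
    return events


def parse_web(text):
    """Apache common log format, e.g. [12/Aug/2003:18:03:41 +0900]."""
    events = []
    for line in text.splitlines():
        m = WEB_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z").astimezone(timezone.utc)
            events.append((ts, "web", f'{m.group(1)} "{m.group(3)}" {m.group(4)}'))
    return events


def parse_syslog(text, year=SYSLOG_YEAR, tz=SYSLOG_TZ):
    """Syslog timestamps lack year and zone; both come from the assumptions above."""
    events = []
    for line in text.splitlines():
        m = SYS_RE.match(line)
        if m:
            naive = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            ts = naive.replace(tzinfo=tz).astimezone(timezone.utc)
            events.append((ts, f"syslog/{m.group(2)}", m.group(3)))
    return events


def build_timeline(*event_lists):
    """Merge (utc_time, source, detail) tuples from all sources, ordered by time."""
    return sorted((e for lst in event_lists for e in lst), key=lambda e: e[0])


def events_around(timeline, pivot, minutes=5):
    """Events within +/- minutes of one known clue time, e.g. a suspicious login."""
    lo, hi = pivot - timedelta(minutes=minutes), pivot + timedelta(minutes=minutes)
    return [e for e in timeline if lo <= e[0] <= hi]


def demo_timeline():
    """The merged timeline for the constructed evidence above."""
    return build_timeline(parse_firewall(FIREWALL_LOG), parse_web(WEB_LOG), parse_syslog(SYSLOG))


if __name__ == "__main__":
    for ts, source, detail in demo_timeline():
        print(ts.isoformat(), f"{source:<12}", detail)
```

Once normalised, the firewall entries at 18:02 and 18:03 local time sort ahead of the syslog login at 09:05 UTC rather than after it, which is the kind of ordering error that wrong or missing zone information produces. Recording each source's clock offset (and checking it against a reference clock) during the incident snapshot is what makes this step reliable.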

What Next?

  • Prosecute??

  • Apply short-term solutions to contain an intrusion

  • Eliminate all means of intruder access

  • Return systems to normal operation

  • Identify and implement security lessons learned

Useful Links
Incident Response Resources

  • Incident Response, Electronic Discovery, and Computer Forensics

  • Security Focus

  • The Federal Computer Incident Response Center (FedCIRC)

  • The Canadian Office of Critical Infrastructure Protection and Emergency Preparedness

  • Incident Handling Links & Documents (75 links)

  • SEI: Handbook for Computer Security Incident Response Teams

  • CERT/CC: Computer Security Incident Response

  • CERT/CC: Responding to Intrusions

  • AuCERT: Forming an Incident Response Team

  • SANS: S.C.O.R.E

White Papers

  • Security Management: Understanding ISO 17799

    • Microsoft IIS Unicode Exploit

    • Worrisome New Windows Attacks

    • PKI: How it Works

    • IPSec: What Makes it Work