1 / 35

Auditing and Assessments

Auditing and Assessments. Lesson 18. Overview. The Hacker mindset The Cracker mindset What are security assessments Example penetration test What are they good for. The Hacker mindset. Hacker is someone who tries to “figure out how things work”

winka
Download Presentation

Auditing and Assessments

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Auditing and Assessments Lesson 18

  2. Overview • The Hacker mindset • The Cracker mindset • What are security assessments • Example penetration test • What are they good for

  3. The Hacker mindset • Hacker is someone who tries to “figure out how things work” • Originally a term of respect given to the uber-geek • Someone who could quickly create software code that worked – ie… hack out a routine • Original hackers were often looking for loopholes to increase their allotment of CPU time on early mainframes • Quest for knowledge

  4. The Cracker mindset • Someone who tries to break into a computer system for malicious purposes (defacement, theft, fraud, denial of service) • Thought to have been coined by hackers to differentiate themselves in the 1980s • Media uses hacker when they usually mean cracker • Key is intent of actions and attitude

  5. The Cracker mindset (cont.) • Lots of examples of cracker activity • Theft: CD Universe and 300,000 credit cards • Russian cracker named Maxus • Ransom demand of $100K to $300K • January 2000 • Defacements • Internet is a tempting target • BizRate.com estimated sales of $1.2B during a single week of December 2000

  6. Typical Cracker Activity 2/18/01

  7. What are security assessments • Assessments are an examination of current security posture • Good mechanism to find and fix holes before someone else finds them • Keep in mind – someone else is looking for security holes even if you aren’t

  8. What are security assessments • Three common terms for security assessments • Security Audit • Risk Assessment • Penetration Test • They may sometimes be used synonymously but they are not the same

  9. What are security assessments • Security Audit • More of a compliance check • Checklists and standards • Policies and procedures • Backups • Verification • Are you doing what you are supposed to be doing • BS 7799 (British Standards Institute Code of Practice for Information Security Management) • Controls and practices

  10. What are security assessments • Risk Assessment • Also more of an academic exercise • Weighs likelihood against impact • Weighs cost against benefit • Much more business oriented

  11. What are security assessments • Penetration Test • Looks for security vulnerabilities • Unpatched operating system or application • Known security holes • Accounts with weak or no passwords • Examines impact of discovered vulnerabilities • Targets digital, physical, and personnel (social engineering) • Hands on test of network security • More thorough and effective

  12. First Steps • Find the Work • Client approaches you • Salesperson approaches client • Request for Proposal (RFP) • Competitive situation • Several to many responses • Client evaluates responses and picks a vendor • Ask questions and get clarifications

  13. Building the Proposal • Address the Client’s Needs • Figure out what they want • Tell them what you are going to do • Tell them how long it is going to take • Tell them what they are going to get • Tell them why they should pick you • Tell them how much it is going to cost • Don’t be afraid to give them options

  14. Penetration Testing • Preassessment Discussion • Establish goal of assessment • Establish target list • Determine client’s areas of concerns • Discuss areas of coordination • Determine POCs and timeline • Establish ground rules • Set expectations **Two way exchange of information**

  15. Penetration Testing • Information Gathering • Operating systems • Application versions • IP addresses and names • Open services (port scanning) • Response patterns • Traffic flow – what’s allowed in and what’s allowed back out

  16. Penetration Techniques • Breaking into computers and networks can involve technical attacks or social engineering. • Technical attack: involve • Eavesdropping • Breaches of access controls • Social Engineering (misrepresentation): relies on lies, bribes and forms of seduction that can trick honest or marginally dishonest employees into revealing authentication information.

  17. Technical Attacks • Breaching access controls • Brute Force attacks • Demon/war dialing • Exhaustive search for userid/password • Scavenging RAM • Intelligent Guesswork • Canonical passwords (default passwords & accounts) • BAD passwords • Discarded Media • Shoulder surfing

  18. Technical Attacks • Intercepting Communications • Can obtain information by monitoring communication between a peripheral node and the host. • Wiretapping – intercepting the data stream on a communications channel • Phone lines, leased lines, long distance transmissions • Internet connections • LAN sniffers • Optical fiber: can be tapped • Wireless • Radio and wireless phones, wireless networks • Cellular • Packet radio • Van Eck interception (emanations security)

  19. Technical Attacks • Penetration Testing • Look for vulnerabilities in applications and services • Commercial and freeware scanners • Many specialized freeware vulnerability scanners • Whisker scans for over 500 web-based vulnerabilities • Can scan over SSL • Has IDS evasion modes • Very powerful in the right hands • There’s a scanner for most major vulnerabilities • Freeware scanners are usually better and more up to date • Examine each target and services on the target • Examine logins and use brute force tools if allowed • Lots of research

  20. Technical Attacks • Penetration Testing – Web Testing • Scan for vulnerabilities • Example: Microsoft IIS 4.0 / 5.0 Extended UNICODE Directory Traversal Vulnerability • Published in Oct 2000 • Access to files with IUSR account permissions on same logical drive as the web server • Can give cmd line access to remote attacker • Scan for presence of sample materials • Examine code of web pages (view source) • Examine input fields • Create test accounts if allowed

  21. Technical Attacks • Penetration Testing – Dial Up • Often overlooked access method • Often unsecured • Dial company phone numbers looking for modems • Several commercial and freeware scanners available • Test security of discovered modems • Default passwords work most of the time • Test remote access packages with client software • Penetration Testing – Wireless Networks • Often left with little or no security • Footprint often extends into publicly accessible areas

  22. Social Engineering • Penetration Testing – Social Engineering • Might not be allowed • Trying to trick someone into giving you access • Pose as administrator • Pose as new user • Sound like you belong • Lying • Impersonating authorized personnel • Impersonating 3rd party personnel • Subverting Employees and 3rd party personnel • Bribery • Seduction • Extortion • Blackmail

  23. Physical Techniques • Penetration Testing – Physical • Door and lock testing • Are servers locked up • Is access to telco closets secured • Shoulder surfing • Clipboard testing • Dumpster diving • Work area security • Do employees use password protected screensavers • Passwords on stickies • Sensitive materials left out

  24. Results • Document and catalog • Determine extent of discovered vulnerabilities to answer “how bad is it” • Record discoveries, systems affected, method of exploit, accounts and systems compromised • Must keep information organized

  25. Reporting • Report generation • Provide management level summary • Provide technical level summary • Present findings in a clear and specific manner • Provide solutions to eliminate or mitigate vulnerabilities • Report is usually the only physical remnant of the assessment

  26. Countermeasures • Strengthening the perimeter • Identification – single sign-on decreases risk somebody writes something down • Authentication – designed to make impersonation difficult • Biometrics • Callback • Smart cards and tokens • One time passwords • Encryption • Transmission • Data storage • Monitoring

  27. What is the point • Helps your client conduct business in a safer manner • Helps protect against fraud, loss, or theft • Answers the “what if” questions • Helps ensure integrity, availability, and confidentiality of client data • Helps prevent your client from becoming the next headline

  28. Things to do • Planning • Outline proposed activities • Request information from the client • Coordination • Let the client POC know when and where testing occurs • Tell the client all the possible impacts before testing starts

  29. Things to do • Involvement • Keep the client POC in the loop during testing • Depending on arrangement, major findings may be discussed immediately upon discovery • Minimize Surprises • Prepare your client for the unexpected • Assessment teams usually find something • Sometimes the extent of discovery is troubling • Be prepared for follow-up actions • Report should contain next steps and recommendations

  30. Things to do • Report • Spend enough time writing the report • Discuss the report with the client • Make sure the client understands exactly what’s in the report and what it means • Help client develop a plan of action • Fix biggest vulnerabilities or easiest ones first • Follow up with client • An assessment should not be a one shot arrangement • Perform periodic assessments

  31. What clients consider when choosing a security firm • Determine their needs • What are we trying to accomplish • What do we need to fix • What are we looking for • Compare and Contrast • Expertise • Name recognition • Past clients (careful here, many security firms don’t release past client information) • Reputation • Service Offerings

  32. Choosing a security firm • Personnel • Backgrounds • Capabilities • Responsiveness • Flexibility • Clients want someone willing to provide exactly what they want • Clients tend to avoid cookie cutter firms • Samples of work • Clients usually ask for sample reports

  33. What clients consider when choosing a security firm • Personality • Are they easy to talk to • Do they listen • Are they always “on the clock” • Can you work with this firm on a long-term basis • Do you trust them with your company’s biggest secrets

  34. Final Thoughts

  35. Summary • What is the Importance and Significance of this material? • How does this topic fit into the subject of “Voice and Data Security”?

More Related