Assessments Lesson 3
The Hacker mindset
• A hacker is someone who tries to “figure out how things work”
• Originally a term of respect given to the uber-geek
• Someone who could quickly create software code that worked, i.e. hack out a routine
• Original hackers were often looking for loopholes to increase their allotment of CPU time on early mainframes
• Quest for knowledge
The Cracker mindset
• Someone who tries to break into a computer system for malicious purposes (defacement, theft, fraud, denial of service)
• Thought to have been coined by hackers to differentiate themselves in the 1980s
• Media uses hacker when they usually mean cracker
• Key is intent of actions and attitude
The Cracker mindset (cont.)
• Lots of examples of cracker activity
• Theft: CD Universe and 300,000 credit cards
• Russian cracker named Maxus
• Ransom demand of $100K to $300K
• January 2000
• Defacements
• Internet is a tempting target
• BizRate.com estimated sales of $1.2B during a single week of December 2000
What are security assessments
• Assessments are an examination of an organization’s current security posture
• A good mechanism to find and fix holes before someone else finds them
• Keep in mind – someone else is looking for your security holes even if you aren’t
What are security assessments
• Three common terms for security assessments
• Security Audit
• Risk Assessment
• Penetration Test
• They may sometimes be used synonymously but they are not the same
What are security assessments
• Security Audit
• More of a compliance check
• Checklists and standards
• Policies and procedures
• Backups
• Verification
• Are you doing what you are supposed to be doing
• BS 7799 (British Standards Institute Code of Practice for Information Security Management)
• Controls and practices
What are security assessments
• Risk Assessment
• Also more of a paper exercise
• Weighs likelihood against impact
• Weighs cost against benefit
• Much more business oriented
What are security assessments
• Penetration Test
• Looks for security vulnerabilities
• Unpatched operating system or application
• Known security holes
• Accounts with weak or no passwords
• Examines impact of discovered vulnerabilities
• Targets digital, physical, and personnel (social engineering)
• Hands on test of network security
• More thorough and effective
Penetration Techniques
• Breaking into computers and networks can involve technical attacks or social engineering.
• Technical attacks involve:
• Eavesdropping
• Breaches of access controls
• Social engineering (misrepresentation) relies on lies, bribes and forms of seduction that can trick honest or marginally dishonest employees into revealing authentication information.
Technical Attacks
• Breaching access controls
• Brute Force attacks
• Demon/war dialing
• Exhaustive search for userid/password
• Scavenging RAM
• Intelligent Guesswork
• Canonical passwords (default passwords & accounts)
• BAD passwords
• Discarded Media
• Shoulder surfing
Technical Attacks
• Intercepting Communications
• Can obtain information by monitoring communication between a peripheral node and the host.
• Wiretapping – intercepting the data stream on a communications channel
• Phone lines, leased lines, long distance transmissions
• Internet connections
• LAN sniffers
• Optical fiber: can be tapped
• Wireless
• Radio and wireless phones, wireless networks
• Cellular
• Packet radio
• Van Eck interception (emanations security)
Technical Attacks
• Penetration Testing
• Look for vulnerabilities in applications and services
• Commercial and freeware scanners
• Many specialized freeware vulnerability scanners
• Whisker scans for over 500 web-based vulnerabilities
• Can scan over SSL
• Has IDS evasion modes
• Very powerful in the right hands
• There’s a scanner for most major vulnerabilities
• Freeware scanners are usually better and more up to date
• Examine each target and services on the target
• Examine logins and use brute force tools if allowed
• Lots of research
Technical Attacks
• Penetration Testing – Web Testing
• Scan for vulnerabilities
• Example: Microsoft IIS 4.0 / 5.0 Extended UNICODE Directory Traversal Vulnerability
• Published in Oct 2000
• Access to files with IUSR account permissions on same logical drive as the web server
• Can give cmd line access to remote attacker
• Scan for presence of sample materials
• Examine code of web pages (view source)
• Examine input fields
• Create test accounts if allowed
Technical Attacks
• Penetration Testing – Dial Up
• Often overlooked access method
• Often unsecured
• Dial company phone numbers looking for modems
• Several commercial and freeware scanners available
• Test security of discovered modems
• Default passwords work most of the time
• Test remote access packages with client software
• Penetration Testing – Wireless Networks
• Often left with little or no security
• Footprint often extends into publicly accessible areas
Social Engineering
• Penetration Testing – Social Engineering
• Might not be allowed
• Trying to trick someone into giving you access
• Pose as administrator
• Pose as new user
• Sound like you belong
• Lying
• Impersonating authorized personnel
• Impersonating 3rd party personnel
• Subverting Employees and 3rd party personnel
• Bribery
• Seduction
• Extortion
• Blackmail
Physical Techniques
• Penetration Testing – Physical
• Door and lock testing
• Are servers locked up
• Is access to telco closets secured
• Shoulder surfing
• Clipboard testing
• Dumpster diving
• Work area security
• Do employees use password protected screensavers
• Passwords on stickies
• Sensitive materials left out
Results
• Document and catalog
• Determine extent of discovered vulnerabilities to answer “how bad is it”
• Record discoveries, systems affected, method of exploit, accounts and systems compromised
• Must keep information organized
Reporting
• Report generation
• Provide management level summary
• Provide technical level summary
• Present findings in a clear and specific manner
• Provide solutions to eliminate or mitigate vulnerabilities
• Report is usually the only physical remnant of the assessment
Countermeasures
• Strengthening the perimeter
• Identification – single sign-on decreases the risk that somebody writes something down
• Authentication – designed to make impersonation difficult
• Biometrics
• Callback
• Smart cards and tokens
• One time passwords
• Encryption
• Transmission
• Data storage
• Monitoring
Risk Analysis Automated Tools
• The Buddy System® is a hybrid software package used to identify and deal with system or project risks. It offers both qualitative and quantitative Risk Analysis and Reporting of information or physical security in virtually any environment.
• The purpose of ASSET is to automate the completion of the questionnaire contained in NIST Special Publication 800-26, “Security Self-Assessment Guide for Information Technology Systems”
• HIPAA EarlyView™ Security version 2.0 was designed to help covered entities assess their current state of compliance with the Final HIPAA Security Rule. Users answer a series of 165 questions that correspond to each requirement, and the software features over 20 built-in reports to help track progress.
Fundamental Elements of A Risk Analysis Tool
A comprehensive risk analysis tool consists of three fundamental steps:
o Data collection
o Analysis
o Output results
Not only should the risk analysis tool meet these basic criteria, it should meet organizational requirements as well.
Data Collection
• Asset Identification and Valuation
• Threat Assessment
• Vulnerability Assessment
• Current Safeguard Effectiveness
Analysis
• The analytical process analyzes the relationships between assets, threats, vulnerabilities and/or safeguards, and possibly other elements (e.g., likelihood of occurrence) to determine potential losses.
• Some automated risk analysis tools use the traditional quantitative approach for calculating risks (Annual Loss Expectancy)
• Some risk analysis tools do not average the value of future losses but calculate single occurrence losses (SOL).
• The qualitative approach takes the point of view that many potential losses are intangible; therefore, risks cannot be easily specified monetarily. Risk results are portrayed in a linguistic manner (i.e., "no risk" to "very high risk").
Output results
• Some tools do not address safeguard selection, while some do an extensive job.
• Some tools consider the costs of safeguards and their return on investment (ROI).
• The important point is that the risk analysis tool should provide managers with a good understanding of where to apply limited dollars to protect vital computer assets.
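The three steps from the Data Collection, Analysis and Output results slides, worked through in Python as an added example that is not part of the original slides or of any tool they name. It assumes the usual quantitative definitions (ALE as single occurrence loss times expected yearly frequency, ROI as net yearly saving per safeguard dollar); the scenario figures, the dollar bands and the intermediate risk labels are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Scenario:
    asset: str
    value: float        # asset valuation in dollars (data collection)
    threat: str
    exposure: float     # fraction of value lost in one occurrence (vulnerability)
    aro: float          # expected occurrences per year with current safeguards
    safeguard: str
    cost: float         # annual cost of the proposed safeguard
    aro_after: float    # expected occurrences per year once it is in place

    def sol(self):
        """Single occurrence loss: what one incident costs."""
        return self.value * self.exposure

    def ale(self, with_safeguard=False):
        """Annual Loss Expectancy: SOL averaged over a year."""
        return self.sol() * (self.aro_after if with_safeguard else self.aro)

    def roi(self):
        """Net yearly saving per dollar spent on the safeguard."""
        return (self.ale() - self.ale(True) - self.cost) / self.cost

# Assumed dollar bands for the qualitative view; only the end labels come from the slides.
BANDS = [(1_000, "low risk"), (15_000, "medium risk"), (75_000, "high risk")]

def qualitative(ale):
    if ale <= 0:
        return "no risk"
    return next((name for limit, name in BANDS if ale < limit), "very high risk")

def fund(scenarios, budget):
    """Output step: fund safeguards by descending ROI until the budget runs out."""
    chosen = []
    for s in sorted(scenarios, key=Scenario.roi, reverse=True):
        if s.roi() > 0 and s.cost <= budget:
            chosen.append(s.safeguard)
            budget -= s.cost
    return chosen

# Constructed sample data, not taken from any real assessment.
SCENARIOS = [
    Scenario("dial-up modem pool", 100_000, "default password login", 0.1, 1.0, "callback", 12_000, 0.1),
    Scenario("public web server", 50_000, "defacement", 0.2, 2.0, "patch management", 5_000, 0.5),
    Scenario("card database", 500_000, "credit card theft", 0.4, 0.5, "storage encryption", 20_000, 0.05),
]

if __name__ == "__main__":
    for s in SCENARIOS:
        print(f"{s.asset:20} SOL={s.sol():>9,.0f} ALE={s.ale():>9,.0f} "
              f"{qualitative(s.ale()):15} ROI={s.roi():+.2f}")
    print("fund:", fund(SCENARIOS, budget=25_000))
```

The callback safeguard is left unfunded because it costs more per year than the loss it avoids, which is the kind of result the output step is meant to surface for managers.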
Picking an Automated Tool
• “GUIDE FOR SELECTING AUTOMATED RISK ANALYSIS TOOLS” --NIST SP500-174
• An automated risk analysis tool should contain modules for data collection, analysis, and output results
• Effective reporting of the risk analysis results will help managers to weigh the alternatives and to select reliable and cost-effective safeguards. Therefore, the types of information expected in the output reports should be clearly defined
• The ability to maintain a history of the information collected during the data collection phase of the analysis is useful in subsequent reviews or queries
Example selection
• UNEMPLOYMENT INSURANCE RISK ANALYSIS PROJECT -- GARTNER GROUP
• Project staff contacted the vendors and arranged on-site evaluations of their automated risk analysis tools and training programs. The evaluation was performed using the National Institute of Standards and Technology's (NIST) Special Publication 500-174, Guide for Selecting Automated Risk Analysis Tools. For evaluation purposes, NIST recommends scoring the tools in various areas of capabilities.
• Each NIST capability was scored from a value of 0 to 3. A score of 0 indicated that the capability did not exist, or if it did exist its quality was inferior. A score of 1 indicated that the capability existed but that it was less than adequate to perform the required tasks. A score of 2 indicated that the capability existed and was considered average. A score of 3 indicated that the capability existed and was considered above average.
• The capability scores were then totaled to determine the best available automated risk analysis tool.
CRAMM Methodology
• Developed in 1986-1987.
• Last version (V3.0) released in 1997
• Used in thousands of reviews worldwide
• Provides the ability for checking scenarios (what-if)
• Provides catalog of threats and countermeasures
CRAMM
• Risk evaluation is done ...
• By evaluating assets (scale 1:10)
• By evaluating threats (scale 1:3)
• By evaluating vulnerabilities (scale 1:3)
• Impact evaluation is integrated in the vulnerabilities evaluation
CRAMM
• Phase 1: definition of study’s boundaries
• Preparations
• asset evaluation
• findings review
• Phase 2: Threat Evaluation
• Relation realization
• Evaluation of threats and vulnerabilities
• Calculation of risk level
• findings review
• Phase 3: Countermeasure selection
• recognition of the selected countermeasures
• comparison with already existing ones
• design of security package
• findings review
Types of countermeasures
• Reduces the probability of threat occurrence
• Reduces vulnerabilities
• Reduces impacts
• Combination
Summary
• Hacker Mentality
• Security Assessments
• Penetration Techniques
• Risk Analysis Tools
• CRAMM