network security workshop busan 2003 l.
Skip this Video
Loading SlideShow in 5 Seconds..
Network Security Workshop BUSAN 2003 PowerPoint Presentation
Download Presentation
Network Security Workshop BUSAN 2003

Loading in 2 Seconds...

play fullscreen
1 / 65

Network Security Workshop BUSAN 2003 - PowerPoint PPT Presentation

  • Uploaded on

Network Security Workshop BUSAN 2003. Saravanan Kulanthaivelu Security Audit.

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
Download Presentation

PowerPoint Slideshow about 'Network Security Workshop BUSAN 2003' - MartaAdara

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
network security workshop busan 2003

Network Security WorkshopBUSAN 2003

Saravanan Kulanthaivelu

security audit
Security Audit
  • "The world isn’t run by weapons anymore, or energy, or money. It’s run by little ones and zeros, little bits of data... There’s a war out there... and it’s not about who’s got the most bullets. It’s about who controls the information.“

Federation of American Scientists - Intelligence Resource Program

workshop outline 2
Workshop Outline (2)
  • Security Audit
  • Intrusion Detection
  • Incident Response
  • We already have firewalls in place. Isn't that enough?
  • We did not realize we could get security audits. Can you really get security audits, just like financial audits?
  • We have already had a security audit. Why do we need another one?
  • Firewalls and other devices are simply tools to help provide security. They do not, by themselves, provide security. Using a castle as an analogy, think of firewalls and other such tools as simply the walls and watch towers. Without guards, reports, and policies and procedures in place, they provide little protection.
  • Security audits, like financial audits should be performed on a regular basis.
security audit definitions
Security Audit-Definitions
  • A security audit is a policy-based assessment of the procedures and practices of a site, assessing the level of risk created by these actions
  • A assessment process, which will develop systems and procedures within an organization, create awareness amongst the employees and users and ensure compliance with legislation through periodic checking of processes, constituents and documentation.
why audit
Why Audit?
  • Determine Vulnerable Areas
  • Obtain Specific Security Information
  • Allow for Remediation
  • Check for Compliance
  • Ensure Ongoing Security

To ensure that the site’s networks and systems are efficient and foolproof

who needs security auditing
Who needs security auditing?
  • A security audit is necessary for every organization using the Internet.
  • A ongoing process that must be tried and improved to cope up with the ever-changing and challenging threats.
  • Should not be feared of being audited. Audit is good practice.
audit phases
Audit Phases
  • External Audit
    • Public information collection
    • External Penetration
      • Non-destructive test
      • Destructive test
  • Internal Audit
    • Confidential information collection
    • Security policy reviewing
    • Interviews
    • Environment and Physical Security
    • Internal Penetration
    • Change Management
  • Reporting
audit phases external
Audit Phases-External
  • Hackers view of the network
  • Simulate attacks from outside
  • Point-in-time snapshots
  • Can NEVER be 100%
external audit public information gathering
External Audit-Public Information Gathering
  • Search for information about the target and its critical services provided on the Internet.
  • Network Identification
    • Identify IP addresses range owned/used
  • Network Fingerprinting
    • Try to map the network topology
    • Perimeter models identifications
  • OS & Application fingerprinting
    • OS finger printing
    • Port scanning to define services and application
    • Banner grabbing
external audit some commandments
External Audit - Some Commandments
  • Do not make ANY changes to the systems or networks
  • Do not impact processing capabilities by running scanning/ testing tools during business hours or during peak or critical periods
  • Always get permission before testing
  • Be confidential and trustworthy
  • Do not perform unnecessary attacks
external audit penetration test
External Audit-Penetration Test
  • Plan the penetration process
    • Search for vulnerabilities for information gathered and obtain the exploits
    • Conduct vulnerabilities assessments (ISO 17799)
  • Non-destructive test
    • Scans / test to confirm vulnerabilities
    • Make SURE not harmful
  • Destructive test
    • Only for short term effect (DDOS….)
    • Done from various locations
    • Done only off-peak hours to confirm effect
  • Record everything
    • Save snapshots and record everything for every test done even it returned false result
    • Watch out for HONEYPOTS
internal audit
Internal Audit
  • Conducted at the premises
  • A process of hacking with full knowledge of the network topology and other crucial information.
  • Also to identify threats within the organization
  • Should be 100% accurate.
  • Must be cross checked with external penetration report.
internal audit policy review



Procedures, Guidelines

& Practices

Internal Audit-Policy review
  • Everything starts with the security policy
  • If there is no policy, there is not need of security audit.
internal audit policy review16
Internal Audit-Policy review
  • Policies are studied properly and classified
  • Identify any security risk exist within the policy
  • Interview IT staffs to gain proper understanding of the policies
  • Also to identify the level of implementation of the policies.
internal audit information gathering

Cross check with security policy

Internal Audit-Information gathering
  • Discussion of the network topology
  • Placement of perimeter devices of routers and firewalls
  • Placement of mission critical servers
  • Existence of IDS
  • Logging
internal audit environment physical security

Cross check with security policy

Internal Audit-Environment & Physical Security
  • Locked / combination / card swipe doors
  • Temperature / humidity controls
  • Neat and orderly computing rooms
  • Sensitive data or papers laying around?
  • Fire suppression equipment
  • UPS (Uninterruptible power supply)

Section 8.1 of the ISO 17799 document defines the concepts of secure area, secure perimeter and controlled access to such areas.

internal audit penetration

Cross check with security policy

Internal Audit-Penetration

For Internal penetration test, it can divided to few categories

  • Network
  • Perimeter devices
  • Servers and OS
  • Application and services
  • Monitor and response

Find vulnerabilities and malpractice in each category

internal audit network

Cross check with security policy

Internal Audit-Network
  • Location of devices on the network
  • Redundancy and backup devices
  • Staging network
  • Management network
  • Monitoring network
  • Other network segmentation
  • Cabling practices
  • Remote access to the network
internal audit perimeter devices

Cross check with security policy

Internal Audit-Perimeter Devices

Check configuration of perimeter devices like

  • Routers
  • Firewalls
  • Wireless AP/Bridge
  • RAS servers
  • VPN servers

Test the ACL and filters like egress and ingress

Firewall rules

Configuration Access method

Logging methods

internal audit server os

Cross check with security policy

Internal Audit-Server & OS
  • Identify mission critical servers like DNS,Email and others..
  • Examine OS and the patch levels
  • Examine the ACL on each servers
  • Examine the management control-acct & password
  • Placement of the servers
  • Backup and redundancy
internal audit application services

Cross check with security policy

Internal Audit-Application & Services

Identify services and application running on the critical mission servers.Check vulnerabilities for the versions running.Remove unnecessary services/application

  • DNS
    • Name services(BIND)
  • Email
    • Pop3,SMTP
  • Web/Http
  • SQL
  • Others
internal audit monitor response

Cross check with security policy

Internal Audit-Monitor & Response

Check for procedures on

  • Event Logging and Audit
    • What are logged?
    • How frequent logs are viewed?
    • How long logs are kept?
  • Network monitoring
    • What is monitored?
    • Response Alert?
  • Intrusion Detection
    • IDS in place?
    • What rules and detection used?
  • Incident Response
    • How is the response on the attack?
    • What is recovery plan?
    • Follow up?
internal audit analysis and report
Internal Audit-Analysis and Report
  • Analysis result
    • Check compliance with security policy
    • Identify weakness and vulnerabilities
    • Cross check with external audit report
  • Report- key to realizing value
    • Must be 2 parts
      • Not technical (for management use)
      • Technical (for IT staff)
    • Methodology of the entire audit process
    • Separate Internal and External
    • State weakness/vulnerabilities
    • Suggest solution to harden security
more tools
More Tools….
  • Inetmon
  • Firewalk
  • Dsniff
  • RafaleX
  • NetStumbler
  • RAT (Router Audit Tool)-CIS
  • Retina scan tools
  • MBSA
nmap defacto standard
Nmap-Defacto Standard
  • Even in matrix , nmap was used 
intrusion detection
Intrusion Detection
  • Intrusion Detection is the process of monitoring computer networks and systems for violations of security.
  • An Intrusion – any set of actions that attempt to compromise the integrity,confidentially or availability of a resource.
  • All intrusion are defined relative to a security policy
    • Security policy defines what is permitted and what is denied on a network/system
    • Unless you know what is and is not permitted, its pointless to attempt to catch intrusion
intrusion detection30
Intrusion Detection
  • Manual Detection
    • Check the log files for unusual behavior
    • Check the setuid and setgid of files
    • Check important binaries
    • Check for usage of sniffing programs
  • Automatic (partially??)
    • Intrusion Detection Systems
intrusion detection systems
Intrusion Detection Systems
  • Goal
    • To detect intrusion real time and respond to it
  • False positive
    • No intrusion but alarm
    • Too many make your life miserable
  • False negative
    • Intruder not detected
    • System is compromised
intrusion detection detection schemes
Intrusion Detection -Detection Schemes
  • Misuse Detection
    • The most common technique, where incoming/outgoing traffic is compared against well-known 'signatures'. For example, a large number of failed TCP connections to a wide variety of ports indicate somebody is doing a TCP port scan
  • Anomaly Detection
    • Uses statistical analysis to find changes from baseline behavior (such as a sudden increase in traffic, CPU utilization, disk activity, user logons, file accesses, etc.). This technique is weaker than signature recognition, but has the benefit that can catch attacks for which no signature exists. Anomaly detection is mostly a theoretical at this point and is the topic of extensive research
intrusion detection detection
Intrusion Detection -Detection
  • Misuse Detection
    • Detect Known Attack Signatures
    • Advantage:
      • Low False Positive Rate
    • Drawbacks:
      • Only Known Attacks
      • Costs for Signature Management
  • Anomaly Detection
    • Learn Normal Profiles from User and System Behavior
    • Detect Anomaly
    • Advantage
      • Detect Unknown Attacks
    • Drawbacks
      • Difficulty of Profiling
      • Profile can be controlled by intruders
      • High false positive rate
network ids
Network IDS
  • Uses network packets as the data source
  • Searches for patterns in packets
  • Searches for patterns of packets
  • Searches for packets that shouldn't be there
  • May ‘understand’ a protocol for effective pattern searching and anomaly detection
  • May passively log, alert with SMTP/SNMP or have real-time GUI
network ids strength
Network IDS Strength
  • Lower cost of ownership
    • Fewer detection points required
    • Greater view
    • More manageable
  • Detects attacks that host-based systems miss
    • IP based Denial of Service
    • Packet or Payload Content
  • More difficult for an attacker to remove evidence
    • Uses live network traffic
    • Captured network traffic
network ids strength36
Network IDS Strength
  • Real time detection and response
    • Faster notification and responses
    • Can stop before damage is done (TCP reset)
    • Detects unsuccesful attacks and malicious intent
  • Outside a DMZ
    • See attempts blocked by firewall
    • Critical information obtained can be used on policy refinement
  • Operating system independence
    • Does not require information from the target OS
    • Does not have to wait until the event is logged
    • No impact on the target
network ids limitations
Network IDS Limitations
  • Obtaining packets - topology & encryption
  • Number of signatures
  • Quality of signatures
  • Performance
  • Network session integrity
  • Understanding the observed protocol
  • Disk storage
host based ids
Host Based IDS
  • Signature log analysis
    • application and system
  • File integrity checking
    • MD5 checksums
  • Enhanced Kernel Security
    • API access control
    • Stack security
  • Some products listen to port activity and alert administrator when specific ports are accessed
host ids strength
Host IDS Strength
  • Verifies success or failure of an attack
    • Log verification
  • Monitors specific system activities
    • File access
    • Logon / Logoff activity
    • Account changes
    • Policy changes
  • Detects attacks that network-based IDS may miss
    • Keyboard attacks
    • Brute-Force logins
host based ids limitations
Host Based IDS Limitations
  • Places load on system
  • Disabling system logging
  • Kernel modifications to avoid file integrity checking (and other stuff)
  • Management overhead
  • Network IDS Limitations
characteristic of a good ids
Characteristic of a Good IDS
  • Impose minimal overhead
    • Does not slowdown the system
  • Observe deviations from normal behavior
  • Easily tailored to any system
  • Cope with changing system behavior over time as applications are being added
    • High adaptation
network honeypots
Network Honeypots
  • Sacrificial system(s) or sophisticated simulations
  • Any traffic to the honeypot is considered suspicious
  • If a scanner bypassed the NIDS, HIDS and firewalls, they still may not know that a Honeypot has been deployed
some ids
Some IDS
  • Commercial
    • Real Secure by ISS
    • VCC/Tripwire TM
    • CMDS by SAIC
    • NetRanger by Wheelgroup
  • Freeware/Opensource
    • Snort (
incident response
Incident Response
  • Incident: An action likely to lead to grave consequences
    • Data loss may lead to commercial loss.
    • Confidentiality breached.
    • Political issues…
    • Network breakdown lead to service and information flow disruption.
    • Many more..
incident response46
Incident Response
  • Response: An act of responding.
    • Something constituting a reply or a reaction.
    • The activity or inhibition of previous activity of an organism or any of its parts resulting from stimulation
    • The output of a transducer or detecting device resulting from a given input.
  • Ideally Incident Response would be a set of policies that allow an individual or individuals to react to an incident in an efficient and professional manner thereby decreasing the likelihood of grave consequences.
  • ISO 17799
    • Outlines Comprehensive Incident Response and Internal Investigation Procedures
    • Detailed Provisions on Computer Evidence Preservation and Handling
incident response purpose
Incident Response -Purpose

Minimize overall impact.

Hide from public scrutiny.

Stop further progression.

Involve Key personnel.

Control situation.

incident response purpose48
Incident Response -Purpose

Minimize overall impact.

Recover Quickly & Efficiently.

Respond as if going to prosecute.

If possible replace system with new one.

Priority one, business back to normal.

Ensure all participants are notified.

Record everything.

incident response purpose49
Incident Response -Purpose

Minimize overall impact.

Recover Quickly & Efficiently.

Secure System.

Lock down all known avenues of attack.

Assess system for unseen vulnerabilities.

Implement proper auditing.

Implement new security measures.

incident response purpose50
Incident Response -Purpose

Minimize overall impact.

Recover Quickly & Efficiently.

Secure System.

Follow-up (A continuous process)

Ensure that all systems are secure.

Continue prosecution.

Securely store all evidence and notes.

Distribute lessons learned.

incident verification
Incident Verification
  • How are we certain that an incident occurred?
  • Verify the Incident!
  • Where to find information?
    • Intrusion Logs
    • Firewall Logs
    • Interviews
      • Emails, Network Admin, Users, ISP, etc…
verification what do we know
Verification: What do we know?
  • Three situations
    • 1. Verification without touching the system
    • 2. Verification by touching the system minimally. You have a clue or two where to look.
    • 3. Verification by full analysis of live system to find any evidence that an incident has occurred.
secure incident scene
Secure Incident Scene
  • What exactly does this mean?
    • Limit the amount of activity on the system to as little as possible
      • Limit damage by isolating
      • ONE person perform actions
      • Limit affecting the crime environment
      • Record your actions
preserve everything
Preserve Everything!
  • Anything and everything you do will change the state of the system
    • POWER OFF? Changes it.
    • Leave it plugged in? Changes it.
    • Obtaining a backup will change the system
    • Unplug the network? Changes it.
    • Even Doing Nothing will ALSO change the state of the system.
incident scene snapshot
Incident Scene Snapshot
  • Record state of computer
    • Photos, State of computer, What is on the screen?
    • What is obviously running on the screen?
      • Xterm?
      • X-windows?
    • Should you port scan the affected computer?
      • Pros: You can see all active and listening ports
      • Cons: It affects the computer and some backdoors log how many connections come into them and could tip off the bad guy
unplug power from system
Unplug power from system?
  • This method may be the most damaging to effective analysis though there are some benefits as well
    • Benefits include that you can now move the system to a more secure location and that you can physically remove the hard drive from the system
    • Cons… you lose evidence of all running processes and memory
unplug from network
Unplug from Network?
  • Unplug from the network?
    • Unplug it from the network and plug the distant end into a small hub that is not connected to anything else.
    • Most systems will write error messages into log files if not on a network.
    • If you make the computer think it is still on a network, you will succeed in limiting the amount of changes to that system.
backup or analyze
Backup or Analyze?
  • Should you backup the system first?
  • Should you find the extent of the damage?
  • Set up in policy for your incident response:
    • It depends on the system and what you need it for.
    • To get BEST evidence BACKUP first at the cost of time to get answers
    • To get FAST answers ANALYZE first at the cost of getting best evidence
    • Label systems with priority. Some will need answers quicker than your ability to get best evidence.
finding clues
Finding Clues
  • Once backup is done start looking for clues
  • Be careful to avoid tampering with the system when it is in the middle of a backup.
  • Even though the emphasis might be to quickly assess the WHAT of a situation, if you try and answer that question without preserving the scene of the crime you will inadvertently erase the evidence you seek
  • Be patient. It’s meticulous
finding clues60
Finding Clues
  • What are we really looking for?
    • DATES and TIMES
  • We need to find one clue, and once we do, everything else almost always falls into place
what next
What Next?
  • Prosecute??
  • Apply short-term solutions to contain an intrusion
  • Eliminate all means of intruder access
  • Return systems to normal operation
  • Identify and implement security lessons learned
useful links
Useful Links
incident response resources
Incident Response Resources
  • Incident Response, Electronic Discovery, and Computer Forensics,
  • Security Focus,
  • The Federal Computer Incident Response Center (FedCIRC) ,
  • The Canadian Office of Critical Infrastructure Protection and Emergency Preparedness
  • Incident Handling Links & Documents (75 links)
  • SEI: Handbook for Computer Security Incident Response Teams
  • CERT/CC: Computer Security Incident Response
  • CERT/CC: Responding to Intrusions
  • AuCERT: Forming an Incident Response Team
  • SANS: S.C.O.R.E
white papers
White Papers
  • Security Management: Understanding ISO 17799
    • Microsoft IIS Unicode Exploit
    • Worrisome New Windows Attacks
    • PKI: How it Works
    • IPSec: What Makes it Work