FTP/Sentry - DBA Sistemi

Protecting Mainframe and Distributed Corporate Data from FTP Attacks: Introducing FTP/Security Suite
Alessandro Braccia, DBA Sistemi
XXVIII Annual Conference of CMG-Italia
Milan - 28 May 2014, Rome - 29 May 2014
www.softwareassist.net

Agenda
• About SAC
• The Problem
• How Attackers Operate
• Popular Hacking Tools
• FTP Issues
• What the Products do – and how
  • Conceptual Overview
  • Why are our products important?

About SAC
• Founded in 1990
• Developed a number of very successful products
• Until now a purely development company
• Products were private labeled by other companies, for example:
  • AF/Operator: Candle Corporation (now IBM)
  • TapeSaver: Mobius Management Systems (now Unicom)
• These products have been sold or moved to subsidiaries
• Focus on the FTP/Security Suite
  • Establishing Worldwide Partner Network

The Problem
• Complex problem, lack of understanding in market place
• Big vendors focus security discussion on their products
• Most attacks never make it to the press – do not educate the market
• Customers often:
  • Do not know how hackers operate
  • Spend a lot of money on some solutions
  • Lack tools in other (important) areas
• Result: Companies don’t even know they were attacked or notice it many months later – and don’t know what was taken

How attackers operate
• Attackers can be Hobbyists, Amateurs or Professionals
• Use automated tools
  • Attack weaknesses in common Tools and Protocols
  • Prefer those that are not typically monitored
• Prime Target: FTP
  • The world’s most common data interchange protocol, including corporate IT
  • Customers forget they use it, no one responsible
  • No Management / Monitoring Tools
  • By default attacks are typically not logged
  • Attack tools available on internet, instructions on YouTube

Popular FTP Hacking Tools
• THC-Hydra (http://www.thc.org/thc-hydra)
• Medusa (http://foofus.net/goons/jmk/medusa/medusa.html)
• Ncrack (http://nmap.org/ncrack)
• Brutus (http://www.hoobie.net/brutus)

Search “Hack FTP” on YouTube

Where is FTP used?
• With External Partners
  • Often hosting sensitive data
• On Web Servers
  • Providing access to the corporate web site and other resources
• As departmental data interchange tool
  • Often deployed without IT’s knowledge & involvement
  • Typically extremely vulnerable due to lack of security
• In the Data Center
  • Server <-> Server and Server <-> Mainframe data transfer

FTP Issues
• Don’t know where they use FTP – and how much
• No Tools to monitor and audit FTP usage
• Lack of compliance
• Not able to detect attacks
• Not able to determine what was taken
• Not sufficiently protected against FTP attacks
• Firewalls and IDS (Intrusion Detection Systems) cannot do it

Intrusion Detection Systems
• Designed primarily to detect intrusions from outside
• Malicious employees and contractors are a common threat
• Looks for anomalies in network traffic
• Does not understand the network protocols it looks at
• Recognizes brute force attacks by frequency, not content
• Can be circumvented easily

The FTP/Security Suite
• FTP/Auditor: FTP Server discovery
  • Where is FTP running, how is it secured?
• FTP/Sentry: Real-Time monitoring and alerting
  • What is happening? What problems are occurring?
  • Exceptions and Alerts
• FTP/Armor: Securing FTP Servers
  • Detects attacks, alerts IT staff and blocks intruders
  • Complements Intrusion Detection Systems
• Sentry Desktop: Auditing and historical analysis
  • Who accessed which files - when and from where?
• FTP/Guardian: Integrates Mainframe FTP with Mainframe Security

Conceptual Overview
[Diagram labels: Remote Agents, Real Time Monitor, Sentry Desktop, FTP Activity DB (SQL Server)]

Typical FTP Attack
[Diagram: login attempts from IP n.n.n.n]
User: Administrator
Password: AAAAA
Password: AAAAB
Password: AAABA
Password: AAABB
……

FTP Attack with FTP/Sentry
[Diagram labels: IP n.n.n.n, Real Time Monitor, FTP Activity DB (SQL Server)]
User: Administrator
Password: AAAAA
Password: AAAAB
Password: AAABA
Password: AAABB
……

FTP Attack with FTP/Sentry
[Diagram labels: IP n.n.n.n, Real Time Monitor, Console Alert, Email, Sentry Desktop]
User: Administrator
Password: AAAAA
Password: AAAAB
Password: AAABA
Password: AAABB
……

FTP Attack with FTP/Sentry
[Diagram labels: IP n.n.n.n, Real Time Monitor, Remote Agents, BLOCK IP n.n.n.n (shown three times)]
User: Administrator
Password: AAAAA
Password: AAAAB
Password: AAABA
Password: AAABB
……

FTP Attack with FTP/Sentry
[Diagram labels: IP n.n.n.n, Remote Agents, Connection refused]
User: Administrator
Password: AAAAA
Password: AAAAB
Password: AAABA
Password: AAABB
……

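Added example (not part of the original slides and not SAC product code): the monitor, alert, block and "connection refused" sequence from the attack slides, replayed over constructed login events and compared with a frequency-only count of the kind the Intrusion Detection Systems slide describes. The log format, thresholds, function names, IP addresses and events are all assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs): time, source IP, FTP user, reply code.
# 530 = "Not logged in" (failed login), 230 = "User logged in" (RFC 959).
SAMPLE = """\
2014-05-28T10:00:00 198.51.100.7 Administrator 530
2014-05-28T10:20:00 198.51.100.7 Administrator 530
2014-05-28T10:21:00 203.0.113.9 alice 530
2014-05-28T10:22:00 203.0.113.9 alice 230
2014-05-28T10:40:00 198.51.100.7 Administrator 530
2014-05-28T11:00:00 198.51.100.7 Administrator 530
2014-05-28T11:20:00 198.51.100.7 Administrator 530
2014-05-28T11:40:00 198.51.100.7 Administrator 230
"""

def monitor(log_text, max_failures=5, window=timedelta(hours=24)):
    """Replay login events; return (alerts, blocked IPs, refused connections)."""
    failures = defaultdict(list)   # (ip, user) -> timestamps of failed logins
    blocked, alerts, refused = set(), [], []
    for line in log_text.splitlines():
        ts_s, ip, user, code = line.split()
        ts = datetime.fromisoformat(ts_s)
        if ip in blocked:                      # already blocked: connection refused
            refused.append((ts_s, ip))
            continue
        if code == "230":                      # successful login clears the counter
            failures.pop((ip, user), None)
            continue
        if code != "530":
            continue
        recent = [t for t in failures[(ip, user)] if ts - t <= window] + [ts]
        failures[(ip, user)] = recent
        if len(recent) >= max_failures:        # alert and block the source IP
            blocked.add(ip)
            alerts.append(f"{ts_s} ALERT {len(recent)} failed logins "
                          f"for {user!r} from {ip}; blocking")
    return alerts, blocked, refused

def rate_only(log_text, per_minute=3):
    """Frequency-only comparison: IPs with more than per_minute events in one minute."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        ts_s, ip, _, _ = line.split()
        counts[(ip, ts_s[:16])] += 1           # bucket by YYYY-MM-DDTHH:MM
    return {ip for (ip, _), n in counts.items() if n > per_minute}
```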
Why are our products so important?
• Without them our Customers would not:
  • Know which servers are vulnerable through running FTP
  • Be protected against FTP attacks
  • Be able to notice an attack
    • what ID was compromised and
    • what was taken
  • Be able to audit WHEN WHO accessed WHAT from WHERE
  • Have operational visibility and control of their FTP infrastructure

Interesting Studies & Reports
• Carnegie Mellon Software Engineering Institute: ‘Insider Threat Study: Illicit Cyber Activity Involving Fraud in the U.S. Financial Services Sector’
• Key Findings:
  • An average of 32 months elapsed between the beginning of the fraud and its detection by the victim organization
  • “The insiders’ means were not especially sophisticated” – the fraud was possible due to lack of controls/security, not the skills of the perpetrators

Interesting Studies & Reports
• Forrester: ‘Understand The State Of Data Security And Privacy: 2012 To 2013’
• Key Findings:
  • Intentional Data Theft accounts for 45% of all Data Breaches
  • 33% of Intentional Data Theft is committed by Malicious Insiders
  • 66% of Intentional Data Theft is committed by External Attacks

Interesting Studies & Reports
• Ponemon Institute: ‘2012 Cost of Cyber Crime Study: United States’
• Key Findings:
  • Average cost of a data breach in the US is $8,933,510
  • Certain industries, such as Financial Services, experience higher cost
  • The companies in the study experienced an average of 1.8 successful attacks per week

Questions?