Transcript Document

Security Auditing, Attacks, and Threat Analysis
Copyright © 2002 ProsoftTraining. All rights reserved.
Lesson 1: Security Auditing
Objectives
• Identify a security auditor’s chief duties
• List security auditing principles
• Assess risk factors for a network
• Describe the security auditing process
• Plan an audit
What Is an Auditor?
• Network security
• Risk assessment
What Does an Auditor Do?
• Compliance
• Risk analysis
Auditor Roles and Perspectives
• Auditor as security manager
• Auditor as consultant
• Insider threats
Conducting a Risk Assessment
• Check for a written security policy
• Analyze, categorize and prioritize resources
• Consider business concerns
• Evaluate existing perimeter and internal security
• Use existing management and control architecture
Risk Assessment Stages
• Discovery
• Penetration
• Control
Summary
• Identify a security auditor’s chief duties
• List security auditing principles
• Assess risk factors for a network
• Describe the security auditing process
• Plan an audit
Lesson 2: Discovery Methods
Objectives
• Describe the discovery process
• Identify specific discovery methods
• Install and configure network-based and host-based discovery software
• Conduct network-level and host-level security scans
• Configure and deploy enterprise-grade network vulnerability scanners
Security Scans
• Whois
• nslookup
• The host command
• The traceroute (tracert) command
• Ping scanning
• Port scans
• Network-discovery and server-discovery applications
• NMAP
• Share scans
• Service scans
• Using Telnet
Using SNMP
• The SetRequest command
• SNMP software
TCP/IP Services
• Finger
– User names
– Server names
– E-mail accounts
– User connectivity
– User logon status
Enterprise-Grade Auditing Applications
• Protocol support
• Network scanners
• Subnetting
• Configuring network scanners
• Configuring host scanners
Scan Levels
• Profiles and policies
• Reporting
• Symantec NetRecon
• ISS Internet Scanner
• eEye Retina
• Additional scanning application vendors
Social Engineering
• Telephone calls
• Fraudulent e-mail
• Education
What Information Can You Obtain?
• Network-level information
• Host-level information
• Research
• Legitimate versus illegitimate auditing tools
Summary
• Describe the discovery process
• Identify specific discovery methods
• Install and configure network-based and host-based discovery software
• Conduct network-level and host-level security scans
• Configure and deploy enterprise-grade network vulnerability scanners
Lesson 3: Auditing Server Penetration and Attack Techniques
Objectives
• Identify common targets
• Discuss penetration strategies and methods
• List potential physical, operating system, and TCP/IP stack attacks
• Identify and analyze specific brute-force, social engineering, and denial-of-service attacks
• Implement methods designed to thwart penetration
Attack Signatures and Auditing
• Reviewing common attacks
– Dictionary
– Man in the middle
– Hijacking
– Viruses
– Illicit servers
– Denial of service
Common Targets
• Routers
• FTP servers
• Databases
• Web servers
• DNS
• WINS
• SMB
Routers
• Using your firewall to filter Telnet
• Routers and bandwidth consumption attacks
Databases
• The most desirable asset for a hacker to attack
– Employee data
– Marketing and sales information
– R&D
– Shipping information
Web and FTP Servers
• Common problems
• Web graffiti
E-Mail Servers
• Spam
• Relaying
Naming Services
• Unauthorized zone transfers
• DNS poisoning
• Denial-of-service attacks
• WINS
• SMB
• NFS
• NIS
Auditing Trap Doors and Root Kits
• Auditing bugs and back doors
Buffer Overflow
• Preventing denial-of-service attacks
• Auditing illicit servers, Trojans and worms
Combining Attack Strategies
• Penetration strategies
– Physical
– Operating system
– Bad password policies
– NAT
– Bad system policies
– Auditing file system weaknesses
• IP spoofing and hijacking
– Blind and non-blind spoofing
Denial of Service and the TCP/IP Stack
• SYN flood
• Smurf and Fraggle attacks
• Teardrop/Teardrop2
• Ping of death
• Land attack
Summary
• Identify common targets
• Discuss penetration strategies and methods
• List potential physical, operating system, and TCP/IP stack attacks
• Identify and analyze specific brute-force, social engineering, and denial-of-service attacks
• Implement methods designed to thwart penetration
Lesson 4: Security Auditing and the Control Phase
Objectives
• Define control procedures
• Identify control methods
• List ways to document control procedures and methods
Control Phases
• Gain root access
• Gather information
• Open new security holes
• Erase evidence of penetration
• Spread to other systems
• Auditing UNIX file systems
• Auditing Windows 2000
UNIX Password File Locations
• The shadow password file
• Redirect information
• Create new access points
• Erase evidence of penetration
• Spread to other systems
• Port redirection
Control Methods
• System defaults
• Services, daemons, and loadable modules
• Illicit services, daemons, and loadable modules
• Keyloggers
Auditing and the Control Phase
• The auditor never truly enters the control phase
• The auditor must recognize suspicious traffic
Summary
• Define control procedures
• Identify control methods
• List ways to document control procedures and methods
Lesson 5: Intrusion Detection
Objectives
• Define intrusion detection
• Differentiate between intrusion detection and automated scanning
• Discuss network- and host-based intrusion detection
• List the elements used in an IDS
• Implement intrusion-detection software
What Is Intrusion Detection?
• Capabilities
– Network traffic management
– System scanning, jails, and the IDS
– Tracing
• Is intrusion detection necessary?
• IDS application strategies
Intrusion Detection Architecture
• Network-based IDS applications
• Host-based IDS architectures
• Host-based managers
• Host-based IDS agents
• Manager-to-agent communication
IDS Rules
• Network anomalies
• Network misuses
• Actions
• False positives and IDS configuration
IDS Actions and False Positives
• Creating rules
• Assigning actions to a rule
• Mistaking legitimate traffic for illegitimate traffic
Intrusion Detection Software
• eTrust Intrusion Detection
• Snort
• Intruder Alert
• ISS RealSecure
• Computer Misuse Detection System
• Network Flight Recorder
• CyberCop Monitor
• Cisco Secure IDS
Purchasing an IDS
• Product support
• Product training
• Update policy
• Company reputation
• IDS capacity
• Product scalability
• Network support
• Encryption
Summary
• Define intrusion detection
• Differentiate between intrusion detection and automated scanning
• Discuss network- and host-based intrusion detection
• List the elements used in an IDS
• Implement intrusion-detection software
Lesson 6: Auditing and Log Analysis
Objectives
• Establish a baseline for your users’ activities
• Conduct log analysis
• Filter events found in Windows 2000 and Linux systems
• Establish auditing for logons, system restarts, and specific resource use
Baseline Creation and Firewall and Router Logs
• Baseline is standard activity for a network
• Logs help determine activity patterns of users
Operating System Logs
• Logging UNIX systems
• Logging Windows 2000 systems
Filtering Logs
• Filtering logs in Windows 2000
• Filtering logs in Linux
• Operating system add-ons and third-party logging
Suspicious Activity
• Skilled hacking attempts camouflage their activity as legitimate system activity
Additional Logs
• Intrusion detection systems
• Telephony connections
• ISDN and/or frame relay connections
• Employee access logs
Log Storage
• Sending logs to a different machine for storage
• Replicating logs to a writable CD-ROM drive
• Scheduling hard-copy backups
Auditing and Performance Degradation
• Network traffic
• Packet sniffers
Summary
• Establish a baseline for your users’ activities
• Conduct log analysis
• Filter events found in Windows 2000 and Linux systems
• Establish auditing for logons, system restarts, and specific resource use
Lesson 7: Audit Results
Objectives
• Recommend solutions based on specific network problems
• Suggest ways to improve compliance with a security policy
• Create an assessment report
• Enable proactive detection services
Objectives (cont’d)
• Cleanse operating systems
• Install operating system add-ons
• Implement native auditing
• Use SSH as a replacement for Telnet, rlogin, and rsh
Auditing Recommendations
• Recommending specific ways to continue or implement efficient auditing
• Confronting and correcting virus, worm and Trojan infections
• Recommending changes and improvements
Four Network Auditing Categories
• Firewalls and routers
• Host and personal security
• Intrusion detection and traceback
• Policy enforcement
Creating the Assessment Report
• Sample audit report elements include:
– Overview of existing security
– Estimates of time hackers require to enter the system
– Summary of important recommendations
– Outline of audit procedures
– Network element recommendations
– Physical security discussion
– Terms
Improving Compliance
• Steps for continued auditing and strengthening
Security Auditing and Security Standards
• ISO 7498-2
• British Standard 7799
• Common Criteria
• Evaluation Assurance Levels
Improving Router Security
• Ingress and egress filtering
• Disable broadcast filtering
Enabling Proactive Detection
• Scan detection, honey pots and jails
– Detecting a NIC in promiscuous mode
Host Auditing Solutions
• Cleaning up infections
• Personal firewall software
• IPsec and personal encryption
• Native auditing services
• Fixing system bugs
• IPv6
Replacing and Updating Services
• Study the new product
• Determine the time needed to implement changes
• Test all updates
• Consider effect of updates on other services
• Determine whether end-user training is needed
Secure Shell (SSH)
• Security services provided by SSH
• Encryption and authentication in SSH
• SSH2 components
• Preparing SSH components
SSH and DNS
• Compatibility with SSH1
• SSH and authentication: establishing user-to-user trust relationships
Summary
• Recommend solutions based on specific network problems
• Suggest ways to improve compliance with a security policy
• Create an assessment report
• Enable proactive detection services
Summary (cont’d)
• Cleanse operating systems
• Install operating system add-ons
• Implement native auditing
• Use SSH as a replacement for Telnet, rlogin, and rsh
Security Auditing, Attacks, and Threat Analysis
• Security Auditing
• Discovery Methods
• Auditing Server Penetration and Attack Techniques
• Security Auditing and the Control Phase
• Intrusion Detection
• Auditing and Log Analysis
• Audit Results