Information and Network Security
Preparing for The Present & The Future
21/07/2015
Totally Connected Security
Presentation Summary
Hacker/Cracker Operation Stages
- Discovery
- Exploitation
- Cover up
- Backdoor/Trojan
Presentation Summary
Prevention
- Policies
- Ethical Hacking/Pen Testing
- Tools
Forensics
- First response
- Preserving evidence
- Tools
So… Has it been working?
“85 percent of enterprises surveyed have been breached in the last 12 months, with 64 percent of the breaches costing $2 million or more.” - CSI
Of those:
- 99% used antivirus software
- 98% used firewalls
- 91% employed physical security to protect their computer and information assets
- 92% employed some measure of access control
So… Has it been working?
- Misuse of network access by employees was about as frequent as virus attacks, occurring in more than 75% of organizations.
- Theft of proprietary information occurred in over 20% of organizations, resulting in financial losses of more than $2.7 million on average.
- Denial of service occurred in over 40% of organizations, with financial losses averaging over $2.5 million per organization.
- System penetration occurred in more than 35% of organizations, sabotage in over 25%.
- Disgruntled employees were identified nearly as often as external hackers as the most likely source of security violations (over 75% of organizations cited both!).
* CSI/03
Discovery
- Port Scanning
  - Identify running services
    - Web Server, Mail Server, SSH, etc.
  - Firewalls
- Information Gathering
  - OS Fingerprinting
  - Banner information
  - How vulnerable
Exploitation
- Vulnerable service is found
- Attacker searches the internet for an existing exploit
- Attacker creates their own exploit
- Exploit is run against the system
  - Typically gains root or administrator privileges
  - At worst gains low-level user privileges
- System's security is compromised
Cover up
- Altering or deletion of logs
- Rootkits
  - Replace system binaries (netstat, ls, etc.)
  - Hide the attacker's connection to the system
  - Hide installed software
- Backdoor / Trojan the system
  - Allows the attacker to return unnoticed
  - Allows the attacker to remotely control the system
    - IRC Bots
Prevention
Policies
- Acceptable use
- Password protection
Not just for IT
- Phone
- Fax
- Physical
Ethical Hacking / Pen Test
What you can expect
- Identification of exposures and risks
- Detailed results of the testing performed
- What the results indicate
- Recommendations on which fixes need to be applied and how
Ethical Hacking / Pen Test
What should you include?
- Internal
  - Printers, Faxes, Switches, Desktops, etc.
- External
  - Firewalls
  - Routers
  - Dial Up
  - VPNs & Remote Users
- Wireless
  - Access points
  - Laptops
Ethical Hacking / Pen Test
Common Attacks
- Browsing attacks
- Information Disclosure
- Mass rooting/scanning
- Viruses and Trojans
- Browser Hijacking
Employee misuse more than all other threats!
Ethical Hacking / Pen Test
- Relying on commercial software
  - Inability to identify certain vulnerabilities
  - High false positives
- After the audit
  - Implementing fixes
  - Mitigating risks
  - Ensuring fixes were applied correctly
Tools
- Security Scanners
  - Nessus (http://www.nessus.org/)
  - Retina by eEye (http://www.eeye.com/)
- Port Scanners
  - Nmap – “Network Mapper” (http://www.insecure.org/)
  - HPING - TCP/IP packet assembler/analyzer (www.hping.org)
Tools
Packet Sniffers
- IRIS (www.eeye.com)
- Ethereal (www.ethereal.com)
Patch Management
- HFNetChkPro (http://www.shavlik.com/)
- Patchlink (http://www.patchlink.com)
- Microsoft SMS (http://www.microsoft.com/smserver)
Forensics - Summary
- What to do when an incident occurs
- Determine point of entry/infection
  - Sniffers
  - IDS
  - Unusual behavior
- Acquiring evidence
  - Shutting down the system
  - Creating an image
  - Documentation
Forensics
- Some questions to ask:
  - What type of evidence is being sought?
  - Is there a computer use policy?
  - Is there a network administrator?
  - Where are the backups?
- If conducting a large search:
  - What keywords can I use to identify computers that contain evidence?
  - What type of system will I be looking at?
Point of entry
Things to look for:
- Unusual registry keys
  - \Software\Microsoft\Windows\CurrentVersion\Run\*
- Modified hosts file
  - %windir%\system32\drivers\etc\hosts
- Unknown running services
  - Run “sigverif”
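A small triage script for the two file-based checks on this slide (the Run key and the hosts file), added here as an example and not part of the original presentation. It runs over constructed sample text standing in for a `reg query` listing and a hosts file; the value names, paths and hostnames in the samples are invented, and the signature check (sigverif) is left to that tool.

```python
import re

# Constructed hosts file (invented names; not taken from any real machine)
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1       update.example-av.test
198.51.100.9    www.mybank.example
"""

# Constructed 'reg query' style listing of the Run key (value names and paths are invented)
SAMPLE_RUN_KEY = """\
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\\system32\\SecurityHealthSystray.exe
    ctfmon            REG_SZ           C:\\Windows\\System32\\ctfmon.exe
    svchost           REG_SZ           C:\\Users\\Public\\svchost.exe -k netsvcs
    updater           REG_SZ           "C:\\Users\\bob\\AppData\\Local\\Temp\\upd.exe" /silent
"""

LOOPBACK = {"127.0.0.1", "::1"}
# Autostart binaries in user-writable directories deserve a second look.
USER_WRITABLE = re.compile(r"\\(users\\[^\\]+\\appdata|users\\public|temp|programdata)\\", re.I)

def suspicious_hosts_entries(text):
    """Return (ip, name) pairs other than the stock localhost lines: a redirected
    vendor or bank hostname, or localhost pointed somewhere else."""
    hits = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()     # drop comments and blank lines
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            if name.lower() != "localhost" or ip not in LOOPBACK:
                hits.append((ip, name))
    return hits

def suspicious_run_entries(text):
    """Return (value_name, command) for Run entries whose command lives in a
    user-writable path; system binaries under %windir% are left alone."""
    hits = []
    for line in text.splitlines():
        m = re.match(r"\s+(\S+)\s+REG_(?:EXPAND_)?SZ\s+(.+)$", line)
        if m and USER_WRITABLE.search(m.group(2)):
            hits.append((m.group(1), m.group(2).strip()))
    return hits
```

On a live system the same functions can be fed the real hosts file and the output of `reg query` for the Run key.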
Some tools for discovery
- TCPView - www.sysinternals.com/ntw2k/source/tcpview.shtml
- Filemon - www.sysinternals.com/ntw2k/source/filemon.shtml
- Deleted File Analysis Utility - www.execsoft.com/freeware/undelete/download.asp
- DumpSec - www.systemtools.com/somarsoft/
- F.I.R.E. - http://prdownloads.sourceforge.net/biatchux/fire0.4a.iso?download
Forensics
Don’t panic!
- Use tools to identify the source of infection!
  - Sniffers to identify malicious data / content
  - IDS to isolate which machines were violated
  - User reports of unusual behavior
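An added example (not from the original presentation) of the IDS/sniffer step above and of spotting the port-scanning Discovery stage described earlier: a detector that walks constructed firewall log lines and flags a source that touches many distinct ports on one host within a short window. The log format and addresses are invented for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed firewall log (invented addresses): time, source, destination, dst port, action
SAMPLE_LOG = """\
2015-07-21 09:00:01 198.51.100.7 192.0.2.10 22 DROP
2015-07-21 09:00:01 198.51.100.7 192.0.2.10 23 DROP
2015-07-21 09:00:02 198.51.100.7 192.0.2.10 25 ACCEPT
2015-07-21 09:00:02 198.51.100.7 192.0.2.10 80 ACCEPT
2015-07-21 09:00:03 198.51.100.7 192.0.2.10 110 DROP
2015-07-21 09:00:03 198.51.100.7 192.0.2.10 143 DROP
2015-07-21 09:00:04 198.51.100.7 192.0.2.10 3389 DROP
2015-07-21 09:05:00 192.0.2.55 192.0.2.10 80 ACCEPT
2015-07-21 09:05:30 192.0.2.55 192.0.2.10 443 ACCEPT
2015-07-21 09:20:00 198.51.100.7 192.0.2.10 25 ACCEPT
"""

def parse_log(text):
    """Turn each log line into a (time, src, dst, port, action) tuple."""
    records = []
    for line in text.splitlines():
        if line.strip():
            date, clock, src, dst, port, action = line.split()
            ts = datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S")
            records.append((ts, src, dst, int(port), action))
    return records

def detect_scans(records, min_ports=5, window=timedelta(seconds=60)):
    """Flag each (src, dst) pair where src touched >= min_ports distinct ports on dst
    within `window`. Accepted and dropped packets both count: a scan shows up as
    breadth of ports. Returns {(src, dst): (window_start, sorted ports for the pair)}."""
    per_pair = defaultdict(list)
    for ts, src, dst, port, _ in records:
        per_pair[(src, dst)].append((ts, port))
    hits = {}
    for pair, events in per_pair.items():
        events.sort()
        start = 0
        for end in range(len(events)):           # sliding time window
            while events[end][0] - events[start][0] > window:
                start += 1
            if len({p for _, p in events[start:end + 1]}) >= min_ports:
                hits[pair] = (events[start][0], sorted({p for _, p in events}))
                break
    return hits

def scan_report(text=SAMPLE_LOG):
    """Convenience wrapper: parse and detect in one call."""
    return detect_scans(parse_log(text))
```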
Forensics
- I found it, now what?
- Shutting down systems:
  - DOS, Win95/98/NT/2K/XP – Pull the plug
  - NT Server / Win2k Server – Shut down
- Image the drive to preserve the evidence
  - Encase – http://www.guidancesoftware.com
  - SafeBack - http://www.forensics-intl.com/safeback.html
  - Forensic Toolkit - http://www.accessdata.com
  - NTImage - http://www.dmares.com
Forensics
Once you have your image, maintain proper chain of custody
- Ensure evidence is stored securely and logs are maintained of all who have access
- Use cameras in storage areas
- Never leave evidence in an unsecured area
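An added example, not from the original presentation, of keeping the access log this slide calls for in a tamper-evident form: each custody entry records the image's SHA-256 and the hash of the previous entry, so a changed image or an edited log is caught on verification. File names and handler names are constructed for the demo.

```python
import hashlib, json, os, tempfile
from datetime import datetime, timezone

def sha256_file(path, chunk=1 << 20):
    """Hash a possibly huge image file without loading it all into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def append_custody_entry(log_path, image_path, handler, action):
    """Append one record; it carries the hash of the previous line, so edits break the chain."""
    prev = "0" * 64
    if os.path.exists(log_path):
        with open(log_path) as f:
            lines = f.read().splitlines()
        if lines:
            prev = hashlib.sha256(lines[-1].encode()).hexdigest()
    entry = {"time": datetime.now(timezone.utc).isoformat(), "handler": handler,
             "action": action, "image": os.path.basename(image_path),
             "image_sha256": sha256_file(image_path), "prev": prev}
    with open(log_path, "a") as f:
        f.write(json.dumps(entry, sort_keys=True) + "\n")
    return entry

def verify_custody_log(log_path, image_path):
    """True only if every entry links to its predecessor and the image hash never changed."""
    with open(log_path) as f:
        lines = f.read().splitlines()
    expected_prev, current = "0" * 64, sha256_file(image_path)
    for line in lines:
        entry = json.loads(line)
        if entry["prev"] != expected_prev or entry["image_sha256"] != current:
            return False
        expected_prev = hashlib.sha256(line.encode()).hexdigest()
    return bool(lines)

def demo():
    """Constructed walk-through: a fake 1 MiB image, two custody entries, then tampering."""
    workdir = tempfile.mkdtemp()
    image, log = os.path.join(workdir, "evidence.dd"), os.path.join(workdir, "custody.log")
    with open(image, "wb") as f:
        f.write(b"\0" * (1 << 20))          # stand-in for a drive image
    append_custody_entry(log, image, "examiner A", "acquired image")
    append_custody_entry(log, image, "examiner B", "checked out for analysis")
    intact = verify_custody_log(log, image)
    with open(image, "r+b") as f:           # simulate someone altering the image
        f.write(b"X")
    return intact, verify_custody_log(log, image)
```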
Documentation
- Take pictures
  - Overall work area
  - Screen / Programs running
  - Connections
- Time and date of incident
- What was acquired
NO SUCH THING AS BEING TOO THOROUGH!
Summary
Statistics regarding computer break-ins with traditional countermeasures
Important difference between crackers and ethical hackers
Summary
What to expect from Audits/Pen Tests
Tools which can be used to assist in network assessments
Incident Response and forensics in a Windows environment
Totally Connected Security
www.tcsecurity.ca
1312 SE Marine Dr.
Vancouver, BC V5X 4K4
(604) 432-7828