invited talk - Northwestern University
Download
Report
Transcript invited talk - Northwestern University
Security Policy
Topics for Discussion
• IT Security in the Business
– Risk, Audit Support, Compliance
• Policies, Standards, and Procedures
– IT Security’s Role in Creation and Enforcement
• Typical IT Security Technical Work
– Intrusion Detection/Prevention
– Ethical Hacking/Penetration Testing
The CISO Agenda
Business
Managing 3rd Party Risk (Outsourcers)
Culture / Awareness
M&A
Strategy
High Availability
Executive / Board Reporting
Metrics / Benchmarking
Privacy / Security Breach
Business Continuity
Brand Protection & Enhancement
Alignment with Business Goals / Objectives
Disaster Recovery
CISO
Technology
Identity Management
Mobile Computing
Enablement
Linkage to Enterprise
Risk Mgmt
Evolving Threats
Regulatory
Compliance
Compliance / Internal Audit
Vulnerability / Patch Management
Staffing Support
Core Functions
Risk
IT Security performs a critical role in assessing
risk in the organization.
• Vulnerability Scanning
• Penetration Testing
• Industry Trends
• IT Strategy
• Familiarity with Audit and Compliance
measures
Audit Support
In many cases, IT Security is heavily relied upon
to perform in depth testing required by an
audit organization. Security is enlisted by audit
because:
• Technical expertise
• Familiarity with current issues from internal
testing
• Familiarity with Policies, Standards, and
Procedures
Compliance
Compliance may relate to internal compliance or
external compliance.
Internal compliance:
• Policies and Standards
• Security and Configuration baselines
• Framework use – ISO, COBIT, ITIL, GAISP, NIST
• Best Practices
Compliance cont’d
External compliance:
• SOX (Sarbanes Oxley)
– COSO Framework
• HIPAA
• PCI
• Safe Harbor
ISO Leading Practices
Source: www.rsa.com
Compliance in Action
Source: www.rsa.com
Internal Policy
IT Security is regularly tasked with creation and
enforcement of IT policies, standards, and
procedures. Creation and enforcement of
these documents require:
• Understanding of audit roles and procedures
• Familiarity with all systems, networks, and applications
• Compliance considerations
Internal Policy cont’d
Definitions:
• A Policy is a set of directional statements and requirements aiming
to protect corporate values, assets and intelligence. Policies serve
as the foundation for related standards, procedures and guidelines.
• A Standard is a set of practices and benchmarks employed to
comply with the requirements set forth in policies. A standard
should always be a derivation of a policy, as it is the second step in
the process of a company’s policy propagation.
• A Procedure is a set of step-by-step instructions for implementing
policy requirements and executing standard practices.
Internal Policy cont’d
Internal Policy cont’d
Policy creation and enforcement cycle
Policy Business Case
A top 5 global food retailer has a massive IT/IS
infrastructure and good governance….but no
real policies!
Policies are the foundation for enforcing IT
compliance and governance.
What policies were written for the client…
Policy Business Case cont’d
Policies written for IT Security:
• Acceptable Use Policy
• Information Classification & Ownership Policy
• Risk Assessment & Mitigation Policy
• Access Control Policy
• Network Configuration and Communication Policy
• Remote Access Policy
• Business Continuity Policy
• Incident Response Policy
• Third Party Data Sharing Policy
• System Implementation & Maintenance
• Secure Application Development
• Cryptography & Key Management
• Mobile Computing
• Physical & Environmental Security
Policy Business Case cont’d
Sample Policies
Ethical Hacking
Ethical hacking is a very common profession
within the IT security industry.
• White hat, Grey hat, Black hat
• Sometimes synonymous with penetration
testing – A method of assessing the security
posture of a system or network by simulating
an “attack”
Ethical Hacking
Why perform an ethical hack?
• Determine flaws and vulnerabilities
• Provide a quantitative metric for evaluating
systems and networks
• Measure against pre-established baselines
• Determine risk to the organization
• Design mitigating controls
Ethical Hacking
Ethical Hacking
Administrative items:
• Authorization letter – “Get out of jail free
card”
• Risk report
– Likelihood of risk
– Mitigation plans
– Trends (performed with recurring clients)
Q&A
ANY QUESTIONS?
Layer 2
Hacking
Slide material sourced from the Black Hat presentation presented by Sean Convery of Cisco Systems
Topics for Discussion
• Layer 2 Protocols and Weaknesses
–
–
–
–
–
–
–
ARP
MAC/CAM
VLAN/Encapsulation
STP/BPDU
DHCP
MPLS
BGP
• Tools
• Carrier “Ethernet” Appendix
Why Layer 2
ARP
• ARP Spoofing is the process of sending a
crafted ARP request across the network to
enable the sniffing of one or many hosts on a
network.
• ARP poisoning is also a similar attack but you
attack all hosts on a subnet. This is useful to
ARP spoof the address of a switch or router so
all traffic can be send through you!
ARP Poisoning
ARP Poisoning
• Start Sniffing
• Scan for hosts
ARP Poisoning
ARP Poisoning
ARP Poisoning
ARP Poisoning
• Select the machines to poison
We chose to ARP poison only the windows machine
192.168.1.2 and the router 192.168.1.1.
• Highlight the line containing 192.168.1.1 and click on
the "target 1" button.
• Highlight the line containing 192.168.1.2 and click on
the "target 2" button.
• If you do not select any machines as target, all the
machine inside the subnet will be ARP poisoned.
ARP Poisoning
ARP Poisoning
ARP Poisoning
ARP Poisoning
• To recap the information found using
Wireshark (or another sniffer)
– 192.168.1.1 is at 11:22:33:44:11:11 (Router)
– 192.168.1.2 is at 11:22:33:44:55:66 (Host)
– 192.168.1.100 is at 11:22:33:44:99:99 (Attacker)
ARP Poisoning
• Before the ARP poisoning:
SRC: 11:22:33:44:55:66 (host)
DST: FF:FF:FF:FF:FF:FF (gateway/router)
Message: Who has 192.168.1.1? Tell 192.168.1.2
SRC: 11:22:33:44:11:11 (gateway/router)
DST: 11:22:33:44:55:66 (host)
Message: 192.168.1.1 is at 11:22:33:44:11:11
During/After ARP Poisoning/Spoof
• Executing the ARP poisoning/spoof:
Before: 192.168.1.1|11:22:33:44:11:11 (in host
ARP table)
Execution
SRC: 11:22:33:44:99:99
DST: 11:22:33:44:55:66 (Host)
Message: 192.168.1.1 is at 11:22:33:44:99:99
After attack: 192.168.1.1| 11:22:33:44:99:99 (in
host ARP table)
ARP Poisoning
ARP Poisoning
• What to do once poisoned?
– Man In The Middle Attacks
• DNS Spoof
• Manipulate Connections
• Steal Info
• Redirect Sessions
• SSH/Protocol Downgrade Attack
ARP Spoof Defense
• SARPI & DARPI: Static and Dynamic ARP inspection. Not
practical -- Requires an agent on every host.
• DHCP Snooping: Keeps a record of each MAC address
connected to a port and hence can detect false ARP
responses.
– Widely used on commercial network gear.
– Can be easily circumvented by not using DHCP. This is the most
common defense since almost all networks require a DHCP
address be assigned, but it is not perfect.
• Static Mapping: Statically mapping IP-MAC relationships is
an easy way to defend against only simple ARP Spoof
attacks
ARP Spoof Defense
• Monitoring: There are numerous products
and software packages that can actively
monitor ARP requests and caches to clean
caches and identify ARP attacks.
– ARPDefender (appliance in network)
– Arpwatch (software)
– Xarp (software)
– anti-arpspoof (software)
Exploiting Simple Masking Errors
• Here’s a rule on a Cisco firewall:
– access-list outside permit ip
10.11.12.0 255.255.255.0 host a.b.c.d
– That says “allow anyone in 10.11.12.* to reach
a.b.c.d”
• Here’s the same rule in Cisco IOS:
– permit ip 10.11.12.0 0.0.0.255 host
a.b.c.d
– That does (almost) the same thing
• Note the way you have to write the mask “backwards” in IOS
• Suppose you forget – you say:
– permit ip 10.11.12.0 255.255.255.0 host
a.b.c.d
Exploiting Simple Masking Errors
• The Backwards Mask:
– permit ip 10.11.12.0 255.255.255.0 host
a.b.c.d
• What does it do?
• It really looks like “permit one subnet”
• It actually permits 16,777,216 different hosts
– Every address that ends in a zero
• Once you know this happens, the lesson is obvious
– When in an unknown network, set your IP to something
like *.*.*.0
– You may find a lot of doors suddenly spring open!
• In many networks, the right source IP grants magic access
MAC/CAM
• Every switch uses a Content Addressable
Memory (CAM) space to store the physical
address of a hosts so it knows where to send
data destined for a host. This memory space
of course has a limitation.
• In order to place a MAC in CAM the switch
hashes all the various information regarding
the host: MAC, VLAN, etc.
MAC/CAM
• There are tools like macof and dsniff that can
generate thousands of CAM entries per
minute. Why? To flood the CAM table. Once
the CAM is flooded, all traffic on the switch is
sent to all physically connected hosts because
the switch cannot determine what traffic goes
where, thereby allowing you to see all traffic
on the switch.
MAC/CAM
CAM Flood Defense
• Port Security: This requires writing the MAC
address of the host allowed to use a specified
port on each port description in the switch
configuration. Hard to implement. Not Scalable.
• Sticky MAC: Sticky MAC addresses allow MAC
addresses to be dynamically learned and limit
port access to said MAC address. The MAC
address will be learned when the first MAC
address attempts to connect to the port and will
be written to the running configuration.
Hakipedia
• www.hakipedia.com