eEye Background
• A three year old security software company
• Based in Southern California with offices in Geneva, London and Madrid
• Creates cutting edge security software:
  • Retina™, the Network Scanner
  • SecureIIS™, an Application Firewall for Internet Information Server
  • Iris™, the Network Traffic Analyzer
• Very active in research and development in the digital security community through numerous advisories
• Extensive client base in over 40 countries
eEye Digital Security
CCP Ltd. Background
• A three year old security consulting company
• Based in Phoenix, Arizona
• Provides consulting, design, implementation, and support of Network Enterprise Solutions focusing on Internet, Intranet, and Extranet Security
• Client base includes Fortune 500 companies and governmental agencies
• Computer Consulting Partners, Ltd. has partnered with eEye to provide the highest quality of information security consulting and products
Computer Consulting Partners, Ltd.
eEye Client List
Some of the world’s leading corporate and government entities secure their networks with our products:
Intel, University of Chicago, IBM Corp., Dartmouth Medical School, US Navy, CMGI, Dupont, Federal Reserve Bank, Southern California Edison, AT&T, Microsoft, Lotus, FAA, KPMG, Arthur Andersen, Bank of America, PR Newswire, EDS, Domainnames.com, Bid.com, University of California Los Angeles, Ernst & Young
Competitive Positioning
eEye Product Positioning
• Focus on developing best-of-breed security software products
• Complement existing tools such as Firewalls and Intrusion Detection Systems
• Provide the network administrator with user friendly tools that help them keep up with ever changing security requirements
• Provide security consultants with powerful tools that will significantly increase their efficiency and ability to deliver services
CCP Ltd. Positioning
• Focus on providing our clients with state-of-the-art security solutions, using best of breed products
• Focus on providing our clients with high quality audits and assessments of their current IT infrastructure vulnerabilities
• Focus on providing our clients with state-of-the-art penetration testing techniques
• Enable our clients to understand and support the solutions after we leave
• Support the client to enable their success
There are Several Equally Vital Tools to Securing a Network
[Diagram: “Your Network” surrounded by a Firewall, a Vulnerability Scanner, Intrusion Detection Systems (IDS), a Network Traffic Analyzer, Virus Scanning and Application Security, arranged along a Reactive / Proactive axis]
eEye Focuses on Proactive Security Tools
[Diagram: the same layout with eEye’s products placed on it: Retina™ Network Security Scanner, Iris™ Network Traffic Analyzer and SecureIIS™ Web Application Firewall, alongside the Firewall, Intrusion Detection System (IDS) and Virus Scanner protecting “Your Network”]
The CCP and eEye Partnership
• While eEye focuses on proactive security products, CCP focuses on all-encompassing security solutions
• Utilizing our partnerships with best of breed vendors, like eEye, we can offer solutions that fit your needs
CCP Focuses on Enabling All-Encompassing Security Solutions and Proactive Services
[Diagram: the components CCP places around “Your Network”: Checkpoint Firewall-1 or Cisco PIX; ISS RealSecure, Tripwire and Snort; VPN access and link encryptors; TrendMicro virus scanner; biometrics and access control; traffic analysis and infrastructure audit; vulnerability assessments; secure design of application and service infrastructure]
Retina: The Network Security Scanner
Retina – What it Does
• Retina scans a server, workstation, firewall, router, etc. for vulnerabilities
• Enter into Retina the IP address or URL of a machine (say www.eEye.com) and Retina will audit that machine
• The result is an interactive or printable report listing all the vulnerabilities on that machine
• For each of the vulnerabilities, Retina provides a risk assessment and indicates how to fix it, either by providing the appropriate patch link or by providing a step-by-step procedure for configuring the machine to fix the problem
• For many vulnerabilities, Retina has a revolutionary “Auto Fix-It” capability that makes the required system changes
Sample Retina Screen Shot
[Screenshot: the Retina scan window, with callouts for the scanned computer, the identified vulnerabilities, the risk level, the selected vulnerability and its description, the fix description and the Auto Fix button]
Retina Features – Vulnerability Auditing Modules
Retina includes vulnerability scanning and auditing for the following systems & services:
• NetBIOS
• HTTP, CGI and WinCGI
• FTP
• DNS
• DoS
• POP3
• SMTP
• Registry
• Services
• Users and Accounts
• Password vulnerabilities
• Publishing extensions
• Database servers
• Firewalls and Routers
• Proxy Servers
• Web Interfaces
• Files and permissions
• Unix RPC services
• NFS mounts
• IMAP
• LDAP
• SSH
• Telnet
• SNMP
• Trojans
• DDoS Agents
What Makes Retina Unique
• Fastest scanner in the market
• Incorporates the NMAP fingerprint database and NMAP functionality
• Smart port scanning
• CHAM [Common Hacking Attack Methods] – artificial intelligence that looks for unknown vulnerabilities
• Open architecture and API for custom audit development
• Complete control over policy and audits
• No limitations on the specific IPs audited
• Auto “Fix-It” feature
• Auto Update feature
• Smart Reporting – reporting adapts according to level of risk
• Custom Reporting – modified by the client or service provider
Retina Features
Smart Scanning
• Security scanners on the market assume that a certain port is a certain protocol
• Retina never assumes anything. It analyses the specific input/output data on a port to determine what protocol and service is actually running
CHAM (Common Hacking Attack Methods)
• CHAM learns as much information as possible about your network to discover unknown vulnerabilities
• Based on this information, CHAM then performs hacking attacks on several protocols that you may pre-select in the Policies menu (FTP, POP3, SMTP, HTTP)
Open Architecture
• Retina offers the flexibility to create customized modules in any programming language, including Perl, C, C++, Visual Basic, Delphi, etc.
• With our new RTH Wizard, administrators can create custom audits on the fly
Fix-It
• For certain vulnerabilities that require configuration changes, Retina provides the ability to auto-fix the problem
• This feature saves network administrators and consultants significant time
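The port-independent identification that the Smart Scanning bullets describe, as an added example rather than eEye’s code: the listener is classified by the first bytes it actually returns, and that evidence is compared with what the port number alone would suggest. The fingerprint patterns, the port defaults and the sample responses are all constructed for this illustration.

```python
"""Classify a listener by its banner rather than its port number, then flag
listeners where the two disagree. Added illustration, not eEye code; the
fingerprint rules, port defaults and sample responses are constructed."""
import re
from typing import Optional

# Ordered (service, pattern) pairs tried against the first bytes a listener
# returns. Order matters: the more specific patterns are listed first.
FINGERPRINTS = [
    ("ssh",  re.compile(rb"^SSH-\d\.\d+-")),
    ("http", re.compile(rb"^HTTP/\d\.\d \d{3}")),
    ("smtp", re.compile(rb"^220[ -].*(?:SMTP|ESMTP)", re.IGNORECASE | re.DOTALL)),
    ("ftp",  re.compile(rb"^220[ -].*FTP", re.IGNORECASE | re.DOTALL)),
    ("pop3", re.compile(rb"^\+OK\b")),
    ("imap", re.compile(rb"^\* OK\b")),
]

# What a port-based scanner would assume without looking at the data.
PORT_DEFAULTS = {21: "ftp", 22: "ssh", 25: "smtp", 80: "http", 110: "pop3", 143: "imap"}


def identify_service(banner: bytes) -> Optional[str]:
    """Return the service implied by the banner bytes, or None if unrecognised."""
    for name, pattern in FINGERPRINTS:
        if pattern.search(banner):
            return name
    return None


def classify(port: int, banner: bytes) -> dict:
    """Combine banner evidence with the port default. A mismatch is where a
    port-based audit goes wrong: the wrong checks run, or none at all."""
    observed = identify_service(banner)
    expected = PORT_DEFAULTS.get(port)
    return {
        "port": port,
        "expected": expected,
        "observed": observed,
        "mismatch": observed is not None and expected is not None and observed != expected,
        "unknown": observed is None,
    }


# Constructed sample responses (not captured from any real host).
SAMPLE_RESPONSES = {
    22:   b"SSH-2.0-OpenSSH_2.9\r\n",
    25:   b"220 mail.example.test ESMTP ready\r\n",
    80:   b"HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/5.0\r\n\r\n",
    8080: b"SSH-1.99-OpenSSH_2.9\r\n",            # SSH on a non-standard port
    110:  b"220 ftpd ready. Login please.\r\n",   # an FTP daemon answering on the POP3 port
    4444: b"\x00\x01garbage",                     # nothing recognised
}


def audit(responses: dict) -> list:
    """Classify every (port, banner) pair; returns one result dict per port."""
    return [classify(port, banner) for port, banner in sorted(responses.items())]


if __name__ == "__main__":
    for r in audit(SAMPLE_RESPONSES):
        flag = "MISMATCH" if r["mismatch"] else ("UNKNOWN" if r["unknown"] else "ok")
        print(f"port {r['port']:>5}: expected={r['expected']} observed={r['observed']} [{flag}]")
```

Run directly, each constructed response is labelled ok, MISMATCH (the banner contradicts the port) or UNKNOWN; in an inventory the MISMATCH and UNKNOWN rows are exactly the listeners a port-based scan would test with the wrong audits or skip entirely.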
Retina Features
Policies
• Retina allows total flexibility on which audits to perform (ports, audit classes, etc.)
• For example, create a policy that only audits DoS vulnerabilities, or define the NT IP Fragment Reassembly audit within the DoS class
Auto Update
• There are 10 to 50 vulnerabilities discovered every day. eEye discovers many of these and regularly updates its vulnerability database
• Retina users are able to regularly update their vulnerability database through a simple Retina interface over a normal internet connection
Smart Reporting
• Retina produces highly customizable reports of network scans, tailored to the technical sophistication of the targeted report audience
• The reports can be highly “white-labeled”
• The reports provide a vivid graphical representation of the vulnerability and risk profile of a scanned host or network
How does Retina stack up to the competition?
Features compared across network vulnerability scanners (eEye Retina, ISS Scanner, NAI Cybercop, Bindview BV-Control, Symantec NetRecon):
• Smart Reporting: all five scanners
• Smart Scanning: Retina only
• Autofix: three of the five
• Auto Update: four of the five
• CHAM: Retina only
• Open Architecture: three of the five
• Centralized Management: three of the five
Retina is the FASTEST Security Scanner on the market, includes the “Fix-It” option, and is known for ease-of-use.
SecureIIS: The Application Firewall for Microsoft’s IIS Web Server
The Issue That SecureIIS Addresses
• Web servers are the most vulnerable part of a network since they are open to the public and must allow various forms of traffic to enter the server
• Traditional server protection such as network firewalls and intrusion detection systems are not always able to protect a server, for several reasons:
  • Firewalls and IDS systems rely on a database of known hacker attack signatures
  • Hackers are able to slightly modify attacks to get around these systems…
  • … the IT administrator may not have updated the systems with the latest database…
  • … or, worse yet, there are types of attacks that have not been identified by any security organization (unknown attacks)
The Issue That SecureIIS Addresses
• Microsoft’s IIS (Internet Information Services) is a very popular Web server application running on approximately 8 million servers worldwide
• IIS is notorious for being susceptible to hacker attacks
• Over the last few years, Microsoft has released several security updates and patches to cover discovered vulnerabilities
• Security research firms continue to uncover more vulnerabilities. eEye recently uncovered two major vulnerabilities, one of which was leveraged by the Code Red worm
• IT administrators tend to share a growing frustration with maintaining the security of IIS…
• … a great lead-in for the value of SecureIIS
SecureIIS – The Application Firewall
• SecureIIS is an “Application Firewall” designed specifically to protect IIS
• SecureIIS is not dependent on a vulnerability or attack signature database
• SecureIIS protects against “classes” of hacker attack. Instead of looking for specific attack signatures, it blocks entire classes of attack by detecting their overall characteristics
• The application, an extension of the eEye CHAM technology in Retina, “understands” how a web server behaves. Any activity on the network contrary to this authorized behavior is stopped
• SecureIIS has been shown to prevent attacks that leverage known vulnerabilities…
• … in the case of Code Red, SecureIIS protected its clients from that worm before the worm was discovered by the industry
SecureIIS Product Features
SecureIIS wraps around Internet Information Server and works within it, verifying and analyzing incoming and outgoing Web server data for any possible security breaches.
The classes of attack that SecureIIS protects against:
• Buffer Overflow Attacks
• High Bit Shellcode Protection
• Parser Evasion Attacks
• Directory Traversal Attacks
• General Exploitation
• Banner replacement
• Logging of failed requests
Product Interface
[Screenshot: the SecureIIS configuration window, with callouts]
• Multiple Web sites on a single server can be protected
• The user can configure the parameters that are protected in each of the classes of attack
• Classes of hacker attacks blocked: each represents a category of attack with sub-categories that are configurable
• Each class of attack is described in detail with assistance on configuration
Product Interface
• SecureIIS also protects IIS-related applications such as FrontPage and Outlook Web Access
Description of the Classes of Attack
Buffer Overflow Attacks
Buffer overflow vulnerabilities stem from problems in string handling. When a program copies a string or buffer into a destination buffer that is smaller than the source, an overflow can result. If the destination buffer is overflowed sufficiently it will overwrite various crucial system data. In most situations an attacker can leverage this to take over a specific program's process, thereby acquiring the privileges that process or program has. SecureIIS limits the size of the "strings" being copied; doing this greatly reduces the chance of a successful buffer overflow.
Parser Evasion Attacks
Insecure string parsing can allow attackers to remotely execute commands on the machine running the Web server. If the CGI script or Web server feature does not check for various characters in a string, an attacker can append commands to a normal value and have the commands executed on the vulnerable server.
Directory Traversal Attacks
In certain situations, various characters and symbols can be used to break out of the Web server's root directory and access files on the rest of the file system. By checking for these characters and only allowing certain directories to be accessed, directory traversal attacks are prevented. In addition, SecureIIS only allows clients to access certain directories on the server, so even if a new hacking technique arises, breaking out of the webroot will still be impossible.
General Exploitation
Buffer overflows, format bugs, parser problems, and various other attacks will contain similar data. Exploits that execute a command shell will almost always have the string "cmd.exe" in the exploiting data. By checking for common attacker "payloads" involved with these exploits, we can prevent an attacker from gaining unauthorized access to your Web server and its data.
Description of the Classes of Attack
HTTPS/SSL Protection
SecureIIS resides inside the Web server, thus capturing HTTPS sessions before and after SSL (Secure Socket Layer) encryption. Unlike any Intrusion Detection System or firewall currently on the market, SecureIIS has the ability to stop attacks on both encrypted and unencrypted sessions.
High Bit Shellcode Protection
Shellcode is what is sent to a system to exploit a hole such as a "buffer overflow". High Bit Shellcode Protection offers a high degree of protection against this type of attack because it drops and logs all requests containing characters with the high bit set. Normal Web traffic, in English, should not contain these characters, and almost all "shellcode" requires them to produce an effective exploit.
Third Party Application Protection
The power of SecureIIS is not limited to IIS-specific vulnerabilities. SecureIIS can also protect third party applications and custom scripts from attack. If your company has developed customized components for your Web site, components that might be vulnerable to attack, you can use SecureIIS to protect those components from both known and unknown vulnerabilities. Let SecureIIS work as your own web-based "Security Quality Assurance" system.
Logging of Failed Requests
In the installed SecureIIS directory, we post a file called SecureIIS.log. This file contains a log of all attacks and what triggered the event that caused SecureIIS to drop the connection. This is an effective way to monitor why requests are being stopped, and who is requesting things that they shouldn't. Since SecureIIS enforces a strong security policy for how sites are configured, you can use this log to find places where your Web site may not be acting correctly due to an insecure setting. Also, since Internet Information Server has the unfortunate habit of not logging successful attacks such as buffer overflows, a twofold security benefit is provided here: such attacks are not only stopped, but also logged, so you can take action accordingly.
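A miniature request filter that applies the classes described on the two slides above to raw HTTP requests, added here as an example and not SecureIIS code. It enforces size limits before parsing (buffer overflow class), drops requests carrying bytes with the high bit set (high bit shellcode), normalizes the requested path after decoding it twice and refuses anything that climbs above the webroot or outside an allowed directory (directory traversal), looks for payload markers such as cmd.exe (general exploitation), rejects shell metacharacters in query strings that feed scripts (parser evasion), and records every dropped request with its cause in a SecureIIS.log-style list. The Policy values, the allowed-directory list, the payload markers and every sample request are constructed for the illustration.

```python
"""Request filter demonstrating the SecureIIS attack classes. Added example,
not SecureIIS code: Policy values, the directory allowlist and all sample
requests are constructed for illustration."""
from dataclasses import dataclass
from urllib.parse import unquote_to_bytes


@dataclass
class Policy:
    max_request_line: int = 1024                      # bytes allowed to reach the parser
    max_header_value: int = 2048                      # bytes per header value
    allowed_dirs: tuple = ("/docs/", "/scripts/", "/images/")  # reachable sub-trees (assumed)
    cgi_dirs: tuple = ("/scripts/",)                  # query strings here are fed to scripts
    shell_metachars: bytes = b"|;`&$<>\n"
    payload_markers: tuple = (b"cmd.exe", b"/bin/sh")
    block_high_bit: bool = True


LOG = []   # stands in for a SecureIIS.log-style file: one entry per dropped request


def resolve_path(raw: bytes):
    """Return (normalized_path, escaped_root). Decodes twice so %252e-style
    double encoding is seen, treats '\\' as '/', and walks the segments so a
    '..' that climbs above the root is reported rather than silently dropped."""
    text = unquote_to_bytes(unquote_to_bytes(raw)).decode("latin-1")
    stack, escaped = [], False
    for seg in text.replace("\\", "/").split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if stack:
                stack.pop()
            else:
                escaped = True
        else:
            stack.append(seg)
    return "/" + "/".join(stack), escaped


def check_request(raw: bytes, client: str = "10.0.0.1", policy: Policy = Policy()):
    """Return (allowed, reason); every drop is appended to LOG with its cause."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    first_line = lines[0]

    def drop(reason):
        LOG.append(f"{client} DROP {first_line[:60]!r}: {reason}")
        return False, reason

    # High Bit Shellcode Protection: ordinary English web traffic has no bytes >= 0x80
    if policy.block_high_bit and any(b >= 0x80 for b in head):
        return drop("high-bit byte in request")
    # Buffer Overflow class: size limits are enforced before anything is parsed
    if len(first_line) > policy.max_request_line:
        return drop(f"request line {len(first_line)} > {policy.max_request_line} bytes")
    for hdr in lines[1:]:
        name, _, value = hdr.partition(b":")
        if len(value.strip()) > policy.max_header_value:
            return drop(f"header {name.decode('latin-1')} too long")
    parts = first_line.split(b" ")
    if len(parts) != 3:
        return drop("malformed request line")
    target = parts[1]
    path_part, _, query = target.partition(b"?")
    # General Exploitation: common payload strings, checked after decoding
    decoded_target = unquote_to_bytes(unquote_to_bytes(target)).lower()
    for marker in policy.payload_markers:
        if marker in decoded_target:
            return drop(f"payload marker {marker.decode()}")
    # Directory Traversal: judge the path the server would actually open
    path, escaped = resolve_path(path_part)
    if escaped:
        return drop("path climbs above webroot")
    if path != "/" and not any(path.startswith(d) for d in policy.allowed_dirs):
        return drop(f"path {path} outside allowed directories")
    # Parser Evasion: shell metacharacters in input that reaches scripts
    if query and any(path.startswith(d) for d in policy.cgi_dirs):
        bad = sorted({chr(c) for c in unquote_to_bytes(query) if c in policy.shell_metachars})
        if bad:
            return drop(f"metacharacters {bad} in CGI query")
    return True, "ok"


# Constructed sample requests (not captured traffic).
SAMPLES = {
    "normal":         b"GET /docs/index.htm HTTP/1.0\r\nHost: www.example.test\r\n\r\n",
    "traversal":      b"GET /docs/../../secret.txt HTTP/1.0\r\n\r\n",
    "double_encoded": b"GET /docs/%252e%252e/%252e%252e/secret.txt HTTP/1.0\r\n\r\n",
    "high_bit":       b"GET /docs/\xff\xfe\x90 HTTP/1.0\r\n\r\n",
    "overlong":       b"GET /docs/" + b"A" * 2000 + b" HTTP/1.0\r\n\r\n",
    "payload":        b"GET /images/cmd.exe HTTP/1.0\r\n\r\n",
    "outside":        b"GET /private/data.mdb HTTP/1.0\r\n\r\n",
    "cgi_meta":       b"GET /scripts/search.pl?q=foo%7Ccat HTTP/1.0\r\n\r\n",
    "static_query":   b"GET /docs/page.htm?x=a|b HTTP/1.0\r\n\r\n",
}


def run_samples():
    """{name: (allowed, reason)} for every constructed sample."""
    return {name: check_request(req) for name, req in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:14} {verdict}")
    print("\n".join(LOG))
```

The order of the checks is the design point: the cheap byte-level tests (high bit, length) run on the raw request before any parsing, and the path is judged only after it has been fully decoded and normalized, so an encoding trick that fools a naive substring match for ".." still ends up as a path that visibly leaves the root. The metacharacter rule is applied only where the query would actually reach a script, which keeps ordinary static pages with odd query strings from being dropped.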
Iris: The Network Traffic Analyzer
Iris – The Network Traffic Analyzer
• Iris is a revolutionary product and has very little competition in the market
• In “promiscuous mode”, it captures all data traffic within a network. For example, when a web page is served, the data is available on the entire network, but only one computer is “listening” for it. A machine in “promiscuous mode” would also pick up that data
• The challenge is organizing and understanding the massive amount of data a computer in promiscuous mode would pick up
Iris – The Network Traffic Analyzer
• Iris organizes and displays data packets, their origin, their destination and other technical information
• Most importantly, Iris recognizes various protocols (HTTP, POP3, SMTP, etc.) and decodes these packets into recognizable forms such as web pages. This allows Iris to act as a video recorder of the activity of network users, giving the network owner tremendous control over the network
• Iris is also capable of monitoring and alerting on various variables such as words (pornography), IP addresses (competitors, restricted sites) and more
Iris – Screen Shot
[Screenshot: the Iris list of data packets, with the analysis of a selected data packet]
Iris – Screen Shot
[Screenshot: the Iris Network Users view and the Decoder, showing what the user SKYWALKER is looking at]
Iris Features
Monitoring Users
• Iris decodes most non-encrypted network protocols such as HTTP, POP3, SMTP and many others
• With the click of a button you will know which sites network users have visited, and Iris will regenerate the visited web pages with their formatting and content
• Iris monitors non-encrypted web-based mail, messenger service and chat activity
Network VCR
• Iris has the ability to act as a “VCR” for your network by recording all information traveling across a network
• Recorded information can be viewed and decoded in real time or played back at a later time
• This network “VCR” capability also demonstrates Iris’ unrivaled ease-of-use
Screening Tools
• Iris monitors network traffic by setting numerous screening criteria
• Monitor and record network traffic based on a specific MAC address, IP address, word, protocol, etc.
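The processing the Iris slides describe, from captured segments to “which site did this user visit” and word alerts, as an added example that is not Iris code: segments are grouped into flows and joined in sequence order, flows to port 80 are decoded as HTTP requests, every reassembled stream is searched for watched words, and cleartext POP3 logins are pointed out because the slides’ own caveat is that only non-encrypted protocols can be read this way. The segment list is a constructed capture, not real traffic, and the watch list is an assumption.

```python
"""Flow reassembly, HTTP decoding and word alerts over a constructed capture.
Added example, not Iris code; the segments and watch list are constructed."""
from collections import defaultdict

# Constructed segments: (src_ip, src_port, dst_ip, dst_port, seq, payload).
# The first two belong to one flow and are deliberately listed out of order.
SEGMENTS = [
    ("10.0.0.5", 1025, "192.0.2.10", 80, 38, b"ample.test\r\n\r\n"),
    ("10.0.0.5", 1025, "192.0.2.10", 80, 1, b"GET /index.htm HTTP/1.0\r\nHost: www.ex"),
    ("192.0.2.10", 80, "10.0.0.5", 1025, 1,
     b"HTTP/1.0 200 OK\r\nContent-Type: text/html\r\n\r\n<html>secret plans</html>"),
    ("10.0.0.7", 1030, "192.0.2.20", 80, 500, b"GET /jobs HTTP/1.0\r\nHost: competitor.test\r\n\r\n"),
    ("10.0.0.5", 1026, "192.0.2.30", 110, 1, b"USER alice\r\nPASS hunter2\r\n"),
]

WATCH_WORDS = ("secret", "competitor.test")   # assumed watch list


def reassemble(segments):
    """Group segments by (src, sport, dst, dport) and join their payloads in
    sequence-number order; returns {flow_key: bytes}."""
    flows = defaultdict(list)
    for src, sport, dst, dport, seq, payload in segments:
        flows[(src, sport, dst, dport)].append((seq, payload))
    return {key: b"".join(p for _, p in sorted(chunks)) for key, chunks in flows.items()}


def client_of(flow_key):
    """The endpoint that did not use a well-known port is treated as the client,
    so both directions of a conversation are attributed to the same machine."""
    src, sport, dst, dport = flow_key
    return src if dport < 1024 else dst


def decode_http_request(stream: bytes):
    """Parse a request line plus headers; returns None if it is not HTTP."""
    head = stream.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": parts[0], "path": parts[1], "host": headers.get("host", "")}


def visited_sites(segments):
    """Sorted [(client_ip, url)] for every flow carrying an HTTP request to port 80."""
    visits = []
    for key, stream in reassemble(segments).items():
        if key[3] != 80:
            continue
        req = decode_http_request(stream)
        if req:
            visits.append((client_of(key), f"http://{req['host']}{req['path']}"))
    return sorted(visits)


def alerts(segments, words=WATCH_WORDS):
    """Sorted [(client_ip, word)] for each watched word seen, case-insensitively,
    in either direction of any reassembled stream."""
    hits = set()
    for key, stream in reassemble(segments).items():
        text = stream.decode("latin-1").lower()
        for w in words:
            if w.lower() in text:
                hits.add((client_of(key), w))
    return sorted(hits)


def cleartext_logins(segments):
    """Sorted [(client_ip, username)] for POP3 streams carrying USER and PASS.
    The password is deliberately not returned; the finding is that it was readable."""
    found = []
    for key, stream in reassemble(segments).items():
        if key[3] == 110 and b"USER " in stream and b"PASS " in stream:
            user = stream.split(b"USER ", 1)[1].split(b"\r\n", 1)[0].decode("latin-1")
            found.append((client_of(key), user))
    return sorted(found)


if __name__ == "__main__":
    print("visited:", visited_sites(SEGMENTS))
    print("alerts:", alerts(SEGMENTS))
    print("cleartext POP3 logins:", cleartext_logins(SEGMENTS))
```

The reassembly step is what turns a packet list into something a decoder can use: the request line and Host header of the first flow are split across two segments that arrive out of order, and only after sorting by sequence number does the URL come out whole.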
Building Successful Security Infrastructures
Some Information to Help You Build a Successful Security Infrastructure
Digital Security – The Problem is Real
• 90% of companies surveyed by the FBI have detected cyber attacks recently
• Disgruntled employees, industrial espionage, and data theft are responsible for 70-80% of security breaches
• Increase in external threats from hackers, ex-employees, competitors and cyber terrorists
• The rise of “Script Kiddies”: hackers who do not target specific organizations, but run scripts scanning the net for ANY vulnerable network
Digital Security – The Problem is Real
• 273 organizations reported $265 million in financial losses in the year 2000
• Financial losses due to cyber attacks in the year 2000 were higher than in 1997, 1998 and 1999 combined
• The annual loss from computer network crime is $550 million in the U.S. alone*
Source: survey by the Computer Security Institute (CSI) and the Federal Bureau of Investigation, 2000
* National Center for Computer Crime Data in Santa Cruz, California
Seven Fatal Digital Security Management Errors
• Relying primarily on a firewall for security perimeter protection.
• Failure to realize how much money, information and organizational reputation are worth.
• Pretending the problem will go away.
• Authorizing reactive, short-term fixes so problems re-emerge quickly.
• Failure to deal with the operational aspects of security: making a few fixes and then not following through to ensure the problem stays fixed.
• Failure to understand the relationship of information security to the business problem: they understand physical security, but do not see the consequences of poor information security.
• Assigning untrained people to maintain security and providing neither the training nor the time to make it possible to do the job.
Typical Security Perimeter Failures
• Management and support personnel often rely exclusively on firewalls and ignore internal digital security considerations
• Members of your organization can easily request that analog lines be installed at their workspace. These are often used to connect to ISPs or to set up dial-in access to their desktop system, thus bypassing any protection from the security perimeter
• Some network services (e.g., ftp, tftp, http, sendmail) destined for internal hosts are passed through the security perimeter control points unscreened
• The firewall hosts or routers accept connections from multiple hosts on the internal network and from hosts on the DMZ network
• Access lists are often configured incorrectly, allowing unknown dangerous services to pass through freely
• Logging of connections through the security perimeter is either insufficient or not reviewed on a regular basis
• Hosts on the DMZ or hosts running firewall software are also running unnecessary services such as tftp, telnet, rpc, mail, etc.
• Support personnel use telnet or other unencrypted protocols for managing the firewalls and other DMZ devices
• People frequently implement encrypted tunnels through their security perimeter without fully validating the security of the endpoints of the tunnel
Digital Security Best Practices
• An understanding of the risks to your environment. CCP can assess the risks facing your networks.
• A suite of host and network based security auditing and improvement tools. CCP and eEye can provide state-of-the-art tools to help you.
• An understanding of the business needs and the processes to meet those needs. CCP can help you realize these processes and implement solutions that ensure security success without interfering with business needs.
• A strong commitment from upper management to support your roadmap for security infrastructure improvements and to provide sufficient resources to get the work done. CCP can provide the knowledge resources to get the job done right.
• A security mission statement and the associated guiding principles.
Digital Security Best Practices
• A security awareness program that reaches everyone in the organization. CCP can help you develop a security awareness program to keep your assets safe.
• Clearly defined, implemented and documented security policies and procedures that are supplied to everyone within the organization. CCP can help you document and implement policies that can help protect your digital assets.
• A three to five year roadmap for security infrastructure improvements. CCP can help you understand where you are… and enable you to be where you want to be in the future.
• A dedicated team of trained security professionals and consultants to make it all happen. CCP & eEye can help you make it happen.
4800 N. 7th St., Phoenix, AZ 85014
Phone: (602) 277-2285
Toll-Free: (800) 665-0959
Fax: (602) 277-8099
E-Mail: Info@ccpartnersltd.com