System and Network Assurance Program (GIAC) Overview Objectives and Curriculum The SANS Institute www.sans.org October, 1999
Highlights of the GIAC Initiative: What Evaluators Like Best About GIAC • “Agreed upon course of action; real-world knowledge; do it right the first time” • “Technical depth, not just high-level fluff” • “Web or classroom training or both.” • “Move at your own pace” • “Hands-on” “Flight School” • “Certification for self confidence and employer confidence that you have the skills to do the job”
Why Do You Want To Learn How To Protect Your Information Systems? • To protect important information against disclosure or alteration • To allow your organization to continue operating • To gain new, marketable skills • To play a role in protecting the critical infrastructure of your nation and the world
Do Organizations Actually Stop Operating? Early in 1999 attackers caused one component of a federal agency to stop operating for more than two weeks while servers were checked, cleaned of the attacker’s back doors, and reloaded.
“FBI Special Agent E. Brent Rasmussen asked FBI field offices in Northern California for help in obtaining information from CIAC, Lawrence Livermore, UC Berkeley, and other sites penetrated by Infomaster. “To his shock, he was informed that the cracker had penetrated the BLM network in Portland, roamed the agency's national network, and skipped to Sacramento, where he easily obtained root access on the computers that controlled every dam in the northern part of the state [of California].” From @Large, p. 200.
Summary of Objectives • Protecting information • Protecting operations • Increasing marketability • Helping to protect the critical infrastructure
INTERNET VANDALS STRIKE USIA WEB SITE • The Web site of the United States Information Agency, which is used by American diplomats abroad for statements on American policy or texts of official speeches, was broken into recently by Internet vandals who left on the USIA system a "Trojan Horse" piece of computer code that caused basic hardware damage and the destruction of the site. A USIA spokesman said security for the site will be beefed up. "We simply can't have this happening every six months. People rely on us." (New York Times 21 Jan 99)
What People Do • They hire a consultant to perform a vulnerability analysis. • The consultant provides a detailed analysis showing 5 to 50 vulnerabilities for every system. • They send the vulnerability report to the system administrators with a strong suggestion that the problems should be fixed right away.
What Actually Happens Then? • The sysadmins are overwhelmed by the number of tasks and the hours/days required. • They do things they know how to do. Lack of knowledge slows progress. • The demands of their regular work reassert themselves. Boss says “Let’s just get this one project done and then you can go back to the security project.” • And then....
INTERNET VANDALS STRIKE USIA WEB SITE • The Web site of the United States Information Agency, which is used by American diplomats abroad for statements on American policy or texts of official speeches, was broken into recently by Internet vandals who left on the USIA system a "Trojan Horse" piece of computer code that caused basic hardware damage and the destruction of the site. A USIA spokesman said security for the site will be beefed up. "We simply can't have this happening every six months. People rely on us." (New York Times 21 Jan 99)
Why Security Problems Persist • Lack of agreement on what needs to be done. • Endless lists of “vulnerabilities” • Administrators with limited security skills. • Managers who give security lower priority.
What Is The System and Network Assurance Program? • A step-by-step training and certification program to close security holes • Delivered via the web and in live classes • With both knowledge-based and skills-based components • To train people who can make changes needed today and be ready to meet challenges that arise in the future.
LevelOne Roadmap • Demonstrate hands-on skills* in • Anti-virus installation and virus capture and eradication, on both workstations and servers • System backup, UNIX/Linux and NT • Password testing • Firewall ruleset modification and testing; setting router ACLs • Network mapping, vulnerability assessment, and closing the holes (LevelOne Notebook) • Damage control, evidence collection, investigation and forensics *Policies are required and/or supplied for each capability
LevelOne Roadmap (cont) • Demonstrate core knowledge expected of a security professional • Security architecture and principles • Ethics and policy • Perimeter defense, plus IP fundamentals • UNIX/Linux and/or NT system auditing and administration • Incident handling and investigation
LevelTwo Roadmap • Here you raise the overall enterprise security level. Demonstrate skills in and/or knowledge in: • Insider threats: sources and countermeasures • Physical security; Layered security • Network-based intrusion detection sensor deployment and header-based analysis • Securing remote access through authentication/ authorization (SSH, tokens, TACACS, RADIUS, IPSEC) • Modem sweeps • LevelTwo vulnerability scanning/correction (use LevelTwo Notebook)
LevelThree Roadmap • Here you take on the harder challenges that may do the most good. Demonstrate hands-on skills in and/or knowledge in • Change control and configuration management (the heart of the matter) • Security awareness implementation (“drivers license renewal”) • Virtual Private Network appropriateness/ planning/deployment, plus other cryptography (SSL, PGP, IPSEC) • Securing web servers • Log file monitoring and analysis (automated scripts) • Professional development: making the most of opportunities with management, effective presentation and writing budgeting, project management, advanced incident handling
LevelOne StepOne • 1.1.1 Information Assurance Foundations “The Big Picture” • 1.1.2 Network Foundation Course: IP Concepts • 1.1.3 Network Foundation Course: IP Behavior Pt 1 • 1.1.4 Threat Foundation Course: What the Hackers Know About You - Internet Threat • 1.1.5 Basic NT Auditing • 1.1.6 Basic Unix/Linux Auditing
The Big Picture: Information Assurance Foundations • What students report: • Excellent for the beginner and great review for the intermediate security professional! -Ian McCain, Data Processing Sciences Inc. • Brings Info Security into focus. We all run around worrying about our little niche, but this gives the big picture. -Kevin Davidson, UTA, Inc • It will give them a real clue, there is more to security than throwing in a FW. The examples are meaningful. The hacks are real. -Teri Lindstrom, Renaissance Worldwide Inc • I've been reading about IT security for some time but I always felt lost in an ocean of information, this course points me to the road step by step to understand the whole picture. -Basima Zaidan, Jordan Ministry of Post and Communication
Packets [Figure: a packet drawn as a string of bits, divided into Header and Data] The header provides addressing and type information, much like the outside of a snail-mail envelope.
Packets Have Addresses [Figure: two hosts, IP 172.20.31.25 and 172.20.31.28, MAC 0826C1f45231 and 0826Cf1541f2] In the envelope analogy, Internet Protocol (IP) addresses are like your name and Media Access Control (MAC) addresses are like your street address. (The packet shown is notional: IP packets do not carry MAC addresses, but Ethernet frames do.)
Frames and packets: frames are packets on the media. [Figure: Frame Header (14 bytes) | Data | Frame Trailer (4 bytes)]
Service Table: network services, Internet style
$ cat /etc/services
ftp     21/tcp
telnet  23/tcp
smtp    25/tcp
domain  53/udp
domain  53/tcp
...
People like names, computers like numbers.
TCP and UDP: what a difference an ACK makes • Transmission Control Protocol (TCP): reliable, connection oriented, slower, internet optimized • User Datagram Protocol (UDP): unreliable, connectionless, faster, intranet optimized
Routing Example: 172.20.41.2 wants to talk to 172.20.19.8. What has to happen? - 41.2 builds a packet and puts it on the media - The router forwards it to 19.8 [Figure addresses: 172.20.41.1, 172.20.41.2, 172.20.19.8, 172.20.19.212]
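The packet, frame, service-table, TCP/UDP and routing slides above describe what a host puts on the wire and how it gets to the other end. The Python below is an added example, not material from the SANS course: it builds an Ethernet frame of the kind the slides picture, then decodes it layer by layer (14-byte frame header and 4-byte trailer, IPv4 header with checksum check, TCP or UDP ports looked up in a small services table) and decides whether the destination is on the sender's link or must go to the router. The MAC and IP addresses are the ones on the slides; the /24 prefix used for the routing decision, the sample ports and the services-table contents are assumptions.

```python
# Added example (not from the SANS slides). Builds and decodes a constructed
# Ethernet/IPv4 frame offline; the /24 prefix in next_hop() is an assumption.
import ipaddress
import struct

# A slice of /etc/services in the style of the slide (constructed, not read from disk).
SERVICES = {("tcp", 21): "ftp", ("tcp", 23): "telnet", ("tcp", 25): "smtp",
            ("udp", 53): "domain", ("tcp", 53): "domain"}


def ip_checksum(header: bytes) -> int:
    """RFC 791 header checksum: one's-complement sum of the 16-bit words."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_tcp(sport: int, dport: int, flags: int = 0x02, data: bytes = b"") -> bytes:
    """20-byte TCP header (data offset 5) plus payload; default flags = SYN."""
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 8192, 0, 0) + data


def build_udp(sport: int, dport: int, data: bytes = b"") -> bytes:
    """8-byte UDP header plus payload: no sequence numbers, no ACKs."""
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """20-byte IPv4 header with a valid header checksum, followed by the payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0x4000,
                      64, proto, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:] + payload


def build_frame(dst_mac: str, src_mac: str, ip_packet: bytes) -> bytes:
    """14-byte Ethernet header (EtherType 0x0800) + packet + 4-byte FCS placeholder."""
    hdr = struct.pack("!6s6sH", bytes.fromhex(dst_mac), bytes.fromhex(src_mac), 0x0800)
    return hdr + ip_packet + b"\x00\x00\x00\x00"  # constructed trailer, not a real CRC


def parse_ethernet(frame: bytes):
    """Split off the 14-byte header and 4-byte trailer shown on the frame slide."""
    if len(frame) < 18:
        raise ValueError("frame too short for header + trailer")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    mac = lambda m: ":".join(f"{b:02x}" for b in m)
    return mac(dst), mac(src), ethertype, frame[14:-4]


def parse_ipv4(packet: bytes) -> dict:
    """Check version, IHL and header checksum before trusting any field."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[0] >> 4 != 4 or ihl < 20 or len(packet) < ihl:
        raise ValueError("malformed IPv4 header")
    if ip_checksum(packet[:ihl]) != 0:
        raise ValueError("IPv4 header checksum mismatch")
    total_len = struct.unpack("!H", packet[2:4])[0]
    return {"src": str(ipaddress.IPv4Address(packet[12:16])),
            "dst": str(ipaddress.IPv4Address(packet[16:20])),
            "ttl": packet[8], "ip_proto": packet[9], "payload": packet[ihl:total_len]}


def parse_transport(ip_proto: int, segment: bytes) -> dict:
    """Ports, service name and (TCP only) the SYN/ACK bits that UDP does not have."""
    sport, dport = struct.unpack("!HH", segment[:4])
    if ip_proto == 6:
        name, flags = "tcp", segment[13]
        extra = {"syn": bool(flags & 0x02), "ack": bool(flags & 0x10)}
    elif ip_proto == 17:
        name, extra = "udp", {}
    else:
        raise ValueError(f"unsupported IP protocol {ip_proto}")
    return {"proto": name, "sport": sport, "dport": dport,
            "service": SERVICES.get((name, dport), str(dport)), **extra}


def next_hop(src: str, dst: str, prefix: int = 24) -> str:
    """'direct' if dst is on the sender's link, else 'router'. The prefix is assumed."""
    net = ipaddress.ip_network(f"{src}/{prefix}", strict=False)
    return "direct" if ipaddress.ip_address(dst) in net else "router"


def decode(frame: bytes) -> dict:
    """Full walk: frame -> packet -> segment -> service name and first hop."""
    dst_mac, src_mac, ethertype, payload = parse_ethernet(frame)
    if ethertype != 0x0800:
        raise ValueError(f"not IPv4, EtherType 0x{ethertype:04x}")
    ip = parse_ipv4(payload)
    out = {"dst_mac": dst_mac, "src_mac": src_mac, "src": ip["src"], "dst": ip["dst"],
           "ttl": ip["ttl"], "path": next_hop(ip["src"], ip["dst"])}
    out.update(parse_transport(ip["ip_proto"], ip["payload"]))
    return out


def is_valid_frame(frame: bytes) -> bool:
    """True when every layer parses and the IPv4 header checksum verifies."""
    try:
        decode(frame)
        return True
    except ValueError:
        return False


# Constructed sample: the two hosts from the address slide, a telnet SYN (ports assumed).
SAMPLE = build_frame("0826Cf1541f2", "0826C1f45231",
                     build_ipv4("172.20.31.25", "172.20.31.28", 6, build_tcp(1025, 23)))

if __name__ == "__main__":
    print(decode(SAMPLE))
```

Running it prints the decoded fields for the sample frame. Two things worth noticing: the only difference between the TCP and UDP paths in the decoder is that TCP carries sequence numbers and the SYN/ACK flag bits (the "ACK" the slide refers to), and a single flipped bit anywhere in the IP header makes the checksum fail, so the parser refuses the packet rather than acting on a corrupted address.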
Sample slides from the Internet Threats class • Threats from the Internet teaches you the types of attacks that are being actively launched against internet-connected computers • Knowing the attacks makes it easier to understand the defenses.
PCs ship with fast modems as standard equipment [Figure: PC with modem, ISP, INTERNET, Firewall] The more restrictive a site's firewall policy, the more likely the employees will use modems.
Tools that may be visiting your DMZ • Trojans • Jackal • Queso, “Passive Queso” • Nmap • Hping • ICMP by slayer, sscan ...
Moving Through The Program • Download the visuals • Listen to the course online • Listen again and read the notes for parts that are difficult. • Take the quiz. • Complete the feedback form
The Questions We Get Asked We hope you’ll add more
How Long Will It Take? • GIAC LevelOne Ground School has approximately 40 hours of courses. We expect you’ll be able to complete all of them in 3 months. • If you do, you’ll be eligible for Flight School early in 2000.
How Much Does It Cost? • LevelOne Ground School costs $2,500 including technical support and all tests and access to the materials and updates for a period of one year. • That’s approximately one quarter less than the cost of the same number of course hours at a SANS conference. • Fees include licenses to pdf versions of SANS Step-by-Step Guides (Solaris, Linux, NT, Incident Handling, and Intrusion Detection).
How Do You Get Help? • At first: Email questions and receive answers the same way • Over time: Use the knowledge bank
How Do You Keep Up To Date? • Special version of the SANS Network Security Digest for certified people • Classes exclusively for certified people at SANS conferences and on the web • On-line flash updates and access to the Notebook for certified people
Can You Audit the Program? • You may take Ground School without attempting certification.
How Do You Know You Are Making Progress? • Post-tests for each course • Your own portfolio of accomplishments (that you’ll also be able to use to demonstrate mastery.)
What Questions Do You Have? Please email them to me: Stephen Northcutt, intrusion@sans.org