
1000 Hackers in a Box


barksdale

Presentation Transcript


  1. 1000 Hackers in a Box Problems with modern security scanners

  2. What is a scanner? • Collects data and deduces possible problems on your hosts • a “visibility” tool • expensive product • misunderstood product

  3. What can scanning do? • Visibility • Visibility • Visibility • Software bugs & Installation bugs • Protocols & Topology • Public Services & Versions

  4. History of scanners • SATAN in 1995, now SANTA • ISS • Ballista, now NAI cybercop (CSC) • Asmodeus, now commercial (Webtrends) • HackerShield • NetSonar (now cisco)

  5. Scanner Propaganda • Virus scanner of the 90’s • We have 3 million tests • The “Best” reporting • We “Enforce” your policy

  6. Patching bugs won’t make you secure.

  7. Signature Scanning • The attack domain is not confined • (diagram: the Scanner’s Signature Coverage is a small region; the Real World is infinite)

  8. (diagram, labels only) • Skilled / UBER • Underground Distro Network • Script Kiddies • Patch Level

  9. False Sense of Security • I ran a scan, now I’m safe • I patched the program, now I’m safe • I have a firewall, I’m safe • I have an IDS, I’m safe • I had a consultant scan me, I’m safe • I use crypto, I’m safe

  10. Just because you have a scanner doesn’t make you a Hacker • 1000 Hackers in a Box (NOT) • Doesn’t synthesize attacks based on available data • (hackers don’t just go down a checklist) • Cannot find new problems based on programming flaws

  11. You are buying a service, not a product • Secretary reads bug newsgroups for you • Version and Patch checking w/ vendors • Is your scanner making you lazy? • Reactive, not Proactive • Mean time to notification • 10 steps behind the hacker

  12. The Shiny Red Button • There is always a root compromise in your network • You cannot remove it • You can only place controls over it • Redundancy (backups, fast recovery) • Visibility (forensics & tripwires) • Deterrence (traps, prosecution, & retaliation)

  13. A Scan is NOT an Audit • Doesn’t ENFORCE Policy • Doesn’t WRITE Policy • Scanners “break” in - not “fix”

  14. Ineffective • Relies on Inference & Deduction • Very little “Verification” • Banner Strings • Registry Settings & SNMP • “Black Box” • Lazy when deep detection is possible

  15. External vs Internal scanning • Ineffective if scan filters are in place • force scanning takes longer • run both and compare

  16. False Positives • Generalizations • lack of version coverage • this is a QA Hell • Assumptions about patch level

  17. How to really screw up a Scanner • Ping and UDP scan tricks • (create extra work) • make everything listen on UDP port 1 • filter ICMP unreachable messages • don’t allow ping (must force scan) • Deception Toolkits (Honey-Pot tool) • touch all your files

  18. Scanners suffer from security bugs too! • The imports for several common scanners have calls to (do you trust this code?): • strcpy • wsprintf • getenv • system • exec • Banner overflows • Service Requests (http, smtp …)

  19. The Good Stuff is Free • The Port Scanner • nmap (www.insecure.org) • The Software Scanner • Grinder (rhino9.ml.org) • Banner Scanner (netcat & perl anyone?) • Nessus • Registry scanner • Chronicle • OS Detection • QueSO (www.apostols.org) • The Integrity Checker • tripwire (www.tripwiresecurity.com) • Deception Toolkit • http://all.net/dtk/dtk.html

  20. A bit better scanner • Verify policy • A “configuration manager”

  21. A bit better scanner • Model Authentication • Show authentication systems and domains • Show relationships between authentication system and services • Show what each entity can and cannot access

  22. A bit better scanner • Process to Process • Show inter-process relationships • File & Registry access • IPC channels • Databases • Close the “window of trust”

  23. A bit better scanner • Deep Detection • Get *as much* data as possible • drill down into exploited resources • more data is better • more data means better analysis

  24. A bit better scanner • Replay Presentation • Replay an attack in slow motion, in realtime, in a format that is easy to understand • sniffer • tty snoop • scanner is educational

  25. A bit better scanner • Use Host Based technology • Easier to verify versions and patches using file hashes • less work/less specialized programmers needed • more data easier = better analysis (and faster)
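Slides 14 and 25 contrast inference (banner strings) with verification (file hashes on the host). The following is an added example, not code from the talk: a banner check that guesses patch level from a version string, beside a host-based check that compares installed files against a known-good hash manifest. The product name, banner format and file contents are constructed for the demo.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Inference: guess vulnerability from a version number in a banner.
# "ExampleHTTPd" is a hypothetical product; the pattern is constructed.
VULNERABLE_BANNER = re.compile(r"^ExampleHTTPd/1\.(0|1)\b")


def banner_check(banner: str) -> bool:
    """Return True if the banner *looks* vulnerable. Pure inference:
    a host running a back-patched 1.1 still matches (false positive),
    and a host with an edited banner is silently missed (false negative)."""
    return bool(VULNERABLE_BANNER.match(banner))


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large binaries are not read at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def host_check(root: Path, manifest: dict) -> dict:
    """Verification: compare each file under root with its known-good hash.
    Returns {relative_path: 'ok' | 'modified' | 'missing'}."""
    result = {}
    for rel, good in manifest.items():
        p = root / rel
        if not p.exists():
            result[rel] = "missing"
        else:
            result[rel] = "ok" if sha256_of(p) == good else "modified"
    return result


def demo() -> tuple:
    """Build a constructed host tree in a temp dir and run both checks."""
    patched = b"constructed patched build 1.1p2"
    manifest = {  # constructed manifest: path -> SHA-256 of the patched build
        "bin/httpd": hashlib.sha256(patched).hexdigest(),
        "bin/ftpd": hashlib.sha256(b"constructed patched ftpd").hexdigest(),
    }
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "httpd").write_bytes(patched)
        before = host_check(root, manifest)          # httpd ok, ftpd missing
        (root / "bin" / "httpd").write_bytes(b"tampered")
        after = host_check(root, manifest)           # httpd now modified
    return banner_check("ExampleHTTPd/1.1 (patched)"), before, after
```

The banner check reports the patched host as vulnerable, while the hash check says exactly which files match the known-good build and which do not.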

  26. A bit better scanner • Focus on general security issues, not line item bugs • verify confidentiality of information • verify authentication systems • verify IDS working properly • verify trusted/untrusted relationships

  27. A bit better scanner • Model protocol usage • since applications may depend on protocol security, show these relationships • show encapsulation

  28. A bit better scanner • Auto-patching wizard • gets patches • verifies file hashes • Wizard helps build patch script • patches are automatically deployed • verifies installation is secure afterwards
