EE579T Network Security 7: Vulnerability Assessment
Prof. Richard A. Stanley, WPI
Overview of Tonight's Class
• Review last week's lesson
• Look at network security in the news
• Vulnerability assessment
Last time...
• SSL provides a means for secure transport-layer communications over TCP/IP networks
• SSL was developed by Netscape and is now ubiquitous in browsers and other software
• The key element of SSL is the handshake protocol
• SET is not widely used for credit-card transactions, but the dual signature it introduced is useful
Network Security Checklist (searchSecurity.com)
• Check systems for zombie agent software
• Minimize external exposure by minimizing Internet access and connectivity: do not leave non-mission-critical Internet connections open continuously, and deny Internet access to employees who do not need it
• Review security policies and ensure that they are current, implemented and enforced
Security checklist - 2
• Ensure all current service-level and security patches have been installed on operating systems and software, including antivirus updates
• Enhance the review and monitoring of all critical system logs for suspect activity, and consider implementing an intrusion-detection system
• Revisit firewall configurations and rules to ensure that unnecessary ports and services are turned off and that access control is tightly managed
Security checklist - 3
• Consider curtailing remote access by employees, business partners, customers and consultants to essential business functions
• Consider changing passwords for all super-user or power IDs such as root, dbadmin, application-manager IDs, etc., especially if that information has become widely shared (emphasis added)
• Revisit access control lists to ensure that access to critical functions and resources is limited
Security checklist - 4
• Discuss with your ISP what measures they are taking to ensure the security and reliability of the services they provide you
• Regularly back up all critical systems and test the actual recovery procedures
• Consider an incident response plan covering the actions to be taken should a debilitating cyber-incident affect your business
Security checklist - 5
• Ensure all users of your corporate computer systems (including employees, consultants, contractors and temporary workers) understand the importance of protecting the business and their role in the overall program
• Users working from home over high-speed broadband connections should be required to run a firewall on their system, and should only be allowed to connect to the corporate network through a VPN tunnel
Thought for the Day
“The network is the computer.” Sun Microsystems
Is this quote for real or is it for marketing?
• What is typical PC bus speed?
• What sort of network data transfer rates can be attained?
• What does this mean for the future of networked computing?
How To Rob a Bank
• Just walk in and demand the money
• Where is the bank?
• How do you know there is any money?
• Where to park the getaway car?
• Are there any guards or surveillance devices?
• Will you need a disguise?
• What kinds of things might go wrong?
• What if they say “NO?”
Success Requires Planning
• Whether robbing a bank or breaching network security, you need to plan ahead
• Planning ahead is known as vulnerability assessment
  • Acquire the target (case the joint)
  • Scan for vulnerabilities (find the entry points)
  • Identify poorly protected data (shake the doors)
Information in Plain Sight
• Lots of valuable information is just lying around waiting to be used
  • telephone directories
  • company organization charts
  • business meeting attendee lists
  • promotional material
• The Internet has made having a company web page the measure of being “with it”
Target: FBI [screenshot slides]
You get the idea
• There is a lot of information out there, and it is readily available to anyone
• Good intelligence usually consists of open-source material properly collated
• Law enforcement used to have special access to this sort of information; now it is out on the net
• Network access speeds up the rate at which good intelligence can be collected
Determine Your Scope
• Check out the target's web page
  • physical locations
  • related companies or entities
  • merger/acquisition news
  • phone numbers, contact information
  • privacy or security policies
  • links to other related web servers
  • check the HTML source code
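Checking the HTML source by hand is tedious, so here is an added example (not from the lecture) that pulls the leads listed above out of a page's source automatically: linked hosts inside and outside the target's domain, e-mail addresses, the authoring tool named in the generator tag, and HTML comments, which never render and therefore keep whatever the author forgot to remove. SAMPLE_HTML is constructed for the illustration and every host, address and comment in it is invented; the TLD list in HOST_RE is an assumption made to keep the pattern short.

```python
"""Pull reconnaissance leads out of a web page's HTML source.

Added example, not from the lecture. SAMPLE_HTML is constructed for the
illustration and every host name, address and comment in it is invented;
the TLD list in HOST_RE is an assumption made to keep the pattern short.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

SAMPLE_HTML = """\
<html><head><title>Example Corp</title>
<meta name="generator" content="FrontPage 4.0">
<!-- TODO: remove staging link before launch: http://stage.example.com/admin/ -->
</head><body>
<a href="http://www.example.com/about.html">About</a>
<a href="https://intranet.example.com/login">Employee login</a>
<a href="http://www.example-partner.net/">Partner</a>
<a href="mailto:webmaster@example.com">Webmaster</a>
<a href="/jobs.html">Careers</a>
<img src="http://img.example.com/logo.gif">
<!-- dev server: dev2.example.com, contact jsmith@example.com x4412 -->
</body></html>
"""

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
URL_RE = re.compile(r"https?://[^\s<>\"']+")
# Bare host names mentioned in comments; the TLD list is an assumption
HOST_RE = re.compile(r"\b[a-z0-9-]+(?:\.[a-z0-9-]+)+\.(?:com|net|org|edu)\b", re.I)


class LeadExtractor(HTMLParser):
    """Collects linked hosts, e-mail addresses, comments and the generator tag."""

    def __init__(self):
        super().__init__()
        self.hosts = set()
        self.emails = set()
        self.comments = []
        self.generator = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("name") or "").lower() == "generator":
            self.generator = a.get("content")   # authoring tool, often with version
        for attr in ("href", "src", "action"):
            if a.get(attr):
                self._note_url(a[attr])

    def handle_comment(self, data):
        # Comments never render, so they keep what the author forgot to remove
        text = data.strip()
        self.comments.append(text)
        self.emails.update(e.lower() for e in EMAIL_RE.findall(text))
        scrubbed = EMAIL_RE.sub(" ", text)     # so e-mail domains are not counted as hosts
        for url in URL_RE.findall(scrubbed):
            self._note_url(url)
        self.hosts.update(h.lower() for h in HOST_RE.findall(scrubbed))

    def _note_url(self, url):
        if url.lower().startswith("mailto:"):
            self.emails.add(url[7:].split("?")[0].lower())
            return
        host = urlparse(url).hostname           # None for relative links like /jobs.html
        if host:
            self.hosts.add(host.lower())


def extract_leads(html, target_domain):
    """Split discovered hosts into the target's own domain and related (other) domains."""
    p = LeadExtractor()
    p.feed(html)
    p.close()
    target = target_domain.lower()
    own = sorted(h for h in p.hosts if h == target or h.endswith("." + target))
    related = sorted(p.hosts - set(own))
    return {"generator": p.generator, "hosts": own, "related": related,
            "emails": sorted(p.emails), "comments": p.comments}


if __name__ == "__main__":
    for key, value in extract_leads(SAMPLE_HTML, "example.com").items():
        print(key, value)
```

Every host in the "hosts" list is a candidate for the later InterNIC/DNS queries, and "related" feeds the search for partner and subsidiary networks; the comments and the generator string go straight into the target dossier.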
Refine Your Search
• Run down leads from the news, etc.
• Search engines are a good way
  • FerretSoft
  • Dogpile
• Check USENET postings
• Use advanced search capabilities to find links back to the target
• A search on wpi + security gives ~2900 hits
Use the Government
• EDGAR
  • SEC site (www.sec.gov/edgarhp.htm)
  • Search for 10-Q and 10-K reports
  • Try to find subsidiary organizations with different names
• Think about what your organization has in databases available to the public
Zero In On The Networks
• InterNIC whois: look up by
  • Organization
  • Domain
  • Network
  • Point of contact
• www.networksolutions.com
• www.arin.net
Other Sources
• InterNIC has a 50-record limit, so...
  • ftp://rs.internic.net/domain
• http://samspade.org/ssw/ (freeware)
• www.nwpsw.com
  • Netscan tools, single-copy price $32.00
• www.ipswitch.com
  • WS_Ping ProPack, $37.50
Query on Found Data
• POC
  • May be (often is) the POC for other domains
• Query for email addresses -- here are a few from @wpi.edu:
  • Amiji, Murtaza (MA3608) murti@WPI.EDU (508) 831-5395
  • Baboval, John (JBJ116) jbaboval@WPI.EDU XXX-XXXX
  • Ballard, Richard (RBS722) rick@WPI.EDU 508-831-6731
  • Barnett, Glenn S (GSB14) rhythm@WPI.EDU (315) 475-5920
  • Bartelson, Jon (JB12891) jonb@WPI.EDU (508) 831-5725, (FAX) (508) 831-5483
  • Berard, Keith (KB2414) keithb@WPI.EDU (508) 754-4502
  • Blank, Karin (KBJ257) blankk@WPI.EDU 203-762-0532
  • Blomberg, Adam (AB5417) scarpa@WPI.EDU 508-755-7699
Query the DNS
• Insecure DNS configuration can reveal information that should be kept confidential
• Zone transfers (AXFR) are a popular reconnaissance technique: if the server allows them to anyone, the whole zone comes back in one query
• nslookup is often used (its ls -d command lists a zone)
  • pipe the output to a text file
  • review the text file at your leisure
  • select potential “good targets” based on the data (host names, HINFO records, etc.)
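An added example (not from the lecture) of the “review the text file at your leisure” step: a script that parses a zone listing and ranks the hosts worth a closer look, using HINFO records, mail and name-server roles, aliases, and suggestive host names. The zone text is constructed for the illustration with invented names and RFC 5737 addresses, and the INTERESTING keyword list is an assumption about which host names usually pay off.

```python
"""Triage a DNS zone dump for likely targets.

Added example, not from the lecture. The zone data below is constructed for
illustration in the style of a zone transfer listing (nslookup "ls -d" or
dig AXFR); every name and address in it is invented (RFC 5737 range).
The INTERESTING keyword list is an assumption about which names merit a look.
"""
import re
from collections import defaultdict

ZONE_DUMP = """\
example.com.          3600 IN SOA   ns1.example.com. hostmaster.example.com. 2001 7200 3600 604800 86400
example.com.          3600 IN NS    ns1.example.com.
example.com.          3600 IN MX    10 mail.example.com.
ns1.example.com.      3600 IN A     192.0.2.1
ns1.example.com.      3600 IN HINFO "Sun Ultra 5" "Solaris 2.6"
mail.example.com.     3600 IN A     192.0.2.10
www.example.com.      3600 IN A     192.0.2.20
dev.example.com.      3600 IN A     192.0.2.30
test-db.example.com.  3600 IN A     192.0.2.31
pdc.example.com.      3600 IN A     192.0.2.40
pdc.example.com.      3600 IN HINFO "Pentium II" "Windows NT 4.0"
intranet.example.com. 3600 IN CNAME www.example.com.
fw.example.com.       3600 IN A     192.0.2.254
"""

# Host-name fragments that usually point at weaker or more valuable systems (assumption)
INTERESTING = ("dev", "test", "stage", "backup", "bak", "old", "pdc", "bdc",
               "fw", "router", "vpn", "dial", "intranet", "admin", "db", "sql")

RECORD_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+(\S+)\s+(.*)$")


def parse_zone(text):
    """Return (owner, type, rdata) tuples; owner lower-cased without the trailing dot."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = RECORD_RE.match(line)
        if m:
            owner, rtype, rdata = m.groups()
            records.append((owner.rstrip(".").lower(), rtype.upper(), rdata.strip()))
    return records


def triage(records):
    """Group records by host and attach a note for each reason the host is interesting."""
    hosts = defaultdict(lambda: {"addrs": [], "notes": []})
    for owner, rtype, rdata in records:
        if rtype == "A":
            hosts[owner]["addrs"].append(rdata)
        elif rtype == "HINFO":
            # HINFO hands over hardware and OS, no fingerprinting needed
            hosts[owner]["notes"].append("HINFO discloses " + rdata)
        elif rtype == "MX":
            exchanger = rdata.split()[-1].rstrip(".").lower()
            hosts[exchanger]["notes"].append("mail exchanger")
        elif rtype == "NS":
            hosts[rdata.rstrip(".").lower()]["notes"].append("authoritative name server")
        elif rtype == "CNAME":
            hosts[owner]["notes"].append("alias for " + rdata.rstrip(".").lower())
    for owner, info in hosts.items():
        label = owner.split(".")[0]
        parts = re.split(r"[-_]", label)
        hits = [kw for kw in INTERESTING if kw in parts or label.startswith(kw)]
        if hits:
            info["notes"].append("name suggests: " + ", ".join(hits))
    return hosts


def rank_targets(records):
    """Hosts with at least one note, most notes first, then by name."""
    hosts = triage(records)
    ranked = sorted(hosts.items(), key=lambda kv: (-len(kv[1]["notes"]), kv[0]))
    return [(owner, info["addrs"], info["notes"]) for owner, info in ranked if info["notes"]]


if __name__ == "__main__":
    for owner, addrs, notes in rank_targets(parse_zone(ZONE_DUMP)):
        print(owner, addrs, "; ".join(notes))
```

On the constructed zone the intranet alias, the name server (with its HINFO) and the PDC (with its HINFO) come out on top, while the plain web server, which has nothing but an A record, is not listed at all; that is the kind of sorting the slide's “at your leisure” step is meant to produce.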
Map the Network
• traceroute
  • Unix and Windows NT
  • Called tracert on NT for (8.3) file-name legacy reasons
  • Shows the router hops from the source to the destination
• Graphical tools exist, too
  • VisualRoute, www.visualroute.com
Detailed Scanning
• Network ping sweeps
  • Who is active?
  • Automated in some tools
• ICMP queries
  • Reveal lots of information about systems
  • System time (ICMP timestamp request)
  • Network mask (ICMP address mask request)
Port Scanning
• Identify running services
• Identify the OS
• Identify the specific application behind a service
• Very popular
• Very simple
• Very dangerous
Port Scan Types
• Connect scan -- completes the 3-way handshake, so the connection is likely to be logged
• SYN -- an open port answers SYN/ACK, a closed port RST; the handshake is never completed
• FIN -- closed ports should answer RST; open ports should stay silent
• Xmas tree -- sends FIN, URG, PSH; closed ports should answer RST
• Null -- all flags off; closed ports should answer RST
• UDP -- port is probably open (or the probe was filtered) if no “ICMP port unreachable” comes back
Identify Running Services
• Strobe
• udp_scan (from SATAN)
• netcat
• PortPro and Portscan
• nmap
  • A SYN scan is usually stealthier than a connect scan, since no full connection is made for the target to log
  • Beware of DoS side effects: aggressive scans can crash fragile stacks
OS Detection, etc.
• Stack fingerprinting
  • Different vendors interpret the RFCs differently
  • Example: RFC 793 says the correct response to a FIN probe sent to an open port is no response at all; Windows NT (among others) replies with a RST
  • Based on the responses to a set of specific probes, it is possible to make a very educated guess as to which OS is running
• Automated tools make this easy!
  • Nmap www.insecure.org/nmap/
  • Retina www.eeye.com/html/Products/Retina/
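An added example (not from the lecture or from nmap) that ties the scan-type rules to the FIN-probe fingerprint: two simulated TCP stacks, one following RFC 793 and one behaving like Windows NT, answer SYN, FIN, Xmas and Null probes, so the classification rules and the fingerprinting step can be run without sending a packet. The stack models are simplifications assumed for the illustration; in particular the Windows-like model answers every non-SYN probe with RST regardless of port state.

```python
"""Interpreting port-scan responses, and fingerprinting a stack by its FIN-probe behaviour.

Added example, not from the lecture or from nmap. No packets are sent: two
simulated TCP stacks stand in for targets, one following RFC 793 and one
behaving like Windows NT (RST to a FIN on an open port). Both models are
simplifications assumed for this illustration.
"""
from dataclasses import dataclass

SYN, ACK, FIN, RST, PSH, URG = "SYN", "ACK", "FIN", "RST", "PSH", "URG"

# Flags carried by the probe of each scan type covered in the lecture
SCAN_PROBES = {
    "connect": frozenset({SYN}),      # same first packet as SYN; then completes the handshake
    "syn": frozenset({SYN}),
    "fin": frozenset({FIN}),
    "xmas": frozenset({FIN, URG, PSH}),
    "null": frozenset(),
}


@dataclass(frozen=True)
class Probe:
    port: int
    flags: frozenset


def rfc793_stack(open_ports):
    """Compliant stack: SYN to open -> SYN/ACK, to closed -> RST;
    any other segment to a closed port -> RST, to an open port -> silence."""
    def respond(probe):
        if SYN in probe.flags:
            return frozenset({SYN, ACK}) if probe.port in open_ports else frozenset({RST, ACK})
        if probe.port in open_ports:
            return None
        return frozenset({RST, ACK})
    return respond


def windows_stack(open_ports):
    """Non-compliant stack: same SYN handling, but RST to FIN/Xmas/Null
    probes whether the port is open or closed."""
    def respond(probe):
        if SYN in probe.flags:
            return frozenset({SYN, ACK}) if probe.port in open_ports else frozenset({RST, ACK})
        return frozenset({RST, ACK})
    return respond


def classify(scan, response):
    """Apply the lecture's rules to one response (None means nothing came back)."""
    if scan in ("connect", "syn"):
        if response is None:
            return "filtered"               # dropped by a firewall, or host down
        if SYN in response and ACK in response:
            return "open"
        return "closed" if RST in response else "unknown"
    # FIN, Xmas, Null: RST means closed; silence means open (or filtered)
    if response is None:
        return "open|filtered"
    return "closed" if RST in response else "unknown"


def scan_host(stack, scan, ports):
    """Run one scan type against a simulated stack and return {port: state}."""
    return {p: classify(scan, stack(Probe(p, SCAN_PROBES[scan]))) for p in ports}


def fin_probe_fingerprint(stack, known_open_port):
    """Fingerprinting step: send FIN to a port a SYN scan has already shown open.
    RFC 793 says no reply; a RST betrays a non-compliant stack."""
    response = stack(Probe(known_open_port, frozenset({FIN})))
    if response is None:
        return "RFC 793 behaviour: silent on FIN to open port"
    if RST in response:
        return "non-compliant: RST to FIN on open port (Windows NT among others)"
    return "unexpected reply"


if __name__ == "__main__":
    targets = {"rfc793": (rfc793_stack({22, 80}), 22), "windows": (windows_stack({135, 139}), 135)}
    for name, (stack, open_port) in targets.items():
        for scan in ("syn", "fin", "xmas", "null"):
            print(name, scan, scan_host(stack, scan, [22, 80, 135, 139, 8080]))
        print(name, fin_probe_fingerprint(stack, open_port))
```

Note what the FIN scan returns against the Windows-like stack: every port reports closed, open ones included. That is why the FIN probe works as a fingerprint, and why FIN, Xmas and Null results need a SYN scan to check them against.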
Enumeration
• Try to identify valid user accounts and poorly protected resource shares
• Windows NT
  • net view -- lists the domains on the network (net view /domain); net view \\host lists that host's shared resources
  • nltest -- identifies the PDC and BDCs
• SNMP (a default community string such as public gives away a great deal)
• Open a telnet connection to a service port and read the banner
Automated, Graphical Tools
• Can trace network topology very accurately
• Identify machines by IP, OS, etc.
• Make an attack much easier
• Cheops, www.marko.net/cheops/
• Tkined, wwwhome.cs.utwente.nl/~schoenw/scotty/
Summary
• Attacking a network is no different from robbing a bank: you have to plan if you expect to be successful
• There are three basic steps to the planning, which is called vulnerability assessment:
  • Acquire the target (case the joint)
  • Scan for vulnerabilities (find the entry points)
  • Identify poorly protected data (enumeration)
• This applies whether you are inside or outside the protected perimeter!
Homework - 1
1. Identify and describe how you would enumerate resources on a Unix network, similar to the discussion in class of enumeration on Windows NT
2. You are the network administrator. How would you defend against the threats of target acquisition and vulnerability scanning?