Network Security Workshop, BUSAN 2003
Saravanan Kulanthaivelu (svanan@nrg.cs.usm.my)
Security Audit
Security Audit
• “The world isn’t run by weapons anymore, or energy, or money. It’s run by little ones and zeros, little bits of data... There’s a war out there... and it’s not about who’s got the most bullets. It’s about who controls the information.”
  Federation of American Scientists - Intelligence Resource Program
Workshop Outline (2)
• Security Audit
• Intrusion Detection
• Incident Response
FAQ
• We already have firewalls in place. Isn't that enough?
• We did not realize we could get security audits. Can you really get security audits, just like financial audits?
• We have already had a security audit. Why do we need another one?
Answers
• Firewalls and other devices are simply tools to help provide security. They do not, by themselves, provide security. Using a castle as an analogy, think of firewalls and other such tools as simply the walls and watch towers. Without guards, reports, and policies and procedures in place, they provide little protection.
• Security audits, like financial audits, should be performed on a regular basis.
Security Audit - Definitions
• A security audit is a policy-based assessment of the procedures and practices of a site, assessing the level of risk created by these actions.
• An assessment process which develops systems and procedures within an organization, creates awareness amongst employees and users, and ensures compliance with legislation through periodic checking of processes, constituents and documentation.
Why Audit?
• Determine Vulnerable Areas
• Obtain Specific Security Information
• Allow for Remediation
• Check for Compliance
• Ensure Ongoing Security
To ensure that the site’s networks and systems are efficient and foolproof.
Who needs security auditing?
• A security audit is necessary for every organization using the Internet.
• An ongoing process that must be tried and improved to cope with ever-changing and challenging threats.
• Being audited should not be feared; auditing is good practice.
Audit Phases
• External Audit
  • Public information collection
  • External Penetration
    • Non-destructive test
    • Destructive test
• Internal Audit
  • Confidential information collection
  • Security policy review
  • Interviews
  • Environment and Physical Security
  • Internal Penetration
  • Change Management
• Reporting
Audit Phases - External
• Hacker's view of the network
• Simulate attacks from outside
• Point-in-time snapshots
• Can NEVER be 100% complete
External Audit - Public Information Gathering
• Search for information about the target and the critical services it provides on the Internet.
• Network Identification
  • Identify the IP address ranges owned/used
• Network Fingerprinting
  • Try to map the network topology
  • Perimeter model identification
• OS & Application Fingerprinting
  • OS fingerprinting
  • Port scanning to identify services and applications
  • Banner grabbing
External Audit - Some Commandments
• Do not make ANY changes to the systems or networks
• Do not impact processing capabilities by running scanning/testing tools during business hours or during peak or critical periods
• Always get permission before testing
• Be confidential and trustworthy
• Do not perform unnecessary attacks
External Audit - Penetration Test
• Plan the penetration process
• Search for vulnerabilities matching the information gathered and obtain the exploits
• Conduct vulnerability assessments (ISO 17799)
• Non-destructive test
  • Scans/tests to confirm vulnerabilities
  • Make SURE they are not harmful
• Destructive test
  • Only for short-term effect (DDoS…)
  • Done from various locations
  • Done only in off-peak hours, to confirm the effect
• Record everything
  • Save snapshots and record everything for every test done, even if it returned a false result
• Watch out for HONEYPOTS
Internal Audit
• Conducted at the premises
• A process of hacking with full knowledge of the network topology and other crucial information.
• Also identifies threats within the organization
• Should be 100% accurate.
• Must be cross-checked with the external penetration report.
Internal Audit - Policy review
[Diagram: Policy, Standards, Procedures, Guidelines & Practices]
• Everything starts with the security policy
• If there is no policy, there is no need for a security audit.
Internal Audit - Policy review
• Policies are studied properly and classified
• Identify any security risks that exist within the policy
• Interview IT staff to gain a proper understanding of the policies
• Also identify the level of implementation of the policies.
Internal Audit - Information gathering (cross-check with the security policy)
• Discussion of the network topology
• Placement of perimeter devices such as routers and firewalls
• Placement of mission-critical servers
• Existence of IDS
• Logging
Internal Audit - Environment & Physical Security
• Locked / combination / card-swipe doors
• Temperature / humidity controls
• Neat and orderly computing rooms
• Sensitive data or papers lying around?
• Fire suppression equipment
• UPS (Uninterruptible power supply)
Section 8.1 of the ISO 17799 document defines the concepts of secure area, secure perimeter and controlled access to such areas.
Internal Audit - Penetration
The internal penetration test can be divided into a few categories:
• Network
• Perimeter devices
• Servers and OS
• Applications and services
• Monitoring and response
Find vulnerabilities and malpractice in each category.
Internal Audit - Network
• Location of devices on the network
• Redundancy and backup devices
• Staging network
• Management network
• Monitoring network
• Other network segmentation
• Cabling practices
• Remote access to the network
Internal Audit - Perimeter Devices
Check the configuration of perimeter devices such as:
• Routers
• Firewalls
• Wireless AP/Bridge
• RAS servers
• VPN servers
Test the ACLs and filters, both ingress and egress:
• Firewall rules
• Configuration
• Access method
• Logging methods
Internal Audit - Server & OS
• Identify mission-critical servers such as DNS, Email and others…
• Examine the OS and the patch levels
• Examine the ACLs on each server
• Examine the management controls: accounts & passwords
• Placement of the servers
• Backup and redundancy
Internal Audit - Applications & Services
Identify the services and applications running on the mission-critical servers. Check vulnerabilities for the versions running. Remove unnecessary services/applications.
• DNS
  • Name services (BIND)
• Email
  • POP3, SMTP
• Web/HTTP
• SQL
• Others
Internal Audit - Monitoring & Response
Check for procedures on:
• Event Logging and Audit
  • What is logged?
  • How frequently are logs reviewed?
  • How long are logs kept?
• Network monitoring
  • What is monitored?
  • Response to alerts?
• Intrusion Detection
  • IDS in place?
  • What rules and detection are used?
• Incident Response
  • How is the attack responded to?
  • What is the recovery plan?
  • Follow-up?
Internal Audit - Analysis and Report
• Analysis of results
  • Check compliance with the security policy
  • Identify weaknesses and vulnerabilities
  • Cross-check with the external audit report
• Report - key to realizing value
  • Must have two parts
    • Non-technical (for management use)
    • Technical (for IT staff)
  • Methodology of the entire audit process
  • Separate Internal and External
  • State weaknesses/vulnerabilities
  • Suggest solutions to harden security
More Tools…
• Inetmon
• Firewalk
• Dsniff
• RafaleX
• NetStumbler
• RAT (Router Audit Tool) - CIS
• Retina scan tools
• MBSA
Nmap - De facto Standard
• Even in The Matrix, nmap was used
Intrusion Detection
• Intrusion Detection is the process of monitoring computer networks and systems for violations of security.
• An Intrusion: any set of actions that attempt to compromise the integrity, confidentiality or availability of a resource.
• All intrusions are defined relative to a security policy
  • The security policy defines what is permitted and what is denied on a network/system
  • Unless you know what is and is not permitted, it is pointless to attempt to catch intrusions
Intrusion Detection
• Manual Detection
  • Check the log files for unusual behavior
  • Check the setuid and setgid bits of files
  • Check important binaries
  • Check for usage of sniffing programs
• Automatic (partially??)
  • Intrusion Detection Systems
Intrusion Detection Systems
• Goal
  • To detect intrusions in real time and respond to them
• False positive
  • No intrusion, but an alarm
  • Too many make your life miserable
• False negative
  • Intruder not detected
  • System is compromised
Intrusion Detection - Detection Schemes
• Misuse Detection
  • The most common technique, where incoming/outgoing traffic is compared against well-known 'signatures'. For example, a large number of failed TCP connections to a wide variety of ports indicates that somebody is doing a TCP port scan.
• Anomaly Detection
  • Uses statistical analysis to find changes from baseline behavior (such as a sudden increase in traffic, CPU utilization, disk activity, user logons, file accesses, etc.). This technique is weaker than signature recognition, but has the benefit that it can catch attacks for which no signature exists. Anomaly detection is mostly theoretical at this point and is the topic of extensive research.
Intrusion Detection - Detection
• Misuse Detection
  • Detect Known Attack Signatures
  • Advantage:
    • Low False Positive Rate
  • Drawbacks:
    • Only Known Attacks
    • Costs for Signature Management
• Anomaly Detection
  • Learn Normal Profiles from User and System Behavior
  • Detect Anomalies
  • Advantage:
    • Detect Unknown Attacks
  • Drawbacks:
    • Difficulty of Profiling
    • Profile can be controlled by intruders
    • High false positive rate
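The two detection schemes compared on the preceding slides, as an added Python example that is not part of the workshop deck: a misuse rule for the port-scan signature the slides describe (many failed connections to distinct ports from one source within a short window) and an anomaly rule that flags connection-rate intervals far above a learned baseline. The log line format, the thresholds and the sample log are constructed for this illustration.

```python
import re
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample connection log (not from the slides). Format per line:
# "<epoch> <src_ip> -> <dst_ip>:<dst_port> <OK|FAILED>". Host 10.0.0.5 probes
# many ports of one server; 10.0.0.7 is an ordinary web client.
SAMPLE_LOG = """\
1000 10.0.0.7 -> 192.168.1.10:80 OK
1001 10.0.0.5 -> 192.168.1.10:21 FAILED
1001 10.0.0.5 -> 192.168.1.10:22 OK
1002 10.0.0.5 -> 192.168.1.10:23 FAILED
1002 10.0.0.5 -> 192.168.1.10:25 FAILED
1003 10.0.0.5 -> 192.168.1.10:53 FAILED
1003 10.0.0.5 -> 192.168.1.10:110 FAILED
1004 10.0.0.5 -> 192.168.1.10:143 FAILED
"""
LINE_RE = re.compile(r"^(\d+) (\S+) -> (\S+):(\d+) (OK|FAILED)$")

def parse(log):
    """Parse log text into (ts, src, dst, port, result) tuples; skip malformed lines."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, src, dst, port, result = m.groups()
            events.append((int(ts), src, dst, int(port), result))
    return events

def detect_port_scans(events, min_ports=5, window=10):
    """Misuse rule from the slide: >= min_ports distinct failed ports from one source within `window` seconds."""
    failed = defaultdict(list)  # src -> [(ts, dst_port), ...]
    for ts, src, _dst, port, result in events:
        if result == "FAILED":
            failed[src].append((ts, port))
    scanners = set()
    for src, hits in failed.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):  # slide the window over each start time
            ports = {p for t, p in hits[i:] if t - t0 <= window}
            if len(ports) >= min_ports:
                scanners.add(src)
                break
    return scanners

def detect_rate_anomalies(baseline_counts, observed_counts, z_threshold=3.0):
    """Anomaly rule: flag intervals whose connection count exceeds the learned baseline
    mean by more than z_threshold standard deviations (a flat baseline flags any rise)."""
    mu, sigma = mean(baseline_counts), pstdev(baseline_counts) or 1e-9
    return [i for i, c in enumerate(observed_counts) if (c - mu) / sigma > z_threshold]
```

Lowering `min_ports` or raising `z_threshold` trades false negatives for false positives, the same trade-off the slides describe for each scheme.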
Network IDS
• Uses network packets as the data source
• Searches for patterns in packets
• Searches for patterns of packets
• Searches for packets that shouldn't be there
• May 'understand' a protocol for effective pattern searching and anomaly detection
• May passively log, alert via SMTP/SNMP, or have a real-time GUI
Network IDS Strengths
• Lower cost of ownership
  • Fewer detection points required
  • Greater view
  • More manageable
• Detects attacks that host-based systems miss
  • IP-based Denial of Service
  • Packet or Payload Content
• More difficult for an attacker to remove evidence
  • Uses live network traffic
  • Captured network traffic
Network IDS Strengths
• Real-time detection and response
  • Faster notification and responses
  • Can stop before damage is done (TCP reset)
• Detects unsuccessful attacks and malicious intent
  • Outside a DMZ
  • Sees attempts blocked by the firewall
  • Critical information obtained can be used for policy refinement
• Operating system independence
  • Does not require information from the target OS
  • Does not have to wait until the event is logged
  • No impact on the target
Network IDS Limitations
• Obtaining packets - topology & encryption
• Number of signatures
• Quality of signatures
• Performance
• Network session integrity
• Understanding the observed protocol
• Disk storage
Host Based IDS
• Signature log analysis
  • Application and system
• File integrity checking
  • MD5 checksums
• Enhanced Kernel Security
  • API access control
  • Stack security
• Some products listen to port activity and alert the administrator when specific ports are accessed
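The file integrity checking named on this slide, together with the manual setuid/setgid and important-binary checks from the earlier Manual Detection slide, as an added Python example that is not part of the original deck: it snapshots a digest and the permission bits of every file under a directory, then re-scans and reports added, removed, content-modified and permission-changed files. SHA-256 is the default where the slide names MD5, because MD5 collisions are practical; the demo tree is constructed in a temporary directory.

```python
import hashlib
import os
import tempfile
from pathlib import Path

def hash_file(path, algorithm="sha256"):
    """Digest a file in chunks (slide names MD5; SHA-256 default since MD5 collisions are practical)."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root, algorithm="sha256"):
    """Snapshot every file under root as rel_path -> (digest, permission bits incl. setuid/setgid)."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            mode = os.stat(path).st_mode & 0o7777  # keeps suid/sgid/sticky and rwx bits
            baseline[rel] = (hash_file(path, algorithm), mode)
    return baseline

def compare(baseline, current):
    """Report added, removed, content-modified and permission-changed paths."""
    report = {"added": sorted(set(current) - set(baseline)),
              "removed": sorted(set(baseline) - set(current)),
              "modified": [], "mode_changed": []}
    for rel in sorted(set(baseline) & set(current)):
        if baseline[rel][0] != current[rel][0]:
            report["modified"].append(rel)
        if baseline[rel][1] != current[rel][1]:
            report["mode_changed"].append(rel)
    return report

def demo():
    """Constructed scenario (not from the slides): snapshot a small tree, alter it, re-check."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        for rel, data in (("bin/ls", b"ls v1"), ("bin/ps", b"ps v1"), ("passwd", b"root:x:0:0")):
            Path(root, rel).write_bytes(data)
        os.chmod(os.path.join(root, "bin/ls"), 0o644)
        baseline = build_baseline(root)
        # Changes an auditor wants flagged: replaced ps binary, unexpected new file, setuid bit on ls.
        Path(root, "bin/ps").write_bytes(b"ps v2")
        Path(root, "bin/extra").write_bytes(b"unexpected")
        os.chmod(os.path.join(root, "bin/ls"), 0o4755)
        return compare(baseline, build_baseline(root))
```

The baseline must be stored off-host (or on read-only media), since the slide on HIDS limitations notes that an intruder with kernel access can defeat on-host integrity checking.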
Host IDS Strengths
• Verifies success or failure of an attack
  • Log verification
• Monitors specific system activities
  • File access
  • Logon / Logoff activity
  • Account changes
  • Policy changes
• Detects attacks that network-based IDS may miss
  • Keyboard attacks
  • Brute-force logins
Host Based IDS Limitations
• Places load on the system
• Disabling of system logging
• Kernel modifications to avoid file integrity checking (and other things)
• Management overhead
Characteristics of a Good IDS
• Imposes minimal overhead
  • Does not slow down the system
• Observes deviations from normal behavior
• Easily tailored to any system
• Copes with changing system behavior over time as applications are added
  • High adaptation
Network Honeypots
• Sacrificial system(s) or sophisticated simulations
• Any traffic to the honeypot is considered suspicious
• If a scanner bypasses the NIDS, HIDS and firewalls, the attacker still may not know that a honeypot has been deployed
[Diagram: Network Honeypots - Firewall, Honeypot, HTTP, DNS]
Some IDS
• Commercial
  • RealSecure by ISS
  • VCC/Tripwire
  • CMDS by SAIC
  • NetRanger by WheelGroup
• Freeware/Open source
  • Snort (www.snort.org)
Incident Response
• Incident: An action likely to lead to grave consequences
  • Data loss may lead to commercial loss.
  • Confidentiality breached.
  • Political issues…
  • Network breakdown leads to service and information flow disruption.
  • Many more…
Incident Response
• Response: An act of responding.
  • Something constituting a reply or a reaction.
  • The activity or inhibition of previous activity of an organism or any of its parts resulting from stimulation.
  • The output of a transducer or detecting device resulting from a given input.
• Ideally, Incident Response would be a set of policies that allow an individual or individuals to react to an incident in an efficient and professional manner, thereby decreasing the likelihood of grave consequences.
• ISO 17799
  • Outlines Comprehensive Incident Response and Internal Investigation Procedures
  • Detailed Provisions on Computer Evidence Preservation and Handling
Incident Response - Purpose
• Minimize overall impact.
  • Hide from public scrutiny.
  • Stop further progression.
  • Involve key personnel.
  • Control the situation.
• Recover Quickly & Efficiently.
  • Respond as if going to prosecute.
  • If possible, replace the system with a new one.
  • Priority one: business back to normal.
  • Ensure all participants are notified.
  • Record everything.
• Secure System.
  • Lock down all known avenues of attack.
  • Assess the system for unseen vulnerabilities.
  • Implement proper auditing.
  • Implement new security measures.
• Follow-up (a continuous process)
  • Ensure that all systems are secure.
  • Continue prosecution.
  • Securely store all evidence and notes.
  • Distribute lessons learned.