Security Auditing Course Development
Yin Pan, Rochester Institute of Technology, yin.pan@rit.edu
Secure IT 2007
Agenda
• Motivation
• Course development
• Procedures used to develop basic auditing labs
• Outcomes and feedback from students
• Improvements
Why think about security?
• Facts (one year ago)
  • On average, one unpatched machine is compromised every 20 minutes
  • Once a patch is announced, an exploit will be available in 2-3 days
  • Between 2004 and 2005,
    • Unauthorized access increased 500%
    • Identity theft increased 100%
• Targets
  • Government agencies
    • Customized trojan horses designed to pilfer sensitive government secrets
  • E-commerce sites, banks and credit-card processors
  • Companies
    • Source code, the Coca-Cola recipe? Games?
Why think about security? (cont'd)
• There are people who are actively seeking your resources
• "But I don't have anything anyone wants!"
  • Even just as a hiding place for files or a way to become anonymous, you are a target
• Personal video recorders (PVRs)
• Carjacking and carhacking
Course Objective
• Designed for
  • system administrators
  • network administrators
  • security personnel
• to defend their systems from attack
• by designing and implementing the most effective defense
• using effective defensive techniques
• The objective of this course is to provide students with the knowledge to develop security network audits, apply appropriate auditing tools to conduct professional audits, analyze results, and provide recommendations to mitigate any risks.
Outcomes
• Upon completion of this course, students will be able to
  • Explain the fundamental techniques, processes and procedures of network and systems auditing.
  • Describe the basic design and configuration of routers, firewalls, and Intrusion Detection Systems (IDS).
  • Identify and apply appropriate tools to audit systems (Unix/Windows), servers, and network infrastructure components.
  • Conduct vulnerability and validation testing.
  • Write and present an auditing report on security vulnerabilities.
Course outline
• Auditing Process and Procedure
  • Different phases of an audit
  • Discovery methods
• Network Identification and Penetration
  • Systems Auditing
  • Servers and Network perimeters auditing
• Audit Reports
  • Auditing Recommendations
  • Writing audit report
  • Security improvements
Topics
• Audit Process and Procedure
• Network Audit Essentials
• Wireless Audit Essentials
• Unix/Linux System Audit
• Windows Audit
• Network Perimeter Audit
• Web Servers Audit
• Audit Report
Concerns…
• Many tools covered in this class can harm your system
• Some tools may include hidden features that exploit your systems
What is "Auditing"?
• A methodical examination and review that measures something against a standard
• Answers the question, "How do you know?"
• Examples of audits
Why auditing?
• Manage IT-related risk
• Ensure information security
Objective of Auditing
• To measure and report on risks
  • Against existing policy within the organization
  • Against existing standards or guidelines, best practices
• Raise awareness and reduce risks
6-Step Process for Audit (from SANS)
• Audit Planning
• Meeting Relevant People With The Plan
  • With high-level people
• Initiating the Audit
• Measuring the Systems
• Preparing the Report
• Presenting Results
  • Report to Management
Measuring the systems -- Vulnerability assessment --
• Starting with physical security
• Networks (wired and wireless)
  • Secure the perimeter: router, firewall, IDS, etc.
  • Secure the DMZ and internal systems
  • Scan the network from both inside and outside
• Audit systems
  • Focus on Unix/Linux and Windows
  • Eliminate externally accessible vulnerabilities
  • Eliminate internally accessible vulnerabilities
  • Search for Trojan horse programs
Our goal
• To secure every possible path into our systems
Network Audit
• Secure the DMZ
  • Map the hosts in the DMZ
• Audit goal:
  • Make sure there are no extra ports open on the DMZ hosts
  • Once you find the open ports/services, use vulnerability tools to find any vulnerabilities associated with these services
Scan directions
• From outside, to eliminate externally accessible vulnerabilities
• From inside, to eliminate internally accessible vulnerabilities
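The DMZ port check described on the previous two slides, carried through as an added example that is not part of the original deck: it parses constructed nmap grepable (-oG) output from one outside and one inside scan and measures each inventoried DMZ host against a hypothetical allowed-ports policy per scan direction, reporting extra open ports, expected services that did not answer, and hosts missing from the DMZ map. The addresses, scan text and policy are all constructed for this example.

```python
import re

# Constructed nmap grepable (-oG) output for the DMZ, one scan from outside the
# perimeter and one from inside. 192.0.2.0/24 is a documentation range, not real hosts.
OUTSIDE_SCAN = """\
Host: 192.0.2.10 ()\tPorts: 80/open/tcp//http///, 443/open/tcp//https///\tIgnored State: filtered (998)
Host: 192.0.2.11 ()\tPorts: 25/open/tcp//smtp///, 3306/open/tcp//mysql///\tIgnored State: filtered (998)
"""
INSIDE_SCAN = """\
Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/open/tcp//https///\tIgnored State: closed (997)
Host: 192.0.2.11 ()\tPorts: 22/open/tcp//ssh///, 25/open/tcp//smtp///, 3306/open/tcp//mysql///\tIgnored State: closed (997)
Host: 192.0.2.12 ()\tPorts: 21/open/tcp//ftp///\tIgnored State: closed (999)
"""

# The standard the audit measures against: the TCP ports each inventoried DMZ host
# may expose in each scan direction (hypothetical policy, constructed for this example).
POLICY = {
    "192.0.2.10": {"outside": {80, 443}, "inside": {22, 80, 443}},
    "192.0.2.11": {"outside": {25}, "inside": {22, 25}},
}

# One open TCP entry in the -oG "Ports:" field: port/state/proto/owner/service/...
PORT_RE = re.compile(r"(\d+)/open/tcp//([^/]*)")

def parse_open_ports(grepable):
    """Return {host: {port: service}} for every open TCP port in -oG output."""
    result = {}
    for line in grepable.splitlines():
        if not line.startswith("Host:"):
            continue  # skip '# Nmap ...' header/footer comment lines
        host = line.split()[1]
        ports_field = line.split("Ports:", 1)[1] if "Ports:" in line else ""
        result[host] = {int(p): svc for p, svc in PORT_RE.findall(ports_field)}
    return result

def audit(scans, policy):
    """Compare each direction's scan with the policy and list every deviation."""
    findings = []
    for direction, grepable in scans.items():
        observed = parse_open_ports(grepable)
        for host, allowed in policy.items():
            seen = observed.get(host, {})
            for port in sorted(set(seen) - allowed[direction]):
                findings.append((direction, host, port, seen[port], "unexpected open port"))
            for port in sorted(allowed[direction] - set(seen)):
                findings.append((direction, host, port, "", "expected service not reachable"))
        for host in sorted(set(observed) - set(policy)):  # hosts missing from the DMZ map
            findings.append((direction, host, 0, "", "host not in DMZ inventory"))
    return findings
```

Run with `audit({"outside": OUTSIDE_SCAN, "inside": INSIDE_SCAN}, POLICY)`; each finding names the scan direction it was observed from, so the same extra port shows up once for the outside view and once for the inside view.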
Perimeter Devices Audit
• Company policy/procedure review and interviews
• Perimeter configuration
• Rule validation and perimeter penetration test
  • From outside
  • From inside
Web server and application audit
• Web server audit
  • Apache
  • Windows IIS
• Web applications audit
  • Commercial/free tools
    • AppScan from Watchfire
    • Hailstorm from Cenzic
    • Nikto
Practice makes perfect
• Practice allows students to obtain the necessary skills and knowledge
• Allows students to discover new vulnerabilities and techniques
The goal of the lab component
• The goal of the labs is to
  • provide students with hands-on experience in utilizing sophisticated technological tools
  • to conduct vulnerability and validation testing on systems and networks.
Challenges
• How to quarantine the vulnerable systems/networks in a controlled environment so that no risks are introduced to the rest of the networks
• How to choose the appropriate tools and techniques
• How to design the labs to fit in our future lab plan
Lab Exercise Design
• Virtual environment with VMware
• Select appropriate tools, combining commercial tools with free tools
  • Nmap, Nessus, Nikto, firewalk, cheops-ng, Tripwire, Windows tools, Linux/Unix tools, hping2, RAT, …
  • AppScan, N-Stalker, Hailstorm
• Closely tracks lecture content
Lab topics
• Lab 1: Network Discovery and Vulnerability Scanning
• Lab 2: Network audit and analysis within the DMZ
• Lab 3: Audits and validations of router, firewall and Intrusion Detection System (IDS) configurations and technical rule bases
• Lab 4: Audits of Unix/Linux systems, including FreeBSD server and workstation, Fedora Core and Debian workstation
• Lab 5: Audits of Windows systems, including Windows 2000 Server, Windows 2003 Server, Windows 2000 Pro and Windows XP
• Lab 6: Audits of Web servers (Apache and Microsoft IIS) and applications
• Lab 7: Create a live CD
• Project: Demonstrate tools used for auditing
Lab diagram
Physical Lab Design
• Dedicated hard drives
• VMware / BackTrack / Hakin9 / etc.
• Imaging system
• Air-gap capability
How did the labs work?
• Labs are effective at conveying and applying techniques discussed and discovered in lecture.
• General student feedback
  • Enjoyed hands-on learning
  • Learned a lot through the labs.
  • Appreciated the dedicated forensics machines/drives
  • "The final project allowed us to build a VMware image and apply our favorite tools on the system. We learned a lot from others too."
Things that can be improved
• Lack of time was an issue (insufficient time for great depth of study)
• Combining the vulnerabilities on one machine allows in-depth auditing
• Get rid of duplicate tools
• Focus on the audit report
• Reduce the time to set up the VMware images
• Labs need further tweaking
Future direction
• Remote lab systems
• Split the course into two
• Training of other faculty
What did we miss?
• Suggestions?
• Questions?