Information Security Incident Handling MOOC02.1

Information Security Incident Handling
Webinar 2
Incident Handling Plan and Hacker Techniques

Jeremy Koster

1
Brief Recap

• The Incident Handler
• Types of attackers
• Why we handle incidents
• Incident in the news
• Information Security risk terms
• Threat scenarios
• Incident vs. events
2
The Incident Handling Process

• Preparation
• Identification
• Containment
• Eradication
• Recovery
• Lessons Learned
(Based on SANS GCIH)

3
The Incident Response Plan
• Purpose
• Sponsorship
• Contents
– Introduction
– Process overview
– Identification
– Containment
– Eradication
– Recovery
– Lessons learned
– Contact list
• Publish the plan
• Test the plan
4
The Hacking Process

• Reconnaissance
– Foot-printing
– Scanning
– Enumeration
• System hacking
• Escalation of privilege
• Extend and maintain access
• Exfiltration
5
Security Testing

• Define Scope
• Get explicit written permission
• Reconnaissance
– Foot-printing
– Scanning
– Enumeration
• System hacking
• Escalation of privilege
• Exfiltrate data
• Write report
– Method
– Findings
– Recommendations

6
Foot-printing – Info on the Web

• General company information services
– Wikipedia
– Hoovers
– Dun and Bradstreet
– Bloomberg
• Search engines
– Google operators (site, link, intitle, filetype, inurl)
– FTP site search engines
• Archives
– The Wayback Machine
– Google Cache

7
Foot-printing – Whois and DNS
• ICANN query – registrar details, admin and tech handles
• IP address ownership (ISP or company, POCs)
• ARIN, RIPE NCC, LACNIC, APNIC
• Nslookup (set q=any, set q=ns, set q=mx)
– A, NS, MX, SOA, CNAME, SRV, PTR
• Smartwhois – good online utility for FQDN or IP addresses
• Related domains and websites
• Zone transfers

8
Foot-printing – Email

• SMTP headers
– Received
• SMTP content
– Web bugs
• Email addresses
– Scraped from web pages
– Robots.txt
9
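The "Received" bullet above is the one an incident handler uses most: every relay prepends its own Received header, so reading them bottom-up reconstructs the path a suspicious message took and which IP injected it. The following is an added example, not code from the slides or from the author: it parses a constructed sample message (the hostnames, IPs and timestamps are invented) with Python's standard email module, returns the hops in chronological order and checks that the relay timestamps are monotonic, which is a simple sanity check on whether the header chain was tampered with.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample message (not a real email). Each relay prepends its own
# Received header, so the top one is the last hop and the bottom one is the first.
SAMPLE_MESSAGE = """\
Received: from mx1.example.net (mx1.example.net [203.0.113.10])
        by mail.example.org with ESMTP id ABC123
        for <alice@example.org>; Mon, 01 Jan 2024 10:00:03 +0000
Received: from relay.example.com (relay.example.com [198.51.100.7])
        by mx1.example.net with ESMTPS id DEF456;
        Mon, 01 Jan 2024 10:00:01 +0000
Received: from desktop-7 (unknown [192.0.2.55])
        by relay.example.com with SMTP id GHI789;
        Mon, 01 Jan 2024 09:59:58 +0000
From: "IT Support" <helpdesk@example.org>
To: alice@example.org
Subject: Policy update - please confirm your password

Please open the attached contact list.
"""

# "from <helo> (<reverse dns> [<ip>]) by <receiving host>" as written by most MTAs.
HOP_RE = re.compile(
    r"from (?P<helo>\S+)(?: \((?P<reverse>[^)]*?)\s*\[(?P<ip>[0-9.]+)\]\))? by (?P<by>\S+)"
)

def received_path(raw_message):
    """Return the relay hops in chronological order (origin first)."""
    msg = message_from_string(raw_message)
    hops = []
    for header in msg.get_all("Received", []):
        text = " ".join(header.split())          # unfold continuation lines
        m = HOP_RE.search(text)
        if not m:
            continue
        date_text = text.rsplit(";", 1)[-1].strip()   # the timestamp follows the last ';'
        hops.append({
            "helo": m.group("helo"),
            "reverse_dns": m.group("reverse") or None,
            "ip": m.group("ip"),
            "by": m.group("by"),
            "time": parsedate_to_datetime(date_text),
        })
    hops.reverse()   # headers are newest-first; we want oldest-first
    return hops

def timeline_consistent(hops):
    """True if each relay stamped a time no earlier than the previous hop."""
    return all(a["time"] <= b["time"] for a, b in zip(hops, hops[1:]))

def origin(raw_message):
    """The first hop: the host that injected the message and the IP it came from."""
    hops = received_path(raw_message)
    return hops[0] if hops else None

if __name__ == "__main__":
    for hop in received_path(SAMPLE_MESSAGE):
        print(hop["time"].isoformat(), hop["helo"], hop["ip"], "->", hop["by"])
    print("origin:", origin(SAMPLE_MESSAGE)["ip"])
```

Note that in the sample the message claims to come from helpdesk@example.org but the origin hop is an unnamed host at 192.0.2.55 speaking plain SMTP to a third-party relay; that mismatch between the From domain and the first hop is the kind of detail the phishing bullets on the next slide rely on.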
Foot-printing – Social Engineering

• Convincing story
• Soft target
– Personal assistants
– Receptionists
– Temp staff
• Phishing
– Known email address
– Internal terminology
– Policy update, contact list refresh
• Customer care staff
– Masquerading as a customer
– Details on a customer
• Helpdesks
– Password resets
– Access passes

10
Types of Security Scanning

• Modem and wireless network scanning
• Network scanning
• Port scanning
• Vulnerability scanning

11
Wardialing and Wardriving

• Wardialing
– Identifying insecure modems
– Dialling vast ranges of phone numbers
– PABX, firewalls, routers, HVAC, BMS, fax machines, remote access servers
– ToneLoc, THC-Scan, PhoneSweep

• Wardriving
– The wireless version
– Drive or walk around
– Wifi chalking
– Identifying weak access points
– Identifying rogue access points
– Airsnort, Kismet, Netstumbler

12
Common TCP and UDP Ports
• Categories of port numbers
– Well known ports: 0 – 1023
– Registered ports: 1024 – 49151
– Dynamic and private ports: 49152 – 65535

• Common TCP ports and services
– Port 20 and 21 - FTP
– Port 22 - SSH
– Port 23 - Telnet
– Port 25 - SMTP
– Port 53 - DNS
– Port 80 - HTTP

• Common UDP ports and services
– Port 53 - DNS
– Port 69 - TFTP
– Port 123 - NTP
– Port 161 - SNMP

13
TCP Port Scanning
• TCP Flags
– SYN – Used when setting up – synchronising – a connection
– ACK – Acknowledgment of traffic received
– FIN – Used to gracefully close a session
– RST – Resets the connection
– PSH – Used to request that data be immediately pushed to the application
– URG – Marks the segment as carrying urgent traffic
• Types of TCP scans
– TCP Connect – full three-way handshake
– TCP SYN – flood of SYN packets looking for SYN/ACK responses
– TCP FIN, NULL, Xmas – different response depending on OS
– TCP ACK – RST or ICMP unreachable - firewalking

14
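From the defender's side, the scan types listed above are each visible as a flag pattern: a SYN scan leaves many half-open SYNs with no completing ACK from the same source port, a connect scan completes the handshake, and FIN, NULL and Xmas probes carry flag combinations that no normal client sends. The following is an added example, not code from the slides or from the author: it reads a constructed, simplified per-packet log (the format and the 10.0.0.x addresses are invented for the example; flag letters follow the slide's names), classifies each packet by its flags and reports sources whose probes of any one type touched many distinct ports.

```python
import re
from collections import defaultdict

# Constructed sample packets (not captured traffic) in a simplified one-line format:
#   <src ip>:<src port> > <dst ip>:<dst port> <flags>
# Flag letters: S=SYN, A=ACK, F=FIN, R=RST, P=PSH, U=URG; "-" means no flags set.
SAMPLE_PACKETS = """
10.0.0.5:40001 > 10.0.0.20:80 S
10.0.0.20:80 > 10.0.0.5:40001 SA
10.0.0.5:40001 > 10.0.0.20:80 A
10.0.0.9:51001 > 10.0.0.20:21 S
10.0.0.9:51002 > 10.0.0.20:22 S
10.0.0.9:51003 > 10.0.0.20:23 S
10.0.0.9:51004 > 10.0.0.20:25 S
10.0.0.9:51005 > 10.0.0.20:53 S
10.0.0.9:51006 > 10.0.0.20:80 S
10.0.0.9:51007 > 10.0.0.20:443 S
10.0.0.20:22 > 10.0.0.9:51002 SA
10.0.0.9:51002 > 10.0.0.20:22 R
10.0.0.7:60001 > 10.0.0.20:21 FPU
10.0.0.7:60002 > 10.0.0.20:22 FPU
10.0.0.7:60003 > 10.0.0.20:23 FPU
10.0.0.7:60004 > 10.0.0.20:25 FPU
10.0.0.7:60005 > 10.0.0.20:80 FPU
10.0.0.7:60006 > 10.0.0.20:53 -
10.0.0.7:60007 > 10.0.0.20:443 F
""".strip().splitlines()

PACKET_RE = re.compile(r"^(\S+):(\d+) > (\S+):(\d+) (\S+)$")

def classify_flags(flags):
    """Map a flag string onto the probe types named on the slide."""
    f = set(flags) - {"-"}
    if f == {"S"}:
        return "syn"
    if not f:
        return "null"
    if f == {"F"}:
        return "fin"
    if f == {"F", "P", "U"}:
        return "xmas"
    if f == {"A"}:
        return "ack"
    return "other"   # SYN/ACK, RST, data segments: not probes in themselves

def parse_packet(line):
    m = PACKET_RE.match(line)
    if not m:
        return None
    src, sport, dst, dport, flags = m.groups()
    return (src, int(sport), dst, int(dport), classify_flags(flags))

def summarize(lines):
    """Per source IP: number of distinct destination ports touched by each probe type.

    A SYN later followed by a bare ACK from the same 4-tuple completed the handshake
    (connect scan or a normal connection); a SYN with no such ACK is half-open.
    """
    syn_sent, completed = set(), set()
    other = defaultdict(lambda: defaultdict(set))
    for line in lines:
        pkt = parse_packet(line)
        if pkt is None:
            continue
        src, sport, dst, dport, kind = pkt
        key = (src, sport, dst, dport)
        if kind == "syn":
            syn_sent.add(key)
        elif kind == "ack" and key in syn_sent:
            completed.add(key)
        elif kind in ("fin", "null", "xmas", "ack"):   # bare ACK with no SYN: ACK probe
            other[src][kind].add(dport)
    ports = defaultdict(lambda: defaultdict(set))
    for key in syn_sent:
        src, _, _, dport = key
        ports[src]["connect" if key in completed else "syn_half_open"].add(dport)
    for src, kinds in other.items():
        for kind, dports in kinds.items():
            ports[src][kind] |= dports
    return {src: {k: len(v) for k, v in kinds.items()} for src, kinds in ports.items()}

def find_scanners(lines, min_ports=5):
    """Sources whose probes of any one type reached at least min_ports distinct ports."""
    return {src: kinds for src, kinds in summarize(lines).items()
            if max(kinds.values()) >= min_ports}

if __name__ == "__main__":
    for src, kinds in find_scanners(SAMPLE_PACKETS).items():
        print(src, kinds)
```

In the sample, 10.0.0.5 completes one handshake and is ignored, 10.0.0.9 leaves seven half-open SYNs (it even resets the one port that answered), and 10.0.0.7 sends five Xmas probes plus a NULL and a FIN; the threshold keeps a single legitimate connection from tripping the check.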
Nmap – Network Mapper
• The dominant “Network Mapping” tool
– Written by Fyodor
– De facto tool for host and service discovery
– Used by a lot of other tools
• What can it do?
– TCP, UDP, ARP, ICMP scans
– OS fingerprinting (banners and active TCP stack profiling)
– IDS evasion
– The NSE - Nmap scripting engine
– Bring down servers, firewalls and printers!

15
Enumeration
• Vulnerabilities
– Software weaknesses
– Misconfigurations
• Usernames
– Admin, user and service accounts
– Groups
• Additional targets
– Internal server names
– IP addresses
– Firewalls and IDS/IPS
– Network shares
– Applications and databases

16
Network Vulnerability Scanning

• Network weaknesses
– The weaknesses are there, it’s just a matter of finding them
– Scans network segments and identifies weaknesses in services (FTP servers, web servers, network routers, etc.)
– Will find issues in off-the-shelf software
– Default/weak passwords, misconfigurations, open shares, insecure services
• Tools
– Nessus
– OpenVAS
– nCircle (Tripwire)

17
Application Vulnerability Scanning

• Web application scanning
– Spidering
– OWASP Top 10
– XSS, injection flaws, CSRF
• Tools
– OWASP Zap (Zed Attack Proxy)
– Burp Proxy
– Acunetix
– Grendel-Scan
– Nikto

18
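Of the OWASP Top 10 items named above, injection is the one a scanner finds by sending quote characters and tautologies into request parameters and watching whether the response changes. The following is an added example, not code from the slides or from the author: it puts the vulnerable pattern (string-building the SQL) beside the hardened one (bound parameters) against an in-memory SQLite table with constructed rows, so the difference a scanner would observe can be reproduced offline.

```python
import sqlite3

def make_demo_db():
    """In-memory table with constructed rows (not real accounts)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "staff"), ("bob", "admin")])
    return conn

def lookup_vulnerable(conn, username):
    # Vulnerable: the request parameter is pasted straight into the SQL text,
    # so a quote character in the input changes the structure of the query.
    sql = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()

def lookup_hardened(conn, username):
    # Hardened: a bound parameter is always treated as a value, never as SQL,
    # so the same input is compared literally against the column and matches nothing.
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()

def scanner_observation(conn, probe):
    """What a web application scanner would see: does the probe change the result set?"""
    return {
        "vulnerable_rows": len(lookup_vulnerable(conn, probe)),
        "hardened_rows": len(lookup_hardened(conn, probe)),
    }

if __name__ == "__main__":
    db = make_demo_db()
    print("normal lookup:", lookup_hardened(db, "alice"))
    print("tautology probe:", scanner_observation(db, "x' OR '1'='1"))
```

The same lesson covers the other injection flaws on the slide: keep data and code separate at the boundary (parameters for SQL, output encoding for XSS) rather than trying to filter the inputs a scanner sends.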
Password Guessing and Cracking

• Password guessing (online active attack)
– Obtain usernames
– Online password attempts
• Tools
– THC Hydra
– Enum
– TSGrinder
• Password cracking (offline attack)
– Brute-force
– Dictionary
– Hybrid
– Rainbow tables
• Tools
– Pwdump
– LCP
– John the Ripper
– Ophcrack
– Cain and Abel

19
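Online password guessing is the one of the two that the target can see while it happens: the attempts land in the authentication log, one failure per guess, usually from one source and often across many usernames. The following is an added example, not code from the slides or from the author: it runs a simple detection over constructed sshd-style log lines (hostnames and addresses are invented), flags a source that exceeds a failure threshold inside a time window, and, because this matters most during identification, reports whether a login from that source succeeded after the guessing started.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd-style auth log lines (not from a real system).
SAMPLE_AUTH_LOG = """\
Jan  1 10:00:01 bastion sshd[2201]: Failed password for invalid user admin from 203.0.113.9 port 51001 ssh2
Jan  1 10:00:02 bastion sshd[2202]: Failed password for invalid user oracle from 203.0.113.9 port 51002 ssh2
Jan  1 10:00:03 bastion sshd[2203]: Failed password for root from 203.0.113.9 port 51003 ssh2
Jan  1 10:00:04 bastion sshd[2204]: Failed password for root from 203.0.113.9 port 51004 ssh2
Jan  1 10:00:05 bastion sshd[2205]: Failed password for bob from 203.0.113.9 port 51005 ssh2
Jan  1 10:00:06 bastion sshd[2206]: Accepted password for bob from 203.0.113.9 port 51006 ssh2
Jan  1 10:05:00 bastion sshd[2210]: Failed password for alice from 10.0.0.12 port 40001 ssh2
Jan  1 10:05:30 bastion sshd[2211]: Accepted password for alice from 10.0.0.12 port 40002 ssh2
""".splitlines()

AUTH_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)

def parse_auth_line(line):
    m = AUTH_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")  # syslog omits the year
    return ts, m.group("outcome"), m.group("user"), m.group("src")

def detect_guessing(lines, threshold=5, window=timedelta(seconds=60)):
    """Flag sources with >= threshold failures inside `window`, and record whether a
    login from that source succeeded after the failures began (a likely compromise)."""
    events = defaultdict(list)
    for line in lines:
        ev = parse_auth_line(line)
        if ev:
            events[ev[3]].append(ev)
    alerts = {}
    for src, evs in events.items():
        evs.sort(key=lambda e: e[0])
        failures = [e for e in evs if e[1] == "Failed"]
        # Sliding window: at each failure, count the failures within `window` before it.
        hit = False
        for i, (ts, _, _, _) in enumerate(failures):
            recent = [f for f in failures[:i + 1] if ts - f[0] <= window]
            if len(recent) >= threshold:
                hit = True
                break
        if not hit:
            continue
        first_fail = failures[0][0]
        successes = [e for e in evs if e[1] == "Accepted" and e[0] >= first_fail]
        alerts[src] = {
            "failures": len(failures),
            "users": sorted({f[2] for f in failures}),
            "success_after_failures": bool(successes),
            "compromised_accounts": sorted({s[2] for s in successes}),
        }
    return alerts

if __name__ == "__main__":
    for src, info in detect_guessing(SAMPLE_AUTH_LOG).items():
        print(src, info)
```

In the sample, 203.0.113.9 tries four different accounts in five seconds and then gets in as bob, which turns a noisy guessing alert into an account-compromise incident to contain; 10.0.0.12 is a user mistyping a password once and is not reported.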
Discussion Questions
1. How can information gleaned from Google be helpful?

2. Why are rogue access points a cause for concern?

3. Why are worms considered a threat to availability as well as confidentiality?

4. How does a botnet operator profit from the zombies within a botnet?

5. If you were scanning a host and did not want to be noticed by an IDS, what evasion techniques could you use?

6. Why is it important to scan for vulnerabilities regularly?

20
