Security Assessment Principles

Uploaded by josephallen.abc
Agenda
• Planning Security Assessments
• Gathering Information About the Organization
• Penetration Testing for Intrusive Attacks
• Case Study: Assessing Network Security for Northwind Traders

Planning Security Assessments
Why Does Network Security Fail?
Network security fails in several common areas, including:
• Human awareness
• Policy factors
• Hardware or software misconfigurations
• Poor assumptions
• Ignorance
• Failure to stay up-to-date

Understanding Defense-in-Depth
Using a layered approach:
• Increases an attacker’s risk of detection
• Reduces an attacker’s chance of success

Layer | Examples
Policies & Procedures | (the layer on which all the others rest)
Physical | Guards, locks, tracking devices
Perimeter | Firewalls, border routers, VPNs with quarantine procedures
Network | Network segments, NIDS
Host (client and server) | OS hardening, authentication, security update management, antivirus updates, auditing
Application | Application hardening, application firewall (FW)
Data | Strong passwords, ACLs, backup and restore strategy

Why Perform Security Assessments?
Security assessments can:
• Answer the questions “Is our network secure?” and “How do we know that our network is secure?”
• Provide a baseline to help improve security
• Find configuration mistakes or missing security updates
• Reveal unexpected weaknesses in your organization’s security
• Ensure regulatory compliance

Planning a Security Assessment

Project phase | Planning elements
Pre-assessment | Scope; Goals; Timelines; Ground rules; Choose technologies
Assessment | Perform assessment
Preparing results | Organize results; Estimate risk presented by discovered weaknesses; Create a plan for remediation; Identify vulnerabilities that have not been remediated; Determine improvement in network security over time; Create final report
Reporting your findings | Present your findings; Arrange for next assessment

Understanding the Security Assessment Scope

Component | Example
Target | All servers running Windows 2000 Server or Windows Server 2003
Target area | All servers on the subnets 192.168.0.0/24 and 192.168.1.0/24
Timeline | Scanning will take place from June 3rd to June 10th during non-critical business hours
Vulnerabilities to scan for | RPC-over-DCOM vulnerability (MS 03-026); Anonymous SAM enumeration; Guest account enabled; Greater than 10 accounts in the local Administrators group

Understanding Security Assessment Goals

Project goal: All computers running Windows 2000 Server and Windows Server 2003 on the subnets 192.168.0.0/24 and 192.168.1.0/24 will be scanned for the following vulnerabilities and will be remediated as stated.

Vulnerability | Remediation
RPC-over-DCOM vulnerability (MS 03-026) | Install Microsoft security updates 03-026 and 03-39
Anonymous SAM enumeration | Configure RestrictAnonymous to 2 on Windows 2000 Server and to 1 on Windows Server 2003
Guest account enabled | Disable the Guest account
Greater than 10 accounts in the local Administrators group | Minimize the number of accounts in the Administrators group

Types of Security Assessments

Vulnerability scanning:
• Focuses on known weaknesses
• Can be automated
• Does not necessarily require expertise

Penetration testing:
• Focuses on known and unknown weaknesses
• Requires highly skilled testers
• Carries a tremendous legal burden in certain countries/organizations

IT security auditing:
• Focuses on security policies and procedures
• Used to provide evidence for industry regulations

Using Vulnerability Scanning to Assess Network Security

Develop a process for vulnerability scanning that will do the following:
• Detect vulnerabilities
• Assign risk levels to discovered vulnerabilities
• Identify vulnerabilities that have not been remediated
• Determine improvement in network security over time
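
The four process steps above, worked through as an added example (this is not code from the original deck or from Microsoft): it reads two scan exports, assigns each finding a risk level, lists what was still open at the second scan, and measures the change in weighted risk. The tab-separated export format, the hosts, the dates and the risk mapping are all constructed for illustration; only the vulnerability names follow the scope table above.

```python
"""Track vulnerability-scan results across two assessments (added example)."""
from dataclasses import dataclass

# Constructed risk model: each known check maps to a risk level and a weight.
RISK_LEVELS = {
    "RPC-over-DCOM vulnerability (MS 03-026)": "High",
    "Anonymous SAM enumeration": "Medium",
    "Guest account enabled": "Medium",
    "More than 10 accounts in local Administrators group": "Low",
}
RISK_WEIGHT = {"High": 3, "Medium": 2, "Low": 1}


@dataclass(frozen=True)
class Finding:
    host: str
    vulnerability: str

    @property
    def risk(self) -> str:
        # Step 2: assign a risk level; unknown checks default to Medium so they are not lost.
        return RISK_LEVELS.get(self.vulnerability, "Medium")


def parse_scan(lines):
    """Step 1: parse constructed scanner output of the form 'host<TAB>vulnerability'."""
    findings = set()
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, vuln = line.split("\t", 1)
        findings.add(Finding(host, vuln))
    return findings


def unremediated(baseline, current):
    """Step 3: findings present in both scans were not fixed between assessments."""
    return sorted(baseline & current, key=lambda f: (RISK_WEIGHT[f.risk], f.host), reverse=True)


def risk_score(findings):
    return sum(RISK_WEIGHT[f.risk] for f in findings)


def improvement(baseline, current):
    """Step 4: change in total weighted risk; positive means the network got better."""
    return risk_score(baseline) - risk_score(current)


# Constructed scan output for two assessment dates (not real systems).
BASELINE_SCAN = """\
# scan 2004-06-03
192.168.0.10\tRPC-over-DCOM vulnerability (MS 03-026)
192.168.0.10\tGuest account enabled
192.168.0.11\tAnonymous SAM enumeration
192.168.1.20\tMore than 10 accounts in local Administrators group
""".splitlines()

CURRENT_SCAN = """\
# scan 2004-06-10
192.168.0.10\tGuest account enabled
192.168.0.11\tAnonymous SAM enumeration
192.168.1.21\tGuest account enabled
""".splitlines()


def report():
    base, cur = parse_scan(BASELINE_SCAN), parse_scan(CURRENT_SCAN)
    return {
        "unremediated": [(f.host, f.vulnerability, f.risk) for f in unremediated(base, cur)],
        "new": sorted((f.host, f.vulnerability) for f in cur - base),
        "fixed": sorted((f.host, f.vulnerability) for f in base - cur),
        "improvement": improvement(base, cur),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(key, value)
```

Keying findings on (host, vulnerability) is what makes the two later steps possible: a finding that reappears on a host at the second scan is by definition unremediated, and a new host carrying an old finding shows up as new rather than silently inflating the baseline.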
Using Penetration Testing to Assess Network Security

Steps to a successful penetration test include:
1. Determine how the attacker is most likely to go about attacking a network or an application
2. Locate areas of weakness in network or application defenses
3. Determine how an attacker could exploit weaknesses
4. Locate assets that could be accessed, altered, or destroyed
5. Determine whether the attack was detected
6. Determine what the attack footprint looks like
7. Make recommendations

Understanding Components of a Security Audit

Security policy operations model: Documentation, Implementation, Technology, Process, Policy

The audit builds from the bottom up:
• Start with policy
• Build process
• Apply technology

Reporting Security Assessment Findings

Organize information into the following reporting framework:
• Define the vulnerability
• Document mitigation plans
• Identify where changes should occur
• Assign responsibility for implementing approved recommendations
• Recommend a time for the next security assessment

Gathering Information About the Organization
What Is a Nonintrusive Attack?
Nonintrusive attack: The intent to gain information about an organization’s network in preparation for a more intrusive attack at a later time.

Examples of nonintrusive attacks include:
• Information reconnaissance
• Port scanning
• Obtaining host information using fingerprinting techniques
• Network and host discovery

Information Reconnaissance Techniques
Common types of information sought by attackers include:
• System configuration
• Valid user accounts
• Contact information
• Extranet and remote access servers
• Business partners and recent acquisitions or mergers

Information about your network may be obtained by:
• Querying registrar information
• Determining IP address assignments
• Organization Web pages
• Search engines
• Public discussion forums

Countermeasures Against Information Reconnaissance
✓ Only provide information that is absolutely required to your Internet registrar
✓ Review your organization’s Web site content regularly for inappropriate information
✓ Use e-mail addresses based on job roles on your company Web site and in registrar information
✓ Create a policy defining appropriate public discussion forum usage

What Information Can Be Obtained by Port Scanning?
Typical results of a port scan include:
• Discovery of ports that are listening or open
• Determination of which ports refuse connections
• Determination of connections that time out

Port scanning tips include:
• Start by scanning slowly, a few ports at a time
• To avoid detection, try the same port across several hosts
• Run scans from a number of different systems, optimally from different networks

Port-Scanning Countermeasures
Port scanning countermeasures include:
✓ Implement defense-in-depth to use multiple layers of filtering
✓ Plan for misconfigurations or failures
✓ Implement an intrusion-detection system
✓ Run only the required services
✓ Expose services through a reverse proxy


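The intrusion-detection countermeasure above, worked through as an added example that is not part of the original deck: it runs over constructed firewall deny-log lines and flags the two probing patterns the previous slide describes, one source walking many ports on a host (a vertical scan) and one source trying the same port across many hosts (a horizontal sweep). The log format, the addresses and the thresholds are all made up for illustration.

```python
"""Detect port-scan patterns in firewall deny logs (added example)."""
from collections import defaultdict
import re

# Constructed log format: "<epoch seconds> DENY <src_ip> -> <dst_ip>:<dst_port>"
LINE_RE = re.compile(r"^(\d+) DENY (\S+) -> (\S+):(\d+)$")


def parse_line(line):
    """Return (timestamp, src, dst, port) or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, dst, port = m.groups()
    return int(ts), src, dst, int(port)


def detect_scans(lines, window=300, vertical_threshold=10, horizontal_threshold=5):
    """Return sorted alerts for sources that exceed a threshold within a sliding window.

    window: seconds over which denied probes from one source are grouped.
    vertical_threshold: distinct destination ports seen on a single host.
    horizontal_threshold: distinct hosts seen on a single destination port.
    """
    events = sorted(filter(None, map(parse_line, lines)))
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev[1]].append(ev)

    alerts = set()
    for src, evs in by_src.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it spans at most `window` seconds.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            ports_per_dst = defaultdict(set)
            dsts_per_port = defaultdict(set)
            for _, _, dst, port in evs[start:end + 1]:
                ports_per_dst[dst].add(port)
                dsts_per_port[port].add(dst)
            for dst, ports in ports_per_dst.items():
                if len(ports) >= vertical_threshold:
                    alerts.add(("vertical", src, dst))
            for port, dsts in dsts_per_port.items():
                if len(dsts) >= horizontal_threshold:
                    alerts.add(("horizontal", src, str(port)))
    return sorted(alerts)


# Constructed sample: 10.0.0.5 walks 12 ports on one host within four minutes,
# 10.0.0.9 tries port 445 on six hosts, and 10.0.0.7 is a single denied connection.
SAMPLE_LOG = (
    [f"{1000 + i * 20} DENY 10.0.0.5 -> 192.168.0.10:{20 + i}" for i in range(12)]
    + [f"{2000 + i * 30} DENY 10.0.0.9 -> 192.168.0.{10 + i}:445" for i in range(6)]
    + ["3000 DENY 10.0.0.7 -> 192.168.0.10:3389"]
)

if __name__ == "__main__":
    for alert in detect_scans(SAMPLE_LOG):
        print(alert)
```

The window is the trade-off the slide hints at: a scan paced slower than the window never accumulates enough distinct ports or hosts to cross a threshold, which is why the detection is one layer among several rather than the whole defence.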
What Information Can Be Collected About Network Hosts?
Types of information that can be collected using fingerprinting techniques include:
• IP and ICMP implementation
• TCP responses
• Listening ports
• Banners
• Service behavior
• Remote operating system queries

Countermeasures to Protect Network Host Information

Fingerprinting source | Countermeasures
IP, ICMP, and TCP | Be conservative with the packets that you allow to reach your system; Use a firewall or inline IDS device to normalize traffic; Assume that your attacker knows what version of operating system is running, and make sure it is secure
Banners | Change the banners that give operating system information; Assume that your attacker knows what version of operating system and application is running, and make sure it is secure
Port scanning, service behavior, and remote queries | Disable unnecessary services; Filter incoming traffic to isolate specific ports on the host; Implement IPSec on all systems in the managed network

Penetration Testing for Intrusive Attacks
What Is Penetration Testing for Intrusive Attacks?

Intrusive attack: Performing specific tasks that result in a compromise of system information, stability, or availability.

Examples of penetration testing for intrusive attack methods include:
• Automated vulnerability scanning
• Password attacks
• Denial-of-service attacks
• Application and database attacks
• Network sniffing

What Is Automated Vulnerability Scanning?

Automated vulnerability scanning makes use of scanning tools to automate the following tasks:
• Banner grabbing and fingerprinting
• Exploiting the vulnerability
• Inference testing
• Security update detection

What Is a Password Attack?
Two primary types of password attacks are:
• Brute-force attacks
• Password-disclosure attacks

Countermeasures to protect against password attacks include:
• Require complex passwords
• Educate users
• Implement smart cards
• Create a policy that restricts passwords in batch files, scripts, or Web pages

What Is a Denial-of-Service Attack?
Denial-of-Service (DoS) attack: Any attempt by an attacker to deny his victim’s access to a resource.

DoS attacks can be divided into three categories:
• Flooding attacks
• Resource starvation attacks
• Disruption of service

Note: Denial-of-service attacks should not be launched against your own live production network.

Countermeasures for Denial-of-Service Attacks

DoS attack | Countermeasures
Flooding attacks | Ensure that your routers have anti-spoofing rules in place and rules that block directed broadcasts; Set rate limitations on devices to mitigate flooding attacks; Consider blocking ICMP packets
Resource starvation attacks | Apply the latest updates to the operating system and applications; Set disk quotas
Disruption of service | Make sure that the latest update has been applied to the operating system and applications; Test updates before applying to production systems; Disable unneeded services

Understanding Application and Database Attacks

Common application and database attacks include:

Buffer overruns:
• Write applications in managed code

SQL injection attacks:
• Validate input for correct size and type
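
The SQL injection countermeasure above, shown as an added example (not code from the original deck): a lookup that concatenates user input into the statement sits beside the hardened form, which validates the input for size and type and then binds it as a query parameter. The in-memory SQLite table, the user names and the user-name rule are constructed for illustration.

```python
"""SQL injection: vulnerable query beside its hardened form (added example)."""
import re
import sqlite3


def make_db():
    """Constructed sample table; SQLite keeps it in memory so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    return conn


def lookup_vulnerable(conn, username):
    """Builds the statement by string concatenation, so the input is parsed as SQL."""
    sql = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


# Constructed validation rule: lowercase letters, digits and underscore, 1 to 32 characters.
USERNAME_RE = re.compile(r"^[a-z0-9_]{1,32}$")


def lookup_hardened(conn, username):
    """Validates size and type first, then binds the value as a parameter so the
    database driver never treats it as part of the statement."""
    if not isinstance(username, str) or not USERNAME_RE.match(username):
        raise ValueError("invalid username")
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def demo():
    """Return (rows leaked by the vulnerable lookup, hardened lookup rejected it, normal result)."""
    conn = make_db()
    crafted = "x' OR '1'='1"           # constructed input that closes the quote early
    leaked = lookup_vulnerable(conn, crafted)   # the WHERE clause becomes always-true
    try:
        lookup_hardened(conn, crafted)
        blocked = False
    except ValueError:
        blocked = True
    normal = lookup_hardened(conn, "bob")
    return len(leaked), blocked, normal


if __name__ == "__main__":
    print(demo())
```

Validation and parameter binding are independent layers: the regex rejects anything that is not a plausible user name, and the bound parameter guarantees that even a value which passes validation can never change the statement's structure.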
What Is Network Sniffing?
Network sniffing: The ability of an attacker to eavesdrop on communications between network hosts.

An attacker can perform network sniffing by performing the following tasks:
1. Compromising the host
2. Installing a network sniffer
3. Using a network sniffer to capture sensitive data such as network credentials
4. Using network credentials to compromise additional hosts

Countermeasures for Network Sniffing Attacks

To reduce the threat of network sniffing attacks on your network, consider the following:
• Use encryption to protect data
• Use switches instead of hubs
• Secure core network devices
• Use crossover cables
• Develop policy
• Conduct regular scans

How Attackers Avoid Detection During an Attack

Common ways that attackers avoid detection include:
• Flooding log files
• Using logging mechanisms
• Attacking detection mechanisms
• Using canonicalization attacks
• Using decoys

How Attackers Avoid Detection After an Attack

Common ways that attackers avoid detection after an attack include:
• Installing rootkits
• Tampering with log files

Countermeasures to Detection-Avoidance Techniques

Avoidance technique | Countermeasures
Flooding log files | Back up log files before they are overwritten
Using logging mechanisms | Ensure that your logging mechanism is using the most updated version of software and all updates
Attacking detection mechanisms | Keep software and signatures updated
Using canonicalization attacks | Ensure that applications normalize data to its canonical form
Using decoys | Secure the end systems and networks being attacked
Using rootkits | Implement defense-in-depth strategies
Tampering with log files | Secure log file locations; Store logs on another host; Use encryption to protect log files; Back up log files
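
The log-tampering row above, extended with an added example that is not part of the original deck: alongside securing, encrypting and off-host storage of logs, a keyed hash chain makes alteration, reordering or deletion of a record detectable. Each record's tag is an HMAC over the previous tag and the record text, so a single edited or removed line breaks every verification from that point on. The key and the sample log lines are constructed for illustration.

```python
"""Tamper-evident logging with an HMAC hash chain (added example)."""
import hashlib
import hmac

GENESIS = b"\x00" * 32   # fixed starting "previous tag" for the first record


def chain_logs(lines, key):
    """Return a list of (text, tag_hex) where tag = HMAC(key, prev_tag || text)."""
    prev = GENESIS
    records = []
    for text in lines:
        tag = hmac.new(key, prev + text.encode(), hashlib.sha256).digest()
        records.append((text, tag.hex()))
        prev = tag
    return records


def verify_chain(records, key):
    """Return the index of the first record whose tag does not verify, or -1 if intact."""
    prev = GENESIS
    for i, (text, tag_hex) in enumerate(records):
        expected = hmac.new(key, prev + text.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected.hex(), tag_hex):
            return i
        prev = expected
    return -1


# Constructed key and log lines; a real key would be kept off the logging host.
KEY = b"constructed-demo-key-not-for-real-use"
SAMPLE_LINES = [
    "2004-12-02T22:01:07 login success user=svc_backup src=10.0.0.7",
    "2004-12-02T22:03:19 login failure user=administrator src=10.0.0.5",
    "2004-12-02T22:03:21 login failure user=administrator src=10.0.0.5",
    "2004-12-02T22:10:44 audit policy changed by user=administrator",
]


def demo():
    """Return verification results for the intact chain and three tampered copies."""
    records = chain_logs(SAMPLE_LINES, KEY)
    intact = verify_chain(records, KEY)

    # Tamper 1: rewrite a failed login to look like a success.
    altered = list(records)
    altered[1] = (altered[1][0].replace("failure", "success"), altered[1][1])

    # Tamper 2: remove a record from the middle of the chain.
    gapped = records[:2] + records[3:]

    # Tamper 3: drop the final record; the remaining chain still verifies on its own.
    truncated = records[:-1]

    return intact, verify_chain(altered, KEY), verify_chain(gapped, KEY), verify_chain(truncated, KEY)


if __name__ == "__main__":
    print(demo())
```

Truncation at the tail is the case the chain alone cannot catch, which is exactly why the table pairs it with storing logs on another host: forwarding the latest tag (or record count) off-box turns a silently shortened log into a detectable mismatch.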
Case Study: Assessing Network Security for Northwind Traders

Introducing the Case-Study Scenario

Defining the Security Assessment Scope

Component | Scope
Target | LON-SRV1.nwtraders.msft
Timeline | Scanning will take place December 2 during noncritical business hours
Assess for the following vulnerabilities | Buffer overflow; SQL injection; Guest account enabled; RPC-over-DCOM vulnerability

Defining the Security Assessment Goals

Project goal: LON-SRV1 will be scanned for the following vulnerabilities and will be remediated as stated.

Vulnerability | Remediation
SQL injection | Require developers to fix Web-based applications
Buffer overflow | Have developers fix applications as required
Guest account enabled | Disable the Guest account
RPC-over-DCOM vulnerability | Install Microsoft security update MS04-012

Choosing Tools for the Security Assessment

The tools that will be used for the Northwind Traders security assessment include the following:
• Microsoft Baseline Security Analyzer
• KB824146SCAN.exe
• Portqry.exe
• Manual input

Reporting the Security Assessment Findings

Answer the following questions to complete the report:
• What risk does the vulnerability present?
• What is the source of the vulnerability?
• What is the potential impact of the vulnerability?
• What is the likelihood of the vulnerability being exploited?
• What should be done to mitigate the vulnerability? Give at least three options if possible.
• Where should the mitigation be done?
• Who should be responsible for implementing the mitigations?

Summary
✓ Plan your security assessment to determine scope and goals
✓ Disclose only essential information about your organization on Web sites and in registrar records
✓ Assume that the attacker already knows the exact operating system and version, and take as many steps as possible to secure those systems
✓ Educate users to use strong passwords or pass-phrases
✓ Keep systems up-to-date on security updates and service packs

More information
• www.microsoft.se/technet
• www.microsoft.se/security
• www.truesec.se/events
• www.itproffs.se