
Page 1: The Ethical Hackeraccessola2.com/images/olita/PaulStillwell.pdf · 2017-09-15 · 10 Network Solutions Technical Contact: Wilf, Gonen (GWA129) gonenw@CHECKPOINT.COM Check Point Software

The Ethical Hacker

Paul Stillwell


Introduction

● Paul Stillwell
● GCIA – GIAC Certified Intrusion Analyst
● 16 Years of IT Experience
● 8 Years designing and implementing large scale Network Security Architectures


Outline

● Are YOU Aware?
● Security Truths and Fallacies
● A Little Healthy Paranoia (goes a long way :-)
● Security Components
● Bringing It All Together


Where Do We Start?

● Easily Accessible Public Information
● The Telephone Book
● Business Cards
  – E-mail Addresses
  – Domain Names
  – Telephone Exchanges
  – Rank Within The Company
● Public Financial Statements


Step 1

● The Internet
  – Domain Name
  – SamSpade.org
  – Network Solutions Inc.
  – ARIN – The American Registry of Internet Numbers
  – APNIC – Asia Pacific Network Information Centre
  – RIPE NCC – Réseaux IP Européens Network Coordination Centre


Network Solutions

Registrant:
Check Point Software Technologies (CHECKPOINT-DOM)
   3A Jabotinsky St.
   Ramat-Gan, 52520
   ISRAEL

   Domain Name: CHECKPOINT.COM

   Administrative Contact:
      Dragojevic, Miroslav  (FSNVZACZUI)  [email protected]
      Check Point Software Technologies Inc.
      3 Lagoon Drive
      Redwood City, CA  94065
      US
      650-628-2026 650-654-4233


Network Solutions

   Technical Contact:
      Wilf, Gonen  (GWA129)  gonenw@CHECKPOINT.COM
      Check Point Software Technologies Ltd.
      3A Jabotinsky St.
      Ramat-Gan, 52520
      IL
      +972-3-7534555 (FAX) +972-3-5759256

   Record expires on 30-Mar-2007.
   Record created on 29-Mar-1994.
   Database last updated on 12-Sep-2002 21:34:40 EDT.

   Domain servers in listed order:

   NS.CHECKPOINT.COM            199.203.73.197
   NS2.CHECKPOINT.COM           206.184.151.195
   NS3.CHECKPOINT.COM           204.156.136.26


ARIN Whois

Search results for: 199.203.73.197

Elron Technologies ELRON-C-BLK1 (NET-199-203-0-0-1)
                                  199.203.0.0 - 199.203.255.255
Checkpoint Software Technologies NV-CHECKPOINT (NET-199-203-73-0-1)
                                  199.203.73.0 - 199.203.73.255

# ARIN Whois database, last updated 2002-09-11 19:05
# Enter ? for additional hints on searching ARIN's Whois database.


ARIN Whois

Search results for: 206.184.151.195

OrgName:    Verio, Inc.
OrgID:      VRIO
NetRange:   206.184.0.0 - 206.184.255.255
CIDR:       206.184.0.0/16
NetName:    VRIO-206-184
NetHandle:  NET-206-184-0-0-1
Parent:     NET-206-0-0-0-0
NetType:    Direct Allocation
NameServer: NS0.VERIO.NET
NameServer: NS1.VERIO.NET
NameServer: NS2.VERIO.NET
Comment:    ********************************************
            Reassignment information for this block is
            available at rwhois.verio.net port 4321
            ********************************************
RegDate:    2000-11-15
Updated:    2001-09-26
TechHandle: VIA4-ORG-ARIN
TechName:   Verio, Inc.
TechPhone:  +1-303-645-1900
TechEmail:  [email protected]

# ARIN Whois database, last updated 2002-09-11 19:05
# Enter ? for additional hints on searching ARIN's Whois database.


Domain Name Service

dig checkpoint.com

;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40908
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 3

;; QUESTION SECTION:
;checkpoint.com.                IN      A

;; ANSWER SECTION:
checkpoint.com.         172769  IN      A       206.86.35.130

;; AUTHORITY SECTION:
checkpoint.com.         172769  IN      NS      NS2.checkpoint.com.
checkpoint.com.         172769  IN      NS      NS3.checkpoint.com.
checkpoint.com.         172769  IN      NS      NS.checkpoint.com.

;; ADDITIONAL SECTION:
NS.checkpoint.com.      172769  IN      A       199.203.73.197
NS2.checkpoint.com.     172769  IN      A       206.184.151.195
NS3.checkpoint.com.     172769  IN      A       204.156.136.26

;; Query time: 39 msec
;; SERVER: 192.168.244.2#53(192.168.244.2)
;; WHEN: Thu Sep 12 21:45:51 2002
;; MSG SIZE  rcvd: 149


Domain Name Service

dig checkpoint.com mx

mx1.us.checkpoint.com.  86400   IN      A       204.156.136.26
mx2.us.checkpoint.com.  86400   IN      A       206.184.151.195


Step 2 – Telnet, A Hacking Tool?

[paul@Pluto paul]$ telnet mx1.checkpoint.com 25

Trying 199.203.73.197...

Connected to mx1.checkpoint.com.

Escape character is '^]'.

220 cale.checkpoint.com ESMTP Sendmail Fri, 13 Sep 2002 03:49:12 +0200 (IST) Check Point Welcomes!

helo

501 5.0.0 helo requires domain address

helo cyberklix.com

250 cale.checkpoint.com Hello CPE012059940726.cpe.net.cable.rogers.com [24.101.166.122] (may be forged), pleased to meet you


Telnet

telnet www.microsoft.com 80

Trying 207.46.197.102...

Connected to www.microsoft.com.

Escape character is '^]'.

get

HTTP/1.1 400 Bad Request

Content-Type: text/html

Server: Microsoft-IIS/6.0

Date: Fri, 13 Sep 2002 01:55:13 GMT

Connection: close

Content­Length: 35

<h1>Bad Request (Invalid Verb)</h1>

Connection closed by foreign host.


Step 3 – Google, A Hacking Tool?


Fallacies

● Hacking Is Hard
  – Code Kiddies or Script Kiddies


Fallacies

● Hacking Is Hard
  – Code Kiddies or Script Kiddies
● It Won’t Happen To Me


September, 2002



Sunday, April 9th



Monday, April 3rd



Fallacies

● Hacking Is Hard
  – Code Kiddies or Script Kiddies
● It Won’t Happen To Me
● I Can’t Do Anything About This


Polls Indicate Fear

Poll: Security Officers Fear Cyber-Attack

Date: Fri Aug 30 @ 15:41

Source: CNN.com

Nearly half of corporate security officers expect terrorists to launch a major strike through computer networks in the next 12 months, a poll released on Thursday showed. A total of 49 percent of 1,009 subscribers to CSO Magazine said they feared a major cyber attack in the coming year by a group like al Qaeda, blamed for the Sept. 11 attacks by four hijacked airplanes that killed more than 3,000 people in the United States.

The poll was carried out between July 19 and August 1 by Framingham, Massachusetts-based CSO, whose first edition will appear next month. To help protect cyberspace, U.S. President George W. Bush will roll out a blueprint next month calling on people from personal computer users to U.S. rocket scientists to do their share, including installing anti-virus software, White House officials said on Wednesday. The goal is to prevent such things as "denial-of-service" attacks in which hijacked computing power could be collected and used to attack electricity grids, telecommunications and other critical infrastructure.


Hackers Only Exist On The Internet

Do Firewalls and IDS Create a False Sense of Internal Security?

Date: Fri Aug 30 @ 15:43

Source: SC Magazine

In an effort to boost sales and generate revenue, one U.S. multinational energy company recently embraced the Internet to bolster external communication and internal collaboration. In addition to creating a corporate web site, the firm deployed hundreds of intranet applications for procurement, expense reporting and other processes. Numerous departments and branch offices worldwide also set up specialized web sites for partners, customers and even project management. Though the company has achieved its strategic goals for the web, by leveraging valuable communication and management tools that lower costs and streamline processes, it has, unwittingly, set itself up for malicious intrusion. The decentralized and ad hoc intranet application deployment has created a fragmented, multi-platform mosaic that raises important security questions (see boxout below).

Clearly for internal or external web applications, security is the biggest concern today. The dramatic number of attacks is expected by CERT to double again this year to almost 100,000. It is estimated by Gartner Group that as many as 70 to 80 percent of these attacks are coming in through ports 80 and 443, commonly used by web applications. Such attacks can be costly and detrimental to corporate credibility. Privileged customer, financial and operational information or valuable intellectual property can be damaged or stolen during the average hacker intrusion of 15 minutes or less. The average loss is more than $2 million among those willing to quantify losses, according to an FBI/CSI survey. Downtime alone can potentially cost tens of thousands of dollars per minute. "There is much more illegal and unauthorized activity going on in cyberspace than corporations admit to their clients, stockholders and business partners or report to law enforcement. Incidents are widespread, costly and commonplace," the survey concluded.


A Little Paranoia Goes A Long Way

● Now You Know There Is A Problem
  – “And knowing is half the battle”
● Thirst for knowledge
● Subscribe to the CERT Alerts mailing List
  – http://www.cert.org
● Subscribe to the ISS Xforce Alerts Mailing List
  – http://www.iss.net/security_center/maillists/
● The more you learn the better prepared your organization will be


Let’s Do Something!

● What You Need
  – Support
  – Knowledge
  – Teamwork


Where Do I Start?

● Network Security Components


Network Security Components

● Security Policy
● Firewalls
● Network Based IDS
● Host Based IDS
● Encryption
● Virtual Private Networks (VPN)
● Authentication
● Vulnerability Assessment Tools
● Anti-Virus


Security Policy

● The Guiding Light For Security Professionals
● Reference Document


Policy Do’s And Don’ts

● Do Make It Simple
  – A Policy is a shell that refers to other documents
● It is easier to get buy-in from management on changes to a single smaller document than it is for a huge one!
● Management Signoff Required
  – Senior Executive and Board of Directors too
● Don’t Overcomplicate
  – It can be a long process


What’s In A Policy?

● Data Classification Guidelines
● Authentication Guidelines
● Network Security Guidelines
● Server Security Guidelines
  – Internet
  – Intranet
  – Etc.
● Portable Computer (Laptop) Security Guidelines


What’s In A Policy

● Disaster Recovery Guidelines
● Security Incident Response Guidelines
● Anti-Virus Guidelines
● The List Goes On…


Firewalls

● A Firewall is a traffic cop
● A Crude Device that implements brute force access control on an IP network
● For a firewall to be effective all network traffic in and out of the protected network must flow through it
  – No back doors allowed!


Firewalls

● There are 3 types of firewalls
● Packet Filter
● Stateful Packet Filter
● Proxy or Application Gateway


Firewalls

● Placement is all important
  – At The Perimeter
    ● Protection for Web Servers, Business-to-Business Applications etc.
  – Internal
    ● Protection for sensitive internal departments
      – Finance, R&D, Security, Human Resources


Intrusion Detection

● Network Based IDS
● Host Based IDS
● Similar to Antivirus Software


Intrusion Detection

● Network Based IDS
  – Uses Network IDS Sensors (network sniffers)
  – Analyzes every packet it sees
  – Matches sniffed packets against known attack signature lists
  – Sends detects to a central console
● Brands
  – Cisco, ISS, NFR, Dragon, Snort


Intrusion Detection

● Host Based IDS
  – Watches system logs
  – Watches key system files
  – Matches system activity to known attack patterns
  – Sends detects to central console
● Brands
  – Cisco, ISS, Tripwire, Symantec ITA, Swatch
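As an added illustration of the "watches key system files" bullet (this is not code from the talk): a minimal Tripwire-style integrity check that baselines a directory's files by SHA-256 digest, size and permission bits, then reports what was added, removed or modified on a later scan. The directory contents and the tampering in demo() are constructed for the example.

```python
"""Toy host-based file integrity monitor (added example, stdlib only)."""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def file_fingerprint(path: Path) -> dict:
    """Digest, size and permission bits of one file: the three things a
    content change, truncation or chmod would alter."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    st = path.stat()
    return {"sha256": h.hexdigest(), "size": st.st_size,
            "mode": oct(st.st_mode & 0o7777)}


def snapshot(root: Path) -> dict:
    """Baseline of every regular file under root, keyed by relative path."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_file() and not p.is_symlink():
                baseline[str(p.relative_to(root))] = file_fingerprint(p)
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Diff two snapshots into the three detections a HIDS would raise."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(k for k in set(baseline) & set(current)
                      if baseline[k] != current[k])
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> dict:
    """Constructed scenario: baseline a fake /etc, then change it four ways."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\n")
        (root / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "hosts").chmod(0o644)
        (root / "cron.d").mkdir()
        (root / "cron.d" / "backup").write_text("0 2 * * * root /usr/local/bin/backup\n")
        # Round-trip through JSON: a real tool stores the baseline off-host,
        # since a baseline the intruder can rewrite detects nothing.
        stored = json.loads(json.dumps(snapshot(root)))

        # Simulated changes: an extra account line, a permission change,
        # a deleted cron job and a file nobody installed.
        (root / "passwd").write_text(
            "root:x:0:0:root:/root:/bin/sh\nnewuser:x:0:0::/:/bin/sh\n")
        (root / "hosts").chmod(0o600)
        (root / "cron.d" / "backup").unlink()
        (root / "unexpected.cfg").write_text("constructed sample\n")
        return compare(stored, snapshot(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```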


Intrusion Detection

● All this stuff is supposed to happen in REAL TIME!

Figure: timeline running from Event to Detect, Analyze, Respond and Problem Fixed, with Time on the horizontal axis.


Intrusion Prevention

● Network Based IPS
  – Similar to Intrusion Detection
    ● Matches packets against known patterns
  – Device placed in-line on the wire
  – Can create a point of failure
  – Doesn't just detect, but blocks and drops too!
  – Sends alerts to central console
● Vendors
  – NAI, Tipping Point


Intrusion Prevention

● Host Based IPS
  – Similar to Intrusion Detection
    ● Matches activities against known patterns
  – Places a shim between the O/S and the kernel
    ● Any attempt at a buffer overflow can be blocked!
  – Doesn't just detect, but blocks too!
  – Sends alerts to central console
● Vendors
  – NAI, Cisco


Encryption

● Caesar Cipher
● Substitution Ciphers
● Symmetric Key Cryptography
● Asymmetric Key Cryptography
● PGP


Virtual Private Networks

● Secure network communication over insecure networks
  – Not necessarily the Internet
● Devices use cryptography to “scramble” the data
● Only devices/persons possessing the correct “keys” can read the data


Virtual Private Networks

● What constitutes a VPN?
● TLS/SSL?
● SSH (SecureShell)?
● IPSec


Authentication

● Protection against unauthorized access to data and/or network resources
● Logon ID + Password
  – Telnet vs. SSH
● X.509 certificates
● Kerberos
● S-Key
● SecureID
● Secure Shell
● PGP


Vulnerability Assessment Tools

● The automated hacker
● Check for 2000+ vulnerabilities
● Network and host based tools are available
● Network tools
  – Eeye Retina, Nessus, nmap, ISS
● Host Tools
  – Symantec ESM (Enterprise Security Manager)
  – CIS (Center for Internet Security)


Anti-Virus / Anti-Malware

● Watches for patterns and activities
● Signature based pattern matching
● Heuristics


Malware Propagation Strategies

| Malware Type | Characteristic | Analogy | Examples |
|---|---|---|---|
| Direct Installation | Malware installed by hand or by script | Barbarians walk into the village | Rootkit installation scripts |
| Virus | Self-replicating code that infects a host file | Barbarians infect normal villagers | Thousands of examples |
| Worm | Self-replicating code that spreads across a network | Barbarians parachute into the village | Thousands of examples |
| Malicious Mobile Code | Lightweight program spread via web browser or e-mail | Barbarians teleport into the village | Brown Orifice and various exploits that open a remote command shell |


Bringing It All Together

● No single component will do
● Take a Layered Approach
● Monitor everything
  – But… how?


Event Consolidation Tools

● New breed of security tool
● Brings all security events together in one place for consolidated monitoring and reporting
● Tools
  – Network Intelligence Engine, netForensics, e-Security
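An added example (not code from the talk or from any of the tools named) of what an event consolidation tool does at its core, answering the "Monitor everything, but how?" question above: three constructed log formats, a firewall drop line, a Snort-style NIDS alert and an sshd syslog line, are normalised into one record shape and then correlated by source address inside a time window, so one address seen by three separate tools surfaces as a single incident. The hostnames, addresses, line formats and the sample year are assumptions made for the example.

```python
"""Toy security event consolidation and correlation (added example)."""
import re
from datetime import datetime, timedelta
from typing import Optional

YEAR = 2002  # Snort fast alerts and classic syslog carry no year; assumed here.

# Constructed sample events, not real captures.
FIREWALL_LOG = """\
2002-09-13T03:49:10 fw1 drop src=203.0.113.9 dst=198.51.100.20 dport=22 proto=tcp
2002-09-13T03:49:12 fw1 accept src=192.0.2.44 dst=198.51.100.20 dport=80 proto=tcp
"""
NIDS_LOG = """\
09/13-03:49:40.123456 [**] [1:2003:1] SSH brute force attempt [**] {TCP} 203.0.113.9:51234 -> 198.51.100.20:22
"""
HOST_LOG = """\
Sep 13 03:50:05 web1 sshd[4242]: Failed password for root from 203.0.113.9 port 51240 ssh2
Sep 13 03:58:30 web1 sshd[4250]: Failed password for admin from 192.0.2.77 port 40000 ssh2
"""

FW_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<action>\w+) src=(?P<src>\S+) "
                   r"dst=(?P<dst>\S+) dport=(?P<dport>\d+)")
NIDS_RE = re.compile(r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d)\.\d+ \[\*\*\] \[[^\]]+\] "
                     r"(?P<msg>.*?) \[\*\*\] \{\w+\} (?P<src>[\d.]+):\d+ -> "
                     r"(?P<dst>[\d.]+):(?P<dport>\d+)")
HOST_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
                     r"(?P<msg>Failed password for \S+) from (?P<src>[\d.]+)")


def normalise(line: str) -> Optional[dict]:
    """Map one raw line from any of the three sources onto a common record."""
    m = FW_RE.match(line)
    if m:
        return {"ts": datetime.fromisoformat(m["ts"]), "source": "firewall",
                "src_ip": m["src"], "dst": m["dst"],
                "event": f"{m['action']} tcp/{m['dport']}"}
    m = NIDS_RE.match(line)
    if m:
        ts = datetime.strptime(f"{YEAR}/{m['ts']}", "%Y/%m/%d-%H:%M:%S")
        return {"ts": ts, "source": "nids", "src_ip": m["src"],
                "dst": m["dst"], "event": m["msg"]}
    m = HOST_RE.match(line)
    if m:
        ts = datetime.strptime(f"{YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
        return {"ts": ts, "source": "hids", "src_ip": m["src"],
                "dst": m["host"], "event": m["msg"]}
    return None  # unknown format; a real console would count these as parse failures


def consolidate(*logs: str) -> list:
    """Parse every source and return all records in one time-ordered stream."""
    records = []
    for log in logs:
        for line in log.splitlines():
            rec = normalise(line)
            if rec:
                records.append(rec)
    return sorted(records, key=lambda r: r["ts"])


def correlate(records: list, window: timedelta = timedelta(minutes=5)) -> list:
    """Flag a source IP reported by two or more different tools within the window.
    (A production engine would slide the window; here all of an IP's events
    must fall inside one span, which is enough to show the idea.)"""
    by_ip = {}
    for r in records:
        by_ip.setdefault(r["src_ip"], []).append(r)
    incidents = []
    for ip, evs in by_ip.items():
        sources = {e["source"] for e in evs}
        span = evs[-1]["ts"] - evs[0]["ts"]  # evs inherit the time ordering
        if len(sources) >= 2 and span <= window:
            incidents.append({"src_ip": ip, "sources": sorted(sources),
                              "count": len(evs),
                              "first": evs[0]["ts"].isoformat(),
                              "last": evs[-1]["ts"].isoformat(),
                              "events": [f"{e['source']}: {e['event']}" for e in evs]})
    return incidents


if __name__ == "__main__":
    for inc in correlate(consolidate(FIREWALL_LOG, NIDS_LOG, HOST_LOG)):
        print(inc)
```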


What are you protecting?

● Before you can protect it, you must have some idea of what it is and, more importantly, what it is worth to your company.


What are you protecting?

● Data Classification
  – Public Data
    ● E-mail addresses
    ● Public info websites
    ● Phone numbers
    ● E-mail


What are you protecting?

● Data Classification
  – Sensitive Data
    ● Not necessarily damaging (on its own)
    ● Not public
    ● Internal phone numbers
    ● Internal organization charts
    ● Internal DNS entries
    ● Web Server software
    ● Public Web Applications


What are you protecting?

● Data Classification
  – Private Data
    ● Could cause financial damage if made public
    ● Internal security issues
    ● Hiring of employees from competition
    ● Private Web Applications


What are you protecting?

● Data Classification
  – Secret Data
    ● Could ruin the company if made public
      – Source code
      – “The Coke Formula”
    ● Human Resources Data
    ● Customer Credit Card Data
    ● Financial Data


Zones of Trust

● Zones correspond to classification of data


Zones of Trust

Figure: nested zones of trust, from the outermost inward: Public, Sensitive, Private, Secret.


Zones of Trust

● Back to the real world
● Data exists on our networks in pockets
● Security concerns are relatively new for commercial & public sector entities
● Security is often “bolted on” as an afterthought.


Zones of Trust

● Compartmentalization
  – Place appropriate protection around appropriate pockets of the network (data classification)
  – HR applications
  – Development labs
  – Executive LAN
  – Security Dept LAN


Zones of Trust

Figure: example network segmented into zones of trust: Web Site, Human Resources, Executive LAN, Development Lab, Sales.


The Last Word

● Security Definition of a Web Server
  – Anonymous, unauthenticated access to your computing resources!