The Ethical Hacker (transcript)
Source: accessola2.com/images/olita/paulstillwell.pdf · 2017-09-15
Paul Stillwell
Introduction
● Paul Stillwell
● GCIA – GIAC Certified Intrusion Analyst
● 16 Years of IT Experience
● 8 Years designing and implementing large scale Network Security Architectures
Outline
● Are YOU Aware?
● Security Truths and Fallacies
● A Little Healthy Paranoia (goes a long way :)
● Security Components
● Bringing It All Together
Where Do We Start?
● Easily Accessible Public Information
● The Telephone Book
● Business Cards
  – Email Addresses
  – Domain Names
  – Telephone Exchanges
  – Rank Within The Company
● Public Financial Statements
Step 1
● The Internet
  – Domain Name
  – SamSpade.org
  – Network Solutions Inc.
  – ARIN – The American Registry of Internet Numbers
  – APNIC – Asia Pacific Network Information Centre
  – RIPE NCC – Réseaux IP Européens Network Coordination Centre
Network Solutions
Registrant:
Check Point Software Technologies (CHECKPOINT-DOM)
3A Jabotinsky St.
Ramat-Gan, 52520
ISRAEL

Domain Name: CHECKPOINT.COM

Administrative Contact:
Dragojevic, Miroslav (FSNVZACZUI) [email protected]
Check Point Software Technologies Inc.
3 Lagoon Drive
Redwood City, CA 94065
US
6506282026 6506544233
Technical Contact:
Wilf, Gonen (GWA129) [email protected]
Check Point Software Technologies Ltd.
3A Jabotinsky St.
Ramat-Gan, 52520
IL
+97237534555 (FAX) +97235759256

Record expires on 30-Mar-2007.
Record created on 29-Mar-1994.
Database last updated on 12-Sep-2002 21:34:40 EDT.

Domain servers in listed order:
NS.CHECKPOINT.COM   199.203.73.197
NS2.CHECKPOINT.COM  206.184.151.195
NS3.CHECKPOINT.COM  204.156.136.26
ARIN Whois
Search results for: 199.203.73.197

Elron Technologies ELRONCBLK1 (NET199203001)
  199.203.0.0 - 199.203.255.255
Checkpoint Software Technologies NVCHECKPOINT (NET1992037301)
  199.203.73.0 - 199.203.73.255

# ARIN Whois database, last updated 20020911 19:05
# Enter ? for additional hints on searching ARIN's Whois database.
ARIN Whois
Search results for: 206.184.151.195

OrgName:    Verio, Inc.
OrgID:      VRIO
NetRange:   206.184.0.0 - 206.184.255.255
CIDR:       206.184.0.0/16
NetName:    VRIO206184
NetHandle:  NET206184001
Parent:     NET2060000
NetType:    Direct Allocation
NameServer: NS0.VERIO.NET
NameServer: NS1.VERIO.NET
NameServer: NS2.VERIO.NET
Comment:    Reassignment information for this block is available at rwhois.verio.net port 4321
RegDate:    20001115
Updated:    20010926

TechHandle: VIA4ORGARIN
TechName:   Verio, Inc.
TechPhone:  +13036451900
TechEmail:  [email protected]

# ARIN Whois database, last updated 20020911 19:05
# Enter ? for additional hints on searching ARIN's Whois database.
Domain Name Service
dig checkpoint.com

;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40908
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 3

;; QUESTION SECTION:
;checkpoint.com.                IN      A

;; ANSWER SECTION:
checkpoint.com.         172769  IN      A       206.86.35.130

;; AUTHORITY SECTION:
checkpoint.com.         172769  IN      NS      NS2.checkpoint.com.
checkpoint.com.         172769  IN      NS      NS3.checkpoint.com.
checkpoint.com.         172769  IN      NS      NS.checkpoint.com.

;; ADDITIONAL SECTION:
NS.checkpoint.com.      172769  IN      A       199.203.73.197
NS2.checkpoint.com.     172769  IN      A       206.184.151.195
NS3.checkpoint.com.     172769  IN      A       204.156.136.26

;; Query time: 39 msec
;; SERVER: 192.168.244.2#53(192.168.244.2)
;; WHEN: Thu Sep 12 21:45:51 2002
;; MSG SIZE  rcvd: 149
Domain Name Service
dig checkpoint.com mx

mx1.us.checkpoint.com.  86400   IN      A       204.156.136.26
mx2.us.checkpoint.com.  86400   IN      A       206.184.151.195
Step 2 – Telnet, A Hacking Tool?
[paul@Pluto paul]$ telnet mx1.checkpoint.com 25
Trying 199.203.73.197...
Connected to mx1.checkpoint.com.
Escape character is '^]'.
220 cale.checkpoint.com ESMTP Sendmail Fri, 13 Sep 2002 03:49:12 +0200 (IST) Check Point Welcomes!
helo
501 5.0.0 helo requires domain address
helo cyberklix.com
250 cale.checkpoint.com Hello CPE012059940726.cpe.net.cable.rogers.com [24.101.166.122] (may be forged), pleased to meet you
Telnet
telnet www.microsoft.com 80
Trying 207.46.197.102...
Connected to www.microsoft.com.
Escape character is '^]'.
get
HTTP/1.1 400 Bad Request
Content-Type: text/html
Server: Microsoft-IIS/6.0
Date: Fri, 13 Sep 2002 01:55:13 GMT
Connection: close
Content-Length: 35

<h1>Bad Request (Invalid Verb)</h1>
Connection closed by foreign host.
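The three probes above (a dig query, a greeting from port 25, an error page from port 80) each hand an outsider a piece of the picture: authoritative name servers and their addresses, the internal hostname and mail software, the web server product and version. The script below is an added example, not code from the deck; it parses the captured output shown on these slides (embedded verbatim, with no network access) and turns it into the kind of exposure inventory a defender would compile when auditing what their own public-facing services volunteer. Record parsing covers A, NS and MX answers generally, not only the records on the slide.

```python
import re

# Captured output reproduced from the deck's dig, telnet-to-port-25 and
# telnet-to-port-80 slides, embedded here so the audit runs offline.
DIG_OUTPUT = """\
;; ANSWER SECTION:
checkpoint.com.         172769  IN      A       206.86.35.130

;; AUTHORITY SECTION:
checkpoint.com.         172769  IN      NS      NS2.checkpoint.com.
checkpoint.com.         172769  IN      NS      NS3.checkpoint.com.
checkpoint.com.         172769  IN      NS      NS.checkpoint.com.

;; ADDITIONAL SECTION:
NS.checkpoint.com.      172769  IN      A       199.203.73.197
NS2.checkpoint.com.     172769  IN      A       206.184.151.195
NS3.checkpoint.com.     172769  IN      A       204.156.136.26
"""
SMTP_BANNER = ("220 cale.checkpoint.com ESMTP Sendmail "
               "Fri, 13 Sep 2002 03:49:12 +0200 (IST) Check Point Welcomes!")
HTTP_RESPONSE = """\
HTTP/1.1 400 Bad Request
Content-Type: text/html
Server: Microsoft-IIS/6.0
Date: Fri, 13 Sep 2002 01:55:13 GMT
Connection: close
Content-Length: 35
"""

# "<name> <ttl> IN <type> [<mx priority>] <rdata>"; MX answers carry a priority.
RR_LINE = re.compile(r"^(\S+)\s+\d+\s+IN\s+(A|NS|MX)\s+(?:\d+\s+)?(\S+)$")

def parse_dig(text):
    """Collect A/NS/MX resource records from dig output as {(name, type): [rdata]}.
    Names are lower-cased because DNS is case-insensitive."""
    records = {}
    for line in text.splitlines():
        m = RR_LINE.match(line.strip())
        if m:
            name, rtype, rdata = m.groups()
            records.setdefault((name.lower(), rtype), []).append(rdata.lower())
    return records

def fqdn(zone):
    """Normalise 'example.com' or 'Example.com.' to 'example.com.'."""
    return zone.lower().rstrip(".") + "."

def name_server_ips(records, zone):
    """Map each NS host of `zone` to the A record dig returned for it ('?' if none)."""
    return {ns: records.get((ns, "A"), ["?"])[0]
            for ns in records.get((fqdn(zone), "NS"), [])}

def smtp_disclosure(banner):
    """Pull hostname and MTA name out of a '220 <host> ESMTP <software> ...' greeting."""
    m = re.match(r"^220\s+(\S+)\s+(?:ESMTP\s+)?(\S+)", banner)
    return {"host": m.group(1), "software": m.group(2)} if m else {}

def http_disclosure(response):
    """Return the Server header value, if the web server volunteers one."""
    for line in response.splitlines():
        if line.lower().startswith("server:"):
            return line.split(":", 1)[1].strip()
    return None

def exposure_report(zone, dig_text, banner, response):
    """Summarise what the three probes reveal about the organisation."""
    recs = parse_dig(dig_text)
    return {
        "name_servers": name_server_ips(recs, zone),
        "web_address": recs.get((fqdn(zone), "A"), []),
        "mail": smtp_disclosure(banner),
        "web_server": http_disclosure(response),
    }

if __name__ == "__main__":
    report = exposure_report("checkpoint.com", DIG_OUTPUT, SMTP_BANNER, HTTP_RESPONSE)
    for key, value in report.items():
        print(f"{key:13} {value}")
```

The mitigation side is the interesting part of the report: the DNS records have to be public, but the SMTP greeting and the Server header are configurable, and the first thing to check is whether they need to name the software at all.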
Step 3 – Google, A Hacking Tool?
Fallacies
● Hacking Is Hard
  – Code Kiddies or Script Kiddies
Fallacies
● Hacking Is Hard
  – Code Kiddies or Script Kiddies
● It Won’t Happen To Me
September, 2002
Sunday, April 9th
Monday, April 3rd
Fallacies
● Hacking Is Hard
  – Code Kiddies or Script Kiddies
● It Won’t Happen To Me
● I Can’t Do Anything About This
Polls Indicate Fear
Poll: Security Officers Fear Cyber-Attack
Date: Fri Aug 30 @ 15:41
Source: CNN.com

Nearly half of corporate security officers expect terrorists to launch a major strike through computer networks in the next 12 months, a poll released on Thursday showed. A total of 49 percent of 1,009 subscribers to CSO Magazine said they feared a major cyber attack in the coming year by a group like al Qaeda, blamed for the Sept. 11 attacks by four hijacked airplanes that killed more than 3,000 people in the United States.

The poll was carried out between July 19 and August 1 by Framingham, Massachusetts-based CSO, whose first edition will appear next month. To help protect cyberspace, U.S. President George W. Bush will roll out a blueprint next month calling on people from personal computer users to U.S. rocket scientists to do their share, including installing antivirus software, White House officials said on Wednesday. The goal is to prevent such things as "denial-of-service" attacks in which hijacked computing power could be collected and used to attack electricity grids, telecommunications and other critical infrastructure.
Hackers Only Exist On The Internet
Do Firewalls and IDS Create a False Sense of Internal Security?
Date: Fri Aug 30 @ 15:43
Source: SC Magazine

In an effort to boost sales and generate revenue, one U.S. multinational energy company recently embraced the Internet to bolster external communication and internal collaboration. In addition to creating a corporate web site, the firm deployed hundreds of intranet applications for procurement, expense reporting and other processes. Numerous departments and branch offices worldwide also set up specialized web sites for partners, customers and even project management. Though the company has achieved its strategic goals for the web, by leveraging valuable communication and management tools that lower costs and streamline processes, it has, unwittingly, set itself up for malicious intrusion. The decentralized and ad hoc intranet application deployment has created a fragmented, multi-platform mosaic that raises important security questions (see box-out below).

Clearly for internal or external web applications, security is the biggest concern today. The dramatic number of attacks is expected by CERT to double again this year to almost 100,000. It is estimated by Gartner Group that as many as 70 to 80 percent of these attacks are coming in through ports 80 and 443, commonly used by web applications. Such attacks can be costly and detrimental to corporate credibility. Privileged customer, financial and operational information or valuable intellectual property can be damaged or stolen during the average hacker intrusion of 15 minutes or less. The average loss is more than $2 million among those willing to quantify losses, according to an FBI/CSI survey. Downtime alone can potentially cost tens of thousands of dollars per minute. "There is much more illegal and unauthorized activity going on in cyberspace than corporations admit to their clients, stockholders and business partners or report to law enforcement. Incidents are widespread, costly and commonplace," the survey concluded.
A Little Paranoia Goes A Long Way
● Now You Know There Is A Problem
  – “And knowing is half the battle”
● Thirst for knowledge
● Subscribe to the CERT Alerts mailing List
  – http://www.cert.org
● Subscribe to the ISS X-Force Alerts Mailing List
  – http://www.iss.net/security_center/maillists/
● The more you learn the better prepared your organization will be
Let’s Do Something!
● What You Need
  – Support
  – Knowledge
  – Teamwork
Where Do I Start?
● Network Security Components
Network Security Components
● Security Policy
● Firewalls
● Network Based IDS
● Host Based IDS
● Encryption
● Virtual Private Networks (VPN)
● Authentication
● Vulnerability Assessment Tools
● Anti-Virus
Security Policy
● The Guiding Light For Security Professionals
● Reference Document
Policy Do’s And Don’ts
● Do Make It Simple
  – A Policy is a shell that refers to other documents
● It is easier to get buy-in from management on changes to a single smaller document than it is for a huge one!
● Management Sign-off Required
  – Senior Executive and Board of Directors too
● Don’t Overcomplicate
  – It can be a long process
What’s In A Policy?
● Data Classification Guidelines
● Authentication Guidelines
● Network Security Guidelines
● Server Security Guidelines
  – Internet
  – Intranet
  – Etc.
● Portable Computer (Laptop) Security Guidelines
What’s In A Policy
● Disaster Recovery Guidelines
● Security Incident Response Guidelines
● Anti-Virus Guidelines
● The List Goes On…
Firewalls
● A Firewall is a traffic cop
● A Crude Device that implements brute force access control on an IP network
● For a firewall to be effective all network traffic in and out of the protected network must flow through it
  – No back doors allowed!
Firewalls
● There are 3 types of firewalls
● Packet Filter
● Stateful Packet Filter
● Proxy or Application Gateway
Firewalls
● Placement is all important
  – At The Perimeter
    ● Protection for Web Servers, Business-to-Business Applications etc.
  – Internal
    ● Protection for sensitive internal departments
      – Finance, R&D, Security, Human Resources
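The slides list three firewall types without saying what separates the first two. The difference is whether the device remembers anything between packets. The simulation below is an added example, not code from the deck: it runs the same three constructed packets through a plain packet filter (which can only reason about one packet's headers) and a stateful filter (which records connections opened from inside and admits only their replies). The protected network (10.0.0.0/8) and the rule set are assumptions chosen to make the contrast visible; the proxy/application gateway type is not modelled.

```python
import ipaddress
from collections import namedtuple

# A minimal TCP packet: addresses, ports and whether the SYN flag is set.
Packet = namedtuple("Packet", "src sport dst dport syn")

PROTECTED = ipaddress.ip_network("10.0.0.0/8")  # assumed internal network

def inside(ip):
    """True if the address belongs to the protected network."""
    return ipaddress.ip_address(ip) in PROTECTED

def stateless_filter(pkt):
    """Plain packet filter: judges each packet on its own headers.
    Rule 1: anything leaving the protected network is allowed.
    Rule 2: an inbound packet is allowed only if its source port is 80,
            the old way of letting web replies back in."""
    if inside(pkt.src):
        return True
    return pkt.sport == 80

class StatefulFilter:
    """Stateful packet filter: remembers connections opened from inside and
    admits inbound packets only if they belong to one of them."""

    def __init__(self):
        self.connections = set()

    def check(self, pkt):
        if inside(pkt.src):
            if pkt.syn:  # a new outbound connection: record it
                self.connections.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        # Inbound: must be the reverse of a recorded outbound connection.
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.connections

# Constructed traffic: a legitimate web session, then an inbound packet that
# merely claims source port 80 and aims at an internal file-sharing port.
TRAFFIC = [
    Packet("10.1.1.5", 40000, "203.0.113.10", 80, syn=True),   # client opens connection
    Packet("203.0.113.10", 80, "10.1.1.5", 40000, syn=False),  # server's reply
    Packet("198.51.100.7", 80, "10.1.1.5", 445, syn=True),     # unsolicited, src port 80
]

def verdicts(traffic):
    """Return the allow (True) / deny (False) decision of each filter per packet."""
    stateful = StatefulFilter()
    return {
        "stateless": [stateless_filter(p) for p in traffic],
        "stateful": [stateful.check(p) for p in traffic],
    }

if __name__ == "__main__":
    for name, result in verdicts(TRAFFIC).items():
        print(f"{name:9}", ["ALLOW" if ok else "DENY" for ok in result])
```

The third packet is the whole point: the stateless filter has no way to tell a reply from an unsolicited packet that happens to carry the right source port, so it lets it through to port 445; the stateful filter denies it because no inside host ever opened that connection.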
Intrusion Detection
● Network Based IDS
● Host Based IDS
● Similar to Antivirus Software
Intrusion Detection
● Network Based IDS
  – Uses Network IDS Sensors (network sniffers)
  – Analyzes every packet it sees
  – Matches sniffed packets against known attack signature lists
  – Sends detects to a central console
● Brands
  – Cisco, ISS, NFR, Dragon, Snort
Intrusion Detection
● Host Based IDS
  – Watches system logs
  – Watches key system files
  – Matches system activity to known attack patterns
  – Sends detects to central console
● Brands
  – Cisco, ISS, Tripwire, Symantec ITA, Swatch
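The two IDS slides describe the same loop from two vantage points: a network sensor matches packet payloads against a signature list, a host sensor compares key files against a known-good baseline, and both report detects to a console. The code below is an added example, not any vendor's implementation, showing both mechanisms in miniature on constructed input (three packet payloads and an in-memory set of "files"; the signatures and file contents are made up for the demonstration, and a real host sensor would read the filesystem instead of a dictionary).

```python
import hashlib
import re

# --- Network-based IDS: match traffic against an attack-signature list ---

# Constructed signature list: (name, regex applied to the packet payload).
SIGNATURES = [
    ("http-directory-traversal", re.compile(rb"\.\./")),
    ("http-overlong-request-line", re.compile(rb"^[A-Z]+ \S{512,}")),
    ("smtp-user-enumeration-vrfy", re.compile(rb"^VRFY ", re.I)),
]

def inspect_packet(src, dst, payload):
    """Return the alerts one packet raises, in the shape a sensor sends to the console."""
    return [{"sig": name, "src": src, "dst": dst}
            for name, pattern in SIGNATURES if pattern.search(payload)]

def nids_run(packets):
    """Run every (src, dst, payload) triple through the signature list."""
    alerts = []
    for src, dst, payload in packets:
        alerts.extend(inspect_packet(src, dst, payload))
    return alerts

# --- Host-based IDS: watch key system files for change ---

def fingerprint(files):
    """Baseline: SHA-256 of each watched file. `files` maps path -> bytes
    (constructed in memory here; a real tool reads the filesystem)."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}

def hids_compare(baseline, current_files):
    """Report files whose hash changed, plus files added or removed since baseline."""
    now = fingerprint(current_files)
    return {
        "modified": sorted(p for p in baseline if p in now and now[p] != baseline[p]),
        "added": sorted(p for p in now if p not in baseline),
        "removed": sorted(p for p in baseline if p not in now),
    }

# Constructed sample data (documentation address ranges, invented file contents).
PACKETS = [
    ("192.0.2.10", "10.0.0.5", b"GET /index.html HTTP/1.0\r\n"),
    ("192.0.2.11", "10.0.0.5", b"GET /../../etc/passwd HTTP/1.0\r\n"),
    ("192.0.2.12", "10.0.0.6", b"VRFY root\r\n"),
]
BASELINE_FILES = {
    "/etc/passwd": b"root:x:0:0:root:/root:/bin/sh\n",
    "/bin/login": b"original binary\n",
}
CURRENT_FILES = {
    "/etc/passwd": b"root:x:0:0:root:/root:/bin/sh\nextra:x:0:0::/:/bin/sh\n",
    "/bin/login": b"original binary\n",
    "/tmp/.hidden": b"unexpected file\n",
}

if __name__ == "__main__":
    for alert in nids_run(PACKETS):
        print("NIDS alert:", alert)
    print("HIDS:", hids_compare(fingerprint(BASELINE_FILES), CURRENT_FILES))
```

Two practical points follow from the code. The network sensor only finds what it has a signature for, which is why the slides compare it to antivirus; and the host sensor is only as good as its baseline, so the baseline must be taken on a known-clean system and stored where the monitored host cannot rewrite it.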
Intrusion Detection
● All this stuff is supposed to happen in REAL TIME!
[Timeline figure: Event → Detect → Analyze → Respond → Problem Fixed, plotted along a Time axis]
Intrusion Prevention
● Network Based IPS
  – Similar to Intrusion Detection
    ● Matches packets against known patterns
  – Device placed inline on the wire
  – Can create a point of failure
  – Doesn't just detect, but blocks and drops too!
  – Sends alerts to central console
● Vendors
  – NAI, Tipping Point
Intrusion Prevention
● Host Based IPS
  – Similar to Intrusion Detection
    ● Matches activities against known patterns
  – Places a shim between the O/S and the kernel
    ● Any attempt at a buffer overflow can be blocked!
  – Doesn't just detect, but blocks too!
  – Sends alerts to central console
● Vendors
  – NAI, Cisco
Encryption
● Caesar Cipher
● Substitution Ciphers
● Symmetric Key Cryptography
● Asymmetric Key Cryptography
● PGP
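The Caesar cipher is the usual starting point because it shows, in a dozen lines, why a cipher's strength is bounded by its key space. The example below is added here and is not from the deck: it implements the cipher, then recovers the key from ciphertext alone by trying all 26 shifts and scoring each candidate with a small list of common English words (the message and word list are constructed for the demonstration; real attacks on substitution ciphers use letter-frequency statistics, which the word-count score only stands in for).

```python
import string

ALPHABET = string.ascii_uppercase

def caesar(text, shift):
    """Shift every letter by `shift` places; non-letters pass through unchanged."""
    out = []
    for ch in text.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + shift) % 26])
        else:
            out.append(ch)
    return "".join(out)

def decrypt(ciphertext, shift):
    """Decryption is encryption with the opposite shift."""
    return caesar(ciphertext, -shift)

# Constructed scoring aid: a crude stand-in for real language statistics.
COMMON_WORDS = {"THE", "AND", "ARE", "AT", "OF", "TO", "IS"}

def score(candidate):
    """Count how many words of the candidate plaintext are common English words."""
    return sum(1 for w in candidate.split() if w.strip(".,!?") in COMMON_WORDS)

def crack(ciphertext):
    """Exhaust the key space (all 26 shifts) and return the best-scoring shift.
    With so few keys, no cleverness is needed: the whole space is tried."""
    return max(range(26), key=lambda s: score(decrypt(ciphertext, s)))

if __name__ == "__main__":
    message = "ATTACK AT DAWN THE GATES ARE OPEN"  # constructed sample
    ct = caesar(message, 3)
    k = crack(ct)
    print(ct, "->", decrypt(ct, k), f"(recovered shift {k})")
```

The same exhaustive search works against any cipher whose key space is small enough to enumerate, which is the reason the symmetric and asymmetric systems later on the slide are measured first by the size of their keys.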
Virtual Private Networks
● Secure network communication over insecure networks
  – Not necessarily the Internet
● Devices use cryptography to “scramble” the data
● Only devices/persons possessing the correct “keys” can read the data
Virtual Private Networks
● What constitutes a VPN?
● TLS/SSL?
● SSH (Secure Shell)?
● IPSec
Authentication
● Protection against unauthorized access to data and/or network resources
● Logon ID + Password
  – Telnet vs. SSH
● X.509 certificates
● Kerberos
● S/Key
● SecurID
● Secure Shell
● PGP
Vulnerability Assessment Tools
● The automated hacker
● Check for 2000+ vulnerabilities
● Network and host based tools are available
● Network tools
  – eEye Retina, Nessus, nmap, ISS
● Host Tools
  – Symantec ESM (Enterprise Security Manager)
  – CIS (Center for Internet Security)
Anti-Virus / Anti-Malware
● Watches for patterns and activities
● Signature based pattern matching
● Heuristics
Malware Propagation Strategies

Malware Type          | Characteristic                                       | Analogy                               | Examples
Direct Installation   | Malware installed by hand or by script               | Barbarians walk into the village      | Rootkit installation scripts
Virus                 | Self-replicating code that infects a host file       | Barbarians infect normal villagers    | Thousands of examples
Worm                  | Self-replicating code that spreads across a network  | Barbarians parachute into the village | Thousands of examples
Malicious Mobile Code | Lightweight program spread via web browser or e-mail | Barbarians teleport into the village  | Brown Orifice and various exploits that open a remote command shell
Bringing It All Together
● No single component will do
● Take a Layered Approach
● Monitor everything
  – But… how?
Event Consolidation Tools
● New breed of security tool
● Brings all security events together in one place for consolidated monitoring and reporting
● Tools
  – Network Intelligence Engine, netForensics, eSecurity
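"Monitor everything, but how?" is answered on this slide by a class of tool that pulls every sensor's output into one place. The mechanics are simple to show, and the script below is an added example (not any of the listed products): it parses three constructed log formats, a firewall, a network IDS and a host IDS, into one normalised event record, orders them on a single timeline and then asks the one question the separate consoles cannot answer, namely which source was reported by more than one sensor. The log lines and addresses are made up for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample events from three sensors, each in its own native format.
FIREWALL_LOG = """\
2002-09-13 03:40:01 DENY tcp 192.0.2.44:51122 -> 10.0.0.5:445
2002-09-13 03:40:05 DENY tcp 192.0.2.44:51123 -> 10.0.0.5:139
2002-09-13 03:41:10 ALLOW tcp 198.51.100.9:40000 -> 10.0.0.5:80
"""
NIDS_LOG = """\
Sep 13 03:40:30 sensor1 nids: [http-directory-traversal] 192.0.2.44 -> 10.0.0.5
"""
HIDS_LOG = """\
2002-09-13T03:42:00 web01 hids: /etc/passwd modified
"""

def parse_firewall(text):
    """'<date> <time> <action> tcp <src>:<port> -> <dst>:<port>' -> normalised events."""
    pat = re.compile(r"^(\S+ \S+) (\w+) tcp (\S+):\d+ -> (\S+):(\d+)$")
    for line in text.splitlines():
        m = pat.match(line)
        if m:
            yield {"time": datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"),
                   "sensor": "firewall", "src": m.group(3), "host": m.group(4),
                   "detail": f"{m.group(2)} port {m.group(5)}"}

def parse_nids(text, year=2002):
    """Syslog-style sensor line; syslog omits the year, so it is supplied (assumed 2002)."""
    pat = re.compile(r"^(\w{3} \d+ \d\d:\d\d:\d\d) \S+ nids: \[(\S+)\] (\S+) -> (\S+)$")
    for line in text.splitlines():
        m = pat.match(line)
        if m:
            t = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            yield {"time": t, "sensor": "nids", "src": m.group(3),
                   "host": m.group(4), "detail": m.group(2)}

def parse_hids(text):
    """'<iso timestamp> <host> hids: <message>'; host events have no remote source."""
    pat = re.compile(r"^(\S+) (\S+) hids: (.+)$")
    for line in text.splitlines():
        m = pat.match(line)
        if m:
            yield {"time": datetime.fromisoformat(m.group(1)), "sensor": "hids",
                   "src": None, "host": m.group(2), "detail": m.group(3)}

def consolidate(fw_log, nids_log, hids_log):
    """Normalise all sources into one event list ordered by time."""
    events = (list(parse_firewall(fw_log)) + list(parse_nids(nids_log))
              + list(parse_hids(hids_log)))
    return sorted(events, key=lambda e: e["time"])

def correlate(events):
    """Sources reported by more than one sensor, with the sensors that saw them."""
    seen = defaultdict(set)
    for e in events:
        if e["src"]:
            seen[e["src"]].add(e["sensor"])
    return {src: sorted(sensors) for src, sensors in seen.items() if len(sensors) > 1}

if __name__ == "__main__":
    timeline = consolidate(FIREWALL_LOG, NIDS_LOG, HIDS_LOG)
    for e in timeline:
        print(e["time"], f"{e['sensor']:8}", e["src"], e["host"], e["detail"])
    print("seen by multiple sensors:", correlate(timeline))
```

The ordering step is only meaningful if every sensor's clock agrees, which is the practical prerequisite for any consolidation tool: synchronise time before trying to correlate.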
What are you protecting?
● Before you can protect it, you must have some idea of what it is and, more importantly, what it is worth to your company.
What are you protecting?
● Data Classification
  – Public Data
    ● Email addresses
    ● Public info websites
    ● Phone numbers
    ● Email
What are you protecting?
● Data Classification
  – Sensitive Data
    ● Not necessarily damaging (on its own)
    ● Not public
    ● Internal phone numbers
    ● Internal organization charts
    ● Internal DNS entries
    ● Web Server software
    ● Public Web Applications
What are you protecting?
● Data Classification
  – Private Data
    ● Could cause financial damage if made public
    ● Internal security issues
    ● Hiring of employees from competition
    ● Private Web Applications
What are you protecting?
● Data Classification
  – Secret Data
    ● Could ruin the company if made public
      – Source code
      – “The Coke Formula”
    ● Human Resources Data
    ● Customer Credit Card Data
    ● Financial Data
Zones of Trust
● Zones correspond to classification of data
Zones of Trust
[Diagram of the four zones: Public, Sensitive, Private, Secret]
Zones of Trust
● Back to the real world
● Data exists on our networks in pockets
● Security concerns are relatively new for commercial & public sector entities
● Security is often “bolted on” as an afterthought.
Zones of Trust
● Compartmentalization
  – Place appropriate protection around appropriate pockets of the network (data classification)
  – HR applications
  – Development labs
  – Executive LAN
  – Security Dept LAN
Zones of Trust
[Diagram of compartmentalized network pockets: Web Site, Human Resources, Executive LAN, Development Lab, Sales]
The Last Word
● Security Definition of a Web Server
  – Anonymous, unauthenticated access to your computing resources!