Security Auditing Course Development - PowerPoint PPT Presentation

1
Security Auditing Course Development
  • Rochester Institute of Technology
  • Yin Pan
  • yin.pan_at_rit.edu

2
Agenda
  • Motivation
  • Course development
  • Procedures used to develop basic auditing labs
  • Outcomes and feedback from students
  • Improvements

3
Why think about security?
  • Facts (one year ago)
  • On average, every 20 minutes one unpatched
    machine is compromised
  • Once a patch is announced, an exploit will be
    available in 2-3 days
  • Between 2004-2005,
  • Unauthorized access increased 500
  • Identity theft increased 100
  • Targets
  • Government agencies
  • Customized trojan horse designed to pilfer
    sensitive government secrets
  • E-commerce sites, banks and credit-card
    processors
  • Companies
  • Source code, Coca-Cola recipe? Game?

4
Why think about security? (cont)
  • There are people who are actively seeking your
    resources
  • But I don't have anything anyone wants!
  • Even just as a hiding place for files or a way to
    become anonymous, you are targeted
  • Personal video recorders (PVR)
  • Carjacking and carhacking

5
Course Objective
  • Designed for
  • system administrators
  • network administrators
  • security personnel
  • to defend
  • their systems from attack
  • by
  • designing and implementing the most effective
    defense
  • using
  • effective defensive techniques
  • The objective of this course is to provide
    students with the knowledge to develop security
    network audits, apply appropriate auditing tools
    to conduct professional audits, analyze results,
    and provide recommendations to mitigate any risks.

6
Outcomes
  • Upon completion of this course, students will be
    able to
  • Explain the fundamental techniques, processes and
    procedures of networks, and systems auditing.
  • Describe the basic design and configuration of
    routers, firewalls, and Intrusion Detection
    Systems (IDS).
  • Identify and apply appropriate tools to perform
    systems (Unix/Windows), servers, and network
    infrastructure components audit.
  • Conduct vulnerability and validation testing.
  • Write and present an auditing report on security
    vulnerability.

7
Course outline
  • Auditing Process and Procedure
  • Different phases of an audit
  • Discovery methods
  • Network Identification and Penetration
  • Systems Auditing
  • Servers and Network perimeters auditing
  • Audit Reports
  • Auditing Recommendations
  • Writing audit report
  • Security improvements

8
Topics
  • Audit Process and procedure
  • Network Audit Essentials
  • Wireless Audit Essentials
  • Unix/linux system audit
  • Windows audit
  • Network Perimeter Audit
  • Web Servers Audit
  • Audit Report

9
Concerns
  • Many tools covered in this class can harm your
    system
  • Some tools may include hidden features that
    exploit your systems

10
What is Auditing
  • A methodical examination and review that measures
    something against a standard
  • Answers the question, "How do you know?"
  • Example of audits

11
Why auditing?
  • Manage IT-related risk
  • Ensure information security

12
Objective of Auditing
  • To measure and report on risks
  • Against existing policy within the organization
  • Against existing standards or guidelines, best
    practices
  • Raise awareness and reduce risks

13
6 Step Process for Audit (from SANS)
  • Audit Planning
  • Meeting Relevant People With The Plan
  • Initiating the audit with high-level people
  • Measuring the Systems
  • Preparing the Report
  • Presenting Results
  • Report to Management

14
Measuring the Systems: Vulnerability Assessment
  • Starting with physical security
  • Networks (wired and wireless)
  • Secure the perimeter such as router, firewall,
    IDS, etc.
  • Secure the DMZ and Internal systems
  • Scan network from both inside and outside
  • Audit systems
  • Focus on Unix/Linux and Windows
  • Eliminate externally accessible vulnerabilities
  • Eliminate internally accessible vulnerabilities
  • Search for Trojan horse program

15
Our goal
  • To secure every possible path into our systems

16
Network Audit
  • Secure the DMZ
  • Map the hosts in the DMZ
  • Audit goal
  • Make sure there are no extra ports open on the
    DMZ hosts
  • Once you find out the open ports/services, use
    vulnerability tools to find any possible
    vulnerabilities associated with these services
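The DMZ check described above (no extra open ports on the DMZ hosts) can be automated by comparing a scan against an authorized-port baseline. The example below is added here and is not part of the course materials: it parses nmap's grepable (-oG) output format, using a constructed sample scan and a constructed baseline for documentation-range addresses.

```python
import re

# Constructed nmap -oG output for a small DMZ; not a real scan.
SAMPLE_SCAN = """\
Host: 203.0.113.10 ()\tPorts: 80/open/tcp//http///, 443/open/tcp//https///, 22/open/tcp//ssh///\tIgnored State: filtered (997)
Host: 203.0.113.20 ()\tPorts: 25/open/tcp//smtp///, 3306/open/tcp//mysql///
Host: 203.0.113.30 ()\tStatus: Up
"""

# Audit baseline (constructed): ports each DMZ host is authorized to expose.
BASELINE = {
    "203.0.113.10": {80, 443},
    "203.0.113.20": {25},
    "203.0.113.40": {53},  # expected host that did not answer the scan
}

PORT_RE = re.compile(r"(\d+)/open/(?:tcp|udp)")


def parse_grepable(text):
    """Return {host: set(open ports)} from nmap -oG output."""
    hosts = {}
    for line in text.splitlines():
        m = re.match(r"Host: (\S+)", line)
        if not m:
            continue
        ports = hosts.setdefault(m.group(1), set())
        if "Ports:" in line:
            ports.update(int(p) for p in PORT_RE.findall(line.split("Ports:", 1)[1]))
    return hosts


def audit_dmz(scan, baseline):
    """Compare observed open ports with the baseline.

    extra   -> (host, port) open but not authorized (the audit finding)
    missing -> (host, port) authorized but not seen open (service down or filtered)
    unknown -> hosts that answered but are not in the baseline at all
    """
    observed = parse_grepable(scan)
    findings = {"extra": [], "missing": [], "unknown": []}
    for host, ports in observed.items():
        allowed = baseline.get(host)
        if allowed is None:
            findings["unknown"].append(host)
            continue
        findings["extra"] += [(host, p) for p in sorted(ports - allowed)]
    for host, allowed in baseline.items():
        findings["missing"] += [(host, p) for p in sorted(allowed - observed.get(host, set()))]
    return findings
```

Each "extra" finding is the input to the next step on the slide: run the vulnerability tools against that unexpected service.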

17
Scan directions
  • From outside to eliminate externally accessible
    vulnerabilities
  • From inside to eliminate internally accessible
    vulnerabilities

18
Perimeter Devices Audit
  • Company policy/procedure review and interviews
  • Perimeter configuration
  • Rule validation and perimeter penetration test
  • From outside
  • From inside

19
Web server and application audit
  • Web server audit
  • Apache
  • Windows IIS
  • Web applications audit
  • Commercial/free tools
  • AppScan from Watchfire
  • Hailstorm from Cenzic
  • Nikto

20
Practice makes perfect
  • Practice allows students to obtain the skills and
    knowledge necessary
  • Allow students to discover new vulnerabilities
    and techniques

21
The goal of the lab component
  • The goal of the labs is to
  • provide students with hands-on experience in
    utilizing sophisticated technological tools
  • to conduct vulnerability and validation testing
    on systems and networks.

22
Challenges
  • How to quarantine the vulnerable systems/networks
    in a controlled environment so that no risks are
    introduced to the rest of the networks
  • How to choose the appropriate tools and
    techniques
  • How to design the labs to fit in our future lab
    plan

23
Lab Exercise Design
  • Virtual environment with VMware
  • Select appropriate tools combining commercial
    tools with free tools
  • Nmap, Nessus, Nikto, firewalk, cheops-ng,
    Tripwire, Windows tools, Linux/Unix tools,
    hping2, RAT
  • AppScan, N-Stalker, Hailstorm
  • Closely tracks lecture content

24
Lab topics
  • Lab 1 Network Discovery and Vulnerability
    Scanning
  • Lab 2 Network audit and analysis within DMZ
  • Lab 3 Audits and validations of routers,
    firewalls and Intrusion Detection System (IDS)
    configuration and technical rule bases
  • Lab 4 Audits of Unix/Linux systems including
    FreeBSD server and workstation, Fedora Core and
    Debian workstation
  • Lab 5 Audits of Windows systems including
    Windows 2000 Server, Windows 2003 server,
    Windows 2000 Pro and Windows XP.
  • Lab 6 Audits of Web servers (Apache and
    Microsoft IIS) and applications
  • Lab 7 Create a Live CD
  • Project Demonstrate tools used for auditing

25
Lab diagram

26
Physical Lab Design
  • Dedicated hard drives
  • VMware images
  • BackTrack / Hakin9 / etc.
  • Imaging system
  • Air-gap capability

27
How did labs work?
  • Labs are effective at conveying and applying
    techniques discussed and discovered in lecture.
  • General Student Feedback
  • Enjoyed hands-on learning
  • Learned a lot through the labs.
  • Appreciated the dedicated forensics
    machines/drives
  • The final project allowed us to build a VMware
    image and apply our favorite tools on the system.
    We learned a lot from others too.

28
Things that can be improved
  • Lack of time was an issue (insufficient time for
    great depth of study)
  • Combining the vulnerabilities onto one machine
    allows in-depth auditing
  • Get rid of duplicate tools
  • Focus on the audit report
  • Reduce the time to set up the VMware images
  • Labs need further tweaking

29
Future direction
  • Remote lab systems
  • Split the course into two
  • Training of other faculty

30
What did we miss?
  • Suggestions?
  • Questions?