Assessments - PowerPoint PPT Presentation
Slides: 40
Provided by: roberto2
Transcript and Presenter's Notes
1
Assessments
  • Lesson 3

2
The Hacker mindset
  • A hacker is someone who tries to figure out how
    things work
  • Originally a term of respect given to the
    uber-geek
  • Someone who could quickly create software code
    that worked, i.e. "hack out" a routine
  • Original hackers were often looking for loopholes
    to increase their allotment of CPU time on early
    mainframes
  • Quest for knowledge

3
The Cracker mindset
  • Someone who tries to break into a computer system
    for malicious purposes (defacement, theft, fraud,
    denial of service)
  • Thought to have been coined by hackers to
    differentiate themselves in the 1980s
  • The media uses "hacker" when they usually mean "cracker"
  • Key is intent of actions and attitude

4
The Cracker mindset (cont.)
  • Lots of examples of cracker activity
  • Theft: CD Universe and 300,000 credit cards
  • Russian cracker named Maxus
  • Ransom demand of 100K to 300K
  • January 2000
  • Defacements
  • Internet is a tempting target
  • BizRate.com estimated sales of 1.2B during a
    single week of December 2000

5
Typical Cracker Activity 2/18/01
6
What are security assessments
  • Assessments are an examination of an
    organization's current security posture
  • A good mechanism to find and fix holes before
    someone else finds them
  • Keep in mind someone else is looking for your
    security holes even if you aren't

7
What are security assessments
  • Three common terms for security assessments
  • Security Audit
  • Risk Assessment
  • Penetration Test
  • They may sometimes be used synonymously but they
    are not the same

8
What are security assessments
  • Security Audit
  • More of a compliance check
  • Checklists and standards
  • Policies and procedures
  • Backups
  • Verification
  • Are you doing what you are supposed to be doing?
  • BS 7799 (British Standards Institute Code of
    Practice for Information Security Management)
  • Controls and practices

9
What are security assessments
  • Risk Assessment
  • Also more of a paper exercise
  • Weighs likelihood against impact
  • Weighs cost against benefit
  • Much more business oriented

10
What are security assessments
  • Penetration Test
  • Looks for security vulnerabilities
  • Unpatched operating system or application
  • Known security holes
  • Accounts with weak or no passwords
  • Examines impact of discovered vulnerabilities
  • Targets digital, physical, and personnel (social
    engineering)
  • Hands on test of network security
  • More thorough and effective

11
Penetration Techniques
  • Breaking into computers and networks can involve
    technical attacks or social engineering.
  • Technical attacks involve
</gml_replace>
<gr_replace lines="139-140" cat="clarify" orig="• Canonical passwords">
  • Canonical passwords (default passwords and
    accounts)
  • Eavesdropping
  • Breaches of access controls
  • Social Engineering (misrepresentation) relies on
    lies, bribes and forms of seduction that can
    trick honest or marginally dishonest employees
    into revealing authentication information.

12
Technical Attacks
  • Breaching access controls
  • Brute Force attacks
  • Demon/war dialing
  • Exhaustive search for userid/password
  • Scavenging RAM
  • Intelligent Guesswork
  • Canonical passwords (default passwords
    accounts)
  • BAD passwords
  • Discarded Media
  • Shoulder surfing

13
Technical Attacks
  • Intercepting Communications
  • Can obtain information by monitoring
    communication between a peripheral node and the
    host.
  • Wiretapping: intercepting the data stream on a
    communications channel
  • Phone lines, leased lines, long distance
    transmissions
  • Internet connections
  • LAN sniffers
  • Optical fiber can be tapped
  • Wireless
  • Radio and wireless phones, wireless networks
  • Cellular
  • Packet radio
  • Van Eck interception (emanations security)

14
Technical Attacks
  • Penetration Testing
  • Look for vulnerabilities in applications and
    services
  • Commercial and freeware scanners
  • Many specialized freeware vulnerability scanners
  • Whisker scans for over 500 web-based
    vulnerabilities
  • Can scan over SSL
  • Has IDS evasion modes
  • Very powerful in the right hands
  • There's a scanner for most major vulnerabilities
  • Freeware scanners are usually better and more up
    to date
  • Examine each target and services on the target
  • Examine logins and use brute force tools if
    allowed
  • Lots of research

15
Technical Attacks
  • Penetration Testing: Web Testing
  • Scan for vulnerabilities
  • Example: Microsoft IIS 4.0 / 5.0 Extended
    UNICODE Directory Traversal Vulnerability
  • Published in Oct 2000
  • Access to files with IUSR account permissions on
    the same logical drive as the web server
  • Can give command-line access to a remote attacker
  • Scan for presence of sample materials
  • Examine code of web pages (view source)
  • Examine input fields
  • Create test accounts if allowed
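Detecting the encoded traversal requests the IIS Unicode bug relied on is the defender's side of the web test above. The following is an added example, not code from the presentation: a log check that canonicalizes request paths (double percent-decoding, overlong UTF-8 separators, backslashes) before looking for a parent-directory step. The log lines and their common-log-format layout are constructed for this example.

```python
# Added example, not from the presentation: flag encoded directory-traversal
# requests (IIS 4.0/5.0 Unicode style) in web server log lines.
import re
from urllib.parse import unquote_to_bytes

# Overlong two-byte UTF-8 forms that IIS decoded to path separators only
# after its ".." check had already run: C0 AF -> '/', C1 9C -> '\'.
OVERLONG_SEPARATORS = {b"\xc0\xaf": b"/", b"\xc1\x9c": b"\\"}

# Request line inside a common-log-format entry (layout assumed for the sample).
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+)')

def canonical_path(raw_path: str) -> bytes:
    """Decode the path the way a lenient server effectively would: two
    percent-decoding passes (catches %25c0%25af double encoding), then
    overlong separators and backslashes mapped to a plain '/'."""
    path = unquote_to_bytes(raw_path)
    path = unquote_to_bytes(path)          # second pass for double encoding
    for overlong, plain in OVERLONG_SEPARATORS.items():
        path = path.replace(overlong, plain)
    return path.replace(b"\\", b"/")

def is_traversal(raw_path: str) -> bool:
    """True when the canonical path contains a '..' segment.
    A file name such as 'notes..txt' is not a traversal and is not flagged."""
    return b".." in canonical_path(raw_path).split(b"/")

def flag_traversal_requests(log_lines):
    """Return (line number, raw request path) for every traversal request."""
    hits = []
    for n, line in enumerate(log_lines, start=1):
        m = REQUEST_RE.search(line)
        if m and is_traversal(m.group(1)):
            hits.append((n, m.group(1)))
    return hits

SAMPLE_LOG = [  # constructed sample lines, not real traffic
    '10.0.0.5 - - [18/Feb/2001:10:01:02 -0500] "GET /index.html HTTP/1.0" 200 1043',
    '10.0.0.9 - - [18/Feb/2001:10:01:07 -0500] "GET /scripts/..%c0%af../winnt/win.ini HTTP/1.0" 200 512',
    '10.0.0.9 - - [18/Feb/2001:10:01:09 -0500] "GET /scripts/..%255c..%255cwinnt/win.ini HTTP/1.0" 404 0',
    '10.0.0.5 - - [18/Feb/2001:10:02:15 -0500] "GET /docs/notes..txt HTTP/1.0" 200 77',
]

if __name__ == "__main__":
    for n, path in flag_traversal_requests(SAMPLE_LOG):
        print(f"line {n}: traversal in {path}")
```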

16
Technical Attacks
  • Penetration Testing: Dial-Up
  • Often overlooked access method
  • Often unsecured
  • Dial company phone numbers looking for modems
  • Several commercial and freeware scanners
    available
  • Test security of discovered modems
  • Default passwords work most of the time
  • Test remote access packages with client software
  • Penetration Testing: Wireless Networks
  • Often left with little or no security
  • Footprint often extends into publicly accessible
    areas

17
Social Engineering
  • Penetration Testing: Social Engineering
  • Might not be allowed
  • Trying to trick someone into giving you access
  • Pose as administrator
  • Pose as new user
  • Sound like you belong
  • Lying
  • Impersonating authorized personnel
  • Impersonating 3rd party personnel
  • Subverting Employees and 3rd party personnel
  • Bribery
  • Seduction
  • Extortion
  • Blackmail

18
Physical Techniques
  • Penetration Testing: Physical
  • Door and lock testing
  • Are servers locked up
  • Is access to telco closets secured
  • Shoulder surfing
  • Clipboard testing
  • Dumpster diving
  • Work area security
  • Do employees use password protected screensavers
  • Passwords on stickies
  • Sensitive materials left out

19
Results
  • Document and catalog
  • Determine the extent of discovered vulnerabilities to
    answer "how bad is it?"
  • Record discoveries, systems affected, method of
    exploit, accounts and systems compromised
  • Must keep information organized

20
Reporting
  • Report generation
  • Provide management level summary
  • Provide technical level summary
  • Present findings in a clear and specific manner
  • Provide solutions to eliminate or mitigate
    vulnerabilities
  • Report is usually the only physical remnant of
    the assessment

21
Countermeasures
  • Strengthening the perimeter
  • Identification: single sign-on decreases the risk
    that somebody writes something down
  • Authentication: designed to make impersonation
    difficult
  • Biometrics
  • Callback
  • Smart cards and tokens
  • One time passwords
  • Encryption
  • Transmission
  • Data storage
  • Monitoring

22
Risk Analysis Automated Tools
  • The Buddy System is a hybrid software package
    used to identify and deal with system or project
    risks. It offers both qualitative and
    quantitative Risk Analysis and Reporting of
    information or physical security in virtually any
    environment.
  • The purpose of ASSET is to automate the
    completion of the questionnaire contained in NIST
    Special Publication 800-26, "Security
    Self-Assessment Guide for Information Technology
    Systems"
  • HIPAA EarlyView Security version 2.0 was
    designed to help covered entities assess their
    current state of compliance with the Final HIPAA
    Security Rule. Users answer a series of 165
    questions that correspond to each requirement,
    and the software features over 20 built-in
    reports to help track progress.

23
Fundamental Elements of A Risk Analysis Tool
  • A comprehensive risk analysis tool consists of
    three fundamental steps:
    • Data collection
    • Analysis
    • Output results
  • Not only should the risk analysis tool meet these
    basic criteria, it should meet organizational
    requirements as well.

24
Data Collection
  • Asset Identification and Valuation
  • Threat Assessment
  • Vulnerability Assessment
  • Current Safeguard Effectiveness

25
Analysis
  • The analytical process analyzes the relationships
    between assets, threats, vulnerabilities and/or
    safeguards, and possibly other elements (e.g.,
    likelihood of occurrence) to determine potential
    losses.
  • Some automated risk analysis tools use the
    traditional quantitative approach for calculating
    risks (Annual Loss Expectancy)
  • Some risk analysis tools do not average the value
    of future losses but calculate single occurrence
    losses (SOL).
  • The qualitative approach takes the point of view
    that many potential losses are intangible;
    therefore, risks cannot be easily specified
    monetarily. Risk results are portrayed in a
    linguistic manner (i.e., "no risk" to "very high
    risk").

26
Output results
  • Some tools do not address safeguard selection,
    while some do an extensive job.
  • Some tools consider the costs of safeguards and
    their return on investment (ROI).
  • The important point is that the risk analysis
    tool should provide managers with a good
    understanding of where to apply limited dollars
    to protect vital computer assets.
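The Analysis and Output slides above contrast quantitative risk (ALE, or a single-occurrence loss that is not averaged) with qualitative bands, and ask whether a safeguard's cost is justified. The following is an added example, not code from the presentation or any of the tools it names, that carries those calculations through on constructed figures; the 3x3 qualitative banding is an assumption for illustration, not a standard's table.

```python
# Added example, not from the presentation: ALE, single-occurrence loss,
# a qualitative band, and the net value of a safeguard. All figures are
# constructed sample numbers.
from dataclasses import dataclass

@dataclass
class Exposure:
    asset: str
    asset_value: float      # dollar value of the asset
    exposure_factor: float  # fraction of the asset value lost per incident (0..1)
    annual_rate: float      # expected incidents per year (ARO)

def single_occurrence_loss(e: Exposure) -> float:
    """SOL: the loss from one incident, with no averaging over time."""
    return e.asset_value * e.exposure_factor

def annual_loss_expectancy(e: Exposure) -> float:
    """ALE: single loss multiplied by the annual rate of occurrence."""
    return single_occurrence_loss(e) * e.annual_rate

def qualitative_level(likelihood: int, impact: int) -> str:
    """Linguistic band for a 1..3 likelihood and 1..3 impact.
    The banding below is an assumption chosen for this example."""
    score = likelihood * impact          # 1, 2, 3, 4, 6 or 9
    if score == 1:
        return "low risk"
    if score <= 3:
        return "medium risk"
    if score <= 6:
        return "high risk"
    return "very high risk"

def safeguard_value(e: Exposure, new_rate: float, new_ef: float, annual_cost: float) -> float:
    """Net annual benefit of a safeguard: ALE reduction minus its yearly cost.
    Positive means the safeguard pays for itself; this is the ROI comparison."""
    after = Exposure(e.asset, e.asset_value, new_ef, new_rate)
    return annual_loss_expectancy(e) - annual_loss_expectancy(after) - annual_cost

# Constructed sample: a customer database, a quarter of its value lost per
# incident, one incident expected every two years.
SAMPLE = Exposure("customer database", 1_000_000.0, 0.25, 0.5)

if __name__ == "__main__":
    print(f"SOL: {single_occurrence_loss(SAMPLE):,.0f}  ALE: {annual_loss_expectancy(SAMPLE):,.0f}")
    # Safeguard that cuts incidents to one in eight years for 40,000/year.
    print(f"Safeguard net value: {safeguard_value(SAMPLE, 0.125, 0.25, 40_000.0):,.0f}")
    print(qualitative_level(2, 3))
```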

27
Picking an Automated Tool
  • Guide for Selecting Automated Risk Analysis
    Tools (NIST SP 500-174)
  • An automated risk analysis tool should contain
    modules for data collection, analysis, and output
    results
  • Effective reporting of the risk analysis results
    will help managers to weigh the alternatives and
    to select reliable and cost-effective safeguards.
    Therefore, the types of information expected in
    the output reports should be clearly defined
  • The ability to maintain a history of the
    information collected during the data collection
    phase of the analysis is useful in subsequent
    reviews or queries

28
Example selection
  • UNEMPLOYMENT INSURANCE RISK ANALYSIS PROJECT --
    GARTNER GROUP
  • Project staff contacted the vendors and arranged
    on-site evaluations of their automated risk
    analysis tools and training programs. The
    evaluation was performed using the National
    Institute of Standards and Technology's (NIST)
    Special Publication 500-174, Guide for Selecting
    Automated Risk Analysis Tools. For evaluation
    purposes, NIST recommends scoring the tools in
    various areas of capabilities.

29
  • Each NIST capability was scored from a value of 0
    to 3. A score of 0 indicated that the capability
    did not exist, or if it did exist its quality was
    inferior. A score of 1 indicated that the
    capability existed but that it was less than
    adequate to perform the required tasks. A score
    of 2 indicated that the capability existed and
    was considered average. A score of 3 indicated
    that the capability existed and was considered
    above average.
  • The capability scores were then totaled to
    determine the best available automated risk
    analysis tool.

32
CRAMM Methodology
  • Developed in 1986-1987.
  • Last version (V3.0) released in 1997
  • Used in thousands of reviews worldwide
  • Provides the ability to check what-if scenarios
  • Provides catalog of threats and countermeasures

36
CRAMM
  • Risk evaluation is done...
  • By evaluating assets (scale 1-10)
  • By evaluating threats (scale 1-3)
  • By evaluating vulnerabilities (scale 1-3)
  • Impact evaluation is integrated in the
    vulnerabilities evaluation

37
CRAMM
  • Phase 1: definition of the study's boundaries
    • Preparations
    • Asset evaluation
    • Findings review
  • Phase 2: Threat evaluation
    • Relation realization
    • Evaluation of threats and vulnerabilities
    • Calculation of risk level
    • Findings review
  • Phase 3: Countermeasure selection
    • Recognition of the selected countermeasures
    • Comparison with already existing ones
    • Design of security package
    • Findings review

38
Types of countermeasures
  • Reduces the probability of threat occurrence
  • Reduces vulnerabilities
  • Reduces impacts
  • Combination

39
Summary
  • Hacker Mentality
  • Security Assessments
  • Penetration Techniques
  • Risk Analysis Tools
  • CRAMM