Security Audits - PowerPoint PPT Presentation

1 / 31
About This Presentation
Title:

Security Audits

Description:

Gives a company an unbiased view of the corporate network's security ... NeWT. www.tenablesecurity.com/newt.html. Retina. www.eeye.com. LANGuard. www.gfi.com ... – PowerPoint PPT presentation

Number of Views:449
Avg rating:3.0/5.0
Slides: 32
Provided by: scotl
Category:
Tags: audits | newt | security

less

Transcript and Presenter's Notes

Title: Security Audits


1
Security Audits
  • Scot Lymer, GSEC CSSA
  • Consysco Solutions

2
Topics
  • What is a Security Audit
  • Why do I need a Security Audit
  • Steps involved (Not all encompassing)
  • Tools used
  • Legal Considerations

3
What is a Security Audit
  • Referred to as Penetration testing
  • Gives a company an unbiased view of the corporate
    networks security
  • Assists in the creation or update of an existing
    security policy

4
Why do I need a Security Audit
  • Prevent loss of data
  • Due-diligence
  • Government regulations
  • HIPPA - Guarantee security and privacy of health
    information
  • GLB - regulates data security in the financial
    services industry
  • Oxley-Sarbanes Requires Validation of the
    accuracy and integrity of financial data and
    improve reporting capabilities
  • Insurance requirements
  • E-network Risk Management

5
Steps involved
  • Scope of audit
  • Finding Network Points
  • Router Auditing Tools
  • Firewall Auditing Tools
  • IDS Testing
  • Web Application Testing
  • Others

6
Scope of audit
  • What is the goal?
  • What will be audited?
  • What tools will be used?
  • Auditor responsibilities
  • Users responsibilities
  • Depth of the audit
  • Costs breakdown

7
Some tools used in a security audit
  • NMAP
  • www.insecure.org/nmap/nmap_download.html
  • NeWT
  • www.tenablesecurity.com/newt.html
  • Retina
  • www.eeye.com
  • LANGuard
  • www.gfi.com

8
Finding Network Points
  • Tools
  • NMAP
  • Superscan

9
Router Auditing
  • Check for proper physical security
  • Check for stable updated operating system
  • Harden the configuration by removing unnecessary
    services etc.
  • Finger - Remove
  • Telnet Use Secure Shell
  • Etc.
  • Check for proper Packet Filtering by only
    allowing needed ports and protocols
  • Check for DOS attacks
  • Log all occurrences of bad packets
  • Reject packets with invalid source addresses
  • Ensure the router offers Syn Attack protection

10
Firewall Auditing
  • Review security policy
  • Test the Rulebase
  • Identify vulnerabilities
  • Identify misconfigurations
  • Firewall Logs

11
Review Security Policy
  • What ports should be open on the firewall?
  • Who determines what ports should be open?

12
Test the Firewall Rulebase
  • Done by scanning every network segment from every
    other network segment
  • Place a system on your DMZ and attempt to
    penetrate you internal network
  • If during your audit you are not sure if a
    service should be blocked, block it.

13
Identify Vulnerabilities
  • Identify vulnerable hosts accessible behind the
    firewall
  • Test vulnerabilities using Retina etc.

14
Identify Firewall Misconfigurations
  • Authentication
  • Ensure encrypted data is actually encrypted
  • Ensure encrypted authentication is encrypted
  • TCPdump
  • Ethereal
  • Dsniff
  • Ettercap
  • Etc.
  • Firewall Logs
  • Set up the most extensive logging as possible
  • Ensure audit scans are logged for proper logging

15
Other Firewall issues
  • If using any additional services such as
    Antivirus test by sending infected email through
    your firewall
  • http//www.eicar.org/anti_virus_test_file.htm
  • Test content filter solution by accessing a site
    that should be blocked

16
IDS Testing
  • Check for evidence of attacks in the IDS logs
  • Test the IDS using a variety and multitude of
    attacks AND
  • Test the IDS for reaction to varied speeds of
    each attack, random protocol adjustments, etc.
  • Insertion
  • Evasion
  • Decoy
  • Fragmentation
  • Etc.
  • Sidestep can be used to demo an IDS evasion

17
Evading IDS via NMAP
  • Decoys nmap ( -D) - reduces the chance of your Ip
    address being traced from your scan
  • Slow scan (-T sneaky or -T paranoid) - makes it
    almost impossible for a firewall to detect a port
    scan
  • Fragmentation attacks (-f) - makes it more
    difficult for a firewall or packet filter to
    determine the packet type.

18
Web Application Testing
  • Examine source of available pages
  • Test for recognized file types/extensions/director
    ies
  • SQL Injection
  • Cookies and Session IDs
  • Path Traversal and URIs
  • Many more..

19
Examine source of available pages
  • lttitlegtHome Pagelt/titlegtltmeta content"Microsoft
    Visual Studio 7.0" name"GENERATOR"gtltmeta
    content"C" name"CODE_LANGUAGE"gtltmeta
    content"JavaScript" name"vs_defaultClientScript"
    gt
  • Developer is using Visual Studio

20
Test for recognized file types/extensions/directo
ries
  • GET /blah.idq HTTP/1.0HTTP/1.1 200 OKServer
    Microsoft-IIS/5.0Date Wed, 04 Jun 2003 111224
    GMTContent-Type text/htmlltHTMLgtThe IDQ file
    blah.idq could not be found.

21
SQL Injection
  • Not properly stripping user input of potentially
    "nasty" characters before using that input
    directly in SQL queries

22
SQL Injection sample code
  • (using MS Access DB)
  • user Request.form("user")
  • pass Request.form("pass")
  • Set Conn Server.CreateObject("ADODB.Connection")
    Set Rs Server.CreateObject("ADODB.Recordset")
    Conn.Open (dsn)
  • SQL "SELECT CCOUNT() FROM users where pass'"
    pass "' and user'" user "'"
  • rs.open (sql,conn) if rs.eof or rs.bof then
    response.write "Database Error"
  • else if rs("C") lt 1 then response.write "Invalid
    Credentials" else response.write "Logged In" end
    if
  • end if
  • If the attacker were to submit the following
    credentials to our login script
  • user test' OR '1''1pass test
  • With no sanity or validity checking the resulting
    query would be
  • SELECT FROM users where pass'test' and
    user'test' OR '1' '1
  • Since 1 1 is always true the attacker would be
    granted access

23
Cookies and Session IDs
  • Cookies (stored on hard drive)
  • Cookies authenticate a user to an application
    and, if stolen, a users credentials can be
    compromised
  • Cookie expiration dates affect security
  • Session IDs (forms part of the URL)
  • searching proxy logs, viewing browser histories
    or social engineering a user can reveal
    information that can be pasted into a URL
  • Can be logged, replayed or socially engineered.
  • More difficult to abuse than cookies because the
    Session ID is not embedded in a sites URL.
  • Are Session IDs embedded in a hidden tag??
  • Auditor should examine
  • Mechanism used to generate session ids
  • How are they being persisted

24
Path Traversal and URIs
  • Traversing out of the web root and into another
    directory such as etc/passwd or system32/config
  • Caused by failure to strip the path character
    (/.) on the file variable
  • http//www.example.com/index.php?file../../../../
    etc/passwd

25
Physical Security
  • Locate physical entry points
  • Are there any monitoring devices? Where are they
    located
  • What kind of alarm systems? What triggers the
    alarm? Who is notified?
  • Where are backups stored?
  • Are computers left in a logged in state when not
    in use?
  • Etc.

26
Social-Engineering
  • Relies heavily on human interaction
  • Examples
  • Bogus email sending a user to a web site
  • Phone calls to a user asking for password to
    reset their account

27
Review Security Policy
  • Where can the security policy be found?
  • How are passwords handles?
  • Where are backups stored?
  • Is personal email allowed?
  • What is acceptable web usage?
  • etc.

28
Legal Considerations
  • Disclosure of information
  • Penetration testing should not interfere with
    running systems
  • Notify customer of responsibilities
  • Backup data prior to audit
  • Notify any employee who needs to know about the
    audit
  • Obtain written permission

29
What should I do when audit is completed?
  • Review with the auditor
  • Review with management
  • Review with appropriate personnel
  • Create or update security policy based on results
    of the audit

30
How often should the audit be performed?
  • At least once a year
  • New employees
  • New technology
  • Etc.

31
  • ????
Write a Comment
User Comments (0)
About PowerShow.com