Syllabus - PowerPoint PPT Presentation

Slides: 51
Provided by: ValuedGate2228
Transcript and Presenter's Notes

1
Unit 1: Class overview, Traffic Analysis,
Vulnerability Scan, Nessus
  • Syllabus
  • Review of some security concepts
  • Traffic analysis with WireShark (formerly
    Ethereal)
  • Vulnerability Scan
  • Network inventory
  • Nessus

2
Common Attacks and Defenses
3
Common Attacks and Defenses
4
Common Attacks and Defenses
5
Common Attacks and Defenses
6
Goals: Confidentiality, Integrity, and
Availability (CIA)
  • Confidentiality
  • Integrity
  • Availability

7
Defense in Depth: What is it?
  • Physical security
  • Authentication and password security
  • Operating system security
  • Antivirus protection
  • Packet Filtering
  • Firewalls

8
Defense in Depth Contd.
  • Demilitarized zones (DMZs)
  • Intrusion detection systems (IDSs)
  • Virtual private networks (VPNs)
  • Auditing and log files
  • Routers and access control
  • Build a security toolbox: http://sectools.org/index.html

9
Traffic Analysis
  • Network analyzers (sniffers), e.g.
  • Wireshark (formerly Ethereal) - http://www.wireshark.org/
  • Tcpdump - http://www.tcpdump.org/
  • WinDump - http://www.winpcap.org/windump/default.htm
  • NetScout's (formerly Network General's) Sniffer -
    http://www.netscout.com/products/default.asp
  • Microsoft's Network Monitor
  • Sun Snoop - http://docs.sun.com/app/docs/doc/802-5753/6i9g71m3l?a=view
  • etc.
  • GUI vs command-line interface

10
Wireshark
  • Features overview
  • Analyze menu
  • Statistics menu
  • See the Wireshark user's guide for details:
    http://www.wireshark.org/docs/

11
Some things to look for: Scans
  • Purpose
  • Good guys
  • Bad guys
  • TCP SYN scan
  • "half-open" scanning
  • Send a SYN packet
  • A SYN|ACK indicates the port is listening.
  • A RST is indicative of a non-listener.
  • If a SYN|ACK is received, a RST is immediately
    sent to tear down the connection
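As an added illustration (not from the original slides), a small detector for the half-open pattern just described: bare SYNs to several ports on a host, each answered by SYN|ACK then torn down with RST, or answered by RST alone, with no handshake ever completed. The packet records are constructed; in practice they would come from a capture exported from Wireshark or tcpdump.

```python
from collections import defaultdict
# Constructed sample, not a real capture: (src, dst, probed_port, flags),
# probed_port being the port on the probed host whichever way the packet
# travels (a simplification); flags are Wireshark letters S, A, R.
# 10.0.0.5 half-open scans four ports on 10.0.0.9; 10.0.0.7 does a real handshake.
PACKETS = [
    ("10.0.0.5", "10.0.0.9", 22, "S"),
    ("10.0.0.9", "10.0.0.5", 22, "SA"),   # listener answers SYN|ACK
    ("10.0.0.5", "10.0.0.9", 22, "R"),    # scanner tears it down at once
    ("10.0.0.5", "10.0.0.9", 23, "S"),
    ("10.0.0.9", "10.0.0.5", 23, "R"),    # RST: non-listener
    ("10.0.0.5", "10.0.0.9", 80, "S"),
    ("10.0.0.9", "10.0.0.5", 80, "R"),
    ("10.0.0.5", "10.0.0.9", 443, "S"),
    ("10.0.0.9", "10.0.0.5", 443, "R"),
    ("10.0.0.7", "10.0.0.9", 22, "S"),
    ("10.0.0.9", "10.0.0.7", 22, "SA"),
    ("10.0.0.7", "10.0.0.9", 22, "A"),    # third step of a real handshake
]

def analyze(packets):
    """Per-source counts: probed ports, half-open teardowns, RSTs, handshakes."""
    state = {}   # (client, server, port) -> last step seen for that flow
    stats = defaultdict(lambda: {"probed": set(), "half_open": 0,
                                 "closed": 0, "completed": 0})
    for src, dst, port, flags in packets:
        fwd, rev = (src, dst, port), (dst, src, port)   # flow keys
        if flags == "S":
            state[fwd] = "syn"
            stats[src]["probed"].add((dst, port))
        elif flags == "SA" and state.get(rev) == "syn":
            state[rev] = "synack"
        elif flags == "R" and state.get(rev) == "syn":
            state[rev] = "closed"                # server refused the port
            stats[dst]["closed"] += 1
        elif flags == "R" and state.get(fwd) == "synack":
            state[fwd] = "half_open"             # client never sent the ACK
            stats[src]["half_open"] += 1
        elif flags == "A" and state.get(fwd) == "synack":
            state[fwd] = "established"
            stats[src]["completed"] += 1
    return stats

def syn_scanners(packets, min_ports=3):
    """Sources probing >= min_ports ports without completing any handshake."""
    hits = [src for src, s in analyze(packets).items()
            if len(s["probed"]) >= min_ports and s["completed"] == 0
            and s["half_open"] + s["closed"] == len(s["probed"])]
    return sorted(hits)
```

The threshold `min_ports` is a tuning knob: a single half-open probe is normal noise, a run of them against many ports from one source is the scan signature the slide describes.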

12
A way to use Wireshark
  • Use the Edit → Find Packet option to find
    packets of interest.
  • Apply a filter to show just the packets of
    interest.
  • Follow the TCP stream of the packets of interest
    (if they are TCP traffic)
  • Use the File menu to export just the packets
    selected to a separate export file. Replay that
    file in an IDS (e.g. Snort), which can identify
    the predefined attacks.

13
Vulnerability assessment or scanning
  • Vulnerability
  • Programming error or misconfiguration that could
    allow an intruder to gain unauthorized access
  • We need to know our environment better.
  • Do we have any vulnerability?
  • How can I determine that?
  • Should I be fearful of possible weakness?

14
Vulnerability scanning 101
  • Basically: since there are tools out there that
    will identify vulnerabilities,
  • why not use them before the bad guy does?
  • Vulnerability scanning is the process of locating
    and reporting vulnerabilities.
  • Can also be used to validate security measures
    such as an Intrusion Detection System (IDS)

15
Other uses of vulnerability assessment
  • Inventory of the systems and the services
  • Asset classification
  • Detecting corporate policy violations
  • Event correlation: if an intrusion does occur, a
    recent assessment report may help to determine
    how it occurred, and what other assets may have
    been compromised.

16
Types of vulnerability assessment
  • Manual vs Automated
  • Automated: Stand-alone vs subscription
  • Stand-alone examples: Nessus, eEye's Retina,
    Microsoft's Security Baseline Scanner etc.
  • Subscription examples:
  • Qualys QualysGuard - http://www.qualys.com/
  • BeyondSecurity's Automated Scan -
    http://www.beyondsecurity.com/
  • Digital Defense Frontline - http://www.digitaldefense.net/

17
So what are we going to review?
  • What are our assets?
  • What are our risks?
  • What are we going to test, review, perform scans
    on?

18
Know Ourselves
  • First, we must identify, examine, and understand
    the information, and systems, currently in place
  • In order to protect our assets, defined here as
    the information and the systems that use, store,
    and transmit it, we have to understand everything
    about the information
  • Once we have examined these aspects, we can then
    look at what we are already doing to protect the
    information and systems from the threats

19
Know the Enemy
  • For information security this means identifying,
    examining, and understanding the threats that
    most directly affect our organization and the
    security of our organizations information assets
  • We then can use our understanding of these
    aspects to create a list of threats prioritized
    by importance to the organization

20
Steps in Threat/Risk Assessment and evaluation
  • Note: this is just one possible approach. The
    process presented here is a blended approach
    based on NIST 800-30.
  • Step 1: Identify Target - Perform asset
    identification/inventory. Also perform
    classification.
  • Step 2: Perform asset valuation.
  • Step 3: Vulnerability/Threat assessment.
  • Step 4: Control Analysis
  • Step 5: Likelihood determination.
  • Step 6: Evaluation of cost of security breach
    or incident. Impact Analysis.
  • Step 7: Risk Determination
  • Step 8: Risk Assessment Documentation
  • After that, perform control recommendations and
    infrastructure design.
  • For this lecture, we will concentrate on Steps 1
    and 3.

21
Know your assets
  • Wireless
  • Microsoft IIS
  • Exchange
  • Apache
  • Sendmail

22
What do all of those have in common?
  • They are all installed in production networks
    today
  • Oh, and in your homes too.
  • They all have had a number of vulnerabilities
    discovered and exploited.
  • Resulting in:
  • Compromises
  • Loss of Assets
  • Unwanted Press

23
Computer Vulnerability
  • OS or Service Mis-configuration
  • Factory Defaults
  • Administrator / No Password
  • Cisco / Cisco
  • Vendor's Problem (aka poor coding)
  • E.g. Buffer Overflow

24
Where do we start on the road to
recovery/discovery?
  • Know what you have
  • Cyber Assets: network inventory
  • Database
  • Host
  • IP
  • MAC
  • OS
  • Patch Level
  • Services Offered
  • Classification of Data on the system
  • Owner
  • Location
  • How to do this?
  • Microsoft SMS / Discovery Tools / By Hand?

25
Network inventory
  • Two primary steps
  • Identify the existence of a system
  • The more secure a system, the more difficult this is
  • Ping, port scans, etc.
  • Physically locate the system
  • Well-defined names indicating location
  • Traceroute
  • Rogue systems
  • A living document

26
IMPORTANT!
  • Do NOT scan or do any vulnerability testing
    without WRITTEN notice from the owner of that
    subnet before even starting!
  • If you do scan without getting approval, it can
    lead to dismissal from your job or even criminal
    charges!

27
Nmap
  • Open source utility
  • Used for network exploration or security auditing
  • Which machines are alive
  • Which ports (tcp/udp) are open/closed
  • What is the version of the services
  • What is the version of the OS
  • Runs on almost every OS
  • http://www.insecure.org/

28
Nmap Results
  Starting nmap 3.48 ( http://www.insecure.org/nmap/ ) at 2004-02-26 23:54 CST
  Interesting ports on XXXXXXXXXX (146.137.X.XX):
  (The 1640 ports scanned but not shown below are in state: closed)
  PORT      STATE SERVICE      VERSION
  22/tcp    open  ssh          OpenSSH 3.0.2p1-anl-20020626 (protocol 2.0)
  25/tcp    open  smtp         Sendmail 8.11.6/8.11.6
  80/tcp    open  http         Apache httpd 1.3.27 ((Unix) (Red-Hat/Linux) mod_ssl/2.8.12 OpenSSL/0.9.6b)
  111/tcp   open  rpcbind      2 (rpc #100000)
  139/tcp   open  netbios-ssn  Samba smbd 3.X (workgroup: XXX)
  443/tcp   open  ssl/http     Apache httpd 1.3.27 ((Unix) (Red-Hat/Linux) mod_ssl/2.8.12 OpenSSL/0.9.6b)
  445/tcp   open  netbios-ssn  Samba smbd 3.X (workgroup: XXX)
  544/tcp   open  kshell?
  615/tcp   open  ypbind       1-2 (rpc #100007)
  2105/tcp  open  eklogin?
  3306/tcp  open  mysql        MySQL (unauthorized)
  8080/tcp  open  http         Apache httpd
  8081/tcp  open  http         Apache httpd
  8082/tcp  open  http         Apache httpd
  13722/tcp open  VeritasNetbackup?

29
Nmap usage
  • Nmap does not per se perform vulnerability
    testing, but OS fingerprinting and asset/service
    identification.
  • Used by administrators for asset/service
    determination, and also to identify changes in
    the services available.
  • Used by enemies to perform reconnaissance. If
    you see an Nmap scan inside your network that you
    do not know about, respond immediately!
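Added example, not part of the original deck: the inventory use of Nmap described on this and the previous slides (slide 25's "living document", the "identify changes in services available" point above) as code that parses the port table of Nmap's normal output into an inventory and diffs two runs. Both samples are constructed, modelled on the slide 28 output; the second run is invented to show a service vanishing, a new port appearing and a version change.

```python
import re

# Constructed samples modelled on the Nmap 3.48 port table in the slide
# (host anonymized as on the slide); SCAN_LATER is an invented second run.
SCAN_FEB = """\
PORT      STATE SERVICE     VERSION
22/tcp    open  ssh         OpenSSH 3.0.2p1-anl-20020626 (protocol 2.0)
25/tcp    open  smtp        Sendmail 8.11.6/8.11.6
80/tcp    open  http        Apache httpd 1.3.27 ((Unix) (Red-Hat/Linux) mod_ssl/2.8.12 OpenSSL/0.9.6b)
3306/tcp  open  mysql       MySQL (unauthorized)
"""
SCAN_LATER = """\
PORT      STATE SERVICE     VERSION
22/tcp    open  ssh         OpenSSH 3.0.2p1-anl-20020626 (protocol 2.0)
80/tcp    open  http        Apache httpd 1.3.29 ((Unix) (Red-Hat/Linux) mod_ssl/2.8.12 OpenSSL/0.9.6b)
3306/tcp  open  mysql       MySQL (unauthorized)
8080/tcp  open  http        Apache httpd
"""

# One row of the port table: "<port>/<proto>  <state>  <service>  [<version>]".
LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")

def parse_ports(text):
    """Map (port, proto) -> (state, service, version) from Nmap's port table;
    header, banner and closed-port summary lines simply do not match."""
    inv = {}
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            port, proto, state, service, version = m.groups()
            inv[(int(port), proto)] = (state, service, version.strip())
    return inv

def diff_inventory(old, new):
    """Ports that appeared, disappeared, or changed state/service/version."""
    return {
        "added": sorted(k for k in new if k not in old),
        "removed": sorted(k for k in old if k not in new),
        "changed": sorted(k for k in old if k in new and old[k] != new[k]),
    }

if __name__ == "__main__":
    delta = diff_inventory(parse_ports(SCAN_FEB), parse_ports(SCAN_LATER))
    for kind, ports in delta.items():
        print(kind, ports)
```

An unexpected entry under "added" is exactly the kind of change the slide says an administrator should notice between scans.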

30
Other scanners
  • Scanrand - http://www.secureworks.com/research/articles/scanrand
  • PortBunny - http://portbunny.recurity.com/
  • Unicornscan - http://www.unicornscan.org/
  • Foundstone Superscan - http://www.foundstone.com/us/resources/proddesc/superscan4.htm
  • Angry IP Scanner - http://www.angryziber.com/w/Home
  • Foundstone Scanline: lightweight, command line
    only
  • http://www.foundstone.com/us/resources/proddesc/scanline.htm
  • Special-purpose enumerators, e.g. Foundstone
    SNScan for detecting SNMP-enabled devices.
    http://www.foundstone.com/us/resources/proddesc/snscan.htm

31
Locating wireless devices
  • NetStumbler - http://www.netstumbler.com/ -
    actively sends additional traffic to try to obtain
    information about devices.
  • Kismet - http://www.kismetwireless.net/ - collects
    information passively.

32
Documentation
  • Network Topology Maps
  • Access Request Forms
  • Business Continuity and Disaster Recovery Plans
  • IT Security Policies/Standards/Procedures

33
Documentation: Network Topology Maps
34
Documentation: IT Security Policies/Standards/Procedures
  • Policies: broad statements. E.g. "data classified
    as confidential or higher must be encrypted when
    traversing an untrusted network."
  • Standards: these specify what method should be
    used to conform to policy. E.g. "acceptable
    encryption protocols are 3DES, AES(128), and
    AES(256)."
  • Procedures: the most detailed documents. A procedure
    outlines exactly how to perform a given activity.
    E.g. instructions such as "click here" or "run
    this program using these options."

35
Vulnerability Testing FAQs
  • What is it?
  • Using programs/tools/scripts to test a host (or
    range of hosts) for vulnerabilities.
  • Why do it?
  • To Be Secure
  • To attempt to keep Hackers Out
  • Live an easier life
  • Not filling out incident reports and dealing with
    authorities.

36
Terms
  • Vulnerability Tester: program used to
    automatically scan for vulnerabilities.
  • Exploit: a program or script that is used against
    a machine to break into it.
  • Kiddy-Script: similar to an exploit, but easy
    enough for a kiddy to use.

37
Approaches
  • Administrative approach
  • From the perspective of an authenticated
    administrator
  • Example: Microsoft's Security Baseline Scanner
  • Needs credentials (user name and password) to
    detect missing patches, insecure configuration
    settings, potentially vulnerable client-side
    software
  • Checks registry information
  • Advantage: usually does not adversely affect the
    tested systems.
  • Disadvantage: uses standard Windows
    administrative channels. Vulnerabilities in
    systems configured with another authentication
    method may be missed.

38
Approaches (contd.)
  • Outsider Approach
  • Take the perspective of a malicious outsider
    trying to break into the system
  • Good for networks with many different operating
    systems and devices.
  • If the system is behind a firewall, only exposed
    services will be tested.
  • May crash systems/networks
  • Hybrid Approach
  • Example: Nessus and eEye's Retina

39
Realistic Expectations
  • Performing vulnerability scanning may lead to
    network outage
  • Consecutive assessment reports may be
    inconsistent
  • False positives
  • Manual security audits still provide better
    results than automated tools

40
What To Use
  • Vulnerability Scanning
  • (A top 10 list: http://sectools.org/vuln-scanners.html)
  • Nessus ( http://www.nessus.org )
  • Free prior to Version 3.
  • Nessus 3 was released under a proprietary license
    to meet market demands. The HomeFeed subscription
    remains free for non-profit/non-professional
    users.
  • IBM ISS (Internet Security Systems) (
    http://www.iss.net )
  • Started off in '92 as a tiny open source scanner
    by Christopher Klaus. Grew into a billion-dollar
    company with a myriad of security products.
    Acquired by IBM in 2006.
  • eEye Retina (http://www.eeye.com/html/products/Retina/)

41
Results
  • Once you finish scanning, what next?
  • Distribute the results to either the system
    administrators, or patch for the vulnerabilities,
    according to the instructions.

42
Where to Scan From
  • A dedicated machine(s)
  • HIGH Network Throughput
  • Some place that has access to ALL machines
  • Inside your Firewall
  • Outside your Firewall
  • Be careful: may lead to application and network
    outages.

43
How Often?
  • As often as possible
  • Administrators will kill you at some point.
  • Whenever a new exploit comes out
  • Status of patch deployment
  • As frequent as possible from outside your
    firewall.
  • Those are your most vulnerable machines
  • They have conduits to allow outside access

44
In real-life do we do vulnerability scans?
  • Yes! Very often.
  • Sometimes mandated: security audits, vulnerability
    scans, compliance reviews.

45
Focus on Nessus
  • Components
  • Nessus Client and Server (see diagram on the next
    slide)
  • The Nessus Plugins: written in NASL (Nessus
    Attack Scripting Language), for creating custom
    vulnerability tests.
  • The Nessus Knowledge Base: stores values gleaned
    by some plugins, which can then be used by other
    plugins

47
Nessus Server
48
Nessus Client