Network Security Workshop
BUSAN 2003
Saravanan Kulanthaivelu
svanan@nrg.cs.usm.my

Security Audit

"The world isn’t run by weapons anymore, or energy, or money. It’s run by little ones and zeros, little bits of data... There’s a war out there... and it’s not about who’s got the most bullets. It’s about who controls the information."

Federation of American Scientists - Intelligence Resource Program

Workshop Outline (2)

Security Audit
Intrusion Detection
Incident Response

FAQ

We already have firewalls in place. Isn't that enough?

We did not realize we could get security audits. Can you really get security audits, just like financial audits?

We have already had a security audit. Why do we need another one?

Answers

Firewalls and other devices are simply tools to help provide security. They do not, by themselves, provide security. Using a castle as an analogy, think of firewalls and other such tools as simply the walls and watch towers. Without guards, reports, and policies and procedures in place, they provide little protection.

Security audits, like financial audits, should be performed on a regular basis.

Security Audit - Definitions

A security audit is a policy-based assessment of the procedures and practices of a site, assessing the level of risk created by these actions.

An assessment process which develops systems and procedures within an organization, creates awareness amongst employees and users, and ensures compliance with legislation through periodic checking of processes, constituents and documentation.

Why Audit?

Determine Vulnerable Areas
Obtain Specific Security Information
Allow for Remediation
Check for Compliance
Ensure Ongoing Security

To ensure that the site's networks and systems are efficient and foolproof

Who needs security auditing?

A security audit is necessary for every organization using the Internet.

An ongoing process that must be tried and improved to cope with ever-changing and challenging threats.

Do not fear being audited. Audit is good practice.

Audit Phases

External Audit
• Public information collection
• External penetration
   • Non-destructive test
   • Destructive test

Internal Audit
• Confidential information collection
• Security policy reviewing
• Interviews
• Environment and physical security
• Internal penetration
• Change management

Reporting

Audit Phases - External

Hacker's view of the network
Simulate attacks from outside
Point-in-time snapshots
Can NEVER be 100%

External Audit - Public Information Gathering

Search for information about the target and its critical services provided on the Internet.

Network Identification
• Identify the IP address ranges owned/used

Network Fingerprinting
• Try to map the network topology
• Perimeter model identification

OS & Application Fingerprinting
• OS fingerprinting
• Port scanning to determine services and applications
• Banner grabbing

External Audit - Some Commandments

Do not make ANY changes to the systems or networks
Do not impact processing capabilities by running scanning/testing tools during business hours or during peak or critical periods
Always get permission before testing
Be confidential and trustworthy
Do not perform unnecessary attacks

External Audit - Penetration Test

Plan the penetration process
• Search for vulnerabilities matching the information gathered and obtain the exploits
• Conduct vulnerability assessments (ISO 17799)

Non-destructive test
• Scans/tests to confirm vulnerabilities
• Make SURE they are not harmful

Destructive test
• Only for short-term effect (DDoS...)
• Done from various locations
• Done only in off-peak hours to confirm the effect

Record everything
• Save snapshots and record everything for every test done, even if it returned a false result
• Watch out for HONEYPOTS

Internal Audit

Conducted at the premises
A process of hacking with full knowledge of the network topology and other crucial information
Also to identify threats within the organization
Should be 100% accurate
Must be cross-checked with the external penetration report

Internal Audit - Policy Review

Everything starts with the security policy.

If there is no policy, there is no need for a security audit.

Policy
Standards
Procedures, Guidelines & Practices

Internal Audit - Policy Review

Policies are studied properly and classified
Identify any security risk that exists within the policy
Interview IT staff to gain a proper understanding of the policies
Also to identify the level of implementation of the policies

Internal Audit - Information Gathering

Discussion of the network topology
Placement of perimeter devices such as routers and firewalls
Placement of mission-critical servers
Existence of IDS
Logging

Cross check with security policy

Internal Audit - Environment & Physical Security

Locked / combination / card-swipe doors
Temperature / humidity controls
Neat and orderly computing rooms
Sensitive data or papers lying around?
Fire suppression equipment
UPS (Uninterruptible power supply)

Section 8.1 of the ISO 17799 document defines the concepts of secure area, secure perimeter and controlled access to such areas.

Cross check with security policy

Internal Audit - Penetration

The internal penetration test can be divided into a few categories:
• Network
• Perimeter devices
• Servers and OS
• Applications and services
• Monitoring and response

Find vulnerabilities and malpractice in each category

Cross check with security policy

Internal Audit - Network

Location of devices on the network
Redundancy and backup devices
Staging network
Management network
Monitoring network
Other network segmentation
Cabling practices
Remote access to the network

Cross check with security policy

Internal Audit - Perimeter Devices

Check the configuration of perimeter devices such as:
• Routers
• Firewalls
• Wireless AP/Bridge
• RAS servers
• VPN servers

Test the ACLs and filters, e.g. egress and ingress:
• Firewall rules
• Configuration access method
• Logging methods

Cross check with security policy
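The egress/ingress test on this slide can be made mechanical once the device rules are parsed. The following is an added example (not part of the workshop deck) that models an ordered, first-match ACL as a list of dicts and reports the gaps an auditor looks for on an external interface: inbound packets with spoofed internal or private sources not denied, outbound permits for sources that are not the site's own, "permit any any any", and a missing explicit default deny. The rule format, the site address space 192.0.2.0/24 and both rule sets are constructed for the example.

```python
"""Ingress/egress filter review for a perimeter ACL.

Added example, not from the workshop deck. Rules are modelled as an ordered,
first-match list of dicts (direction, action, src, dst, proto); a real router
or firewall config would be parsed into this shape first. The address ranges
below are constructed for the example.
"""
import ipaddress

# The audited site's own address space (assumption for the example).
INTERNAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]

# Sources that should never arrive inbound on the external interface:
# the site's own space plus RFC 1918 private ranges and loopback.
SPOOF_SOURCES = INTERNAL_NETS + [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("127.0.0.0/8"),
]


def _net(text):
    return ipaddress.ip_network(text, strict=False)


def _first_match(rules, direction, src_net):
    """First rule in the given direction whose source covers src_net (first-match ACL)."""
    for rule in rules:
        if rule["direction"] != direction:
            continue
        if rule["src"] == "any" or src_net.subnet_of(_net(rule["src"])):
            return rule
    return None


def review_acl(rules):
    """Return a list of finding strings; an empty list means no gaps were found."""
    findings = []

    # Ingress anti-spoofing: every spoofable source must hit a deny before any permit.
    for net in SPOOF_SOURCES:
        rule = _first_match(rules, "in", net)
        if rule is None or rule["action"] != "deny":
            findings.append(f"ingress: no deny for spoofed source {net}")

    # Egress filtering: only the site's own addresses may be permitted outbound.
    for rule in rules:
        if rule["direction"] == "out" and rule["action"] == "permit":
            if rule["src"] == "any" or not any(_net(rule["src"]).subnet_of(n) for n in INTERNAL_NETS):
                findings.append(f"egress: permit from non-internal source {rule['src']}")

    # Overly broad permits and missing explicit default deny, per direction.
    for direction in ("in", "out"):
        for rule in rules:
            if (rule["direction"] == direction and rule["action"] == "permit"
                    and rule["src"] == "any" and rule["dst"] == "any" and rule["proto"] == "any"):
                findings.append(f"{direction}: permit any any any")
        last = [r for r in rules if r["direction"] == direction]
        if not last or last[-1]["action"] != "deny" or last[-1]["src"] != "any":
            findings.append(f"{direction}: no explicit default deny")
    return findings


# Constructed rule sets: a weak one and the hardened form of the same policy.
WEAK_ACL = [
    {"direction": "in", "action": "permit", "src": "any", "dst": "192.0.2.10/32", "proto": "tcp/80"},
    {"direction": "in", "action": "deny", "src": "any", "dst": "any", "proto": "any"},
    {"direction": "out", "action": "permit", "src": "any", "dst": "any", "proto": "any"},
]

HARDENED_ACL = [
    {"direction": "in", "action": "deny", "src": str(n), "dst": "any", "proto": "any"} for n in SPOOF_SOURCES
] + [
    {"direction": "in", "action": "permit", "src": "any", "dst": "192.0.2.10/32", "proto": "tcp/80"},
    {"direction": "in", "action": "deny", "src": "any", "dst": "any", "proto": "any"},
    {"direction": "out", "action": "permit", "src": "192.0.2.0/24", "dst": "any", "proto": "any"},
    {"direction": "out", "action": "deny", "src": "any", "dst": "any", "proto": "any"},
]

if __name__ == "__main__":
    for name, acl in (("weak", WEAK_ACL), ("hardened", HARDENED_ACL)):
        print(name, review_acl(acl) or ["no findings"])
```

The weak set is typical of a firewall that only thinks about inbound services: the hardened set adds the anti-spoofing denies ahead of the web permit and restricts egress to the site's own prefix, which is what stops an internal compromise from being used to source spoofed traffic outward. The findings are what gets cross-checked against the written policy.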

Internal Audit - Server & OS

Identify mission-critical servers such as DNS, email and others
Examine the OS and the patch levels
Examine the ACL on each server
Examine the management controls: accounts & passwords
Placement of the servers
Backup and redundancy

Cross check with security policy

Internal Audit - Application & Services

Identify services and applications running on the mission-critical servers. Check vulnerabilities for the versions running. Remove unnecessary services/applications.

DNS
• Name services (BIND)
Email
• POP3, SMTP
Web/HTTP
SQL
Others

Cross check with security policy

Internal Audit - Monitor & Response

Check for procedures on:

Event Logging and Audit
• What is logged?
• How frequently are logs viewed?
• How long are logs kept?

Network monitoring
• What is monitored?
• Response alert?

Intrusion Detection
• IDS in place?
• What rules and detection are used?

Incident Response
• How is the response to an attack?
• What is the recovery plan?
• Follow up?

Cross check with security policy

Internal Audit - Analysis and Report

Analysis result
• Check compliance with the security policy
• Identify weaknesses and vulnerabilities
• Cross check with the external audit report

Report - key to realizing value
• Must be in 2 parts
   • Non-technical (for management use)
   • Technical (for IT staff)
• Methodology of the entire audit process
• Separate internal and external
• State weaknesses/vulnerabilities
• Suggest solutions to harden security

Tools

More Tools...

Inetmon
Firewalk
Dsniff
RafaleX
NetStumbler
RAT (Router Audit Tool) - CIS
Retina scan tools
MBSA

Nmap - De facto Standard

Even in The Matrix, nmap was used

Intrusion Detection

Intrusion Detection is the process of monitoring computer networks and systems for violations of security.

An intrusion is any set of actions that attempt to compromise the integrity, confidentiality or availability of a resource.

All intrusions are defined relative to a security policy
• The security policy defines what is permitted and what is denied on a network/system
• Unless you know what is and is not permitted, it is pointless to attempt to catch intrusions

Intrusion Detection

Manual detection
• Check the log files for unusual behavior
• Check the setuid and setgid bits of files
• Check important binaries
• Check for usage of sniffing programs

Automatic (partially??)
• Intrusion Detection Systems
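Two of the manual checks above can be scripted so they are repeatable between audits. The following is an added example, not code from the workshop: it walks a tree for setuid/setgid files that are not on an approved list, and reads Linux interface flags in the /sys/class/net/<interface>/flags layout, where bit 0x100 (IFF_PROMISC) means the interface is in promiscuous mode, the state most sniffing programs put it in. The approved list, the sample tree and the fake sysfs directory are constructed for the demo.

```python
"""Manual intrusion checks: unexpected setuid/setgid files and promiscuous interfaces.

Added example, not from the workshop deck. The approved list and the demo tree
are constructed; on a real host run find_setuid_setgid("/") against the list
taken at build time and promiscuous_interfaces() with the default sysfs path.
"""
import os
import stat
import tempfile

IFF_PROMISC = 0x100   # Linux net_device flag bit for promiscuous mode


def find_setuid_setgid(root, approved=frozenset()):
    """Return sorted [(relative_path, mode)] for setuid/setgid regular files
    under root whose relative path is not in the approved set."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)          # lstat: never follow symlinks here
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode):
                continue
            rel = os.path.relpath(path, root)
            if st.st_mode & (stat.S_ISUID | stat.S_ISGID) and rel not in approved:
                hits.append((rel, oct(stat.S_IMODE(st.st_mode))))
    return sorted(hits)


def promiscuous_interfaces(sys_net_dir="/sys/class/net"):
    """Return interface names whose flags file has IFF_PROMISC set (Linux sysfs layout)."""
    promisc = []
    if not os.path.isdir(sys_net_dir):
        return promisc
    for iface in sorted(os.listdir(sys_net_dir)):
        try:
            with open(os.path.join(sys_net_dir, iface, "flags")) as fh:
                flags = int(fh.read().strip(), 16)   # sysfs prints e.g. "0x1103"
        except (OSError, ValueError):
            continue
        if flags & IFF_PROMISC:
            promisc.append(iface)
    return promisc


def run_demo():
    """Build a constructed tree with one approved and one unexpected setuid
    file plus a fake sysfs tree with one promiscuous interface; return findings."""
    with tempfile.TemporaryDirectory() as tmp:
        bin_dir = os.path.join(tmp, "bin")
        os.makedirs(bin_dir)
        for name, mode in (("passwd", 0o4755), ("ls", 0o755), ("backdoor", 0o4755)):
            path = os.path.join(bin_dir, name)
            with open(path, "w") as fh:
                fh.write("#!/bin/sh\n")
            os.chmod(path, mode)
        net = os.path.join(tmp, "sys_class_net")
        for iface, flags in (("lo", "0x9"), ("eth0", "0x1103")):
            os.makedirs(os.path.join(net, iface))
            with open(os.path.join(net, iface, "flags"), "w") as fh:
                fh.write(flags + "\n")
        return {
            "unexpected_setuid": find_setuid_setgid(tmp, approved=frozenset({"bin/passwd"})),
            "promiscuous": promiscuous_interfaces(net),
        }


if __name__ == "__main__":
    print(run_demo())
```

The approved list is the important part: a setuid file is only suspicious relative to what the policy says should be there, which is the same point the deck makes about intrusions being defined relative to a policy.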

Intrusion Detection Systems

Goal
• To detect intrusions in real time and respond to them

False positive
• No intrusion, but an alarm
• Too many make your life miserable

False negative
• Intruder not detected
• System is compromised

Intrusion Detection - Detection Schemes

Misuse Detection
The most common technique, where incoming/outgoing traffic is compared against well-known 'signatures'. For example, a large number of failed TCP connections to a wide variety of ports indicates that somebody is doing a TCP port scan.

Anomaly Detection
Uses statistical analysis to find changes from baseline behavior (such as a sudden increase in traffic, CPU utilization, disk activity, user logons, file accesses, etc.). This technique is weaker than signature recognition, but has the benefit that it can catch attacks for which no signature exists. Anomaly detection is mostly theoretical at this point and is the topic of extensive research.

Intrusion Detection - Detection Schemes

• Misuse Detection
   • Detect known attack signatures
   • Advantage:
      • Low false positive rate
   • Drawbacks:
      • Only known attacks
      • Costs for signature management

• Anomaly Detection
   • Learn normal profiles from user and system behavior
   • Detect anomaly
   • Advantage:
      • Detect unknown attacks
   • Drawbacks:
      • Difficulty of profiling
      • Profile can be controlled by intruders
      • High false positive rate
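The two schemes on the previous two slides are easiest to compare on the same data. The following is an added example, not from the workshop: a misuse detector that implements the deck's own example signature (many failed TCP connections from one source to many distinct ports) over constructed connection-log lines, and an anomaly detector that scores a new observation as a z-score against a constructed baseline of connections per hour. The log format, the addresses and the baseline numbers are all invented for the demo.

```python
"""Misuse (signature) versus anomaly (baseline) detection on constructed data.

Added example, not from the workshop deck. The connection-log line format
"<time> TCP <src>:<sport> -> <dst>:<dport> <state>" is invented here.
"""
import re
import statistics
from collections import defaultdict

LINE_RE = re.compile(
    r"^(?P<time>\S+) TCP (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<state>\w+)$"
)


def parse_line(line):
    """Parse one constructed log line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def detect_port_scans(lines, min_ports=10):
    """Misuse detection: flag sources with failed (RST) connections to at least
    min_ports distinct destination ports. Returns {src: sorted ports}."""
    failed = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["state"] == "RST":      # RST here means the connection was refused
            failed[rec["src"]].add(rec["dport"])
    return {src: sorted(ports) for src, ports in failed.items() if len(ports) >= min_ports}


def anomaly_score(baseline, observed):
    """Anomaly detection: z-score of observed against the baseline series.
    A flat baseline (zero spread) makes any deviation infinitely anomalous."""
    mean = statistics.mean(baseline)
    sd = statistics.stdev(baseline) if len(baseline) > 1 else 0.0
    if sd == 0.0:
        return 0.0 if observed == mean else float("inf")
    return (observed - mean) / sd


def is_anomalous(baseline, observed, threshold=3.0):
    return abs(anomaly_score(baseline, observed)) >= threshold


# Constructed sample: one host refused on ports 20..34 in quick succession,
# plus ordinary web connections from another host (one of them refused).
SAMPLE_LOG = [
    f"2003-08-21T10:00:{i:02d} TCP 198.51.100.7:{40000 + i} -> 192.0.2.10:{20 + i} RST"
    for i in range(15)
] + [
    "2003-08-21T10:01:00 TCP 203.0.113.5:51000 -> 192.0.2.10:80 EST",
    "2003-08-21T10:01:05 TCP 203.0.113.5:51001 -> 192.0.2.10:80 EST",
    "2003-08-21T10:01:09 TCP 203.0.113.5:51002 -> 192.0.2.10:443 RST",
]

# Constructed baseline: connections per hour over eight normal hours.
BASELINE_CONN_PER_HOUR = [120, 130, 125, 118, 135, 128, 122, 131]

if __name__ == "__main__":
    for src, ports in detect_port_scans(SAMPLE_LOG).items():
        print(f"signature match: port scan from {src} across {len(ports)} ports")
    for observed in (132, 400):
        z = anomaly_score(BASELINE_CONN_PER_HOUR, observed)
        print(f"{observed} conn/h: z={z:.1f} anomalous={is_anomalous(BASELINE_CONN_PER_HOUR, observed)}")
```

The trade-off on the slide is visible in the code: the signature has a threshold (min_ports) that gives it a low false-positive rate but catches only this one pattern, while the z-score will flag any surge, including legitimate ones, and depends entirely on the baseline being clean, which is the "profile can be controlled by intruders" drawback.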

Network IDS

Uses network packets as the data source
Searches for patterns in packets
Searches for patterns of packets
Searches for packets that shouldn't be there
May 'understand' a protocol for effective pattern searching and anomaly detection
May passively log, alert with SMTP/SNMP or have a real-time GUI

Network IDS Strengths

Lower cost of ownership
• Fewer detection points required
• Greater view
• More manageable

Detects attacks that host-based systems miss
• IP-based denial of service
• Packet or payload content

More difficult for an attacker to remove evidence
• Uses live network traffic
• Captured network traffic

Network IDS Strengths

Real-time detection and response
• Faster notification and responses
• Can stop before damage is done (TCP reset)
• Detects unsuccessful attacks and malicious intent
• Outside a DMZ: see attempts blocked by the firewall
• Critical information obtained can be used for policy refinement

Operating system independence
• Does not require information from the target OS
• Does not have to wait until the event is logged
• No impact on the target

Network IDS Limitations

Obtaining packets - topology & encryption
Number of signatures
Quality of signatures
Performance
Network session integrity
Understanding the observed protocol
Disk storage

Host Based IDS

Signature log analysis
• Application and system

File integrity checking
• MD5 checksums

Enhanced kernel security
• API access control
• Stack security

Some products listen to port activity and alert the administrator when specific ports are accessed
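The file integrity checking listed above (and the "check important binaries" step from the manual detection slide) works by taking a baseline of checksums while the host is known-good and comparing later. The following is an added example, not the deck's or any product's code: it builds a baseline over a tree, then reports changed, missing and added files. The deck names MD5 checksums, so MD5 is recorded, but SHA-256 is stored alongside it because MD5 collisions are practical today; the sample tree and the simulated changes are constructed for the demo.

```python
"""Tripwire-style file integrity baseline and verification.

Added example, not from the workshop deck. Records MD5 (as the deck lists)
plus SHA-256, size and mode per file; the demo tree is constructed.
"""
import hashlib
import json
import os
import tempfile


def _digests(path):
    """Return the per-file record stored in the baseline."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            md5.update(chunk)
            sha.update(chunk)
    st = os.stat(path)
    return {"md5": md5.hexdigest(), "sha256": sha.hexdigest(),
            "size": st.st_size, "mode": oct(st.st_mode & 0o7777)}


def build_baseline(root):
    """Map relative path -> record for every regular file under root (symlinks skipped)."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue
            baseline[os.path.relpath(path, root)] = _digests(path)
    return baseline


def verify(root, baseline):
    """Compare the tree against a stored baseline; any differing field counts as changed."""
    current = build_baseline(root)
    return {
        "changed": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "missing": sorted(k for k in baseline if k not in current),
        "added": sorted(k for k in current if k not in baseline),
    }


def run_demo():
    """Constructed tree: baseline it, then simulate a trojaned binary, a deleted
    file and a dropped hidden file, and return what verify() reports."""
    with tempfile.TemporaryDirectory() as tmp:
        for rel, body in (("sbin/sshd", b"original sshd"), ("bin/ls", b"original ls"),
                          ("etc/passwd", b"root:x:0:0:root:/root:/bin/sh\n")):
            path = os.path.join(tmp, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(body)
        # The baseline must live somewhere the host cannot rewrite it (read-only
        # media or another machine); here it is just serialized to JSON text.
        stored = json.dumps(build_baseline(tmp))
        with open(os.path.join(tmp, "bin", "ls"), "wb") as fh:
            fh.write(b"trojaned ls")
        os.remove(os.path.join(tmp, "etc", "passwd"))
        with open(os.path.join(tmp, "sbin", ".hidden"), "wb") as fh:
            fh.write(b"dropped file")
        return verify(tmp, json.loads(stored))


if __name__ == "__main__":
    print(run_demo())
```

Two caveats follow directly from the limitations slide: the baseline and the checker itself have to be kept off the monitored host or an intruder simply regenerates them, and a kernel modification that lies to stat() and read() defeats any user-space checker, which is why the deck lists "kernel modifications to avoid file integrity checking" as a host IDS limitation.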

Host IDS Strengths

Verifies success or failure of an attack
• Log verification

Monitors specific system activities
• File access
• Logon / logoff activity
• Account changes
• Policy changes

Detects attacks that network-based IDS may miss
• Keyboard attacks
• Brute-force logins

Host Based IDS Limitations

Places load on the system
Disabling system logging
Kernel modifications to avoid file integrity checking (and other stuff)
Management overhead
Network IDS limitations

Characteristics of a Good IDS

Imposes minimal overhead
• Does not slow down the system
Observes deviations from normal behavior
Easily tailored to any system
Copes with changing system behavior over time as applications are added
• High adaptation

Network Honeypots

Sacrificial system(s) or sophisticated simulations

Any traffic to the honeypot is considered suspicious

If a scanner bypassed the NIDS, HIDS and firewalls, they still may not know that a honeypot has been deployed

Network Honeypots

[Diagram labels: Honeypot, HTTP, DNS, Firewall]

Some IDS

Commercial
• RealSecure by ISS
• VCC/Tripwire TM
• CMDS by SAIC
• NetRanger by WheelGroup

Freeware/Open source
• Snort (www.snort.org)

Incident Response

• Incident: An action likely to lead to grave consequences
   • Data loss may lead to commercial loss.
   • Confidentiality breached.
   • Political issues...
   • Network breakdown leads to service and information flow disruption.
   • Many more...

Incident Response

• Response: An act of responding.
   • Something constituting a reply or a reaction.
   • The activity or inhibition of previous activity of an organism or any of its parts resulting from stimulation.
   • The output of a transducer or detecting device resulting from a given input.
• Ideally, Incident Response would be a set of policies that allow an individual or individuals to react to an incident in an efficient and professional manner, thereby decreasing the likelihood of grave consequences.
• ISO 17799
   • Outlines comprehensive incident response and internal investigation procedures
   • Detailed provisions on computer evidence preservation and handling

Incident Response - Purpose

Minimize overall impact.
• Hide from public scrutiny.
• Stop further progression.
• Involve key personnel.
• Control the situation.

Incident Response - Purpose

Minimize overall impact.
Recover quickly & efficiently.
• Respond as if going to prosecute.
• If possible, replace the system with a new one.
• Priority one: business back to normal.
• Ensure all participants are notified.
• Record everything.

Incident Response - Purpose

Minimize overall impact.
Recover quickly & efficiently.
Secure the system.
• Lock down all known avenues of attack.
• Assess the system for unseen vulnerabilities.
• Implement proper auditing.
• Implement new security measures.

Incident Response - Purpose

Minimize overall impact.
Recover quickly & efficiently.
Secure the system.
Follow-up (a continuous process)
• Ensure that all systems are secure.
• Continue prosecution.
• Securely store all evidence and notes.
• Distribute lessons learned.

Incident Verification

How are we certain that an incident occurred?

Verify the incident! Where to find information?
• Intrusion logs
• Firewall logs
• Interviews
   • Emails, network admin, users, ISP, etc...

Verification: What do we know?

Three situations:
1. Verification without touching the system
2. Verification by touching the system minimally. You have a clue or two where to look.
3. Verification by full analysis of the live system to find any evidence that an incident has occurred.

Secure Incident Scene

What exactly does this mean?
Limit the amount of activity on the system to as little as possible
• Limit damage by isolating
• ONE person performs actions
• Limit affecting the crime environment
• Record your actions
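"Record your actions" here, and "Record everything" and "Securely store all evidence and notes" on the purpose slides, are easier to defend later if the record itself cannot be quietly altered. The following is an added example, not from the workshop: an append-only action log in which every entry commits to the SHA-256 hash of the previous entry, so editing or removing any entry after the fact breaks verification of the chain. The incident identifier, operator name, timestamps and entries are constructed for the demo.

```python
"""Hash-chained action log for an incident responder.

Added example, not from the workshop deck. Each entry stores the previous
entry's hash; verify_chain() recomputes every hash and link. The head hash
can be written into a paper notebook or sent to a second person at intervals
so that the electronic record can be checked against an external anchor.
"""
import hashlib
import json
import time

GENESIS = "0" * 64   # "previous hash" of the first entry


def _entry_hash(entry):
    """SHA-256 over the canonical JSON form of the entry without its own hash field."""
    body = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode("utf-8")).hexdigest()


class ActionLog:
    def __init__(self, incident_id, clock=time.time):
        self.incident_id = incident_id
        self.clock = clock          # injectable so the demo is deterministic
        self.entries = []

    def record(self, operator, action, note=""):
        """Append one entry and return its hash (the new chain head)."""
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = {"seq": len(self.entries), "ts": self.clock(), "incident": self.incident_id,
                 "operator": operator, "action": action, "note": note, "prev": prev}
        entry["hash"] = _entry_hash(entry)
        self.entries.append(entry)
        return entry["hash"]

    def head(self):
        return self.entries[-1]["hash"] if self.entries else GENESIS


def verify_chain(entries):
    """Return (True, None) if every entry's hash and back-link check out,
    else (False, index of the first bad entry)."""
    prev = GENESIS
    for i, entry in enumerate(entries):
        if entry["seq"] != i or entry["prev"] != prev or _entry_hash(entry) != entry["hash"]:
            return False, i
        prev = entry["hash"]
    return True, None


def run_demo():
    """Constructed incident: three recorded actions, then an after-the-fact edit."""
    ticks = iter(range(1061452800, 1061452800 + 100))   # constructed timestamps
    log = ActionLog("INC-2003-0042", clock=lambda: next(ticks))
    log.record("responder-1", "photographed screen", "xterm open, two root shells")
    log.record("responder-1", "isolated host", "uplink moved to standalone hub")
    log.record("responder-1", "started disk image", "full image to external drive")
    intact = verify_chain(log.entries)
    tampered = [dict(e) for e in log.entries]
    tampered[1]["note"] = "left on production network"   # someone edits entry 1 later
    return intact, verify_chain(tampered)


if __name__ == "__main__":
    print(run_demo())
```

The chain does not stop a person who controls the whole file from rebuilding it from scratch; what it gives you is that any copy of an earlier head hash, on paper or with a colleague, will no longer match, which is exactly the external check a prosecution-grade record needs.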

Preserve Everything!

Anything and everything you do will change the state of the system
• POWER OFF? Changes it.
• Leave it plugged in? Changes it.
• Obtaining a backup will change the system.
• Unplug the network? Changes it.
• Even doing nothing will ALSO change the state of the system.

Incident Scene Snapshot

Record the state of the computer
• Photos, state of the computer, what is on the screen?
• What is obviously running on the screen?
   • Xterm?
   • X-windows?

Should you port scan the affected computer?
• Pros: You can see all active and listening ports
• Cons: It affects the computer, and some backdoors log how many connections come into them and could tip off the bad guy

Unplug power from system?

This method may be the most damaging to effective analysis, though there are some benefits as well.
• Benefits include that you can now move the system to a more secure location and that you can physically remove the hard drive from the system.
• Cons... you lose evidence of all running processes and memory.

Unplug from Network?

Unplug it from the network and plug the distant end into a small hub that is not connected to anything else.

Most systems will write error messages into log files if not on a network.

If you make the computer think it is still on a network, you will succeed in limiting the amount of changes to that system.

Page 58

Backup or Analyze?

Should you back up the system first? Should you find the extent of the damage? Set this up in policy for your incident response:

It depends on the system and what you need it for.
To get BEST evidence, BACKUP first, at the cost of time to get answers.
To get FAST answers, ANALYZE first, at the cost of getting best evidence.
Label systems with priority. Some will need answers quicker than your ability to get best evidence.

Page 59

Finding Clues

Once backup is done, start looking for clues. Be careful to avoid tampering with the system when it is in the middle of a backup.

Even though the emphasis might be to quickly assess the WHAT of a situation, if you try to answer that question without preserving the scene of the crime, you will inadvertently erase the evidence you seek.

Be patient. It's meticulous.

Page 60

Finding Clues

What are we really looking for?
DATES and TIMES
TROJAN BINARIES
HIDDEN DIRECTORIES
OUT OF PLACE FILES OR SOCKETS
ABNORMAL PROCESSES

We need to find one clue, and once we do, everything else almost always falls into place.
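The slide lists what to hunt for once the backup exists. The script below is an added example, not the workshop's own material: it runs each of those hunts (dates and times, trojan binaries, hidden directories, out-of-place files or sockets) against a copy of the suspect filesystem mounted read-only, so the original is never touched; abnormal processes are a live-system question and are not covered here. Assumed by me: POSIX `find`, coreutils `sha256sum` and `sed`; the mounted copy's root is passed as the first argument; the known-good hash manifest for trojan-binary checks was produced earlier from vendor media or a trusted backup and is given as an absolute path.

```shell
#!/bin/sh
# Added example (not from the slides): hunt for the clue types on the slide on a
# read-only mounted copy of the suspect filesystem (root given as $1).
# Assumptions (mine): POSIX find, coreutils sha256sum/sed, GNU-style `sha256sum -c`.

# DATES and TIMES: regular files whose inode changed within the last N days.
# ctime cannot be set with touch, so it resists the timestamp forgery that mtime
# does not; intruders' own file activity clusters around the intrusion window.
recently_changed() {
    find "$1" -xdev -type f -ctime -"$2" 2>/dev/null | sort
}

# HIDDEN DIRECTORIES: dot-directories with names padded by extra dots or spaces
# (".. ", "...", ". x") anywhere, plus any dot-directory at all under locations
# where none belong.
odd_hidden_dirs() {
    root="$1"
    {
        find "$root" -xdev -type d -name '.[. ]*' 2>/dev/null
        for sub in dev tmp var/tmp; do
            if [ -d "$root/$sub" ]; then
                find "$root/$sub" -xdev -type d -name '.*' 2>/dev/null
            fi
        done
    } | sort -u
}

# OUT OF PLACE FILES OR SOCKETS: only device nodes belong under /dev, so a
# regular file or a Unix socket there is worth a look.
out_of_place_in_dev() {
    [ -d "$1/dev" ] || return 0
    find "$1/dev" -xdev \( -type f -o -type s \) 2>/dev/null | sort
}

# Set-uid files: compare the list against the vendor's; extras are suspects.
suid_files() {
    find "$1" -xdev -type f -perm -4000 2>/dev/null | sort
}

# TROJAN BINARIES: check system binaries against a known-good manifest of
# "sha256  relative/path" lines (absolute manifest path; made e.g. with
# `cd / && sha256sum bin/* sbin/* usr/bin/* > manifest` on trusted media).
# Prints the relative path of every binary that no longer matches or is missing.
changed_binaries() {
    ( cd "$1" && sha256sum -c "$2" 2>/dev/null | sed -n 's/: FAILED.*$//p' )
}

# Full report for a mounted image: sh clues.sh /mnt/image /path/to/manifest 7
triage_report() {
    root="$1"; manifest="$2"; days="${3:-7}"
    echo "== changed binaries ==";     changed_binaries "$root" "$manifest"
    echo "== odd hidden dirs ==";      odd_hidden_dirs "$root"
    echo "== files/sockets in dev =="; out_of_place_in_dev "$root"
    echo "== set-uid files ==";        suid_files "$root"
    echo "== changed in last $days days =="; recently_changed "$root" "$days"
}

case "${1:-}" in
    "") ;;
    *)  triage_report "$@" ;;
esac
```

Every hit is a lead, not a verdict: a padded dot-directory name or a stray file under /dev is how the one clue the slide mentions usually shows up, and the timestamps around it then give the window to search the rest of the image.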

Page 61

What Next?

Prosecute??
Apply short-term solutions to contain an intrusion
Eliminate all means of intruder access
Return systems to normal operation
Identify and implement security lessons learned

Page 62

Useful Links

http://www.securityfocus.com
http://packetstormsecurity.org
http://icat.nist.gov/icat.cfm
http://wiretrip.net
http://www.guninski.com/
http://nsfocus.com

Page 63

Incident Response Resources

Incident Response, Electronic Discovery, and Computer Forensics, www.incident-response.org

Security Focus, www.securityfocus.com

The Federal Computer Incident Response Center (FedCIRC), www.fedcirc.gov

The Canadian Office of Critical Infrastructure Protection and Emergency Preparedness, www.ocipep.gc.ca

Incident Handling Links & Documents (75 links), http://www.honeypots.net/incidents/links

SEI: Handbook for Computer Security Incident Response Teams, http://www.sei.cmu.edu/pub/documents/98.reports/pdf/98hb001.pdf

CERT/CC: Computer Security Incident Response, http://www.cert.org/csirts/

CERT/CC: Responding to Intrusions, http://www.cert.org/security-improvement/modules/m06.html

AusCERT: Forming an Incident Response Team, http://www.auscert.org.au/render.html?it=2252&cid=1920

SANS: S.C.O.R.E, http://www.sans.org/score/

Page 64

White Papers

http://www.ins.com/knowledge/whitepapers.asp
Information Security Management: Understanding ISO 17799
Microsoft IIS Unicode Exploit
Worrisome New Windows Attacks
PKI: How it Works
IPSec: What Makes it Work

Page 65

Funny things happen! Beware

Thank You