KNOW THY SELF
Internal IT Security in SA
Problems & Solutions
charl v d walt
IIR National Summit
July 2000
Agenda
1. Introduction
2. Considering the global Risk
3. Understanding your own Risk
4. Case Study
5. Setting the Stage
6. Implementing Solutions
7. The role and value of IDS
8. Questions
Introduction
• About me
• About Roelof
• SensePost
• Objective
• Approach
• References:
– http://wips.sensepost.com/knowthyself.zip
– http://www.sensepost.com
Understanding the global Risk
• What we know:
– There is a threat to our Information Resources
– The threat has direct financial implications
– The threat is growing
– A large part of the threat is internal
– There are a number of distinguishable trends
• http://www.gocsi.com/prelea990301.htm
• http://www.saps.org.za
• What we don’t know:
– How accurate are the statistics?
– Are international statistics relevant in SA?
– What does this all mean to me?
Universal Threats
• Data Confidentiality
– Information is the currency of business today
• Customers, Strategy, Financials, HR, Personal
• Data Integrity
– The accuracy and reliability of the information
• Determines the value of information
• Reputation / Credibility
– The market’s perception of your competence
• Web site defacement
• Denial of Service
– Prevent a system from performing its intended function
• eBay, Yahoo, Edgars
Understanding your own Risk
• What is Risk?
– Valuable resources + exploitable technology
• What is “Secure”?
– When the financial losses incurred are at an acceptable level
• Your “Risk-Profile”:
– The value of your Information
– The degree of technological vulnerability
– A level of loss that is acceptable to you
Unique to your organisation. Today.
• The value of surveys and statistics
– Highlight the existence of threats
– Indicate trends and phases
– Create an awareness
Your own unique risk profile
• IT Security Assessment
– Make informed decisions on how to spend
• Time
• Money
• People
• An effective assessment:
– Independent and Objective
– Business aware but technology focused
– Prove its worth
– Concrete, practical recommendations
– Finite
– Honest
– Recursive...
Recursive Security Assessments
• Delta Testing
– Monitor the effect of changes
• New exploits and vulnerabilities
– Staying secure in a global battlefield
• Improved Methodologies
– Tools, techniques, philosophies etc.
• Innovation
– A chance to get to know you
• Extended Scope
– There’s never enough time
• Enhanced Scope
– Moving toward a zero-default environment...
Welcome to the case study
• Mind of the cybercriminal
– journal style, informal
– methodology
• Sensitivity
– examples only
• Effort vs Exposure
roelof temmingh
CAT5 from me to you
• Obtaining an IP on the internal network
– already have one
– RAS
– the little black box concept
– walking in with a notebook
– Trojans
– splicing copper
Get to know your neighbours
• The difference between MS and services network
– MS network is a service (File Sharing)
– Other services - FTP, HTTP, SQL, SMTP servers
• Intelligence gathering
– Protocols
– Services
– Identify important hosts
– Ping sweep
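From the defender's side, the intelligence-gathering step on this slide (ping sweep, service discovery) is exactly what a network monitor should notice. The following is an added example and not code from the original talk: a sweep/scan detector run over constructed firewall log lines; the log format, the thresholds and the sample addresses are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format (an assumption, not from the slides): one connection per line.
LINE_RE = re.compile(r"^(\S+ \S+) src=(\S+) dst=(\S+) proto=(\w+)(?: dport=(\d+))?$")

def parse(line):
    """Turn one log line into a record, or None if it does not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, src, dst, proto, dport = m.groups()
    return {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
            "proto": proto, "dport": int(dport) if dport else None}

def distinct_in_window(hits, window):
    """Most distinct targets seen in any sliding window over (timestamp, target) pairs."""
    hits = sorted(hits)
    best, start = 0, 0
    for end in range(len(hits)):
        while hits[end][0] - hits[start][0] > window:
            start += 1
        best = max(best, len({target for _, target in hits[start:end + 1]}))
    return best

def detect(lines, window=timedelta(seconds=60), sweep_hosts=8, scan_ports=10):
    """Flag a source that pings many hosts (sweep) or probes many ports on one host (scan)."""
    icmp_targets = defaultdict(list)   # src -> [(ts, dst)]
    tcp_targets = defaultdict(list)    # (src, dst) -> [(ts, dport)]
    for rec in filter(None, map(parse, lines)):
        if rec["proto"] == "icmp":
            icmp_targets[rec["src"]].append((rec["ts"], rec["dst"]))
        elif rec["dport"] is not None:
            tcp_targets[(rec["src"], rec["dst"])].append((rec["ts"], rec["dport"]))
    alerts = [("ping-sweep", src) for src, hits in icmp_targets.items()
              if distinct_in_window(hits, window) >= sweep_hosts]
    alerts += [("port-scan", src, dst) for (src, dst), hits in tcp_targets.items()
               if distinct_in_window(hits, window) >= scan_ports]
    return alerts

# Constructed sample: one workstation sweeps 12 hosts by ICMP, then probes 11 ports on
# one of them; a second workstation shows ordinary use.
_t0 = datetime(2000, 7, 3, 9, 12, 0)
SAMPLE_LOG = [f"{_t0 + timedelta(seconds=i):%Y-%m-%d %H:%M:%S} src=10.1.4.20 dst=10.1.7.{i} proto=icmp"
              for i in range(1, 13)]
SAMPLE_LOG += [f"{_t0 + timedelta(seconds=20 + i):%Y-%m-%d %H:%M:%S} src=10.1.4.20 dst=10.1.7.5 proto=tcp dport={p}"
               for i, p in enumerate((21, 23, 25, 80, 110, 139, 443, 445, 1433, 3389, 8080))]
SAMPLE_LOG += ["2000-07-03 09:30:00 src=10.1.9.3 dst=10.1.7.5 proto=tcp dport=80",
               "2000-07-03 09:31:05 src=10.1.9.3 dst=10.1.7.6 proto=icmp"]
```

Calling `detect(SAMPLE_LOG)` reports the sweep and the scan from 10.1.4.20 and nothing for 10.1.9.3; the thresholds are the knobs a real deployment tunes against its own baseline.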
Easy cash
• The guy next to you
• Microsoft network
– network neighbourhood
– shares are published
• Services network
– Anonymous FTP, webpages
Scratching the surface
• Your wannabe admin
• Microsoft network
– password guessing
– offline cracking
– real time cracking
• Service network
– sniffing the network (SMTP, POP3, FTP)
– default passwords
– password guessing (known services)
– portscanning
Knocking on the door
• Your (closet hacker) admin
• Microsoft network
– user enumeration
– brute force id/password
• Service network
– vulnerability scanners
– customized for ports (IDS!)
– scans for known product problems
– commercial (ISS, CyberCop)
– share/freeware (Nessus, whisker)
Blowing the door down
• Your previous administrator turned black hat hacker
• We are inside, now what?
• Microsoft network
– search for XLS, DOC files
– copy and enjoy
– application encryption worthless
• Service network
– password files
– passwords to backends (SQL)
– text copy of databases
– mailboxes
• Publish to Internet, sell to competition.
• Assumed full control
Keeping in touch
• Your previous administrator's current employer
• Keeping a grip on your network
• Service network & MS network
– Rootkits
– Backdoors
• Not only from internal
– Internet
– RAS
questions?
Setting the Stage - a security culture
• Assign responsibility
– Security Officer
• Empower the Security Officer
– Authority, Money, People
• Measure Progress
– Project Plan, Certification, Audits
• Develop an IT Security Policy
– Guide, mandate & measure
– Should be:
• Endorsed by management
• Effectively communicated
• Specific
• Enforceable
• Practical
Setting the Stage - a security culture
• Communicate with key people
– Emphasise the value of data to business leaders
• Awareness training and programmes
– Buy-in at every level is essential
• Positive / Negative reinforcement
– Use security as a performance criterion
• Consider Security Certification
– Global standards for the implementation and assessment of security…
Thoughts on Certification
• Objective
– To enforce structure on your security program
– As a means of assessing your security
– As a means of measuring against best-of-breed
– As a means of convincing others of your security
• Is Certification for you?
– Recognition
– Focus
– Local Presence
– Cost
– Endurance
– Objectivity
Implementing Solutions - Overview
• Value your information and IT resources
– Know what you’re protecting and what it’s worth
• Assess your vulnerabilities
– Know exactly where you stand
• Evaluate actual risk versus acceptable risk
– You don’t have to be completely secure
• Develop a Security Strategy
– Know where you’re going and where you are
• Implement Controls
– 80/20 rule
• Assess the effect of the changes
– Security is a cycle
Internal Security Cheat Sheet
• Publish a policy
– Guide, mandate and measure
• Content security
– Viruses, trojans, scripts
• Zoning
– Segment data, people, hosts and services
• Centralise
– It’s much easier to protect something if it’s in one place
• Host & service security
– Basics!
• Account Policies
– Passwords are an essentially weak mechanism
• Switch to the desktop
– It’s simple and it works
• Consider your RAS systems
– RAS is the soft underbelly of your network
IDS - An Overview
• Intrusion Detection System
– Identify and report or react on an unauthorised or malicious action on a host or a network
• Types of IDS
– Host
– Distributed
– Network
• Typical Features (NIDS)
– Packet Sniffing Technology
– Attack Pattern Library
• Traffic Patterns, Viruses, Trojans, Signatures
– Rule Set
• Source, Destination, Time, Period, Signature
– Response capabilities
• Active or Passive
– Distributed Architecture
– Centralised Management
The Role of IDS
• Identifying an “Intrusion”
– Acceptability Parameters:
• Destination
• Source
• Signature
• Time
• Period
• Effective implementation
– Access to traffic
– Acceptability Parameters
– Response Capabilities
• Good Example - DMZ
– Finite area to monitor
– Existing security infrastructure
– Clearly defined acceptability parameters
– Limited number of events to respond to
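To make the rule set and acceptability parameters of the last two slides concrete, here is an added example (not code from the original talk or any product it names): a toy evaluator that checks constructed connection events against a source/destination/port/period profile for a DMZ, plus a small signature list standing in for the attack pattern library. The profile, the events, the addresses and the signature names are all constructed for the example.

```python
from collections import namedtuple
from datetime import datetime
from ipaddress import ip_address, ip_network

# Acceptability profile: who may talk to whom (CIDRs), on which ports, and during
# which hours (start_hour, end_hour). "destination" is the zone being monitored.
Profile = namedtuple("Profile", "name source destination dports hours")
Event = namedtuple("Event", "ts src dst dport payload", defaults=("",))
# Constructed attack-pattern library: payload fragments that are never acceptable.
SIGNATURES = {"cmd.exe": "web-cgi-cmd", "../..": "dir-traversal"}

def evaluate(event, profiles):
    """Return the reasons an event falls outside the acceptable profile (empty = OK)."""
    reasons = []
    matched = [p for p in profiles
               if ip_address(event.src) in ip_network(p.source)
               and ip_address(event.dst) in ip_network(p.destination)]
    if not matched:
        reasons.append("no profile covers source/destination pair")
    else:
        p = matched[0]
        if event.dport not in p.dports:
            reasons.append(f"port {event.dport} not expected by {p.name}")
        start, end = p.hours
        if not start <= event.ts.hour < end:
            reasons.append(f"outside period {start:02d}-{end:02d} for {p.name}")
    for fragment, sig in SIGNATURES.items():  # signatures apply regardless of profile
        if fragment in event.payload:
            reasons.append(f"signature {sig}")
    return reasons

# Constructed profile: the office LAN may reach the DMZ web tier during office hours.
PROFILES = [Profile("lan-to-dmz-web", "10.1.0.0/16", "192.168.10.0/24", {80, 443}, (7, 19))]
SAMPLE_EVENTS = [  # constructed connection records
    Event(datetime(2000, 7, 3, 10, 15), "10.1.4.20", "192.168.10.10", 80, "GET /index.html"),
    Event(datetime(2000, 7, 3, 2, 40), "10.1.4.20", "192.168.10.10", 80, "GET /index.html"),
    Event(datetime(2000, 7, 3, 11, 0), "10.1.4.20", "192.168.10.10", 22),
    Event(datetime(2000, 7, 3, 12, 0), "172.16.9.9", "192.168.10.10", 80, "GET /cgi-bin/cmd.exe"),
]

def report(events=SAMPLE_EVENTS, profiles=PROFILES):
    """Map event index to its reasons; a NIDS would alert on every non-empty list."""
    return {i: evaluate(e, profiles) for i, e in enumerate(events)}

if __name__ == "__main__":
    for i, reasons in report().items():
        print(i, "acceptable" if not reasons else "; ".join(reasons))
```

The point of the DMZ example on the slide shows up in the code: with a finite zone and a clearly defined profile, every event is either acceptable or carries a specific reason, which keeps the number of events to respond to small.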
IDS & Internal Security
• For:
– Large, open environments
• e.g. Corporate Extranet or University
– Effective zoning, segmentation & consolidation
– Basic issues addressed
– Dedicated security personnel
• Against:
– Technology driven decision
• There are no point-and-click solutions to security
– Closed system
– Acceptability parameters
– Response capabilities
• In SA
– Address basic issues
– Consolidate valuable resources
– Do an assessment
– Make a strategy decision
– Consider outsourcing
questions?