Transcript Document
Security Auditing, Attacks, and Threat Analysis
Copyright © 2002 ProsoftTraining. All rights reserved.
Lesson 1: Security Auditing
Objectives
• Identify a security auditor’s chief duties
• List security auditing principles
• Assess risk factors for a network
• Describe the security auditing process
• Plan an audit
What Is an Auditor?
• Network security
• Risk assessment
What Does an Auditor Do?
• Compliance
• Risk analysis
Auditor Roles and Perspectives
• Auditor as security manager
• Auditor as consultant
• Insider threats
Conducting a Risk Assessment
• Check for a written security policy
• Analyze, categorize and prioritize resources
• Consider business concerns
• Evaluate existing perimeter and internal security
• Use existing management and control architecture
Risk Assessment Stages
• Discovery
• Penetration
• Control
Summary
• Identify a security auditor’s chief duties
• List security auditing principles
• Assess risk factors for a network
• Describe the security auditing process
• Plan an audit
Lesson 2: Discovery Methods
Objectives
• Describe the discovery process
• Identify specific discovery methods
• Install and configure network-based and host-based discovery software
• Conduct network-level and host-level security scans
• Configure and deploy enterprise-grade network vulnerability scanners
Security Scans
• Whois
• nslookup
• The host command
• The traceroute (tracert) command
• Ping scanning
• Port scans
• Network-discovery and server-discovery applications
• NMAP
• Share scans
• Service scans
• Using Telnet
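Port scans, service scans and "using Telnet" on this slide all come down to the same mechanic: complete a TCP connection, read whatever the service says first, and guess the service from that banner. The following is an added example written for this page, not material from the course or from NMAP; it runs a minimal connect() scan with a banner grab against a fake FTP service started on loopback for the demonstration (the banner text, `BANNER_PATTERNS` and the helper names are all constructed here). NMAP's service probes are far more thorough; this shows only the principle.

```python
import re
import socket
import threading
from typing import Dict, Iterable

# Banner prefixes -> service guess (constructed for this example).
BANNER_PATTERNS = [
    (re.compile(r"^SSH-\d"), "ssh"),
    (re.compile(r"^220\b.*\bFTP\b", re.IGNORECASE), "ftp"),
    (re.compile(r"^220\b.*\bE?SMTP\b"), "smtp"),
    (re.compile(r"^HTTP/\d"), "http"),
]


def identify_service(banner: str) -> str:
    """Guess a service from the first line of its greeting banner."""
    first = banner.splitlines()[0] if banner else ""
    for pattern, name in BANNER_PATTERNS:
        if pattern.search(first):
            return name
    return "unknown"


def tcp_connect_scan(host: str, ports: Iterable[int], timeout: float = 0.5) -> Dict[int, str]:
    """TCP connect() scan with a banner grab.

    Returns {port: banner} for every port that accepted the connection; the
    banner is '' when the service stayed silent for `timeout` seconds.
    Closed and filtered ports are simply absent from the result.
    """
    found: Dict[int, str] = {}
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            try:
                s.connect((host, port))
            except OSError:  # ECONNREFUSED, timeout, unreachable: not open
                continue
            try:
                banner = s.recv(1024).decode("ascii", errors="replace").strip()
            except OSError:  # silent service (no greeting within timeout)
                banner = ""
        found[port] = banner
    return found


def start_fake_service(banner: bytes) -> int:
    """Listen on a loopback port and greet every client with `banner` (scan target only)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve() -> None:
        while True:
            conn, _ = srv.accept()
            with conn:
                try:
                    conn.sendall(banner)
                except OSError:
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def unused_port() -> int:
    """Pick a loopback port nothing listens on, so the scan sees it as closed."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def demo() -> Dict[int, str]:
    """Scan one fake FTP service and one closed port; returns {open port: service guess}."""
    ftp_port = start_fake_service(b"220 ftp.example.test FTP server ready\r\n")
    closed = unused_port()
    results = tcp_connect_scan("127.0.0.1", [ftp_port, closed])
    return {port: identify_service(banner) for port, banner in results.items()}


if __name__ == "__main__":
    for port, service in demo().items():
        print(f"127.0.0.1:{port} open ({service})")
```

The scan is deliberately a full three-way handshake, which is what the target's service logs will record; that is the "legitimate versus illegitimate tools" point later in this lesson, since an auditor wants the scan to be attributable while an intruder does not.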
Using SNMP
• The SetRequest command
• SNMP software
TCP/IP Services
• Finger
– User names
– Server names
– E-mail accounts
– User connectivity
– User logon status
Enterprise-Grade Auditing Applications
• Protocol support
• Network scanners
• Subnetting
• Configuring network scanners
• Configuring host scanners
Scan Levels
• Profiles and policies
• Reporting
• Symantec NetRecon
• ISS Internet Scanner
• eEye Retina
• Additional scanning application vendors
Social Engineering
• Telephone calls
• Fraudulent e-mail
• Education
What Information Can You Obtain?
• Network-level information
• Host-level information
• Research
• Legitimate versus illegitimate auditing tools
Summary
• Describe the discovery process
• Identify specific discovery methods
• Install and configure network-based and host-based discovery software
• Conduct network-level and host-level security scans
• Configure and deploy enterprise-grade network vulnerability scanners
Lesson 3: Auditing Server Penetration and Attack Techniques
Objectives
• Identify common targets
• Discuss penetration strategies and methods
• List potential physical, operating system, and TCP/IP stack attacks
• Identify and analyze specific brute-force, social engineering, and denial-of-service attacks
• Implement methods designed to thwart penetration
Attack Signatures and Auditing
• Reviewing common attacks
– Dictionary
– Man in the middle
– Hijacking
– Viruses
– Illicit servers
– Denial of service
Common Targets
• Routers
• FTP servers
• Databases
• Web servers
• DNS
• WINS
• SMB
Routers
• Using your firewall to filter Telnet
• Routers and bandwidth consumption attacks
Databases
• The most desirable asset for a hacker to attack
– Employee data
– Marketing and sales information
– R&D
– Shipping information
Web and FTP Servers
• Common problems
• Web graffiti
E-Mail Servers
• Spam
• Relaying
Naming Services
• Unauthorized zone transfers
• DNS poisoning
• Denial-of-service attacks
• WINS
• SMB
• NFS
• NIS
Auditing Trap Doors and Root Kits
• Auditing bugs and back doors
Buffer Overflow
• Preventing denial-of-service attacks
• Auditing illicit servers, Trojans and worms
Combining Attack Strategies
• Penetration strategies
– Physical
– Operating system
– Bad password policies
– NAT
– Bad system policies
– Auditing file system weaknesses
• IP spoofing and hijacking
– Blind and non-blind spoofing
Denial of Service and the TCP/IP Stack
• SYN flood
• Smurf and Fraggle attacks
• Teardrop/Teardrop2
• Ping of death
• Land attack
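Each of the stack attacks on this slide (except the SYN flood, which is a rate question rather than a malformed packet) has a recognizable on-the-wire signature that an auditor's sniffer or IDS can check per packet: Land has source equal to destination, ping of death has a fragment whose offset plus length exceeds the 65535-byte IP maximum, Smurf and Fraggle are echo traffic aimed at a directed-broadcast address, and Teardrop is a pair of fragments whose byte ranges overlap. The following is an added example written for this page, not code from the course or from any IDS product; it builds one constructed IPv4 packet per attack (no checksums, loopback-style addresses from the documentation ranges) and runs the four signature checks over them. The broadcast address set, the packet builder and the alert names are assumptions of this example.

```python
import socket
import struct
from typing import Dict, FrozenSet, List, Tuple

IP_HDR = "!BBHHHBBH4s4s"  # 20-byte IPv4 header without options


def build_ipv4(src: str, dst: str, proto: int, payload: bytes,
               ident: int = 1, more_frags: bool = False, frag_off: int = 0) -> bytes:
    """Build a minimal IPv4 packet (checksum left zero); frag_off is in 8-byte units."""
    flags_off = (0x2000 if more_frags else 0) | (frag_off & 0x1FFF)
    hdr = struct.pack(IP_HDR, 0x45, 0, 20 + len(payload), ident, flags_off,
                      64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload


def parse_ipv4(pkt: bytes) -> dict:
    """Decode the fields the detectors need; offset is converted to bytes."""
    ver_ihl, _, total_len, ident, flags_off, _, proto, _, src, dst = struct.unpack(IP_HDR, pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst), "proto": proto,
            "id": ident, "mf": bool(flags_off & 0x2000),
            "off": (flags_off & 0x1FFF) * 8, "payload": pkt[ihl:total_len]}


def detect_stack_attacks(packets: List[bytes],
                         broadcast_addrs: FrozenSet[str] = frozenset()) -> List[Tuple[int, str]]:
    """Return (packet index, attack name) for every packet matching a known signature."""
    alerts: List[Tuple[int, str]] = []
    seen_frags: Dict[tuple, List[Tuple[int, int]]] = {}  # datagram -> [(start, end)]
    for i, raw in enumerate(packets):
        p = parse_ipv4(raw)
        pl = p["payload"]
        start, end = p["off"], p["off"] + len(pl)
        # Land: TCP segment whose source and destination IP and port are identical
        if p["src"] == p["dst"] and p["proto"] == 6 and len(pl) >= 4 and pl[:2] == pl[2:4]:
            alerts.append((i, "land"))
        # Ping of death: a fragment that would reassemble past 65535 bytes
        if end > 65535:
            alerts.append((i, "ping-of-death"))
        # Smurf: ICMP echo request (type 8) sent to a directed-broadcast address
        if p["proto"] == 1 and start == 0 and pl and pl[0] == 8 and p["dst"] in broadcast_addrs:
            alerts.append((i, "smurf"))
        # Fraggle: UDP to a broadcast address on echo (7) or chargen (19)
        if (p["proto"] == 17 and start == 0 and len(pl) >= 4 and p["dst"] in broadcast_addrs
                and struct.unpack("!H", pl[2:4])[0] in (7, 19)):
            alerts.append((i, "fraggle"))
        # Teardrop: a fragment overlapping one already seen for the same datagram
        if p["mf"] or start:
            key = (p["src"], p["dst"], p["id"], p["proto"])
            if any(start < e and s < end for s, e in seen_frags.get(key, [])):
                alerts.append((i, "teardrop"))
            seen_frags.setdefault(key, []).append((start, end))
    return alerts


# Constructed sample traffic: one packet per attack plus a benign HTTP SYN-style segment.
BROADCASTS = frozenset({"10.0.0.255"})
SAMPLE_PACKETS = [
    build_ipv4("10.0.0.5", "10.0.0.5", 6, struct.pack("!HH", 139, 139) + b"\x00" * 16),        # land
    build_ipv4("198.51.100.9", "10.0.0.9", 1, b"\x08\x00" + b"\x00" * 98, ident=7, frag_off=8184),  # ping of death
    build_ipv4("10.0.0.77", "10.0.0.255", 1, b"\x08\x00" + b"\x00" * 30),                        # smurf
    build_ipv4("10.0.0.77", "10.0.0.255", 17, struct.pack("!HHHH", 53000, 7, 32, 0) + b"\x00" * 24),  # fraggle
    build_ipv4("198.51.100.9", "10.0.0.9", 17, b"\x00" * 32, ident=9, more_frags=True),       # fragment 0-32
    build_ipv4("198.51.100.9", "10.0.0.9", 17, b"\x00" * 16, ident=9, frag_off=3),            # 24-40: teardrop
    build_ipv4("10.0.0.20", "10.0.0.9", 6, struct.pack("!HH", 51000, 80) + b"\x00" * 16),       # benign
]


def analyze_sample() -> List[Tuple[int, str]]:
    return detect_stack_attacks(SAMPLE_PACKETS, BROADCASTS)


if __name__ == "__main__":
    for index, name in analyze_sample():
        print(f"packet {index}: {name}")
```

Modern stacks drop all of these, so in practice the value of such checks is attribution (who is probing with 1990s attack tools) rather than protection; the SYN flood needs a stateful counter of half-open connections per destination, which this per-packet logic deliberately does not attempt.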
Summary
• Identify common targets
• Discuss penetration strategies and methods
• List potential physical, operating system, and TCP/IP stack attacks
• Identify and analyze specific brute-force, social engineering, and denial-of-service attacks
• Implement methods designed to thwart penetration
Lesson 4: Security Auditing and the Control Phase
Objectives
• Define control procedures
• Identify control methods
• List ways to document control procedures and methods
Control Phases
• Gain root access
• Gather information
• Open new security holes
• Erase evidence of penetration
• Spread to other systems
• Auditing UNIX file systems
• Auditing Windows 2000
UNIX Password File Locations
• The shadow password file
• Redirect information
• Create new access points
• Erase evidence of penetration
• Spread to other systems
• Port redirection
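An intruder who has reached the control phase typically leaves traces in exactly the files this slide and the previous one name: a second UID 0 account, an account with an empty password field, a hash left in the world-readable passwd file instead of the shadow file, or an old weak hash algorithm still in use. The following is an added example written for this page, not a tool from the course; it audits constructed passwd and shadow contents (no real hashes, no real system) for those conditions. The finding names, the sample accounts and the list of hash identifiers treated as strong are assumptions of this example.

```python
from typing import Dict, List, Tuple

# Constructed sample files; the hash strings are placeholders, not real digests.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
toor:x:0:0:second root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
legacy:Ab3Xk9mP2qR1s:1001:1001::/home/legacy:/bin/sh
ghost:x:1002:1002::/home/ghost:/bin/bash
"""

SAMPLE_SHADOW = """\
root:$6$saltsalt$notarealhash:19000:0:99999:7:::
toor::19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
alice:$1$saltsalt$notarealhash:19000:0:99999:7:::
legacy:!:19000:0:99999:7:::
"""

# crypt(3) identifiers accepted here; MD5 ("$1$") and traditional DES (no "$") are reported.
STRONG_HASH_PREFIXES = ("$5$", "$6$", "$7$", "$y$", "$2a$", "$2b$", "$2y$")


def _parse(text: str) -> Dict[str, List[str]]:
    """Map account name -> colon-separated fields, skipping blanks and comments."""
    entries: Dict[str, List[str]] = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            fields = line.split(":")
            entries[fields[0]] = fields
    return entries


def audit_accounts(passwd_text: str, shadow_text: str) -> List[Tuple[str, str]]:
    """Return (account, finding) pairs for suspicious password-file state."""
    passwd = _parse(passwd_text)
    shadow = _parse(shadow_text)
    findings: List[Tuple[str, str]] = []
    for name, f in passwd.items():
        if int(f[2]) == 0 and name != "root":
            findings.append((name, "uid-0-account"))        # classic backdoor account
        if f[1] not in ("x", "*", "!", ""):
            findings.append((name, "hash-in-passwd"))       # hash readable by every user
        elif f[1] == "":
            findings.append((name, "empty-password"))
        if name not in shadow:
            findings.append((name, "no-shadow-entry"))
            continue
        h = shadow[name][1]
        if h == "":
            findings.append((name, "empty-password"))       # login with no password at all
        elif h.startswith("!") or h == "*":
            continue                                        # locked; nothing to crack
        elif not h.startswith(STRONG_HASH_PREFIXES):
            algo = "MD5" if h.startswith("$1$") else ("DES" if "$" not in h else h[:3])
            findings.append((name, f"weak-hash:{algo}"))
    return findings


def audit_system(passwd_path: str = "/etc/passwd", shadow_path: str = "/etc/shadow"):
    """Run the same checks against the live files (needs root to read shadow)."""
    with open(passwd_path) as p, open(shadow_path) as s:
        return audit_accounts(p.read(), s.read())


if __name__ == "__main__":
    for account, finding in audit_accounts(SAMPLE_PASSWD, SAMPLE_SHADOW):
        print(f"{account:8s} {finding}")
```

The shadow file is the one place an attacker with root can silently grant persistence without touching a service; comparing a fresh run against a baseline copy taken at audit time is far more useful than a single pass.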
Control Methods
• System defaults
• Services, daemons, and loadable modules
• Illicit services, daemons, and loadable modules
• Keyloggers
Auditing and the Control Phase
• The auditor never truly enters the control phase
• The auditor must recognize suspicious traffic
Summary
• Define control procedures
• Identify control methods
• List ways to document control procedures and methods
Lesson 5: Intrusion Detection
Objectives
• Define intrusion detection
• Differentiate between intrusion detection and automated scanning
• Discuss network- and host-based intrusion detection
• List the elements used in an IDS
• Implement intrusion-detection software
What Is Intrusion Detection?
• Capabilities
– Network traffic management
– System scanning, jails, and the IDS
– Tracing
• Is intrusion detection necessary?
• IDS application strategies
Intrusion Detection Architecture
• Network-based IDS applications
• Host-based IDS architectures
• Host-based managers
• Host-based IDS agents
• Manager-to-agent communication
IDS Rules
• Network anomalies
• Network misuses
• Actions
• False positives and IDS configuration
IDS Actions and False Positives
• Creating rules
• Assigning actions to a rule
• Mistaking legitimate traffic for illegitimate traffic
Intrusion Detection Software
• eTrust Intrusion Detection
• Snort
• Intruder Alert
• ISS RealSecure
• Computer Misuse Detection System
• Network Flight Recorder
• CyberCop Monitor
• Cisco Secure IDS
Purchasing an IDS
• Product support
• Product training
• Update policy
• Company reputation
• IDS capacity
• Product scalability
• Network support
• Encryption
Summary
• Define intrusion detection
• Differentiate between intrusion detection and automated scanning
• Discuss network- and host-based intrusion detection
• List the elements used in an IDS
• Implement intrusion-detection software
Lesson 6: Auditing and Log Analysis
Objectives
• Establish a baseline for your users’ activities
• Conduct log analysis
• Filter events found in Windows 2000 and Linux systems
• Establish auditing for logons, system restarts, and specific resource use
Baseline Creation and Firewall and Router Logs
• A baseline is the normal, expected activity on a network
• Firewall and router logs reveal the activity patterns of users
Operating System Logs
• Logging UNIX systems
• Logging Windows 2000 systems
Filtering Logs
• Filtering logs in Windows 2000
• Filtering logs in Linux
• Operating system add-ons and third-party logging
Suspicious Activity
• Skilled intruders camouflage their actions as legitimate system activity
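Because a skilled intruder's sessions look like ordinary logons, the only way to pick them out of a log is to compare against the baseline the previous slides describe: which sources and which hours are normal for each user, and how many failures precede a success. The following is an added example written for this page, not from the course; it builds a per-user baseline from a constructed batch of Linux sshd syslog lines, then scans a second constructed batch for logons from an unseen source, logons outside the user's usual hours, and bursts of failed passwords from one address. The log lines, host name, addresses and thresholds are all constructed for this example.

```python
import re
from collections import Counter, defaultdict
from typing import Dict, List, Set, Tuple

# Matches the standard OpenSSH password-auth lines in a syslog-format auth log.
SSHD_RE = re.compile(
    r"^\w{3}\s+\d+ (?P<hour>\d\d):\d\d:\d\d \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)

# Constructed "known good" history used to build the baseline.
BASELINE_LOG = """\
Mar  1 08:12:01 gw sshd[1201]: Accepted password for alice from 10.0.0.20 port 51122 ssh2
Mar  1 09:30:15 gw sshd[1240]: Accepted password for alice from 10.0.0.20 port 51190 ssh2
Mar  1 17:02:44 gw sshd[1410]: Accepted password for alice from 10.0.0.20 port 51301 ssh2
Mar  1 08:15:44 gw sshd[1210]: Accepted password for bob from 10.0.0.21 port 51130 ssh2
Mar  1 12:47:03 gw sshd[1330]: Accepted password for bob from 10.0.0.21 port 51240 ssh2
Mar  2 09:01:10 gw sshd[2101]: Accepted password for alice from 10.0.0.20 port 52010 ssh2
"""

# Constructed day under review: normal activity, then a guessing run that succeeds.
NEW_LOG = """\
Mar  3 09:05:21 gw sshd[3101]: Accepted password for alice from 10.0.0.20 port 53010 ssh2
Mar  3 12:10:08 gw sshd[3150]: Accepted password for bob from 10.0.0.21 port 53044 ssh2
Mar  3 02:40:01 gw sshd[3290]: Failed password for root from 203.0.113.7 port 39990 ssh2
Mar  3 02:40:03 gw sshd[3291]: Failed password for root from 203.0.113.7 port 39991 ssh2
Mar  3 02:40:05 gw sshd[3292]: Failed password for invalid user admin from 203.0.113.7 port 39992 ssh2
Mar  3 02:40:07 gw sshd[3293]: Failed password for invalid user oracle from 203.0.113.7 port 39993 ssh2
Mar  3 02:40:09 gw sshd[3294]: Failed password for alice from 203.0.113.7 port 39994 ssh2
Mar  3 02:41:09 gw sshd[3301]: Accepted password for alice from 203.0.113.7 port 40001 ssh2
Mar  3 10:00:00 gw cron[3400]: (root) CMD (run-parts /etc/cron.hourly)
"""

Event = Tuple[str, str, int, bool]  # user, source, hour, accepted?


def parse_sshd(text: str) -> List[Event]:
    """Filter the log down to sshd password-auth events; other lines are ignored."""
    events: List[Event] = []
    for line in text.splitlines():
        m = SSHD_RE.match(line)
        if m:
            events.append((m["user"], m["src"], int(m["hour"]), m["result"] == "Accepted"))
    return events


def build_baseline(text: str) -> Dict[str, Tuple[Set[str], Set[int]]]:
    """Per user: the set of source addresses and hours seen in successful logons."""
    sources: Dict[str, Set[str]] = defaultdict(set)
    hours: Dict[str, Set[int]] = defaultdict(set)
    for user, src, hour, accepted in parse_sshd(text):
        if accepted:
            sources[user].add(src)
            hours[user].add(hour)
    return {u: (sources[u], hours[u]) for u in sources}


def find_anomalies(baseline: Dict[str, Tuple[Set[str], Set[int]]], text: str,
                   fail_threshold: int = 4) -> List[Tuple[str, str, str]]:
    """Flag logons outside the baseline and password-guessing bursts per source."""
    anomalies: List[Tuple[str, str, str]] = []
    failures: Counter = Counter()
    for user, src, hour, accepted in parse_sshd(text):
        if not accepted:
            failures[src] += 1
            continue
        known_src, known_hours = baseline.get(user, (set(), set()))
        if src not in known_src:
            anomalies.append((user, "new-source", src))
        if hour not in known_hours:
            anomalies.append((user, "off-hours", f"{hour:02d}"))
    for src, n in failures.items():
        if n >= fail_threshold:
            anomalies.append((src, "failed-password-burst", str(n)))
    return anomalies


if __name__ == "__main__":
    for subject, kind, detail in find_anomalies(build_baseline(BASELINE_LOG), NEW_LOG):
        print(f"{kind:22s} {subject:14s} {detail}")
```

The successful 02:41 logon is the line that matters and is invisible to a filter that only looks for "Failed"; it is the combination of an unfamiliar source, an unusual hour and the preceding burst that makes it suspicious, which is why baseline comparison rather than keyword filtering is the technique this lesson teaches.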
Additional Logs
• Intrusion detection systems
• Telephony connections
• ISDN and/or frame relay connections
• Employee access logs
Log Storage
• Sending logs to a separate machine for storage, so an intruder on the audited host cannot alter them
• Replicating logs to write-once media such as CD-R
• Scheduling hard-copy backups
Auditing and Performance Degradation
• Network traffic
• Packet sniffers
Summary
• Establish a baseline for your users’ activities
• Conduct log analysis
• Filter events found in Windows 2000 and Linux systems
• Establish auditing for logons, system restarts, and specific resource use
Lesson 7: Audit Results
Objectives
• Recommend solutions based on specific network problems
• Suggest ways to improve compliance with a security policy
• Create an assessment report
• Enable proactive detection services
Objectives (cont’d)
• Cleanse operating systems
• Install operating system add-ons
• Implement native auditing
• Use SSH as a replacement for Telnet, rlogin, and rsh
Auditing Recommendations
• Recommending specific ways to continue or implement efficient auditing
• Confronting and correcting virus, worm and Trojan infections
• Recommending changes and improvements
Four Network Auditing Categories
• Firewalls and routers
• Host and personal security
• Intrusion detection and traceback
• Policy enforcement
Creating the Assessment Report
• Sample audit report elements include:
– Overview of existing security
– Estimates of the time an attacker would need to penetrate the system
– Summary of important recommendations
– Outline of audit procedures
– Network element recommendations
– Physical security discussion
– Terms
Improving Compliance
• Steps for continued auditing and strengthening
Security Auditing and Security Standards
• ISO 7498-2
• British Standard 7799
• Common Criteria
• Evaluation Assurance Levels
Improving Router Security
• Ingress and egress filtering
• Disable directed broadcasts (so the router cannot be used as a Smurf amplifier)
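Ingress and egress filtering and disabling directed broadcasts are three decisions a border router makes on every packet: on the outside interface, drop anything claiming one of our own addresses or a bogon as its source and anything aimed at one of our subnet broadcast addresses; on the inside interface, drop anything whose source is not one of our prefixes so our hosts cannot spoof others (RFC 2827). The following is an added example written for this page, not router configuration from the course; it expresses those rules as a small policy model so the logic can be checked against constructed addresses before being translated into a vendor ACL. The class name, the bogon list and the choice of 203.0.113.0/24 as "our" prefix are assumptions of this example.

```python
import ipaddress
from typing import Iterable, List, Tuple

# Address space that should never appear as a source on an Internet-facing interface.
BOGONS: List[ipaddress.IPv4Network] = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]

LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")


class BorderFilter:
    """Ingress/egress policy for a site that owns `internal_nets` (constructed model)."""

    def __init__(self, internal_nets: Iterable[str]) -> None:
        self.internal = [ipaddress.ip_network(n) for n in internal_nets]
        # Directed-broadcast targets an attacker would use for Smurf/Fraggle amplification.
        self.directed_broadcasts = {n.broadcast_address for n in self.internal}

    def _is_internal(self, ip: ipaddress.IPv4Address) -> bool:
        return any(ip in n for n in self.internal)

    def decide(self, direction: str, src: str, dst: str) -> Tuple[str, str]:
        """Return ('permit'|'drop', reason) for a packet seen on the border.

        direction is 'in' (arriving from the Internet) or 'out' (leaving the site).
        """
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if direction == "in":
            if self._is_internal(s):
                return "drop", "ingress: our own address as source on the outside interface (spoofed)"
            if any(s in n for n in BOGONS):
                return "drop", "ingress: bogon source"
            if d in self.directed_broadcasts or d == LIMITED_BROADCAST:
                return "drop", "ingress: directed broadcast (smurf amplifier)"
            if not self._is_internal(d):
                return "drop", "ingress: destination is not ours (no transit)"
            return "permit", "ingress"
        if direction == "out":
            if not self._is_internal(s):
                return "drop", "egress: source is not one of our prefixes (RFC 2827)"
            return "permit", "egress"
        raise ValueError(f"unknown direction {direction!r}")


def demo() -> List[Tuple[str, str, str, str]]:
    """Run a constructed set of packets through the policy; returns (dir, src, dst, verdict)."""
    policy = BorderFilter(["203.0.113.0/24"])
    samples = [
        ("in", "198.51.100.9", "203.0.113.10"),   # ordinary inbound traffic
        ("in", "203.0.113.5", "203.0.113.10"),    # spoofed: claims to be us
        ("in", "10.1.2.3", "203.0.113.10"),       # bogon source
        ("in", "198.51.100.9", "203.0.113.255"),  # directed broadcast
        ("out", "203.0.113.10", "198.51.100.9"),  # ordinary outbound traffic
        ("out", "192.0.2.1", "198.51.100.9"),     # our host spoofing someone else
    ]
    return [(d, s, t, policy.decide(d, s, t)[0]) for d, s, t in samples]


if __name__ == "__main__":
    for direction, src, dst, verdict in demo():
        print(f"{direction:3s} {src:>14s} -> {dst:<14s} {verdict}")
```

On a Cisco IOS router of the era these rules correspond to inbound and outbound access lists on the outside interface plus `no ip directed-broadcast` on every interface; the model is useful for reviewing such ACLs for gaps, since a missing bogon or a forgotten subnet broadcast is hard to see in raw ACL syntax.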
Enabling Proactive Detection
• Scan detection, honey pots and jails
– Detecting a NIC in promiscuous mode
Host Auditing Solutions
• Cleaning up infections
• Personal firewall software
• IPsec and personal encryption
• Native auditing services
• Fixing system bugs
• IPv6
Replacing and Updating Services
• Study the new product
• Determine the time needed to implement changes
• Test all updates
• Consider effect of updates on other services
• Determine whether end-user training is needed
Secure Shell (SSH)
• Security services provided by SSH
• Encryption and authentication in SSH
• SSH2 components
• Preparing SSH components
SSH and DNS
• Compatibility with SSH1
• SSH and authentication: Establishing user-to-user trust relationships
Summary
• Recommend solutions based on specific network problems
• Suggest ways to improve compliance with a security policy
• Create an assessment report
• Enable proactive detection services
Summary (cont’d)
• Cleanse operating systems
• Install operating system add-ons
• Implement native auditing
• Use SSH as a replacement for Telnet, rlogin, and rsh
Security Auditing, Attacks, and Threat Analysis
• Security Auditing
• Discovery Methods
• Auditing Server Penetration and Attack Techniques
• Security Auditing and the Control Phase
• Intrusion Detection
• Auditing and Log Analysis
• Audit Results