Hacking 101
How hackers do it
Ron Woerner
Security Administrator
CSG Systems, Inc.
What do you think when you hear:
• Hacker or cracker
• Melissa, LoveBug (ILOVEYOU)
• Denial of Service (DoS) attacks
• Packet sniffing
• Password cracking
• Information warfare or Cybercrime
• Social engineering
7/20/2015
©2000, CSG Systems, Inc.
All rights reserved
Home Security Analogy
• Systems Security is like securing your house
  • Policies are the written understanding
  • Access control and passwords are the keys
  • Window and door locks keep out intruders
  • A security camera watches open doors
• The intent is to make the environment less inviting to those looking for easy pickings
The “Crown Jewels”
Question:
What are your “Crown Jewels”?
• What attracts hackers to your company?
• Why would a hacker take interest in your company?
• What are your company's biggest vulnerabilities?
Security Risks
You need to be concerned about:
• Disclosure of confidential information - The disclosure of personal and private information about individuals can lead to civil or criminal liability for your company.
• Data loss - Data can be electronically destroyed or altered either accidentally or maliciously.
• Damage to reputation - Customers, potential customers, investors, and potential investors are all influenced by a security incident.
• Downtime - A security incident can shut an organization down.
CSG Systems, Inc. Confidential & Proprietary
Anatomy of a Hack
• Perimeter / Vulnerability Assessment
  • Footprinting
  • Scanning
  • Enumeration
• Exploitation
  • Gaining Access
  • Escalating privileges
  • Pilfering
  • Covering Tracks
  • Creating backdoors
Assessment
• Footprinting - Information gathering
  • Open source search on the site
  • Network Solutions (www.networksolutions.com/cgibin/whois/whois)
  • ARIN whois (www.arin.net/whois)
    This gives network and contact information
  • DNS lookup (nslookup, Sam Spade)
    The Domain Name Server gives further network and system information
Assessment
• Scanning - System type
  • IP Address determination - ping sweep
    Determines which systems I can access
  • Port Scan (TCP/UDP)
    Shows what is “open” on those systems
• Enumeration - Getting details
  • System/application vulnerabilities
    What’s running on a particular system
  • System users
    Who is on that system
Exploitation
• Gaining access
  • Password eavesdropping
  • Buffer overflows
  • Application vulnerabilities
• Escalating privilege (gaining root/admin)
  • Password cracking
  • Network sniffing
  • Application vulnerabilities
Exploitation
• Pilfering - getting the “crown jewels”
  • Finding whatever is valuable such as
    • Credit information
    • Personal information
    • Additional system information
• Covering Tracks
  • Loading a “root kit”
  • Clear log files
  • Hide tools
  • Secure the system
• Creating back doors - so they can get in again
Denial of Service (DoS)
Rendering a service offered by a workstation or server unavailable to others - Disabling the target.
• Reasons:
  • To get a system reboot
  • Hacker covering his/her tracks
  • Malicious intent
• How it’s done:
  • Ping of death - ICMP techniques
  • SYN (network) vulnerabilities
Social Engineering
An attack based on deceiving users or administrators at the target site to gain information or access.
• The “old con job”
• Typically done by telephoning users or operators. The “hackers” pretend to be an authorized user and attempt to gain information about the systems and/or gain illicit access to systems.
• Requires little technical skill.
• Relies on people’s “natural” trusting nature.
What you can do
ALL systems/applications are insecure! Security is up to the administrators and users.
• Think Security
• Secure passwords
• Physical security
• Report incidents/anomalies
• Work with system/application administrators