Security intelligence
IT Security Auditing
Mr. Watcharaphon Wongaphai
Senior Information Security Instructor
GIAC GCFA, SSCP, ECSA, CEH, CNE6, Security+, CCNA, Network+

Class Introduction
Introduce Instructor: Watcharaphon Wongaphai
GIAC GCFA, SSCP, ECSA, CEH, CNE6, Security+, CCNA, Network+
Contact Point: [email protected], [email protected] (MSN)
Session & Break
- Session 1: 09:00 – 10:30
- Coffee Break: 10:30 – 10:45
- Session 2: 10:45 – 12:00
- Lunch: 12:00 – 13:00
- Session 3: 13:00 – 14:30
- Coffee Break: 14:30 – 14:45
- Session 4: 14:45 – 16:00
- Summary of the Day: 16:00
www.cdicconference.com

Watcharaphon Wongaphai (lKurpaik0)
GIAC GCFA, SSCP, ECSA, CEH, CNE6, Security+, CCNA, Network+
Instructor / Speaker, Researcher
My Folio
- ACIS Article
  – SSLStrip
  – How to steal cookie
  – How to recover Social Network and Vulnerability
- Public VDO
  – (Kurapiko)
  – (lKurapiko)

Public VDO on Vimeo.com

Introduction: Penetration Testing

Objective
- Importance of information security in today's world
- Elements of security
- Penetration Testing Framework
- Hacking methodology
- Hacktivism
- Vulnerability research and tools

Essential Terminologies
- Threat
  – An action or event that might compromise security. A threat is a potential violation of security.
- Vulnerability
  – Existence of a weakness, design, or implementation error that can lead to an unexpected and undesirable event compromising the security of the system.
- Target or Victim
  – An IT system, product, or component that is subjected to a required security evaluation.

Essential Terminologies (Cont’d)
- Attack
  – An assault on the system security that is derived from an intelligent threat.
- Exploit
  – A defined way to breach the security of an IT system through a vulnerability.

Elements of Security
- Confidentiality
- Authenticity
- Integrity
- Availability

Balance the Security

EC-Council Hacking Methodology
- Footprinting
- Scanning
- Enumeration
- Gaining Access
- Maintaining Access
- Covering Tracks

Types of Hacker Attacks
- There are several ways an attacker can gain access to a system
- The attacker must be able to exploit a weakness or vulnerability in a system
  – Attack Types:
    Operating System attacks
    Application-Level attacks
    Shrink Wrap code attacks
    Misconfiguration attacks

1. Operating System Attacks

1. Operating System Attacks (Cont’d)
- Today's operating systems are complex in nature
- Operating systems run many services, ports, and modes of access and require extensive tweaking to lock them down
- The default installation of most operating systems has large numbers of services running and ports open
- Applying patches and hotfixes is not easy in today's complex network
- Attackers look for OS vulnerabilities and exploit them to gain access to a network system

2. Application Level Attacks
- Software developers are under tight schedules to deliver products on time
- Extreme Programming is on the rise in software engineering methodology
- Software applications come with tons of functionalities and features
- Sufficient time is not there to perform complete testing before releasing products
- Poor or non-existent error checking in applications, which leads to “Buffer Overflow Attacks”

3. Shrink Wrap Code Attacks
- Why reinvent the wheel when you can buy off-the-shelf “libraries” and code?
- When you install an OS/application, it comes with tons of sample scripts to make the life of an administrator easy
- The problem is “not fine tuning” or customizing these scripts

3. Shrink Wrap Code Attacks (Cont’d)

4. Misconfiguration Attacks
- Systems that should be fairly secure are hacked because they were not configured correctly
- Systems are complex and the administrator does not have the necessary skills or resources to fix the problem
- The administrator will create a simple configuration that works
- In order to maximize your chances of configuring a machine correctly, remove any unneeded service and software

Remember This Rule!
- If a hacker really wants to get inside your system, he will, and there is nothing you can do about it
- The only thing you can do is make it harder for him

Hacker Classes
- Black Hats
- White Hats
- Gray Hats
- Suicide Hackers

Can Hacking be Ethical?
- Hacker: Refers to a person who enjoys learning the details of computer systems and stretching his capabilities
- Cracker: Refers to a person who uses his hacking skills for offensive purposes
- Hacking: Describes the rapid development of new programs or the reverse engineering of already existing software to make the code better and more efficient
- Ethical hacker: Refers to security professionals who apply their hacking skills for defensive purposes

What is Vulnerability Research?
- Discovering vulnerabilities and design weaknesses that will open an operating system and its applications to attack or misuse
- Includes both dynamic study of products and technologies and ongoing assessment of the hacking underground
- Relevant innovations are released in the form of alerts and are delivered within product improvements for security systems
- Can be classified based on
  – Severity level (Low, Medium, or High)
  – Exploit range (Local or Remote)

Why Hackers Need Vulnerability Research
- To identify and correct network vulnerabilities
- To protect the network from being attacked by intruders
- To get information that helps to prevent security problems
- To gather information about viruses
- To find weaknesses in the network and to alert the network administrator before a network attack
- To know how to recover from a network attack

Vulnerability Research Websites

National Vulnerability Database

Exploit-db.com

How to Conduct Ethical Hacking
- Step 1: Talk to your client about the needs of testing
- Step 2: Prepare the NDA documents and ask the client to sign them
- Step 3: Prepare an ethical hacking team and draw up a schedule for testing
- Step 4: Conduct the test
- Step 5: Analyze the results and prepare a report
- Step 6: Deliver the report to the client

Ethical Hacking Testing
- Approaches to testing are shown below:
  – Black box: with no prior knowledge of the infrastructure to be tested
  – White box: with a complete knowledge of the network infrastructure
  – Gray box: also known as internal testing. It examines the extent of the access by insiders

Hacking Methodology
- EC-Council Hacking Methodology
- Foundstone Hacking Methodology
- Hacking Exposed Methodology

EC-Council Hacking Methodology
- Footprinting
- Scanning
- Enumeration
- Gaining Access
- Maintaining Access
- Covering Tracks

Security Testing Framework
- Open Source Security Testing Methodology Manual (OSSTMM)
- SP 800-115 NIST Publication
- The Information System Security Assessment Framework (ISSAF)

NIST SP 800-115: Technical Guide to Information Security Testing (Draft)
Release date: Nov 14, 2007
Replaces: SP 800-42
The publication provides practical recommendations for designing, implementing, and maintaining technical information security testing processes and procedures. SP 800-115 provides an overview of key elements of security testing, with an emphasis on technical testing techniques, the benefits and limitations of each technique, and recommendations for their use.

Information Security Testing Overview
Information security testing is the process of validating the effective implementation of security controls for information systems and networks, based on the organization's security requirements.
Technical information security testing can identify, validate, and assess technical vulnerabilities, which helps organizations to understand and improve the security posture of their systems and networks.
Security testing is required by FISMA and other regulations.

Information Security Testing Methodology
The testing methodology should contain at least the following phases:
- Planning
- Execution
- Post-Execution
NIST does not endorse one methodology over another; the intent is to provide options to organizations so they can make an informed decision to adopt an existing methodology or take several others to develop a unique methodology that best suits the organization.
One of these methodologies was created by NIST and is documented in Special Publication (SP) 800-53A, Guide for Assessing the Security Controls in Federal Information Systems (Draft), which offers suggestions for assessing the effectiveness of security controls recommended in NIST SP 800-53.

Information Security Testing Techniques
Review Techniques
- Documentation review
- Log review
- Ruleset review
- System configuration review
- Network sniffing
- File integrity checking
Target Identification and Analysis Techniques
- Network discovery
- Network port and service identification
- Vulnerability scanning
- Wireless scanning
- Application security testing
Target Vulnerability Validation Techniques
- Password cracking
- Remote access testing
- Penetration testing
- Social engineering
- Physical security testing

Review Techniques: Documentation Review
Documents to review for technical accuracy and completeness include:
- Security policies
- Architectures
- System security plans and authorization agreements
- Memoranda of understanding and agreements for system interconnections
- Incident response plans

Review Techniques: Log Review
The following are examples of log information that may be useful when conducting security testing:
– Authentication server or system logs may include successful and failed authentication attempts.
– System logs may include system and service startup and shutdown information, installation of unauthorized software, file accesses, security policy changes, account changes (e.g., account creation and deletion, account privilege assignment), and use of privileges.
– Intrusion detection and prevention system logs may include malicious activity and inappropriate use.

Review Techniques: Log Review (2)
– Firewall and router logs may include outbound connections that indicate compromised internal devices (e.g., rootkits, bots, Trojan horses, spyware).
– Firewall logs may include unauthorized connection attempts and inappropriate use.
– Application logs may include unauthorized connection attempts, account changes, use of privileges, and application or database usage information.
– Antivirus logs may include update failures and other indications of outdated signatures and software.
– Security logs, in particular patch management and some IDS and intrusion prevention system (IPS) products, may record information on known vulnerable services and applications.

Review Techniques: Log Review (2)
NIST SP 800-92, Guide to Security Log Management, provides more information on security log management methods and techniques, including log review.
It is available at 2/SP800-92.pdf
CDIC2007 LAB: How to centralize and audit logs / How to write an IT Audit Report and present Audit Results
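As an added illustration of the log review technique (this is example code, not from the slides or from NIST), the script below runs a small automated review over constructed syslog-style authentication and account lines and reports the event types the slides call out as useful: repeated failed logins from one source, account creation, and privilege assignment. The log lines, regular expressions and the failure threshold are all constructed for this example.

```python
"""Added example: a minimal log-review pass over constructed auth/system
log lines. Flags failed-login bursts, new accounts and privilege grants."""
import re
from collections import Counter, defaultdict

# Constructed sample lines in a syslog-like format (not from a real system).
SAMPLE_LOG = """\
Mar 10 09:01:02 srv1 sshd[811]: Failed password for root from 203.0.113.7 port 50122 ssh2
Mar 10 09:01:04 srv1 sshd[811]: Failed password for root from 203.0.113.7 port 50123 ssh2
Mar 10 09:01:06 srv1 sshd[811]: Failed password for admin from 203.0.113.7 port 50124 ssh2
Mar 10 09:01:09 srv1 sshd[811]: Failed password for admin from 203.0.113.7 port 50125 ssh2
Mar 10 09:01:12 srv1 sshd[811]: Failed password for oracle from 203.0.113.7 port 50126 ssh2
Mar 10 09:05:30 srv1 sshd[900]: Accepted password for alice from 192.0.2.10 port 40001 ssh2
Mar 10 09:07:00 srv1 useradd[950]: new user: name=svc_backup, UID=1005, GID=1005, home=/home/svc_backup
Mar 10 09:07:15 srv1 usermod[960]: add 'svc_backup' to group 'sudo'
Mar 10 09:08:00 srv1 sshd[970]: Failed password for bob from 192.0.2.11 port 40002 ssh2
"""

# Patterns are written for the constructed lines above; real systems vary.
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+)")
NEWUSER_RE = re.compile(r"useradd\[\d+\]: new user: name=([^,]+)")
PRIV_RE = re.compile(r"usermod\[\d+\]: add '([^']+)' to group '(sudo|wheel|admin)'")


def review_log(text, fail_threshold=3):
    """Return findings keyed by type: brute_force, new_account, priv_assignment."""
    fails_by_src = Counter()
    users_by_src = defaultdict(set)
    findings = {"brute_force": [], "new_account": [], "priv_assignment": []}
    for line in text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            user, src = m.groups()
            fails_by_src[src] += 1
            users_by_src[src].add(user)
            continue
        m = NEWUSER_RE.search(line)
        if m:
            findings["new_account"].append(m.group(1))
            continue
        m = PRIV_RE.search(line)
        if m:
            findings["priv_assignment"].append((m.group(1), m.group(2)))
    # A source exceeding the threshold is reported with the accounts it tried.
    for src, count in fails_by_src.items():
        if count >= fail_threshold:
            findings["brute_force"].append((src, count, sorted(users_by_src[src])))
    return findings


if __name__ == "__main__":
    for kind, items in review_log(SAMPLE_LOG).items():
        print(f"{kind}: {items}")
```

A reviewer would pair each finding with the corresponding change-management or ticket record, since a new account or a sudo grant is only a problem when no authorization exists for it.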

Review Techniques: Ruleset Review
Router access control lists
- Each rule is still required (for example, rules that were added for temporary purposes are removed as soon as they are no longer needed).
- Only traffic that is authorized per policy is permitted and all other traffic is denied by default.
Firewall rulesets
- Each rule is still required.
- The rules enforce least privilege access, such as specifying only required IP addresses and ports.
- More specific rules are triggered before general rules.
- There are no unnecessary open ports that could be closed to tighten the perimeter security.
- The ruleset does not allow traffic to bypass other security defenses.
- For host-based firewall rulesets, the rules do not indicate the presence of backdoors, spyware activity, or prohibited applications such as peer-to-peer file sharing programs.
IDS/IPS rulesets
- Unnecessary signatures have been disabled or removed to eliminate false positives and improve performance.
- Necessary signatures are enabled and have been fine tuned and properly maintained.
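To show how several of the firewall checks above can be automated, here is an added example (not code from the slides or from NIST) that reviews a constructed, ACL-style IPv4 ruleset for expired temporary rules, a missing default deny, any-to-any permits, and rules shadowed by a more general earlier rule. The rule format, the sample rules and the review date are all assumptions made for this example.

```python
"""Added example: automated checks for a constructed firewall ruleset."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional
import ipaddress


@dataclass
class Rule:
    name: str
    action: str            # "permit" or "deny"
    src: str               # CIDR or "any"
    dst: str               # CIDR or "any"
    dport: str             # destination port or "any"
    expires: Optional[date] = None   # set only for temporary rules


def _net(cidr: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network("0.0.0.0/0" if cidr == "any" else cidr, strict=False)


def covers(general: Rule, specific: Rule) -> bool:
    """True if every packet matched by `specific` is also matched by `general`."""
    return (_net(specific.src).subnet_of(_net(general.src))
            and _net(specific.dst).subnet_of(_net(general.dst))
            and general.dport in ("any", specific.dport))


def review_ruleset(rules: List[Rule], today: date) -> List[str]:
    """Evaluate rules top-down (first match wins) and return review findings."""
    findings = []
    last = rules[-1]
    if not (last.action == "deny" and (last.src, last.dst, last.dport) == ("any", "any", "any")):
        findings.append("no default-deny rule at the end of the ruleset")
    for i, r in enumerate(rules):
        if r.expires and r.expires < today:   # "each rule is still required"
            findings.append(f"{r.name}: temporary rule expired on {r.expires}, should be removed")
        if r.action == "permit" and (r.src, r.dst, r.dport) == ("any", "any", "any"):
            findings.append(f"{r.name}: permits any->any on all ports (violates least privilege)")
        for earlier in rules[:i]:              # "specific rules before general rules"
            if covers(earlier, r):
                findings.append(f"{r.name}: shadowed by earlier rule {earlier.name} and never triggers")
                break
    return findings


# Constructed sample ruleset (not a real device configuration).
SAMPLE_RULES = [
    Rule("allow-web", "permit", "any", "203.0.113.0/24", "443"),
    Rule("vendor-temp", "permit", "198.51.100.5/32", "203.0.113.10/32", "22", expires=date(2007, 10, 1)),
    Rule("allow-dmz-all", "permit", "any", "203.0.113.0/24", "any"),
    Rule("allow-dns", "permit", "any", "203.0.113.53/32", "53"),
    Rule("default-deny", "deny", "any", "any", "any"),
]

if __name__ == "__main__":
    for finding in review_ruleset(SAMPLE_RULES, date(2007, 11, 14)):
        print(finding)
```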

Review Techniques: System Configuration Review
System configuration review is the process of identifying weaknesses in security configuration controls, such as
– Systems not being hardened properly
– Not being configured according to security policies.
For example, system configuration review will reveal
- Unnecessary services and applications
- Improper user account and password settings
- Improper logging and backup settings

Review Techniques: System Configuration Review (2)
Testers using manual review techniques use security configuration guides or checklists to verify that system settings are configured to minimize security risks.
NIST maintains a repository of security configuration checklists for IT products at

NIST SP 800-70: Security Configuration Checklists Program for IT Products
The names of the organizations and authors that produce the checklists:
– Center for Internet Security (CIS)
– Citadel Security Software
– Defense Information Systems Agency (DISA)
– National Security Agency (NSA)
– NIST, Computer Security Division
– ThreatGuard
– HP, Kyocera Mita America Inc., LJK Software, Microsoft Corporation

Example: Cisco Router and Switch
- National Security Agency (NSA)
  – Router Security Configuration Guide: cisco.cfm
- Center for Internet Security (CIS)
  – Gold Standard Benchmark for Cisco IOS, Level 1 and 2 Benchmarks Documents
  – Tool: RAT (Router Auditing Tool) Version 2.2, updated Nov 20, 2007
- Defense Information Security Agency (DISA)
  – Network Checklist Version 7, Release 1.1, updated Nov 2007
  – Defense Switched Network Checklist Version 2, Release 3.2, updated Nov 24, 2006

Hacking Methodology
Copyright, ACIS Professional Center Company Limited, All rights reserved

Footprinting

Module Objective
This module will familiarize you with:
– Overview of the Reconnaissance Phase
– Footprinting: An Introduction
– Information Gathering Methodology of Hackers
– Competitive Intelligence gathering
– Tools that aid in Footprinting

Revisiting Reconnaissance
- Reconnaissance refers to the preparatory phase where an attacker seeks to gather as much information as possible about a target of evaluation prior to launching an attack
- It involves network scanning, either external or internal, without authorization

Defining Footprinting
- Footprinting is the blueprint of the security profile of an organization, undertaken in a methodological manner
- Footprinting is one of the three pre-attack phases
- An attacker spends 90% of the time in profiling an organization and another 10% in launching the attack
- Footprinting results in a unique organization profile with respect to networks (Internet/intranet/extranet/wireless) and systems involved

Areas and Information which Attackers Seek

Information Gathering

Information Gathering Methodology
- Unearth initial information
- Locate the network range
- Ascertain active machines
- Discover open ports/access points
- Detect operating systems
- Uncover services on ports
- Map the network

Unearthing Initial Information
- Hacking tool: Sam Spade
- Commonly includes:
  – Domain name lookup
  – Locations
  – Contacts (telephone / mail)
- Information Sources:
  – Open source
  – Whois
  – Nslookup

Extracting the Archive of a Website
- You can get all information of a company's website since the time it was launched at www.archive.org
- For example:
  – You can see updates made to the website
  – You can look for the employee database, past products, press releases, contact information, and more



ISAT - Information Security Awareness Training 2012
Your Privacy Exposed (Cont.)


Increasing use of Web 2.0 malware

Footprinting Through Job Sites
- You can gather a company's infrastructure details from job postings
- Look for infrastructure postings such as “looking for system administrator to manage Solaris 10 network”
- This means that the company has Solaris networks on site
  – E.g.,

Whois

DNS Information Extraction

Types of DNS Records

Tool: Necrosoft Advanced DIG

Scanning

Objective
- Definition of scanning
- Types and objectives of scanning
- Understanding scanning methodology
- Checking live systems and open ports
- Understanding scanning techniques
- Different tools present to perform scanning
- Understanding banner grabbing and OS fingerprinting
- Drawing network diagrams of vulnerable hosts
- Preparing proxies
- Understanding anonymizers
- Scanning countermeasures

Scanning – Definition
- Scanning is one of the three components of intelligence gathering for an attacker
  – The attacker finds information about:
    Specific IP address
    Operating system
    System architecture
    Services running on each computer

Types of Scanning
- Port Scanning
  – A series of messages sent by someone attempting to break into a computer to learn about the computer's network services
  – Each is associated with a “well-known” port number
- Network Scanning
  – A procedure for identifying active hosts on a network
  – Either for the purpose of attacking them or for network security assessment
- Vulnerability Scanning
  – The automated process of proactively identifying vulnerabilities of computing systems present in a network

Objectives of Scanning
- To detect live systems running on the network
- To discover which ports are active/running
- To discover the operating system running on the target system (fingerprint)
- To discover the services running/listening on the target system
- To discover the IP address of the target system

The TCP Handshake

Port Scan
Scan categories: open, half open, stealth, sweeps, misc.
Scan types: TCP connect, TCP SYN, TCP FIN, ICMP echo, UDP/ICMP error, reverse ident, dump syn, ACK scan, TCP sweeps, XMAS scan, NULL scan, FTP bounce

Nmap

BANNER GRABBING

OS Fingerprinting
- OS fingerprinting is the method to determine the operating system that is running on the target system
  – Active stack fingerprinting
  – Passive fingerprinting

Active Stack Fingerprinting
- Based on the fact that OS vendors implement the TCP stack differently
- Specially crafted packets are sent to the remote OS and the response is noted
- The responses are then compared with a database to determine the OS
- The firewall logs your active banner grabbing scan since you are probing directly

Passive Fingerprinting
- Passive banner grabbing refers to indirectly scanning a system to reveal
- It is also based on the differential implementation of the stack and the various ways an OS responds to it
- It uses sniffing techniques instead of scanning techniques
- It is less accurate than active fingerprinting

Active Banner Grabbing Using Telnet

P0f

Disable or change banner

PREPARING PROXY

Proxy Servers
- A proxy is a network computer that can serve as an intermediary for connections with other computers
- They are usually used for the following purposes:
  – As a firewall, a proxy protects the local network from outside access
  – As an IP address multiplexer, a proxy allows the connection of a number of computers to the Internet when having only one IP

Use of Proxies for attack

Free Proxy server

TOR Proxy

Anonymous Proxy Browser
