Checking the Security Posture of Third Party Machines

1
Checking the Security Posture of Third Party
Machines

• Patrick McCrann, CISSP
• Lead IT Security Analyst
• AmTrust Bank

2
Agenda

• Introduction
• Who are Third Parties?
• Security Posture Explained
• Automated Ways to Control Network Access
• Automated Ways to Confirm Security Postures of
  Hosts Connecting to Your Network
• Manual Ways to Check the Security Posture of
  Third Party Machines (Presentation Focus)
• Tools You Can Use to Verify Security Posture
• Demonstration Of Tools

3
Introduction

• It may be necessary to allow third-party machines
  to attach non-corporate controlled workstations
  to your companys network. This presentation
  will discuss
• Automated ways to control access and confirm the
  security posture of the machine.
• Manual ways that can be performed by your IT
  Security staff that can confirm that the machine
  is a low risk to your network.
• Focus will be on Manual Security Posture
  Assessments

4
Best Practice

• Allowing/Controlling Network Connectivity
• In a Perfect world Never allow non-corporate
  controlled devices to connect to your network.
• Control access to your network so that
  non-corporate controlled devices CANNOT connect
  to your network
• If Internet access is required physically or
  logically segment the machine using a GuestNet

5
Third Parties?

• Third Parties are any persons who connects to
  your network using non-corporate owned computers
  such as
• Vendors
• Audit Firms
• Governmental Agencies
• Consultants
• Training Companies
• Hackers and Malicious Entities
• Yes, Your own Employees

6
Third Party Acceptable Use

• All Third Parties that are attaching to your
  network should be required to read and sign a
  Corporate Acceptable Use Policy just as your own
  employees do.
• The objectives are threefold
• To protect Company's networks and equipment.
• Security Awareness.
• To protect Company, employees and anyone else who
  attaches to the corporate network from activities
  that might expose them or Company to legal action.

7
Security Posture - Definition

• Determining the overall security risk a computer
  attached to your network would pose by
  determining
• It's current patch level
• Virus protection and virus signature version/date
• Malware/Spyware existence and protection
• RootKit Detection
• Host based firewall implementation
• And other local security settings/attributes.

8
Automated Ways to Control Network Access

• 802.1x
• GuestNets
• De-activate Unused Network Ports
• SSL-VPN instead of Network VPN

9
Automated Ways to Control Network Access

• 802.1x
• Provides a means of authenticating and
  authorizing devices attached to a LAN port, and
  of preventing access to that port in cases in
  which the authentication and authorization
  process fails. Usually if authentication is
  successful the host is assigned an IP Address.

10
Automated Ways to Control Network Access

• GuestNets
• GuestNets typically allow approved visitors to
  limited network access and must provide a few
  pieces of information so that their computer can
  be granted access.
• Network access is usually limited to the Internet
• Also, GuestNet accounts do not allow visitors to
  login to corporate computers.

11
Automated Ways to Control Network Access

• De-activate Unused Network Ports
• At the switch level de-activate any unused ports.
• Pros
• Allows control of ports by Network Administrators
• Keeps third parties from connecting to network
  without knowing
• Cons
• High Administrative Costs
• Does not keep users from un-plugging from active
  ports and then plugging in an unauthorized device

12
Automated Ways to Control Network Access

• SSL-VPN instead of Network VPN
• Access via Application layer instead of the
  Network layer
• Does not put the users machine on the corporate
  network.
• SSL VPNs deliver user-level authentication,
  ensuring that the right people have access only
  to the right resources instead of the entire
  network
• SSL-VPN is in many cases clientless
• Provides access mostly to Web applications, while
  in many cases failing to address the needs of
  companies whose users require access to
  client/server applications

13
Automated Ways to Control Network Access

• Other technologies used to control access to the
  network
• Citrix via ICA Protocol
• Remote Desktop via Remote Desktop Protocol
• VNC
• Other Remote Control Utilities including WebEx,
  GoToMyPC, Live Meeting, MeetMeNow and so on.

14
Validating Security Postures of Hosts Connecting
to Your Network

• NAC (Network Admission Control - Cisco)
• Uses 802.1x at the port level and Cisco Trust
  Agent to control access
• NAP (Network Access Protection Microsoft
• Uses DHCP Server and Quarantine Agent to control
  Access

• Both require that client software be installed on
  each and every computer

15
Automated Ways to Confirm Security Postures of
Hosts Connecting to Your Network

• NAC/NAP
• Restricts the availability of network resources
  to endpoint devices that comply with a defined
  security policy.
• Blocks or quarantines non-compliant devices
• Host Integrity tests against pre-defined
  templates such as patch level, service packs,
  antivirus, and personal firewall status, as well
  as custom created checks tailored for the
  enterprise environment
• Also can provide a location where remediation can
  take place

16
Manual Ways to Check the Security Posture of
Third Party Machines (Presentation Focus)

• The remaining portions of this Presentation will
  outline some manual procedures that could be used
  by IT Security Professionals prior to allowing a
  vendor or third party to connect their laptop or
  desktop machine to a corporate network

17
Manual Assessment of a Machines Security Posture

• Things to Review
• Dual Boot or Multi Boot Machine?
• Can the machine boot from CDROM or USB Device?
• Anti-Virus/Anti-Spyware
• On-line Scanners can help
• Basic Registry settings
• Suspicious applications installed
• Running processes
• Network Connections
• Is VMWare or another Virtual Machine Software
  installed on the computer?
• Root-Kit Check

18
Inspect the Boot Loader

• A boot loader, also called a boot manager, is a
  small program that places the operating system
  (OS) of a computer into memory
• Upon booting the machine check to see if there
  are multiple operating system options within the
  boot loader program.
• Common Boot Loaders are
• Lilo
• GRUB
• BootMagic
• System Commander
• Windows NTLDR and Bootmgr via Boot.ini
• Apples BootCamp (Windows and MAC on same
  Machine)

19
CD-ROM or USB Bootable?

• Does the BIOS allow the machine to boot from
  CD-ROM or USB? (Also called Live CDs)
• Most Popular Security Live CDs
• Auditor Security checking
• Knoppix STD Tons of security tools
• Helix Incident response and forensics
• BackTrack Security Tools
• Whoppix Penetration testing
• Fire - Forensic analysis, incident response, data
  recovery, virus scanning and vulnerability
  assessment
• Damn Small Linux Small form-factor Linux Distro
• Basically any OS can be ported to boot from CD or
  USB
• http//www.frozentech.com/content/livecd.php
• http//www.l0t3k.org/linux/links/livecd/

20
Verify Virus Scanner and Signature

• Perform this check by looking in the System Tray
  of the PC (by the clock). Most Anti-Virus
  Programs will have a system tray Icon, for
  example, a yellow shield for Symantec Norton
  Anti-Virus and a Red-White and Blue Shield with
  the Letter V in the middle if the PC is using
  McAfees Anti-Virus Program.
• Double click on the system tray icon and make
  sure the Virus Definition version at the most a
  month old.
• Make sure the software is set for Active Scans
  (scan files as they are written to disk) and the
  services are running.

21
Most Popular Virus Scaners

• BitDefender
• Kaspersky
• ESET Nod32
• TrendMicro PC-cillin
• F-Secure Anti-Virus
• McAfee VirusScan
• Norton AntiVirus
• Grisoft AVG Anti-Virus Pro
• CA Antivirus
• Norman Virus Control
• AVAST!
• Panda Titanium
• F-Prot
• PC Tools AntiVirus

22
Anti-Virus Live CDs

• If you can't remove the virus from within
  Windows, you may be able to use a Linux based
  LiveCD with antivirus software
• Two popular Anti-Virus Distros
• LinuxDefender Live!
• Local Area Security Linux
• Ultimate Boot Disk for Windows
• LinuxDefender Live! CD is a BitDefender
  re-mastered Knoppix distribution. It was designed
  to provide users of both Windows and Linux
  computers with virus incident rescue tools.
• The BitDefender antivirus can scan and disinfect
  existing hard drives (including Windows NTFS
  partitions), remote Samba/Windows shares or NFS
  mount points
• LinuxDefender Live! (uses the Linux version of
  BitDefender) or Local Area Security Linux (uses
  Clam Antivirus).

23
On-Line Scanners

• If you suspect a machine has a virus, spywre,
  malware, trojan or RootKit there are many On-line
  Scanners you can use for free to scan your
  system.
• Panda Security
• http//www.pandasecurity.com/homeusers/solutions/a
  ctivescan/?
• Kapersky
• http//www.kaspersky.com/virusscanner
• 3 Trend Micro
• http//housecall.trendmicro.com/
• 4 Microsoft One Care
• http//onecare.live.com/site/en-us/default.htm

24
Check for suspicious applications starting
automatically via the registry

• The most common locations for applications to
  start through the registry are
• Check both HKey_Local_Machine and
  HKey_Current_User
• HKLM\Software\Microsoft\Windows\CurrentVersion\Run
  
• HKLM\Software\Microsoft\Windows\CurrentVersion\Run
  Services
• HKLM\Software\Microsoft\Windows\CurrentVersion\Run
  Once
• HKLM\Software\Microsoft\Windows\CurrentVersion\Run
  OnceEx
• HKLM\Software\Microsoft\Windows\CurrentVersion\Run
  ServicesOnce
• HKLM\Software\Microsoft\Windows\CurrentVersion\Run
  ServicesOnce
• HKLM\Software\Microsoft\Windows\CurrentVersion\Pol
  icies\Explorer\Run
• HKLM\Software\Microsoft\Windows\CurrentVersion\Run
  Once\Setup

25
The Startup Folder

• There are a number of methods an intruder could
  use to start a backdoor program one is to place
  the exe in the Startup folders.
• Check all items in "C\Documents and
  Settings\username\Start Menu\Programs\Startup"
  folders, (for Windows NT4, Substitute
  "C\Documents and Settings" for
  "C\WINNT40\Profiles").
• You can also examine all the shortcuts by
  selecting Start, Programs, and Startup. Note that
  there are two startup folders, one for the local
  user and one for all users. When a user logs on,
  all of the applications in both the "All Users"
  and in the user's startup folder are started.

26
Check for unauthorized or suspicious services

• Some backdoor programs will install themselves as
  a service that is started when the system boots
  up
• The following command will output information
  regarding installed services to a formatted html
  file (Note WMIC command only works on XP and
  above)
• wmic /outputC\services.htm service get
  /formathform
• Open this file from the C drive and ensure that
  there are no services that look suspect.
• If there are any services that do not have a
  description, be suspicious and use a Google
  search to see what application is associated with
  the service.
• Note You can also use the Autruns.exe
  application provided and click on the Services
  tab to also see information on services.

27
WMIC Output Example
28
Check Running Processes

• Use ProcessExplorer to give you a graphical view
  of all process running and the path to the
  executable.
• You can also use Vision (needs to be installed)
  to view all processes and applications running on
  the machine and verify that the paths to the
  executables are correct.
• Be suspicious of all processes that dont have a
  description
• If you are unsure of any processes Google them.

29
View all Network Connections

• Use netstat a or TCPView to verify that all TCP
  connections are to Remote Hosts that you expect.
  
• Make sure that you have no application running to
  get a cleaner view.
• Open TCPView and focus on the Remote Address
  field. If you see Established connections to
  Internet based hosts or IP Addresses make sure
  that valid applications are making these
  connections.
• Many Trojan connect to remote hosts over port
  6667 (IRC Channels) to notify the bot network
  controller that it is listening. If you see any
  ports opened using port 6667 to IP addresses
  hostnames on the Internet the machine may have a
  Trojan

30
Network Connections Contd

• The TCPView application will also list all
  applications running and what connections via the
  network they are making. Verify that nothing
  stands out as suspicious. Investigate all
  suspicious connections/applications.
• You can also use the Netstat command that is part
  of the OS install. Run NetStat an and verify
  that it matches what you see in TCPView. If an
  open connection is shown in TCPView and does not
  show up in Netstat, you may have a rootkit
  installed on the machine.
• Note TCPView and Netstat would identify more
  about applications attempting to connect to an
  external IP if the workstation has a connection
  to the Internet.

31
Is VMWare or another Virtual Machine Software
installed on the computer?

• Virtual Machines allow multiplexing the
  underlying physical machine between different
  virtual machines, each running its own operating
  system
• Multiple OS environments can co-exist on the same
  computer
• VMWare Player and Microsoft Virtual PC are now
  free.
• Tons of VMWare Appliances ready for use at
• http//www.vmware.com/appliances/

32
RootKit DetectionDifficult to Detect and Nearly
Impossible to Remove

• RootKit Detection Details
• For best results exit all applications and keep
  the system otherwise idle during the Rootkit
  scanning process
• RootKit Detection programs compare the results of
  a system scan at the highest level with that at
  the lowest level
• Original ways to perform detection was to dump a
  complete list of all the files on the volume
  while inside the operating system, then boot to
  the Recovery Console and dump another file list,
  then compare the two. If a file shows up in the
  second list but not in the first and isn't a
  Windows file kept hidden by default, it's
  probably a culprit
• You should examine all discrepancies and
  determine the likelihood that they indicate the
  presence of a RootKit
• From the results you should NOT see any of the
  following known RootKits AFX, Vanquish and
  HackerDefender

33
RootKit Detection Applications

• Top 6
• Products Comparisons can be found at
• www.informationweek.com/news/showArticle.jhtml?art
  icleID196901062pgno1queryText
• Listing of Other RootKit Detectors can be found
  at
• www.antirootkit.com/software/index.htm
• F-Secure Backlight Freeware
• www.f-secure.com/security_center/
• IceSword Freeware
• www.blogcn.com/user17/pjf/index.html
• RKDetector - Freeware
• www.rkdetector.com
• RootKitBuster Freeware
• www.trendmicro.com/download/rbuster.asp
• RootKit Unhooker Freeware
• www.antirootkit.com/software/RootKit-Unhooker.htm
• RootKitRevealer Freeware by SysInternals
• www.microsoft.com/technet/sysinternals/Utilities/R
  ootkitRevealer.mspx

34
Demonstration

• Autoruns Shows you what programs are configured
  to run during system bootup or login
• TCPView - Active socket command-line viewer
• ProcessExplorer - Find out what files, registry
  keys and other objects processes have open, which
  DLLs they have loaded
• ProcMon - An advanced monitoring tool for Windows
  that shows real-time file system, Registry and
  process/thread activity
• FileMon - This monitoring tool lets you see all
  file system activity in real-time
• HiJackThis -lists the contents of key areas of
  the Registry and hard drive
• HiJack This Analyzer - A website that analyzes
  the HiJack This output. http//hjt.networktechs.co
  m/
• Vision - Reports all open TCP and UDP ports and
  maps them to the owning process or application
• MBSA for Windows - easy-to-use tools that help to
  determine a machines security state in accordance
  with Microsoft security recommendations and
  offers specific remediation guidance
• ActivePorts Monitor all open TCP and UDP ports
  on the local computer

35
Tools You Can Use - Summary

• Applications that run as binaries (Executables
  that do not need to be installed)
• Autoruns
• TCPView
• RootKitRevealer
• FileMon
• DiskMon
• ProcessExplorer
• ProcMon
• OpenPorts
• http//www.virustotal.com/
• Applications that need to be installed in order
  to use
• Vision
• AVS.msi
• MBSA
• HiJackThis
• ActivePorts

36
Lessons Learned

• Best Practice is to prohibit third party
  connections to your company network
• Implement a automated way to protect your network
  such as 802.1x and NAC/NAP
• If connection is required, have the third party
  read and sign an acceptable use document
• Allow 2-3 hours per workstation to perform due
  diligence scan of their machine.
• If youre going to allow third party connections
  to your network, there are many risks that must
  be accepted.
• Remember, your own employees could be your
  biggest concern.

37
Questions?
38
THANK YOU!For More Information

• You can download the Utilities I used at
• http//www.patrickmccrann.com/utlities.zip
• An assessment procedures document can be
  downloaded at
• http//www.patrickmccrann.com/security_posture.doc
  
• This Powerpoint can be downloaded at
• http//www.patrickmccrann.com/secpos_slides.ppt