Title: Checking the Security Posture of Third Party Machines
1. Checking the Security Posture of Third Party Machines
- Patrick McCrann, CISSP
- Lead IT Security Analyst
- AmTrust Bank
2. Agenda
- Introduction
- Who are Third Parties?
- Security Posture Explained
- Automated Ways to Control Network Access
- Automated Ways to Confirm Security Postures of Hosts Connecting to Your Network
- Manual Ways to Check the Security Posture of Third Party Machines (Presentation Focus)
- Tools You Can Use to Verify Security Posture
- Demonstration Of Tools
3. Introduction
- It may be necessary to allow third parties to attach non-corporate controlled workstations to your company's network. This presentation will discuss:
- Automated ways to control access and confirm the security posture of the machine.
- Manual ways that can be performed by your IT Security staff to confirm that the machine is a low risk to your network.
- The focus will be on manual security posture assessments.
4. Best Practice
- Allowing/Controlling Network Connectivity
- In a perfect world: never allow non-corporate controlled devices to connect to your network.
- Control access to your network so that non-corporate controlled devices CANNOT connect to it.
- If Internet access is required, physically or logically segment the machine using a GuestNet.
5. Third Parties?
- Third Parties are any persons who connect to your network using non-corporate owned computers, such as:
- Vendors
- Audit Firms
- Governmental Agencies
- Consultants
- Training Companies
- Hackers and Malicious Entities
- Yes, Your own Employees
6. Third Party Acceptable Use
- All Third Parties that are attaching to your network should be required to read and sign a Corporate Acceptable Use Policy, just as your own employees do.
- The objectives are threefold:
- To protect Company's networks and equipment.
- Security Awareness.
- To protect Company, employees and anyone else who
attaches to the corporate network from activities
that might expose them or Company to legal action.
7. Security Posture - Definition
- Determining the overall security risk a computer attached to your network would pose by determining:
- Its current patch level
- Virus protection and virus signature version/date
- Malware/Spyware existence and protection
- RootKit Detection
- Host based firewall implementation
- And other local security settings/attributes.
8. Automated Ways to Control Network Access
- 802.1x
- GuestNets
- De-activate Unused Network Ports
- SSL-VPN instead of Network VPN
9. Automated Ways to Control Network Access
- 802.1x
- Provides a means of authenticating and authorizing devices attached to a LAN port, and of preventing access to that port in cases in which the authentication and authorization process fails. Usually, if authentication is successful, the host is assigned an IP address.
10. Automated Ways to Control Network Access
- GuestNets
- GuestNets typically allow approved visitors limited network access; visitors must provide a few pieces of information so that their computer can be granted access.
- Network access is usually limited to the Internet.
- Also, GuestNet accounts do not allow visitors to log in to corporate computers.
11. Automated Ways to Control Network Access
- De-activate Unused Network Ports
- At the switch level, de-activate any unused ports.
- Pros
- Allows control of ports by Network Administrators
- Keeps third parties from connecting to the network without the administrators knowing
- Cons
- High administrative costs
- Does not keep users from unplugging from active ports and then plugging in an unauthorized device
12. Automated Ways to Control Network Access
- SSL-VPN instead of Network VPN
- Access via the Application layer instead of the Network layer
- Does not put the user's machine on the corporate network.
- SSL VPNs deliver user-level authentication, ensuring that the right people have access only to the right resources instead of the entire network.
- SSL-VPN is in many cases clientless.
- Provides access mostly to Web applications, while in many cases failing to address the needs of companies whose users require access to client/server applications.
13. Automated Ways to Control Network Access
- Other technologies used to control access to the network:
- Citrix via ICA Protocol
- Remote Desktop via Remote Desktop Protocol
- VNC
- Other remote control utilities including WebEx, GoToMyPC, Live Meeting, MeetMeNow and so on.
14. Validating Security Postures of Hosts Connecting to Your Network
- NAC (Network Admission Control - Cisco)
- Uses 802.1x at the port level and Cisco Trust Agent to control access
- NAP (Network Access Protection - Microsoft)
- Uses DHCP Server and Quarantine Agent to control access
- Both require that client software be installed on each and every computer
15. Automated Ways to Confirm Security Postures of Hosts Connecting to Your Network
- NAC/NAP
- Restricts the availability of network resources to endpoint devices that comply with a defined security policy.
- Blocks or quarantines non-compliant devices
- Host Integrity tests against pre-defined templates such as patch level, service packs, antivirus, and personal firewall status, as well as custom created checks tailored for the enterprise environment
- Also can provide a location where remediation can take place
16. Manual Ways to Check the Security Posture of Third Party Machines (Presentation Focus)
- The remaining portions of this presentation will outline some manual procedures that could be used by IT Security Professionals prior to allowing a vendor or third party to connect their laptop or desktop machine to a corporate network.
17. Manual Assessment of a Machine's Security Posture
- Things to Review
- Dual Boot or Multi Boot Machine?
- Can the machine boot from CDROM or USB Device?
- Anti-Virus/Anti-Spyware
- On-line Scanners can help
- Basic Registry settings
- Suspicious applications installed
- Running processes
- Network Connections
- Is VMware or other virtual machine software installed on the computer?
- Root-Kit check
18. Inspect the Boot Loader
- A boot loader, also called a boot manager, is a small program that places the operating system (OS) of a computer into memory.
- Upon booting the machine, check to see if there are multiple operating system options within the boot loader program.
- Common boot loaders are:
- LILO
- GRUB
- BootMagic
- System Commander
- Windows NTLDR and Bootmgr via Boot.ini
- Apple's Boot Camp (Windows and Mac on the same machine)
19. CD-ROM or USB Bootable?
- Does the BIOS allow the machine to boot from CD-ROM or USB (also called Live CDs)?
- Most popular security Live CDs:
- Auditor - Security checking
- Knoppix STD - Tons of security tools
- Helix - Incident response and forensics
- BackTrack - Security tools
- Whoppix - Penetration testing
- Fire - Forensic analysis, incident response, data recovery, virus scanning and vulnerability assessment
- Damn Small Linux - Small form-factor Linux distro
- Basically any OS can be ported to boot from CD or USB
- http://www.frozentech.com/content/livecd.php
- http://www.l0t3k.org/linux/links/livecd/
20. Verify Virus Scanner and Signature
- Perform this check by looking in the System Tray of the PC (by the clock). Most anti-virus programs will have a system tray icon, for example, a yellow shield for Symantec Norton Anti-Virus, and a red, white and blue shield with the letter V in the middle if the PC is using McAfee's anti-virus program.
- Double click on the system tray icon and make sure the virus definition version is at most a month old.
- Make sure the software is set for active scans (scan files as they are written to disk) and the services are running.
21. Most Popular Virus Scanners
- BitDefender
- Kaspersky
- ESET Nod32
- TrendMicro PC-cillin
- F-Secure Anti-Virus
- McAfee VirusScan
- Norton AntiVirus
- Grisoft AVG Anti-Virus Pro
- CA Antivirus
- Norman Virus Control
- AVAST!
- Panda Titanium
- F-Prot
- PC Tools AntiVirus
22. Anti-Virus Live CDs
- If you can't remove the virus from within Windows, you may be able to use a Linux based LiveCD with antivirus software.
- Two popular anti-virus distros:
- LinuxDefender Live!
- Local Area Security Linux
- Ultimate Boot Disk for Windows
- LinuxDefender Live! CD is a BitDefender re-mastered Knoppix distribution. It was designed to provide users of both Windows and Linux computers with virus incident rescue tools.
- The BitDefender antivirus can scan and disinfect existing hard drives (including Windows NTFS partitions), remote Samba/Windows shares or NFS mount points.
- LinuxDefender Live! uses the Linux version of BitDefender; Local Area Security Linux uses Clam Antivirus.
23. On-Line Scanners
- If you suspect a machine has a virus, spyware, malware, trojan or RootKit, there are many on-line scanners you can use for free to scan your system.
- Panda Security
- http://www.pandasecurity.com/homeusers/solutions/activescan/?
- Kaspersky
- http://www.kaspersky.com/virusscanner
- Trend Micro
- http://housecall.trendmicro.com/
- Microsoft One Care
- http://onecare.live.com/site/en-us/default.htm
24. Check for Suspicious Applications Starting Automatically via the Registry
- The most common locations for applications to start through the registry are listed below. Check both HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER:
- HKLM\Software\Microsoft\Windows\CurrentVersion\Run
- HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
- HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
- HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
- HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
- HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
- HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\Setup
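An added example (not from the presentation) of how the autostart review on this slide can be done offline: it assumes the values under the Run keys above have been captured with `reg query <key>` on the third party machine, and the trusted-directory list and sample output are assumptions constructed for the example.

```python
# Added example (not from the presentation): triage the autostart entries
# listed on this slide from the text output of "reg query <key>", so the
# review can run offline on output captured from the third party machine.
import re

# Directories an autostart entry is normally expected to launch from
# (assumption for this example; extend for the build under review).
TRUSTED_DIRS = ("%windir%", "%systemroot%", "c:\\windows", "c:\\program files")

# "reg query" prints "    <name>    <REG_type>    <data>" under each key path.
VALUE_RE = re.compile(r"^\s{4}(\S.*?)\s{4}(REG_\w+)\s{4}(.*)$")

def parse_reg_query(text):
    """Return a list of (key, value_name, data) from reg query output."""
    entries, key = [], None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip()
        elif key and (m := VALUE_RE.match(line)):
            entries.append((key, m.group(1), m.group(3)))
    return entries

def executable_path(data):
    """Strip quotes and arguments so only the launched executable remains."""
    data = data.strip()
    if data.startswith('"'):
        return data[1:data.find('"', 1)]
    return data.split(" ")[0]

def suspicious_autostarts(text):
    """Autostart entries whose executable lives outside the trusted dirs."""
    flagged = []
    for key, name, data in parse_reg_query(text):
        exe = executable_path(data).lower()
        if not exe.startswith(TRUSTED_DIRS):
            flagged.append((key, name, exe))
    return flagged

# Constructed sample output, as "reg query" prints it for two of the keys.
SAMPLE = """
HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run
    ctfmon    REG_SZ    C:\\WINDOWS\\system32\\ctfmon.exe
    Updater    REG_SZ    "C:\\Documents and Settings\\bob\\Local Settings\\Temp\\upd.exe" -s

HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce
    svchost    REG_SZ    C:\\Temp\\svchost.exe
"""
```

Entries launching from a user's Temp folder or a bare C:\Temp, as in the sample, are the ones to look up before the machine is allowed on the network.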
25. The Startup Folder
- There are a number of methods an intruder could use to start a backdoor program; one is to place the exe in the Startup folders.
- Check all items in the "C:\Documents and Settings\username\Start Menu\Programs\Startup" folders (for Windows NT4, "C:\WINNT40\Profiles" takes the place of "C:\Documents and Settings").
- You can also examine all the shortcuts by selecting Start, Programs, and Startup. Note that there are two startup folders, one for the local user and one for all users. When a user logs on, all of the applications in both the "All Users" and the user's startup folder are started.
26. Check for Unauthorized or Suspicious Services
- Some backdoor programs will install themselves as a service that is started when the system boots up.
- The following command will output information regarding installed services to a formatted HTML file (Note: the WMIC command only works on XP and above):
- wmic /output:C:\services.htm service get /format:hform
- Open this file from the C: drive and ensure that there are no services that look suspect.
- If there are any services that do not have a description, be suspicious and use a Google search to see what application is associated with the service.
- Note: You can also use the Autoruns.exe application provided and click on the Services tab to also see information on services.
27. WMIC Output Example
28. Check Running Processes
- Use ProcessExplorer to give you a graphical view of all processes running and the path to the executable.
- You can also use Vision (needs to be installed) to view all processes and applications running on the machine and verify that the paths to the executables are correct.
- Be suspicious of all processes that don't have a description.
- If you are unsure of any processes, Google them.
29. View All Network Connections
- Use netstat -a or TCPView to verify that all TCP connections are to remote hosts that you expect.
- Make sure that you have no applications running, to get a cleaner view.
- Open TCPView and focus on the Remote Address field. If you see Established connections to Internet based hosts or IP addresses, make sure that valid applications are making these connections.
- Many Trojans connect to remote hosts over port 6667 (IRC channels) to notify the bot network controller that they are listening. If you see any connections using port 6667 to IP addresses or hostnames on the Internet, the machine may have a Trojan.
30. Network Connections Cont'd
- The TCPView application will also list all applications running and what connections they are making via the network. Verify that nothing stands out as suspicious. Investigate all suspicious connections/applications.
- You can also use the netstat command that is part of the OS install. Run netstat -an and verify that it matches what you see in TCPView. If an open connection is shown in TCPView and does not show up in netstat, you may have a rootkit installed on the machine.
- Note: TCPView and netstat would identify more about applications attempting to connect to an external IP if the workstation has a connection to the Internet.
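An added example (not from the presentation) covering the checks on slides 29 and 30: it parses captured `netstat -an` output, flags established connections to port 6667 and to Internet addresses, and reports any socket that a TCPView listing shows but netstat does not. The local-network ranges, the sample netstat output and the TCPView listing are assumptions constructed for the example.

```python
# Added example (not from the presentation): parse "netstat -an" output, flag
# the indicators these slides describe, and cross-check against TCPView.
import ipaddress
# Local network ranges (RFC 1918 plus loopback); any other IP is "Internet".
LAN_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def parse_netstat(text):
    """Return a set of (proto, local, remote, state) from netstat -an lines."""
    conns = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue  # header and blank lines
        state = parts[3] if len(parts) > 3 else ""  # UDP rows have no state
        conns.add((parts[0], parts[1], parts[2], state))
    return conns

def is_internet_host(host):
    try:
        return not any(ipaddress.ip_address(host) in n for n in LAN_NETS)
    except ValueError:
        return False  # hostnames are not classified here

def flag_connections(conns):
    """Established TCP sockets to the IRC port (6667) or to Internet hosts."""
    findings = []
    for proto, _local, remote, state in sorted(conns):
        if proto != "TCP" or state != "ESTABLISHED":
            continue
        host, _, port = remote.rpartition(":")
        if port == "6667":
            findings.append(("irc-port", remote))
        elif is_internet_host(host):
            findings.append(("internet-host", remote))
    return findings

def hidden_from_netstat(tcpview_conns, netstat_conns):
    """Sockets TCPView lists but netstat does not: a rootkit indicator."""
    return sorted(tcpview_conns - netstat_conns)

# Constructed sample of what "netstat -an" printed on the reviewed machine.
NETSTAT_SAMPLE = """
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    10.1.2.50:1043         10.1.2.10:445          ESTABLISHED
  TCP    10.1.2.50:1051         203.0.113.7:6667       ESTABLISHED
  UDP    0.0.0.0:500            *:*
"""
# Constructed TCPView listing of the same machine, with one socket netstat missed.
TCPVIEW_SAMPLE = NETSTAT_SAMPLE + "  TCP  10.1.2.50:1060  198.51.100.9:80  ESTABLISHED\n"
```

Run `flag_connections(parse_netstat(NETSTAT_SAMPLE))` for the port and Internet checks, and `hidden_from_netstat(parse_netstat(TCPVIEW_SAMPLE), parse_netstat(NETSTAT_SAMPLE))` for the rootkit cross-check.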
31. Is VMware or Other Virtual Machine Software Installed on the Computer?
- Virtual machines allow multiplexing the underlying physical machine between different virtual machines, each running its own operating system.
- Multiple OS environments can co-exist on the same computer.
- VMware Player and Microsoft Virtual PC are now free.
- Tons of VMware appliances ready for use at:
- http://www.vmware.com/appliances/
32. RootKit Detection - Difficult to Detect and Nearly Impossible to Remove
- RootKit Detection Details
- For best results, exit all applications and keep the system otherwise idle during the rootkit scanning process.
- RootKit detection programs compare the results of a system scan at the highest level with that at the lowest level.
- The original way to perform detection was to dump a complete list of all the files on the volume while inside the operating system, then boot to the Recovery Console and dump another file list, then compare the two. If a file shows up in the second list but not in the first and isn't a Windows file kept hidden by default, it's probably a culprit.
- You should examine all discrepancies and determine the likelihood that they indicate the presence of a RootKit.
- From the results you should NOT see any of the following known RootKits: AFX, Vanquish and HackerDefender.
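An added example (not from the presentation) of the two-listing comparison described above: one file list dumped from inside Windows, one from the Recovery Console, and the offline-only paths reported after known hidden Windows files are excluded. The hidden-file list and both sample dumps are assumptions constructed for the example.

```python
# Added example (not from the presentation): the two-listing comparison the
# slide describes, run over file lists dumped inside Windows and from the
# Recovery Console; paths only the offline dump shows are reported.

# Constructed allow-list of files Windows hides from a normal directory
# listing; a real review would use a fuller list for the build under test.
HIDDEN_BY_DEFAULT = {
    r"c:\pagefile.sys",
    r"c:\hiberfil.sys",
    r"c:\boot.ini",
    r"c:\ntldr",
    r"c:\ntdetect.com",
}

def normalise(path):
    """Case- and slash-insensitive form so both dumps compare equal."""
    return path.strip().replace("/", "\\").lower()

def load_listing(text):
    """Turn one dumped file list (one path per line) into a set of paths."""
    return {normalise(p) for p in text.splitlines() if p.strip()}

def rootkit_candidates(online_listing, offline_listing):
    """Paths seen offline but not from inside the OS, minus known hidden files."""
    online = load_listing(online_listing)
    offline = load_listing(offline_listing)
    return sorted((offline - online) - HIDDEN_BY_DEFAULT)

# Constructed sample dumps (e.g. from "dir /s /b" in each environment); the
# two extra names in the offline dump are made up for the example.
ONLINE_DUMP = r"""
C:\WINDOWS\system32\ntoskrnl.exe
C:\WINDOWS\system32\drivers\tcpip.sys
C:\Program Files\Vendor\app.exe
"""
OFFLINE_DUMP = r"""
C:\WINDOWS\system32\ntoskrnl.exe
C:\WINDOWS\system32\drivers\tcpip.sys
C:\Program Files\Vendor\app.exe
C:\pagefile.sys
C:\WINDOWS\system32\drivers\hidden_drv.sys
C:\WINDOWS\system32\hidden_svc.exe
"""

if __name__ == "__main__":
    for path in rootkit_candidates(ONLINE_DUMP, OFFLINE_DUMP):
        print("REVIEW:", path)
```

Every path the function returns is a discrepancy to examine, as the slide says; the pagefile in the sample is dropped because it is hidden by default.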
33. RootKit Detection Applications
- Top 6
- Product comparisons can be found at:
- www.informationweek.com/news/showArticle.jhtml?articleID=196901062&pgno=1&queryText=
- Listing of other RootKit detectors can be found at:
- www.antirootkit.com/software/index.htm
- F-Secure BlackLight - Freeware
- www.f-secure.com/security_center/
- IceSword - Freeware
- www.blogcn.com/user17/pjf/index.html
- RKDetector - Freeware
- www.rkdetector.com
- RootKitBuster - Freeware
- www.trendmicro.com/download/rbuster.asp
- RootKit Unhooker - Freeware
- www.antirootkit.com/software/RootKit-Unhooker.htm
- RootKitRevealer - Freeware by SysInternals
- www.microsoft.com/technet/sysinternals/Utilities/RootkitRevealer.mspx
34. Demonstration
- Autoruns - Shows you what programs are configured to run during system bootup or login
- TCPView - Active socket command-line viewer
- ProcessExplorer - Find out what files, registry keys and other objects processes have open, and which DLLs they have loaded
- ProcMon - An advanced monitoring tool for Windows that shows real-time file system, Registry and process/thread activity
- FileMon - This monitoring tool lets you see all file system activity in real-time
- HiJackThis - Lists the contents of key areas of the Registry and hard drive
- HiJackThis Analyzer - A website that analyzes the HiJackThis output: http://hjt.networktechs.com/
- Vision - Reports all open TCP and UDP ports and maps them to the owning process or application
- MBSA for Windows - An easy-to-use tool that helps to determine a machine's security state in accordance with Microsoft security recommendations and offers specific remediation guidance
- ActivePorts - Monitors all open TCP and UDP ports on the local computer
35. Tools You Can Use - Summary
- Applications that run as binaries (executables that do not need to be installed):
- Autoruns
- TCPView
- RootKitRevealer
- FileMon
- DiskMon
- ProcessExplorer
- ProcMon
- OpenPorts
- http://www.virustotal.com/
- Applications that need to be installed in order to use:
- Vision
- AVS.msi
- MBSA
- HiJackThis
- ActivePorts
36. Lessons Learned
- Best practice is to prohibit third party connections to your company network.
- Implement an automated way to protect your network, such as 802.1x and NAC/NAP.
- If connection is required, have the third party read and sign an acceptable use document.
- Allow 2-3 hours per workstation to perform a due diligence scan of their machine.
- If you're going to allow third party connections to your network, there are many risks that must be accepted.
- Remember, your own employees could be your biggest concern.
37. Questions?
38. THANK YOU! For More Information
- You can download the utilities I used at:
- http://www.patrickmccrann.com/utlities.zip
- An assessment procedures document can be downloaded at:
- http://www.patrickmccrann.com/security_posture.doc
- This PowerPoint can be downloaded at:
- http://www.patrickmccrann.com/secpos_slides.ppt