Checking the Security Posture of Third Party Machines - PowerPoint PPT Presentation

1
Checking the Security Posture of Third Party
Machines
  • Patrick McCrann, CISSP
  • Lead IT Security Analyst
  • AmTrust Bank

2
Agenda
  • Introduction
  • Who are Third Parties?
  • Security Posture Explained
  • Automated Ways to Control Network Access
  • Automated Ways to Confirm Security Postures of
    Hosts Connecting to Your Network
  • Manual Ways to Check the Security Posture of
    Third Party Machines (Presentation Focus)
  • Tools You Can Use to Verify Security Posture
  • Demonstration Of Tools

3
Introduction
  • It may be necessary to allow third parties to
    attach workstations that your company does not
    control to its network. This presentation
    discusses
  • Automated ways to control access and confirm the
    security posture of the machine.
  • Manual checks your IT Security staff can perform
    to confirm that the machine is a low risk to your
    network.
  • The focus is on manual security posture
    assessments.

4
Best Practice
  • Allowing/Controlling Network Connectivity
  • In a perfect world, never allow devices the
    company does not control to connect to your
    network.
  • Control access to your network so that
    non-corporate-controlled devices CANNOT connect.
  • If Internet access is required, physically or
    logically segment the machine on a GuestNet.

5
Third Parties?
  • A third party is any person who connects to your
    network using a computer the company does not
    own, such as
  • Vendors
  • Audit Firms
  • Governmental Agencies
  • Consultants
  • Training Companies
  • Hackers and Malicious Entities
  • Yes, Your own Employees

6
Third Party Acceptable Use
  • All Third Parties that are attaching to your
    network should be required to read and sign a
    Corporate Acceptable Use Policy just as your own
    employees do.
  • The objectives are threefold
  • To protect Company's networks and equipment.
  • Security Awareness.
  • To protect Company, employees and anyone else who
    attaches to the corporate network from activities
    that might expose them or Company to legal action.

7
Security Posture - Definition
  • Determining the overall security risk a computer
    attached to your network would pose, by
    establishing
  • Its current patch level
  • Virus protection and virus signature version/date
  • Malware/Spyware existence and protection
  • RootKit Detection
  • Host based firewall implementation
  • And other local security settings/attributes.

8
Automated Ways to Control Network Access
  • 802.1X
  • GuestNets
  • De-activate Unused Network Ports
  • SSL-VPN instead of Network VPN

9
Automated Ways to Control Network Access
  • 802.1X
  • Provides a means of authenticating and
    authorizing a device attached to a LAN port, and
    of blocking traffic on that port when
    authentication or authorization fails. Only once
    authentication succeeds is the port opened and
    the host able to obtain an IP address (via DHCP).

10
Automated Ways to Control Network Access
  • GuestNets
  • GuestNets typically give approved visitors
    limited network access; the visitor must provide
    a few pieces of information before their
    computer is granted access.
  • Network access is usually limited to the Internet
  • GuestNet accounts also do not allow visitors to
    log in to corporate computers.

11
Automated Ways to Control Network Access
  • De-activate Unused Network Ports
  • At the switch level de-activate any unused ports.
  • Pros
  • Gives Network Administrators control over which
    ports are live
  • Keeps third parties from connecting to the
    network without anyone knowing
  • Cons
  • High administrative cost
  • Does not keep users from unplugging a device from
    an active port and plugging in an unauthorized
    one

12
Automated Ways to Control Network Access
  • SSL-VPN instead of Network VPN
  • Access at the application layer instead of the
    network layer
  • Does not put the user's machine on the corporate
    network.
  • SSL VPNs deliver user-level authentication,
    giving the right people access only to the right
    resources instead of the entire network
  • SSL-VPN is in many cases clientless
  • Provides access mostly to Web applications, and
    in many cases fails to address the needs of
    companies whose users require access to
    client/server applications

13
Automated Ways to Control Network Access
  • Other technologies used to control access to the
    network
  • Citrix via ICA Protocol
  • Remote Desktop via Remote Desktop Protocol
  • VNC
  • Other Remote Control Utilities including WebEx,
    GoToMyPC, Live Meeting, MeetMeNow and so on.

14
Validating Security Postures of Hosts Connecting
to Your Network
  • NAC (Network Admission Control - Cisco)
  • Uses 802.1X at the port level and the Cisco Trust
    Agent to control access
  • NAP (Network Access Protection - Microsoft)
  • Uses the DHCP server and a Quarantine Agent to
    control access (note that DHCP enforcement alone
    is defeated by a client that simply configures a
    static IP address; NAP's 802.1X and IPsec
    enforcement modes do not have this weakness)
  • Both require that client software be installed on
    each and every computer

15
Automated Ways to Confirm Security Postures of
Hosts Connecting to Your Network
  • NAC/NAP
  • Restricts the availability of network resources
    to endpoint devices that comply with a defined
    security policy.
  • Blocks or quarantines non-compliant devices
  • Host Integrity tests against pre-defined
    templates such as patch level, service packs,
    antivirus, and personal firewall status, as well
    as custom created checks tailored for the
    enterprise environment
  • Also can provide a location where remediation can
    take place

16
Manual Ways to Check the Security Posture of
Third Party Machines (Presentation Focus)
  • The remaining portions of this Presentation will
    outline some manual procedures that could be used
    by IT Security Professionals prior to allowing a
    vendor or third party to connect their laptop or
    desktop machine to a corporate network

17
Manual Assessment of a Machines Security Posture
  • Things to Review
  • Dual Boot or Multi Boot Machine?
  • Can the machine boot from CDROM or USB Device?
  • Anti-Virus/Anti-Spyware
  • On-line Scanners can help
  • Basic Registry settings
  • Suspicious applications installed
  • Running processes
  • Network Connections
  • Is VMware or other virtual machine software
    installed on the computer?
  • Root-Kit Check

18
Inspect the Boot Loader
  • A boot loader, also called a boot manager, is a
    small program that loads the operating system
    (OS) of a computer into memory
  • Upon booting the machine, check to see if there
    are multiple operating system options in the
    boot loader menu.
  • Common boot loaders are
  • LILO
  • GRUB
  • BootMagic
  • System Commander
  • Windows NTLDR (configured via Boot.ini) and
    Bootmgr (Windows Vista and later, configured via
    the BCD store; list it with "bcdedit /enum")
  • Apple's Boot Camp (Windows and Mac OS on the same
    machine)

19
CD-ROM or USB Bootable?
  • Does the BIOS allow the machine to boot from
    CD-ROM or USB? If so, anyone with physical access
    can boot a Live CD (an OS that runs from the
    removable media) and bypass every control on the
    installed OS.
  • Most popular security Live CDs
  • Auditor - security checking
  • Knoppix STD - tons of security tools
  • Helix - incident response and forensics
  • BackTrack - security tools
  • Whoppix - penetration testing
  • FIRE - forensic analysis, incident response, data
    recovery, virus scanning and vulnerability
    assessment
  • Damn Small Linux - small form-factor Linux distro
  • Basically any OS can be ported to boot from CD or
    USB
  • http://www.frozentech.com/content/livecd.php
  • http://www.l0t3k.org/linux/links/livecd/
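
The two slides above (boot loader and bootable media) can be checked from the running system rather than by watching the boot menu. The following is an added example, not part of the original deck: it parses "bcdedit /enum" into one object per boot entry, reads boot.ini if one exists, and reports whether Secure Boot is on (the control that actually stops an arbitrary Live CD from booting). It assumes Windows Vista or later, English bcdedit output, and an elevated Windows PowerShell 3.0+ session; the Secure Boot query needs Windows 8 or later on UEFI firmware.

```powershell
function Get-BootEntries {
    # bcdedit /enum prints one block per entry: a title line ("Windows Boot
    # Loader"), a dashed rule, "name   value" lines, then a blank line.
    $raw = & bcdedit /enum 2>&1
    if ($LASTEXITCODE -ne 0) { throw "bcdedit failed (not elevated?): $raw" }

    $entries = @()
    $block = $null
    foreach ($line in @($raw | ForEach-Object { "$_" })) {
        if ($line -match '^\s*$') {
            if ($block) { $entries += [pscustomobject]$block }
            $block = $null
            continue
        }
        if ($line -match '^-+$') { continue }
        if ($block -eq $null) { $block = @{ Type = $line.Trim() }; continue }
        # Continuation lines (a second displayorder GUID, for instance) start with
        # whitespace and are skipped; first-column names become property names.
        if ($line -match '^(\w+)\s+(.+)$') { $block[$matches[1]] = $matches[2].Trim() }
    }
    if ($block) { $entries += [pscustomobject]$block }
    return ,$entries
}

function Test-BootPosture {
    $entries  = Get-BootEntries
    # Everything except the boot manager itself is bootable: Windows loaders,
    # real-mode/legacy entries (a chain-loaded GRUB shows up here), firmware apps.
    $bootable = @($entries | Where-Object { $_.Type -ne 'Windows Boot Manager' })
    $summary  = @($bootable | ForEach-Object { "$($_.Type): $($_.description) [$($_.device)]" })

    # Pre-Vista layout, or an NTLDR chain-loaded from the BCD: each OS choice
    # under [operating systems] is one ARC path or drive-letter line.
    $iniOs = @()
    $ini = Join-Path $env:SystemDrive 'boot.ini'
    if (Test-Path -LiteralPath $ini) {
        $iniOs = @(Get-Content -LiteralPath $ini |
                   Where-Object { $_ -match '^\s*(multi|scsi|signature)\(|^[A-Za-z]:\\' })
    }

    # Secure Boot is what stops an unsigned Live CD from booting; the cmdlet
    # errors out on legacy BIOS, which is reported as 'not available'.
    $secureBoot = 'not available'
    if (Get-Command Confirm-SecureBootUEFI -ErrorAction SilentlyContinue) {
        try { $secureBoot = Confirm-SecureBootUEFI -ErrorAction Stop } catch { }
    }

    [pscustomobject]@{
        BootEntries   = $summary -join '; '
        BootIniOsList = $iniOs -join '; '
        MultiBoot     = ($bootable.Count -gt 1) -or ($iniOs.Count -gt 1)
        SecureBoot    = $secureBoot
    }
}

Test-BootPosture | Format-List
```

A MultiBoot of True, or a SecureBoot of False or 'not available', means the other OS (or any Live CD) is outside everything else on this checklist and the machine should be treated accordingly.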

20
Verify Virus Scanner and Signature
  • Perform this check by looking in the System Tray
    of the PC (by the clock). Most anti-virus
    programs have a system tray icon, for example a
    yellow shield for Symantec Norton AntiVirus and a
    red, white and blue shield with the letter V in
    the middle if the PC is using McAfee's anti-virus
    program.
  • Double-click the system tray icon and make sure
    the virus definition version is at most a month
    old (most vendors publish signatures daily, so a
    date more than a few days old is itself worth a
    question).
  • Make sure the software is set for active scans
    (scan files as they are written to disk) and the
    services are running.
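
The tray-icon check above becomes a repeatable command if you ask the Windows Security Center which anti-virus products are registered and what state they report. The following is an added example, not part of the original deck: it assumes a workstation edition of Windows Vista or later (the root\SecurityCenter2 namespace does not exist on XP or on Server SKUs) and Windows PowerShell 3.0+. The productState bit layout used below is widely documented by third parties but not by Microsoft; treat it as an assumption and confirm against the vendor console whenever the verdict matters.

```powershell
function Get-AvPosture {
    param(
        # The slide allows a month; most vendors ship signatures daily.
        [int]$MaxSignatureAgeDays = 30
    )
    $products = @(Get-CimInstance -Namespace 'root\SecurityCenter2' -ClassName AntiVirusProduct -ErrorAction Stop)
    if ($products.Count -eq 0) {
        return [pscustomobject]@{ Product = '<none registered>'; RealTimeOn = $false
                                  DefinitionsCurrent = $false; SignedExe = $false
                                  SignatureAgeDays = $null; Verdict = 'FAIL' }
    }
    foreach ($p in $products) {
        # productState viewed as 6 hex digits AABBCC (assumed layout):
        #   BB = 10/11 -> real-time protection on, 00/01 -> off
        #   CC = 00    -> definitions up to date,  10 -> out of date
        $hex      = '{0:X6}' -f [uint32]$p.productState
        $realTime = ([Convert]::ToInt32($hex.Substring(2, 2), 16) -band 0x10) -ne 0
        $defsOk   = [Convert]::ToInt32($hex.Substring(4, 2), 16) -eq 0

        # A product that is registered but whose binary is unsigned or gone is
        # either tampered with or a stale registration: fail it either way.
        $exe    = [Environment]::ExpandEnvironmentVariables([string]$p.pathToSignedProductExe)
        $signed = $false
        if ($exe -and (Test-Path -LiteralPath $exe)) {
            $signed = (Get-AuthenticodeSignature -FilePath $exe).Status -eq 'Valid'
        }

        # Signature age is only exposed generically for Windows Defender
        # (Get-MpComputerStatus, Windows 8+); other vendors need their console.
        $age = $null
        if ($p.displayName -match 'Defender' -and (Get-Command Get-MpComputerStatus -ErrorAction SilentlyContinue)) {
            $age = [int]((Get-Date) - (Get-MpComputerStatus).AntivirusSignatureLastUpdated).TotalDays
        }
        $ageOk   = ($age -eq $null) -or ($age -le $MaxSignatureAgeDays)
        $verdict = if ($realTime -and $defsOk -and $signed -and $ageOk) { 'PASS' } else { 'FAIL' }

        [pscustomobject]@{ Product = $p.displayName; RealTimeOn = $realTime
                           DefinitionsCurrent = $defsOk; SignedExe = $signed
                           SignatureAgeDays = $age; Verdict = $verdict }
    }
}

Get-AvPosture | Format-Table -AutoSize
```

One row comes back per registered product, so a box with a third-party scanner will also show Windows Defender as FAIL (it is disabled by design when another product is active); what you want is at least one product with PASS. A SignatureAgeDays of blank means the age could not be read and still has to be checked in the product's own console.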

21
Most Popular Virus Scanners
  • BitDefender
  • Kaspersky
  • ESET Nod32
  • TrendMicro PC-cillin
  • F-Secure Anti-Virus
  • McAfee VirusScan
  • Norton AntiVirus
  • Grisoft AVG Anti-Virus Pro
  • CA Antivirus
  • Norman Virus Control
  • AVAST!
  • Panda Titanium
  • F-Prot
  • PC Tools AntiVirus

22
Anti-Virus Live CDs
  • If you can't remove the virus from within
    Windows, you may be able to use a Linux-based
    Live CD with anti-virus software
  • Popular anti-virus boot discs
  • LinuxDefender Live!
  • Local Area Security Linux
  • Ultimate Boot CD for Windows
  • LinuxDefender Live! CD is a BitDefender
    re-mastered Knoppix distribution. It was designed
    to provide users of both Windows and Linux
    computers with virus incident rescue tools.
  • The BitDefender anti-virus can scan and disinfect
    existing hard drives (including Windows NTFS
    partitions), remote Samba/Windows shares or NFS
    mount points
  • LinuxDefender Live! uses the Linux version of
    BitDefender; Local Area Security Linux uses Clam
    AntiVirus.

23
On-Line Scanners
  • If you suspect a machine has a virus, spyware,
    malware, a trojan or a rootkit, there are many
    free on-line scanners you can use to scan the
    system.
  • On-line scanners run inside the possibly
    compromised OS, so a rootkit can hide from them;
    treat a clean result as one data point, not a
    verdict.
  • Panda Security
  • http://www.pandasecurity.com/homeusers/solutions/activescan/?
  • Kaspersky
  • http://www.kaspersky.com/virusscanner
  • Trend Micro
  • http://housecall.trendmicro.com/
  • Microsoft OneCare
  • http://onecare.live.com/site/en-us/default.htm

24
Check for suspicious applications starting
automatically via the registry
  • The most common registry locations from which
    applications are started are
  • Check both HKEY_LOCAL_MACHINE (HKLM) and
    HKEY_CURRENT_USER (HKCU); on 64-bit Windows also
    check the Wow6432Node copies of the same keys
  • HKLM\Software\Microsoft\Windows\CurrentVersion\Run
  • HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
  • HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
  • HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\Setup
  • HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
  • HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
    and RunServicesOnce (Windows 9x/ME only; NT-based
    Windows ignores them)

25
The Startup Folder
  • There are a number of methods an intruder could
    use to start a backdoor program; one is to place
    the executable (or a shortcut to it) in the
    Startup folders.
  • Check all items in "C:\Documents and
    Settings\<username>\Start Menu\Programs\Startup"
    (for Windows NT4, substitute "C:\WINNT40\Profiles"
    for "C:\Documents and Settings"; on Windows Vista
    and later the folders are
    "C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
    and
    "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup").
  • You can also examine all the shortcuts by
    selecting Start, Programs, Startup. Note that
    there are two startup folders, one for the local
    user and one for all users. When a user logs on,
    all of the applications in both the "All Users"
    folder and the user's own Startup folder are
    started.

26
Check for unauthorized or suspicious services
  • Some backdoor programs install themselves as a
    service that is started when the system boots
  • The following command writes information about
    the installed services to a formatted HTML file
    (note: WMIC is only available on XP and above)
  • wmic /output:C:\services.htm service get /format:hform
  • Open this file from the C: drive and check that
    no service looks suspect. Compare each service's
    PathName against where the vendor's files are
    actually installed.
  • If there are any services that do not have a
    description, be suspicious and use a Google
    search to see what application is associated with
    the service.
  • Note: you can also use the Autoruns.exe
    application provided and click on the Services
    tab to see the same information on services.
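
The three checks above (Run keys, Startup folders, services) are one procedure: collect every auto-start entry, resolve it to the executable on disk, and decide whether that executable is what it claims to be. The following is an added example, not part of the original deck and not Sysinternals Autoruns; it assumes Windows PowerShell 3.0+ on Vista or later, run elevated so HKLM and every service are readable. The "unusual location" pattern is an assumption to extend for your environment.

```powershell
$RunKeys = @(
    'Software\Microsoft\Windows\CurrentVersion\Run',
    'Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'Software\Microsoft\Windows\CurrentVersion\RunOnceEx',
    'Software\Microsoft\Windows\CurrentVersion\RunOnce\Setup',
    'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Pull the executable path out of a command line such as
#   "C:\Program Files\Foo\foo.exe" /silent   or   C:\Windows\system32\svchost.exe -k netsvcs
function Get-ImagePath([string]$CommandLine) {
    if (-not $CommandLine) { return $null }
    $cl = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim()) -replace '^\\\?\?\\', ''
    if ($cl.StartsWith('"')) {
        $end = $cl.IndexOf('"', 1)
        if ($end -lt 0) { $end = $cl.Length }
        $path = $cl.Substring(1, $end - 1)
    } elseif ($cl -match '^(?<p>.+?\.(exe|dll|sys|cmd|bat|vbs|js))(\s|$)') {
        $path = $matches['p']                  # first token that ends in a known extension
    } else {
        $path = ($cl -split '\s+')[0]          # first whitespace-delimited token
        if ($path -notmatch '\.\w+$') { $path += '.exe' }   # services may omit the extension
    }
    if (-not [IO.Path]::IsPathRooted($path)) {
        # Relative image names resolve the way the service control manager does: system32 first
        foreach ($dir in "$env:SystemRoot\System32", $env:SystemRoot) {
            if (Test-Path -LiteralPath (Join-Path $dir $path)) { return (Join-Path $dir $path) }
        }
    }
    return $path
}

function Get-AutostartEntries {
    # 1. Registry Run keys in both hives (the PS* properties are provider metadata, not values)
    foreach ($hive in 'HKLM', 'HKCU') {
        foreach ($sub in $RunKeys) {
            $key = "${hive}:\$sub"
            if (-not (Test-Path -LiteralPath $key)) { continue }
            foreach ($v in (Get-ItemProperty -LiteralPath $key).PSObject.Properties) {
                if ($v.Name -match '^PS(Path|ParentPath|ChildName|Drive|Provider)$') { continue }
                [pscustomobject]@{ Source = $key; Name = $v.Name; Command = [string]$v.Value; Description = $null }
            }
        }
    }
    # 2. Startup folders for the current user and for all users; resolve .lnk targets
    $shell = New-Object -ComObject WScript.Shell
    foreach ($dir in [Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup')) {
        if (-not (Test-Path -LiteralPath $dir)) { continue }
        foreach ($f in Get-ChildItem -LiteralPath $dir -File -Force) {
            if ($f.Name -eq 'desktop.ini') { continue }
            $target = if ($f.Extension -eq '.lnk') { $shell.CreateShortcut($f.FullName).TargetPath } else { $f.FullName }
            [pscustomobject]@{ Source = $dir; Name = $f.Name; Command = $target; Description = $null }
        }
    }
    # 3. Services: the same data "wmic service get /format:hform" renders
    foreach ($s in Get-CimInstance -ClassName Win32_Service) {
        [pscustomobject]@{ Source = 'Service'; Name = $s.Name; Command = $s.PathName; Description = $s.Description }
    }
}

function Test-AutostartEntries {
    foreach ($e in Get-AutostartEntries) {
        $path   = Get-ImagePath $e.Command
        $exists = [bool]($path -and (Test-Path -LiteralPath $path))
        $sig    = if ($exists) { (Get-AuthenticodeSignature -FilePath $path).Status.ToString() } else { 'N/A' }
        $flags  = @()
        if (-not $exists)                                     { $flags += 'image missing' }
        elseif ($sig -ne 'Valid')                             { $flags += "signature $sig" }
        if ($e.Source -eq 'Service' -and -not $e.Description) { $flags += 'no description' }
        if ($path -match '\\Temp\\|\\Users\\Public\\')        { $flags += 'unusual location' }
        [pscustomobject]@{ Source = $e.Source; Name = $e.Name; Image = $path; Signature = $sig; Flags = ($flags -join '; ') }
    }
}

# Everything that earned a flag. A clean box still lists unsigned-but-legitimate
# software here, so this is the review list, not a verdict.
Test-AutostartEntries | Where-Object { $_.Flags } | Format-Table -AutoSize
```

The signature check is the part the HTML report from wmic does not give you: a service whose PathName points at an unsigned binary in a Temp folder is the case the slide's "be suspicious" advice is about, and the script surfaces it without reading every row.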

27
WMIC Output Example
28
Check Running Processes
  • Use Process Explorer for a graphical view of all
    running processes and the path to each
    executable.
  • You can also use Vision (needs to be installed)
    to view all processes and applications running on
    the machine and verify that the paths to the
    executables are correct.
  • Be suspicious of all processes that don't have a
    description or a valid digital signature (Process
    Explorer can verify image signatures for you).
  • If you are unsure of any process, Google it.

29
View all Network Connections
  • Use "netstat -a" (or "netstat -ano" on XP and
    later, which adds the owning PID) or TCPView to
    verify that all TCP connections go to remote
    hosts you expect.
  • Close all applications first to get a cleaner
    view.
  • Open TCPView and focus on the Remote Address
    field. If you see ESTABLISHED connections to
    Internet-based hosts or IP addresses, make sure
    that valid applications are making them.
  • Many Trojans connect to remote hosts on port
    6667 (IRC) to tell the bot network controller
    that they are listening. If you see any
    connection to port 6667 on an Internet IP address
    or hostname, the machine may have a Trojan.

30
Network Connections Contd
  • TCPView also lists every application that has a
    network endpoint and what connections it is
    making. Verify that nothing stands out as
    suspicious and investigate all suspicious
    connections/applications.
  • You can also use the netstat command that is part
    of the OS. Run "netstat -an" and verify that it
    matches what you see in TCPView. If a connection
    is shown in TCPView and does not show up in
    netstat, you may have a rootkit on the machine
    (note that both tools read the same kernel
    tables, so agreement between them proves little
    against a kernel-mode rootkit; a capture from a
    switch span port or the firewall logs is the
    independent view).
  • Note: TCPView and netstat reveal more about
    applications attempting to connect to an
    external IP if the workstation has a connection
    to the Internet.
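
The two slides above amount to a procedure: take the connection table, attach each established connection to the process that owns it, and flag connections to Internet hosts, connections on port 6667, and connections whose owner cannot be seen. The following is an added example, not part of the original deck, that does this over "netstat -ano" output. It assumes Windows PowerShell 3.0+ on XP or later with English netstat output; the netstat text embedded below is constructed for illustration and its PIDs mean nothing on your machine.

```powershell
$SampleNetstat = @'
  Proto  Local Address          Foreign Address        State           PID
  TCP    127.0.0.1:5354         127.0.0.1:49153        ESTABLISHED     1020
  TCP    192.168.1.20:49211     192.168.1.10:445       ESTABLISHED     4
  TCP    192.168.1.20:49302     203.0.113.45:6667      ESTABLISHED     3344
  TCP    192.168.1.20:49310     198.51.100.7:443       ESTABLISHED     2210
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       880
  UDP    0.0.0.0:5355           *:*                                    1020
'@ -split "`r?`n"

function ConvertFrom-Netstat([string[]]$Lines) {
    foreach ($line in $Lines) {
        # TCP rows carry a State column, UDP rows do not; IPv6 endpoints look like [::1]:445
        if ($line -match '^\s*(TCP|UDP)\s+(\S+):(\S+)\s+(\S+):(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$') {
            [pscustomobject]@{
                Proto = $matches[1]; LocalAddr = $matches[2]; LocalPort = $matches[3]
                RemoteAddr = $matches[4]; RemotePort = $matches[5]
                State = $matches[6]; PID = [int]$matches[7]
            }
        }
    }
}

function Test-PrivateAddress([string]$Ip) {
    # RFC 1918, loopback, link-local, unspecified and the wildcard count as "internal" here
    return $Ip -match '^(10\.|172\.(1[6-9]|2\d|3[01])\.|192\.168\.|127\.|169\.254\.|0\.0\.0\.0$|\*$|\[::1\]|\[::\]|\[fe80)'
}

function Get-SuspectConnections {
    param([string[]]$NetstatLines = (& netstat -ano))
    $procs = @{}
    foreach ($p in Get-Process) { $procs[[int]$p.Id] = $p }

    foreach ($c in ConvertFrom-Netstat $NetstatLines) {
        if ($c.State -ne 'ESTABLISHED') { continue }
        $flags = @()
        if (-not (Test-PrivateAddress $c.RemoteAddr)) { $flags += 'remote host on the Internet' }
        if ($c.RemotePort -eq '6667')                  { $flags += 'IRC port 6667 (bot controller?)' }
        $proc = $procs[$c.PID]
        # Owner already exited, or hidden from the process list: either way, look closer
        if (-not $proc -and $c.PID -ne 0)              { $flags += 'owning PID not visible to Get-Process' }
        if ($flags.Count -eq 0) { continue }
        $name  = if ($proc) { $proc.ProcessName } else { '?' }
        $image = if ($proc -and $proc.Path) { $proc.Path } else { '?' }
        [pscustomobject]@{
            Remote = "$($c.RemoteAddr):$($c.RemotePort)"; PID = $c.PID
            Process = $name; Image = $image; Flags = ($flags -join '; ')
        }
    }
}

# Dry run on the constructed sample, then the live table
Get-SuspectConnections -NetstatLines $SampleNetstat | Format-Table -AutoSize
Get-SuspectConnections | Format-Table -AutoSize
```

On the sample, the 203.0.113.45:6667 row is flagged twice (Internet host and IRC port), the 198.51.100.7:443 row once, and the sample PIDs are additionally reported as not visible because they do not exist on your machine; on a live run that third flag is the one to chase, since it is the netstat-versus-process-list discrepancy the slide describes.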

31
Is VMware or Other Virtual Machine Software
Installed on the Computer?
  • Virtual machines multiplex the underlying
    physical machine between several guests, each
    running its own operating system
  • Multiple OS environments can co-exist on the same
    computer; a bridged guest reaches the LAN as a
    separate host with its own MAC and IP address and
    none of the host's protections, so an unchecked
    VM is an unchecked machine
  • VMware Player and Microsoft Virtual PC are now
    free.
  • Tons of VMware appliances are ready for use at
  • http://www.vmware.com/appliances/
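
The question on the slide can be answered from the registry, the service list, the loaded drivers and the disk rather than by looking for a desktop icon. The following is an added example, not part of the original deck; it assumes Windows PowerShell 3.0+. The product, service and driver name patterns are assumptions drawn from the products the slide names plus VirtualBox and Hyper-V, to be extended for whatever your environment sees, and the disk-image search is limited to the profile and Public folders by default because a full-disk search is slow.

```powershell
$VmProductPattern = 'VMware|Virtual PC|VirtualBox|Hyper-V|Parallels'
$VmServicePattern = '^(VMware|VMAuthd|VMUSBArb|VMnet|VBox|vmms)'
$VmDriverNames    = @('vmx86', 'vmnetbridge', 'VBoxDrv', 'VBoxNetAdp')
$VmImageTypes     = @('*.vmx', '*.vmdk', '*.vhd', '*.vhdx', '*.vbox', '*.vdi')

function Get-VmSoftwarePosture {
    param([string[]]$ImageSearchRoots = @($env:USERPROFILE, $env:PUBLIC))

    # 1. Installed products, from the Uninstall keys (64-bit view, 32-bit view, per-user)
    $products = Get-ItemProperty -Path @(
            'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*') -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -match $VmProductPattern } |
        Select-Object DisplayName, DisplayVersion, InstallLocation

    # 2. Services and kernel drivers: these often outlive an "uninstall" that only removed the GUI
    $services = Get-Service | Where-Object { $_.Name -match $VmServicePattern -or $_.DisplayName -match $VmProductPattern }
    $drivers  = Get-CimInstance -ClassName Win32_SystemDriver | Where-Object { $VmDriverNames -contains $_.Name }

    # 3. Is a hypervisor running underneath Windows (Hyper-V role)? Property exists on Windows 8+, $null before.
    $hv = (Get-CimInstance -ClassName Win32_ComputerSystem).HypervisorPresent

    # 4. The guests themselves: disk images and VM definition files
    $images = foreach ($root in $ImageSearchRoots) {
        if (Test-Path -LiteralPath $root) {
            Get-ChildItem -Path $root -Recurse -File -Include $VmImageTypes -ErrorAction SilentlyContinue |
                Select-Object -ExpandProperty FullName
        }
    }

    [pscustomobject]@{
        Products          = @($products)
        Services          = @($services | Select-Object Name, Status)
        Drivers           = @($drivers  | Select-Object Name, State)
        HypervisorPresent = $hv
        DiskImages        = @($images)
        VmSoftwarePresent = [bool](@($products).Count + @($services).Count + @($drivers).Count + @($images).Count)
    }
}

$posture = Get-VmSoftwarePosture
$posture | Format-List
if ($posture.VmSoftwarePresent) {
    Write-Warning 'Virtual machine software or images found: each guest is a separate, unchecked host.'
}
```

Widen the search with -ImageSearchRoots (for example every fixed drive) when the user's profile is not where their virtual machines live; a .vmdk or .vhd on disk with no player installed still tells you the box has carried another OS.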

32
RootKit Detection - Difficult to Detect and Nearly
Impossible to Remove
  • RootKit detection details
  • For best results, exit all applications and keep
    the system otherwise idle during the rootkit
    scanning process
  • RootKit detection programs compare the results of
    a system scan at the highest level (the Windows
    API) with one at the lowest level (raw disk and
    registry hive structures); anything the API hides
    shows up as a discrepancy
  • The original way to perform detection was to dump
    a complete list of all the files on the volume
    from inside the operating system, then boot to
    the Recovery Console and dump another file list,
    then compare the two. If a file shows up in the
    second list but not in the first and isn't a
    Windows file kept hidden by default, it's
    probably a culprit
  • You should examine all discrepancies and
    determine the likelihood that they indicate the
    presence of a rootkit
  • From the results you should NOT see any of the
    following known rootkits: AFX, Vanquish and
    HackerDefender
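
The "list every file from inside the OS, list again from a clean boot, compare" technique on the slide is easy to script, and scripting it removes the "hidden by default" ambiguity because -Force lists hidden and system files in both runs. The following is an added example, not part of the original deck; it assumes Windows PowerShell 4.0+ (for Get-FileHash). Run New-FileManifest inside Windows first, reboot to WinPE or another clean boot medium where the volume is visible, run it again with -Root pointing at the mounted volume, then compare the two CSVs back in Windows. The file names, default root and exclusion list are assumptions for illustration.

```powershell
function New-FileManifest {
    param(
        [string]$Root = 'C:\',
        [string]$OutFile = 'C:\manifest-online.csv',
        [switch]$Hash,       # size-only is fast; hashing also catches files patched in place
        # Files that legitimately differ between the two runs
        [string[]]$Exclude = @('\pagefile.sys', '\hiberfil.sys', '\swapfile.sys', '\manifest-',
                               '\System Volume Information\', '\$Recycle.Bin\', '\Windows\Temp\')
    )
    # -Force lists hidden and system files, so hidden-by-design Windows files appear in BOTH lists
    Get-ChildItem -LiteralPath $Root -Recurse -Force -File -ErrorAction SilentlyContinue |
        Where-Object {
            $full = $_.FullName
            -not ($Exclude | Where-Object { $full -like "*$_*" })
        } |
        ForEach-Object {
            # Relative, lower-cased path so C:\ online and D:\ offline line up
            $rel = $_.FullName.Substring($Root.TrimEnd('\').Length).TrimStart('\').ToLowerInvariant()
            $h = ''
            if ($Hash) { $h = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash }
            [pscustomobject]@{ Path = $rel; Length = $_.Length; Hash = $h }
        } | Export-Csv -LiteralPath $OutFile -NoTypeInformation -Encoding UTF8
}

function Compare-FileManifest {
    param([string]$Online = 'C:\manifest-online.csv', [string]$Offline = 'C:\manifest-offline.csv')
    $on = @{};  Import-Csv -LiteralPath $Online  | ForEach-Object { $on[$_.Path]  = $_ }
    $off = @{}; Import-Csv -LiteralPath $Offline | ForEach-Object { $off[$_.Path] = $_ }

    foreach ($k in $off.Keys) {
        if (-not $on.ContainsKey($k)) {
            # Seen from the clean boot, invisible from inside Windows: the classic rootkit signature
            [pscustomobject]@{ Path = $k; Finding = 'HIDDEN ONLINE (rootkit candidate)' }
        } elseif ($on[$k].Length -ne $off[$k].Length -or
                  ($on[$k].Hash -and $off[$k].Hash -and $on[$k].Hash -ne $off[$k].Hash)) {
            # Same name, different bytes depending on who is asked
            [pscustomobject]@{ Path = $k; Finding = 'CONTENT DIFFERS' }
        }
    }
    foreach ($k in $on.Keys) {
        if (-not $off.ContainsKey($k)) {
            # Usually logs or temp files deleted between the two runs, but still worth a glance
            [pscustomobject]@{ Path = $k; Finding = 'online only' }
        }
    }
}

# Inside Windows:            New-FileManifest -Hash
# From WinPE (volume = D:):  New-FileManifest -Root 'D:\' -OutFile 'D:\manifest-offline.csv' -Hash
# Back in Windows:           Compare-FileManifest | Where-Object { $_.Finding -like 'HIDDEN*' }
```

The online manifest is produced by the possibly-hooked OS, which is the point: a file the API refuses to list cannot appear in it, while the offline pass, with the rootkit's driver never loaded, lists everything. Run the online pass first and keep the machine idle between the two runs so that the "online only" noise stays small.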

33
RootKit Detection Applications
  • Top 6
  • Product comparisons can be found at
  • www.informationweek.com/news/showArticle.jhtml?articleID=196901062&pgno=1&queryText=
  • A listing of other rootkit detectors can be found
    at
  • www.antirootkit.com/software/index.htm
  • F-Secure BlackLight - freeware
  • www.f-secure.com/security_center/
  • IceSword - freeware
  • www.blogcn.com/user17/pjf/index.html
  • RKDetector - freeware
  • www.rkdetector.com
  • Trend Micro RootkitBuster - freeware
  • www.trendmicro.com/download/rbuster.asp
  • RootKit Unhooker - freeware
  • www.antirootkit.com/software/RootKit-Unhooker.htm
  • RootkitRevealer - freeware by Sysinternals
  • www.microsoft.com/technet/sysinternals/Utilities/RootkitRevealer.mspx

34
Demonstration
  • Autoruns - shows you what programs are configured
    to run during system boot-up or login
  • TCPView - GUI viewer of all TCP and UDP endpoints
    and the process that owns each one (Tcpvcon is
    the command-line version)
  • Process Explorer - find out what files, registry
    keys and other objects processes have open and
    which DLLs they have loaded
  • ProcMon - an advanced monitoring tool for Windows
    that shows real-time file system, registry and
    process/thread activity
  • FileMon - this monitoring tool lets you see all
    file system activity in real time
  • HijackThis - lists the contents of key areas of
    the registry and hard drive
  • HijackThis Analyzer - a website that analyzes
    HijackThis output. http://hjt.networktechs.com/
  • Vision - reports all open TCP and UDP ports and
    maps them to the owning process or application
  • MBSA for Windows - an easy-to-use tool that helps
    determine a machine's security state in
    accordance with Microsoft security
    recommendations and offers specific remediation
    guidance
  • ActivePorts - monitors all open TCP and UDP ports
    on the local computer

35
Tools You Can Use - Summary
  • Standalone executables (run without being
    installed)
  • Autoruns
  • TCPView
  • RootkitRevealer
  • FileMon
  • DiskMon
  • Process Explorer
  • ProcMon
  • OpenPorts
  • http://www.virustotal.com/
  • Applications that need to be installed in order
    to use
  • Vision
  • AVS.msi
  • MBSA
  • HiJackThis
  • ActivePorts

36
Lessons Learned
  • Best practice is to prohibit third-party
    connections to your company network
  • Implement an automated way to protect your
    network, such as 802.1X and NAC/NAP
  • If a connection is required, have the third party
    read and sign an acceptable use document
  • Allow 2-3 hours per workstation to perform a
    due-diligence scan of the machine.
  • If you're going to allow third-party connections
    to your network, there are many risks that must
    be accepted.
  • Remember, your own employees could be your
    biggest concern.

37
Questions?
38
THANK YOU! For More Information
  • You can download the utilities I used at
  • http://www.patrickmccrann.com/utlities.zip
  • An assessment procedures document can be
    downloaded at
  • http://www.patrickmccrann.com/security_posture.doc
  • This PowerPoint can be downloaded at
  • http://www.patrickmccrann.com/secpos_slides.ppt