Extranet for Security Professionals Intrusion Scenarios - PowerPoint PPT Presentation

Slides: 20
Provided by: htk
Transcript and Presenter's Notes
1
Extranet for Security Professionals: Intrusion Scenarios
  • Heather T. Kowalski
  • Tong Xu
  • Ying Hao
  • Hui Huang
  • Bill Halpin
  • Nov. 14, 2000

2
Preview
  • Review of Project Progress
  • Accomplishments
  • Current Status
  • What We Have Learned
  • Today's Focus: Intrusion Scenarios
  • Future Steps

3
Review
  • Business Mission
  • Central Repository of Security Information
  • Central Location for Information Sharing
  • Secure Environment, Manageable Resource
  • System Architecture
  • Essential Services/Assets
  • Normal Usage Scenarios

4
System Architecture (network diagram; only the node labels survived extraction, grouped below by the host each product label sits next to on the slide)
  • Primary Users / Client WorkStation
  • Router (FW1): Cisco 7200, 128.237.144.1
  • DNS (two hosts): RedHat 6.2, IPchains
  • IDS-1 and IDS-2: Windows NT 4.0 (SP6) with Hot Fixes, RealSecure 3.2
  • Firewall-2: Windows NT 4.0 (SP6) with Hot Fixes, Guardian Pro V5
  • Web Server: Windows NT 4.0 (SP6) with Hot Fixes, NES 3.63, Cold Fusion 4.5.1, ActiveState Perl 5.5, Tripwire 2.2.1
  • Database: Visual FoxPro

5
Attackers vs. Legitimate Users
  • Attackers
    • Recreational/Casual Hackers
    • Disgruntled Employee
    • Organized Criminal Groups
    • Nation/State
  • Legitimate Users
    • ESP User
    • VSO CR Owners
    • Site Manager
    • Organizational Manager
    • Site Administrator

6
Objectives of Attacks
  • Embarrassment of the Target Organization
  • Embarrassment of the Target User
  • Financial Gain by Selling Acquired Information
  • Improve Hacking Skill Set
  • Fun/Vanity
  • Publicity

7
Attacker Profile: Recreational/Casual Hacker
  • Resources: none or limited
  • Time: depends on opportunity
  • Tools: free/cheap and readily available tools
  • Risk attitude: unaware of consequences and risks
  • Access: from outside network
  • Objective: fun, vanity, skill test, or none
  • Damage: limited

8
Attacker Profile: Disgruntled Employee
  • Resources: enough to create a significant attack
  • Time: depends on malice
  • Risk Attitude: strongly risk averse
  • Access: from inside
  • Objectives:
    • Revenge through embarrassment
    • Financial gain

9
Attacker Profile: Organized Entity
  • Who: organized criminals, fanatics, enemy nations/states, etc.
  • Resources and Time: unlimited
  • Risk Attitude: genuine risk seeker
  • Access: external or internal
  • Objectives: Publicity!!! Real Damage!!!

10
Potential Attack Pattern
  • Attack as User
    • Gain illegal access as end user
    • Gain illegal access as system administrator
  • Attack on Component
    • Disable or slow down the processing ability of a component
  • Attack on Application
    • Induce system crash
    • Induce service failure
    • Induce asset damage

11
Compromisable Components
  • Route
  • DNS
  • Firewall
  • Web Server
  • Database
  • IDS
  • Sniffing, Scans, Enumeration, Malicious Code,
    Flooding
  • Malicious Code, Buffer Overflow
  • Time, Planning, Buffer Overflow, Password

12
More Facts
  • No intrusion in ESP has been reported since date of establishment
  • ESP has strong physical security
    • Multi-layer protection
    • Dedicated room
    • Only a few have physical access
  • Other protective efforts
    • Regular reconfiguration of firewall (once per month)
    • Virus signature files are updated daily

13
Recreational Hacker (attack-path diagram; only the node labels survived extraction: Router (FW1), Firewall-2, DNS1, IDS, Database, Web Server, DNS2, IDS)

14
Compromised User Workstation (attack-path diagram; only the node labels survived extraction: Router (FW1), Firewall-2, DNS1, IDS, Database, Web Server, DNS2, IDS)

15
(Untitled attack-path diagram; only the node labels survived extraction: Router (FW1), Firewall-2, DNS1, IDS, Admin Console, Database, Web Server, DNS2, IDS)

16
Future Plans
  • Regular Saturday Team Meetings
  • Planned Meeting with Client
  • Final Presentation and Report
  • Summary of Findings
  • Recommendations

17
Questions?

18
Type of DOS Attacks
  • Bandwidth consumption
  • Resource starvation
  • Programming flaws
  • Router attacks
  • DNS attacks

19
Examples of DOS Attacks
  • Network-based DOS attacks
    • ICMP traffic (ping, echo flood)
    • SYN flood
  • Windows NT Programming Flaw Attacks
    • Tools: TearDrop, OOB (port 139), Land, Ping of Death
  • Cisco Router Attacking Tools
    • Tool: Land
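The two network-based patterns above (SYN flood and ICMP echo flood) are what a host-side or IDS-side detector would watch for on the architecture this deck describes. The following is an added example, not code from the presentation or from the ESP project: a small Python detector that buckets constructed flow records into one-second windows and raises an alert when a destination accumulates many half-open SYNs from many distinct sources, or many ICMP echo requests. The record format, the addresses, and the thresholds are all assumptions made for this example.

```python
"""Toy flood detector over constructed flow records (added example).

Record format (constructed for this example, not a real sensor format):
    "<ts> <proto> <src> <dst> <dport> <flags>"
where flags is a TCP flag string ("S" bare SYN, "SA" SYN-ACK, "A" ACK)
or an ICMP type name ("echo-request", "echo-reply").
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: float     # seconds since capture start
    proto: str    # "tcp" or "icmp"
    src: str
    dst: str
    dport: int    # 0 for icmp
    flags: str


def parse_record(line):
    """Parse one constructed record line into a Flow."""
    ts, proto, src, dst, dport, flags = line.split()
    return Flow(float(ts), proto, src, dst, int(dport), flags)


def detect_floods(flows, window=1.0, syn_threshold=50, icmp_threshold=100, min_sources=10):
    """Bucket flows into fixed windows and flag, per destination:
    - syn_flood: bare SYNs minus completing ACKs (the half-open backlog the
      target must hold) reaches syn_threshold, from at least min_sources
      distinct sources (spoofed sources are the usual SYN-flood signature)
    - icmp_flood: echo requests reach icmp_threshold
    Thresholds are illustrative assumptions, not tuned values.
    Returns a list of alert dicts sorted by window."""
    syn = defaultdict(int)
    ack = defaultdict(int)
    syn_srcs = defaultdict(set)
    echo = defaultdict(int)
    echo_srcs = defaultdict(set)
    for f in flows:
        key = (int(f.ts // window), f.dst)
        if f.proto == "tcp":
            if f.flags == "S":
                syn[key] += 1
                syn_srcs[key].add(f.src)
            elif f.flags == "A":
                ack[key] += 1
        elif f.proto == "icmp" and f.flags == "echo-request":
            echo[key] += 1
            echo_srcs[key].add(f.src)

    alerts = []
    for key, n in syn.items():
        half_open = n - ack.get(key, 0)
        if half_open >= syn_threshold and len(syn_srcs[key]) >= min_sources:
            alerts.append({"kind": "syn_flood", "window": key[0], "dst": key[1],
                           "half_open": half_open, "sources": len(syn_srcs[key])})
    for key, n in echo.items():
        if n >= icmp_threshold:
            alerts.append({"kind": "icmp_flood", "window": key[0], "dst": key[1],
                           "requests": n, "sources": len(echo_srcs[key])})
    return sorted(alerts, key=lambda a: a["window"])


def constructed_records():
    """Constructed sample traffic (addresses are private/documentation ranges):
    window 0: 20 clients complete handshakes to the web server (benign burst)
    window 1: 200 bare SYNs from 200 distinct sources to the web server
    window 2: 150 echo requests from 50 sources to the router"""
    lines = []
    for i in range(20):
        lines.append(f"0.{i:02d} tcp 10.1.0.{i + 1} 10.0.0.5 80 S")
        lines.append(f"0.{i + 20:02d} tcp 10.1.0.{i + 1} 10.0.0.5 80 A")
    for i in range(200):
        lines.append(f"1.{i:03d} tcp 192.0.2.{i % 250 + 1} 10.0.0.5 80 S")
    for i in range(150):
        lines.append(f"2.{i:03d} icmp 198.51.100.{i % 50 + 1} 10.0.0.1 0 echo-request")
    return lines


def run_demo():
    """Parse the constructed records and return the alerts they produce."""
    flows = [parse_record(line) for line in constructed_records()]
    return detect_floods(flows)


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

The benign burst in window 0 produces no alert because every SYN is followed by an ACK from the same client, so the half-open count stays at zero; the flood in window 1 is flagged on both volume and source diversity, and the echo flood in window 2 on volume alone. A real deployment would key on source port as well and use a sliding rather than fixed window, but the counters are the same ones an IDS such as the RealSecure sensors in this architecture would maintain.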