Network Security - PowerPoint PPT Presentation

Description:

The Freedom to Achieve Independent, Open Solutions for Business and ... Absinthe. Blind SQL Injection Automation. Exploiting lack of user input validation ... – PowerPoint PPT presentation

Slides: 22
Provided by: platinums

Transcript and Presenter's Notes

1
Network Security
Basic overview, hacking demos, and other
wholesome discussion
  • Presented By
  • Robert Settle
  • PlatinumSolutions, Inc.
  • Thursday, May 19th, 2005

2
Overview
  • Basic concepts
  • 10 domains of security
  • Demos

3
Network Threats and Motivation
  • Script kiddies - l337 h4x0r w4nn4b35
  • Corporate espionage - trade secrets
  • Foreign espionage - govt secrets
  • Disgruntled employees - revenge
  • Criminals -
  • Unwitting employees - get job done
  • Malicious code - recognition or revenge
  • Others

4
Biggest Threats
  • Unpatched computers
  • Users
  • Mistakes
  • Social engineering

5
Aspects of Network Security
  • Access Control Systems Methodology
  • Telecommunications, Network & Internet Security
  • Security Management Practices
  • Applications & Systems Development
  • Cryptography
  • Security Architecture & Models
  • Operations Security
  • Business Continuity Planning
  • Law, Investigation & Ethics
  • Physical Security
  • borrowed from ISC2 CISSP 10 domains

6
Access Control Systems
  • Concept of least privilege
  • Role separation
  • Applies to network traffic, files, and
    applications
  • Certification, auditing, and monitoring

7
Security Management
  • Policies
    • Essential
    • Boundaries and consequences
    • Will require extra resources (time, equipment,
      money)
  • Upper Management
    • Must approve and support policies
    • Must provide resources

8
Security Management
  • CIA Triad
    • Confidentiality
    • Integrity
    • Availability
  • Security education
    • Users
    • Administrators
    • Decision makers

9
Security Management
  • Risk = Threat x Vulnerability x Asset Value
  • As Threat, Vulnerability, or Asset Value approach
    zero, so does your risk
  • Analyze all three aspects to allocate security
    resources

10
Network and Internet Security
  • Classic concept of network security
  • Firewalls are NOT the silver bullet
  • Minimize exposure
    • perimeter and layered security
    • services
  • Always assume tapped public lines
  • Do not ignore insider threat
  • Patch, Patch, PATCH!

11
App/Systems Development
  • Remember security upfront
  • Writing secure code
    • Sanity check variables, especially user input
    • Hack/test your own application
    • Secure libraries and code evaluation tools
  • Building secure systems
    • Integrate centralized security mechanisms
    • Allow for granular access control and least
      privilege

12
Cryptography
  • Cryptography is not the security silver bullet
    either! Nor is PKI.
  • Do not allow external cleartext protocols
    • telnet, ftp, imap, pop3, etc.
    • Remember, public lines are tapped!
  • Utilize public and private key configuration in
    appropriate situations
    • Very effective and simple protection

13
Security Architecture/Models
  • Know basic security models/architectures
    • Barrier reef
    • Layered security
  • Learn from others
  • Apply common evaluation criteria
    • Common Criteria
    • Gold disks/STIGs

14
Operations Security
  • Neglected yet essential aspect
  • Sensitive information
    • Dumpster diving
    • Public websites
    • Help forums
  • Small pieces of information form a larger picture

15
Business Continuity & Disaster Recovery Planning
  • Planning for the worst
  • Personnel safety first
  • Value x Risk compared to protection costs
  • Procedures to provide order amidst chaos
  • Offsite backups and facilities
  • Recovery criteria & procedures
  • Exercises

16
Laws, Investigations, Ethics
  • Security laws
    • Federal Information Security Management Act
      (FISMA)
    • Health Insurance Portability and Accountability
      Act (HIPAA)
    • Gramm-Leach-Bliley Act
  • Employee monitoring/investigating
    • Search/seizure/wiretaps/subpoenas
  • Ethical behavior - difficult to define

17
Physical Security
  • Physical access = owning the box
  • Environmental protection
    • Raised floor
    • Fire suppression
    • HVAC
    • UPS, generators, surge protectors
  • Access control
    • Badges, mantraps, biometrics, passwords, keys

18
Demos

19
Metasploit
  • Modular exploitation toolkit
  • Exploit library
  • Payload library
  • Let's hack Windows XP!

20
Absinthe
  • Blind SQL Injection Automation
  • Exploiting lack of user input validation
  • Similar to 20 questions with the database
  • Let's hack Big Bob's Bookstore!
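
As an added example, not part of the original slides, the input-validation point from this slide and slide 11's "sanity check variables" in Python, using an in-memory SQLite table constructed for the demo: a lookup that concatenates user input answers the yes/no questions a blind-injection tool asks, while the parameterized lookup does not.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample catalogue for the demo (not data from the talk)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE books (id INTEGER PRIMARY KEY, title TEXT, price REAL)")
    conn.executemany(
        "INSERT INTO books (title, price) VALUES (?, ?)",
        [("Network Security Basics", 29.99), ("SQL for Everyone", 19.50)],
    )
    return conn


def search_vulnerable(conn: sqlite3.Connection, title: str) -> list:
    # Unvalidated input is concatenated straight into the SQL text, so quotes
    # and comment markers in the input become part of the query.
    sql = "SELECT title FROM books WHERE title = '" + title + "'"
    return [row[0] for row in conn.execute(sql)]


def search_parameterized(conn: sqlite3.Connection, title: str) -> list:
    # A bound parameter is always treated as data, never as SQL syntax.
    rows = conn.execute("SELECT title FROM books WHERE title = ?", (title,))
    return [row[0] for row in rows]


def sanity_check(title: str) -> bool:
    # Defense in depth from slide 11: reject input that cannot be a real title.
    # This is an allow-list, not a substitute for parameterized queries.
    return 0 < len(title) <= 100 and all(c.isalnum() or c in " .,:-'&" for c in title)


# Two probe strings of the kind a blind-injection tool sends: identical except
# that the appended condition is true in one and false in the other.
TRUE_PROBE = "x' OR 1=1 --"
FALSE_PROBE = "x' OR 1=2 --"


def leaks_oracle(search) -> bool:
    """True if the search answers a yes/no question: different results for the
    true and false probes are the one bit per question a 20-questions attack extracts."""
    conn = make_db()
    return search(conn, TRUE_PROBE) != search(conn, FALSE_PROBE)


if __name__ == "__main__":
    print("vulnerable leaks oracle:", leaks_oracle(search_vulnerable))        # True
    print("parameterized leaks oracle:", leaks_oracle(search_parameterized))  # False
```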

21
Questions?