Ethical Hacking Workshop - PowerPoint PPT Presentation

About This Presentation

Title: Ethical Hacking Workshop
Slides: 49
Provided by: jamesst8

Transcript and Presenter's Notes

Title: Ethical Hacking Workshop


1
Ethical Hacking Workshop
  • Your name

2
Presentation Goals
  • Provide a framework for understanding security
  • Present best practices for
  • Protecting against attacks from the Internet
  • Locking down clients and servers
  • Developing an ongoing security strategy
  • Discuss primary and emerging technologies
  • Encryption
  • Biometrics
  • Smart Cards
  • Trustworthy Computing
  • Listen to your concerns
  • Questions and Answers

3
The Challenge of Security
Internet-enabled businesses face challenges
ensuring their technologies for computing and
information assets are secure, fast and easy with
which to interact.

The right access,
to the right content,
by the right people.
4
Business Impact
  • According to the Computer Crime and Security
    Survey 2002 by the Computer Security Institute
    (CSI) and the FBI
    • 90% detected computer security breaches
    • 80% acknowledged financial losses due to computer
      breaches
    • 40% of respondents quantified financial losses at
      $456 million, or $2 million per respondent
    • 40% detected system penetration from the outside,
      up from 25% in 2000
    • 85% detected computer viruses
  • InformationWeek estimates
    • Security breaches cost businesses $1.4 trillion
      worldwide this year
    • 2/3 of companies have experienced viruses, worms,
      or Trojan Horses
    • 15% have experienced Denial of Service attacks

Source: Computer Security Institute (CSI),
Computer Crime and Security Survey 2002
Source: InformationWeek.com, 10/15/01
5
Evaluating Security Threats
The Security Puzzle
6-13
Evaluating Security Threats (title-only slides, no transcript)
14
Common Attacks
  • Backdoor
  • Bacteria
  • Buffer overflow/overrun
  • Compromised system utilities
  • E-mail forgery
  • E-mail relay
  • IP spoofing
  • Keystroke monitoring
  • Logic bomb
  • Mail bombing
  • Man in the middle
  • Masquerade
  • Network scanning
  • Packet sniffing
  • Password cracking
  • Ping flooding
  • Replay attack
  • Script kiddies
  • Security audit tools
  • Shell escapes
  • Shoulder surfing
  • Smurfing
  • Social engineering
  • SYN flooding
  • Traffic analysis
  • Trapdoor
  • Trojan horse
  • van Eck attack
  • Virus
  • War dialing
  • Worm
15
Example 1
  • Attack: Buffer Overflow
  • Goals
    • All
  • Vulnerabilities
    • Weak design (designer)
    • Carelessness (customer not patching)
  • Defenses
    • Peer review (designer)
    • Patching (customer)
  • Examples
    • Code Red
    • Internet Worm of '88

16
Example 2
  • Attack: E-Mail Forgery
  • Goals
    • Trophy grabbing
    • Identity theft
  • Vulnerabilities
    • Implicit trust
    • Public information
    • Weak design
  • Defenses
    • Public key cryptography
    • Training
  • Examples
    • Good Times
    • Free Windows
    • Penpal Greetings

17
Example 3
  • Attack: Social Engineering
  • Goals
    • All
  • Vulnerabilities
    • Implicit trust
  • Defenses
    • Training
    • Process review
  • Examples
    • IRQ downloads
    • Attachment viruses
    • Password elicitation

18
Example 4
  • Attack: Virus
  • Goals
    • Trophy grabbing
    • Tampering and Vandalism
    • Denial of service
  • Vulnerabilities
    • Implicit trust
    • Weak design
  • Defenses
    • Virus scanner
    • Training
    • Patching
  • Examples
    • Stoned, Michelangelo (true)
    • Love Bug (macro)
    • Melissa (macro)

19
Hacking
  • Coordinated series of attacks for gaining control
    of a computer system
  • Each attack achieves a goal which enables a
    subsequent, more serious attack
  • Example
    • Scanning reveals target networks
    • Sniffing on those networks reveals a user
      password
    • Masquerading as that user, the hacker logs in
    • Exploiting a buffer overflow in a utility yields
      admin privileges
    • Compromising system utilities helps to hide
      presence
    • Creating backdoors provides for easier re-entry

20
Hacking
Hacking is just one of many security threats.
21
Hacking Lifecycle
22
10 Steps to Better Security
23
STEP 1 Implement a firewall
  • Either stateful inspection, a proxy, or hybrid
  • Create a demilitarized zone and use it properly

24
STEP 2 Filter packets to prevent spoofing
  • At your gateway
  • Both incoming and outgoing packets
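
As an added example (not part of the deck) of the STEP 2 rule: the ingress and egress anti-spoofing checks a gateway applies, simulated in Python over constructed packets. The internal prefix 10.20.0.0/16, the bogon list and the sample addresses are assumptions for the demo; a real gateway expresses the same two rules in its access lists.

```python
# Added example, not from the deck: the two STEP 2 rules (ingress and egress
# anti-spoofing) as a gateway filter simulated over constructed packets.
import ipaddress

# Assumed site layout (constructed): one internal prefix behind the gateway.
INTERNAL_NETS = [ipaddress.ip_network("10.20.0.0/16")]
# Sources that are never legitimate on the wire in either direction.
BOGON_NETS = [ipaddress.ip_network(n) for n in
              ("0.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16")]


def in_any(addr, nets):
    return any(addr in net for net in nets)


def filter_packet(interface, src):
    """Decide on one packet seen at the gateway; returns (verdict, reason).

    interface: "external" = arriving from the Internet, "internal" = leaving.
    Ingress rule: an inbound packet may not claim one of our own addresses.
    Egress rule:  an outbound packet must carry one of our own addresses.
    """
    src_ip = ipaddress.ip_address(src)
    if in_any(src_ip, BOGON_NETS):
        return "DROP", "bogon source"
    if interface == "external":
        if in_any(src_ip, INTERNAL_NETS):
            return "DROP", "ingress: inbound packet spoofs an internal source"
        return "ACCEPT", "ingress ok"
    if interface == "internal":
        if not in_any(src_ip, INTERNAL_NETS):
            return "DROP", "egress: outbound packet spoofs a foreign source"
        return "ACCEPT", "egress ok"
    return "DROP", "unknown interface"


# Constructed sample traffic: (interface seen on, source address).
SAMPLE_PACKETS = [
    ("external", "198.51.100.7"),   # ordinary inbound
    ("external", "10.20.1.9"),      # inbound but claims to be one of ours
    ("internal", "10.20.1.5"),      # ordinary outbound
    ("internal", "203.0.113.4"),    # outbound with a foreign source
    ("external", "127.0.0.1"),      # loopback address on the wire
]


def run_filter(packets=SAMPLE_PACKETS):
    """Verdict for each packet, in order."""
    return [filter_packet(*pkt)[0] for pkt in packets]


if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE_PACKETS, run_filter()):
        print(f"{verdict:6} {pkt[0]:8} {pkt[1]}")
```

The egress rule is the one most often skipped: it protects other people's networks from packets forged on yours, which is why the slide says both directions.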

25
STEP 3 Harden the software
  • Patch quickly and routinely
  • When re-installing an OS, don't forget to patch
  • Enable OS features that detect common DoS attacks
  • Always scrutinize default configurations
  • Bind interfaces to listen only on networks they
    will serve
  • Disable unnecessary services

FIX!
26
Limiting Interface Connections
27
STEP 4 Lock down Web applications
  • Disable scripting if not needed
  • Remove sample scripts
  • Use restricted permission modes of scripting
    environments
  • Make use of integrated security features
  • Be vigilant in preventing replay attacks

28
STEP 5 Always use encryption
  • Disable Telnet
  • Use terminal services or other secure access
    mechanisms
  • Consider link-level or OS-supported encryption for
    high-security apps

29
STEP 6 Defend DNS
  • Don't allow zone transfers to unknown servers
  • Limit records available to external queries
  • Be paranoid about registrar records to avoid
    hijacks

30
STEP 7 Patrol passwords
  • Train users on good password selection
  • Enforce good password selection
  • Outlaw and punish password sharing
  • Use aging tools
  • Don't give in to whining about inconvenience
  • Prepare for the increased support load

31
STEP 8 Implement auditing and intrusion detection
  • Watch for suspicious activity
  • Includes virus scanning software
  • Keep intrusion detection software up-to-date
  • Post No Trespassing signs and prosecute
    violators
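
As an added example (not part of the deck) of the auditing STEP 8 calls for: a small rule run over constructed syslog-style lines that flags a source producing many failed logins within a short window and notes whether a success followed the burst. The line format, the threshold of five failures per minute and the sample addresses are assumptions for the demo.

```python
# Added example, not from the deck: a failed-login burst detector run over
# constructed log lines. Format, thresholds and addresses are assumptions.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) auth: "
    r"(?P<result>Failed|Accepted) login for (?P<user>\S+) from (?P<src>[\d.]+)$"
)

# Constructed sample log: one burst from 203.0.113.9, one slow user typo.
SAMPLE_LOG = """\
2024-03-01T08:00:01 auth: Failed login for alice from 203.0.113.9
2024-03-01T08:00:03 auth: Failed login for bob from 203.0.113.9
2024-03-01T08:00:04 auth: Failed login for carol from 203.0.113.9
2024-03-01T08:00:06 auth: Failed login for dave from 203.0.113.9
2024-03-01T08:00:07 auth: Failed login for erin from 203.0.113.9
2024-03-01T08:00:09 auth: Accepted login for erin from 203.0.113.9
2024-03-01T08:05:00 auth: Failed login for alice from 10.20.1.5
2024-03-01T08:20:00 auth: Failed login for alice from 10.20.1.5
2024-03-01T08:20:30 auth: Accepted login for alice from 10.20.1.5
garbage line that does not parse
"""


def parse_line(line):
    """Return (timestamp, result, user, source) or None for unknown lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["src"]


def find_bruteforce(log_text, threshold=5, window=timedelta(minutes=1)):
    """Sliding-window rule: a source with >= threshold failures inside
    `window` is reported once, with the time of the alert and whether a
    later Accepted line from the same source was seen (worth escalating)."""
    recent = defaultdict(deque)     # source -> timestamps of recent failures
    alerts = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue                # unparsable lines are skipped, not fatal
        ts, result, user, src = rec
        if result == "Failed":
            q = recent[src]
            q.append(ts)
            while q and ts - q[0] > window:
                q.popleft()         # forget failures outside the window
            if len(q) >= threshold and src not in alerts:
                alerts[src] = {"first_alert": ts, "success_after": False}
        elif result == "Accepted" and src in alerts:
            alerts[src]["success_after"] = True
    return alerts


if __name__ == "__main__":
    for src, info in find_bruteforce(SAMPLE_LOG).items():
        print(src, info)
```

A real deployment would read from the log pipeline rather than a string and feed alerts to the ticketing system, but the per-source sliding window is the same; the "success after burst" flag is what separates noise from an account that needs immediate attention.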

32
STEP 9 Don't forget the human factor
  • Ensure policies are congruent with technical
    safeguards
  • Always have checks and balances
  • Implement peer and process reviews
  • Re-evaluate policies and processes regularly

33
Security Policy Life Cycle Model
34
STEP 10 Remain diligent
  • Develop an ongoing mindset
  • Develop and update organizational security
    policies and audits
  • Take advantage of pro-active notification
    services, such as for patches
  • Never done with security
    • New threats will emerge
    • Not if but when
  • Keep a lookout and be prepared!

35
Networked Storage Security Guidelines
1 - Compartmentalize Hosts, Volumes and Arrays
2 - Control administrator actions
3 - Restrict network access
4 - Physically protect your environment
5 - Optimize security on Hosts and on
administration servers
(Diagram: administration server and hosts connected to Networked Storage)
36
Advanced Authentication
  • authentication, n.: to establish the authenticity
    of, such as identity
  • Authentication methods
    • Something you know: passwords
    • Something you possess: a badge or smart card
    • Something about you: biometrics (fingerprints,
      retinal scan, etc.)
  • Most used/convenient is something known
  • Weakest is something known
  • Strongest authentication combines two or more

37
Advanced Privacy
  • privacy, n.: the state of being concealed; secrecy
  • Privacy methods
    • Encryption
      • Cryptography (it's obviously encrypted)
      • Steganography (hidden, and not obvious)
    • Security through obscurity
    • Capture prevention
      • Nearly impossible
    • Physical proximity
      • Impractical for network connections

38
Encryption
Cleartext + Encoding Key -> Cyphertext
Cyphertext + Decoding Key -> Cleartext
39
Symmetric and Public Key Systems
  • Symmetric Key
    • A single key is used for both encoding and
      decoding
    • The key is kept secret
    • Old style encryption system
    • Key distribution is a significant problem
    • Examples: DES, AES
  • Public (Asymmetric) Key
    • Always two keys (key pair)
    • One private, the other public (anyone can know
      it)
    • Encrypt with either, and decrypt with the other
    • Key distribution easier (new problem: public key
      disinformation)
    • Provides authentication and privacy
    • Examples: RSA, PGP

40
More About Public Key Systems
  • Keys are based on prime numbers and arithmetic
    operations
  • Strength expressed as size of key (64-bit,
    128-bit)
  • Authentication
    • If my public key turns cyphertext into
      cleartext, you know it was encoded with my
      private key, which only I know.
  • Privacy
    • If I encode something with your public key, only
      you will be able to decode it.
  • Authentication and privacy
    • If I encode something with my private key, then
      with your public key, you would decode it with
      your private key, then my public key.
  • Public key systems support certificate
    authorities

41
Hybrid Encryption Systems
  • Private key systems have key distribution
    problems
  • Public key systems are computationally intensive
  • Best practice combines the two
    • Use public key to establish authenticity and
      privacy
      • A secure connection is both private and
        authenticated
    • Negotiate a one-time private key using the secure
      connection
      • Known as a session key; good only for this
        session
    • Tear down the public key secure connection
      • It is too expensive to use for the rest of the
        conversation
    • Create new secure connection using private
      session key
      • Use this connection for the rest of the
        conversation
  • Examples: SSL, VPNs

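Added here as a worked example (not code from the deck or from EC-Council) covering the two preceding slides: textbook RSA built from two random primes, showing the three uses on slide 40 (encode with private and decode with public, encode with public and decode with private, and the double encoding), followed by the hybrid flow of slide 41, where a session key is wrapped with RSA and the rest of the conversation runs under a cheap symmetric cipher. The 256-bit modulus, the SHA-256 counter-mode keystream standing in for DES/AES, and the absence of padding are assumptions of this toy; production code uses RSA-OAEP or Diffie-Hellman with AES-GCM and checks certificates.

```python
# Added example, not code from the deck. Textbook RSA with random primes plus
# a hybrid session (RSA wraps a session key, symmetric cipher does the rest).
# Toy assumptions: no padding (OAEP), no authenticated cipher, no certificates.
import hashlib
import math
import secrets


def is_probable_prime(n, rounds=20):
    """Miller-Rabin primality test; probabilistic but fine for a demo."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits):
    """Random odd prime with its top bit set, so it has exactly `bits` bits."""
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def rsa_keygen(bits=256, e=65537):
    """Slide 40: keys come from two primes and modular arithmetic.
    Returns (public, private) as ((e, n), (d, n))."""
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            break
    return (e, p * q), (pow(e, -1, phi), p * q)


def rsa_apply(key, m):
    """Encode with either half of the pair; the other half decodes it."""
    exp, n = key
    if not 0 <= m < n:
        raise ValueError("message must be smaller than the modulus")
    return pow(m, exp, n)


def sign_then_encrypt(m, sender_priv, receiver_pub):
    """Slide 40, 'authentication and privacy': my private key, then your
    public key. The intermediate value must fit under your modulus."""
    if sender_priv[1] >= receiver_pub[1]:
        raise ValueError("sender modulus must be smaller than receiver modulus")
    return rsa_apply(receiver_pub, rsa_apply(sender_priv, m))


def decrypt_then_verify(c, receiver_priv, sender_pub):
    """Undo sign_then_encrypt: your private key first, then my public key."""
    return rsa_apply(sender_pub, rsa_apply(receiver_priv, c))


def keystream_xor(key, data):
    """Toy symmetric cipher standing in for DES/AES: SHA-256 counter-mode
    keystream XORed over the data. The same call encrypts and decrypts."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out.extend(x ^ y for x, y in zip(data[offset:offset + 32], pad))
    return bytes(out)


def hybrid_session(server_pub, server_priv, plaintext):
    """Slide 41: client wraps a fresh session key with the server's public
    key, then both sides use the cheap symmetric cipher for the conversation.
    Returns (key_matched, plaintext_recovered_by_server)."""
    session_key = secrets.token_bytes(16)                            # client
    wrapped = rsa_apply(server_pub, int.from_bytes(session_key, "big"))
    unwrapped = rsa_apply(server_priv, wrapped).to_bytes(16, "big")  # server
    ciphertext = keystream_xor(session_key, plaintext)               # client
    recovered = keystream_xor(unwrapped, ciphertext)                 # server
    return session_key == unwrapped, recovered


if __name__ == "__main__":
    pub, priv = rsa_keygen()
    print(hybrid_session(pub, priv, b"rest of the conversation"))
```

Two details the slide wording glosses over: the double encoding only works when the sender's modulus is smaller than the receiver's (otherwise the intermediate value does not fit, which is why the function checks it), and the hybrid step is safe only because the session key is smaller than the modulus and is never reused; modern protocols also add padding and an integrity check so a tampered ciphertext is rejected rather than decrypted to garbage.
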
42
But Encryption Isn't Enough
  • Solely a "what you know" system
    • Keys can be divulged
    • Keys can be guessed or determined
  • Combined with "what you have" or "what you are"
    • Smart Card: password no good without your badge
    • Biometrics: password no good without your
      fingerprint
    • Platform authentication: private keys stored in
      silicon, bound to hardware
  • Maybe use all three?

43
The Security Challenge
  • Products and systems must be designed with
    security as a goal, not as an afterthought
  • System administrators must consider security
    ramifications of every decision
  • Security awareness must infuse every process and
    policy
  • Security training and education cannot be skipped
  • Must do all this while
    • Not significantly reducing the benefits of use
    • Not increasing inconvenience beyond users'
      toleration

44
The Future of Security
  • Opt-in configurations instead of Opt-out
  • Security checks at every level
  • Platform authentication more important
  • Biometrics and smart cards more prevalent
  • All-pervasive encryption
  • Stronger authentication systems
  • Security an absolute product requirement
  • Potential for increased hassle
  • Potential for lost information
  • Increased litigation surrounding security breaches

45
(No Transcript)
46
Infamous Bill Gates Trustworthy Computing E-mail
  • Year 2002 - Microsoft initiated Trustworthy
    computing initiative to focus on security on all
    of its products.

47
Today: Security at Microsoft?
  • May 9, 2003, 10:45 AM PT
  • A serious security flaw in Microsoft's Passport
    service put more than just its 200 million
    customers' accounts at risk.
  • For a company that has publicly made security a
    priority, the Passport problem was a serious
    setback. http://news.com.com/2100-1009-1000655.html

48
Questions and Feedback
  • Please send us your feedback on this workshop to
  • feedback@eccouncil.org