
IT Security Assessments: Challenges and Solutions

This presentation provides ideas and approaches for conducting IT security assessments, focusing on scanning infrastructure and generating effective reports. It covers vulnerabilities, threats, exploits, and the importance of visualization.




Presentation Transcript


  1. Decade of IT Security Assessments: March 23, 2011

  2. About The Presentation: IT security and compliance assessments pose many challenges to organizations, where many departments demand results in a variety of reporting visualizations. This presentation provides numerous ideas for IT security assessments that can be generated by scanning your infrastructure from two approaches:
     • Individual scanner node installations for security engineer/auditor use.
     • Individual scanners centrally managed, a.k.a. distributed vulnerability management system use.

  3. Heterogeneous Threats: identify all systems and devices with an IPv4, IPv6 or URL address.

  4. Sample Vulnerabilities
     • Unsecured Accounts: null password, admin with no password, no password expiration…
     • Unnecessary Services: VNC, Finger, SSH, Telnet, RPC…
     • Backdoors: spyware, Conficker, MyDoom, BACKORIFICE…
     • Mis-configurations: NetBIOS shares, anonymous FTP world read/write
     • Software Defects (Missing Patches): buffer overflow, RPC-DCOM, SQL injection, XSS…

  5. Types of Exploits
     • Remote Exploit: attacks that utilize the vulnerability can be launched across a network against a system without any previous access to the system.
     • Client Exploit: the victim must access the attacker's resource for an attack to take place. Most commonly used in email forgery attacks.
     • Local Exploit: to launch an attack locally, the attacker must already have some access to the operating system (privilege elevation).
     DoS (denial of service) exploits are excluded.

  6. Remote Exploit Sample: sample exploit URL http://VICTIM/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\inetpub\wwwroot (diagram: Internet > Router > Firewall > Network). Over 75% of our successful remote attacks exploit known vulnerabilities in exposed services. The majority of these attacks are performed through open services such as 80 (HTTP), 443 (HTTPS) and 25 (SMTP).

  7. Local Exploit Sample: the same exploit URL http://VICTIM/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\inetpub\wwwroot (diagram: Internet > Router > Firewall > Network, with the compromised host labelled "C:/VICTIM/whatever/attacks/because/now I am in!"). Local attacks use an easily compromised system as a foothold to attack the rest of the network. Local exploits work once a system has already been compromised; this is the path to "tunneling" or compromising trust relationships.

  8. Client Exploit Sample: forged email (diagram: Internet > Router > Firewall > Network, message labelled "Happy Valentines Day!"). Client exploits are becoming very popular as attack servers are hosted off-site, where users click on an HTML link, visit a web site or open an attachment. The most successful compromise of systems today!

  9. Sample Vulnerability List: 25 other popular columns are available for correlation, depending on who your audience is. Note: not all vulnerabilities are exploitable.

  10. Critical Concept
     • Create scan policy "Exploitable Vulns Only"
     • Equals fast scan time
     • Reporting is straightforward, with mission-critical remediation
     • Great for pen testers
     • Top of the remediation list: eliminate any exploit code that could be launched
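One way to turn the "Exploitable Vulns Only" policy of slide 10 into a remediation list, using the exploit categories of slide 5 (remote, client, local; DoS excluded). This is an added example, not code from the presentation or from SAINT: the findings are constructed, and the ordering remote > client > local is an assumption chosen for illustration, not something the slides prescribe.

```python
"""Build the "Exploitable Vulns Only" remediation list described on slide 10.
Added example, not from the presentation; findings are constructed and the
remote > client > local ordering is an assumption for illustration."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    name: str
    cvss: float
    exploit: Optional[str]   # "remote", "client", "local", "dos" or None (no exploit known)

# Lower number = remediate first. DoS exploits are excluded, matching slide 5.
EXPLOIT_RANK = {"remote": 0, "client": 1, "local": 2}

def exploitable_only(findings):
    """The policy filter: keep only findings with launchable exploit code."""
    return [f for f in findings if f.exploit in EXPLOIT_RANK]

def remediation_list(findings):
    """Order exploitable findings by exploit type, then CVSS descending."""
    return sorted(exploitable_only(findings),
                  key=lambda f: (EXPLOIT_RANK[f.exploit], -f.cvss, f.host))

def by_host(findings):
    """Group the prioritized list per host for the technical report."""
    grouped = defaultdict(list)
    for f in remediation_list(findings):
        grouped[f.host].append(f.name)
    return dict(grouped)

def summary(findings):
    """Executive numbers: total findings versus the mission-critical subset."""
    exp = exploitable_only(findings)
    return {"total": len(findings), "exploitable": len(exp),
            "hosts_at_risk": len({f.host for f in exp})}

SAMPLE = [  # constructed scanner output, names taken from the slide-4 categories
    Finding("10.0.0.5", 80, "IIS Unicode directory traversal", 7.5, "remote"),
    Finding("10.0.0.5", 21, "Anonymous FTP world read/write", 5.0, None),
    Finding("10.0.0.9", 445, "Null administrator password", 10.0, "remote"),
    Finding("10.0.0.9", 5900, "VNC unnecessary service", 4.3, None),
    Finding("10.0.0.7", 25, "Mail client HTML link exploit", 6.8, "client"),
    Finding("10.0.0.7", 0, "Local privilege elevation", 7.2, "local"),
    Finding("10.0.0.3", 80, "HTTP service crash (DoS)", 5.0, "dos"),
]
```

Feeding the full finding set through `summary` gives the executive view (7 findings, 4 exploitable on 3 hosts), while `by_host` gives the per-system remediation order the technical audience works from.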

  11. Critical Concept - Visualization: no need to filter reports, as all threats shown are mission critical and require immediate action.

  12. Critical Concept - Visualization Exploits have evolved from the need to know a programming language to GUI launch pads.

  13. Arming the Security Engineer

  14. How Long Does An Assessment Take? A daily question I receive. Performing any type of security assessment involves numerous variables that affect completion time. Some prime examples:
     • External / Internal
     • CPU GHz / RAM GB
     • VPN / Remote / Local
     • Policy selection
     • Scanner OS installation
     • Scanning by IPs or subnet
     • Port scan configuration
     • 32 or 64 bit architecture
     • Safe / unsafe checks
     • Password guessing
     • Bandwidth availability
     • Authenticated or not
     • Web spidering or not
     • Concurrent threads
     • Seconds for TCP drop
     • Spidering depth
     • Targets have firewall enabled
     • Concurrent TCP connects
     • Maximum number of web pages
     • Discovery: TCP/ICMP/ARP
     • Timeout values (UDP)

  15. How Long Was The Assessment?
     System: MacBook Pro, OS X 10.6.6, 8 GB RAM, 2.66 GHz i7
     Remote: scans from Dallas to DC (VPN > internal network), scanning by Class C subnet, 22 systems resolved
     • 44 minutes: policy "Heavy", common port scan, password guessing enabled, 10 threads, exhaustive: no
     • 23 minutes: policy "Heavy", common port scan, password guessing disabled, 25 threads, exhaustive: no
     • 1 hour 45 minutes: policy "PCI", full port scan, password guessing disabled, 10 threads, exhaustive: no

  16. Exploit Terminology: repeats the remote, client and local exploit definitions from slide 5 (DoS exploits excluded).

  17. Scanning Evolution: the road ahead
     • Maintenance of all existing checks
     • Develop new checks (future)
     • Compliance mappings
     • Web apps
     • Configurations
     • Benchmarks
     • Integration: GRC/SIEM
     • Mobile
     • Performance
     • Exploits

  18. Stages Before Report Generation: in order to create any type of report, we must first gather data by scanning a target (targets are defined as any computer system, application or network device). High-level process:
     • Create a workplace for managing the assessment.
     • Decide what needs to be assessed.
     • Decide who the report is for and what type of report.
     • Select a security or compliance policy.

  19. Creating Sessions: creating a session is also known as creating a workplace and/or an asset group. The ideas below are illustrated along with a sample description of their use.

  20. Defining Targets: there are numerous options for defining a target to be assessed; the matrix below shows the most popular methods of selecting a target.

  21. Policy Selection - #1: which policy needs to be selected to obtain our assessment report goals?

  22. Policy Selection - #2: which policy needs to be selected to obtain our assessment report goals?

  23. Defining Reporting Requirements
     • Full vulnerability assessment
     • Trend analysis
     • Penetration testing assessment
     • PCI/HIPAA/FISMA compliance
     • FDCC/USGCB compliance
     • Phishing assessment
     • Content scanning
     • Web spidering
     • Anti-virus informative
     • Trouble tickets
     • Remediation
     • Executive management & technical
     Defining scanning policies and the scope makes the reporting process easier.

  24. Basic Configuration Questions

  25. Sample Assessment Charts Numerous executive charts are included with the results of the assessment in addition to host lists and remediation details.

  26. Sample Comparison Charts. Trending: is my security posture getting better or worse?

  27. Content Assessment Sample Results

  28. Penetration Test Report Exploits are typically smaller in volume than traditional VA reports.

  29. USGCB IE8 Browser Audit Sample

  30. Test Volume Sample of various assessments and volumes of checks/tests.

  31. About SAINT
     • Founded in 1998
     • Offices: Bethesda, MD and Dallas, TX
     • Privately funded
     • Focus on: vulnerability assessment & management; penetration testing; regulatory compliance; benchmark testing
     2010: SAINT is SCAP validated by NIST and a certified PCI ASV scanning vendor.

  32. Request a Free T-shirt

  33. Contact Information
     Billy Austin, CSO, austin@saintcorporation.com, (301) 841-0119
     James White, Mid-Atlantic Mgr, whitejs@saintcorporation.com, (301) 841-0123
     SAINT Corporation, 4720 Montgomery Lane, Suite 800, Bethesda, MD 20814, www.saintcorporation.com
