Preparing for The Present & The Future


Preparing for The Present & The Future: Information and Network Security
Totally Connected Security, 17/11/2018

Presentation Summary
- Hacker/cracker operation stages: Discovery, Exploitation, Cover up, Backdoor/Trojan
- Prevention: Policies, Ethical Hacking/Pen Testing, Tools
- Forensics: First response, Preserving evidence

So… Has it been working?
"85 percent of enterprises surveyed have been breached in the last 12 months, with 64 percent of the breaches costing $2 million or more." - CSI
Of those:
- 99% used antivirus software
- 98% used firewalls
- 91% employed physical security to protect their computer and information assets
- 92% employed some measure of access control

So… Has it been working?
- Misuse of network access by employees was about as frequent as virus attacks, occurring in more than 75% of organizations.
- Theft of proprietary information occurred in over 20% of organizations, resulting in financial losses of more than $2.7 million on average.
- Denial of service occurred in over 40% of organizations, with financial losses averaging over $2.5 million per organization.
- System penetration occurred in more than 35% of organizations, sabotage in over 25%.
- Disgruntled employees were identified nearly as often as external hackers as the most likely source of security violations (over 75% of organizations cited both!).
* CSI/03
Speaker notes: These are the CSI 2003 statistics. As we can see, firewalls, antivirus and patching your systems are simply not enough anymore: nearly every breached organization already had all three.

Discovery
- Port scanning: identify running services (web server, mail server, SSH, etc.) and firewalls
- Information gathering: OS fingerprinting, banner information, how vulnerable the host is
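The two discovery steps above (find open ports, then read the banner that identifies the service and often its version) in a single script. This is an added example and is not code from the presentation; the target, port list and timeout are placeholder values, and the HTTP probe is an assumption about how to provoke a banner from a web server, which unlike SSH, SMTP or FTP does not speak first. Run it only against hosts you are authorised to test.

```powershell
# Minimal TCP connect scan with banner grabbing (added example, not from the slides).
# Assumptions: $Target/$Ports/$TimeoutMs are placeholders; PowerShell 3.0 or later.
param(
    [string]$Target = '127.0.0.1',
    [int[]]$Ports = @(21, 22, 25, 80, 110, 143, 443, 445, 3389),
    [int]$TimeoutMs = 1500
)

function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        # Asynchronous connect so a firewalled (dropped) port does not hang the scan.
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            return [pscustomobject]@{ Port = $Port; State = 'filtered'; Banner = '' }
        }
        $client.EndConnect($async)          # throws on connection refused
        $stream = $client.GetStream()
        $stream.ReadTimeout = $TimeoutMs

        # SSH, SMTP, FTP and POP3 send a greeting first. HTTP waits for the
        # client, so send a harmless HEAD request to get the Server: header back.
        if ($Port -in 80, 8080) {
            $req = [Text.Encoding]::ASCII.GetBytes("HEAD / HTTP/1.0`r`n`r`n")
            $stream.Write($req, 0, $req.Length)
        }

        $buf = New-Object byte[] 1024
        $banner = ''
        try {
            $n = $stream.Read($buf, 0, $buf.Length)
            if ($n -gt 0) { $banner = [Text.Encoding]::ASCII.GetString($buf, 0, $n).Trim() }
        } catch {
            # Open but silent within the timeout (e.g. TLS on 443, SMB on 445).
        }
        return [pscustomobject]@{ Port = $Port; State = 'open'; Banner = $banner }
    } catch {
        return [pscustomobject]@{ Port = $Port; State = 'closed'; Banner = '' }
    } finally {
        $client.Close()
    }
}

$results = foreach ($p in $Ports) {
    Test-TcpPort -ComputerName $Target -Port $p -TimeoutMs $TimeoutMs
}

# Only open ports are interesting; the banner column is the fingerprint an
# attacker (or your pen tester) matches against published vulnerabilities.
$results | Where-Object { $_.State -eq 'open' } | Format-Table -AutoSize
```

A banner such as `SSH-1.99-OpenSSH_3.4p1` or `220 mail ESMTP Sendmail 8.12.8` is exactly what the next stage is built on, which is why reducing banner detail and closing unneeded ports is part of prevention, not just of cover-up detection.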

Exploitation
- A vulnerable service is found
- An exploit is run against the system: the attacker searches the internet for an existing exploit, or creates their own
- Typically the attacker gains root or administrator privileges; at minimum they gain low-level user privileges and work up from there
- Either way the system's security is compromised

Cover up
- Altering or deletion of logs
- Rootkits: replace system binaries (netstat, ls, etc.) to hide the attacker's connection to the system and the software they installed
- Backdoor / Trojan the system: allow the attacker to return unnoticed and to remotely control the system (IRC bots)
Speaker notes: There are ways to make it so no user shows up in the user list but the attacker still has administrative privileges.

Prevention: Policies
Not just for IT:
- Acceptable use
- Password protection
- Phone
- Fax
- Physical

Ethical Hacking / Pen Test: What you can expect
- Identification of exposures and risks
- Detailed results of the testing performed, and what the results indicate
- Recommendations on which fixes need to be applied and how

Ethical Hacking / Pen Test: What should you include?
- Internal: printers, faxes, switches, desktops, etc.
- External: firewalls, routers, dial-up, VPNs and remote users
- Wireless access points
- Laptops

Ethical Hacking / Pen Test: Common attacks
- Browsing attacks
- Information disclosure
- Mass rooting/scanning
- Viruses and Trojans
- Browser hijacking
- Employee misuse: more than all other threats combined!

Ethical Hacking / Pen Test: Relying on commercial software
- Inability to identify certain vulnerabilities (a scanner only finds what it has a signature for)
- High false-positive rate; every finding needs a human to confirm it
After the audit:
- Implementing fixes
- Mitigating risks that cannot be fixed outright
- Ensuring fixes were applied correctly (re-test, don't assume)

Tools
Security scanners:
- Nessus (http://www.nessus.org/)
- Retina by eEye (http://www.eeye.com/)
Port scanners:
- Nmap, "Network Mapper" (http://www.insecure.org/)
- hping, TCP/IP packet assembler/analyzer (www.hping.org)

Tools
Packet sniffers:
- IRIS (www.eeye.com)
- Ethereal (www.ethereal.com)
Patch management:
- HFNetChkPro (http://www.shavlik.com/)
- PatchLink (http://www.patchlink.com)
- Microsoft SMS (http://www.microsoft.com/smserver)

Forensics - Summary
What to do when an incident occurs:
- Determine point of entry/infection: sniffers, IDS, unusual behaviour
- Acquire evidence: shutting down the system, creating an image
- Documentation

Forensics
Some questions to ask:
- What type of evidence is being sought?
- Is there a computer use policy?
- Is there a network administrator?
- Where are the backups?
If conducting a large search:
- What keywords can I use to identify computers that contain evidence?
- What type of system will I be looking at?

Point of entry
Things to look for:
- Unusual registry keys: \Software\Microsoft\Windows\CurrentVersion\Run\*
- Modified hosts file: %windir%\system32\drivers\etc\hosts
- Unknown running services
- Run "sigverif" (File Signature Verification) to list system files that are not digitally signed
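The checks on this slide, plus the connection listing that the Cover up slide says rootkits and IRC bots try to hide, as one live-response triage script. This is an added example, not code from the presentation: it assumes an elevated PowerShell 5.1 or later session on Windows 8/2012 or newer (for Get-NetTCPConnection), and the IRC port range used for flagging is an illustrative choice. It is the modern equivalent of walking the Run keys in regedit, eyeballing the hosts file, running sigverif and opening TCPView.

```powershell
# Live-response triage for the indicators above (added example, not from the slides).
# Assumptions: run elevated; Windows 8 / Server 2012 or later; the IRC port
# range is a heuristic, not a rule.

$report = [ordered]@{}

# 1. Autostart entries: Run/RunOnce under both hives.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$report.Autostart = foreach ($k in $runKeys) {
    if (Test-Path $k) {
        $item = Get-ItemProperty -Path $k
        foreach ($p in $item.PSObject.Properties) {
            if ($p.Name -notmatch '^PS') {      # skip PSPath, PSParentPath, ...
                [pscustomobject]@{ Key = $k; Name = $p.Name; Command = $p.Value }
            }
        }
    }
}

# 2. hosts file: every line that is not a comment or the loopback entry.
#    Anything else (AV update servers, banks, search engines pointed elsewhere)
#    is a classic Trojan/hijack indicator.
$hostsPath = Join-Path $env:windir 'System32\drivers\etc\hosts'
$report.HostsEntries = Get-Content $hostsPath |
    Where-Object { $_ -match '^\s*\S' -and $_ -notmatch '^\s*#' } |
    Where-Object { $_ -notmatch '^\s*(127\.0\.0\.1|::1)\s+localhost\b' }

# 3. Running services whose binary lacks a valid Authenticode signature
#    (what sigverif does for system files, applied to service executables).
$report.UnsignedServices = Get-CimInstance Win32_Service -Filter "State='Running'" |
    ForEach-Object {
        # PathName may be quoted and carry arguments; extract the executable only.
        $exe = if ($_.PathName -match '^"([^"]+)"') { $Matches[1] }
               else { ($_.PathName -split '\s+')[0] }
        if ($exe -and (Test-Path $exe)) {
            $sig = Get-AuthenticodeSignature -FilePath $exe
            if ($sig.Status -ne 'Valid') {
                [pscustomobject]@{ Service = $_.Name; Path = $exe; SigStatus = $sig.Status; PID = $_.ProcessId }
            }
        }
    }

# 4. Established connections with owning process and image path (TCPView's
#    view), flagging remote ports commonly used by IRC bots.
$ircPorts = 6660..6669 + 7000
$report.Connections = Get-NetTCPConnection -State Established |
    ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Local   = "$($_.LocalAddress):$($_.LocalPort)"
            Remote  = "$($_.RemoteAddress):$($_.RemotePort)"
            PID     = $_.OwningProcess
            Process = $proc.ProcessName
            Path    = $proc.Path
            Flag    = if ($_.RemotePort -in $ircPorts) { 'IRC?' } else { '' }
        }
    }

foreach ($section in $report.Keys) {
    "==== $section ===="
    $report[$section] | Format-Table -AutoSize | Out-String -Width 200
}
```

Caveat that follows directly from the Cover up slide: a kernel rootkit that hooks the APIs these cmdlets use will hide its process and socket from this script just as it hides them from netstat. Treat a clean result as "nothing found with live tools", not as proof of a clean host, and compare against a network-side capture (sniffer or IDS) of the same machine when the two disagree.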

Some tools for discovery
- TCPView: www.sysinternals.com/ntw2k/source/tcpview.shtml
- Filemon: www.sysinternals.com/ntw2k/source/filemon.shtml
- Deleted File Analysis Utility: www.execsoft.com/freeware/undelete/download.asp
- DumpSec: www.systemtools.com/somarsoft/
- F.I.R.E. (Forensic and Incident Response Environment bootable CD): http://prdownloads.sourceforge.net/biatchux/fire-0.4a.iso?download

Forensics
Don't panic! Use tools to identify the source of infection:
- Sniffers to identify malicious data / content
- IDS to isolate which machines were violated
- User reports of unusual behaviour

Forensics: I found it, now what?
Shutting down systems:
- DOS, Win95/98/NT/2K/XP workstations: pull the plug
- NT Server / Win2k Server: shut down
Image the drive to preserve the evidence:
- EnCase: http://www.guidancesoftware.com
- SafeBack: http://www.forensics-intl.com/safeback.html
- Forensic Toolkit: http://www.accessdata.com
- NTImage: http://www.dmares.com
Speaker notes: Shutting down vs. pulling the plug: pulling the plug leaves the disk exactly as the attacker left it, but it also discards volatile state (running processes, open connections, memory), so collect that first with the live tools above if it matters to the case; a clean shutdown on a server avoids corrupting databases and other open files. Imaging preserves the evidence, ensures that examining it does not change the original system files, and allows the machine to go back into production.

Forensics
Once you have your image, maintain proper chain of custody:
- Ensure evidence is stored securely and logs are maintained of everyone who has access
- Use cameras in storage areas
- Never leave evidence in an unsecured area

Documentation
- Take pictures: overall work area, screen / programs running, connections
- Time and date of incident
- What was acquired
NO SUCH THING AS BEING TOO THOROUGH!
Speaker notes: Taking pictures of the screen shows evidence of activity at the time. Pictures of connections show plugged-in devices used to steal intellectual property. Time and date are important to construct a timeline. Record what was taken, for continuity.
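The "preserve the evidence", "log everyone who has access" and "document what was acquired" points of the last three slides reduce, for a disk image, to one discipline: hash it at acquisition, write down who handled it and when, and re-hash before every examination. The script below does that for an image file. It is an added example, not from the presentation; the case identifier, image path and the sidecar log file name are illustrative assumptions, and it assumes PowerShell 4 or later for Get-FileHash.

```powershell
# Chain-of-custody record and integrity check for a disk image
# (added example, not from the slides). Assumptions: PowerShell 4+;
# the ".custody.jsonl" sidecar name and the sample paths are placeholders.

function New-CustodyRecord {
    param(
        [Parameter(Mandatory)][string]$ImagePath,
        [Parameter(Mandatory)][string]$CaseId,
        [string]$Action = 'acquired',
        [string]$Note = ''
    )
    # SHA-256 over the whole image. Reproducing this value later is the proof
    # that nobody (including the examiner) changed the evidence.
    $hash = (Get-FileHash -Path $ImagePath -Algorithm SHA256).Hash
    $record = [pscustomobject]@{
        Timestamp = (Get-Date).ToUniversalTime().ToString('o')
        CaseId    = $CaseId
        Image     = (Resolve-Path $ImagePath).Path
        SizeBytes = (Get-Item $ImagePath).Length
        SHA256    = $hash
        Handler   = "$env:USERDOMAIN\$env:USERNAME"
        Station   = $env:COMPUTERNAME
        Action    = $Action
        Note      = $Note
    }
    # Append-only log (one JSON object per line) kept beside the image.
    $record | ConvertTo-Json -Compress | Add-Content -Path "$ImagePath.custody.jsonl"
    return $record
}

function Test-EvidenceIntegrity {
    param(
        [Parameter(Mandatory)][string]$ImagePath,
        [Parameter(Mandatory)][string]$CaseId
    )
    $log   = "$ImagePath.custody.jsonl"
    $first = Get-Content $log | Select-Object -First 1 | ConvertFrom-Json
    $now   = (Get-FileHash -Path $ImagePath -Algorithm SHA256).Hash
    $ok    = ($now -eq $first.SHA256)
    $note  = if ($ok) { 'hash matches acquisition record' }
             else     { "MISMATCH: expected $($first.SHA256), got $now" }
    # Every access is itself a custody event, whether or not the check passed.
    New-CustodyRecord -ImagePath $ImagePath -CaseId $CaseId -Action 'verified' -Note $note | Out-Null
    return $ok
}

# Usage with placeholder paths:
# New-CustodyRecord -ImagePath 'E:\cases\2003-017\ws42.dd' -CaseId '2003-017' `
#     -Note 'Imaged with SafeBack from write-blocked drive; photos 01-07'
# Test-EvidenceIntegrity -ImagePath 'E:\cases\2003-017\ws42.dd' -CaseId '2003-017'
```

Work on a copy of the image, never on the file you hashed, and store the custody log somewhere the examiner cannot silently edit (the same secured storage and access logging the slide calls for); a hash is only as trustworthy as the record that says what it was on day one.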

Summary
- Statistics regarding computer break-ins with traditional countermeasures
- Important difference between crackers and ethical hackers
- What to expect from audits/pen tests
- Tools which can be used to assist in network assessments
- Incident response and forensics in a Windows environment

Totally Connected Security
www.tcsecurity.ca
1312 SE Marine Dr., Vancouver, BC V5X 4K4
(604) 432-7828