Assessing Network Security

Slides:



Advertisements
Similar presentations
1 Chapter 8 Fundamentals of System Security. 2 Objectives In this chapter, you will: Understand the trade-offs among security, performance, and ease of.
Advertisements

Paula Kiernan Senior Consultant Ward Solutions
System Security Scanning and Discovery Chapter 14.
Network Isolation Using Group Policy and IPSec Paula Kiernan Senior Consultant Ward Solutions.
INDEX  Ethical Hacking Terminology.  What is Ethical hacking?  Who are Ethical hacker?  How many types of hackers?  White Hats (Ethical hackers)
System and Network Security Practices COEN 351 E-Commerce Security.
Defense-in-Depth Against Malicious Software Jeff Alexander IT Pro Evangelist Microsoft Australia
Chapter 7 HARDENING SERVERS.
Network Security Testing Techniques Presented By:- Sachin Vador.
Lesson 11-Virtual Private Networks. Overview Define Virtual Private Networks (VPNs). Deploy User VPNs. Deploy Site VPNs. Understand standard VPN techniques.
Lesson 13-Intrusion Detection. Overview Define the types of Intrusion Detection Systems (IDS). Set up an IDS. Manage an IDS. Understand intrusion prevention.
Security Awareness: Applying Practical Security in Your World Chapter 6: Total Security.
Contact Center Security Strategies Grant Sainsbury Practice Director, Dimension Data.
Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.
Essentials of Security Steve Lamb Technical Security Advisor
Operating System Security Chapter 9. Operating System Security Terms and Concepts An operating system manages and controls access to hardware components.
Secure SQL Server configuration Pat Larkin Ward Solutions
Installing and Configuring a Secure Web Server COEN 351 David Papay.
Network security policy: best practices
Security Assessment & Penetration testing Marcus Murray, CISSP, MVP (Security) Senior Security Advisor, Truesec
Presented by Manager, MIS.  GRIDCo’s intentions for publishing an Acceptable Use Policy are not to impose restrictions that are contrary to GRIDCo’s.
Security Risk Management Marcus Murray, CISSP, MVP (Security) Senior Security Advisor, Truesec
Agenda 9:30 – 10:45 Assessing Network Security 10:45 – 11:00 Break 11:00 – 11:45 BS7799 How Are you Managing Security? 11:45 – 12:15 Security Assessment.
Module 9 Configuring Server Security Compliance. Module Overview Securing a Windows Infrastructure Overview of EFS Configuring an Audit Policy Overview.
Avanade: 10 tips for å sikring av dine SQL Server databaser Bernt Lervik Infrastructure Architect Avanade.
Information Systems CS-507 Lecture 40. Availability of tools and techniques on the Internet or as commercially available software that an intruder can.
Module 9 Configuring Server Security Compliance. Module Overview Securing a Windows Infrastructure Overview of EFS Configuring an Audit Policy Overview.
Lesson 8-Information Security Process. Overview Introducing information security process. Conducting an assessment. Developing a policy. Implementing.
AIS, Passwords Should not be shared Should be changed by user Should be changed frequently and upon compromise (suspected unauthorized disclosure)
COEN 252 Computer Forensics
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 4 Finding Network Vulnerabilities By Whitman, Mattord, & Austin© 2008 Course Technology.
Security Policies Paul Hogan Ward Solutions. Agenda 09:30 10:10 Security Policies 10:10 10:30 Veritas 10:30 10:45Break 10:45 11:55 Securing your Server.
COEN 252 Computer Forensics Collecting Network-based Evidence.
Module 14: Configuring Server Security Compliance
SECURITY ZONES. Security Zones  A security zone is a logical grouping of resources, such as systems, networks, or processes, that are similar in the.
Chapter 6 of the Executive Guide manual Technology.
11 SECURING YOUR NETWORK PERIMETER Chapter 10. Chapter 10: SECURING YOUR NETWORK PERIMETER2 CHAPTER OBJECTIVES  Establish secure topologies.  Secure.
OV Copyright © 2011 Element K Content LLC. All rights reserved. Network Security  Network Perimeter Security  Intrusion Detection and Prevention.
Module 2: Installing and Maintaining ISA Server. Overview Installing ISA Server 2004 Choosing ISA Server Clients Installing and Configuring Firewall Clients.
Unit 6b System Security Procedures and Standards Component 8 Installation and Maintenance of Health IT Systems This material was developed by Duke University,
Network and Perimeter Security Paula Kiernan Senior Consultant Ward Solutions.
Linux Networking and Security
IS Network and Telecommunications Risks Chapter Six.
Security Assessment Tools Paula Kiernan Senior Consultant Ward Solutions.
Security+ Guide to Network Security Fundamentals, Third Edition Chapter 9 Performing Vulnerability Assessments.
Module 14: Securing Windows Server Overview Introduction to Securing Servers Implementing Core Server Security Hardening Servers Microsoft Baseline.
TCOM Information Assurance Management System Hacking.
NetTech Solutions Protecting the Computer Lesson 10.
Module 12: Responding to Security Incidents. Overview Introduction to Auditing and Incident Response Designing an Audit Policy Designing an Incident Response.
Module 2: Designing Network Security
Implementing Server Security on Windows 2000 and Windows Server 2003 Fabrizio Grossi.
IPv6 security for WLCG sites (preparing for ISGC2016 talk) David Kelsey (STFC-RAL) HEPiX IPv6 WG, CERN 22 Jan 2016.
Role Of Network IDS in Network Perimeter Defense.
How to Mitigate Stay Safe. Patching Patches Software ‘fixes’ for vulnerabilities in operating systems and applications Why Patch Keep your system secure.
Syo-401 Question Answer. QUESTION 1 An achievement in providing worldwide Internet security was the signing of certificates associated with which of the.
Securing a Host Computer BY STEPHEN GOSNER. Definition of a Host  Host  In networking, a host is any device that has an IP address.  Hosts include.
ASHRAY PATEL Securing Public Web Servers. Roadmap Web server security problems Steps to secure public web servers Securing web servers and contents Implementing.
Network Devices and Firewalls Lesson 14. It applies to our class…
Unit 2 Personal Cyber Security and Social Engineering Part 2.
Lecture 19 Page 1 CS 236 Online 6. Application Software Security Why it’s important: –Security flaws in applications are increasingly the attacker’s entry.
Microsoft OS Vulnerabilities April 1, 2010 MIS 4600 – MBA © Abdou Illia.
Critical Security Controls
Configuring Windows Firewall with Advanced Security
Secure Software Confidentiality Integrity Data Security Authentication
Securing the Network Perimeter with ISA 2004
Implementing Client Security on Windows 2000 and Windows XP Level 150
Intrusion Detection system
Designing IIS Security (IIS – Internet Information Service)
6. Application Software Security
Presentation transcript:

Assessing Network Security Paula Kiernan Ward Solutions

Session Prerequisites Hands-on experience with Windows 2000 or Windows Server 2003 Working knowledge of networking, including basics of security Basic knowledge of network security-assessment strategies Level 200

Session Overview Planning Security Assessments Gathering Information About the Organization Penetration Testing for Intrusive Attacks Case Study: Assessing Network Security for Northwind Traders

Planning Security Assessments Gathering Information About the Organization Penetration Testing for Intrusive Attacks Case Study: Assessing Network Security for Northwind Traders

Why Does Network Security Fail? Network security fails in several common areas, including: Human awareness Policy factors Hardware or software misconfigurations Poor assumptions Ignorance Failure to stay up-to-date

Understanding Defense-in-Depth Using a layered approach: Increases an attacker’s risk of detection Reduces an attacker’s chance of success Security policies, procedures, and education Policies, procedures, and awareness Strong passwords, ACLs, backup and restore strategy Data Guards, locks, tracking devices Physical security Application hardening Application OS hardening, authentication, security update management, antivirus updates, auditing Host Network segments, NIDS Internal network Firewalls, boarder routers, VPNs with quarantine procedures Perimeter

Why Perform Security Assessments? Security assessments can: Answer the questions “Is our network secure?” and “How do we know that our network is secure?” Provide a baseline to help improve security Find configuration mistakes or missing security updates Reveal unexpected weaknesses in your organization’s security Ensure regulatory compliance

Planning a Security Assessment Project phase Planning elements Pre-assessment Scope Goals Timelines Ground rules Assessment Choose technologies Perform assessment Organize results Preparing results Estimate risk presented by discovered weaknesses Create a plan for remediation Identify vulnerabilities that have not been remediated Determine improvement in network security over time Reporting your findings Create final report Present your findings Arrange for next assessment

Understanding the Security Assessment Scope Components Example Target All servers running: Windows 2000 Server Windows Server 2003 Target area All servers on the subnets: 192.168.0.0/24 192.168.1.0/24 Timeline Scanning will take place from June 3rd to June 10th during non-critical business hours Vulnerabilities to scan for RPC-over-DCOM vulnerability (MS 03-026) Anonymous SAM enumeration Guest account enabled Greater than 10 accounts in the local Administrator group

Understanding Security Assessment Goals Project goal All computers running Windows 2000 Server and Windows Server 2003 on the subnets 192.168.0.0/24 and 192.168.1.0/24 will be scanned for the following vulnerabilities and will be remediated as stated Vulnerability Remediation RPC-over-DCOM vulnerability (MS 03-026) Install Microsoft security updates 03-026 and 03-39 Anonymous SAM enumeration Configure RestrictAnonymous to: 2 on Windows 2000 Server 1 on Windows Server 2003 Guest account enabled Disable Guest account Greater than 10 accounts in the local administrator group Minimize the number of accounts on the administrators group

Types of Security Assessments Vulnerability scanning: Focuses on known weaknesses Can be automated Does not necessarily require expertise Penetration testing: Focuses on known and unknown weaknesses Requires highly skilled testers Carries tremendous legal burden in certain countries/organizations IT security auditing: Focuses on security policies and procedures Used to provide evidence for industry regulations

Using Vulnerability Scanning to Assess Network Security Develop a process for vulnerability scanning that will do the following: Detect vulnerabilities Assign risk levels to discovered vulnerabilities Identify vulnerabilities that have not been remediated Determine improvement in network security over time

Using Penetration Testing to Assess Network Security Steps to a successful penetration test include: Determine how the attacker is most likely to go about attacking a network or an application 1 2 Locate areas of weakness in network or application defenses 3 Determine how an attacker could exploit weaknesses 4 Locate assets that could be accessed, altered, or destroyed 5 Determine whether the attack was detected 6 Determine what the attack footprint looks like 7 Make recommendations

Understanding Components of an IT Security Audit Security Policy Model Operations Documentation Implementation Technology Start with policy Build process Apply technology Process Policy

Implementing an IT Security Audit Compare each area to standards and best practices Security policy Documented procedures Operations What you must do What you say you do What you really do

Reporting Security Assessment Findings Organize information into the following reporting framework: Define the vulnerability Document mitigation plans Identify where changes should occur Assign responsibility for implementing approved recommendations Recommend a time for the next security assessment

Gathering Information About the Organization Planning Security Assessments Gathering Information About the Organization Penetration Testing for Intrusive Attacks Case Study: Assessing Network Security for Northwind Traders

What Is a Nonintrusive Attack? Nonintrusive attack: The intent to gain information about an organization’s network in preparation for a more intrusive attack at a later time Examples of nonintrusive attacks include: Information reconnaissance Port scanning Obtaining host information using fingerprinting techniques Network and host discovery

Information Reconnaissance Techniques Common types of information sought by attackers include: System configuration Valid user accounts Contact information Extranet and remote access servers Business partners and recent acquisitions or mergers Information about your network may be obtained by: Querying registrar information Determining IP address assignments Organization Web pages Search engines Public discussion forums

Countermeasures Against Information Reconnaissance Only provide information that is absolutely required to your Internet registrar ü Review your organization’s Web site content regularly for inappropriate information ü Use e-mail addresses based on job roles on your company Web site and registrar information ü Create a policy defining appropriate public discussion forums usage ü

What Information Can Be Obtained by Port Scanning? Typical results of a port scan include: Discovery of ports that are listening or open Determination of which ports refuse connections Determination of connections that time out Port scanning tips include: Start by scanning slowly, a few ports at a time To avoid detection, try the same port across several hosts Run scans from a number of different systems, optimally from different networks

Port-Scanning Countermeasures Port scanning countermeasures include: Implement defense-in-depth to use multiple layers of filtering ü ü Plan for misconfigurations or failures ü Implement an intrusion-detection system ü Run only the required services ü Expose services through a reverse proxy

What Information Can Be Collected About Network Hosts? Types of information that can be collected using fingerprinting techniques include: IP and ICMP implementation TCP responses Listening ports Banners Service behavior Remote operating system queries

Countermeasures to Protect Network Host Information Fingerprinting source Countermeasures IP, ICMP, and TCP Be conservative with the packets that you allow to reach your system Use a firewall or inline IDS device to normalize traffic Assume that your attacker knows what version of operating system is running, and make sure it is secure Banners Change the banners that give operating system information Assume that your attacker knows what version of operating system and application is running, and make sure it is secure Port scanning, service behavior, and remote queries Disable unnecessary services Filter traffic coming to isolate specific ports on the host Implement IPSec on all systems in the managed network

Penetration Testing for Intrusive Attacks Planning Security Assessments Gathering Information About the Organization Penetration Testing for Intrusive Attacks Case Study: Assessing Network Security for Northwind Traders

What Is Penetration Testing for Intrusive Attacks? Intrusive attack: Performing specific tasks that result in a compromise of system information, stability, or availability Examples of penetration testing for intrusive attack methods include: Automated vulnerability scanning Password attacks Denial-of-service attacks Application and database attacks Network sniffing

What Is Automated Vulnerability Scanning? Automated vulnerability scanning makes use of scanning tools to automate the following tasks: Banner grabbing and fingerprinting Exploiting the vulnerability Inference testing Security update detection

What Is a Password Attack? Two primary types of password attacks are: Brute-force attacks Password-disclosure attacks Countermeasures to protect against password attacks include: Require complex passwords Educate users Implement smart cards Create policy that restricts passwords in batch files, scripts, or Web pages

What Is a Denial-of-Service Attack? Denial-of-Service (DoS) attack: Any attempt by an attacker to deny his victim’s access to a resource DoS attacks can be divided into three categories: Flooding attacks Resource starvation attacks Disruption of service Note: Denial-of-service attacks should not be launched against your own live production network

Countermeasures for Denial-of-Service Attacks DoS attack Countermeasures Flooding attacks Ensure that your routers have anti-spoofing rules in place and rules that block directed broadcasts Set rate limitations on devices to mitigate flooding attacks Consider blocking ICMP packets Resource starvation attacks Apply the latest updates to the operating system and applications Set disk quotas Disruption of service Make sure that the latest update has been applied to the operating system and applications Test updates before applying to production systems Disable unneeded services

Understanding Application and Database Attacks Common application and database attacks include: Buffer overruns: Write applications in managed code SQL injection attacks: Validate input for correct size and type

What Is Network Sniffing? Network sniffing: The ability of an attacker to eavesdrop on communications between network hosts An attacker can perform network sniffing by performing the following tasks: 1 Compromising the host Installing a network sniffer Using a network sniffer to capture sensitive data such as network credentials Using network credentials to compromise additional hosts 2 3 4

Countermeasures for Network Sniffing Attacks To reduce the threat of network sniffing attacks on your network consider the following: Use encryption to protect data Use switches instead of hubs Secure core network devices Use crossover cables Develop policy Conduct regular scans

How Attackers Avoid Detection During an Attack Common ways that attackers avoid detection include: Flooding log files Using logging mechanisms Attacking detection mechanisms Using canonicalization attacks Using decoys

How Attackers Avoid Detection After an Attack Common ways that attackers avoid detection after an attack include: Installing rootkits Tampering with log files

Countermeasures to Detection-Avoidance Techniques Flooding log files Back up log files before they are overwritten Using logging mechanisms Ensure that your logging mechanism is using the most updated version of software and all updates Attacking detection mechanisms Keep software and signatures updated Using canonicalization attacks Ensure that applications normalize data to its canonical form Using decoys Secure the end systems and networks being attacked Using rootkits Implement defense-in-depth strategies Tampering with log files Secure log file locations Store logs on another host Use encryption to protect log files Back up log files

Case Study: Assessing Network Security for Northwind Traders Planning Security Assessments Gathering Information About the Organization Penetration Testing for Intrusive Attacks Case Study: Assessing Network Security for Northwind Traders

Introducing the Case-Study Scenario

Defining the Security Assessment Scope Components Scope Target LON-SRV1.nwtraders.msft Timeline Scanning will take place December 2 during noncritical business hours Assess for the following vulnerabilities Buffer overflow SQL injection Guest account enabled RPC-over-DCOM vulnerability

Defining the Security Assessment Goals Project goal LON-SRV1 will be scanned for the following vulnerabilities and will be remediated as stated Vulnerability Remediation SQL Injection Require developers to fix Web-based applications Buffer Overflow Have developers fix applications as required Guest account enabled Disable guest account RPC-over-DCOM vulnerability Install Microsoft security update MS04-012

Choosing Tools for the Security Assessment The tools that will be used for the Northwind Traders security assessment include the following: Microsoft Baseline Security Analyzer KB824146SCAN.exe Portqry.exe Manual input

Demonstration: Performing the Security Assessment Perform port scanning using Portqry.exe Use KB824146Scan.exe to perform a vulnerability scan Determine buffer overflow vulnerabilities Determine SQL injection vulnerabilities Use the Microsoft Baseline Security Analyzer to perform a vulnerability scan

Reporting the Security Assessment Findings Answer the following questions to complete the report: What risk does the vulnerability present? What is the source of the vulnerability? What is the potential impact of the vulnerability? What is the likelihood of the vulnerability being exploited? What should be done to mitigate the vulnerability? Give at least three options if possible Where should the mitigation be done? Who should be responsible for implementing the mitigations?

Session Summary ü Plan your security assessment to determine scope and goals Disclose only essential information about your organization on Web sites and on registrar records ü Assume that the attacker already knows the exact operating system and version and take as many steps as possible to secure those systems ü ü Educate users to use strong passwords or pass-phrases Keep systems up-to-date on security updates and service packs ü

Next Steps Find additional security training events: http://www.microsoft.com/ireland/events/default.asp Sign up for security communications: http://www.microsoft.com/technet/security/signup/default.mspx Find additional e-learning clinics https://www.microsoftelearning.com/security/ Refer to Assessing Network Security by Kevin Lam, David LeBlanc, and Ben Smith http://www.microsoft.com/mspress/books/6788.asp

Questions and Answers

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.