1000 Hackers in a Box: Problems with modern security scanners

What is a scanner?
- Collects data and deduces possible problems on your hosts
- A "visibility" tool
- An expensive product
- A misunderstood product

What can scanning do?
- Visibility
- Software bugs and installation bugs
- Protocols and topology
- Public services and their versions

History of scanners
- SATAN (1995), now SAINT
- ISS
- Ballista, now NAI CyberCop (CSC)
- Asmodeus, now commercial (WebTrends)
- HackerShield
- NetSonar (now Cisco)

Scanner propaganda
- "The virus scanner of the 90's"
- "We have 3 million tests"
- "The best reporting"
- "We enforce your policy"

Patching bugs won’t make you secure.

Signature scanning
- The attack domain is not confined
- A scanner's signature coverage is a finite list of checks
- The real world is infinite

[Figure: attacker tiers (skilled "uber" hackers, the underground distribution network, script kiddies) plotted against patch level]

False sense of security
- I ran a scan, now I'm safe
- I patched the program, now I'm safe
- I have a firewall, I'm safe
- I have an IDS, I'm safe
- I had a consultant scan me, I'm safe
- I use crypto, I'm safe

Just because you have a scanner doesn't make you a hacker
- "1000 hackers in a box" (NOT)
- Doesn't synthesize attacks based on available data
  – hackers don't just go down a checklist
- Cannot find new problems based on programming flaws

You are buying a service, not a product
- A secretary reads the bug newsgroups for you
- Version and patch checking with vendors
- Is your scanner making you lazy?
- Reactive, not proactive
- Mean time to notification
- 10 steps behind the hacker

The shiny red button
- There is always a root compromise in your network
- You cannot remove it
- You can only place controls over it
  – Redundancy (backups, fast recovery)
  – Visibility (forensics and tripwires)
  – Deterrence (traps, prosecution, and retaliation)

A scan is NOT an audit
- Doesn't ENFORCE policy
- Doesn't WRITE policy
- Scanners "break in", they don't "fix"

Ineffective
- Relies on inference and deduction
- Very little "verification"
  – banner strings
  – registry settings and SNMP
- "Black box"
- Lazy when deep detection is possible

External vs internal scanning
- Ineffective if scan filters are in place
- Force scanning takes longer
- Run both and compare

False positives
- Generalizations
- Lack of version coverage (this is a QA hell)
- Assumptions about patch level
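The two slides above (inference without verification, and the false positives it produces) are easier to see in code. The example below is added here and is not from the talk or any scanner it names. HypoSMTPd, its advisory, the package names and the SMTP greetings are all constructed for illustration. It shows three things a banner-driven check gets wrong: a backported fix the banner cannot reveal, a version-string comparison that flags a patched host, and the silent skip when the banner has no signature coverage, next to a credentialed check that looks at what is installed.

```python
import re

# Hypothetical product and advisory (constructed for this example): every
# HypoSMTPd release below 2.0.5 is affected by some flaw.
SIGNATURE = {"product": "HypoSMTPd", "fixed_in": (2, 0, 5)}

# Constructed vendor data: distro packages that carry the fix as a backport
# while the daemon keeps announcing the old upstream version.
BACKPORTED_FIX = {("HypoSMTPd", (2, 0, 3)): {"hyposmtpd-2.0.3-7"}}

# SMTP greeting, e.g. "220 mail.example.test ESMTP HypoSMTPd 2.0.3".
BANNER_RE = re.compile(
    rb"^220 \S+ ESMTP (?P<product>[A-Za-z]+)[ /](?P<version>[0-9][0-9.]*)")


def parse_banner(banner):
    """Return (product, version string) from an SMTP greeting, or None."""
    m = BANNER_RE.match(banner)
    if m is None:
        return None
    return m.group("product").decode(), m.group("version").decode()


def version_tuple(version):
    """'2.0.10' -> (2, 0, 10): compare components numerically."""
    return tuple(int(part) for part in version.split(".") if part)


def infer_from_banner(banner):
    """What a signature scanner concludes from the banner alone."""
    parsed = parse_banner(banner)
    if parsed is None:
        return "unknown"        # no signature coverage: check silently skipped
    product, version = parsed
    if product != SIGNATURE["product"]:
        return "not_applicable"
    if version_tuple(version) < SIGNATURE["fixed_in"]:
        return "vulnerable(unverified)"
    return "patched(unverified)"


def naive_string_compare(version, fixed_in):
    """A common scanner bug: comparing version *strings* lexicographically.
    '2.0.10' sorts before '2.0.5', so a patched host gets flagged."""
    return version < fixed_in


def verify(banner, installed_package):
    """Credentialed check: use what is installed, not what the daemon says."""
    parsed = parse_banner(banner)
    if parsed is None:
        return "unknown"
    product, version = parsed
    if product != SIGNATURE["product"]:
        return "not_applicable"
    vt = version_tuple(version)
    if vt >= SIGNATURE["fixed_in"]:
        return "patched"
    if installed_package in BACKPORTED_FIX.get((product, vt), set()):
        return "patched(backport)"
    return "vulnerable"


if __name__ == "__main__":
    greeting = b"220 mail.example.test ESMTP HypoSMTPd 2.0.3\r\n"
    print(infer_from_banner(greeting), verify(greeting, "hyposmtpd-2.0.3-7"))
```

The banner-only path can never distinguish "2.0.3 with the vendor backport" from "2.0.3 unpatched"; only the host-side package check can, which is the argument the talk makes for host-based scanning later on.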

How to really screw up a scanner
- Ping and UDP scan tricks (create extra work)
  – make everything listen on UDP port 1
  – filter ICMP unreachable messages
  – don't allow ping (must force scan)
- Deception toolkits (honeypot tools)
- Touch all your files
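The ping and UDP tricks above work because a scanner has to infer port state from what does not come back. The model below is an added example, not from the talk; it reproduces the inference rules a UDP scanner and a ping sweep use (a UDP reply means open, an ICMP port-unreachable means closed, silence means "open or filtered" and triggers retransmits) and runs them against constructed hosts instead of a live network. The retry count and timeout are assumed values, and the timing is simulated. It also includes the "run both and compare" step from the external vs internal slide.

```python
from dataclasses import dataclass, field


@dataclass
class Host:
    """Constructed target; nothing here touches the network."""
    answers_ping: bool = True
    filters_icmp_unreach: bool = False                  # drops outbound ICMP port-unreachable
    udp_listeners: set = field(default_factory=set)     # bound UDP ports
    udp_answerers: set = field(default_factory=set)     # listeners that reply to an empty probe


def wire_reply(host, port):
    """What comes back for a single empty UDP datagram sent to `port`."""
    if port in host.udp_answerers:
        return "udp-reply"
    if port in host.udp_listeners:
        return "silence"                  # bound, but the service ignores junk
    if host.filters_icmp_unreach:
        return "silence"                  # closed, but the error never leaves the host
    return "icmp-port-unreachable"


def classify(reply):
    """The scanner's inference rule: only the ICMP error is definitive."""
    return {"udp-reply": "open",
            "icmp-port-unreachable": "closed",
            "silence": "open|filtered"}[reply]


def udp_scan(host, ports, retries=3, timeout_s=1.0):
    """Scan `ports`; returns ({port: state}, simulated seconds spent)."""
    states, elapsed = {}, 0.0
    for port in ports:
        reply = wire_reply(host, port)
        if reply == "silence":
            # no answer: retransmit `retries` times and wait out each timeout
            elapsed += retries * timeout_s
        states[port] = classify(reply)
    return states, elapsed


def host_discovery(host, force_scan=False):
    """Ping sweep decision: a silent host is skipped unless scanning is forced."""
    if force_scan or host.answers_ping:
        return "scan"
    return "skipped-as-down"


def compare(a, b):
    """Ports whose state differs between two scans (e.g. external vs internal)."""
    return {p: (a.get(p), b.get(p)) for p in set(a) | set(b) if a.get(p) != b.get(p)}


if __name__ == "__main__":
    ordinary = Host(udp_listeners={53}, udp_answerers={53})
    hardened = Host(answers_ping=False, filters_icmp_unreach=True, udp_listeners={1})
    for h in (ordinary, hardened):
        print(host_discovery(h), udp_scan(h, [1, 53, 161]))
```

With the unreachables filtered every UDP port collapses to "open|filtered", so the scanner learns nothing and burns the full retry budget on each port; with ping blocked the host is not scanned at all unless the operator forces it, which is the "force scanning takes longer" point.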

Scanners suffer from security bugs too!
- The imports for several common scanners have calls to (do you trust this code?):
  – strcpy
  – wsprintf
  – getenv
  – system
  – exec
- Banner overflows
- Service requests (HTTP, SMTP, ...)
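The point of the slide above is that a scanner is itself a network client parsing hostile input: the host being scanned chooses the banner and the service responses, and the unbounded strcpy or the system() call with a looked-up name is where that data lands. The example below is added here, not from the talk or from any scanner it names, and shows the three habits that close those holes in a banner grabber: a hard cap on how much of the greeting is read, a printable-only rendering so the banner cannot carry terminal escapes or markup into the report, and an argv list instead of a shell string for any helper that is handed target-derived names. FakeSock and its payloads are constructed so it runs offline; the `host` helper name is an assumption.

```python
import re
import socket

MAX_BANNER = 512      # the target decides what it sends; we decide how much we read
HOSTNAME_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(\.(?!-)[A-Za-z0-9-]{1,63})*\.?$")


def read_banner(sock, max_len=MAX_BANNER, chunk=256):
    """Read one greeting line from `sock` (anything with recv()); never more
    than max_len bytes, whatever the peer keeps sending."""
    buf = b""
    while len(buf) < max_len:
        data = sock.recv(min(chunk, max_len - len(buf)))
        if not data:
            break
        buf += data
        if b"\n" in data:
            buf = buf[:buf.index(b"\n") + 1]   # keep the first line only
            break
    return buf[:max_len]


def printable(banner):
    """ASCII-printable only, so a hostile banner cannot smuggle terminal
    escapes or HTML into whatever renders the scan report."""
    text = banner.rstrip(b"\r\n")
    return "".join(chr(b) if 32 <= b < 127 else "?" for b in text)


def reverse_lookup_argv(name):
    """argv for a lookup helper, instead of system('host ' + name).
    The name is validated first and passed as a single argument, no shell."""
    if not HOSTNAME_RE.match(name):
        raise ValueError("refusing to look up something that is not a hostname")
    return ["host", name]         # run with subprocess.run(argv), never shell=True


class FakeSock:
    """Stand-in for a connected socket; hands back a constructed banner in pieces."""
    def __init__(self, payload):
        self.payload = payload

    def recv(self, n):
        data, self.payload = self.payload[:n], self.payload[n:]
        return data


def grab(host, port, timeout=5.0):
    """Live variant: connect, bound the read, return a safe string."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.settimeout(timeout)
        return printable(read_banner(s))


if __name__ == "__main__":
    print(printable(read_banner(FakeSock(b"220 \x1b[31mevil\x1b[0m\r\n" + b"A" * 4096))))
```

Whether the tool is written in C or Python the contract is the same: a fixed upper bound on what is read, no interpretation of the bytes beyond a whitelist, and no shell between the scanner and data the target controls.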

The good stuff is free
- The port scanner
  – nmap
- The software scanner
  – Grinder (rhino9.ml.org)
  – Banner scanner (netcat and perl, anyone?)
  – Nessus
- Registry scanner
  – Chronicle
- OS detection
  – QueSO
- The integrity checker
  – tripwire
- Deception Toolkit

A bit better scanner: verify policy
- A "configuration manager"

A bit better scanner: model authentication
- Show authentication systems and domains
- Show relationships between authentication systems and services
- Show what each entity can and cannot access

A bit better scanner: process to process
- Show inter-process relationships
  – file and registry access
  – IPC channels
  – databases
- Close the "window of trust"
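The two slides above (model authentication, and process-to-process relationships) describe the same analysis: a directed graph in which an edge means "holding this identity or process yields that one", and the question of what each entity can reach through it. The example below is added here and is not from the talk; the network it models (a public web server whose application config holds a database password, a shared NIS domain, an admin laptop) is constructed, and every host, uid and map name in it is hypothetical. It answers "what can each entity access", prints the chain that makes up the window of trust, and lists the single relationships whose removal would close it.

```python
from collections import deque

# Constructed model of one small network. An edge A -> B means "whoever holds
# A also gets B": network reachability, the uid a daemon runs as, a credential
# stored in a config file, or membership in a shared authentication domain.
TRUST = {
    "internet":            {"web01:httpd"},                    # port 80 is public
    "web01:httpd":         {"web01:www-data"},                 # daemon runs as www-data
    "web01:www-data":      {"db01:app_user"},                  # DB password in app config
    "db01:app_user":       {"db01:customer_table"},
    "db01:dba":            {"db01:customer_table", "db01:os_root"},
    "admin-laptop":        {"web01:root", "db01:dba"},
    "web01:root":          {"web01:www-data", "nis:passwd.byname"},
    "nis:passwd.byname":   {"db01:dba"},                       # same NIS domain, crackable hashes
}


def reachable(graph, start):
    """Transitive closure from `start`: everything a compromise there yields."""
    seen, queue = {start}, deque([start])
    while queue:
        node = queue.popleft()
        for nxt in graph.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def can_access(graph, entity, asset):
    return asset in reachable(graph, entity)


def path(graph, start, asset):
    """One shortest chain from start to asset, or None: the window of trust."""
    prev = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == asset:
            chain = []
            while node is not None:
                chain.append(node)
                node = prev[node]
            return chain[::-1]
        for nxt in graph.get(node, ()):
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    return None


def cut_edges(graph, entry, asset):
    """Relationships whose removal, on its own, closes every path entry -> asset."""
    cuts = []
    for src, dsts in graph.items():
        for dst in dsts:
            trimmed = {k: set(v) for k, v in graph.items()}
            trimmed[src].discard(dst)
            if not can_access(trimmed, entry, asset):
                cuts.append((src, dst))
    return sorted(cuts)


if __name__ == "__main__":
    print(path(TRUST, "internet", "db01:customer_table"))
    print(cut_edges(TRUST, "internet", "db01:customer_table"))
```

No line-item bug appears anywhere in this model, yet it shows that the customer table is one web bug away from the Internet, and that root on the web server reaches root on the database host through the shared NIS domain. That is the kind of finding a checklist scanner cannot produce.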

A bit better scanner: deep detection
- Get *as much* data as possible
- Drill down into exploited resources
- More data is better; more data means better analysis

A bit better scanner: replay presentation
- Replay an attack in slow motion, in real time, in a format that is easy to understand
  – sniffer
  – tty snoop
- The scanner is educational

A bit better scanner: use host-based technology
- Easier to verify versions and patches using file hashes
- Less work; fewer specialized programmers needed
- More data, obtained more easily = better (and faster) analysis

A bit better scanner: focus on general security issues, not line-item bugs
- Verify confidentiality of information
- Verify authentication systems
- Verify the IDS is working properly
- Verify trusted/untrusted relationships

A bit better scanner: model protocol usage
- Since applications may depend on protocol security, show these relationships
- Show encapsulation

A bit better scanner: auto-patching wizard
- Gets patches
- Verifies file hashes
- Wizard helps build the patch script
- Patches are automatically deployed
- Verifies the installation is secure afterwards
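The host-based slide and the auto-patching slide both rest on one mechanism: verify patch level by hashing the installed files against a known-good manifest, before deployment and again afterwards, rather than trusting a banner. The example below is added here and is not from the talk or any product it names. The install tree, file contents and paths are constructed in a temporary directory so it runs offline; in real use the manifest comes from the vendor or from a trusted build host, never from the machine being checked.

```python
import hashlib
import os
import tempfile


def sha256_file(path):
    """Stream the file through SHA-256 so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root, files):
    """{relative path: sha256} for the files as they are now (the known-good baseline)."""
    return {rel: sha256_file(os.path.join(root, rel)) for rel in files}


def verify_manifest(root, manifest):
    """Compare the install against the baseline: ok / modified / missing per file."""
    report = {}
    for rel, expected in manifest.items():
        full = os.path.join(root, rel)
        if not os.path.exists(full):
            report[rel] = "missing"
        elif sha256_file(full) != expected:
            report[rel] = "modified"
        else:
            report[rel] = "ok"
    return report


def _write(root, rel, data):
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)


def demo():
    """Constructed install tree: take the baseline right after patching, then let it drift."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "bin/smtpd", b"patched smtpd binary v2.0.5\n")
        _write(root, "lib/libparse.so", b"patched parser library\n")
        _write(root, "etc/smtpd.conf", b"listen = 25\n")
        manifest = build_manifest(root, ["bin/smtpd", "lib/libparse.so", "etc/smtpd.conf"])
        # later: someone rolls the library back and deletes the config
        _write(root, "lib/libparse.so", b"old parser library\n")
        os.remove(os.path.join(root, "etc/smtpd.conf"))
        return verify_manifest(root, manifest)


if __name__ == "__main__":
    for rel, state in sorted(demo().items()):
        print(f"{state:9s} {rel}")
```

The same verify_manifest call serves both ends of the wizard: run before deployment it tells you which files the patch must replace, run afterwards it confirms the patch landed and nothing else changed. The daemon's banner is not consulted at any point.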