Published by Stuart Booker. Modified over 9 years ago.
Slide 1: 1000 Hackers in a Box
Problems with modern security scanners
Slide 2: What is a scanner?
- Collects data and deduces possible problems on your hosts
- A “visibility” tool
- Expensive product
- Misunderstood product
Slide 3: What can scanning do?
- Visibility
- Software bugs & installation bugs
- Protocols & topology
- Public services & versions
Slide 4: History of scanners
- SATAN in 1995, now SANTA
- ISS
- Ballista, now NAI CyberCop (CSC)
- Asmodeus, now commercial (Webtrends)
- HackerShield
- NetSonar (now Cisco)
Slide 5: Scanner Propaganda
- Virus scanner of the 90’s
- We have 3 million tests
- The “Best” reporting
- We “Enforce” your policy
Slide 6: Patching bugs won’t make you secure.
Slide 7: Signature Scanning
- The attack domain is not confined
- Scanner’s signature coverage
- The real world is infinite
Slide 8: [Diagram: attacker skill levels (Skilled, UBER, Underground, Distro Network, Script Kiddies) plotted against Patch Level]
Slide 9: False Sense of Security
- I ran a scan, now I’m safe
- I patched the program, now I’m safe
- I have a firewall, I’m safe
- I have an IDS, I’m safe
- I had a consultant scan me, I’m safe
- I use crypto, I’m safe
Slide 10: Just because you have a scanner doesn’t make you a Hacker
- 1000 Hackers in a Box (NOT)
- Doesn’t synthesize attacks based on available data
  – (hackers don’t just go down a checklist)
- Cannot find new problems based on programming flaws
Slide 11: You are buying a service, not a product
- A secretary reads bug newsgroups for you
- Version and patch checking with vendors
- Is your scanner making you lazy?
- Reactive, not proactive
- Mean time to notification
- 10 steps behind the hacker
Slide 12: The Shiny Red Button
- There is always a root compromise in your network
- You cannot remove it
- You can only place controls over it
  – Redundancy (backups, fast recovery)
  – Visibility (forensics & tripwires)
  – Deterrence (traps, prosecution & retaliation)
Slide 13: A Scan is NOT an Audit
- Doesn’t ENFORCE policy
- Doesn’t WRITE policy
- Scanners “break in”; they don’t “fix”
Slide 14: Ineffective
- Relies on inference & deduction
- Very little “verification”
  – Banner strings
  – Registry settings & SNMP
- “Black box”
- Lazy when deep detection is possible
Slide 15: External vs Internal scanning
- Ineffective if scan filters are in place
- Force scanning takes longer
- Run both and compare
Slide 16: False Positives
- Generalizations
- Lack of version coverage (this is QA hell)
- Assumptions about patch level
Slide 17: How to really screw up a Scanner
- Ping and UDP scan tricks (create extra work)
  – make everything listen on UDP port 1
  – filter ICMP unreachable messages
  – don’t allow ping (must force scan)
- Deception Toolkits (honey-pot tool)
- Touch all your files
Slide 18: Scanners suffer from security bugs too!
- The imports of several common scanners have calls to (do you trust this code?):
  – strcpy
  – wsprintf
  – getenv
  – system
  – exec
- Banner overflows
- Service requests (http, smtp …)
Slide 19: The Good Stuff is Free
- The port scanner
  – nmap (www.insecure.org)
- The software scanner
  – Grinder (rhino9.ml.org)
  – Banner scanner (netcat & perl anyone?)
  – Nessus
- Registry scanner
  – Chronicle
- OS detection
  – QueSO (www.apostols.org)
- The integrity checker
  – tripwire (www.tripwiresecurity.com)
- Deception Toolkit
  – http://all.net/dtk/dtk.html
Slide 20: A bit better scanner
- Verify policy
- A “configuration manager”
Slide 21: A bit better scanner: Model Authentication
- Show authentication systems and domains
- Show relationships between authentication systems and services
- Show what each entity can and cannot access
Slide 22: A bit better scanner: Process to Process
- Show inter-process relationships
  – File & registry access
  – IPC channels
  – Databases
- Close the “window of trust”
Slide 23: A bit better scanner: Deep Detection
- Get *as much* data as possible
- Drill down into exploited resources
- More data is better: more data means better analysis
Slide 24: A bit better scanner: Replay Presentation
- Replay an attack in slow motion, in real time, in a format that is easy to understand
  – sniffer
  – tty snoop
- The scanner is educational
Slide 25: A bit better scanner: Use Host-Based technology
- Easier to verify versions and patches using file hashes
- Less work / fewer specialized programmers needed
- More data, obtained more easily = better analysis (and faster)
Slide 26: A bit better scanner: Focus on general security issues, not line-item bugs
- Verify confidentiality of information
- Verify authentication systems
- Verify the IDS is working properly
- Verify trusted/untrusted relationships
Slide 27: A bit better scanner: Model protocol usage
- Since applications may depend on protocol security, show these relationships
- Show encapsulation
Slide 28: A bit better scanner: Auto-patching
- Wizard gets patches and verifies file hashes
- Wizard helps build the patch script
- Patches are automatically deployed
- Verifies the installation is secure afterwards
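The contrast the deck draws between banner-string inference (slides 14 and 16) and host-based file-hash verification (the integrity checker on slide 19, slides 25 and 28) can be shown in a few dozen lines. The following is an added example written for this page, not code from the presentation or from any scanner it names. It assumes a hypothetical product called ExampleHTTPd, a constructed signature rule ("anything older than 2.0 is vulnerable"), and constructed file contents standing in for the daemon binary before and after a vendor patch that fixes the bug without changing the version banner. The banner check returns the same verdict for both hosts; hashing the installed file against a known-good manifest tells them apart.

```python
"""Banner inference versus host-based hash verification (added example)."""
import hashlib
import os
import re
import tempfile

# Constructed signature rule in the style of a banner-matching scanner:
# anything announcing the hypothetical ExampleHTTPd older than 2.0 is flagged.
BANNER_RE = re.compile(r"^Server: ExampleHTTPd/(\d+)\.(\d+)")


def banner_verdict(banner: str) -> str:
    """Infer patch state from the banner alone, as a black-box scanner does."""
    m = BANNER_RE.match(banner)
    if not m:
        return "unknown"
    version = (int(m.group(1)), int(m.group(2)))
    return "vulnerable" if version < (2, 0) else "patched"


def sha256_file(path: str) -> str:
    """Hash a file in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_manifest(root: str, manifest: dict) -> dict:
    """Host-based check: compare files under root against known-good hashes.

    manifest maps a relative path to the SHA-256 expected once the patch is
    installed. Returns {relpath: "ok" | "modified" | "missing"}.
    """
    results = {}
    for relpath, expected in manifest.items():
        path = os.path.join(root, relpath)
        if not os.path.exists(path):
            results[relpath] = "missing"
        elif sha256_file(path) == expected:
            results[relpath] = "ok"
        else:
            results[relpath] = "modified"
    return results


# Constructed contents standing in for the daemon binary before and after a
# vendor patch that fixes the bug but leaves the version banner untouched.
UNPATCHED_BIN = b"ExampleHTTPd 1.3 build 100\n"
PATCHED_BIN = b"ExampleHTTPd 1.3 build 100 + security fix\n"
BANNER = "Server: ExampleHTTPd/1.3"  # identical on both hosts

# Known-good manifest: what the file should hash to after patching.
PATCHED_MANIFEST = {
    "sbin/examplehttpd": hashlib.sha256(PATCHED_BIN).hexdigest(),
}


def build_demo_host(patched: bool) -> str:
    """Create a throw-away install tree and return its root directory."""
    root = tempfile.mkdtemp(prefix="host_")
    os.makedirs(os.path.join(root, "sbin"))
    with open(os.path.join(root, "sbin", "examplehttpd"), "wb") as f:
        f.write(PATCHED_BIN if patched else UNPATCHED_BIN)
    return root


def compare_methods(patched: bool) -> dict:
    """Run both checks against one demo host; return their verdicts side by side."""
    root = build_demo_host(patched)
    host_results = verify_manifest(root, PATCHED_MANIFEST)
    host_ok = all(v == "ok" for v in host_results.values())
    return {
        "banner": banner_verdict(BANNER),
        "host": "patched" if host_ok else "vulnerable",
    }


if __name__ == "__main__":
    for state in (False, True):
        print("actually patched:", state, "->", compare_methods(state))
```

The banner rule is a false positive on the patched host, which is exactly the "assumptions about patch level" problem from slide 16; the manifest check is the "verify versions and patches using file hashes" approach from slide 25, and the same function is what an auto-patching wizard would run afterwards to confirm the deployment landed.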