3D Security Analysis Sample Report 14

©2012 Check Point Software Technologies Ltd. All rights reserved
Classification: [Customer Confidential] — For customer use only

CHECK POINT 3D SECURITY ANALYSIS REPORT

Prepared for: COMPANY
Prepared by: Check Point Solution Center
Date: January 11, 2012


Table of Contents

EXECUTIVE SUMMARY  2
FINDINGS  7
  Web Security Events  7
  Intrusion Prevention Events  10
  Data Loss Prevention  12
REMEDIATION  14
APPENDIX  17
ABOUT CHECK POINT SOFTWARE TECHNOLOGIES  20


EXECUTIVE SUMMARY

This document is a summary of the findings of a recent 3D security analysis of your infrastructure. It presents security events and recommendations for addressing the discovered events. The analysis took place on 05/01/2012 and included 2 hours of in-network analysis.

The analysis is based on data collected using the characteristics below:

PoC Date: 5/1/2012
In-Network Analysis Duration: 2 hours
Monitored Network: Internal facing internet
Deployment type: Mirror Port Kit (VMware-based)
Release version: R75.20
Security Gateway Software Blades: Application Control, URL Filtering, IPS, Data Loss Prevention
Security Management Software Blades: Pre-Defined 7 Blades with SmartEvent

During the course of the analysis, the installed device identified a number of security events, including some that were permitted by your existing security solutions. Event information collected by the Check Point solution found the following number of critical and high-priority events in your network:

[Chart: High And Critical Events Summary. Series: Check Point IPS Software Blade, Application Control and URL Filtering, Data Loss Prevention; y-axis: Events (0-35); bar values shown: 32, 22, 17]


Within the areas of Application Control and URL Filtering, the following items are of the highest risk level (the first column specifies the number of events related to the mentioned application/site):

Top High Risk Applications/Sites


The following tables provide summary explanations of the top events found and their associated security or business risks:

1. Vtunnel 1 Event/s
VTunnel is a free anonymous common gateway interface (CGI) proxy that masks IP addresses, enabling users to connect to and view websites anonymously.

2. Dropbox 5 Event/s
Dropbox is an application that allows the user to share files. It is crucial to investigate what users are doing with this application and whether they are leveraging it to distribute company files or download harmful applications. Consider preventing its use through the Application Control blade until additional information is available that justifies its use.

3. BitTorrent 1 Event/s
BitTorrent is a peer-to-peer (P2P) file sharing communications protocol. It is a method of distributing large amounts of data widely without the original distributor incurring the entire cost of hardware, hosting, and bandwidth resources. Instead, when data is distributed using the BitTorrent protocol, each recipient supplies pieces of the data to newer recipients, reducing the cost and burden on any given individual source, providing redundancy against system problems, and reducing dependence on the original distributor. There are numerous compatible BitTorrent clients, written in a variety of programming languages and running on a variety of computing platforms.

4. Imarketspartners.com 2 Event/s
Imarketspartners.com is categorized as a web site that has been promoted through spam techniques.

5. Bit Che 1 Event/s
Bit Che is an application for searching and downloading torrent files from various BitTorrent tracker websites. Bit Che provides a preview of torrent details, integration with other torrent clients and result filtering.

Top High Risk Applications and Sites


1. CIFS Worm Catcher 6 Event/s
2. Non Compliant HTTP 2 Event/s
3. Internet Explorer XML Processing Memory Corruption (MS08-078) 2 Event/s
4. Microsoft Active Directory-MIT Kerberos Null Pointer Dereference (MS10-014) 1 Event/s

Top Intrusion Prevention Events

Directory traversal attacks allow hackers to access files and directories that should be out of their reach. This can, for example, allow viewing of directory listings and, in many attacks, could lead to running executable code on the web server with one simple URL.

There are several techniques to launch a directory traversal attack. Most of the attacks are based on an HTTP request containing a dot-dot-slash sequence ("../..") in a file system path. For example, http://www.server.com/first/second/../../.. is illegal because it climbs past the root directory.

More advanced attackers can try to use encoding to disguise these sequences.
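As an added example (not part of the report or of any Check Point product), this is the check a gateway or log reviewer applies to the request forms described above: undo repeated percent-encoding, normalize separators, and flag any path, or any query value, that climbs above the web root. The request lines are constructed samples that include the report's own example URL.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed request lines (not taken from the report): the report's example URL,
# a benign relative path, and encoded/backslash variants that disguise "../".
SAMPLE_REQUESTS = [
    "GET /first/second/../../.. HTTP/1.1",                # report's example
    "GET /first/second/../index.html HTTP/1.1",           # stays under root
    "GET /images/..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1",   # percent-encoded /
    "GET /cgi-bin/%252e%252e/%252e%252e/ HTTP/1.1",       # double-encoded ..
    "GET /docs/..\\..\\win.ini HTTP/1.1",                 # backslash separators
    "GET /search?q=../../notes HTTP/1.1",                 # traversal in a parameter
]


def fully_decode(text: str, rounds: int = 3) -> str:
    """Undo repeated percent-encoding (%252e -> %2e -> .) until it stabilises."""
    for _ in range(rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text


def escapes_root(path: str) -> bool:
    """True if resolving the path segment by segment would climb above the root.

    Depth starts at 0 at the web root; '..' subtracts, any other segment adds.
    A negative depth is the "goes past the root directory" condition in the text.
    """
    normalized = fully_decode(path).replace("\\", "/")
    depth = 0
    for segment in normalized.split("/"):
        if segment in ("", "."):
            continue
        if segment == "..":
            depth -= 1
            if depth < 0:
                return True
        else:
            depth += 1
    return False


def classify_request(line: str) -> dict:
    """Split an HTTP request line and check both the path and each query value."""
    m = re.match(r"^[A-Z]+ (?P<target>\S+) HTTP/\d", line)
    if not m:
        raise ValueError(f"not an HTTP request line: {line!r}")
    target = m.group("target")
    parts = urlsplit(target)
    query_hit = any(
        escapes_root(value)
        for _, value in parse_qsl(parts.query, keep_blank_values=True)
    )
    return {
        "target": target,
        "path_traversal": escapes_root(parts.path),
        "query_traversal": query_hit,
    }


def flagged_targets(lines) -> list:
    """Return the request targets that a reviewer should investigate."""
    results = (classify_request(line) for line in lines)
    return [r["target"] for r in results if r["path_traversal"] or r["query_traversal"]]


if __name__ == "__main__":
    for target in flagged_targets(SAMPLE_REQUESTS):
        print("traversal:", target)
```

Query values are checked because applications often open the file a parameter names; the decoding loop is bounded so a pathological input cannot keep the check busy.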

A worm is self-replicating malware (malicious software) that propagates by actively sending itself to new machines. CIFS, the Common Internet File System (sometimes called SMB), is a protocol for sharing files and printers. The protocol is implemented and widely used by Microsoft operating systems, as well as by Samba clients. Many worms, once they have infected a host, use CIFS as their means of propagation.

Attack Name: Web Client Enforcement Violation

Microsoft Internet Explorer is the most widely used Internet browser. The vulnerability is due to the way Internet Explorer handles data bindings. To trigger this issue, an attacker may create a malicious web page that exploits this vulnerability. Successful exploitation crashes the browser, allowing execution of arbitrary code on the vulnerable system.

Attack Name: Windows Kerberos Protection Violation

The Kerberos protocol is used to mutually authenticate users and services on an open and unsecured network. It allows services to correctly identify the user of a Kerberos ticket without having to authenticate the user at the service. It does this by using shared secret keys.

A denial of service vulnerability exists in implementations of MIT Kerberos. The vulnerability is caused by incorrect handling of ticket renewal requests coming from a non-Windows Kerberos domain. When an MIT Kerberos user logs on to an Active Directory domain-joined machine, they will be issued a Kerberos referral TGT (Ticket Granting Ticket) from the MIT Kerberos realm. Windows clients will never attempt to renew this referral TGT. A remote attacker running a malicious Kerberos client could attempt to renew the referral TGT, which would result in a null pointer dereference inside LSASS.EXE on the domain controller, causing the domain controller to reboot.


1. HIPAA 5 Event/s
This Data Type is used by the 'HIPAA - Protected Health Information' Data Type to match Protected Health Information (PHI) documents. The 'HIPAA - Protected Health Information' Data Type is recommended for use in the DLP policy.

2. Credit Card Numbers 2 Event/s
Related to the Payment Card Industry (PCI); matches data containing credit card numbers of MasterCard, Visa, JCB, American Express and Discover.

3. Customer Names 2 Event/s
The list of customers is considered confidential.

Top Data Loss Events: the following types of data were sent outside the organization.

In the pages that follow, descriptions of the identified events are provided. Remediation steps are also outlined in the relevant sections.


FINDINGS

WEB SECURITY EVENTS

For many organizations, Web Security, encompassing both the applications used by employees and the websites that they visit, has become a critical source of risk. This is because many recent attacks focused on application vulnerabilities and exploited websites for malware injection and network penetration. Also, Internet use is a bandwidth hog. While bandwidth utilization might not be a security risk, it does represent a productivity and TCO challenge.

From a security perspective, the following identified applications and websites have a high risk profile:

Top High Risk Applications/Sites


In general, the analysis identified that these additional applications and websites are used within your network:

Top Applications/Sites


The following table shows the top 10 categories and number of hits associated with employee Internet browsing:

Category                   Number of Hits   % of Total Hits
Search Engines / Portals   2,113            11%
Computers / Internet       2,023            11%
Business / Economy         1,747            9%
Web Browsing               1,602            8%
News / Media               1,388            7%
Web Services Provider      1,292            7%
Social Networking          1,271            7%
Inactive Sites             1,196            6%
Network Protocols          1,010            5%
Other                      5,316            28%
Grand Total                18,958           100%

Top Applications/Sites Categories

And from a user perspective, the following people were involved in the highest number of risky application and web usage events:

Users                Events
Joe Roberts          5
Mark Johnson         5
Albert Springsteen   4
Maria Davids         3
Anna Smith           2

Top Users High Risk Applications/Sites


INTRUSION PREVENTION EVENTS

During the course of the analysis, the Check Point solution identified a number of intrusion prevention-related events. Some of these events were categorized as critical. The following chart shows the distribution of events according to criticality:

[Chart: IPS Events By Severity. Legend: Critical, High, Medium, Low, Informational; shares shown: 50%, 25%, 19%, 6%]

All organizations need to triage the security incidents to which they respond. Event criticality is often an effective way to prioritize events.

And yet, security practitioners will often investigate events that do not fall into the most critical categories, as these seemingly less important incidents can be used to help identify attacks in progress or the first signs of new attacks which have not yet begun in earnest.


On a more granular level, the following table shows the types and quantities of events within the defined categories:

IPS Events By Severity

Critical
  CIFS Worm Catcher 6
  Directory Traversal 2
  Internet Explorer XML Processing Memory Corruption (MS08-078) 2
  Microsoft Active Directory-MIT Kerberos Null Pointer Dereference (MS10-014) 1
  Microsoft Windows Print Spooler Service Buffer Overflow (MS05-043) 1
High
  Microsoft Windows Media Player PNG Chunk Handling Stack Overflow (MS06-024) 2
  IBM Lotus Notes HTML Speed Reader Long URL Buffer Overflow 1
  BIND 9 DNS Server Dynamic Update Denial of Service 1
  Digium Asterisk SIP sscanf Multiple Denial of Service 1
  Microsoft Print Spooler Service Impersonation Code Execution (MS10-061) 4
  Microsoft Windows SNMP Service GetBulk Memory Corruption (MS06-074) 11
  Microsoft WINS Local Privilege Escalation (MS08-034) 3
  SNMP Enforcement 15
Medium
  Brute Force Scanning of CIFS Ports 65
  Microsoft Windows NT Null CIFS Sessions 50
  Microsoft Windows Workstation Service NetrWkstaUserEnum Denial of Service 1150
Informational
  TCP Invalid Retransmission 4
  TCP Segment Limit Enforcement 37
  TCP SYN Modified Retransmission 6
Grand Total 1362


DATA LOSS PREVENTION

Data has become one of the most valuable assets of organizations. The following represents the characteristics of the data loss events that were identified during the course of the project.

During the course of the analysis, the Check Point solution identified a number of data loss-related events. Some of these events were categorized as critical. The following chart shows the distribution of events according to criticality:

[Chart: DLP Events By Severity. Legend: Critical, High, Medium, Low, Informational; shares shown: 54%, 46%]


The following list summarizes the identified data loss activity and the number of times that each type of event occurred for the different data types configured for DLP:

DLP Events By Severity

High
  Inappropriate Language 4
  Large file to webmail, Inappropriate Language 1
  Document File, Large file to webmail 2
  Document File 15
  Large file to webmail 18
  Outlook Message - Confidential 6
  Spreadsheet File 1
Medium
  External Recipient and Internal Users, External Recipient in BCC, Database File or Archive File or Presentation File or Spreadsheet File or Document File or CSV File 3
  Document File 49
  Spreadsheet File 3
Grand Total 104

This chart shows data leakage by mail sender on your network.

Sender              Events
[email protected]   10
[email protected]   9
[email protected]   7
[email protected]   5
[email protected]   4
[email protected]   4
[email protected]   4
[email protected]   4
[email protected]   3
[email protected]   2

DLP Mail Events Top Senders


REMEDIATION

This report addresses identified security events across multiple security areas and at varying levels of criticality. The table below reviews the most critical of these incidents and presents methods to mitigate their risks. Check Point provides multiple methods for addressing these threats and concerns. Relevant protections are noted for each event along with the software blades into which the defenses are incorporated.

WEB SECURITY EVENTS REMEDIATION

Application/Site       Events
Vtunnel                1
Dropbox                5
BitTorrent             1
Imarketspartners.com   2
Bit Che                1

Remediation Steps (all applications/sites above): In the Application Control and URL Filtering Software Blades, you can activate, track and prevent the use of all the mentioned applications and web sites. You can define a granular policy to allow certain applications to specific groups only. Use UserCheck to educate users about the organization's web browsing and application usage policy.


INTRUSION PREVENTION EVENTS REMEDIATION

Threat (Events): Remediation Steps

CIFS Worm Catcher (6): In Check Point IPS Software Blade, enable the following protection: CIFS Worm Catcher
Non Compliant HTTP (2): In Check Point IPS Software Blade, enable the following protection: Non Compliant HTTP
Internet Explorer XML Processing Memory Corruption (MS08-078) (2): In Check Point IPS Software Blade, enable the following protection: Internet Explorer XML Processing Memory Corruption (MS08-078)
Microsoft Active Directory-MIT Kerberos Null Pointer Dereference (MS10-014) (1): In Check Point IPS Software Blade, enable the following protection: Microsoft Active Directory-MIT Kerberos Null Pointer Dereference (MS10-014)
Microsoft Windows Print Spooler Service Buffer Overflow (MS05-043) (1): In Check Point IPS Software Blade, enable the following protection: Microsoft Windows Print Spooler Service Buffer Overflow (MS05-043)


DATA LOSS EVENTS REMEDIATION

Data Loss             Events
HIPAA                 5
Customer Names        2
Credit Card Numbers   2

Remediation Steps (all data types above): The Check Point DLP Software Blade protects confidential information from leaking outside the organization. To remediate the detected events, activate the DLP Software Blade. Configure the DLP policy based on the detected DLP data type and choose an action (Detect/Prevent/Ask User/etc.). If you consider the detected data type to be sensitive information, the recommended action is Prevent. Use UserCheck to educate users about the organization's data usage policy.


APPENDIX

Network Bandwidth Utilization

During the course of the analysis, your company’s employees used significant corporate network resources for non-work activity. The following chart shows how bandwidth was used by your employees:

Bandwidth Utilization by Application/Site (MB)

Application/Site   MB     % of Total
YouTube            912    11%
Web Browsing       912    11%
SMTP               774    10%
castup.net         606    7%
ynet.co.il         472    6%
Other              4549   55%


[Chart: Bandwidth Utilization (MB) By Category. Categories: Network Protocols, Media Sharing, Web Browsing, News / Media, Business / Economy, Other; y-axis 0-3500 MB; bar values shown: 1601, 1095, 912, 867, 804, 2945]


The use of social networking sites has become common at the workplace and at home. Many businesses leverage social networking technologies for their marketing and sales efforts, as well as their recruiting programs. During the course of this project, and consistent with overall market trends, the following social networking sites consumed the most network bandwidth:

[Chart: Social Networking Traffic (MB). Site labels not recovered from the chart; y-axis 0-120 MB; bar values shown: 96, 44, 18, 85, 19]


ABOUT CHECK POINT SOFTWARE TECHNOLOGIES

Check Point Software Technologies’ (www.checkpoint.com) mission is to secure the Internet. Check Point was founded in 1993, and has since developed technologies to secure communications and transactions over the Internet by enterprises and consumers.

When the company was founded, risks and threats were limited and securing the Internet was relatively simple. A firewall and an antivirus solution generally provided adequate security for business transactions and communications over the Internet. Today, enterprises require many (in some cases 15 or more) point solutions to secure their information technology (IT) networks from the multitude of threats and potential attacks, and are facing an increasingly complex IT security infrastructure.

Check Point’s core competencies are developing security solutions to protect business and consumer transactions and communications over the Internet, and reducing the complexity in Internet security. We strive to solve the security maze by bringing “more, better and simpler” security solutions to our customers.

Check Point develops, markets and supports a wide range of software, as well as combined hardware and software products and services for IT security. We offer our customers an extensive portfolio of network and gateway security solutions, data and endpoint security solutions and management solutions. Our solutions operate under a unified security architecture that enables end-to-end security with a single line of unified security gateways, and allow a single agent for all endpoint security that can be managed from a single unified management console. This unified management allows for ease of deployment and centralized control and is supported by, and reinforced with, real-time security updates.

Check Point was an industry pioneer with our FireWall-1 and our patented Stateful Inspection technology. Check Point has recently extended its IT security innovation with the development of our Software Blade architecture. The dynamic Software Blade architecture delivers secure, flexible and simple solutions that can be customized to meet the security needs of any organization or environment.

Our products and services are sold to enterprises, service providers, small and medium sized businesses and consumers. Our Open Platform for Security (OPSEC) framework allows customers to extend the capabilities of our products and services with third-party hardware and security software applications. Our products are sold, integrated and serviced by a network of partners worldwide. Check Point customers include tens of thousands of businesses and organizations of all sizes, including all Fortune 100 companies. Check Point’s award-winning ZoneAlarm solutions protect millions of consumers from hackers, spyware and identity theft.