©2012 Check Point Software Technologies Ltd. All rights reserved
Classification: [Customer Confidential] — For customer use only| Page 1
CHECK POINT 3D SECURITY ANALYSIS REPORT
Prepared for: COMPANY
Prepared by: Check Point Solution Center
Date: January 11, 2012
Table of Contents
EXECUTIVE SUMMARY ... 2
FINDINGS ... 7
    Web Security Events ... 7
    Intrusion Prevention Events ... 10
    Data Loss Prevention ... 12
REMEDIATION ... 14
APPENDIX ... 17
ABOUT CHECK POINT SOFTWARE TECHNOLOGIES ... 20
EXECUTIVE SUMMARY
This document is a summary of the findings of a recent 3D security analysis of your
infrastructure. It presents the security events that were observed and recommendations for
addressing them. The analysis took place on 05/01/2012 and included 2 hours of in-network analysis.
The analysis is based on data collected using the characteristics below:
PoC Date: 5/1/2012
In-Network Analysis Duration: 2 hours
Monitored Network: Internal facing internet
Deployment type: Mirror Port Kit (VMware-based)
Release version: R75.20
Security Gateway Software Blades: Application Control, URL Filtering, IPS, Data Loss Prevention
Security Management Software Blades: Pre-Defined 7 Blades with SmartEvent
During the course of the analysis, the installed device identified a number of security events,
including some that were permitted by your existing security solutions. Event information
collected by the Check Point solution found the following number of critical and high-priority
events in your network:
[Chart: High And Critical Events Summary (y-axis: Events, 0 to 35). Categories: Check Point IPS Software Blade; Application Control and URL Filtering; Data Loss Prevention. Bar values as extracted: 32, 22, 17.]
Within the areas of Application Control and URL Filtering, the following items are of the
highest risk level (the first column specifies the number of events related to the mentioned
application/site):
Top High Risk Applications/Sites
The following tables provide summary explanations of the top events found and their
associated security or business risks:
1. Vtunnel (1 event)
VTunnel is a free anonymous common gateway interface (CGI) proxy that masks IP addresses,
enabling users to connect to and view websites anonymously.
2. Dropbox (5 events)
Dropbox is an application that allows the user to share files. It is crucial to investigate what
users are doing with this application and whether they are leveraging it to distribute company
files or download harmful applications. Consider preventing its use through the Application
Control blade until additional information is available that justifies its use.
3. BitTorrent (1 event)
BitTorrent is a peer-to-peer (P2P) file sharing communications protocol. It is a method of
distributing large amounts of data widely without the original distributor incurring the entire
cost of hardware, hosting, and bandwidth resources. Instead, when data is distributed using the
BitTorrent protocol, each recipient supplies pieces of the data to newer recipients, reducing the
cost and burden on any given individual source, providing redundancy against system problems,
and reducing dependence on the original distributor. There are numerous compatible BitTorrent
clients, written in a variety of programming languages and running on a variety of computing
platforms.
4. Imarketspartners.com (2 events)
Imarketspartners.com is categorized as a web site that has been promoted through spam
techniques.
5. Bit Che (1 event)
Bit Che is an application for searching and downloading torrent files from various BitTorrent
tracker websites. Bit Che provides a preview of torrent details, integration with other torrent
clients and result filtering.
Top High Risk Applications and Sites
1. CIFS Worm Catcher (6 events)
2. Non Compliant HTTP (2 events)
3. Internet Explorer XML Processing Memory Corruption (MS08-078) (2 events)
4. Microsoft Active Directory-MIT Kerberos Null Pointer Dereference (MS10-014) (1 event)
Top Intrusion Prevention Events
Directory traversal attacks allow hackers to access files and directories that should be out of
their reach. This can, for example, allow viewing of directory listings and, in many attacks, lead
to running executable code on the web server with one simple URL.
There are several techniques to launch a directory traversal attack. Most of them are based on
an HTTP request containing a dot-dot-slash sequence ("../..") that walks up the file system. For
example, http://www.server.com/first/second/../../.. is illegal because it climbs above the root
directory.
More advanced attackers can try to use encoding to hide these sequences from simple checks.
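The check an IPS or web server applies to catch the traversal pattern described above, written here as an added example (not Check Point's code): the request path is percent-decoded repeatedly so that encoded and double-encoded "../" are seen, then walked segment by segment to see whether it ever climbs above the web root. The sample URLs are constructed; the first one is the report's own example.

```python
from urllib.parse import urlsplit, unquote
import posixpath

def decode_fully(text: str, max_rounds: int = 3) -> str:
    """Percent-decode repeatedly so double-encoded sequences such as
    %252e%252e%252f (-> %2e%2e%2f -> ../) end up in their final form."""
    for _ in range(max_rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text

def analyze_path(url: str):
    """Walk the request path and report whether any '..' step climbs above the
    web root. Returns (escapes_root, min_depth, normalized_path)."""
    raw_path = urlsplit(url).path or "/"
    # Backslash is treated as a separator because some servers (IIS) accept it.
    path = decode_fully(raw_path).replace("\\", "/")
    depth = 0        # how many directories below the root we currently are
    min_depth = 0    # lowest point reached; negative means we went above the root
    for segment in path.split("/"):
        if segment in ("", "."):
            continue
        if segment == "..":
            depth -= 1
            min_depth = min(min_depth, depth)
        else:
            depth += 1
    return min_depth < 0, min_depth, posixpath.normpath(path)

# Constructed sample request URLs (not taken from the report's logs).
SAMPLE_REQUESTS = [
    "http://www.server.com/first/second/../../..",                    # the report's example
    "http://www.server.com/first/second/../index.html",               # benign: stays below root
    "http://www.server.com/images/%2e%2e/%2e%2e/outside.txt",         # percent-encoded dots
    "http://www.server.com/%252e%252e%252f%252e%252e%252ffile.txt",   # double-encoded
    "http://www.server.com/docs/report.pdf",                          # benign
]

def flag_traversal(urls):
    """Return the URLs whose decoded path escapes the web root."""
    return [u for u in urls if analyze_path(u)[0]]

if __name__ == "__main__":
    for u in SAMPLE_REQUESTS:
        escapes, depth, norm = analyze_path(u)
        print(f"{'TRAVERSAL' if escapes else 'ok       '} min_depth={depth:2d} {u}")
```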
A worm is self-replicating malware (malicious software) that propagates by actively sending
itself to new machines. CIFS, the Common Internet File System (sometimes called SMB), is a
protocol for sharing files and printers. The protocol is implemented and widely used by
Microsoft operating systems, as well as by Samba clients. Many worms, once they have infected
a host, use CIFS as their means of propagation.
Attack Name: Web Client Enforcement Violation
Microsoft Internet Explorer is the most widely used Internet browser.
The vulnerability is due to the way Internet Explorer handles data bindings. To trigger this issue,
an attacker may create a malicious web page that exploits this vulnerability. Successful
exploitation crashes the browser and allows execution of arbitrary code on the vulnerable
system.
Attack Name: Windows Kerberos Protection Violation
The Kerberos protocol is used to mutually authenticate users and services on an open and
unsecured network. It allows services to correctly identify the user of a Kerberos ticket without
having to authenticate the user at the service. It does this by using shared secret keys.
A denial of service vulnerability exists in implementations of MIT Kerberos. The vulnerability is
caused by incorrect handling of ticket renewal requests coming from a non-Windows Kerberos
domain. When an MIT Kerberos user logs on to an Active Directory domain joined machine,
they will be issued a Kerberos referral TGT (Ticket Granting Ticket) from the MIT Kerberos realm.
Windows clients will never attempt to renew this referral TGT. A remote attacker running a
malicious Kerberos client could attempt to renew the referral TGT which would result in a null
pointer dereference inside of LSASS.EXE on the domain controller causing the domain
controller to reboot.
The following types of data were sent outside the organization:
1. HIPAA (5 events)
This Data Type is used by the 'HIPAA - Protected Health Information' Data Type to match
Protected Health Information (PHI) documents.
The 'HIPAA - Protected Health Information' Data Type is recommended for use in the DLP policy.
2. Credit Card Numbers (2 events)
Related to the Payment Card Industry (PCI) standard; matches data containing credit card
numbers of MasterCard, Visa, JCB, American Express and Discover.
3. Customer Names (2 events)
The list of customers is considered confidential.
Top Data Loss Events
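How a DLP data type such as 'Credit Card Numbers' decides that a digit run is really a card number, as an added example (not Check Point's implementation): candidate runs are extracted, validated with the Luhn mod-10 checksum, and then matched against simplified (assumed) prefix and length rules for the five brands the report names. The sample message is constructed and uses publicly known test card numbers.

```python
import re

# Simplified issuer prefix/length rules (assumed); real engines use fuller BIN tables.
BRAND_PATTERNS = [
    ("Visa",             re.compile(r"4\d{12}(?:\d{3})?$")),
    ("MasterCard",       re.compile(r"(?:5[1-5]\d{2}|222[1-9]|22[3-9]\d|2[3-6]\d{2}|27[01]\d|2720)\d{12}$")),
    ("American Express", re.compile(r"3[47]\d{13}$")),
    ("Discover",         re.compile(r"6(?:011|5\d{2})\d{12}$")),
    ("JCB",              re.compile(r"35(?:2[89]|[3-8]\d)\d{12}$")),
]
# 13 to 19 digits, optionally separated by single spaces or dashes, not part of a longer run.
CANDIDATE = re.compile(r"(?<![\d-])(?:\d[ -]?){12,18}\d(?![\d-])")

def luhn_valid(digits: str) -> bool:
    """Mod-10 checksum shared by all major card brands; rejects most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def classify_brand(digits: str):
    """Return the brand name whose prefix/length rule matches, or None."""
    for brand, pattern in BRAND_PATTERNS:
        if pattern.match(digits):
            return brand
    return None

def scan_for_pans(text: str):
    """One finding per Luhn-valid, brand-matching card number; the PAN is masked
    so the finding itself can be logged without leaking the number."""
    findings = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if not luhn_valid(digits):
            continue                      # e.g. order ids or phone numbers that happen to be long
        brand = classify_brand(digits)
        if brand is None:
            continue                      # Luhn-valid but not a brand this data type covers
        masked = "*" * (len(digits) - 4) + digits[-4:]
        findings.append({"brand": brand, "masked": masked, "offset": m.start()})
    return findings

# Constructed outbound message (not from the report); both numbers are public test PANs.
SAMPLE_EMAIL = (
    "Hi, the invoice was paid with Visa 4111 1111 1111 1111 and the deposit with "
    "AmEx 3782-822463-10005. Reference 4111111111111112 is an order id, "
    "call 555-0199 with questions."
)

if __name__ == "__main__":
    for f in scan_for_pans(SAMPLE_EMAIL):
        print(f"{f['brand']:<16} {f['masked']} at offset {f['offset']}")
```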
In the pages that follow, descriptions of the identified events are provided. Remediation steps
are also outlined in the relevant sections.
FINDINGS
WEB SECURITY EVENTS
For many organizations, Web Security, encompassing both the applications used by employees
and the websites that they visit, has become a critical source of risk. This is because many
recent attacks focused on application vulnerabilities and exploited websites for malware
injection and network penetration. Also, Internet use is a bandwidth hog. While bandwidth
utilization might not be a security risk, it does represent a productivity and TCO challenge.
From a security perspective, the following identified applications and websites have a high risk
profile:
Top High Risk Applications/Sites
In general, the analysis identified that these additional applications and websites are used
within your network:
Top Applications/Sites
The following table shows the top 10 categories and number of hits associated with employee
Internet browsing:
Category Number of Hits % of Total Hits
Search Engines / Portals 2,113 11%
Computers / Internet 2,023 11%
Business / Economy 1,747 9%
Web Browsing 1,602 8%
News / Media 1,388 7%
Web Services Provider 1,292 7%
Social Networking 1,271 7%
Inactive Sites 1,196 6%
Network Protocols 1,010 5%
Other 5,316 28%
Grand Total 18,958 100%
Top Applications/Sites Categories
And from a user perspective, the following people were involved in the highest number of risky
application and web usage events:
Users Events
Joe Roberts 5
Mark Johnson 5
Albert Springsteen 4
Maria Davids 3
Anna Smith 2
Top Users High Risk Applications/Sites
INTRUSION PREVENTION EVENTS
During the course of the analysis, the Check Point solution identified a number of intrusion
prevention-related events. Some of these events were categorized as critical. The following
chart shows the distribution of events according to criticality:
[Chart: IPS Events By Severity (pie). Legend: Critical, High, Medium, Low, Informational. Slice values as extracted: 19%, 6%, 50%, 25%.]
All organizations need to triage the security incidents to which they respond. Event criticality is
often an effective way to prioritize events.
And yet, security practitioners will often investigate events that do not fall into the most critical
categories, as these seemingly less important incidents can be used to help identify attacks in
progress or the first signs of new attacks which have not yet begun in earnest.
On a more granular level, the following table shows the types and quantities of events within
the defined categories:
IPS Events By Severity
Critical
CIFS Worm Catcher 6
Directory Traversal 2
Internet Explorer XML Processing Memory Corruption (MS08-078) 2
Microsoft Active Directory-MIT Kerberos Null Pointer Dereference (MS10-014) 1
Microsoft Windows Print Spooler Service Buffer Overflow (MS05-043) 1
High
Microsoft Windows Media Player PNG Chunk Handling Stack Overflow (MS06-024) 2
IBM Lotus Notes HTML Speed Reader Long URL Buffer Overflow 1
BIND 9 DNS Server Dynamic Update Denial of Service 1
Digium Asterisk SIP sscanf Multiple Denial of Service 1
Microsoft Print Spooler Service Impersonation Code Execution (MS10-061) 4
Microsoft Windows SNMP Service GetBulk Memory Corruption (MS06-074) 11
Microsoft WINS Local Privilege Escalation (MS08-034) 3
SNMP Enforcement 15
Medium
Brute Force Scanning of CIFS Ports 65
Microsoft Windows NT Null CIFS Sessions 50
Microsoft Windows Workstation Service NetrWkstaUserEnum Denial of Service 1150
Informational
TCP Invalid Retransmission 4
TCP Segment Limit Enforcement 37
TCP SYN Modified Retransmission 6
Grand Total 1362
DATA LOSS PREVENTION
Data has become one of the most valuable assets of any organization. The following describes
the characteristics of the data loss events that were identified during the course of the project.
During the course of the analysis, the Check Point solution identified a number of data loss-
related events. Some of these events were categorized as critical. The following chart shows the
distribution of events according to criticality:
[Chart: DLP Events By Severity (pie). Legend: Critical, High, Medium, Low, Informational. Slice values as extracted: 46%, 54%.]
The following list summarizes the identified data loss activity and the number of times each
type of event occurred, grouped by severity and by the data types configured in the DLP policy.
Severity / Data / Event/s
High
    Inappropriate Language 4
    Large file to webmail, Inappropriate Language 1
    Document File, Large file to webmail 2
    Document File 15
    Large file to webmail 18
    Outlook Message - Confidential 6
    Spreadsheet File 1
Medium
    External Recipient and Internal Users, External Recipient in BCC, Database File or Archive File or Presentation File or Spreadsheet File or Document File or CSV File 3
    Document File 49
    Spreadsheet File 3
Grand Total 104
DLP Events By Severity
This chart shows data leakage by mail sender on your network.
Sender Events
DLP Mail Events Top Senders
REMEDIATION
This report addresses identified security events across multiple security areas and at varying
levels of criticality. The table below reviews the most critical of these incidents and presents
methods to mitigate their risks. Check Point provides multiple methods for addressing these
threats and concerns. Relevant protections are noted for each event along with the software
blades into which the defenses are incorporated.
WEB SECURITY EVENTS REMEDIATION
Application/Site / Events
    Vtunnel 1
    Dropbox 5
    BitTorrent 1
    Imarketspartners.com 2
    Bit Che 1
Remediation Steps (all of the above):
In the Application Control and URL Filtering Software Blades, you can activate, track and
prevent the use of all the mentioned applications and web sites. You can define a granular
policy to allow certain applications to specific groups only.
Use UserCheck to educate users about the organization's web browsing and application usage
policy.
INTRUSION PREVENTION EVENTS REMEDIATION
Threat / Events / Remediation Steps
    CIFS Worm Catcher 6
    In Check Point IPS Software Blade, enable the following protection: CIFS Worm Catcher
    Non Compliant HTTP 2
    In Check Point IPS Software Blade, enable the following protection: Non Compliant HTTP
    Internet Explorer XML Processing Memory Corruption (MS08-078) 2
    In Check Point IPS Software Blade, enable the following protection: Internet Explorer XML Processing Memory Corruption (MS08-078)
    Microsoft Active Directory-MIT Kerberos Null Pointer Dereference (MS10-014) 1
    In Check Point IPS Software Blade, enable the following protection: Microsoft Active Directory-MIT Kerberos Null Pointer Dereference (MS10-014)
    Microsoft Windows Print Spooler Service Buffer Overflow (MS05-043) 1
    In Check Point IPS Software Blade, enable the following protection: Microsoft Windows Print Spooler Service Buffer Overflow (MS05-043)
DATA LOSS EVENTS REMEDIATION
Data Loss / Events
    HIPAA 5
    Customer Names 2
    Credit Card Numbers 2
Remediation Steps (all of the above):
The Check Point DLP Software Blade protects confidential information from leaking outside the
organization.
To remediate the detected events, activate the DLP Software Blade. Configure the DLP policy
based on the detected DLP data type and choose an action (Detect, Prevent, Ask User, etc.). If
you consider the detected data type to be sensitive information, the recommended action is
Prevent.
Use UserCheck to educate users about the organization's data usage policy.
APPENDIX
Network Bandwidth Utilization
During the course of the analysis, your company’s employees used significant corporate
network resources for non-work activity. The following chart shows how bandwidth was used
by your employees:
Bandwidth Utilization by Application/Site (MB)
Application/Site / MB / % of Total
    YouTube 912 11%
    Web Browsing 912 11%
    SMTP 774 10%
    castup.net 606 7%
    ynet.co.il 472 6%
    Other 4549 55%
[Chart: Bandwidth Utilization (MB) By Category (y-axis 0 to 3500). Categories: Network Protocols, Media Sharing, Web Browsing, News / Media, Business / Economy, Other. Bar values as extracted: 1601, 1095, 912, 867, 804, 2945.]
The use of social networking sites has become common at the workplace and at home. Many
businesses leverage social networking technologies for their marketing and sales efforts, as
well as their recruiting programs. During the course of this project, and consistent with over-all
market trends, the following social networking sites consumed the most network bandwidth:
[Chart: Social Networking Traffic (MB), y-axis 0 to 120. Bar values as extracted: 96, 44, 18, 85, 19; the site labels are not present in the extracted text.]
ABOUT CHECK POINT SOFTWARE TECHNOLOGIES
Check Point Software Technologies’ (www.checkpoint.com) mission is to secure the Internet.
Check Point was founded in 1993, and has since developed technologies to secure
communications and transactions over the Internet by enterprises and consumers.
When the company was founded, risks and threats were limited and securing the Internet was
relatively simple. A firewall and an antivirus solution generally provided adequate security for
business transactions and communications over the Internet. Today, enterprises require many
(in some cases 15 or more) point solutions to secure their information technology (IT) networks
from the multitude of threats and potential attacks and are facing an increasingly complex IT
security infrastructure.
Check Point’s core competencies are developing security solutions to protect business and
consumer transactions and communications over the Internet, and reducing the complexity in
Internet security. We strive to solve the security maze by bringing “more, better and simpler”
security solutions to our customers.
Check Point develops, markets and supports a wide range of software, as well as combined
hardware and software products and services for IT security. We offer our customers an
extensive portfolio of network and gateway security solutions, data and endpoint security
solutions and management solutions. Our solutions operate under a unified security
architecture that enables end-to-end security with a single line of unified security gateways,
and allow a single agent for all endpoint security that can be managed from a single unified
management console. This unified management allows for ease of deployment and centralized
control and is supported by, and reinforced with, real-time security updates.
Check Point was an industry pioneer with our FireWall-1 and our patented Stateful Inspection
technology. Check Point has recently extended its IT security innovation with the development
of our Software Blade architecture. The dynamic Software Blade architecture delivers secure,
flexible and simple solutions that can be customized to meet the security needs of any
organization or environment.
Our products and services are sold to enterprises, service providers, small and medium sized
businesses and consumers. Our Open Platform for Security (OPSEC) framework allows
customers to extend the capabilities of our products and services with third-party hardware
and security software applications. Our products are sold, integrated and serviced by a network
of partners worldwide. Check Point customers include tens of thousands of businesses and
organizations of all sizes including all Fortune 100 companies. Check Point’s award-winning
ZoneAlarm solutions protect millions of consumers from hackers, spyware and identity theft.