Copyright © 2002 ProsoftTraining. All rights reserved.
Security Auditing, Attacks, and Threat Analysis
Objectives
• Identify a security auditor’s chief duties
• List security auditing principles
• Assess risk factors for a network
• Describe the security auditing process
• Plan an audit
Conducting a Risk Assessment
• Check for a written security policy
• Analyze, categorize and prioritize resources
• Consider business concerns
• Evaluate existing perimeter and internal security
• Use existing management and control architecture
Summary
• Identify a security auditor’s chief duties
• List security auditing principles
• Assess risk factors for a network
• Describe the security auditing process
• Plan an audit
Objectives
• Describe the discovery process
• Identify specific discovery methods
• Install and configure network-based and host-based discovery software
• Conduct network-level and host-level security scans
• Configure and deploy enterprise-grade network vulnerability scanners
Security Scans
• Whois
• nslookup
• The host command
• The traceroute (tracert) command
• Ping scanning
• Port scans
• Network-discovery and server-discovery applications
• NMAP
• Share scans
• Service scans
• Using Telnet
TCP/IP Services
• Finger
– User names
– Server names
– E-mail accounts
– User connectivity
– User logon status
Enterprise-Grade Auditing Applications
• Protocol support
• Network scanners
• Subnetting
• Configuring network scanners
• Configuring host scanners
Scan Levels
• Profiles and policies
• Reporting
• Symantec NetRecon
• ISS Internet Scanner
• eEye Retina
• Additional scanning application vendors
What Information Can You Obtain?
• Network-level information
• Host-level information
• Research
• Legitimate versus illegitimate auditing tools
Summary
• Describe the discovery process
• Identify specific discovery methods
• Install and configure network-based and host-based discovery software
• Conduct network-level and host-level security scans
• Configure and deploy enterprise-grade network vulnerability scanners
Lesson 3: Auditing Server Penetration and Attack Techniques
Objectives
• Identify common targets
• Discuss penetration strategies and methods
• List potential physical, operating system, and TCP/IP stack attacks
• Identify and analyze specific brute-force, social engineering, and denial-of-service attacks
• Implement methods designed to thwart penetration
Attack Signatures and Auditing
• Reviewing common attacks
– Dictionary
– Man in the middle
– Hijacking
– Viruses
– Illicit servers
– Denial of service
Databases
• The most desirable asset for a hacker to attack
– Employee data
– Marketing and sales information
– R & D
– Shipping information
Naming Services
• Unauthorized zone transfers
• DNS poisoning
• Denial-of-service attacks
• WINS
• SMB
• NFS
• NIS
Combining Attack Strategies
• Penetration strategies
– Physical
– Operating system
– Bad password policies
– NAT
– Bad system policies
– Auditing file system weaknesses
• IP spoofing and hijacking
– Blind and non-blind spoofing
Denial of Service and the TCP/IP Stack
• SYN flood
• Smurf and Fraggle attacks
• Teardrop/Teardrop2
• Ping of death
• Land attack
Summary
• Identify common targets
• Discuss penetration strategies and methods
• List potential physical, operating system, and TCP/IP stack attacks
• Identify and analyze specific brute-force, social engineering, and denial-of-service attacks
• Implement methods designed to thwart penetration
Lesson 4: Security Auditing and the Control Phase
Objectives
• Define control procedures
• Identify control methods
• List ways to document control procedures and methods
Control Phases
• Gain root access
• Gather information
• Open new security holes
• Erase evidence of penetration
• Spread to other systems
• Auditing UNIX file systems
• Auditing Windows 2000
UNIX Password File Locations
• The shadow password file
• Redirect information
• Create new access points
• Erase evidence of penetration
• Spread to other systems
• Port redirection
Control Methods
• System defaults
• Services, daemons, and loadable modules
• Illicit services, daemons, and loadable modules
• Keyloggers
Auditing and the Control Phase
• The auditor never truly enters the control phase
• The auditor must recognize suspicious traffic
Summary
• Define control procedures
• Identify control methods
• List ways to document control procedures and methods
Objectives
• Define intrusion detection
• Differentiate between intrusion detection and automated scanning
• Discuss network- and host-based intrusion detection
• List the elements used in an IDS
• Implement intrusion-detection software
What Is Intrusion Detection?
• Capabilities
– Network traffic management
– System scanning, jails, and the IDS
– Tracing
• Is intrusion detection necessary?
• IDS application strategies
Intrusion Detection Architecture
• Network-based IDS applications
• Host-based IDS architectures
• Host-based managers
• Host-based IDS agents
• Manager-to-agent communication
IDS Actions and False Positives
• Creating rules
• Assigning actions to a rule
• Mistaking legitimate traffic for illegitimate traffic
Intrusion Detection Software
• eTrust Intrusion Detection
• Snort
• Intruder Alert
• ISS RealSecure
• Computer Misuse Detection System
• Network Flight Recorder
• CyberCop Monitor
• Cisco Secure IDS
Purchasing an IDS
• Product support
• Product training
• Update policy
• Company reputation
• IDS capacity
• Product scalability
• Network support
• Encryption
Summary
• Define intrusion detection
• Differentiate between intrusion detection and automated scanning
• Discuss network- and host-based intrusion detection
• List the elements used in an IDS
• Implement intrusion-detection software
Objectives
• Establish a baseline for your users’ activities
• Conduct log analysis
• Filter events found in Windows 2000 and Linux systems
• Establish auditing for logons, system restarts, and specific resource use
Baseline Creation and Firewall and Router Logs
• Baseline is standard activity for a network
• Logs help determine activity patterns of users
Filtering Logs
• Filtering logs in Windows 2000
• Filtering logs in Linux
• Operating system add-ons and third-party logging
Additional Logs
• Intrusion detection systems
• Telephony connections
• ISDN and/or frame relay connections
• Employee access logs
Log Storage
• Sending logs to a different machine for storage
• Replicating logs to a writable CD-ROM drive
• Scheduling hard-copy backups
Summary
• Establish a baseline for your users’ activities
• Conduct log analysis
• Filter events found in Windows 2000 and Linux systems
• Establish auditing for logins, system restarts, and specific resource use
Objectives
• Recommend solutions based on specific network problems
• Suggest ways to improve compliance with a security policy
• Create an assessment report
• Enable proactive detection services
Objectives (cont’d)
• Cleanse operating systems
• Install operating system add-ons
• Implement native auditing
• Use SSH as a replacement for Telnet, rlogin, and rsh
Auditing Recommendations
• Recommending specific ways to continue or implement efficient auditing
• Confronting and correcting virus, worm and Trojan infections
• Recommending changes and improvements
Four Network Auditing Categories
• Firewalls and Routers
• Host and Personal Security
• Intrusion Detection and Traceback
• Policy Enforcement
Creating the Assessment Report
• Sample audit report elements include:
– Overview of existing security
– Estimates of time hackers require to enter system
– Summary of important recommendations
– Outline of audit procedures
– Network element recommendations
– Physical security discussion
– Terms
Security Auditing and Security Standards
• ISO 7498-2
• British Standard 7799
• Common Criteria
• Evaluation Assurance Levels
Enabling Proactive Detection
• Scan detection, honey pots and jails
– Detecting a NIC in promiscuous mode
Host Auditing Solutions
• Cleaning up infections
• Personal firewall software
• IPsec and personal encryption
• Native auditing services
• Fixing system bugs
• IPv6
Replacing and Updating Services
• Study the new product
• Determine the time needed to implement changes
• Test all updates
• Consider effect of updates on other services
• Determine whether end-user training is needed
Secure Shell (SSH)
• Security services provided by SSH
• Encryption and authentication in SSH
• SSH2 components
• Preparing SSH components
SSH and DNS
• Compatibility with SSH1
• SSH and authentication: Establishing user-to-user trust relationships
Summary
• Recommend solutions based on specific network problems
• Suggest ways to improve compliance with a security policy
• Create an assessment report
• Enable proactive detection services
Summary (cont’d)
• Cleanse operating systems
• Install operating system add-ons
• Implement native auditing
• Use SSH as a replacement for Telnet, rlogin, and rsh