Copyright © 2002 ProsoftTraining. All rights reserved.

Security Auditing, Attacks, and Threat Analysis


Lesson 1: Security Auditing

Objectives

• Identify a security auditor’s chief duties
• List security auditing principles
• Assess risk factors for a network
• Describe the security auditing process
• Plan an audit

What Is an Auditor?

• Network security
• Risk assessment

What Does an Auditor Do?

Compliance

Risk Analysis

Auditor Roles and Perspectives

• Auditor as security manager
• Auditor as consultant
• Insider threats

Conducting a Risk Assessment

• Check for a written security policy
• Analyze, categorize and prioritize resources
• Consider business concerns
• Evaluate existing perimeter and internal security
• Use existing management and control architecture

Risk Assessment Stages

• Discovery
• Penetration
• Control

Summary

• Identify a security auditor’s chief duties
• List security auditing principles
• Assess risk factors for a network
• Describe the security auditing process
• Plan an audit


Lesson 2: Discovery Methods

Objectives

• Describe the discovery process
• Identify specific discovery methods
• Install and configure network-based and host-based discovery software
• Conduct network-level and host-level security scans
• Configure and deploy enterprise-grade network vulnerability scanners

Security Scans

• Whois
• nslookup
• The host command
• The traceroute (tracert) command
• Ping scanning
• Port scans
• Network-discovery and server-discovery applications
• NMAP
• Share scans
• Service scans
• Using Telnet

Using SNMP

• The SetRequest command
• SNMP software

TCP/IP Services

• Finger
  – User names
  – Server names
  – E-mail accounts
  – User connectivity
  – User logon status

Enterprise-Grade Auditing Applications

• Protocol support
• Network scanners
• Subnetting
• Configuring network scanners
• Configuring host scanners

Scan Levels

• Profiles and policies
• Reporting
• Symantec NetRecon
• ISS Internet Scanner
• eEye Retina
• Additional scanning application vendors

Social Engineering

• Telephone calls
• Fraudulent e-mail
• Education

What Information Can You Obtain?

• Network-level information
• Host-level information
• Research
• Legitimate versus illegitimate auditing tools

Summary

• Describe the discovery process
• Identify specific discovery methods
• Install and configure network-based and host-based discovery software
• Conduct network-level and host-level security scans
• Configure and deploy enterprise-grade network vulnerability scanners


Lesson 3: Auditing Server Penetration and Attack Techniques

Objectives

• Identify common targets
• Discuss penetration strategies and methods
• List potential physical, operating system, and TCP/IP stack attacks
• Identify and analyze specific brute-force, social engineering, and denial-of-service attacks
• Implement methods designed to thwart penetration

Attack Signatures and Auditing

• Reviewing common attacks
  – Dictionary
  – Man in the middle
  – Hijacking
  – Viruses
  – Illicit servers
  – Denial of service

Common Targets

• Routers
• FTP servers
• Databases
• Web servers
• DNS
• WINS
• SMB

Routers

• Using your firewall to filter Telnet
• Routers and bandwidth consumption attacks

Databases

• The most desirable asset for a hacker to attack
  – Employee data
  – Marketing and sales information
  – R & D
  – Shipping information

Web and FTP Servers

• Common problems
• Web graffiti

E-Mail Servers

• Spam
• Relaying

Naming Services

• Unauthorized zone transfers
• DNS poisoning
• Denial-of-service attacks
• WINS
• SMB
• NFS
• NIS

Auditing Trap Doors and Root Kits

• Auditing bugs and back doors

Buffer Overflow

• Preventing denial-of-service attacks
• Auditing illicit servers, Trojans and worms

Combining Attack Strategies

• Penetration strategies
  – Physical
  – Operating system
  – Bad password policies
  – NAT
  – Bad system policies
  – Auditing file system weaknesses
• IP spoofing and hijacking
  – Blind and non-blind spoofing

Denial of Service and the TCP/IP Stack

• SYN flood
• Smurf and Fraggle attacks
• Teardrop/Teardrop2
• Ping of death
• Land attack

Summary

• Identify common targets
• Discuss penetration strategies and methods
• List potential physical, operating system, and TCP/IP stack attacks
• Identify and analyze specific brute-force, social engineering, and denial-of-service attacks
• Implement methods designed to thwart penetration


Lesson 4: Security Auditing and the Control Phase

Objectives

• Define control procedures
• Identify control methods
• List ways to document control procedures and methods

Control Phases

• Gain root access
• Gather information
• Open new security holes
• Erase evidence of penetration
• Spread to other systems
• Auditing UNIX file systems
• Auditing Windows 2000

UNIX Password File Locations

• The shadow password file
• Redirect information
• Create new access points
• Erase evidence of penetration
• Spread to other systems
• Port redirection

Control Methods

• System defaults
• Services, daemons, and loadable modules
• Illicit services, daemons, and loadable modules
• Keyloggers

Auditing and the Control Phase

• The auditor never truly enters the control phase

• The auditor must recognize suspicious traffic

Summary

• Define control procedures
• Identify control methods
• List ways to document control procedures and methods


Lesson 5: Intrusion Detection

Objectives

• Define intrusion detection
• Differentiate between intrusion detection and automated scanning
• Discuss network- and host-based intrusion detection
• List the elements used in an IDS
• Implement intrusion-detection software

What Is Intrusion Detection?

• Capabilities
  – Network traffic management
  – System scanning, jails, and the IDS
  – Tracing
• Is intrusion detection necessary?
• IDS application strategies

Intrusion Detection Architecture

• Network-based IDS applications
• Host-based IDS architectures
• Host-based managers
• Host-based IDS agents
• Manager-to-agent communication

IDS Rules

• Network anomalies
• Network misuses
• Actions
• False positives and IDS configuration

IDS Actions and False Positives

• Creating rules
• Assigning actions to a rule
• Mistaking legitimate traffic for illegitimate traffic

Intrusion Detection Software

• eTrust Intrusion Detection
• Snort
• Intruder Alert
• ISS RealSecure
• Computer Misuse Detection System
• Network Flight Recorder
• CyberCop Monitor
• Cisco Secure IDS

Purchasing an IDS

• Product support
• Product training
• Update policy
• Company reputation
• IDS capacity
• Product scalability
• Network support
• Encryption

Summary

• Define intrusion detection
• Differentiate between intrusion detection and automated scanning
• Discuss network- and host-based intrusion detection
• List the elements used in an IDS
• Implement intrusion-detection software


Lesson 6: Auditing and Log Analysis

Objectives

• Establish a baseline for your users’ activities
• Conduct log analysis
• Filter events found in Windows 2000 and Linux systems
• Establish auditing for logons, system restarts, and specific resource use

Baseline Creation and Firewall and Router Logs

• Baseline is standard activity for a network
• Logs help determine activity patterns of users

Operating System Logs

• Logging UNIX systems
• Logging Windows 2000 systems

Filtering Logs

• Filtering logs in Windows 2000
• Filtering logs in Linux
• Operating system add-ons and third-party logging

Suspicious Activity

• Skilled attackers attempt to camouflage their activity as legitimate system activity

Additional Logs

• Intrusion detection systems
• Telephony connections
• ISDN and/or frame relay connections
• Employee access logs

Log Storage

• Sending logs to a different machine for storage
• Replicating logs to a writable CD-ROM drive
• Scheduling hard-copy backups

Auditing and Performance Degradation

• Network traffic
• Packet sniffers

Summary

• Establish a baseline for your users’ activities
• Conduct log analysis
• Filter events found in Windows 2000 and Linux systems
• Establish auditing for logins, system restarts, and specific resource use


Lesson 7: Audit Results

Objectives

• Recommend solutions based on specific network problems

• Suggest ways to improve compliance to a security policy

• Create an assessment report
• Enable proactive detection services

Objectives (cont’d)

• Cleanse operating systems
• Install operating system add-ons
• Implement native auditing
• Use SSH as a replacement for Telnet, rlogin, and rsh

Auditing Recommendations

• Recommending specific ways to continue or implement efficient auditing

• Confronting and correcting virus, worm and Trojan infections

• Recommending changes and improvements

Four Network Auditing Categories

• Firewalls and Routers
• Host and Personal Security
• Intrusion Detection and Traceback
• Policy Enforcement

Creating the Assessment Report

• Sample audit report elements include:
  – Overview of existing security
  – Estimates of time hackers require to enter system
  – Summary of important recommendations
  – Outline of audit procedures
  – Network element recommendations
  – Physical security discussion
  – Terms

Improving Compliance

• Steps for continued auditing and strengthening

Security Auditing and Security Standards

• ISO 7498-2
• British Standard 7799
• Common Criteria
• Evaluation Assurance Levels

Improving Router Security

• Ingress and egress filtering
• Disable broadcast filtering

Enabling Proactive Detection

• Scan detection, honey pots and jails
  – Detecting a NIC in promiscuous mode

Host Auditing Solutions

• Cleaning up infections
• Personal firewall software
• IPsec and personal encryption
• Native auditing services
• Fixing system bugs
• IPv6

Replacing and Updating Services

• Study the new product
• Determine the time needed to implement changes
• Test all updates
• Consider effect of updates on other services
• Determine whether end-user training is needed

Secure Shell (SSH)

• Security services provided by SSH
• Encryption and authentication in SSH
• SSH2 components
• Preparing SSH components

SSH and DNS

• Compatibility with SSH1
• SSH and authentication: Establishing user-to-user trust relationships

Summary

• Recommend solutions based on specific network problems
• Suggest ways to improve compliance to a security policy
• Create an assessment report
• Enable proactive detection services

Summary (cont’d)

• Cleanse operating systems
• Install operating system add-ons
• Implement native auditing
• Use SSH as a replacement for Telnet, rlogin, and rsh

Security Auditing, Attacks, and Threat Analysis

• Security Auditing
• Discovery Methods
• Auditing Server Penetration and Attack Techniques
• Security Auditing and the Control Phase
• Intrusion Detection
• Auditing and Log Analysis
• Audit Results