
Rochester Institute of Technology Secure IT 2007 Security Auditing Course Development Rochester Institute of Technology Yin Pan [email protected]



Agenda
- Motivation
- Course development
- Procedures used to develop basic auditing labs
- Outcomes and feedback from students
- Improvements

Why think about security?
- Facts (one year ago)
  - On average, one unpatched machine is compromised every 20 minutes
  - Once a patch is announced, an exploit will be available in 2-3 days
  - Between 2004 and 2005, unauthorized access increased 500% and identity theft increased 100%
- Targets
  - Government agencies: customized Trojan horses designed to pilfer sensitive government secrets
  - E-commerce sites, banks and credit-card processors
  - Companies: source code, the Coca-Cola recipe? A game?

Why think about security? (con't)
- There are people who are actively seeking your resources
- "But I don't have anything anyone wants!"
  - Even just as a hiding place for files or a way to become anonymous, you are targeted
  - Personal video recorders (PVR)
  - Carjacking and carhacking

Course Objective
Designed for system administrators, network administrators and security personnel, to defend their systems from attack by designing and implementing the most effective defense using effective defensive techniques.

The objective of this course is to provide students with the knowledge to develop network security audits, apply appropriate auditing tools to conduct professional audits, analyze results, and provide recommendations to mitigate any risks.

Outcomes
Upon completion of this course, students will be able to:
- Explain the fundamental techniques, processes and procedures of network and systems auditing.
- Describe the basic design and configuration of routers, firewalls, and Intrusion Detection Systems (IDS).
- Identify and apply appropriate tools to audit systems (Unix/Windows), servers, and network infrastructure components.
- Conduct vulnerability and validation testing.
- Write and present an audit report on security vulnerabilities.

Course outline
- Auditing Process and Procedure
  - Different phases of an audit
  - Discovery methods
- Network Identification and Penetration
- Systems Auditing
- Servers and Network Perimeter Auditing
- Audit Reports
  - Auditing Recommendations
  - Writing the audit report
  - Security improvements

Topics
- Audit Process and Procedure
- Network Audit Essentials
- Wireless Audit Essentials
- Unix/Linux System Audit
- Windows Audit
- Network Perimeter Audit
- Web Servers Audit
- Audit Report

Concerns…
- Many tools covered in this class can harm your system
- Some tools may include hidden features that exploit your systems

What is "Auditing"?
- A methodical examination and review that measures something against a standard
- Answers the question, "How do you know?"
- Examples of audits

Why auditing?
- Manage IT-related risk
- Ensure information security

Objective of Auditing
- To measure and report on risks
  - Against existing policy within the organization
  - Against existing standards or guidelines, best practices
- Raise awareness and reduce risks

6 Step Process for Audit (from SANS)
- Audit Planning
- Meeting Relevant People With The Plan (with high-level people; initiating the audit)
- Measuring the Systems
- Preparing the Report
- Presenting Results
- Report to Management

Measuring the systems -- Vulnerability assessment --
- Starting with physical security
- Networks (wired and wireless)
  - Secure the perimeter: router, firewall, IDS, etc.
  - Secure the DMZ and internal systems
  - Scan the network from both inside and outside
- Audit systems
  - Focus on Unix/Linux and Windows
  - Eliminate externally accessible vulnerabilities
  - Eliminate internally accessible vulnerabilities
  - Search for Trojan horse programs

Our goal
- To secure every possible path into our systems

Network Audit
- Secure the DMZ
- Map the hosts in the DMZ
- Audit goal: make sure there are no extra ports open on the DMZ hosts
- Once you find the open ports/services, use vulnerability tools to find any possible vulnerabilities associated with these services

Scan directions
- From outside, to eliminate externally accessible vulnerabilities
- From inside, to eliminate internally accessible vulnerabilities
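One way to check the DMZ audit goal above (no extra ports open on DMZ hosts) from both scan directions, as an added example that is not part of the original slides: it parses constructed Nmap grepable (-oG) output for the hypothetical hosts 192.0.2.10 and 192.0.2.11, compares each host's open ports against a hypothetical per-vantage-point policy, and reports both unexpected open ports and expected services that did not answer.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed nmap "grepable" (-oG) output for two hypothetical DMZ hosts,
# one scan taken from outside the perimeter and one from inside.
SCANS = {
    "outside": "Host: 192.0.2.10 ()\tPorts: 80/open/tcp//http///, 443/open/tcp//https///\tIgnored State: filtered (998)\n"
               "Host: 192.0.2.11 ()\tPorts: 25/open/tcp//smtp///, 22/open/tcp//ssh///\tIgnored State: filtered (998)\n",
    "inside": "Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/open/tcp//https///, 3306/open/tcp//mysql///\n"
              "Host: 192.0.2.11 ()\tPorts: 22/open/tcp//ssh///, 25/open/tcp//smtp///, 111/open/tcp//rpcbind///\n",
}

# Hypothetical DMZ policy: the only TCP ports each host may expose from each
# vantage point. Anything else found open is an audit finding.
POLICY = {
    "outside": {"192.0.2.10": {80, 443}, "192.0.2.11": {25, 587}},
    "inside": {"192.0.2.10": {22, 80, 443}, "192.0.2.11": {22, 25}},
}

# One -oG port entry is port/state/proto/owner/service/rpcinfo/version.
PORT_RE = re.compile(r"(\d+)/open/(tcp|udp)//([^/,]*)")
Finding = Tuple[str, int, str, str]  # (host, port, service, kind)

def parse_grepable(text: str) -> Dict[str, Dict[int, str]]:
    """Return {host: {open_port: service}} from nmap -oG host lines."""
    hosts: Dict[str, Dict[int, str]] = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        ip = line.split()[1]
        ports_field = line.partition("Ports: ")[2]
        hosts[ip] = {int(p): svc or "?" for p, _proto, svc in PORT_RE.findall(ports_field)}
    return hosts

def audit(scan_text: str, expected: Dict[str, Set[int]]) -> List[Finding]:
    """Compare observed open ports with the policy for one vantage point.
    'unexpected' = open port not allowed; 'missing' = allowed service not seen."""
    findings: List[Finding] = []
    observed = parse_grepable(scan_text)
    for host, allowed in expected.items():
        seen = observed.get(host, {})
        for port in sorted(set(seen) - allowed):
            findings.append((host, port, seen[port], "unexpected"))
        for port in sorted(allowed - set(seen)):
            findings.append((host, port, "", "missing"))
    return findings

def audit_all() -> Dict[str, List[Finding]]:
    """Run the audit for every scan direction (outside and inside)."""
    return {view: audit(SCANS[view], POLICY[view]) for view in SCANS}
```

Each "unexpected" finding is a service to close or justify in the report, and each "missing" one is a service the policy expects that was not reachable from that vantage point.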

Perimeter Devices Audit
- Company policy/procedure review and interviews
- Perimeter configuration
- Rule validation and perimeter penetration test
  - From outside
  - From inside

Web server and application audit
- Web server audit: Apache, Windows IIS
- Web applications audit: commercial/free tools
  - AppScan from Watchfire
  - Hailstorm from Cenzic
  - Nikto

Practice makes perfect
- Practice allows students to obtain the necessary skills and knowledge
- Allows students to discover new vulnerabilities and techniques

The goal of the lab component
The goal of the labs is to provide students with hands-on experience in utilizing sophisticated technological tools to conduct vulnerability and validation testing on systems and networks.

Challenges
- How to quarantine the vulnerable systems/networks in a controlled environment so that no risks are introduced to the rest of the networks
- How to choose the appropriate tools and techniques
- How to design the labs to fit into our future lab plan

Lab Exercise Design
- Virtual environment with VMware
- Select appropriate tools, combining commercial tools with free tools
  - Nmap, Nessus, Nikto, firewalk, cheops-ng, Tripwire, Windows tools, Linux/Unix tools, hping2, RAT, …
  - AppScan, N-Stalker, Hailstorm
- Closely tracks lecture content

Lab topics
- Lab 1: Network Discovery and Vulnerability Scanning
- Lab 2: Network audit and analysis within the DMZ
- Lab 3: Audits and validation of routers, firewalls and Intrusion Detection System (IDS) configuration and technical rule bases
- Lab 4: Audits of Unix/Linux systems including FreeBSD server and workstation, Fedora Core and Debian workstation
- Lab 5: Audits of Windows systems including Windows 2000 Server, Windows 2003 Server, Windows 2000 Pro and Windows XP
- Lab 6: Audits of Web servers (Apache and Microsoft IIS) and applications
- Lab 7: Create a live CD
- Project: Demonstrate tools used for auditing

Lab diagram
(diagram of the lab network; figure not reproduced)

Physical Lab Design
- Dedicated hard drives
- VMware images / BackTrack / Hakin9 / etc.
- Imaging system
- Air-gap capability

How did labs work?
- Labs are effective at conveying and applying techniques discussed and discovered in lecture.

General Student Feedback
- Enjoyed hands-on learning
- Learned a lot through the labs
- Appreciated the dedicated forensics machines/drives
- "The final project allowed us to build a VMware image and apply our favorite tools on the system. We learned a lot from others too."

Things that can be improved
- Lack of time was an issue (insufficient time for great depth of study)
- Combining the vulnerabilities on one machine allows in-depth auditing
- Get rid of duplicate tools
- Focus on the audit report
- Reduce the time to set up the VMware images
- Labs need further tweaking

Future direction
- Remote lab systems
- Split the course into two
- Training of other faculty

What did we miss?
Suggestions?
Questions?