Rochester Institute of Technology Secure IT 2007
Security Auditing Course Development
Rochester Institute of Technology
Yin Pan, [email protected]
Agenda
- Motivation
- Course development
- Procedures used to develop basic auditing labs
- Outcomes and feedback from students
- Improvements
Why think about security?
Facts (one year ago)
- On average, one unpatched machine is compromised every 20 minutes
- Once a patch is announced, an exploit will be available in 2-3 days
- Between 2004-2005:
  - Unauthorized access increased 500%
  - Identity theft increased 100%
Targets
- Government agencies
  - Customized trojan horse designed to pilfer sensitive government secrets
- E-commerce sites, banks and credit-card processors
- Companies
  - Source code, coca-cola recipe? Game?
Why think about security? (con't)
- There are people who are actively seeking your resources
- "But I don't have anything anyone wants!"
  - Even just as a hiding place for files or a way to become anonymous, you are targeted
- Personal video recorders (PVR)
- Carjacking and carhacking
Course Objective
Designed for
- system administrators
- network administrators
- security personnel
to defend their systems from attack by designing and implementing the most effective defense using effective defensive techniques.

The objective of this course is to provide students with the knowledge to develop security network audits, apply appropriate auditing tools to conduct professional audits, analyze results, and provide recommendations to mitigate any risks.
Outcomes
Upon completion of this course, students will be able to
- Explain the fundamental techniques, processes and procedures of network and systems auditing.
- Describe the basic design and configuration of routers, firewalls, and Intrusion Detection Systems (IDS).
- Identify and apply appropriate tools to perform audits of systems (Unix/Windows), servers, and network infrastructure components.
- Conduct vulnerability and validation testing.
- Write and present an auditing report on security vulnerabilities.
Course outline
- Auditing Process and Procedure
- Different phases of an audit
- Discovery methods
- Network Identification and Penetration
- Systems Auditing
- Servers and Network perimeters auditing
- Audit Reports
- Auditing Recommendations
- Writing audit report
- Security improvements
Topics
- Audit Process and procedure
- Network Audit Essentials
- Wireless Audit Essentials
- Unix/Linux system audit
- Windows audit
- Network Perimeter Audit
- Web Servers Audit
- Audit Report
Concerns...
- Many tools covered in this class can harm your system
- Some tools may include hidden features that exploit your systems
What is "Auditing"
- A methodical examination and review of measuring something against a standard
- Answer the question, "How do you know?"
- Example of audits
Why auditing?
- Manage IT-related risk
- Ensure information security
Objective of Auditing
- To measure and report on risks
  - Against existing policy within the organization
  - Against existing standards or guidelines, best practices
- Raise awareness and reduce risks
6 Step Process for Audit (from SANS)
- Audit Planning
- Meeting Relevant People With The Plan
  - With high level people, initiating audit
- Measuring the Systems
- Preparing the Report
- Presenting Results
- Report to Management
Measuring the systems -- Vulnerability assessment
- Starting with physical security
- Networks (wired and wireless)
  - Secure the perimeter such as router, firewall, IDS, etc.
  - Secure the DMZ and internal systems
  - Scan network from both inside and outside
- Audit systems
  - Focus on Unix/Linux and Windows
  - Eliminate externally accessible vulnerabilities
  - Eliminate internally accessible vulnerabilities
  - Search for Trojan horse programs
Our goal
- To secure every possible path into our systems
Network Audit
- Secure the DMZ
  - Map the hosts in the DMZ
- Audit goal:
  - Make sure there are no extra ports open on the DMZ hosts
  - Once you find out the open ports/services, use vulnerability tools to find any possible vulnerabilities associated with these services
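As an added example (not code from the course or its labs), the DMZ audit goal above turned into a check: constructed nmap grepable (-oG) output is parsed and each host's open ports are compared against an expected-services baseline, so that extra ports become findings and the open services are handed on to the vulnerability-scanning step. The hosts, ports and baseline are assumed values made up for illustration.

```python
"""Added example (not the course's code): audit check for 'no extra ports open on
DMZ hosts'. Parses constructed nmap grepable (-oG) output and diffs each host's
open ports against an expected-services baseline. All hosts/ports are made up."""
import re

# Constructed baseline: the only services each DMZ host is approved to expose.
BASELINE = {
    "192.0.2.10": {80, 443},   # web server
    "192.0.2.20": {25, 587},   # mail relay
}

# Constructed nmap -oG style lines (not real scan output); fields are tab-separated.
SCAN_OUTPUT = (
    "# Nmap scan initiated (constructed sample)\n"
    "Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, "
    "443/open/tcp//https///\tIgnored State: closed (997)\n"
    "Host: 192.0.2.20 ()\tPorts: 25/open/tcp//smtp///, 3306/open/tcp//mysql///, "
    "587/closed/tcp//submission///\tIgnored State: filtered (997)\n"
    "Host: 192.0.2.30 ()\tPorts: 8080/open/tcp//http-proxy///\tIgnored State: filtered (999)\n"
)

# port/state/protocol/owner/service/... as written by nmap -oG
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)//([^/]*)/")

def parse_grepable(text):
    """Return {host: {(port, proto, service), ...}} containing open ports only."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        addr = line.split()[1]
        m = re.search(r"Ports: ([^\t]*)", line)
        ports = PORT_RE.findall(m.group(1)) if m else []
        hosts[addr] = {(int(p), proto, svc) for p, state, proto, svc in ports
                       if state == "open"}
    return hosts

def audit_dmz(scan, baseline):
    """Diff observed open ports against the baseline; return findings per host."""
    findings = {}
    for host, open_ports in scan.items():
        expected = baseline.get(host, set())
        seen = {p for p, _, _ in open_ports}
        findings[host] = {
            "unknown_host": host not in baseline,   # not in the DMZ inventory
            "extra": sorted(seen - expected),       # open but not approved
            "missing": sorted(expected - seen),     # approved but not reachable
            "to_vuln_scan": sorted(open_ports),     # feed to the vulnerability tools
        }
    return findings
```

Every "extra" port and every host absent from the baseline is an audit finding to take to the owners; the "to_vuln_scan" list is the input for the next step on the slide.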
Scan directions
- From outside to eliminate externally accessible vulnerabilities
- From inside to eliminate internally accessible vulnerabilities
Perimeter Devices Audit
- Company policy/procedure review and interviews
- Perimeter configuration
- Rule validation and perimeter penetration test
  - From outside
  - From inside
Web server and application audit
- Web server audit
  - Apache
  - Windows IIS
- Web applications audit
  - Commercial/free tools
    - AppScan from Firewatch
    - Hailstorm from Cenzic
    - Nikto
Practice makes perfect
- Practice allows them to obtain the skills and knowledge necessary
- Allow students to discover new vulnerabilities and techniques
The goal of the lab component
The goal of the labs is to provide students with hands-on experience in utilizing sophisticated technological tools to conduct vulnerability and validation testing on systems and networks.
Challenges
- How to quarantine the vulnerable systems/networks in a controlled environment so that no risks are introduced to the rest of the networks
- How to choose the appropriate tools and techniques
- How to design the labs to fit in our future lab plan
Lab Exercise Design
- Virtual environment with VMware
- Select appropriate tools combining commercial tools with free tools
  - Nmap, Nessus, nikto, firewalk, cheops-ng, tripwire, Windows tools, Linux/Unix tools, hping2, RAT, ...
  - AppScan, N-stalker, hailstorm
- Closely tracks lecture content
Lab topics
- Lab 1: Network Discovery and Vulnerability Scanning
- Lab 2: Network audit and analysis within DMZ
- Lab 3: Audits and validations of routers, firewalls and Intrusion Detection System (IDS) configuration and technical rule bases
- Lab 4: Audits of Unix/Linux systems including FreeBSD server and workstation, Fedora Core and Debian workstation
- Lab 5: Audits of Windows systems including Windows 2000 Server, Windows 2003 Server, Windows 2000 Pro and Windows XP
- Lab 6: Audits of Web servers (Apache and Microsoft IIS) and applications
- Lab 7: Create a Live CD
- Project: Demonstrate tools used for auditing
Physical Lab Design
- Dedicated hard drives
- VMware / BackTrack / Hakin9 / etc.
- Imaging system
- Air-gap capability
How did labs work?
- Labs are effective at conveying and applying techniques discussed and discovered in lecture.
General Student Feedback
- Enjoyed hands-on learning
- Learned a lot through the labs.
- Appreciated the dedicated forensics machines/drives
- The final project allowed us to build a VMware image and apply our favorite tools on the system. We learned a lot from others too.
Things that can be improved
- Lack of time was an issue (insufficient time for great depth of study)
- Combining the vulnerabilities on one machine allows in-depth auditing
- Get rid of duplicate tools
- Focus on the audit report
- Reduce the time to set up the VMware images
- Labs need further tweaking
Future direction
- Remote lab systems
- Split the course into two
- Training of other faculty