NSSA Faculty Involvement in IT Security Auditing at RIT



Similar documents
Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs

Build Your Own Security Lab

Chapter 1 The Principles of Auditing 1

Security Awareness For Server Administrators. State of Illinois Central Management Services Security and Compliance Solutions

ITEC441- IS Security. Chapter 15 Performing a Penetration Test

Demystifying Penetration Testing for the Enterprise. Presented by Pravesh Gaonjur

Information Security Policy

An Introduction to Network Vulnerability Testing

COURSE NAME: INFORMATION SECURITY INTERNSHIP PROGRAM

Understanding Security Testing

By David G. Holmberg, Ph.D., Member ASHRAE

Vulnerability Assessment and Penetration Testing. CC Faculty ALTTC, Ghaziabad

Network Attacks and Defenses

EC-Council Certified Security Analyst / License Penetration Tester (ECSA/LPT) v4.0 Bootcamp

CRYPTUS DIPLOMA IN IT SECURITY

CH ENSA EC-Council Network Security Administrator Detailed Course Outline

A Decision Maker s Guide to Securing an IT Infrastructure

Computer Forensics Training - Digital Forensics and Electronic Discovery (Mile2)

Demystifying Penetration Testing

EC-Council Network Security Administrator (ENSA) Duration: 5 Days Method: Instructor-Led

SECURITY BEST PRACTICES FOR CISCO PERSONAL ASSISTANT (1.4X)

March

CS 356 Lecture 17 and 18 Intrusion Detection. Spring 2013

If you know the enemy and know yourself, you need not fear the result of a hundred battles.

2. From a control perspective, the PRIMARY objective of classifying information assets is to:

WHITE PAPER. An Introduction to Network- Vulnerability Testing

Client logo placeholder XXX REPORT. Page 1 of 37

Security Considerations White Paper for Cisco Smart Storage 1

Certified Ethical Hacker (CEH)

Managing IT Security with Penetration Testing

10- Assume you open your credit card bill and see several large unauthorized charges unfortunately you may have been the victim of (identity theft)

Rapid Vulnerability Assessment Report

DETAILED RISK ASSESSMENT REPORT

!!!!!!!!!!!!!!!!!!!!!!

HIPAA Risk Analysis By: Matthew R. Johnson GIAC HIPAA Security Certificate (GHSC) Practical Assignment Version 1.0 Date: April 12, 2004

ANNEXURE-1 TO THE TENDER ENQUIRY NO.: DPS/AMPU/MIC/1896. Network Security Software Nessus- Technical Details

INFORMATION SECURITY GOVERNANCE ASSESSMENT TOOL FOR HIGHER EDUCATION

EC Council Security Analyst (ECSA)

Presented By: Holes in the Fence. Agenda. IPCCTV Attack. DDos Attack. Why Network Security is Important

Vulnerability Assessment and Penetration Testing

Network Security Administrator

Securing Database Servers. Database security for enterprise information systems and security professionals

Enterprise Cybersecurity Best Practices Part Number MAN Revision 006

How To Protect A Network From Attack From A Hacker (Hbss)

Port Scanning and Vulnerability Assessment. ECE4893 Internetwork Security Georgia Institute of Technology

NETWORK PENETRATION TESTING

Penetration Testing. NTS330 Unit 1 Penetration V1.0. February 20, Juan Ortega. Juan Ortega, juaorteg@uat.edu. 1 Juan Ortega, juaorteg@uat.

Open Source Security Tools

ETHICAL HACKING. By REAL TIME FACULTY

PCI Solution for Retail: Addressing Compliance and Security Best Practices

Network Security. Tampere Seminar 23rd October Overview Switch Security Firewalls Conclusion

a) Encryption is enabled on the access point. b) The conference room network is on a separate virtual local area network (VLAN)

Vinny Hoxha Vinny Hoxha 12/08/2009

Web Application Threats and Vulnerabilities Web Server Hacking and Web Application Vulnerability

Högskolan i Halmstad Sektionen för Informationsvetenskap, Data- Och Elektroteknik (IDÉ) Ola Lundh. Name (in block letters) :

Ed Ferrara, MSIA, CISSP Fox School of Business

Basics of Internet Security

Ethical Hacking Course Layout

Best Practices For Department Server and Enterprise System Checklist

2012 Risk Assessment Workshop

Information Security: A Perspective for Higher Education

Guidelines for Website Security and Security Counter Measures for e-e Governance Project

Consensus Policy Resource Community. Lab Security Policy

Information Security Assessment and Testing Services RFQ # Questions and Answers September 8, 2014

ANTI-HACKER TOOL KIT. ourth Edition

Network Penetration Testing

INTRUSION DETECTION SYSTEMS and Network Security

CS 665: Computer System Security. Network Security. Usage environment. Sources of vulnerabilities. Information Assurance Module

1B1 SECURITY RESPONSIBILITY

Network and Host-based Vulnerability Assessment

modules 1 & 2. Section: Information Security Effective: December 2005 Standard: Server Security Standard Revised: Policy Ref:

Simple Steps to Securing Your SSL VPN

Firewalls. Ola Flygt Växjö University, Sweden Firewall Design Principles

Medical Device Security Health Imaging Digital Capture. Security Assessment Report for the Kodak DryView 8150 Imager Release 1.0.

Network Security Policy

Nessus. A short review of the Nessus computer network vulnerability analysing tool. Authors: Henrik Andersson Johannes Gumbel Martin Andersson

Best Practices for PCI DSS V3.0 Network Security Compliance

Log Management for the University of California: Issues and Recommendations

Windows Operating Systems. Basic Security

This chapter covers the following topics: Why Network Security Is Necessary Secure Network Design Defined Categorizing Network Security Threats How

SonicWALL PCI 1.1 Implementation Guide

Top Three POS System Vulnerabilities Identified to Promote Data Security Awareness

Certified Ethical Hacker Exam Version Comparison. Version Comparison

Penetration Testing Report Client: Business Solutions June 15 th 2015

Architecture. The DMZ is a portion of a network that separates a purely internal network from an external network.

Penetration Testing - a way for improving our cyber security

INTRUSION DETECTION SYSTEM (IDS) by Kilausuria Abdullah (GCIH) Cyberspace Security Lab, MIMOS Berhad

Course: Information Security Management in e-governance. Day 1. Session 5: Securing Data and Operating systems

CEH Version8 Course Outline

Network Security Audit. Vulnerability Assessment (VA)

SCP - Strategic Infrastructure Security

Achieving PCI Compliance Using F5 Products

Course Title: Penetration Testing: Security Analysis

State of New Mexico Statewide Architectural Configuration Requirements. Title: Network Security Standard S-STD Effective Date: April 7, 2005

A43. Modern Hacking Techniques and IP Security. By Shawn Mullen. Las Vegas, NV IBM TRAINING. IBM Corporation 2006

Transcription:

NSSA Faculty Involvement in IT Security Auditing at RIT Daryl Johnson and Yin Pan Rochester Institute of Technology Agenda Motivation challenges A special IT security auditing team Auditing Procedures Techniques and Tools Benefits and our experience Improvements Why think about security? With our great reliance on computers and the Internet, plus the numerous flaws found in most systems, today is the Golden Age of Hacking. Targets Government agencies E-commerce sites, banks and credit-cared processors Companies Universities Risk Tolerance Exposure Reputation Financial loss Employment Freedom Injury Death Threat to family The Attackers --outside threats Organized crime Sensitive data for identity theft or other fraud Terrorists Shut down critical systems, destroy systems or cause potentially life-threatening problem Governments Have active interest in the activities of organizations Competition Hacktivists If your organization does something politically sensitive Hired guns Hired to stealing information or gaining access 1

The Attackers --Insiders Disgruntled employees Clueless employees Customers Attacking suppliers in an attempt to gain sensitive information about other customers or alter prices Suppliers/ Vendors Attack customers Contractors and consultants The Challenge Those in the security arena understand these threats. The challenge is to impart some sense of vulnerability to those outside. Everyone is a target of opportunity Some are a High Valued Target Which are you? How to fight back in this battle? Regulators create a large set of regulations and frameworks in an effort to enforce protection of information, privacy and transparency of information. We need to manage security risks and ensure compliance with information security regulations and industry standards Audit your system and network periodically! Challenges Where to find the auditors with the IT skills required to meet the rapidly increased needs Our university, Rochester Institute of Technology (RIT), faces the same challenge. RIT has a team of professional auditors whose expertise lie in financial audits the auditors lack of technical background of IT audits Our solution Utilizing faculty s auditing and computer security expertise RIT formed an auditing team that was composed of the RIT faculty the auditors the campus security officers Auditing campus wide servers and networks, and systems What is Auditing A methodical examination and review of measuring something against a standard Answer the question, How do you know? Example of audits 2

Objective of Auditing To measure and report on risks Against existing policy within the organization Against existing standards or guidelines, best practices Raise awareness and reduce risks How do we start? Preparation for the auditing Faculty signs confidentiality agreement. Follow the six-step Process for Audit from SANS 6 Step Process for Audit from SANS Audit Planning Meeting Relevant People With The Plan With high level people, Initiating audit Measuring the Systems Preparing the Report Presenting Results Report to Management Audit Planning by faculty and the campus auditors Determining audit objectives and scope identify responsibility Research vulnerabilities and risks Creating checklist Lay out the strategies Determining audit objectives and scope identify responsibility What is our audit goal? Policies for compliance? What should we audit? What is the time period for auditing? Our goal To secure every possible path into our critical systems To prevent the leaking of sensitive data out 3

What to be compliant with? Policies provided by the campus security office to follow Server security standard http://security.rit.edu/articles/serverstandard.pdf Network standard http://security.rit.edu/articles/networkstandard.pdf Industrial best practice Center for Internet Security NIST: http://www.nist.gov/ NSA: http://www.nsa.gov/snac/ SANs:www.san.org Web Standards OWASP: www.owasp.org What should we audit? Reviewing the RIT System Inventory and RIT Logical Network diagram provided by campus Information Technology Support Team Randomly select 5-10 systems, 5-10 servers and 5-10 routers for auditing Audit campus wide modem systems Time period audited Phase I and Phase II Phase I Campus wide modem security audits Require system administration to provide answers to the checklist Phase II Campus wide modem security audits Conduct servers and networks auditing by IT auditors Create Checklist / form The most important step for an auditor in the planning phase What are included in an audit checklist? Statement of purpose/scope (optional) What to measure against Existing corporate policy and procedure or create one Existing audit standards or guidelines Best practices Security guides with technical detail For example, the content to be checked, under which section, reference to the standard How to measure it Create the audit procedure to answer how to measure it References Findings Compliance An example http://www.sans.org/score/checklists/iso_17799_checklist.pdf Creating checklists Faculty and auditors studied the given standards and industrial best practice Meet the chief security officer to discuss the standards clarify, modify, enhance the server and network security standards Create IACA network checklist and IACA Server checklist Lay out the strategies How to provide the team with the confidential information (network diagram, routing configurations) in a secure manner? 4

Measure the systems First, we will discuss the overall approach Secondly, what we have done for our phase I Measuring the systems --Vulnerability assessment-- Specifically answering the question: how do you know? how do we verify? Procedure Starting with physical security Scan networks (wired and wireless) Secure the perimeter such as router, firewall, IDS, etc. Secure the DMZ Audit internal systems Methodologies for measuring systems Different phases of an audit Discovery methods Reconnaissance Network Identification and Penetration Scanning Systems Auditing Servers and Network perimeters auditing Reconnaissance Auditing team schedule at least a couple of days of comprehensive recon work With low-technology Social Engineering Physical break-in Dumpster diving Awareness & Education Search Engine and web-based reconnaissance Tools for Reconnaissance Google Sam Spade: A general purpose reconnaissance client tool Whois databases To find out a registrar for organization based on its domain name InterNIC at www.internic.net/whois.html Outside of USA at www.uwhois.com Nslookup or dig for DNS information Range of IP addresses American Registry for Internet Numbers --Arin www.arin.net Network Identification and Penetration Wireless Access Points -- War driving Modem -- War dialing Network mapping Identifying services with port scanning Vulnerability scanning 5

War driving tools Identifying wireless access points and determining their ESSIDs Wireless side techniques include Active scanning-- NetStumbler Passive scanning -- Wellenreiter and Kismet Forcing de-authentication -- ESSID-Jack Wired side audit Nessus-- plugin 11026, Access point detection Airsnort and WEPCrack Brute forces WEP/RC4 keys War Dialing Approach Dial a collection of telephone numbers attempting to locate modem carriers, etc. Why are we still talking about war dialing? Clueless users connect a modem to their desktop computer in order to access it from home through PC Anywhere for example Give modem access to vendors and service providers to troubleshoot devices remotely via phone when the existing IP network goes down Abandoned and forgotten routers and servers still connect to modems Malicious act purposeful unauthorized access Rogue fax machines War Dialing How to prepare for the audit? Get permission the difference between a hacker and auditor Define the range to dial (remove emergency numbers) When to dial? How often? Test the audit by dialing some known numbers War Dialing tools Tools ToneLoc THC Scan 2.0 (The Hacker s Choice) Runs on platforms w/pc emulation PhoneSweep from SandStorm Enterprises (commercial) Phone Tag ModemScan TBA use a Palm OS War Dialing Results What can be found Modems Secondary dial tones Fax machines Logs warning banner or login prompt for revealing platform information Level of penetration Once you found a bunch of modems, what do you do with them? War Dialing Audit Strong modem and dial-up line policy and procedure Modems identified should be authorized for business use only Scan all telephone lines for authentication and authorization PBX or direct lines from the phone company digital PBX lines VoIP connections perform war dialing periodically Conduct a baseline of the modems within your environment audit the changes to the baseline over time Audit the dial-up banner information 6

Network Audit Secure the DMZ Map the hosts in the DMZ Audit goal: Make sure there are no extra ports open on the DMZ hosts Once you find out the open ports/services, use vulnerability tools to find any possible vulnerabilities associated with these services Network scan directions From outside to eliminate externally accessible vulnerabilities Form inside to eliminate internally accessible vulnerabilities Tools used in network scanning and vulnerability accessment Nmap, scanline, superscan Netstat, fport Nessus Firewalk cheops-ng Perimeter Devices Audit Company policy/procedure review and interviews Perimeter configuration Rule validation and perimeter penetration test From outside From inside Tools Auditing router configuration file -- RAT, SDM Password recovery -- Cain & Abel Auditing rule base -- hping2, nmap Services Auditing DNS, DHCP, SMB, FTP, SMTP, SNMP, SSH, VPN auditing basics Web server and database auditing basics Web server and application audit Web server audit Apache Windows IIS Web applications audit Commercial/free tools AppScan from Firewatch Hailstorm from Cenzic Nikto Brutus 7

Systems Auditing System information logging information Files and permissions data integrity Users, groups, and passwords services and processes Hidden data and rootkits detection Tools used for system auditing Unix/Linux netstat, nmap and lsof for gathering open ports chkrootkit and rkhunter for trojan horse detection tripwire for file integrity assessment John the Ripper for password recovery tara for an overall Unix assessment scan Windows ScanLine, SuperScan, fport for gathering open ports psservice and tasklist for gathering running services information Rootkit revealer for trojan horse detection Cain & Abel, lophtcrack and DumpSec for auditing users/groups and password strength Microsoft Baseline Security Analyzer for overall Windows assessment scan Measure the systems in our phase I Modem audits Propose a war dialing exercise Get the written permission from Administrator of which range of phones to be audit at certain time period. Perform the audit using phonesweep Analyze the result Auditing selected servers and routers with the defined checklists Presenting results To system administrators To Management Things that surprised us SA did not list VMware servers in the check list Using same password on routers Router uses Cisco type 7 encoding Using same admin password on ITS imaged PCs If a question is not addressed in the security standards, the SA refused to answer on these issues Other issues How to securely deliver sensitive data such as router config to auditing team to audit? PGP How to work with SAs? Benefits Through this audit, the professional auditor learned IT auditing technologies Auditor sits in auditing class Faculty members gain real auditing experiences Benefit to college Utilize the existing resources, save cost Security Officer Enhance the security standard 8

Benefits (Con t) Benefit to students Faculty members were able to bring their real auditing experience to the auditing and security courses. The auditing procedures and auditing experience will be added to the auditing course material Invite auditor to the auditing class Future direction Work on phase II How to deal with virtual servers? Work closely with other local companies SCADA included in audit What did we miss? Suggestions and Questions? Contacts Daryl Johnson daryl.johnson@rit.edu Yin Pan yin.pan@rit.edu 9

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information