10 Application and Network Security and security testing
IT Governance CEN 667
Project proposal (week 4)

The goal of the projects is to find applicable measurement and metric methods to improve processes:
- for the 27000 series of standards, 27001 and 27004
- for ITIL
- for Business Continuity and BS 25999
- for Disaster Recovery
- for Penetration testing
- for Operational and Security Incident management
- for Risk Management
- a secure method for visual authentication
- mobile security access with speech recognition
- other, agreed with the lecturer

- Literature review on the selected topic, between 500 and 1000 words
- Proposal for improvements of the chosen method, approach or technique, up to 2000 words
- List of references
- Document prepared in two columns, as it should be prepared for the conference paper
- Weekly report on updates
Project proposal (week 11)

Candidate        | Topic                                                                                                   | Literature review draft | Paper | Proposed corrections (week?)
Azizah Ibrahim   | Mobile IPv6 handover packet loss avoidance                                                              | NO              | NO    | NO
Emina Aličković  | A Novel Intrusion System Based on Support Vector Machines                                               | NO              | NO    | NO
Jasmin Kevrić    | Algorithm improvement for the network anomaly detection using improved KDD 2009                         | NO              | NO    | NO
Adnan Miljković  | Implementation of two factor authentication for web application                                         | YES (463 words) | NO    | NO
Fatih Ozturk     | Evolutionary Computation Method Application for Network Intrusion Detection System using Real Network Data | NO           | NO    | NO
Tarik Kraljić    | NO                                                                                                      | NO              | NO    | NO
Adnan Kraljić    | NO                                                                                                      | NO              | NO    | NO
Lectures Schedule

Week 1   Introduction to IT governance
Week 2   Overview of Information Security standards - ISO 27000 series of standards (27001, 27002, 27003, 27004, 27005)
Week 3   Information Technology Service management, ISO 20000-1 and ISO 20000-2
Week 4   ITIL
Week 5   Business Continuity and BS 25999-1 and BS 25999-2
Week 6   Disaster Recovery
Week 7   COBIT
Week 8   Project implementation (ISO 10006 and ISO 27003)
Week 9   Midterm
Week 10  Risk Management (ISO 27005)
Week 11  Application and Network Security and security testing
Week 12  Specific Requirements and Controls Implementation (ISO 27002)
Week 13  Operational and Security Incident management
Week 14  Performance Measurement and Metrics (ISO 27004)
Week 15  Audit (ISO 19011) and the Plan-Do-Check-Act improvement cycle
System Development Life Cycle
System Development Life Cycle

1. Initiation: the system is described in terms of its purpose, mission, and configuration.
2. Development and Acquisition: the system is possibly contracted and constructed according to documented procedures and requirements.
3. Implementation and Installation: the system is installed and integrated with other applications, usually on a network.
4. Operational and Maintenance: the system is operated and maintained according to its mission requirements.
5. Disposal: the system's lifecycle is complete and it is deactivated and removed from the network and active use.
When is Network Security Testing done?

It is done after the system has been developed, installed and integrated, during the Implementation and Operational stages.
Tools and Techniques for Network Security

- Network Scanning
- Vulnerability Scanning
- Password Cracking
- Log Reviews
- War Dialing
- Wireless LAN Testing (War Driving)
- Penetration Testing
Network Scanning

- Scan for connected hosts
- Scan for services running on the host
- Scan for which applications are running those services

How does scanning take place?
- Ping the hosts using ICMP ECHO and Reply.
- Look for open TCP/UDP ports.
- Operating system fingerprinting. Not reliable, as firewalls can be configured to camouflage the operating system.
Network Scanning

- Vulnerabilities of IIS differ from those of Apache.
- Listen on the remote port.
- Banner grabbing.
- A human is needed to interpret the results.
- Preparation for penetration testing.
Network Scanning Results

- Investigate and disconnect unauthorized hosts
- Disable or remove unnecessary and vulnerable services
- Modify vulnerable hosts to restrict access to vulnerable services to a limited number of required hosts (e.g., host level firewall or TCP wrappers), and
- Modify enterprise firewalls to restrict outside access to known vulnerable services.
Vulnerability Scanning

- Takes network scanning one step further.
- Maintains a database of vulnerabilities in operating systems.
- Generates more traffic than port scanners.
- Network based scanners.
- Host based scanners.
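The three scanning slides above describe a pipeline: scan for hosts and open ports, grab banners, match them against a vulnerability database, then act on the results (disconnect, disable, restrict). The following script is an added example, not code from the lecture or from any scanner vendor, showing that pipeline end to end on constructed data. It parses scan results written in the style of nmap's grepable (-oG) output (the field layout is assumed from that tool; the lines here are made-up sample data), looks each service banner up in a small constructed vulnerability table, and emits one of the three remediation actions the slides list.

```python
"""Reconcile a network scan against an authorized inventory.

Added example, not from the lecture slides or any scanner vendor. Parses scan
results in nmap -oG style (format assumed; sample data constructed), matches
service banners against a constructed vulnerability table, and turns the
result into the actions the slides list: disconnect unauthorized hosts,
disable unneeded services, restrict access to vulnerable ones.
"""
import re
from dataclasses import dataclass, field

# Constructed scan output, nmap -oG style: one host per line, port entries
# "port/state/proto/owner/service/rpcinfo/version/" separated by ", ".
SCAN_OUTPUT = """\
Host: 10.0.0.5 (web01)\tPorts: 22/open/tcp//ssh//OpenSSH 7.4/, 80/open/tcp//http//Apache httpd 2.4.6/
Host: 10.0.0.9 (fs01)\tPorts: 22/open/tcp//ssh//OpenSSH 8.2/, 23/open/tcp//telnet//Linux telnetd/
Host: 10.0.0.77 ()\tPorts: 445/open/tcp//microsoft-ds//, 3389/open/tcp//ms-wbt-server//
"""

# Constructed authorized inventory: ip -> approved (port, service) pairs.
INVENTORY = {
    "10.0.0.5": {(22, "ssh"), (80, "http")},
    "10.0.0.9": {(22, "ssh")},
}

# Constructed stand-in for a scanner's vulnerability database: product string
# prefix -> note. A real database keys on exact version ranges.
VULN_DB = {
    "Apache httpd 2.4.6": "outdated httpd build (sample entry)",
    "Linux telnetd": "cleartext logins over telnet (sample entry)",
}

HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\s+Ports:\s+(.*)$")


@dataclass
class Service:
    port: int
    state: str
    proto: str
    name: str
    version: str


@dataclass
class Host:
    ip: str
    hostname: str
    services: list = field(default_factory=list)


def parse_scan(text):
    """Parse -oG style lines into Host objects; unparseable lines are skipped."""
    hosts = []
    for line in text.splitlines():
        m = HOST_RE.match(line.strip())
        if not m:
            continue
        host = Host(m.group(1), m.group(2))
        for entry in m.group(3).split(", "):
            fields = entry.strip().rstrip("/").split("/")
            if len(fields) < 5:  # need at least port/state/proto/owner/service
                continue
            version = fields[6] if len(fields) > 6 else ""
            host.services.append(
                Service(int(fields[0]), fields[1], fields[2], fields[4], version))
        hosts.append(host)
    return hosts


def reconcile(hosts, inventory, vuln_db):
    """Return (ip, action, detail) tuples; one host may yield several."""
    actions = []
    for h in hosts:
        if h.ip not in inventory:
            actions.append((h.ip, "disconnect", "host not in authorized inventory"))
            continue
        approved = inventory[h.ip]
        for s in h.services:
            if s.state != "open":
                continue
            if (s.port, s.name) not in approved:
                actions.append((h.ip, "disable", f"{s.port}/{s.proto} {s.name} not approved"))
            # Banner matched a known-vulnerable product: restrict who can reach it
            # (host firewall / TCP wrappers) until it is patched or removed.
            for product, note in vuln_db.items():
                if s.version.startswith(product):
                    actions.append((h.ip, "restrict", f"{s.port}/{s.proto} {s.version}: {note}"))
    return actions


if __name__ == "__main__":
    for ip, action, detail in reconcile(parse_scan(SCAN_OUTPUT), INVENTORY, VULN_DB):
        print(f"{ip:12} {action:10} {detail}")
```

The prefix match on the version string is deliberately crude; it is where the slide's warning that a human must interpret the results applies, since banners can be absent, faked, or backported, and a real vulnerability scanner cross-checks with probes rather than trusting the banner alone.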
Log Reviews

- Dynamic picture of system activities.
- Conformance with the security policies.
- IDS sensors placed behind the firewall.
- Change firewall policies.
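The slide says log review gives a dynamic picture of activity and checks conformance with policy, but not what that looks like in practice. The script below is an added example, not from the slides, that does both over a handful of constructed firewall log lines: it flags a source that touches many distinct ports on one host in a short window (the kind of scan the earlier slides describe, seen from the defender's side) and lists accepted inbound connections that the written policy does not permit. The line format imitates Linux netfilter kernel messages as forwarded by syslog; the "FW-DROP"/"FW-ACCEPT" prefixes, the allowed-port policy and the scan threshold are all assumptions for this illustration.

```python
"""Review firewall logs for scan activity and policy conformance.

Added example, not from the slides. Log lines are constructed in the style of
Linux netfilter (iptables LOG target) messages; prefixes, policy and
thresholds are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: a 5-port sweep, an accepted telnet login from
# outside, and ordinary HTTPS traffic.
LOG_LINES = """\
Mar 11 09:00:01 fw kernel: FW-DROP IN=eth0 OUT= SRC=203.0.113.7 DST=10.0.0.5 PROTO=TCP SPT=44321 DPT=21
Mar 11 09:00:01 fw kernel: FW-DROP IN=eth0 OUT= SRC=203.0.113.7 DST=10.0.0.5 PROTO=TCP SPT=44322 DPT=22
Mar 11 09:00:01 fw kernel: FW-DROP IN=eth0 OUT= SRC=203.0.113.7 DST=10.0.0.5 PROTO=TCP SPT=44323 DPT=25
Mar 11 09:00:02 fw kernel: FW-DROP IN=eth0 OUT= SRC=203.0.113.7 DST=10.0.0.5 PROTO=TCP SPT=44324 DPT=110
Mar 11 09:00:02 fw kernel: FW-DROP IN=eth0 OUT= SRC=203.0.113.7 DST=10.0.0.5 PROTO=TCP SPT=44325 DPT=143
Mar 11 09:00:03 fw kernel: FW-ACCEPT IN=eth0 OUT= SRC=203.0.113.7 DST=10.0.0.9 PROTO=TCP SPT=44330 DPT=23
Mar 11 09:05:00 fw kernel: FW-ACCEPT IN=eth0 OUT= SRC=198.51.100.4 DST=10.0.0.5 PROTO=TCP SPT=51000 DPT=443
Mar 11 09:07:10 fw kernel: FW-DROP IN=eth0 OUT= SRC=198.51.100.4 DST=10.0.0.5 PROTO=UDP SPT=5353 DPT=53
"""

LINE_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d+)\s+(?P<time>\d\d:\d\d:\d\d)\s+\S+\s+kernel:\s+"
    r"(?P<verdict>FW-\w+)\s+.*?SRC=(?P<src>\S+)\s+DST=(?P<dst>\S+)\s+"
    r"PROTO=(?P<proto>\w+)(?:\s+SPT=\d+)?\s+DPT=(?P<dpt>\d+)")

# Policy (assumed): only these inbound services may be accepted from outside.
ALLOWED_INBOUND = {("TCP", 80), ("TCP", 443)}


def parse_log(text):
    """Return a list of event dicts; lines that do not match are ignored."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # Syslog timestamps carry no year; relative ordering is all we need here.
        ts = datetime.strptime(f"{m['mon']} {m['day']} {m['time']}", "%b %d %H:%M:%S")
        events.append({"ts": ts, "verdict": m["verdict"], "src": m["src"],
                       "dst": m["dst"], "proto": m["proto"], "dpt": int(m["dpt"])})
    return events


def detect_scans(events, threshold=5, window_seconds=60):
    """Flag (src, dst, port_count) where one source touched >= threshold
    distinct destination ports on one host within the window."""
    by_pair = defaultdict(list)
    for e in events:
        by_pair[(e["src"], e["dst"])].append((e["ts"], e["dpt"]))
    window = timedelta(seconds=window_seconds)
    alerts = []
    for (src, dst), hits in by_pair.items():
        hits.sort()
        for i, (t_end, _) in enumerate(hits):
            ports = {p for t, p in hits[: i + 1] if t >= t_end - window}
            if len(ports) >= threshold:
                alerts.append((src, dst, len(ports)))
                break
    return alerts


def check_policy(events, allowed=ALLOWED_INBOUND):
    """Return accepted inbound connections that the policy does not permit."""
    return [(e["src"], e["dst"], e["proto"], e["dpt"]) for e in events
            if e["verdict"] == "FW-ACCEPT" and (e["proto"], e["dpt"]) not in allowed]


if __name__ == "__main__":
    evts = parse_log(LOG_LINES)
    for src, dst, n in detect_scans(evts):
        print(f"scan: {src} -> {dst} touched {n} ports")
    for src, dst, proto, dpt in check_policy(evts):
        print(f"policy violation: accepted {proto}/{dpt} from {src} to {dst}")
```

The policy check is the part that feeds the slide's last bullet: an accepted connection that the policy forbids is direct evidence that the firewall rule set and the written policy have drifted apart, which is the trigger for changing the firewall rules.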
War Dialing

- Finds unauthorized modems.
- Dialing software can dial hundreds of numbers in a short time.
- Block inbound calls to the identified numbers if it is not possible to remove the modems.
War Driving

- Wireless default configuration is insecure.
- Drive test: only a wireless network card and testing tools are needed.
- Frequency of testing.
Security Penetration Services

- Goal: help organizations secure their systems
- Skill set: equivalent to system administrators
- Record keeping & ethics
Penetration Testing

It is a method of getting into the system by using the techniques used by an attacker. The testing agreement should specify:
- Specific IP addresses/ranges to be tested
- Any restricted hosts (i.e., hosts, systems, subnets not to be tested)
- A list of acceptable testing techniques (e.g. social engineering, DoS, etc.) and tools (password crackers, network sniffers, etc.)
- Times when testing is to be conducted (e.g., during business hours, after business hours, etc.)
- Identification of a finite period for testing
- IP addresses of the machines from which penetration testing will be conducted, so that administrators can differentiate the legitimate penetration testing attacks from actual malicious attacks
- Points of contact for the penetration testing team, the targeted systems, and the networks
- Measures to prevent law enforcement being called with false alarms (created by the testing)
- Handling of information collected by the penetration testing team
Penetration Testing

- Blue Teaming
- Red Teaming
Phases of Penetration Testing
Phases of Penetration Testing

- Planning phase: goals are set and permission is obtained. No testing.
- Discovery phase: testing starts. Port scanning is used to identify the vulnerabilities.
- Executing the attack: exploit the vulnerabilities.
Announced vs. Unannounced Penetration Testing

Announced testing
- Pros: efficient; team oriented
- Cons: holes may be fixed as discovered and block further penetration; false sense of security

Unannounced testing
- Pros: greater range of testing
- Cons: response may block further penetration; requires a strict escalation process; impact on operations
Rules of Engagement

- Type of attacks allowed (no DoS)
- Off-limits machines & files (passwords)
- Designated machines or networks
- Test plan
- Contacts
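The scope list on the earlier Penetration Testing slide and the Rules of Engagement slide above describe a written agreement; in practice the team benefits from encoding it so that every action is checked against it before it runs. The following is an added example, not from the slides or any testing framework, that encodes the items both slides list (target ranges, restricted hosts, allowed techniques, testing window, declared tester source addresses) and reports every rule a proposed action would break. It handles the one awkward case in such agreements, a testing window such as 18:00 to 06:00 that crosses midnight. All addresses, times and technique names are constructed sample values.

```python
"""Validate a planned test action against written rules of engagement.

Added example, not from the slides. Encodes the scope items the slides list
and returns every rule an action would break. All values are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, time
import ipaddress


@dataclass(frozen=True)
class RulesOfEngagement:
    target_ranges: tuple          # ip_network objects that may be tested
    restricted_hosts: frozenset   # ip_address objects that must never be touched
    allowed_techniques: frozenset
    window_start: time            # testing window, local time; may cross midnight
    window_end: time
    tester_sources: frozenset     # ip_address objects tests must originate from


# Constructed sample agreement: one /24 in scope, one host off-limits,
# testing only after business hours, from a single declared tester address.
SAMPLE_ROE = RulesOfEngagement(
    target_ranges=(ipaddress.ip_network("10.0.0.0/24"),),
    restricted_hosts=frozenset({ipaddress.ip_address("10.0.0.10")}),
    allowed_techniques=frozenset({"port scan", "vulnerability scan"}),
    window_start=time(18, 0),
    window_end=time(6, 0),
    tester_sources=frozenset({ipaddress.ip_address("192.0.2.50")}),
)


def in_window(start, end, when):
    """True if the clock time of `when` lies in [start, end), including
    windows that cross midnight (e.g. 18:00 to 06:00)."""
    t = when.time()
    if start <= end:
        return start <= t < end
    return t >= start or t < end


def check_action(roe, target_ip, technique, source_ip, when):
    """Return the list of rules the action breaks; an empty list means in scope.

    `when` may be a datetime or an ISO 8601 string such as "2024-03-11T20:00".
    """
    if isinstance(when, str):
        when = datetime.fromisoformat(when)
    reasons = []
    target = ipaddress.ip_address(target_ip)
    source = ipaddress.ip_address(source_ip)
    if not any(target in net for net in roe.target_ranges):
        reasons.append(f"target {target} is outside the agreed ranges")
    if target in roe.restricted_hosts:
        reasons.append(f"target {target} is on the restricted list")
    if technique not in roe.allowed_techniques:
        reasons.append(f"technique '{technique}' is not permitted")
    if source not in roe.tester_sources:
        reasons.append(f"source {source} is not a declared tester address")
    if not in_window(roe.window_start, roe.window_end, when):
        reasons.append(f"{when:%H:%M} is outside the testing window")
    return reasons


if __name__ == "__main__":
    for args in [("10.0.0.5", "port scan", "192.0.2.50", "2024-03-11T20:00"),
                 ("10.0.0.10", "denial of service", "192.0.2.50", "2024-03-11T12:00")]:
        verdict = check_action(SAMPLE_ROE, *args) or ["in scope"]
        print(args[0], "->", "; ".join(verdict))
```

Returning every broken rule rather than stopping at the first one matters for the report: the points of contact on both sides want to see the whole reason an action was refused, and the declared source address check is what lets administrators tell the test apart from a real attack, as the earlier slide notes.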
Penetration Testing Phases

- Footprint
- Scanning/Probing
- Enumeration
- Gain Access
- Escalate Privileges
- Exploit
- Cover Tracks
- Create Backdoors
Footprinting

- Profile the target passively: address blocks, Internet IP addresses, administrators
- Techniques: Googling, Whois lookups
Scanning/Probing: nmap

- Active probing
- NMAP port scanner, www.insecure.org
- Discovers: available hosts, ports (services), OS & version, firewalls, packet filters
Scanning/Probing: nessus

- www.nessus.org
- Vulnerability scanning: common configuration errors, default configuration weaknesses, well-known vulnerabilities
Enumeration: hackbot

- Identify accounts, files & resources
- ws.obit.nl/hackbot
- Finds: CGI services, X connection check
Gaining Access: packet captures

- Eavesdropping
- Ethereal, www.ethereal.com
Physical Access

- Boot loader & BIOS vulnerabilities: a GRUB loader with no password allows a hacker to boot into single-user mode with root access
- Password crackers: John the Ripper, Crack
Wireless Security

- War driving with a directional antenna
- Wired Equivalent Privacy (WEP) vulnerabilities
- Penetration tools: WEPcrack, AirSnort
Counter Measures 1

- Apply the latest patches.
- Change default settings/options.
- Set up passwords and protect your password file.
- Install anti-virus software and keep it updated.
Counter Measures 2

- Install only required software; open only required ports.
- Maintain a good backup.
- Set a BIOS password, a system loader password, and any other passwords that are necessary.
- Have a good emergency plan.
Counter Measures 3

- Monitor your system if possible.
- Have a good administrator.
Software Testing

- Application fulfills functional requirements
- Dynamic, functional tests late in the SDLC
- Contextual information
Security Testing

- Look for unexpected but intentional misuse of the system
- Must test for all potential misuse types, using:
  - Architectural risk analysis results
  - Abuse cases
- Verify that:
  - All intended security features work (white hat)
  - Intentional attacks cannot compromise the system (black hat)
Penetration Testing

- Testing for the negative: what must not exist in the system
- Difficult: how to prove non-existence?
- If penetration testing does not find errors, then:
  - We can conclude that, under the given circumstances, no security faults occurred
  - Little assurance that the application is immune to attacks
  - A feel-good exercise
Penetration Testing Today

- Often performed
- Applied to finished products
- Outside-in approach
- Late SDLC activity
- Limitation: too little, too late
Late-Lifecycle Testing

Limitations:
- Design and coding errors are discovered too late
- Higher cost than earlier, design-level detection
- Options to remedy discovered flaws are constrained by both time and budget

Advantages:
- Evaluates the system in its final operating environment
Success of Penetration Testing

- Depends on the skill, knowledge, and experience of the tester
- Important: result interpretation
- Disadvantages of penetration testing:
  - Often used as an excuse to declare victory and go home
  - Everyone looks good after negative testing results
Testing Process

- External testing: across the Internet. Simulates the attacker's environment. Gathers information related to remote access, IP addresses, open ports, allowed services, etc. Tools to support it.
- Internal testing: onsite. View of the system behind the external perimeter. Software penetration testing tools attempt to exploit vulnerabilities.
Testing Activities

- Scoping: assessing the target system
- Discovery: building information about the system (offline and online activities)
- Vulnerability scanning: testing system components
- Target penetration: within testing parameters
- Analysis: of the results of the previous stages
- Reporting: detailed findings and recommendations
Software Penetration Testing

- Marketing, managerial, industry production line, etc.
- Needs tools
- Test more than once
- Needs knowledge of risk analysis
- Feedback to real-life progress
Testing and Application Context

- Organizations: how to update legacy systems with security capabilities
- Application-specific risk
Is Penetration Testing Worth It?

Schneier, http://schneier.com/blog/archives/2007/05/is_penetration.html

Opinions:
- Penetration testing is essential for network security
- Penetration testing is a waste of time and money

What is the goal of penetration testing? Finding too many vulnerabilities: how to fix them all?

Useful penetration testing:
- Find vulnerabilities you're going to fix
- Persuade managers to invest in security
Future Improvements

- Correction of weaknesses uncovered by the penetration exercise
- Automate and customize the penetration test process
- Use of intrusion detection systems
- Use of honeypots and honeynets
Bibliography

- Klevinsky et al. Hack I.T.: Security Through Penetration Testing. ISBN 0-201-71956-8.
- McClure et al. Hacking Exposed: Network Security Secrets and Solutions, 2nd edition. ISBN 0-07-222742-7.
- Sage, Scott & Lear, Lt. Col. Tom. A Penetration Analysis of UCCS Network Lab Machines, March 2003. UCCS course CS691c.
- Warren Kruse et al. Computer Forensics. ISBN 0-201-70719-5.
- Ed Skoudis et al. Counter Hack. ISBN 0-13-033273-9.
- Lance Spitzner et al. Honeypots. ISBN 0-321-10895-7.
- Retina network security scanner, http://www.eeye.com/html/products/retina/index.html
Conclusion

- Acceptable use guidelines (e.g., what is acceptable use of organization computing and network resources)
- Roles and responsibilities (for users, administrators, management)
- Authentication (e.g., passwords, biometrics)
- Availability of resources (redundancy, recovery, backups)
- Compliance (consequences and penalties)