www.softwareassist.net
Protecting Mainframe and Distributed Corporate Data from FTP Attacks: Introducing FTP/Security Suite
Alessandro Braccia, DBA Sistemi
XXVIII Annual Conference of CMG-Italia
Milan - 28 May 2014
Rome – 29 May 2014

Agenda
• About SAC
• The Problem
• How Attackers Operate
• Popular Hacking Tools
• FTP Issues
• What the Products do – and how
• Conceptual Overview
• Why are our products important?

About SAC
• Founded in 1990
• Developed a number of very successful products
• Until now purely development company
• Products were private labeled by other companies, for ex:
  • AF/Operator: Candle Corporation (now IBM)
  • TapeSaver: Mobius Management Systems (now Unicom)
• These products have been sold or moved to subsidiaries
• Focus on the FTP/Security Suite
  • Establishing Worldwide Partner Network

The Problem
• Complex problem, lack of understanding in market place
• Big vendors focus security discussion on their products
• Most attacks never make it to the press – do not educate the market
• Customers often:
  • Do not know how hackers operate
  • Spend a lot of money on some solutions
  • Lack tools in other (important) areas
• Result: Companies don’t even know they were attacked or notice it many months later – and don’t know what was taken

How attackers operate
• Attackers can be Hobbyists, Amateurs or Professionals
• Use automated tools
  • Attack weaknesses in common Tools and Protocols
  • Prefer those that are not typically monitored
• Prime Target: FTP
  • The world’s most common data interchange protocol, including corporate IT
  • Customers forget they use it, no one responsible
  • No Management / Monitoring Tools
  • By default attacks are typically not logged
  • Attack tools available on internet, instructions on YouTube

Popular FTP Hacking Tools
• THC-Hydra (http://www.thc.org/thc-hydra)
• Medusa (http://foofus.net/goons/jmk/medusa/medusa.html)
• Ncrack (http://nmap.org/ncrack)
• Brutus (http://www.hoobie.net/brutus)

Search “Hack FTP” on YouTube

Where is FTP used?
• With External Partners
  • Often hosting sensitive data
• On Web Servers
  • Providing access to the corporate web site and other resources
• As departmental data interchange tool
  • Often deployed without IT’s knowledge & involvement
  • Typically extremely vulnerable due to lack of security
• In the Data Center
  • Server <-> Server and Server <-> Mainframe data transfer

FTP Issues
• Don’t know where they use FTP – and how much
• No Tools to monitor and audit FTP usage
  • Lack of compliance
  • Not able to detect attacks
  • Not able to determine what was taken
• Not sufficiently protected against FTP attacks
  • Firewalls and IDS (Intrusion Detection Systems) cannot do it

Intrusion Detection Systems
• Designed primarily to detect intrusions from outside
  • Malicious employees and contractors are a common threat
• Looks for anomalies in network traffic
• Does not understand the network protocols it looks at
• Recognizes brute force attacks by frequency, not content
• Can be circumvented easily

The FTP/Security Suite
• FTP/Auditor: FTP Server discovery
  • Where is FTP running, how is it secured?
• FTP/Sentry: Real-Time monitoring and alerting
  • What is happening? What problems are occurring?
• Sentry Desktop: Auditing and historical analysis
  • Who accessed which files - when and from where?
  • Exceptions and Alerts
• FTP/Armor: Securing FTP Servers
  • Detects attacks, alerts IT staff and blocks intruders
  • Complements Intrusion Detection Systems
• FTP/Guardian: Integrates Mainframe FTP with Mainframe Security

Conceptual Overview
[Diagram: Remote Agents, Real Time Monitor, FTP Activity DB (SQL Server), Sentry Desktop]

Typical FTP Attack
User: Administrator
Password: AAAAA
Password: AAAAB
Password: AAABA
Password: AAABB
……
IP n.n.n.n

FTP Attack with FTP/Sentry
[Diagram: Real Time Monitor, FTP Activity DB (SQL Server)]
User: Administrator
Password: AAAAA
Password: AAAAB
Password: AAABA
Password: AAABB
……
IP n.n.n.n

FTP Attack with FTP/Sentry
[Diagram: Real Time Monitor, Alert, Sentry Desktop, Console]
User: Administrator
Password: AAAAA
Password: AAAAB
Password: AAABA
Password: AAABB
……
IP n.n.n.n

FTP Attack with FTP/Sentry
[Diagram: Real Time Monitor, Remote Agents]
User: Administrator
Password: AAAAA
Password: AAAAB
Password: AAABA
Password: AAABB
……
IP n.n.n.n
BLOCK IP n.n.n.n
BLOCK IP n.n.n.n
BLOCK IP n.n.n.n

FTP Attack with FTP/Sentry
[Diagram: Remote Agents]
User: Administrator
Password: AAAAA
Password: AAAAB
Password: AAABA
Password: AAABB
……
IP n.n.n.n
Connection refused
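
The detect, alert and block decision shown in the attack slides, as an added example that is not part of the presentation and is not SAC's product code. It reads FTP login results per source IP, marks an address for blocking once failed logins reach a threshold inside a time window, and reports any account that then logs in successfully. The record format, the sample data, WINDOW and THRESHOLD are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)  # assumed sliding window
THRESHOLD = 4                   # assumed: failed logins per IP inside WINDOW

# Constructed audit records: "<ISO time> <client IP> <user> <FTP reply to PASS>"
# 230 = user logged in, 530 = not logged in (RFC 959 reply codes).
SAMPLE_LOG = """\
2014-05-28T10:00:00 203.0.113.5 backup 230
2014-05-28T10:00:05 203.0.113.9 jsmith 530
2014-05-28T10:00:09 203.0.113.9 jsmith 230
2014-05-28T10:00:10 198.51.100.7 Administrator 530
2014-05-28T10:00:11 198.51.100.7 Administrator 530
2014-05-28T10:00:12 198.51.100.7 Administrator 530
2014-05-28T10:00:13 198.51.100.7 Administrator 530
2014-05-28T10:00:14 198.51.100.7 Administrator 230
"""


def analyze(log_text, window=WINDOW, threshold=THRESHOLD):
    """Return (to_block, compromised) from login audit records.

    to_block:    {ip: time the failure threshold was reached}
    compromised: [(user, ip, time)] successful logins that ended a burst
    """
    failures = defaultdict(deque)  # ip -> times of recent 530 replies
    to_block, compromised = {}, []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # ignore malformed records
        stamp, ip, user, reply = fields
        when = datetime.fromisoformat(stamp)
        recent = failures[ip]
        while recent and when - recent[0] > window:
            recent.popleft()  # expire failures older than the window
        if reply == "530":
            recent.append(when)
            if len(recent) >= threshold:
                to_block.setdefault(ip, when)
        elif reply == "230":
            if len(recent) >= threshold:
                compromised.append((user, ip, when))
            recent.clear()  # a clean login resets the counter
    return to_block, compromised


if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

A single mistyped password followed by a good login (jsmith in the sample) stays below the threshold and is not reported.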

Why are our products so important?
• Without them our Customers would not:
  • Know which servers are vulnerable through running FTP
  • Be protected against FTP attacks
  • Be able to notice an attack
    • what ID was compromised and
    • what was taken
  • Be able to audit WHEN WHO accessed WHAT from WHERE
  • Have operational visibility and control of their FTP infrastructure

Interesting Studies & Reports
• Carnegie Mellon Software Engineering Institute: ‘Insider Threat Study: Illicit Cyber Activity Involving Fraud in the U.S. Financial Services Sector’
• Key Findings:
  • An average of 32 months elapsed between the beginning of the fraud and its detection by the victim organization
  • “The insiders’ means were not especially sophisticated” – the fraud was possible due to lack of controls/security, not the skills of the perpetrators

Interesting Studies & Reports
• Forrester: ‘Understand The State Of Data Security And Privacy: 2012 To 2013’
• Key Findings:
  • Intentional Data Theft accounts for 45% of all Data Breaches
  • 33% of Intentional Data Theft is committed by Malicious Insiders
  • 66% of Intentional Data Theft is committed by External Attacks

Interesting Studies & Reports
• Ponemon Institute: ‘2012 Cost of Cyber Crime Study: United States’
• Key Findings:
  • Average cost of a data breach in the US is $8,933,510
  • Certain industries, such as Financial Services, experience higher cost
  • The companies in the study experienced an average of 1.8 successful attacks per week

Questions?