knowthyself : Internal IT Security in SA

KNOW THY SELF, charl v d walt, July 2000: Internal IT Security in SA, Problems & Solutions

Description

Presentation by Charl van der Walt and Roelof Temmingh at IIR in 2000. The presentation begins with a discussion on global risks, threats, internal risk and security assessments. Steps to building a strong security culture within an organization are discussed. The presentation ends with a brief overview of intrusion detection systems and their use in internal security.

Transcript of knowthyself : Internal IT Security in SA

Page 1: knowthyself : Internal IT Security in SA

KNOW THY SELF
charl v d walt

July 2000

Internal IT Security in SA: Problems & Solutions

Page 2: knowthyself : Internal IT Security in SA

KNOW THY SELF, IIR National Summit

charl van der walt, July 2000

Agenda

1. Introduction

2. Considering the global Risk

3. Understanding your own Risk

4. Case Study

5. Setting the Stage

6. Implementing Solutions

7. The role and value of IDS

8. Questions

Page 3: knowthyself : Internal IT Security in SA


Introduction

• About me

• About Roelof

• SensePost

• Objective

• Approach

• References:

– http://wips.sensepost.com/knowthyself.zip

– http://www.sensepost.com

[email protected]

[email protected]

Page 4: knowthyself : Internal IT Security in SA


Understanding the global Risk

• What we know:

– There is a threat to our Information Resources

– The threat has direct financial implications

– The threat is growing

– A large part of the threat is internal

– There are a number of distinguishable trends

• http://www.gocsi.com/prelea990301.htm

• http://www.saps.org.za

• What we don’t know:

– How accurate are the statistics?

– Are international statistics relevant in SA?

– What does this all mean to me?

Page 5: knowthyself : Internal IT Security in SA


Universal Threats

• Data Confidentiality

– Information is the currency of business today

• Customers, Strategy, Financials, HR, Personal

• Data Integrity

– The accuracy and reliability of the information

• Determines the value of information

• Reputation / Credibility

– The market’s perception of your competence

• Web site defacement

• Denial of Service

– Prevent a system from performing its intended function

• EBay, Yahoo, Edgars

Page 6: knowthyself : Internal IT Security in SA

Agenda (section divider; repeats the Page 2 agenda before item 3, Understanding your own Risk)

Page 7: knowthyself : Internal IT Security in SA


Understanding your own Risk

• What is Risk?

– Valuable resources + exploitable technology

• What is “Secure”?

– When the financial losses incurred are at an acceptable level

• Your “Risk-Profile”:

– The value of your Information

– The degree of technological vulnerability

– A level of loss that is acceptable to you

Unique to your organisation. Today.

• The value of surveys and statistics

– Highlight the existence of threats

– Indicate trends and phases

– Create an awareness

Page 8: knowthyself : Internal IT Security in SA


Your own unique risk profile

• IT Security Assessment

– Make informed decisions on how to spend

• Time

• Money

• People

• An effective assessment:

– Independent and Objective

– Business aware but technology focused

– Prove its worth

– Concrete, practical recommendations

– Finite

– Honest

– Recursive...

Page 9: knowthyself : Internal IT Security in SA


Recursive Security Assessments

• Delta Testing

– Monitor the effect of changes

• New exploits and vulnerabilities

– Staying secure in a global battlefield

• Improved Methodologies

– Tools, techniques, philosophies etc.

• Innovation

– A chance to get to know you

• Extended Scope

– There’s never enough time

• Enhanced Scope

– Moving toward a zero-default environment...

Page 10: knowthyself : Internal IT Security in SA

Agenda (section divider; repeats the Page 2 agenda before item 4, Case Study)

Page 11: knowthyself : Internal IT Security in SA


Welcome to the case study

• Mind of the cybercriminal

– journal style, informal

– methodology

• Sensitivity

– examples only

• Effort vs Exposure

roelof temmingh

Page 12: knowthyself : Internal IT Security in SA


CAT5 from me to you

• Obtaining an IP on the internal network

– already have one

– RAS

– the little black box concept

– walking in with a notebook

– Trojans

– splicing copper

roelof temmingh

Page 13: knowthyself : Internal IT Security in SA


Get to know your neighbours

• The difference between MS and services network

– MS network is a service (File Sharing)

– Other services - FTP, HTTP, SQL, SMTP servers.

• Intelligence gathering

– Protocols

– Services

– Identify important hosts

– Ping sweep

roelof temmingh

Page 14: knowthyself : Internal IT Security in SA


Easy cash

• The guy next to you

• Microsoft network

– network neighbourhood

– shares are published

• Services network

– Anonymous FTP, webpages

roelof temmingh

Page 15: knowthyself : Internal IT Security in SA


Scratching the surface

• Your wannabe admin

• Microsoft network

– password guessing

– offline cracking

– real time cracking

• Service network

– sniffing the network (SMTP, POP3, FTP)

– default passwords

– password guessing (known services)

– portscanning

roelof temmingh

Page 16: knowthyself : Internal IT Security in SA


Knocking on the door

• Your (closet hacker) admin

• Microsoft network

– user enumeration

– brute force id/password

• Service network

– vulnerability scanners

– customized for ports (IDS!)

– scans for known product problems

– commercial (ISS, CyberCop)

– share/freeware (Nessus, whisker)

roelof temmingh

Page 17: knowthyself : Internal IT Security in SA


Blowing the door down

• Your previous administrator turned black hat hacker

• We are inside, now what?

• Microsoft network

– search for XLS, DOC files

– copy and enjoy

– application encryption worthless

• Service network

– password files

– passwords to backends (SQL)

– text copy of databases

– mailboxes

• Publish to Internet, sell to competition.

• Assumed full control

roelof temmingh

Page 18: knowthyself : Internal IT Security in SA


Keeping in touch

• Your previous administrator's current employer

• Keeping a grip on your network

• Service network & MS network

– Rootkits

– Backdoors

• Not only from internal

– Internet

– RAS

roelof temmingh

Page 19: knowthyself : Internal IT Security in SA


questions?

Page 20: knowthyself : Internal IT Security in SA

Agenda (section divider; repeats the Page 2 agenda before item 5, Setting the Stage)

Page 21: knowthyself : Internal IT Security in SA


Setting the Stage - a security culture

• Assign responsibility

– Security Officer

• Empower the Security Officer

– Authority, Money, People

• Measure Progress

– Project Plan, Certification, Audits

• Develop an IT Security Policy

– Guide, mandate & measure

– Should be:

• Endorsed by management

• Effectively communicated

• Specific

• Enforceable

• Practical

Page 22: knowthyself : Internal IT Security in SA


Setting the Stage - a security culture (continued)

• Communicate with key people

– Emphasise the value of data to business leaders

• Awareness training and programmes

– Buy-in at every level is essential

• Positive / Negative reinforcement

– Use security as a performance criterion

• Consider Security Certification

– Global standards for the implementation and assessment of security…

Page 23: knowthyself : Internal IT Security in SA


Thoughts on Certification

• Objective

– To enforce structure on your security program

– As a means of assessing your security

– As a means of measuring against best-of-breed

– As a means of convincing others of your security

• Is Certification for you?

– Recognition

– Focus

– Local Presence

– Cost

– Endurance

– Objectivity

Page 24: knowthyself : Internal IT Security in SA

Agenda (section divider; repeats the Page 2 agenda before item 6, Implementing Solutions)

Page 25: knowthyself : Internal IT Security in SA


Implementing Solutions - Overview

• Value your information and IT resources

– Know what you’re protecting and what it’s worth

• Assess your vulnerabilities

– Know exactly where you stand

• Evaluate actual risk versus acceptable risk

– You don’t have to be completely secure

• Develop a Security Strategy

– Know where you’re going and where you are

• Implement Controls

– 80/20 rule

• Assess the effect of the changes

– Security is a cycle
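Putting the deck's definition of risk into numbers, as an added example that is not part of the presentation: a Python risk register that computes each asset's expected annual loss from its value, its degree of technological vulnerability and an assumed threat frequency, tests the "secure when losses are at an acceptable level" criterion from the Risk-Profile slide, and applies the 80/20 rule by hardening the highest-loss assets first until the residual loss is acceptable. Asset names, figures, the 90% control effectiveness and the acceptable-loss threshold are all constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Asset:
    """One information resource in the risk profile (fields and numbers are constructed)."""
    name: str
    value: float              # what the information is worth to the business, in currency units
    vulnerability: float      # degree of technological vulnerability: P(an attempt succeeds), 0.0 .. 1.0
    attempts_per_year: float  # assumed threat frequency (not a figure from the presentation)


def expected_annual_loss(asset: Asset) -> float:
    """Value x probability of compromise x frequency: the loss this asset is expected to cost per year."""
    return asset.value * asset.vulnerability * asset.attempts_per_year


def risk_profile(assets: List[Asset], acceptable_loss: float) -> dict:
    """Rank assets by expected loss and test the deck's definition of 'secure':
    total expected loss at or below the level the organisation has decided it can accept."""
    ranked = sorted(assets, key=expected_annual_loss, reverse=True)
    total = sum(expected_annual_loss(a) for a in ranked)
    return {
        "ranked": [(a.name, round(expected_annual_loss(a), 2)) for a in ranked],
        "total": round(total, 2),
        "secure": total <= acceptable_loss,
    }


def controls_to_apply(assets: List[Asset], acceptable_loss: float,
                      reduction: float = 0.9) -> Tuple[List[str], float]:
    """80/20 rule: harden the highest-loss asset first and stop as soon as the
    residual loss is acceptable. 'reduction' is the assumed fraction of an
    asset's expected loss that a control removes."""
    residual = {a.name: expected_annual_loss(a) for a in assets}
    chosen = []
    for name in sorted(residual, key=residual.get, reverse=True):
        if sum(residual.values()) <= acceptable_loss:
            break
        residual[name] *= (1.0 - reduction)
        chosen.append(name)
    return chosen, round(sum(residual.values()), 2)


# Constructed sample inventory; the acceptable-loss figure is the business's own decision.
SAMPLE_ASSETS = [
    Asset("customer_db",   1_000_000, 0.4, 2),
    Asset("payroll_share",   200_000, 0.9, 1),
    Asset("public_web",       50_000, 0.7, 10),
    Asset("intranet_wiki",    10_000, 0.5, 1),
]
ACCEPTABLE_LOSS = 150_000

if __name__ == "__main__":
    print(risk_profile(SAMPLE_ASSETS, ACCEPTABLE_LOSS))
    print(controls_to_apply(SAMPLE_ASSETS, ACCEPTABLE_LOSS))
```

With the constructed figures the total expected loss is far above the acceptable level, and hardening the three highest-loss assets is enough to bring it under the threshold; the wiki is left alone, which is the 80/20 point the slide makes. The profile is "unique to your organisation, today": change any value, vulnerability or the acceptable-loss figure and the ranking and the stopping point move with it.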

Page 26: knowthyself : Internal IT Security in SA


Internal Security Cheat Sheet

• Publish a policy

– Guide, mandate and measure

• Content security

– Viruses, trojans, scripts

• Zoning

– Segment data, people, hosts and services

• Centralise

– It’s much easier to protect something if it’s in one place

• Host & service security

– Basics!

• Account Policies

– Passwords are an essentially weak mechanism

• Switch to the desktop

– It’s simple and it works

• Consider your RAS systems

– RAS is the soft underbelly of your network
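An added example (not from the presentation) of what "Zoning" and "Centralise" look like once they are written down as an enforceable policy: a Python check that maps constructed flow records to the zone they came from and went to, and flags every crossing the policy does not allow. The zone ranges, the allowed-flow table and the flow records are assumptions made for the example; the point is that segmentation only becomes measurable once the permitted crossings are listed explicitly.

```python
import re
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple

# Constructed zone layout, one network per zone (the presentation names the idea, not these ranges).
ZONES = {
    "desktops": ip_network("10.10.0.0/16"),
    "servers":  ip_network("10.20.0.0/24"),   # mail, web, application servers
    "data":     ip_network("10.30.0.0/24"),   # consolidated file and SQL stores ("Centralise")
    "ras":      ip_network("10.99.0.0/24"),   # dial-in address pool, treated as untrusted
}

# The policy: which (source zone, destination zone, destination port) crossings are permitted.
# Anything not listed here is a zoning violation, which is what makes the policy enforceable.
ALLOWED = {
    ("desktops", "servers", 25),    # SMTP
    ("desktops", "servers", 80),    # intranet web
    ("desktops", "servers", 110),   # POP3
    ("servers",  "data",    1433),  # only application servers may reach SQL
    ("ras",      "servers", 80),    # dial-in users get the intranet web and nothing else
}

FLOW_RE = re.compile(r"^(\S+) -> (\S+):(\d+)$")


def zone_of(ip: str) -> str:
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"   # an address outside every zone is itself worth a look


def parse_flow(line: str) -> Tuple[str, str, int]:
    """Parse one constructed flow record of the form 'src -> dst:port'."""
    m = FLOW_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable flow record: {line!r}")
    return m.group(1), m.group(2), int(m.group(3))


def check_flows(lines: List[str]) -> List[Dict]:
    """Return every flow that crosses a zone boundary the policy does not allow.
    Traffic that stays inside one zone is out of scope for the zoning policy."""
    violations = []
    for line in lines:
        src, dst, port = parse_flow(line)
        s, d = zone_of(src), zone_of(dst)
        if s == d:
            continue
        if (s, d, port) not in ALLOWED:
            violations.append({"src": src, "dst": dst, "port": port, "from": s, "to": d})
    return violations


# Constructed flow records, as they might be exported from a switch span port or firewall log.
SAMPLE_FLOWS = [
    "10.10.4.7 -> 10.20.0.10:80",     # desktop to intranet web: allowed
    "10.10.4.7 -> 10.30.0.5:1433",    # desktop straight to SQL: bypasses the application tier
    "10.99.0.23 -> 10.30.0.5:139",    # dial-in user to a file share: RAS reaching the data zone
    "10.20.0.10 -> 10.30.0.5:1433",   # application server to SQL: allowed
    "10.10.4.7 -> 10.10.4.8:139",     # desktop to desktop: intra-zone, not a zoning matter
    "192.168.1.1 -> 10.20.0.10:80",   # address in no defined zone
]

if __name__ == "__main__":
    for v in check_flows(SAMPLE_FLOWS):
        print(f"VIOLATION {v['from']}->{v['to']} {v['src']} -> {v['dst']}:{v['port']}")
```

Two of the three violations in the sample are exactly the cheat sheet's concerns: a desktop reaching the consolidated data store directly, and a RAS client reaching it at all. Running a check like this over real flow exports is how "effective zoning" stops being a diagram and becomes something you can audit.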

Page 27: knowthyself : Internal IT Security in SA

Agenda (section divider; repeats the Page 2 agenda before item 7, The role and value of IDS)

Page 28: knowthyself : Internal IT Security in SA


IDS - An Overview

• Intrusion Detection System

– Identify and report or react on an unauthorised or malicious action on a host or a network

• Types of IDS

– Host

– Distributed

– Network

• Typical Features (NIDS)

– Packet Sniffing Technology

– Attack Pattern Library

• Traffic Patterns, Viruses, Trojans, Signatures

– Rule Set

• Source, Destination, Time, Period, Signature

– Response capabilities

• Active or Passive

– Distributed Architecture

– Centralised Management

Page 29: knowthyself : Internal IT Security in SA


The Role of IDS

• Identifying an “Intrusion”

– Acceptability Parameters:

• Destination

• Source

• Signature

• Time

• Period

• Effective implementation

– Access to traffic

– Acceptability Parameters

– Response Capabilities

• Good Example - DMZ

– Finite area to monitor

– Existing security infrastructure

– Clearly defined acceptability parameters

– Limited number of events to respond to
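The rule set from the IDS overview (Source, Destination, Time, Period, Signature) and the acceptability parameters above, worked through as an added example rather than anything from the presentation or from a particular IDS product: a small Python detector that evaluates constructed traffic events against rules built from those five parameters, with the Period rule covering the repeated failed logins of the case study's password-guessing scenario. Rule names, networks, ports, signatures and events are all constructed; the response is the passive kind, a report.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, time, timedelta
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class Rule:
    """One entry in the rule set: the acceptability parameters an event is tested against."""
    name: str
    source: str = "0.0.0.0/0"                    # Source network
    destination: str = "0.0.0.0/0"               # Destination network
    port: Optional[int] = None                   # destination port, None = any
    signature: Optional[str] = None              # Signature: pattern from the attack pattern library
    window: Optional[Tuple[time, time]] = None   # Time: hours during which this traffic is not acceptable
    period: Optional[Tuple[int, int]] = None     # Period: (count, seconds) hits from one source


@dataclass
class Event:
    ts: datetime
    src: str
    dst: str
    port: int
    payload: str


def in_window(ts: datetime, window: Tuple[time, time]) -> bool:
    start, end = window
    t = ts.time()
    if start <= end:
        return start <= t < end
    return t >= start or t < end        # window wraps past midnight, e.g. 20:00-06:00


def matches(rule: Rule, ev: Event) -> bool:
    """True when every parameter the rule specifies is met by the event."""
    if ip_address(ev.src) not in ip_network(rule.source):
        return False
    if ip_address(ev.dst) not in ip_network(rule.destination):
        return False
    if rule.port is not None and ev.port != rule.port:
        return False
    if rule.signature is not None and rule.signature not in ev.payload:
        return False
    if rule.window is not None and not in_window(ev.ts, rule.window):
        return False
    return True


def detect(rules: List[Rule], events: List[Event]) -> List[Tuple[str, str, str]]:
    """Passive response: report (rule, source, time) for each intrusion.
    Period rules keep a sliding window of recent hits per (rule, source)."""
    alerts = []
    recent = defaultdict(deque)
    for ev in sorted(events, key=lambda e: e.ts):
        for rule in rules:
            if not matches(rule, ev):
                continue
            if rule.period is None:
                alerts.append((rule.name, ev.src, ev.ts.isoformat()))
                continue
            count, seconds = rule.period
            q = recent[(rule.name, ev.src)]
            q.append(ev.ts)
            while (ev.ts - q[0]).total_seconds() > seconds:
                q.popleft()
            if len(q) >= count:
                alerts.append((rule.name, ev.src, ev.ts.isoformat()))
                q.clear()                   # one alert per burst, not one per packet
    return alerts


# Constructed rule set: networks, ports and patterns are examples, not the presentation's.
RULES = [
    Rule("desktop-to-sql", source="10.10.0.0/16", destination="10.30.0.5/32", port=1433),
    Rule("after-hours-file-share", destination="10.30.0.0/24", port=445, window=(time(20, 0), time(6, 0))),
    Rule("web-path-traversal", port=80, signature="/../../"),
    Rule("pop3-password-guessing", port=110, signature="-ERR", period=(5, 60)),
]


def sample_events() -> List[Event]:
    """Constructed traffic: one evening's events plus a normal daytime file-share access."""
    t0 = datetime(2000, 7, 12, 22, 0, 0)
    evs = [
        Event(t0, "10.10.4.7", "10.30.0.5", 1433, "SELECT * FROM customers"),
        Event(t0 + timedelta(seconds=60), "10.10.4.7", "10.30.0.9", 445, "SMB tree connect"),
        Event(t0 + timedelta(seconds=120), "10.20.0.10", "10.20.0.11", 80, "GET /images/logo.gif"),
        Event(t0 + timedelta(seconds=130), "10.20.0.10", "10.20.0.11", 80, "GET /docs/../../../private.txt"),
        Event(datetime(2000, 7, 13, 9, 0, 0), "10.10.4.7", "10.30.0.9", 445, "SMB tree connect"),
    ]
    # five failed POP3 logins from one host inside a minute, a single one from another host
    for i in range(5):
        evs.append(Event(t0 + timedelta(seconds=200 + 10 * i), "10.10.9.3", "10.20.0.12", 110, "-ERR invalid password"))
    evs.append(Event(t0 + timedelta(seconds=300), "10.10.9.4", "10.20.0.12", 110, "-ERR invalid password"))
    return evs


if __name__ == "__main__":
    for alert in detect(RULES, sample_events()):
        print(*alert)
```

Note how much of the detector is the acceptability parameters rather than the pattern library: the same SMB access is an intrusion at 22:01 and normal at 09:00 the next morning, and the lone failed login never reaches the Period threshold. That is the slide's point about a DMZ being a good first home for an IDS: where the parameters are clearly defined, the rules are short and the number of events to respond to stays small.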

Page 30: knowthyself : Internal IT Security in SA


IDS & Internal Security

• For:

– Large, open environments

• eg Corporate Extranet or University

– Effective zoning, segmentation & consolidation

– Basic issues addressed

– Dedicated security personnel

• Against:

– Technology driven decision

• There are no point-and-click solutions to security

– Closed system

– Acceptability parameters

– Response capabilities

• In SA

– Address basic issues

– Consolidate valuable resources

– Do an assessment

– Make a strategy decision

– Consider outsourcing

Page 31: knowthyself : Internal IT Security in SA


questions?