To Stop a Hacker is to Think Like One!
8/14/2019 To Stop a Hacker is to Think Like One!
1/53
Hacking & Security Policies
Presented by:
Balram Sahu
Electrical Engg., IInd Year
G.B.P.E.C. Pauri
To Stop a Hacker is to Think Like One!
-
Background
Seminar Objectives
Provide insight into current efforts and future plans for network security.
Provide a helpful perspective on the nature of today's Internet security risk.
Provide guidelines for achieving those goals.
Demonstrations of tools used by hackers
-
Presentation Outline
Part 1: Threats to Security
Part 2: Performing a Risk Assessment
Part 3: Hacker Technologies
Part 4: Buffer Overflow Exploits
Part 5: Firewalls
Part 6: Denial of Service and Trojans
Part 7: Security Policy
Part 8: How to Handle an Attack?
Part 9: Educational Resources
-
Why Security
96% of large companies & govt. agencies had computer security breaches in 2005
Three-quarters suffered financial losses
Most frequent problems:
Computer viruses (85%)
Abuse of Internet access (79%)
Web-site vandalism (64%)
Source: 2005 CSI/FBI Computer Crime and Security Survey
-
Threats to Security
External threats, such as social engineering or viruses
Internal threats, such as internal attacks or code vulnerabilities
-
Addressing Internal Threats
Failure to update hotfixes and security patches
Blank or weak passwords
Default installation with unnecessary services
Internal attacks
(Diagram: restricted area of the network)
-
External Threats
Organizational Attacks: acquire confidential information to gain a business or competitive advantage
Social Engineering: bypasses technology to gain network access
Automated Attacks: uses software to gain network access
Denial of Service (DoS): blocks access to data or services (the user's connection fails)
Viruses, Trojan Horses, and Worms: harmful code, malicious programs, self-replicating
Accidental Breaches in Security: improper permissions can result in access to restricted data
-
General Prevention
Test and apply service packs and hotfixes
Run and maintain antivirus software
Run an intrusion detection system at the perimeter to your network
Block all messages containing Readme.exe or Admin.dll attachments
Reinstall infected systems
-
Protecting E-Mail
Microsoft Outlook e-mail security update
Blocks common script and executable extensions
Disables active scripting
Warns users about attempts to access the Outlook address book or send e-mail
Internet Explorer service packs for Microsoft Outlook Express
Internet Explorer 5.01 SP2
Internet Explorer 5.5 SP2
Internet Explorer 6 (full installation required on upgrades)
-
Protecting Web Servers
Apply the latest hotfixes
Install the latest service pack
Install the security roll-up packages
Remove unnecessary IIS components
Install UrlScan with the default rule set
(Diagram: Internet Information Service)
-
Protecting File Servers
Remove unnecessary file shares
Use an AGDLP or AGUDLP Strategy
Assign the minimum required permissions
Enforce complex passwords
-
Microsoft Strategic Technology Protection Program
Two-phase program that integrates Microsoft products, services, and support
Phase 1: Get Secure
Phase 2: Stay Secure
-
Phase 1: Get Secure
The Microsoft Security Tool Kit
Contains tools that provide a baseline level of security for servers that are connected to the Internet.
Provides support for Windows NT 4.0 and Windows 2003.
Toll-free virus support
-
Phase 2: Stay Secure
Worldwide security-readiness events
Tools, updates, and patches
Enterprise security tools
Windows Update auto-update functionality
Bimonthly product roll-up patches
Consulting engagements
-
Part 2: Performing a Risk Assessment
-
Strategies to Manage Risk
Avoidance
Mitigation
Contingency Plans
Acceptance
(Diagram: the four strategies surround the Risk being managed)
-
Analyzing Risk
1. Identify Resources
2. Identify Threats
3. Calculate Exposure
4. Implement Security Measures
5. Review Plan
-
Identifying the Resources to Protect
Hardware
Software
Data
People
Documentation
(Step 1: Identify Resources)
-
Identifying the Threats to Resources
Viruses, Trojan Horses, and Worms
Social Engineering
Automated Attacks
Accidental Breaches in Security
Denial of Service (DoS)
Organizational Attacks
(Diagram: all of these threats aim at the Restricted Data; Step 2: Identify Threats)
-
Calculating Exposure
Exposure = Probability x Impact
Example
A security risk to data valued at $500,000 has a 75% probability of occurring
Multiply 75% x $500,000 to calculate a $375,000 exposure value.
Rank risks to an organization based on exposure value
(Step 3: Calculate Exposure)
-
External Attacks Most Frequent
Greater use of Internet
Tools & techniques evolve to enable new opportunities for attack
Source: 2000 CSI/FBI Computer Crime and Security Survey
Frequent Points of Attack (percent of respondents):
Internal systems: 38
Internet connection: 59
-
20-Year Trend: Stronger Attack Tools
Source: GAO Report to Congress, 1996
(Chart: relative technical complexity of attack tools against year, 1980 to 1995, with a line for the average intruder. Techniques in order of appearance:)
password guessing
self-replicating code
password cracking
exploiting known vulnerabilities
disabling audits
back doors
hijacking sessions
sniffers / sweepers
stealth diagnostics
packet forging / spoofing
GUI hacking tools
-
Trend Has Continued
(Chart: relative technical complexity against year, 1998 to 2001, continuing the previous chart; 2001 is marked "?". Tools shown:)
Windows remote control
Melissa
PrettyPark
Trinoo
Stacheldraht
DDoS
Insertion tools
Hacking tools
Kiddie scripter
-
Part 3: Hacker Technologies
-
The Threats
Hacker Technologies
Internet Engineering
System Administration
Network Management
Reverse Engineering
Distributing Computing
Cryptography
Social Engineering
-
The Threats
Hacking tools become more and more sophisticated and powerful in terms of:
Efficiency
Distribution
Stealth
Automation
User friendliness
These hacking tools can be easily downloaded from the Internet
-
The Threats
Your host does not need to be as famous as Yahoo or eBay to be targeted
They need a place to hide their traces
They need your host as a stepping stone to hack other sites
They need your host's resources to carry out their activities
Your host's security weaknesses can be identified by a scan tool
The security of any network on the Internet depends on the security of every other network
No network is really secure
-
The Threats
The Trends
From Jan to April 2000 (before we fully deployed our IE firewall for the RLAB segment), our site received the following security warnings:
Web page defacement
Unauthorized system access
Port scanning
Ping broadcast scanning
Telnet probe scanning
-
Part 4: Buffer Overflow Exploits
-
How Do They Hack In?
General Steps
Locate the victim host with a scanning program
Identify the victim host's vulnerability
Attack the victim host via this vulnerability
Establish backdoors for later access
Some hacking tools can automate the above steps into a single command.
-
How Do They Hack In?
Buffer Overflow Exploit
Stuffing more data into a buffer than it can handle
overwrites the return address of a function
and switches the execution flow to the hacker's code
-
How Do They Hack In?
Buffer Overflow Exploit
Process Memory Region (low memory address at the top, high memory address at the bottom):
Text Region (program code)
Data Region (initialized/uninitialized data)
Stack Region (subroutine local variables and return address)
-
How Do They Hack In?
Buffer Overflow Exploit

    #include <string.h>

    /* Copies its argument into a 16-byte stack buffer with no length
       check: anything longer than 15 characters overflows the buffer. */
    void function(char *str) {
        char buffer[16];
        strcpy(buffer, str);
    }

    int main(void) {
        char large_string[256];
        int i;
        for (i = 0; i < 255; i++)
            large_string[i] = 'A';
        large_string[255] = '\0';   /* terminator, so strcpy() stops after 255 bytes */
        function(large_string);
        return 0;
    }

Stack layout when function() is called (top of stack at the top, bottom of stack at the bottom):
buffer (function local variable)
sfp (saved frame pointer)
ret (return address)
*str (argument)
Copying 255 bytes of 'A' into the 16-byte buffer overwrites sfp and ret.
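The slide shows the vulnerable side only. As an added example (not code from the slides), here is the same function with the copy bounded to the buffer size, so an oversized argument is rejected rather than written over the saved frame pointer and return address. The names bounded_copy() and function_safe() are chosen for this example.

```c
#include <stdio.h>
#include <string.h>

/* Added example: the slide's function() rewritten with a length check.
   Same 16-byte stack buffer, but oversized input is rejected instead of
   being copied over the saved frame pointer and return address. The names
   bounded_copy() and function_safe() are this example's, not the slide's. */

#define BUFSIZE 16

/* Copies src into dst only if it fits, terminating NUL included.
   Returns 0 on success; -1 (and an empty dst) if it would overflow. */
int bounded_copy(char *dst, size_t dstsz, const char *src)
{
    size_t n = strlen(src);
    if (dstsz == 0)
        return -1;
    if (n >= dstsz) {             /* no room for the NUL: refuse the copy */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);
    return 0;
}

/* Hardened counterpart of the slide's function(): returns the length
   stored in the local buffer, or -1 if the input was rejected. */
int function_safe(const char *str)
{
    char buffer[BUFSIZE];
    if (bounded_copy(buffer, sizeof buffer, str) != 0)
        return -1;
    return (int)strlen(buffer);
}

int main(void)
{
    char large_string[256];       /* the slide's 255 x 'A' input */
    memset(large_string, 'A', 255);
    large_string[255] = '\0';

    printf("\"hello\"   -> %d\n", function_safe("hello"));       /* 5 */
    printf("255 x 'A' -> %d\n", function_safe(large_string));  /* -1: rejected */
    return 0;
}
```

The check is the whole fix: the buffer and the stack frame are unchanged, only the unbounded strcpy() is gone. Compiling with stack protection (for example GCC's -fstack-protector) adds a canary that catches overwrites of sfp and ret at run time, but it is a second line of defence, not a substitute for the length check.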
-
How Do They Hack In?
Real Case Study I
Hackers first located the victim hosts by a sunrpc scan of the 137.189 network
Broke into the victim hosts via the amd (Berkeley Automounter Daemon) buffer overflow vulnerability
Created a backdoor on port 2222 by starting a second instance of the inetd daemon
Used the victim hosts to scan other networks
-
How Do They Hack In?
Real Case Study II
Hackers first located the victim hosts by scanning BIND port 53
Identified the victim OS (a telnet probe)
Set up a trap DNS daemon at the hacker's DNS server
Kicked the victim hosts into querying the hacker's DNS server
Broke into the victim hosts via a BIND buffer overflow
Established back door accounts at the victim hosts
Distributed, built and operated the IRC bot (eggdrop)
-
Part 5: Firewalls
-
Fighting Back
Get Your Security Profile
Set Your Security Policy
Build the Firewall
-
Get Your Security Profile
Act as a hacker and try to break into your own host
Port scan your host and see what network ports are open
Figure out whether the versions of your host OS and software applications are vulnerable
Can you cover up your traces after the break-in? (Does your host have any monitoring or intrusion detection system?)
Can you easily establish a back door after the break-in? (Have you built any firewall?)
-
Set Your Security Policy
There is always a trade-off between security and convenience
Identify your host services
Shut down any unnecessary ports and build the kernel as minimal as possible
Identify your target users, trusted hosts and networks so that you can formulate your host access lists
Set up your firewall
Use private IP networks
Use proxy servers
-
Set Your Security Policy
Set up your monitoring and intrusion detection systems
COPS, Tripwire, tcpdump, SNMP
Set up your operating codes/rules, such as
Read-only file system mounting
ssh login
sudo
Restricted login shells
Set up your recovery plan
Recovery procedure and backup scheme
-
Build Your Firewall and IDS
Control and monitor the traffic IN and OUT of your network
Block any unnecessary network connection from non-trusted hosts and networks
Define your access rules according to your security policy
Use packet filtering and application proxies
Build a sniffer to monitor your internal network traffic
-
Firewall Architecture
Dual-homed host architecture
-
Firewall Architecture
Architecture using two routers
-
Firewall Architecture
Architecture using a merged interior and exterior router
-
Build Your Firewall
How it protects your network
Prevents port scanning
Prevents DDoS attacks and IP spoofing originating from your host
Blocks any unnecessary open network port
Increases the difficulty of creating a back door after a break-in
Facilitates network monitoring and network intrusion detection
-
Firewall in IE Network
Set your own filter rules at your host
Here is an example of how to use ipchains to block all TCP and UDP connections to your host from outside the IE network, except to port 80:
ipchains -A input -s 0.0.0.0/0.0.0.0 -d your_host_ip/255.255.255.255 80 -i eth0 -p 6 -j ACCEPT
ipchains -A input -s ! 137.189.96.0/255.255.252.0 -d 0.0.0.0/0.0.0.0 -i eth0 -p 6 -j DENY -y
ipchains -A input -s ! 137.189.96.0/255.255.252.0 -d 0.0.0.0/0.0.0.0 -i eth0 -p 17 -j DENY
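To see what those three rules actually let through, here is an added model of the chain in C (not the slides' code and not ipchains itself) that evaluates the rules first-match, the way an ipchains input chain does. Assumptions made for the example: your_host_ip is taken as 137.189.96.10, the -i eth0 interface match is not modelled, and the chain's default policy is ACCEPT (the slide does not state it).

```c
#include <stdint.h>
#include <stdio.h>

/* Added model of the slide's three ipchains rules, evaluated first-match.
   Constructed for this example: your_host_ip is taken as 137.189.96.10,
   -i eth0 is not modelled, and the chain's default policy is assumed ACCEPT. */

enum { PROTO_TCP = 6, PROTO_UDP = 17 };       /* the slide's -p 6 and -p 17 */
enum { DENY = 0, ACCEPT = 1 };

#define IP4(a, b, c, d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | \
                         ((uint32_t)(c) << 8) | (uint32_t)(d))
#define YOUR_HOST_IP  IP4(137, 189, 96, 10)   /* constructed stand-in for your_host_ip */
#define IE_NET        IP4(137, 189, 96, 0)
#define IE_MASK       0xfffffc00u             /* 255.255.252.0, i.e. a /22 */

struct packet {
    uint32_t src, dst;      /* IPv4 addresses, host byte order */
    int proto, dport;
    int syn;                /* TCP SYN without ACK: what -y matches */
};

struct rule {
    uint32_t src_net, src_mask;
    int      src_negate;    /* the "!" in -s ! net/mask */
    uint32_t dst_net, dst_mask;
    int      proto;
    int      dport;         /* -1 = any port */
    int      syn_only;      /* -y */
    int      target;
};

static const struct rule chain[] = {
    /* -s 0.0.0.0/0.0.0.0 -d your_host_ip/255.255.255.255 80 -p 6 -j ACCEPT */
    { 0, 0, 0, YOUR_HOST_IP, 0xffffffffu, PROTO_TCP, 80, 0, ACCEPT },
    /* -s ! 137.189.96.0/255.255.252.0 -d 0.0.0.0/0.0.0.0 -p 6 -j DENY -y */
    { IE_NET, IE_MASK, 1, 0, 0, PROTO_TCP, -1, 1, DENY },
    /* -s ! 137.189.96.0/255.255.252.0 -d 0.0.0.0/0.0.0.0 -p 17 -j DENY */
    { IE_NET, IE_MASK, 1, 0, 0, PROTO_UDP, -1, 0, DENY },
};

static int matches(const struct rule *r, const struct packet *p)
{
    int src_in_net = (p->src & r->src_mask) == (r->src_net & r->src_mask);
    if (r->src_negate ? src_in_net : !src_in_net)
        return 0;
    if ((p->dst & r->dst_mask) != (r->dst_net & r->dst_mask))
        return 0;
    if (p->proto != r->proto)
        return 0;
    if (r->dport != -1 && p->dport != r->dport)
        return 0;
    if (r->syn_only && !p->syn)     /* -y: only new connection attempts */
        return 0;
    return 1;
}

/* The first matching rule decides; otherwise the (assumed) ACCEPT policy applies. */
int filter_input(const struct packet *p)
{
    size_t i;
    for (i = 0; i < sizeof chain / sizeof chain[0]; i++)
        if (matches(&chain[i], p))
            return chain[i].target;
    return ACCEPT;
}

/* Helper: a packet from a.b.c.d addressed to your_host_ip. */
int decide(int a, int b, int c, int d, int proto, int dport, int syn)
{
    struct packet p = { IP4(a, b, c, d), YOUR_HOST_IP, proto, dport, syn };
    return filter_input(&p);
}

int main(void)
{
    const char *name[] = { "DENY", "ACCEPT" };
    printf("outside host, TCP SYN to port 80     : %s\n", name[decide(203, 0, 113, 5, PROTO_TCP, 80, 1)]);
    printf("outside host, TCP SYN to port 22     : %s\n", name[decide(203, 0, 113, 5, PROTO_TCP, 22, 1)]);
    printf("outside host, TCP without SYN to :22 : %s\n", name[decide(203, 0, 113, 5, PROTO_TCP, 22, 0)]);
    printf("outside host, UDP to port 53         : %s\n", name[decide(203, 0, 113, 5, PROTO_UDP, 53, 0)]);
    printf("IE network host, TCP SYN to port 22  : %s\n", name[decide(137, 189, 97, 5, PROTO_TCP, 22, 1)]);
    printf("next /22 over, UDP to port 53        : %s\n", name[decide(137, 189, 100, 1, PROTO_UDP, 53, 0)]);
    return 0;
}
```

Two things the model makes visible. The -y on the second rule is what lets connections the host opens itself keep working: only the SYN of a new inbound connection is denied, and reply segments from outside fall through to the default policy, so the host's own TCP stack is still what decides about stray non-SYN packets. The third rule has no such exception, so UDP replies from any server outside 137.189.96.0/22 (a DNS resolver, for instance) are denied as well; that is the gap a stateful firewall closes by remembering the outbound packet.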
-
Firewall Protection Services
Network address translation (NAT)
Packet filters
Server publishing
Stateful inspection
(Diagram: LAN - Firewall - Internet; protecting the internal network)
-
Protecting the Internal Network: Addressing Scheme
Private network addressing: the internal hosts 192.168.10.1, 192.168.10.2 and 192.168.10.3 sit behind the firewall, whose public address on the Internet is 207.46.197.100
Network address translation (one table entry):
Source IP: 192.168.10.1, translated to 207.46.197.100
Source port: 1033, translated to 1998
Target IP: Any
Target port: 80
NAT DNS zones
-
Filtering Protocols
Filtering strategies: Deny all filter, Allow all filter
(Diagram: firewall rules between the private and public networks. Private network side: SMTP, POP3, IMAP. Firewall rules: SMTP, POP3, IMAP, FTP, Telnet. Public network side: SMTP, POP3, IMAP, FTP, Telnet.)
-
Concealing an IP Address
Server publishing rule:
Source: Any
Destination: 207.46.197.100 (published address), forwarded to 192.168.10.3
Port: TCP 3389, forwarded to TCP 3389
(Diagram: Internet - Router - Firewall at 207.46.197.100 - internal hosts 192.168.10.1, 192.168.10.2 and 192.168.10.3, the Web Server)
-
Stateful Inspection
(Diagram: Client on the private network, Firewall, public network)
Client sends a packet from UDP port 4444
Response to UDP port 4444 = Permitted
Response to UDP port 5555 = Denied
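The three services on these slides (NAT, server publishing, stateful inspection) share one mechanism: the firewall records what went out and only lets matching traffic back in. The following added example (not code from the slides) models all three in C with the slides' addresses: 192.168.10.x behind 207.46.197.100, TCP 3389 published to 192.168.10.3, and 1998 as the first translated port. The remote endpoints (198.51.100.x, 203.0.113.x) and the session-table layout are constructed for the example; because NAT is applied, the client's UDP port 4444 leaves as a translated port, and it is a reply to that translated port that is permitted while a reply to port 5555 is denied.

```c
#include <stdio.h>
#include <string.h>

/* Added model of three firewall services from the slides: NAT for outbound
   traffic, server publishing (a static inbound mapping) and stateful
   inspection of return traffic. Addresses and ports are the slides'
   (192.168.10.x behind 207.46.197.100, TCP 3389 published to 192.168.10.3,
   first translated port 1998); remote endpoints and table layout are
   constructed for this example. */

#define MAX_SESSIONS    64
#define PUBLISHED_PORT  3389             /* slide: TCP 3389 -> 192.168.10.3 */
#define PUBLISHED_HOST  "192.168.10.3"

struct session {
    int  in_use;
    char inside_ip[16];                  /* e.g. 192.168.10.1 */
    int  inside_port;                    /* e.g. 1033 */
    int  nat_port;                       /* port used on 207.46.197.100, e.g. 1998 */
    char remote_ip[16];                  /* the target the client talked to */
    int  remote_port;                    /* e.g. 80 */
};

static struct session table[MAX_SESSIONS];
static int next_nat_port = 1998;         /* the slide's first translated port */

/* Outbound packet from the private network. Records the session (or reuses
   an existing one) and returns the translated source port; -1 if the table
   is full, in which case the packet is dropped. */
int nat_outbound(const char *src_ip, int src_port,
                 const char *dst_ip, int dst_port)
{
    int i;
    for (i = 0; i < MAX_SESSIONS; i++) {
        struct session *s = &table[i];
        if (s->in_use && s->inside_port == src_port && s->remote_port == dst_port
            && strcmp(s->inside_ip, src_ip) == 0 && strcmp(s->remote_ip, dst_ip) == 0)
            return s->nat_port;
    }
    for (i = 0; i < MAX_SESSIONS; i++) {
        struct session *s = &table[i];
        if (s->in_use)
            continue;
        s->in_use = 1;
        snprintf(s->inside_ip, sizeof s->inside_ip, "%s", src_ip);
        s->inside_port = src_port;
        snprintf(s->remote_ip, sizeof s->remote_ip, "%s", dst_ip);
        s->remote_port = dst_port;
        s->nat_port = next_nat_port++;
        return s->nat_port;
    }
    return -1;
}

/* Inbound packet to the firewall's public address. Returns the internal
   "ip:port" it is forwarded to, or NULL if it is denied. Only two kinds of
   traffic get in: connections to the published server, and replies that
   match a recorded outbound session (same remote endpoint, same NAT port). */
const char *inbound(const char *src_ip, int src_port, int dst_port)
{
    static char target[32];
    int i;
    if (dst_port == PUBLISHED_PORT) {    /* server publishing: any source */
        snprintf(target, sizeof target, "%s:%d", PUBLISHED_HOST, PUBLISHED_PORT);
        return target;
    }
    for (i = 0; i < MAX_SESSIONS; i++) { /* stateful inspection */
        const struct session *s = &table[i];
        if (s->in_use && s->nat_port == dst_port && s->remote_port == src_port
            && strcmp(s->remote_ip, src_ip) == 0) {
            snprintf(target, sizeof target, "%s:%d", s->inside_ip, s->inside_port);
            return target;
        }
    }
    return NULL;
}

/* Decision only, in the slide's "permitted / denied" terms. */
int reply_permitted(const char *src_ip, int src_port, int dst_port)
{
    return inbound(src_ip, src_port, dst_port) != NULL;
}

int main(void)
{
    int p;
    /* NAT slide: 192.168.10.1:1033 -> any:80 leaves as 207.46.197.100:1998 */
    p = nat_outbound("192.168.10.1", 1033, "198.51.100.7", 80);
    printf("192.168.10.1:1033 -> 198.51.100.7:80 leaves as 207.46.197.100:%d\n", p);
    /* stateful inspection slide: client sends from UDP 4444 */
    p = nat_outbound("192.168.10.2", 4444, "198.51.100.9", 53);
    printf("reply to :%d   %s\n", p, reply_permitted("198.51.100.9", 53, p) ? "permitted" : "denied");
    printf("reply to :5555 %s\n", reply_permitted("198.51.100.9", 53, 5555) ? "permitted" : "denied");
    /* server publishing slide: anyone may reach the published TCP 3389 */
    printf("203.0.113.5 -> :3389 forwarded to %s\n", inbound("203.0.113.5", 40000, 3389));
    return 0;
}
```

Note that the reply check matches the remote address and port as well as the translated port: a packet to the right port from a different sender is denied too, which is what distinguishes stateful inspection from the stateless ipchains rules on the earlier slide. The published port is the one deliberate hole, and the model shows why it deserves the most attention: it accepts any source.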
-
References
http://www.research.ibm.com/journal/sj/403/palmer.html
http://abcnews.go.com/Business/FinancialSecurity/story?id=501292&page=2
Introduction to Hacking, written by D. M. Chess
-
Thank You