Turn your information security training or awareness …
In this talk you will learn how information security awareness training can be
delivered to IT staff, like developers, management and helpdesk personnel, using
actual incidents to create a lasting impression. The training exercise will
investigate an actual compromised system recreated on a VMware image. Using
this hands-on approach, the attendees will review the system; find the
vulnerabilities, the hidden folders and files; and practice cleaning up the system -
all the while documenting their findings and following the organization’s incident
handling procedures. Attendees will learn how a hands-on approach in a lab
setting can be an effective learning tool.
- Turn your information security training or awareness talk into a hands-on
exercise based on a real incident using VMware.
- This gets the students involved, so they will retain more.
- By using an example of a real incident at your organization, you can drive home
the importance of information security incident handling and apply the lessons
learned.
- If your organization does not practice incident handling, how will you know
your organization is ready for a real incident?
Configuration
- It is best to use a real incident that impacted your organization.
- For this presentation, we will recreate an incident I was involved in.
- We will use VMware running a Windows 2000 Server.
- We will be setting up a Warez site for bootlegged movies and a key logger.
Installation
- Using VMware, install the Windows 2000 operating system.
- Make sure the server still allows null sessions (anonymous enumeration of users and shares); this is the weakness the walk-through builds on.
- Create ‘illegal’ folders.
- Copy and hide files.
- Install and start the FTP server and key logger.
The Incident Background
- Users notice that the system is running out of disk space.
- Server administrators cannot account for several gigabytes of disk space.
- Network traffic from the Internet is observed going to and from the internal
server.
- Your group is called in to investigate and handle the incident.
- It is important to properly set up the scenarios.
- Give the audience clues on what to look for:
Missing disk space
Network connections
- It is best to follow your organization’s incident response procedures.
- This can be part of a larger training plan, an awareness exercise or just a demo
for management.
The Purpose and Rules
The point of the exercise is to determine what happened and clean it up.
To achieve this purpose we should:
- Work together in teams
- Be able to explain what your team did and discovered
- Focus on learning, not just cleaning up the system
What are your organization’s incident handling policies and procedures with
respect to:
- Record keeping?
- Informing management and system owners?
- Human Resources and Legal notification and involvement?
- When to engage Human Resources, Legal, Compliance, Management, ISO,
CTO, CEO?
- What about outside notification? Law enforcement, the press, the public?
Think privacy breach laws!
The Teams
- The exercise should be a team effort.
- Involve members from different IT groups or departments.
- The strongest technical person needs to explain the process and results clearly
so the entire team understands.
- A time limit with milestones should be used; provide hints if teams get stuck. It is better to learn in a training exercise than during a real incident.
The Tools
- Provide any additional tools needed on the VMware image.
- The tools you provide will depend on the technical level of the students.
- For short exercises, provide teams with all necessary information.
- For longer exercises, allow the use of outside information.
- Keep it simple; you will want to provide all the tools needed to complete the
exercise.
- The exercise should not become a treasure hunt for the tools.
- This helps limit the scope of the exercise. For example, there is no need to
bring in EnCase for forensic investigation.
- You may want to include:
Pens and papers for incident handling notes, recording times
White boards, large note pads or overhead for debrief walk through
The Walk Through
- Identify the accounts with weak or no passwords.
- In this case, the weakness is null sessions, a "feature" of Windows 2000. An
anonymous connection to the IPC$ share lets the Bad Guys enumerate system
information (usernames, shares, password policy) without logging in first; with a
list of usernames in hand, guessing the weak passwords above is easy. Later
Windows versions still accept null sessions by default, although Windows XP and
Server 2003 restrict by default what an anonymous user may enumerate. The Bad
Guys could have used any Windows 2000 vulnerability to break in; this one simply
made the rest easy.
- For Windows 2000, the hidden folders can be opened from the desktop with
Start > Run by typing the host IP address, the name of the share and then the
path, all in quotes, for example: "\\192.168.10.128\c$\aux\ \com3
\HiddenFolder". Note there is a non-printing Alt-255 character after com3.
- For Windows XP, use Start > Run “c:\aux\ \com3 \HiddenFolder” (don’t forget
the alt-255 after com3) to access the folder. Just double clicking on ‘aux’ can
hang up Explorer under both Windows 2000 and Windows XP.
The Walk Through
- To find hidden folders and files in them, use Windows search and look in the
common hiding places:
\Winnt or \Windows system folders
Documents and Settings
Recycle Bin (e.g., C:\RECYCLER)
Only limited by the Bad Guy’s imagination
Deleting the folders
- This example uses the reserved name folder trick and Alt-255*
- The Bad Guys have hidden their files in a folder with an illegal folder name (e.g.,
AUX, COM1, PRN, LPT1).
- Works under at least Windows 2000, Windows XP and Windows 2003.
- These folders cannot be deleted (or reliably opened) using normal methods,
because the Win32 layer treats the name as a device rather than a folder.
- See How to Remove Files with Reserved Names in Windows from Microsoft
(http://support.microsoft.com/?kbid=120716).
* Alt-255 inserts character 255 of the OEM (extended ASCII) code page, the
no-break space. It prints like a space, but it is a different character, so a name
containing it does not match the same name typed with an ordinary space.
There are at least two methods you can use to delete these folders:
- Using the rm.exe tool from the Windows Resource Kit with a POSIX-style path
rm -d "//C/Program Files/Subdir/COM1"
- The rd command with the \\.\ device-path prefix, which bypasses the Win32
reserved-name check
rd /s \\.\c:\aux
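As an added example (not part of the talk or its downloadable scripts), the following Python scanner automates the search for the two tricks described above: it walks a directory tree and flags names whose stem is a Win32 reserved device name (AUX, COM1 to COM9, LPT1 to LPT9, PRN, CON, NUL), with or without an extension or an ordinary trailing space, names containing the Alt-255 no-break space, and, more generally, trailing dots or spaces and control characters. It builds its own constructed sample tree (aux, then com3 followed by Alt-255, then HiddenFolder, beside an innocent Program Files) in a temporary directory; those names can only be created this way on a non-Windows host, so run it from an analysis workstation against a mounted copy of the suspect disk rather than on the compromised server.

```python
"""Find folder and file names that hide from Explorer: Win32 reserved device
names and Alt-255 look-alike spaces, as used in the walk-through."""
import os
import tempfile

# Device names the Win32 layer reserves. The rule applies to the name before
# the first dot, case-insensitively, after ordinary trailing spaces are
# stripped: "aux", "AUX.txt" and "com3 " (normal space) are all reserved.
RESERVED = {"CON", "PRN", "AUX", "NUL"} \
    | {f"COM{n}" for n in range(1, 10)} | {f"LPT{n}" for n in range(1, 10)}

# Alt-255 on a Windows keyboard inserts character 255 of the OEM code page, the
# no-break space (U+00A0). Explorer draws it like a space, but it is a different
# character: "com3" plus Alt-255 is not a reserved name, yet it cannot be typed
# with a normal space, so the folder is nearly impossible to open by hand.
LOOKALIKES = {"\u00a0": "Alt-255 / U+00A0 no-break space"}


def classify_name(name):
    """Return the reasons one file or folder name is suspicious ([] if none)."""
    reasons = []
    stem = name.split(".", 1)[0].rstrip(" ")
    if stem.upper() in RESERVED:
        reasons.append(f"reserved device name {stem.upper()}")
    for ch, label in LOOKALIKES.items():
        if ch in name:
            reasons.append(label)
    if name != name.rstrip(" ."):
        reasons.append("trailing space or dot")
    if any(ord(ch) < 0x20 for ch in name):
        reasons.append("control character")
    return reasons


def scan_tree(root):
    """Walk root and map each suspicious entry (path relative to root) to its reasons."""
    hits = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for entry in dirnames + filenames:
            reasons = classify_name(entry)
            if reasons:
                hits[os.path.relpath(os.path.join(dirpath, entry), root)] = reasons
    return hits


def build_sample_tree(base):
    """Constructed sample mirroring the walk-through: a reserved 'aux' folder,
    an Alt-255 'com3' folder inside it, and an innocent neighbour."""
    # Win32 refuses these names through normal APIs, so build the sample on a
    # non-Windows analysis host (on Windows it needs the \\?\ path prefix).
    hidden = os.path.join(base, "aux", "com3\u00a0", "HiddenFolder")
    os.makedirs(hidden)
    os.makedirs(os.path.join(base, "Program Files", "Common Files"))
    with open(os.path.join(hidden, "movie.avi"), "w") as fh:
        fh.write("constructed sample\n")
    return base


def demo():
    """Build the sample tree in a temporary directory, scan it and return the hits."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_tree(build_sample_tree(tmp))


if __name__ == "__main__":
    for path, reasons in sorted(demo().items()):
        print(f"{path!r}: {', '.join(reasons)}")
```

Windows search and Explorer are unreliable against exactly these names (double-clicking aux can hang Explorer, as noted above), which is why the scan runs on the analysis side; point scan_tree at the mount point of the imaged disk and record every hit in the incident notes before any cleanup.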
The Walk Through
- A Serv-U FTP server was installed as a service using FireDaemon.
- FireDaemon can convert an application to a Windows service.
- It can automatically restart the application if it stops.
- It can be installed and started via the command line.
The Walk Through
- Finding unusual services requires knowing what the usual services are.
- This is partly prior knowledge, partly guess work.
- Google can help identify unknown services.
- Note details of the service, for example the path to the executable.
- The FTP server can be removed by stopping and deleting the service and then
deleting the files.
The Walk Through
Key Logger:
- Installed via the command line
- Startup added to the registry
- Hidden from the task manager
The Walk Through
- What to look for and where to look
- The key logger can be removed by deleting its files and its startup entry, for
example with msconfig. Msconfig does not ship with Windows 2000, but the
Windows XP version works on Windows 2000. Other tools, such as HijackThis,
also list startup entries.
- What about “contraband” files? For example, child pornography
- What does your organization’s policy say?
The Walk Through
- What else could be checked?
User accounts
Group permissions
Event logs
Startup files
Installed programs
Network connections
What else?
Discussion
- What steps would your organization take to return the server to production?
- Would you try and clean the server or just rebuild it?
- How would you ensure the server was not re-infected?
- What procedures are in place to return the server to production?
- Who signs off on the server before returning it to production?
- Will the server be monitored once it is back in production?
Discussion
- Why was this server compromised?
- What vulnerability made this attack possible?
- How could this have been prevented?
Fixing the Vulnerability
- Edit the registry to add the RestrictAnonymous value (a REG_DWORD) under
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa and set it to 2.
The possible values are:
0 - None. Rely on default permissions
1 - Do not allow enumeration of SAM accounts and names
2 - No access without explicit anonymous permissions
- The value 2 is specific to Windows 2000; Windows XP and Server 2003 expose
the same controls as separate "Network access" security policy settings
(RestrictAnonymousSAM and EveryoneIncludesAnonymous).
- This change can break networks and applications that depend on anonymous
access, for example trusts with older domains and browse lists. It should be
tested before changing production systems.
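Pulling the registry-side checks of the walk-through together, here is an added example that is not part of the talk or its download: it parses a `reg query <key> /s` dump of the Services, Run and Lsa keys and reports the services missing from a known-good baseline together with their ImagePath (the detail to record, since it exposes the FireDaemon wrapper around the FTP server), the Run-key startup entries where the key logger registered itself, and the RestrictAnonymous level with the 0/1/2 meanings listed above. The dump, the baseline, the FireDaemon command line and the kl.exe key logger are all constructed or hypothetical, and the parser assumes the output layout of reg.exe from Windows XP/2003 and later, which can be pointed at the Windows 2000 server remotely with `reg query \\server\HKLM\... /s` from an analysis workstation.

```python
"""Triage a registry dump from the suspect server: services not in the baseline,
Run-key startup entries and the RestrictAnonymous (null session) setting."""
import re

# Services present on a clean build of the same OS image. Constructed for this
# example; in practice export the list from a known-good server beforehand.
BASELINE_SERVICES = {"browser", "dhcp", "dnscache", "eventlog", "lanmanserver",
                     "lanmanworkstation", "netlogon", "rpcss", "spooler", "w32time"}

# Constructed sample of `reg query <key> /s` output for the three keys of
# interest. The Serv-U/FireDaemon ImagePath, the Parameters subkey and the
# svchost32/kl.exe Run entry are hypothetical stand-ins for the walk-through.
SAMPLE_DUMP = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog
    DisplayName    REG_SZ    Event Log
    ImagePath    REG_EXPAND_SZ    %SystemRoot%\system32\services.exe
    Start    REG_DWORD    0x2

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler
    DisplayName    REG_SZ    Print Spooler
    ImagePath    REG_EXPAND_SZ    %SystemRoot%\system32\spoolsv.exe
    Start    REG_DWORD    0x2

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Serv-U
    DisplayName    REG_SZ    Serv-U
    ImagePath    REG_EXPAND_SZ    "C:\Program Files\FireDaemon\FireDaemon.EXE" Serv-U
    Start    REG_DWORD    0x2

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Serv-U\Parameters
    Path    REG_SZ    C:\WINNT\system32\drivers\etc

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Synchronization Manager    REG_SZ    mobsync.exe /logon
    svchost32    REG_SZ    C:\WINNT\system32\kl.exe /hide

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
    RestrictAnonymous    REG_DWORD    0x0
"""

KEY_RE = re.compile(r"^(HKEY_[A-Z_]+\\\S.*?)\s*$")
VALUE_RE = re.compile(
    r"^\s+(?P<name>.+?)(?:\t|\s{2,})(?P<type>REG_[A-Z_]+)(?:\t|\s{2,})(?P<data>.*?)\s*$")


def parse_reg_query(text):
    """Return {key_path: {value_name: (reg_type, data)}} from `reg query` output.
    Assumes one key per line and values indented and separated by tabs or runs
    of spaces; value names containing two consecutive spaces are not supported."""
    keys, current = {}, None
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m["name"]] = (m["type"], m["data"])
    return keys


SERVICES_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services" + "\\"
RUN_KEYS = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
            r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
            r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run")
LSA_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"


def unknown_services(reg, baseline=BASELINE_SERVICES):
    """Map each service missing from the baseline to its ImagePath, the detail
    to note for the incident record (here it reveals the FireDaemon wrapper)."""
    found = {}
    for key, values in reg.items():
        if not key.startswith(SERVICES_KEY):
            continue
        name = key[len(SERVICES_KEY):]
        if "\\" in name:                 # Parameters, Enum, Security subkeys
            continue
        if name.lower() not in baseline:
            found[name] = values.get("ImagePath", ("", "<no ImagePath>"))[1]
    return found


def startup_entries(reg):
    """Everything launched from the Run keys, where the key logger registered itself."""
    return {name: data for key in RUN_KEYS
            for name, (_, data) in reg.get(key, {}).items()}


RESTRICT_ANONYMOUS = {0: "None. Rely on default permissions",
                      1: "Do not allow enumeration of SAM accounts and names",
                      2: "No access without explicit anonymous permissions"}


def restrict_anonymous_level(reg):
    """Return (level, meaning); a missing value means 0 on Windows 2000."""
    _, data = reg.get(LSA_KEY, {}).get("RestrictAnonymous", ("REG_DWORD", "0x0"))
    level = int(data, 0)
    return level, RESTRICT_ANONYMOUS.get(level, "unexpected value")


if __name__ == "__main__":
    reg = parse_reg_query(SAMPLE_DUMP)
    print("Services not in baseline:", unknown_services(reg))
    print("Run entries:", startup_entries(reg))
    print("RestrictAnonymous:", restrict_anonymous_level(reg))
```

The baseline comparison is the point: without a dump from a clean build of the same image, "unusual" service is a matter of memory and guesswork, so capture the baseline when the training image is built and keep it with the exercise materials.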
- Security awareness talks are not always the most effective.
- Training may be required to demonstrate compliance with policy and
regulations – might as well make it effective.
- Can be a team building exercise.
- It is important to make it relevant to YOUR organization.
- Know your audience and tailor the exercise for them.
- Take a more hands-on approach for the techies, but maybe a quick demo
would be best for management.
- This is an inexpensive training once the exercise has been configured and
documented.
References:
GCIH Gold Paper - Hijacked Server Serves Up Foreign Bootlegged Pornography
http://www.giac.org/certified_professionals/practicals/GCIH/00447.php
The files and scripts used to set up this Windows 2000 server are available online
at: http://drop.io/VB08train