Assessing Network Security
Farzad Parsi
January 21, 2006
Agenda
Planning Security Assessments
Gathering Information About the Organization
Penetration Testing for Intrusive Attacks
Case Study: Assessing Network Security for Northwind Traders
Planning Security Assessments
Why Does Network Security Fail?
Network security fails in several common areas, including:
Human awareness
Policy factors
Hardware or software misconfigurations
Poor assumptions
Ignorance
Failure to stay up-to-date
Understanding Defense-in-Depth
Using a layered approach:
Increases an attacker’s risk of detection
Reduces an attacker’s chance of success
Layers, from innermost to outermost, and their controls:
Data: Strong passwords, ACLs, backup and restore strategy
Application: Application hardening
Host: OS hardening, authentication, security update management, antivirus updates, auditing
Internal network: Network segments, NIDS
Perimeter: Firewalls, border routers, VPNs with quarantine procedures
Physical security: Guards, locks, tracking devices
Policies, procedures, and awareness: Security policies, procedures, and education
Why Perform Security Assessments?
Security assessments can:
Answer the questions “Is our network secure?” and “How do we know that our network is secure?”
Provide a baseline to help improve security
Find configuration mistakes or missing security updates
Reveal unexpected weaknesses in your organization’s security
Ensure regulatory compliance
Planning a Security Assessment
Project phase: Planning elements
Pre-assessment: Scope; Goals; Timelines; Ground rules; Choose technologies
Assessment: Perform assessment
Preparing results: Organize results; Estimate risk presented by discovered weaknesses; Create a plan for remediation; Identify vulnerabilities that have not been remediated; Determine improvement in network security over time; Create final report
Reporting your findings: Present your findings; Arrange for next assessment
Understanding the Security Assessment Scope
Components: Example
Target: All servers running Windows 2000 Server or Windows Server 2003
Target area: All servers on the subnets 192.168.0.0/24 and 192.168.1.0/24
Timeline: Scanning will take place from Jan 21st to Jan 27th during non-critical business hours
Vulnerabilities to scan for: RPC-over-DCOM vulnerability (MS03-026); Anonymous SAM enumeration; Guest account enabled; Greater than 10 accounts in the local Administrators group
Understanding Security Assessment Goals
Project goal: All computers running Windows 2000 Server and Windows Server 2003 on the subnets 192.168.0.0/24 and 192.168.1.0/24 will be scanned for the following vulnerabilities and will be remediated as stated
Vulnerability: Remediation
RPC-over-DCOM vulnerability (MS03-026): Install Microsoft security updates 03-026 and 03-39
Anonymous SAM enumeration: Configure RestrictAnonymous to 2 on Windows 2000 Server and to 1 on Windows Server 2003
Guest account enabled: Disable the Guest account
Greater than 10 accounts in the local Administrators group: Minimize the number of accounts in the Administrators group
Types of Security Assessments
Vulnerability scanning:
Focuses on known weaknesses
Can be automated
Does not necessarily require expertise
Penetration testing:
Focuses on known and unknown weaknesses
Requires highly skilled testers
Carries tremendous legal burden in certain countries/organizations
IT security auditing:
Focuses on security policies and procedures
Used to provide evidence for industry regulations
Using Vulnerability Scanning to Assess Network Security
Develop a process for vulnerability scanning that will do the following:
Detect vulnerabilities
Assign risk levels to discovered vulnerabilities
Identify vulnerabilities that have not been remediated
Determine improvement in network security over time
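As an added example (not from the slides), the four goals in the table above expressed as checks, with the scanning process applied to constructed host records from two assessment dates: detect, assign a risk level, list what is still unremediated, and measure improvement over time. The hostnames, configuration values and risk levels are assumptions.

```python
from dataclasses import dataclass, field

# Risk levels for the four vulnerabilities in the assessment goals
# (the levels are an assumption of this example, not from the slides).
RISK = {
    "RPC-over-DCOM (MS03-026)": "High",
    "Anonymous SAM enumeration": "Medium",
    "Guest account enabled": "Medium",
    ">10 accounts in local Administrators": "Low",
}

@dataclass
class Host:  # constructed configuration record for one scanned server
    name: str
    os: str                              # "2000" or "2003"
    hotfixes: set = field(default_factory=set)
    restrict_anonymous: int = 0
    guest_enabled: bool = True
    local_admins: int = 0

def findings(h: Host) -> dict:
    """Map each failed goal to its risk level; an empty dict means compliant."""
    found = {}
    if "MS03-026" not in h.hotfixes:
        found["RPC-over-DCOM (MS03-026)"] = RISK["RPC-over-DCOM (MS03-026)"]
    # RestrictAnonymous must be 2 on Windows 2000 Server, 1 on Windows Server 2003
    if h.restrict_anonymous < (2 if h.os == "2000" else 1):
        found["Anonymous SAM enumeration"] = RISK["Anonymous SAM enumeration"]
    if h.guest_enabled:
        found["Guest account enabled"] = RISK["Guest account enabled"]
    if h.local_admins > 10:
        found[">10 accounts in local Administrators"] = RISK[">10 accounts in local Administrators"]
    return found

def progress(previous: dict, current: dict) -> dict:
    """Compare two assessments ({host: findings}) to show change over time."""
    prev = {(h, v) for h, f in previous.items() for v in f}
    curr = {(h, v) for h, f in current.items() for v in f}
    return {"remediated": sorted(prev - curr),
            "unremediated": sorted(prev & curr),
            "new": sorted(curr - prev)}

# Constructed sample: the same two hosts at the first and a follow-up assessment.
FIRST = {"srv1": findings(Host("srv1", "2000", {"MS03-026"}, 0, True, 12)),
         "srv2": findings(Host("srv2", "2003", set(), 1, False, 3))}
FOLLOW_UP = {"srv1": findings(Host("srv1", "2000", {"MS03-026"}, 2, False, 12)),
             "srv2": findings(Host("srv2", "2003", {"MS03-026"}, 0, False, 3))}
```

Feeding each scan's per-host records through findings() and keeping the dicts per assessment date gives the "unremediated" and "new" lists the report needs without re-scanning.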
Using Penetration Testing to Assess Network Security
Steps to a successful penetration test include:
1 Determine how the attacker is most likely to go about attacking a network or an application
2 Locate areas of weakness in network or application defenses
3 Determine how an attacker could exploit weaknesses
4 Locate assets that could be accessed, altered, or destroyed
5 Determine whether the attack was detected
6 Determine what the attack footprint looks like
7 Make recommendations
Understanding Components of an IT Security Audit
Security policy model: Operations, Documentation, Implementation
Layers: Policy, Process, Technology
Process: Start with policy; Build process; Apply technology
Implementing an IT Security Audit
Compare each area to standards and best practices:
Security policy: What you must do
Documented procedures: What you say you do
Operations: What you really do
Reporting Security Assessment Findings
Organize information into the following reporting framework:
Define the vulnerability
Document mitigation plans
Identify where changes should occur
Assign responsibility for implementing approved recommendations
Recommend a time for the next security assessment
Gathering Information About the Organization
What Is a Nonintrusive Attack?
Nonintrusive attack: The intent to gain information about an organization’s network in preparation for a more intrusive attack at a later time
Examples of nonintrusive attacks include:
Information reconnaissance
Port scanning
Obtaining host information using fingerprinting techniques
Network and host discovery
Information Reconnaissance Techniques
Common types of information sought by attackers include:
System configuration
Valid user accounts
Contact information
Extranet and remote access servers
Business partners and recent acquisitions or mergers
Information about your network may be obtained by:
Querying registrar information
Determining IP address assignments
Organization Web pages
Search engines
Public discussion forums
Countermeasures Against Information Reconnaissance
Only provide information that is absolutely required to your Internet registrar
Review your organization’s Web site content regularly for inappropriate information
Use e-mail addresses based on job roles on your company Web site and in registrar information
Create a policy defining appropriate public discussion forum usage
What Information Can Be Obtained by Port Scanning?
Typical results of a port scan include:
Discovery of ports that are listening or open
Determination of which ports refuse connections
Determination of connections that time out
Port scanning tips include:
Start by scanning slowly, a few ports at a time
To avoid detection, try the same port across several hosts
Run scans from a number of different systems, optimally from different networks
Port-Scanning Countermeasures
Port scanning countermeasures include:
Implement defense-in-depth to use multiple layers of filtering
Plan for misconfigurations or failures
Implement an intrusion-detection system
Run only the required services
Expose services through a reverse proxy
What Information Can Be Collected About Network Hosts?
Types of information that can be collected using fingerprinting techniques include:
IP and ICMP implementation
TCP responses
Listening ports
Banners
Service behavior
Remote operating system queries
Countermeasures to Protect Network Host Information
Fingerprinting source: Countermeasures
IP, ICMP, and TCP: Be conservative with the packets that you allow to reach your system; Use a firewall or inline IDS device to normalize traffic; Assume that your attacker knows what version of operating system is running, and make sure it is secure
Banners: Change the banners that give operating system information; Assume that your attacker knows what version of operating system and application is running, and make sure it is secure
Port scanning, service behavior, and remote queries: Disable unnecessary services; Filter incoming traffic to isolate specific ports on the host; Implement IPSec on all systems in the managed network
Penetration Testing for Intrusive Attacks
What Is Penetration Testing for Intrusive Attacks?
Intrusive attack: Performing specific tasks that result in a compromise of system information, stability, or availability
Examples of penetration testing for intrusive attack methods include:
Automated vulnerability scanning
Password attacks
Denial-of-service attacks
Application and database attacks
Network sniffing
What Is Automated Vulnerability Scanning?
Automated vulnerability scanning makes use of scanning tools to automate the following tasks:
Banner grabbing and fingerprinting
Exploiting the vulnerability
Inference testing
Security update detection
What Is a Password Attack?
Two primary types of password attacks are:
Brute-force attacks
Password-disclosure attacks
Countermeasures to protect against password attacks include:
Require complex passwords
Educate users
Implement smart cards
Create policy that restricts passwords in batch files, scripts, or Web pages
What Is a Denial-of-Service Attack?
Denial-of-Service (DoS) attack: Any attempt by an attacker to deny his victim’s access to a resource
DoS attacks can be divided into three categories:
Flooding attacks
Resource starvation attacks
Disruption of service
Note: Denial-of-service attacks should not be launched against your own live production network
Countermeasures for Denial-of-Service Attacks
DoS attack: Countermeasures
Flooding attacks: Ensure that your routers have anti-spoofing rules in place and rules that block directed broadcasts; Set rate limitations on devices to mitigate flooding attacks; Consider blocking ICMP packets
Resource starvation attacks: Apply the latest updates to the operating system and applications; Set disk quotas
Disruption of service: Make sure that the latest update has been applied to the operating system and applications; Test updates before applying to production systems; Disable unneeded services
Understanding Application and Database Attacks
Common application and database attacks include:
Buffer overruns: Write applications in managed code
SQL injection attacks: Validate input for correct size and type
What Is Network Sniffing?
Network sniffing: The ability of an attacker to eavesdrop on communications between network hosts
An attacker can perform network sniffing by performing the following tasks:
1 Compromising the host
2 Installing a network sniffer
3 Using a network sniffer to capture sensitive data such as network credentials
4 Using network credentials to compromise additional hosts
Countermeasures for Network Sniffing Attacks
To reduce the threat of network sniffing attacks on your network, consider the following:
Use encryption to protect data
Use switches instead of hubs
Secure core network devices
Use crossover cables
Develop policy
Conduct regular scans
How Attackers Avoid Detection During an Attack
Common ways that attackers avoid detection include:
Flooding log files
Using logging mechanisms
Attacking detection mechanisms
Using canonicalization attacks
Using decoys
How Attackers Avoid Detection After an Attack
Common ways that attackers avoid detection after an attack include:
Installing rootkits
Tampering with log files
Countermeasures to Detection-Avoidance Techniques
Avoidance technique: Countermeasures
Flooding log files: Back up log files before they are overwritten
Using logging mechanisms: Ensure that your logging mechanism is using the most updated version of software and all updates
Attacking detection mechanisms: Keep software and signatures updated
Using canonicalization attacks: Ensure that applications normalize data to its canonical form
Using decoys: Secure the end systems and networks being attacked
Using rootkits: Implement defense-in-depth strategies
Tampering with log files: Secure log file locations; Store logs on another host; Use encryption to protect log files; Back up log files
Case Study: Assessing Network Security for Northwind Traders
Introducing the Case-Study Scenario
Defining the Security Assessment Scope
Components: Scope
Target: LON-SRV1.nwtraders.msft
Timeline: Scanning will take place December 2 during noncritical business hours
Assess for the following vulnerabilities: Buffer overflow; SQL injection; Guest account enabled; RPC-over-DCOM vulnerability
Defining the Security Assessment Goals
Project goal: LON-SRV1 will be scanned for the following vulnerabilities and will be remediated as stated
Vulnerability: Remediation
SQL injection: Require developers to fix Web-based applications
Buffer overflow: Have developers fix applications as required
Guest account enabled: Disable the Guest account
RPC-over-DCOM vulnerability: Install Microsoft security update MS04-012
Choosing Tools for the Security Assessment
The tools that will be used for the Northwind Traders security assessment include the following:
Microsoft Baseline Security Analyzer
KB824146SCAN.exe
Portqry.exe
Manual input
Demonstration: Performing the Security Assessment
Perform port scanning using Portqry.exe
Use KB824146Scan.exe to perform a vulnerability scan
Determine buffer overflow vulnerabilities
Determine SQL injection vulnerabilities
Use the Microsoft Baseline Security Analyzer to perform a vulnerability scan
Reporting the Security Assessment Findings
Answer the following questions to complete the report:
What risk does the vulnerability present?
What is the source of the vulnerability?
What is the potential impact of the vulnerability?
What is the likelihood of the vulnerability being exploited?
What should be done to mitigate the vulnerability? Give at least three options if possible
Where should the mitigation be done?
Who should be responsible for implementing the mitigations?
Session Summary
Plan your security assessment to determine scope and goals
Disclose only essential information about your organization on Web sites and on registrar records
Assume that the attacker already knows the exact operating system and version, and take as many steps as possible to secure those systems
Educate users to use strong passwords or pass-phrases
Keep systems up-to-date on security updates and service packs
References
Microsoft Website:
http://www.microsoft.com
Security Communications:
http://www.microsoft.com/technet/security/signup/default.mspx
Questions and Answers