CS3695 – Network Vulnerability Assessment & Risk Mitigation – Errata to Module #1 Introduction to Ethical Hacking CEH Ver. 8 By Scott Coté

Post on 08-Jan-2018

Page 1: CS3695 – Network Vulnerability Assessment & Risk Mitigation –

CS3695 – Network Vulnerability Assessment & Risk Mitigation –
Errata to Module #1
Introduction to Ethical Hacking
CEH Ver. 8
By Scott Coté

Page 2: CS3695 – Network Vulnerability Assessment & Risk Mitigation –

M6-109 – Network Vulnerability Assessment & Risk Mitigation –
Errata to Module #1
Introduction to Ethical Hacking
CEH Ver. 8
By Scott Coté

Page 3: CS3695 – Network Vulnerability Assessment & Risk Mitigation –

Objectives

• Be sure to review the objectives posted on Sakai for each module so that you will know what you “need to know”!

Page 4: CS3695 – Network Vulnerability Assessment & Risk Mitigation –

Who I Am

• Scott Coté
  – Prior US Naval Officer, Supply Corps, 10 yrs
  – Lecturer on Information Assurance and Cyber Security for over 10 yrs
  – Certified Ethical Hacker (CEH)
  – Presenting on Cyber issues at such venues as DOD Cyber Crimes Conferences, PACOM & EUCOM Cyber Endeavor, and at the NATO School in Oberammergau.

Page 5: CS3695 – Network Vulnerability Assessment & Risk Mitigation –

So Who the Heck are YOU?

• Tell the class:
  • Your NAME
  • Your Country
  • The JOB you do
  • What you WANT out of the class
  • Your GEEK FACTOR
    0: How do you spell “IP”??
    2: I can “Surf the Web”
    4: I make NICE PowerPoint Slides
    6: I know <HTML>
    8: I know C++
    9: I run MY OWN Server
    10: I have Compiled My Own Kernel

Page 6: CS3695 – Network Vulnerability Assessment & Risk Mitigation –

Excerpt from “The Tangled Web” by Richard Power

“You can play the stock market on-line. You can apply for a job on-line. You can shop on-line. You can learn on-line. You can borrow money on-line. You can engage in sexual activity on-line. You can barter on-line. You can buy and sell real estate on-line. You can purchase plane tickets on-line. You can gamble on-line. You can find long-lost friends on-line. You can be informed, enlightened, and entertained on-line. You can order pizza on-line. You can do your banking on-line. In some places, you can even vote on-line.”

Page 7: CS3695 – Network Vulnerability Assessment & Risk Mitigation –

“You can perform financial fraud on-line. You can steal secrets on-line. You can blackmail and extort on-line. You can trespass on-line. You can stalk on-line. You can vandalize someone’s property on-line. You can commit libel on-line. You can rob a bank on-line. You can frame someone on-line. You can engage in character assassination on-line. You can commit hate crimes on-line. You can sexually harass someone on-line. You can molest children on-line. You can ruin someone else’s credit on-line. You can disrupt commerce on-line. You can pillage and plunder on-line. You could incite to riot on-line. You could even start a war on-line.”

Excerpt from “The Tangled Web” by Richard Power

Page 8: CS3695 – Network Vulnerability Assessment & Risk Mitigation –

Excerpt from “The Tangled Web” by Richard Power

“In the digital world, just as everywhere else, humanity has encountered its shadow side. Information Age business, government, and culture have led to Information Age crime, Information Age war, and even Information Age terror… Terrorists might well target critical infrastructure such as the telephone system, the power grid, or the air traffic control system. These systems run on computers and are vulnerable to cyber-attacks.”

Page 9: CS3695 – Network Vulnerability Assessment & Risk Mitigation –

Today’s Threats…

• Video: Sabotaging the System
  – Nov, 2009, US Television Newscast, 20 minutes
  – http://www.cbsnews.com/stories/2009/11/06/60minutes/main5555565.shtml

• Video: Code Wars
  – May, 2011, US Television Newscast, 45 Minutes
  – http://youtu.be/x-n40xm30S8

Page 10: CS3695 – Network Vulnerability Assessment & Risk Mitigation –
Page 11: CS3695 – Network Vulnerability Assessment & Risk Mitigation –

p0wn the Soda Machine

• If I told you to p0wn the soda machine in the hallway, what would that mean?

Page 12: CS3695 – Network Vulnerability Assessment & Risk Mitigation –

Are They So Hard To Understand?

• Have you ever been curious about how a virus works or how to hack into a computer system?

• Have you ever downloaded a song or video off the Internet?

Page 13: CS3695 – Network Vulnerability Assessment & Risk Mitigation –

Are They So Hard To Understand?

• Have you ever downloaded a song or video off the Internet?
  – It’s interesting to note that many people who perform these types of services (downloading music or breaking into a computer system) would normally never walk into a record store and steal the CD or enter someone else's home uninvited…

Page 14: CS3695 – Network Vulnerability Assessment & Risk Mitigation –

Are They So Hard To Understand?

• Curiosity can be a very powerful motivator, and cyber space can be an easy place to lose touch with the reality of what one may be doing.

Page 15: CS3695 – Network Vulnerability Assessment & Risk Mitigation –

So Why Do They Hack?

• Hackers get away from scripts and into actually understanding the computer…
  – Hackers don’t generally age out of it, but find legitimate ways to use their talents.
  – Curiosity again is the motivation of a good hacker…

Page 16: CS3695 – Network Vulnerability Assessment & Risk Mitigation –

So is Curiosity a Bad Thing?

• Curiosity is not a bad thing, but unchecked it can be…
  – If a hacker is just “curious” to see if they can get onto a system and look around, but not steal or harm anything, is that bad?

Page 17: CS3695 – Network Vulnerability Assessment & Risk Mitigation –

So is Curiosity a Bad Thing?

– Well, I once read this analogy and thought it very befitting:
  • If I awoke one night to find a stranger wandering around my home, and asked him why he was there, and he told me he was a student of interior design and just wanted to see how I had decorated my place, I would still be pissed he was there, and it would still be illegal!

Page 18: CS3695 – Network Vulnerability Assessment & Risk Mitigation –

So is Curiosity a Bad Thing?

– This can even apply to legal, but unethical, behaviors.
  • If I walked by your place and looked in your windows just to see what was there, would it be wrong? What if I tried to turn your doorknob to see if it was locked (but didn’t open the door)?
  • This analogy is similar to scanning a network… it’s not necessarily illegal, but I question the ethical issues surrounding it…

Page 19: CS3695 – Network Vulnerability Assessment & Risk Mitigation –

So Who’s Hacking your Network?

• Script-kiddies…
  – Those who use automated tools found throughout the Web
  – Usually limited knowledge, a lot of curiosity
  – Fairly easily caught

• True Hackers
  – Use their own tools
  – VERY knowledgeable
  – Usually sponsored (for hire…)
  – Rarely caught…
    • Even if they are, they’re rarely publicized

Page 20: CS3695 – Network Vulnerability Assessment & Risk Mitigation –

Hackers vs Crackers

• There is a difference!!

• Hackers:
  – Gifted person who extends the function of a computer beyond its original design
  – Hackers are basically GOOD…

• Crackers:
  – Maliciously attack computer systems!
  – Crackers are basically BAD…

http://pls.mrnet.pt/headline4visual1.html

Page 21: CS3695 – Network Vulnerability Assessment & Risk Mitigation –

Hacker Stratification

• Tier III
  – “Script Kiddies” (Inexpert)
  – Ability to download exploit code and tools...
  – Very little understanding of the actual vulnerability
  – Randomly fires off scripts until something works...

Page 22: CS3695 – Network Vulnerability Assessment & Risk Mitigation –

Hacker Stratification

• Tier II
  – IT Savvy
  – Ability to program or script
  – Understand what the vulnerability is and how it works...
  – Intelligent enough to use the exploit code and tools with precision

Page 23: CS3695 – Network Vulnerability Assessment & Risk Mitigation –

Hacker Stratification

• Tier I
  – Best of the best
  – Find new vulnerabilities
  – Write their own exploit code and tools

Page 24: CS3695 – Network Vulnerability Assessment & Risk Mitigation –

What About The Insider Threat

• It is common knowledge among security professionals that the insider threat (the threat of a cyber incident) causes approximately 70% of the incidents!!
  – That’s a significant amount!

• Many of the assets put towards protection (firewall and the like) are useless against your own users, as they are already inside your network!

Page 25: CS3695 – Network Vulnerability Assessment & Risk Mitigation –

The “Latest” Inside

• Social Engineering has become one of the most common ways to gain access to a network
  – The hackers use the insider’s knowledge to become an insider themselves

Page 26: CS3695 – Network Vulnerability Assessment & Risk Mitigation –

There is No Patch to Human Stupidity

Page 27: CS3695 – Network Vulnerability Assessment & Risk Mitigation –
Page 28: CS3695 – Network Vulnerability Assessment & Risk Mitigation –

Which Pill Will YOU Take?

We will NEVER be safe again

We are Safe enough with defense in depth

Page 29: CS3695 – Network Vulnerability Assessment & Risk Mitigation –

Advanced Persistent Threats

• Advanced Persistent Threats (APTs) ARE the new spies, and they ARE ON YOUR NETWORK
  – It’s the truth…
  – Remember, you wanted the red pill…

• We have seen it in both the Military and Commercial realms!
  – DOD USB Incident in Nov, 2008
  – Electrical Utilities in Brazil

Page 30: CS3695 – Network Vulnerability Assessment & Risk Mitigation –

The NextGen of Spies: APTs!

• One of the most important terms in today’s cyber security is Advanced Persistent Threats!
  – Name for targeted attacks on specific organizations by determined, well-coordinated cyber attackers.
  – These are sophisticated attacks aimed at governments and corporations to gather intelligence or achieve specific NONFINANCIAL objectives.

Page 31: CS3695 – Network Vulnerability Assessment & Risk Mitigation –

APTs and the Nation State

• This is the new age where nation states no longer send actual spies, like in the days of the Cold War between Russia and the USA, but instead send virtual spies, across light and copper!!

Page 32: CS3695 – Network Vulnerability Assessment & Risk Mitigation –

NextGen Spies: APT Characteristics

• Characteristics of APTs include:
  – ADVANCED - using the best methods available to penetrate systems, gather intelligence and evade detection.
  – PERSISTENT - focused on a specific objective and target, not fast financial gain.
  – THREAT - organized, coordinated and sophisticated operations by skilled agents.

The DAY BEFORE the 0-DAY!!

Page 33: CS3695 – Network Vulnerability Assessment & Risk Mitigation –

So Where Does That Leave Us Today?

Looking something like this…

Page 34: CS3695 – Network Vulnerability Assessment & Risk Mitigation –

Protecting Your Network

• Before you can protect it, decide what its value is…
  – Identify your critical info (if any)
  – Decide its value…
  – Weigh the threats against it…
  – Decide the protection required…

• Once you’ve protected it, model the attacks that might be performed against it…

Page 35: CS3695 – Network Vulnerability Assessment & Risk Mitigation –

Unclassified J.D. Fulp CISSP-ISSEP Naval Postgraduate School

The CIA Triad

The term “CIA Triad” refers to the three core information security objectives. Efforts to obtain/assure these three objectives motivate virtually every aspect of cyber security.

• Confidentiality: Assurance that information is not disclosed to unauthorized individuals, processes, or devices
• Integrity: Guarding against improper information modification, and includes ensuring information authenticity *
• Availability: Timely, reliable access to data and information services for authorized users

from: CNSSI 4009, the “National Information Assurance (IA) Glossary”

* Adoption of NIST’s definition sans “destruction” and “non-repudiation” developed by JD Fulp

What do we call a loss/failure/incident of each of the three cyber security objectives?

• Confidentiality: Unauthorized disclosure (aka a “leak”)
• Integrity: Unauthorized modification or impersonation
• Availability: Denial (or degradation) of Service (DoS)

Page 36: CS3695 – Network Vulnerability Assessment & Risk Mitigation –

The CIA Triad

• How do these look when used as a tactic against you?

1. Confidentiality: The enemy knows your information

2. Integrity: The enemy determines (manipulates) your information!!

3. Availability: The enemy denies you access to your information


Page 37: CS3695 – Network Vulnerability Assessment & Risk Mitigation –

The “Risk Equation”

• The Risk Equation provides the 30K foot IA view (i.e., the very high-level view)

• The equation is expressed thusly:

$$\text{Risk} = \frac{\text{Threats} \times \text{Vulnerabilities} \times \text{Impact}}{\text{Security\_Controls}}$$

• Note: there is no need to actually input numeric values, this is purely a relational construct

• Note: Security_Controls are also often referred to as “safeguards” or “countermeasures”

Page 38: CS3695 – Network Vulnerability Assessment & Risk Mitigation –

The Risk Management “Equation”

• Rationale for the Risk Management Equation
  – Product (multiplication) reflects the mutual relationship
    • zero threat x any vulnerability = zero risk
    • any threat x zero vulnerability = zero risk
    • probability of zero risk? ~zero
    • probability of zero threat? ~zero
    • therefore, probability of some risk? ~100%
  – Risk less Safeguards results in Residual Risk: ideally zero, but more realistically, non-zero yet acceptable

Page 39: CS3695 – Network Vulnerability Assessment & Risk Mitigation –

The “Risk Equation”

$$\text{Risk} = \frac{\text{Threats} \times \text{Vulnerabilities} \times \text{Impact}}{\text{Security\_Controls}}$$

Attributes of a system’s (or human’s!) design that result in the potential for error or exploitation

Vulnerabilities… this is where the attacker and defender “meet”

Page 40: CS3695 – Network Vulnerability Assessment & Risk Mitigation –

The “Risk Equation”

$$\text{Risk} = \frac{\text{Threats} \times \text{Vulnerabilities} \times \text{Impact}}{\text{Security\_Controls}}$$

Attackers’ specialty. Tactics, tools, techniques, skills, etc. employed to exploit vulnerabilities

Attributes of a system’s (or human’s!) design that result in the potential for error or exploitation

Page 41: CS3695 – Network Vulnerability Assessment & Risk Mitigation –

Different Types of Threats

Page 42: CS3695 – Network Vulnerability Assessment & Risk Mitigation –

The “Risk Equation”

$$\text{Risk} = \frac{\text{Threats} \times \text{Vulnerabilities} \times \text{Impact}}{\text{Security\_Controls}}$$

Attackers’ specialty. Tactics, tools, techniques, skills, etc. employed to exploit vulnerabilities

Attributes of a system’s (or human’s!) design that result in the potential for error or exploitation

Defenders’ specialty. Tactics, tools, techniques, skills, etc., employed to deter, prevent, detect, mitigate, and recover from, attacks/incidents.

Page 43: CS3695 – Network Vulnerability Assessment & Risk Mitigation –

The “Risk Equation”

$$\text{Risk} = \frac{\text{Threats} \times \text{Vulnerabilities} \times \text{Impact}}{\text{Security\_Controls}}$$

Attackers’ specialty. Tactics, tools, techniques, skills, etc. employed to exploit vulnerabilities

Attributes of a system’s (or human’s!) design that result in the potential for error or exploitation

How bad will it hurt if you suffer an attack/failure? Think of each element of the CIA Triad as they relate to $$, trust, mission, military advantage, etc.

Defenders’ specialty. Tactics, tools, techniques, skills, etc., employed to deter, prevent, detect, mitigate, and recover from, attacks/incidents.

Page 44: CS3695 – Network Vulnerability Assessment & Risk Mitigation –

The “Risk Equation”

$$\text{Risk} = \frac{\text{Threats} \times \text{Vulnerabilities} \times \text{Impact}}{\text{Security\_Controls}}$$

Attackers’ specialty. Tactics, tools, techniques, skills, etc. employed to exploit vulnerabilities

Attributes of a system’s (or human’s!) design that result in the potential for error or exploitation

How bad will it hurt if you suffer an attack/failure? Think of each element of the CIA Triad as they relate to $$, trust, mission, military advantage, etc.

Defenders’ specialty. Tactics, tools, techniques, skills, etc., employed to deter, prevent, detect, mitigate, and recover from, attacks/incidents.

The product of the interdependent elements on right side of equation.

Defender’s job is to minimize.

Attacker’s job is to exploit

Page 45: CS3695 – Network Vulnerability Assessment & Risk Mitigation –

The “Risk Equation”

Defender’s Perspective

$$\text{Risk} = \frac{\text{Threats} \times \text{Vulnerabilities} \times \text{Impact}}{\text{Security\_Controls}}$$

Result of efforts at right: must be reduced to an “acceptable” level (Think DAA Certification & Accreditation!)

Set by mission requirements, determines level of security effort!

Work to maximize

Work to minimize

Be aware of and understand

Page 46: CS3695 – Network Vulnerability Assessment & Risk Mitigation –

The “Risk Equation”

Attacker’s Perspective

$$\text{Risk} = \frac{\text{Threats} \times \text{Vulnerabilities} \times \text{Impact}}{\text{Security\_Controls}}$$

Result of efforts at right

Influences attack effort

Work to maximize

Work to discover

Be aware of and understand. Attempt to exploit or bypass

Page 47: CS3695 – Network Vulnerability Assessment & Risk Mitigation –

The Cyber “Matrix”

Crossing the CIA Triad with the controllable elements of the “Risk Equation” yields the 3x3 Cyber “Matrix”

                | Threats | Vulnerabilities | Security_Controls
Confidentiality |         |                 |
Integrity       |         |                 |
Availability    |         |                 |

Page 48: CS3695 – Network Vulnerability Assessment & Risk Mitigation –

The Cyber “Matrix”

• There is another useful/informative dimension to this matrix, derived from U.S. DoD [1] and IATFF [2] (among others) work in the area of cyber security
  • People
  • Operations
  • Technology

There is a 3x3 table for each of these

[1] DoDD 8500.1 Information Assurance, Oct 2002
[2] NSA’s Information Assurance Technical Framework Forum, Release 3.1, Sep 2002

Page 49: CS3695 – Network Vulnerability Assessment & Risk Mitigation –

The Cyber “Matrix”

• Relevant excerpt from the IATFF

“The underlying principles of this strategy are applicable to any information system or network, regardless of organization. Essentially, organizations address IA needs with people executing operations supported by technology.”

Page 50: CS3695 – Network Vulnerability Assessment & Risk Mitigation –

The Cyber “Matrix”

Combining the CIA Triad, the controllable terms of the “Risk Equation”, and People, Operations, and Technology, yields a 3x3x3 Cyber “Matrix”. The utility of this matrix is its ability to compactly capture all categories of the playing pieces of the cyber war game.

TECHNOLOGY / OPERATIONS / PEOPLE (one 3x3 table for each):

                | Threats | Vulnerabilities | Security_Controls
Confidentiality |         |                 |
Integrity       |         |                 |
Availability    |         |                 |

Page 51: CS3695 – Network Vulnerability Assessment & Risk Mitigation –

The Cyber “Matrix”

Examples…

[Figure: three 3x3 grids labelled PEOPLE, OPERATIONS and TECHNOLOGY, with rows C, I, A and columns T, V, S; cells marked X correspond to the examples listed below]

• Digital Signatures
• Uninterruptible Power Supplies
• “War-driving”
• Insufficiently trained personnel
• Forging a signature
• Syn-Flood attack
• Employing easily “cracked” passwords
• “m-of-n” & “peer-review” policies
• Maintain an alternate “warm” site
• Transporting sensitive data on unencrypted USB drives
• Having no backup means for transmission
• A “replay” attack
• “Phishing”

Page 52: CS3695 – Network Vulnerability Assessment & Risk Mitigation –

Ethics

• What are ethics?
  – Sara Baase, author of the Gift of Fire, describes it as:
    “What it means to do the right thing… with the goal to enhance human dignity, peace, happiness, and well-being”

Page 53: CS3695 – Network Vulnerability Assessment & Risk Mitigation –

Ethics, Values, and the DoD

• Per the Joint Ethics Regulation, DOD 5500.7-R:

12‑500. General. Ethics are standards by which one should act based on values. Values are core beliefs such as duty, honor, and integrity that motivate attitudes and actions. Not all values are ethical values (integrity is; happiness is not). Ethical values relate to what is right and wrong and thus take precedence over non‑ethical values when making ethical decisions. DoD employees should carefully consider ethical values when making decisions as part of official duties.

– Note that underlines are done by me, for emphasis, and are not in the

Page 54: CS3695 – Network Vulnerability Assessment & Risk Mitigation –

Values

• Def: a person's principles or standards of behavior; one's judgment of what is important in life
  – Can vary greatly among cultures and societies!

• Core DoD values (core beliefs) include: Honesty, Integrity, Loyalty, Accountability, Fairness, Caring, Respect, Promise Keeping, Responsible Citizenship, Pursuit of Excellence

(Ref: Joint Ethics Regulation, DOD 5500.7-R)

Page 55: CS3695 – Network Vulnerability Assessment & Risk Mitigation –

Ethical Hacking

• The Ethical Hacker is an individual who is usually employed with the organization and who can be trusted to undertake an attempt to penetrate networks and/or computer systems using the same methods as a Hacker. Their knowledge is used for legal defensive purposes only!

• Done by request and under a contract
  – Has authorization to probe the target.

Page 56: CS3695 – Network Vulnerability Assessment & Risk Mitigation –

Rights

• Def: a moral or legal entitlement
  – Negative Rights: AKA Liberties
    • Right to act without interference
      – “Life, Liberty, and the Pursuit of Happiness” & religion.
  – Positive Rights: AKA Claim Rights
    • Right to be provided certain entitlements
      – Freedom of Speech may be used as a claim right to ensure equal time is given to different groups on a radio station; a group cannot be denied equal access based upon their beliefs.

Page 57: CS3695 – Network Vulnerability Assessment & Risk Mitigation –

Ethics, Values, & Laws

• Laws (based upon a culture’s values) set a minimum standard that can be applied to all of a given set of circumstances (e.g. murder), but still leave room for the ethical interpretations of the circumstances (e.g. the life taken was necessary for saving the life of thousands of others, such as killing a terrorist)

Page 58: CS3695 – Network Vulnerability Assessment & Risk Mitigation –

Ethical Hacking Testing

• There are different approaches to security testing.
  – Black Box
    • With no prior knowledge of the infrastructure to be tested
  – White Box
    • With a complete knowledge of the network infrastructure
  – Grey Box
    • Also known as Internal Testing. It examines the extent of the access by insiders within the network

Page 59: CS3695 – Network Vulnerability Assessment & Risk Mitigation –

Copyright © by EC-Council EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

Page 60: CS3695 – Network Vulnerability Assessment & Risk Mitigation –
