Assessments

1
Assessments

• Lesson 3

2
The Hacker mindset

• Hacker is someone who tries to figure out how
  things work
• Originally a term of respect given to the
  uber-geek
• Someone who could quickly create software code
  that worked ie hack out a routine
• Original hackers were often looking for loopholes
  to increase their allotment of CPU time on early
  mainframes
• Quest for knowledge

3
The Cracker mindset

• Someone who tries to break into a computer system
  for malicious purposes (defacement, theft, fraud,
  denial of service)
• Thought to have been coined by hackers to
  differentiate themselves in the 1980s
• Media uses hacker when they usually mean cracker
• Key is intent of actions and attitude

4
The Cracker mindset (cont.)

• Lots of examples of cracker activity
• Theft CD Universe and 300,000 credit cards
• Russian cracker named Maxus
• Ransom demand of 100K to 300K
• January 2000
• Defacements
• Internet is a tempting target
• BizRate.com estimated sales of 1.2B during a
  single week of December 2000

5
Typical Cracker Activity 2/18/01
6
What are security assessments

• Assessments are an examination of an
  organizations current security posture
• A good mechanism to find and fix holes before
  someone else finds them
• Keep in mind someone else is looking for your
  security holes even if you arent

7
What are security assessments

• Three common terms for security assessments
• Security Audit
• Risk Assessment
• Penetration Test
• They may sometimes be used synonymously but they
  are not the same

8
What are security assessments

• Security Audit
• More of a compliance check
• Checklists and standards
• Policies and procedures
• Backups
• Verification
• Are you doing what you are supposed to be doing
• BS 7799 (British Standards Institute Code of
  Practice for Information Security Management)
• Controls and practices

9
What are security assessments

• Risk Assessment
• Also more of a paper exercise
• Weighs likelihood against impact
• Weighs cost against benefit
• Much more business oriented

10
What are security assessments

• Penetration Test
• Looks for security vulnerabilities
• Unpatched operating system or application
• Known security holes
• Accounts with weak or no passwords
• Examines impact of discovered vulnerabilities
• Targets digital, physical, and personnel (social
  engineering)
• Hands on test of network security
• More thorough and effective

11
Penetration Techniques

• Breaking into computers and networks can involve
  technical attacks or social engineering.
• Technical attack involve
• Eavesdropping
• Breaches of access controls
• Social Engineering (misrepresentation) relies on
  lies, bribes and forms of seduction that can
  trick honest or marginally dishonest employees
  into revealing authentication information.

12
Technical Attacks

• Breaching access controls
• Brute Force attacks
• Demon/war dialing
• Exhaustive search for userid/password
• Scavenging RAM
• Intelligent Guesswork
• Canonical passwords (default passwords
  accounts)
• BAD passwords
• Discarded Media
• Shoulder surfing

13
Technical Attacks

• Intercepting Communications
• Can obtain information by monitoring
  communication between a peripheral node and the
  host.
• Wiretapping intercepting the data stream on a
  communications channel
• Phone lines, leased lines, long distance
  transmissions
• Internet connections
• LAN sniffers
• Optical fiber can be tapped
• Wireless
• Radio and wireless phones, wireless networks
• Cellular
• Packet radio
• Van Eck interception (emanations security)

14
Technical Attacks

• Penetration Testing
• Look for vulnerabilities in applications and
  services
• Commercial and freeware scanners
• Many specialized freeware vulnerability scanners
• Whisker scans for over 500 web-based
  vulnerabilities
• Can scan over SSL
• Has IDS evasion modes
• Very powerful in the right hands
• Theres a scanner for most major vulnerabilities
• Freeware scanners are usually better and more up
  to date
• Examine each target and services on the target
• Examine logins and use brute force tools if
  allowed
• Lots of research

15
Technical Attacks

• Penetration Testing Web Testing
• Scan for vulnerabilities
• Example Microsoft IIS 4.0 / 5.0 Extended
  UNICODE Directory Traversal Vulnerability
• Published in Oct 2000
• Access to files with IUSR account permissions on
  same logical drive as the web server
• Can give cmd line access to remote attacker
• Scan for presence of sample materials
• Examine code of web pages (view source)
• Examine input fields
• Create test accounts if allowed

16
Technical Attacks

• Penetration Testing Dial Up
• Often overlooked access method
• Often unsecured
• Dial company phone numbers looking for modems
• Several commercial and freeware scanners
  available
• Test security of discovered modems
• Default passwords work most of the time
• Test remote access packages with client software
• Penetration Testing Wireless Networks
• Often left with little or no security
• Footprint often extends into publicly accessible
  areas

17
Social Engineering

• Penetration Testing Social Engineering
• Might not be allowed
• Trying to trick someone into giving you access
• Pose as administrator
• Pose as new user
• Sound like you belong
• Lying
• Impersonating authorized personnel
• Impersonating 3rd party personnel
• Subverting Employees and 3rd party personnel
• Bribery
• Seduction
• Extortion
• Blackmail

18
Physical Techniques

• Penetration Testing Physical
• Door and lock testing
• Are servers locked up
• Is access to telco closets secured
• Shoulder surfing
• Clipboard testing
• Dumpster diving
• Work area security
• Do employees use password protected screensavers
• Passwords on stickies
• Sensitive materials left out

19
Results

• Document and catalog
• Determine extent of discovered vulnerabilities to
  answer how bad is it
• Record discoveries, systems affected, method of
  exploit, accounts and systems compromised
• Must keep information organized

20
Reporting

• Report generation
• Provide management level summary
• Provide technical level summary
• Present findings in a clear and specific manner
• Provide solutions to eliminate or mitigate
  vulnerabilities
• Report is usually the only physical remnant of
  the assessment

21
Countermeasures

• Strengthening the perimeter
• Identification single sign-on decreases risk
  somebody writes something down
• Authentication designed to make impersonation
  difficult
• Biometrics
• Callback
• Smart cards and tokens
• One time passwords
• Encryption
• Transmission
• Data storage
• Monitoring

22
Risk Analysis Automated Tools

• The Buddy System is a hybrid software package
  used to identify and deal with system or project
  risks. It offers both qualitative and
  quantitative Risk Analysis and Reporting of
  information or physical security in virtually any
  environment.
• The purpose of ASSET is to automate the
  completion of the questionnaire contained in NIST
  Special Publication 800-26, "Security
  Self-Assessment Guide for Information Technology
  Systems
• HIPAA EarlyView Security version 2.0 was
  designed to help covered entities assess their
  current state of compliance with the Final HIPAA
  Security Rule. Users answer a series of 165
  questions that correspond to each requirement,
  and the software features over 20 built-in
  reports to help track progress.

23
Fundamental Elements of A Risk Analysis Tool

• A comprehensive risk analysis tool consists of
  three fundamental steps
• o Data collection
• o Analysis
• o Output results
• Not only should the risk analysis tool meet this
  basic criteria, it should meet organizational
  requirements as well.

24
Data Collection

• Asset Identification and Valuation
• Threat Assessment
• Vulnerability Assessment
• Current Safeguard Effectiveness

25
Analysis

• The analytical process analyzes the relationships
  between assets, threats, vulnerabilities and/or
  safeguards, and possibly other elements (e.g.,
  likelihood of occurrence) to determine potential
  losses.
• Some automated risk analysis tools use the
  traditional quantitative approach for calculating
  risks (Annual Loss Expectancy)
• Some risk analysis tools do not average the value
  of future losses but calculate single occurrence
  losses (SOL).
• The qualitative approach takes the point of view
  that many potential losses are intangible
  therefore, risks cannot be easily specified
  monetarily. Risk results are portrayed in a
  linguistic manner (i.e., "no risk" to "very high
  risk").

26
Output results

• Some tools do not address safeguard selection,
  while some do an extensive job.
• Some tools consider the costs of safeguards and
  their return on investment (ROI).
• The important point is that the risk analysis
  tool should provide managers with a good
  understanding of where to apply limited dollars
  to protect vital computer assets.

27
Picking an Automated Tool

• GUIDE FOR SELECTING AUTOMATED RISK ANALYSIS
  TOOLS --NIST SP500-174
• An automated risk analysis tool should contain
  modules for data collection, analysis, and output
  results
• Effective reporting of the risk analysis results
  will help managers to weigh the alternatives and
  to select reliable and cost-effective safeguards.
  Therefore, the types of information expected in
  the output reports should be clearly defined
• The ability to maintain a history of the
  information collected during the data collection
  phase of the analysis is useful in subsequent
  reviews or queries

28
Example selection

• UNEMPLOYMENT INSURANCE RISK ANALYSIS PROJECT --
  GARTNER GROUP
• Project staff contacted the vendors and arranged
  on-site evaluations of their automated risk
  analysis tools and training programs. The
  evaluation was performed using the National
  Institute of Standards and Technology's (NIST)
  Special Publication 500-174, Guide for Selecting
  Automated Risk Analysis Tools. For evaluation
  purposes, NIST recommends scoring the tools in
  various areas of capabilities.

29

• Each NIST capability was scored from a value of 0
  to 3. A score of 0 indicated that the capability
  did not exist, or if it did exist its quality was
  inferior. A score of 1 indicated that the
  capability existed but that it was less than
  adequate to perform the required tasks. A score
  of 2 indicated that the capability existed and
  was considered average. A score of 3 indicated
  that the capability existed and was considered
  above average.
• The capability scores were then totaled to
  determine the best available automated risk
  analysis tool.

30
(No Transcript)
31
(No Transcript)
32
CRAMM Methodology

• Developed in 1986-1987.
• Last version (V3.0) released in 1997
• Used in thousands of reviews worldwide
• Provides the ability for checking scenarios
• (what-if)
• Provides catalog of threats and countermeasures

33
(No Transcript)
34
(No Transcript)
35
(No Transcript)
36
CRAMM

• Risk evaluation is done ...
• By evaluating assets (scale 110)
• By evaluating threats (scale 13)
• By evaluating vulnerabilities (scale 13)
• Impact evaluation is integrated in the
  vulnerabilities evaluation

37
CRAMM

• Phase 1 definition of studys boundaries
• Preparations
• asset evaluation
• findings review
• Phase 2 Threat Evaluation
• Relation realization
• Evaluation of threats and vulnerabilities
• Calculation of risk level
• findings review
• Phase 3 Countermeasure selection
• recognition of the selected countermeasures
• comparison with already existing ones
• design of security package
• findings review

38
Types of countermeasures

• Reduces the probability of threat occurrence
  
• Reduces vulnerabilities
• Reduces impacts
• Combination

39
Summary

• Hacker Mentaility
• Security Assessments
• Penetration Techniques
• Risk Analysis Tools
• CRAMM