Security Audits - PowerPoint PPT Presentation

About This Presentation
Title:

Security Audits

Description:

Gives a company an unbiased view of the corporate network's security ... NeWT. www.tenablesecurity.com/newt.html. Retina. www.eeye.com. LANGuard. www.gfi.com ... – PowerPoint PPT presentation

Number of Views:447
Avg rating:3.0/5.0
Slides: 32
Provided by: scotl
Category:
Tags: audits | newt | security


Transcript and Presenter's Notes

Title: Security Audits


1
Security Audits
  • Scot Lymer, GSEC CSSA
  • Consysco Solutions

2
Topics
  • What is a Security Audit
  • Why do I need a Security Audit
  • Steps involved (Not all encompassing)
  • Tools used
  • Legal Considerations

3
What is a Security Audit
  • Often referred to as penetration testing
  • Gives a company an unbiased view of the corporate
    network's security
  • Assists in the creation or update of an existing
    security policy

4
Why do I need a Security Audit
  • Prevent loss of data
  • Due-diligence
  • Government regulations
  • HIPAA - Guarantees the security and privacy of health
    information
  • GLB - Regulates data security in the financial
    services industry
  • Sarbanes-Oxley - Requires validation of the
    accuracy and integrity of financial data and
    improved reporting capabilities
  • Insurance requirements
  • E-network Risk Management

5
Steps involved
  • Scope of audit
  • Finding Network Points
  • Router Auditing Tools
  • Firewall Auditing Tools
  • IDS Testing
  • Web Application Testing
  • Others

6
Scope of audit
  • What is the goal?
  • What will be audited?
  • What tools will be used?
  • Auditor responsibilities
  • Users responsibilities
  • Depth of the audit
  • Costs breakdown

7
Some tools used in a security audit
  • NMAP
  • www.insecure.org/nmap/nmap_download.html
  • NeWT
  • www.tenablesecurity.com/newt.html
  • Retina
  • www.eeye.com
  • LANGuard
  • www.gfi.com

8
Finding Network Points
  • Tools
  • NMAP
  • Superscan

9
Router Auditing
  • Check for proper physical security
  • Check for a stable, updated operating system
  • Harden the configuration by removing unnecessary
    services, etc.
  • Finger - remove
  • Telnet - use Secure Shell instead
  • Etc.
  • Check for proper packet filtering by only
    allowing needed ports and protocols
  • Check for DoS attacks
  • Log all occurrences of bad packets
  • Reject packets with invalid source addresses
  • Ensure the router offers SYN attack protection
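The two router rules "reject packets with invalid source addresses" and "log all occurrences of bad packets" can be checked with a small ingress filter model. The code below is an added example, not part of the presentation: it treats the bogon ranges and the organisation's own address space (a constructed 192.0.2.0/24) as impossible sources on the external interface, and returns both the accepted packets and a log of what was rejected and why. The packet list is constructed sample data.

```python
# Added example (not from the presentation): ingress-filter check for source
# addresses that can never legitimately arrive on the external interface.
import ipaddress

# Ranges that should never appear as a source on the outside interface:
# RFC 1918 private space, loopback, link-local, multicast, "this network",
# and the reserved 240/4 block.
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]

# Constructed: the organisation's own public range. A packet from outside
# claiming one of these as its source is spoofed.
INTERNAL_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]

# Constructed sample packets seen on the external interface: (src, dst).
SAMPLE_PACKETS = [
    ("203.0.113.5", "192.0.2.10"),   # ordinary Internet host
    ("10.1.2.3", "192.0.2.10"),      # RFC 1918 source: bogon
    ("192.0.2.7", "192.0.2.10"),     # our own range arriving from outside: spoofed
    ("127.0.0.1", "192.0.2.10"),     # loopback source: bogon
    ("198.51.100.9", "192.0.2.10"),  # ordinary Internet host
]


def invalid_source_reason(src):
    """Return a short reason string if `src` is an invalid external source, else None."""
    addr = ipaddress.ip_address(src)
    for net in BOGONS:
        if addr in net:
            return "bogon " + str(net)
    for net in INTERNAL_NETWORKS:
        if addr in net:
            return "spoofed internal " + str(net)
    return None


def filter_ingress(packets):
    """Split packets into accepted ones and a log of (src, reason) rejections.

    The log is kept rather than silently dropping, matching the slide's
    'log all occurrences of bad packets'.
    """
    accepted, rejected = [], []
    for src, dst in packets:
        reason = invalid_source_reason(src)
        if reason:
            rejected.append((src, reason))
        else:
            accepted.append((src, dst))
    return accepted, rejected


if __name__ == "__main__":
    ok, bad = filter_ingress(SAMPLE_PACKETS)
    for src, reason in bad:
        print("REJECT", src, "-", reason)
    print("accepted:", [s for s, _ in ok])
```

The bogon list is spelled out rather than taken from `ipaddress`'s `is_private`, because that property also covers the documentation ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24) used here as sample public addresses; a production list would be kept in sync with the current IANA bogon data.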

10
Firewall Auditing
  • Review security policy
  • Test the Rulebase
  • Identify vulnerabilities
  • Identify misconfigurations
  • Firewall Logs

11
Review Security Policy
  • What ports should be open on the firewall?
  • Who determines what ports should be open?

12
Test the Firewall Rulebase
  • Done by scanning every network segment from every
    other network segment
  • Place a system on your DMZ and attempt to
    penetrate your internal network
  • If during your audit you are not sure if a
    service should be blocked, block it.

13
Identify Vulnerabilities
  • Identify vulnerable hosts accessible behind the
    firewall
  • Test vulnerabilities using Retina etc.

14
Identify Firewall Misconfigurations
  • Authentication
  • Ensure encrypted data is actually encrypted
  • Ensure encrypted authentication is encrypted
  • TCPdump
  • Ethereal
  • Dsniff
  • Ettercap
  • Etc.
  • Firewall Logs
  • Set up the most extensive logging possible
  • Ensure the audit's own scans appear in the logs, to
    confirm that logging works

15
Other Firewall issues
  • If using any additional services such as
    antivirus, test by sending an infected email through
    your firewall
  • http://www.eicar.org/anti_virus_test_file.htm
  • Test content filter solution by accessing a site
    that should be blocked

16
IDS Testing
  • Check for evidence of attacks in the IDS logs
  • Test the IDS using a wide variety of attacks, and
  • Test the IDS for its reaction to varied speeds of
    each attack, random protocol adjustments, etc.
  • Insertion
  • Evasion
  • Decoy
  • Fragmentation
  • Etc.
  • Sidestep can be used to demo an IDS evasion

17
Evading IDS via NMAP
  • Decoys (nmap -D) - reduces the chance of your IP
    address being traced from your scan
  • Slow scan (-T sneaky or -T paranoid) - makes it
    almost impossible for a firewall to detect a port
    scan
  • Fragmentation (-f) - makes it more difficult for a
    firewall or packet filter to determine the packet
    type
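The slide's claim that a slow scan is "almost impossible" to detect holds only for detectors that look at a short time window. The following added example (not code from the presentation) runs a sliding-window port-scan detector over constructed firewall log lines: a fast scanner that probes six ports in five seconds, a "sneaky" scanner that probes one port every five minutes, and an ordinary client. The log format is hypothetical; the point is that the same slow source goes unnoticed with a 60-second window and is flagged with a one-hour window.

```python
# Added example (not from the presentation): sliding-window port-scan detector
# over constructed firewall log lines. Log format (hypothetical):
#   <ISO timestamp> <src> <dst> <dport> <action>
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: fast scanner 203.0.113.5, slow scanner 198.51.100.7
# (one port every five minutes), and a normal client 192.0.2.50.
SAMPLE_LOG = """\
2003-06-04T11:12:00 203.0.113.5 192.0.2.10 21 DROP
2003-06-04T11:12:01 203.0.113.5 192.0.2.10 22 DROP
2003-06-04T11:12:02 203.0.113.5 192.0.2.10 23 DROP
2003-06-04T11:12:03 203.0.113.5 192.0.2.10 25 DROP
2003-06-04T11:12:04 203.0.113.5 192.0.2.10 80 ACCEPT
2003-06-04T11:12:05 203.0.113.5 192.0.2.10 110 DROP
2003-06-04T11:10:00 198.51.100.7 192.0.2.10 21 DROP
2003-06-04T11:15:00 198.51.100.7 192.0.2.10 22 DROP
2003-06-04T11:20:00 198.51.100.7 192.0.2.10 23 DROP
2003-06-04T11:25:00 198.51.100.7 192.0.2.10 25 DROP
2003-06-04T11:30:00 198.51.100.7 192.0.2.10 80 ACCEPT
2003-06-04T11:35:00 198.51.100.7 192.0.2.10 110 DROP
2003-06-04T11:12:30 192.0.2.50 192.0.2.10 80 ACCEPT
"""


def parse_log(text):
    """Return a list of (timestamp, src, dport) tuples from the log text."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, _dst, dport, _action = line.split()
        events.append((datetime.fromisoformat(ts), src, int(dport)))
    return events


def detect_scanners(events, window_seconds, threshold):
    """Flag sources that touch at least `threshold` distinct ports within any
    window of `window_seconds`. Returns {src: max distinct ports in a window}."""
    by_src = defaultdict(list)
    for ts, src, dport in events:
        by_src[src].append((ts, dport))
    window = timedelta(seconds=window_seconds)
    flagged = {}
    for src, evs in by_src.items():
        evs.sort()
        best, start = 0, 0
        for end in range(len(evs)):
            # Advance the left edge until the window spans at most window_seconds.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            distinct = len({port for _, port in evs[start:end + 1]})
            best = max(best, distinct)
        if best >= threshold:
            flagged[src] = best
    return flagged


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print("60 s window: ", detect_scanners(events, 60, 5))
    print("1 h window:  ", detect_scanners(events, 3600, 5))
```

The detector keeps per-source state across the whole window, so the cost is bounded by the number of events a single source produces in that window; a longer window is what turns the "paranoid" timing template from invisible into a six-port finding.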

18
Web Application Testing
  • Examine source of available pages
  • Test for recognized file types/extensions/directories
  • SQL Injection
  • Cookies and Session IDs
  • Path Traversal and URIs
  • Many more...

19
Examine source of available pages
  • <title>Home Page</title><meta content="Microsoft
    Visual Studio 7.0" name="GENERATOR"><meta
    content="C#" name="CODE_LANGUAGE"><meta
    content="JavaScript" name="vs_defaultClientScript">
  • Developer is using Visual Studio

20
Test for recognized file types/extensions/directories
  • GET /blah.idq HTTP/1.0

    HTTP/1.1 200 OK
    Server: Microsoft-IIS/5.0
    Date: Wed, 04 Jun 2003 11:12:24 GMT
    Content-Type: text/html

    <HTML>The IDQ file blah.idq could not be found.
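Both of the last two slides are about information a server volunteers: the Server header, the Visual Studio meta tags, and a 200 OK for a resource that does not exist. An auditor can check their own sites for this automatically. The code below is an added example, not part of the presentation: it splits a raw HTTP response into status line, headers and body, pulls the named meta tags out of the HTML, and reports the disclosing values. The response is constructed from the two slides (the IIS reply with the Visual Studio meta tags placed in its body).

```python
# Added example (not from the presentation): flag technology-disclosing headers
# and meta tags in a raw HTTP response, as an auditor's self-check.
from html.parser import HTMLParser

# Constructed sample response modelled on the slides' IIS reply and meta tags.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Microsoft-IIS/5.0\r\n"
    "Date: Wed, 04 Jun 2003 11:12:24 GMT\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<HTML><HEAD><title>Home Page</title>"
    '<meta content="Microsoft Visual Studio 7.0" name="GENERATOR">'
    '<meta content="C#" name="CODE_LANGUAGE">'
    '<meta content="JavaScript" name="vs_defaultClientScript"></HEAD>'
    "<BODY>The IDQ file blah.idq could not be found.</BODY></HTML>"
)

# Headers and meta names whose values reveal the platform (lower-cased for lookup).
DISCLOSING_HEADERS = ("server", "x-powered-by", "x-aspnet-version")
DISCLOSING_META = ("generator", "code_language", "vs_defaultclientscript")


class _MetaCollector(HTMLParser):
    """Collect <meta name=... content=...> pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.meta = {}

    def handle_starttag(self, tag, attrs):
        if tag != "meta":  # HTMLParser already lower-cases tag and attribute names
            return
        a = {k: (v or "") for k, v in attrs}
        if "name" in a:
            self.meta[a["name"].lower()] = a.get("content", "")


def split_response(raw):
    """Return (status_line, {header: value}, body) for a raw HTTP/1.x response."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def fingerprint(raw):
    """Return the disclosing values found in the response, keyed by where they came from."""
    status, headers, body = split_response(raw)
    findings = {"status": status}
    for h in DISCLOSING_HEADERS:
        if h in headers:
            findings["header:" + h] = headers[h]
    collector = _MetaCollector()
    collector.feed(body)
    collector.close()
    for m in DISCLOSING_META:
        if m in collector.meta:
            findings["meta:" + m] = collector.meta[m]
    return findings


if __name__ == "__main__":
    for key, value in fingerprint(SAMPLE_RESPONSE).items():
        print(f"{key}: {value}")
```

Run against a real response (for example one captured with a proxy), the output lists exactly what a scanner would learn from the same page; the remediation is to strip or genericise the Server header and the generator meta tags and to return a real 404 for unknown resources.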

21
SQL Injection
  • Not properly stripping user input of potentially
    "nasty" characters before using that input
    directly in SQL queries

22
SQL Injection sample code
  • (using MS Access DB)

    user = Request.Form("user")
    pass = Request.Form("pass")
    Set Conn = Server.CreateObject("ADODB.Connection")
    Set Rs = Server.CreateObject("ADODB.Recordset")
    Conn.Open (dsn)
    SQL = "SELECT C=COUNT(*) FROM users where pass='" & _
          pass & "' and user='" & user & "'"
    rs.open (sql, conn)
    if rs.eof or rs.bof then
        response.write "Database Error"
    else
        if rs("C") < 1 then
            response.write "Invalid Credentials"
        else
            response.write "Logged In"
        end if
    end if

  • If the attacker were to submit the following
    credentials to our login script:

    user = test' OR '1'='1
    pass = test

  • With no sanity or validity checking, the resulting
    query would be:

    SELECT * FROM users where pass='test' and
    user='test' OR '1'='1'

  • Since 1=1 is always true, the attacker would be
    granted access
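The slide's ASP sample builds the query by string concatenation. The added example below (not the presentation's code) reproduces the same login check against an in-memory SQLite table, once the slide's way and once with a parameterized query, so the effect of the `test' OR '1'='1` input can be run and compared. The user table and its single row are constructed.

```python
# Added example (not from the presentation): the slide's login query written
# with string concatenation and with bound parameters, side by side.
import sqlite3

INJECTED_USER = "test' OR '1'='1"  # the username from the slide


def make_db():
    """Constructed users table with one account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user TEXT, pass TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    conn.commit()
    return conn


def login_vulnerable(conn, user, password):
    """Concatenation, as on the slide: the input becomes part of the SQL text."""
    sql = ("SELECT COUNT(*) AS C FROM users WHERE pass='" + password
           + "' AND user='" + user + "'")
    count = conn.execute(sql).fetchone()[0]
    return count >= 1


def login_parameterized(conn, user, password):
    """Placeholders: the driver sends the values separately from the SQL text,
    so a quote inside the input is data, never query syntax."""
    sql = "SELECT COUNT(*) AS C FROM users WHERE pass=? AND user=?"
    count = conn.execute(sql, (password, user)).fetchone()[0]
    return count >= 1


def built_query(user, password):
    """The query text the vulnerable path actually runs, for inspection."""
    return ("SELECT COUNT(*) AS C FROM users WHERE pass='" + password
            + "' AND user='" + user + "'")


if __name__ == "__main__":
    db = make_db()
    print(built_query(INJECTED_USER, "test"))
    print("vulnerable:    ", login_vulnerable(db, INJECTED_USER, "test"))
    print("parameterized: ", login_parameterized(db, INJECTED_USER, "test"))
```

Because `AND` binds tighter than `OR`, the injected query reads `(pass='test' AND user='test') OR '1'='1'`, which matches every row; the parameterized version looks for a user literally named `test' OR '1'='1` and finds none.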

23
Cookies and Session IDs
  • Cookies (stored on the hard drive)
  • Cookies authenticate a user to an application
    and, if stolen, a user's credentials can be
    compromised
  • Cookie expiration dates affect security
  • Session IDs (form part of the URL)
  • Searching proxy logs, viewing browser histories
    or social engineering a user can reveal
    information that can be pasted into a URL
  • Can be logged, replayed or socially engineered
  • More difficult to abuse than cookies because the
    Session ID is not embedded in a site's URL
  • Are Session IDs embedded in a hidden tag?
  • Auditor should examine:
  • The mechanism used to generate session IDs
  • How they are being persisted

24
Path Traversal and URIs
  • Traversing out of the web root and into another
    directory, such as /etc/passwd or system32/config
  • Caused by failure to strip the traversal sequence
    (../) from the file variable
  • http://www.example.com/index.php?file=../../../../
    etc/passwd
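Stripping `../` from the parameter, as the slide describes, is fragile (encoded or doubled sequences get past a naive filter). The more robust check an auditor should look for is canonicalising the requested path and verifying it is still under the web root. The following is an added example, not from the presentation: a `safe_resolve` helper plus a demo that builds a throwaway web root in a temporary directory and shows which of several constructed requests, including the slide's `../../../../etc/passwd`, are served.

```python
# Added example (not from the presentation): resolve a user-supplied file name
# inside a web root and reject anything that canonicalises outside it.
import os
import tempfile


def safe_resolve(web_root, requested):
    """Return the absolute path for `requested` under `web_root`, or None if it escapes.

    realpath() collapses '..' segments and follows symlinks, so both a
    '../../etc/passwd' request and a symlink pointing out of the root are caught.
    """
    root = os.path.realpath(web_root)
    # os.path.join would discard `root` for an absolute request, so strip
    # leading separators and treat every request as relative to the root.
    candidate = os.path.realpath(os.path.join(root, requested.lstrip("/\\")))
    if candidate == root or candidate.startswith(root + os.sep):
        return candidate
    return None


def demo():
    """Build a constructed web root and report which requests resolve to a real file."""
    tmp = tempfile.mkdtemp()
    web_root = os.path.join(tmp, "htdocs")
    os.makedirs(os.path.join(web_root, "pages"))
    with open(os.path.join(web_root, "pages", "about.html"), "w") as f:
        f.write("<h1>About</h1>")

    requests = (
        "pages/about.html",             # legitimate
        "../../../../etc/passwd",       # the slide's traversal
        "/etc/passwd",                  # absolute path: confined to root, not present
        "pages/../pages/about.html",    # harmless '..' that stays inside the root
    )
    results = {}
    for req in requests:
        path = safe_resolve(web_root, req)
        results[req] = path is not None and os.path.isfile(path)
    return results


if __name__ == "__main__":
    for req, served in demo().items():
        print(f"{'serve' if served else 'deny '}  {req}")
```

The containment check is the `startswith(root + os.sep)` comparison on the canonical path; comparing the raw string would let `htdocs-private` pass as a prefix of `htdocs`, which is why the separator is appended.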

25
Physical Security
  • Locate physical entry points
  • Are there any monitoring devices? Where are they
    located
  • What kind of alarm systems? What triggers the
    alarm? Who is notified?
  • Where are backups stored?
  • Are computers left in a logged in state when not
    in use?
  • Etc.

26
Social-Engineering
  • Relies heavily on human interaction
  • Examples
  • Bogus email sending a user to a web site
  • Phone calls to a user asking for password to
    reset their account

27
Review Security Policy
  • Where can the security policy be found?
  • How are passwords handled?
  • Where are backups stored?
  • Is personal email allowed?
  • What is acceptable web usage?
  • etc.

28
Legal Considerations
  • Disclosure of information
  • Penetration testing should not interfere with
    running systems
  • Notify customer of responsibilities
  • Backup data prior to audit
  • Notify any employee who needs to know about the
    audit
  • Obtain written permission

29
What should I do when audit is completed?
  • Review with the auditor
  • Review with management
  • Review with appropriate personnel
  • Create or update security policy based on results
    of the audit

30
How often should the audit be performed?
  • At least once a year
  • New employees
  • New technology
  • Etc.

31
  • ????