Lesson 5
Knowing the Threat
Unauthorized Use of Computer Systems, 2000 CSI/FBI Survey (trend 1996-2000)
[Chart: share of respondents answering Yes / No / Don't Know, by year 1996 through 2000; vertical axis 0 to 70]
Frequency of Point of Attack, 2000 CSI/FBI Survey (trend 1996-2000)
[Chart: Internal Systems / Remote Dial-In / Internet, by year 1996 through 2000; vertical axis 0 to 60]
Likely Sources of Attack, 2000 CSI/FBI Survey (trend 1997-2000)
[Chart: Foreign Governments / Foreign Corporations / Independent Hackers / U.S. Competitors / Disgruntled Employees, by year 1997 through 2000; vertical axis 0 to 90; legend also lists Foreign Corporations and U.S. Corporations]
E-Commerce Security Example: Breaking an E-Business

Consider this Network
[Diagram: Web Server, DBA Server, Router, Investment App Servers, Network, User Clients, Email Server]

How Can A Hacker Attack?
[Diagram: the same network with an ATTACKER added]
Step 1: Attacker exploits a weakness in a CGI script to break through the firewall and gain shell privileges on the host
Step 2: Attacker finds the database password in the CGI script and downloads all account numbers and passwords
Step 3: Attacker installs NetBus and controls the manager's terminal

Going for the Kill!
Customer enters account ID and password
Customer is authenticated and access is granted
Customer checks portfolio performance
Customer updates portfolio tracking preferences
Customer buys/sells shares
Step 4: Attacker credits an account under their control
Investment bank debits/credits the customer's cash account and updates portfolios
Investment bank notifies the customer with confirmation of the transaction
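The weakness behind Step 2 above, a database password embedded in a CGI script, is one a defender can hunt for in source before an attacker reads it. The following is an added example, not part of the lecture: the two Perl CGI snippets it scans are constructed, and the small pattern list is an assumption chosen for illustration.

```python
import re
from typing import List, Tuple

# Each pattern names one way a literal credential ends up in a script (assumed,
# deliberately small list): an assignment such as  $dbpass = "..."  or a
# connection URL such as  mysql://user:password@host.
CREDENTIAL_PATTERNS = [
    ("assignment", re.compile(r'\b(?:passw(?:or)?d|pwd|dbpass|secret)\s*=\s*["\'][^"\']+["\']', re.I)),
    ("connection-string", re.compile(r'://[^/\s:@]+:[^@\s]+@', re.I)),
]

# Constructed Perl CGI script in the spirit of the lecture's scenario: the
# database password is a literal inside the script itself.
VULNERABLE_CGI = """#!/usr/bin/perl
use DBI;
my $dbuser = "invest";
my $dbpass = "s3cret!";
my $dsn = "dbi:mysql:accounts:dbhost";
my $report_url = "mysql://invest:s3cret!@dbhost/accounts";
my $dbh = DBI->connect($dsn, $dbuser, $dbpass);
"""

# The same script with the password supplied by the web server's environment,
# so that reading the script no longer reveals it.
HARDENED_CGI = """#!/usr/bin/perl
use DBI;
my $dbuser = "invest";
my $dbpass = $ENV{"DB_PASS"};
my $dbh = DBI->connect("dbi:mysql:accounts:dbhost", $dbuser, $dbpass);
"""

def find_embedded_credentials(source: str) -> List[Tuple[int, str]]:
    """Return (line number, pattern name) for each line holding a literal credential.

    The secret value itself is deliberately not returned, so a report from this
    scanner does not become a second copy of the password.
    """
    findings: List[Tuple[int, str]] = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for name, pattern in CREDENTIAL_PATTERNS:
            if pattern.search(line):
                findings.append((lineno, name))
                break  # one finding per line is enough
    return findings
```

Run over the vulnerable script the scanner reports lines 4 and 6; over the hardened script it reports nothing, because the password never appears as a literal.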
So What Happens When Computer Security Fails?
Incident Response: A Six Step Process
Preparation: proactive computer security
Identification
Containment
Eradication
Recovery
Hot Wash (after-action review)
History Lesson: The Art of War, Sun Tzu
Lesson for you:
Know the enemy, know yourself, and in 100 battles you will never be defeated.
If ignorant both of your enemy and of yourself, you are certain in every battle to be in peril.
Lesson for the hacker:
Probe him and learn where his strength is abundant and where deficient.
To subdue the enemy without fighting is the acme of skill.
One able to gain victory by modifying his tactics in accordance with the enemy situation may be said to be divine.
Hacker Attacks
Intent is for you to know your enemy
Not intended to make you a hacker
Need to know defensive techniques
Need to know where to start the recovery process
Need to assess the extent of the investigative environment
Anatomy of a Hack
Footprinting
Scanning
Enumeration
Gaining Access
Escalating Privilege
Pilfering
Covering Tracks
Creating Backdoors
Denial of Service
Source for this and the following phase slides: Hacking Exposed, McClure, Scambray, and Kurtz
Footprinting
Objective: Target address range; Acquire namespace; Information gathering; Surgical attack; Don't miss details
Technique: Open source search; whois; Web interface to whois; ARIN whois; DNS zone transfer
Scanning
Objective: Bulk target assessment; Determine listening services; Focus attack vector
Technique: Ping sweep; TCP/UDP scan; OS detection
Enumeration
Objective: Intrusive probing commences; Identify valid accounts; Identify poorly protected shares
Technique: List user accounts; List file shares; Identify applications
Gaining Access
Objective: Informed attempt to access target; Typically user-level access
Technique: Password sniffing; File share brute forcing; Password file grab; Buffer overflows
Escalating Privilege
Objective: Gain root-level access
Technique: Password cracking; Known exploits
Pilfering
Objective: Information gathering to access trusted systems
Technique: Evaluate trusts; Search for cleartext passwords
Cover Tracks
Objective: Ensure highest access; Hide access from system administrator or owner
Technique: Clear logs; Hide tools
Creating Back Doors
Objective: Deploy trap doors; Ensure easy return access
Technique: Create rogue user accounts; Schedule batch jobs; Infect startup files; Plant remote control services; Install monitors; Trojanize
Denial of Service
Objective: If unable to escalate privilege, then kill; Build DDoS network
Technique: SYN flood; ICMP attacks; Identical src/dst SYN requests; Out-of-bounds TCP options; DDoS
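Two of the techniques listed above, SYN flooding and SYN requests whose source equals their destination, leave simple signatures in packet records that a defender can check for. The following is an added example, not from the lecture or the book it cites: it runs two detectors over constructed packet records; the record layout, the one-second window and the threshold of 20 are assumptions.

```python
from collections import defaultdict
from typing import Dict, List, NamedTuple

class Packet(NamedTuple):
    ts: float    # capture time in seconds
    src: str
    sport: int
    dst: str
    dport: int
    flags: str   # TCP flag letters, e.g. "S" (SYN), "SA" (SYN/ACK), "A" (ACK)

def is_bare_syn(p: Packet) -> bool:
    """A connection request: SYN set, ACK clear."""
    return "S" in p.flags and "A" not in p.flags

# Constructed sample (not captured traffic): one normal handshake, a burst of
# 40 SYNs from 40 different sources inside 0.4 s, and one SYN whose source
# address and port equal its destination.
SAMPLE: List[Packet] = (
    [Packet(100.00, "198.51.100.7", 40001, "192.0.2.10", 80, "S"),
     Packet(100.01, "192.0.2.10", 80, "198.51.100.7", 40001, "SA"),
     Packet(100.02, "198.51.100.7", 40001, "192.0.2.10", 80, "A")]
    + [Packet(101.0 + i * 0.01, f"203.0.113.{i}", 50000 + i, "192.0.2.10", 80, "S")
       for i in range(40)]
    + [Packet(102.0, "192.0.2.10", 80, "192.0.2.10", 80, "S")]
)

def land_packets(packets: List[Packet]) -> List[Packet]:
    """SYNs with identical source and destination address and port; a legitimate
    client never sends these, so any hit is worth an alert."""
    return [p for p in packets if is_bare_syn(p) and p.src == p.dst and p.sport == p.dport]

def syn_flood_targets(packets: List[Packet], window: float = 1.0,
                      threshold: int = 20) -> Dict[str, int]:
    """Count bare SYNs per destination host in fixed windows of `window` seconds and
    return {destination: peak count} for hosts whose peak reaches `threshold`."""
    counts: Dict[tuple, int] = defaultdict(int)
    for p in packets:
        if is_bare_syn(p):
            counts[(p.dst, int(p.ts // window))] += 1
    peaks: Dict[str, int] = {}
    for (dst, _bucket), n in counts.items():
        peaks[dst] = max(peaks.get(dst, 0), n)
    return {dst: n for dst, n in peaks.items() if n >= threshold}
```

On the sample the flood detector reports the web server with a peak of 40 bare SYNs in one window, and the land detector reports the single self-addressed SYN; the normal handshake triggers neither.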
Hacker Exploits per SANS
Reconnaissance
Scanning
Exploit Systems
Keeping Access
Cover Tracks
Source: SANS Institute
Hacking Summary
Hacking on the rise
Hacktivism
New crime vector
Loose international laws
Tools automated and readily available
Blended threats
Multi-axis attacks
Automated zombies