Upload File

network auditing essentials

prev
next
out of 14
Download Network Auditing Essentials

Upload: kazampas

Post on 06-Apr-2018

230 views

Category:

Documents


0 download

Report

TRANSCRIPT

  • 8/3/2019 Network Auditing Essentials

    1/14

    FDHConsul+ng November3,2009

    PerformingaComprehensiveNetwork

    SecurityReview 1

    Performing a Comprehensive

    Network Security ReviewNovember 3, 2009

    Timothy Agee, CISA, CGEIT

    Jacob Arthur

    FDH Consulting

    Frasier, Dean & Howard, PLLC

    For SOXFor HIPAAFor PCI

  • 8/3/2019 Network Auditing Essentials

    2/14

    FDHConsul+ng November3,2009

    PerformingaComprehensiveNetwork

    SecurityReview 2

    Performing a Comprehensive Network

    Security Assessment:Vulnerability Assessment / Penetration Test Security Policies (Change Control Policies) Security Configuration User Account Provisioning Security Monitoring Employee Training Social Engineering

    What is it?

  • 8/3/2019 Network Auditing Essentials

    3/14

    FDHConsul+ng November3,2009

    PerformingaComprehensiveNetwork

    SecurityReview 3

    Vulnerability Assessment / Pen Test

    Using a variety of third-party tools, avulnerability assessment includes mappinghosts and services within a specified publicaddress space or internal network andscanning them for potential vulnerabilities.

    During penetration testing, third party tools

    are used to exploit security weaknesses for thepurpose of identifying and correcting means ofunauthorized access.

    Why a Vulnerability Assessment / Pen Test?

    SOX compliance is not enough

  • 8/3/2019 Network Auditing Essentials

    4/14

    FDHConsul+ng November3,2009

    PerformingaComprehensiveNetwork

    SecurityReview 4

    Why? (Examples) 130 Million Total Cards

    Barnes & Noble Office Max BJs Wholesale JC Penny Target Forever21

    DSW Sports Authority Boston Market Dave and Busters TJ Maxx

    47 Million Cards

    Why? (Vulnerabilities)

    PatchingServers, workstations, firewalls, etc.

    Old technology Windows 2000 (beware if using WSUS) WEP encryption

    Poor design Poor configuration

    Unapproved devices or services Change control

  • 8/3/2019 Network Auditing Essentials

    5/14

    FDHConsul+ng November3,2009

    PerformingaComprehensiveNetwork

    SecurityReview 5

    Vulnerability Assessment / Pen Testing

    Internal vs. External Black Box vs. Crystal/White Box

    What are the advantages & disadvantages Start with tool, but interpretation is key

    Vulnerability Assessment /

    Pen Test (Rules for Engagement) Determining scopeExploits that could crash systems or services Timing / notification requirements Defined stop points Stealth requirements Get out of jail free card

  • 8/3/2019 Network Auditing Essentials

    6/14

    FDHConsul+ng November3,2009

    PerformingaComprehensiveNetwork

    SecurityReview 6

    Proceed at your own risk!

    Vulnerability Assessment /

    Pen Test (BackTrack 4 pre-release)

    www.remote-exploit.org

    Bootable DVD Image (is0) / VMWare Image Linux distribution built for the sole purpose of

    testing security

  • 8/3/2019 Network Auditing Essentials

    7/14

    FDHConsul+ng November3,2009

    PerformingaComprehensiveNetwork

    SecurityReview 7

    Vulnerability Assessment /

    Pen Test (Scanning - nMap)www.insecure.org

    Linux (Unix) / Windows / Mac OS X / etc Internal vs. External Finding potential targets

    What are we looking for?

    Vulnerability Assessment /

    Pen Testing (Wireless Scanning)

    AirPcap / Kismet (AirCrack)www.cacetech.com (AirPcap) Hardwarewww.kismetwireless.net (Kismet)

    Linux / Windows (requires AirPcap for Win)www.aircrack-ng.org (AirCrack)

    Linux / Windows (requires AirPcap for Win) Finding potential targets

    What are we looking for?

  • 8/3/2019 Network Auditing Essentials

    8/14

    FDHConsul+ng November3,2009

    PerformingaComprehensiveNetwork

    SecurityReview 8

    Vulnerability Assessment /

    Pen Test (Vulnerability Scan - Nessus)

    www.nessus.orgFree & commercial versionsLinux / FreeBSD / Windows / Mac OS X

    Internal vs. External Pros & Cons (Why its not enough)

    Vulnerability Assessment /

    Pen Test (Exploit - Metasploit)

    www.metasploit.com (Just acquired by Rapid7)Linux (Unix) / Windows

    Various uses Internal vs. External Can generate stand-alone files

  • 8/3/2019 Network Auditing Essentials

    9/14

    FDHConsul+ng November3,2009

    PerformingaComprehensiveNetwork

    SecurityReview 9

    Vulnerability Assessment /

    Pen Test (Exploit What Now)

    View permissions of exploited user Migrate to other processes, view available tokens Enabling shell access

    Vulnerability Assessment /

    Pen Test (Standard User)

    Review standard permissions assigned to users Must determine the potential risky users Begins with exploring the infrastructure

  • 8/3/2019 Network Auditing Essentials

    10/14

    FDHConsul+ng November3,2009

    PerformingaComprehensiveNetwork

    SecurityReview 10

    Security Policies (Change Control)

    Acceptable Use User Provisioning Password Network Access Incident Response Remote Access Guest AccessWireless Configuration Standards Configuration Changes

    Third Party Connection Network Security Encryption Confidential Data Data Classification Mobile Device Retention Outsourcing Physical Security Monitoring

    Configuration / Design Review

    FirewallWireless IDS Remote accessActive Directory Group Policy / Accounts

    Local admin accounts iSeries System Values / Profiles Standard configurations / deployment

  • 8/3/2019 Network Auditing Essentials

    11/14

    FDHConsul+ng November3,2009

    PerformingaComprehensiveNetwork

    SecurityReview 11

    User Provisioning

    New Hires / Transfers / TerminationsAdministrative access Consultants / Contractors / Vendors

    Security Monitoring

    Security Logs Log Aggregation / Filtering / Alerts IDS Indicators / Alerts Use of powerful accounts Excessive failed login attemptsAccess to sensitive data Use of unapproved IP services

  • 8/3/2019 Network Auditing Essentials

    12/14

    FDHConsul+ng November3,2009

    PerformingaComprehensiveNetwork

    SecurityReview 12

    Employee Training

    Documents and Posters only? New employee orientation? Regular updates / reinforcement?

    Emails / Newsletters / Classroom (frequency)Incorporate with other meetingsMake it personal

    Social Engineering

    Contact a sample of employees and attempt toobtain passwords or contact lists. Impersonate

    IT Support personnel.

    Contact the IT Help desk and attempt to havepassword reset for known employee

    Send an outside person into the office to walkaround. Assess the length of time it takes forpersonnel to identify this unauthorized entry.

  • 8/3/2019 Network Auditing Essentials

    13/14

    FDHConsul+ng November3,2009

    PerformingaComprehensiveNetwork

    SecurityReview 13

    Social Engineering

    Place forged memos into a sample of companymailboxes with instructions that would facilitateunauthorized intrusion.

    Examine trash in a sample of offices todetermine if sensitive material is being

    improperly disposed of that could lead tounauthorized access.

    Social Engineering

    Randomly leave USB flash drives throughout theoffice, which are loaded with malicious files(hidden). Evaluate whether employees willattempt to use these drives.

    Impersonate a known company vendor atcentral or remote locations. Attempt to gainaccess to company network.

  • 8/3/2019 Network Auditing Essentials

    14/14

    FDHConsul+ng November3,2009

    PerformingaComprehensiveNetwork

    SecurityReview 14

    Online Resources

    Proceed at your own riskwww.packetstormsecurity.orgwww.cve.mitre.orgwww.smashthestack.orgwww.securityfocus.comwww.osvdb.comwww.infosecnews.orgwww.undergroundnews.com

    Questions?

    Timothy Agee, CISA, CGEIT

    [email protected]

    615-330-8652 (Mobile)

    Jacob Arthur

    [email protected]

    615-852-8540 (Mobile)


Database Auditing Essentials (new prez)-lg - DB2 Forum Auditing Essentials (April 2008).pdf · 2008-02-05 · Database Auditing Who did what to ... — Capacity Planning Managing

Network essentials chapter 4

Network Essentials v2.0

Linux Essentials Network Development Group

Network Security Essentials Chapter 7

Lights On Network Essentials

Patch management Vulnerability scanning Network auditing ... · Network auditing Network security insights. Benefits at a glance Centralized patch management, vulnerability assessment

Network Security Essentials

z/Auditing Essentials - New Era · 2019. 8. 1. · z/Auditing ESSENTIALS Volume 4 1 2 About Audit Essentials 2.1 Overview In the previous Audit Essentials volumes we addressed various

Network Security Essentials Chapter 5

Network essentials chapter 2

Ad Network Essentials

Network Essentials – Network Specialist Program

Auditing Essentials

SNMP Network Management the Essentials

Network Security Essentials Chapter 6

Network essentials chapter 3

Network Auditing, Telecom Training, Telecom Consulting

Network Security Essentials Chapter 2

Network essentials

Network Security Essentials Chapter 3

z/Auditing Essentials - Query Informatique

37126119 Network Security Essentials (1)

TCP/IP Network Essentials

Network Security Essentials Chapter 4

The Essentials of Linux Network Administration · The Essentials of Linux Network Administration 1 The Essentials of Linux Network Administration Introduction If you’re ever going

Network Security Essentials Chapter 1

Auditing the Merchant – Network Relationship

z/Auditing Essentials - newera.com

Network Security Essentials - Dr. Bhargavi Goswami · Network Security Essentials Applications and Standards Third Edition William Stallings

Lmt 2 Network Design Essentials

Ad Network Essentials (PinYou)

CIA Part 1 Essentials of Internal Auditing

Auditing Os and Network

Database auditing essentials