Source: rowdysites.msudenver.edu/~fustos/cis3500/pdf/chapter07.pdf
CIS 3500 1
Security Tools and Technologies
Chapter #7:
Technologies and Tools
Chapter Objectives
n Understand how to use appropriate software tools to assess
the security posture of an organization
n Given a scenario, analyze and interpret output from
security technologies
Protocol Analyzer
n A protocol analyzer is simply a tool (either hardware or
software) that can be used to capture and analyze traffic
n Must have the capability to place a network interface in
promiscuous mode, so it captures frames that are not addressed to that interface
n From a security perspective, protocol analyzers are very
useful and effective tools
n Most organizations have multiple points in the network
where traffic can be sniffed
Switched Port Analyzer
n Switched Port Analyzer (SPAN) or port mirroring or port
monitoring is a special setup on a switch
n A SPAN has the ability to copy network traffic passing
through one or more ports on a switch or one or more
VLANs on a switch and forward that copied traffic to a port
designated for traffic capture and analysis
n Plan capacity: a mirror port that aggregates several source ports or VLANs can be oversubscribed, and frames the switch drops are gaps in the capture
Network Scanners
n A network scanner is a tool to probe a network or systems
for open ports and machines that are on the network.
n Network scanners work on any IP network because they operate at the IP and transport layers, sending probes and examining the responses
n Search for “live” hosts
n Search for any open ports
n Search for specific ports
n Identify services on ports
n Look for TCP/UDP services
Network Scanners
n When you find open services, you'll need to determine if
those services should be running at all
n Network scanning activity can trigger an incident response
activity when detected - notify sysadmins/security team before you scan
n Open - the port accepts connections (the TCP handshake completes)
n Closed - the target answers the probe with an RST packet; the host is up but nothing listens there
n Filtered - a firewall or filter sits in the way: either no reply arrives before the timeout or an ICMP unreachable error is returned, so the scanner cannot tell open from closed
n Additional states reported by some tools - dropped, blocked, denied, timeout
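The port states above, as an added example that is not part of the original slides: a minimal TCP connect scanner in Python that maps the outcome of each probe onto open/closed/filtered. The loopback listener and the reserved-but-not-listening port are constructed test targets, not real hosts; the timeout value is an assumption.

```python
import errno
import socket
import threading

# Map the outcome of a TCP connect() probe onto the states a scanner reports.
#   open     - the three-way handshake completed
#   closed   - the target answered with RST (surfaces as ECONNREFUSED)
#   filtered - no answer before the timeout, or an ICMP unreachable error
#              (surfaces as EHOSTUNREACH / ENETUNREACH)
def probe_tcp_port(host, port, timeout=1.0):
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except socket.timeout:
        return "filtered"
    except OSError as exc:
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "filtered"
        raise
    finally:
        sock.close()


def scan(host, ports, timeout=1.0):
    """Probe each port and return {port: state}."""
    return {port: probe_tcp_port(host, port, timeout) for port in ports}


# Constructed test target: a listener on loopback plays the role of an open service.
def start_listener():
    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server.bind(("127.0.0.1", 0))
    server.listen(5)
    port = server.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = server.accept()
            except OSError:
                break
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return server, port


def reserve_closed_port():
    """Bind a port without listen(): it stays allocated (no self-connect race on
    loopback) but the kernel answers connection attempts with RST."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.bind(("127.0.0.1", 0))
    return sock, sock.getsockname()[1]


def demo():
    server, open_port = start_listener()
    holder, closed_port = reserve_closed_port()
    try:
        results = scan("127.0.0.1", [open_port, closed_port])
    finally:
        server.close()
        holder.close()
    return results[open_port], results[closed_port]


if __name__ == "__main__":
    print(demo())
```

A connect scan completes the handshake, so the target's service logs the connection; that is exactly the activity the slide warns will trigger incident response if nobody was told in advance.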
Rogue System Detection
n Rogue systems are unauthorized systems that fall outside of
the enterprise operations umbrella, adding risk to the network
n You have to know the authorized software and hardware in
your environment
n You should do rogue system detection
n active scans of the network to detect any devices not
authorized
n passive scans via an examination of packets to see if anyone is
communicating who is not authorized
Network Mapping
n Network mapping tools are another name for network
scanners
n They create network diagrams of how machines are
connected
n Network mapping tools identify the nodes of a network and
characterize them as to OS, purpose, systems, etc. - also
great for inventory
Wireless Scanners/Cracker
n You can use wireless scanners/crackers to perform network
analysis of the wireless side of your networks
n Who is connecting to them?
n What are they accessing?
n Is everything in conformance with your security plan?
n There are a wide variety of wireless scanners that can
assist in developing this form of monitoring
n Example: KisMAC, a wireless scanner for macOS
Password Cracker
n Password crackers are used by hackers to find weak
passwords
n Sysadmins should run them too, against their own password hashes, to find weak passwords before an attacker does
n Password crackers work from dictionary lists (usually expanded with mangling rules) and by brute
force
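How a dictionary attack with mangling rules recovers weak passwords, as an added example written for this page rather than taken from the slides. The credential table, the salts and the three-word wordlist are constructed; the PBKDF2 iteration count is an assumption kept low so the example runs quickly.

```python
import hashlib

ITERATIONS = 1000  # constructed example; real systems use far more


def hash_password(password, salt, iterations=ITERATIONS):
    """Salted PBKDF2-HMAC-SHA256, the scheme the constructed 'stolen' hashes below use."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), iterations).hex()


def mangle(word):
    """Expand one dictionary word with rules real crackers apply: case, suffixes, leetspeak."""
    cases = {word.lower(), word.capitalize(), word.upper()}
    candidates = set()
    for base in cases:
        leet = base.replace("a", "@").replace("o", "0").replace("e", "3")
        for suffix in ("", "1", "123", "!", "2024"):
            candidates.add(base + suffix)
            candidates.add(leet + suffix)
    return candidates


def crack(targets, wordlist, iterations=ITERATIONS):
    """targets: {user: (salt, hexdigest)} -> {user: recovered password}.
    Each salt forces a fresh hash per candidate, which is the point of salting."""
    candidates = set()
    for word in wordlist:
        candidates |= mangle(word)
    candidates = sorted(candidates)
    recovered = {}
    for user, (salt, digest) in targets.items():
        for cand in candidates:
            if hash_password(cand, salt, iterations) == digest:
                recovered[user] = cand
                break
    return recovered


# Constructed data: a dumped credential table and a tiny wordlist.
WORDLIST = ["password", "summer", "welcome"]
TARGETS = {
    "alice": ("s1", hash_password("Summer123", "s1")),
    "bob":   ("s2", hash_password("P@ssw0rd!", "s2")),
    "carol": ("s3", hash_password("correct horse battery staple", "s3")),
}


def demo():
    return crack(TARGETS, WORDLIST)


if __name__ == "__main__":
    print(demo())  # carol's passphrase is not derivable from the wordlist and survives
```

Two of the three passwords fall to fewer than a hundred guesses each because they are dictionary words with predictable decoration; the passphrase is not reachable from the wordlist at all, which is the argument for length over complexity rules.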
Vulnerability Scanner
n A vulnerability scanner is a program designed to probe a
system for weaknesses, misconfigurations, old versions of
software etc.
n Three main categories of vulnerability scanners: network,
host, and application
Configuration Compliance Scanner
n Automate configuration checks
n SCAP (Security Content Automation Protocol) is a protocol
to manage information related to security configurations
and the automated validation of them
n There is a wide variety of configuration compliance
scanners
n These tools require that there is a baseline set of defined
configurations and then the tools can track changes
Exploitation Frameworks
n Exploitation frameworks assist hackers with exploiting
vulnerabilities in a system
n The most commonly used framework is Metasploit, a set of
"tools" designed to assist a penetration tester
n These frameworks can be used by security personnel as
well, specifically to test the exploitability of a system based
on existing vulnerabilities and employed security controls
Data Sanitization Tools
n Data sanitization tools are tools used to destroy, purge, or
otherwise identify for destruction specific types of data
n Before a system can be retired and disposed of, you need to
sanitize the data
n Use self-encrypting disks and destroy the keys (cryptographic erase)
n Identify the sensitive data and deal with it specifically
n It is not the tool that provides the true value, but rather the
processes and procedures that ensure the work is done and done
correctly
Steganography Tools
n Steganography is the science of hidden writing, or more
specifically the hiding of messages in other content
n Digital images, videos, and audio files have excess coding
capacity in the stream, so it is possible to embed additional content
in the file
n If this content is invisible to the typical user, then it is considered
to be steganography
n The same techniques are used to add visible (or invisible)
watermarks to files
Honeypot
n A honeypot is a server that is designed to act like the real
server on a corporate network
n Honeypots serve as attractive targets to attackers - traffic
can be assumed to be malicious
n A honeynet is a network designed to look like a corporate
network
n A honeynet is a collection of honeypots
n Extensive logging so we can learn from it
Backup Utilities
n Backup utilities – one of the most important tools
n Backing up a single system isn’t that hard
n Backing up an enterprise full of servers and workstations is
a completely different problem
n segregating data
n scale, and
n management of the actual backup files
n Critical security task
Banner Grabbing
n Banner grabbing is a technique used to gather information
from a service that publicizes information via a banner
n identify services by type
n version
n Warnings
n Attackers can use banners to determine what services are
running, and typically do for common banner-issuing
services such as HTTP, FTP, SMTP, and Telnet
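Banner grabbing in code, as an added example not drawn from the slides: connect, read the first line the service volunteers, and identify the service from it. The loopback "mail server" that sends a fixed 220 greeting is a constructed stand-in; the banner strings in the identification rules are assumptions based on the common formats named on the slide.

```python
import socket
import threading


def grab_banner(host, port, timeout=2.0, probe=b""):
    """Connect, optionally send a probe, and return whatever the service volunteers first.
    SMTP/FTP/SSH speak first; HTTP needs a probe such as b"HEAD / HTTP/1.0\\r\\n\\r\\n"."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        if probe:
            sock.sendall(probe)
        data = b""
        try:
            while len(data) < 4096:
                chunk = sock.recv(1024)
                if not chunk:
                    break
                data += chunk
                if b"\n" in chunk:
                    break  # one line is enough for identification
        except socket.timeout:
            pass
    return data.decode("ascii", "replace").strip()


def identify(banner):
    """Rough service/version identification from common banner formats."""
    first = banner.splitlines()[0] if banner else ""
    if first.startswith("SSH-"):
        parts = first.split("-", 2)
        return "ssh", parts[2] if len(parts) == 3 else first
    if first.startswith("220 "):
        return "smtp/ftp greeting", first[4:]
    if first.startswith("HTTP/"):
        for line in banner.splitlines():
            if line.lower().startswith("server:"):
                return "http", line.split(":", 1)[1].strip()
        return "http", "(no Server header)"
    return "unknown", first


# Constructed target: a loopback listener that sends a fixed banner, as a mail server would.
def start_fake_service(banner):
    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server.bind(("127.0.0.1", 0))
    server.listen(1)

    def serve():
        while True:
            try:
                conn, _ = server.accept()
            except OSError:
                break
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return server, server.getsockname()[1]


def demo():
    server, port = start_fake_service(b"220 mail.example.test ESMTP Postfix\r\n")
    try:
        banner = grab_banner("127.0.0.1", port)
    finally:
        server.close()
    return banner, identify(banner)


if __name__ == "__main__":
    print(demo())
```

The defensive lesson is the mirror image: a version string in a banner is free reconnaissance for the attacker, so remove or genericise it where the service allows.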
Passive vs. Active
n Passive tools are those that do not interact with the target system
n Example: an analyst can map operating systems in Wireshark by examining TCP/IP traces (initial TTL, window size, option ordering) without sending a single packet to the target
n Active tools interact with a target system in a fashion where
their use can be detected
n Nmap is an active tool: the packets it sends to the target can be logged and detected
n When choosing between them, attackers weigh how much time they
have available against how much noise they can tolerate
Command-Line Tools
n These are built into the operating system itself, or are
common programs that are used by system administrators
and security professionals on a regular basis
ping
n The ping command sends echo requests to a designated
machine to determine if communication is possible
n The syntax is ping [options] targetname/address
n The options include items such as name resolution, how
many pings, data size, TTL counts, and more
n Many sysadmins disable echo replies or filter ICMP at the firewall - a reply
confirms that the host exists, which is already too much to give away
netstat
n netstat -a - all sockets, listening and connected
n netstat -at - all TCP sockets
n netstat -au - all UDP sockets
n netstat -l - all listening ports
n netstat -l -n - does not resolve names (faster, and generates no DNS traffic)
n netstat -l -p - listening programs with PID (Linux; on Windows use netstat -b, which needs administrator rights)
tracert
n The tracert command is a Windows command for tracing
the route that packets take over the network
n List of the hosts and routers in the order that a
packet passes by them (switches forward at layer 2 and do not appear)
n It uses ICMP echo requests with increasing TTL values; if ICMP is blocked at a hop, that hop shows as a timeout (* * *)
n On Linux and macOS systems, the command with similar
functionality is traceroute, which sends UDP probes by default
nslookup/dig
n The nslookup command (and dig, on Linux and macOS) can be used to issue a DNS
query and examine the response
n A nonauthoritative answer typically means the result is
from a cache as opposed to a server that has an
authoritative answer
arp
n The arp command interfaces with the operating system’s
Address Resolution Protocol (ARP) caches on a system
n A device that knows a destination's IP address still needs the MAC
(layer 2) address to deliver the frame on the local segment
n Four basic message types:
n ARP request “Who has this IP address?”
n ARP reply “I have that IP address; my MAC address is…”
n Reverse ARP (RARP) request “Who has this MAC address?”
n RARP reply "I have that MAC address; my IP address is…"
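Reading the ARP cache is a cheap passive check that serves two slides at once, rogue system detection and the ARP message flow above. This is an added example, not code from the slides: it parses `arp -a` / `ip neigh` / Windows `arp -a` style lines, compares the MACs seen against an authorised inventory, and flags the two classic ARP-spoofing symptoms (the gateway IP resolving to an unexpected MAC, and one MAC claiming several IPs). The table text, the inventory and the gateway address are constructed.

```python
import re
from collections import defaultdict

# Matches an IPv4 address followed somewhere on the line by a MAC (colon or hyphen
# separated), so it handles `arp -a` on Linux/macOS, `ip neigh`, and Windows `arp -a`.
IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
MAC = r"((?:[0-9a-fA-F]{2}[:-]){5}[0-9a-fA-F]{2})"
ENTRY = re.compile(IPV4 + r".*?" + MAC)


def parse_arp_table(text):
    """Return {ip: mac} with MACs normalised to lowercase colon form.
    Broadcast and multicast MACs (low bit of the first octet set) are not hosts and are skipped."""
    table = {}
    for line in text.splitlines():
        m = ENTRY.search(line)
        if not m:
            continue
        ip, mac = m.group(1), m.group(2).lower().replace("-", ":")
        if int(mac[:2], 16) & 1:
            continue
        table[ip] = mac
    return table


def audit_arp_table(table, authorized, gateway_ip):
    """Flag rogue (unknown) hosts and ARP-spoofing symptoms.
    authorized: {mac: description}; gateway_ip: the IP whose MAC must match inventory."""
    findings = []
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        by_mac[mac].append(ip)
        if mac not in authorized:
            findings.append(f"rogue: {ip} has unknown MAC {mac}")
    gw_mac = table.get(gateway_ip)
    if gw_mac is not None and authorized.get(gw_mac) != "gateway":
        findings.append(f"spoof: gateway {gateway_ip} now resolves to {gw_mac}")
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            findings.append(f"spoof: MAC {mac} claims multiple IPs {sorted(ips)}")
    return findings


# Constructed `arp -a` output: the gateway entry has been poisoned by the host at .77.
SAMPLE_ARP = """\
? (192.168.1.1) at de:ad:be:ef:00:77 [ether] on eth0
? (192.168.1.10) at 00:11:22:aa:bb:10 [ether] on eth0
? (192.168.1.77) at de:ad:be:ef:00:77 [ether] on eth0
? (192.168.1.255) at ff:ff:ff:ff:ff:ff [ether] on eth0
"""
AUTHORIZED = {"00:11:22:aa:bb:01": "gateway", "00:11:22:aa:bb:10": "file server"}


def demo():
    return audit_arp_table(parse_arp_table(SAMPLE_ARP), AUTHORIZED, "192.168.1.1")


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Running this from one host only shows that host's cache; for enterprise-wide rogue detection the same comparison is fed from switch MAC-address tables or a passive sniffer on a SPAN port.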
ipconfig/ip/ifconfig
n ipconfig (for Windows) and ifconfig (for Linux and macOS) are used to
inspect and manipulate the network interfaces on a system
n List the interfaces and connection parameters, alter
parameters, and refresh/renew connections
n The ip command in Linux is used to show and manipulate
routing, devices, policy routing, and tunnels
tcpdump
n The tcpdump utility is designed to analyze network packets
either from a network connection or a recorded file
n You also can use it to create files of packet captures (pcap)
and perform filtering
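What a pcap file actually contains, and what a filter such as `tcp port 80` does to it, shown as an added example in Python rather than tcpdump itself (this code is not from the slides). It builds a small capture from constructed Ethernet/IPv4/TCP frames, writes it in the pcap format tcpdump and Wireshark read, parses it back, filters by port, and applies the TTL heuristic from the passive-fingerprinting slide. Addresses, MACs and timestamps are all constructed.

```python
import socket
import struct
import tempfile

PCAP_MAGIC = 0xA1B2C3D4      # microsecond-resolution pcap, written little-endian
LINKTYPE_ETHERNET = 1


def ipv4_checksum(header):
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_tcp_frame(src_ip, dst_ip, sport, dport, payload=b"", ttl=64, flags=0x18):
    """Ethernet + IPv4 + TCP frame with a valid IP checksum (TCP checksum left 0 for brevity)."""
    eth = bytes.fromhex("001122aabb01") + bytes.fromhex("001122aabb10") + struct.pack("!H", 0x0800)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, flags, 65535, 0, 0)
    total_len = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, ttl, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]
    return eth + ip + tcp + payload


def write_pcap(path, frames, snaplen=65535):
    with open(path, "wb") as f:
        f.write(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET))
        for ts_sec, ts_usec, frame in frames:
            f.write(struct.pack("<IIII", ts_sec, ts_usec, len(frame), len(frame)) + frame)


def parse_frame(frame):
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return None  # not IPv4
    ihl = (frame[14] & 0x0F) * 4
    pkt = {"ttl": frame[22], "proto": frame[23],
           "src": socket.inet_ntoa(frame[26:30]), "dst": socket.inet_ntoa(frame[30:34])}
    if pkt["proto"] == 6 and len(frame) >= 14 + ihl + 20:
        t = 14 + ihl
        pkt["sport"], pkt["dport"] = struct.unpack("!HH", frame[t:t + 4])
        pkt["flags"] = frame[t + 13]
        pkt["payload"] = frame[t + (frame[t + 12] >> 4) * 4:]
    return pkt


def read_pcap(path):
    with open(path, "rb") as f:
        data = f.read()
    magic, _vmaj, _vmin, _tz, _sig, _snap, linktype = struct.unpack("<IHHiIII", data[:24])
    if magic != PCAP_MAGIC or linktype != LINKTYPE_ETHERNET:
        raise ValueError("unsupported pcap header")
    packets, off = [], 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig = struct.unpack("<IIII", data[off:off + 16])
        off += 16
        pkt = parse_frame(data[off:off + incl_len])
        off += incl_len
        if pkt:
            pkt["ts"] = ts_sec + ts_usec / 1e6
            packets.append(pkt)
    return packets


def filter_port(packets, port):
    """Equivalent of the tcpdump filter `tcp port <port>`."""
    return [p for p in packets if port in (p.get("sport"), p.get("dport"))]


def guess_os_from_ttl(ttl):
    """Passive fingerprint: initial TTLs of 64 (Linux/macOS), 128 (Windows), 255 (network gear)
    drop by one per hop, so the observed value points at the nearest initial TTL at or above it."""
    for initial, name in ((64, "linux/unix-like"), (128, "windows"), (255, "network device")):
        if ttl <= initial:
            return name
    return "unknown"


# Constructed capture: an HTTP request/response pair and an SSH client hello from a Windows host.
FRAMES = [
    (1700000000, 0, build_tcp_frame("10.0.0.5", "10.0.0.80", 51000, 80, b"GET / HTTP/1.0\r\n\r\n")),
    (1700000000, 1500, build_tcp_frame("10.0.0.80", "10.0.0.5", 80, 51000, b"HTTP/1.0 200 OK\r\n")),
    (1700000001, 0, build_tcp_frame("10.0.0.9", "10.0.0.22", 52000, 22, b"SSH-2.0-client\r\n", ttl=127)),
]


def demo():
    with tempfile.NamedTemporaryFile(suffix=".pcap", delete=False) as tmp:
        path = tmp.name
    write_pcap(path, FRAMES)
    packets = read_pcap(path)
    return len(packets), len(filter_port(packets, 80)), guess_os_from_ttl(packets[2]["ttl"])


if __name__ == "__main__":
    print(demo())
```

The file `demo()` writes opens in Wireshark or with `tcpdump -r`, which is a quick way to confirm that a parser of your own agrees with the reference tools before trusting it on real captures.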
nmap
n Nmap is the standard network mapping and port scanning utility, available
for Linux, Windows and other platforms; it was first released in 1997
n The nmap command is the command-line command to
launch and run the nmap utility
netcat
n Netcat is a network utility designed for Linux/Unix
environments
n It has a Windows version, but it is not regularly used in
Windows environments
n The command is nc [options] host port
n The netcat utility is the tool of choice in Linux for reading
from and writing to network connections using TCP or UDP
n Has a wide range of functions
Security Technologies
n There are several security technologies that you can
employ to analyze security situations and interpret output
from security technologies
HIDS/HIPS
n Both a host-based intrusion detection system (HIDS) and a
host-based intrusion prevention system (HIPS) alert on
behaviors that match specified patterns; a HIPS can additionally block the matching action
n They have significant false positive rates depending upon
the specificity of the ruleset
n They serve to act as an alerting mechanism to provide a
signal to start incident response activities
Antivirus
n Antivirus (AV) applications check files for matches to known
viruses and other forms of malware
n Quarantine the file or erase it using the AV utility
File Integrity Check
n Perform a file integrity check to ensure that the file has not
been tampered
n This will alert you to a changed binary
n They take a hash of the file and compare this value to an
offline store of correct values - if the hashes match, then
the file is unaltered
n On Windows machines the command is sfc /scannow, which checks protected system files against known-good copies
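The hash-and-compare loop described above, as an added example that is not part of the slides: snapshot a directory tree into a baseline, then report files that were modified, removed or added. The directory contents and the "trojaned sshd" scenario are constructed in a temporary directory; the baseline location is an assumption (in practice it belongs on offline or read-only media).

```python
import hashlib
import json
import os
import tempfile


def hash_file(path):
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root):
    """{relative path: sha256} for every regular file under root."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root).replace(os.sep, "/")] = hash_file(full)
    return baseline


def save_baseline(baseline, path):
    # Keep this copy where an intruder on the monitored host cannot rewrite it;
    # a baseline the attacker controls proves nothing.
    with open(path, "w") as f:
        json.dump(baseline, f, indent=2, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def verify(root, baseline):
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }


# Constructed scenario: snapshot a directory, then simulate a tampered binary,
# a deleted file and a dropped tool, and see what verify() reports.
def demo():
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "bin"))
    with open(os.path.join(root, "bin", "sshd"), "wb") as f:
        f.write(b"\x7fELF original sshd")
    with open(os.path.join(root, "config.ini"), "w") as f:
        f.write("enabled=1\n")
    baseline_path = os.path.join(tempfile.mkdtemp(), "baseline.json")
    save_baseline(build_baseline(root), baseline_path)

    with open(os.path.join(root, "bin", "sshd"), "wb") as f:
        f.write(b"\x7fELF trojaned sshd")        # modified
    os.remove(os.path.join(root, "config.ini"))   # missing
    with open(os.path.join(root, "bin", "nc"), "wb") as f:
        f.write(b"dropped tool")                  # added

    return verify(root, load_baseline(baseline_path))


if __name__ == "__main__":
    print(demo())
```

Legitimate patching also changes hashes, so the baseline has to be re-taken after every approved update; otherwise the tool trains operators to ignore its alerts.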
Host-Based Firewall
n A host-based firewall is a firewall located on a host system
n You can tune it to the exact specifications of that machine
n If properly tuned, a host-based firewall will have a very low
false positive rate
Application Whitelisting
n Application whitelisting - marks files as safe to run on a
system, typically by hash value, publisher signature, or path
n Only specified binaries are allowed to run on a system
n On Microsoft Windows machines using the Enterprise
version of the OS, whitelisting can be done natively in the
OS via a tool called AppLocker
Removable Media Control
n Removable media controls are designed to prevent the
transfer of data from a system to a removable media
n Encrypt anything that is allowed onto removable media
n Block physical access
Advanced Malware Tools
n Advanced malware tools – e.g. Yara, a command-line
pattern matcher that looks for indicators of compromise
n Hunting down malware infections based on artifacts in
memory
n Another type is a threat prevention platform that checks a
system and its traffic in real time for common malware
artifacts such as callbacks to external command-and-control hosts
Patch Management Tools
n Patch management tools assist administrators by keeping
lists of the software on a system and alerting users when
patches become available
n Some can even assist in the application of the patches
n Alerting users is only part of the necessary solution
n ensure that the patches are installed
n alert administrators when patches have not been updated
UTM
n Unified threat management (UTM) devices typically provide
a wide range of services, including switching, firewall,
IDS/IPS, anti-malware, anti-spam, content filtering, and
traffic shaping
n Simplify security administration
n Typically located at the edge of the network, managing
traffic in and out of the network
DLP
n Data loss prevention (DLP) detects and prevents transfers of
sensitive data across an enterprise boundary
n Can scan packets for specific data patterns
n account numbers,
n secrets,
n specific markers, or
n files
n The system can block the transfer
n The challenge is the placement of the sensor: it must sit where it sees the traffic in the clear
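The pattern scan a DLP sensor performs, as an added example not taken from the slides: candidate card numbers are found with a regular expression and then validated with the Luhn check digit, so ordinary order and tracking numbers are not flagged, and a keyword marker rule is applied alongside. The three sample messages and the marker words are constructed; the block/allow threshold is an assumption.

```python
import re

# 13-19 digits, optionally separated by single spaces or hyphens, not embedded in a longer digit run.
CARD_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
MARKERS = re.compile(r"\b(CONFIDENTIAL|INTERNAL ONLY)\b", re.IGNORECASE)


def luhn_ok(digits):
    """Luhn check-digit validation: card numbers pass it, random digit runs usually do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch)
        if i % 2 == 1:
            n *= 2
            if n > 9:
                n -= 9
        total += n
    return total % 10 == 0


def find_card_numbers(text):
    hits = []
    for m in CARD_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append(digits)
    return hits


def inspect(text):
    """Decision a DLP sensor would make for one message or file: block on a card number or a marker.
    Card numbers are masked in the finding so the alert itself does not leak the data."""
    cards = find_card_numbers(text)
    marker = MARKERS.search(text)
    reasons = [f"card number {c[:6]}******{c[-4:]}" for c in cards]
    if marker:
        reasons.append(f"marker '{marker.group()}'")
    return ("block" if reasons else "allow"), reasons


# Constructed sample messages.
SAMPLES = [
    "Order 1234567812345678 shipped, tracking 99887766554433",   # digit runs that fail Luhn
    "Please charge 4111 1111 1111 1111 for the invoice",           # well-known test card number
    "Draft roadmap - CONFIDENTIAL - do not forward",
]


def demo():
    return [inspect(s) for s in SAMPLES]


if __name__ == "__main__":
    for sample, decision in zip(SAMPLES, demo()):
        print(decision, "<-", sample)
```

The Luhn step is what keeps the false-positive rate workable; without it every 16-digit order number in the mail flow would be blocked, and the same scan only works at a point where the sensor sees the content decrypted.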
Data Execution Prevention
n Data Execution Prevention (DEP) marks specific memory areas
(stack, heap, data) as non-executable on a Windows system, using the CPU's NX bit
n Prevents attackers from changing the operation of a
program by injecting code into a data region and jumping to it
n When code tries to execute from a protected page, the OS raises an access violation and terminates the program
Web Application Firewall
n A web application firewall (WAF) is a device that performs
restrictions based on rules associated with HTTP/HTTPS
n Form of content filter to provide significant capability and
protections
n WAFs can detect and block disclosure of critical data
n Can also be used to protect websites from common attack
vectors such as cross-site scripting, fuzzing, and buffer
overflow attacks
Stay Alert!
There is no 100 percent secure system, and
there is nothing that is foolproof!