Protecting Mainframe and Distributed Corporate Data from FTP Attacks: Introducing FTP/Security Suite
Alessandro Braccia, DBA Sistemi
XXVIII Annual Conference of CMG-Italia
Milan - 28 May 2014, Rome - 29 May 2014
www.softwareassist.net

Agenda
• About SAC
• The Problem
• How Attackers Operate
• Popular Hacking Tools
• FTP Issues
• What the Products do – and how
  • Conceptual Overview
• Why are our products important?

About SAC
• Founded in 1990
• Developed a number of very successful products
• Until now purely development company
• Products were private labeled by other companies, for ex:
  • AF/Operator: Candle Corporation (now IBM)
  • TapeSaver: Mobius Management Systems (now Unicom)
• These products have been sold or moved to subsidiaries
• Focus on the FTP/Security Suite
• Establishing Worldwide Partner Network

The Problem
• Complex problem, lack of understanding in market place
• Big vendors focus security discussion on their products
• Most attacks never make it to the press – do not educate the market
• Customers often:
  • Do not know how hackers operate
  • Spend a lot of money on some solutions
  • Lack tools in other (important) areas
• Result: Companies don’t even know they were attacked or notice it many months later – and don’t know what was taken

How attackers operate
• Attackers can be Hobbyists, Amateurs or Professionals
• Use automated tools
  • Attack weaknesses in common Tools and Protocols
  • Prefer those that are not typically monitored
• Prime Target: FTP
  • The world’s most common data interchange protocol, including corporate IT
  • Customers forget they use it, no one responsible
  • No Management / Monitoring Tools
  • By default attacks are typically not logged
  • Attack tools available on internet, instructions on YouTube

Popular FTP Hacking Tools
• THC-Hydra (http://www.thc.org/thc-hydra)
• Medusa (http://foofus.net/goons/jmk/medusa/medusa.html)
• Ncrack (http://nmap.org/ncrack)
• Brutus (http://www.hoobie.net/brutus)

Search “Hack FTP” on YouTube

Where is FTP used?
• With External Partners
  • Often hosting sensitive data
• On Web Servers
  • Providing access to the corporate web site and other resources
• As departmental data interchange tool
  • Often deployed without IT’s knowledge & involvement
  • Typically extremely vulnerable due to lack of security
• In the Data Center
  • Server <-> Server and Server <-> Mainframe data transfer

FTP Issues
• Don’t know where they use FTP – and how much
• No Tools to monitor and audit FTP usage
  • Lack of compliance
  • Not able to detect attacks
  • Not able to determine what was taken
• Not sufficiently protected against FTP attacks
  • Firewalls and IDS (Intrusion Detection Systems) cannot do it

Intrusion Detection Systems
• Designed primarily to detect intrusions from outside
  • Malicious employees and contractors are a common threat
• Looks for anomalies in network traffic
• Does not understand the network protocols it looks at
• Recognizes brute force attacks by frequency, not content
• Can be circumvented easily

The FTP/Security Suite
• FTP/Auditor: FTP Server discovery
  • Where is FTP running, how is it secured?
• FTP/Sentry: Real-Time monitoring and alerting
  • What is happening? What problems are occurring?
• Sentry Desktop: Auditing and historical analysis
  • Who accessed which files - when and from where?
  • Exceptions and Alerts
• FTP/Armor: Securing FTP Servers
  • Detects attacks, alerts IT staff and blocks intruders
  • Complements Intrusion Detection Systems
• FTP/Guardian: Integrates Mainframe FTP with Mainframe Security

Conceptual Overview
[Diagram labels: Remote Agents; Real Time Monitor; FTP Activity DB (SQL Server); Sentry Desktop]

Typical FTP Attack
User: Administrator
Password: AAAAA
Password: AAAAB
Password: AAABA
Password: AAABB
……
IP n.n.n.n

FTP Attack with FTP/Sentry
[Diagram labels: FTP Activity DB (SQL Server); Real Time Monitor]
User: Administrator
Password: AAAAA
Password: AAAAB
Password: AAABA
Password: AAABB
……
IP n.n.n.n

FTP Attack with FTP/Sentry
[Diagram labels: Real Time Monitor; Alert; Sentry Desktop; Console]
User: Administrator
Password: AAAAA
Password: AAAAB
Password: AAABA
Password: AAABB
……
IP n.n.n.n

FTP Attack with FTP/Sentry
[Diagram labels: Real Time Monitor; Remote Agents; BLOCK IP n.n.n.n (shown three times)]
User: Administrator
Password: AAAAA
Password: AAAAB
Password: AAABA
Password: AAABB
……
IP n.n.n.n

FTP Attack with FTP/Sentry
[Diagram labels: Remote Agents; Connection refused]
User: Administrator
Password: AAAAA
Password: AAAAB
Password: AAABA
Password: AAABB
……
IP n.n.n.n
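
The detect, alert and block sequence on the slides above, together with the earlier point that an IDS recognizes brute force "by frequency, not content", sketched as an added example (not code from the presentation or from FTP/Security Suite). The event tuple format, thresholds, user names and IP addresses are constructed assumptions; only the FTP reply codes 230 and 530 come from RFC 959.

```python
from collections import defaultdict

def login_results(events):
    """Yield (ts, ip, user, ok) for each server reply that answers a PASS command."""
    state = {}                                    # ip -> (user, last client verb)
    for ts, ip, side, line in events:
        verb, _, arg = line.partition(" ")
        if side == "C":
            user = arg if verb == "USER" else state.get(ip, (None, None))[0]
            state[ip] = (user, verb)
        elif state.get(ip, (None, None))[1] == "PASS" and verb in ("230", "530"):
            yield ts, ip, state[ip][0], verb == "230"   # RFC 959: 230 ok, 530 refused
            state[ip] = (state[ip][0], None)

def content_based(events, max_failures=4):
    """Block an IP after max_failures failed logins for one user, at any rate."""
    failures, blocked = defaultdict(int), []
    for ts, ip, user, ok in login_results(events):
        if ip in blocked:
            continue                              # an agent would refuse this client
        failures[ip, user] = 0 if ok else failures[ip, user] + 1
        if failures[ip, user] >= max_failures:
            blocked.append(ip)
    return blocked

def frequency_based(events, limit=5, window=60):
    """Rate-only baseline: flag an IP that fails `limit` logins within `window` s."""
    recent, flagged = defaultdict(list), []
    for ts, ip, user, ok in login_results(events):
        if not ok:
            recent[ip] = [t for t in recent[ip] if ts - t < window] + [ts]
            if len(recent[ip]) >= limit and ip not in flagged:
                flagged.append(ip)
    return flagged

def sample_events():
    """Constructed traffic: (epoch seconds, client IP, C or S side, FTP line)."""
    def attempt(t, ip, user, code):
        return [(t, ip, "C", f"USER {user}"), (t, ip, "S", "331 Password required"),
                (t + 1, ip, "C", "PASS ****"), (t + 1, ip, "S", f"{code} reply")]
    ev = []
    for i in range(6):                            # slow guessing: one try per 10 min
        ev += attempt(600 * i, "198.51.100.7", "Administrator", "530")
    ev += attempt(100, "203.0.113.20", "batchjob", "530")   # one typo ...
    ev += attempt(130, "203.0.113.20", "batchjob", "230")   # ... then success
    return sorted(ev, key=lambda e: e[0])

if __name__ == "__main__":
    print("content-based blocks:", content_based(sample_events()))
    print("frequency-based flags:", frequency_based(sample_events()))
```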

Why are our products so important?
• Without them our Customers would not:
  • Know which servers are vulnerable through running FTP
  • Be protected against FTP attacks
  • Be able to notice an attack
    • what ID was compromised and
    • what was taken
  • Be able to audit WHEN WHO accessed WHAT from WHERE
  • Have operational visibility and control of their FTP infrastructure

Interesting Studies & Reports
• Carnegie Mellon Software Engineering Institute: ‘Insider Threat Study: Illicit Cyber Activity Involving Fraud in the U.S. Financial Services Sector’
• Key Findings:
  • An average of 32 months elapsed between the beginning of the fraud and its detection by the victim organization
  • “The insiders’ means were not especially sophisticated” – the fraud was possible due to lack of controls/security, not the skills of the perpetrators

Interesting Studies & Reports
• Forrester: ‘Understand The State Of Data Security And Privacy: 2012 To 2013’
• Key Findings:
  • Intentional Data Theft accounts for 45% of all Data Breaches
  • 33% of Intentional Data Theft is committed by Malicious Insiders
  • 66% of Intentional Data Theft is committed by External Attacks

Interesting Studies & Reports
• Ponemon Institute: ‘2012 Cost of Cyber Crime Study: United States’
• Key Findings:
  • Average cost of a data breach in the US is $8,933,510
  • Certain industries, such as Financial Services, experience higher cost
  • The companies in the study experienced an average of 1.8 successful attacks per week

Questions?