Assessments Lesson 3

Upload: morgan-mclaughlin

Post on 27-Dec-2015

Page 1: Assessments Lesson 3. The Hacker mindset Hacker is someone who tries to “figure out how things work” Originally a term of respect given to the uber- geek

Assessments

Lesson 3


The Hacker mindset

o A hacker is someone who tries to “figure out how things work”
o Originally a term of respect given to the uber-geek
o Someone who could quickly create software code that worked, i.e. “hack out a routine”
o Original hackers were often looking for loopholes to increase their allotment of CPU time on early mainframes
o Quest for knowledge


The Cracker mindset

o Someone who tries to break into a computer system for malicious purposes (defacement, theft, fraud, denial of service)
o Thought to have been coined by hackers to differentiate themselves in the 1980s
o Media uses “hacker” when they usually mean “cracker”
o Key is intent of actions and attitude


The Cracker mindset (cont.)

Lots of examples of cracker activity:

o Theft: CD Universe and 300,000 credit cards
  o Russian cracker named Maxus
  o Ransom demand of $100K to $300K
  o January 2000
o Defacements
o Internet is a tempting target
  o BizRate.com estimated sales of $1.2B during a single week of December 2000


Typical Cracker Activity 2/18/01


What are security assessments

o Assessments are an examination of an organization’s current security posture
o A good mechanism to find and fix holes before someone else finds them
o Keep in mind: someone else is looking for your security holes even if you aren’t


What are security assessments

Three common terms for security assessments

o Security Audit
o Risk Assessment
o Penetration Test

They may sometimes be used synonymously but they are not the same


What are security assessments

Security Audit

o More of a compliance check
o Checklists and standards
o Policies and procedures
o Backups
o Verification: are you doing what you are supposed to be doing?
o BS 7799 (British Standards Institute Code of Practice for Information Security Management)
  o Controls and practices


What are security assessments

Risk Assessment

o Also more of a paper exercise
o Weighs likelihood against impact
o Weighs cost against benefit

Much more business oriented


What are security assessments

Penetration Test

o Looks for security vulnerabilities
  o Unpatched operating system or application
  o Known security holes
  o Accounts with weak or no passwords
o Examines impact of discovered vulnerabilities
o Targets digital, physical, and personnel (social engineering)
o Hands-on test of network security
o More thorough and effective


Penetration Techniques

Breaking into computers and networks can involve technical attacks or social engineering.

Technical attacks involve:

o Eavesdropping
o Breaches of access controls

Social Engineering (misrepresentation): relies on lies, bribes and forms of seduction that can trick honest or marginally dishonest employees into revealing authentication information.


Technical Attacks

Breaching access controls

o Brute force attacks
  o Demon/war dialing
  o Exhaustive search for userid/password
  o Scavenging RAM
o Intelligent guesswork
  o Canonical passwords (default passwords and accounts)
  o BAD passwords
o Discarded media
o Shoulder surfing
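As an added example (not part of the lesson slides), the defender's side of the exhaustive userid/password search listed above: a small Python detector that reads failed-login lines and flags any source that fails a threshold of attempts inside a sliding time window, listing the distinct accounts it tried (many accounts from one source is the signature of guessing rather than a forgotten password). The log lines are constructed to resemble sshd syslog records; the threshold and window values are assumptions to tune per environment.

```python
"""Detect exhaustive userid/password search in authentication logs.

Added example, not from the lesson: flags a source that produces at least
THRESHOLD failed logins inside a sliding WINDOW and reports the distinct
accounts it tried. Log lines are constructed to resemble sshd output.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample: five failures from one source in eleven seconds,
# then a single failure and a success from an unrelated source.
SAMPLE_LOG = """\
Jan 14 03:12:01 gw sshd[2201]: Failed password for root from 198.51.100.23 port 51022 ssh2
Jan 14 03:12:04 gw sshd[2203]: Failed password for invalid user admin from 198.51.100.23 port 51030 ssh2
Jan 14 03:12:07 gw sshd[2205]: Failed password for invalid user oracle from 198.51.100.23 port 51041 ssh2
Jan 14 03:12:09 gw sshd[2207]: Failed password for root from 198.51.100.23 port 51052 ssh2
Jan 14 03:12:12 gw sshd[2209]: Failed password for invalid user test from 198.51.100.23 port 51060 ssh2
Jan 14 03:20:44 gw sshd[2290]: Failed password for alice from 203.0.113.8 port 40110 ssh2
Jan 14 03:20:50 gw sshd[2291]: Accepted password for alice from 203.0.113.8 port 40110 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>[\d.]+) port \d+"
)


def parse_failures(log_text, year=2001):
    """Yield (timestamp, source, user) for each failed-login line.
    Syslog lines carry no year, so one is supplied (assumed)."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # accepted logins and unrelated lines are ignored
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["src"], m["user"]


def find_brute_force(log_text, threshold=5, window_seconds=60):
    """Return {source: sorted list of tried users} for every source whose
    failure count reaches `threshold` within any `window_seconds` span."""
    recent = defaultdict(deque)  # source -> timestamps still inside the window
    users = defaultdict(set)     # source -> accounts it tried
    flagged = {}
    for ts, src, user in sorted(parse_failures(log_text)):
        q = recent[src]
        q.append(ts)
        users[src].add(user)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()          # drop failures that fell out of the window
        if len(q) >= threshold:
            flagged[src] = sorted(users[src])
    return flagged


if __name__ == "__main__":
    for src, tried in find_brute_force(SAMPLE_LOG).items():
        print(f"{src}: {len(tried)} distinct accounts tried: {', '.join(tried)}")
```

Run as-is it reports the single guessing source; raising the threshold to six (`find_brute_force(SAMPLE_LOG, threshold=6)`) clears it, which is the knob to turn when a site's legitimate users generate more failures than the default allows.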


Technical Attacks

Intercepting communications

o Can obtain information by monitoring communication between a peripheral node and the host
o Wiretapping: intercepting the data stream on a communications channel
  o Phone lines, leased lines, long distance transmissions
  o Internet connections
  o LAN sniffers
  o Optical fiber: can be tapped
o Wireless
  o Radio and wireless phones, wireless networks
  o Cellular
  o Packet radio
o Van Eck interception (emanations security)


Technical Attacks

Penetration Testing

o Look for vulnerabilities in applications and services
o Commercial and freeware scanners
  o Many specialized freeware vulnerability scanners
  o Whisker scans for over 500 web-based vulnerabilities
    o Can scan over SSL
    o Has IDS evasion modes
    o Very powerful in the right hands
  o There’s a scanner for most major vulnerabilities
  o Freeware scanners are usually better and more up to date
o Examine each target and the services on the target
o Examine logins and use brute force tools if allowed
o Lots of research


Technical Attacks

Penetration Testing – Web Testing

o Scan for vulnerabilities
  o Example: Microsoft IIS 4.0 / 5.0 Extended UNICODE Directory Traversal Vulnerability
    o Published in Oct 2000
    o Access to files with IUSR account permissions on the same logical drive as the web server
    o Can give command line access to a remote attacker
o Scan for presence of sample materials
o Examine code of web pages (view source)
o Examine input fields
o Create test accounts if allowed
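As an added example, not from the slides: the IIS issue cited above was reached through non-standard (overlong) UTF-8 encodings of the path separator that the server decoded only after it had checked the path, so a reviewer of web server logs has to decode requests the same permissive way before looking for “..” segments. This Python detector does that over access-log lines; the log format, addresses and request paths are constructed samples, and a strict decoder would have rejected the overlong bytes and missed the upward traversal.

```python
"""Flag directory-traversal attempts in web server access logs.

Added example, not from the lesson. Percent-decodes each request path,
decodes UTF-8 leniently (accepting overlong forms such as C0 AF for '/'),
treats backslash as a separator, and reports any '..' path segment.
"""
import re
from urllib.parse import unquote_to_bytes

# Constructed sample lines in common log format.
SAMPLE_ACCESS_LOG = """\
10.0.0.5 - - [18/Feb/2001:10:01:02 -0500] "GET /index.html HTTP/1.0" 200 1043
10.0.0.7 - - [18/Feb/2001:10:02:15 -0500] "GET /scripts/..%c0%af../protected/config.txt?x=1 HTTP/1.0" 200 512
10.0.0.9 - - [18/Feb/2001:10:03:40 -0500] "GET /images/logo..gif HTTP/1.0" 200 2210
10.0.0.7 - - [18/Feb/2001:10:04:01 -0500] "GET /scripts/..%5c..%5cprotected/config.txt HTTP/1.0" 404 0
"""

REQ_RE = re.compile(r'^(?P<src>\S+) .*?"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')


def lenient_decode(path: str) -> str:
    """Percent-decode, then decode UTF-8 accepting overlong 2- and 3-byte
    forms. Python's strict decoder rejects overlong sequences, which is
    exactly the case a permissive server decoded, so it is done by hand."""
    raw = unquote_to_bytes(path)
    out = []
    i = 0
    while i < len(raw):
        b = raw[i]
        if b < 0x80:
            out.append(chr(b))
            i += 1
        elif 0xC0 <= b <= 0xDF and i + 1 < len(raw) and 0x80 <= raw[i + 1] <= 0xBF:
            out.append(chr(((b & 0x1F) << 6) | (raw[i + 1] & 0x3F)))
            i += 2
        elif (0xE0 <= b <= 0xEF and i + 2 < len(raw)
              and all(0x80 <= x <= 0xBF for x in raw[i + 1:i + 3])):
            out.append(chr(((b & 0x0F) << 12) | ((raw[i + 1] & 0x3F) << 6) | (raw[i + 2] & 0x3F)))
            i += 3
        else:
            out.append("\ufffd")  # undecodable byte: keep going, do not fail open
            i += 1
    return "".join(out)


def is_traversal(path: str) -> bool:
    """True when any path segment (after lenient decoding, with backslash
    treated as a separator) is exactly '..'. A name like 'logo..gif' is not."""
    decoded = lenient_decode(path.split("?", 1)[0]).replace("\\", "/")
    return any(seg == ".." for seg in decoded.split("/"))


def find_traversal_attempts(log_text):
    """Return [(source, raw request path)] for requests that traverse upward."""
    hits = []
    for line in log_text.splitlines():
        m = REQ_RE.match(line)
        if m and is_traversal(m["path"]):
            hits.append((m["src"], m["path"]))
    return hits


if __name__ == "__main__":
    for src, path in find_traversal_attempts(SAMPLE_ACCESS_LOG):
        print(f"{src} requested {path}")
```

The same decode-then-check order is what the server itself should have used; applying the check on the raw, still-encoded path is the defect the slide's example describes.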


Technical Attacks

Penetration Testing – Dial Up

o Often overlooked access method
o Often unsecured
o Dial company phone numbers looking for modems
  o Several commercial and freeware scanners available
o Test security of discovered modems
  o Default passwords work most of the time
  o Test remote access packages with client software

Penetration Testing – Wireless Networks

o Often left with little or no security
o Footprint often extends into publicly accessible areas


Social Engineering

Penetration Testing – Social Engineering

o Might not be allowed
o Trying to trick someone into giving you access
  o Pose as administrator
  o Pose as new user
  o Sound like you belong
o Lying
  o Impersonating authorized personnel
  o Impersonating 3rd party personnel
o Subverting employees and 3rd party personnel
  o Bribery
  o Seduction
  o Extortion
  o Blackmail


Physical Techniques

Penetration Testing – Physical

o Door and lock testing
  o Are servers locked up?
  o Is access to telco closets secured?
o Shoulder surfing
o Clipboard testing
o Dumpster diving
o Work area security
  o Do employees use password protected screensavers?
  o Passwords on stickies
  o Sensitive materials left out


Results

Document and catalog

o Determine the extent of discovered vulnerabilities to answer “how bad is it?”
o Record discoveries, systems affected, method of exploit, accounts and systems compromised
o Must keep information organized


Reporting

Report generation

o Provide a management level summary
o Provide a technical level summary
o Present findings in a clear and specific manner
o Provide solutions to eliminate or mitigate vulnerabilities
o The report is usually the only physical remnant of the assessment


Countermeasures

Strengthening the perimeter

o Identification: single sign-on decreases the risk that somebody writes something down
o Authentication: designed to make impersonation difficult
  o Biometrics
  o Callback
  o Smart cards and tokens
  o One time passwords
o Encryption
  o Transmission
  o Data storage
o Monitoring


Risk Analysis Automated Tools

o The Buddy System® is a hybrid software package used to identify and deal with system or project risks. It offers both qualitative and quantitative risk analysis and reporting of information or physical security in virtually any environment.
o The purpose of ASSET is to automate the completion of the questionnaire contained in NIST Special Publication 800-26, “Security Self-Assessment Guide for Information Technology Systems”.
o HIPAA EarlyView™ Security version 2.0 was designed to help covered entities assess their current state of compliance with the Final HIPAA Security Rule. Users answer a series of 165 questions that correspond to each requirement, and the software features over 20 built-in reports to help track progress.


Fundamental Elements of A Risk Analysis Tool

A comprehensive risk analysis tool consists of three fundamental steps:

o Data collection
o Analysis
o Output results

Not only should the risk analysis tool meet these basic criteria, it should meet organizational requirements as well.


Data Collection

o Asset identification and valuation
o Threat assessment
o Vulnerability assessment
o Current safeguard effectiveness


Analysis

The analytical process analyzes the relationships between assets, threats, vulnerabilities and/or safeguards, and possibly other elements (e.g., likelihood of occurrence) to determine potential losses.

o Some automated risk analysis tools use the traditional quantitative approach for calculating risks (Annual Loss Expectancy).
o Some risk analysis tools do not average the value of future losses but calculate single occurrence losses (SOL).
o The qualitative approach takes the point of view that many potential losses are intangible; therefore, risks cannot be easily specified monetarily. Risk results are portrayed in a linguistic manner (i.e., “no risk” to “very high risk”).


Output results

o Some tools do not address safeguard selection, while some do an extensive job.
o Some tools consider the costs of safeguards and their return on investment (ROI).
o The important point is that the risk analysis tool should provide managers with a good understanding of where to apply limited dollars to protect vital computer assets.
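The arithmetic behind the approaches described on the Analysis slide (annual loss expectancy, single occurrence loss, the qualitative scale) together with the safeguard cost/benefit test from this slide, as an added Python example that is not from the lesson. The asset figures are constructed, the annual-cost and rate parameters are assumptions, and the mapping of likelihood and impact ratings onto the five linguistic bands is one common convention rather than a published standard.

```python
"""Quantitative, single-occurrence and qualitative risk arithmetic, plus
the safeguard cost/benefit (ROI) test. Added example, not from the lesson;
all figures are constructed."""


def single_occurrence_loss(asset_value: float, exposure_factor: float) -> float:
    """SOL (often written SLE): the loss from one event, as the fraction of
    the asset's value that the event destroys (exposure factor 0..1)."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return asset_value * exposure_factor


def annual_loss_expectancy(asset_value: float, exposure_factor: float,
                           annual_rate: float) -> float:
    """ALE = SOL x annualized rate of occurrence (events per year)."""
    return single_occurrence_loss(asset_value, exposure_factor) * annual_rate


def safeguard_value(ale_before: float, ale_after: float, annual_cost: float) -> float:
    """Net annual benefit of a safeguard: reduction in ALE minus its yearly
    cost. Positive means the safeguard pays for itself; this is the ROI
    test the output-results slide refers to."""
    return (ale_before - ale_after) - annual_cost


# Five linguistic bands, matching the "no risk" .. "very high risk" range.
QUALITATIVE = {1: "no risk", 2: "low risk", 3: "moderate risk",
               4: "high risk", 5: "very high risk"}


def qualitative_risk(likelihood: int, impact: int) -> str:
    """Map a 1..3 likelihood rating and a 1..3 impact rating onto the
    five-step linguistic scale (assumed additive mapping)."""
    if not (1 <= likelihood <= 3 and 1 <= impact <= 3):
        raise ValueError("likelihood and impact ratings must be 1, 2 or 3")
    return QUALITATIVE[likelihood + impact - 1]


if __name__ == "__main__":
    # Constructed scenario: a $500,000 customer database; a breach destroys
    # 40% of its value; expected once every two years (ARO 0.5) today, and
    # once every twenty years (ARO 0.05) behind a $30,000/year safeguard.
    before = annual_loss_expectancy(500_000, 0.40, 0.5)   # 100,000
    after = annual_loss_expectancy(500_000, 0.40, 0.05)   # 10,000
    print(f"ALE before {before:,.0f}, after {after:,.0f}, "
          f"net safeguard value {safeguard_value(before, after, 30_000):,.0f}")
    print("qualitative:", qualitative_risk(3, 3), "/", qualitative_risk(1, 2))
```

The quantitative path gives a dollar figure managers can rank spending against; the qualitative path is for the intangible losses the slide mentions, where the band is the whole answer and no money figure is claimed.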


Picking an Automated Tool

“Guide for Selecting Automated Risk Analysis Tools”, NIST SP 500-174

o An automated risk analysis tool should contain modules for data collection, analysis, and output results.
o Effective reporting of the risk analysis results will help managers to weigh the alternatives and to select reliable and cost-effective safeguards. Therefore, the types of information expected in the output reports should be clearly defined.
o The ability to maintain a history of the information collected during the data collection phase of the analysis is useful in subsequent reviews or queries.


Example selection: Unemployment Insurance Risk Analysis Project (Gartner Group)

Project staff contacted the vendors and arranged on-site evaluations of their automated risk analysis tools and training programs. The evaluation was performed using the National Institute of Standards and Technology’s (NIST) Special Publication 500-174, Guide for Selecting Automated Risk Analysis Tools. For evaluation purposes, NIST recommends scoring the tools in various areas of capabilities.


Each NIST capability was scored from a value of 0 to 3:

o A score of 0 indicated that the capability did not exist, or if it did exist its quality was inferior.
o A score of 1 indicated that the capability existed but that it was less than adequate to perform the required tasks.
o A score of 2 indicated that the capability existed and was considered average.
o A score of 3 indicated that the capability existed and was considered above average.

The capability scores were then totaled to determine the best available automated risk analysis tool.


WEIGHT FACTOR

CAPABILITIES                                 RISK WATCH   LAVA   RISK PAC

METHODOLOGY:
  Quantitative Results                            3          1        1
  Qualitative Results                             3          2        2

DATA COLLECTION CAPABILITY:
  Assets                                          3          2        2
  Threat Sources                                  2          2        2
  Vulnerabilities                                 3          2        2
  Safeguards Evaluation Effectiveness             3          2        2

UTILITY:
  Ease of Use                                     3          3        3
  Menu Driven                                     3          3        3
  On-line Help Facility                           3          0        2
  Error Messages                                  3          0        2
  Reiterative Safeguard Selection                 3          2        2
  Quality of Documentation                        3          3        3

SECURITY CONTROLS:
  Log-on/Password                                 2          0        0
  Audit Trail                                     2          0        1

REPORTING CAPABILITIES:
  Safeguard Selection                             2          1        1
  Safeguard Cost/Benefit Analysis                 3          1        1
  Management Oriented Format                      2          1        1
  Graphic Representations                         3          2        0
  Detail Narrative                                2          1        1
  Print/Display Full Report                       2          1        2
  Print/Display Loss Analysis                     2          1        1
  Cover Pages                                     2          2        0
  Table of Contents                               1          2        0
  Page Header/Footers                             1          1        1

PRODUCTION SUPPORT:
  Vendor Provided Training                        3          2        2
  Installation Support                            3          3        3
  Telephone Support                               3          3        3
  Scheduled Enhancements                          3          3        1

OTHER:
  Cost                                            2          2        3
  SESA Knowledge Base                             3          1        2
  Tailoring for Site Specific Concerns            3          0        2

TOTALS                                           44         27       25

(The TOTALS row sums only the rows from SECURITY CONTROLS through OTHER, which appeared on the second slide of this table; the rows from METHODOLOGY through UTILITY add a further 35, 22 and 26 respectively.)
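How the 0 to 3 scoring and the totals in the table come together, as an added Python example that is not the evaluation's own tooling. The scores are transcribed from the SECURITY CONTROLS through OTHER rows, whose column sums reproduce the published totals of 44, 27 and 25; the weight factor values were not preserved in the transcript, so a uniform weight of 1 is assumed and a `weights` mapping is provided for when they are known.

```python
"""Score automated risk analysis tools per NIST SP 500-174 style
evaluation: each capability 0..3, optionally weighted, summed per group
and overall. Added example; scores are transcribed from the table, the
weights are an assumption (all 1 unless supplied)."""

TOOLS = ("Risk Watch", "LAVA", "Risk PAC")

# Transcribed rows: group -> capability -> (Risk Watch, LAVA, Risk PAC).
SCORES = {
    "Security controls": {
        "Log-on/Password": (2, 0, 0), "Audit Trail": (2, 0, 1)},
    "Reporting capabilities": {
        "Safeguard Selection": (2, 1, 1), "Safeguard Cost/Benefit Analysis": (3, 1, 1),
        "Management Oriented Format": (2, 1, 1), "Graphic Representations": (3, 2, 0),
        "Detail Narrative": (2, 1, 1), "Print/Display Full Report": (2, 1, 2),
        "Print/Display Loss Analysis": (2, 1, 1), "Cover Pages": (2, 2, 0),
        "Table of Contents": (1, 2, 0), "Page Header/Footers": (1, 1, 1)},
    "Production support": {
        "Vendor Provided Training": (3, 2, 2), "Installation Support": (3, 3, 3),
        "Telephone Support": (3, 3, 3), "Scheduled Enhancements": (3, 3, 1)},
    "Other": {
        "Cost": (2, 2, 3), "SESA Knowledge Base": (3, 1, 2),
        "Tailoring for Site Specific Concerns": (3, 0, 2)},
}


def validate(scores):
    """Reject anything outside the 0..3 scale or with a missing tool column,
    so a transcription slip cannot silently skew the ranking."""
    for group, caps in scores.items():
        for cap, vals in caps.items():
            if len(vals) != len(TOOLS) or any(v not in (0, 1, 2, 3) for v in vals):
                raise ValueError(f"{group}/{cap}: need one 0..3 score per tool")


def group_totals(scores, weights=None):
    """Return {group: {tool: weighted subtotal}}. `weights` maps a capability
    name to its weight factor; unlisted capabilities weigh 1 (assumed)."""
    validate(scores)
    weights = weights or {}
    out = {}
    for group, caps in scores.items():
        out[group] = {t: 0 for t in TOOLS}
        for cap, vals in caps.items():
            w = weights.get(cap, 1)
            for tool, v in zip(TOOLS, vals):
                out[group][tool] += w * v
    return out


def totals(scores, weights=None):
    """Overall weighted total per tool."""
    by_group = group_totals(scores, weights)
    return {t: sum(g[t] for g in by_group.values()) for t in TOOLS}


def ranking(scores, weights=None):
    """Tools ordered best first by total score."""
    return sorted(totals(scores, weights).items(), key=lambda kv: -kv[1])


if __name__ == "__main__":
    for group, subtotal in group_totals(SCORES).items():
        print(f"{group:24s} {subtotal}")
    print("TOTALS", totals(SCORES))          # {'Risk Watch': 44, 'LAVA': 27, 'Risk PAC': 25}
    print("ranking", ranking(SCORES))
```

Per-group subtotals are worth printing alongside the total: a tool can win overall while scoring zero in a group that matters to the site (here both LAVA and Risk PAC score 0 on log-on/password control), which a single summed figure hides.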


CRAMM Methodology

o Developed in 1986-1987. Last version (V3.0) released in 1997
o Used in thousands of reviews worldwide
o Provides the ability for checking scenarios (what-if)
o Provides catalog of threats and countermeasures


CRAMM

Risk evaluation is done:

o By evaluating assets (scale 1:10)
o By evaluating threats (scale 1:3)
o By evaluating vulnerabilities (scale 1:3)

Impact evaluation is integrated in the vulnerabilities evaluation.


CRAMM

Phase 1: Definition of the study’s boundaries
o Preparations
o Asset evaluation
o Findings review

Phase 2: Threat evaluation
o Relation realization
o Evaluation of threats and vulnerabilities
o Calculation of risk level
o Findings review

Phase 3: Countermeasure selection
o Recognition of the selected countermeasures
o Comparison with already existing ones
o Design of security package
o Findings review


Types of countermeasures

o Reduces the probability of threat occurrence
o Reduces vulnerabilities
o Reduces impacts
o Combination


Summary

o Hacker mentality
o Security assessments
o Penetration techniques
o Risk analysis tools
o CRAMM