Protecting Your Website / Network, Onno W. Purbo (onno@indo.net.id)

Upload: jeffry-perkins

Post on 30-Dec-2015


Page 1: Protecting Your Website / Network Onno W. Purbo onno@indo.net.id

Protecting Your Website / Network

Onno W. Purbo

onno@indo.net.id

Page 2:

“Information Security is about technology, policy, people and common sense”

Page 3:

Excellent References

• http://www.sans.org

• http://www.cert.org

Page 6:

Extreme References

• http://www.remote-exploit.org

• http://packetstormsecurity.org

Page 7:

Outline

• Technical Tips

• Security Policies

• Knowing Your Friends & Enemies

Page 8:

CERT Technical Tips

• URL
– http://www.cert.org/tech_tips/

• Covering
– Securing Systems or Networks
– Responding to Incidents
– Web Security Issues
– Mail Abuse
– Understanding Attacks
– Securing Networks Systematically

Page 9:

Where It All Started …

• Choosing an Operating System

Page 10:

Choosing an Operating System

• In-House vs. Outside Tech Support
– Do you have the HR to do it?

• Freely-Available vs. Commercial Software
– Do you have the HR to do it?

• Understand Your Needs
– Availability of source code vs. binaries
– Availability of technical expertise (internal and external)
– Maintenance and/or customer support
– Customer requirements and usability
– Cost of software, hardware, and technical support staff

Page 11:

Choosing an Operating System

• Regardless of the choice you make, you should first carefully review and understand the needs of your organization or customer base in terms of resources, cost, and security risk, as well as any site-specific constraints; compare the available products and services to your needs; and then determine what product best matches your needs.

Page 12:

Network Security Technology Map

Page 13:

Network Security Technology Map

Page 14:

Internet Security Aspects

• Penetration testing

• Certificate Authority / PKI

• Vulnerability Testing

• Managed Security Services

Page 15:

Penetration Testing

• Active Content Monitoring / Filtering

• Intrusion Detection – Host Based

• Firewall

• Intrusion Detection – Network Based

• Authorization

• Air Gap Technology

• Network Authentication

• Security Appliances

• Security Services: Penetration Testing

• Authentication

Page 16:

Certificate Authority / PKI

• Certificate Authority.

• File & Session Encryption.

• VPN & Cryptographic Communications.

• Secure Web Servers.

• Single Sign On

• Web Application Security.

Page 17:

Vulnerability Testing

• Vulnerability Scanners – Host Based

• Real-Time Security Awareness, Response & Threat Management.

• Vulnerability Scanners – Network Based.

Page 18:

Managed Security Services

• Enterprise Security Policy Implementation.

• Managed Security Services.

• Enterprise Security Administration.

• Security Services: Policy Development.

• Trusted Operating Systems.

• Anti-D.D.O.S. Tools.

Page 19:

Some Tips

• Securing Networks Systematically: the Security Knowledge in Practice (SKiP) Method

• General Advice Pertaining to Intrusion Detection

• Minimal Steps in Compromised System

• Intruder Detection Checklist

• Windows Intruder Detection Checklist

• Steps for Recovering from a UNIX or NT System Compromise

Page 20:

SKiP Method

Page 21:

SKiP Method

1. Select systems software from a vendor and customize it according to an organization’s needs.

2. Harden and secure the system against known vulnerabilities.

3. Prepare the system so that anomalies may be noticed and analyzed for potential problems.

4. Detect those anomalies and any other system changes that could indicate evidence of an intrusion.

5. Respond to intrusions when they occur.

6. Improve practices and procedures after updating the system.

7. Repeat the SKiP process as long as the organization needs to protect the system and its information assets.

Page 22:

SKiP Method

Customizing Vendor Software

• eliminate services that are unneeded and insecurely configured

• restrict access to vulnerable files and directories

• turn off software “features” that introduce vulnerabilities

• mitigate vulnerabilities that intruders can use to break into systems

Page 23:

SKiP Method

Harden and Secure the Network

• configure the system to meet organizational security requirements

• retain only those services and features needed to address specific business needs

• Securing a system against known attacks eliminates vulnerabilities and other weaknesses commonly used by intruders.

• The practices performed during this step may change over time to address new attacks and vulnerabilities.

Page 24:

SKiP Method

Prepare

• Network administrators characterize their system in the Prepare step. An administrator knows what to expect in terms of
– changes in files and directories and the operating system
– normal processes, when they run, by whom, and what resources they consume
– network traffic consumed and produced
– hardware inventory on the system

Page 25:

SKiP Method

Detect

• Administrators concentrate on detecting signs of anomalous or unexpected behavior, since it may indicate possible intrusions and system compromise.

• Administrators also watch for early warning signs of potential intruder actions such as scanning and network mapping attempts.

Page 26:

SKiP Method

Respond

• analyze the damage caused by the intrusion and respond by adding new technology or procedures to combat it

• monitor an intruder’s actions in order to discover all access paths and entry points before acting to restrict intruder access.

• eliminate future intruder access

• return the system to a known, operational state while continuing to monitor and analyze

Page 27:

SKiP Method

Improve the System

• hold a post-mortem review meeting to discuss lessons learned

• update policies and procedures

• select new tools

• collect data about the resources required to deal with the intrusion and document the damage it caused

Page 28:

General Advice Pertaining to Intrusion Detection

Page 29:

General Advice Pertaining to Intrusion Detection

• Proactive auditing and monitoring are essential steps in intrusion detection.

• It is ineffective to audit altered data or compromised systems -- their logs are unreliable.

• Establish a baseline for what you consider normal activity for your environment, so you can recognize unusual events and respond appropriately.

Page 30:

Minimal Steps in Compromised System

Page 31:

Minimal Steps in Compromised System

• Document every step that you perform in detail.

• Perform a sector-by-sector backup of the hard disk drive.

• If your organization intends to take legal action in connection with intrusions, then consult with your legal department before performing any step.

Page 32:

Intruder Detection Checklist

Page 33:

Intruder Detection Checklist

• Examine log files

• Look for setuid and setgid files

• Check system binaries

• Check for packet sniffers

• Examine files run by 'cron' and 'at'

• Check for unauthorized services

• Examine the /etc/passwd file

• Check system and network configuration

• Look everywhere for unusual or hidden files

• Examine all machines on the local network

Page 34:

Windows Intruder Detection Checklist

Page 35:

Windows Intruder Detection Checklist

Look for Signs of System Compromise

• Rootkits

• Examine Log Files

• Check for Odd User Accounts and Groups

• Check All Groups for Unexpected User Membership

• Look for Unauthorized User Rights

• Check for Unauthorized Applications Starting Automatically

• Check Your System Binaries for Alterations

Page 36:

Windows Intruder Detection Checklist

Look for Signs of System Compromise

• Check Your Network Configurations for Unauthorized Entries

• Check for Unauthorized Shares

• Check for Any Jobs Scheduled to Run

• Check for Unauthorized Processes

• Look Throughout the System for Unusual or Hidden Files

• Check for Altered Permissions on Files or Registry Keys

Page 37:

Windows Intruder Detection Checklist

Look for Signs of System Compromise

• Check for Changes in User or Computer Policies

• Ensure the System has not been Joined to a Different Domain

• Audit for Intrusion Detection

Page 38:

Windows Intruder Detection Checklist

Consider Running Intrusion Detection Systems

• Freeware/shareware Intrusion Detection Systems

• Commercial Intrusion Detection Systems

Page 39:

Windows Intruder Detection Checklist

Review CERT Documents

• Steps for Recovering from a Windows NT Compromise

• Windows NT Configuration Guidelines

• NIST Checklists

Page 40:

Recovering from Compromise

Page 41:

Recovering from Compromise

• Before you get started

• Regain control

• Analyze the intrusion

• Contact the relevant CSIRT for Incident Reporting

• Recover from the intrusion

• Improve the security of your system and network

• Reconnect to the Internet

• Update your security policy

Page 42:

Recovering from Compromise

A. Before you get started

• Consult your security policy

• If you do not have a security policy
– Consult with management
– Consult with your legal counsel
– Contact law enforcement agencies
– Notify others within your organization

• Document all of the steps you take in recovering

Page 43:

Recovering from Compromise

B. Regain control

• Disconnect compromised system(s) from the network

• Copy an image of the compromised system(s)

Page 44:

Recovering from Compromise

C. Analyze the intrusion

• Look for modifications made to system software and configuration files

• Look for modifications to data

• Look for tools and data left behind by the intruder

• Review log files

• Look for signs of a network sniffer

• Check other systems on your network

• Check for systems involved or affected at remote sites

Page 45:

Recovering from Compromise

D. Contact the relevant CSIRT and other sites involved

• Incident Reporting

• Contact the CERT Coordination Center

• Obtain contact information for other sites involved

Page 46:

Recovering from Compromise

E. Recover from the intrusion

• Install a clean version of your operating system

• Disable unnecessary services

• Install all vendor security patches

• Consult CERT advisories, external security bulletins and vendor-initiated bulletins

• Use data from backups with caution

• Change passwords

Page 47:

Recovering from Compromise

F. Improve the security of your system and network

• Review security using the UNIX or NT configuration guidelines document

• Install security tools

• Enable maximal logging

• Configure firewalls to defend networks

Page 48:

Recovering from Compromise

G. Reconnect to the Internet

H. Update your security policy

• Document lessons learned from being compromised

• Calculate the cost of this incident

• Incorporate necessary changes (if any) in your security policy

Page 49:

Security Policies

Page 50:

Security Policies

• URL
– http://www.sans.org/resources/policies/
– http://www.sans.org/resources/policies/Policy_Primer.pdf

• Template For
– Wireless Communication Policy
– Server Security Policy
– Anti-Virus Process
– Extranet Policy

Page 52:

A Security Policy Framework

• Policies define appropriate behavior.

• Policies set the stage in terms of what tools and procedures are needed.

• Policies communicate a consensus.

• Policies provide a foundation for HR action in response to inappropriate behavior.

• Policies may help prosecute cases.

• Ref: Michele D. Guel, The SANS Policy Primer.

Page 53:

Policy Outline

• Purpose

• Scope

• Guidelines

• Policy
– Ownership Responsibilities
– Scenarios & Business Impact
– Prohibited Use
– Network Control
– Scanning period
– Monitoring

• Enforcement

• Definitions

Page 54:

Knowing Friends & Enemies

Page 55:

Type of Communities

• IT Policy & Politics
– [email protected]

• IT Network Administrators
– [email protected]
– [email protected]

• Programmer (Formal & White Collar)
– [email protected]

• Hacker & Virus
– [email protected]
– [email protected]

Page 56:

IT Policy & Politics

Name                 Members
genetika             2205
telematika           1750
mastel-anggota       337

Page 57:

IT Network Administrators

Name                       Members
asosiasi-warnet            6241
Ilmukomputer-networking    5636
It-center                  4889
indowli                    4766

Page 58:

Programmer

Name                       Members
Ilmukomputer-programming   5226
Indoprog-vb                5215
delphindo                  2844
jug-indonesia              1783
csharp-indo                699

Page 59:

Hacker & Virus

Name                  Members
jasakom-perjuangan    12278
newbie-hacker         5636
majalahneotek         5633
vaksin                3388
yogyafree             2251
indocrack             1175
bandunghack           1046

Page 60:

IT Politics & Policy

• telematika

Page 65:

Programmer

• Csharp-indo

• Jug-indonesia

• Delphindo

• Indoprog-vb

• Ilmukomputer-programming

Page 66:

Delphindo

Page 71:

Hacker Communities

• Bandunghack

• Indocrack

• yogyafree

• Jasakom-perjuangan

Page 72:

bandunghack

Page 78:

Jasakom-perjuangan
