CMGT/441 Intro. to Information Systems Security Management Philip Robbins – November 21, 2013...
CMGT/441 Intro. to Information Systems Security Management
Philip Robbins, November 21, 2013
Ethical Hacking & Desktop, Server, and Embedded Operating System Vulnerabilities
Information Technology, University of Phoenix, Kapolei Learning Center, Week #1
1
Slide 2
2 Ethical Hacking Topics
- Introductions
- Syllabus Review
- Fundamentals of Ethical Hacking
- Windows & *nix OS Vulnerabilities
- Embedded OS Vulnerabilities
- Class Discussion, Tools, Security Resources
- Review Questions, Q&A
- Quiz #1
- Assignment #1
Slide 3
3 Introductions Who am I?
- Information Systems Authorizing Official Representative, United States Pacific Command (USPACOM)
- Risk Management Field Assessments to the USPACOM Authorizing Official / CIO
- Former Electronics & Environmental Engineer
- Bachelor of Science in Electrical Engineering
- Master of Science in Information Systems
- Ph.D. Student in Communication & Information Sciences
- Certified Information Systems Security Professional (CISSP) and Project Management Professional (PMP)
Slide 4
4 Syllabus Class Textbook
Slide 5
5 Fundamentals A locked door keeps an honest man out.
Slide 6
6 Fundamentals Introduction to Proactive System Security
What this class IS about: an introductory course in adopting a proactive (vs. reactive) stance towards systems security.
What this class IS NOT about: an offensive class in hacking.
How does one better understand how to defend against system security attacks? By performing and testing against them.
Slide 7
7 Fundamentals What is Hacking?
Classical definition (before): seeking to understand computer systems strictly for the love of having that knowledge.
Modern definition (now): illegal access to computer or network systems.
Slide 8
8 Fundamentals What is a Hacker?
Slide 9
9
Slide 10
10 Fundamentals Who/what is a Cracker? Term used to describe a
hacker with malicious intent. Crackers (cyber criminals) get into
all kinds of mischief, including breaking or "cracking" copy
protection on software programs, breaking into systems and causing
harm, changing data, or stealing.
Slide 11
11 Fundamentals Hacker vs. Cracker?
- Today there's no real distinction between the two terms. Hacker = Cracker.
However:
- Some hackers regard crackers as less educated.
- Some crackers don't create their own work; they simply steal other people's work to cause mischief, or for personal gain.
Slide 12
12 Fundamentals Who are Script Kiddies?
- Unskilled individuals who use scripts or programs developed by knowledgeable programmers to attack computer systems.
- Generally considered posers or kiddies lacking the ability to write sophisticated scripts or programs on their own.
- Usually seeking to gain credit or impress their friends.
Slide 13
13 Fundamentals What is an Ethical Hacker? Oxymoron: Honest Criminal
- A new breed of network defenders.
- Performs the same activities a hacker does, but with the owner's / company's permission.
- Usually contracted to perform penetration testing.
Slide 14
14 Fundamentals Penetration Testing
- Discover vulnerabilities.
- Perform attack and penetration assessments.
- Perform discovery and scanning for open ports & services.
- Apply exploits to gain access and expand access as necessary.
- Activities involving application penetration testing and application source review.
- Interact with the client as required.
- Produce reports documenting discoveries during the engagement.
- Report your findings to the client at the conclusion of each engagement.
vs. Security Testing, which additionally:
+ Participates in research and provides recommendations for improvement.
+ Participates in knowledge sharing.
Slide 15
15 Fundamentals Why perform Penetration Tests?
Slide 16
16 Fundamentals Steps for a Penetration Test
Step #1: Planning Phase
- Scope & strategy of the assignment is determined.
- Existing security policies and standards are used for defining the scope.
Step #2: Discovery Phase
- Collect as much information as possible about the system, including data in the system, user names and even passwords (fingerprinting).
- Scan and probe the ports.
- Check for vulnerabilities of the system.
Step #3: Attack Phase
- Find exploits for various vulnerabilities.
- Obtain the security privileges necessary to exploit the system, and exploit.
Slide 17
17 Fundamentals Steps for a Penetration Test
Step #4: Reporting Phase
- Report must contain detailed findings.
- Risks of vulnerabilities found and their impact on business.
- Recommendations for solutions, if any (Security Testing).
Slide 18
18 Fundamentals Penetration Testing Limitations
- Can't find all the vulnerabilities on a system.
- Time for the tester
- Budget
- Scope
- Skills of testers
- Data loss and corruption
- Downtime for the organization
- Increased costs for the organization*
* How could pen testing decrease costs for an organization?
Slide 19
19 Fundamentals Roles & Responsibilities of the Pen-Tester
- Testers should collect required information from the organization to enable penetration tests (depending on the type of testing model).
- Find flaws that could allow hackers to attack a target machine.
- Pen testers should think & act like real hackers (ethically).
- Tester should be responsible for any loss in the system or information during the testing.
- Tester should keep data and information confidential.
Slide 20
20 Fundamentals Types of Pen-Testing Methodologies
White Box Model
- Tester is given the company network topology, info on technology used, and permission to interview all employees (including IT personnel).
Black Box Model
- Tester is not given any information.
- Management doesn't tell staff about the pen test being conducted.
- Helps determine whether the company's security personnel are able to detect attacks.
Gray Box Model
- Hybrid of the white and black box models.
- Tester may get partial information.
Slide 21
21 Class Discussion
Which pen-testing category / model most closely mimics an insider threat?
Which type of pen-testing model is better suited for an organization on an extremely limited budget?
Which pen-testing model is most accurate? Which can be considered to have the greatest drawback?
Slide 22
22 Class Discussion
Slide 23
23 Fundamentals Types of Hats
- White Hats (Ethical / Pen-Testers improving security)
- Black Hats (Hackers / Crackers degrading security)
- Grey Hats (In-between White and Black)
- Red Hat (Enterprise Linux)
Slide 24
24 Fundamentals What can you do legally? What about:
- Port scanning?
- Possession of hacking tools?
- Photographing?
- ISP Acceptable Use Policy (AUP)?
- Installing viruses on a computer network, denying users?
In Hawaii, the state must prove that the person charged with committing a crime on a computer had the intent to commit a crime.
Slide 25
25 Fundamentals Federal Laws:
- Computer Fraud and Abuse Act, Title 18: crime to access classified information without authorization.
- Electronic Communication and Abuse Act: illegal to intercept any communication, regardless of how it was transmitted.
- Stored Wire and Electronic Communications and Transactional Records Act: defines unauthorized access to computers that store classified information.
Slide 26
26 Class Discussion
What are the advantages of using a written contract when engaged in a computer consulting job?
Why is it important that your attorney read over the contract before you sign it?
What is upper management's role for a penetration test?
Slide 27
27 Class Discussion Why do you think the government does not
define a common law for computer-related crimes, rather than
allowing each state to address these issues?
Slide 28
28 Fundamentals Ethical Hacking in a Nutshell
- Must have a good understanding of networks & computer technology.
- Must be able to communicate with management & IT personnel.
- Must have an understanding of the laws that apply to your location.
- Must be able to apply the necessary tools to perform your tasks.
Slide 29
29 Fundamentals Professional Certifications
- Certified Ethical Hacker (CEH)
- Cisco Certified Network Associate (CCNA)
- Project Management Professional (PMP)
- Certified Information Systems Security Professional (CISSP)
Slide 30
30 Fundamentals Careers
Slide 31
31 Fundamentals CEH 22 Domains
Slide 32
32 Tools Backtrack 5r3
Ubuntu Linux distribution providing a comprehensive collection of security-related tools for digital forensics and pen testing use.
http://www.backtrack-linux.org/downloads/
Slide 33
33 Tools Kali Linux (a.k.a. Backtrack 6)
A Debian Linux distribution rewritten from Backtrack. Preinstalled with numerous penetration-testing programs, including nmap (a port scanner), Wireshark (a packet analyzer), John the Ripper (a password cracker), and Aircrack-ng (a software suite for penetration-testing wireless LANs).
http://www.kali.org/downloads
35 Tools Damn Vulnerable Linux (DVL) 1.5 Infectious Disease
Originally formed from Slackware with the goal of being an intentionally vulnerable system for practice/teaching purposes in regards to network and computer security. Now considered discontinued.
http://distrowatch.com/table.php?distribution=dvl
http://download.vulnhub.com/dvl/DVL_1.5_Infectious_Disease.iso
Slide 36
36 General Security Resources
Cyber Hui http://www.cyberhui.org/
Cyber Hui is a community of Hawaii cyber security professionals dedicated to sharing skills and knowledge with high school and college students. Join the Hui; check out their resources and discussion forums.
SANS Institute http://www.sans.org/
Source for information security training and security certification; develops, maintains, and makes available at no cost a collection of research documents about various aspects of information security. Find whitepapers here that interest you.
Symantec Connect http://www.securityfocus.com/
Technical community for Symantec customers, end-users, developers, and partners.
SearchSecurity http://searchsecurity.techtarget.com/
Online information security magazine providing immediate access to late-breaking industry news, virus alerts, new hacker threats and attacks.
Internet Storm Center https://isc.sans.edu/forums/Diary+Discussions/
Community forums, discussions, and daily podcasts on auditing, forensics, network security, pen testing.
Slide 37
37 General Security Resources CyberPatriot
http://www.uscyberpatriot.org/CP5/Training.aspx Air Force Cyber
Defense Competition.
Slide 38
38 General Security Resources IASE
http://iase.disa.mil/policy-guidance/ Most comprehensive
compilation of DoD Policies & Guidance documentation for
Information Assurance.
Slide 39
39 Review Questions
Question #1: The U.S. Department of Justice defines a hacker as which of the following?
a. A person who accesses a computer or network without the owner's permission.
b. A penetration tester.
c. A person who uses telephone services without payment.
d. A person who accesses a computer or network with the owner's permission.
Slide 41
41 Review Questions
Question #2: A penetration tester is which of the following?
a. A person who accesses a computer or network without permission from the owner.
b. A person who uses telephone services without payment.
c. A security professional who's hired to hack into a network to discover vulnerabilities.
d. A hacker who accesses a system without permission but does not delete or destroy files.
Slide 43
43 Review Questions
Question #3: Some experienced hackers refer to inexperienced hackers who copy or use prewritten scripts or programs as which of the following?
a. Script Monkeys.
b. Packet Kiddies.
c. Packet Monkeys.
d. Script Kiddies.
Slide 45
45 Review Questions
Question #4: A team composed of people with varied skills who attempt to penetrate a network is referred to as which of the following?
a. Green Team
b. Blue Team
c. Black Team
d. Red Team
Slide 47
47 Review Questions
Question #5: What portion of your ISP contract might affect your ability to conduct a penetration test over the Internet?
a. Scanning Policy
b. Port Access Policy
c. Acceptable Use Policy
d. Warranty Policy
Slide 49
49 Review Questions
Question #6: Which federal law prohibits unauthorized access of classified information?
a. Computer Fraud and Abuse Act, Title 18
b. Electronic Communication and Abuse Act
c. Stored Wire and Electronic Communications and Transactional Records Act
d. Fourth Amendment
Slide 51
51 Review Questions
Question #7: Which federal law prohibits intercepting any communication, regardless of how it was transmitted?
a. Computer Fraud and Abuse Act, Title 18
b. Electronic Communication and Abuse Act
c. Stored Wire and Electronic Communications and Transactional Records Act
d. Fourth Amendment
Slide 53
53 Review Questions
Question #8: Which federal law amended Chapter 119 of Title 18, U.S. Code?
a. Computer Fraud and Abuse Act, Title 18
b. Electronic Communication and Abuse Act
c. Stored Wire and Electronic Communications and Transactional Records Act
d. U.S. Patriot Act, Sec. 217: Interception of Computer Trespasser Communications
Slide 55
55 Review Questions
Question #9: To determine whether scanning is illegal in your area, you should do which of the following?
a. Refer to the U.S. Code
b. Refer to the U.S. Patriot Act
c. Refer to the state laws
d. Contact your ISP
Slide 57
57 Review Questions
Question #10: As a security tester, what should you do before installing hacking software on your computer?
a. Check with local law enforcement agencies.
b. Contact your hardware vendor.
c. Contact your software vendor.
d. Contact your ISP.
Slide 59
59 Review Questions
Question #11: Before using hacking software over the Internet, you should contact which of the following?
a. Your ISP.
b. Your vendor.
c. Local law enforcement authorities, to check for compliance.
d. The FBI.
Slide 61
61 Review Questions
Question #12: Which organization issues the Top 20 list of current network vulnerabilities?
a. SANS Institute
b. ISECOM
c. EC-Council
d. OPST
Slide 63
63 OS Vulnerabilities Windows How do we deal with this?
Slide 64
64 OS Vulnerabilities Windows
- OSs contain serious vulnerabilities that attackers can exploit.
- Default installations are especially at risk.
How do we deal with this?
- Reduce our attack surface.
- Disable, reconfigure, or uninstall unnecessary services.
- Employ system hardening techniques.
- Monitor new vulnerabilities / automatic updates.
- Periodic assessment / scans.
- Patch.
Slide 65
65 OS Vulnerabilities CVE search on NVD
http://www.cve.mitre.org/cve/index.html
http://web.nvd.nist.gov/view/vuln/search?execution=e2s1
Slide 66
66
Slide 68
68 OS Vulnerabilities Windows File Systems
Purpose is to store and manage information.
File Allocation Table (FAT): standard file system for most removable media.
Why would using FAT in a multiuser environment be considered a critical vulnerability? Because FAT doesn't support file-level access control lists (ACLs)!
512 B = 1 sector; 1 cluster = smallest allocated unit for a file.
Slide 70
70 OS Vulnerabilities Windows File Systems
New Technology File System (NTFS): supports larger files and disk volumes while addressing security through ACLs and file-system journaling.
Alternate Data Streams (ADSs) are an NTFS feature added for compatibility with the old Apple Hierarchical File System, which used both data forks (contents of documents) and resource forks (file type identification) to store data.
Why are ADSs considered a security risk? ADSs make it possible for attackers to hide and store exploitation tools and other malicious files on compromised systems, out of sight of a normal directory listing.
Slide 71
71 OS Vulnerabilities Windows File Systems
New Technology File System (NTFS): tools used for detecting ADSs
- LADS http://www.heysoft.de/en/software/lads.php
  Program that lists all alternate data streams of an NTFS directory.
- lns http://ntsecurity.nu/toolbox/lns
  LNS is a tool that searches for NTFS streams (aka alternate data streams or multiple data streams).
- Tripwire http://www.tripwire.com/
  Enterprise vulnerability management solution using signatures to find vulnerabilities.
- dir /r (Command Prompt, cmd)
  Run from the directory you want to display; lists the ADSs of each file. Available in Windows Vista and later.
Slide 72
72 OS Vulnerabilities Windows File Systems
New Technology File System (NTFS): using LADS & lns to detect ADSs.

Uncompromised system (LADS):
LADS - Freeware version 4.00
(C) Copyright 1998-2004 Frank Heyne Software (http://www.heysoft.de)
This program lists files with alternate data streams (ADS)
Use LADS on your own risk!

Scanning directory C:
      size  ADS in file
----------  ---------------------------------
Error 32 opening C:\pagefile.sys

The following summary might be incorrect because there was at least one error!
0 bytes in 0 ADS listed

Compromised system (LADS):
LADS - Freeware version 4.00
(C) Copyright 1998-2004 Frank Heyne Software (http://www.heysoft.de)
This program lists files with alternate data streams (ADS)
Use LADS on your own risk!

Scanning directory C:\compaq
      size  ADS in file
----------  ---------------------------------
     32768  C:\compaq\test_file:ipeye.exe
     32768  C:\compaq\test_file2:klogger.exe
    143360  C:\compaq\test_file3:psexec.exe
     86016  C:\compaq\test_file4:pslist.exe

    294912 bytes in 4 ADS listed

Compromised system (lns):
lns 1.0 - (c) 2002, Arne Vidstrom - http://ntsecurity.nu/toolbox/lns/

c:\compaq\test_file - Alternative data stream [:ipeye.exe:$DATA]
c:\compaq\test_file2 - Alternative data stream [:klogger.exe:$DATA]
c:\compaq\test_file3 - Alternative data stream [:psexec.exe:$DATA]
c:\compaq\test_file4 - Alternative data stream [:pslist.exe:$DATA]
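The same check as an added PowerShell example (not from the slides, LADS or lns): it walks a directory, lists every named stream other than the default :$DATA, and flags streams that look like hidden executables, which is what the LADS output above shows for C:\compaq. It assumes Windows PowerShell 3.0 or later on an NTFS volume; C:\compaq is the constructed sample path from the slide.

```powershell
# Added example (not part of the original slides): enumerate NTFS alternate data
# streams under a directory and flag those that could hide tools or payloads.
# Assumes Windows PowerShell 3.0+ (Get-Item -Stream) and an NTFS volume.
function Find-AlternateDataStreams {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Zone.Identifier is the benign "mark of the web" stream added to downloads
        [string[]] $IgnoreStreams = @('Zone.Identifier')
    )
    Get-ChildItem -LiteralPath $Path -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            # One object per stream; the unnamed main stream is reported as ':$DATA'
            Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue
        } |
        Where-Object { $_.Stream -ne ':$DATA' -and $IgnoreStreams -notcontains $_.Stream } |
        ForEach-Object {
            # First line of the stream: a PE file (exe/dll) starts with the bytes 'MZ'
            $head = Get-Content -LiteralPath $_.FileName -Stream $_.Stream `
                                -TotalCount 1 -ErrorAction SilentlyContinue
            [pscustomobject]@{
                File        = $_.FileName
                Stream      = $_.Stream
                Bytes       = $_.Length
                LooksLikePE = ($head -is [string] -and $head.StartsWith('MZ'))
                # Stream names that end in an executable extension, as in the slide
                Suspicious  = ($_.Stream -match '\.(exe|dll|bat|cmd|ps1|vbs)$')
            }
        }
}

# Constructed sample run against the directory the slide scanned with LADS
Find-AlternateDataStreams -Path 'C:\compaq' | Format-Table -AutoSize
```

The objects can be filtered, exported to CSV, or compared against an earlier baseline from a scheduled task, which is the integrity-monitoring role the slide assigns to Tripwire.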
Slide 73
73 OS Vulnerabilities Remote Procedure Call (RPC) Interprocess
communication mechanism. Allows a computer program to cause a
subroutine or procedure (program) to execute in another address
space (on another computer within a shared network).
Slide 74
74 OS Vulnerabilities Remote Procedure Call (RPC)
http://technet.microsoft.com/en-us/security/bulletin/
Slide 75
75 OS Vulnerabilities Remote Procedure Call (RPC)
Slide 76
76 OS Vulnerabilities
http://www.microsoft.com/technet/security/tools/mbsahome.mspx/
Slide 77
77 OS Vulnerabilities
Slide 78
78 OS Vulnerabilities
http://www.dorkatron.com/docs/ISA330/W2%20-%20READING%20-%20MBSA%20Report%20for%20Philip%20Robbins.pdf
Slide 79
79 OS Vulnerabilities Network Basic Input / Output System (NetBIOS)
- OSI Session Layer 5.
- Software loaded into memory that allows a program to interact with a shared network resource or device.
- NetBIOS frees an application from understanding the details of a network.
- Still used today for ensuring backward compatibility.
- Uses ports that are often left open to the Internet: UDP/137, UDP/138, TCP/139.
Slide 82
82 OS Vulnerabilities Network Basic Input / Output System (NetBIOS)
Why is NetBIOS over TCP/IP considered a security risk? Because an attacker can gain the following information:
- Computer name
- Contents of the remote name cache, including IP addresses
- A list of local NetBIOS names
- A list of names resolved by broadcast or via WINS
- Contents of the session table with the destination IP addresses
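An added PowerShell example (not from the slides) for the defender's side of this: it reports whether NetBIOS over TCP/IP is enabled on each IP-enabled adapter and, with -Disable, turns it off, which removes the UDP 137/138 and TCP 139 listeners. It assumes Windows PowerShell 3.0 or later with the CIM cmdlets and an elevated session for the change.

```powershell
# Added example (not part of the original slides): audit and optionally disable
# NetBIOS over TCP/IP per adapter via the Win32_NetworkAdapterConfiguration class.
# TcpipNetbiosOptions: 0 = default (from DHCP), 1 = enabled, 2 = disabled.
# Assumes Windows PowerShell 3.0+; run elevated if you pass -Disable.
function Get-NetbiosExposure {
    param([switch] $Disable)
    $labels = @{ 0 = 'Default (DHCP)'; 1 = 'Enabled'; 2 = 'Disabled' }

    Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
        ForEach-Object {
            $adapter = $_
            if ($Disable -and $adapter.TcpipNetbiosOptions -ne 2) {
                # SetTcpipNetbios is the WMI method behind the adapter's WINS tab
                $null = Invoke-CimMethod -InputObject $adapter -MethodName SetTcpipNetbios `
                                         -Arguments @{ TcpipNetbiosOptions = [uint32]2 }
                # Re-read the instance so the report shows the new setting
                $adapter = Get-CimInstance -InputObject $adapter
            }
            [pscustomobject]@{
                Adapter   = $adapter.Description
                # IPv4 addresses only; NetBIOS over TCP/IP is an IPv4 feature
                IPAddress = ($adapter.IPAddress | Where-Object { $_ -notmatch ':' }) -join ','
                NetBIOS   = $labels[[int]$adapter.TcpipNetbiosOptions]
            }
        }
}

# Report only; add -Disable to remediate adapters that still have it on
Get-NetbiosExposure | Format-Table -AutoSize
```

After disabling, Get-NetUDPEndpoint and Get-NetTCPConnection should no longer show listeners on 137, 138 and 139; SMB on TCP 445 is unaffected and has to be filtered separately.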
Slide 83
83 OS Vulnerabilities Server Message Block (SMB)
- OSI Application Layer 7.
- Used for sharing access to files, printers, serial ports, and miscellaneous communications between nodes on a network.
- Uses port TCP/445.
- Vulnerabilities are associated with Microsoft's implementation of the SMB protocol and the components it directly relies on.
http://uwnthesis.wordpress.com/2013/05/29/metasploit-how-to-use-server-message-block-smb-or-file-sharing-scanning/
Slide 84
84 OS Vulnerabilities Common Internet File System (CIFS)
- Replaces SMB but allows backward compatibility.
- Remote file system protocol that allows computers to share network resources over the Internet.
Slide 85
85 OS Vulnerabilities Domain Controllers
- Servers that handle authentication.
- DCs using CIFS listen on the following ports: DNS (53), HTTP (80), Kerberos (88), RPC (135), NetBIOS (137 & 139), LDAP (389), HTTPS (443), SMB/CIFS (445), LDAP over SSL (636), Active Directory Global Catalog (328).
- Most attackers look for DCs because they contain so much information they want to access.
Slide 86
86 OS Vulnerabilities Null Sessions
- Allow you to connect to a remote machine without using a user name or password.
- Anonymous logins.
- e.g. FTP, SQL (null SA password), IPC$, etc.
This is the most frequently used method for network reconnaissance employed by hackers.
Slide 87
87 OS Vulnerabilities Buffer Overflows
- Occur when data is written to a buffer (temporary memory space) and, because of insufficient bounds checking, corrupts data in memory next to the allocated buffer.
- Applications written in C & C++ are vulnerable.
- Can allow attackers to run shell code.
Slide 88
88 OS Vulnerabilities Trojan -Non replicating type of malware.
-Program that appears to perform a desired function. -Gains
privileged access. -Allows remote administration (backdoors).
-Creates a file server (FTP). -Drops malicious payload.
Slide 89
89 OS Vulnerabilities Rootkits -Installed by intruders who have
gained root access. -Contains malicious Trojan binary programs.
-Designed to hide and maintain privileged access. -Can reside in
the kernel. -Removal becomes complicated.
Slide 91
91 Class Discussion
What are the benefits of using passwords as an authentication method? Cost effective and disposable.
Why can it be considered a weakness / vulnerability? What you know vs. what you are or what you have. A username and password is all that stands between an attacker and access.
Slide 92
92 OS Vulnerabilities Passwords
- All users / admins should change their passwords regularly.
- Establish a minimum length for users (8 chars) and admins (15 chars).
- Require complexity: include letters, numbers, symbols, both upper- and lower-case chars.
- No dictionary (common) or slang words (in any language).
- No connection to the user: SSN, birthdays, or names.
- Never write passwords down (esp. online, through email, or stored on a user's computer).
- Be aware of shoulder surfing.
- Limit reuse of old passwords.
- Set an account lockout duration (e.g. time out for 30 seconds after the first failed attempt).
- Set an account lockout threshold (e.g. disable the account after 3 failed attempts).
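The rules on this slide as an added PowerShell example (not from the slides): a checker that reports every rule a candidate password breaks, using the 8/15 character minimums for users and admins, the four complexity classes, a dictionary, user-connected tokens and a reuse history. The dictionary, the personal tokens and the sample passwords are constructed data.

```powershell
# Added example (not part of the original slides): check a candidate password
# against the rules listed on the slide and report every violation.
# $Role 'user' requires 8+ characters, 'admin' 15+. Sample data is constructed.
function Test-PasswordPolicy {
    param(
        [Parameter(Mandatory)] [string] $Password,
        [ValidateSet('user', 'admin')] [string] $Role = 'user',
        [string[]] $Personal   = @(),   # username, names, birthday, SSN fragments
        [string[]] $Dictionary = @('password', 'welcome', 'secret', 'admin', 'letmein'),
        [string[]] $History    = @()    # previously used passwords (plaintext, demo only)
    )
    $violations = New-Object System.Collections.Generic.List[string]
    $minLength  = if ($Role -eq 'admin') { 15 } else { 8 }

    if ($Password.Length -lt $minLength) {
        $violations.Add("shorter than the $minLength characters required for role '$Role'")
    }
    # Complexity: all four character classes must be present (case-sensitive match)
    $classes = @{ lowercase = '[a-z]'; uppercase = '[A-Z]'; digit = '\d'; symbol = '[^A-Za-z0-9]' }
    foreach ($c in $classes.GetEnumerator()) {
        if ($Password -cnotmatch $c.Value) { $violations.Add("missing a $($c.Key) character") }
    }
    # Dictionary words anywhere in the password; -match is case-insensitive
    foreach ($w in $Dictionary) {
        if ($Password -match [regex]::Escape($w)) { $violations.Add("contains dictionary word '$w'") }
    }
    # Nothing connected to the user: names, birthdays, SSN fragments
    foreach ($p in $Personal) {
        if ($p.Length -ge 3 -and $Password -match [regex]::Escape($p)) {
            $violations.Add("contains personal token '$p'")
        }
    }
    if ($History -ccontains $Password) { $violations.Add('reuses an old password') }

    [pscustomobject]@{
        Password   = $Password
        Compliant  = ($violations.Count -eq 0)
        Violations = $violations.ToArray()
    }
}

# Constructed sample checks for a user named jdoe born in 1985
$personal = @('jdoe', 'john', 'doe', '1985')
Test-PasswordPolicy -Password 'Password1985!' -Personal $personal | Format-List   # fails: dictionary word, birth year
Test-PasswordPolicy -Password 'Kp7#w2Qr'      -Personal $personal | Format-List   # passes for a user
Test-PasswordPolicy -Password 'Kp7#w2Qr'      -Role admin          | Format-List   # fails: admins need 15 chars
```

The lockout duration and threshold on the slide are enforced by account policy rather than by the password itself; on a domain they live in the Default Domain Policy and on a stand-alone host in Local Security Policy.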
Slide 93
93 OS Vulnerabilities Passwords
http://splashdata.com/press/pr121023.htm
Slide 94
94 OS Vulnerabilities
http://www.labnol.org/internet/common-passwords-to-avoid/14136/
99 Patch Scanners HFNetchk & Shavlik
- Created by Mark Shavlik.
- MBSA is based on HFNetchk.
- Shavlik for patch management.
http://www.shavlik.com/
Slide 100
100 Patch Scanners Microsoft's System Management Server (SMS)
- Patch management for all computers on your network.
http://www.microsoft.com/en-us/server-cloud/system-center/configuration-manager-2012.aspx
Slide 101
101 Patch Scanners Windows Software Update Services (WSUS)
- Patch management from the network.
- WSUS downloads patches and publishes them internally.
- Control over which updates are deployed.
http://technet.microsoft.com/en-us/windowsserver/bb332157.aspx
Slide 102
102 OS Vulnerabilities System Hardening
- Patch all known vulnerabilities (automatic updates vs. patch testing).
- Remove unwanted services.
- Enforce password complexity & policies.
- Remove unused user accounts.
- Configure and manage user privileges.
- Implement an antivirus solution.
- Enable logging / monitoring tools.
- Close unused open network ports: FTP (20, 21), TFTP (69), Telnet (23), DNS (53), NNTP (119), NetBIOS (135, 137, 138, 139, 445), RDP (3389), SNMP (161, 162), RPC (1025-1039).
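An added PowerShell example (not from the slides) for the last hardening step: it compares the host's actual TCP and UDP listeners with the port list on the slide and names the owning process, so the fix can be to stop the service rather than only to firewall the port. It assumes Windows 8 / Server 2012 or later, where Get-NetTCPConnection and Get-NetUDPEndpoint exist.

```powershell
# Added example (not part of the original slides): list listeners that fall on
# the ports the hardening slide says to close, with the process behind each one.
# Assumes Windows 8 / Server 2012+ (NetTCPIP module cmdlets).
function Get-UnwantedListeners {
    # Port -> service label, taken from the slide; 1025-1039 is the old RPC range
    $unwanted = @{ 20 = 'FTP'; 21 = 'FTP'; 23 = 'Telnet'; 53 = 'DNS'; 69 = 'TFTP'; 119 = 'NNTP';
                   135 = 'NetBIOS/RPC'; 137 = 'NetBIOS'; 138 = 'NetBIOS'; 139 = 'NetBIOS';
                   445 = 'NetBIOS/SMB'; 161 = 'SNMP'; 162 = 'SNMP'; 3389 = 'RDP' }
    1025..1039 | ForEach-Object { $unwanted[$_] = 'RPC' }

    $tcp = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
        Select-Object @{ n = 'Proto'; e = { 'TCP' } }, LocalAddress, LocalPort, OwningProcess
    $udp = Get-NetUDPEndpoint -ErrorAction SilentlyContinue |
        Select-Object @{ n = 'Proto'; e = { 'UDP' } }, LocalAddress, LocalPort, OwningProcess

    @($tcp) + @($udp) |
        Where-Object { $_ -and $unwanted.ContainsKey([int]$_.LocalPort) } |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            $name = if ($proc) { $proc.ProcessName } else { "pid $($_.OwningProcess)" }
            [pscustomobject]@{
                Proto   = $_.Proto
                Port    = [int]$_.LocalPort
                Service = $unwanted[[int]$_.LocalPort]
                Bound   = $_.LocalAddress      # 0.0.0.0 or :: means every interface
                Process = $name
            }
        } | Sort-Object Proto, Port -Unique
}

Get-UnwantedListeners | Format-Table -AutoSize
```

A DNS or RDP listener bound to 0.0.0.0 on a workstation is the kind of finding to act on; the same port on a domain controller (slide 85) is expected and should be filtered at the network edge instead.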
Slide 103
103 OS Vulnerabilities *nix
Slide 105
105 Class Discussion
Why do you think people believe Windows is more vulnerable than *nix OSs? Because a majority of people use Windows, most attackers focus on compromising that OS.
Why do you think only 1% of all desktop users use Linux?
Slide 106
106 Class Discussion Why do you think only 1% of all desktop
users use Linux? Even if Grandma knew about the alternative, (i)
would she even prefer it, and (ii) is she capable?
Slide 107
107 OS Vulnerabilities *nix Samba
- Free software.
- *nix servers can share resources with Windows clients, and vice versa, without prejudice.
- Designed to make Windows resources believe that *nix resources are Windows resources.
http://www.samba.org/
Slide 108
108 OS Vulnerabilities Samba - Search NVD for *nix
vulnerabilities related to samba.
Slide 109
109 Embedded OS Vulnerabilities
What are embedded systems? Any computer system that isn't a general-purpose PC.
What are embedded operating systems? Embedded systems that include their own operating system, including stripped-down versions of commonly used OSs.
What are some examples of embedded systems that contain embedded OSs?
Slide 110
110 Embedded OS Vulnerabilities Things to keep in mind:
- Don't underestimate the security risks associated with embedded systems simply because they're small, perform simple tasks, or because of the belief that no one would bother attacking them.
- Embedded OSs are networked and are everywhere (think about critical infrastructure & SCADA).
- Many of the vulnerabilities seen in common OSs directly carry over.
- Coding of the OS and patching can be difficult due to memory constraints. How do you patch a PIC16F877?
Slide 111
111 Embedded OS Vulnerabilities W32.Stuxnet
- Identified in 2010.
- Considered the first cyber weapon.
- Affected Supervisory Control and Data Acquisition (SCADA) systems and Programmable Logic Controllers (PLCs) within Iran's nuclear enrichment facilities.
Slide 112
112 Embedded OS Vulnerabilities Android
Slide 113
113 Embedded OS Vulnerabilities Android
http://www.wtop.com/1253/3433568/Govt-warns-Android-vulnerable-to-mobile-hacks
Slide 114
114 Class Discussion What are some of the vulnerabilities
associated with embedded devices like smart phones? What are the
risks?
Slide 115
115
Slide 116
116 Embedded OS Vulnerabilities
Slide 117
117 Embedded OS Vulnerabilities
Slide 118
118 Class Tools Vulnerable targets
Practice researching and identifying vulnerabilities within our isolated test environment.
localhost user: root, password: toor
localhost user: Administrator, password: password
Slide 119
119 Review Questions
Question #1: MBSA performs which of the following security checks?
a. Security update checks.
b. IIS checks.
c. System time checks.
d. Computer logon checks.
Slide 121
121 Review Questions
Question #2: Which ports should be filtered out to protect a network from SMB attacks?
a. 134 to 138 and 445.
b. 135, 139, and 443.
c. 137 to 139 and 445.
d. 53 and 445.
Slide 123
123 Review Questions
Question #3: Applications written in which programming language(s) are especially vulnerable to buffer overflow attacks?
a. C
b. Perl
c. C++
d. Java
Slide 125
125 Review Questions
Question #4: Which of the following is the most efficient way to determine which OS a company is using?
a. Run Nmap or other port-scanning programs.
b. Use the whois database.
c. Install a sniffer on the company's network segment.
d. Call the company and ask.
Slide 127
127 Review Questions
Question #5: Which program can detect rootkits on *nix systems?
a. chkrootkit
b. rktdetect
c. SELinux
d. Ionx
Slide 129
129 Review Questions
Question #6: Which of the following doesn't use an embedded OS?
a. An ATM
b. A workstation running Windows Vista Business
c. A NAS device running Windows Server 2008 R2
d. A slot machine
Slide 131
131 Review Questions
Question #7: Which of the following is a major challenge of securing embedded OSs?
a. Training users
b. Configuration
c. Patching
d. Backup and recovery
Slide 133
133 Review Questions
Question #8: SCADA systems are used for which of the following?
a. Monitoring embedded OSs
b. Monitoring ATM access codes
c. Monitoring equipment in large-scale industries
d. Protecting embedded OSs from remote attacks
Slide 135
135 Review Questions
Question #9 (last one): Cell phone vulnerabilities make it possible for attackers to do which of the following? (Choose all that apply.)
a. Use your phone as a microphone to eavesdrop on meetings.
b. Install a BIOS-based rootkit.
c. Clone your phone to make illegal long-distance phone calls.
d. Listen to your phone conversations.