CS3695 / M6-109 – Network Vulnerability Assessment & Risk Mitigation
Errata to Module #1: Introduction to Ethical Hacking
CEH Ver. 8
By Scott Coté
Objectives
• Be sure to review the objectives posted on Sakai for each module so that you will know what you “need to know”!
Who I Am
• Scott Coté
– Prior US Naval Officer, Supply Corps, 10 yrs
– Lecturer on Information Assurance and Cyber Security for over 10 yrs
– Certified Ethical Hacker (CEH)
– Presenting on Cyber issues at such venues as DOD Cyber Crimes Conferences, PACOM & EUCOM Cyber Endeavor, and at the NATO School in Oberammergau.
So Who the Heck are YOU?
• Tell the class:
– Your NAME
– Your Country
– The JOB you do
– What you WANT out of the class
– Your GEEK FACTOR (0 to 10):
  0: How do you spell “IP”??
  2: I can “Surf the Web”
  4: I make NICE PowerPoint Slides
  6: I know <HTML>
  8: I know C++
  9: I run MY OWN Server
  10: I have Compiled My Own Kernel
Excerpt from “The Tangled Web” by Richard Power
“You can play the stock market on-line. You can apply for a job on-line. You can shop on-line. You can learn on-line. You can borrow money on-line. You can engage in sexual activity on-line. You can barter on-line. You can buy and sell real estate on-line. You can purchase plane tickets on-line. You can gamble on-line. You can find long-lost friends on-line. You can be informed, enlightened, and entertained on-line. You can order pizza on-line. You can do your banking on-line. In some places, you can even vote on-line.”
“You can perform financial fraud on-line. You can steal secrets on-line. You can blackmail and extort on-line. You can trespass on-line. You can stalk on-line. You can vandalize someone’s property on-line. You can commit libel on-line. You can rob a bank on-line. You can frame someone on-line. You can engage in character assassination on-line. You can commit hate crimes on-line. You can sexually harass someone on-line. You can molest children on-line. You can ruin someone else’s credit on-line. You can disrupt commerce on-line. You can pillage and plunder on-line. You could incite to riot on-line. You could even start a war on-line.”
“In the digital world, just as everywhere else, humanity has encountered its shadow side. Information Age business, government, and culture have led to Information Age crime, Information Age war, and even Information Age terror… Terrorists might well target critical infrastructure such as the telephone system, the power grid, or the air traffic control system. These systems run on computers and are vulnerable to cyber-attacks.”
Today’s Threats…
• Video: Sabotaging the System – Nov 2009, US Television Newscast, 20 minutes
  http://www.cbsnews.com/stories/2009/11/06/60minutes/main5555565.shtml
• Video: Code Wars – May 2011, US Television Newscast, 45 minutes
  http://youtu.be/x-n40xm30S8
p0wn the Soda Machine
• If I told you to p0wn the soda machine in the hallway, what would that mean?
Are They So Hard To Understand?
• Have you ever been curious about how a virus works or how to hack into a computer system?
• Have you ever downloaded a song or video off the Internet?
– It’s interesting to note that many people who perform these types of activities (downloading music or breaking into a computer system) would normally never walk into a record store and steal the CD or enter someone else’s home uninvited…
• Curiosity can be a very powerful motivator, and cyber space can be an easy place to lose touch with the reality of what one may be doing.
So Why Do They Hack?
• Hackers get away from scripts and into actually understanding the computer…
– Hackers don’t generally age out of it, but find legitimate ways to use their talents.
– Curiosity again is the motivation of a good hacker…
So is Curiosity a Bad Thing?
• Curiosity is not a bad thing, but unchecked it can be…
– If a hacker is just “curious” to see if they can get onto a system and look around, but not steal or harm anything, is that bad?
– Well, I once read this analogy and thought it very befitting:
• If I awoke one night to find a stranger wandering around my home, and asked him why he was there, and he told me he was a student of interior design and just wanted to see how I had decorated my place, I would still be pissed he was there, and it would still be illegal!
– This can even apply to legal, but unethical, behaviors.
• If I walked by your place and looked in your windows just to see what was there, would it be wrong? What if I tried to turn your doorknob to see if it was locked (but didn’t open the door)?
• This analogy is similar to scanning a network… it’s not necessarily illegal, but I question the ethical issues surrounding it… In this course, scan only systems you have been authorized to test.
So Who’s Hacking your Network?
• Script-kiddies…
– Those who use automated tools found throughout the Web
– Usually limited knowledge, a lot of curiosity
– Fairly easily caught
• True Hackers
– Use their own tools
– VERY knowledgeable
– Usually sponsored (for hire…)
– Rarely caught… and even if they are, they’re rarely publicized
Hackers vs Crackers
• There is a difference!!
• Hackers:
– Gifted person who extends the function of a computer beyond its original design
– Hackers are basically GOOD…
• Crackers:
– Maliciously attack computer systems!
– Crackers are basically BAD…
http://pls.mrnet.pt/headline4visual1.html
Hacker Stratification
• Tier III – “Script Kiddies” (Inexpert)
– Ability to download exploit code and tools...
– Very little understanding of the actual vulnerability
– Randomly fires off scripts until something works...
• Tier II – IT Savvy
– Ability to program or script
– Understands what the vulnerability is and how it works...
– Intelligent enough to use the exploit code and tools with precision
• Tier I – Best of the best
– Find new vulnerabilities
– Write their own exploit code and tools
What About The Insider Threat?
• It is commonly held among security professionals that the insider threat causes approximately 70% of cyber incidents!!
– That’s a significant amount!
• Many of the assets put towards protection (firewalls and the like) are useless against your own users, as they are already inside your network!
The “Latest” Inside
• Social Engineering has become one of the most common ways to gain access to a network
– The hackers use the insider’s knowledge to become an insider themselves
There is No Patch to Human Stupidity
Which Pill Will YOU Take?
• We will NEVER be safe again
• We are Safe enough with defense in depth
Advanced Persistent Threats
• Advanced Persistent Threats (APTs) ARE the new spies, and they ARE ON YOUR NETWORK
– It’s the truth…
– Remember, you wanted the red pill…
• We have seen it in both the Military and Commercial realms!
– DOD USB Incident in Nov, 2008
– Electrical Utilities in Brazil
The NextGen of Spies: APTs!
• One of the most important terms in today’s cyber security is Advanced Persistent Threats!
– Name for targeted attacks on specific organizations by determined, well-coordinated cyber attackers.
– These are sophisticated attacks aimed at governments and corporations to gather intelligence or achieve specific NON-FINANCIAL objectives.
APTs and the Nation State
• This is the new age where nation states no longer send actual spies, like in the days of the Cold War between Russia and the USA, but instead send virtual spies, across light and copper!!
NextGen Spies: APT Characteristics
• Characteristics of APTs include:
– ADVANCED - using the best methods available to penetrate systems, gather intelligence and evade detection.
– PERSISTENT - focused on a specific objective and target, not fast financial gain.
– THREAT - organized, coordinated and sophisticated operations by skilled agents.
• The DAY BEFORE the 0-DAY!!
So Where Does That Leave Us Today?
• Looking something like this… (image on slide)
Protecting Your Network
• Before you can protect it, decide what its value is…
– Identify your critical info (if any)
– Decide its value…
– Weigh the threats against it…
– Decide the protection required…
• Once you’ve protected it, model the attacks that might be performed against it…
Unclassified J.D. Fulp CISSP-ISSEP Naval Postgraduate School
The CIA Triad
• The term “CIA Triad” refers to the three core information security objectives. Efforts to obtain/assure these three objectives motivate virtually every aspect of cyber security.
• Confidentiality: Assurance that information is not disclosed to unauthorized individuals, processes, or devices
• Integrity: Guarding against improper information modification, and includes ensuring information authenticity *
• Availability: Timely, reliable access to data and information services for authorized users
from: CNSSI 4009, the “National Information Assurance (IA) Glossary”
* Adoption of NIST’s definition sans “destruction” and “non-repudiation” developed by JD Fulp
• What do we call a loss/failure/incident of each of the three cyber security objectives?
– Confidentiality: Unauthorized disclosure (aka a “leak”)
– Integrity: Unauthorized modification or impersonation
– Availability: Denial (or degradation) of Service (DoS)
• How do these look when used as a tactic against you?
1. Confidentiality: The enemy knows your information
2. Integrity: The enemy determines (manipulates) your information!!
3. Availability: The enemy denies you access to your information
The “Risk Equation”
• The Risk Equation provides the 30K foot IA view (i.e., the very high-level view)
• The equation is expressed thusly:
    Risk = (Threats × Vulnerabilities × Impact) / Security_Controls
• Note: there is no need to actually input numeric values, this is purely a relational construct
• Note: Security_Controls are also often referred to as “safeguards” or “countermeasures”
• Rationale for the Risk Management Equation
– Product (multiplication) reflects the mutual relationship
• zero threat × any vulnerability = zero risk
• any threat × zero vulnerability = zero risk
• probability of zero risk? ~zero
• probability of zero threat? ~zero
• therefore, probability of some risk? ~100%
– Risk less Safeguards results in Residual Risk: ideally zero, but more realistically, non-zero yet acceptable
The “Risk Equation” (annotated)
    Risk = (Threats × Vulnerabilities × Impact) / Security_Controls
• Threats: Attackers’ specialty. Tactics, tools, techniques, skills, etc. employed to exploit vulnerabilities
• Vulnerabilities: Attributes of a system’s (or human’s!) design that result in the potential for error or exploitation. This is where the attacker and defender “meet”
• Impact: How bad will it hurt if you suffer an attack/failure? Think of each element of the CIA Triad as they relate to $$, trust, mission, military advantage, etc.
• Security_Controls: Defenders’ specialty. Tactics, tools, techniques, skills, etc., employed to deter, prevent, detect, mitigate, and recover from, attacks/incidents.
• Risk: The product of the interdependent elements on the right side of the equation. Defender’s job is to minimize. Attacker’s job is to exploit.
Different Types of Threats
The “Risk Equation” – Defender’s Perspective
• Risk: Result of the efforts on the right side; must be reduced to an “acceptable” level (Think DAA Certification & Accreditation!)
• Threats: Be aware of and understand
• Vulnerabilities: Work to minimize
• Impact: Set by mission requirements; determines the level of security effort!
• Security_Controls: Work to maximize
The “Risk Equation” – Attacker’s Perspective
• Risk: Result of the efforts on the right side
• Threats: Work to maximize
• Vulnerabilities: Work to discover
• Impact: Influences attack effort
• Security_Controls: Be aware of and understand. Attempt to exploit or bypass
The Cyber “Matrix”
• Crossing the CIA Triad with the controllable elements of the “Risk Equation” yields the 3x3 Cyber “Matrix”:

                   Threats   Vulnerabilities   Security_Controls
  Confidentiality
  Integrity
  Availability
The Cyber “Matrix”
• There is another useful/informative dimension to this matrix; derived from U.S. DoD (1) and IATFF (2) (among others) work in the area of cyber security
• People
• Operations
• Technology
• There is a 3x3 table for each of these
(1) DoDD 8500.1 Information Assurance, Oct 2002
(2) NSA’s Information Assurance Technical Framework Forum, Release 3.1, Sep 2002
The Cyber “Matrix”
• Relevant excerpt from the IATFF
“The underlying principles of this strategy are applicable to any information system or network, regardless of organization. Essentially, organizations address IA needs with people executing operations supported by technology.”
The Cyber “Matrix”
• Combining the CIA Triad, the controllable terms of the “Risk Equation”, and People, Operations, and Technology, yields a 3x3x3 Cyber “Matrix”. The utility of this matrix is its ability to compactly capture all categories of the playing pieces of the cyber war game.
• One 3x3 table (Threats / Vulnerabilities / Security_Controls against Confidentiality / Integrity / Availability) for each of PEOPLE, OPERATIONS and TECHNOLOGY.
The Cyber “Matrix” – Examples…
• The slide marks example cells in each of the three 3x3 tables (PEOPLE, OPERATIONS, TECHNOLOGY; columns T = Threats, V = Vulnerabilities, S = Security_Controls; rows C / I / A) and lists these playing pieces:
– Digital Signatures
– Uninterruptible Power Supplies
– “War-driving”
– Insufficiently trained personnel
– Forging a signature
– Syn-Flood attack
– Employing easily “cracked” passwords
– “m-of-n” & “peer-review” policies
– Maintain an alternate “warm” site
– Transporting sensitive data on unencrypted USB drives
– Having no backup means for transmission
– A “replay” attack
– “Phishing”
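As an added example (not code from these slides, nor from J.D. Fulp or EC-Council), the small Python model below carries the “Protecting Your Network” steps (identify, value, weigh threats, decide protection) through the “Risk Equation” and files each playing piece into a cell of the 3x3x3 Cyber “Matrix”. The three assets, their impact scores, every weight and every cell placement are constructed assumptions; only the piece names come from the slide’s example list. It keeps the slides’ caveat: the scores are ordinal and only the resulting ranking means anything.

```python
"""Relational risk model built from the lecture's "Risk Equation" and Cyber "Matrix".

Added example for this module, not code from the original slides or course.
Every asset, weight and cell placement below is constructed for illustration;
the piece names are the examples listed on the "Cyber Matrix" slide. Weights
are ordinal (1 = weak/unlikely .. 5 = strong/likely): as the slides say, only
the relative ordering of the results means anything, not the numbers.
"""
from dataclasses import dataclass, field

DIMENSIONS = ("People", "Operations", "Technology")
OBJECTIVES = ("Confidentiality", "Integrity", "Availability")
TERMS = ("Threat", "Vulnerability", "Security_Control")


@dataclass(frozen=True)
class Piece:
    """One playing piece, placed in a cell of the 3x3x3 matrix with a weight."""
    name: str
    dimension: str
    objective: str
    term: str
    weight: int

    def __post_init__(self):
        assert self.dimension in DIMENSIONS and self.objective in OBJECTIVES
        assert self.term in TERMS and 1 <= self.weight <= 5


@dataclass
class Asset:
    """Something worth protecting: impact per objective (1..5, set by mission
    requirements, not by the attacker) plus the pieces that apply to it."""
    name: str
    impact: dict
    pieces: list = field(default_factory=list)


def residual_risk(asset, objective):
    """Risk = (Threats x Vulnerabilities x Impact) / Security_Controls for one
    CIA objective of one asset.  Threat and vulnerability take the strongest
    applicable piece (an attacker needs only one path); controls add up as
    1 + sum(weights) so that 'no controls' divides by 1 and leaves risk as is."""
    relevant = [p for p in asset.pieces if p.objective == objective]
    threat = max((p.weight for p in relevant if p.term == "Threat"), default=0)
    vuln = max((p.weight for p in relevant if p.term == "Vulnerability"), default=0)
    controls = 1 + sum(p.weight for p in relevant if p.term == "Security_Control")
    return threat * vuln * asset.impact[objective] / controls


def risk_if_removed(asset, objective, piece_name):
    """Re-run the equation with one piece taken away.  Shows the 'mutual
    relationship' on the slide: remove the only threat or the only
    vulnerability and risk drops to zero; remove a control and risk goes up."""
    kept = [p for p in asset.pieces if p.name != piece_name]
    return residual_risk(Asset(asset.name, asset.impact, kept), objective)


def rank_risks(assets):
    """Every (asset, objective) pair ordered by residual risk, highest first:
    the 'decide the protection required' step of Protecting Your Network."""
    rows = [(a.name, o, residual_risk(a, o)) for a in assets for o in OBJECTIVES]
    return sorted(rows, key=lambda r: r[2], reverse=True)


def matrix_grid(assets):
    """Count the pieces in each cell of the 3x3x3 Cyber Matrix:
    grid[dimension][objective][term], i.e. the slide's three 'X' tables."""
    grid = {d: {o: {t: 0 for t in TERMS} for o in OBJECTIVES} for d in DIMENSIONS}
    for asset in assets:
        for p in asset.pieces:
            grid[p.dimension][p.objective][p.term] += 1
    return grid


def build_sample_assets():
    """Constructed sample: three assets dressed with the slide's example pieces."""
    C, I, A = OBJECTIVES
    db = Asset("customer database", {C: 5, I: 4, A: 2}, [
        Piece("Phishing", "People", C, "Threat", 4),
        Piece("Easily cracked passwords", "People", C, "Vulnerability", 4),
        Piece("Forging a signature", "People", I, "Threat", 3),
        Piece("Insufficiently trained personnel", "People", I, "Vulnerability", 2),
        Piece("Digital signatures", "Technology", I, "Security_Control", 4),
        Piece("m-of-n & peer-review policies", "Operations", I, "Security_Control", 3),
    ])
    web = Asset("public web server", {C: 1, I: 3, A: 5}, [
        Piece("SYN-flood attack", "Technology", A, "Threat", 5),
        Piece("No backup means for transmission", "Operations", A, "Vulnerability", 3),
        Piece("Uninterruptible power supply", "Technology", A, "Security_Control", 2),
        Piece("Alternate warm site", "Operations", A, "Security_Control", 3),
        Piece("Replay attack", "Technology", I, "Threat", 3),  # threat, no vulnerability
    ])
    laptops = Asset("field laptops", {C: 4, I: 2, A: 2}, [
        Piece("War-driving", "Technology", C, "Threat", 2),
        Piece("Unencrypted USB drives", "People", C, "Vulnerability", 5),
    ])
    return [db, web, laptops]


if __name__ == "__main__":
    sample = build_sample_assets()
    for name, objective, risk in rank_risks(sample):
        print(f"{risk:6.1f}  {name:18} {objective}")
    for dim, rows in matrix_grid(sample).items():
        print(f"\n{dim.upper():16}" + "".join(f"{t[:5]:>7}" for t in TERMS))
        for obj in OBJECTIVES:
            print(f"{obj:16}" + "".join(f"{rows[obj][t] or '.':>7}" for t in TERMS))
```

Run as a script, the ranking puts the customer database’s confidentiality first (strong threat, strong vulnerability, top impact, no control), while the web server’s integrity scores zero despite a listed replay threat because no vulnerability is recorded for it, and taking the warm site away doubles the availability figure. The caveat a practitioner should carry out of this: the “zero vulnerability means zero risk” branch is only as trustworthy as your inventory of vulnerabilities, which is exactly why the slides call vulnerabilities the place where attacker and defender meet.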
Ethics
• What are ethics?
– Sara Baase, author of A Gift of Fire, describes it as: “What it means to do the right thing… with the goal to enhance human dignity, peace, happiness, and well-being”
Ethics, Values, and the DoD
• Per the Joint Ethics Regulation, DOD 5500.7-R:
“12-500. General. Ethics are standards by which one should act based on values. Values are core beliefs such as duty, honor, and integrity that motivate attitudes and actions. Not all values are ethical values (integrity is; happiness is not). Ethical values relate to what is right and wrong and thus take precedence over non-ethical values when making ethical decisions. DoD employees should carefully consider ethical values when making decisions as part of official duties.”
– Note that underlines are done by me, for emphasis, and are not in the
Values
• Def: a person’s principles or standards of behavior; one’s judgment of what is important in life
– Can vary greatly among cultures and societies!
• Core DoD values (core beliefs) include: Honesty, Integrity, Loyalty, Accountability, Fairness, Caring, Respect, Promise Keeping, Responsible Citizenship, Pursuit of Excellence (Ref: Joint Ethics Regulation, DOD 5500.7-R)
Ethical Hacking
• The Ethical Hacker is an individual who is usually employed by (or contracted by) the organization and who can be trusted to undertake an attempt to penetrate networks and/or computer systems using the same methods as a Hacker. Their knowledge is used for legal, defensive purposes only!
• Done by request and under a contract – has written authorization to probe the target, which should state the scope: which systems, which techniques, and when.
Rights
• Def: a moral or legal entitlement
– Negative Rights: AKA Liberties
• Right to act without interference: “Life, Liberty, and the Pursuit of Happiness” & religion.
– Positive Rights: AKA Claim Rights
• Right to be provided certain entitlements: Freedom of Speech may be used as a claim right to ensure that equal time is given to different groups on a radio station; a group cannot be denied equal access based upon their beliefs.
Ethics, Values, & Laws
• Laws (based upon a culture’s values) set a minimum standard that can be applied to all of a given set of circumstances (e.g. murder), but still leave room for the ethical interpretation of the circumstances (e.g. the life taken was necessary for saving the lives of thousands of others, such as killing a terrorist)
Ethical Hacking Testing
• There are different approaches to security testing.
– Black Box: With no prior knowledge of the infrastructure to be tested
– White Box: With complete knowledge of the network infrastructure
– Grey Box: With partial knowledge of the infrastructure. This module also calls it Internal Testing: it examines the extent of the access available to insiders within the network
Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.