Martinez Technology Consulting Security Audit
COVERT Security Systems
Who Are We?
• IT Security Audit Firm
• Since June 2011
• Corporate Headquarters located in Milwaukee, WI
• Privately held and operated
• Specializing in logical and physical security audits
Mission Statement
Our mission is simple: We want to make your company’s security an enhancement, not a hindrance. Unlike other IT firms, COVERT will only recommend solutions that are appropriate for the specific client while keeping business operations in mind. We work with our clients to provide the best possible support, training, documentation, policies and plans to ensure the utmost security.
Security Audit Department Staff
Lane Salmon
Joseph Finn
Robert Conti
Ryan Urban
Jason Leitner
Matthew Wiza
Ronald Cox
Project Lead Project Manager Security Staff
Security Industry As A Whole
[Graph: 2011 Cloud Security, Largest Threats; from Infoweek.com article (see Cited Sources)]
Scope
Security Audit (Primary)
• Audit security functions already in place
• Physical and virtual audit including penetration testing
• Of both MTC as well as the housing church (Cedar Hills Church)
The Three P's Review (Secondary)
• Review what is already in place: Policies, Processes and Procedures
Recommendations and Reports (Final)
• Create final analysis reports
• Create updated policies, processes and procedures
RFP (Request)
RFP (Response)
Our Process
Data Gathering
• Interviewed MTC Staff
• Internet and public record searches
Verification
• Verified data collected
Security Audit
• Physical, Logical and Social
Policy Review and Creation
• Review policies currently in place, expand upon or create
Information Consolidation and Review
Data Gathering
Physical Mapping
Interview
Server/Workstation Audit
Physical Floor Plan
Current Network Diagram
Interview – Key Findings: Joe
• CEO of MTC
• Specialize in SAP cloud services and training
• Recently terminated an employee
• Does not regularly check logs of any kind
• No Disaster Recovery Plan in place
• Time Warner is the ISP
• Rents a firewall from them
• Company web pages are not hosted locally
• Remote access via RDP using open ports and basic Windows authentication
Social Engineering
Exploit
Create Story A and B
Created Credentials
Verified Info
Took Known Info
Verification
Cross Reference Interview Questions
Web search
Security Audit
Network Audit
Wireless Audit
Software and Hardware Audit
• 802.11G • WEP • Pinks
• 802.11N • WPA2 • Kitty
• 802.11N • WPA2 • PK Fire
• 802.11G • WPA2 • 2Wire243
• 802.11G • WPA2 • 2Wire160
• 802.11G • Open • Bad Rocket
• 802.11G • WEP • FinalApproach
• 802.11N • WPA2 • Pegassus3
• 802.11G • WEP • The430
• 802.11N • WPA2 • 2Wire157
• 802.11G • WPA • Belkin.5284
• 802.11G • WPA2 • Pegasus2
Wireless Audit
[Pie chart: Wireless Encryption Types Within 1 Block, 52 Access Points Total; legend WEP, WPA2, Open, WPA; shares 13%, 58%, 13%, 15%]
Wireless Audit
Wireless Audit Tools
Backtrack 5
Wireless Adapter (monitor mode)
Airodump-ng, Aireplay-ng, Airmon-ng
Scanning and Enumeration
MTC Network
IP Schema
Ping Sweeps
Fingerprinting (Limited)
Tools Used for Scanning Process
• NMAP
• Hping
• Tracert
• Dsniff
• GFI LANguard
Fingerprint of Server CCI-SAP14
• Server Data\Win Audit\CCI-SAP14\CCI-SAP14.html
• A few security flaws that were found:
Item | Name | Setting
Screen Saver | Enabled | Yes
Screen Saver | Timeout | 9999 Minutes
Screen Saver | Password Protected | No
All Accounts | Minimum Password Length | 0 Characters
All Accounts | Maximum Password Age | Forever
All Accounts | Historical Passwords | 0 remembered
All Accounts | Lockout Threshold | 0 Attempts
Automatic Updates | Update Status | Disabled
Automatic Updates | Update Schedule | Every day
Internet Explorer | Download Files | Allow
Fingerprint of Server CCI-SAP17B
• Server Data\Win Audit\CCI-SAP17B\CCI-SAP17B.html
Item | Name | Setting
Screen Saver | Enabled | Yes
Screen Saver | Timeout | 10 Minutes
Screen Saver | Password Protected | Yes
All Accounts | Minimum Password Length | 0 Characters
All Accounts | Maximum Password Age | 42 Days
All Accounts | Historical Passwords | 0 remembered
All Accounts | Lockout Threshold | 0 Attempts
Automatic Updates | Update Status | Notify before installation
Automatic Updates | Update Schedule | Every day
Internet Explorer | Download Files | Not allowed
Fingerprint of Server ECC6C2
• Server Data\Win Audit\ECC6C2\ECC6C2.html
Item | Name | Setting
AutoLogon | Enabled | No
Screen Saver | Enabled | Yes
Screen Saver | Timeout | 0 Seconds
Screen Saver | Password Protected | No
All Accounts | Force Network Logoff | Never
All Accounts | Minimum Password Length | 0 Characters
All Accounts | Maximum Password Age | Forever
All Accounts | Historical Passwords | 0 remembered
All Accounts | Lockout Threshold | 0 Attempts
Automatic Updates | Update Status | Disabled
Automatic Updates | Update Schedule | Every day
Internet Explorer | Run Script | Allow
Internet Explorer | Run ActiveX | Allow
Internet Explorer | Run Java | Allow
Internet Explorer | Download Files | Allow
Internet Explorer | Install Desktop Items | Prompt user
Internet Explorer | Launch Applications | Prompt user
Fingerprint of Server SVCTAG-2KXKWC1
• Server Data\Win Audit\SVCTAG-2KXKWC1\SVCTAG-2KXKWC1.html
Item | Name | Setting
Screen Saver | Enabled | Yes
Screen Saver | Timeout | 10 Minutes
Screen Saver | Password Protected | Yes
All Accounts | Minimum Password Length | 0 Characters
All Accounts | Maximum Password Age | 42 Days
All Accounts | Historical Passwords | 0 remembered
All Accounts | Lockout Threshold | 0 Attempts
Automatic Updates | Update Status | NotConfigured
Automatic Updates | Update Schedule | Every day
Internet Explorer | Download Files | Allow
Fingerprint of Server SVCTAG-5KXKWC1
• Server Data\Win Audit\SVCTAG-5KXKWC1\SVCTAG-5KXKWC1.html
Item | Name | Setting
Screen Saver | Enabled | Yes
Screen Saver | Timeout | 10 Minutes
Screen Saver | Password Protected | Yes
All Accounts | Minimum Password Length | 0 Characters
All Accounts | Maximum Password Age | 42 Days
All Accounts | Historical Passwords | 0 remembered
All Accounts | Lockout Threshold | 0 Attempts
Automatic Updates | Update Status | NotConfigured
Automatic Updates | Update Schedule | Every day
Internet Explorer | Download Files | Allow
Fingerprint of Server SVCTAG-CJXKWC1
• Server Data\Win Audit\SVCTAG-CJXKWC1\SVCTAG-CJXKWC1.html
Item | Name | Setting
Screen Saver | Enabled | Yes
Screen Saver | Timeout | 10 Minutes
Screen Saver | Password Protected | Yes
All Accounts | Minimum Password Length | 0 Characters
All Accounts | Maximum Password Age | 42 Days
All Accounts | Historical Passwords | 0 remembered
All Accounts | Lockout Threshold | 0 Attempts
Automatic Updates | Update Status | Scheduled installation
Automatic Updates | Update Schedule | Every day
Internet Explorer | Download Files | Allow
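The fingerprint tables above repeat the same weak account settings on every host (zero-length passwords, no lockout, passwords that never expire, updates off). As an added example that is not part of the audit deck, the script below transcribes two of those hosts' WinAudit values and checks them against a small baseline; the baseline thresholds are this example's own assumptions, not numbers from the auditors.

```python
# Added example (not from the original audit deck): evaluate WinAudit-style
# account-policy findings against a minimal baseline and list violations per host.
# FINDINGS values are transcribed from the deck's "Fingerprint of Server" tables.
import re

# Baseline thresholds are this example's assumptions, not the auditors' numbers.
BASELINE = {
    "Minimum Password Length": ("min", 8),      # characters
    "Maximum Password Age": ("max", 90),        # days; "Forever" never expires
    "Historical Passwords": ("min", 5),         # passwords remembered
    "Lockout Threshold": ("max_nonzero", 10),   # attempts; 0 means never lock out
}

FINDINGS = {  # constructed from the page's tables
    "CCI-SAP14": {"Minimum Password Length": "0 Characters", "Maximum Password Age": "Forever",
                  "Historical Passwords": "0 remembered", "Lockout Threshold": "0 Attempts",
                  "Update Status": "Disabled", "Screen Saver Password Protected": "No"},
    "CCI-SAP17B": {"Minimum Password Length": "0 Characters", "Maximum Password Age": "42 Days",
                   "Historical Passwords": "0 remembered", "Lockout Threshold": "0 Attempts",
                   "Update Status": "Notify before installation", "Screen Saver Password Protected": "Yes"},
}

def parse_number(setting):
    """Leading integer of a WinAudit value ('42 Days' -> 42); 'Forever' -> None."""
    m = re.match(r"\s*(\d+)", setting)
    return int(m.group(1)) if m else None

def check_host(settings):
    """Return (setting name, value, reason) tuples for every baseline violation."""
    violations = []
    for name, (kind, limit) in BASELINE.items():
        value = settings.get(name)
        if value is None:
            continue
        n = parse_number(value)
        if kind == "min" and (n is None or n < limit):
            violations.append((name, value, f"below baseline {limit}"))
        elif kind == "max" and (n is None or n > limit):
            violations.append((name, value, f"above baseline {limit} or never expires"))
        elif kind == "max_nonzero" and (n is None or n == 0 or n > limit):
            violations.append((name, value, f"must be between 1 and {limit}"))
    if settings.get("Update Status", "").lower() in ("disabled", "notconfigured"):
        violations.append(("Update Status", settings["Update Status"], "automatic updates not enforced"))
    if settings.get("Screen Saver Password Protected") == "No":
        violations.append(("Screen Saver Password Protected", "No", "unattended console is not locked"))
    return violations

def audit(findings):
    """Map each host name to its list of violations."""
    return {host: check_host(s) for host, s in findings.items()}
```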
Win Audit
• WinAudit is a software program that audits Windows based personal computers. Just about every aspect of computer inventory is examined. The report is displayed as a web page, which can be saved in a number of standard formats. You can e-mail it to your technical support or even post the audit to a database for archiving. When used in conjunction with its command line functionality, you can automate inventory administration at the network level.
http://www.pxserver.com/WinAudit.htm
System Information for Windows (SIW)
• SIW is an advanced System Information for Windows tool that analyzes your computer and gathers detailed information about system properties and settings and displays it in an extremely comprehensible manner.
http://www.gtopala.com/
SIW Continued
• The System Information is divided into a few major categories:
• Software Information: Operating System, Software Licenses (Product Keys / Serial Numbers / CD Key), Installed Software and Hot fixes, Processes, Services, Users, Open Files, System Uptime, Installed Codecs, Password Recovery, Server Configuration.
• Hardware Information: Motherboard, CPU, Sensors, BIOS, chipset, PCI/AGP, USB and ISA/PnP Devices, Memory, Video Card, Monitor, Disk Drives, CD/DVD Devices, SCSI Devices, S.M.A.R.T., Ports, Printers.
• Network Information: Network Cards, Network Shares, currently active Network Connections, Open Ports.
• Network Tools: MAC Address Changer, Neighborhood Scan, Ping, Trace, Statistics, Broadband Speed Test.
• Miscellaneous Tools: Eureka! (reveal lost passwords hidden behind asterisks), Monitor Test, Shutdown / Restart.
• Real-time monitors: CPU, Memory, Page File usage and Network Traffic.
Microsoft Baseline Security Analyzer
• Microsoft Baseline Security Analyzer (MBSA) is an easy-to-use tool designed for the IT professional that helps small- and medium-sized businesses determine their security state in accordance with Microsoft security recommendations and offers specific remediation guidance. Improve your security management process by using MBSA to detect common security misconfigurations and missing security updates on your computer systems.
http://technet.microsoft.com/en-us/security/cc184924
SIW Audit of Server CCISAP\ECC6C2
• Server Data\SIW\ECC6siwReport.html
SIW Audit of Server CCI-SAP14
• Server Data\SIW\SIW_FREEWARE_CCI-SAP14_20110718_192250.html
SIW Audit of Server CCI-SAP17B
• Server Data\SIW\SIW_FREEWARE_CCI-SAP17B_20110718_194229.html
Analyzer Audit of Server CCISAP\ECC6C2
• Server Data\Analyzer\ECC6.xps
Analyzer Audit of Server WORKGROUP\SVCTAG-2KXKWC1
• Server Data\Analyzer\ubuntu.mht
SIW Audit of Server CCISAP\ECC6C2
• Server Data\SIW\SIW_FREEWARE_ECC6C2_20110718_192841.html
SIW Audit of Server WORKGROUP\SVCTAG-5KXKWC1
• Server Data\SIW\SIW_FREEWARE_SVCTAG-5KXKWC1_20110718_192726.html
SIW Audit of Server WORKGROUP\SVCTAG-CJXKWC1
• Server Data\SIW\SIW_FREEWARE_SVCTAG-CJXKWC1_20110718_184840.html
Analyzer Audit of Server WORKGROUP\SVCTAG-CJXKWC1
• Server Data\Analyzer\C4.xps
Analyzer Audit of Server WORKGROUP\SVCTAG-5KXKWC1
• Server Data\Analyzer\c3ecc6.mht
Physical Site Security
Fire Suppressions
Power Issues
Access Control
Door & Window Reinforcement
Site Monitoring
Policy Review and Creation
Review Current Policies & Procedures
Update Existing
Create New
Acceptable Use Policy
Define Responsibility
System and Network Activities
Communications
Remote Connection
Proprietary Information Enforcement
Business Continuity Plan
1. Know the Business
2. Assess the Risks
3. Formulate the Plan
4. Implement
5. Test
Disaster Recovery Policy
Current Policy
Current Threats
Acceptable Risk Assessment
Update
Information Consolidation and Review
Audit Overview Recommendations
Suggested Network Diagram
Audit Findings Summary
Wireless
• Cedar Hills WEP -> WPA2
• Cedar Hills wireless and LAN on the same network
Network
• Flat network
• Lack of central management (AD)
• Lack of enforced network security policy
• Windows Updates
Physical
• Social engineering successful
• Power issues
• High availability and redundancy
• Cooling
• Fire suppression
• Battery backup
• Backup process
• Security camera
Recommendations Specifics
• Implement AD system
• This will allow constant server hardening and policies to be pushed to all machines
• IDS
• Logging
• Wireless change to WPA2
• Change passwords to complex on all networking devices
• Including church router and printer
• Backup system
• High Availability
• Switches, routers, ISP, important servers
• Redundancy
• Switches, routers, ISP, UPS, cooling
• Possibly hot or cold site
• Inventory Control
Recommendations Specifics (Continued)
• Physical Security
• Camera and access controls
• Must include logging capabilities
• Reinforced doors and walls
• Glass into server room: remove
• Fire suppression
• Seal server room for better cooling
• Power issues
• Extension cord
• Encryption on laptops
• More secure method of remote access
Final suggested network diagram
Cost Analysis
Continually Evolving
By Incident
Questions?
Thank You For Your Time
References