EC-Council
Presentation Goals
The Challenge of Security
Business Impact
The Security Puzzle
Evaluating Security Threats

Attackers: Who is doing it?
• Misfeasors
– Authorized users who abuse their privileges
– “Insiders”
• Masqueraders
– Unauthorized persons posing as an authorized user
– “Outsiders”
• Clandestine Users
– Unauthorized persons who appear to be authorized
– “Insiders” or “Outsiders”

Goals: Why are they doing it?
• Trophy Grabbing
– Hacker “badge of honor”
• Information Theft
– Learning something meant to be secret
• Service Theft
– Using computer services without paying for them
• Identity Theft
– Acquiring things through masquerading
• Tampering and Vandalism
– Changing information
• Denial of Service
– Hampering the access of legitimate users

Vulnerabilities: What enables the attack?
• Implicit Trust
• Configuration Error
• Public Information
• Weak Design
• Carelessness

Defenses: How do you stop them?
Common Attacks
Example #1
Example #2
Example #3
Example #4
Attack: Virus
• Goals
– Trophy grabbing
– Tampering and Vandalism
– Denial of service
• Vulnerabilities
– Implicit trust
– Weak design
• Defenses
– Virus scanner
– Training
– Patching
• Examples
– Stoned, Michelangelo (boot-sector viruses)
– Love Bug (VBScript e-mail worm)
– Melissa (Word macro virus)
Hacking
• Example:
1. Scanning reveals target networks
2. Sniffing on those networks reveals a user password
3. Masquerading as that user, the hacker logs in
4. Exploiting a buffer overflow in a utility yields admin privileges
5. Compromising system utilities helps to hide presence
6. Creating backdoors provides for easier re-entry

Hacking is just one of many security threats.
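Steps 5 and 6 of the hacking example (trojaned system utilities, dropped backdoors) are the part an auditor can catch with a file-integrity baseline taken while the host is known-good. The following is an added example written for this page, not code from the EC-Council deck; the directory layout, the stand-in utility files and the tampering it simulates are all constructed for the demonstration.

```python
"""File-integrity check for steps 5 and 6 of the hacking example.

Added example (not code from the EC-Council deck). Step 5 replaces
system utilities with trojaned copies and step 6 drops backdoors; a
SHA-256 baseline of every file, taken while the host is known-good,
exposes both as "modified" and "added" entries on the next scan.
The file layout and contents below are constructed for the demo.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Return the hex SHA-256 of a file, read in 64 KiB chunks."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict[str, str]:
    """Map every regular file under root (POSIX relative path) to its SHA-256."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_file() and not p.is_symlink():
                baseline[p.relative_to(root).as_posix()] = sha256_file(p)
    return baseline


def compare(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Classify differences between the trusted baseline and a fresh scan."""
    return {
        "modified": sorted(f for f in baseline if f in current and baseline[f] != current[f]),
        "added": sorted(f for f in current if f not in baseline),
        "removed": sorted(f for f in baseline if f not in current),
    }


def demo() -> dict[str, list[str]]:
    """Simulate a host before and after steps 5 and 6 of the hacking example."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        # Constructed stand-ins for system utilities on a known-good host.
        (root / "bin" / "ls").write_bytes(b"#!/bin/sh\nexec /real/ls \"$@\"\n")
        (root / "bin" / "ps").write_bytes(b"#!/bin/sh\nexec /real/ps \"$@\"\n")
        (root / "bin" / "netstat").write_bytes(b"#!/bin/sh\nexec /real/netstat \"$@\"\n")
        baseline = build_baseline(root)

        # Step 5: a trojaned ps filters the attacker's processes out of its output.
        (root / "bin" / "ps").write_bytes(b"#!/bin/sh\nexec /real/ps \"$@\" | grep -v backdoor\n")
        # Step 6: a backdoor listener is dropped for easier re-entry.
        (root / "bin" / "backdoor").write_bytes(b"#!/bin/sh\n# constructed placeholder for a listener\n")

        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

Two caveats a practitioner would add: the baseline must be stored and compared from outside the host (read-only media or a separate audit system), because step 5 can just as easily trojan the hashing tool itself; and the scan has to be scheduled from that trusted side, since a compromised cron entry can be made to report "no changes".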
Hacking Lifecycle
Profiling
Entering
Compromising
Empowering
Concealing

10 Steps to Better Security
STEP 1: Implement a firewall
STEP 2: Filter packets to prevent spoofing
• At your gateway
• Both incoming and outgoing packets
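The two checks this step asks for are ingress filtering (an inbound packet must not claim one of the site's own source addresses) and egress filtering (an outbound packet must carry one of the site's own source addresses), the practice standardised as BCP 38 / RFC 2827. The following is an added example for this page, not code from the EC-Council deck: it models a gateway applying both rules and classifies a constructed batch of packets. The interface names, internal prefixes and sample addresses are assumptions made for the demonstration.

```python
"""Ingress/egress anti-spoofing filter for a gateway (Step 2).

Added example, not from the EC-Council deck. An inbound packet whose
source is one of our internal prefixes is spoofed (it cannot have come
from the Internet); an outbound packet whose source is NOT one of our
prefixes is a spoofing attempt leaving the site. Interface names,
prefixes and the sample packets are constructed for the demonstration.
"""
import ipaddress
from dataclasses import dataclass

# Constructed site prefixes behind the gateway's inside interface.
INTERNAL_PREFIXES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.1.0/24"),
]

# Sources that must never arrive on the outside interface (loopback,
# link-local, "this network"); the RFC 1918 space is covered above.
BOGON_PREFIXES = [
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("169.254.0.0/16"),
    ipaddress.ip_network("0.0.0.0/8"),
]


@dataclass(frozen=True)
class Packet:
    ingress_iface: str   # "outside" (Internet-facing) or "inside" (site-facing)
    src: str
    dst: str


def _in_any(addr, prefixes) -> bool:
    return any(addr in net for net in prefixes)


def filter_packet(pkt: Packet) -> str:
    """Return "ACCEPT" or a "DROP: <reason>" verdict for one packet."""
    src = ipaddress.ip_address(pkt.src)
    if pkt.ingress_iface == "outside":
        # Ingress filtering: nothing from the Internet may claim to be us.
        if _in_any(src, INTERNAL_PREFIXES):
            return "DROP: inbound packet with internal source (spoofed)"
        if _in_any(src, BOGON_PREFIXES):
            return "DROP: inbound packet with bogon source"
        return "ACCEPT"
    if pkt.ingress_iface == "inside":
        # Egress filtering: only our own addresses may leave, so a
        # compromised inside host cannot spoof somebody else's.
        if not _in_any(src, INTERNAL_PREFIXES):
            return "DROP: outbound packet with non-internal source (spoofed)"
        return "ACCEPT"
    return f"DROP: unknown interface {pkt.ingress_iface!r}"


# Constructed sample traffic: a legitimate flow in each direction, a
# spoofing attempt in each direction, and one bogon-sourced packet.
SAMPLE_PACKETS = [
    Packet("outside", "203.0.113.5", "10.0.0.10"),
    Packet("outside", "10.0.0.99", "10.0.0.10"),
    Packet("outside", "127.0.0.1", "10.0.0.10"),
    Packet("inside", "10.0.0.10", "203.0.113.5"),
    Packet("inside", "198.51.100.7", "203.0.113.5"),
]


def run_filter(packets=SAMPLE_PACKETS) -> list[str]:
    """Apply the filter to each packet and return the verdicts in order."""
    return [filter_packet(p) for p in packets]


if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE_PACKETS, run_filter()):
        print(f"{pkt.ingress_iface:7} {pkt.src:>15} -> {pkt.dst:<15} {verdict}")
```

On a real gateway the same two decisions are written as firewall rules keyed on the ingress interface and the source prefix; the point of the model is that the rule set is symmetric, and that omitting the egress half is what lets a compromised inside host take part in spoofed denial-of-service traffic against someone else.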
STEP 3: Harden the software
Limiting Interface Connections
STEP 4: Lock down Web applications
STEP 5: Always use encryption
• Disable Telnet (a cleartext protocol: a sniffer captures the password exactly as in step 2 of the hacking example)
• Use terminal services or other secure access mechanisms
• Consider link-level or OS-supported encryption for high-security applications
STEP 6: Defend DNS
STEP 7: Patrol passwords
STEP 8: Implement auditing and intrusion detection
STEP 9: Don’t forget the human factor
Security Policy Life Cycle Model
STEP 10: Remain diligent
Networked Storage Security Guidelines
[Diagram: several hosts connected to networked storage]
2 – Control administrator actions
3 – Restrict network access
Advanced Authentication
• Authentication methods
– Something you know
• Passwords
– Something you possess
• A badge or smart card
– Something about you
• Biometrics (fingerprints, retinal scan, etc.)
• Privacy methods
– Encryption
• Cryptography (it's obviously encrypted)
• Steganography (hidden, and not obvious)
• “Security through obscurity”
– Capture prevention
• Nearly impossible
– Physical proximity
• Impractical for network connections
Encryption
Cleartext → Encryption Function (Encoding Key) → Ciphertext → Transmit or Store
Receive or Retrieve → Ciphertext → Decryption Function (Decoding Key) → Cleartext
Symmetric and Public Key Systems
• Symmetric Key
– A single key is used for both encoding and decoding
– The key is kept secret
– “Old” style encryption system
– Key distribution is a significant problem
– Examples: DES (obsolete: its 56-bit key is brute-forceable), AES
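The encryption diagram above and the "But Encryption Isn't Enough" slide below are best seen together in code. The following is an added example for this page, not code from the EC-Council deck, and its cipher is a demonstration construction rather than a standard one: a keystream derived with HMAC-SHA256 in counter mode is XORed with the cleartext (the encoding step), and an HMAC tag over nonce and ciphertext is appended (encrypt-then-MAC). A real system should use AES-GCM or ChaCha20-Poly1305 from a vetted library; this construction only stands in so the example runs on the standard library. The key size, nonce size and the sample message are assumptions made for the demonstration.

```python
"""Symmetric encryption as drawn in the Encryption slide, plus the
integrity check the "Encryption Isn't Enough" slide is about.

Added example, not from the EC-Council deck. One secret key serves for
both encoding and decoding. Demonstration cipher: HMAC-SHA256 counter
mode keystream XORed with the cleartext, then an HMAC tag over
nonce || ciphertext. Not a standard cipher; use AES-GCM or
ChaCha20-Poly1305 in practice. Sizes and message are constructed.
"""
import hashlib
import hmac
import os

NONCE_BYTES = 16
TAG_BYTES = 32


def _derive_keys(key: bytes) -> tuple[bytes, bytes]:
    """Split the shared key into independent encryption and MAC keys."""
    enc = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac = hmac.new(key, b"mac", hashlib.sha256).digest()
    return enc, mac


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter mode: block i = HMAC(enc_key, nonce || i), truncated to length."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, cleartext: bytes) -> bytes:
    """Encryption function of the diagram: returns nonce || ciphertext || tag."""
    enc_key, mac_key = _derive_keys(key)
    nonce = os.urandom(NONCE_BYTES)           # fresh per message; never reuse with one key
    ciphertext = bytes(a ^ b for a, b in zip(cleartext, _keystream(enc_key, nonce, len(cleartext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Decryption function of the diagram; raises ValueError on any tampering."""
    if len(blob) < NONCE_BYTES + TAG_BYTES:
        raise ValueError("message too short")
    enc_key, mac_key = _derive_keys(key)
    nonce, ciphertext, tag = blob[:NONCE_BYTES], blob[NONCE_BYTES:-TAG_BYTES], blob[-TAG_BYTES:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    # Verify the tag before touching the ciphertext, in constant time.
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: message altered or wrong key")
    return bytes(a ^ b for a, b in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))


def demo() -> dict[str, bool]:
    """Round trip, then the failure modes that encryption alone would miss."""
    key = os.urandom(32)                       # shared out of band: the key-distribution problem
    message = b"transfer 100 to account 42"    # constructed sample cleartext
    blob = encrypt(key, message)

    # Flip one bit of the ciphertext byte that covers the '1' of "100".
    pos = NONCE_BYTES + 9
    tampered = blob[:pos] + bytes([blob[pos] ^ 0x01]) + blob[pos + 1:]

    # What a receiver that only decrypts (no tag check) would accept:
    enc_key, _ = _derive_keys(key)
    ct = tampered[NONCE_BYTES:-TAG_BYTES]
    unchecked = bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, tampered[:NONCE_BYTES], len(ct))))

    def rejected(k: bytes, b: bytes) -> bool:
        try:
            decrypt(k, b)
            return False
        except ValueError:
            return True

    return {
        "roundtrip": decrypt(key, blob) == message,
        "unchecked_decrypt": unchecked == b"transfer 000 to account 42",
        "tamper_rejected": rejected(key, tampered),
        "wrong_key_rejected": rejected(os.urandom(32), blob),
    }


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

The `unchecked_decrypt` result is the whole argument of the later slide: without the tag, flipping one ciphertext bit turns "100" into "000" and the receiver sees a perfectly well-formed message. Confidentiality held, integrity did not. The tag is checked first and in constant time so that a forger learns nothing from timing, and the nonce is random per message because reusing one with the same key would let an eavesdropper XOR two ciphertexts together and cancel the keystream.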
More About Public Key Systems
Hybrid Encryption Systems
But Encryption Isn’t Enough…
The Security Challenge
The Future of Security
“Following the Code Red and Nimda attacks, Microsoft heard back from users that they were just sick of this. More than anything, it was the huge impact Code Red had on IIS users. It was horrendous… The problem is these patches are so frequent, it's not so that IIS is poorly written, but it's pretty clear that IIS and Microsoft are huge targets for viruses and other malicious code, putting them at risk.”
John Pescatore, Gartner Viewpoint, CNET News.com, 9/20/2001

“We will not rest until all our customers are secure.”
Brian Valentine, Senior VP, Microsoft

“[…] Microsoft is adding to its […] making the product better.”
Matt Kesner, Fenwick & West, Internetweek.com, 10/4/01

“What we discovered a few months ago is that, while we are doing a pretty good job providing [security tools and patches], it wasn't easy enough for our customers to roll them out. Because of our position in the industry, we felt it was our responsibility to make it as easy as possible for the customer to do what it takes to stay secure.”
Dave Thompson, VP, Microsoft, ZDNet News, 10/22/2001

“Typically, Microsoft takes three times to get it right. That's not going to work here.”
William Malik, Gartner
Infamous Bill Gates Trustworthy Computing E-mail
Today Security at Microsoft?
http://news.com.com/2100-1009-1000655.html
Questions and Feedback
feedback@eccouncil.org