
Ethical Hacking Workshop

Your name

EC-Council
Presentation Goals

• Provide a framework for understanding security


• Present best practices for
– Protecting against attacks from the Internet
– Locking down clients and servers
– Developing an ongoing security strategy

• Discuss primary and emerging technologies


– Encryption
– Biometrics
– Smart Cards
– Trustworthy Computing

• Listen to your concerns


• Questions and Answers

The Challenge of Security

Internet-enabled businesses must keep their computing technologies and information assets secure while also keeping them fast and easy to interact with.

The right access, to the right content, by the right people.
Business Impact

• According to the Computer Crime and Security Survey 2002 by the Computer Security Institute (CSI) and the FBI:
– 90% of respondents detected computer security breaches
– 80% acknowledged financial losses due to computer breaches
– 40% quantified their financial losses: $456 million in total, about $2 million per respondent
– 40% detected system penetration from the outside, up from 25% in 2000
– 85% detected computer viruses
• InformationWeek estimates:
– Security breaches cost businesses $1.4 trillion worldwide this year
– 2/3 of companies have experienced viruses, worms, or Trojan horses
– 15% have experienced Denial of Service attacks

Security Breaches Have Real Costs

Source: Computer Security Institute (CSI) Computer Crime and Security Survey 2002
Source: InformationWeek.com, 10/15/01
Evaluating Security Threats

The Security Puzzle
Evaluating Security Threats

Attackers
Misfeasors
– Authorized users who abuse the privileges they were legitimately given
– “Insiders”
Masqueraders
– Unauthorized persons posing as an authorized user, typically with a stolen password or session
– “Outsiders”
Clandestine Users
– Unauthorized persons who seize supervisory control and use it to evade auditing and access controls, so that they appear to be authorized
– “Insiders” or “Outsiders”
Evaluating Security Threats

Attackers: who is doing it?
• Misfeasors
• Masqueraders
• Clandestine Users

Goals: why are they doing it?
• Trophy Grabbing – Hacker “badge of honor”
• Information Theft – Learning something meant to be secret
• Service Theft – Using computer services without paying for them
• Identity Theft – Acquiring things through masquerading
• Tampering and Vandalism – Changing information
• Denial of Service – Hampering the access of legitimate users

Vulnerabilities: what enables the attack?
• Implicit Trust – Assuming you can trust someone or something
• Configuration Error – Relying on default configurations, improper configuration
• Public Information – Exploiting easily obtainable non-secret data
• Weak Design – Exploiting systems not designed with security in mind
• Carelessness – Sloppy execution or inattentiveness to details

Defenses: how do you stop them?
• Obfuscation – Hiding information; it raises the attacker's cost but must never be the only control, because the protection ends the moment the hiding is discovered
• Authentication and Authorization – Verifying identity, then using it to regulate access
• Monitoring and Auditing – Keeping an eye out, tracking suspicious activity
• Currency – Keeping systems up-to-date with patches and updates
• Education and Enforcement – Training users, then making sure they use that knowledge

The complete puzzle: any attack can be placed by asking who is doing it (attacker), why (goal), what enables it (vulnerability) and how to stop it (defense). The four examples that follow do exactly that.
Common Attacks

• Backdoor
• Bacteria
• Buffer overflow/overrun
• Compromised system utilities
• E-mail forgery
• E-mail relay
• IP spoofing
• Keystroke monitoring
• Logic bomb
• Mail bombing
• Man in the middle
• Masquerade
• Network scanning
• Packet sniffing
• Password cracking
• Ping flooding
• Replay attack
• Script kiddies
• Security audit tools
• Shell escapes
• Shoulder surfing
• Smurfing
• Social engineering
• SYN flooding
• Traffic analysis
• Trapdoor
• Trojan horse
• van Eck attack
• Virus
• War dialing
• Worm
Example #1

Attack: Buffer Overflow

• Goals
– All
• Vulnerabilities
– Weak design (designer): input is copied into a fixed-size buffer without checking its length, so over-long input overwrites whatever lies next to the buffer, including the saved return address
– Carelessness (customer not patching)
• Defenses
– Peer review and bounds checking (designer)
– Patching (customer)
• Examples
– Code Red
– Internet Worm of ‘88
Example #2

Attack: E-Mail Forgery

• Goals
– Trophy grabbing
– Identity theft
• Vulnerabilities
– Implicit trust
– Public information
– Weak design
• Defenses
– Public key cryptography
– Training
• Examples
– Good Times
– Free Windows
– Penpal Greetings
Example #3

Attack: Social Engineering

• Goals
– All
• Vulnerabilities
– Implicit trust
• Defenses
– Training
– Process review
• Examples
– IRC downloads
– Attachment viruses
– Password elicitation
Example #4

Attack: Virus
• Goals
– Trophy grabbing
– Tampering and Vandalism
– Denial of service
• Vulnerabilities
– Implicit trust
– Weak design
• Defenses
– Virus scanner
– Training
– Patching
• Examples
– Stoned, Michelangelo (boot-sector viruses)
– Love Bug (VBScript attachment)
– Melissa (Word macro)
Hacking

• Coordinated series of attacks for gaining control of a computer system
• Each attack achieves a goal which enables a subsequent, more serious attack
• Example:
1. Scanning reveals target networks
2. Sniffing on those networks reveals a user password
3. Masquerading as that user, the hacker logs in
4. Exploiting a buffer overflow in a utility yields admin privileges
5. Compromising system utilities helps to hide presence
6. Creating backdoors provides for easier re-entry

Hacking is just one of many security threats.
Hacking Lifecycle

The slide draws the phases as a cycle; the example above walks through them in order:
• Profiling: scanning and sniffing to learn about the target
• Entering: logging in with the captured credentials
• Compromising: exploiting a flaw such as the buffer overflow
• Empowering: turning the foothold into admin privileges
• Concealing: tampering with system utilities and planting backdoors (and the cycle repeats)
10 Steps to Better Security
STEP 1: Implement a firewall

• Either stateful inspection, a proxy, or a hybrid of the two
• Create a demilitarized zone and use it properly: Internet-facing servers live in the DMZ, not on the internal network, and traffic between the DMZ and the inside is filtered as strictly as traffic from the Internet
STEP 2: Filter packets to prevent spoofing

• At your gateway
• Both incoming and outgoing packets: drop inbound packets that claim an internal (or otherwise unroutable) source address, and drop outbound packets whose source address is not one of your own
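The two filtering rules of this step, as an added example in Python that is not part of the original deck: a gateway decision function run over constructed sample packets. The site prefix 10.1.0.0/16, the interface names "wan" and "lan", and the packets themselves are assumptions made for the demonstration; the reserved ranges are the usual private, loopback, link-local and multicast blocks.

```python
"""Anti-spoofing filter for a site gateway (added example, stdlib only)."""
import ipaddress
from dataclasses import dataclass

# Address space the site legitimately uses (constructed for the example).
INTERNAL_NETS = [ipaddress.ip_network("10.1.0.0/16")]

# Sources that have no business arriving from the Internet: private,
# loopback, link-local, multicast and unspecified ranges.
BOGON_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]


@dataclass(frozen=True)
class Packet:
    iface: str   # "wan": arrived from the Internet; "lan": leaving the site
    src: str
    dst: str     # kept for completeness; spoofing is decided on source and direction


def _in_any(addr, nets):
    return any(addr in net for net in nets)


def filter_packet(pkt):
    """Return (verdict, reason); verdict is 'accept' or 'drop'."""
    try:
        src = ipaddress.ip_address(pkt.src)
    except ValueError:
        return "drop", "unparseable source address"
    if pkt.iface == "wan":
        # Ingress: nobody outside may claim one of our addresses ...
        if _in_any(src, INTERNAL_NETS):
            return "drop", "inbound packet claims an internal source"
        # ... or an address that cannot be routed from the Internet.
        if _in_any(src, BOGON_NETS):
            return "drop", "inbound packet from a reserved source"
        return "accept", "ok"
    if pkt.iface == "lan":
        # Egress: our hosts may not impersonate someone else's address,
        # which also keeps this site from launching spoofed floods.
        if not _in_any(src, INTERNAL_NETS):
            return "drop", "outbound packet claims a foreign source"
        return "accept", "ok"
    return "drop", "unknown interface " + pkt.iface


def audit(packets):
    """Verdict per packet, in order, for review or testing."""
    return [filter_packet(p)[0] for p in packets]


# Constructed sample traffic, one decision each.
SAMPLE_PACKETS = [
    Packet("wan", "203.0.113.9", "10.1.0.10"),     # ordinary inbound: accept
    Packet("wan", "10.1.5.7", "10.1.0.10"),        # outsider claiming our net: drop
    Packet("wan", "192.168.1.1", "10.1.0.10"),     # private source from outside: drop
    Packet("lan", "10.1.0.10", "203.0.113.9"),     # ordinary outbound: accept
    Packet("lan", "198.51.100.4", "203.0.113.9"),  # host spoofing a foreign source: drop
]

if __name__ == "__main__":
    for p in SAMPLE_PACKETS:
        print(p.iface, p.src, "->", p.dst, *filter_packet(p))
```

The egress rule is the one most often skipped because it protects other people rather than you; it is also the one that stops a compromised internal host from taking part in a spoofed flood such as smurfing.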

STEP 3: Harden the software

• Patch quickly and routinely
• When re-installing an OS, don’t forget to patch: a fresh install is only as current as its installation media
• Enable OS features that detect common DoS attacks
• Always scrutinize default configurations
• Bind interfaces to listen only on networks they will serve
• Disable unnecessary services

Limiting Interface Connections
STEP 4: Lock down Web applications

• Disable scripting if not needed


• Remove sample scripts
• Use restricted permission modes of scripting environments
• Make use of integrated security features
• Be vigilant in preventing replay attacks

STEP 5: Always use encryption

• Disable Telnet and other cleartext protocols
• Use SSH, terminal services over an encrypted channel, or other secure access mechanisms
• Consider link-level (VPN) or OS-supported encryption for high-security applications
STEP 6: Defend DNS

• Don’t allow zone transfers to unknown servers: restrict them to your own secondaries
• Limit records available to external queries: serve internal names only to internal resolvers
• Be paranoid about registrar records to avoid hijacks: lock the registration and watch the contact and nameserver entries
STEP 7: Patrol passwords

• Train users on good password selection
• Enforce good password selection
• Outlaw and punish password sharing
• Use password-aging tools
• Don’t give in to whining about inconvenience
• Prepare for the increased support load
STEP 8: Implement auditing and intrusion detection

• Watch for suspicious activity
• Includes virus scanning software
• Keep intrusion detection signatures and software up-to-date
• Post “No Trespassing” login banners and prosecute violators
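The smallest useful form of "watch for suspicious activity", as an added example that is not part of the original deck: count authentication failures per source inside a sliding window and alert when a source crosses the threshold. The log lines are constructed in a syslog-like shape for the demonstration and do not come from any real system; the threshold and window are assumptions.

```python
"""Failed-login burst detection over auth log lines (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log; the last line is deliberately malformed.
SAMPLE_LOG = """\
2002-03-04T10:00:01 gw sshd: Failed password for root from 203.0.113.9
2002-03-04T10:00:03 gw sshd: Failed password for admin from 203.0.113.9
2002-03-04T10:00:04 gw sshd: Accepted password for alice from 10.1.0.22
2002-03-04T10:00:06 gw sshd: Failed password for oracle from 203.0.113.9
2002-03-04T10:00:07 gw sshd: Failed password for guest from 203.0.113.9
2002-03-04T10:00:09 gw sshd: Failed password for test from 203.0.113.9
2002-03-04T10:03:30 gw sshd: Failed password for bob from 10.1.0.23
2002-03-04T10:09:00 gw sshd: Failed password for bob from 10.1.0.23
garbage line the parser must skip rather than crash on
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd: (?P<result>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<src>\S+)$"
)


def parse_failures(log_text):
    """Yield (timestamp, source) for each failed login. Lines that do not
    match are skipped: a detector that crashes on odd input is the first
    thing an attacker will aim for."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and m["result"] == "Failed":
            yield datetime.fromisoformat(m["ts"]), m["src"]


def detect_bursts(log_text, threshold=5, window_seconds=60):
    """Return {source: time at which the threshold was first crossed}."""
    recent = defaultdict(deque)     # per-source timestamps still inside the window
    alerts = {}
    for ts, src in parse_failures(log_text):
        window = recent[src]
        window.append(ts)
        while (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) >= threshold and src not in alerts:
            alerts[src] = ts
    return alerts


if __name__ == "__main__":
    threshold, window = 5, 60
    for src, when in detect_bursts(SAMPLE_LOG, threshold, window).items():
        print(f"ALERT {when.isoformat()} {src}: {threshold}+ failed logins within {window}s")
```

On the sample, 203.0.113.9 trips the alert at the fifth failure; bob's two failures from 10.1.0.23 are six minutes apart and stay below the threshold. A per-source threshold is blind to an attacker who spreads the attempts across many sources, so a production rule also counts failures per target account.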

STEP 9: Don’t forget the human factor

• Ensure policies are congruent with technical safeguards
• Always have checks and balances
• Implement peer and process reviews
• Re-evaluate policies and processes regularly
Security Policy Life Cycle Model

STEP 10: Remain diligent

• Develop an “ongoing” mindset


– Develop and update organizational security policies and audits
– Take advantage of pro-active notification services, such as for patches
• Never done with security
• New threats will emerge
• Not “if” but “when”
• Keep a lookout and be prepared!

Networked Storage Security Guidelines

The slide's diagram shows administration servers and several hosts attached to networked storage, with the guidelines numbered around it:

1 - Compartmentalize hosts, volumes and arrays
2 - Control administrator actions
3 - Restrict network access
4 - Physically protect your environment
5 - Optimize security on hosts and on administration servers
Advanced Authentication

authentication n. To establish the authenticity of, such as identity

• Authentication methods
– Something you know
• Passwords
– Something you possess
• A badge or smart card
– Something about you
• Biometrics (fingerprints, retinal scan, etc.)

• Most used/convenient is “something known”
• Weakest is “something known”: it can be guessed, shared or phished, and a copy is indistinguishable from the original
• Strongest authentication combines two or more of the factors (multi-factor authentication)
Advanced Privacy

privacy n. The state of being concealed; secrecy

• Privacy methods
– Encryption
• Cryptography (it’s obviously encrypted)
• Steganography (hidden, and not obvious)
• “Security through obscurity”: hiding that a message exists is no substitute for encrypting it, because the hiding method protects nothing once it is known
– Capture prevention
• Nearly impossible
– Physical proximity
• Impractical for network connections
Encryption

Cleartext → Encryption Function (with encoding key) → Cyphertext
Transmit or Store
Cyphertext → Decryption Function (with decoding key) → Cleartext
Symmetric and Public Key Systems

• Symmetric Key
– A single key is used for both encoding and decoding
– The key is kept secret
– “Old” style encryption system
– Key distribution is a significant problem: both parties need the same secret before they can talk
– Examples: DES, AES

• Public (Asymmetric) Key
– Always two keys (key pair)
– One private, the other public: anyone can know it
– Encrypt with either, and decrypt with the other (true of RSA; not every public-key scheme has this symmetry)
– Key distribution easier (new problem, “public key disinformation”: being tricked into using an attacker’s public key as someone else’s)
– Provides authentication and privacy
– Examples: RSA (algorithm), PGP (software built on public-key algorithms)
More About Public Key Systems

• Keys are based on prime numbers and arithmetic operations
• “Strength” is expressed as key size, but only within one system: the 64-bit and 128-bit figures usually quoted are symmetric key sizes, while public keys run to 1024 bits and beyond for comparable strength
• Authentication
– “If my public key turns cyphertext into cleartext, you know it was encoded with my private key, which only I know.”
• Privacy
– “If I encode something with your public key, only you will be able to decode it.”
• Authentication and privacy
– “If I encode something with my private key, then with your public key, you would decode it with your private key, then my public key.”
– In practice the private-key step is applied to a hash of the message (a signature) and the public-key step to a session key, because the public-key operations are slow
• Public key systems support “certificate authorities”, which sign statements binding a public key to its owner and so address the key-disinformation problem
Hybrid Encryption Systems

• Symmetric (secret) key systems have key distribution problems
• Public key systems are computationally intensive
• Best practice combines the two
– Use public key to establish authenticity and privacy
• A “secure” connection is both private and authenticated
– Negotiate a one-time secret key using the secure connection
• Known as a “session key”: good only for this session
– Tear down the public key secure connection
• It is too expensive to use for the rest of the conversation
– Create a new secure connection using the symmetric session key
• Use this connection for the rest of the conversation
• Examples: SSL/TLS, IPsec VPNs
But Encryption Isn’t Enough…

• Solely a “what you know” system
– Keys can be divulged
– Keys can be guessed or determined
– A copied key is as good as the original, and the copy leaves no trace

• Combined with “what you have” or “what you are”
– Smart Card
• Password no good without your badge
– Biometrics
• Password no good without your fingerprint
– Platform authentication
• Private keys stored in silicon, bound to hardware (a smart-card chip or a TPM), so the key can be used but never exported

• Maybe use all three?
The Security Challenge

• Products and systems must be designed with security as a goal, not as an afterthought
• System administrators must consider security ramifications of every decision
• Security awareness must infuse every process and policy
• Security training and education cannot be skipped
• Must do all this while
– Not significantly reducing the benefits of use
– Not increasing inconvenience beyond users’ toleration
The Future of Security

• “Opt-in” configurations instead of “Opt-out”


• Security checks at every level
• Platform authentication more important
• Biometrics and smart cards more prevalent
• All-pervasive encryption
• Stronger authentication systems
• Security an absolute product requirement
• Potential for increased hassle
• Potential for lost information
• Increased litigation surrounding security breaches

“Following the Code Red and Nimda attacks, Microsoft heard back from users that they were just sick of this. More than anything, it was the huge impact Code Red had on IIS users. It was horrendous… The problem is these patches are so frequent, […] sure you keep up with them.”
“We will not rest until all our customers get what they need to get and stay secure.”
Brian Valentine, Senior VP, Microsoft, 9/20/2001

“It’s not that IIS is poorly written, but it’s pretty clear that IIS and Microsoft are huge targets for viruses and other malicious code, putting […] at risk.”
John Pescatore, Gartner Viewpoint, CNET

“I have urged […] Microsoft is adding to its […] making the product better […]”
Matt Kesner, Fenwick & West, Internetweek.com, 10/4/01

“What we discovered a few months ago is that, while we are doing a pretty good job providing [security tools and patches], it wasn’t easy enough for our customers to roll them out. Because of our position in the industry, we felt it was our responsibility to make it as easy as possible for the customer to do what it takes to stay secure.”
Dave Thompson, VP, Microsoft, ZDNet News, 10/22/2001

“Typically, Microsoft takes three times to get it right. That’s not going to work here.”
William Malik, Gartner
Infamous Bill Gates Trustworthy Computing E-mail

• In 2002 Bill Gates’s company-wide memo launched Microsoft’s Trustworthy Computing initiative, making security a priority across all of its products.
Today Security at Microsoft?

• May 9, 2003, 10:45 AM PT
• A serious security flaw in Microsoft’s Passport service put more than just its 200 million customers’ accounts at risk.
• For a company that has publicly made security a priority, the Passport problem was a serious setback.

http://news.com.com/2100-1009-1000655.html
Questions and Feedback

Please send us your feedback on this workshop to:

feedback@eccouncil.org
