10 Application and Network Security and
security testing
IT Governance CEN 667
Project proposal (week 4)
• The goal of the projects is to find applicable measurement and metric methods to improve processes:
– For the 27000 series of standards, 27001 and 27004
– For ITIL
– For Business Continuity and BS 25999
– For Disaster Recovery
– For Penetration testing
– For Operational and Security Incident management
– For Risk Management
– Secure method for visual authentication
– Mobile security access with speech recognition
– Other, agreed with the lecturer
• Literature review on the selected topic - between 500 and 1000 words
• Proposal for improvements of the chosen method, approach or technique - up to 2000 words
• List of references
Project proposal (week 11)
Candidate | Topic | Literature review draft | Paper | Proposed corrections | Week ?
Azizah Ibrahim | Mobile IPv6 handover packet loss avoidance | NO | NO | NO |
Emina Aličković | A Novel Intrusion System Based on Support Vector Machines | NO | NO | NO |
Jasmin Kevrić | Algorithm improvement for the network anomaly detection using improved KDD 2009 | NO | NO | NO |
Adnan Miljković | Implementation of two factor authentication for web application | YES (463 words) | NO | NO |
Fatih Ozturk | Evolutionary Computation Method Application for Network Intrusion | | | |
Week / Topic
Week 1 Introduction to IT governance
Week 2 Overview of Information Security standards - ISO 27000 series of standards (27001, 27002, 27003, 27004, 27005)
Week 3 Information Technology Service management ISO 20000-1 and ISO 20000-2
Week 4 ITIL
Week 5 Business Continuity and BS 25999-1 and BS 25999-2
Week 6 Disaster Recovery
Week 7 COBIT
Week 8 Project implementation (ISO 10006 and ISO 27003)
Week 9 Midterm
Week 10 Risk Management (ISO 27005)
System Development Life Cycle
• 1. Initiation – the system is described in terms of its purpose, mission, and configuration.
• 2. Development and Acquisition – the system is possibly contracted and constructed according to documented procedures and requirements.
• 3. Implementation and Installation – the system is installed and integrated with other applications, usually on a network.
• 4. Operation and Maintenance – the system is operated and maintained according to its mission requirements.
When is Network Security Testing done?
• It is done after the system has been developed, installed and integrated, during
Tools and Techniques for Network Security
• Network Scanning
• Vulnerability Scanning
• Password Cracking
• Log Reviews
• War Dialing
Network Scanning
• Scan for connected hosts
• Scan for services running on each host
• Scan for which applications provide those services
• How does scanning take place?
Ping the hosts using ICMP Echo Request and Echo Reply, then look for open TCP/UDP ports.
• Operating system fingerprinting.
Not fully reliable, as firewalls can be configured to camouflage the operating system.
Network Scanning
• The vulnerabilities of IIS differ from those of Apache, so the scanner must identify which server software is running.
• Connect to the remote port and read what the service announces about itself (banner grabbing).
• A human is still needed to interpret the results.
Network Scanning Results
• Investigate and disconnect unauthorized hosts
• Disable or remove unnecessary and vulnerable services
• Modify vulnerable hosts to restrict access to vulnerable services to a limited number of required hosts (e.g., host-level firewall or TCP wrappers), and
• Modify enterprise firewalls to restrict outside access to known vulnerable services.
Vulnerability Scanning
• Takes network scanning one step further.
• Maintains a database of known vulnerabilities in operating systems and applications.
• Generates more traffic than port scanners.
• Network-based scanners.
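As an added illustration of the network-scanning and vulnerability-scanning steps above (not code from the original slides), the Python script below starts two fake services on loopback in place of real hosts, performs a TCP connect scan with banner grabbing, and then matches each banner against a small vulnerability database. The services, banners and advisory labels EX-0001/EX-0002 are all constructed for the example and are not real advisories; a real scanner would carry thousands of signatures and also probe beyond the banner.

```python
import re
import socket
import threading
from typing import Dict, List, Optional

# Constructed vulnerability database for this example: (banner pattern,
# predicate on the match, advisory label). EX-0001/EX-0002 are hypothetical
# labels, not real CVE identifiers.
VULN_DB = [
    (re.compile(r"^SSH-2\.0-OpenSSH_(\d+)\.(\d+)"),
     lambda m: (int(m.group(1)), int(m.group(2))) < (7, 4),
     "OpenSSH < 7.4 (hypothetical advisory EX-0001)"),
    (re.compile(r"^220 Example-FTPd (\d+)\.(\d+)"),
     lambda m: (int(m.group(1)), int(m.group(2))) <= (1, 2),
     "Example-FTPd <= 1.2 (hypothetical advisory EX-0002)"),
]


def start_fake_service(banner: bytes) -> int:
    """Start a loopback TCP listener that greets each client with `banner`.
    It stands in for a real host; returns the ephemeral port it listens on."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve() -> None:
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return port


def grab_banner(host: str, port: int, timeout: float = 0.5) -> Optional[str]:
    """TCP connect scan of one port. None means closed or filtered; otherwise
    the first line the service volunteers (empty string if it stays silent)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            try:
                data = s.recv(256)
            except socket.timeout:
                data = b""
    except OSError:
        return None
    return data.decode("ascii", "replace").split("\r\n")[0].strip()


def connect_scan(host: str, ports: List[int]) -> Dict[int, str]:
    """Scan the given ports; returns {port: banner} for the open ones only."""
    found = {}
    for port in ports:
        banner = grab_banner(host, port)
        if banner is not None:
            found[port] = banner
    return found


def match_vulns(banner: str) -> List[str]:
    """Vulnerability-scanner step: compare a banner against VULN_DB. Unlike a
    port scanner this needs the application name and version, not just a port."""
    hits = []
    for pattern, is_vuln, advisory in VULN_DB:
        m = pattern.match(banner)
        if m and is_vuln(m):
            hits.append(advisory)
    return hits


def demo() -> Dict[int, tuple]:
    """Scan two fake services and one closed port on loopback."""
    ssh_port = start_fake_service(b"SSH-2.0-OpenSSH_6.9\r\n")
    ftp_port = start_fake_service(b"220 Example-FTPd 1.2 ready\r\n")
    probe = socket.socket()
    probe.bind(("127.0.0.1", 0))
    closed_port = probe.getsockname()[1]
    probe.close()                      # released again, so it is closed when scanned
    open_ports = connect_scan("127.0.0.1", [ssh_port, ftp_port, closed_port])
    return {port: (banner, match_vulns(banner)) for port, banner in open_ports.items()}


if __name__ == "__main__":
    for port, (banner, hits) in demo().items():
        print(f"{port}/tcp open  {banner!r}  {hits or 'no known issues'}")
```

The scan only reports the closed port as absent; the two open ports come back with their banners, and the database lookup flags both, which is the "one step further" the slide describes. A banner can be faked, so the human interpretation step from the previous slide still applies.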
Log Reviews
• Give a dynamic picture of system activity.
• Check conformance with the security policies.
• IDS sensors placed behind the firewall.
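An added example of what a log review looks like when turned into detection logic (not part of the original slides). The Python below parses constructed sshd/syslog-style lines and checks them against two constructed policies: a brute-force threshold within a time window, and a rule that root may only log in from an assumed admin network 192.0.2.0/24. The log lines, hosts and addresses are made up for the example and use RFC 5737 documentation ranges.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines in OpenSSH/syslog style for this example;
# the hosts and addresses are documentation ranges, not real systems.
SAMPLE_LOG = """\
Mar 10 08:01:02 gw sshd[4101]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Mar 10 08:01:05 gw sshd[4101]: Failed password for invalid user admin from 203.0.113.7 port 51124 ssh2
Mar 10 08:01:09 gw sshd[4102]: Failed password for root from 203.0.113.7 port 51130 ssh2
Mar 10 08:01:14 gw sshd[4103]: Failed password for root from 203.0.113.7 port 51133 ssh2
Mar 10 08:01:20 gw sshd[4104]: Failed password for root from 203.0.113.7 port 51140 ssh2
Mar 10 08:02:30 gw sshd[4110]: Accepted password for root from 203.0.113.7 port 51150 ssh2
Mar 10 08:15:00 gw sshd[4120]: Failed password for alice from 198.51.100.4 port 40000 ssh2
Mar 10 09:15:00 gw sshd[4121]: Accepted publickey for alice from 198.51.100.4 port 40001 ssh2
Mar 10 09:20:00 gw sshd[4122]: Accepted publickey for bob from 192.0.2.9 port 40100 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_line(line: str):
    """Return (timestamp, outcome, user, ip) or None for lines we do not understand."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")   # syslog carries no year
    return ts, m.group("outcome"), m.group("user"), m.group("ip")


def review(log_text: str, threshold: int = 5, window: timedelta = timedelta(minutes=2),
           admin_nets=("192.0.2.0/24",)):
    """Review a log against the policy. Returns a list of (kind, ip, detail) findings:
    brute-force (>= threshold failures inside window), success-after-failures,
    and policy-violation (root login from outside the admin networks)."""
    nets = [ipaddress.ip_network(n) for n in admin_nets]
    failures = defaultdict(deque)      # ip -> timestamps of recent failures
    flagged = set()
    findings = []
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None:
            continue
        ts, outcome, user, ip = event
        recent = failures[ip]
        while recent and ts - recent[0] > window:   # slide the window forward
            recent.popleft()
        if outcome == "Failed":
            recent.append(ts)
            if len(recent) >= threshold and ip not in flagged:
                flagged.add(ip)
                findings.append(("brute-force", ip, f"{len(recent)} failures within {window}"))
        else:
            if recent:
                findings.append(("success-after-failures", ip,
                                 f"user {user} logged in after {len(recent)} recent failures"))
            if user == "root" and not any(ipaddress.ip_address(ip) in n for n in nets):
                findings.append(("policy-violation", ip, "root login from outside the admin networks"))
    return findings


if __name__ == "__main__":
    for kind, ip, detail in review(SAMPLE_LOG):
        print(f"{kind:24} {ip:15} {detail}")
```

The three findings all concern 203.0.113.7: five failures in under twenty seconds, then a successful root login from the same address, which also breaks the admin-network rule. Alice's single failure an hour before her key login falls outside the window and is correctly ignored.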
War Dialing
• Unauthorized modems.
• Dialing software can dial hundreds of numbers in a short time
• Block the inbound calls to the identified
War Driving
• Wireless default configurations are insecure.
• Drive test
• Needs only a wireless network card and testing tools
Security Penetration Services
• Goal: help organizations secure their systems
• Skill set: equivalent to system administrators
• Record keeping & ethics
Penetration Testing
• It is a method of getting into the system by using the same techniques an attacker would use.
• The test agreement should specify:
• Specific IP addresses/ranges to be tested
• Any restricted hosts (i.e., hosts, systems, subnets, not to be tested)
• A list of acceptable testing techniques (e.g. social engineering, DoS, etc.) and tools (password crackers, network sniffers, etc.)
• Times when testing is to be conducted (e.g., during business hours, after business hours, etc.)
• Identification of a finite period for testing
• IP addresses of the machines from which penetration testing will be conducted so that administrators can differentiate the legitimate penetration testing attacks from actual malicious attacks
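The scope items above can be written down in a form that tooling checks before every action, so a tester cannot drift outside the agreement by mistake. The Python class below is an added example, not part of the original slides: it encodes agreed ranges, restricted hosts (which take precedence over ranges), permitted techniques, a daily testing window that may wrap past midnight, and the announced tester source addresses. The concrete ROE values are constructed from RFC 5737 documentation addresses.

```python
import ipaddress
from datetime import datetime, time
from typing import List


class RulesOfEngagement:
    """Machine-checkable form of the scope items listed above (example only)."""

    def __init__(self, in_scope, excluded, allowed_techniques, start: time, end: time, source_ips):
        self.in_scope = [ipaddress.ip_network(n) for n in in_scope]
        self.excluded = [ipaddress.ip_network(n) for n in excluded]
        self.allowed_techniques = set(allowed_techniques)
        self.start, self.end = start, end                     # daily testing window
        self.source_ips = {ipaddress.ip_address(s) for s in source_ips}

    def in_window(self, when: datetime) -> bool:
        t = when.time()
        if self.start <= self.end:
            return self.start <= t < self.end
        return t >= self.start or t < self.end                # window wraps past midnight

    def violations(self, target: str, technique: str, when: datetime, source: str) -> List[str]:
        """Return every rule the proposed action would break (empty list = allowed)."""
        ip = ipaddress.ip_address(target)
        problems = []
        if any(ip in net for net in self.excluded):           # exclusions win over ranges
            problems.append(f"{target} is explicitly excluded")
        elif not any(ip in net for net in self.in_scope):
            problems.append(f"{target} is outside the agreed ranges")
        if technique not in self.allowed_techniques:
            problems.append(f"technique '{technique}' is not permitted")
        if not self.in_window(when):
            problems.append(f"{when:%H:%M} is outside the testing window")
        if ipaddress.ip_address(source) not in self.source_ips:
            problems.append(f"source {source} is not an announced tester address")
        return problems


# Constructed agreement using documentation addresses (assumed values).
ROE = RulesOfEngagement(
    in_scope=["203.0.113.0/24"],
    excluded=["203.0.113.250/32"],                          # e.g. the production database host
    allowed_techniques=["port-scan", "vuln-scan", "password-guessing"],   # no DoS
    start=time(18, 0), end=time(6, 0),                      # after business hours, wraps midnight
    source_ips=["198.51.100.10"],
)

if __name__ == "__main__":
    print(ROE.violations("203.0.113.20", "port-scan", datetime(2024, 3, 10, 23, 30), "198.51.100.10"))
    print(ROE.violations("203.0.113.250", "dos", datetime(2024, 3, 10, 10, 0), "198.51.100.11"))
```

The first call returns no violations; the second returns four at once, which is the point of reporting all broken rules rather than stopping at the first: the tester sees the whole picture before touching the host.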
Penetration Testing
• Blue Teaming
Phases of Penetration Testing
• Planning Phase
Goals are set and written permission is obtained. No testing takes place yet.
• Discovery Phase
Testing starts. Port scanning is used to find hosts, open ports and services, and from those the vulnerabilities.
Announced vs. Unannounced Penetration Testing
• Announced testing
• Pros
– Efficient
– Team oriented
• Cons
– Holes may be fixed as discovered & block further penetration
– False sense of security
• Unannounced testing
• Pros
– Greater range of testing
• Cons
– Response may block further penetration
– Requires strict escalation process
Rules of Engagement
• Type of attacks allowed (no DoS)
• Off-limits machines & files (e.g., password files)
• Designated machines or networks
Penetration Testing Phases
• Footprint
• Scanning/Probing
• Enumeration
• Gain Access
• Escalate Privileges
• Exploit
• Cover Tracks
Footprinting
• Profile target passively
– Address blocks
– Internet IP addresses
– Administrators
• Techniques
– Googling
– Whois lookups
Scanning/Probing: nmap
• Active probing
• NMAP
– Port scanner
– www.insecure.org
• Discovers:
– Available Hosts
– Ports (services)
Scanning/Probing: nessus
• www.nessus.org
• Vulnerability scanning
– Common configuration errors
– Default configuration weaknesses
– Well-known vulnerabilities
Enumeration: hackbot
• Identify accounts, files & resources
• Ws.obit.nl/hackbot
• Finds:
– CGI
– Services
– X connection check
Gaining Access: packet captures
• Eavesdropping • Ethereal,
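What eavesdropping with a packet capture tool actually yields is easiest to see on a cleartext protocol. The Python below is an added example, not code from the original slides or from Ethereal: it constructs a minimal Ethernet/IPv4/TCP frame carrying an HTTP request, parses the headers the way a sniffer's dissector would, and pulls the HTTP Basic credential out of it. The frames, addresses and the credential admin:Winter2024! are constructed for the example; checksums are left zero, which is fine for a parser that does not verify them.

```python
import base64
import struct
from typing import Dict, Optional, Tuple


def build_frame(payload: bytes, src_ip: str = "192.0.2.10", dst_ip: str = "192.0.2.80",
                sport: int = 50000, dport: int = 80) -> bytes:
    """Construct a minimal Ethernet II / IPv4 / TCP frame (constructed test data;
    IP and TCP checksums are left zero)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    total_len = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 6, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split(".")))
    return eth + ip + tcp + payload


def parse_frame(frame: bytes) -> Optional[Tuple[str, str, int, int, bytes]]:
    """Return (src_ip, dst_ip, sport, dport, tcp_payload), or None if not IPv4/TCP."""
    if len(frame) < 54 or frame[12:14] != b"\x08\x00":      # EtherType 0x0800 = IPv4
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if (ip[0] >> 4) != 4 or ip[9] != 6:                     # version 4, protocol 6 = TCP
        return None
    total_len = struct.unpack("!H", ip[2:4])[0]
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    tcp = ip[ihl:total_len]
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_offset = (tcp[12] >> 4) * 4
    return src, dst, sport, dport, tcp[data_offset:]


def extract_basic_credentials(frame: bytes) -> Optional[Dict[str, object]]:
    """Pull an HTTP Basic credential out of one captured frame, if it carries one."""
    parsed = parse_frame(frame)
    if parsed is None:
        return None
    src, dst, sport, dport, payload = parsed
    headers = payload.split(b"\r\n\r\n", 1)[0]
    for line in headers.split(b"\r\n")[1:]:                 # skip the request line
        name, _, value = line.partition(b":")
        if name.strip().lower() != b"authorization":
            continue
        scheme, _, token = value.strip().partition(b" ")
        if scheme.lower() != b"basic":
            continue
        try:
            user, _, password = base64.b64decode(token, validate=True).decode("utf-8").partition(":")
        except (ValueError, UnicodeDecodeError):
            return None
        return {"src": src, "dst": dst, "dport": dport, "user": user, "password": password}
    return None


def sniff(frames) -> list:
    """Run the extractor over a list of frames, as a sniffer would over a capture."""
    return [c for c in (extract_basic_credentials(f) for f in frames) if c]


# Constructed "capture": one request with Basic auth, one without.
CAPTURED = [
    build_frame(b"GET /admin HTTP/1.1\r\nHost: intranet.example\r\n"
                b"Authorization: Basic " + base64.b64encode(b"admin:Winter2024!") + b"\r\n\r\n"),
    build_frame(b"GET / HTTP/1.1\r\nHost: intranet.example\r\n\r\n"),
]

if __name__ == "__main__":
    for cred in sniff(CAPTURED):
        print(cred)
```

Basic auth is only base64, not encryption, so anyone on the path between client and server recovers the password verbatim; the same dissector shape applies to FTP, Telnet and POP3 logins. The countermeasure is TLS, not a stronger password.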
Physical Access
• Boot loader & BIOS vulnerabilities
• GRUB loader
– No boot loader password set
– Allows an attacker with console access to boot into single-user mode with root access
• Password crackers
Wireless Security
• War driving with directional antenna
• Wired Equivalent Privacy (WEP) vulnerabilities
• Penetration Tools:
– WEPcrack
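To make the WEP weakness concrete, the Python below is an added example (not from the original slides and not how WEPcrack works internally): it implements RC4 and a WEP-style frame body, IV || RC4(IV || key)(plaintext || CRC-32 ICV), then shows that two frames sent under the same 24-bit IV share one keystream, so one known plaintext decrypts the other frame without ever learning the key. WEPcrack itself recovers the key statistically from weak IVs; that attack is not reproduced here. The key, IV and frame contents are constructed for the example.

```python
import math
import struct
import zlib


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4: key-scheduling (KSA) followed by the output generator (PRGA)."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def icv(plaintext: bytes) -> bytes:
    """WEP integrity check value: CRC-32, little-endian (a linear check, not a MAC)."""
    return struct.pack("<I", zlib.crc32(plaintext) & 0xFFFFFFFF)


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP frame body: IV || RC4(IV || key)(plaintext || ICV).
    The per-packet RC4 key is just the 24-bit IV prepended to the shared key."""
    assert len(iv) == 3 and len(key) in (5, 13)
    data = plaintext + icv(plaintext)
    ks = rc4_keystream(iv + key, len(data))
    return iv + bytes(a ^ b for a, b in zip(data, ks))


def wep_decrypt(key: bytes, frame: bytes):
    """Legitimate receiver: returns the plaintext, or None if the ICV does not verify."""
    iv, body = frame[:3], frame[3:]
    ks = rc4_keystream(iv + key, len(body))
    data = bytes(a ^ b for a, b in zip(body, ks))
    plaintext, tag = data[:-4], data[-4:]
    return plaintext if icv(plaintext) == tag else None


def recover_keystream(frame: bytes, known_plaintext: bytes) -> bytes:
    """Attacker who knows one frame's plaintext: keystream = ciphertext XOR plaintext."""
    return bytes(c ^ p for c, p in zip(frame[3:], known_plaintext))


def decrypt_with_keystream(frame: bytes, keystream: bytes) -> bytes:
    """Any other frame sent under the same IV was encrypted with the same keystream."""
    return bytes(c ^ k for c, k in zip(frame[3:], keystream))


def iv_collision_probability(frames: int, iv_bits: int = 24) -> float:
    """Birthday estimate of the chance that some IV repeats within `frames` frames."""
    return 1 - math.exp(-frames * (frames - 1) / (2 * 2 ** iv_bits))


def demo() -> bytes:
    """Keystream reuse: one known frame under an IV decrypts every other frame under it."""
    key = b"\x01\x02\x03\x04\x05"                 # 40-bit WEP key (constructed)
    iv = b"\x0b\x0a\x0c"
    # Frame 1: contents fully known to the attacker (e.g. a packet they provoked
    # the victim into sending). LLC/SNAP header followed by constructed filler.
    p1 = b"\xaa\xaa\x03\x00\x00\x00\x08\x06" + b"\x00" * 40
    # Frame 2: the victim's real traffic, encrypted under the same IV.
    p2 = b"\xaa\xaa\x03\x00\x00\x00\x08\x00" + b"POST /login user=alice&pw=hunter2"
    c1 = wep_encrypt(key, iv, p1)
    c2 = wep_encrypt(key, iv, p2)
    keystream = recover_keystream(c1, p1 + icv(p1))
    return decrypt_with_keystream(c2, keystream)[:-4]   # strip the ICV


if __name__ == "__main__":
    print(demo())
    print(f"P(IV repeat after 5000 frames) = {iv_collision_probability(5000):.2f}")
```

With only 2^24 IVs, the birthday estimate gives better than even odds of a repeat after about 5000 frames on a busy network, so the attacker does not have to wait long for a collision; the same weakness is why WEP was replaced by WPA2/WPA3, which never reuse a keystream.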
Counter Measures 1
• Install the latest patches.
• Change default settings/options.
• Set passwords and protect your password file.
Counter Measures 2
• Install only required software; open only required ports.
• Maintain a good backup.
• Set a BIOS password, a boot loader password, and any other passwords that are necessary.
Counter Measures 3
• Monitor your system if possible.
Software Testing
• Application fulfills functional requirements
• Dynamic, functional tests late in the SDLC
Security Testing
• Look for unexpected but intentional misuse of the system
• Must test for all potential misuse types using
– Architectural risk analysis results
– Abuse cases
Penetration Testing
• Testing for negative – what must not exist in the system
• Difficult – how to prove “non-existence”
• If penetration testing does not find errors, then
– one can conclude only that under the given circumstances no security faults were found
Penetration Testing Today
• Often performed
• Applied to finished products
• Outside in approach
• Late SDLC activity
Late-Lifecycle Testing
• Limitations:
– Design and coding errors are discovered too late
– Higher cost than earlier, design-level detection
– Options to remedy discovered flaws are constrained by both time and budget
Success of Penetration Testing
• Depends on skill, knowledge, and experience of the tester
• Important: interpretation of the results
• Disadvantages of penetration testing:
– Often used as an excuse to declare victory and go home
Testing Process
• External Testing: across the internet.
– Simulate attacker's environment
– Gathering information related to remote access, IP addresses, open ports, allowed services, etc.
– Tools to support
• Internal Testing: onsite. View of the system behind the external perimeters
Testing Activities
• Scoping: assessing target system
• Discovery: building information about the system
– Offline and online activities
• Vulnerability scanning: testing system components
• Target penetration: within testing parameters
• Analysis: of results of previous stages
Software Penetration Testing
• Marketing, managerial, industry production line, etc.
• Needs tools
• Test more than once
Testing and Application Context
• Organizations: How to update legacy systems with security capabilities
Is Penetration Testing Worth it?
• Schneier, http://schneier.com/blog/archives/2007/05/is_penetration.html
• Opinions:
– Penetration testing is essential for network security
– Penetration testing is a waste of time and money
• What is the goal of penetration testing?
Future Improvements
• Correction of weaknesses uncovered by the penetration exercise
• Automate and customize the penetration test process
• Use of intrusion detection systems
Conclusion
• Acceptable use guidelines (e.g., what is acceptable use of organization computing and network resources)
• Roles and responsibilities (for users, administrators, management)
• Authentication (e.g., passwords, biometrics)
• Availability of resources (redundancy, recovery, backups)
• Compliance (consequences and penalties).