Protecting Mainframe and Distributed Corporate Data from FTP Attacks: Introducing FTP/Security Suite
Alessandro Braccia, DBA Sistemi
XXVIII Convegno Annuale del CMG-Italia (28th CMG-Italia Annual Conference): Milan, 28 May 2014; Rome, 29 May 2014
Agenda
• About SAC
• The Problem
• How Attackers Operate
• Popular Hacking Tools
• FTP Issues
• What the Products do, and how
• Conceptual Overview
About SAC
• Founded in 1990
• Developed a number of very successful products
• Until now purely a development company
• Products were private labeled by other companies, for example:
  • AF/Operator: Candle Corporation (now IBM)
  • TapeSaver: Mobius Management Systems (now Unicom)
• These products have been sold or moved to subsidiaries
• Focus on the FTP/Security Suite
The Problem
• Complex problem, lack of understanding in the marketplace
• Big vendors focus the security discussion on their own products
• Most attacks never make it to the press, so they do not educate the market
• Customers often:
  • Do not know how hackers operate
  • Spend a lot of money on some solutions
  • Lack tools in other (important) areas
• Result: companies don't even know they were attacked, or notice it many months later, and don't know what was taken
How attackers operate
• Attackers can be hobbyists, amateurs or professionals
• Use automated tools
  • Attack weaknesses in common tools and protocols
  • Prefer those that are not typically monitored
• Prime target: FTP
  • The world's most common data interchange protocol, including in corporate IT
  • Customers forget they use it; no one is responsible for it
  • No management / monitoring tools
  • By default attacks are typically not logged
  • Attack tools available on the internet, instructions on
Popular FTP Hacking Tools
• THC-Hydra (http://www.thc.org/thc-hydra)
• Medusa (http://foofus.net/goons/jmk/medusa/medusa.html)
• Ncrack (http://nmap.org/ncrack)
• Brutus (http://www.hoobie.net/brutus)
Where is FTP used?
• With external partners
  • Often hosting sensitive data
• On web servers
  • Providing access to the corporate web site and other resources
• As a departmental data interchange tool
  • Often deployed without IT's knowledge & involvement
  • Typically extremely vulnerable due to lack of security
• In the data center
  • Server <-> Server and Server <-> Mainframe data
FTP Issues
• Don't know where they use FTP, or how much
• No tools to monitor and audit FTP usage
  • Lack of compliance
  • Not able to detect attacks
  • Not able to determine what was taken
• Not sufficiently protected against FTP attacks
  • Firewalls and IDS (Intrusion Detection Systems)
Intrusion Detection Systems
• Designed primarily to detect intrusions from outside
  • Malicious employees and contractors are a common threat
• Looks for anomalies in network traffic
  • Does not understand the network protocols it looks at
  • Recognizes brute force attacks by frequency, not content
The FTP/Security Suite
• FTP/Auditor: FTP server discovery
  • Where is FTP running, how is it secured?
• FTP/Sentry: real-time monitoring and alerting
  • What is happening? What problems are occurring?
• Sentry Desktop: auditing and historical analysis
  • Who accessed which files, when and from where?
  • Exceptions and alerts
• FTP/Armor: securing FTP servers
  • Detects attacks, alerts IT staff and blocks intruders
  • Complements Intrusion Detection Systems
• FTP/Guardian: Integrates Mainframe FTP with Mainframe
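As an added example (not the FTP/Auditor product, whose internals the deck does not describe), the following Python script shows the kind of check the "where is FTP running, how is it secured?" question calls for: it probes a list of hosts on port 21, records the banner, the FEAT feature list (to see whether AUTH TLS is offered) and whether anonymous login is accepted, and turns that into findings. The host list is an assumption supplied on the command line; the banner and FEAT reply used for the stand-alone run are constructed samples, and the finding texts are this example's own wording.

```python
"""Discover FTP servers on a list of hosts and record how each is secured.

Added example, not the FTP/Auditor product. Hosts to probe are an assumption
supplied by the caller; SAMPLE_BANNER and SAMPLE_FEAT are constructed so the
assessment logic can run without a network.
"""
import ftplib


def parse_feat(reply):
    """Extract feature names from a multi-line FEAT reply (RFC 2389 layout:
    '211-Features:', one space-indented line per feature, '211 End')."""
    features = set()
    for line in reply.splitlines()[1:]:
        if line.startswith(" "):
            name = line.strip()
            if name:
                features.add(name.upper())
    return features


def assess(banner, features, anonymous_ok):
    """Turn what the server told us into findings a security team can act on."""
    findings = []
    # No AUTH in FEAT means no explicit FTPS on this port (implicit FTPS on
    # 990 is a separate service and is not probed here).
    if not any(f.split()[0] == "AUTH" for f in features):
        findings.append("no AUTH (TLS) support: credentials and data cross the wire in clear text")
    if anonymous_ok:
        findings.append("anonymous login accepted")
    text = banner[4:] if banner[:3].isdigit() else banner  # drop the 220 reply code
    if any(ch.isdigit() for ch in text):
        findings.append("banner reveals software version: " + text.strip())
    return findings


def audit_host(host, port=21, timeout=5):
    """Probe one host; returns None if nothing speaks FTP on the port."""
    ftp = ftplib.FTP()
    try:
        banner = ftp.connect(host, port, timeout=timeout)
    except (OSError, ftplib.Error):
        return None
    try:
        try:
            features = parse_feat(ftp.sendcmd("FEAT"))
        except ftplib.Error:          # old servers answer 500 to FEAT
            features = set()
        try:
            ftp.login()               # ftplib default: user anonymous
            anonymous_ok = True
        except ftplib.Error:
            anonymous_ok = False
    finally:
        try:
            ftp.quit()
        except (OSError, ftplib.Error, EOFError):
            ftp.close()
    return {"host": host, "banner": banner, "features": sorted(features),
            "anonymous": anonymous_ok,
            "findings": assess(banner, features, anonymous_ok)}


def scan(hosts, port=21):
    """Probe each host; yield only those where an FTP server answered."""
    for host in hosts:
        result = audit_host(host, port)
        if result is not None:
            yield result


# Constructed samples (not captured from any real server).
SAMPLE_BANNER = "220 (vsFTPd 3.0.2)"
SAMPLE_FEAT = "211-Features:\n AUTH TLS\n PBSZ\n PROT\n UTF8\n211 End"

if __name__ == "__main__":
    import sys
    # Hosts are an assumption supplied by the caller, e.g. from an asset list.
    for r in scan(sys.argv[1:]):
        print(r["host"], r["banner"].strip(),
              "anonymous" if r["anonymous"] else "",
              "; ".join(r["findings"]) or "no findings")
    # Stand-alone check against the constructed samples (no network needed):
    print(assess(SAMPLE_BANNER, parse_feat(SAMPLE_FEAT), anonymous_ok=False))
```

Run it with a host list (`python ftp_audit.py host1 host2 ...`) and every host that answers on port 21 is listed with its findings; hosts that do not answer are silently skipped, so a full sweep of a subnet is just a longer argument list. The probe is read-only apart from the anonymous login attempt, which itself shows up in the target's log, so run it from an address the server team knows about.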
Conceptual Overview
[Diagram: the FTP/Sentry Real Time Monitor and Remote Agents feed the FTP Activity DB (SQL Server), which the Sentry Desktop reads]
Typical FTP Attack
[Diagram: from IP n.n.n.n, repeated logins as User: Administrator with Password: AAAAA, AAAAB, AAABA, AAABB, ... against the FTP server]
FTP Attack with FTP/Sentry
[Diagram sequence, four slides: the Real Time Monitor records the same attempts from IP n.n.n.n in the FTP Activity DB (SQL Server); an Alert is raised on the Sentry Desktop Console; the Remote Agents issue BLOCK IP n.n.n.n on each server; further attempts from IP n.n.n.n receive Connection refused]
Why are our products so important?
• Without them our customers would not:
  • Know which servers are vulnerable through running FTP
  • Be protected against FTP attacks
  • Be able to notice an attack
    • what ID was compromised and
    • what was taken
  • Be able to audit WHEN WHO accessed WHAT from WHERE
  • Have operational visibility and control of their
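The brute-force sequence in the diagrams above (one source cycling passwords against Administrator) and the point on the IDS slide that frequency counting is not the same as understanding content can both be shown in a few dozen lines. The following Python detector is an added example, not FTP/Sentry or FTP/Armor code: it reads FTP server login records, blocks a source after a burst of failures, also flags one ID being guessed slowly from several sources (which a per-source frequency threshold misses), and reports a successful login on an ID that was under attack, which is what answers "which ID was compromised". The log format is assumed to be vsftpd's login record, the sample lines and the thresholds are constructed for the example, and the iptables rules are rendered as strings rather than executed.

```python
"""Brute-force detection over FTP server login records: flag, alert, block.

Added example, not code from the FTP/Security Suite. The log format is the
vsftpd-style login record (an assumption; adjust LOG_RE for other servers),
and SAMPLE_LOG is constructed for this example.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Thu May 29 10:01:02 2014 [pid 1234] [Administrator] FAIL LOGIN: Client "203.0.113.5"
LOG_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) \[pid \d+\] '
    r'\[(?P<user>[^\]]*)\] (?P<result>OK|FAIL) LOGIN: Client "(?P<ip>[\d.]+)"$'
)

WINDOW = timedelta(seconds=60)  # sliding window for counting failures (assumed)
IP_THRESHOLD = 5                # failures from one source in WINDOW: block it
SPREAD_THRESHOLD = 3            # distinct sources failing on one ID in WINDOW: alert


def parse_line(line):
    """Return (timestamp, user, success, ip), or None for non-login lines."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y")
    return ts, m.group("user"), m.group("result") == "OK", m.group("ip")


class BruteForceDetector:
    """Stateful detector fed one log line at a time, in timestamp order."""

    def __init__(self, window=WINDOW, ip_threshold=IP_THRESHOLD,
                 spread_threshold=SPREAD_THRESHOLD):
        self.window = window
        self.ip_threshold = ip_threshold
        self.spread_threshold = spread_threshold
        self.fails_by_ip = defaultdict(deque)    # ip -> timestamps of failures
        self.fails_by_user = defaultdict(deque)  # user -> (timestamp, ip) of failures
        self.attacked = set()                    # IDs seen under attack
        self.blocked = set()                     # sources to drop
        self.alerts = []                         # (kind, user, source, timestamp)

    def _expire(self, dq, now, key):
        while dq and now - key(dq[0]) > self.window:
            dq.popleft()

    def feed(self, line):
        rec = parse_line(line)
        if rec is None:
            return
        ts, user, success, ip = rec
        if success:
            # One well-formed successful login on an ID that was being guessed:
            # invisible to a frequency counter, but it names the compromised ID.
            if user in self.attacked:
                self.alerts.append(("COMPROMISED", user, ip, ts))
            return
        # Rule 1 (frequency): many failures from one source, block that source.
        dq = self.fails_by_ip[ip]
        dq.append(ts)
        self._expire(dq, ts, key=lambda t: t)
        if len(dq) >= self.ip_threshold and ip not in self.blocked:
            self.blocked.add(ip)
            self.attacked.add(user)
            self.alerts.append(("BRUTE_FORCE", user, ip, ts))
        # Rule 2 (content): one ID failing from several sources, each staying
        # below the per-source threshold, is a distributed guess rule 1 never trips.
        udq = self.fails_by_user[user]
        udq.append((ts, ip))
        self._expire(udq, ts, key=lambda e: e[0])
        sources = sorted({e[1] for e in udq})
        if len(sources) >= self.spread_threshold and user not in self.attacked:
            self.attacked.add(user)
            self.alerts.append(("SPREAD", user, ",".join(sources), ts))


def block_commands(blocked):
    """Render firewall rules for the sources to drop (rendered, not executed)."""
    return [f"iptables -I INPUT -s {ip} -p tcp --dport 21 -j DROP"
            for ip in sorted(blocked)]


def analyze(lines):
    """Run the detector over log lines; return (alerts, blocked sources)."""
    det = BruteForceDetector()
    for line in lines:
        det.feed(line)
    return det.alerts, det.blocked


# Constructed sample: a guessing run against Administrator that succeeds on the
# seventh try, a normal user mistyping once, and a slow distributed run on root.
SAMPLE_LOG = """\
Thu May 29 10:00:00 2014 [pid 2101] [alice] OK LOGIN: Client "192.0.2.10"
Thu May 29 10:00:30 2014 [pid 2102] [bob] FAIL LOGIN: Client "192.0.2.11"
Thu May 29 10:00:33 2014 [pid 2102] [bob] OK LOGIN: Client "192.0.2.11"
Thu May 29 10:01:00 2014 [pid 2110] [Administrator] FAIL LOGIN: Client "203.0.113.5"
Thu May 29 10:01:01 2014 [pid 2111] [Administrator] FAIL LOGIN: Client "203.0.113.5"
Thu May 29 10:01:02 2014 [pid 2112] [Administrator] FAIL LOGIN: Client "203.0.113.5"
Thu May 29 10:01:03 2014 [pid 2113] [Administrator] FAIL LOGIN: Client "203.0.113.5"
Thu May 29 10:01:04 2014 [pid 2114] [Administrator] FAIL LOGIN: Client "203.0.113.5"
Thu May 29 10:01:05 2014 [pid 2115] [Administrator] FAIL LOGIN: Client "203.0.113.5"
Thu May 29 10:01:06 2014 [pid 2116] [Administrator] OK LOGIN: Client "203.0.113.5"
Thu May 29 10:05:00 2014 [pid 2120] [root] FAIL LOGIN: Client "198.51.100.1"
Thu May 29 10:05:10 2014 [pid 2121] [root] FAIL LOGIN: Client "198.51.100.2"
Thu May 29 10:05:20 2014 [pid 2122] [root] FAIL LOGIN: Client "198.51.100.3"
"""

if __name__ == "__main__":
    alerts, blocked = analyze(SAMPLE_LOG.splitlines())
    for kind, user, source, ts in alerts:
        print(f"{ts:%H:%M:%S} {kind:<12} user={user} source={source}")
    for cmd in block_commands(blocked):
        print(cmd)
```

Run as-is it prints three alerts (BRUTE_FORCE on Administrator at the fifth failure, COMPROMISED when that ID then logs in, SPREAD on root) and one drop rule for the constructed log; pointed at a real log it runs line by line, so it can sit behind `tail -f`. In a replayed log the blocked source's later lines still appear because nothing enforces the rule; on a live server the applied drop rule is what produces the "Connection refused" shown in the last diagram.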
Interesting Studies & Reports
• Carnegie Mellon Software Engineering Institute: 'Insider Threat Study: Illicit Cyber Activity Involving Fraud in the U.S. Financial Services Sector'
  • Key findings:
    • An average of 32 months elapsed between the beginning of the fraud and its detection by the victim organization
    • "The insiders' means were not especially sophisticated": the fraud was possible due to lack of controls/security, not the skills of the perpetrators
Interesting Studies & Reports
• Forrester: 'Understand The State Of Data Security And Privacy: 2012 To 2013'
  • Key findings:
    • Intentional data theft accounts for 45% of all data breaches
    • 33% of intentional data theft is committed by malicious insiders
    • 66% of intentional data theft is committed by External
Interesting Studies & Reports
• Ponemon Institute: '2012 Cost of Cyber Crime Study: United States'
  • Key findings:
    • Average cost of a data breach in the US is $8,933,510
    • Certain industries, such as Financial Services, experience higher cost
    • The companies in the study experienced an average