Linux Firewall Capabilities

INF526: Secure Systems Administration Linux and Server Administration

Prof. Clifford Neuman

Lecture 8 1 March 2017 OHE100C Annoncements Second Mid-Term Exam: Wednesday 8 March, 2:00PM to 3:30 PM Followed by lecture on Network Security Administration Review for mid-term In later part of lecture today

1 Class Presentation Schedule

2/8 Miles Wright-Walker - Developing adversarial security plan 2/15 Matthew Jackoski - Red Teaming / Pen Testing Tools 2/22 Abdulla Binkulaib - Developing a response plan 3/1 Jikun Li - Linux security administration 3/22 Daniel Dmytrisin - Network security components & Tech 3/22 Haibo Zhang - Network Security administration 3/29 Mariam Fahad Bubeshait - Configuration Management 4/5 Mohammed Alsubaie – SIEM and Intrusion Detection 4/12 Vishnu Vadlamani - Network Monitoring/Attack Forensics 4/19 Andrew Gronski - Accreditation and acceptance testing

2 Host Administration

Many security issues today are the result of poor system administration. – Failure to implement least privilege – Poor management of user accounts – Mismanagement of remote access – Managing permissions incorrectly – Allowing vulnerable programs to run – Not keeping required programs up to date – Misconfiguration of applications • Not just Linux, but many server machines are implemented on Linux, so that is our focus

3 Linux Security Administration

Read a guide on the topic: http://www.linuxtopia.org/online_books/linux_administrators_security_guide/ – Physical Console Security – Linux network security – Administration – Lunux software management – Backup – Linux Encrytion – File system and file security – Limiting and monitoring users – User authentication – Malicious code – System and user logging – Linux VPNs – SELinux (or capabilities in CentOS) – Linux Kernel Security – Attach Detection – Linux security resources – Testing Security – Linux firewall capabilities

4 Console Security

Basic concern with physical security of resources – Access to console and hardware allows installation of new OS – But keep in mind that many virtualized systems provide access to the console remotely.

5 Administration

Many tools supporting administration – Thinks like Sudo should be used – Other administrative tools create an increased attack surface in that an adversary compromising remote administration tools can affect the security of the administered system. • So, be sure to lock down these tools – Centralized administration also has benefits for security, as a common policy (such as disabling accounts of past employees, etc) can be managed centrally, keeping you from overlooking some forgotten system which provides a path back into your organization.

6 Administrator Remote Access

Today, such access probably is needed over the network to manage systems. SSH – With encrypted channel and PK authentication. – Consider multi-hop attacks and implications. • What are they? VNC – Widely used for GUI access to virtual machines as well as remote console access. – There have been many vulnerabilities - https://support.realvnc.com/Knowledgebase/Article/View/266/ – Good idea to manage access to port at firewall (inc host based) Remote Execution – Using SSH and other tools

7 Linux Security Administration

Read a guide on the topic: http://www.linuxtopia.org/online_books/linux_administrators_security_guide/ – Physical Console Security – Linux network security – Administration – Lunux software management – Backup (see tools listed) – Linux Encrytion – File system and file security – Limiting and monitoring users – User authentication – Malicious code – System and user logging – Linux VPNs – SELinux (or capabilities in CentOS) – Linux Kernel Security – Attach Detection – Linux security resources – Testing Security – Linux firewall capabilities

8 Linux Security Administration

9 Least Privilege - Users

Users – Restrict host access to users with need to access – Don’t share root password • Separate account and limited use of sudo – Account Management • /etc/passwd and shadow password file – Strong passwords • Network based password mechanisms – YP/NIS (bad) – Encryption Based (good) – SSH pk based login • Group management

10 Least Privilege - Processes

Programs / Processes UserID Create unique for process or application Have system startup run as user /etc/init.d and update-rc.d Data Access Set groups on files / devices Chmod, chown, and chgrp Linux Containers Better than the old standby “chroot”, it provides a lightweight virtual environment, not quite as isolated as a separate VM.

11 Linux Security Administration

Read a guide on the topic: http://www.linuxtopia.org/online_books/linux_administrators_security_guide/ – Physical Console Security – Linux network security – Administration – Lunux software management – Backup – Linux Encryption – File system and file security – Limiting and monitoring users – User authentication – Malicious code – System and user logging – Linux VPNs – SELinux (or capabilities in CentOS) – Linux Kernel Security – Attack Detection – Linux security resources – Testing Security – Linux firewall capabilities

12 Managing User Accounts

Managing Accounts – Need organizational process to remove account when user leaves organization or changes roles. • This is an argument for central management – This is especially important if user had admin access • What kinds of accounts might be left around – Normal linux tools don’t cut it for more than 3 or 4 systems. • Why?

13 Authentication

Many Tools Password based NIS / Yellow Pages Kerberos and other enterprise systems Pluggable Authentication Modules

14 Linux Security Administration

Read a guide on the topic: http://www.linuxtopia.org/online_books/linux_administrators_security_guide/ – Physical Console Security – Linux network security – Administration – Linux software management – Backup – Linux Encryption – File system and file security – Limiting and monitoring users – User authentication – Malicious code – System and user logging – Linux VPNs – SELinux (or capabilities in CentOS) – Linux Kernel Security – Attack Detection – Linux security resources – Testing Security – Linux firewall capabilities

15 Linux Firewall Capabilities

IPChains Supports sequences of rules similar to what is found in appliance firewalls

IPTables (NetFilter) Stateful and extensible. Can support NATing

These are important in administering servers, and especially gateways.

16 Linux Security Administration

Read a guide on the topic: http://www.linuxtopia.org/online_books/linux_administrators_security_guide/ – Physical Console Security – Linux network security – Administration – Lunux software management – Backup – Linux Encryption – File system and file security – Limiting and monitoring users – User authentication – Malicious code – System and user logging – Linux VPNs – SELinux (or capabilities in CentOS) – Linux Kernel Security – Attack Detection – Linux security resources – Testing Security – Linux firewall capabilities

17 Chroot

Unix (and hence Linux) call that “changes the root directory of the calling process to that specified in path. This directory will be used for pathnames beginning with /. The root directory is inherited by all children of the calling process.”

“it is not intended to be used for any kind of security purpose, neither to fully sandbox a process nor to restrict filesystem system calls. In the past, chroot() has been used by daemons to restrict themselves prior to passing paths supplied by untrusted users to system calls such as open(2).

(source, chroot man page)

18 Jails (FreeBSD) https://www.freebsd.org/doc/handbook/jails.html

“Jails improve on the concept of the traditional chroot environment in several ways. In a traditional chroot environment, processes are only limited in the part of the file system they can access. The rest of the system resources, system users, running processes, and the networking subsystem are shared by the chrooted processes and the processes of the host system. Jails expand this model by virtualizing access to the file system, the set of users, and the networking subsystem. More fine-grained controls are available for tuning the access of a jailed environment. Jails can be considered as a type of operating system-level virtualization.” (Matteo Riondato)

19 Jails vs Trusted Computing

Trusted computing provides an inside-out jail – Jails protect what is on the outside from that within. – Trusted computing protects the inside from the rest of the system

20 VIRTUALIZATION FOR SECURITY ADMINISTRATION

SHEILA SARAIN JULY 29, 2016

INF-526 SUMMER 2016 Presentation Overview

 Introduction  Network Virtualization  Isolation  Server/Applications  Redundancy  Desktop/Clients  Disaster Recovery  Balancing Performance and Isolation  Virtualization In-House  Configuration Management  Visibility from outside vs the Cloud  Monitor hosts & guest OS  Summary Introduction

 What is virtualization?  Benefits:  More for less  Optimized hardware  Central management  Faster recovery  Isolation Isolation – Servers/Applications

 Separate server roles /functions  Isolated environment  Fault isolation  Functional isolation  Namespace isolation  Performance isolation  Security isolation  Rapid quarantine Safe

App App VM VM

OS OS

OS VMM

Hardware Hardware

Isolated environment Isolation – Desktops/Clients

 Standardize security configurations  Centralized data  Faster Patch/Updates  Able to lock down guest OS  Virtual Desktop Infrastructure  VMWare Horizon, Citrix XenDesktop, RedHat Enterprise Virtualization for Desktops Redhat Enterprise Virtualization for Desktops Balancing Isolation and Performance

 Over-provisioning of VMs  Can lead to VM sprawl  So easy to create new VMs  Exposes risks to the deployment model  Idle or forgotten VMs  Increased management overhead  Over allocation of resources  Critical applications experience reduced performance Configuration Management

 Maintain consistent configurations across VMs  Rapid re-configure  Track configuration changes  Create security policies to keep in compliance  Monitor resource usage  Easily identify bottlenecks  Appropriate allocate resources  Alerts for potential problems resulting in faster resolutions  Host hardware health monitoring

Network Virtualization

 Centralized configuration and management  Reduces complexity  Reduces human error  Isolation  Micro-segmentation  Decrease attack surface WMWARE NSX

Redundancy

 Same VM can be run on another host  High availability  Clustered hosts can still support running VMs  Load balancing – having more VMs to support a service  Denial of service attacks

Disaster Recovery

 Reduced amount of time to complete full restoration  Easier disaster recovery testing  Hardware  Independent  Less is needed  Data  More up to date  Secure Primary Secondary Disaster Recovery in a Virtualized Site Site environment

• VMs and data are synchronized to secondary site

• When primary site goes down, the VMs can be turned on at secondary site X • Since VMs run on hypervisor, the hosts at second site do not need to SAN SAN be identical to primary site

Native or third-party replication Virtualization In-House

PROS CONS

 Physical local control  Purchase and maintain of servers own hardware  Required more strategic  Complete control of planning and who has access to configuration of systems data  Must have more  Internet connectivity is extensive backup and not a requirement disaster recovery plan Virtualization in the Cloud

PROS CONS

 Pay as you go  Multi-tenancy  No direct control of who  Scalability has access to data on  Less maintenance vendor side headache  Requires communication  Backup/Disaster over internet Recovery is in Cloud  Have to rely on vendor for support Hybrid Cloud Solutions

 Evaluate what should be kept in-house vs what can benefit from cloud computing  Example: Databases can be stored in-house and front-end website/portals can be house in cloud Summary

 Administration of servers in virtual environment can provide isolation  Increased visibility into systems  Network virtualization can provide micro- segmentation  Provide increased availability with redundancy  Reduced recovery time with faster recovery process and more up-to-date data Vulnerable Programs and Minimization

Too Much Runs on systems as routinely deployed. – What do you need to run. • You did this exercise for the banking system • But there are still many support functions that must run. • Consider differences between servers and general user machines – User machines – including timeshared systems – are general purpose computers – Servers have one or several specific purposes. • Only run those specific services • And tools needed to administer those services.

43 What You Don’t Need

Remotely accessible services for: – Email and other inter-user communication – Probably not an FTP or web server – Block these also with host based firewall

44 Configuration Management

Configuration management (CM) refers to a discipline for evaluating, coordinating, approving or disapproving, and implementing changes in artifacts that are used to construct and maintain software systems. An artifact may be a piece of hardware or software or documentation.

-- A Framework for Software Product Line Practice, Version 5.0, CMU Software Engineering Institute

45 Configuration Management

Know what is running – AFICK or Tripwire • Manage history from another system Keep your system up to date – How depends on the size of your organization – Standardize configurations • User machines, server machines • If you select patches, your systems should be configured to automatically follow your lead. There is an industry around all of this – Larger installations should use commercial products

46 Local Network Management

Linux Kernel Firewall and ipTables Also an example of minimization NTOP – Network Monitoring – Can be run on host or guest OS – It is a major CPU hog but a useful tool – Shows all network flows in real time • Useful to find flows used by applications • Which can then be restricted in ipTables

47 INF526: Secure Systems Administration

Linux Security Administration

M.S. Candidate Jikun Li

1 March 2017 OHE100C Outline

• Introduction about Linux administration • User Security • Administration Tools

49 Introduction

• Is Linux a secure operating system? – No, secure is a goal – But, a lot of people scrutinize it

50 Introduction

• Physical & Console Security • User Security • Linux Internet Security – FTP – Mail – Telnet – Web server – Firewalls – Logs and audit trails

51 Introduction

• Firewall – ipfwadm • Ipfwadm [rule_category] [policy_action] [policy] [interface] [target] • Ipfwadm –I –p deny • Ipfwadm –O –p deny • Ipfwadm –F –p deny – Dante – Ip_filter – SINUS

52 User security

• Creating and managing accounts • Performing administrative tasks with su • Access control • Permissions and ownership

53 User Security

• Creating and managing accounts

Root Create user accounts

User Set groups Set rights Groups Files and Directories

54 User Security

• Creating and managing account – Account Policy • Authorization to log in (Privilege) • Authorization to access services – Account Structure • A valid username and password • A home directory • Shell access – Creating and deleting ordinary user accounts – Handling special accounts

55 User Security

• Performing administrative tasks with su – Su: the substitute user – Granting other users limited su-like access – sudo

56 User Security

• Access control

57 User Security

• Permissions and ownership – r – Read access – w – Write access – x – Execute access

– f u g o – -rw-rw-r--

– chmod

58 Administration Tools

• Local tools • WWW based tools • Other network based tools

59 Administration Tools

• Local tools – YaST (Yet Another Setup Tool)

interface of the YaST Control Center under KDE in openSUSE 13.1

60 Administration Tools

• Local tools – YaST (Yet Another Setup Tool) – Sudo

61 Administration Tools

• Local tools – YaST (Yet Another Setup Tool) – Sudo – Super

62 Administration Tools

• WWW based tools – Webmin – Linuxconf

63 Administration Tools

• Other network based tools – Pikt – VNC – cfengine

64 Review for Mid-Term 2

• In Class – 90 minutes – More of a Quiz than mid-term – Closed Book • Focus will be on materials and discussions since the first mid-term: – Adversarial Security Planning – Red teaming and pen-testing – Response Planning – Secure host and server administration • Format similar to first quiz

65 Plan Your Attacks • It is important to think like an attacker to best assess your defenses. – Look for the overlooked • Attackers seek out the weakest links, the forgotten window – Consider environmental assumptions • Incorrect assumptions create vulnerabilities – Weak systems may be used as stepping stones • That forgotten system that is unpatched is compromised, then the attacker pivots and attacks from within. – Check the integrity of your defenses • Attackers may disable defensive measures

66 Attack-Defense Tree Example

67 Single Exploits vs. Sequence

• Single exploit – Short term goal – May or may not violate some part of the security policy – E.g., a port scan • Sequence of single exploits (scenario) – Has an end goal in mind – Explicitly violates security policy – E.g., port scan followed by buffer overflow followed by installation of back door … – Very dangerous

68 STRIDE

• Acronym for categories of threats:

Threat Security Property at Risk Spoofing Authentication Tampering Integrity Repudiation Non-repudiation Information disclosure Confidentiality Denial of service Availability Elevation of privilege Authorization

69 Meaning of Each Threat Class

• Spoofing : Impersonating something or someone else • Tampering : Modifying data or code • Repudiation : Claiming to have not performed an action • Information Disclosure : Exposing information to someone not authorized to see it • Denial of Service : Deny or degrade service to users • Elevation of Privilege : Gain capabilities without proper authorization

70 STRIDE Steps

• Decompose system into components – May need to recurse down to necessary level of detail • Analyze each component for susceptibility to each relevant type of threat • Develop countermeasures until no component has susceptibility • Is system secure? – Maybe, but probably not – Due to emergent properties of composition • Does this give higher assurance? – Yes, because flaw in one component affects entire system

71 Data Flow Diagram (DFD)

• Used to graphically represent a system and its components • Standard set of elements: – Data flows – Data stores – Processes – Interactors • One more for threat modeling: – Trust boundaries

72 Relevant Threats for Elements

Interactors Process Data Data Store Flow Spoofing x x Tampering x x x Repudiation x x * Information disclosure x x x Denial of Service x x x Elevation of Privilege x * Logs held in data stores are usually the mitigation against a repudiation threat. Data stores often come under attack to allow for a repudiation attack to work.

73 STRIDE Process

• Create DFD of system – Represent all key components – Represent all data flows – Identify trust boundaries • Repeat, adding more details to the diagram if required • Recurse on each component as required

74 Mitigation Choices in Reality

• Redesign – Change the design to eliminate threats – E.g., reduce elements that touch a trust boundary • Use standard mitigations – Firewalls, validated authentication systems, … • Use custom mitigations – If you are a gambling sort of person • Accept risk – If you think risk is low, or too expensive to mitigate

75 What is an Adversarial Security Plan?

• An adversarial security plan enables an entity to develop an awareness of their networks and systems in order to protect data, safeguard their operations, and guard their infrastructure.

• Purposes: – Predicting intentions and future actions of malicious entities – Limit attack surface – Assist in developing a containment architecture in case of breach

76 Goals of Attackers: Methodology

• Attackers generally implement the following methodology: 1. Reconnaissance . Information gathering, What/ Who is the target? 2. Scanning/ Enumerating . What is the attack surface? Ex: Access points/ open ports, live hosts, accounts, policies, etc. 3. Gaining Access . Breaching systems, executing malicious software 4. Maintaining Access . Establishing backdoors, unpatched systems 5. Clearing Evidence . Decoy traffic, log manipulation, obfuscation of identity

77 Goals of Attackers: Targets

• As stated in the previous lecture, adversaries will target:

– The weakest link within a target system or network • Example: Unpatched systems

– Weaknesses within the system environment • Example: Open ports, weak security mechanism policies

– Subversion of defenses • Example: IDS evasion, disabling firewalls

78 Goals of Attackers: Tools

• Gaining Access – Metasploit, oclHashcat

• Maintaining Access – Establishing backdoor through creating user accounts or taking over unused accounts. – Metasploit Meterperter

• Clearing Evidence – VPN service/ Other Encrypted Communication – Proxies – Botnet – Log Manipulation (Not Always Plausible)

79 Virtualization

• Management – You can running many more “machines” and create new ones in an automated manner. – This is useful for server farms. • Separation – “Separate” machines provide a fairly strong, though coarse grained level of protection. – Because the isolation can be configured to be almost total, there are fewer special cases or management interfaces to get wrong. Virtualization and Administration

• Issues affecting administration of virtual machines – Containment – Side Channels – Throwaway mentality – Stateless machines – Privileged remote access – Less physical or siloed specialization – Relationship to cloud computing

81 Virtualization

• Running multiple operating systems simultaneously. – OS protects its own objects from within – Hypervisor provides partitioning of resources between guest OS’s. What is the benefit of virtualization

• Management – You can run many more “machines” and create new ones in an automated manner. – This is useful for server farms. • Separation – “Separate” machines provide a fairly strong, though coarse grained level of protection. – Because the isolation can be configured to be almost total, there are fewer special cases or management interfaces to get wrong. Virtualization and Side Channels

– Multi-Tenant architecture (cloud) – Ability to monitor performance and power to monitor and spy on activities in other virtual machines.

84 Virtualization and Throwaway

– VM’s can be recreated easily and automatically. – This allows administrators to be careless – It allows fast recovery – But new instance of machine has same vulnerabilities of compromised machine.

85 Stateless Virtualizaton

• Tendency to store persistent data on separate services such as NAS. • Those external services must be considered part of attack surface. • Local state such as logs might be lost, use network based monitoring.

86 Privileges and Virtualizaton

• Inherent privleges used to be based on access to console and the physical machine. • Console access is “remote” when using virtual machines, and thus such access may be available without true physical access.

87 Virtualizaton and the Cloud

• What happens when you “outsource” administration of your VMs. – Policy on assignment to providers – Accreditation of providers – Need visibility through “information points” in policy evaluation. – Side channels an issue for multi-tenancy.

88 Ethical Hacking

– Primary motive: To identify the weaknesses of the cyber infrastructure of an organization before an unethical hacker does. – It is legal given testers have taken permission from the relevant stakeholders of the assets on which testing is performed (depending on jurisdication this may requie approval from the developers of the software being tested) – It is a subset of an Organization’s security program. – It does not just protect the information but helps organizations to succeed.

89 Ethical Hacking Methodology

Scope

Cleanup and Information Patching Gathering

Reporting Scanning

Result Attacks Analysis

90 Information Gathering (cont.)

• Passive Methods – To gain information about targeted organization’s cyber infrastructure without actively engaging with the systems. • WHOIS – Anyone can use the this service to search for databases and identify the registrant of a domain name and other information. – It also provides the information regarding: IP address, name servers, admin contact etc. – Link: http://whois.domaintools.com/

91 Information Gathering (cont.)

• Google Dork – It uses Google search engine to find security holes on the web applications over the internet. – To locate specific strings of text within search results. – Link: https://www.exploit-db.com/google-hacking- database/ – Some of the Operators • inurl .php?id= • intitle text • site text • filetype pdf

92 Information Gathering (cont.)

• DNS Information Gathering – dnsenum: Tool in the backtrack Kali OS. It starts querying DNS servers and gather information: • Host address • Name servers • MX records • Gathering SOA records • Command: perl dnsnum.pl [host] – dnsrecon: to gather network infrastructure information. – Dig: DNS information groper • dig example.com MX @ns0.example.com

93 Information Gathering (cont.)

• Active Methods – Interact directly with a system of interest. • Ping – It is used to test the reachability of a system. – It works at the network layer. – It measures RTT, report errors and packet losses. – One can also fix the size of the parameters using -l and number of request using –n. – Command: ping -c 5 www.example.com – Result: 64 bytes from xx.xxx.xxx.xxx: icmp_seq=0 ttl=100 time=23.82 ms

94 Information Gathering (cont.)

• Traceroute – It is used to gather information about network infrastructure and IP ranges of a given host. – Tool for displaying the overall path hop by hop from source to the destination. – By default it sends the UDP packets. – We can modify the command to send TCP/SYN and ICMP requests. – $ traceroute -w 3 -q 1 -m 16 example.com – $ traceroute –I -w 3 -q 1 -m 16 example.com – $ traceroute –T -w 3 -q 1 -m 16 example.com

95 Scanning (cont.)

• Network Scanning – Tool to find out active host on the network – You select the range of IP addresses and start scanning over the network. – It provides the information Network devices including FTP servers and workstations.

• Tools: – Advance IP scanner (Windows, Mac and Linux) – Network Mapper (Nmap, ZenMap) – Nessus

96 Scanning (cont.)

Source: http://angryip.org/screenshots/

97 Scanning (cont.)

• Port Scanning – Tool to find out which number of ports are accessible on a server or a host. – Port scanning identifies open doors to a hosts. – Nmap classifies port in these States: • Open • Closed • Filtered • Unfiltered

98 Scanning (cont.)

• Vulnerability Scanning – Once we have identified the accessible ports and services running on them, now we need to find the vulnerabilities associated with those applications. – Tools: • Web Application Acunetix, BurpSuite etc. • Network Security Nessus • Mobile Security Veracode, Tenable Security etc. – Web Goat • Insecure web application maintained by OWASP designed to teach web application security lessons.

99 Scanning (cont.)

• OWASP Top 10 – Injection – Broken Authentication and Session Management – Cross Site Scripting (XSS) – Insecure Direct Object References – Security Misconfiguration – Sensitive Data Exposure – Missing Function Level Access Control – Cross Site Request Forgery (CSRF) – Using Components with Known Vulnerabilities – Unvalidated Redirects and Forwards

100 Scanning (cont.)

• CMS (Content Management Servers) – Popular ones are: • Drupal • WordPress • Joomla – Platforms rich in features and vulnerabilities – Open source – Some of the vulnerabilities are: • SQL Injection • Default and weak passwords • Errors reveal sensitive information • By default Directory listing

101 Attack

• Suppose these are the vulnerabilities we found in the system: – SQL Injection - SQLMap, SQLNinja etc. – Buffer Overflow • Now we will see how we hack into the system by exploiting these weaknesses.

102 Attack (cont.)

How to plan step-by-step to hack a server?

Find Get Back Vulnerability Exploit SQL Username Connect to on the server Exploit Server Upload Shell Injection and your such as Vulnerability Rooting password machine Buffer Overflow

103 Attack (cont.)

• Exploiting SQL Injection – Idea of exploiting SQL injection is to get access to the data and find out what is the admin username and password on the website. – Once we know this, we can login and upload our shell on the server through which we can escalate our privileges. – In vulnerability scanning phase, we have identified SQL injection vulnerability in a server. Now we exploit that vulnerability manually and using a automated tool SQL Map.

104 Attack (cont.)

• Back connect – Once shell is uploaded, we need to back connect the server so that we can access all the functionality of the uploaded shell and perform privilege escalation attacks. – For back connect you need to specify the IP address of your computer and Port on which you want to connect on the shell. – You have to shutdown your firewall and router should be configured for the port forwarding feature. – Command for listening: nc -v ipaddress port – Start listening for the connection on the port specified.

105 Attack (cont.)

• Buffer Overflow (BO) – It is a vulnerability where a software, while writing data to a buffer, overruns the buffer's boundary and overwrites adjacent memory locations. – Overwriting values of the IP (Instruction Pointer), BP (Base Pointer) and other registers causes exceptions, segmentation faults etc. – Consists of overflowing the heap or stack depending on the code that developer has written.

106 Attack (cont.)

• Understanding Stack

• Source: Slide of CSCI 402 Operating System: Basic Concepts (Prof. Cheng)

107 Attack (cont.)

• DDOS Attacks – Network bandwidth by flooding • DNS Amplification – Server resources • TCP SYN flooding • HTTP GET and HTTP POST • Slowloris – Destroy the function of the server or application • Tools: – Trinoo – LOIC (Low Orbit In Cannon) – TFN2K (Tribe Flood Network)

108 Attack (cont.)

• DNS Amplification IP Address: 1.1.1.1

DNS Victim Server

IP Spoofing Source IP Address: 1.1.1.1

Attacker Bots

109 Tools

Acunetix Web Application Security Scanner BurpSuite Web Application Security Scanner Veracode Application security mobile, web and 3rd party apps.

NMap Network Scanning and debugging Wireshark Network protocol analyzer for Unix and Windows.

NeXpose Vulnerability Management Software Nessus Vulnerability Scanner on Network and applications

Metasploit Penetration Testing tool. Read: Metasploit The penetration guide (reading) FOCA Tool to find metadata and hidden information in the documents its scans. Scapy/Tamper Packet Generation and Manipulation Program

110 Tools (cont.)

Fuzzer Manipulating network protocol manipulation AirGrab Wireless network scanning tool Wi-Fi radar Wireless network scanning tool Acrylic Wi-Fi Wireless network scanning tool Aircrack-ng Wireless network scanning tool Angry IP Network Scanning scanner Netcat Network Scanning and debugging Nikto2 Network Scanning and debugging Sulley Fuzzing framework for fuzzing files, network protocols CLAs etc.

111 Security Minded Linux Distributions

• Kali • Parrot Os • BackBox

112 Most Popular Penetration Testing Tools

• Nmap • Metasploit Framework • John The Ripper • THC Hydra • OWASP Zed • Wireshark • Aircrack-ng • Maltego • Cain and Abel (Cain) • Nikto Website Vulnerability Scanner

113 Nmap

• Used to discover hosts and services on a computer network. • Creates a “map” of the network. • Sends packets to host and analyzes response to generate map. • Examples of features: – Os detection – Open Ports – Can adapt to latency and congestion

114 Metasploit Framework

• Tool for executing exploit code against remort machines. • Basic steps: – Chose and configure an exploit – Checking whether target is susceptible to the chosen exploit (optional) – Choosing and configuring payload – Choosing and encoding a stealth method – Executing the exploit

115 OWASP Zed

• Application Security Scanner • When used as proxy server, it allows for the user to manipulate all of the traffic that passes through using https. • Features: – Intercepting proxy server – Traditional and AJAX Web crawlers – Automated scanner – Passive scanner – Forced browsing – Fuzzer – WebSocket support – Scripting languages – Plug-n-Hack support

116 Wireshark (TShark)

• Open source packet analyzer • Uses pcap to capture packets • Allows users to see all traffic, not just the traffic addressed to one of the interface’s configured addresses and broadcast/multicase traffic. (network interface must support promisicious mode)

117 Aircrack-ng

• Software includes: – Detector – Packet sniffer – WEP and WPA/WPA2-PSK cracker and analysis tool for 802.11 wireless LANs

118 Business Continuity Plan

• The processes and procedures that are carried out by an organization to ensure that essential business functions continue to operate during and after a disaster. • This type of planning enables them to re-establish services to a fully functional level as quickly and smoothly as possible. • BCP mostly covers Non-IT aspects of business. • It includes identification of the resources that are needed to maintain the business continuity, such as: – Critical personnel – Key business processes – Recovery of vital records – Critical suppliers identification – Contacts of key vendors and clients. – Standby Equipment – Legal Help – Financials – Alternate infrastructure – Alternate accommodation, etc.

Material by Vini Gupta

MS Student Summer 2016 119 IT Disaster Recovery Plan

• A plan that provides a structured approach for responding to unplanned incidents that threaten an IT infrastructure, which includes hardware, software, networks, processes and people.

• Key reasons for implementing an IT DR Plan are to protect: – the organization’s investment in its technology infrastructure – the organization’s ability to conduct business

Material by Vini Gupta

MS Student Summer 2016 120 How to Write a DR Plan

Material by Vini Gupta

MS Student Summer 2016 121 6. Agree on Activation Plans

• Generate a runbook, documentation for the plan. – For use by management who will take the actions. – It should be descriptive and spell out its assumptions

• While stored securely, one should assume others may know what it contains, and this could be used by adversaries. Don’t include critical passwords, etc. • Should spell out who is to be contacted, including any mass notifications. • Should be specific, get general enough to cover multiple kinds of incidents. – E.g. chapters for IT failure, power failure, hacked systems.

122 7. Testing

• Plan should be tested for efficiency. • KPIs should be formulated, along with testing strategies and corresponding testplan. • Metrics should be recorded and analysed for: – Test coverage ? – Success ? – Meeting the recovery objectives ? • Full disaster recovery test, at least once per year. • Analysis should be documented..

Material by Vini Gupta

MS Student Summer 2016 123 8. Updates and Maintaining the Plan • Your systems change and so must the plan • If there are changes to the control systems your plan must be updated. • Schedule a review quarterly to see if any changes require updates to the plan. • Review teams, activities, and update documentation of plan.

124 Backups and Replication

• Backups – Full Backup - full and complete backup of the entire system. – Incremental Backup - only archives data that has been modified that day. – Differential Backup - storage of all the files that have changed or been added since last full backup...

Material by Vini Gupta

MS Student Summer 2016 125 Replication

Provides backup process for immediate failover • Synchronous – Writes data to primary and secondary sites at the same time. – It’s expensive. – Introduces latency, slows down the primary site. – Preferred for applications with low RTOs (Recovery Time Objectives) that can’t abide data loss. • Asynchronous – There’s a delay before the data is written to secondary site. – Designed to work over distances and use less bandwidth. – There is a risk of losing data during an outage. • Journaling – Basically an incremental backup (per transaction) – Replayed from journal and last image of system when restarting.

Material by Vini Gupta

MS Student Summer 2016 126 Intrusion Response Planning

What is an intrusion or incident? – An action likely to lead to grave consequences especially in diplomatic matters – Consequences can affect company revenue and business – Incident examples • Virus • Malicious code • Trojan horse • Espionage

Material by Reshma Ravindran

MS Student Summer 2016 127 Incident Response Plan

Response: An act of responding. Something constituting a reply or a reaction. – The activity or inhibition of previous activity of an organism or any of its parts resulting from stimulation – The output of a transducer or detecting device resulting from a given input. – Action taken to prevent or recover from an intrusion occurrence or breach.

Material by Reshma Ravindran

MS Student Summer 2016 128 Information to Gather

• Time and date reported (specify time zone) • Name of contact. • Phone number and/or email of contact. • System suspected to be affected. • Technical details of system if known. – IP address(es), OS, patches loaded, – physical location, services running, – suspected access point (vulnerability). • Time and date ‘incident’ noticed by contact. • Description of incident.

Material by Reshma Ravindran

MS Student Summer 2016 129 Formal Intrusion Response Plan

• Overview • Purpose • Incident Response Goals • Incident Definition • Incident Planning • Incident Response Lifecycle

Material by Reshma Ravindran

MS Student Summer 2016 130 Overview, Purpose, Goals, Defintion

• The incident response plan defines what constitutes a security incident and outlines the incident response phases. how information is passed to the appropriate personnel, assessment of the incident, minimizing damage and response strategy, documentation, and preservation of evidence • The policy is designed to protect the organizational resources against intrusion. • Incident Response Goals: – Verify that an incident occurred. – Maintain or Restore Business Continuity. – Reduce the incident impact. – Determine how the attack was done if the incident happened.

Material by Reshma Ravindran

MS Student Summer 2016 131 Incident Definition

• Loss of information confidentiality (data theft) • Compromise of information integrity (damage to data or unauthorized modification). • Theft of physical IT asset including computers, storage devices, printers, etc. • Damage to physical IT assets including computers, storage devices, printers. • Denial of service. • Misuse of services, information, or assets. • Infection of systems by unauthorized or hostile software. • An attempt at unauthorized access. • Unauthorized changes to organizational hardware, softwaare, or configuration. • Reports of unusual system behavior. • Responses to intrusion detection alarms. Material by Reshma Ravindran

MS Student Summer 2016 132 Incident Response Planning • Define roles and responsibilities • Establish procedures detailing actions taken during the incident. – Detail actions based on type of incident such as a virus, hacker intrusion, data theft, system destruction. – Procedures should consider how critical the threatened system or data is. – Consider whether the incident is ongoing or done.

Material by Reshma Ravindran

MS Student Summer 2016 133 Incident Response Life Cycle

Material by Reshma Ravindran

MS Student Summer 2016 134 Preparation

• Policies and Procedures – Computer Security Policies -These involve many policies including password policies, intrusion detection, computer property control, data assessment, and others. – Incident Response Procedures – Backup and Recovery Procedures • Implement policies with security tools including firewalls, intrusion detection systems, and other required items. • Post warning banners against unauthorized use at system points of access. • Establish Response Guidelines by considering and discussing possible scenarios. • Train users about computer security and train IT staff in handling security situations and recognizing intrusions. • Establish Contacts -Incident response team member contact information should be readily available. An emergency contact procedure should be established. There should be one contact list with names listed by contact priority. • Test the process.

Material by Reshma Ravindran

MS Student Summer 2016 135 Detection Analysis

• Analysis and Assessment -Many factors will determine the proper response including: Is the incident real or perceived? • Is the incident still in progress? • What data or property is threatened and how critical is it? • What is the impact on the business should the attack succeed? Minimal, serious, or critical? • What system or systems are targeted, where are they located physically and on the network? • Is the incident inside the trusted network?

Material by Reshma Ravindran

MS Student Summer 2016 136 Recovery

• Restore affected systems to their original state. Be sure to preserve evidence against the intruder by backing up logs or possibly the entire system. Depending on the situation, restoring the system could include one or more of the following re-install the affected system(s) from scratch and restore data from backups if necessary. Be sure to preserve evidence against the intruder by backing up logs or possibly the entire system. • Make users change passwords if passwords may have been sniffed. • Be sure the system has been hardened by turning off or uninstalling unused services. • Be sure the system is fully patched. • Be sure real time virus protection and intrusion detection is running. • Be sure the system is logging the correct items

Material by Reshma Ravindran

MS Student Summer 2016 137 Recovery (2)

• Documentation -Document what was discovered about the incident including how it occurred, where the attack came from, the response, whether the response was effective.

• Evidence Preservation -Make copies of logs, email, and other documentable communication. Keep lists of witnesses.

• Notifying proper external agencies -Notify the police if prosecution of the intruder is possible.

• Assess damage and cost -Assess the damage to the organization and estimate both the damage cost and the cost of the containment efforts.

Material by Reshma Ravindran

MS Student Summer 2016 138 Post Incident

• Review response and update policies -Plan and take preventative steps so the intrusion can't happen again. Consider whether an additional policy could have prevented the intrusion. • Consider whether a procedure or policy was not followed which allowed the intrusion, then consider what could be changed to be sure the procedure or policy is followed in the future. • Was the incident response appropriate? How could it be improved? • Was every appropriate party informed in a timely manner? • Were the incident response procedures detailed and cover the entire situation? How can they be improved? • Have changes been made to prevent a re-infection of the current infection? Are all systems patched, systems locked down, passwords changed, anti-virus updated, email policies set, etc.? • Have changes been made to prevent a new and similar infection? • Should any security policies be updated? • What lessons have been learned from this experience?

Material by Reshma Ravindran

MS Student Summer 2016 139 The CIRT

The CIRT is a group consisting of employees with expert knowledge from various departments. Not only are Information Technology staff needed to handle incidents from the technical aspect, CIRT members should include key staff from many areas of the organization. – Information Security – Help Desk – Telecommunication – Legal/ audit – Public media relations – Human resources – Physical security management – Management

Material by Reshma Ravindran

MS Student Summer 2016 140