Introduction to security

1. Yahia Kandeel
GCIH, GSEC, RHCE, CEH, CCNA, MCP
Information Security Engineer
Raya IT

2.  SecurityTerminologies
 DiD Security Model
 Authentication systems
 Cryptography
 How Attackers Do It ..!!
 Network & Host Security
 Wireless Security

4.  Its an technique for ensuring that data stored in a
computer cannot be read or compromised by any
individuals without authorization.

5.  CIA
 Confidentiality
 Integrity
 Availability
Integrity
A
A
A  AAA
 Authorization
 AccessControl
 Authentication

6.  Asset: is what we’re trying to protect.
 Vulnerability: a weakness that may lead to
undesirable consequences.
 Threat: anything that can exploit a vulnerability
 Risk: a potential problem
Risk =Vulnerability *Threat

9.  Physical access to the computer system and
networks is restricted to only authorized
users.
 Access Controls,
 Physical barriers, etc…

10. In network security, an emphasis is placed on:
 Network segmentation between different
systems from different security level or
categories.
 Controlling access to internal computers from
external entities.
 This can be done by:
 Firewalls between different zones.
 Virtual LANs (Vlans)
 AccessControls on network devices
 Vulnerability Scanners

11.  Host security takes a granular view of security by
focusing on protecting each computer and device
individually instead of addressing protection of the
network as a whole:
 Authentication and Logging Mechanisms
 Host based IDS
 File Integrity Checkers
 For Client Security:
 NAC
 Antivirus

12.  AWeb application is an application,
generally comprised of a collection of
scripts, that reside on aWeb server and
interact with databases or other sources of
dynamic content.
 Examples ofWeb applications include search
engines, Webmail, shopping carts and portal
systems

13.  Application attacks are the latest trend when it comes
to hacking.
 On average, 90% of all dynamic content sites have
vulnerabilities associated with them.
 No single web server and
database server combination
has been found to be
immune!
“Today over 70% of attacks against a company’s network come
at the ‘Application Layer’ not the Network or System layer -
Gartner

15.  How to secure a resource?
 Authentication
 Authorization
 Accounting

16.  Something you know
 Something you have
 Something you are

17. One-factor authentication
Two-factor authentication

18.  Memorize password
 Use different passwords
 Use longer passwords
 Use upper- and lower-case letters, numbers and
special characters
 Change frequently
 Avoid reusing passwords

20.  Encryption = convert to unreadable format
 Decryption = convert back to readable format
 Algorithm = procedure for encrypting or
decrypting
 Cipher = encryption & decryption algorithm
pair

21.  Hash (digest) = fixed-length derivation of a
plaintext
 One-way operation
 Unique value / significant change with even
single-bit changes in plaintext

22.  Data verification
 Secure password storage
 Secure password transmission
 Examples:
 md5
 sha1

24.  DES
 Triple DES
 AES
 Rijndael
 Blowfish
 RCn (RC5, RC6, etc.)
 OTP

25.  Advantages ?
 Speed
 Disadvantages!!
 Key distribution

28.  Advantages ?
 Key distribution
 Disadvantages!!
 Very slow
 Key distribution

29.  Provides an increased level of confidence for
exchanging information over an increasingly
insecure Internet.
 By using a Certificate Authority..

31.  Identification information
 Public key
 Hash of the public key
 Signed by trusted third-party

33. Reconnaissance
Scanning
Exploitation
Maintain
Access
Covering
Tracks

34.  Finding out as much as possible information
about the target.
 This can be done by:
1. 'whois' look-up
2. ViewingVictim's current & old website
3. IP Addresses
4. Available e-mails on the internet
5. Metadata of All published documents
6. DNS Enumeration

35. • Registrar.
• Domain status.
• Expiration date, and name servers.
• Contact information for the owner of a domain
name or IP.
• IP and IP location information
• Web server information,
• Related domain availability, premium domain
listings, and more.
Using whois we can know:

36. • All available information of the target’s web
sites in the past..!!
Using archive.org we can know:
• All publicity available Info about target’s
infrastructure & personal including their
mails, phone numbers ..etc
Using Meltego we can Gather :

37. • More than you imagine !!
Using Google we can know:
• Analyze all targets Documents to know email
addresses, user names, software versions,
operating systems, internal server names,
mapped drive share information, etc.
Using FOCA we can :

38.  In scanning phase, we’ll scan the entire
network and the publicity accessible systems
to gain more information about the target.
 This phase includes:
1. Port scanning
2. Vulnerability scanning
3. Open shares
4. Firewall’s implemented rules
5. War driving

39. • Live hosts, the open ports, listening
applications and OS on the target system.
Using nmap we can know:
• Existing vulnerabilities associated with each
running services, missed configurations, and
default users & passwords.
Using Nessus we can know:

40. • The firewall implemented rules..
Using firewalk we can know:
• The existingWeb application vulnerabilities.
Using wa3f we can know:
• Open wireless access points, wardriving, also we can find
hidden AP and its associated SSID, channel #, signal power
Using Netstumpler kismt we can know:

41. Nmap supports:
 Multi-Scanning types:
 Full Scan
 SYN Scan
 XMAX Scan
 Ideal Scan
 UDP Scan
 Ping Scan
 OS fingerprinting
 Application fingerprinting

42.  Nessus provides a simple, yet powerful
interface for managing vulnerability-scanning
activity.
 To use Nuesses:
1. Creating a Policy
I. Define scan type
II. Optional, add taget’s credentials
III. Chose the appropriate plug-ins
2. Creating and Launching a Scan
3. The output will be in the Reports tab

43.  wa3f provides a flexible framework for finding and
exploiting web applicationVulnerabilities. It is easy
to use and extend and features dozens of web
assessment and exploitation plug-ins.

44.  Gain access to the OS, applications on the
computer or victim’s network !!

45.  This can be done by:
1. IP Address Spoofing
2. Password Cracking
3. MiTM Attack
4. Sniffing
5. DoS Attacks
6. Viruses &Worms

46.  In addition, exploiting systems can be done
by:
1. Trojans & Backdoor
2. Social Engineering
3. DHCP & DNS Attacks
4. Web Hacking
5. Wireless Hacking
6. Buffer Overflow

47.  How ?
 Normal IP address configurations.
 Packet crafting.
 Using proxies.
 When ?
 Access based on IP address
 Hide identity

48.  Use it to recover passwords from computer
systems.
-- System Admins—
 Use it to gain unauthorized access to vulnerable
system
--Hackers --
 Password racking Methods :
▪ Dictionary Attack
▪ Brutforce Attack
▪ Hybrid Attack
▪ rainbow table attacks

49. Do you know ARP problem ?
Why ARP ?
When a machine needs to
talk to another, it should
know:
1. Destination IP
2. Destination MAC

50. Problem!!

51.  Some Sniffers have add-on
features:
1. Analyzes network traffic
2. Decoding network protocols
 A sniffer is a piece of software that grabs all of
the traffic flowing into and out of a computer
attached to a network.

52.  Is an attempt to make a computer or network
resource unavailable to its intended users.
--Wikipedia --

53.  What is a virus?
 Malicious SW needs a carrier
 Needs user Interaction
 Needs a trigger
 What is a worm ?
 Don’t need a carrier
 Self replicated
 Used to conquer new targets

56.  DHCP
 Starvation attack
 DNS
 Cash Poisoning

57.  “All input is evil until proven otherwise!”
 Due to bad filtration on user inputs, the web
application may be vulnerable to:
 SQL Injection
 XSS
 DirectoryTraversal
 Session Hijacking
 Account Harvesting

58.  Shared media
 Broadcast
 Vulnerable Encryption Algorithms
▪ To be continued ….

59. void foo (char *bar)
{
char c[12];
strcpy(c, bar); // no bounds checking...
}
int main (int argc, char **argv)
{
foo(argv[1]);
}

60.  Trying to retain the ownership of the
compromised system.
 This phase include:
1. Install Backdoors
2. Using RootKits

62.  In this phase, the attacker will try to hide his activities
on the system and on the network.

64.  Attacks !!
 Mitigation:
 Access control lists
▪ Essentially white or black list
▪ MAC or network address
▪ Layer 2 or layer 3
 VLANs
▪ Virtual network segments
▪ “Distinct broadcast domain”

65.  Attacks !!
 Mitigations:
 Use access controls.
 Secure routing configuration.
 Use any kind of prevention techniques

66. Preventive , Detective or Reactive

67.  A firewall is a hardware or software system
that prevents unauthorized access to or from
a network.
 Types of Firewall:
 Network layer
▪ Packet filters
▪ Stateful Inspection
 Application layer
 Proxy

68.  Device or software application that monitors
network and/or system activities for malicious
activities or policy violations and produces alerts
 Terminologies:
 Alert/Alarm
 True Positive
 False Positive
 False Negative
 True Negative

69.  Signature-Based Detection
 Statistical anomaly-based detection.
 Stateful Protocol Analysis Detection
 Types:
 Network-based IDS
 Wireless IDS
 Host-based IDS

70.  An Intrusion Prevention System works similar to an
IDS. In addition it can block, prevent or drop the
malicious or unwanted traffic in real-time.
 Placed in-line
 Modes
 Learning mode
 Active mode

72.  Network regions of similar level of trust
 Trusted
 Semi-trusted
 Untrusted
 Defense in depth,
Security is Layers …

73.  Filter packets entering network
 Turn off directed broadcasts
 Block packets for any source address not
permitted on the Internet
 Block ports or protocols not used on your
network for Internet access
 Block packets with source addresses
originating from inside your network
 Block counterfeit source addresses from
leaving your network

74.  Command line terminal connection tool
 Replacement for rsh, rcp, telnet, and others
 All traffic encrypted
 Both ends authenticate themselves to the other end
 Ability to carry and encrypt non-terminal traffic

76.  Computers installed out of the box have
known vulnerabilities
 Not just Windows computers
 All services are vulnerable by default …
 Hackers can take them over easily
 They must be hardened—a complex process
that involves many actions

77.  System/application (Vendors) design errors.
 System/application mis-configuration errors.
 In-house applications !!

78.  Secure installation and configuration
 CIS benchmark
 Vendor Documentations
 SANS Reading Room
 Turn off unnecessary services (applications)
 Harden all remaining applications

79.  Manage users and groups
 Default accounts …!!
 Manage access permissions
 For individual files and directories, assign access
permissions specific users and groups
 Back up the server regularly

80.  KnownVulnerabilities
 Most programs have known vulnerabilities
 Exploits are programs that take advantage of
known vulnerabilities.
 Regularly check missing patches
 Using Nessus you can do this task easily
 InstallAnti-Virus/Firewalls on all Servers

81.  Reading Event Logs
 The importance of logging to diagnose problems
▪ Failed logins, changing permissions, starting
programs, kernel messages, etc.
 File Encryption
 File Integrity Checker
 Monitoring Running Services & Processes &
NetworkTraffic.

82.  Nessus

83.  Work-around: A series of actions to be
taken; no new software
 Patches: New software to be added to the
operating system
 Upgrades: Newer versions of programs
usually fix older vulnerabilities.

85.  Wireless networking
 2.4 – 2.5 GHz
 Data Link layer specifications
 Access Point
 Family:
 802.11a
 802.11b
 802.11g
 802.11n

86.  PhysicalAccess
 Rouge access point
 Firmware vulnerabilities
 Protocol vulnerabilities
 Default accounts
 Some vendors hardcode admin accounts on AP

87.  Physical devices
 Laptop software
 Airsnort
 NetStumbler
 War driving

88. What a lovely symbols …

89.  Wired Equivalent Privacy (WEP)
 Wi-Fi Protected Access (WPA)
 WPA2

93.  Physical Barriers..
 Strong Encryption
 Mac filtering
 Static IP addressing
 Restricted access networks 802.1X
 Service Set Identifier (SSID) No.
 Regularly scan for rouge AP

94. Bruce Schneier