
Penetration Testing, Vulnerability Scanning, and Security Auditing

Jesper M. Johansson, Ph.D., CISSP
Security Program Manager
Security Engineering
Microsoft Corporation
jesperjo@microsoft.com

Agenda
- The ages of security
- Why do you need to do this?
- Types of security assessments
  - Vulnerability scanning
  - Penetration testing
  - IT audits
- Conclusion

Assessing Security: The Bronze Age

Defense in depth: 1000 years ago

Ages of Security

Stone Age:
- No decent tools
- No mythology, no guidance
- Very little information
- Global lack of awareness
- Survival mentality

Bronze Age:
- Primitive tools
- Primitive methodology
- Little sense of the big picture
- Information spreads slowly
- Awareness widespread, but expertise rare

Information Age:
- Advanced, automated tools
- Comprehensive methodology
- Widespread shared expertise
- Universal awareness
- Think integrated!

Why Assess Security?

1. Your manager asks the good question:
   - Is our network secure?
   - How do you know?
2. Organizations only measure what they care about, and only care about what they measure
3. Your organization is regulated
4. Because you might be your own customer
5. Because you do not trust anyone
6. So you can sleep at night

Fundamental Tradeoff

Secure, Usable, Cheap: you get to pick any two!

Assessing Security: Types of Security Assessments

3 Basic Types

Vulnerability Scanning
- Focuses on known weaknesses
- Of the three, requires the least expertise
- Generally easy to automate

Penetration Testing
- Focuses on unknown weaknesses
- Requires advanced technical expertise
- Carries tremendous legal burden in certain countries/organizations

IT Security Audits
- Focuses on security policies and procedures
- Of the three, requires the most expertise
- When done right, is the most effective type of assessment

Vulnerability Scanning
Looks for:
- The same mistakes that everyone else makes
- The kind of things that get easily missed
  - Service packs, hot fixes, weak passwords
- Common settings on software you are not familiar with
- Susceptibility to attack
  - Known weaknesses with known attacks (think DoS attacks)

Vulnerability Scanning Tools

To require admin access, or not to require admin access: that is the question!

KB824146Scan.exe for DCOM vulnerabilities (MS03-026 and MS03-039)

Pitfalls of Vulnerability Scanning

- Tools have their problems
  - Some work inconsistently or are just wrong
  - Scanning software has bugs, just like all software
  - Sometimes tools do more damage than the attacks
    - Account lockout
    - TCP/IP DoS testing
  - Generally do not work well against computers that are turned off
- Humans must interpret the output
  - Results may not be understandable by the admin running the tool
  - Scanners suggest overly strict countermeasures
  - Can be easily ignored

Vulnerability Scans Miss the Biggest Threat to Your Security

Problem In Chair, Not In Computer

Would your users open this?

MBSA 1.2: What It Does
- Helps identify vulnerable Windows systems
  - Scans for missing security patches and common security misconfigurations
  - Scans various versions of Windows and other Microsoft applications, incl. Office
  - Scans local or multiple remote systems via GUI or command line invocation
  - Generates XML scan reports on each scanned system
- Runs on Windows Server 2003, Windows 2000 and Windows XP
- Requires Administrator privileges
- Integrates with SUS & SMS

MBSA: How It Works*

Components in the diagram: Microsoft Download Center (MSSecure.xml), MBSA computer, SUS server, target systems

MSSecure.xml contains:
- Security Bulletin names
- Product specific updates
- Version and checksum info
- Registry keys changed
- KB article numbers
- Etc.

1. Run MBSA on Admin system, specify targets
2. Downloads CAB file with MSSecure.xml & verifies digital signature
3. Scans target systems for OS, OS components, & applications
4. Parses MSSecure to see if updates available
5. Checks if required updates are missing
6. Generates time stamped report of missing updates

*Only covers security patch scanning capabilities, not security configuration detection issues
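Steps 2 to 6 of that flow modelled in Python, as an added example that is neither MBSA's code nor part of the deck: the catalog schema is a constructed, much simplified stand-in for MSSecure.xml, the registry key paths and the "EXAMPLE-1" bulletin are assumptions, and a pinned SHA-256 digest stands in for the Authenticode signature check MBSA performs on the downloaded CAB.

```python
"""Simplified model of the MBSA patch-scan flow from steps 2 to 6.

Added example, not MBSA's code. The catalog schema is constructed and far
simpler than the real MSSecure.xml; the SHA-256 digest check is a stand-in
for the Authenticode signature check MBSA performs on the downloaded CAB.
"""
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Constructed catalog. Each bulletin names the KB it ships and the (assumed)
# registry key its installer writes; that key present means update installed.
CATALOG = b"""<Catalog>
  <Bulletin id="MS03-026" kb="823980" product="Windows XP" key="HKLM\\SOFTWARE\\Updates\\KB823980"/>
  <Bulletin id="MS03-039" kb="824146" product="Windows XP" key="HKLM\\SOFTWARE\\Updates\\KB824146"/>
  <Bulletin id="EXAMPLE-1" kb="000000" product="Office" key="HKLM\\SOFTWARE\\Updates\\KB000000"/>
</Catalog>"""
# Digest pinned when the catalog was fetched (stands in for the CAB signature).
CATALOG_SHA256 = hashlib.sha256(CATALOG).hexdigest()

def load_catalog(blob, expected_sha256):
    """Step 2: refuse a catalog that fails integrity verification, then
    (step 4) parse it into one dict of attributes per bulletin."""
    if hashlib.sha256(blob).hexdigest() != expected_sha256:
        raise ValueError("catalog failed integrity check; not scanning")
    return [b.attrib for b in ET.fromstring(blob).iter("Bulletin")]

def missing_updates(target, catalog):
    """Steps 3 and 5: the target inventory (constructed: installed products
    and registry keys present) is compared against the catalog. Only
    bulletins for products the host actually runs count as missing."""
    return [b for b in catalog
            if b["product"] in target["products"]
            and b["key"] not in target["registry"]]

def report(target, catalog, now=None):
    """Step 6: time-stamped report of missing updates for one host."""
    now = now or datetime.now(timezone.utc)
    missing = missing_updates(target, catalog)
    lines = [f"{now.isoformat()} {target['host']}: {len(missing)} missing"]
    lines += [f"  {b['id']} (KB{b['kb']}, {b['product']})" for b in missing]
    return "\n".join(lines)

# Constructed target: an XP host with MS03-026 applied but not MS03-039.
TARGET = {"host": "ws01", "products": {"Windows XP"},
          "registry": {"HKLM\\SOFTWARE\\Updates\\KB823980"}}

if __name__ == "__main__":
    print(report(TARGET, load_catalog(CATALOG, CATALOG_SHA256)))
```

The point of the integrity check is that a scanner acts on whatever its catalog says, so a tampered catalog can hide missing patches; refusing to scan is the safe failure.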

Demo: Using MBSA
- The good
- The bad
- The ugly

How to Measure Security With Vulnerability Scanning
- Pick metrics and start tracking
  - Compliance with baseline security
  - Security features enabled and up to date (anti-virus)
  - Days from patch release to application
- Divide networks by segment to better detect unmanaged systems
- Create bonuses for IT staff based on metrics
- Compare metrics to previous time periods or other divisions
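An added example, not from the deck, that computes the three metrics named above per network segment from constructed scan results and compares two periods; the per-host record schema (baseline_ok, av_current, patches as release/apply date pairs) is an assumption, not MBSA's report format.

```python
# Added example, not from the original deck: the metrics the slide suggests
# tracking, computed from constructed per-host scan results. "patches" holds
# (released, applied) date pairs; applied=None means the patch is still missing.
from datetime import date
from statistics import mean

SCANS = {
    "2004-Q1": [
        {"host": "ws01", "segment": "corp", "baseline_ok": True, "av_current": True,
         "patches": [(date(2004, 1, 13), date(2004, 1, 20))]},
        {"host": "ws02", "segment": "corp", "baseline_ok": False, "av_current": False,
         "patches": [(date(2004, 1, 13), date(2004, 2, 24))]},
        {"host": "lab07", "segment": "lab", "baseline_ok": False, "av_current": True,
         "patches": [(date(2004, 1, 13), None)]},
    ],
    "2004-Q2": [
        {"host": "ws01", "segment": "corp", "baseline_ok": True, "av_current": True,
         "patches": [(date(2004, 4, 13), date(2004, 4, 16))]},
        {"host": "ws02", "segment": "corp", "baseline_ok": True, "av_current": False,
         "patches": [(date(2004, 4, 13), date(2004, 4, 23))]},
        {"host": "lab07", "segment": "lab", "baseline_ok": True, "av_current": True,
         "patches": [(date(2004, 4, 13), date(2004, 6, 12))]},
    ],
}

def segment_metrics(records):
    """Per segment: % baseline compliant, % AV current, mean days release->apply, open patches."""
    acc = {}
    for r in records:
        s = acc.setdefault(r["segment"], {"hosts": 0, "baseline": 0, "av": 0, "days": [], "open": 0})
        s["hosts"] += 1
        s["baseline"] += r["baseline_ok"]
        s["av"] += r["av_current"]
        for released, applied in r["patches"]:
            if applied is None:
                s["open"] += 1  # still missing: candidate unmanaged system
            else:
                s["days"].append((applied - released).days)
    return {seg: {"hosts": s["hosts"],
                  "baseline_pct": round(100 * s["baseline"] / s["hosts"]),
                  "av_pct": round(100 * s["av"] / s["hosts"]),
                  "mean_days_to_patch": mean(s["days"]) if s["days"] else None,
                  "open_patches": s["open"]} for seg, s in acc.items()}

def compare_periods(current, previous):
    """Per-segment change vs. the previous period; metrics undefined in either period are left out."""
    return {seg: {k: v - previous[seg][k] for k, v in m.items()
                  if v is not None and previous.get(seg, {}).get(k) is not None}
            for seg, m in current.items()}
```

A segment whose mean days-to-patch is undefined because nothing was ever applied is the unmanaged-system signal the slide mentions, which is why open patches are counted separately rather than folded into the mean.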

Penetration Testing
Looks for:
- Unknown weaknesses
- Unpredictable sequences of vulnerability exploits that lead to bigger exploits
- Helps illustrate the consequences of exploits
- Helps answer the “big” question

Penetration Testing 101
- There are no rules
- Think physical
- Think low hanging fruit
  - Avoid the myth of the movie
- Remember that people make the same mistakes
  - Unpatched systems, weak passwords
- It is all about getting trust

Penetration Testing Tips

1. Hire someone!
2. Remember, pen testing is not nearly as glamorous as it seems
   a. Good pen testing has methodology and solid documentation
   b. Write-ups are very tedious
3. Don’t practice on your corporate network, or your bank, or the FBI
4. Don’t scare people with pen tests

IT Security Audits
- 1st rule of security:
  - You cannot have strong security over a reasonably sized network without security policy
- 2nd rule of security:
  - A security policy without assessment is only slightly better than no security policy

Strategies for Creating Security Policy
- Root your security policy in well-known industry standards or regulations
  - ISO 17799 – Security Management Best Practices
- Security policies have to start from the top down
  - Illustrate the value of security policy to management
  - Get corporate legal and HR departments to assist you

Security design model

Layers: Policy, Process, Technology, Implementation, Documentation, Operations
- Start with policy
- Build process
- Apply technology

Example: passwords
Policy:         Passwords
Process:        Password creation, reset, change, use
Technology:     System enforcement, protocols, limitations, threats
Implementation: How it works on the network, settings enabled/disabled
Documentation:  Record of what was done and how to do it again
Operations:     Assessment, problem management, end use

Measuring Security Policy

Compare to standards and best practices:
- Documented Security Policy: “What you must do”
- Procedures: “What you say you do”
- Operations: “What you really do”

© 2004 Microsoft Corporation. All rights reserved.
This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.
