Sans 401 June 10-17, 2009
- SANS Security Essentials
  - Schedule
Networking Concepts - Day 1
Defense in Depth - Day 2
Day 3
Day 4
Day 5
Linux Security - Day 6

Sans 401 June 10-17, 2009

SANS Security Essentials

Schedule

0900-1030 - class
1030-1050 - break
1050-1200/1215 - class
1200-1330 - Lunch
1330-1500 - class
1500-1520 - break
1520-1715 - class
1715-1900 - Bootcamp

Networking Concepts - Day 1

Module 1: Network Fundamentals..1-2

color coding scheme
- Red - external
- Yellow - DMZ
- Green - internal
left interface usually external interface

Network Fundamentals..1-3

types of networks..1-6

LAN - Local Area Network
MAN - Metropolitan Area Network
WAN - Wide area network
Internet
PAN - Personal Area Network

Physical and Logical Topologies..1-9

Physical
- Bus - older
- Ring - older
- Star - most popular
Logical
- Ethernet
- Token Ring

Ethernet..1-12

Baseband shared media network.
CSMA/CD - carrier sense, multiple access with collision detection
the most common layer 2 protocol
A Chunk of data transmitted over the wire is called a frame
Uses 1500 byte frame size
GigE networks utilize Jumbo Frames. Large numbers of small frames will cause problems on GigE.

Token Ring and FDDI..1-14

Communications is token based
Not common with client computing
Large mainframes where each system needs to communicat in a predictable manner still use this technology

Asynchronous Transfer Mode (ATM)..1-17

Older protocol
Encapsulates common protocols
Like combining Ethernet and IP
expensive to set up, not seen on LANs
efficient for video streaming
commonly used for establishing high speed backbones over significant distances

WAN Technologies..1-19

Dedicated lines
- T1 or T3
- E1 or E3
Frame Relay
MPLS - IPv6, VoIP, IP Video – considered a replacement for Frame Relay and ATM
ISDN - any ISDN could possibly call any other ISDN providing a backdoor attack
DSL
- Distance limitations
Cable Modems
WAN

Networking Hardware..1-24

Category 1 and 2
Cat 3 10Mb
Cat 4 16Mb
Cat 5,5e 100Mb-1Gb
Cat 6
Network Taps
Vampire Taps

Crossover Cable..1-26

+TX to +RX
-TX to -RX

Network Devices..1-28

Hub
Bridge
Switch - can be flooded and turned into a hub. Newer devices not susceptible.
- ettercap
- dsniff
Router - Drops traffic if it does not know where to send it.

regarding ping

block-all-icmp cannot (should not) be done on IPv6
ping
- ECHO REQ →
- ECHO REP ←
- sending an inbound ECHO REP can let a hacker map networks blocking ECHO REQ, because the router sends host unreachable. If the machine exists, the reply will just be dropped, indicating the existence of a machine.

Virtual LAN (VLAN) and Network Access Control (NAC)..1-32

can be used to switch an attacking machine to a virtual “jail”.

Network Design..1-33

Network Design Objectives..1-34

Publish separate mail, Web and DNS servers to the Internet
Provide appropriate access from the internal network to the Internet
Protect the internal network from external attaccks
Provide defense-in-depth
Protect all aspects of the system

Network Sections..1-35

Public - Internet
Semi-public(DMZ) - Web, Mail, DNS servers
Private - Internal Systems
Locate firewalls:
- Between the Internet and the other networks
- Between the semi-public and private network
- Between sections of varying trust levels

The Final Design..1-38

Module 2: IP Concepts..1-41

Network Protocol..1-44

What is Network Protocol?..1-45

Three basic purposes
- to standardizw the format of communication
- to specify the order or timing of communication
- to allow all parties to determine the meaning of a communication
Protocol Stacks - The layered protocols involved in communication

The OSI Protocol Stack..1-47

International Standards Organization (ISO) Open Systems Interconnect (OSI)
Application - Layer 7
Presentation - Layer 6
Session - Layer 5
Transport - Layer 4
Network - Layer 3
Data - Layer 2
Physical - Layer 1

OSI vs TCP/IP..1-49

OSI	TCP/IP
5 Session, 6 Presentation, 7 Application	Application
4 Transport	Transport (TCP)
3 Network	Internet (IP)
1 Physical, 2 Data	Network

How Protocol Stacks Communicate..1-51

How TCP/IP Packets are Generated..1-52

Encapsulation passes information to each layer
Each layer adds header information
The previous layer's headers are the current layers data

IP Packets..1-55

IPv4 Header..1-56 *

IPv4 Header..1-57

Version field tells IPv4 or IPv6
Protocol can be a user defined number by a hacker
TTL Time to Live, router hops counts
- Decremented each time and is discarded once the count reaches 0
- Can tell how far away in router hops.
- TTL can tell if a packet has been spoofed. If you expect a close route and receive a high count, something is wrong or intercepted (man in the middle).
Fragment Offset
- 1500 bytes is generally the MTU. Anything longer will need to be put back together once received.
- crafting the offset value can cause bytes to overlap and change the value.
IP addresses
Identity Match - commercial SSN finder

IP Header Identifies Protocol..1-60

Network Addressing..1-61

Addressing Basics..1-62

Two Parts of and Address..1-63

network and Host portions

IPv4 Addressess and Subnets..1-64

Class A address - 1-127
- N.H.H.H
- 255.0.0.0
- /8
Class B Address - 128-191
- /16
Class C Address - 192-223
- N.N.N.H
- 255.255.255.0
- /24

Netmasks and CIDR..1-65

CIDR provides a shorthand like /16
172.20.0.0/16
the 16 is how many bits are allocated to the network address

Broadcast Addresses

all 1's for the host portion
older networking hardware will interpret all zeros as broadcast
172.20.15.0/24 broadcast is 172.20.15.255
Limited Broadcast - 255.255.255.255 limited to local network
smurf attack based on Windows 95 stack vulnerability from broadcast flood

Private Network Addressing..1-69

10.0.0.0
172.16.0.0
192.168.0.0

using NAT on wireless does not buy you anything because a sniffer can read the internal IP's

Two Addresses..1-71

Mac address
IP address

Address Resolution Protocol (ARP)..1-74

Hacker in the '90's would respond to arp requests and be man in the middle.

Domain Name System (DNS)..1-76

Domain Name System (DNS)..1-77

Static host tables

Domain Hierarchy..1-79

Types of DNS Queries..1-81

Gethostbyname
Gethostbyaddr

DNS Security..1-83

Attacks
- Cashe poisioning
- Denial of service
- Footprinting - information leakage
- Registration spoofing
Defenses
- Keep DNS software up-to-date
- Distribute aurhoritative DNS servers
- Limit zone transfers (Never allow this)
- Register with reputable registrars

split dns
- external
  - only authoritative for your domain name
  - randomize query id's
  - only recursive for your internal dns server
  - don't allow zone transfers
- internal
  - always does recursion on external

IPv6..1-85

128 bits

IPv4 vs. IPv6

IPv4
- 32 bits, 4.2 billion addresses
- no authentication
- Encryption provided by applications
- Best effort transport
IPv6
- 128 bits, 240 undecillion addresses
- Provides authentication of endpoinots
- Support for encryption in protocol
- Quality of Service (QoS) features provided in the protocol

IPv6 features..1-88

IPv6 Addressing..1-90

divided in three portions
Network prefix (48 bits)
Subnet ID (32 bits)
Interface ID (64 bits)

Module 3: IP Concepts II..1-94

Objectives

...OSI

User Datagram Protocol (UDP)..1-98

UDP..1-99

connectionless communications

UPD uses..1-101

(Multimedia/VoIP) streaming
multicasting is required
- transmission is expected to occur on a reliable network.
TCP is fundamentally incapable of multicasting
DNS
Common protocols:

UDP Header..1-103

TCP (Transmission Control Protocol..105

TCP uses..1-107

Offers flow control to handle network congestion
Allows for transmission of larger amount of data per packet
Guaranteed delivery of transmitted dtat is more important than speed
offers better

FTP (File Transfew Protocol)..1-108 *

bounce attack can allow access to FTP through firewall

Active vs. Passive FTP..1-111 *

google “FTP Bounce attack”

Establishing a TCP Connection..1-113

SYN, SYN/ACK, ACK

TCP Header..1-114

TCP Header - Key Fields..1-116 *

session hijacking can be accomplished by sending a duplicate frame number which will cause the receiver to discard the old frame
hunt 1.5 is a tool to hijack telnet or tcp sessions

TCP Code Bits/Flags..1-119 *

Mask
- SYN 02
- SYN/ACK 12
- ACK 10

Closing a TCP Session..1-121

an attacker could open a session then disconnect leaving an outbound port open
graceful close is 4-way
Abrupt closure RST/ACK in either direction

TCPdump Output from a Graceful Connection Termination..1-123

TCPdump Output from an Aborted Connection

Because closure occurs based upon a single packet, be sure to validate the packet was not spoofed
- Check Sequence/Acknowledgment numbers

TCP and UDP..1-126

Internet Control Message Protocol (ICMP)..1-127

ICMP..1-128

two purposes
- report errors
- provide network information

ICMP Header..1-129

ICMP Payload usually contains the header of the packet that failed
Payload can contain anything
tools that cross firewall
- icmptunnel
- httptunnel
- smtptunnel
- loki is an old tool that used the icmp tunnel

ping..1-132

be most concerned about icmp being used as covert data channel

traceroute..1-133

Unix and Windows Traceroute..1-135

Unix traceroute uses UDP packets
Windows tracert uses ICMP

M0dule 4: Protocal Analysis..1-139

Protocal Analysis..1-140

tcpdump/windump..1-143

What is a Sniffer..1-144

airpcap wireless
ettercap dcap for wired networks

Sniffing on a Switch..1-147

The technique of sniffing traffic on a switched segment has been discussed for some time. …dsniff

tcpdump..1-148

tcpdump commands..1-149

-s entire packet
-vv
-nn

Analysys with tcpdump..1-150

Sample TCPdump ICMP Output..1-153

Sample TCPdump UDP Output..1-154

Sample TCPdump TCP Output..1-155

some extra fields
- Flag
- Sequence numbers

Reading Packets..1-157

Hexadecimal Representaion..1-160

Five Tips for Decoding Packets..1-161

Decoding and IP Header..163 ..1-170

Decoding a TCP Header..1-171 ..1-180 (* 1-177 and 1-180)

Calculating Variable Length Fields..1-177

Module 5: Virtual Machines..1-183

Module 6: Safety and Physical Security

Managing Safety & Physical Security..1-231

Safety trumps security
oftcrack
backtrack

Evacuation Procedures..1-237

Restricted Area..1-253

Preventing Unauthorized access..1-258

Deterring Unauthorized Access..1-262

Managing Physical Security..1-267

Cookbook Tools - Networking Concepts..2-1

Defense in Depth - Day 2

Module 7: Defense in Depth..2-2

Defense in Depth..2-3

router example - put in

no ip source routing
no ip directed broadcast

Defense in Depth..2-5

application flaws should be known to the user for them to make the decision on how to proceed.
the informed user is a safe user

What is Defense-in-Depth?..2-6

Data
Application
Host
internal network
perimeter
Physical security

Focus of Security is Risk..2-7

Risk = threat x vulnerabilities

Key Focus of Risk..2-8

Prioritizing CIA..2-10

Confidentiality
- Pharmaceuticals
- soft drink manufacturers
Integrity
Availability

What is a Threat?..2-11

Primary Threats:
- Malware
- Insider
- Natural disasters
- Terrorism

Vulnerabilities..2-13

known
unknown - “zero day”
unpatched systems
mis-configured systems

Approaches to DiD..2-15

Uniform Protection..2-16

Protected Enclaves..2-17

Information Centric..2-18

Vector-Oriented..2-19

Viruses and Malicious Code..2-20

Viruses..2-23

COM/Script Program Infectors..2-25

inserts itself in existing code

EXE Program Infectors..2-26

similar to com infectors

web bug

a 1×1 document that points to a remote site which records a log entry indicating the document has been opened.
cnn.com use techniques like this all the time.

Worms..2-27

Attack systems through known vulnerabilities
scan for more systems to attack
used to build botnets

The Morris Worm 1988..2-29

Linux Worms..2-31

search for lrk4 lrk5 lrk6 to find these rootkits

SQL Slammer Worm..2-33

Sasser/Netsky Worms..2-34

Conficker Worm..2-35

Fixing the Problem..2-36

What Worms Teach Us about Configuration management..2-37

Malicious Browser Content..2-39

Hybrid Threats..2-41

Malware Capabilities..2-43

backdoor access
leaking of data

propagation Techniques..2-46 *

Malware Defense Techniques..2-47 *

Activity monitoring
malware scanners
File and resource integrity checking
Stripping e-mail attachments - can cause business practice problems
Remember defense-in-depth
Patch all systems
turn off unused services

Malware Analysis..2-54

"The machinery of democracy"

paper on problems with voting machines

Module 8: Basic Security Policy..2-57

Basic Security Policy..2-58

Why an Organization Needs a Security Policy..2-61

Protect people who are trying to do the right thing

Convincing the Organization..2-63

if an organization does not have this is will cost money maybe in fines

Mission Statement..2-64

Overall Security Posture..2-65

Example Posture Issues..2-66

Presumption of privacy
physical search
Trust for all connections initid inside the organization
- no egress filtering

Establish a Documentation Baseline..2-68

Policy and Procedures..2-69

A high level policy should not address specific technologies

Defining a Policy..2-70

make sure there is a way to enforce the policy. For instance each user should be responsible for activities from an account.

Procedure Definitions and Issues..2-71

Standard Definitions and Issues..2-72

Baseline Definitions and Issues..2-73

Guideline Definitions and Issues..2-74

Documentation Review..2-75

Issue-Specific Policies..2-76

Policy Table of Contents..2-77

Policy Statement Must..2-79

SMART

Is the Policy..2-81

consistent with law, regulations?

Creating the Policy..2-83

Building the Policy: State the Issue..2-84

Example of Applicability/Scope..2-85

Compliance/Penalties..2-86

Non-Disclosure Agreement..2-88

Intellectual Property - Copyright..2-90

Contingency Planning..2-93

What is a Business Continuity Plan?..2-95

What is a Disaster Recovery Plan?..2-97

BCP vs DRP...2-99

Basic Elements of Continuity Planning..2-102

BCP Key Components..2-104

Business Impact Analysis..2-105

Maximum tolerable downtime MTD

BCP-DRP Planning Process Lifecycle..2-107

Top BCP/DRP Planning Mistakes..2-108

Asset Classification (Randy's)

* several machines may be part of a single system, such as an Oracle system

Module 9: Access Control and Password Management..2-112

Access Control Theory..2-115

Key Terms & Principles..2-116

it is the data owners job to determine if the data is sensitive.

Data Classification by Sensitive and by Type..2-118

Identity, Authentication, Authorization, and Accountability..2-120

Identity
Authentication
Authorization
Accountability

Angels and Demons ←-movie

Controlling Access..2-122

Least Privilege
Need to Know
Separation of Duties
Rotation of Duties

Access Control Techniques..2-123 *

Discretionary
Mandatory
Role-based
Ruleset-based
List-based
Token-based

Managing Access..2-125

Single Sign-On (SSO)..2-127

Protocols and Centralized Control..2-128

Password Management..2-131

Reversible and Irreversible Encryption..2-132

Access Control: Passwords..2-134

best stored as irreversible hashes

What is Password Cracking?..2-135

crack for unix systems used the dictionary to create hashes and compared to the password file

What determines the strength of a Password Hash?..2-137

Quality of algorithm
etc…

Methods of Password Assessment..2-139

Dictionary attack
Hybrid attack
Brute force
Precomputation brute force (Rainbow attack)

John the Ripper vs Linux MD5 Password File..2-143

Windows Passwords..2-146

ntds.dit

Cain-Password Cracking..2-148

Rainbow Tables..2-151

ophcrack website has pre-made tables

Winrtgen..2-152

Cain and Rainbow Tables..2-154

How to protect against password Cracking Hacks..2-155

check the passwords!

Enforce a Strong Password Policy..2-156

Use Shadow Passwords..2-159

Use One-time Passwords..2-160

Utilize Biometrics..2-162

Disable LAN Manager Authentication..2-165

Module 10: Incident handling Foundations..2-168

Incident handling Fundamentals..2-171

Why is it Important?..2-173 *

What is an Incident?..2-175

What is an Event?..2-176

Overview of the Incident-Handling Process..2-179

The Six-Step Process for Incedent Handling..2-180

Preparation..2-181
Identification..2-183
Containment..2-188
Eradication..2-190
Recovery..2-192
Lessons Learned..2-194

Key Mistakes in Incident Handling..2-195

Putting the steps together..2-196

Legal Aspects of Incident Handling..2-198

Incident Handling and the Legal System..2-201

Criminal Law
Civil Law
Others
- GLBA, SOX, HIPAA, PCI

The United States Code, Title 18, Section 1030..2-204

Computer Fraud and Abuse Act

Laws Relating to Incident Handling..2-206

Computer Security Act of 1987
US Privacy Act of 1974
ECPS 1986
HIPAA

Terrorism, Infrastructure Protection and Espionage..2-208

Search/Seizure with Warrant..2-210

Arrest/False Arrest..2-212

Evidence Must be Admissible..2-213

base business decisions on logs will show the logs are used for important purposes.
18 month retention allows 6 months to do a 1 year log review.

Chain of Custody..2-215

Evidence Integrity..2-217

md5sum

Real and Direct..2-218

Best Evidence..2-219

Search Warrant, comply immediately
supeana contact local authority first

Module 11: Information Warfare..2-221

The Threat, Attacks are Increasing..2-225

More Unknowns than knowns..2-226

Information Warfare tools..2-228

Example of a blended Threat..2-229

Could the US Presidency be Affected?..2-230

Could a city be destroyed?..2-231

Offshore Coding and SW Engineering 2009..2-232

Terrorism and Economic Warfare (The business of terrorism.)..2-233

Information Warfare Theory..2-234

Information Warfare Theory..2-235

Cycle Time..2-237

Indications and Warning..2-238

Indications and Warnings Analysis Model..2-239

Measures of Effectiveness..2-240

Offensive Players..2-241

Offensive Operations Goal..2-242

Increase Value to Offense..2-243

Decrease Value to Defense..2-244

Defense is not Usually Dominant..2-245

Module 12: Web Communications and Security..2-248

Web Application Security..2-251

Web Architecture Hardening..2-255

Web Communication Basics - http..2-257

http transactions..2-259

html-Hypertext Markup Language..2-261 *

html forms..2-262 *

POST Actions sends form data in http headers
GET action post form dta appended with URL

Cookies..2-266

SSL/TLS..2-269

Server Side Programming..2-271

Client Side Programming..2-273

Developing Secure Web Applications..2-275

99% of problems are input validation problems
accunetics (commercial), paros (free)

Basics of Secure Coding..2-277

Web Application Service Providers..2-279

Web Application Vulnerabilities..2-281

Web Application Authentication..2-282 *

basic mode uses base64 encoding
digest used encryption

Access Control..2-286

Session Tracking/Maintaining State..2-288

Hacking Session Information..2-289

Protection from Session Attacks..2-291

Input Attacks..2-293

Cookbook

Day 3

http://www.giac.org/proctor/kryterion.php

Module 13: Attack Strategies and Mitigation..3-2

K. Mitnick vs. T. Shimomura..3-6

Reconnaissance (r utilities, rlogin, rshell)
TCP/IP sequence number prediction attack

Two Systems, Trust Relationship..3-8

Starting the Attack..3-9

Finger gives information about users and accounts

Silence B with DoS..3-11

SYN Floods B

Attacker Probes for a Weakness in A's TCP Stack..3-13 *

IP spoofing attack

Attacker Pretends to be B..3-14

The Attacker, pretending to be B, uses the predictable response to open a connection

Make 'A' Defenseless..3-15

Attacker sends expected ACK wut fake SRC IP Address to establish a connection

Finish the job..3-16

Sends rshell packet '“echo ++”>/.rhosts' to open the victim to accept any login
Then, Attacker uses '# rlogin -l root' to takover “A”

Detecting and Prevention Techniques?..3-19

Patch Systems..3-21

Hardening the System Disabling Unused Services..3-22

disable finger

Network Vulnerability Scanner..3-23

Host-based Intrusion Detection..3-24

tripwire
aide

Network-based Intrusion Detection..3-25

Firewalls..3-26

Mitnick Examples: Lessons Learned *

Common Types of Attacks..3-31

Methods of Attack..3-32

Logic Bombs
Trojan Horses
Trap Doors
- Embed malware in something that looks like a music file.

Denial of Service..3-35

Smurf
SYN flood
DDoS Attacks

Physical Attack..3-36

stealing hard drives

Buffer Overflows..3-37

poorly coded applications
extra code placed in buffers can be used to execute attack code
The Shellcoder's Handbook 2nd or 3rd edition

Buffer Overflow concepts..3-38

buffer, heap, stack
“Smashing the Stack” paper on topic

When the Return Address Points to our Payload, We Win!..3-39

Brute Force..3-40

bombard with passwords

Remote Maintenance..3-42

vendor can have access to machine

Browsing..3-43

Race Condidtions..3-44

Interrupts..3-46

Alteration of Code..3-47

Rootkits..3-48

rootkit.com

Module 14: Firewalls and Honeypots..3-51

Why a Firewall?..3-55

Protecting systems from attempts to exploit vulnerabilities

How does a Firewall fit in the big picture?..3-57

Benefits of Firewalls..3-58

protects unwanted services
logs

Shortcomings of Firewalls..3-58

Attacks at the application layer may sneak through
Dial-up, VPN extranet can bypass.

The Default Rule..3-60

Filtering..3-61

firewall protect in one direction only
Ingress
Egress

Multi-Zone Designs..3-63

Stateless Packet Filter..3-65

No State Inspection ACK Flag Set..3-66

Stateful Firewalls..3-68

what happens if the state table fills up
- DoS or Stateless

Stateful Inspection with FTP..3-70 *

Proxy or Application Gateway..3-72

Desktop Protection Personal Firewalls..3-74

Firewall Complementing and IDS..3-75

Network Address Translation (and Private Addresses)..3-76

wireless allows anyone to sniff addresses behind NAT

Port Address Translation(PAT)..3-78 *

Randy's

Old document on firewall configuration

http://www.security.vt.edu/lockitdown/Firewall_Ports_and_Protocols_Summary.doc

80, 1494 are only needed now for Citrix server

Honeypots..3-81

What is a Honeypot?..3-82

system that has no legitimate purpose for someone to connect.

Honeypot Example..3-84

Advantages of Honeypots..3-84

Provides insight

Disadvanges of Honeypots..3-86

Way too time consuming

Classifying honeypots..3-90

Basic honeypot - Netcat Listener..3-93

nc -l -p 80 -n -o hexcapture.txt >port80-listener.txt

honeyd..3-94

simulate network

Sticky Honeypots - LaBrea Tarpit..3-99

Deploying Honeypots..3-102

Honeypot Checklist/Summary..3-104

Module 15: Vulnerability Scanning..3-107

R3: Reconnaissance, Resource Protection, ROI..

Steve Gibbson - Shields up

5 Vulnerability axioms..3-113

Threat Types and Vectors..3-114

Threat Concerns..3-115

Firewall Subversion..3-117

KaZaA - Firewall Subversion..3-118

P2P
bounce a scan off an internal machine

Bypassing Firewall Protection..3-120

Firewalls, Wireless Connections, and Modems..3-121

HTTP Tunnels..3-123

Social Engineering..3-125

Social Engineering Defense..3-127

Bypassing Firewall Protection Controls..3-128

Network Mapping Tools..3-129

ids.cirt.vt.edu

Finding Unprotected Shares - Legion..3-131

Hping3 - Spoofing Port Scanner..3-133

allows crafting packets with illegal flag settings

Attack History..3-136

Network Scanning..3-139

What is a Port Scan?..3-140

Port Scanning with Nmap..3-142

nmap -A -T4 testip

Simple nmap scan..3-144

nmap scan types..3-146

Operating System Identification..3-149

system fingerprinting based on responses to various requests

Vulnerability Scanning..3-151

Vulnerability Scanners..3-152

only scan systems you own
the difference between a hacker and a vulnerability scan is permission

How to do a Vulnerability Scan..3-154

scan when you can respond

Nessus..3-156

Freeware scanner.
grand daddy of all scanners

Alternate Network Mapping Techniques..3-167

Wireless network scanning..3-168

Net Stumbler..3-169

Windows

Kismet..3-172

Linux

Mitigating Wireless network Mapping..3-176

War Dialing..3-177

identify phone modems and see who answers to find an entry point

War Dialers..3-178

Managing Penetration testing..3-181

Core Impact
metasploit auto pwn

Pen Testing Techniques..3-182

Scanning Tools Warning..3-184

Module 16: Intrusion Detection Technologies..3-189

Intrusion Detection Technologies..3-189

What is IDS?..3-192

sec 503 Sans intrusion detection

IDS Technology..3-194

IDS Alerts..3-197

true positives, False Positive
True Negative, False Negative

NIDS Overview..3-199

passive sensor, a sniffer

How Signature Analysis Works..3-201

to attack a signature, alter the signature

Rules and Signature Criteria..3-202 *

How Anomaly Analysis Works..3-204 *

requires an understanding of what “normal” is

How Application Protocol Analysis Works..3-205

things like it's not possible to have SYN and FIN set at the same time

Deep vs. Shallow Packet Inspection..3-207

Data Normalization..3-209

NIDS Advantages..3-210

NIDS Challenges..3-213

Topology Limitatinos..3-214

Analyzing Encrypted Traffic..3-216

Signature Quality vs Quantity..3-217

Performance Limitations..3-218

NIDS Costs..3-220

TCPdump as NIDS..3-222

Snort as NIDS..3-224

Snort Rule Flexibility..3-227

Writing Snort Rules..3-228

Simple Snort Rules..3-229

Advanced Snort Rules..3-230

Key Points for NIDS..3-231 *

Developments in NIDS..3-233

HR IDS Application - Content Monitoring Systems..3-236

HIDS Overview..3-238

Early were local only with no way to collect logs.

How File Integrity Checking Works..3-241

Tripwire

How Log Monitoring works..3-242

logcheck

HIDS Network Monitoring..3-244

HIDS Advantages..3-245

HIDS Challenges..3-246

HIDS Recommendations..3-248

Developments in HIDS..3-248

Zone Alarm is Randy's Favorite

Host and Network-based Intrusion Detection..3-251

Internet Storm Center..3-252

Module 17: Intrusion Prevention Technologies..3-255

What is IPS?..3-259

What IPS is Not?..3-261

HIPS Detail..3-263

Host based Intrusion Prevention System

HIPS Advantages..3-264

HIPS Challenges..3-265

Application Behavior Monitoring..3-267

HIPS Recommendations..3-269

to test, use hping
Port Sentry

Developments in HIPS..3-271

NIPS Overview..3-273

How NIPS Work..3-274

NIPS Detail..3-275

NIPS Challenges..3-278

Passive Analysis..3-279

Developments in NIPS..3-281 *

IPS Examples..3-284

Randy

network-tools.com/analyze
FastDial add on for Firefox

Module 18: IT Risk Management..3-291

Risk management Overview..3-295

IT Risk management - Where do I Start?..3-296

IT is Only One Form of Risk..3-300

Define Risk..3-301

Risk Management Questions..3-302

SLE vs ALE..3-305

Single Loss Expectancy (SLE - one shot)..3-306

Annualize Loss Expectancy (ALE - multi-hits)..3-307

Quantitative vs Qualitative..3-309

Threat Assessment, Analysis & Report to Management..3-311

Business Case for Risk Management..3-312

Business Case - Applications..3-313

Step 1 Threat Assessment and Analysis..3-314

Outsider Attack - Internet..3-316

Insider Attack - Internal Net..3-318

Insider Attack - Honeypot..3-320

Malicious Code..3-321

Step 2 - Asset Identification and Valuation..3-322

Step 3 - Vulnerability Analysis..3-323

Step 4 - Risk Evaluation..3-324

Step 5 - Interim Report..3-325

Acceptable Risk - Who Decides?..3-326

Cost Benefit Analysis..3-327

"Final" Report..3-328

http://www.security.vt.edu/playitsafe/riskassessmentresources.html

Cookbook - Internet Security Technologies..2-1

Available upon request from Security Office ***

Nexpose commercial vulnerability scanner
Hawki asset manager

find where ipaddresses originate

ip2location.com
dnsstuff.com

Day 4

Module 19: Encryption 101..4-2

Encryption 101..4-3

What is Cryptography?..4-6 **

means hidden writing
plaintext is a message in its original form
Ciphertext is a message in its encrypted form
David kann, “Codebreaker”

Security by Obscurity is no Security..4-8

never believe in a secret pro proprietary cryptographic algorithm

Beware of Overconfidence..4-10

large key lengths do not ensure security

Credit Cards Over the Internet..4-11

The Challenges That We Face..4-13

Goals of Cryptography..4-14 *

Digital Substitution (Encryption)..4-16

Digital Substitution (Decryption)..4-18

symmetric crypto system uses the same key to encrypt and decrypt

General Symetric Encryption Technique..4-19

substitution
Permutation
Hybrid

Arbitrary Substitution..4-20

Rotation Substitution..4-21

Usenet uses ROT-13

Permutation..4-23

Block Ciphers..4-24 *

Stream Ciphers..4-26 *

could be used for VoIP

General Types of Cryptosystems..4-28

Types..4-29

Secret Key
- Symmetric
- Single or 1-key encryption
Public Key
- Asymetric
- Dual or Two key encryption
Hash
- One-way transformation
- No key encryption

Symetric Key Cryptosystems..4-30

AKA “Secret Key” Encryption
DES
Triple-DES
RC4
IDEA

Asymmetric Key Cryptosystems..4-32

“Public-Key” Encryption
RSA
EI Gamal
ECC

Diffie-Hellman Key Exchange..4-35 *

Agree on a large prime number, n
generator number, g
…
algorithms like this are not unbreakable, just not in a reasonable amount of time

Hash Functions..4-37

No Key
Primary Use: Message integrity
“weaknesses in oracle password algorithm”
a weakness involves multiple strings resolving to the same hash.
- marchany, marchan, marcha all could give the same hash. This is bad

Steganography..4-39

Steganography (Stego)..4-40

hides message in another, like a message in a picture

Crypto vs Stego..4-41

Detecting Cryptography..4-43

Historgrams..4-44

How Steganography Works..4-45

need Host to carry the message, an image or sound file

General Types of Stego..4-46

Injection..4-47
- antiword - retrieves deleted text in a Word document
- hydan
Substitution..4-49
Generate New File..4-46
- spammimic.com

xrite.com Online color Challenge

Module 20: Encryption 102..4-53

Concepts in Cyptography..4-57

Tractable problems
Intractable problems, cannot be solved in a reasonable time..4-58
- factory primes
- solving the discrete logarithm problem (El Garmal)..4-61
- Computing Elliptic curves (ECC)..4-63
  - low power consumption would be useful on cell phones, pda's

Symmetric & Asymmetric Cryptosystems..4-64

DES..4-65

began in 1975 (same time Randy started at Tech)
O'Riely “Cracking DES”

DES Weakness..4-66

DES Advangage..4-68

Meet-in-the-middle Attack..4-69 *

Triple DES..4-70

AES..4-72

Advanced Encryption Standard
round is the number of iterations within the algorithm

AES Algorithm..4-74 *

AES Basic Functions..4-75

AES (2)..4-76

DVD encryption secrecy resulted in a crackable system
seed numbers make an algorithm secure

RSA..4-77

center part of SSL
cracked system have been insecure keys or small key length

AES vs. DES (Asymetric vs Symmetric)..4-78

speed. DES is about 100 times faster

Elliptic Curve Cyptosystems (1)..4-79

PDA's smart phones, appliances, smart cards

Elliptic Curve Cyptosystems (2)..4-80

Comparing Key Length..4-82 *

important when evaluating vendor encryption
bigger may not be better
compare sysmetric systems with symetric systems

Crypto Attacks..4-83

known plaintext attack
chosen plaintext attack
Adaptive chosen plaintext attack
Ciphertext only Attack
Chosen ciphertext attack
Chosen key attack

Birthday Attack..4-87

pairs of messages might share the same hash

Module 21: Applying Cryptography..4-90

Applying Cryptography..4-91

Objectives..4-92

Data in Transit - VPN's
data at rest - PGP
Key Management - PKI

Virtual Private Networks (VPN's)..4-95

Confidentiality in Transit..4-96

private network

Virtual Private Network (VPN)..4-97

data encrypted at on end, cyphertext is transmitted
endpoints are the weakness

VPN Advantage - "Flexibility"..4-98

VPN Advantage - "Cost"..4-99

VPN Breakdown..4-100

Types of Remote Access..4-101

Security Implications..4-103

must trust the other end

IPSec Overview..4-105

IP Security Standard for VPN's
the term gets blurred with a Windows term

Types of IPSec Headers..4-106 *

authentication header (AH)
- ICV computation , AH includes every field that does not change from source to destination
Encapsulation Security Payload (ESP)
- encrypts the entire message including the header

Types of IPSec Modes..4-109 *

tunnel mode (site to site VPN's)
- entire ip packet
transport mode (client side)

SSL VPN's..4-112

requirements for procurement..4-113 *

Examples of Non-IPSec VPN's..4-114

ssh
L2TP
SLIP
PPP
SOCKS

Pretty Good Privacy (PGP)..4-116

Confidentiality in Storage..4-117

Phil Zimmerman
entire disk vs file-by-file

On-the-Fly Encryption..4-120

data encrypted to be transmitted

Establishing a Key..4-121

Choosing a Passphrase..4-122

Encrypting Outbound Email..4-123

Sample PGP-Encrypted E-mail..4-125

Decrypting Inbound E-mail..4-126

Signing Outbound E-mail..4-127

Confirming a Signed E-mail..4-128

Public Key infrastructure (PKI)..4-129

What is the business Value of a Public Key Infrastructure?..4-130

How PKI Works..4-132

repository of digital certificates that is vetted by some personal identification.
root CA
Intermediate CA
Issuing CA
implementation
- Microsoft Certificate Services
- Entrust Authority
- Verizon / Cybertrust UniCert PKI
- OpenSSL

Operational Goals of PKI..4-135 *

Digital Certificates..4-139 *

Secure Web Traffic (SSL)..4-141

PKI SSL Crypto: An Illustration..4-143 *

Client Web Request
Server Responds
Client validates certificate & Crypto ( this is the step the client can cause failure by accepting the cert)
Client encrypts the session dey
Session key exchange
Server decrypts the session key
Encrypted messages are exchanged

Secure E-mail (S/MIME)..4-145

Partial or Whole Disk encryption..4-147

Microsoft BitLocker..4-148

Other Uses of PKI..4-150

PGP as 'Web of Trust'..4-151

Problems with PKI..4-154

Certificate Authorities
- expense
- certification of the CA

Applying Cryptography: Summary..4-156

www.pki.vt.edu

Module 22: Wireless Network Security..4-158

Wireless Network Security..4-159

PDA's
Mobile Phones
Laptops
Pagers
HVAC Control Units
traffic signals
power meters

Wireless Advantages..4-163

Vertical Markets..4-165

Healthcare
Financial
Academia
Factroies/Industrial
Retail
Wireless Internet Service Providers

Bluetooth..4-168

Bluetooth..4-169

Bluetooth Specification..4-170

Bluetooth Security..4-172

4-16 byte pin
default 0000 or 9999

Bluetooth Security Issues

hackfromacave.com - John Paul's security tools

blueScanner..4-176

hcitool bluez-hcidump
merlin and frontline are commercial sniffers

Bluesnarf Attacks..4-177

Bluetooth Sniffing Impact..4-178

Protecting Bluetooth..4-180

non-advertise mode
change pin
Josh Write utube - Eavesdropping on Bluetooth headsets
- carwhisperer
bluesnipper
gumstick computer

ZigBee Wireless..4-182

HVAC
product tracking
medical device monitoring
Industrial sensors
Home automation

ZigBee Specification..4-183

10-75 meters
868 MHz, 915 MHz, 2.4 GHz
low power consumption, goal of 10 year service

ZigBee Security..4-185

802.11..4-187

IEE 802.11 Wireless..4-188

WEP Security..4-190

airsnort has been replaced by aircrack (aircrack-ng)

IEEE 802.11i, 802.1x, EAP..4-192

802.1x Authentication..4-193 *

Wi-Fi Protected Access..4-195

Wireless Security..4-196

wellenreiter - listens for mac address and spoofs the address for wireless access

General Misconceptions..4-197

Top 4 Security Risks for WLAN's..4-203

Eavesdropping..4-204

Eavesdropping Mitigation..4-205

use strong encryption in the lowest layer protocol possible
Design you wireless networks with caution- minimize coverage area
Audit with a sniffer

Masquerading..4-207

Masquerading Mitigation..4-209

Use SSL/TLS
Educate users on the danger of clicking “Yes” to digital certificate warnings ←-Joke?

Denial-of-Service Attacks..4-210

DoS Attack Mitigation..4-212

Rogue AP's..4-213

Rogue AP Mitigation..4-214

Steps to Planning a Secure WLAN..4-216 *

detection tools:
kismet
- get_essid

Protecting Wireless Networks..4-218 *

Module 23: Voice over IP..4-220

VoIP..4-221

VoIP Functionality & Architecture..4-223

VoIP Overview..4-224

Phone can be routed and transmitted over the network.
can be any combination of analog telephone adapter, IP telephone and Computers.

VoIP Risks..4-225

External attacks
Internal Misuse
Theft
System Malfunction
Service interruption

LAN VoIP..4-227

WAN VoIP..4-228

VoIP Networking..4-229

Advantages of VoIP..4-231

Disadvantages of VoIP..4-234

VoIP Architecture..4-238

VoIP Components..4-240

Media Gateways
Registration and location servers
Messaging servers
End user devices: VoIP phones, softphones

VoIP Traffic Patterns..4-242

VoIP Protocols..4-243

H.323, SIP

VoIP Signaling H.323..4-245 *

…
H239

VoIP Signaling - SIP..4-247

alternate to H.323

SIP Packet Details..4-248

SIP Exchange..4-249

VoIP Media - RTP..4-251

VoIP and TCP vs UDP..4-252

base protocol decision on need. reliable connection would require TCP

Skype..4-253

VoIP Challenges..4-254

VoIP Operation Challenges..4-255

VoIP Security Challenges..4-257

CID spoofing. privacy attacks
Phone impersonation

VoIP Security Challenges..4-259

Call Hijacking

Securing VoIP..4-261

security focus article#1862 http://www.securityfocus.com/infocus/1862

other services

google voice

Module 24: Operations Security..4-264

Operations Security (OPSEC) Defensive and Offensive Methods..4-265

Management Application - Operations Security (OPSEC)..4-268

The three Laws of Defensive OPSEC..4-270

OPSEC Weekly Assessment Cycle..4-271

Employee Issues..4-273

Employment Agreements..4-275

Need to Know..4-277

Putting it all together..4-278

Sensitive Information..4-280

Offensive OPSEC..4-282

bing bird's eye view
pipl.com
governmentrecords.com
magtech software for reading and writing magnetic cards

Society for Competitive Intelligence Professionals Code of Ethics..4-290

Corporate Information..4-292

Edgar Search..4-293

Wayback Search..4-298

Company Information from Other Web Sites..4-301

Company Financials..4-302

Project/Product Information..4-304

Individual Information..4-305

Project/Product Information..4-304

Individual Information..4-305

Intelius
County Court House records

What does this mean to me..4-306

How to Apply OPSEC - Summary..4-307

google searches

Cookbook Tools - Secure Communications

pgp

netstumbler

s-tools

steganographic tools
- bmp
- gif
- wav

Invisible Secrets

hide information inside
- jpeg
- png
- bmp
- html
- wav
DOD-compliant shredder
30 day demo
added features cost extra

xsteg/stegdetect

xsteg is gui front end for stegdetect
detects stego from the following:
- jsteg
- outguess
- jphide
- invisible secrets
- f5

wireshark

wireshark and VoIP

Day 5

tiddlywiki java script and css http://www.tiddlywiki.com
articles to google:
- How Mitnick Hacked Tsutomu Shimomura with an IP sequence attack
- Best Practices for “Forgotten Passwords” Feature
truecrypt
- only one person gets rw access, all others ro
- put hidden volume inside a visible truecrypt volume (plausible denyability)
pgp netshare gets around the rw limitation of truecrypt
http://security.vt.edu/findssnccn.html
http://securiosities.org/tag/secret-question/

Module: 25 The Windows Security Infrastructure..5-2

The Windows Security Infrastructure..5-3

Windows Operating Systems..5-5

Windows Mobile
- not socket access, so no sniffers available

Windows XP..5-6

xp home used to ship with a blank admin password
sp2 started shipping with security features enabled

Windows Server 2003..5-9

Windows Vista & Windows 7..5-11

Windows Server 2008..5-14

same code base as vista
Powershell
Hyper-V

Windows Mobile..5-17

no raw socket support, so no sniffer cannot be written for it
therefore, no IDS would be available
showing up in embedded systems
Windows Mobile security Best Practices..19 *

Windows Workgroups and Accounts..5-21

Workgroups..5-22

no domain controller

Workgroups..5-24 Benefits

Workgroups..5-25 Drawbacks

Users are creatively careless

Managing Local Accounts..5-26

wmic
netsh

Security ID Numbers (SIDs)..5-27

SIDs for common accounts are well known, like Administrator and Everyone
changing the name of these common accounts is a minimal security gain
- it might lessen the brute force attacks
- it could also lessen the log entries

Your Security Access Token (SAT)..5-29

whoami.exe /all /fo list

To Form a More Perfect Workgroup..5-31

Windows Active Directory and Group Policy..5-33

Active Directory Domains..5-34

master database for machines and users
similar to nis+
partial list of what can be stored in Active Directory..5-36 *

Authentication Protocols (1 of 3)..5-37

4 parts of SAT..5-37 *

Authentication Protocols: Kerberos (2 of 2)..5-39

default authentication protocol
- NTLM only used when necessary
ticket encrypted based on the user's passphrase
- vulnerable to brute-force cracking, last paragraph..40 *
- http://ntsecurity.nu

Forests and Trusts..5-42

..43 2nd paragraph http://www.microsoft.com/activedirectory

The Nature of Trust..5-44

Cross-Forest Trusts..5-46 *

Group Policy..5-48

How Group Policy Works..5-49

GPO's applied at boot-up, Logon and 90-120 minute intervals

Module 26: Service packs, Hotfixes and Backups..5-53

Service Packs..5-56

It's a Giant Patch
Do staged roll-outs and check for problems

Slipstreaming..5-58

nlite helps with this

Hands-Free Service Packs..5-59

Hotfixes..5-61

E-mail/Newsfeed Bulletins..5-62

microsoft.com/security

Installing Multiple Hotfixes..5-63

Organize Hotfixes..5-64

BATCH.BAT..5-65

Microsoft Update..5-67

Windows Update..5-68

http://vtnet.vt.edu

Windows Server update Services (WSUS)..5-69

How does WSUS work..5-71

WSUS Administration..5-72 *

3rd-Party Patch Management..5-74

http://www.windowsitpro.com
for remote offices heise or disconnected remote site

http://www.h-online.com/security/Do-it-yourself-Service-Pack--/features/80682

Windows Backup and Restore..5-76

Importance of Backups for Security..5-77

Windows XP/2003 Backup..5-78 *

ntbackup.exe came from veritas

System State Backup..5-80

Windows 7 will allow system state over the network

Windows Vista/2008/7 Backup..5-81

robocopy (Vista/2008/7)
wbadmin (2008)

Third-Party Backup Solutions..5-84

Binary Disk Images..5-85

System Restore..5-86 *

system restore snapshot times

Previous Versions..5-89

Device Driver Rollback..5-91

Summary..5-92

comment

To clean up a new system

http://www.pcdecrapifier.com/

Module 27: Windows Access Controls..5-94

Windows Access Controls..5-96

NTFS Overview..5-98 *

NTFS DACL's..5-100

Advanced Security Settings for ACE's *

by default, deny overrides allow
inherited..5-103 *

NTFS Owners..5-104

Principle of Least Privilege..5-106

needs analysis

AGULP..5-108,5-109 *

AD Users and Computers..5-110

Shared Folder Permissions..5-112

net help share

Hidden and Administrative Shares..5-115

Combining NTFS and Share DACL's..5-117 *

calculate effective permissions of user

What is the Registry?..5-119

Remote Registry Service..5-120

default is enabled

Registry DACL..5-122

Active Directory Permissions..5-123

Delegation of Authority in AD..5-125

Mandatory Integrity Control (MIC)..5-127 *

medium is default

User Rights..5-129

..5-130,5-132 *

Encypting File System..5-137

can prevent Linux boot disk access
cipher.exe

EFS Implementation Details..5-139 *

EFS Key Recovery..5-140

EFS Best Practices..5-142

BitLocker Overview..5-144

Trusted Platform Module..5-146

motherboard failure would render data inaccessible.

BitLocker TPM Options..5-148

Disabling vs Turning Off..5-150

…the decryption key is stored in plaintext on the drive

Emergency Recovery..5-151,5-153 *

Module 28: Enforcing Security Policy..5-156

Security Templates..5-159 *

keep track of the template directory with tripwire.
CIS scoring tool..5-162,5-163

SCA Snap-In..5-164

there is no Un-Do

SECEDIT.EXE..5-166

Local Group Policy Object..5-167

GPO Security Settings..5-169

GPO Scripts..5-170

activestate.com
loopback policy processing mode

Administrative Templates..5-171

if there is a conflict between user and computer, usually the computer wins

Domain Group Policy Objects..5-173

gpupdate /force /sync

Default Domain and OU GPO's..5-175

Checklist of GPO Settings..5-176 * (for audit)

GPO > Passphrase Policy..5-177

GPO > Lockout Policy..5-179

GPO > Security Options..5-180,5-183

Anonymous Access..5-184 ** check

net.exe use \\address\IPC$ "" /user:""
* null users not used as much on later OS's

Kerberos & NTLMv1..5-186

Don't use!

Kerberos & NTLMv2..5-187

The Guest Account..5-188

Administrative Accounts..5-190

Randy does not recommend 4 or 6 on the slide

Software restriction Policies..5-192

Windows 7, AppLocker

User Account Control..5-195

Internet Explorer Security..5-198 *

folders with Low MIC label assigned “low” contain low in name

Internet Explorer Security..5-201

Internet Zone
Trusted Sites Zone..5-203
SmartScreen filter and XSS Filter

Module 29: Windows Network Services..5-207

The Best Way to Secure a Service..5-210

How to disable Service..5-211

Service Applet
Security Template
GPO
SC.EXE

Security Configuration Wizard..5-214

Windows XP services that can be disabled http://www.digitalmediaminute.com/article/1841/windows-xp-services-that-can-be-disabled
blackviper http://www.blackviper.com/

Server Manager..5-218

Network Adapter Bindings..5-220

Do I Still Need NetBIOS?..5-222

restrict to campus or subnet
don't let requests off campus or subnet

nbstat.exe -A ipaddress

refer to table on page 5-223 *

Key Protocols..5-226

SMB TCP/139/445
RPC TCP/135
LDAP TCP/389/636/3268/3269
Kerberos TCP/UDP/88

More Key Protocols..5-228

The Windows Firewall in Vista/2008/7..5-230

Network Location Types..5-232 *

Managing Firewall Rules..5-234

Order Firewall Rules are processes..5-235,5-236 *

Windows IPSec & other VPN's..5-238

Internet Protocol Security..5-239

Command-Line IPSec Tools..5-240

IPSec & Group Policy..5-242

Group Policy Example..5-243

Virtual Private Networking..5-245

never use PPTPv1 or NTML
these could be required by embedded devices that cannot be updated

Windows VPN Client..5-247

Routing and Remote Access Service..5-249

Windows IIS Security..5-251

Securing Internet Information Server (IIS)..5-252

Use a Minimal Patched Install..5-253

the gui is almost required to get it to do anything

Separate NTFS Volumes for Web Content..5-255

very important
makes backup easier

Require a Host Header..5-257

Remove Unused Handler Mapping..5-259

Folders Not to Have..5-261

IIS Access Controls..5-263

Some Questions for Your Web Developers..5-267,5-270 *

SQL SErver Security Tips..5-271,5-272 *

Validate and sanitize all user input before letting it touch the server

Remote Desktop Services..5-273

Remote Desktop Services..5-274

TCP port 3389

RDP Best Practices..5-278

Investigate Citrix as a cross-platform alternative

Module 30: Automation, auditing and response..5-285

Windows Automation and Auditing..5-286

Automation..5-289

The Support Tools..5-290,5-291

Microsoft Resource Kits..5-292

WMIC.EXE..5-297

wmic.exe process list full

Network Configuration Tools..5-302

netsh.exe

Other free Toolsets..5-304

whatsrunning http://www.whatsrunning.net/
activeports

Scripting Support And *NIX tools..5-306

Microsoft PowerShell..5-310

windowsitpro.com has tutorials

Push Scripts with Group Policy..5-312

Scheduling Jobs..5-314

Auditing..5-316 *

Verifying Policy Comliance..5-317

The SCA Snap-In Again..

SECEDIT.EXE..5-320

Microsoft Baseline Security Analyzer..5-322,5-323 *

MBSACLI.EXE..5-326

Windows Defender..5-328

Creating Snapshots..5-330

Snapshot Batch Script..5-334,5-335,to 5-338

http://www.windowspowershelltraining.com/downloads/scripts.zip

Gathering Ongoing Data..5-339

event log scanning tools
ossec http://en.wikipedia.org/wiki/OSSEC
Microsoft log parser http://www.microsoft.com/technet/scriptcenter/tools/logparser/default.mspx

Security Event Log and Audit Policies..5-341 *

NTFS, Registry and Printer SACLs..5-343

What Objects Should be Audited?..5-346 *

running security tools and monitoring logs will help reveal what the logs will look like with a certain attack. Signature.

Log Size and Wrapping Options

kb183097

Log Consolidation..5-350

IIS Logging..5-352

Change Detection and Analysis..5-355

Cookbook - Windows Security..5-358

nmap scans

nmap SYN: -sS, UDP: -sU, Xmas: -sX, FIN: -sF

Cookbook

SCA

BSA

CIS

Linux Security - Day 6

Module 31: Securing Linux/Unix..6-3

fog

Free Opensource Ghost http://www.fogproject.org
http://www.hfslip.org for slipstreaming xp, 2003
nLite, vLite

Securing Linux/Unix..6-3

Operating System Overview..6-5

Kernel..6-6

the most important thing to protect from a security point

File system Structure..6-7

the root structure is independent of drives

File System Strucure..6-8

only one root denoted by /

Shell..6-9

three basic shells
- sh was native shell

Examples of Shells..6-10

sh
csh
bash
ksh
tcsh
for windows, COMMAND.COM

Commands You Need to Know..6-11,6-12 *

pwd..6-13
cd..6-14
ls..6-15
touch / clear..6-16
cat..6-17
mv..6-18
cp..6-19
mkdir..6-20
rmdir..6-21
rm..6-22
su..6-23
find..6-26
grep..6-27
- generic regular expression program
man

vms moved from DEC to windows NT (vms→wnt one letter off) (ibm→hal one letter of Arthur C. Clarke's Space Odyssey saga)

Unix File Permissions..6-29

ls -l
- regular file
d directory
l link
c
v

w implies delete
x execute, or list directory

Unix File Permissions..6-31 *

permissions have different meaning if the target it is a file or or a folder

chmod..6-32
setuid..6-33
- run program with owner's permission
- for example passwd modifies /etc/passwd, which is not writable by users.
- don't have shell scripts with suid set, especially if the owner is root. Aborting the shell will leave the system in root shell.
- 4 suid, 2 sgid, 1 sticky
- capital S means x is not set
chmod..38 chmod nnnn <filename>
chown/chgrp

Group Management..6-40

newgrp
groupadd
groupdel

/etc/group..6-41

gpasswd..6-42

id..6-44

uid=500(steve) gid=500(steve) groups=500(steve) context=user_u:system_r:unconfined_t

passwd File "good old days"..6-45

Hash string stored in passwd file
@Large book on password cracking

Passwd/shadow..6-46

AIX
- /etc/passwd
- /etc/security/passwd
Free BSD
- /etc/passwd
- /etc/master.passwd
HP-UX
- /etc/passwd
- /etc/files/auth/root
LINUX(RedHat) & Solaris
- /etc/passwd
- /etc/shadow

passwd File..6-47 *

shadow File..6-48 *

useradd..6-49

some flavors - adduser

Enabling Password Aging..6-50

/etc/login.defs
/etc/default/useradd

Account Password Info..6-52

chage -l <user>

Enforce stronger Passwords..6-53

Restricting Use of Previous Passwords..6-54

Locking User Accounts After To Many Login Failures..6-55

Process Status (ps)..6-56

ps -aux |more

Process Status (ps)..6-57

User
PID
%CPU
%mem
vsz
stat
start
time
command

netstat..6-59

Backup with dd..6-61

Module 32: Securing Linux/Unix..6-63

How Unix Systems Boot..6-65

1st stage is MBR
2nd stage

Boot Loader..6-69

lilo
grub

Run Levels..6-70,6-71 *

inittab..6-72

Run condition directory..6-73

rc files and directories
scripts in /etc/init.d
rc directories have links to these scripts

init.d..6-74

solaris 10 uses smf instead of rc

service management..6-75

Patch a Disabled Service?..6-76

service command..6-77

chkconfig..6-78

list services at each run level

How are services started..6-79

at boot time
automatically by inetd/xinetd
cron
command line

Common Services..6-80

File sharing - NFS and samba
Naming - NIS/NIS+, DNS
RPC
internet

Network File System..6-81

UDP port 2049

NFS..6-82.6-83

different machines can have different users with the same UID

Samba..6-84

uses smb to share with Windows clients

DNS Basic..6-85

DNS server check cache first the goes out to root servers

Network Information Service (NIS)..6-86

used to be called Yellow Pages (yp)

Remote Procedure Call..6-88

Remote Procedure Call in action..6-89

Port Mapper..6-90

Other RPC Services..6-91

lockd
statd
automountd
rsh
rcmd and rexd

Inetd/ xinetd..6-92

inetd..6-93

xinetd..6-95

xinetd Key files/Directory..6-96 *

tcpwrappers..6-98

gave a method for access control for services started with inetd

Module 33: Securing Linux/Unix..6-106

Logs and Log Management

showing use of log files for business decisions will validate confidence in logs even for legal matters.

Important Log Files..6-108

WTMP Log..6-109

/var/log/wtmp
logins and logouts
last command pulls from here

UTMP Log..6-110

w, finger and who
updated by login program

utmp "w" output..6-112

Lastlog..6-113

SULOG..6-114

/var/adm/sulog

HTTP Logs..6-116,6-117 *

Messages (SYSLOG)..6-118

Messages..6-119 *

The syslogd..6-120

/etc/syslog.conf

syslog.conf..6-122

Facilities..6-123
Levels..6-124
Actions..6-125

Secure Log..6-126

Example of a Secure Log after a Scan..6-127

FTP Logs..6-128

Maillog..6-132

Module 34: Securing Linux/Unix..6-136

Patch Management

Why Patch..6-138

Be Careful..6-139

Finding Out About Patches..6-140

Using apt..6-141

RPM..6-143

rpm -q <pkgname>
rpm -initdb
rpm -rebuilddb

GUI Tools..6-145

Other O/S..6-146

Module 35: Securing Linux/Unix..6-148

Security Enhancement Utilities

Tripwire..6-150

Tripwire Attribute Tracking..6-151

Tripwire Common Commands..6-152

iptables..6-153

Mangle..6-154

filtering..6-155

nat..6-156

Custom Chains..6-157

rules..6-158,6-159 *

iptables -L (list)..6-160

iptables -L -n

iptables -F (flush)..6-161

Additional Security Options..6-162

Boot Loader Password
ps
Netstat
SELinux
AppArmor