
Protecting Your Website / Network

Onno W. Purbo
onno@indo.net.id
“Information Security is about technology, policy, people and common sense”
Outline
Technical Tips
Security Policies
Knowing Your Friends & Enemies
Outline
Technical Tips
Security Policies
Knowing Your Friends & Enemies
CERT Technical Tips
URL
http://www.cert.org/tech_tips/
Covering
Securing System or Networks
Responding to Incidents
Web Security Issues
Mail Abuse
Understanding Attacks
Securing Network Systematically
Where It All Started …
Choosing a Technology
Choosing a Technology
In-House vs. Outside Tech Support
Do you have the staff (HR) to do it?
Freely-Available vs. Commercial Software
Do you have the staff (HR) to do it?
Understand Your Needs
Availability of source code vs. binaries
Availability of technical expertise (internal and external)
Maintenance and/or customer support
Customer requirements and usability
Cost of software, hardware, and technical support staff
Choosing a Technology
Regardless of the choice you make, you should first carefully review and understand the needs of your organization or customer base in terms of resources, cost, and security risk, as well as any site-specific constraints; compare the available products and services to your needs; and then determine what product best matches your needs.
Network Security Technology Map
Internet Security Aspects
Penetration testing
Certificate Authority / PKI
Vulnerability Testing
Managed Security Services
Penetration Testing
Active Content Monitoring / Filtering.
Intrusion Detection – Host Based.
Firewall.
Intrusion Detection – Network Based.
Authorization.
Air Gap Technology
Network Authentication.
Security Appliances.
Security Services: Penetration Testing.
Authentication.
Certificate Authority / PKI
Certificate Authority.
File & Session Encryption.
VPN & Cryptographic Communications.
Secure Web Servers.
Single Sign On
Web Application Security.
Vulnerability Testing
Vulnerability Scanners – Host Based
Real-Time Security Awareness, Response & Threat Management.
Vulnerability Scanners – Network Based.
Managed Security Services
Enterprise Security Policy Implementation.
Managed Security Services.
Enterprise Security Administration.
Security Services: Policy Development.
Trusted Operating Systems.
Anti-DDoS Tools.
Some Tips
Securing Networks Systematically: the Security Knowledge in Practice (SKiP) Method
General Advice Pertaining to Intrusion Detection
Minimal Steps in a Compromised System
Intruder Detection Checklist
Windows Intruder Detection Checklist
Steps for Recovering from a UNIX or NT System Compromise
SKiP Method
1. Select systems software from a vendor and customize it according to an organization’s needs.
2. Harden and secure the system against known vulnerabilities.
3. Prepare the system so that anomalies may be noticed and analyzed for potential problems.
4. Detect those anomalies and any other system changes that could indicate evidence of an intrusion.
5. Respond to intrusions when they occur.
6. Improve practices and procedures after updating the system.
7. Repeat the SKiP process as long as the organization needs to protect the system and its information assets.
SKiP Method
Customizing Vendor Software
eliminate services that are unneeded and insecurely configured
restrict access to vulnerable files and directories
turn off software “features” that introduce vulnerabilities
mitigate vulnerabilities that intruders can use to break into systems
SKiP Method
Harden and Secure the System
Administrators configure the system to meet organizational security requirements, retaining only those services and features needed to address specific business needs.
Securing a system against known attacks eliminates vulnerabilities and other weaknesses commonly used by intruders.
The practices performed during this step may change over time to address new attacks and vulnerabilities.
SKiP Method
Prepare
Network administrators characterize their system in the Prepare step, so that an administrator knows what to expect in terms of:
changes in files and directories and the operating system
normal processes: when they run, by whom, and what resources they consume
network traffic consumed and produced
hardware inventory on the system
SKiP Method
Detect
Administrators concentrate on detecting signs of anomalous or unexpected behavior, since it may indicate possible intrusions and system compromise.
Administrators also watch for early warning signs of potential intruder actions, such as scanning and network mapping attempts.
SKiP Method
Respond
analyze the damage caused by the intrusion and respond by adding new technology or procedures to combat it
monitor an intruder’s actions in order to discover all access paths and entry points before acting to restrict intruder access
eliminate future intruder access
return the system to a known, operational state while continuing to monitor and analyze
SKiP Method
Improve the System
hold a post-mortem review meeting to discuss lessons learned
update policies and procedures
select new tools
collect data about the resources required to deal with the intrusion and document the damage it caused
General Advice Pertaining to Intrusion Detection
Proactive auditing and monitoring are essential steps in intrusion detection.
It is ineffective to audit altered data or compromised systems: their logs are unreliable.
Establish a baseline for what you consider normal activity for your environment so you can determine unusual events and respond appropriately.
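The Prepare and Detect steps, and the baseline advice above, come down to recording what the system looks like while it is known to be good and comparing against that record later. The shell script below is an added example, not CERT's or the author's code: it builds a file-integrity baseline (hash, mode, owner) of a directory tree and reports files that were added, removed or modified since. The directory and output paths are assumptions; the script relies on `sha256sum` and `stat -c` as found in GNU coreutils and busybox.

```shell
#!/bin/sh
# Added example (not CERT's or the author's code): build a file-integrity
# baseline of a tree during the SKiP "Prepare" step and compare a fresh
# snapshot against it during "Detect". Assumes sha256sum and stat -c
# (GNU coreutils or busybox) and file names without embedded newlines.

# snapshot DIR OUT: write one tab-separated line per regular file under DIR:
#   sha256 <TAB> mode owner <TAB> path
# Keep OUT on write-once or off-host storage: a baseline stored on the
# monitored host can be rewritten by whoever rewrote the binaries.
snapshot() {
    find "$1" -xdev -type f -print | LC_ALL=C sort | while IFS= read -r f; do
        printf '%s\t%s\t%s\n' "$(sha256sum < "$f" | cut -d' ' -f1)" \
            "$(stat -c '%a %U' "$f")" "$f"
    done > "$2"
}

# compare BASELINE CURRENT: print one line per difference, tagged ADDED,
# REMOVED or MODIFIED (a changed hash, mode or owner). Prints nothing when
# the two snapshots agree.
compare() {
    awk -F'\t' '
        # first file only (NR == FNR alone misfires when the baseline is empty)
        NR == FNR && FILENAME == ARGV[1] { base[$3] = $1 FS $2; next }
        {
            seen[$3] = 1
            if (!($3 in base))              print "ADDED\t" $3
            else if (base[$3] != $1 FS $2)  print "MODIFIED\t" $3
        }
        END { for (p in base) if (!(p in seen)) print "REMOVED\t" p }
    ' "$1" "$2"
}

# check BASELINE CURRENT: same report as compare, but returns 1 when anything
# changed, so a cron job can turn the result into an alert.
check() {
    out=$(compare "$1" "$2")
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# Usage, run as root (ideally from a boot medium against a read-only mount):
#   snapshot /usr /var/lib/baseline/usr.tsv                # Prepare
#   snapshot /usr /tmp/usr.now.tsv                         # Detect
#   check /var/lib/baseline/usr.tsv /tmp/usr.now.tsv || mail -s "usr changed" root
```

The baseline is only worth what its storage is worth: if it lives on the same disk as the binaries it describes, an intruder who replaces `/bin/ls` can re-run the snapshot and the comparison will stay quiet, which is the same reason the slide says logs on a compromised system are unreliable.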
Minimal Steps in a Compromised System
Document every step that you perform in detail.
Perform a sector-by-sector backup of the hard disk drive.
If your organization intends to take legal action in connection with intrusions, then consult with your legal department before performing any step.
Intruder Detection Checklist
Examine log files
Look for setuid and setgid Files
Check system binaries
Check for packet sniffers
Examine files run by 'cron' and 'at'.
Check for unauthorized services
Examine /etc/passwd file
Check system and network configuration
Look everywhere for unusual or hidden files
Examine all machines on the local network
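Several of these checklist items can be carried out with small shell functions that inspect a read-only mount of the suspect disk rather than the running (and possibly trojaned) system. The script below is an added example, not CERT's or the author's code; the mount point, file locations and sample inputs are assumptions. Checking the system binaries themselves is a hash comparison against a known-good baseline and is not repeated here.

```shell
#!/bin/sh
# Added example (not CERT's or the author's code): shell versions of items
# from the UNIX intruder detection checklist. Each function takes the file or
# tree to inspect as an argument, so it can be pointed at a read-only mount of
# the suspect disk (an assumed mount point such as /mnt/suspect) instead of
# trusting the live system's find, ls and awk, which may have been replaced.

# Item: look for setuid and setgid files. An intruder's "root shell" is
# usually a setuid copy of /bin/sh left somewhere unusual.
find_setuid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -exec ls -l {} + 2>/dev/null
}

# Item: examine /etc/passwd. Reports any UID 0 account other than root and
# any account whose password field is empty (login without a password).
check_passwd() {
    awk -F: '
        $3 == 0 && $1 != "root" { print "extra uid 0 account: " $1 }
        $2 == ""                { print "empty password field: " $1 }
    ' "$1"
}

# Item: check for packet sniffers. A sniffer puts an interface into
# promiscuous mode, which Linux shows in the flags of `ip -o link show`.
# Pass a saved copy of that output, or no argument to inspect the live host.
check_promisc() {
    if [ $# -gt 0 ]; then cat "$1"; else ip -o link show; fi |
        awk '/PROMISC/ { sub(/:$/, "", $2); print "promiscuous interface: " $2 }'
}

# Item: examine files run by cron and at. Prints every non-comment line of
# the system and per-user crontabs (and the at spool) under ROOT, with its file.
list_cron() {
    for f in "$1"/etc/crontab "$1"/etc/cron.d/* \
             "$1"/var/spool/cron/* "$1"/var/spool/cron/crontabs/* \
             "$1"/var/spool/cron/atjobs/* "$1"/var/spool/at/*; do
        [ -f "$f" ] || continue
        grep -Ev '^[[:space:]]*(#|$)' "$f" | sed "s|^|$f: |"
    done
    return 0
}

# Item: look everywhere for unusual or hidden files. Dot-files are normal in
# home directories; names made of dots and spaces (". ", "...", "..foo") and
# dot-directories under /tmp or /dev are the classic toolkit stash.
find_hidden() {
    find "$1" -xdev -name '.[ .]*' 2>/dev/null
    for d in "$1"/tmp "$1"/dev; do
        if [ -d "$d" ]; then find "$d" -xdev -type d -name '.*' 2>/dev/null; fi
    done
}

# Item: check for unauthorized services. Listening TCP/UDP sockets with the
# owning process, to compare with what the Prepare step recorded. Pass a
# saved copy of `ss -ltnup` output, or no argument to run it live (as root).
list_listeners() {
    if [ $# -gt 0 ]; then cat "$1"; else ss -ltnup; fi |
        awk 'NR > 1 { print $1, $5, $NF }'
}
```

Run the functions from a clean boot medium with the suspect disk mounted read-only (for example `find_setuid /mnt/suspect`); the two network checks are the exception, since promiscuous flags and listening sockets only exist on the running system, which is why saved output from the live host is accepted as input.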
Windows Intruder Detection Checklist
Look for Signs of System Compromise
Rootkits
Examine Log Files
Check for Odd User Accounts and Groups
Check All Groups for Unexpected User Membership
Look for Unauthorized User Rights
Check for Unauthorized Applications Starting Automatically
Check Your System Binaries for Alterations
Windows Intruder Detection Checklist
Look for Signs of System Compromise
Check Your Network Configurations for Unauthorized Entries
Check for Unauthorized Shares
Check for Any Jobs Scheduled to Run
Check for Unauthorized Processes
Look Throughout the System for Unusual or Hidden Files
Check for Altered Permissions on Files or Registry Keys
Windows Intruder Detection Checklist
Look for Signs of System Compromise
Check for Changes in User or Computer Policies
Ensure the System has not been Joined to a Different Domain
Audit for Intrusion Detection
Audit for Intrusion Detection
Windows Intruder Detection Checklist
Consider Running Intrusion Detection Systems
Freeware/shareware Intrusion Detection Systems
Commercial Intrusion Detection Systems
Windows Intruder Detection Checklist
Review CERT Documents
Steps for Recovering from a Windows NT Compromise
Windows NT Configuration Guidelines
NIST Checklists
Recovering from Compromise
Before you get started
Regain control
Analyze the intrusion
Contact the relevant CSIRT for Incident Reporting
Recover from the intrusion
Improve the security of your system and network
Reconnect to the Internet
Update your security policy
Recovering from Compromise
A. Before you get started
Consult your security policy
If you do not have a security policy
Consult with management
Consult with your legal counsel
Contact law enforcement agencies
Notify others within your organization
Document all of the steps you take in recovering
Recovering from Compromise
B. Regain control
Disconnect compromised system(s) from the network
Copy an image of the compromised system(s)
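Both the "minimal steps" slide (document every step, sector-by-sector backup) and this regain-control step call for an image of the compromised disk that can later be shown to be a faithful copy. The script below is an added example, not CERT's or the author's procedure: it images a device sector by sector, hashes the data as it is read and again from the finished image, and writes each action to an append-only evidence log. The device path, output directory and file names are assumptions.

```shell
#!/bin/sh
# Added example (not CERT's or the author's procedure): take a sector-by-sector
# image of a disk, hash the data as it is read and again from the finished
# image, and record each action in an append-only evidence log. Device path,
# output directory and file names are assumptions of this example.

# log_step LOG MESSAGE: one timestamped line per action, with who ran it and
# on which host. This is the "document every step" record.
log_step() {
    printf '%s %s@%s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" \
        "$(id -un)" "$(uname -n)" "$2" >> "$1"
}

# image_device DEVICE OUTDIR: copy DEVICE into OUTDIR/image.dd one 512-byte
# sector at a time. conv=noerror keeps reading past a bad sector instead of
# aborting, and conv=sync pads that sector with zeros so offsets in the image
# still match the device. The hash of the data stream is taken in the same
# pass (tee), then the written file is hashed again to confirm the copy.
# Prints the image path; returns 1 if the two hashes disagree.
image_device() {
    dev=$1; outdir=$2
    img=$outdir/image.dd; log=$outdir/evidence.log
    mkdir -p "$outdir"
    log_step "$log" "start imaging $dev -> $img (dd bs=512 conv=noerror,sync)"
    src_hash=$(dd if="$dev" bs=512 conv=noerror,sync 2>>"$log" |
               tee "$img" | sha256sum | cut -d' ' -f1)
    img_hash=$(sha256sum < "$img" | cut -d' ' -f1)
    log_step "$log" "sha256 stream=$src_hash image=$img_hash"
    if [ "$src_hash" = "$img_hash" ]; then
        log_step "$log" "image verified"
    else
        log_step "$log" "HASH MISMATCH, image not trustworthy"
    fi
    printf '%s\n' "$img"
    [ "$src_hash" = "$img_hash" ]
}

# Usage, from a boot medium or with the disk attached through a write
# blocker, never while the suspect system is running from it:
#   image_device /dev/sdb /mnt/evidence/case-0001
# Analyse the copy, not the original:
#   mount -o ro,loop,noexec,nosuid /mnt/evidence/case-0001/image.dd /mnt/suspect
```

bs=512 is slow on a large disk; a larger block size is fine as long as the device size is a multiple of it, because conv=sync pads the final short block and the image would otherwise no longer match the device byte for byte. dd's own "records in / records out" lines go into the same log, so a count mismatch (bad sectors that were zero-filled) is recorded next to the hashes.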
Recovering from Compromise
C. Analyze the intrusion
Look for modifications made to system software and configuration files
Look for modifications to data
Look for tools and data left behind by the intruder
Review log files
Look for signs of a network sniffer
Check other systems on your network
Check for systems involved or affected at remote sites
Recovering from Compromise
D. Contact the relevant CSIRT and other sites involved
Incident Reporting
Contact the CERT Coordination Center
Obtain contact information for other sites involved
Recovering from Compromise
E. Recover from the intrusion
Install a clean version of your operating system
Disable unnecessary services
Install all vendor security patches
Consult CERT advisories, external security bulletins and vendor-initiated bulletins
Use data from backups with caution (they may already contain the intruder's changes)
Change passwords
Recovering from Compromise
F. Improve the security of your system and network
Review security using the UNIX or NT configuration guidelines document
Install security tools
Enable maximal logging
Configure firewalls to defend networks
Recovering from Compromise
G. Reconnect to the Internet
H. Update your security policy
Document lessons learned from being compromised
Calculate the cost of this incident
Incorporate necessary changes (if any) in your security policy
Outline
Technical Tips
Security Policies
Knowing Your Friends & Enemies
Security Policies
URL
http://www.sans.org/resources/policies/
http://www.sans.org/resources/policies/Policy_Primer.pdf
Template For
Wireless Communication Policy
Server Security Policy
Anti-Virus Process
Extranet Policy
A Security Policy Framework
Policies define appropriate behavior.
Policies set the stage in terms of what tools and
procedures are needed.
Policies communicate a consensus.
Policies provide a foundation for HR action in
response to inappropriate behavior.
Policies may help prosecute cases.

Ref: Michele D. Guel, The SANS Policy Primer.


Policy Outline
Purpose
Scope
Guidelines
Policy
Ownership Responsibilities
Scenarios & Business Impact
Prohibited Use
Network Control
Scanning period
Monitoring
Enforcement
Definitions
Outline
Technical Tips
Security Policies
Knowing Your Friends & Enemies
Type of Communities
IT Policy & Politics
telematika@yahoogroups.com
IT Network Administrators
indowli@yahoogroups.com
asosiasi-warnet@yahoogroups.com
Programmer (Formal & White Collar)
delphindo@yahoogroups.com
Hacker & Virus
jasakom-perjuangan@yahoogroups.com
newbie-hacker@yahoogroups.com
IT Policy & Politics
Name Members
genetika 2205
telematika 1750
mastel-anggota 337
IT Network Administrators
Name Members
asosiasi-warnet 6241
Ilmukomputer-networking 5636
It-center 4889
indowli 4766
Programmer
Name Members
Ilmukomputer-programming 5226
Indoprog-vb 5215
delphindo 2844
jug-indonesia 1783
csharp-indo 699
Hacker & Virus
Name Members
jasakom-perjuangan 12278
newbie-hacker 5636
majalahneotek 5633
vaksin 3388
yogyafree 2251
indocrack 1175
bandunghack 1046
[Figure: map of the Indonesian mailing-list communities by type. IT Politics & Policy: telematika. Programmer: csharp-indo, jug-indonesia, indoprog-vb, ilmukomputer-programming, delphindo. Hacker Communities: bandunghack, indocrack, yogyafree, jasakom-perjuangan.]
Excellence References
http://www.sans.org
http://www.cert.org
Extreme References
http://www.remote-exploit.org
http://packetstormsecurity.org
© 2006 Microsoft Corporation. All rights reserved.
This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.
