Security Tools and Technologies
Source: rowdysites.msudenver.edu/~fustos/cis3500/pdf/chapter07.pdf
Mar 15, 2020
Uploaded by dariahiddleston

Transcript

CIS 3500

Security Tools and Technologies

Chapter #7: Technologies and Tools

Chapter Objectives
• Understand how to use appropriate software tools to assess the security posture of an organization
• Given a scenario, analyze and interpret output from security technologies

Protocol Analyzer
• A protocol analyzer is a tool (hardware or software) that captures network traffic and decodes it protocol by protocol
• The capture interface must support promiscuous mode; otherwise the NIC discards frames that are not addressed to it and you only see your own host's traffic
• From a security perspective, protocol analyzers are very useful and effective tools: they show exactly what is on the wire, including cleartext credentials and protocols nobody knew were in use
• Most organizations have multiple points in the network where traffic can be sniffed; the same points are available to an attacker who gains a foothold on a host there

Switched Port Analyzer
• Switched Port Analyzer (SPAN), also called port mirroring or port monitoring, is a special setup on a switch
• A SPAN session copies the traffic passing through one or more ports, or one or more VLANs, and forwards the copies to a port designated for traffic capture and analysis
• Capacity planning for traffic: the mirror port has the same bandwidth as any other port, while a single full-duplex source port can generate twice that (both directions), so mirroring several busy ports or a whole VLAN oversubscribes it and the switch silently drops the excess; a capture taken from an oversubscribed SPAN port is incomplete, which matters when it is used as evidence


Network Scanners
• A network scanner is a tool that probes a network or its systems for live machines and open ports
• Network scanners work on any IP network because they operate by attempting network connections and observing the responses
• Search for "live" hosts
• Search for any open ports
• Search for specific ports
• Identify services on ports
• Look for TCP/UDP services

Network Scanners
• When you find open services, you need to determine whether those services should be running at all
• Network scanning activity can trigger an incident response when detected, so notify the sysadmins/security team before scanning
• Port states reported by a scanner:
  • Open - the port accepts connections (for TCP, the target answers the SYN with SYN/ACK)
  • Closed - the scanned target returns an RST packet; the host is up but nothing is listening there
  • Filtered - the probe gets no answer, or an ICMP unreachable error comes back, usually because a firewall dropped it
  • Additional types reported by some tools - dropped, blocked, denied, timeout; these are all variations on filtered
• A UDP scan is less certain: an open UDP port usually stays silent, so "no response" may mean either open or filtered
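The port states above, as an added example that is not part of the slides: a TCP connect scanner that classifies each port as open, closed or filtered from the operating system's response, and then compares the result with the list of ports the host is supposed to expose (the "should this be running at all?" question). To run offline it opens its own listening socket on 127.0.0.1 as the open target and picks an unbound loopback port as the closed target; both targets are constructed for the demo, not real systems.

```python
# Added example, not from the slides: a TCP connect scanner that classifies
# ports the way the slide describes.  To run offline it opens its own
# listening socket on 127.0.0.1 as the "open" target and picks an unbound
# loopback port as the "closed" target; both are constructed for the demo.
import socket
from contextlib import closing


def scan_port(host, port, timeout=1.0):
    """Return 'open', 'closed' or 'filtered' for one TCP port.

    open     - the handshake completes (target answered SYN with SYN/ACK)
    closed   - the target answered with RST; the OS reports it as
               ConnectionRefusedError
    filtered - nothing came back before the timeout, or the stack reported
               an ICMP unreachable (EHOSTUNREACH/ENETUNREACH); a firewall
               that silently drops the probe looks exactly like a timeout
    """
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"
        except ConnectionRefusedError:
            return "closed"
        except (socket.timeout, OSError):
            return "filtered"


def scan(host, ports, timeout=1.0):
    """Scan several ports and return {port: state}."""
    return {p: scan_port(host, p, timeout) for p in ports}


def services_needing_review(results, expected_open):
    """Compare scan results with the ports this host is supposed to expose.
    Anything open that is not expected is the 'should this be running at
    all?' question from the slide; anything expected but not open is an
    outage or a firewall problem."""
    unexpected = sorted(p for p, st in results.items() if st == "open" and p not in expected_open)
    missing = sorted(p for p in expected_open if results.get(p) != "open")
    return {"unexpected_open": unexpected, "expected_but_not_open": missing}


def start_demo_listener():
    """Constructed 'open' target.  A listening socket completes the TCP
    handshake in the kernel even if nobody calls accept(), so no thread is
    needed.  Returns (socket, port); keep the socket referenced so it stays
    open."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


def find_unbound_port():
    """Constructed 'closed' target: bind an ephemeral port and release it
    again, so nothing is listening there when the scan arrives."""
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    srv, open_port = start_demo_listener()
    closed_port = find_unbound_port()
    results = scan("127.0.0.1", [open_port, closed_port])
    for port, state in results.items():
        print(f"127.0.0.1:{port}\t{state}")
    print(services_needing_review(results, expected_open={closed_port}))
    srv.close()
```

A connect scan completes the handshake, so it shows up in the target's application logs; that is why an unannounced scan can start an incident response, as the slide warns. The filtered state is deliberately ambiguous: the code cannot distinguish a firewall drop from a dead host, and neither can any scanner.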

Rogue System Detection
• Rogue systems are unauthorized systems that fall outside the enterprise operations umbrella (no patching, no monitoring, no hardening), adding risk to the environment
• You have to know the authorized software and hardware in your environment; rogue detection is a comparison against that inventory, so an incomplete inventory produces either noise or blind spots
• You should do rogue system detection
  • active: scan the network and flag any device that is not in the inventory
  • passive: examine captured packets (ARP, DHCP, broadcasts) to see whether anyone is communicating who is not authorized; this also catches devices that a scan misses because they are firewalled or only briefly connected

Network Mapping
• Network mapping tools are network scanners used for a different purpose
• They create network diagrams of how machines are connected
• Network mapping tools identify the nodes of a network and characterize them as to OS, purpose, running services, etc.
• Also great for inventory: a map taken today compared with one from last month shows what appeared, disappeared or changed


Wireless Scanners/Cracker
• You can use wireless scanners/crackers to perform network analysis of the wireless side of your networks
• Who is connecting to them?
• What are they accessing?
• Is everything in conformance with your security plan?
• There are a wide variety of wireless scanners that can assist in developing this form of monitoring

KisMAC (macOS wireless scanner shown on the slide; image not reproduced in the transcript)

Password Cracker
• Password crackers are used by attackers to find weak passwords
• Sysadmins should also run them against their own password hashes, to find weak passwords before an attacker does; only against accounts you are authorized to test
• Password crackers work using dictionary lists (common words plus mangling rules such as capitalizing or appending digits) and brute force (every combination up to some length)
• What decides whether a hash falls is the password's guessability and the cost of the hash function: an unsalted fast hash lets a cracker test millions of guesses per second and reuse work across accounts, while a salted, iterated hash makes every guess expensive
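How a cracker works, as an added example that is not part of the slides: a dictionary attack with simple mangling rules and a brute-force search, run against a constructed "shadow" table whose three accounts use an unsalted hash, a salted hash and an iterated (PBKDF2) hash. The same attack recovers all three weak passwords; the difference is cost per guess, which the iterated scheme raises by a factor of 100,000. Users, salts, passwords and the wordlist are all made up for the demo.

```python
# Added example, not from the slides: a dictionary attack with simple
# mangling rules, and a brute-force search, run against a constructed
# "shadow" table.  It also shows why the hash scheme matters: the same
# attack succeeds against all three schemes, but the iterated one costs
# roughly 100,000 times more per guess.  Users, salts, passwords and the
# wordlist are all made up for the demo.
import hashlib
import hmac
import itertools
import string


def unsalted(pw: bytes, salt: bytes) -> str:
    """Plain SHA-256; salt ignored.  Equal passwords give equal hashes, so
    one cracked hash (or a precomputed table) cracks every user sharing it."""
    return hashlib.sha256(pw).hexdigest()


def salted(pw: bytes, salt: bytes) -> str:
    """Salted SHA-256: precomputed tables are useless, but each guess is
    still one fast hash."""
    return hashlib.sha256(salt + pw).hexdigest()


def slow(pw: bytes, salt: bytes) -> str:
    """PBKDF2-HMAC-SHA256 with 100k iterations: every guess costs 100k
    hashes, for the attacker as much as for the login server."""
    return hashlib.pbkdf2_hmac("sha256", pw, salt, 100_000).hex()


# Mangling rules a cracker applies to every dictionary word.
RULES = [
    lambda w: w,
    str.capitalize,
    lambda w: w + "1",
    lambda w: w + "123",
    lambda w: w.capitalize() + "1",
    lambda w: w.capitalize() + "!",
]


def dictionary_attack(target, salt, scheme, wordlist):
    """Return (password, guesses) if some mangled word hashes to target,
    else (None, guesses)."""
    guesses = 0
    for word in wordlist:
        for rule in RULES:
            cand = rule(word)
            guesses += 1
            if hmac.compare_digest(scheme(cand.encode(), salt), target):
                return cand, guesses
    return None, guesses


def brute_force(target, salt, scheme, alphabet=string.ascii_lowercase, max_len=4):
    """Exhaustive search of all strings up to max_len; the keyspace grows as
    len(alphabet) ** length, which is why length beats complexity."""
    guesses = 0
    for length in range(1, max_len + 1):
        for chars in itertools.product(alphabet, repeat=length):
            cand = "".join(chars)
            guesses += 1
            if hmac.compare_digest(scheme(cand.encode(), salt), target):
                return cand, guesses
    return None, guesses


# Constructed shadow table: (user, scheme, salt, stored hash).
DEMO_SHADOW = [
    ("alice", unsalted, b"", unsalted(b"Password1", b"")),
    ("bob", salted, b"s4lt", salted(b"dragon123", b"s4lt")),
    ("carol", slow, b"p3pp3r", slow(b"Welcome!", b"p3pp3r")),
]
WORDLIST = ["welcome", "password", "dragon", "monkey"]


def crack_shadow(shadow=DEMO_SHADOW, wordlist=WORDLIST):
    """Run the dictionary attack over every account; {user: password or None}."""
    return {user: dictionary_attack(h, salt, scheme, wordlist)[0]
            for user, scheme, salt, h in shadow}


if __name__ == "__main__":
    for user, pw in crack_shadow().items():
        print(f"{user}: {pw!r}")
    print(brute_force(salted(b"abc", b"x"), b"x", salted, max_len=3))
```

Run it and compare wall-clock time for carol against the other two: the slow scheme is where a password policy and a cracking budget actually meet. The takeaway for the sysadmin check on the slide is that a cracked hash from a four-word list with six rules is a finding about the password, while a list of thousands of words failing against a PBKDF2 hash says little either way.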

Vulnerability Scanner
• A vulnerability scanner is a program designed to probe a system for weaknesses: misconfigurations, missing patches, old versions of software, default credentials, etc.
• Three main categories of vulnerability scanners: network, host, and application
• Findings need validation: a scanner that matches on a version banner will report vulnerabilities that a backported patch has already fixed


Configuration Compliance Scanner
• Automate configuration checks
• SCAP (Security Content Automation Protocol) is a NIST-maintained set of specifications for expressing security configuration checks and automating their validation (for example XCCDF for checklists and OVAL for the tests they run)
• There is a wide variety of configuration compliance scanners
• These tools require a baseline set of defined configurations; the tools then report deviations from the baseline and track changes over time

Exploitation Frameworks
• Exploitation frameworks assist attackers with exploiting vulnerabilities in a system
• The most commonly used framework is Metasploit, a set of "tools" (exploit modules, payloads, auxiliary scanners) designed to assist a penetration tester
• These frameworks can be used by security personnel as well, specifically to test the exploitability of a system based on existing vulnerabilities and the security controls in place; a vulnerability scanner says a weakness may exist, an exploitation framework shows whether it can actually be used

Data Sanitization Tools
• Data sanitization tools are used to destroy, purge, or otherwise identify for destruction specific types of data
• Before a system can be retired and disposed of, you need to sanitize the data
• Use self-encrypting disks and destroy the keys (cryptographic erase): without the key the ciphertext on the platters or flash is unrecoverable, which is faster than overwriting and also works for SSDs, where overwriting cannot reach every block
• Identify the sensitive data and deal with it specifically
• It is not the tool that provides the true value, but rather the processes and procedures that ensure the work is done, done correctly, and verified and documented

Steganography Tools
• Steganography is the science of hidden writing, or more specifically the hiding of messages inside other content
• Digital images, videos and audio files have excess coding capacity in the stream (bits the viewer or listener cannot perceive), so it is possible to embed additional content in the file
• If this content is invisible to the typical user, then it is considered to be steganography
• The same techniques are used to add visible (or invisible) watermarks to files
• Unlike encryption, steganography hides the existence of the message rather than its content, so in practice the payload is encrypted first; from a defender's side it is a data exfiltration channel that content pattern matching will not see
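The "excess coding capacity" idea in working form, as an added example that is not part of the slides: least-significant-bit embedding in an 8-bit grayscale image buffer. Each pixel's lowest bit carries one message bit, so no pixel changes by more than 1 out of 255. The cover image is a constructed bytearray of pixel values (no image library needed; on a real file you would apply the same functions to its decoded pixel bytes), and the message is made up for the demo. A small LSB-ratio check at the end shows the simplest steganalysis cue.

```python
# Added example, not from the slides: least-significant-bit steganography on
# a raw 8-bit grayscale image buffer.  The "cover image" is a constructed
# bytearray of pixel values, so no image library is needed; on a real file
# you would run the same functions over its decoded pixel bytes.  The
# message is made up for the demo.

HEADER_BITS = 32  # 4-byte big-endian length prefix so extract() knows where to stop


def _bits(data: bytes):
    """Yield the bits of data, most significant bit of each byte first."""
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def embed(pixels: bytes, message: bytes) -> bytearray:
    """Hide message in the low bit of successive pixels.  Each pixel changes
    by at most 1 out of 255, which the eye cannot see."""
    payload = len(message).to_bytes(4, "big") + message
    if len(payload) * 8 > len(pixels):
        raise ValueError(f"cover too small: need {len(payload) * 8} pixels, have {len(pixels)}")
    out = bytearray(pixels)
    for idx, bit in enumerate(_bits(payload)):
        out[idx] = (out[idx] & 0xFE) | bit
    return out


def extract(pixels: bytes) -> bytes:
    """Read the length prefix, then that many bytes, from the pixel LSBs."""
    def read_int(start: int, n_bits: int) -> int:
        value = 0
        for i in range(n_bits):
            value = (value << 1) | (pixels[start + i] & 1)
        return value

    length = read_int(0, HEADER_BITS)
    if HEADER_BITS + 8 * length > len(pixels):
        raise ValueError("length prefix exceeds cover size; no embedded message")
    return bytes(read_int(HEADER_BITS + 8 * k, 8) for k in range(length))


def max_pixel_change(a: bytes, b: bytes) -> int:
    """How far any pixel moved; LSB embedding never exceeds 1."""
    return max(abs(x - y) for x, y in zip(a, b))


def lsb_ones_ratio(pixels: bytes, count: int) -> float:
    """Fraction of set low bits in the first `count` pixels.  A smooth or
    quantized cover has a skewed ratio; an embedded payload pushes the
    region it occupies toward 0.5, which is the simplest steganalysis cue."""
    region = pixels[:count]
    return sum(p & 1 for p in region) / len(region)


def demo_cover(size: int = 2048) -> bytearray:
    """Constructed cover: a repeating gradient quantized to even values, so
    every LSB is 0 before embedding."""
    return bytearray(((i * 7) % 256) & 0xFE for i in range(size))


if __name__ == "__main__":
    cover = demo_cover()
    stego = embed(cover, b"meet at dawn")
    print(extract(stego))
    print("max pixel change:", max_pixel_change(cover, stego))
    print("LSB ones ratio, first 128 px: cover %.2f stego %.2f"
          % (lsb_ones_ratio(cover, 128), lsb_ones_ratio(stego, 128)))
```

Two things the code makes concrete: capacity is one bit per pixel, so a 2048-pixel cover carries at most 252 message bytes after the length header; and the cover's own statistics are what give the payload away, which is why real tools spread the bits pseudo-randomly and encrypt the payload first so the LSB plane looks like noise either way.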


Honeypot
• A honeypot is a server designed to act like a real server on a corporate network, but with no production role
• Honeypots serve as attractive targets to attackers; since no legitimate user has a reason to touch them, any traffic to them can be assumed to be malicious (or at least a misconfiguration worth a look), which makes them a very low false positive detector
• A honeynet is a network designed to look like a corporate network
• A honeynet is a collection of honeypots
• Extensive logging so we can learn from it; the honeypot itself must be isolated so a compromised one cannot be used as a pivot into real systems

Backup Utilities
• Backup utilities are one of the most important tools
• Backing up a single system isn't that hard
• Backing up an enterprise full of servers and workstations is a completely different problem:
  • segregating data
  • scale, and
  • management of the actual backup files
• Critical security task: a backup is the recovery path from ransomware and destructive attacks, so it has to be tested by restoring, and kept where an attacker with admin rights on the source cannot delete or encrypt it

Banner Grabbing
• Banner grabbing is a technique used to gather information from a service that publicizes information via a banner
  • identify services by type
  • version
  • warnings
• Attackers can use banners to determine what services and versions are running, and typically do for common banner-issuing services such as HTTP, FTP, SMTP, and Telnet
• Banners can be changed or removed in the service configuration, but that only raises the attacker's cost slightly; patching the service is what removes the exposure
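Banner grabbing end to end, as an added example that is not part of the slides: connect to a port, read what the service volunteers (sending a request first for HTTP, which says nothing until asked), and parse service type and version out of the text. A constructed fake SMTP server on 127.0.0.1 stands in for the target so the demo runs offline; every banner string, hostname and product string here is made up or only illustrative.

```python
# Added example, not from the slides: grab a banner from a TCP service and
# parse the service type and version out of it.  A constructed fake SMTP
# server on 127.0.0.1 stands in for the target so the demo runs offline;
# every banner string here is made up (product names are only illustrative).
import re
import socket
import threading


def grab_banner(host, port, probe=b"", timeout=2.0):
    """Connect, optionally send a probe (HTTP servers say nothing until
    asked), and return whatever the service volunteers first."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        if probe:
            s.sendall(probe)
        try:
            return s.recv(1024).decode("utf-8", "replace")
        except socket.timeout:
            return ""  # silent service: nothing to grab, try a protocol probe


def parse_banner(banner: str) -> dict:
    """Classify a banner and pull out the product/version string."""
    first = banner.splitlines()[0].strip() if banner.strip() else ""
    m = re.match(r"SSH-(?P<proto>[\d.]+)-(?P<product>\S+)", first)
    if m:
        return {"service": "ssh", "proto": m["proto"], "product": m["product"]}
    m = re.match(r"220[ -](?P<host>\S+)\s+(?P<product>.*\bE?SMTP\b.*)", first)
    if m:
        return {"service": "smtp", "host": m["host"], "product": m["product"].strip()}
    m = re.match(r"220[ -](?P<product>.*)", first)
    if m and "ftp" in first.lower():
        return {"service": "ftp", "product": m["product"].strip()}
    m = re.search(r"^Server:\s*(?P<product>.+?)\s*$", banner, re.M)
    if m:
        return {"service": "http", "product": m["product"]}
    return {"service": "unknown", "product": first}


HTTP_PROBE = b"HEAD / HTTP/1.0\r\nHost: localhost\r\n\r\n"


def start_fake_smtp(banner=b"220 mail.example.test ESMTP Postfix (Ubuntu)\r\n"):
    """Constructed target: accepts connections and sends the banner."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    port = start_fake_smtp()
    banner = grab_banner("127.0.0.1", port)
    print(repr(banner), "->", parse_banner(banner))
    for sample in ("SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.4\r\n",
                   "220 (vsFTPd 3.0.3)\r\n",
                   "HTTP/1.1 200 OK\r\nServer: nginx/1.18.0\r\n\r\n"):
        print(parse_banner(sample))
```

Note that the parsed "product" is whatever the service claims, which is exactly why a version banner is weak evidence in both directions: an admin can rewrite it, and a distribution can patch the binary without changing it.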

Passive vs. Active
• Passive tools are those that do not send anything to the target system; they only listen
  • Wireshark can map operating systems by analyzing captured TCP/IP traces (initial TTL, window size, option ordering and similar fingerprints) without the target ever seeing a probe
• Active tools interact with a target system in a fashion where their use can be detected
  • Nmap sends packets to the target, and that activity can be detected and logged
• When choosing, attackers weigh stealth against time: passive collection is undetectable but only sees traffic that happens to pass by, while an active scan is fast and complete but noisy


Command-Line Tools
• These are built into the operating system itself, or are common programs that system administrators and security professionals use on a regular basis

ping
• The ping command sends ICMP echo requests to a designated machine to determine if communication is possible
• The syntax is ping [options] targetname/address
• The options include items such as name resolution, how many pings to send, data size, TTL counts, and more
• Many sysadmins disable it or filter ICMP echo at the firewall, since answering gives away which hosts are live; a host that does not answer ping is therefore not necessarily down, and a scanner should not rely on ping alone for host discovery

netstat
• netstat -a - all sockets, listening and connected
• netstat -at - all TCP sockets
• netstat -au - all UDP sockets
• netstat -an - all sockets, with addresses and ports shown numerically
• netstat -l - only listening sockets
• netstat -ln - listening sockets, without resolving names (faster, and generates no DNS traffic)
• netstat -lp - listening sockets with the owning program and PID (Linux; run as root to see other users' processes)
• An unexpected listening port here is the host-side view of what a network scanner would find from outside

tracert
• The tracert command is a Windows command for tracing the route that packets take over the network
• Lists the routers (layer 3 hops) in the order that a packet passes through them; switches operate at layer 2 and do not appear
• It works by sending probes with increasing TTL values and reading the ICMP "time exceeded" replies that each hop sends back; Windows tracert uses ICMP echo requests as probes, so a hop that blocks ICMP shows up as a row of asterisks rather than a name
• On Linux and macOS systems, the command with similar functionality is traceroute, which uses UDP probes by default (ICMP with -I, and on Linux TCP with -T)


nslookup/dig
• The nslookup command (Windows, also available on Linux/macOS) can be used to examine a DNS query; dig is the Linux/macOS equivalent and shows the full response, including record TTLs and flags
• A nonauthoritative answer typically means the result came from a resolver's cache, as opposed to from a server that is authoritative for the zone
• To check what the authoritative server actually says (for example when you suspect cache poisoning), query it directly: nslookup name ns1.example.com, or dig @ns1.example.com name

arp
• The arp command interfaces with the operating system's Address Resolution Protocol (ARP) cache
• A device sometimes needs to know where to send a packet using the MAC or layer 2 address; ARP maps an IP address on the local segment to that MAC address
• Four basic message types:
  • ARP request "Who has this IP address?"
  • ARP reply "I have that IP address; my MAC address is…"
  • Reverse ARP (RARP) request "Who has this MAC address?"
  • RARP reply "I have that MAC address; my IP address is…" (RARP is obsolete, replaced by DHCP)
• ARP has no authentication: any host on the segment can answer a request or send unsolicited replies, and caches accept them; that is how ARP spoofing puts an attacker in the middle of local traffic, and why the cache is worth inspecting for a MAC that suddenly answers for the gateway, or one MAC answering for several IPs
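An ARP-cache audit, as an added example that is not part of the slides, serving both the Rogue System Detection slide (a MAC that is not in the hardware inventory) and this one (a MAC that is not the gateway's answering for the gateway's IP, or one MAC claiming several IPs, both ARP spoofing indicators). The arp -a output and the inventory are constructed for the demo; on a real host you would feed it the output of arp -a (Linux/macOS format shown) or ip neigh.

```python
# Added example, not from the slides: audit an ARP cache against the hardware
# inventory, serving both the rogue system detection slide (unknown MACs) and
# this one (a MAC answering for the gateway's IP, or one MAC claiming several
# IPs, as ARP spoofing indicators).  The `arp -a` output and the inventory are
# constructed for the demo; on a real host feed it the output of `arp -a`
# (Linux/macOS format shown) or `ip neigh`.
import re
from collections import defaultdict

ARP_LINE = re.compile(
    r"\((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\) at (?P<mac>(?:[0-9a-fA-F]{2}[:-]){5}[0-9a-fA-F]{2})"
)


def norm_mac(mac: str) -> str:
    return mac.lower().replace("-", ":")


def parse_arp(text: str):
    """Return [(ip, mac), ...] from `arp -a` style output; incomplete
    entries (no MAC yet) carry no 'at xx:xx..' and are skipped."""
    return [(m["ip"], norm_mac(m["mac"])) for m in ARP_LINE.finditer(text)]


def audit_arp(entries, inventory):
    """inventory: {mac: (name, expected_ip or None)}.  Returns a list of
    (kind, ip, mac, note) findings."""
    findings = []
    expected_mac_for_ip = {ip: mac for mac, (_, ip) in inventory.items() if ip}
    ips_per_mac = defaultdict(set)
    for ip, mac in entries:
        ips_per_mac[mac].add(ip)
        if mac not in inventory:
            findings.append(("rogue", ip, mac, "MAC not in authorized inventory"))
        if ip in expected_mac_for_ip and expected_mac_for_ip[ip] != mac:
            name = inventory[expected_mac_for_ip[ip]][0]
            findings.append(("mac-changed", ip, mac,
                             f"{name} should be {expected_mac_for_ip[ip]}; possible ARP poisoning"))
    for mac, ips in ips_per_mac.items():
        if len(ips) > 1:
            findings.append(("duplicate-mac", ",".join(sorted(ips)), mac,
                             "one MAC answering for several IPs; possible ARP spoofing"))
    return findings


# Constructed sample: the gateway 10.0.0.1 is now answered by an unknown MAC,
# which also claims 10.0.0.77.
SAMPLE_ARP = """\
? (10.0.0.1) at aa:bb:cc:dd:ee:99 [ether] on eth0
printer.lab.test (10.0.0.20) at 00:1b:44:11:3a:b7 [ether] on eth0
fileserver.lab.test (10.0.0.30) at 00:1b:44:11:3a:c2 [ether] on eth0
? (10.0.0.77) at aa:bb:cc:dd:ee:99 [ether] on eth0
? (10.0.0.99) at <incomplete> on eth0
"""

INVENTORY = {
    "de:ad:be:ef:00:01": ("gateway", "10.0.0.1"),
    "00:1b:44:11:3a:b7": ("printer", "10.0.0.20"),
    "00:1b:44:11:3a:c2": ("fileserver", None),  # DHCP client, any IP is fine
}


if __name__ == "__main__":
    for kind, ip, mac, note in audit_arp(parse_arp(SAMPLE_ARP), INVENTORY):
        print(f"{kind:14} {ip:20} {mac}  {note}")
```

The cache only holds hosts this machine has talked to recently, so a single snapshot is a partial view; the passive version of the same check watches ARP replies on the wire and sees every host that answers, whether or not this machine ever needed it.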

ipconfig/ip/ifconfig
• ipconfig (for Windows) and ifconfig (for Linux and macOS) are used to manipulate the network interfaces on a system
• List the interfaces and connection parameters, alter parameters, and refresh/renew connections (ipconfig /all, ipconfig /release, ipconfig /renew on Windows)
• The ip command in Linux is used to show and manipulate routing, devices, policy routing, and tunnels; it replaces ifconfig, which is deprecated on modern Linux distributions and sometimes not installed (ip addr, ip route, ip neigh for the ARP cache)

tcpdump
• The tcpdump utility is designed to capture and analyze network packets, either from a live network interface or from a recorded file
• You can also use it to write packet captures to a file (pcap format, -w file.pcap, read back with -r) and to filter what is captured with BPF expressions such as "tcp port 443" or "host 10.0.0.5"
• Capturing from a live interface needs root (or the capture capability) and puts the interface into promiscuous mode unless -p is given; write the raw capture to a file and filter afterwards rather than filtering aggressively on the wire, since you cannot recover packets you did not capture


nmap
• Nmap is the standard network mapping and port scanning utility for Windows and Linux (and macOS); first released in 1997, it has been in continuous development since
• The nmap command is the command-line command to launch and run the nmap utility; host discovery, port scanning, service/version detection and OS fingerprinting are selected with options
• Its output uses the port states from the network scanner slides (open, closed, filtered), plus combined states such as open|filtered when it cannot tell them apart

netcat
• Netcat is a network utility originally written for Unix/Linux environments
• A Windows version exists, but it is not regularly used in Windows environments (and is commonly flagged by antivirus)
• The basic form is nc [options] host port
• The netcat utility is the tool of choice in Linux for reading from and writing to network connections using TCP or UDP
• Has a wide range of functions: a simple port scan (-z), a listener (-l), banner grabbing, file transfer, and chaining to a shell, which is why finding it on a host where it does not belong is itself a finding

Security Technologies
• There are several security technologies that you can employ to analyze security situations; the skill being tested is interpreting their output

HIDS/HIPS
• Both a host-based intrusion detection system (HIDS) and a host-based intrusion prevention system (HIPS) alert on behaviors that match specified patterns (file changes, process activity, log events); the difference is that a HIPS can also block the action
• They have significant false positive rates depending upon the specificity of the ruleset; a prevention rule that fires on a false positive breaks something on the host, so HIPS rules are usually run in detect-only mode first
• They serve as an alerting mechanism to provide a signal to start incident response activities


Antivirus
• Antivirus (AV) applications check files for matches to known viruses and other forms of malware (signatures, plus heuristics and behavior monitoring in current products)
• Quarantine the file or erase it using the AV utility; quarantining keeps a copy for the incident responder to examine

File Integrity Check
• Perform a file integrity check to ensure that a file has not been tampered with
• This will alert you to a changed binary
• They take a hash of the file and compare this value to an offline store of correct values; if the hashes match, the file is unaltered
• The baseline must be stored where the attacker cannot rewrite it along with the file (read-only media, a separate host), and must be regenerated after every legitimate patch, or every update shows up as tampering
• On Windows machines the command sfc /scannow performs this check for protected Windows system files, comparing them against known-good copies and replacing any that differ; it does not cover application binaries or data files

Host-Based Firewall
• A host-based firewall is a firewall located on a host system
• You can tune it to the exact specifications of that machine: only the ports its role requires, and only from the sources that need them
• If properly tuned, a host-based firewall will have a very low false positive rate

Application Whitelisting
• Application whitelisting (now usually called application allowlisting) marks files as safe to run on a system based upon their hash values, publisher signature, or path
• Only the specified binaries may run on the system; anything else, including malware dropped by a phishing attachment, is refused regardless of whether AV recognizes it
• Hash rules are the strictest (any change to the binary, including a legitimate patch, changes the hash and requires a list update); path rules are the weakest, since a user-writable path on the list is a bypass
• On Microsoft Windows machines using the Enterprise version of the OS, whitelisting can be done natively in the OS via a tool called AppLocker
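The hash-baseline check from the File Integrity Check slide and the hash-rule allow decision from this slide are the same lookup used in opposite directions, so one added example (not part of the slides) covers both: build a SHA-256 baseline of a directory tree, store it outside the tree, let an "attacker" trojan a binary and drop a new file, then report what changed and whether the trojaned binary would still be allowed to run. It works on a temporary directory with constructed files; the names bin/ls and tmp/backdoor are only labels for the demo.

```python
# Added example, not from the slides: the hash-baseline check described on
# the file integrity slide, and the hash-based allow decision from the
# application whitelisting slide, which is the same lookup used in the other
# direction.  It works on a temporary directory with constructed files; the
# names bin/ls and tmp/backdoor are only labels for the demo.
import hashlib
import json
import os
import tempfile


def sha256_file(path: str, chunk: int = 1 << 16) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root: str) -> dict:
    """{relative path: sha256} for every regular file under root."""
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root).replace(os.sep, "/")] = sha256_file(full)
    return baseline


def verify(root: str, baseline: dict) -> dict:
    """Compare the tree with the baseline.  'modified' is the changed-binary
    alert; 'added' catches dropped tools the baseline never knew about."""
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }


def is_allowed_to_run(path: str, allowlist: set) -> bool:
    """Hash-rule allowlisting: the binary may run only if its SHA-256 is on
    the list; name, location and AV verdict play no part."""
    return sha256_file(path) in allowlist


def _write(root, rel, data: bytes):
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)


def demo():
    """Build a baseline, store it outside the tree, tamper, and re-check.
    Returns (report, allowed_before, allowed_after)."""
    root = tempfile.mkdtemp(prefix="fim-")
    _write(root, "bin/ls", b"\x7fELF original ls binary (constructed)")
    _write(root, "etc/hosts", b"127.0.0.1 localhost\n")

    baseline = build_baseline(root)
    # The offline store: in production this lives on read-only media or
    # another host, so the attacker who rewrites bin/ls cannot also
    # rewrite the baseline.
    store = os.path.join(tempfile.mkdtemp(prefix="fim-store-"), "baseline.json")
    with open(store, "w") as f:
        json.dump(baseline, f)
    allowlist = set(baseline.values())
    allowed_before = is_allowed_to_run(os.path.join(root, "bin/ls"), allowlist)

    # Attacker activity (constructed): trojan the binary and drop a new file.
    _write(root, "bin/ls", b"\x7fELF original ls binary (constructed) + implant")
    _write(root, "tmp/backdoor", b"#!/bin/sh\n# constructed dropped file\n")

    with open(store) as f:
        stored = json.load(f)
    report = verify(root, stored)
    allowed_after = is_allowed_to_run(os.path.join(root, "bin/ls"), allowlist)
    return report, allowed_before, allowed_after


if __name__ == "__main__":
    report, before, after = demo()
    print(json.dumps(report, indent=2))
    print("bin/ls allowed to run: before", before, "after", after)
```

The same property cuts both ways: the allowlist refuses the trojaned bin/ls, and it would refuse a legitimately patched bin/ls just as firmly until the list is regenerated, which is the operational cost of hash rules that the slide's sfc /scannow sidesteps by shipping known-good copies with the OS.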


Removable Media Control
• Removable media controls are designed to prevent the transfer of data from a system to removable media (USB drives, SD cards, optical discs)
• Encryption: where removable media must be allowed, require that it be encrypted, so a lost drive is not a data loss
• Block physical access: disable or restrict USB storage through OS policy, or block the ports physically; the same USB port also brings data and malware in, not only out

Advanced Malware Tools
• Advanced malware tools, e.g. YARA, a command-line pattern matcher that looks for indicators of compromise: rules describe strings, byte sequences and conditions, and the tool reports which files or processes match
• Hunting down malware infections based on artifacts in memory, where packed or fileless malware is visible in unpacked form
• Another type is a threat prevention platform that checks a system and its traffic in real time for common malware artifacts such as callbacks to external command-and-control hosts

Patch Management Tools
• Patch management tools assist administrators by keeping lists of the software on a system and alerting when patches become available
• Some can also deploy the patches
• Alerting is only part of the necessary solution; the tool also has to
  • ensure that the patches are actually installed (and that a reboot completed them where required)
  • alert administrators when systems have not been patched, since an inventory gap and a missed patch look identical from the outside

UTM
• Unified threat management (UTM) devices typically provide a wide range of services, including switching, firewall, IDS/IPS, anti-malware, anti-spam, content filtering, and traffic shaping
• Simplify security administration: one box, one console, one vendor
• Typically located at the edge of the network, managing traffic in and out of the network; that placement also makes it a single point of failure and a single device whose compromise removes several controls at once


DLP
• Data loss prevention (DLP) detects and prevents unauthorized transfers of data across and out of an enterprise
• Can scan packets, files and messages for specific data patterns:
  • account numbers (card numbers, which can be validated with the Luhn checksum to reduce false positives),
  • secrets (API keys, credentials, which often have recognizable formats),
  • specific markers (classification labels such as CONFIDENTIAL), or
  • files (fingerprints of known sensitive documents)
• The system can block the transfer, or just log it
• The challenge is the placement of the sensor: it only sees what passes it, and it cannot see inside encrypted or steganographic channels unless the traffic is decrypted at the sensor
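The four pattern classes above in one content inspector, as an added example that is not part of the slides: card numbers validated with the Luhn checksum (so random 13 to 19 digit strings such as ticket numbers are not flagged), a secret with a known format, classification markers, and a whitespace-tolerant fingerprint of a known document, combined by a policy that decides between allow and block. The message, the policy and the restricted document are constructed for the demo; 4111 1111 1111 1111 is the usual Visa test number and AKIAIOSFODNN7EXAMPLE is the example key from AWS documentation, neither is a live credential.

```python
# Added example, not from the slides: a content inspector of the kind a DLP
# sensor runs on an outbound message.  It looks for the four pattern classes
# on the slide: card numbers (validated with the Luhn checksum so that random
# digit strings are not flagged), secrets with a known format, classification
# markers, and fingerprints of known files.  The message, the policy and the
# document fingerprint are constructed for the demo; 4111 1111 1111 1111 is
# the usual Visa test number and AKIAIOSFODNN7EXAMPLE is the example key from
# AWS documentation, neither is a live credential.
import hashlib
import re

CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")   # 13-19 digits, optional separators
AWS_KEY_RE = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
MARKER_RE = re.compile(r"\b(CONFIDENTIAL|SECRET|INTERNAL ONLY)\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: doubles every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def fingerprint(text: str) -> str:
    """Fingerprint of a document, tolerant of whitespace changes."""
    return hashlib.sha256(" ".join(text.split()).encode()).hexdigest()


def inspect_message(message: str, policy: dict) -> dict:
    """Return {'action': 'allow'|'block', 'findings': [(kind, value), ...]}.
    Card numbers are masked in the finding so the DLP log does not itself
    become a store of card data."""
    findings = []
    for m in CARD_RE.finditer(message):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            findings.append(("card-number", digits[:6] + "*" * (len(digits) - 10) + digits[-4:]))
    for m in AWS_KEY_RE.finditer(message):
        findings.append(("aws-access-key", m.group()))
    for m in MARKER_RE.finditer(message):
        findings.append(("marker", m.group()))
    if fingerprint(message) in policy.get("blocked_fingerprints", set()):
        findings.append(("known-file", fingerprint(message)))
    kinds = {k for k, _ in findings}
    action = "block" if kinds & policy.get("block_on", set()) else "allow"
    return {"action": action, "findings": findings}


# Constructed sample message and policy.
SAMPLE_MAIL = """\
From: alice@example.test
Subject: Q3 numbers
Card on file: 4111 1111 1111 1111 (expires 12/27)
Invoice number: 4111 1111 1111 1112
Ticket 1234567890123 is unrelated.
CLASSIFICATION: CONFIDENTIAL
aws_key = AKIAIOSFODNN7EXAMPLE
"""

RESTRICTED_DOC = "Project Falcon pricing\nUnit cost 12.40\nMargin 31%\n"

POLICY = {
    "block_on": {"card-number", "aws-access-key", "known-file"},  # markers only log
    "blocked_fingerprints": {fingerprint(RESTRICTED_DOC)},
}


if __name__ == "__main__":
    for text in (SAMPLE_MAIL, RESTRICTED_DOC, "Lunch at noon?"):
        print(inspect_message(text, POLICY))
```

Only one of the two 16-digit strings in the sample is reported, and the 13-digit ticket number is not: the Luhn check is what keeps the sensor's false positive rate workable. The fingerprint check is also where the slide's placement challenge bites, since a document that leaves zipped, encrypted or inside an image never matches.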

Data Execution Prevention
• Data Execution Prevention (DEP) marks specific memory areas (stack, heap, data) as non-executable on a Windows system, backed by the processor's no-execute (NX) page bit where available; the same protection exists on Linux and macOS
• Prevents attackers from changing the operation of a program through code injection: shellcode written into a buffer cannot be executed from there
• The OS kills the program when it attempts to execute from a non-executable page, so an exploit attempt becomes a crash rather than code execution
• DEP alone is not sufficient: attackers respond by reusing code that is already executable (return-oriented programming), which is why DEP is paired with address space layout randomization

Web Application Firewall
• A web application firewall (WAF) is a device (or a module in the web server, or a cloud service) that applies restrictions based on rules associated with HTTP/HTTPS requests and responses
• It is a form of content filter that provides significant capability and protection at the application layer, where a network firewall sees only "port 443"
• WAFs can detect and block disclosure of critical data in responses
• Can also be used to protect websites from common attack vectors such as cross-site scripting, fuzzing, and buffer overflow attacks
• A WAF must see cleartext, so it terminates TLS or sits behind the terminator, and its rules can be evaded by encoding tricks; it buys time for patching the application, it does not replace the patch

Stay Alert!
There is no 100 percent secure system, and there is nothing that is foolproof!