
CIS 3500
Chapter #7: Technologies and Tools

Chapter Objectives
- Understand how to use appropriate software tools to assess the security posture of an organization
- Given a scenario, analyze and interpret output from security technologies

Protocol Analyzer
- A protocol analyzer is simply a tool (either hardware or software) that can be used to capture and analyze traffic
- It must have the capability to place a network interface in promiscuous mode
- From a security perspective, protocol analyzers are very useful and effective tools
- Most organizations have multiple points in the network where traffic can be sniffed

Switched Port Analyzer
- Switched Port Analyzer (SPAN), also called port mirroring or port monitoring, is a special setup on a switch
- A SPAN has the ability to copy network traffic passing through one or more ports on a switch, or one or more VLANs on a switch, and forward that copied traffic to a port designated for traffic capture and analysis
- Capacity planning for traffic
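As an added illustration, not part of the slides, the following Python decoder performs the first step a protocol analyzer carries out on every frame that a SPAN port copies to the capture interface: unpacking the Ethernet, IPv4 and TCP headers into readable fields. The frame it decodes is constructed in code (the MAC addresses, IP addresses and ports are made up, and checksums are left at zero), so it runs without a network interface or capture file.

```python
"""Decoder for Ethernet/IPv4/TCP headers, the first thing a protocol analyzer
does with each frame a SPAN/mirror port copies to the capture interface.
Added example, not from the slides; the frame is constructed in code."""
import struct

ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6
TCP_FLAG_NAMES = ["FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR"]


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def ip_str(raw):
    return ".".join(str(b) for b in raw)


def parse_ethernet(frame):
    # 14-byte header: destination MAC, source MAC, EtherType (network byte order)
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    return {"dst_mac": mac_str(dst), "src_mac": mac_str(src),
            "ethertype": ethertype, "payload": frame[14:]}


def parse_ipv4(pkt):
    (ver_ihl, _tos, total_len, _ident, _frag, ttl, proto,
     _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4          # header length in bytes, options included
    return {"version": ver_ihl >> 4, "ttl": ttl, "protocol": proto,
            "src": ip_str(src), "dst": ip_str(dst),
            "payload": pkt[ihl:total_len]}   # bytes past total_len are padding


def parse_tcp(seg):
    (sport, dport, seq, ack, off_flags, window,
     _csum, _urg) = struct.unpack("!HHIIHHHH", seg[:20])
    data_offset = (off_flags >> 12) * 4  # header length, options included
    flag_bits = off_flags & 0x00FF
    flags = [n for i, n in enumerate(TCP_FLAG_NAMES) if flag_bits & (1 << i)]
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "window": window, "flags": flags, "payload": seg[data_offset:]}


def summarize(frame):
    """Summary of one frame, the kind of row an analyzer's packet list shows."""
    eth = parse_ethernet(frame)
    if eth["ethertype"] != ETHERTYPE_IPV4:
        return {"error": f"unsupported ethertype 0x{eth['ethertype']:04x}"}
    ip = parse_ipv4(eth["payload"])
    if ip["protocol"] != IPPROTO_TCP:
        return {"error": f"unsupported IP protocol {ip['protocol']}"}
    tcp = parse_tcp(ip["payload"])
    return {"src": ip["src"], "sport": tcp["sport"],
            "dst": ip["dst"], "dport": tcp["dport"],
            "flags": tcp["flags"], "ttl": ip["ttl"],
            "payload": tcp["payload"]}


def build_sample_frame():
    """Constructed frame carrying an HTTP request (checksums left zero)."""
    payload = b"GET / HTTP/1.1\r\n"
    tcp = struct.pack("!HHIIHHHH", 51234, 80, 1000, 2000,
                      (5 << 12) | 0x18,     # data offset 5 words, PSH|ACK
                      65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64,
                     IPPROTO_TCP, 0, bytes([10, 0, 0, 5]), bytes([10, 0, 0, 80]))
    eth = struct.pack("!6s6sH", bytes.fromhex("aabbcc000080"),
                      bytes.fromhex("aabbcc000005"), ETHERTYPE_IPV4)
    return eth + ip + tcp + b"\x00" * 4   # trailing padding, ignored by total_len


if __name__ == "__main__":
    s = summarize(build_sample_frame())
    print(f"{s['src']}:{s['sport']} -> {s['dst']}:{s['dport']} "
          f"[{', '.join(s['flags'])}] {len(s['payload'])} bytes")
```

The decoder trusts the length fields in the headers, which is also why real analyzers are attack surface in their own right: a capture interface on a SPAN port sees whatever the switch copies, so the parser that consumes it has to bound every slice by the frame actually received.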

Network Scanners
- A network scanner is a tool to probe a network or systems for open ports and machines that are on the network.
- Network scanners can work on any IP network because they operate by examining network connections
- Search for live hosts
- Search for any open ports
- Search for specific ports
- Identify services on ports
- Look for TCP/UDP services

Network Scanners (continued)
- When you find open services, you'll need to determine if those services should be running at all
- Network scanning activity can trigger an incident response activity when detected - notify sysadmins/security team
- Open: open ports accept connections
- Closed: the scanned target returns an RST packet
- Filtered: an ICMP unreachable error is returned
- Additional types: dropped, blocked, denied, timeout

Rogue System Detection
- Rogue systems are unauthorized systems and fall outside of the enterprise operations umbrella, adding risk to a system.
- You have to know the authorized software and hardware in your environment
- You should do rogue system detection
  - active scans of the network to detect any devices not authorized
  - passive scan via an examination of packets to see if anyone is communicating who is not authorized

Network Mapping
- Network mapping tools are another name for network scanners
- They create network diagrams of how machines are connected
- Network mapping tools identify the nodes of a network and characterize them as to OS, purpose, systems, etc. - also great for inventory
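An added example, not the slides' code, of the passive form of rogue system detection just described: IP/MAC pairs observed on the wire (from a capture on a SPAN port, an ARP cache dump or DHCP logs) are compared against an authorized-hardware inventory, and any IP address that two different MACs answer for is flagged as well. The inventory and the observation log below are constructed; the log format (timestamp, IP, MAC per line) is an assumption of this example.

```python
"""Rogue-system detection from passively observed IP/MAC pairs.
Added example, not the slides' code. The inventory and observation log
are constructed."""
from collections import defaultdict

# Constructed authorized-hardware inventory: MAC -> asset name.
AUTHORIZED = {
    "aa:bb:cc:00:00:05": "ws-alice",
    "aa:bb:cc:00:00:06": "ws-bob",
    "aa:bb:cc:00:00:80": "web01",
    "aa:bb:cc:00:00:fe": "gateway",
}

# Constructed passive-observation log: "<timestamp> <ip> <mac>" per line.
OBSERVATIONS = """\
2024-03-01T09:00:01 10.0.0.5   aa:bb:cc:00:00:05
2024-03-01T09:00:02 10.0.0.80  aa:bb:cc:00:00:80
2024-03-01T09:00:05 10.0.0.1   aa:bb:cc:00:00:fe
2024-03-01T09:01:10 10.0.0.6   aa:bb:cc:00:00:06
2024-03-01T09:02:30 10.0.0.77  11:22:33:44:55:66
2024-03-01T09:03:00 10.0.0.1   11:22:33:44:55:66
2024-03-01T09:03:07 10.0.0.5   aa:bb:cc:00:00:05
"""


def parse_observations(text):
    """Return (timestamp, ip, mac) tuples; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        ts, ip, mac = parts
        records.append((ts, ip, mac.lower()))
    return records


def detect_rogues(records, authorized):
    """Return unauthorized MACs and IPs claimed by more than one MAC.

    rogue_hosts:  mac -> sorted list of IPs seen using that MAC
    ip_conflicts: ip  -> sorted list of MACs that answered for that IP
    """
    ips_by_mac = defaultdict(set)
    macs_by_ip = defaultdict(set)
    for _ts, ip, mac in records:
        ips_by_mac[mac].add(ip)
        macs_by_ip[ip].add(mac)
    rogue_hosts = {mac: sorted(ips) for mac, ips in ips_by_mac.items()
                   if mac not in authorized}
    ip_conflicts = {ip: sorted(macs) for ip, macs in macs_by_ip.items()
                    if len(macs) > 1}
    return {"rogue_hosts": rogue_hosts, "ip_conflicts": ip_conflicts}


def report(result, authorized):
    """Human-readable lines for the security team."""
    lines = []
    for mac, ips in sorted(result["rogue_hosts"].items()):
        lines.append(f"ROGUE    {mac} seen as {', '.join(ips)}")
    for ip, macs in sorted(result["ip_conflicts"].items()):
        names = [authorized.get(m, "unknown") for m in macs]
        lines.append(f"CONFLICT {ip} claimed by {', '.join(macs)} "
                     f"({', '.join(names)})")
    return lines


if __name__ == "__main__":
    result = detect_rogues(parse_observations(OBSERVATIONS), AUTHORIZED)
    for line in report(result, AUTHORIZED):
        print(line)
```

In the constructed log the unknown MAC first appears with its own address and later answers for the gateway's address, so it shows up both as a rogue host and as an IP conflict; the conflict check is the same comparison you would make between two snapshots of the arp cache.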

Wireless Scanners/Crackers
- You can use wireless scanners/crackers to perform network analysis of the wireless side of your networks
- Who is connecting to them?
- What are they accessing?
- Is everything in conformance with your security plan?
- There is a wide variety of wireless scanners that can assist in developing this form of monitoring

KisMAC

Password Cracker
- Password crackers are used by hackers to find weak passwords
- Sysadmins should also check
- Password crackers work using dictionary lists and brute force

Vulnerability Scanner
- A vulnerability scanner is a program designed to probe a system for weaknesses, misconfigurations, old versions of software, etc.
- Three main categories of vulnerability scanners: network, host, and application

Configuration Compliance Scanner
- Automate configuration checks
- SCAP (Security Content Automation Protocol) is a protocol to manage information related to security configurations and the automated validation of them
- There is a wide variety of configuration compliance scanners
- These tools require that there is a baseline set of defined configurations, and then the tools can track changes

Exploitation Frameworks
- Exploitation frameworks assist hackers with exploiting vulnerabilities in a system
- The most commonly used framework is Metasploit, a set of tools designed to assist a penetration tester
- These frameworks can be used by security personnel as well, specifically to test the exploitability of a system based on existing vulnerabilities and employed security controls

Data Sanitization Tools
- Data sanitization tools are tools used to destroy, purge, or otherwise identify for destruction specific types of data
- Before a system can be retired and disposed of, you need to sanitize the data
- Use self-encrypting disks and destroy the keys
- Identify the sensitive data and deal with it specifically
- It is not the tool that provides the true value, but rather the processes and procedures that ensure the work is done and done correctly

Steganography Tools
- Steganography is the science of hidden writing, or more specifically the hiding of messages in other content
- Digital images, videos, and audio files have excess coding capacity in the stream, so it is possible to embed additional content in the file
- If this content is invisible to the typical user, then it is considered to be steganography
- The same techniques are used to add visible (or invisible) watermarks to files

Honeypot
- A honeypot is a server that is designed to act like the real server on a corporate network
- Honeypots serve as attractive targets to attackers - traffic to them can be assumed to be malicious
- A honeynet is a network designed to look like a corporate network
- A honeynet is a collection of honeypots
- Extensive logging, so we can learn from it

Backup Utilities
- Backup utilities are one of the most important tools
- Backing up a single system isn't that hard
- Backing up an enterprise full of servers and workstations is a completely different problem:
  - segregating data,
  - scale, and
  - management of the actual backup files
- Critical security task

Banner Grabbing
- Banner grabbing is a technique used to gather information from a service that publicizes information via a banner
  - identify services by type
  - version
  - warnings
- Attackers can use banners to determine what services are running, and typically do so for common banner-issuing services such as HTTP, FTP, SMTP, and Telnet

Passive vs. Active
- Passive tools are those that do not interact with the system
- Wireshark performs OS mapping by analyzing TCP/IP traces
- Active tools interact with a target system in a fashion where their use can be detected
- Nmap is an active interaction that can be detected when it sends packets
- When choosing, attackers may consider how much time they have available

Command-Line Tools
- These are built into the operating system itself, or are common programs that are used by system administrators and security professionals on a regular basis

ping
- The ping command sends echo requests to a designated machine to determine if communication is possible
- The syntax is ping [options] targetname/address
- The options include items such as name resolution, how many pings, data size, TTL counts, and more
- Many sysadmins disable it or filter it on the firewall - too much to give away

netstat
- netstat -a : all open ports
- netstat -at : all active TCP connections
- netstat -au : all active UDP connections
- netstat -l : all listening ports
- netstat -ln : does not resolve names
- netstat -lp : listening programs with PID

tracert
- The tracert command is a Windows command for tracing the route that packets take over the network
- Lists the hosts, switches, and routers in the order that a packet passes by them
- It uses ICMP, if ICMP is blocked
- On Linux and macOS systems, the command with similar functionality is traceroute
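Added example, not from the slides, of doing with netstat output what the scanner slide asks for: deciding whether each open service should be running at all. It parses constructed Linux `netstat -tulpn`-style lines, keeps only listening sockets (TCP sockets in LISTEN state and UDP sockets, which netstat prints without a State column), and compares them against a constructed baseline of expected listeners. The baseline format (protocol, port, program) is an assumption of this example.

```python
"""Parse netstat -tulpn style output and flag listeners not in a baseline.
Added example, not the slides' code; the output and baseline are constructed."""

# Constructed sample of `netstat -tulpn` output, plus one established
# connection to show that only listening sockets are reported.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      1042/mysqld
tcp6       0      0 :::80                   :::*                    LISTEN      1301/apache2
tcp        0      0 0.0.0.0:4444            0.0.0.0:*               LISTEN      2211/nc
tcp        0      0 10.0.0.5:22             10.0.0.9:50122          ESTABLISHED 1500/sshd
udp        0      0 0.0.0.0:68              0.0.0.0:*                           640/dhclient
"""

# Constructed baseline: (proto, port, program) expected to listen on this host.
BASELINE = {
    ("tcp", 22, "sshd"),
    ("tcp", 80, "apache2"),
    ("tcp", 3306, "mysqld"),
    ("udp", 68, "dhclient"),
}


def listening_sockets(text):
    """Return listening sockets as dicts: proto, addr, port, pid, program."""
    sockets = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or not parts[0].startswith(("tcp", "udp")):
            continue                      # banner and header lines
        proto = parts[0].rstrip("6")      # tcp6/udp6 -> tcp/udp
        local = parts[3]
        if proto == "tcp" and parts[5] != "LISTEN":
            continue                      # established/time-wait etc.
        addr, port = local.rsplit(":", 1)
        # Without root privileges netstat prints "-" instead of PID/Program.
        pid, _, program = parts[-1].partition("/")
        sockets.append({"proto": proto, "addr": addr, "port": int(port),
                        "pid": int(pid) if pid.isdigit() else None,
                        "program": program})
    return sockets


def unexpected_listeners(sockets, baseline):
    """Listeners whose (proto, port, program) is not in the baseline."""
    return [s for s in sockets
            if (s["proto"], s["port"], s["program"]) not in baseline]


def exposed_listeners(sockets):
    """Listeners bound to every interface rather than loopback only."""
    return [s for s in sockets if s["addr"] in ("0.0.0.0", "::")]


if __name__ == "__main__":
    socks = listening_sockets(SAMPLE_NETSTAT)
    for s in unexpected_listeners(socks, BASELINE):
        print(f"unexpected listener: {s['proto']}/{s['port']} "
              f"{s['program']} (pid {s['pid']}) on {s['addr']}")
    for s in exposed_listeners(socks):
        print(f"bound to all interfaces: {s['proto']}/{s['port']} {s['program']}")
```

The program name is part of the baseline key on purpose: a listener on an expected port run by an unexpected binary is exactly the case the slides say to investigate.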

nslookup/dig
- The nslookup command can be used to examine a DNS query
- A nonauthoritative answer typically means the result is from a cache, as opposed to a server that has an authoritative answer

arp
- The arp command interfaces with the operating system's Address Resolution Protocol (ARP) cache on a system
- A device sometimes needs to know where to send a packet using the MAC or layer 2 address
- Four basic message types:
  - ARP request: Who has this IP address?
  - ARP reply: I have that IP address; my MAC address is ...
  - Reverse ARP (RARP) request: Who has this MAC address?
  - RARP reply: I have that MAC address; my IP address is ...

ipconfig/ip/ifconfig
- ipconfig (for Windows) and ifconfig (for Linux) are used to manipulate the network interfaces on a system
- List the interfaces and connection parameters, alter parameters, and refresh/renew connections
- The ip command in Linux is used to show and manipulate routing, devices, policy routing, and tunnels

tcpdump
- The tcpdump utility is designed to analyze network packets either from a network connection or a recorded file
- You can also use it to create files of packet captures (pcap) and perform filtering

nmap
- Nmap has been a standard network mapping utility for Windows and Linux since 1999
- The nmap command is the command-line command to launch and run the nmap utility

netcat
- Netcat is a network utility designed for Linux environments
- It has a Windows version, but is not regularly used in Windows environments
- The netcat syntax is nc [options] address
- The netcat utility is the tool of choice in Linux for reading from and writing to network connections using TCP or UDP
- It has a wide range of functions

Security Technologies
- There are several security technologies that you can employ to analyze security situations and interpret output from security technologies

HIDS/HIPS
- Both a host-based intrusion detection system (HIDS) and a host-based intrusion prevention system (HIPS) alert on behaviors that match specified behavioral patterns
- They have significant false positive rates, depending upon the specificity of the ruleset
- They serve as an alerting mechanism to provide a signal to start incident response activities

Antivirus
- Antivirus (AV) applications check files for matches to known viruses and other forms of malware
- Quarantine the file or erase it using the AV utility

File Integrity Check
- Perform a file integrity check to ensure that the file has not been tampered with
- This will alert you to a changed binary
- They take a hash of the file and compare this value to an offline store of correct values - if the hashes match, then the file is unaltered
- On Windows machines the command is sfc /scannow

Host-Based Firewall
- A host-based firewall is a firewall located on a host system
- You can tune it to the exact specifications of that machine
- If properly tuned, a host-based firewall will have a very low false positive rate

Application Whitelisting
- Application whitelisting marks files as safe to run on a system based upon their hash values
- Only specified binaries are allowed to run on a system
- On Microsoft Windows machines using the Enterprise version of the OS, whitelisting can be done natively in the OS via a tool called AppLocker
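The file integrity check described above, as an added Python example that is not the slides' code: hash every file under a directory, store the digests as a baseline, and on a later scan classify each path as modified, missing or added. The demo builds its own files in a temporary directory and then tampers with them (contents, names and the baseline location are all constructed), so it runs anywhere; in production the baseline would be kept on read-only or offline storage, as the slide says, since a baseline the attacker can rewrite proves nothing.

```python
"""File integrity checking against a stored SHA-256 baseline.
Added example, not the slides' code; files and baseline are constructed."""
import hashlib
import json
import os
import tempfile


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_tree(root):
    """Map relative path -> SHA-256 for every regular file under root."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            digests[rel] = sha256_file(full)
    return digests


def save_baseline(digests, path):
    # The baseline belongs on read-only or offline storage in real use.
    with open(path, "w") as f:
        json.dump(digests, f, indent=2, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def compare(baseline, current):
    """Classify differences between the baseline and a fresh scan."""
    return {
        "modified": sorted(p for p in baseline
                           if p in current and baseline[p] != current[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }


def verify_file(path, expected_digest):
    """True if the file's SHA-256 matches the known-good value."""
    return sha256_file(path) == expected_digest


def demo():
    """Create files, record a baseline, tamper, rescan; return the diff."""
    with tempfile.TemporaryDirectory() as root, \
            tempfile.TemporaryDirectory() as store:
        def write(rel, data):
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(data)

        # Known-good state (constructed contents).
        write("bin/app", b"\x7fELF original binary\n")
        write("etc/app.conf", b"listen=127.0.0.1\n")
        write("lib/helper.so", b"\x7fELF helper\n")
        baseline_path = os.path.join(store, "baseline.json")
        save_baseline(hash_tree(root), baseline_path)

        # Simulated tampering: binary replaced, config deleted, file dropped.
        write("bin/app", b"\x7fELF replaced binary\n")
        os.remove(os.path.join(root, "etc", "app.conf"))
        write("bin/newtool", b"\x7fELF unknown\n")

        return compare(load_baseline(baseline_path), hash_tree(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:9s} {', '.join(paths) or '-'}")
```

Application whitelisting by hash, from the next slide, is the same comparison run in the other direction: instead of asking "does this file still match its baseline?", the OS asks "is this file's hash on the approved list?" before letting it execute.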

Removable Media Control
- Removable media controls are designed to prevent the transfer of data from a system to removable media
- Encryption!
- Block physical access

Advanced Malware Tools
- Advanced malware tools, e.g. YARA, a command-line pattern matcher that looks for indicators of compromise
- Hunting down malware infections based on artifacts in memory
- Another type is a threat prevention platform that checks a system and its traffic in real time for common malware artifacts such as callbacks to external devices

Patch Management Tools
- Patch management tools assist administrators by keeping lists of the software on a system and alerting users when patches become available
- Some can even assist in the application of the patches
- Alerting users is only part of the necessary solution:
  - ensure that the patches are installed
  - alert administrators when patches have not been applied

UTM
- Unified threat management (UTM) devices typically provide a wide range of services, including switching, firewall, IDS/IPS, anti-malware, anti-spam, content filtering, and traffic shaping
- Simplify security administration
- Typically located at the edge of the network, managing traffic in and out of the network

DLP
- Data loss prevention (DLP) is used to detect and prevent transfers of data across an enterprise
- Can scan packets for specific data patterns:
  - account numbers,
  - secrets,
  - specific markers, or
  - files
- The system can block the transfer
- The challenge is the placement of the sensor

Data Execution Prevention
- Data Execution Prevention (DEP) is the protection of specific memory areas as nonexecutable in a Windows system
- Prevents attackers from changing the operation of a program through code injection
- The OS will kill the program

Web Application Firewall
- A web application firewall (WAF) is a device that performs restrictions based on rules associated with HTTP/HTTPS
- A form of content filter that provides significant capability and protections
- WAFs can detect and block disclosure of critical data
- Can also be used to protect websites from common attack vectors such as cross-site scripting, fuzzing, and buffer overflow attacks

There is no 100 percent secure system, and there is nothing that is foolproof!
Stay Alert!
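The pattern scanning a DLP sensor applies to outbound content, as an added Python example that is not the slides' code. It looks for the three kinds of pattern the DLP slide lists: card-style account numbers (validated with the Luhn check so that an arbitrary 16-digit string is not a hit), an internal account-number marker, and classification labels, then maps findings to a block/alert/allow decision. The `ACCT-` format, the marker words, the policy table and the sample message are all constructed for the example.

```python
"""DLP-style content scanning: card numbers (Luhn-validated), account-number
markers and classification labels, mapped to a block/alert/allow decision.
Added example, not the slides' code; patterns and messages are constructed."""
import re

# 13-19 digits, optionally separated by spaces or dashes, ending on a digit.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
ACCOUNT_RE = re.compile(r"\bACCT-\d{8}\b")            # constructed internal format
MARKER_RE = re.compile(r"\b(CONFIDENTIAL|INTERNAL ONLY)\b")

# Constructed policy: what to do when a pattern of each kind is found.
POLICY = {"card_number": "block",
          "account_number": "block",
          "classification_marker": "alert"}

# Constructed sample: one valid card number, one digit string that fails
# Luhn (so it is ignored), an account marker, and a classification label.
SAMPLE_MESSAGE = ("Please charge the card 4111 1111 1111 1111 "
                  "(ref 1234-5678-1234-5678) and credit ACCT-00012345. "
                  "This document is CONFIDENTIAL.")


def luhn_ok(digits):
    """Luhn checksum, which real card numbers satisfy; cuts false positives."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(value, keep=4):
    """Never log the full sensitive value; keep only the last few characters."""
    return "*" * (len(value) - keep) + value[-keep:]


def scan(text):
    """Return findings as dicts (kind, masked value, position), by position."""
    findings = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            findings.append({"kind": "card_number",
                             "value": mask(digits), "pos": m.start()})
    for m in ACCOUNT_RE.finditer(text):
        findings.append({"kind": "account_number",
                         "value": mask(m.group()), "pos": m.start()})
    for m in MARKER_RE.finditer(text):
        findings.append({"kind": "classification_marker",
                         "value": m.group(), "pos": m.start()})
    return sorted(findings, key=lambda f: f["pos"])


def decide(findings, policy=POLICY):
    """Most severe action any finding requires: block > alert > allow."""
    actions = {policy.get(f["kind"], "allow") for f in findings}
    if "block" in actions:
        return "block"
    if "alert" in actions:
        return "alert"
    return "allow"


if __name__ == "__main__":
    found = scan(SAMPLE_MESSAGE)
    for f in found:
        print(f"{f['kind']:22s} {f['value']} at offset {f['pos']}")
    print("decision:", decide(found))
```

The Luhn step is the kind of detail that separates a usable sensor from a noisy one: without it every order number, tracking code or phone-number-length digit run on the wire would be a blocked transfer.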