Date posted: 12-Jan-2016
2
Background
Richard S. Carson and Associates
Management Consulting
Web-Based Products
World Wide Digital Security, Inc.
3
Our Product
A suite of web-based security assessment tools used to determine a network’s vulnerability and risk, with a patent-pending methodology:
  Single assessment
  Network
  Denial of Service
4
Benefits of WebSaint™
Web-based delivery system: the basis for minimum user impact
Dedicated computer is not needed; it is run on the web
Easy to use: the complexities of installing software are removed
No costly software
Results are self-explanatory; trained security professionals are not needed
Use it as many times as you need under the 3-month subscription
Cost advantage in terms of product price and minimal resource impact
Product is always up to date with the most current vulnerabilities and threats
5
Our Customer
The network administrator of a small to medium-size enterprise who is looking for the easiest and most accurate tool to analyze network security:
  Overworked
  Dealing with Y2K issues
  Resources limited for security
6
The Opportunity
                      1997           2002
Internet Users        50 million     175 million
Electronic Commerce   $8 billion     $327 billion
Network Security      $1.3 billion   $6.5 billion
7
The Opportunity
Our niche is the Internet Security Assessment market, estimated to be $1 billion by 2002.
WebSaint™ provides:
  Vulnerability assessment by identifying security strengths and weaknesses
  Detailed review and evaluation of a company's network, allowing the development of a baseline security policy from the data collected
  Corporate confidence that current security standards are being met
8
Our Competition
Internet Security Systems, Inc.
Network Associates, Inc.
Axent Technologies, Inc.
Netect, Inc.
Security Dynamics Technologies, Inc.
9
Our Uniqueness in the Security Market
Patent-pending, web-based delivery system
Subscription sales, easy selling approach
Focused on security assessments
Leads to consulting services
10
Marketing
SATAN, SAINT™, WebSaint™
Name recognition
VARs, partnerships, Joint Development Agreements
Integrated Web and PR marketing approach
www.wwdsi.com
11
SAINT™ History
SATAN released April 1995
COAST extensions released in December 1995
No updates since release
Scan of a large network using SATAN prompted development of SAINT
12
SAINT™ – The New SATAN
New tests for the following:
  “R” services (rlogin, rshell and rexec)
  Vulnerable CGIs (e.g., webdist, phf, and test-cgi)
  Vulnerable versions of IMAP and POP
  SMB open shares
  New backdoors (NetBus, Back Orifice)
  ToolTalk service
  Vulnerable versions of DNS
  rpc.statd service
  UDP echo and/or chargen (can be used for DoS)
  Vulnerable news servers
13
SAINT™ – The New SATAN
Identifies Microsoft Windows (3.x, 95, 98, NT) computers (may be vulnerable to various DoS attacks)
Added a new attack level (heavy +)
Performs in a firewalled environment
Many cosmetic and functional improvements
14
What You Need
UNIX platform (AIX, OSF, FreeBSD, BSDI, IRIX, HP-UX, Linux, SunOS, System V)
20 MB disk space
As much memory as you can get
Perl 5.00 or above
C compiler
Web browser
SAMBA (for SMB tests)
15
How it Works
16
Policy Engine
Controls what hosts SAINT may probe
Controls the intensity of the probes
Specified in the configuration file:
  attack level and what probes are included
  status file
  timeouts and timeout signals
  proximity variables
  trusted or untrusted targeting
  exceptions
  workarounds (DNS, ICMP)
Some settings can be changed via command-line switches or from the hypertext user interface
17
Target Acquisition
Specified by user:
  one host
  class C subnet
Generated by the inference engine when processing facts generated by the data acquisition module
Saves time by checking whether hosts are actually alive first:
  fping (default)
  tcp_scan on common ports (firewall)
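How the policy engine and the target-acquisition step fit together, as an added Python illustration that is not SAINT's own code: a scope policy modelled on the configuration items listed on the Policy Engine slide (allowed targets, exceptions, a proximity limit, an attack level per proximity hop, trusted/untrusted targeting) decides whether a host may be probed and how hard; a class C subnet is expanded into candidate hosts; and only hosts the liveness check reports alive are kept. The `Policy` fields, the `alive` callback standing in for fping/tcp_scan, the RFC 5737 documentation addresses and the sample policy are all assumptions made for this example, and SAINT's real configuration-file syntax is not reproduced.

```python
import ipaddress
from dataclasses import dataclass

# Scanning levels named on the slides.
ATTACK_LEVELS = ("light", "normal", "heavy", "heavy plus")


@dataclass
class Policy:
    """Hypothetical policy object; the field names are assumptions for this example."""
    allowed_targets: list        # CIDR blocks SAINT may probe ("what hosts")
    exceptions: list             # CIDR blocks never to probe, even inside allowed_targets
    max_proximity: int           # how many hops from the original host inferred targets may be
    level_by_proximity: dict     # attack level to use at each proximity hop
    untrusted_targeting: bool    # may hosts learned through trust (NFS/DNS/NIS) be probed?

    def may_probe(self, host, proximity, via_trust=False):
        """Return (allowed, reason). A host is probed only when it lies inside an
        allowed block, is not an exception, is within the proximity limit and,
        if it was discovered through a trust relationship, trust targeting is on."""
        addr = ipaddress.ip_address(host)
        if not any(addr in ipaddress.ip_network(n) for n in self.allowed_targets):
            return False, "outside allowed targets"
        if any(addr in ipaddress.ip_network(e) for e in self.exceptions):
            return False, "listed as exception"
        if proximity > self.max_proximity:
            return False, "beyond max proximity"
        if via_trust and not self.untrusted_targeting:
            return False, "trust-derived target, untrusted targeting disabled"
        return True, "ok"

    def level_for(self, proximity):
        """Probe intensity is chosen per hop; hops without a setting fall back to 'light'."""
        level = self.level_by_proximity.get(proximity, "light")
        if level not in ATTACK_LEVELS:
            raise ValueError(f"unknown attack level {level!r}")
        return level


def expand_class_c(network):
    """Target acquisition for a class C subnet: every usable host address."""
    net = ipaddress.ip_network(network, strict=False)
    if net.prefixlen != 24:
        raise ValueError("expected a class C (/24) subnet")
    return [str(h) for h in net.hosts()]


def acquire_targets(policy, seeds, alive):
    """Filter (host, proximity, via_trust) seeds through the policy, then keep
    only hosts the liveness probe reports alive. `alive` stands in for
    fping / tcp_scan and is a callable so the network step can be mocked."""
    accepted = []
    for host, proximity, via_trust in seeds:
        ok, _reason = policy.may_probe(host, proximity, via_trust)
        if ok and alive(host):
            accepted.append((host, policy.level_for(proximity)))
    return accepted


# Constructed sample policy using RFC 5737 documentation addresses.
SAMPLE_POLICY = Policy(
    allowed_targets=["192.0.2.0/24"],
    exceptions=["192.0.2.1/32"],          # e.g. the site router
    max_proximity=1,
    level_by_proximity={0: "heavy", 1: "normal"},
    untrusted_targeting=False,
)

# Constructed liveness oracle standing in for fping.
ALIVE_HOSTS = {"192.0.2.1", "192.0.2.10", "192.0.2.20", "198.51.100.5"}


def demo():
    """Expand the subnet at proximity 0 and add two inferred targets."""
    seeds = [(h, 0, False) for h in expand_class_c("192.0.2.0/24")]
    seeds.append(("198.51.100.5", 1, False))   # outside allowed targets
    seeds.append(("192.0.2.30", 1, True))      # learned via trust; blocked by policy
    return acquire_targets(SAMPLE_POLICY, seeds, ALIVE_HOSTS.__contains__)


if __name__ == "__main__":
    for host, level in demo():
        print(f"probe {host} at level {level}")
```

The policy is evaluated before the liveness probe, so a host outside the allowed range is never touched on the network at all; the router at 192.0.2.1 is alive but excluded by the exception list, and the trust-derived host is refused because untrusted targeting is off.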
18
Data Acquisition
Executes probes based on target’s scanning level:
  light
  normal
  heavy
  heavy plus
Written in Perl or shell script
Output written to database in common tool record format
19
Inference Engine
Rules applied in real time
Results are either:
  new facts for the inference engine
  new probes for the data acquisition module
  new targets for the target acquisition module
Actually six separate engines, each controlled by its own rule base:
  todo – what probe to perform next
  hosttype – deduces system classes
  facts – deduces potential vulnerabilities
  services – translates cryptic daemon banners and/or port numbers to user-friendly names
  trust – classifies data collected on NFS, DNS, NIS, and other cases of trust
  drop – what to ignore
20
Database Format
Facts – data generated by the data acquisition module and the inference engine
All-hosts – all hosts seen
Todo – all things it did
21
Database Format – Facts
Target – name of the host the record refers to
Service – base name of the tool or service being probed
Status – whether the host was reachable
Severity – how serious the vulnerability was
Trustee – who trusts another target (user@host)
Trusted – who the trustee trusts (user@host)
Canonical Service Output – for non-vulnerability records, the reformatted version of the network service; for vulnerability records, the name of the tutorial
Text – additional information for reports
22
Database Format – All-hosts
Host name
IP address
Proximity from original host
Attack level host has been probed with
Was subnet expansion on? (1 = yes, 0 = no)
Time scan was done
23
Database Format – Todo
Host name
Tool to be run next
Arguments for tool
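The three record types described on the Database Format slides (facts, all-hosts, todo) and the inference loop of the Inference Engine slide, as an added Python example that is not SAINT's own code. It parses one record per line with the fields in the order the slides list, then runs a miniature version of four of the six engines over the facts: drop (ignore records for unreachable hosts), services (port numbers to friendly names, emitted as new facts), todo (choose the next probe) and trust (a host named in the Trusted field becomes a new all-hosts entry one proximity hop further out, subject to the proximity limit). The `|` field separator, the status value `u` for an unreachable host, the rule tables, the probe tool names and the sample records are all assumptions constructed for this example; the hosttype and facts engines are left out.

```python
from dataclasses import dataclass

FIELD_SEP = "|"   # assumed record delimiter for this example


@dataclass
class Fact:                 # field order as on the "Database Format – Facts" slide
    target: str
    service: str
    status: str
    severity: str
    trustee: str
    trusted: str
    canonical: str
    text: str


@dataclass
class HostRecord:           # field order as on the "Database Format – All-hosts" slide
    host: str
    ip: str
    proximity: int
    attack_level: str
    subnet_expanded: bool
    scanned_at: str


@dataclass
class Todo:                 # field order as on the "Database Format – Todo" slide
    host: str
    tool: str
    args: str


def split_record(line, nfields):
    """Split one record and refuse lines with the wrong field count, so a
    truncated or corrupted database line cannot shift fields silently."""
    parts = line.rstrip("\n").split(FIELD_SEP)
    if len(parts) != nfields:
        raise ValueError(f"expected {nfields} fields, got {len(parts)}: {line!r}")
    return parts


def parse_fact(line):
    return Fact(*split_record(line, 8))


def parse_host(line):
    host, ip, prox, level, expanded, when = split_record(line, 6)
    return HostRecord(host, ip, int(prox), level, expanded == "1", when)


def parse_todo(line):
    return Todo(*split_record(line, 3))


# Rule tables, constructed for this example.
SERVICE_NAMES = {"79/tcp": "finger", "111/tcp": "portmapper", "2049/udp": "nfs", "514/tcp": "shell"}
NEXT_PROBE = {"portmapper": ("rpc.saint", ""), "nfs": ("showmount.saint", "-e")}  # hypothetical tool names
UNREACHABLE = "u"   # assumed status value meaning "host was not reachable"


def run_engines(facts, hosts, max_proximity):
    """One pass of the inference loop. Returns (new_facts, new_todos, new_hosts)."""
    known = {h.host: h for h in hosts}
    new_facts, new_todos, new_hosts = [], [], []
    for f in facts:
        # drop engine: ignore records for hosts that did not answer
        if f.status == UNREACHABLE:
            continue
        # services engine: translate a port number into a user-friendly name (a new fact)
        name = SERVICE_NAMES.get(f.canonical)
        if name:
            new_facts.append(Fact(f.target, f.service, f.status, f.severity,
                                  f.trustee, f.trusted, name, f.text))
            # todo engine: the named service decides which probe runs next
            if name in NEXT_PROBE:
                tool, args = NEXT_PROBE[name]
                new_todos.append(Todo(f.target, tool, args))
        # trust engine: whoever the trustee trusts becomes a target one hop further away
        if f.trusted and "@" in f.trusted:
            peer = f.trusted.split("@", 1)[1]
            origin = known.get(f.target)
            if origin and peer not in known and origin.proximity + 1 <= max_proximity:
                rec = HostRecord(peer, "", origin.proximity + 1, "light", False, "")
                known[peer] = rec
                new_hosts.append(rec)
    return new_facts, new_todos, new_hosts


# Constructed sample records (hostnames under the reserved .test TLD).
SAMPLE_HOSTS = ["gw.example.test|192.0.2.1|0|heavy|0|Mon Jan 18 10:00:00 1999"]
SAMPLE_FACTS = [
    "gw.example.test|tcpscan|a|x|||111/tcp|portmapper answered",
    "gw.example.test|rsh|a|x|root@gw.example.test|root@admin.example.test|shell|hosts.equiv entry",
    "down.example.test|fping|u|x||||no response",
]


def demo(max_proximity=1):
    hosts = [parse_host(line) for line in SAMPLE_HOSTS]
    facts = [parse_fact(line) for line in SAMPLE_FACTS]
    return run_engines(facts, hosts, max_proximity)


if __name__ == "__main__":
    for group in demo():
        for record in group:
            print(record)
```

With the sample input the portmapper fact yields a renamed fact and a follow-up probe for the gateway, the rsh trust record adds admin.example.test as a proximity-1 target, and the unreachable host is dropped; lowering `max_proximity` to 0 suppresses the new target, which is the same control the Policy Engine slide describes as proximity variables.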
24
User Interface
Requires an HTML browser
Documentation
Data management
Data gathering
Viewing results
  – vulnerabilities
  – host information
  – trust
Also can be run from the command line
25
SAINT™ Vulnerabilities
Red – Services that are vulnerable to attack. Hackers exploiting these services may cause substantial harm.
  DNS vulnerabilities
  FTP vulnerabilities
  Hacker program found
  HTTP CGI access
  IMAP version
  INN vulnerabilities
  NFS export to unprivileged programs
  NFS export via portmapper
  Open SMB shares
  Remote shell access
  REXD access
  Sendmail vulnerabilities
  SSH vulnerabilities
  TFTP file access
  Unrestricted modem
  Unrestricted NFS export
  Writable FTP home directory
26
SAINT™ Vulnerabilities
Yellow – Services that may directly or indirectly assist a hacker in determining passwords or other critical information.
  NIS password file access
  Unrestricted X server access
27
SAINT™ Vulnerabilities
Brown – Services that may not be vulnerable, but the configuration and/or version may make them vulnerable. Further investigation on the part of the system administrator may be necessary.
  Excessive finger information
  HTTP CGI info
  NetBIOS over the Internet
  POP server
  POP version
  Possible DoS (fraggle) problem
  Remote login on the Internet
  Remote shell on the Internet
  Rexec on the Internet
  Statd vulnerability
  Rstatd vulnerability
  Rusersd vulnerability
  Sendmail info
  Windows detected
28
SAINT™ Vulnerabilities
Green – Services that do not have any vulnerabilities apparent through remote assessment. (However, if passwords have been compromised, these services may prove to be vulnerable to exploitation by local users.)
29
Who Uses It?
System Administrators
Security Administrators
Requires some knowledge of UNIX
Requires installation and configuration of software
What about the less technical, less UNIX-savvy administrator? . . .
30
What You Need
Web browser
Internet connection
E-mail address
31
How it Works
Customer requests scan via Web page
Customer receives e-mail containing URL for custom page
Customer uses custom page to start scan
Customer receives a second e-mail after the scan completes containing a new URL for the results
Customer can perform an unlimited number of scans within the subscription period
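One way to build the e-mailed URLs in the workflow above, as an added Python example that is not WWDSI's code. Both e-mails carry a URL whose last path element is a signed, expiring token, so that only a customer who received the mail can open the custom page or the results, a results URL cannot be reused to start a scan, and a start URL stops working when the subscription period ends. The URL layout, the `start`/`results` purposes, the HMAC construction, the customer and scan identifiers and the timestamps are all assumptions made for this example.

```python
import base64
import binascii
import hashlib
import hmac
import secrets

# Constructed at import for the example; a deployment would load the key from protected storage.
SERVER_SECRET = secrets.token_bytes(32)


def _b64(data):
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_url(base, purpose, customer_id, expires_at, scan_id=""):
    """URL for the first e-mail (purpose='start', the customer's custom page) or
    the second e-mail (purpose='results'). expires_at is a Unix time, e.g. the
    end of the 3-month subscription for a 'start' URL."""
    if purpose not in ("start", "results"):
        raise ValueError("unknown purpose")
    nonce = secrets.token_urlsafe(12)   # every URL is unique and unguessable
    payload = f"{purpose}|{customer_id}|{scan_id}|{int(expires_at)}|{nonce}".encode()
    sig = hmac.new(SERVER_SECRET, payload, hashlib.sha256).hexdigest()
    return f"{base}/{purpose}/{_b64(payload)}.{sig}"


def verify_url(url, expected_purpose, now):
    """Return (customer_id, scan_id) if the URL is authentic, unexpired and was
    issued for expected_purpose; otherwise return None."""
    try:
        _, purpose_path, last = url.rsplit("/", 2)
        token, sig = last.split(".", 1)
        payload = _unb64(token)
    except (ValueError, binascii.Error):
        return None
    good = hmac.new(SERVER_SECRET, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, good):   # constant-time comparison, checked before parsing
        return None
    purpose, customer_id, scan_id, expires_at, _nonce = payload.decode().split("|")
    if purpose != expected_purpose or purpose != purpose_path:
        return None                          # a results URL cannot start a scan
    if now > int(expires_at):
        return None                          # subscription period is over
    return customer_id, scan_id


def demo():
    """Issue both URLs for a constructed customer and exercise the checks."""
    base = "https://websaint.example.test"   # constructed hostname
    sub_end = 1_000_000_000                  # constructed subscription end (Unix time)
    start = issue_url(base, "start", "cust-42", sub_end)
    results = issue_url(base, "results", "cust-42", sub_end, scan_id="scan-7")
    tampered = start[:-1] + ("0" if start[-1] != "0" else "1")   # flip one signature character
    return {
        "start_ok": verify_url(start, "start", now=sub_end - 1),
        "start_expired": verify_url(start, "start", now=sub_end + 1),
        "results_as_start": verify_url(results, "start", now=sub_end - 1),
        "results_ok": verify_url(results, "results", now=sub_end - 1),
        "tampered": verify_url(tampered, "start", now=sub_end - 1),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The signature is verified before the payload is parsed, so a modified token is rejected without any of its contents being interpreted, and binding the purpose into the signed payload (not only the path) keeps the two e-mails' URLs from being swapped for one another.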
32
Getting off the ground . . .
We’d like to hear your comments and ideas.
33
Detailed SAINT™ Vulnerabilities
34
SAINT™ Red Services (1 of 5)
DNS vulnerabilities
  Impact: unauthorized access (remote) and/or denial of service
  Resolution: patch or updated version
FTP vulnerabilities
  Impact: unauthorized access (remote or local)
  Resolution: patch, updated version, restrict access
Hacker program found
  Impact: host has been compromised
  Resolution: remove program, remove hacker
HTTP CGI access
  Impact: execute arbitrary commands (remote or local)
  Resolution: remove/disable CGI
35
SAINT™ Red Services (2 of 5)
IMAP version
  Impact: unauthorized access (remote)
  Resolution: patch, updated version, restrict access
INN vulnerabilities
  Impact: unauthorized access (remote)
  Resolution: patch, updated version
NFS export to unprivileged programs
  Impact: unauthorized file access (read/write), program execution
  Resolution: restrict access, block router ports (2049, 111)
NFS export via portmapper
  Impact: unauthorized file access (read/write)
  Resolution: restrict access, block router ports (2049, 111)
36
SAINT™ Red Services (3 of 5)
Open SMB shares
  Impact: unauthorized file access (read/write)
  Resolution: disable SMB over Internet, restrict access
Remote shell access
  Impact: unauthorized remote shell/login from arbitrary hosts
  Resolution: restrict access
REXD access
  Impact: unauthorized REXD remote access from arbitrary hosts
  Resolution: disable service, restrict access
Sendmail vulnerabilities
  Impact: unauthorized access (remote)
  Resolution: patch, updated version
37
SAINT™ Red Services (4 of 5)
SSH vulnerabilities
  Impact: unauthorized use of credentials (local)
  Resolution: updated version
TFTP file access
  Impact: unauthorized access (remote)
  Resolution: disable service, restrict access
Unrestricted modem
  Impact: unauthorized access (remote) of modem
  Resolution: restrict access
Unrestricted NFS export
  Impact: unauthorized file access (read/write)
  Resolution: restrict access, block router ports (2049, 111)
38
SAINT™ Red Services (5 of 5)
Writable FTP home directory
  Impact: unauthorized file access (read/write/execute)
  Resolution: restrict access
39
SAINT™ Yellow Services
NIS password file access
  Impact: access to NIS password file by arbitrary hosts
  Resolution: restrict access
Unrestricted X server access
  Impact: unrestricted X server access from arbitrary hosts
  Resolution: restrict access
40
SAINT™ Brown Services (1 of 4)
Excessive finger information
  Impact: releases excess account information
  Resolution: disable service, restrict access
HTTP CGI info
  Impact: provides information about server
  Resolution: remove/disable CGI
NetBIOS over the Internet
  Impact: unauthorized file access (read/write)
  Resolution: disable service
POP server
  Impact: unauthorized access (passwords in the clear)
  Resolution: disable service, use more secure version
41
SAINT™ Brown Services (2 of 4)
POP version
  Impact: unauthorized access (remote)
  Resolution: patch, updated version, restrict access
Possible DoS (fraggle) problem
  Impact: denial of service (intermediary and victim)
  Resolution: router configuration
Remote login on the Internet
  Impact: unauthorized shell access (with no password)
  Resolution: disable service, restrict access
Remote shell on the Internet
  Impact: unauthorized remote shell/login from arbitrary hosts
  Resolution: restrict access
42
SAINT™ Brown Services (3 of 4)
Rexec on the Internet
  Impact: unauthorized program execution (remote)
  Resolution: disable service, restrict access
Sendmail info
  Impact: provides information about users
  Resolution: disable EXPN and VRFY commands
Statd vulnerability
  Impact: unauthorized access (remote/local)
  Resolution: patch, disable service
Rstatd vulnerability
  Impact: provides information about host’s performance
  Resolution: disable service
43
SAINT™ Brown Services (4 of 4)
Rusersd vulnerability
  Impact: provides information about users
  Resolution: disable service
Windows detected
  Impact: operating system may be vulnerable to denial of service
  Resolution: patch, disable unnecessary services