Are Your Students Ready To Play The (Ethical) Hacking Game?

Welcome!
Presenter: Steven Graham | Senior Director, EC-Council

About EC-Council
> Global, member-based information security certification body
> 320+ partners in over 70 countries
> 60,000 trained professionals, over 21,000 certified
> Primary certifications:
  > Network Security Administrator (E|NSA)
  > Certified Ethical Hacker (C|EH)
  > Computer Hacking Forensic Investigator (C|HFI)
  > Certified Security Analyst / Licensed Penetration Tester (E|CSA/L|PT)
> 27 industry certifications in total. More info at www.eccouncil.org

Agenda
> Why Information Security is Important
> Oops, I gave my Visa to a Hacker! (Heartland Breach)
> Cyber War on our own soil? Is it Possible? (Bot-Nets)
> Individual responsibilities tied to national security, and our responsibility as educators (the National Strategy to Secure Cyberspace)
> Understanding IT security roles and responsibilities, and educating to them
> Incorporating information security into existing education programs with EC-Council | Press
> The Ethical Hacking Game: an introduction to Ethical Hacking, overview and Phase 1 - Reconnaissance
> Discussion

Why Information Security is Important > Oops, I gave my Visa to a Hacker! (the Heartland Breach Exposed)
> In January 2009 Heartland Payment Systems, which processes 100 million credit card transactions for 175,000 merchants every month, announced that it had been compromised.
> Bob Carr, CEO, sold 80,000 shares for $1.4 million shortly before the public announcement of the breach.
> The stock plummeted.

Why Information Security is Important > Oops, I gave my Visa to a Hacker! (the Heartland Breach Exposed)
One day marked a 43% drop in the share price, with daily volume jumping from 839K to over 4 million shares:

  Date                 Price (USD)   Volume
  January 6th, 2009    18.83         329K
  January 21st, 2009   14.11         839K
  January 22nd, 2009   8.18          4 million

Why Information Security is Important > Oops, I gave my Visa to a Hacker!
(the Heartland Breach Exposed)
> In a USA TODAY interview, Heartland's President and CFO Robert Baldwin noted that in late 2008 hackers had access for "longer than weeks"; no more specific information was released.
> Visa and MasterCard notified Heartland of suspicious transactions stemming from its accounts; investigators then found a "data-stealing" program on Heartland's systems.
> Three weeks of access: potentially 750 million credit card transactions exposed!

Why Information Security is Important > Oops, I gave my Visa to a Hacker! (the Heartland Breach Exposed)
> Lessons learned
  > End-to-end encryption was not in place.
  > Intrusion detection and intrusion prevention systems were insufficient.
  > Proactive scanning for anomalies failed or was not present.
  > Cyber criminals exploited vulnerabilities in Heartland systems, compromising the financial data of millions of customers.
  > Preventative security measures were insufficient despite best efforts and compliance with standard industry regulations.

Why Information Security is Important > Cyber War on our own soil? Is it Possible? (Bot-Nets)
> The simple answer: YES, AND IT'S HAPPENING NOW!
> 2008 attacks against SecureWorks managed clients, by originating country:
  #10 Canada: 107,483 attacks
  #9 Germany: 110,493 attacks
  #8 Taiwan: 124,997 attacks
  #7 Russia: 130,572 attacks
  #6 Japan: 142,346 attacks
  #5 Poland: 153,205 attacks
  #4 South Korea: 162,289 attacks
  #3 Brazil: 166,987 attacks
  #2 China: 7,700,000 attacks
  #1 United States of America: 20,600,000 attacks, emanating from computers inside US borders

Why Information Security is Important > Cyber War on our own soil? Is it Possible?
(Bot-Nets)
> What is prompting these attacks?
> By and large, "owned" computers become part of various botnets and can be remotely controlled. The originating-country counts above say where the compromised machines sit, not where the people controlling them are.
> Hackers gain access to combined computing resources through distribution of passive malware, viruses, and Trojans.
> Compromised/unprotected personal computers, library networks, school networks, government networks, and corporate networks contribute to the proliferation of botnets.

Example Workings of a BotNet
• Stage 1, Stage 2: The bot master sends a malicious Trojan/botnet client over the Internet and infects a victim.
• Stage 3: The bot client connects to the command centre (malicious server) and reports that it has been infected.
• Stage 4: The command centre informs the bot master about the victim.
• Stage 5: The attacker sends attack information to the command centre.
• Stage 6: The command centre triggers the victim with the set of instructions sent by the bot master, to search for other victim computers with similar vulnerabilities.
• Stage 7: The compromised computer scans the Internet for other similar systems and infects them with malicious code.
• Stage 8: This way the attacker creates a huge network of bots that are ready to act on the instructions sent by the attacker. The network of bots is referred to as a botnet.

[Figure: Example Workings of a BotNet. Bot Master, Command Centre and Victims connected through the Internet, with stages 1 to 8 numbered on the arrows.]

Why Information Security is Important > How does this apply to me as an educator?
– According to the National Strategy to Secure Cyberspace (issued by the White House in 2003 and hosted by DHS): "Each American who depends on cyberspace, the network of information networks, must secure the part that they own or for which they are responsible."
– To put it another way, threats and vulnerabilities are a five-level problem. Consider where your graduates go:
1. Home Users/Small Business
2. Large Enterprises
3. Critical Sectors/Infrastructures
4. National Issues
5. Global

Typical Security Job Roles and Responsibilities

  Job Level          | Typical Roles                                                                                                      | Corresponding EC-Council Certifications & Designations
  IT/IS Executive    | Information assurance, design, and compliance                                                                      | MSS/ECSO (coming soon)
  IT/IS Manager      | Information assurance oversight and personnel management                                                           |
  IT/IS Specialist   | Specialization roles including pen testing, forensics, disaster recovery, Voice over IP, secure programming, etc.  | Penetration Testing Specialist, Forensics Specialist, Disaster Recovery Specialist, VOIP Specialist, Secure Programmer
  IT/IS Admin        | Network installation, configuration, maintenance, information assurance                                            |
  IT/IS Technician   | Standard network installation and configuration                                                                    |
  Information Worker | Access to computing systems                                                                                        |

Why Information Security is Important > Information Security Job Roles/Responsibilities
> Front line (receptionists, secretaries, information workers, HR, accounting, non-IT personnel)
  > Responsibilities: protect corporate information.
  > Vulnerable to: social engineering attacks that leak sensitive information, or pieces of the "big picture" that let attackers gain access; computer viruses, worms, Trojans, etc.
> 1st-level IT: help desk, support specialists, network administrators
  > Responsibilities: adhere to security and general IT policy; standard configurations; supporting roles to superiors and to internal and external clients.
  > Vulnerable to: social engineering, misconfigurations, common mistakes that expose serious vulnerabilities.

Why Information Security is Important > Information Security Job Roles/Responsibilities
> 2nd-level IT: network engineers, managers, auditors, specialists
  > Responsibilities: system design and maintenance, constant assessment, security patching, hardware/software break-fix and upgrades. Typically the first line of contact with outsourced firms/consultants. E-discovery/preservation.
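The check-in behaviour in stages 3 to 6 of the botnet slides above is what a defender can look for on their own network: a bot polls its command centre on a fixed schedule, while people browse in bursts. The following is an added example, not part of the EC-Council deck, that scores (client, destination) pairs in a constructed proxy log by the regularity of their connection intervals. The log format, host names and thresholds are assumptions made for the illustration.

```python
"""Beacon detection over proxy logs (added example).

A bot client that has enrolled with its command centre keeps checking in for
instructions. Human browsing is bursty; check-ins are periodic. This script
finds (client, destination) pairs whose connection intervals are unusually
regular.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample log, not real traffic. Assumed format (one record per line):
# "<ISO timestamp> <client ip> <destination host> <bytes>"
SAMPLE_LOG = """\
2009-01-21T09:00:02 10.1.4.23 update.example-cdn.net 512
2009-01-21T09:00:07 10.1.4.23 www.example.com 20480
2009-01-21T09:00:31 10.1.4.23 news.example.org 98304
2009-01-21T09:05:01 10.1.4.23 update.example-cdn.net 498
2009-01-21T09:06:40 10.1.4.23 www.example.com 4096
2009-01-21T09:10:03 10.1.4.23 update.example-cdn.net 503
2009-01-21T09:15:02 10.1.4.23 update.example-cdn.net 510
2009-01-21T09:17:55 10.1.4.23 mail.example.com 30720
2009-01-21T09:20:00 10.1.4.23 update.example-cdn.net 499
2009-01-21T09:25:02 10.1.4.23 update.example-cdn.net 505
2009-01-21T09:01:10 10.1.4.57 www.example.com 15360
2009-01-21T09:01:12 10.1.4.57 www.example.com 2048
2009-01-21T09:09:45 10.1.4.57 www.example.com 40960
2009-01-21T09:31:03 10.1.4.57 www.example.com 8192
2009-01-21T09:32:50 10.1.4.57 www.example.com 1024
2009-01-21T09:58:20 10.1.4.57 www.example.com 6144
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+)$")


def parse_log(text):
    """Yield (timestamp, client, destination) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of aborting the whole run
        yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)


def find_beacons(text, min_connections=5, max_cv=0.05):
    """Return {(client, dest): (mean_interval_s, cv)} for pairs that look periodic.

    cv is the coefficient of variation of the inter-connection gaps: standard
    deviation divided by mean. A bot polling every N seconds with little jitter
    scores near 0; a person reading the web scores near or above 1.
    """
    times = defaultdict(list)
    for ts, client, dest in parse_log(text):
        times[(client, dest)].append(ts)
    findings = {}
    for key, stamps in times.items():
        if len(stamps) < min_connections:
            continue  # too few samples to call anything periodic
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean == 0:
            continue  # all connections in the same second: a burst, not a beacon
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            findings[key] = (round(mean, 1), round(cv, 3))
    return findings


if __name__ == "__main__":
    for (client, dest), (period, cv) in find_beacons(SAMPLE_LOG).items():
        print(f"{client} -> {dest}: every {period}s (cv={cv})")
```

In the constructed log only 10.1.4.23 talking to update.example-cdn.net is flagged (a 300-second period with a few seconds of jitter); the other workstation hits the same web site six times but at human intervals. Real bot clients add deliberate jitter and hide behind legitimate-looking hosts, so the thresholds need tuning per network, and near-constant response sizes (the 498 to 512 byte replies above) are a second signal worth combining with the timing.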
  DR/BC.
  > Vulnerabilities: misconfiguration, policy gaps, outsourcing mistakes/decisions/assessments. Admin-level access.
> Executives: Director of IT, CIO, CISO, CEO
  > Responsibility: compliance, compliance, compliance.
  > Vulnerability: ALL VULNERABILITIES END UP HERE.

Incorporating Information Security Titles in Existing Education Programs: EC-Council | Press
Security Fundamentals – general education, entry-level computer science
Security | 5 Titles
• Social Site and Online Behavior
• Cyber Dangers
• ID Theft
Security Essentials – entry-level computer science
E|NSA Network Defense Titles:
• Network fundamentals and protocols
• Network threats and security policy
• Perimeter defense mechanisms
• Securing network devices, operating systems, and troubleshooting
• Patch management and log analysis

Incorporating Information Security Titles in Existing Education Programs: EC-Council | Press
Ethical Hacking & Countermeasures – computer science/security, entry-level to advanced computer science
C|EH Ethical Hacking Titles:
• The CEH hacking cycle and penetration testing
• Threats and defensive mechanisms
• Hacking web applications
• Securing Linux and defense against buffer overflows
• Securing network infrastructure

Incorporating Information Security Titles in Existing Education Programs: EC-Council | Press
Computer Forensics – computer science/security, entry-level to advanced computer science
C|HFI Computer Forensics Titles:
• Investigating procedures and the role of an expert witness
• Computer forensic lab requirements
• Investigating file systems, hard disks, and operating systems for evidence
• Investigating data and image files for evidence
• Investigating network intrusions and cyber attacks
• Investigating attacks on wireless networks and devices

Incorporating Information Security Titles in Existing Education Programs.
EC-Council | Press
Penetration Testing – computer science/security, advanced computer science
E|CSA Computer Security Analyst / Advanced Penetration Testing Titles:
• Security analysis and advanced tools
• Customer agreements and reporting procedures
• Penetration testing methodologies
• Network perimeter testing procedures
• Communication media testing procedures
• Network threat testing procedures

Now, It's Time to Play!
EC-Council
Slides extracted from EC-Council's Intro to Ethical Hacking
Here comes the part you all came for.
Copyright © by EC-Council. All rights reserved. Reproduction is strictly prohibited.

ECC Fulfills the Need
• Ethical Hacking and Countermeasures (C|EH)
  – CEHs understand the tools and techniques used:
    • Attack tools, by those outside the network
    • Compromise tools, by those inside the network
  – "Thinking like a hacker"

Problem Definition – Why Security?
• Direct impact of a security breach on the corporate asset base and goodwill
• Increasing complexity of computer infrastructure administration and management

What Does a Malicious Hacker Do?
The five phases of an attack:
1. Reconnaissance
   • Active/passive reconnaissance
2. Scanning
3. Gaining access
   • Operating system level/application level
   • Network level
   • Denial of service
4. Maintaining access
   • Uploading/altering/downloading programs or data
5. Clearing tracks
Phase 1 - Reconnaissance
Reconnaissance refers to the preparatory phase in which an attacker seeks to gather as much information as possible about a target of evaluation before launching an attack.
Generally described as "rattling the door knobs" to see if someone is watching and responding.
Discovered information is "filed" for future use, when more is known about the target as a whole.

Reconnaissance Types
Passive reconnaissance involves acquiring information without directly interacting with the target.
• For example, searching public records or news releases.
Active reconnaissance involves interacting with the target directly by any means.
• For example, telephone calls to the help desk or technical department.
The distinction matters to the defender: passive reconnaissance leaves nothing in the target's own logs, while active reconnaissance (a help-desk call, a probe, a page request) is the first thing the target has a chance to detect.

Step 1: Reconnaissance
Part 1: Footprinting

Revisiting Reconnaissance
Reconnaissance refers to the preparatory phase in which an attacker seeks to gather as much information as possible about a target of evaluation before launching an attack.
[Figure: the five-phase cycle, 1 Reconnaissance, 2 Scanning, 3 Gaining Access, 4 Maintaining Access, 5 Clearing Tracks.]
It involves three phases: footprinting, scanning, and enumeration of the network.
Footprinting is conducted externally, while scanning and network enumeration take place both externally AND internally.
Defining Footprinting
Footprinting is the blueprint of the security profile of an organization, undertaken in a methodical manner.
Footprinting is one of the three pre-attack phases.
An attacker spends 90% of the time profiling an organization and the other 10% on the attack.
Footprinting results in a unique organization profile with respect to the networks (Internet/intranet/extranet/wireless) and systems involved.

Why is Footprinting Necessary?
Footprinting is necessary to systematically and methodically ensure that all possible pieces of information related to the technologies in use are identified.
Footprinting is often the most difficult task conducted to determine the security posture of an entity.

Unearthing Initial Information
Hacking tool: Sam Spade
Commonly includes:
• Domain name lookup
• Locations
• Contacts (telephone/mail)
Information sources:
• Open source
• Whois
• Nslookup

Finding a Company's URL
Search for a company's URL using a search engine such as Google.
Type the company's name into the search engine to get the company's URL.
Google provides rich information for passive reconnaissance.
Check newsgroups, forums, and blogs for sensitive information regarding the network, the organization, and its employees.

Tool: WebFerret
WebFerret searches the web quickly and thoroughly by submitting the search query to multiple search engines at once.
All of the results are displayed in a single concise window.
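The whois and nslookup sources named above return free text. The following added example, which is not from the deck and not Sam Spade's code, turns constructed whois and dig-style output for the hypothetical domain example-target.com into a structured footprint and flags what an attacker will use first, which is also what a defender should prune from the public record: contacts on external mailboxes, third-party name servers and mail relays, role-revealing host names, and hosts outside the organisation's own address ranges. Using the SPF record as the source of the organisation's netblocks, and the list of role labels, are assumptions of this example.

```python
"""Structuring the "initial information" of a footprint (added example).

Whois and nslookup/dig output is free text. This turns constructed samples
into a profile and flags what an attacker will use first, which is also what
a defender should prune from the public record.
"""
import ipaddress
import re

# Constructed whois output for the hypothetical domain example-target.com
# (not real registry data).
WHOIS_SAMPLE = """\
Domain Name: example-target.com
Registrar: Example Registrar, Inc.
Creation Date: 2001-03-14
Registrant Name: Jane Roe
Registrant Organization: Example Target LLC
Registrant Email: jane.roe@example-target.com
Admin Email: jroe1978@gmail.example
Admin Phone: +1.5055550142
Name Server: NS1.EXAMPLE-TARGET.COM
Name Server: NS2.HOSTING-PROVIDER.EXAMPLE
"""

# Constructed DNS answers in dig's presentation format (also hypothetical).
DNS_SAMPLE = """\
example-target.com.        3600 IN A     198.51.100.10
www.example-target.com.    3600 IN A     198.51.100.10
mail.example-target.com.   3600 IN A     198.51.100.25
vpn.example-target.com.    3600 IN A     198.51.100.40
dev.example-target.com.    3600 IN A     203.0.113.7
example-target.com.        3600 IN MX    10 mail.example-target.com.
example-target.com.        3600 IN TXT   "v=spf1 ip4:198.51.100.0/24 include:_spf.mailhost.example -all"
"""

# Host labels that advertise a role worth probing; an assumed list.
ROLE_LABELS = {"vpn", "dev", "test", "staging", "admin", "intranet"}

DNS_RE = re.compile(r"^(\S+?)\.?\s+\d+\s+IN\s+(\S+)\s+(.*)$")


def parse_whois(text):
    """Return {field: [values]} from 'Field: value' lines (fields can repeat)."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields.setdefault(key.strip(), []).append(value.strip())
    return fields


def parse_dns(text):
    """Return [(owner, rtype, rdata)] from dig-style answer lines."""
    records = []
    for line in text.splitlines():
        m = DNS_RE.match(line.strip())
        if m:
            records.append((m.group(1).lower(), m.group(2).upper(),
                            m.group(3).strip().strip('"')))
    return records


def build_footprint(whois_text, dns_text):
    """Combine both sources into a profile plus a list of (kind, item) findings."""
    whois = parse_whois(whois_text)
    records = parse_dns(dns_text)
    domain = whois.get("Domain Name", [""])[0].lower()
    name_servers = sorted(ns.lower().rstrip(".") for ns in whois.get("Name Server", []))
    a_records = {name: rdata for name, rtype, rdata in records if rtype == "A"}
    spf = [rdata for _, rtype, rdata in records if rtype == "TXT" and rdata.startswith("v=spf1")]
    # Netblocks the organisation itself advertises: the ip4: tokens of its SPF record.
    netblocks = sorted(tok[4:] for txt in spf for tok in txt.split() if tok.startswith("ip4:"))
    networks = [ipaddress.ip_network(b, strict=False) for b in netblocks]

    findings = []
    for key in ("Registrant Email", "Admin Email", "Tech Email"):
        for addr in whois.get(key, []):
            if not addr.lower().endswith("@" + domain):
                findings.append(("external_contact_mailbox", addr))  # phishable, outside org control
    for ns in name_servers:
        if not ns.endswith("." + domain):
            findings.append(("third_party_dns", ns))  # DNS dependency on another provider
    for txt in spf:
        for tok in txt.split():
            if tok.startswith("include:"):
                findings.append(("third_party_mail", tok[8:]))  # mail relayed via another provider
    for name, ip in sorted(a_records.items()):
        if name.split(".")[0] in ROLE_LABELS:
            findings.append(("role_hostname", name))  # the name says what the box is for
        if networks and not any(ipaddress.ip_address(ip) in n for n in networks):
            findings.append(("host_outside_netblocks", name))  # hosted elsewhere, maybe forgotten
    return {"domain": domain, "name_servers": name_servers, "hosts": sorted(a_records),
            "netblocks": netblocks, "findings": findings}


if __name__ == "__main__":
    profile = build_footprint(WHOIS_SAMPLE, DNS_SAMPLE)
    for kind, item in profile["findings"]:
        print(f"{kind:24} {item}")
```

Each finding is something the slide's "filed for future use" attacker would act on later (the external mailbox is a social-engineering target, dev.example-target.com on a foreign address range is a likely unpatched box), and each is something the organisation can fix or at least know about before the attacker does.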
Extracting the Archive of a Website
You can get information on a company website since its launch at www.archive.org
• For example: www.eccouncil.org
You can see updates made to the website.
You can look for an employee database, past products, press releases, contact information, and more.

www.archive.org
www.archive.org (cont'd)
[Screenshots of www.archive.org.]

Anonymity with Caches
Hackers may get a copy of sensitive data even if the admin pulls the plug on that pesky web server.
They can crawl the entire website without sending a single packet to the original server.
If the web server does not get so much as a packet, it cannot write anything to its log files.
The defender's side of the same fact: anything that was ever published is effectively permanent, so removing a file from the live server does not remove it from caches and archives.

Yahoo People Search
[Screenshot of Yahoo People Search.]

Footprinting Through Job Sites
You can gather a company's infrastructure details from job postings.
Look for the company's infrastructure postings, such as "looking for system administrator to manage Solaris 10 network".
This means that the company uses Solaris in its network.
• E.g., www.jobsdb.com
Job postings reveal: job requirements, employee profile, hardware information, software information.

Footprinting Through Industry Sites
• Industry trade associations may provide information about the target network as well.
Passive Information Gathering
Passive information gathering is done by finding the freely available information on the Internet, and by various other techniques, without coming into contact with the organization's servers.
Organizational websites are an exception: browsing the public website does touch the organization's servers, but the requests are indistinguishable from ordinary visitor traffic and so do not raise suspicion.

Competitive Intelligence Gathering
"Business moves fast. Product cycles are measured in months, not years. Partners become rivals quicker than you can say 'breach of contract.' So how can you possibly hope to keep up with your competitors if you can't keep an eye on them?" – FastCompany.com
Competitive intelligence gathering is the process of gathering information about your competitors from resources such as the Internet.
Non-interfering and subtle in nature.
Both a product and a process.

Tool: HTTrack Web Site Copier
This tool mirrors an entire website to the desktop.
You can footprint the contents of an entire website locally rather than visiting the individual pages.
Valuable footprinting tool.

Tool: SpiderFoot
SpiderFoot is a free, open-source domain footprinting tool which scrapes the websites on a domain, and searches Google, Netcraft, Whois, and DNS, to build up information such as:
• Subdomains
• Affiliates
• Web server versions
• Users
• Similar domains
• Email addresses
• Netblocks
Tool: Expired Domains
Expired Domains enables searching for expiring domain names by keyword, domain, character length, and other criteria.
The program can download an updated list of domain names with the click of a button.
Multiple filter rules can be created to find domain names that are of interest.
A list of "interesting" domain names can be printed or exported.

Tool: Maltego
Maltego can be used for the information gathering phase of penetration testing, making it possible for less experienced testers to work faster and more accurately.
Maltego provides a graphical interface that makes seeing information relationships instant and accurate, making it possible to see hidden connections.
Maltego has applications in:
• Forensic investigations
• Law enforcement
• Intelligence operations
• Identity fraud investigation
• Identity verification processes

E-Mail Spiders
Have you ever wondered how spammers generate a huge mailing database?
They pick up tons of e-mail addresses by searching the Internet.
All they need is a web spidering tool that picks up e-mail addresses and stores them in a database.
If these tools run all night, they can capture hundreds of thousands of e-mail addresses.
Tools:
• Web Data Extractor
• 1st E-mail Address Spider

Part 2: Google Hacking
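The site-mirroring and scraping slides (HTTrack, SpiderFoot) and the e-mail spider slide above describe one mechanism: fetch a page, pull out what you want, follow the in-scope links, repeat. The following is an added example, not code from the deck or from any of the tools named. It runs over a constructed five-page site for the hypothetical domain example-target.com so it needs no network: fetch() stands in for an HTTP GET and every page's content is made up. It harvests e-mail addresses and subdomains, and also shows why the common "user [at] host [dot] com" obfuscation buys nothing against a spider that knows the pattern.

```python
"""A minimal e-mail and subdomain spider over a constructed site (added example).

The crawl stays inside one domain, follows links breadth-first, and pulls
e-mail addresses and subdomains out of every page it fetches.
"""
import re
from collections import deque
from urllib.parse import urljoin, urlparse

# Constructed pages standing in for HTTP responses (hypothetical site, no network).
SITE = {
    "http://www.example-target.com/": """
        <html><body>
        <a href="/about">About</a> <a href="/careers">Careers</a>
        <a href="http://support.example-target.com/kb">Knowledge base</a>
        <a href="http://partner.example.org/">Partner</a>
        </body></html>""",
    "http://www.example-target.com/about": """
        <p>Press: <a href="mailto:press@example-target.com">press@example-target.com</a></p>
        <p>Sales: sales@example-target.com</p>
        <a href="/about">Self link</a> <a href="/">Home</a>""",
    "http://www.example-target.com/careers": """
        <p>Send CVs to hr [at] example-target [dot] com</p>
        <p>Solaris 10 admin wanted; contact j.doe@example-target.com</p>
        <a href="http://dev.example-target.com/">Dev portal</a>""",
    "http://support.example-target.com/kb": """
        <p>Escalations: tier2@example-target.com</p>""",
    "http://dev.example-target.com/": "<p>Internal use only.</p>",
}

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# "user [at] host [dot] tld": the obfuscation a naive address regex misses.
OBFUSCATED_RE = re.compile(
    r"([A-Za-z0-9._%+-]+)\s*\[at\]\s*([A-Za-z0-9-]+)\s*\[dot\]\s*([A-Za-z]{2,})", re.I)
HREF_RE = re.compile(r'href="([^"]+)"', re.I)


def fetch(url):
    """Stand-in for an HTTP GET; returns None for unknown URLs (a 404)."""
    return SITE.get(url)


def spider(start_url, domain, max_pages=50):
    """Crawl within `domain`; return (emails, subdomains, pages_visited)."""
    seen, queue = set(), deque([start_url])
    emails, subdomains = set(), set()
    while queue and len(seen) < max_pages:
        url = queue.popleft()
        if url in seen:
            continue
        seen.add(url)
        body = fetch(url)
        if body is None:
            continue
        emails.update(m.lower() for m in EMAIL_RE.findall(body))
        emails.update(f"{u}@{h}.{t}".lower() for u, h, t in OBFUSCATED_RE.findall(body))
        for href in HREF_RE.findall(body):
            if href.startswith("mailto:"):
                emails.add(href[len("mailto:"):].lower())
                continue
            link = urljoin(url, href)  # resolves relative paths against the current page
            host = urlparse(link).hostname or ""
            if host == domain or host.endswith("." + domain):
                subdomains.add(host)
                if link not in seen:
                    queue.append(link)
            # Off-domain links are neither followed nor recorded: the crawl stays in scope.
    return sorted(emails), sorted(subdomains), len(seen)


if __name__ == "__main__":
    found_emails, found_subdomains, visited = spider("http://www.example-target.com/", "example-target.com")
    print(f"{visited} pages:", found_emails, found_subdomains)
```

Five pages yield five addresses and three subdomains, including dev.example-target.com, which is linked only from the careers page. The defensive reading: crawl your own site (or a mirror of it) the same way to see exactly what it gives away; if an address must not be harvested, put it behind a contact form or use a role mailbox you expect to be spammed, because "[at]" and "[dot]" are reversed in one line.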
What is Google Hacking?
Google hacking is a term that refers to the art of creating complex search engine queries in order to filter large amounts of search results for information related to computer security.
In its malicious form, it can be used to detect websites that are vulnerable to numerous exploits and vulnerabilities, as well as to locate private, sensitive information about others, such as credit card numbers, social security numbers, and passwords.
Google hacking involves using Google operators to locate specific strings of text within search results.

What a Hacker Can Find With Google Hacking
Information that the Google Hacking Database identifies:
• Advisories and server vulnerabilities
• Error messages that contain too much information
• Files containing passwords
• Sensitive directories
• Pages containing logon portals
• Pages containing network or vulnerability data, such as firewall logs

SiteDigger Tool
SiteDigger searches Google's cache to look for vulnerabilities, errors, configuration issues, proprietary information, and interesting security nuggets on websites.

C|EH Cont.
The source decks continue with complete presentations of:
• Scanning
• Gaining Access
• Maintaining Access
• Covering Your Tracks
Over 3,500 tools, viruses, and malware samples, robo-demo videos recorded in our advanced hacking lab, and examples are included in the curriculum.

Conclusion
Thank you for your time. Discussion is now open.
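For the Google Hacking slides (Part 2) above: the following added example, not part of the deck and not SiteDigger's code, evaluates queries built from site:, inurl:, intitle:, filetype:, quoted phrases and negation against a constructed index of hypothetical pages, so the narrowing effect of each operator is visible, and then runs a handful of GHDB-style templates against one domain the way a defender audits their own exposure. The index, the templates and the matching rules are simplifications and assumptions of this example, not Google's actual operator semantics or ranking.

```python
"""A tiny evaluator for Google-style search operators (added example).

Google hacking is the combination of operators until only the interesting
pages are left. This evaluates such queries against a constructed index and
shows the defensive use: running GHDB-style templates against your own domain.
"""
import shlex
from urllib.parse import urlparse

# Constructed index standing in for search-engine results (hypothetical pages).
INDEX = [
    {"url": "http://www.example-target.com/index.html", "title": "Example Target - Home",
     "body": "Welcome to Example Target."},
    {"url": "http://www.example-target.com/backup/", "title": "Index of /backup",
     "body": "db_dump.sql  site.tar.gz  Parent Directory"},
    {"url": "http://www.example-target.com/logs/firewall.log", "title": "firewall.log",
     "body": "DROP TCP 203.0.113.9 -> 198.51.100.10:22"},
    {"url": "http://www.example-target.com/admin/login.php", "title": "Admin Login",
     "body": "Username Password Remember me"},
    {"url": "http://www.example-target.com/config/settings.txt", "title": "settings",
     "body": "db_user=app db_password=Winter2009!"},
    {"url": "http://www.example.org/docs/password-policy.pdf", "title": "Password policy",
     "body": "Choose a strong password."},
]

OPERATORS = {"site", "inurl", "intitle", "filetype"}


def parse_query(query):
    """Split a query into (operator, value, negated) triples."""
    terms = []
    for tok in shlex.split(query):  # shlex keeps "quoted phrases" as one token
        negated = tok.startswith("-")
        tok = tok[1:] if negated else tok
        op, sep, val = tok.partition(":")
        if sep and op in OPERATORS:
            terms.append((op, val.lower(), negated))
        else:
            terms.append(("text", tok.lower(), negated))
    return terms


def _matches(doc, op, val):
    """Does one term match one index entry? Plain text is matched in title or body."""
    url = doc["url"].lower()
    parsed = urlparse(url)
    host = parsed.hostname or ""
    if op == "site":
        return host == val or host.endswith("." + val)
    if op == "inurl":
        return val in url
    if op == "intitle":
        return val in doc["title"].lower()
    if op == "filetype":
        return parsed.path.endswith("." + val)
    return val in doc["title"].lower() or val in doc["body"].lower()


def search(query, index=INDEX):
    """Return the URLs of index entries satisfying every term of the query."""
    terms = parse_query(query)
    # A negated term is satisfied when it does NOT match, hence the != neg test.
    return [doc["url"] for doc in index
            if all(_matches(doc, op, val) != neg for op, val, neg in terms)]


# GHDB-style templates; {d} is replaced with the domain being checked.
DORKS = {
    "directory listing": 'site:{d} intitle:"index of"',
    "log files": "site:{d} filetype:log",
    "credentials in text": "site:{d} filetype:txt password",
    "login portals": "site:{d} inurl:login",
}


def self_audit(domain, index=INDEX):
    """Run every template against one domain; return {category: [urls]} for hits."""
    report = {}
    for name, template in DORKS.items():
        hits = search(template.format(d=domain), index)
        if hits:
            report[name] = hits
    return report


if __name__ == "__main__":
    for category, urls in self_audit("example-target.com").items():
        print(f"{category}: {urls}")
```

Against the constructed index every template fires once for example-target.com and none fires for example.org, which is the point of the audit: the same queries an attacker would run tell the site owner which directory listings, log files and plain-text credentials are already indexed. On the real search engine the caveat from the SiteDigger slide applies in reverse as well: a page you have since removed stays findable until the cache expires.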
Contact:
EC-Council: Steven Graham, Senior Director | US
  steve.graham@eccouncil.org
  3819 Osuna NE, Albuquerque, NM 87109
  Web: http://iclass.eccouncil.org/
  US Office: 505.341.3228 x102
Cengage: Elizabeth Sugg, Senior Curriculum Services Manager, Digital Solutions Group, Cengage Learning
  PO Box 563, Nyack, New York 10960
  (c) 845-337-0253 | (o) 845-358-4836 | (e) elizabeth.sugg@cengage.com | www.cengage.com

Presentation Sources:
• EC-Council: www.eccouncil.org, iclass.eccouncil.org
• USA Today: http://www.usatoday.com/money/perfi/credit/2009-01-20-heartland-credit-card-security-breach_N.htm
• Heartland Payment Systems: www.2008breach.com
• SecureWorks: http://www.secureworks.com/media/press_releases/20080922-attacks/
• EC-Council Certified Ethical Hacker Curriculum Version 6.0 – Botnets
• National Strategy to Secure Cyberspace (hosted by DHS): http://www.dhs.gov/xlibrary/assets/National_Cyberspace_Strategy.pdf