Information Technology Security:
Fitting Into the Big Picture
Brandon Hoffman, KPMG LLP
Topics for Discussion

Typical IT Security Technical Work
Intrusion Detection/Prevention
 Ethical Hacking/Penetration Testing


IT Security in the Business


Risk, Audit Support, Compliance
Policies, Standards, and Procedures

IT Security’s Role in Creation and
Enforcement
Intrusion Detection
Intrusion Detection Systems are just what they
seem to be.
 Detect and Alert


How they work?




Host Based and Network Based
Statistical Modeling
Heuristics
Trending
End result? Similar to home security system
Intrusion Prevention Systems
Actively participates in defense of
security violations
 Host based IPS:

Resident to the host machine. Monitors
system calls and inbound traffic. Creates a
baseline and can prevent internal “bad”
behavior through system controls.
 Typically
works in conjunction with Anti-virus
 Sandboxing – Creates isolated “scratch” disk
space to run untrusted platforms or
applications from untrusted third parties
Intrusion Prevention cont’d

Network based IPS has several
operating modes or implementations:
Inline IPS is directly inline with the data
stream similar to a firewall
 Gateway Interaction performs packet
analysis interactively with the
router/firewall

Intrusion Prevention cont’d

Network intrusion prevention action
methods:
Content based – Inspects packet contents
for unique sequences or “signatures” to
prevent known attacks
 Protocol analysis – Decodes known
protocols to detect anomalous behavior
 Rate based – Used to prevent Denial of
Service attacks

Intrusion Prevention cont’d
Core Design:
www.pandasecurity.com
IPS Business Case 1
Company X requires a homogeneous solution due to compliance
and governance restrictions. The facts:
 Cisco is the network hardware provider for all communications.
 All connections need to be monitored:










VOIP
Hosts
Gateways
VPN
Routers and Switches
Ingress/Egress traffic (Firewall)
The aggregation point for analysis and statistics must be built
on a windows server platform
The solution must be licensed
The solution should not be built on open source code
Support from the vendor must be highly available regardless of
cost
IPS Business Case 1 cont’d
How do you choose?
© 2008 Gartner, Inc. and/or
its Affiliates. All Rights
Reserved.
IPS Business Case 1 cont’d
Cisco Solutions
Sourcefire Solutions
Points to consider:
Points to consider:
 Homogeneous solution  Homogeneous solution
 Proprietary Code Base
 Visionary Leader
 Controls SNORT signature
 Supreme Support
engine
 Current Vendor
 Cost
 Management easy but
 Potentially lacking support
not intuitive
 New vendor
 Fewer vulnerability
 Technically complicated
signatures
 Open Source based
 Cost
IPS Business Case 1 cont’d
Cisco wins based on the scorecard of requirements.
© 2007 Cisco Systems, Inc.
All rights reserved.
IPS Business Case 1 cont’d
Protection At All Layers
© 2007 Cisco Systems, Inc.
All rights reserved.
Ethical Hacking
Ethical hacking is a very common
profession within the IT security
industry.
 White hat, Grey hat, Black hat
 Sometimes synonymous with
penetration testing – A method of
assessing the security posture of a
system or network by simulating an
“attack”
Ethical Hacking cont’d
Most current computer protocols were designed
in a time when security was not a
consideration. Times have changed:
Source: CERT
Ethical Hacking cont’d
Why perform an ethical hack?
 Determine flaws and vulnerabilities
 Provide a quantitative metric for
evaluating systems and networks
 Measure against pre-established
baselines
 Determine risk to the organization
 Design mitigating controls
Ethical Hacking cont’d
Ethical Hacking cont’d
Ethical Hacking cont’d
Ethical Hacking cont’d
We will now explore some free tools and simple techniques to break into
a machine.
Disclaimer:

Don’t Try This At Home

Statute 1030, Fraud and Related Activity in Connection with
Computers, specifically states that whoever intentionally
accesses a protected computer without authorization, and as a
result of such conduct, recklessly causes damage or impairs
medical treatment, can receive a fine or imprisonment of five to
20 years. http://www.usdoj.gov/criminal/cybercrime/1030NEW.htm

Cyber Security Enhancement Act 2002 implicates life sentences
for hackers who 'recklessly' endanger the lives of others, and
several U.S. statutes address cyber crime.

http://www.usdoj.gov/criminal/cybercrime/homeland_CSEA.htm
Wanna Break In?
The first step in any ethical hack is to
obtain information in the most stealth
fashion.
USE NMAP!!
NMAP

nmap is an open-source port/security
scanner

http://insecure.org/
It’s primary function is the discovery
and mapping of hosts on a network
 nmap is consistently voted as one of
the most used security tools

NMAP



Host Discovery – Identifying computers on a
network
Port Scanning – Enumerating the open ports
on one or more target computers
Version Detection – Interrogating listening
network services


listening on remote computers to determine the
application name and version number
OS Detection – Remotely determining the
operating system from network devices
NMAP
Sample Syntax:
nmap [ <Scan Type> ...] [ <Options> ] { <target specification> }
TARGET SPECIFICATION:
Can pass hostnames, IP addresses, networks, etc.
Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0255.1-254
-iL <inputfilename>: Input from list of hosts/networks
-iR <num hosts>: Choose random targets
--exclude <host1[,host2][,host3],...>: Exclude hosts/networks
--excludefile <exclude_file>: Exclude list from file
NMAP cont’d
Analyze your results:
Vulnerabilities
Find any hosts worthwhile? Your next
step should be scanning for exploitable
vulnerabilities.
USE NESSUS!!!
© Copyright 2002 - 2009 Tenable Network Security(R).
All Rights Reserved.
Nessus


Nessus is an open-source vulnerability scanner
 Public domain software, such as Nessus, isn't
always inferior and sometimes it is actually
superior !
 Technical support available at
tenablesecurity.com
Three steps
1. Run a port-scan (using nmap) on the target host
to determine which ports are open
2. Once open ports are identified, Nessus runs a set
of exploits on the open ports. Nessus assumes
standard processes run on standard ports (i.e.,
http on port 80)
3. Check for and reporting vulnerabilities
Nessus

Vulnerability checks are implemented
through plugins.




Plugins are written in Nessus Attack Scripting
Language (NASL), a scripting language optimized
for custom network interaction.
New plugins are added as vulnerabilities are
discovered.
Many plugins check for a vulnerability by
actually exploiting the vulnerability.
The ‘safe checks’ option specifies that no
vulnerability check capable of crashing a
remote host be used (such as DOS attacks).
Nessus
Check your results!!
How Do We Exploit?
Now that you have found a useful
exploit, what do we use?
USE METASPLOIT!!!
Copyright © 2003-2009 Metasploit LLC
Metasploit ™ is a registered trademark
Contact us at msfdev[at]metasploit.com
MetaSploit
Metasploit was created in 2003 as a portable
network game using the Perl scripting
language. Later, the Metasploit Framework
was then completely rewritten in the Ruby
programming language. It is most notable
for releasing some of the most technically
sophisticated exploits to public security
vulnerabilities. In addition it is a powerful
tool for third party security researchers to
investigate potential vulnerabilities.
MetaSploit cont’d
Remember the machine with vulns?? Let’s use the metasploit framework….
MetaSploit cont’d
What else can we do now that were in???
MetaSploit cont’d
We can add shares as root!!
Ethical Hacking cont’d
Administrative items:
 Authorization letter – “Get out of jail
free card”
 Risk report
Likelihood of risk
 Mitigation plans
 Trends (performed with recurring clients)

Ethical Hacking cont’d
Quantitative Heat Map Guide
Vertical Axis = Likelihood of risk being realized
Horizontal Axis = Impact if risk were realized
Size of Bubble = Relative total instances of that issue
= Low Risk
= High Risk
= Moderate Risk
= Critical Risk
Almost
Certain
Likelihood of Occurrence
B
C
Likely
D
E
F
J
Moderate
K
H
L
O
I
N
Unlikely
A
G
M
P
Q
Rare
R
Low
Moderate
to Low
Moderate
Magnitude of Impact
Moderate
to High
High
Q&A
ANY QUESTIONS?
The CISO Agenda
Business
Managing 3rd Party Risk (Outsourcers)
Culture / Awareness
M&A
Strategy
High Availability
Technology
Enablement
Executive / Board Reporting
Metrics / Benchmarking
Privacy / Security Breach
Business Continuity
Brand Protection & Enhancement
Alignment with Business Goals / Objectives
Disaster Recovery
CISO
Identity Management
Mobile Computing
Linkage to Enterprise
Risk Mgmt
Regulatory
Compliance
Compliance / Internal Audit
Evolving Threats
Vulnerability / Patch Management
Staffing Support
Core Functions
Risk
IT Security performs a critical role in
assessing risk in the organization.
 Vulnerability Scanning
 Penetration Testing
 Industry Trends
 IT Strategy
 Familiarity with Audit and Compliance
measures
Audit Support
In many cases, IT Security is heavily
relied upon to perform in depth testing
required by an audit organization.
Security is enlisted by audit because:
 Technical expertise
 Familiarity with current issues from
internal testing
 Familiarity with Policies, Standards, and
Procedures
Compliance
Compliance may relate to internal
compliance or external compliance.
Internal compliance:
 Policies and Standards
 Security and Configuration baselines
 Framework use – ISO, COBIT, ITIL,
GAISP, NIST
 Best Practices
Compliance cont’d
External compliance:
 SOX (Sarbanes Oxley)

COSO Framework
HIPAA
 PCI
 Safe Harbor

ISO Best Practices
Source: www.rsa.com
Compliance in Action
Source: www.rsa.com
Internal Policy
IT Security is regularly tasked with
creation and enforcement of IT
policies, standards, and procedures.
Creation and enforcement of these
documents require:



Understanding of audit roles and procedures
Familiarity with all systems, networks, and
applications
Compliance considerations
Internal Policy cont’d
Definitions:



A Policy is a set of directional statements and requirements
aiming to protect corporate values, assets and intelligence.
Policies serve as the foundation for related standards,
procedures and guidelines.
A Standard is a set of practices and benchmarks employed
to comply with the requirements set forth in policies. A
standard should always be a derivation of a policy, as it is the
second step in the process of a company’s policy propagation.
A Procedure is a set of step-by-step instructions for
implementing policy requirements and executing standard
practices.
Internal Policy cont’d
Internal Policy cont’d
Policy creation and enforcement cycle
Policy Business Case
A top 5 global food retailer has a massive
IT/IS infrastructure and good
governance….but no real policies!
Policies are the foundation for enforcing
IT compliance and governance.
What policies were written for the client…
Policy Business Case cont’d
Policies written for IT Security:
 Acceptable Use Policy
 Information Classification & Ownership Policy
 Risk Assessment & Mitigation Policy
 Access Control Policy
 Network Configuration and Communication Policy
 Remote Access Policy
 Business Continuity Policy
 Incident Response Policy
 Third Party Data Sharing Policy
 System Implementation & Maintenance
 Secure Application Development
 Cryptography & Key Management
 Mobile Computing
 Physical & Environmental Security
Policy Business Case cont’d
Sample Policies
Q&A
Any Questions?
Contact Information
Brandon Hoffman
bshoffman@gmail.com
312.665.2775