Richard S. Carson and Associates, Management Consulting, Web-Based Products: World Wide Digital Security, Inc. Background

Transcript of the slide deck (43 pages)

Page 1: Richard S. Carson and Associates, Management Consulting, Web-Based Products, World Wide Digital Security, Inc. Background

Page 2: Background
Richard S. Carson and Associates
Management Consulting
Web-Based Products
World Wide Digital Security, Inc.

Page 3: Our Product
A suite of web-based security assessment tools used to determine a network's vulnerability and risk, with a patent-pending methodology:
Single assessment
Network
Denial of Service

Page 4: Benefits of WebSaint™

Web based delivery system – basis for minimum user impact

Dedicated computer is not needed – it is run on the web

Easy to use – complexities of installing software are removed

No costly software

Results are self explanatory – trained security professionals are not needed

Use as many times as you need under the 3-month subscription

Cost advantage in terms of product price and minimal resource impact

Product is always up-to-date with the most current vulnerabilities and threats

Page 5: Our Customer
The network administrator of a small to medium size enterprise who is looking for the easiest and most accurate tool to analyze network security:
Overworked
Dealing with Y2K issues
Resources limited for security

Page 6: The Opportunity

                        1997            2002
Internet Users          50 million      175 million
Electronic Commerce     $8 billion      $327 billion
Network Security        $1.3 billion    $6.5 billion

Page 7: The Opportunity
Our niche is the Internet Security Assessment market, estimated to be $1 billion by 2002.

WebSaint™ provides:

Vulnerability assessment by identifying security strengths and weaknesses

Detailed review and evaluation of a company's network, allowing the development of a baseline security policy from the data collected.

Corporate confidence that current security standards are being met.

Page 8: Our Competition
Internet Security Systems, Inc.

Network Associates, Inc.

Axent Technologies, Inc.

Netect, Inc.

Security Dynamics Technologies, Inc.

Page 9: Our Uniqueness in the Security Market
Patent pending, web-based delivery system

Subscription sales/easy selling approach

Focused – security assessments

Leads to consulting services

Page 10: Marketing
SATAN → SAINT → WebSaint™

Name recognition

VARs, partnerships, Joint Development Agreements

Using integrated Web and PR marketing approach

www.wwdsi.com

Page 11: SAINT™ History
SATAN released April 1995
COAST extensions released in December 1995
No updates since release
Scan of a large network using SATAN prompted development of SAINT

Page 12: SAINT™ – The New SATAN
New tests for the following:
"R" services (rlogin, rsh and rexec)
Vulnerable CGIs (e.g., webdist, phf, and test-cgi)
Vulnerable versions of IMAP and POP
SMB open shares
New backdoors (NetBus, Back Orifice)
ToolTalk service
Vulnerable versions of DNS
rpc.statd service
UDP echo and/or chargen (can be used for DoS)
Vulnerable news servers

Page 13: SAINT™ – The New SATAN
Identifies Microsoft Windows (3.x, 95, 98, NT) computers (may be vulnerable to various DoS attacks)

Added a new attack level (heavy +)

Performs in a firewalled environment

Many cosmetic and functional improvements

Page 14: What You Need
UNIX platform (AIX, OSF, FreeBSD, BSDI, IRIX, HP-UX, Linux, SunOS, System V)
20MB disk space
As much memory as you can get
Perl 5.00 or above
C compiler
Web browser
SAMBA (for SMB tests)

Page 15: How it Works

Page 16: Policy Engine
Controls what hosts SAINT may probe
Controls the intensity of the probes
Specified in the configuration file:
– attack level and what probes are included
– status file
– timeouts and timeout signals
– proximity variables
– trusted or untrusted targeting
– exceptions
– workarounds (DNS, ICMP)
Some settings can be changed via command-line switches or from the hypertext user interface

Page 17: Target Acquisition
Specified by the user:
– one host
– class C subnet
Generated by the inference engine when processing facts produced by the data acquisition module
Saves time by first checking whether hosts are actually alive:
– fping (default)
– tcp_scan on common ports (firewalled environments)

Page 18: Data Acquisition
Executes probes based on the target's scanning level:
– light
– normal
– heavy
– heavy plus
Written in Perl or shell script
Output written to the database in a common tool record format

Page 19: Inference Engine
Rules applied in real time
Results are either:
– new facts for the inference engine
– new probes for the data acquisition module
– new targets for the target acquisition module
Actually six separate engines, each controlled by its own rule base:
– todo – what probe to perform next
– hosttype – deduces system classes
– facts – deduces potential vulnerabilities
– services – translates cryptic daemon banners and/or port numbers to user-friendly names
– trust – classifies data collected on NFS, DNS, NIS, and other cases of trust
– drop – what to ignore

Page 20: Database Format
Facts – data generated by the data acquisition module and the inference engine
All-hosts – all hosts seen
Todo – all things it did

Page 21: Database Format – Facts
Target – name of the host the record refers to
Service – base name of the tool or service being probed
Status – whether the host was reachable
Severity – how serious the vulnerability is
Trustee – who trusts another target (user@host)
Trusted – who the trustee trusts (user@host)
Canonical Service Output – for non-vulnerability records, the reformatted version of the network service; for vulnerability records, the name of the tutorial
Text – additional information for reports

Page 22: Database Format – All-hosts
Host name
IP address
Proximity from original host
Attack level host has been probed with
Was subnet expansion on? (1 = yes, 0 = no)
Time scan was done

Page 23: Database Format – Todo
Host name
Tool to be run next
Arguments for tool
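The record layouts and rule bases on pages 16 through 23 can be exercised end to end with a small model. The following is an added example written for this transcript, not SAINT's own Perl code: it parses facts records in the page-21 field order, applies a page-16 style policy (proximity limit and exception lists) before a new target is accepted, and runs simplified services, facts, trust, todo and drop rule bases that emit new facts, new todo records and new all-hosts entries. The pipe separator, the status codes ('a' reachable, 'u' unreachable), the 'red' severity value, the hostnames and the specific rule behaviour are assumptions made for the example.

```python
"""Model of the SAINT data flow on pages 16-23: pipe-delimited facts and todo
records, a policy engine deciding which hosts may be probed, and an inference
engine whose rule bases turn each fact into new facts, probes and targets.
Added example, not SAINT's code; separator, status/severity codes, rule
behaviour and hostnames are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

SEP = "|"                                                   # assumed record separator
FACT_FIELDS = ("target", "service", "status", "severity",
               "trustee", "trusted", "canonical", "text")   # page 21 field order
TODO_FIELDS = ("host", "tool", "args")                      # page 23 field order


def parse_record(line: str, fields: Tuple[str, ...]) -> Dict[str, str]:
    """Split one record on SEP; short records are padded so every field exists."""
    parts = line.rstrip("\n").split(SEP)
    if len(parts) > len(fields):
        raise ValueError(f"too many fields in record: {line!r}")
    parts += [""] * (len(fields) - len(parts))
    return dict(zip(fields, parts))


@dataclass
class Policy:
    """Page 16: controls what hosts may be probed and how hard (names assumed)."""
    attack_level: str = "normal"                  # light / normal / heavy / heavy+
    max_proximity: int = 1                        # hops away from the user's own targets
    dont_attack_these: Set[str] = field(default_factory=set)
    only_attack_these: Set[str] = field(default_factory=set)   # empty = no restriction

    def may_probe(self, host: str, proximity: int) -> bool:
        if host in self.dont_attack_these or proximity > self.max_proximity:
            return False
        return not self.only_attack_these or host in self.only_attack_these


# "services" rule base (page 19): port number -> user-friendly name
SERVICE_NAMES = {79: "finger", 111: "portmapper", 513: "rlogin", 514: "rsh", 2049: "nfs"}


class InferenceEngine:
    """Pages 17, 19, 20: rules run as each fact arrives and feed the three tables."""

    def __init__(self, policy: Policy, targets: Dict[str, int]):
        self.policy = policy
        self.all_hosts: Dict[str, int] = dict(targets)   # host -> proximity (page 22)
        self.facts: List[Dict[str, str]] = []
        self.todo: List[Dict[str, str]] = []
        self.trust: Set[Tuple[str, str]] = set()        # (trustee, trusted) edges
        self.dropped: List[Dict[str, str]] = []

    def add_fact(self, fact: Dict[str, str]) -> None:
        if fact["status"] == "u":             # "drop" rule base: unreachable host, ignore
            self.dropped.append(fact)
            return
        self.facts.append(fact)
        for rule in (self.rule_services, self.rule_facts, self.rule_trust, self.rule_todo):
            rule(fact)

    def rule_services(self, fact: Dict[str, str]) -> None:
        # tcpscan text "port:banner" becomes a new fact naming the service; it re-enters the engine
        if fact["service"] == "tcpscan" and fact["text"][:1].isdigit():
            port, _, banner = fact["text"].partition(":")
            name = SERVICE_NAMES.get(int(port), banner or f"port {port}")
            self.add_fact({**fact, "service": name, "canonical": name, "text": ""})

    def rule_facts(self, fact: Dict[str, str]) -> None:
        # an NFS export to 'everyone' is the red "Unrestricted NFS export" finding (page 37)
        if fact["service"] == "showmount" and not fact["severity"] and "everyone" in fact["text"]:
            self.add_fact({**fact, "severity": "red", "canonical": "Unrestricted NFS export"})

    def rule_trust(self, fact: Dict[str, str]) -> None:
        # trustee/trusted (page 21) become a trust edge; the trusted host is a new target, one hop out
        if fact["trustee"] and fact["trusted"]:
            self.trust.add((fact["trustee"], fact["trusted"]))
            host = fact["trusted"].rpartition("@")[2]
            self.add_target(host, self.all_hosts.get(fact["target"], 0) + 1)

    def rule_todo(self, fact: Dict[str, str]) -> None:
        # seeing the portmapper schedules the NFS export probe on the same host
        if fact["canonical"] == "portmapper":
            self.schedule(fact["target"], "showmount", "-e")

    def add_target(self, host: str, proximity: int) -> None:
        if host not in self.all_hosts and self.policy.may_probe(host, proximity):
            self.all_hosts[host] = proximity
            self.schedule(host, "tcpscan", self.policy.attack_level)

    def schedule(self, host: str, tool: str, args: str) -> None:
        rec = {"host": host, "tool": tool, "args": args}
        if rec not in self.todo and self.policy.may_probe(host, self.all_hosts.get(host, 0)):
            self.todo.append(rec)

    def vulnerabilities(self) -> List[Tuple[str, str, str]]:
        return [(f["target"], f["severity"], f["canonical"]) for f in self.facts if f["severity"]]


def run(records: str, policy: Policy, targets: Dict[str, int]) -> InferenceEngine:
    eng = InferenceEngine(policy, targets)
    for line in records.splitlines():
        if line.strip():
            eng.add_fact(parse_record(line, FACT_FIELDS))
    return eng


# Constructed data-acquisition output for two user-specified targets (hostnames are made up).
SAMPLE_FACTS = """\
alpha.example.test|tcpscan|a|||||111:
alpha.example.test|showmount|a|||||/home exported to everyone
alpha.example.test|showmount|a||root@alpha.example.test|root@nfsclient.example.test||/export exported to nfsclient.example.test
beta.example.test|tcpscan|u|||||
"""
TARGETS = {"alpha.example.test": 0, "beta.example.test": 0}

if __name__ == "__main__":
    eng = run(SAMPLE_FACTS, Policy(max_proximity=1), TARGETS)
    print("vulnerabilities:", eng.vulnerabilities())
    print("trust:", sorted(eng.trust))
    for rec in eng.todo:                      # todo records in the page-23 layout
        print(SEP.join(rec[f] for f in TODO_FIELDS))
```

Run as a script it reports one red finding on alpha, the trust edge to the NFS client, and two todo records: showmount on alpha and a tcpscan of the client at proximity 1. Setting max_proximity to 0 in the Policy stops the engine from following the trust edge, which is the page-16 control over how far a scan is allowed to wander from the hosts the user named.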

Page 24: User Interface
Requires an HTML browser
Documentation
Data management
Data gathering
Viewing results:
– vulnerabilities
– host information
– trust
Also can be run from the command line

Page 25: SAINT™ Vulnerabilities
Red – Services that are vulnerable to attack. Hackers exploiting these services may cause substantial harm.
DNS vulnerabilities
FTP vulnerabilities
Hacker program found
HTTP CGI access
IMAP version
INN vulnerabilities
NFS export to unprivileged programs
NFS export via portmapper
Open SMB shares
Remote shell access
REXD access
Sendmail vulnerabilities
SSH vulnerabilities
TFTP file access
Unrestricted modem
Unrestricted NFS export
Writable FTP home directory

Page 26: SAINT™ Vulnerabilities
Yellow – Services that may directly or indirectly assist a hacker in determining passwords or other critical information.
NIS password file access
Unrestricted X server access

Page 27: SAINT™ Vulnerabilities
Brown – Services that may not be vulnerable but whose configuration and/or version may make them vulnerable. Further investigation on the part of the system administrator may be necessary.
Excessive finger information
HTTP CGI info
NetBIOS over the Internet
POP server
POP version
Possible DoS (fraggle) problem
Remote login on the Internet
Remote shell on the Internet
Rexec on the Internet
Statd vulnerability
Rstatd vulnerability
Rusersd vulnerability
Sendmail info
Windows detected

Page 28: SAINT™ Vulnerabilities
Green – Services that do not have any vulnerabilities apparent through remote assessment. (However, if passwords have been compromised, these services may prove to be vulnerable to exploitation by local users.)

Page 29: Who Uses It?
System Administrators
Security Administrators
Requires some knowledge of UNIX
Requires installation and configuration of software
What about the less technical, less UNIX-savvy administrator? . . .

Page 30: What You Need
Web browser
Internet connection
E-mail address

Page 31: How it Works
Customer requests scan via Web page

Customer receives e-mail containing URL for custom page

Customer uses custom page to start scan

Customer receives a second e-mail after the scan completes containing a new URL for the results

Customer can perform an unlimited number of scans within the subscription period

Page 32: Getting off the ground . . .

We’d like to hear your comments and ideas.

Page 33: Detailed SAINT™ Vulnerabilities

Page 34: SAINT™ Red Services (1 of 5)
DNS vulnerabilities
– Impact: unauthorized access (remote) and/or denial of service
– Resolution: patch or updated version
FTP vulnerabilities
– Impact: unauthorized access (remote or local)
– Resolution: patch, updated version, restrict access
Hacker program found
– Impact: host has been compromised
– Resolution: remove program, remove hacker
HTTP CGI access
– Impact: execute arbitrary commands (remote or local)
– Resolution: remove/disable CGI

Page 35: SAINT™ Red Services (2 of 5)
IMAP version
– Impact: unauthorized access (remote)
– Resolution: patch, updated version, restrict access
INN vulnerabilities
– Impact: unauthorized access (remote)
– Resolution: patch, updated version
NFS export to unprivileged programs
– Impact: unauthorized file access (read/write), program execution
– Resolution: restrict access, block router ports (2049, 111)
NFS export via portmapper
– Impact: unauthorized file access (read/write)
– Resolution: restrict access, block router ports (2049, 111)

Page 36: SAINT™ Red Services (3 of 5)
Open SMB shares
– Impact: unauthorized file access (read/write)
– Resolution: disable SMB over the Internet, restrict access
Remote shell access
– Impact: unauthorized remote shell/login from arbitrary hosts
– Resolution: restrict access
REXD access
– Impact: unauthorized REXD remote access from arbitrary hosts
– Resolution: disable service, restrict access
Sendmail vulnerabilities
– Impact: unauthorized access (remote)
– Resolution: patch, updated version
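The red "Remote shell access" entry above is what SAINT sees from outside. On the host itself the usual cause is a "+" wildcard in /etc/hosts.equiv or a user's ~/.rhosts, which rshd and rlogind treat as "trust every host". The following added example, not part of the original deck or of SAINT, parses those two files in their native format (host, optional user, "#" comments, "-host" deny entries, "+@netgroup" references) and reports the entries that admit arbitrary hosts or users; the sample file contents are constructed.

```python
"""Local check behind the red "Remote shell access" finding: hosts.equiv / .rhosts
entries that trust every host or every user. Added example, not SAINT's code;
the sample files below are constructed."""
from typing import List, Tuple


def parse_rhosts(text: str) -> List[Tuple[str, str]]:
    """Return (host, user) pairs, user '' when the line names only a host.
    '#' comments and blank lines are skipped; '-host' deny entries pass through."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        entries.append((parts[0], parts[1] if len(parts) > 1 else ""))
    return entries


def audit_rhosts(text: str, path: str) -> List[str]:
    """One finding per entry that admits arbitrary hosts or arbitrary users."""
    findings = []
    for host, user in parse_rhosts(text):
        if host == "+" and user == "+":
            findings.append(f"{path}: '+ +' admits any user from any host")
        elif host == "+":
            who = f"user {user}" if user else "the matching local account"
            findings.append(f"{path}: '+' admits {who} from any host")
        elif user == "+":
            findings.append(f"{path}: any user on {host} is admitted")
        elif host.startswith("+@"):
            findings.append(f"{path}: trusts netgroup {host[2:]}; review its membership")
    return findings


# Constructed samples: a permissive hosts.equiv and an unremarkable .rhosts.
SAMPLE_HOSTS_EQUIV = """\
# /etc/hosts.equiv
+                      # trust every host: the classic mistake
backup.example.test
+@nfsclients
"""
SAMPLE_RHOSTS = """\
admin.example.test  alice
-rogue.example.test
"""

if __name__ == "__main__":
    for path, text in (("/etc/hosts.equiv", SAMPLE_HOSTS_EQUIV), ("~/.rhosts", SAMPLE_RHOSTS)):
        for finding in audit_rhosts(text, path) or [f"{path}: no wildcard entries"]:
            print(finding)
```

The check reads the files from disk in practice (root's ~/.rhosts deserves the first look); here the two constructed samples stand in for them. The "restrict access" resolution on this page means replacing the "+" with the specific hosts that need rsh/rlogin access, or removing the r-services altogether.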

Page 37: SAINT™ Red Services (4 of 5)
SSH vulnerabilities
– Impact: unauthorized use of credentials (local)
– Resolution: updated version
TFTP file access
– Impact: unauthorized access (remote)
– Resolution: disable service, restrict access
Unrestricted modem
– Impact: unauthorized access (remote) of modem
– Resolution: restrict access
Unrestricted NFS export
– Impact: unauthorized file access (read/write)
– Resolution: restrict access, block router ports (2049, 111)

Page 38: SAINT™ Red Services (5 of 5)
Writable FTP home directory
– Impact: unauthorized file access (read/write/execute)
– Resolution: restrict access

Page 39: SAINT™ Yellow Services
NIS password file access
– Impact: access to NIS password file by arbitrary hosts
– Resolution: restrict access
Unrestricted X server access
– Impact: unrestricted X server access from arbitrary hosts
– Resolution: restrict access

Page 40: SAINT™ Brown Services (1 of 4)
Excessive finger information
– Impact: releases excess account information
– Resolution: disable service, restrict access
HTTP CGI info
– Impact: provides information about server
– Resolution: remove/disable CGI
NetBIOS over the Internet
– Impact: unauthorized file access (read/write)
– Resolution: disable service
POP server
– Impact: unauthorized access (passwords in the clear)
– Resolution: disable service, use more secure version

Page 41: SAINT™ Brown Services (2 of 4)
POP version
– Impact: unauthorized access (remote)
– Resolution: patch, updated version, restrict access
Possible DoS (fraggle) problem
– Impact: denial of service (intermediary and victim)
– Resolution: router configuration
Remote login on the Internet
– Impact: unauthorized shell access (with no password)
– Resolution: disable service, restrict access
Remote shell on the Internet
– Impact: unauthorized remote shell/login from arbitrary hosts
– Resolution: restrict access

Page 42: SAINT™ Brown Services (3 of 4)
Rexec on the Internet
– Impact: unauthorized program execution (remote)
– Resolution: disable service, restrict access
Sendmail info
– Impact: provides information about users
– Resolution: disable EXPN and VRFY commands
Statd vulnerability
– Impact: unauthorized access (remote/local)
– Resolution: patch, disable service
Rstatd vulnerability
– Impact: provides information about host's performance
– Resolution: disable service
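The "Sendmail info" item above is checked by simply asking the server. The following is an added example, not SAINT's code: probe() issues VRFY and EXPN for a couple of common mailboxes through any object exposing smtplib's docmd(cmd, arg) interface and classifies the reply codes (250/251 name the mailbox, 252 accepts without verifying, 5xx refuses), probe_host() runs it against a live server, and FakeSMTP is a constructed transcript so the check also runs offline. The probe names and the FakeSMTP replies are assumptions.

```python
"""Does an SMTP server answer VRFY/EXPN with mailbox data? Added example, not
SAINT's code. probe() drives anything with smtplib's docmd(); FakeSMTP is a
constructed transcript of a default server and of one with VRFY/EXPN disabled."""
import smtplib
from typing import Dict, List, Tuple

PROBE_NAMES = ("root", "postmaster")    # assumption: mailboxes almost every server has


def classify(code: int) -> str:
    """RFC 5321: 250/251 confirm and name the mailbox (information leak),
    252 means 'cannot verify but will accept', 5xx means refused/disabled."""
    if code in (250, 251):
        return "leaks"
    if code == 252:
        return "no-leak"
    if 500 <= code < 600:
        return "disabled"
    return "unexpected"


def probe(conn) -> Dict[str, str]:
    """Worst verdict over PROBE_NAMES for each of VRFY and EXPN.
    conn needs docmd(cmd, arg) -> (code, msg), as smtplib.SMTP provides."""
    order = ("leaks", "unexpected", "no-leak", "disabled")
    results = {}
    for cmd in ("VRFY", "EXPN"):
        verdicts = {classify(conn.docmd(cmd, name)[0]) for name in PROBE_NAMES}
        results[cmd] = next(v for v in order if v in verdicts)
    return results


def probe_host(host: str, port: int = 25, timeout: float = 10.0) -> Dict[str, str]:
    """Live check; only run against servers you are authorized to assess."""
    with smtplib.SMTP(host, port, timeout=timeout) as conn:
        conn.ehlo_or_helo_if_needed()
        return probe(conn)


class FakeSMTP:
    """Constructed replies. Default: both commands answer 250 with an address.
    Hardened (PrivacyOptions=noexpn,novrfy): VRFY -> 252, EXPN -> 502."""

    def __init__(self, hardened: bool):
        self.hardened = hardened
        self.transcript: List[str] = []

    def docmd(self, cmd: str, arg: str = "") -> Tuple[int, bytes]:
        self.transcript.append(f"{cmd} {arg}")
        if self.hardened:
            if cmd == "VRFY":
                return 252, b"2.5.2 Cannot VRFY user; try RCPT to attempt delivery"
            return 502, b"5.7.0 Sorry, we do not allow this operation"
        if cmd == "VRFY":
            return 250, f"2.1.5 {arg} <{arg}@mail.example.test>".encode()
        return 250, f"2.1.5 <{arg}@mail.example.test>".encode()


if __name__ == "__main__":
    for label, server in (("default", FakeSMTP(False)), ("hardened", FakeSMTP(True))):
        print(label, probe(server))
```

On Sendmail the resolution on this page is the sendmail.cf option `O PrivacyOptions=noexpn,novrfy` (or the stricter `goaway`), set through `confPRIVACY_FLAGS` when the .cf file is generated from m4. After the change a live probe_host() should come back looking like the hardened FakeSMTP: 252 for VRFY, 502 for EXPN, and no addresses in either reply.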

Page 43: SAINT™ Brown Services (4 of 4)
Rusersd vulnerability
– Impact: provides information about users
– Resolution: disable service
Windows detected
– Impact: operating system may be vulnerable to denial of service
– Resolution: patch, disable unnecessary services