Educating System Testers in Vulnerability Analysis:
Laboratory Development and Deployment
Leonardo A. Martucci, Hans Hedbom, Stefan Lindskog, and Simone Fischer-Hübner
Department of Computer Science, Karlstad University
SWEDEN
2 WECS'7
Outline
- Introduction and background
- Course overview
- Course content
- Hands-on assignments
- Evaluation and lessons learned
- Conclusion
- Errata
3 WECS'7
Introduction
The constantly growing number of security
- vulnerabilities
- threats
- incidents
has led to increased investments in the development of more secure systems. The lack of security functionality and assurance may result in high costs. Vulnerability analysis (VA) is an important means for improving the security assurance of IT systems during the test and integration phases.
4 WECS'7
Background
- A large telecom company decided to increase its efforts in VA by educating its software testers
- It decided to outsource the education and training of its testers
- A compact (3 days) VA course was developed at our department
- The course has been held 3 times during 2005 for a total of 45 participants
5 WECS'7
Course Overview
- The emphasis of the course is on practical hands-on assignments
- The course is aimed at software testers with
  - little or no security experience
  - extensive knowledge in software testing
- The topics included in the course are based on a preliminary list of topics specified by the contractor
- A set of laboratory assignments was derived from this list
- Approximately 30-40% of the course covers theoretical aspects and the rest is used for practical assignments
6 WECS'7
Course Content
The course content is divided into 4 blocks:
1. Introduction to computer and network security
   - Motivation, evaluation criteria, security standards, risk analysis, and ethics
2. Computer and network security protocols and tools
   - Cryptography, IPSec, SSH, SSL/TLS, PKI, VPNs, IDSs, firewalls, and a set of laboratory assignments
3. Vulnerability analysis
   - The four steps of VA: (1) reconnaissance, (2) research and planning, (3) attack mounting, and (4) assessment
   - Known vulnerabilities, reconnaissance tools and information gathering
4. Common host attacks, malicious code, node hardening, and several practical laboratory assignments
7 WECS'7
Hands-on Assignments
The following laboratory assignments are included:
- password cracking
- testing for randomness
- firewall
- black box testing
- network analyzing (and ARP spoofing)
- port scanning
- node hardening
- security scanning
Final project
- Putting it all together (i.e., “from grain to bread”)
8 WECS'7
Ethical Rules
The participants were requested to follow the following ethical rules:
- Do not experiment with VA tools without explicit permission of an authorized party
- Do not pass on/publish material, tools, and vulnerabilities to unauthorized parties
- Do not use your technical skills in criminal or ethically questionable activities
- Always report flaws to vendors/developers first
- Software tools provided in this course must only be used in a laboratory environment and on laboratory computers
9 WECS'7
The Laboratory Environment
- The laboratory was prepared for 20 students working in pairs
- Each pair has its own workstation
- Each workstation
  - was dual boot: Windows XP and Fedora Core 3 Linux
  - was equipped with an Ethernet NIC
- The laboratory was also configured with two servers
  - one running Windows 2000 Server
  - the other running Fedora Core 3 Linux
- In some assignments the servers were the target
10 WECS'7
Password Cracking
Goal
- To show that weak passwords could be a serious threat
Running the assignment
- The password cracking tool “John the Ripper” was used to detect weak passwords on the participants' own workstation running Linux
- Some easy-to-break passwords were introduced in the password file
Knowledge obtained
- The participants have tested a password cracking tool to identify weak passwords
11 WECS'7
Testing for Randomness
Goal
- To educate the participants in how to identify non-random properties in sequences produced by a pseudo random number generator (PRNG)
Running the assignment
- The NIST statistical test suite was used to evaluate outputs from different PRNGs
- A short introduction to hypothesis testing was needed in order for the participants to evaluate the output from the tool
Knowledge obtained
- The participants have learned that:
  - good PRNGs are a crucial cryptographic primitive
  - automatic tools exist to validate PRNGs
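The hypothesis-testing step that the slide says the participants needed is easiest to see on two of the simplest tests in the NIST suite. The script below is an added example written for this page, not code from the course or from the NIST suite: it re-implements the frequency (monobit) test and the runs test of NIST SP 800-22 in awk, and, since awk has no erfc() to turn the statistic into a p-value, it compares each statistic with the critical value for a significance level of 0.01, which rejects the null hypothesis "the sequence is random" exactly when the p-value would be below 0.01. The three input sequences are constructed; the seed passed to awk's rand() is arbitrary.

```shell
#!/bin/sh
# Added example: the frequency (monobit) test and the runs test from NIST
# SP 800-22 (sections 2.1 and 2.3), re-implemented in awk. This is not the
# NIST suite itself, just its two simplest tests, to show the hypothesis
# testing behind the suite's PASS/FAIL output.
#
# H0: "the bit sequence is random". The p-value would be erfc(s_obs/sqrt 2)
# for monobit and erfc(stat) for runs. awk has no erfc, so each test compares
# its statistic with the critical value for alpha = 0.01 and rejects H0
# exactly when p < 0.01. Exit status 0 means PASS, 1 means FAIL.

# monobit BITS: are ones and zeros balanced?
#   s_obs = |#ones - #zeros| / sqrt(n); reject when s_obs > 2.5758
monobit() {
    printf '%s' "$1" | awk '{
        n = length($0); s = 0
        for (i = 1; i <= n; i++) s += ((substr($0, i, 1) == "1") ? 1 : -1)
        sobs = (s < 0 ? -s : s) / sqrt(n)
        fail = (sobs > 2.5758)
        printf "monobit: n=%d s_obs=%.3f %s\n", n, sobs, (fail ? "FAIL" : "PASS")
        exit fail
    }'
}

# runs BITS: is the number of runs (maximal blocks of identical bits) plausible?
#   pi = fraction of ones; prerequisite |pi - 1/2| < 2/sqrt(n), else p = 0
#   V = number of runs; stat = |V - 2n pi (1-pi)| / (2 sqrt(2n) pi (1-pi))
#   reject when stat > 1.8214 (= 2.5758 / sqrt 2)
runs() {
    printf '%s' "$1" | awk '{
        n = length($0); ones = 0; v = 1
        for (i = 1; i <= n; i++) {
            if (substr($0, i, 1) == "1") ones++
            if (i > 1 && substr($0, i, 1) != substr($0, i - 1, 1)) v++
        }
        pi = ones / n
        dev = pi - 0.5; if (dev < 0) dev = -dev
        if (dev >= 2 / sqrt(n)) {
            printf "runs: n=%d pi=%.3f prerequisite not met FAIL\n", n, pi
            exit 1
        }
        x = v - 2 * n * pi * (1 - pi); if (x < 0) x = -x
        x = x / (2 * sqrt(2 * n) * pi * (1 - pi))
        fail = (x > 1.8214)
        printf "runs: n=%d V=%d stat=%.3f %s\n", n, v, x, (fail ? "FAIL" : "PASS")
        exit fail
    }'
}

# Constructed inputs: all zeros, a perfectly alternating sequence (balanced,
# so monobit accepts it, but it has far too many runs), and 2000 bits from
# awk's own rand(), a plain non-cryptographic PRNG that normally passes both.
zeros=$(printf '0%.0s' $(seq 1 1000))
alternating=$(printf '01%.0s' $(seq 1 500))
pseudo=$(awk 'BEGIN { srand(7); for (i = 0; i < 2000; i++) printf "%d", (rand() < 0.5) }')

report() { echo "== $1"; monobit "$2" || :; runs "$2" || :; }
report "all zeros" "$zeros"
report "alternating 0101..." "$alternating"
report "awk rand()" "$pseudo"
```

The alternating sequence is the instructive case: it passes the monobit test with a perfect statistic of 0 and still fails the runs test, which is why a suite runs many tests and why a single PASS says little. Passing both tests is likewise no proof of cryptographic quality, since awk's rand() passes them too; the NIST suite only rejects generators that are visibly non-random.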
12 WECS'7
Firewall
Goal
- To provide hands-on experience on how firewall rules in Linux using iptables can be used
Running the assignment
- The participants were asked to write firewall rules for the setup in the figure in order to implement a given policy
Knowledge obtained
- The participants have the knowledge to write, read, understand, verify and evaluate firewall rules
[Figure: the firewall separating the LAN from the DMZ]
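The policy handed to the participants is not reproduced on this page, so the ruleset below is an added example written for this page rather than the course's own solution. It implements an assumed policy for the three-legged setup in the figure (LAN, DMZ, Internet): default deny, LAN may reach the Internet, LAN and Internet may reach one DMZ web server on HTTP/HTTPS only, the DMZ may never open connections into the LAN, and the firewall is administered over SSH from the LAN only. The interface names, the RFC 5737 address 192.0.2.10 for the web server and the environment variables are assumptions.

```shell
#!/bin/sh
# Added example, not the course's own assignment: iptables rules for a
# firewall with three interfaces implementing an assumed policy (see the
# comments). Interface names and the DMZ server address are assumptions;
# 192.0.2.10 is an RFC 5737 documentation address.
#
# IPT defaults to "echo" so the script prints the rules for review instead
# of loading them; run with IPT=iptables as root to apply them.

fw_policy() {
    ipt=${IPT:-echo}
    ext=${EXT:-eth0}; lan=${LAN:-eth1}; dmz=${DMZ:-eth2}
    dmz_web=${DMZ_WEB:-192.0.2.10}

    # Empty ruleset, default deny on every chain
    $ipt -F
    $ipt -X
    $ipt -P INPUT DROP
    $ipt -P FORWARD DROP
    $ipt -P OUTPUT DROP

    # Loopback, and replies belonging to connections that were already accepted
    $ipt -A INPUT -i lo -j ACCEPT
    $ipt -A OUTPUT -o lo -j ACCEPT
    $ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $ipt -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # New connections from the DMZ into the LAN are dropped before anything
    # else: a compromised DMZ host must not be able to reach inward
    $ipt -A FORWARD -i "$dmz" -o "$lan" -j DROP

    # LAN -> Internet: anything
    $ipt -A FORWARD -i "$lan" -o "$ext" -m state --state NEW -j ACCEPT
    # LAN -> DMZ web server and Internet -> DMZ web server: HTTP/HTTPS only
    $ipt -A FORWARD -i "$lan" -o "$dmz" -d "$dmz_web" -p tcp -m multiport --dports 80,443 -m state --state NEW -j ACCEPT
    $ipt -A FORWARD -i "$ext" -o "$dmz" -d "$dmz_web" -p tcp -m multiport --dports 80,443 -m state --state NEW -j ACCEPT

    # SSH to the firewall itself from the LAN only
    $ipt -A INPUT -i "$lan" -p tcp --dport 22 -m state --state NEW -j ACCEPT

    # Log (rate limited) whatever falls through to the default policy, so the
    # policy can be verified from the kernel log while it is being tested
    $ipt -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FW-DROP: "
}

fw_policy
```

Reviewing the printed rules before loading them is the same "read, understand, verify" exercise the slide describes; after loading, `iptables -L -v -n` shows per-rule packet counters, so a test connection from each zone makes visible which rule accepted or dropped it.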
13 WECS'7
Black Box Testing
Goal
- To learn how a protocol implementation can be evaluated using a black box testing method
Running the assignment
- The PROTOS tool was used to evaluate the SNMP protocol in a Cisco 1005 router
- A ready-made test suite to perform a DoS attack was used
Knowledge obtained
- The participants have learned that black box testing using automatic tools can be used to evaluate implementations of communication protocols
[Figure: PCs running PROTOS against the Cisco 1005 router]
14 WECS'7
Network Analyzing (and ARP Spoofing)
Goal
- To show how easy it is to capture network traffic in a LAN using Ethereal
Running the assignment
- Ethereal was used to capture a password sent over the network using TELNET
Knowledge obtained
- The participants have learned how to manage a network analyzer to capture network traffic
[Figure: PCs running Ethereal attached to a hub, with a router and an administrator configuring his router]
15 WECS'7
Port Scanning
Goal
- To demonstrate how port scanners can be used to find open ports in a networked computer
Running the assignment
- The participants were asked to gather information about open ports on the two servers using the Network Mapper (NMAP) in Linux
Knowledge obtained
- The participants have learned how to use a port scanner to find unexpected open ports in a product before deployment
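Finding "unexpected" open ports presupposes a list of expected ones, which is the product's specification. The script below is an added example written for this page, not part of the course material: it takes an assumed allow-list of port/protocol pairs and runs it over a constructed sample of nmap's grepable (`-oG`) output, flagging every open port that the specification does not mention and returning a non-zero exit status so the check can gate a deployment. The hosts are RFC 5737 documentation addresses and the service banners are made up.

```shell
#!/bin/sh
# Added example (not the course's own assignment): turn the port scanning
# step into a pre-deployment check. The product's specification says which
# services may listen; every open port nmap reports that is not on that list
# is flagged. The scan output below is a constructed sample in nmap's
# grepable (-oG) format; the hosts are RFC 5737 documentation addresses.

# Services the product is expected to expose (assumed), one port/proto per line
expected_ports() {
    printf '%s\n' 22/tcp 80/tcp 443/tcp
}

# Constructed sample of "nmap -sS -sV -oG -" output for two hosts. In the
# Ports field each entry is port/state/proto/owner/service/rpc/version/.
sample_scan() {
    echo '# Nmap scan initiated (constructed sample) as: nmap -sS -sV -oG - 192.0.2.0/29'
    printf 'Host: %s ()\tPorts: %s\tIgnored State: closed (%s)\n' \
        192.0.2.1 '22/open/tcp//ssh//OpenSSH 4.3 (protocol 2.0)/, 80/open/tcp//http//Apache httpd 2.2.3/, 111/open/tcp//rpcbind//2 (rpc #100000)/, 6000/open/tcp//X11//(access denied)/' 996 \
        192.0.2.2 '22/open/tcp//ssh//OpenSSH 4.3 (protocol 2.0)/, 443/open/tcp//https//Apache httpd 2.2.3/, 25/filtered/tcp//smtp///' 997
    echo '# Nmap done (constructed sample) -- 2 IP addresses (2 hosts up) scanned'
}

# unexpected_ports "PORT/PROTO PORT/PROTO ..." < scan.gnmap
# Prints "host port/proto service" for each open port not on the allow list.
# Exit status 1 if anything was flagged, 0 if the hosts match the specification.
unexpected_ports() {
    awk -v allow="$1" '
    BEGIN {
        n = split(allow, a, " ")
        for (i = 1; i <= n; i++) ok[a[i]] = 1
        found = 0
    }
    /^Host:/ {
        host = $2
        line = $0
        if (!sub(/^.*Ports: /, "", line)) next          # host is up but has no port list
        sub(/[ \t]+Ignored State:.*$/, "", line)
        m = split(line, entry, ", ")
        for (j = 1; j <= m; j++) {
            split(entry[j], f, "/")                      # f[1]=port f[2]=state f[3]=proto f[5]=service
            if (f[2] != "open") continue
            key = f[1] "/" f[3]
            if (!(key in ok)) { printf "%s %s %s\n", host, key, f[5]; found++ }
        }
    }
    END { exit (found > 0) }'
}

# Usage: run the check over the sample and fail loudly if something listens
# that the specification does not mention (here rpcbind and X11 on 192.0.2.1)
if sample_scan | unexpected_ports "$(expected_ports | tr '\n' ' ')"; then
    echo "all open ports are on the expected list"
else
    echo "unexpected open ports found: investigate before deployment"
fi
```

Only ports in state `open` are flagged; `filtered` ports (like 25/tcp on the second host) mean a firewall answered instead of the service and are a different finding. In a real pipeline the sample function is replaced by `nmap -sS -sV -oG - <target>` and the allow-list by the product's specification.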
16 WECS'7
Node Hardening
Goal
- To educate the participants on how to increase the security of nodes by
  - turning off unnecessary services
  - restricting the rights of necessary services
  - verifying that the software in use has the latest patches
Running the assignment
- The Bastille tool was used
- When running Bastille, a large set of questions is asked on how the user would like the node to be configured, after which the system is automatically configured according to the answers
Knowledge obtained
- The participants have learned the importance of correct configurations and how to handle a node hardening tool
17 WECS'7
Security Scanning
Goal
- To show how to use security scanners in order to automatically scan the system for known vulnerabilities
Running the assignment
- Two unpatched servers running Windows 2000 Server and Fedora Core 3 Linux were acting as targets
- Both the Internet Scanner (IS) and Nessus were used as scanners
- Neither the configuration nor the IP addresses of the servers were known to the students
Knowledge obtained
- The participants have learned that security scanners are tools that can assist the testers in the verification process
18 WECS'7
Putting it all Together
Goal
- To let the participants conduct a full VA of a target with limited resources and time (<8 hours)
Running the assignment
- The assignment was conducted in groups of 4 students
- Each group had two workstations and one server that was the target of evaluation
- The group was given a requirement specification describing the role of the server and its security requirements
- The exercise was to find out what has to be done to fulfill the requirements, perform the necessary changes and verify the result
Knowledge obtained
- The participants have gained a better understanding of how to perform a full-scale VA
19 WECS'7
Evaluation and Lessons Learned
- After each course instance, the participants have been asked to fill in a questionnaire used to evaluate the course
- Based on the answers, the following conclusions can be drawn:
  - The most popular assignments have been: security scanning, port scanning, and node hardening
  - The least interesting assignments have been: testing for randomness and firewall
  - Each participant has either been satisfied or very satisfied with the course
- We have also noticed that having a system administrator available during the course would greatly reduce the burden on the teachers
20 WECS'7
Concluding Remarks
- A vulnerability analysis (VA) course aimed at software testers is described in the paper
- The focus is on the various laboratory assignments provided within the course
- All participants have either been satisfied or very satisfied with the course, and we are convinced that the course has significantly raised their awareness concerning security and VA
- An investigation of how the participants use their knowledge in VA will be performed during spring 2006
- Three new instances of the course are scheduled in 2006
21 WECS'7
Errata
Page 2, third sentence in the second paragraph, i.e.: “Students from an applied computer security course were engaged and trained to attack a target system and evaluate its security [2].” Delete “and trained” from the sentence.