eEye Digital Security - Vulnerability Expert Forum, August 2011
eEye Background
eEye Digital Security
• A three year old security software company
• Based in Southern California with offices in Geneva, London and Madrid
• Creates cutting edge security software:
  – Retina™, the Network Scanner
  – SecureIIS™, an Application Firewall for Internet Information Server
  – Iris™, the Network Traffic Analyzer
• Very active in research and development in the digital security community through numerous advisories
• Extensive client base in over 40 countries
CCP Ltd. Background
Computer Consulting Partners Ltd.
• A three year old security consulting company
• Based in Phoenix, Arizona.
• Provide consulting, design, implementation, and support of Network Enterprise Solutions focusing on Internet, Intranet, and Extranet Security.
• Client base includes Fortune 500 companies and governmental agencies.
• Computer Consulting Partners, Ltd. has partnered with eEye to provide the highest quality of information security consulting and products.
eEye Client List
Some of the world’s leading corporate and government entities secure their networks with our products:
• Intel
• University of Chicago
• IBM Corp.
• Dartmouth Medical School
• US Navy
• CMGI
• Dupont
• Federal Reserve Bank
• Southern California Edison
• AT&T
• Microsoft
• Lotus
• FAA
• KPMG
• Arthur Andersen
• Bank of America
• PR Newswire
• EDS
• Domainnames.com
• Bid.com
• University of California Los Angeles
• Ernst & Young
eEye Product Positioning
• Focus on developing best-of-breed security software products
• Complement existing tools such as Firewalls and Intrusion Detection Systems
• Provide the network administrator with user friendly tools that help them keep up with ever changing security requirements
• Provide security consultants with powerful tools that will significantly increase their efficiency and ability to deliver services
CCP Ltd. Positioning
• Focus on providing our clients with state-of-the-art security solutions, using best of breed products.
• Focus on providing our clients with high quality audits and assessments of their current IT infrastructure vulnerabilities.
• Focus on providing our clients with state-of-the-art penetration testing techniques.
• Enable our clients to understand and support the solutions, after we leave.
• Support the client to enable their success.
There are Several Equally Vital Tools to Securing a Network
Diagram: your network surrounded by the tools that secure it, arranged from reactive to proactive: Intrusion Detection Systems (IDS), Firewall, Virus Scanning, Vulnerability Scanner, Network Traffic Analyzer, Application Security.
eEye Focuses on Proactive Security Tools
Diagram: your network with the same tool categories; the proactive ones are covered by eEye products (Retina™ Network Security Scanner, Iris™ Network Traffic Analyzer, SecureIIS™ Web Application Firewall), alongside the Intrusion Detection System (IDS), Firewall and Virus Scanner.
The CCP and eEye Partnership
• While eEye focuses on proactive Security products, CCP focuses on all-encompassing security solutions.
• Utilizing our partnerships with best of breed vendors, like eEye, we can offer solutions that fit your needs.
CCP Focuses on enabling all-encompassing Security Solutions and Proactive Services.
Diagram: your network surrounded by the solutions CCP delivers: VPN access and link encryptors; vulnerability assessments; ISS RealSecure, Tripwire, Snort; Checkpoint Firewall-1 or Cisco PIX; Trend Micro virus scanner; secure design of application and service infrastructure; biometrics and access control; traffic analysis and infrastructure audit.
Retina – What it Does
• Retina scans a server, workstation, firewall, router, etc. for vulnerabilities. Enter the IP address or URL of a machine (say www.eEye.com) into Retina and Retina will audit that machine
• The result is an interactive or printable report listing all the vulnerabilities on that machine
• For each of the vulnerabilities, Retina provides a risk assessment and indicates how to fix it, either by providing the appropriate patch link or by providing a step-by-step procedure for configuring the machine to fix the problem
• For many vulnerabilities, Retina has a revolutionary “Auto Fix-It” capability that makes the required system changes
Sample Retina Screen Shot
Screenshot labels: Scanned Computer; Identified Vulnerabilities; Selected Vulnerability & Description; Risk Level; Fix Description; Auto Fix.
Retina Features – Vulnerability Auditing Modules
Retina includes vulnerability scanning and auditing for the following systems & services:
- NetBIOS
- HTTP, CGI and WinCGI
- FTP
- DNS
- DoS
- POP3
- SMTP
- Registry
- Services
- Users and Accounts
- Password vulnerabilities
- Publishing extensions
- Database servers
- Firewalls and Routers
- Proxy Servers
- Web Interfaces
- Files and permissions
- Unix RPC services
- NFS mounts
- IMAP
- LDAP
- SSH
- Telnet
- SNMP
- Trojans
- DDoS Agents
What Makes Retina Unique
• Fastest scanner in the market
• Incorporates NMAP Fingerprint Database and NMAP functionality
• Smart port scanning
• CHAM [Common Hacking Attack Methods] – Artificial Intelligence that looks for unknown vulnerabilities
• Open architecture and API for custom audit development
• Complete control over policy and audits
• No limitations on the specific IPs audited
• Auto “Fix-It” feature
• Auto Update feature
• Smart Reporting – reporting adapts to the level of risk
• Custom Reporting – modified by client or service provider
Retina Features
Smart Scanning
• Security scanners on the market assume that a certain port is a certain protocol
• Retina never assumes anything. It analyses specific input/output data on a port to determine what protocol and service is actually running
CHAM (Common Hacking Attack Methods)
• CHAM learns as much information as possible about your network to discover unknown vulnerabilities
• Based on this information, CHAM then performs hacking attacks on several protocols that you may pre-select in the Policies menu (FTP, POP3, SMTP, HTTP)
Open Architecture
• Retina offers the flexibility to create customized modules with any programming language, including Perl, C, C++, Visual Basic, Delphi etc.
• With our new RTH Wizard, administrators can create custom audits on the fly
Fix-it
• For certain vulnerabilities that require configuration changes, Retina provides the ability to auto-fix the problem
• The feature saves network administrators and consultants significant time
Retina Features
Policies
• Retina allows total flexibility on which audits to perform (ports, audit classes etc.)
• For example, create a policy that only audits DoS vulnerabilities, or define the NT IP Fragment Reassembly audit within the DoS class
Auto update
• There are 10 to 50 vulnerabilities discovered every day. eEye discovers many of these and regularly updates its vulnerability database
• Retina users are able to regularly update their vulnerability database through a simple Retina interface over a normal internet connection
Smart Reporting
• Retina produces highly customizable reports of network scans, tailored to the technical sophistication of the targeted report audience
• The reports can be highly “white-labeled”
• The reports provide vivid graphical representation of the vulnerability and risk profile of a scanned host or network
How does Retina stack up to the competition?
Feature comparison of network vulnerability scanners: eEye Retina, ISS Scanner, NAI CyberCop, BindView BV-Control, Symantec NetRecon. The transcript preserves only the row labels and the number of check marks per row, not which product each mark belongs to:
• Smart Reporting: 5 check marks
• Smart Scanning: 1 check mark
• Autofix: 3 check marks
• Auto Update: 4 check marks
• CHAM: 1 check mark
• Open Architecture: 3 check marks
• Centralized Management: 3 check marks
Retina is the FASTEST Security Scanner on the market. Includes “Fix-It” option. Known for ease-of-use.
SecureIIS
The Application Firewall For Microsoft’s IIS Web Server
The Issue That SecureIIS Addresses
• Web servers are the most vulnerable part of a network since they are open to the public and must allow various forms of traffic to enter the server
• Traditional server protection such as network firewalls and intrusion detection systems are not always able to protect a server, for several reasons:
  – Firewalls and IDS systems rely on a database of known hacker attack signatures
  – Hackers are able to slightly modify attacks to get around these systems…
  – … the IT administrator may not have updated the systems with the latest database…
  – … or, worse yet, there are types of attacks that have not been identified by any security organization (unknown attacks)
The Issue That SecureIIS Addresses
• Microsoft’s IIS (Internet Information Services) is a very popular Web server application running on approximately 8 million servers worldwide
• IIS is notorious for being susceptible to hacker attacks
• Over the last few years, Microsoft has released several security updates and patches to cover discovered vulnerabilities
• Security research firms continue to uncover more vulnerabilities. eEye recently uncovered two major vulnerabilities, one of which was leveraged by the Code Red worm
• IT Administrators tend to share a growing frustration with maintaining the security of IIS…
• …A great lead-in for the value of SecureIIS
SecureIIS – The Application Firewall
• SecureIIS is an “Application Firewall” designed specifically to protect IIS
• SecureIIS is not dependent on a vulnerability or attack signature database
• SecureIIS protects against “classes” of hacker attack. Instead of looking for specific attack signatures, it blocks entire classes of attack by detecting their overall characteristics
• The application, an extension of the eEye CHAM technology in Retina, “understands” how a web server behaves. Any activity on the network contrary to this authorized behavior is stopped.
• SecureIIS has been shown to prevent attacks that leverage known vulnerabilities…
• … In the case of Code Red, SecureIIS protected its clients from that worm before the worm was discovered by the industry
SecureIIS Product Features
SecureIIS wraps around Internet Information Server and works within it, verifying and analyzing incoming and outgoing Web server data for any possible security breaches.
The Classes of Attack That SecureIIS Protects Against:
• Buffer Overflow Attacks
• High Bit Shellcode Protection
• Parser Evasion Attacks
• Directory Traversal Attacks
• General Exploitation
• Banner replacement
• Logging of failed requests
Product Interface
Screenshot labels:
• Classes of hacker attacks blocked – each represents a category of attack with sub-categories that are configurable
• Each class of attack is described in detail with assistance on configuration
• The user can configure the parameters that are protected in each of the classes of attack
• Multiple Web sites on a single server can be protected
Product Interface
• SecureIIS also protects IIS-related applications such as FrontPage and Outlook Web Access
Description of the Classes of Attack
Buffer Overflow Attacks
Buffer overflow vulnerabilities stem from problems in string handling. Whenever a program copies a string or buffer into a destination buffer that is smaller than the source, an overflow can occur. If the destination buffer is overflowed sufficiently, it will overwrite crucial system data, and in most situations an attacker can leverage this to take over the program's process, thereby acquiring whatever privileges that process has. SecureIIS limits the size of the "strings" being copied, which greatly reduces the chance of a successful buffer overflow.
Parser Evasion Attacks
Insecure string parsing can allow attackers to remotely execute commands on the machine running the Web server. If a CGI script or Web server feature does not check for certain characters in a string, an attacker can append commands to a normal value and have those commands executed on the vulnerable server.
Directory Traversal Attacks
In certain situations, various characters and symbols can be used to break out of the Web server's root directory and access files on the rest of the file system. By checking for these characters and only allowing certain directories to be accessed, directory traversal attacks are prevented. In addition, SecureIIS only allows clients to access certain directories on the server, so even if a new hacking technique arises, breaking out of the web root will still be impossible.
General Exploitation
Buffer overflows, format bugs, parser problems, and various other attacks will contain similar data. Exploits that execute a command shell will almost always have the string "cmd.exe" in the exploiting data. By checking for common attacker "payloads" involved with these exploits, SecureIIS can prevent an attacker from gaining unauthorized access to your Web server and its data.
Description of the Classes of Attack
HTTPS/SSL Protection
SecureIIS resides inside the Web server, thus capturing HTTPS sessions before and after SSL (Secure Socket Layer) encryption. Unlike any Intrusion Detection System or firewall currently on the market, SecureIIS has the ability to stop attacks on both encrypted and unencrypted sessions.
High Bit Shellcode Protection
Shellcode is what is sent to a system to exploit a hole such as a "buffer overflow". High Bit Shellcode Protection offers a high degree of protection against this type of attack because it drops and logs all requests containing characters with the high bit set. Normal Web traffic, in English, should not contain such characters, and almost all "shellcode" requires them to produce a working exploit.
Third Party Application Protection
The power of SecureIIS is not limited to IIS specific vulnerabilities. SecureIIS can also protect third party applications and custom scripts from attack. If your company has developed customized components for your Web site, components that might be vulnerable to attack, you can use SecureIIS to protect those components from both known and unknown vulnerabilities. Let SecureIIS work as your own web based “Security Quality Assurance” system.
Logging of Failed Requests
In the installed SecureIIS directory, a file called SecureIIS.log contains a log of all attacks and what triggered the event that caused SecureIIS to drop the connection. This is an effective way to monitor why requests are being stopped, and who is requesting things that they shouldn't. Since SecureIIS enforces a strong security policy for how sites are configured, you can use this log to find places where your Web site may not be acting correctly due to an insecure setting. Also, since Internet Information Server has the unfortunate habit of not logging successful attacks such as buffer overflows, a twofold security benefit is provided here: such attacks are not only stopped, but also logged so you can take action accordingly.
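The attack classes above can be illustrated as a small request screen that applies one check per class and logs the reason for every drop. This is an added example written for this page, not eEye's SecureIIS code; the length limit, allowed directory list, payload string list and metacharacter set are assumptions, and the sample requests are constructed.

```python
"""Request screening modelled on the SecureIIS attack classes described above.

Added illustration, not eEye code. The length limit, the allowed directories,
the payload list and the metacharacter set are assumptions chosen for the example.
"""
import re
from typing import Optional
from urllib.parse import unquote

MAX_COMPONENT_LEN = 1024                         # assumed cap on path or query length
ALLOWED_DIRS = ("/", "/scripts/", "/images/")    # assumed directories clients may reach
KNOWN_PAYLOADS = ("cmd.exe",)                    # the page's own example of a payload string
SHELL_METACHARS = re.compile(r"[;|`$<>]")        # characters an insecure parser may run as commands
log: list = []                                   # stands in for SecureIIS.log


def _drop(raw: bytes, reason: str):
    """Record why a request was dropped, as a SecureIIS.log entry would."""
    log.append(f"DROP {raw[:60]!r} :: {reason}")
    return False, reason


def _normalise_path(path: str) -> Optional[str]:
    """Decode twice, unify separators and resolve '..'; None if it escapes the web root."""
    parts = []
    for seg in unquote(unquote(path)).replace("\\", "/").split("/"):
        if seg == "..":
            if not parts:
                return None          # tried to climb above the web root
            parts.pop()
        elif seg not in ("", "."):
            parts.append(seg)
    return "/" + "/".join(parts)


def _directory_of(norm_path: str) -> str:
    return norm_path.rsplit("/", 1)[0] + "/"


def screen(raw: bytes):
    """Screen one raw HTTP request line; returns (allowed, reason) and logs drops."""
    # High Bit Shellcode Protection: ordinary English web traffic is 7-bit ASCII
    if any(b >= 0x80 for b in raw):
        return _drop(raw, "high-bit shellcode: non-ASCII byte in request")
    try:
        _method, target, _version = raw.decode("ascii").split(" ", 2)
    except ValueError:
        return _drop(raw, "parser evasion: malformed request line")
    path, _, query = target.partition("?")
    # Buffer overflow class: bound the size of every string the server will copy
    for name, value in (("path", path), ("query", query)):
        if len(value) > MAX_COMPONENT_LEN:
            return _drop(raw, f"buffer overflow: {name} exceeds {MAX_COMPONENT_LEN} bytes")
    # General exploitation: look for well-known attacker payload strings
    decoded_target = unquote(unquote(target)).lower()
    for payload in KNOWN_PAYLOADS:
        if payload in decoded_target:
            return _drop(raw, f"general exploitation: payload string {payload!r}")
    # Directory traversal: resolve the path and confine it to allowed directories
    norm = _normalise_path(path)
    if norm is None or _directory_of(norm) not in ALLOWED_DIRS:
        return _drop(raw, "directory traversal: request leaves the allowed directories")
    # Parser evasion: command separators hidden in a query value
    if SHELL_METACHARS.search(unquote(unquote(query))):
        return _drop(raw, "parser evasion: shell metacharacter in query")
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample requests: one benign, then one per attack class
    for sample in (b"GET /default.htm HTTP/1.0",
                   b"GET /images/%2e%2e/%2e%2e/boot.ini HTTP/1.0",
                   b"GET /scripts/tool.asp?run=cmd.exe HTTP/1.0",
                   b"GET /default.htm?q=\xff\xfe HTTP/1.0",
                   b"GET /default.htm?" + b"A" * 2000 + b" HTTP/1.0",
                   b"GET /scripts/mail.asp?to=bob;dir HTTP/1.0"):
        print(screen(sample))
```

Each drop appends a line to `log`, which is the equivalent of the SecureIIS.log review the page recommends for finding both attacks and misconfigured sites.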
Iris – The Network Traffic Analyzer
• Iris is a revolutionary product and has very little competition in the market.
• In “promiscuous mode”, it captures all data traffic within a network. For example, when a web page is served, the data is available on the entire network, but only one computer is “listening” for it. A machine in “promiscuous mode” would also pick up that data.
• The challenge is organizing and understanding the massive amount of data a computer in promiscuous mode would pick up.
Iris – The Network Traffic Analyzer
• Iris organizes and displays data packets, their origin, their destination and other technical information.
• Most importantly, Iris recognizes various protocols (HTTP, POP3, SMTP, etc.) and decodes these packets into recognizable forms such as web pages.
• This allows Iris to act as a video recorder of the activity of network users, giving the network owner tremendous control over the network.
• Iris is also capable of monitoring and alerting for various variables such as words (pornography), IP addresses (competitors, restricted sites) and more.
Iris – Screen Shot
Screenshot labels: Data Packets; Analysis of a specific data packet.
Iris – Screen Shot
Screenshot labels: Network Users; What is SKYWALKER looking at? The Decoder.
Iris Features
Monitoring Users
• Iris decodes most non-encrypted network protocols such as HTTP, POP3, SMTP and many others.
• With the click of a button you will know which sites network users have visited, and Iris will regenerate the visited web pages with their formatting and content.
• Iris monitors non-encrypted web-based mail, messenger service and chat activity.
Network VCRs
• Iris has the ability to act as a “VCR” for your network by recording all information traveling across a network.
• Recorded information can be viewed and decoded in real-time or played back at a later time.
• This network “VCR” capability also demonstrates Iris’ unrivaled ease-of-use.
Screening Tools
• Iris monitors network traffic by setting numerous screening criteria.
• Monitor and record network traffic based on a specific MAC address, IP address, word, protocol, etc.
Building successful security infrastructures
Some Information to Help You Build a Successful Security Infrastructure
Digital Security - The Problem is Real
• 90% of companies surveyed by the FBI have detected cyber attacks recently
• Disgruntled employees, industrial espionage, and data theft are responsible for 70-80% of security breaches
• Increase in external threats from hackers, ex-employees, competitors and cyber terrorists
• The rise of “Script Kiddies” - Hackers who do not target specific organizations, but run scripts scanning the net for ANY vulnerable network
Digital Security - The Problem is Real
• 273 organizations reported $265 million in financial losses in the year 2000
• Financial losses due to cyber attacks in the year 2000 were higher than 1997, 1998 and 1999 combined
• The annual loss from computer network crime is $550 million in the U.S. alone*
Source: survey by the Computer Security Institute (CSI) and the Federal Bureau of Investigation, 2000
* National Center for Computer Crime Data in Santa Cruz, California
Seven Fatal Digital Security Management Errors
1. Relying primarily on a firewall for security perimeter protection.
2. Failure to realize how much money, information and organizational reputation are worth.
3. Pretending the problem will go away.
4. Authorizing reactive, short-term fixes so problems re-emerge quickly.
5. Failure to deal with the operational aspects of security: making a few fixes and then not following through to ensure the problem stays fixed.
6. Failure to understand the relationship of information security to the business problem – they understand physical security, but do not see the consequence of poor information security.
7. Assigning untrained people to maintain security and providing neither the training nor the time to make it possible to do the job.
Typical Security Perimeter Failures
• Management and support personnel often rely exclusively on firewalls and ignore internal digital security considerations
• Members of your organization can easily request that analog lines be installed at their workspace. These are often used to connect to ISPs or to set up dial-in access to their desktop system, thus bypassing any protection from the security perimeter
• Some network services (e.g., ftp, tftp, http, sendmail) destined for internal hosts are passed through the security perimeter control points unscreened
• The firewall hosts or routers accept connections from multiple hosts on the internal network and from hosts on the DMZ network
• Access lists are often configured incorrectly, allowing unknown dangerous services to pass through freely
• Logging of connections through the security perimeter is either insufficient or not reviewed on a regular basis
• Hosts on the DMZ or hosts running firewall software are also running unnecessary services such as tftp, telnet, rpc, mail, etc.
• Support personnel use telnet or other unencrypted protocols for managing the firewalls and other DMZ devices
• People frequently implement encrypted tunnels through their security perimeter without fully validating the security of the endpoints of the tunnel
Digital Security Best Practices
• An understanding of the risks to your environment.
  CCP can assess the risks facing your networks.
• A suite of host and network based security auditing and improvement tools.
  CCP and eEye can provide state-of-the-art tools to help you.
• An understanding of the business needs and processes to meet those needs.
  CCP can help you realize these processes and implement solutions that ensure security success, without interfering with business needs.
• A strong commitment from upper management to support your roadmap for security infrastructure improvements and to provide sufficient resources to get the work done.
  CCP can provide the knowledge resources to get the job done right.
• A security mission statement and the associated guiding principles.
• A security awareness program that reaches everyone in the organization.
  CCP can help you develop a security awareness program to keep your assets safe.
• Clearly defined, implemented and documented security policies and procedures that are supplied to everyone within the organization.
  CCP can help you document and implement policies that can help protect your digital assets.
• A three to five year roadmap for security infrastructure improvements.
  CCP can help you understand where you are… and enable you to be where you want to be in the future.
• A dedicated team of trained security professionals and consultants to make it all happen.
  CCP & eEye can help you make it happen.
Computer Consulting Partners, Ltd.
4800 N. 7th St., Phoenix, AZ 85014
Phone: (602) 277-2285
Toll-Free: (800) 665-0959
Fax: (602) 277-8099
E-Mail: [email protected]