Background
- Richard S. Carson and Associates: management consulting
- World Wide Digital Security, Inc.: web-based products
Our Product
A suite of web-based security assessment tools used to determine a network's vulnerability and risk, with a patent-pending methodology:
- Single assessment
- Network
- Denial of Service

Benefits of WebSAINT™
- Web-based delivery system: the basis for minimal user impact
- No dedicated computer is needed: it runs on the web
- Easy to use: the complexities of installing software are removed
- No costly software
- Results are self-explanatory: trained security professionals are not needed
- Use it as many times as you need under the 3-month subscription
- Cost advantage in product price and minimal resource impact
- Product is always up to date with the most current vulnerabilities and threats

Our Customer
The network administrator of a small to medium-size enterprise who is looking for the easiest and most accurate tool to analyze network security:
- Overworked
- Dealing with Y2K issues
- Limited resources for security
The Opportunity

                      1997            2002
Internet Users        50 million      175 million
Electronic Commerce   $8 billion      $327 billion
Network Security      $1.3 billion    $6.5 billion
The Opportunity
Our niche is the Internet security assessment market, estimated to be $1 billion by 2002. WebSAINT™ provides:
- Vulnerability assessment, identifying security strengths and weaknesses
- A detailed review and evaluation of a company's network, allowing a baseline security policy to be developed from the data collected
- Corporate confidence that current security standards are being met

Our Competition
- Internet Security Systems, Inc.
- Network Associates, Inc.
- Axent Technologies, Inc.
- Netect, Inc.
- Security Dynamics Technologies, Inc.

Our Uniqueness in the Security Market
- Patent-pending, web-based delivery system
- Subscription sales: an easy selling approach
- Focused on security assessments
- Leads to consulting services

Marketing
- SATAN® → SAINT® → WebSAINT™
- Name recognition
- VARs, partnerships, joint development agreements
- Integrated Web and PR marketing approach
- www.wwdsi.com
SAINT™ History
- SATAN released April 1995
- COAST extensions released December 1995
- No updates since release
- A scan of a large network using SATAN prompted the development of SAINT

SAINT™ – The New SATAN
Tests for the following:
- "R" services (rlogin, rsh and rexec)
- Vulnerable CGIs (e.g. webdist, phf and test-cgi)
- Vulnerable versions of IMAP and POP
- SMB open shares
- New backdoors (NetBus, Back Orifice)
- ToolTalk service
- Vulnerable versions of DNS
- rpc.statd service
- UDP echo and/or chargen (can be used for DoS)
- Vulnerable news servers

SAINT™ – The New SATAN (continued)
- Identifies Microsoft Windows (3.x, 95, 98, NT) computers (may be vulnerable to various DoS attacks)
- Added a new attack level (heavy+)
- Performs in a firewalled environment
- Many cosmetic and functional improvements

What You Need
- UNIX platform (AIX, OSF, FreeBSD, BSDI, IRIX, HP-UX, Linux, SunOS, System V)
- 20 MB disk space
- As much memory as you can get
- Perl 5.00 or above
- C compiler
- Web browser
- SAMBA (for the SMB tests)
How it Works
Policy Engine
- Controls what hosts SAINT may probe
- Controls the intensity of the probes
- Specified in the configuration file:
  - attack level and what probes are included
  - status file
  - timeouts and timeout signals
  - proximity variables
  - trusted or untrusted
  - targeting exceptions
  - workarounds (DNS, ICMP)
- Some settings can be changed via command-line switches or from the hypertext user interface

Target Acquisition
- Specified by the user:
  - one host
  - class C subnet
- Generated by the inference engine when processing facts produced by the data acquisition module
- Saves time by first checking whether hosts are actually alive:
  - fping (default)
  - tcp_scan on common ports (for firewalled environments, where ICMP may be blocked)

Data Acquisition
- Executes probes according to the target's scanning level:
  - light
  - normal
  - heavy
  - heavy+
- Probes are written in Perl or shell script
- Output is written to the database in a common tool record format

Inference Engine
- Rules are applied in real time
- Each result is one of:
  - new facts for the inference engine
  - new probes for the data acquisition module
  - new targets for the target acquisition module
- Actually six separate engines, each controlled by its own rule base:
  - todo: what probe to perform next
  - hosttype: deduces system classes
  - facts: deduces potential vulnerabilities
  - services: translates cryptic daemon banners and/or port numbers to user-friendly names
  - trust: classifies data collected on NFS, DNS, NIS and other cases of trust
  - drop: what to ignore
Database Format
- Facts: data generated by the data acquisition module and the inference engine
- All-hosts: all hosts seen
- Todo: all things it did

Database Format – Facts
- Target: name of the host the record refers to
- Service: base name of the tool or service being probed
- Status: whether the host was reachable
- Severity: how serious the vulnerability is
- Trustee: who trusts another target (user@host)
- Trusted: who the trustee trusts (user@host)
- Canonical service output:
  - for non-vulnerability records, the reformatted version of the network service
  - for vulnerability records, the name of the tutorial
- Text: additional information for reports

Database Format – All-hosts
- Host name
- IP address
- Proximity from the original host
- Attack level the host has been probed with
- Was subnet expansion on? (1 = yes, 0 = no)
- Time the scan was done

Database Format – Todo
- Host name
- Tool to be run next
- Arguments for the tool
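The scan loop that the Policy Engine, Target Acquisition, Data Acquisition, Inference Engine and Database Format slides describe, as an added toy model in Python. It is written for this page and is not SAINT's own code (SAINT is Perl). It keeps the three databases in memory, uses the facts fields in the order the slides list them, and assumes a '|' separator between fields, colour words in the severity field, a per-level probe table, and the constructed probe results in PROBE_OUTPUT; the todo, trust and drop rules are simplified versions of the engines the slides name.

```python
"""Toy model of the SAINT scan loop on the slides: a policy engine that bounds
the scan, target acquisition that pings before probing, data acquisition that
runs probes, and an inference engine whose rules turn facts into new probes and
new targets.  Added for this page; not SAINT's own Perl code.  Record layouts
follow the slides' field lists; the '|' separator, the colour words in the
severity field and every probe result in PROBE_OUTPUT are constructed."""
import ipaddress
from dataclasses import dataclass

FIELDS = ("target", "service", "status", "severity",
          "trustee", "trusted", "canonical", "text")        # facts record, slide order
LEVEL_PROBES = {"light": ["rpc"], "normal": ["rpc", "rsh"],
                "heavy": ["rpc", "rsh"], "heavy+": ["rpc", "rsh"]}   # assumed per-level probe sets


@dataclass(frozen=True)
class Policy:
    """Policy engine: the subset of configuration-file settings this model uses."""
    attack_level: str = "normal"
    max_proximity: int = 2              # how far inference may wander from the original target
    exceptions: frozenset = frozenset({"192.0.2.53"})   # targeting exceptions (constructed)


# Constructed stand-ins for the Perl/shell probes: (tool, host) -> facts records.
# Real probes talk to the network; a missing key means the probe found nothing.
PROBE_OUTPUT = {
    ("fping", "192.0.2.10"): ["192.0.2.10|fping|a|green|||alive|"],
    ("rpc", "192.0.2.10"): ["192.0.2.10|rpc|a|green|||portmapper|100005 mountd, 100024 status"],
    ("showmount", "192.0.2.10"): ["192.0.2.10|showmount|a|red|root@192.0.2.10|ANY@ANY|"
                                  "Unrestricted NFS export|/export exported to everyone"],
    ("rsh", "192.0.2.10"): ["192.0.2.10|rsh|a|brown|user@192.0.2.10|user@192.0.2.20|"
                            "Remote shell on the Internet|hosts.equiv trusts 192.0.2.20"],
    ("fping", "192.0.2.20"): ["192.0.2.20|fping|a|green|||alive|"],
    ("rpc", "192.0.2.20"): ["192.0.2.20|rpc|u|green|||portmapper|"],   # unreachable: dropped
    ("rsh", "192.0.2.20"): ["192.0.2.20|rsh|a|brown|user@192.0.2.20|user@192.0.2.53|"
                            "Remote shell on the Internet|hosts.equiv trusts 192.0.2.53",
                            "192.0.2.20|rsh|a|brown|user@192.0.2.20|user@192.0.2.30|"
                            "Remote shell on the Internet|hosts.equiv trusts 192.0.2.30"],
    ("fping", "192.0.2.30"): ["192.0.2.30|fping|a|green|||alive|"],
}


def parse_fact(line):
    """Split one facts record; every record carries exactly the eight slide fields."""
    parts = line.rstrip("\n").split("|")
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields: {line!r}")
    return dict(zip(FIELDS, parts))


class Saint:
    def __init__(self, policy=Policy()):
        self.policy = policy
        self.facts = []          # facts database
        self.all_hosts = {}      # all-hosts database: host -> proximity / level / expanded
        self.todo = []           # todo database: (host, tool, args)
        self.done = set()

    def probe(self, tool, host):
        """Data acquisition: run one probe, keep its records, apply the drop rule."""
        kept = []
        for line in PROBE_OUTPUT.get((tool, host), []):
            fact = parse_fact(line)
            if fact["status"] == "u":        # drop rule: an unreachable service says nothing
                continue
            self.facts.append(fact)
            kept.append(fact)
        return kept

    def acquire(self, spec, proximity=0):
        """Target acquisition: one host or a class C; alive check first, policy applied."""
        net = ipaddress.ip_network(spec, strict=False)
        expanded = net.num_addresses > 1
        for ip in (net.hosts() if expanded else [net.network_address]):
            host = str(ip)
            if host in self.all_hosts or host in self.policy.exceptions:
                continue
            if proximity > self.policy.max_proximity:
                continue
            if not any(f["status"] == "a" for f in self.probe("fping", host)):
                continue                     # dead host: do not waste probes on it
            self.all_hosts[host] = {"proximity": proximity,
                                    "level": self.policy.attack_level,
                                    "expanded": int(expanded)}
            self.todo.extend((host, tool, "") for tool in LEVEL_PROBES[self.policy.attack_level])

    def infer(self, fact):
        """Inference engine: the todo rule and the trust rule, applied to each new fact."""
        host = fact["target"]
        # todo rule: a reachable portmapper makes the NFS export list worth asking for
        if fact["canonical"] == "portmapper" and self.policy.attack_level != "light":
            self.todo.append((host, "showmount", ""))
        # trust rule: whoever this host trusts becomes a target one hop further out
        trusted_host = fact["trusted"].rpartition("@")[2]
        if trusted_host and trusted_host != "ANY":
            self.acquire(trusted_host, self.all_hosts[host]["proximity"] + 1)

    def run(self, spec):
        self.acquire(spec)
        while self.todo:
            host, tool, _args = self.todo.pop(0)
            if (host, tool) in self.done:
                continue
            self.done.add((host, tool))
            for fact in self.probe(tool, host):
                self.infer(fact)
        return self.vulnerabilities()

    def vulnerabilities(self):
        """Report view: (target, tutorial name, colour) for every record that is not green."""
        return sorted((f["target"], f["canonical"], f["severity"])
                      for f in self.facts if f["severity"] != "green")


if __name__ == "__main__":
    for row in Saint().run("192.0.2.10"):
        print(*row, sep="  ")
```

Run stand-alone it scans 192.0.2.10: the portmapper fact schedules showmount (todo rule), the hosts.equiv trust pulls 192.0.2.20 in at proximity 1 and 192.0.2.30 at proximity 2 (trust rule), 192.0.2.53 is skipped as a targeting exception, and the unreachable rpc record on 192.0.2.20 is discarded by the drop rule. Lowering max_proximity to 1 stops the walk at 192.0.2.20, and a light scan never asks for exports because the todo rule is gated on the attack level.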
User Interface
- Requires an HTML browser for:
  - Documentation
  - Data management
  - Data gathering
  - Viewing results: vulnerabilities, host information, trust
- Can also be run from the command line
SAINT™ Vulnerabilities – Red
Services that are vulnerable to attack. Hackers exploiting these services may cause substantial harm.
- DNS vulnerabilities
- FTP vulnerabilities
- Hacker program found
- HTTP CGI access
- IMAP version
- INN vulnerabilities
- NFS export to unprivileged programs
- NFS export via portmapper
- Open SMB shares
- Remote shell access
- REXD access
- Sendmail vulnerabilities
- SSH vulnerabilities
- TFTP file access
- Unrestricted modem
- Unrestricted NFS export
- Writable FTP home directory

SAINT™ Vulnerabilities – Yellow
Services that may directly or indirectly assist a hacker in determining passwords or other critical information.
- NIS password file access
- Unrestricted X server access

SAINT™ Vulnerabilities – Brown
Services that may not be vulnerable, but whose configuration and/or version may make them vulnerable. Further investigation by the system administrator may be necessary.
- Excessive finger information
- HTTP CGI info
- NetBIOS over the Internet
- POP server
- POP version
- Possible DoS (fraggle) problem
- Remote login on the Internet
- Remote shell on the Internet
- Rexec on the Internet
- Statd vulnerability
- Rstatd vulnerability
- Rusersd vulnerability
- Sendmail info
- Windows detected

SAINT™ Vulnerabilities – Green
Services that do not have any vulnerabilities apparent through remote assessment. (However, if passwords have been compromised, these services may prove vulnerable to exploitation by local users.)
Who Uses It?
- System administrators
- Security administrators
- Requires some knowledge of UNIX
- Requires installation and configuration of software
- What about the less technical, less UNIX-savvy administrator? ...

What You Need (WebSAINT™)
- Web browser
- Internet connection
- E-mail address

How it Works (WebSAINT™)
- Customer requests a scan via a Web page
- Customer receives an e-mail containing the URL of a custom page
- Customer uses the custom page to start the scan
- After the scan completes, customer receives a second e-mail containing a new URL for the results
- Customer can perform an unlimited number of scans within the subscription period
Getting off the ground. . . We’d like to hear your comments and ideas.
Detailed SAINT™ Vulnerabilities
SAINT™ Red Services (1 of 5)
- DNS vulnerabilities
  - Impact: unauthorized access (remote) and/or denial of service
  - Resolution: patch or updated version
- FTP vulnerabilities
  - Impact: unauthorized access (remote or local)
  - Resolution: patch, updated version, restrict access
- Hacker program found
  - Impact: host has been compromised
  - Resolution: remove program, remove hacker
- HTTP CGI access
  - Impact: execute arbitrary commands (remote or local)
  - Resolution: remove/disable CGI

SAINT™ Red Services (2 of 5)
- IMAP version
  - Impact: unauthorized access (remote)
  - Resolution: patch, updated version, restrict access
- INN vulnerabilities
  - Impact: unauthorized access (remote)
  - Resolution: patch, updated version
- NFS export to unprivileged programs
  - Impact: unauthorized file access (read/write), program execution
  - Resolution: restrict access; block ports 2049 (nfs) and 111 (portmapper) at the router
- NFS export via portmapper
  - Impact: unauthorized file access (read/write)
  - Resolution: restrict access; block ports 2049 (nfs) and 111 (portmapper) at the router

SAINT™ Red Services (3 of 5)
- Open SMB shares
  - Impact: unauthorized file access (read/write)
  - Resolution: disable SMB over the Internet, restrict access
- Remote shell access
  - Impact: unauthorized remote shell/login from arbitrary hosts
  - Resolution: restrict access
- REXD access
  - Impact: unauthorized REXD remote access from arbitrary hosts
  - Resolution: disable service, restrict access
- Sendmail vulnerabilities
  - Impact: unauthorized access (remote)
  - Resolution: patch, updated version

SAINT™ Red Services (4 of 5)
- SSH vulnerabilities
  - Impact: unauthorized use of credentials (local)
  - Resolution: updated version
- TFTP file access
  - Impact: unauthorized file access (remote)
  - Resolution: disable service, restrict access
- Unrestricted modem
  - Impact: unauthorized remote access via the modem
  - Resolution: restrict access
- Unrestricted NFS export
  - Impact: unauthorized file access (read/write)
  - Resolution: restrict access; block ports 2049 (nfs) and 111 (portmapper) at the router

SAINT™ Red Services (5 of 5)
- Writable FTP home directory
  - Impact: unauthorized file access (read/write/execute)
  - Resolution: restrict access

SAINT™ Yellow Services
- NIS password file access
  - Impact: access to the NIS password file by arbitrary hosts
  - Resolution: restrict access
- Unrestricted X server access
  - Impact: unrestricted X server access from arbitrary hosts
  - Resolution: restrict access
SAINT™ Brown Services (1 of 4)
- Excessive finger information
  - Impact: releases excess account information
  - Resolution: disable service, restrict access
- HTTP CGI info
  - Impact: provides information about the server
  - Resolution: remove/disable CGI
- NetBIOS over the Internet
  - Impact: unauthorized file access (read/write)
  - Resolution: disable service
- POP server
  - Impact: unauthorized access (passwords in the clear)
  - Resolution: disable service, use a more secure version

SAINT™ Brown Services (2 of 4)
- POP version
  - Impact: unauthorized access (remote)
  - Resolution: patch, updated version, restrict access
- Possible DoS (fraggle) problem
  - Impact: denial of service (intermediary and victim)
  - Resolution: router configuration
- Remote login on the Internet
  - Impact: unauthorized shell access (with no password)
  - Resolution: disable service, restrict access
- Remote shell on the Internet
  - Impact: unauthorized remote shell/login from arbitrary hosts
  - Resolution: restrict access

SAINT™ Brown Services (3 of 4)
- Rexec on the Internet
  - Impact: unauthorized program execution (remote)
  - Resolution: disable service, restrict access
- Sendmail info
  - Impact: provides information about users
  - Resolution: disable the EXPN and VRFY commands
- Statd vulnerability
  - Impact: unauthorized access (remote/local)
  - Resolution: patch, disable service
- Rstatd vulnerability
  - Impact: provides information about the host's performance
  - Resolution: disable service

SAINT™ Brown Services (4 of 4)
- Rusersd vulnerability
  - Impact: provides information about users
  - Resolution: disable service
- Windows detected
  - Impact: operating system may be vulnerable to denial of service
  - Resolution: patch, disable unnecessary services
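The Sendmail info check from the brown list, as an added Python example (written for this page, not SAINT's code) of the SMTP exchange an assessment tool holds with a mail server and of how it reads the reply codes: a 250 to VRFY or EXPN names a real mailbox, and a differing reply for a known and a bogus user lets accounts be enumerated even when no address is returned. Both server transcripts, the scanner host name and the account names are constructed; the hardened transcript is modelled on the replies sendmail gives once VRFY and EXPN are turned off through its PrivacyOptions (novrfy and noexpn, or goaway).

```python
"""Added example for the 'Sendmail info' brown finding: the SMTP exchange an
assessment tool holds with a mail server and how the reply codes decide whether
VRFY and EXPN give away account information.  Not SAINT's code.  The reply
tables, scanner host name and account names are constructed for this example."""
import re

# Constructed reply tables.  Lookup is by exact command first, then by verb.
LEAKY = {
    "HELO": "250 mail.example.com Hello scanner.example.net, pleased to meet you",
    "QUIT": "221 2.0.0 mail.example.com closing connection",
    "VRFY root": "250 root <root@mail.example.com>",
    "VRFY nosuchuser-zz": "550 5.1.1 nosuchuser-zz... User unknown",
    "EXPN postmaster": "250 2.1.5 root <root@mail.example.com>",
}
HARDENED = {
    "HELO": "250 mail.example.com Hello scanner.example.net, pleased to meet you",
    "QUIT": "221 2.0.0 mail.example.com closing connection",
    "VRFY": "252 2.5.2 Cannot VRFY user; try RCPT to attempt delivery (or try finger)",
    "EXPN": "502 5.7.0 Sorry, we do not allow this operation",
}


def scripted_server(replies, default="500 5.5.1 Command unrecognized"):
    """Stand-in for a socket: returns send(command) -> reply and records the transcript."""
    transcript = []

    def send(command):
        verb = command.split(None, 1)[0].upper()
        reply = replies.get(command) or replies.get(verb) or default
        transcript.append((command, reply))
        return reply

    send.transcript = transcript
    return send


def reply_code(reply):
    """Three-digit SMTP status at the start of a reply line, or None if malformed."""
    m = re.match(r"(\d{3})(?:[ -]|$)", reply)
    return int(m.group(1)) if m else None


def check_sendmail_info(send, known_user="root", alias="postmaster"):
    """Drive the exchange and decide whether VRFY/EXPN leak account information.

    250 means the server answered with a real mailbox.  For VRFY the check also
    compares a known account against a bogus one: different codes (250 vs 550)
    confirm or deny accounts one at a time, which is enumeration even without an
    address.  252 (cannot verify) or 502 (not allowed) for both means no leak.
    """
    send("HELO scanner.example.net")           # constructed scanner host name
    vrfy_known = reply_code(send(f"VRFY {known_user}"))
    vrfy_bogus = reply_code(send("VRFY nosuchuser-zz"))
    expn = reply_code(send(f"EXPN {alias}"))
    send("QUIT")
    vrfy_reveals = vrfy_known == 250 or vrfy_known != vrfy_bogus
    expn_reveals = expn == 250
    leaks = vrfy_reveals or expn_reveals
    return {
        "vrfy_reveals": vrfy_reveals,
        "expn_reveals": expn_reveals,
        "finding": "Sendmail info" if leaks else None,
        "severity": "brown" if leaks else "green",           # colour from the slides
        "resolution": "Disable EXPN and VRFY" if leaks else None,
    }


if __name__ == "__main__":
    for name, table in (("leaky", LEAKY), ("hardened", HARDENED)):
        send = scripted_server(table)
        print(name, check_sendmail_info(send))
        for cmd, rep in send.transcript:
            print(f"  C: {cmd}\n  S: {rep}")
```

Against a live server the same five commands would go over a TCP connection to port 25 with send() wrapping the socket; the classification logic does not change. A server that answers 252 for real users but 550 for unknown ones is still flagged, because the difference alone confirms which accounts exist.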