Title: Corporate Information Security Strategy: how to avoid giving free information to attackers.
Content: This paper explores techniques for exploitation of corporate information to attack an organisation and focuses on what can be done to develop security strategy to minimise risk exposure.
Developed by: Richard Bartley (richard.bartley@xinetica.com), Xinetica Ltd.
Document Contents:
1. Introduction
2. Synopsis
3. Information provision and risk exposure
4. What is useful to an attacker?
5. Information Gathering Techniques
5.1. Organisational Information Gathering
5.2. Meta-search engines
5.3. Basic Company searches
5.4. Disclosing people's names
5.5. Offering direct telephone numbers
5.6. Providing IT suppliers' names
5.7. Showing website design house names
5.8. Asking the organisation directly for information
5.9. Social Engineering
5.10. Dumpster diving
5.11. Gaining access by invitation under false pretence
5.12. Piggybacking
5.13. Getting a job
5.14. Insiders
5.15. Peer relationship exploitation
5.16. Residual data gathering
5.17. Local dumpster diving
5.18. Shoulder-surfing
5.19. Collaborative exploitation
5.20. Technical Information Gathering
5.21. Casing techniques
5.22. Probing techniques
5.23. Port scanning
5.24. Banner grabbing
6. Conclusion
1. Introduction
An increase in the number of well-publicised corporate network intrusions has highlighted the need for improved information security. Often, this will take the form of a firewall, intrusion detection system and sometimes penetration testing. An information provision strategy balances the publication of information products with the implied business need. Exposure to a wider range of known and unknown threats can be reduced by carefully considering security as part of such a strategy.
2. Synopsis
This paper explores techniques for exploitation of corporate information to attack an organisation and focuses on what can be done to develop security strategy to minimise risk exposure.
This paper is an assessment of where organisations leak valuable information, and of how this information can be gathered and analysed by a malicious attacker, either from inside or outside the organisation. Where necessary, recommendations for changes to corporate information practices are suggested. Some information is needed technically for internet use and network management; however, this paper makes suggestions for providing this without substantial risk of compromise.
3. Information provision and risk exposure
How can an organisation simultaneously provide maximum marketing coverage, whilst supplying the minimum amount of information that could be used by an attacker? How can an organisation provide necessary technical information for connection to ISPs and on to the Internet without furnishing an attacker with enough information for an attack?
The nature of the attack may be trivial vandalism (website defacement), theft (of credit card numbers or perhaps of intellectual property), change or substitution of information (perhaps for personal gain by insiders). Each type of attack needs different levels of knowledge of the organisation.
An organisation therefore needs to be careful what information is openly available to the untrusted, what is available to the trusted (and how trusted they can be), and what information is considered to be for very limited distribution only. The organisation needs to adopt methods for safe information provision that do not hinder marketing or connectivity. Hence corporate strategy for information provision needs to consider levels of risk exposure and best security practice for mitigating and limiting exposure.
This paper suggests that strategy to mitigate risk exposure [1] for information provision (see Figure 1) should be considered in terms of:
Figure 1 : Risk assessment supporting Information Provision Strategy
How exploitable information is gathered and used by an attacker is discussed in the next sections.
4. What is useful to an attacker?
The target-oriented attacker aims to assimilate as much information regarding a target as possible. The attacker uses a combination of information gathering techniques to simultaneously sweep and individually cherry-pick important information regarding the organization and its technical arrangement.
Figure 2: Range of potentially useful information for an attacker
There is a spectrum of enterprise information that the attacker could use to facilitate an attack. Different organizations operate to a range of enterprise information models, so a definitive list is not appropriate. Examples of the types of information that attackers find useful, using the taxonomy from the diagram, include:
Patently some of this information may be considered to be the organisation's crown jewels and will be limited in distribution and access, whereas other information may be openly available. The range of openness of information is addressed by the range of different gathering techniques.
5. Information Gathering Techniques
Gathering techniques exist for the range of organisational and technical information. There is a general spectrum of information gathering activity, from fairly passive means, systemically examining open source material for useful snippets of information, through to more active, stimulus-response gathering where the attacker directly engages the target organization to gather particularly relevant information. Figure 3 illustrates:
Figure 3 : Spectrum of Information Gathering
5.1. Organisational Information Gathering
Non-technical information gathering is targeted at the structure, infrastructure, people, policies and procedures. The reasons for getting this information range from this information being the target of the attack (e.g. obtaining competitive business intelligence) through to providing essential supporting information to facilitate a technical attack on the organisation.
The means by which organisational information can be gathered range from systemic approaches to internet searches through social engineering type methods to actual physical intrusion. The process and underlying means of collection are discussed in more detail.
The attacker begins with very little information, perhaps the name of the organisation only or even a website URL. The first step in information gathering is to turn to internet search engines.
5.2. Meta-search engines are on-line applications that utilise the functionality of a host of different web search engines and provide a gathered product. Some meta-search engines do some collation and duplicate removal, but others just provide raw search output. A general sequence of information searches may include the target organisation, peripheral and subsidiary organisations, products/services/brands, and suppliers. Some examples of good metasearch engines can be seen in Figure 4. Internet searches are not only useful at the start of a search; whenever specific information needs support or corroboration it is often useful to turn to the search engine, as a matter of course throughout the gathering process. Other example results may provide details of subsidiaries (that perhaps use the same IP domain), or of suppliers and customers that have links to the target organisation's extranet but don't have secure internet connectivity. Particularly useful for an attacker is extranet connectivity where there is outsourcing of IT supply, IT support and security. It is important to understand that corporate information strategy should encapsulate service level agreements for outsourcing, partnerships, and other business-to-business relationships. (This is useful for social engineering.)
Figure 4 : Some favourite metasearch applications
5.3. Basic Company searches are free and provide more information about an organisation, including company geographic location and general company demographics (size, turnover etc). In the UK the place to check out company names, ownership and company relationships (e.g. subsidiaries) is Companies House (www.companieshouse.gov.uk). More detailed company records can be downloaded but are charged a fee on-line, so the attacker could be exposed to some degree in obtaining this information; it is likely that if the information is desperately important (these records often provide the home addresses of directors) he will use a forged credit card. In the US try the SEC Edgar database (www.sec.gov/edgarhp.htm), where all information is free.
Once the attacker has found the web presence, a systemic scan of corporate websites will provide a prime source of information. Examples of excess information that can be gathered passively:
A reaction to this list might be "But I need all of this to do business!" This may be right for some items, but there are ways and means of doing business without:
5.4. Disclosing people's names, which can lead to tracing, social engineering, identity spoofing etc. This can be avoided by using professional positions (e.g. Product Consultant) and generic e-mail addresses (e.g. sales@acme.net). Only release people's names where it is absolutely necessary or required. Call centres get round this with the "Hello, my name is Tracy, your happy customer friend" routine! It is good practice to only assign a person's name to a prospective client once definite contact has been made. It is also good practice to carry out a quick background check on prospective clients to determine their sincerity and integrity (and their likelihood of becoming a customer!)
5.5. Offering direct telephone numbers is an awkward area since they can give away so much information. It is good company policy to only use the main switchboard for initial contact and to route external calls through there until a level of trust can be attained, at which point the direct line can be provided.
Figure 5: A successful war dialling attack worked out from gathered direct dial numbers
Consider the receptionist as a firewall: using a few telephone numbers, an attacker can guess a direct dial interface (DDI) range of numbers upon which to war-dial (looking for modems).
Figure 6: Use the receptionist as a firewall!
5.6. Providing IT suppliers' names is frequent since it can on the one hand demonstrate technical expertise and acumen, but it can also provide an attacker with insight regarding the technical infrastructure, the types of operating system that might be expected inside the network, and various server builds. At the same time, it is very common for IT providers to be very proud of their installed network, and they will name the organisation where it was installed and tell the world all about the hardware and software. This is an area where more involved web searches offer up the target organisation's name and infrastructure details on suppliers' websites!
5.7. Showing website design house names (often small gif images in the corner with a hyperlink) can provide significant information regarding the internet infrastructure of the organisation, including the type of web server and web-authoring software used, without having to delve into the source HTML.
Once an attacker has exhausted all available avenues of open-source material, depending on necessity there may be a change towards more active search tactics perhaps for more specific information that will be used to plan and construct an attack. These sorts of searches for information become more and more intrusive, gathering information using a range of widespread techniques:
5.8. Asking the organisation directly for information is the first active (stimulus-response) gathering process, and the most innocuous. The attacker may make direct requests for organisation and/or marketing information by phoning or e-mailing, perhaps posing as a potential customer or investor. Getting faxback messages provides an internal fax number; filling out online forms to gain a contact inside might get the target organisation to respond by phoning up (using Caller-ID this may provide the telephone number, though this can be limited at a DDI). This can often provide more organisational information than is available just from the website. Often when paper copies are mailed a business card may be stapled or placed in the information pack; this usually provides a name, phone, e-mail, website etc!
5.9. Social Engineering is the process of causing unsuspecting staff to provide important and often compromising information for the attack. This is generally done remotely (there are anecdotal cases of intruders gaining physical access by masquerading as new starters and contractors) and can be done using a range of techniques, from use of paper post through to telephone calls, all of which require a degree of deception and masquerade. Popular examples include assuming the identity of an identified subcontractor to gain inside information (e.g. telephone directories), and assuming the identity of the system administrator on the phone to steal passwords.
Once remote methods of gathering information by stimulus-response have been exhausted, the motivated attacker resorts to direct contact.
5.10. Dumpster diving is relatively passive, but requires access to the target's refuse. This is now easier (and less smelly) since a lot of organisations have a separate bin for paper recycling!
5.11. Gaining access by invitation under false pretence, e.g. a job interview, or setting up a false meeting with the target (e.g. as a salesman). Just visiting the foyer of an organisation usually offers important internal information, including corporate literature, letter-headed paper, and fixed but on-display information such as internal phone number lists with names on walls and diagrams for the emergency services showing locations of IT equipment, switch rooms etc; a bold attacker might try and steal the internal phone directory. A careful access control policy will also monitor people in foyers and at entrances. It is at this stage that a motivated attacker begins to defeat even the most secure information provision strategy.
5.12. Piggybacking is gaining illicit access to the target organisation, for example by entry with a group of staff after lunch, or by using a third party's authentication (for example stealing an access control pass from someone in a bar) to gain access in some way. Again, only a very stringent security policy will limit this sort of behaviour.
5.13. Getting a job is effectively becoming the insider threat. The job could be directly for the organisation or with an outsourcing firm, doing anything from IT to cleaning! The attacker now assumes all the qualities and capabilities of the insider. Corporate vetting procedures should reflect the degree of access employees have to certain types of information, but only the most secure information provision strategies will be successful in limiting damage from an inside threat. Military information control uses a "need to know" policy; the successful application of this sort of information strategy may limit insiders attempting to gain access to limited-distribution material.
5.14. Insiders have an immediate advantage since they can gather information whilst operating from the inside of an organisation. This ranges from immediate access to low-level internal corporate information such as:
Insiders can use a range of potentially criminal means [2] to gather other sensitive information. Techniques that have been observed widespread include:
5.15. Peer relationship exploitation where an insider uses the security access of colleagues to gain access to unauthorised information. This can include a form of piggybacking (discussed earlier) where the attacker uses peer access capabilities to gain access to unauthorised areas by association. This can be in terms of physical access or information access (i.e. borrowing a username/password pair).
5.16. Residual data gathering of information that has been left or cached on shared machines or shared work areas and over time compiling a detailed picture.
5.17. Local dumpster diving is gathering information from the nearby desk bins of others.
5.18. Shoulder-surfing is observing password entries, system access routes and other procedures, literally over the shoulder of the legitimate operator.
5.19. Collaborative exploitation is the classic insider job, where an anonymous insider provides information to an external third party who will carry out the attack. This can also include direct action to facilitate an attack (e.g. setting up of a false admin account with external access).
As an attacker's motivation becomes more intense, logically it becomes more difficult to protect against an attack. Hence an organisation must decide the aggregate level to which it will protect its assets. Information provision strategy must be devised with security at its heart.
5.20. Technical Information Gathering
Depending on the nature of the attack (either from the inside or from an external source), different technical information will be needed to conduct an attack. This section provides an insight into the various types of technical information gathered by an attacker from all parts of the network.
An attacker needs to gather enough information to support a route to particular information within an organisation's system. There are a number of scenarios that can be considered:
The external attacker with no internal access (i.e. the stereotypical hacker) will probably need to gather the most information since this attack requires information regarding the gateway routes from the internet to the internal network. Since this is the worst-case compromise scenario and all the other attack scenarios are effectively subsets of this attack, the information gathered to expedite the external attack is described.
The means by which an attacker gathers technical information can be passive (gathering technical information from internet databases and repositories) or active (polling the targeted machines).
5.21. Casing techniques are generally passive, in that they gather information from places other than the organisation's IT equipment.
WHOIS queries a NIC (e.g. whois.interNIC.net, or www.nic.uk) that maintains a database of all registered domain names. WHOIS queries can provide: domain names for the target organisation; a valid IP subnet from the IP address entry, which can be used to look for networked machines with scanning tools; a geographic location, which provides an attacker with the address at which to begin looking for organisational material; an administrative contact, whose name can be useful for social engineering or for wider internet searches; a phone/fax number, which can provide the phone number block range on which to launch a war-dialling attack; and the name server addresses for the domain, which provide the information for the next step.
Whois for dodgysite.com
Official name:
dodgysite.com
Addresses: 192.161.53.50
Registrants:
Dodgy inc (dog3-DOM)
23 Melrose Road
Beverley Hills 90100
Los Angeles
USA
00 01 123 456 789
Fax- 00 01 123 456 799
Domain name: dodgysite.com
Administrative contact, billing contact:
Domain admin (DP0901-ORG) Johnny.hacker@dodgysite.com
Dodgysite.com
23 Melrose Road
Beverley Hills 90100
Los Angeles
USA
00 01 123 456 789
Fax- 00 01 123 456 799
Record last updated on 01-Apr-2000.
Record expires on 01-Nov-2001.
Record created on 31-Jul-1994.
Database last updated on 01-Jun-2000 16:20:42 EST
Domain servers in listed order:
NS1.DODGYSITE.COM
193.161.4.220
NS2.DODGYSITE.COM
193.161.8.220
Figure 7: Example WHOIS query
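The following Python script is an added illustration, not part of the paper, of reading a WHOIS record from the defender's side. It takes the text of the organisation's own registration (the fictitious dodgysite.com record of Figure 7 is retyped as the constructed sample input) and reports the items the paragraph above identifies as useful to an attacker: a named individual who could be replaced by a role mailbox, a published phone/fax pair that betrays a direct-dial block, the name servers, and the subnets implied by every address in the record. The list of role mailboxes is an assumed policy setting, not something the paper specifies.

```python
import re
from typing import Dict, List

# Constructed sample input: the fictitious dodgysite.com record from Figure 7,
# retyped here so the auditor can be run offline.
SAMPLE_WHOIS = """\
Official name: dodgysite.com
Addresses: 192.161.53.50
Registrants:
Dodgy inc (dog3-DOM)
23 Melrose Road
Beverley Hills 90100
Los Angeles
USA
00 01 123 456 789
Fax- 00 01 123 456 799
Domain name: dodgysite.com
Administrative contact, billing contact:
Domain admin (DP0901-ORG) Johnny.hacker@dodgysite.com
Dodgysite.com
23 Melrose Road
Beverley Hills 90100
Los Angeles
USA
00 01 123 456 789
Fax- 00 01 123 456 799
Record last updated on 01-Apr-2000.
Domain servers in listed order:
NS1.DODGYSITE.COM
193.161.4.220
NS2.DODGYSITE.COM
193.161.8.220
"""

EMAIL_RE = re.compile(r"[\w.+-]+@[\w.-]+\.\w+")
PHONE_RE = re.compile(r"\d[\d ]{8,}\d")          # runs of digits and spaces, 10+ characters
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Mailboxes that name a function rather than a person (assumed policy list, not from the paper).
ROLE_MAILBOXES = {"hostmaster", "postmaster", "abuse", "dns", "noc", "domain-admin", "domains"}


def audit_whois(record: str) -> Dict[str, List[str]]:
    """Group the disclosures in a WHOIS record by the way Section 5.21 says an attacker uses them."""
    findings: Dict[str, List[str]] = {
        "personal_contacts": [],   # a named individual: social-engineering and search material
        "phone_numbers": [],       # normalised to digits only
        "direct_dial_blocks": [],  # numbers that differ only in their last three digits
        "name_servers": [],        # the starting point for DNS enumeration
        "subnets": [],             # /24s implied by every address in the record
    }
    for address in sorted(set(EMAIL_RE.findall(record))):
        if address.split("@")[0].lower() not in ROLE_MAILBOXES:
            findings["personal_contacts"].append(address)

    phones = findings["phone_numbers"]
    for match in PHONE_RE.findall(record):
        digits = re.sub(r"\D", "", match)
        if digits not in phones:
            phones.append(digits)
    for i, a in enumerate(phones):
        for b in phones[i + 1:]:
            block = a[:-3] + "xxx"
            if len(a) == len(b) and a[:-3] == b[:-3] and block not in findings["direct_dial_blocks"]:
                findings["direct_dial_blocks"].append(block)

    in_ns_section = False
    for line in record.splitlines():
        if line.lower().startswith("domain servers"):
            in_ns_section = True
            continue
        if in_ns_section:
            token = line.strip().split()[0] if line.strip() else ""
            if IPV4_RE.fullmatch(token):
                continue                            # glue address for the preceding server
            if "." in token and re.fullmatch(r"[A-Za-z0-9.-]+", token):
                findings["name_servers"].append(token)
            else:
                in_ns_section = False

    for ip in IPV4_RE.findall(record):
        subnet = ".".join(ip.split(".")[:3]) + ".0/24"
        if subnet not in findings["subnets"]:
            findings["subnets"].append(subnet)
    return findings


if __name__ == "__main__":
    for category, items in audit_whois(SAMPLE_WHOIS).items():
        print(f"{category}: {items}")
```

Run against the organisation's real record, the output is a checklist for the registrar update: replace the named contact with a role mailbox, and decide whether the published switchboard and fax numbers need to sit in the same DDI block.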
An NSLOOKUP query examines the name servers whose addresses were provided by the WHOIS query. This allows the collection of host and IP address information. The attacker uses this query to gather information to develop an expectation of the network topology at the gateway to the target (and sometimes inside!).
Using an NSLOOKUP client or the nslookup command in *nix, an attacker can point at the DNS server for the target organisation. This is done with the server command in nslookup:
[blah:~]$ nslookup
Default server: foobar.badguy.net
Address: 192.151.4.221
>
> server ns1.dodgysite.com
Default server: ns1.dodgysite.com
Address: 193.161.4.220
NSLOOKUP can now attempt a zone transfer to collect target information. This is achieved using the ls -d command in nslookup. The output can be sent to a file.
ls -d dodgysite.com > output.txt
[ns1.dodgysite.com]
received 20 answers (0 records)
The output.txt file has details from the domain:
@            1D IN SOA  dodgy postmaster (
                        1910003071 ; serial
                        3H         ; refresh
                        1H         ; retry
                        5D         ; expiry
                        1D )       ; minimum
             1D IN NS   ns1
             1D IN NS   ns2
             1D IN NS   nic.near.net
             1D IN MX   10 zorg
www_server   1D IN A    192.161.53.50
test_server  1D IN A    192.161.53.21
news         1D IN A    192.161.53.12
zorg         1D IN A    192.161.53.10
DNS servers are generally controlled and maintained by ISPs. Security at the DNS may be part of a service level agreement. If this DNS server had been set up securely, it would not have allowed a zone transfer to just any machine, only to specific named machines. The attacker would have received a "Can't list domain" error, and would have been forced to try other methods of information gathering.
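The securely configured DNS described above comes down to the server's zone-transfer ACL, which is exactly the kind of setting a service level agreement should name. The Python fragment below is an added example, not from the paper and not tied to any particular ISP's configuration: it audits a BIND-style named.conf (a constructed sample is embedded, with the weak `allow-transfer { any; }` beside two corrected zones) and reports, per zone, whether transfers are open to anyone, restricted to named hosts, disabled, or left to the build's default. It handles only top-level options and zone blocks; views and included files are assumptions it does not cover.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample named.conf fragment (assumed layout; not taken from the paper
# or from any real ISP). The options block opens transfers to everyone, and only
# two of the three zones override it.
SAMPLE_NAMED_CONF = """\
options {
    directory "/var/named";
    allow-transfer { any; };      // weak: every host on the internet may list every zone
};
zone "dodgysite.com" {
    type master;
    file "dodgysite.com.zone";    // inherits the open setting above
};
zone "partner.example" {
    type master;
    file "partner.zone";
    allow-transfer { 193.161.8.220; };   // only the named secondary may transfer
};
zone "locked.example" {
    type master;
    file "locked.zone";
    allow-transfer { none; };     // nobody may transfer this zone
};
"""

COMMENT_RE = re.compile(r"/\*.*?\*/|//[^\n]*|#[^\n]*", re.DOTALL)
ACL_RE = re.compile(r"allow-transfer\s*\{([^}]*)\}")


def _top_level_blocks(text: str):
    """Yield (header, body) for each top-level 'header { body };' statement."""
    text = COMMENT_RE.sub("", text)
    i = 0
    while True:
        start = text.find("{", i)
        if start < 0:
            return
        header = text[i:start].strip().lstrip(";").strip()
        depth, k = 1, start + 1
        while k < len(text) and depth:          # brace matching copes with nested ACL braces
            depth += {"{": 1, "}": -1}.get(text[k], 0)
            k += 1
        yield header, text[start + 1:k - 1]
        i = k


def _transfer_acl(body: str) -> Optional[List[str]]:
    m = ACL_RE.search(body)
    if not m:
        return None
    return [e.strip() for e in m.group(1).split(";") if e.strip()]


def _classify(acl: Optional[List[str]]) -> str:
    if acl is None:
        return "unset"          # falls back to the BIND build's default: verify it explicitly
    entries = [e.lower() for e in acl]
    if "any" in entries:
        return "open"           # any host may list the zone, as in the dodgysite.com example
    if entries == ["none"]:
        return "disabled"
    return "restricted"         # only the listed addresses or ACL names may transfer


def audit_named_conf(text: str) -> Dict[str, Dict[str, object]]:
    """Report, per zone, the effective allow-transfer setting and where it came from."""
    global_acl: Optional[List[str]] = None
    zones: List[Tuple[str, Optional[List[str]]]] = []
    for header, body in _top_level_blocks(text):
        if header == "options":
            global_acl = _transfer_acl(body)
        elif header.startswith("zone"):
            name = re.match(r'zone\s+"([^"]+)"', header)
            if name:
                zones.append((name.group(1), _transfer_acl(body)))
    report: Dict[str, Dict[str, object]] = {}
    for name, zone_acl in zones:
        acl = zone_acl if zone_acl is not None else global_acl
        source = "zone" if zone_acl is not None else ("options" if global_acl is not None else "default")
        report[name] = {"acl": acl, "source": source, "status": _classify(acl)}
    return report


if __name__ == "__main__":
    for zone, verdict in audit_named_conf(SAMPLE_NAMED_CONF).items():
        print(f"{zone}: {verdict['status']} (set in {verdict['source']}, acl={verdict['acl']})")
```

Any zone reported as "open" is the dodgysite.com situation above; "unset" means the answer depends on the BIND version's default and should be pinned explicitly rather than assumed.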
Technical information can also be present on the internet and found using search engines and looking at file headers.
The example below is from the header of a usenet message from the administrator of dodgysite.com! It is easy to search http://www.deja.com/usenet once some rudimentary site or people contacts have been made. This message provides the news server's name, news.dodgysite.com, but also lets us know that the webserver uses IIS and has FrontPage extensions on a Compaq machine running Windows NT. Looking a bit deeper shows that the client used to send this was running Windows 95 and the news software was Netscape based. This is all useful technical information for mounting an attack.
Xref: news.demon.co.uk microsoft.public.inetserver.iis:1046
Path: news.noneed.co.uk!noneed!dispose.news.noneed.net!noneed!newsfeed.cil.net!logbridge.uorigin.edu!pln-w!spln!dex!news.dodgysite.com
From: Johnny Hacker <johnny.hacker@dodgysite.com>
Newsgroups: microsoft.public.inetserver.iis.
Subject: cant get frontpage extensions with IIS server working
Date: Sun, 24 Dec 2000 09:50:18 -0800
Organization: Dodgy Web Services
Message-ID: <3A46375A.EE4E5F56@dodgysite.com>
Reply-To: johnny.hacker@dodgysite.com
NNTP-Posting-Host: news@dodgysite.com
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
X-Mailer: Mozilla 4.75 [en] (Win95; U)
X-Accept-Language: en
Lines: 5
Cant get Frontpage Extensions working with IIS on NT, using a Compaq
server.
Any ideas?
Johnny H
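The leak in the post above is split between headers the client adds automatically and product names the author typed. As an added example that is not part of the paper, the Python script below uses the standard library's email parser to run both checks over a message (the post above, retyped as a constructed sample) and to strip the environment-describing headers as an outbound gateway might. The list of headers and the product watch-list are assumptions chosen to match the paper's example, not a standard.

```python
import email
import re
from typing import Dict

# Constructed sample: the Usenet post quoted above, retyped as a single string
# so the check runs offline (the Path header is shortened to its last hops).
SAMPLE_POST = """\
Xref: news.demon.co.uk microsoft.public.inetserver.iis:1046
Path: newsfeed.cil.net!pln-w!spln!dex!news.dodgysite.com
From: Johnny Hacker <johnny.hacker@dodgysite.com>
Newsgroups: microsoft.public.inetserver.iis
Subject: cant get frontpage extensions with IIS server working
Date: Sun, 24 Dec 2000 09:50:18 -0800
Organization: Dodgy Web Services
Message-ID: <3A46375A.EE4E5F56@dodgysite.com>
Reply-To: johnny.hacker@dodgysite.com
NNTP-Posting-Host: news@dodgysite.com
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
X-Mailer: Mozilla 4.75 [en] (Win95; U)
X-Accept-Language: en
Lines: 5

Cant get Frontpage Extensions working with IIS on NT, using a Compaq
server.
Any ideas?
Johnny H
"""

# Headers that describe the poster's software or environment rather than the message.
LEAKY_HEADERS = {
    "X-Mailer": "client software and operating system",
    "User-Agent": "client software and operating system",
    "X-Newsreader": "client software",
    "NNTP-Posting-Host": "host the post was injected from",
    "Organization": "organisation name",
    "X-Originating-IP": "internal or client address",
}

# Assumed watch-list of platform names staff should not mention in public forums;
# the paper's example body mentions all four.
PRODUCT_WATCHLIST = [
    ("IIS", r"\bIIS\b"),
    ("FrontPage", r"\bfrontpage\b"),
    ("Windows NT", r"\b(?:windows\s+)?NT\b"),
    ("Compaq", r"\bcompaq\b"),
]


def inspect_post(raw: str) -> Dict[str, object]:
    """Return what a single news/mail message gives away about its author's environment."""
    msg = email.message_from_string(raw)
    leaks: Dict[str, str] = {name: msg[name] for name in LEAKY_HEADERS if msg.get(name)}
    path = msg.get("Path", "")
    injecting_server = path.split("!")[-1] if path else ""   # last hop is the poster's own server
    body = msg.get_payload() if not msg.is_multipart() else ""
    products = [label for label, pattern in PRODUCT_WATCHLIST if re.search(pattern, body, re.I)]
    return {"headers": leaks, "injecting_server": injecting_server, "products": products}


def strip_leaky_headers(raw: str) -> str:
    """Outbound policy: drop the environment-describing headers before a post leaves the gateway."""
    msg = email.message_from_string(raw)
    for name in LEAKY_HEADERS:
        del msg[name]          # the email API makes this a no-op when the header is absent
    return msg.as_string()


if __name__ == "__main__":
    report = inspect_post(SAMPLE_POST)
    for name, value in report["headers"].items():
        print(f"{name}: {value}  ({LEAKY_HEADERS[name]})")
    print("injecting server:", report["injecting_server"])
    print("products mentioned:", report["products"])
```

Header stripping only removes what the client added; the product mentions in the body are a matter for the posting guidelines the next paragraph calls for, and the report above is what such a guideline would point to.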
This leads to the concept of information leakage. An information provision strategy should provide guidelines to staff on what is and what is not acceptable to post on usenet groups, forums and other bulletin boards.
It is also possible to use search engines to search for vulnerabilities. A script-kiddie will run a search engine to indiscriminately find websites that have a particular executable uploaded (e.g. perl.exe in the cgi-bin directory, which can be used to run exploits on the server side).
5.22. Probing techniques are more active in nature and involve direct network communications between the attacker and the target (albeit through numerous networks). Probing techniques range from pinging hosts (a popular analogy for ping scans is knocking on everyone's front door to see if they are in!) through port scanning (which could be likened to looking through the windows to see who's inside) to vulnerability scanning at particular hosts (which is rather like crow-barring the door to see if it's locked!!!)
The previous, casing types of information gathering will have provided the attacker at worst with a set of IP addresses; at best the attacker will have drafted a network topology. Hence probing techniques assume that the attacker knows which machines (possibly all of them) to poke at.
Ping scans provide live evidence that a host exists on the network. Ping is an ICMP request; a scan steps sequentially through each IP address on the subnet and awaits a reply. A successful reply indicates presence; however, the absence of a reply doesn't necessarily indicate that the machine is down or not there. Routers (and firewalls) are frequently set up to drop incoming ICMP requests (and/or outgoing replies), which forces the attacker to seek another way of confirming host presence.
Traceroute provides information regarding the route by which the attacker connects to the target host. Again, traceroute can be dropped since it also relies on ICMP. Traceroute will only provide information regarding the route to the target; a command such as ping -R (record route) often provides not only the IP addresses of machines along the route to the target, including any external routers, but on poorly set up systems can also provide the router's internal address!
Traceroute can also be used to confirm whether the organisation's webserver is located at a different place (e.g. the web author's or ISP's location).
Passive monitoring can be carried out at the internet gateway. By capturing packets that emanate from a router gateway it is possible to gather information about the internal hosts that are using the gateway including operating system details, processor details and www browser types. Proxy firewalls can be used to remove sensitive data such as this.
At a lower level of packet capture, but only when network address translation (NAT) is not being performed, it is often possible to gather internal IP addresses from the source address in the IP packet header.
Using particular software (e.g. sniffit, BUTTsniff, snuff etc) it is possible to extract usernames and passwords (obviously those of users from within the organisation); this can often lead to compromise since people are generally lazy and use the same username/password almost indiscriminately, from their desktop access control to web-based personal e-mail.
5.23. Port scanning provides details of the network services available at each host. Port scanning can be systemic across the subnet or targeted (and intense!). Firewalls often do not allow the usual SYN-type port scan through, and together with ICMP blocking this defeats many standard scanners. Hence the de facto standard is nmap (by Fyodor, available from www.insecure.org), since it can perform so-called stealth port scans (reducing the probability that any IDS will detect the scan). This is achieved using SYN/half-open, FIN, NULL, Xmas and oddball packet stealth scans. Below is typical output from nmap; note that host 192.161.53.50 is the webserver, .12 is a news server, and .139 is a router.
Starting nmap V. 2.53 by fyodor@insecure.org ( www.insecure.org/nmap/ )
Interesting ports on (192.161.53.50):
(The 1503 ports scanned but not shown below are in state: closed)
Port       State       Service
80/tcp     open        http
443/tcp    open        https
TCP Sequence Prediction: Class=trivial time dependency
                         Difficulty=14 (Easy)
Remote operating system guess: Windows NT4 / Win95 / Win98

Interesting ports on (192.161.53.12):
(The 1503 ports scanned but not shown below are in state: closed)
Port       State       Service
119/tcp    open        nntp
135/tcp    open        loc-srv
139/tcp    open        netbios-ssn
143/tcp    open        imap2
389/tcp    open        ldap
TCP Sequence Prediction: Class=trivial time dependency
                         Difficulty=14 (Easy)
Remote operating system guess: Windows NT4 / Win95 / Win98

Interesting ports on (192.161.53.21):
(The 1503 ports scanned but not shown below are in state: closed)
Port       State       Service
80/tcp     open        http
TCP Sequence Prediction: Class=trivial time dependency
                         Difficulty=14 (Easy)
Remote operating system guess: Windows NT4 / Win95 / Win98

Interesting ports on (192.161.53.139):
(The 1503 ports scanned but not shown below are in state: closed)
Port       State       Service
23/tcp     open        telnet
TCP Sequence Prediction: Class=trivial time dependency
                         Difficulty=14 (Easy)
Remote operating system guess: Cisco Router
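The scan types named above leave two different traces in a firewall log, and the detection logic an IDS applies to them is worth seeing in full. The Python script below is an added example, not from the paper: over constructed firewall log lines (the format is assumed; real products lay their logs out differently) it flags a source that touches many distinct destination ports in a short window, which is how a SYN/half-open scan is caught since its packets look like ordinary connection attempts, and separately flags any packet carrying the FIN-only, NULL or Xmas flag combinations, which no legitimate client ever sends. Thresholds and the sample addresses are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Deque, Dict, List, Optional, Tuple

# Constructed firewall log format (assumed; real products differ in layout):
# "<ISO timestamp> <action> src=<ip> dst=<ip> proto=<tcp|udp|icmp> dpt=<port> flags=<TCP flag letters>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>\w+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"proto=(?P<proto>\w+) dpt=(?P<dpt>\d+) flags=(?P<flags>[A-Z]*)$"
)

# No legitimate TCP connection opens with these flag combinations; they are the
# FIN, NULL and Xmas probes mentioned in the text, and they give themselves away.
ANOMALOUS_FLAGS = {"F": "FIN scan", "": "NULL scan", "FPU": "Xmas scan"}

SCANNER = [  # constructed: 12 SYNs to different ports on the web server within 12 seconds
    f"2000-06-01T16:20:{i:02d} DROP src=10.9.8.7 dst=192.161.53.50 proto=tcp dpt={p} flags=S"
    for i, p in enumerate([21, 22, 23, 25, 53, 80, 110, 111, 135, 139, 143, 443])
]
LEGITIMATE = [  # constructed: a browser opening the two published services
    "2000-06-01T16:20:05 ACCEPT src=10.1.1.5 dst=192.161.53.50 proto=tcp dpt=80 flags=S",
    "2000-06-01T16:20:06 ACCEPT src=10.1.1.5 dst=192.161.53.50 proto=tcp dpt=443 flags=S",
]
STEALTH = ["2000-06-01T16:20:30 DROP src=10.9.8.8 dst=192.161.53.50 proto=tcp dpt=80 flags=FPU"]
SAMPLE_LOG = SCANNER + LEGITIMATE + STEALTH


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Parse one log line into a dict, or None for lines in another format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ev: Dict[str, object] = m.groupdict()
    ev["ts"] = datetime.fromisoformat(str(ev["ts"]))
    ev["dpt"] = int(str(ev["dpt"]))
    return ev


def detect_scans(lines: List[str], port_threshold: int = 10, window_seconds: int = 60) -> List[Dict[str, str]]:
    """Flag sources that touch many distinct ports quickly, and any use of scan-only TCP flags."""
    alerts: List[Dict[str, str]] = []
    recent: Dict[str, Deque[Tuple[datetime, Tuple[str, int]]]] = defaultdict(deque)
    already_flagged = set()
    for ev in filter(None, map(parse_line, lines)):
        src = str(ev["src"])
        if ev["proto"] == "tcp" and ev["flags"] in ANOMALOUS_FLAGS:
            alerts.append({"src": src, "kind": "stealth-flags",
                           "detail": f"{ANOMALOUS_FLAGS[str(ev['flags'])]} against {ev['dst']}:{ev['dpt']}"})
        window = recent[src]                      # sliding window of (time, target) per source
        window.append((ev["ts"], (str(ev["dst"]), int(str(ev["dpt"])))))
        while window and (ev["ts"] - window[0][0]).total_seconds() > window_seconds:
            window.popleft()
        targets = {t for _, t in window}
        if len(targets) >= port_threshold and src not in already_flagged:
            already_flagged.add(src)              # one alert per sweeping source, not one per packet
            alerts.append({"src": src, "kind": "port-sweep",
                           "detail": f"{len(targets)} distinct dst:port pairs within {window_seconds}s"})
    return alerts


if __name__ == "__main__":
    for alert in detect_scans(SAMPLE_LOG):
        print(f"{alert['src']}  {alert['kind']}  {alert['detail']}")
```

The port-sweep rule is the one that needs tuning: a threshold of ten distinct ports in a minute catches the sweep above without flagging the browser that opens 80 and 443, but a scanner that spreads its probes over hours stays under it, which is the point of the "slow scan" option such tools offer and why the rule is a complement to, not a substitute for, the firewall policy.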
5.24. Banner grabbing is a method by which inadvertent information leakage can provide important information regarding a network service. The example below shows the result of telnetting to an SMTP mail server.
Figure 8: Telnet to an SMTP mail server
It is possible to telnet to a wide range of network services including telnet itself, ftp, SMTP, POP3, HTTP, IMAP4 amongst others. All of which will often provide service information. It is important that information provision strategy stretches down to service level such that this sort of information is removed.
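Pushing the information provision strategy down to service level means auditing what each service announces. The Python fragment below is an added example, not part of the paper: given the first line a service sends (a handful of constructed banners are embedded, with the verbose wording beside a minimal one), it lists the product names, version strings and operating system names the banner discloses, and reports whether the banner passes a minimal-banner policy. The banner wordings are assumed for illustration and were not captured from any host.

```python
import re
from typing import Dict, List, Tuple

# Product/version pairs such as "Sendmail 8.9.3", "Microsoft-IIS/4.0", "wu-2.6.1".
PRODUCT_VERSION_RE = re.compile(r"([A-Za-z][A-Za-z_-]*?[A-Za-z])[ /_v-]?(\d+(?:\.\d+)+)")
# Any dotted version string, even one with no product name in front of it.
VERSION_RE = re.compile(r"(?<![\w.])\d+(?:\.\d+)+(?![\w.])")
OS_RE = re.compile(r"\b(Windows(?: NT)?|Linux|FreeBSD|Solaris|Debian|Ubuntu|Red Hat)\b")

# Constructed banners (assumed wording for illustration; not captured from any real host).
SAMPLE_BANNERS = {
    "smtp-verbose": "220 mail.dodgysite.com ESMTP Sendmail 8.9.3/8.9.3; Sun, 24 Dec 2000 09:50:18 -0800",
    "smtp-minimal": "220 mail.dodgysite.com ESMTP",
    "http-header":  "Server: Microsoft-IIS/4.0",
    "ftp-verbose":  "220 ftp.dodgysite.com FTP server (Version wu-2.6.1(1) Mon Dec 18 2000) ready.",
    "smtp-ms":      "220 mail.dodgysite.com Microsoft ESMTP MAIL Service, Version: 5.0.2195.1600",
}


def banner_leaks(banner: str) -> Dict[str, List]:
    """List the software, version and OS details a banner discloses; all empty means it is clean."""
    products: List[Tuple[str, str]] = PRODUCT_VERSION_RE.findall(banner)
    return {
        "products": products,
        "versions": VERSION_RE.findall(banner),   # catches "Version: 5.0.2195.1600" with no product word
        "os": OS_RE.findall(banner),
    }


def is_minimal(banner: str) -> bool:
    """True when the banner reveals no product, version or OS (e.g. '220 host ESMTP')."""
    return not any(banner_leaks(banner).values())


def audit_banners(banners: Dict[str, str]) -> Dict[str, bool]:
    """Map each service label to whether its banner passes the minimal-banner policy."""
    return {label: is_minimal(text) for label, text in banners.items()}


if __name__ == "__main__":
    for label, text in SAMPLE_BANNERS.items():
        verdict = "ok" if is_minimal(text) else f"leaks {banner_leaks(text)}"
        print(f"{label:13s} {verdict}")
```

The SMTP greeting has to carry the host name (the protocol requires it), so the policy is not "say nothing" but "say no more than the protocol needs"; the minimal banner above passes for exactly that reason.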
There are a wide range of vulnerability scanning tools, each having its own particular advantage. For example, tools like gnit (by glitch, available from security.ellicit.org) provide Perl-based output with a lot of NT-based detail. Many automated vulnerability scanners cannot pass through well-configured firewalls, though this only precludes inexperienced attackers. Figure 9 shows how gnit dumps the users and groups from a host.
Figure 9 : Product of Gnit vulnerability scan
Other vulnerability scanners include SAINT (from www.wwdsi.com), which provides a raft of vulnerabilities to detect; SAINT is associated with the Common Vulnerabilities and Exposures database from Mitre (cve.mitre.org). For particular targets there are particular flavours of vulnerability scanner; for example, for a web presence there is a Windows-based CGI / web server scanner known as the Simpsons CGI Scanner, which allows use of your own CGI database but rapidly checks for vulnerabilities that can be exploited.
At this level of information gathering, the only serious methods of prevention are firewalls with rules that exclude the passing of particular information (e.g. outgoing ICMP traffic) and intrusion detection systems (IDS)(both host based and network) that have up to date attack signatures, since vulnerability scanning invariably precedes attack. Vulnerability scanning is generally seen as an attack by IDS hence there are rules to alert and potentially close certain services when these sorts of scans are detected. Experienced attackers generally do not use automated vulnerability scanners for this very reason but rely on their knowledge of network services and known vulnerabilities in software and hardware.
Once the attacker has successfully isolated an attack route through the target network, utilising a detected vulnerability (either from observation or from the products of the automated tools) the attack on the organisation can begin.
6. Conclusion
There are a host of ways in which a motivated attacker could gather enough information to compromise an organisation's information enterprise, mainly using freely available corporate information.
All the latest information security devices and skills are abused to some degree, owing to a combination of a lack of security understanding among decision makers and the limits of the financial budget that can be afforded.
Firewalls and intrusion detection systems (IDS) are often seen as panaceas, once-installed "fire and forget" type applications, with the marketing hype still buzzing: "Now that we have these we must be safe as houses!" Firewalls and IDS need constant monitoring, weekly (sometimes daily!) updates and a reasonable amount of in-house security knowledge to understand what is actually happening.
Penetration testing is also abused since it appears to be taking on an information security certification position which it unfortunately is not. Penetration testing exercises the security implementation in response to a sample of known vulnerabilities at a specific time.
By assessing risk exposure and creating sound information provision strategy an organisation can limit the means by which an attacker gathers organisational and technical information.
This paper has shown ways and means of managing information security from strategic direction to technical services to provide a coherent and pan-organisational information provision strategy.
[1] Developed from guidelines and studies by the Inter-liaison Group on Risk Assessment (ILGRA) within the UK government.
[2] Reference: Fred Cohen's Information Security Threat Database at all.net