Document 189215

CONFIDENTIAL DATA:
How to Find It
IIA El Paso Chapter
November 19
19, 2009
Miguel Hernandez IV, CISSP, CISA
Outline
y
y
y
y
y
Goals and Expectations
CIA Triad
Data Classification, Threats, & Data Leakage
IP Addresses & Hostnames
File Servers & File Shares
◦ Permissions
y
Web Servers
◦ Clear-text vs Cipher-text
y
Conclusion
Copyright © Miguel Hernandez IV 2009. All rights reserved.
Goals
y
y
y
y
y
Learn some terminology.
Understand the areas where confidential data
leakage can occur.
Gather ke
key information (IP addresses
addresses,
hostnames, URLs, etc.)
Find confidential data.
Somethingg for everybody
y
y (hopefully)
( p
y)
◦ Beginner to Advanced
◦ From policy to practice.
Copyright © Miguel Hernandez IV 2009. All rights reserved.
Expectations
y
Don’t expect to find confidential data on your
first (or 100+) try(s).
◦ Some automation is possible, but techniques
shown are manual and can be time
consuming.
y
Use the techniques with care.
◦ You
Y might
h break
b k something.
h
Copyright © Miguel Hernandez IV 2009. All rights reserved.
Notable Breaches
y
y
y
Jan. 11, 2009 - University of Rochester
◦ 450 Social Security numbers were stolen from
a database. - Server
Jan. 20, 2009 - Heartland Payment Systems
◦ 130 million credit and debit card numbers Server
Feb. 19, 2009 - University of Florida
◦ 97,200 Social Security numbers - Server
Copyright © Miguel Hernandez IV 2009. All rights reserved.
Confidentiality
Integrity
Availability
CIA TRIAD
Copyright © Miguel Hernandez IV 2009. All
rights reserved.
CIA Triad
y
y
y
Confidentiality - Data is not disclosed to
unauthorized individuals*.
Integrity - Data has not been altered or
destroyed in an unauthorized manner*.
*
Availability - Data is available when needed*.
Copyright © Miguel Hernandez IV 2009. All rights reserved.
* http://www.m-w.com
CIA Triad [Ideal Model]
Confidentiality
I
Integrity
i
Copyright © Miguel Hernandez IV 2009. All rights reserved.
A il bili
Availability
CIA Triad [High Confidentiality]
Confidentiality
The military loves
it’ss secrets!
it
Top Secret
Secret
Confidential
Unclassified
I
Integrity
i
Copyright © Miguel Hernandez IV 2009. All rights reserved.
A il bili
Availability
CIA Triad [High Availability]
Confidentiality
If eBay goes down,
no one’s
’ making
k
money.
I
Integrity
i
Copyright © Miguel Hernandez IV 2009. All rights reserved.
A il bili
Availability
CIA Triad [High Integrity]
Confidentiality
If only I could add a
f more digits
few
d
to
my savings account!
I
Integrity
i
Copyright © Miguel Hernandez IV 2009. All rights reserved.
A il bili
Availability
What about your organization?
y
Where does your organization put emphasis?
y
Do you have a Chief Information Security
Officer?
y
Do you have an information security office?
Copyright © Miguel Hernandez IV 2009. All rights reserved.
DATA CLASSIFICATION,
CLASSIFICATION
THREATS, &
DATA LEAKAGE
Copyright © Miguel Hernandez IV 2009. All
rights reserved.
What is confidential information?
y
Depends on your organization.
◦ Social security numbers
◦ Credit card numbers
◦ Health information
p p y
◦ Intellectual property
◦ Grades
g
◦ Militaryy intelligence
◦ Research and development prototypes
◦ Etc.
Copyright © Miguel Hernandez IV 2009. All rights reserved.
Data Classification (1)
y
Data Classification is the conscious decision to
assign a level of sensitivity to data as it is being
created, amended, enhanced, stored, or
t
transmitted.
itt d
y
The classification
Th
l ifi i off the
h d
data d
determines
i
the
h
extent to which the data needs to be controlled
/ secured and is also indicative of its value to an
organization.
Copyright © Miguel Hernandez IV 2009. All rights reserved.
Data Classification (2)
y
Data Classification Guide – Document that
defines confidential data and provides guidance
on how to secure it.
y
If you don’t have a data classification guide, you
might
i h hhave a confidential
fid i l data
d leakage
l k
problem
bl
and not know it.
Copyright © Miguel Hernandez IV 2009. All rights reserved.
Where’s
Where s the Threat?
y
y
y
y
Insider Threat
◦ Employees
◦ Contractors
◦ Visitors
Outsider Threat
◦ Hackers
Our focus is on the Insider Threat.
70% of data breaches are from insiders*.
Copyright © Miguel Hernandez IV 2009. All rights reserved.
[* www.eccouncil.org]
Insider Threat
y
y
y
Unintentional / Accidental
◦ I didn’t know I couldn’t do that!
Intentional
◦ Disgruntled employee.
Means Opportunity Motive (MOM)
pp
y all
◦ The insider has the Means & Opportunity,
they need is Motive.
Copyright © Miguel Hernandez IV 2009. All rights reserved.
Where are the data leaks?
y
y
y
y
y
Servers
◦ File
Our focus is here!
◦ Web
Removable storage
◦ USB
◦ External Hard Drives
◦ CD/DVDs
Email
Instant Messaging
g g
P2P
Copyright © Miguel Hernandez IV 2009. All rights reserved.
So what is a Server?
y
A server is nothing more than a computer that
provides resources (services) to another
computer.
y
Best to define in terms of specific types of
servers.
◦ File, Web, Email, Database, Print, Antivirus,
Game etc…
Game,
etc
y
A server is
i just
j t another
th computer.
t
Copyright © Miguel Hernandez IV 2009. All rights reserved.
Why is a server vulnerable?
y
A server is meant to make a resource available
(files, databases, websites, etc.).
◦ Servers are necessarily high availability
devices.
y
No hacking required! You probably have some
form of access to it.
Low hanging fruit.
y
Copyright © Miguel Hernandez IV 2009. All rights reserved.
IP ADDRESSES &
HOSTNAMES
Copyright © Miguel Hernandez IV 2009. All
rights reserved.
Prerequisites to Server Auditing
y
Must identify IP Addresses and Hostnames.
◦ Analogous to Mailing Addresses.
y
IP Address
Add
– numericall label
l b l assigned
d to a
computer. Ex. 192.168.1.2
Hostname – a computer
computer’ss name.
name Ex.
Ex Web
servers on the internet are usually named
“www”.
y
y
“Hi, my name is 74.125.65.105, but my friends
callll me www.google.com.”
l
”
Copyright © Miguel Hernandez IV 2009. All rights reserved.
Danger, Will Robinson!
y
While not inherentlyy dangerous
g
or
destructive, the following techniques can
result is a loss of data, denial of service, or
other unintended results.
y
Proceed with caution and do not attempt
any of the following if not 100% confident
and comfortable.
Copyright © Miguel Hernandez IV 2009. All rights reserved.
Finding the IP Address (1)
DEMO
Copyright © Miguel Hernandez IV 2009. All rights reserved.
Finding the IP Address (2)
192.168.1.2
255.255.255.0
192.168.1.1
DEMO
Copyright © Miguel Hernandez IV 2009. All rights reserved.
Finding the Hostname
DEMO
Copyright © Miguel Hernandez IV 2009. All rights reserved.
FILE SERVERS &
FILE SHARES
Copyright © Miguel Hernandez IV 2009. All
rights reserved.
File Servers (1)
y
File Server – A computer that stores and shares
files. Contains file shares.
y
File Share – The resource made available
(shared) on a network where files are stored.
R f
Refers
to folders
f ld
(directories).
(di
i )
y
FFile
l SServer – the
h physical
h
l computer
File Share – the shared resource
y
Copyright © Miguel Hernandez IV 2009. All rights reserved.
File Servers (2)
y
y
y
A file server can have many file shares!
File Server is like a File Cabinet. The drawers
are the File Shares.
File Share vs Shared Folder vs Network Drive
vs NFS mounts …
◦ All the same thing!
Copyright © Miguel Hernandez IV 2009. All rights reserved.
File Sharing
Files
File Server
Client
File Share
Network
Client
Files
Copyright © Miguel Hernandez IV 2009. All rights reserved.
Locating File Servers and Shares
Shares*
DEMO
File Share
File Server
IP Address
Hostname
Copyright © Miguel Hernandez IV 2009. All rights reserved.
*Applies to Windows-based client systems only.
Auditing File Shares (1)
y
Connect to the File Server using
\\TheHostname\TheFileShare or
\\TheIPAddress\TheFileShare UNC syntax.
*UNC
– Uniform
Naming
Convention
Copyright © Miguel
Hernandez
IV 2009.
All rights
reserved.
Auditing File Shares (2)
DEMO
Copyright © Miguel Hernandez IV 2009. All rights reserved.
Auditing File Shares (3)
DEMO
Copyright © Miguel Hernandez IV 2009. All rights reserved.
More File Shares, Please (1)
y
y
y
Recall that a file server can have multiple file
shares.
You may be auditing Department X and have
identified all of X’s file shares on the file server,
but the same file server may also contain file
shares for Department Y
Y, Z,
Z etc…
etc
There is a way to identify ALL file shares on a
file server!
Copyright © Miguel Hernandez IV 2009. All rights reserved.
More File Shares, Please (2)
File Server
Copyright © Miguel Hernandez IV 2009. All rights reserved.
File Share
More File Shares, Please (3)
y
y
Connect to the File Server using
\\TheHostname or \\TheIPAddress UNC syntax.
Omit the specific file share name when
connecting to the server.
DEMO
Copyright © Miguel Hernandez IV 2009. All rights reserved.
*UNC – Uniform Naming Convention
File Share Auditing Methodology
y
y
Identify file shares and file servers.
For each share identified
◦ Connect to each share using UNC.
x If connection attempt is successful
p files & look for confidential data.
x Sample
x Otherwise
p
x Connect to the next share & repeat.
Copyright © Miguel Hernandez IV 2009. All rights reserved.
Q: Does this always work?
y
A: No. Will only work if file permissions do not
limit your access.
◦ DEMO
y
Q: Is it a finding if I am able to connect to a file
share and no confidential information is found?
A: Depends on organizational policy.
y
Copyright © Miguel Hernandez IV 2009. All rights reserved.
FILE SERVERS:
PERMISSIONS
Copyright © Miguel Hernandez IV 2009. All
rights reserved.
A Word About File Permissions
y
A set of conventions for controlling access to a
file that consists of access modes and deny
modes*.
y
“John, I give you permission to look at my files.
“Sorry Jane, you can’t look at my files.”
y
Copyright © Miguel Hernandez IV 2009. All rights reserved.
* http://developer.apple.com
File Permissions (1)
DEMO
Warning!
Copyright © Miguel Hernandez IV 2009. All rights reserved.
File Permissions (2)
y
y
y
The “Everyone” group is usually the problem.
If the file share has confidential data, “Everyone”
should not have access.
Strong access controls refer to permissions
where only those with a need-to-know have
access.
Copyright © Miguel Hernandez IV 2009. All rights reserved.
WEB SERVERS
Copyright © Miguel Hernandez IV 2009. All
rights reserved.
Web Servers
y
Web Server – A computer that contains a
website
b i ((not lilimited
i d to the
h IInternet).
) C
Contains
i
web pages.
y
Internal Web Server – A computer that contains
a website that is onlyy available on the lntranet.
◦ Intranet – A network within the organization.
◦ Our focus is here.
y
TIP: Some file servers are also web servers!
Copyright © Miguel Hernandez IV 2009. All rights reserved.
Locating Web Servers From File
Servers
y
Identify file servers using the techniques just
presented.
y
Connect to the Web Server / File Server using
◦ http:\\TheHostname or http:\\TheIPAddress
URL* syntax (clear text).
◦ https:\\TheHostname or https:\\TheIPAddress
URL syntax ((encrypted).
d)
Copyright © Miguel Hernandez IV 2009. All rights reserved.
*URL – Uniform Resource Locator
Auditing Web Servers (1)
Copyright © Miguel Hernandez IV 2009. All rights reserved.
DEMO
Auditing Web Servers (2)
Copyright © Miguel Hernandez IV 2009. All rights reserved.
DEMO
Web Server Auditing Methodology
y
y
Identify file servers.
For each server identified
◦ Connect to each server using URL syntax.
x If connection attempt is successful
g & look for confidential
x Browse web ppages
data.
x Otherwise
x Connect to the next server & repeat.
Copyright © Miguel Hernandez IV 2009. All rights reserved.
WEB SERVERS:
CLEAR--TEXT VS
CLEAR
CIPHER--TEXT
CIPHER
Copyright © Miguel Hernandez IV 2009. All
rights reserved.
Clear-text vs CipherClearCipher-text
Transmission
y
Clear-text – Information transmitted over the
networkk iin unencrypted
d form.
f
◦ Information Æ Clear-text Æ Information
y
Cipher-text – Information transmitted over the
network in encrypted form.
◦ Information Æ Cipher-text Æ [email protected]#$%^&*()
y
The key is in the URL.
◦ HTTP vs HTTPS
Copyright © Miguel Hernandez IV 2009. All rights reserved.
Who cares about clearclear-text vs
cipher--text?
cipher
y
y
y
y
The bad guys, that’s who.
Confidential information transmitted in cleartext can be easily intercepted using tools freely
available on the Internet.
Usernames and passwords can also be
intercepted!
If the
h web
b site is password
d protected,
d there’s
h ’
probably some confidential information
involved.
involved
Copyright © Miguel Hernandez IV 2009. All rights reserved.
The Bad Guy
Confidential
C
fid i l
Data
Network
Confidential
C
fid i l
Data
Thanks for
the clear-text
Confidential Data
Copyright © Miguel Hernandez IV 2009. All rights reserved.
Clear--text Web Server (1)
Clear
y
y
y
Connect to server.
◦ http://192.168.137.132/webgoat/attack
u:guest p:guest
Wireshark: Network Monitor (sniffer).
(
)
◦ Let’s use this to capture some passwords.
Sniff,
sniff
Copyright © Miguel Hernandez IV 2009. All rights reserved.
Clear--text Web Server (2)
Clear
Copyright © Miguel Hernandez IV 2009. All rights reserved.
DEMO
Clear--text Web Server (3)
Clear
Copyright © Miguel Hernandez IV 2009. All rights reserved.
Cipher--text Web Server (1)
Cipher
y
y
Connect to server.
◦ https://192.168.137.132/webgoat/attack
u:guest p:guest
Sniff,
sniff
Copyright © Miguel Hernandez IV 2009. All rights reserved.
Cipher--text Web Server (2)
Cipher
Copyright © Miguel Hernandez IV 2009. All rights reserved.
DEMO
Q: Does this always work?
y
A: No. Will only work if the server is / is also a web
server.
server
Q: Can I always “sniff” clear-text information off the
wire??
y A: Only if encryption is not used. There are also
switched network vs hubbed network
considerations (advanced topic).
y
Q: Is it a finding if I am able to connect to an
internal web server and no confidential information
is found?
y A: Depends on organizational policy.
policy
y
Copyright © Miguel Hernandez IV 2009. All rights reserved.
Conclusion
y
CIA
Data Classification, Threats, & Data Leakage
IP Addresses & Hostnames
File Servers
Web Servers
y
Go forth and find some confidential data!
y
y
y
y
Copyright © Miguel Hernandez IV 2009. All rights reserved.
QUESTIONS
Copyright © Miguel Hernandez IV 2009. All
rights reserved.