san francisco chapter san francisco chapter
play

San Francisco Chapter San Francisco Chapter Presented by: AAA - PowerPoint PPT Presentation

Feb 21, 2024 •49 likes •969 views

San Francisco Chapter San Francisco Chapter Presented by: AAA Northern California, Nevada & Utah Derek Koopowitz IT Audit Manager Norm Gutierrez IT Audit Specialist Infrastructure Vulnerability Assessment Infrastructure

  1. San Francisco Chapter San Francisco Chapter Presented by: AAA Northern California, Nevada & Utah Derek Koopowitz – IT Audit Manager Norm Gutierrez – IT Audit Specialist

  2. Infrastructure Vulnerability Assessment Infrastructure Vulnerability Assessment Agenda Agenda  What Is A Vulnerability Assessment?  Vulnerability Assessment Process  Business Case For A Vulnerability Assessment  Footprinting  Testing Network Security  Testing Operating System and Web Application Security  Testing Database Security  Vulnerability Management  Q & A San Francisco Chapter San Francisco Chapter

  3. What Is A Vulnerability Assessment? Generally called Ethical Hacking or Network Penetration testing. Another term used these days is Red Teaming. Essentially we are trying to detect network and system vulnerabilities and to test security by taking an “attacker” like approach in order to gain access. We want to enhance security in our infrastructure and a VA is a great way to accomplish that goal. San Francisco Chapter San Francisco Chapter

  4. What Is A Vulnerability Assessment? (cont’d) A vulnerability assessment is being proactive. It determines one’s susceptibility to an attack before the infrastructure is exploited, and it forces companies to take early corrective action (hopefully). It can show the consequences of an attack to your organization. San Francisco Chapter San Francisco Chapter

  5. Vulnerability Assessment Process  Impartial assessment - should not be done by IT (fox guarding the hen house)  Customer consent must be obtained  Define the scope – general or specific depending on cost/time. Areas to test can be: ◦ Internet security (port scanning, password cracking, etc.) ◦ Communications security (VM testing, modem testing, etc.) ◦ Information security (privacy, etc.) ◦ Social engineering ◦ Wireless security ◦ Physical security (access controls, etc.) San Francisco Chapter San Francisco Chapter

  6. Business Case For A Vulnerability Assessment  Protect the crown jewels (data)  Comply with Federal/State laws such as SOX, HIPAA and Privacy  Comply with vendor requirements such as PCI  Avoiding unneeded publicity for your company (i.e. TJ Maxx, ChoicePoint)  Preparing For Potential Infrastructure Breach  Independent Assessment San Francisco Chapter San Francisco Chapter

  7. Footprinting Layman’s term is reconnaissance. This is the information gathering aspect of the VA – obtain all system and user information to understand the environment. Use this information to execute local and remote attacks. Reduces the risk of being discovered. San Francisco Chapter San Francisco Chapter

  8. Footprinting (cont’d) Methodology used:  Publicly available information ◦ Company web pages ◦ SEC Edgar ◦ Search sites (Yahoo, Google, etc.) ◦ Usenet ◦ Job postings San Francisco Chapter San Francisco Chapter

  9. Footprinting (cont’d) Methodology used:  Internet footprinting ◦ Whois ◦ ARIN ◦ Traceroute ◦ NSLookup San Francisco Chapter San Francisco Chapter

  10. Footprinting (cont’d) Methodology used:  Scanning ◦ Port scanning (ping sweep, etc.) ◦ Network scanning (nmap, Superscan, etc.) ◦ Vulnerability scanning (Nessus, Satan, etc.) ◦ Wardialing (Phonescan, Toneloc, etc.) ◦ Banner grabbing San Francisco Chapter San Francisco Chapter

  11. Testing Network Security  Why test the network  What is the objective of testing  Risks associated with not testing  How to test the network San Francisco Chapter San Francisco Chapter

  12. Testing Operating System and Web Application Security  Why test OS and application security  What is the objective of testing  Risks associated with not testing  How to test the OS and application San Francisco Chapter San Francisco Chapter

  13. Testing Database Security  Why test database security  What is the objective of testing  Risks associated with not testing  How to test database security San Francisco Chapter San Francisco Chapter

  14. Infrastructure Vulnerability Assessment Computer Networks  Presentation ◦ Protocol Models ◦ Communication Components and Devices ◦ Infrastructure Attacks ◦ Infrastructure Vulnerabilities ◦ Passive Attacks  Demonstration ◦ Sniff Passwords Over a Network ◦ Sniff Passwords Over a Wireless Network  Q & A San Francisco Chapter San Francisco Chapter

  15. Protocol Models Communication Architecture and Protocols ISO’s OSI Model  DARPA’s TCP/IP Model  Acronyms ISO - International Organization for Standardization  OSI - Open Systems Interconnection  DARPA - Defense Advanced Research Projects Agency  TCP - Transmission Control Protocol  IP - Internet Protocol  San Francisco Chapter San Francisco Chapter

  16. OSI Model OSI is a computer-communications architecture that uses layering. Each layer performs a related subset of the functions required to communicate with another system. It relies on the next lower layer to perform more primitive functions and to conceal the details of those functions. San Francisco Chapter San Francisco Chapter

  17. Seven Layers Of The ISO/OSI Model San Francisco Chapter San Francisco Chapter

  18. OSI Seven Layers And Function Physical - Deals with electrical and mechanical procedures (bits) to establish,  maintain, deactivate physical links Data Link – Sends blocks (frames) of data across physical link providing flow  control and error recovery Network – Provides upper layers with independence from data transmission  and switching technologies Transport – Provides reliable, transparent transfer of data between end  points, flow control and error recovery Session – Provides controls structure for communication between cooperating  applications Presentation – Performs generally useful transformations on data to provide a  standardized application interface and to provide common communications services; encryption, text, compression, reformatting Application – Provides services to users. Defines network applications to perform tasks such as file transfer, e-mail, network management  San Francisco Chapter San Francisco Chapter

  19. OSI Relationship With TCP/IP Protocol Suite  OSI is a reference to protocols, specifically ISO standards, for the interconnection of cooperative computer systems  TCP/IP is a type of OSI protocol  When referring to ISO standards, TCP/IP is not an OSI protocol (i.e., TP-0,TP-1) San Francisco Chapter San Francisco Chapter

  20. OSI Layer Mapped To TCP/IP Mapped To Protocols San Francisco Chapter San Francisco Chapter

  21. TCP/IP Background  TCP/IP Protocol Suite resulted from research funded by DARPA  The protocol suite was designed to foster communication between computers: With diverse hardware architectures ◦ To accommodate multiple computer operating systems ◦ Using any packet switched network ◦ San Francisco Chapter San Francisco Chapter

  22. TCP/IP Background (cont’d)  TCP/IP Protocol Suite Provides Three Conceptual Sets of Internet Services Application Services ◦ Reliable Transport Service (TCP) ◦ Connectionless Packet Delivery (UDP) ◦ Note: User Datagram Protocol (UDP) San Francisco Chapter San Francisco Chapter

  23. IP Datagram Anatomy  TCP/IP’s Basic Transfer Unit is an IP IP Datagram Datagram Fields VER - Version HLEN – Header Length Service Type Length ID, Flags, and Flags Offset TTL – Time To Live Protocol Protocol Header Checksum Source IP Address Source IP Address Destination IP Address Destination IP Address IP Options Padding Data San Francisco Chapter San Francisco Chapter

  24. TCP Anatomy TCP Packet Segment Format TCP Packet Segment Format Source Port  Destination Port  Sequence Number  Acknowledgement Number  HLEN  Reserved  Code Bits  Window  Checksum  Urgent Pointer  Options (IF ANY)  Padding  Data  San Francisco Chapter San Francisco Chapter

  25. UDP Anatomy UDP Packet Segment Format UDP Packet Segment Format Source Port  Destination Port  Length  Checksum  Data  San Francisco Chapter San Francisco Chapter

  26. Communication Components  Packet - A physical message unit entity that passes through a network sending and receiving data between two computers ◦ It usually contains only a few hundred bytes of data ◦ Carries identification that enables computers on the network to know whether it is destined for them or how to send it on to its correct destination  Networks - Packet-Switched Networks San Francisco Chapter San Francisco Chapter

  27. Packet Switched Network Technologies Some examples are:  MPLS – Multiprotocol Layer Switching  Ethernet  X.25  Frame Relay San Francisco Chapter San Francisco Chapter

  28. Network Devices  Hubs  Switches  Routers  Firewalls San Francisco Chapter San Francisco Chapter

  29. Hubs  Operates at Layer 1 (Physical) of the OSI model  Forwards packets by simply broadcasting to every port  Does not look at address information  Floods incoming packets to every port  Each port is the same collision domain  Each port shares the available bandwidth and hosts must contend for access San Francisco Chapter San Francisco Chapter

Recommend

Whats New Donald E. Hester San Francisco Chapter For updates to this slide deck and other

Whats New Donald E. Hester San Francisco Chapter For updates to this slide deck and other

San Francisco Chapter Whats New Donald E. Hester San Francisco Chapter For updates to this slide deck and other slide decks please see: http://www.learnsecurity.org/Shared%20Documents /Forms/AllItems.aspx San Francisco Chapter San

650 views • 41 slides
Welcome by the San Francisco Chapter: Philipp Barmettler President SACCSF

Welcome by the San Francisco Chapter: Philipp Barmettler President SACCSF

Welcome by the San Francisco Chapter: Philipp Barmettler President SACCSF (philipp.barmettler@gmail.com) Welcome by the San Francisco Chapter: Philipp Barmettler President SACCSF philipp.barmettler@gmail.com Lukas Peter Andreas Jossen

434 views • 29 slides
City and County of San Francisco City and County of San Francisco San Francisco Planning

City and County of San Francisco City and County of San Francisco San Francisco Planning

City and County of San Francisco City and County of San Francisco San Francisco Planning Department San Francisco Planning Department Summary Presentation on Draft Program Environmental Impact Report for the San Francisco Public Utilities

688 views • 42 slides
Introduction to Automated Controls Jay Swaminathan San Francisco Chapter Agenda Defining

Introduction to Automated Controls Jay Swaminathan San Francisco Chapter Agenda Defining

Introduction to Automated Controls Jay Swaminathan San Francisco Chapter Agenda Defining Automated Controls The Value of Automated Controls Common Testing Approaches ITGC considerations The Concept of Benchmarking

395 views • 26 slides
Chapter 13 Chapter 13 1 What is this? Chapter 13 2 What is this? Chapter 13 3 What is

Chapter 13 Chapter 13 1 What is this? Chapter 13 2 What is this? Chapter 13 3 What is

Chapter 13 Chapter 13 1 What is this? Chapter 13 2 What is this? Chapter 13 3 What is this? Uncertainty Chapter 13 4 Outline Uncertainty Probability Syntax and Semantics Inference Independence and Bayes Rule

688 views • 37 slides
AFSP Greater San Francisco Bay Area Chapter AFSP Save Lives and Bring Hope to Those Affected

AFSP Greater San Francisco Bay Area Chapter AFSP Save Lives and Bring Hope to Those Affected

AFSP Greater San Francisco Bay Area Chapter AFSP Save Lives and Bring Hope to Those Affected by Suicide. AFSP Our Work Research AFSP is the largest private funder of research Legislative Advocacy State/Federal levels Education

536 views • 16 slides
Guidelines for Planning an IS Audit Agenda Session Objectives Information Systems Audit

Guidelines for Planning an IS Audit Agenda Session Objectives Information Systems Audit

San Francisco Chapter San Francisco Chapter Guidelines for Planning an IS Audit Agenda Session Objectives Information Systems Audit Planning and Scoping Understanding Business Requirements Knowledge of the Organization

596 views • 32 slides
Benchmarking Automated Controls Vijay Venkatesh, IT Audit Lead Carrie Gilstrap, IT Audit Manager

Benchmarking Automated Controls Vijay Venkatesh, IT Audit Lead Carrie Gilstrap, IT Audit Manager

Benchmarking Automated Controls Vijay Venkatesh, IT Audit Lead Carrie Gilstrap, IT Audit Manager Brad Ames, Internal Audit Director Hewlett-Packard Company San Francisco Chapter San Francisco Chapter Premise for Continuous Monitoring

879 views • 70 slides
Introduction to Change Introduction to Change Management Management Tuesday, September 23, 2008

Introduction to Change Introduction to Change Management Management Tuesday, September 23, 2008

San Francisco Chapter San Francisco Chapter Introduction to Change Introduction to Change Management Management Tuesday, September 23, 2008 Mark Lundin Steve Owyoung Partner Manager KPMG LLP, IT Advisory KPMG LLP, IT

835 views • 37 slides
Deborah Grove, Principal Grove-Associates Why Green IT is Important Why Green IT is Important

Deborah Grove, Principal Grove-Associates Why Green IT is Important Why Green IT is Important

San Francisco Chapter San Francisco Chapter Deborah Grove, Principal Grove-Associates Why Green IT is Important Why Green IT is Important 1. The energy consumed by servers in the US (and associated air -conditioning) is equivalent to the

369 views • 21 slides
Regulation versus Regulation versus Reality Reality Regulatory Compliance should not be the

Regulation versus Regulation versus Reality Reality Regulatory Compliance should not be the

San Francisco Chapter San Francisco Chapter Regulation versus Regulation versus Reality Reality Regulatory Compliance should not be the goal of an Information Security program - it should be the result. Introduction Introduction (thanx

726 views • 58 slides
SAN FRANCISCO HEALTH REFORM TASK FORCE FINAL REPORT Presentation to the San Francisco Health

SAN FRANCISCO HEALTH REFORM TASK FORCE FINAL REPORT Presentation to the San Francisco Health

SAN FRANCISCO HEALTH REFORM TASK FORCE FINAL REPORT Presentation to the San Francisco Health Commission April 19, 2011 Tangerine Brigham, Deputy Director of Health/Director of Healthy San Francisco, San Francisco Department of Public Health

381 views • 17 slides
Major Themes of 7-12 the horror of human evil, particularly as it is concentrated in the state

Major Themes of 7-12 the horror of human evil, particularly as it is concentrated in the state

Chapter 2Nebuchadnezzars Dream Chapter 3Blazing Furnace Chapter 4Nebuchadnezzar worships God Chapter 5Belshazzar mocks God Chapter 6Lions Chapter 7Daniels Dream Questions: What will we do with

488 views • 13 slides
High Risk Emergency Medicine San Francisco May 21-24, 2014 Westin Market Street San Francisco,

High Risk Emergency Medicine San Francisco May 21-24, 2014 Westin Market Street San Francisco,

Presented by the Department of Emergency Medicine at San Francisco General Hospital and University of California, San Francisco High Risk Emergency Medicine San Francisco May 21-24, 2014 Westin Market Street San Francisco, CA Course Chairs:

297 views • 13 slides
Francisco de Goya and the Mirrors Reflection Andrea Blanco Francisco Goya, Los Caprichos, pl.

Francisco de Goya and the Mirrors Reflection Andrea Blanco Francisco Goya, Los Caprichos, pl.

Francisco de Goya and the Mirrors Reflection Andrea Blanco Francisco Goya, Los Caprichos, pl. 55: Hasta la muerte , Etching, 1794-1799 Diego Velazquez, The Toilet of Venus (The Rokeby Venus) , Oil on Canvas, Francisco Goya, Nude Woman

640 views • 7 slides
San Francisco San Francisco Draft Rate Application Funding the SF Recycling Program and

San Francisco San Francisco Draft Rate Application Funding the SF Recycling Program and

San Francisco San Francisco Draft Rate Application Funding the SF Recycling Program and Pursuing Zero Waste by 2020 80 Percent Diversion Rate in SF San Francisco customers are recycling and composting more and use of the black bin is

430 views • 19 slides
Jonathan Shipman, Ernst & Young David Morgan, Ernst & Young Learning Objectives Learning

Jonathan Shipman, Ernst & Young David Morgan, Ernst & Young Learning Objectives Learning

San Francisco Chapter San Francisco Chapter Jonathan Shipman, Ernst & Young David Morgan, Ernst & Young Learning Objectives Learning Objectives Understand how data analysis can impact/improve business Understand typical data

525 views • 28 slides
The Americas Cup in San Francisco April 24, 2012 Policy Context The San Francisco waterfront is

The Americas Cup in San Francisco April 24, 2012 Policy Context The San Francisco waterfront is

The Americas Cup in San Francisco April 24, 2012 Policy Context The San Francisco waterfront is a valuable public trust asset of the state that provides special maritime, navigational, recreational, cultural, and historical benefits to the

362 views • 20 slides
9/30/2016 Disclosures F Vincenti University of California San Francisco, San Francisco, United

9/30/2016 Disclosures F Vincenti University of California San Francisco, San Francisco, United

9/30/2016 Disclosures F Vincenti University of California San Francisco, San Francisco, United States I have received grants and/or research support from: Astellas Alexion Immucor Bristol-Myers Squibb Genentech

292 views • 17 slides
Francisco Corona Encinas M.Sc. Francisco Corona Encinas M.Sc. Introduction Introduction

Francisco Corona Encinas M.Sc. Francisco Corona Encinas M.Sc. Introduction Introduction

Study of pig manure digestate pre-treatment for subsequent valorisation by struvite F. Corona, D. Hidalgo, J.M. Martn-Marroqun, E. Meers Crete, 27 th June 2019 Francisco Corona Encinas M.Sc. Francisco Corona Encinas M.Sc. Introduction

689 views • 27 slides
UCSF Vascular Symposium 2018 April 19-21, 2018 Parc55 San Francisco San Francisco, CA COURSE

UCSF Vascular Symposium 2018 April 19-21, 2018 Parc55 San Francisco San Francisco, CA COURSE

Department of Surgery, Division of Vascular and Endovascular Surgery, University of California, San Francisco School of Medicine presents UCSF Vascular Symposium 2018 April 19-21, 2018 Parc55 San Francisco San Francisco, CA COURSE CHAIR

648 views • 17 slides
Topics 11/13/2006 Chapter 11, start Chapter 12 11/20/2006 Chapter 12 11/27/2006 Chapter 13

Topics 11/13/2006 Chapter 11, start Chapter 12 11/20/2006 Chapter 12 11/27/2006 Chapter 13

Date Chapter 11/6/2006 Chapter 10, start Chapter 11 Topics 11/13/2006 Chapter 11, start Chapter 12 11/20/2006 Chapter 12 11/27/2006 Chapter 13 Exception Handling 12/4/2006 Final Exam Using try and catch Blocks 12/11/2006 Project Due

197 views • 18 slides
Hacking 101: Hacking 101: Understanding the Top Web Application Understanding the Top Web

Hacking 101: Hacking 101: Understanding the Top Web Application Understanding the Top Web

San Francisco Chapter San Francisco Chapter Hacking 101: Hacking 101: Understanding the Top Web Application Understanding the Top Web Application Vulnerabilities and How to Protect Vulnerabilities and How to Protect Against the Next Level

1.53k views • 136 slides
Book Presentation GLOBAL COOLING San Francisco 7/10/2012 Hans-Josef Fell Member of the

Book Presentation GLOBAL COOLING San Francisco 7/10/2012 Hans-Josef Fell Member of the

Book Presentation GLOBAL COOLING San Francisco 7/10/2012 Hans-Josef Fell Member of the GermanBundestag Chapter 1: Introduction Climate protection success stories Renewables: stimulus package without public borrowing no burden for

546 views • 18 slides

More recommend