Security Review report of a famous media company in China

Execution report

Summary

The general security level is found to be relatively low. The initial penetration of the system as an administrator can be completed in less than ten minutes. The main security problem lies in the lack of good security filters and vulnerable password options for key system accounts. These vulnerabilities make tools such as package detectors very easy to place, and package detectors allow transmission of all information, this includes checking information transmission in the network placed behind the firewall.

Border security

A media company does not have a firewall, either soft or hard. No additional rules are set. The existing rules must be edited to prevent update attacks. For details about the recommended rule configuration, refer to a document named "firewall rule recommendations.

Internal Security

No intrusion detection or probe software is installed on the network host of a media company. Although it is necessary to enhance the training strategy of a media company employee, the host security of a media company is the most adequate. Discussions about these "Employee Training Suggestions" will be found in the attached documents.

Summary of penetration risks

Temporary Attacker
In the current security settings, it is estimated that the time for a temporary but strong attacker to penetrate a system is less than two days.

Experienced attackers
In the current security settings, the time for an experienced attacker to penetrate the security system is estimated to be less than an hour.

Professional attackers
In the current security settings, it is estimated that a professional attacker can penetrate the security system in less than 15 minutes.

Detailed research results for the IT department

Security Evaluation Process

The evaluation of external security includes multiple measures to determine an effective level of external security. To get a real security assessment from the perspective of an external attacker, the methods and tools we use are the same as those used by hackers. This process usually involves three phases.

Development Phase

In this phase, we use a variety of tools to determine each event that may occur in the system of the target network. This information is obtained based on system monitoring. Once the system is located, each system is scanned separately to determine the system components. These system components include: Operating System versions (Windows operating systems in a media company have different versions such as win98, win2000, and winXP) and Patch software (a media company has installed patches on a few machines, but only SP1.) and most software running on the operating system is downloaded over the Internet, during the download, MD5 software verification is not performed on the software, and most of them are free versions. The Downloaded Program is not antivirus during download. Effective users are not set for the operating system installed by default, and no corresponding security policy is set for the system account. As a result, hackers can copy and replace the default installed system account. The complete system parameters (such as the system name, operation parameters, system roles and security settings in the target CIDR Block) do not have a uniform setting, so many users cannot tell the roles of each user. Disrupt the network topology. This prevents company employees from distinguishing application servers and database servers.

Test the integrity and availability of all programs while determining the application server.

Penetration stage

By checking the information obtained during the discovery phase and looking for the network weakness of a media company, this indicates that the penetration phase has started. All operating systems and system software are inspected based on known defect libraries. These defects are tested independently on the target system. The purpose of this phase is to understand the security of the target system.

Control phase

This phase begins after successfully understanding the system security. Multiple operations may occur in the target system. All target systems will be accessed, and all related files and information will be found. These files include complete security settings and parameters, log files, and system software configuration files. Other operating systems include creating backdoors and removing penetration evidence in the target system. Once the target system is completely damaged, it is used as an intermediate point to penetrate the system security in other subnets, where the same process will be executed, as an intermediate point, we do not know the process of occurrence.
Finally, in order to test the attention of all system staff, I initiated a large number of attacks to determine the response of employees. But no one knows what happened.

Conclusion
The conclusion in the execution overview is based on the following findings:

1. Effective security filters are not used on external routers.
2. strong passwords are not used in accessible systems.
3. unused services are not removed.
4. Microsoft networking is accessible from outside.
5. SNMP information with the default "public" group name can be accessed.
6. security reviews on accessible systems are not started.
7. File System Security protection is not fully implemented on accessible systems.
8. DNS is not protected.
9. Windows 2000 is not reconfigured by default.
10. The key windows 2000 registry tree is not protected by review.
11. The system audit log can be accessed.
12. The system is vulnerable to DOS and DDOS attacks ).
13. It is recommended that LAN gateways Use Window 2000 because of its powerful network services.

Suggestions

First, filter out specific vulnerable services on external routers. The second is to properly protect personal WIN2000/XP systems. This includes correctly protecting accounts and services on their respective machines. Third, you need to install network-based IDS (Intrusion Detection System) on the host ). Host-Based Intrusion Detection should be performed on the 218. 30. *. * 218. 30.*218. 30.*219. 145. *. * system.

The next phase of security analysis is the on-site inspection system, software, and configuration. In addition, we should meet with major system personnel to determine the current business process, because the most important principle of security is to adjust and configure the existing network and system without affecting the business.

Direct suggestion (medium to high risk)

Perform information packet filtering on the external router:
1. TCP/UDP 135 (RPC)
2. UDP 137,138; TCP 139 (Microsoft Networking)
3. UDP 161,162 (SNMP)
Note: When the filter executes the first two items, it will block more than 80% effective tools for windows 2000 attacks.

Change the passwords of all system accounts to strong passwords (the so-called strong passwords refer to passwords used in combination with uppercase and lowercase letters, numbers, and characters, for example, Hevvn83-=/LiU ).

Start Windows security audit on all machines. If possible, perform the following operations:
1. Review all failures.
2. successful login.
3. Successful security policy changes.
4. Review the successful startup and shutdown of the system.
5. Log coverage is not allowed.
6. Regularly store audit logs.

Strong Password requirements for windows systems.

Restrict Anonymous login.

Controls remote access to the registry.

Restrict access to sched services.

Start the account shell to lock the account and force the password to be refreshed.

Start the Administrator account lock.

Rename the administrator account in Windows (for example, you can rename the super administrator Account administrator to fashion)

Replace the Everyone group with the Authenticated Users Group.

Properly Disable the unnecessary service Disable unneeded services as appropriate:
1. RAS
2. redundant network protocols.
3. Server
4. Alerter
5. Messenger

Protects IIS, including placing FTP files in a separate partition. You are running anonymous FTP with full read access permissions. Although this arrangement is better than password protection, you should ensure that the server does not allow itself to become part of a DoS attack that may compromise the root user.

Network and host-level security

Run an ACL report tool.

Encrypt the SAM password database.

The Administrator account must be logged on locally.

Do not allow end users to start the system.

Use NTFS to protect/WINNT/SYSTEM32.

Long-term Recommendations

Implement an effective security monitoring system (such as snort Symantec intruder alert ISS realsecure or eTrust Intrusion detection). A network-based and host-based IDS will be ideal for applications.

Install the Web anti-hacker.

Create a zombie Administrator Account and review a large number of accounts and activate the logon shell with warnings. If possible, install an application system to spread out and even punish hackers.

Execute BS 7799 anti-virus management suggestions. There is no system in the network that is suitable for regulation and systemization of all systems for virus updates. Host 192.168.0.1 has no virus protection at all.

No WINDOWS server has been patched by eEye IIS 5.0 buffer overflow attack software. You can install service package version 2 (or a hot fix of a released Service Package) to solve this problem.

Configure a media company's firewall to handle IP Spoofing and Smurf attacks. Similarly, a media company has no firewall to become part of a Smurf attack.

A media company's WEB servers are vulnerable to man-in-the-middle attacks and denial-of-service attacks. You can add a WEB server to a DMZ (unmanaged zone) to further protect it. Similarly, you need to monitor its execution and processing more thoroughly to determine whether it has become a victim of discovery and penetration attacks.

Overall network security solution design

Security Solution Design Principles

The following principles should be observed in the design and planning of the enterprise lan network security solution:

Principles of comprehensiveness and integrity: analyzes network security and specific measures based on the viewpoint and method of application system engineering. Security measures mainly include: administrative legal measures, various management systems (personnel review, work flow, maintenance of security systems, etc) and professional measures (identification technology, access control, password, low radiation, fault tolerance, anti-virus, use of high security products, etc ). A better security measure is often the result of an appropriate combination of multiple methods. A computer network, including individuals, devices, software, and data. Only by looking at and analyzing these links from the overall perspective of the system can we take effective and feasible measures. That is to say, computer network security should follow the overall security principles and formulate a reasonable network security architecture according to the prescribed security policies.

Balance of requirements, risks, and costs: it is absolutely difficult or necessary for any network to achieve security. Conduct actual research on a network (including tasks, performance, structure, reliability, and maintainability ), it also analyzes the threats and possible risks faced by the network in combination with qualitative and quantitative analysis, and then develops norms and measures to determine the security policies of the system.

Consistency principle: the consistency principle mainly refers to the existence of network security problems in the entire network cycle (or lifecycle). The security architecture formulated must be consistent with the network security requirements. Safe Network System Design (including preliminary or detailed design) and implementation plan, network verification, acceptance, and operation should all have safe inner glow and measures. In fact, at the beginning of network construction, it is easier and less costly to consider network security measures than to consider security measures after network construction.

Operational Principle: security measures require human