
CHECK POINT 3D SECURITY ANALYSIS REPORT

Prepared for: COMPANY
Prepared by: Check Point Solution Center
Date: January 11, 2012

2012 Check Point Software Technologies Ltd. All rights reserved. Classification: [Customer Confidential]. For customer use only.

Table of Contents

EXECUTIVE SUMMARY .......... 2
FINDINGS .......... 7
    Web Security Events .......... 7
    Intrusion Prevention Events .......... 10
    Data Loss Prevention .......... 12
REMEDIATION .......... 14
APPENDIX .......... 17
ABOUT CHECK POINT SOFTWARE TECHNOLOGIES .......... 20


EXECUTIVE SUMMARY
This document is a summary of the findings of a recent 3D security analysis of your infrastructure. It presents security events and recommendations for addressing the discovered events. The analysis took place on 05/01/2012 and included 2 hours of in-network analysis. The analysis is based on data collected using the characteristics below:

PoC Date: 5/1/2012
In-Network Analysis Duration: 2 hours
Monitored Network: Internal facing internet
Deployment type: Mirror Port Kit (VMware-based)
Release version: R75.20
Security Gateway Software Blades: Application Control, URL Filtering, IPS, Data Loss Prevention
Security Management Software Blades: Pre-Defined 7 Blades with SmartEvent

During the course of the analysis, the installed device identified a number of security events, including some that were permitted by your existing security solutions. Event information collected by the Check Point solution found the following number of critical and high-priority events in your network:

[Bar chart: High And Critical Events Summary. Y axis: Events (0 to 35). Bars: Check Point IPS Software Blade, Application Control and URL Filtering, Data Loss Prevention; bar values as extracted: 22, 17, 32.]


Within the areas of Application Control and URL Filtering, the following items are of the highest risk level (the first column specifies the number of events related to the mentioned application/site):

Top High Risk Applications/Sites


The following tables provide summary explanations of the top events found and their associated security or business risks:

Top High Risk Applications and Sites

1. Vtunnel (1 event)
VTunnel is a free anonymous common gateway interface (CGI) proxy that masks IP addresses, enabling users to connect to and view websites anonymously.

2. Dropbox (5 events)
Dropbox is an application that allows the user to share files. It is crucial to investigate what users are doing with this application and whether they are leveraging it to distribute company files or download harmful applications. Consider preventing its use through the Application Control blade until additional information is available that justifies its use.

3. BitTorrent (1 event)
BitTorrent is a peer-to-peer (P2P) file sharing communications protocol. It is a method of distributing large amounts of data widely without the original distributor incurring the entire cost of hardware, hosting, and bandwidth resources. Instead, when data is distributed using the BitTorrent protocol, each recipient supplies pieces of the data to newer recipients, reducing the cost and burden on any given individual source, providing redundancy against system problems, and reducing dependence on the original distributor. There are numerous compatible BitTorrent clients, written in a variety of programming languages and running on a variety of computing platforms.

4. Imarketspartners.com (2 events)
Imarketspartners.com is categorized as a web site that has been promoted through spam techniques.

5. Bit Che (1 event)
Bit Che is an application for searching and downloading torrent files from various BitTorrent tracker websites. Bit Che provides a preview of torrent details, integration with other torrent clients and result filtering.


Top Intrusion Prevention Events

1. CIFS Worm Catcher (6 events)
A worm is self-replicating malware (malicious software) that propagates by actively sending itself to new machines. CIFS, the Common Internet File System (sometimes called SMB), is a protocol for sharing files and printers. The protocol is implemented and widely used by Microsoft operating systems, as well as by Samba clients. Many worms, once they have infected a host, use CIFS as their means of propagation.

2. Non Compliant HTTP (2 events)
Directory traversal attacks allow hackers to access files and directories that should be out of their reach. This can, for example, allow viewing of directory listings and, in many attacks, could lead to running executable code on the web server with one simple URL. There are several techniques to launch a directory traversal attack. Most of the attacks are based on using an HTTP request with a dot-slash sequence "../.." within a file system path. For example, http://www.server.com/first/second/../../.. is illegal because it goes deeper than the root directory. More advanced attackers can try to use encoding to run attacks.

3. Internet Explorer XML Processing Memory Corruption (MS08-078) (2 events)
Attack Name: Web Client Enforcement Violation
Microsoft Internet Explorer is the most widely used Internet browser. The vulnerability is due to the way Internet Explorer handles data bindings. To trigger this issue, an attacker may create a malicious web page that will exploit this vulnerability. Successful exploitation of this vulnerability will crash the browser, allowing execution of arbitrary code on the vulnerable system.

4. Microsoft Active Directory-MIT Kerberos Null Pointer Dereference (MS10-014) (1 event)
Attack Name: Windows Kerberos Protection Violation
The Kerberos protocol is used to mutually authenticate users and services on an open and unsecured network. It allows services to correctly identify the user of a Kerberos ticket without having to authenticate the user at the service. It does this by using shared secret keys. A denial of service vulnerability exists in implementations of MIT Kerberos. The vulnerability is caused by incorrect handling of ticket renewal requests coming from a non-Windows Kerberos domain. When an MIT Kerberos user logs on to an Active Directory domain-joined machine, they will be issued a Kerberos referral TGT (Ticket Granting Ticket) from the MIT Kerberos realm. Windows clients will never attempt to renew this referral TGT. A remote attacker running a malicious Kerberos client could attempt to renew the referral TGT, which would result in a null pointer dereference inside LSASS.EXE on the domain controller, causing the domain controller to reboot.
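The directory traversal description under Non Compliant HTTP above can be turned into a concrete detection check. The following Python is an added example, not Check Point code and not the IPS protection's own logic: it normalises a request path (bounded repeated percent-decoding, backslash handling) and flags any request that climbs above the web root, as the report's example URL does. The sample URLs are constructed.

```python
"""Flag HTTP requests whose path climbs above the web root, the directory
traversal pattern described under Non Compliant HTTP in the report.
Added example, not Check Point code or the IPS protection's logic."""
from urllib.parse import unquote, urlsplit


def decode_path(raw: str, max_rounds: int = 3) -> str:
    """Percent-decode repeatedly (bounded) so double-encoded dots are seen,
    then treat backslashes as separators, as Windows web servers do."""
    path = raw
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")


def traversal_depth(url: str) -> int:
    """Walk the normalised path and return the lowest depth reached.

    Depth 0 is the web root; a negative result means some ".." stepped
    above it, which is what the report calls going deeper than the root."""
    depth = lowest = 0
    for segment in decode_path(urlsplit(url).path).split("/"):
        if segment in ("", "."):
            continue  # empty (double slash) and current-dir segments
        if segment == "..":
            depth -= 1
            lowest = min(lowest, depth)
        else:
            depth += 1  # any other name, including "..file", is a real entry
    return lowest


def is_traversal(url: str) -> bool:
    """True when the request path escapes the web root."""
    return traversal_depth(url) < 0


# Constructed sample requests (not from the report's event log).
SAMPLE_URLS = [
    "http://www.server.com/first/second/../../..",          # report's example
    "http://www.server.com/first/second/../index.html",     # stays under root
    "http://www.server.com/images/%2e%2e/%2e%2e/config",    # encoded dots
    "http://www.server.com/a/%252e%252e/%252e%252e/x",      # double-encoded
    "http://www.server.com/docs/..file/report.pdf",         # not a traversal
]


def classify(urls):
    """Map each URL to its verdict; handy for running over a log extract."""
    return {u: is_traversal(u) for u in urls}


if __name__ == "__main__":
    for url, flagged in classify(SAMPLE_URLS).items():
        print("TRAVERSAL" if flagged else "ok       ", url)
```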


Top Data Loss Events

The following types of data were sent outside the organization:

1. HIPAA (5 events)
This Data Type is used by the 'HIPAA - Protected Health Information' Data Type to match Protected Health Information (PHI) documents. The 'HIPAA - Protected Health Information' Data Type is recommended for use in the DLP policy.

2. Credit Card Numbers (2 events)
Related to Payment Card Industry (PCI); matches data containing credit card numbers of MasterCard, Visa, JCB, American Express and Discover.

3. Customer Names (2 events)
A list of customers is considered confidential.
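As an added illustration of the Credit Card Numbers data type above, the following Python is example code, not Check Point's DLP engine: it scans outbound text for Luhn-valid numbers whose prefix and length match the publicly documented issuer rules for the five brands named, ignores digit runs that fail either test, and masks what it reports. The sample message is constructed.

```python
"""DLP-style detector for the report's Credit Card Numbers data type: find
MasterCard, Visa, JCB, American Express and Discover numbers in outbound text.
Added example, not Check Point code; issuer rules are the public IIN ranges."""
import re

# Candidate: 13 to 19 digits, optionally grouped by single spaces or dashes.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# (brand, inclusive prefix ranges, allowed lengths): public issuer rules.
BRANDS = [
    ("Visa", [(4, 4)], {13, 16, 19}),
    ("MasterCard", [(51, 55), (2221, 2720)], {16}),
    ("American Express", [(34, 34), (37, 37)], {15}),
    ("Discover", [(6011, 6011), (65, 65), (644, 649)], {16, 19}),
    ("JCB", [(3528, 3589)], {16, 17, 18, 19}),
]


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: double every second digit from the right, sum, mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def brand_of(digits: str):
    """Return the issuing brand for a digit string, or None if no rule matches."""
    for name, ranges, lengths in BRANDS:
        if len(digits) not in lengths:
            continue
        for lo, hi in ranges:
            width = len(str(lo))
            if lo <= int(digits[:width]) <= hi:
                return name
    return None


def find_card_numbers(text: str):
    """Return (brand, masked number) for every Luhn-valid, branded candidate.
    Only the last four digits are kept so the alert itself is not a second leak."""
    hits = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if not luhn_ok(digits):
            continue  # order ids, phone numbers and typos drop out here
        brand = brand_of(digits)
        if brand is not None:  # Luhn-valid but unbranded numbers are ignored too
            hits.append((brand, "*" * (len(digits) - 4) + digits[-4:]))
    return hits


# Constructed outbound e-mail body (not taken from the report's events).
SAMPLE_MESSAGE = """Hi,
Please charge the deposit to 4111 1111 1111 1111 and the balance to
5555-5555-5555-4444. Backup card: 378282246310005.
Order ref 1234 5678 1234 5670, ticket 4111111111111112. Thanks
"""

if __name__ == "__main__":
    for brand, masked in find_card_numbers(SAMPLE_MESSAGE):
        print(f"{brand:17s} {masked}")
```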

In the pages that follow, descriptions of the identified events are provided. Remediation steps are also outlined in the relevant sections.


FINDINGS
WEB SECURITY EVENTS
For many organizations, Web Security, encompassing both the applications used by employees and the websites that they visit, has become a critical source of risk. This is because many recent attacks have focused on application vulnerabilities and exploited websites for malware injection and network penetration. Internet use is also a bandwidth hog; while bandwidth utilization might not be a security risk, it does represent a productivity and TCO challenge. From a security perspective, the following identified applications and websites have a high risk profile:

Top High Risk Applications/Sites


In general, the analysis identified that these additional applications and websites are used within your network:

Top Applications/Sites


The following table shows the top 10 categories and number of hits associated with employee Internet browsing:

Top Applications/Sites Categories

Category                    Number of Hits   % of Total Hits
Search Engines / Portals             2,113               11%
Computers / Internet                 2,023               11%
Business / Economy                   1,747                9%
Web Browsing                         1,602                8%
News / Media                         1,388                7%
Web Services Provider                1,292                7%
Social Networking                    1,271                7%
Inactive Sites                       1,196                6%
Network Protocols                    1,010                5%
Other                                5,316               28%
Grand Total                         18,958              100%

And from a user perspective, the following people were involved in the highest number of risky application and web usage events:

Top Users High Risk Applications/Sites

Users                 Events
Joe Roberts                5
Mark Johnson               5
Albert Springsteen         4
Maria Davids               3
Anna Smith                 2


INTRUSION PREVENTION EVENTS


During the course of the analysis, the Check Point solution identified a number of intrusion prevention-related events. Some of these events were categorized as critical. The following chart shows the distribution of events according to criticality:

[Pie chart: IPS Events By Severity. Segments: Critical, High, Medium, Low, Informational; percentages as extracted: 50%, 25%, 19%, 6%.]

All organizations need to triage the security incidents to which they respond. Event criticality is often an effective way to prioritize events. And yet, security practitioners will often investigate events that do not fall into the most critical categories, as these seemingly less important incidents can be used to help identify attacks in progress or the first signs of new attacks which have not yet begun in earnest.


On a more granular level, the following table shows the types and quantities of events within the defined categories:

IPS Events By Severity

Critical
    CIFS Worm Catcher
    Directory Traversal
    Internet Explorer XML Processing Memory Corruption (MS08-078)
    Microsoft Active Directory-MIT Kerberos Null Pointer Dereference (MS10-014)
    Microsoft Windows Print Spooler Service Buffer Overflow (MS05-043)
High
    Microsoft Windows Media Player PNG Chunk Handling Stack Overflow (MS06-024)
    IBM Lotus Notes HTML Speed Reader Long URL Buffer Overflow
    BIND 9 DNS Server Dynamic Update Denial of Service
    Digium Asterisk SIP sscanf Multiple Denial of Service
    Microsoft Print Spooler Service Impersonation Code Execution (MS10-061)
    Microsoft Windows SNMP Service GetBulk Memory Corruption (MS06-074)
    Microsoft WINS Local Privilege Escalation (MS08-034)
    SNMP Enforcement
Medium
    Brute Force Scanning of CIFS Ports
    Microsoft Windows NT Null CIFS Sessions
    Microsoft Windows Workstation Service NetrWkstaUserEnum Denial of Service
Informational
    TCP Invalid Retransmission
    TCP Segment Limit Enforcement
    TCP SYN Modified Retransmission
Grand Total

Event counts column as extracted (row alignment was lost in extraction): 4 37 6 1362 65 50 1150 2 1 1 1 4 11 3 15 6 2 2 1 1


DATA LOSS PREVENTION


Data has become one of an organization's most valuable assets. The following describes the characteristics of the data loss events identified during the course of the project. During the analysis, the Check Point solution identified a number of data loss-related events, some of which were categorized as critical. The following chart shows the distribution of events according to criticality:

[Pie chart: DLP Events By Severity. Segments: Critical, High, Medium, Low, Informational; percentages as extracted: 46%, 54%.]


The following list summarizes the identified data loss activity and the number of times each type of event occurred for the different data types configured for DLP.

DLP Events By Severity

Severity   Data                                                                                   Event/s
High       Inappropriate Language                                                                       4
High       Large file to webmail, Inappropriate Language                                                1
High       Document File, Large file to webmail                                                         2
High       Document File                                                                               15
High       Large file to webmail                                                                       18
High       Outlook Message - Confidential                                                               6
High       Spreadsheet File                                                                             1
Medium     External Recipient and Internal Users, External Recipient in BCC, Database File or Archive File or Presentation File or Spreadsheet File or Document File or CSV File   3
Medium     Document File                                                                               49
Medium     Spreadsheet File                                                                             3
Grand Total                                                                                           104

This chart shows data leakage by mail sender on your network.

DLP Mail Events Top Senders

Sender                  Events
erou@demo.com               10
ycoen@demo.com               9
osaan@demo.com               7
amr@demo.com                 5
tkaeth@demo.com              4
aasis@demo.com               4
sc@demo.com                  4
real@demo.com                4
postmaster@demo.com          3
eapr@demo.com                2


REMEDIATION
This report addresses identified security events across multiple security areas and at varying levels of criticality. The table below reviews the most critical of these incidents and presents methods to mitigate their risks. Check Point provides multiple methods for addressing these threats and concerns. Relevant protections are noted for each event along with the software blades into which the defenses are incorporated.

WEB SECURITY EVENTS REMEDIATION

Application/Site        Events
Vtunnel                      1
Dropbox                      5
BitTorrent                   1
Imarketspartners.com         2
Bit Che                      1

Remediation Steps (for all of the above)
With the Application Control and URL Filtering Software Blades, you can activate, track and prevent the use of all the mentioned applications and web sites. You can define a granular policy that allows certain applications to specific groups only. Use UserCheck to educate users about the organization's web browsing and application usage policy.


INTRUSION PREVENTION EVENTS REMEDIATION

Threat: CIFS Worm Catcher (6 events)
Remediation Steps: In the Check Point IPS Software Blade, enable the following protection: CIFS Worm Catcher

Threat: Non Compliant HTTP (2 events)
Remediation Steps: In the Check Point IPS Software Blade, enable the following protection: Non Compliant HTTP

Threat: Internet Explorer XML Processing Memory Corruption (MS08-078) (2 events)
Remediation Steps: In the Check Point IPS Software Blade, enable the following protection: Internet Explorer XML Processing Memory Corruption (MS08-078)

Threat: Microsoft Active Directory-MIT Kerberos Null Pointer Dereference (MS10-014) (1 event)
Remediation Steps: In the Check Point IPS Software Blade, enable the following protection: Microsoft Active Directory-MIT Kerberos Null Pointer Dereference (MS10-014)

Threat: Microsoft Windows Print Spooler Service Buffer Overflow (MS05-043)
Remediation Steps: In the Check Point IPS Software Blade, enable the following protection: Microsoft Windows Print Spooler Service Buffer Overflow (MS05-043)


DATA LOSS EVENTS REMEDIATION

Data Loss               Events
HIPAA                        5
Credit Card Numbers          2
Customer Names               2

Remediation Steps (for all of the above)
The Check Point DLP Software Blade protects confidential information from leaking outside the organization. To remediate the detected events, activate the DLP Software Blade. Configure the DLP policy based on the detected DLP data type and choose an action (Detect/Prevent/Ask User/etc.). If you consider the detected data type to be sensitive information, the recommended action is Prevent. Use UserCheck to educate users about the organization's data usage policy.


APPENDIX
Network Bandwidth Utilization
During the course of the analysis, your company's employees used significant corporate network resources for non-work activity. The following chart shows how bandwidth was used by your employees:

Bandwidth Utilization by Application/Site (MB)

Application/Site      MB   % of Total
YouTube              912          11%
Web Browsing         912          11%
SMTP                 774          10%
castup.net           606           7%
ynet.co.il           472           6%
Other               4549          55%


[Bar chart: Bandwidth Utilization (MB) By Category. Y axis: MB (0 to 3500). Categories on the X axis: Network Protocols, Media Sharing, Web Browsing, News / Media, Business / Economy, Other; bar values as extracted: 2945, 1601, 1095, 912, 867, 804.]


The use of social networking sites has become common at the workplace and at home. Many businesses leverage social networking technologies for their marketing and sales efforts, as well as their recruiting programs. During the course of this project, and consistent with over-all market trends, the following social networking sites consumed the most network bandwidth:

[Bar chart: Social Networking Traffic (MB). Y axis: MB (0 to 120). Site labels were not recoverable from the extraction; bar values as extracted: 96, 44, 18, 8, 5, 19.]


ABOUT CHECK POINT SOFTWARE TECHNOLOGIES


Check Point Software Technologies' (www.checkpoint.com) mission is to secure the Internet. Check Point was founded in 1993, and has since developed technologies to secure communications and transactions over the Internet by enterprises and consumers. When the company was founded, risks and threats were limited and securing the Internet was relatively simple. A firewall and an antivirus solution generally provided adequate security for business transactions and communications over the Internet. Today, enterprises require many (in some cases 15 or more) point solutions to secure their information technology (IT) networks from the multitude of threats and potential attacks, and are facing an increasingly complex IT security infrastructure. Check Point's core competencies are developing security solutions to protect business and consumer transactions and communications over the Internet, and reducing the complexity in Internet security. We strive to solve the security maze by bringing more, better and simpler security solutions to our customers. Check Point develops, markets and supports a wide range of software, as well as combined hardware and software products and services for IT security. We offer our customers an extensive portfolio of network and gateway security solutions, data and endpoint security solutions and management solutions. Our solutions operate under a unified security architecture that enables end-to-end security with a single line of unified security gateways, and allow a single agent for all endpoint security that can be managed from a single unified management console. This unified management allows for ease of deployment and centralized control and is supported by, and reinforced with, real-time security updates. Check Point was an industry pioneer with our FireWall-1 and our patented Stateful Inspection technology. Check Point has recently extended its IT security innovation with the development of our Software Blade architecture.
The dynamic Software Blade architecture delivers secure, flexible and simple solutions that can be customized to meet the security needs of any organization or environment. Our products and services are sold to enterprises, service providers, small and medium sized businesses and consumers. Our Open Platform for Security (OPSEC) framework allows customers to extend the capabilities of our products and services with third-party hardware and security software applications. Our products are sold, integrated and serviced by a network of partners worldwide. Check Point customers include tens of thousands of businesses and organizations of all sizes, including all Fortune 100 companies. Check Point's award-winning ZoneAlarm solutions protect millions of consumers from hackers, spyware and identity theft.
