ANALYSIS REPORT
Prepared for
2012 Check Point Software Technologies Ltd. All rights reserved. Classification: [Customer Confidential] For customer use only
Page 1
Table of Contents
EXECUTIVE SUMMARY ............................................ 2
FINDINGS ..................................................... 7
    Web Security Events ...................................... 7
    Intrusion Prevention Events ............................. 10
    Data Loss Prevention .................................... 12
REMEDIATION ................................................. 14
APPENDIX .................................................... 17
ABOUT CHECK POINT SOFTWARE TECHNOLOGIES ..................... 20
EXECUTIVE SUMMARY
This document summarizes the findings of a recent 3D security analysis of your infrastructure. It presents the security events observed and recommendations for addressing them. The analysis took place on 05/01/2012 and included 2 hours of in-network analysis. The analysis is based on data collected with the following characteristics:
PoC Date: 5/1/2012
In-Network Analysis Duration: 2 hours
Monitored Network: Internal facing internet
Deployment type: Mirror Port Kit (VMware-based)
Release version: R75.20
Security Gateway Software Blades: Application Control, URL Filtering, IPS, Data Loss Prevention
Security Management Software Blades: Pre-Defined 7 Blades with SmartEvent
During the course of the analysis, the installed device identified a number of security events, including some that were permitted by your existing security solutions. Event information collected by the Check Point solution found the following number of critical and high-priority events in your network:
[Table residue: columns "Check Point IPS Software Blade" and "Application Control and URL Filtering"; the event counts were not extracted]
Within the areas of Application Control and URL Filtering, the following items are of the highest risk level (the first column specifies the number of events related to the mentioned application/site):
The following tables provide summary explanations of the top events found and their associated security or business risks:
1. (entry not recovered from the page): 1 Event/s
2. Dropbox: 5 Event/s
Dropbox is an application that allows the user to share files. It is crucial to investigate what users are doing with this application and whether they are using it to distribute company files or to download harmful applications. Consider preventing its use through the Application Control blade until additional information is available that justifies its use.
3. BitTorrent: 1 Event/s
BitTorrent is a peer-to-peer (P2P) file sharing communications protocol. It is a method of distributing large amounts of data widely without the original distributor incurring the entire cost of hardware, hosting, and bandwidth resources. Instead, when data is distributed using the BitTorrent protocol, each recipient supplies pieces of the data to newer recipients, reducing the cost and burden on any given individual source, providing redundancy against system problems, and reducing dependence on the original distributor. There are numerous compatible BitTorrent clients, written in a variety of programming languages and running on a variety of computing platforms.
4. Imarketspartners.com: 2 Event/s
Imarketspartners.com is categorized as a web site that has been promoted through spam techniques.
5. Bit Che: 1 Event/s
Bit Che is an application for searching and downloading torrent files from various BitTorrent tracker websites. Bit Che provides a preview of torrent details, integration with other torrent clients, and result filtering.
A worm is self-replicating malware (malicious software) that propagates by actively sending itself to new machines. CIFS, the Common Internet File System (sometimes called SMB), is a protocol for sharing files and printers. The protocol is implemented and widely used by Microsoft operating systems, as well as by Samba clients. Many worms, once they have infected a host, use CIFS as their means of propagation.
2 Event/s
Directory traversal attacks allow attackers to access files and directories that should be out of their reach. This can, for example, expose directory listings and, in many attacks, lead to running executable code on the web server with one simple URL. There are several techniques for launching a directory traversal attack. Most are based on an HTTP request containing a dot-dot-slash sequence ("../..") that walks up the file system. For example, http://www.server.com/first/second/../../.. is illegal because it climbs above the root directory. More advanced attackers may use encoding to disguise the sequence.
2 Event/s
Attack Name: Web Client Enforcement Violation. Microsoft Internet Explorer is the most widely used Internet browser. The vulnerability is due to the way Internet Explorer handles data bindings. To trigger this issue, an attacker may create a malicious web page that exploits the vulnerability. Successful exploitation will crash the browser, allowing execution of arbitrary code on the vulnerable system.
1 Event/s
Attack Name: Windows Kerberos Protection Violation. The Kerberos protocol is used to mutually authenticate users and services on an open and unsecured network. It allows services to correctly identify the user of a Kerberos ticket without having to authenticate the user at the service. It does this by using shared secret keys. A denial of service vulnerability exists in implementations of MIT Kerberos. The vulnerability is caused by incorrect handling of ticket renewal requests coming from a non-Windows Kerberos domain. When an MIT Kerberos user logs on to an Active Directory domain-joined machine, they are issued a Kerberos referral TGT (Ticket Granting Ticket) from the MIT Kerberos realm. Windows clients never attempt to renew this referral TGT. A remote attacker running a malicious Kerberos client could attempt to renew the referral TGT, which would result in a null pointer dereference inside LSASS.EXE on the domain controller, causing the domain controller to reboot.
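The directory traversal description above mentions both the plain "../.." form and encoded variants. The following is an added defensive example, not code from the report or from Check Point: a web-server-side check that decodes a request path (bounded, so double-encoded sequences are also seen), refuses any path whose dot-dot segments climb above the web root, and otherwise returns the normalised path. The function names and the sample request paths are constructed for illustration.

```python
# Added example (not part of the Check Point report): a web-server-side check that
# rejects request paths attempting directory traversal, including percent-encoded
# and double-encoded dot-dot sequences. Function names and sample paths are
# constructed for illustration.
from typing import Dict, Iterable, Optional
from urllib.parse import unquote
from posixpath import normpath

# Constructed sample request paths, modelled on the report's example URL.
SAMPLE_PATHS = [
    "/first/second/../../..",              # climbs above the web root
    "/first/second/../index.html",         # climbs, but stays inside the root
    "/images/%2e%2e/%2e%2e/etc/passwd",    # percent-encoded '..'
    "/%252e%252e/%252e%252e/secret",       # double-encoded '..'
    "/a/..\\..\\b",                        # backslash-separated variant
    "/static/app.css",                     # benign request
]


def decode_fully(path: str, max_rounds: int = 3) -> str:
    """Percent-decode repeatedly (bounded) so double-encoded sequences such as
    %252e are seen by the check as the '.' they eventually become."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def is_traversal(path: str) -> bool:
    """True when the decoded path escapes the web root (more '..' segments than
    directories to pop) or contains a NUL byte, which C-based file APIs treat
    as a string terminator."""
    decoded = decode_fully(path).replace("\\", "/")
    if "\0" in decoded:
        return True
    depth = 0
    for segment in decoded.split("/"):
        if segment == "..":
            if depth == 0:          # nothing left to pop: the path leaves the root
                return True
            depth -= 1
        elif segment not in ("", "."):
            depth += 1
    return False


def safe_path(path: str) -> Optional[str]:
    """Return the normalised, root-relative path for a request, or None when the
    request is rejected as a traversal attempt."""
    if is_traversal(path):
        return None
    decoded = decode_fully(path).replace("\\", "/").lstrip("/")
    return normpath("/" + decoded)


def classify(paths: Iterable[str]) -> Dict[str, str]:
    """Map each request path to its normalised form, or to 'reject'."""
    verdicts = {}
    for p in paths:
        resolved = safe_path(p)
        verdicts[p] = "reject" if resolved is None else resolved
    return verdicts


if __name__ == "__main__":
    for p, verdict in classify(SAMPLE_PATHS).items():
        print(f"{verdict:<20} {p}")
```

The check counts depth segment by segment rather than searching for the literal string "../", so a path such as /first/second/../index.html (which never leaves the root) is accepted and normalised, while an encoded or backslash-separated climb past the root is rejected before any file is opened. An IPS protection such as the "Non Compliant HTTP" signature listed under Remediation inspects the same request forms at the network layer.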
5 Event/s
2 Event/s
3. Customer Names
The list of customers is considered confidential.
2 Event/s
In the pages that follow, descriptions of the identified events are provided. Remediation steps are also outlined in the relevant sections.
FINDINGS
WEB SECURITY EVENTS
For many organizations, Web security, encompassing both the applications employees use and the websites they visit, has become a critical source of risk, because many recent attacks have targeted application vulnerabilities and used compromised websites for malware injection and network penetration. Internet use is also a heavy consumer of bandwidth. While bandwidth utilization is not in itself a security risk, it does represent a productivity and TCO challenge. From a security perspective, the following identified applications and websites have a high risk profile:
In general, the analysis identified that these additional applications and websites are used within your network:
[Table residue: "Top Applications/Sites"; the table rows were not extracted]
The following table shows the top 10 categories and the number of hits associated with employee Internet browsing (the category names were not extracted; the rows are given in the order they appeared, and the last row is the total):
Category                      Number of Hits    % of Total Hits
(not extracted)                        2,113                11%
(not extracted)                        2,023                11%
(not extracted)                        1,747                 9%
(not extracted)                        1,602                 8%
(not extracted)                        1,388                 7%
(not extracted)                        1,292                 7%
(not extracted)                        1,271                 7%
(not extracted)                        1,196                 6%
(not extracted)                        1,010                 5%
(not extracted)                        5,316                28%
Total                                 18,958               100%
From a user perspective, the following people were involved in the highest number of risky application and web usage events:
[Table residue: user names were not extracted; the "Events" column reads 5, 5, 4, 3, 2]
[Chart residue: event distribution by severity; only the labels "Low" and "Informational" and one value, 50%, were extracted]
All organizations need to triage the security incidents to which they respond, and event criticality is often an effective way to prioritize them. Yet security practitioners will often also investigate events that do not fall into the most critical categories, because these seemingly less important incidents can help identify attacks in progress, or the first signs of new attacks that have not yet begun in earnest.
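As an added example of the triage approach described above (this is not code from the report or from Check Point SmartEvent), the routine below ranks event sources by their most critical event, but also escalates a source that produces a burst of low-severity or informational events inside a short window, which is the early-signal case the paragraph refers to. The log line format, the severity weights, the window size and the sample events are all constructed assumptions; the protection names are the ones this report lists.

```python
# Added example (not part of the Check Point report): a triage routine that ranks
# event sources by the most critical event seen, but also escalates a source that
# produces a burst of low-severity or informational events, since such clusters can
# be the first sign of an attack in progress. Log lines, field layout and weights
# are constructed for illustration and are not SmartEvent output.
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample events: timestamp, source host, severity, protection name.
SAMPLE_EVENTS = """\
2012-05-01T10:00:05 10.1.2.30 Critical CIFS Worm Catcher
2012-05-01T10:01:10 10.1.2.44 Low Non Compliant HTTP
2012-05-01T10:01:40 10.1.2.44 Low Non Compliant HTTP
2012-05-01T10:02:15 10.1.2.44 Informational Web Client Enforcement Violation
2012-05-01T10:02:50 10.1.2.44 Low Non Compliant HTTP
2012-05-01T10:30:00 10.1.2.77 Informational Web Client Enforcement Violation
2012-05-01T11:15:00 10.1.2.90 High Windows Kerberos Protection Violation
"""

# Assumed weights: one critical event still outranks any burst of low-severity ones.
SEVERITY_WEIGHT = {"Critical": 100, "High": 50, "Medium": 20, "Low": 5, "Informational": 1}


def parse_events(text: str) -> List[Dict]:
    """Parse the constructed line format into dicts; the protection name is the
    remainder of the line after the third field."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, severity, name = line.split(maxsplit=3)
        events.append({"time": datetime.fromisoformat(ts), "src": src,
                       "severity": severity, "name": name})
    return events


def triage(events: List[Dict], window: timedelta = timedelta(minutes=10),
           burst_threshold: int = 3, burst_bonus: int = 40) -> List[Dict]:
    """Score each source by its highest-severity event, add a bonus when at least
    `burst_threshold` of its events fall inside any `window`, and return the
    sources ranked by score (highest first)."""
    by_src: Dict[str, List[Dict]] = defaultdict(list)
    for ev in events:
        by_src[ev["src"]].append(ev)

    ranked = []
    for src, evs in by_src.items():
        score = max(SEVERITY_WEIGHT.get(e["severity"], 0) for e in evs)
        times = sorted(e["time"] for e in evs)
        # Sliding window over sorted timestamps: a burst exists if the event
        # `burst_threshold - 1` positions after event i is still within `window`.
        burst = any(times[i + burst_threshold - 1] - times[i] <= window
                    for i in range(len(times) - burst_threshold + 1))
        if burst:
            score += burst_bonus
        ranked.append({"src": src, "score": score, "burst": burst,
                       "events": len(evs),
                       "protections": sorted({e["name"] for e in evs})})
    ranked.sort(key=lambda r: (-r["score"], r["src"]))
    return ranked


if __name__ == "__main__":
    for row in triage(parse_events(SAMPLE_EVENTS)):
        flag = " (burst: investigate)" if row["burst"] else ""
        print(f"{row['src']:<10} score={row['score']:>3} events={row['events']}{flag}")
```

With the sample data, the host that generated only low and informational events is ranked just below the single High event and well above the isolated informational event, so it reaches an analyst's queue instead of being filtered out by severity alone. The weights and window are starting points to tune against your own event volume.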
On a more granular level, the following table shows the types and quantities of events within the defined categories:
[Table residue: the event types and quantities were not extracted]
[Chart residue: two-segment distribution; only the values 46% and 54% were extracted, without their labels]
The following list summarizes the identified data loss activity and the number of times each type of event occurred for the data types configured in the DLP policy:
[Table residue: "Data" / "Event/s"; the data type names were not extracted; the event counts read 3, 49, 3, 104]
[Table residue: a second table with an "Events" column reading 10, 9, 7, 5, 4, 4, 4, 4, 3, 2; the row labels were not extracted]
REMEDIATION
This report addresses identified security events across multiple security areas and at varying levels of criticality. The table below reviews the most critical of these incidents and presents methods to mitigate their risks. Check Point provides multiple methods for addressing these threats and concerns. Relevant protections are noted for each event, along with the software blades into which the defenses are incorporated.
Events (per application/site, in the order listed under Findings): 1, 5, 1, 2, 1
Remediation Steps
In the Application Control and URL Filtering Software Blades, you can activate, track and prevent the use of all the mentioned applications and web sites. You can define a granular policy that allows certain applications to specific groups only. Use UserCheck to educate users about the organization's web browsing and application usage policy.
Events: 6
Remediation Steps
In the Check Point IPS Software Blade, enable the following protections:
    CIFS Worm Catcher
    Non Compliant HTTP
    Internet Explorer XML Processing Memory Corruption (MS08-078)
    Microsoft Active Directory-MIT Kerberos Null Pointer Dereference (MS10-014)
    Microsoft Windows Print Spooler Service Buffer Overflow (MS05-043)
Events: 5
Data type: Customer Names
Remediation Steps
The Check Point DLP Software Blade protects confidential information from leaking outside the organization. To remediate the detected events, activate the DLP Software Blade. Configure the DLP policy based on the detected DLP data type and choose an action (Detect, Prevent, Ask User, etc.). If you consider the detected data type to be sensitive information, the recommended action is Prevent. Use UserCheck to educate users about the organization's data usage policy.
APPENDIX
Network Bandwidth Utilization
During the course of the analysis, your company's employees used significant corporate network resources for non-work activity. The following chart shows how bandwidth was used by your employees:
[Chart residue: bar chart of bandwidth by category. Categories extracted: Network Protocols, Media Sharing, Web Browsing, News / Media, Business / Economy, Other. Bar values extracted, from highest to lowest: 2945, 1601, 1095, 912, 867, 804; the pairing of values to categories and the unit were not recovered]
The use of social networking sites has become common at the workplace and at home. Many businesses leverage social networking technologies for their marketing and sales efforts, as well as for their recruiting programs. During the course of this project, and consistent with overall market trends, the following social networking sites consumed the most network bandwidth:
[Chart residue: bar chart of bandwidth by social networking site; the site names and unit were not extracted. Bar values extracted: 96, 44, 18, 8, 5, 19]