Automatização de administração e segurança em redes Windows NT

Orientadores: Paulo Licio de Geus, Celio Cardoso GuimarãesDissertação (mestrado) - Universidade Estadual de Campinas, Instituto de ComputaçãoResumo: A administração, a manutenção da segurança e o gerenciamento de grandes redes de computadores baseados em Windows NT são tarefas desafiadoras e trabalhosas. Algumas tarefas podem se tornar extremamente laboriosas para os administradores dessas redes, como por exemplo: instalação remota de programas, auditoria e modificação de uma configuração de segurança remota ou melhorar o desempenho de cada máquina. Este trabalho tem como objetivo desenvolver técnicas para automatizar as tarefas de administração de redes Windows NT, tornando-as menos complexas. Além disso, este trabalho apresenta e descreve DoIt4Me ("do it for me"), uma ferramenta de gerenciamento remoto capaz de melhorar a segurança, a administração e o desempenho de cada máquina dessas redesAbstract: The administration, the maintenance of the security and the management of large Windows NT networks are challenging tasks. Some tasks can be extremely laborious, such as: software remote install action, auditing and updating the security configurations or to improve the performance of each network machine. The goal of this work is to develop techniques to automate network administra tive tasks, turning them less complexo Besides that, this work presents DoIt4Me ("do it for me"), a network management tool to improve the security, the administration and the performance of each network machineMestradoMestre em Ciência da Computaçã

The Dark Side(-Channel) of Mobile Devices: A Survey on Network Traffic Analysis

In recent years, mobile devices (e.g., smartphones and tablets) have met an increasing commercial success and have become a fundamental element of the everyday life for billions of people all around the world. Mobile devices are used not only for traditional communication activities (e.g., voice calls and messages) but also for more advanced tasks made possible by an enormous amount of multi-purpose applications (e.g., finance, gaming, and shopping). As a result, those devices generate a significant network traffic (a consistent part of the overall Internet traffic). For this reason, the research community has been investigating security and privacy issues that are related to the network traffic generated by mobile devices, which could be analyzed to obtain information useful for a variety of goals (ranging from device security and network optimization, to fine-grained user profiling). In this paper, we review the works that contributed to the state of the art of network traffic analysis targeting mobile devices. In particular, we present a systematic classification of the works in the literature according to three criteria: (i) the goal of the analysis; (ii) the point where the network traffic is captured; and (iii) the targeted mobile platforms. In this survey, we consider points of capturing such as Wi-Fi Access Points, software simulation, and inside real mobile devices or emulators. For the surveyed works, we review and compare analysis techniques, validation methods, and achieved results. We also discuss possible countermeasures, challenges and possible directions for future research on mobile traffic analysis and other emerging domains (e.g., Internet of Things). We believe our survey will be a reference work for researchers and practitioners in this research field.Comment: 55 page

Active security vulnerability notification and resolution

The early version of the Internet was designed for connectivity only, without the consideration of security, and the Internet is consequently an open structure. Networked systems are vulnerable for a number of reasons; design error, implementation, and management. A vulnerability is a hole or weak point that can be exploited to compromise the security of the system. Operating systems and applications are often vulnerable because of design errors. Software vendors release patches for discovered vulnerabilities, and rely upon system administrators to accept and install patches on their systems. Many system administrators fail to install patches on time, and consequently leave their systems vulnerable to exploitation by hackers. This exploitation can result in various security breaches, including website defacement, denial of service, or malware attacks. The overall problem is significant with an average of 115 vulnerabilities per week being documented during 2005. This thesis considers the problem of vulnerabilities in IT networked systems, and maps the vulnerability types into a technical taxonomy. The thesis presents a thorough analysis of the existing methods of vulnerability management which determine that these methods have failed to mange the problem in a comprehensive way, and show the need for a comprehensive management system, capable of addressing the awareness and patch deploymentp roblems. A critical examination of vulnerability databasess tatistics over the past few years is provided, together with a benchmarking of the problem in a reference environment with a discussion of why a new approach is needed. The research examined and compared different vulnerability advisories, and proposed a generic vulnerability format towards automating the notification process. The thesis identifies the standard process of addressing vulnerabilities and the over reliance upon the manual method. An automated management system must take into account new vulnerabilities and patch deploymentt o provide a comprehensives olution. The overall aim of the research has therefore been to design a new framework to address these flaws in the networked systems harmonised with the standard system administrator process. The approach, known as AVMS (Automated Vulnerability Management System), is capable of filtering and prioritising the relevant messages, and then downloading the associated patches and deploying them to the required machines. The framework is validated through a proof-of-concept prototype system. A series of tests involving different advisories are used to illustrate how AVMS would behave. This helped to prove that the automated vulnerability management system prototype is indeed viable, and that the research has provided a suitable contribution to knowledge in this important domain.The Saudi Government and the Network Research Group at the University of Plymouth

Infrastructure as Code for Cybersecurity Training

An organization\u27s infrastructure rests upon the premise that cybersecurity professionals have specific knowledge in administrating and protecting it against outside threats. Without this expertise, sensitive information could be leaked to malicious actors and cause damage to critical systems. These attacks tend to become increasingly specialized, meaning cybersecurity professionals must ensure proficiency in specific areas. Naturally, recommendations include creating advanced practical training scenarios considering realistic situations to help trainees gain detailed knowledge. However, the caveats of high-cost infrastructure and difficulties in the deployment process of this kind of system, primarily due to the manual process of pre-configuring software needed for the training and relying on a set of static Virtual Machines, may take much work to circumvent. In order to facilitate this process, our work addresses the use of Infrastructure as Code (IaC) and DevOps to automate the deployment of cyber ranges. An approach closely related to virtualization and containerization as the code\u27s underlying infrastructure helps lay down this burden. Notably, placing emphasis on using IaC tools like Ansible eases the process of configuration management and provisioning of a network. Therefore, we start by focusing on understanding what the State of the Art perspectives lack and showcasing the benefits of this new working outlook. Lastly, we explore several up-to-date vulnerabilities that are constantly messing with the lives of individuals and organizations, most related to Privilege Escalation, Remote Code Execution attacks, and Incident Forensics, allowing the improvement of skills concerning Red team and Blue team scenarios. The analysis of the attacks and exploitation of such vulnerabilities are carried out safely due to a sandbox environment. The expected results revolve around using IaC to deploy a set of purposely-designed cyber ranges with specific challenges. The main objective is to guarantee a complexity of scenarios similar to what we can observe in enterprise-level networks. Thus, this entails having a set of playbooks that can be run in a machine or laboratory, assuring the final state of the network is consistent. We expect this deployment strategy to be cost-effective, allowing the trainee to get deep insight into a wide range of situations. Nowadays, DevOps solutions work as a silver bullet against the issues derived from old-case-driven approaches for setting up scenarios. In short, one of the key takeaways of this work is contributing to better prepare specialists in ensuring that the principles of the National Institute of Standards and Technology (NIST) Cybersecurity Framework hold, namely: prevent, detect, mitigate, and recover

MOSTO: A toolkit to facilitate security auditing of ICS devices using Modbus/TCP

The integration of the Internet into industrial plants has connected Industrial Control Systems (ICS) worldwide, resulting in an increase in the number of attack surfaces and the exposure of software and devices not originally intended for networking. In addition, the heterogeneity and technical obsolescence of ICS architectures, legacy hardware, and outdated software pose significant challenges. Since these systems control essential infrastructure such as power grids, water treatment plants, and transportation networks, security is of the utmost importance. Unfortunately, current methods for evaluating the security of ICS are often ad-hoc and difficult to formalize into a systematic evaluation methodology with predictable results. In this paper, we propose a practical method supported by a concrete toolkit for performing penetration testing in an industrial setting. The primary focus is on the Modbus/TCP protocol as the field control protocol. Our approach relies on a toolkit, named MOSTO, which is licensed under GNU GPL and enables auditors to assess the security of existing industrial control settings without interfering with ICS workflows. Furthermore, we present a model-driven framework that combines formal methods, testing techniques, and simulation to (formally) test security properties in ICS networks

Dissection of Modern Malicious Software

The exponential growth of the number of malicious software samples, known by malware in the specialized literature, constitutes nowadays one of the major concerns of cyber-security professionals. The objectives of the creators of this type of malware are varied, and the means used to achieve them are getting increasingly sophisticated. The increase of the computation and storage resources, as well as the globalization have been contributing to this growth, and fueling an entire industry dedicated to developing, selling and improving systems or solutions for securing, recovering, mitigating and preventing malware related incidents. The success of these systems typically depends of detailed analysis, often performed by humans, of malware samples captured in the wild. This analysis includes the search for patterns or anomalous behaviors that may be used as signatures to identify or counter-attack these threats. This Master of Science (Ms.C.) dissertation addresses problems related with dissecting and analyzing malware. The main objectives of the underlying work were to study and understand the techniques used by this type of software nowadays, as well as the methods that are used by specialists on that analysis, so as to conduct a detailed investigation and produce structured documentation for at least one modern malware sample. The work was mostly focused in malware developed for the Operating Systems (OSs) of the Microsoft Windows family for desktops. After a brief study of the state of the art, the dissertation presents the classifications applied to malware, which can be found in the technical literature on the area, elaborated mainly by an industry community or seller of a security product. The structuring of the categories is nonetheless the result of an effort to unify or complete different classifications. The families of some of the most popular or detected malware samples are also presented herein, initially in a tabular form and, subsequently, via a genealogical tree, with some of the variants of each previously described family. This tree provides an interesting perspective over malware and is one of the contributions of this programme. Within the context of the description of functionalities and behavior of malware, some advanced techniques, with which modern specimens of this type of software are equipped to ease their propagation and execution, while hindering their detection, are then discussed with more detail. The discussion evolves to the presentation of the concepts related to the detection and defense against modern malware, along with a small introduction to the main subject of this work. The analysis and dissection of two samples of malware is then the subject of the final chapters of the dissertation. A basic static analysis is performed to the malware known as Stuxnet, while the Trojan Banker known as Tinba/zuzy is subdued to both basic and advanced dynamic analysis. The results of this part of the work emphasize difficulties associated with these tasks and the sophistication and dangerous level of samples under investigation.O crescimento exponencial do número de amostras de software malicioso, conhecido na gíria informática como malware, constitui atualmente uma das maiores preocupações dos profissionais de cibersegurança. São vários os objetivos dos criadores deste tipo de software e a forma cada vez mais sofisticada como os mesmos são alcançados. O aumento da computação e capacidade de armazenamento, bem como a globalização, têm contribuído para este crescimento, e têm alimentado toda uma indústria dedicada ao desenvolvimento, venda e melhoramento de sistemas ou soluções de segurança, recuperação, mitigação e prevenção de incidentes relacionados com malware. O sucesso destes sistemas depende normalmente da análise detalhada, feita muitas vezes por humanos, de peças de malware capturadas no seu ambiente de atuação. Esta análise compreende a procura de padrões ou de comportamentos anómalos que possam servir de assinatura para identificar ou contra-atacar essas ameaças. Esta dissertação aborda a problemática da análise e dissecação de malware. O trabalho que lhe está subjacente tinha como objetivos estudar e compreender as técnicas utilizadas por este tipo de software hoje em dia, bem como as que são utilizadas por especialistas nessa análise, de forma a conduzir uma investigação detalhada e a produzir documentação estruturada sobre pelo menos uma amostra de malware moderna. O trabalho focou-se, sobretudo, em malware desenvolvido para os sistemas operativos da família Microsoft Windows para computadores de secretária. Após um breve estudo ao estado da arte, a dissertação apresenta as classificações de malware encontradas na literatura técnica da especialidade, principalmente usada pela indústria, resultante de um esforço de unificação das mesmas. São também apresentadas algumas das famílias de malware mais detetadas da atualidade, inicialmente através de uma tabela e, posteriormente, através de uma árvore geneológica, com algumas das variantes de cada uma das famílias descritas previamente. Esta árvore fornece uma perspetiva interessante sobre malware e constitui uma das contribuições deste programa de mestrado. Ainda no âmbito da descrição de funcionalidades e comportamentos do malware, são expostas, com algum detalhe, algumas técnicas avançadas com as quais os programas maliciosos mais modernos são por vezes munidos com o intuito a facilitar a sua propagação e execução, dificultando a sua deteção. A descrição evolui para a apresentação dos conceitos adjacentes à deteção e combate ao malware moderno, assim como para uma pequena introdução ao tema principal deste trabalho. A análise e dissecação de duas amostras de malware moderno surgem nos capítulos finais da dissertação. Ao malware conhecido por Stuxnet é feita a análise básica estática, enquanto que ao Trojan Banker Tinba/zusy é feita e demonstrada a análise dinâmica básica e avançada. Os resultados desta parte são demonstrativos do grau de sofisticação e perigosidade destas amostras e das dificuldades associadas a estas tarefas

Top 10 technologies and their impact on CPA\u27s

https://egrove.olemiss.edu/aicpa_guides/2474/thumbnail.jp

A Semantic Wiki-based Platform for IT Service Management

The book researches the use of a semantic wiki in the area of IT Service Management within the IT department of an SME. An emphasis of the book lies in the design and prototypical implementation of tools for the integration of ITSM-relevant information into the semantic wiki, as well as tools for interactions between the wiki and external programs. The result of the book is a platform for agile, semantic wiki-based ITSM for IT administration teams of SMEs