Conference presentation materials have been released.
You can download them from Packet Storm

Christoff Breytenbach

Filed under: Conference Speakers — Administrator @ 8:21 pm

April 21, 2005

Presentation Title: Assessing Server Security - State of the Art
Presentation Details:

OVERVIEW:

Over 70% of all the open ports on the Internet are web servers. In order to effectively evaluate an organization’s Internet security posture we must be able to effectively assess web server security. This talk takes a comprehensive look at the question of assessing web server security over the Internet. During the talk we consider the progress that has been made in web server security over the last few years, and the progress that has been made in attacking web servers over the same time. We visit the new vulnerabilities introduced by web applications and discuss the thinking applied to discover such vulnerabilities.

Finally, we describe the state of the art of web server scanning technology.

This talk should be split over two sessions and will cover the following topics:

Web Security - Yesterday & Today:

Web server security has improved dramatically since the dark days of IIS4 and the possibly even darker days of IIS5. In this section we discuss the new protection mechanisms built into Windows 2003 Server and IIS6 in particular. To demonstrate the improvements web servers have made, common attack vectors will be discussed and demonstrated against IIS5.x & IIS6 servers.

The Hunt - Finding servers to attack:

Web servers can run on any port on any server. And a single web server may serve numerous different sites. Finding these servers and sites is the first challenge for the attacker. In this section we discuss and demonstrate current ‘footprinting’ methodology and tools, with special focus on the automation of footprinting technologies.

State of the Art - Current Tools & Techniques:

In October 2004 SensePost introduced ‘Wikto’, a Windows tool that took CGI scanning to a new level. Its integration of search engine technology, combined with the ability to cascade results and the use of fuzzy logic to detect false positives, built on the work done in tools like Nikto to produce arguably the best CGI scanner available today. In this section we demonstrate and discuss the thinking behind Wikto and examine the challenges of introducing Wikto technology into the renowned Nessus open source security scanner.

Opening Windows - Analyzing Web Applications:

Insecure web applications are the single biggest threat to web server security today. However, the variety of development approaches and the custom nature of these applications make the automated discovery of vulnerabilities on such systems near to impossible. Current web application security scanners only reveal the tip of the iceberg, and security analysts have access to only very simple copy-cat analysis tools. In this section we discuss an alternative approach to black-box web application security assessment and demonstrate new technology designed to enable detailed and intelligent analysis.

Each section will include detailed technical demonstration and an open forum for questions and comments.

About Christoff:

Christoff Breytenbach studied B.Com Informatics at the University of Pretoria, South Africa. During 1999, while still studying, he was employed part time at the University’s Bureau of Institutional Research and Planning as a Natural/Adabas programmer. He started full-time employment at the end of 1999 doing Visual Basic development work on company secretarial systems. His career moved towards information security in 2000 when he joined NetXactics (formerly eSafe Technologies), where one of his areas of expertise was application integration and technical support of cryptographic tokens.

Christoff joined AST Security Management in 2001 as an information security architect, specialising in network security consulting, architecture design and implementations. One of the various projects he was involved in was Microsoft Certificate Services architecture design as a partner consultant to Microsoft Consulting Services South Africa. In August 2002, Christoff joined SensePost as a senior IT security consultant involved in the various assessment services SensePost provides, including internal, external, architecture, web application/services and database security assessments. Christoff has presented various talks (Internet Solutions’ Internetix conference, MSUG, ISSA, TechEd, etc.) and papers (editorial for ITP Asia, etc.), and has delivered various Black Hat and SensePost training sessions, both locally and internationally. Christoff holds various certifications, including CISSP and MCSE in Security.

Event Organizer: Hack In The Box (M) Sdn. Bhd.