Course Overview

Online 451 is designed to provide students with a strong foundational knowledge of network security, including the principles, algorithms and protocols underlying the design and development of network security. The course focuses on exploring security measures that are widely used in industry to deter, prevent, detect and correct security violations. Students will get extensive hands-on practice in the lab, operating hacking tools and implementing security applications, which will later greatly benefit them in resolving real-world security issues.

The course is organized to cover the following major topics:

Security Fundamentals

Firewalls

Virtual Private Networks

Encryption

Key Management

Authentication

Intrusion Detection

Web Security

The Future

Course Goals

• Present the fundamentals and principles of network security

• Demonstrate different network security products and solutions

Course Objectives

Upon completion of this course, each student should be able to:

• Describe the need for network security, different categories of security threats, as well as common attack methods and techniques used by hackers

• Discuss the functionality, design principles and security issues associated with firewalls, and configure a firewall

• Discuss the foundational concepts associated with VPN and implement a VPN

• Describe major encryption techniques, concepts, and algorithms underlying those techniques

• Describe widely used key management techniques and approaches

• Discuss the requirements for authentication and approaches to authentication, and analyze specific examples

• Define network attack issues, intrusion detection, and analyze various approaches to prevention and detection

• Discuss important web security areas and key web security standards

• Identify future trends in network security architecture and strategies

Topic 1 Security Fundamentals

Topic lessons:

1. Introduction

2. Vulnerabilities and Incidents

3. Network Attacks

4. Intrusion and Penetration

5. Network Security Policy

6. Wrap-Up

Lesson 1 Introduction

Topical Goals

Over the past few years, there has been explosive growth in computer systems and their interconnection via networks. Computer networking has worked its way into every aspect of our lives. Businesses increasingly rely on the Internet and networking to build strong relationships with customers and partners, improve their efficiency and lower operating costs. The Internet and networking have greatly expanded the ways in which businesses communicate and share data, provide services to customers and process data.

As computer networks continue to grow, enabling more and more applications and becoming available to more and more users, they become vulnerable to an ever wider range of security threats. How to prevent the disclosure of data and resources, guarantee the integrity of data and messages, and protect systems from network-based attacks has become a major concern in the networking industry. It is important to understand the common techniques used by hackers and to learn how to implement adequate measures to secure the business's daily procedures and transactions.

After reading this topic, you should be able to:

• Explain the importance of network security

• Describe different types of attacks, common attack techniques and the recommended mitigations for them

• Describe different intrusion tools, penetration scenarios and the steps involved in conducting a penetration

• Identify the components of a complete security policy

Lesson 2 The Importance of Network Security

Lesson Objectives

In the past, networks were relatively secure by design because they connected only known parties and sites within a corporate environment. Nowadays, networks connected to the Internet and other public networks have become essential to improving business efficiency and revenue growth. It is now easy to interconnect partner companies at separate geographical locations, and to place orders and update information online. However, this broad access has brought with it the possibility of data theft, disclosure of private information and financial loss.

This lesson presents the growth of security vulnerabilities and incidents in today's networks and the need for network security.

After reading this lesson, you should be able to:

• Illustrate the level of security vulnerabilities and incidents in today's networks

• Review examples of historic security incidents

• Identify the need for network security

Vulnerabilities and Incidents

Modern networks have become increasingly large and complex in terms of the number of sites connected, the number of users at each site, and the use each of them makes of the network. While the increased connectivity benefits the business, it also enables the outside world to reach and interact with local network assets.

It is hard to keep up with all possible security vulnerabilities. Network applications are too complicated to be perfect from a security perspective. Businesses tend to focus more on revenue growth than on spending time and money on better techniques to identify and remove vulnerabilities. More people are using computers without knowing how to protect them. Even the protocols used to manage your network can themselves be a source of vulnerability. All too often a security weakness is exposed only after the system has been compromised, by which time it is already too late.

Not only are there more security vulnerabilities in today's networks, but obtaining hacking tools has become easier: there are freely downloadable tools that require little or no technical knowledge to put into practice. There are also built-in network troubleshooting applications that can be misused for hacking purposes.

As a result, there has been a huge increase in security incidents in the past twenty years.

Though most network security crimes go unreported, the statistics are alarming. According to an FBI survey of 500 private corporations and large government agencies, in 1996 42% of those organizations had experienced a security breach over the previous 12 months, while 20% did not know. In 1997, 50% had a security breach, with 17% having no knowledge of whether a breach had occurred. In 1998, 64% had a security breach, with 18% not knowing. In 1999, 63% had a security breach and 21% cited no knowledge of an attack. Of the known attacks in 1999, 57% occurred via the Internet, 51% from internal systems, and 27% via remote dial-in.

Figure 1 – Total Number of Vulnerabilities

Figure 2 – Total Number of Incidents

Since more business processes and sensitive data are handled online, companies are experiencing significant losses due to security breaches. The cost of lost goods and services was estimated at 100 million in 1997. This number rose to 138 million in 1998 and was 125 million in 1999.

Security Incidents in History

Every computer is a potential host of vulnerabilities. The more accessible it is, the more susceptible it is to attack. Connecting it to a network such as the Internet makes it potentially accessible to everyone on that network.

Network security incidents are network-related activities with negative security implications. This usually means that the activity violates an explicit or implicit security policy. Here we present several severe security incidents in the history of the Internet.

Melissa

First found on March 26, 1999, Melissa became one of the most infamous computer viruses the world has ever seen. By around 2:00pm that day, reports had been received from more than 100,000 hosts about performance problems and denial of service on mail servers clogged with virus-propagating e-mails.

Melissa spreads on machines running Microsoft Word 97 or Word 2000 in the form of an e-mail attachment. The original version of the attached file is called “List.DOC”. If a Word document containing the virus, either LIST.DOC or another infected file, is downloaded and opened, the macro in the document runs and attempts to mass-mail itself. It collects the first 50 entries from the MS Outlook address book, sends a copy of itself to those e-mail addresses, and then spreads from there.

An infected e-mail looks like:

From:

Subject: Important message from

To:

Attachment: LIST.DOC

Body: Here is that document you asked for ... don't show anyone else ;-)

I Love You

Over a five-hour period on May 4, 2000, this virus spread across Asia, Europe and the United States via e-mail messages titled "ILOVEYOU." The virus clogged web servers, overwrote personal files and caused e-mail systems to shut down. As of 5:00 pm on May 8, 2000, it was reported that more than 500,000 individual systems had been affected. Infected sites suffered considerable network degradation and corruption of certain files.

The virus arrives as an e-mail with the subject line "I Love You" and an attachment named "Love-Letter-For-You.txt.vbs." New variants have different names, including Very Funny.vbs, virus_warning.jpg.vbs, and protect.vbs. The attached file is an executable Visual Basic script. Opening the attachment executes the script and thus infects your computer. The infection first scans your PC's memory for passwords, which are sent back to the virus's creator. It then replicates itself to all entries in your Outlook address book. Finally, it replaces certain types of files (e.g., .vbs, .vbe, .js, .css, .wsh, .jpg, .jpeg, .mp2, .mp3) with a copy of itself. It also appears to reset the default start page of Internet Explorer.

Denial-of-service

On Feb. 6, 2000, the Yahoo web site went down for three hours. By the evening of Feb. 7, eBay, Amazon, and CNN had been shut down, followed by E*trade on the morning of Feb. 8. The deluge slowed the entire Internet, even sites that weren’t targeted. Access to a typical (un-attacked) web page during that week was 6% slower on Monday, 7% slower on Tuesday and 26% slower on Wednesday. Sites such as Yahoo were hit with as many as 1 billion bits of data a second, more than some sites receive in a week.

A denial of service (DoS) attack is a security incident that deprives legitimate users of services or resources they would normally be able to access. When a DoS attack happens, users experience the unavailability of one particular network service or even the temporary loss of all network connectivity and services. DoS attacks are easy to launch and difficult to trace because hackers can send what look like legitimate requests for service. Moreover, they come in a variety of forms and aim at a variety of services such as e-mail, web sites and online shopping. For example, users will have trouble accessing the URL of a web site that is flooded with millions of requests and forced to cease operation. Although it usually does not result in data disclosure or other security loss, a DoS attack can effectively disable your computer or network and cost the victim a great deal of time and money.

Internet Worm

On the evening of November 2, 1988, the Internet came under attack from within: a self-replicating program was released onto the Internet. This program (a worm) invaded VAX and Sun-3 computers running versions of Berkeley UNIX and used their resources to attack other computers. As time went on, hundreds or thousands of computers in the U.S. were affected. Many of them became so loaded with running processes that they were unable to continue any processing. Some machines failed completely, with all swap space or process table entries exhausted. The Internet had never been attacked in this way before, and November 3, 1988 came to be known as Black Thursday.

A worm is a program that propagates itself across a network, using resources on one machine to attack other machines. When a worm breaks into a computer on the Internet, it replicates and executes itself, collects information about hosts, networks and users from that computer, and proceeds to infect more machines using that information. The worm spreads over the Internet with no assistance (a virus requires user involvement to propagate). Once it identifies an Internet connection, it downloads a copy of itself to the new location and runs it, so all machines connected to an infected machine are at potential risk of attack. Worms can cause denial of service when systems are loaded with multitudes of worm copies trying to propagate the epidemic.

Need for Security

Today’s businesses rely on extensive information exchange with public networks and systems for survival and profitability. In the modern business environment, regardless of the type of business, all data resident on a computer system is both valuable and vulnerable. Businesses are constantly at risk from threats that could harm their operations, assets, and profitability. The consequences can be the loss or modification of critical business data, disruption of services, disclosure of proprietary business plans and even a halt of operations.

Security threats have extended beyond the physical boundary of each system. Since all systems are virtually connected to one big network, the Internet, the compromise of one system can affect every system connected to it. Without proper protection, any part of any network can be susceptible to attacks or unauthorized activity. Routers, switches, and hosts can all be violated by professional hackers, company competitors, or even internal employees. This increased connectivity has brought both convenience and risk.

In addition, hackers’ understanding of security weaknesses has increased over time, as has the sophistication of their attack tools. Internal vulnerabilities may be exploited by external threats as well as internal ones. It is urgent that we improve our understanding of security and the security of computer systems.

When implementing security, there is sometimes a conflict between security objectives and operational requirements. The benefits of a security plan need to be quantified as a function of its costs, and the cost-benefit tradeoffs need to be considered to justify an appropriate security plan.

Lesson Wrap-Up

With the advent of the Internet and networking, companies’ ability to build stronger relationships with customers, suppliers, partners, and employees has dramatically improved. Internet-enabled companies have become more flexible and competitive.

As companies open their networks to more users and applications, they also expose them to greater risk. Statistical analysis confirms that vulnerabilities in network systems have increased, and so have attacks that exploit those vulnerabilities. As a consequence, there has been a recent surge in incidents. To combat these attacks and ensure that systems are not compromised, security technology must play a major role in today’s networks.

Now that you have completed this lesson, you should be able to:

• Illustrate the level of security vulnerabilities and incidents in today's networks

• Review examples of historic security incidents

• Identify the need for network security

Lesson 3 Network Attacks

Lesson Objectives:

An attack is a single unauthorized access attempt, or unauthorized use attempt regardless of success. Network attacks can be as varied as the systems that they attempt to penetrate.

To determine the best ways to protect against attacks, we should understand the many types of attacks that can be mounted against, and damage, a network infrastructure.

After reading this lesson, you should be able to:

• Identify different categories of network security attacks

• Discuss common attack techniques and corresponding mitigation recommendations

Network Attack Types

Network threats are potential dangers that might exploit vulnerabilities of a network and cause harm or havoc. Network attacks are assaults on system security that derive from a threat. Threats can come from within an organization or from outside. External threats are dangers from an external source that are malicious and can be destructive to a system. Internal threats often come from an internal source such as disgruntled employees, or visitors who have been given permission to access certain network resources. The necessary security measures should be in place to reduce vulnerability to both internal and external threats and to respond when attacks occur.

Network attacks can originate from both external and internal threat sources. Regardless of their origin, there are generally considered to be two types of network attacks: passive attacks and active attacks.

A passive attack attempts to learn from or monitor traffic transmitted over a network without making any changes to the system. Hackers carrying out passive attacks are typically eavesdropping on or monitoring information being passed across the network. They can often obtain sensitive or confidential information that is distributed in plain text, such as an important e-mail message or a transferred file containing a business plan.

Another purpose of a passive attack is traffic analysis. When the information itself is encrypted, passive attacks can still be used to study the pattern of the traffic. Such study can reveal information, such as the location and identity of the communicating hosts or the frequency and length of the data being exchanged, which may be useful in guessing the nature of the communication that is taking place.

Passive attacks are difficult to detect because traffic is still sent and received in a normal pattern and there is no sign of data alteration or impact on resources. Therefore, countering passive attacks should focus on prevention rather than detection.

An active attack is an attack within a computer network that modifies a data stream (e.g. a message) or creates a false data stream. Active attacks take four basic forms: masquerade, replay, modification of messages, and denial of service.

A masquerade happens when one entity hides its identity behind the mask of another entity. An example of a masquerade is sending an e-mail message that appears to the recipient to come from a trusted source. IP spoofing, which will be discussed later, is a masquerade attack.

A replay takes place when a hacker captures a message without interrupting its normal delivery and later re-sends the original message to the recipient.

Modification of messages involves altering, or reordering some portion of a legitimate message to produce an unauthorized effect. For example, a message “allow John to access the database” could be changed to “allow Fred to access the database”.

A denial of service attack inhibits the normal use of network facilities, disables a network, or degrades its performance by exhausting network resources. For example, a hacker may suppress all messages directed to a particular destination (e.g. a network audit service), or flood an e-mail server with millions of meaningless messages so that the mail server grinds to a halt.

Active attacks are often launched by hackers who are more motivated and technically competent, using sophisticated hacking techniques to penetrate unsuspecting businesses.

These attacks are often involved in major fraud and theft cases. In contrast to passive attacks, it is quite difficult to prevent active attacks completely. The goal in countering active attacks is to detect them and then to recover from the damage.

Common Attack Weapons

There are many types of attacks that can be used to assault a network and compromise your systems. The following are some attack weapons commonly used by hackers:

▪ Packet sniffers

▪ Spoofing tools

▪ Password crackers

▪ Denial-of-service (DoS) or distributed denial of service (DDoS) tools

▪ Virus, Worm and Trojan horse

▪ Malicious applets

▪ War Dialing

▪ Logic bombs

▪ Buffer overflow

▪ Social engineering

▪ Dumpster diving

Packet Sniffers

A packet sniffer is a software program that covertly examines individual packets of data as they are sent across a local network, capturing login sessions or their entire contents. A packet sniffer places the network adapter of the machine hosting the sniffing software into “promiscuous mode”, which causes all of the traffic on the physically connected network to be passed to the sniffing application for processing. Packet sniffers merely examine and log network packets without modifying them (a passive attack).

Network protocols that transmit packets as plain text, such as Telnet, FTP, SNMP and POP, are at great risk, because the original packet data can be interpreted and processed by sniffers monitoring the network. Packet sniffers can steal meaningful and sensitive information, such as user login names and passwords. Because people tend to use a single login and password for multiple applications, attackers are often successful in gaining access to vital information.

A one-time password (OTP) system is a good way to counter packet sniffers deployed to grab login information. OTP requires a personal identification number (PIN) and a token card to authenticate to a device or software application. A token card is a hardware or software device that creates a sequence of one-time (random) passwords at specified intervals (usually 60 seconds). The random password combined with the PIN generates a unique password for each instance of authentication. Even if a hacker obtains the password through a packet sniffer, it is useless because it has expired by the time the hacker tries to use it. Note that OTP is not designed to prevent a sniffer from gaining other sensitive information (such as e-mail messages).
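The token-card mechanism described above, as an added example that is not part of the course material: a software token derives a six-digit code from a shared secret and the current 60-second interval (HMAC-SHA1 with dynamic truncation, the construction standardised in RFC 4226/6238), and the server checks PIN plus code. The function names, the demo seed and the PIN are our own choices; the replay_demo function shows why a sniffed code is worthless a few minutes later.

```python
import hmac
import hashlib
import struct
import time
from typing import Optional, Tuple

# Added example, not part of the course material: a software token card that
# derives a one-time code from a shared secret and the current 60-second
# interval (HMAC-SHA1 with dynamic truncation, the construction standardised
# in RFC 4226/6238). The function names and the demo seed are our own choices.

STEP_SECONDS = 60   # the course text cites 60-second intervals for token cards
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """One-time code for a counter value: HMAC, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: Optional[int] = None) -> str:
    """Code for the interval containing at_time; the token card shows the same."""
    if at_time is None:
        at_time = int(time.time())
    return hotp(secret, at_time // STEP_SECONDS)


def verify(secret: bytes, pin: str, expected_pin: str, code: str,
           at_time: int, window: int = 1) -> bool:
    """Server-side check: PIN must match, and the code must belong to the
    current interval or an adjacent one (tolerance for clock drift)."""
    if not hmac.compare_digest(pin.encode(), expected_pin.encode()):
        return False
    counter = at_time // STEP_SECONDS
    return any(hmac.compare_digest(hotp(secret, counter + d).encode(), code.encode())
               for d in range(-window, window + 1) if counter + d >= 0)


def replay_demo() -> Tuple[bool, bool]:
    """A code sniffed during a login at t=30s is still accepted a few seconds
    later, but rejected once its interval (plus the drift window) has passed."""
    secret = b"12345678901234567890"   # constructed demo seed, never reuse it
    pin = "4321"                        # constructed PIN
    captured = totp(secret, at_time=30)
    fresh = verify(secret, pin, pin, captured, at_time=45)
    stale = verify(secret, pin, pin, captured, at_time=30 + 3 * STEP_SECONDS)
    return fresh, stale


if __name__ == "__main__":
    print(replay_demo())   # (True, False)
```

The PIN is compared separately from the code so that a sniffed code on its own is not enough even inside its interval, and both comparisons use constant-time equality so that the check itself leaks no timing information.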

Sniffers are usually difficult to detect because they do not interfere with normal network traffic. Several antisniffer programs have been developed to identify the use of sniffers on a network. These programs analyze changes in a host's response time, since a host running a sniffer processes more traffic than it is supposed to receive. Antisniffers cannot eliminate sniffers, but as part of an overall security system they can be effective at detecting them.

The most effective defense against packet sniffers is encryption. When network packets are encrypted, packet sniffers will only see the cipher text (an unreadable format) rather than the original messages. Cisco’s IPSec is one standard method for networking devices to communicate securely using encryption. Others include the Secure Shell protocol (SSH) and Secure Sockets Layer (SSL) for secure network management.

Spoofing Tools

Attackers have long used the tactic of disguising their true identity when conducting harmful activities. IP spoofing is a camouflage technique in which attackers impersonate a trusted host by using either a valid IP address from your network or an authorized external IP address that you trust. This is accomplished by first using a variety of means to obtain the IP address of a trusted host, and then modifying the source address in the packet header to make the packet appear to come from that host.

Spoofing can yield access to sensitive information. One form of spoofing is for attackers to fake an e-mail address or web page that appears to originate from a computer within your organization, tricking users into passing along critical information such as passwords or credit-card numbers.

Access control is one common method of reducing the effectiveness of IP spoofing. If only internal addresses are trusted, access control should be configured to deny any traffic arriving from the external network that uses a source address from the internal network. However, this method will not work if some external addresses are trusted as well.

A properly configured filter can also prevent users of one network from spoofing other networks. Such a filter does not allow any traffic with a source IP address that does not belong to your network to leave your network. With this filter in place, users cannot send malicious traffic (e.g. an e-mail message) to another network while pretending to be a computer on that network.

Additionally, many network devices use only IP address-based authentication; that is, a device accepts requests as long as they come from trusted IP addresses. In such cases, other authentication methods, such as cryptographic authentication and OTP, can be added to counter IP spoofing.
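The two filters from the preceding paragraphs, ingress (drop external packets claiming an internal source) and egress (drop outbound packets claiming a foreign source), as an added example that is not course material. The prefixes, the trusted partner address and the sample packets are constructed; the trusted-external case is included to show the limitation the text points out, namely that a filter cannot distinguish a genuine packet from a trusted external address from a forged one.

```python
import ipaddress
from typing import List, Tuple

# Added example, not from the course: an ingress/egress anti-spoofing filter of
# the kind described above. The prefixes, interface directions and sample
# packets are constructed for the demonstration.

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.1.0/24")]
# A partner host we trust by address. The text notes that address-based
# filtering cannot protect such addresses, and the ingress check shows why.
TRUSTED_EXTERNAL = [ipaddress.ip_network("203.0.113.10/32")]


def _in_any(addr: str, nets) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in nets)


def ingress_decision(src: str) -> str:
    """Packet arriving on the outside interface. An internal source address
    cannot legitimately arrive from outside, so it is dropped as spoofed."""
    if _in_any(src, INTERNAL_NETS):
        return "drop: spoofed internal source"
    if _in_any(src, TRUSTED_EXTERNAL):
        # genuine and spoofed copies look identical here; only stronger
        # authentication (OTP, cryptography) can tell them apart
        return "allow: trusted external address, not verifiable by filter"
    return "allow"


def egress_decision(src: str) -> str:
    """Packet leaving on the outside interface. A source that is not one of
    ours means a local host is impersonating another network; drop it."""
    if not _in_any(src, INTERNAL_NETS):
        return "drop: spoofed foreign source"
    return "allow"


def filter_packets(packets: List[Tuple[str, str]]) -> List[str]:
    """packets: (direction, source_ip) with direction 'in' or 'out'."""
    verdicts = []
    for direction, src in packets:
        if direction == "in":
            verdicts.append(ingress_decision(src))
        elif direction == "out":
            verdicts.append(egress_decision(src))
        else:
            raise ValueError(f"unknown direction {direction!r}")
    return verdicts


SAMPLE = [                      # constructed traffic
    ("in", "198.51.100.7"),     # ordinary external client
    ("in", "10.1.2.3"),         # claims to be internal: spoofed
    ("in", "203.0.113.10"),     # trusted partner address (or a forgery of it)
    ("out", "192.168.1.20"),    # our own host going out
    ("out", "198.51.100.9"),    # local host pretending to be foreign
]

if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE, filter_packets(SAMPLE)):
        print(pkt, "->", verdict)
```

On a real border router the same two rules are written as access lists on the outside interface; the point the code makes is that the egress rule protects other people's networks from your users, while the ingress rule protects you only for address ranges that can never legitimately appear from outside.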

Denial of Service (DoS) Tools

DoS attacks are not aimed at gaining access to the information or resources on your network; rather, they focus on exhausting limited resources and thus making a service unavailable for normal use. DoS attacks require little effort to execute and are among the most difficult attacks to defend against, because they are often carried out using traffic that would normally be allowed into a network. However, the damage caused by DoS attacks is serious: they can effectively clog a system, slow down its performance or even crash it by hammering the target (e.g., a web site) with more packets than it can handle in a short amount of time. This method of overloading computers is sometimes also used to cover up another attack.

Figure - DDoS Example

A more powerful form of DoS attack is the DDoS attack, which involves multiple compromised systems together attempting to flood a victim with packets, often from spoofed (fake) IP addresses. In a DDoS attack, thousands of systems can be used to conduct what is otherwise a typical DoS attack.

To launch a DDoS attack, the hacker must first have obtained a set of specific hacking tools from one of scores of underground web sites. In the figure above, the hacker uses these tools to search the web for systems to break into. After breaking into a number of computers, the hacker installs the master program on them to identify, compromise, and infect more computers with daemon software. The hacker then picks a victim, say Yahoo!, eBay, or Amazon, and carries out the DoS attack by executing the master programs, which in turn activate the daemon programs to send large numbers of packets (e.g., requests) to the victim. When so many compromised hosts all send out spoofed traffic, it can take hours to stop them. But as system administrators sift through the traffic, they can identify the daemons, then the master programs, and finally shut them down.

DoS attacks are often hard to trace and block because of the spoofed source IP addresses used by hackers. Methods that defeat spoofing help reduce the threat of DoS, because hackers may not attack if they cannot disguise their identities. A DDoS program can be mitigated by finding the machines hosting masters and daemons before they are put to use; there are now products for this task. Another approach is to implement a filter that limits the amount of nonessential traffic allowed into a network to a certain rate. For example, ICMP traffic, normally used for diagnostic purposes, can be rate-limited to protect against ICMP-based DDoS attacks.
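The rate-limiting mitigation just described, as an added example that is not course material: a token-bucket policer that caps ICMP at a configured rate while leaving other protocols untouched. The rate, the burst size and the packet trace (a one-second ICMP flood with a few legitimate TCP packets mixed in) are constructed for the demonstration; timestamps are integer milliseconds and tokens are stored in thousandths so that the arithmetic stays exact.

```python
from typing import Dict, List, Tuple

# Added example, not from the course: a token-bucket policer applied to
# nonessential traffic (ICMP here), the rate-limiting mitigation described
# above. Integer millisecond timestamps and "millitokens" keep the arithmetic
# exact. The rates and the packet trace are constructed for illustration.


class TokenBucket:
    """Allows an average of `rate` packets per second, with bursts up to `burst`."""

    def __init__(self, rate: int, burst: int):
        self.rate = rate                   # tokens added per second
        self.capacity = burst * 1000       # in millitokens
        self.millitokens = self.capacity   # bucket starts full
        self.last_ms = 0

    def allow(self, now_ms: int) -> bool:
        # refill in proportion to elapsed time, never beyond the burst size
        refill = (now_ms - self.last_ms) * self.rate
        self.millitokens = min(self.capacity, self.millitokens + refill)
        self.last_ms = now_ms
        if self.millitokens >= 1000:
            self.millitokens -= 1000
            return True
        return False


def police(packets: List[Tuple[int, str]],
           limits: Dict[str, TokenBucket]) -> Dict[str, Dict[str, int]]:
    """Apply per-protocol buckets to a time-ordered (ms, protocol) trace.
    Protocols without a bucket pass unlimited. Returns per-protocol counts."""
    stats: Dict[str, Dict[str, int]] = {}
    for ts, proto in packets:
        counters = stats.setdefault(proto, {"allowed": 0, "dropped": 0})
        bucket = limits.get(proto)
        if bucket is None or bucket.allow(ts):
            counters["allowed"] += 1
        else:
            counters["dropped"] += 1
    return stats


def build_trace() -> List[Tuple[int, str]]:
    """Constructed flood: 100 ICMP packets in one second (one every 10 ms),
    mixed with three legitimate TCP packets that must not be affected."""
    trace = [(10 * i, "icmp") for i in range(100)]
    trace += [(250, "tcp"), (500, "tcp"), (750, "tcp")]
    return sorted(trace)


def demo() -> Dict[str, Dict[str, int]]:
    """ICMP limited to 10 per second with a burst of 5: of the 100 flood
    packets only the first 5 plus one per 100 ms afterwards get through."""
    return police(build_trace(), {"icmp": TokenBucket(rate=10, burst=5)})


if __name__ == "__main__":
    print(demo())   # {'icmp': {'allowed': 14, 'dropped': 86}, 'tcp': {'allowed': 3, 'dropped': 0}}
```

The policer does not stop the flood from reaching the border, but it bounds what the protected hosts have to process and keeps the limit from spilling over onto the traffic that matters.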

Password Crackers

A password cracker is any software that can detect or guess passwords and thereby defeat password protection.

We know that packet sniffers and spoofing attacks can yield user accounts and passwords. When a password is encrypted, password crackers are often used to repeatedly attempt to identify the original password in clear text. Encrypted passwords cannot simply be decrypted, since most password encryption algorithms are now one-way; that is, the encryption process cannot be reversed to reveal the original password.

Many password crackers are based on brute-force engines: programs that, using the same algorithm as the original password program, try to match encrypted versions of candidate passwords against the original through comparative analysis. The program uses a particular character set, such as A-Z plus 0-9, and computes every possible combination of those characters at high speed. A simpler method is to try all of the words in a dictionary, called “dictionary cracking”. These crackers often succeed in finding the right passwords because of human nature: people are simply too lazy to create strong passwords, and often use the same password for every system they access.


To reduce the threat of password attacks, strong passwords are strongly recommended. Many systems with strong-password support restrict users to passwords that are at least eight characters long and contain uppercase letters, lowercase letters, numbers, and special characters. Even with strong passwords, some systems require users to change their password at regular intervals. In addition, do not allow users to use the same password to access all systems, and whenever possible use strong authentication such as OTP or encrypted passwords.
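The defensive side of the two preceding sections, as an added example that is not course material: a check against the strong-password policy just stated (length, character classes, not a decorated dictionary word), an estimate of the brute-force search space a cracker faces for a given password, and salted one-way storage with PBKDF2 so that a stolen password file yields nothing a cracker can reverse, only something it must guess. The word list, the iteration count and the sample passwords are constructed.

```python
import hashlib
import hmac
import math
import os
import string
from typing import List, Optional, Tuple

# Added example, not from the course: a check against the strong-password
# policy stated above (length, character classes, no dictionary word) and
# salted one-way storage with PBKDF2, so that what a cracker obtains cannot be
# reversed and must be guessed. The word list is a constructed stand-in.

COMMON_WORDS = {"password", "letmein", "welcome", "qwerty", "summer"}
SPECIALS = set(string.punctuation)
ROUNDS = 100_000


def policy_violations(pw: str, min_len: int = 8) -> List[str]:
    """Return the policy rules the password fails (empty list = acceptable)."""
    problems = []
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if not any(c.isupper() for c in pw):
        problems.append("no uppercase letter")
    if not any(c.islower() for c in pw):
        problems.append("no lowercase letter")
    if not any(c.isdigit() for c in pw):
        problems.append("no digit")
    if not any(c in SPECIALS for c in pw):
        problems.append("no special character")
    # a dictionary word decorated with leading/trailing digits or symbols is
    # exactly what a dictionary cracker tries first
    core = pw.lower().strip(string.digits + string.punctuation)
    if core in COMMON_WORDS:
        problems.append("based on a dictionary word")
    return problems


def search_space_bits(pw: str) -> float:
    """Rough brute-force cost: log2(alphabet ** length), counting only the
    character classes actually present, as a cracker's charset would."""
    alphabet = 0
    if any(c.islower() for c in pw):
        alphabet += 26
    if any(c.isupper() for c in pw):
        alphabet += 26
    if any(c.isdigit() for c in pw):
        alphabet += 10
    if any(c in SPECIALS for c in pw):
        alphabet += len(string.punctuation)
    return len(pw) * math.log2(alphabet) if alphabet else 0.0


def hash_password(pw: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Store (salt, digest): the salt defeats precomputed tables, the rounds
    slow each guess, and the digest cannot be turned back into the password."""
    if salt is None:
        salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, ROUNDS)


def check_password(pw: str, salt: bytes, digest: bytes) -> bool:
    """Recompute and compare in constant time, as the login program would."""
    candidate = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, ROUNDS)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    for pw in ("password1", "Blue!Kite42"):   # constructed samples
        print(pw, policy_violations(pw), round(search_space_bits(pw), 1))
    salt, digest = hash_password("Blue!Kite42")
    print(check_password("Blue!Kite42", salt, digest),
          check_password("Blue!Kite43", salt, digest))
```

The search-space figure is why the policy asks for mixed character classes: "password1" lives in a 36-character alphabet and a nine-character space, while the policy-conforming sample spans a 94-character alphabet, and a dictionary check catches the cases where length and classes are present but the password is still one the cracker's word list will hit first.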

Virus, Worms and Trojan Horses

Every end-user workstation is at risk of virus, worm and Trojan horse attacks. A virus is a piece of software embedded in real applications that performs unauthorized activities on a user’s workstation. Like biological viruses, computer viruses have to reside in other programs or documents in order to get executed. For example, a virus may attach itself to a Word document. Every time the Word document is opened, the virus runs. Once it is running, the virus has the capability to reproduce itself by attaching to more programs on your computer, and can create huge damage. Viruses can also hide in an e-mail and move around by automatically mailing themselves to people in the victim’s address book.

A worm is also a piece of software, but unlike a virus, it automatically replicates itself and spreads quickly from machine to machine over the network. A worm usually exploits some sort of security hole in a system. It first scans the network for machines with a specific security hole. When it discovers such a machine, it copies itself to the new machine and propagates from there using the same security hole.

A Trojan horse is a computer program that does more than it claims to. For example, a Trojan horse that looks like a simple game can, when the victim clicks and plays it, spread itself by mailing a copy of itself to every user in the victim’s address book. Trojan horse attacks are often deployed by replacing common programs on a system with the hacker’s own programs. The hacker’s programs provide all the functionality of the normal programs in addition to features known only to the hacker. A typical example is a Trojan horse that displays a screen prompting for login. It captures the user’s input and sends the login information back to the hacker. It then pops up an error message such as “Bad username/password” and starts a normal login instance. The user proceeds with a new login attempt without knowing that his or her account information has been disclosed. Trojan horse programs can also modify an application, for example adding a blind carbon copy whenever you send out an e-mail so that the hacker can read all your messages.

Avoiding software or demos of doubtful origin can keep your computer safe from almost all traditional viruses. For example, do not execute unknown applications or download free software from suspicious web sites. Additionally, make sure that Macro Virus Protection is enabled in all Microsoft applications, and only run macros in documents from trusted sources. Executables that arrive via e-mail are dangerous too. An executable file with an extension of .exe, .com, or .vbs may contain a virus that does anything it wants on your machine once you run it. Always use anti-virus software to scan any program or document downloaded onto your machine before you open or read it; this is very effective at preventing most viruses and many Trojan horse applications from spreading across the network. Finally, you can better position yourself in the fight against these attacks by keeping up with the latest knowledge about them.
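One gateway-side control for the e-mail attachment risk described above and in the Melissa and ILOVEYOU incidents, as an added example that is not course material: a screen on attachment file names that blocks the executable extensions named on the page and specifically catches the double-extension disguise ("Love-Letter-For-You.txt.vbs"), while routing macro-capable Office documents to a scan. The verdict categories and the non-page file names are constructed.

```python
from typing import List, Tuple

# Added example, not from the course: a mail-gateway style screen on attachment
# file names, catching the executable extensions named above and the
# double-extension disguise ("Love-Letter-For-You.txt.vbs") used by ILOVEYOU.
# The extension list comes from the page; the other file names are constructed.

EXECUTABLE_EXT = {"exe", "com", "vbs", "vbe", "js", "wsh"}
MACRO_DOC_EXT = {"doc", "dot", "xls"}   # Office formats that can carry macros


def classify_attachment(name: str) -> Tuple[str, str]:
    """Return (verdict, reason) with verdict 'block', 'scan' or 'allow'."""
    parts = name.lower().split(".")
    if len(parts) < 2 or parts[-1] == "":
        return "allow", ""
    ext = parts[-1]
    if ext in EXECUTABLE_EXT:
        if len(parts) >= 3:
            # "x.txt.vbs" shows as "x.txt" when Windows hides known extensions
            return "block", f"executable .{ext} disguised behind .{parts[-2]}"
        return "block", f"executable .{ext}"
    if ext in MACRO_DOC_EXT:
        return "scan", "Office document: check macros before opening"
    return "allow", ""


def screen_mail(attachments: List[str]) -> List[Tuple[str, str, str]]:
    """Classify every attachment of a message; a single 'block' verdict is
    enough for a gateway to quarantine the whole message."""
    return [(name, *classify_attachment(name)) for name in attachments]


SAMPLE_ATTACHMENTS = [               # constructed, except the three names quoted on the page
    "Love-Letter-For-You.txt.vbs",   # ILOVEYOU
    "LIST.DOC",                      # Melissa carrier
    "virus_warning.jpg.vbs",         # ILOVEYOU variant
    "quarterly_report.pdf",
    "setup.exe",
    "README",
]

if __name__ == "__main__":
    for name, verdict, reason in screen_mail(SAMPLE_ATTACHMENTS):
        print(f"{name:32} {verdict:6} {reason}")
```

A name-based screen is only the first layer: it stops the attachments the text singles out and the disguise ILOVEYOU relied on, but a document that passes it still has to go through the anti-virus scan and the macro protection the paragraph above recommends.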


Malicious Applets

An applet is a small program, typically written in Java, that can be embedded directly into web pages. When you connect to a web page containing an applet, the applet’s code, along with any text, image or file on the page, is automatically transferred to your computer and executed by your browser. Applets are convenient for adding special effects such as animations, graphics, and sound to an application.

Malicious applets are hostile applets that invade your machine with malicious code and carry out unwanted functions. Once malicious code gets control of the machine, it can misuse your computer’s resources, compromise the user’s privacy, modify or delete files on the hard disk, send fake e-mail or steal passwords, snoop on the user’s keystrokes, spread viruses, or even launch a DDoS attack.

Malicious applets could invade your machine when you connect to an “untrusted” site. Disabling Java solves this problem when necessary. It is advised that you disable Java when browsing an “untrusted” Web site using Netscape 2.0, and enable it again when you connect to a “trusted” site. Systems maintained by a legitimate company are more trustworthy than a site maintained by an unknown person. No malicious applets have been discovered yet, but we need to be aware of the potential risk.

War Dialers

War dialers are programs that automatically dial thousands of telephone numbers to identify the numbers that successfully connect to a computer modem. Advanced versions of war dialers may attempt to determine the operating system or even perform an automated break-in test. In such cases, an intruder could attempt to gain access to the system through unprotected logins or easily cracked passwords.

One effective way to reduce the effect of war dialer attacks is to change passwords regularly and use complex (strong) passwords. Additionally, you will notice that certain systems prompt dial-up users with information such as “Red Hat Linux 7.1…”; you therefore need to avoid disclosing anything about your system to users who have not yet logged in.

Logic Bombs:

A logic bomb is a set of instructions buried in a computer program which performs a malicious act on your computer system when executed. A logic bomb typically stays dormant until certain conditions are satisfied. When it “explodes”, it causes damage ranging from printing a spurious message, to corrupting data on your disk, to making the entire file system unusable.

For example, a program which reviews payroll records daily could activate another piece of code to destroy vital files on the organization’s system when the name of the programmer responsible disappears from the payroll. In this case, the logic bomb can be built to go off 2 or 3 months later so that the programmer cannot be easily identified.

Some logic bombs can be detected and eliminated before they execute through a periodic scan of all computer files. There are also a number of network utilities that can effectively track and remove unauthorized files and programs and other potential sources of logic bombs based on a pre-set time frame.

Buffer Overflow:

Buffer overflow is a technique for crashing or gaining control of a computer by sending more data to a buffer (a block of allocated memory) than it was allocated to hold.

Generally, services such as web servers and mail servers are triggered by requests. A service crashes if it receives more requests than its memory can contain (memory leak). For example, a web server can cease operation when it receives too many access requests.

Hackers can also use a buffer overflow to execute a piece of malicious code. When a program is executed, the addresses of the program code that should be executed next are saved on the stack (a contiguous block of memory where data items are stored and retrieved from the top). By overflowing a buffer on the stack, an attacker can overwrite the addresses kept there. When the program continues, the code pointed to by the new address is executed instead of the original code. This allows an attacker to hijack control of a program by replacing the original process code with the attacker’s harmful code.

Writing secure code and avoiding insecure functions in a programming language, such as those that read user input until a terminating newline with no bounds check, makes buffer overflow attacks much more difficult to perform.

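To make the contrast in the paragraph above concrete, here is an added example (not part of the course material) of a fixed-size stack buffer filled by an unbounded copy next to two bounds-checked alternatives, including a bounded replacement for the “read until newline” routines the text warns about; the function names, the 16-byte buffer size and the sample inputs are assumptions.

```c
#include <stdio.h>
#include <string.h>

#define NAME_LEN 16   /* assumed size of the fixed stack buffer (constructed) */

/* Insecure pattern: strcpy() copies until the NUL terminator with no regard
 * for the destination size. Input longer than NAME_LEN - 1 bytes writes past
 * 'name' into adjacent stack memory, where the saved addresses described in
 * the text live. Kept only for contrast; never call it on untrusted input. */
int greet_unbounded(const char *input)
{
    char name[NAME_LEN];
    strcpy(name, input);                /* no bounds check */
    return (int)strlen(name);
}

/* Secure pattern: measure first and refuse anything that does not fit, so
 * the copy can never run past the buffer. Returns the number of bytes
 * copied, or -1 if the input was rejected. */
int greet_bounded(const char *input)
{
    char name[NAME_LEN];
    size_t len = strlen(input);

    if (len >= sizeof name)             /* leave room for the terminator */
        return -1;
    memcpy(name, input, len + 1);       /* copies exactly len + 1 bytes */
    return (int)len;
}

/* Bounded line reader: fgets() never stores more than size - 1 bytes. The
 * caller is told whether the line was complete, so an oversized line can be
 * discarded instead of being silently processed in pieces.
 * Returns 1 for a complete line, 0 if it was truncated, -1 on EOF. */
int read_line_bounded(FILE *in, char *buf, size_t size)
{
    if (fgets(buf, (int)size, in) == NULL)
        return -1;
    size_t n = strlen(buf);
    if (n > 0 && buf[n - 1] == '\n') {
        buf[n - 1] = '\0';              /* strip the newline: complete line */
        return 1;
    }
    if (n + 1 < size)                   /* short read, no newline: last line */
        return 1;
    /* buffer filled with no newline: drain the rest of the oversized line */
    int c;
    while ((c = fgetc(in)) != EOF && c != '\n')
        ;
    return 0;
}

/* Feeds constructed text through read_line_bounded() via a temporary file
 * (standard C, no platform extensions) and returns the status of the first
 * line; -2 means tmpfile() failed. */
int first_line_status(const char *text)
{
    char buf[NAME_LEN];
    FILE *f = tmpfile();
    if (f == NULL)
        return -2;
    fputs(text, f);
    rewind(f);
    int rc = read_line_bounded(f, buf, sizeof buf);
    fclose(f);
    return rc;
}

int main(void)
{
    const char *ok  = "alice";                                     /* fits */
    const char *big = "a-name-that-is-far-too-long-for-16-bytes";  /* does not */

    printf("unbounded(\"%s\") -> %d\n", ok, greet_unbounded(ok));  /* 5 */
    printf("bounded(\"%s\")   -> %d\n", ok, greet_bounded(ok));    /* 5 */
    printf("bounded(long)      -> %d\n", greet_bounded(big));      /* -1 */
    printf("first line (long)  -> %d\n",
           first_line_status("a-name-that-is-far-too-long-for-16-bytes\n")); /* 0 */
    return 0;
}
```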

Social Engineering

Social engineering is a tactic used to take control of a computer system by taking advantage of human characteristics. For example, hackers can talk unsuspecting company employees out of valuable information such as passwords, and thus successfully gain access to sensitive information as people tend to use a single password for multiple accounts.

Training is essential to ensure that employees do not inadvertently leak sensitive information. It is also important to develop and implement comprehensive security policies that address information access controls, account setup, password changes and the necessary security protection procedures.

Dumpster Diving

Dumpster diving is sifting through a company’s garbage to find information that helps break into its computers. Businesses and individuals negligently discard information including organizational charts, printouts of logins and passwords, system manuals, printouts of source code and so on. Sometimes the information is used to make a stab at social engineering more credible.

This technique was commonly used in the 80’s because of the insufficient security of the time; nowadays businesses have become more aware of the need for security, so sensitive documents are shredded before being discarded, or special procedures are adopted for disposing of information and storage media.

Lesson Wrap-Up

Network attacks are assaults on system security that evade security services and violate the security policy of a system. Attacks can be passive or active, and conducted by insiders or outsiders. Success depends on the degree of system vulnerability, the strength of the attack, and the effectiveness of any countermeasures in use. Understanding how and why each attack technique is used, combined with knowledge of prevention methods, can help you protect your network against these attacks.

Now that you have completed this lesson, you should be able to:

• Identify different categories of network security attacks

• Discuss common attack techniques and corresponding mitigation recommendations

Lesson 4 Intrusion and Penetration

Lesson Objectives:

The term intrusion is used to describe attacks from the outside by means of different tools. Intrusion tools are generally classified as follows:

- Scanners

- Remote exploits tools

- Local exploits tools

- Monitoring tools

- Stealth and backdoor tools

Each type of tool, involving one or a group of attack techniques, can be used to exploit a specific type of system vulnerability. This section examines these intrusion tools and how a penetration is performed using them.

After reading this lesson, you should be able to

• Define and give examples of each category of intrusion tool

• Discuss three different penetration scenarios

• Describe each step used to perform a penetration

Intrusion Tools

Scanners

Scanners are widely used probes of the Internet that obtain information about a host or network, such as types of computers, services, open ports, local IP ranges and connections. Network administrators often use scanners, such as Domain Name Server (DNS) queries, IP address queries, ping sweeps and port scans, for monitoring, reporting and troubleshooting network and system activities, while hackers can take advantage of them to locate common security weaknesses in a particular network or host before attacking.

There are two types of scanners: network auditing tools and host-based static auditing tools. Network auditing tools are used to scan a remote host or series of hosts on a network and reveal as much information as possible about the network. Host-based static auditing tools are used to scan a local host and reveal as much information as possible about the local host.

Using network auditing tools, hackers are often able to gather enough essential information to identify security-related vulnerabilities of each host on a network. For example, hackers can obtain information such as:

- host machines that are connected to the target network and that respond

- host IP addresses

- host machine types

- operating system running on hosts

- network configurations and connections

- services available on the responding hosts (i.e., web servers)

- version of services available on the responding hosts

- etc.

Hackers always look into the version of a service because certain versions of a particular service have publicly known security holes (e.g., sendmail can be tricked into running bad commands). In addition to the above information, hackers also examine the possibility of remotely executing certain commands or tools, or running remote access utilities such as remote execute (rexecute) or remote shell access (rsh), which provide the ability to run commands on a remote system without entering a password. Examples of network auditing tools are SATAN and ISS.

Using host-based static auditing tools, hackers are able to obtain necessary information to identify security vulnerabilities of a local host. Such information includes:

- permission in files, directories, and devices

- poor security for password and easy-to-guess passwords

- known vulnerable services running on the local host

- signs of past intrusions

Once they have this information, hackers can apply local exploit tools (discussed later) to gain access to poorly protected files, directories and devices, and find the passwords that enable unauthorized privileged access. Vulnerable services found locally (e.g., fingerd, or an anonymous FTP configuration) can be exploited by the remote exploit tools discussed next. Hackers also use signs of past intrusions to identify any loopholes (backdoors) left from previous attacks so as to gain control of the host easily. Examples of host-based static auditing tools are COPS and TIGER.

Remote exploits tools

A remote exploit is a program, or method, that can be used by a person who has no existing account to penetrate a remote machine. Remote exploits are often associated with services provided by hosts on a network. They take advantage of security weaknesses in those services, and are among the most feared and hardest-to-guard-against tool sets. Examples of remote exploits are:

- The buffer overflow technique used by a worm to attack fingerd, a daemon that provides an interface to the “finger” program at most network sites. The “finger” program is used to return a user-friendly status report on a network. Fingerd’s memory can be pushed over its limit when there are too many incoming requests.

- Rsh provides the ability to execute commands on remote hosts without entering passwords. This makes it possible for a hacker who does not possess a password to remotely issue harmful commands.

- Sendmail (debugging mode). Sendmail is a program that processes electronic mail; it accepts a connection request from a user and communicates with the user. In a certain mode (a command option), sendmail has a security vulnerability that can be exploited through user-supplied data. This makes the server hosting sendmail vulnerable to attacks from unprivileged users on any connected machine.

- IP spoofing is a technique that lets a (hostile) host appear to have another host’s IP address. If the target system is using a protocol that relies on IP address-based authentication, a hostile host is able to access the target system as a trusted host using the spoofed address.

- Malicious mobile code consists of tiny programs, embedded in a web page and executed by a web browser, that misuse your computer’s resources, modify files on the hard disk, send fake e-mail, or steal passwords. Examples are executable e-mail attachments, e.g., Melissa and I LOVE YOU, and denial-of-service techniques.

Local exploits tools

A local exploit is a tool, or method, that can be used to gain unauthorized privileges on a computer by a person who has an existing account. The existing account can either be legitimate, or acquired through other means such as remote exploits, packet sniffers or social engineering. Examples of local exploits are:

- Password crackers, e.g., using dictionary cracking to find easy-to-guess passwords

- Bug exploits take advantage of errors or bugs in a privileged program’s design or implementation that allow an intruder, as an unprivileged user, to execute hostile commands at a privileged level or to access and modify privileged data. This may help an intruder attain the privileged access needed to control the whole system.

Monitoring tools

A monitoring tool allows a user to monitor a computer system and the network data. Monitoring tools utilize two attack techniques: sniffers and snooping tools.

A sniffer program monitors and logs network data traffic (e.g., tcpdump, a powerful tool that allows a user to sniff network packets and perform some statistical analysis of those dumps). Sniffers can capture sensitive information such as user logins and passwords, and other important data passing through a network.

A snooper monitors a user’s activities by snooping on terminal sessions, monitoring process memory, or logging a user’s keystrokes (e.g., a keystroke snooper). By watching the user’s actions, a hacker can get information about other systems and use it to attack more systems.

Stealth and backdoor tools

A stealth and backdoor toolkit allows an unauthorized user to hide his/her trail and continue using the system after a break-in. A stealth tool allows the attacker to modify the system logs and eliminate all records relating to his/her activities, so that the malicious activity goes undetected. A backdoor tool is a modified, drop-in replacement for an original critical system program that provides authentication and system reporting services. It is typically a Trojan horse and can provide continued, unlogged use of the system, hide suspicious files and processes from users and system administrators, and report false system status. In case the original entry point is detected, backdoor tools provide a few hidden ways to make reentry easy and difficult to detect.

Penetration

Network penetration refers to an intruder using a set of procedures, designed to bypass the security controls of a network system, to gain control of the system to some degree. To bypass the security controls, intruders exploit vulnerabilities on the external or internal network, including operating systems, e-mail servers, web servers, applications, databases, etc.

Regardless of the intent or the goal, a penetration attack normally consists of a combination of one or more of the following scenarios:

▪ The blind remote attack – an attack on a computer or network where the attacker does not have valid account information or access. This is the classic attack scenario. Attackers generally know only the address or name of the target system. From there, attackers attempt to get more information about the network and the hosts and users on it using scanner tools, and then apply remote exploits and local exploits to gain a higher level of access (e.g., user-level) to the network.

▪ The user-level attack – an attack on a computer where the attacker has user-level, or unprivileged, access. This attack can come from a legitimate account (customer or employee) of the organization, or from an account illicitly acquired through a blind remote attack.

▪ The physical attack – an attack on a computer or network where the attacker has physical access. In this scenario, an intruder can relatively easily gain entry to a computer that he/she can physically access. Many users log in and leave their computer on when they leave. Once the intruder gets onto this computer, he/she can use local exploits to gain privileged access and damage the computer itself, or physically connect the computer to a network and use it to monitor network traffic. Once the intruder has collected enough network data, he/she can then gain access to other hosts on the network, locally or remotely.

In each of these scenarios, an intruder uses different intrusion tools to conduct the penetration attack step by step. The following seven steps cover the complete set of procedures needed during a penetration. Basically, every penetration involves one or more of the following seven steps:

Step 1 Reconnaissance refers to the overall act of learning publicly available information about a target system or network by using tools such as scanners. Before hackers attempt to penetrate a target network, they often collect as much information as possible about it, such as host names, host IP addresses, host owners, host machine types, operating systems, network configuration, other hosts connected to the network, other hosts trusted by the network, lists of users, etc.

Such information can be acquired through Domain Name Server (DNS) queries, IP address queries, ping sweeps, and port scans. DNS queries give the hackers information about who owns a particular domain and what addresses have been assigned to that domain. IP address queries reveal who owns a particular IP address or range of addresses and what domain is associated with them. Ping sweeps of the addresses obtained from DNS queries identify the live hosts within that particular domain. The hackers then use port scanners to cycle through all well-known ports to obtain a list of all services running on the hosts.

Step 2 Probe and attack is when the hackers use scanners and monitoring tools, on top of the knowledge gathered during reconnaissance, to probe the system for weaknesses and deploy the tools for attacking. At this step, the hackers examine the characteristics of all services running on the hosts and search for security holes that can be exploited to compromise the system. The services examined are normally FTP (file transfer protocol), SMTP (simple mail transfer protocol, for e-mail), web servers, printers, and/or X Window System servers.

Intrusion detection systems at the host and network level can usually detect a penetration probe while it is taking place.
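As an added illustration of the detection this paragraph refers to (not part of the course text), the following C program flags the port-scan pattern of Step 1 in constructed firewall log lines by counting how many distinct destination ports each source address touches; the log format, the addresses and the threshold are all assumptions.

```c
#include <stdio.h>
#include <string.h>

#define MAX_SRC   32    /* distinct source addresses tracked (assumed limit) */
#define MAX_PORTS 128   /* distinct destination ports kept per source */
#define IP_LEN    16    /* dotted-quad IPv4 plus terminator */

struct source { char ip[IP_LEN]; int ports[MAX_PORTS]; int nports; };

/* Constructed sample log, not real data, in an assumed firewall format: one
 * line per connection attempt. 10.0.0.5 walks through many ports on one host
 * (the port-scan pattern of reconnaissance); 10.0.0.9 is ordinary traffic. */
const char *SAMPLE_LOG[] = {
    "2024-01-01T10:00:01 src=10.0.0.5 dst=192.0.2.10 dport=21 action=DROP",
    "2024-01-01T10:00:01 src=10.0.0.5 dst=192.0.2.10 dport=22 action=DROP",
    "2024-01-01T10:00:01 src=10.0.0.5 dst=192.0.2.10 dport=23 action=DROP",
    "2024-01-01T10:00:02 src=10.0.0.5 dst=192.0.2.10 dport=25 action=ALLOW",
    "2024-01-01T10:00:02 src=10.0.0.5 dst=192.0.2.10 dport=80 action=ALLOW",
    "2024-01-01T10:00:02 src=10.0.0.5 dst=192.0.2.10 dport=110 action=DROP",
    "2024-01-01T10:00:03 src=10.0.0.9 dst=192.0.2.10 dport=80 action=ALLOW",
    "2024-01-01T10:00:03 src=10.0.0.9 dst=192.0.2.10 dport=80 action=ALLOW",
    "2024-01-01T10:00:04 src=10.0.0.9 dst=192.0.2.10 dport=443 action=ALLOW",
    "garbage line that a parser must tolerate",
};
const int SAMPLE_LOG_LEN = (int)(sizeof SAMPLE_LOG / sizeof SAMPLE_LOG[0]);

/* Pull the source address and destination port out of one line.
 * Returns 1 on success, 0 if the line does not carry both fields. */
int parse_line(const char *line, char src[IP_LEN], int *dport)
{
    const char *s = strstr(line, "src=");
    const char *p = strstr(line, "dport=");
    if (s == NULL || p == NULL) return 0;
    if (sscanf(s + 4, "%15s", src) != 1) return 0;  /* %15s: fits IP_LEN */
    return sscanf(p + 6, "%d", dport) == 1;
}

/* Find or create the tracking slot for an address; -1 if the table is full. */
static int slot_for(struct source *tab, int *n, const char *ip)
{
    for (int i = 0; i < *n; i++)
        if (strcmp(tab[i].ip, ip) == 0) return i;
    if (*n >= MAX_SRC) return -1;
    strcpy(tab[*n].ip, ip);               /* safe: ip is at most IP_LEN - 1 */
    tab[*n].nports = 0;
    return (*n)++;
}

/* Remember a destination port for a source, ignoring repeats. */
static void note_port(struct source *s, int port)
{
    for (int i = 0; i < s->nports; i++)
        if (s->ports[i] == port) return;
    if (s->nports < MAX_PORTS) s->ports[s->nports++] = port;
}

/* Core detection: count distinct destination ports per source and report
 * how many sources exceed 'threshold'; the first offender is copied into
 * 'flagged' when it is non-NULL. A production IDS would also bucket by time
 * window and destination; the threshold used by callers is an assumption. */
int count_scanners(const char *const *lines, int nlines, int threshold,
                   char flagged[IP_LEN])
{
    struct source tab[MAX_SRC];
    int nsrc = 0;
    for (int i = 0; i < nlines; i++) {
        char ip[IP_LEN]; int port;
        if (!parse_line(lines[i], ip, &port)) continue;  /* skip malformed */
        int k = slot_for(tab, &nsrc, ip);
        if (k < 0) break;                 /* table full: stop, never overrun */
        note_port(&tab[k], port);
    }
    int hits = 0;
    for (int i = 0; i < nsrc; i++) {
        if (tab[i].nports <= threshold) continue;
        if (hits == 0 && flagged != NULL) strcpy(flagged, tab[i].ip);
        hits++;
    }
    return hits;
}

/* First flagged address, or "" when none (static buffer, for quick checks). */
const char *first_scanner(const char *const *lines, int nlines, int threshold)
{
    static char ip[IP_LEN];
    ip[0] = '\0';
    count_scanners(lines, nlines, threshold, ip);
    return ip;
}

int main(void)
{
    printf("%d source(s) over 5 distinct ports; first: %s\n",
           count_scanners(SAMPLE_LOG, SAMPLE_LOG_LEN, 5, NULL),
           first_scanner(SAMPLE_LOG, SAMPLE_LOG_LEN, 5));
    return 0;
}
```

On the sample above, 10.0.0.5 touches six distinct ports and is flagged at threshold 5, while 10.0.0.9 (two ports, one repeated) and the malformed line are ignored.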


Figure – Penetration Scenario

Step 3 Toehold refers to the intruders exploiting the security weakness discovered in step 2 and managing to gain entry into the system. The tools used are remote exploits and local exploits. For example, many computer systems on the Internet offer files through anonymous FTP, which allows a user to access a machine without having an account on it. A hacker may discover an anonymous FTP service on a target host and break into the target by taking advantage of the fact that a user without an official account can access the server.

Step 4 Advancement refers to the hackers advancing from the unprivileged account to a privileged account to gain full internal access and establish a firebase from which to attack the whole internal network. This is accomplished using local exploit tools.

Step 5 Stealth refers to the hackers, like human criminals, hiding all traces and destroying all evidence that, if left behind, might expose the activities conducted on the victim equipment. The hackers also install a backdoor that permits reentry or remote control of the computer. This step basically ensures that the intrusion remains undetected and allows continued, privileged access to a series of hosts. The tools involved at this step are stealth and backdoor tools.

Step 6 Listening post is when the hackers establish a listening post on the victim equipment, which is a place from which any privileged user can view the network traffic. The listening post is set up using sniffer programs and backdoor tools, which allow the hackers to spy on data transmitted over the network from outside. Logging the interesting network traffic helps the intruder gain more toeholds and advance the attack to the next phase.

Step 7 Takeover is the last step, when the hackers move deeper into the network and expand the area of control from a single host to other hosts using a series of tools such as sniffers, remote exploits and local exploits. By using all the information obtained in the previous steps, the intruder can compromise more machines and rapidly spread throughout the network.

A company can conduct a penetration test against its own network to identify the security issues or vulnerabilities that could be exploited by either internal or external users.

An advantage of this approach is that it is a far less expensive way to discover security holes and implement defensive measures than waiting until a real penetration happens and your systems have been damaged.

Lesson Wrap-Up

There are many ways for hackers to carry out an intrusion attack and penetrate our network. Only after we understand how a hacker exploits a vulnerability and launches intrusion attacks to compromise a system can we come up with proper security solutions to counter these intrusions.

Now that you have completed this lesson, you should be able to

• Define and give examples of each category of intrusion tool

• Discuss three different penetration scenarios

• Describe each step used to perform a penetration

Lesson 5 Network Security Policy

Lesson Objectives

As security threats and possibilities of misuse have increased, organizations have recognized the importance of the development of security policies and regulations. By defining and using an appropriate security policy, an organization has a better chance to maintain the integrity of its network and lower the risks and losses associated with potential threats to its network and network services.

After reading this lesson, you should be able to:

• Discuss why a security policy is important

• Describe what determines a good security policy

• List the key components of a security policy

Why Is a Security Policy Important?

In today’s fast-moving but insecure network environment, having a security policy is critical for an organization to be successful. The security policy lays out a security framework and creates security under this framework by assigning responsibility and granting authority to management, defining allowed and disallowed behaviors, and providing basic principles, guidelines and procedures for everyone who is given access to an organization’s network resources. Without a security policy, an organization will not be able to protect its network assets from unacceptable use and will be vulnerable to many potential threats.

The security policy, usually in written form, gives employees an improved understanding of the security posture and the security issues involved in an organization’s business model. The impact of failing to follow the security policy therefore becomes more visible, which ensures that the policy is better accepted and complied with by employees when performing their daily tasks.

Furthermore, the security policy helps create consensus throughout the organization. It is more realistic to require that all security issues be handled in the same manner or be subject to the same protection rules, which helps prevent the confusion that can cause risk.

What Determines a Good Security Policy?

A good security policy generally has the following features:

Comprehensive – A good policy addresses all areas deemed of interest and priority within an organization from high-level business goals to day-to-day activities. All relevant personnel should be involved when creating the policy.

Practical – A good policy takes into consideration an organization’s business function, corporate culture and available budget and resources. It balances prevention and protection with business productivity and should not impede or interfere with the business. A large budget does not necessarily guarantee the success of a security policy.

Usable – A good policy should provide sufficient guidance and proper instruction for personnel to follow in everyday operations and activities. A security policy is of no use to an organization if it cannot be implemented.

Expandable/adaptable – A good policy should be sufficiently flexible to adapt to new business processes and accommodate many different systems and resources. It also needs to be routinely reviewed, updated and versioned to reflect the changes as new technology and procedures evolve.

Concise and Clear – A good policy is documented properly, and communicates clearly with information detailed enough to direct the deployment of the standards defined in the policy. Relevant information should be easily located and followed by personnel to resolve security issues.

Enforceable – Success of security begins with a policy that is enforceable within an organization. It can be enforced through security tools and systems or via manual processes when automated systems are not applicable. It helps to involve upper management (e.g. CEO) when enacting a policy.

What Does a Security Policy Contain?

A complete security policy addresses security issues revolving around all applicable areas and functions within an organization. It normally contains the following important components:

Security statement specifies an organization’s security requirements and its obligations to protect its private, proprietary resources and other sensitive information. The security statement conveys to readers the reasons for implementing a security policy and the content of the policy.

Security framework provides a guideline for implementing a secure network infrastructure and applying security controls uniformly across the whole network on all devices, such as servers, workstations, routers, switches, modems, transmission media, etc.

Security controls used to secure an organization’s assets may include:

- Firewall

- Intrusion detection systems

- Access controls

- Authentication methods

- Network auditing

- Computer system security: operating systems used, peripherals, storage media, etc.

- File system security: directory structures, etc.

- Physical security

- Operational security: environment control, operational activities

- Procedural security

This section should also cover how to determine which services are necessary on which devices to meet the organization’s security needs. For example, if your organization needs to host a server for remote login users, SSH or SSL are safer than Telnet.

Acceptable use policy defines the necessary procedures and safety measures that the company will use to protect its assets from unauthorized access or loss of essential information. This should include information such as:

- Specifications on technologies and equipment used to permit only authorized access and use, e.g. passwords

- Policies for allowable passwords

- Regulations on public area access, email and Internet usage

- Restriction on downloading and installing applications

- Guidelines for the use of personal machines to access the organization’s resources

- Restriction on extranet connection from outside networks

- Procedures for routine logging and auditing

- Procedures for account application and termination

User roles and privileges policy defines roles and privileges (access level permission) for each person who is given access to the organization’s network assets and information resources. It identifies the areas of responsibility and grants authority for different roles, such as users, operational staff and administrators. For example, the following roles and privileges can be defined:

Administrator – highest privileges with permission to read, write, modify and delete all data and files

Super-user/developer – Administrator privileges for one part of the data and files, but only user privileges for the rest

User – Medium privilege with permission to read and write all data and files, but no permission to modify or delete them

Guest – Lowest privilege with permission to only read certain data and files

Availability policy defines the periods when resources are available and the downtime periods for resource recovery and maintenance, as well as the procedures that internal and external maintenance staff and vendors use to perform maintenance, backups and upgrades of equipment.

Incident handling specifies the procedures for discovering, reporting and mitigating security breaches. It sets out the processes to follow during and after specific incidents, which may include:

- Procedures for threat alerts and notification of the right response team

- Steps to take for mitigating the incident

- Rules to prioritize incidents

- Procedures to escalate problems to higher-level management when necessary

This is one of the most important sections of a security policy. Timely detection and response can dramatically reduce the functional or monetary losses caused by a security incident.

Policy Enforcement addresses how the security policy will be enforced and what personnel and procedures will be involved to deal with security breaches and violations. This may include:

- Recurring security awareness training for current and newly hired employees

- Policies to handle misconduct and non-compliance

- Process to investigate any suspected non-compliance

Lesson Wrap-Up

Network security policies are the foundation of information security within an organization. The content and structure of the policies must be well-rounded, up to date and accurately reflect a company’s security needs. Distribution and deployment of inappropriate or inadequate policies can cause substantial problems.

Now that you have completed this lesson, you should be able to

• Discuss why a security policy is important

• Describe what determines a good security policy

• List the key components of a security policy

Lesson 6 Topic Wrap-up

The need for network security has increased as networks become more complex and interconnected. Potential dangers and threats exist everywhere, internal and external, to breach security and disrupt systems and services.

A security policy is the most fundamental item necessary for an organization to address security problems.

Now that you have completed this topic, you should be able to

• Explain the importance of network security

• Describe four types of security threats, specific attack techniques and the general remediation for mitigating those attack techniques

• Describe different intrusion tools

• Discuss penetration scenarios and the steps to perform a penetration

• Identify the security issues implicit in common management protocols

• Identify the components of a complete security policy

[Figures (images not included). Recovered labels: Real Attacker, Master, Daemon (x5), Victim; Web Server, A, B, Probing packets, Bad Guy, Firewall (x2), Internet]
