Differentiate among various systems’ security threats: Privilege escalation Virus Worm Trojan Spyware Spam Adware Rootkits Botnets

Differentiate among various systems’ security threats: Privilege escalation Virus Worm Trojan Spyware Spam Adware Rootkits Botnets Logic bomb

Implement security applications. Differentiate between the different ports and protocols, their

respective threats and mitigation techniques. Antiquated protocols TCP/IP hijacking Null sessions Spoofing Man-in-the-middle Replay DoS DDoS Domain Name Kiting DNS poisoning

Explain the vulnerabilities and mitigations associated with network devices. Privilege escalation Weak passwords Back doors DoS

Carry out vulnerability assessments using common tools. Vulnerability scanners Password crackers

Attack Strategies Recognizing Common Attacks Identifying TCP/IP Security Concerns Understanding Software Exploitation Surviving Malicious Code Other Attacks and Frauds

Access attack, someone who should not be able to wants to access your resources. Its purpose is to gain access to information that the attacker isn’t authorized to have

Modification and repudiation attack, someone wants to modify information in your systems

Denial-of-service (DoS) attack

Eavesdropping Eavesdropping is the process of listening in on or overhearing

parts of a conversation, including listening in on your network traffic

This type of attack is generally passive

Snooping Occurs when someone looks through your files hoping to find

something interesting The files may be either electronic or on paper

Interception can be either an active or a passive process Intercept (v): to stop something or someone that is going from

one place to another before they get there In a networked environment, a passive interception would

involve someone who routinely monitors network traffic. Active interception might include putting a computer system

between the sender and receiver to capture information as it’s sent. The process is usually covert.

Intercept missions can occur for years without the knowledge of the parties being monitored.

Modification attacks involve the deletion, insertion, or alteration of information in an unauthorized manner that is intended to appear genuine to the user

They’re similar to access attacks in that the attacker must first get to the data on the servers, but they differ from that point on.

The motivation for this type of attack may be to plant information, change grades in a class, fraudulently alter credit card records, or something similar.

Website defacements are a common form of modification attack.

Repudiation attack is a variation of modification attacks repudiate / rɪpjudieɪt /

to refuse to accept or continue with something to state or show that something is not true or correct

Repudiation attacks make data or information appear to be invalid or misleading.

Repudiation attacks are fairly easy to accomplish because most e-mail systems don’t check outbound mail for validity.

Repudiation attacks, like modification attacks, usually begin as access attacks.

Denial-of-Service DoS attacks prevent access to resources by users

authorized to use those resources Most simple DoS attacks occur from a single system Types of DoS attacks:

ping of death buffer overflow

Requires a powerful transmitter

Distributed Denial-of-Service Attacks Multiple computer systems used to conduct the attack Zombies Botnet: the malicious software running on a zombie

How to face with Denial attacks?


Back doors?

A spoofing attack is an attempt by someone or something to masquerade as someone else.

IP spoofing and DNS spoofing

This type of attack is also an access attack, but it can be used as the starting point for a modification attack

Places a piece of software between a server and the user.

The attacker captures the information and replay it later. The information can be username, passwords,

certificates from authentication systems such as Kerboros.

Captured passwords projected on the wall at DEFCON

Solutions: Certificates usually contain a unique session identifier and a time stamp.

Records cookies and replays them This technique breaks into Gmail accounts Technical name: Cross Site Request Forgery Almost all social networking sites are vulnerable to this

attack Facebook, MySpace, Yahoo, etc.

Brute-force attack. Dictionary attack Hybrids: mixing the two above techniques

Privilege escalation can be the result of an error on an administrator’s part in assigning too high a permission set to a user, but it’s more often associated with bugs left in software.

Cheat codes in video games.


Network Access = OSI layers 1 & 2, defines LAN communication, what do I mean by that?

Network = OSI layer 3 – defines addressing and routing Transport/Host to Host = OSI layer 4, 5 – defines a

communication session between two applications on one or two hosts

Application = OSI layers 6,7 the application data that is being sent across a network

Maps to Layer 1 and 2 of the OSI model The Level that a Network Interface Card Works on Source and Destination MAC addresses are used

defining communications endpoints Protocols include

Ethernet Token Ring FDDI

Routing, IP addressing, and packaging Internet Protocol (IP) is a routable protocol, and it’s

responsible for: IP addressing. fragments and reassembles message packets only routes information; doesn’t verify it for accuracy(Accuracy

checking is the responsibility of TCP)

Maps to layer 4 and 5 of the OSI model Concerned with establishing sessions between two

applications Source and destination endpoints are defined by port

numbers The two transport protocols in TCP/IP are TCP and UDP

Connection oriented “guaranteed” delivery. Advantages

Easier to program with Truly implements a “session” Adds security

Disadvantages More overhead / slower

Connectionless, non-guaranteed delivery (best effort) Advantages

Fast / low overhead

Disadvantages Harder to program with No true sessions Less security A pain to firewall (due to no connections)

Most programs, such as web browsers, interface with TCP/IP at this level

Protocols: Hypertext Transfer Protocol (HTTP) File Transfer Protocol (FTP) Simple Mail Transfer Protocol (SMTP) Telnet Domain Name Service (DNS) Routing Information Protocol (RIP) Post Office Protocol (POP3)

Encapsulate to express or show something in a short way to completely cover something with something else, especially in

order to prevent a substance getting out

To change data from a form to another AM (Amplitude Modulation) FM (Frequency Modulation) PM (Phase Modulation)

Keying methods Current State Keying

ASKFSK

State Transition KeyingPhase Shift Keying (PSK)

Modulation and Demodulation Used in modems and in transfering data units among

OSI layers

Port Mirroring Sniffing the Network TCP Attacks

A device that captures and displays network traffic

TCP sequence number attacks occur when an attacker takes control of one end of a TCP session Each time a TCP message is sent, either the client or the server

generates a sequence number The attacker intercepts and then responds with a sequence

number similar to the one used in the original session Disrupt or hijack a valid session

Rogue access points Rogue: not behaving in the usual or accepted way and often

causing trouble Employees often set up home wireless routers for convenience

at work This allows attackers to bypass all of the network security and

opens the entire network and all users to direct attacks An attacker who can access the network through a rogue access

point is behind the company's firewallCan directly attack all devices on the network

War driving Beaconing

At regular intervals, a wireless AP sends a beacon frame to announce its presence and to provide the necessary information for devices that want to join the network

ScanningEach wireless device looks for those beacon frames

Unapproved wireless devices can likewise pick up the beaconing RF transmission

Formally known as wireless location mapping

Bluetooth A wireless technology that uses short-range RF transmissions Provides for rapid “on the fly” and ad hoc connections between

devices

Bluesnarfing Stealing data through a Bluetooth connection E-mails, calendars, contact lists, and cell phone pictures and

videos, …


Database exploitation If a client session can be hijacked or spoofed, the attacker can

formulate queries against the database that disclose unauthorized information.

Application exploitation E-mail exploitation Spyware

Rather than self-replicating, like viruses and worms, spyware is spread to machines by users who inadvertently ask for it

Rootkits Enables continued privileged access to a computer, while actively

hiding its presence from administrators by subverting standard operating system functionality or other applications


Armored Virus designed to make itself difficult to detect or analyze

Companion Virus A companion virus attaches itself to legitimate programs and

then creates a program with a different filename extension

Macro Virus a set of programming instructions in a language such as

VBScript that commands an application to perform illicit actions

Multipartite Virus: attacks the system in multiple ways

Phage Virus Modifies and alters other programs and database The only way to remove this virus is to reinstall the programs

that are infected

Polymorphic Virus Change form in order to avoid detection Frequently, the virus will encrypt parts of itself to avoid detection

Stealth Virus Attempts to avoid detection by masking itself from applications

Logic bombs are programs or snippets of code that execute when a certain predefined event occurs.


Connections to a Microsoft Windows 2000 or Windows NT computer with a blank username and password

Attacker can collect a lot of data from a vulnerable system

Cannot be fixed by patches to the operating systems Much less of a problem with modern Windows versions,

Win XP SP2, Vista, or Windows 7

Check kiting A type of fraud that involves the unlawful use of checking

accounts to gain additional time before the fraud is detected

Domain Name Kiting Registrars are organizations that are approved by ICANN to sell

and register Internet domain names A five-day Add Grade Period (AGP) permits registrars to delete

any newly registered Internet domain names and receive a full refund of the registration fee

Unscrupulous registrars register thousands of Internet domain names and then delete them

Recently expired domain names are indexed by search engines

Visitors are directed to a re-registered site Which is usually a single page Web with paid advertisement

links

Visitors who click on these links generate money for the registrar

Used to manage switches, routers, and other network devices

Early versions did not encrypt passwords, and had other security flaws

But the old versions are still commonly used

DNS is used to resolve domain names like www.ccsf.edu to IP addresses like 147.144.1.254

DNS has many vulnerabilities It was never designed to be secure

Put false entries into the Hosts file C:\Windows\System32\Drivers\etc\hosts

Attacker sends many spoofed DNS responses Target just accepts the first one it gets

Intended to let a new DNS server copy the records from an existing one

Can be used by attackers to get a list of all the machines in a company, like a network diagram Usually blocked by modern DNS servers

Antispyware software will warn you when the hosts file is modified

Using updated versions of DNS server software prevents older DNS attacks against the server

But many DNS flaws cannot be patched Eventually: Switch to DNSSEC (Domain Name System

Security Extensions) But DNSSEC is not widely deployed yet, and it has its own

problems

ARP is used to convert IP addresses like 147.144.1.254 into MAC addresses like 00-30-48-82-11-34

Attacker sends many spoofed ARP responses Target just accepts the first one it gets

Documents

Differentiate among various systems’ security threats: Privilege escalation Virus Worm Trojan Spyware Spam Adware Rootkits Botnets