Chapter One: Modern Network Security Threats
Major Concepts
- Rationale for network security
- Data confidentiality, integrity, availability
- Risks, threats, vulnerabilities and countermeasures
- Methodology of a structured attack
- Security model (McCumber cube)
- Security policies, standards and guidelines
- Selecting and implementing countermeasures
- Network security design
Slide 3
Lesson Objectives
Upon completion of this lesson, the successful participant will be able to:
1. Describe the rationale for network security
2. Describe the three principles of network security
3. Identify risks, threats, vulnerabilities and countermeasures
4. Discuss the three states of information and identify threats and appropriate countermeasures for each state
5. Differentiate between security policies, standards and guidelines
Slide 4
6. Describe the difference between structured and unstructured network attacks
7. Describe the stages and tools used in a structured attack
8. Identify security organisations that influence and shape network security
9. Identify career specialisations in network security
Slide 5
What is Network Security?
National Security Telecommunications and Information Systems Security Committee (NSTISSC): Network security is the protection of information and of the systems and hardware that use, store, and transmit that information. Network security encompasses those steps that are taken to ensure the confidentiality, integrity, and availability of data or resources.
Slide 6
Rationale for Network Security
Network security initiatives and network security specialists can be found in private and public, large and small companies and organisations. The need for network security and its growth are driven by many factors:
1. Internet connectivity is 24/7 and is worldwide
2. Increase in cyber crime
3. Impact on business and individuals
4. Legislation and liabilities
5. Proliferation of threats
6. Sophistication of threats
Slide 7
Cyber Crime
- Fraud/Scams
- Identity theft
- Child pornography
- Theft of telecommunications services
- Electronic vandalism, terrorism and extortion
WASHINGTON, D.C. An estimated 3.6 million households, or about 3 percent of all households in the nation, learned that they had been the victim of at least one type of identity theft during a six-month period, according to the Justice Department's
Slide 8
Business Impact
1. Decrease in productivity
2. Loss of sales revenue
3. Release of unauthorized sensitive data
4. Theft of trade secrets or formulas
5. Compromise of reputation and trust
6. Loss of communications
7. Threat to environmental and safety systems
8. Loss of time
Current Computer Crime Cases: http://www.justice.gov/criminal/cybercrime/cccases.html
Slide 9
Proliferation of Threats
In 2001, the National Infrastructure Protection Center at the FBI released a document summarizing the Ten Most Critical Internet Security Vulnerabilities. Since then, thousands of organizations have relied on this list to prioritize their efforts so they can close the most dangerous holes first. The threat landscape is very dynamic, which makes it necessary to keep adopting newer security measures: the kinds of vulnerabilities being exploited today are very different from the ones exploited only a few years ago.
Slide 10
Network Security Threat
- A potential danger to information or a system
- An example: the ability to gain unauthorized access to systems or information in order to commit fraud, network intrusion, industrial espionage, identity theft, or simply to disrupt the system or network
- There may be weaknesses that greatly increase the likelihood of a threat manifesting
- Threats may include equipment failure, structured attacks, natural disasters, physical attacks, theft, viruses and many other potential events causing danger or damage
Vulnerability
- A network vulnerability is a weakness in a system, technology, product or policy
- In today's environment, several organisations track, organize and test these vulnerabilities
- Each publicly known vulnerability is given an identifier in the Common Vulnerabilities and Exposures (CVE) list and can be reviewed by network security professionals over the Internet. The CVE entry itself only identifies and describes the vulnerability; the references it links to (vendor advisories and the NVD record) are where fixes and workarounds that prevent the vulnerability from being attacked are published.
Slide 14
Risk Management Terms
- Vulnerability: a system, network or device weakness
- Threat: potential danger posed by a vulnerability
- Threat agent: the entity that identifies a vulnerability and uses it to attack the victim
- Risk: likelihood of a threat agent taking advantage of a vulnerability and the corresponding business impact
- Exposure: potential to experience losses from a threat agent
- Countermeasure: put into place to mitigate the potential risk
Slide 15
Understanding Risk
Slide 16
Legislation
Some of the EU directives:
- Directive on the authorisation of electronic communications networks and services (the Authorisation Directive)
- Directive on access to, and interconnection of, electronic communications networks and associated facilities (the Access Directive)
- Directive on the universal service (the Universal Service Directive)
- Directive on the processing of personal data (the Privacy and Electronic Communications Directive)
Network Security Domains
There are 12 network security domains specified by the International Organization for Standardization (ISO) in ISO/IEC 27002:
- Risk assessment
- Security policy
- Organization of information security
- Asset management
- Human resources security
- Physical and environmental security
- Communications and operations management
- Access control
- Information systems acquisition, development and maintenance
- Information security incident management
- Business continuity management
- Compliance
Slide 19
Security Policy One of the most important domains is security
policy. A security policy is a formal statement of the rules by
which people must abide who are given access to the technology and
information assets of an organisation.
Slide 20
What Is a Security Policy?
A document that states how an organisation plans to protect its tangible and intangible information assets:
- Management instructions indicating a course of action, a guiding principle, or appropriate procedure
- High-level statements that provide guidance to workers who must make present and future decisions
- Generalised requirements that must be written down and communicated to others
Slide 21
Documents Supporting Policies
- Standards dictate specific minimum requirements in our policies
- Guidelines suggest the best way to accomplish certain tasks
- Procedures provide a method by which a policy is accomplished (the instructions)
Slide 22
Example: The Policy
- All users must have a unique user ID and password that conforms to the company password standard
- Users must not share their password with anyone regardless of title or position
- Passwords must not be stored in written or any readable form
- If a compromise is suspected, it must be reported to the help desk and a new password must be requested
Slide 23
Example: The Standards
- Minimum of 8 upper- and lowercase alphanumeric characters
- Must include a special character
- Must be changed every 30 days
- Password history of 24 previous passwords will be used to ensure passwords aren't reused
Note: the fixed 30-day rotation reflects older practice; current NIST guidance (SP 800-63B) recommends changing a password when compromise is suspected rather than on a schedule, since forced rotation tends to produce predictable variations of the old password.
Slide 24
Example: The Guideline
Take a phrase: Up and At 'em at 7! Convert it to a strong password: Up&atm@7! To create other passwords from this phrase, change the number, move the symbol, or change the punctuation mark.
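The standard and the guideline above, as an added example (this is not code from the original slides): a checker that enforces the standard's complexity rule and its 24-password history, and shows the guideline's phrase-derived password passing it. The function names, the salted PBKDF2 hashing and its iteration count are assumptions made for illustration; the history keeps only salted hashes, in line with the policy's rule that passwords are never stored in readable form.

```python
from __future__ import annotations

# Added example, not from the original slides. Enforces the slide's password
# standard (min 8 chars, upper and lower case, digit, special character, no reuse
# of the last 24 passwords). Hashing scheme and names are illustrative assumptions.
import hashlib
import os
import string
from collections import deque

MIN_LENGTH = 8
HISTORY_DEPTH = 24
SPECIALS = set(string.punctuation)
PBKDF2_ROUNDS = 100_000  # assumed value; tune to your hardware


def check_standard(password: str) -> list:
    """Return the list of rules the password violates; empty means it conforms."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in SPECIALS for c in password):
        problems.append("no special character")
    return problems


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class PasswordHistory:
    """Remembers only (salt, hash) pairs of the last `depth` passwords, never the passwords."""

    def __init__(self, depth: int = HISTORY_DEPTH):
        self.depth = depth
        self._entries = deque(maxlen=depth)  # oldest entry is dropped automatically

    def was_used(self, password: str) -> bool:
        return any(_hash(password, salt) == digest for salt, digest in self._entries)

    def record(self, password: str) -> None:
        salt = os.urandom(16)
        self._entries.append((salt, _hash(password, salt)))


def change_password(history: PasswordHistory, new_password: str) -> list:
    """Apply the standard and the history rule; record the password only if both pass."""
    problems = check_standard(new_password)
    if history.was_used(new_password):
        problems.append(f"reused one of the last {history.depth} passwords")
    if not problems:
        history.record(new_password)
    return problems


if __name__ == "__main__":
    hist = PasswordHistory()
    for candidate in ["Up&atm@7!", "password1", "Up&atm@7!", "Up&atm@8!"]:
        result = change_password(hist, candidate)
        print(candidate, "-> accepted" if not result else "-> rejected: " + ", ".join(result))
```

The history check has to hash the candidate once per stored entry because each entry has its own salt; that is the price of not storing anything an attacker could crack offline in bulk.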
Slide 25
Example: The Procedure
Procedure for changing a password:
1. Press Control, Alt, Delete to bring up the log-in dialog box
2. Click the change password button
3. Enter your current password in the top box
4.
Slide 26
Policy Elements
- Statement of Authority: an introduction to the information security policies
- Policy Headings: logistical information (security domain, policy number, name of organization, effective date, author, change control documentation or number)
- Policy Objectives: states what we are trying to achieve by implementing the policy
- Policy Statement of Purpose: why the policy was adopted, and how it will be implemented
Slide 27
Policy Elements, 2
- Policy Audience: states who the policy is intended for
- Policy Statement: how the policy will be implemented (the rules)
- Policy Exceptions: special situations calling for exception to the normal, accepted rules
- Policy Enforcement Clause: consequences for violation
- Policy Definitions: a glossary to ensure that the target audience understands the policy
Slide 28
Policy Example
Slide 29
Modern Network Security Threats: Viruses, Worms, Trojan Horses
Slide 30
Virus
A virus is malicious code that is attached to legitimate programs or executable files. Most viruses require end-user activation. Viruses can be harmless, such as those that display a picture on the screen, or they can be destructive, such as those that modify or delete files on the hard drive. Most viruses are spread by USB memory sticks, CDs, DVDs, network shares, or email.
Slide 31
Worm Worms replicate themselves by independently exploiting
vulnerabilities in networks. Worms usually slow down networks.
Whereas a virus requires a host program to run, worms can run by
themselves. They do not require user participation and can spread
extremely fast over the network.
Slide 32
Worm Components
Most worm attacks have three major components:
- Enabling vulnerability: a worm installs itself using an exploit mechanism (email attachment, executable file, Trojan Horse) on a vulnerable system
- Propagation mechanism: after gaining access to a device, the worm replicates itself and locates new targets
- Payload: any malicious code that results in some action; most often this is used to create a backdoor on the infected host
Slide 33
Trojan Horse
A Trojan Horse is malware that carries out malicious operations under the guise of a desired function. A virus or worm could carry a Trojan Horse. Trojan Horse example: an FTP Trojan Horse opens TCP port 21 on the victim.
Slide 34
Mitigating Threats
Historically, a large share of the software vulnerabilities discovered have been buffer overflows. A buffer is an allocated area of memory used by processes to store data temporarily; a buffer overflow writes past its end and corrupts adjacent memory, including the saved return address on the stack. Buffer overflows have been the primary conduit through which viruses, worms, and Trojan Horses gain execution on a host. Stack canaries (canary words placed between a function's local buffers and its saved return address, as inserted by compiler options such as GCC's -fstack-protector) detect such an overwrite before the function returns and abort the process rather than let the corrupted return address be used; they detect the overflow, they do not remove the underlying bug.
Slide 35
Worm Mitigation
The response to a worm infection can be broken down into four phases:
1. Containment
2. Inoculation
3. Quarantine
4. Treatment
Slide 36
Worm Mitigation
- Containment: limiting the spread of the worm to the areas of the network that are already affected, for example with ACLs at segment boundaries that block the port the worm uses
- Inoculation: all uninfected systems are patched with the appropriate vendor patch for the vulnerability
Slide 37
Worm Mitigation
- Quarantine: tracking down and identifying infected machines within the contained areas and disconnecting, blocking, or removing them
- Treatment: terminating the worm process, removing modified files or system settings that the worm introduced, and patching the vulnerability the worm exploited to compromise the system
Slide 38
Mitigating Threats (1)
- The primary means of mitigating virus and Trojan horse attacks is anti-virus software
- Anti-virus products are host-based; they do not prevent viruses from entering the network
- The AV signature database must always be kept up to date
- Signature-based AV cannot prevent zero-day attacks
Slide 39
Mitigating Threats (2)
- Apart from the well-known ports required for permitted services, ports should normally be blocked by a firewall at the perimeter
- Most attacks use well-known ports or backdoors
- Block the port through which the worm is spreading on all devices on the internal network
- Selective access does not guarantee to solve the problem, but it lowers the probability of infection
Slide 40
Mitigating Threats (3)
Other options for mitigating the effects of viruses, worms, and Trojan Horses:
- Host-Based Intrusion Prevention System (HIPS)
- Network IPS
- Cisco Network Admission Control (NAC)
- Cisco Security Monitoring, Analysis, and Response System (MARS)
- Patching the OS and software
Slide 41
Network Threats
There are four general categories of security threats to the network:
- Unstructured threats
- Structured threats
- External threats
- Internal threats
Slide 42
Slide 43
Four Classes of Network Attacks
- Reconnaissance attacks
- Access attacks
- Denial of service attacks
- Worms, viruses, and Trojan horses
Slide 44
Specific Attack Types
All of the following can be used to compromise your system:
- Packet sniffers
- IP weaknesses
- Password attacks
- DoS or DDoS
- Man-in-the-middle attacks
- Application layer attacks
- Trust exploitation
- Port redirection
- Viruses
- Trojan horses
- Operator error
- Worms
Slide 45
Reconnaissance Attacks
Network reconnaissance refers to the overall act of learning information about a target network by using publicly available information and applications. Reconnaissance: an inspection or exploration of an area, especially one made to gather military information.
Slide 46
Reconnaissance Attack Example
Slide 47
Reconnaissance Attack Mitigation
Network reconnaissance cannot be prevented entirely.
- IPSs at the network and host levels can usually notify an administrator when a reconnaissance-gathering attack (for example, a ping sweep or a port scan) is under way
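The notification described above, as an added example that is not part of the original slides: the detection logic an IPS applies to spot the two techniques named, a ping sweep (one source touching many hosts) and a port scan (one source touching many ports on one host), run over a few constructed firewall log lines. The log format, the thresholds and the time window are assumptions chosen for illustration.

```python
from __future__ import annotations

# Added example, not from the original slides. Detects ping sweeps and port
# scans in a constructed connection log; format, thresholds and window are
# illustrative assumptions.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<timestamp> <proto> <src> -> <dst>:<dport>" (dport "-" for ICMP).
SAMPLE_LOG = """\
2024-05-01T10:00:00 ICMP 203.0.113.9 -> 192.0.2.1:-
2024-05-01T10:00:00 ICMP 203.0.113.9 -> 192.0.2.2:-
2024-05-01T10:00:01 ICMP 203.0.113.9 -> 192.0.2.3:-
2024-05-01T10:00:01 ICMP 203.0.113.9 -> 192.0.2.4:-
2024-05-01T10:00:02 ICMP 203.0.113.9 -> 192.0.2.5:-
2024-05-01T10:00:02 ICMP 203.0.113.9 -> 192.0.2.6:-
2024-05-01T10:00:10 TCP 198.51.100.7 -> 192.0.2.1:21
2024-05-01T10:00:10 TCP 198.51.100.7 -> 192.0.2.1:22
2024-05-01T10:00:10 TCP 198.51.100.7 -> 192.0.2.1:23
2024-05-01T10:00:11 TCP 198.51.100.7 -> 192.0.2.1:25
2024-05-01T10:00:11 TCP 198.51.100.7 -> 192.0.2.1:80
2024-05-01T10:00:11 TCP 198.51.100.7 -> 192.0.2.1:110
2024-05-01T10:00:11 TCP 198.51.100.7 -> 192.0.2.1:443
2024-05-01T10:00:12 TCP 198.51.100.7 -> 192.0.2.1:445
2024-05-01T10:00:12 TCP 198.51.100.7 -> 192.0.2.1:3389
2024-05-01T10:00:12 TCP 198.51.100.7 -> 192.0.2.1:8080
2024-05-01T10:05:00 TCP 198.51.100.50 -> 192.0.2.1:443
2024-05-01T10:05:01 TCP 198.51.100.50 -> 192.0.2.1:443
2024-05-01T11:00:00 ICMP 203.0.113.9 -> 192.0.2.7:-
"""

WINDOW = timedelta(seconds=60)
SWEEP_HOSTS = 5   # distinct hosts pinged by one source within WINDOW
SCAN_PORTS = 10   # distinct ports tried by one source on one host within WINDOW


def parse(log: str):
    """Yield (timestamp, proto, src, dst_host, dst_port) per line; lines are assumed chronological."""
    for line in log.splitlines():
        ts, proto, src, _arrow, dst = line.split()
        host, port = dst.rsplit(":", 1)
        yield datetime.fromisoformat(ts), proto, src, host, port


def detect(log: str) -> list:
    """Return one alert each time a source's distinct-target count within WINDOW reaches its threshold."""
    sweep_events = defaultdict(list)   # src -> [(ts, dst_host)] for ICMP
    scan_events = defaultdict(list)    # (src, dst_host) -> [(ts, dst_port)] for TCP/UDP
    alerts = []
    for ts, proto, src, host, port in parse(log):
        if proto == "ICMP":
            events, target, thresh, label = sweep_events[src], host, SWEEP_HOSTS, "ping sweep"
        else:
            events, target, thresh, label = scan_events[(src, host)], port, SCAN_PORTS, "port scan"
        events.append((ts, target))
        while events and ts - events[0][0] > WINDOW:   # slide the window forward
            events.pop(0)
        # the count grows by at most one per event, so it passes through thresh exactly once per crossing
        if len({t for _, t in events}) == thresh:
            alerts.append(f"{label} from {src} at {ts.isoformat()}: "
                          f"{thresh} distinct targets within {int(WINDOW.total_seconds())}s")
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

A repeated connection to one port from one source (198.51.100.50 above) is not reconnaissance and stays silent; a slow scan spread over more than the window is the classic evasion, which is why real IPSs keep longer-lived per-source state as well.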
Slide 48
Packet Sniffers
Slide 49
A packet sniffer is a software application that uses a network adapter card in promiscuous mode to capture all the network packets it can see. The following are the packet sniffer features:
- Packet sniffers exploit information passed in clear text. Protocols that pass information in the clear include the following: Telnet, FTP, SNMP (v1 and v2c), POP
- A passive sniffer only sees traffic on its own segment: on a hub, the whole collision domain; on a switch, only the traffic switched to its own port, unless port mirroring or ARP spoofing is used to redirect other hosts' traffic to it
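What a sniffer actually recovers from the clear-text protocols listed above, as an added example (not material from the original slides): credentials pulled from constructed captures of an FTP login, a POP3 login, a Telnet login and an SNMPv1 request. The captures are made up for illustration; the SNMP decoder handles only the short-form BER lengths the sample uses.

```python
from __future__ import annotations

# Added example, not from the original slides. Extracts credentials from
# constructed clear-text captures of FTP, POP3, Telnet and SNMPv1.
import re

# Constructed captures (not real traffic): the client/server bytes of one FTP and one POP3 login.
FTP_CAPTURE = (b"220 ftp.example.test FTP server ready\r\n"
               b"USER alice\r\n331 Password required for alice\r\n"
               b"PASS s3cret!\r\n230 User alice logged in\r\n")
POP3_CAPTURE = b"+OK POP3 ready\r\nUSER bob\r\n+OK\r\nPASS hunter2\r\n+OK logged in\r\n"
# Constructed Telnet session after option negotiation, as (direction, bytes) pairs;
# the password is not echoed by the server, but the client still sends it in the clear.
TELNET_SESSION = [
    ("server", b"login: "),
    ("client", b"carol\r\n"),
    ("server", b"Password: "),
    ("client", b"Tr0ub4dor&3\r\n"),
    ("server", b"Last login: Wed May  1 10:00\r\n$ "),
]
# Constructed SNMPv1 get-request for sysName.0: the community string is a plain
# OCTET STRING right after the version INTEGER.
SNMP_CAPTURE = bytes.fromhex(
    "3029" "020100" "04067075626c6963" "a01c" "020400000001" "020100" "020100"
    "300e" "300c" "06082b06010201010500" "0500"
)

# FTP and POP3 both authenticate with "USER <name>" / "PASS <secret>" lines.
CRED_RE = re.compile(rb"^(USER|PASS) (.+?)\r?$", re.MULTILINE)


def line_credentials(capture: bytes) -> dict:
    """Pull the USER/PASS values out of a line-oriented FTP or POP3 capture."""
    return {m.group(1).decode().lower(): m.group(2).decode() for m in CRED_RE.finditer(capture)}


def telnet_credentials(session) -> dict:
    """Pair each server prompt with the client's next line: the line after 'Password:' is the password."""
    creds, expecting = {}, None
    for direction, data in session:
        text = data.decode(errors="replace")
        if direction == "server":
            lowered = text.lower()
            expecting = ("user" if lowered.endswith("login: ")
                         else "pass" if lowered.endswith("password: ") else None)
        elif expecting:
            creds[expecting] = text.strip()
            expecting = None
    return creds


def _tlv(buf: bytes, pos: int):
    """Read one BER tag-length-value with a short-form length; return (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    if length >= 0x80:
        raise ValueError("long-form BER lengths are not handled in this example")
    return tag, buf[pos + 2 : pos + 2 + length], pos + 2 + length


def snmp_community(packet: bytes) -> tuple:
    """Return (version, community) from an SNMPv1/v2c message; the 'secret' is readable by anyone."""
    tag, body, _ = _tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    tag, version, pos = _tlv(body, 0)
    tag2, community, _ = _tlv(body, pos)
    if tag != 0x02 or tag2 != 0x04:
        raise ValueError("unexpected SNMP header layout")
    return int.from_bytes(version, "big"), community.decode()


if __name__ == "__main__":
    print("FTP   :", line_credentials(FTP_CAPTURE))
    print("POP3  :", line_credentials(POP3_CAPTURE))
    print("Telnet:", telnet_credentials(TELNET_SESSION))
    print("SNMP  :", snmp_community(SNMP_CAPTURE))
```

None of this needs to break anything: the protocols hand the secret over by design, which is the point of the cryptography item in the mitigation slide that follows.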
Slide 50
Packet Sniffer Mitigation
Slide 51
The following techniques and tools can be used to mitigate sniffers:
- Authentication: using strong authentication, such as one-time passwords, is a first option for defense against packet sniffers; a captured credential is then useless for replay
- Switched infrastructure: deploy a switched infrastructure so that a sniffer no longer sees every host's traffic (ARP spoofing can still redirect traffic on a switched segment, so this is not sufficient on its own)
- Antisniffer tools: use software and hardware designed to detect the use of sniffers on a network
- Cryptography: the most effective method for countering packet sniffers does not prevent or detect sniffers, but rather renders them irrelevant, because what they capture is ciphertext
Slide 52
IP Spoofing
IP spoofing occurs when an attacker inside or outside a network impersonates a trusted computer by forging the source IP address of packets. Two general techniques are used during IP spoofing:
- The attacker uses an IP address that is within the range of trusted IP addresses
- The attacker uses an authorized external IP address that is trusted
Uses for IP spoofing include the following:
- IP spoofing is usually limited to the injection of malicious data or commands into an existing stream of data, since replies go to the spoofed address rather than to the attacker
- If the attacker can also change routing tables to point to the spoofed IP address, the attacker can receive all the network packets that are addressed to the spoofed address and reply just as any trusted user can
Slide 53
IP Spoofing Mitigation
The threat of IP spoofing can be reduced, but not eliminated, through the following measures:
- Access control: the most common method for preventing IP spoofing is to properly configure access control, for example denying inbound packets from the Internet whose source address belongs to the internal network
- RFC 2827 filtering: you can prevent users of your network from spoofing other networks (and be a good Internet citizen at the same time) by preventing any outbound traffic on your network that does not have a source address in your organization's own IP range
- Additional authentication that does not rely on IP addresses; examples include cryptographic authentication (recommended) and strong, two-factor, one-time passwords
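The access-control and RFC 2827 items above, as an added example (not the slides' own material): a border filter that applies the egress rule (outbound packets must carry a source address from the organisation's own prefixes) together with the matching ingress rules (inbound packets must not claim an internal source or a bogon source). The prefixes, the bogon list and the Packet representation are assumptions for illustration; on a real router the same rules are expressed as ACLs or unicast RPF.

```python
from __future__ import annotations

# Added example, not from the original slides. Anti-spoofing border filter in
# the spirit of RFC 2827 / BCP 38; prefixes, bogon list and Packet are assumed.
import ipaddress
from dataclasses import dataclass

OUR_PREFIXES = [ipaddress.ip_network(p) for p in ("192.0.2.0/24", "2001:db8:1::/48")]
# Source addresses that should never arrive from the Internet (illustrative subset of the bogon list).
BOGONS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12",
    "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
    "::/128", "::1/128", "fc00::/7", "fe80::/10",
)]


@dataclass(frozen=True)
class Packet:
    direction: str   # "out" = leaving our network, "in" = arriving from the Internet
    src: str
    dst: str


def _in_any(addr, nets) -> bool:
    # `addr in net` is False when the IP versions differ, so mixed v4/v6 lists are safe.
    return any(addr in n for n in nets)


def verdict(pkt: Packet) -> tuple:
    """Return ('permit' | 'deny', reason) for one packet seen at the border."""
    src = ipaddress.ip_address(pkt.src)
    if pkt.direction == "out":
        if _in_any(src, OUR_PREFIXES):
            return "permit", "egress: source is ours"
        return "deny", "egress: source not in our prefixes (RFC 2827)"
    if pkt.direction == "in":
        if _in_any(src, OUR_PREFIXES):
            return "deny", "ingress: external packet claims an internal source"
        if _in_any(src, BOGONS):
            return "deny", "ingress: bogon source"
        return "permit", "ingress: external source"
    raise ValueError(f"unknown direction {pkt.direction!r}")


def apply_filter(packets) -> dict:
    """Count decisions for a batch; handy for checking a rule set against a captured sample."""
    counts = {"permit": 0, "deny": 0}
    for p in packets:
        counts[verdict(p)[0]] += 1
    return counts


if __name__ == "__main__":
    sample = [  # constructed packets
        Packet("out", "192.0.2.10", "198.51.100.1"),
        Packet("out", "203.0.113.5", "198.51.100.1"),     # spoofed source leaving our network
        Packet("in", "192.0.2.10", "192.0.2.1"),          # outsider claiming to be inside
        Packet("in", "10.1.2.3", "192.0.2.1"),            # private source from the Internet
        Packet("in", "198.51.100.9", "192.0.2.1"),
    ]
    for p in sample:
        print(p.direction, p.src, "->", p.dst, *verdict(p))
    print(apply_filter(sample))
```

The egress rule protects other people's networks from hosts on yours; the ingress rules protect yours. Neither stops an attacker from spoofing an address inside their own provider's range, which is why the slide says reduced, not eliminated.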
Slide 54
DoS Attacks
Slide 55
DDoS Attack Example
Slide 56
DoS Attack Mitigation
The threat of DoS attacks can be reduced through the following three methods:
- Antispoof features: proper configuration of antispoof features on your routers and firewalls
- Anti-DoS features: proper configuration of anti-DoS features on routers and firewalls (for example, limits on half-open TCP connections)
- Traffic rate limiting: implement traffic rate limiting with the network's ISP
Slide 57
Password Attacks
Slide 58
Password Attack Example
Slide 59
Password Attacks Mitigation
The following are mitigation techniques:
- Do not allow users to use the same password on multiple systems
- Disable accounts after a certain number of unsuccessful login attempts
- Do not transmit or store passwords in plain text; OTP or a cryptographic password scheme is recommended
- Use strong passwords. Strong passwords are at least eight characters long and contain uppercase letters, lowercase letters, numbers, and special characters
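The lockout rule above, as an added example that is not code from the original slides: a small stateful policy that disables an account after a number of failures within an observation window and refuses logins for a lockout period, extended beyond the slide with a per-source tally so that a guessing run spread across many accounts is noticed too. The thresholds, timings and interface are assumptions made for illustration.

```python
from __future__ import annotations

# Added example, not from the original slides. Account lockout after repeated
# failures plus a per-source failure tally; all limits are illustrative assumptions.
from collections import defaultdict, deque
from datetime import datetime, timedelta

MAX_FAILURES = 5                   # failures per account within WINDOW before lockout
WINDOW = timedelta(minutes=15)     # observation window for counting failures
LOCKOUT = timedelta(minutes=30)    # how long a locked account stays locked
SPRAY_THRESHOLD = 20               # failures from one source across any accounts within WINDOW


class LockoutPolicy:
    def __init__(self):
        self._failures = defaultdict(deque)    # account -> timestamps of recent failures
        self._locked_until = {}                # account -> datetime when the lock expires
        self._by_source = defaultdict(deque)   # source  -> timestamps of recent failures

    @staticmethod
    def _prune(q: deque, now: datetime) -> None:
        while q and now - q[0] > WINDOW:
            q.popleft()

    def is_locked(self, account: str, now: datetime) -> bool:
        until = self._locked_until.get(account)
        return until is not None and now < until

    def record(self, account: str, source: str, success: bool, now: datetime) -> str:
        """Register one login attempt; return 'ok', 'fail' or 'locked' (attempt refused)."""
        if self.is_locked(account, now):
            return "locked"   # refused even if the password was right: a lock is a lock
        if success:
            self._failures.pop(account, None)
            return "ok"
        q = self._failures[account]
        self._prune(q, now)
        q.append(now)
        s = self._by_source[source]
        self._prune(s, now)
        s.append(now)
        if len(q) >= MAX_FAILURES:
            self._locked_until[account] = now + LOCKOUT
            self._failures.pop(account, None)
            return "locked"
        return "fail"

    def noisy_sources(self, now: datetime) -> list:
        """Sources with SPRAY_THRESHOLD or more failures across any accounts within WINDOW."""
        out = []
        for src, s in self._by_source.items():
            self._prune(s, now)
            if len(s) >= SPRAY_THRESHOLD:
                out.append(src)
        return out


if __name__ == "__main__":
    policy = LockoutPolicy()
    t0 = datetime(2024, 5, 1, 9, 0, 0)
    for i in range(6):   # five bad guesses, then a sixth attempt against the locked account
        print(i, policy.record("alice", "203.0.113.9", False, t0 + timedelta(seconds=i)))
    print("correct password while locked:", policy.record("alice", "203.0.113.9", True, t0 + timedelta(minutes=1)))
    print("after the lockout expires:", policy.record("alice", "203.0.113.9", True, t0 + timedelta(minutes=31)))
```

Lockout has a cost the slide does not mention: an attacker who knows account names can lock legitimate users out on purpose, which is why the lockout period is kept short and failures are counted per source as well as per account.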
Slide 60
Man-in-the-Middle Attacks
Slide 61
Man-in-the-Middle Mitigation
Slide 62
Trust Exploitation
Slide 63
Trust Exploitation Mitigation
Slide 64
Port Redirection
Slide 65
Unauthorized Access
Slide 66
Social Engineering Attacks
- Hacker-speak for tricking a person into revealing some confidential information
- Social engineering is defined as an attack based on deceiving users or administrators at the target site
- Done to gain illicit access to systems or useful information
- The goals of social engineering are fraud, network intrusion, industrial espionage, identity theft, etc.
Slide 67
Types of Attacks
Structured attack: comes from hackers who are more highly motivated and technically competent. These people know system vulnerabilities and can understand and develop exploit code and scripts. They understand, develop, and use sophisticated hacking techniques to penetrate unsuspecting businesses. These groups are often involved with the major fraud and theft cases reported to law enforcement agencies.
Unstructured attack: consists of mostly inexperienced individuals using easily available hacking tools such as shell scripts and password crackers. Even unstructured threats that are only executed with the intent of testing and challenging a hacker's skills can still do serious damage to a company.
Slide 68
Types of Attacks
External attacks: initiated by individuals or groups working outside of a company. They do not have authorized access to the computer systems or network. They gather information in order to work their way into a network, mainly from the Internet or dial-up access servers.
Internal attacks: more common and dangerous. Internal attacks are initiated by someone who has authorized access to the network. According to the FBI, internal access and misuse account for 60 to 80 percent of reported incidents. These attacks are often traced to disgruntled employees.
Slide 69
Types of Attacks
Passive attack (observes traffic without altering it):
- Listening for system passwords
- Release of message content
- Traffic analysis
- Data capturing (wire taps)
Active attack (alters or injects traffic, or changes system state):
- Attempt to log into someone else's account
- Denial of service
- Masquerading
- Message modification
Slide 70
Stages of an Attack
Today's attackers have an abundance of targets. In fact their greatest challenge is to select the most vulnerable victims. This has resulted in very well-planned and structured attacks. These attacks have common logistical and strategic stages:
- Reconnaissance
- Scanning (addresses, ports, vulnerabilities)
- Gaining access
- Maintaining access
- Covering tracks
Slide 71
Goals of an Information Security Program
- Confidentiality: prevent the disclosure of sensitive information to unauthorized people, resources, and processes
- Integrity: the protection of system information or processes from intentional or accidental modification
- Availability: the assurance that systems and data are accessible by authorized users when needed