Security System 1 - 05

8/14/2019 Security System 1 - 05

http://slidepdf.com/reader/full/security-system-1-05

SECURITY SYSTEM 1

#5. PHYSICAL SECURITY

AGENDA

Operational Security

Calculating Attack Strategies

Recognizing Common Attacks

CompTIA Security+ Study Guide, Sybex


Operational Security

Operational security focuses on computers, networks, and communications systems as well as the management of information.

Operational security encompasses a large area, and as a security professional, you’ll be primarily involved here more than any other area.


Operational security issues include network access control (NAC), authentication, and security topologies after the network installation is complete. Issues include the daily operations of the network, connections to other networks, backup plans, and recovery plans.

In short, operational security encompasses everything that isn’t related to design or physical security in your network. Instead of focusing on the physical components where the data is stored, such as the server, the focus is now on the topology and connections.

Calculating Attack Strategies

One main reason for the differences in attacks is that they occur in many ways and for different reasons. Regardless of how they occur, they are generally used to accomplish one or more of these three goals:

In an access attack, someone who should not be able to wants to access your resources.

During a modification and repudiation attack, someone wants to modify information in your systems.

A denial-of-service (DoS) attack is an attempt to disrupt your network and services. When your system becomes so busy responding to illegitimate requests, it can prevent authorized users from having access.


A. Understanding Access Attack Types

The goal of an access attack is straightforward. An access attack is an attempt to gain access to information that the attacker isn’t authorized to have. These types of attacks focus on breaching the confidentiality of information. They occur either internally or externally; they might also occur when physical access to the information is possible.

Dumpster diving is a common physical access method. Companies normally generate a huge amount of paper, most of which eventually winds up in Dumpsters or recycle bins.


A second common method used in access attacks is to capture information en route between two systems; rather than paper, data is found in such attacks. There are several common types of access attacks:

Eavesdropping

Eavesdropping is the process of listening in on or overhearing parts of a conversation, including listening in on your network traffic. This type of attack is generally passive. For example, a coworker might overhear your dinner plans because your speakerphone is set too loud or you’re yelling into your cell phone. The opportunity to overhear a conversation is coupled with the carelessness of the parties in the conversation.


Snooping

Snooping occurs when someone looks through your files hoping to find something interesting. The files may be either electronic or on paper. In the case of physical snooping, people might inspect your Dumpster, recycling bins, or even your file cabinets; they can look under the keyboard for Post-it notes or look for scraps of paper tacked to your bulletin board. Computer snooping, on the other hand, involves someone searching through your electronic files trying to find something interesting.


Interception

Interception can be either an active or a passive process. In a networked environment, a passive interception would involve someone who routinely monitors network traffic. Active interception might include putting a computer system between the sender and receiver to capture information as it’s sent. The process is usually covert. The last thing a person on an intercept mission wants is to be discovered. Intercept missions can occur for years without the knowledge of the parties being monitored.


B. Recognizing Modification and Repudiation Attacks

Modification attacks involve the deletion, insertion, or alteration of information in an unauthorized manner that is intended to appear genuine to the user. These attacks can be hard to detect. They’re similar to access attacks in that the attacker must first get to the data on the servers, but they differ from that point on. The motivation for this type of attack may be to plant information, change grades in a class, fraudulently alter credit card records, or something similar. Website defacements are a common form of modification attack; they involve someone changing web pages in a malicious manner.


A variation of a modification attack is a repudiation attack. Repudiation attacks make data or information appear to be invalid or misleading (which can be even worse). For example, someone might access your e-mail server and send inflammatory information to others under the guise of one of your top managers. This information might prove embarrassing to your company and possibly do irreparable harm. Repudiation attacks are fairly easy to accomplish because most e-mail systems don’t check outbound mail for validity. Repudiation attacks, like modification attacks, usually begin as access attacks.


C. Identifying Denial-of-Service and Distributed Denial-of-Service Attacks

Denial-of-service (DoS) attacks prevent access to resources by users authorized to use those resources. An attacker may attempt to bring down an e-commerce website to prevent or deny usage by legitimate customers. DoS attacks are common on the Internet, where they have hit large companies such as Amazon, Microsoft, and AT&T. These attacks are often widely publicized in the media. Most simple DoS attacks occur from a single system, and a specific server or organization is the target.


There isn’t a single type of DoS attack, but a variety of similar methods that have the same purpose. It’s easiest to think of a DoS attack by imagining that your servers are so busy responding to false requests that they don’t have time to service legitimate requests. Not only can the servers be physically busy, but the same result can occur if the attack consumes all the available bandwidth.


Several types of attacks can occur in this category. These attacks can deny access to information, applications, systems, or communications.

A DoS attack on an application may bring down a website while the communications and systems continue to operate.

A DoS attack on a system crashes the operating system (a simple reboot may restore the server to normal operation).

A DoS attack against a network is designed to fill the communications channel and prevent access by authorized users.


A common DoS attack involves opening as many TCP sessions as possible; this type of attack is called a TCP SYN flood DoS attack. Two of the most common types of DoS attacks are the ping of death and the buffer overflow. The ping of death crashes a system by sending Internet Control Message Protocol (ICMP) packets (think echoes) that are larger than the system can handle. Buffer overflow attacks, as the name implies, attempt to put more data (usually long input strings) into the buffer than it can hold.


A distributed denial-of-service (DDoS) attack is similar to a DoS attack. A DDoS attack amplifies the concepts of a DoS by using multiple computer systems to conduct the attack against a single organization. These attacks exploit the inherent weaknesses of dedicated networks such as DSL and cable. These permanently attached systems usually have little, if any, protection. An attacker can load an attack program onto dozens or even hundreds of computer systems that use DSL or cable modems. The attack program lies dormant on these computers until they get an attack signal from a master computer. The signal triggers the systems, which launch an attack simultaneously on the target network or system.


The nasty part of this type of attack is that the machines used to carry out the attack belong to normal computer users. The attack gives no special warning to those users. When the attack is complete, the attack program may remove itself from the system or infect the unsuspecting user’s computer with a virus that destroys the hard drive, thereby wiping out the evidence.

Recognizing Common Attacks

Most attacks are designed to exploit potential weaknesses, which can be in the implementation of programs or in the protocols used in networks. Many types of attacks require a high level of sophistication and are rare, but you need to know about them so that, should they occur, you can identify what has happened in your network.

In the following sections, we’ll look at some common attacks more closely.


Back Door Attacks

The term back door attack refers to gaining access to a network and inserting a program or utility that creates an entrance for an attacker. The program may allow a certain user ID to log on without a password or gain administrative privileges. The next figure shows how a back door attack can be used to bypass the security of a network. In this example, the attacker is using a back door program to utilize resources or steal information.


Spoofing Attacks

A spoofing attack is an attempt by someone or something to masquerade as someone else. This type of attack is usually considered an access attack. A common spoofing attack that was popular for many years on early Unix and other timesharing systems involved a programmer writing a fake logon program. It would prompt the user for a user ID and password. No matter what the user typed, the program would indicate an invalid logon attempt and then transfer control to the real logon program. The spoofing program would write the logon and password into a disk file, which was retrieved later.


The most popular spoofing attacks today are IP spoofing and DNS spoofing. With IP spoofing, the goal is to make the data look as if it came from a trusted host when it didn’t (thus spoofing the IP address of the sending host). With DNS spoofing, the DNS server is given information about a name server that it thinks is legitimate when it isn’t. This can send users to a website other than the one they wanted to go to, reroute mail, or do any other type of redirection wherein data from a DNS server is used to determine a destination. Another name for this is DNS poisoning.


Another DNS weakness is Domain Name Kiting. When a new domain name is issued, there is a five-day grace period before you must technically pay for it. Those engaged in kiting can delete the account within the five days and re-register it again, allowing them to have accounts that they never have to pay for.


Man-in-the-Middle Attacks

Man-in-the-middle attacks tend to be fairly sophisticated. This type of attack is also an access attack, but it can be used as the starting point for a modification attack. The method used in these attacks clandestinely places a piece of software between a server and the user that neither the server administrators nor the user is aware of.


The software intercepts data and then sends the information to the server as if nothing is wrong. The server responds back to the software, thinking it’s communicating with the legitimate client. The attacking software continues sending information on to the server, and so forth. If communication between the server and user continues, what’s the harm of the software? The answer lies in whatever else the software is doing. The man-in-the-middle software may be recording information for someone to view later, altering it, or in some other way compromising the security of your system and session.


Replay Attacks

Replay attacks are becoming quite common. They occur when information is captured over a network. A replay attack is a kind of access or modification attack. In a distributed environment, logon and password information is sent between the client and the authentication system. The attacker can capture the information and replay it again later. This can also occur with security certificates from systems such as Kerberos: The attacker resubmits the certificate, hoping to be validated by the authentication system and circumvent any time sensitivity.


If this attack is successful, the attacker will have all the rights and privileges from the original certificate. This is the primary reason that most certificates contain a unique session identifier and a time stamp: If the certificate has expired, it will be rejected and an entry should be made in a security log to notify system administrators.
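The unique session identifier plus time stamp described above can be checked as follows. This is an added example, not code from the slides or the Sybex guide: it assumes a constructed token format `<session_id>.<issued_at>.<nonce>.<mac>` signed with HMAC-SHA256 (standing in for the slides’ "certificate"), and a validator that remembers nonces it has already accepted so that a captured token cannot be resubmitted. `issue_token`, `ReplayGuard`, the key and the lifetime are ours.

```python
"""Replay-resistant session token check.

Added example, not code from the slides or the Sybex guide. The token format
(`<session_id>.<issued_at>.<nonce>.<mac>`), the key, and the names
`issue_token` / `ReplayGuard` are constructed for this example.
"""
import hashlib
import hmac
import logging
import secrets

LOG = logging.getLogger("auth")
SECRET_KEY = b"constructed-demo-key-do-not-reuse"  # constructed; a real key comes from key management
TOKEN_LIFETIME = 60  # seconds a token remains valid after issue


def _mac(payload: str) -> str:
    """HMAC-SHA256 over the token payload so its fields cannot be edited."""
    return hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()


def issue_token(session_id: str, now: int) -> str:
    """Issue a token carrying a unique nonce (the session identifier the slide
    mentions) and an issue time stamp, both covered by the MAC."""
    nonce = secrets.token_hex(8)
    payload = f"{session_id}.{now}.{nonce}"
    return f"{payload}.{_mac(payload)}"


class ReplayGuard:
    """Validator that rejects malformed, forged, expired and replayed tokens.

    `now` is passed in rather than read from the clock so the behaviour can be
    checked deterministically.
    """

    def __init__(self):
        self.seen = {}  # nonce -> issued_at for tokens already accepted

    def validate(self, token: str, now: int) -> str:
        """Return 'ok' or the reason for rejection; every rejection is logged."""
        try:
            session_id, issued_at_str, nonce, mac = token.split(".")
            issued_at = int(issued_at_str)
        except ValueError:
            LOG.warning("rejected malformed token")
            return "malformed"
        payload = f"{session_id}.{issued_at_str}.{nonce}"
        # Check the MAC first: nothing in an unauthenticated token is trustworthy.
        if not hmac.compare_digest(mac, _mac(payload)):
            LOG.warning("rejected token with bad signature for session %s", session_id)
            return "bad-signature"
        if now - issued_at > TOKEN_LIFETIME:
            LOG.warning("rejected expired token for session %s", session_id)
            return "expired"
        if nonce in self.seen:
            LOG.warning("rejected replayed token for session %s", session_id)
            return "replayed"
        self.seen[nonce] = issued_at
        # Drop nonces older than the lifetime; those tokens fail the expiry check anyway.
        self.seen = {n: t for n, t in self.seen.items() if now - t <= TOKEN_LIFETIME}
        return "ok"


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    guard = ReplayGuard()
    token = issue_token("alice", now=1000)
    print(guard.validate(token, now=1001))  # ok
    print(guard.validate(token, now=1002))  # replayed
```

Every rejection goes to the security log, as the slide recommends. The seen-nonce table only has to hold entries for TOKEN_LIFETIME seconds, because anything older is refused by the expiry check before the nonce is consulted, which keeps the table bounded.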


Password-Guessing Attacks

Password-guessing attacks occur when an account is attacked repeatedly. This is accomplished by utilizing applications known as password crackers, which send possible passwords to the account in a systematic manner. The attacks are initially carried out to gain passwords for an access or modification attack.


There are two types of password-guessing attacks:

Brute-force attack

A brute-force attack is an attempt to guess passwords until a successful guess occurs. This type of attack usually occurs over a long period. To make passwords more difficult to guess, they should be much longer than two or three characters (six should be the bare minimum), be complex, and have password lockout policies.


Dictionary attack

A dictionary attack uses a dictionary of common words to attempt to find the user’s password. Dictionary attacks can be automated, and several tools exist in the public domain to execute them.

Not all attacks are only brute-force or dictionary based. A number of hybrids also exist that will try combinations of these two methods.
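An added example (not code from the slides or the Sybex guide) of the two countermeasures the slides name against password guessing, a password policy with the six-character floor plus complexity, and an account lockout policy. `meets_policy`, `LockoutPolicy`, `attempt_logon`, the thresholds and the PBKDF2 credential store are ours; the clock is a parameter so the lockout behaviour can be checked deterministically.

```python
"""Password policy and account lockout against password-guessing attacks.

Added example, not code from the slides or the Sybex guide. `meets_policy`,
`LockoutPolicy`, `attempt_logon`, the thresholds and the PBKDF2 credential
store are constructed for this example.
"""
import hashlib
import hmac
import os

MIN_LENGTH = 6        # the slides' stated bare minimum
MAX_FAILURES = 5      # failures inside FAILURE_WINDOW that trigger a lock
FAILURE_WINDOW = 300  # seconds over which failures are counted
LOCK_DURATION = 900   # seconds an account stays locked
PBKDF2_ROUNDS = 100_000


def meets_policy(password: str) -> bool:
    """Length floor plus complexity: at least three of lower, upper, digit, other."""
    if len(password) < MIN_LENGTH:
        return False
    classes = (
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    )
    return sum(classes) >= 3


def make_record(password: str, salt: bytes = b""):
    """Store a salted PBKDF2 hash, never the password itself."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def check_password(record, password: str) -> bool:
    """Constant-time comparison of the candidate against the stored hash."""
    salt, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


class LockoutPolicy:
    """Counts failed logons per account and locks the account after
    MAX_FAILURES inside FAILURE_WINDOW. `now` is a parameter so the
    behaviour can be checked without waiting on a clock."""

    def __init__(self):
        self.failures = {}      # account -> timestamps of recent failures
        self.locked_until = {}  # account -> time the lock expires

    def is_locked(self, account: str, now: int) -> bool:
        return self.locked_until.get(account, 0) > now

    def record_failure(self, account: str, now: int) -> bool:
        """Register a failure; return True if this one locks the account."""
        recent = [t for t in self.failures.get(account, []) if now - t <= FAILURE_WINDOW]
        recent.append(now)
        if len(recent) >= MAX_FAILURES:
            self.locked_until[account] = now + LOCK_DURATION
            self.failures[account] = []
            return True
        self.failures[account] = recent
        return False

    def record_success(self, account: str):
        self.failures.pop(account, None)


def attempt_logon(policy: LockoutPolicy, store: dict, account: str, password: str, now: int) -> str:
    """Return 'ok', 'denied' or 'locked'. Unknown accounts are treated like a
    wrong password so the response does not reveal which accounts exist."""
    if policy.is_locked(account, now):
        return "locked"
    record = store.get(account)
    if record is not None and check_password(record, password):
        policy.record_success(account)
        return "ok"
    return "locked" if policy.record_failure(account, now) else "denied"


if __name__ == "__main__":
    policy = LockoutPolicy()
    store = {"alice": make_record("Tr0ub4dor!")}  # constructed account
    for i in range(6):
        print(attempt_logon(policy, store, "alice", f"guess{i}", now=10 + i))
```

Six characters is the slides' bare minimum; current guidance (NIST SP 800-63B) sets the length floor higher and relies less on character-class rules. Locking after repeated failures also hands an attacker a way to deny service to legitimate users, so the lock duration is kept short and the failure counter resets on a successful logon.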


Privilege Escalation

Privilege escalation can be the result of an error on an administrator’s part in assigning too high a permission set to a user, but it’s more often associated with bugs left in software.

When creating a software program, developers will occasionally leave a back door in the program that allows them to become a root user should they need to fix something during the debugging phase.

After debugging is done and before the software goes live, these abilities are removed. If a developer forgets to remove the back door in the live version and the method of accessing them gets out, it leaves the ability for a miscreant to take advantage of the system.


To understand privilege escalation, think of cheat codes in video games. Once you know the game’s code, you can enter it and become invincible. Similarly, someone might take advantage of a hidden cheat in a software application you are using to become root.