CIS 450 – Network Security
Chapter 2 – How and Why Hackers Do It

What is an Exploit
- Anything that can be used to compromise a machine/network
- Compromises include:
  - Gaining access
  - Simplifying gaining access
  - Taking a system offline
  - Desensitizing sensitive information
- Critical to minimize the risk while reducing the impact it has on overall functionality

The Attacker’s Process – Passive Reconnaissance
- The attacker must have some general information
- Used to properly position themselves
- Sniffing: sitting on a network segment, watching and recording all traffic (especially passwords)
- Information gathering to help launch an active attack

The Attacker’s Process – Active Reconnaissance
- Gather the additional information the hacker is after
- Active probing of the system to find out additional information
  - Find out the IP addresses of the firewall and routers
  - Version of the operating system
- It is critical that there be some form of logging and review to catch active reconnaissance.

The Attacker’s Process – Exploiting the System: Gaining Access
- Operating System Attacks – the default install of most operating systems has a large number of services running and ports open
- Application-level Attacks – take advantage of the less-than-perfect security found in most of today’s software
- Scripts & Sample Program Attacks – sample files and scripts that come with operating systems/applications
- Misconfiguration Attacks – administrators don’t bother to remove unneeded services or software
- Elevating Privileges – the goal is to gain either root or administrator access to a system
- Denial of Service – deny legitimate users access to a resource

The Attacker’s Process – Uploading Programs
- Can be used to:
  - Increase access
  - Compromise other systems on the network
  - Upload tools to compromise other systems
- Downloading Data
- Keeping Access – put a back door in for when the attacker wants to return (use a Trojan horse program)

The Attacker’s Process – Covering Tracks
- Clean up the log files
- Turn off logging as soon as access is gained
- Change properties back to their original settings
- To combat this, use programs that calculate checksums.

The Types of Attacks
- Active Attacks – a deliberate action on the part of the attacker to gain access to the information he is after
  - Denial of Service
  - Intelligence gathering
  - Resource usage
  - Deception
- Passive Attacks – geared to gathering information rather than gaining access

Categories of Exploits – Over the Internet
- Coordinated attacks – coordinated with other users and machines on a network (the other users do not have to be aware that they are being used in the attack)
- Session hijacking – taking over a session after a legitimate user has gained access and authenticated
- Spoofing – impersonating or assuming an identity that is not your own. Very effective against trust relationships.
- Relaying – an attacker relays or bounces an attack through a third party’s machine so it looks like the attack came from the third party and not from him
- Trojan Horses or Viruses

Categories of Exploits – Over the LAN
- A large number of attacks come from trusted insiders
- An attacker who breaks in as a legitimate user gets the full access that user would have
- Sniffing Traffic – easier on a hub than on a switched network. Network cards should not be set to promiscuous mode.

Sniffing – Hub vs. Switch
The difference is in what a switch does versus what a hub does. A hub is really a layer 1 device, simply a repeater. Putting a sniffer on a hub truly allows you to monitor ALL traffic on that network segment. A switch operates at layer 2 and sorts traffic based on destination MAC address. Thus, if a packet is sent to one specific host, and the switch knows which port that host lives on, only that host will get the traffic. If a packet is broadcast to the whole network, the switch forwards it to all ports, since there cannot be a MAC address correlated to a broadcast address.

Putting a sniffer on a standard switch port will therefore only see traffic inbound and outbound from itself, plus the local network segment’s broadcast traffic. Most switches, at least at the enterprise level, allow configuring at least one port as a "monitoring" port. When this mode is enabled, the switch passes all traffic to the destination port and to the monitoring port. So if you hang a sniffer off that port, you can then see all traffic on the segment, at least from those devices attached to that switch.

Categories of Exploits – Over the LAN (continued)
- Broadcasts – using the TCP/IP broadcast address, which sends a packet to every machine on the network segment
- File Access
- Remote Control – controlling the machine as if you were sitting at it
- Application Hijacking – similar in concept to session hijacking. Involves taking over an application and gaining unauthorized access.

Categories of Exploits – Locally
- Shoulder Surfing – watching someone as they type in their password
- Unlocked Terminals
- Written Passwords
- Unplugging Machines
- Local Logon

Categories of Exploits – Offline
- Download Password File
- Download Encrypted Text – the longer the key, the longer it will take to break
- Copying large amounts of data to a removable drive to look at offsite later

Routes Attackers Use to Get In
- Ports – the windows and doors of a computer system; the more ports that are open, the more points of vulnerability
  http://www.stengel.net/tcpports.htm
  http://www.iss.net/security_center/advice/Exploits/Ports/default.htm
- Services – programs running on a machine to perform a specific function. If a service is running as root, any command it executes runs as root. Have to limit the number of services running and at what priority they are running.
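The Hub vs. Switch slide above explains why a sniffer on an ordinary switch port sees so little and why a monitoring port is needed for a network sensor. The model below is an added example, not from the course slides: it simulates a hub repeating every frame, a switch learning MAC addresses and flooding broadcasts and unknown destinations, and an optional monitoring port, and reports which frames a sniffer on a given port would capture. The class and function names (Hub, Switch, sniffer_sees) and the traffic are this example's own constructions.

```python
from dataclasses import dataclass, field
from typing import Optional

BROADCAST = "ff:ff:ff:ff:ff:ff"

@dataclass
class Frame:
    src: str      # source MAC
    dst: str      # destination MAC
    in_port: int  # port the frame arrived on

@dataclass
class Hub:
    """Layer 1 repeater: a frame goes out every port except the one it came in on."""
    ports: int
    def forward(self, frame: Frame) -> set:
        return {p for p in range(self.ports) if p != frame.in_port}

@dataclass
class Switch:
    """Layer 2: learns source MAC -> port, delivers known unicast to one port,
    floods broadcast/unknown frames, and mirrors everything to an optional
    monitoring (SPAN) port."""
    ports: int
    monitor_port: Optional[int] = None
    cam: dict = field(default_factory=dict)  # MAC address table

    def forward(self, frame: Frame) -> set:
        self.cam[frame.src] = frame.in_port  # learn where the sender lives
        flood = {p for p in range(self.ports) if p not in (frame.in_port, self.monitor_port)}
        if frame.dst == BROADCAST or frame.dst not in self.cam:
            out = flood  # no table entry yet: this frame is treated like a broadcast
        else:
            out = {self.cam[frame.dst]} - {frame.in_port}
        if self.monitor_port is not None and self.monitor_port != frame.in_port:
            out = out | {self.monitor_port}
        return out

def sniffer_sees(device, sniffer_port: int, frames) -> list:
    """(src, dst) pairs a sniffer on sniffer_port captures; device state is updated."""
    return [(f.src, f.dst) for f in frames if sniffer_port in device.forward(f)]

# Constructed traffic: host A on port 0, host B on port 1, sniffer on port 3.
A, B = "aa:aa:aa:aa:aa:aa", "bb:bb:bb:bb:bb:bb"
TRAFFIC = [
    Frame(A, B, 0),          # B not yet learned: flooded, so the sniffer sees it
    Frame(B, A, 1),          # A learned on port 0: delivered only there
    Frame(A, B, 0),          # both learned: port 1 only
    Frame(A, BROADCAST, 0),  # broadcast: every port
]
```

The model also shows one case the slide leaves out: until the switch has learned a destination MAC, it floods that unicast frame too, so a sniffer on a plain port briefly sees more than "its own traffic plus broadcasts".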
Routes Attackers Use to Get In (continued)
- Third-Party Software
- Operating System – the default install leaves most ports open and services running
- Passwords
- Social Engineering
- Trojan Horses – overt (open) / covert (hidden feature)
- Inference Channels – gathering information from open sources and surrounding events
- Covert Channels – involves a trusted insider who is sending information to an unauthorized outsider

Goals Attackers Try to Achieve – Goals of Information Security
- Confidentiality – preventing, detecting, or deterring the improper disclosure of information
  - Hacker’s Goal – credit card information, competitor information, identity theft
- Integrity – preventing, detecting, or deterring the improper modification of data
  - Hacker’s Goal – change data for own purposes
- Availability – preventing, detecting, or deterring the unauthorized denial of service to data
  - Hacker’s Goal – denying access to all key components of the system
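The Covering Tracks slide earlier in the deck says that log cleanup and reset file properties are combated with programs that calculate checksums. The script below is an added example, not part of the course material: it records a SHA-256 baseline of a directory, then shows that a truncated log file is still caught even after its modification time has been put back, and that a newly dropped file is reported. The directory contents and file names (auth.log, sshd_config, .hidden_tool) are constructed for the demonstration.

```python
import hashlib
import os
import tempfile
from pathlib import Path

def file_digest(path: Path) -> str:
    """SHA-256 of a file's contents, read in chunks."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def baseline(root: Path) -> dict:
    """Record digest, size and mtime (ns) of every regular file under root."""
    entries = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            st = p.stat()
            entries[str(p.relative_to(root))] = {
                "sha256": file_digest(p), "size": st.st_size, "mtime_ns": st.st_mtime_ns}
    return entries

def verify(root: Path, base: dict) -> dict:
    """Compare the tree against a saved baseline."""
    current = baseline(root)
    report = {"changed": [], "timestamp_restored": [], "missing": [], "added": []}
    for name, rec in base.items():
        if name not in current:
            report["missing"].append(name)
        elif current[name]["sha256"] != rec["sha256"]:
            report["changed"].append(name)
            # The digest, not the timestamp, is the evidence: a restored mtime
            # hides the edit from a directory listing but not from the checksum.
            if current[name]["mtime_ns"] == rec["mtime_ns"]:
                report["timestamp_restored"].append(name)
    report["added"] = [n for n in current if n not in base]
    return report

def demo() -> dict:
    """Constructed scenario: a log line is removed, the mtime put back, a tool dropped."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        log = root / "auth.log"
        log.write_text("login ok user=alice\nlogin failed user=root\n")
        (root / "sshd_config").write_text("PermitRootLogin no\n")
        base = baseline(root)                      # taken while the system is clean
        old = log.stat()
        log.write_text("login ok user=alice\n")    # "clean up the log files"
        os.utime(log, ns=(old.st_atime_ns, old.st_mtime_ns))  # "change properties back"
        (root / ".hidden_tool").write_bytes(b"\x00")          # uploaded program
        return verify(root, base)
```

In practice the baseline must be stored somewhere the attacker cannot rewrite (read-only media or another host), or it can be regenerated along with the tampered files.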