Download Course Overview - Cyber Security Lab

1
Course Overview
Online 451 is designed to provide students with a strong foundational knowledge of
network security including the principles, algorithms and protocols underlying the design
and development of network security. The course focuses on exploring security
measures that are widely used in industry to deter, prevent, detect and correct security
violations. Students will have many hands-on practices in lab operating hacking tools
and implementing security applications, which, later, will greatly benefit them in
resolving real world security issues
The course is organized to cover the following major topics:
Security Fundamentals
Firewalls
Virtual Private Networks
Encryption
Key Management
Authentication
Intrusion Detection
Web Security
The Future
Course Goals


Present the fundamentals and principles of network security
Demonstrate different network security products and solutions
Course Objectives
Upon completion of this course, each student should be able to:









Describe the need for network security, different categories of security threats, as
well as common attack methods and techniques used by hackers
Discuss the functionality, design principles and security issues associated with
firewalls, and configure a firewall
Discuss the foundational concepts associated with VPN and implement a VPN
Describe major encryption techniques, concepts, and algorithms underlying those
techniques
Describe widely used key management techniques and approaches
Discuss the requirements for authentication and approaches to authentications and
analyze specific examples
Define network attack issues, intrusion detection, and analyze various approaches
to prevention and detection
Discuss important security area and web security key standards
Identify future trends in network security architecture and strategies
1
2
Topic 1 Security Fundamentals
Topic lessons:
1. Introduction
2. Vulnerabilities and Incidents
3. Network Attacks
4. Intrusion and Penetration
5. Network Security Policy
6. Wrap-Up
Lesson 1 Introduction
Topical Goals
Over the past few years, there has been an explosive growth in computer systems and
their interconnections via networks. Computer networking has evolved into every aspect
of our lives. Businesses start relying more on Internet and networking in order to build
strong relationship with customers and partners, improve their efficiency and lower
operation costs. Internet and networking has greatly expanded the way of
communicating and sharing data between businesses, providing services to customers and
processing data.
As computer networks continues to grow to enable more and more applications and are
available to more and more users, they become even more vulnerable to a wider range of
security threats. It has become a major concern in network industry as to how to prevent
data and resources from disclosure, to guarantee the integrity of data and messages, and
to protect systems from network-based attacks. It is important to understand common
techniques used by hackers and learn how to implement adequate measures to enhance
the business’s daily procedures and transactions.
After reading this topic, you should be able to:




Explain the importance of network security
Describe different type of attacks, common attack techniques and their mitigation
recommendations
Describe different intrusion tools, penetration scenarios and steps to conduct a
penetration
Identify the components of a complete security policy
Lesson 2 the Importance of Network Security
Lesson Objectives
Network in the past was designed relatively more secure due to the connections with only
known parties and sites within a corporate environment. Nowadays, network with
2
3
availability to the Internet and public networks has become more important to improve
businesses’ efficiency and revenue growth. It is now possible to interconnect partner
companies at separate geographical locations and to place orders and update information
online easily. However, this broad access has brought with it the possibility for data theft,
disclosure of private information and financial loss.
This lesson will present the growth of security vulnerability and incidents in today’s
networks and the need for network security.
After reading this lesson, you should be able to:



Illustrate the security vulnerability and incident level in today’s network
Review examples of historic security incidents
Identify the need for network security
Vulnerabilities and Incidents
Modern networks have become increasingly large and complex in terms of sites
connected, of users at each site, and of the use they each make. While the increased
connectivity provides benefits to the business, it enables the outside world to reach and
interact with local network assets.
It is hard to keep up with all possible security vulnerabilities. Network applications are
too complicated to be perfect from security perspective. Businesses tend to focus more on
improving revenue growth than spending time and money on better techniques to identify
and remove vulnerabilities. More people are using computers without knowing well how
to protect their computers. Even protocols used to manage your network can be a source
of vulnerability themselves. All too often security weakness is exposed only after the
system has been compromised, by which time it is already too late.
Not only there are more security vulnerabilities in today’s network, but obtaining the
hacking tools becomes easier – there are free downloadable tools available that require
little or no technical knowledge to put into practice. There are also build-in applications
for troubleshooting a network that could be maliciously used for hacking purpose.
As a result, there has been a huge increase in security incidents in the past twenty years.
Though most network security crimes are unreported, the statistics are alarming.
According to an FBI survey of 500 private corporations and large government agencies,
in 1996 42% of those organizations had a security breach over the last 12 months, while
20% don't know. In 1997, 50% had a security breach with 17% having no knowledge
that a breach occurred. In 1998, 64% had a security breach with 18% not knowing. In
1999, 63% had a security breach and 21% cited no knowledge of an attack. Out of these
known attacks in 1999, 57% occurred via the Internet, 51% from internal systems, and
27% via remote dial-in.
3
4
Figure 1 – Total Number of Vulnerabilities
Figure 2 – Total Number of Incidents
4
5
Since more business processes and sensitive data are handled online, companies are
experiencing significant losses due to security breaches. The cost of lost goods and
services was estimated at 100 million in 1997. This number rose to 138 million in 1998
and 125 million in 1999.
Security Incidents in History
Every computer is a potential host of vulnerabilities. The more accessible it is, the more it
is susceptible to attack. Connecting to a network such as the Internet makes it potentially
accessible to everyone on the network.
Network security incidents are the network-related activities with negative security
implications. This usually means that the activity violates an explicit or implicit security
policy. Here we present several sever security incidents in the history of the Internet.
Melissa
First found on March 26, 1999, Melissa came to be one of the most
infamous computer viruses the world has ever seen. At around
2:00pm that day, reports had been received from more than
100,000 hosts about performance problems and denial of services
on mail servers that clogged with virus propagating emails.
Melissa spreads on machines with Microsoft Word 97 or Word
2000 in the form of e-mail attachment. The orginial version of attached file is called
“List.DOC”. If the word document containing the virus, either LIST.DOC or another file
infected, is downloaded and opened, then the macro in the document runs and attempts to
mass mail itself. It collects the first 50 entries from the MS outlook address book, and
sends an copy of itself to those e-mail addresses and then spreads from there.
An infected e-mail looks like:
From:
Subject: Important message from
To:
Attachment: LIST.DOC
Body: Here is that document you asked for ... don't show anyone
else ;-)
I love you
Over a five-hour period during May 4, 2000, this virus spread
across Asia, Europe and the United States via e-mail messages
titled "ILOVEYOU." The virus clogged web servers, overwrote
personal files and caused e-mail systems shut down. As of 5:00
pm, May 8, 2000, it was reported that more than 500,000
individual systems were affected. Sites infected suffer
5
6
considerable network degradation and corruption of certain files.
The virus arrives as an e-mail with the subject line "I Love You" and an attachment
named "Love-Letter-For-You.txt.vbs." New variants have different names including Very
Funny.vbs, virus_warning.jpg.vbs, and protect.vbs. The attached file is an executable
visual basic script. Opening the attachment executes the script and thus infects your
computer. The infection first scans your PC's memory for passwords, which are sent back
to the virus's creator. The infection then replicates itself to all entries in your outlook
address book. Finally, the infection replaces certain types of files
(e.g., .vbs, .vbe, .js, .css, .wsh, .jpg, .jpeg, .mp2, .mp3) with a copy of itself. It also
appears to reset the default start page for Internet Explorer.
Denial-of-service
On Feb. 6, 2000, Yahoo web site went down for three hours. By evening Feb. 7, eBay,
Amazon, and CNN were shutdown, followed by E*trade in the morning of Feb. 8. The
deluge slowed the entire Internet, even sites that weren’t targeted. To access a typical
web page (un-attacked) during that week, it was 6% slower on Monday, was 7% slower
on Tuesday and rose to 26% slower on Wednesday. Sites such as Yahoo got hit with as
many as 1 billion bits of data a second – more than some sites get in a week.
A denial of service (DoS) attack is a security incident that deprives legitimate users of
services or resources they would normally able to access. When a DoS attack happens,
users experience unavailability of one particular network service or even temporary loss
of all network connectivity and services. Dos attacks are easy to launch and difficult to
track because hackers can send legitimate requests for service. Moreover, they come in a
variety of forms and aim at a variety of services such as email, web sites, online shopping,
and etc. For example, users will have trouble to access a URL of a web site which is
flooded with millions of requests and forced to cease operation. Although it usually does
not result in the data disclosure or other security loss, a DoS attack can essentially disable
your computer or network and cost the victim a great deal of time and money.
Internet Worm
On the evening of November 2, 1988, the Internet came under attack from within - a selfreplicating program was released upon the Internet. This program (a worm) invaded
VAX and Sun-3 computers running versions of Berkeley UNIX, and used their resources
to attack other computers. As time went on, hundreds or thousands of computers in the
U.S. had been affected. Many of them became so loaded with running processes that
they were unable to continue any processing. Some machines failed completely with all
swap space or process tables exhausted. The Internet had never been attacked in this way
before, and November 3, 1988 came to be known as Black Thursday.
A worm is a program that propagates itself across a network, using resources on one
machine to attack other machines. When a worm breaks into a computer in the Internet, it
replicates and executes itself to collect information about hosts, networks and users from
6
7
this computer and proceeds to infect more machines using the information. The worm
spreads over the internet with no assistance (Virus requires involvement of user for
propagation). Once it identifies an internet connection, it downloads a copy of itself to a
new location and runs itself, so all machines connected to an infected machine are at
potential risk of attack. Worm can cause denial of service when systems are loaded with
multitudes of worms trying to propagate the epidemic.
Need for Security
Today’s businesses rely on extensive information communication with public networks
and systems for survival and profitability. In the modern business environment,
regardless of the business type, all data resident on a computer system is both valuable
and vulnerable. Business is constantly under risk of threats that could potentially harm
the operation, assets, and profitability. The consequences can be loss or modification of
critical business data, disruption of services, disclosure of proprietary business plans and
even stop of operation.
Security threat has extended beyond physical boundary of every system. Since all
systems are virtually connected to one big network – Internet, compromise of one system
could virtually affect every system connected with it. Without proper protection, any part
of any network can be susceptible to attacks or unauthorized activity. Routers, switches,
and hosts can all be violated by professional hackers, company competitors, or even
internal employees. This increased connectivity has brought both risk and convenience.
In addition, hackers’ understanding of security weaknesses has increased over time, as
have advancements in their attack tools. Internal vulnerabilities may be exploited by
external threats as well as internal. It is urgent that we increase our understanding of
security and improvements in computer systems.
When implementing security, there sometimes exists a conflict between security
objectives and operational requirements. The benefits of a security plan need to be
quantified as a function of costs, and benefit cost tradeoffs need to be considered to
justify an appropriate security plan.
Lesson Wrap-Up
With the advent of Internet and networking, companies’ abilities have dramatically
improved in terms of building stronger relationships with customers, suppliers, partners,
and employees. Internet-enabled companies have become more flexible and competitive.
As companies open their networks to more users and applications, they also expose their
networks to greater risk. Statistical analysis confirms that vulnerabilities in network
systems have increased, so have attacks that exploit these vulnerabilities. As a
consequence, there has been a surge in incidents recently. To combat those attacks and
ensure a system is not compromised, security technology must play a major role in
today’s networks.
7
8
Now that you have completed this lesson, you should be able to:



Illustrate the security vulnerability and incident level in today’s network
Review examples of historic security incidents
Identify the need for network security
Lesson 3 Network Attacks
Lesson Objectives:
An attack is a single unauthorized access attempt, or unauthorized use attempt regardless
of success. Network attacks can be as varied as the systems that they attempt to penetrate.
To determine the best ways to protect against attacks, we should understand the many
types of attacks that can instigate and damage to a network infrastructures.
After reading this lesson, you should be able to:


Identify different categories of network security attacks
Discuss common attack techniques and corresponding mitigation
recommendations
Network Attack Types
Network threats are potential dangers that might exploit vulnerabilities of a network and
cause harm or havoc. Network attacks are assaults on system security that derives from a
threat. Threats can come from within an organization or outside. External threats are
dangers from an external source that are malicious and can be destructive to a system.
Internal threats are often from an internal source such as disgruntled employees or
visitors who have been given permission to access certain network resources. Necessary
security measures should be in place to reduce vulnerabilities to both internal and
external threats and respond when attacks occur.
Network attacks can be originated from both external and internal threat sources. Despite
their origins, there are generally considered to be two types of network attacks: passive
attacks and active attacks.
A passive attack attempts to learn or monitor traffic transmitted over a network without
applying any changes to the system. Hackers of passive attacks are typically
eavesdropping or monitoring information that is being passed across the network. They
can often successfully obtain sensitive or confidential information that are distributed in
plain text, such as an important e-mail messages or a transferred file containing a
business plan.
8
9
Another purpose of passive attack is to perform traffic analysis. When information are
encrypted, passive attacks can be used to study the pattern of the traffic. Such study can
reveal information, such as the location and identity of communication hosts, or the
frequency and length of data being exchanged, which might be useful in guessing the
nature of the communication that is taking place.
Passive attacks are difficult to detect because traffic is still sent and received in a normal
pattern and there is no sign of any type of data alteration and resource affection.
Therefore, countering passive attacks should focus on prevention than detection.
An active attack is an attack within a computer network which modifies the data stream
(e.g. message) or creates a false data stream. Active attacks basically take four different
forms: masquerade, replay, modification of messages, and denial of service.
A masquerade happens when one entity hides its identity under the mask of another entity.
An example of a masquerade is to send out an e-mail message that to a recipient appears
to be from a trusted source. IP spoofing, which will be discussed later, is a masquerade
attack.
A replay takes place when a hacker obtains a message without interrupting the normal
delivery process, and later relays the original message to the recipient again.
Modification of messages involves altering, or reordering some portion of a legitimate
message to produce an unauthorized effect. For example, a message “allow John to
access the database” could be changed to “allow Fred to access the database”.
A denial of service attack inhibits the normal use of network facilities, or disables a
network or degrades its performance by exhausting the network resources. For example,
a hacker may suppress all messages directed to a particular destination (e.g. network
audit service), or flood an e-mail server with millions of meaningless messages so the
mail server will grind to a halt.
Active attacks often launched by hackers who are more motivated and technically
competent to use sophisticated hacking techniques to penetrate unsuspecting businesses.
These attacks are often involved with the major fraud and theft cases. Contrary to
passive attacks, it is quite difficult to prevent active attacks completely. The goal for
countering attack attacks is to detect them and then to recover from the damages.
Common Attack Weapons
There are many types of attacks that can be used to assault a network and compromise
your system. The following are some attack weapons commonly used by hackers:


Packet sniffers
Spoofing tools
9
10









Password crackers
Denial-of-service (DoS) or distributed denial of service (DDoS) tools
Virus, Worm and Trojan horse
Malicious applets
War Dialing
Logic bombs
Buffer overflow
Social engineering
Dumpster diving
Packet Sniffers
A packet sniffer is a software program that covertly searches individual packets of data as
they were sent across a local network, capturing login sessions or the entire contents. A
packet sniffer is able to place the network adapter of the machine hosting the sniffing
software into “promiscuous mode”, which allows all of the traffic on the physically
connected network to be directed to sniffing application to process. Pakcet sniffers
merely examine and log the network packets without modifying them (passive attack).
Network protocols that distribute network packets in plain text data, such as Telnet, FTP,
SNMP and POP, are in great risk, because the original packets of data can be interpreted
and processed by sniffers that monitor them on the network. Packet sniffers can steal
meaningful and sensitive information, such as user login names and passwords. Because
humans tend to use a single login and password for multiple applications, attackers are
often successful in gaining access to vital information.
One-time password (OTP) system is a good method to counter packet sniffers
implemented to grab login information. OTP requires a personal identification number
(PIN) and a token card for authentication to get into a device or software application. A
token card is a hardware or software device that creates a sequence of one-time (random)
passwords at specified intervals (usually 60 seconds). The random password combined
with a PIN generates a unique password each time for one instance of authentication.
Even a hacker obtains the password through a packet sniffer, the password is useless
because it has expired by the time the hacker tries to use it. Note that OTP is not
designed to prevent a sniffer from gaining other sensitive information (such as email
messages).
Sniffers are usually difficult to detect as they do not interfere with the normal network
traffic. There are several antisniffer programs developed to identify the use of sniffers on
a network. These programs analyze changes in the response time of a host since the host
running a sniffer processes more traffic than it is supposed to get. Antisniffers cannot
eliminate sniffers, but, as part of an overall security system, they can be effective to
detect sniffers.
The most effective technique for defense against packet sniffers is encryption. When the
network packets are encrypted, packet snidffers will only detect the cipher text
10
11
(unreadable format) rather then original messages. Cisco’s IPSec is one standard method
for networking devices to communicate securely using encryption. Others include Secure
Shell Protocol (SSH) and Secure Sockets Layer (SSL) for secure network management.
Spoofing tools
Attackers have long learned the tactic of disguising their true identity when conducting
harmful activities. IP spoofing is a camouflage technique, in which attackers emulate a
trusted host by using either a valid IP address in your network or an authorized external
IP address that you trust. This is accomplished by first using a variety of means to get an
IP address of a trusted host, and then modifying the source address in the packet header
of a packet to make it appear to be from that host.
Spoofing can yield access to sensitive information. One form of spoofing is that attackers
fake an email address or web page that appears to have originated from a computer
within your organization to trick users into passing along critical information such as
passwords or credit-card numbers.
Access control is one common method to reduce the effectiveness of IP spoofing. If only
internal addresses are trusted, access control should be set to deny any traffic from the
external network that uses a source address from the internal network. However, this
method will not work if some external addresses are trusted as well.
A properly configured filter can also be effective to prevent users of one network from
spoofing other networks. Such a filter will not allow any traffic with a source IP address
that doesn’t belong to your network going out from your network. With this filter in
place, users cannot send out malicious traffic (e.g. an e-mail message) to another network
by pretending to be as one computer on that network.
Additionally there are many network devices that use only IP address-based
authentication; that is, a device accepts requests as long as they come from trusted IP
addresses. In such cases, other authentication methods, such as cryptography
authentication and OTP, can be added to counter IP spoofing.
Denial of Service (DoS) Tools
Dos attacks are not aimed at gaining access to the information or resources on your
network, rather, they focus on consuming resource limitation and thus making a service
unavailable for normal use. DoS attacks require little effort to execute and are among the
most difficult attacks to defend against because they are often carried out using traffic
that would normally be allowed into a network. However, the damage caused by Dos
attacks are serious - they can effectively clog the system, slow down the performance or
even crash a system by hammering the target (e.g., a web site) with more packets than it
can handle in a short amount of time. This method of overloading computers is
sometimes used to cover up an attack.
11
12
Figure - DDoS Example
Daemon
Master
Daemon
Daemon
Daemon
Daemon
Real Attacker
Victim
A more powerful form of Dos attack is DDoS which involves multiple compromised
systems, together attempting to flood a victim with packets that are often from spoofed
(fake) IP addresses. In the DDoS attack, thousands of systems can be used to conduct a
typical DoS attack.
To launch a DDoS attack, the hacker must have possessed a set of specific hacking tools
from scores of underground web sites. In the above figure, the hacker uses the hacking
tools to search for systems to hack on the web. After breaking into a number of
computers, the hacker installs the master program on the computers to identify,
compromise, and infect more computers with daemon software. The hacker now picks a
victim – say Yahoo!, eBay, or Amazon – to carry out the DoS attack by executing the
master programs which will then activate the daemon programs to send a lot of packets
(e.g., requests) to the victim. When so many compromised hosts all send out spoofed
traffic, it can take hours to stop them. But as system administrators sift through the
traffic, they can identify the daemons and then the master programs and finally shut down
them.
DoS attacks are often hard to trace and block due to spoof source IP addresses used by
hackers. Methods to defeat spoofing attacks are helpful to reduce the threat of DoS
because hackers might not attack if they cannot disguise their identities. A DDoS
program can be mitigated by a solution to find machines hosting masters and daemons
before they are put to use. There are now products to achieve this task. Another way is to
implement filter to limit the amount of nonessential traffic allowed into a network at a
certain rate. For example, ICMP traffic, normally used for diagnostic purposes, can be
limited to prevent against ICMP-based DDoS attack.
12
13
Password Crackers
A password cracker is any software that can detect or guess passwords and therefore
disable password protection.
We know packet sniffers and spoofing attack can yield user accounts and passwords.
Under the situation when a password is encrypted, password crackers are often used for
repeatedly attempting to identify the original password in clear text. Encrypted
passwords cannot be decrypted since most of encryption algorithms are now one-way,
that is, the encryption process cannot be reversed to reveal the original password.
Many password crackers are based on brute-force engines – programs, utilizing the same
algorithm as the original password program, try to match encrypted versions of the
password to the original through a comparative analysis. The program uses a particular
character set, such as A-Z plus 0-9, and computes every possible combination of the
characters in a high speed. A simple way is to use all of the words in a dictionary, called
“dictionary cracking”. These crackers often lead to successful encounters of the right
passwords due to human characteristics – Humans are simply lazy to create strong
passwords, and often uses the same password for every system they access.
(http://docs.rinet.ru/LomamVse/ch10/ch10.htm)
To reduce the threat of password attacks, strong passwords are strongly recommended.
Many systems with strong password support restrict a user to only use the passwords that
are at least eight characters long containing uppercase letters, lowercase letters, numbers,
and special characters. Even with strong passwords, some systems require users to
change the password at regular time intervals. In addition to that, do not allow users to
use the same password to access all systems and whenever possible, use strong
authentication such as OTP or encrypted password.
Virus, Worms and Trojan Horses
Every end-user’s workstation has a potential risk to suffer viruses, worms and Trojan
horse attacks. A virus is a piece of software embedded in real applications to perform
unauthoried activities on a user’s workstation. Like biological viruses, computer viruses
have to reside in other programs or documents in order to get executed. For example, a
virus may attach itself to a word document. Every time the word document is open, the
virus runs. Once it is running, virus has the capability to reproduce itself by attaching to
more programs on your computer and creates huge damage. Viruses can also hide in an
email and move around by automatically mailing itself to people in the victim’s address
book.
A worm is a also a piece of software, but different than virus, it automatically replicates
itself and expands quickly from machine to machine through the network connection. A
worm usually exploits some sort of security holes in a system. It first scans the network
for machines with a specific security hole. When it discovers such a machine, it copies
itself to the new machine and propagates from there using the security hole.
13
14
A Trojan horse refers to a computer program that does things more than it claims. For
example, a Trojan horse, which looks like a simple game, when the victim clicks and
plays it, can spread itself by mailing a copy of itself to every user in the victim’s address
book. Trojan horse attacks are often deployed by replacing common programs with
hacker’s programs on a system. The hacker’s programs provide all the functionality of
normal programs in addition to the features only known to the hacker. A typical example
is a Trojan horse that displays a screen prompting for login. It then captures user’s input
distribute the login information back to the hacker. Next, it pops out an error message
such as Bad username/password, and starts normal login instance. The user will proceed
with a new login attempt without knowing of the disclosure of his/her account
information. Trojan horse programs can also modify an application, such as adding a
blind carbon copy whenever you send out an email so that the hacker can read all your
messages.
Avoid software or demos with doubtful origins can keep your computer safe and away
from almost all traditional viruses. For example, do not execute unknown applications or
download free software from suspicious web sites. Additionally, make sure that Macro
Virus Protection is enabled in all Microsoft applications, and only run macros in a
document from trusted resources. Executables that arrive via e-mail is dangerous too.
An executable file with an extension of .exe, .com, or .vbs may contain virus that does
anything it wants on your machine once you run it. Always use anti-virus software to
scan any program or document download onto your machine before you open or read,
which is very effective to prevent most viruses and many Trojan horse applications from
spreading in the network. Finally, you can better position yourself in the fight against
these attacks by keeping up with the latest knowledge about these types of attacks.
(http://computer.howstuffworks.com/virus8.htm)
Malicious Applets:
An applet is a small program, typically written in Java, which can be embedded directly
into Web pages. When you connect to a web page containing an applet, the applet’s code,
along with any text, image or file on the page, will be automatically transferred to your
computer and executed by your browser. Applets are convenient in terms of providing an
application with special effects such as animations, graphics, and sound.
Malicious applets are such hostile applets which invade your machines with its malicious
code and conduct unwanted functions. Once malicious code gets control of the machine it
can misuse your computer’s resources, compromise the user’s privacy, modify or delete
files on the hard disk, send fake e-mail or steal passwords, snoop the user’s keystrokes,
spread viruses, or even launch a DDoS attack.
Malicious applets could invade your machine when you connect to an “untrusted” site.
Disabling Java solves this problem when necessary. It is advised that you disable Java
when browsing an “untrusted” Web using Netscape 2.0. You can enable it when you
connect to a “trusted” site. Systems maintained by a legitimate company would be more
trustworthy than a site maintained by an unknown person. There hasn’t been any
14
15
malicious applets discovered, yet we need to be aware of the potential risk.
(http://www.hmc.edu/comp/occ-down/vol4/iss3/java.html)
War Dialers
War dialers are programs that automatically dial thousands of telephone numbers to
identify the phone numbers that can successfully make a connection with a computer
modem. Advanced versions of war dialer may attempt to determine the operating system
or even perform an automated break-in test. In such cases, an intruder could attempt to
gain access to the system with unprotected log-ins or easily cracked passwords.
One effective way to reduce the effect of war dialer attack is to make constant password
change and use complex (strong) passwords. Additionally, you will notice that certain
system would prompt dial up users with information like “Red Hat Linux 7.1…”;
therefore you need to avoid anything about your system is disclosed to users who have
not yet logged in (http://www.leave-me-alone.com/hackers_wardialer.htm).
Logic Bombs:
A logic bomb is a set of instructions buried in a computer program which perform
malicious act on your computer system when executed. Logic bomb typically stays
dormant until certain conditions are satisfied. When “exploded”, it causes damages
ranging from printing a spurious message, corrupting data on your disk, to making the
entire file system unusable.
For example, a program, which reviews payroll records daily, could activate another
piece of code to destroy vital files on the organization’s system when the name of the
programmer responsible is disappeared from payroll. In this case, the logic bomb can be
built to set off in 2 or 3 months so that the programmer cannot be easily identified.
(http://www.yourwindow.to/information-security/gl_logicbomb.htm)
Some logic bombs can be detected and eliminated before executing through a periodic
scan of all computer files. There are also a number of network utilities that can
effectively track and remove unauthorized files and programs and other potential sources
of logic bombs based on a pre-set time frame.
Buffer Overflow:
Buffer overflow is a technique for crashing or gaining control of a computer by sending
more data to the buffer (allocated memory) than the space it has allocated to hold in a
computer’s memory.
Generally services, such as web server, mail servers, and etc., are triggered by requests. A
service crashes if receiving too many requests than its memory can contain (memory
leak). For example, a web server can cease operation when it receives too many access
requests.
15
16
Hackers can also use buffer overflow to execute a piece of malicious code. When a
program is executed, the addresses of the program code that should be executed next are
saved into the stack (A contiguous block of memory in computing where data items are
stored and retrieved from the top). By overflowing the stack, you can overwrite the
addresses kept in the stack. When the program executes to the next, instead of the
original code, the code pointed by the new address will be executed. This allows an
attacker to hijack the control of a program by replacing the original process code with
attacker’s harmful code.
It makes more difficult to perform buffer overflow attack by writing secure code and
keeping away from insecure functions in a programming language such as those that read
user’s input until a terminating newline with no bounds check.
(http://www.linuxjournal.com/article.php?sid=6701)
Social Engineering
Social engineering is a tactic used to take control of a computer system by taking
advantage of human characteristics. For example, hackers can talk unsuspecting
company employees out of valuable information such as passwords, and thus successfully
gain access to sensitive information as people tend to use a single password for multiple
accounts.
Training is essential to ensure employee would not involuntarily leak out any sensitive
information. It is also important to develop and implement comprehensive security
policies to address information access controls, setting up accounts, password changes
and necessary security protection procedures.
(http://www.securityfocus.com/infocus/1533)
Dumpster Diving
Dumpster diving is to sift through a company’s garbage to find information to help break
into the computers. Businesses and individuals negligently discard information including
organizational charts, printouts of logins and passwords, system manuals, printouts of
source code and so on. Sometimes the information is used to make a stab at social
engineering more credible.
This technique was commonly used in the 80’s due to insufficient security then; nowdays
businesses became more aware of the need for security, sensitive documents were
shredded before being dumped or special procedure was adapted for disposing
information or storgae media. (http://en.wikipedia.org/wiki/Dumpster-diving)
Lesson Wrap-Up
Network attacks assault on system security to evade security services and violate the
security policy of a system. Attack can be passive or active, conducted by insider or by
outsider. Success depends on the degree of system vulnerability, the strength of attacks,
16
17
and the effectiveness of any countermeasures in use. Understanding how and why each
attack technique is used, combined with the knowledge of prevention methods, can help
protect your network to defend against these attacks.
Now that you have completed this lesson, you should be able to:


Identify different categories of network security attacks
Discuss common attack techniques and corresponding mitigation
recommendations
Lesson 4 Intrusion and Penetration
Lesson Objectives:
The term intrusion is used to describe attacks from the outside by means of different tools.
Intrusion tools are generally classified as follows:
-
Scanners
Remote exploits tools
Local exploits tools
Monitoring tools
Stealth and backdoor tools
Each type of the tools, involving one or a group of attack techniques, can be used to
exploit a specific type of system vulnerability. This section examines these intrusion tools
and how a penetration is performed by utilizing these tools.
After reading this lesson, you should be able to



Define and give examples of each category of intrusion tool
Discuss three different penetration scenarios
Describe each step used to perform a penetration
Intrusion Tools
Scanners
Scanners are widespread probes of the Internet to obtain information about a host or
network such as types of computers, services, open ports, local IP range and connections.
Network administrators often use scanners, such as Domain Name Server (DNS) queries,
IP address queries, ping sweeps, port scans, and etc., for monitoring, reporting and
trouble-shooting network and systems activities, while hackers can take advantage of
them to locate common security weaknesses in a particular network or host before
attacking.
17
18
There are two types of scanners: network auditing tools and host-based static auditing
tools. Network auditing tools are used to scan a remote host or series of hosts on a
network and reveal as much information as possible about the network. Host-based static
auditing tools are used to scan a local host and reveal as much information as possible
about the local host.
Using network auditing tools, hackers are often able to gather enough essential
information to identify security related vulnerabilities of each host on a network. For
example, hackers can obtain information such as,
-
host machines that are connected to the target network and that respond
host IP addresses
host machine types
operating system running on hosts
network configurations and connections
services available on the responding hosts (i.e., web servers)
version of services available on the responding hosts
etc..
Hacker always look into version of a service because certain version of a particular
service has publicly known security holes (i.e., sendmail can be tricked into running bad
commands). In addition to the above information, hackers also examine possibilities to
remotely execute certain commands or tools, or run remote access utilities, such as
remote execute (rexecute) or remote shell access (rsh) which provides the ability to run
commands on a remote system without entering a password. Examples of network
auditing tools are SATAN and ISS.
Using host-based static auditing tools, hackers are able to obtain necessary information to
identify security vulnerabilities of a local host. Such information includes:
-
permission in files, directories, and devices
poor security for password and easy-to-guess passwords
known vulnerable services running on the local host
signs of past intrusions
Once they get these information, hacker can apply local exploit tools (discussed later) and
gain access to poorly protected files, directories and devices, and find the password that
enable unauthorized privileged access. Local vulnerable services (i.e., fingerd, or
anonymous FTP configuration), which are found locally, can be exploited by remote
exploits tools as discussed next. Also hackers use signs of past intrusions to identify any
loopholes (backdoors) left from previous attacks to easily gain control of the host.
Examples of host-based static auditing tools are COPS and TIGER.
Remote exploits tools
18
19
A remote exploit is a program, or method, that can be used by a person who has no
existing account, to penetrate a remote machine. Remote exploits often associates with
services provided by hosts in a network. They take advantages of security weakness of
those services, and are among the most feared and hardly guarded tool sets. Examples of
remote exploits are:
-
Buffer overflow technique used by worm to attack fingerd, a daemon that provides an
interface to the “finger” program at most network sites. The “finger” program is used
to return a user-friendly status report on a network. Fingerd’s memory can be over its
limit when there are too many incoming requests.
-
Rsh provides ability to execute commands on remote hosts without entering
passwords. This makes it possible for a hacker, who doesn’t possess a password, to
remotely issue harmful commands.
-
Sendmail (the debugging mode). A sendmail service is a program processing
electronic mail. The sendmail accepts a connection request from a user and
communicates with the user. Under certain mode (option of a command), sendmail
has a security vulnerability that can be exploited through user-defined data. This
makes the server hosting sendmail vulnerable to attacks from unprivileged users on
any connected machines.
-
Ip Spoofing is a technique that would let a (hostile) host appear to have another host’s
IP address. If the target system is using a protocol that relies on IP address-based
authentication, a hostile host is able to access the target system as a trusted host using
spoof address.
-
Malicious mobile codes are tiny programs, embedded in a web page and executable
by a web browser, misuse your computer’s resources, modify files on the hard disk,
send fake e-mail, or steal passwords. Examples are email attachments that are
executable, i.e., Melissa, I LOVE YOU, and denial-of-service technique.
Local exploits tools
A local exploit is a tool, or method, that can be used to gain unauthorized privileges on a
computer by a person who has an existing account. The existing account can either be
legitimate, or acquired through other means such as remote exploits, packet sniffers,
social engineering, and etc. Examples of local exploits are:
-
Password crackers, i.e., using dictionary cracking to find easy-to-guess passwords
-
Exploit Bugs exploit errors or bugs in a privileged program’s design or
implementation that allow an intruder, as an unprivileged user, to execute hostile
commands at a privileged level or access and modify privileged data. This may help
an intruder to attain the privileged access to control the whole system.
19
20
Monitoring tools
A monitoring tool allows a user to monitor a computer system and the network data.
Monitoring tools utilize two attack techniques: sniffers and snooping tools.
A sniffer program monitors and logs network data traffic (e.g., tcpdump, a powerful tool
that allow a user to sniff network packets and make some statistical analysis out of those
dumps). Sniffers can capture sensitive information such as user login and password, and
other important data passing through a network.
A snooper monitors a user’s activities by snooping on terminal sessions, monitoring
process memory, or logging a user’s keystrokes, e.g., keystroke snooper. By watching
user’s actions, a hacker can get information about other systems and use them to attack
more systems.
Stealth and backdoor tools
A stealth and backdoor toolkit allows an unauthorized user to hide his/her trails and
continue using the system after a break-in. A stealth tool allows the attacker to modify
the system logs and eliminate all records relating to his/her activities to ensure the
malicious activity goes undetected. A backdoor tool is a modified, drop-in replacement
of the original critical system that provides authentication and system reporting services.
It is typically a Trojan horse and can provide continued, un-logged use of the system,
hide suspicious files and processes from the user and system administrators and report
false system status. In case the original entry point has been detected, backdoor tools,
allow a few hidden ways to makes reentry easy and difficult to detect.
Penetration
Network penetration refers to intruder use a set of procedures, designed to bypass the
security controls of a network system, to gain the control of the system to the certain
degree. To bypass the security controls, intruders exploit vulnerabilities on the external
or internal network, including operating systems, e-mail servers, web servers,
applications, databases, etc.
Regardless of the intent or the goal, a penetration attack normally consists of a
combination of one or more of the following scenarios:

The blind remote attack – the attack on a computer or network where the attacker
does not have valid account information or access. This is the classical scenario
of an attack. Attackers generally only know the address or name of the target
system. From here, attackers attempt to get more information about a network,
hosts and users on the network using scanner tools, and then apply remote exploit
and local exploit to gain a higher level (i.e. user-level) access to the network.
20
21

The user-level attack – the attack on a computer where the attacker has user-level,
or unprivileged access. This attack can come from a legitimate account (customer
or employee) of the organization, or an account illicitly acquired through blind
remote attack.

The physical attack – the attack on a computer or network where the attacker has
physical access. In this scenario, an intruder can relatively easy to gain entry to a
computer that he/she can physically access. Many users log in and leave their
computer on when they leave. When the intruder get into this computer, he/she
can use local exploit to gain privileged access and damage the computer itself. Or
he/she tries to connect the computer physically with a network and use it to
monitor network traffic. Once the intruder collects enough network data, he/she
can then locally or remotely gain access into other hosts on the network.
In each of these scenarios, an intruder uses different intrusion tools to conduct penetration
attack step by step. The following seven steps cover a complete set of procedures needed
during a penetration. Basically, every penetration will involves one of more of the
following seven steps:
Step 1 Reconnaissance refers to the overall act of learning publicly available information
about a target system or network by using tools such as scanners. Before hackers attempt
to penetrate a target network, they often collect as much information as possible about the
network such as host names, host IP addresses, host owner, host machine types, operating
system, network configuration, other hosts connected with the network, other hosts
trusted by the network, list of users, etc..
Such information can be acquired through Domain Name Server (DNS) queries, IP
address queries, ping sweeps, and port scans. DNS queries give the hackers information
regarding to who owns a particular domain and what addresses have been assigned to that
domain. IP addresses queries reveal information about who owns a particular IP address
or range of addresses and what domain is associated to them. Ping sweeps of the
addresses obtained from DNS queries specify the live hosts within that particular domain.
The hackers then use port scanners to cycle through all well known ports to obtain a list
of all services running on the hosts.
Step 2 Probe and attack are when the hackers use scanners and monitoring tools, on top
of the knowledge gathered from network reconnaissance, to probe the system for
weaknesses and deploy the tools for attacking. At this step, the hackers examine the
characteristics of all services running on the hosts and search for security holes that can
be exploited to compromise the system. The services that are examined normally are
FTP (file transfer protocol), SMTP (simple mail transfer protocol for e-mail), Web server,
printer, and/or X Window System server.
Intrusion detection system at the host and network level can usually detect a penetration
probe that is taking place.
21
22
Firewall
Firewall
A
B
Internet
Web Server
Probing packets
Bad Guy
Figure – Penetration Scenario
Step 3 Toehold refers to that the intruders exploit the security weakness discovered from
step 2 and mange to gain entry into the system. Tools used are remote exploits and local
exploits. For example, many computer systems on the Internet offer files through
anonymous FTP, which allows a user to access a machine without having to have an
account on that machine. A hacker may discover an anonymous FTP service on a target
host and break into the target by taking advantage of the feature that a user without
official account can access the server.
Step 4 Advancement refers to the hackers advance from the unprivileged account to a
privileged account to gain full internal access and establish a firebase to attack the whole
internal network. This is accomplished by using local exploits tools.
Step 5 Stealth refers to the hackers, like human criminals, hide all traces and destroy all
evidences that, if left over, might have exposed his/her activities conducted on the victim
equipment. The hackers also install a backdoor that permits reentry or remote control of
a computer. This step basically ensures the intrusion to be undetected and allows
continued and privileged access to a series of hosts. Tools involved at this step are stealth
and backdoor tools
22
23
Step 6 Listening post is when the hackers establish a listening post on the victim
equipment, which is a place where any privileged user can view the network traffic. The
listening post is accomplished through sniffer programs and backdoor tools, which allows
the hackers to externally spy out data transmitting over the network. Logging the
interesting network traffic help the intruder gain more toeholds and advance his/her
attack to the next phase.
Step 7 Takeover is the last step when the hackers move deeper into the network and
expand the area of control from a single host to other hosts using a series of tools such as
sniffers, remote exploits and local exploits. By using all the information obtained from
the previous steps, the intruder can compromise more machines and rapidly spread
throughout the network.
A company can conduct penetration to test attack its network and identify the security
issues or vulnerabilities that could be exploited by either internal or external users.
An advantage of this approach is that it is a less expensive alternative to discover security
holes and implement defensive measures, than when a real penetration happens and your
systems have been damaged.
Lesson Wrap-Up
There are many ways that hackers use for intrusion attack and penetrate into our network.
Only after we understand how a hacker exploits vulnerability and launches intrusion
attacks to compromise a system, we can come up with proper security solutions to
countermeasure these intrusions.
Now that you have completed this lesson, you should be able to



Define and give examples of each category of intrusion tool
Discuss three different penetration scenarios
Describe each step used to perform a penetration
Lesson 5 Network Security Policy
Lesson Objectives
As security threats and possibilities of misuse have increased, organizations have
recognized the importance of the development of security policies and regulations. By
defining and using an appropriate security policy, an organization has a better chance to
maintain the integrity of its network and lower the risks and losses associated with
potential threats to its network and network services.
After reading this lesson, you should be able to:
23
24



Discuss why a security policy is important
Describe what determines a good security policy
List the key components of a security policy
Why a Security Policy is Important?
In today’s fast moving but insecure network environment, having a security policy is very
critical for an organization to be successful. The security policy lays out a security
framework and creates security under this framework by assigning responsibility and
granting authority to management, defining allowed and not-allowed behaviors and
providing basic principles, guidelines and procedures for everyone who is given access to
an organization’s network resources. Without a security policy, an organization will not
be able to protect its network assets from unacceptable use and are vulnerable to a lot of
potential threats.
The security policy, usually in a written form, provides employees with an improved
understanding of security posture and issues involved in an organization’s business
model. Impact of failing to fulfill a security policy therefore become more visible, which
ensures that security policy can be better accepted and complied with by employees when
performing daily tasks.
Furthermore, the security policy help creates consensus throughout the organization. It is
more realistic to require that all security issues be handled in the same manner or be
subject to the same protection rules, and thus help prevent confusion that can cause risk.
What Determines a Good Security Policy?
A good security policy generally has the following features:
Comprehensive – A good policy addresses all areas deemed of interest and priority
within an organization from high-level business goals to day-to-day activities. All
relevant personnel should be involved when creating the policy.
Practical – A good policy takes into consideration an organization’s business function,
the corporate culture and available budget and resources. It balances prevention and
protection with business productivity and should not impede or interfere with the
business. A large budget does not necessary guarantee success of a security policy.
Usable – A good policy should provide sufficient guidance and proper instruction for
personnel to follow in everyday operations and activities. A security policy is of no use to
an organization if it cannot be implemented.
Expandable/adaptable – A good policy should be sufficiently flexible to adapt to new
business processes and accommodate many different systems and resources. It also
24
25
needs to be routinely reviewed, updated and versioned to reflect the changes as new
technology and procedures evolve.
Concise and Clear – A good policy is documented properly, and communicates clearly
with information detailed enough to direct the deployment of the standards defined in the
policy. Relevant information should be easily located and followed by personnel to
resolve security issues.
Enforceable – Success of security begins with a policy that is enforceable within an
organization. It can be enforced through security tools and systems or via manual
processes when automated systems are not applicable. It helps to involve upper
management (e.g. CEO) when enacting a policy.
What Does a Security Policy Contain?
A complete security policy addresses security issues revolving around all applicable areas
and functions within an organization. It normally contains the following important
components:
Security statement specifies an organization’s security requirements, obligations to
protect its private, proprietary resources and other sensitive information. The security
statement conveys to readers the reason to implement a security policy and the content of
a security policy.
Security framework provides a guideline for implementing a secure network
infrastructure and applying secure controls uniformly across the whole network on all
devices, such as servers, workstations, routers, switches, modems, transmission medias,
etc..
Security controls used to secure an organization’s assets may include:
-
Firewall
Intrusion detection systems
Access controls
Authentication methods
Network auditing
Computer system security: operating systems used; peripherals, storage media, etc.
File system security: directory structures and etc.
Physical security
Operational security: environment control, operational activities
Procedural security
This section should also cover how to determine what services are necessary on which
devices to meet the organizational security needs. For example, if your organization
needs to host a server for remote login users, SSH or SSL are safer than Telnet service.
25
26
Acceptable use policy defines necessary procedures and safety measures that the
company will use to protect its assets from access or loss of essential information. This
should include information such as:
- Specifications on technologies and equipment used to permit only authorized access
and use, e.g. passwords
- Polices for allowable passwords
- Regulations on public area access, email and Internet usage
- Restriction on downloading and installing applications
- Guidelines for use of personal machines to access organization’s resources
- Restriction on extranet connection from outside networks
- Procedures for routine logging and auditing
- Procedures for account application and termination
User roles and privileges policy defines roles and privileges (access level permission)
for each person who is given access to the organization’s network assets and information
resources. It identifies the areas of responsibility and grants authority for different roles,
such as users, operational staff and administrators. For example, the following roles and
privileges can be defined:
Administrator – highest privileges with permission to read, write, modify and delete all
data and files
Super-user/developer – Administrator privilege to access one part of data and file while
only user privilege to access the other part of data and files
User – Medium privilege with permission to read, write all data and files but have no
permission to modify and delete them
Guest – Lowest privilege with permission to only read certain data and files
Availability policy defines resource available time period and downtime period for
resource recovery and maintenance, as well as the procedures that internal, external
maintenance staff and vendors use to perform maintenance, backup and upgrade of
equipment.
Incidence Handling specifies the procedures for discovering, reporting and mitigating
security breaches. It points out the processes to follow during and after specific incidents,
which may include:
-
Procedures for threat alert and notification to right response team
Steps to take for mitigating the incident
Rules to prioritize incidents
Procedures to escalate problems to high level management when necessary
26
27
This is one of the most important sections of a security policy. Timely detection and
response can dramatically reduce the function or monetary losses caused by a security
incident.
Policy Enforcement addresses how the security policy will be enforced and what
personnel and procedures will be involved to deal with security breaches and violations.
This may include:
- Repetitive security awareness training for current and newly hired employees
- Policies to handle misconduct and non-compliance
- Process to investigate any suspected non-compliance
Lesson Wrap-Up
Network security policies are the foundation of information security within an
organization. The content and structure of the policies must be well-rounded, up to date
and accurately reflect a company’s security needs. Distribution and deployment of
inappropriate or inadequate policies can cause substantial problems.
Now that you have completed this lesson, you should be able to



Discuss why a security policy is important
Describe what determines a good security policy
List the key components of a security policy
Lesson 6 Topic Wrap-up
The need for network security has increased as networks become more complex and
interconnected. Potential dangers and threats exist everywhere, internal or external, to
breach security and disrupt a system and service. .
A security policy is the most fundamental item necessary for an organization to address
security problems
Now that you have completed this topic, you should be able to






Explain the importance of network security
Describe four types of security threats, specific attack techniques and the general
remediation for mitigating those attack techniques
Describe different intrusion tools
Discuss penetration scenarios and the steps to perform a penetration
Identify the security issues implicit in common management protocols
Identify the components of a complete security policy
27