Expanded Notes: Common Network Threats Parts 1 and 2

Common Network Threats
Lesson overview.
In this lesson, we will cover:
● Inside jobs or threats.
● Outside threats.
● Wireless network threats.
Inside jobs or threats.
When most people consider security threats to networks or systems, they think about the
threats that come from outside of an organization. However, in reality, the overwhelming
majority of security breaches occur from within an organization. Some of the more common
risks and threats are outlined below.
Malicious employee.
We may not know the reason why malicious employees are malicious, but they are difficult to
defend against because they are already inside the defenses of the network. Additionally,
because they are employees, authorization to resources has been granted to them in order for
them to be able to do their jobs.
One of the most effective defensive measures that can be utilized to protect against malicious
employees is employing the principle of least privilege—only granting the least amount of
authorization required for a person to get his or her work done.
Highlights:
● Malicious employees are difficult to defend against, as the threat is already inside the network.
● One of the best defenses is using the principle of least privilege.
Compromised system.
Compromised systems are another threat. Once a PC or network device has been
compromised, it is vitally important to isolate it from the system as a whole. A compromised PC
could lead to a completely compromised network, as malware may be able to spread across its
connections. Once malware has gained access to network resources, it can be extremely
difficult to root out and remove. Malware may also degrade the network’s performance, causing
additional issues.
Highlights:
● Once a PC or network device has been compromised, it is vitally important to isolate it from the system.
● A compromised PC or network device could lead to a completely compromised network, as malware may be able to spread across connections.
Social engineering.
Social engineering is the process of using social pressure to cause somebody to compromise a
system from inside the defenses of the network. Social engineering pressure can be applied in
multiple forms. An employee can receive a phone call from someone claiming to be from the IT
department asking for his or her credentials. It may occur in person. The social engineering can
also occur through email or through a rogue website. There are many avenues in which social
engineering can occur. The best defense to protect against this is providing end user education.
Training your end users to resist social engineering is a good idea.
Highlights:
● Social engineering involves using social pressure to cause somebody to compromise a system from inside the network defenses.
● The pressure can be applied in multiple forms: by phone, in person, via email, through a rogue website, or by other methods.
ARP (Address Resolution Protocol) cache poisoning.
ARP (Address Resolution Protocol) cache poisoning is another threat that can occur on a
network. With ARP cache poisoning, the ARP cache (which maps IP addresses to MAC
addresses) is corrupted by an attacker with the end result being that the attacker has control of
which IP addresses are associated with MAC addresses. It is commonly used in man-in-the-middle attacks.
Highlights:
● ARP cache poisoning is corrupting the ARP cache, resulting in an attacker having control of which IP addresses are associated with MAC addresses.
● It is commonly used in man-in-the-middle attacks.
Protocol or packet abuse.
A protocol or packet abuse threat involves taking a specific protocol and repurposing it to
perform a different function. Protocol abuse is commonly used to bypass a router’s access
control list (ACL) from the inside of a network. An example of this is encapsulating a disallowed
protocol within DNS packets, which are almost always allowed through, in order to get that
disallowed protocol out of the network.
Highlights:
● Protocol or packet abuse is the process of taking a specific protocol and repurposing it to perform a different function.
● It is commonly used to bypass a router’s ACL from inside a network.
Man-in-the-middle attack.
A man-in-the-middle attack is another threat to be aware of. With a man-in-the-middle attack,
the attacker is not necessarily inside the network per se, but is in between two endpoints that
are communicating on a network. In most cases, a man-in-the-middle attack involves disrupting
the ARP process between the two endpoints. The attack allows a malicious user to be able to
view all network packets that are flowing between the communicating hosts. Often, a man-in-
the-middle attack is used in an attempt to gain sensitive information, such as network
credentials.
Highlights:
● With a man-in-the-middle attack, the attacker is in between two endpoints that are communicating on a network.
● The attack allows a malicious user to view all network packets flowing between the communicating hosts.
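The ARP cache poisoning and man-in-the-middle sections above both come down to the same observable symptoms on the wire: an IP address whose MAC binding suddenly changes, and one MAC address that claims several IP addresses (typically the gateway plus a victim). The following Python monitor is an added example, not part of these notes, that checks a stream of observed ARP replies for exactly those two symptoms. The reply stream and the trusted gateway binding are constructed for the example.

```python
from collections import defaultdict

# Constructed ARP reply stream (sender IP, sender MAC), in the order a monitor saw them.
SAMPLE_ARP_REPLIES = [
    ("192.168.1.1", "aa:bb:cc:00:00:01"),   # gateway, legitimate
    ("192.168.1.20", "aa:bb:cc:00:00:20"),  # workstation, legitimate
    ("192.168.1.1", "de:ad:be:ef:00:99"),   # gateway IP now claimed by a different MAC
    ("192.168.1.20", "de:ad:be:ef:00:99"),  # the same MAC also claims the workstation
]

# Constructed static binding for the gateway; a real deployment would take this from inventory.
TRUSTED_BINDINGS = {"192.168.1.1": "aa:bb:cc:00:00:01"}


def audit_arp(replies, trusted=None):
    """Return a list of alert strings for a stream of (ip, mac) ARP replies.

    `trusted` is an optional dict of known-good ip -> mac bindings; a reply that
    contradicts one of them is reported immediately, before any history exists.
    """
    trusted = {ip: mac.lower() for ip, mac in (trusted or {}).items()}
    mac_for_ip = {}                 # last MAC seen claiming each IP
    ips_for_mac = defaultdict(set)  # every IP each MAC has claimed
    alerts = []
    for ip, mac in replies:
        mac = mac.lower()
        if ip in trusted and trusted[ip] != mac:
            alerts.append(f"trusted binding violated: {ip} claimed by {mac}, expected {trusted[ip]}")
        previous = mac_for_ip.get(ip)
        if previous is not None and previous != mac:
            alerts.append(f"binding changed: {ip} moved from {previous} to {mac}")
        mac_for_ip[ip] = mac
        if ip not in ips_for_mac[mac]:
            ips_for_mac[mac].add(ip)
            if len(ips_for_mac[mac]) > 1:
                alerts.append(f"one mac claims several ips: {mac} -> {sorted(ips_for_mac[mac])}")
    return alerts


if __name__ == "__main__":
    for alert in audit_arp(SAMPLE_ARP_REPLIES, TRUSTED_BINDINGS):
        print(alert)
```

A router or a host with several virtual addresses legitimately answers for more than one IP, so in practice the "one MAC, several IPs" rule needs an allowlist of such devices; the trusted-binding rule for the default gateway is the one that gives the least noise.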
VLAN hopping.
VLAN hopping involves circumventing the security that is inherent when virtual local area
networks (VLANs) are created. Normally, traffic that is tagged for one VLAN is not allowed onto
another VLAN without the intervention of a router. VLAN hopping occurs when an attacker adds
an additional fake VLAN tag to the network packets. Once the packets get to the switch, the
switch strips one of the VLAN tags off the packet and then passes it through. Once through the
switch, the packet is considered as belonging to the new VLAN, thus bypassing the security that
is inherent in VLANs.
Highlights:
● VLAN hopping circumvents the security inherent when VLANs are created.
● VLAN hopping occurs when an attacker adds an additional fake VLAN tag to the network packets, allowing dangerous packets to cross into unprotected VLANs.
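To make the "additional fake VLAN tag" concrete, the following Python code is an added example (not from the lesson) that builds Ethernet frames with a stack of 802.1Q tags, parses the tag stack back out, and applies the policy a switch should enforce on an access port: untagged frames only, and a frame carrying two tags is the double-tagging pattern described above. The frame builder, MAC addresses and payload are constructed for the example.

```python
import struct

ETHERTYPE_8021Q = 0x8100  # TPID that announces an 802.1Q VLAN tag
ETHERTYPE_IPV4 = 0x0800


def build_frame(dst_mac, src_mac, vlan_ids, ethertype=ETHERTYPE_IPV4, payload=b"\x00" * 46):
    """Build an Ethernet frame carrying zero or more stacked 802.1Q tags, outer tag first.

    MACs are written as 'aa:bb:cc:dd:ee:ff'. Priority (PCP) and DEI bits are left at 0,
    so the 16-bit TCI is just the 12-bit VLAN id.
    """
    frame = bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", ""))
    for vid in vlan_ids:
        if not 0 <= vid <= 4095:
            raise ValueError(f"VLAN id out of range: {vid}")
        frame += struct.pack("!HH", ETHERTYPE_8021Q, vid & 0x0FFF)
    return frame + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Return (dst_mac, src_mac, [vlan ids outer -> inner], payload ethertype)."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst = frame[0:6].hex(":")
    src = frame[6:12].hex(":")
    pos = 12
    vids = []
    (ethertype,) = struct.unpack("!H", frame[pos:pos + 2])
    while ethertype == ETHERTYPE_8021Q:          # walk every stacked tag
        if len(frame) < pos + 6:
            raise ValueError("truncated 802.1Q tag")
        (tci,) = struct.unpack("!H", frame[pos + 2:pos + 4])
        vids.append(tci & 0x0FFF)                # low 12 bits of the TCI are the VLAN id
        pos += 4
        (ethertype,) = struct.unpack("!H", frame[pos:pos + 2])
    return dst, src, vids, ethertype


def access_port_verdict(frame):
    """Policy for a switch port that serves end hosts: accept untagged frames only."""
    _, _, vids, _ = parse_frame(frame)
    if len(vids) >= 2:
        return "drop: double-tagged frame (VLAN hopping pattern)"
    if len(vids) == 1:
        return "drop: tagged frame on an access port"
    return "accept"


if __name__ == "__main__":
    hopping = build_frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:55", [1, 20])
    print(parse_frame(hopping)[2], access_port_verdict(hopping))
```

The attack works because a switch strips the outer tag (the one matching the trunk's native VLAN) and forwards the frame on the VLAN named by the inner tag; the usual mitigations are the check above on access ports and leaving the native VLAN of trunk links unused by any host.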
Outside threats.
While inside threats may constitute the majority of an organization’s security breaches, this does
not mean that outside threats can be ignored. Most of the largest thefts of data in recent history
have been traced to outside perpetrators.
Security threats are constantly evolving and security experts need to keep pace in order to
remain effective. Some of the most common threats are outlined below.
Brute force attacks.
Brute force attacks involve using computing power and time to compromise passwords. With
this type of threat, the attacker uses a program that continually tries different password
combinations—often in the form of a special dictionary application—in an effort to crack a
password. The best defense against this is to limit the number of times that a user can attempt
to log on before he or she is locked out.
Highlights:
● Brute force attacks involve using computing power and time to compromise passwords.
● The attacker uses a program that continually tries different password combinations in an effort to crack a password.
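The defense the notes recommend, limiting the number of attempts before an account is locked, looks like the following in Python. This is an added example, not code from the lesson: failures are counted per account inside a sliding window, the account is locked for a fixed period once the limit is reached, and the password check is skipped entirely while the lock holds. The clock is injectable so the behaviour can be exercised without waiting.

```python
import time
from collections import defaultdict, deque


class FakeClock:
    """Constructed manual clock for demonstrations and tests."""
    def __init__(self, start=0.0):
        self.t = start

    def __call__(self):
        return self.t


class LoginLimiter:
    """Lock an account after `max_failures` failed logins inside `window_seconds`."""

    def __init__(self, max_failures=5, window_seconds=300, lockout_seconds=900, clock=time.time):
        self.max_failures = max_failures
        self.window = window_seconds
        self.lockout = lockout_seconds
        self.clock = clock
        self._failures = defaultdict(deque)  # account -> timestamps of recent failures
        self._locked_until = {}              # account -> time at which the lock expires

    def is_locked(self, account):
        until = self._locked_until.get(account)
        if until is None:
            return False
        if self.clock() >= until:            # lock expired: start with a clean slate
            del self._locked_until[account]
            self._failures[account].clear()
            return False
        return True

    def record_failure(self, account):
        """Register a failed attempt; return True if this attempt triggered a lock."""
        now = self.clock()
        q = self._failures[account]
        q.append(now)
        while q and now - q[0] > self.window:  # forget failures older than the window
            q.popleft()
        if len(q) >= self.max_failures:
            self._locked_until[account] = now + self.lockout
            return True
        return False

    def record_success(self, account):
        self._failures.pop(account, None)


def attempt_login(limiter, account, password, check_password):
    """Gate a credential check behind the limiter. Returns 'locked', 'ok' or 'bad'."""
    if limiter.is_locked(account):
        return "locked"                      # not even a correct password gets through
    if check_password(account, password):
        limiter.record_success(account)
        return "ok"
    limiter.record_failure(account)
    return "bad"


if __name__ == "__main__":
    clock = FakeClock()
    limiter = LoginLimiter(max_failures=3, window_seconds=60, lockout_seconds=120, clock=clock)
    verify = lambda account, pw: pw == "correct horse"   # constructed credential store
    for guess in ["a", "b", "c", "correct horse"]:
        print(guess, attempt_login(limiter, "alice", guess, verify))
    clock.t = 121
    print("after lockout:", attempt_login(limiter, "alice", "correct horse", verify))
```

Because anyone who knows a username can trigger the lock by sending wrong passwords, a temporary lock (as here) is preferable to a permanent one, and limiting attempts per source address as well as per account keeps the defense from becoming a denial of service against legitimate users.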
Spoofing.
Spoofing is a category of threats where either the MAC address or the IP address of the
attacker has been modified to look like a friendly address in order to bypass network security. In
the past, it was common for an attacker to spoof his or her IP address so that it was actually
viewed as an inside host. A best practice to defend against this type of spoofing is an ACL rule
that doesn't allow an inside IP address to come from outside of the network.
Highlights:
● With spoofing, either the MAC address or IP address of an attacker is modified to look like a friendly address to bypass network security.
● A common use in the past was to spoof the IP address, so that an outside attacker was actually viewed as an inside host.
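The ACL rule described above (an inside address must never arrive on the outside interface) can be modelled as a small filter. The Python below is an added example, not part of the notes; it also goes one step further than the lesson by applying the mirror-image rule on the inside interface (only internal addresses may leave), which is the egress filtering recommended in BCP 38, and by rejecting source addresses that are never valid on the wire. The address ranges and the sample packets are constructed for the example.

```python
import ipaddress

# Constructed topology: the router's "inside" interface faces these networks; "outside" faces the Internet.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]

# Sources that can never legitimately originate a packet crossing the router.
NEVER_VALID_SOURCES = [ipaddress.ip_network("127.0.0.0/8"), ipaddress.ip_network("224.0.0.0/4")]

# Constructed packets as (arrival interface, source IP).
SAMPLE_PACKETS = [
    ("outside", "10.1.2.3"),        # internal address arriving from the Internet: spoofed
    ("outside", "198.51.100.5"),    # ordinary Internet host
    ("inside", "10.1.2.3"),         # internal host going out
    ("inside", "198.51.100.5"),     # internal host pretending to be someone else
    ("outside", "127.0.0.1"),       # loopback can never be a real source
]


def ingress_decision(interface, src_ip, internal_nets=INTERNAL_NETS):
    """Return 'permit' or a 'drop: <reason>' string for one packet."""
    addr = ipaddress.ip_address(src_ip)
    if any(addr in net for net in NEVER_VALID_SOURCES):
        return "drop: impossible source address"
    internal = any(addr in net for net in internal_nets)
    if interface == "outside" and internal:
        return "drop: internal source arriving from outside (spoofed)"
    if interface == "inside" and not internal:
        return "drop: non-internal source leaving the inside (egress filtering)"
    return "permit"


def evaluate(packets):
    """Apply the filter to a list of (interface, src) pairs; returns (interface, src, decision)."""
    return [(iface, src, ingress_decision(iface, src)) for iface, src in packets]


if __name__ == "__main__":
    for iface, src, decision in evaluate(SAMPLE_PACKETS):
        print(f"{iface:8} {src:16} {decision}")
```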
Session hijacking.
In session hijacking, an attacker attempts to take over a communication session after a user has
been authenticated. The hijacking can occur through various methods, such as using a packet
sniffer to steal a session cookie or installing malware on a user’s computer that is activated after
the user is authenticated. A man-in-the-middle attack is often used as a prelude to a session
hijacking attack.
Highlights:
● In session hijacking, an attacker attempts to take over a communication session after a user has been authenticated.
● A man-in-the-middle attack is often used as a prelude to a session hijacking attack.
DoS (Denial of Service) threats.
The denial of service (DoS) threat actually covers a very broad category of threats to networks
and systems. This is because DoS applies to any threat that can potentially keep users or
customers from using network resources as designed.
Highlights:
● DoS threats cover a very broad category of threats to networks and systems.
● Any threat that can potentially keep users or customers from using network resources as designed is considered a DoS threat.
Traditional DoS attacks.
A traditional DoS attack attempts to flood a network with enough traffic to bring it down. It is
commonly used with a flood of malformed ICMP requests. The host that receives the flood can
be so busy dealing with the deluge of data that it cannot respond to legitimate requests.
Highlights:
● Traditional DoS attacks attempt to flood a network with enough rogue traffic to stop it from responding to legitimate requests.
● It is commonly used with a flood of malformed ICMP requests.
Permanent DoS attacks.
A permanent DoS attack is an attempt to permanently deny a network resource for others. It can
be achieved by physically destroying or removing the resource. It can also be achieved through
the use of malware that corrupts or damages the underlying digital system to the point where it
cannot be repaired and must be replaced.
Highlights:
● A permanent DoS attack is an attempt to permanently deny a network resource for others.
● It can be achieved by physically destroying or removing the resource or by using malware to corrupt or damage the underlying system.
Friendly or unintentional DoS attacks.
There are also friendly or unintentional DoS attacks. An unintended DoS attack can occur when
poorly written applications consume more network resources than are available. Unintentional
DoS attacks can also occur when a network interface controller (NIC) begins to fail. It is quite
common when a NIC is about to fail for it to go offline and come back online repeatedly and
rapidly. This consumes network resources, which can cause an unintentional DoS attack.
Highlights:
● An unintentional DoS attack can occur when a poorly written application consumes more network resources than are available.
● An unintentional DoS attack can also occur when a NIC begins to fail.
Distributed DoS (DDoS) attacks.
More disruptive than the standard DoS attack is the distributed denial of service (DDoS) attack.
It is a denial of service attack in which more than a single system is involved in sending the
attack. A DDoS attack has a higher chance of succeeding due to the increased number of
participants. The machines used to send the attack may be voluntary participants—this is called
a coordinated attack—or they may be part of a botnet. With a botnet, malware has been
installed on machines and they are no longer under the complete control of their owners.
Many DDoS attacks involve botnets where the attacker has actually rented the botnet for the
sole purpose of performing the DDoS. The goal of the DDoS is to create a large enough spike in
traffic that the target becomes unreachable. In some cases, the target system may need to be
rebooted in order for it to come back online.
Highlights:
● A DDoS attack is a DoS attack in which more than a single system is involved in sending the attack.
● The machines used to send the DDoS may be voluntary participants or they may be part of a botnet.
Reflective DoS (also known as amplified DoS) attacks.
The reflective denial of service attack is also known as an amplified DoS. In this case, the
attacker uses some method—usually some form of spoofing—to hide the source of the attack.
In a reflective DNS attack, the attacker usually spoofs the intended target's IP address and
sends multiple requests to an open DNS server. The DNS server responds by sending traffic
back to the targeted system. The attacker's hope is that the response from the DNS server will
overwhelm the targeted system.
A cousin to the reflective DNS attack is the reflective NTP (network time protocol) attack. It
works in the same way. However, instead of using DNS, it relies on open NTP servers.
Highlights:
● In a reflective DoS attack, the attacker uses some method—usually some form of spoofing—to hide the source of the attack.
● In a reflective DNS attack, the attacker usually spoofs the intended target’s IP address and sends multiple requests to an open DNS server.
● A reflective NTP attack works in the same way; however, instead of using DNS, it relies upon open NTP servers.
Smurf attacks or Smurfing.
Not very common anymore (but something that still should be known about) are Smurf
attacks—also known as Smurfing. They are a type of reflective DoS attack that also involves
spoofing the intended target's IP address. With a Smurf attack, a network is flooded with ICMP
requests in which the source address for the requests appears to be that of the intended target.
As the reply is returned, the network becomes slowed down by the traffic. The goal is to
overwhelm the target system and bring it down.
Highlights:
● A Smurf attack is a type of reflective DoS that also involves spoofing the intended target’s IP address.
● A network is flooded with ICMP requests in which the source address for the requests appears to be that of the intended target.
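The traditional DoS, reflective DoS and Smurf sections above describe three traffic patterns a defender can look for in a packet log: a single source sending far too many packets, a single target receiving far too many packets from many sources, and a DNS or NTP server answering a host that never asked it anything. The Python below is an added example, not from the lesson, that runs all three checks over a constructed one-line-per-packet log; the log format, addresses and thresholds are assumptions made for the example.

```python
import re
from collections import defaultdict, deque

# Constructed log format (one packet per line): "<seconds> <proto> <src> -> <dst> <kind>"
LINE_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?)\s+(?P<proto>\w+)\s+(?P<src>[\d.]+)\s+->\s+(?P<dst>[\d.]+)\s+(?P<kind>[\w-]+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = float(rec["ts"])
    return rec


def make_sample_log():
    """Constructed traffic: one normal DNS exchange, an ICMP echo flood from a single host,
    and reflected DNS responses from a resolver the target never queried."""
    lines = ["1000.000 DNS 192.0.2.10 -> 203.0.113.53 query",
             "1000.020 DNS 203.0.113.53 -> 192.0.2.10 response"]
    for i in range(300):   # 300 echo requests in 0.3 s
        lines.append(f"{1001 + i * 0.001:.3f} ICMP 198.51.100.7 -> 192.0.2.10 echo-request")
    for i in range(50):    # 50 unsolicited responses in 0.1 s
        lines.append(f"{1002 + i * 0.002:.3f} DNS 203.0.113.99 -> 192.0.2.10 response")
    return lines


def detect_floods(records, window=1.0, threshold=200, key=lambda r: (r["src"], r["proto"])):
    """Return the keys that exceed `threshold` packets inside any `window`-second span.

    The default key is (source, protocol). Keying on (destination, protocol) instead
    catches floods that arrive from many sources, as in a Smurf or DDoS attack.
    """
    recent = defaultdict(deque)   # key -> timestamps still inside the window
    flagged = set()
    for r in records:
        q = recent[key(r)]
        q.append(r["ts"])
        while q and r["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            flagged.add(key(r))
    return flagged


def detect_unsolicited_responses(records, protos=("DNS", "NTP"), min_count=10):
    """Return (responder, victim) pairs where the responder sent at least `min_count`
    DNS/NTP responses to a host that never sent it a query: the reflection pattern."""
    queried = set()               # (client, server) pairs that sent a query
    counts = defaultdict(int)
    for r in records:
        if r["proto"] not in protos:
            continue
        if r["kind"] == "query":
            queried.add((r["src"], r["dst"]))
        elif r["kind"] == "response" and (r["dst"], r["src"]) not in queried:
            counts[(r["src"], r["dst"])] += 1
    return {pair for pair, n in counts.items() if n >= min_count}


def analyse(lines):
    """Run all three detectors over raw log lines."""
    records = [r for r in (parse_line(line) for line in lines) if r]
    return {
        "source_floods": detect_floods(records),
        "target_floods": detect_floods(records, key=lambda r: (r["dst"], r["proto"])),
        "reflection": detect_unsolicited_responses(records),
    }


if __name__ == "__main__":
    for name, hits in analyse(make_sample_log()).items():
        print(name, sorted(hits))
```

The source-keyed check is what catches a traditional single-host flood; the destination-keyed check is needed for a Smurf or DDoS, where each individual sender may stay under the per-source threshold; and the unsolicited-response check is what distinguishes reflection from any other high-rate traffic, because the victim has no matching outbound queries.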
Zero day attacks.
One of the largest threats that face network security personnel is the unknown vulnerability.
Network and system administrators expend a fair amount of effort protecting the assets under
their control and they can do a good job of hardening their systems, but not a perfect job.
The problem lies with zero day attacks. Zero day attacks take advantage of either new or very
recently discovered vulnerabilities, which means that networks and systems probably haven’t
yet been hardened against them. The unfortunate reality is that attacks keep changing and
security experts must also be willing to adapt in order to keep pace.
Highlights:
● Zero day attacks take advantage of either new or recently discovered vulnerabilities, which networks and systems haven't yet been protected from.
● The unfortunate reality is that attacks keep changing and security experts must be willing to adapt in order to keep pace.
Wireless network threats.
Wireless networking represents a unique challenge to security. By their very nature, wireless
networks broadcast their transmissions over the air, making them easy to be intercepted. There
are a number of threats that are specific to wireless networks. Some common threats are
outlined below.
Wi-Fi Protected Setup (WPS).
A common feature on a modern wireless access point (WAP) is Wi-Fi Protected Setup (WPS).
The goal of WPS is to create an easy and secure method for consumers and small businesses
to set up a secure wireless network.
Unfortunately, the outcome has fallen short of the goal. While WPS does ease the setup
burden, it is also easily exploited by an attacker and should actually be disabled on all
equipment.
Highlights:
● WPS was created to simplify secure wireless setup.
● It is extremely insecure and should not be used.
War driving/war chalking.
War driving or war chalking is the practice of attempting to sniff out unprotected, or minimally
protected, wireless networks. Once such networks are found, marks are placed on buildings and
streets indicating that networks are available and vulnerable. Something to remember is that
wireless networks are vulnerable merely due to the fact that they need to broadcast over the air.
Highlights:
● War driving/war chalking is the practice of attempting to sniff out unprotected or minimally protected wireless networks.
● Once found, marks are placed on buildings and streets indicating what networks are available and vulnerable.
WEP cracking/WPA cracking.
WEP cracking or WPA cracking is using a packet sniffer to capture the password and/or the
preshared key on a wireless network. Wired Equivalent Privacy (WEP) can be cracked in
minutes. Wi-Fi Protected Access (WPA) cracking will take hours, but it can still be cracked.
Neither of these encryption standards should be used on wireless networks.
Highlights:
● WEP or WPA cracking is the use of a packet sniffer to capture the password or preshared key on a wireless network.
● WEP can be cracked in minutes.
● WPA cracking will take hours, but can still be done.
Rogue access point attack.
Rogue access point attacks are another threat that technicians should be familiar with. A rogue
access point is an unauthorized WAP that gets installed onto a network. Unfortunately, the
biggest culprits in this situation are the end users themselves. They often install their own WAPs
for convenience and then don't properly secure them, opening a vulnerability into the network.
Administrators should periodically check for rogue access points on their networks, even if
wireless is not installed.
Highlights:
● A rogue access point is an unauthorized WAP that gets installed on a network.
● The biggest culprits are the end users who install their own WAPs for convenience and don’t properly secure them.
Evil twin attack.
Related to the rogue wireless access point attack is the evil twin attack. In such an attack, a
WAP is installed and configured with an SSID that is very similar to the authorized version. As
users access the evil twin, their keystrokes are captured in the hopes of gaining sensitive
information, such as the credentials to log in to the actual wireless network. An evil twin attack
can also be considered a type of wireless phishing attack.
Highlights:
● An evil twin attack is a type of rogue access point attack.
● A WAP is installed and configured with an SSID that is very similar to the authorized version and, as users access the twin, their keystrokes are captured.
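The periodic check for rogue access points recommended above, and the evil twin variant, both start from the same data: a wireless scan compared against an inventory of the access points the organization actually owns. The Python below is an added example, not part of the notes, that classifies each scanned radio as authorized, an exact copy of an authorized SSID on an unknown radio, a lookalike SSID, or an unknown access point that should be traced to see whether it is plugged into the wired network. The inventory, the scan results and the similarity threshold are constructed for the example.

```python
import difflib

# Constructed inventory: BSSID (radio MAC) -> SSID for every access point the organisation owns.
AUTHORIZED_APS = {
    "aa:bb:cc:dd:ee:01": "CorpWiFi",
    "aa:bb:cc:dd:ee:02": "CorpWiFi",
}

# Constructed scan results as (bssid, ssid, channel).
SAMPLE_SCAN = [
    ("aa:bb:cc:dd:ee:01", "CorpWiFi", 6),
    ("aa:bb:cc:dd:ee:02", "CorpWiFi", 11),
    ("12:34:56:78:9a:bc", "CorpWiFi", 1),        # our SSID on a radio we do not own
    ("12:34:56:78:9a:bd", "Corp-WiFi", 1),       # lookalike name
    ("12:34:56:78:9a:be", "Neighbour5G", 36),    # unrelated network next door
    ("12:34:56:78:9a:bf", "Printer-Setup", 6),   # unknown AP, possibly user-installed
]


def classify_ap(bssid, ssid, authorized=AUTHORIZED_APS, similarity=0.8):
    """Return a verdict string for one scanned access point."""
    bssid = bssid.lower()
    known_ssids = {s.lower() for s in authorized.values()}
    if bssid in authorized:
        if authorized[bssid] == ssid:
            return "authorized"
        return "authorized radio broadcasting an unexpected SSID"
    if ssid.lower() in known_ssids:
        return "evil twin: authorized SSID from an unknown BSSID"
    # Near-miss names (case changes, extra punctuation) are the classic evil twin trick.
    best = max(difflib.SequenceMatcher(None, ssid.lower(), s).ratio() for s in known_ssids)
    if best >= similarity:
        return "possible evil twin: lookalike SSID"
    return "unknown AP: verify it is not attached to the wired network"


def classify_scan(scan, authorized=AUTHORIZED_APS):
    """Map every scanned BSSID to its verdict."""
    return {bssid: classify_ap(bssid, ssid, authorized) for bssid, ssid, _ in scan}


if __name__ == "__main__":
    for bssid, verdict in classify_scan(SAMPLE_SCAN).items():
        print(bssid, verdict)
```

The scan alone cannot tell whether an unknown access point is connected to the corporate LAN; the verdict for that case is deliberately "go and check", which in practice means looking for the radio's MAC in the switch's address tables or walking to the strongest signal.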
Bluejacking.
Bluejacking involves sending unsolicited messages over a Bluetooth connection in an effort to
keep the target from responding to valid requests. It is more of an annoyance than an actual
network threat, as it mostly involves a personal area network (PAN), which tends to be very
limited in their abilities.
Highlights:
● Bluejacking involves sending unsolicited messages over a Bluetooth connection in an effort to keep the target from responding to valid requests.
Bluesnarfing.
Related to Bluejacking is Bluesnarfing. This is an attack in which the attacker creates a Bluetooth
connection with another device without that device's permission. The goal is to retrieve
information from the compromised device, such as contact information or stored email. This
vulnerability has been patched and may no longer be a concern, but is still something to be
aware of.
Highlights:
● Bluesnarfing is an attack in which the attacker creates a Bluetooth connection with another device without that device’s permission.
● The goal is to retrieve information from the compromised device.
What was covered.
Inside jobs or threats.
Given the nature and purpose of networks, it can be difficult to make them secure. Common
threats that come from within the network itself are: malicious employees, compromised
systems, social engineering, ARP cache poisoning, protocol or packet abuse, man-in-the-middle
attacks, and VLAN hopping.
Outside threats.
Some outside threats include: brute force attacks, spoofing attacks, and session hijacking. A
very common and broad category of threats is DoS. There are many types of DoS threats,
including traditional DoS, permanent DoS, friendly or unintentional DoS, DDoS, reflective DoS,
and Smurf attacks. Of major concern to network security personnel are zero day attacks (the
exploitation of previously unknown vulnerabilities) and it is imperative that they keep current with
what is being developed.
Wireless network threats.
WPS creates an easy method of placing security on a wireless network, but it also creates a
vulnerability in the network. Threats that face wireless networks include war driving or chalking,
WEP or WPA cracking, rogue access points, and evil twin attacks. Bluetooth networks are also
vulnerable to Bluejacking and, possibly, Bluesnarfing.