Modern Network Security Threats
Source:
CCNA Security
Cisco Networking Academy
Modern Network Security Threats

1.1 Fundamental Principles of a Secure Network
1.2 Viruses, Worms, and Trojan Horses
1.3 Attack Methodologies

1.1 Fundamental Principles of a Secure Network

1.1.1 Evolution of Network Security
1.1.2 Drivers for Network Security
1.1.3 Network Security Organizations
1.1.1 Evolution of Network Security

In July 2001, the Code Red worm attacked web servers globally, infecting over 350,000 hosts.

Security of the network is ultimately the responsibility of everyone that uses it.

"Necessity is the mother of invention."

Internal threats can cause even greater damage than external threats.

The three principles of a secure network:
- Confidentiality
- Integrity
- Availability

- Confidentiality: prevent the disclosure of sensitive information to unauthorized people, resources, and processes.
- Integrity: the protection of system information or processes from intentional or accidental modification.
- Availability: the assurance that systems and data are accessible by authorized users when needed.
1.1.2 Drivers for Network Security

Hackers
- Negative
- Positive
Hacking is a driving force in network security.

Hacker:
- 1960s: Phreaking (John Draper)
- 1980s: Wardialing
- 1990s: Wardriving
- ……

Network security professionals

1.1.3 Network Security Organizations
www.infosyssec.com
www.sans.org
www.cisecurity.org
www.cert.org
www.isc2.org
www.first.org
www.infragard.net
www.mitre.org
www.cnss.gov
1.2 Viruses, Worms, and Trojan Horses

1.2.1 Virus: malicious software which attaches to another program to execute a specific unwanted function on a computer.
1.2.2 Worm: executes arbitrary code and installs copies of itself in the memory of the infected computer, which then infects other hosts.
1.2.3 Trojan Horse: an application written to look like something else. When a Trojan Horse is downloaded and opened, it attacks the end-user computer from within.
1.2.4 Mitigating Viruses, Worms, and Trojan Horses

1.2.1 Viruses

1.2.2 Worms

Three major components to most worm attacks:
- Enabling vulnerability: a worm installs itself using an exploit mechanism (email attachment, executable file, Trojan Horse) on a vulnerable system.
- Propagation mechanism: after gaining access to a device, the worm replicates itself and locates new targets.
- Payload: any malicious code that results in some action. Most often this is used to create a backdoor to the infected host.

Five basic phases of attack of a worm or virus:
1.2.3 Trojan Horses

- The term Trojan Horse originated from Greek mythology.
- A Trojan Horse in the world of computing is malware.
- It has to be spread via social engineering or by manually emailing it.
- It does not replicate itself, and it does not infect other files.

Classification of Trojan Horses:
- Remote-access Trojan Horse (enables unauthorized remote access)
- Data-sending Trojan Horse (provides the attacker with sensitive data such as passwords)
- Destructive Trojan Horse (corrupts or deletes files)
- Proxy Trojan Horse (the user's computer functions as a proxy server)
- FTP Trojan Horse (opens port 21)
- Security software disabler Trojan Horse (stops anti-virus programs or firewalls from functioning)
- Denial of Service Trojan Horse (slows or halts network activity)
1.2.4 Mitigating Viruses, Worms, and Trojan Horses

- Viruses and Trojan Horses tend to take advantage of local root buffer overflows.
  - A root buffer overflow is a buffer overflow intended to attain root privileges on a system.
  - Worms such as SQL Slammer and Code Red exploit remote root buffer overflows.
- The primary means of mitigating virus and Trojan Horse attacks is anti-virus software.
  - Anti-virus products are host-based and do not prevent viruses from entering the network.
  - Network security professionals need to be aware of the major viruses and keep track of security updates regarding emerging viruses.
Mitigating Viruses, Worms, and Trojan Horses

- Worms are more network-based than viruses.
- The response to a worm infection can be broken down into four phases: containment, inoculation, quarantine, and treatment.

Containment
- Limiting the spread of a worm infection to areas of the network that are already affected.
- Requires compartmentalization and segmentation of the network to slow down or stop the worm and prevent currently infected hosts from targeting and infecting other systems.
- Requires using both outgoing and incoming ACLs on routers and firewalls at control points within the network.

Inoculation
- All uninfected systems are patched with the appropriate vendor patch for the vulnerability. This further deprives the worm of any available targets.
- A network scanner can help identify potentially vulnerable hosts.

Quarantine
- Involves tracking down and identifying infected machines within the contained areas and disconnecting, blocking, or removing them. This isolates these systems appropriately for the treatment phase.

Treatment
- Actively infected systems are disinfected of the worm. This can involve terminating the worm process, removing modified files or system settings that the worm introduced, and patching the vulnerability the worm used to exploit the system.
- In more severe cases, it can require completely reinstalling the system to ensure that the worm and its byproducts are removed.
Mitigating Viruses, Worms, and Trojan Horses

Example (SQL Slammer worm):
- Malicious traffic was detected on UDP port 1434.
- To prevent the spreading, block this port on all devices throughout the internal network.
- In some cases, the port on which the worm is spreading might be critical to business operation:
  - Access to the SQL Server may be required for legitimate business transactions.
  - In such a situation, alternatives must be considered.
  - If the network devices using the service on the affected port are known, permitting selective access is an option.
1.3 Attack Methodologies

Reconnaissance Attacks
- Reconnaissance attacks involve the unauthorized discovery and mapping of systems, services, or vulnerabilities.
- Also known as information gathering; in most cases it precedes an access or DoS attack.

Access Attacks
- Access attacks exploit known vulnerabilities in authentication services, FTP services, and web services.

Denial of Service Attacks
- Denial of service attacks send extremely large numbers of requests over a network or the Internet.
- These excessive requests cause the target device to run suboptimally.
- Consequently, the attacked device becomes unavailable for legitimate access and use.

Social Engineering Attacks
- A class of attacks that uses trickery on people instead of computers.
1.3.1 Reconnaissance Attacks

Reconnaissance attacks use various tools to gain access to a network:
- Packet sniffers
- Ping sweeps
- Port scans
- Internet information queries

- A packet sniffer is a software application.
- It uses a network adapter card in promiscuous mode to capture all network packets that are sent across a LAN.
- Some network applications distribute network packets in unencrypted plaintext.
- Numerous freeware and shareware packet sniffers exist.

- Keep in mind that reconnaissance attacks are typically the precursor to further attacks.
- A network security professional can detect when a reconnaissance attack is underway by configuring alarms that are triggered when certain parameters are exceeded, such as ICMP requests per second.
- Host-based intrusion prevention systems and standalone network-based intrusion detection systems can also be used to notify when a reconnaissance attack is occurring.
- Cisco IOS security images running on ISRs
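The threshold alarms described above (ICMP requests per second, and many distinct ports probed on one host) as a small detector. This is an added example, not code from the Cisco deck; the traffic summary lines, addresses and thresholds are constructed for illustration.

```python
from collections import defaultdict

# Constructed traffic summary (not a real capture), one packet per line:
# "<seconds> <src> <dst> <proto> <dport-or-icmp-type>"
SAMPLE_TRAFFIC = """\
0.10 10.0.0.7 10.0.1.1 icmp echo-request
0.15 10.0.0.7 10.0.1.2 icmp echo-request
0.20 10.0.0.7 10.0.1.3 icmp echo-request
0.25 10.0.0.7 10.0.1.4 icmp echo-request
0.30 10.0.0.7 10.0.1.5 icmp echo-request
1.00 10.0.0.9 10.0.1.20 tcp 21
1.01 10.0.0.9 10.0.1.20 tcp 22
1.02 10.0.0.9 10.0.1.20 tcp 23
1.03 10.0.0.9 10.0.1.20 tcp 25
1.04 10.0.0.9 10.0.1.20 tcp 443
5.00 10.0.0.3 10.0.1.20 tcp 443
6.00 10.0.0.3 10.0.1.1 icmp echo-request
"""

def parse_traffic(text):
    """Return (time, src, dst, proto, info) tuples sorted by time."""
    rows = []
    for line in text.strip().splitlines():
        t, src, dst, proto, info = line.split()
        rows.append((float(t), src, dst, proto, info))
    return sorted(rows)

def ping_sweep_sources(packets, window=1.0, max_requests=4):
    """Sources sending more than max_requests ICMP echo requests within any
    `window` seconds: the 'ICMP requests per second' alarm from the slide."""
    times = defaultdict(list)
    for t, src, _dst, proto, info in packets:
        if proto == "icmp" and info == "echo-request":
            times[src].append(t)
    flagged = set()
    for src, ts in times.items():
        start = 0                     # sliding window over this source's timestamps
        for end in range(len(ts)):
            while ts[end] - ts[start] > window:
                start += 1
            if end - start + 1 > max_requests:
                flagged.add(src)
                break
    return flagged

def port_scan_sources(packets, max_ports=4):
    """Sources that touched more than max_ports distinct TCP ports on one host."""
    ports = defaultdict(set)
    for _t, src, dst, proto, info in packets:
        if proto == "tcp":
            ports[(src, dst)].add(info)
    return {src for (src, _dst), p in ports.items() if len(p) > max_ports}
```

On the constructed sample, 10.0.0.7 trips the sweep alarm and 10.0.0.9 the port-scan alarm, while 10.0.0.3 (one connection, one ping) stays quiet; in production the thresholds would be tuned against the site's normal baseline.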
1.3.2 Access Attacks

Hackers use access attacks on networks or systems for three reasons: to retrieve data, to gain access, and to escalate access privileges.

There are five types of access attacks:
- Password attack
- Trust exploitation
- Port redirection
- Man-in-the-middle attack
- Buffer overflow

Password attack
- An attacker attempts to guess system passwords.
- Most password attacks refer to brute-force attacks, which involve repeated attempts based on a built-in dictionary to identify a user account or password.
Password attack example
- A user can run the L0phtCrack, or LC5, application to perform a brute-force attack to obtain a Windows server password.
- When the password is obtained, the attacker can install a keylogger, which sends a copy of all keystrokes to a desired destination.
- Or, a Trojan Horse can be installed to send a copy of all packets sent and received by the target to a particular destination, thus enabling the monitoring of all the traffic to and from that server.
Trust exploitation
- An attacker uses privileges granted to a system in an unauthorized way, possibly leading to compromise of the target.

Port redirection
- A compromised system is used as a jump-off point for attacks against other targets. An intrusion tool is installed on the compromised system for session redirection.

Man-in-the-middle attack
- An attacker is positioned in the middle of communications between two legitimate entities in order to read or modify the data that passes between the two parties.
- A popular man-in-the-middle attack involves a laptop acting as a rogue access point to capture and copy all network traffic from a targeted user. Often the user is in a public location on a wireless hotspot.

Buffer overflow
- A program writes data beyond the allocated buffer memory, so that valid data is overwritten or the overflow is exploited to enable the execution of malicious code.
Access Attacks

Detecting access attacks:
- Reviewing logs: check the number of failed login attempts.
- Bandwidth utilization: detects man-in-the-middle attacks. Man-in-the-middle attacks often involve replicating data, so an indication of such an attack is an unusual amount of network activity and bandwidth utilization.
- Process loads: detects buffer overflow attacks. A compromised system would likely be revealed by sluggish activity due to ongoing buffer overflow attacks, as indicated by active process loads viewable on a Windows or UNIX system.
1.3.3 Denial of Service Attacks

- A DoS attack is a network attack.
- DoS attacks attempt to compromise the availability of a network, host, or application.
- There are two major reasons a DoS attack occurs:
  - A host or application fails to handle an unexpected condition.
  - A network, host, or application is unable to handle an enormous quantity of data.

DDoS (Distributed DoS)
- A Distributed Denial of Service attack (DDoS) is similar in intent to a DoS attack, except that a DDoS attack originates from multiple coordinated sources.
- In addition to increasing the amount of network traffic from multiple distributed attackers, a DDoS attack also presents the challenge of requiring the network defense to identify and stop each distributed attacker.

DDoS example
- A hacker scans for systems that are accessible. After the hacker accesses several "handler" systems, the hacker installs zombie software on them.
- Zombies then scan and infect agent systems. When the hacker accesses the agent systems, the hacker loads remote-control attack software to carry out the DDoS attack.
Source: Security+ Guide to Network Security Fundamentals, Thomson
Denial of Service Attacks

Three common DoS attacks:
- Ping of Death
- Smurf Attack
- TCP SYN Flood

Ping of Death
- A hacker sends an echo request in an IP packet larger than the maximum packet size of 65,535 bytes.
- Sending a ping of this size can crash the target computer.
- A variant of this attack is to crash a system by sending ICMP fragments, which fill the reassembly buffers of the target.

ping -t -l 65550 192.168.1.1
Smurf Attack
- In a smurf attack, a perpetrator sends a large number of ICMP requests to directed broadcast addresses, all with spoofed source addresses.
- If the routing device delivering traffic to those broadcast addresses forwards the directed broadcasts, all hosts on the destination networks send ICMP replies, multiplying the traffic by the number of hosts on the networks.
- On a multi-access broadcast network, hundreds of machines might reply to each packet.
TCP SYN Flood
- A flood of TCP SYN packets is sent, often with a forged sender address. Each packet is handled like a connection request, causing the server to spawn a half-open connection by sending back a TCP SYN-ACK packet and waiting for a packet in response from the sender address.
- However, because the sender address is forged, the response never comes. These half-open connections saturate the number of available connections the server is able to make, keeping it from responding to legitimate requests until after the attack ends.
- Figure: the three-way handshake is correctly performed (normal case).
Source: http://en.wikipedia.org/wiki/SYN_flood
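A small model of the server's half-open connection table, added here as an example to show why forged sender addresses saturate it and why service returns only after the attack stops; it is not code from the deck or from Wikipedia, and the backlog size, timeout and addresses are constructed.

```python
# Model of a server's half-open connection table during a SYN flood (constructed
# example). A SYN reserves a slot until the client's ACK arrives or the slot times
# out; a forged source never answers the SYN-ACK, so its slot is held until then.

def simulate_syn_flood(events, backlog, timeout):
    """events: (time, "SYN"|"ACK", src) tuples in time order.
    Returns (established, refused, peak_half_open)."""
    half_open = {}                     # src -> time the SYN-ACK was sent
    established = refused = peak = 0
    for t, kind, src in events:
        # expire entries older than the timeout, as the server's timer would
        half_open = {s: t0 for s, t0 in half_open.items() if t - t0 < timeout}
        if kind == "SYN":
            if len(half_open) >= backlog:
                refused += 1           # no slot left: the SYN is dropped
            else:
                half_open[src] = t     # SYN-ACK sent, waiting for the final ACK
                peak = max(peak, len(half_open))
        elif kind == "ACK" and src in half_open:
            del half_open[src]         # handshake completed
            established += 1
    return established, refused, peak

def flood_then_legit(n_spoofed, backlog=8, timeout=30.0):
    """Constructed timeline: n_spoofed SYNs from forged sources, then a legitimate
    client that tries a full handshake once immediately and once after the timeout."""
    events = [(i * 0.01, "SYN", f"198.51.100.{i}") for i in range(n_spoofed)]
    t1 = n_spoofed * 0.01 + 1.0
    t2 = t1 + timeout + 1.0
    events += [(t1, "SYN", "203.0.113.5"), (t1 + 0.05, "ACK", "203.0.113.5"),
               (t2, "SYN", "203.0.113.5"), (t2 + 0.05, "ACK", "203.0.113.5")]
    return simulate_syn_flood(events, backlog, timeout)

if __name__ == "__main__":
    print("flood:", flood_then_legit(20))   # (1, 13, 8): first legit SYN refused
    print("quiet:", flood_then_legit(0))    # (2, 0, 1): both handshakes complete
```

Real stacks add SYN cookies and much larger backlogs, so the model only shows the mechanism the slide describes, not how a modern server behaves.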
Denial of Service Attacks

To date, hundreds of DoS attacks have been documented.

There are five basic ways that DoS attacks can do harm:
- Consumption of computational resources, such as bandwidth, disk space, or processor time
- Disruption of configuration information, such as routing information
- Disruption of state information, such as unsolicited resetting of TCP sessions
- Disruption of physical network components
- Obstruction of communication between the victim and others
1.3.4 Social Engineering Attacks

- Tricking a person into revealing some confidential information.
- An attack based on deceiving users or administrators at the target site.
- Done to gain illicit access to systems or useful information.
- The goals of social engineering are fraud, network intrusion, industrial espionage, identity theft, etc.
1.3.5 Mitigating Network Attacks

Reconnaissance attacks can be mitigated in several ways:
- Using strong authentication such as a One-Time Password (OTP).
- Encryption, which makes captured data unreadable.
- Antisniffer tools to determine whether hosts are processing more traffic than their own traffic loads would indicate.
- A switched infrastructure, which makes it difficult to capture any data except that on your immediate collision domain, which probably contains only one host.
- Network-based IPS and host-based IPS can usually notify an administrator when a reconnaissance attack is under way.
Mitigating Network Attacks

Techniques are available for mitigating access attacks:

Strong password policy
- Disabling accounts after a specific number of unsuccessful logins. This practice helps to prevent continuous password attempts.
- Not using plaintext passwords. Use either a one-time password (OTP) or an encrypted password.
- Using strong passwords. Strong passwords are at least eight characters and contain uppercase letters, lowercase letters, numbers, and special characters.
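The log review under "Detecting access attacks" (counting failed login attempts) and the lockout rule above (disabling an account after a set number of failures) worked through on a constructed authentication log. This is an added example, not code from the deck; the log format, account names, addresses and the 5-failures-in-15-minutes policy are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed authentication log (not from a real system), one event per line:
# "<ISO timestamp> <failed|success> user=<account> src=<ip>"
AUTH_LOG = """\
2024-03-01T08:00:01 failed user=alice src=10.0.0.9
2024-03-01T08:00:02 failed user=alice src=10.0.0.9
2024-03-01T08:00:03 failed user=alice src=10.0.0.9
2024-03-01T08:00:04 failed user=alice src=10.0.0.9
2024-03-01T08:00:05 failed user=alice src=10.0.0.9
2024-03-01T08:05:00 failed user=bob src=10.0.0.22
2024-03-01T09:30:00 failed user=bob src=10.0.0.22
2024-03-01T09:30:05 success user=bob src=10.0.0.22
2024-03-01T09:31:00 failed user=carol src=10.0.0.9
2024-03-01T09:31:01 failed user=dave src=10.0.0.9
"""

LOCKOUT_THRESHOLD = 5                   # failures that disable the account (assumed policy)
LOCKOUT_WINDOW = timedelta(minutes=15)  # failures older than this are forgotten

def parse_auth_log(text):
    """Return (timestamp, result, account, source) tuples sorted by time."""
    events = []
    for line in text.strip().splitlines():
        ts, result, user, src = line.split()
        # strip the "user=" and "src=" prefixes
        events.append((datetime.fromisoformat(ts), result, user[5:], src[4:]))
    return sorted(events)

def accounts_to_lock(events, threshold=LOCKOUT_THRESHOLD, window=LOCKOUT_WINDOW):
    """Accounts reaching `threshold` failures inside `window` -> (count, sources).
    A successful login resets the counter, as most lockout policies do."""
    recent = defaultdict(list)   # account -> timestamps of recent failures
    sources = defaultdict(set)   # account -> addresses that failed against it
    locked = {}
    for ts, result, user, src in events:
        if result == "success":
            recent[user].clear()
            continue
        recent[user] = [t for t in recent[user] if ts - t <= window] + [ts]
        sources[user].add(src)
        if len(recent[user]) >= threshold and user not in locked:
            locked[user] = (len(recent[user]), sorted(sources[user]))
    return locked

def failures_per_source(events):
    """Failed attempts per source address: one address failing against many
    accounts is worth reviewing even when no single account reaches the threshold."""
    counts = defaultdict(int)
    for _ts, result, _user, src in events:
        if result == "failed":
            counts[src] += 1
    return dict(counts)
```

On the sample, only alice reaches the lockout threshold, but the per-source view shows 10.0.0.9 failing against three different accounts, which a per-account rule alone would miss.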
Mitigating Network Attacks

Techniques are available for mitigating access attacks:

Principle of minimum trust
- The principle of minimum trust should also be designed into the network structure.
- This means that systems should not use one another unnecessarily.
- For example, if an organization has a server that is used by untrusted devices, such as web servers, the trusted device (the server) should not trust the untrusted devices (the web servers) unconditionally.

Cryptography
- Using encryption for remote access to a network is recommended.
Mitigating Network Attacks

- Mitigating DDoS attacks requires careful diagnostics, planning, and cooperation from ISPs.
- The most important elements for mitigating DoS attacks are firewalls and IPSs.

Social Engineering Countermeasures
- Take proper care of trash and discarded items.
- Ensure that all system users have periodic training about network security.
Source: Security+ Guide to Network Security Fundamentals, Thomson
Mitigating Network Attacks

There are 10 best practices for your network:
1. Keep patches up to date by installing them weekly or daily, if possible, to prevent buffer overflow and privilege escalation attacks.
2. Shut down unnecessary services and ports.
3. Use strong passwords and change them often.
4. Control physical access to systems.
5. Avoid unnecessary web page inputs.
6. Perform backups and test the backed-up files on a regular basis.
7. Educate employees about the risks of social engineering, and develop strategies to validate identities over the phone, via email, or in person.
8. Encrypt and password-protect sensitive data.
9. Implement security hardware and software: firewalls, IPSs, virtual private network (VPN) devices, anti-virus software, and content filtering.
10. Develop a written security policy for the company.