Network Defense Ch 1
Threats to Network Security: Revenge
Disgruntled current or former employees might want to retaliate against an organization for policies or actions they consider wrong. They can sometimes gain entry through an undocumented account (back door) in the system.
Hacker Goals: Script Kiddies
Hackers who are relatively unskilled programmers who spread viruses and other malicious scripts to exploit weaknesses in computer systems. Script kiddies lack the ability to create viruses or Trojan programs on their own, but they can usually find these programs online.
Threats to Network Security: Industrial Espionage
Proprietary information is often valuable enough that it can be sold to competing companies or other parties.
Common Attacks and Defenses: Application vulnerability exploits
Unpatched or vulnerable client-side applications (browsers, document readers, media players, plug-ins) are targeted, often through trusted Web sites that have been compromised and turned into malicious servers, so that simply visiting the site invokes the vulnerable program. -Defense: Keep applications patched. Maintain software inventories so vulnerable software is accounted for and defended. Ensure secure configurations of all software and use perimeter defenses to help identify and prevent attacks.
M86 MailMarshal Secure Email Gateway by M86 Security
scans the content of each e-mail message before it reaches the recipient
Goals of Network Security: Providing Secure Connectivity
-secure connectivity with trusted users and networks
Threats to Network Security: Status
Some attackers attempt to take over computer systems just for the thrill of it. They like to count the number of systems they have accessed as notches on their belt
Common Attacks and Defenses: Remote Procedure Calls (RPC) attacks
The operating system crashes because it cannot handle arbitrary (malformed) data sent to an RPC port. -Defense: Set up an IDPS (intrusion detection and prevention system), keep the OS patched, and block RPC ports at the perimeter from hosts that have no need to reach them.
DiD Layer: Authentication and Password Security
-a password security policy, which requires employees to select good passwords, keep them secure, and change them regularly. -Using multiple passwords, including screen-saver passwords and passwords protecting critical applications, is also a good idea to guard against unauthorized employees gaining control of unattended computers. -Unless complex passwords and their safekeeping are enforced through technical means, passwords can become a serious vulnerability. -Authentication: verifying the identity of a user, service, or computer. It uses one or more of three methods: something the user knows (a password or PIN), something the user possesses (a token or smart card), or something the user is (a biometric).
DiD Layer: Demilitarized Zone (DMZ)
-A subnet that sits outside the internal network but is connected to the firewall. -Makes services such as HTTP (Web server) and FTP (File Transfer Protocol) publicly available while protecting the internal LAN: a compromised DMZ host still faces the firewall before it can reach internal systems. -Might also contain a DNS server that resolves fully qualified domain names to IP addresses. -The subnet attached to the firewall and contained in the DMZ is sometimes called a service network or perimeter network.
Firewalls: Restrictive Policy
-Calls for a firewall and associated network security components to deny all traffic by default. Because rules are processed top to bottom and the first match wins, the final rule in the rule base denies all traffic on any service and any port. To allow a specific type of traffic, an "allow" rule must be placed ahead of that "deny all" rule; anything placed after it is never reached.
Firewalls: Permissive Policy
-Calls for a firewall and associated security components to allow all traffic through the network gateway by default and then to block services on a case- by-case basis.
DiD Layer: Log files Analysis
-Compiling, reviewing, and analyzing log files are among the most tedious and time-consuming tasks associated with network security. Network administrators read and analyze log files to see who is accessing their networks from the Internet. All rejected connection attempts should be recorded, in the hope of identifying possible intruders or pinpointing vulnerable points in the system. -When you first install intrusion detection or firewalls on your network, you will probably be asked to prepare reports that describe how the network is being used and what kinds of filtering activities the device is performing. It is a good idea to sort logs by time of day and per hour (sorted logs are more organized and easier to review than the raw output of the server, firewall, or other device). -Check logs to learn the peak traffic times on your network, and try to identify the services that consume the largest part of your available bandwidth. If your firewall or IDPS can display log file entries graphically, consider showing the graphs to management as needed; graphs illustrate trends more effectively than lists of raw data.
Packet Filtering: Software Firewalls
-Most enterprise-level programs, such as Check Point Firewall Software Blade, perform packet filtering. Personal firewalls such as ZoneAlarm perform basic stateless packet filtering based on simple rules. You use ZoneAlarm in the hands-on projects at the end of this chapter.
Always-On Connectivity: Problems
-Remote users include employees who are on the road, contractors who work at home, and business partners. As the Internet grew in popularity, more home computers started using modems. These connections were usually made through temporary dial-up connections that used protocols such as Point-to-Point Protocol (PPP). Today, however, it is increasingly likely that remote users connect to a network through an always-on DSL or cable modem connection, which means they might be connected to a network for hours at a time. -network security policy should specify that remote users have their computers equipped with firewall and antivirus protection software. - if attackers can break into a remote user's computer while the user is connected to your network through a virtual private network (VPN) or other connection, your network becomes vulnerable as well
Packet Filtering: Operating Systems
-Some operating systems, such as Windows and Linux, have built-in packet filtering in the TCP/IP stack. Linux uses the kernel's netfilter framework, which administrators configure with the iptables tool; Windows Server 2008 and Windows 7 have the Windows Filtering Platform, on which Windows Firewall is built.
DiD Layer: Firewalls
-The foundation for installing and configuring a firewall is your organization's overall security policy. -create a packet-filtering rule base for your firewall that reflects your overall approach to network security. -should enforce the overall policy established by the network administrator - Enforcement is handled primarily through setting up packet-filtering rules; a rule base contains a set of these rules. - The order of rules in the rule base is important to how the firewall processes traffic.
Social Engineering: The People Factor
-The vulnerability in this case is well-meaning but gullible employees who attackers fool into giving out passwords or other access codes. To protect itself against personnel who do not observe accepted security practices or who willfully abuse them, an organization needs a strong and consistently enforced security policy and a rigorous training program.
Packet Filtering: Routers
-These devices are probably the most common packet filters. -process packets according to an access control list (ACL) the administrator defines
Access Control Method: Mandatory Access Control (MAC)
-This is an uncompromising method for controlling how information can be accessed. -All access capabilities are defined in advance by policy: data carries security labels and users hold clearances. System administrators, not the owners of the data, establish what information users can and cannot share.
Using a Layered Defense Strategy: Defense in Depth (DiD)
-a group of methods that work in a coordinated fashion to provide protection against a variety of threats. -When beginning with an unprotected system, the first layer of defense added gives the largest improvement. -As more layers are stacked on the first, potential attackers must successfully breach each layer to gain access to the next one. However, adding layers also adds complexity for system administrators. Security enhancements must be balanced against the cost to maintain and monitor defenses.
Back doors
-a way of gaining unauthorized access to a computer or other resource, such as an unused port or terminal service, that makes it possible for attackers to gain control over the computer.
DiD Layer: Packet Filtering
-block or allow the transmission of packets based on port, IP address, protocol, or other criteria -can be performed by different types of systems (routers, firewalls, operating systems) -evaluates information in the packet header and compares it to the established rules, in order. If the information corresponds to an "allow" rule, the packet is allowed to pass; if it matches a "deny" rule, the packet is dropped. If no rule matches, the firewall applies its default policy (deny under a restrictive policy, allow under a permissive one).
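The rule-base behaviour described in the Restrictive Policy, Permissive Policy, Firewalls and Packet Filtering entries above, as an added example written for this page (it is not code from the textbook or from any firewall product). It implements first-match evaluation over header fields and shows the same packets judged under a deny-by-default rule base, an allow-by-default one, and a mis-ordered one whose "deny all" sits first. The networks, hosts and rules are constructed: 203.0.113.0/24 stands in for a DMZ and 203.0.113.10 for its Web server.

```python
"""Packet-filter rule base evaluator: an added example written for this page,
not code from the textbook. Rules are checked top to bottom and the first
match wins, which is why rule order and the position of the default rule
matter. The IP ranges, hosts and rules below are constructed for illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    action: str                   # "allow" or "deny"
    proto: str = "any"            # "tcp", "udp", "icmp" or "any"
    src: str = "0.0.0.0/0"        # source network in CIDR notation
    dst: str = "0.0.0.0/0"        # destination network in CIDR notation
    dport: Optional[int] = None   # destination port; None means any port

    def matches(self, pkt: dict) -> bool:
        """Compare the packet header fields with this rule's criteria."""
        return (
            self.proto in ("any", pkt["proto"])
            and ip_address(pkt["src"]) in ip_network(self.src)
            and ip_address(pkt["dst"]) in ip_network(self.dst)
            and (self.dport is None or self.dport == pkt.get("dport"))
        )


def filter_packet(rule_base: List[Rule], pkt: dict) -> str:
    """Return the action of the first matching rule. If nothing matches at all
    (a rule base with no default rule), fail closed and deny."""
    for rule in rule_base:
        if rule.matches(pkt):
            return rule.action
    return "deny"


DMZ = "203.0.113.0/24"          # constructed: documentation prefix used as the DMZ
WEB = "203.0.113.10/32"         # constructed: public Web server in the DMZ

# Restrictive policy: specific allow rules first, "deny all" last.
RESTRICTIVE: List[Rule] = [
    Rule("allow", "tcp", dst=WEB, dport=80),
    Rule("allow", "tcp", dst=WEB, dport=443),
    Rule("allow", "udp", dst=DMZ, dport=53),
    Rule("deny"),                        # default: everything not listed above
]

# Permissive policy: specific deny rules first, "allow all" last.
PERMISSIVE: List[Rule] = [
    Rule("deny", "tcp", dport=23),       # block Telnet
    Rule("deny", "tcp", dport=445),      # block SMB
    Rule("allow"),                       # default: anything else passes
]

# Mis-ordered rule base: the default sits first, so the allow rules never fire.
MISORDERED: List[Rule] = [Rule("deny")] + RESTRICTIVE[:-1]


def decisions(rule_base: List[Rule]) -> dict:
    """Evaluate a few constructed inbound packets and return name -> action."""
    packets = {
        "http_to_web":   {"proto": "tcp", "src": "198.51.100.7", "dst": "203.0.113.10", "dport": 80},
        "telnet_to_web": {"proto": "tcp", "src": "198.51.100.7", "dst": "203.0.113.10", "dport": 23},
        "rdp_to_web":    {"proto": "tcp", "src": "198.51.100.7", "dst": "203.0.113.10", "dport": 3389},
        "dns_to_dmz":    {"proto": "udp", "src": "198.51.100.7", "dst": "203.0.113.53", "dport": 53},
    }
    return {name: filter_packet(rule_base, pkt) for name, pkt in packets.items()}


if __name__ == "__main__":
    for label, rb in (("restrictive", RESTRICTIVE), ("permissive", PERMISSIVE), ("misordered", MISORDERED)):
        print(label, decisions(rb))
```

The permissive rule base lets the RDP packet through because nobody wrote a deny rule for port 3389; the restrictive one drops it without anyone having thought about RDP at all, which is the practical argument for deny-by-default. The mis-ordered rule base denies everything, including the Web traffic it was meant to allow, so a change that moves the default rule is the first thing to check when a firewall suddenly blocks a service.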
Melissa macro virus
-caused Microsoft to shut down the company's entire e-mail service. -spread rapidly and arrived as an attachment with the subject line "Important message from [name of someone]." The body text read, "Here is that document you asked for...don't show anyone else." If the recipient opened the attachment, the macro virus infected the computer and carried out a series of commands. -was a fast-spreading virus, infecting more than 100,000 computers in the first few days.
Goals of Network Security: Ensuring Privacy
-educate all employees about security dangers and explain security policies. -Employees are the people most likely to detect security breaches, and also the most likely to cause them accidentally through their own behavior. They can be mindful of their coworkers' activities and alert to suspicious actions that could indicate a security problem. -protect organizations that maintain databases of personal and financial information and that must therefore maintain privacy -ensure information is protected according to U.S. laws
DiD Layer: Operating System Security
-installing operating system (OS) patches that have been issued to address security flaws. -keep up with patches, hot fixes, and service packs and to test and install them when they become available. - stopping any unneeded services and disabling guest user accounts helps make an OS more secure.
Email Filtering Programs
-introduce privacy issues that need to be balanced against an organization's need for protection—a trade-off that applies to almost all aspects of network security, not just e-mail messages.
Port
-a 16-bit number carried in the TCP or UDP header that identifies a particular service or program on a host. A server program "listens" on its port: it waits in the background for connection requests for the service it offers. Well-known ports (0 through 1023) are reserved for standard services, such as HTTP on port 80.
Threats to Network Security: Viruses
-is executable code that can replicate itself from one place to another surreptitiously and perform actions that range from benign to harmful. -are spread by several methods, including running executable code, sharing disks or memory sticks, opening e-mail attachments, and viewing infected or malicious Web pages. -can attach to other executables or replace them in order to spread or execute. -require user intervention to run -can mutate or be altered to defeat antivirus software
DiD Layer: Network auditing
-is the process of recording which computers are accessing a network and what resources are being accessed, and then recording the information in a log file.
DiD Layer: Physical Security
-measures taken to protect a computer or other network device from theft, fire, or environmental disaster - installing computer locks that attach a computer device to a piece of furniture in your office, and keeping critical servers in a room protected by a lock and/or burglar alarm.
Problems with Redundant Program Functions
-Running several programs with overlapping functions (for example, two personal firewalls or two antivirus products on one host) causes problems: the programs are not always compatible with each other or with other security software, connections become slow or unreliable, and legitimate communications can be blocked by one product while the other allows them.
Biometric Authentication
-physical information that identifies a person, such as retinal scans, voice prints, and fingerprints
DiD Layer: Antivirus Protection: Virus Scanning
-process of examining files or e-mail messages for filenames, file extensions such as .exe (for executable code) or .zip (for zipped files), and other indications that viruses are present. Many viruses have suspicious file extensions, but some seem innocuous.
Malicious Code: Conficker
-The program attacked all Windows operating systems from Windows 2000 through Windows 7. An estimated 9 to 15 million computers were infected. In 2009, Microsoft offered a $250,000 reward for the identification of the authors. -It was designed to create botnets: networks of tens of thousands of infected computers that belong to unsuspecting victims and can be controlled from a central station. -Because the program was designed not to infect systems with a Ukrainian keyboard layout, it is thought that the worm was developed in Eastern Europe.
Goals of Network Security: Secure Remote Access
-provide secure remote access for contractors and employees who are traveling. -VPN, with its combination of encryption and authentication, is often provided by the industry standard, IP security (IPsec), and is a simple and cost-effective solution
DiD Layer: Virtual Private Networks (VPNs)
-public telecommunications infrastructure, such as the Internet, to provide secure access to corporate assets for remote users. - use authentication to verify users' identities and encrypt and encapsulate traffic to protect it in transit.
DiD Layer: Intrusion Detection and Prevention System (IDPS)
-recognizing the signs of a possible attack and sending a notification to an administrator that an attack is under way. Some traffic can trigger a response that attempts to actively combat the threat. -not precise because there is no known method for preventing all possible intrusions. -The signs of possible attacks are commonly called signatures—combinations of IP addresses, port numbers, and the frequency of access attempts.
DiD Layer: Routing and access control methods
-Because routers are positioned on a network's perimeter, they can be equipped with their own firewall software to perform packet filtering and other functions. -Access Points: ●Vulnerable services: the attacker might be able to exploit known vulnerabilities in an application. ●E-mail gateways: the attacker might be able to attach a virus payload to an e-mail message. If a recipient clicks the attachment to open it, the program runs and the virus installs itself on the user's system. ●Porous borders: computers on the network might be listening (that is, waiting for connections) on a port that has no functional use. If an attacker discovers a port that the computer has left open and that is not being used, the open port can give the attacker access to that computer's content. -Access control encompasses everything from complex permission configurations on domain controllers to locked doors.
Challenge/Response Authentication
-the authenticating device generates a random code or number (the challenge) and sends it to the user who wants to be authenticated. The user resubmits the number or code and adds a secret PIN or password (the response), or uses a possession such as a smart card to swipe through a card reader.
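The exchange described above, as an added example written for this page (not code from the textbook or from any authentication product). The verifier issues a random challenge; the client answers with an HMAC of the challenge keyed by a shared secret, so the secret itself never travels over the network and a captured response is useless against the next challenge. The user name, the enrolled secret and the 30-second challenge lifetime are constructed assumptions; in the PIN form the text describes, the secret would be derived from the PIN, while here a per-user key like one held on a smart card stands in for it.

```python
"""Challenge/response authentication: an added example written for this page,
not code from the textbook or any product. The verifier sends a random
challenge; the client proves it knows the shared secret by returning an HMAC
of that challenge, so the secret itself never crosses the network. The user
database and secrets are constructed for illustration."""
import hashlib
import hmac
import secrets
import time
from typing import Dict, Tuple


def compute_response(secret: bytes, challenge: bytes) -> bytes:
    """Client side: the response is HMAC-SHA256(secret, challenge).
    With a PIN-based scheme the secret would be derived from the PIN; here a
    per-user key (as a smart card would hold) stands in for it."""
    return hmac.new(secret, challenge, hashlib.sha256).digest()


class Authenticator:
    """Server side: issues one-shot challenges and verifies responses."""

    def __init__(self, user_secrets: Dict[str, bytes], ttl_seconds: float = 30.0):
        self._secrets = user_secrets
        self._ttl = ttl_seconds
        self._pending: Dict[str, Tuple[bytes, float]] = {}   # user -> (challenge, expiry)

    def issue_challenge(self, user: str) -> bytes:
        """Step 1: generate an unpredictable challenge and remember it briefly."""
        challenge = secrets.token_bytes(16)
        self._pending[user] = (challenge, time.monotonic() + self._ttl)
        return challenge

    def verify(self, user: str, response: bytes) -> bool:
        """Step 2: check the response against the outstanding challenge.
        The challenge is consumed whether or not the check succeeds, so a
        captured response cannot be replayed later."""
        entry = self._pending.pop(user, None)
        secret = self._secrets.get(user)
        if entry is None or secret is None:
            return False
        challenge, expiry = entry
        if time.monotonic() > expiry:
            return False
        expected = compute_response(secret, challenge)
        return hmac.compare_digest(expected, response)   # constant-time comparison


def run_exchange() -> Dict[str, bool]:
    """Walk through a good login, a replay of the same response, a wrong secret
    and an unknown user; returns the verifier's verdict for each."""
    alice_key = secrets.token_bytes(32)                 # constructed enrolment secret
    server = Authenticator({"alice": alice_key})

    # Legitimate client: receives the challenge, answers with its own secret.
    challenge = server.issue_challenge("alice")
    good = compute_response(alice_key, challenge)
    results = {"correct_secret": server.verify("alice", good)}

    # Eavesdropper replays the response it captured: the challenge is already spent.
    results["replayed_response"] = server.verify("alice", good)

    # Attacker answers a fresh challenge with a guessed secret.
    challenge = server.issue_challenge("alice")
    results["wrong_secret"] = server.verify("alice", compute_response(b"guess", challenge))

    # A user the server has never enrolled.
    server.issue_challenge("mallory")
    results["unknown_user"] = server.verify("mallory", good)
    return results


if __name__ == "__main__":
    print(run_exchange())
```

Two details matter in practice: the challenge must be unpredictable (a counter or timestamp lets an attacker precompute responses), and the comparison must be constant-time so response bytes cannot be guessed one at a time from timing differences.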
DiD Layer: Configuring Log files
-the log files compiled by a firewall or IDPS give you different options. You can view active data (data compiled by the firewall as traffic moves through the gateway in real time) or data that the device has recently recorded. You can also view the information in the following ways: -System events—These events usually track the operations of the firewall or IDPS, making a log entry whenever it starts or shuts down. -Security events—These events are records of any alerts the firewall or IDPS has issued. -Traffic—This is a record of the traffic that passes through the firewall. -Packets—Some programs enable you to view information about packets that pass through them.
Goals of Network Security: 1. Confidentiality, 2. Integrity, and 3. Availability
-the three primary goals of information security. 1. Confidentiality is the prevention of intentional or unintentional disclosure of communications between a sender and recipient. 2. Integrity ensures the accuracy and consistency of information during all processing (creation, storage, and transmission). 3. Availability is the assurance that authorized users can access resources in a reliable and timely manner.
DiD Layer: Antivirus Protection: Signature Files
-files that contain the patterns of known viruses. -The primary reason for keeping your antivirus software updated: antivirus vendors frequently create updates and make them available for customers to download. -When antivirus software recognizes the presence of a virus, it deletes the infected file from the file system or places it in a storage area called a quarantine, where it cannot replicate or do harm to other files.
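The signature-file scan and quarantine step above, together with the filename checks in the Virus Scanning entry, as an added example written for this page (not code from any antivirus product). The signature patterns are constructed byte strings that stand in for a vendor's signature file, the sample files are written into a temporary directory, and quarantine is a directory into which hits are moved under a non-executable name.

```python
"""Signature-based virus scanning with quarantine: an added example for this
page, not code from any antivirus product. The signature patterns are
constructed byte strings standing in for a vendor's signature file; the
extension heuristics mirror the filename checks described above."""
import os
import shutil
import tempfile
from typing import Dict, List, Optional

# Constructed signatures: name -> byte pattern. A real signature file holds
# thousands of these and is refreshed by the vendor, which is why updates matter.
SIGNATURES: Dict[str, bytes] = {
    "Demo.Macro.A":   b"Sub AutoOpen()\r\nShell(",
    "Demo.Dropper.B": b"\x4d\x5a\x90\x00DEMO-DROPPER",
}

EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".bat", ".vbs", ".js", ".pif"}
ARCHIVE_EXTS = {".zip", ".rar", ".7z"}


def scan_bytes(data: bytes) -> List[str]:
    """Return the names of every signature found in the data."""
    return [name for name, pattern in SIGNATURES.items() if pattern in data]


def suspicious_filename(name: str) -> Optional[str]:
    """Flag executable or archive extensions and the 'innocuous' double-extension
    trick (invoice.pdf.exe) that hides the real file type."""
    parts = name.lower().split(".")
    if len(parts) < 2:
        return None
    ext = "." + parts[-1]
    if len(parts) >= 3 and ext in EXECUTABLE_EXTS:
        return f"double extension hiding executable ({name})"
    if ext in EXECUTABLE_EXTS:
        return f"executable extension {ext}"
    if ext in ARCHIVE_EXTS:
        return f"archive extension {ext}; contents need scanning"
    return None


def scan_file(path: str, quarantine_dir: str) -> dict:
    """Scan one file; on a signature hit move it to quarantine with a
    non-executable suffix so it cannot be launched or spread from there."""
    with open(path, "rb") as fh:
        hits = scan_bytes(fh.read())
    verdict = {"file": os.path.basename(path), "signatures": hits,
               "name_warning": suspicious_filename(os.path.basename(path)),
               "quarantined": False}
    if hits:
        os.makedirs(quarantine_dir, exist_ok=True)
        dest = os.path.join(quarantine_dir, os.path.basename(path) + ".quarantined")
        shutil.move(path, dest)
        verdict["quarantined"] = True
    return verdict


def demo() -> Dict[str, dict]:
    """Write three constructed files into a temp dir, scan them, clean up."""
    root = tempfile.mkdtemp(prefix="avdemo-")
    samples = {
        "report.docm":     b"...Sub AutoOpen()\r\nShell(\"cmd.exe\")...",   # macro signature
        "invoice.pdf.exe": b"\x4d\x5a\x90\x00DEMO-DROPPER payload",          # dropper + double ext
        "notes.txt":       b"nothing to see here",                           # clean
    }
    for fname, content in samples.items():
        with open(os.path.join(root, fname), "wb") as fh:
            fh.write(content)
    try:
        return {f: scan_file(os.path.join(root, f), os.path.join(root, "quarantine"))
                for f in samples}
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(name, verdict)
```

Note that the macro sample carries no suspicious extension at all, which is the "some seem innocuous" case: the extension check alone would have passed it, and only the content signature catches it.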
Goals of Network Security: Providing Non-repudiation
-the capability to prevent a participant in an electronic transaction from denying that it performed an action. -Simply put, it means ensuring that the sender cannot deny sending a message and the recipient cannot deny receiving it. -An important aspect of establishing trusted communication between organizations that do business across a network rather than face to face.
Malicious Code: MyDoom
-worm infected millions of computers in only a few days, costing $38.5 billion in cleanup, lost productivity, and other losses - was believed to have been the fastest-spreading worm ever created - primarily transmitted via e-mail, with subject lines such as "Error," "Mail Delivery System," or "Mail Transaction Failed." If the user opens the attachment, the worm resends itself to e-mail addresses in the user's address book and local files
Stuxnet
-a worm designed to attack Windows systems used in industrial and military settings. Its goal was to infect the control systems of automated industrial processes. -Security experts who analyzed it concluded that it was probably the work of a government operation, because of the complexity of the program and the amount of time and resources required to create and propagate it. -It was most prevalent in Iran; it is widely attributed to the U.S. and Israel, with Iran's nuclear program as the intended target.
Common Attacks and Defenses: Internet Control Message (ICMP) message abuse
A target computer is flooded with a stream of ICMP echo requests (a ping flood) that consumes its bandwidth and processing. -Defense: Set up packet filtering to drop or rate-limit inbound ICMP echo requests at the perimeter.
Common Attacks and Defenses: SYN Flood
A network is overloaded with packets that have the SYN flag set. Servers are overloaded with half-open connection requests and are unable to respond to legitimate requests (a denial of service attack). -Defense: Keep your firewall and OS up to date so that these attacks are blocked by means of software patches and updates (modern TCP stacks mitigate SYN floods with SYN cookies), and review your log files of access attempts to see whether intrusion attempts have been made.
Common Attacks and Defenses: Trojan Program
A user installs a malicious Trojan program that can create a "back door" an attacker can exploit. -Defense: Install antivirus software and keep virus definitions up to date. Keep applications and operating systems patched.
Common Attacks and Defenses: New files being placed on the system
A virus or other program causes new files to proliferate on infected computers, using up system resources. -Defense: Install system-auditing software
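The kind of check the "system-auditing software" defense above performs, as an added example written for this page (not code from any auditing product). It takes a baseline of file hashes while the system is known to be clean and later reports files that are new, modified or deleted, which is how a proliferating or replaced file is noticed. The directory tree and its files are constructed in a temporary directory for the demonstration.

```python
"""File-integrity auditing: an added example for this page, not code from any
auditing product. A baseline of SHA-256 hashes is taken while the system is
known-good; a later pass reports files that are new, modified or deleted,
which is how proliferating or altered files are noticed. The directory and
files are constructed in a temp dir for illustration."""
import hashlib
import os
import shutil
import tempfile
from typing import Dict, List


def hash_file(path: str) -> str:
    """SHA-256 of a file, read in chunks so large files do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> Dict[str, str]:
    """Map each file under root (path relative to root) to its hash."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root)] = hash_file(full)
    return baseline


def compare(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify the differences between the stored baseline and a fresh snapshot."""
    return {
        "new":      sorted(p for p in current if p not in baseline),
        "modified": sorted(p for p in current if p in baseline and current[p] != baseline[p]),
        "deleted":  sorted(p for p in baseline if p not in current),
    }


def demo() -> Dict[str, List[str]]:
    """Baseline a constructed tree, then simulate an infection and re-check."""
    root = tempfile.mkdtemp(prefix="fim-")
    try:
        originals = {"bin/login": b"original binary", "etc/hosts": b"127.0.0.1 localhost\n"}
        for rel, data in originals.items():
            os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(data)
        baseline = build_baseline(root)      # taken while the system is clean

        # Simulated infection: a system binary replaced, dropped files
        # proliferating, and a configuration file removed.
        with open(os.path.join(root, "bin/login"), "wb") as fh:
            fh.write(b"trojanized binary")
        for i in range(3):
            with open(os.path.join(root, f"tmp_drop{i}.dat"), "wb") as fh:
                fh.write(b"\x00" * 100)
        os.remove(os.path.join(root, "etc/hosts"))

        return compare(baseline, build_baseline(root))
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print(demo())
```

Store the baseline somewhere the monitored host cannot rewrite it (read-only media or a separate host); a baseline kept on the same disk is the first thing a careful intruder updates.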
Common Attacks and Defenses: Malicious Port Scanning
An attacker looks for open ports to infiltrate a network. -Defense: Install and configure a firewall, which is hardware and/or software designed to filter out unwanted network traffic and protect authorized traffic.
Common Attacks and Defenses: Man-in-the-middle attack
An attacker operates between two computers in a network and impersonates one of them to intercept, read, or alter communications. -Defense: Use VPN encryption, and verify the identity of the other endpoint (certificate or key validation). Encryption alone does not help if the attacker can pose as the endpoint the client connects to.
Common Attacks and Defenses: Finding vulnerable hosts on the internal network to attack
An attacker who gains access to one computer on a network can get IP addresses, host names, and passwords, which are then used to find other hosts to attack. -Defense: use proxy servers
Common Attacks and Defenses: Social Engineering
An employee is misled into giving out passwords or other sensitive information. -Defense: Educate employees about your security policy, which is a set of goals and procedures for making an organization's network secure.
Hacker
Anyone who attempts to gain access to unauthorized resources on a network, usually by finding a way to circumvent passwords, firewalls, or other protective measures.
Common Attacks and Defenses: Web application attacks
Brute force password guessing is used to gain a valid username/password pair. Popular targets of this attack are Microsoft SQL, SSH servers, and FTP. Cross-site scripting, SQL injection, and PHP File Include attacks are the most popular methods for compromising Web sites. -Defense: Perimeter defenses should be used to ensure that layered defenses identify and prevent attacks aimed at Web servers. Log files can help determine if your Web server has been compromised. Ensure that all applications and operating systems are patched regularly.
Upper Management Support: Key Purposes
Money, Time, Implementation, Support from beginning to end, Keep Everything Up To Date ●The project will cost money, and you need to have funding for the project approved beforehand. ●The project will require IT staff time, and managers, supervisors, and employees from all departments must participate to paint a clear picture of priorities and carry out the security plan. ●The process of implementing security systems might require down time for the network, which translates into lost productivity and inconvenience for everyone. ●Most importantly for the long-term success of security efforts, executives and management need to support the project from start to finish. If they do not, development, testing, implementation, and maintenance are nearly impossible to complete. The necessary resources and enforcement will not be available. Besides, if management does not seem to care and does not support the initiative, why would anyone else?
Common Attacks and Defenses: Virus
Network computers are infected by viruses -Defense: Install antivirus software and keep virus definitions up to date. Keep applications and operating systems patched
Threats to Network Security: Financial Gain
Other attackers have financial profit as their goal. Attackers who break into a network can gain access to financial accounts. They can steal individual or corporate credit card numbers and make unauthorized purchases. Just as often, attackers defraud people out of money with scams carried out via e-mail or other means.
Common Attacks and Defenses: Denial of Service Attack
The traffic into and out of a network is blocked when servers are flooded with malformed packets (bits of digital information) that contain false IP addresses, other harmful data, or other fake communications. -Defense: Keep your server OS up to date; log instances of frequent connection attempts against one service.
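The log review called for in the Log Files Analysis and Configuring Log Files entries, and the "log instances of frequent connection attempts against one service" defense just above, as an added example written for this page (it is not output from, or code for, any firewall or IDPS). The log format is a constructed one (timestamp, action, protocol, source to destination); real devices log the same fields in their own formats, so only the regular expression would change. The sample lines are constructed: a burst of Telnet attempts from one host, a few isolated rejects, and normal Web traffic.

```python
"""Firewall log analysis: an added example for this page, not output from any
product. The log format below is constructed (timestamp, action, protocol,
source -> destination); real firewalls log the same fields in their own
formats. The functions answer the questions the text poses: rejected
attempts per hour, the most-targeted services, the noisiest sources, and
sources that hammer one service repeatedly."""
import re
from collections import Counter, defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed sample log: a Telnet burst from one host, single rejects, and
# normal Web traffic. The comment line shows that non-matching lines are skipped.
SAMPLE_LOG = """\
2024-03-05 02:14:07 DENY TCP 198.51.100.7:51234 -> 203.0.113.10:23
2024-03-05 02:14:08 DENY TCP 198.51.100.7:51235 -> 203.0.113.10:23
2024-03-05 02:14:09 DENY TCP 198.51.100.7:51236 -> 203.0.113.10:23
2024-03-05 02:14:09 ALLOW TCP 192.0.2.44:40000 -> 203.0.113.10:80
2024-03-05 02:14:10 DENY TCP 198.51.100.7:51237 -> 203.0.113.10:23
2024-03-05 02:14:12 DENY TCP 198.51.100.7:51238 -> 203.0.113.10:23
# gateway restarted (constructed non-matching line)
2024-03-05 09:30:01 DENY UDP 192.0.2.9:5353 -> 203.0.113.10:161
2024-03-05 09:31:44 ALLOW TCP 192.0.2.45:40001 -> 203.0.113.10:443
2024-03-05 14:02:13 DENY TCP 198.51.100.7:51240 -> 203.0.113.10:3389
2024-03-05 14:02:13 ALLOW TCP 192.0.2.46:40002 -> 203.0.113.10:80
2024-03-05 14:05:55 DENY TCP 192.0.2.9:40500 -> 203.0.113.10:22
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<action>ALLOW|DENY) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_log(text: str) -> List[dict]:
    """Turn raw lines into records; lines that do not fit the format are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%d %H:%M:%S")
        e["sport"], e["dport"] = int(e["sport"]), int(e["dport"])
        entries.append(e)
    return entries


def denied_per_hour(entries: List[dict]) -> Dict[int, int]:
    """Rejected attempts bucketed by hour of day (the 'sort per hour' report)."""
    return dict(sorted(Counter(e["ts"].hour for e in entries if e["action"] == "DENY").items()))


def top_denied_services(entries: List[dict], n: int = 3) -> List[Tuple[str, int]]:
    c = Counter(f"{e['proto'].lower()}/{e['dport']}" for e in entries if e["action"] == "DENY")
    return c.most_common(n)


def top_sources(entries: List[dict], n: int = 3) -> List[Tuple[str, int]]:
    return Counter(e["src"] for e in entries if e["action"] == "DENY").most_common(n)


def frequent_attempts(entries: List[dict], threshold: int = 5, window_seconds: int = 60) -> List[dict]:
    """Flag (source, destination service) pairs with at least `threshold` rejected
    attempts inside any sliding window of `window_seconds`."""
    by_key = defaultdict(list)
    for e in entries:
        if e["action"] == "DENY":
            by_key[(e["src"], e["dst"], e["proto"], e["dport"])].append(e["ts"])
    alerts = []
    for (src, dst, proto, dport), times in by_key.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append({"src": src, "target": f"{dst}:{dport}/{proto.lower()}",
                               "attempts": end - start + 1,
                               "first": times[start], "last": times[end]})
                break        # one alert per pair is enough for the report
    return alerts


def summarize(text: str) -> dict:
    entries = parse_log(text)
    return {
        "entries": len(entries),
        "denied_per_hour": denied_per_hour(entries),
        "top_denied_services": top_denied_services(entries, 2),
        "top_sources": top_sources(entries, 1),
        "alerts": frequent_attempts(entries),
    }


if __name__ == "__main__":
    for k, v in summarize(SAMPLE_LOG).items():
        print(k, v)
```

The threshold and window are tuning knobs: set them from a week of your own logs so that a legitimate monitoring host that polls a service every minute does not trip the alert, while a scanner or a flood does.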
Access Control Method: Discretionary Access Control (DAC)
With this method, network users are given more flexibility in accessing information. This method allows users to share information with other users; however, the risk of unauthorized disclosure is higher than with the MAC method.
Adeniyi Adeyemi
a contract employee of Bank of New York Mellon, stole the personal information of dozens of bank employees, mainly in the IT department. He used the information to open dummy financial accounts and receive funds stolen from the accounts of charities and nonprofit organizations.
Email and Communications: Firewalls
-In the e-mail context, a firewall's job is to help keep viruses from reaching the system and to prevent Trojan programs from being installed and creating back door openings. A packet-filtering firewall does not look inside attachments, so this depends on content scanning: personal firewall suites, such as Comodo Internet Security, bundle an antivirus program that alerts users to an e-mail attachment or a file containing a known virus.
Ansir Khan
a former bank employee in Sheffield, England, attempted to steal $1.9 million after successfully stealing more than $1.1 million from the bank in April 2005 and May 2006. He extracted customer data and shared it with accomplices. He was sentenced to three years in jail.
Luis Robert Altamirano,
a former employee of United Way in Miami, accessed the United Way computer system a year after he left the organization. He deleted files and disabled the voicemail system. He pled guilty and was sentenced to 18 months in jail and fined $50,000 for computer fraud.
Threats to Network Security: Trojan Programs
a harmful computer program that appears to be something useful, a deception like the Trojan horse of Greek legend. The difference between a virus and a Trojan program lies in how the malicious code spreads: viruses replicate themselves and can cause damage when they run on a user's computer, whereas a Trojan program does not replicate and relies on the user being tricked into installing it. -It can also create a back door, which opens the system to additional attacks. -The hidden or obscure nature of a back door makes the attacker's activities difficult to detect.
Threats to Network Security: Government Operations
a number of countries see computer operations as more than simply a spying technique; computer networks are a potential battleground
Internet Security Concerns
a port number combined with a computer's IP address constitutes a network endpoint called a socket. Attackers commonly use port-scanning software to identify sockets that respond to connection requests. The sockets that respond can then be examined to see whether they have been left open unnecessarily or run a service with an exploitable vulnerability. Hypertext Transfer Protocol (HTTP) Web services use port 80. HTTP is among the most commonly exploited services.
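The probing described above and in the Malicious Port Scanning entry, as an added example written for this page (not code from any scanning tool). A TCP connect scan asks the kernel to complete a three-way handshake with each port: a port that completes it has a listening service, a port that refuses is closed. To stay runnable offline, the block starts its own listener on the loopback interface (a stand-in for a forgotten service) and scans a small range around it; the loopback address and the port window are the only assumptions. Against any host you do not own this is exactly the malicious scanning the page describes, so scan only systems you are authorised to test.

```python
"""Finding sockets that answer: an added example for this page, not code from
any scanning tool. A TCP connect scan completes the handshake with each port;
a port that accepts has a listening service, one that refuses is closed. The
listener below is started locally so the example runs offline."""
import socket
from typing import Iterable, List, Tuple


def scan_ports(host: str, ports: Iterable[int], timeout: float = 0.25) -> List[int]:
    """Return the ports on host that accept a TCP connection."""
    open_ports = []
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            if s.connect_ex((host, port)) == 0:   # 0: the handshake completed
                open_ports.append(port)
    return open_ports


def start_listener(host: str = "127.0.0.1") -> socket.socket:
    """Bind a listening socket on an OS-chosen free port, standing in for a
    service that was left listening with no functional use."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))
    srv.listen(5)
    return srv


def demo() -> Tuple[int, List[int], List[int]]:
    """Scan a window around the listener while it is up, then the same port
    after the service has been shut down."""
    srv = start_listener()
    port = srv.getsockname()[1]
    window = range(max(port - 3, 1), port + 4)
    try:
        while_up = scan_ports("127.0.0.1", window)
    finally:
        srv.close()
    after_close = scan_ports("127.0.0.1", [port])
    return port, while_up, after_close


if __name__ == "__main__":
    port, while_up, after_close = demo()
    print(f"listener on {port}; open while up: {while_up}; after close: {after_close}")
```

Run the same scan from outside the firewall against your own perimeter and compare the result with the list of services you intend to expose; any port that answers and is not on that list is the "porous border" the text warns about.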
Macro Viruses
a type of script that automates repetitive tasks in Microsoft Word or similar applications. When you run a macro, a series of actions is carried out automatically. Macros are a useful way to make some tasks perform more efficiently. Unfortunately, macro viruses use the same mechanism as macros, but they tend to be harmful. -They remain a threat today, but the good news is that the user must perform some action for the virus to be activated; therefore, educating users not to open the attachments is essential. Most modern operating systems and office suites do not automatically run macros, so the threat from macro viruses is reduced.
Threats to Network Security: Worms
creates files that copy themselves repeatedly and consume disk space. -do not require user intervention to be launched; they are self-propagating. -can install back doors -can destroy data on a hard disk -can mutate or be altered to defeat antivirus software
Always-On Connectivity
-Always-on computers are easier to locate and attack because their IP addresses remain the same as long as they are connected to the Internet, which might be days at a time if computers are left on overnight or over a weekend. -Some users have static IP addresses that never change and that enable them to run easily found Web servers or other services. Static IP addresses, however, make it easier for attackers to locate a computer and scan it for open ports. -Always-on remote computers effectively extend the boundaries of your corporate network, and you should secure them as you would any part of your network perimeter.
Threats to Network Security: Terrorists
A terrorist group might want to attack computer systems for several reasons: to make a political statement or accomplish a political goal, such as the release of a jailed comrade; to cause damage to critical systems; or to disrupt the target's financial stability. Attacking the World Trade Center certainly accomplished the latter goal, given the nature and location of the structures. -Such a group might also want simply to cause panic. The overall psychological effect could be just as detrimental as the infrastructure damage and even the loss of life.
Hacker Goals: "Old School"
hackers consider themselves seekers of knowledge; they operate on the theory that knowledge is power, regardless of how they come by that knowledge. They are not out to destroy or harm; they want to discover how things work and open any sources of knowledge they can find. They believe the Internet was intended to be an open environment, and that anything online can and should be available to anyone.
Hacker Goals: Hacktivists
hackers who are computer attackers with political goals. Frequently they use denial of service attacks to shut down Web sites of organizations with whom they disagree. Example: Anonymous has successfully shut down sites of the U.S. Federal Trade Commission to express its opposition to proposed laws that combat digital piracy. Anonymous has also shut down sites that belong to the State of Alabama in protest of immigration laws. After discovering that the Central Intelligence Agency (CIA) was investigating the group, Anonymous shut down some of the CIA's sites as well.
Hacker Goals: Young and Bored
hackers who are highly adept with computers try to gain control of as many systems as possible for the thrill of it. They enjoy disrupting systems and keeping them from working, and they tend to boast about their exploits online.
Hacker Goals: Crackers
hackers who are less ethical and pursue destructive aims, such as the proliferation of viruses and worms, much like vandals
Hacker Goals: Packet Monkeys
hackers who are primarily interested in blocking Web site activities through a distributed denial of service (DDoS) attack. In a DDoS attack, many computers are hijacked and used to flood the target with so many false requests that the server cannot process them all, and normal traffic is blocked. Packet monkeys might also want to deface Web sites by leaving messages that their friends can read.
Hacker Goals: Criminals & Industrial Spies
hackers who might be interested in selling information to the top bidder or using it to influence potential victims. Some companies would certainly be interested in getting the plans for a new product from their competitors.
Basic Authentication
involves using something the user knows, such as a username/password pair
Logic Bomb
malware designed to start at a specific time in the future or when a specified condition exists. At Fannie Mae, the Federal National Mortgage Association, a former engineer planted a logic bomb that could have shut the company down and cost millions by destroying all 4000 of the company's servers. Fortunately, the attack did not succeed. The former employee was sentenced to three years in jail.
Threats to Network Security: Disgruntled Employees
usually unhappy over perceived injustices and want to exact revenge by stealing information. With the economic downturn, more current or former employees are stealing information for financial reasons. Often they give confidential information to new employers. When an employee is terminated, security measures should be taken immediately to ensure that the employee can no longer access the company network and telecommunications systems
Access Control Method: Role-Based Access Control (RBAC)
—This method establishes organizational roles to control access to information. -RBAC method limits access by job function or job responsibility. An employee could have one or more roles that allow access to specific information.
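The three access control methods described in the MAC, DAC and RBAC entries, side by side, as an added example written for this page (not code from any operating system or product). MAC is shown as a label-and-clearance lattice in the Bell-LaPadula style (no read up, no write down), DAC as an owner-managed access control list, and RBAC as permissions attached to roles that users hold. The users, labels, roles and permissions are constructed for the demonstration.

```python
"""The three access control methods side by side: an added example for this
page, not code from any operating system. MAC is modelled on the
Bell-LaPadula rules (no read up, no write down), DAC as an owner-managed ACL,
and RBAC as permissions attached to roles. Users, labels and roles are
constructed for illustration."""
from typing import Dict, Set

# ---- MAC: labels and clearances are fixed in advance by the administrator ----
LEVELS = {"public": 0, "internal": 1, "secret": 2}


def mac_can_read(clearance: str, label: str) -> bool:
    """Simple security property: read only at or below your clearance (no read up)."""
    return LEVELS[clearance] >= LEVELS[label]


def mac_can_write(clearance: str, label: str) -> bool:
    """*-property: write only at or above your clearance (no write down), so a
    secret-cleared user cannot copy secret data into a public file."""
    return LEVELS[label] >= LEVELS[clearance]


# ---- DAC: the owner decides who else gets access ----
class DacResource:
    def __init__(self, owner: str):
        self.owner = owner
        self.acl: Dict[str, Set[str]] = {owner: {"read", "write", "grant"}}

    def grant(self, by: str, to: str, perm: str) -> bool:
        """Only a holder of 'grant' (the owner, by default) can extend access.
        This flexibility is the DAC risk: the owner may share with anyone."""
        if "grant" not in self.acl.get(by, set()):
            return False
        self.acl.setdefault(to, set()).add(perm)
        return True

    def allowed(self, user: str, perm: str) -> bool:
        return perm in self.acl.get(user, set())


# ---- RBAC: permissions belong to roles, users hold roles ----
ROLE_PERMS: Dict[str, Set[str]] = {
    "helpdesk": {"ticket:read", "ticket:write"},
    "payroll":  {"salary:read", "salary:write"},
    "auditor":  {"salary:read", "ticket:read"},
}
USER_ROLES: Dict[str, Set[str]] = {"bob": {"helpdesk"}, "carol": {"payroll", "auditor"}}


def rbac_allowed(user: str, perm: str) -> bool:
    """A user may do anything any one of their roles permits."""
    return any(perm in ROLE_PERMS.get(role, set()) for role in USER_ROLES.get(user, set()))


def demo() -> Dict[str, bool]:
    """Exercise each model on a constructed scenario and return the decisions."""
    r = {
        # MAC: an 'internal' user versus a 'secret' document
        "mac_internal_reads_secret": mac_can_read("internal", "secret"),    # False: no read up
        "mac_secret_reads_internal": mac_can_read("secret", "internal"),    # True
        "mac_secret_writes_public":  mac_can_write("secret", "public"),     # False: no write down
    }
    # DAC: alice owns a file and chooses to share it with bob
    doc = DacResource("alice")
    r["dac_bob_before_grant"] = doc.allowed("bob", "read")                   # False
    r["dac_bob_grants_himself"] = doc.grant("bob", "bob", "read")            # False: not owner
    doc.grant("alice", "bob", "read")
    r["dac_bob_after_grant"] = doc.allowed("bob", "read")                    # True
    # RBAC: access follows job function, not individual identity
    r["rbac_helpdesk_reads_salary"] = rbac_allowed("bob", "salary:read")     # False
    r["rbac_payroll_writes_salary"] = rbac_allowed("carol", "salary:write")  # True
    return r


if __name__ == "__main__":
    for decision, outcome in demo().items():
        print(decision, outcome)
```

The contrast the text draws is visible in the DAC case: once alice grants bob read access nothing in the model stops bob from being the wrong person, whereas under MAC the internal-cleared user is refused the secret document no matter who asks on their behalf.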
Scripting
-executable code attached to e-mail messages or downloaded files that infiltrates a system. -It can be difficult for a firewall or intrusion detection system (IDS) to block all such files; specialty firewalls and other programs should be integrated with existing security systems to keep scripts from infecting a network. -A specialty e-mail firewall can monitor and control certain types of content that pass into and out of a network. These firewalls can be configured to filter out pornographic content, junk e-mail, and malicious code.