CISCO 3 - Module 3 (Network Security Concepts)


Mitigation

Mitigation is the counter-measure that reduces the likelihood or severity of a potential threat or risk. Network security involves multiple mitigation techniques.

Network Scanning and Hacking Tools

Network scanning tools are used to probe network devices, servers, and hosts for open TCP or UDP ports. Examples of scanning tools include Nmap, SuperScan, Angry IP Scanner, and NetScanTools.

Data Loss Vector - Removable Media

One risk is that an employee could perform an unauthorized transfer of data to a USB drive. Another risk is that a USB drive containing valuable corporate data could be lost.

Password Crackers

Password cracking tools are often referred to as password recovery tools and can be used to crack or recover a password. This is accomplished either by removing the original password, after bypassing the data encryption, or by outright discovery of the password. Password crackers work by repeated guessing: each candidate from a wordlist, a brute-force keyspace, or a precomputed rainbow table is hashed and compared against the captured hash, or submitted to a live login service. Examples of password cracking tools include John the Ripper, Ophcrack, L0phtCrack, THC Hydra, RainbowCrack, and Medusa. THC Hydra and Medusa attack live authentication services over the network; the others work offline against captured hashes.
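The guess-and-compare loop described above, as an added example that is not part of the original module. It runs the same constructed six-word wordlist against an unsalted SHA-256 hash and against a salted PBKDF2 hash of the same password, and reports how many guesses and how much time each took. The wordlist, the target password and the iteration count are assumptions chosen for illustration; a real attack would use a dictionary file such as rockyou.txt and far more guesses.

```python
import hashlib
import hmac
import os
import time
from typing import Optional, Tuple

# Constructed wordlist standing in for a real dictionary file (e.g. rockyou.txt);
# order matters because a cracker tries the most common candidates first.
WORDLIST = ["123456", "password", "qwerty", "letmein", "Summer2023", "dragon"]


def crack_unsalted_sha256(target_hex: str, wordlist=WORDLIST) -> Tuple[Optional[str], int]:
    """Dictionary attack against a bare SHA-256 digest (no salt, no work factor).

    Returns (recovered_password_or_None, number_of_guesses_made).
    """
    tried = 0
    for guess in wordlist:
        tried += 1
        digest = hashlib.sha256(guess.encode()).hexdigest()
        if hmac.compare_digest(digest, target_hex):
            return guess, tried
    return None, tried


def crack_pbkdf2(salt: bytes, iterations: int, target: bytes,
                 wordlist=WORDLIST) -> Tuple[Optional[str], int]:
    """Same guess-and-compare loop against PBKDF2-HMAC-SHA256.

    Each guess now costs `iterations` HMAC evaluations. That is the defender's
    lever: a slow, salted hash does not stop the attack, it multiplies its cost.
    """
    tried = 0
    for guess in wordlist:
        tried += 1
        candidate = hashlib.pbkdf2_hmac("sha256", guess.encode(), salt, iterations)
        if hmac.compare_digest(candidate, target):
            return guess, tried
    return None, tried


def demo(password: str = "letmein", iterations: int = 50_000) -> dict:
    """Hash one password both ways, crack both, and report the cost difference."""
    fast_target = hashlib.sha256(password.encode()).hexdigest()
    salt = os.urandom(16)                     # per-user random salt (constructed)
    slow_target = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)

    t0 = time.perf_counter()
    fast_found, fast_tries = crack_unsalted_sha256(fast_target)
    t1 = time.perf_counter()
    slow_found, slow_tries = crack_pbkdf2(salt, iterations, slow_target)
    t2 = time.perf_counter()

    return {
        "sha256": {"found": fast_found, "guesses": fast_tries, "seconds": t1 - t0},
        "pbkdf2": {"found": slow_found, "guesses": slow_tries, "seconds": t2 - t1},
    }


if __name__ == "__main__":
    for scheme, result in demo().items():
        print(f"{scheme:7s} found={result['found']!r} after {result['guesses']} guesses "
              f"in {result['seconds'] * 1000:.1f} ms")
```

Both runs recover the password after the same four guesses; only the elapsed time differs. The salt prevents a precomputed rainbow table from being reused across accounts, and the iteration count is what turns a guess rate of millions per second into thousands per second. Neither helps a password that is in the wordlist at all, which is why password policy and rate-limiting at the login service matter as much as the hash.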

Data Loss Vector - Improper Access Control

Compromised or weak passwords can provide a threat actor with easy access to corporate data.

Reconnaissance Attacks

Reconnaissance is information gathering. It is analogous to a thief surveying a neighborhood by going door-to-door pretending to sell something. What the thief is actually doing is looking for vulnerable homes to break into, such as unoccupied residences, residences with easy-to-open doors or windows, and those residences without security systems or security cameras. Threat actors use reconnaissance (or recon) attacks to do unauthorized discovery and mapping of systems, services, or vulnerabilities. Recon attacks precede access attacks or DoS attacks.

Risk

Risk is the likelihood that a threat will exploit a vulnerability of an asset and negatively affect the organization. Risk is measured by combining the probability that an event occurs with the severity of its consequences.

Data Loss Vector - Cloud Storage Devices

Sensitive data can be lost if access to the cloud is compromised due to weak security settings.

Social Engineering Attacks

Social engineering is an access attack that attempts to manipulate individuals into performing actions or divulging confidential information. Some social engineering techniques are performed in-person while others may use the telephone or internet. Social engineers often rely on people's willingness to be helpful. They also prey on people's weaknesses. For example, a threat actor could call an authorized employee with an urgent problem that requires immediate network access. The threat actor could appeal to the employee's vanity, invoke authority using name-dropping techniques, or appeal to the employee's greed.

Something for Something

Sometimes called "Quid pro quo", this is when a threat actor requests personal information from a party in exchange for something such as a gift.

State-Sponsored Hackers Cont'd

State-sponsored hackers create advanced, customized attack code, often using previously undiscovered software vulnerabilities called zero-day vulnerabilities. An example of a state-sponsored attack involves the Stuxnet malware that was created to damage Iran's nuclear enrichment capabilities.

Other Types of Malware

Other types of malware include adware, ransomware, rootkits, spyware, and worms.

Social Engineering Toolkit (SET)

The Social Engineering Toolkit (SET) was designed to help white hat hackers and other network security professionals create social engineering attacks to test their own networks. Enterprises must educate their users about the risks of social engineering, and develop strategies to validate identities over the phone, via email, or in person.

Initiate a ping sweep of the target network

The information query usually reveals the target's network address. The threat actor can now initiate a ping sweep to determine which IP addresses are active.

Perform an information query of a target

The threat actor is looking for initial information about a target. Various tools can be used, including Google searches, the organization's website, whois, and more.

Run exploitation tools

The threat actor now attempts to discover vulnerable services that can be exploited. A variety of vulnerability exploitation tools exist including Metasploit, Core Impact, Sqlmap, Social Engineer Toolkit, and Netsparker.

Cyber criminals

These are black hat hackers who are either self-employed or working for large cybercrime organizations.

State-Sponsored

These are either white hat or black hat hackers who steal government secrets, gather intelligence, and sabotage networks. Their targets are foreign governments, terrorist groups, and corporations. Most countries in the world participate to some degree in state-sponsored hacking.

White Hat Hackers

These are ethical hackers who use their programming skills for good, ethical, and legal purposes. White hat hackers may perform network penetration tests in an attempt to compromise networks and systems by using their knowledge of computer security systems to discover network vulnerabilities. Security vulnerabilities are reported to developers for them to fix before the vulnerabilities can be exploited.

Hacktivists

These are gray hat hackers who publicly protest organizations or governments by posting articles, videos, leaking sensitive information, and performing network attacks.

Gray Hat Hackers

These are individuals who commit crimes and do arguably unethical things, but not for personal gain or to cause damage. Gray hat hackers may disclose a vulnerability to the affected organization after having compromised their network.

Hacking Operating Systems

These are specially designed operating systems preloaded with tools optimized for hacking. Examples of specially designed hacking operating systems include Kali Linux, Knoppix, BackBox Linux.

Script Kiddies

These are teenagers or inexperienced hackers running existing scripts, tools, and exploits, to cause harm, but typically not for profit.

Black Hat Hackers

These are unethical criminals who compromise computer and network security for personal gain, or for malicious reasons, such as attacking networks.

Vulnerability Broker

These are usually gray hat hackers who attempt to discover exploits and report them to vendors, sometimes for prizes or rewards.

Debuggers

These tools are used by black hats to reverse engineer binary files when writing exploits. They are also used by white hats when analyzing malware. Debugging tools include GDB, WinDbg, Immunity Debugger, and IDA Pro (primarily a disassembler, with integrated debugging support).

Forensic Tools

These tools are used by white hat hackers to sniff out any trace of evidence existing in a computer. Example of tools include Sleuth Kit, Helix, Maltego, and Encase.

Packet Sniffers

These tools are used to capture and analyze packets on traditional Ethernet LANs or WLANs. Tools include Wireshark, Tcpdump, Ettercap, Dsniff, EtherApe, Paros, Fiddler, Ratproxy, and SSLstrip. Strictly, Paros, Fiddler, and Ratproxy are HTTP intercepting proxies and SSLstrip is an HTTPS downgrade tool; they inspect web traffic at the application layer rather than capturing raw frames.

Packet Crafting Tools

These tools are used to probe and test a firewall's robustness using specially crafted forged packets. Examples include Hping, Scapy, Socat, Yersinia, Netcat, Nping, and Nemesis.

Vulnerability Exploitation Tools

These tools identify whether a remote host is vulnerable to a security attack. Examples of vulnerability exploitation tools include Metasploit, Core Impact, Sqlmap, Social Engineer Toolkit, and Netsparker.

Vulnerability Scanners

These tools scan a network or system to identify open ports. They can also be used to scan for known vulnerabilities and scan VMs, BYOD devices, and client databases. Examples of tools include Nipper, Secunia PSI, Core Impact, Nessus v6, SAINT, and OpenVAS.

Man-in-the-Middle Attack

This attack occurs when threat actors have positioned themselves between a source and destination. They can now actively monitor, capture, and control the communication transparently.

Rootkit Detectors

These are file and directory integrity checkers used by white hats to detect installed rootkits: they record hashes, sizes, and permissions of system files in a baseline and report any file that later changes, appears, or disappears. AIDE is an example of such a tool. The module also lists Netfilter and PF (the OpenBSD Packet Filter), but both are packet-filtering firewalls, not integrity checkers.

Run vulnerability scanners

This step queries the identified ports to determine the type and version of the application and operating system running on the host, and checks them against a database of known vulnerabilities. Examples of tools include Nipper, Secunia PSI, Core Impact, Nessus v6, SAINT, and OpenVAS.

Initiate a port scan of active IP addresses

This is used to determine which ports or services are available. Examples of port scanners include Nmap, SuperScan, Angry IP Scanner, and NetScanTools.
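The port-scan and service-identification steps of the reconnaissance procedure (the "Initiate a port scan" and "Run vulnerability scanners" cards), as an added example that is not the module's own code and does not use Nmap. It performs a TCP connect scan, then grabs the banner each open port volunteers, which is the simplest form of version detection. So that it runs offline, `start_fake_service()` starts constructed stand-in daemons on 127.0.0.1 that send an SSH-style and an FTP-style greeting; the banners and port range are assumptions, and the ping-sweep step is omitted because ICMP echo needs raw-socket privileges.

```python
import socket
import threading
from typing import Dict, Iterable, List


def start_fake_service(banner: bytes) -> int:
    """Constructed stand-in for a real daemon: listens on an OS-chosen loopback port,
    sends its banner to every client, then closes. Returns the port number."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(16)
    port = srv.getsockname()[1]

    def serve() -> None:
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                try:
                    conn.sendall(banner)
                except OSError:
                    pass  # scanner closed without reading; harmless

    threading.Thread(target=serve, daemon=True).start()
    return port


def tcp_connect_scan(host: str, ports: Iterable[int], timeout: float = 0.3) -> List[int]:
    """Full three-way-handshake scan: a port is open if connect() succeeds.
    Noisy (every probe is logged by the target) but needs no privileges."""
    open_ports: List[int] = []
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            if s.connect_ex((host, port)) == 0:
                open_ports.append(port)
    return open_ports


def grab_banner(host: str, port: int, timeout: float = 1.0) -> str:
    """Service/version identification: read whatever the service says on connect."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        try:
            return s.recv(256).decode("ascii", errors="replace").strip()
        except socket.timeout:
            return ""  # service waits for the client to speak first (e.g. HTTP)


def recon(host: str, ports: Iterable[int]) -> Dict[int, str]:
    """Enumerate open ports, then fingerprint each one by its banner."""
    return {p: grab_banner(host, p) for p in tcp_connect_scan(host, ports)}


def demo() -> Dict[int, str]:
    ssh_port = start_fake_service(b"SSH-2.0-OpenSSH_8.9p1 Ubuntu-3\r\n")
    ftp_port = start_fake_service(b"220 (vsFTPd 3.0.3)\r\n")
    # Scan a small window around the two live ports; the rest are closed.
    lo = min(ssh_port, ftp_port) - 2
    hi = max(ssh_port, ftp_port) + 2
    return recon("127.0.0.1", range(lo, hi + 1))


if __name__ == "__main__":
    for port, banner in demo().items():
        print(f"{port}/tcp open  {banner}")
```

The banner is exactly what a vulnerability scanner feeds into its lookup: a string such as `OpenSSH_8.9p1` or `vsFTPd 3.0.3` is matched against a database of known CVEs for that version. On the defensive side, the same output is the reason to suppress or genericise version strings where the service allows it, and to alert on a single source connecting to many ports in a short window.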

Eavesdropping Attack

This is when a threat actor captures and "listens" to network traffic. This attack is also referred to as sniffing or snooping.

Shoulder surfing

This is where a threat actor inconspicuously looks over someone's shoulder to steal their passwords or other information.

Tailgating

This is where a threat actor closely follows an authorized person through a controlled door to enter a secure area without presenting credentials.

Dumpster diving

This is where a threat actor rummages through trash bins to discover confidential documents.

Impersonation

This type of attack is where a threat actor pretends to be someone they are not to gain the trust of a victim.

ICMP attacks

Threat actors use Internet Control Message Protocol (ICMP) echo packets (pings) to discover subnets and hosts on a protected network, to generate DoS flood attacks, and to alter host routing tables.

Trojan Horse

Threat actors use Trojan horses to compromise hosts. A Trojan horse is a program that looks useful but also carries malicious code. Trojan horses are often provided with free online programs such as computer games. Unsuspecting users download and install the game, along with the Trojan horse.

Keylogger

Trojan horse actively attempts to steal confidential information, such as credit card numbers, by recording key strokes entered into a web form.

Destructive

Trojan horse corrupts or deletes files.

FTP

Trojan horse enables unauthorized file transfer services on end devices.

Remote-access

Trojan horse enables unauthorized remote access.

Data-sending

Trojan horse provides the threat actor with sensitive data, such as passwords.

Denial of Service (DoS)

Trojan horse slows or halts network activity.

Security software disabler

Trojan horse stops antivirus programs or firewalls from functioning.

Proxy

Trojan horse will use the victim's computer as the source device to launch attacks and perform other illegal activities.

Hacktivists Cont'd

Two examples of hacktivist groups are Anonymous and the Syrian Electronic Army. Although most hacktivist groups are not well organized, they can cause significant problems for governments and businesses. Hacktivists tend to rely on fairly basic, freely available tools.

Script virus

Virus attacks the OS interpreter which is used to execute scripts.

Boot sector virus

Virus attacks the boot sector, file partition table, or file system.

Firmware virus

Virus attacks the device firmware.

Program virus

Virus inserts itself in another executable program.

Macro virus

Virus misuses the macro feature of MS Office or other applications.

Wireless Hacking Tools

Wireless hacking tools are used to intentionally hack into a wireless network to detect security vulnerabilities. Examples of wireless hacking tools include Aircrack-ng, Kismet, InSSIDer, KisMAC, Firesheep, and NetStumbler.

Viruses

Viruses require human action to propagate and infect other computers. For example, a virus can infect a computer when a victim opens an email attachment, opens a file on a USB drive, or downloads a file. The virus hides by attaching itself to computer code, software, or documents on the computer. When opened, the virus executes and infects the computer. Viruses can:
- Alter, corrupt, or delete files, or erase entire drives.
- Cause computer booting issues and corrupt applications.
- Capture and send sensitive information to threat actors.
- Access and use email accounts to spread.
- Lie dormant until summoned by the threat actor.

Worm

- A worm is a self-replicating program that propagates automatically, without user action, by exploiting vulnerabilities in legitimate software.
- It uses the network to search for other victims with the same vulnerability.
- The intent of a worm is usually to slow or disrupt network operations.

Adware

- Adware is usually distributed by downloading online software.
- Adware can display unsolicited advertising using pop-up web browser windows or new toolbars, or unexpectedly redirect a webpage to a different website.
- Pop-up windows may be difficult to control, as new windows can pop up faster than the user can close them.

Ransomware

- Ransomware typically denies a user access to their files by encrypting them and then displaying a message demanding a ransom for the decryption key.
- Users without up-to-date backups that were kept offline or otherwise out of the malware's reach have little recourse other than paying, and payment does not guarantee that a working key is delivered.
- Payment is usually demanded in cryptocurrency such as Bitcoin, or by wire transfer.

Rootkit

- Rootkits are used by threat actors to gain administrator account-level access to a computer.
- They are very difficult to detect because they can alter the firewall, antivirus protection, system files, and even OS commands to conceal their presence.
- They can provide a backdoor giving threat actors access to the PC, allowing them to upload files and install new software to be used in a DDoS attack.
- Special rootkit removal tools must be used to remove them, or a complete OS re-install may be required.

Spyware

- Similar to adware, but used to gather information about the user and send it to threat actors without the user's consent.
- Spyware can be a low threat, gathering browsing data, or a high threat, capturing personal and financial information.

DoS and DDoS Attacks

A Denial of Service (DoS) attack creates some sort of interruption of network services to users, devices, or applications. There are two major types of DoS attacks:
- Overwhelming Quantity of Traffic - The threat actor sends an enormous quantity of data at a rate that the network, host, or application cannot handle. This causes transmission and response times to slow down. It can also crash a device or service.
- Maliciously Formatted Packets - The threat actor sends a maliciously formatted packet to a host or application and the receiver is unable to handle it. This causes the receiving device to run very slowly or crash.

DDoS Attack

A Distributed DoS Attack (DDoS) is similar to a DoS attack, but it originates from multiple, coordinated sources. For example, a threat actor builds a network of infected hosts, known as zombies. The threat actor uses a command and control (CnC) system to send control messages to the zombies. The zombies constantly scan and infect more hosts with bot malware. The bot malware is designed to infect a host, making it a zombie that can communicate with the CnC system. The collection of zombies is called a botnet. When ready, the threat actor instructs the CnC system to make the botnet of zombies carry out a DDoS attack.

Denial of Service Attack

A DoS attack prevents normal use of a computer or network by valid users. A DoS attack can flood a computer or the entire network with traffic until a shutdown occurs because of the overload. A DoS attack can also block traffic, which results in a loss of access to network resources by authorized users.

Sniffer Attack

A sniffer is an application or device that can read, monitor, and capture network data exchanges and read network packets. If the packets are not encrypted, a sniffer provides a full view of the data inside the packet.

IP Address Spoofing Attack

A threat actor constructs an IP packet that appears to originate from a valid address inside the corporate intranet.

Spear phishing

A threat actor creates a targeted phishing attack tailored for a specific individual or organization.

Baiting

A threat actor leaves a malware infected flash drive in a public location. A victim finds the drive and unsuspectingly inserts it into their laptop, unintentionally installing malware.

Pretexting

A threat actor pretends to need personal or financial data to confirm the identity of the recipient.

Phishing

A threat actor sends fraudulent email which is disguised as being from a legitimate, trusted source to trick the recipient into installing malware on their device, or to share personal or financial information.

Threat

A threat is a potential danger to a company's assets, data, or network functionality.

Vulnerability

A vulnerability is a weakness in a system, or its design, that could be exploited by a threat.

Spam

Also known as junk mail, this is unsolicited email which often contains harmful links, malware, or deceptive content.

Assets

An asset is anything of value to the organization. It includes people, equipment, resources, and data.

Vectors of Network Attacks

An attack vector is a path by which a threat actor can gain access to a server, host, or network. Attack vectors originate from inside or outside the corporate network. For example, threat actors may target a network through the internet to disrupt network operations and create a denial of service (DoS) attack.

Exploit

An exploit is a mechanism that takes advantage of a vulnerability.

Vectors of Network Attacks (Internal)

An internal user, such as an employee, can accidentally or intentionally:
- Steal and copy confidential data to removable media, email, messaging software, and other media.
- Compromise internal servers or network infrastructure devices.
- Disconnect a critical network connection and cause a network outage.
- Connect an infected USB drive to a corporate computer system.

Current State of Affairs

Assets must be identified and protected. Vulnerabilities must be addressed before they become a threat and are exploited. Mitigation techniques are required before, during, and after an attack.

Data Loss Vector - Hard Copy

Confidential data should be shredded when no longer required.

Encryption Tools

Encryption tools use cryptographic algorithms to encrypt data so that it cannot be read without the key, either at rest on disk or in transit over the network. Examples of these tools include VeraCrypt and CipherShed (disk and volume encryption), OpenSSL (a general-purpose cryptographic library and toolkit), and OpenSSH, Tor, OpenVPN, and Stunnel (encrypted transport).

Fuzzers to Search Vulnerabilities

Fuzzers feed malformed, random, or boundary-case input to a program or service and watch for crashes and unexpected behaviour that indicate an exploitable bug. The examples the module gives, Skipfish, Wapiti, and W3af, are web application scanners that fuzz HTTP parameters to find vulnerabilities such as injection and cross-site scripting.

Evolution of Hackers

Hacking started in the 1960s with phone freaking, or phreaking, which refers to using audio frequencies to manipulate phone systems. At that time, telephone switches used various tones to indicate different functions. Early hackers realized that by mimicking a tone using a whistle, they could exploit the phone switches to make free long-distance calls. In the mid-1980s, computer dial-up modems were used to connect computers to networks. Hackers wrote "war dialing" programs which dialed each telephone number in a given area in search of computers. When a computer was found, password-cracking programs were used to gain access.

IPv4 and IPv6 Attacks

IP does not validate whether the source IP address contained in a packet actually came from that source. For this reason, threat actors can send packets using a spoofed source IP address. Threat actors can also tamper with the other fields in the IP header to carry out their attacks. Security analysts must understand the different fields in both the IPv4 and IPv6 headers.
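The point that IP carries no proof of its source address, as an added example that is not the module's own code. It builds a minimal IPv4 header with a forged internal source address and a valid checksum, dissects it field by field the way an analyst would, and applies the one check a border router can make: a packet arriving on the outside interface must not claim an inside address (ingress filtering, BCP 38). The packet is constructed in memory; the addresses and network are assumptions, and no packet is sent, since transmitting a forged header needs raw-socket privileges. This also illustrates the "IP Address Spoofing Attack" card above.

```python
import ipaddress
import struct
from typing import Dict

IPV4_HEADER = "!BBHHHBBH4s4s"   # minimal 20-byte header, network byte order


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 header checksum: one's-complement sum of 16-bit words, complemented."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                                  # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, payload_len: int, proto: int = 1,
                      ttl: int = 64, ident: int = 0x1234) -> bytes:
    """Assemble a header with an arbitrary source address and a correct checksum.
    Nothing here ties `src` to the real sender: that is the spoofing gap."""
    ver_ihl = (4 << 4) | 5                               # IPv4, 5 x 32-bit words
    hdr = struct.pack(IPV4_HEADER, ver_ihl, 0, 20 + payload_len, ident, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def parse_ipv4_header(pkt: bytes) -> Dict[str, object]:
    """Dissect the fixed header fields an analyst looks at, and verify the checksum."""
    (ver_ihl, tos, total_len, ident, flags_frag,
     ttl, proto, _csum, src, dst) = struct.unpack(IPV4_HEADER, pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {
        "version": ver_ihl >> 4, "ihl": ihl, "tos": tos, "total_length": total_len,
        "id": ident, "flags": flags_frag >> 13, "frag_offset": flags_frag & 0x1FFF,
        "ttl": ttl, "protocol": proto,
        # summing a header that includes its own checksum folds to 0xFFFF, whose complement is 0
        "checksum_ok": ipv4_checksum(pkt[:ihl]) == 0,
        "src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
    }


def violates_ingress_filter(parsed: Dict[str, object], internal_net: str,
                            arrived_on_external_interface: bool) -> bool:
    """BCP 38-style check: traffic entering from the outside must not claim an
    internal source address. This catches the forged packet below; it cannot catch
    a forged address that belongs to some other external network."""
    return arrived_on_external_interface and (
        ipaddress.ip_address(str(parsed["src"])) in ipaddress.ip_network(internal_net))


def demo() -> Dict[str, object]:
    # Constructed packet: an attacker on the internet forges an internal source address.
    pkt = build_ipv4_header("10.1.1.50", "10.1.1.10", payload_len=8)
    parsed = parse_ipv4_header(pkt)
    parsed["spoof_suspected"] = violates_ingress_filter(parsed, "10.0.0.0/8", True)
    return parsed


if __name__ == "__main__":
    for field, value in demo().items():
        print(f"{field:16s} {value}")
```

The checksum only protects against accidental corruption: an attacker who rewrites the source address simply recomputes it, as `build_ipv4_header()` does. Anything that needs to know who really sent a packet has to come from a higher layer (a TLS handshake, IPsec, an authenticated application protocol), which is also why the TTL, flags, and fragment offset fields deserve a look during analysis: they are equally unauthenticated and are the usual levers for evasion and fragmentation attacks.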

Compromised-Key Attack

If a threat actor obtains a secret key, that key is referred to as a compromised key. A compromised key can be used to gain access to a secured communication without the sender or receiver being aware of the attack.

Data Loss Vector - Unencrypted Devices

If the data is not stored using an encryption algorithm, then the thief can retrieve valuable confidential data.

Password-Based Attacks

If threat actors discover a valid user account, the threat actors have the same rights as the real user. Threat actors could use that valid account to obtain lists of other users, network information, change server and network configurations, and modify, reroute, or delete data.

Data Modification Attack

If threat actors have captured enterprise traffic, they can alter the data in the packet without the knowledge of the sender or receiver.
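The data modification attack above, together with the compromised-key attack, as an added example that is not the module's own code. A sender attaches an HMAC-SHA256 tag to each message; a man-in-the-middle who alters the payload without the key is detected, while one who holds a compromised copy of the key can re-tag the altered payload and pass verification. The shared key, the messages, and the attacker's substitution are constructed for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

Message = Tuple[bytes, bytes]   # (payload, authentication tag)


def protect(key: bytes, payload: bytes) -> Message:
    """Sender side: attach an HMAC-SHA256 tag computed over the payload."""
    return payload, hmac.new(key, payload, hashlib.sha256).digest()


def verify(key: bytes, msg: Message) -> bool:
    """Receiver side: recompute the tag and compare in constant time."""
    payload, tag = msg
    return hmac.compare_digest(hmac.new(key, payload, hashlib.sha256).digest(), tag)


def man_in_the_middle(msg: Message, new_payload: bytes,
                      stolen_key: Optional[bytes] = None) -> Message:
    """Attacker on the path. Without the key they can only swap the payload and keep
    the old tag; with a compromised key they can re-tag the altered payload."""
    _payload, tag = msg
    if stolen_key is None:
        return new_payload, tag
    return protect(stolen_key, new_payload)


def demo() -> dict:
    key = os.urandom(32)                      # shared secret agreed out of band (constructed)
    original = protect(key, b"TRANSFER 100.00 TO ACCT 1234")
    tampered = man_in_the_middle(original, b"TRANSFER 100.00 TO ACCT 6666")
    forged = man_in_the_middle(original, b"TRANSFER 100.00 TO ACCT 6666", stolen_key=key)
    return {
        "original_accepted": verify(key, original),
        "tampered_accepted": verify(key, tampered),   # modification is detected
        "forged_accepted": verify(key, forged),       # key compromise defeats the check
    }


if __name__ == "__main__":
    print(demo())
```

Two limits worth stating. An integrity tag does not stop replay: the attacker can resend the unmodified original as often as they like, so real protocols such as TLS and IPsec also authenticate a sequence number. And once a key is compromised, every message protected with it, past and future, is suspect, which is the argument for short-lived per-session keys and for rotating any long-term key the moment compromise is suspected.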

Buffer overflow attacks

In a buffer overflow attack, the threat actor sends a program more data than the buffer it reads into was sized to hold, so the excess overwrites adjacent memory. At minimum this crashes the process or renders the system inoperable, creating a DoS attack; if the overwritten memory holds a return address or function pointer, the attacker can redirect execution and run code of their choosing. The figure shows the threat actor sending many packets to the victim in an attempt to overflow the victim's buffer.

Man-in-the-middle attacks

In a man-in-the-middle attack, the threat actor is positioned in between two legitimate entities in order to read or modify the data that passes between the two parties. The figure displays an example of a man-in-the-middle attack.

Password Attacks

In a password attack, the threat actor attempts to discover critical system passwords using various methods. Password attacks are very common and can be launched using a variety of password cracking tools.

Port redirections

In a port redirection attack, a threat actor uses a compromised system as a base for attacks against other targets. The example in the figure shows a threat actor using SSH (port 22) to connect to a compromised Host A. Host A is trusted by Host B and, therefore, the threat actor can use Telnet (port 23) to access it.

Trust exploitations

In a trust exploitation attack, a threat actor uses unauthorized privileges to gain access to a system, possibly compromising the target. Click Play in the figure to view an example of trust exploitation.

Spoofing Attacks

In spoofing attacks, the threat actor's device attempts to pose as another device by falsifying data. Common spoofing attacks include IP spoofing, MAC spoofing, and DHCP spoofing. These spoofing attacks will be discussed in more detail later in this module.

Data Loss Vector - Email/Social Networking

Intercepted email or IM messages could be captured and reveal confidential information.

Cyber Criminals Cont'd

It is estimated that cyber criminals steal billions of dollars from consumers and businesses. Cyber criminals operate in an underground economy where they buy, sell, and trade attack toolkits, zero day exploit code, botnet services, banking Trojans, keyloggers, and much more. They also buy and sell the private information and intellectual property they steal. Cyber criminals target small businesses and consumers, as well as large enterprises and entire industries.

Access Attacks

Access attacks exploit known vulnerabilities in authentication services, FTP services, and web services. The purpose of these types of attacks is to gain entry to web accounts, confidential databases, and other sensitive information. Threat actors use access attacks on network devices and computers to retrieve data, gain access, or to escalate access privileges to administrator status.

Data Loss

Data is likely to be an organization's most valuable asset. Organizational data can include research and development data, sales data, financial data, human resource and legal data, employee data, contractor data, and customer data. Data loss or data exfiltration is when data is intentionally or unintentionally lost, stolen, or leaked to the outside world. The data loss can result in:
- Brand damage and loss of reputation
- Loss of competitive advantage
- Loss of customers
- Loss of revenue
- Litigation/legal action resulting in fines and civil penalties
- Significant cost and effort to notify affected parties and recover from the breach

DoS Attack

DoS attacks are a major risk because they interrupt communication and cause significant loss of time and money. These attacks are relatively simple to conduct, even by an unskilled threat actor.

