Lecture Information systems security - Chapter 2: Identifying potential risks


Document information

Pages: 80
Size: 2.12 MB

Contents

After studying this chapter you should be able to differentiate among various systems' security threats: privilege escalation, viruses, worms, Trojans, spyware, spam, adware, rootkits, botnets, logic bombs, ... For further information, please refer to the lecture.

Page 1

Identifying Potential Risks

Page 12

- Implement security applications
- Differentiate between the different ports and protocols, their respective threats and mitigation techniques

Page 14

- Attack Strategies
- Recognizing Common Attacks
- Identifying TCP/IP Security Concerns
- Understanding Software Exploitation
- Surviving Malicious Code
- Other Attacks and Frauds

Page 15

Attack Strategies

- Access attack: someone who should not be able to access your resources wants to do so. Its purpose is to gain access to information that the attacker isn't authorized to have.
- Modification and repudiation attack: someone wants to modify information in your systems.
- Denial-of-service (DoS) attack

Page 16

Access Attack Types

- Eavesdropping
  - Eavesdropping is the process of listening in on or overhearing parts of a conversation, including listening in on your network traffic.
  - This type of attack is generally passive.

Page 17

Access Attack Types

- Interception can be either an active or a passive process.
  - Intercept (v.): to stop something or someone that is going from one place to another before they get there.
- In a networked environment, a passive interception would involve someone who routinely monitors network traffic.
- Active interception might include putting a computer system between the sender and receiver to capture information as it is sent. The process is usually covert.
- Intercept missions can occur for years without the knowledge of the parties being monitored.

Page 18

Modification & Repudiation Attacks

- Modification attacks involve the deletion, insertion, or alteration of information in an unauthorized manner that is intended to appear genuine to the user.
- They're similar to access attacks in that the attacker must first get to the data on the servers, but they differ from that point on.
- The motivation for this type of attack may be to plant information, change grades in a class, fraudulently alter credit card records, or something similar.
- Website defacements are a common form of modification attack.

Page 19

Modification & Repudiation Attacks

- A repudiation attack is a variation of the modification attack.
  - repudiate /rɪpjudieɪt/: to refuse to accept or continue with something; to state or show that something is not true or correct.
- Repudiation attacks make data or information appear to be invalid or misleading.
- Repudiation attacks are fairly easy to accomplish because most e-mail systems don't check outbound mail for validity.
- Repudiation attacks, like modification attacks, usually begin as access attacks.

Page 20

DoS Attacks

- Denial-of-Service
- DoS attacks prevent access to resources by users authorized to use those resources.
- Most simple DoS attacks occur from a single system.
- Types of DoS attacks:
  - ping of death
  - buffer overflow

Page 21

DoS Attacks

Page 22

Wireless DoS

- Requires a powerful transmitter

Page 23

An Easier Wireless DoS

Page 24

DDoS Attacks

- Distributed Denial-of-Service attacks
- Multiple computer systems are used to conduct the attack.
- Botnet: the malicious software running on a zombie

Page 25

DDoS Attacks

Page 26

- How do we deal with denial-of-service attacks?

Page 28

Back Door Attacks

- Back doors?

Page 31

Replay Attacks

- The attacker captures the information and replays it later.
- The information can be usernames, passwords, or certificates from authentication systems such as Kerberos.

Page 32

Wall of Sheep

Captured passwords projected on the wall at DEFCON

Page 33

Replay Attacks

- Solutions: certificates usually contain a unique session identifier and a time stamp.
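To show why the session identifier and time stamp defeat a replay, here is an added example (my code, not the lecture's): a ticket carries both fields under a MAC, and the receiver rejects tickets that are too old or whose identifier it has already accepted. The shared key, token format and the 30-second window are constructed for the demo.

```python
import hashlib
import hmac

# Shared key between the authentication server and the service.
# Constructed for this demo; not a real credential.
SECRET = b"constructed-demo-key"


def issue_token(session_id, issued_at, secret=SECRET):
    """Build a ticket carrying a unique session identifier, an issue time
    and a MAC so that neither field can be altered by a replaying party."""
    body = f"{session_id}|{issued_at}"
    mac = hmac.new(secret, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}|{mac}"


class ReplayGuard:
    """Receiver-side check: valid MAC, fresh time stamp, unseen session id."""

    def __init__(self, max_age=30, skew=5, secret=SECRET):
        self.max_age = max_age      # seconds a ticket stays acceptable
        self.skew = skew            # tolerated clock drift between parties
        self.secret = secret
        self.seen = {}              # session_id -> time it can be forgotten

    def verify(self, token, now):
        try:
            session_id, ts, mac = token.split("|")
            issued_at = int(ts)
        except ValueError:
            return "malformed"
        body = f"{session_id}|{issued_at}".encode()
        expected = hmac.new(self.secret, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(mac, expected):
            return "bad-mac"        # tampered session id or time stamp
        if now - issued_at > self.max_age or issued_at > now + self.skew:
            return "expired"        # the time stamp alone defeats old captures
        # Forget ids that are now too old to pass the freshness check anyway.
        self.seen = {s: t for s, t in self.seen.items() if t > now}
        if session_id in self.seen:
            return "replay"         # a fresh capture presented a second time
        self.seen[session_id] = issued_at + self.max_age + self.skew
        return "ok"
```

The seen-id table only has to remember identifiers for as long as the time stamp would still accept them, which keeps replay state bounded.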

Page 34

- Records cookies and replays them
- This technique breaks into Gmail accounts
- Technical name: Cross-Site Request Forgery
- Almost all social networking sites are vulnerable to this attack
  - Facebook, MySpace, Yahoo, etc.

Page 36

Privilege Escalation

- Privilege escalation can be the result of an error on an administrator's part in assigning too high a permission set to a user, but it's more often associated with bugs left in software.
- Cheat codes in video games

Page 38

OSI vs TCP/IP

Page 39

TCP/IP model

- Network Access = OSI layers 1 & 2; defines LAN communication. What do I mean by that?
- Network = OSI layer 3; defines addressing and routing.
- Transport/Host-to-Host = OSI layers 4 & 5; defines a communication session between two applications on one or two hosts.
- Application = OSI layers 6 & 7; the application data that is being sent across a network.

Page 40

Network Access Layer

- Maps to layers 1 and 2 of the OSI model
- The level that a network interface card works on
- Source and destination MAC addresses are used to define the communication endpoints
- Protocols include:
  - Ethernet
  - Token Ring
  - FDDI

Page 41

Network Layer

- Routing, IP addressing, and packaging
- Internet Protocol (IP) is a routable protocol, and it's responsible for:
  - IP addressing
  - fragmenting and reassembling message packets
  - only routing information; it doesn't verify it for accuracy (accuracy checking is the responsibility of TCP)

Page 42

Host-to-Host or Transport Layer

- Maps to layers 4 and 5 of the OSI model
- Concerned with establishing sessions between two applications
- Source and destination endpoints are defined by port numbers
- The two transport protocols in TCP/IP are TCP and UDP

Page 43

TCP – Transmission Control Protocol

- Connection-oriented, "guaranteed" delivery
- Advantages
  - Easier to program with
  - Truly implements a "session"
  - Adds security
- Disadvantages
  - More overhead / slower

Page 44

UDP – User Datagram Protocol

- Connectionless, non-guaranteed delivery (best effort)

Page 45

Application Layer

- Most programs, such as web browsers, interface with TCP/IP at this level
- Protocols:
  - Hypertext Transfer Protocol (HTTP)
  - File Transfer Protocol (FTP)
  - Simple Mail Transfer Protocol (SMTP)
  - Telnet
  - Domain Name Service (DNS)
  - Routing Information Protocol (RIP)
  - Post Office Protocol (POP3)

Page 46

- Encapsulate
  - to express or show something in a short way
  - to completely cover something with something else, especially in order to prevent a substance getting out

Page 47

- State Transition Keying
- Phase Shift Keying (PSK)
- Modulation and Demodulation
  - Used in modems and in transferring data units among OSI layers

Page 48

Recognizing TCP/IP Attacks

- Port Mirroring
- Sniffing the Network
- TCP Attacks

Page 49

Port Mirroring

Page 50

- A device that captures and displays network traffic

Page 51

TCP SYN or TCP ACK Flood Attack

- The client and server exchange information in TCP packets.
- The TCP client sends an ACK packet to the server.
- ACK packets tell the server that a connection is requested.
- The server responds with an ACK packet.
- The TCP client sends another packet to open the connection.
- Instead of opening the connection, the TCP client continues to send ACK packets to the server.

Page 52

TCP SYN or TCP ACK Flood Attack
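The handshake-flood pattern described above leaves a tell-tale trace on the server: connections stuck half-open because the final step never arrives. As an added example (not from the lecture), this code parses a netstat-style connection table and flags the two indicators a defender watches for: many half-open connections from one source, and a high half-open share overall (the latter matters because flood sources are often spoofed). The table below is constructed sample data.

```python
from collections import Counter

# Constructed sample of a server's connection table (netstat-style columns:
# state, recv-q, send-q, local address, remote address). Not real data.
SAMPLE_TABLE = """\
ESTABLISHED 0 0 10.0.0.5:80 198.51.100.20:40112
SYN_RECV 0 0 10.0.0.5:80 203.0.113.7:51234
SYN_RECV 0 0 10.0.0.5:80 203.0.113.7:51235
SYN_RECV 0 0 10.0.0.5:80 203.0.113.7:51236
SYN_RECV 0 0 10.0.0.5:80 203.0.113.7:51237
SYN_RECV 0 0 10.0.0.5:80 198.51.100.44:33001
ESTABLISHED 0 0 10.0.0.5:443 198.51.100.20:40113
"""


def parse_table(text):
    """Return (state, local, remote_ip) tuples; header/blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        state, _recv_q, _send_q, local, remote = parts
        remote_ip = remote.rsplit(":", 1)[0]   # strip the ephemeral port
        rows.append((state, local, remote_ip))
    return rows


def half_open_by_source(rows):
    """Half-open (SYN_RECV) connections per remote address."""
    return Counter(src for state, _local, src in rows if state == "SYN_RECV")


def flag_sources(rows, per_source_threshold=3):
    """Sources holding at least `per_source_threshold` half-open connections."""
    counts = half_open_by_source(rows)
    return sorted(src for src, n in counts.items() if n >= per_source_threshold)


def half_open_ratio(rows):
    """Share of all tracked connections that are half-open; a sudden rise
    is the indicator that survives spoofed source addresses."""
    if not rows:
        return 0.0
    return sum(1 for state, _l, _r in rows if state == "SYN_RECV") / len(rows)
```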

Page 53

TCP Sequence Number Attack

- TCP sequence number attacks occur when an attacker takes control of one end of a TCP session.
- Each time a TCP message is sent, either the client or the server generates a sequence number.
- The attacker intercepts and then responds with a sequence number similar to the one used in the original session.
- Disrupts or hijacks a valid session

Page 54

Wireless Attacks

- Rogue access points
  - Rogue: not behaving in the usual or accepted way and often causing trouble
  - Employees often set up home wireless routers for convenience

Page 55

Wireless Attacks

Page 56

- War driving
  - Beaconing: at regular intervals, a wireless AP sends a beacon frame to announce its presence and to provide the necessary information for devices that want to join the network.
  - Scanning: each wireless device looks for those beacon frames.
  - Unapproved wireless devices can likewise pick up the beaconing RF transmission.
  - Formally known as wireless location mapping

Page 57

Wireless Attacks

- Bluetooth
  - A wireless technology that uses short-range RF transmissions
  - Provides for rapid "on the fly" and ad hoc connections between devices
- Bluesnarfing
  - Stealing data through a Bluetooth connection
  - E-mails, calendars, contact lists, cell phone pictures and videos, ...

Page 59

Software Exploitations

- Database exploitation
  - If a client session can be hijacked or spoofed, the attacker can formulate queries against the database that disclose unauthorized information.

Page 62

- Multipartite Virus: attacks the system in multiple ways

Page 63

- Phage Virus
  - Modifies and alters other programs and databases
  - The only way to remove this virus is to reinstall the programs that are infected
- Polymorphic Virus
  - Changes form in order to avoid detection
  - Frequently, the virus will encrypt parts of itself to avoid detection

Page 64

- Stealth Virus
  - Attempts to avoid detection by masking itself from applications

Page 65

Logic Bombs

- Logic bombs are programs or snippets of code that execute when a certain predefined event occurs.

Page 67

Null Sessions

- Connections to a Microsoft Windows 2000 or Windows NT computer with a blank username and password
- An attacker can collect a lot of data from a vulnerable system
- Cannot be fixed by patches to the operating systems
- Much less of a problem with modern Windows versions: Windows XP SP2, Vista, or Windows 7

Page 68

Domain Name Kiting

- Check kiting
  - A type of fraud that involves the unlawful use of checking accounts to gain additional time before the fraud is detected
- Domain Name Kiting
  - Registrars are organizations that are approved by ICANN to sell and register Internet domain names.
  - A five-day Add Grace Period (AGP) permits registrars to delete any newly registered Internet domain names and receive a full refund of the registration fee.

Page 69

Domain Name Kiting

- Unscrupulous registrars register thousands of Internet domain names and then delete them.
- Recently expired domain names are indexed by search engines.
- Visitors are directed to a re-registered site, which is usually a single-page website with paid advertisement links.
- Visitors who click on these links generate money for the registrar.

Page 70

SNMP (Simple Network Management Protocol)

- Used to manage switches, routers, and other network devices
- Early versions did not encrypt passwords and had other security flaws
- But the old versions are still commonly used

Page 71

DNS (Domain Name System)

- DNS is used to resolve domain names like www.ccsf.edu to IP addresses like 147.144.1.254
- DNS has many vulnerabilities
- It was never designed to be secure

Page 72

DNS Poisoning

Page 73

Local DNS Poisoning

- Put false entries into the hosts file
  - C:\Windows\System32\Drivers\etc\hosts

Page 74

DNS Cache Poisoning

- Attacker sends many spoofed DNS responses
- Target just accepts the first one it gets

Page 75

Sending Extra DNS Records

Page 76

DNS Transfers

- Intended to let a new DNS server copy the records from an existing one
- Can be used by attackers to get a list of all the machines in a company, like a network diagram
- Usually blocked by modern DNS servers

Page 77

Protection from DNS Attacks

- Antispyware software will warn you when the hosts file is modified
- Using updated versions of DNS server software prevents older DNS attacks against the server
  - But many DNS flaws cannot be patched
- Eventually: switch to DNSSEC (Domain Name System Security Extensions)
  - But DNSSEC is not widely deployed yet, and it has its own problems

Page 78

ARP (Address Resolution Protocol)

- ARP is used to convert IP addresses like 147.144.1.254 into MAC addresses like 00-30-48-82-11-34

Page 79

ARP Cache Poisoning

- Attacker sends many spoofed ARP responses
- Target just accepts the first one it gets
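Both the DNS cache poisoning slide (page 74) and this ARP one turn on the same weakness: the target accepts the first response it gets. As an added example (my code, not the lecture's), here is a binding cache that instead requires a DNS answer to match a query it actually sent and refuses to let a live binding be overwritten by a conflicting answer, recording the conflict as the poisoning indicator. The event timeline, transaction ids and the 203.0.113.9 / de-ad-be-ef-00-01 values are constructed; www.ccsf.edu, 147.144.1.254 and 00-30-48-82-11-34 are the slides' own examples.

```python
class BindingCache:
    """IP -> MAC (ARP) or name -> IP (DNS) cache that does not blindly accept
    the first answer that arrives."""
    def __init__(self, ttl):
        self.ttl = ttl
        self.entries = {}   # key -> (value, expires_at)
        self.pending = {}   # key -> transaction id of a query we really sent
        self.alerts = []

    def ask(self, key, txid):
        self.pending[key] = txid

    def observe(self, key, value, now, txid=None):
        # DNS answers must match an outstanding query's id (ARP has none: txid=None).
        if txid is not None and self.pending.get(key) != txid:
            self.alerts.append(("unsolicited", key, value))
            return "unsolicited"
        current = self.entries.get(key)
        # A live binding is not overwritten by a conflicting answer; the
        # conflict itself is the poisoning indicator worth alerting on.
        if current and current[1] > now and current[0] != value:
            self.alerts.append(("conflict", key, current[0], value))
            return "rejected"
        self.entries[key] = (value, now + self.ttl)
        self.pending.pop(key, None)
        return "accepted"

# Constructed ARP replies: (time, ip, mac). The gateway's MAC changes at
# t=7, which is what an ARP poisoning attempt looks like on the wire.
ARP_EVENTS = [
    (0, "10.0.0.1", "00-30-48-82-11-34"),
    (5, "10.0.0.1", "00-30-48-82-11-34"),
    (7, "10.0.0.1", "de-ad-be-ef-00-01"),
    (8, "10.0.0.1", "de-ad-be-ef-00-01"),
]

def run_arp_scenario():
    cache = BindingCache(ttl=60)
    results = [cache.observe(ip, mac, t) for t, ip, mac in ARP_EVENTS]
    return results, cache.entries["10.0.0.1"][0], len(cache.alerts)

def run_dns_scenario():
    # Constructed: the resolver asks for www.ccsf.edu; spoofed answers
    # arrive before and after the genuine one.
    cache = BindingCache(ttl=300)
    cache.ask("www.ccsf.edu", txid=0x1A2B)
    first = cache.observe("www.ccsf.edu", "203.0.113.9", 1, txid=0x9999)
    real = cache.observe("www.ccsf.edu", "147.144.1.254", 2, txid=0x1A2B)
    late = cache.observe("www.ccsf.edu", "203.0.113.9", 3, txid=0x1A2B)
    return first, real, late, cache.entries["www.ccsf.edu"][0]
```

The transaction-id check is only as strong as the id's unpredictability, which is why real resolvers also randomize the source port; the conflict alert is what a host-based monitor would raise on the ARP side.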

Page 80

Results of ARP Poisoning Attacks

Posted: 30/01/2020, 12:26
