
COMP3357 Cyber Security

COMP3357 Cyber Security. Richard Henson, University of Worcester, March 2017. Week 6: Risks from External Threats. Objectives: explain clearly the difference between an internal threat and an external threat





Presentation Transcript


  1. COMP3357 Cyber Security
     Richard Henson, University of Worcester, March 2017

  2. Week 6: Risks from External Threats
     • Objectives:
       • Explain clearly the difference between an internal threat and an external threat
       • Explain different approaches to managing external threats so vulnerabilities are not exploited
       • Explain why a solely technical solution to external threats is very likely to fail…

  3. NOT about “the insider threat”(!)
     • Much of this module has been about the internal organisation structure…
     • Analysis of risk is not complete without looking specifically at external threats to an organisation’s infrastructure
       • many ways the network’s defences could be tested… and breached… without help from the malign or dopey insider!

  4. Can’t see everything when inside looking out!
     • The network team should do all they can to ensure that their network is safe and secure against unauthorised intruders
       • but the team are working on the inside
     • Outsiders looking in may see something that an insider can’t…
       • e.g. a security “hole”

  5. The “good” outsider
     • An increasing number of organisations actually pay people to try to hack into their network!
       • professional service, provides a report
     • low-level prodding… vulnerability testing
       • fairly inexpensive – needed for the CE+ standard
     • higher-level “hacking”… penetration testing
       • expensive – needed for the PCI-DSS standard

  6. Ethical Hacking principles
     • If not done by a professional, with permission… illegal!
       • even if legal, may not be ethical!
     • Even law-enforcement professionals only hack without permission if they believe a law is being broken!

  7. Ethical Hacking Guidelines
     • Remember… you are the good guys, so be good!!!
     • ALWAYS ask permission
       • otherwise definitely unethical
       • and if more than just vulnerability scanning, may be illegal…
         • “gaining access without permission” (Computer Misuse Act)

  8. A Bit of Theory
     • The Internet, and most networks, use a 7-layer software model called OSI (1978)
     • Why 7 layers? A compromise to get all international players to agree
       • top layer – application (app)
       • bottom layer – physical (hardware)
     • web apps have to engage with all seven layers!

  9. TCP/IP and the Seven Layers
     • TCP (Transport Control Protocol) and IP (Internet Protocol) only make up part (layers 3 & 4) of the seven layers
       • upper layers interface with TCP to produce the screen display
       • lower-layer packets are required to interface with hardware to create/convert electrical signals
     • Each layer represents a potential security vulnerability (!)
     [Diagram: screen – app vulnerability; port vulnerability – TCP, IP; network vulnerability – hardware]

  10. OSI layers and Hacking
     • Application layer connects to the transport layer through…
       • session layer
         • used for logon
     • Popular way to hack…
       • bypass the session layer
       • program as “anonymous”

  11. Secure HTTP and the session layer
     • Application layer protocols communicate with the TCP layer through unique TCP logical ports via an (optional) session layer logon
     • Anonymous ftp, http, etc… bypass the session layer
       • no authentication
     [Diagram: Layer 7 – “Session” – Layer 4]

  12. Security and the session layer
     • App user security is therefore imposed by authenticating at the “logon” layer
       • a username/password check is required before data can pass the session layer and be displayed by the browser
     [Diagram: Layer 7 – “Session” – Layer 4]

  13. Network Layers and Hacking
     • Schematic TCP/IP stack interacting at the higher OSI levels (application, transport, network)
     [Diagram: HTTP, FTP, HTTPS, NFS, DNS and SNMP each bound to a port, over TCP/UDP, over IP]

  14. TCP & UDP ports
     • Hackers exploit vulnerable software using transport layer ports to get inside firewalls etc.
     • Essential to know the most frequently “scanned” ports (e.g. by hacking software):
       • 20, 21 ftp      80 http          389 Ldap
       • 22 ssh          88 Kerberos      443 https
       • 23 telnet       110 pop3         636 Ldap/SSL
       • 25 smtp         135 smb
       • 53 dns          137-9 NetBIOS
       • 60 tftp         161 SNMP

  15. Typical Types of External Attacks - 1
     • Obtaining valid passwords and masquerading as a legitimate user…
       • Dictionary
         • compare password characters for a match against words in the dictionary
       • Exhaustive
         • “brute force” attacks using all possible combinations of passwords to gain access
       • Inference
         • if a default password has never been changed…
         • taking educated guesses on passwords, based on information gleaned through “social engineering” and other “footprinting” techniques

  16. Types of External Attacks - 2
     • TOC/TOU (Time of check/Time of use)
       • hacking tool that “watches” access to web apps via the TCP/UDP port
       • depends on the fact that a user privilege change doesn’t come into effect until they log out and log in again
         • TOC is when the user logs on…
         • TOU is when that web app is actually used by the user
       • hacker exploits the contradictory message…
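The privilege-caching weakness behind the TOC/TOU attack on this slide, shown as an added Python example (not code from the original slides): a session that records the user's role at logon keeps permitting admin actions after the role has been revoked, whereas a check that re-reads the current role at time of use denies them. The user store, session class, role names and password are constructed for the example.

```python
import hmac

# Constructed user store: the authoritative record of each user's role
# (assumption for this example; a real app would read a database)
USERS = {"alice": {"password": "s3cret", "role": "admin"}}


class Session:
    """Created at logon (time of check); caches the role seen at that moment."""

    def __init__(self, user, role):
        self.user = user
        self.role_at_logon = role  # never refreshed while the session lives


def login(user, password):
    """Authenticate and create a session; returns None on failure."""
    rec = USERS.get(user)
    if rec is None or not hmac.compare_digest(rec["password"].encode(), password.encode()):
        return None
    return Session(user, rec["role"])


def revoke_admin(user):
    """An administrator demotes the user; takes effect immediately in the store."""
    USERS[user]["role"] = "user"


def can_delete_records_stale(session):
    """Time-of-use check that trusts the role cached at time of check (the flaw)."""
    return session.role_at_logon == "admin"


def can_delete_records_fresh(session):
    """Time-of-use check that re-reads the authoritative role from the store (the fix)."""
    return USERS[session.user]["role"] == "admin"


def demo():
    """Log in as admin, get demoted, then attempt the privileged action both ways."""
    s = login("alice", "s3cret")
    revoke_admin("alice")
    return can_delete_records_stale(s), can_delete_records_fresh(s)


if __name__ == "__main__":
    print(demo())  # (True, False): stale check still allows, fresh check denies
```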

  17. Types of External Attacks - 3
     • 1. use of a “sniffer” (e.g. keylogger) to capture logon data for a valid network user operating outside the organisation
       • perhaps logging in to the organisational Extranet (see diagram… next slide)
     • 2. (later…) using captured data & machine IP address (obtained through footprinting) in an attempt to impersonate the original user/client
       • may even be able to escalate privileges for that user to cause even more disruption…

  18. Intranet
     • Misunderstood term
       • achieved by organisations using http to share data internally in a www-compatible format
       • Many still call a protected file structure on its own an Intranet… (technically incorrect!)
     • uses secure user authentication
     • uses a secure data transmission system
     • Implemented as EITHER:
       • a single LAN (domain) with a web server (see diagram)
       • several interconnected LANs (trusted domains)
         • covering a larger geographic area

  19. Extranet
     • An extension of the Intranet beyond the organisation boundary to cover selected trusted “links”
       • e.g. customers and business partners
     • uses the public Internet as its transmission system
     • requires authentication to gain access
     • Can provide secure TCP/IP access to:
       • paid research
       • current inventories
       • internal databases
       • any unpublished information

  20. Typical Types of External Attacks – 4, 5, 6
     • Three other types of attacks that firewalls should be configured to protect against:
       • denial of service (DOS) attacks
       • distributed denial of service (DDOS) attacks
       • IP Spoofing (pretence that the data is coming from a “safe” source IP address)

  21. Attacks through Website
     • Cross-site Scripting
       • clone whole website
       • put cloned website on another server (proxy)
       • set traffic to reroute to the proxy server
     • SQL Injection
       • use SQL “trigger” code on an HTML form to gain access to a database… then the full range of SQL commands is available to the hacker…

  22. “Scanning” Methodology for Ethical Hackers
     • Check for live systems
     • Check for open ports
     • Note the web page error page used
       • e.g. “bad html request”
       • exploit this… “Banner Grabbing”
     • Scan for vulnerabilities
     • Draw network diagram(s)
     • Prepare proxies… (next slide)
     • then tell the (shocked?) client…

  23. A LAN-Internet connection via Proxy Server
     [Diagram: Internet/external network (e.g. TCP/IP) – Proxy Server – internal network using local IP addresses and a local protocol]

  24. Cyber Security careers
     • https://www.eventbrite.co.uk/e/careers-in-cyber-security-panel-talk-tickets-32320787345

  25. How can hackers exploit TCP & UDP ports?
     • This is what “back door” entry is all about…
       • “front door” is via username/password
       • “back door” is using anonymous access and a software vulnerability
         • result of bad programming?
         • virus manipulating functionality
         • “hole” deliberately programmed in…

  26. Port “holes”
     • Web applications use HTTP (application layer) linking to TCP or UDP (transport layer)
       • vulnerabilities can cause bypass of the login (session layer) completely!!!
       • “anonymous” login
     • can also use vulnerabilities created by malware (e.g. “Back Door Trojan”)

  27. What can hackers do, via exploited TCP & UDP ports?
     • Range of options available:
       • Denial of Service (DoS) attack
         • using the TCP port utilised by “ping”
       • Distributed Denial of Service (DDoS) attack
         • ping from multiple (maybe many thousands!) “Internet-ready” devices
       • IP spoofing
         • disguising data packets by changing “IP header” addresses

  28. “Ping” Attacks
     • Also called “The Ping of Death”
       • exploits TCP port 161; ICMP service
       • ICMP cannot just be turned off or blocked – used for important network management purposes
     • Protection not that difficult:
       • block ICMP echo requests and replies
       • ensure there is a rule blocking "outgoing time exceeded" & "unreachable" messages

  29. “Ping” Attacks (2)
     • Can take two forms (both stopped by restricting ICMP):
       • the attacker deliberately creates a very large ping packet and then transmits it to a victim
         • ICMP can't deal with large packets
         • the receiving computer is unable to accept delivery and crashes or hangs
       • an attacker sends thousands of ping requests to a victim so that its processor time is taken up answering ping requests, preventing the processor from responding to other, legitimate requests

  30. Denial of Service (DoS) Attacks
     • Attempt to harm a network server by flooding it with traffic so it is overwhelmed and unable to provide services
     • Uses Ping:
       • sends a brief request to a remote computer asking it to echo back its IP address
       • again, and again, and again…

  31. Distributed Denial of Service (DDoS) Attacks
     • Related to DoS:
       • A DDOS attack has occurred when the attacker:
         • gains access to a wide number of computers/devices
         • uses them to launch a coordinated attack against the IP address of a “victim” computer
       • historically, relied on home computers
         • less frequently protected
         • can also use worms and viruses already there…
       • with more and more “flawed” electronic devices now “Internet ready” (IP addresses and TCP/IP)
         • often imperfectly written applications, which can be exploited…

  32. IP Spoofing
     • Hackers can gain access to a PC within a protected network (Intranet – see next slide)
       • use footprinting to obtain its IP address
       • write this into packet headers
       • dodgy packets of data will be routed to that PC!
       • can then reassemble as malware, then devastate that PC…
         • or the whole network!

  33. Intranet
     • Often implemented as a single LAN (domain) with a web server (see above)
     • Internal IP addresses should be protected by networking software, but IP spoofing is a threat…

  34. Protection against DDOS & IP Spoofing
     • Block traffic coming into the network that contains IP addresses from the internal network…
     • In addition, block the following private IP, illegal and unroutable addresses:
       • Illegal/unroutable:
         • 255.255.255.255, 27.0.0.0, 240.0.0.0, & 0.0.0.0
       • “Private” addresses useful for NAT or Proxy Servers (RFC 1918):
         • 10.0.0.0-10.255.255.255
         • 172.16.0.0-172.31.255.255
         • 192.168.0.0-192.168.255.255
     • Finally, keep anti-virus software up-to-date, & firewall software patched and up-to-date
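An ingress anti-spoofing filter that applies the rules on this slide, written here as an added Python example rather than anything from the original slides: it drops packets arriving from the Internet whose source address lies in the internal network, in the RFC 1918 private ranges, or in the unroutable ranges the slide lists. The internal prefix 198.51.100.0/24, the sample packets and the extra loopback block 127.0.0.0/8 are assumptions for the example.

```python
import ipaddress

# Constructed internal (site) prefix; in practice this is the organisation's
# own address block (assumption for this example)
INTERNAL_NET = ipaddress.ip_network("198.51.100.0/24")

# Source ranges an Internet-facing interface should never see: the slide's
# RFC 1918 private ranges and unroutable addresses, plus loopback (assumption)
BOGON_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918 private
    "255.255.255.255/32", "240.0.0.0/4", "0.0.0.0/8",   # illegal/unroutable
    "127.0.0.0/8",                                       # loopback (assumption)
)]


def classify_ingress(src_ip):
    """Return (verdict, reason) for a packet arriving from the external network."""
    src = ipaddress.ip_address(src_ip)
    if src in INTERNAL_NET:
        # An internal source on the outside interface is spoofed by definition
        return "DROP", "spoofed internal source"
    for net in BOGON_NETS:
        if src in net:
            return "DROP", f"bogon source in {net}"
    return "ACCEPT", "external source"


# Constructed sample of ingress packets as (source, destination) pairs
SAMPLE_PACKETS = [
    ("93.184.216.34", "198.51.100.10"),     # genuine external client
    ("198.51.100.22", "198.51.100.10"),     # claims to be an internal host
    ("192.168.1.5", "198.51.100.10"),       # private source, never routable here
    ("0.0.0.0", "198.51.100.10"),           # unroutable source
    ("255.255.255.255", "198.51.100.10"),   # broadcast as source
]


def filter_ingress(packets):
    """Apply the ingress rule to each packet; returns [(src, verdict), ...]."""
    return [(src, classify_ingress(src)[0]) for src, _dst in packets]


if __name__ == "__main__":
    for src, verdict in filter_ingress(SAMPLE_PACKETS):
        print(f"{src:>16}  {verdict}")
```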

  35. Conclusion
     • External threats are unlikely to disappear, even with good organisational policy followed avidly by all users
     • Technical expertise and the right tools/equipment are vital to make sure the network is, and remains, safe for all authorised users
