
CIST 1601 Information Security Fundamentals

CIST 1601 Information Security Fundamentals. Chapter 2 Identifying Potential Risks. Collected and Compiled By JD Willard MCSE, MCSA, Network+, Microsoft IT Academy Administrator Computer Information Systems Technology Albany Technical College. Calculating Attack Strategies.


Presentation Transcript


  1. CIST 1601 Information Security Fundamentals

    Chapter 2: Identifying Potential Risks. Collected and compiled by JD Willard, MCSE, MCSA, Network+, Microsoft IT Academy Administrator, Computer Information Systems Technology, Albany Technical College
  2. Calculating Attack Strategies

    An attack occurs when an unauthorized individual or group of individuals attempts to access, modify, or damage your systems or environment. These attacks can be fairly simple and unfocused, or they can appear to be almost blitzkrieg-like in their intensity. Attacks occur in many ways and for different reasons. They are generally used to accomplish one or more of these three goals:
    - In an access attack, someone who is not authorized to use your resources tries to access them.
    - In a modification and repudiation attack, someone wants to modify information in your systems.
    - A denial-of-service (DoS) attack is an attempt to disrupt your network and services. When your system becomes so busy responding to illegitimate requests, it can prevent authorized users from having access.
    Regardless of the motive, your job is to protect the people you work with from these acts of aggression.
  3. Dumpster Diving (3:51)

    Understanding Access Attack Types

    An access attack is an attempt to gain access to information that the attacker isn’t authorized to have. Dumpster diving is a common physical access method. Dumpsters may contain information that is highly sensitive in nature. Equipment is sometimes put in the garbage because city laws do not require special disposal. Because intruders know this, they can scavenge through discarded equipment and documents and extract sensitive information without ever contacting anyone in the company. A second common method used in access attacks is to capture information en route between two systems. There are several common types of access attacks:
    - Eavesdropping is the process of listening in on or overhearing parts of a conversation, including listening in on your network traffic. This type of attack is generally passive.
    - Snooping occurs when someone looks through your files hoping to find something interesting. The files may be either electronic or on paper. In the case of physical snooping, people might inspect your Dumpster, recycling bins, or even your file cabinets; they can look under the keyboard for Post-it notes or look for scraps of paper tacked to your bulletin board. Computer snooping, on the other hand, involves someone searching through your electronic files trying to find something interesting.
    - Interception can be either an active or a passive process. A passive interception would involve someone who routinely monitors network traffic. Active interception might include putting a computer system between the sender and receiver to capture information as it is sent. From the victim’s perspective, either form of interception is a covert process.
  4. Recognizing Modification and Repudiation Attacks

    Modification attacks involve the deletion, insertion, or alteration of information in an unauthorized manner that is intended to appear genuine to the user. These attacks can be hard to detect. The motivation for this type of attack may be to plant information, change grades in a class, fraudulently alter credit card records, or something similar. Website defacements involve someone changing web pages in a malicious manner. Repudiation attacks make the data or information that is used invalid or misleading, which can be even worse. An example of a repudiation attack might be someone accessing your e-mail server and sending inflammatory information to others. This information can prove embarrassing to you or your company if this happens. Repudiation attacks are fairly easy to accomplish because most e-mail systems do not check outbound mail for validity. Repudiation attacks usually begin as access attacks. A common type of repudiation attack would involve a customer who claims that they never received a service for which they were billed. In this situation, the burden of proof is on the company to prove that the information used to generate the invoice is accurate. If the data has been modified by an external attacker, verifying the accuracy of the information may be difficult.
  5. Denial of Service (7:10)

    Identifying Denial-of-Service Attacks

    A denial-of-service (DoS) attack is intended to prevent authorized users from accessing network resources by overwhelming or flooding a service or network. DoS attacks are very common on the Internet. An attacker may attempt:
    - To bring down an e-commerce website
    - To prevent or deny usage by legitimate customers
    A significant increase in network traffic might indicate that a network is undergoing a DoS attack. Performance baselines can help to determine if you are undergoing a DoS attack. Virtualization can help to prevent DoS attacks. Smurf attacks are well-known DoS attacks during which internal addresses are spoofed as the source of the attack. The attack itself is an ICMP ping sent to the victim. A DoS attack that attempts to block service or reduce activity on a host by sending ping requests directly to the victim using ICMP is called a ping flood or Ping of Death. A SYN flood attack is the exploitation of the TCP handshake. A flood attack is designed to overload a protocol or service by repeatedly initiating a request for service. This type of attack usually results in a DoS situation because the protocol freezes or excessive bandwidth is used in the network as a result of the requests. Buffer overflow attacks exploit poor programming techniques and code review. A buffer overflow occurs when a buffer receives more data than it is programmed to accept. These attacks are common on Web servers. A buffer overflow attack can be detected using a packet sniffer. A long string of numbers in the middle of a packet is indicative of a buffer overflow attack. The best countermeasure for a buffer overflow attack on a commercial application is to update the software with the latest patches, updates, and service packs. Another countermeasure for buffer overflow attacks is input validation, which can prevent the input of certain characters that would cause an application or database to lock up.
    Buffer Overflows (4:56)
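The two buffer-overflow countermeasures the slide names, input validation on the server and a sniffer-side check for over-long fields, as an added example in Python that is not part of the course slides. The line-oriented protocol, its per-command field limits (FIELD_LIMITS) and the sample packets are all constructed for the demonstration.

```python
"""Input validation as a buffer-overflow countermeasure, plus a sniffer-style
check for over-long fields. Added example, not from the course slides; the
line-oriented protocol, its field limits and the sample packets are all
constructed for this demonstration."""
import string

# Constructed protocol spec: command -> maximum argument length in bytes.
# A server that copies the argument into a fixed-size buffer must enforce
# these limits before the copy, not after.
FIELD_LIMITS = {"USER": 32, "PASS": 64, "HOST": 253}
PRINTABLE = frozenset(string.ascii_letters + string.digits + string.punctuation + " ")


def check_request(raw: bytes):
    """Validate one request line. Returns (accepted, reason)."""
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return False, "non-ASCII bytes in request"
    cmd, _, arg = text.rstrip("\r\n").partition(" ")
    limit = FIELD_LIMITS.get(cmd)
    if limit is None:
        return False, f"unknown command {cmd!r}"
    if len(arg) > limit:
        return False, f"{cmd} argument is {len(arg)} bytes, limit is {limit}"
    if not set(arg) <= PRINTABLE:
        return False, f"{cmd} argument contains non-printable characters"
    return True, "ok"


def longest_run(data: bytes) -> int:
    """Length of the longest run of a single repeated byte value."""
    best = run = 0
    prev = None
    for b in data:
        run = run + 1 if b == prev else 1
        prev = b
        best = max(best, run)
    return best


def suspicious_packets(packets, min_run=64):
    """Sniffer-side heuristic from the slide: a request whose argument exceeds
    the protocol limit, or that carries a long run of one repeated byte, is
    flagged. Returns the indices of flagged packets."""
    flagged = []
    for i, raw in enumerate(packets):
        accepted, _ = check_request(raw)
        if not accepted or longest_run(raw) >= min_run:
            flagged.append(i)
    return flagged


# Constructed sample capture: two normal requests, one over-long USER field,
# one request carrying control characters.
SAMPLE_PACKETS = [
    b"USER alice\r\n",
    b"PASS correct horse battery staple\r\n",
    b"USER " + b"A" * 500 + b"\r\n",
    b"HOST mail.example.com\x00\x01\r\n",
]

if __name__ == "__main__":
    for raw in SAMPLE_PACKETS:
        print(check_request(raw))
    print("flagged packet indices:", suspicious_packets(SAMPLE_PACKETS))
```

The length check runs before anything is copied or parsed further, which is the order that matters: a limit enforced after the copy into a fixed-size buffer is no limit at all.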
  6. Identifying Distributed Denial-of-Service Attacks

    Botnets (3:44)

    Distributed Denial of Service (DDoS) attacks are an extension of the DoS attack. In a DDoS attack, the attacker uses multiple computers to target a critical server and deny access to legitimate users. A hacker might install malicious code on computers on a network to form a botnet and then remotely trigger the botnet to cause a flood of network traffic. The infected computers then act as “zombies” by performing malicious acts on behalf of the perpetrator. The primary components of a DDoS attack are:
    - The client
    - The masters or handlers: systems on which the attacker has been able to gain administrative access and that instruct the slaves to launch an attack against a target host
    - The slaves: typically systems that have been compromised through back doors, such as Trojans, and that are not aware of their participation in the attack
    - The target system
    It is difficult to detect DDoS attacks by using security technologies such as SSL and PKI. To detect the use of zombies in a DDoS attack, you should examine the firewall logs. Both zombies and botnets can be used in a DDoS attack. A bot, short for robot, is an automated computer program that needs no user interaction. Bots are systems that outside sources can control. A zombie is a remote-controlled malicious program. A botnet is formed when a malicious program is installed on several host computers and is remotely triggered. You may also hear a botnet referred to as a zombie army.
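The baseline comparison that slide 5 recommends for spotting a DoS flood, and the firewall-log review that slide 6 recommends for finding the zombies behind a DDoS, as an added example in Python that is not part of the course slides. The log format, the baseline of 2 requests per second, the 5x alert factor and every address (RFC 5737 documentation ranges) are constructed for the demonstration.

```python
"""Using a performance baseline and firewall logs to spot a flood and the
hosts generating it. Added example, not from the course slides; the log
format, the baseline value and every address (RFC 5737 documentation
ranges) are constructed for this demonstration."""
import re
from collections import Counter

# Constructed baseline: requests per second the web server normally sees.
BASELINE_RPS = 2

# Constructed firewall log: one line per accepted connection, second resolution.
# 10:00:02 is the flood second: three outside hosts send 10 of its 11 requests.
FIREWALL_LOG = """\
2024-03-01T10:00:00 src=192.0.2.10 dst=198.51.100.10 dport=443 action=accept
2024-03-01T10:00:00 src=192.0.2.11 dst=198.51.100.10 dport=443 action=accept
2024-03-01T10:00:00 src=192.0.2.12 dst=198.51.100.10 dport=80 action=accept
2024-03-01T10:00:01 src=192.0.2.10 dst=198.51.100.10 dport=443 action=accept
2024-03-01T10:00:01 src=192.0.2.13 dst=198.51.100.10 dport=80 action=accept
2024-03-01T10:00:02 src=203.0.113.5 dst=198.51.100.10 dport=80 action=accept
2024-03-01T10:00:02 src=203.0.113.5 dst=198.51.100.10 dport=80 action=accept
2024-03-01T10:00:02 src=203.0.113.5 dst=198.51.100.10 dport=80 action=accept
2024-03-01T10:00:02 src=203.0.113.5 dst=198.51.100.10 dport=80 action=accept
2024-03-01T10:00:02 src=203.0.113.6 dst=198.51.100.10 dport=80 action=accept
2024-03-01T10:00:02 src=203.0.113.6 dst=198.51.100.10 dport=80 action=accept
2024-03-01T10:00:02 src=203.0.113.6 dst=198.51.100.10 dport=80 action=accept
2024-03-01T10:00:02 src=203.0.113.6 dst=198.51.100.10 dport=80 action=accept
2024-03-01T10:00:02 src=203.0.113.7 dst=198.51.100.10 dport=80 action=accept
2024-03-01T10:00:02 src=203.0.113.7 dst=198.51.100.10 dport=80 action=accept
2024-03-01T10:00:02 src=192.0.2.10 dst=198.51.100.10 dport=443 action=accept
2024-03-01T10:00:03 src=192.0.2.11 dst=198.51.100.10 dport=443 action=accept
2024-03-01T10:00:03 src=192.0.2.12 dst=198.51.100.10 dport=80 action=accept
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")


def parse_log(text):
    """Turn log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            e = m.groupdict()
            e["dport"] = int(e["dport"])
            events.append(e)
    return events


def rate_per_second(events):
    """Requests observed in each one-second bucket."""
    return Counter(e["ts"] for e in events)


def flagged_seconds(events, baseline_rps, factor=5):
    """Seconds whose request rate exceeds the baseline by more than `factor`."""
    limit = baseline_rps * factor
    return sorted(ts for ts, n in rate_per_second(events).items() if n > limit)


def suspect_sources(events, seconds, min_share=0.25):
    """Inside the flagged seconds, the sources responsible for at least
    `min_share` of the requests: the hosts the firewall log points at as
    probable zombies."""
    wanted = set(seconds)
    counts = Counter(e["src"] for e in events if e["ts"] in wanted)
    total = sum(counts.values())
    if total == 0:
        return []
    return sorted(src for src, n in counts.items() if n / total >= min_share)


if __name__ == "__main__":
    events = parse_log(FIREWALL_LOG)
    hot = flagged_seconds(events, BASELINE_RPS)
    print("flood seconds:", hot)
    print("suspect sources:", suspect_sources(events, hot))
```

Note that the third flooding host (203.0.113.7) falls under the 25% share threshold; in a real DDoS the per-zombie share is far smaller still, which is why the slide says the attack is hard to detect by source alone and why the rate-versus-baseline check comes first.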
  7. Distributed Denial-of-Service Attack

  8. Recognizing Common Attacks

    Most attacks are designed to exploit potential weaknesses, which can be in the implementation of programs or in the protocols used in networks. Many types of attacks require a high level of sophistication and are rare, but you need to know about them so that, should they occur, you can identify what has happened in your network. You need to be aware that many attacks are often launched in combination with each other.
  9. Back Door Attacks

    Back doors are programs or services that system designers use to bypass security. During the development of a complicated operating system or application, programmers add back doors or maintenance hooks to allow rapid code evaluation and testing. These back doors allow them to examine operations inside the code while the code is running. If not removed before application deployment, such entry points can present the means for an attacker to gain unauthorized access later. Other back doors may be inserted by the application designers purposefully, presenting later threats to the network if applications are never reviewed by another application designer before deployment. Back doors can also be put in place maliciously.
  10. Back Door Attacks

    The second type of back door refers to gaining access to a network and inserting a program or utility that creates an entrance for an attacker. These applications work by installing a client application on the attacked computer and then using a remote application to gain access to the attacked computer. The program may allow a certain user ID to log on without a password or gain administrative privileges. A number of tools exist to create back door attacks on systems. One of the more popular is Back Orifice. Another popular back door program is NetBus. A back door attack is usually either an access or modification attack. Fortunately, most conventional antivirus software will detect and block these types of attacks. A back door attack can be used to bypass the security of a network. In this example, the attacker is using a back door program to utilize resources or steal information.
  11. Spoofing Attacks

    Spoofing occurs when an attacker pretends to be something they are not in order to gain access. In a spoofing attack, which is also referred to as a masquerading attack, a person or program is able to masquerade successfully as another person or program. IP spoofing refers to modifying the source IP address field in an IP datagram to imitate the IP address of a packet originating from an authorized source. This results in the target computer communicating with the attacker’s computer and providing access to restricted resources. Spoofing attacks also have to do with the misdirection of domain name resolution and Internet traffic. DNS poisoning is the practice of dispensing IP addresses and host names with the goal of traffic diversion. Basically, the Internet traffic is misdirected because the DNS server is resolving the domain name to an incorrect IP address. Properly configured DNS security on the DNS server can provide message validation, which, in turn, would prevent DNS poisoning. The latest release of DNS includes measures to defend against DNS cache poisoning. A very common spoofing attack that was popular for many years involved a programmer writing a fake logon program. This program would prompt the user for a user ID and password. Other types of spoofing attacks, apart from IP spoofing, are:
    - E-mail spoofing
    - Web spoofing
    - A man-in-the-middle attack, which is a spoofing as well as a session hijacking attack
    This type of attack is usually considered an access attack.
  12. A spoofing attack during logon

    Spoofing Attacks

    The attacker in this situation impersonates the server to the client attempting to log in. No matter what the client attempts to do, the impersonating system will fail the login. When this process is finished, the impersonating system disconnects from the client. The client then logs in to the legitimate server. In the meantime, the attacker now has a valid user ID and password.
  13. Man-in-the-Middle and ARP Poisoning (8:08)

    Man-in-the-Middle Attacks

    A man-in-the-middle attack attempts to fool both ends of a communications session into believing the system in the middle is the other end. The hacker’s system appears to be the server to the real client and appears to be the client to the real server.  The man-in-the-middle software may be recording information for someone to view later, altering it, or in some other way compromising the security of your system and session. A man-in-the-middle attack can be perpetrated by hijacking a communications session between a Web browser and a Web server. When a Web browser submits information to a Web server through a form, a hacker might be able to gain sensitive information, such as credit card numbers. The method used in these attacks clandestinely places a piece of software between a server and the user. The software intercepts and then sends the information to the server. The server responds back to the software, thinking it is the legitimate client. This attack is common in wireless technologies. A common solution to this problem is to enforce a secure wireless authentication protocol such as WPA2. This type of attack is an access attack, but it can be used as the starting point for a modification attack.
  14. Man-in-the-Middle Attacks

    Notice how both the server and client assume that the system they’re talking to is the legitimate system. The man in the middle appears to be the server to the client, and it appears to be the client to the server.
  15. Replay Attacks

    An attacker presenting a previously captured certificate to a Kerberos-enabled system. The attacker gets legitimate information from the client and records it. Then, the attacker attempts to use the information to enter the system. The attacker later replays the information to gain access.

    Replay attacks are becoming quite common. These attacks occur when information is captured over a network and the attacker attempts to replay the results to gain access. In a distributed environment, logon and password information is sent between the client and the authentication system. The attacker can capture this information and replay it again later. This can also occur with security certificates from systems such as Kerberos: the attacker resubmits the certificate, hoping to be validated by the authentication system and circumvent any time sensitivity. Replay attacks are used for access or modification attacks. The best countermeasure for replay attacks is to implement timestamps and sequence numbers.
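The countermeasure the slide names, timestamps plus sequence numbers, as an added example in Python that is not part of the course slides. The message format, the shared key (SHARED_KEY), the 30-second acceptance window and the user names are constructed for the demonstration; the HMAC tag is what stops a captured message from being edited and resubmitted with a fresh timestamp or sequence number.

```python
"""Timestamp plus sequence-number protection against replayed logon
messages. Added example, not from the course slides; the message format, the
shared key and the acceptance window are constructed for this demonstration."""
import hashlib
import hmac

SHARED_KEY = b"constructed-shared-secret"  # assumption: agreed out of band by client and server
WINDOW_SECONDS = 30                         # assumption: tolerated clock skew plus transit delay


def make_message(key, user, seq, timestamp):
    """Client side: bind user, sequence number and time together with an HMAC,
    so the captured message cannot be altered and resubmitted with new values."""
    body = f"{user}|{seq}|{timestamp}"
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}|{tag}"


class ReplayGuard:
    """Server side: accept each (user, sequence number) at most once, and only
    while the timestamp is fresh."""

    def __init__(self, key, window=WINDOW_SECONDS):
        self.key = key
        self.window = window
        self.last_seq = {}  # user -> highest sequence number accepted so far

    def verify(self, message, now):
        parts = message.split("|")
        if len(parts) != 4:
            return False, "malformed"
        user, seq_text, ts_text, tag = parts
        # Check the tag first: whoever edits the timestamp or sequence number of
        # a captured message cannot recompute the tag without the key.
        body = f"{user}|{seq_text}|{ts_text}".encode()
        expected = hmac.new(self.key, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return False, "bad tag"
        try:
            seq, timestamp = int(seq_text), int(ts_text)
        except ValueError:
            return False, "malformed"
        if abs(now - timestamp) > self.window:
            return False, "stale timestamp"
        if seq <= self.last_seq.get(user, -1):
            return False, "sequence number already used"
        self.last_seq[user] = seq
        return True, "accepted"


if __name__ == "__main__":
    guard = ReplayGuard(SHARED_KEY)
    first = make_message(SHARED_KEY, "alice", 1, 1000)
    print(guard.verify(first, 1005))   # fresh, first use
    print(guard.verify(first, 1010))   # same message replayed a few seconds later
    print(guard.verify(first, 5000))   # replayed long after the window closed
```

The timestamp alone would still allow a replay inside the 30-second window, and the sequence number alone would allow a replay forever if the server ever lost its counter table, which is why the slide asks for both.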
  16. Password-Guessing Attacks

    A password guessing attack occurs when a user account is repeatedly attacked using a variety of different passwords. This is accomplished by utilizing applications known as password crackers, which send possible passwords to the account in a systematic manner. The attacks are initially carried out to gain passwords for an access or modification attack. A password cracker is a software utility that allows direct testing of user logon password strength by conducting a brute force password test using dictionary terms, specialized lexicons, or mandatory complexity guidelines. Passwords are susceptible to sniffing, dictionary attacks, brute force attacks, and social engineering attacks. In addition, passwords can sometimes be obtained by gaining access to a network and accessing the password file. Sniffing occurs when an attacker captures information from a network to obtain user passwords. Many times this technique provides the attacker with multiple user passwords. To prevent this, you should always encrypt your password when it is stored on electronic devices or transmitted across the network. There are two types of password-guessing attacks:
    - Brute-force attack
    - Dictionary attack
  17. Brute-force attack 

    A brute force password attack, also known as exhaustive attack, is when an attacker tries many different combinations (sometimes hundreds and thousands) of random alphanumeric characters to try and “guess” the password. A brute force password attack can include the use of rainbow tables. A rainbow table is a lookup table that recovers a plaintext password from a password hash. It usually works well in finding weak passwords in use. Weak passwords are those passwords that are not complex or long enough. To implement strong passwords, you should force users to create passwords of at least eight characters in length that include both uppercase and lowercase letters, numbers, and special characters. To protect against brute force attacks, an account lockout policy should be enforced that locks out a user’s account after a certain number of unsuccessful login attempts. A brute force attack can also be possible if a token and a personal identification number (PIN) are used to access a system and the token performs offline checking of the PIN.
  18. Dictionary attack  

    Dictionary attacks employ the use of a dictionary of words as the password to repeatedly attempt to access a system using a valid user account. A dictionary attack is based on the attacker’s efforts to determine the decryption key to defeat a cipher. This attack uses words from the dictionary and typically succeeds because many users choose passwords from a dictionary that are easy to remember. Therefore, the dictionary attack is a part of cryptanalysis. One-way encryption or one-way hashing protects against reading or modifying the password file, but an intruder can launch a dictionary attack after capturing the password file. A short dictionary attack involves trying a list of hundreds or thousands of words that are frequently chosen as passwords against several systems. Most systems resist such attacks; some do not. In one case, one system in five yielded to a particular dictionary attack. A long dictionary attack can be executed against an encrypted password file provided the attacker has access to the system, has read access to the password file, and knows the encryption mechanism used to encrypt the password file. A dictionary attack and a brute force attack are very similar in that they both focus on cracking the password. The tools used in dictionary and brute force attacks are sometimes referred to as password crackers.
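The defenses slides 17 and 18 describe, a strong-password policy (eight characters with all four character classes), an account lockout after repeated failures, and a salted one-way hash so a captured password file resists rainbow tables and offline dictionary attacks, as an added example in Python that is not part of the course slides. The lockout threshold of five failures, the PBKDF2 work factor, the word list (COMMON_WORDS) and the accounts are constructed for the demonstration.

```python
"""Password policy, salted hashing and account lockout as defenses against
brute-force and dictionary attacks. Added example, not from the course
slides; the policy thresholds, the word list and the accounts are
constructed for this demonstration."""
import hashlib
import hmac
import os
import string

MIN_LENGTH = 8            # policy from the slides: at least eight characters
MAX_FAILURES = 5          # assumption: lock the account after five failed attempts
PBKDF2_ROUNDS = 100_000   # assumption: work factor that slows offline guessing

# Constructed stand-in for a cracker's word list; a real deployment would load
# a large dictionary and a leaked-password corpus.
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "monkey", "dragon"}


def password_meets_policy(password):
    """Length, all four character classes, and not a dictionary word."""
    classes = [
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ]
    # Strip digits and punctuation so "Dragon1!" is still caught as a dictionary word.
    core = "".join(c for c in password if c.isalpha()).lower()
    return len(password) >= MIN_LENGTH and all(classes) and core not in COMMON_WORDS


def hash_password(password, salt=None):
    """Salted, slow one-way hash: a stolen hash cannot be looked up in a rainbow
    table because every account uses a different salt."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


class AccountStore:
    def __init__(self):
        self.accounts = {}
        self._decoy_salt = os.urandom(16)

    def create(self, user, password):
        if not password_meets_policy(password):
            raise ValueError("password does not meet policy")
        salt, digest = hash_password(password)
        self.accounts[user] = {"salt": salt, "hash": digest, "failures": 0, "locked": False}

    def login(self, user, password):
        """Returns 'ok', 'denied' or 'locked'. Unknown users get the same answer
        and the same hashing cost as wrong passwords, so the response cannot be
        used to enumerate valid account names."""
        acct = self.accounts.get(user)
        if acct is None:
            hash_password(password, self._decoy_salt)
            return "denied"
        if acct["locked"]:
            return "locked"
        _, digest = hash_password(password, acct["salt"])
        if hmac.compare_digest(digest, acct["hash"]):
            acct["failures"] = 0
            return "ok"
        acct["failures"] += 1
        if acct["failures"] >= MAX_FAILURES:
            acct["locked"] = True
            return "locked"
        return "denied"


if __name__ == "__main__":
    store = AccountStore()
    store.create("alice", "Tr0ub4dor&3")
    for guess in ["password", "letmein", "dragon", "qwerty", "monkey"]:
        print(guess, "->", store.login("alice", guess))
    print("correct password after lockout ->", store.login("alice", "Tr0ub4dor&3"))
```

The lockout stops online guessing against one account; the slow salted hash is what matters once the password file itself has been captured, since the attacker then runs the guesses offline with no lockout in the way.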
  19. Privilege Escalation

    Privilege escalation can be the accidental assignment of too high a permission set to a user or group of users. It can also be the result of bugs or back doors left in an application. When creating a software program, developers will occasionally leave a back door in the program that allows them to become a root user should they need to fix something during the debugging phase. After debugging is done and before the software goes live, these abilities are removed. If a developer forgets to remove the back door in the live version and the method of accessing them gets out, it leaves the ability for a miscreant to take advantage of the system.
  20. Identifying TCP/IP Security Concerns

    You could say that the ease of connectivity TCP/IP offers is one of the most significant difficulties a security professional faces. Virtually all large networks, including the Internet, are built on the TCP/IP protocol suite. TCP/IP was designed to connect disparate computer systems into a robust and reliable network with capabilities and support for many different protocols. Unfortunately, a downside that comes with being an easy-to-use, well-documented network that has been around for many years is numerous holes. You can easily close most of these holes in your network, but you must first know about them. The four layers of TCP/IP have unique functions and methods for accomplishing work. Each layer talks to the layers that reside above and below it. Each layer also has its own rules and capabilities.

    The TCP/IP architecture protocol layers
  21. Working with the TCP/IP Suite: The Application Layer

    The Application layer is the highest layer of the suite. It allows applications to access services or protocols to exchange data. Most programs, such as web browsers, interface with TCP/IP at this level. The most commonly used Application layer protocols are as follows:
    - Hypertext Transfer Protocol (HTTP) is the protocol that is used by a web browser to communicate with web servers.
    - File Transfer Protocol (FTP) is a common application used to transfer files between hosts on the Internet.
    - Simple Mail Transfer Protocol (SMTP) is the standard protocol used for sending e-mail messages.
    - Telnet is a terminal emulation protocol that provides a remote logon to another host over the network.
    - Domain Name Service (DNS) allows hosts to resolve hostnames to an IP address.
    - Routing Information Protocol (RIP) allows routing information to be exchanged between routers on an IP network.
    - Simple Network Management Protocol (SNMP) is an Application layer protocol whose purpose is to collect statistics from TCP/IP devices. Most routers, bridges, and intelligent hubs can communicate using SNMP.
    - Post Office Protocol (POP) and IMAP4 transmit e-mail between the e-mail client and the e-mail server.
  22. Working with the TCP/IP Suite: The Transport Layer

    The Transport layer provides the Application layer with session and datagram communications services. TCP and the User Datagram Protocol (UDP) operate at this layer. These two protocols provide a huge part of the functionality of the TCP/IP network:
    - TCP is responsible for providing a reliable one-to-one, connection-oriented persistent session. TCP establishes a connection and ensures reliable data transfer through sequencing and acknowledgements. When the session ends, the connection is broken.
    - UDP provides an unreliable, connectionless communication method between hosts. UDP is considered a best-effort protocol, but it’s considerably faster than TCP. UDP doesn’t establish a synchronized session like the kind used in TCP, and it doesn’t guarantee error-free communications. The primary purpose of UDP is to send small packets of information. The application is responsible for acknowledging the correct reception of the data.
  23. Working with the TCP/IP Suite: The Internet Layer

    The Internet layer is responsible for:
    - Routing
    - IP addressing packets
    Here are the four standard protocols of the Internet layer:
    - Internet Protocol (IP) is a routable protocol, and it’s responsible for IP addressing. IP only routes information; it doesn’t verify it for accuracy. IP determines if a destination is known and, if so, routes the information to that destination. If the destination is unknown, IP sends the packet to the router, which sends it on.
    - Address Resolution Protocol (ARP) is responsible for resolving IP addresses to hardware (MAC) addresses. MAC addresses are used to identify hardware devices such as a NIC.
    - Internet Control Message Protocol (ICMP) provides maintenance and reporting functions. It’s used by the Ping program. When a user wants to test connectivity to another host, they can enter the PING command with the IP address, and the user’s system will test connectivity to the other host’s system. If connectivity is good, ICMP will return data to the originating host. ICMP will also report if a destination is unreachable. Routers and other network devices report path information between hosts with ICMP.
    - Internet Group Management Protocol (IGMP) is responsible primarily for managing IP multicast groups. IP multicasts can send messages or packets to a specified group of hosts.
  24. Working with the TCP/IP Suite: The Network Interface Layer

    The lowest level of the TCP/IP suite is the Network Interface layer. This layer is responsible for placing and removing packets on the physical network through communications with the network adapters in the host. This process allows TCP/IP to work with virtually any type of network topology or technology with little modification. If a new physical network topology were installed—say, a 10GB Fiber Ethernet connection—TCP/IP would only need to know how to communicate with the network controller in order to function properly. TCP/IP can also communicate with more than one network topology simultaneously. This allows the protocol to be used in virtually any environment.
  25. Understanding Encapsulation

    The encapsulation process of an e-mail message

    Encapsulation allows a transport protocol to be sent across the network and utilized by the equivalent service or protocol at the receiving host. The figure shows how e‑mail is encapsulated as it moves from the application protocols through the transport and Internet protocols. Each layer adds header information as the e‑mail moves down the layers. After it is encapsulated, the message is sent to the server. Transmission of the packet between the two hosts occurs through the physical connection in the network adapter. Notice that in the figure the message is sent via the Internet; it could have just as easily been sent locally. The e‑mail client doesn’t know how the message is delivered, and the server application doesn’t care how the message got there. This makes designing and implementing services such as e‑mail possible in a global or Internet environment.

    An e-mail message that an e-mail client sent to an e-mail server across the Internet
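The layering the slide describes, each layer prepending its own header on the way down and stripping it on the way up, as an added example in Python that is not part of the course slides. The header layouts are deliberately simplified to the few fields needed to show the idea (they are not the real TCP, IP or Ethernet formats), and the MAC addresses, IP addresses, ports and SMTP-style message are constructed for the demonstration.

```python
"""Encapsulation of an e-mail message down the TCP/IP layers and its removal
at the receiving host. Added example, not from the course slides; the header
layouts are simplified (only the fields needed to show the idea, not the real
TCP, IP or Ethernet formats) and all addresses are constructed."""
import socket
import struct

ETHERTYPE_IPV4 = 0x0800
PROTO_TCP = 6

# Simplified header layouts (network byte order):
#   Ethernet: dst MAC (6) | src MAC (6) | ethertype (2)
#   IP:       src address (4) | dst address (4) | protocol (1) | total length (2)
#   TCP:      src port (2) | dst port (2) | sequence number (4)
ETH_FMT, IP_FMT, TCP_FMT = "!6s6sH", "!4s4sBH", "!HHI"


def encapsulate(payload, src_ip, dst_ip, src_port, dst_port, seq, src_mac, dst_mac):
    """Each layer prepends its own header to what the layer above handed down."""
    segment = struct.pack(TCP_FMT, src_port, dst_port, seq) + payload                 # Transport
    ip_header = struct.pack(IP_FMT, socket.inet_aton(src_ip), socket.inet_aton(dst_ip),
                            PROTO_TCP, len(segment) + struct.calcsize(IP_FMT))
    packet = ip_header + segment                                                     # Internet
    frame = struct.pack(ETH_FMT, dst_mac, src_mac, ETHERTYPE_IPV4) + packet          # Network Interface
    return frame


def decapsulate(frame):
    """The receiving host strips the headers in the opposite order; each layer
    checks its own header and never looks inside the payload it hands upward."""
    eth_len, ip_len, tcp_len = (struct.calcsize(f) for f in (ETH_FMT, IP_FMT, TCP_FMT))
    dst_mac, src_mac, ethertype = struct.unpack(ETH_FMT, frame[:eth_len])
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError("not an IPv4 frame")
    packet = frame[eth_len:]
    src_ip, dst_ip, proto, total_len = struct.unpack(IP_FMT, packet[:ip_len])
    if proto != PROTO_TCP or total_len != len(packet):
        raise ValueError("IP header does not match packet")
    segment = packet[ip_len:]
    src_port, dst_port, seq = struct.unpack(TCP_FMT, segment[:tcp_len])
    return {
        "src_mac": src_mac, "dst_mac": dst_mac,
        "src_ip": socket.inet_ntoa(src_ip), "dst_ip": socket.inet_ntoa(dst_ip),
        "src_port": src_port, "dst_port": dst_port, "seq": seq,
        "payload": segment[tcp_len:],
    }


# Constructed sample: an SMTP-style line from a mail client to a mail server.
MESSAGE = b"MAIL FROM:<alice@example.com>\r\n"
CLIENT_MAC = bytes.fromhex("020000000001")
SERVER_MAC = bytes.fromhex("020000000002")


def round_trip():
    """Encapsulate the message on the client and decapsulate it on the server."""
    frame = encapsulate(MESSAGE, "192.0.2.10", "198.51.100.25", 52000, 25, 1000,
                        CLIENT_MAC, SERVER_MAC)
    return frame, decapsulate(frame)


if __name__ == "__main__":
    frame, fields = round_trip()
    print(len(frame), "bytes on the wire for", len(MESSAGE), "bytes of e-mail")
    print(fields)
```

The mail client only ever sees MESSAGE and the server only ever sees the payload handed up by its Transport layer; neither touches the MAC or IP headers, which is the independence from the delivery path that the slide describes.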
  26. Common Network Ports (4:01) Overview of Network Ports (5:29)

    Working with Protocols and Services: Well-Known Ports

    Ports identify how a communication process occurs. A port is nothing more than a bit of additional information added to either the TCP or UDP message. This information is added in the header of the packet. The layer below it encapsulates the message with its header. Well-known ports are special addresses that allow communication between hosts. A port number is added from the originator, indicating which port to communicate with on a server. If a server has this port defined and available for use, it will send back a message accepting the request. If the port isn’t valid, the server will refuse the connection. All the ports allow access to your network; even if you establish a firewall, you must have some of these ports open if you want to provide services such as e‑mail or web services.
  27. TCP Three-Way Handshake

    TCP, which is a connection-oriented protocol, establishes a session using a three-way handshake. A host called a client originates this connection. The client sends a TCP segment, or message, to the server. This client segment includes an Initial Sequence Number (ISN) for the connection and a window size. The server responds with a TCP segment that contains its ISN and a value indicating its buffer, or window size. The client then sends back an acknowledgment of the server’s sequence number. After this occurs, the two systems communicate with each other. A server can handle many requests simultaneously. Each session has a different sequence number even though all sessions use the same port. All the communications in any given session use this sequence number to keep the sessions from becoming confused.
  28. Application Programming Interface

    Application Programming Interfaces (APIs) allow programmers to create interfaces to the protocol. When a programmer writes an application, they can call or use one of these APIs to:
    - Make the connection
    - Send or receive data
    - End the connection
    Microsoft uses an API called a Windows socket (WinSock) to interface to the protocol. It can access either TCP or UDP. A Windows socket is the combination of the IP address and the port number separated by a colon. For example, 190.10.5.1:80 would be a WinSock connection to HTTP.
  29. Recognizing TCP/IP Attacks

    Attacks on TCP/IP usually occur at the host-to-host or Internet layer, although any layer is potentially vulnerable. External attacks are somewhat limited by the devices in the network, including the router. The router blocks many of the protocols from exposure to the Internet. Some protocols, such as ARP, aren’t routable and aren’t generally vulnerable to outside attacks. Other protocols, such as SMTP and ICMP, pass through the router and are part of Internet and TCP/IP traffic. TCP, UDP, and IP are all vulnerable to attack. Any network-enabled host has access to the full array of protocols used in the network, and a computer with a network card has the ability to act as a network sniffer with the proper configuration and software.
  30. Sniffing the Network

    A network sniffer, or scanner, is a device that captures and displays network traffic. Any traffic in a particular segment is visible to all stations in that segment. In a normal networking environment, the data travels in clear text, making it easier for anyone to discover confidential information by using packet sniffers. Many advanced sniffers can reassemble packets and create entire messages, including user IDs and passwords. Computers running sniffer software must be set to promiscuous mode, in which a network adapter card captures and analyzes all forms of traffic, including that which is not addressed to that network adapter. Promiscuous mode provides a statistical picture of the network activity. Sniffers can be used both for legitimate network management functions and for stealing information off a network. An attacker could put a laptop or a portable computer in your wiring closet and attach it to your network. Unauthorized sniffers can be extremely dangerous to a network's security because they are virtually impossible to detect. Microsoft’s Systems Management Server (SMS) package includes a network sniffer. A number of sniffers, such as Wireshark, are also available online.
  31. Scanning Ports

    A scanning attack is used to identify the topology of the target network. Scanning is the process of gathering information about a network to find out vulnerabilities before attempting to commit a security breach. Also referred to as network reconnaissance, scanning involves:
    - Identifying systems on the target network
    - Verifying the TCP ports that are open
    - Verifying services a system is hosting
    - Identifying OS types
    - Identifying applications running on a target host
    A port scanner attempts to communicate with different protocols over all ports and records which ports are open to which protocols. A hacker can also use stealth scanning to determine which operating systems are being used on a network. Stealth scanning usually does not include determining which ports are open. After they know the IP addresses of your systems, external attackers can attempt to communicate with the ports open in your network, sometimes simply by using Telnet. Network mapping allows you to visually see everything that is available. The most well-known network mapper is nmap, which is free for download.
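What the reconnaissance described above looks like from the defender's side, as an added example in Python that is not part of the course slides: a port scan leaves a single source touching many distinct ports on one host within a short time, most of them denied, and that pattern can be pulled out of firewall logs. The log format, the thresholds (8 distinct ports, 5 denials, 60-second window) and the addresses are constructed for the demonstration.

```python
"""Spotting port-scan reconnaissance in firewall logs: one source touching
many distinct ports on a host within a short window. Added example, not from
the course slides; the log format, the thresholds and the addresses are
constructed for this demonstration."""
from collections import defaultdict
from datetime import datetime

# Constructed firewall log. 203.0.113.9 walks ten ports on one host in four
# seconds (most attempts denied); 192.0.2.10 is an ordinary web client.
SCAN_LOG = """\
2024-03-01T10:05:00 src=203.0.113.9 dst=198.51.100.10 dport=21 action=deny
2024-03-01T10:05:00 src=203.0.113.9 dst=198.51.100.10 dport=22 action=deny
2024-03-01T10:05:00 src=203.0.113.9 dst=198.51.100.10 dport=23 action=deny
2024-03-01T10:05:01 src=203.0.113.9 dst=198.51.100.10 dport=25 action=deny
2024-03-01T10:05:01 src=203.0.113.9 dst=198.51.100.10 dport=53 action=deny
2024-03-01T10:05:01 src=203.0.113.9 dst=198.51.100.10 dport=80 action=accept
2024-03-01T10:05:02 src=203.0.113.9 dst=198.51.100.10 dport=110 action=deny
2024-03-01T10:05:02 src=203.0.113.9 dst=198.51.100.10 dport=143 action=deny
2024-03-01T10:05:02 src=203.0.113.9 dst=198.51.100.10 dport=443 action=accept
2024-03-01T10:05:03 src=203.0.113.9 dst=198.51.100.10 dport=3389 action=deny
2024-03-01T10:05:00 src=192.0.2.10 dst=198.51.100.10 dport=443 action=accept
2024-03-01T10:05:01 src=192.0.2.10 dst=198.51.100.10 dport=443 action=accept
2024-03-01T10:05:02 src=192.0.2.10 dst=198.51.100.10 dport=80 action=accept
2024-03-01T10:05:03 src=192.0.2.10 dst=198.51.100.10 dport=443 action=accept
"""


def parse_scan_log(text):
    """Each line becomes (timestamp, src, dport, action)."""
    events = []
    for line in text.splitlines():
        ts, *pairs = line.split()
        f = dict(p.split("=", 1) for p in pairs)
        events.append((datetime.fromisoformat(ts), f["src"], int(f["dport"]), f["action"]))
    return events


def per_source_profile(events):
    """For each source: the destination ports touched, how many attempts were
    denied, and the first and last time it was seen."""
    profile = defaultdict(lambda: {"ports": set(), "denied": 0, "first": None, "last": None})
    for ts, src, dport, action in events:
        p = profile[src]
        p["ports"].add(dport)
        p["denied"] += action == "deny"
        p["first"] = ts if p["first"] is None else min(p["first"], ts)
        p["last"] = ts if p["last"] is None else max(p["last"], ts)
    return profile


def scan_suspects(events, min_ports=8, min_denied=5, window_seconds=60):
    """Sources that touched at least `min_ports` distinct ports, had at least
    `min_denied` attempts denied, and did so within `window_seconds`."""
    hits = []
    for src, p in per_source_profile(events).items():
        span = (p["last"] - p["first"]).total_seconds()
        if len(p["ports"]) >= min_ports and p["denied"] >= min_denied and span <= window_seconds:
            hits.append(src)
    return sorted(hits)


if __name__ == "__main__":
    events = parse_scan_log(SCAN_LOG)
    for src, p in per_source_profile(events).items():
        print(src, "ports:", sorted(p["ports"]), "denied:", p["denied"])
    print("scan suspects:", scan_suspects(events))
```

The denied-attempt count is what separates a scan from a busy legitimate client: a real user hits a couple of open ports repeatedly, a scanner hits many ports once each and most of them are closed.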
  32. TCP Attacks: TCP SYN or TCP ACK Flood Attack

    The TCP SYN flood, also known as a TCP ACK attack, is common. The purpose is to deny service. This attack is virtually undetectable in most environments. The attack begins as a normal TCP connection:
    - The client and server exchange information in TCP packets.
    - The TCP client sends ACK packets to the server requesting a connection.
    - The server responds with an ACK packet to the client.
    - The client responds with another packet accepting the connection, and a session is established.
  33. TCP Attacks TCP SYN or TCP ACK Flood Attack

    In this attack, the client continually sends and receives the ACK packets but doesn’t open the session. The server holds these sessions open, awaiting the final packet in the sequence. This causes the server to fill up the available sessions and deny other clients the ability to access the resources. An attacker can use an invalid IP address, and TCP won’t care because TCP will respond to any valid request presented from the IP layer. Many newer routers can track and attempt to prevent this attack by setting limits on the length of an initial session to force sessions that don’t complete to close out.
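    The router defence mentioned in the last sentence, a time limit on unfinished handshakes, can be modelled directly. The simulation below is an added example rather than anything from the slides: a table of pending handshakes with a capacity and an optional timeout, fed a constructed scenario of eight forged sources that never complete followed by one legitimate client.

```python
"""Half-open session table with a handshake timeout (added example).

Models the defence the slide describes: a server, or a router in front of it,
keeps an incomplete handshake for only a limited time, so connection attempts
from forged addresses that never finish cannot hold the available sessions
forever. The events are constructed: "open" is the packet that starts a
handshake and "complete" is the client's final packet that establishes it.
"""
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class HalfOpenTable:
    capacity: int                        # sessions available for incomplete handshakes
    timeout: Optional[float] = None      # seconds before an incomplete handshake is dropped
    pending: dict = field(default_factory=dict)   # src -> time the attempt arrived
    established: set = field(default_factory=set)

    def expire(self, now):
        """Drop handshakes that have waited longer than the timeout."""
        if self.timeout is None:
            return
        for src in [s for s, t0 in self.pending.items() if now - t0 > self.timeout]:
            del self.pending[src]

    def on_open(self, src, now):
        self.expire(now)
        if src in self.pending:
            return "duplicate"
        if len(self.pending) >= self.capacity:
            return "rejected"            # table full: legitimate clients are denied
        self.pending[src] = now
        return "pending"

    def on_complete(self, src, now):
        self.expire(now)
        if src not in self.pending:
            return "ignored"             # never opened, or already timed out
        del self.pending[src]
        self.established.add(src)
        return "established"

def replay(events, capacity, timeout):
    """Feed (kind, src, time) events through a table; return (src, outcome) pairs."""
    table = HalfOpenTable(capacity, timeout)
    results = []
    for kind, src, t in events:
        handler = table.on_open if kind == "open" else table.on_complete
        results.append((src, handler(src, t)))
    return results

# Constructed scenario: eight forged sources open a handshake at t=0 and never
# finish; a legitimate client opens at t=10 and completes at t=10.1.
FLOOD = [("open", f"203.0.113.{i}", 0.0) for i in range(1, 9)]
LEGIT = [("open", "10.0.0.5", 10.0), ("complete", "10.0.0.5", 10.1)]
EVENTS = FLOOD + LEGIT

def legit_outcome(timeout):
    """Outcomes for the legitimate client with a table of eight sessions."""
    return [r for src, r in replay(EVENTS, capacity=8, timeout=timeout) if src == "10.0.0.5"]

if __name__ == "__main__":
    print("no timeout:      ", legit_outcome(None))    # ['rejected', 'ignored']
    print("5 second timeout:", legit_outcome(5.0))     # ['pending', 'established']
```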
  34. TCP Sequence Number Attack

    TCP sequence number attacks occur when an attacker takes control of one end of a TCP session. A successful attack kicks the attacked end off the network for the duration of the session. Each time a TCP message is sent, either the client or the server generates a sequence number. The attacker intercepts and then responds with a sequence number similar to the one used in the original session, either disrupting or hijacking a valid session. The attacker effectively hijacks the session and gains access to the data from the legitimate system as well as the session privileges of the victim's system. The victim's system may get an error message indicating that it has been disconnected, or it may reestablish a new session. Your major defense against this type of attack is knowing that it's occurring. Such an attack is also frequently a precursor to a targeted attack on a server or network.
  35. TCP/IP Hijacking

    TCP/IP hijacking, or session hijacking, allows an attacker to reroute data traffic from a network device to a personal computer. The attacker can then capture and analyze the data addressed to a target system such as an IP address. The attacker then inserts another machine with the same IP address and uses it to gain authorization and access to critical resources and user credentials, such as passwords, and access to critical systems. TCP/IP hijacking, also called active sniffing, involves the attacker gaining access to a host in the network and logically disconnecting it from the network. This can occur due to the TCP three-way handshake. The attacker then inserts another machine with the same IP address. This happens quickly and gives the attacker access to the session and to all of the information on the original system. The server will not know this has occurred and will respond as if the client is trusted. As with a sequence number attack, there is little you can do to counter the threat. Fortunately, these attacks require fairly sophisticated software and are harder to engineer than a DoS attack such as a TCP SYN attack. One of the symptoms of a TCP/IP hijacking attack may be the unavailability of a TCP/IP address when the system is started.
  36. UDP Attacks

    A UDP attack attacks either a maintenance protocol or a UDP service in order to overload services and initiate a DoS situation. UDP packets aren’t connection oriented and don’t require the synchronization process of TCP. UDP, like TCP, doesn’t check the validity of IP addresses. The nature of this layer is to trust the layer below it, the IP layer. Common UDP attacks involve UDP flooding, in which large streams of UDP packets are focused at a target, causing UDP services on that host to shut down. UDP floods also overload the network bandwidth and cause a DoS situation to occur. ICMP attacks occur by triggering a response from the ICMP protocol when it responds to a seemingly legitimate maintenance request. ICMP, part of the IP level of the protocol suite, supports maintenance and reporting in a TCP/IP network. Several programs, including PING, use the ICMP protocol. Until fairly recently, ICMP was regarded as a benign protocol that was incapable of very much damage. It has now joined the ranks of protocols used in common attack methods for DoS attacks. Two primary methods use ICMP to disrupt systems: smurf attacks and ICMP tunneling.
  37. UDP Attacks

    A smurf attack uses IP spoofing and broadcasting to send a PING to a group of hosts in a network. When a host is pinged, it sends back ICMP message traffic information indicating status to the originator. If a broadcast is sent to a network, all of the hosts will answer back to the ping. The result of this is an overload of the network and the target system. To initiate a smurf attack, a hacker sends ICMP messages from a computer outside a network with a spoofed IP address of a computer inside the network. The ICMP message is broadcast on the network, and the hosts on the network attempt to reply to the spurious ICMP message. This causes a denial of service because computers are busy responding to the ICMP messages. The IP spoofing part of a smurf attack can be countered by configuring a router to ensure that messages with IP addresses inside the network originate on the private network side of the router.

    ICMP Tunneling

    ICMP messages can contain data about timing and routes. A packet can be used to hold information that is different from the intended information. This allows an ICMP packet to be used as a communications channel between two systems. The channel can be used to send a Trojan horse or other malicious packet. The countermeasure for ICMP attacks is to deny ICMP traffic through your network. You can disable ICMP traffic in most routers, and you should consider doing so in your network.
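    The router countermeasure for smurf attacks given above (an inside address must originate on the private side) is a small decision rule, written out here as an added example that is not part of the slides. It assumes a constructed private network of 192.168.10.0/24 and two interfaces named "external" and "internal", and it goes one step beyond the slide by also refusing to forward a broadcast PING and by dropping outbound packets that do not carry one of the network's own addresses.

```python
"""Router ingress/egress rules against smurf traffic (added example).

Implements the countermeasure the slide gives, that a message carrying an
address inside your network must originate on the private side of the router,
and adds the two checks that round it out: drop echo requests aimed at the
network's broadcast address, and drop outbound packets whose source is not one
of your own addresses. The network, interface names and packets are constructed.
"""
import ipaddress

INTERNAL_NET = ipaddress.ip_network("192.168.10.0/24")  # assumed private side

def filter_packet(iface, src, dst, proto, icmp_type=None):
    """Decide one packet: returns ("drop", reason) or ("accept", None).

    iface is "external" (Internet side) or "internal" (private side);
    icmp_type 8 is an ICMP echo request, i.e. a PING.
    """
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    # Anti-spoofing: an inside address never arrives from the outside.
    if iface == "external" and src_ip in INTERNAL_NET:
        return ("drop", "inside source address arriving on external interface")
    # Egress check: what we send out must carry one of our own addresses,
    # so our network cannot be used as the forged source against others.
    if iface == "internal" and src_ip not in INTERNAL_NET:
        return ("drop", "outside source address leaving internal interface")
    # Smurf amplification needs a broadcast PING; refuse to forward one.
    if proto == "icmp" and icmp_type == 8 and dst_ip == INTERNAL_NET.broadcast_address:
        return ("drop", "echo request to network broadcast address")
    return ("accept", None)

# Constructed packets: (iface, src, dst, proto, icmp_type)
SAMPLE_PACKETS = [
    ("external", "192.168.10.7", "192.168.10.255", "icmp", 8),  # forged inside source
    ("external", "198.51.100.4", "192.168.10.255", "icmp", 8),  # broadcast ping from outside
    ("external", "198.51.100.4", "192.168.10.20", "icmp", 8),   # ordinary ping to one host
    ("internal", "10.9.9.9", "203.0.113.1", "udp", None),       # forged source leaving
    ("internal", "192.168.10.7", "203.0.113.1", "tcp", None),   # normal outbound traffic
]

def decisions(packets=SAMPLE_PACKETS):
    """Return the verdict ("drop" or "accept") for each sample packet, in order."""
    return [filter_packet(*p)[0] for p in packets]

if __name__ == "__main__":
    for pkt in SAMPLE_PACKETS:
        verdict, reason = filter_packet(*pkt)
        print(f"{pkt[0]:8} {pkt[1]:>14} -> {pkt[2]:<15} {verdict}", reason or "")
```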
  38. Malware Overview (8:46)

    Understanding Software Exploitation

    A software exploitation attack attempts to exploit weaknesses in software. A common attack attempts to communicate with an established port to gain unauthorized access.

    Database exploitation

    Many database products allow sophisticated access queries to be made in the client/server environment. If a client session can be hijacked or spoofed, the attacker can formulate queries against the database that disclose unauthorized information. For this attack to be successful, the attacker must first gain access to the environment through one of the attacks outlined previously.

    Application exploitation

    A macro virus is a set of programming instructions in a language such as VBScript that commands an application to perform illicit actions. The macro virus takes advantage of the power offered by word processors, spreadsheets, or other applications. This exploitation is inherent in the product, and all users are susceptible to it unless they disable all macros.

    E‑mail exploitation

    Modern e‑mail clients offer many shortcuts, lists, and other capabilities to meet user demands. A popular exploitation of e‑mail clients involves accessing the client address book and propagating viruses. There is virtually nothing a client user can do about these exploitations, although antivirus software that integrates with your e‑mail client does offer some protection.

    Anti-Malware Best Practices (11:03)
  39. Adware and Spyware (6:41)

    Understanding Software Exploitation

    Spyware

    Spyware often uses third-party tracking cookies to collect and report on a user's activities to the spyware programmer without notifying the user. Spyware is associated with behaviors such as advertising, collecting personal information, or changing your computer configuration without appropriately obtaining prior consent. Not all spyware is adware, and not all adware is spyware:
    - Spyware requires that your activities are monitored and tracked.
    - Adware requires that advertisements are displayed.
    Spyware is NOT self-replicating. Microsoft OSs are most affected by spyware, and Microsoft has released Microsoft AntiSpyware to combat the problem. Spyware-eliminator programs can scan your machine, similarly to how antivirus software scans for viruses. Keep antispyware programs updated and regularly run scans.
  40. Rootkits (5:43)

    Understanding Software Exploitation

    Rootkits

    Rootkits are software programs that can be installed on a computer mainly for the purpose of compromising the system and getting escalated privileges such as administrative rights. They have the ability to hide certain things from the operating system, such as processes or connections that are running on a computer. The hacker first gains access to a single system and then uploads the rootkit to the hacked system. Rootkits have also been known to use encryption to protect outbound communication and to piggyback on commonly used ports to communicate without interrupting other applications that use that port. Rootkit functionality requires full administrator rights. Therefore, you can avoid rootkit infection by running Windows from an account with lesser privileges. Rootkit analyzers detect rootkits that are running on a computer. Within any search engine, you can find a rootkit analyzer for your system, including Spybot, Spyware Doctor, and AdAware.

    Adware is a software application that displays advertisements while the application is executing. Some adware is also spyware if it monitors your Internet usage and personal information. Some adware will even allow credit card information theft.
  41. Understanding Software Exploitation

    Files with the following extensions should not be allowed as e-mail attachments:
    - .bat – batch files are executable and should not be allowed
    - .com
    - .exe – exe files are executable and should not be allowed
    - .hlp
    - .pif – pif is a type of file that allows legacy executable programs to run and should not be allowed
    - .scf – no legitimate user should be sending screensavers via e‑mail to your users
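    A gateway rule that enforces the list above has to look past the obvious name, since the final extension is what the operating system acts on. The policy check below is an added example (not the course's code); the attachment names are constructed and the block list is the one from the slide.

```python
"""Attachment-name policy for an e-mail gateway (added example).

Applies the extension block list from the slide and handles the disguises
that defeat a naive check: upper-case names, a double extension such as
"invoice.pdf.exe", a trailing dot or space that Windows strips on save, and
a directory prefix smuggled into the name. Names below are constructed.
"""
import posixpath

BLOCKED_EXTENSIONS = {".bat", ".com", ".exe", ".hlp", ".pif", ".scf"}

def check_attachment(filename):
    """Return (allowed, reason). The reason explains a rejection."""
    # Drop any path component and the trailing dots/spaces Windows ignores.
    name = posixpath.basename(filename.replace("\\", "/")).rstrip(". ")
    stem, ext = posixpath.splitext(name)
    ext = ext.lower()
    if ext in BLOCKED_EXTENSIONS:
        # A second extension underneath means the sender tried to make an
        # executable look like a document; say so in the reason.
        _, inner = posixpath.splitext(stem)
        if inner:
            return (False, f"blocked type {ext} disguised as {inner.lower()}")
        return (False, f"blocked type {ext}")
    return (True, "")

def filter_attachments(names):
    """Split a message's attachment names into (allowed, rejected) lists,
    where rejected holds (name, reason) pairs."""
    allowed, rejected = [], []
    for name in names:
        ok, reason = check_attachment(name)
        if ok:
            allowed.append(name)
        else:
            rejected.append((name, reason))
    return allowed, rejected

# Constructed attachment names covering the cases a naive check misses
SAMPLE_NAMES = [
    "quarterly-report.pdf",   # ordinary document, allowed
    "SETUP.EXE",              # upper case
    "invoice.pdf.exe",        # double extension
    "notes.bat.",             # trailing dot
    "..\\patch\\update.pif",  # path smuggled into the name
    "README",                 # no extension at all
]

if __name__ == "__main__":
    ok, bad = filter_attachments(SAMPLE_NAMES)
    print("allowed:", ok)
    for name, reason in bad:
        print(f"rejected {name!r}: {reason}")
```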
  42. Understanding OVAL and Surviving Malicious Code

    Open Vulnerability and Assessment Language (OVAL) is a standard written in XML that provides open and publicly available security content. Its purpose is to standardize information between different security tools. OVAL is intended as an international language for representing vulnerability information using an XML schema for expression, allowing tools to be developed to test for identified vulnerabilities in the OVAL repository. Within US government agencies, vulnerabilities may be discussed using OVAL, which is sponsored by the Department of Homeland Security's National Cyber Security Division (NCSD). Malicious code refers to a broad category of software threats to your network and systems, including viruses, Trojan horses, bombs, and worms. When successful, these attacks can be devastating to systems, and they can spread through an entire network.
  43. Viruses and Worms (9:30)

    Viruses

    A virus is a program or piece of code that runs on your computer without your knowledge. It is designed to attach itself to other code and replicate. It replicates when an infected file is executed or launched. A virus may also damage the data on your hard disk, destroy your operating system, and possibly spread to other systems. Some viruses won't damage a system, in an attempt to spread into all the other systems in a network; these viruses use that system as the carrier of the virus. A boot sector virus is placed into the first sector of the hard drive so that when the computer boots, the virus loads into memory. Viruses get into your computer in one of three ways:
    - On contaminated media (floppy, USB drive, or CD-ROM)
    - Through e‑mail and peer-to-peer sites
    - As part of another program
    Viruses can be classified as polymorphic, stealth, retroviruses, multipartite, armored, companion, phage, and macro viruses. Each type of virus has a different attack strategy and different consequences.
  44. Symptoms of a Virus Infection

    You should look for some of the following symptoms when determining if a virus infection has occurred:
    - The programs on your system start to load more slowly. This happens because the virus is spreading to other files in your system or is taking over system resources.
    - Unusual files appear on your hard drive, or files start to disappear from your system. Many viruses delete key files in your system to render it inoperable.
    - Program sizes change from the installed versions. This occurs because the virus is attaching itself to these programs on your disk.
    - Your browser, word processing application, or other software begins to exhibit unusual operating characteristics. Screens or menus may change.
    - The system mysteriously shuts itself down or starts itself up and does a great deal of unanticipated disk activity.
    - You mysteriously lose access to a disk drive or other system resources. The virus has changed the settings on a device to make it unusable.
    - Your system suddenly doesn't reboot or gives unexpected error messages during startup.
  45. How Viruses Work

    A virus, in most cases, tries to accomplish one of two things:
    - Render your system inoperable
    - Spread to other systems
    Many viruses will spread to other systems given the chance and then render your system unusable. If your system is infected, the virus may try to attach itself to every file in your system and spread each time you send a file or document to other users. When you give removable media to another user or put it into another system, you then infect that system with the virus.

    [Figure: A virus spreading from an infected system either through a network or by removable media]
  46. How Viruses Work

    Many newer viruses spread using e‑mail. The infected system attaches a file to an e‑mail sent to another user. The recipient opens the file, and the virus infects the target system. The virus might then attach itself to all the e‑mails the newly infected system sends, in turn infecting the recipients of those e‑mails.

    [Figure: An e-mail virus spreading geometrically to other users]
  47. Types of Viruses Armored Virus

    An armored virus is designed to make itself difficult to detect or analyze. Armored viruses will cover themselves with "protective code" that stops debuggers or disassemblers from examining critical elements of the virus. The virus may be written in such a way that some aspects of the programming act as a decoy to distract analysis while the actual code hides in other areas in the program. An armored virus is designed to hide the signature of the virus behind code that confuses the antivirus software or blocks it from detecting the virus. The key to stopping most viruses is to identify them quickly and educate administrators about them; the armor makes both of these harder to accomplish.
  48. Types of Viruses Companion Virus

    A companion virus attaches itself to legitimate programs and then creates a program with a different file extension. This file may reside in the temporary directory of your system. When the user types the name of the legitimate program, the companion virus executes instead of the real program. This effectively hides the virus from the user. Many of the viruses that are used to attack Windows systems make changes to program pointers in the Registry so that they point to the infected program. The infected program may perform its dirty deed and then start the real program.
  49. Types of Viruses Macro Virus

    Macro viruses are programs written in Word Basic, Visual Basic, or VBScript. Macro viruses are platform independent and pose a major threat because their underlying language is simple, so they are easy to develop. Macro viruses can infect files that are written in the same language as the macro virus is written in. They do not rely on the size of the packet. A macro virus exploits the enhancements made to many application programs. Programs such as Word or Excel allow programmers to expand the capability of the application. Word, for example, supports a mini-BASIC programming language that allows files to be manipulated automatically. These programs in the document are called macros. A macro can tell your word processor to spellcheck your document automatically when it opens. Macro viruses are typically used with Microsoft Office products. Macro viruses written in Visual Basic for Applications almost exclusively affect operating systems. Macro viruses can infect all of the documents on your system and spread to other systems using mail or other methods. Macro viruses are the fastest growing exploitation today.
  50. Types of Viruses Multipartite Virus

    A multipartite virus is a hybrid of boot and program viruses. A multipartite virus attacks your system in multiple ways: it can infect both executable files and boot sectors of hard disk drives. The multipartite virus resides in memory and then infects the boot sectors and executable files of the computer. The hope is that you will not be able to correct all of the problems and will allow the infestation to continue.

    [Figure: A multipartite virus commencing an attack on a system]
  51. Types of Viruses Phage Virus

    A phage virus modifies and alters other programs and databases. The virus infects all of these files. The only way to remove this virus is to reinstall the programs that are infected. If you miss even a single incident of this virus on the victim system, the process will start again and infect the system.
  52. Types of Viruses Polymorphic Virus

    Polymorphic viruses change form in order to avoid detection. These types of viruses attack your system, display a message on your computer, and delete files on your system. The virus will attempt to hide from your antivirus software. A polymorphic virus produces different operational copies of itself to ensure that in the event of an antivirus detection, only a few copies are caught. When the virus does this, it is referred to as mutation. A polymorphic virus is also capable of implementing encryption routines that require different decryption routines, to avoid detection.

    [Figure: The polymorphic virus changing its characteristics]
  53. Types of Viruses Retrovirus

    A retrovirus attacks or bypasses anti-virus software. Retroviruses even attack the anti-virus program to destroy the virus definitions or to create bypasses for itself. Destroying this information without your knowledge would leave you with a false sense of security. Retroviruses are often referred to as anti-antiviruses. They can render your antivirus software unusable and leave you exposed to other, less-formidable viruses.
  54. Types of Viruses Stealth Virus

    [Figure: A stealth virus hiding in a disk boot sector]

    A stealth virus will attempt to avoid detection by masking itself from applications. It may attach itself to the boot sector of the hard drive. When a system utility or program runs, the stealth virus redirects commands around itself in order to avoid detection. A stealth virus hides the changes it makes to system files and boot records, making it difficult for antivirus software to detect its presence. A stealth virus keeps a copy of a file before infecting it and presents the original copy to the monitoring software. The stealth virus modifies the actual file and makes it difficult to detect the presence of the virus. An infected file may report a file size different from what is actually present in order to avoid detection.
  55. Types of Viruses Self-garbling Virus

    A self-garbling virus can hide itself from antivirus software by manipulating its own code. When a self-garbling virus spreads, it jumbles and garbles its own code to prevent the antivirus software from detecting its presence. A small part of the virus code later decodes the jumbled part to obtain the rest of the virus code to infect the system. The ability of the self-garbling virus to format its own code makes it difficult for an antivirus to detect its presence.
  56. Hoaxes (4:24)

    Identifying Hoaxes

    Hoax messages may warn of emerging threats that do not exist. They might instruct users to delete certain files to ensure their security against a new virus, while actually only rendering the system more susceptible to later viral agents. Besides issues such as loss of functionality or security vulnerabilities, hoaxes also use system resources and consume users' time. This results in lost productivity and an undue burden on the organization's resources, especially if many employees respond.

    Spam (5:43)
  57. Trojans and Backdoors (8:52)

    Trojan Horses

    Trojans are programs disguised as useful application software but have code hidden inside that will attack your system directly or allow the system to be infiltrated by the originator of the code after it has been executed. Trojan horses may also arrive as part of an e-mail for a free game, software, or other file. When the Trojan horse activates and performs its task, it infects all of the word processing or template files. Trojans do not replicate themselves like viruses, but they can be just as destructive. A Trojan's ability to spread depends on the popularity of the software and a user's willingness to download and install the software. Trojans can perform actions without the user's knowledge or consent, such as collecting and sending data or causing the computer to malfunction. The best preventive measure is to not allow them entry into your system. Immediately before and after you install a new software program or operating system, back it up! If you suspect a Trojan horse, you can reinstall the original programs, which should delete the Trojan horse. A port scan may also reveal a Trojan horse on your system. If an application opens a TCP or UDP port that isn't regularly used in your network, you can notice this and begin corrective action.
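    Noticing "a port that isn't regularly used" presupposes a record of which ports are normal. The audit below is an added example (not from the slides) that compares a snapshot of listening ports against an approved baseline; the baseline, the program names and the snapshot lines are constructed, and the snapshot uses a simplified "proto local-address pid/program" layout rather than real netstat or ss output.

```python
"""Comparing listening ports against an approved baseline (added example).

The slide notes that a Trojan horse often reveals itself by opening a TCP or
UDP port that is not normally used on your network. This checks a snapshot
of current listeners against a baseline of approved (protocol, port) entries
and the program expected to own each one, reporting new ports and approved
ports now served by a different program. Baseline and snapshot are constructed;
the snapshot uses a simple "proto local-address pid/program" form, not real
netstat or ss output.
"""

# Approved listeners: (proto, port) -> program expected to own it (constructed)
BASELINE = {
    ("tcp", 22): "sshd",
    ("tcp", 443): "nginx",
    ("udp", 53): "named",
}

# Constructed snapshot of what the host is listening on right now
SNAPSHOT = """\
tcp 0.0.0.0:22 812/sshd
tcp [::]:443 2212/helper
udp 0.0.0.0:53 640/named
tcp 0.0.0.0:50021 2210/updater
udp 0.0.0.0:50022 2210/updater
"""

def parse_listeners(text):
    """Return (proto, port, program) for each non-empty snapshot line."""
    listeners = []
    for line in text.splitlines():
        if not line.strip():
            continue
        proto, local, owner = line.split()
        port = int(local.rsplit(":", 1)[1])      # handles 0.0.0.0:22 and [::]:443
        program = owner.split("/", 1)[1]         # "812/sshd" -> "sshd"
        listeners.append((proto, port, program))
    return listeners

def audit_listeners(snapshot=SNAPSHOT, baseline=BASELINE):
    """Return findings as (kind, proto, port, program) tuples, where kind is
    "new" for a port absent from the baseline and "changed" for an approved
    port now owned by a program other than the expected one."""
    findings = []
    for proto, port, program in parse_listeners(snapshot):
        expected = baseline.get((proto, port))
        if expected is None:
            findings.append(("new", proto, port, program))
        elif expected != program:
            findings.append(("changed", proto, port, program))
    return findings

if __name__ == "__main__":
    for kind, proto, port, program in audit_listeners():
        print(f"{kind:8} {proto}/{port} owned by {program}")
```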
  58. Logic Bombs (3:33)

    Logic Bombs

    A logic bomb is a virus or Trojan horse that is built to go off when a certain event occurs or a period of time goes by. A logic bomb notifies an attacker when a certain set of circumstances has occurred. This message informs the attacker that the user is ready for an attack and may in turn trigger an attack on your system. Notice that this bomb doesn’t begin the attack but tells the attacker that the victim has met the needed criteria or state for an attack to begin. In the attack the logic bomb sends a message back to the attacking system that it has loaded successfully. The victim system can then be used to initiate an attack such as a DDoS attack, or it can grant access at the time of the attacker’s choosing.
  59. Worms

    Worms are similar in function and behavior to a virus with the exception that worms are self-replicating. A worm is built to take advantage of a security hole in an existing application or operating system and then find other systems running the same software and automatically replicate itself to the new host. A worm is designed to multiply and propagate. Worms may carry viruses that cause system destruction, but that isn’t their primary mission. The worm may not have come from the user’s system; rather, a system with the user’s name in the address book has attacked these people. Worms can use TCP/IP, e‑mail, Internet services, or any number of means to reach their target. 
  60. Antivirus Software

    Antivirus software is an application that is installed on a system to protect it and to scan for viruses as well as worms and Trojan horses. The most common method used in an antivirus program is scanning. Scanning searches files in memory, the boot sector, and on the hard disk for identifiable virus code. Scanning identifies virus code based on a unique string of characters known as a signature. Signature files contain information about viruses, such as examples of virus code and the types of files that a virus infects. Antivirus software looks for these characteristics, or fingerprints, to identify and neutralize viruses before they impact you. Virus scanners are typically more effective against known viruses than they are against new or unknown viruses. Signature files should be periodically updated to ensure that a virus scanner has the most recent virus definitions. Antivirus software without the latest antivirus definitions is an example of a vulnerability. To provide optimum protection on the network, you should ensure that all workstations and servers have antivirus software installed on them. Users need to scan every disk, e‑mail, and document they receive before they open them.
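    Signature scanning as described above comes down to searching file contents for known byte strings. The scanner below is an added example, not the course's code or any vendor's engine: its two signatures and three sample files are harmless constructed byte strings, and the "variant" file differs from the signature by a single byte to show why out-of-date definitions miss modified samples.

```python
"""Signature scanning the way the slide describes it (added example).

A scanner compares file contents against byte strings ("signatures") from a
definitions file. The demo writes a clean file, an "infected" file, and a
variant whose bytes differ by one from the signature and is therefore missed,
which is why definitions must be kept current. Signatures and samples are
harmless constructed byte strings, not real malware.
"""
import os
import tempfile

# Constructed definitions: name -> bytes that identify the sample
SIGNATURES = {
    "Example.Test.A": bytes.fromhex("4d5a9000deadbeef0badf00d"),
    "Example.Test.B": b"CONSTRUCTED-SAMPLE-B",
}

def scan_bytes(data, signatures=SIGNATURES):
    """Names of every signature that occurs anywhere in data."""
    return sorted(name for name, sig in signatures.items() if sig in data)

def scan_file(path, signatures=SIGNATURES, chunk_size=1 << 16):
    """Scan a file chunk by chunk, carrying the last (longest signature - 1)
    bytes of each chunk forward so a signature that straddles a chunk
    boundary is still found."""
    keep = max(len(s) for s in signatures.values()) - 1
    hits = set()
    tail = b""
    with open(path, "rb") as f:
        while True:
            block = f.read(chunk_size)
            if not block:
                break
            window = tail + block
            hits.update(scan_bytes(window, signatures))
            tail = window[-keep:] if keep else b""
    return sorted(hits)

def demo(chunk_size=1 << 16):
    """Write three constructed files to a temporary directory, scan each,
    and return {label: list of signature names found}."""
    sig_a = SIGNATURES["Example.Test.A"]
    variant = sig_a[:-1] + bytes([sig_a[-1] ^ 0x01])   # one byte changed
    samples = {
        "clean": b"Just an ordinary document.\n" * 4,
        "infected": b"header" * 3 + sig_a + b"trailer" * 3,
        "variant": b"header" * 3 + variant + b"trailer" * 3,
    }
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for label, content in samples.items():
            path = os.path.join(tmp, label + ".bin")
            with open(path, "wb") as f:
                f.write(content)
            results[label] = scan_file(path, chunk_size=chunk_size)
    return results

if __name__ == "__main__":
    for label, found in demo().items():
        print(f"{label:9} -> {found or 'no signature matched'}")
```

    Running demo() with a tiny chunk size (for example 5) exercises the boundary-carrying logic and returns the same result as a single read.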
  61. Understanding Social Engineering

    Social Engineering requires nothing but human intelligence in order to carry through an attack. A skilled con man could acquire this information easily just by talking. Social Engineering is a low-tech attack because it requires minimal software and computer skills. A hacker typically uses social engineering to gain user names and passwords or sensitive documents by non-technical means, such as posing as an employee or dumpster diving. A common approach is initiated by a phone call or an e-mail from a "software vendor" telling you that they have a critical fix that must be installed on your computer system. If this patch is not installed right away, your system will crash and you will lose all of your data. For some reason, you have changed your maintenance account password and they can't log on. Your systems operator gives the password to the caller and bingo! There is such a slim chance of a social engineering attack that very often it is the last known risk to the company and is therefore ignored until it happens. Measures to effectively stay away from social engineering attacks:
    - Get qualified staff
    - Require employees to attend security awareness training
    - Don't tell anyone your password or user ID
    - Use a more complex method of authentication
    Phishing is an attempt to acquire sensitive information by masquerading as a trustworthy entity via an electronic communication, usually e-mail. Ideally, users should not be able to directly access e-mail attachments from within the e-mail application. However, the best defense is user education.

    Phishing (7:34)
  62. Introducing Auditing Processes and Files

    Most systems generate security logs and audit files of activity. These files should be periodically reviewed for unusual events. The amount and volume of information these files contain can be overwhelming. Many web servers provide message auditing, as do logon, system, and application servers. This is done to ensure that the system is running OK and isn't being attacked. Audit files and security logs often contain critical system information, including resource sharing, security status, and so on. An attacker may be able to use this information to gather more detailed data about your network. In an access attack, these files can be deleted, modified, and scrambled to prevent system administrators from knowing what happened in the system. A logic bomb could, for example, delete these files when it completes. You should periodically inspect systems to see what software is installed and whether passwords are posted on sticky notes on monitors or keyboards. You should also consider obtaining a vulnerability scanner and running it across your network. A vulnerability scanner is an application that identifies security issues on a network and offers suggestions on how to prevent the issues. One of the best-known vulnerability scanners is Nessus.
  63. The End