Networks and Security (PowerPoint presentation transcript)

  1. Networks and Security

  2. How Real is the Threat? 88% of IT staff polled in the US recently said their organizations had been affected by Internet viruses or worms in the past year, even though 90% of firms had an IT security system in place. (Information Security Magazine, 2001)

  3. Worm Threats • Nimda and Code Red generated the majority of attack activity, accounting for 63% of recorded attacks • Each worm exploited known vulnerabilities for which patches were already available • Newer "zero-day" worms hit vulnerabilities that have not yet been published • Future worms will morph, changing their code and signatures as they spread

  4. Trends • 39% of attacks appeared to be targeted at breaching a specific system or company • 61% appeared opportunistic, with the attacker scanning and exploiting whatever was found • 42% of the attacks were aimed at large corporations of 1,000 or more employees • This suggests that higher-profile corporations are bigger targets than lower-profile ones

  5. Majority of Attacks Are Launched From a Small Number of Countries • Ten countries account for 70% of attacks • 30% United States • 9% South Korea • 8% China • The largest number of attacks per IP address originated from Israel

  6. Attacks and Ports

  7. Current Attacks

  8. Most Probed Ports (the port numbers were in the slide graphic; the standard ports for the services described are given here in parentheses) • Windows NetBIOS name service (UDP 137): converts IP addresses to names for file-sharing applications; the first step in a scan for file shares • NetBIOS session service / SMB (TCP 139): the file shares themselves • HTTP (TCP 80): open whenever a web server is installed • MS-SQL Server (TCP 1433): used by remote clients to connect to and query the database

  9. Trends • The industries with the highest attack rates are: • Education • High tech • Financial services • Media/entertainment • Power and energy companies • Each averaged more than 700 attacks per company in the last six months • Power and energy companies suffered attacks from the Middle East at twice the mean of other companies • High tech and financial companies suffered attacks from Asia at a rate 50% higher than the mean for other companies

  10. Top Ten Attacks (source: Riptech) • 47.8% MS IIS Server ISAPI overflow • 25.1% (Code Red) generic root request: attack on root.exe in the /scripts directory • 23.5% MS IIS Server directory traversal attack • 17% MS IIS Server arbitrary code attack (URL encoded twice) • 16.5% (Code Red) "cmd.exe" attack • 5% Scan of port 27374 for SubSeven (2600 Magazine) • 3.8% Scan for vulnerable or mis-configured FTP servers • 2.8% Scans for RPC-enabled hosts • 1.3% Scans for ssh (exploit) • 1.2% Scans for LPD (exploit)

  11. General Types of Hackers • Script kiddies • Black hats • Network-savvy employees (insiders) • Government entities

  12. Script Kiddies • Run scripts downloaded from hacker sites • Rarely recompile to change ports or alter attack signatures • Poor resources: usually tied to an ISP account • Usually want a quick "hit" or break-in and are largely indiscriminate about targets • Leave behind lots of evidence

  13. Take Your Pick of Hacker Groups

  14. Places for Evil

  15. Know Your Enemy--Places to Visit • http://ist‑it‑ • http://hackersplayground

  16. Black Hats • Recompile others' code to change attack signatures • Write programs that may or may not be shared • Moderate resources: usually tied to an ISP but may have their own domains and domain servers • Much more cautious; attacks may be spread over weeks • Mafia organizational model: key talented hackers with high skills are generally isolated behind layers of script kiddies for protection

  17. Reconnaissance • Request a file that does not exist on a web server: the 404 error page and the HTTP Server header reveal the server software and version
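The banner grab described on this slide, as an added example that is not part of the original presentation. A local `http.server` instance with a constructed Server banner stands in for the target so the exchange runs offline; the hostname, port and banner string are assumptions for the demo, not data from the slides.

```python
"""Added example: learn a web server's software and version from its
response to a request for a path that does not exist. The target here is
a local stand-in with a constructed banner, so the demo runs offline."""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


class FakeTarget(BaseHTTPRequestHandler):
    """Stand-in web server: answers every request with 404 plus a banner.

    The banner is constructed for this demo; a real server of the period
    would advertise e.g. 'Apache/1.3.20 (Unix)' or 'Microsoft-IIS/5.0'.
    """
    banner = "Microsoft-IIS/5.0"  # constructed value

    def version_string(self):
        # BaseHTTPRequestHandler puts this value in the Server: header
        return self.banner

    def do_GET(self):
        self.send_response(404)
        self.send_header("Content-Type", "text/html")
        self.end_headers()
        self.wfile.write(b"<html><body>404 Not Found</body></html>")

    def log_message(self, *args):
        pass  # keep the demo quiet


def start_target():
    """Start the stand-in on a free loopback port; returns (server, port)."""
    srv = HTTPServer(("127.0.0.1", 0), FakeTarget)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def grab_banner(host, port, path="/does-not-exist-8f3a.html", timeout=5):
    """Request a path that does not exist; return (status, Server header or None)."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path, headers={"Host": host})
        resp = conn.getresponse()
        resp.read()  # drain the body so the connection closes cleanly
        return resp.status, resp.getheader("Server")
    finally:
        conn.close()


def parse_banner(banner):
    """Split 'Product/Version (comment)' into (product, version)."""
    if not banner:
        return None, None
    product, _, rest = banner.strip().partition("/")
    version = rest.split()[0] if rest.split() else None
    return product, version


def demo():
    """Run the exchange against the local stand-in and return what was learned."""
    srv, port = start_target()
    try:
        status, banner = grab_banner("127.0.0.1", port)
    finally:
        srv.shutdown()
        srv.server_close()
    return {"status": status, "banner": banner, "parsed": parse_banner(banner)}


if __name__ == "__main__":
    print(demo())
```

Against a real host, point `grab_banner` at its name and port 80; the 404 status is irrelevant, the Server header is the prize. Administrators can blunt this by configuring the server to send a generic or empty banner, which is why a missing header is not proof that nothing is listening.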

  18. Network-Savvy Employees • Never share or use others' code unless it is an intentional deception • Inside knowledge of the infrastructure enables a more sophisticated approach

  19. Governments • Attacks and coordinated probes may stretch over months or years and are calculated to bypass the best IDSs • Launched as part of policy • Have direct access to tier-1 Internet service providers (ISPs) or use government resources • Able to manipulate domain and WHOIS databases, root servers and Internet routing paths • May be recruited from black hats or federal agencies

  20. Nuisance Threats • These individuals may evolve from online trespass and vandalism to more criminal activity such as theft of information, extortion, and credit card fraud • In addition, this group is a pool of potential resources for more traditional criminal elements to exploit either directly or indirectly

  21. Low Level Threats • On‑line Trespass • Vandalism • Script Kiddies – compile existing hacker code • Existing vulnerabilities

  22. Malicious Threats • Launch viruses or self-propagating "bots" that harvest e-mail addresses, credit card numbers, or other valuable data • Identity theft is big business

  23. Doomsday Threats • After key financial information that can be leveraged for money • Scan likely unfriendly nations for critical infrastructure weak points • Characterized by long term stealth (not noisy) scans and probes • Access to resources • Undetectable

  24. Criminal Activity Categories • Extortion • Organized Crime • Political Groups (Terrorists) • Industrial Espionage and Sabotage • International Intrusions

  25. Criminal Activity 49% of information security professionals' companies have had personnel who have physically destroyed or stolen computing equipment, up from 42% in 2000. Industry Survey from Information Security Magazine, 2001. See

  26. Hacker Pattern Reuse • Each hacker has a “signature” for attack methodologies • It is often possible to describe each separate attacker by their trademark styles and choice of tools and exploits • Once they find a sequence or type of attack that works they use the same choice of tools each time

  27. Seven Step Attack Profile Overview. Reconnaissance is gathering information on your organization; it covers the first three steps below. • Footprinting: get the network details • Port scanning: find the actual services available • Enumeration: promising targets are identified in more detail • Gaining access: choose an informed hack/crack • Escalating privileges: elevate to system access • Pilfering: grab any interesting/profitable data • Covering tracks: hide the interloper's machine romp

  28. Profiling • Objective: gathering information about the organization • Technique: web searches, public documents, and legal databases; most public or legally available information is now available online through a web browser

  29. Sniffers Are Your Friend and Foe • Everything that reaches your machine over the data network can be seen on a sniffer: passwords, account names, social security numbers, birth dates, and other personal information • Hackers frequently use sniffers to ply their trade • Sniffers also help the good guys by catching issues that IDSs and firewall logs will miss

  30. Network Associates (NAI) Sniffer

  31. Network Associates (NAI) Sniffer • The premier network diagnostic program available to network professionals • Many hacker sniffers concentrate instead on capturing and logging targeted information such as user names, passwords and commands • dsniff is a suite of such tools: the dsniff password sniffer plus helpers such as mailsnarf, which captures e-mail messages

  32. dsniff

  33. Sniffer Exploits • Sniffers are programs that put the network interface into "promiscuous" mode through a special driver • In that mode the interface passes every frame on the local network segment up to the sniffer, not only the frames addressed to the host • On segments built from Ethernet hubs, as opposed to switches, every frame reaches every port, so the attacker can log every user's traffic on the segment

  34. dsniff – Password Sniffer • dsniff listens patiently for passwords to come along • It decodes credentials from Windows SMB/NetBIOS, IMAP, POP3, SNMP, and many other protocols that carry passwords in the clear (it does not break encryption; it parses what is sent unprotected) • If you use network diagramming and management programs like Visio, TGV (Computer Associates) and HP OpenView with the SNMP read or read-write community string, you are giving that string away to attackers
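What a dsniff-style password sniffer actually does to the traffic of slides 33 and 34, as an added example: this is not dsniff's code, and the four packets it examines are constructed for the demo (cleartext POP3 and FTP logins, an HTTP Basic authorization header, and a hand-built SNMPv1 GetRequest with the community string `public`). The port numbers and credentials are assumptions chosen to illustrate the point.

```python
"""Added example: a minimal cleartext-credential extractor in the spirit of
dsniff, run over constructed sample payloads. Protocols that send credentials
in the clear (POP3, FTP, HTTP Basic, SNMPv1/v2c community strings) give them
to anyone with a sniffer on the segment."""
import base64
import re

# Hand-built SNMPv1 GetRequest for sysName.0 (constructed, not captured).
SNMP_GETREQUEST = (
    bytes.fromhex("3029")                              # SEQUENCE, 41 bytes
    + bytes.fromhex("020100")                          #   INTEGER version = 0 (SNMPv1)
    + bytes.fromhex("0406") + b"public"                #   OCTET STRING community
    + bytes.fromhex("a01c")                            #   GetRequest PDU, 28 bytes
    + bytes.fromhex("020401020304")                    #     request-id
    + bytes.fromhex("020100") + bytes.fromhex("020100")  #   error-status, error-index
    + bytes.fromhex("300e300c06082b060102010105000500")  # varbind: sysName.0 / NULL
)

# Constructed client->server payloads as (destination port, bytes).
SAMPLE_PACKETS = [
    (110, b"USER alice\r\nPASS s3cret!\r\nSTAT\r\n"),
    (21, b"USER ftpadmin\r\nPASS ftp-pass-2001\r\nPWD\r\n"),
    (80, b"GET /admin/ HTTP/1.0\r\nHost: intranet\r\nAuthorization: Basic "
         + base64.b64encode(b"bob:hunter2") + b"\r\n\r\n"),
    (161, SNMP_GETREQUEST),
]

USER_PASS = re.compile(rb"^(USER|PASS)\s+(.+?)\r?$", re.IGNORECASE | re.MULTILINE)
BASIC_AUTH = re.compile(rb"^Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)",
                        re.IGNORECASE | re.MULTILINE)


def parse_snmp_community(data):
    """Return the community string of an SNMPv1/v2c message, or None.

    Message ::= SEQUENCE { INTEGER version, OCTET STRING community, PDU }.
    Only short-form BER lengths (< 128 bytes) are handled, which covers
    every management poll seen in practice.
    """
    try:
        if data[0] != 0x30 or data[1] & 0x80:
            return None
        pos = 2
        if data[pos] != 0x02:                 # version INTEGER
            return None
        pos += 2 + data[pos + 1]              # skip tag, length and value
        if data[pos] != 0x04:                 # community OCTET STRING
            return None
        length = data[pos + 1]
        return data[pos + 2:pos + 2 + length].decode("ascii", "replace")
    except IndexError:
        return None                           # truncated packet


def extract_credentials(packets):
    """Return (protocol, username, secret) tuples found in cleartext payloads."""
    found = []
    for port, payload in packets:
        if port in (21, 110):                 # FTP and POP3 share the USER/PASS dialogue
            proto = "ftp" if port == 21 else "pop3"
            fields = {k.upper(): v for k, v in USER_PASS.findall(payload)}
            if b"USER" in fields and b"PASS" in fields:
                found.append((proto, fields[b"USER"].decode(), fields[b"PASS"].decode()))
        elif port == 80:                      # HTTP Basic is only base64, not encryption
            for token in BASIC_AUTH.findall(payload):
                user, _, pw = base64.b64decode(token).partition(b":")
                found.append(("http-basic", user.decode(), pw.decode()))
        elif port == 161:
            community = parse_snmp_community(payload)
            if community is not None:
                found.append(("snmp", "<community>", community))
    return found


if __name__ == "__main__":
    for cred in extract_credentials(SAMPLE_PACKETS):
        print(cred)
```

On a live network the payloads would come from a promiscuous-mode capture (libpcap) reassembled per TCP stream; the parsing is the same. The SNMP case is the one the slide warns about: the community string is an OCTET STRING a few bytes into every poll a management station sends, so any sniffer on the path to a switch or router gets the read or read-write credential for free.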

  35. Sniffer Defenses • Ethernet switches are not a security panacea • Flooding the switch with frames from bogus source MAC addresses fills its bridge (CAM) table, after which the switch does one of two things: • About 30% of the time it fails open and starts forwarding ALL packets to ALL ports (hub behavior), so the attacker can sniff again • About 70% of the time the switch crashes
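Why MAC flooding gives an attacker hub behaviour, as an added example not taken from the slides: a toy model of a learning switch with a bounded, aging forwarding table. The table size, port numbers, MAC addresses and timings are constructed for the demo (real tables hold thousands of entries, but a full one behaves the same way); only the fail-open case is modelled, not the crash the slide also describes.

```python
"""Added example: simulate a switch whose forwarding (CAM) table has been
filled by an attacker's bogus source MACs. Once the table is full and the
victim's entry has aged out, frames for the victim are flooded to every port,
including the attacker's."""


class Switch:
    """Toy model of a learning switch with a bounded, aging forwarding table."""

    def __init__(self, ports, table_size, aging_time=300):
        self.ports = list(ports)
        self.table_size = table_size      # constructed; real tables hold thousands
        self.aging_time = aging_time      # seconds; 300 is a common default
        self.cam = {}                     # MAC -> (port, last seen)

    def _expire(self, now):
        stale = [m for m, (_, seen) in self.cam.items() if now - seen > self.aging_time]
        for m in stale:
            del self.cam[m]

    def _learn(self, mac, port, now):
        # A full table silently refuses new entries; it does not evict old ones.
        if mac in self.cam or len(self.cam) < self.table_size:
            self.cam[mac] = (port, now)

    def forward(self, src, dst, in_port, now):
        """Return the list of ports the frame is sent out of."""
        self._expire(now)
        self._learn(src, in_port, now)
        if dst in self.cam:
            return [self.cam[dst][0]]
        # Unknown destination: flood to every port except the ingress port.
        return [p for p in self.ports if p != in_port]


def mac_flood(switch, attacker_port, count, now):
    """Attacker emits frames from `count` bogus source MACs (what macof does)."""
    for i in range(count):
        bogus = "02:00:00:%02x:%02x:%02x" % ((i >> 16) & 0xFF, (i >> 8) & 0xFF, i & 0xFF)
        switch.forward(bogus, "ff:ff:ff:ff:ff:ff", attacker_port, now)


def demo():
    """Alice (port 1) talks to a server (port 2); the attacker sits on port 3."""
    alice, server = "00:00:00:00:00:01", "00:00:00:00:00:02"   # constructed
    sw = Switch(ports=[1, 2, 3], table_size=4)

    sw.forward(server, alice, in_port=2, now=0)      # switch learns the server
    sw.forward(alice, server, in_port=1, now=0)      # switch learns Alice
    before = sw.forward(alice, server, in_port=1, now=1)   # unicast: only port 2

    # Minutes later the idle entries have aged out; the attacker keeps the
    # table full of junk so they can never be re-learned.
    mac_flood(sw, attacker_port=3, count=10, now=350)
    after = sw.forward(alice, server, in_port=1, now=360)  # flooded: ports 2 and 3

    return {"before": before, "after": after, "table_entries": len(sw.cam),
            "attacker_sees_traffic": 3 in after}


if __name__ == "__main__":
    print(demo())
```

The model shows the detail that makes the attack work in practice: flooding does not push legitimate entries out, it stops them from being re-learned after they age, which is why tools like macof keep flooding continuously rather than sending one burst.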

  36. Sniffer Defense • Monitor your switch reboots with the Simple Network Management Protocol (SNMP) • Send SNMP "traps" to your central security monitoring console when switches reboot or report bridge-table "full" error events • It is also very valuable to centrally log switch and router SNMP authenticationFailure traps, which report failed SNMP logins (wrong community string); a burst of them from one address usually means someone is guessing community strings
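The central-logging idea on this slide turned into detection logic, as an added example that is not part of the presentation. It runs over constructed syslog lines written in the Cisco IOS message style (hostnames, addresses and timestamps are invented for the demo) and raises one alert when SNMP authentication failures from a single source cross a threshold inside a sliding window, plus one alert for every switch restart.

```python
"""Added example: alert on SNMP community-string guessing and on switch
restarts from centrally logged switch/router messages. The log lines are
constructed samples in Cisco IOS syslog style, not a real capture."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_LINES = """\
Mar  3 10:15:01 sw-core-1 %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 10.1.2.3
Mar  3 10:15:02 sw-core-1 %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 10.1.2.3
Mar  3 10:15:03 sw-core-1 %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 10.1.2.3
Mar  3 10:15:04 sw-core-1 %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 10.1.2.3
Mar  3 10:15:05 sw-core-1 %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 10.1.2.3
Mar  3 10:20:10 sw-edge-7 %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 10.9.0.4
Mar  3 10:31:44 sw-edge-7 %SYS-5-RESTART: System restarted --
Mar  3 10:40:00 sw-core-1 %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.0.5)
"""

# "<month> <day> <time> <host> %<FACILITY>-<severity>-<MNEMONIC>: <text>"
LINE = re.compile(r"^(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (\S+) %([A-Z0-9_]+-\d-[A-Z0-9_]+): (.*)$")
SRC = re.compile(r"from host (\d+\.\d+\.\d+\.\d+)")


def parse(line, year=2002):
    """Parse one syslog line into a dict, or None if it is not in the expected shape."""
    m = LINE.match(line)
    if not m:
        return None
    stamp, host, mnemonic, msg = m.groups()
    # syslog timestamps carry no year; the caller supplies it
    when = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
    src = SRC.search(msg)
    return {"time": when, "host": host, "mnemonic": mnemonic,
            "msg": msg, "src": src.group(1) if src else None}


def detect(lines, threshold=3, window=timedelta(minutes=5)):
    """Return (alert, host, source, time) tuples for the conditions the slide calls out."""
    events = [e for e in (parse(l) for l in lines.splitlines()) if e]
    alerts = []
    failures = defaultdict(list)          # (device, source IP) -> failure times
    for e in events:
        if e["mnemonic"] == "SNMP-3-AUTHFAIL" and e["src"]:
            times = failures[(e["host"], e["src"])]
            times.append(e["time"])
            while times and e["time"] - times[0] > window:   # sliding window
                times.pop(0)
            if len(times) == threshold:   # alert once, when the threshold is crossed
                alerts.append(("snmp-community-guessing", e["host"], e["src"], e["time"]))
        elif e["mnemonic"] == "SYS-5-RESTART":
            # An unexplained restart is exactly what a MAC-flood crash looks like.
            alerts.append(("switch-restart", e["host"], None, e["time"]))
    return alerts


if __name__ == "__main__":
    for alert in detect(LOG_LINES):
        print(alert)
```

The single failure from `10.9.0.4` stays below the threshold, which is the kind of noise a management station produces when someone fat-fingers a community string; five in five seconds from `10.1.2.3` is a guessing tool. The same logic applies unchanged to SNMP traps once the collector writes them to syslog.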

  37. Sniffer Defense • @stake (which absorbed L0pht) makes a sniffer "detector", AntiSniff, available for trial and sale • A host running a promiscuous-mode driver must process every frame on the segment, so under load it answers network requests noticeably more slowly than its neighbours • AntiSniff flags hosts on the local network from these response-time delays (and from other tells, such as a host doing reverse DNS lookups on addresses it has no reason to talk to)

  38. L0pht (@stake) AntiSniff

  39. Footprinting • Objective: get the address range, namespace details, contacts, and reverse-domain information • Technique: open-source information, DNS, iterative reverse DNS lookups or zone transfers • Tools: nslookup, dig, whois, ARIN whois, etc.; plain old HTTP lookups on a favourite search engine (Google, AltaVista)

  40. Footprinting • whois • nslookup • Department of Defense • RIPE • APNIC • Web search engines • Google

  41. Domain Name Service (DNS) • The Domain Name System (DNS) maps human-readable names, organized as a hierarchical directory, to the IP addresses that applications actually use • DNS servers are also called name servers

  42. Domain Name Services (DNS) • DNS servers load forward and reverse zones from text files that contain the domain's entries • Forward zones hold resource records: • "A" records for IP addresses • HINFO records for hardware and operating-system information • CNAME (canonical name) records for aliases • MX (mail exchange) records for e-mail • Reverse zones hold PTR records that map addresses back to names

  43. Whois Domain Lookup


  45. DNS Exploit – Information Grabbing • Programs like Sam Spade and whois reveal an enormous amount of information about your company's Internet connections, managers, and administrative contacts

  46. Sam Spade

  47. Sam Spade

  48. Sam Spade

  49. DNS Exploit – Information Grabbing Defense • Use two DNS servers, one inside your network and one outside. This is called the "split" domain name server architecture. • By blocking outside access to the inside name server, which holds all the network information, the inner host information is hidden from interlopers • Allow only the most essential information to be available to the general Internet • Secure the servers the Internet "knows about"

  50. “Split” Domain Servers
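The zone records of slide 42 and the split-DNS defense of slides 49 and 50, worked through in one added example that is not part of the presentation. It parses a constructed internal zone file for an invented domain (`example.com`, with 192.0.2.0/24 standing in for public addresses and RFC 1918 space for internal ones), lists what a zone transfer of that file would leak, and derives the stripped-down zone the outside "known" server should publish.

```python
"""Added example: parse a zone file, show what it leaks, and compute the
external view for a split DNS setup. The zone below is constructed for an
invented domain; the parser handles the common single-line record forms
($ORIGIN/$TTL directives, optional TTL and class, quoted HINFO strings)."""
import ipaddress
import shlex

INTERNAL_ZONE = """\
$ORIGIN example.com.
$TTL 3600
@        IN SOA   ns1.example.com. hostmaster.example.com. (2002030101 3600 900 604800 3600)
@        IN NS    ns1.example.com.
@        IN MX 10 mail.example.com.
ns1      IN A     192.0.2.10
www      IN A     192.0.2.20
mail     IN A     192.0.2.30
hr-db    IN A     10.1.5.40
hr-db    IN HINFO "Sun Ultra 10" "Solaris 2.7"   ; platform details, a gift to an attacker
payroll  IN CNAME hr-db
fw1      IN A     10.1.0.1
fw1      IN HINFO "PC" "Windows NT 4.0 SP6"
"""

INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
PUBLIC_TYPES = {"SOA", "NS", "MX", "A", "CNAME"}   # HINFO/TXT etc. never leave the inside server


def fqdn(name, origin):
    """Qualify a zone-file owner or target name against $ORIGIN."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text):
    """Return (origin, records); each record is {'name', 'type', 'rdata': [...]}."""
    origin, records = ".", []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()          # drop comments
        if not line:
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        if line.startswith("$"):                     # $TTL and friends
            continue
        fields = shlex.split(line)                   # keeps "Sun Ultra 10" as one token
        i = 1
        if fields[i].isdigit():                      # optional TTL
            i += 1
        if fields[i].upper() in ("IN", "CH", "HS"):  # optional class
            i += 1
        records.append({"name": fqdn(fields[0], origin),
                        "type": fields[i].upper(), "rdata": fields[i + 1:]})
    return origin, records


def is_internal(addr):
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in INTERNAL_NETS)


def leaks(records):
    """What a zone transfer of the full internal zone hands an attacker."""
    return [(r["name"], " ".join(r["rdata"])) for r in records if r["type"] == "HINFO"]


def external_view(origin, records):
    """The minimal zone the outside ('known') server should publish."""
    hidden = {r["name"] for r in records
              if r["type"] == "A" and is_internal(r["rdata"][0])}
    out = []
    for r in records:
        if r["type"] not in PUBLIC_TYPES or r["name"] in hidden:
            continue
        if r["type"] == "CNAME" and fqdn(r["rdata"][0], origin) in hidden:
            continue                                  # alias would point at a hidden host
        out.append(r)
    return out


if __name__ == "__main__":
    origin, recs = parse_zone(INTERNAL_ZONE)
    print("leaked by a zone transfer:", leaks(recs))
    for r in external_view(origin, recs):
        print(r["name"], r["type"], " ".join(r["rdata"]))
```

The external view keeps the SOA, NS and MX records and the three public hosts; the HINFO records, the RFC 1918 hosts and the `payroll` alias that would have pointed at one of them all stay on the inside server, which is reachable only from the internal network. The same filtering is what you would check when auditing an existing split setup: diff the outside server's zone against this derived view and anything extra is a leak.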