Identifying Potential Risks
Contents
• Differentiate among various systems’ security threats:
  • Privilege escalation
  • Virus
  • Worm
  • Trojan
  • Spyware
  • Spam
  • Adware
  • Rootkits
  • Botnets
  • Logic bomb
Contents
• Implement security applications.
• Differentiate between the different ports and protocols, their respective threats and mitigation techniques:
  • Antiquated protocols
  • TCP/IP hijacking
  • Null sessions
  • Spoofing
  • Man-in-the-middle
  • Replay
  • DoS
  • DDoS
  • Domain name kiting
  • DNS poisoning
Contents
• Explain the vulnerabilities and mitigations associated with network devices:
  • Privilege escalation
  • Weak passwords
  • Back doors
  • DoS
• Carry out vulnerability assessments using common tools:
  • Vulnerability scanners
  • Password crackers
Index • Attack Strategies • Recognizing Common Attacks • Identifying TCP/IP Security Concerns • Understanding Software Exploitation • Surviving Malicious Code • Other Attacks and Frauds
Attack Strategies
• Access attack: someone who should not be able to reach your resources tries to access them. Its purpose is to gain access to information that the attacker isn’t authorized to have.
• Modification and repudiation attack: someone wants to modify information in your systems.
• Denial-of-service (DoS) attack
Access Attack Types
• Eavesdropping
  • Eavesdropping is the process of listening in on or overhearing parts of a conversation, including listening in on your network traffic
  • This type of attack is generally passive
• Snooping
  • Occurs when someone looks through your files hoping to find something interesting
  • The files may be either electronic or on paper
Access Attack Types
• Interception can be either an active or a passive process
  • Intercept (v): to stop something or someone that is going from one place to another before they get there
  • In a networked environment, a passive interception would involve someone who routinely monitors network traffic.
  • Active interception might include putting a computer system between the sender and receiver to capture information as it’s sent. The process is usually covert.
  • Intercept missions can occur for years without the knowledge of the parties being monitored.
Modification & Repudiation Attacks
• Modification attacks involve the deletion, insertion, or alteration of information in an unauthorized manner that is intended to appear genuine to the user.
• They’re similar to access attacks in that the attacker must first get to the data on the servers, but they differ from that point on.
• The motivation for this type of attack may be to plant information, change grades in a class, fraudulently alter credit card records, or something similar.
• Website defacements are a common form of modification attack.
Modification & Repudiation Attacks
• A repudiation attack is a variation of a modification attack.
  • repudiate /rɪpjudieɪt/
    • to refuse to accept or continue with something
    • to state or show that something is not true or correct
• Repudiation attacks make data or information appear to be invalid or misleading.
• Repudiation attacks are fairly easy to accomplish because most e-mail systems don’t check outbound mail for validity.
• Repudiation attacks, like modification attacks, usually begin as access attacks.
DoS Attacks
• Denial-of-Service
• DoS attacks prevent access to resources by users authorized to use those resources
• Most simple DoS attacks occur from a single system
• Types of DoS attacks:
  • ping of death
  • buffer overflow
Wireless DoS • Requires a powerful transmitter
DDoS Attacks
• Distributed Denial-of-Service Attacks
• Multiple computer systems used to conduct the attack
• Zombies
• Botnet: the malicious software running on a zombie
DDoS Attacks
• How do you defend against denial-of-service attacks?
Index • Attack Strategies • Recognizing Common Attacks • Identifying TCP/IP Security Concerns • Understanding Software Exploitation • Surviving Malicious Code • Other Attacks and Frauds
Back Door Attacks • Back doors?
Spoofing Attacks
• A spoofing attack is an attempt by someone or something to masquerade as someone else.
• IP spoofing and DNS spoofing
Man-in-the-Middle Attacks
• This type of attack is also an access attack, but it can be used as the starting point for a modification attack.
• Places a piece of software between a server and the user.
Replay Attacks
• The attacker captures the information and replays it later.
• The information can be usernames, passwords, or certificates from authentication systems such as Kerberos.
Wall of Sheep
• Captured passwords projected on the wall at DEFCON
Replay Attacks
• Solution: certificates usually contain a unique session identifier and a time stamp.
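The slide's remedy, a unique session identifier plus a time stamp, is easiest to see in code. The following is an added example (not from the original slides) showing a receiver that binds a session id, a per-message nonce and a time stamp to the payload with an HMAC, rejects anything outside a clock-skew window, and refuses a nonce it has already accepted. The key, the skew window and the message format are assumptions made for the example.

```python
import hashlib
import hmac
import time

# Constructed shared secret for this example only; real systems provision keys out of band.
SECRET_KEY = b"example-shared-secret-do-not-reuse"
MAX_CLOCK_SKEW = 30  # seconds a message time stamp may differ from the receiver's clock


def _canonical(session_id: str, nonce: str, timestamp: int, payload: str) -> bytes:
    """The exact bytes the MAC covers: identifier, nonce and time stamp travel with the payload."""
    return f"{session_id}|{nonce}|{timestamp}|{payload}".encode()


def make_message(session_id: str, nonce: str, timestamp: int, payload: str) -> dict:
    """Sender side: attach a keyed MAC so none of the fields can be altered in transit."""
    tag = hmac.new(SECRET_KEY, _canonical(session_id, nonce, timestamp, payload),
                   hashlib.sha256).hexdigest()
    return {"session_id": session_id, "nonce": nonce, "timestamp": timestamp,
            "payload": payload, "tag": tag}


class ReplayGuard:
    """Receiver side: verify the MAC, reject stale time stamps, reject a nonce seen before."""

    def __init__(self, clock=time.time):
        self.clock = clock          # injectable so the example is deterministic
        self.seen = {}              # (session_id, nonce) -> time stamp when first accepted

    def verify(self, msg: dict) -> tuple:
        expected = hmac.new(SECRET_KEY, _canonical(msg["session_id"], msg["nonce"],
                                                   msg["timestamp"], msg["payload"]),
                            hashlib.sha256).hexdigest()
        # Constant-time comparison so the MAC check itself leaks nothing.
        if not hmac.compare_digest(expected, msg["tag"]):
            return False, "bad MAC"
        now = int(self.clock())
        # The time stamp bounds how long a captured message stays usable.
        if abs(now - msg["timestamp"]) > MAX_CLOCK_SKEW:
            return False, "stale timestamp"
        key = (msg["session_id"], msg["nonce"])
        # The nonce cache catches a replay that arrives inside the time window.
        if key in self.seen:
            return False, "replayed nonce"
        self.seen[key] = msg["timestamp"]
        self._expire(now)
        return True, "ok"

    def _expire(self, now: int) -> None:
        """Drop nonces older than the window; anything older fails the time-stamp check anyway."""
        cutoff = now - MAX_CLOCK_SKEW
        self.seen = {k: t for k, t in self.seen.items() if t >= cutoff}


def demo() -> list:
    """Deliver the same authenticated message twice: the first copy is accepted, the second refused."""
    guard = ReplayGuard(clock=lambda: 1_000_000)
    msg = make_message("sess-42", "nonce-1", 1_000_000, "transfer 10")
    return [guard.verify(msg), guard.verify(msg)]
```

The three checks are layered on purpose: the MAC stops edits to any field, the time stamp limits how long a capture is useful, and the nonce cache only has to remember values inside that window.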
Sidejacking
• Records cookies and replays them
• This technique breaks into Gmail accounts
• Technical name: Cross Site Request Forgery
• Almost all social networking sites are vulnerable to this attack
  • Facebook, MySpace, Yahoo, etc.
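Sidejacking works because a session cookie that travels over plain HTTP can be recorded and replayed. The mitigation a defender checks first is the cookie's own attributes, so here is an added example (not from the slides) that parses Set-Cookie headers and reports session cookies missing Secure, HttpOnly or a restrictive SameSite value. The header samples and the list of name fragments used to spot session cookies are constructed for the example.

```python
# Name fragments that usually indicate a cookie carrying a login session (assumption for this example).
SESSION_NAME_HINTS = ("sess", "sid", "auth", "token", "login")


def parse_set_cookie(header_value: str) -> dict:
    """Split a Set-Cookie value into name, value and a lower-cased attribute map."""
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True   # bare flags map to True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def audit_set_cookie(header_value: str) -> tuple:
    """Return (cookie name, list of findings) for one Set-Cookie header."""
    cookie = parse_set_cookie(header_value)
    attrs = cookie["attrs"]
    findings = []
    # Only session-bearing cookies matter for sidejacking; a theme preference does not.
    if any(hint in cookie["name"].lower() for hint in SESSION_NAME_HINTS):
        if "secure" not in attrs:
            findings.append("missing Secure: cookie is sent over plain HTTP where it can be captured")
        if "httponly" not in attrs:
            findings.append("missing HttpOnly: cookie is readable by page scripts")
        samesite = attrs.get("samesite")
        if not isinstance(samesite, str) or samesite.lower() not in ("lax", "strict"):
            findings.append("SameSite not Lax or Strict: cookie rides along on cross-site requests")
    return cookie["name"], findings


# Constructed sample headers: a weak session cookie, its hardened form, and a harmless preference cookie.
SAMPLE_HEADERS = [
    "sessionid=d41d8cd98f00b204; Path=/",
    "sessionid=d41d8cd98f00b204; Path=/; Secure; HttpOnly; SameSite=Lax",
    "theme=dark; Path=/; Max-Age=31536000",
]


def audit_all(headers=SAMPLE_HEADERS) -> dict:
    """Map each header to its findings; an empty list means nothing to fix."""
    return {h: audit_set_cookie(h)[1] for h in headers}
```

The first sample is the sidejacking-prone form; the second shows the same cookie with the three attributes that keep it off plain HTTP, away from scripts, and off cross-site requests.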
Password-Guessing Attacks
• Brute-force attack
• Dictionary attack
• Hybrid: a mix of the two techniques above
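Brute-force, dictionary and hybrid guessing all leave the same trace on the target: bursts of failed logins from one source. As an added example (not part of the slides), the following scans constructed sshd-style log lines with a sliding window and reports sources that exceed a failure threshold, noting how many distinct accounts were targeted. The log format, threshold and window are assumptions for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed log lines in an sshd-like format; 203.0.113.7 is the source worth noticing.
SAMPLE_LOG = """\
2024-05-01 10:00:01 sshd[812]: Failed password for alice from 203.0.113.7
2024-05-01 10:00:04 sshd[812]: Failed password for alice from 203.0.113.7
2024-05-01 10:00:05 sshd[813]: Failed password for bob from 198.51.100.5
2024-05-01 10:00:08 sshd[812]: Failed password for alice from 203.0.113.7
2024-05-01 10:00:11 sshd[812]: Failed password for alice from 203.0.113.7
2024-05-01 10:00:15 sshd[812]: Failed password for alice from 203.0.113.7
2024-05-01 10:00:19 sshd[812]: Failed password for alice from 203.0.113.7
2024-05-01 10:00:20 sshd[813]: Accepted password for bob from 198.51.100.5
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) password for (?P<user>\S+) from (?P<src>\S+)$"
)


def detect_password_guessing(log_text: str, threshold: int = 5, window_seconds: int = 60) -> dict:
    """Flag sources with at least `threshold` failed logins inside a sliding window.

    Returns {src: {"failures_in_window", "distinct_users", "first_alert_at"}}.
    Many failures against one account suggests a dictionary or brute-force run;
    many distinct users from one source suggests password spraying.
    """
    recent = defaultdict(deque)   # src -> time stamps of recent failures
    users = defaultdict(set)      # src -> accounts targeted
    alerts = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["outcome"] != "Failed":
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        src = m["src"]
        users[src].add(m["user"])
        q = recent[src]
        q.append(ts)
        # Slide the window: drop failures older than window_seconds.
        while q and (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold and src not in alerts:
            alerts[src] = {
                "failures_in_window": len(q),
                "distinct_users": len(users[src]),
                "first_alert_at": ts.isoformat(),
            }
    return alerts
```

The legitimate user who mistypes once and then succeeds never reaches the threshold; the guessing source is reported at its fifth failure, and the distinct-user count tells the analyst which of the three guessing styles they are probably looking at.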
Privilege Escalation
• Privilege escalation can be the result of an error on an administrator’s part in assigning too high a permission set to a user, but it’s more often associated with bugs left in software.
• Cheat codes in video games.
Index • Attack Strategies • Recognizing Common Attacks • Identifying TCP/IP Security Concerns • Understanding Software Exploitation • Surviving Malicious Code • Other Attacks and Frauds
TCP/IP model
• Network Access = OSI layers 1 & 2; defines LAN communication
• Network = OSI layer 3; defines addressing and routing
• Transport/Host-to-Host = OSI layers 4 and 5; defines a communication session between two applications on one or two hosts
• Application = OSI layers 6 and 7; the application data that is being sent across a network
Network Access Layer
• Maps to layers 1 and 2 of the OSI model
• The level at which a network interface card works
• Source and destination MAC addresses are used to define the communication endpoints
• Protocols include:
  • Ethernet
  • Token Ring
  • FDDI
Network Layer
• Routing, IP addressing, and packaging
• Internet Protocol (IP) is a routable protocol, and it’s responsible for:
  • IP addressing
  • fragmenting and reassembling message packets
  • only routing information; it doesn’t verify it for accuracy (accuracy checking is the responsibility of TCP)
Host-to-Host or Transport Layer
• Maps to layers 4 and 5 of the OSI model
• Concerned with establishing sessions between two applications
• Source and destination endpoints are defined by port numbers
• The two transport protocols in TCP/IP are TCP and UDP
TCP – Transmission Control Protocol
• Connection oriented, “guaranteed” delivery
• Advantages
  • Easier to program with
  • Truly implements a “session”
  • Adds security
• Disadvantages
  • More overhead / slower
UDP – User Datagram Protocol
• Connectionless, non-guaranteed delivery (best effort)
• Advantages
  • Fast / low overhead
• Disadvantages
  • Harder to program with
  • No true sessions
  • Less security
  • A pain to firewall (due to no connections)
Application Layer
• Most programs, such as web browsers, interface with TCP/IP at this level
• Protocols:
  • Hypertext Transfer Protocol (HTTP)
  • File Transfer Protocol (FTP)
  • Simple Mail Transfer Protocol (SMTP)
  • Telnet
  • Domain Name Service (DNS)
  • Routing Information Protocol (RIP)
  • Post Office Protocol (POP3)
Encapsulation
• Encapsulate
  • to express or show something in a short way
  • to completely cover something with something else, especially in order to prevent a substance getting out
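The layer slides above (network access, network, transport, application) and the encapsulation definition are best seen by building one frame layer by layer. This added example, not from the slides, wraps a small application payload in a UDP header, then an IPv4 header with a computed checksum, then an Ethernet II header, and decodes the result by peeling each layer back off while verifying the IP header checksum. All addresses, ports and the payload are constructed sample values.

```python
import socket
import struct


def ip_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum over the IPv4 header; returns 0 when a header verifies."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_udp(src_port: int, dst_port: int, payload: bytes) -> bytes:
    """Transport layer: 8-byte UDP header before the application data (checksum 0 = omitted, legal over IPv4)."""
    return struct.pack("!HHHH", src_port, dst_port, 8 + len(payload), 0) + payload


def build_ipv4(src_ip: str, dst_ip: str, segment: bytes, protocol: int = 17, ttl: int = 64) -> bytes:
    """Network layer: 20-byte IPv4 header (no options) before the transport segment."""
    header = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 20 + len(segment),   # version/IHL, DSCP, total length
                         0x1234, 0,                    # identification, flags/fragment offset
                         ttl, protocol, 0,             # TTL, protocol (17 = UDP), checksum placeholder
                         socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    header = header[:10] + struct.pack("!H", ip_checksum(header)) + header[12:]
    return header + segment


def build_ethernet(src_mac: str, dst_mac: str, packet: bytes, ethertype: int = 0x0800) -> bytes:
    """Network access layer: 14-byte Ethernet II header before the IP packet."""
    to_bytes = lambda mac: bytes.fromhex(mac.replace(":", ""))
    return to_bytes(dst_mac) + to_bytes(src_mac) + struct.pack("!H", ethertype) + packet


def decode_frame(frame: bytes) -> dict:
    """Peel the layers back off, verifying the IP header checksum on the way."""
    mac = lambda b: ":".join("%02x" % x for x in b)
    dst_mac, src_mac = mac(frame[0:6]), mac(frame[6:12])
    ethertype = struct.unpack("!H", frame[12:14])[0]
    packet = frame[14:]
    ihl = (packet[0] & 0x0F) * 4
    if ip_checksum(packet[:ihl]) != 0:
        raise ValueError("IP header checksum mismatch")
    _, _, total_len, _, _, ttl, protocol, _, src, dst = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    segment = packet[ihl:total_len]
    sport, dport, length, _ = struct.unpack("!HHHH", segment[:8])
    return {"dst_mac": dst_mac, "src_mac": src_mac, "ethertype": ethertype,
            "src_ip": socket.inet_ntoa(src), "dst_ip": socket.inet_ntoa(dst), "ttl": ttl,
            "protocol": protocol, "src_port": sport, "dst_port": dport, "payload": segment[8:length]}


def example_frame() -> bytes:
    """Constructed sample: a UDP datagram to port 53 wrapped in IP, then in Ethernet."""
    datagram = build_udp(40000, 53, b"dns-query")
    packet = build_ipv4("192.0.2.10", "198.51.100.20", datagram)
    return build_ethernet("02:00:00:aa:bb:cc", "02:00:00:dd:ee:ff", packet)
```

Each `build_*` function adds exactly one header in front of what the layer above handed it, which is the encapsulation the slide defines; `decode_frame` shows the reverse walk a sniffer or firewall performs, and the checksum check is the only accuracy test the IP layer itself provides.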
Modulation
• Converting data from one form to another
• AM (Amplitude Modulation)
• FM (Frequency Modulation)
• PM (Phase Modulation)
• Keying methods
  • Current state keying
    • ASK
    • FSK
  • State transition keying
    • Phase Shift Keying (PSK)
• Modulation and demodulation
  • Used in modems and in transferring data units among OSI layers
Recognizing TCP/IP Attacks • Port Mirroring • Sniffing the Network • TCP Attacks
Sniffers • A device that captures and displays network traffic
TCP SYN or TCP ACK Flood Attack
• The client and server exchange information in TCP packets
• The TCP client sends an ACK packet to the server
• ACK packets tell the server that a connection is requested
• The server responds with an ACK packet
• The TCP client sends another packet to open the connection
• Instead of opening the connection, the TCP client continues to send ACK packets to the server.
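The flood described on this slide (and the DoS slides earlier) exhausts the server's table of half-open connections: in the standard three-way handshake the client sends SYN, the server answers SYN-ACK, and the client's ACK completes it; a flooding client never sends that last ACK. The following added example, not from the slides, tracks handshake state over a constructed capture and reports sources holding many stale half-open connections. The `Segment` record, the timeout and the threshold are assumptions for the example.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    ts: float      # seconds
    src: str
    sport: int
    dst: str
    dport: int
    flags: str     # "S" = SYN, "SA" = SYN-ACK, "A" = ACK, "R" = RST


def half_open_by_source(segments, server_ip: str, handshake_timeout: float = 3.0, now: float = None) -> dict:
    """Count, per client address, handshakes the client opened with SYN but never finished with ACK.

    pending maps (client, client port) -> time of the SYN; the client's ACK (third message) clears it.
    """
    pending = {}
    for seg in sorted(segments, key=lambda s: s.ts):
        if seg.dst != server_ip:
            continue                       # only the client-to-server direction matters here
        key = (seg.src, seg.sport)
        if seg.flags == "S":
            pending[key] = seg.ts
        elif seg.flags in ("A", "R"):     # handshake completed (ACK) or abandoned cleanly (RST)
            pending.pop(key, None)
    if now is None:
        now = max(s.ts for s in segments)
    counts = defaultdict(int)
    for (src, _), syn_time in pending.items():
        if now - syn_time >= handshake_timeout:   # still unanswered after the grace period
            counts[src] += 1
    return dict(counts)


def syn_flood_sources(segments, server_ip: str, threshold: int = 20, **kw) -> set:
    """Sources holding at least `threshold` stale half-open connections."""
    return {src for src, n in half_open_by_source(segments, server_ip, **kw).items() if n >= threshold}


def sample_traffic() -> list:
    """Constructed capture: one client completes the handshake; 203.0.113.9 sends 50 SYNs and never answers."""
    server = "192.0.2.80"
    segs = [
        Segment(0.00, "198.51.100.5", 51000, server, 80, "S"),
        Segment(0.01, server, 80, "198.51.100.5", 51000, "SA"),
        Segment(0.02, "198.51.100.5", 51000, server, 80, "A"),
    ]
    for i in range(50):
        segs.append(Segment(1.0 + i * 0.01, "203.0.113.9", 40000 + i, server, 80, "S"))
        segs.append(Segment(1.0 + i * 0.01 + 0.005, server, 80, "203.0.113.9", 40000 + i, "SA"))
    return segs
```

The grace period matters: a slow but honest client also looks half-open for a moment, so only SYNs that stay unanswered past the timeout are counted against their source.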
TCP Sequence Number Attack
• TCP sequence number attacks occur when an attacker takes control of one end of a TCP session
• Each time a TCP message is sent, either the client or the server generates a sequence number
• The attacker intercepts and then responds with a sequence number similar to the one used in the original session
• The goal is to disrupt or hijack a valid session
Wireless Attacks
• Rogue access points
  • Rogue: not behaving in the usual or accepted way and often causing trouble
  • Employees often set up home wireless routers for convenience at work
  • This allows attackers to bypass all of the network security and opens the entire network and all users to direct attacks
  • An attacker who can access the network through a rogue access point is behind the company's firewall
  • Can directly attack all devices on the network
Wireless Attacks
• War driving
• Beaconing
  • At regular intervals, a wireless AP sends a beacon frame to announce its presence and to provide the necessary information for devices that want to join the network
• Scanning
  • Each wireless device looks for those beacon frames
  • Unapproved wireless devices can likewise pick up the beaconing RF transmission
  • Formally known as wireless location mapping
Wireless Attacks
• Bluetooth
  • A wireless technology that uses short-range RF transmissions
  • Provides for rapid “on the fly” and ad hoc connections between devices
• Bluesnarfing
  • Stealing data through a Bluetooth connection
  • E-mails, calendars, contact lists, and cell phone pictures and videos, …
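The same beacon frames that let a war driver map access points let a defender find the rogue and evil-twin APs the earlier wireless slides describe. As an added example, not from the slides, the following compares a constructed scan result against an allowlist of sanctioned SSID/BSSID pairs and classifies each AP; the allowlist, the signal-strength cut-off and the scan contents are assumptions for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Beacon:
    ssid: str
    bssid: str
    channel: int
    rssi: int      # dBm; closer to 0 is stronger


# Constructed allowlist: corporate SSIDs and the BSSIDs of the access points IT actually installed.
AUTHORIZED_APS = {
    "CorpWiFi": {"00:11:22:33:44:55", "00:11:22:33:44:56"},
    "CorpGuest": {"00:11:22:33:44:57"},
}

STRONG_SIGNAL_DBM = -55   # stronger than this from an unknown AP usually means it is inside the building


def classify_beacons(beacons, authorized=AUTHORIZED_APS, strong=STRONG_SIGNAL_DBM) -> dict:
    """Return {bssid: verdict} for every distinct AP seen in a scan."""
    verdicts = {}
    for b in beacons:
        bssid = b.bssid.lower()
        known_bssids = {x.lower() for x in authorized.get(b.ssid, set())}
        if b.ssid in authorized and bssid in known_bssids:
            verdict = "authorized"
        elif b.ssid in authorized:
            # Corporate name from hardware IT never installed: classic evil twin.
            verdict = "evil twin: corporate SSID advertised by an unlisted BSSID"
        elif b.rssi > strong:
            # A neighbor's AP is rarely this loud; an employee's home router on a desk is.
            verdict = "probable rogue: unknown AP with a strong signal"
        else:
            verdict = "neighbor: unknown SSID with a weak signal"
        verdicts[bssid] = verdict
    return verdicts


def sample_scan() -> list:
    """Constructed scan results: two sanctioned APs, a neighbor, a strong unknown AP and an evil twin."""
    return [
        Beacon("CorpWiFi", "00:11:22:33:44:55", 6, -48),
        Beacon("CorpGuest", "00:11:22:33:44:57", 11, -60),
        Beacon("CoffeeShop", "aa:bb:cc:00:00:01", 1, -82),
        Beacon("linksys", "aa:bb:cc:00:00:02", 6, -41),
        Beacon("CorpWiFi", "de:ad:be:ef:00:01", 6, -45),
    ]
```

Signal strength is only a heuristic, which is why the verdicts say "probable": the firm finding is the evil twin, where a sanctioned SSID is broadcast from a BSSID that is not on the inventory.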
Index • Attack Strategies • Recognizing Common Attacks • Identifying TCP/IP Security Concerns • Understanding Software Exploitation • Surviving Malicious Code • Other Attacks and Frauds
Software Exploitations
• Database exploitation
  • If a client session can be hijacked or spoofed, the attacker can formulate queries against the database that disclose unauthorized information.
• Application exploitation
• E-mail exploitation
• Spyware
  • Rather than self-replicating, like viruses and worms, spyware is spread to machines by users who inadvertently ask for it
• Rootkits
  • Enable continued privileged access to a computer, while actively hiding their presence from administrators by subverting standard operating system functionality or other applications