Bài giảng Identifying Potential Risks

Identifying Potential RisksContentsDifferentiate among various systems’ security threats:Privilege escalationVirusWormTrojanSpywareSpamAdwareRootkitsBotnetsLogic bomb34567891011ContentsImplement security applications.Differentiate between the different ports and protocols, their respective threats and mitigation techniques.Antiquated protocolsTCP/IP hijackingNull sessionsSpoofingMan-in-the-middleReplayDoSDDoSDomain Name KitingDNS poisoningContentsExplain the vulnerabilities and mitigations associated with network devices.Privilege escalationWeak passwordsBack doorsDoSCarry out vulnerability assessments using common tools.Vulnerability scannersPassword crackersIndexAttack StrategiesRecognizing Common AttacksIdentifying TCP/IP Security ConcernsUnderstanding Software ExploitationSurviving Malicious CodeOther Attacks and FraudsAttack StrategiesAccess attack, someone who should not be able to wants to access your resources. Its purpose is to gain access to information that the attacker isn’t authorized to haveModification and repudiation attack, someone wants to modify information in your systemsDenial-of-service (DoS) attackAccess Attack TypesEavesdroppingEavesdropping is the process of listening in on or overhearing parts of a conversation, including listening in on your network trafficThis type of attack is generally passiveSnoopingOccurs when someone looks through your files hoping to find something interestingThe files may be either electronic or on paperAccess Attack TypesInterception can be either an active or a passive processIntercept (v): to stop something or someone that is going from one place to another before they get thereIn a networked environment, a passive interception would involve someone who routinely monitors network traffic.Active interception might include putting a computer system between the sender and receiver to capture information as it’s sent. The process is usually covert. Intercept missions can occur for years without the knowledge of the parties being monitored.Modification & Repudiation AttacksModification attacks involve the deletion, insertion, or alteration of information in an unauthorized manner that is intended to appear genuine to the userThey’re similar to access attacks in that the attacker must first get to the data on the servers, but they differ from that point on.The motivation for this type of attack may be to plant information, change grades in a class, fraudulently alter credit card records, or something similar.Website defacements are a common form of modification attack.Modification & Repudiation AttacksRepudiation attack is a variation of modification attacksrepudiate / rɪpjudieɪt /to refuse to accept or continue with somethingto state or show that something is not true or correctRepudiation attacks make data or information appear to be invalid or misleading.Repudiation attacks are fairly easy to accomplish because most e-mail systems don’t check outbound mail for validity.Repudiation attacks, like modification attacks, usually begin as access attacks.DoS AttacksDenial-of-ServiceDoS attacks prevent access to resources by users authorized to use those resourcesMost simple DoS attacks occur from a single systemTypes of DoS attacks:ping of deathbuffer overflowDoS AttacksWireless DoSRequires a powerful transmitterAn Easier Wireless DoSDDoS AttacksDistributed Denial-of-Service AttacksMultiple computer systems used to conduct the attackZombiesBotnet: the malicious software running on a zombieDDoS AttacksDDoS AttacksHow to face with Denial attacks?IndexAttack StrategiesRecognizing Common AttacksIdentifying TCP/IP Security ConcernsUnderstanding Software ExploitationSurviving Malicious CodeOther Attacks and FraudsBack Door AttacksBack doors?Spoofing AttacksA spoofing attack is an attempt by someone or something to masquerade as someone else.IP spoofing and DNS spoofingMan-in-the-Middle AttacksThis type of attack is also an access attack, but it can be used as the starting point for a modification attackPlaces a piece of software between a server and the user.Replay AttacksThe attacker captures the information and replay it later.The information can be username, passwords, certificates from authentication systems such as Kerboros.Wall of SheepCaptured passwords projected on the wall at DEFCONReplay AttacksSolutions: Certificates usually contain a unique session identifier and a time stamp.SidejackingRecords cookies and replays themThis technique breaks into Gmail accountsTechnical name: Cross Site Request ForgeryAlmost all social networking sites are vulnerable to this attackFacebook, MySpace, Yahoo, etc.Password-Guessing AttacksBrute-force attack.Dictionary attackHybrids: mixing the two above techniquesPrivilege EscalationPrivilege escalation can be the result of an error on an administrator’s part in assigning too high a permission set to a user, but it’s more often associated with bugs left in software.Cheat codes in video games. IndexAttack StrategiesRecognizing Common AttacksIdentifying TCP/IP Security ConcernsUnderstanding Software ExploitationSurviving Malicious CodeOther Attacks and FraudsOSI vs TCP/IPTCP/IP modelNetwork Access = OSI layers 1 & 2, defines LAN communication, what do I mean by that?Network = OSI layer 3 – defines addressing and routingTransport/Host to Host = OSI layer 4, 5 – defines a communication session between two applications on one or two hostsApplication = OSI layers 6,7 the application data that is being sent across a networkNetwork Access LayerMaps to Layer 1 and 2 of the OSI model The Level that a Network Interface Card Works onSource and Destination MAC addresses are used defining communications endpointsProtocols includeEthernetToken RingFDDINetwork Layer Routing, IP addressing, and packagingInternet Protocol (IP) is a routable protocol, and it’s responsible for:IP addressing.fragments and reassembles message packetsonly routes information; doesn’t verify it for accuracy(Accuracy checking is the responsibility of TCP)Host-to-Host or Transport LayerMaps to layer 4 and 5 of the OSI modelConcerned with establishing sessions between two applicationsSource and destination endpoints are defined by port numbersThe two transport protocols in TCP/IP are TCP and UDPTCP – Transmission Control ProtocolConnection oriented “guaranteed” delivery. AdvantagesEasier to program withTruly implements a “session”Adds securityDisadvantagesMore overhead / slowerUDP - User Datagram Protocol Connectionless, non-guaranteed delivery (best effort)AdvantagesFast / low overheadDisadvantagesHarder to program withNo true sessionsLess securityA pain to firewall (due to no connections)Application LayerMost programs, such as web browsers, interface with TCP/IP at this levelProtocols:Hypertext Transfer Protocol (HTTP)File Transfer Protocol (FTP)Simple Mail Transfer Protocol (SMTP)TelnetDomain Name Service (DNS)Routing Information Protocol (RIP)Post Office Protocol (POP3)EncapsulationEncapsulateto express or show something in a short wayto completely cover something with something else, especially in order to prevent a substance getting outModulation – Điều chếTo change data from a form to anotherAM (Amplitude Modulation)FM (Frequency Modulation)PM (Phase Modulation)Keying methodsCurrent State KeyingASKFSKState Transition KeyingPhase Shift Keying (PSK)Modulation and DemodulationUsed in modems and in transfering data units among OSI layersRecognizing TCP/IP AttacksPort MirroringSniffing the NetworkTCP AttacksPort MirroringSniffersA device that captures and displays network trafficTCP SYN or TCP ACK Flood AttackThe client and server exchange information in TCP packetsThe TCP client sends an ACK packet to the server ACK packets tell the server that a connection is requestedServer responds with an ACK packetThe TCP Client sends another packet to open the connectionInstead of opening the connection, the TCP client continues to send ACK packet to the server.TCP SYN or TCP ACK Flood AttackTCP Sequence Number AttackTCP sequence number attacks occur when an attacker takes control of one end of a TCP sessionEach time a TCP message is sent, either the client or the server generates a sequence numberThe attacker intercepts and then responds with a sequence number similar to the one used in the original sessionDisrupt or hijack a valid sessionWireless AttacksRogue access pointsRogue: not behaving in the usual or accepted way and often causing troubleEmployees often set up home wireless routers for convenience at workThis allows attackers to bypass all of the network security and opens the entire network and all users to direct attacksAn attacker who can access the network through a rogue access point is behind the company's firewallCan directly attack all devices on the networkWireless AttacksWireless AttacksWar drivingBeaconingAt regular intervals, a wireless AP sends a beacon frame to announce its presence and to provide the necessary information for devices that want to join the networkScanningEach wireless device looks for those beacon framesUnapproved wireless devices can likewise pick up the beaconing RF transmissionFormally known as wireless location mappingWireless AttacksBluetoothA wireless technology that uses short-range RF transmissionsProvides for rapid “on the fly” and ad hoc connections between devicesBluesnarfingStealing data through a Bluetooth connectionE-mails, calendars, contact lists, and cell phone pictures and videos, IndexAttack StrategiesRecognizing Common AttacksIdentifying TCP/IP Security ConcernsUnderstanding Software ExploitationSurviving Malicious CodeOther Attacks and FraudsSoftware ExploitationsDatabase exploitationIf a client session can be hijacked or spoofed, the attacker can formulate queries against the database that disclose unauthorized information.Application exploitationE-mail exploitationSpywareRather than self-replicating, like viruses and worms, spyware is spread to machines by users who inadvertently ask for itRootkitsEnables continued privileged access to a computer, while actively hiding its presence from administrators by subverting standard operating system functionality or other applicationsIndexAttack StrategiesRecognizing Common AttacksIdentifying TCP/IP Security ConcernsUnderstanding Software ExploitationSurviving Malicious CodeOther Attacks and FraudsVirusesArmored Virusdesigned to make itself difficult to detect or analyzeCompanion VirusA companion virus attaches itself to legitimate programs and then creates a program with a different filename extensionMacro Virusa set of programming instructions in a language such as VBScript that commands an application to perform illicit actionsVirusesMultipartite Virus: attacks the system in multiple waysVirusesPhage VirusModifies and alters other programs and databaseThe only way to remove this virus is to reinstall the programs that are infectedPolymorphic VirusChange form in order to avoid detectionFrequently, the virus will encrypt parts of itself to avoid detectionVirusesStealth VirusAttempts to avoid detection by masking itself from applicationsLogic BombsLogic bombs are programs or snippets of code that execute when a certain predefined event occurs.IndexAttack StrategiesRecognizing Common AttacksIdentifying TCP/IP Security ConcernsUnderstanding Software ExploitationSurviving Malicious CodeOther Attacks and FraudsNull SessionsConnections to a Microsoft Windows 2000 or Windows NT computer with a blank username and passwordAttacker can collect a lot of data from a vulnerable systemCannot be fixed by patches to the operating systemsMuch less of a problem with modern Windows versions, Win XP SP2, Vista, or Windows 7Domain Name KitingCheck kitingA type of fraud that involves the unlawful use of checking accounts to gain additional time before the fraud is detectedDomain Name KitingRegistrars are organizations that are approved by ICANN to sell and register Internet domain namesA five-day Add Grade Period (AGP) permits registrars to delete any newly registered Internet domain names and receive a full refund of the registration feeDomain Name KitingUnscrupulous registrars register thousands of Internet domain names and then delete them Recently expired domain names are indexed by search enginesVisitors are directed to a re-registered siteWhich is usually a single page Web with paid advertisement linksVisitors who click on these links generate money for the registrarSNMP (Simple Network Management Protocol)Used to manage switches, routers, and other network devicesEarly versions did not encrypt passwords, and had other security flawsBut the old versions are still commonly usedDNS (Domain Name System)DNS is used to resolve domain names like www.ccsf.edu to IP addresses like 147.144.1.254DNS has many vulnerabilitiesIt was never designed to be secureDNS PoisoningLocal DNS PoisoningPut false entries into the Hosts fileC:\Windows\System32\Drivers\etc\hostsDNS Cache PoisoningAttacker sends many spoofed DNS responsesTarget just accepts the first one it getsSending Extra DNS RecordsDNS TransfersIntended to let a new DNS server copy the records from an existing oneCan be used by attackers to get a list of all the machines in a company, like a network diagramUsually blocked by modern DNS serversProtection from DNS AttacksAntispyware software will warn you when the hosts file is modifiedUsing updated versions of DNS server software prevents older DNS attacks against the serverBut many DNS flaws cannot be patchedEventually: Switch to DNSSEC (Domain Name System Security Extensions)But DNSSEC is not widely deployed yet, and it has its own problemsARP (Address Resolution Protocol)ARP is used to convert IP addresses like 147.144.1.254 into MAC addresses like 00-30-48-82-11-34ARP Cache PoisoningAttacker sends many spoofed ARP responsesTarget just accepts the first one it getsResults of ARP Poisoning Attacks