differentiate among various systems’ security threats: privilege escalation virus worm trojan ...
Post on 13-Jan-2016
238 Views
Preview:
TRANSCRIPT
Differentiate among various systems’ security threats: Privilege escalation Virus Worm Trojan Spyware Spam Adware Rootkits Botnets Logic bomb
Implement security applications. Differentiate between the different ports and protocols, their
respective threats and mitigation techniques. Antiquated protocols TCP/IP hijacking Null sessions Spoofing Man-in-the-middle Replay DoS DDoS Domain Name Kiting DNS poisoning
Explain the vulnerabilities and mitigations associated with network devices. Privilege escalation Weak passwords Back doors DoS
Carry out vulnerability assessments using common tools. Vulnerability scanners Password crackers
Attack Strategies Recognizing Common Attacks Identifying TCP/IP Security Concerns Understanding Software Exploitation Surviving Malicious Code Other Attacks and Frauds
Access attack, someone who should not be able to wants to access your resources. Its purpose is to gain access to information that the attacker isn’t authorized to have
Modification and repudiation attack, someone wants to modify information in your systems
Denial-of-service (DoS) attack
Eavesdropping Eavesdropping is the process of listening in on or overhearing
parts of a conversation, including listening in on your network traffic
This type of attack is generally passive
Snooping Occurs when someone looks through your files hoping to find
something interesting The files may be either electronic or on paper
Interception can be either an active or a passive process Intercept (v): to stop something or someone that is going from
one place to another before they get there In a networked environment, a passive interception would
involve someone who routinely monitors network traffic. Active interception might include putting a computer system
between the sender and receiver to capture information as it’s sent. The process is usually covert.
Intercept missions can occur for years without the knowledge of the parties being monitored.
Modification attacks involve the deletion, insertion, or alteration of information in an unauthorized manner that is intended to appear genuine to the user
They’re similar to access attacks in that the attacker must first get to the data on the servers, but they differ from that point on.
The motivation for this type of attack may be to plant information, change grades in a class, fraudulently alter credit card records, or something similar.
Website defacements are a common form of modification attack.
Repudiation attack is a variation of modification attacks repudiate / rɪpjudieɪt /
to refuse to accept or continue with something to state or show that something is not true or correct
Repudiation attacks make data or information appear to be invalid or misleading.
Repudiation attacks are fairly easy to accomplish because most e-mail systems don’t check outbound mail for validity.
Repudiation attacks, like modification attacks, usually begin as access attacks.
Denial-of-Service DoS attacks prevent access to resources by users
authorized to use those resources Most simple DoS attacks occur from a single system Types of DoS attacks:
ping of death buffer overflow
Requires a powerful transmitter
Distributed Denial-of-Service Attacks Multiple computer systems used to conduct the attack Zombies Botnet: the malicious software running on a zombie
How to face with Denial attacks?
Attack Strategies Recognizing Common Attacks Identifying TCP/IP Security Concerns Understanding Software Exploitation Surviving Malicious Code Other Attacks and Frauds
Back doors?
A spoofing attack is an attempt by someone or something to masquerade as someone else.
IP spoofing and DNS spoofing
This type of attack is also an access attack, but it can be used as the starting point for a modification attack
Places a piece of software between a server and the user.
The attacker captures the information and replay it later. The information can be username, passwords,
certificates from authentication systems such as Kerboros.
Captured passwords projected on the wall at DEFCON
Solutions: Certificates usually contain a unique session identifier and a time stamp.
Records cookies and replays them This technique breaks into Gmail accounts Technical name: Cross Site Request Forgery Almost all social networking sites are vulnerable to this
attack Facebook, MySpace, Yahoo, etc.
Brute-force attack. Dictionary attack Hybrids: mixing the two above techniques
Privilege escalation can be the result of an error on an administrator’s part in assigning too high a permission set to a user, but it’s more often associated with bugs left in software.
Cheat codes in video games.
Attack Strategies Recognizing Common Attacks Identifying TCP/IP Security Concerns Understanding Software Exploitation Surviving Malicious Code Other Attacks and Frauds
Network Access = OSI layers 1 & 2, defines LAN communication, what do I mean by that?
Network = OSI layer 3 – defines addressing and routing Transport/Host to Host = OSI layer 4, 5 – defines a
communication session between two applications on one or two hosts
Application = OSI layers 6,7 the application data that is being sent across a network
Maps to Layer 1 and 2 of the OSI model The Level that a Network Interface Card Works on Source and Destination MAC addresses are used
defining communications endpoints Protocols include
Ethernet Token Ring FDDI
Routing, IP addressing, and packaging Internet Protocol (IP) is a routable protocol, and it’s
responsible for: IP addressing. fragments and reassembles message packets only routes information; doesn’t verify it for accuracy(Accuracy
checking is the responsibility of TCP)
Maps to layer 4 and 5 of the OSI model Concerned with establishing sessions between two
applications Source and destination endpoints are defined by port
numbers The two transport protocols in TCP/IP are TCP and UDP
Connection oriented “guaranteed” delivery. Advantages
Easier to program with Truly implements a “session” Adds security
Disadvantages More overhead / slower
Connectionless, non-guaranteed delivery (best effort) Advantages
Fast / low overhead
Disadvantages Harder to program with No true sessions Less security A pain to firewall (due to no connections)
Most programs, such as web browsers, interface with TCP/IP at this level
Protocols: Hypertext Transfer Protocol (HTTP) File Transfer Protocol (FTP) Simple Mail Transfer Protocol (SMTP) Telnet Domain Name Service (DNS) Routing Information Protocol (RIP) Post Office Protocol (POP3)
Encapsulate to express or show something in a short way to completely cover something with something else, especially in
order to prevent a substance getting out
To change data from a form to another AM (Amplitude Modulation) FM (Frequency Modulation) PM (Phase Modulation)
Keying methods Current State Keying
ASKFSK
State Transition KeyingPhase Shift Keying (PSK)
Modulation and Demodulation Used in modems and in transfering data units among
OSI layers
Port Mirroring Sniffing the Network TCP Attacks
A device that captures and displays network traffic
TCP sequence number attacks occur when an attacker takes control of one end of a TCP session Each time a TCP message is sent, either the client or the server
generates a sequence number The attacker intercepts and then responds with a sequence
number similar to the one used in the original session Disrupt or hijack a valid session
Rogue access points Rogue: not behaving in the usual or accepted way and often
causing trouble Employees often set up home wireless routers for convenience
at work This allows attackers to bypass all of the network security and
opens the entire network and all users to direct attacks An attacker who can access the network through a rogue access
point is behind the company's firewallCan directly attack all devices on the network
War driving Beaconing
At regular intervals, a wireless AP sends a beacon frame to announce its presence and to provide the necessary information for devices that want to join the network
ScanningEach wireless device looks for those beacon frames
Unapproved wireless devices can likewise pick up the beaconing RF transmission
Formally known as wireless location mapping
Bluetooth A wireless technology that uses short-range RF transmissions Provides for rapid “on the fly” and ad hoc connections between
devices
Bluesnarfing Stealing data through a Bluetooth connection E-mails, calendars, contact lists, and cell phone pictures and
videos, …
Attack Strategies Recognizing Common Attacks Identifying TCP/IP Security Concerns Understanding Software Exploitation Surviving Malicious Code Other Attacks and Frauds
Database exploitation If a client session can be hijacked or spoofed, the attacker can
formulate queries against the database that disclose unauthorized information.
Application exploitation E-mail exploitation Spyware
Rather than self-replicating, like viruses and worms, spyware is spread to machines by users who inadvertently ask for it
Rootkits Enables continued privileged access to a computer, while actively
hiding its presence from administrators by subverting standard operating system functionality or other applications
Attack Strategies Recognizing Common Attacks Identifying TCP/IP Security Concerns Understanding Software Exploitation Surviving Malicious Code Other Attacks and Frauds
Armored Virus designed to make itself difficult to detect or analyze
Companion Virus A companion virus attaches itself to legitimate programs and
then creates a program with a different filename extension
Macro Virus a set of programming instructions in a language such as
VBScript that commands an application to perform illicit actions
Multipartite Virus: attacks the system in multiple ways
Phage Virus Modifies and alters other programs and database The only way to remove this virus is to reinstall the programs
that are infected
Polymorphic Virus Change form in order to avoid detection Frequently, the virus will encrypt parts of itself to avoid detection
Stealth Virus Attempts to avoid detection by masking itself from applications
Logic bombs are programs or snippets of code that execute when a certain predefined event occurs.
Attack Strategies Recognizing Common Attacks Identifying TCP/IP Security Concerns Understanding Software Exploitation Surviving Malicious Code Other Attacks and Frauds
Connections to a Microsoft Windows 2000 or Windows NT computer with a blank username and password
Attacker can collect a lot of data from a vulnerable system
Cannot be fixed by patches to the operating systems Much less of a problem with modern Windows versions,
Win XP SP2, Vista, or Windows 7
Check kiting A type of fraud that involves the unlawful use of checking
accounts to gain additional time before the fraud is detected
Domain Name Kiting Registrars are organizations that are approved by ICANN to sell
and register Internet domain names A five-day Add Grade Period (AGP) permits registrars to delete
any newly registered Internet domain names and receive a full refund of the registration fee
Unscrupulous registrars register thousands of Internet domain names and then delete them
Recently expired domain names are indexed by search engines
Visitors are directed to a re-registered site Which is usually a single page Web with paid advertisement
links
Visitors who click on these links generate money for the registrar
Used to manage switches, routers, and other network devices
Early versions did not encrypt passwords, and had other security flaws
But the old versions are still commonly used
DNS is used to resolve domain names like www.ccsf.edu to IP addresses like 147.144.1.254
DNS has many vulnerabilities It was never designed to be secure
Put false entries into the Hosts file C:\Windows\System32\Drivers\etc\hosts
Attacker sends many spoofed DNS responses Target just accepts the first one it gets
Intended to let a new DNS server copy the records from an existing one
Can be used by attackers to get a list of all the machines in a company, like a network diagram Usually blocked by modern DNS servers
Antispyware software will warn you when the hosts file is modified
Using updated versions of DNS server software prevents older DNS attacks against the server
But many DNS flaws cannot be patched Eventually: Switch to DNSSEC (Domain Name System
Security Extensions) But DNSSEC is not widely deployed yet, and it has its own
problems
ARP is used to convert IP addresses like 147.144.1.254 into MAC addresses like 00-30-48-82-11-34
Attacker sends many spoofed ARP responses Target just accepts the first one it gets
top related