Attackers and Their Attacks: Security Basic

Upload: ankit-mandal

Post on 06-Apr-2018


  • 8/3/2019 Attackers and Their Attacks Security Basic

    Attackers and Their Attacks

  • Objectives

    Develop attacker profiles

    Describe basic attacks

    Describe identity attacks

    Identify denial of service attacks

    Define malicious code (malware)

  • Developing Attacker Profiles

    Six categories:

    Hackers

    Crackers

    Script kiddies

    Spies

    Employees

    Cyberterrorists

  • Hackers

    Person who uses advanced computer skills to attack computers, but not with a malicious intent

    Use their skills to expose security flaws and improve security

    Hacker code of ethics: breaking into another person's computer is ethically acceptable as long as they don't commit theft, damage, or breach of confidentiality

  • Crackers

    Person who violates system security with malicious intent

    Have advanced knowledge of computers and networks and the skills to exploit them

    Destroy data, deny legitimate users of service, or otherwise cause serious problems on computers and networks

    Crackers are often mistakenly called hackers

  • Script Kiddies

    Break into computers to create damage

    Are unskilled users

    Download automated hacking software from Web sites and use it to break into computers

    Tend to be young computer users with almost unlimited amounts of free time, which they can use to attack systems

  • Spies

    Person hired to break into a computer and steal information

    Do not randomly search for unsecured computers to attack

    Hired to attack a specific computer that contains sensitive information

    Motivation is almost always financial

  • Employees

    One of the largest information security threats to business

    Employees break into their company's computer for these reasons:

    To show the company a weakness in their security

    To say, "I'm smarter than all of you"

    For money

    A dissatisfied employee wanting to get back at the company

  • Cyberterrorists

    Experts fear terrorists will attack the network and computer infrastructure to cause panic

    Cyberterrorists' motivation may be defined as ideology, or attacking for the sake of their principles or beliefs

    One of the targets highest on the list of cyberterrorists is the Internet itself

  • Cyberterrorists (continued)

    Three goals of a cyberattack:

    Deface electronic information to spread disinformation and propaganda

    Deny service to legitimate computer users

    Commit unauthorized intrusions into systems and networks that result in critical infrastructure outages and corruption of essential data

  • Developing Attacker Profiles (continued)

  • Attack classifications

    Passive attacks: attacker's goal is to obtain information

    Attacker doesn't modify data or harm the system

    The system continues its normal operation

    Difficult to detect

    Which principle, goal, or information characteristic does this class of attacks threaten?

  • Attack classifications

    Active attacks: attacker may change the data or harm the system

    Easier to detect

    Which principle, goal, or information characteristic does this class of attacks threaten?

  • Attack Categories

    Basic attacks

    Identity attacks

    Denial of service (DoS)

    Malicious code

  • Understanding Basic Attacks

    Today, the global computing infrastructure is the most likely target of attacks

    Attackers are becoming more sophisticated, moving away from searching for bugs in specific software applications toward examining the underlying software and hardware infrastructure itself

  • Understanding Basic Attacks

    Social engineering

    Password guessing

    Software exploitation

    Weak keys

    Mathematical attacks

  • Social Engineering

    Easiest way to attack a computer system; requires almost no technical ability and is usually highly successful

    Social engineering relies on tricking and deceiving someone to access a system

    Social engineering is not limited to telephone calls or dated credentials

    Examples: customer service representative, help desk personnel, etc.

  • Social Engineering (continued)

    Phishing: sending people electronic requests for information that appear to come from a valid source

  • Social Engineering (continued)

    Phishing attack examples:

  • Social Engineering (continued)

    Develop strong instructions or company policies regarding:

    When passwords are given out

    What to do when asked questions by another employee that may reveal protected information

    Educate all employees about the policies and ensure that these policies are followed

  • Password Guessing

    Password: secret combination of letters and numbers that validates or authenticates a user

    Passwords are used with usernames to log on to a system using a dialog box

    Attackers attempt to exploit weak passwords by password guessing

  • Password Guessing (continued)

  • Password Guessing (continued)

    Characteristics of weak passwords:

    Using a short password (XYZ)

    Using a common word (blue)

    Using personal information (name of a pet)

    Using the same password for all accounts

    Writing the password down and leaving it under the mouse pad or keyboard

    Not changing passwords unless forced to do so

  • Password Guessing (continued)

    Password exploitation attacks:

    1. Brute force: attacker attempts to create every possible password combination by changing one character at a time, [...] the system.

    E.g. Password = 6523.

    Possible combinations are 10x10x10x10 = 10,000

    Personal computer can create more than 1,000,000 combinations per second.

  • Password Guessing (continued)

    Password exploitation attacks: 1. Brute force

    Time calculations:

    Four digits = 10x10x10x10 = 10,000 (0.01 second)

    Four capital letters = 26x26x26x26 = 456,976 (0.45 second)

    Four capital and small letters = 52x52x52x52 = 7,311,616 (7.3 seconds)

    Four digits, capital and small letters = 62x62x62x62 = 14,776,336 (14.7 seconds)

    Four digits, special characters (10), capital and small letters = 72x72x72x72 = 1,934,917,632 (32 minutes)

    Eight digits, special characters (10), capital and small letters = 72x72x72x72x72x72x72x72 = 722,204,136,308,736 (23 years)
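The table above can be recomputed from the slide's own assumptions (character-class sizes of 10, 26, 26 and 10, and 1,000,000 guesses per second). The following is an added example, not code from the slides; note that the recomputation gives 1,934,917,632 for five characters of the 72-character set (72^5), while four such characters give 26,873,856, about 27 seconds.

```python
# Added example (not from the slides): brute-force search space and worst-case
# exhaustion time, using the slide's figure of 1,000,000 guesses per second.

# Character-class sizes used by the slide.
CHAR_CLASSES = {
    "digits": 10,    # 0-9
    "upper": 26,     # A-Z
    "lower": 26,     # a-z
    "special": 10,   # the slide counts 10 special characters
}

GUESSES_PER_SECOND = 1_000_000  # slide's figure for a personal computer


def keyspace(length, *classes):
    """Number of candidate passwords of `length` characters drawn from `classes`."""
    alphabet = sum(CHAR_CLASSES[c] for c in classes)
    return alphabet ** length


def seconds_to_exhaust(length, *classes, rate=GUESSES_PER_SECOND):
    """Worst case for the attacker: every candidate has to be tried."""
    return keyspace(length, *classes) / rate


def human_time(seconds):
    """Render a duration in the largest unit that fits (years, days, ...)."""
    units = [("years", 365 * 24 * 3600), ("days", 24 * 3600),
             ("hours", 3600), ("minutes", 60)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:.2f} {name}"
    return f"{seconds:.3f} seconds"


def strength_table():
    """Recompute the slide's rows; returns (description, keyspace, seconds)."""
    rows = [
        ("4 digits", 4, ("digits",)),
        ("4 capital letters", 4, ("upper",)),
        ("4 capital and small letters", 4, ("upper", "lower")),
        ("4 digits, capital and small letters", 4, ("digits", "upper", "lower")),
        # The slide's 1,934,917,632 / 32 minutes row corresponds to 72^5.
        ("5 digits, special, capital and small letters", 5,
         ("digits", "special", "upper", "lower")),
        ("8 digits, special, capital and small letters", 8,
         ("digits", "special", "upper", "lower")),
    ]
    return [(d, keyspace(n, *c), seconds_to_exhaust(n, *c)) for d, n, c in rows]


if __name__ == "__main__":
    for desc, space, secs in strength_table():
        print(f"{desc:48s} {space:>20,d}  {human_time(secs)}")
```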

  • Password Guessing (continued)

    Password exploitation attacks: 2. Dictionary attack: takes each word from a dictionary and encodes it (hashing) in the same way the [...]

  • Password Guessing (continued)

    Password exploitation attacks:

    3. Software exploitation: takes advantage of any weakness in software to bypass security requiring a [...]

    Buffer overflow: occurs when a computer program attempts to stuff more data into a temporary storage area than it can hold

    SQL injection

    Defenses: code review, code testing, and IDS


  • Weak Keys

    Encryption: changing the original text to a secret message using cryptography

    Success of cryptography depends on the process used to encrypt and decrypt messages

    Process is based on algorithms

  • Weak Keys (continued)

    Algorithm is given a key that it uses to encrypt the message

    Any mathematical key that creates a detectable pattern or structure (weak keys) provides an attacker with valuable information to break the encryption

  • Mathematical Attacks

    Cryptanalysis: process of attempting to break an encrypted message

    Mathematical attack: analyzes characters in an encrypted text to discover the keys and decrypt the data

  • Examining Identity Attacks

    Category of attacks in which the attacker attempts to assume the identity of a valid user

    Man-in-the-middle attacks

    Replay attacks

    TCP/IP hijacking

  • Man-in-the-Middle Attacks

    Make it seem that two computers are communicating with each other, when actually they are sending and receiving data with a computer between them

  • Man-in-the-Middle Attacks

    Can be active or passive:

    Passive attack: attacker captures sensitive data being transmitted and sends it to the original recipient without [...]

    Active attack: contents of the message are intercepted and altered before being sent on

  • Man-in-the-Middle Attacks

    Defenses:

    Educate users

    Deploy PKI

    Secure the DNS

    Secure the wiring/wireless access (e.g. use network devices that are prohibited from forwarding redirected messages)

    Mutual authentication between the end points


  • TCP/IP Hijacking

    In TCP/IP hijacking, an attacker sets up a device on the network that tricks other devices on the network into sending their packets to it instead of where they are intended to go

    TCP/IP hijacking uses a technique called spoofing

    Spoofing is basically the act of pretending to be something you are not (e.g. the legitimate owner)

    One particular type of spoofing is Address Resolution Protocol (ARP) spoofing

  • TCP/IP Hijacking (continued)

    To understand ARP spoofing: each computer using TCP/IP must have a unique IP address

    Certain types of local area networks (LANs), such as Ethernet, must also have another address, called the media access control (MAC) address, to move information around the network

    Computers on a network keep a table that links an IP address with the corresponding MAC address

    In ARP spoofing, a hacker changes the table so packets are redirected to his computer

  • TCP/IP Hijacking (continued)
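Because ARP spoofing works by changing the IP-to-MAC table the slides describe, a defender can detect it by watching that table for changes. The following added example (not code from the slides) is an arpwatch-style monitor that learns IP-to-MAC bindings from ARP replies seen on a segment and raises an alert when a binding changes or one MAC starts claiming several IPs; the replies, addresses and timestamps are constructed sample data.

```python
# Added example (not from the slides): detect the ARP-table changes that ARP
# spoofing causes. The ARP replies below are a constructed sample.
from collections import defaultdict

# (timestamp, sender IP, sender MAC) taken from ARP replies on the segment.
# Constructed: 10.0.0.1 is the gateway, 10.0.0.20 a workstation, 10.0.0.99 a
# host whose MAC later starts answering for the other two addresses.
SAMPLE_REPLIES = [
    ("09:00:01", "10.0.0.1",  "aa:aa:aa:aa:aa:01"),
    ("09:00:02", "10.0.0.20", "aa:aa:aa:aa:aa:20"),
    ("09:00:03", "10.0.0.99", "cc:cc:cc:cc:cc:99"),
    ("09:05:10", "10.0.0.1",  "cc:cc:cc:cc:cc:99"),  # gateway IP claimed by .99's MAC
    ("09:05:11", "10.0.0.20", "cc:cc:cc:cc:cc:99"),  # workstation IP claimed as well
    ("09:05:12", "10.0.0.1",  "aa:aa:aa:aa:aa:01"),  # real gateway answers again (flapping)
]


class ArpWatcher:
    """Learns IP -> MAC bindings and reports changes consistent with spoofing."""

    def __init__(self):
        self.table = {}                       # ip -> MAC currently believed
        self.ips_for_mac = defaultdict(set)   # MAC -> set of IPs it has claimed

    def observe(self, ts, ip, mac):
        """Process one ARP reply; returns a list of alert strings (possibly empty)."""
        alerts = []
        mac = mac.lower()
        previous = self.table.get(ip)
        if previous is not None and previous != mac:
            # A known IP now maps to a different MAC: the table was changed.
            alerts.append(f"{ts} CHANGED {ip}: {previous} -> {mac}")
            self.ips_for_mac[previous].discard(ip)
        self.table[ip] = mac
        self.ips_for_mac[mac].add(ip)
        if len(self.ips_for_mac[mac]) > 1:
            # One interface answering for several IPs is the classic spoofing sign.
            claimed = sorted(self.ips_for_mac[mac])
            alerts.append(f"{ts} ONE-MAC-MANY-IPS {mac}: {claimed}")
        return alerts


def scan(replies):
    """Run every reply through one watcher and collect all alerts."""
    watcher = ArpWatcher()
    alerts = []
    for ts, ip, mac in replies:
        alerts.extend(watcher.observe(ts, ip, mac))
    return alerts


if __name__ == "__main__":
    for line in scan(SAMPLE_REPLIES):
        print(line)
```

In practice the watcher would be fed from a packet capture on the segment and the learned table checked against the known MAC of the gateway.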

  • Identifying Denial of Service Attacks

    Denial of service (DoS) attack attempts to make a server or other network device unavailable by flooding it with requests

    After a short time, the server runs out of resources and can no longer function

    DoS attacks:

    SYN attack

    Ping attack

    Distributed DoS (DDoS)

  • Identifying Denial of Service Attacks (continued)

    SYN attack:

    Normal operation

    SYN flood

  • Identifying Denial of Service Attacks (continued)

    Ping attack:

    Another DoS attack tricks computers into responding to a false request

    An attacker can send a request to all computers on the network making it appear a server is asking for a response

    Each computer then responds to the server, overwhelming it, and causing the server to crash or be unavailable to legitimate users

  • Identifying Denial of Service Attacks (continued)

    Distributed denial-of-service (DDoS) attack:

    Instead of using one computer, a DDoS may use hundreds or thousands of computers

    DDoS works in stages

  • Understanding Malicious Code (Malware)

    Consists of computer programs designed to break into computers

    Most common types:

    Viruses

    Worms

    Logic bombs

    Trojan horses

    Back doors

  • Viruses

    Programs that secretly attach to another document or program and execute when that document or program is opened

    Might contain instructions that cause problems, [...] to erasing files from a hard drive or causing a computer to crash repeatedly

  • Viruses (continued)

    Types of viruses:

    Boot-sector: this type of virus is placed into the first sector of the hard drive so when the computer boots, [...]

    Polymorphic: this type of virus can change form each time it is executed

    Macro: this type of virus is inserted into a Microsoft Office document and emailed to unsuspecting users

  • Viruses (continued)

    Types of viruses:

    Stealth virus: attempts to avoid detection by redirecting commands around itself and reporting a different file size

    Retrovirus: an anti-antivirus; attacks your antivirus software and potentially destroys the virus definition file of your antivirus software

    Multipartite virus: attacks your system in multiple ways

  • Viruses (continued)

    Antivirus software defends against viruses

    Drawback of antivirus software is that it must be updated to recognize new viruses

    Updates (definition files or signature files) can be downloaded automatically from the Internet to a user's computer

  • Worms

    Although similar in nature, worms are different from viruses in two regards:

    A virus attaches itself to a computer document, such as [...], and travels with the document

    A virus needs the user to perform some type of action, such as starting a program or reading an e-mail message, to start the infection

  • Worms (continued)

    Worms are usually distributed via e-mail attachments as separate executable programs

    In many instances, reading the e-mail message starts the worm

    If the worm does not start automatically, attackers can trick the user into starting the program and launching the worm

  • Logic Bombs

    Computer program that lies dormant until triggered by a specific event, for example:

    A certain date being reached on the system calendar

    A person's rank in an organization dropping below a specified level

  • Trojan Horses

    Programs that hide their true intent and then reveal themselves when activated

    Common strategies:

    Combining two or more executable programs into a single filename

  • Trojan Horses (continued)

    Defend against Trojan horses with the following products:

    Antivirus tools, which are one of the best defenses

    Special software that alerts you to the existence of a Trojan horse program

    Anti-Trojan horse software that disinfects a computer containing a Trojan horse

  • Back Doors

    Secret entrances into a computer of which the user is unaware

    Hidden account, unmonitored, unlogged

    Created by software manufacturer or crackers

    Many viruses and worms install a back door allowing a remote user to access a computer without the legitimate user's knowledge or permission

  • Summary

    Six categories of attackers: hackers, crackers, script kiddies, spies, employees, and cyberterrorists

    Password guessing is a basic attack that attempts to learn a user's password by a variety of means

    Cryptography uses an algorithm and keys to encrypt and decrypt messages

  • Summary (continued)

    Identity attacks attempt to assume the identity of a valid user

    Denial of service (DoS) attacks flood a server or device with requests, making it unable to respond to valid requests

    Malicious code (malware) consists of computer programs intentionally created to break into computers or to create havoc on computers

  • Security Basics


  • Identifying Who Is Responsible for Information Security

    When an organization secures its information, it completes a few basic tasks:

    It must analyze its assets and the threats these assets face from threat agents

    It identifies its vulnerabilities and how they might be exploited

    It regularly assesses and reviews the security policy to ensure it is adequately protecting its information

  • Identifying Who Is Responsible for Information Security (cont.)

    Although the tasks involved in securing information are clear, in many organizations the responsibility for performing them is not

    Because the threat of security attacks is huge and an attack can cost a lot of money in lost productivity, organizations should identify personnel who perform security tasks, and make these tasks a primary responsibility

  • Identifying Who Is Responsible for Information Security (cont.)

    Bottom-up approach: major tasks of securing information are accomplished from the lower levels (grassroots workers) of the organization upwards

    This approach has one key advantage: the bottom-level employees have the technical expertise to understand how to secure information

    It has a weakness: without approval from top levels of management, security schemes created by grassroots workers have a small chance of success

  • Identifying Who Is Responsible for Information Security (cont.)

  • Identifying Who Is Responsible for Information Security (cont.)

    Top-down approach: starts at the highest levels of the organization and works its way down

    Advantage: the security plan initiated by top-level managers has the backing to make the plan work (funding and timing have a high level of support)

  • Identifying Who Is Responsible for Information Security (cont.)

    Chief information security officer (CISO): helps develop the security plan and ensures it is carried out

    Human firewall: describes the security-enforcing role of each employee

  • Understanding Security Principles

    Ways information can be attacked:

    Crackers can launch distributed denial-of-service (DDoS) attacks through the Internet

    Spies can use social engineering

    Employees can guess other users' passwords

    Hackers can create back doors

  • Understanding Security Principles (cont.)

    Protecting against the wide range of attacks calls for a wide range of defense mechanisms:

    Layering

    Limiting

    Diversity

    Obscurity

    Simplicity

  • Layering

    Layered security approach has the advantage of creating a barrier of multiple defenses that can be coordinated to prevent a variety of attacks

    Information security likewise must be created in layers

    All the security layers must be properly coordinated to be effective


  • Limiting

    Limiting access to information reduces the threat against it

    Only those who must use data should have access to it

    Access must be limited for a subject (a person or a computer program running on a system) to interact with an object (a computer or a database stored on a server)

    The amount of access granted to someone should be limited to what that person needs to know or do

  • Limiting (cont.)

  • Diversity

    Diversity is closely related to layering

    You should protect data with diverse layers of security, so if attackers penetrate one layer, they cannot use the same techniques to break through all other layers

    Using diverse layers of defense means that breaching one security layer does not compromise the whole system

  • Diversity (cont.)

    You can set a firewall to filter a specific type of traffic, such as all inbound traffic, and a second firewall on the same system to filter another traffic type, such as outbound traffic

    Using firewalls produced by different vendors creates even greater diversity

    Using both physical and electronic security measures

  • Obscurity

    Obscuring what goes on inside a system or organization and avoiding clear patterns of behavior makes attacks from the outside difficult

    It is sometimes criticized as being weak (when used alone)

  • Simplicity

    Complex security systems can be difficult to understand, troubleshoot, and feel secure about

    The challenge is to make the system simple from the inside but complex from the outside

  • Using Effective Authentication Methods

    Information security rests on three key pillars (AAA):

    Authentication: prove your identity

    Identification vs. authentication:

    Identification is the process whereby a network element recognizes a valid user's identity

    Authentication is the process of verifying the claimed identity of a user

    Authorization/access control: what you are permitted to do

    Accounting/auditing: tracks what has been done

  • Using Effective Authentication Methods (cont.)

    Authentication:

    Process of proving identity, i.e. are you Sara?

    Can be classified into three main categories:

    What you know (password)

    What you have (key, card, token)

    What you are (fingerprint)

  • Authentication Methods

    Username and Password

    Biometric

    Certificate

    Kerberos

    CHAP

    Token

    Mutual Authentication

    Multifactor Authentication

  • Username and Password

    Most popular method and weakest

    ID management (single sign-on, SSO):

    User's single authenticated ID is shared across multiple networks or online businesses

    Attempts to address the problem of users having individual usernames and passwords for each account (thus, resorting to simple passwords that are easy to remember)

    Can be for users and for computers that share data

  • Username and Password (cont.)

    Issues:

    Retention (how long to keep the same password!)

    Guessing

    Spyware/keylogger

    How to improve?

    Long password/passphrase

    Combination of numbers, letters, symbols

    Different password for different accounts

    Change frequently

    Do not share it!

    Do not write it down next to the access point


  • Tokens (cont.)

    Proximity card: plastic card with an embedded, thin metal strip that emits a low-frequency, short-wave radio signal

  • Tokens (cont.)

    Drawback: can be stolen

    Solution: PIN & password

  • Biometrics

    Uses a person's unique characteristics to authenticate them

    Is an example of authentication based on what you are

    Human characteristics that can be used for identification include:

    Fingerprint

    Face

    Hand geometry

    Iris

    Retina

    Voice

  • Biometrics (cont.)

  • Biometrics (cont.)

    Drawbacks:

    Expensive

    Sometimes inaccurate (false positives, false negatives)

    Human characteristics can be stolen

  • Certificates

    The key system does not prove that the senders are actually who they claim to be

    Certificates let the receiver verify who sent the message

    Certificates link or bind a specific person to a key

    Digital certificates are issued by a certification authority (CA), an independent third-party organization

  • Certificates (cont.)

  • Kerberos

    Authentication system developed by the Massachusetts Institute of Technology (MIT)

    Used to verify the identity of networked users, like using a driver's license to cash a check

    Typically used when someone on a network attempts to use a network service and the service wants assurance that the user is who he says he is

  • Kerberos (cont.)

    A state agency, such as the DMV, issues a driver's license that has these characteristics:

    It is difficult to copy

    It contains specific information (name, address, height, etc.)

    It lists restrictions (must wear corrective lenses, etc.)

    It expires on a specified date

    The user is provided a ticket that is issued by the Kerberos authentication server (AS), much as a driver's license is issued by the DMV

    Achieves single sign-on (SSO), or the ability to log on once and access all necessary resources without having to log on again

  • Kerberos (cont.)

    Weaknesses:

    Single point of failure (availability)

    Vulnerable to password guessing

  • Challenge Handshake Authentication Protocol (CHAP)

    Considered a more secure procedure for connecting to a system than using a password

    User enters a password and connects to a server; server sends a challenge message to user's computer

    User's computer receives message and uses a specific algorithm to create a response sent back to the server

    Server checks response by comparing it to its own calculation of the expected value; if values match, authentication is acknowledged; otherwise, connection is terminated
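The challenge, response and check described above, carried out by both sides, as an added example that is not code from the slides. The "specific algorithm" used here is the one RFC 1994 specifies for CHAP, MD5 over the identifier, the shared secret and the challenge; the user name and secret are constructed sample values.

```python
# Added example (not from the slides): one CHAP round trip with both sides'
# messages. Response = MD5(Identifier || Secret || Challenge), per RFC 1994.
import hashlib
import hmac
import os

SECRET = b"correct horse battery staple"   # shared secret; constructed sample value


def chap_response(identifier, secret, challenge):
    """The CHAP response value for one challenge (RFC 1994 construction)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class Authenticator:
    """Server side: issues a fresh random challenge and checks the response.

    Note that the server must hold the secret itself (not a hash of it) to
    recompute the expected value; that is an inherent property of CHAP.
    """

    def __init__(self, users):
        self.users = users          # name -> shared secret
        self.outstanding = {}       # identifier -> challenge awaiting a response

    def challenge(self, identifier):
        chal = os.urandom(16)       # fresh per attempt: a captured response is useless later
        self.outstanding[identifier] = chal
        return identifier, chal

    def verify(self, identifier, name, response):
        chal = self.outstanding.pop(identifier, None)   # each challenge answered once
        secret = self.users.get(name)
        if chal is None or secret is None:
            return False            # no live challenge (replay) or unknown user
        expected = chap_response(identifier, secret, chal)
        return hmac.compare_digest(expected, response)   # constant-time comparison


class Peer:
    """Client side: knows the secret and answers challenges."""

    def __init__(self, name, secret):
        self.name, self.secret = name, secret

    def respond(self, identifier, challenge):
        return self.name, chap_response(identifier, self.secret, challenge)


def run_exchange(server, peer, identifier=1):
    """One CHAP exchange; returns True if the server accepts the peer."""
    ident, chal = server.challenge(identifier)      # 1. Challenge  (server -> peer)
    name, resp = peer.respond(ident, chal)          # 2. Response   (peer -> server)
    return server.verify(ident, name, resp)         # 3. Success or Failure


def demo():
    """Correct secret is accepted; a wrong one is rejected."""
    server = Authenticator({"sara": SECRET})
    return (run_exchange(server, Peer("sara", SECRET)),
            run_exchange(server, Peer("sara", b"wrong password")))


if __name__ == "__main__":
    print(demo())   # (True, False)
```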

  • Challenge Handshake Authentication Protocol (CHAP) (cont.)

  • Mutual Authentication

    Two-way authentication (mutual authentication) can be used to combat identity attacks, such as man-in-the-middle and replay attacks

    The server authenticates the user through a password, tokens, or other means; and the server is likewise authenticated

  • Mutual Authentication (cont.)

  • Multifactor Authentication

    Multifactor authentication: implementing two or more types of authentication

    Being strongly proposed to verify authentication of cell phone users who use their phones to purchase goods and services

  • Controlling Access to Computer Systems

    After using authentication to verify that a user is who he claims to be, restricting the user to access only resources he needs to do his job (access control) is needed

    Restrictions to user access are stored in an access control list (ACL)

    An ACL is a table in the operating system that contains the access rights each subject (a user or device) has to a particular system object (a folder or file)

  • Controlling Access to Computer Systems (cont.)

    In Microsoft Windows, an ACL has one or more access control entries (ACEs) consisting of the name of a subject or group of subjects

    Inherited rights: user rights based on membership in a group

                     File-A                  File-B                  File-C
    User1            Read, write             Read, write             Read
    User2            Read
    Administrator    Read, write, execute    Read, write, execute    Read, write, execute

  • Access Control Models

    Mandatory Access Control (MAC)

    Role Based Access Control (RBAC)

    Discretionary Access Control (DAC)

  • Mandatory Access Control (MAC)

    A more restrictive model

    The subject is not allowed to give access to another subject to use an object

    If applied right, network can be truly locked down

    For highly sensitive data

    It requires a lot of administrative overhead to manage and maintain

  • Role Based Access Control (RBAC)

    Instead of setting permissions for each user or group, you can assign permissions to a position or role and then assign users and other objects to that role

    Users and objects inherit all of the permissions for the role

  • Discretionary Access Control (DAC)

    Least restrictive model

    One subject can adjust the permissions for other subjects over objects

    Type of access most users associate with their personal computers
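The ACL/ACE structure, inherited rights through group or role membership, and the MAC/DAC difference in who may hand out access can be put together in one small model. The following is an added example, not code from the slides: it loads the File-A/File-B/File-C table from the ACL slide (User2's single Read entry is assumed to sit on File-A), adds a constructed "Auditors" role and a constructed user "Sara" who holds rights only through that role, and implements a simplified DAC grant rule (a subject may pass on a right it holds) beside the MAC rule that forbids subject-initiated grants.

```python
# Added example (not from the slides): an ACL built from ACEs, with rights
# inherited from groups/roles, and a DAC vs. MAC rule for granting access.
from collections import namedtuple

# One access control entry: the subject may be a user, a group or a role.
Ace = namedtuple("Ace", "subject obj rights")


class AccessControlList:
    def __init__(self):
        self.entries = []

    def add(self, subject, obj, *rights):
        self.entries.append(Ace(subject, obj, frozenset(rights)))

    def effective_rights(self, user, obj, memberships):
        """Union of the user's own ACEs and those of every group/role the user belongs to."""
        subjects = {user} | set(memberships.get(user, ()))
        rights = set()
        for ace in self.entries:
            if ace.obj == obj and ace.subject in subjects:
                rights |= ace.rights
        return frozenset(rights)

    def is_allowed(self, user, obj, right, memberships):
        return right in self.effective_rights(user, obj, memberships)

    def grant(self, grantor, subject, obj, right, memberships, model="DAC"):
        """Simplified DAC: a subject may pass on a right it holds.
        MAC: subjects never hand out access; only the administrator's policy does."""
        if model == "MAC":
            raise PermissionError("MAC: a subject cannot give another subject access")
        if not self.is_allowed(grantor, obj, right, memberships):
            raise PermissionError(f"{grantor} does not hold {right} on {obj}")
        self.add(subject, obj, right)


def build_slide_acl():
    """ACEs from the slide's table plus a constructed RBAC role."""
    acl = AccessControlList()
    acl.add("User1", "File-A", "read", "write")
    acl.add("User1", "File-B", "read", "write")
    acl.add("User1", "File-C", "read")
    acl.add("User2", "File-A", "read")           # column assumed; see lead-in
    for f in ("File-A", "File-B", "File-C"):
        acl.add("Administrator", f, "read", "write", "execute")
        acl.add("Auditors", f, "read")           # constructed role: rights live on the role
    return acl


# Constructed membership: Sara gets rights only by inheriting them from the role.
MEMBERSHIPS = {"Sara": ["Auditors"]}


if __name__ == "__main__":
    acl = build_slide_acl()
    for user in ("User1", "User2", "Administrator", "Sara"):
        row = [sorted(acl.effective_rights(user, f, MEMBERSHIPS)) for f in ("File-A", "File-B", "File-C")]
        print(f"{user:14s} {row}")
```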

  • Auditing Information Security Schemes

    Two ways to audit a security system:

    Logging records which user performed a specific activity and when

    System scanning to check permissions assigned to a user or role; these results are compared to what is expected to detect any differences

  • Summary

    Creating and maintaining a secure environment cannot be delegated to one or two employees in an organization

    Major tasks of securing information can be accomplished using a bottom-up approach, where security effort originates with low-level employees and moves up the organization chart to the CEO

    In a top-down approach, the effort starts at the highest levels of the organization and works its way down

  • Summary (cont.)

    Basic principles for creating a secure environment: layering, limiting, diversity, obscurity, and simplicity

    Basic pillars of security:

    Authentication: verifying that a person requesting access to a system is who he claims to be

    Access control: regulating what a subject can do with an object

    Auditing: review of the security settings