360 likes | 526 Views
Chapter 12. Network Security Basics: Malware and Attacks. Objectives. Work with connection control and transmission control concepts Develop the planning and control techniques associated with network security Work with various types of threats to networks. Network Security.
E N D
Chapter 12 Network Security Basics: Malware and Attacks
Objectives • Work with connection control and transmission control concepts • Develop the planning and control techniques associated with network security • Work with various types of threats to networks
Network Security • Guards against threats to electronic communication • Network security has a dual mission • It must ensure the accuracy of the data transmitted • It must also protect confidential information processed, stored on and accessible from networks, while ensuring network availability to authorized users • Role is to ensure that the network components • Operate correctly • Satisfy design requirements • Transmit information while retaining fundamental integrity
Engineering the Network: Ensuring a Proper Design • Physical infrastructure – designed to ensure all required security functions are present • Firewalls, intrusion detection systems (IDSs), and strong authentication • Unique physical components of networks are switches, hubs, routers, and cables
Engineering the Network: Ensuring a Proper Design • Relation of physical and software components
Connection Control • Establishes and regulates the relationship between a computer and a network • Ensures reliable transfer of messages and performs some transmission error correction • Configuration process – responsibility of the network administrator • Establishes the authentication rules • Rules consider whom the network will trust • Specifications of rules for the authentication of a trusted source balance the need for confidentiality and integrity with availability
Enforcing Connection Control: The Firewall • Firewalls enforce access rights and protect the network from external systems • Regulate access between trusted networks and untrusted ones • Organizations may array multiple firewalls in a defense-in-depth configuration • Firewalls are high-level software utilities that sit on the router end of the physical network • Network security policies embedded in the firewall software dictate access
Enforcing Connection Control: The Firewall • Types of firewalls • Personal firewall – regulates connections between a single computer and external sources • Stateless firewalls – accept or discard incoming packets • Based on whether the IP address seems to correspond with services known to the network • Stateful firewall – tracks of the status of network traffic traveling across it in a “state table”
Transmission Control • Regulates the actual transmission process • Ensures that the communication between two devices is flowing properly • Supports the integrity and availability of network data • Facilitated through firmware drivers in communications devices and software in the operating system • Transmission rules have to be agreeable and include: • Mode in which the data will be transmitted • Format of the data • Rate of transmission • Type of error checking • Data compression method • Sending device confirmation of process completion • Mode of indicating receipt by the receiving device
Transmission Control • Transmission protocols are built into the communications devices • Common modern transmission control is based on the OSI reference model • It defines seven layers for communication among computer systems • It was defined by the International Organization for Standardization as ISO standard 7498-1 • TCP/IP protocol used by the Internet is frequently shown with five layers • Application layer, transport layer, network layer, datalink layer, and physical layer
Defending Networks from Attacks • Unique security problem with networks is their level of interconnectedness • Networks have to be secured by specialized and very robust technologies and practices • Two broad categories of networks threats: • Malicious code • Direct attacks
Threats to Information • Malicious code - three categories transmitted through networks: • Viruses • Logic bombs • Trojan horses
Threats to Information • Common types of malicious code
Viruses • Appropriate countermeasure to a common virus: • Virus checker that detects and removes viruses • Most virus checkers follow the below process: • Examines files in memory or storage for recognizable code fragments or key words • Compares scan results patterns with signatures of known viruses • Takes action when an identifiable pattern is detected • Sometimes performs an automatic repair
Viruses • Impact of viruses • Virus is destructive if it damages a system function • It can affect the operating system in undesirable ways such as: • Corrupting or deleting files • Reformatting the hard drive • Executing denial-of-service attacks • Often, the system becomes unusable, files are lost, and cannot be repaired automatically
Viruses • Categories of viruses • File-infecting viruses – affect executable programs, replicate and spread by infecting other host programs • Boot-sector viruses – infect the boot sector or partition table of a system • Multipartite viruses – infect both the boot sector and the executable programs and files simultaneously • Macro viruses – infect systems through an application • Polymorphic and stealth viruses – defeat most signature-based counter-measures • Worm – self-contained program capable of spreading copies of itself or its segments to other computer systems via network connections or e-mail attachments
Logic Bombs • Dormant blocks of undocumented code activated when some prescribed set of criteria is met such as time, date, or status of the system • It can be set prior to the termination and activated afterward for revenge • High destructive potential • Should be aggressively hunted down and eliminated • Requires extensive, expensive, code reviews by high-level professionals • Resurfacing as an important part of cyber-terrorism
Trojan Horses • Not viruses because they do not replicate; they may transmit viruses or spyware • May assist in propagating denial-of-service (DoS) attacks • Can deliver unwelcome payloads – common payloads include: • Spyware – propagates from websites • Spamware, password capture, keyloggers, and cookie trackers • Adware – not directly malicious • Does use up valuable time and system resources
Malicious Attacks • Best way to counteract a network attack is to anticipate it and have measures in place to either stop it or mitigate the harm • Network attacks fall into seven general categories: • Password attacks • Insider attacks • Sniffing • IP spoofing • Denial of service • Man-in-the-middle attacks • Application layer attacks
Malicious Attacks • Password attacks • Password guessing • Dictionary attack – tries common words from the dictionary with common password names • Other, more resource-intensive approaches include: • Key search • Exhaustive search • Brute force attack • Social engineering – based on persuasion, disclosed by the user • Password sniffing – software based network management tools • Countermeasure for sniffers: encryption
Malicious Attacks • Insider attacks • Misuse incidents originating from intentional or inadvertent actions of employees • First line of defense is good management supported by monitoring • Supervisors are key security control points for employee monitoring • Automated software agents called policy managers or policy enforcement systems also help
Role and Use of Policy Managers • Automated policy managers are effective tools • Defend against unauthorized access to confidential data and proprietary information • Provide the ability to filter network transactions through custom policies • Control the distribution of unsuitable or offensive content and inappropriate activities • Regulate the enterprise’s e-mail traffic by defining and enforcing rules governing: • Spam • Filter content • Implementation of encryption and digital signature policies
Use of Sniffers • Sniffers are common utilities, employed to read any information in packets transmitted over a network • Can be used to map the entire network topology • Captures information necessary to determine: • Number of computers on the network • What they access • Which clients run what services • Defense against sniffing is: • Encryption • Strong physical security • Internet-facing sniffers are a good countermeasure for network intrusion
IP Spoofing • IP spoofing is an address attack in which the malicious agent electronically impersonates another network party through its IP address • Prevention of IP spoofing can be done using • Programmed routers and firewall mechanisms • Encrypted systems such as SSH (secure shell) for authentication services
Denial of Service (DoS) • DoS attacks affect the availability transmission media • Degrades the availability of information • Designed to cost the target time and money • Can be launched in numerous ways – most common form: • DoS flood – overload the system’s servers, routers, or DNS to the extent that service to authorized users is delayed or prevented • Disables a particular network service
Man-in-the-Middle Attacks • Ability to read and modify all messages passed between two parties without their knowledge • Possible outcomes of such attacks include: • Theft of information and hijacking of an ongoing session • Traffic analysis to derive information about a network and its users • Denial of service and corruption of transmitted data • Introduction of new information into network sessions
Application Layer Attacks • They take advantage of weaknesses in popular applications and application services • Common attacks include: • Buffer overflows – which exploit poorly written code that improperly validates input to an application • Cross-site scripting flaw – which allows web applications to drop attack scripts on a user’s browser • Invalidated parameters – web requests that are not validated before being used by the application • Command injection attacks – web applications are allowed to pass parameters containing malicious commands to be executed on an external system • Favored approach against Internet-based attacks: • Defense-in-depth strategy
Cyber-Terrorism • Goal: to harm or control key computer systems or computer controls to achieve some indirect aim, such as to destroy a power grid or to take over a critical process • The FISMA security requirements are built around three major national objectives: • Prepare and prevent • Detect and respond • Build strong foundations
Managing and Defending a Network • Network security management involves all actions to ensure authorization and use • Development and documentation of the method to authorize access to network files and network directories • Specification of approach used to ensure reliability of data resources accessed or used over the network • Implementation of safeguards for protecting users from network-based security threats
Network Security Management and Planning • Based on a plan defining the approach to assuring the physical components of the network • Must detail steps taken to ensure that information stored, processed, and transmitted is secure • Must specify all technology and practices to be implemented and maintained for security • High-level steps required to implement an effective network management process are: • Create usage policy statements • Conduct risk analysis • Formulate a security team
Network Security Management and Planning • Create usage policy statements • Statement of a general policy about system use • Outline the thinking that defines the organization’s network management philosophy • Documentation of usage statements to avoid the risks of misunderstandings and conflicting approaches • Tailor the rules for each component by indicating security violations and actions to be taken if detected • Define the acceptable use policies (AUP) including rules for account administration, policy enforcement, and privilege review • Aggressive training and awareness program to ensure that the members understand and will follow each rule
Network Security Management and Planning • Conduct risk analysis • Risk assessment factors: • Low Risk • Medium Risk • High Risk • Potential types of users are: • Administrators responsible for managing network resources • Privileged internal users needing an elevated level of access • Internal users with general access • Trusted external users needing access some resources • Other untrusted external users or customers
Network Security Management and Planning • A network security or NETSEC management team: • Implements and maintains the network configuration • Responsible for evolving the network as conditions change • Establishes and maintains the network security configuration from these requirements
Network Defense in Depth: Maintaining a Capable Architecture • Defense in depth • Protection is established by controlling access through a number of boundaries
Network Defense in Depth: Maintaining a Capable Architecture • Defining trust • Trusted networks – within the defined security perimeter • Untrusted networks – outside the security perimeter and not controlled • Unknown networks - neither trusted nor untrusted • Establishing boundaries • Defines the area to be protected • Dictates the level of organizational resources required to perform the security function
Network Defense in Depth: Maintaining a Capable Architecture • Formulating assumption – security system designs are • Based on assumptions • Anticipate who might want to breach the current security measures and why • Deploy an effective response • Design and deployment of a network security scheme has to be done while justifying the likely costs and benefits