CIST 1601 Information Security Fundamentals. Chapter 4 Threats and Vulnerabilities. Collected and Compiled By JD Willard MCSE, MCSA, Network+, Microsoft IT Academy Administrator Computer Information Systems Technology Albany Technical College. Malware Overview (8:46).
Malware Overview (8:46)
Understanding Software Exploitation
A software exploitation attack attempts to exploit weaknesses in software. A common form is to communicate with an established (listening) port in order to abuse the service behind it and gain unauthorized access.
• Database exploitation – Many database products allow sophisticated queries to be made in the client/server environment. If a client session can be hijacked or spoofed, the attacker can formulate queries against the database that disclose unauthorized information. For this attack to succeed, the attacker must first gain access to the environment through one of the attacks outlined previously.
• Application exploitation – A macro virus is a set of programming instructions in a language such as VBA (Visual Basic for Applications) that commands an application to perform illicit actions. It takes advantage of the power offered by word processors, spreadsheets, and other applications. Because the capability is inherent in the product, every user is susceptible unless macros are disabled.
• E-mail exploitation – Modern e-mail clients offer many shortcuts, lists, and other capabilities to meet user demands. A popular exploitation of e-mail clients involves reading the client's address book and propagating viruses to every contact. Beyond keeping the client patched and running antivirus software that integrates with the e-mail client, there is little a client user can do about these exploitations.
Anti-Malware Best Practices (11:03)
Adware and Spyware (6:41)
Understanding Software Exploitation
Spyware
Spyware often uses third-party tracking cookies to collect and report on a user's activities to the spyware programmer without notifying the user. Spyware is associated with behaviors such as advertising, collecting personal information, or changing your computer configuration without appropriately obtaining prior consent. Not all spyware is adware, and not all adware is spyware:
• Spyware requires that your activities are monitored and tracked
• Adware requires that advertisements are displayed
Spyware is NOT self-replicating. Microsoft OSs are the most affected by spyware, and Microsoft released Microsoft AntiSpyware (later renamed Windows Defender) to combat the problem. Spyware-eliminator programs scan your machine much as antivirus software scans for viruses. Keep antispyware programs updated and run scans regularly.
Rootkits (5:43)
Understanding Software Exploitation
Rootkits
Rootkits are software programs installed on a computer mainly for the purpose of compromising the system and keeping escalated privileges such as administrative rights. They can hide things from the operating system, such as processes, files, or network connections that exist on the computer. The attacker first gains access to a single system and then uploads the rootkit to that system. Rootkits have also been known to use encryption to protect outbound communication and to piggyback on commonly used ports so that they communicate without interrupting the other applications that use that port. Installing a kernel-mode rootkit requires full administrator rights, so running Windows day to day from an account with lesser privileges reduces the risk of rootkit infection (it does not remove the risk entirely: user-mode rootkits can run with ordinary privileges). Rootkit analyzers detect rootkits running on a computer; because a rootkit subverts the operating system it hides in, a scan run from clean boot media is more trustworthy than one run on the infected system. Within any search engine you can find a rootkit analyzer for your system; the tools this course lists are Spybot, Spyware Doctor, and AdAware.
Adware
Adware is a software application that displays advertisements while the application is executing. Some adware is also spyware if it monitors your Internet usage and personal information, and some adware will even allow credit card information to be stolen.
Understanding Software Exploitation
Files with the following extensions should not be allowed as e-mail attachments:
• .bat – batch files are executable and should not be allowed
• .com – DOS/Windows executables and should not be allowed
• .exe – exe files are executable and should not be allowed
• .hlp – legacy Windows Help files can carry embedded macros and should not be allowed
• .pif – pif is a type of file that allows legacy executable programs to run and should not be allowed
• .scr / .scf – screensavers (.scr) are ordinary executables with a different extension, and Explorer shell command files (.scf) are interpreted by Windows Explorer; no legitimate user should be sending either via e-mail to your users
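As an added example (not code from the course or its author), here is a mail-gateway style attachment filter that applies the slide's blocklist. It also handles the two tricks that defeat a naive check: double extensions such as photo.jpg.scr, and trailing dots or spaces that Windows ignores when it opens a file. The blocklist is the slide's list plus .scr, and the sample attachment names are constructed for the demonstration.

```python
"""Added example (not from the course slides): an attachment filter that
applies the slide's extension blocklist. The blocklist is the slide's list
plus .scr; the sample attachment names are constructed for the demonstration."""

# Extensions that should never arrive as e-mail attachments (lower-case, no dot).
BLOCKED_EXTENSIONS = {"bat", "com", "exe", "hlp", "pif", "scf", "scr"}


def normalise_name(filename):
    """Lower-case the name and drop trailing dots and spaces.

    Windows ignores trailing dots/spaces when it resolves a file name, so
    "payload.exe ." would still be opened as payload.exe; the filter must
    see the same name the operating system will.
    """
    return filename.strip().rstrip(". ").lower()


def extensions_of(filename):
    """Return every extension in the name: 'report.pdf.exe' -> ['pdf', 'exe']."""
    parts = normalise_name(filename).split(".")
    return [p for p in parts[1:] if p]


def is_blocked(filename):
    """True if the final extension, which decides how Windows opens the file,
    is on the blocklist. Checking the last extension catches double-extension
    tricks such as 'photo.jpg.scr'."""
    exts = extensions_of(filename)
    return bool(exts) and exts[-1] in BLOCKED_EXTENSIONS


def filter_attachments(filenames):
    """Split one message's attachment names into (allowed, blocked) lists."""
    allowed, blocked = [], []
    for name in filenames:
        (blocked if is_blocked(name) else allowed).append(name)
    return allowed, blocked


# Constructed sample attachment names for a single inbound message.
SAMPLE_ATTACHMENTS = [
    "invoice.PDF",        # allowed: case does not matter
    "setup.exe",          # blocked
    "photo.jpg.scr",      # blocked: double extension, opens as a screensaver
    "run.BAT ",           # blocked: trailing space is ignored by Windows
    "README",             # allowed: no extension at all
    "archive.tar.gz",     # allowed
]

if __name__ == "__main__":
    ok, bad = filter_attachments(SAMPLE_ATTACHMENTS)
    print("allowed:", ok)
    print("blocked:", bad)
```

A blocklist is only as good as its coverage; a real gateway would pair this with content-type inspection, since a renamed executable still has an MZ header whatever its extension says.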
Understanding OVAL and Surviving Malicious Code
Open Vulnerability and Assessment Language (OVAL) is a standard written in XML that provides open and publicly available security content. Its purpose is to standardize the exchange of vulnerability information between different security tools. OVAL is intended as an international language for representing vulnerability information using an XML schema for expression, allowing tools to be developed that test for the vulnerabilities identified in the OVAL repository. Within US Government agencies, vulnerabilities may be discussed using OVAL, which is sponsored by the Department of Homeland Security's National Cyber Security Division (NCSD).
Malicious code refers to a broad category of software threats to your network and systems, including viruses, Trojan horses, logic bombs, and worms. When successful, these attacks can be devastating to systems, and they can spread through an entire network.
Viruses and Worms (9:30)
Viruses
A virus is a program or piece of code that runs on your computer without your knowledge. It is designed to attach itself to other code and replicate; it replicates when an infected file is executed or launched. A virus may also damage the data on your hard disk, destroy your operating system, and possibly spread to other systems. Some viruses deliberately do not damage the system they are on, so that they can use it as a carrier to spread to all the other systems in a network. A boot sector virus is placed into the first sector of the hard drive so that the virus loads into memory when the computer boots.
Viruses get into your computer in one of three ways:
• On contaminated media (floppy, USB drive, or CD-ROM)
• Through e-mail and peer-to-peer sites
• As part of another program
Viruses can be classified as polymorphic, stealth, retroviruses, multipartite, armored, companion, phage, and macro viruses. Each type of virus has a different attack strategy and different consequences.
Symptoms of a Virus Infection
Look for some of the following symptoms when determining whether a virus infection has occurred:
• The programs on your system start to load more slowly. This happens because the virus is spreading to other files in your system or is taking over system resources.
• Unusual files appear on your hard drive, or files start to disappear from your system. Many viruses delete key files in your system to render it inoperable.
• Program sizes change from the installed versions. This occurs because the virus is attaching itself to these programs on your disk.
• Your browser, word processing application, or other software begins to exhibit unusual operating characteristics. Screens or menus may change.
• The system mysteriously shuts itself down or starts itself up and does a great deal of unanticipated disk activity.
• You mysteriously lose access to a disk drive or other system resources. The virus has changed the settings on a device to make it unusable.
• Your system suddenly doesn't reboot or gives unexpected error messages during startup.
How Viruses Work
A virus, in most cases, tries to accomplish one of two things:
• Render your system inoperable
• Spread to other systems
Many viruses will spread to other systems given the chance and then render your system unusable. If your system is infected, the virus may try to attach itself to every file in your system and spread each time you send a file or document to other users. When you give removable media to another user or put it into another system, you then infect that system with the virus.
(Slide figure: a virus spreading from an infected system either through a network or by removable media)
How Viruses Work
Many newer viruses spread using e-mail. The infected system attaches an infected file to an e-mail sent to another user. The recipient opens the file and the virus infects the target system. The virus might then attach itself to all the e-mails the newly infected system sends, in turn infecting the recipients of those e-mails.
(Slide figure: an e-mail virus spreading geometrically to other users)
Types of Viruses
Armored Virus
An armored virus is designed to make itself difficult to detect or analyze. Armored viruses cover themselves with "protective code" that stops debuggers or disassemblers from examining critical elements of the virus. The virus may be written so that some aspects of the programming act as a decoy to distract analysis while the actual code hides in other areas of the program. An armored virus hides its signature behind code that confuses the antivirus software or blocks it from detecting the virus. The key to stopping most viruses is to identify them quickly and educate administrators about them; the armor exists to make exactly those two things harder.
Types of Viruses
Companion Virus
A companion virus does not alter the legitimate program; instead it creates a new program with the same name but a different file extension (for example, program.com alongside program.exe). This file may reside in the temporary directory of your system. When the user types the name of the legitimate program, the command interpreter's search order runs the companion virus instead of the real program. This effectively hides the virus from the user. Many of the viruses that are used to attack Windows systems instead make changes to program pointers in the Registry so that they point to the infected program. The infected program may perform its dirty deed and then start the real program.
Types of Viruses
Macro Virus
Macro viruses are programs written in WordBasic, Visual Basic for Applications, or VBScript. Macro viruses are largely platform independent (they run wherever the host application runs) and pose a major threat because their underlying language is simple, so they are easy to develop. A macro virus can infect any document that supports the macro language it is written in. A macro virus exploits the enhancements made to many application programs. Programs such as Word or Excel allow programmers to expand the capability of the application; Word, for example, supports a mini-BASIC programming language that allows files to be manipulated automatically. These programs stored inside the document are called macros. A macro can tell your word processor to spell-check your document automatically when it opens. Macro viruses are typically used with Microsoft Office products, and macro viruses written in Visual Basic for Applications almost exclusively affect systems running Microsoft Office. Macro viruses can infect all of the documents on your system and spread to other systems through mail or other methods. At the time this material was written, macro viruses were among the fastest-growing exploitations.
Types of Viruses
Multipartite Virus
A multipartite virus is a hybrid of boot-sector and program viruses, attacking your system in multiple ways. It can infect both executable files and the boot sectors of hard disk drives: the virus resides in memory and from there infects boot sectors and executable files. The hope is that you will not be able to correct all of the problems and will allow the infestation to continue.
(Slide figure: a multipartite virus commencing an attack on a system)
Types of Viruses
Phage Virus
A phage virus modifies and alters other programs and databases, infecting all of these files. The only way to remove this virus is to reinstall the programs that are infected. If you miss even a single instance of this virus on the victim system, the process will start again and reinfect the system.
Types of Viruses
Polymorphic Virus
Polymorphic viruses change form in order to avoid detection. These viruses attack your system, may display a message on your computer, and may delete files on your system, all while attempting to hide from your antivirus software. A polymorphic virus produces different operational copies of itself so that if antivirus software detects one form, only a few copies are caught. This change of form is referred to as mutation. A polymorphic virus is also capable of encrypting its body and using a different decryption routine in each copy, so that no fixed signature is available to detect.
(Slide figure: the polymorphic virus changing its characteristics)
Types of Viruses
Retrovirus
A retrovirus attacks or bypasses antivirus software. Retroviruses even attack the antivirus program itself to destroy the virus definitions or to create bypasses for themselves. Destroying this information without your knowledge leaves you with a false sense of security. Retroviruses are often referred to as anti-antiviruses. They can render your antivirus software unusable and leave you exposed to other, less formidable viruses.
Types of Viruses
Stealth Virus
A stealth virus attempts to avoid detection by masking itself from applications. It may attach itself to the boot sector of the hard drive. When a system utility or program runs, the stealth virus redirects commands around itself in order to avoid detection. A stealth virus hides the changes it makes to system files and boot records, making it difficult for antivirus software to detect its presence: it keeps a copy of a file before infecting it and presents the original copy to the monitoring software while the actual file on disk is modified. An infected file may therefore report a file size different from what is actually present in order to avoid detection.
(Slide figure: a stealth virus hiding in a disk boot sector)
Types of Viruses
Self-garbling Virus
A self-garbling virus hides itself from antivirus software by manipulating its own code. When a self-garbling virus spreads, it jumbles and garbles most of its own code to prevent the antivirus software from detecting its presence. A small, clear-text part of the virus later decodes the jumbled part to recover the rest of the virus code and infect the system. Because the garbled body looks different in each copy, a signature of the body alone does not detect it.
Hoaxes (4:24) Identifying Hoaxes Hoax messages may warn of emerging threats that do not exist. They might instruct users to delete certain files to ensure their security against a new virus, while actually only rendering the system more susceptible to later viral agents. Although hoaxes present issues such as loss of functionality or security vulnerabilities, they also use system resources and consume users’ time. This results in lost productivity and an undue burden on the organization’s resources, especially if many employees respond. Spam (5:43)
Trojans and Backdoors (8:52)
Trojan Horses
Trojans are programs disguised as useful application software but with code hidden inside that attacks your system directly or allows the system to be infiltrated by the originator of the code after it has been executed. Trojan horses may also arrive as part of an e-mail offering a free game, software, or other file. When the Trojan horse activates and performs its task, it may, for example, infect all of the word processing or template files. Trojans do not replicate themselves like viruses, but they can be just as destructive. Their ability to spread depends on the popularity of the software and a user's willingness to download and install it. Trojans can perform actions without the user's knowledge or consent, such as collecting and sending data or causing the computer to malfunction. The best preventive measure is not to allow them entry into your system. Immediately before and after you install a new software program or operating system, back it up! If you suspect a Trojan horse, you can reinstall the original programs, which should delete the Trojan horse. A port scan may also reveal a Trojan horse on your system: if an application opens a TCP or UDP port that isn't regularly used in your network, you can notice this and begin corrective action.
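The port check at the end of the slide only works if you know what "regularly used" means for a given host, so here is an added example (not from the course or its author) that turns it into a repeatable comparison: parse a listing of open sockets and report every listener that is not in an approved baseline. The listing is constructed in the layout of `netstat -an` on Windows, and the baseline is an assumed one for a hypothetical file server; 31337/UDP and 12345/TCP are the historical default ports of Back Orifice and NetBus, which the slides mention next.

```python
"""Added example (not from the course slides): compare a host's listening
ports with an approved baseline, the check the slide describes for spotting
a Trojan horse. The listing below is constructed in the layout of
'netstat -an' on Windows; the baseline is an assumption for one file server."""
import re

# What this (hypothetical) file server is expected to listen on: (protocol, port).
BASELINE = {("TCP", 135), ("TCP", 139), ("TCP", 445), ("TCP", 3389),
            ("UDP", 137), ("UDP", 138)}

# Constructed 'netstat -an' style output. 31337/UDP and 12345/TCP are the
# historical default ports of Back Orifice and NetBus respectively.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:12345          0.0.0.0:0              LISTENING
  TCP    192.0.2.10:445         192.0.2.55:50122       ESTABLISHED
  UDP    0.0.0.0:137            *:*
  UDP    0.0.0.0:138            *:*
  UDP    0.0.0.0:31337          *:*
"""

# proto, local address, local port, foreign address, optional state
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")


def listening_ports(netstat_text):
    """Return the set of (proto, port) the host is accepting traffic on.

    TCP counts only when the state is LISTENING (an ESTABLISHED line is a
    client connection, not a service). UDP sockets have no state, so every
    bound UDP port counts."""
    found = set()
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # headers, blank lines
        proto, _addr, port, _foreign, state = m.groups()
        if proto == "UDP" or state == "LISTENING":
            found.add((proto, int(port)))
    return found


def unexpected_listeners(netstat_text, baseline=BASELINE):
    """Ports open now that the baseline does not approve, sorted for reporting."""
    return sorted(listening_ports(netstat_text) - baseline)


if __name__ == "__main__":
    for proto, port in unexpected_listeners(SAMPLE_NETSTAT):
        print("unexpected listener: %s/%d" % (proto, port))
```

Run against real output (`netstat -an` on the host, or an external scan of it) the same comparison works; the value is in keeping the baseline per role so that a new listener stands out immediately.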
Logic Bombs (3:33)
Logic Bombs
A logic bomb is a virus or Trojan horse that is built to go off when a certain event occurs or a period of time goes by. A logic bomb may also notify an attacker when a certain set of circumstances has occurred. This message informs the attacker that the victim is ready for an attack and may in turn trigger an attack on your system. Notice that the bomb itself doesn't begin the attack; it tells the attacker that the victim has met the needed criteria or state for an attack to begin. In the attack, the logic bomb sends a message back to the attacking system that it has loaded successfully. The victim system can then be used to initiate an attack such as a DDoS attack, or it can grant access at the time of the attacker's choosing.
Worms
Worms are similar in function and behavior to a virus with the exception that worms spread on their own: a worm is built to take advantage of a security hole in an existing application or operating system, find other systems running the same software, and automatically replicate itself to the new host without any user action. A worm is designed to multiply and propagate. Worms may carry viruses that cause system destruction, but that isn't their primary mission. A mass-mailing worm often forges the sender address from an infected system's address book, so the message may not have come from the user it appears to come from; a system that merely had that user's name in its address book sent it. Worms can use TCP/IP, e-mail, Internet services, or any number of means to reach their target.
Antivirus Software
Antivirus software is an application installed on a system to protect it and to scan for viruses as well as worms and Trojan horses. The most common method used in an antivirus program is scanning. Scanning searches files in memory, the boot sector, and on the hard disk for identifiable virus code. Scanning identifies virus code by a unique string of bytes known as a signature. Signature files contain information about viruses, such as examples of virus code and the types of files that a virus infects. Antivirus software looks for these characteristics, or fingerprints, to identify and neutralize viruses before they impact you. Virus scanners are far more effective against known viruses than against new or unknown ones, or against viruses (polymorphic, self-garbling) that change their bytes from copy to copy. Signature files should be updated regularly to ensure that a virus scanner has the most recent virus definitions; antivirus software without the latest definitions is itself a vulnerability. To provide optimum protection on the network, ensure that all workstations and servers have antivirus software installed. Users need to scan every disk, e-mail, and document they receive before they open them. Your first step, should a system become infected with a new virus, is to verify that the antivirus software is up to date, including the virus definition files.
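To make the signature-scanning idea concrete, and to show why the polymorphic and self-garbling viruses described earlier defeat it, here is an added example (not code from the course or its author). The only signature in its database is the EICAR anti-virus test string, the industry's standard harmless test pattern, so nothing here is malicious; the "files" are byte strings constructed in memory, and the XOR stub is a deliberately simple model of an encrypted virus body, not any real virus's code.

```python
"""Added example (not from the course slides): a signature scanner of the kind
the slide describes, and why a polymorphic or self-garbling virus defeats it.
The only signature is the EICAR anti-virus test string, a harmless standard
test pattern; the "samples" are byte strings constructed in memory."""

# Signature database: name -> byte pattern. EICAR is the industry's standard
# harmless test string, so it is the one signature here.
SIGNATURES = {
    "EICAR-Test-File": rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*",
}


def scan(data):
    """Return the names of every signature found in the data (plain signature scanning)."""
    return sorted(name for name, sig in SIGNATURES.items() if sig in data)


def xor_bytes(data, key):
    """XOR every byte with a one-byte key; used below to model the encrypted body
    of a polymorphic / self-garbling virus. XOR is its own inverse."""
    return bytes(b ^ key for b in data)


def garble(body, key):
    """Model a self-garbling virus: a tiny clear-text stub carrying the key, then
    the XOR-encoded body. A different key on every infection changes the bytes
    on disk, so no fixed signature of the body survives."""
    return b"STUB" + bytes([key]) + xor_bytes(body, key)


def scan_with_emulation(data):
    """What a smarter scanner does: recognise the stub, run its decoder on the
    payload, then apply the signature check to the decoded bytes as well."""
    hits = scan(data)
    if data.startswith(b"STUB") and len(data) > 5:
        decoded = xor_bytes(data[5:], data[4])
        hits = sorted(set(hits) | set(scan(decoded)))
    return hits


# Constructed samples (not real files).
CLEAN_FILE = b"MZ... an ordinary program with no known pattern inside ..."
INFECTED_FILE = b"MZ... program ..." + SIGNATURES["EICAR-Test-File"]
GARBLED_COPY_1 = garble(SIGNATURES["EICAR-Test-File"], 0x5A)   # first "infection"
GARBLED_COPY_2 = garble(SIGNATURES["EICAR-Test-File"], 0xC3)   # same virus, new key

if __name__ == "__main__":
    print("clean file:     ", scan(CLEAN_FILE))
    print("infected file:  ", scan(INFECTED_FILE))
    print("garbled copy:   ", scan(GARBLED_COPY_1))
    print("with emulation: ", scan_with_emulation(GARBLED_COPY_1))
```

The two garbled copies differ byte for byte yet carry the same payload, which is exactly why the slide's advice to keep definitions current is necessary but not sufficient: scanners also rely on decoding or emulating the stub, or on behaviour, to catch code that rewrites itself.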
Calculating Attack Strategies
An attack occurs when an unauthorized individual or group of individuals attempts to access, modify, or damage your systems or environment. These attacks can be fairly simple and unfocused, or they can appear to be almost blitzkrieg-like in their intensity. Attacks occur in many ways and for different reasons. They are generally used to accomplish one or more of these three goals:
• In an access attack, someone who should not be able to wants to access your resources.
• In a modification and repudiation attack, someone wants to modify information in your systems.
• A denial-of-service (DoS) attack is an attempt to disrupt your network and services. When your system becomes so busy responding to illegitimate requests, it can prevent authorized users from having access.
Regardless of the motive, your job is to protect the people you work with from these acts of aggression.
Dumpster Diving (3:51)
Understanding Access Attack Types
An access attack is an attempt to gain access to information that the attacker isn't authorized to have. Dumpster diving is a common physical access method. Dumpsters may contain information that is highly sensitive in nature. Equipment is sometimes put in the garbage because city laws do not require special disposal. Because intruders know this, they can scavenge through discarded equipment and documents and extract sensitive information without ever contacting anyone in the company. A second common method used in access attacks is to capture information en route between two systems. There are several common types of access attacks:
• Eavesdropping is the process of listening in on or overhearing parts of a conversation, including listening in on your network traffic. This type of attack is generally passive.
• Snooping occurs when someone looks through your files hoping to find something interesting. The files may be either electronic or on paper. In the case of physical snooping, people might inspect your Dumpster, recycling bins, or even your file cabinets; they can look under the keyboard for Post-it notes or look for scraps of paper tacked to your bulletin board. Computer snooping, on the other hand, involves someone searching through your electronic files trying to find something interesting.
• Interception can be either an active or a passive process. Passive interception is someone routinely monitoring network traffic; from the victim's perspective this is a covert process. Active interception might include putting a computer system between the sender and receiver to capture information as it is sent, and it is likewise covert as far as the two parties can tell.
Recognizing Modification and Repudiation Attacks
Modification attacks involve the deletion, insertion, or alteration of information in an unauthorized manner that is intended to appear genuine to the user. These attacks can be hard to detect. The motivation for this type of attack may be to plant information, change grades in a class, fraudulently alter credit card records, or something similar. Website defacements involve someone changing web pages in a malicious manner.
Repudiation attacks make data or information that is used invalid or misleading, which can be even worse. An example of a repudiation attack might be someone accessing your e-mail server and sending inflammatory information to others in your name. This information can prove embarrassing to you or your company. Repudiation attacks are fairly easy to accomplish because most e-mail systems do not check outbound mail for validity. Repudiation attacks usually begin as access attacks. A common type of repudiation attack involves a customer who claims that they never received a service for which they were billed. In this situation, the burden of proof is on the company to show that the information used to generate the invoice is accurate. If the data has been modified by an external attacker, verifying the accuracy of the information may be difficult.
Denial of Service (7:10)
Identifying Denial-of-Service Attacks
A denial-of-service (DoS) attack is intended to prevent authorized users from accessing network resources by overwhelming or flooding a service or network. DoS attacks are very common on the Internet. An attacker may attempt:
• To bring down an e-commerce website
• To prevent or deny usage by legitimate customers
A significant increase in network traffic might indicate that a network is undergoing a DoS attack. Performance baselines help you decide whether you are undergoing a DoS attack, because you know what normal traffic looks like. Virtualization can help you recover from DoS attacks, since an affected service can be restarted or moved to another host quickly.
• Smurf attacks are well-known DoS attacks in which the attacker sends ICMP echo requests (pings) to a network's broadcast address with the source address spoofed to be the victim's; every host on that network then replies to the victim, amplifying the traffic.
• A ping flood is a DoS attack that attempts to block service or reduce activity on a host by sending ICMP echo requests directly to the victim faster than it can answer. A Ping of Death is different: a single malformed, oversized ping packet crafted to crash an unpatched host.
• A SYN flood attack exploits the TCP handshake. The attacker sends many SYN packets (often from spoofed addresses) and never completes the handshake, so the victim's table of half-open connections fills up and legitimate connection requests are refused.
• A flood attack in general is designed to overload a protocol or service by repeatedly initiating a request for service. This usually results in a DoS situation because the protocol freezes or excessive bandwidth is consumed in the network by the requests.
• Buffer overflow attacks exploit poor programming practices and inadequate code review. A buffer overflow occurs when a buffer receives more data than it was programmed to accept, so the excess overwrites adjacent memory. These attacks are common on Web servers. A buffer overflow attempt can be spotted with a packet sniffer: an unusually long run of repeated characters or numbers in the middle of a packet is indicative of an overflow attempt. The best countermeasure for a buffer overflow in a commercial application is to update the software with the latest patches, updates, and service packs. Another countermeasure is input validation, which rejects input that is longer than expected or contains characters the application or database cannot handle.
Buffer Overflows (4:56)
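The slide says a SYN flood fills the table of half-open connections and that a baseline tells you when traffic is abnormal; the added example below (not code from the course or its author) does both checks over a constructed packet log: it counts, per source, SYNs that were never followed by the client's completing ACK, and it measures the peak SYN rate against an assumed baseline. Addresses are from the documentation ranges, and the thresholds are assumptions you would replace with what you measure on a normal day.

```python
"""Added example (not from the course slides): detect a SYN flood by counting
half-open connections per source, and compare the SYN rate against a
baseline. The packet summaries are constructed; the addresses are from the
documentation ranges and the thresholds are assumptions."""
from collections import defaultdict

# Constructed packet summaries as seen at the server: (time_s, src_ip, src_port, flag)
# "S" = SYN from the client, "A" = the client's final ACK completing the handshake.
SAMPLE_PACKETS = [
    (0.00, "192.0.2.21", 40001, "S"), (0.02, "192.0.2.21", 40001, "A"),
    (0.10, "192.0.2.33", 51020, "S"), (0.13, "192.0.2.33", 51020, "A"),
    (0.40, "192.0.2.21", 40002, "S"), (0.41, "192.0.2.21", 40002, "A"),
    (0.90, "192.0.2.47", 60111, "S"),                 # one slow client, not yet completed
]
# A flooder sends SYNs from many source ports and never answers the SYN-ACK.
SAMPLE_PACKETS += [(1.0 + i * 0.001, "198.51.100.7", 20000 + i, "S") for i in range(200)]


def half_open_by_source(packets):
    """Count connections per source that saw a SYN but no completing ACK."""
    pending = set()
    for _t, src, sport, flag in packets:
        if flag == "S":
            pending.add((src, sport))
        elif flag == "A":
            pending.discard((src, sport))    # handshake completed, no longer half-open
    counts = defaultdict(int)
    for src, _sport in pending:
        counts[src] += 1
    return dict(counts)


def syn_rate(packets, window_s=1.0):
    """SYNs per second over the busiest window of window_s seconds (sliding window)."""
    syn_times = sorted(t for t, _s, _p, f in packets if f == "S")
    best, start = 0, 0
    for end, t in enumerate(syn_times):
        while syn_times[start] < t - window_s:
            start += 1
        best = max(best, end - start + 1)
    return best / window_s


def detect_syn_flood(packets, max_half_open=10, baseline_syn_rate=20.0, factor=5.0):
    """Return (offending sources, rate_alarm).

    A source holding many half-open connections is the per-host signal; the
    overall SYN rate far above the baseline is the network-wide signal that
    still fires when the flood is spread over many spoofed addresses."""
    offenders = sorted(src for src, n in half_open_by_source(packets).items()
                       if n >= max_half_open)
    rate_alarm = syn_rate(packets) > baseline_syn_rate * factor
    return offenders, rate_alarm


if __name__ == "__main__":
    print(detect_syn_flood(SAMPLE_PACKETS))
```

With spoofed sources each address may hold only one half-open connection, so the per-source count stays quiet; that is why the rate check against the baseline is kept as a second, independent signal.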
Identifying Distributed Denial-of-Service Attacks
Botnets (3:44)
Distributed Denial of Service (DDoS) attacks are an extension of the DoS attack. In a DDoS, the attacker uses multiple computers to target a critical server and deny access to legitimate users. A hacker might install malicious code on computers across a network to form a botnet and then remotely trigger the botnet to cause a flood of network traffic. The infected computers then act as "zombies," performing malicious acts on behalf of the perpetrator. The primary components of a DDoS attack are:
• The client – the attacker's own system, from which the attack is directed
• The masters or handlers – systems on which the attacker has gained administrative access and which instruct the slaves to launch an attack against a target host
• The slaves – typically systems that have been compromised through backdoors, such as Trojans, and that are not aware of their participation in the attack
• The target system
Security technologies such as SSL and PKI are of little use in detecting DDoS attacks. To detect the use of zombies in a DDoS attack, examine the firewall logs. Both zombies and botnets can be used in a DDoS attack. A bot, short for robot, is an automated program that needs no user interaction; a bot-infected system is one that outside sources can control. A zombie is a compromised computer under the remote control of an attacker. A botnet is formed when a malicious program is installed on several host computers and is remotely triggered. You may also hear a botnet referred to as a zombie army.
Recognizing Botnets
The malicious software running on zombie computers is often loosely called a botnet; strictly, botnet is the word for the collection of zombies running that software under the control of a bot-herder. Denial of Service attacks can be launched by botnets, as can many forms of adware, spyware, and spam (via spambots). Most bots are written to run in the background with no visible evidence of their presence. Many malware kits can be used to create botnets and modify existing ones. There is no universal approach to dealing with botnets. Some can be detected easily by looking them up in a database of known threats, while others have to be identified through analysis of their behavior.
Recognizing Common Attacks Most attacks are designed to exploit potential weaknesses, which can be in the implementation of programs or in the protocols used in networks. Many types of attacks require a high level of sophistication and are rare, but you need to know about them so that, should they occur, you can identify what has happened in your network. You need to be aware that many attacks are often launched in combination with each other.
Back Door Attacks Back doors are programs or services that system designers use to bypass security. During the development of a complicated operating system or application, programmers add back doors or maintenance hooks to allow rapid code evaluation and testing. These back doors allow them to examine operations inside the code while the code is running. If not removed before application deployment, such entry points can present the means for an attacker to gain unauthorized access later. Other back doors may be inserted by the application designers purposefully, presenting later threats to the network if applications are never reviewed by another application designer before deployment. Back doors can also be put in place maliciously.
Back Door Attacks
The second type of back door refers to gaining access to a network and inserting a program or utility that creates an entrance for an attacker. These applications work by installing a server component on the attacked computer and then using a remote client application to connect to it and control the attacked computer. The program may allow a certain user ID to log on without a password or gain administrative privileges. A number of tools exist to create back door attacks on systems; one of the more popular is Back Orifice, and another is NetBus. A back door attack is usually either an access or a modification attack. Fortunately, most conventional antivirus software will detect and block these well-known tools. A back door attack can be used to bypass the security of a network. In the slide's example, the attacker is using a back door program to utilize resources or steal information.
Spoofing Attacks
Spoofing occurs when an attacker pretends to be something they are not in order to gain access. In a spoofing attack, also referred to as a masquerading attack, a person or program successfully masquerades as another person or program. IP spoofing refers to modifying the source IP address field in an IP datagram to imitate the address of a packet originating from an authorized source. This results in the target computer treating the attacker's computer as trusted and providing access to restricted resources. DNS spoofing has to do with the misdirection of domain name resolution and Internet traffic: DNS poisoning is the practice of dispensing false IP address and host name pairs with the goal of traffic diversion. Basically, the Internet traffic is misdirected because the DNS server resolves the domain name to an incorrect IP address. Properly configured DNS security on the DNS server provides message validation, which in turn prevents DNS poisoning; the DNS Security Extensions (DNSSEC) add signatures that defend against cache poisoning. A very common spoofing attack that was popular for many years involved a programmer writing a fake logon program that prompted the user for a user ID and password. Other types of spoofing attacks, apart from IP spoofing, are:
• E-mail spoofing
• Web spoofing
• A man-in-the-middle attack, which is a spoofing as well as a session hijacking attack
This type of attack is usually considered an access attack.
Spoofing Attacks
(Slide figure: a spoofing attack during logon)
The attacker in this situation impersonates the server to the client attempting to log in. No matter what the client attempts to do, the impersonating system fails the login. When this process is finished, the impersonating system disconnects from the client. The client then logs in to the legitimate server. In the meantime, the attacker now has a valid user ID and password.
Pharming Attacks • Pharming is a form of redirection in which traffic intended for one host is sent to another. This can be accomplished by changing entries in a DNS server (DNS Poisoning). • When a user attempts to go to a site, they are redirected to another site
Phishing and Spear Phishing Attacks
Phishing (7:34)
• Phishing is an attempt to acquire sensitive information by masquerading as a trustworthy entity via an electronic communication, usually e-mail. Ideally, users should not be able to open e-mail attachments directly from within the e-mail application. However, the best defense is user education.
• Spear phishing is a targeted form of phishing in which the message is made to look as if it came from someone you know and trust, as opposed to an impersonal third party. With spear phishing, you might get a message that appears to be from your boss telling you that there is a problem with your direct deposit account and you need to access this HR link right now to correct it.
• Spear phishing works better than phishing because it uses information the attacker can find about you from e-mail databases, friends lists, and the like.
• It was this type of attack that was used against Google managers and employees in 2010 to open up an exploitation that factored heavily in the company's decision to pull out of China.
Man-in-the-Middle and ARP Poisoning (8:08)
Man-in-the-Middle Attacks
A man-in-the-middle attack attempts to fool both ends of a communications session into believing the system in the middle is the other end. The hacker’s system appears to be the server to the real client and appears to be the client to the real server. The man-in-the-middle software may be recording information for someone to view later, altering it, or in some other way compromising the security of your system and session.
A man-in-the-middle attack can be perpetrated by hijacking a communications session between a Web browser and a Web server. When a Web browser submits information to a Web server through a form, a hacker might be able to gain sensitive information, such as credit card numbers. The method used in these attacks clandestinely places a piece of software between a server and the user. The software intercepts and then sends the information to the server. The server responds back to the software, thinking it is the legitimate client.
This attack is common in wireless technologies. A common solution to this problem is to enforce a secure wireless authentication protocol such as WPA2. This type of attack is an access attack, but it can be used as the starting point for a modification attack.
Man-in-the-Middle Attacks
Notice how both the server and client assume that the system they’re talking to is the legitimate system. The man in the middle appears to be the server to the client, and it appears to be the client to the server.
Replay Attacks
An attacker presenting a previously captured certificate to a Kerberos-enabled system: the attacker gets legitimate information from the client and records it. Then, the attacker attempts to use the information to enter the system. The attacker later replays the information to gain access.
Replay attacks are becoming quite common. These attacks occur when information is captured over a network and the attacker attempts to replay the results to gain access. In a distributed environment, logon and password information is sent between the client and the authentication system. The attacker can capture this information and replay it later. This can also occur with security certificates from systems such as Kerberos: the attacker resubmits the certificate, hoping to be validated by the authentication system and circumvent any time sensitivity. Replay attacks are used for access or modification attacks. The best countermeasure for replay attacks is to implement timestamps and sequence numbers.
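The countermeasure named above (timestamps plus sequence numbers, bound to the message with a keyed hash) as an added example in Python; this is illustration code, not part of the slides. The shared key, the 30-second freshness window and the `seq|timestamp|tag|payload` wire format are assumptions chosen for the demo.

```python
import hmac
import hashlib
import time

# Constructed shared secret for the demo (assumption: client and server already share it).
SHARED_KEY = b"demo-shared-secret"
MAX_SKEW = 30  # seconds; a message older than this is treated as stale (assumed policy)


def make_message(seq, payload, now=None):
    """Client side: bind a sequence number and timestamp to the payload with an HMAC."""
    ts = int(now if now is not None else time.time())
    body = f"{seq}|{ts}|{payload}".encode()
    tag = hmac.new(SHARED_KEY, body, hashlib.sha256).hexdigest()
    # Wire format (assumed): seq|timestamp|tag|payload
    return f"{seq}|{ts}|{tag}|{payload}"


class ReplayGuard:
    """Server side: accept each message once, only if its tag is valid, it is fresh,
    and its sequence number is higher than anything already accepted."""

    def __init__(self):
        self.last_seq = -1

    def accept(self, message, now=None):
        seq_s, ts_s, tag, payload = message.split("|", 3)
        body = f"{seq_s}|{ts_s}|{payload}".encode()
        expected = hmac.new(SHARED_KEY, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return "rejected: bad tag"          # altered in transit or forged
        now = now if now is not None else time.time()
        if abs(now - int(ts_s)) > MAX_SKEW:
            return "rejected: stale timestamp"  # captured long ago and resent
        seq = int(seq_s)
        if seq <= self.last_seq:
            return "rejected: replayed sequence number"  # exact copy of an earlier message
        self.last_seq = seq
        return "accepted"


if __name__ == "__main__":
    guard = ReplayGuard()
    first = make_message(1, "LOGIN alice")
    print(guard.accept(first))   # accepted
    print(guard.accept(first))   # rejected: replayed sequence number
```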
Password-Guessing Attacks
A password-guessing attack occurs when a user account is repeatedly attacked using a variety of different passwords. This is accomplished by utilizing applications known as password crackers, which send possible passwords to the account in a systematic manner. The attacks are initially carried out to gain passwords for an access or modification attack. A password cracker is a software utility that allows direct testing of user logon password strength by conducting a brute force password test using dictionary terms, specialized lexicons, or mandatory complexity guidelines.
Passwords are susceptible to sniffing, dictionary attacks, brute force attacks, and social engineering attacks. In addition, passwords can sometimes be obtained by gaining access to a network and accessing the password file. Sniffing occurs when an attacker captures information from a network to obtain user passwords. Many times this technique provides the attacker with multiple user passwords. To prevent this, you should always encrypt your password when it is stored on electronic devices or transmitted across the network.
There are two types of password-guessing attacks:
• Brute-force attack
• Dictionary attack
Brute-force attack
A brute force password attack, also known as an exhaustive attack, is when an attacker tries many different combinations (sometimes hundreds or thousands) of random alphanumeric characters to try and “guess” the password. A brute force password attack can include the use of rainbow tables. A rainbow table is a lookup table that recovers a plaintext password from a password hash. It usually works well in finding weak passwords in use. Weak passwords are those passwords that are not complex or long enough. To implement strong passwords, you should force users to create passwords of at least eight characters in length that include both uppercase and lowercase letters, numbers, and special characters. To protect against brute force attacks, an account lockout policy should be enforced that locks out a user’s account after a certain number of unsuccessful login attempts. A brute force attack can also be possible if a token and a personal identification number (PIN) are used to access a system and the token performs offline checking of the PIN.
Dictionary attack
Dictionary attacks employ the use of a dictionary of words as the password to repeatedly attempt to access a system using a valid user account. A dictionary attack is based on the attacker’s efforts to determine the decryption key to defeat a cipher. This attack uses words from the dictionary and typically succeeds because many users choose passwords from a dictionary that are easy to remember. Therefore, the dictionary attack is a part of cryptanalysis. One-way encryption or one-way hashing protects against reading or modifying the password file, but an intruder can launch a dictionary attack after capturing the password file.
A short dictionary attack involves trying a list of hundreds or thousands of words that are frequently chosen as passwords against several systems. Most systems resist such attacks, but some do not. In one case, one system in five yielded to a particular dictionary attack. A long dictionary attack can be executed against an encrypted password file provided the attacker has access to the system, has read access to the password file, and knows the encryption mechanism used to encrypt the password file.
A dictionary attack and a brute force attack are very similar in that they both focus on cracking the password. The tools used in dictionary and brute force attacks are sometimes referred to as password crackers.
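The two countermeasures the brute-force and dictionary slides call for (a complexity policy of at least eight characters with mixed character classes, a check against commonly chosen dictionary words, and an account lockout after repeated failures) as one added Python example; this is illustration code, not part of the slides. The word list, the five-attempt threshold and the 15-minute lockout window are constructed assumptions.

```python
# Constructed, deliberately tiny list of commonly chosen passwords (assumption for the demo).
COMMON_WORDS = {"password", "welcome", "letmein", "dragon", "monkey", "qwerty"}
MIN_LENGTH = 8
LOCKOUT_THRESHOLD = 5     # failed attempts before lockout (assumed policy)
LOCKOUT_SECONDS = 900     # 15 minutes (assumed policy)


def password_policy_violations(password):
    """Return every reason the password fails the policy described on the slides."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than 8 characters")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(not c.isalnum() for c in password):
        problems.append("no special character")
    # "Password123!" is still a dictionary word: strip trailing digits/symbols before checking.
    stripped = password.lower().rstrip("0123456789!@#$%^&*")
    if stripped in COMMON_WORDS:
        problems.append("based on a dictionary word")
    return problems


class LockoutPolicy:
    """Count failed logons per account and lock the account once the threshold is reached."""

    def __init__(self):
        self.failures = {}      # account -> timestamps of recent failures
        self.locked_until = {}  # account -> time the lock expires

    def is_locked(self, account, now):
        return self.locked_until.get(account, 0) > now

    def record_failure(self, account, now):
        """Register a failed attempt; returns True if this attempt triggered a lockout."""
        recent = [t for t in self.failures.get(account, []) if now - t < LOCKOUT_SECONDS]
        recent.append(now)
        self.failures[account] = recent
        if len(recent) >= LOCKOUT_THRESHOLD:
            self.locked_until[account] = now + LOCKOUT_SECONDS
            return True
        return False

    def record_success(self, account):
        """A successful logon clears the failure counter."""
        self.failures.pop(account, None)
```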
Privilege Escalation
Privilege escalation is a vulnerability represented by the accidental or intentional access to resources not intended for access by the user. Application flaws can allow a normal user access to administrative functions reserved for privileged accounts, or to access features of an application reserved for other users. An example of privilege escalation is logging in to a system using your valid user account and then finding a way to access files that you do not have permissions to access. This usually involves invoking a program that can change your account permissions, or invoking a program that runs in an administrative context.
Perhaps the most popular method of privilege escalation is a buffer overflow attack. Buffer overflows cause disruption of service and lost data. This condition occurs when the data presented to an application or service exceeds the storage-space allocation that has been reserved in memory for that application or service. It can also be the result of bugs or back doors left in an application. Privilege escalation takes advantage of a program’s flawed code, which then crashes the system and leaves it in a state where arbitrary code can be executed or an intruder can function as an administrator.
When creating a software program, developers will occasionally leave a back door in the program that allows them to become a root user should they need to fix something during the debugging phase. After debugging is done and before the software goes live, these abilities are removed. If a developer forgets to remove the back door in the live version and the method of accessing it gets out, it gives a miscreant the ability to take advantage of the system.
There are several methods of dealing with privilege escalation, including using least privilege accounts and privilege separation. Privilege escalation can lead to denial of service attacks.
Identifying TCP/IP Security Concerns
You could say that the ease of connectivity TCP/IP offers is one of the most significant difficulties a security professional faces. Virtually all large networks, including the Internet, are built on the TCP/IP protocol suite. TCP/IP was designed to connect disparate computer systems into a robust and reliable network with capabilities and support for many different protocols. Unfortunately, a downside that comes with being an easy-to-use, well-documented network that has been around for many years is numerous holes. You can easily close most of these holes in your network, but you must first know about them.
The four layers of TCP/IP have unique functions and methods for accomplishing work. Each layer talks to the layers that reside above and below it. Each layer also has its own rules and capabilities.
The TCP/IP architecture protocol layers
Recognizing TCP/IP Attacks
Attacks on TCP/IP usually occur at the host-to-host or Internet layer, although any layer is potentially vulnerable. External attacks are somewhat limited by the devices in the network, including the router. The router blocks many of the protocols from exposure to the Internet. Some protocols, such as ARP, aren’t routable and aren’t generally vulnerable to outside attacks. Other protocols, such as SMTP and ICMP, pass through the router and are part of Internet and TCP/IP traffic. TCP, UDP, and IP are all vulnerable to attack. Any network-enabled host has access to the full array of protocols used in the network, and a computer with a network card has the ability to act as a network sniffer with the proper configuration and software.
Sniffing the Network
A network sniffer, or scanner, is a device that captures and displays network traffic. Any traffic in a particular segment is visible to all stations in that segment. In a normal networking environment, the data travels in clear text, making it easier for anyone to discover confidential information by using packet sniffers. Many advanced sniffers can reassemble packets and create entire messages, including user IDs and passwords.
Computers running sniffer software must be set to promiscuous mode, in which a network adapter card captures and analyzes all forms of traffic, including traffic that is not addressed to that network adapter. Promiscuous mode provides a statistical picture of the network activity. Sniffers can be used both for legitimate network management functions and for stealing information off a network. An attacker could put a laptop or a portable computer in your wiring closet and attach it to your network. Unauthorized sniffers can be extremely dangerous to a network's security because they are virtually impossible to detect.
Microsoft’s Systems Management Server (SMS) package includes a network sniffer. A number of sniffers, such as Wireshark, are also available online.
Scanning Ports
A scanning attack is used to identify the topology of the target network. Scanning is the process of gathering information about a network to find out vulnerabilities before attempting to commit a security breach. Also referred to as network reconnaissance, scanning involves:
• Identifying systems on the target network
• Verifying the TCP ports that are open
• Verifying services a system is hosting
• Identifying OS types
• Identifying applications running on a target host
A port scanner attempts to communicate with different protocols over all ports and records which ports are open to which protocols. A hacker can also use stealth scanning to determine which operating systems are being used on a network. Stealth scanning usually does not include determining which ports are open. After they know the IP addresses of your systems, external attackers can attempt to communicate with the ports open in your network, sometimes simply by using Telnet. Network mapping allows you to visually see everything that is available. The most well-known network mapper is nmap, which is free for download.
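From the defender's side, a port scan like the one this slide describes shows up in firewall or connection logs as one source touching many distinct ports in a short time. The following added Python example (not part of the slides) runs that detection over a constructed log excerpt; the log format, the 60-second window and the eight-port threshold are assumptions for the demo.

```python
from collections import defaultdict

# Constructed sample log lines (documentation addresses, not real traffic).
# Assumed format: "<epoch> <src_ip> <dst_ip> <dst_port> <action>"
SAMPLE_LOG = """\
1700000000 203.0.113.7 192.0.2.10 22 DROP
1700000001 203.0.113.7 192.0.2.10 23 DROP
1700000001 203.0.113.7 192.0.2.10 25 DROP
1700000002 203.0.113.7 192.0.2.10 80 ACCEPT
1700000002 203.0.113.7 192.0.2.10 110 DROP
1700000003 203.0.113.7 192.0.2.10 143 DROP
1700000003 203.0.113.7 192.0.2.10 443 ACCEPT
1700000004 203.0.113.7 192.0.2.10 3389 DROP
1700000004 203.0.113.7 192.0.2.10 8080 DROP
1700000005 203.0.113.7 192.0.2.10 8443 DROP
1700000010 198.51.100.4 192.0.2.10 443 ACCEPT
1700000011 198.51.100.4 192.0.2.10 443 ACCEPT
1700000012 198.51.100.4 192.0.2.10 80 ACCEPT
"""

WINDOW = 60          # seconds (assumed tuning)
PORT_THRESHOLD = 8   # distinct destination ports from one source within WINDOW (assumed tuning)


def parse_log(text):
    """Turn the log text into (timestamp, src, dst, port, action) tuples."""
    events = []
    for line in text.splitlines():
        ts, src, dst, port, action = line.split()
        events.append((int(ts), src, dst, int(port), action))
    return events


def find_port_scanners(events, window=WINDOW, threshold=PORT_THRESHOLD):
    """Return {src_ip: sorted distinct ports} for every source that reached
    at least `threshold` distinct ports inside any `window`-second span."""
    hits_by_src = defaultdict(list)
    for ts, src, _dst, port, _action in sorted(events):
        hits_by_src[src].append((ts, port))
    scanners = {}
    for src, hits in hits_by_src.items():
        for i, (start, _) in enumerate(hits):          # window anchored at each hit
            ports = {p for t, p in hits[i:] if t - start <= window}
            if len(ports) >= threshold:
                scanners[src] = sorted({p for _, p in hits})
                break
    return scanners


if __name__ == "__main__":
    for src, ports in find_port_scanners(parse_log(SAMPLE_LOG)).items():
        print(f"possible port scan from {src}: {len(ports)} ports {ports}")
```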