Methods of Attack NJ-CISSP
Attack • An assault on system security that derives from an intelligent threat, i.e., an intelligent act that is a deliberate attempt (especially in the sense of a method or technique) to evade security services and violate the security policy of a system. RFC 2828, May 2000
Attacks Target Secure Computing Properties • Confidentiality • The property that information is not made available or disclosed to unauthorized individuals, entities, or processes. • Integrity • The property that data has not been changed, destroyed, or lost in an unauthorized or accidental manner. • Availability • The property of a system or a system resource being accessible and usable upon demand by an authorized system entity, according to performance specifications for the system; i.e., a system is available if it provides services according to the system design whenever users request them.
Attack Phases • PHASE 1 - INFORMATION GATHERING • First phase tools (Ping sweeps, Port scans, Social Engineering) • PHASE 2 - GAINING ACCESS • Second phase techniques (exploit of software bugs, buffer overflow exploit, FTP bugs) • PHASE 3 - DENYING SERVICES • Third phase attacks (Syn Flood, Ping of death, Teardrop Attack) • PHASE 4 - EVADE DETECTION
Brute Force • A cryptanalysis technique or other kind of attack method involving an exhaustive procedure that tries all possibilities, one-by-one. For example, for ciphertext where the analyst already knows the decryption algorithm, a brute force technique for finding the original plaintext is to decrypt the message with every possible key.
Brute Force • Passwords • More successful against weak passwords • Encryption - DES • Obtain sample plaintext-ciphertext pair • Test each possible key in turn • Would take thousands of years, unless done in parallel (20 hours by 1990) • POP service (port 110) success • Did not have their login failures logged • The key to a successful brute force attack is to select a target that has a high degree of success and a small chance of being logged.
Dictionary • An attack that uses a brute-force technique of successively trying all the words in some large, exhaustive list. For example, an attack on an authentication service by trying all possible passwords; or an attack on encryption by encrypting some known plaintext phrase with all possible keys so that the key for any given encrypted message containing that phrase may be obtained by lookup. RFC 2828, May 2000
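The slides make the defender's point that a brute force or dictionary attack on a login service succeeds quietly when failures are not logged. The following detector, added here as an example and not part of the original deck, runs over constructed POP3 failure-log lines and flags a source whose failed logins within a short window reach a threshold, noting the accounts tried and whether a success followed (the log format, field names and thresholds are assumptions):

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log (not a real capture): a POP3 daemon that records login results.
SAMPLE_LOG = """\
2024-01-12T03:14:01 mail pop3d: LOGIN FAILED user=alice host=198.51.100.7
2024-01-12T03:14:02 mail pop3d: LOGIN FAILED user=alice host=198.51.100.7
2024-01-12T03:14:03 mail pop3d: LOGIN FAILED user=alice host=198.51.100.7
2024-01-12T03:14:04 mail pop3d: LOGIN FAILED user=alice host=198.51.100.7
2024-01-12T03:14:05 mail pop3d: LOGIN FAILED user=alice host=198.51.100.7
2024-01-12T03:14:06 mail pop3d: LOGIN OK user=alice host=198.51.100.7
2024-01-12T03:20:00 mail pop3d: LOGIN FAILED user=bob host=203.0.113.9
2024-01-12T09:20:00 mail pop3d: LOGIN FAILED user=bob host=203.0.113.9
"""

# Assumed line layout: timestamp, hostname, daemon, result, user, client host.
LINE_RE = re.compile(r"^(?P<ts>\S+) \S+ pop3d: LOGIN (?P<result>OK|FAILED) "
                     r"user=(?P<user>\S+) host=(?P<host>\S+)$")

def parse(log):
    """Turn log text into (timestamp, result, user, host) tuples, skipping unparseable lines."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["host"]))
    return events

def detect_brute_force(log, threshold=5, window_seconds=60):
    """Return {host: (failures_in_window, users_tried, success_after)} for every client host
    that reaches `threshold` failed logins inside any `window_seconds` sliding window."""
    by_host = defaultdict(list)
    for ts, result, user, host in parse(log):
        by_host[host].append((ts, result, user))
    alerts = {}
    for host, evs in by_host.items():
        evs.sort()
        fails = [(ts, user) for ts, result, user in evs if result == "FAILED"]
        start = 0
        for end in range(len(fails)):
            # Slide the window start forward until it spans at most window_seconds.
            while (fails[end][0] - fails[start][0]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                users = sorted({u for _, u in fails[start:end + 1]})
                # A success right after a burst of failures is the case worth acting on.
                success = any(r == "OK" and t > fails[end][0] for t, r, _ in evs)
                alerts[host] = (end - start + 1, users, success)
                break
    return alerts
```

Two failures six hours apart (the second host) stay below the threshold, which is why the window matters as much as the count.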
Denial of Service • Denial Of Service (DOS) attacks attempt to slow or shut down targeted network systems or services. • There are two main types of DOS attacks: flaw exploitation and flooding.
Denial of Service • Flaw exploitation DOS Attacks • Flaw exploitation attacks exploit a flaw in the target system’s software in order to cause a processing failure or to cause it to exhaust system resources. • Flooding DOS Attacks • Flooding attacks simply send a system or system component more information than it can handle. In cases where the attacker cannot send a system sufficient information to overwhelm its processing capacity, the attacker may nonetheless be able to monopolize the network connection to the target, thereby denying anyone else use of the resource.
Distributed Denial of Service • DDOS attacks are a subset of DOS • DDOS attacks are simply flooding DOS attacks where the hacker uses multiple computers to launch the attack. These attacking computers are centrally controlled by the hacker’s computer and thus act as a single immense attack system.
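The flooding DOS and DDOS slides above describe a SYN flood: many half-open handshakes exhaust the target's connection backlog, and when the SYNs arrive from many sources the flood is distributed or spoofed. As an added example (not from the original deck), this code tracks per-flow handshake state over constructed packet summaries and reports targets whose half-open backlog exceeds a threshold, together with the number of distinct sources; the tuple layout and threshold are assumptions:

```python
from collections import defaultdict

# Constructed packet summaries (not a real capture): (src_ip, src_port, dst_ip, dst_port, tcp_flags).
# One client completes its handshake; forty others send a SYN and never follow up.
SAMPLE_PACKETS = [
    ("10.0.0.5", 40001, "192.0.2.10", 80, "S"),
    ("10.0.0.5", 40001, "192.0.2.10", 80, "A"),   # bare ACK: handshake completes
] + [
    ("203.0.113.%d" % i, 50000 + i, "192.0.2.10", 80, "S") for i in range(1, 41)
]

def half_open_by_target(packets):
    """For each (dst_ip, dst_port), count client flows that sent a SYN but never a bare ACK,
    and record which source addresses those flows came from."""
    state = {}
    for src, sport, dst, dport, flags in packets:
        flow = (src, sport, dst, dport)
        if "S" in flags and "A" not in flags:
            state.setdefault(flow, "half_open")        # client SYN opens a pending handshake
        elif flags == "A" and flow in state:
            state[flow] = "established"                # third handshake packet closes it
    counts = defaultdict(lambda: {"half_open": 0, "sources": set()})
    for (src, _, dst, dport), st in state.items():
        if st == "half_open":
            counts[(dst, dport)]["half_open"] += 1
            counts[(dst, dport)]["sources"].add(src)
    return counts

def syn_flood_targets(packets, threshold=20):
    """Return {(dst_ip, dst_port): (half_open_count, distinct_sources)} for targets over threshold.
    A source count close to the half-open count points at a distributed (DDOS) or spoofed flood
    rather than one misbehaving client."""
    return {target: (c["half_open"], len(c["sources"]))
            for target, c in half_open_by_target(packets).items()
            if c["half_open"] >= threshold}
```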
Spamming • Spamming attacks are a subset of DOS • A spammer uses your email system as a spam relay. Your system becomes the host and then tries to deliver all messages. • While your email server is spending time processing the spam mail, it is prevented from handling legitimate mail for your domain.
Spoofing • In a spoofing attack, the intruder sends messages to a computer indicating that the message has come from a trusted system. To be successful, the intruder must first determine the IP address of a trusted system, and then modify the packet headers so that it appears that the packets are coming from the trusted system. http://www.sans.org/infosecFAQ/threats/intro_spoofing.htm
Spoofing • IP spoofing - IP spoofing involves forging one's source IP address. It is the act of using one machine to impersonate another. Many applications and tools in UNIX systems rely on source IP address authentication. • ARP spoofing - ARP spoofing involves forging packet source hardware address (MAC address) to the address of the host you pretend to be.
Man-in-the-middle • The "Man In The Middle" or "TCP Hijacking" attack is a well known attack where an attacker sniffs packets from the network, modifies them and inserts them back into the network. There are a few programs/source codes available for doing a TCP hijack. Juggernaut, T-Sight and Hunt are some of these programs. http://www.sans.org/infosecFAQ/threats/middle.htm
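The ARP spoofing slide and the man-in-the-middle slide above describe the same mechanism from two sides: a host forges ARP replies for another host's IP address so that traffic passes through it. The following checker, added here as an example and not part of the original deck, keeps an IP-to-MAC table from constructed ARP replies and raises an alert when an IP's MAC changes (or disagrees with a trusted static map), and separately reports any single MAC that answers for several IPs; the reply tuples and the trusted map are assumptions:

```python
from collections import defaultdict

# Constructed ARP replies (not a real capture): (sender_ip, sender_mac) in arrival order.
SAMPLE_ARP_REPLIES = [
    ("192.0.2.1", "aa:bb:cc:00:00:01"),    # gateway
    ("192.0.2.20", "aa:bb:cc:00:00:20"),
    ("192.0.2.21", "aa:bb:cc:00:00:21"),
    ("192.0.2.1", "aa:bb:cc:00:00:01"),    # repeat of the same binding: no alert
    ("192.0.2.1", "aa:bb:cc:00:00:21"),    # host .21 now answers for the gateway's IP
    ("192.0.2.20", "aa:bb:cc:00:00:21"),   # ... and for .20, so it sits between the two
]

# Assumed static bindings an administrator would maintain for critical hosts.
TRUSTED_BINDINGS = {"192.0.2.1": "aa:bb:cc:00:00:01"}

def detect_arp_spoofing(replies, trusted=None):
    """Return (alerts, multi_ip_macs).
    alerts: one dict per reply whose MAC disagrees with the trusted or previously seen MAC for that IP.
    multi_ip_macs: {mac: [ips]} for MACs that claimed more than one IP, a typical sign of a host
    impersonating several peers to relay their traffic."""
    trusted = dict(trusted or {})
    seen = {}                     # IP -> last MAC observed (learned bindings)
    claims = defaultdict(set)     # MAC -> IPs it has answered for
    alerts = []
    for ip, mac in replies:
        claims[mac].add(ip)
        # A trusted binding always wins; otherwise compare with what was learned earlier.
        expected = trusted.get(ip, seen.get(ip))
        if expected and expected != mac:
            alerts.append({"ip": ip, "was": expected, "now": mac})
        seen[ip] = mac
    multi_ip_macs = {mac: sorted(ips) for mac, ips in claims.items() if len(ips) > 1}
    return alerts, multi_ip_macs
```

Without the trusted map the gateway alert still fires, because the learned binding changes; the map only makes the check survive a reboot of the monitor.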
Sniffers • Packet sniffers • A software application that uses a network adapter card in promiscuous mode to capture all network packets that are sent across a LAN. • Captures plain text user account names, passwords, etc. • Can also interject new information or change existing information.
Crackers • Someone who tries to break the security of, and gain access to, someone else's system without being invited to do so.
Countermeasures • Adequate Security Controls • Documentation • Policy, Standards, Processes • Equipment • IDS, Firewall, Network Map • Personnel • Auditing, Monitoring, Configuring, etc. • Education • CISSP Certified Staff
Questions? • Ask Jeanette!