SYP: Network Security
Presentation Transcript



Security

  • Why is it important to understand how attacks work?

  • Golden Age of Hacking

  • How bad is the problem?

  • How did this happen?


Security Breach Example

  • In 2003, a group of hackers was “testing” the security of various banks and noticed that one was extremely vulnerable

  • Within a couple of hours, they transferred over $10 million from the bank to a private account

  • Due to the bank’s poor network security, the attackers’ tracks were difficult to find

  • To ensure no prosecution, the hackers contacted the bank president and gave two options:

    • The bank could prosecute, but the attackers would deny everything and notify the media about the bank’s poor security

    • Sign a proposal indicating that the hackers were performing a security assessment at the bank’s request for $5 million, and the hackers would then return the other $5 million.

  • What choice do you think the bank president chose?


Organizational Problems

  • Why companies don’t report attacks

    • Ignorance

    • Bad publicity

  • Cost and ineffectiveness of Fixing Existing Systems

  • Intangible Nature of Security Benefits


The Attacker’s Process

  • Many ways an attacker can gain access or exploit a system

  • Some basic steps that hackers follow:

    • Passive reconnaissance

    • Active reconnaissance (scanning)

    • Exploiting the system

    • Uploading programs

    • Downloading data

    • Keeping access by using backdoors and Trojan horses

    • Covering tracks


Passive Reconnaissance

  • To exploit a system an attacker must have some general information about the user or company

  • Information gathering

  • Sniffing


Active Reconnaissance

  • At this point, an attacker has enough information to try active probing or scanning against a site.

  • Key information that an attacker will try to discover:

    • Hosts that are accessible

    • Locations of routers and firewalls

    • Operating systems running on key components

    • Ports that are open

    • Services that are running

    • Versions of applications that are running


Exploiting the System

  • 3 areas to exploit on a system:

    • Gaining access

      • Operating system attacks

      • Application-level attacks

      • Scripts and sample program attacks

      • Misconfiguration attacks

    • Elevation of privileges

    • Denial of service


Uploading and Downloading Programs

  • After an attacker has gained access, they usually perform some set of actions on the server.

  • Most often, the attacker will load some programs onto the system.

  • With some attacks, such as corporate espionage, an attacker is after information


Keeping Access

  • In most cases, after an attacker gains access to a system, he will install a back door so that he can return whenever he wants.

  • Basic back doors are highly detectable

  • Sophisticated back doors are more difficult to detect

  • An attacker may gain access to the system and create a back door simultaneously


Covering Tracks

  • After an attacker compromises a machine and creates a back door, the last thing he does is make certain that he does not get caught

  • Clean up log files

  • Turn off logging

  • To protect against hackers, use a program that verifies that key files on the system have not been changed


Information Gathering


Information Gathering

  • Many companies only concentrate on protecting their systems from a specific exploit when they start building a security infrastructure

  • Key for a user or organization to know what information an attacker can acquire about them and minimize the potential damage

    • If the attacker can only gain limited information about the network, they will most likely move on to the next victim


Step 1: Gathering Initial Information

  • Find out initial information:

    • Open Source

    • Whois

    • Nslookup


Step 2: Discover address range of the network

  • Find out address range of the network:

    • ARIN (American Registry for Internet Numbers)

    • Traceroute


Step 3: Discovering Active Machines

  • Find active machines:

    • Ping


Step 4: Find Open Ports or Access Points

  • Applications used to find open ports or access points:

    • Portscanners

    • Nmap

    • ScanPort

    • War Dialers

    • THC-Scan


Step 5: Figure Out the Operating System

  • Tools used to determine Operating Systems

    • Queso

    • Nmap


Step 6: Figure Out Which Services are Running on Each Port

  • Tools used to determine which services are running on each port

    • Default port and OS

    • Telnet

    • Vulnerability scanners


Step 7: Map Out the Network

  • Tools used to map out the network

    • Traceroute

    • Visual Ping

    • Cheops


Spoofing


Types of Spoofing

  • Types of Spoofing Techniques

    • IP Spoofing

    • Email Spoofing

    • Web Spoofing

    • Non-Technical Spoofing


IP Spoofing

  • Basic Address Change

    • Protection Against Address Changes


IP Spoofing Continued

  • Source Routing

    • Allows you to specify the path a packet will take through the Internet

    • Types:

      • Loose Source Routing (LSR)

      • Strict Source Routing (SSR)

  • Protection Against Source Routing


IP Spoofing Continued

  • Trust Relationships

    • Protection Against Trust Relationships


EMAIL Spoofing

  • Similar Email Address

    • Protection Against Similar Email Address


EMAIL Spoofing

  • Modifying a Mail Client

    • Protection Against Modifying a Mail Client


EMAIL Spoofing

  • Telnet to Port 25

    • Protection Against Telnetting to Port 25


Web Spoofing

  • Basic Web Spoofing

    • Protection Against Basic Web Spoofing


Web Spoofing

  • Man-in-the-Middle Attacks

    • Protection Against Man-in-the-Middle Attacks


Web Spoofing

  • URL Rewriting

    • Protection Against URL Rewriting

      From Anonymizer.com


Web Spoofing

Tracking State:

  • Cookies

    • Protection Against Cookies


Web Spoofing

Tracking State:

  • URL Session Tracking

    • Protection Against URL Session Tracking


Web Spoofing

Tracking State:

  • Hidden Form Elements

    • Protection Against Hidden Form Elements


General Web Spoofing Protection

  • Disable JavaScript, ActiveX, etc.

  • Validate that application is properly tracking users

  • Make certain users can’t customize their browsers to display important information

  • Educate the users

  • Make certain that any form of ID used to track user is long and random


Non-Technical Spoofing

  • Social Engineering

  • Reverse Social Engineering

  • Non-Technical Spoofing Protection


Denial of Service (DOS)


What is a DOS Attack?

  • An attack through which a person can render a system unusable or significantly degraded by overloading the system’s resources

  • DOS attacks can be intentional or accidental

  • Often used by an attacker if they are unable to gain access to a network or machine


Some Types of DOS Attacks

  • Ping of Death

  • SSPing

  • Smurf

  • CPU Hog


Password Security


Typical Attack

  • Two of the most common weaknesses on computer systems:

    • Weak Passwords

    • Modems


Current State of Passwords

  • The current state of passwords in most companies and home systems is poor

    • Software often ships with default passwords that are rarely changed

    • Passwords are often chosen that are trivial to guess, or accounts have no password at all

    • Password change intervals are too long


History of Passwords

  • Users often choose simple passwords

    • Wife’s name

    • Favorite sport

    • Date of user’s birthday

  • Complex passwords are often written down since they are difficult to remember

    • Ex: [email protected]%d10


Future of Passwords

  • Single Sign On (SSO)

    • One password for user’s various applications

  • Biometrics

    • Fingerprint scan

    • Hand scan

    • Retinal scan

    • Facial scan

    • Voice scan


Strong Passwords

  • Subject to technology

  • Strong Password criteria:

    • Changes every 45 days

    • Minimum length of 10 characters

    • Must contain at least one alpha, one number, and one special character

    • Alpha, number, and special characters must be mixed up and not appended to the end

      • Ex: abdheus#7 = Bad

      • Ex: fg#g3^hs5gw = Good

    • Cannot contain dictionary words

    • Cannot reuse previous five passwords

    • Minimum password age of 10 days

    • After 3 failed logon attempts, password is locked for several hours
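The criteria above written out as a checker, an added example that is not part of the deck: it implements the static rules (length, character classes, mixing rather than appending, dictionary words, history of five) and leaves the time-based rules (45-day change, 10-day minimum age, lockout after 3 failures) to the login system. The wordlist and the rule names are constructed assumptions.

```python
import string
from typing import List, Optional

MIN_LENGTH = 10
HISTORY_DEPTH = 5
# Constructed sample wordlist; a real check loads a full dictionary file.
DICTIONARY_WORDS = {"password", "secret", "welcome", "summer", "admin", "letmein"}


def check_password(password: str, previous: Optional[List[str]] = None) -> List[str]:
    """Return the policy rules the password violates (an empty list means it passes).

    Covers the static rules on the slide: minimum length, one letter / one digit /
    one special character, characters mixed rather than appended to the end, no
    dictionary words, no reuse of the previous five passwords.
    """
    previous = previous or []
    failures: List[str] = []

    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")

    has_alpha = any(c.isalpha() for c in password)
    has_digit = any(c.isdigit() for c in password)
    has_special = any(c in string.punctuation for c in password)
    if not (has_alpha and has_digit and has_special):
        failures.append("needs a letter, a digit and a special character")

    # "Mixed up, not appended": some non-letter must sit between the first and the
    # last letter, so a word with "#7" tacked on the end is rejected.
    alpha_positions = [i for i, c in enumerate(password) if c.isalpha()]
    if alpha_positions:
        inner = password[alpha_positions[0]:alpha_positions[-1] + 1]
        if all(c.isalpha() for c in inner):
            failures.append("digits and special characters only at the ends")

    lowered = password.lower()
    if any(word in lowered for word in DICTIONARY_WORDS):
        failures.append("contains a dictionary word")

    if password in previous[-HISTORY_DEPTH:]:
        failures.append(f"reuses one of the previous {HISTORY_DEPTH} passwords")

    return failures
```

Run against the two slide examples, abdheus#7 fails on length and on having its digit and special character appended at the end, while fg#g3^hs5gw passes every rule.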


Why is Password Cracking Important?

  • To audit the strength of passwords

  • To recover forgotten/unknown passwords

  • To migrate users

  • To provide a checks-and-balances system


Types of Password Attacks

  • Dictionary Attacks

  • Brute Force Attacks

  • Hybrid Attacks

  • Social Engineering Attacks


Securing Microsoft Passwords


Where Are Passwords Stored in Microsoft?

  • Password hashes for each account are stored in the Security Account Manager (SAM)

  • \Windows-directory\system32\config\SAM

  • \Windows-directory\repair


How Does MS Encrypt Passwords?

  • 2 hash algorithms

    • One for regular NT hash

      • MD4 hash algorithm

    • One for LANMAN hash

      • Pad password with 0’s to equal 14 characters

      • Combined to attain 16-byte hash value


Why is it Easier to Crack MS Passwords?

  • LAN Manager hashing scheme

    • Maximum 7 character passwords

  • No Salts


Microsoft Password-Cracking Programs

  • L0phtcrack

  • NTSweep

  • NTCrack

  • PWDump2


L0phtcrack

  • Computes passwords from variety of sources using a variety of methods

  • 3 modes used to crack passwords:

    • Dictionary

    • Hybrid

    • Brute-Force


L0phtcrack Interface


L0phtcrack Performance Statistics

  • Cracks 90% of passwords under 5 hours

  • 18% of passwords cracked in under 5 minutes

  • Most domain admin accounts cracked

  • Most companies only require a minimum of 8-character passwords but have no other restrictions


Hiding L0phtcrack on Desktop


NTSweep

  • Takes advantage of Microsoft’s method of password changes

  • User is unaware of the password change

  • Can be run through a firewall without having special privileges

  • Can be run by anyone on the Internet


NTSweep’s Limitations

  • Slow to perform

    • Ex: Dictionary Attack

  • Information can be logged and can be displayed through Event Viewer

  • Guessing programs are not always accurate

    • May return failure even though the password was correct


Network Monitoring

  • Some Examples of Network Monitoring Tools Are:

  • HP OpenView

  • SolarWinds

  • Big Brother

  • Netsaint

  • Nagios


Monitoring

  • Good monitoring infrastructure will help detect attacks as they occur and stop them before there is a problem

  • Monitoring and logging are often used interchangeably

  • Two characteristics of good monitoring:

    • Secure

    • Intelligent

  • Problems with running multiple monitoring programs


What to Monitor

  • Focus on network devices that will impact more than one user if they fail

    • Servers

    • Routers and Switches

    • Security Monitoring

  • What services need to be monitored on each device


SNMP

  • SNMP (Simple Network Management Protocol) is the most popular method of monitoring network devices

  • SNMP’s popularity due to:

    • Modularity

    • Scalability

    • Adaptability

  • UDP-based protocol that uses Port 161 to exchange information

  • Uses Protocol Data Units (PDUs) to communicate between manager and agent


SNMP Security

  • SNMP has not proven to be very secure

  • SNMP is common attack target

  • Community Strings – passwords used to determine whether a device has read or read/write access to the network device

  • SNMP Version 1.0

    • Only included community strings to secure communications

    • Community strings are not encrypted and are sent in clear text

  • SNMP Version 3.0

    • Supports DES encryption between managers and agents

    • PDUs can use authentication to ensure validity of information

    • Agents configured to only allow certain groups access
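The v1 versus v3 contrast above, written out as an added example of a net-snmp `snmpd.conf` fragment (not taken from the deck): the weak community-string configuration beside an SNMPv3 user with authentication and encryption. The user name, passphrases and the restricted OID subtree are constructed placeholders.

```conf
# --- weak configuration (SNMPv1/v2c) ---
# The community string is the only credential, and it crosses the network
# in clear text, so anyone sniffing the segment learns it.
rocommunity public
rwcommunity private

# --- hardened configuration (SNMPv3), replacing the lines above ---
# Constructed placeholders: choose your own user name and long passphrases.
# net-snmp also accepts DES, the cipher the slide mentions, but AES is the
# better choice where both ends support it.
createUser monitor SHA "auth-passphrase-placeholder" AES "priv-passphrase-placeholder"
# "priv" requires authentication AND encryption on every request; limiting
# the user to the system subtree applies least privilege to what it can read.
rouser monitor priv .1.3.6.1.2.1.1
```

Once every manager speaks v3, remove the `rocommunity`/`rwcommunity` lines entirely rather than leaving them beside the v3 user.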


SNMP Types

  • Nagios

  • WhatsUp Gold

  • Netcool

  • Big Brother

  • HP Openview

  • Solarwinds


NAGIOS Defined

  • Nagios® is a host and service monitor designed to report network problems before clients, end users or administrators realize that they have occurred.

  • It was designed to run under the Linux operating system, but works fine under most Unix-like variants as well. Its web interface runs CGI (Common Gateway Interface) scripts, which process web forms, take the data entered by the end user, and write HTML on the fly for return to the end user's browser. The monitoring daemon runs intermittent checks on the hosts and services you specify using external "plugins", which return status information to Nagios. When problems are encountered, the daemon can send notifications to administrative contacts in a variety of ways (email, instant message, pager, etc.). Current status information, historical logs and reports can all be accessed via a web browser.


Features of Nagios

  • Monitoring of network services (SMTP, POP3, HTTP, NNTP, PING, etc.)

  • Monitoring of host resources (processor load, disk and memory usage, running processes, log files, etc.)

  • Monitoring of environmental factors such as temperature.

  • Simple plug-in design that allows users to easily develop their own host and service checks

  • Ability to define network host hierarchy, allowing detection of and distinction between hosts that are down and those that are unreachable

  • Contact notifications when service or host problems occur and get resolved (via email, pager, or other user-defined method)

  • Support for implementing redundant and distributed monitoring servers

  • Scheduled downtime for suppressing host and service notifications during periods of planned outages

  • Ability to acknowledge problems via the web interface
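A file-integrity check written as a Nagios plugin, added here as an example (not code from the deck or from the Nagios project): it serves both the "key files have not been changed" advice on the Covering Tracks slide and the plug-in design listed above. It assumes the standard Nagios plugin convention of exit codes 0/1/2/3 with a one-line status message; the baseline is built from the files you pass in, and the function and label names are assumptions.

```python
import hashlib
import os
from typing import Dict, List, Tuple

# Nagios plugin convention: the exit status tells Nagios the state, and the
# first line of output is shown in the web interface and in notifications.
OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3


def sha256_of(path: str) -> str:
    """Hash a file in chunks so large binaries need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(paths: List[str]) -> Dict[str, str]:
    """Record digests once on a known-good host; keep the result read-only."""
    return {p: sha256_of(p) for p in paths}


def check_integrity(baseline: Dict[str, str]) -> Tuple[int, str]:
    """Compare key files against the baseline; return (exit code, status line).

    A modified file is CRITICAL (altered binaries or truncated logs are the
    classic trace of track covering); a missing file is WARNING; a file that
    cannot be read is UNKNOWN, so a permissions problem is never reported as OK.
    """
    changed: List[str] = []
    missing: List[str] = []
    for path, expected in baseline.items():
        if not os.path.exists(path):
            missing.append(path)
            continue
        try:
            if sha256_of(path) != expected:
                changed.append(path)
        except OSError as exc:
            return UNKNOWN, f"INTEGRITY UNKNOWN - cannot read {path}: {exc}"
    if changed:
        return CRITICAL, "INTEGRITY CRITICAL - modified: " + ", ".join(changed)
    if missing:
        return WARNING, "INTEGRITY WARNING - missing: " + ", ".join(missing)
    return OK, f"INTEGRITY OK - {len(baseline)} files match baseline"
```

A wrapper script would load a stored baseline, print the status line and call `sys.exit(code)`; the baseline itself must live somewhere the monitored host cannot rewrite, or an attacker who edits the files simply edits the baseline too.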


Nagios Monitoring


Nagios 3-D Status Screen


Nagios Status Map


Nagios Service Information


Nagios Service Alert


Nagios WAP Interface


  • Login