INFORMATION SECURITY MANAGEMENT Chapter 10: Protection Mechanisms You got to be careful if you don’t know where you’re going, because you might not get there. – Yogi Berra
Windows XP Zero days turn to "forever days" http://windows.microsoft.com/en-us/windows/end-support-help
Hacking Networks Phase 1: Reconnaissance • Physical Break-In • Dumpster Diving • Google, Newsgroups, Web sites • Social Engineering • Phishing: fake email • Pharming: fake web pages • WhoIs Database • Domain Name Server Interrogations
WhoIs record for MICROSOFT.COM:
Registrant: Microsoft Corporation, One Microsoft Way, Redmond, WA 98052 US
Domain name: MICROSOFT.COM
Administrative Contact: Administrator, Domain, domains@microsoft.com, One Microsoft Way, Redmond, WA 98052 US, +1.4258828080
Technical Contact: Hostmaster, MSN, msnhst@microsoft.com, One Microsoft Way, Redmond, WA 98052 US, +1.4258828080
Registration Service Provider: DBMS VeriSign, dbms-support@verisign.com, 800-579-2848 x4. Please contact DBMS VeriSign for domain updates, DNS/Nameserver changes, and general domain support questions.
Registrar of Record: TUCOWS, INC.
Record last updated on 27-Aug-2006. Record expires on 03-May-2014. Record created on 02-May-1991.
Domain servers in listed order: NS3.MSFT.NET 213.199.144.151, NS1.MSFT.NET 207.68.160.190, NS4.MSFT.NET 207.46.66.126, NS2.MSFT.NET 65.54.240.126, NS5.MSFT.NET 65.55.238.126
Hacking Networks Phase 2: Scanning War Driving: Can I find a wireless network? War Dialing: Can I find a modem to connect to? Network Mapping: What IP addresses exist, and what ports are open on them? Vulnerability-Scanning Tools: What versions of software are implemented on devices?
Passive Attacks Eavesdropping: Listen to packets from other parties = Sniffing Traffic Analysis: Learn about network from observing traffic patterns Footprinting: Test to determine software installed on system = Network Mapping
Hacking Networks: Phase 3: Gaining Access Network Attacks: • Sniffing (Eavesdropping) • IP Address Spoofing • Session Hijacking System Attacks: • Buffer Overflow • Password Cracking • SQL Injection • Web Protocol Abuse • Denial of Service • Trap Door • Virus, Worm, Trojan horse
Some Active Attacks Denial of Service: Message did not make it; or service could not run Masquerading or Spoofing: The actual sender is not the claimed sender Message Modification: The message was modified in transmission Packet Replay: A past packet is transmitted again in order to gain access or otherwise cause damage
Man-in-the-Middle Attack [diagram: hosts 10.1.1.1, 10.1.1.2 and 10.1.1.3; message flow (1) Login, (2) Login, (3) Password, (4) Password]
Hacking Networks: Phase 4: Exploit/Maintain Access
• Backdoor: Control system: system commands, log keystrokes, pswd
• Trojan Horse: Useful utility actually creates a backdoor
• User-Level Rootkit: Replaces system executables: e.g. Login, ls, du
• Kernel-Level Rootkit: Replaces OS kernel: e.g. process or file control to hide
• Bots: Slave forwards/performs commands; spreads, list email addrs, DOS attacks
• Spyware/Adware: Spyware: Collect info: keystroke logger, collect credit card #s; AdWare: insert ads, filter search results
Botnets [diagram labels: Attacker, Handler, Bots, Zombies, China, Hungary] Bots: • Host illegal movies, music, pornography, criminal web sites, … • Forward Spam for financial gain
Distributed Denial of Service [diagram labels: Attacker, Handler, Zombies, Victim, Russia, Bulgaria, United States] Can barrage a victim server with requests, causing the network to fail to respond to anyone
Introduction • Threats -> Vulnerabilities -> Risk -> Controls • Technical controls • Must be combined with sound policy and education, training, and awareness efforts • Examples of technical security mechanisms
Sphere of Protection Source: Course Technology/Cengage Learning
Access Controls • The four processes of access control • Identification • Authentication • Authorization • Accountability • A successful access control approach always incorporates all four of these elements
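The four processes above are easiest to see as four checkpoints that every request passes in order. The following is an added example, not code from the textbook or the lecture; the user store, roles and permission matrix are constructed for illustration. It stores salted PBKDF2 hashes (authentication), checks a role-to-action matrix (authorization) and writes every decision, allowed or denied, to an audit log (accountability):

```python
import hashlib
import hmac
import os
import time

# Constructed, in-memory user store for illustration only; a real system keeps
# this in a directory service or database. Passwords are stored as salted
# PBKDF2-HMAC-SHA256 hashes, never in clear text.
_ITERATIONS = 100_000


def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, _ITERATIONS)


def make_user(password, roles):
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash_password(password, salt), "roles": set(roles)}


USERS = {
    "alice": make_user("correct horse battery staple", {"analyst"}),
    "bob": make_user("hunter2", {"analyst", "admin"}),
}

# Dummy record so that an unknown user name costs the same time as a wrong
# password; otherwise response time reveals which identities exist.
_DUMMY = make_user("placeholder", set())

# Authorization matrix (constructed): which roles may perform which action.
PERMISSIONS = {
    "read_report": {"analyst", "admin"},
    "change_firewall_rule": {"admin"},
}

# Accountability: every decision, allowed or denied, is written here.
AUDIT_LOG = []


def _audit(username, action, outcome, reason):
    AUDIT_LOG.append({"ts": time.time(), "user": username, "action": action,
                      "outcome": outcome, "reason": reason})


def request_action(username, password, action):
    """Run all four access-control steps; return True only if the action is allowed."""
    # 1. Identification: who does the requester claim to be?
    user = USERS.get(username)
    if user is None:
        _hash_password(password, _DUMMY["salt"])  # equalise timing (see above)
        _audit(username, action, "deny", "unknown identity")
        return False
    # 2. Authentication: can the claim be proven? Constant-time hash comparison.
    candidate = _hash_password(password, user["salt"])
    if not hmac.compare_digest(candidate, user["hash"]):
        _audit(username, action, "deny", "authentication failed")
        return False
    # 3. Authorization: may this identity perform this particular action?
    if not user["roles"] & PERMISSIONS.get(action, set()):
        _audit(username, action, "deny", "not authorized")
        return False
    # 4. Accountability: record successful use as well as refusals.
    _audit(username, action, "allow", "ok")
    return True


if __name__ == "__main__":
    print(request_action("alice", "correct horse battery staple", "read_report"))
    print(request_action("alice", "correct horse battery staple", "change_firewall_rule"))
    for entry in AUDIT_LOG:
        print(entry)
```

Note that the denial reasons are written to the audit log but not returned to the caller: the requester learns only "allowed" or "not allowed", so a failed identification and a failed authentication look the same from outside.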
Access Controls – Password Strength Table 10-1 Password power Source: Course Technology/Cengage Learning
Acceptability of Biometrics • Note: Iris Scanning has experienced rapid growth in popularity due to its acceptability, low cost, and effective security
Firewalls • Any device that prevents a specific type of information from moving between two networks Types: • Packet Filtering • Application Level • Stateful Inspection Firewalls
Packet filtering firewalls • Simple networking devices that filter packets by examining every incoming and outgoing packet header
Application-level firewalls • Consists of dedicated computers kept separate from the first filtering router (edge router) • Commonly used in conjunction with a second or internal filtering router - or proxy server • Implemented for specific protocols
Stateful inspection firewalls • Keeps track of each network connection established between internal and external systems using a state table • Can restrict incoming packets by allowing access only to packets that constitute responses to requests from internal hosts
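The difference between the packet filtering and stateful inspection slides above comes down to whether the firewall remembers earlier packets. The following simulation is an added example, not code from the textbook; the addresses, the port numbers and the "web browsing only" policy are constructed. A header-only filter that wants to let web replies back in has to trust the source port a reply would carry, so an unsolicited inbound packet that merely claims source port 80 gets through; the stateful version accepts inbound packets only when they match a connection recorded in its state table:

```python
from dataclasses import dataclass

INTERNAL_PREFIX = "10.1.1."  # constructed: the trusted (internal) network
WEB_PORTS = {80, 443}


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def is_internal(ip):
    return ip.startswith(INTERNAL_PREFIX)


def stateless_filter(pkt):
    """Packet filtering: the decision comes from this packet's header alone."""
    if is_internal(pkt.src_ip):
        # Outbound: policy allows web browsing only.
        return "allow" if pkt.dst_port in WEB_PORTS else "deny"
    # Inbound: with no memory of earlier packets, the only way to let web replies
    # back in is to trust the header field a reply would carry (source port 80/443).
    return "allow" if pkt.src_port in WEB_PORTS else "deny"


class StatefulFirewall:
    """Stateful inspection: a state table records connections opened from inside."""

    def __init__(self):
        # entries: (internal ip, internal port, external ip, external port)
        self.state_table = set()

    def filter(self, pkt):
        if is_internal(pkt.src_ip):
            if pkt.dst_port not in WEB_PORTS:
                return "deny"
            self.state_table.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
            return "allow"
        # Inbound packets are accepted only as responses to a recorded request.
        key = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        return "allow" if key in self.state_table else "deny"


# Constructed traffic: a legitimate outbound HTTPS request, its reply, and an
# unsolicited inbound packet to port 445 that merely claims source port 80.
OUTBOUND = Packet("10.1.1.5", 51000, "203.0.113.10", 443)
REPLY = Packet("203.0.113.10", 443, "10.1.1.5", 51000)
UNSOLICITED = Packet("198.51.100.7", 80, "10.1.1.5", 445)


def compare():
    """Return each packet's verdict under both firewall types, in arrival order."""
    fw = StatefulFirewall()
    results = {}
    for name, pkt in [("unsolicited", UNSOLICITED), ("outbound", OUTBOUND),
                      ("reply", REPLY), ("unsolicited_again", UNSOLICITED)]:
        results[name] = (stateless_filter(pkt), fw.filter(pkt))
    return results


if __name__ == "__main__":
    for name, (stateless, stateful) in compare().items():
        print(f"{name:18} packet filter: {stateless:5}  stateful: {stateful}")
```

A production state table also checks TCP flags (a new connection must start with SYN), removes entries on FIN/RST and times out idle ones; the simulation keeps only the part that explains the difference between the two slides.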
Firewall Architectures • Each firewall generation can be implemented in several architectural configurations • Common architectural implementations • Packet filtering routers • Screened-host firewalls
Firewall Architectures: Packet filtering routers Most organizations with an Internet connection use some form of router between their internal networks and the external service provider
Firewall Architectures: Screened-host firewall systems • Combine the packet filtering router with a separate, dedicated firewall such as an application proxy server
Selecting the Right Firewall • Firewall Technology • Cost • Maintenance • Future Growth
Managing Firewalls • Any firewall device must have its own configuration • Firewall Rules • Policy regarding firewall use • Firewall best practices • All traffic from the trusted network allowed out • The firewall is never accessible directly from the public network • Email Policies
Intrusion Detection and Prevention Systems (IDPS) • The term intrusion detection/prevention system (IDPS) can be used to describe current anti-intrusion technologies • Like firewall systems, IDPSs require complex configurations to provide the level of detection and response desired
Intrusion Detection and Prevention Systems (cont’d.) IDPS technologies can respond to a detected threat by attempting to prevent it from succeeding Network or Host Based Protection
IDPS – Host vs. Network http://www.windowsecurity.com/articles-tutorials/intrusion_detection/Hids_vs_Nids_Part1.html
Signature-Based IDPS • Examines data traffic for something that matches the preconfigured, predetermined attack pattern signatures • Weakness: slow and methodical attacks may slip undetected through the IDPS, as their actions may not match a signature that includes factors based on duration of the events
Statistical Anomaly-Based IDPS • First collects data from normal traffic and establishes a baseline • Then periodically samples network activity, based on statistical methods, and compares the samples to the baseline • Advantage: Able to detect new types of attacks, because it looks for abnormal activity of any type
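The two IDPS slides above (signature-based and statistical anomaly-based) can be run side by side over the same log. The following is an added example, not code from the textbook: the sshd-style log lines are constructed inside the block, and both detectors are deliberately simple. The signature is "five or more failed logins from one source within 60 seconds", which catches a burst but, exactly as the signature slide warns, misses a slow attack spread over hours. The anomaly detector learns an hourly baseline of failed logins from 48 hours of normal traffic and flags any hour above mean plus three standard deviations, which catches the slow attack without knowing what it looks like:

```python
import statistics
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

LOG_FORMAT = "%Y-%m-%dT%H:%M:%SZ"
T0 = datetime(2014, 3, 1, tzinfo=timezone.utc)  # constructed start of the baseline


def make_line(ts, user, src):
    # Constructed sshd-style log line (format chosen for this example).
    return f"{ts.strftime(LOG_FORMAT)} sshd[2231]: Failed password for {user} from {src} port 51022 ssh2"


def parse_failed_login(line):
    """Return (timestamp, source ip) for a failed-login line, else None."""
    if "Failed password" not in line:
        return None
    ts_text, _, rest = line.partition(" ")
    ts = datetime.strptime(ts_text, LOG_FORMAT).replace(tzinfo=timezone.utc)
    src = rest.rsplit(" from ", 1)[1].split()[0]
    return ts, src


def build_baseline_log():
    """48 hours of normal traffic: 0, 1 or 2 mistyped passwords per hour from staff hosts."""
    lines = []
    for hour in range(48):
        for k in range(hour % 3):
            ts = T0 + timedelta(hours=hour, minutes=7 + 15 * k)
            lines.append(make_line(ts, "alice", f"10.1.1.{20 + k}"))
    return lines


def build_observed_log():
    """Three later hours: background noise, one fast burst and one slow attack."""
    start = T0 + timedelta(hours=48)
    lines = []
    for hour in range(3):  # one ordinary failure per hour
        lines.append(make_line(start + timedelta(hours=hour, minutes=5), "bob", "10.1.1.30"))
    for k in range(6):  # burst: 6 failures in 30 seconds
        lines.append(make_line(start + timedelta(minutes=10, seconds=5 * k), "root", "198.51.100.7"))
    for k in range(24):  # slow: one failure every 5 minutes for 2 hours
        lines.append(make_line(start + timedelta(hours=1, minutes=5 * k), "admin", "203.0.113.9"))
    return sorted(lines)


def signature_detect(lines, threshold=5, window_s=60):
    """Signature: at least `threshold` failures from one source within `window_s`."""
    by_src = defaultdict(list)
    for line in lines:
        parsed = parse_failed_login(line)
        if parsed:
            ts, src = parsed
            by_src[src].append(ts)
    hits = set()
    for src, times in by_src.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if (times[i + threshold - 1] - times[i]).total_seconds() <= window_s:
                hits.add(src)
                break
    return hits


def hourly_sources(lines):
    """Map each clock hour to a Counter of failing source addresses."""
    per_hour = defaultdict(Counter)
    for line in lines:
        parsed = parse_failed_login(line)
        if parsed:
            ts, src = parsed
            per_hour[ts.replace(minute=0, second=0)][src] += 1
    return per_hour


def anomaly_detect(baseline_lines, observed_lines, sigmas=3.0):
    """Flag hours whose failure count exceeds baseline mean + sigmas * stdev."""
    base = hourly_sources(baseline_lines)
    first, last = min(base), max(base)
    n_hours = int((last - first).total_seconds() // 3600) + 1
    # Quiet hours count as zero so that they shape the baseline too.
    samples = [sum(base.get(first + timedelta(hours=h), Counter()).values()) for h in range(n_hours)]
    limit = statistics.mean(samples) + sigmas * statistics.pstdev(samples)
    flagged = {hour: srcs for hour, srcs in hourly_sources(observed_lines).items()
               if sum(srcs.values()) > limit}
    return limit, flagged


if __name__ == "__main__":
    observed = build_observed_log()
    print("signature hits:", signature_detect(observed))
    limit, flagged = anomaly_detect(build_baseline_log(), observed)
    print(f"anomaly limit: {limit:.2f} failures/hour")
    for hour, srcs in sorted(flagged.items()):
        print(hour.isoformat(), dict(srcs))
```

The burst source is the only signature hit, while the anomaly detector flags all three observed hours, and the per-hour Counter shows 203.0.113.9 dominating the two hours the signature missed. The price is the one the slide implies: the anomaly detector reports unusual hours, not attacks, so an analyst still has to look at the sources to decide.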
Managing IDPS • IDPSs must be configured to differentiate between routine circumstances and low, moderate, or severe threats • A properly configured IDPS can translate a security alert into different types of notifications • Most IDPSs monitor systems using agents • Consolidated enterprise manager
Honeypot & Honeynet Honeypot: A system with a special software application which appears easy to break into Honeynet: A network which appears easy to break into • Purpose: Catch attackers • All traffic going to honeypot/net is suspicious • If successfully penetrated, can launch further attacks • Must be carefully monitored [diagram labels: Firewall, Honey Pot, External DNS, VPN Server, IDS, Web Server, E-Commerce]
Remote Access Protection • Network connectivity using external connections • Usually much simpler and less sophisticated than Internet connections • Simple user name and password schemes are usually the only means of authentication
Managing Connections • Organizations that continue to offer remote access must: • Determine how many connections the organization has • Control access to authorized modem numbers • Use call-back whenever possible • Use token-based authentication if at all possible
Wi-Fi security • SSID should be a non-default value • SSID broadcast should be disabled • MAC access control • Authentication • Require ID and password, may use a RADIUS server • Encryption • WEP (Wired Equivalent Privacy) • WPA (Wireless Protected Access) • WPA2 (superset of WPA, full standard)
Managing Wireless Connections • Regulate the wireless network footprint • Select WPA or WPA2 over WEP • Protect preshared keys
Scanning and Analysis Tools • Used to find vulnerabilities in systems • Security administrators may use attacker’s tools to examine their own defenses and search out areas of vulnerability • Scanning tools • Footprinting • Fingerprinting
Pen Testing Article “What is Penetration Testing?”
Port Scanners • Port scanning utilities (port scanners)
Vulnerability Scanners • Capable of scanning networks for very detailed information • Identify exposed user names and groups, show open network shares, and expose configuration problems and other server vulnerabilities http://www.tenable.com/products/nessus
Packet Sniffers • A network tool that collects and analyzes packets on a network • Connects directly to a local network from an internal location http://www.wireshark.org/
Content Filters • A software program or a hardware/software appliance that allows administrators to restrict content that comes into a network • Common application of a content filter • Restriction of access to Web sites with non-business-related material, such as pornography, or restriction of spam e-mail Examples of Content Filters
Trap and Trace • Trap • Describes software designed to entice individuals who are illegally perusing the internal areas of a network • Trace • A process by which the organization attempts to determine the identity of someone discovered in unauthorized areas of the network or systems
Managing Scanning and Analysis Tools • The security manager must be able to see the organization’s systems and networks from the viewpoint of potential attackers • Drawbacks: • Tools do not have human-level capabilities • Most tools function by pattern recognition, so they only handle known issues • Some governments, agencies, institutions, and universities have established policies or laws that protect the individual user’s right to access content • Tool usage and configuration must comply with an explicitly articulated policy, and the policy must provide for valid exceptions
Cryptography • Encryption • The process of converting an original message into a form that cannot be understood by unauthorized individuals • Cryptology • The science of encryption • Composed of two disciplines: • cryptography • cryptanalysis
Cryptography (cont’d.) Cryptosystem Encipher Decipher • Algorithm • Key • Keyspace