Post on 12-Jan-2016


Modern Network Security Threats

Source: CCNA Security, Cisco Networking Academy


Modern Network Security Threats

1.1 Fundamental Principles of a Secure Network

1.2 Viruses, Worms, and Trojan Horses

1.3 Attack Methodologies


1.1 Fundamental Principles of a Secure Network

1.1.1 Evolution of Network Security

1.1.2 Drivers for Network Security

1.1.3 Network Security Organizations


1.1.1 Evolution of Network Security

In July 2001, the Code Red worm attacked web servers globally, infecting over 350,000 hosts.

Security of the network is ultimately the responsibility of everyone that uses it.


Evolution of Network Security

"Necessity is the mother of invention."



Evolution of Network Security

Internal threats can cause even greater damage than external threats.


Evolution of Network Security

Confidentiality, Integrity, Availability


Evolution of Network Security

Confidentiality: Prevent the disclosure of sensitive information to unauthorized people, resources, and processes.

Integrity: The protection of system information or processes from intentional or accidental modification.

Availability: The assurance that systems and data are accessible by authorized users when needed.


1.1.2 Drivers for Network Security

Hackers: negative and positive

Hacking is a driving force in network security.


Drivers for Network Security

Hacker timeline: 1960s: phreaking (John Draper); 1980s: wardialing; 1990s: wardriving; …


Drivers for Network Security: Network security professionals


1.1.3 Network Security Organizations

www.infosyssec.com

www.sans.org

www.cisecurity.org

www.cert.org

www.isc2.org

www.first.org

www.infragard.net

www.mitre.org

www.cnss.gov


1.2 Viruses, Worms, and Trojan Horses

1.2.1 Virus: Malicious software which attaches to another program to execute a specific unwanted function on a computer.

1.2.2 Worm: Executes arbitrary code and installs copies of itself in the memory of the infected computer, which then infects other hosts.

1.2.3 Trojan Horse: An application written to look like something else. When a Trojan Horse is downloaded and opened, it attacks the end-user computer from within.

1.2.4 Mitigating Viruses, Worms, and Trojan Horses

1.2.1 Viruses

1.2.2 Worms

Worms: Three major components to most worm attacks:

Enabling vulnerability - A worm installs itself using an exploit mechanism (email attachment, executable file, Trojan Horse) on a vulnerable system.

Propagation mechanism - After gaining access to a device, the worm replicates itself and locates new targets.

Payload - Any malicious code that results in some action. Most often this is used to create a backdoor to the infected host.


Worms: Five basic phases of a worm or virus attack:


1.2.3 Trojan Horses

The term Trojan Horse originated from Greek mythology. In computing, a Trojan Horse is malicious software. It has to be spread through social engineering or by manually emailing it; it does not replicate itself, and it does not infect other files.


Trojan Horses: Classification of Trojan Horses:

Remote-access Trojan Horse (enables unauthorized remote access)

Data-sending Trojan Horse (provides the attacker with sensitive data such as passwords)

Destructive Trojan Horse (corrupts or deletes files)

Proxy Trojan Horse (user's computer functions as a proxy server)

FTP Trojan Horse (opens port 21)

Security software disabler Trojan Horse (stops anti-virus programs or firewalls from functioning)

Denial of Service Trojan Horse (slows or halts network activity)


1.2.4 Mitigating Viruses, Worms, and Trojan Horses

Viruses and Trojan Horses tend to take advantage of local root buffer overflows. A root buffer overflow is a buffer overflow intended to attain root privileges to a system.

Worms such as SQL Slammer and Code Red exploit remote root buffer overflows.

The primary means of mitigating virus and Trojan Horse attacks is anti-virus software. Anti-virus products are host-based and do not prevent viruses from entering the network.

Network security professionals need to be aware of the major viruses and keep track of security updates regarding emerging viruses.


Mitigating Viruses, Worms, and Trojan Horses

Worms are more network-based than viruses. The response to a worm infection can be broken down into four phases: containment, inoculation, quarantine, and treatment.


Mitigating Viruses, Worms, and Trojan Horses

Containment: Limiting the spread of a worm infection to areas of the network that are already affected. This requires compartmentalization and segmentation of the network to slow down or stop the worm and prevent currently infected hosts from targeting and infecting other systems. It also requires using both outgoing and incoming ACLs on routers and firewalls at control points within the network.

Inoculation: All uninfected systems are patched with the appropriate vendor patch for the vulnerability. The process further deprives the worm of any available targets. A network scanner can help identify potentially vulnerable hosts.


Mitigating Viruses, Worms, and Trojan Horses

Quarantine: Involves tracking down and identifying infected machines within the contained areas and disconnecting, blocking, or removing them. This isolates these systems appropriately for the treatment phase.

Treatment: Actively infected systems are disinfected of the worm. This can involve terminating the worm process, removing modified files or system settings that the worm introduced, and patching the vulnerability the worm used to exploit the system. In more severe cases, it can require completely reinstalling the system to ensure that the worm and its byproducts are removed.


Mitigating Viruses, Worms, and Trojan Horses

Example (SQL Slammer worm): Malicious traffic was detected on UDP port 1434. To prevent the spreading, block this port on all devices throughout the internal network. In some cases, the port on which the worm is spreading might be critical to business operation, for example when access to the SQL Server is required for legitimate business transactions. In such a situation, alternatives must be considered. If the network devices using the service on the affected port are known, permitting selective access is an option.
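The "selective access" option in the Slammer example comes down to an ordered, first-match access list: permit the known clients to the SQL Server on UDP 1434, deny every other use of UDP 1434, and let the rest of the traffic flow. The Python below is an added example written for this page, not Cisco's or the course's code; the application-server subnet 10.0.10.0/24, the SQL Server address 10.0.20.5, the sample packets and the simplified ACL model are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional

# Constructed model of an ordered, first-match access list as applied at a
# router or firewall control point. Addresses and rule order are assumptions.

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                   # "udp", "tcp" or "icmp"
    dport: Optional[int] = None  # destination port, None for ICMP

@dataclass(frozen=True)
class Ace:
    """One access control entry."""
    action: str                  # "permit" or "deny"
    proto: str                   # "udp", "tcp", "icmp" or "ip" (any protocol)
    src: IPv4Network
    dst: IPv4Network
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if ip_address(p.src) not in self.src or ip_address(p.dst) not in self.dst:
            return False
        return self.dport is None or self.dport == p.dport

def evaluate(acl: List[Ace], p: Packet) -> str:
    """First matching entry decides; a list that matches nothing ends in an implicit deny."""
    for ace in acl:
        if ace.matches(p):
            return ace.action
    return "deny"

def classify(acl: List[Ace], packets: List[Packet]) -> List[str]:
    return [evaluate(acl, p) for p in packets]

ANY = ip_network("0.0.0.0/0")
APP_SERVERS = ip_network("10.0.10.0/24")   # constructed: hosts that legitimately query the SQL Server
SQL_SERVER = ip_network("10.0.20.5/32")    # constructed: the SQL Server the business depends on

# Containment list for the Slammer scenario: known clients keep UDP 1434 to the
# SQL Server, every other use of UDP 1434 is denied, and all other traffic flows.
SLAMMER_ACL = [
    Ace("permit", "udp", APP_SERVERS, SQL_SERVER, dport=1434),
    Ace("deny", "udp", ANY, ANY, dport=1434),
    Ace("permit", "ip", ANY, ANY),
]

# Constructed sample traffic crossing the control point.
SAMPLE_PACKETS = [
    Packet("10.0.10.7", "10.0.20.5", "udp", 1434),   # app server to SQL Server
    Packet("10.0.30.9", "10.0.20.5", "udp", 1434),   # unknown host probing the SQL Server
    Packet("10.0.30.9", "10.0.20.5", "tcp", 443),    # unrelated HTTPS traffic
    Packet("10.0.10.7", "10.0.99.1", "udp", 1434),   # app server (possibly infected) probing another host
]

if __name__ == "__main__":
    for p, verdict in zip(SAMPLE_PACKETS, classify(SLAMMER_ACL, SAMPLE_PACKETS)):
        print(f"{p.src} -> {p.dst} {p.proto}/{p.dport}: {verdict}")
```

Rule order is the whole point: the permit for the known clients must precede the blanket deny on 1434, and the trailing permit keeps business traffic flowing. Note the fourth packet: even a permitted application server cannot reach UDP 1434 on hosts other than the SQL Server, so an infected client in that subnet is contained as well.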


1.3 Attack Methodologies

Reconnaissance Attacks: Reconnaissance attacks involve the unauthorized discovery and mapping of systems, services, or vulnerabilities. Also known as information gathering, reconnaissance in most cases precedes an access or DoS attack.

Access Attacks: Access attacks exploit known vulnerabilities in authentication services, FTP services, and web services.

Denial of Service Attacks: Denial of service attacks send extremely large numbers of requests over a network or the Internet. These excessive requests cause the target device to run suboptimally. Consequently, the attacked device becomes unavailable for legitimate access and use.

Social Engineering Attacks: A class of attacks that uses trickery on people instead of computers.


1.3.1 Reconnaissance Attacks

Reconnaissance attacks use various tools to gain access to a network: packet sniffers, ping sweeps, port scans, and Internet information queries.


Reconnaissance Attack: A packet sniffer is a software application that uses a network adapter card in promiscuous mode to capture all network packets that are sent across a LAN. Some network applications distribute network packets in unencrypted plaintext. Numerous freeware and shareware packet sniffers exist.


Reconnaissance Attack: Keep in mind that reconnaissance attacks are typically the precursor to further attacks. A network security professional can detect when a reconnaissance attack is underway by configuring alarms that are triggered when certain parameters are exceeded, such as ICMP requests per second.

Host-based intrusion prevention systems and standalone network-based intrusion detection systems can also be used to notify when a reconnaissance attack is occurring.

Cisco IOS security images running on ISRs
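The alarm the slide mentions (ICMP requests per second) and the ping sweeps and port scans listed earlier can all be detected from flow records with one sliding-window technique. The Python below is an added example written for this page, not Cisco IOS or IPS code; the record layout, the thresholds (20 echo requests per second, 10 hosts or 15 ports within five seconds) and the sample traffic are constructed assumptions. It goes a little beyond the slide by covering sweeps and scans as well as the per-second rate.

```python
from collections import defaultdict, deque
from typing import Deque, Dict, Iterable, List, Set, Tuple

# Record shape: (timestamp_ms, src, dst, proto, dport). Everything below is
# constructed for this example; the thresholds are assumptions, not vendor defaults.
Record = Tuple[int, str, str, str, int]

def icmp_rate_alarms(records: Iterable[Record], threshold_per_sec: int = 20,
                     window_ms: int = 1000) -> List[Tuple[int, str, int]]:
    """Alarm when one source exceeds threshold ICMP echo requests inside a sliding
    one-second window. Returns (time_ms, src, count), once per offending source."""
    windows: Dict[str, Deque[int]] = defaultdict(deque)
    alarms: List[Tuple[int, str, int]] = []
    alarmed: Set[str] = set()
    for ts, src, _dst, proto, _dport in sorted(records):
        if proto != "icmp-echo":
            continue
        q = windows[src]
        q.append(ts)
        while q and ts - q[0] >= window_ms:      # drop requests older than the window
            q.popleft()
        if len(q) > threshold_per_sec and src not in alarmed:
            alarms.append((ts, src, len(q)))
            alarmed.add(src)
    return alarms

def _burst_keys(events: Iterable[Tuple[int, str, object]], min_distinct: int,
                window_ms: int) -> Set[str]:
    """events: (ts, key, value). Return keys that touched at least min_distinct
    distinct values within any window_ms span; the window bounds memory per key."""
    recent: Dict[str, Deque[Tuple[int, object]]] = defaultdict(deque)
    flagged: Set[str] = set()
    for ts, key, value in sorted(events):
        q = recent[key]
        q.append((ts, value))
        while q and ts - q[0][0] > window_ms:
            q.popleft()
        if len({v for _, v in q}) >= min_distinct:
            flagged.add(key)
    return flagged

def ping_sweep_sources(records: Iterable[Record], min_hosts: int = 10,
                       window_ms: int = 5000) -> Set[str]:
    """Sources that echo-requested many distinct hosts in a short span."""
    events = [(ts, src, dst) for ts, src, dst, proto, _ in records if proto == "icmp-echo"]
    return _burst_keys(events, min_hosts, window_ms)

def port_scan_pairs(records: Iterable[Record], min_ports: int = 15,
                    window_ms: int = 5000) -> Set[str]:
    """'src->dst' pairs where one source sent SYNs to many distinct ports of one host."""
    events = [(ts, f"{src}->{dst}", dport) for ts, src, dst, proto, dport in records
              if proto == "tcp-syn"]
    return _burst_keys(events, min_ports, window_ms)

def sample_records() -> List[Record]:
    """Constructed traffic: a benign monitoring host, then one host sweeping and scanning."""
    recs: List[Record] = []
    for i in range(10):                          # monitoring host: two pings per second
        recs.append((i * 1000, "10.0.0.5", "10.0.1.10", "icmp-echo", 0))
        recs.append((i * 1000 + 500, "10.0.0.5", "10.0.1.11", "icmp-echo", 0))
    for i in range(1, 51):                       # ping sweep: 50 hosts inside one second
        recs.append((30000 + i * 20, "10.0.9.9", f"10.0.1.{i}", "icmp-echo", 0))
    for port in range(1, 41):                    # port scan: 40 ports of one host in 0.4 s
        recs.append((40000 + port * 10, "10.0.9.9", "10.0.1.10", "tcp-syn", port))
    return recs

if __name__ == "__main__":
    recs = sample_records()
    print("ICMP rate alarms:", icmp_rate_alarms(recs))
    print("ping sweep sources:", ping_sweep_sources(recs))
    print("port scan pairs:", port_scan_pairs(recs))
```

The monitoring host never trips any rule because its two echo requests per second and two distinct destinations stay under every threshold, while the sweeping host is reported by all three detectors. In production the thresholds would be tuned against a baseline of the network's own monitoring traffic so that legitimate pollers do not alarm.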


1.3.2 Access Attacks

Hackers use access attacks on networks or systems for three reasons: to retrieve data, to gain access, and to escalate access privileges.

There are five types of access attacks: password attack, trust exploitation, port redirection, man-in-the-middle attack, and buffer overflow.


Access Attacks: Password attack

An attacker attempts to guess system passwords. Most password attacks are brute-force attacks, which involve repeated attempts based on a built-in dictionary to identify a user account or password.


Access Attacks: Password attack

Example: A user can run the L0phtCrack, or LC5, application to perform a brute-force attack to obtain a Windows server password.

When the password is obtained, the attacker can install a keylogger, which sends a copy of all keystrokes to a desired destination.

Or, a Trojan Horse can be installed to send a copy of all packets sent and received by the target to a particular destination, thus enabling the monitoring of all the traffic to and from that server.


Access Attacks: Trust exploitation

An attacker uses privileges granted to a system in an unauthorized way, possibly leading to compromising the target.


Access Attacks: Port redirection

A compromised system is used as a jump-off point for attacks against other targets. An intrusion tool is installed on the compromised system for session redirection.


Access Attacks: Man-in-the-middle attack

An attacker is positioned in the middle of communications between two legitimate entities in order to read or modify the data that passes between the two parties.

A popular man-in-the-middle attack involves a laptop acting as a rogue access point to capture and copy all network traffic from a targeted user. Often the user is in a public location on a wireless hotspot.


Access Attacks: Buffer overflow

A program writes data beyond the allocated buffer memory, so that valid data is overwritten or the overflow is exploited to enable the execution of malicious code.


Access Attacks: Detecting access attacks:

Reviewing logs: Check the number of failed login attempts.

Bandwidth utilization: Detects man-in-the-middle attacks. Man-in-the-middle attacks often involve replicating data. An indication of such an attack is an unusual amount of network activity and bandwidth utilization.

Process loads: Detects buffer overflow attacks. A compromised system would likely be revealed by sluggish activity due to ongoing buffer overflow attacks, as indicated by active process loads viewable on a Windows or UNIX system.


1.3.3 Denial of Service Attacks

A DoS attack is a network attack. DoS attacks attempt to compromise the availability of a network, host, or application. There are two major reasons a DoS attack occurs:

A host or application fails to handle an unexpected condition.

A network, host, or application is unable to handle an enormous quantity of data.


Denial of Service Attacks: DDoS (Distributed DoS)

A Distributed Denial of Service Attack (DDoS) is similar in intent to a DoS attack, except that a DDoS attack originates from multiple coordinated sources.

In addition to increasing the amount of network traffic from multiple distributed attackers, a DDoS attack also presents the challenge of requiring the network defense to identify and stop each distributed attacker.


Denial of Service Attacks: DDoS (Distributed DoS)

Example: A hacker scans for systems that are accessible. After the hacker accesses several "handler" systems, the hacker installs zombie software on them. Zombies then scan and infect agent systems. When the hacker accesses the agent systems, the hacker loads remote-control attack software to carry out the DDoS attack.

Source: Security+ Guide to Network Security Fundamentals, Thomson


Denial of Service Attacks: Three common DoS attacks: Ping of Death, Smurf Attack, TCP SYN Flood.


Denial of Service Attacks: Ping of Death

A hacker sends an echo request in an IP packet larger than the maximum packet size of 65,535 bytes.

Sending a ping of this size can crash the target computer.

A variant of this attack is to crash a system by sending ICMP fragments, which fill the reassembly buffers of the target.

ping -t -l 65550 192.168.1.1
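The command above asks for a payload larger than one IP datagram can carry, so the sender fragments it and the receiving stack only discovers at reassembly that the pieces add up to more than 65,535 bytes. The check a hardened stack applies is sketched below as an added example written for this page (not code from the course or from Cisco): a fragment whose offset plus length would push the datagram past the maximum is dropped together with everything already held for that datagram, and the number of datagrams held open is capped so that the fragment-flood variant cannot exhaust the reassembly buffers. The 20-byte header (no IP options), the 1480-byte fragment size and the pending-datagram cap are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

MAX_IP_DATAGRAM = 65535   # largest Total Length the 16-bit IPv4 header field can express
IP_HEADER_LEN = 20        # assumption for this example: no IP options

@dataclass(frozen=True)
class Fragment:
    ident: int        # Identification field shared by all fragments of one datagram
    offset: int       # Fragment Offset field, in 8-byte units
    more: bool        # MF flag: more fragments follow
    payload: bytes

class Reassembler:
    """Collects fragments per Identification value, refusing any datagram whose
    reassembled size would exceed MAX_IP_DATAGRAM (the Ping of Death condition),
    and capping the number of datagrams held open so a fragment flood cannot
    exhaust the reassembly buffers. The cap value is a constructed assumption."""

    def __init__(self, max_pending: int = 64):
        self.max_pending = max_pending
        self.pending: Dict[int, Dict[int, bytes]] = {}      # ident -> {byte offset: payload}
        self.final_len: Dict[int, Optional[int]] = {}        # ident -> payload length once MF=0 seen
        self.dropped: List[Tuple[int, str]] = []

    def add(self, f: Fragment) -> Optional[bytes]:
        start = f.offset * 8
        end = IP_HEADER_LEN + start + len(f.payload)
        if end > MAX_IP_DATAGRAM:
            # Oversized: discard this fragment and everything already held for the datagram.
            self.pending.pop(f.ident, None)
            self.final_len.pop(f.ident, None)
            self.dropped.append((f.ident, f"reassembled length {end} exceeds {MAX_IP_DATAGRAM}"))
            return None
        if f.ident not in self.pending:
            if len(self.pending) >= self.max_pending:
                self.dropped.append((f.ident, "reassembly buffers exhausted"))
                return None
            self.pending[f.ident] = {}
            self.final_len[f.ident] = None
        self.pending[f.ident][start] = f.payload
        if not f.more:
            self.final_len[f.ident] = start + len(f.payload)
        return self._complete(f.ident)

    def _complete(self, ident: int) -> Optional[bytes]:
        """Return the datagram payload once fragments cover [0, final_len) without gaps."""
        total = self.final_len[ident]
        if total is None:
            return None
        parts = self.pending[ident]
        pos = 0
        while pos < total:
            chunk = parts.get(pos)
            if chunk is None:
                return None             # gap: keep waiting for the missing fragment
            pos += len(chunk)
        del self.pending[ident], self.final_len[ident]
        return b"".join(parts[o] for o in sorted(parts))

def fragment_datagram(ident: int, payload: bytes, frag_payload: int = 1480) -> List[Fragment]:
    """Split an IP payload the way a sender behind a 1500-byte MTU would (constructed helper)."""
    frags = []
    for start in range(0, len(payload), frag_payload):
        chunk = payload[start:start + frag_payload]
        frags.append(Fragment(ident, start // 8, start + len(chunk) < len(payload), chunk))
    return frags

def reassemble_all(frags: List[Fragment]) -> Tuple[List[bytes], List[Tuple[int, str]]]:
    """Feed fragments through one Reassembler; return completed datagrams and drop reasons."""
    r = Reassembler()
    completed = [d for d in (r.add(f) for f in frags) if d is not None]
    return completed, r.dropped

if __name__ == "__main__":
    # A 65,550-byte ping payload plus the 8-byte ICMP header, as the command above would send.
    done, dropped = reassemble_all(fragment_datagram(2, b"\x00" * (65550 + 8)))
    print(len(done), "completed;", dropped)
```

Only the last fragment of the oversized datagram trips the length check, which is exactly why unpatched stacks of the time failed: each fragment looked valid on its own and the overflow happened in the reassembly buffer.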


Denial of Service Attacks: Smurf Attack

In a smurf attack, a perpetrator sends a large number of ICMP requests to directed broadcast addresses, all with spoofed source addresses.

If the routing device delivering traffic to those broadcast addresses forwards the directed broadcasts, all hosts on the destination networks send ICMP replies, multiplying the traffic by the number of hosts on the networks.

On a multi-access broadcast network, hundreds of machines might reply to each packet.


Denial of Service Attacks: TCP SYN Flood

A flood of TCP SYN packets is sent, often with a forged sender address. Each packet is handled like a connection request, causing the server to spawn a half-open connection by sending back a TCP SYN-ACK packet and waiting for a packet in response from the sender address.

However, because the sender address is forged, the response never comes. These half-open connections saturate the number of available connections the server is able to make, keeping it from responding to legitimate requests until after the attack ends.

The three-way handshake is correctly performed

Source: http://en.wikipedia.org/wiki/SYN_flood


Denial of Service Attacks: To date, hundreds of DoS attacks have been documented. There are five basic ways that DoS attacks can do harm:

Consumption of computational resources, such as bandwidth, disk space, or processor time

Disruption of configuration information, such as routing information

Disruption of state information, such as unsolicited resetting of TCP sessions

Disruption of physical network components

Obstruction of communication between the victim and others

51

1.3.4 Social Engineering Attacks

Social engineering attacks trick a person into revealing confidential information. Such an attack is based on deceiving users or administrators at the target site and is done to gain illicit access to systems or useful information. The goals of social engineering are fraud, network intrusion, industrial espionage, identity theft, etc.

52

1.3.5 Mitigating Network Attacks

Reconnaissance attacks can be mitigated in several ways:

Using strong authentication such as a One-Time Password (OTP).

Encryption, which makes captured data unreadable.

Antisniffer tools to determine whether hosts are processing more traffic than their own traffic loads would indicate.

A switched infrastructure, which makes it difficult to capture any data except that on your immediate collision domain, which probably contains only one host.

Network-based IPS and host-based IPS can usually notify an administrator when a reconnaissance attack is under way.


Mitigating Network Attacks: Techniques are available for mitigating access attacks:

Strong password policy:

Disabling accounts after a specific number of unsuccessful logins. This practice helps to prevent continuous password attempts.

Not using plaintext passwords. Use either a one-time password (OTP) or encrypted password.

Using strong passwords. Strong passwords are at least eight characters and contain uppercase letters, lowercase letters, numbers, and special characters.
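The detection advice from the access-attacks slide (review logs for failed login attempts) and the two password-policy rules here (disable an account after a set number of failures; require eight-plus characters with mixed classes) fit together in one small log-review tool. The Python below is an added example written for this page, not Cisco or course code; the sshd-style log lines, host names, addresses and times are constructed, the year is assumed because syslog timestamps omit it, and the lockout threshold (five failures in ten minutes) is an assumption.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Tuple

# Constructed syslog-style lines in the shape sshd writes for password logins.
# Host, user names, addresses and times are made up for this example.
SAMPLE_LOG = """\
Mar 12 10:00:01 gw sshd[2101]: Failed password for admin from 192.0.2.45 port 5101 ssh2
Mar 12 10:00:03 gw sshd[2101]: Failed password for admin from 192.0.2.45 port 5101 ssh2
Mar 12 10:00:04 gw sshd[2103]: Failed password for admin from 192.0.2.45 port 5102 ssh2
Mar 12 10:00:06 gw sshd[2105]: Failed password for admin from 192.0.2.45 port 5103 ssh2
Mar 12 10:00:07 gw sshd[2107]: Failed password for admin from 192.0.2.45 port 5104 ssh2
Mar 12 10:00:09 gw sshd[2109]: Failed password for admin from 192.0.2.45 port 5105 ssh2
Mar 12 10:02:30 gw sshd[2120]: Failed password for alice from 10.0.0.8 port 40112 ssh2
Mar 12 10:02:41 gw sshd[2120]: Accepted password for alice from 10.0.0.8 port 40112 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<stamp>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)

Event = Tuple[datetime, str, str, str]   # (time, result, user, src)

def parse_auth_log(text: str, year: int = 2016) -> List[Event]:
    """Parse sshd password-authentication lines; syslog omits the year, so one is assumed."""
    events: List[Event] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue      # other daemons and key-based logins are out of scope here
        ts = datetime.strptime(f"{m['stamp']} {year}", "%b %d %H:%M:%S %Y")
        events.append((ts, m["result"], m["user"], m["src"]))
    return events

def accounts_to_disable(events: List[Event], max_failures: int = 5,
                        window: timedelta = timedelta(minutes=10)) -> Dict[str, Tuple[datetime, List[str]]]:
    """Lockout rule from the slide: an account with max_failures failed logins inside
    the window is disabled. Returns user -> (time the rule fired, sorted source addresses)."""
    recent: Dict[str, Deque[Tuple[datetime, str]]] = defaultdict(deque)
    locked: Dict[str, Tuple[datetime, List[str]]] = {}
    for ts, result, user, src in sorted(events):
        if result != "Failed":
            continue
        q = recent[user]
        q.append((ts, src))
        while q and ts - q[0][0] > window:      # forget failures older than the window
            q.popleft()
        if len(q) >= max_failures and user not in locked:
            locked[user] = (ts, sorted({s for _, s in q}))
    return locked

def password_meets_policy(pw: str, min_len: int = 8) -> bool:
    """Strong-password rule from the slide: at least eight characters with uppercase,
    lowercase, digits and special characters."""
    return (len(pw) >= min_len
            and any(c.isupper() for c in pw)
            and any(c.islower() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(not c.isalnum() for c in pw))

if __name__ == "__main__":
    for user, (when, sources) in accounts_to_disable(parse_auth_log(SAMPLE_LOG)).items():
        print(f"disable {user}: {len(sources)} source(s) {sources}, rule fired {when:%H:%M:%S}")
```

In the sample, admin collects five failures within six seconds from one address and is flagged at 10:00:07, while alice's single failure followed by a success is left alone. Reporting the source addresses alongside the account matters in practice: a lockout triggered from many addresses against one account looks like a distributed guess, while many accounts from one address points at a single scanner, and the two call for different responses.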

55

Mitigating Network Attacks: Techniques are available for mitigating access attacks:

Principle of minimum trust: The principle of minimum trust should also be designed into the network structure. This means that systems should not use one another unnecessarily. For example, if an organization has a server that is used by untrusted devices, such as web servers, the trusted device (server) should not trust the untrusted devices (web servers) unconditionally.

Cryptography: Using encryption for remote access to a network is recommended.


Mitigating Network Attacks: Mitigating DDoS attacks requires careful diagnostics, planning, and cooperation from ISPs. The most important elements for mitigating DoS attacks are firewalls and IPSs.

58

Mitigating Network Attacks: Social Engineering Countermeasures

Take proper care of trash and discarded items.

Ensure that all system users have periodic training about network security.

Source: Security+ Guide to Network Security Fundamentals, Thomson

59

Mitigating Network Attacks: There are 10 best practices for your network:

1. Keep patches up to date by installing them weekly or daily, if possible, to prevent buffer overflow and privilege escalation attacks.

2. Shut down unnecessary services and ports.

3. Use strong passwords and change them often.

4. Control physical access to systems.

5. Avoid unnecessary web page inputs.

6. Perform backups and test the backed up files on a regular basis.

7. Educate employees about the risks of social engineering, and develop strategies to validate identities over the phone, via email, or in person.

8. Encrypt and password-protect sensitive data.

9. Implement security hardware and software firewalls, IPSs, virtual private network (VPN) devices, anti-virus software, and content filtering.

10. Develop a written security policy for the company.
