Chapter One: Modern Network Security Threats



Upload: patrick-phillips

Post on 23-Dec-2015


TRANSCRIPT

  • Slide 1
  • Chapter One Modern Network Security Threats
  • Slide 2
  • Major Concepts
    - Rationale for network security
    - Data confidentiality, integrity, availability
    - Risks, threats, vulnerabilities and countermeasures
    - Methodology of a structured attack
    - Security model (McCumber cube)
    - Security policies, standards and guidelines
    - Selecting and implementing countermeasures
    - Network security design
  • Slide 3
  • Lesson Objectives: upon completion of this lesson, the successful participant will be able to:
    1. Describe the rationale for network security
    2. Describe the three principles of network security
    3. Identify risks, threats, vulnerabilities and countermeasures
    4. Discuss the three states of information and identify threats and appropriate countermeasures for each state
    5. Differentiate between security policies, standards and guidelines
  • Slide 4
  • Lesson Objectives (continued)
    6. Describe the difference between structured and unstructured network attacks
    7. Describe the stages and tools used in a structured attack
    8. Identify security organisations that influence and shape network security
    9. Identify career specialisations in Network Security
  • Slide 5
  • What is Network Security? National Security Telecommunications and Information Systems Security Committee (NSTISSC) Network security is the protection of information and systems and hardware that use, store, and transmit that information. Network security encompasses those steps that are taken to ensure the confidentiality, integrity, and availability of data or resources.
  • Slide 6
  • Rationale for Network Security: network security initiatives and network security specialists can be found in private and public, large and small companies and organisations. The need for network security and its growth are driven by many factors:
    1. Internet connectivity is 24/7 and is worldwide
    2. Increase in cyber crime
    3. Impact on business and individuals
    4. Legislation & liabilities
    5. Proliferation of threats
    6. Sophistication of threats
  • Slide 7
  • Cyber Crime
    - Fraud/Scams
    - Identity Theft
    - Child Pornography
    - Theft of Telecommunications Services
    - Electronic Vandalism, Terrorism and Extortion
    WASHINGTON, D.C. An estimated 3.6 million households, or about 3 percent of all households in the nation, learned that they had been the victim of at least one type of identity theft during a six-month period, according to the Justice Department's
  • Slide 8
  • Business Impact
    1. Decrease in productivity
    2. Loss of sales revenue
    3. Release of unauthorized sensitive data
    4. Theft of trade secrets or formulas
    5. Compromise of reputation and trust
    6. Loss of communications
    7. Threat to environmental and safety systems
    8. Loss of time
    Current Computer Crime Cases: http://www.justice.gov/criminal/cybercrime/cccases.html
  • Slide 9
  • Proliferation of Threats: in 2001, the National Infrastructure Protection Center at the FBI released a document summarizing the Ten Most Critical Internet Security Vulnerabilities. Since then, thousands of organizations have relied on this list to prioritize their efforts so they can close the most dangerous holes first. The threat landscape is very dynamic, which in turn makes it necessary to adopt newer security measures: over just the last few years, the kinds of vulnerabilities being exploited have become very different from those exploited in the past.
  • Slide 10
  • Network Security Threat
    - A potential danger to information or a system
    - Example: the ability to gain unauthorized access to systems or information in order to commit fraud, network intrusion, industrial espionage, identity theft, or simply to disrupt the system or network
    - There may be weaknesses that greatly increase the likelihood of a threat manifesting
    - Threats may include equipment failure, structured attacks, natural disasters, physical attacks, theft, viruses and many other potential events causing danger or damage
  • Slide 11
  • Sophistication of Threats
  • Slide 12
  • Types of Network Threats
    - Impersonation
    - Eavesdropping
    - Denial-of-service
    - Packet replay
    - Man-in-the-middle
    - Packet modification
  • Slide 13
  • Vulnerability
    - A network vulnerability is a weakness in a system, technology, product or policy
    - In today's environment, several organisations track, organize and test these vulnerabilities
    - Each vulnerability is given an ID and can be reviewed by network security professionals over the Internet. The Common Vulnerabilities and Exposures (CVE) list also publishes ways to prevent the vulnerability from being attacked.
  • Slide 14
  • Risk Management Terms
    - Vulnerability: a system, network or device weakness
    - Threat: potential danger posed by a vulnerability
    - Threat agent: the entity that identifies a vulnerability and uses it to attack the victim
    - Risk: likelihood of a threat agent taking advantage of a vulnerability and the corresponding business impact
    - Exposure: potential to experience losses from a threat agent
    - Countermeasure: put into place to mitigate the potential risk
  • Slide 15
  • Understanding Risk
  • Slide 16
  • Legislation: some of the EU directives:
    - Directive on the authorisation of electronic communications networks and services (the Authorisation Directive)
    - Directive on access to, and interconnection of, electronic communications networks and associated facilities (the Access Directive)
    - Directive on the universal service (the Universal Service Directive)
    - Directive on the processing of personal data (the Privacy and Electronic Communications Directive)
  • Slide 17
  • Network Security Organizations
    - www.infosyssec.com
    - www.sans.org
    - www.cisecurity.org
    - www.cert.org
    - www.isc2.org
    - www.first.org
    - www.infragard.net
    - www.mitre.org
    - www.cnss.gov
  • Slide 18
  • Network Security Domains: there are 12 network security domains specified by the International Organisation for Standardization (ISO):
    - Risk Assessment
    - Security Policy
    - Organization of Information Security
    - Asset Management
    - Human Resources Security
    - Physical and Environmental Security
    - Communications and Operations Management
    - Access Control
    - Information Systems Acquisition, Development and Maintenance
    - Information Security Incident Management
    - Business Continuity Management
    - Compliance
  • Slide 19
  • Security Policy One of the most important domains is security policy. A security policy is a formal statement of the rules by which people must abide who are given access to the technology and information assets of an organisation.
  • Slide 20
  • What Is a Security Policy? A document that states how an organisation plans to protect its tangible and intangible information assets
    - Management instructions indicating a course of action, a guiding principle, or appropriate procedure
    - High-level statements that provide guidance to workers who must make present and future decisions
    - Generalised requirements that must be written down and communicated to others
  • Slide 21
  • Documents Supporting Policies
    - Standards dictate specific minimum requirements in our policies
    - Guidelines suggest the best way to accomplish certain tasks
    - Procedures provide a method by which a policy is accomplished (the instructions)
  • Slide 22
  • Example: The Policy
    - All users must have a unique user ID and password that conforms to the company password standard
    - Users must not share their password with anyone regardless of title or position
    - Passwords must not be stored in written or any readable form
    - If a compromise is suspected, it must be reported to the help desk and a new password must be requested
  • Slide 23
  • Example: The Standards
    - Minimum of 8 upper- and lowercase alphanumeric characters
    - Must include a special character
    - Must be changed every 30 days
    - Password history of 24 previous passwords will be used to ensure passwords aren't reused
  • Slide 24
  • Example: The Guideline
    - Take a phrase: "Up and At 'em at 7!"
    - Convert it to a strong password: Up&atm@7!
    - To create other passwords from this phrase, change the number, move the symbol, or change the punctuation mark
  • Slide 25
  • Example: The Procedure: procedure for changing a password
    1. Press Control, Alt, Delete to bring up the log-in dialog box
    2. Click the change password button
    3. Enter your current password in the top box
    4.
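The standard, guideline and procedure on the slides above can be enforced mechanically. The following Python is an added example (not part of the original slides) that checks a candidate password against the Slide 23 standard, keeps only salted hashes of the 24 previous passwords so the history is not a readable copy of them, and tracks the 30-day age; the class name PasswordRecord and the salt value are assumptions.

```python
import hashlib
import hmac
import re
from datetime import date, timedelta

# Constants modelling the "Example: The Standards" slide: at least 8 mixed-case
# alphanumeric characters, a special character, a change every 30 days and a
# history of the 24 previous passwords.
MIN_LENGTH = 8
MAX_AGE_DAYS = 30
HISTORY_SIZE = 24


def _fingerprint(password: str, salt: bytes) -> bytes:
    # Keep only a salted PBKDF2 hash of each old password: the policy slide
    # forbids storing passwords "in written or any readable form".
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


def complexity_errors(password: str) -> list:
    """Return the standard's rules that the candidate password violates."""
    checks = [
        (len(password) >= MIN_LENGTH, "fewer than %d characters" % MIN_LENGTH),
        (re.search(r"[A-Z]", password) is not None, "no uppercase letter"),
        (re.search(r"[a-z]", password) is not None, "no lowercase letter"),
        (re.search(r"[0-9]", password) is not None, "no digit"),
        (re.search(r"[^A-Za-z0-9]", password) is not None, "no special character"),
    ]
    return [msg for ok, msg in checks if not ok]


class PasswordRecord:
    """Per-user state (assumed name): bounded fingerprint history and last change date."""

    def __init__(self, salt: bytes):
        self.salt = salt
        self.history = []      # oldest first, never more than HISTORY_SIZE entries
        self.changed_on = None

    def is_expired(self, today: date) -> bool:
        """30-day rule: the current password must be changed on or after day 30."""
        if self.changed_on is None:
            return True
        return today - self.changed_on >= timedelta(days=MAX_AGE_DAYS)

    def in_history(self, password: str) -> bool:
        fp = _fingerprint(password, self.salt)
        return any(hmac.compare_digest(fp, old) for old in self.history)

    def change(self, new_password: str, today: date) -> list:
        """Apply the standard. Returns [] and records the change, or the violations."""
        errors = complexity_errors(new_password)
        if self.in_history(new_password):
            errors.append("reused one of the last %d passwords" % HISTORY_SIZE)
        if errors:
            return errors
        self.history.append(_fingerprint(new_password, self.salt))
        self.history = self.history[-HISTORY_SIZE:]
        self.changed_on = today
        return []
```

The guideline's own example password, Up&atm@7!, satisfies every rule, while a second change to the same value is rejected by the history check.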
  • Slide 26
  • Policy Elements
    - Statement of Authority: an introduction to the information security policies
    - Policy Headings: logistical information (security domain, policy number, name of organization, effective date, author, change control documentation or number)
    - Policy Objectives: states what we are trying to achieve by implementing the policy
    - Policy Statement of Purpose: why the policy was adopted, and how it will be implemented
  • Slide 27
  • Policy Elements, 2
    - Policy Audience: states who the policy is intended for
    - Policy Statement: how the policy will be implemented (the rules)
    - Policy Exceptions: special situations calling for exception to the normal, accepted rules
    - Policy Enforcement Clause: consequences for violation
    - Policy Definitions: a glossary to ensure that the target audience understands the policy
  • Slide 28
  • Policy Example
  • Slide 29
  • Modern Network Security Threats
    - Viruses
    - Worms
    - Trojan Horses
  • Slide 30
  • Virus A virus is a malicious code that is attached to legitimate programs or executable files. Most viruses require end-user activation. Viruses can be harmless, such as those that display a picture on the screen, or they can be destructive, such as those that modify or delete files on the hard drive. Most viruses are spread by USB memory sticks, CDs, DVDs, network shares, or email.
  • Slide 31
  • Worm Worms replicate themselves by independently exploiting vulnerabilities in networks. Worms usually slow down networks. Whereas a virus requires a host program to run, worms can run by themselves. They do not require user participation and can spread extremely fast over the network.
  • Slide 32
  • Worm Components: most worm attacks have three major components:
    - Enabling vulnerability - a worm installs itself using an exploit mechanism (email attachment, executable file, Trojan Horse) on a vulnerable system
    - Propagation mechanism - after gaining access to a device, the worm replicates itself and locates new targets
    - Payload - any malicious code that results in some action; most often this is used to create a backdoor to the infected host
  • Slide 33
  • Trojan Horse: a Trojan Horse is malware that carries out malicious operations under the guise of a desired function. A virus or worm could carry a Trojan Horse. Example: an FTP Trojan Horse opens port 21.
  • Slide 34
  • Mitigating Threats: a majority of the software vulnerabilities that are discovered relate to buffer overflows. A buffer is an allocated area of memory used by processes to store data temporarily. Buffer overflows are usually the primary conduit through which viruses, worms, and Trojan Horses do their damage. Canary words are used to protect systems against buffer overflows and to signal that one has occurred.
  • Slide 35
  • Worm Mitigation: the response to a worm infection can be broken down into four phases:
    - Containment
    - Inoculation
    - Quarantine
    - Treatment
  • Slide 36
  • Worm Mitigation
    - Containment - involves limiting the spread of a worm infection to areas of the network that are already affected
    - Inoculation - all uninfected systems are patched with the appropriate vendor patch for the vulnerability
  • Slide 37
  • Worm Mitigation
    - Quarantine - tracking down and identifying infected machines within the contained areas and disconnecting, blocking, or removing them
    - Treatment - terminating the worm process, removing modified files or system settings that the worm introduced, and patching the vulnerability the worm used to exploit the system
  • Slide 38
  • Mitigating Threats (1)
    - The primary means of mitigating virus and Trojan horse attacks is anti-virus software
    - Anti-virus products are host-based; they do not prevent viruses from entering the network
    - The AV database must always be up to date
    - Cannot prevent zero-day attacks
  • Slide 39
  • Mitigating Threats (2)
    - Apart from well-known ports, ports should normally be blocked by a firewall on the perimeter
    - Most attacks use well-known ports or backdoors
    - Block the port on all devices through which the worm is spreading on the internal network
    - Selective access does not guarantee to solve the problem, but it lowers the probability of infection
  • Slide 40
  • Mitigating Threats (3)
    - Another option for mitigating the effects of viruses, worms, and Trojan Horses is a Host-Based Intrusion Prevention System (HIPS)
    - Network IPS
    - Cisco Network Admission Control (NAC)
    - Cisco Security Monitoring, Analysis, and Response System (MARS)
    - Patching the OS and software
  • Slide 41
  • Network Threats: there are four general categories of security threats to the network:
    - Unstructured threats
    - Structured threats
    - External threats
    - Internal threats
  • Slide 42
  • Slide 43
  • Four Classes of Network Attacks
    - Reconnaissance attacks
    - Access attacks
    - Denial of service attacks
    - Worms, viruses, and Trojan horses
  • Slide 44
  • Specific Attack Types: all of the following can be used to compromise your system:
    - Packet sniffers
    - IP weaknesses
    - Password attacks
    - DoS or DDoS
    - Man-in-the-middle attacks
    - Application layer attacks
    - Trust exploitation
    - Port redirection
    - Virus
    - Trojan horse
    - Operator error
    - Worms
  • Slide 45
  • Reconnaissance Attacks: network reconnaissance refers to the overall act of learning information about a target network by using publicly available information and applications. (Reconnaissance: an inspection or exploration of an area, especially one made to gather military information.)
  • Slide 46
  • Reconnaissance Attack Example
  • Slide 47
  • Reconnaissance Attack Mitigation
    - Network reconnaissance cannot be prevented entirely
    - IPSs at the network and host levels can usually notify an administrator when a reconnaissance gathering attack (for example, ping sweeps and port scans) is under way
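The notification the slide describes amounts to counting distinct targets per source. This added example (not from the original deck) implements that detection in Python over constructed perimeter log lines in an assumed key=value format; the thresholds and field names are assumptions, and the lines are taken to fall within a single monitoring interval.

```python
import re
from collections import defaultdict

# Constructed log lines, one per connection attempt or ICMP echo request seen
# at the perimeter (documentation address ranges; not real traffic).
LOG_LINES = (
    ["src=198.51.100.7 dst=203.0.113.5 proto=tcp dport=%d" % p
     for p in (21, 22, 23, 25, 80, 110, 143, 443, 445, 3389, 8080)]   # port scan
    + ["src=192.0.2.30 dst=203.0.113.%d proto=icmp type=8" % h
       for h in range(1, 9)]                                          # ping sweep
    + ["src=203.0.113.77 dst=203.0.113.5 proto=tcp dport=443",        # normal use
       "src=203.0.113.77 dst=203.0.113.5 proto=tcp dport=80"]
)

LINE_RE = re.compile(r"(\w+)=(\S+)")


def parse(line: str) -> dict:
    """Turn 'key=value key=value ...' into a dict (assumed log format)."""
    return dict(LINE_RE.findall(line))


def detect_recon(lines, scan_ports=10, sweep_hosts=8):
    """Flag a source that probes many distinct TCP ports on one host (port scan)
    or sends echo requests to many distinct hosts (ping sweep).
    Returns (kind, src, dst_or_None, count) tuples; thresholds are assumptions."""
    ports_by_pair = defaultdict(set)   # (src, dst) -> distinct destination ports
    hosts_by_src = defaultdict(set)    # src -> distinct hosts echo-requested
    for line in lines:
        f = parse(line)
        if f.get("proto") == "tcp" and "dport" in f:
            ports_by_pair[(f["src"], f["dst"])].add(int(f["dport"]))
        elif f.get("proto") == "icmp" and f.get("type") == "8":   # echo request
            hosts_by_src[f["src"]].add(f["dst"])
    alerts = []
    for (src, dst), ports in ports_by_pair.items():
        if len(ports) >= scan_ports:
            alerts.append(("port-scan", src, dst, len(ports)))
    for src, hosts in hosts_by_src.items():
        if len(hosts) >= sweep_hosts:
            alerts.append(("ping-sweep", src, None, len(hosts)))
    return alerts


if __name__ == "__main__":
    for alert in detect_recon(LOG_LINES):
        print(alert)
```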
  • Slide 48
  • Packet Sniffers
  • Slide 49
  • A packet sniffer is a software application that uses a network adapter card in promiscuous mode to capture all network packets. Packet sniffer features:
    - Packet sniffers exploit information passed in clear text. Protocols that pass information in the clear include the following:
      - Telnet
      - FTP
      - SNMP
      - POP
    - Packet sniffers must be on the same collision domain
  • Slide 50
  • Packet Sniffer Mitigation
  • Slide 51
  • The following techniques and tools can be used to mitigate sniffers:
    - Authentication - using strong authentication, such as one-time passwords, is a first option for defense against packet sniffers
    - Switched infrastructure - deploy a switched infrastructure to counter the use of packet sniffers in your environment
    - Antisniffer tools - use these tools to employ software and hardware designed to detect the use of sniffers on a network
    - Cryptography - the most effective method for countering packet sniffers does not prevent or detect packet sniffers, but rather renders them irrelevant
  • Slide 52
  • IP Spoofing: IP spoofing occurs when a hacker inside or outside a network impersonates the conversations of a trusted computer. Two general techniques are used during IP spoofing:
    - A hacker uses an IP address that is within the range of trusted IP addresses
    - A hacker uses an authorized external IP address that is trusted
    Uses for IP spoofing include the following:
    - IP spoofing is usually limited to the injection of malicious data or commands into an existing stream of data
    - If a hacker changes the routing tables to point to the spoofed IP address, the hacker can then receive all the network packets that are addressed to the spoofed address and reply just as any trusted user can
  • Slide 53
  • IP Spoofing Mitigation: the threat of IP spoofing can be reduced, but not eliminated, through the following measures:
    - Access control - the most common method for preventing IP spoofing is to properly configure access control
    - RFC 2827 filtering - you can prevent users of your network from spoofing other networks (and be a good Internet citizen at the same time) by preventing any outbound traffic on your network that does not have a source address in your organization's own IP range
    - Additional authentication that does not use IP-based authentication; examples include:
      - Cryptographic (recommended)
      - Strong, two-factor, one-time passwords
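An added example (not Cisco configuration and not part of the original deck) that applies the RFC 2827 rule in Python to constructed packets: outbound traffic must carry a source address inside the organisation's own range, and, going one step beyond the slide, inbound traffic from the Internet must not claim one of those addresses (the "trusted internal address" spoofing case). The prefix 203.0.113.0/24 is an assumed documentation range.

```python
from ipaddress import ip_address, ip_network

# Assumed organisation prefix (documentation range, constructed for this example).
ORG_PREFIX = ip_network("203.0.113.0/24")


def egress_allowed(src: str) -> bool:
    """RFC 2827 outbound rule: only packets sourced from our own range may leave."""
    return ip_address(src) in ORG_PREFIX


def ingress_allowed(src: str) -> bool:
    """Inbound mirror of the rule: a packet arriving from outside must not claim
    an address from our own range, since nothing legitimate outside uses it."""
    return ip_address(src) not in ORG_PREFIX


def filter_packets(packets):
    """Apply the direction-specific rule to (direction, src, dst) tuples.
    Returns (direction, src, dst, verdict) with verdict 'permit' or 'deny'."""
    results = []
    for direction, src, dst in packets:
        if direction == "out":
            ok = egress_allowed(src)
        elif direction == "in":
            ok = ingress_allowed(src)
        else:
            raise ValueError("direction must be 'in' or 'out'")
        results.append((direction, src, dst, "permit" if ok else "deny"))
    return results


# Constructed sample traffic crossing the perimeter.
SAMPLE = [
    ("out", "203.0.113.10", "198.51.100.1"),   # legitimate internal host leaving
    ("out", "192.0.2.55", "198.51.100.1"),     # spoofed: source not in our range
    ("in",  "198.51.100.9", "203.0.113.10"),   # normal inbound traffic
    ("in",  "203.0.113.20", "203.0.113.10"),   # spoofed: claims our address from outside
]

if __name__ == "__main__":
    for row in filter_packets(SAMPLE):
        print(row)
```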
  • Slide 54
  • DoS Attacks
  • Slide 55
  • DDoS Attack Example
  • Slide 56
  • DoS Attack Mitigation: the threat of DoS attacks can be reduced through the following three methods:
    - Antispoof features - proper configuration of antispoof features on your routers and firewalls
    - Anti-DoS features - proper configuration of anti-DoS features on routers and firewalls
    - Traffic rate limiting - implement traffic rate limiting with the network's ISP
  • Slide 57
  • Password Attacks
  • Slide 58
  • Password Attack Example
  • Slide 59
  • Password Attacks Mitigation: the following are mitigation techniques:
    - Do not allow users to use the same password on multiple systems
    - Disable accounts after a certain number of unsuccessful login attempts
    - Do not use plain text passwords; OTP or a cryptographic password is recommended
    - Use strong passwords. Strong passwords are at least eight characters long and contain uppercase letters, lowercase letters, numbers, and special characters
  • Slide 60
  • Man-in-the-Middle Attacks
  • Slide 61
  • Man-in-the-Middle Mitigation
  • Slide 62
  • Trust Exploitation
  • Slide 63
  • Trust Exploitation Mitigation
  • Slide 64
  • Port Redirection
  • Slide 65
  • Unauthorized Access
  • Slide 66
  • Social Engineering Attacks
    - Hacker-speak for tricking a person into revealing some confidential information
    - Social engineering is defined as an attack based on deceiving users or administrators at the target site
    - Done to gain illicit access to systems or useful information
    - The goals of social engineering are fraud, network intrusion, industrial espionage, identity theft, etc.
  • Slide 67
  • Types of Attacks
    - Structured attack: comes from hackers who are more highly motivated and technically competent. These people know system vulnerabilities and can understand and develop exploit code and scripts. They understand, develop, and use sophisticated hacking techniques to penetrate unsuspecting businesses. These groups are often involved with the major fraud and theft cases reported to law enforcement agencies.
    - Unstructured attack: consists of mostly inexperienced individuals using easily available hacking tools such as shell scripts and password crackers. Even unstructured threats that are only executed with the intent of testing and challenging a hacker's skills can still do serious damage to a company.
  • Slide 68
  • Types of Attacks
    - External attacks: initiated by individuals or groups working outside of a company. They do not have authorized access to the computer systems or network. They gather information in order to work their way into a network, mainly from the Internet or dial-up access servers.
    - Internal attacks: more common and dangerous. Internal attacks are initiated by someone who has authorized access to the network. According to the FBI, internal access and misuse account for 60 to 80 percent of reported incidents. These attacks often are traced to disgruntled employees.
  • Slide 69
  • Types of Attacks
    - Passive attack
      - Listening for system passwords
      - Release of message content
      - Traffic analysis
      - Data capturing
    - Active attack
      - Attempt to log into someone else's account
      - Wire taps
      - Denial of service
      - Masquerading
      - Message modifications
  • Slide 70
  • Stages of an Attack: today's attackers have an abundance of targets; in fact, their greatest challenge is to select the most vulnerable victims. This has resulted in very well-planned and structured attacks. These attacks have common logistical and strategic stages:
    - Reconnaissance
    - Scanning (addresses, ports, vulnerabilities)
    - Gaining access
    - Maintaining access
    - Covering tracks
  • Slide 71
  • Goals of an Information Security Program
    - Confidentiality - prevent the disclosure of sensitive information to unauthorized people, resources, and processes
    - Integrity - the protection of system information or processes from intentional or accidental modification
    - Availability - the assurance that systems and data are accessible by authorized users when needed
  • Slide 72
  • Information Security Model
  • Slide 73
  • Information Security Properties
  • Slide 74
  • Information States
  • Slide 75
  • Security Measures
  • Slide 76
  • Information Security Model
  • Slide 77
  • Risk Management
    - Risk Analysis
    - Threats
    - Vulnerabilities
    - Countermeasures
  • Slide 78
  • Mitigating Network Attacks
  • Slide 79
  • Summary
  • Slide 80
  • Slide 81
  • Slide 82
  • Next Week Securing Access to Network Devices.
  • Slide 83
  • Thank you