Introduction to Information Security

Upload: husein-kattab

Post on 05-Apr-2018


TRANSCRIPT

7/31/2019 Introduction to Information Security

1/49

What is Security? Part I

Meletis A. Belsis, Information Security Consultant
MPhil / MSc / BSc
CWNA/CWSP, C|EH, CCSA, Network+, ISO27001LA

Computer Crime

2/49

Setting the Scene

Security is one of the oldest problems that governments, commercial organizations and almost every person have to face.
The need for security has existed since information became a valuable resource.
The introduction of computer systems to business has escalated the security problem even more.
The advances in networking, and especially in distributed systems, have made the need for security even greater.
The Computer Security Institute report notes that in 2003 computer crime costs rose to more than 450 million dollars in the USA alone.

3/49

Profiling Adversaries

Adversaries that target corporate systems are numerous. They can be broadly classified in the following categories:
Hackers
Employees (both malicious and unintentional)
Terrorist groups
Governments
Competing industries

4/49

Security

So now we know that we need security.
BUT what is security anyway?
Many people fail to understand the meaning of the word.
Many corporations install antivirus software and/or a firewall and believe they are protected. Are they?

5/49

Security through obscurity

Consider some cases:
An internal employee wants revenge on the company and so publishes private corporate information on the Net.
The terrorist attack on the Twin Towers (in the USA) resulted in many corporations closing down. Why?
An employee forgets his laptop in a café. This laptop contains all the corporate private information.
HOW CAN A FIREWALL PROTECT FROM THE PREVIOUS?

6/49

Security: easy to understand, difficult to implement

"In the real world, security involves processes. It involves preventive technologies, but also detection and reaction processes, and an entire forensics system to hunt down and prosecute the guilty. Security is not a product; it itself is a process."
Bruce Schneier (Secrets and Lies, Wiley and Sons Inc.)

7/49

Security: easy to understand, difficult to implement

Security consists of a number of tools, processes and techniques.
These in general cover three main requirements:
Confidentiality
Integrity
Availability
Depending on the security requirements a system has, one can concentrate on only one of the previous or on all of them.
A new requirement, imposed by the operation of e-markets, is non-repudiation.
[Figure: the CIA triangle (Confidentiality, Integrity, Availability), labelled "CIA Perspective".]

8/49

Security: easy to understand, difficult to implement

Computer security is difficult to implement due to the following:
The cost of implementing a security system should not exceed the value of the data to be secured.
Industries pay huge amounts of money for industrial espionage.
Users feel that security is going to take their freedom away, and so they often sabotage the security measures.
Computer prices have fallen dramatically and the number of hackers has multiplied.
Security managers work under strict budgets and time schedules. Criminals have no time schedule and do not need any specialised software.
Hackers often cooperate with known criminals.
That is why total security is almost infeasible.

9/49

The Art of Hacking: Part II

Attacking Corporate Systems

10/49

Information Gathering

The first step to hacking is to gather as much information as possible about the target.
This information is later used to draw a map of the corporate network. This map is used to define and design an attack methodology as well as to identify the needed attack tools.
The extreme case of information gathering is called dumpster diving.

11/49

Information Gathering: Searching the Corporate Web Site

Searching the corporate web site for information:
Statements like "This site is best viewed with Internet Explorer" could suggest that the company uses a Microsoft web server.
Email addresses. These are used to identify user names, e.g. [email protected]
Office locations: companies with offices in different countries would probably use a VPN to interconnect them.
Company news

12/49

Information Gathering: Searching the Internet

Searching the web can provide valuable information:
Using the link: search directive, e.g. link:www.somecompany.com, lists the sites that link to the corporate web site.
Searching the wider web using the company's name.
Searching public WHOIS databases: these provide information about the company's domain name (registrant, contacts, name servers).
Searching the ARIN WHOIS database: a database of all registered IP address allocations.
Searching technical forums using either the name of the administrator or the name of the company.

13/49

Information Gathering: Being Polite...

When the initial search has finished, it is time to ASK the network itself. Believe it or not, most networks are quite polite.
DNS interrogation. It can be performed simply by using the nslookup program.
Using the PING command (ICMP Echo) can unveil hosts that are connected and are not protected by a firewall.
Using the traceroute command we can identify the IP of the router that connects the corporate network to the Internet.

14/49

NeoTrace: Windows-based traceroute (screenshot)

15/49

Information Gathering: Identify Running Services

Having a map of the hosts that are accessible from the Internet, we must now identify the services they offer and the operating system installed on each host.
Special programs like nmap and SuperScan are used to interrogate each port on a host.
Detecting services: the scanner tries to open a connection to each port of the target host (by sending SYN segments). Open ports answer with SYN/ACK and show the services that are running; closed ports answer with RST; ports that never answer are usually filtered by a firewall.
Detecting the OS: the scanner sends specially crafted or malformed packets to the ports. Different operating systems respond with different messages (TCP/IP stack fingerprinting).
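The service-detection step above, written out as an added example (not code from the slides or from nmap/SuperScan): a connect() scanner that completes the handshake on each port, grabs whatever the service says first, and distinguishes open from closed. So that it runs offline, the "services" are two constructed listeners on localhost that greet clients with an SMTP-like and an SSH-like banner; the banner strings, ports and addresses are assumptions for the demo.

```python
"""TCP connect scan with banner grabbing, run against two constructed local
"services" so the example works offline. Added example; not from the slides."""
from __future__ import annotations
import socket
import threading
from contextlib import closing

HOST = "127.0.0.1"

def start_fake_service(banner: bytes) -> tuple[socket.socket, int]:
    """Listen on an ephemeral localhost port and greet every client with
    `banner`. Stand-in for a real daemon; the banner text is constructed."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((HOST, 0))
    srv.listen(5)
    srv.settimeout(0.5)  # lets the accept loop notice when srv is closed

    def serve() -> None:
        while True:
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue          # nobody connected yet, keep waiting
            except OSError:
                return            # srv.close() was called: stop serving
            with conn:
                try:
                    conn.sendall(banner)
                except OSError:
                    pass          # client went away before reading

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]

def reserve_closed_port() -> int:
    """Bind and immediately release a port so we know one that is closed."""
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
        s.bind((HOST, 0))
        return s.getsockname()[1]

def scan_port(host: str, port: int, timeout: float = 0.5) -> tuple[bool, bytes]:
    """Full three-way handshake via connect(): SYN/ACK means open (connect
    succeeds), RST means closed (ConnectionRefusedError), no answer at all
    (filtered by a firewall) shows up as a timeout. Then read the greeting."""
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except (ConnectionRefusedError, socket.timeout, OSError):
            return False, b""
        try:
            banner = s.recv(256)
        except (socket.timeout, OSError):
            banner = b""          # open, but the service waits for us to talk
        return True, banner.strip()

def scan_ports(host: str, ports) -> dict[int, bytes]:
    """Return {open_port: banner} for the given port list."""
    found = {}
    for port in ports:
        is_open, banner = scan_port(host, port)
        if is_open:
            found[port] = banner
    return found

def demo() -> tuple[int, int, int, dict[int, bytes]]:
    """Spin up an SMTP-like and an SSH-like listener, scan them plus a port
    known to be closed, and return what the scanner saw."""
    smtp_srv, smtp_port = start_fake_service(b"220 mail.example.com ESMTP Sendmail 8.12.8\r\n")
    ssh_srv, ssh_port = start_fake_service(b"SSH-2.0-OpenSSH_3.4\r\n")
    closed_port = reserve_closed_port()
    try:
        found = scan_ports(HOST, [smtp_port, ssh_port, closed_port])
    finally:
        smtp_srv.close()
        ssh_srv.close()
    return smtp_port, ssh_port, closed_port, found

if __name__ == "__main__":
    smtp_port, ssh_port, closed_port, found = demo()
    for port, banner in sorted(found.items()):
        print(f"{port}/tcp open  {banner.decode(errors='replace')}")
    print(f"{closed_port}/tcp closed")
```

Because connect() finishes the handshake, every probe shows up in the target's connection log, which is exactly why the next slide lists the half-open (SYN) scan among the quieter alternatives: it sends the SYN, reads the SYN/ACK or RST, and never completes the connection.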

16/49

SuperScan: Windows-based port scanner (screenshot)

17/49

Information Gathering: Scanning Undetected

Many firewalls can detect these scanning attempts, so scanners use some alternative techniques:
Slow scanning
Distributed scanning
Half-open (SYN) scanning
Fragmented packets
XMAS scan
FIN scan
FTP bounce

18/49

Password Cracking

Adversaries use two methods to attack passwords:
Brute force: try every combination in the password space.
Dictionary: use a dictionary of known words and try each word along with common variations of it.
These attacks can be performed either locally (against a stolen password file or hash database) or remotely (against the login service itself).
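The two methods side by side, as an added example that is not part of the slides or of L0phtCrack: a dictionary attack with the usual mutation rules (case variants, trailing digits, trailing "!") and an exhaustive brute force, both run offline against a constructed "leaked" database of salted SHA-256 hashes. The salt, the wordlist, the alphabet and the two user passwords are assumptions for the demo.

```python
"""Dictionary attack with common mutations versus exhaustive brute force
against constructed salted SHA-256 hashes. Added example; the salt, hashes,
wordlist and alphabet are all assumptions for the demo."""
from __future__ import annotations
import hashlib
import itertools
import string
from typing import Iterable, Iterator, Optional

SALT = b"demo-salt"  # constructed; a real system stores a random per-user salt

def hash_password(password: str, salt: bytes = SALT) -> str:
    """Plain salted SHA-256. Fast hashes like this are exactly what makes
    offline cracking cheap; a slow KDF (bcrypt, scrypt, Argon2) multiplies
    the cost of every guess below by a large constant."""
    return hashlib.sha256(salt + password.encode()).hexdigest()

# Constructed "leaked" hash database: two users, two very different passwords.
LEAKED = {
    "alice": hash_password("Password1"),   # dictionary word + trivial mutation
    "bob": hash_password("k9z"),           # short, but not in any dictionary
}

WORDLIST = ["password", "summer", "welcome", "admin", "letmein", "dragon", "monkey"]
ALPHABET = string.ascii_lowercase + string.digits

def mutations(word: str) -> Iterator[str]:
    """Typical wordlist rules: case variants, trailing digits, trailing '!'."""
    for base in (word, word.capitalize(), word.upper()):
        yield base
        for digits in range(100):
            yield f"{base}{digits}"
        yield base + "!"

def dictionary_attack(target: str, words: Iterable[str], salt: bytes = SALT) -> Optional[str]:
    """Hash each candidate and compare; returns the password or None."""
    for word in words:
        for candidate in mutations(word):
            if hash_password(candidate, salt) == target:
                return candidate
    return None

def brute_force(target: str, alphabet: str, max_len: int,
                salt: bytes = SALT) -> tuple[Optional[str], int]:
    """Walk the whole password space up to max_len characters, shortest
    first. Returns (password or None, number of guesses made)."""
    tried = 0
    for length in range(1, max_len + 1):
        for combo in itertools.product(alphabet, repeat=length):
            tried += 1
            candidate = "".join(combo)
            if hash_password(candidate, salt) == target:
                return candidate, tried
    return None, tried

def space_size(alphabet: str, max_len: int) -> int:
    """Number of candidates brute force must be prepared to try."""
    return sum(len(alphabet) ** n for n in range(1, max_len + 1))

if __name__ == "__main__":
    print("alice (dictionary):", dictionary_attack(LEAKED["alice"], WORDLIST))
    print("bob   (dictionary):", dictionary_attack(LEAKED["bob"], WORDLIST))
    pw, tried = brute_force(LEAKED["bob"], ALPHABET, 3)
    print(f"bob   (brute force): {pw} after {tried} of {space_size(ALPHABET, 3)} guesses")
    # Why brute force is the last resort: 9 characters of upper+lower+digits
    print("9-char mixed-case+digits space:", space_size(string.ascii_letters + string.digits, 9))
```

The dictionary run needs a few thousand hashes to recover "Password1" and fails on "k9z"; brute force recovers "k9z" because the space for three lowercase-plus-digit characters is only 36 + 36² + 36³ candidates, while the same loop over nine mixed-case characters would have to cover roughly 1.4 × 10¹⁶. Length and unpredictability, not "complexity" rules alone, decide which of the two methods an adversary can afford.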

19/49

L0phtCrack: Windows password cracking (screenshot)

20/49

VIRUSES

Computer viruses are categorised into:
Normal viruses
Trojan horses
Worms
Today there are more than 2,500 viruses ready to be downloaded.
A user can get infected by:
Running a program
Opening an email
Visiting a web site (evil Trojan)
Opening a .doc file (macro virus)
Today virus creation and mutation kits can be freely downloaded from the Internet.
[Figure: two file-infection layouts. "Infecting the start of a program": Virus Code, Initialization Code, Program Code, Ending Code. "Infecting the end of a program": Initialization Code, Program Code, Ending Code, Virus Code, with a pointer to the virus code inserted at the start of the program so the virus runs first.]

21/49

SubSeven: visual interface to control an infected PC (screenshot)

22/49

Denial of Service Attack (DoS)

The idea behind these attacks is to make the target system unavailable to its authorised users.
Typical attacks include, but are not limited to:
Ping of Death (sending a fragmented ICMP packet that reassembles to more than 65,535 bytes, the maximum size of an IP datagram)
SYN flooding attack (starting many half-open connections that are never completed)
Smurf attack (sending ICMP echo requests to a broadcast address with the source IP address spoofed to that of the victim, so every host on that network replies to the victim)
Domain Name Server DoS (sending DNS queries to multiple DNS servers with the source IP spoofed to that of the target, so all the replies are sent to the target)

23/49

[Figure: SYN flood attack. The attacker opens many half-open connections to the server; the legitimate user's connection attempt cannot be served.]

24/49

[Figure: Smurf attack. The attacker sends ICMP Echo requests to the broadcast addresses of Networks A, B and C with the target's address as source; every terminal in each network replies to the target system.]

25/49

[Figure: Domain Name System DoS. The attacker sends queries with a spoofed source IP to DNS 1, DNS 2, DNS 3 and DNS 4; the results of the attacker's queries are all delivered to the target.]
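What the four attacks above look like to a monitor on the wire, as an added example that is not from the slides: a small classifier over a constructed packet trace that recognises an oversized ICMP datagram (Ping of Death), a pile-up of half-open connections (SYN flood), an echo request aimed at a directed broadcast with a forged source (Smurf) and DNS answers arriving for queries the target never sent (the DNS reflection case). The addresses, the thresholds and the "every network is a /24" broadcast convention are assumptions for the demo.

```python
"""Recognising the four DoS patterns from the slides in a constructed packet
trace. Added example; addresses, thresholds and the /24 broadcast convention
are assumptions."""
from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass

@dataclass
class Packet:
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    dst: str
    length: int = 64      # total (reassembled) IP datagram length in bytes
    flags: str = ""       # TCP flags as letters: "S", "SA", "A", ...
    sport: int = 0
    dport: int = 0
    icmp_type: int = 8    # 8 = echo request, 0 = echo reply

MAX_IP_DATAGRAM = 65535   # RFC 791: the total-length field is 16 bits

def is_directed_broadcast(ip: str) -> bool:
    """Assumption for the demo: every network is a /24, so x.y.z.255 is its broadcast."""
    return ip.endswith(".255")

def detect(packets, half_open_threshold: int = 50, reflection_threshold: int = 20) -> list[tuple]:
    alerts: list[tuple] = []
    half_open = defaultdict(set)     # server -> {(client, sport)} still waiting for the ACK
    queries_sent = set()             # (client, dns server) pairs we saw a query for
    unsolicited = defaultdict(int)   # target -> DNS answers with no matching query

    for p in packets:
        if p.proto == "icmp":
            if p.length > MAX_IP_DATAGRAM:
                alerts.append(("ping_of_death", p.src, p.dst, p.length))
            if p.icmp_type == 8 and is_directed_broadcast(p.dst):
                # the (spoofed) source is the real victim: every host answers it
                alerts.append(("smurf", p.src, p.dst))
        elif p.proto == "tcp":
            client = (p.src, p.sport)
            if p.flags == "S":
                half_open[p.dst].add(client)
            elif "A" in p.flags:
                half_open[p.dst].discard(client)  # third step of the handshake arrived
            if len(half_open[p.dst]) > half_open_threshold:
                alerts.append(("syn_flood", p.dst, len(half_open[p.dst])))
                half_open[p.dst].clear()           # one alert per burst
        elif p.proto == "udp":
            if p.dport == 53:
                queries_sent.add((p.src, p.dst))
            elif p.sport == 53 and (p.dst, p.src) not in queries_sent:
                unsolicited[p.dst] += 1
                if unsolicited[p.dst] == reflection_threshold:
                    alerts.append(("dns_reflection", p.dst, p.src))
    return alerts

def sample_traffic() -> list[Packet]:
    """Constructed trace: one honest client, then the four attacks."""
    pkts = [
        Packet("tcp", "10.0.0.5", "192.0.2.10", flags="S", sport=40001, dport=80),
        Packet("tcp", "192.0.2.10", "10.0.0.5", flags="SA", sport=80, dport=40001),
        Packet("tcp", "10.0.0.5", "192.0.2.10", flags="A", sport=40001, dport=80),
    ]
    # SYN flood: 60 SYNs from spoofed sources; no ACK ever follows
    pkts += [Packet("tcp", f"203.0.113.{i}", "192.0.2.10", flags="S", sport=1024 + i, dport=80)
             for i in range(1, 61)]
    # Ping of Death: a reassembled echo request bigger than IP allows
    pkts.append(Packet("icmp", "198.51.100.9", "192.0.2.10", length=65540))
    # Smurf: echo request to the broadcast address of 10.0.1.0/24, source forged as the victim
    pkts.append(Packet("icmp", "192.0.2.10", "10.0.1.255"))
    # DNS reflection: 25 answers from a resolver to a target that never asked
    pkts += [Packet("udp", "198.51.100.53", "192.0.2.10", length=512, sport=53, dport=3000 + i)
             for i in range(25)]
    # A legitimate query/response pair must not be flagged
    pkts.append(Packet("udp", "10.0.0.5", "198.51.100.53", sport=5555, dport=53))
    pkts.append(Packet("udp", "198.51.100.53", "10.0.0.5", sport=53, dport=5555))
    return pkts

if __name__ == "__main__":
    for alert in detect(sample_traffic()):
        print(alert)
```

Note that in the Smurf and DNS cases the address that appears as the source of the attack packets is the victim, not the attacker, which is why a monitor that blocks "the source" of the flood ends up helping the attacker.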

26/49

Distributed Denial of Service (DDoS)

Hackers have used the distributed power the Internet offers.
Tools now perform the DoS attack from multiple hosts at the same time.
Examples are: Tribe Flood Network (TFN), TFN2K, Stacheldraht.
[Figure: the attacker's client sends commands to the client (handler) software, which relays them to server software (zombies) on many compromised hosts; each zombie sends packets to the target host.]

27/49

Sniffing

Ethernet provides the ability to run a network card in promiscuous mode. This allows the card to read any packet travelling on the (shared) network segment.
Sniffing software uses this to read all data transmitted on the local net.
Sniffers can be programmed to capture only the information associated with specific protocols or programs, e.g. read all information from HTTP packets only.
Some sniffers can even be programmed to transmit sniffed passwords back to the attacker.
The first and most used sniffer is tcpdump.

28/49

SnifferPro: a Windows-based sniffer (screenshot)

29/49

System Flaws and Exploits

Most systems today contain bugs. These come either from the system designers, from the implementers or from the people who manage the system.
Hackers can use these bugs to gain access to systems. Examples of such flaws are:
Default accounts
Poor user account management
Allowing anonymous Telnet connections from outside to the web server
Allowing trusted connections (trust relationships between hosts)
Buffer overflows
Allowing service banners (version disclosure)
Allowing NetBIOS over TCP/IP when not needed
The Internet has a vast amount of software that tests a given server for a number of such exploits.

30/49

Simpsons: a CGI vulnerability scanner (screenshot)

31/49

Social Engineering

One of the oldest and easiest forms of hacking.
Hacker: "Hello, I am ... My user name is ... I am new to the company, but I forgot my system password and my manager asked me to find him some files. If I tell him that I forgot my password, I am afraid that he is going to fire me. Please help."
Administrator: "OK, do not cry now. That is what we are here for. I am going to reset your password to newpassword. Just do not forget it again."
Hacker: "Oh, thank you so much. I am going to buy the coffee when we meet. You are a lifesaver."
(The scenario works even better if the hacker is female and the administrator is male.)

32/49

IP Spoofing

Hackers usually change the source IP address in their datagrams. This happens for two reasons:
To avoid getting caught.
To bypass security tools and systems that allow trusted connections (address-based trust).
Changing just the IP is called a blind attack, because the hacker never sees the response from the target.
In order to see the response the hacker has a number of ways:
Install a sniffer on the target network.
Use source routing.
Use ICMP redirect.
If both hacker and target are located on the same network, use ARP spoofing.
DNS cache poisoning.
Software programs like A4 Proxy allow hackers to chain a number of anonymous proxy servers before they attack. Thus their real IP is almost untraceable.

33/49

A4 Proxy: using multiple anonymous proxies to hide the IP address (screenshot)

34/49

The Next Step

So now I am in. What am I doing next?
1. If you do not already have it, try to gain root access.
2. Find and clear the log files.
3. Install a rootkit to ensure that you will have access in the future.

35/49

Protecting Corporate Systems: PART III

Information Security Measures

36/49

Is it possible?

Total security is not feasible.
Systems must be secured according to their value.
Security measures are applied according to the threat level a system faces.
The first step is to understand the threats to your corporate systems. This is done by a risk analysis process. At this stage remember that security is a business requirement.

37/49

Creating a DMZ

The first security measure is to seal the internal network off from the outside world.
This is done by building a separate network called a Demilitarized Zone (DMZ).
The DMZ contains all the servers that must be accessible from the outside world.
NOTE that we must always assume that servers in the DMZ are going to be hacked at some point, so the internal network must not trust the DMZ.
[Figure: Internet - Firewall - DMZ (Web Server, SMTP Server) - Firewall - Internal Network (Clients).]

38/49

Firewalls

Firewalls exist in two types:
Packet filters: operate at the network/transport level. They use a firewall policy (an ordered rule set) to decide whether to pass or drop each packet.
Proxy servers: operate at the application level. They always sit between the user's request and the server's response, which allows us to enforce policies on which users can access the Internet and on which port.
Packet filters are usually located on the router, while proxies are installed on dedicated computers.
A network may use any number of the previous, depending on its size and architecture.
Known firewalls are Check Point's FireWall-1, Cisco PIX and Microsoft's ISA Server.
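A packet-filter policy for the DMZ layout of the previous slide, as an added example that is not from the slides or from any vendor's configuration: an ordered rule set with the first-match, default-deny semantics real filters use, evaluated on constructed packets. It puts the "assume the DMZ will be hacked" rule into practice (DMZ hosts may never initiate connections inwards) and shows how one over-broad rule placed at the top silently undoes it. The address ranges, hosts and rules are assumptions for the demo.

```python
"""An ordered packet-filter policy for the DMZ layout on the slides, with the
first-match semantics real filters use, evaluated on constructed packets.
Added example; the address ranges and rule set are assumptions, not a
vendor configuration."""
from __future__ import annotations
import ipaddress
from dataclasses import dataclass
from typing import Optional

Net = ipaddress.IPv4Network
ANY = Net("0.0.0.0/0")
INTERNAL = Net("10.0.0.0/8")          # constructed internal network
DMZ = Net("192.0.2.0/24")             # constructed DMZ
WEB = Net("192.0.2.10/32")
MAIL = Net("192.0.2.25/32")

@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    proto: str                   # "tcp", "udp", "icmp" or "any"
    src: Net
    dst: Net
    dport: Optional[int] = None  # None matches every port
    comment: str = ""

    def matches(self, proto: str, src: str, dst: str, dport: int) -> bool:
        return ((self.proto == "any" or self.proto == proto)
                and ipaddress.ip_address(src) in self.src
                and ipaddress.ip_address(dst) in self.dst
                and (self.dport is None or self.dport == dport))

def evaluate(rules: list[Rule], proto: str, src: str, dst: str, dport: int) -> tuple[str, Optional[Rule]]:
    """First matching rule wins; anything unmatched is denied (default deny)."""
    for rule in rules:
        if rule.matches(proto, src, dst, dport):
            return rule.action, rule
    return "deny", None

# Ordered policy. The explicit DMZ -> internal deny sits first because the slide's
# assumption is that DMZ hosts will be compromised: a hacked web server must not
# become a bridgehead into the internal network.
GOOD_RULES = [
    Rule("deny", "any", DMZ, INTERNAL, comment="DMZ is untrusted; never let it initiate inwards"),
    Rule("allow", "tcp", ANY, WEB, 80, comment="public web"),
    Rule("allow", "tcp", ANY, WEB, 443, comment="public web (TLS)"),
    Rule("allow", "tcp", ANY, MAIL, 25, comment="inbound mail"),
    Rule("allow", "tcp", INTERNAL, MAIL, 25, comment="clients submit mail via the DMZ relay"),
    Rule("allow", "tcp", INTERNAL, ANY, 80, comment="browsing"),
    Rule("allow", "tcp", INTERNAL, ANY, 443, comment="browsing (TLS)"),
]

# Same rules, but a sloppy "allow web traffic from anywhere to anywhere" was
# added at the top. Because of first-match, it shadows the DMZ -> internal deny.
BAD_RULES = [Rule("allow", "tcp", ANY, ANY, 80, comment="web everywhere (too broad)")] + GOOD_RULES

def decisions(rules: list[Rule]) -> dict[str, str]:
    """Evaluate a fixed set of constructed packets and return the verdicts."""
    cases = {
        "internet->web:80": ("tcp", "203.0.113.7", "192.0.2.10", 80),
        "internet->mail:25": ("tcp", "203.0.113.7", "192.0.2.25", 25),
        "internet->internal:445": ("tcp", "203.0.113.7", "10.0.0.5", 445),
        "internal->internet:443": ("tcp", "10.0.0.5", "198.51.100.1", 443),
        "dmz(web)->internal:80": ("tcp", "192.0.2.10", "10.0.0.5", 80),
        "dmz(web)->internal:445": ("tcp", "192.0.2.10", "10.0.0.5", 445),
    }
    return {name: evaluate(rules, *pkt)[0] for name, pkt in cases.items()}

if __name__ == "__main__":
    good, bad = decisions(GOOD_RULES), decisions(BAD_RULES)
    for name in good:
        print(f"{name:26} good={good[name]:5} bad={bad[name]}")
```

The model only looks at the first packet of each connection; a real filter must also let the reply packets back (stateful tracking or explicit reverse rules), which is where the "allow established" shortcut often opens more than intended.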

39/49

Intrusion Detection Systems (IDS)

Intrusion detection systems are used to detect attacks on the network and inform the administrator.
IDS are organised into two categories:
Signature based: they hold a database of known attacks and test packets against the patterns stored in the database.
Anomaly based: they test the traffic against a baseline of normal behaviour and flag deviations, e.g. why does the network have such heavy traffic at 2 in the morning?
When the IDS detects an attack it informs the administrator in a number of ways: email, SMS, pager.
[Figure: IDS sensors placed in the DMZ (Web Server, SMTP Server) and on the internal network, behind the Internet router, reporting to a Security Management Console.]
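Both IDS styles in working form, as an added example that is not from the slides or from any IDS product: a signature engine that matches known attack patterns against web-server log lines, and an anomaly engine that compares each hour's traffic with a per-hour baseline and raises the slide's "2 in the morning" case. The signatures, the log lines and the traffic figures are constructed for the demo.

```python
"""The two IDS styles from the slide, run over constructed data. Added
example; the signatures, log lines and traffic figures are constructed."""
from __future__ import annotations
import re
import statistics

# --- Signature based -------------------------------------------------------
SIGNATURES = [
    ("dir_traversal", re.compile(r"\.\./|%2e%2e[%/]", re.IGNORECASE)),
    ("cmd_exec", re.compile(r"cmd\.exe|/bin/sh", re.IGNORECASE)),
    ("passwd_read", re.compile(r"/etc/passwd")),
]

# Common Log Format: host ident user [time] "METHOD PATH PROTO" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+)$')

# Constructed log lines: two normal requests and two attack attempts
LOG_LINES = [
    '10.0.0.5 - - [31/Jul/2003:10:12:01 +0000] "GET /index.html HTTP/1.0" 200 1043',
    '198.51.100.23 - - [31/Jul/2003:02:07:44 +0000] "GET /cgi-bin/../../etc/passwd HTTP/1.0" 404 284',
    '198.51.100.23 - - [31/Jul/2003:02:07:49 +0000] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 284',
    '10.0.0.7 - - [31/Jul/2003:10:13:22 +0000] "POST /login HTTP/1.0" 302 0',
]

def signature_scan(lines) -> list[dict]:
    """Return one hit per (line, signature) pair; lines that do not parse are skipped."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        src, when, method, path, status, size = m.groups()
        for name, pattern in SIGNATURES:
            if pattern.search(path):
                hits.append({"src": src, "time": when, "signature": name, "path": path})
    return hits

# --- Anomaly based ---------------------------------------------------------
def hourly_baseline() -> dict[int, list[int]]:
    """Seven days of constructed per-hour traffic (kilobytes): quiet at night,
    busy during the working day, with a little jitter."""
    jitter = [-6, 3, -2, 5, 0, -4, 4]
    return {h: [(50 if h < 7 or h > 22 else 400) + j for j in jitter] for h in range(24)}

def anomaly_scan(baseline: dict[int, list[int]], observed: dict[int, int], k: float = 3.0) -> list[tuple]:
    """Flag hours whose traffic exceeds mean + k * stdev of that hour's history."""
    flagged = []
    for hour, kb in sorted(observed.items()):
        history = baseline[hour]
        limit = statistics.mean(history) + k * statistics.stdev(history)
        if kb > limit:
            flagged.append((hour, kb, round(limit, 1)))
    return flagged

def todays_traffic() -> dict[int, int]:
    """Constructed observation: a normal day except for a burst at 2 a.m."""
    today = {h: (50 if h < 7 or h > 22 else 400) for h in range(24)}
    today[2] = 900     # the "why so much traffic at 2 in the morning?" case
    today[14] = 404    # busy, but within the working-day norm
    return today

if __name__ == "__main__":
    for hit in signature_scan(LOG_LINES):
        print("signature:", hit["src"], hit["signature"], hit["path"])
    for hour, kb, limit in anomaly_scan(hourly_baseline(), todays_traffic()):
        print(f"anomaly: {kb} KB at {hour:02d}:00 (limit {limit})")
```

The two engines fail in opposite ways: the signature engine cannot see an attack it has no pattern for (and the second log line already shows the encoding games attackers play to dodge patterns), while the anomaly engine flags anything unusual, attack or not, so its threshold k is a trade-off between missed attacks and pages at 2 a.m. for a backup job.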

40/49

Honey Pots

These are the sacrificial lambs of a network.
Honey pots are software programs that, when installed on a computer, can simulate a number of systems, e.g.:
Windows NT Server
Unix server
Apache server
Microsoft Exchange Server
These simulated systems look unprotected from the outside world (i.e. open ports, default accounts, known exploits).
Hackers scanning for victims detect the simulated systems and try to hack them. The honey pots let the hackers in but record all their moves and inform the administrator.
Honey pots can be installed either in the DMZ or on the local network.

41/49

Anti-sniffing

The general idea is to make the sniffing host reply to a message that it should not be able to hear.
For example, create a packet with a fake destination MAC address but with the IP address of the suspected host. A card in normal mode drops a frame that is not addressed to it, so if the host acknowledges the packet it is in promiscuous mode.
Another way is to transmit unencrypted login details for a fake (honey pot) server on the network. If someone later tries to use this account, then someone is sniffing the network.
NOTE that using switches instead of hubs will make a sniffer's life much more difficult (though not impossible: the ARP spoofing mentioned earlier can redirect traffic on a switched network).
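The first test above, modelled end to end as an added example that is not from the slides or from L0pht AntiSniff: frames on a shared segment, each host's NIC filter (keep only frames for its own MAC or the broadcast MAC, unless the card is promiscuous) and the ARP layer above it. A probe carrying a bogus destination MAC but a real target IP is answered only by the host whose card passes everything up. The hosts, MACs and IPs are constructed, and the NIC model deliberately ignores multicast and per-driver quirks.

```python
"""The bogus-MAC anti-sniffing test, simulated: NIC filtering versus
promiscuous mode, with ARP on top. Added example; hosts, MACs and IPs are
constructed and the NIC model ignores multicast and driver quirks."""
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
BOGUS_MAC = "02:00:00:00:00:01"   # constructed: locally administered, owned by nobody

@dataclass
class Frame:
    dst_mac: str
    src_mac: str
    kind: str          # "arp_request" or "arp_reply"
    target_ip: str     # the IP being asked about / answered for

@dataclass
class Host:
    name: str
    mac: str
    ip: str
    promiscuous: bool = False

    def nic_accepts(self, frame: Frame) -> bool:
        """Hardware filter: a normal card keeps only frames addressed to it or
        to everyone; a promiscuous card (a sniffer) keeps every frame."""
        return self.promiscuous or frame.dst_mac in (self.mac, BROADCAST_MAC)

    def receive(self, frame: Frame) -> Optional[Frame]:
        """ARP layer: answer a request for our IP, if the NIC handed it up."""
        if not self.nic_accepts(frame):
            return None
        if frame.kind == "arp_request" and frame.target_ip == self.ip:
            return Frame(dst_mac=frame.src_mac, src_mac=self.mac,
                         kind="arp_reply", target_ip=self.ip)
        return None

def put_on_wire(hosts: list[Host], frame: Frame) -> list[Frame]:
    """On a hub every NIC sees every frame; collect whatever replies come back."""
    return [r for r in (h.receive(frame) for h in hosts) if r is not None]

def probe_for_sniffers(hosts: list[Host], prober_mac: str) -> dict[str, bool]:
    """For each host, send an ARP request for its IP to BOGUS_MAC. A reply can
    only come from a card that did not filter on the destination MAC."""
    verdict = {}
    for target in hosts:
        probe = Frame(dst_mac=BOGUS_MAC, src_mac=prober_mac,
                      kind="arp_request", target_ip=target.ip)
        replies = put_on_wire(hosts, probe)
        verdict[target.name] = any(r.src_mac == target.mac for r in replies)
    return verdict

def liveness_check(hosts: list[Host], prober_mac: str) -> dict[str, bool]:
    """Control: the same request to the real broadcast MAC, which every host
    answers, so a silent host means 'not promiscuous' rather than 'down'."""
    alive = {}
    for target in hosts:
        probe = Frame(dst_mac=BROADCAST_MAC, src_mac=prober_mac,
                      kind="arp_request", target_ip=target.ip)
        alive[target.name] = any(r.src_mac == target.mac for r in put_on_wire(hosts, probe))
    return alive

# Constructed segment: two ordinary hosts and one running a sniffer
SEGMENT = [
    Host("fileserver", "00:11:22:33:44:01", "10.0.0.10"),
    Host("alice-pc", "00:11:22:33:44:02", "10.0.0.21"),
    Host("sniffer", "00:11:22:33:44:99", "10.0.0.66", promiscuous=True),
]
PROBER_MAC = "00:11:22:33:44:f0"

if __name__ == "__main__":
    print("alive:      ", liveness_check(SEGMENT, PROBER_MAC))
    print("promiscuous:", probe_for_sniffers(SEGMENT, PROBER_MAC))
```

The control probe matters: without it a host that simply is not running cannot be told apart from one whose card correctly dropped the bogus frame. On real systems the IP stack may apply its own destination-MAC check even when the card is promiscuous, so tools of this kind combine several probes rather than relying on one.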

42/49

L0pht AntiSniff: a Windows-based program to detect sniffers (screenshot)

43/49

Antivirus

Antivirus programs are known to most users. Such programs can be deployed either as:
Standalone: each copy of the program is responsible for protecting the specific host on which it is installed.
Network based: each copy of the program is responsible for protecting the specific host, but they are all managed by an antivirus server.
Note that using an antivirus program without updating its virus database does not provide protection.

44/49

Security Awareness

No matter what security tools are used, if users do not know about security, hacks are going to be common.
There are many ways to educate users on security issues:
Use of seminars
Use of posters
Use of e-mail messages
Enforcing penalties

45/49

Security Awareness (illustration)

46/49

Penetration Testing and Security Analyzers

Security systems must be regularly tested for flaws.
These flaws are usually created by bugs in the software, or by bad management (e.g. bad passwords).
The process of testing a system is called penetration testing.
The process uses a number of hacking / security programs that test a system for a number of known flaws and provide advice on fixing them.

47/49

Microsoft Baseline Security Analyzer: tests the system for known bugs (screenshot)

48/49

Additional Security Measures

Encryption / Decryption
Digital Signatures / PKI
AAA (Authentication, Authorisation, Accounting)
Security Protocols
Physical Security
The Jaguar Paradigm
The Polite Employees Paradigm
Security Policy

49/49

Thank You.