Introduction to Information Security
TRANSCRIPT
-
7/31/2019 Introduction to Informationsecurity 1208374783011543 8
1/49
Part I: What is Security?
Meletis A. Belsis, Information Security Consultant
MPhil / MSc / BSc
CWNA/CWSP, C|EH, CCSA, Network+, ISO27001LA
Computer Crime
-
Setting the Scene
Security is one of the oldest problems that governments, commercial organizations and almost every person has to face.
The need for security has existed since information became a valuable resource.
The introduction of computer systems to business has escalated the security problem even more.
The advances in networking, and especially in distributed systems, have made the need for security even greater.
The Computer Security Institute report notes that in 2003 computer crime costs increased to more than 450 million dollars in the USA alone.
-
Profiling Adversaries
Adversaries that target corporate systems are numerous. They can be broadly classified into the following categories:
Hackers
Employees (both malicious and unintentional)
Terrorist groups
Governments
Opposing industries
-
Security
So now we know that we need security.
BUT what is security anyway?
Many people fail to understand the meaning of the word.
Many corporations install antivirus software and/or a firewall and believe they are protected. Are they?
-
Security through obscurity
Consider some cases:
An internal employee wants revenge on the company and so publishes private corporate information on the NET.
The terrorist attack on the twin towers (in the USA) resulted in many corporations closing. Why?
An employee forgets his laptop in a café. This laptop contains all the corporate private information.
HOW CAN A FIREWALL PROTECT FROM THE PREVIOUS?
-
Security: easy to understand, difficult to implement
"In the real world, security involves processes. It involves preventive technologies, but also detection and reaction processes, and an entire forensics system to hunt down and prosecute the guilty. Security is not a product; it itself is a process."
Bruce Schneier (Secrets and Lies, Wiley and Sons Inc.)
-
Security: easy to understand, difficult to implement
Security comprises a number of tools, processes and techniques.
These in general cover three main requirements:
Confidentiality
Integrity
Availability
Depending on the security requirements a system has, one can concentrate on only one of the previous or on all of them.
A new requirement, enforced by the operation of e-markets, is non-repudiation.
(Diagram: the C-I-A triangle, Confidentiality / Integrity / Availability, shown as the security perspective.)
-
Security: easy to understand, difficult to implement
Computer security is difficult to implement for the following reasons:
The cost of implementing a security system should not exceed the value of the data to be secured.
Industries pay huge amounts of money for industrial espionage.
Users feel that security is going to take their freedom away, and so they often sabotage the security measures.
Computer prices have fallen dramatically and the number of hackers has multiplied.
Security managers work under strict money and time schedules. Criminals do not have any time schedule and they do not need any specialised software.
Hackers often cooperate with known criminals.
That is why total security is almost infeasible.
-
Part II: The Art of Hacking
Attacking Corporate Systems
-
Information Gathering
The first step to hacking is to gather as much information as possible about the target.
This information is later used to draw a map of the corporate network.
This map is used to define and design an attack methodology as well as to identify the needed attack tools.
The extreme case of information gathering is called dumpster diving.
-
Information Gathering: Searching the Corporate Web Site
Searching the corporate web site for information:
Statements like "This site is best viewed with Internet Explorer" could uncover that the company uses Microsoft web server software.
Email addresses. These are used to identify users: [email protected]
Office locations: companies with offices in different countries would probably use a VPN to interconnect them.
Company news
-
Information Gathering : Searching the Internet
Searching the WEB can provide valuable information:
Using the link directive, i.e. link:www.somecompany.com, provides information on the sites that link to the corporate web site.
Searching the greater WEB using the company's name.
Searching public WHOIS databases: these provide information about the domain name of the company.
Searching the ARIN WHOIS database: this provides a database of all registered IP addresses.
Searching technical forums using either the name of the administrator or the name of the company.
-
Information Gathering: Being Polite...
When the initial search has finished, it is time to ASK the network itself. Believe it or not, most networks are quite polite.
DNS interrogation. It can be performed simply by using the nslookup program.
Using the PING command (ICMP Echo) can unveil hosts that are connected and are not protected by a firewall.
Using the TraceRoute command we can identify the IP of the router that connects the corporate network to the Internet.
-
NeoTrace: Windows Based TraceRT
-
Information Gathering: Identify Running Services
Having a map of the hosts that are accessible from the Internet, we must now identify the services they offer and the operating system that is installed on each host.
Special programs like nmap and SuperScan are used to interrogate each port of a host.
Detecting services
The scanner tries to open a connection to each port of the target host (by sending SYN messages).
The open ports that respond show the services that are running.
Detecting the OS
The scanner sends specific erroneous messages to the ports. Operating systems respond with different messages.
-
SuperScan: Windows Based Port Scanner
-
Information Gathering: Scanning Undetected
Many firewalls can detect these scanning attempts, so scanners use some alternative techniques:
Slow scanning
Distributed scanning
Half-open connection
Fragmented packets
XMAS
FIN
FTP bounce
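The two slides above describe service discovery from the attacker's side (SYN probes to each port) and the evasions that make it harder to notice. The following is an added example, not code from the slides, showing the defender's view: a detector that reads firewall log lines and flags a source that touches many distinct ports of one host within a time window. The log format, addresses and thresholds are constructed for the example; the window is deliberately wide so that the "slow scanning" evasion still accumulates enough probes to cross the threshold.

```python
"""Port-scan detection over firewall log lines (added example, constructed data)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, iptables-style log lines (not real traffic). The first block is a
# fast scan, the second a client retrying one port, the third a slow scan with
# one probe every 20 minutes.
SAMPLE_LOG = """\
2019-07-31T02:00:01 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=21 SYN
2019-07-31T02:00:02 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=22 SYN
2019-07-31T02:00:03 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=23 SYN
2019-07-31T02:00:04 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=25 SYN
2019-07-31T02:00:05 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=80 SYN
2019-07-31T02:00:06 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=110 SYN
2019-07-31T02:00:07 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=139 SYN
2019-07-31T02:00:08 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=443 SYN
2019-07-31T02:00:09 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=445 SYN
2019-07-31T02:00:10 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=3389 SYN
2019-07-31T09:15:00 SRC=198.51.100.4 DST=192.0.2.10 PROTO=TCP DPT=443 SYN
2019-07-31T09:15:01 SRC=198.51.100.4 DST=192.0.2.10 PROTO=TCP DPT=443 SYN
2019-07-31T10:00:00 SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP DPT=22 SYN
2019-07-31T10:20:00 SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP DPT=23 SYN
2019-07-31T10:40:00 SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP DPT=25 SYN
2019-07-31T11:00:00 SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP DPT=80 SYN
2019-07-31T11:20:00 SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP DPT=110 SYN
2019-07-31T11:40:00 SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP DPT=139 SYN
"""

def parse_line(line):
    """Return (timestamp, src, dst, dport) for one SYN log line, or None."""
    parts = line.split()
    if len(parts) < 6 or parts[-1] != "SYN":
        return None
    fields = dict(p.split("=", 1) for p in parts[1:-1])
    return (datetime.fromisoformat(parts[0]), fields["SRC"], fields["DST"], int(fields["DPT"]))

def detect_scans(log_text, min_ports=6, window=timedelta(hours=2)):
    """Flag (src, dst) pairs that touched at least min_ports distinct ports within `window`.

    A sliding window over the sorted SYN timestamps lets a slow scan still
    cross the threshold, while a client that retries the same port is never
    counted as more than one port. Returns {(src, dst): max distinct ports seen}.
    """
    events = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            ts, src, dst, dport = rec
            events[(src, dst)].append((ts, dport))
    alerts = {}
    for key, probes in events.items():
        probes.sort()
        start = 0
        for end in range(len(probes)):
            while probes[end][0] - probes[start][0] > window:
                start += 1
            ports = {p for _, p in probes[start:end + 1]}
            if len(ports) >= min_ports:
                alerts[key] = max(alerts.get(key, 0), len(ports))
    return alerts

if __name__ == "__main__":
    for (src, dst), n in detect_scans(SAMPLE_LOG).items():
        print(f"possible port scan: {src} -> {dst}, {n} distinct ports")
```

Because the detector keys on the (source, destination) pair, the "distributed scanning" evasion on the slide splits the probes across sources and stays under the per-source threshold; counting distinct ports per destination regardless of source would catch it, at the price of more false positives on busy hosts.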
-
Password Cracking
Adversaries use two methods to attack passwords:
Brute force: try all key combinations in the password space.
Dictionary: use a dictionary of known words and try each word along with its combinations.
These attacks can be performed either locally or remotely.
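The slide names the two attack methods; the defender's counterpart is a password check that measures a candidate against both. The following is an added example, not from the slides: it undoes the cheap "combinations" a dictionary attack tries (case changes, leet substitutions, a few appended digits or symbols) before looking the word up, and otherwise estimates the brute-force search space from the character classes used. The word list, the 60-bit acceptance line and the one-billion-guesses-per-second attacker speed are assumptions chosen for the example.

```python
"""Password-policy check against dictionary and brute-force attacks (added example)."""
import math
import re
import string

# Constructed mini word list; a real deployment would load a large dictionary.
WORDLIST = {"password", "welcome", "summer", "company", "admin", "letmein"}

# Common leet substitutions, reversed so that "p@ssw0rd" becomes "password".
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})

def dictionary_base(password):
    """Return the dictionary word a password is derived from, or None.

    Lower-cases, strips up to four trailing digits or symbols, then undoes leet
    substitutions; these are the variants a dictionary attack tries first.
    """
    candidate = password.lower()
    candidate = re.sub(r"[\d!?.#*_-]{0,4}$", "", candidate)
    candidate = candidate.translate(LEET)
    return candidate if candidate in WORDLIST else None

def charset_size(password):
    """Size of the union of standard character classes the password draws from."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)
    return size

def brute_force_bits(password):
    """Bits of search space an exhaustive attacker must cover: log2(charset ** length)."""
    return len(password) * math.log2(charset_size(password))

def evaluate(password, guesses_per_second=1e9):
    """Classify a password as 'dictionary', 'weak' or 'ok' with the reasoning."""
    base = dictionary_base(password)
    if base is not None:
        return {"verdict": "dictionary", "reason": f"variant of '{base}'"}
    bits = brute_force_bits(password)
    # Assumed attacker speed: 1e9 guesses/s against an unsalted fast hash.
    years = 2 ** bits / guesses_per_second / (365 * 24 * 3600)
    verdict = "ok" if bits >= 60 else "weak"
    return {"verdict": verdict, "bits": round(bits, 1), "years_to_exhaust": years}

if __name__ == "__main__":
    for pw in ("P@ssw0rd123", "Summer!", "abc123", "xq7#Lm2$Vb9&Tz"):
        print(pw, evaluate(pw))
```

The dictionary check is the cheap one and runs first: a 14-character leet variant of a dictionary word scores well on the brute-force estimate but falls in seconds to a wordlist with rules, which is why a policy based on length and character classes alone is not enough.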
-
L0phtCrack: Windows Password Cracking
-
VIRUSES
Computer viruses are categorised into:
Normal viruses
Trojan horses
WORMS
Today there are more than 2,500 viruses ready to be downloaded.
A user can get infected by:
Running a program
Opening an email
Visiting a web site (evil Trojan)
Opening a .doc file
Today virus creation and mutation centres can be freely downloaded from the Internet.
(Diagram: a program consists of initialization code, program code and ending code. Infecting the start of a program places the virus code before the program code; infecting the end of a program appends the virus code and replaces the start of the program with a pointer to the virus code.)
-
SubSeven: Visual Interface to Control Infected PC
-
Denial of Service Attack (DoS)
The idea behind these attacks is to make the target system unavailable to its authorised users.
Typical attacks include, but are not limited to:
Ping of Death (sending packets of size greater than 65,535)
SYN flooding attack (starting many half-open connections)
Smurf attack (sending requests to a broadcast address with a spoofed IP address)
Domain Name Server DoS (sending DNS queries to multiple DNS servers with a spoofed IP)
-
SYN Flood Attack
(Diagram: the attacker opens many half-open connections to the server, so that a legitimate user's connection cannot be served.)
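The SYN flood on the slide fills the server's table of half-open connections. An administrator sees that table in the connection listing of the host, so the following added example (not from the slides) parses a constructed netstat-style listing, counts connections stuck in SYN_RECV per local port and per remote source, and alerts when the backlog exceeds a threshold. The listing, addresses and both thresholds are constructed for the example.

```python
"""Half-open connection monitoring for SYN-flood detection (added example)."""
from collections import Counter

# Constructed output in the shape of `netstat -ant` (not from a real host).
NETSTAT_SAMPLE = """\
Proto Recv-Q Send-Q Local Address        Foreign Address      State
tcp        0      0 192.0.2.10:80        198.51.100.4:51022   ESTABLISHED
tcp        0      0 192.0.2.10:80        198.51.100.5:40311   ESTABLISHED
tcp        0      0 192.0.2.10:80        203.0.113.7:1025     SYN_RECV
tcp        0      0 192.0.2.10:80        203.0.113.7:1026     SYN_RECV
tcp        0      0 192.0.2.10:80        203.0.113.7:1027     SYN_RECV
tcp        0      0 192.0.2.10:80        203.0.113.7:1028     SYN_RECV
tcp        0      0 192.0.2.10:80        203.0.113.7:1029     SYN_RECV
tcp        0      0 192.0.2.10:80        203.0.113.8:2001     SYN_RECV
tcp        0      0 192.0.2.10:80        203.0.113.8:2002     SYN_RECV
tcp        0      0 192.0.2.10:80        203.0.113.8:2003     SYN_RECV
tcp        0      0 192.0.2.10:25        198.51.100.6:33001   ESTABLISHED
tcp        0      0 192.0.2.10:25        198.51.100.7:33002   SYN_RECV
"""

def parse_netstat(text):
    """Yield (local_port, remote_ip, state) for each TCP row of the listing."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6 or parts[0] != "tcp":
            continue  # header line or non-TCP row
        local, foreign, state = parts[3], parts[4], parts[5]
        yield int(local.rsplit(":", 1)[1]), foreign.rsplit(":", 1)[0], state

def half_open_report(text):
    """Per local port: half-open and established counts, and which sources hold the half-open ones."""
    report = {}
    for port, remote, state in parse_netstat(text):
        entry = report.setdefault(port, {"half_open": 0, "established": 0, "sources": Counter()})
        if state == "SYN_RECV":
            entry["half_open"] += 1
            entry["sources"][remote] += 1
        elif state == "ESTABLISHED":
            entry["established"] += 1
    return report

def syn_flood_alerts(text, max_half_open=5, max_per_source=3):
    """Ports whose half-open backlog exceeds max_half_open, with the sources
    that each hold more than max_per_source unfinished handshakes."""
    alerts = {}
    for port, entry in half_open_report(text).items():
        if entry["half_open"] > max_half_open:
            suspects = [ip for ip, n in entry["sources"].items() if n > max_per_source]
            alerts[port] = {"half_open": entry["half_open"], "suspects": suspects}
    return alerts

if __name__ == "__main__":
    for port, info in syn_flood_alerts(NETSTAT_SAMPLE).items():
        print(f"port {port}: {info['half_open']} half-open connections, suspects {info['suspects']}")
```

When the flood uses spoofed source addresses (the usual case), the half-open entries spread over many sources and the per-source list stays empty; the total backlog per port is then the signal that matters, and the usual mitigations are SYN cookies and a larger backlog on the server rather than blocking individual sources.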
-
Smurf Attack
(Diagram: the attacker sends ICMP Echo requests to the broadcast addresses of networks A, B and C with the target's spoofed source address; every terminal in each network replies to the target system.)
-
Domain Name System DoS
(Diagram: the attacker sends queries with the target's spoofed IP to DNS servers 1 to 4; the results of the attacker's queries are all delivered to the target.)
-
Distributed Denial of Service (DDoS)
Hackers have used the distributed power the Internet offers.
Tools now perform DoS attacks from multiple hosts at the same time.
Examples are:
Tribal Flood Network
TFN2K
Stacheldraht
(Diagram: the attacker's client software sends commands to server software (zombies) installed on several hosts, which all send packets to the target host.)
-
Sniffing
Ethernet provides the ability to run a network card in promiscuous mode. This allows the card to read any packet travelling on the network.
Sniffing software uses this to read all data transmitted on the local net.
Sniffers can be programmed to steal information associated only with specific protocols or programs, i.e. read all information from HTTP packets only.
Some sniffers can even be programmed to transmit sniffed passwords back to the attacker.
The first and most used sniffer is tcpdump.
-
SnifferPro: A windows based Sniffer
-
System Flaws and Exploits
Most systems today contain bugs. These come either from the system designers, the implementers or the ones that manage the system.
Hackers can use these bugs to gain access to systems. Examples of such are:
Default accounts
Poor user accounts
Allowing outside anonymous Telnet connections to the web server
Allowing trusted connections
Buffer overflows
Allowing banners in services
Allowing NetBIOS over TCP/IP when not needed
The Internet has a vast amount of software that tests a given server for a number of such exploits.
-
Simpsons: A CGI vulnerability scanner
-
Social Engineering
One of the oldest and easiest forms of hacking.
"Hello, I am . My user name is . I am new to the company, but I forgot my system password and my manager asked me to find him some files. If I tell him that I forgot my password, I am afraid that he is going to fire me. Please help."
"OK. Do not cry now. That is what we are here for. I am going to reset your password to newpassword. Just do not forget it again."
"Oh, thank you so much. I am going to buy the coffee when we meet. You are a lifesaver."
(The scenario works even better if the hacker is a female and the administrator is a male.)
-
IP Spoofing
Hackers usually change the IP address in their datagrams. This happens for two reasons:
To avoid getting caught.
To bypass security tools and systems that allow trusted connections.
Changing just the IP is called a blind attack, because the hacker never sees the response from the target.
In order to see the response the hacker has a number of ways:
Install a sniffer on the target network.
Use source routing.
Use ICMP redirect.
If both hacker and target are located on the same network, use ARP spoofing.
DNS cache poisoning.
Software programs like A4 Proxy allow hackers to use a number of anonymous servers before they attack. Thus their real IP is almost untraceable.
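The spoofed datagrams described on this slide, and the spoofed broadcast requests of the Smurf attack earlier, can be dropped at the border router before they reach anything: a packet arriving from the Internet must not claim one of our own addresses, and a packet leaving our network must carry one of our own addresses. The following is an added example, not from the slides, of that ingress and egress check in the style of RFC 2827 ingress filtering. The address plan (192.0.2.0/24 public, 10.0.0.0/8 internal) and the interface names are assumptions for the example.

```python
"""Ingress/egress source-address filtering against spoofed datagrams (added example)."""
import ipaddress

# Assumed address plan: our public block and the internal private space we use.
OUR_PREFIXES = [ipaddress.ip_network("192.0.2.0/24"), ipaddress.ip_network("10.0.0.0/8")]

# Source addresses that should never arrive on an Internet-facing interface.
BOGON_PREFIXES = [
    ipaddress.ip_network("0.0.0.0/8"),
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

def _in_any(addr, prefixes):
    return any(addr in p for p in prefixes)

def filter_packet(iface, src, dst):
    """Return 'accept' or a drop reason for a packet seen on the border router.

    iface is 'outside' (arriving from the Internet) or 'inside' (leaving the LAN).
    """
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if iface == "outside":
        # Ingress: a packet from the Internet claiming one of our addresses is
        # spoofed, which is exactly how a trusted-connection bypass would look.
        if _in_any(src_ip, OUR_PREFIXES):
            return "drop: spoofed internal source on outside interface"
        if _in_any(src_ip, BOGON_PREFIXES):
            return "drop: bogon source"
        if not _in_any(dst_ip, OUR_PREFIXES):
            return "drop: not destined to us"
        return "accept"
    if iface == "inside":
        # Egress: our hosts may only send with our own source addresses, so a
        # compromised machine cannot spoof a victim's address in a Smurf-style attack.
        if not _in_any(src_ip, OUR_PREFIXES):
            return "drop: egress source not ours"
        return "accept"
    raise ValueError(f"unknown interface {iface}")

def apply_policy(packets):
    """Run filter_packet over (iface, src, dst) tuples and return the verdicts in order."""
    return [filter_packet(*pkt) for pkt in packets]

if __name__ == "__main__":
    # Constructed sample packets.
    sample = [("outside", "203.0.113.7", "192.0.2.10"),
              ("outside", "192.0.2.10", "192.0.2.20"),
              ("inside", "203.0.113.7", "198.51.100.1")]
    for pkt, verdict in zip(sample, apply_policy(sample)):
        print(pkt, "->", verdict)
```

Egress filtering does nothing for our own hosts but protects everyone else: a network that applies it cannot be used as the source of spoofed traffic, and if every network did, the blind spoofing on the slide would not be possible at all.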
-
A4 Proxy: Using multiple anonymous proxies to hide the IP address
-
The Next Step
So now I am in. What am I doing next?
1. If you do not already have it, try to gain root access.
2. Find and clear log files.
3. Install a root kit to ensure that you will have access in the future.
-
Part III: Protecting Corporate Systems
Information Security Measures
-
Is it possible ?
Total security is not feasible.
Systems must be secured depending on their value.
Security measures are applied according to the threat level a system has.
The first step is to understand the threats to your corporate systems. This can be done by a risk analysis process. In this stage remember that security is a business requirement.
-
Creating a DMZ zone
The first security measure is to seal the internal network from the outside world.
This is performed by developing a network called a Demilitarized Zone (DMZ).
The DMZ contains all the servers that must be accessible from the outside world.
NOTE that we must always assume that servers in the DMZ are going to be hacked at some point.
(Diagram: Internet, firewall, DMZ with web server and SMTP server, firewall, internal network with clients.)
-
Firewalls
Firewalls exist in two types:
Packet filters: these operate on the protocol level. They use a firewalling policy to allow a packet to pass or to drop it.
Proxy servers: these operate at the application level. They are always located between the user's requests and the server's response, thus allowing us to enforce policies on which users can access the Internet and on which port.
Packet filters are usually located on the router, while proxies are installed on computers.
A network may use any number of the previous depending on its size and architecture.
Known firewalls are Checkpoint's Firewall-1, Cisco PIX and Microsoft's ISA.
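The DMZ slide says to assume that the servers in the DMZ will be hacked at some point, and this slide says a packet filter decides per packet from a policy. Put together, the policy has to let the Internet reach the web and SMTP servers while never letting a DMZ host open a connection into the internal network. The following is an added example, not from the slides, of a first-match packet-filter policy with a default deny for the two-firewall layout on the DMZ slide; the zone prefixes and rule set are constructed for the example.

```python
"""First-match packet-filter policy for a two-firewall DMZ (added example)."""
import ipaddress

# Assumed zones; the Internet is everything not in the two named prefixes.
ZONES = {
    "dmz": ipaddress.ip_network("192.0.2.0/24"),
    "internal": ipaddress.ip_network("10.0.0.0/8"),
}

def zone_of(ip):
    """Zone containing ip; 'internet' is the catch-all."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"

# Rules as (from_zone, to_zone, proto, dport or None for any, action), evaluated in order.
POLICY = [
    ("internet", "dmz", "tcp", 80, "allow"),       # public web server
    ("internet", "dmz", "tcp", 25, "allow"),       # inbound mail to the SMTP relay
    ("internal", "dmz", "tcp", 25, "allow"),       # internal clients to the relay
    ("internal", "internet", "tcp", 80, "allow"),  # browsing
    ("internal", "internet", "tcp", 443, "allow"),
    ("dmz", "internal", "tcp", None, "deny"),      # a hacked DMZ host must not reach inside
    ("internet", "internal", "tcp", None, "deny"),
]

def evaluate(src, dst, proto, dport):
    """Return (action, index of the matching rule); anything unmatched is denied."""
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    for i, (from_zone, to_zone, rule_proto, rule_port, action) in enumerate(POLICY):
        if (from_zone == src_zone and to_zone == dst_zone and rule_proto == proto
                and (rule_port is None or rule_port == dport)):
            return action, i
    return "deny", None

def audit(packets):
    """Evaluate (src, dst, proto, dport) tuples; return the denied ones with their reason."""
    denied = []
    for pkt in packets:
        action, rule = evaluate(*pkt)
        if action == "deny":
            denied.append((pkt, "default deny" if rule is None else f"rule {rule}"))
    return denied

if __name__ == "__main__":
    # Constructed sample traffic.
    sample = [("203.0.113.7", "192.0.2.10", "tcp", 80),
              ("203.0.113.7", "192.0.2.10", "tcp", 23),
              ("192.0.2.10", "10.1.1.5", "tcp", 445),
              ("10.1.1.5", "203.0.113.7", "tcp", 443)]
    for pkt, reason in audit(sample):
        print("denied", pkt, reason)
```

The two explicit deny rules at the end are redundant with the default deny; they are there so that a later "allow" added carelessly below them cannot open the DMZ-to-internal path, and so that the audit can name the rule rather than the catch-all.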
-
Intrusion Detection Systems (IDS)
Intrusion detection systems are used to detect attacks on the network and inform the administrator.
IDS are organised into two categories:
Signature based: they hold a database of known attacks and test packets against the data stored in the database.
Anomaly based: they test the traffic against anomalies, i.e. why does the network have such heavy traffic at 2 in the morning?
When the IDS detects an attack it informs the administrator in a number of ways: email, SMS, pager.
(Diagram: IDS sensors placed in the DMZ and on the internal network behind the router, both reporting to a security management console.)
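The two IDS categories on the slide are easiest to compare on the same traffic. The following is an added example, not from the slides: a signature detector that matches known byte patterns in payloads, and an anomaly detector that learns a per-hour byte baseline from normal traffic and flags hours that sit far above it, which is the "heavy traffic at 2 in the morning" case. The flow records, the two signatures and the z-score threshold are constructed for the example; the signatures illustrate the mechanism and are not a real rule set.

```python
"""Signature-based and anomaly-based detection side by side (added example)."""
import re
import statistics
from collections import defaultdict

# Constructed signatures keyed by name (illustrative patterns, not a real rule set).
SIGNATURES = {
    "default-account-login": re.compile(rb"USER (admin|guest)\r\nPASS (admin|guest|)\r\n"),
    "oversized-ping": re.compile(rb"ICMP-ECHO len=(\d{5,})"),
}

# Each record: (hour, src, dst, bytes, payload). Constructed sample traffic.
FLOWS = [
    (9, "10.1.1.5", "192.0.2.10", 120_000, b"GET / HTTP/1.0\r\n"),
    (10, "10.1.1.6", "192.0.2.10", 130_000, b"GET /news HTTP/1.0\r\n"),
    (11, "10.1.1.7", "192.0.2.11", 110_000, b"EHLO mail\r\n"),
    (14, "10.1.1.5", "192.0.2.10", 125_000, b"GET /about HTTP/1.0\r\n"),
    (16, "10.1.1.8", "192.0.2.10", 115_000, b"GET / HTTP/1.0\r\n"),
    (2, "203.0.113.7", "192.0.2.11", 900_000, b"USER admin\r\nPASS admin\r\n"),
    (2, "203.0.113.7", "192.0.2.10", 850_000, b"ICMP-ECHO len=65600"),
]

# Normal business-hours traffic used to train the anomaly detector.
BASELINE = [f for f in FLOWS if f[1].startswith("10.")]

def signature_matches(flows):
    """Return (signature name, src, dst) for every payload matching a known pattern."""
    hits = []
    for _, src, dst, _, payload in flows:
        for name, pattern in SIGNATURES.items():
            if pattern.search(payload):
                hits.append((name, src, dst))
    return hits

def hourly_bytes(flows):
    """Total bytes per hour of day."""
    totals = defaultdict(int)
    for hour, _, _, nbytes, _ in flows:
        totals[hour] += nbytes
    return totals

def anomalous_hours(baseline_flows, observed_flows, z_threshold=3.0):
    """Hours in observed_flows whose byte volume is more than z_threshold
    standard deviations above the baseline's per-hour mean.

    Returns a list of (hour, bytes, z_score) sorted by hour.
    """
    base = list(hourly_bytes(baseline_flows).values())
    mean, stdev = statistics.mean(base), statistics.pstdev(base)
    flagged = []
    for hour, total in sorted(hourly_bytes(observed_flows).items()):
        z = (total - mean) / stdev if stdev else float("inf")
        if z > z_threshold:
            flagged.append((hour, total, round(z, 1)))
    return flagged

if __name__ == "__main__":
    for hit in signature_matches(FLOWS):
        print("signature:", hit)
    for hour, total, z in anomalous_hours(BASELINE, FLOWS):
        print(f"anomaly: {total} bytes at {hour:02d}:00 (z={z})")
```

The trade-off the slide implies is visible here: the signature detector names the attack but only knows what is in its database, while the anomaly detector would have flagged the 02:00 traffic even with no signatures at all, but can only say that it is unusual and will also fire on a legitimate overnight backup unless that is part of the baseline.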
-
Honey Pots
These are the sacrificial lambs of a network.
Honey pots are software programs that, when installed on a computer, can simulate a number of systems, i.e.:
Windows NT Server
Unix Server
Apache Server
Microsoft Exchange Server
These simulated systems look unprotected from the outside world (i.e. open ports, default accounts, known exploits).
Hackers scanning for victims detect the simulated systems and try to hack them. The honey pots allow hackers to enter but record all their moves and inform the administrator.
Honey pots can be installed either in the DMZ or in the local network.
-
Anti sniffing
The general idea is to make the sniffing host reply to a message that it should not be able to listen to.
For example, create a packet with a fake MAC address but with the IP address of the suspected host. If the host acknowledges the packet then it is in promiscuous mode.
Another way is to transmit unencrypted login details for a fake (honey pot) server to the network. If someone tries to use this account then someone is sniffing the network.
NOTE that using switches instead of hubs will make a sniffer's life much more difficult.
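The bogus-MAC probe above works because of the difference between the sniffing slide's promiscuous mode and a normal card's hardware filter. The following is an added example, not from the slides, that models both: a host whose NIC either filters frames by destination MAC or, in promiscuous mode, passes everything up to the IP stack, which then answers an ICMP echo addressed to its IP. The classes are a simulation written to show the logic of the probe, not a packet-crafting tool, and the MAC and IP values are constructed.

```python
"""Model of the bogus-MAC promiscuous-mode probe (added example, simulation only)."""
BROADCAST = "ff:ff:ff:ff:ff:ff"

class Host:
    """A host with one NIC; `promiscuous` controls whether the NIC filters by MAC."""

    def __init__(self, mac, ip, promiscuous=False):
        self.mac, self.ip, self.promiscuous = mac, ip, promiscuous

    def nic_accepts(self, frame):
        """Hardware filter: only own MAC or broadcast, unless in promiscuous mode."""
        return self.promiscuous or frame["dst_mac"] in (self.mac, BROADCAST)

    def receive(self, frame):
        """Return an echo-reply frame if the frame reaches the IP stack and targets this host."""
        if not self.nic_accepts(frame):
            return None
        if frame["dst_ip"] == self.ip and frame["type"] == "echo-request":
            return {"dst_mac": frame["src_mac"], "src_mac": self.mac,
                    "dst_ip": frame["src_ip"], "src_ip": self.ip, "type": "echo-reply"}
        return None

def probe_for_sniffer(target, prober_mac="00:00:5e:00:53:01", prober_ip="192.0.2.99"):
    """Send an echo request to target.ip inside a frame with a bogus destination MAC.

    A normal NIC discards the frame, so only a promiscuous host can reply.
    """
    bogus_mac = "ff:ff:ff:ff:ff:fe"   # resembles broadcast but is not, so a normal NIC drops it
    frame = {"dst_mac": bogus_mac, "src_mac": prober_mac,
             "dst_ip": target.ip, "src_ip": prober_ip, "type": "echo-request"}
    return target.receive(frame) is not None

def sweep(hosts):
    """Return the IPs of hosts that answered the bogus-MAC probe."""
    return [h.ip for h in hosts if probe_for_sniffer(h)]

if __name__ == "__main__":
    # Constructed LAN: one normal host, one with its card in promiscuous mode.
    lan = [Host("00:00:5e:00:53:10", "192.0.2.10"),
           Host("00:00:5e:00:53:11", "192.0.2.11", promiscuous=True)]
    print("hosts in promiscuous mode:", sweep(lan))
```

On real hardware the result depends on how much filtering the operating system repeats in software above the card, so a silent host is not proof that it is clean; the probe finds careless sniffers, and the switch-instead-of-hub note on the slide limits what even a careful one can see.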
-
L0pht AntiSniff: A Windows based program to detect sniffers
-
Antivirus
Antivirus programs are known to most users. Such programs can be deployed either as:
Standalone: each copy of the program is responsible for protecting the specific host on which it is installed.
Network based: each copy of the program is responsible for protecting the specific host, but they are all managed by an antivirus server.
Note that using an antivirus program without updating its virus database does not provide protection.
-
Security Awareness
No matter what security tools are going to be used, if users do not know about security, hacks are going to be common.
There are many ways to educate users on the issues of security:
Use of seminars
Use of posters
Use of e-mail messages
Enforce penalties
-
Security Awareness
-
Penetration Testing and Security analyzers
Security systems must be regularly tested for flaws.
These flaws are usually created by bugs in the software programs, or by bad management (i.e. bad passwords).
The process of testing a system is called penetration testing.
The process uses a number of hacking / security programs that test a system for a number of known flaws and provide advice on securing them.
-
Microsoft Baseline Security Analyzer: Tests the systems for known bugs
-
Additional Security Measures
Encryption / Decryption
Digital Signatures / PKI
AAA
Security Protocols
Physical Security
The Jaguar Paradigm
The Polite Employees Paradigm
Security Policy
-
Thank You.