Organisational Systems Security
TOPIC 1: Potential Threats to ICT Systems and Organization
PART 1: Unauthorised Access
Alexie Erese Ballon, IT Academy

Posted 07-Apr-2015, 46 pages

TRANSCRIPT

Page 1: OSS Topic 1 Part 1

Organisational Systems Security

TOPIC 1: Potential Threats to ICT Systems and Organization
PART 1: Unauthorised Access

Alexie Erese Ballon, IT Academy

Page 2: OSS Topic 1 Part 1

Introduction

In the management of any networked computer system, ICT professionals need to consider every aspect of the system’s security to protect the corporate interests of the organization it supports.

This unit describes threats, methods of securing systems and their impact on various organizations.

Page 3: OSS Topic 1 Part 1

1. Potential Threats to ICT Systems and Organization

The landscape of threats to an organization and the ICT which supports it is constantly changing, with new, imaginative and often destructive ideas being inflicted on the world at large all the time. This topic looks at potential threats and their impact on organizations. These include: methods for gaining unauthorized access, damage and destruction of systems and information, information security, e-commerce threats, counterfeit goods and the overall impact of threats on organizations.

Page 4: OSS Topic 1 Part 1

1.1 Unauthorized Access

Gaining unauthorized access is the desire of all hackers and budding cyber criminals. Ensuring they do not achieve their heart’s desire is one of the many roles of the ICT professional.

Page 5: OSS Topic 1 Part 1

1.1.1 Internal and External Threats

To appreciate the types of threats posed to any system, you need to identify the different internal and external threats in existence.

Unfortunately, you cannot rely on all the people using your network to be entirely trustworthy.

Page 6: OSS Topic 1 Part 1

1.1.1 Internal and External Threats (continued)

Internal threats and external threats may include the following:

Internal threats (from within your system):

• Use of scanners
• Man in the middle attacks
• Magic disk tactics
• Key logging
• Forging data

External threats (from outside the network infrastructure):

• Virus attacks
• Trojans
• Worms
• Hacking with piggybacking, tunnels and probes
• Phishing and identity theft

Page 7: OSS Topic 1 Part 1

Scanners

Scanners enable unscrupulous people to establish what methods may be used to ‘attack’ a system. They range from very simple to advanced, depending on the tactics used. Scanners are freely available for download on the Internet and can scan a range of addresses, identifying which hosts are active and which TCP ports are visible.

Page 8: OSS Topic 1 Part 1

What does it mean?

Scanners are software utilities used to analyze vulnerabilities in a network.

Page 9: OSS Topic 1 Part 1

Scanners (continued)

Some scanners use DNS to map the discovered IP address to a domain name. This tactic is used by hackers to establish what systems are active and therefore available to hack.

Scanners do have a legitimate use in allowing network professionals to check computers and other network devices remotely.

Page 10: OSS Topic 1 Part 1

Scanners (continued)

There are a range of scanners for legitimate purposes which can be obtained easily, each serving a different specialist purpose, including: looking at a range of addresses, conducting a deep probe of one system and scanning a wireless system.

Page 11: OSS Topic 1 Part 1

Scanners (continued)

Range of Addresses: A simple, visual and fast scanner which looks at a range of addresses is the Angry IP Scanner, which can be downloaded from the Angryziber Software website (go to www.heinemann.co.uk/hotlinks and enter the express code 2315P).

This can be used to scan a large range of IP addresses at high speed and can be used to check TCP ports during the scanning process.
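The defender’s side of the scanners described above is spotting one in your own logs: a single source touching many distinct ports on one host in a short time. The following is an added example, not code from the deck or from either scanner product; the log format and the sample lines are constructed for illustration.

```python
"""Detect port-scan activity in connection-attempt logs.

Added example for the 'Scanners' slides; it is not code from the original
deck. The log format is constructed for this example:
    "<epoch seconds> <src_ip> <dst_ip> <dst_port> <ACCEPT|DROP>"
"""
from collections import defaultdict

# Constructed sample lines, not real traffic. 10.0.0.5 touches eight
# different ports on 10.0.0.20 within five seconds (scanner behaviour);
# 10.0.0.7 makes two ordinary web connections ninety seconds apart.
SAMPLE_LOG = """\
1700000000 10.0.0.5 10.0.0.20 22 DROP
1700000001 10.0.0.5 10.0.0.20 23 DROP
1700000001 10.0.0.5 10.0.0.20 25 DROP
1700000002 10.0.0.5 10.0.0.20 80 ACCEPT
1700000002 10.0.0.5 10.0.0.20 110 DROP
1700000003 10.0.0.5 10.0.0.20 143 DROP
1700000003 10.0.0.5 10.0.0.20 443 ACCEPT
1700000004 10.0.0.5 10.0.0.20 3389 DROP
1700000000 10.0.0.7 10.0.0.20 80 ACCEPT
1700000090 10.0.0.7 10.0.0.20 443 ACCEPT
"""


def parse_line(line):
    """Split one log line into (timestamp, src, dst, port, action)."""
    ts, src, dst, port, action = line.split()
    return int(ts), src, dst, int(port), action


def detect_port_scans(log_text, min_ports=6, window_seconds=30):
    """Return {(src, dst): sorted_ports} for every source that touched at
    least `min_ports` distinct ports on one destination inside any
    `window_seconds`-long interval. DROP and ACCEPT both count: a scanner
    learns something from either response."""
    attempts = defaultdict(list)          # (src, dst) -> [(ts, port), ...]
    for line in log_text.splitlines():
        if line.strip():
            ts, src, dst, port, _ = parse_line(line)
            attempts[(src, dst)].append((ts, port))

    alerts = {}
    for pair, hits in attempts.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            # distinct ports seen in the window that opens at attempt i
            ports = {p for t, p in hits[i:] if t - start <= window_seconds}
            if len(ports) >= min_ports:
                alerts[pair] = sorted(ports)
                break
    return alerts


if __name__ == "__main__":
    for (src, dst), ports in detect_port_scans(SAMPLE_LOG).items():
        print(f"possible scan: {src} -> {dst}, {len(ports)} ports: {ports}")
```

The thresholds are the tuning knobs: a lower `min_ports` catches slow, careful scans but also flags a busy monitoring host, so in practice the allowlist of your own scanners is applied before this check.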

Page 12: OSS Topic 1 Part 1

Angry IP Scanner

Angry IP Scanner is an IP and port scanner tool for analyzing networks

Page 13: OSS Topic 1 Part 1

Scanners (continued)

Deep Probe: Completing a deep probe can reveal useful information about a device, and can be used when there is a remote fault as well as to gain illicit information. Considered by many to be the best at this is Nmap, which can be downloaded from the Insecure website (go to www.heinemann.co.uk/hotlinks and enter the express code 2315P).

Nmap is a command-line tool which offers many scanning options.

Page 14: OSS Topic 1 Part 1

Nmap featured in Movies

[Screenshots: Nmap featured in Die Hard 4: Live Free or Die Hard (left) and in The Bourne Ultimatum (right)]

Page 15: OSS Topic 1 Part 1

Scanners (continued)

Scanning a wireless system: Wireless systems are especially vulnerable if there is no encryption. But in mobile networking, there is a need to establish where the wireless access points are and how they can be accessed if you are to connect your laptop, PDA or mobile phone.

Many ‘scanning’ tools for wireless networks are available via the Internet, many of them intended to gain illicit access. Tools such as the Retina Network Security Scanner (which can be downloaded from the eEye Digital Security website, accessed via www.heinemann.co.uk/hotlinks by entering the express code 2315P) allow professionals the legitimate opportunity to find access points within range of the mobile device.

Page 16: OSS Topic 1 Part 1

ARP Poisoning

Switch-based networks have long been considered to be very secure as they create micro-segments within the system.

However, techniques such as “ARP poisoning” have rendered this idea useless, with the man in the middle attack being an issue on many corporate networks.

Page 17: OSS Topic 1 Part 1

ARP Poisoning con’t

[Diagram: The Man in the Middle Attack. Before: Victim <-> Default Gateway. After: Victim <-> Man in the Middle <-> Default Gateway.]

Page 18: OSS Topic 1 Part 1

ARP Poisoning con’t

To overcome this threat, a network manager has to monitor the memory of any network switch, to check if any MAC address appears in more than one location, even momentarily.

Ettercap is considered by the networking industry to be the primary ARP poisoning tool and can be used to generate as well as prevent attacks (http://ettercap.sourceforge.net/download.php).

Page 19: OSS Topic 1 Part 1

What does it mean?

Micro-segments are a method of dividing network traffic into a “network per cable” system to increase speed and reliability.

ARP stands for Address Resolution Protocol. It is used to match IP addresses to MAC addresses.

A computer carrying out a man in the middle attack tricks the victim into thinking it is the default gateway, and tricks the default gateway into thinking it is the victim computer.

MAC stands for Media Access Control. The MAC address is the address hardcoded into your computer’s wired or wireless network card.
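The monitoring the ARP poisoning slides call for (watching for a MAC address that appears in more than one place) can be expressed as a small watcher over the stream of ARP replies seen on a segment. The following is an added example, not code from the deck or from Ettercap; the gateway address, the host addresses and the reply sequence are constructed for illustration.

```python
"""Monitor ARP replies for the symptom the slide describes: one MAC address
turning up in more than one place. Added example, not code from the deck or
from Ettercap. All addresses below are constructed for the example."""

GATEWAY_IP = "192.168.1.1"   # assumed gateway address for the sample LAN

# Constructed ARP reply stream (ip, mac). The last two replies are what a
# poisoning attempt looks like on the wire: the attacker's MAC answers for
# the gateway's IP and then for the victim's IP.
SAMPLE_REPLIES = [
    ("192.168.1.1",  "00:11:22:33:44:01"),   # genuine gateway
    ("192.168.1.10", "00:11:22:33:44:10"),   # victim workstation
    ("192.168.1.50", "de:ad:be:ef:00:99"),   # attacker's own host
    ("192.168.1.1",  "de:ad:be:ef:00:99"),   # gateway IP now claimed by attacker MAC
    ("192.168.1.10", "de:ad:be:ef:00:99"),   # victim IP also claimed by attacker MAC
]


class ArpWatcher:
    """Keeps the last known MAC per IP and raises alerts on suspicious changes."""

    def __init__(self, gateway_ip):
        self.gateway_ip = gateway_ip
        self.table = {}      # ip -> mac, our own copy of the ARP cache
        self.alerts = []

    def observe(self, ip, mac):
        mac = mac.lower()
        previous = self.table.get(ip)
        if previous is not None and previous != mac:
            # A legitimate NIC swap or DHCP address reuse also triggers this,
            # so it is a signal to investigate, not proof of an attack.
            self.alerts.append(("mac-changed", ip, previous, mac))
        self.table[ip] = mac

        # Strongest signal: one MAC answering for the gateway *and* for
        # another host, which is exactly the man-in-the-middle position.
        ips_for_mac = [i for i, m in self.table.items() if m == mac]
        if self.gateway_ip in ips_for_mac and len(ips_for_mac) > 1:
            self.alerts.append(("mac-claims-gateway-and-host", mac,
                                tuple(sorted(ips_for_mac))))


def run_watch(replies, gateway_ip=GATEWAY_IP):
    """Feed a sequence of (ip, mac) replies through a watcher; return its alerts."""
    watcher = ArpWatcher(gateway_ip)
    for ip, mac in replies:
        watcher.observe(ip, mac)
    return watcher.alerts


if __name__ == "__main__":
    for alert in run_watch(SAMPLE_REPLIES):
        print(alert)
```

On a real switch the same check is done against the MAC address table (one MAC on two ports) or by enabling Dynamic ARP Inspection, which validates replies against DHCP snooping records; the watcher above is the portable version of that idea.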

Page 20: OSS Topic 1 Part 1

Magic Disks

“Magic disk” is a collective term for all the boot disks which can be downloaded from the Internet to restart a computer and subvert the operating system.

Some magic disks like the “Ultimate Boot CD” are useful in resolving issues with viruses and trojans as well as drive, hardware and operating system failures.

Page 21: OSS Topic 1 Part 1

Magic Disks con’t

When you start a computer, your system can boot from the USB, CD/DVD or a floppy. As your operating system is resident on the hard drive, anyone with basic knowledge of BIOS configuration can select any of the other boot options.

Some magic disks are used to scan your hard drive for SAM (Security Accounts Manager) files; these contain username and password hashes. Once found, the magic disk will use analysis techniques such as rainbow tables to find the administrator password for the computer.

To prevent anyone from using a magic disk, it is prudent to password lock the BIOS and prevent anyone from being able to use USB sticks, floppy disks and CD/DVDs as boot devices.

Page 22: OSS Topic 1 Part 1

Key Loggers

A key logger is an application which will record all key strokes (and in some cases mouse activity) and send the information to a file or, in many cases, to a remote network location.

Most key loggers are hidden applications and can be “found” using the latest definitions on an anti-virus application.

Page 23: OSS Topic 1 Part 1

Key Loggers con’t

If you suspect there is an undetected key logger running on your system, an alternative technique to discover activity is to run a protocol scanner, which looks at the contents of each data packet.

Applications like Wireshark (formerly called Ethereal) can “watch” all outgoing traffic from your computer, which may reveal some interesting activity from many applications.

Page 24: OSS Topic 1 Part 1

What does it mean?

A password hash is a mathematical representation of a password, not the password itself.

A rainbow table is a list of all possible hashes, often compressed and indexed for fast searching.

In the context of an anti-virus application, a definition is a database entry about applications which are not trusted: trojans, worms or viruses.
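The magic disk slide (hashes recovered from a SAM file and reversed with a precomputed table) and the definitions above come down to one property: an unsalted hash of a given password is always the same value, so it can be looked up. The following is an added example, not code from the deck; it uses a plain hash-to-password dictionary as a stand-in for a rainbow table (a real one stores compressed chains, as the definition says) and a constructed candidate list, password and salt. Windows NT hashes are unsalted, which is why the table approach works against them.

```python
"""Why a lookup table of precomputed hashes works against unsalted hashes
and why a per-user salt defeats it. Added example, not from the deck.
The candidate list, passwords and salt are constructed for the example."""
import hashlib
import os

# Constructed 'dictionary' standing in for the password space a table covers.
CANDIDATES = ["password", "letmein", "qwerty", "Summer2015", "hunter2"]


def unsalted_hash(password):
    """Plain digest of the password: identical password -> identical hash."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_hash(password, salt):
    """Digest of salt || password; the salt is stored next to the hash."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def slow_salted_hash(password, salt, iterations=200_000):
    """Salted *and* deliberately slow (PBKDF2), which also raises the cost of
    building a table per salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def build_lookup_table(candidates):
    """Precompute hash -> password once; reuse it against every stolen hash."""
    return {unsalted_hash(p): p for p in candidates}


def reverse_hash(table, digest):
    """The 'analysis' step against an unsalted store is a dictionary read."""
    return table.get(digest)


def demo():
    """Reverse an unsalted digest, then fail to reverse a salted one."""
    table = build_lookup_table(CANDIDATES)
    stolen_unsalted = unsalted_hash("letmein")   # constructed: from an unsalted store
    salt = os.urandom(16)                         # random per-user salt
    stolen_salted = salted_hash("letmein", salt)  # same password, different digest
    return reverse_hash(table, stolen_unsalted), reverse_hash(table, stolen_salted)


if __name__ == "__main__":
    found, not_found = demo()
    print("unsalted digest reversed to:", found)      # letmein
    print("salted digest reversed to:", not_found)    # None
```

The salted digest is not in the table because the table would have to be rebuilt for every salt value; with 16 random bytes per user that is not feasible, and a slow KDF such as `slow_salted_hash` multiplies the cost of even a targeted rebuild.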

Page 25: OSS Topic 1 Part 1

1.1.2 Access Causing Damage to Data or Jamming Resources

In gaining unauthorised access, the software used may cause damage to data or jamming (restricting) resources. Some attacks may have the intent of accessing systems or data without damage, and the impact may initially go unnoticed.

Whatever the intent, an intrusion always has an impact on the system.

Page 26: OSS Topic 1 Part 1

Virus Attacks

Virus attacks occur when rogue code has entered the system; a virus will hide itself inside ordinary executable code and can: be a nuisance by opening/closing the CD/DVD door, swapping key responses (£ for @, etc.); self-reproduce, spreading itself from application to application to evade detection and elimination; cause serious damage to data and cause critical damage to the hard drive.

Page 27: OSS Topic 1 Part 1

Virus Attacks

Viruses are concealed by a simple deception. They will embed themselves inside an application, redirecting its commands and nodes around itself while running as a separate task.

Page 28: OSS Topic 1 Part 1

How a virus is concealed

[Diagram: Application before virus occupies 0000h to AAFFh. Application after virus occupies 0000h to AFFDh, with the VIRUS block appended. The application is unaware of the additional payload; the virus creates a link into the application whilst it is running; the size of the application will change.]

Page 29: OSS Topic 1 Part 1

Virus Attacks

Most virus scanners will detect a virus by opening the file and scanning the code, looking for this type of redirection.

Many anti-virus applications will create a hash (known as an MD5) for each application.

Page 30: OSS Topic 1 Part 1

A virus quarantine

If the MD5 (Message-Digest algorithm 5) hash changes, this may be treated as a virus attack (or an application update). Once found, the anti-virus application offers the option to remove or isolate the virus (in a quarantine zone).
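The per-application hash described on the last two slides is a baseline-and-compare check: record each file’s digest while it is known clean, then re-hash later and flag anything that differs. The following is an added example, not code from the deck or from any anti-virus product; the two sample “applications” are constructed files written to a temporary directory. MD5 is used because the slide names it; the logic is identical with SHA-256, which current tools use.

```python
"""Baseline-and-compare file integrity check, the idea behind the
per-application hash the slide describes. Added example, not from the deck
or any AV product. The sample 'applications' are constructed files."""
import hashlib
import os
import tempfile


def file_digest(path, algorithm="md5"):
    """Hash a file in chunks so large binaries need not fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(64 * 1024), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths, algorithm="md5"):
    """Record digest and size for each file while it is known to be clean."""
    return {p: (file_digest(p, algorithm), os.path.getsize(p)) for p in paths}


def compare_baseline(baseline, algorithm="md5"):
    """Return {path: reason} for every file that no longer matches.
    A change means 'modified since baseline': an infection OR a legitimate
    update, so the caller still has to decide which (e.g. via a signed update)."""
    changed = {}
    for path, (old_digest, old_size) in baseline.items():
        if not os.path.exists(path):
            changed[path] = "missing"
            continue
        new_size = os.path.getsize(path)
        if file_digest(path, algorithm) != old_digest:
            changed[path] = f"digest changed, size {old_size} -> {new_size}"
    return changed


def demo():
    """Construct two files, baseline them, append bytes to one, re-check."""
    workdir = tempfile.mkdtemp()
    app_a = os.path.join(workdir, "app_a.bin")
    app_b = os.path.join(workdir, "app_b.bin")
    for path in (app_a, app_b):
        with open(path, "wb") as fh:
            fh.write(b"MZ" + b"\x90" * 64)      # constructed stand-in for an executable
    baseline = build_baseline([app_a, app_b])
    with open(app_b, "ab") as fh:
        fh.write(b"EXTRA-BYTES")               # the slide's 'size of the application will change'
    return {os.path.basename(p): why for p, why in compare_baseline(baseline).items()}


if __name__ == "__main__":
    print(demo())   # {'app_b.bin': 'digest changed, size 66 -> 77'}
```

The size check is kept alongside the digest because it is the cheap first test the diagram on the previous slide points at; the digest is what actually catches a modification that keeps the size the same.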

Page 31: OSS Topic 1 Part 1

Trojans

Trojans are stealth applications which are designed to allow others to access your system.

Transported via infected email attachments, infected downloads, infected CD/DVDs or worms which use vulnerabilities in your operating system, trojans have the potential to cause the most damage.

Page 32: OSS Topic 1 Part 1

Trojans

• The most famous trojan is Sub-7, which has been used for key logging, pranks, remote attacks (controlling your computer to start the real attack) and distributed denial of service attacks.

Page 33: OSS Topic 1 Part 1

What does it mean?

• Distributed Denial of Service is an attack where multiple systems will flood a single system with traffic, intending to block the network or device from being able to access the Internet.

Page 34: OSS Topic 1 Part 1

Sub-7 being used for pranks

Page 35: OSS Topic 1 Part 1

Worms

• Worms are self-transporting applications which carry an active payload such as trojan or a virus.

• Worms are active or passive:

  • Active worms self-transport without human intervention

  • Passive worms rely on the user’s innocence to transport themselves from one location to another

Page 36: OSS Topic 1 Part 1

Worms

• Active worms use email, vulnerabilities in your operating system, the web and DNS servers, as well as other alternative ‘traffic’ systems, to move their payload around a network infrastructure.

• Many worms are currently attempting to exploit VoIP systems like Skype or chat systems like Windows Live Messenger.

Page 37: OSS Topic 1 Part 1

Piggybacking, tunnels and probes

• Hacking using piggybacking, tunnels and probes can be accomplished with a level of expertise (not the ‘good’ sort of expertise) and attacks can be formed when network traffic is ‘corrupted’.

Page 38: OSS Topic 1 Part 1

Piggybacking, tunnels and probes

• With piggyback attacks, a normal, safe communication carries an additional harmful payload of a trojan or covert application.

Page 39: OSS Topic 1 Part 1

Piggybacking, tunnels and probes

• Tunnels can be formed via existing communication channels to send alternative data. Common data channels such as port 80 are used for HTTP.

• Someone with a level of network expertise could send any data they wish via this port and create a wide range of applications running underneath one innocent communication channel.
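Both the key logger slides (watch outgoing traffic and look at packet contents) and the tunnelling bullets above (arbitrary data hidden on port 80) lead to the same defensive check: inspect what is actually in an outbound packet rather than trusting the port number. The following is an added example, not code from the deck or from Wireshark; the packet records, the allowlist and the addresses (RFC 5737 documentation ranges) are constructed for illustration.

```python
"""Inspect outbound packet records the way the key-logger and tunnelling
slides suggest: look at the payload, not just the port. Added example, not
from the deck or from Wireshark. Records are constructed; IPs are from the
RFC 5737 documentation ranges."""

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ",
                b"OPTIONS ", b"PATCH ", b"CONNECT ", b"TRACE ")

# Constructed (dst_ip, dst_port, first payload bytes) records from one workstation.
SAMPLE_RECORDS = [
    ("198.51.100.10", 80,  b"GET /index.html HTTP/1.1\r\nHost: intranet\r\n\r\n"),
    ("203.0.113.9",   80,  b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1"),   # binary blob on the web port
    ("203.0.113.9",   80,  b"POST /upload HTTP/1.1\r\nHost: 203.0.113.9\r\n\r\nlog=..."),
    ("198.51.100.10", 443, b"\x16\x03\x01\x00\xa5"),                   # TLS on 443: expected, opaque
]

# Constructed allowlist of destinations this workstation is expected to reach.
KNOWN_DESTINATIONS = {"198.51.100.10"}


def looks_like_http(payload):
    """Rough check: a request starts with a method token, a response with 'HTTP/'."""
    return payload.startswith(HTTP_METHODS) or payload.startswith(b"HTTP/")


def inspect_outbound(records, known_destinations):
    """Return a list of (dst, port, reason) findings that deserve a human look.

    Two independent tests per record: is port-80 traffic really HTTP (the
    tunnelling case), and is the destination one we expected at all (the
    key-logger case, where a valid-looking POST goes somewhere new)."""
    findings = []
    for dst, port, payload in records:
        if port == 80 and not looks_like_http(payload):
            findings.append((dst, port, "non-HTTP payload on port 80 (possible tunnel)"))
        if dst not in known_destinations:
            findings.append((dst, port, "destination not in allowlist"))
    return findings


if __name__ == "__main__":
    for finding in inspect_outbound(SAMPLE_RECORDS, KNOWN_DESTINATIONS):
        print(finding)
```

The fourth record shows the limit of content inspection: on 443 the payload is TLS and opaque, so for encrypted traffic the destination allowlist and connection frequency are the usable signals, which is why the destination test is kept separate from the payload test.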

Page 40: OSS Topic 1 Part 1

Piggybacking, tunnels and probes

• A probe can use an open, and therefore available, port to start an in-depth analysis of a network or computer system. Once the open hole is found, it will start digging into the system.

Page 41: OSS Topic 1 Part 1

Forging Data

• Forging, or spoofing, data requires knowledge of programming in networking languages, such as Java, C++ or VB.NET.

• A hacker could ‘hand craft’ a data packet to: force an application or server to give away information, cause a denial of service attack or piggyback / tunnel into a system via an ‘acceptable’ protocol.

• The code needed to accomplish this is on the Internet and is openly available on many non-hacking websites.

Page 42: OSS Topic 1 Part 1

1.1.3 Phishing and Identity Theft

Phishing and identity theft are relatively recent developments in methods for unauthorised access.

The purpose of a phish (pronounced as fish) is to lure you into revealing personal information; it does this by social engineering, i.e. using something or someone trusted by you.

Page 43: OSS Topic 1 Part 1

1.1.3 Phishing and Identity Theft (continued)

Phishing employs many tactics, which are evolving all the time. For example:

• An email purporting to be from a long forgotten school friend, looking for contact details; this leads to identity theft.

• An email that claims to be from your bank, ISP, etc., asking you to follow a link to their site to update your details. The email looks authentic and when you follow the link, the site looks very much like the site of the bank/ISP, except the protocol is unlikely to be HTTPS, and some links on the page may be inoperative.

Page 44: OSS Topic 1 Part 1

1.1.3 Phishing and Identity Theft (continued)

Phishing may also exploit homographs and our detailed reading skills by directing us to domain names with similar spellings. Homographs are words with the same spelling but with different meaning, e.g. fluke means both a parasite and a stroke of luck (as well as a networking company).

Page 45: OSS Topic 1 Part 1

Phishing

To test your phishing detection skills, which of these is an incorrect domain? www.heinemann.com www.heinemann.co.uk www.heinneman.co.uk

The impact of phishing is that it results in unauthorised access to personal data, commercial data and financial information via deception (the legal term for which is fraud).
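The domain quiz above relies on the reader noticing a transposed letter; a mail gateway or browser extension can do the same comparison mechanically, by measuring how many edits separate a domain from a trusted one and by folding characters that look alike before comparing. The following is an added example, not code from the deck; the trusted list and the domains tested are constructed (and deliberately not the quiz domains), and the small confusables map stands in for the Unicode confusables data (UTS #39) that real checkers use.

```python
"""Flag domains that are a few edits, or a few look-alike characters, away
from a trusted one. Added example, not from the deck. The trusted list and
the test domains are constructed."""

# Constructed allowlist of sites the user is expected to log in to.
TRUSTED_DOMAINS = {"example-bank.co.uk", "example-isp.net"}

# Characters commonly swapped for visually similar ones (ASCII tricks plus a
# few Cyrillic letters). Real checkers use the Unicode confusables table.
CONFUSABLES = {"0": "o", "1": "l", "rn": "m", "vv": "w",
               "\u0430": "a", "\u0435": "e", "\u043e": "o"}


def normalise(domain):
    """Lower-case, drop a trailing dot and a leading 'www.'."""
    domain = domain.strip().lower().rstrip(".")
    return domain[4:] if domain.startswith("www.") else domain


def fold_confusables(domain):
    """Map look-alike characters to the plain letter they imitate."""
    for lookalike, plain in CONFUSABLES.items():
        domain = domain.replace(lookalike, plain)
    return domain


def levenshtein(a, b):
    """Classic edit distance (insert, delete, substitute each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_domain(domain, trusted=TRUSTED_DOMAINS, max_distance=2):
    """Return ('trusted', d), ('lookalike', trusted_match) or ('unknown', None).

    An exact match wins first; otherwise both sides are confusable-folded
    and compared by edit distance, so 'exarnple' and 'examp1e' are caught
    as well as a simple transposition."""
    plain = normalise(domain)
    if plain in trusted:
        return ("trusted", plain)
    folded = fold_confusables(plain)
    best = None
    for t in trusted:
        d = levenshtein(folded, fold_confusables(t))
        if d <= max_distance and (best is None or d < best[1]):
            best = (t, d)
    return ("lookalike", best[0]) if best else ("unknown", None)


if __name__ == "__main__":
    for d in ("www.example-bank.co.uk", "www.exarnple-bank.co.uk",
              "exampel-bank.co.uk", "examp1e-bank.co.uk", "totally-different.org"):
        print(d, "->", classify_domain(d))
```

`max_distance` of 2 catches a transposition or a doubled letter without flagging unrelated domains; raising it widens the net at the cost of false alarms on genuinely similar names, so the trusted list should stay short and specific.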

Page 46: OSS Topic 1 Part 1

End of presentation.

NEXT:

Topic 2: Damage or Destruction of Systems or Information