
Basics of Security and Attack

2009 Wipro Ltd Internal & Restricted

Agenda
1 Definitions of Security Terms
2 Security Technologies
3 VA, PT, VM & Compliances
4 Security Attacks
5 Software Exploits


1. Definitions of Security Terms


When > Where > How


Definitions

Protected Resources / Asset: Things to protect
Entry/Exit Points: Ways to get at an asset
Threat: Risks to an asset
Attack / Exploit: An action taken that harms an asset
Vulnerability: A hole or weakness in the system (a design flaw, an implementation bug, etc.) that allows an attacker to cause harm to the stakeholders of the system. Stakeholders include the application owner, administrators, users, and other entities that rely on the system.
Risk: Likelihood that a vulnerability could be exploited
Mitigation / Countermeasure: Something that addresses a specific vulnerability


Terminology Example

Asset(s): $5,000,000 under the mattress in the guest bedroom

Entry/Exit Points: Front & side doors; windows (guest bedroom & elsewhere in the residence)

Threat(s): Losing the $5,000,000

Threat                | Attack                             | Vulnerability                                   | Risk (0-100)
Losing the $5,000,000 | Burglar breaks in and steals money | Plain glass windows                             | 95
                      |                                    | Windows can be lifted out of frame              | 85
                      |                                    | No dead bolt on doors / doors can be kicked in  | 75
                      |                                    | No alarm system                                 | 100
House burns down      |                                    | No alarm system                                 | 100

Note: a vulnerability can be shared across attacks(!)


Hacker
The term "Hacker" may mean simply a person with mastery of computers; however, the mass media most often uses "Hacker" as synonymous with a (usually criminal) computer intruder.
In a security context, a hacker is someone involved in computer security/insecurity, specializing in the discovery of exploits in systems (for exploitation or prevention), or in obtaining or preventing unauthorized access to systems through skills, tactics and detailed knowledge.


Types of Hackers

White hat - Someone who breaks security but who does so for altruistic or at least non-malicious reasons. They generally have a clearly defined code of ethics, and will often attempt to work with a manufacturer or owner to improve discovered security weaknesses.
Grey hat - A hacker of ambiguous ethics and/or borderline legality, often frankly admitted.
Bluehat - Someone outside computer security consulting firms who is used to bug test a system prior to its launch, looking for exploits so they can be closed. Microsoft also uses the term Bluehat to represent a series of security briefing events.
Black hat - Someone who subverts computer security without authorization or who uses technology (usually a computer or the Internet) for terrorism, vandalism, credit card fraud, identity theft, intellectual property theft, or many other types of crime. This can mean taking control of a remote computer through a network, or software cracking.
Script kiddie - A pejorative term for a computer intruder with little or no skill; a person who simply follows directions or uses a cook-book approach without fully understanding the meaning of the steps they are performing.
Hacktivist - A hacker who utilizes technology to announce a political message. Web vandalism is not necessarily hacktivism.


Types of Attacks

Criminal Attacks
Basis is in financial gain
Includes fraud, destruction and theft (personal, brand, identity)

Privacy Violations
Private/personal information acquired by organizations not authorized to have it
Includes surveillance, databases, traffic analysis

Publicity Attacks
Attacker wants to get their name(s) in the papers
Can affect ANY system, not just those related to profit centers
Denial of service

Legal Attack
Set up a situation to use the discovery process to gather information
Rare, but possibly devastating


Methods of Attacking the Network

Password sniffing
Collect first parts of data packets and look for login attempts

IP Spoofing
Fake packet to hijack a session and gain access

DNS Overrides
Malicious access to a DNS server can compromise a network

Denial of Service Attacks (single and distributed)
Large number of SYN packets to establish dummy connections
System gets throttled handling all the hello requests
Massive number of e-mail messages will flood a system


Methods of Attacking the Network (Contd.)

Port scanning
Automated process that looks for open networking ports
Logs positive hits for later exploits

Buffer overrun packets
Attacker sends a carefully built packet to computers on the network that support specific services (e-mail, IIS)
Packet causes the accepting process to abort, leaving the system in an unknown state, potentially with root access
Packet contains code that executes to get root access


Methods of Defending a Network

Firewalls
Networking devices (routers) that check traffic coming into a private network
Needs to be complete and properly configured to ensure protection
Good protection for general networking traffic, but specific traffic will still get through

DMZs
Network space between two firewalls

VPNs
Provides encrypted access from outside a network
Current versions aren't reliable enough and aren't useful against slow attacks


Methods of Defending a Network (Contd.)

Burglar alarms
Traps set on specific networked objects that go off if accessed

Honey pots
Dummy objects used to attract attacks. Range from single devices to whole sub-networks.

Vulnerability scanners
Tools that scan a network periodically for holes / open gateways / misconfigured routers
Limited in scope because of potential damage to the network

Cryptography
Has potential, but complexity limits its use to local sites


Wrap Up

Continue to monitor and evolve
Listen to CERT bulletins and evaluate them against your systems
Network with industry acquaintances to learn of possibly new styles of attacks
Try to be proactive
Formalize a security strategy:
WHO is accessing your data?
WHAT are the key resource(s) you need to protect?
WHEN is data access expected?
WHERE are your users who are accessing your data?


2. Security Technologies


Firewalls

A firewall is a dedicated appliance, or software running on another computer, which inspects network traffic passing through it and denies or permits passage based on a set of rules.
Firewalls make it possible to filter incoming and outgoing traffic that flows through your system.
A firewall can use one or more sets of rules to inspect the network packets as they come in or go out of your network connections and either allows the traffic through or blocks it.
The rules of a firewall can inspect one or more characteristics of the packets, including but not limited to the protocol type, the source or destination host address and the source or destination port.


General Firewall Techniques

Service control
Type of service: inbound or outbound
Traffic filtering based on IP address & TCP port number
Provides proxy software to receive or interpret a service request before passing it on
Could also host server software (e.g. Web or mail service); not recommended, as it complicates the firewall (more code => more vulnerabilities)

User control
Control access to a service using ACLs

Behavior control
E.g. filter e-mail for spam


Firewall Characteristics

All traffic (incoming / outgoing) must pass through the firewall
Only authorized traffic is allowed to pass
Firewall itself must be immune to penetration, i.e. it must use a trusted system with a secure OS (minimum size/complexity)
Usually implemented on a dedicated device (dedicated = only firewall functions are performed on this device)
Firewall code must be very well protected


Firewall Types

Basic kinds of firewalls:

Hardware firewalls
More common
Implemented at router level
More expensive / more difficult to configure

Software firewalls
Used in single workstations
Less expensive / easier to configure


Evolution of Firewalls

(Figure: stages of evolution, from earliest to latest: Packet Filter -> Application Proxy -> Stateful Inspection -> Deep Packet Inspection)


Network Address Translation (NAT)

NAT is a technology that hides the private network.
It allows a single device to act as an intermediary between the Internet and a local network. This effectively means that a single IP address can be used for an entire group of computers.
Converts private addresses to legally registered public IP addresses.
NAT is commonly supported by WAN access routers and firewalls.


Challenges faced

Lots of vulnerabilities on hosts in the network
Users don't keep systems up to date
Lots of patches
Lots of exploits in the wild (no patch for them)

Solution?
Limit access to the network
Don't trust outsiders
Trust insiders(!!!)
Put firewalls across the perimeter of the network


Firewalls (Contd.)

Firewall inspects traffic through it
Has a pre-defined policy
Allows traffic specified in the policy
Drops everything else
Two types: packet filters, proxies

(Figure: the firewall sits between the Internet and the internal network)

Packet Filters

Packet filter selectively passes packets from one network interface to another
Usually done within a router between external and internal networks: screening router
Can be done by a dedicated network element: packet filtering bridge, harder to detect and attack than screening routers

Example filters:
Block all packets from outside except for SMTP servers
Block all traffic to a list of domains
Block all connections from a specified domain


Packet Filters (Contd.)

Data available:
IP source and destination addresses
Transport protocol (TCP, UDP, or ICMP)
TCP/UDP source and destination ports
ICMP message type
Packet options (fragment size etc.)

Actions available:
Allow the packet to go through
Drop the packet (notify sender / drop silently)
Alter the packet (NAT?)
Log information about the packet


Typical Firewall Configuration

Internal hosts can access DMZ and Internet
External hosts can access DMZ only, not Intranet
DMZ hosts can access Internet only

(Figure: Internet, DMZ and Intranet separated by the firewall)

Advantages? If a service gets compromised in the DMZ it cannot affect internal hosts

Example Firewall Rules

Stateless packet filtering firewall
Rule = (Condition, Action)
Rules are processed in top-down order
If the condition is satisfied for a packet, the action is taken
All rules checked


Sample Firewall Rule

Allow SSH from external hosts to internal hosts: two rules, inbound and outbound.

How to know a packet is for SSH?
Inbound: src-port > 1023, dst-port = 22
Outbound: src-port = 22, dst-port > 1023
Protocol = TCP
Ack set?
Problems?

(Figure: TCP handshake between client and server: SYN, SYN/ACK, ACK)

Rule  | Dir | Src Addr | Src Port | Dst Addr | Dst Port | Proto | Ack Set? | Action
SSH-1 | In  | Ext      | > 1023   | Int      | 22       | TCP   | Any      | Allow
SSH-2 | Out | Int      | 22       | Ext      | > 1023   | TCP   | Yes      | Allow


Default Firewall Rules

Egress filtering: outbound traffic from an external address is dropped. Benefits?

Ingress filtering: inbound traffic from an internal address is dropped. Benefits?

Default deny. Why?

Rule    | Dir | Src Addr | Src Port | Dst Addr | Dst Port | Proto | Ack Set? | Action
Egress  | Out | Ext      | Any      | Ext      | Any      | Any   | Any      | Deny
Ingress | In  | Int      | Any      | Int      | Any      | Any   | Any      | Deny
Default | Any | Any      | Any      | Any      | Any      | Any   | Any      | Deny
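The SSH rules and the egress / ingress / default-deny rules from the two tables above, evaluated top-down by a stateless filter. This is an added example written for these notes, not code from the slides; the internal prefix 10.0.0.0/8 and the sample packets are constructed assumptions, and the "Ext"/"Int" address classes are derived from that prefix.

```python
"""Stateless packet-filter evaluation of the slides' rule tables
(SSH-1 / SSH-2, then Egress, Ingress, Default). Added example, not from the
slides; INTERNAL_NET and the sample packets are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")  # constructed assumption


@dataclass(frozen=True)
class Packet:
    direction: str        # "In" (arriving from outside) or "Out"
    src: str
    src_port: int
    dst: str
    dst_port: int
    proto: str            # "TCP", "UDP" or "ICMP"
    ack: bool = False     # TCP ACK flag


@dataclass(frozen=True)
class Rule:
    name: str
    direction: Optional[str]              # "In", "Out" or None for Any
    src_addr: Optional[str]               # "Ext", "Int" or None for Any
    src_port: Optional[Tuple[str, int]]   # ("eq", 22), ("gt", 1023) or None
    dst_addr: Optional[str]
    dst_port: Optional[Tuple[str, int]]
    proto: Optional[str]
    ack_set: Optional[bool]               # True = ACK must be set, None = Any
    action: str                           # "Allow" or "Deny"


def addr_class(ip: str) -> str:
    """Classify an address as Int (inside our prefix) or Ext."""
    return "Int" if ipaddress.ip_address(ip) in INTERNAL_NET else "Ext"


def port_matches(spec: Optional[Tuple[str, int]], port: int) -> bool:
    """None means Any; ("eq", n) means == n; ("gt", n) means > n."""
    if spec is None:
        return True
    op, value = spec
    return port == value if op == "eq" else port > value


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """Every non-Any column of the rule must match the packet."""
    return (
        rule.direction in (None, pkt.direction)
        and rule.src_addr in (None, addr_class(pkt.src))
        and port_matches(rule.src_port, pkt.src_port)
        and rule.dst_addr in (None, addr_class(pkt.dst))
        and port_matches(rule.dst_port, pkt.dst_port)
        and rule.proto in (None, pkt.proto)
        and rule.ack_set in (None, pkt.ack)
    )


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """Process rules top-down; the first matching rule decides."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action, rule.name
    return "Deny", "implicit"   # not reached once a Default rule is present


# Rule table as on the slides, in the order they are processed.
RULES = [
    Rule("SSH-1", "In", "Ext", ("gt", 1023), "Int", ("eq", 22), "TCP", None, "Allow"),
    Rule("SSH-2", "Out", "Int", ("eq", 22), "Ext", ("gt", 1023), "TCP", True, "Allow"),
    Rule("Egress", "Out", "Ext", None, "Ext", None, None, None, "Deny"),
    Rule("Ingress", "In", "Int", None, "Int", None, None, None, "Deny"),
    Rule("Default", None, None, None, None, None, None, None, "Deny"),
]


def demo() -> List[Tuple[str, str, str]]:
    """Constructed sample packets and the (action, rule) decided for each."""
    samples = [
        ("client SYN to the internal SSH server",
         Packet("In", "203.0.113.5", 40000, "10.0.0.10", 22, "TCP")),
        ("server SYN/ACK back to the client",
         Packet("Out", "10.0.0.10", 22, "203.0.113.5", 40000, "TCP", ack=True)),
        ("internal host opening a NEW connection from port 22 outwards",
         Packet("Out", "10.0.0.10", 22, "203.0.113.5", 40000, "TCP")),
        ("inbound packet claiming an internal source address",
         Packet("In", "10.0.0.99", 40000, "10.0.0.10", 22, "TCP")),
        ("inbound UDP to port 22",
         Packet("In", "203.0.113.5", 40000, "10.0.0.10", 22, "UDP")),
    ]
    return [(label,) + evaluate(RULES, pkt) for label, pkt in samples]


if __name__ == "__main__":
    for label, action, rule in demo():
        print(f"{action:5} by {rule:8} : {label}")
```

The first sample shows the "Problems?" point: any inbound TCP segment from a high port to port 22 is allowed whether or not a connection exists, because the filter keeps no state and port 22 is merely assumed to be SSH.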

2009 Wipro Ltd Internal & Restricted

Packet Filters

Advantages:
Transparent to application/user
Simple packet filters can be efficient

Disadvantages:
Usually fail open
Very hard to configure the rules
Doesn't have enough information to take actions
Does port 22 always mean SSH?
Who is the user accessing the SSH?

What is the fix?


Alternatives

Stateful packet filters
Keep the connection states
Easier to specify rules at connection level
More popular
Problems?
State explosion
State for UDP/ICMP?


Alternatives (Contd.)

Proxy Firewalls
Two connections instead of one
Either at transport level: SOCKS proxy
Or at application level: HTTP proxy
Requires applications (or dynamically linked libraries) to be modified to use the proxy


Proxy Firewall

Data Available
Application level information
User information

Advantages:
Better policy enforcement
Better logging
Fail closed

Disadvantages:
Doesn't perform as well
One proxy for each application
Client modification


What is VPN?

A VPN is a means of carrying private traffic over a public network.
Often used to connect two private networks, over a public network, to form a virtual network.
The word "virtual" means that, to the users on either end, the two private networks seem to be seamlessly connected to each other. That is, they are part of a single virtual private network (although physically they are two separate networks).
Implication? Connectivity, security, privacy.
The VPN should provide the same connectivity and privacy you would find on a typical local private network.


Different Types of VPNs


Based on encryption:
Encrypted VPNs
Non-encrypted VPNs

Based on OSI model:
Data link layer VPNs
Network layer VPNs
Application layer VPNs

Based on business functionality:
Intranet VPNs
Extranet VPNs


Brief Overview of How it Works

Two connections: one is made to the Internet and the second is made to the VPN.
Datagrams: contain data, destination and source information.
Firewalls: VPNs allow authorized users to pass through the firewalls.
Protocols: protocols create the VPN tunnels.

2 main VPN architectures: there are products based on IPSec and on Point to Point Tunneling Protocol (PPTP) or L2TP (Layer 2 Tunneling Protocol).
Although IPSec has become the de facto standard for LAN to LAN VPNs, PPTP and L2TP are heavily used for single client to LAN connections.
Therefore, many VPN products support IPSec, PPTP and L2TP.


Technologies


Tunneling
A virtual point-to-point connection made through a public network. It transports encapsulated datagrams.

(Figure: Data Encapsulation [From Comer]: the original datagram becomes the encrypted inner datagram, carried in the outer datagram's data area behind a new datagram header)

Two types of end points:
Remote Access
Site-to-Site


VPN Encapsulation of Packets


IPSec uses two Basic Security Protocols

Authentication Header (AH): the authenticating protocol
Encapsulating Security Payload (ESP): an authenticating and encrypting protocol that provides source authentication, confidentiality, and message integrity


SSL Architecture


Authentication Protocols

Password Authentication Protocol (PAP)
Challenge Handshake Protocol (CHAP)
Extensible Authentication Protocol (EAP)
Multi Protocol Label Switching (MPLS)
Terminal Access Controller Access-Control System (TACACS)
Remote Authentication Dial In User Service (RADIUS)
Secured Over Credential-based Kerberos Services (SOCKS)


VPN Comparisons


IDS Definition
It is better to prevent an attack than to detect it after it succeeds. Unfortunately, not all attacks can be prevented.
Some attackers become intruders: they succeed in breaking the defenses.
Intrusion prevention: first line of defense
Intrusion detection: second line of defense
Intrusion Detection System (IDS): a device (typically a separate computer) monitoring system activities to detect malicious / suspicious events like attacks.

IDS runs constantly in the background; it alarms when it detects something suspicious.

IDS should operate in stealth mode, i.e. be invisible to the outside world.

IDSs attempt to detect:
Outsiders breaking into a system, OR
Insiders (legitimate users) performing illegitimate actions accidentally or deliberately


IDS Terminology

Anomaly: abnormal behavior
Misuse: activity that violates the security policy (subset of anomaly)
Intrusion: misuse by outsiders and insiders
Audit: activity of looking at user/system behavior, its effects, or collected data
Profiling: looking at users or systems to determine what they usually do


Types of IDS

Host-based IDS (HIDS)
Runs on a host
Monitors activities on this host only

Network-based IDS (NIDS)
Standalone device
Monitors entire (sub)network

Hybrid types with respect to operation:
i. Signature-based IDSs
ii. Anomaly-based IDSs (heuristic IDSs)
(a) Misuse intrusion detection
iii. Other IDS types


Host-based IDS

Program on one specific host
Analyses activity on that host:
System calls
File-system modifications
Memory integrity

Vulnerable to attacks, since they are part of the monitored system
No protection against DoS attacks


Network-based IDS

Analyze network traffic by inspecting packets
Easy in non-switched networks
Switched networks: network tap or port mirroring; only monitor traffic in specific segments (e.g. traffic via the gateway)

Can become bottlenecks in high-speed networks
Cannot analyze encrypted packets


Signature Recognition

Mostly for NIDS
Match ongoing activities against known patterns (signatures)
Pre-processing may be necessary (e.g. reassemble fragmented packets)
Analyze packet headers: port scans, SYN floods, etc.
Analyze payload: malicious code, etc.


Anomaly Detection

Create patterns for normal user activity
Detect deviations from these patterns
E.g. a secretary uses a browser, e-mail client and text processor between 08:00 and 16:00; using nmap and gcc at 23:00 is abnormal

Neural nets could be used
Problem: analysing user behavior means privacy is compromised
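The profiling-then-deviation idea from the slide's secretary example, carried through in code. This is an added example for these notes, not from the slides; the audit records (user, hour, program) are constructed, and the rule that a program never seen for a user, or an hour outside the user's usual window, each count as one deviation is an assumption.

```python
"""Profile-based anomaly detection: learn what each user normally runs and
when, then flag deviations. Added example, not from the slides; the audit
records and the scoring rule are constructed."""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Constructed training records from a "normal" period: (user, hour, program).
TRAINING = [
    ("secretary", 8, "browser"), ("secretary", 9, "email-client"),
    ("secretary", 11, "text-processor"), ("secretary", 14, "browser"),
    ("secretary", 16, "email-client"),
    ("developer", 9, "gcc"), ("developer", 13, "browser"),
    ("developer", 22, "gcc"), ("developer", 23, "nmap"),
]


@dataclass
class Profile:
    programs: Set[str] = field(default_factory=set)
    hours: Set[int] = field(default_factory=set)


def build_profiles(records) -> Dict[str, Profile]:
    """Profiling: record which programs and hours each user normally has."""
    profiles: Dict[str, Profile] = defaultdict(Profile)
    for user, hour, program in records:
        profiles[user].programs.add(program)
        profiles[user].hours.add(hour)
    return dict(profiles)


def hour_in_window(hour: int, hours: Set[int], slack: int = 1) -> bool:
    """Treat the observed range of hours, widened by `slack`, as normal."""
    return min(hours) - slack <= hour <= max(hours) + slack


def score(profile: Profile, hour: int, program: str) -> Tuple[int, List[str]]:
    """Anomaly score (number of deviations) plus the reasons."""
    reasons = []
    if program not in profile.programs:
        reasons.append(f"program {program!r} never seen for this user")
    if not hour_in_window(hour, profile.hours):
        reasons.append(f"hour {hour:02d}:00 outside the usual window")
    return len(reasons), reasons


def detect(profiles, events, threshold: int = 1) -> List[dict]:
    """Flag events whose score reaches the threshold; unknown users always alert."""
    alerts = []
    for user, hour, program in events:
        if user not in profiles:
            alerts.append({"user": user, "score": 2, "reasons": ["unknown user"]})
            continue
        s, reasons = score(profiles[user], hour, program)
        if s >= threshold:
            alerts.append({"user": user, "hour": hour, "program": program,
                           "score": s, "reasons": reasons})
    return alerts


PROFILES = build_profiles(TRAINING)

# Constructed events to check: the same action is normal for one user and
# abnormal for another, because the baseline is per user.
EVENTS = [
    ("secretary", 10, "browser"),
    ("secretary", 23, "nmap"),
    ("developer", 23, "nmap"),
]

if __name__ == "__main__":
    for alert in detect(PROFILES, EVENTS):
        print(alert)
```

Note the privacy cost the slide mentions: the profile itself is a record of each named user's habits, so it needs the same access controls as any other personal data.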


Limits of IDS

Attackers use avoidance strategies to avoid detection by IDS
IDS sensitivity is difficult to measure and adjust
Must strike a balance between false alarms and missed attacks
Only as good as the process/people using it
HIDS are vulnerable to attacks since they run on the monitored machine
NIDS can become bottlenecks in high speed networks
NIDS cannot deal with encrypted connections
Only known attacks can be detected
Heuristics and neural nets can produce false positives


IPS

Intrusion prevention system: a computer security device that monitors network and/or system activities for malicious or unwanted behavior and can react, in real time, to block or prevent those activities. Network-based IPS, for example, will operate in-line to monitor all network traffic for malicious code or attacks. When an attack is detected, it can drop the offending packets while still allowing all other traffic to pass. Intrusion prevention technology is considered by some to be an extension of intrusion detection (IDS) technology. The term "Intrusion Prevention System" was coined by Andrew Plato.

Types of IPS:
Host Based
Network Based
Content Based
Protocol Analysis
Rate Based


Host Based IPS

A host based IPS (HIPS) is one where the intrusion-prevention application is resident on that specific IP address, usually on a single computer.
As with Host IDS systems, the Host IPS relies on agents installed directly on the system being protected. It binds closely with the operating system kernel and services, monitoring and intercepting system calls to the kernel or APIs in order to prevent attacks as well as log them.
It may also monitor data streams and the environment specific to a particular application (file locations and Registry settings for a Web server, for example) in order to protect that application from generic attacks for which no signature yet exists.
Since a Host IPS agent intercepts all requests to the system it protects, it has certain prerequisites: it must be very reliable, must not negatively impact performance, and must not block legitimate traffic.


Network Based IPS (NIPS)

A network based IPS is one where the IPS application/hardware and any actions taken to prevent an intrusion on a specific network host(s) are done from a host with another IP address on the network (this could be on a front-end firewall appliance).

Network intrusion prevention systems (NIPS) are purpose-built hardware/software platforms that are designed to analyze, detect, and report on security related events. NIPS are designed to inspect traffic and, based on their configuration or security policy, they can drop malicious traffic.


Content Based IPS

A content-based IPS (CBIPS) inspects the content of network packets for unique sequences, called signatures, to detect and hopefully prevent known types of attack such as worm infections and hacks.


Protocol Analysis

Protocol analyzers can natively decode application-layer network protocols, like HTTP or FTP. Once the protocols are fully decoded, the IPS analysis engine can evaluate different parts of the protocol for anomalous behavior or exploits.

For example, the existence of a large binary file in the User-Agent field of an HTTP request would be very unusual and likely an intrusion. A protocol analyzer could detect this anomalous behavior and instruct the IPS engine to drop the offending packets.

Since many vulnerabilities have dozens or even hundreds of exploit variants, pattern recognition-based IPS/IDS engines can be evaded. For example, some pattern recognition engines require hundreds of different signatures (or patterns) to protect against a single vulnerability. This is because they must have a different pattern for each exploit variant. Protocol analysis-based products can often block exploits with a single signature that monitors for the specific vulnerability in the network communications.
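The User-Agent case above, with a byte-pattern signature beside a protocol-analysis check, to show why one decoded-field rule covers variants that a literal pattern misses. This is an added example for these notes, not code from the slides or any IPS product; the HTTP decoder, the signature, the length threshold and the three sample requests are all constructed.

```python
"""Signature matching versus protocol analysis on HTTP requests. Added
example, not from the slides; SIGNATURES, MAX_USER_AGENT_LEN and the sample
requests are constructed."""
from typing import Dict, List, Optional, Tuple

# A pattern engine needs one literal byte sequence per exploit variant.
SIGNATURES = [b"User-Agent: \x01\x01\x01\x01"]

# Protocol-analysis policy for one decoded field (constructed threshold).
MAX_USER_AGENT_LEN = 256


def decode_http_request(raw: bytes) -> Optional[Dict[str, object]]:
    """Decode the request line and headers; return None if not valid HTTP."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return None
    headers: Dict[str, bytes] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if not sep:
            return None
        headers[name.strip().lower().decode("ascii", "replace")] = value.strip()
    return {"method": parts[0], "target": parts[1], "headers": headers, "body": body}


def signature_match(raw: bytes) -> bool:
    """Pattern engine: any known byte sequence anywhere in the packet."""
    return any(sig in raw for sig in SIGNATURES)


def looks_binary(value: bytes) -> bool:
    """A User-Agent is expected to be printable ASCII; anything else is suspect."""
    return any(b < 0x20 or b > 0x7E for b in value)


def protocol_analysis(raw: bytes) -> Tuple[bool, List[str]]:
    """Decode first, then judge the User-Agent field on its own terms."""
    req = decode_http_request(raw)
    if req is None:
        return True, ["not decodable as HTTP"]
    ua = req["headers"].get("user-agent", b"")
    reasons = []
    if len(ua) > MAX_USER_AGENT_LEN:
        reasons.append(f"User-Agent length {len(ua)} > {MAX_USER_AGENT_LEN}")
    if looks_binary(ua):
        reasons.append("User-Agent contains non-printable bytes")
    return bool(reasons), reasons


def classify(raw: bytes) -> Dict[str, bool]:
    """Both verdicts side by side for one request."""
    flagged, _ = protocol_analysis(raw)
    return {"signature": signature_match(raw), "protocol_analysis": flagged}


# Constructed samples: a normal request, a variant the signature knows, and a
# second variant with the same oversized binary field but a different byte pattern.
NORMAL = (b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n"
          b"User-Agent: Mozilla/5.0 (compatible)\r\n\r\n")
VARIANT_A = (b"GET / HTTP/1.1\r\nHost: example.test\r\n"
             b"User-Agent: " + b"\x01" * 300 + b"\r\n\r\n")
VARIANT_B = (b"GET / HTTP/1.1\r\nHost: example.test\r\n"
             b"User-Agent: " + b"A\x01" * 150 + b"\r\n\r\n")

if __name__ == "__main__":
    for name, raw in (("NORMAL", NORMAL), ("VARIANT_A", VARIANT_A), ("VARIANT_B", VARIANT_B)):
        print(name, classify(raw), protocol_analysis(raw)[1])
```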

Rate Based IPS

Rate based IPS (RBIPS) are primarily intended to prevent Denial of Service and Distributed Denial of Service attacks. They work by monitoring and learning normal network behaviors.

Through real-time traffic monitoring and comparison with stored statistics, RBIPS can identify abnormal rates for certain types of traffic, e.g. TCP, UDP or ARP packets, connections per second, packets per connection, packets to specific ports etc. Attacks are detected when thresholds are exceeded. The thresholds are dynamically adjusted based on time of day, day of the week etc., drawing on stored traffic statistics.

Unusual but legitimate network traffic patterns may create false alarms. The system's effectiveness is related to the granularity of the RBIPS rulebase and the quality of the stored statistics.

Once an attack is detected, various prevention techniques may be used, such as rate-limiting specific attack-related traffic types, source or connection tracking, and source-address, port or protocol filtering (black-listing) or validation (white-listing).

Host based VS Network based IPS

HIPS can handle encrypted and unencrypted traffic equally, because it can analyze the data after it has been decrypted on the host.

NIPS does not use processor and memory on computer hosts but uses its own CPU and memory.

NIPS is a single point of failure, which is considered a disadvantage; however, this property also makes it simpler to maintain. This attribute applies to all network devices like routers and switches and can be overcome by implementing the network accordingly (failover path, etc.).

A bypass switch can be implemented to alleviate the single point of failure disadvantage. This also allows the NIPS appliance to be moved and taken off-line for maintenance when needed.

NIPS can detect events scattered over the network (e.g. a low-level event targeting many different hosts, like a host scan or a worm) and can react, whereas a HIPS has only the host's own data available to take a decision, and it would take too much time to report the event to a central decision-making engine and wait for the instruction to block.

Honeypot

Trap to attract attacks
Assign unused address space to one (dummy) host (honeypot)
Simulate services or proxy servers
Legitimate users never communicate with the honeypot
Automated attacks (e.g. worms) cannot distinguish the honeypot from a normal host
All activity can be logged for evidence
New attacks can be analyzed. E.g.:
Simulate an open SMTP relay
Drop all incoming mail without looking at it
Spammers can be identified
Legal measures possible
Spam has been destroyed efficiently


Security Information Management (SIM)

SIM is the industry-specific term in computer security referring to the collection of data (typically log files, e.g. event logs) into a central repository for trend analysis.

SIM is a solution which allows automated integration of log analysis, event correlation, and reporting of critical security event information to enable organizations to immediately identify and respond to various threats.

There are four major components of a SIM: client components, correlation engine, signature database and a management console.


(Figure: events from many sources flow into the SIM, which provides Consolidation, Reporting, Meta Alerting and Traceability)

Need for SIM


The best way to increase the effectiveness of the information security architecture of an organization is through better analysis, and an increasingly popular analysis technique is event correlation. Unfortunately, conducting correlation without using security event management software is nearly impossible because of these issues:
Event data is logged in a variety of proprietary formats, making comparison difficult.
Event data is stored in multiple information silos, i.e. proprietary consoles, syslogs etc.
Manually comparing event data from across the enterprise to find similarities is time consuming, if not impossible.
No manual method exists that enables correlation to be conducted in real time.
Constantly evolving threats necessitate continuously adding, modifying and enhancing correlation techniques.


Aggregation and Correlation

Aggregation is the process by which the events collected from various devices are normalized and indexed.

The correlation engine then analyses and validates the event logs sent by the log collector components, based on rules or statistics stored in the database.

Once an event is validated it is passed on to the management console, where the security professionals can view the alerts in one single console.

The security professionals can view and monitor events related to various devices or servers in one single format and in one single console.
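Aggregation (normalizing two proprietary log formats into one schema) followed by a rule-based correlation over the normalized events, as the slides above and the "Need for SIM" list describe. This is an added example for these notes, not code from the slides or any SIM product; the log lines, the two formats, the correlation rule and its thresholds are constructed (Windows event IDs 4625 and 4624 are the real failed/successful logon IDs, everything else is made up).

```python
"""SIM-style aggregation and rule-based correlation. Added example, not from
the slides; RAW_LOGS, the two formats and the rule thresholds are constructed."""
import re
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed raw events from two silos: a syslog-style sshd log and a
# Windows-style security event log exported as text.
RAW_LOGS = [
    ("syslog", "2009-03-01T09:00:01 srv1 sshd[412]: Failed password for bob from 198.51.100.7 port 4001"),
    ("syslog", "2009-03-01T09:00:03 srv1 sshd[413]: Failed password for bob from 198.51.100.7 port 4002"),
    ("winevt", "2009-03-01 09:00:05 | 4625 | Logon failure | user=bob | src=198.51.100.7 | host=WS2"),
    ("winevt", "2009-03-01 09:00:09 | 4624 | Logon success | user=bob | src=198.51.100.7 | host=WS2"),
    ("syslog", "2009-03-01T09:30:00 srv1 sshd[500]: Accepted password for alice from 203.0.113.9 port 5000"),
]

SYSLOG_RE = re.compile(r"^(\S+) (\S+) sshd\[\d+\]: (Failed|Accepted) password for (\S+) from (\S+) port \d+$")
WINEVT_RE = re.compile(r"^(\S+ \S+) \| (\d+) \| [^|]+ \| user=(\S+) \| src=(\S+) \| host=(\S+)$")


def normalize(source: str, line: str) -> Optional[Dict[str, object]]:
    """Aggregation step: map each proprietary format onto one common schema."""
    if source == "syslog":
        m = SYSLOG_RE.match(line)
        if not m:
            return None
        ts, host, outcome, user, src = m.groups()
        return {"time": datetime.fromisoformat(ts), "host": host, "user": user,
                "src": src, "outcome": "fail" if outcome == "Failed" else "success"}
    if source == "winevt":
        m = WINEVT_RE.match(line)
        if not m:
            return None
        ts, event_id, user, src, host = m.groups()
        return {"time": datetime.fromisoformat(ts.replace(" ", "T")), "host": host,
                "user": user, "src": src,
                "outcome": "fail" if event_id == "4625" else "success"}
    return None


def correlate(events: List[Dict[str, object]], min_failures: int = 3,
              window: timedelta = timedelta(minutes=5)) -> List[Dict[str, object]]:
    """Rule: at least min_failures failed logons from one source address, on any
    hosts, within `window`, followed by a success from that same source."""
    alerts = []
    by_src: Dict[str, List[Dict[str, object]]] = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        by_src.setdefault(ev["src"], []).append(ev)
    for src, evs in by_src.items():
        recent_failures: List[Dict[str, object]] = []
        for ev in evs:
            # Slide the window: forget failures older than `window`.
            recent_failures = [f for f in recent_failures if ev["time"] - f["time"] <= window]
            if ev["outcome"] == "fail":
                recent_failures.append(ev)
            elif len(recent_failures) >= min_failures:
                alerts.append({"rule": "brute-force-then-success", "src": src,
                               "user": ev["user"], "time": ev["time"],
                               "failures": len(recent_failures),
                               "hosts": sorted({f["host"] for f in recent_failures} | {ev["host"]})})
                recent_failures = []
    return alerts


def run(raw=RAW_LOGS):
    """Normalize everything that parses, then correlate; returns (events, alerts)."""
    events = [e for e in (normalize(s, l) for s, l in raw) if e is not None]
    return events, correlate(events)


if __name__ == "__main__":
    for alert in run()[1]:
        print(alert)
```

No single silo sees three failures here (srv1 logs two, WS2 one), so the rule only fires once the events have been normalized into one schema and correlated by source address.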


SIM Architecture - Aggregation


SIM Architecture -Correlation


(Figure: the Correlation Engine combines Statistical Threat Analysis, Rule Based and Vulnerability correlation, using Policy Rules, Regulatory Asset Groups, Host Info Details and Vulnerability Details from the Vulnerability Scanner, plus Asset Management inputs: asset criticality weighting and active lists of asset groups and business units)


SIM Architecture Output


SIM VS SEM
According to Gartner:

"Security information and event management (SIEM) technology delivers two basic capabilities:
Security information management (SIM): SIM provides reporting and analysis of data primarily from host systems and applications, and secondarily from security devices to support regulatory compliance initiatives, internal threat management and security policy compliance management. SIM can be used to support the activities of the IT security, internal audit and compliance organizations.
Security event management (SEM): SEM improves security incident response capabilities. SEM processes near-real-time data from security devices, network devices and systems to provide real-time event management for security operations. SEM helps IT security operations personnel be more effective in responding to external and internal threats.
SIM and SEM require a common set of base functions, but they differ both in scope and the time frame for data analysis"



3. VA, PT, VM & Compliances


Network Vulnerabilities : Security Perspective


Access Control: Limit & control access to network elements, services & applications. Examples: password, ACL, firewall
Authentication: Provide proof of identity. Examples: shared secret, PKI, digital signature, digital certificate
Non-repudiation: Prevent ability to deny that an activity on the network occurred. Examples: system logs, digital signatures
Data Confidentiality: Ensure confidentiality of data. Example: encryption
Communication Security: Ensure information only flows from source to destination. Examples: VPN, MPLS, L2TP
Data Integrity: Ensure data is received as sent or retrieved as stored. Examples: MD5, digital signature, anti-virus software
Availability: Ensure network elements, services and applications are available to legitimate users. Examples: IDS/IPS, network redundancy, BC/DR
Privacy: Ensure identification and network use is kept private. Examples: NAT, encryption

Eight Security Dimensions applied to each Security Perspective (layer and plane)


Vulnerability Management

To overcome the growing risk posed by vulnerabilities, an organization must develop a formal vulnerability management program addressing the entire life cycle of vulnerability management as shown in FIG A. All of these must be supported by an underlying foundation of people, process and technology initiatives.

FIG A Vulnerability Management Lifecycle: Asset Management (asset profile, asset update) -> Vulnerability Assessment (vulnerabilities list) -> Prioritization of assets (prioritized asset list) -> Remediation -> Monitoring -> Reporting (detailed report on vulnerability management); each stage passes report information to Reporting.


Asset Management

To get a confident start to a VM process it is very important to have an accurate inventory and profile of what the infrastructure contains. For an organization of any significant size, this inventory will be complex and constantly changing as new components are added and existing components are retired. The steps below aid in making a comprehensive asset inventory:

Identification of assets can be done either manually or by using an automated tool such as asset management software
Discovered assets must be reviewed to determine business criticality and risk tolerance
The individuals accountable for the assets must be identified

2009 Wipro Ltd Internal & Restricted

Vulnerability Assessment
Once the network assets have been identified, a vulnerability assessment should be carried out to find the vulnerabilities present in the network. Many software tools can aid in the discovery (and sometimes removal) of vulnerabilities in a computer system, for example QualysGuard, GFI LANguard Network Security Scanner and Nessus.

Though these tools provide a good overview of possible vulnerabilities, they cannot replace human judgment. Relying solely on scanners yields false positives (most often from findings inferred from version banners, where a vendor backport may already contain the fix) and a limited-scope view of the problems present in the system. A proper vulnerability assessment process therefore uses scanner tools to identify potential vulnerabilities and then carries out a detailed vulnerability analysis to remove false positives and to confirm what the scanner could only infer.
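The two slides above (asset prioritization, then scanner output that needs human triage) come together in one step a practitioner actually performs: joining scanner findings to the asset profile, ranking them, and marking the ones the scanner only inferred. The following is an added example, not code from the deck; the asset list, the scanner CSV layout and its column names are constructed for illustration and do not follow any real product's export format.

```python
"""Added example (not from the original deck): triage scanner findings
against an asset inventory.

Inputs are constructed inline: an asset list carrying business criticality
(output of the asset-management step) and scanner findings in a simplified
CSV shape (host, plugin, cvss, evidence). Findings whose evidence is only a
version banner are marked for manual verification, because that is where
scanners produce most false positives (e.g. distro backports)."""
import csv
import io
from dataclasses import dataclass

# Constructed asset inventory: criticality 1 (low) .. 5 (crown jewels).
ASSETS = {
    "10.0.1.10": {"name": "erp-db-01", "criticality": 5, "owner": "finance-it"},
    "10.0.1.20": {"name": "intranet-web", "criticality": 3, "owner": "web-team"},
    "10.0.9.5":  {"name": "lab-box", "criticality": 1, "owner": "r&d"},
}

# Constructed scanner export (column names are an assumption, not a real format).
SCAN_CSV = """host,plugin,cvss,evidence
10.0.1.10,OpenSSH < 7.4 multiple vulnerabilities,7.5,banner: SSH-2.0-OpenSSH_7.2
10.0.1.10,Weak MySQL root password,9.8,login succeeded with root/root
10.0.1.20,Apache mod_status exposed,5.3,GET /server-status returned 200
10.0.9.5,OpenSSH < 7.4 multiple vulnerabilities,7.5,banner: SSH-2.0-OpenSSH_7.2
10.0.9.5,SMBv1 enabled,6.5,negotiated SMB dialect NT LM 0.12
10.0.3.3,Telnet service detected,8.0,banner: login:
"""


@dataclass
class Finding:
    host: str
    plugin: str
    cvss: float
    evidence: str
    criticality: int
    owner: str
    needs_verification: bool

    @property
    def priority(self) -> float:
        # Simple risk score: likelihood proxy (CVSS) x asset importance.
        return round(self.cvss * self.criticality, 1)


def triage(scan_csv: str, assets: dict) -> list:
    """Join findings to the asset profile and rank by priority (descending)."""
    findings = []
    for row in csv.DictReader(io.StringIO(scan_csv)):
        asset = assets.get(row["host"])
        if asset is None:
            # Unknown host: the inventory is incomplete, which is itself a
            # finding for the asset-management step. Treat as high criticality.
            asset = {"name": "UNINVENTORIED", "criticality": 4, "owner": "unknown"}
        evidence = row["evidence"]
        # Banner-only evidence means the scanner inferred the flaw from a
        # version string and never exercised it: a human must confirm.
        needs_verification = evidence.lower().startswith("banner:")
        findings.append(Finding(
            host=row["host"], plugin=row["plugin"], cvss=float(row["cvss"]),
            evidence=evidence, criticality=asset["criticality"],
            owner=asset["owner"], needs_verification=needs_verification,
        ))
    return sorted(findings, key=lambda f: (-f.priority, f.host))


def uninventoried_hosts(scan_csv: str, assets: dict) -> set:
    """Hosts the scanner saw that asset management does not know about."""
    return {r["host"] for r in csv.DictReader(io.StringIO(scan_csv))} - set(assets)


if __name__ == "__main__":
    for f in triage(SCAN_CSV, ASSETS):
        flag = "VERIFY" if f.needs_verification else "confirmed"
        print(f"{f.priority:5} {f.host:10} {f.owner:11} {flag:9} {f.plugin}")
    print("not in inventory:", sorted(uninventoried_hosts(SCAN_CSV, ASSETS)))
```

The scoring is deliberately crude (CVSS times criticality); what matters is that the ranking is driven by the asset profile, that a scanned host missing from the inventory is surfaced as a gap rather than silently scored low, and that version-inferred findings are routed to a person before anyone opens a remediation ticket.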

Penetration Test
- Attack and Penetration Testing is a systematic approach to identifying weaknesses in deployed targets.
- A target may be a network, a collection of hosts, or an application that is part of an organization, function or enterprise segment to be analyzed.
- If a vulnerability is used by an unauthorized individual to access company resources, those resources can be compromised.
- A penetration test is used to show where security fails.
- Penetration testing can be performed by anyone who is knowledgeable in this area and keeps up to date with the latest security news, penetration testing tools and attack techniques; it must be done under written authorization that fixes the scope, since the same actions without authorization are simply an attack.

Types Of Penetration Testing
- Black Box Penetration Testing: the pen tester has no prior information about the target network. Only the company name or an IP address (range) is known; nothing about the remote network environment (network topology etc.) is provided.
- White Box Penetration Testing: the pen tester is provided with significant knowledge of the target network: information about network devices (i.e. routers, switches), web server details, operating system type, database platform, load balancers, firewalls.

Types of Environment
- Wireless Networks
- DMZ environments
- Internet Data Centers (IDC)
- Portal Environment
- Extranet
- VPN Termination points
- Remote Access points
- Dial-In
- Web Application
- Database
- Routers, switches, servers, FWs, IDSes
- The organization as a whole
- Individuals and their workstations
- Other networking capable devices

Penetration Testing Methodology (flow diagram rendered as a sequence)
1. Scope/Goal Definition
2. Information Gathering
3. Vulnerability Detection
4. Analysis & Planning
5. Attack / Penetration
6. Privilege Escalation
7. Clean Up
8. Reporting

Network Penetration Testing
- Information Gathering & Network Surveying
- Footprinting or Fingerprinting
- Port Scanning & Services Identification
- Automated Vulnerability Scanning
- Exploiting Services for Known Vulnerabilities
- Gaining Access
- Escalation of Privileges
- Exploiting Web-Based Authorization
- Password Cracking / Brute Forcing
- Denial of Services (DoS) Testing
- Report Preparation
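The "Port Scanning & Services Identification" step above is the one most easily shown in code. What follows is an added example written for this page, not a tool from the deck: a TCP connect scan with banner grabbing. So that it runs offline it starts its own throwaway listener on 127.0.0.1 that answers with a constructed SSH-style banner; the banner text, the port window and the service table are assumptions. Against real targets, scan only what the engagement's written scope covers.

```python
"""Added example (not from the original deck): TCP connect scan plus banner
grab, i.e. the "Port Scanning & Services Identification" step.

A throwaway listener on 127.0.0.1 (constructed, with a fake banner) stands in
for the target so the example is self-contained."""
import socket
import threading
from concurrent.futures import ThreadPoolExecutor

FAKE_BANNER = b"SSH-2.0-OpenSSH_7.2 (constructed banner)\r\n"


def start_fake_service(host: str = "127.0.0.1") -> int:
    """Start a listener on an ephemeral port that sends FAKE_BANNER on connect."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))          # port 0: let the OS pick a free port
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                conn.sendall(FAKE_BANNER)

    threading.Thread(target=serve, daemon=True).start()
    return port


def free_port(host: str = "127.0.0.1") -> int:
    """A port nothing is listening on (bound briefly, then released)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind((host, 0))
        return s.getsockname()[1]


def probe(host: str, port: int, timeout: float = 0.5) -> tuple:
    """Return (port, state, banner); state is 'open' or 'closed'."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                banner = s.recv(256).decode("ascii", "replace").strip()
            except OSError:
                banner = ""      # open, but the service waits for the client to speak first
            return port, "open", banner
    except OSError:              # refused, timed out, unreachable
        return port, "closed", ""


def scan(host: str, ports, workers: int = 32) -> dict:
    """Connect-scan `ports`; return {port: banner} for the open ones."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = pool.map(lambda p: probe(host, p), ports)
    return {port: banner for port, state, banner in results if state == "open"}


def identify(banner: str) -> str:
    """Crude service identification from the banner (extend the table as needed)."""
    if banner.startswith("SSH-"):
        return "ssh"
    if banner.startswith("220 "):
        return "smtp/ftp"
    if banner.startswith("HTTP/"):
        return "http"
    return "unknown" if banner else "open, no banner"


if __name__ == "__main__":
    port = start_fake_service()
    # Scan a window around the fake service so at least one port is open.
    found = scan("127.0.0.1", range(port - 5, port + 6))
    for p, banner in sorted(found.items()):
        print(f"{p}/tcp open  {identify(banner):15} {banner}")
```

A full connect scan completes the handshake, so every probe shows up in the target's connection logs; the half-open (SYN) scan the slides mention later needs raw sockets and is what nmap does by default. Services that wait for the client to speak first (HTTP, for example) come back with an empty banner and need a protocol-specific probe to identify them.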

Compliances and Standards
Ever Expanding Regulatory Universe:
- Sarbanes Oxley (SOX)
- Payment Card Industry (PCI)
- HIPAA
- GLBA
- FFIEC
- FTC Red Flags
- Etc.

Frameworks:
- COBIT
- ISO
- ITIL
- BITS
- Etc.

SOX
Sarbanes-Oxley Act of 2002
- Congress passed the Sarbanes-Oxley Act (SOX) in large part to protect investors by improving the accuracy and reliability of corporate disclosures made pursuant to the securities laws.
- Section 404 of Sarbanes-Oxley not only requires companies to establish and maintain an adequate internal control structure, but also to assess its effectiveness on an annual basis.

SOX
Administrative Access to Financial Systems (SOX Section 306 (a)(4) & (D))
- Lists all logon and privileged access attempts by the Administrator or SU accounts.
Computer Account Logon Activity (ISO 17799 Section A.9.5.2; Sarbanes Oxley sec 306 (a)(4) & (D))
- Lists all local and remote logon activity for all monitored Windows, HP-UX, AIX Unix, Sun Solaris and Red Hat Linux systems.
Computer Account Logon Activity - Windows Detail (ISO 17799 Section A.9.5.2; Sarbanes Oxley sec 306 (a)(4) & (D))
- Lists all logon activity for all monitored Windows domains and systems. This report is specific to monitored Windows systems, but provides a greater level of detail than the Computer Account Logon Activity report.

PCI-DSS
(Slide consists of a figure that is not reproduced.)

Data Sources in PCI
(Figure not reproduced. Resource: Sensage)

4. Security Attacks

Security Attacks
Attacks on Different Layers:
- IP Attacks
- ICMP Attacks
- Routing Attacks
- TCP Attacks
- Application Layer Attacks

Why the Flaws?
TCP/IP was designed for connectivity:
- Had its origins in an innocent world
- Assumed a lot of trust between parties
- Security not intrinsic to the design
Host implementation vulnerabilities:
- Software bugs
- Some elements of the specification were left to the implementers

Security Flaws in IP
- The IP addresses are filled in by the originating host, so nothing stops a host from writing another host's address: address spoofing
- Using the source address for authentication: r-utilities (rlogin, rsh, rhosts etc.)
Diagram (rendered as text): hosts A, B and server S share one network (addresses 1.1.1.1, 1.1.1.2, 1.1.1.3); C (2.1.1.1) is reached across the Internet.
- Can A claim it is B to the server S? Yes: ARP spoofing on the shared segment
- Can C claim it is B to the server S? Much harder, since S's replies go to B, not to C. Source routing? (a source-routed packet carries its own return path, which is why source routing should be disabled)

Security Flaws in IP
- IP fragmentation attack: end hosts must keep fragments until all fragments arrive, so an attacker can exhaust reassembly buffers, or exploit bugs in reassembly (overlapping fragments)
- Traffic amplification attack: IP allows a broadcast destination. Problem: one packet sent to a broadcast address is answered by every host on that network, and if the source address was spoofed, all of those replies go to the victim

Ping Flood (diagram rendered as text): the attacking system sends ICMP echo requests, with the victim's address as the source, across the Internet to a broadcast-enabled network; every host on that network replies to the victim system.

ICMP Attacks
- No authentication
- ICMP redirect message: can cause the host to switch gateways; man-in-the-middle attack, sniffing
- ICMP destination unreachable: can cause the host to drop a connection
- Many more: http://www.sans.org/rr/whitepapers/threats/477.php

Routing Attacks
Distance Vector Routing:
- Announce 0 distance to all other nodes
- Blackhole traffic
- Eavesdrop
Link State Routing:
- Can drop links randomly
- Can claim a direct link to any other router
- A bit harder to attack than DV, because every router sees the full topology and inconsistent announcements are visible
BGP:
- ASes can announce arbitrary prefixes
- ASes can alter the path
- Could even happen due to misconfiguration

TCP Attacks
Three-way handshake between Client and Server:
1. Client -> Server: SYN x
2. Server -> Client: SYN y | ACK x+1
3. Client -> Server: ACK y+1
Issues?
- The server has to keep state while waiting for ACK y+1
- The server recognizes the client only by IP address/port and y+1

TCP Layer Attacks
TCP SYN Flooding:
- Exploits the state allocated at the server after the initial SYN packet
- Send a SYN and don't reply with the ACK (usually from a spoofed source address, so the SYN/ACK goes nowhere)
- The server keeps the half-open entry until its SYN/ACK retransmissions time out (tens of seconds to a few minutes, depending on the stack)
- Finite queue size for incomplete connections (e.g. 1024 on stacks of this era)
- Once the queue is full, new connection requests are dropped

TCP Layer Attacks
TCP Session Hijack:
- When is a TCP packet valid? Address and port match, and the sequence number is in the window
- How to get the sequence number? Sniff traffic, or guess it (many earlier systems had a predictable ISN)
- Then inject arbitrary data into the connection

TCP Layer Attacks
TCP Session Poisoning:
- Send a RST packet; it will tear down the connection
- Do you have to guess the exact sequence number? No: on classic stacks any sequence number in the receive window is accepted
- For a 64 KiB window that is 2^32 / 2^16 = 65536 packets to cover the whole sequence space
- At 40 bytes per packet that is about 2.6 MB (21 Mbit), roughly 14 seconds on a T1 (1.544 Mb/s)
- Modern stacks (RFC 5961) accept a RST only if its sequence number is exactly the next expected one, and answer an in-window RST with a challenge ACK, which removes this shortcut

Application Layer Attacks
- Applications don't authenticate properly
- Authentication information sent in the clear: FTP, Telnet, POP
- DNS insecurity: DNS poisoning, DNS zone transfer

An Example: spoofing a trusted host
Players: Stephen (S), the target; Trusted (T), a host that S trusts through rhosts; Mahendar (M), the attacker. The original four slides build up the same diagram one step at a time; the steps are merged here.
1. Attack when no one is around.
2. finger @S and showmount -e against S: what other systems does S trust? (finger lists who is logged in and from where; showmount -e lists the NFS exports and the hosts allowed to mount them.)
3. Send 20 SYN packets to S and watch the SYN|ACKs: determine S's ISN behaviour (the ISN rises by a fixed amount per connection, so the next one can be predicted).
4. SYN flood T, so that T cannot respond to packets (in particular it cannot send the RST that would otherwise tear down the forged connection).
5. Send a SYN to S spoofed as coming from T. S replies SYN|ACK to T, which M never sees.
6. Send an ACK to S with the guessed sequence number. S now assumes it has a session with T.
7. Over that blind session send "echo + + > ~/.rhosts": this gives permission to anyone from anywhere to log in as that user without a password.
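Step 3 above, "determine ISN behaviour", is what made the whole attack possible and is what randomized ISN generation removed. The following is an added example written for this page (not code from the deck): two constructed ISN generators stand in for S, one old-style (fixed increment per connection) and one keyed per peer in the manner of RFC 1948/6528; the attacker samples a few real connections, fits the increment and predicts the ISN S will hand the spoofed connection. The generator parameters and host labels are assumptions.

```python
"""Added example (not from the original deck): the "Determine ISN behaviour"
step of the trusted-host spoofing attack, simulated offline."""
import hashlib
import hmac
import os

MOD = 1 << 32  # ISNs are 32-bit


class LegacyIsn:
    """Constructed: ISN += 64000 per connection, as early BSD stacks did."""
    def __init__(self, start: int = 123456789, step: int = 64000):
        self.isn, self.step = start, step

    def next_isn(self, _client) -> int:
        self.isn = (self.isn + self.step) % MOD
        return self.isn


class HashedIsn:
    """Constructed: ISN = clock + keyed hash of the peer identity (RFC 1948
    style). Each peer sees a smooth clock, but the offset differs per peer."""
    def __init__(self):
        self.secret = os.urandom(16)
        self.clock = 0

    def next_isn(self, client) -> int:
        self.clock = (self.clock + 64000) % MOD
        digest = hmac.new(self.secret, str(client).encode(), hashlib.md5).digest()
        return (self.clock + int.from_bytes(digest[:4], "big")) % MOD


def observe(server, client: str, n: int = 4) -> list:
    """Attacker opens n real connections from its own address and records ISNs."""
    return [server.next_isn(client) for _ in range(n)]


def predict_next_isn(samples: list):
    """Fit a constant increment. Returns the predicted next ISN, or None when
    the deltas are not constant (target does not look predictable)."""
    deltas = {(b - a) % MOD for a, b in zip(samples, samples[1:])}
    if len(deltas) != 1:
        return None
    return (samples[-1] + deltas.pop()) % MOD


def attack_succeeds(server, attacker: str = "M", trusted: str = "T") -> bool:
    """Does the guess match the ISN S puts in the SYN|ACK it sends to T
    (which M never sees)?"""
    guess = predict_next_isn(observe(server, attacker))
    actual = server.next_isn(trusted)
    return guess == actual


if __name__ == "__main__":
    print("legacy ISN generator, spoof succeeds:", attack_succeeds(LegacyIsn()))
    print("hashed ISN generator, spoof succeeds:", attack_succeeds(HashedIsn()))
```

Note what the hashed generator does to the attacker: the ISNs M observes from its own address still increase by a constant, so the sample looks predictable, yet the prediction is wrong for T because the per-peer offset is keyed. Predictability has to be judged against the connection the attacker cannot see, not the one it can.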

Denial of Service
Objective: make a service unusable, usually by overloading the server or the network.
Consume host resources:
- TCP SYN floods
- ICMP ECHO (ping) floods
Consume bandwidth:
- UDP floods
- ICMP floods
Crashing the victim:
- Ping-of-Death
- TCP options (unused, or used incorrectly)
Forcing more computation:
- Taking the slow path in packet processing

Coordinated DoS (diagram rendered as text: three attackers, each aimed at its own victim)
- The first attacker attacks a different victim to cover up the real attack
- The attacker usually spoofs the source address to hide the origin
- Harder to deal with

Distributed DoS (diagram rendered as text)
Attacker -> Handlers -> Agents -> Victim: the attacker controls a few handlers, each handler controls many agents, and all agents flood the single victim.

DDoS Defenses
Network Capabilities:
- The destination explicitly decides whether or not to allow packets
- It indicates the decision by inserting capabilities in packets
- Routers en route check for valid capabilities in subsequent packets
- Issues?
Traffic Scrubbers:
- Sink all traffic to a back-end
- Scrub, scrub, scrub
- Issues?

Attacks
Denial of Service (DoS):
- SYN flood
- Smurf
- Distributed DoS
Spoofing:
- IP spoofing
- ARP poisoning
- Web spoofing
- DNS spoofing
Man-in-the-middle:
- Replays
- TCP Session hijacking
Social Engineering:
- Dumpster diving
- Online attacks
- Web defacement
Attacks on encrypted data:
- Weak keys
- Birthday attack
- Dictionary attack
Countermeasures (covered at the end of this section)

SYN flooding attack
- Exploits how the 3-way handshake that opens a TCP session works
- SYN packets are sent to the target node with spoofed (unreachable) source IP addresses
- The node under attack sends a SYN/ACK to each one and waits for the final ACK
- Each half-open connection takes up an entry in the backlog, and memory, until it times out
- Many such SYN packets fill the backlog
- Eventually the attacked node is unable to accept new connections because the backlog (and on older stacks, memory) is exhausted

TCP 3-way Handshake (state table rendered as text)
Client state     Packet                                      Server state
Closed                                                       Listen
SYN-sent     ->  SEQ = 1000, CTL = SYN                    -> SYN-received
             <-  SEQ = 750, ACK = 1001, CTL = SYN | ACK   <-
Established  ->  SEQ = 1001, ACK = 751, CTL = ACK         -> Established
(The SYN consumes one sequence number, so the final ACK carries SEQ = 1001, not 1000.)

Land attack
- Similar to a SYN attack
- Uses the target's own address (and port) as the source address as well
- Vulnerable stacks loop or hang trying to complete a SYN/ACK exchange with themselves

Smurf attack
- A brute force DoS attack and thus not OS specific
- The attacker sends a large number of ICMP echo (ping) requests to the broadcast address of an intermediary network, with the source address spoofed to be the victim's
- Each broadcast request is answered by every node on that network, so one request becomes many replies, all of them sent to the victim
- The replies clog the victim's network and prevent legitimate requests from being processed

Port scanning
- Probing the TCP and UDP ports of a target to learn which services are listening, as a prelude to an attack
- TCP ports are commonly monitored but UDP ports are not; UDP scans are also slower and less reliable, because a closed UDP port answers (if at all) with an ICMP unreachable and an open one often answers with nothing

Ping of death
- The attacker sends an illegal echo packet with more bytes than allowed, causing the data to be fragmented. On reassembly the data overflows the receiver's buffer, causing crashes and kernel dumps
- This was made possible by some Windows versions allowing non-standard ICMP (Internet Control Message Protocol) messages to be generated (an oversized ping)
- The maximum IP packet is 65535 bytes, so the maximum ICMP echo payload is 65507 bytes (65535 minus 20 bytes of IP header and 8 bytes of ICMP header). Any echo packet exceeding this size is fragmented by the sender; when the receiver reassembles the fragments the total exceeds 65535 bytes and a fixed-size reassembly buffer overflows

UDP-flood attack
- Denial of service variant
- Connects the target machine's chargen and echo services (UDP ports 19 and 7) to each other with a spoofed packet, creating an infinite loop between two or more UDP services
- Connectivity to the network is sufficient; no network account is required for this attack

Distributed Denial of Service
- Hackers post malicious software on the web
- Script kiddies (people who do not fully understand the code) launch the attacks
- In DDoS, the hacker (also known as a black hat) identifies computers with weak security as handlers. The software on the handlers scans for hosts to be used as agents or zombies. Hundreds of thousands of zombies simultaneously launch the DoS attack in a distributed manner.

IP Spoofing
- Exploits trust relationships between hosts (for example rhosts-based login), not between routers
- This is a difficult attack to launch blind, because the connection set-up depends on the initial sequence number the target chooses. Systems no longer assign sequence numbers predictably. Identifying the algorithm used for numbering packets during set-up is the key step.

ARP Poisoning
- ARP = Address Resolution Protocol
- ARP is used by every host on a LAN, routers included, to find the link-layer address of the next hop. Hosts and routers have IP addresses (32 bits); to deliver a packet on the local segment the sender broadcasts an ARP request for the destination IP address and obtains the MAC address (48 bits) from the reply.
- ARP has no authentication: any host can answer any request, or send unsolicited replies, and receivers cache what they hear.
- ARP poisoning tools: ARPoison, Ettercap, Parasite

Hosts store the IP-to-MAC mapping in the ARP table (cache). ARP poisoning means that forged replies from the attacker overwrite the entries that the victim and the router hold for each other, so traffic between them is redirected through the attacker.

Example:
- Assume the router's IP is 10.1.1.254
- The host's IP is 10.1.1.1
- The malicious host with IP 10.1.1.2 answers requests for 10.1.1.1 (and sends unsolicited replies) with its own MAC address
- From this point on all packets meant for 10.1.1.1 are delivered to 10.1.1.2, because the router's ARP cache maps 10.1.1.1 to the MAC address of 10.1.1.2 (the routing table is unchanged; only the ARP cache is)
- Poisoning the host's entry for 10.1.1.254 in the same way gives the attacker both directions, a full man-in-the-middle
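Because the example above is purely a cache-overwrite, the defender's view is the mirror image: watch ARP replies and alert when a learned IP-to-MAC binding changes, when one MAC starts claiming several IPs, or when unsolicited (gratuitous) replies appear. The block below is an added example written for this page, not code from the deck; the capture it runs over is a constructed list of ARP replies, and the gateway address 10.1.1.254 is an assumption.

```python
"""Added example (not from the original deck): detecting ARP poisoning from
observed ARP replies. Input is a constructed capture: (t, sender_ip,
sender_mac, gratuitous) tuples standing in for what a sniffer on the segment
would see."""
from collections import defaultdict

GATEWAY_IP = "10.1.1.254"   # assumed gateway address
VICTIM_IP = "10.1.1.1"
ATTACKER_IP = "10.1.1.2"

CAPTURE = [
    (0.0,  GATEWAY_IP,  "00:11:22:aa:aa:aa", False),
    (0.1,  VICTIM_IP,   "00:11:22:bb:bb:bb", False),
    (0.2,  ATTACKER_IP, "00:11:22:cc:cc:cc", False),
    # The attacker tells the victim "the gateway is at my MAC" and the
    # gateway "the victim is at my MAC", unsolicited, repeated so the
    # poisoned entries never age out.
    (5.0,  GATEWAY_IP,  "00:11:22:cc:cc:cc", True),
    (5.0,  VICTIM_IP,   "00:11:22:cc:cc:cc", True),
    (10.0, GATEWAY_IP,  "00:11:22:cc:cc:cc", True),
]


def detect(capture) -> list:
    """Return a list of (t, alert_text) in capture order."""
    ip_to_mac = {}                  # what we have learned so far
    mac_to_ips = defaultdict(set)   # which IPs each MAC has claimed
    alerts = []
    for t, ip, mac, gratuitous in capture:
        if gratuitous:
            alerts.append((t, f"gratuitous ARP for {ip} from {mac}"))
        known = ip_to_mac.get(ip)
        if known is not None and known != mac:
            alerts.append((t, f"{ip} changed from {known} to {mac}"))
        ip_to_mac[ip] = mac
        mac_to_ips[mac].add(ip)
        if len(mac_to_ips[mac]) > 1:
            alerts.append((t, f"{mac} claims {sorted(mac_to_ips[mac])}"))
    return alerts


def poisoned_pairs(capture) -> dict:
    """MACs that, at the end of the capture, are the learned address for more
    than one IP: the signature of a completed man-in-the-middle."""
    final = {}
    for _, ip, mac, _ in capture:
        final[ip] = mac
    by_mac = defaultdict(set)
    for ip, mac in final.items():
        by_mac[mac].add(ip)
    return {mac: ips for mac, ips in by_mac.items() if len(ips) > 1}


if __name__ == "__main__":
    for t, text in detect(CAPTURE):
        print(f"t={t:5.1f}  {text}")
    print("poisoned:", poisoned_pairs(CAPTURE))
```

A binding change on its own is not proof (DHCP reassignment, a replaced NIC, VRRP failover all look the same), which is why tools such as arpwatch report it for a human to judge; the combination of an unsolicited reply, a changed gateway binding and one MAC owning both endpoints is what should page someone. The robust fix on the switch side is dynamic ARP inspection or static entries for the gateway.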

Web Spoofing
- In this attack the malicious site pretends to be the authentic one
- It is a form of man-in-the-middle attack
- This is accomplished by putting a link to the malicious site in front of the victim under a legitimate-looking name (on a compromised page, in e-mail, etc.). For example, a link labelled www.nybank.com could point to www.hacksite.com, and the user would not notice unless they pay attention to the address actually linked.

DNS Spoofing
- This is similar to web spoofing, but the redirection happens in name resolution
- The DNS server could be a simple machine placed behind a firewall
- Usually it is isolated from the rest of the nodes in functionality
- The hacker gets access to the DNS server (or poisons its cache with forged responses) and changes the mapping in the lookup table. For example, www.nybank.com is supposed to point to 199.230.116.100; the hacker could redirect it to his own web server instead.

Replays
- Replay involves capturing traffic in transit and reusing it to gain access to systems.
Example:
- The hacker sniffs the login information of a valid user
- Even if the information is encrypted, the hacker can replay the captured login exchange to fool the system and gain access, provided the exchange contains nothing that ties it to a single session (a nonce, timestamp or counter)

A sniffer is a program that intercepts and reads traffic on the network.
- Sniffers work when the NIC is set to promiscuous mode, so that it passes up frames addressed to other hosts (on a switched network the attacker additionally needs ARP poisoning or a mirror port to see that traffic)
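The point that encryption alone does not stop replay, and that a fresh server-chosen nonce does, is easiest to see with both protocols side by side. The following is an added example for this page, not code from the deck: two constructed login protocols, one whose proof depends only on the password (so the sniffed bytes work again) and one whose proof is an HMAC over a single-use nonce. The user database, the key derivation and the message shapes are toy assumptions.

```python
"""Added example (not from the original deck): why a static login blob can be
replayed and how a single-use server nonce stops it."""
import hashlib
import hmac
import os

USERS = {"alice": "correct horse battery staple"}   # constructed credential store


def derive_key(password: str) -> bytes:
    # Toy derivation; a real system would use a salted, slow KDF.
    return hashlib.sha256(password.encode()).digest()


def _lookup(user: str):
    pw = USERS.get(user)
    return None if pw is None else derive_key(pw)


class StaticLogin:
    """Replayable: the proof depends only on the password, so it is the same
    bytes on every login and a sniffer can resend it."""
    def client_message(self, user: str, password: str) -> dict:
        proof = hmac.new(derive_key(password), f"login:{user}".encode(), "sha256").hexdigest()
        return {"user": user, "proof": proof}

    def server_verify(self, msg: dict) -> bool:
        key = _lookup(msg["user"])
        if key is None:
            return False
        expected = hmac.new(key, f"login:{msg['user']}".encode(), "sha256").hexdigest()
        return hmac.compare_digest(expected, msg["proof"])


class ChallengeLogin:
    """Replay-resistant: the proof is bound to a nonce the server chose and
    accepts exactly once."""
    def __init__(self):
        self.outstanding = {}   # user -> nonce still waiting for its proof

    def server_challenge(self, user: str) -> bytes:
        nonce = os.urandom(16)
        self.outstanding[user] = nonce
        return nonce

    def client_response(self, user: str, password: str, nonce: bytes) -> dict:
        return {"user": user, "proof": hmac.new(derive_key(password), nonce, "sha256").hexdigest()}

    def server_verify(self, msg: dict) -> bool:
        nonce = self.outstanding.pop(msg["user"], None)   # consumed on first use
        key = _lookup(msg["user"])
        if nonce is None or key is None:
            return False
        expected = hmac.new(key, nonce, "sha256").hexdigest()
        return hmac.compare_digest(expected, msg["proof"])


def replay_static() -> tuple:
    """(legitimate login accepted, sniffed copy accepted)"""
    p = StaticLogin()
    captured = p.client_message("alice", USERS["alice"])    # what the sniffer saw
    return p.server_verify(captured), p.server_verify(dict(captured))


def replay_challenge() -> tuple:
    """(legitimate login accepted, sniffed copy accepted in a new session)"""
    p = ChallengeLogin()
    nonce = p.server_challenge("alice")
    captured = p.client_response("alice", USERS["alice"], nonce)
    first = p.server_verify(captured)
    p.server_challenge("alice")                  # attacker opens a new session ...
    second = p.server_verify(dict(captured))     # ... and replays the old proof
    return first, second


if __name__ == "__main__":
    print("static proof:    legit, replay =", replay_static())
    print("challenge proof: legit, replay =", replay_challenge())
```

The challenge variant still leaks nothing about the password on the wire, but note what it does not cover: an attacker who can relay in real time (the man-in-the-middle slides) can forward the server's nonce to the real client and pass the answer back, so nonces stop replay, not relay; binding the proof to the TLS channel or the server identity is what closes that.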

Replay Attack Diagram (rendered as text)
Valid user sends id and pwd to the Server; the Sniffer on the path records the sniffed id and pwd; later the Hacker replays the id and pwd to the Server.

TCP Session Hijacking
- The hacker directs traffic to his own machine instead of the trusted server the victim assumes it is talking to
- To hijack a session, the hacker ARP-poisons the router (and the victim) so that all traffic passes through his computer before it is delivered to the victim; with the traffic in hand he knows the sequence numbers and can inject into, or take over, the session
- See Figure 3-14 (p. 68) in the book for the IP and MAC addresses needed to understand this type of attack

Dictionary attack
- The attacker has an idea of the message (its shape, or a list of likely values)
- Has the hashed value of the message
- Exhaustive search over the candidates to find the original corresponding to the hash
- Credit card numbers use 16 digits: 10^16 (about 2^53) possibilities, and far fewer once the issuer prefix and the check digit are known
- This is within the realm of possibility for today's computers to search exhaustively
- Does not involve breaking any encryption: the hash function is used exactly as intended

Birthday attack
- A variation of the brute-force attack
- If 23 people are in a room, the probability is over 50% that two of them share a birthday; far fewer than the 183 people needed for a better-than-even chance that someone matches one given birthday
- The analogy: finding any two inputs with the same hash (a collision) takes about the square root of the effort of finding an input matching one given hash, so an n-bit hash offers only about n/2 bits of collision resistance
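The two attacks on the preceding slides are cheap to run for real on a deliberately shortened hash, which makes the 2^n versus 2^(n/2) gap concrete. The block below is an added example written for this page, not from the deck: it recovers a 16-digit card-style number from its hash when the issuer prefix is known (dictionary attack), then finds a collision on a 32-bit truncation of SHA-256 in roughly 2^16 tries (birthday attack), and computes the 23-people probability. The truncation and the sample number are constructed; SHA-256 at full length is not affected.

```python
"""Added example (not from the original deck): dictionary attack and birthday
attack against a truncated hash, plus the birthday-paradox probability."""
import hashlib
import itertools
import math
import random


def h_bits(data: bytes, n_bits: int) -> int:
    """First n_bits of SHA-256 as an integer (constructed 'weak' hash)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") >> (256 - n_bits)


def dictionary_attack(target: int, known_prefix: str, unknown_digits: int, n_bits: int = 64):
    """Enumerate every candidate that fits the known shape; return the match or None.
    Work is 10^unknown_digits, independent of the hash width."""
    for tail in itertools.product("0123456789", repeat=unknown_digits):
        candidate = known_prefix + "".join(tail)
        if h_bits(candidate.encode(), n_bits) == target:
            return candidate
    return None


def birthday_collision(n_bits: int, rng=None):
    """Hash random inputs until two distinct ones share an n-bit digest.
    Returns (input_a, input_b, tries); tries is about sqrt(pi/2 * 2^n)."""
    rng = rng or random.Random(1)     # fixed seed so the run is repeatable
    seen = {}
    tries = 0
    while True:
        tries += 1
        msg = rng.getrandbits(64).to_bytes(8, "big")
        d = h_bits(msg, n_bits)
        if d in seen and seen[d] != msg:
            return seen[d], msg, tries
        seen[d] = msg


def birthday_probability(n_people: int, days: int = 365) -> float:
    """P(at least one shared birthday) among n_people."""
    p_distinct = 1.0
    for i in range(n_people):
        p_distinct *= (days - i) / days
    return 1.0 - p_distinct


if __name__ == "__main__":
    number = "4111111111111234"           # constructed, not a real card
    target = h_bits(number.encode(), 64)
    print("recovered:", dictionary_attack(target, number[:12], 4))
    a, b, tries = birthday_collision(32)
    print(f"32-bit collision after {tries} tries (~2^{math.log2(tries):.1f}): {a.hex()} {b.hex()}")
    print(f"P(shared birthday, 23 people) = {birthday_probability(23):.3f}")
```

The dictionary attack never touches the hash's strength: a 64-bit digest of a 4-digit secret is a 4-digit secret. The collision search is why digest length is chosen as twice the security level (SHA-256 for 128-bit collision resistance) and why MD5, with collisions found far below even its 2^64 birthday bound, is listed on the integrity slide only as a checksum, not a defence.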

Countermeasures
For SYN-flood attack:
- A firewall can withhold or insert packets into the data stream, which gives one way of keeping flood SYNs from reaching the server
- The firewall responds immediately to the SYN with its own SYN/ACK sent to the (possibly spoofed) source. This way the request is not in the server's open queue taking up space. Legitimate clients respond immediately and are then forwarded by the firewall to the internal systems. SYN-flood packets never receive a reply from the spoofed address, so the firewall sends a RST (reset) after the timeout.
- The same idea inside the server itself is SYN cookies: the server encodes the connection in its SYN/ACK sequence number instead of storing it, and recreates the entry only when the final ACK arrives.
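The SYN-flood slide and this countermeasure describe the same state problem from both sides, and a small simulation shows the difference. What follows is an added example written for this page, not code from the deck: a constructed server with a tiny backlog, first with classic half-open state (where a spoofed flood locks out a real client) and then with a toy SYN cookie (a keyed hash over the 4-tuple, client ISN and a coarse time counter, plus an MSS index, packed into the server's ISN). The bit layout is a simplification of the real Linux scheme, not a copy of it, and the backlog size and addresses are assumptions.

```python
"""Added example (not from the original deck): backlog exhaustion under a
SYN flood, and a toy SYN-cookie scheme that keeps no per-SYN state."""
import hashlib
import hmac
import os

MOD = 1 << 32
MSS_TABLE = [536, 1460]   # toy table: one bit of MSS index in the cookie


class Server:
    def __init__(self, backlog: int = 4, syn_cookies: bool = False):
        self.backlog, self.syn_cookies = backlog, syn_cookies
        self.half_open = {}          # 4-tuple -> server ISN (classic mode only)
        self.established = set()
        self.key = os.urandom(16)
        self.minute = 0              # coarse time counter; bump it to expire cookies

    def _cookie(self, four_tuple, client_isn: int, mss_idx: int, minute: int) -> int:
        msg = f"{four_tuple}|{client_isn}|{minute}".encode()
        h = int.from_bytes(hmac.new(self.key, msg, hashlib.sha256).digest()[:4], "big")
        # top 8 bits: minute counter; next bit: MSS index; low 23 bits: keyed hash
        return ((minute & 0xFF) << 24 | (mss_idx & 1) << 23 | (h & 0x7FFFFF)) % MOD

    def on_syn(self, four_tuple, client_isn: int, mss: int = 1460):
        """Return the ISN for the SYN/ACK, or None if the SYN is dropped."""
        mss_idx = 1 if mss >= 1460 else 0
        if self.syn_cookies:
            return self._cookie(four_tuple, client_isn, mss_idx, self.minute)
        if len(self.half_open) >= self.backlog:
            return None              # classic failure mode under flood
        isn = int.from_bytes(os.urandom(4), "big")
        self.half_open[four_tuple] = isn
        return isn

    def on_ack(self, four_tuple, client_isn: int, ack: int) -> bool:
        """Final ACK of the handshake; ack must equal server ISN + 1."""
        if self.syn_cookies:
            cookie = (ack - 1) % MOD
            minute = cookie >> 24
            if (self.minute - minute) % 256 > 1:
                return False         # cookie too old
            mss_idx = (cookie >> 23) & 1
            if cookie != self._cookie(four_tuple, client_isn, mss_idx, minute):
                return False         # forged or corrupted
            self.established.add((four_tuple, MSS_TABLE[mss_idx]))
            return True
        isn = self.half_open.pop(four_tuple, None)
        if isn is None or ack != (isn + 1) % MOD:
            return False
        self.established.add((four_tuple, None))
        return True


def flood_then_connect(syn_cookies: bool, flood_size: int = 1000) -> bool:
    """Spoofed SYNs that never complete, then one legitimate client.
    Returns whether the legitimate client got a connection."""
    srv = Server(backlog=4, syn_cookies=syn_cookies)
    for i in range(flood_size):
        srv.on_syn(("203.0.113.%d" % (i % 250), 40000 + i, "198.51.100.1", 80), 1000)
    peer = ("192.0.2.7", 51515, "198.51.100.1", 80)
    isn = srv.on_syn(peer, client_isn=4242, mss=1460)
    return isn is not None and srv.on_ack(peer, 4242, (isn + 1) % MOD)


if __name__ == "__main__":
    print("classic backlog, client connects:", flood_then_connect(False))
    print("SYN cookies,     client connects:", flood_then_connect(True))
```

The cost of cookies is visible in the code: the server can only keep what fits in 32 bits, so TCP options negotiated in the SYN (window scaling, SACK) are lost unless the client repeats them, which is why real stacks turn cookies on only once the backlog is under pressure.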

Countermeasures
For Smurf attack:
- Routers should be configured to drop ICMP messages from outside the network with a destination of an internal broadcast or multicast address (on Cisco IOS this is the `no ip directed-broadcast` interface setting)
- Newer OSes for routers and workstations have protection for known smurf attacks

Countermeasures
For IP Spoofing attack:
- This is a difficult attack for the hacker to start with
- The hacker has to guess correctly the Initial Sequence Number that the target would send to the spoofed IP
- To prevent IP spoofing, disable source routing on all internal routers
- Filter incoming packets that carry a source address of the local network (ingress filtering), and filter outgoing packets that do not (egress filtering, BCP 38)

Countermeasures
For Man in the middle attack:
- Routers and hosts should be configured to ignore ICMP redirect packets
- An Intrusion Detection System (IDS) is software that scans traffic in real time and detects anomalies
- Cisco, Computer Associates and SecureWorks are some of the companies that provide IDS software
- Having an IDS is a requirement in the medical and financial industries for the business to be licensed
- The industry is now moving towards Intrusion Prevention Systems (IPS) as opposed to IDS

Countermeasures
For Ping of death attack:
- Prohibit creation of ICMP packets of invalid size, and drop reassembled datagrams that would exceed 65535 bytes
For Denial of Service attack:
- Firewalls and routers at network boundaries can use filters to prevent spoofed packets from leaving the network
- Filter incoming packets with a broadcast destination address
- Turn off directed broadcasts on all internal routers
- Block packets whose destination is a private or otherwise non-routable address (e.g. 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16 private; 224.0.0.0/4 multicast; 127.0.0.0/8 loopback), and likewise packets arriving from the Internet with such a source address
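The filtering rules spread over the last few countermeasure slides (egress filtering of spoofed sources, ingress filtering of local sources, dropping directed broadcasts, dropping bogon addresses) are one border policy, and it is easier to reason about as code than as separate bullets. The block below is an added example written for this page, not a configuration from the deck or from any vendor: it evaluates that policy over constructed packet headers for an assumed site prefix of 198.51.100.0/24.

```python
"""Added example (not from the original deck): border ingress/egress filtering
as a policy check over packet headers. Packets are constructed tuples."""
import ipaddress

LOCAL_NET = ipaddress.ip_network("198.51.100.0/24")   # assumed site prefix

# Addresses that should never appear as unicast src/dst on a public link.
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]


def is_bogon(addr) -> bool:
    return any(addr in net for net in BOGONS)


def filter_packet(direction: str, src: str, dst: str, local_net=LOCAL_NET) -> tuple:
    """direction is 'in' (arriving from the Internet) or 'out' (leaving).
    Returns (action, reason) with action 'permit' or 'drop'."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if is_bogon(s):
        return "drop", f"bogon source {s}"
    if is_bogon(d):
        return "drop", f"bogon destination {d}"
    if direction == "out":
        if s not in local_net:                       # BCP 38 egress filtering
            return "drop", f"egress: source {s} not in {local_net} (spoofed)"
        return "permit", "egress ok"
    if direction == "in":
        if s in local_net:                           # ingress anti-spoofing
            return "drop", f"ingress: source {s} claims to be local (spoofed)"
        if d in (local_net.broadcast_address, local_net.network_address):
            return "drop", f"ingress: directed broadcast to {d}"
        return "permit", "ingress ok"
    raise ValueError("direction must be 'in' or 'out'")


# Constructed traffic sample: (direction, src, dst)
SAMPLE = [
    ("out", "198.51.100.10", "203.0.113.5"),     # normal outbound
    ("out", "192.0.2.99",    "203.0.113.5"),     # spoofed DoS traffic from inside
    ("in",  "203.0.113.5",   "198.51.100.10"),   # normal inbound
    ("in",  "198.51.100.10", "198.51.100.20"),   # outside packet claiming a local source
    ("in",  "203.0.113.5",   "198.51.100.255"),  # smurf amplification attempt
    ("in",  "10.20.30.40",   "198.51.100.10"),   # private source from the Internet
    ("in",  "203.0.113.5",   "224.0.0.1"),       # multicast destination
]


def audit(sample=SAMPLE) -> list:
    """Apply the policy to each sample packet; rows are (src, dst, dir, action, reason)."""
    return [(src, dst, direction, *filter_packet(direction, src, dst))
            for direction, src, dst in sample]


if __name__ == "__main__":
    for src, dst, direction, action, reason in audit():
        print(f"{direction:3} {src:>15} -> {dst:<15} {action:6} {reason}")
```

The two halves protect different people: egress filtering stops your hosts from being the spoofed source of someone else's flood, ingress filtering stops the classic spoofing attacks against you. Neither helps against a flood that uses real, unspoofed sources, which is the reason DDoS moved to botnets.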

5. Software Exploitation

Software Exploitation
- Malicious software, also known as malware, includes worms, viruses and Trojan horses
- How do these propagate?
- A virus is meant to replicate itself into executables (e.g., Melissa)
- A worm is meant to propagate itself across the network (e.g., Nimda, Code Red)
- A Trojan horse is meant to entice the unsuspecting user into executing malicious code, such as a worm (e.g., I Love You)

Software exploitation:
- Malicious software (virus and worm)
- Back door
- Logic bombs

Malicious code
Type          Characteristics
Virus         Attaches itself to programs and propagates copies of itself to other programs
Trojan horse  Contains unexpected functionality
Logic bomb    Triggers action when a condition occurs
Time bomb     Triggers action at a certain time
Trapdoor      Allows unauthorized access to functionality
Worm          Propagates copies of itself through a network
Rabbit        Replicates without limit to exhaust resources

Viruses
- String of computer code that attaches to other programs and replicates
- File infectors: oldest type of virus, now mostly extinct
- Boot-sector viruses: reside in the boot portion of a disk; also mostly extinct
- Macro viruses: written in a scripting language and affect data files, not programs; the future of viruses (as of 2009)
- No absolute cure for viruses
- Antivirus programs work, but need continual updating
- Virus makers depend on the laziness of users letting virus definitions get out of date

Virus
- A virus self-replicates
- Early viruses (1980s to mid-90s) were placed in the boot sector of hard and floppy drives, where they would not show up in the directory listing
- The second type is the parasitic virus, prevalent in the mid-90s. A parasitic virus attaches to files and infects files of type exe, sys, com, dll, bin, drv
- The third type is the multipartite virus, which infected both the boot sector and files. This was also common in the mid-90s.
- The current (2009) type is the macro virus. These are application specific as opposed to operating system specific. They propagate rapidly through e-mail. Most macro viruses are written in Visual Basic (VBA or VBScript) and exploit Microsoft applications such as Outlook.

Viruses and Worms
- A virus is a program that reproduces itself by attaching its code to another program
- Viruses require human intervention to spread: Melissa and I LOVE YOU spread by e-mail
- Worms actively replicate without a helper program
- In this taxonomy a worm is a subclass of virus, but one that does not require user intervention
- Sasser and Blaster targeted machines with out-of-date software

Antivirus
Antivirus software is a term used to describe a computer program that attempts to identify, neutralize or eliminate malicious software. This type of software is so named because the earliest examples were designed exclusively to combat computer viruses; however most modern antivirus software is now designed to combat a wide range of threats, including worms, phishing attacks, rootkits and trojan horses.

Antivirus software typically uses two different techniques to accomplish this:
- Examining (scanning) files to look for known viruses matching definitions in a virus dictionary
- Identifying suspicious behavior from any computer program which might indicate infection. Such analysis may include data captures, port monitoring and other methods.

Worms & Trojan Horses
Worms:
- Particular to networked computer systems
- Gain access to resources that point to other computers
- Replicate themselves to multiple systems
- Often described as mostly annoying rather than dangerous, but the scanning traffic alone from worms such as Code Red, Blaster and Sasser (above) took networks down
Trojan Horses:
- Code that embeds itself into something useful
- Collects information and sends it to a known site on the network
- Can also allow external takeover of your system (Back Orifice)

"Good" viruses (effective from the virus writer's point of view):
- Are hard to detect
- Are hard to destroy
- Spread widely
- Can re-infect cleaned files
- Are easy to create
- Are machine independent

Hiding places
- Boot sector
- Memory-resident viruses
- Macro, library etc. viruses
Diagram (rendered as text): the normal process is Boot Strap Loader -> System Initialization; after infection it is Boot Strap Loader -> Virus Code -> System Initialization, so the virus runs before the system does.
Effects and causes
Effect                          How caused?
Attach to executable program    Modify file directory; write to executable file
Attach to data or control file  Modify directory; rewrite data; append to data; append data to itself
Remain in memory                Intercept interrupts and modify handlers
Infect disks                    Intercept interrupt; intercept OS call; modify system file; modify ordinary executables
Spread infection                Infect boot sector; infect system program; infect ordinary program; infect data that controls ordinary programs

Malware
Malware is software designed to infiltrate or damage a computer system without the owner's informed consent. It is a portmanteau of the words "malicious" and "software". The expression is a general term used by computer professionals to mean a variety of forms of hostile, intrusive, or annoying software or program code.

Software is considered malware based on the perceived intent of the creator rather than any particular features. It includes computer viruses, worms, trojan horses, most rootkits, spyware, dishonest adware, and other malicious and unwanted software. In law, malware is sometimes known as a computer contaminant.

Malware
Modern Malicious Code (Malware):
- Around 1999 was the first occurrence of large-scale propagation of e-mail-borne malware
- Virus protection is now more reactive
- E-mail infections are insidious because they bypass firewalls: the mail is allowed through and the user executes the payload
- Multi-module programs and plugins increase the attack surface
- Dynamic linking increases the problem as well (a replaced library infects every program that loads it)
- Mobile code (Java, JavaScript, ActiveX, plugins) provides an easier delivery mechanism

Vulnerability to Malware
In this context, as throughout, it should be borne in mind that the system under attack may be of various types, e.g. a single computer and operating system, a network or an application.
Various factors make a system more vulnerable to malware:
- Homogeneity: when all computers in a network run the same OS, if you can break that OS you can break into any computer running it
- Defects: most systems contain errors which may be exploited by malware
- Unconfirmed code: code from a floppy disk, CD-ROM or USB device may be executed (autorun) without the user's agreement
- Over-privileged users: some systems allow all users to modify their internal structures
- Over-privileged code: most popular systems grant code executed by a user all the rights of that user

Types of Malware
1. Worms and viruses are computer programs that replicate themselves without human intervention. The difference is that a virus attaches itself to, and becomes part of, another executable (i.e., runnable) program, whereas a worm is self-contained and does not need to be part of another program to replicate itself.
2. A trojan, or trojan horse, is software that is disguised as a legitimate program in order to entice users to download and install it. In contrast to worms and viruses, trojans are not directly self-replicating. They can be designed to do various harmful things, including corrupting files, erasing data and installing other types of malware.
3. A backdoor (usually written as a single word) is any hidden method for obtaining remote access to a computer or other system. Backdoors typically work by allowing someone or something with knowledge of them to use special password(s) and/or other actions to bypass the normal authentication (e.g., user name and password) procedure on a remote machine (i.e., a computer located elsewhere on the Internet or other network) to gain access to the all-powerful root (i.e., administrative) account.

Types of Malware (Contd.)
4. A rootkit is software that is secretly inserted into a computer and which allows an intruder to gain access to the root account and thereby be able to control the computer at will. Rootkits frequently include functions to hide the traces of their penetration, such as by deleting log entries. They typically include backdoors so that the intruder can easily gain access again at a later date, for example, in order to attack other systems at specific times.
5. Spam is unwanted e-mail which is sent out in large volume. Although people receiving a few pieces of spam per day might not think that it is anything to be too concerned about, it is a major problem for several reasons, including the facts that its huge volume (perhaps half or more of all e-mail) places a great load on the entire e-mail system, it often contains other types of malware and much of its content is fraudulent. Organizations typically have to devote considerable resources to attempting to filter out and delete spam while not losing legitimate e-mail, thereby distracting them from their primary tasks.

Steps to Counter Malware
There are a number of steps that computer users can take to minimize the chances of becoming infected by malware. They include:
- using relatively secure software,
- providing physical security for computers and networks, and enforcing the use of strong passwords,
- employing firewalls,
- using malware detection programs,
- avoiding opening e-mail attachments of unknown origin, avoiding the downloading of dubious programs, and avoiding use of the root account except when absolutely necessary.

Trojan Horse
- Malicious program disguised as an innocent one
- Could modify/delete the user's files, send important information to the cracker, etc.
- The program has to get to the computer somehow: the cracker disguises it as a new game, an e-card, a Windows update site, etc.
- When run, the Trojan Horse executes with the user's privileges
Examples:
- Hide a program in a directory on the PATH under a common typo: "la" for "ls"
- A malicious user puts a malicious "ls" in a directory and lures the superuser into running it there (this works whenever "." or a writable directory comes early in the superuser's PATH)
- That malicious "ls" could make the user the superuser
- Denning's paper, 1999

Login Spoofing
- A specialized case of Trojan Horse
- The attacker displays a custom screen that the user thinks belongs to the system
- The user responds by typing in user name and password, which the attacker's program records
- Can be circumvented by a key sequence that user programs cannot catch (a secure attention key): e.g. CTRL+ALT+DEL in Windows

Logic Bombs
- Piece of code, in the OS or an application, which is dormant until a certain time has elapsed or an event has occurred
- The event could be a missing employee record in payroll
- Could act as a Trojan Horse/virus once triggered
- Also called slag code or time bomb
- Recovery options for a firm include calling the police and rehiring the programmer

Trap Doors
- Code in the system inserted by a programmer to bypass the normal checks
- Ken Thompson, "Reflections on Trusting Trust": a hole in a UNIX system utility (login), planted by a modified C compiler that also re-plants itself when the compiler is rebuilt, so the hole appears in the source of neither

Buffer Overflow
- The C compiler does no array bounds checking
- A great number of programs are written in C
- A cracker can force his own routine to run by violating array bounds: input longer than the buffer overwrites adjacent memory, including the saved return address on the stack

Policies, Standards & Baselines
- Security Policy: an overall general statement produced by senior management.
- Standards: mandatory activities, actions, rules or regulations.
- Baselines: the minimum level of security that is required; a consistent reference point.
- Guidelines: recommended actions, industry best practices.
- Procedures: detailed step-by-step tasks developed to provide standardization of activities.

Common Threat Classification

- Network: threats against the network (spoofed packets, etc.)
- Host: threats against the host (buffer overflows, illicit paths, etc.)
- Application: threats against the application (SQL injection, XSS, input tampering, etc.)

Examples of Network Threats

Threat: Information gathering
- Port scanning
- Using trace routing to detect network topologies
- Using broadcast requests to enumerate subnet hosts

Threat: Eavesdropping
- Using packet sniffers to steal passwords

Threat: Denial of service (DoS)
- SYN floods
- ICMP echo request floods
- Malformed packets

Threat: Spoofing
- Packets with spoofed source addresses

Examples of Host Threats

Threat: Arbitrary code execution
- Buffer overflows in ISAPI DLLs (e.g., MS01-033)
- Directory traversal attacks (MS00-078)

Threat: File disclosure
- Malformed HTR requests (MS01-031)
- Virtualized UNC share vulnerability (MS00-019)

Threat: Denial of service (DoS)
- Malformed SMTP requests (MS02-012)
- Malformed WebDAV requests (MS01-016)
- Malformed URLs (MS01-012)
- Brute-force file uploads

Threat: Unauthorized access
- Resources with insufficiently restrictive ACLs
- Spoofing with stolen login credentials

Threat: Exploitation of open ports and protocols
- Using NetBIOS and SMB to enumerate hosts
- Connecting remotely to SQL Server

Examples of Application Threats

Threat: SQL injection
- Including a DROP TABLE command in text typed into an input field

Threat: Cross-site scripting
- Using malicious client-side script to steal cookies

Threat: Hidden-field tampering
- Maliciously changing the value of a hidden field

Threat: Eavesdropping
- Using a packet sniffer to steal passwords and cookies from traffic on unencrypted connections

Threat: Session hijacking
- Using a stolen session ID cookie to access someone else's session state

Threat: Identity spoofing
- Using a stolen forms authentication cookie to pose as another user

Threat: Information disclosure
- Allowing the client to see a stack trace when an unhandled exception occurs

OWASP Top Ten Web Vulnerabilities

A1. Unvalidated Input
A2. Broken Access Controls
A3. Broken Authentication and Session Management
A4. Cross Site Scripting Flaws
A5. Buffer Overflows
A6. Injection Flaws
A7. Improper Error Handling
A8. Insecure Storage
A9. Denial of Service
A10. Insecure Configuration Management

Session Management

Authentication and Session Management: Session hijacking

- Hijack another user's session by intercepting or predicting any cookies sent by the site (allows impersonation by using established/authenticated access)

How do you protect it?
- Integrity with a hash?
- Encryption?
- Encode it with an easily reversible scheme?
- Timeouts for the lifetime of a session ID?
- Prohibit predictable session IDs and cookies

Hackers will test it by:
- Logging on and off over and over again and across different times

Session Management

Authentication and Session Management: Session Hijacking

1st Try:
rbcSetCookie("F100","1/WL2/6a0yKsQJ13A3B4NnSan97lZARQN69zCMZDoezJ5De0AX8bD5S5HScdvXE2DMuVESNApHR2SE5WNwRs4ngmvuEQ__/XQAAAA__/S0/PB", null, "/");
2nd Try:
rbcSetCookie("F100","1/WK2/H2BlqWdlkC28v8o1dYQkeA9l3p5hmAEK3LsHyree7gKBXvuWQgoGy52i5QDSsmOc4CasIZ7YqOBcUeuac96oyg__/XQAAAA__/S0/PB", null, "/");

Things to try:
- Save code, modify and resubmit with new values
- Modify cookie
- Re-use the same cookie 1 day later
- Test limits
- Test hidden forms and variables
- Change variables
- Expiry?
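The two session-management slides above list the properties a session cookie needs (unpredictable, integrity-protected, expiring) and the things a tester will try (modify it, re-use it a day later, log on repeatedly). The following is an added example, not code from the original deck, of a server-side cookie scheme that meets those properties, in the shape <id>.<expiry>.<tag>. The server key, the TTL and the cookie layout are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

# Server-side secret, constructed per process for this example; a real
# deployment loads it from protected configuration so it survives restarts.
SERVER_KEY = secrets.token_bytes(32)


def _sign(session_id, expiry, key):
    """HMAC-SHA256 over the id and the expiry, hex-encoded."""
    return hmac.new(key, f"{session_id}.{expiry}".encode(), hashlib.sha256).hexdigest()


def issue_session(now, ttl_seconds=900, key=SERVER_KEY):
    """Issue a cookie value of the form <id>.<expiry>.<tag>.

    - id comes from the OS CSPRNG, so it cannot be predicted from earlier
      logins however often someone logs on and off
    - expiry is an absolute Unix time, so a cookie saved today is useless tomorrow
    - tag is an HMAC over id and expiry, so modifying either invalidates the cookie
    """
    session_id = secrets.token_urlsafe(32)       # urlsafe alphabet never contains '.'
    expiry = int(now) + ttl_seconds
    return f"{session_id}.{expiry}.{_sign(session_id, expiry, key)}"


def validate_session(cookie, now, key=SERVER_KEY):
    """Return the session id if the cookie is authentic and unexpired, else None."""
    parts = cookie.rsplit(".", 2)
    if len(parts) != 3 or not parts[1].isdigit():
        return None                              # malformed cookie
    session_id, expiry, tag = parts
    # constant-time comparison: a plain '==' leaks how many characters matched
    if not hmac.compare_digest(_sign(session_id, int(expiry), key), tag):
        return None                              # id or expiry was modified
    if int(now) >= int(expiry):
        return None                              # re-used after expiry
    return session_id


if __name__ == "__main__":
    import time
    cookie = issue_session(time.time())
    print(cookie)
    print("valid now:", validate_session(cookie, time.time()) is not None)
    print("valid tomorrow:", validate_session(cookie, time.time() + 86400) is not None)
```

The tag answers the "integrity with a hash?" question from the slide: a bare hash of the id could be recomputed by anyone, so the value is keyed with a server secret. Extending the expiry in the cookie is caught because the expiry is covered by the HMAC, and the id itself carries no user data to decode or reverse.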

Cross-Site Scripting

- A web application takes input from a user but fails to validate the input
- The input is echoed directly in a web page
- The input could be malicious JavaScript; when echoed and interpreted in the destination browser, any number of issues could result

Cross-Site Scripting (XSS) Attacks

Modified URL
- URL parameters are modified on the URL to contain script code
- Input is not validated and is displayed as entered on the resulting dynamic web page

XSS Vulnerable Targets
- Weblogs (online journals)
- Web bulletin boards
- Chat rooms
- Guest books
- Web mail clients
- User confirmation forms in banking applications

XSS: Script Injection Demo

XSS: Script Injection Demo (Contd.)
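The "modified URL" case described above, as an added example that is not part of the original slides: a hypothetical greeting page reads a `name` query parameter and echoes it. The unsafe renderer places the value into the markup verbatim, the safe one HTML-escapes it first, so the same URL produces a live `<script>` tag in one and inert text in the other. The page, parameter name and helper functions are assumptions made for the example.

```python
import html
from urllib.parse import parse_qs, urlsplit


def render_greeting_unsafe(name):
    """The flaw the slide describes: untrusted input echoed straight into HTML."""
    return f"<p>Hello, {name}!</p>"


def render_greeting_safe(name):
    """Same page with the untrusted value escaped for an HTML text context.
    quote=True also escapes quotes, which matters if the value ever lands
    inside an attribute."""
    return f"<p>Hello, {html.escape(name, quote=True)}!</p>"


def greeting_page_from_url(url, safe=True):
    """Take the 'name' parameter from the request URL and render the page."""
    params = parse_qs(urlsplit(url).query)      # percent-decodes the values
    name = params.get("name", [""])[0]
    renderer = render_greeting_safe if safe else render_greeting_unsafe
    return renderer(name)


def contains_live_script(rendered):
    """Crude detector for the demo: is there an unescaped <script> tag?"""
    return "<script" in rendered.lower()


if __name__ == "__main__":
    # constructed request URL carrying script in the parameter
    url = "http://example.test/hello?name=%3Cscript%3Ealert(1)%3C%2Fscript%3E"
    print(greeting_page_from_url(url, safe=False))
    print(greeting_page_from_url(url, safe=True))
```

Escaping is context-specific: `html.escape` is right for text between tags and for quoted attribute values, but a value placed inside a `<script>` block or a URL needs that context's encoding instead, and a template engine that escapes by default removes the chance of forgetting it.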

SQL Injection

- SQL injection is a security vulnerability that occurs in the database layer of an application.
- The trick is to inject a Structured Query Language (SQL) query or command as input via web pages
- SQL statements are injected into an existing SQL command
- Injection occurs through malformed application input:
  - Text box
  - Query string
  - Manipulated values in HTML

SQL Injection

Example of attack:
SQL query in web application code (built by string concatenation):
SELECT * FROM users WHERE login = '" + userName + "' and password = '" + password + "';
Hacker logs in as: ' or '' = '; --
Resulting query: SELECT * FROM users WHERE login = '' or '' = ''; --'; and password='';
Hacker deletes the users table with: ' or '' = ''; DROP TABLE users; --
Resulting query: SELECT * FROM users WHERE login = '' or '' = ''; DROP TABLE users; --'; and password='';

SQL Injection: The Problem

Expected:
Username: Akhi
Password: p@$$w0rd
SELECT COUNT(*)
FROM Users
WHERE username='Akhi' and password='p@$$w0rd'

The unexpected:
Username: ' OR 1=1 --
Password: (blank)
SELECT COUNT(*)
FROM Users
WHERE username='' OR 1=1 -- and password=''
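The two SQL injection slides above show the concatenated query and what the `' OR 1=1 --` input turns it into. The following is an added example, not code from the original deck, that runs both the concatenated query and its parameterized replacement against a constructed in-memory SQLite table, so the difference is observable: the same input matches every row in the first and no row in the second. The table, its contents and the two helper functions are assumptions made for the example (passwords are stored in clear only to mirror the slide).

```python
import sqlite3


def make_db():
    """Constructed in-memory Users table mirroring the slide's example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO Users VALUES (?, ?)",
                     [("Akhi", "p@$$w0rd"), ("bob", "hunter2")])
    conn.commit()
    return conn


def count_matches_vulnerable(conn, username, password):
    """The slide's query, built by string concatenation: the input becomes
    part of the SQL text, so quotes and '--' in it change the query's logic."""
    sql = ("SELECT COUNT(*) FROM Users WHERE username='" + username +
           "' and password='" + password + "'")
    return conn.execute(sql).fetchone()[0]


def count_matches_parameterized(conn, username, password):
    """Same query with placeholders: the driver passes the values separately
    from the statement, so they are compared as data and never parsed as SQL."""
    sql = "SELECT COUNT(*) FROM Users WHERE username=? and password=?"
    return conn.execute(sql, (username, password)).fetchone()[0]


def login_allowed(conn, username, password, parameterized=True):
    """The application's decision: at least one matching row means 'logged in'."""
    check = count_matches_parameterized if parameterized else count_matches_vulnerable
    return check(conn, username, password) > 0


if __name__ == "__main__":
    db = make_db()
    for user, pw in [("Akhi", "p@$$w0rd"), ("' OR 1=1 --", "")]:
        print(repr(user),
              "vulnerable:", login_allowed(db, user, pw, parameterized=False),
              "parameterized:", login_allowed(db, user, pw))
```

Whether the stacked `; DROP TABLE users` from the previous slide also executes depends on the database driver and the call used; the parameterized form is immune either way, because the input is never interpreted as SQL.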


Thank You
