Professional Documents
Culture Documents
Attacks
Technical Solutions
Acknowledgments
Material is sourced from:
CISA Review Manual 2011, 2010, ISACA. All rights reserved. Used by
permission.
CISM Review Manual 2012, 2011, ISACA. All rights reserved. Used by
permission.
Many other Network Security sources
http://www.csrc.nist.gov/publications/drafts/800-118/draft-sp800-118.pdf
Author: Susan J Lincke, PhD
Univ. of Wisconsin-Parkside
Reviewers/Contributors: Todd Burri, Kahili Cheng
Funded by National Science Foundation (NSF) Course, Curriculum and
Laboratory Improvement (CCLI) grant 0837574: Information Security: Audit,
Case Study, and Service Learning.
Any opinions, findings, and conclusions or recommendations expressed in this
material are those of the author(s) and/or source(s) and do not necessarily
reflect the views of the National Science Foundation.
Objectives
The student should be able to:
Define attacks: script kiddie, social engineering, logic bomb, Trojan horse,
phishing, pharming, war driving, war dialing, man-in-the-middle attack, SQL
injection, virus, worm, rootkit, dictionary attack, brute force attack, DoS,
DDoS, botnet, spoofing, packet replay.
Describe defenses: defense in depth, bastion host, content filter, packet filter,
stateful inspection, circuit-level firewall, application-level firewall,
demilitarized zone, multi-homed firewall, IDS, IPS, NIDS, HIDS, signature-based
IDS, statistical-based IDS, neural network, VPN, network access server
(RADIUS/TACACS), honeypot, honeynet, hash, secret key encryption, public key
encryption, digital signature, PKI, vulnerability assessment.
Identify techniques (what they do): SHA1/SHA2, MD2/MD4/MD5, DES, AES, RSA, ECC.
Describe and define security goals: confidentiality, authenticity, integrity,
non-repudiation.
Classify services and server data into the correct sensitivity class, and name
the roles with access.
Define which services may enter and leave the network.
Draw a network diagram with proper zones and security equipment.
Hacking Networks
Phase 1: Reconnaissance
Physical break-in
Dumpster diving
Google, newsgroups, web sites
Social engineering
Public registration data (WHOIS)
Example WHOIS record for microsoft.com, as shown on the slide (reconnaissance from public registration data):
Registrant:
Microsoft Corporation
One Microsoft Way
Redmond, WA 98052
US
Domain name: MICROSOFT.COM
Administrative Contact:
Administrator, Domain domains@microsoft.com
One Microsoft Way
Redmond, WA 98052
US
+1.4258828080
Technical Contact:
Hostmaster, MSN msnhst@microsoft.com
One Microsoft Way
Redmond, WA 98052 US
+1.4258828080
Registration Service Provider:
DBMS VeriSign, dbms-support@verisign.com
800-579-2848 x4
Please contact DBMS VeriSign for domain updates,
DNS/Nameserver
changes, and general domain support questions.
Registrar of Record: TUCOWS, INC.
Record last updated on 27-Aug-2006.
Record expires on 03-May-2014.
Record created on 02-May-1991.
Domain servers in listed order:
NS3.MSFT.NET 213.199.144.151
NS1.MSFT.NET 207.68.160.190
NS4.MSFT.NET 207.46.66.126
NS2.MSFT.NET 65.54.240.126
NS5.MSFT.NET 65.55.238.126
Hacking Networks
Phase 2: Scanning
War Driving: Can I find a wireless network?
War Dialing: Can I find a modem to connect to?
Network Mapping: What IP addresses exist, and what
ports are open on them?
Vulnerability-Scanning Tools: What versions of software
are implemented on devices?
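The network-mapping and version-detection steps above, as an added worked example that is not part of the original slides: a TCP connect() scan over a port window, followed by a banner grab on the port found. To keep it self-contained and offline it starts its own throwaway listener on a loopback port and scans that; the listener's "SSH-2.0-OpenSSH_7.4" banner is constructed for the demo and is not a claim about any real host.

```python
import socket
import threading

# Constructed banner for the demo listener; a real service would announce its own version string.
DEMO_BANNER = b"SSH-2.0-OpenSSH_7.4\r\n"


def start_listener(host="127.0.0.1"):
    """Start a throwaway TCP service on an ephemeral loopback port.

    It stands in for a live host so the scan below has a known-open port to find.
    Returns the server socket (pass it to stop_listener) and the bound port number.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:          # listener shut down: stop serving
                return
            try:
                conn.sendall(DEMO_BANNER)
            except OSError:          # scanner hung up before reading; that is fine
                pass
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv, port


def stop_listener(srv):
    try:
        srv.shutdown(socket.SHUT_RDWR)   # wakes the blocked accept() on most platforms
    except OSError:
        pass
    srv.close()


def tcp_connect_scan(host, ports, timeout=0.2):
    """Network mapping: a completed TCP handshake means the port is open.

    connect_ex() returns 0 on success and an errno (e.g. ECONNREFUSED) otherwise,
    so closed ports are reported without raising.
    """
    open_ports = []
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            if s.connect_ex((host, port)) == 0:
                open_ports.append(port)
    return open_ports


def grab_banner(host, port, timeout=1.0):
    """Version detection: read whatever the service announces when a client connects."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        return s.recv(256).decode(errors="replace").strip()


def demo():
    """Run the listener, scan a small port window around it, and fingerprint the hit."""
    srv, port = start_listener()
    try:
        found = tcp_connect_scan("127.0.0.1", range(port - 3, port + 4))
        banner = grab_banner("127.0.0.1", port) if port in found else ""
    finally:
        stop_listener(srv)
    return port, found, banner


if __name__ == "__main__":
    port, found, banner = demo()
    print("open ports:", found)
    print("banner on %d: %r" % (port, banner))
```

A full scan of a real host is the same loop over 1 to 65535 with a larger timeout; the banner string is what a vulnerability scanner compares against its list of versions with known flaws.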
Passive Attacks
Eavesdropping: listen to packets from other parties (sniffing)
Traffic Analysis: learn about the network by observing traffic patterns
Footprinting: test to determine what software is installed on a system (network mapping)
Hacking Networks:
Phase 3: Gaining Access
Network Attacks:
Sniffing (eavesdropping)
IP address spoofing
Session hijacking
System Attacks:
Buffer overflow
Password cracking
SQL injection
Web protocol abuse
Denial of service
Trap door
Virus, worm, Trojan horse
Figures (attack scenarios between Joe, Bill and Ann): Denial of Service; Spoofing (Joe, actually Bill); Message Modification; Packet Replay.
Man-in-the-Middle Attack
Figure: hosts 10.1.1.1 and 10.1.1.3 believe they talk directly, but 10.1.1.2 sits between them and relays the Login (steps 1, 2) and Password (steps 3, 4) messages, reading each before passing it on.
SQL Injection
Figure: a login form ("Welcome to My System") with Login and Password fields; whatever is typed there ends up inside the application's SQL query.
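How the login form above becomes an injection point, as an added example that is not from the slides: the vulnerable query pastes the Login and Password fields straight into SQL, the safe version binds them as parameters. The in-memory SQLite table and its two users are constructed for the demo (plaintext passwords only to keep the injection visible; real systems store salted hashes).

```python
import sqlite3


def make_db():
    """Constructed in-memory user table for the demo."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT NOT NULL)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "correct horse"), ("bob", "hunter2")])
    return db


def login_vulnerable(db, username, password):
    """Builds the WHERE clause by string formatting: the attacker's input becomes SQL."""
    sql = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    return db.execute(sql).fetchone()


def login_safe(db, username, password):
    """Parameterised query: input is bound as data and can never change the SQL grammar."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return db.execute(sql, (username, password)).fetchone()


# Two classic payloads typed into the Login / Password fields.
COMMENT_OUT = "alice' --"        # closes the string, then comments away the password check
ALWAYS_TRUE = "' OR '1'='1"      # turns the clause into ... OR '1'='1', true for every row


def demo():
    db = make_db()
    return {
        "vuln_comment": login_vulnerable(db, COMMENT_OUT, "anything"),
        "vuln_tautology": login_vulnerable(db, ALWAYS_TRUE, ALWAYS_TRUE),
        "safe_comment": login_safe(db, COMMENT_OUT, "anything"),
        "safe_tautology": login_safe(db, ALWAYS_TRUE, ALWAYS_TRUE),
        "safe_real": login_safe(db, "alice", "correct horse"),
    }


if __name__ == "__main__":
    for name, row in demo().items():
        print(name, "->", row)
```

With the vulnerable function both payloads log in as alice without a password; with the parameterised function the same strings are simply usernames that do not exist.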
Password Cracking:
Dictionary Attack & Brute Force
Pattern | Calculation | Result (keyspace) | Time to guess (at 2.6x10^18 guesses/month)
Social engineering | manual | 20 | 2 to 5 minutes
American dictionary | word list | 80,000 | < 1 second
4 chars: lower case alpha | 26^4 | 5x10^5 |
8 chars: lower case alpha | 26^8 | 2x10^11 |
8 chars: alpha (upper and lower case) | 52^8 | 5x10^13 |
8 chars: alphanumeric | 62^8 | 2x10^14 | 3.4 min.
8 chars: alphanumeric + 10 symbols | 72^8 | 7x10^14 | 12 min.
8 chars: all 95 printable characters | 95^8 | 7x10^15 | 2 hours
12 chars: alphanumeric | 62^12 | 3x10^21 | 96 years
12 chars: alphanumeric + 10 symbols | 72^12 | 2x10^22 | 500 years
12 chars: all 95 printable characters | 95^12 | 5x10^23 |
16 chars: alphanumeric | 62^16 | 5x10^28 |
Source: Draft NIST SP 800-118
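The two attacks in the table, as an added worked example that is not from the slides or from NIST: a dictionary attack and a brute-force enumeration against an unsalted MD5 hash (what a weak system stores), the same dictionary attack against a salted, iterated PBKDF2 hash (the defence), and the keyspace arithmetic behind the "time to guess" column at the table's 2.6x10^18 guesses/month. The word list, the salt and the small iteration count are constructed for the demo.

```python
import hashlib
import itertools
import string

GUESSES_PER_MONTH = 2.6e18          # the rate the table above assumes
SECONDS_PER_MONTH = 30 * 24 * 3600

# Constructed word list standing in for the "American dictionary" row.
WORDLIST = ["password", "letmein", "dragon", "qwerty", "monkey"]


def time_to_exhaust(alphabet_size, length, rate=GUESSES_PER_MONTH):
    """Keyspace and worst-case brute-force time in seconds for a password class."""
    keyspace = alphabet_size ** length
    return keyspace, keyspace / rate * SECONDS_PER_MONTH


def unsalted_md5(password):
    """What a weak system stores: a fast hash with no salt."""
    return hashlib.md5(password.encode()).hexdigest()


def dictionary_attack(target, wordlist):
    """Dictionary attack: hash each candidate word and compare with the stored hash."""
    for i, word in enumerate(wordlist, 1):
        if unsalted_md5(word) == target:
            return word, i                     # recovered password and number of guesses
    return None, len(wordlist)


def brute_force(target, alphabet, max_len):
    """Brute force: enumerate every string up to max_len over the alphabet."""
    tried = 0
    for n in range(1, max_len + 1):
        for chars in itertools.product(alphabet, repeat=n):
            tried += 1
            candidate = "".join(chars)
            if unsalted_md5(candidate) == target:
                return candidate, tried
    return None, tried


def slow_salted_hash(password, salt, iterations):
    """The defence: a per-user salt (defeats precomputed tables) and an iterated KDF (raises cost)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def dictionary_attack_pbkdf2(target, salt, iterations, wordlist):
    """Same dictionary attack against PBKDF2: every guess now costs `iterations` HMAC calls."""
    work = 0
    for word in wordlist:
        work += iterations
        if slow_salted_hash(word, salt, iterations) == target:
            return word, work
    return None, work


def demo():
    salt = b"constructed-per-user-salt"
    iterations = 2000                      # small for the demo; production uses hundreds of thousands
    _, seconds_alnum8 = time_to_exhaust(62, 8)
    _, seconds_alnum12 = time_to_exhaust(62, 12)
    return {
        "dictionary": dictionary_attack(unsalted_md5("dragon"), WORDLIST),
        "brute": brute_force(unsalted_md5("kite"), string.ascii_lowercase, 4),
        "pbkdf2": dictionary_attack_pbkdf2(slow_salted_hash("dragon", salt, iterations),
                                          salt, iterations, WORDLIST),
        "alnum8_minutes": seconds_alnum8 / 60,
        "alnum12_years": seconds_alnum12 / (365 * 86400),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, "->", value)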
Hacking Networks:
Phase 4: Exploit/Maintain Access
Backdoor: controls the system: runs system commands, logs keystrokes and passwords
Trojan Horse
User-Level Rootkit: replaces system executables, e.g. login, ls, du
Kernel-Level Rootkit: replaces parts of the OS kernel, e.g. process or file control, to hide
Bots: slave forwards/performs commands; spreads, launches DoS attacks
Spyware: collects information: keystroke logger, lists email addresses, collects credit card numbers
Adware: inserts ads, filters search results
Botnets
Figure: attacker -> handler -> bots (zombies) -> victim, with the attacker, handler and zombies spread across countries (China, Hungary, Russia, Bulgaria, United States).
Bots: host illegal movies, music, pornography, criminal web sites; forward spam for financial gain.
Network Security
Network Defense
Encryption
Border Router
Perimeter firewall
Internal firewall
Intrusion Detection System
Policies & Procedures & Audits
Authentication
Access Controls
Bastion Host
Computer fortified against attackers:
Unneeded applications turned off
Operating system patched
Security configuration tightened
Private Network
Filters: the good, the bad & the ugly
Candidate packets for a border filter to admit or reject:
DNS request
Ping request
Illegal source IP address
Email response
FTP request
Microsoft NetBIOS Name Service
Email connect request
Telnet request
Web response
Firewall Configurations
Figure: packet filtering; terminal A's packets pass through the firewall to the host and are judged one at a time.
Stateful Inspection
State retained in firewall memory
Most multi-packet attacks caught
More fields in packet header inspected
Little overhead in firewall: quick
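The filter list above and the stateful inspection just described, as an added worked example that is not from the slides: a first-match packet filter that judges each packet alone (dropping spoofed internal source addresses, inbound ping, NetBIOS and telnet; admitting outbound DNS, FTP and web requests and inbound mail to the mail server), and a stateful wrapper that remembers connections opened from inside so that a web response is admitted only as the reply to a request it saw. The private network range, the mail server address and the TEST-NET addresses are assumptions for the demo.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed addressing for the demo: the private network behind the firewall and its mail server.
PRIVATE_NET = ip_network("10.1.0.0/16")
MAIL_SERVER = ip_address("10.1.0.25")


@dataclass(frozen=True)
class Packet:
    direction: str      # "in" = arriving from the Internet, "out" = leaving the private network
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # TCP connection-opening segment


def stateless_filter(pkt):
    """Packet filter: every packet is judged alone on its header fields; first match wins."""
    src, dst = ip_address(pkt.src), ip_address(pkt.dst)
    inbound = pkt.direction == "in"
    if inbound and src in PRIVATE_NET:
        return "drop: illegal source address (internal IP arriving from outside)"
    if inbound and pkt.proto == "icmp":
        return "drop: ping request"
    if inbound and pkt.dport in (137, 138, 139, 445):
        return "drop: Microsoft NetBIOS/SMB"
    if inbound and pkt.proto == "tcp" and pkt.dport == 23:
        return "drop: telnet request"
    if inbound and pkt.proto == "tcp" and pkt.dport == 25 and dst == MAIL_SERVER:
        return "accept: email connect request to the mail server"
    if not inbound and pkt.proto == "udp" and pkt.dport == 53:
        return "accept: outbound DNS request"
    if not inbound and pkt.proto == "tcp" and pkt.dport in (21, 80, 443):
        return "accept: outbound FTP/web request"
    return "drop: default deny"


class StatefulFirewall:
    """Stateful inspection: remembers connections the inside opened and admits their replies.

    A stateless filter cannot tell a web response (TCP from port 80 to a high port) from an
    attacker's probe of that high port; the connection table can.
    """

    def __init__(self):
        self.table = set()   # (proto, inside_ip, inside_port, outside_ip, outside_port)

    def filter(self, pkt):
        verdict = stateless_filter(pkt)
        if pkt.direction == "out" and verdict.startswith("accept"):
            self.table.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
        elif pkt.direction == "in" and not verdict.startswith("drop: illegal"):
            key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
            if key in self.table and not pkt.syn:
                return "accept: reply to an established outbound connection"
        return verdict


def demo():
    fw = StatefulFirewall()
    web = "198.51.100.10"       # TEST-NET-2 address standing in for a public web server
    attacker = "203.0.113.9"    # TEST-NET-3 address standing in for an outside attacker
    request = Packet("out", "tcp", "10.1.0.7", 51000, web, 80, syn=True)
    response = Packet("in", "tcp", web, 80, "10.1.0.7", 51000)
    probe = Packet("in", "tcp", attacker, 80, "10.1.0.7", 51001, syn=True)
    return {
        "dns_out": stateless_filter(Packet("out", "udp", "10.1.0.7", 40000, "192.0.2.53", 53)),
        "telnet_in": stateless_filter(Packet("in", "tcp", attacker, 4444, "10.1.0.7", 23, syn=True)),
        "spoofed_in": stateless_filter(Packet("in", "tcp", "10.1.0.99", 4444, str(MAIL_SERVER), 25, syn=True)),
        "mail_in": stateless_filter(Packet("in", "tcp", attacker, 4444, str(MAIL_SERVER), 25, syn=True)),
        "response_stateless": stateless_filter(response),
        "request_stateful": fw.filter(request),
        "response_stateful": fw.filter(response),
        "probe_stateful": fw.filter(probe),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print("%-20s %s" % (name, verdict))
```

The stateless filter has to either deny the web response (breaking browsing) or open every high port to inbound traffic; the stateful table admits exactly the reply and still denies the probe.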
Firewall Configurations
Figure: terminal A's session is terminated at the firewall's proxy, which opens its own session B to the host.
Circuit-Level Firewall:
Packet session terminated and recreated via a proxy server
All multi-packet attacks caught
Packet header completely inspected
High overhead in firewall: slow
Application-Level Firewall:
Packet session terminated and recreated via a proxy server
Packet header completely inspected
Most or all of the application data inspected
Highest overhead: slow & low volume
Multi-Homed Firewall: Separate Zones
Figure: Internet -> screening device (router) -> screened host with proxy interface (firewall), with an IDS on each segment:
Demilitarized Zone: External DNS, IDS, Web Server, E-Commerce, VPN Server
Protected Internal Network Zone: IDS, Database/File Servers
Writing Rules (cycle): Policies -> Write Rules -> Audit Failures -> Corrections, which feed back into the policies and rules.
Protected Network
Sensitivity class -> server: Grades -> StudentScholastic; Billing -> StudentBilling; Public -> Web services
Roles: Students, Employees, Public
Web services
The Internet
De-Militarized
Zone
WLAN
Private Network
Router/Firewall
Serviced Applications
Workbook
Application | Sources of Entry | Servers | Required Controls
Grades | University graduates: Registration | Graduate Scholastic |
Grades | Current students: United States | Student Scholastic | Confidentiality, Integrity, Authentication
Billing | Payment: International; Reports: Univ. | Student Scholastic | Confidentiality, Authentication, Integrity, Non-repudiation
DMZ server: PublicFace
Network Diagram
Workbook
Figure: Internet -> Router -> Demilitarized Zone (External DNS, Public Web Server, E-Commerce) -> Firewall -> internal zones, with an IDS and a second firewall between the zones:
Zone 1: Student Labs & Files; Student Scholastic
Zone 2: Faculty Labs & Files; Student Records; Student Billing; Student History/Transcripts
Network IDS (NIDS)
Examines packets for attacks
Can find worms, viruses, org-defined attacks
Warns administrator of attack
IPS: packets are routed through the IPS, so it can drop an attack rather than only warn
Host IDS (HIDS)
Examines actions or resources for attacks
Recognizes unusual or inappropriate behavior
E.g., detects modification or deletion of special files
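The HIDS check just described (baseline the special files, then detect modification or deletion), as an added worked example that is not from the slides: a file integrity monitor that hashes every file under a directory, then reports what a user-level rootkit changed. The mini filesystem (ls, login, passwd, a log) and the rootkit's actions are constructed in a temporary directory for the demo.

```python
import hashlib
import os
import tempfile

# Constructed mini filesystem: a few "special files" a HIDS would watch.
WATCHED = {
    "bin/ls": b"#!/bin/sh\nexec /usr/bin/real-ls \"$@\"\n",
    "bin/login": b"#!/bin/sh\nexec /usr/bin/real-login \"$@\"\n",
    "etc/passwd": b"root:x:0:0:root:/root:/bin/sh\n",
    "var/log/auth.log": b"Mon 03:12 sshd: Accepted password for alice\n",
}


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def write(root, rel, data):
    full = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)


def snapshot(root):
    """Map every file under root (relative POSIX path) to its SHA-256 digest."""
    digests = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            digests[rel] = sha256_file(full)
    return digests


def compare(baseline, current):
    """HIDS check: which watched files were modified, deleted or added since the baseline."""
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "deleted": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }


def demo():
    """Build the constructed filesystem, baseline it, then simulate a user-level rootkit."""
    with tempfile.TemporaryDirectory() as root:
        for rel, data in WATCHED.items():
            write(root, rel, data)
        # The baseline must live where the intruder cannot rewrite it (off-host or signed).
        baseline = snapshot(root)
        # Rootkit: trojaned ls that hides the intruder's files, a planted backdoor, a wiped log.
        write(root, "bin/ls", b"#!/bin/sh\nexec /usr/bin/real-ls \"$@\" | grep -v hidden\n")
        write(root, "bin/.hidden-backdoor", b"\x7fELF constructed backdoor stub")
        os.remove(os.path.join(root, "var", "log", "auth.log"))
        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print("%-9s %s" % (kind + ":", ", ".join(paths) or "-"))
```

A kernel-level rootkit can lie to this check by intercepting the file reads themselves, which is why the baseline comparison is also run from known-good boot media during forensics.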
Signature-Based:
Specific patterns are recognized as attacks
(figure: traffic labelled NastyVirus, BlastWorm or Normal by matching known signatures)
Statistical-Based:
The expected behavior of the system is understood
If variations occur, they may be attacks (or maybe not)
(figure: bar chart of traffic volume, 0 to 90, for Sales, Personnel and Factory on Mon. through Thurs.)
Neural Networks:
Statistical-based with self-learning (or artificial intelligence)
Recognizes patterns
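The two detection styles above side by side, as an added worked example that is not from the slides: a signature scan that matches packet payloads against known byte patterns, and a statistical scan that compares today's per-department traffic with each department's own Mon. to Thurs. baseline. The signature names come from the slide but the byte patterns, packets and traffic counts are constructed for the demo.

```python
import statistics

# Constructed signatures: names from the slide, byte patterns made up for the demo.
SIGNATURES = {
    "NastyVirus": b"NASTY_PAYLOAD_v1",
    "BlastWorm": b"\x90\x90\x90\x90/bin/sh",
}

# Constructed packets: (source address, payload bytes).
PACKETS = [
    ("10.1.1.5", b"GET /index.html HTTP/1.1\r\nHost: www\r\n"),
    ("203.0.113.7", b"A" * 64 + b"\x90\x90\x90\x90/bin/sh"),
    ("198.51.100.3", b"MAIL FROM:<x@y> ... NASTY_PAYLOAD_v1 ..."),
]

# Constructed baseline: traffic volume per department on Mon. to Thurs., then today's volume.
HISTORY = {"Sales": [60, 62, 58, 61], "Personnel": [30, 28, 31, 29], "Factory": [80, 82, 79, 81]}
TODAY = {"Sales": 61, "Personnel": 90, "Factory": 80}


def signature_scan(packets, signatures=SIGNATURES):
    """Signature-based NIDS: alert on any payload containing a known attack pattern.

    Precise (the alert names the attack) but blind to anything not yet in the list.
    """
    alerts = []
    for src, payload in packets:
        for name, pattern in signatures.items():
            if pattern in payload:
                alerts.append((src, name))
    return alerts


def anomaly_scan(history, today, threshold=3.0):
    """Statistical-based NIDS: alert when a department departs from its own expected behavior.

    Reports the z-score of today's volume against the baseline mean and standard deviation.
    A floor on the standard deviation stops a very steady baseline from alerting on trivia;
    even so, an alert only says "unusual", not "attack" (the slide's "or maybe not").
    """
    alerts = {}
    for dept, past in history.items():
        mean = statistics.fmean(past)
        sd = max(statistics.pstdev(past), 0.05 * mean)
        z = (today[dept] - mean) / sd
        if abs(z) > threshold:
            alerts[dept] = round(z, 1)
    return alerts


if __name__ == "__main__":
    print("signature alerts:", signature_scan(PACKETS))
    print("statistical alerts:", anomaly_scan(HISTORY, TODAY))
```

The signature scan names the worm and the virus but says nothing about Personnel tripling its traffic; the statistical scan flags Personnel but cannot say why, and would flag an equally large legitimate change just as loudly.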
Honeypot
Figure: a honeypot placed in the DMZ behind the firewall, next to the External DNS, IDS, Web Server, E-Commerce and VPN Server, with an outside party (Bill) reaching it.
Data Privacy
Confidentiality: unauthorized parties cannot access information (-> secret key encryption)
Authenticity: ensuring that the actual sender is the claimed sender (-> public key encryption)
Integrity: ensuring that the message was not modified in transmission (-> hashing)
Non-repudiation: ensuring that the sender cannot deny sending a message at a later time (-> digital signature)
Figures (scenarios between Joe, Bill and Ann): Confidentiality; Authenticity (Joe, actually Bill); Integrity; Non-Repudiation.
Secret Key Encryption: plaintext -> Encrypt with Ksecret -> ciphertext -> Decrypt with Ksecret -> plaintext
P = D(Ksecret, E(Ksecret, P))
Public Key Encryption (e.g., RSA): Joe encrypts with the key owner's Kpublic; only the key owner, holding Kprivate, can decrypt.
Authentication, Non-repudiation (Digital Signature): the key owner encrypts the message (or its digest) with Kprivate; anyone can decrypt with Kpublic and so confirm the key owner produced it.
P = D(Kpub, E(Kpriv, P))
NIST recommended RSA 1024-bit keys; from 2011, RSA 2048-bit keys.
Figure: a VPN concentrator at the border between The Internet and the private network.
One Way Hash (figures):
Integrity check: the sender transmits the Message together with H = hash(Message); the receiver recomputes H from the received Message and compares.
Keyed hash: H is computed over the Message with a shared key K, so only a holder of K can produce a matching H.
Signed hash: H is encrypted with the sender's private key and decrypted (D) with the public key before the compare.
Digital Signature
Electronic signature using a public key algorithm
Verifies integrity of data
Verifies identity of sender: non-repudiation
The Message is sent with its message digest encrypted under K(sender's private)
Digital Certificate (figure): User: Sue, Public Key: 2456
2. Registration Authority (RA) verifies owners
3. Certificate Authority (CA) sends approved digital certificates
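The secret/public key identities P = D(Ksecret, E(Ksecret, P)) and P = D(Kpub, E(Kpriv, P)), the one-way hash, the keyed hash and the digital signature above, as one added worked example that is not from the slides: SHA-256 as the hash, HMAC as the keyed hash, and a textbook RSA (no padding) for encryption with Kpublic and signing with Kprivate. The prime generation and key sizes are a teaching toy and assumptions of this demo, not a vetted key generator; the message and shared key K are constructed.

```python
import hashlib
import hmac
import math
import random


def is_probable_prime(n, rounds=25):
    """Miller-Rabin test; enough for a demo key, not a vetted key generator."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits):
    while True:
        cand = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def rsa_keygen(bits=512):
    """Textbook RSA: n = p*q, public e, private d = e^-1 mod (p-1)(q-1). Returns (Kpub, Kpriv)."""
    e = 65537
    while True:
        p, q = gen_prime(bits // 2), gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return (p * q, e), (p * q, pow(e, -1, phi))


def rsa_encrypt(pub, m):
    """Encrypt with Kpublic (m must be smaller than n; real RSA pads it first)."""
    n, e = pub
    return pow(m, e, n)


def rsa_decrypt(priv, c):
    """Decrypt with Kprivate: P = D(Kpriv, E(Kpub, P))."""
    n, d = priv
    return pow(c, d, n)


def one_way_hash(msg):
    """SHA-256 digest as an integer, so it can be signed directly."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big")


def sign(priv, msg):
    """Digital signature: hash the message, then 'encrypt' the digest with Kprivate."""
    n, d = priv
    return pow(one_way_hash(msg), d, n)


def verify(pub, msg, sig):
    """'Decrypt' with Kpublic and compare with a fresh hash: P = D(Kpub, E(Kpriv, P))."""
    n, e = pub
    return pow(sig, e, n) == one_way_hash(msg)


def keyed_hash(key, msg):
    """Keyed hash (HMAC): integrity and authenticity for parties sharing K, but no non-repudiation,
    because either party could have produced the tag."""
    return hmac.new(key, msg, hashlib.sha256).digest()


def demo():
    random.seed(7)                 # reproducible demo key; never seed real key generation this way
    pub, priv = rsa_keygen(512)
    msg = b"Transfer $100 to Bill"
    forged = b"Transfer $900 to Bill"
    c = rsa_encrypt(pub, int.from_bytes(msg, "big"))
    sig = sign(priv, msg)
    k = b"shared-secret-K"
    tag = keyed_hash(k, msg)
    return {
        "decrypts": rsa_decrypt(priv, c).to_bytes(len(msg), "big") == msg,
        "sig_valid": verify(pub, msg, sig),
        "sig_tampered": verify(pub, forged, sig),
        "mac_valid": hmac.compare_digest(keyed_hash(k, msg), tag),
        "mac_tampered": hmac.compare_digest(keyed_hash(k, forged), tag),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print("%-13s %s" % (name, ok))
```

Changing one digit of the message invalidates both the signature and the MAC; the difference is that only the holder of Kprivate could have produced the signature, which is what gives non-repudiation, while anyone holding K could have produced the MAC.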
Vulnerability Assessment
Penetration testing
Serviced Applications
Workbook
Application | Sources of Entry | Servers
Grades | Current Students: United States | Student Scholastic
Billing | Payment: International; Reports: Univ. |
Required controls and the tools that provide them: Confidentiality: Encryption, HTTPS; Authentication: VPN/IPsec; Integrity: Hashing, IDS; Non-repudiation: Digital Signature
Question
A map of the network that shows where service requests enter and are processed:
1. Is called the Path of Physical Access
2. Is primarily used in developing security policies
3. Can be used to determine whether sufficient Defense in Depth is implemented
4. Helps to determine where antivirus software should be installed
Case study roles:
Jamie Ramon, MD: Doctor
Chris Ramon, RD: Dietician
Terry: Licensed Practicing Nurse
Pat: Software Consultant
Workbook templates:
Service Name | Privileged | Contracts | Sensitivity Class. | Roles with Access
Public Web Pages | | | |
Service | Source (e.g., home, world, local computer) | Destination (local server, home, world, etc.)
Service | Server | Required Controls (Conf., Integrity, Auth., Non-repud., with tools: e.g., Encryption/VPN)