INFORMATION SECURITY MANAGEMENT LECTURE 9 PROTECTION MECHANISMS You

INFORMATION SECURITY MANAGEMENT LECTURE 9: PROTECTION MECHANISMS You got to be careful if you don’t know where you’re going, because you might not get there. – Yogi Berra

Hacking Networks Phase 1: Reconnaissance n Physical Break-In n Dumpster Diving n Google, Newsgroups, Web sites n Social Engineering n n Phishing: fake email Pharming: fake web pages n Who. Is Database n Domain Name Server Interrogations Registrant: Microsoft Corporation One Microsoft Way Redmond, WA 98052 US Domain name: MICROSOFT. COM Administrative Contact: Administrator, Domain domains@microsoft. com One Microsoft Way Redmond, WA 98052 US +1. 4258828080 Technical Contact: Hostmaster, MSN msnhst@microsoft. com One Microsoft Way Redmond, WA 98052 US +1. 4258828080 Registration Service Provider: DBMS Veri. Sign, dbms-support@verisign. com 800 -579 -2848 x 4 Please contact DBMS Veri. Sign for domain updates, DNS/Nameserver changes, and general domain support questions. Registrar of Record: TUCOWS, INC. Record last updated on 27 -Aug-2006. Record expires on 03 -May-2014. Record created on 02 -May-1991. Domain servers in listed order: NS 3. MSFT. NET 213. 199. 144. 151 NS 1. MSFT. NET 207. 68. 160. 190 NS 4. MSFT. NET 207. 46. 66. 126 NS 2. MSFT. NET 65. 54. 240. 126 NS 5. MSFT. NET 65. 55. 238. 126

Hacking Networks Phase 2: Scanning War Driving: Can I find a wireless network? War Dialing: Can I find a modem to connect to? Network Mapping: What IP addresses exist, and what ports are open on them? Vulnerability-Scanning Tools: What versions of software implemented on devices?

Passive Attacks Eavesdropping: Listen to packets from other parties = Sniffing Traffic Analysis: Learn about network from observing traffic patterns Footprinting: Test to determine software installed on system = Network Mapping

Hacking Networks: Phase 3: Gaining Access Network Attacks: n Sniffing (Eavesdropping) n IP Address Spoofing n Session Hijacking System Attacks: n Buffer Overflow n Password Cracking n SQL Injection n Web Protocol Abuse n Denial of Service n Trap Door n Virus, Worm, Trojan horse,

Some Active Attacks Denial of Service: Message did not make it; or service could not run Masquerading or Spoofing: The actual sender is not the claimed sender Message Modification: The message was modified in transmission Packet Replay: A past packet is transmitted again in order to gain access or otherwise cause damage

Man-in-the-Middle Attack 10. 1. 1. 1 10. 1. 1. 3 (2) Login (1) Login (4) Password (3) Password 10. 1. 1. 2

Hacking Networks: Phase 4: Exploit/Maintain Access Control system: system commands, log keystrokes, pswd Backdoor Trojan Horse Useful utility actually creates a backdoor. Replaces system User-Level Rootkit executables: e. g. Login, ls, du Bots Slave forwards/performs commands; spreads, list email addrs, DOS attacks Spyware/Adware Spyware: Collect info: keystroke logger, collect credit card #s, Ad. Ware: insert ads, filter search results Replaces OS kernel: Kernel-Level e. g. process or file Rootkit control to hide

Botnets: Bots Attacker China Handler Hungary Bots: Host illegal movies, music, pornography, criminal web sites, … Forward Spam for financial gain Zombies

Distributed Denial of Service Zombies Attacker Russia Handler Victim Bulgaria United States Can barrage a victim server with requests, causing the network to fail to respond to anyone Zombies

Introduction • Threats -> Vulnerabilities -> Risk ->Controls • Technical controls – Must be combined with sound policy and education, training, and awareness efforts • Examples of technical security mechanisms

Sphere of Protection Management of Information Security, 3 rd ed. Source: Course Technology/Cengage Learning

Access Controls • The four processes of access control – Identification – Authentication – Authorization – Accountability • A successful access control approach always incorporates all four of these elements

Access Controls – Password Strength Table 10 -1 Password power Source: Course Technology/Cengage Learning

Acceptability of Biometrics • Note: Iris Scanning has experienced rapid growth in popularity and due to it’s acceptability, low cost, and effective security Google Offers New Alternative for Biometrics

Firewalls • Any device that prevents a specific type of information from moving between two networks Types: • • • Packet Filtering Application Level Stateful Inspection Firewalls

The Development of Firewalls • Packet filtering firewalls – Simple networking devices that filter packets by examining every incoming and outgoing packet header

The Development of Firewalls • Packet filtering firewalls

The Development of Firewalls • Application-level firewalls – Consists of dedicated computers kept separate from the first filtering router (edge router) – Commonly used in conjunction with a second or internal filtering router - or proxy server – Implemented for specific protocols

The Development of Firewalls • Application-level firewalls

The Development of Firewalls • Stateful inspection firewalls – Keeps track of each network connection established between internal and external systems using a state table – Can restrict incoming packets by allowing access only to packets that constitute responses to requests from internal hosts

Firewall Configurations terminal host firewall A A A Router Packet Filtering: Packet header is inspected Single packet attacks caught Very little overhead in firewall: very quick High volume filter Stateful Inspection State retained in firewall memory Most multi-packet attacks caught More fields in packet header inspected Little overhead in firewall: quick

Firewall Configurations terminal host firewall A B Application-Level Firewall Packet session terminated and recreated via a Proxy Server Packet header completely inspected Most or all of application inspected Highest overhead: slow & low volume

Firewall Architectures • Each firewall generation can be implemented in several architectural configurations • Common architectural implementations – Packet filtering routers – Screened-host firewalls – Dual-homed host firewalls – Screened-subnet firewalls

Firewall Architectures: Packet filtering routers Most organizations with an Internet connection use some form of router between their internal networks and the external service provider

Firewall Architectures: Screened-host firewall systems • Combine the packet filtering router with a separate, dedicated firewall such as an application proxy server

Firewall Architectures: Dual-Homed host firewalls • The bastion host contains two network interfaces 1. One is connected to the external network 2. One is connected to the internal network

Selecting the Right Firewall • Firewall Technology • Cost • Maintenance • Future Growth

Managing Firewalls • Any firewall device must have its own configuration • Firewall Rules • Policy regarding firewall use

Managing Firewalls (cont’d. ) • Firewall best practices – All traffic from the trusted network allowed out – The firewall is never accessible directly from the public network – Email Policies

Intrusion Detection and Prevention Systems (IDPS) • The term intrusion detection/prevention system (IDPS) can be used to describe current anti-intrusion technologies • Like firewall systems, IDPSs require complex configurations to provide the level of detection and response desired

Intrusion Detection and Prevention Systems (cont’d. ) n IDPS technologies can respond to a detected threat by attempting to prevent it from succeeding n Different Response Techniques n IDS vs. IPS n Network or Host Based Protection

IDPS – Host vs. Network http: //www. windowsecurity. com/articles-tutorials/intrusion_detection/Hids_vs_Nids_Part 1. html

Intrusion Detection Systems (IDS) Intrusion Prevention Systems (IPS) Router IDS Firewall Network IDS=NIDS n Examines packets for attacks n Can find worms, viruses, orgdefined attacks n Warns administrator of attack n IPS=Packets are routed through IPS Host IDS=HIDS n Examines actions or resources for attacks n Recognize unusual or inappropriate behavior n E. g. , Detect modification or deletion of special files

Signature-Based IDPS • Examines data traffic for something that matches the preconfigured, predetermined attack pattern signatures • Weakness: slow and methodical attacks may slip undetected through the IDPS, as their actions may not match a signature that includes factors based on duration of the events

Statistical Anomaly-Based IDPS • First collects data from normal traffic and establishes a baseline – Then periodically samples network activity, based on statistical methods, and compares the samples to the baseline • Advantage: Able to detect new types of attacks, because it looks for abnormal activity of any type

Managing Intrusion Detection and Prevention Systems • IDPSs must be configured to differentiate between routine circumstances and low, moderate, or severe threats • A properly configured IDPS can translate a security alert into different types of notifications • Most IDPSs monitor systems using agents • Consolidated enterprise manager

Honeypot & Honeynet Honeypot: A system with a special software application which appears easy to break into Honeynet: A network which appears easy to break into n n Purpose: Catch attackers All traffic going to honeypot/net is suspicious If successfully penetrated, can launch further attacks Must be carefully monitored Firewall Honey Pot External DNS IDS Web Server E-Commerce VPN Server

Remote Access Protection • Network connectivity using external connections – Usually much simpler and less sophisticated than Internet connections – Simple user name and password schemes are usually the only means of authentication

RADIUS and TACACS • Systems that authenticate the credentials of dial- up access users • Typical dial-up systems place the authentication of users on the system connected to the modems • Options: • • Remote Authentication Dial-In User Service (RADIUS) Terminal Access Controller Access Control(TACACS)

Authentication Protocols n RADIUS n Over-the-wire protocol from client to AAA (authentication, authorization, accounting) server n TACACS n Between access point or gateway and an AAA server n Replaced by TACACS+ and RADIUS

RADIUS and TACACS (cont’d. ) Source: Course Technology/Cengage Learning

Managing Connections • Organizations that continue to offer remote access must: – – Determine how many connections the organization has Control access to authorized modem numbers Use call-back whenever possible Use token-based authentication if at all possible

Wireless Networking Protection • Use IEEE 802. 11 protocol • War driving – Moving through a geographic area or building, actively scanning for open or unsecured WAPs • Common encryption protocols used to secure wireless networks – – Wired Equivalent Privacy (WEP) Wi-Fi Protected Access (WPA)

Wired Equivalent Privacy (WEP) • Provides a basic level of security to prevent unauthorized access or eavesdropping • Fundamental Cryptological Flaws – Resulting in vulnerabilities that can be exploited, which led to replacement by WPA

Wi-Fi Protected Access (WPA) • WPA is an industry standard • IEEE 802. 11 i – Has been implemented in products such as WPA 2 n – WPA 2 has newer, more robust security protocols based on the Advanced Encryption Standard WPA /WPA 2 provide increased capabilities for authentication, encryption, and throughput

Managing Wireless Connections • Regulate the wireless network footprint • Select WPA or WPA 2 over WEP • Protect preshared keys

Wi-Fi security SSID should be a non-default value n SSID broadcast should be disabled n MAC access control n Authentication n Require ID and password, may use a RADIUS server Encryption n WEP (Wired Equivalent Privacy) WPA (Wireless Protected Access) WPA 2 (superset of WPA, full standard

PSK v. RADIUS n WPA and WPA-2 operate in two modes n Pre-Shared Key (PSK) n Users must enter the key on each device n RADIUS server n Used with 802. 1 x authentication n Each user has an individual key n More secure, recommended for enterprises

Scanning and Analysis Tools • Used to find vulnerabilities in systems • Security administrators may use attacker’s tools to examine their own defenses and search out areas of vulnerability • • • Scanning tools Footprinting Fingerprinting

Port Scanners • Port scanning utilities (port scanners)

Vulnerability Scanners • Capable of scanning networks for very detailed information • Identify exposed user names and groups, show open network shares, and expose configuration problems and other server vulnerabilities http: //www. tenable. com/products/nessus

Packet Sniffers • A network tool that collects and analyzes packets on a network • Connects directly to a local network from an internal location http: //www. wireshark. org/

Content Filters • A software program or a hardware/software appliance that allows administrators to restrict content that comes into a network • Common application of a content filter – Restriction of access to Web sites with nonbusiness-related material, such as pornography, or restriction of spam e-mail Examples of Content Filters

Trap and Trace • Trap – Describes software designed to entice individuals who are illegally perusing the internal areas of a network • Trace – A process by which the organization attempts to determine the identity of someone discovered in unauthorized areas of the network or systems

Managing Scanning and Analysis Tools • The security manager must be able to see the organization’s systems and networks from the viewpoint of potential attackers

Managing Scanning and Analysis Tools (cont’d. ) • Drawbacks: – Tools do not have human-level capabilities – Most tools function by pattern recognition, so they only handle known issues – Most tools are computer-based, so they are prone to errors, flaws, and vulnerabilities of their own – Tools are designed, configured, and operated by humans and are subject to human errors

Managing Scanning and Analysis Tools (cont’d. ) • Drawbacks: (cont’d. ) – Some governments, agencies, institutions, and universities have established policies or laws that protect the individual user’s right to access content – Tool usage and configuration must comply with an explicitly articulated policy, and the policy must provide for valid exceptions