Network Security Attacks Technical Solutions Acknowledgments Material is

Network Security Attacks Technical Solutions

Acknowledgments Material is sourced from: n CISA® Review Manual 2011, © 2010, ISACA. All rights reserved. Used by permission. n CISM® Review Manual 2012, © 2011, ISACA. All rights reserved. Used by permission. n Many other Network Security sources n http: //www. csrc. nist. gov/publications/drafts/800 -118/draft-sp 800 -118. pdf Author: Susan J Lincke, Ph. D Univ. of Wisconsin-Parkside Reviewers/Contributors: Todd Burri, Kahili Cheng Funded by National Science Foundation (NSF) Course, Curriculum and Laboratory Improvement (CCLI) grant 0837574: Information Security: Audit, Case Study, and Service Learning. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and/or source(s) and do not necessarily reflect the views of the National Science Foundation.

Objectives The student should be able to: n Define attacks: script kiddy, social engineering, logic bomb, Trojan horse, phishing, pharming, war driving, war dialing, man-in-the-middle attack, SQL injection, virus, worm, root kit, dictionary attack, brute force attack, DOS, DDOS, botnet, spoofing, packet reply. n Describe defenses: defense in depth, bastion host, content filter, packet filter, stateful inspection, circuit-level firewall, application-level firewall, demilitarized zone, multi-homed firewall, IDS, IPS, NIDS, HIDS, signature-based IDS, statistical-based IDS, neural network, VPN, network access server (RADIUS/TACACS), honeypot, honeynet, hash, secret key encryption, public key encryption, digital signature, PKI, vulnerability assessment n Identify techniques (what they do): SHA 1/SHA 2, MD 2/MD 4/MD 5, DES, AES, RSA, ECC. n Describe and define security goals: confidentiality, authenticity, integrity, nonrepudiation n Define service’s & server’s data in the correct sensitivity class and roles with access n Define services that can enter and leave a network n Draw network Diagram with proper zones and security equipment

The Problem of Network Security The Internet allows an attacker to attack from anywhere in the world from their home desk. They just need to find one vulnerability: a security analyst need to close every vulnerability.

Hacking Networks Phase 1: Reconnaissance n n Physical Break-In Dumpster Diving Google, Newsgroups, Web sites Social Engineering ¨ ¨ n n Phishing: fake email Pharming: fake web pages Who. Is Database & arin. net Domain Name Server Interrogations Registrant: Microsoft Corporation One Microsoft Way Redmond, WA 98052 US Domain name: MICROSOFT. COM Administrative Contact: Administrator, Domain domains@microsoft. com One Microsoft Way Redmond, WA 98052 US +1. 4258828080 Technical Contact: Hostmaster, MSN msnhst@microsoft. com One Microsoft Way Redmond, WA 98052 US +1. 4258828080 Registration Service Provider: DBMS Veri. Sign, dbms-support@verisign. com 800 -579 -2848 x 4 Please contact DBMS Veri. Sign for domain updates, DNS/Nameserver changes, and general domain support questions. Registrar of Record: TUCOWS, INC. Record last updated on 27 -Aug-2006. Record expires on 03 -May-2014. Record created on 02 -May-1991. Domain servers in listed order: NS 3. MSFT. NET 213. 199. 144. 151 NS 1. MSFT. NET 207. 68. 160. 190 NS 4. MSFT. NET 207. 46. 66. 126 NS 2. MSFT. NET 65. 54. 240. 126 NS 5. MSFT. NET 65. 55. 238. 126

Hacking Networks Phase 2: Scanning War Driving: Can I find a wireless network? War Dialing: Can I find a modem to connect to? Network Mapping: What IP addresses exist, and what ports are open on them? Vulnerability-Scanning Tools: What versions of software implemented on devices?

Passive Attacks Eavesdropping: Listen to packets from other parties = Sniffing Traffic Analysis: Learn about network from observing traffic patterns Footprinting: Test to determine software installed on system = Network Mapping Jennie Carl Pa B C Bob t e ck A

Hacking Networks: Phase 3: Gaining Access n n n Network Attacks: Sniffing (Eavesdropping) IP Address Spoofing Session Hijacking n n n n Login: Ginger Password: Snap System Attacks: Buffer Overflow Password Cracking SQL Injection Web Protocol Abuse Denial of Service Trap Door Virus, Worm, Trojan horse,

Some Active Attacks Denial of Service: Message did not make it; or service could not run Masquerading or Spoofing: The actual sender is not the claimed sender Message Modification: The message was modified in transmission Packet Replay: A past packet is transmitted again in order to gain access or otherwise cause damage Bill Denial of Service Joe Bill Spoofing Joe (Actually Bill) Ann Message Modification Joe Bill Ann Packet Replay Joe Bill Ann

Man-in-the-Middle Attack 10. 1. 1. 1 10. 1. 1. 3 (2) Login (1) Login (4) Password (3) Password 10. 1. 1. 2

SQL Injection n n n Java Original: “SELECT * FROM users_table WHERE username=” + “’” + username + “’” + “ AND password = “ + “’” + password + “’”; Inserted Password: Aa’ OR ‘’=’ Java Result: “SELECT * FROM users_table WHERE username=’anyname’ AND password = ‘Aa’ OR ‘ ‘ = ‘ ‘; Inserted Password: foo’; DELETE FROM users_table WHERE username LIKE ‘% Java Result: “SELECT * FROM users_table WHERE username=’anyname’ AND password = ‘foo’; DELETE FROM users_table WHERE username LIKE ‘%’ Inserted entry: ‘|shell(“cmd /c echo “ & char(124) & “format c: ”)|’ Welcome to My System Login: Password:

Password Cracking: Dictionary Attack & Brute Force Pattern Calculation Result Time to Guess (2. 6 x 1018/month) Personal Info: interests, relatives 20 Manual 5 minutes Social Engineering 1 Manual 2 minutes 80, 000 < 1 second American Dictionary 4 chars: lower case alpha 264 5 x 105 8 chars: lower case alpha 268 2 x 1011 8 chars: alpha 528 5 x 1013 8 chars: alphanumeric 628 2 x 1014 3. 4 min. 8 chars alphanumeric +10 728 7 x 1014 12 min. 8 chars: all keyboard 958 7 x 1015 2 hours 12 chars: alphanumeric 6212 3 x 1021 96 years 12 chars: alphanumeric + 10 7212 2 x 1022 500 years 12 chars: all keyboard 9512 5 x 1023 16 chars: alphanumeric 62 NIST SP 800 -118 Draft 16 5 x 1028

Hacking Networks: Phase 4: Exploit/Maintain Access Control system: system commands, log keystrokes, pswd Backdoor Trojan Horse Useful utility actually creates a backdoor. Replaces system User-Level Rootkit executables: e. g. Login, ls, du Bots Spyware/Adware Replaces OS kernel: Kernel-Level Rootkit e. g. process or file Slave forwards/performs Spyware: Collect info: control to hide commands; spreads, keystroke logger, list email addrs, DOS collect credit card #s, attacks Ad. Ware: insert ads, filter search results

Botnets: Bots Attacker China Handler Hungary Bots: Host illegal movies, music, pornography, criminal web sites, … Forward Spam for financial gain Zombies

Distributed Denial of Service Zombies Attacker Handler Victim Russia Bulgaria United States Can barrage a victim server with requests, causing the network to fail to respond to anyone Zombies

Question An attack where multiple computers send connection packets to a server simultaneously to slow the firewall is known as: 1. Spoofing 2. DDOS 3. Worm 4. Rootkit

Question A man in the middle attack is implementing which additional type of attack: 1. Spoofing 2. Do. S 3. Phishing 4. Pharming

Network Security Network Defense Encryption

Security: Defense in Depth Border Router Perimeter firewall Internal firewall Intrusion Detection System Policies & Procedures & Audits Authentication Access Controls

Bastion Host Computer fortified against attackers n Applications turned off n Operating system patched n Security configuration tightened

Attacking the Network What ways do you see of getting in? Border Router/Firewall The Internet De-Militarized Zone Commercial Network WLAN Private Network

Filters The good, the bad & the ugly… Filter The Good The bad & the ugly Route Filter: Verifies sources and destination of IP addresses Packet Filter: Scans headers of packets and discards if ruleset failed (e. g. , Firewall or router) Content Filter: Scans contents of packets and discards if ruleset failed (e. g. , Intrusion Prevention System or firewall)

Packet Filter Firewall Web Response Illegal Dest IP Address Web Request Email Response SSH Connect Request DNS Request Ping Request Illegal Source IP Address Email Response FTP request Microsoft Net. BIOS Name Service Email Connect Request Telnet Request Web Response

Firewall Configurations terminal host firewall A A A Router Packet Filtering: Packet header is inspected Single packet attacks caught Very little overhead in firewall: very quick High volume filter Stateful Inspection State retained in firewall memory Most multi-packet attacks caught More fields in packet header inspected Little overhead in firewall: quick

Firewall Configurations terminal host firewall A B A B Circuit-Level Firewall: Packet session terminated and recreated via a Proxy Server All multi-packet attacks caught Packet header completely inspected High overhead in firewall: slow Application-Level Firewall Packet session terminated and recreated via a Proxy Server Packet header completely inspected Most or all of application inspected Highest overhead: slow & low volume

Multi-Homed Firewall: Separate Zones Internet Screening Device Screened Host With Proxy Interface Router IDS Firewall Demilitarized Zone External DNS IDS Web Server E-Commerce VPN Server Protected Internal Network Zone IDS Database/File Servers The router serves as a screen for the Firewall, preventing Denial of Service attacks to the Firewall.

Writing Rules Policies Corrections Network Filter Capabilities Write Rules Audit Failures Protected Network

Services and Servers Workbook Service Sensitivity Roles Server Grades Confidential For Graduates: Transcripts For Current Students: Advising, Students, Faculty Student. Scholastic Billing Confidential, For Current Students: Registration, Accounting, Advising Payment: Students Student. Billing Students, Employees, Public Web services Web Pages Public

Path of Logical Access How would access control be improved? Border Router/ Firewall The Internet De-Militarized Zone WLAN Private Network Router/Firewall

Protecting the Network Border Router: Packet Filter The Internet De-Militarized Zone Bastion Hosts WLAN Private Network Proxy server firewall

Serviced Applications Workbook Applicatio Sources of ns Entry Grades University Graduates Registration Servers Graduate Scholastic Required Controls (e. g. , Encryption) Confidentiality, Integrity, Authentication Grades – Current Students United States Student Scholastic Confidentiality, Integrity, Authentication Billing Payment: International Reports: Univ. Student Scholastic Confidentiality, Authentication, Integrity, Non-repudiation Web Pages International DMZ: Public. Face

Network Diagram Workbook Internet Router Demilitarized Zone External DNS Email Firewall Public Web Server E-Commerce Zone 3: Student Data Zone 1: Student Labs & Files Student Scholastic Zone 2: Faculty Labs & Files Student Records Student Billing Student History Transcripts

Intrusion Detection Systems (IDS) Intrusion Prevention Systems (IPS) Router IDS Firewall Network IDS=NIDS n Examines packets for attacks n Can find worms, viruses, orgdefined attacks n Warns administrator of attack n IPS=Packets are routed through IPS Host IDS=HIDS n Examines actions or resources for attacks n Recognize unusual or inappropriate behavior n E. g. , Detect modification or deletion of special files

Nasty. Virus IDS Intelligence Systems NIDS: ALARM!!! Attacks: Nasty. Virus Normal Blast. Worm Signature-Based: n Specific patterns are recognized as attacks Statistical-Based: n The expected behavior of the system is understood n If variations occur, they may be attacks (or maybe not) Neural Networks: n Statistical-Based with self-learning (or artificial intelligence) n Recognizes patterns

Honeypot & Honeynet Honeypot: A system with a special software application which appears easy to break into Honeynet: A network which appears easy to break into n Purpose: Catch attackers n All traffic going to honeypot/net is suspicious n If successfully penetrated, can launch further attacks n Must be carefully monitored Firewall Honey Pot External DNS IDS Web Server E-Commerce VPN Server

Data Privacy n n Confidentiality: Unauthorized parties cannot access information (->Secret Key Encryption Authenticity: Ensuring that the actual sender is the claimed sender. (->Public Key Encryption) Integrity: Ensuring that the message was not modified in transmission. (->Hashing) Nonrepudiation: Ensuring that sender cannot deny sending a message at a later time. (>Digital Signature) Bill Confidentiality Joe Bill Authenticity Joe (Actually Bill) Ann Integrity Joe Bill Ann Non-Repudiation Joe Ann

Encryption – Secret Key Examples: DES, AES plaintext Encrypt Ksecret ciphertext Decrypt Ksecret P = D(Ksecret, E(Ksecret, P)) NIST Recommended: 3 DES w. CBC AES 128 Bit plaintext

Public Key Encryption Examples: RSA, ECC, Quantum P = D(k. PRIV, E(k. PUB, P)) Joe Encrypt Kpublic Decrypt Kpublic Encryption (e. g. , RCS) Message, private key Authentication, Non-repudiation Digital Signature Decrypt Kprivate Encrypt Kprivate P = D(k. PUB, E(k. PRIV, P)) Key owner NIST Recommended: RSA 1024 bit 2011: RSA 2048 bit

Remote Access Security Firewall The Internet VPN Concentrator Virtual Private Network (VPN) often implemented with IPSec n n n Can authenticate and encrypt data through Internet (red line) Easy to use and inexpensive Difficult to troubleshoot, less reliable than dedicated lines Susceptible to malicious software and unauthorized actions Often router or firewall is the VPN endpoint

Secure Hash Functions Examples: SHA 1, SHA 2, MD 4, MD 5 Ensures the message was not modified during transmission Message H H Compare K H H Message Authentication Code Message H E K K H Message H H H One Way Hash K D H Compare H NIST Recommended: SHA-1, SHA-2 2011: SHA-2

Digital Signature n n Electronic Signature Uses public key algorithm Verifies integrity of data Verifies identity of sender: nonrepudiation Message Encrypted K(Sender’s Private) Msg Digest

Public Key Infrastructure (PKI) 7. Tom confirms Sue’s DS 5. Tom requests Sue’s DC 6. CA sends Sue’s DC Tom 4. Sue sends Tom message signed with Digital Signature Digital Certificate User: Sue Public Key: 2456 Certificate Authority (CA) 3. Send approved Digital Certificates 1. Sue registers with CA through RA Sue Register(Owner, Public Key) 2. Registration Authority (RA) verifies owners

Network Access Server 1. Dial up and authenticate 2. Call back 3. Connect RADIUS or TACACS n NAS: Network Access Server ¨ ¨ ¨ Handles user authentication, access control and accounting Calls back to pre-stored number based on user ID Prone to hackers, DOS, misconfigured or insecure devices RADIUS: Remote Access Dial-in User Service TACACS: Terminal Access Control Access

Web Page Security SQL Filtering: Filtering of web input for SQL Injection Encryption/Authentication: Ensuring Confidentiality, Integrity, Authenticity, Nonrepudiation Web Protocol Protection: Protection of State

Vulnerability Assessment n Scan servers, work stations, and control devices for vulnerabilities ¨ Open services, patching, configuration weaknesses n Testing controls for effectiveness ¨ Adherence to policy & standards n Penetration testing

Serviced Applications Workbook Applicatio Sources of ns Entry Grades – United States Current Students Billing Payment: International Reports: Univ. Servers Student Scholastic Required Controls (e. g. , Encryption) Confidentiality: Encryption Integrity: Hashing, IDS Authentication: VPN/IPsec, secure passwords Confidentiality: Encryption, HTTPs Authentication: VPN/IPsec Integrity, Hashing, IDS Non-repudiation: Digital Signature

Summary of Network Controls Network Security Techniques n Encryption: Public and Private key, Wireless WPA 2 n Virtual Private Network (VPN): Secure communications tunnel n Secure Hashing n Digital Signature n Bastion Host Configuration n Certificate Authority: PKI Network Protection Devices n Firewall: Packet, Stateful, Circuit, Application-Level n Proxy server n Demilitarized Zone (DMZ) n Intrusion Detection System n Intrusion Prevention System n Network access server (RADIUS or TACACS) n Honeypot, honeynet Secure Protocols n SSL: Secure web n SSH: Secure telnet/rlogin or file transfer n S/MIME: Secure email n Secure Information Mgmt: Log mgmt

Question A map of the network that shows where service requests enter and are processed 1. Is called the Path of Physical Access 2. Is primarily used in developing security policies 3. Can be used to determine whether sufficient Defense in Depth is implemented 4. Helps to determine where antivirus software should be installed

Question The filter with the most extensive filtering capability is the 1. Packet filter 2. Application-level firewall 3. Circuit-level firewall 4. State Inspection

Question The technique which implements nonrepudiation is: 1. Hash 2. Secret Key Encryption 3. Digital Signature 4. IDS

Question Anti-virus software typically implements which type of defensive software: 1. Neural Network 2. Statistical-based 3. Signature-based 4. Packet filter

Question MD 5 is an example of what type of software: 1. Public Key Encryption 2. Secret Key Encryption 3. Message Authentication 4. PKI

Question A personal firewall implemented as part of the OS or antivirus software qualifies as a: 1. Dual-homed firewall 2. Packet filter 3. Screened host 4. Bastion host

Jamie Ramon MD Doctor Chris Ramon RD Dietician Terry Pat Licensed Software Consultant Practicing Nurse HEALTH FIRST CASE STUDY Designing Network Security

Define Services & Servers n Which data can be grouped together by role and sensitivity/criticality? Confidential – Management Privileged – Contracts Service Name Sensitivity Class. Public – Web Pages Roles with Server Name Access

Defining Services which can Enter and Leave the Network Service Source Destination (e. g. , home, world, local computer) (local server, home, world, etc. )

Defining Zones and Controls Compartmentalization: n Zone = Region (E. g. , DMZ, wireless, internet) n Servers can be physical or virtual Zone Service Server Required Controls (Conf. , Integrity, Auth. , Nonrepud. , with tools: e. g. , Encryption/VPN)

Draw the Network Diagram Internet Router Demilitarized Zone External DNS Email Firewall Public Web Server E-Commerce Zone 3: Student Data Zone 1: Student Labs & Files Student Scholastic Zone 2: Faculty Labs & Files Student Records Student Billing Student History Transcripts

Reference Slide # Slide Title Source of Information 7 Passive Attacks CISA: page 331, 333, 352 9 Some Active Attacks CISA: page 330, 332, 352 10 Man-in-the –Middle Attack CISA: page 331 12 Password Cracking: dictionary Attack & Brute Force CISA: page 330 14 Botnets CISA: page 330 15 Distributed Denial of Service CISA: page 330 23 Packet Filter Firewall CISA: page 353, 354 24 Firewall Configurations CISA: page 353 – 355 25 Firewall Configurations CISA: page 354 26 Multi-Homed Firewall: Separate Zones CISA: page 355 33 Intrusion Detection Systems (IDS) Intrusion Prevention System (IPS) CISA: page 355, 356 34 IDS Intelligence Systems CISA: page 356 35 Honeypot & Honeynet CISA: page 356, 357 37 Encryption – Secret Key CISA: page 357 38 Public Key Encryption CISA: page 357, 358 39 Remote Access Security CISA: page 361 40 Secure Hash Functions CISA: page 359, 361, 362 41 Digital Signature CISA: page 359 42 Public Key Infrastructure (PKI) CISA: page 359, 360