13 Security Flashcards
Network Security Threats
There are four primary threats to network security.
Unstructured Threats
Structured Threats
This kind of hacker is much more sophisticated, technically competent
and calculating. Both structured and unstructured threats typically come from the Internet.
External Threats
These typically come from people on the Internet or from someone who
has found a hole in your network from the outside.
Internal Threats
These come from users on your network, typically employees.
Three Primary Network Attacks
Reconnaissance Attacks
An unauthorized familiarization session. An attacker on reconnaissance is out for discovery—mapping the network, its resources, systems, and vulnerabilities. This is often preliminary. The information gathered
will often be used to attack the network later.
Access Attacks
Waged against networks or systems to retrieve data,
gain access, and/or escalate their access privilege. This can be as easy as finding network
shares with no passwords.
Denial of Service (DoS) Attacks
They deny legitimate users from accessing the network resources. Their sole purpose is to disable
or corrupt network services. The result of a DoS attack will usually either crash a system or
slow it down to the point that it’s rendered useless. DoS attacks are usually aimed at web servers and are surprisingly easy to carry out.
Most common threats
■ Eavesdropping
■ Denial-of-service attacks
■ Unauthorized Access
■ WareZ
■ Masquerade attack (IP spoofing)
■ Session replaying or hijacking
■ Rerouting
■ Repudiation
■ Smurfing
■ Password attacks
■ Man-in-the-middle attacks
■ Application-layer attacks
■ HTML attacks
Eavesdropping
Eavesdropping (network snooping and packet sniffing) is the act of a
hacker “listening in” to your system. There’s a product called a packet sniffer that enables us to read packets of information sent across a network because a network’s packets aren’t encrypted by default. Some applications send all information across the network in clear text. If hackers manage to gain admin or root access, they can even create a new user ID to use at any time as a back door into your network.
Denial-of-Service Attacks
Denial-of-service (DoS) attacks can cripple a corporation’s ability to conduct business. These attacks are alarmingly simple in design and execution. The idea is to keep open all available connections supported by the key server. This locks
out valid attempts to gain access because legitimate users like customers and employees are shut out due to all services being overwhelmed and all bandwidth consumed.
DoS attacks are often implemented using common Internet protocols like TCP and
ICMP—TCP/IP weaknesses for which Cisco offers some safeguards, but nothing bulletproof.
TCP attacks are carried out when a hacker opens up more sessions than the targeted server can handle, rendering it inaccessible to anyone else.
ICMP attacks, sometimes called “The Ping of Death,” are executed by an attacker in one of two ways: The first way is by sending so many pings to a server that it’s thoroughly
overwhelmed dealing with pings instead of serving its corporation. The second method is achieved by modifying the IP portion of a header, making the server believe there’s more
data in the packet than there really is. If enough of these packets are sent, they’ll overwhelm and crash the server.
Chargen
Massive amounts of UDP packets are sent to a device causing huge congestion on the network.
SYN flood
Randomly opens up lots of TCP ports, tying up the network equipment with
bogus requests, denying sessions to real users.
Packet fragmentation and reassembly
This attack exploits the buffer overrun bug in hosts or internetwork equipment, creating fragments that can’t be reassembled, crashing the system.
Accidental
DoS attacks can also happen accidentally, caused by legitimate users with misconfigured network devices.
E-mail bombs
Many free programs exist that allow users to send bulk e-mail to individuals,
groups, lists, or domains, taking up all the e-mail service.
Land.c
Uses the TCP SYN packet that specifies the target host’s address as both the
source and destination. Land.c also uses the same port on the target host as source and destination,
causing the target to crash.
Firewall features to help stop DoS attacks
The Cisco IOS gives us some nice firewall features to help stop DoS attacks, but you just can’t prevent them completely right now without cutting off legitimate users.
Context-Based Access Control (CBAC)
CBAC provides advanced traffic filtering services
and can be used as an integral part of your network’s firewall.
Java blocking
Helps stop hostile Java applet attacks.
DoS detection and monitoring
You really have to understand exactly how much protective power your network actually needs from this feature, because going with too much will keep out attackers as well as legitimate users!
Audit trails
Audit trails are great for keeping track of who’s attacking you, which is awesome because you can then send those logs to the FBI.
Real-time alerts log
Keeping a log of the attacks in real time is helpful in exactly the
same way audit trails are: for helping the authorities go after the bad guys.
Unauthorized Access
Gaining root or administrator access gives an intruder powerful privileges. Adding additional accounts to use as backdoors permits them to get in any time they want. Sometimes intruders gain access into a network so they can place unauthorized files or
resources on another system for ready access by other intruders. Other goals could be to steal software and distribute it if possible. The Cisco IOS offers us help with something called Lock and Key. Another tool is the Terminal Access Controller Access Control System (TACACS+) server—a remote authentication server. There’s also an authentication protocol called Challenge Handshake Authentication Protocol (CHAP). All of these technologies provide additional security against unauthorized access attempts.
In addition to a TACACS+ server and CHAP, you can implement a mechanism that authenticates a user beyond an IP network address. It supports things like password token cards and creates other challenges to gaining access.
WareZ
WareZ applies to unauthorized distribution of software. The intruder’s goal is theft and piracy—they want to either sell someone else’s software or distribute the unlicensed versions
of it for free. It’s a favorite of present or former employees, but could
be executed by anyone on the Internet with a cracked version of the software. The only thing that can protect products from
WareZ is to include some type of activation key and licensing preventing illegal use.
Masquerade Attack (IP Spoofing)
Masquerading or IP spoofing is pretty easy to prevent once you understand how it works.
An IP spoofing attack happens when someone outside your network pretends to be a trusted computer by using an IP address that’s within the range of your network’s IP
addresses. The attacker’s plan is to steal an IP address from a trusted source for use in gaining access to network resources. A trusted computer is one that you either have administrative
control over or one you’ve decided to trust on your network. You can head off this attack by placing an access control list (ACL) on the corporate router’s interface to the Internet denying access to your internal addresses from that interface. This approach easily stops IP spoofing but only if the attacker is coming in from
outside the network. In order to spoof a network ID, a hacker would need to change the routing tables in your router in order to receive any packets. Once they do that, the odds are good that they’ll gain access to user accounts and passwords.
Session Hijacking or Replaying
When two hosts communicate, they typically use the TCP protocol at the Transport layer to set up a reliable session. This session can be “hijacked” by making the hosts believe that they
are sending packets to a valid host, when in fact they’re delivering their packets to a hijacker. You don’t see this so much anymore because a network sniffer can gather much more information. You can protect yourself from session hijacking or replaying by using a strongly authenticated,
encrypted management protocol.
Rerouting
A rerouting attack is launched by a hacker who understands IP routing. The hacker breaks into the corporate router and then changes the routing table to alter the course of IP packets so they’ll go to the attacker’s unauthorized destination instead. Some types of cookies and Java or ActiveX scripts can also be used to manipulate routing tables on hosts.
To stop a rerouting attack, you can use access control with an ASA and/or Cisco
Firepower device.
Repudiation
Repudiation is the denial of a transaction: the attacker erases or alters logs to hide the trail so that no communications can be traced, providing deniability. Doing this can prevent a third party from being able to prove that a communication between two other parties ever took place. Non-repudiation is the opposite—a third party can prove that a communication between two other parties took place. So because you generally want the ability to trace your communications, as well as prove they actually did take place, non-repudiation is the
preferred transaction.
Attackers who want to create a repudiation attack can use Java or ActiveX scripts to do so. They can also use scanning tools that confirm TCP ports for specific services, network
or system architecture, and OS. Once information is obtained, the attacker will try and find vulnerabilities associated with those entities. To stop repudiation, set your browser security setting to “high.” You can also block any corporate access to public e-mail sites. In addition, add access control and authentication
on your network. Non-repudiation can be used with digital signatures.
Smurfing
This attack sends a large amount of ICMP (Internet Control Message Protocol) echo (ping) traffic to IP broadcast addresses
from a supposedly valid host that is traceable. The framed host then gets blamed for the attack. The target’s IP address is used as the source address in the ping, and all systems reply to the target, eating up its resources. Smurf attacks send a layer two (Data-Link layer) broadcast. Most hosts on the attacked IP network will reply to each ICMP echo request with an echo reply, multiplying the traffic by the number of hosts responding. This eats up tons of bandwidth and results in a denial
of service to valid users because the network traffic is so high. The smurf attack’s cousin is called fraggle, which uses UDP echo packets in the same
fashion as the ICMP echo packets. Fraggle is a simple rewrite of smurf to use a layer 4 (Transport layer) broadcast. To stop a smurf attack, all networks should perform filtering either at the edge of the network where customers connect (the access layer), or at the edge of the network with
connections to the upstream providers. Your goal is to prevent source-address-spoofed packets from entering from downstream networks or leaving for upstream ones.
Password Attacks
Even if your users pick really great passwords, programs that record a username and password
can still be used to gather them up. If a hacker creates a program that repeatedly attempts
to identify a user account and/or password, it’s called a brute-force attack. And if it’s successful, the hacker will gain access to all resources the stolen username and password usually provides to the now ripped-off corporate user.
Man-in-the-Middle Attacks
A man-in-the-middle attack is just that—a person that is between you and the network you are connected to, gathering everything you send and receive. For a man-in-the-middle attack to be possible, the attacker must have access to network packets traveling across the networks. This means your middleman could be an internal user, someone who spoofed—even someone who works for an Internet service provider (ISP). Man-in-the-middle attacks are usually implemented by using network packet sniffers, routing protocols, or even
Transport layer protocols.
Your middleman attacker’s goal is any or all of the following:
■ Theft of information
■ Hijacking of an ongoing session to gain access to your internal network resources
■ Traffic analysis to derive information about your network and its users
■ Denial of service
■ Corruption of transmitted data
■ Introduction of new information into network sessions