Network and System Security Flashcards
2 sections of memory for hacking
Heap section
o Stores dynamic variables (malloc)
o Grows from lower memory to higher memory
Stack section
o Tracks function calls
o Local variables
o Grows from higher memory to lower memory
o For static memory allocation
Both stored in the computer’s RAM
Application-level gateway (FW)
aka Application Proxy
- Acts as a relay of application-level traffic
- If the gateway does not implement the proxy code for a specific application, the service is not supported and cannot be forwarded across the firewall
- High level of granular configuration options
- Tend to be more secure than packet filters
Disadvantage
o The additional processing overhead on each connection
Circuit-level gateway (type of FW)
aka Circuit-level Proxy
A firewall that provides security for UDP and TCP connections, working between the transport and application layers of the OSI model, i.e. at the session layer.
- Can be a stand-alone system or a specialized function performed by an application-level gateway for certain applications
- Does not permit an end-to-end TCP connection
- The security function consists of determining which connections will be allowed
- Typical use is a situation in which a system administrator trusts the internal users
- Can be configured to support application-level or proxy service on inbound connections and circuit-level functions for outbound connections
- Example of implementation is the SOCKS package
- Work at the session layer of the OSI model, or as a “shim-layer” between the application layer and the transport layer of the TCP/IP stack
7 layers of OSI model – from highest to lowest
Open Systems Interconnection (OSI) Model
- Application layer
- Presentation layer
- Session layer
- Transport layer
- Network layer
- Data link layer
- Physical layer
2 types of Enumeration
Passive
o Search of the interwebs with minimal traces in the target's log files
o Using public sources to gather intelligence
o Correlating separate sources to draw meaning
Active
o Goal: identify as many systems, services, and potential vulnerabilities as possible
o Used externally or internally against a target
o Ping sweeps and port scans
Scanners examples
Masscan
o Scan entire internet in 6 minutes
Netdiscover
o LAN sniffing tool
o Good to discover MAC addresses
o Can now identify the types of devices on the network
Sparta
o GUI to run nmap, Nikto and more
Nikto
o Web server scanner
o Scans for known vulnerable files
o Output from nmap can be fed into Nikto
WAF
Web application firewalls are special FWs that protect a service
Broadcast address
The last address of the network
A broadcast address is an IP address that is used to target all systems on a specific subnet instead of a single host. In other words, a broadcast address allows information to be sent to all machines on a given subnet rather than to a specific machine
Fuzzing
Process where an attacker sends malformed packets to a service or application listening on the network
The goal is to force the application to fail or produce errors
Symmetric key
More commonly used since faster and easier – better performance
Same key used to encrypt and decrypt
Faster compared to public key encryption
Problem
o Key needs to be stored securely – hackable
o Both need the key
o Better to combine with asymmetric
Hash
Examples?
A string or number generated from a string of text
The resulting string or number is a fixed length
The best hashing algorithms are designed so that it’s impossible to turn a hash back into its original string
o MD5
o SHA
o SHA-2
Used when storing passwords
Encryption
- Turns data into a series of unreadable characters that aren’t a fixed length
- CAN be reversed back into their original, decrypted form if you have the right key
Two primary types of Encryption
Symmetric key
The key to both encrypt and decrypt is exactly the same
Public key
Has two different keys
• One used to encrypt the string (the public key)
• One used to decrypt it (the private key)
3 classes of intruders
Masquerader
o An individual who is not authorized to use the computer and who penetrates a system’s access controls to exploit a legitimate user’s account
Misfeasor
o A legitimate user who accesses data, programs, or resources for which such access is not authorized, or who is authorized for such access but misuses his or her privileges
Clandestine user
o An individual who seizes supervisory control of the system and uses this control to evade auditing and access controls or to suppress audit collection
Examples of intrusion (10)
- Performing a remote root compromise of an email server
- Defacing a web server
- Guessing and cracking passwords
- Copying a database containing credit card numbers
- Viewing sensitive data, including payroll records and medical information without authorization
- Running a packet sniffer on a workstation to capture usernames and passwords
- Using a permission error on an anonymous FTP server to distribute pirated software and music files
- Dialing into an unsecured modem and gaining internal network access
- Posing as an executive, calling the help desk, resetting the executive’s email passwords, and learning the new password
- Using an unattended, logged-in workstation without permission
Hackers
Prevention?
Traditionally for the thrill of it or for status
- Intrusion detection systems (IDSs)
- Intrusion prevention systems (IPSs) are designed to counter hacker threats
- Consider restricting remote logons to specific IP addresses and/or use virtual private network technology
CERTS
Computer Emergency Response Teams
- They collect information about system vulnerabilities and disseminate it to the systems managers
- Hackers also routinely read CERT reports
- It is important for system administrators to quickly apply all software patches for discovered vulnerabilities
Criminal Hackers
- Organized groups of hackers
- Usually have specific targets, or at least classes of targets in mind
- Once a site is penetrated, the attacker acts quickly, scooping up as much valuable information as possible and exiting
- IDSs and IPSs can be used for these types of attackers, but may be less effective because of the quick in-and-out nature of the attack
Insider attacks
countermeasures
Among the most difficult to detect and prevent
Can be motivated by revenge or simply a feeling of entitlement
Countermeasures
o Enforce least privilege
o Set logs to see what users access and what commands they are entering
o Protect sensitive resources with strong authentication
o Upon termination, delete computer and network access
o Upon termination, make a mirror image of employee’s hard drive before reissuing it (used as evidence if your company information turns up at a competitor)
Intrusion objective
Objective of the intruder is to gain access to a system or to increase the range of privileges accessible on a system
Most initial attacks use system or software vulnerabilities that allow a user to execute code that opens a backdoor into the system
Ways to protect a password file
One-way function
The system stores only the value of a function based on the user’s password
Access control
Access to the password file is limited to one or a very few accounts
Password guessing techniques (8)
- Try default passwords used with standard accounts – many don’t change
- Try all short passwords (2-3 characters)
- Try words in the system’s online dictionary or a list of likely passwords – examples available on hacker bulletin boards
- Collect information about users: full names, spouse and children, pictures in their office, books related to hobbies
- Try user’s phone numbers, SSN, room numbers
- Try all legitimate license plate numbers for this state
- Use a Trojan horse to bypass restrictions on access
- Tap the line between a remote user and the host system
Intrusion detection
considerations
A system’s 2nd line of defense (1st is prevention)
Based on the assumption that the behavior of the intruder differs from that of a legitimate user in ways that can be quantified
o Considerations
If an intrusion is detected quickly enough, the intruder can be identified and ejected from the system before any damage is done or any data is compromised
An effective system can serve as a deterrent, thus acting to prevent intrusions
Enables the collection of information about intrusion techniques that can be used to strengthen the intrusion prevention facility
2 Approaches to intrusion detection
Statistical anomaly detection
o Involves the collection of data relating to the behavior of legitimate users over a period of time
o Then statistical tests are applied to observed behavior to determine whether that behavior is not legitimate user behavior
o Threshold detection
Involves defining thresholds, independent of user, for the frequency of occurrence of various events
o Profile based
A profile of the activity of each user is developed and used to detect changes in the behavior of individual accounts
Rule-based detection
o Involves an attempt to define a set of rules or attack patterns that can be used to decide that a given behavior is that of an intruder
o Often referred to as signature detection
IP address spoofing attack
Countermeasure
The intruder transmits packets from the outside with a source IP address field containing an address of an internal host
Countermeasure
o Discard packets with an inside source address if the packet arrives on an external interface
Source routing attacks
Countermeasure
The source station specifies the route that a packet should take as it crosses the internet in the hopes that this will bypass security measures that do not analyze the source routing information
Countermeasure
o Discard all packets that use this option
Tiny fragment attacks
Countermeasure
The intruder uses the IP fragmentation option to create extremely small fragments and force the TCP header information into a separate packet fragment
Countermeasure
o Enforce a rule that the first fragment of a packet must contain a predefined minimum amount of the transport header
Convincing an organization to invest in security
Investing in security will save your business from becoming the victim of a security breach
Breaches are costly and can ruin a business's reputation
Investing could avoid lawsuits
o Consumers
o Organization may not be in compliance with government regulations
Invest
o Identity management
o High-level firewall and network security system
How to detect and prevent threats (3)
Snort can run in the background to defend against port scanning
o Must be running to be effective
o Does not prevent information from coming through – alerts only
Install a firewall that has a built-in intrusion prevention system
o Protects the entire network – detects port scanning
Install a separate IPS dedicated to detecting and blocking port scanning
o Ports are occasionally open on a network – standard firewalls are ill-equipped to detect this
o Install separate hardware/software that specifically checks for port scanning
o At the same time blocks or makes the ports appear invisible
Identity Management
• The “organizational process for identifying, authenticating and authorizing individuals or groups of people to have access to applications, systems or networks by associating user rights and restrictions with established identities”
o Every individual in an organization has an identity
o Only give what they need
o Make sure old permissions are removed
o Keep data updated
o Monitor activities of employee logins
o Have a record tracking system in place
o Bad data due to duplicates of one employee with different permissions
o Delete terminated employees
May be disgruntled
Profiles may be accessed unknowingly and may be hard to trace
Firewall design goals
ALL TRAFFIC from inside to outside and vice versa must pass through firewall
Only authorized traffic will be allowed to pass
The firewall itself is immune to penetration
4 Firewall characteristics
Service control – determines the types of internet services that can be accessed, in or out
Directional control – determines the direction in which particular service requests may be initiated and allowed to flow through the firewall
User control – controls access to a service according to which user is attempting to access it
Behavior control – controls how particular services are used
Firewall expectations
Defines a single choke point that keeps the bad out
o Unauthorized users out of protected network
o Prohibits potentially vulnerable services from entering or leaving the network
o Provides protection from various kinds of IP spoofing and routing attacks
Provides a location for monitoring security-related events
Can serve as a platform for IPsec
Convenient platform for several internet functions not security related
Firewall limitations (4)
Cannot protect against attacks that bypass the firewall
May not protect fully against internal threats
o Disgruntled employees
o Tricked user
Cannot guard against wireless communications between local systems on different sides of the internal firewall
A laptop, PDA, or portable storage device may be used and infected outside the corporate network, and then attached and used internally
Packet Filtering firewalls
Strengths/Weaknesses
Strengths
o Simplicity
o Transparent to users
o Fast
Weaknesses
o Open to attacks that employ application-specific vulnerabilities or functions
o Limited log functionality
o Most packet filter firewalls do not support advanced user authentication schemes
o Generally vulnerable to attacks and exploits that take advantage of problems within the TCP/IP specification and protocol stack
o Misconfiguration
Host-based firewall
A software module used to secure an individual host
Available in many operating systems or can be provided as an add-on package
Filters and restricts the flow of packets
Common location is a server
Advantages
o Filtering rules can be tailored to the host environment
o Protection is provided independent of topology
o Used in conjunction with stand-alone firewalls, provides an additional layer of protection
Personal firewall
Controls the traffic between a personal computer or workstation on one side and the Internet or enterprise network on the other side
Can be used in the home or on corporate intranets
Typically, is a software module on the personal computer
Can also be housed in a router that connects all of the home computers to a DSL, cable modem, or other Internet interface
Primary role is to deny unauthorized remote access to the computer
Can also monitor outgoing activity in an attempt to detect and block worms and other malware
OSI Model
Application layer
Example protocols
Supports application and end user processes
HTTP, FTP, IRC, SSH, DNS
OSI Model
Presentation layer
Example protocols
Transforms data into the form that the application layer can accept
(SSL, FTP, IMAP, SSH)
OSI Model
Session layer
Example protocols
Manages and terminates connections between applications
APIs, Sockets
OSI Model
Transport layer
Example protocols
Transparent transfer of data between end systems or hosts, responsible for flow control - end to end
(TCP, UDP, SCTP, DCCP, ECN)
OSI Model
Network layer
Example protocols
Provides switching and routing technologies, transmitting data from node to node via logical paths
(IP, IPSec, ICMP, IGMP)
OSI Model
Data link layer
Example protocols
Data layers are encoded and decoded into bits - handles the moving of data into and out of a physical link in a network
(Ethernet, SLIP, PPP)
OSI Model
Physical layer
Example protocols
This layer conveys the bit stream through the network at the electrical and mechanical level - Media, Signal, and Binary Transmission
(Coax, Fiber, Wireless)
Enumeration definition
The process of extracting user names, machine names, network resources, and other services from a system.
All the gathered information is used to identify the vulnerabilities or weak points in system security and then exploit them.