topic 4A : networks and security Flashcards
Reconnaissance attacks
- reconnaissance is also known as information gathering
- involve the unauthorized discovery and mapping of systems, services or vulnerabilities (like surveying for weak links in the system)
- usually comes before an access/DoS attack
Process of a reconnaissance attack
- intruder conducts a ping sweep of the target network to determine which IP addresses are active
- then determines which services or ports are available on the live IP addresses
- the intruder queries the ports to determine the type and version of the application and operating system that is running
- then they look for vulnerable services that can be exploited
Tools used during a reconnaissance attack (RA)
- packet sniffers
- ping sweeps
- port scans
- internet information queries
- other low-technology reconnaissance
Packet sniffer
- an application that uses a Network Interface Card (NIC) in promiscuous mode to capture all network packets that are sent across the LAN (Local Area Network)
(promiscuous mode : a network card configuration that passes all traffic received to the network adapter driver and protocol stack)
- if network packets are sent in unencrypted plaintext, they can be captured and understood by any application that can pick them off the network
Ping sweep
- a basic network scanning technique that scans a range of IP addresses (hosts) to determine if any hosts are alive
- consists of ICMP echo requests sent to multiple hosts; if a host address is alive, it returns an ICMP echo reply
ICMP : the Internet Control Message Protocol is a network layer protocol used by network devices to diagnose network communication issues. ICMP is mainly used to determine whether or not data is reaching its intended destination in a timely manner
Port scan
- each service on a host is associated with a well-known port number
- port scanning : a scan of a range of TCP or UDP port numbers on a host to detect listening services
- consists of sending a message to each port on a host; the response that the sender receives indicates whether the port is in use
Internet information queries
1) can reveal information such as :
- who owns a particular domain
- what IP addresses have been assigned to that domain
2) whois database (a public database that houses the information collected when someone registers a domain name or updates their DNS settings, available to everyone using the internet), the ‘white pages’ of the internet, storing:
- technical, administrative and billing contact names
- phone numbers and email addresses
- domain name servers (DNS)
Low-technology reconnaissance
1) social engineering
- duping someone over the phone to reveal sensitive information (a form of manipulation)
- a clever attacker can easily obtain passwords
- social networking websites
2) physical break-in
- simply walking through the front door
- piggybacking : connecting to a wireless network/internet without the owner’s/subscriber’s permission or knowledge
- gain network connectivity, diagrams, etc.
3) dumpster diving
- the act of extracting information from discarded physical or digital waste
- also known as “trashing”
- can be disgusting but rewarding
- network diagrams and system documentation
- post-it notes with passwords
Access attacks
aim :
- retrieve data
- gain access
- escalate access privileges
types of access attacks :
1) password attack : to exploit a vulnerability in user authorization within a digital system
2) trust exploitation : an attacker takes advantage of a relationship of trust between computer systems
3) man-in-the-middle attack : the attacker positions himself in a conversation to eavesdrop on or impersonate one of the parties involved
Password attacks
implemented using
- brute-force attacks : repeated attempts to identify a user ID and password based on the built-in dictionary
- trojan horse programs : keyloggers (keeps track of and records your keystrokes as you type)
- packet sniffers : capture unencrypted passwords
Trust exploitation
goal :
to compromise a trusted host, using it to stage attacks on other hosts in the network
how it works :
1. attacker wants to attack system A
- system A only trusts system B, while system B trusts everyone
2. attacker compromises system B first
3. attacker creates a “system A user” on system B to deceive system A
4. attacker can attack system A from system B now
Man-in-the-middle attack
- the attacker is positioned in the middle of communications/a conversation between 2 machines (eg a user and an application) and eavesdrops on, reads or modifies the data passed between the 2 hosts
- a popular variant involves a laptop acting as a rogue access point, often targeting a user in a public location on a wireless hotspot
- can be active or passive
active attacks : intercept and alter the contents before they are sent on to the recipient
passive attacks : capture and record the contents and pass them on unchanged
Denial of service (DoS) attacks
attack on availability :
- a DoS attack is a network attack that results in an interruption of service to users, devices or applications
- victim resources like websites become unavailable for legitimate public access
Why are they major risks?
- they can easily disrupt business processes and cause significant losses
- relatively simple to conduct, even by an unskilled attacker
Distributed DoS attack
- DDoS attacks originate from multiple coordinated sources
- presents a challenge to the victim to identify and stop each distributed attacker
symptoms of DoS attacks:
1) dramatic increase in requests for a particular service
2) unusually slow network performance
3) unavailability of a particular website
How does a DDoS attack work?
1) the hacker distributes zombie software to numerous machines via the internet
2) the attack is initiated by sending an attack command containing the victim’s IP address using remote-control attack software
3) upon receiving the attack command, all the zombies flood the victim with attack packets
4) some machines act as handlers to forward attack commands to other zombies
Best practices in network security
- shut down unnecessary/unused ports and services
- use strong passwords and change them often
- control physical access to systems
- perform regular backups and test the backup files
- encrypt and password-protect sensitive data
- develop a security policy for the company
Best practices in network security (2)
- deploy security devices (eg firewalls, intrusion detection systems, virtual private networks, anti-virus software)
- educate employees about the risks of social engineering & develop strategies to validate identities over the phone, via email or in person
- keep patches up-to-date by installing them weekly or daily (if possible)