En CCNAS v11 Ch01
! To protect assets!
! Historically done through physical security and closed networks.
University, Robert Tappan Morris, and launched on November 2, 1988 from MIT.
! It is considered the first worm and
! According to Morris, the worm was not written to cause damage, but to
! But the worm was released from MIT, not Cornell where Morris was a student.
! The Morris worm worked by exploiting known vulnerabilities in Unix
CERT/CC at Carnegie Mellon University to give experts a central point for coordinating responses to network emergencies.
! Robert Morris was tried and convicted of violating the 1986 Computer Fraud and Abuse Act.
! After appeals he was sentenced to three years probation, 400 hours of community service, and a fine of $10,000.
! The Code Red worm was released on July 19, 2001 and attacked web servers globally, infecting over 350,000 hosts and in turn affecting millions of users; besides propagating, it carried a DoS attack as its payload.
! Code Red:
! Defaced web pages.
! Disrupted access to the infected servers and local networks hosting the servers, making them very slow or unusable.
! Upon a successful connection to port 80, the attacking host sends a crafted HTTP GET request to the victim, attempting to exploit a buffer overflow in the Indexing Service.
! The same exploit (HTTP GET request) is sent to other randomly chosen
! If the exploit was successful, the worm began executing on the victim
host.
! In the earlier variant of the worm, victim hosts experienced the following defacement on all pages requested from the server:
HELLO! Welcome to http://www.worm.com! Hacked By Chinese!
! Day 1 - 19: The infected host will attempt to connect to TCP port 80 of randomly chosen IP addresses in order to further propagate the worm.
! Day 20 - 27: A packet-flooding denial of service attack will be launched against a particular fixed IP address.
! Day 28 - end of the month: The worm "sleeps"; no active connections or denial of service.
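The request pattern described above leaves a recognisable trace in web-server access logs. The following Python script is an added example and is not from the slides or the CERT advisory; its signature (a GET for an .ida/.idq URL whose query is a long run of filler bytes followed by %u-encoded bytes) follows the description in CA-2001-19, while the filler threshold, the minimum number of %u escapes and the three log lines are constructed for the demo.

```python
"""Flag Code Red style requests in web-server access logs.

Added example, not from the original slides or the CERT advisory. The
signature follows CA-2001-19 (the advisory the slide cites): a GET for an
.ida/.idq URL whose query is a long run of filler bytes followed by
%u-encoded code. The thresholds and the log lines are constructed.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Common Log Format: host ident user [time] "request" status size
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3}) \S+$'
)
# The overflow was reached through the Indexing Service ISAPI (.ida/.idq) handler.
IDA_RE = re.compile(r'^GET\s+/[^\s?]*\.id[aq]\?(?P<query>\S*)', re.IGNORECASE)
FILLER_RE = re.compile(r'^[NX]{64,}')            # assumption: 64+ filler bytes is suspicious
UNICODE_ESC_RE = re.compile(r'%u[0-9a-fA-F]{4}')
MIN_ESCAPES = 4                                  # assumption: fewer looks like a normal query


@dataclass
class Hit:
    host: str
    time: str
    filler_len: int
    escapes: int


def analyse_line(line: str) -> Optional[Hit]:
    """Return a Hit when the line looks like a Code Red GET, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None                              # not a parseable access-log line
    req = IDA_RE.match(m.group("request"))
    if not req:
        return None                              # not aimed at the .ida/.idq handler
    query = req.group("query")
    filler = FILLER_RE.match(query)
    escapes = len(UNICODE_ESC_RE.findall(query))
    # Both traits together: filler to reach the overflow, then %u-encoded code.
    if filler and escapes >= MIN_ESCAPES:
        return Hit(m.group("host"), m.group("time"), len(filler.group(0)), escapes)
    return None


def scan(lines: Iterable[str]) -> List[Hit]:
    """Run analyse_line over every log line and keep the hits."""
    return [h for h in (analyse_line(l) for l in lines) if h is not None]


# Constructed sample: a benign page request, a Code Red style request, and a
# legitimate .ida query without the overflow traits.
SAMPLE_LOG = [
    '10.1.1.5 - - [19/Jul/2001:13:21:00 -0400] "GET /index.html HTTP/1.0" 200 1043',
    '203.0.113.7 - - [19/Jul/2001:13:21:03 -0400] "GET /default.ida?'
    + "N" * 224
    + '%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801=a HTTP/1.0" 200 -',
    '10.1.1.9 - - [19/Jul/2001:13:22:10 -0400] "GET /search.ida?q=reports HTTP/1.0" 200 512',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"{hit.time} {hit.host}: .ida overflow attempt, "
              f"{hit.filler_len} filler bytes, {hit.escapes} %u escapes")
```

Requiring both traits (the filler run and several %u escapes) keeps an ordinary query to an .ida page from being flagged; a single-trait rule would be noisier. A hit on a server's own log also tells you that host was scanned, not necessarily that it was infected; the outbound connections to random port 80 targets are the evidence of infection.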
! However, patching the system for the underlying vulnerability remains imperative since the likelihood of re-infection is quite high due to the rapid propagation of the worm.
! Network security professionals must develop and implement a security policy which includes a process to continually keep tabs on security advisories and patches.
! It was a wake up call for network administrators.
! It made it very apparent that network security administrators must patch their systems regularly.
! If security patches had been applied in a timely manner, the Code Red
! http://www.cert.org/advisories/CA-2001-19.html
! Phreaker
! An individual that manipulates the phone network in order to cause it to perform a function that is normally not allowed, such as to make free long distance calls.
! Captain Crunch (John Draper)
! Spammer
! Individual that sends large quantities of unsolicited email messages.
! Spammers often use viruses to take control of home computers to send out their bulk messages.
! Phisher
! Individual uses email or other means in an attempt to trick others into providing sensitive information, such as credit card numbers or passwords.
! 1960s - Phone Freaks (Phreaks)
! 1980s - Wardialing (WarGames)
! 1988 - Internet Worm
! 1993 - First DEF CON hacking conference held
! 1995 - First 5 year federal prison sentence for hacking
! 1997 - Nmap released
! 1997 - First malicious scripts used by script kiddies
! 2002 - Melissa virus creator gets 20 months in jail
! The first email virus, the Melissa virus, was written by David Smith and
! David Smith was sentenced to 20 months in federal prison and a US$5,000 fine.
! Robert Morris created the first Internet worm with 99 lines of code.
! When the Morris Worm was released, 10% of Internet systems were brought to a halt.
! MafiaBoy was the Internet alias of Michael Calce, a 15 year old high
sentenced him on September 12, 2001 to eight months of "open custody," one year of probation, restricted use of the Internet, and a small fine.
columnist on computer security topics for the Francophone newspaper Le Journal de Montréal.
appearances.
! Increase of network attacks
! Increased sophistication of attacks
! Increased dependence on the network
! Wireless access
! Lack of trained personnel
! Lack of awareness
! Lack of security policies
! Legislation
! Litigation
substantial liability.
! http://en.wikipedia.org/wiki/Information_security#Laws_and_regulations
! US Federal legislation mandating security includes the following:
! Gramm-Leach-Bliley (GLB) bill financial services legislation
! Government Information Security Reform Act
! Health Insurance Portability and Accountability Act of 1996 (HIPAA)
! Children's Internet Protection Act (CIPA)
! The Payment Card Industry Data Security Standard (PCI DSS) (strictly an industry standard enforced by contract with the card brands, not federal legislation, but usually listed alongside these)
! Sarbanes-Oxley Act of 2002
are:
! Computer Emergency Response Team (CERT)
! SysAdmin, Audit, Network, Security (SANS) Institute
! International Information Systems Security Certification Consortium (pronounce (ISC)2 as "I-S-C-squared")
generally intended to be harmless or merely annoying rather than to cause serious damage to computers.
them for the sole purpose that they could or to see how far it could spread.
! In some cases the perpetrator did not realize how much harm their creations could do.
! As late as 1999, widespread viruses such as the Melissa virus appear to
file) that can copy itself and infect a computer without permission or knowledge of the user.
! A virus can only spread from one computer to another by:
! Sending it over a network as a file or as an email payload.
! Carrying it on a removable medium.
themselves and perhaps make their presence known by presenting text, video, or audio messages.
Worm slowed down global Internet traffic as a result of DoS.
within 30 minutes of its release.
! Propagation mechanism
! After gaining access to devices, a worm replicates and selects new targets.
! Payload
! Once the device is infected with a worm, the attacker has access to the host, often as a privileged user.
! Attackers could use a local exploit to escalate their privilege level to administrator.
Trojan Horses
and Elenore all turned up on underground markets selling for $300 to $500, Kandek says, and allow the attacker to install a Trojan program ready to download whatever malicious software a cybercriminal wishes, from spyware to click-fraud software. All three of those kits exploit three unique Adobe Reader bugs, along with a smaller number of bugs in Internet Explorer, Microsoft Office, Firefox and even Quicktime. Excerpt from the article at:
http://www.cbc.ca/technology/story/2009/12/16/f-forbes-adobe-hacked-software.html
a desirable function but, in fact, facilitates unauthorized access to the user's computer system.
! Trojan horses may appear to be useful or interesting programs, or
at the very least harmless to an unsuspecting user, but are actually harmful when executed.
! Trojan horses are not self-replicating which distinguishes them
! Probe phase:
! Vulnerable targets are identified using ping scans.
! Application scans are used to identify operating systems and vulnerable software.
! Hackers obtain passwords using social engineering, dictionary attack, brute-force, or network sniffing.
! Penetrate phase:
! Exploit code is transferred to the vulnerable target.
! Goal is to get the target to execute the exploit code through an attack vector, such as a buffer overflow, ActiveX or Common Gateway Interface (CGI) vulnerabilities, or an email virus.
! Persist phase:
! After the attack is successfully launched in memory, the code tries to persist on the target system.
! Goal is to ensure that the attacker code is running and available to the attacker even if the system reboots.
! Achieved by modifying system files, making registry changes, and installing new code.
! Propagate phase:
! The attacker attempts to extend the attack to other targets by looking for vulnerable neighboring machines.
! Propagation vectors include emailing copies of the attack to other systems, uploading files to other systems using file shares or FTP services, active web connections, and file transfers through Internet Relay Chat.
! Paralyze phase:
! Actual damage is done to the system.
! Files can be erased, systems can crash, information can be stolen, and distributed denial of service (DDoS) attacks can be launched.
to buffer overflows.
! Buffer overflows are usually the primary conduit through which viruses, worms, and Trojan Horses do their damage.
buffer overflows.
! A root buffer overflow is intended to attain root privileges to a system.
! Worms such as SQL Slammer and Code Red exploit remote root
buffer overflows.
! Remote root buffer overflows are similar to local root buffer overflows, except that local end user or system intervention is not required.
anti-virus software.
! For defense in depth, host-based intrusion prevention systems (HIPS), such as Cisco Security Agent, should also be deployed; anti-virus alone does not give total protection.
! HIPS protects the OS kernel.
! Containment Phase:
! Limit the spread of a worm infection to areas of the network that are already affected.
! Compartmentalize and segment the network to slow down or stop the worm to prevent currently infected hosts from targeting and infecting other systems.
! Use both outgoing and incoming ACLs on routers and firewalls at control points within the network.
! Inoculation Phase:
! Runs parallel to or subsequent to the containment phase.
! All uninfected systems are patched with the appropriate vendor patch for the vulnerability.
! The inoculation process further deprives the worm of any available targets.
! Quarantine Phase:
! Track down and identify infected machines within the contained areas and disconnect, block, or remove them.
! This isolates these systems appropriately for the Treatment Phase.
! Treatment Phase:
! Actively infected systems are disinfected of the worm.
! Terminate the worm process, remove modified files or system settings that the worm introduced, and patch the vulnerability the worm used to exploit the system.
! In more severe cases, completely reinstall the system to ensure that the worm and its by-products are removed.
not block UDP port 1434 because it was required to access the SQL Server for legitimate business transactions.
! Permit only selective access to a small number of clients using SQL Server.
Reconnaissance Attacks
particular domain and what addresses have been assigned to that domain.
! Use tools such as whois, nslookup,
at a time.
! Response received indicates whether the port is used and can therefore be probed for weakness.
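As an added example (not from the slides), the script below does what the slide describes: it probes one port at a time with a TCP connect and uses the response to classify each port as in use or not. To stay self-contained it starts its own listener on 127.0.0.1 and scans that port plus one port the OS has just confirmed is free; the port numbers it prints are whatever the OS hands out.

```python
"""TCP connect scan, one port at a time, as an added example.

Not from the slides. A completed three-way handshake means the port is
open (in use); a refused connection or a timeout is reported as closed.
To run offline it starts a throwaway listener on 127.0.0.1 and scans that
port plus one known-free port.
"""
import socket
import threading
from typing import Dict, List, Tuple


def probe(host: str, port: int, timeout: float = 0.5) -> bool:
    """Probe a single port; True when the connection is accepted."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return True
        except OSError:           # ConnectionRefusedError, timeout, unreachable
            return False


def scan_ports(host: str, ports: List[int]) -> Dict[int, bool]:
    """Scan the given ports in order, as the slide describes."""
    return {p: probe(host, p) for p in ports}


def start_listener(host: str = "127.0.0.1") -> socket.socket:
    """Bind an ephemeral port and drain connections on a background thread."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)

    def serve() -> None:
        while True:
            try:
                conn, _ = srv.accept()
                conn.close()
            except OSError:       # listener closed, stop serving
                return

    threading.Thread(target=serve, daemon=True).start()
    return srv


def free_port(host: str = "127.0.0.1") -> int:
    """Ask the OS for an unused port and release it again (demo only)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind((host, 0))
        return s.getsockname()[1]


def demo() -> Tuple[int, int, Dict[int, bool]]:
    """Returns (open_port, closed_port, scan results)."""
    srv = start_listener()
    host, open_port = srv.getsockname()
    closed_port = free_port(host)
    try:
        return open_port, closed_port, scan_ports(host, [open_port, closed_port])
    finally:
        srv.close()


if __name__ == "__main__":
    _, _, results = demo()
    for p, is_open in results.items():
        print(f"{p}/tcp {'open' if is_open else 'closed'}")
```

A full connect is the noisiest form of port scan: every open port sees a completed handshake and usually logs it, which is why defenders can spot sweeps of this kind in host and firewall logs even when the scanner only touches each port once.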
adapter card in promiscuous mode to capture all network packets that are sent across a LAN.
! Packet sniffers can only work in the same collision domain as the network being attacked; on a switched network the sniffer sees only traffic sent to its own port, which is why switched infrastructure reduces a sniffer's effectiveness.
! Promiscuous mode is a mode in which the network adapter card sends all packets that are received on the physical network wire to an application for processing.
! Wireshark is an example of a packet sniffer.
Access Attacks
services, FTP services, and web services to gain entry to web accounts, confidential databases, and other sensitive information for these reasons:
! Retrieve data
! Gain access
! Escalate their access privileges
including:
! Password attacks
! Trust exploitation
! Port redirection
! Man-in-the-middle attacks
! Buffer overflow
hashes of passwords and generates the plaintext passwords from them. one of two methods:
(DMZ) host that has a trust relationship with an inside host that is connected to the inside firewall interface.
! The inside host trusts the DMZ host.
! When the DMZ host is compromised, the attacker can leverage that trust relationship to attack the inside host.
uses a compromised host to pass traffic through a firewall that would otherwise have been dropped.
! Port redirection bypasses the firewall rule sets by changing the normal source port for a type of network traffic.
! You can mitigate port redirection by using proper trust models that are network-specific.
! Assuming a system is under attack, an IPS can help detect a hacker and prevent installation of such utilities on a host.
working for your ISP gains access to all network packets that transfer between your network and any other network.
DoS Attacks
bombs, CPU hogging, Malicious applets, Misconfiguring routers, the chargen attack, out-of-band attacks such as WinNuke, Land.c, Teardrop.c, and Targa.c.
broadcast addresses, all with spoofed source addresses on the same network as the respective directed broadcast.
! If the routing device delivering traffic to those broadcast addresses forwards the directed broadcasts, all hosts on the destination networks send ICMP replies, multiplying the traffic by the number of hosts on the networks.
! On a multi-access broadcast network, hundreds of machines might reply to each packet.
address.
! Each packet is handled like a connection request, causing the server to spawn a half-open (embryonic) connection by sending back a TCP SYN-ACK packet and waiting for a packet in response from the sender address.
! However, because the sender address is forged, the response never comes.
! These half-open connections saturate the number of available connections the server is able to make, keeping it from responding to legitimate requests until after the attack ends.
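The exchange just described, modelled in Python as an added example (not the slides' own material). The first server allocates an embryonic connection for every SYN and is exhausted by a flood from forged sources; the second uses SYN cookies, a defence the slide does not cover, in which the server encodes the handshake in its initial sequence number and keeps no state until a valid ACK arrives. The backlog size, secret and clock are assumptions for the demo, and no real packets are sent.

```python
"""TCP SYN flood against a half-open connection table, and the stateless
SYN-cookie defence. Added example, not from the slides; the packet model
is a simplified in-memory exchange (no real sockets) and the backlog size,
secret and clock are assumptions chosen for the demo.
"""
import hashlib
import hmac
import random
from typing import Callable, Optional, Tuple

BACKLOG = 64          # assumption: embryonic connections the server will hold
SECRET = b"demo-secret-rotated-periodically"   # assumption; rotate in practice
MASK32 = 0xFFFFFFFF


class NaiveServer:
    """Allocates state on every SYN, as the slide describes."""

    def __init__(self) -> None:
        self.half_open = {}

    def on_syn(self, src: str, sport: int) -> Optional[Tuple[str, int]]:
        if len(self.half_open) >= BACKLOG:
            return None                          # table full: SYN silently dropped
        isn = random.getrandbits(32)
        self.half_open[(src, sport)] = isn       # waits for an ACK that may never come
        return ("SYN-ACK", isn)

    def on_ack(self, src: str, sport: int, ack: int) -> bool:
        isn = self.half_open.pop((src, sport), None)
        return isn is not None and ack == (isn + 1) & MASK32


class CookieServer:
    """Encodes the handshake in the ISN instead of storing it."""

    def __init__(self, clock: Callable[[], int]) -> None:
        self.clock = clock                       # coarse time slot counter
        self.established = set()

    def _cookie(self, src: str, sport: int, t: int) -> int:
        msg = f"{src}:{sport}:{t}".encode()
        return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:4], "big")

    def on_syn(self, src: str, sport: int) -> Tuple[str, int]:
        return ("SYN-ACK", self._cookie(src, sport, self.clock()))   # nothing stored

    def on_ack(self, src: str, sport: int, ack: int) -> bool:
        t = self.clock()
        for slot in (t, t - 1):                  # accept current and previous slot
            if ack == (self._cookie(src, sport, slot) + 1) & MASK32:
                self.established.add((src, sport))   # state allocated only now
                return True
        return False


def spoofed_flood(server, count: int) -> None:
    """Attacker: SYNs from forged sources; SYN-ACKs go nowhere, no ACK follows."""
    for i in range(count):
        server.on_syn(f"198.51.100.{i % 250}", 1024 + i)


def legitimate_client(server, src: str = "10.0.0.5", sport: int = 40000) -> bool:
    """Client completes the handshake with whatever ISN the server offered."""
    reply = server.on_syn(src, sport)
    if reply is None:
        return False                             # SYN dropped: connection fails
    _, isn = reply
    return server.on_ack(src, sport, (isn + 1) & MASK32)


def run_demo() -> Tuple[bool, bool, int]:
    """Returns (naive client connected, cookie client connected, naive table size)."""
    naive = NaiveServer()
    spoofed_flood(naive, 1000)
    naive_ok = legitimate_client(naive)

    tick = [0]
    cookie = CookieServer(clock=lambda: tick[0])
    spoofed_flood(cookie, 1000)
    cookie_ok = legitimate_client(cookie)
    return naive_ok, cookie_ok, len(naive.half_open)


if __name__ == "__main__":
    naive_ok, cookie_ok, held = run_demo()
    print(f"naive server: {held} half-open entries, legitimate client connected: {naive_ok}")
    print(f"cookie server: legitimate client connected: {cookie_ok}")
```

The naive table fills after BACKLOG forged SYNs and every later SYN, including the legitimate one, is dropped. The cookie server spends only an HMAC per SYN, keeps nothing, and still rejects an ACK that was not derived from one of its own cookies; real implementations must also cope with the fact that a cookie ISN cannot carry the full set of negotiated TCP options, which is why SYN cookies are usually enabled only under load.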
DDoS
server, send extremely large numbers of requests over a network or the Internet.
! These many requests cause the target server to run well below optimum speeds.
! Consequently, the attacked server becomes unavailable for legitimate access and use.
! By overloading system resources, DoS and DDoS attacks crash applications and processes by executing exploits or a combination of exploits.
! DoS and DDoS attacks are the most publicized form of attack and are among the most difficult to completely eliminate.
spurious data which can overwhelm a link causing legitimate traffic to be dropped.
! DDoS uses attack methods similar to standard DoS attacks but operates on a much larger scale.
! Typically hundreds or thousands of attack points attempt to overwhelm a target.
Mitigating Attacks
organization without imposing an excessive burden on the system resources or the users.
! Using switched networks.
way to stop these scans and sweeps when a computer is connected to the Internet.
! There are ways to prevent damage to the system.
! Authentication
! Strong authentication is a first line for defense.
! Cryptography
! If a communication channel is cryptographically secure, the only data a packet sniffer detects is cipher text.
! Anti-sniffer tools
! Anti-sniffer tools detect changes in the response time of hosts to determine whether the hosts are processing more traffic than their own traffic loads would indicate.
! Switched infrastructure
! A switched infrastructure does not eliminate the threat of packet sniffers but can greatly reduce a sniffer's effectiveness.
ensuring that systems inside a firewall never absolutely trust systems outside the firewall.
[Figure: IPsec tunnel between Host A and Host B, running from Router A across the ISP to Router B]
basis.
develop strategies to validate identities over the phone, via email, or in person.
8. Encrypt and password-protect sensitive data.
9. Implement security hardware and software such as firewalls, IPSs, virtual private network (VPN) devices, anti-virus software, and content filtering.
enemy, for every victory gained you will also suffer a defeat."
application.
! Hackers begin with little or no information about the intended
target.
! Their approach is always careful and methodical, never rushed
representation of the method that hackers use and a starting point for an analysis of how to defeat it.
! Step 1 Perform footprint analysis (reconnaissance).
! Step 2 Detail the information.
! Step 3 Manipulate users to gain access.
! Step 4 Escalate privileges.
! Step 5 Gather additional passwords and secrets.
! Step 6 Install back doors.
! Step 7 Leverage the compromised system.
proprietary documents).
! Minimize the amount of information on your public website.
! Examine your own website for insecurities.
! Run a ping sweep on your network.
! Familiarize yourself with one or more of the five Regional Internet
! GetMAC: This application provides a quick way to find the MAC (Ethernet) layer address and binding order for a computer running Microsoft Windows 2000 locally or across a network.
! Software development kits (SDKs): SDKs provide hackers with the basic tools that they need to learn more about systems.
manipulate people inside the network to provide the information needed to access the network.
! A computer is not required!
! Social engineering by telephone
! Dumpster diving
! Reverse social engineering
! Recommended reading:
! The Art of Deception: Controlling the Human Element of Security
! Mitnick, KD and Simon, WL; Wiley; New Ed edition
illustrated the vulnerability of help desks when he dialed up a phone company, got transferred around, and reached the help desk:
! Who's the supervisor on duty tonight?
! Let me talk to _____. (he's transferred)
! Hi _____, this is _____ from security in the IT center. Having a bad day?
! No, why?...Your systems are down.
! Response: my systems aren't down, we're running fine.
! Hmmm
! Really? Do me a favor then and sign off and on again.
! We didn't even show a blip, we show no change. Sign off again.
! There's something funny going on here. I'm going to have to sign on with your ID to figure out what's happening. Let me have your user ID and password.
surfing, (sometimes even using binoculars or camcorders) as telephone credit card numbers or ATM PINs are keyed.
enforcement, as someone in authority, as a new employee requesting help, as a vendor or systems manufacturer calling to offer a system patch or update.
! Offering help if a problem occurs, then making the problem occur, thereby manipulating the victim to call them for help.
! Sending free software or a patch for the victim to install.
! Sending a virus or Trojan Horse as an email attachment.
! Using a false pop-up window asking the user to log in again or sign on with a password.
! Leaving a USB stick or CD around the workplace with malicious software on it.
! Using insider lingo and terminology to gain trust.
! Offering a prize for registering at a Web site with username and password.
! Dropping a document or file at the company mail room for intra-office delivery.
! Modifying a fax machine heading to appear to come from an internal location.
! Asking the receptionist to receive then forward a fax.
! Asking for a file to be transferred to an apparently internal location.
! Getting a voice mailbox set up so call backs perceive the attacker as internal.
! Pretending to be from a remote office and asking for email access locally.
! Refusal to give a call back number
! Out-of-ordinary request
! Claim of authority
! Stresses urgency
! Threatens negative consequences of non-compliance
! Shows discomfort when questioned
! Name dropping
! Compliments or flattery
! Flirting
the host:
! Files containing user names and passwords
! Registry keys containing application or user passwords
! Any available documentation (for example, e-mail)
! If the host cannot be seen by the hacker, the hacker may launch a
! Hackers target:
! The local security accounts manager database
! The active directory of a domain controller
applications.
! Back doors:
! Provide a way back into the system if the front door is locked.
! The way into the system that is not likely to be detected.
! Port redirectors:
! Port redirectors can help bypass port filters, routers, and firewalls and may even be encrypted over an SSL tunnel to evade intrusion detection devices.
! Back doors and port redirectors let hackers attack other systems
in the network.
! Reverse trafficking lets hackers bypass security mechanisms.
! Trojans let hackers execute commands undetected.
! Scanning and exploiting the network can be automated.
! The hacker remains behind the cover of a valid administrator
account.
! The whole seven-step process is repeated as the hacker
! Keep patches up to date.
! Shut down unnecessary services and ports.
! Use strong passwords and change them often.
! Control physical access to systems.
! Avoid unnecessary web page inputs.
! Some websites allow users to enter usernames and passwords.
! A hacker can enter more than just a username; programmers should limit input to the characters a field legitimately needs and reject invalid characters such as shell metacharacters (| ; < >).
! Perform system backups and test them on a regular basis.
! Educate users about social engineering.
! Encrypt and password-protect sensitive data.
! Use appropriate security hardware and software.
! Develop a written security policy for the company.
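The web-input point above, as an added example not taken from the slides: the unsafe function hands a form field to a shell, so the metacharacters the slide lists turn a username into command injection; the hardened version validates against an allow-list (the username pattern is an assumed site policy) and passes the value as a separate argument with no shell involved. The echo command stands in for a real back-end lookup and the inputs are constructed.

```python
"""A web-form field handed to a shell, beside the hardened version.

Added example, not from the slides. lookup_unsafe() shows why the slide
warns that a user can enter more than a username: the metacharacters it
lists (| ; < >) let the field run extra commands. lookup_safe() validates
against an allow-list (the pattern is an assumed site policy) and passes
the value as its own argv element so no shell ever parses it. The echo
command stands in for a real back-end lookup; inputs are constructed.
"""
import re
import subprocess

ALLOWED_USERNAME = re.compile(r"^[a-z][a-z0-9_]{0,31}$")   # assumption: site policy
SHELL_METACHARS = set("|;<>&`$(){}\n")                     # superset of the slide's list


def lookup_unsafe(username: str) -> str:
    """DO NOT USE: the raw field is interpolated into a shell command line."""
    cmd = f"echo lookup {username}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def is_valid_username(username: str) -> bool:
    """Allow-list check: only the characters a username legitimately needs."""
    return ALLOWED_USERNAME.match(username) is not None


def has_shell_metachars(value: str) -> bool:
    """Deny-list view of the same input, useful for logging what was attempted."""
    return any(ch in SHELL_METACHARS for ch in value)


def lookup_safe(username: str) -> str:
    """Validate first, then call the program directly with an argv list."""
    if not is_valid_username(username):
        raise ValueError("invalid username")
    out = subprocess.run(["echo", "lookup", username], capture_output=True, text=True)
    return out.stdout


if __name__ == "__main__":
    field = "bob; echo INJECTED"
    print("unsafe ->", repr(lookup_unsafe(field)))      # the second command runs
    print("metachars present:", has_shell_metachars(field))
    try:
        lookup_safe(field)
    except ValueError as e:
        print("safe   ->", e)                            # rejected before any call
    print("safe   ->", repr(lookup_safe("bob")))
```

The allow-list is the control that matters; the deny-list of metacharacters is kept only to describe rejected input in logs, because any deny-list will miss a character or encoding the attacker finds later. Passing an argv list instead of a command string removes the shell from the path entirely, so even a character the allow-list lets through can no longer become a second command.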
© 2012 Cisco and/or its affiliates. All rights reserved.
areas:
! Control Plane - Responsible for routing data correctly. Consists of device-generated packets required for the operation of the network itself such as ARP message exchanges or OSPF routing advertisements.
! Management Plane - Responsible for managing network elements. Generated either by network devices or network management stations using processes and protocols such as Telnet, SSH, TFTP, FTP, NTP, AAA, SNMP, syslog, TACACS+, RADIUS, and NetFlow.
! Data Plane (Forwarding Plane) - Responsible for forwarding data. Consists of user-generated packets being forwarded between end stations. Most traffic travels through the router, or switch, via the data plane.
overwhelming the route processor. CoPP treats the control plane as a separate entity and applies rules to the input and output ports.
accessibility.
! Present legal notification developed by legal counsel of a corporation.
! Ensure the confidentiality of data by using management protocols
! only granted to authenticated users, groups, and services.
! Restrict the actions and views that are permitted by any particular user, group, or service.
! Enable management access reporting to log and account for all access.