Chapter 6 - Predicting and Mitigating Threats


Slides copyright 2010
by Paladin Group, LLC
used with permission by
UMBC Training Centers, LLC
Security+
Chapter 6 – Predicting and Mitigating
Threats
Brian E. Brzezicki
Malware (291)
malware – mal (bad) ware (software)
Software you would NEVER intentionally install or
execute on your computer. Types of malware we will
discuss:
• Viruses
• Worms
• Trojans
• Logic Bombs
• Rootkits
• Spyware
Virus
Virus Characteristics (291)
• Code that attaches itself to other VALID software
• Harmful code gets run when you run the valid
application
• When run, a virus generally replicates into other
software on the system, infecting it with the virus.
• Virus usually also takes some unwanted actions
when the host application is executed.
• Viruses have signatures (the bad code) that can be
searched for and detected.
Virus replication Methods (292)
• Email
• Infected removable media
– Floppies
– USB drives
– Even some published software on CDROM
• Downloaded software
• Network Shares
Virus Hoaxes
What is a hoax?
How can a hoax cause damage?
What is the best countermeasure for hoaxes?
Worms (295)
Worms – work differently than viruses
• Self-propagate
• Do damage
Countermeasures
• Remove unnecessary services
• Patch OS and applications
• Beware of code sent in email
Trojan Horses
Trojan (296)
Like the Trojan Horse of Greek mythology, a Trojan program
seems like a “gift”, disguised as a useful program. It
might even do something useful to keep up the
disguise, but it will cause you harm.
Countermeasures
• User Education
• Don’t run software that you are not familiar with and
that you don’t have “real distribution” media for.
• Software Digital Signing
• Anti-virus software to detect known Trojans
Logic Bombs (296)
Logic Bomb – Code or applications embedded into a
system that waits for a specific time or event then
goes off doing some type of damage.
Countermeasures
• Inventory all software and keep checksums.
Tripwire is a popular program that provides file
integrity verification.
Rootkits (297)
Software installed on a system to hide the presence
of an attacker.
Can consist of
• Replaced system software
• Loadable kernel modules
Adware and Spyware (298)
Adware – Software put on a system that tracks a
user’s usage; may cause pop-ups to occur.
Spyware – Dangerous software that is installed on a
system to have a much more malicious impact.
Keystroke loggers are a very dangerous type of
spyware.
Protection against Malware
• User Education
• File Integrity Verification
• Software Signing
• Anti-Virus software
– Signature Based
– Heuristic
• Anti Spyware software
– Lavasoft’s Ad-aware
– Windows Defender
– Spybot – Spybot Search and Destroy
Attacks
Privilege Escalation (n/b)
Once you have “user” access to a system trying to
use system tools and programs in ways that allow
you to raise your privileges beyond your normal
access levels.
• Buffer Overflows
Denial of Service Attacks
Ping of Death (n/b)
• Old bug in the Microsoft TCP/IP stack that caused a
computer to “blue screen” / crash when an
oversized ping packet was received. Even though
the bug was fixed, it re-appeared on later versions
of Windows.
SYN Flood
SYN Flood (302)
Attack
– Forge IP SYN packet from downed system
– Server responds to fake downed address,
which never responds
– Connections are “half-open” and use up
limited listen queue slots
– Stops real new connections from establishing
SYN Flood (302)
Countermeasures
• Stop forged packets at ingress/egress routers
• Patch OS
• Decrease 3 way handshake timeout values
• Increase 3 way handshake max connections
• Use a firewall as a middleman
• Set registry settings:
\HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\TCPIP\SynAttackProtect = 1
\HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\TCPIP\TcpMaxConnectResponseRetransmissions >= 2
More information regarding SYN flood registry settings at
http://technet.microsoft.com/en-us/library/cc938202.aspx
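An added example (not from the slides) of how a defender would spot the “half-open” condition described above from connection-table output. The netstat-style sample is constructed, and the listen backlog size is a parameter the operator supplies.

```python
import re
from collections import Counter

# Constructed `netstat -ant`-style output (not captured from a real host).
SAMPLE = """\
tcp  0  0  10.0.0.5:80   203.0.113.9:51322   ESTABLISHED
tcp  0  0  10.0.0.5:80   198.51.100.1:40001  SYN_RECV
tcp  0  0  10.0.0.5:80   198.51.100.2:40002  SYN_RECV
tcp  0  0  10.0.0.5:80   198.51.100.3:40003  SYN_RECV
tcp  0  0  10.0.0.5:80   198.51.100.4:40004  SYN_RECV
tcp  0  0  10.0.0.5:443  203.0.113.9:51330   ESTABLISHED
tcp  0  0  10.0.0.5:443  198.51.100.5:40005  SYN_RECV
"""

LINE = re.compile(r"^tcp6?\s+\d+\s+\d+\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)$")

def parse(text):
    """Yield (local_port, remote_ip, state) for each connection line."""
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            yield int(m.group(2)), m.group(3), m.group(5)

def half_open_by_port(text):
    """Number of half-open (SYN_RECV) connections per local listening port."""
    return Counter(port for port, _, state in parse(text) if state == "SYN_RECV")

def sources_by_port(text):
    """Distinct remote addresses in SYN_RECV per port. In a flood these are
    forged, so they look like many unrelated hosts rather than one source."""
    srcs = {}
    for port, ip, state in parse(text):
        if state == "SYN_RECV":
            srcs.setdefault(port, set()).add(ip)
    return {port: len(s) for port, s in srcs.items()}

def flooded_ports(text, backlog, ratio=0.5):
    """Ports whose half-open count exceeds ratio * listen backlog. Counting is
    per port, not per source, because blocking spoofed sources is futile; the
    remedies are the timeout/backlog tuning and ingress filtering listed above."""
    return sorted(p for p, n in half_open_by_port(text).items() if n > ratio * backlog)
```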
Smurf Attack (303)
How does a Smurf attack work? (see next slide)
1. Find site to attack, say www.ebay.com
2. Forge Ping packet from www.ebay.com to a
BROADCAST network address
3. Watch as the computers on the network all start
pinging back www.ebay.com
Countermeasures
• Drop forged packets at routers
• Drop directed broadcasts
• Drop pings to broadcast addresses
Smurf Attack (303)
Tear Drop (n/b)
Distributed Denial of Service
DDoS (304)
Distributed Denial of Service – Overwhelm the
victim by sheer numbers.
• Take over computers (bots/zombies)
• Build a command and control network using
masters and slaves.
– Often using IRC or other public services
• Control hundreds or thousands of computers and
attack another.
DDoS (304)
Spoofing (304)
One entity pretends to be another
• IP spoofing
• Email spoofing
Man in the Middle (307)
Replay Attacks (308)
Capturing authentication or session credentials and
resending them to gain access.
Countermeasures
• Do not allow credentials to be reused
– Time stamps
– Counters
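An added example (not from the slides) of the two countermeasures just listed working together: each message carries a counter and a timestamp, both protected by an HMAC so they cannot be edited, and the receiver accepts each message only once. The shared secret and the freshness window are assumptions for the example.

```python
import hashlib
import hmac
import json

# Assumed pre-shared secret between sender and receiver (constructed value).
SECRET = b"example-shared-secret"

def sign(payload, counter, ts):
    """Build a message with a monotonic counter and a timestamp; the HMAC
    binds both to the payload so a replayer cannot bump them."""
    body = json.dumps({"payload": payload, "counter": counter, "ts": ts}, sort_keys=True)
    tag = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}

class Verifier:
    """Receiver state for one sender: remembers the highest counter accepted."""
    def __init__(self, window=30):
        self.window = window        # seconds of clock skew tolerated
        self.last_counter = 0

    def accept(self, msg, now):
        """Return 'ok', or the reason the message was rejected."""
        expected = hmac.new(SECRET, msg["body"].encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, msg["tag"]):
            return "bad-tag"                    # altered or forged
        fields = json.loads(msg["body"])
        if abs(now - fields["ts"]) > self.window:
            return "stale"                      # timestamp outside the window
        if fields["counter"] <= self.last_counter:
            return "replay"                     # already seen (within the window)
        self.last_counter = fields["counter"]
        return "ok"
```

The timestamp alone would still let a capture be replayed inside the window; the counter closes that gap, and the tag stops an attacker from simply editing either field.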
TCP/IP Hijacking (309)
When you cannot steal someone else’s password or
break into a system, steal someone else’s
connection.
1. Wait for a user to authenticate
2. Determine sequence numbers
3. Knock valid user off network
4. Steal their authenticated connection
ARP poisoning (309)
• ARP poisoning is an attack against a network,
where one computer sends a fake ARP reply, in
the attempt to trick another computer on the
same network to communicate with it instead of
the real machine. This can be used as a man in the
middle attack, or a straight hijacking attack.
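An added example (not from the slides) of the detection side of ARP poisoning: a monitor that keeps the first IP-to-MAC binding it sees (or a pinned table of trusted bindings, which is what static ARP entries give you) and flags any reply that claims the same IP for a different MAC. The reply records are constructed, not captured.

```python
from collections import defaultdict

# Constructed ARP reply records: (time, sender_ip, sender_mac). Not real traffic.
REPLIES = [
    (0, "192.168.1.1", "aa:bb:cc:00:00:01"),
    (5, "192.168.1.20", "aa:bb:cc:00:00:20"),
    (9, "192.168.1.1", "aa:bb:cc:00:00:01"),
    (12, "192.168.1.1", "de:ad:be:ef:00:99"),   # gateway IP now claimed by another MAC
    (15, "192.168.1.1", "de:ad:be:ef:00:99"),
]

def detect_conflicts(replies, trusted=None):
    """Return (time, ip, known_mac, new_mac) for every reply whose binding
    differs from the one already recorded for that IP. `trusted` is an
    optional dict of pinned bindings; without it the first reply seen wins."""
    table = dict(trusted or {})
    alerts = []
    for t, ip, mac in replies:
        known = table.get(ip)
        if known is None:
            table[ip] = mac
        elif known != mac:
            alerts.append((t, ip, known, mac))
    return alerts

def macs_claiming(replies):
    """IPs that more than one MAC has claimed, with the sorted set of MACs."""
    seen = defaultdict(set)
    for _, ip, mac in replies:
        seen[ip].add(mac)
    return {ip: sorted(m) for ip, m in seen.items() if len(m) > 1}
```

A conflict on the default gateway’s IP is the classic man-in-the-middle sign; a conflict on an ordinary host is also worth checking, since legitimate hardware changes are rare and usually known to the operator.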
DNS Poisoning (n/b)
Faking DNS responses in order to trick a computer
into going to an attacker’s site rather than the real
site.
Example: if I can “poison” your DNS cache and
redirect www.bankofamerica.com to my IP
address, I could put up a fake site and steal your
banking information! (or set up a MiM attack)
Reconnaissance (310)
Learning as much as you can about your target you
plan on attacking. This is the first step in the
hacking process.
• IP address identification
• DNS probing
• PING scanning
• OS fingerprinting
• Port Scanning
• Vulnerability identification
Null Sessions (311)
In early versions of Windows, unauthenticated users could “browse”
the network to see what resources existed on the network. This
browsing made use of “Null Sessions”, which are network
connections allowed without any type of authentication.
Hackers can use Null Sessions and browsing to learn about the
network, and Null Sessions should be disabled or limited in their
functionality.
To fight Null Sessions on Windows:
HKLM\SYSTEM\CurrentControlSet\Control\LSA\RestrictAnonymous = 1
See http://support.microsoft.com/?kbid=246261
Domain Name Tasting and Kiting
Tasting – registering a domain for 5 days for “free”
Kiting – deleting the domain in the 5 day grace
period then re-registering it
Social Engineering (314 – 318)
Trying to trick people into giving you access to a
system.
• Phishing
• Piggybacking/tailgating
• Impersonation
• Dumpster Diving
• Shoulder Surfing
Importance of User Education (318)
No security program can be successful if the users
are not properly trained on security issues and
procedures. Some attacks such as social
engineering attacks are best defended by
education rather than technical means. Some
methods of user education are:
• Training Classes
• Login banners
• Centralized email/information dispersal
• Policies and procedures