Slide 1 - McGraw Hill Higher Education


Information Assurance for the Enterprise: A Roadmap to Information Security, by Schou and Shoemaker
Chapter 12
Network Security Basics:
Malware and Attacks
McGraw-Hill/Irwin
Copyright © 2007 by The McGraw-Hill Companies, Inc. All rights reserved.
Objectives

• Work with connection control and transmission control concepts
• Develop the planning and control techniques associated with network security
• Work with various types of threats to networks
Network Security

Guards against threats to electronic communication.

Network security has a dual mission:
• It must ensure the accuracy of the data transmitted
• It must also protect confidential information processed, stored on and accessible from networks, while ensuring network availability to authorized users

Its role is to ensure that the network components:
• Operate correctly
• Satisfy design requirements
• Transmit information while retaining fundamental integrity
Engineering the Network: Ensuring a Proper Design

Physical infrastructure – designed to ensure all required security functions are present:
• Firewalls, intrusion detection systems (IDSs), and strong authentication
• Unique physical components of networks are switches, hubs, routers, and cables
Engineering the Network: Ensuring a Proper Design

[Figure: relation of physical and software components]
Connection Control

Establishes and regulates the relationship between a computer and a network.
• Ensures reliable transfer of messages and performs some transmission error correction

Configuration process – responsibility of the network administrator:
• Establishes the authentication rules
• Rules consider whom the network will trust
• Specifications of rules for the authentication of a trusted source balance the need for confidentiality and integrity with availability
Enforcing Connection Control: The Firewall

Firewalls enforce access rights and protect the network from external systems.
• Regulate access between trusted networks and untrusted ones
• Organizations may array multiple firewalls in a defense-in-depth configuration

Firewalls are high-level software utilities that sit on the router end of the physical network.
• Network security policies embedded in the firewall software dictate access
Enforcing Connection Control: The Firewall

Types of firewalls:
• Personal firewall – regulates connections between a single computer and external sources
• Stateless firewall (packet filter) – accepts or discards each incoming packet on its own, based on header fields such as source and destination IP address, protocol, and port, and on whether those correspond to services the network is known to offer; it keeps no memory of earlier packets
• Stateful firewall – tracks the status of the network traffic traveling across it in a “state table,” so each packet is judged in the context of the connection it belongs to
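The following is an added example, not code from the textbook, that makes the stateless/stateful distinction concrete. It simulates both kinds of filter in Python over a few constructed packets; the rule syntax, the Packet type, the addresses and the published port (443) are all assumptions made for the illustration. The point to notice is the third packet: a stateless filter that must let replies to outbound connections back in also lets an unsolicited probe of the same port through, while the stateful filter denies it because no tracked flow matches.

```python
# Added example (not from the textbook): a toy packet filter that shows the
# difference between stateless and stateful decisions.  The rule syntax, the
# Packet type and the sample traffic are all constructed for illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str           # source IP address
    sport: int         # source port
    dst: str           # destination IP address
    dport: int         # destination port
    direction: str     # "in" = arriving from the untrusted side, "out" = leaving the trusted side
    syn: bool = False  # TCP SYN set, i.e. a new connection request


# Stateless rules: (direction, lowest port, highest port, action); first match wins.
# Every packet is judged on its own header fields; nothing is remembered.
STATELESS_RULES = [
    ("out", 0, 65535, "allow"),      # trusted hosts may initiate anything
    ("in", 443, 443, "allow"),       # the one published service (HTTPS)
    ("in", 1024, 65535, "allow"),    # needed so replies to outbound connections get back in
    ("in", 0, 65535, "deny"),        # default deny
]


def stateless_filter(pkt: Packet) -> str:
    for direction, lo, hi, action in STATELESS_RULES:
        if pkt.direction == direction and lo <= pkt.dport <= hi:
            return action
    return "deny"


class StatefulFilter:
    """Keeps a state table of flows opened from the trusted side and admits an
    inbound packet only if it is a reply to one of them (or a genuine new
    connection to the published service)."""

    PUBLISHED = {443}

    def __init__(self):
        # (trusted ip, trusted port, remote ip, remote port)
        self.state = set()

    def filter(self, pkt: Packet) -> str:
        if pkt.direction == "out":
            self.state.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "allow"
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.state:
            return "allow"                       # reply to a tracked flow
        if pkt.dport in self.PUBLISHED and pkt.syn:
            return "allow"                       # new connection to a published service
        return "deny"                            # unsolicited inbound traffic


# Constructed traffic: an inside client talks to a web server, then an
# outside host tries to reach the client's ephemeral port uninvited.
TRAFFIC = [
    Packet("10.0.0.5", 50000, "203.0.113.9", 80, "out", syn=True),   # client -> web server
    Packet("203.0.113.9", 80, "10.0.0.5", 50000, "in"),              # server's reply
    Packet("198.51.100.7", 4444, "10.0.0.5", 50000, "in"),           # unsolicited probe of the same port
    Packet("198.51.100.7", 5555, "10.0.0.10", 443, "in", syn=True),  # legitimate HTTPS request
    Packet("198.51.100.7", 5555, "10.0.0.10", 22, "in", syn=True),   # SSH is not published
]


def compare(traffic):
    """Return [(stateless decision, stateful decision), ...] for each packet."""
    sf = StatefulFilter()
    return [(stateless_filter(p), sf.filter(p)) for p in traffic]


if __name__ == "__main__":
    for pkt, (stateless, stateful) in zip(TRAFFIC, compare(TRAFFIC)):
        print(f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} ({pkt.direction}): "
              f"stateless={stateless} stateful={stateful}")
```

The stateless rule that opens ports 1024 and above is the price of having no memory: without it legitimate replies never get back in, with it any outside host can reach any high port. The state table removes that trade-off, which is why the packet-filter-only design has largely given way to stateful inspection.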
Transmission Control

Regulates the actual transmission process.
• Ensures that the communication between two devices is flowing properly
• Supports the integrity and availability of network data
• Facilitated through firmware drivers in communications devices and software in the operating system

Transmission rules have to be agreed on by both sides and include:
• Mode in which the data will be transmitted
• Format of the data
• Rate of transmission
• Type of error checking
• Data compression method
• Sending device confirmation of process completion
• Mode of indicating receipt by the receiving device
Transmission Control

Transmission protocols are built into the communications devices.

Common modern transmission control is based on the OSI reference model:
• It defines seven layers for communication among computer systems
• It was defined by the International Organization for Standardization as ISO standard 7498-1

The TCP/IP protocol suite used by the Internet is frequently shown with five layers:
• Application layer, transport layer, network layer, data link layer, and physical layer
Defending Networks from Attacks

The unique security problem with networks is their level of interconnectedness.
• Networks have to be secured by specialized and very robust technologies and practices
• Two broad categories of network threats:
  • Malicious code
  • Direct attacks
Threats to Information

Malicious code – three categories transmitted through networks:
• Viruses
• Logic bombs
• Trojan horses
Threats to Information

[Figure: common types of malicious code]
Viruses

Appropriate countermeasure to a common virus: a virus checker that detects and removes viruses.

Most virus checkers follow the process below:
• Examine files in memory or storage for recognizable code fragments or key words
• Compare scan results with signatures of known viruses
• Take action when an identifiable pattern is detected
• Sometimes perform an automatic repair
Viruses

Impact of viruses:
• A virus is destructive if it damages a system function
• It can affect the operating system in undesirable ways such as:
  • Corrupting or deleting files
  • Reformatting the hard drive
  • Executing denial-of-service attacks
• Often, the system becomes unusable, files are lost, and the damage cannot be repaired automatically
Viruses

Categories of viruses:
• File-infecting viruses – affect executable programs, replicate and spread by infecting other host programs
• Boot-sector viruses – infect the boot sector or partition table of a system
• Multipartite viruses – infect both the boot sector and the executable programs and files simultaneously
• Macro viruses – infect systems through an application
• Polymorphic and stealth viruses – change their own encoding from one infection to the next, or hide their presence from the system, and so defeat most signature-based countermeasures
• Worm – self-contained program capable of spreading copies of itself or its segments to other computer systems via network connections or e-mail attachments
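The following is an added example, not code from the textbook, serving two slides at once: the scan-and-compare loop of the virus checker described above, and the reason polymorphic code defeats it. The signature database, the sample "files", the XOR re-encoding and the decoder stub are all constructed for this illustration; the "infected" marker is inert text, not real malicious code.

```python
# Added example (not from the textbook): the scan-and-compare loop of a
# signature-based checker, plus a toy polymorphic re-encoding that shows why
# such checkers miss polymorphic code.  Signatures, sample "files" and the
# XOR transform are all constructed; the marker is inert text, not real malware.
import re

# Constructed signature database: name -> byte pattern to look for.
SIGNATURES = {
    "Demo.Marker.A": re.compile(rb"DEMO-INFECT-MARKER-\d{4}"),
    "Demo.Stub.B": re.compile(rb"\x90\x90\x90\x90\xcc"),
}


def scan(data: bytes) -> list:
    """Examine a file image for recognisable fragments; return the names of
    every signature that matches (the 'compare with known signatures' step)."""
    return [name for name, pattern in SIGNATURES.items() if pattern.search(data)]


def xor_encode(payload: bytes, key: int) -> bytes:
    """Toy polymorphic transform: same behaviour once decoded, different bytes on disk."""
    return bytes(b ^ key for b in payload)


def polymorphic_variant(payload: bytes, key: int) -> bytes:
    """Mimic what a polymorphic virus writes: a small clear-text decoder stub
    followed by the body encoded under a per-infection key."""
    stub = b"STUB:key=%02x;" % key
    return stub + xor_encode(payload, key)


STUB_RE = re.compile(rb"^STUB:key=([0-9a-f]{2});")


def decode_variant(blob: bytes) -> bytes:
    """What a scanner must do to see through the stub: parse the key and undo
    the encoding before comparing signatures (unpacking/emulation)."""
    m = STUB_RE.match(blob)
    if m is None:
        return blob
    key = int(m.group(1), 16)
    return xor_encode(blob[m.end():], key)


# Constructed sample files.
CLEAN_FILE = b"MZ\x90\x00 an ordinary program, nothing to see here"
INFECTED_FILE = b"MZ\x90\x00 host code ... DEMO-INFECT-MARKER-2007 ... host code"


def demo() -> dict:
    variant = polymorphic_variant(INFECTED_FILE, 0x5A)
    return {
        "clean": scan(CLEAN_FILE),
        "infected": scan(INFECTED_FILE),
        "polymorphic_raw": scan(variant),                      # signature not visible
        "polymorphic_decoded": scan(decode_variant(variant)),  # visible after unpacking
    }


if __name__ == "__main__":
    for label, hits in demo().items():
        print(f"{label:20s} -> {hits or 'no detection'}")
```

The raw variant contains every byte of the infected file, just XORed, so a pattern match over the stored bytes finds nothing; only after the scanner reproduces the decoder's work does the signature reappear. That is the reason real checkers added unpacking, emulation and heuristics on top of plain signature comparison.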
Logic Bombs

Dormant blocks of undocumented code activated when some prescribed set of criteria is met, such as time, date, or status of the system.
• Can be planted by an employee prior to termination and activated afterward for revenge
• High destructive potential
• Should be aggressively hunted down and eliminated
• Requires extensive, expensive code reviews by high-level professionals
• Resurfacing as an important part of cyber-terrorism
Trojan Horses

Not viruses, because they do not replicate; they may, however, transmit viruses or spyware.
• May assist in propagating denial-of-service (DoS) attacks
• Can deliver unwelcome payloads – common payloads include:
  • Spyware – propagates from websites
  • Spamware, password capture, keyloggers, and cookie trackers
  • Adware – not directly malicious, but it does use up valuable time and system resources
Malicious Attacks

The best way to counteract a network attack is to anticipate it and have measures in place to either stop it or mitigate the harm.

Network attacks fall into seven general categories:
• Password attacks
• Insider attacks
• Sniffing
• IP spoofing
• Denial of service
• Man-in-the-middle attacks
• Application layer attacks
Malicious Attacks

Password attacks:
• Password guessing
• Dictionary attack – tries the words in a word list, including commonly chosen passwords
• Other, more resource-intensive approaches (key search, exhaustive search, brute force) try every possible combination of characters up to some length
• Social engineering – based on persuasion; the password is disclosed by the user
• Password sniffing – captures passwords sent in cleartext, using software-based network monitoring tools
  • Countermeasure for sniffers: encryption
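The following is an added example, not code from the textbook, that runs the guessing strategies listed above against a password hash and shows the defender's side. The word list, the target passwords, the hash functions and the iteration count are assumptions made for the illustration; the dictionary attack and brute force are the general algorithms, not tied to any particular product.

```python
# Added example (not from the textbook): the guessing strategies the slide
# lists, run against a password hash, and the defender-side hashing that makes
# each guess expensive.  The word list, target passwords and hashing choices
# are constructed for illustration.
import hashlib
import itertools
import os
import string

# Constructed word list of commonly chosen passwords.
WORDLIST = ["password", "letmein", "123456", "qwerty", "welcome", "summer2007"]


def fast_hash(pw: str) -> str:
    """Unsalted single SHA-256: what a guessing attack hopes to find in a stolen file."""
    return hashlib.sha256(pw.encode()).hexdigest()


def dictionary_attack(target: str, wordlist, hash_fn=fast_hash):
    """Try each word in order; return (password, guesses) or (None, guesses)."""
    for guesses, word in enumerate(wordlist, start=1):
        if hash_fn(word) == target:
            return word, guesses
    return None, len(wordlist)


def brute_force(target: str, alphabet: str, max_len: int, hash_fn=fast_hash):
    """Exhaustive key search: every string over `alphabet` up to `max_len` characters."""
    guesses = 0
    for length in range(1, max_len + 1):
        for chars in itertools.product(alphabet, repeat=length):
            guesses += 1
            candidate = "".join(chars)
            if hash_fn(candidate) == target:
                return candidate, guesses
    return None, guesses


def search_space(alphabet_size: int, max_len: int) -> int:
    """Number of candidates an exhaustive search must cover in the worst case."""
    return sum(alphabet_size ** n for n in range(1, max_len + 1))


def slow_hash(pw: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """Salted, iterated hash (PBKDF2-HMAC-SHA256): the salt defeats precomputed
    tables and the iteration count multiplies the cost of every guess."""
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, iterations)


def make_record(pw: str) -> tuple:
    """Store (salt, hash); a fresh random salt per account."""
    salt = os.urandom(16)
    return salt, slow_hash(pw, salt)


def verify(pw: str, record: tuple) -> bool:
    salt, stored = record
    return slow_hash(pw, salt) == stored


if __name__ == "__main__":
    print("dictionary:", dictionary_attack(fast_hash("letmein"), WORDLIST))
    print("brute force:", brute_force(fast_hash("abc"), string.ascii_lowercase, 3))
    print("worst case, 8 chars from 95 printable:", search_space(95, 8))
    rec = make_record("summer2007")
    print("verify right password:", verify("summer2007", rec), "wrong:", verify("winter2007", rec))
```

The dictionary attack needs two guesses for "letmein" and the brute force 731 for "abc"; the same code with fast_hash replaced by slow_hash pays the full iteration count per guess, which is the only lever the defender has once a hash file has leaked (the other being to make the guessing channel itself, the login service, rate limited).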
Malicious Attacks

Insider attacks:
• Misuse incidents originating from intentional or inadvertent actions of employees
• First line of defense is good management supported by monitoring
  • Supervisors are key security control points for employee monitoring
  • Automated software agents called policy managers or policy enforcement systems also help
Role and Use of Policy Managers

Automated policy managers are effective tools:
• Defend against unauthorized access to confidential data and proprietary information
• Provide the ability to filter network transactions through custom policies
• Control the distribution of unsuitable or offensive content and inappropriate activities
• Regulate the enterprise’s e-mail traffic by defining and enforcing rules governing:
  • Spam
  • Content filtering
  • Implementation of encryption and digital signature policies
Use of Sniffers

Sniffers are common utilities, employed to read any information in packets transmitted over a network.
• Can be used to map the entire network topology
• Capture information necessary to determine:
  • Number of computers on the network
  • What they access
  • Which hosts run what services

Defenses against sniffing are:
• Encryption (a sniffer still sees who talks to whom, but not the content)
• Strong physical security (a sniffer needs a tap or a port on the network segment it is reading)
• The same tool turned to defense: sniffers placed at the Internet boundary, as network intrusion detection systems use them, are a good countermeasure for network intrusion
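The following is an added example, not code from the textbook, showing what a sniffer actually does with the bytes it reads: decode the Ethernet, IPv4 and TCP headers and build an inventory of hosts, the services each one answers on, and who connects to what. The frames are constructed in code (zero checksums, no options) rather than captured, and the addresses and ports are assumptions; capturing live traffic would need a raw socket or libpcap, which is exactly the access that strong physical security denies.

```python
# Added example (not from the textbook): the core of a sniffer, a decoder for
# raw Ethernet/IPv4/TCP frames, and the inventory a sniffer builds from them.
# The frames are constructed in code (zero checksums, no options) rather than
# captured; capturing live traffic would need a raw socket or libpcap.
import socket
import struct
from collections import defaultdict

ETH_HDR = "!6s6sH"         # dst MAC, src MAC, EtherType
IP_HDR = "!BBHHHBBH4s4s"   # ver/IHL, TOS, total len, id, flags/frag, TTL, proto, csum, src, dst
TCP_HDR = "!HHIIBBHHH"     # sport, dport, seq, ack, data offset, flags, window, csum, urgent
ETHERTYPE_IPV4, PROTO_TCP = 0x0800, 6
SYN, ACK = 0x02, 0x10


def build_frame(src_ip, dst_ip, sport, dport, flags, ethertype=ETHERTYPE_IPV4):
    """Construct a minimal frame (used here only to fabricate sample traffic)."""
    tcp = struct.pack(TCP_HDR, sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    ip = struct.pack(IP_HDR, 0x45, 0, 20 + len(tcp), 0, 0, 64, PROTO_TCP, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    eth = struct.pack(ETH_HDR, b"\x00" * 6, b"\x00" * 6, ethertype)
    return eth + ip + tcp


def parse_frame(frame: bytes):
    """Decode one frame; return (src_ip, dst_ip, sport, dport, tcp_flags),
    or None if it is not IPv4/TCP."""
    _, _, ethertype = struct.unpack_from(ETH_HDR, frame, 0)
    if ethertype != ETHERTYPE_IPV4:
        return None
    off = struct.calcsize(ETH_HDR)
    ver_ihl, _, _, _, _, _, proto, _, src, dst = struct.unpack_from(IP_HDR, frame, off)
    if ver_ihl >> 4 != 4 or proto != PROTO_TCP:
        return None
    off += (ver_ihl & 0x0F) * 4            # honour IHL in case IP options are present
    sport, dport, _, _, _, flags, _, _, _ = struct.unpack_from(TCP_HDR, frame, off)
    return socket.inet_ntoa(src), socket.inet_ntoa(dst), sport, dport, flags


def inventory(frames):
    """Build the picture a sniffer gives an attacker: which hosts exist, which
    services each host answers on (SYN/ACK seen), and who connects to what."""
    hosts, services, talks_to = set(), defaultdict(set), defaultdict(set)
    for frame in frames:
        decoded = parse_frame(frame)
        if decoded is None:
            continue
        src, dst, sport, dport, flags = decoded
        hosts.update((src, dst))
        if flags & SYN and not flags & ACK:
            talks_to[src].add((dst, dport))    # connection request: client -> service
        elif flags & SYN and flags & ACK:
            services[src].add(sport)           # server accepted: it runs that service
    return hosts, dict(services), dict(talks_to)


# Constructed capture: two clients, one server answering on 22 and 443, one
# unanswered request to 10.0.0.11:80, and one non-IP (ARP) frame to be skipped.
CAPTURE = [
    build_frame("10.0.0.5", "10.0.0.10", 50000, 22, SYN),
    build_frame("10.0.0.10", "10.0.0.5", 22, 50000, SYN | ACK),
    build_frame("10.0.0.6", "10.0.0.10", 50001, 443, SYN),
    build_frame("10.0.0.10", "10.0.0.6", 443, 50001, SYN | ACK),
    build_frame("10.0.0.5", "10.0.0.11", 50002, 80, SYN),
    build_frame("10.0.0.5", "10.0.0.11", 50002, 80, SYN, ethertype=0x0806),
]

if __name__ == "__main__":
    hosts, services, talks_to = inventory(CAPTURE)
    print("hosts:", sorted(hosts))
    print("services:", services)
    print("who talks to what:", talks_to)
```

Note what the inventory contains even when every payload is encrypted: the host list, the open services and the client-to-server relationships all come from headers. That is why the slide lists encryption and physical security together; encryption protects the content, only keeping the sniffer off the segment protects the topology.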
IP Spoofing

IP spoofing is an address attack in which the malicious agent electronically impersonates another network party through its IP address.

Prevention of IP spoofing can be done using:
• Routers and firewalls programmed to drop packets whose source address is impossible for the interface they arrive on (ingress and egress filtering)
• Encrypted systems such as SSH (secure shell) for authentication services, so that trust rests on cryptographic keys rather than on the source address
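The following is an added example, not code from the textbook, of the "programmed router" check: source-address filtering on the interface a packet arrives on. The internal prefixes, the interface names and the sample packets are constructed for the illustration; the technique itself is the ingress/egress filtering that routers and firewalls apply in practice.

```python
# Added example (not from the textbook): the router/firewall check that stops
# the most common spoofing, ingress/egress source-address filtering.  The
# internal prefixes, interface names and sample packets are constructed.
import ipaddress

INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]
# Addresses that are never a valid source arriving from the Internet.
BOGONS = [ipaddress.ip_network(n) for n in
          ("0.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]


def is_internal(ip) -> bool:
    return any(ip in net for net in INTERNAL_NETS)


def source_check(iface: str, src: str) -> str:
    """iface is 'outside' (Internet-facing) or 'inside'.  Returns 'accept' or
    'drop: <reason>'.  A router cannot verify a source address, but it can
    reject one that is impossible for the interface it arrived on."""
    ip = ipaddress.ip_address(src)
    if any(ip in net for net in BOGONS):
        return "drop: bogon source"
    if iface == "outside" and is_internal(ip):
        return "drop: ingress spoof, internal source arriving from outside"
    if iface == "inside" and not is_internal(ip):
        return "drop: egress spoof, non-internal source leaving our network"
    return "accept"


# Constructed packets: (interface the packet arrived on, claimed source address)
SAMPLE = [
    ("outside", "203.0.113.9"),   # ordinary Internet host
    ("outside", "10.0.0.5"),      # claims to be one of ours: spoofed
    ("outside", "127.0.0.1"),     # loopback seen on the wire: spoofed
    ("inside", "10.0.0.5"),       # our host leaving: fine
    ("inside", "198.51.100.7"),   # our host using someone else's address: blocked
]


def run(samples=SAMPLE):
    return [(iface, src, source_check(iface, src)) for iface, src in samples]


if __name__ == "__main__":
    for iface, src, verdict in run():
        print(f"{iface:8s} {src:15s} {verdict}")
```

The ingress rule protects this network from outsiders pretending to be insiders; the egress rule protects everyone else from this network's hosts pretending to be someone else, which matters because spoofed sources are what make flood attacks hard to trace. Neither rule catches an outsider spoofing a different outsider, which is why the slide also lists SSH-style cryptographic authentication.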
Denial of Service (DoS)

DoS attacks affect the availability of transmission media.
• Degrade the availability of information
• Designed to cost the target time and money
• Can be launched in numerous ways – the most common form:
  • DoS flood – overloads the system’s servers, routers, or DNS to the extent that service to authorized users is delayed or prevented, disabling a particular network service
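The following is an added example, not code from the textbook, of the detection side of the DoS flood case: a sliding-window count of connection requests per source and target, run over constructed firewall log lines. The log format, the addresses, the ten-second window and the threshold of five are all assumptions made for the illustration; real thresholds are tuned to the service's normal load.

```python
# Added example (not from the textbook): a sliding-window detector for the
# "DoS flood" case, run over constructed firewall log lines.  The log format,
# addresses, window and threshold are all assumptions made for this example.
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed log format: ISO timestamp, source, destination, port, TCP flag.
LOG_RE = re.compile(r"^(\S+) SRC=(\S+) DST=(\S+) DPT=(\d+) (\w+)$")

SAMPLE_LOG = """\
2007-03-01T10:00:00 SRC=203.0.113.9 DST=10.0.0.10 DPT=80 SYN
2007-03-01T10:00:00 SRC=198.51.100.7 DST=10.0.0.10 DPT=80 SYN
2007-03-01T10:00:01 SRC=198.51.100.7 DST=10.0.0.10 DPT=80 SYN
2007-03-01T10:00:01 SRC=203.0.113.9 DST=10.0.0.10 DPT=80 ACK
2007-03-01T10:00:02 SRC=198.51.100.7 DST=10.0.0.10 DPT=80 SYN
2007-03-01T10:00:03 SRC=198.51.100.7 DST=10.0.0.10 DPT=80 SYN
2007-03-01T10:00:04 SRC=198.51.100.7 DST=10.0.0.10 DPT=80 SYN
2007-03-01T10:00:05 SRC=198.51.100.7 DST=10.0.0.10 DPT=80 SYN
2007-03-01T10:00:30 SRC=203.0.113.9 DST=10.0.0.10 DPT=443 SYN
this line is not in the expected format and is skipped
""".splitlines()


def parse_line(line: str):
    m = LOG_RE.match(line)
    if m is None:
        return None
    ts, src, dst, dpt, flag = m.groups()
    return datetime.fromisoformat(ts), src, dst, int(dpt), flag


def detect_floods(lines, window_s: int = 10, threshold: int = 5):
    """Count connection requests (SYN) per (source, destination, port) within a
    sliding time window; raise one alert per key when the count reaches the
    threshold.  Returns [(timestamp, src, dst, port, count_in_window), ...]."""
    windows = defaultdict(deque)
    alerts, alerted = [], set()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec[4] != "SYN":
            continue
        ts, src, dst, dpt, _ = rec
        key = (src, dst, dpt)
        q = windows[key]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:   # expire requests outside the window
            q.popleft()
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append((ts, src, dst, dpt, len(q)))
    return alerts


if __name__ == "__main__":
    for ts, src, dst, dpt, n in detect_floods(SAMPLE_LOG):
        print(f"{ts.isoformat()} possible SYN flood: {src} -> {dst}:{dpt}, {n} requests in window")
```

Keying on the source address is enough for a single-source flood like the one in the sample; a distributed flood spreads the requests over many sources, so a second counter keyed on (destination, port) alone, or on the number of distinct sources per target, is the usual companion. Also note that a spoofed source (previous slide) shows up here as whatever address the attacker chose, which is why detection and ingress filtering work together.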
Man-in-the-Middle Attacks

The attacker has the ability to read and modify all messages passed between two parties without their knowledge.

Possible outcomes of such attacks include:
• Theft of information and hijacking of an ongoing session
• Traffic analysis to derive information about a network and its users
• Denial of service and corruption of transmitted data
• Introduction of new information into network sessions
Application Layer Attacks

They take advantage of weaknesses in popular applications and application services.

Common attacks include:
• Buffer overflows – exploit poorly written code that does not check the length of input to an application
• Cross-site scripting flaws – allow an attacker to get a web application to deliver attack scripts to a user’s browser
• Unvalidated parameters – web requests that are not validated before being used by the application
• Command injection attacks – web applications are allowed to pass parameters containing malicious commands to be executed on an external system

Favored approach against Internet-based attacks: a defense-in-depth strategy.
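The following is an added example, not code from the textbook, showing two of the listed attacks as the vulnerable pattern beside the hardened one: an unvalidated parameter reaching a shell command (command injection) and one reaching an HTML page (cross-site scripting). The ping wrapper, the greeting page and the attacker-supplied parameters are constructed for the illustration; nothing in the block executes a command.

```python
# Added example (not from the textbook): the command-injection and cross-site
# scripting cases from the slide, each as the vulnerable pattern beside the
# hardened one.  The request parameters, the ping wrapper and the greeting
# page are constructed; nothing here executes a command.
import html
import re

# Validation rule for a host name parameter: letters, digits, dots and dashes only.
HOST_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")


def vulnerable_ping_command(host: str) -> str:
    """Unvalidated parameter concatenated into a shell command line.  If this
    string were handed to a shell, everything after ';' would run as a second
    command on the server."""
    return "ping -c 1 " + host


def safe_ping_argv(host: str) -> list:
    """Validate the parameter against an allow-list, then build an argv list so
    no shell ever parses it (run with subprocess.run(argv), never shell=True)."""
    if not HOST_RE.match(host):
        raise ValueError("invalid host parameter")
    return ["ping", "-c", "1", host]


def hardened_rejects(host: str) -> bool:
    """True if the hardened wrapper refuses the parameter."""
    try:
        safe_ping_argv(host)
    except ValueError:
        return True
    return False


def vulnerable_greeting(name: str) -> str:
    """Reflects the parameter into HTML unchanged: script tags reach the browser."""
    return "<p>Hello, " + name + "</p>"


def safe_greeting(name: str) -> str:
    """Output encoding turns markup characters into harmless entities."""
    return "<p>Hello, " + html.escape(name) + "</p>"


def contains_active_script(page: str) -> bool:
    """Simple check used here to show whether a page would execute a script."""
    return "<script" in page.lower()


# Constructed request parameters an attacker might send.
INJECTED_HOST = "10.0.0.1; cat /etc/passwd"
XSS_NAME = "<script>alert(document.cookie)</script>"

if __name__ == "__main__":
    print("vulnerable command line:", vulnerable_ping_command(INJECTED_HOST))
    print("hardened wrapper rejects it:", hardened_rejects(INJECTED_HOST))
    print("hardened argv for a good value:", safe_ping_argv("10.0.0.1"))
    print("vulnerable page runs script:", contains_active_script(vulnerable_greeting(XSS_NAME)))
    print("hardened page runs script:", contains_active_script(safe_greeting(XSS_NAME)))
```

Both fixes are the same idea applied at different boundaries: decide what a parameter may contain before it crosses into an interpreter (shell, HTML, SQL), and hand it over in a form that interpreter cannot mistake for its own syntax. The allow-list and the argv list close the command injection; output encoding closes the script injection. A buffer overflow, the first item on the slide, is the same failure to validate input, only at the native-code level.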
Cyber-Terrorism

Goal: to harm or control key computer systems or computer controls to achieve some indirect aim, such as to destroy a power grid or to take over a critical process.

The FISMA security requirements are built around three major national objectives:
• Prepare and prevent
• Detect and respond
• Build strong foundations
Managing and Defending a Network

Network security management involves all actions to ensure authorization and use:
• Development and documentation of the method to authorize access to network files and network directories
• Specification of the approach used to ensure reliability of data resources accessed or used over the network
• Implementation of safeguards for protecting users from network-based security threats
Network Security Management and Planning

Based on a plan defining the approach to assuring the physical components of the network:
• Must detail steps taken to ensure that information stored, processed, and transmitted is secure
• Must specify all technology and practices to be implemented and maintained for security
• High-level steps required to implement an effective network management process are:
  • Create usage policy statements
  • Conduct risk analysis
  • Formulate a security team
Network Security Management and Planning

Create usage policy statements:
• Statement of a general policy about system use, outlining the thinking that defines the organization’s network management philosophy
• Documentation of usage statements to avoid the risks of misunderstandings and conflicting approaches
• Tailor the rules for each component by indicating security violations and actions to be taken if detected
• Define the acceptable use policies (AUP), including rules for account administration, policy enforcement, and privilege review
• Aggressive training and awareness program to ensure that the members understand and will follow each rule
Network Security Management and Planning

Conduct risk analysis:
• Risk assessment levels: low risk, medium risk, high risk
• Potential types of users are:
  • Administrators responsible for managing network resources
  • Privileged internal users needing an elevated level of access
  • Internal users with general access
  • Trusted external users needing access to some resources
  • Other untrusted external users or customers
Network Security Management and Planning

A network security or NETSEC management team:
• Implements and maintains the network configuration
• Is responsible for evolving the network as conditions change
• Establishes and maintains the network security configuration from these requirements
Network Defense in Depth: Maintaining a Capable Architecture

Defense in depth: protection is established by controlling access through a number of boundaries.
Network Defense in Depth: Maintaining a Capable Architecture

Defining trust:
• Trusted networks – within the defined security perimeter
• Untrusted networks – outside the security perimeter and not controlled
• Unknown networks – neither trusted nor untrusted

Establishing boundaries:
• Defines the area to be protected
• Dictates the level of organizational resources required to perform the security function
Network Defense in Depth: Maintaining a Capable Architecture

Formulating assumptions – security system designs are based on assumptions:
• Anticipate who might want to breach the current security measures and why
• Deploy an effective response

Design and deployment of a network security scheme has to be done while justifying the likely costs and benefits.