module 3 Cyberpatriot Powerpoint
Download
Report
Transcript module 3 Cyberpatriot Powerpoint
•Introduction to Computer Security
and Information Assurance
Objectives
• Recognize voice and
data systems use the
same communications
networks
• Describe the
components of a
typical network
• Describe
countermeasures for
network-related threats
Module 03: 1
•Introduction to Computer Security
and Information Assurance
Objectives
• Describe the concept of “defense-in-depth”
• Identify technologies used to apply
countermeasures for network-related threats
• Identify components that comprise wireless
networks
• Identify threats related to wireless
technologies
• Identify countermeasures for wireless related
threats
Module 03: 2
•Introduction to Computer Security
and Information Assurance
Communication Networks
• History
– Moving ideas
– Electric communication
– Circuit switching
Module 03: 3
•Introduction to Computer Security
and Information Assurance
Voice Communications
• Public Switched Telephone Network (PSTN)
• Private Branch Exchange (PBX)
– Acts as organization’s internal phone company
– Cost savings
Module 03: 4
•Introduction to Computer Security
and Information Assurance
Voice Networks
• History
– Introduction of packetswitched networks in
1960s
– Computers used for
switching instead of
relays
– Now voice
communication is
treated as data
Module 03: 5
•Introduction to Computer Security
and Information Assurance
The News
Module 03: 6
•Introduction to Computer Security
and Information Assurance
PBX Threats
•
•
•
•
•
Toll fraud
Disclosure of information
Unauthorized access
Traffic analysis
Denial of Service (DoS)
Module 03: 7
•Introduction to Computer Security
and Information Assurance
PBX Threat
Countermeasures
•
•
•
•
•
Implement physical security
Inhibit maintenance port access
Enable alarm and audit trails
Remove all default passwords
Review the configuration of your PBX
against known hacking techniques
Module 03: 8
•Introduction to Computer Security
and Information Assurance
Data Networks
• International voice network already existed
– For computers to communicate, less
expensive to use same network
– Modems designed to leverage this asset
Module 03: 9
•Introduction to Computer Security
and Information Assurance
Modem Threats
• Unauthorized and misconfigured modems
• Authorized but misconfigured modems
Module 03: 10
•Introduction to Computer Security
and Information Assurance
Wardialing Experiment
Peter Shipley conducted a wardialing
exercise in the San Francisco Bay area
from April 1997 to January 2000, looking
for unsecured modems.
• Dialed 5.7 million phone numbers
• Area codes: 408, 415, 510, 650
• Carriers found: 46,192
• Experiment and results presented at
DEFCON
Module 03: 11
•Introduction to Computer Security
and Information Assurance
Common Wardialers
• ToneLoc (DOS, Windows NT, 2000)
• ShokDial (UNIX/Linux)
• PhoneSweep (Commercial – Windows)
Module 03: 12
•Introduction to Computer Security
and Information Assurance
•
•
•
•
•
•
Modem Threat
Countermeasures
Policy
Scanning
Administrative action
Passwords
Elimination of modem connections
Use a device to protect from telephonybased attacks and abuses
Module 03: 13
•Introduction to Computer Security
and Information Assurance
Voice Over Internet Protocol (VoIP)
• Transmission of voice conversations using
traditional “data network” transmission
methods
• Taking calls off the regular phone lines
and sending them on a data network
Module 03: 14
•Introduction to Computer Security
and Information Assurance
VoIP Benefits
•
•
•
•
Less expensive
Increased functionality
Flexibility
Mobility
Module 03: 15
•Introduction to Computer Security
and Information Assurance
VoIP Threats
•
•
•
•
•
•
Service theft
Eavesdropping
Spam/SPIT (SPam over Internet Telephony)
Denial of Service (DoS)
Vishing (VoIP Phishing)
Call tampering
Module 03: 16
•Introduction to Computer Security
and Information Assurance
VoIP Threat Countermeasures
•
•
•
•
Physical control
Authentication and encryption
Develop appropriate network architecture
Employ VoIP firewall and security devices
Module 03: 17
•Introduction to Computer Security
and Information Assurance
Data Networks: History Refresher
• Modems put on voice network to carry
data
– No need to build new, separate network
– Early on most data networks used modems
over voice network
• 1960s, data networks include introduction
of satellites and radios
– Also packet switching
Module 03: 18
•Introduction to Computer Security
and Information Assurance
Data Networks
• Computers linked together
• Components found in most networks
– Hosts (computers)
• Workstations (desktops, laptops, etc.)
• Servers (e-mail, web, database, etc.)
– Switches and hubs
– Routers
Module 03: 19
•Introduction to Computer Security
and Information Assurance
Common Network Terms
• Local Area Network (LAN)
• Wide Area Network (WAN)
• Wireless LAN (WLAN)
Module 03: 20
•Introduction to Computer Security
and Information Assurance
Data Network Protocols
• Common protocols
– Transmission Control Protocol (TCP)
– User Datagram Protocol (UDP)
– Internet Control Message Protocol (ICMP)
– Hypertext Transfer Protocol (HTTP)
Module 03: 21
•Introduction to Computer Security
and Information Assurance
• TCP
Common Protocols
– Moves data across networks with a connectionoriented approach
• UDP
– Moves information across networks with a
connectionless-oriented approach
• ICMP
– Often used by operating systems to send error
messages across networks
• HTTP
– Transfers web pages, hypermedia, and other query
response communications
Module 03: 22
•Introduction to Computer Security
and Information Assurance
Data Network Threats
• Information gathering: assessing targets to plan
attacks
• Denial of Service (DoS): degrading or preventing
communication through or across specific
network(s)
• Other exploitation/interception:
– Disinformation: fooling users or network
components/services
– Man-in-the-middle: getting between communicators
– Session hijacking: illicitly assuming control of a
legitimate connection
Module 03: 23
•Introduction to Computer Security
and Information Assurance
Information Gathering Threats
• Attackers want to determine nature of
targets
– Reduce wasted effort
– Formulate attack plans
• Pick specific tools
• Select tactics
Module 03: 24
•Introduction to Computer Security
and Information Assurance
Network Scanning
Finding Active Machines
• An organization has a range of IP
addresses assigned to it
– May not use them all
• Ping sweep finds IP addresses in use
– Ping utility designed to determine whether
remote system is active
Module 03: 25
•Introduction to Computer Security
and Information Assurance
Ping Sweep
• Using ping, attacker sends ICMP echo
request to range of addresses
– Every functional system responds with echo
reply
• Provides a list of potential targets
Module 03: 26
•Introduction to Computer Security
and Information Assurance
Ping Sweep
Unused Address
10.1.1.9
Echo Request
Attacker
Echo Request
Echo Reply
10.1.1.10
Echo Request
Unused Address
10.1.1.11
Target List
10.1.1.9
10.1.1.10
10.1.1.11
Module 03: 27
•Introduction to Computer Security
and Information Assurance
Ping
Module 03: 28
•Introduction to Computer Security
and Information Assurance
Activity 03.1: Perform Ping
Sweep Using nmap
• Purpose:
– In this activity, you will perform a scan in the
form of a ping sweep. This will familiarize you
with one of the most common techniques to
gather information about a target
environment.
• Estimated completion time:
– 10 – 15 minutes
Module 03: 29
•Introduction to Computer Security
and Information Assurance
Activity 03.1: Perform Ping
Sweep Using nmap
What did we detect?
Is this a useful tool?
– From an attacker’s perspective
– From an administrator’s perspective
Module 03: 30
•Introduction to Computer Security
and Information Assurance
Port Scanning
• Checks a computer for open ports
– 65,535 possible ports
• 1-1,023 are considered “well-known”
• 1,024-49,151 are called “registered ports”
• 49,152-65,535 are dynamic or private ports
Module 03: 31
•Introduction to Computer Security
and Information Assurance
Some Well-Known Ports
Port #
20
21
23
25
53
79
80
110
443
Network Service
File Transfer Protocol (FTP) Data
File Transfer Protocol (FTP) Control
Telnet
Simple Mail Transfer Protocol (SMTP)
Domain Name Server (DNS)
Finger
World Wide Web (HTTP)
Post Office Protocol – Version 3
HTTPS
Module 03: 32
•Introduction to Computer Security
and Information Assurance
How Port Scanning Works
Attacker
79
80
80
81
Web server
82
Services List
HTTP
Module 03: 33
•Introduction to Computer Security
and Information Assurance
Activity 03.2: Perform Port
Scanning Using Different Tools
• Purposes:
– In this activity, you will perform port scans
using different scanning tools. This will
familiarize you with one of the most common
techniques to gather information about a
target environment, and learn the efficacy of
various tools.
• Estimated completion time:
– 50 – 55 minutes
Module 03: 34
•Introduction to Computer Security
and Information Assurance
Activity 03.2: Perform Port
Scanning Using Different Tools
What were the results of our port scanning
tests?
– What did they mean?
Would this be helpful for an attacker?
Would this be helpful for an administrator?
Module 03: 35
•Introduction to Computer Security
and Information Assurance
Sniffing
• Monitoring traffic flow across a network
– Pull all packets
– Be selective
• Only grab packets to and from certain addresses
• Only grab packets carrying a certain type of traffic
• Needs to view all traffic on the network
– On internal network
– On main connection into/out of a network
Module 03: 36
•Introduction to Computer Security
and Information Assurance
Denial of Service (DoS)
• Degrade and prevent
operations/functionality
• Distributed denial of service (DDoS) attack
uses multiple attack machines
simultaneously
Module 03: 37
•Introduction to Computer Security
and Information Assurance
Ping Flood / Ping Of Death
• Ping flood
– Too much ping traffic drowns out all other
communication
• Ping of Death
– Oversized or malformed ICMP packets cause
target to reboot or crash
• Hosts can’t handle packets over maximum 65,535
bytes
• Causes a type of buffer overflow
Module 03: 38
•Introduction to Computer Security
and Information Assurance
Smurf Attack
• Large stream of spoofed Ping packets sent to a
broadcast address
• Source address listed as the target’s IP address
(spoofed)
• Broadcast host relays request to all hosts on
network
• Hosts reply to victim with Ping responses
• If multiple requests sent to broadcast host, target
gets overloaded with replies
Module 03: 39
•Introduction to Computer Security
and Information Assurance
Smurf Attack (ICMP Flooding)
Multiple Ping Replies
Multiple Ping Requests
System or Network
Overloaded
Ping Broadcast
Request
(Spoofed)
Attacker
Ping Broadcast
Request (Actual)
Module 03: 40
•Introduction to Computer Security
and Information Assurance
SYN Flooding
• Exploits synchronization protocol used to initiate
connections
• Subverts the normal process
– In the customary “three-way handshake”:
•
•
•
•
Initiator sends synchronization (SYN) packet
Target replies with a SYN/ACK (acknowledgement)
Initiator sends ACK
Machines are now ready to communicate
– In SYN flooding, attacker sends SYN packets, but no ACK
• Target replies with SYN/ACK
• Target waits for ACK, eventually gives up
• If enough SYNs are received, communication capacity will deplete
Module 03: 41
•Introduction to Computer Security
and Information Assurance
SYN Flooding
Handshake
(Normal)
1. SYN
Handshake
(SYN Flood)
1. SYN
1. SYN
1. SYN
3. ACK
Module 03: 42
•Introduction to Computer Security
and Information Assurance
DDOS With Zombies/Botnet
Module 03: 43
•Introduction to Computer Security
and Information Assurance
Man-In-The-Middle Attacks
• Instead of shutting down target networks,
attackers may want access
• Types of attacks
– Eavesdropping
– Session hijacking
Module 03: 44
•Introduction to Computer Security
and Information Assurance
Network Attack Countermeasures
• Discussion: countering the threats
– Scans/Sniffing/Ping sweeps
– DoS/DDoS
• Ping of Death
• SYN flood
• Smurf attack
– Others
• Session hijacking
• Eavesdropping
Module 03: 45
•Introduction to Computer Security
and Information Assurance
Ways To Recognize Scanning
•
•
•
•
System log file analysis
Network traffic
Firewall and router logs
Intrusion Detection Systems (IDSs)
Module 03: 46
•Introduction to Computer Security
and Information Assurance
Defending Against Scanning
•
•
•
•
•
Block ports at routers and firewalls
Block ICMP, including echo
Segment your network properly
Hide private, internal IP addresses
Change default account settings and
remove or disable unnecessary services
• Restrict permissions
• Keep applications and operating systems
patched
Module 03: 47
•Introduction to Computer Security
and Information Assurance
Sniffing Countermeasures
• Strong physical security
• Proper network segmentation
• Communication encryption
Module 03: 48
•Introduction to Computer Security
and Information Assurance
DoS And DDoS Countermeasures
•
•
•
•
•
•
•
Stop the attack before it happens
Block “marching orders”
Patch systems
Implement IDS
Harden TCP/IP
Avoid putting “all eggs in one basket”
Adjust state limits
Module 03: 49
•Introduction to Computer Security
and Information Assurance
Other Countermeasures
• All countermeasures already mentioned
• Encrypted session negotiation
• Repeating credential verification during
session
• User training
Module 03: 50
•Introduction to Computer Security
and Information Assurance
Defense-In-Depth
Module 03: 51
•Introduction to Computer Security
and Information Assurance
Perimeter Defense
Countermeasures
•
•
•
•
•
•
•
Router
“Demilitarized” Zone (DMZ)
Bastion host
Firewalls
Intrusion Detection Systems (IDSs)
Intrusion Prevention Systems (IPSs)
Virtual Private Network (VPN)
Module 03: 52
•Introduction to Computer Security
and Information Assurance
Routers
• First line of perimeter defense
– Connects external environment to internal
network
• Securely configured
• Audit regularly
• Keep patched and
updated
Module 03: 53
•Introduction to Computer Security
and Information Assurance
Demilitarized Zone (DMZ)
• Machine or machines accessible by the
Internet, but not located on the internal
network or the Internet
– Web server
– E-mail server
• Should not contain much valuable data
Module 03: 54
•Introduction to Computer Security
and Information Assurance
Network With DMZ
Internet
Router
DNS
Firewall
Web
Mail
Firewall
Internal
Network
Module 03: 55
•Introduction to Computer Security
and Information Assurance
Bastion Host
• Highly exposed to attacks
– Web server
– E-mail server
• Locked down/hardened system
– Unnecessary services disabled
– No unnecessary applications
– Fully patched
– Unnecessary ports closed
– Unnecessary accounts disabled
Module 03: 56
•Introduction to Computer Security
and Information Assurance
Firewalls
• Control connections from one network (or
portion of a network) to another
– Usually between an organization’s network
and Internet
• Enforce security policy
• Hardware or software
Module 03: 57
•Introduction to Computer Security
and Information Assurance
A Firewall Will Not
• Monitor
connections not
passing directly
through it
• Prevent physical
access to the
network
Module 03: 58
•Introduction to Computer Security
and Information Assurance
Common Types Of Firewalls
• Packet filtering
• Proxies
• Stateful inspection
Module 03: 59
•Introduction to Computer Security
and Information Assurance
Common Firewall Configurations
• Dual-homed
• Multi-homed
Module 03: 60
•Introduction to Computer Security
and Information Assurance
Intrusion Detection System (IDS)
• Detects suspicious activity
• Alerts upon discovery of possible
compromise attempts
• Comprised of several components
– Sensors
– Analyzers
– Administrator interfaces
Module 03: 61
•Introduction to Computer Security
and Information Assurance
Common Types Of IDS
• Host-based (HIDS): monitors activity
within a particular computer system
• Network-based (NIDS): monitors network
communications
– Usually works with a central console/database
– To function correctly, must see ALL monitored
network traffic
– Reactive NIDS also known as Network
Intrusion Prevention Systems (NIPS)
Module 03: 62
•Introduction to Computer Security
and Information Assurance
Virtual Private Network (VPN)
• A secure, private data connection through
a non-secure public network
– Often, through the Internet
• Uses encryption and tunneling protocols
– PPTP, L2TP, IPSec
Module 03: 63
•Introduction to Computer Security
and Information Assurance
Rogue Modem Threats
Internet
Attacker
PSTN
Router
Web
Server
X
Intrusion
Detection
Dial-in
Servers
Firewall
Users
PBX
Module 03: 64
•Introduction to Computer Security
and Information Assurance
Defended
Any other ways to attack your information
without coming through the Internet?
Module 03: 65
•Introduction to Computer Security
and Information Assurance
Wireless Technology
• Allows communications between multiple
systems/devices without physical connection
• Complexity ranges from simple devices to
enterprise networks
• Much less expensive than wired solutions
• Wireless LAN (WLAN)
– Wireless client: system with wireless capability
– Access point (AP): device that connects different
wireless stations
Module 03: 66
•Introduction to Computer Security
and Information Assurance
Wireless
Threats And Countermeasures
•
•
•
•
•
•
•
Access point mapping
Service Set Identifier (SSID) broadcasting
Default SSID
Radio frequency management
Default settings
Authentication
Bluetooth security
Module 03: 67
•Introduction to Computer Security
and Information Assurance
Access Point (AP) Mapping
• WLAN version of wardialing
– Wardriving/warwalking/warflying/warchalking
– Software
• Net Stumbler
• Air Snort
• Void11
Module 03: 68
•Introduction to Computer Security
and Information Assurance
Service Set Identifier (SSID)
Broadcasting
Module 03: 69
•Introduction to Computer Security
and Information Assurance
Default SSID
SSID = tsunami
SSID = tsunami
Default SSID
Cisco = tsunami
3COM = 101
Agere = WaveLAN
Linksys = Linksys
Dlink = default
Module 03: 70
•Introduction to Computer Security
and Information Assurance
Radio Frequency Management
Parking Lot
Building I
Module 03: 71
•Introduction to Computer Security
and Information Assurance
Default Settings
Many access points arrive with no security
mechanisms in place.
Module 03: 72
•Introduction to Computer Security
and Information Assurance
Authentication Issues
Open System Authentication
• SSID
• Negotiation in clear text
• Subject to sniffing
Shared Key Authentication
• SSID and WEP Encrypted key
required
• Subject to man-in-the-middle
attack
Request SSID
Request (SSID)
Accepted (SSID)
Challenge Text (WEP)
Challenge Response (WEP)
Accepted (SSID)
Module 03: 73
•Introduction to Computer Security
and Information Assurance
Authentication Issues
• WEP standard proven insufficient
– Mathematical weakness entailed relatively
fast repeat of key transmission
• Automated exploits followed identification of flaw
• Used in massive criminal activity
– Replaced with Wi-Fi Protected Access (WPA)
– WPA demonstrates its own weaknesses
– Replaced by WPA2, which is viewed as more
secure
Module 03: 74
•Introduction to Computer Security
and Information Assurance
Bluetooth Security
• Popular short-range technology
– Used for many personal electronic devices,
such as phones, music players, etc.
• Threats
– Bluejacking
– Bluesnarfing
– Bluebugging
Module 03: 75
•Introduction to Computer Security
and Information Assurance
Networking / Internet
•
•
•
•
•
•
•
History of communication
PBX security threats and countermeasures
Modem security threats and countermeasures
VoIP security threats and countermeasures
Network components
Common protocols
Network security threats and countermeasures
– Scanning / sniffing / DoS / DDoS
• Wireless security threats and countermeasures
– WLAN / Bluetooth
Module 03: 76