Transcript Slide 1

CIST 1601 Information Security Fundamentals
Chapter 4 Monitoring Activity and Intrusion Detection
Collected and Compiled
By JD Willard
MCSE, MCSA, Network+,
Microsoft IT Academy Administrator
Computer Information Systems Instructor
Albany Technical College
Monitoring the Network
Recognizing the Different Types of Network Traffic
Novell Protocols
NetWare, a server-based networking environment/operating system, offers network protocols, services, and applications. NetWare is susceptible to DoS attacks. In addition to TCP/IP, NetWare supports two proprietary protocols, Internetwork Packet Exchange (IPX) and Sequenced Packet Exchange (SPX), which are unique to Novell 4.x and earlier NetWare networks. Since NetWare 5, NetWare has been able to use TCP/IP as its only transport protocol. IPX and SPX are fast, efficient, and well documented. They’re also susceptible to communications interception using internal monitoring. Microsoft created NWLink, an IPX/SPX-compatible protocol that it owns.
NetWare Directory Services (NDS) manages all the resources in a network. NDS provides a database of all network objects or resources.
The figure below shows an NDS tree. Notice that the NDS tree treats print devices, disk volumes, users, and groups as leaf objects, or resources, in the tree. Earlier versions of NetWare used bindery services; the bindery kept track of resources on a server-by-server basis. In the most recent versions of NetWare, NDS has been expanded and renamed eDirectory.
Microsoft Protocols
NetBIOS
The biggest vulnerability with NetBIOS is that it opens ports for file and print sharing. These ports (which can include 135 through 139 and 445) can be accessed across the Internet as well as by devices on the local LAN.
NetBEUI
NetBEUI is a nonroutable protocol, meaning that it can’t be sent across routers. NetBEUI traffic is easy to intercept internally using a network sniffer.
WINS Service
Windows Internet Naming Service (WINS) translates NetBIOS names to TCP/IP addresses. Because WINS provides a service to clients that request information from it, it’s susceptible to DoS attacks. When left unpatched, it is also exposed to remote code execution.
[Figure: A WINS server resolving a TCP/IP address to a NetBIOS name]
Network File System Protocol
Network File System (NFS) is the default file-sharing protocol for Unix systems. NFS allows a remote user to mount drives on a machine in the network. To be secure, NFS requires special configuration. NFS is equivalent to Distributed File System (DFS), which tends to exist outside of the Unix world.
The Apple Protocol
Most manufacturers support AppleTalk, which isn’t intended for secure applications. Modern Macintosh systems can also use TCP/IP for connections.
Most AppleTalk vulnerabilities are exploitations of programs that offer this service. For example, there are known vulnerabilities with programs that allow Linux to offer AppleTalk, but those weaknesses are with the programs themselves and not with AppleTalk per se.
[Figure: A remote system mounting a drive on a local machine using NFS]
Monitoring Network Systems
Monitoring can occur on individual systems, on servers, or as a separate component of the network. The connection used is called a tap. The figure below illustrates some of the places where a network tap can occur. Each tap location presents a different view of the network. For effective security, multiple taps are probably needed.
Your system faces both internal and external threats.
Heavy traffic makes it necessary to dedicate personnel to monitoring. Network activity is also reported in system logs and audit files. It’s a good practice to periodically review these files. Automated tools make this process more manageable.
Network sniffers and NIDSs are used to monitor network traffic. Network sniffers are manually oriented, whereas an NIDS can be automated.
[Figure: Tap locations used to monitor network traffic]
Understanding Intrusion Detection Systems
Intrusion detection (ID) is the process of monitoring events in a system or network to determine if an intrusion is occurring. An intrusion is defined as any activity or action that attempts to undermine or compromise the confidentiality, integrity, or availability of resources.
An IDS reports and monitors intrusion attempts. An IDS will announce an event through an alert when suspicious activity is encountered.
An activity is an element of a data source that is of interest to the operator. This is usually a specific occurrence or event.
The administrator is the person responsible for making decisions about the deployment and configuration of the IDS, alarm levels, historical logging, and session monitoring capabilities, and for determining the appropriate responses to attacks and ensuring that those responses are carried out.
An alert is the message from an IDS analyzer indicating that something of interest has happened, that is, that an event has occurred. Alerts occur when activities of a certain type exceed a preset threshold.
The analyzer is the component that analyzes the data collected by the sensor. The analyzer function uses data sources from sensors to analyze and determine whether an attack is under way.
The data source is the raw information used by the IDS to detect suspicious activity. Data sources include audit files, system logs, or current network activity.
An event is an occurrence in the data source that indicates suspicious activity. Not every activity ends up as an event, and not every event generates an alert. The event might trigger an alert if a deviation from normal network traffic patterns occurred or if an activity threshold was crossed.
The manager is the component that the operator uses to manage the IDS. The manager may be a graphical interface, a real-time traffic screen, or a command-line-driven environment.
Notification is the process or method by which the IDS manager makes the operator aware of an alert. This might include a graphic display or an e-mail sent to the administrative staff.
The operator is the person primarily responsible for the IDS.
A sensor collects data from the data source and passes it on to the analyzer. If the analyzer determines that unusual activity has occurred, an alert may be generated.
[Figure: The components of an IDS working together to provide network monitoring]
A signature-based system, also commonly known as a misuse-detection IDS (MD-IDS), is primarily focused on evaluating attacks based on a known identity, attack signature, or audit trail.
All attack signatures are contained in a signature database. The signature database must be updated to remain effective. The user can examine the signature database and quickly determine which intrusive activity the misuse detection system is programmed to alert on.
Signature-based systems have an advantage because of their simplicity and their ability to operate online in real time. Other advantages include:
Low number of false positives
Detailed text logs
Use of few system resources
Signature-based detection has several limitations: it relies excessively on passive monitoring, its rule sets need constant updating, and it can detect only known attacks with identified signatures.
[Figure: A signature-based IDS in action]
Anomaly-detection IDS (AD-IDS) detects any changes or deviations in network traffic. It is also called statistical anomaly detection. Anomaly detection is analogous to credit card fraud detection: credit card companies maintain “spending profiles” for their customers.
Anomaly detectors work by creating profiles or models of the normal behavior pattern of individual users, hosts, or network connections. There is an initial learning period before anomalies can be detected. Once the baselines are established, anomaly-based monitoring can detect anomalies. Sometimes the baseline is established through a manual process.
The classifications of anomaly detection techniques include statistical methods, rule-based methods, distance-based methods, profiling methods, and model-based approaches.
Anomaly-based monitoring is useful for detecting these types of attacks:
Protocol and port exploitation
New exploits or buffer overflow attacks
DoS attacks based on payloads or volume
Normal network failures
Variants of existing attacks in new environments
Highly secure environments might use complex patterns of behavior analysis, in some cases learning individual patterns of use common to each user profile, so that variations can be identified.
One of the disadvantages of anomaly-based IDS is that it generates false positives, because the pattern of behavior can vary or is too dynamic to analyze properly.
[Figure: AD-IDS using expert system technology to evaluate risks]
Behavior-based monitoring works by looking at the way certain executable files make your computer behave. It determines whether a program is malicious by inspecting the stream of system calls that the program issues to the operating system.
This monitoring method can be used to identify internal misuse by recognizing actions outside of normal access patterns or authorized events occurring outside of normal profile usage, such as the access of protected files during off hours.
Behavior-based monitoring is not likely to produce a false alert because you defined the nonacceptable behavior. Rules must be in place: if you do not properly define inappropriate behaviors, then attacks can occur. When you define a rule that prevents an e-mail client from executing the cmd.exe command and alerts you when this is attempted, you are using behavior-based monitoring.
Behavior-based monitoring advantages include the following: it can identify malware before it is added to signature files, monitor for malware activities, and learn about malware based on previous detection.
Behavior-based detection has several limitations, including a high incidence of false alarms and slow file checking.
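As an added example (not from the slides or the textbook they draw on), the following Python sketch wires the components defined earlier, sensor, analyzer, manager and notification, into one small pipeline and runs the three detection approaches over constructed log lines: a signature rule, a preset failed-login threshold, a statistical baseline for anomaly detection, and the e-mail-client-spawns-cmd.exe behavior rule. All log lines, thresholds, rule names and baseline counts are constructed for illustration.

```python
import re
import statistics
from collections import Counter

# Constructed data source: syslog-like lines invented for this example.
DATA_SOURCE = """\
10:00:01 host1 sshd: Failed password for root from 203.0.113.5
10:00:02 host1 sshd: Failed password for root from 203.0.113.5
10:00:03 host1 sshd: Failed password for root from 203.0.113.5
10:00:04 host1 sshd: Failed password for root from 203.0.113.5
10:00:09 host1 sshd: Accepted password for alice from 198.51.100.7
10:00:10 host2 httpd: GET /cgi-bin/../../etc/passwd from 203.0.113.9
10:00:11 host2 proc: outlook.exe spawned cmd.exe
10:00:12 host2 proc: explorer.exe spawned cmd.exe
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\w+): (.*)$")


def sensor(raw):
    """Sensor: turn raw data-source lines into activity records."""
    for line in raw.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield {"time": m[1], "host": m[2], "source": m[3], "msg": m[4]}


# Signature database: (rule name, pattern). It must be kept updated.
SIGNATURES = [
    ("directory traversal signature", re.compile(r"\.\./")),
]
# Threshold rule: this many failed logins from one address in a batch.
FAILED_LOGIN_THRESHOLD = 3
# Behavior rule: programs that should never spawn a command processor.
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}


def analyzer(events):
    """Analyzer: decide which activities become events and which raise alerts."""
    alerts = []
    failures = Counter()
    for ev in events:
        # Signature-based (misuse) detection: known pattern in the message.
        for name, pat in SIGNATURES:
            if pat.search(ev["msg"]):
                alerts.append({"rule": name, "host": ev["host"], "evidence": ev["msg"]})
        # Threshold rule: alert once when the count reaches the preset level.
        m = re.search(r"Failed password .* from (\S+)", ev["msg"])
        if m:
            failures[m[1]] += 1
            if failures[m[1]] == FAILED_LOGIN_THRESHOLD:
                alerts.append({"rule": "brute-force threshold", "host": ev["host"],
                               "evidence": m[1]})
        # Behavior rule from the slides: a mail client must not run cmd.exe.
        m = re.search(r"(\S+) spawned (\S+)", ev["msg"])
        if m and m[1] in MAIL_CLIENTS and m[2] == "cmd.exe":
            alerts.append({"rule": "mail client spawned shell", "host": ev["host"],
                           "evidence": ev["msg"]})
    return alerts


def anomaly_alerts(baseline, observed, k=3.0):
    """Statistical anomaly detection: learn a profile from the baseline period,
    then flag any host whose rate exceeds mean + k standard deviations."""
    mean = statistics.mean(baseline)
    stdev = statistics.pstdev(baseline)
    limit = mean + k * stdev
    return [{"rule": "rate anomaly", "host": h, "evidence": f"{n} req/min > {limit:.1f}"}
            for h, n in observed.items() if n > limit]


def manager(alerts):
    """Manager/notification: format alerts for the operator's console."""
    return [f"ALERT [{a['rule']}] on {a['host']}: {a['evidence']}" for a in alerts]


def run_ids(raw=DATA_SOURCE):
    """Run sensor and analyzer over one batch and return the alerts."""
    return analyzer(sensor(raw))


# Constructed baseline: requests per minute recorded during the learning period,
# and the rates observed afterwards.
BASELINE = [40, 42, 38, 45, 41, 39, 43, 40, 44, 37]
OBSERVED = {"host1": 41, "host2": 120}

if __name__ == "__main__":
    for line in manager(run_ids() + anomaly_alerts(BASELINE, OBSERVED)):
        print(line)
```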
Working with a Network-Based IDS
The primary advantage of a network-based IDS (N-IDS) is the low maintenance involved in analyzing traffic in the network. An NIDS is easy and economical to manage because the signatures are not configured on all the hosts in a network segment.
Violations of policy, monitoring of all HTTP traffic, and monitoring of all FTP traffic are examples of the types of information an NIDS is designed to monitor.
An NIDS is not capable of analyzing encrypted information. For example, the packets that travel through a VPN cannot be analyzed by the NIDS. The lack of this capability is a primary disadvantage of an NIDS.
The performance of an NIDS can be affected in a switched network environment because the NIDS cannot properly analyze traffic on network segments other than the one on which it resides.
Two basic types of responses can be formulated at the network level: passive and active.
A network-based IDS (N-IDS) approach to IDS attaches the system to a point in the network where it can monitor and report on all network traffic.
Placing the N-IDS in front of the firewall provides monitoring of all network traffic going into the network. Putting the N-IDS behind the firewall only allows you to see the traffic that penetrates the firewall. The best solution to creating a secure network is to place IDS in front of and behind the firewall.
[Figure: N-IDS placement in a network determines what data will be analyzed]
The N-IDS can be attached to a switch or a hub, or it can be attached to a tap. Intrusion is monitored on the network segment on which the NIDS is placed, and not on individual systems.
[Figure: A hub being used to attach the N-IDS to the network]
Implementing a Passive Response
A passive response is the most common type of response to many intrusions and the easiest and cheapest to develop and implement. A passive threat response does nothing to prevent the threat or attack; it just acknowledges that one is happening or is about to happen. The following list includes some passive response strategies:
Logging involves gathering sufficient information on the attack to assist administrators in implementing measures to divert it. Logging usually involves recording of events and the circumstances under which they occurred.
Notification involves informing the designated administrator when a security-related event occurred and communicating information on the event. If the IDS is manned full time, messages can be displayed on the manager’s console to indicate that the situation is occurring.
Shunning basically involves ignoring the attack because the specific attack will not work. The IDS can make a note of it in a log and move on to other more pressing business.
Implementing an Active Response
An active response involves taking an action based on an attack or threat. An active response will include one of the reactions briefly described here:
Terminating processes or sessions
If a flood attack is detected, the IDS can cause the subsystem, such as TCP, to force resets to all the sessions that are under way.
[Figure: IDS instructing TCP to reset all connections]
Network configuration changes
If a certain IP address or a particular socket or port is being attacked, the IDS can instruct a border router or firewall to reject any requests or traffic from that address or port. This configuration change can remain in effect permanently or for a specified period.
[Figure: IDS instructing the firewall to close port 80 for 60 seconds to thwart an IIS attack]
Deception
A deception active response fools the attacker into thinking the attack is succeeding while the system monitors the activity and potentially redirects the attacker to a system that is designed to be broken. This allows the operator or administrator to gather data about how the attack is unfolding and the techniques being used in the attack. This process is referred to as sending them to the honeypot.
It’s dangerous to allow a hacker to proceed into your network, even if you’re monitoring the events. This approach is frequently used when law enforcement is gathering evidence to ensure a successful prosecution of the attacker.
[Figure: A network honeypot deceives an attacker and gathers intelligence]
Working with a Host-Based IDS
A Host Intrusion Detection System (HIDS) is designed to detect hacker attacks on a single computer system. HIDS software is installed on each host that needs IDS capabilities.
Because the HIDS is installed on the local computer, the computer is completely compromised once a hacker penetrates the HIDS software.
HIDS can monitor:
Network traffic specific to the host
Checksums of important system files
Ports used by the system or incoming connections
Processes running on the system
HIDS can include filters and antivirus modules. HIDSs are good at detecting unauthorized file modifications and user activity.
HIDS runs on a host in the network to:
Monitor communications
Monitor system logs and file systems
Detect suspicious activities, including failed login attempts
A host-based IDS cannot see information within encrypted tunnels.
To monitor the internal network and external traffic, NIDSs and HIDSs should be used together.
[Figure: A host-based IDS interacting with the operating system]
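The “checksums of important system files” item above is the basis of file-integrity monitoring, the part of a HIDS that catches unauthorized file modifications. Added example, not from the slides: it records a SHA-256 baseline of a constructed set of files while the host is trusted, then reports which files are unchanged, modified or missing. The file names and contents are made up; on a real host the baseline itself must be stored where an intruder cannot rewrite it.

```python
import hashlib
import os
import tempfile


def file_digest(path, algorithm="sha256"):
    """Hash a file in chunks so large binaries need not fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths):
    """Record trusted checksums while the host is known to be clean."""
    return {p: file_digest(p) for p in paths}


def check_integrity(baseline):
    """Compare the current state of every baselined file with its recorded digest.
    Returns a mapping path -> 'ok' | 'modified' | 'missing'."""
    findings = {}
    for path, expected in baseline.items():
        if not os.path.exists(path):
            findings[path] = "missing"
        elif file_digest(path) != expected:
            findings[path] = "modified"
        else:
            findings[path] = "ok"
    return findings


def demo():
    """Constructed scenario: three stand-ins for system files in a temporary
    directory; after the baseline is taken one is edited and one is deleted."""
    with tempfile.TemporaryDirectory() as d:
        paths = [os.path.join(d, n) for n in ("passwd", "hosts", "sshd_config")]
        for p in paths:
            with open(p, "w") as f:
                f.write(f"original contents of {os.path.basename(p)}\n")
        baseline = build_baseline(paths)
        # Changes made after the baseline, the kind a HIDS should report.
        with open(paths[1], "a") as f:
            f.write("203.0.113.9 update.example.com\n")
        os.remove(paths[2])
        return {os.path.basename(k): v for k, v in check_integrity(baseline).items()}


if __name__ == "__main__":
    for name, state in demo().items():
        print(f"{name}: {state}")
```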
Working with NIPS
A network intrusion prevention system (NIPS) detects network intrusion attempts and controls access to the network for the intruders. A NIPS is an improvement over an IDS because an IPS actually prevents intrusion.
An inline NIPS works like a Layer 2 bridge. It sits between the systems that need to be protected and the rest of the network.
NIPS proactively protect machines against damage from attacks that signature-based technologies cannot detect, as most NIPS solutions have the ability to look at application layer protocols such as HTTP, FTP, and SMTP.
When implementing a NIPS, keep in mind that the sensors must be physically inline to function properly. This adds a single point of failure to the network. A good way to prevent this issue is to use fail-open technology. This means that if the device fails, it does not cause a complete network outage; instead, it acts like a patch cable.
Utilizing Honeypots
Honeypots are computer systems designed to be vulnerable points of attack on a separate network away from the corporate network. Honeypots lure a hacker by appearing to be a legitimate server with security holes that are ripe and ready for exploitation.
A honeypot simulates a network of vulnerable devices and has logging and tracing enabled. To attract hackers, a honeypot has its security level purposefully set quite low, so as to draw attackers to it and divert them from the private network.
This security technique is used to allow administrators to observe hackers in action while not exposing vital network resources. Law enforcement agencies use honeypots to gather evidence for prosecution.
A honeypot is most often deployed on the DMZ or screened subnet.
When compared to IDSs and firewalls, honeypots are usually easier to configure and monitor. In addition, IDSs and firewalls collect vast quantities of information, while honeypots provide valuable information on only the specific attack.
Before implementing a honeypot, you need to understand the concepts of enticement and entrapment:
Enticement is the process of luring someone into your plan or trap. You might accomplish this by advertising that you have free software, or you might brag that no one can break into your machine. If you invite someone to try, you’re enticing them to do something that you want them to do.
Entrapment is the process of encouraging an individual to perform an unlawful act that they wouldn’t normally have performed.
While enticement is legally acceptable, entrapment isn’t. You should seek legal advice before you implement a honeypot on your network.
Understanding Incident Response
An incident is the occurrence of any event that endangers a system or network. Incident response encompasses forensics (identifying what has occurred) and refers to the process of identifying, investigating, repairing, documenting, and adjusting procedures to prevent another incident.
It’s a good idea to include the procedures you’ll generally follow in an incident response plan (IRP). The IRP outlines what steps are needed and who is responsible for deciding how to handle a situation.
A chain of custody tells how the evidence made it from the crime scene to the courtroom, including documentation of how the evidence was collected, preserved, and analyzed.
Step One: Identifying the Incident
The first step is to identify the incident and determine if it is an incident or just a false positive. A false positive occurs when the software classifies an action as a possible intrusion when it is actually a nonthreatening action.
When a suspected incident pops up, first responders are those who must ascertain if it truly is an incident or a false alarm.
When the response team has determined that an incident occurred, the next step in incident analysis involves considering how to handle it by taking a comprehensive look at the incident activity to determine the scope, priority, and threat of the incident.
Escalation involves consulting policies and appropriate management, and determining how best to conduct an investigation into the incident.
Step Two: Investigating the Incident
The process of investigating an incident involves searching logs, files, and any other sources of data about the nature and scope of the incident. If possible, you should determine whether this is part of a larger attack, a random event, or a false positive.
You might find that the incident doesn’t require a response if it can’t be successful. Your investigation might conclude that a change in policies is required to deal with a new type of threat.
Step Three: Repairing the Damage
In keeping with the severity of the incident, the organization can act to mitigate the impact of the incident by containing it and eventually restoring operations back to normal.
Most operating systems provide the ability to create a disaster-recovery process using distribution media or backups of system state files. In the case of a DoS attack, a system reboot may be all that is required. Your operating system manufacturer will typically provide detailed instructions or documentation on how to restore services in the event of an attack.
Just as every network, regardless of size, should have a firewall, it should also be protected by antivirus software that is enabled and current.
If a system has been severely compromised it may need to be regenerated from scratch. In that case, you’re highly advised to do a complete disk format or repartition to ensure that nothing is lurking on the disk, waiting to infect your network again.
Step Four: Documenting and Reporting the Response
You should document the steps you take to identify, detect, and repair the system or network.
It is important to accurately determine the cause of each incident so that it can be fully contained and the exploited vulnerabilities can be mitigated to prevent similar incidents from occurring in the future. Many help-desk software systems provide detailed methods you can use to record procedures and steps.
You should also report the incident to the law and/or CERT (www.cert.org) so that others can be aware of the type of attack and help look for proactive measures to prevent this from happening again. You might also want to inform the software or system manufacturer.
Step Five: Adjusting Procedures
After an incident has been successfully managed, revisit the procedures and policies in place in your organization to determine what changes, if any, need to be made. The following questions might be included in a policy or procedure manual:
How did the policies work or not work in this situation?
What did we learn about the situation that was new?
What should we do differently next time?
These simple questions can help you adjust procedures. This process is called a postmortem, the equivalent of an autopsy.
Working with Wireless Systems
Wireless Transport Layer Security (WTLS) is the security layer for wireless connections that use the Wireless Application Protocol (WAP). WAP is an open international standard for applications that use wireless communication.
WTLS provides authentication, encryption, and data integrity for wireless devices in the WAP environment. WTLS provides reasonable security for mobile devices, and it’s being widely implemented in wireless devices.
WAP provides the functional equivalent of TCP/IP for wireless devices. Many devices, including newer cell phones and PDAs, include support for WTLS as part of their networking protocol capabilities.
[Figure: WTLS as part of the WAP environment]
IEEE 802.11x Wireless Protocols
The 802.11 standard specifies the technologies that are used for wireless LANs. The Institute of Electrical and Electronics Engineers (IEEE) developed the 802.11 standard. 802.11x transmissions generate detectable radio-frequency signals in all directions.
The 802.11 standard defines wireless LANs transmitting at 1Mbps or 2Mbps bandwidths using the 2.4GHz frequency spectrum and using either frequency-hopping spread spectrum (FHSS) or direct-sequence spread spectrum (DSSS) for data encoding.
The 802.11a standard provides wireless LAN bandwidth of up to 54Mbps in the 5GHz frequency spectrum. 802.11a uses orthogonal frequency division multiplexing (OFDM) for encoding.
The 802.11b standard provides for bandwidths of up to 11Mbps in the 2.4GHz frequency spectrum. This standard is also called Wi-Fi or 802.11 high rate. The 802.11b standard uses only DSSS for encoding.
The 802.11g standard provides for bandwidths of up to 54Mbps in the 2.4GHz frequency spectrum.
The 802.11n standard provides for bandwidths of up to 300Mbps in the 5GHz frequency spectrum (it can also communicate at 2.4GHz for compatibility). It offers higher speed and a frequency with less interference.
Direct-sequence spread spectrum (DSSS) transmits a signal that is a combination of an artificial and a real signal. DSSS accomplishes communication by adding the data to a higher speed transmission. The higher speed transmission contains redundant information to ensure data accuracy, so each packet can be reconstructed in the event of a disruption. The receiving end utilizes the additional signal to maintain the integrity of the real signal when interference is experienced. Both ends must agree upon the method for generating the signal. DSSS offers superior range, the ability to block interference, and a transmission rate of 11 Mbps.
Frequency-hopping spread spectrum (FHSS) accomplishes communication by hopping the transmission over a range of predefined frequencies. The changing or hopping is synchronized between both ends and appears to be a single transmission channel to both ends. FHSS signals are difficult for malicious users to pick up.
Orthogonal Frequency-Division Multiplexing (OFDM) is a modulation scheme used with networks in the IEEE 802.11a standard. OFDM accomplishes communication by breaking the data into subsignals and transmitting them simultaneously. These transmissions occur on different frequencies or subbands.
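Added example, not from the slides: the chip-spreading idea behind DSSS in a few lines of Python, using the 11-chip Barker sequence that the original 1 and 2 Mbps 802.11 DSSS modes transmit for each data bit. It shows the redundancy the paragraph describes: the receiver recovers every bit while up to 5 of the 11 chips in a symbol are corrupted and fails once a sixth is. The interference pattern (corrupting the leading chips of every symbol) is constructed for the demonstration.

```python
# 11-chip Barker sequence used by the original 1 and 2 Mbps 802.11 DSSS modes.
BARKER_11 = [1, -1, 1, 1, -1, 1, 1, 1, -1, -1, -1]


def spread(bits, code=BARKER_11):
    """Spread each data bit over a whole chip sequence (the 'higher speed
    transmission'). Bit 1 is sent as the code, bit 0 as the inverted code,
    so every bit is carried by 11 redundant chips."""
    chips = []
    for b in bits:
        sign = 1 if b else -1
        chips.extend(sign * c for c in code)
    return chips


def despread(chips, code=BARKER_11):
    """Receiver side: correlate each chip group with the agreed code.
    The sign of the correlation decides the bit; a few wrong chips only
    shrink the correlation, they do not flip it."""
    n = len(code)
    bits = []
    for i in range(0, len(chips), n):
        corr = sum(x * c for x, c in zip(chips[i:i + n], code))
        bits.append(1 if corr > 0 else 0)
    return bits


def interfere(chips, flips_per_symbol, n=len(BARKER_11)):
    """Constructed interference: invert the first `flips_per_symbol` chips
    of every symbol, the worst case for a fixed number of chip errors."""
    out = list(chips)
    for start in range(0, len(out), n):
        for i in range(start, start + flips_per_symbol):
            out[i] = -out[i]
    return out


def survives(bits, flips_per_symbol):
    """True when the receiver still recovers every bit after the interference."""
    return despread(interfere(spread(bits), flips_per_symbol)) == bits


def tolerance(code=BARKER_11):
    """Largest number of corrupted chips per symbol the correlation still absorbs:
    the correlation stays positive while fewer than half the chips are wrong."""
    return (len(code) - 1) // 2


SAMPLE_BITS = [1, 0, 1, 1, 0, 0, 1, 0]  # constructed payload

if __name__ == "__main__":
    for flips in range(0, 8):
        print(f"{flips} bad chips per symbol -> recovered: {survives(SAMPLE_BITS, flips)}")
```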
The Wireless Application Protocol (WAP) is the technology designed for use with wireless devices. WAP functions are equivalent to TCP/IP functions in that they’re trying to serve the same purpose for wireless devices.
The gateway converts information back and forth between HTTP and WAP as well as encodes and decodes between the security protocols. If the interconnection between the WAP server and the Internet isn’t encrypted, packets between the devices may be intercepted, creating a potential vulnerability. This vulnerability is called a gap in the WAP.
WEP and WPA
Wired Equivalent Privacy (WEP) is a standard for wireless devices that encrypts data to provide data security. WEP is vulnerable due to weaknesses in the way the encryption algorithms are employed. It can potentially be cracked in as few as five minutes using available PC software. This makes WEP one of the more vulnerable protocols available for security.
The Wi-Fi Protected Access (WPA) and Wi-Fi Protected Access 2 (WPA2) technologies were designed to address the core problems with WEP. These technologies implement the 802.11i standard. The difference between WPA and WPA2 is that WPA implements most of 802.11i in order to be able to communicate with older wireless cards, while WPA2 implements the full standard and is not compatible with older cards. WPA2 is currently the highest standard for Wi-Fi communication security.
Wireless Vulnerabilities to Know
MAC Filtering and SSID Management
Wireless systems are vulnerable to all the attacks that wired networks are vulnerable to. However, because these protocols use radio frequency signals for data emanation, they can be easily intercepted. To intercept 802.11x traffic, all you need is a PC with an appropriate 802.11x card installed.
Without the use of a mandated encryption standard, data transmitted over an 802.11x wireless link may be passed in clear form. Additional forms of encryption may be implemented, such as WEP and AES, but transport encryption mechanisms suffer from the fact that a determined listener can obtain enough traffic data to calculate the encoding key in use.
Wireless networks often announce their service set identifier (SSID) to allow mobile devices to discover available WAPs. Turning off this broadcast can reduce the vulnerability of a broadcast packet sniffer readily identifying a WAP. Turning off SSID broadcast should be considered a “best practice,” along with conducting a site survey, selecting channels not already in use in the area, requiring WPA2 (or newer) encryption, and restricting access to a known list of Wi-Fi MAC addresses where possible.
A site survey is the process of monitoring a wireless network using a computer, wireless controller, and analysis software. Site surveys generally produce information on the types of systems in use, the protocols in use, and other critical information.
You should periodically complete a site survey to ensure that no unauthorized wireless access points are established. You will also want to perform a site survey before implementing any WLAN solution. This is particularly important in wireless networks spanning multiple buildings or open natural areas, where imposing structures and tree growth may affect network access in key areas.
Site surveys are easily accomplished and hard to detect. To protect against unauthorized site surveys, change the default SSID and disable SSID broadcasts. Upon discovering a WAP using a site survey, physically locate the device and disconnect it.
Wardriving and Warchalking
War driving is the act of driving about with a laptop looking for wireless LANs in a geographic area announcing their SSID broadcasts and WEP keys.
When a client attempts to contact a wireless access point (AP), the AP authenticates the client through a basic challenge-response method, and then provides connectivity to a wired network or servers.
Rogue Access Points and Evil Twins
Because the client request is an omnidirectional open broadcast, it is possible for a hijacker to act as an access point to the client, and as a client to the true network access point, allowing the hijacker to follow all data transactions with the ability to modify, insert, or delete packets at will. By implementing a rogue AP with stronger signal strength than more remote permanent installations, the attacker can cause a wireless client to preferentially connect to their own stronger nearby connection using the wireless device’s standard roaming handoff mechanism.
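Added example (not from the slides) tying the site-survey and rogue-AP passages together on the defender’s side: it compares the access points seen in a later periodic survey with the inventory recorded during the authorized site survey, flags unknown APs and evil twins (a known SSID on an unknown BSSID), and singles out twins whose signal beats every legitimate AP of that SSID, since those are the ones a roaming client would prefer. The SSIDs, BSSIDs, channels and signal levels are constructed.

```python
from collections import defaultdict

# Authorized inventory recorded during the site survey (constructed values):
# SSID -> set of BSSIDs (AP radio MAC addresses) that legitimately serve it.
AUTHORIZED = {
    "CorpNet": {"00:11:22:33:44:01", "00:11:22:33:44:02"},
    "CorpGuest": {"00:11:22:33:44:03"},
}

# Constructed results of a later survey: (ssid, bssid, channel, signal_dbm).
SCAN = [
    ("CorpNet",   "00:11:22:33:44:01", 1,  -55),
    ("CorpNet",   "00:11:22:33:44:02", 6,  -60),
    ("CorpNet",   "DE:AD:BE:EF:00:01", 6,  -35),  # known SSID, unknown radio, strong
    ("CorpGuest", "00:11:22:33:44:03", 11, -62),
    ("Free-WiFi", "de:ad:be:ef:00:02", 11, -48),  # network nobody registered
    ("",          "00:11:22:33:44:02", 6,  -60),  # hidden-SSID beacon, authorized radio
]


def classify(scan, authorized):
    """Label each observed AP by comparing it with the authorized inventory."""
    known_bssids = {b.lower() for s in authorized.values() for b in s}
    findings = []
    for ssid, bssid, channel, signal in scan:
        bssid = bssid.lower()
        if bssid in known_bssids:
            verdict = "authorized"
        elif ssid in authorized:
            verdict = "evil twin"      # our SSID served by a radio we never installed
        else:
            verdict = "unknown AP"     # rogue or neighbour; locate and verify
        findings.append({"ssid": ssid or "<hidden>", "bssid": bssid,
                         "channel": channel, "signal": signal, "verdict": verdict})
    return findings


def strongest_twins(findings):
    """Evil twins that out-power every legitimate AP of the same SSID; these are
    the ones clients will roam to, so they deserve the first physical search."""
    best_legit = defaultdict(lambda: -200)
    for f in findings:
        if f["verdict"] == "authorized":
            best_legit[f["ssid"]] = max(best_legit[f["ssid"]], f["signal"])
    return [f for f in findings
            if f["verdict"] == "evil twin" and f["signal"] > best_legit[f["ssid"]]]


def missing_authorized(findings, authorized):
    """Authorized radios not seen in this survey (unplugged, failed or moved)."""
    seen = {f["bssid"] for f in findings}
    return sorted(b.lower() for s in authorized.values() for b in s if b.lower() not in seen)


if __name__ == "__main__":
    results = classify(SCAN, AUTHORIZED)
    for f in results:
        print(f"{f['verdict']:<11} {f['ssid']:<10} {f['bssid']} ch{f['channel']} {f['signal']} dBm")
    print("priority:", [t["bssid"] for t in strongest_twins(results)])
    print("missing:", missing_authorized(results, AUTHORIZED))
```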
Bluejacking and Bluesnarfing
Blue jacking is an attack that sends unsolicited messages over a Bluetooth connection. It can be considered spamming in a Bluetooth environment. Mobile devices equipped for Bluetooth short-range wireless connectivity, such as laptops, cell phones, and PDAs, are vulnerable.
Attackers use blue jacking to generate messages that appear to be from the device itself. This leads users to follow prompts and establish an open Bluetooth connection to the attacker’s device. Once paired with the attacker’s device, the user’s data becomes available for unauthorized access, modification, or deletion, which is an attack referred to as bluesnarfing.
Understanding Instant Messaging’s Features
Instant messaging (IM) has become a hugely popular application on the Internet. Millions of users use instant messaging. America Online and Microsoft provide IM services to their subscribers.
IM users can send photos, play network games, conduct chats, send e-mail, and even have IM conferences.
Clients use software to connect to IM servers to communicate. These servers might be synchronized worldwide to allow instantaneous communications between any two users in the world.
[Figure: Clients connecting to an IM server system similar to the ones used by Microsoft and AOL]
Understanding IM Vulnerabilities
Jamming is the process of intentionally disrupting communications in an IM session.
Jamming is a loosely defined term; it refers to any intentional disruption that falls short
of a DoS attack.
IM users are highly susceptible to malicious code attacks such as worms, viruses, and
Trojan horses. Ensure that IM users have up-to-date antivirus software installed.
Most IM systems allow broadcasts. The broadcasting capability allows an attacker to
potentially send a “bait message” to millions of people simultaneously. The acronym
SPIM has even been added recently to the vernacular to describe spam over instant
messaging.
An IM user complaining that his system is unresponsive and about a million web browser
windows have opened on his screen has just encountered an application-level DoS
attack. This type of attack is common and isn’t usually fatal, but it’s very annoying. Your
user should restart his system, verify that the website didn’t transmit a virus, and stay
away from broadcasted websites.
IM systems allow unsuspecting users to download files that may contain viruses. Because
only the final extension decides how the operating system handles a file, and Windows
hides known extensions by default, a file that appears to have one extension may actually
have another. For example, the file account.doc.vbs would appear in many applications as
account.doc, but it's actually a Visual Basic script and could contain malicious code.
Working with 8.3 File Naming
The 8.3 format allows eight characters for the filename and three characters for the
file type or extension. Certain file extensions tell the operating system to immediately
start executing a file (for example, .bat, .com, and .exe).
By default, Windows hides the extension of known (registered) file types from the user.
If a file type is indicated, the system automatically opens the program that has been
registered to be associated with that extension.
If the file is an executable or a script, it will start executing using the appropriate
language or command processor. If this file is a Trojan horse, a worm, or some other form
of malicious code, the system has potentially been compromised.
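The double-extension trick from the IM section and the hidden-extension behaviour described under 8.3 naming are the same problem seen from two sides: what the user sees versus what the operating system will execute. The following added example (not code from the course) is the check an IM or mail gateway filter would apply to an incoming file name. The extension lists are a short hypothetical subset, and it assumes every listed extension is a registered type on the target, so Explorer hides it.

```python
"""Classify an incoming file name the way an IM or mail gateway filter would.

Added example, not from the course slides. The extension lists are a short
hypothetical subset; a real filter would use a fuller, maintained list.
"""
import os

# Extensions Windows hands straight to a loader, command processor or script host.
EXECUTABLE_EXTENSIONS = {
    ".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".msi", ".hta",
    ".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".ps1", ".lnk",
}
# Extensions a user expects to open harmlessly in a viewer.
DOCUMENT_EXTENSIONS = {".doc", ".docx", ".xls", ".xlsx", ".pdf", ".txt", ".jpg", ".png"}
# Assumption: all of the above are registered ("known") types, whose extension
# Explorer hides by default.
KNOWN_EXTENSIONS = EXECUTABLE_EXTENSIONS | DOCUMENT_EXTENSIONS


def analyze_filename(name):
    """Return how the OS will treat `name` versus what the user is shown."""
    base, true_ext = os.path.splitext(name.strip())
    true_ext = true_ext.lower()
    # Only the last extension counts for the OS ...
    executable = true_ext in EXECUTABLE_EXTENSIONS
    # ... but with "Hide extensions for known file types" the user sees only `base`.
    displayed = base if true_ext in KNOWN_EXTENSIONS else name
    # The extension that survives into the displayed name is the disguise.
    _, inner_ext = os.path.splitext(base)
    return {
        "name": name,
        "true_extension": true_ext,
        "displayed_as": displayed,
        "executable": executable,
        "disguised": executable and inner_ext.lower() in DOCUMENT_EXTENSIONS,
    }


def should_block(name):
    """Gateway policy: anything the OS would execute is blocked, disguised or not."""
    return analyze_filename(name)["executable"]


# Constructed sample of incoming file names.
SAMPLE_NAMES = ["account.doc.vbs", "report.docx", "setup.exe", "README", "photo.jpg.scr"]

if __name__ == "__main__":
    for n in SAMPLE_NAMES:
        info = analyze_filename(n)
        print(f"{n:18} shown as {info['displayed_as']:14} "
              f"executable={info['executable']} disguised={info['disguised']}")
```

Note that the filter keys on what the operating system will do (`true_extension`), never on what the user would see; the `disguised` flag only tells you which of the blocked files were also trying to fool the recipient.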
Common Executable File Types That PC Systems Use
Understanding Protocol Analyzers
Protocol Analyzers (2:35)
A protocol analyzer provides information regarding traffic flow and
statistical information for your network. It is used to capture network
traffic and generate statistics for creating reports.
A protocol analyzer is a software utility attached to a hub, to a switch
mirror (SPAN) port, or inline with the network connection so that it can see
and decode the network communications. Individual protocols, specific
endpoints, or sequential access attempts (such as one host probing many
ports) may be identified using this utility.
A protocol analyzer is also referred to as a network analyzer or packet
sniffer.
Windows Server operating systems come with a protocol analyzer called
Network Monitor.
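What a protocol analyzer actually does with a captured frame is decode the nested headers (Ethernet, then IP, then TCP) and aggregate what it finds. The following added example, which is not code from the slides or from Network Monitor, does exactly that for raw IPv4/TCP frames and produces two of the reports the text mentions: traffic per conversation and hosts making sequential access attempts across many ports. The frames are constructed in memory with zero checksums rather than captured from a wire.

```python
"""Decode raw Ethernet/IPv4/TCP frames and produce the statistics a protocol
analyzer reports: per-conversation counts and hosts probing many ports.

Added example, not code from the slides or from Network Monitor. The frames
below are constructed in memory (checksums left at zero) rather than captured.
"""
import socket
import struct
from collections import defaultdict

ETH = struct.Struct("!6s6sH")          # dst MAC, src MAC, EtherType
IPV4 = struct.Struct("!BBHHHBBH4s4s")  # fixed 20-byte IPv4 header
TCP = struct.Struct("!HHIIBBHHH")      # fixed 20-byte TCP header
ETHERTYPE_IPV4, PROTO_TCP = 0x0800, 6
SYN, ACK = 0x02, 0x10


def build_frame(src_ip, dst_ip, sport, dport, flags, payload=b""):
    """Constructed test frame; not valid on the wire (zero checksums)."""
    eth = ETH.pack(b"\xaa" * 6, b"\xbb" * 6, ETHERTYPE_IPV4)
    ip = IPV4.pack(0x45, 0, 40 + len(payload), 0, 0, 64, PROTO_TCP, 0,
                   socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    tcp = TCP.pack(sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    return eth + ip + tcp + payload


def parse_frame(frame):
    """Return the TCP 5-tuple, flags and payload length, or None if not IPv4/TCP."""
    _dst, _src, ethertype = ETH.unpack_from(frame, 0)
    if ethertype != ETHERTYPE_IPV4:
        return None
    ver_ihl, _, total_len, _, _, _, proto, _, s, d = IPV4.unpack_from(frame, ETH.size)
    if (ver_ihl >> 4) != 4 or proto != PROTO_TCP:
        return None
    off = ETH.size + (ver_ihl & 0x0F) * 4            # skip IP options if any
    sport, dport, _, _, data_off, flags, _, _, _ = TCP.unpack_from(frame, off)
    payload = frame[off + (data_off >> 4) * 4: ETH.size + total_len]
    return {"src": socket.inet_ntoa(s), "dst": socket.inet_ntoa(d),
            "sport": sport, "dport": dport, "flags": flags,
            "payload_len": len(payload)}


def summarize(frames):
    """Packets and payload bytes per (src, dst, dst port) conversation."""
    conv = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for frame in frames:
        p = parse_frame(frame)
        if p is None:
            continue
        key = (p["src"], p["dst"], p["dport"])
        conv[key]["packets"] += 1
        conv[key]["bytes"] += p["payload_len"]
    return dict(conv)


def detect_port_sweep(frames, min_ports=5):
    """Sources that sent bare SYNs (SYN set, ACK clear) to at least
    `min_ports` distinct (host, port) targets: the signature of a port scan."""
    targets = defaultdict(set)
    for frame in frames:
        p = parse_frame(frame)
        if p and (p["flags"] & (SYN | ACK)) == SYN:
            targets[p["src"]].add((p["dst"], p["dport"]))
    return {src: len(t) for src, t in targets.items() if len(t) >= min_ports}


# Constructed capture: one normal HTTP exchange and one host sweeping ports 21-26.
SAMPLE_FRAMES = (
    [build_frame("10.0.0.1", "10.0.0.5", 50000, 80, SYN),
     build_frame("10.0.0.1", "10.0.0.5", 50000, 80, ACK, b"GET / HTTP/1.0\r\n\r\n")]
    + [build_frame("10.0.0.9", "10.0.0.5", 40000 + i, port, SYN)
       for i, port in enumerate(range(21, 27))]
)

if __name__ == "__main__":
    for key, stats in summarize(SAMPLE_FRAMES).items():
        print(key, stats)
    print("port sweeps:", detect_port_sweep(SAMPLE_FRAMES))
```

The same decode loop is what a sniffer runs over a real capture; the difference in practice is only where the bytes come from (a pcap file or a raw socket on the mirror port) and that real frames carry checksums and options the parser above already skips over via the IHL and data-offset fields.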
Understanding Signal Analysis and Intelligence
The terms signal analysis and signal intelligence refer to capturing and analyzing electronic signals. The purpose is to
identify and evaluate the enemy, identify and track communications patterns, and identify what types of technologies are
being used to send them.
Footprinting is the attacker's work of identifying your network and its security posture. It is
done using multiple sources of information to determine what systems you may be using.
DNS footprinting involves an attacker using a lookup tool (such as nslookup) to query your DNS
servers for host names, addresses, and mail and name server records that map out your systems.
Footprinting obtains the active blueprint of an organization's infrastructure and security profile.
It includes using the WhoIs and nslookup tools.
Scanning is the process of gathering data about your network configuration and determining which systems are live.
Hackers will use scanning programs to look for paths to systems in your network.
A port-scanning software utility will scan a single machine or a range of IP addresses, checking for a response on service
ports. Port scanners are useful in creating an inventory of services hosted on networked systems.
A vulnerability scanner is a software utility that will scan a range of IP addresses, testing for the presence of known
vulnerabilities in software configuration and accessible services. Unlike port scanners, which only test for the availability of
services, vulnerability scanners may check for the particular version or patch level of a service to determine its level of
vulnerability.
A network mapper is a software utility used to conduct network assessments over a range of IP addresses. It compiles a
listing of all systems and network hardware present within a network segment, which can be used to identify single points
of failure, conduct a network inventory, and create graphical details suitable for reporting on network configurations.
Penetration testing involves footprinting, scanning, and enumerating.
Scanning identifies active computers, ports, and services. It includes using the Ping, Nmap, and TraceRt tools.
Enumerating involves compiling the information from the scanning phase and identifying target systems. During this phase, actual user
and group accounts are obtained using DNS queries, NBT scans, and the snmputil tool.
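The distinction the text draws between a port scanner (is the service there?) and a vulnerability scanner (which version is it, and is that version patched?) is easiest to see in code. The following is an added example, not a tool from the course, that runs both steps against a loopback listener so it works offline. The service name "ExampleFTPd", its banner format and the "minimum patched version" table are hypothetical; a real vulnerability scanner carries a maintained database of known-vulnerable versions, which is deliberately not invented here.

```python
"""Port scanner versus vulnerability scanner, shown against a local listener.

Added example, not a tool from the slides. The product name "ExampleFTPd",
its banner format and the minimum-patched-version table are hypothetical.
"""
import re
import socket
import threading

# Hypothetical knowledge base: product -> oldest version considered patched.
MIN_PATCHED_VERSION = {"ExampleFTPd": (1, 2, 0)}
BANNER_RE = re.compile(r"([A-Za-z][\w-]*)/(\d+(?:\.\d+)*)")


def scan_port(host, port, timeout=1.0):
    """Port-scanner view: open/closed, plus whatever banner the service volunteers."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        if s.connect_ex((host, port)) != 0:
            return {"port": port, "state": "closed", "banner": ""}
        try:
            banner = s.recv(256).decode("ascii", "replace").strip()
        except (socket.timeout, OSError):
            banner = ""  # open, but the service waits for us to speak first
        return {"port": port, "state": "open", "banner": banner}


def scan_ports(host, ports, timeout=1.0):
    return [scan_port(host, p, timeout) for p in ports]


def parse_banner(banner):
    """Extract (product, version tuple) from a banner like '220 ExampleFTPd/1.1 ready'."""
    m = BANNER_RE.search(banner)
    if not m:
        return None
    return m.group(1), tuple(int(x) for x in m.group(2).split("."))


def assess(banner, min_patched=MIN_PATCHED_VERSION):
    """Vulnerability-scanner view: compare the advertised version with the
    patch level we know about. None means 'unknown service', not 'safe'."""
    parsed = parse_banner(banner)
    if parsed is None or parsed[0] not in min_patched:
        return {"product": None, "version": None, "vulnerable": None}
    product, version = parsed
    need = min_patched[product]
    padded = version + (0,) * (len(need) - len(version))  # 1.1 compares as 1.1.0
    return {"product": product, "version": version, "vulnerable": padded < need}


def start_banner_server(banner, host="127.0.0.1"):
    """Loopback stand-in for a real service (constructed for the demo).
    Returns (listening socket, port); close the socket to stop it."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return  # listener closed
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def unused_loopback_port():
    """Pick a port nobody is listening on, to show the 'closed' case."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    srv, port = start_banner_server(b"220 ExampleFTPd/1.1 ready\r\n")
    for r in scan_ports("127.0.0.1", [port, unused_loopback_port()]):
        verdict = assess(r["banner"]) if r["state"] == "open" else ""
        print(r, verdict)
    srv.close()
```

Two practitioner caveats the slides leave implicit: a banner is self-reported and can be changed by the administrator, so banner-based assessment produces both false positives (back-ported fixes keep the old version string) and false negatives (the banner was suppressed); and a `connect_ex` scan completes the TCP handshake, so it shows up in the target's logs, unlike the half-open SYN scan a tool such as Nmap defaults to when run with privileges.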
The End