WHAT ARE THE THREE "CORE/KEY SKILLS"?
COMP3371
Cyber Security
Richard Henson
University of Worcester
November 2015
Week 7: Prevention Strategies
Objectives:
Relate B2B and B2C hesitancy over use of the
www to ignorance about the PKI
Use high level Information Security policy to drive
change in an organisation
Identify potential internal and external threats to
company data
Use vulnerability/penetration testing to check
access to the network from outside
Global Use of SSL/PKI
According to recent figures, nearly all top
companies in the US are now using SSL/PKI
for secure communications:
top 40 e-commerce sites
all Fortune 500 companies with a web presence
Conclusion: technology tried and tested; has
become industry-standard
Problem
is technology implemented correctly?
who bothers to check?
Security and Online trading
"Online shopping gets a bad rap in the press, but
most of the stories reported are anecdotal tales of
companies that haven't put successful defensive
measures in place"
"Web businesses running proper screening of
customer information are suffering very little, with
average fraud losses held to just over 1%.”
“Fraud control is clearly possible online, although
many companies do not implement stringent
screening and prevention measures.”
Why are security problems
STILL arising?
Repeating research findings:
SSL/PKI reliable
However…
Many companies not applying strict security
measures such as SSL/PKI are:
» being defrauded
» skewing the statistics for more responsible online
traders
Solution?
Encryption alone is
not enough!
The other aspect of SSL/PKI is the
establishment of trust between online vendors
and customers
usually achieved by providing a digital certificate
system:
» verifies the identity at each end of the communication link
» thereby authenticating the server/user
The savvy user knows about digital certificates
and expects to be able to view them online
Security Differences between
B2B and B2C
ASSUMING THAT business sets
themselves up properly for online trading
use server certificates for their servers
use SSL to ensure data is encrypted
train users to be aware of danger signs
A B2B customer using the web will
(SHOULD!!!) understand implications of
security messages from the browser
Organisational Data Security
Strategy: Where to start?
Can’t START with technology
needs to start with ISSUES that need addressing
Should be primarily “top down”
concerned with policies, not technical matters…
can be supplemented by “bottom up” approach
Technologies can be used to put policies into
practice
degree of success in the latter depends on:
» communication of policies
» understanding of technologies
Information Security Policy matters
Who will quantify the threats?
Head of IT?
External Consultant?
both?
Who will suggest strategies to mitigate
against those threats?
as above?
Who will make the policies?
Senior Management
» with guidance…
Creating a Policy
The same principles apply as with the
introduction of ANY change in organisational
policy
MUST come from the top!!!
Problem: senior management generally don’t
understand IT…
Big responsibility on the IT manager to
convince senior management:
that policy (change) is necessary!
that the organisation won’t suffer financially
the consequences of NOT implementing such a
change
Going beyond a
Creating a Policy…
According to the latest BERR figures, the
majority of businesses say they have an
information security policy
but is it implemented???
One possible approach to making sure policy
gets through to all parts of an organisation is
to implement a quality standard
e.g. ISO27001… also ISACA, IASME, others
Role of the Adviser/Consultant
Specialist knowledge of Information Security
in organisations
Aware of the need to convince senior
management that the cost involved in
achieving a quality standard is worthwhile
In an SME:
the adviser can provide moral, intellectual, and
evidential support for the IT manager’s position
In a microbusiness:
there is no IT manager…
adviser will usually be supporting the most IT-literate employee against a sceptical senior mgt…
How achieving a quality standard
could help with business strategy
Whatever the business:
any new work will have a cost
that cost needs to be qualified
More cost means less profit…
what is the ROI of achieving a high level of
information security (assurance)?
Potential Financial Benefits
of Information Assurance
Need to be sold to senior mgt…
less risk of losing valuable (even strategically
important…) data
» less likely to get embarrassing leaks, which could even
get to the media (!)
» less likely to fall foul of the law (!)
an ever growing set of examples of businesses
who have done both of the above
» evidence that they lost customers and share price
dropped…
Role of Adviser/Consultant
Needs to have good credentials to be
credible:
plenty of experience in this area
contacts in the industry
good track record for:
» knowledgeability
» keeping up to date
» communication of knowledge
needs to be able to put technical problems into
terms that non-technologists can understand….
» very many technical “solutions” available that would be
unnecessary if systems and procedures were properly
implemented
Protection against the Threats
Internal threats?
should be addressed directly through
implementation of IS policy
External Threats?
Normally addressed through:
» 1. vulnerability scanning
» 2. action taken from vulnerability reports
Information Security Strategy
Identify and quantify ALL potential security
threats:
BOTH internal
» Policy should already exist!
» Most likely will need updating
AND external
» May have been neglected as the Internet crept into
the network!
Need to set out a policy that, if implemented
correctly, WILL effectively secure data
What and Why of
“Footprinting”
Definition:
“Gathering information about a “target” system”
Could be Passive (non-penetrative) or active
Find out as much information about the digital and
physical evidence of the target’s existence as possible
» need to use multiple sources…
» may (“black hat” hacking) need to be done secretly
Rationale for “passive”
Footprinting
Real hacker may be able to gather what
they need from public sources
organisation needs to know what is “out
there”
Methodology:
start by finding the URL (search engine)
» e.g. www.worc.ac.uk
from main website, find other external-facing
names
» e.g. staffweb.worc.ac.uk
Information Gathered without
Penetration Testing
Domain Names
User/Group names
System Names
IP addresses
Employee Details/Company Directory
Network protocols used & VPN
start/finish
Company documents
Intrusion detection system used
Website Connections & History
History: use www.archive.org:
The Wayback Machine
Connections: use robtex.com
Business Intelligence:
sites that reveal company details
e.g. www.companieshouse.co.uk
More Company Information…
“Whois” & CheckDNS.com:
lookups of IP/DNS combinations
details of who owns a domain name
details of DNS Zones & subdomains
Job hunters websites:
e.g. www.reed.co.uk
www.jobsite.co.uk
www.totaljobs.com
People Information
Company information will reveal names
Use names in
search engines
Facebook
LinkedIn
Google Earth reveals:
company location(s)
Physical Network Information
(“active” footprinting or phishing)
External “probing”
should be detectable by a good defence
system… (could be embarrassing!)
e.g. Traceroute:
Uses ICMP protocol “echo”
» no TCP or UDP port
reveals names/IP addresses of intelligent
hardware:
» e.g. Routers, Gateways, DMZs
Email Footprinting
Using the email system to find the
organisation’s email names structure
“passive” monitor emails sent
» IP source address
» structure of name
“active” email sending programs :
» test whether email addresses actually exist
» test restrictions on attachments
Phishing to extract user data
(not intelligence gathering)
Send email user a message with a link
or attachment
link is a form which tries to get their
personal data
attachment contains malware which will
infect their system
Phishing a bit obvious to professionals…
» wouldn’t be used by network infiltrators trying to
hide their tracks
Utilizing Google etc.
(“passive”)
Google: Advanced Search options:
Uses [site:] [intitle:] [allintitle:] [inurl:]
In each case a search string should follow
e.g. “password”
Maltego
graphical representations of data
Network Layers and Hacking
Schematic TCP/IP stack interacting at three of
the 7 OSI levels (network, transport, application):
[figure] application-layer protocols TELNET, FTP, SMTP, NFS,
DNS and SNMP sit on TCP and UDP ports, which in turn run over IP
TCP & UDP ports
Hackers use these to get inside firewalls etc.
Essential to know the important ones:
20, 21 ftp
22 ssh
23 telnet
25 smtp
53 dns
60 tftp
80 http
88 Kerberos
110 pop3
135 smb
137-9 NetBIOS
161 snmp
389 Ldap
443 https
636 Ldap/SSL
Reconnaissance/Scanning
Three types of scan:
Network (already mentioned)
» identifies active hosts
Port
» send client requests until a suitable active port has been
found…
Vulnerability
» assessment of devices for weaknesses that can be exploited
Scanning Methodology
Check for Live Systems
Check for open ports
“Banner Grabbing”
Scan for vulnerabilities
Draw Network diagram(s)
Prepare proxies…
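The slides say external probing "should be detectable by a good defence system". The following is an added example (not part of the lecture) of the simplest such detector: it reads firewall deny-log lines and flags any source that touches many distinct destination ports within a short window, which is the signature of the port scan step in the methodology above. The log format, the addresses and the threshold are constructed assumptions for the example.

```python
"""Added example: flag port scans from firewall deny logs (constructed sample data)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines; assumed format:
#   "<ISO time> DENY <src_ip> -> <dst_ip>:<dst_port>/<proto>"
# 203.0.113.7 walks through the "important" ports from the slides within seconds;
# 198.51.100.4 merely retries telnet twice, which is not a scan.
SAMPLE_LOG = """\
2015-11-09T10:00:01 DENY 203.0.113.7 -> 192.0.2.10:21/tcp
2015-11-09T10:00:01 DENY 203.0.113.7 -> 192.0.2.10:22/tcp
2015-11-09T10:00:02 DENY 203.0.113.7 -> 192.0.2.10:23/tcp
2015-11-09T10:00:02 DENY 203.0.113.7 -> 192.0.2.10:25/tcp
2015-11-09T10:00:03 DENY 203.0.113.7 -> 192.0.2.10:53/tcp
2015-11-09T10:00:03 DENY 203.0.113.7 -> 192.0.2.10:79/tcp
2015-11-09T10:00:04 DENY 203.0.113.7 -> 192.0.2.10:110/tcp
2015-11-09T10:00:04 DENY 203.0.113.7 -> 192.0.2.10:135/tcp
2015-11-09T10:00:05 DENY 203.0.113.7 -> 192.0.2.10:139/tcp
2015-11-09T10:00:05 DENY 203.0.113.7 -> 192.0.2.10:161/udp
2015-11-09T10:00:05 DENY 203.0.113.7 -> 192.0.2.10:389/tcp
2015-11-09T10:01:30 DENY 198.51.100.4 -> 192.0.2.10:23/tcp
2015-11-09T10:02:15 DENY 198.51.100.4 -> 192.0.2.10:23/tcp
2015-11-09T10:20:00 DENY 203.0.113.7 -> 192.0.2.10:443/tcp
"""


def parse_line(line):
    """Parse one log line into (timestamp, source IP, destination port)."""
    ts, _action, src, _arrow, dst = line.split()
    _host, port_proto = dst.split(":")
    port = int(port_proto.split("/")[0])
    return datetime.fromisoformat(ts), src, port


def detect_port_scans(log_text, window=timedelta(seconds=60), threshold=10):
    """Return {src_ip: sorted distinct ports} for every source that hit at least
    `threshold` distinct destination ports inside any `window`-long interval."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, src, port = parse_line(line)
            events[src].append((ts, port))

    alerts = {}
    for src, evs in events.items():
        evs.sort()  # by timestamp, so a sliding window can be used
        best = set()
        start = 0
        for end in range(len(evs)):
            # shrink the window from the left until it spans at most `window`
            while evs[end][0] - evs[start][0] > window:
                start += 1
            ports = {port for _, port in evs[start:end + 1]}
            if len(ports) > len(best):
                best = ports
        if len(best) >= threshold:
            alerts[src] = sorted(best)
    return alerts


if __name__ == "__main__":
    for src, ports in detect_port_scans(SAMPLE_LOG).items():
        print(f"possible port scan from {src}: {len(ports)} ports {ports}")
```

The window matters: the same source's later probe of port 443 twenty minutes on does not join the earlier burst, so a slow scan spread over hours needs a wider window (and a lower threshold) to be caught, at the cost of more false positives from ordinary traffic.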
Legality and Vulnerability
Scanning
Depends on whether you have asked!
running tests like this requires equipment
and an experts time
would charge for the service, so… yes,
would be normal!
Hacker wouldn’t want organisation to
know
wouldn’t ask!
illegal but gambles on not being caught!
Ethical Hacking Principles
Hacking is a criminal offence in the UK
covered through The Computer Misuse Act
(1990)
tightened in 2006
Can only be done ”legally” by a trained
(or trainee) professional
a computing student would be considered
in this context under the law
Ethical Hacking principles
Even if it is legal, doesn’t mean it is ethical!
Professionals only hack without permission
if there is reason to believe a law is being
broken
if not… they must ask permission
otherwise definitely unethical (and illegal…
“gaining access without permission”)
“Scanning” Methodology
Check for Live Systems
Check for open ports
“Banner Grabbing”
e.g. bad html request
Scan for vulnerabilities
Draw Network diagram(s)
Prepare proxies…
Proxy Hacking (or Hijacking)
Attacker creates a copy of the targeted
web page on a proxy server
uses methods like:
» keyword stuffing
» linking to the copied page from external sites…
Artificially raises search engine ranking
authentic page will rank lower…
» may even be seen as duplicated content, in
which case a search engine may remove it
from its index
Typical Types of
External Attacks - 1
Exhaustive
“brute force” attacks using all possible
combinations of passwords to gain access
Inference
taking educated guesses on passwords, based on
information gleaned
TOC/TOU (Time of check/use)
1. use of a “sniffer” to capture log on data
2. (later) using captured data & IP address in an
attempt to impersonate the original user/client
Typical Types of
External Attacks - 2
Three other types of attacks that
firewalls should be configured to
protect against:
denial of service (DOS) attacks
distributed denial of service (DDOS)
attacks
IP Spoofing (pretence that the data is
coming from a “safe” source IP address
Blocking TCP ports
with a Firewall
Very many TCP and UDP ports:
0 - 1023 are tightly bound to application services
1024 – 49151 more loosely bound to services
49152 – 65535 are private, or “dynamic”
In practice, any port over 1023 could be
assigned dynamically to a service…
One of the more useful features of a firewall is
that ports can be configured, and therefore
data flow can be monitored and controlled
Blocking TCP ports
with a Firewall
Generally, TCP ports should be:
EITHER open for a service (e.g. HTTP on
port 80)
OR… blocked if no service, to stop
opportunists
But if the firewall only allows “official
services” this can cause problems for
legitimate users
e.g. if port 25 is blocked, email data
cannot be sent
Protecting Against TCP/IP
Attacks, Probes and Scans
TCP/IP protocol stack has been
largely unchanged since the early
1980's:
more than enough time for hackers to
discover their weaknesses
often attack through a particular TCP
port
TCP Port 21: FTP
(File Transfer Protocol)
FTP servers excellent
BUT by their very nature they open up very big
security holes
those that allow anonymous logins are used:
» to launch attacks on the server itself, by connecting to the
C: drive and downloading viruses or overwriting/deleting
files
» to store pirated files and programs
Precaution:
configure FTP servers NOT to accept anonymous
logins
only allow access to port 21 through the firewall to
that particular server
TCP Port 23: Telnet
Telnet is really good for providing access to
servers and other devices
accessing a server via Telnet is very much like being
physically located at the server console
Protecting against Telnet is simple:
block ALL access to port 23 from the outside
block perimeter networks to the inside
Protecting internal servers from attack from the
inside:
configure them to accept telnet connections from
very few sources
block port 23 completely…
TCP Port 25: SMTP
Email programs large, complex, accessible…
Therefore an easy target…
Buffer overrun:
» attacker enters more characters – perhaps including
executable code - into an email field (e.g. To: ) than is
expected by an email server
– error could be generated
– hackers could gain access to the server and the network
SPAM attack:
» protocol design allows a message to go directly from the
originator's email server to the recipient's email server
can ALSO be relayed by one or more mail servers in the middle
BUT… this is routinely abused by spammers
– forward message to thousands of unwilling recipients
Port 25 SMTP: solution…
Buffer Overrun:
Solution: put server on a perimeter
network
Spam Attack
Solution: DISABLE the relaying
facility…
TCP and UDP Port 53: DNS
(Domain Name Service)
One of the core protocols of the Internet
without it, domain name to IP address
translation would not exist
PROBLEMS: If a site hosts DNS,
attackers will try to:
modify DNS entries
download a copy of your DNS records (a
process called zone transfer)
Port 53 DNS: Solution…
Solution:
configure firewall to accept connections from the
outside to TCP port 53 only from your secondary
DNS server
» the one downstream from you e.g. your ISP
consider creating two DNS servers: one on your
perimeter network, the other on the internal
network:
» perimeter DNS will answer queries from the outside
» internal DNS will respond to all internal lookups
» configure a Stateful inspection firewall to allow replies to
internal DNS server, but deny connections being initiated
from it
TCP Port 79: Finger
A service that enumerates all the
services you have available on your
network servers:
invaluable tool in probing or scanning a
network prior to an attack!
To deny all this information about
network services to would-be attackers,
just block port 79…
TCP Ports 109-110: POP
(Post Office Protocol)
POP easy-to-use…
but sadly it has a number of insecurities
The most insecure version is POP3
which runs on port 110
if the email server requires POP3, block all
access to port 110 except to that server
if POP3 not used, block port 110 entirely…
TCP Ports 135 and 137
NetBIOS
The Microsoft Windows protocol used
for file and print sharing
last thing you probably want is for users on
the Internet to connect to your servers' files
and printers!
Block NetBIOS. Period!
UDP Port 161 SNMP
SNMP is important for remote management
of network devices:
but also it poses inherent security risks
stores configuration and performance parameters
in a database that is then accessible via the
network…
If network is open to the Internet, hackers can
gain a large amount of very valuable
information about the network…
So… if SNMP is used:
allow access to port 161 from internal network
only
otherwise, block it entirely
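The port-by-port advice above (FTP only to one server, block telnet from outside, TCP 53 only from the secondary DNS, a perimeter DNS that answers outside queries while the internal DNS may only receive replies, block finger, POP3 only to the mail server, block NetBIOS, SNMP from inside only, default block for anything without a service) amounts to an ordered first-match rule set. The block below is an added example, not code from the lecture, that expresses those rules as predicates and evaluates constructed packets against them; the host addresses, zone names and the simplified packet model are assumptions made for the example.

```python
"""Added example: first-match firewall policy for the port advice in these slides.
Hosts, zones and the packet model are constructed for the example."""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# Assumed layout (constructed): perimeter hosts in 192.0.2.0/24, inside in 10.0.0.0/8.
FTP_SERVER = "192.0.2.21"        # the only host allowed to receive FTP from outside
MAIL_SERVER = "192.0.2.25"       # SMTP/POP3 server, placed on the perimeter network
WEB_SERVER = "192.0.2.80"
PERIMETER_DNS = "192.0.2.53"     # answers queries from the outside
INTERNAL_DNS = "10.0.0.53"       # answers internal lookups only
SECONDARY_DNS = "198.51.100.53"  # the ISP's downstream secondary, allowed to pull zones


@dataclass(frozen=True)
class Packet:
    proto: str                    # "tcp", "udp" or "icmp"
    src_zone: str                 # "outside" or "inside"
    dst_zone: str
    src_ip: str
    dst_ip: str
    dst_port: Optional[int] = None
    icmp_type: Optional[str] = None
    initiated: bool = True        # False: reply belonging to a connection already allowed


Rule = Tuple[str, Callable[[Packet], bool], str]

# First matching rule wins; the last rule is the default deny.
RULES: List[Rule] = [
    ("stateful: allow replies to connections we already permitted",
     lambda p: not p.initiated, "ALLOW"),
    ("block ICMP echo request/reply (ping floods, ping of death)",
     lambda p: p.proto == "icmp" and p.icmp_type in ("echo-request", "echo-reply"), "DENY"),
    ("telnet: block all access to port 23 from outside",
     lambda p: p.src_zone == "outside" and p.proto == "tcp" and p.dst_port == 23, "DENY"),
    ("ftp: port 20/21 only to the designated FTP server",
     lambda p: p.proto == "tcp" and p.dst_port in (20, 21) and p.dst_ip == FTP_SERVER, "ALLOW"),
    ("ftp: any other destination is blocked",
     lambda p: p.proto == "tcp" and p.dst_port in (20, 21), "DENY"),
    ("smtp: deliver mail only to the perimeter mail server",
     lambda p: p.proto == "tcp" and p.dst_port == 25 and p.dst_ip == MAIL_SERVER, "ALLOW"),
    ("dns: TCP 53 (zone transfer) from outside only from the secondary",
     lambda p: p.src_zone == "outside" and p.proto == "tcp" and p.dst_port == 53
     and p.src_ip == SECONDARY_DNS and p.dst_ip == PERIMETER_DNS, "ALLOW"),
    ("dns: perimeter server answers UDP queries from outside",
     lambda p: p.src_zone == "outside" and p.proto == "udp" and p.dst_port == 53
     and p.dst_ip == PERIMETER_DNS, "ALLOW"),
    ("dns: everything else on 53 from outside is blocked",
     lambda p: p.src_zone == "outside" and p.dst_port == 53, "DENY"),
    ("dns: internal server may not initiate connections outward",
     lambda p: p.src_ip == INTERNAL_DNS and p.dst_zone == "outside", "DENY"),
    ("finger: block port 79",
     lambda p: p.proto == "tcp" and p.dst_port == 79, "DENY"),
    ("pop3: port 110 only to the mail server",
     lambda p: p.proto == "tcp" and p.dst_port == 110 and p.dst_ip == MAIL_SERVER, "ALLOW"),
    ("pop3: blocked elsewhere",
     lambda p: p.proto == "tcp" and p.dst_port == 110, "DENY"),
    ("netbios: block 135 and 137-139 from outside, period",
     lambda p: p.src_zone == "outside" and p.dst_port in (135, 137, 138, 139), "DENY"),
    ("snmp: UDP 161 from the internal network only",
     lambda p: p.proto == "udp" and p.dst_port == 161 and p.src_zone == "inside", "ALLOW"),
    ("snmp: blocked from outside",
     lambda p: p.proto == "udp" and p.dst_port == 161, "DENY"),
    ("web: HTTP/HTTPS to the web server",
     lambda p: p.proto == "tcp" and p.dst_port in (80, 443) and p.dst_ip == WEB_SERVER, "ALLOW"),
    ("default deny: no service, no access", lambda p: True, "DENY"),
]


def evaluate(packet: Packet) -> Tuple[str, str]:
    """Return (verdict, description of the rule that decided it)."""
    for description, matches, verdict in RULES:
        if matches(packet):
            return verdict, description
    raise AssertionError("unreachable: the default rule always matches")


def outside(proto, dst_ip, dst_port=None, src_ip="203.0.113.9", **kw):
    """Helper: a connection attempt arriving from the Internet (constructed source)."""
    return Packet(proto, "outside", "inside", src_ip, dst_ip, dst_port, **kw)


if __name__ == "__main__":
    for pkt in (outside("tcp", WEB_SERVER, 80), outside("tcp", WEB_SERVER, 23),
                outside("tcp", FTP_SERVER, 21), outside("tcp", WEB_SERVER, 21),
                outside("tcp", PERIMETER_DNS, 53, src_ip=SECONDARY_DNS),
                outside("icmp", WEB_SERVER, icmp_type="echo-request")):
        print(pkt.proto, pkt.dst_ip, pkt.dst_port, "->", evaluate(pkt))
```

Order is the whole point of a first-match policy: the stateful "allow replies" rule sits first so that the internal DNS server receives answers, while the later rule denies anything it initiates; swapping a specific allow (FTP to one server) with its general deny (all other FTP) silently changes the outcome, which is why each rule reports its own description so a reviewer can see which line actually decided a packet.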
Denial of Service (DoS) Attacks
An attempt to harm a network by
flooding it with traffic so that network
devices are overwhelmed and unable to
provide services.
One of the primary DOS attacks uses
Ping, an ICMP (Internet Control
Message Protocol) service:
sends a brief request to a remote computer
asking it to echo back its IP address
“Ping” Attacks
Dubbed the "Ping of Death"
Two forms:
the attacker deliberately creates a very large ping
packet and then transmits it to a victim
» ICMP can't deal with large packets
» the receiving computer is unable to accept delivery and
crashes or hangs
an attacker will send thousands of ping requests
to a victim so that its processor time is taken up
answering ping requests, preventing the processor
from responding to other, legitimate requests
Protection:
block ICMP echo requests and replies
ensure there is a rule blocking "outgoing time
exceeded" & "unreachable" messages
Distributed Denial of Service
Attacks/IP Spoofing
Related :
A DDOS attack has occurred when attackers gain
access to a wide number of PCs and then use
them to launch a coordinated attack against a
victim
» often rely on home computers, since they are less
frequently protected (they can also use worms and
viruses)
If IP spoofing is used, attackers can gain access to
a PC within a protected network by obtaining its IP
address and then using it in packet headers
Protection against DDOS
& IP Spoofing
Block traffic coming into the network that contains
IP addresses from the internal network…
In addition, block the following private IP, illegal
and unroutable addresses:
Illegal/unroutable:
» 255.255.255.255, 27.0.0.0, 240.0.0.0, & 0.0.0.0
“Private” addresses useful for NAT, or Proxy Servers (RFC 1918):
» 10.0.0.0-10.255.255.255
» 172.16.0.0-172.31.255.255
» 192.168.0.0-192.168.255.255
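The anti-spoofing advice above is ingress filtering: a packet arriving from the Internet whose source claims to be one of our own addresses, an RFC 1918 private address, or an unroutable address cannot be genuine and is dropped. The block below is an added example, not from the lecture, that classifies source addresses with Python's standard `ipaddress` module. It goes slightly beyond the slide in two ways: it adds the loopback block 127.0.0.0/8 to the unroutable list, and it also checks the complementary outgoing direction (packets leaving the network must carry one of our own addresses, so our hosts cannot be used as a spoofed DDoS source). The organisation's address ranges and the sample packets are constructed assumptions.

```python
"""Added example: ingress/egress anti-spoofing filter for the address list in these slides.
Our address ranges and the sample packets are constructed."""
import ipaddress
from typing import Dict, List, Tuple

# Constructed: the organisation's own address space. Neither range may ever appear as the
# *source* of a packet arriving on the outside interface.
OUR_PUBLIC = ipaddress.ip_network("192.0.2.0/24")
OUR_INTERNAL = ipaddress.ip_network("10.0.0.0/8")

# RFC 1918 private space (as listed in the slides) plus addresses that are never routable
# on the public Internet. 240.0.0.0/4 covers 240.0.0.0 up to and including 255.255.255.255;
# 0.0.0.0/8 covers 0.0.0.0; 127.0.0.0/8 (loopback) is added here.
BOGON_RANGES = {
    "rfc1918 private": [ipaddress.ip_network(n) for n in
                        ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")],
    "unspecified (0/8)": [ipaddress.ip_network("0.0.0.0/8")],
    "loopback (127/8)": [ipaddress.ip_network("127.0.0.0/8")],
    "reserved (240/4, incl. 255.255.255.255)": [ipaddress.ip_network("240.0.0.0/4")],
}


def classify_source(src: str) -> Tuple[str, str]:
    """Verdict for a packet's source address seen on the OUTSIDE interface (ingress)."""
    addr = ipaddress.ip_address(src)
    # Our own space first: that is the classic spoof of an internal/trusted host.
    for net in (OUR_PUBLIC, OUR_INTERNAL):
        if addr in net:
            return "DENY", f"spoofed: claims our own address space {net}"
    for label, nets in BOGON_RANGES.items():
        if any(addr in net for net in nets):
            return "DENY", f"unroutable source ({label})"
    return "ALLOW", "routable public source"


def check_packet(direction: str, src: str) -> Tuple[str, str]:
    """direction: "in" (from the Internet) or "out" (leaving our network after NAT).
    Egress check assumes internal hosts are NATed to OUR_PUBLIC before reaching the edge."""
    if direction == "in":
        return classify_source(src)
    if direction == "out":
        if ipaddress.ip_address(src) in OUR_PUBLIC:
            return "ALLOW", "our own address leaving the network"
        return "DENY", "outgoing packet with a source address we do not own"
    raise ValueError(f"unknown direction {direction!r}")


# Constructed sample traffic: (direction, source address).
SAMPLE_PACKETS: List[Tuple[str, str]] = [
    ("in", "203.0.113.7"),        # ordinary Internet host
    ("in", "10.1.2.3"),           # claims to be one of our internal hosts
    ("in", "192.0.2.99"),         # claims to be one of our public hosts
    ("in", "172.20.1.1"),         # RFC 1918
    ("in", "192.168.1.50"),       # RFC 1918
    ("in", "0.0.0.0"),
    ("in", "255.255.255.255"),
    ("in", "127.0.0.1"),
    ("out", "192.0.2.10"),        # legitimate outgoing
    ("out", "198.51.100.4"),      # our network being used to spoof someone else
]


def summarize(packets: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Group sample packets by verdict: {"ALLOW": [src, ...], "DENY": [src, ...]}."""
    out: Dict[str, List[str]] = {"ALLOW": [], "DENY": []}
    for direction, src in packets:
        verdict, _reason = check_packet(direction, src)
        out[verdict].append(src)
    return out


if __name__ == "__main__":
    for direction, src in SAMPLE_PACKETS:
        print(f"{direction:>3} {src:>17}: {check_packet(direction, src)}")
```

Prefix matching is what makes this robust: the slide's single address 240.0.0.0 becomes the whole reserved block 240.0.0.0/4, and 255.255.255.255 falls inside it, so one rule covers both entries.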
Finally, keep anti-virus software up-to-date, &
firewall software patched and up-to-date