Transcript Authentication

Basic Network Security
Lesson 9
Objectives
Exam Objective Matrix
Technology Skill Covered
Exam Objective
Exam Objective Number
Explain common threats, vulnerabilities, and
mitigation techniques.
• Wireless:
• War driving
• War chalking
• WEP cracking
• WPA cracking
• Evil twin
• Rogue access point
• Attacks:
• DoS
• DDoS
• Man-in-the-middle
• Social engineering
• Virus
• Worms
• Buffer overflow
• Packet sniffing
• FTP bounce
• Smurf
5.4
Network Security Considerations
Basic Network Security
Objectives
Exam Objective Matrix
Technology Skill Covered
Exam Objective
Exam Objective Number
Countering Basic Security Threats
Given a scenario, use the appropriate
network monitoring
resource to analyze traffic.
• SNMP
• SNMPv2
• SNMPv3
Explain methods of user authentication.
• PKI
• Kerberos
• AAA (RADIUS, TACACS+)
• Network access control (802.1x, posture
assessment)
• CHAP
• MS-CHAP
4.4
5.3
Network Security Considerations
• Security policies should address:
– Security threats your organization has to
combat
– What you can do to combat a security threat
– What you should do after a security violation
has taken place
Social Engineering
• Tricking or manipulating a person into
revealing important information
Phishing
Stealing
passwords
Identity
theft
Dumpster
diving
Phishing
• Using various means to trick people into
revealing passwords, account numbers,
social security numbers, and various other
sensitive pieces of information
• Common phishing scenarios
– Foreign/unknown entities offering large
transfers of money
– E-mail requests to update banking
information
Phishing (Continued)
• Countering threats
– Verification of identifying picture
– Verification of identifying question(s)
– Development of other methods
Stealing Passwords
• Hackers find stealing passwords easier than
breaking into a computer system
– Many passwords are obvious phrases
specific to users
• Methods used to steal passwords
– Phishing/asking user about family, pets,
friends, and so on
– Printed document hidden nearby computer
Stealing Passwords (Continued)
• Protecting passwords
– Do not write password on paper
– Create passwords that are easy to remember
but difficult to crack
– Check the strength of the password
– Do not discuss password development
techniques
Identity Theft
• The act of presenting yourself as someone
you are not in order to steal in one way or
another from the person you are presenting
yourself to be
• Common techniques
– Stealing pin and/or bank account number
and illegitimately representing self as owner
– Elaborate phishing schemes
Identity Theft (Continued)
• Ways to protect information
– Closely monitor financial activities
– Pay third-party to monitor financial activities
– Vigorously investigate and resolve any
unusual transactions
Dumpster Diving
• The act of going through someone's garbage
looking for personal information that can be
used for identity theft
• Information sources
– Preapproved credit card applications
– Company intellectual property
Malicious Software
• A broad category that includes any software
that is used against a company or person
• Intent behind the malicious software varies
– A harmless prank
– A deliberate attempt to cause extreme harm
– To capture information from a victim; used
for identity theft or targeted marketing
Spyware
• Software that is slipped onto a computer for
the purpose of gaining private information
about the target computer or how the
computer is used
• Can be slipped onto computers:
– Via web browsers
– By tricking people into installing it along with
software they intended to install
– Through e-mail
Viruses
• A type of malicious software that modifies
the code of existing programs in an attempt
to cause harm, reproduce itself, and/or to
escape detection
– A macro virus attaches to documents
produced by common software applications
– Anti-virus software greatly reduces
occurrences
– Software updates limit damage with built-in
warnings
Worms
• Complete stand-alone programs that are
smuggled onto a computer via some
legitimate-seeming method and designed to
carry out specific instructions that are
detrimental to the computer or its user
without the user's knowledge
– Identification of worms
– Ways smuggled in
– Options to avoid
Trojans
• Malicious programs that actively
masquerade as legitimate programs that
belong on your computer
• Designed to sneak onto a target system and
run without interference
• Used to create botnet systems
Threats from Attackers
• Social engineering
• Denial of Service (DoS) and Distributed
Denial of Service (DDoS) threats
• Smurf attacks
• Buffer overflow
• Man-in-the-middle attacks
• Packet sniffing
• FTP bounce
Social Engineering
• Social engineering is single biggest threat
from attacked network
• Effective network protection gained through
training
– To identify and understand
– To thwart attackers
– To report observed or suspected activity
Denial of Service
• Denial of Service (DoS) and Distributed
Denial of Service (DDoS)
• DoS threats attempt to deny computer
services in some way or another
• DDoS attacks are launched from multiple
locations against one or multiple targets all
at once
– Zombie network or botnet
Forming a Zombie Network or Botnet
Distributed Denial of Service (DDoS) Attack
Using a Zombie Network or Botnet
Smurf Attacks
• A DoS attack in which the target server or
network is flooded with Internet Control
Message Protocol (ICMP) replies
– Causes overloading of inbound network lines
– Named after Smurf Trojan; similar to a
Fraggle attack
– No longer common
Buffer Overflows
• Buffer is a section of memory that has been
set aside to use for actions related to a
program
• Buffer overflow (overrun) occurs when too
much data in one section causes it to take
space in adjacent memory locations
– Overflow attacks vary with operating systems
– Different attacks produce different results
Man-in-the-Middle (MITM) Attacks
• A person positions him- or herself between
two other people and eavesdrops on them
• MITM attacks also known as
– Bucket-brigade, fire-brigade, monkey-in-the
middle, session and TCP hijacking
• Attacks used to intercept
– HTTP and HTTPS communications
– E-mail communications
– Encryption key exchanges
Mallory Perpetrating a Nan-in-theMiddle Attack Against Bob
Packet Sniffing
• The practice of capturing packets as they go
by on the network and then opening them to
see what is in them
• Is used to
– Spoof addresses
– Determine network protocols
– View contents of captured packets
FTP Bounce
• An exploit against the FTP protocol in which
the attacker uses the PORT command to
indirectly gain access to ports that are
opened on the computer they are attempting
to attack
• Ports may be reassigned for another
purpose
• Attack minimizes scan being detected
• nmap program can utilize FTP bounce
Wireless Threats
• War driving
– Warchalking
• WEP cracking
• WPA cracking
• Rogue access points
– Evil twin
War Driving
• The practice of driving around in a car in an
area or neighborhood looking for open
wireless networks that can be used by the
driver for their own purposes
• Warchalking (variation on war driving)
– Symbols placed on outdoor surfaces
indicating availability and type of wireless
access points
Commonly Used Warchalking Symbols
WEP Cracking
• Breaking or decoding an encryption scheme
used for passwords, wireless network
access, or any other encrypted object
• Easiest scheme to crack
• Downloadable tools available
WPA Cracking
• Same as WEP cracking except encryption
protocol targeted is WPA
• Has both encryption and authentication
functions
• Downloadable tools available
Rogue Access Points
• Unauthorized access points added to a
wireless network
• May be malicious or benign
• Often used in many man-in-the-middle
attacks
• Determining legitimate access points
• Evil twin
Rogue Access Point
Countering Basic Security Threats
Device
security
Passwords
Certificates
Encryption
Authentication
Device Security
• Physical security
• Restricting local and remote access
– Local access via LAN
– Remote access via WAN
• Secure versus unsecure access methods
– What you know
– What you have
– What you are
Device Security (Continued)
• Protocols
– Predefined standardized sets of rules used to
communicate on a network
• Secure protocols
– Predefined standardized sets of rules used to
secure communications on a network
• Security strives for:
– Confidentiality, integrity, authentication
Device Security (Continued)
• Examples of secure protocols
– Secure Shell (SSH)
– Hypertext Transfer Protocol Secure (HTTPS)
– Simple Network Management Protocol
Version 3 (SNMPV3)
– Secure File Transfer Protocol (SFTP)
– Secure Copy Protocol (SCP)
Device Security (Continued)
• Examples of unsecure protocols
– Telnet
– Hypertext Transfer Protocol (HTTP)
– File Transfer Protocol (FTP)
– Remote Shell (RSH)
– Fibre Channel Protocol (FCP)
– Simple Network Management Protocol
Versions 1 and 2 (SNMPV1/2)
Passwords
• Are used to verify that the person attempting
to access a system is the person they claim
to be
• Should be complex enough to not be easily
guessed
• Should be renewed and changed periodically
• Should not use the same password for
everything
Encryption
• The process by which a mathematical
algorithm is run on a set of data to make it
unreadable to someone who does not know
the mathematical algorithm used to encode
it
– Private key encryption
– Public key encryption
• Network security through confidentiality and
integrity
Private Key Encryption
Public Key Encryption
Certificates
• Are certifications that a public key is valid
• Also called public key certificates or digital
certificates
• Identify owner of public key (holder)
• Contain actual public key
• Identify issuer of public key and digital
certificate (certificate authority)
• Public Key Infrastructure (PKI)
• Temporal Key Integrity Protocol (TKIP)
Authentication
• The process of verifying a user or computer
to be who or what they claim to be
• Includes:
– Multi-factor authentication
– Two-factor authentication
– Single sign-on
– More
Public Key Infrastructure (PKI)
• A set of people, policies, software, and
equipment needed to handle digital
certificates for various applications
– End user is person that wishes to use PKI
– Registration authority (RA) verifies that a specific
public key belongs to a specific end user
– Certificate authority (CA) issues digital certificate to
end user, sends information about certificate to a
validation authority (VA)
– VA verifies certificate when requested by ecommerce site or other online service
How PKI Works
Kerberos
• An authentication protocol that
authenticates clients over an unsecured
network, most commonly LANs
• Most commonly used by Windows-based
client/server networks
• Composed of an authentication service (AS),
a ticket granting service (TGS), and a
network services (NS)
How Kerberos Works in a Windows
Environment
Challenge-Handshake Authentication Protocol
(CHAP)
• An authentication method used by Point-toPoint Protocol (PPP) to verify the identity of a
client after a connection has been
successfully established
• Sends the challenge and response in clear
text
• Uses three-way handshake to maintain
security
How CHAP Works
Microsoft Challenge-Handshake
Authentication Protocol (MS-CHAP)
• Closely related to standard CHAP
• Designed to work with Microsoft OSs
• How MS-CHAP differs from CHAP
– Does not require authenticator to store a
clear text or reversible encryption secret
– Includes mechanisms for allowing retries and
changing passwords
– Returns failure codes to client if client failed
to authenticate on the authenticator
Extensible Authentication Protocol (EAP)
• An authentication protocol used primarily in
wireless communications
• Defines a wide variety of methods to
authenticate packets on a network
• WAP and WAP2 use EAP authentication
methods
802.11x
• A standard used to secure wireless LANs
(WLANs) that follow 802.11 standards
• Allows a user on a WLAN to be authenticated
by a central authentication authority
• Key components
– Supplicant
– Authenticator
– Authentication server
– Unauthorized state
How 802.11x Works
Authentication, Authorization, and Accounting
(AAA)
• Authentication: An identity verification process
• Authorization: A process that verifies an entity’s
permission to perform some activity or access
to a resource
• Accounting: Tracking network events
• Includes
– Remote Authentication Dial-In User Service
(RADIUS)
– Terminal Access Controller Access-Control
System Plus (TACACS+)
Network Access Control (NAC)
• Limits what a host, client, or device can do
on a proprietary network
• Includes authentication and additional
security assets
– Intrusion detection/prevention software
– Antivirus software
– Anti-spyware components
• Posture assessment
After an Attack Has Occurred
Mitigation
techniques
Incident
response
Mitigation Techniques
• Things that limit the impact of security
threats and/or breaches
– Training and awareness
– Patch management
Incident Response
• Assess the attack using networking tools
• Things to review after an attack
– How access was gained
– Whether attack was stopped before or after
imparting damage or suffering theft
– Point at which network was breached
– Determine what attacker was after or what
was stolen
– Action needed to avoid future attacks
Network Tools that Can Be Used for Good or
Bad
• Intrusion detection software (IDS)
• Intrusion prevention software (IPS)
• Packet sniffers
• Port scanners
• Key loggers
• Password capturing/cracking software
Intrusion Detection Software (IDS)
• Software able to detect an intruder has
broken into a network or computer
– Software firewall
– Different from traditional firewall
• Detects intruders through
– Intrusion database definitions
– Comparison of baseline to current activity
• Warns of suspected activity
Intrusion Prevention Software (IPS)
• An extension of IDS
• Capable of taking action against intruders
– Closes ports
– Blocks specific protocols
– Blocks suspiciously behaving IP addresses
• Modern IDSs are a combination IDS/IPS
Packet Sniffers (Packet Analyzers)
• Programs designed to capture and analyze
network packets
• Visible data
– Source and destination logical addresses
– Source and destination MAC addresses
– Protocols to transport data
– Kind and type of data transported
• Results used to detect and take action
against intruders
Port Scanners
• Programs designed to search for port
addresses that are open but not in use
• Network administrators search for ports to
be closed
• Hackers search ports that can be exploited
Key Loggers
• Software programs or hardware devices
loaded or plugged into a computer to record
the keystrokes typed into the keyboard
– Useful tool to troubleshoot data entry
mistakes
– Hackers use to determine usernames and
passwords
– Parents use to monitor kids’ activities
Password Capturing/Cracking Software
• Password capturing is used to capture
passwords
– Differs from key loggers by capturing
encrypted usernames or passwords
• Password cracking software is designed to
take a captured password and decrypt it
– Dictionary attack on password wordlists
– Brute force attack with continuing
substitution of letters, numbers, and special
characters
Summary
• Network security considerations should
address ways to recognize, combat, and
prevent attacks
• Social networking includes tricking a person
into revealing important information through
phishing, stealing passwords, identity theft,
and dumpster diving
• Malicious software such as spyware, viruses,
worms, and Trojans may be used against a
company or person
Summary (Continued)
• Threats from attackers are undertaken
through social engineering, Denial of Service
(DoS) and Distributed Denial of Service
(DDoS) threats, Smurf attacks, buffer
overflows, man-in-the-middle attacks, packet
sniffing, and FTP bouncing
• Wireless threats include war driving,
warchalking, WEP cracking, WPA cracking,
and exploiting rogue access points
Summary (Continued)
• Effective methods to counter basic security
threats integrate device security, passwords,
encryption, valid certificates, and
authentication
• Network access control limits access to a
proprietary network through authentication
and additional security assets to develop
and continually refine a posture assessment
Summary (Continued)
• Mitigation techniques and incident
responses are to be launched after an
attack has occurred
• Network tools include IDSs, IPSs, packet
sniffers, port scanners, key loggers, and
password capturing/cracking software