Page 1: deiep

1/14/15

1

ETHICAL HACKING AND INTRUSION DETECTION/FORENSICS

Instructor: Dr. Avinash Srinivasan

Chapter Objectives
• Identify
  ◦ components of TCP/IP computer networking
  ◦ fundamentals of security policies
  ◦ essential terminology associated with ethical hacking
• Understand
  ◦ basic elements of information security
  ◦ incident management steps
• Define
  ◦ ethical hacker and classifications of hackers
  ◦ five stages of ethical hacking
  ◦ types of system attacks


Lecture Outline
• Fundamentals of TCP/IP Networks
• Fundamentals of Information Security
• Ethical Hacking Basics and Terminology
• System Attacks - Taxonomy
• Cyber Crime Laws
  ◦ U.S. Federal Laws
  ◦ International Laws


Networking 101


• OSI Reference Model
  ◦ 7 layers
• TCP/IP Model
  ◦ 4 layers


TRANSPORT LAYER


Overview


• At the transport layer, two methods of data transfer are available:
  1. Connectionless – UDP
  2. Connection-oriented – TCP


TCP vs UDP


UDP Header


TCP Header


TCP 3-way Handshake


3-way Handshake PCAP file


NETWORK LAYER


IPv4 Header


Minimum length = 20 bytes
Maximum length = 60 bytes

IPv6 Header


LINK LAYER


Ethernet Frame Format


Ethernet Frames in Transit


End-to-End Communication


[Figure: Application/User Data Encapsulation – at the sender, the message is split into segments Seg-1, Seg-2 … Seg-n; each segment gets a header and becomes Packet-1, Packet-2 … Packet-n; the receiver strips the headers and reassembles Seg-1 … Seg-n into the message]

Application/User Data Encapsulation
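An added example (not from the lecture) of the encapsulation shown above, tied to the IPv4 header sizes on the previous slide: an application message is wrapped in a UDP segment, then in an IPv4 header whose IHL field is checked to stay within 20–60 bytes, and the receiver validates the header (version, IHL, total length, checksum) before decapsulating. Addresses and ports are constructed placeholders.

```python
import struct

# Constructed sample values (not from the lecture): RFC 5737 documentation addresses.
SRC_IP, DST_IP = "192.0.2.1", "192.0.2.2"
SRC_PORT, DST_PORT = 40000, 53

def ip_to_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))

def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement checksum used by the IPv4 header (RFC 791)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_udp_segment(payload: bytes) -> bytes:
    """Transport layer: 8-byte UDP header (checksum 0 = not computed, allowed over IPv4)."""
    return struct.pack("!HHHH", SRC_PORT, DST_PORT, 8 + len(payload), 0) + payload

def build_ipv4_packet(segment: bytes, options: bytes = b"") -> bytes:
    """Network layer: prepend an IPv4 header. IHL counts 32-bit words, so the header
    is 20 bytes without options and at most 60 bytes (IHL = 15)."""
    if len(options) % 4 or len(options) > 40:
        raise ValueError("options must be a multiple of 4 bytes, at most 40")
    ihl = 5 + len(options) // 4
    header = struct.pack("!BBHHHBBH4s4s",
                         (4 << 4) | ihl, 0, ihl * 4 + len(segment),  # ver/IHL, TOS, total length
                         0x1234, 0x4000, 64, 17, 0,  # ID, DF flag, TTL, proto 17 = UDP, checksum 0
                         ip_to_bytes(SRC_IP), ip_to_bytes(DST_IP)) + options
    checksum = ones_complement_sum(header)  # computed over the header with checksum = 0
    return header[:10] + struct.pack("!H", checksum) + header[12:] + segment

def parse_ipv4(packet: bytes) -> dict:
    """Receiver side: validate every header field before trusting it."""
    if len(packet) < 20:
        raise ValueError("truncated: an IPv4 header is at least 20 bytes")
    version, header_len = packet[0] >> 4, (packet[0] & 0x0F) * 4
    if version != 4 or not 20 <= header_len <= 60:
        raise ValueError(f"bad version/IHL: version={version} header_len={header_len}")
    total_len = struct.unpack("!H", packet[2:4])[0]
    if not header_len <= total_len <= len(packet):
        raise ValueError("total length inconsistent with the bytes received")
    if ones_complement_sum(packet[:header_len]) != 0:  # a valid header sums to zero
        raise ValueError("header checksum mismatch")
    return {"header_len": header_len, "proto": packet[9],
            "src": ".".join(map(str, packet[12:16])),
            "dst": ".".join(map(str, packet[16:20])),
            "segment": packet[header_len:total_len]}

def header_is_valid(packet: bytes) -> bool:
    """Convenience wrapper: True when parse_ipv4 accepts the packet."""
    try:
        parse_ipv4(packet)
        return True
    except ValueError:
        return False

def decapsulate_udp(segment: bytes) -> tuple:
    """Receiver transport layer: strip the UDP header after checking its length."""
    sport, dport, length, _ = struct.unpack("!HHHH", segment[:8])
    if length != len(segment):
        raise ValueError("UDP length mismatch")
    return sport, dport, segment[8:]
```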


Information Security 101
Information Security Concepts


Security – Functionality – Ease of Use Triangle


• The more secure something gets, the less usable and functional it becomes.
• Want to completely secure a computer?
  ◦ Leave it in the box and never turn it on…
• Want to make the system easy for anyone and everyone to use?
  ◦ Be prepared for the inevitable security breach


Objective
• Start in the middle of the triangle –
  ◦ If you move the point toward Security
    – you move away from Functionality and Ease-of-Use
  ◦ If you move the point toward Ease-of-Use
    – you move away from Security and Functionality


Axiom: as security increases, the system’s functionality and ease of use decrease


ELEMENTS OF RISK
Risk Analysis and Mitigation


• Goal: Identify what risks are present, quantify them on a measurement scale, and come up with solutions to:
  ◦ mitigate, eliminate, or accept the risks.
• To fully accomplish the goal:
  ◦ be aware of the three basic elements of risk
    – asset, threat, and vulnerability
• Combine them with:
  ◦ probability of an attack + what would be the impact of a successful attack
  ◦ identify the associated risks as high, medium, and low.


Risk Analysis Matrix – Example


Terminology
• Asset is an item of economic value owned by an organization or an individual.
• Threat
  ◦ any agent, circumstance, or situation that could cause harm or loss to an IT asset.
  ◦ Two broad classes – Human and Natural
• Vulnerability is any weakness, such as a software flaw or logic design, that could be exploited by a threat to cause damage to an asset.


Security Controls
1. Preventive
  ◦ Example: smartcard for authentication, encryption, etc.
2. Detective
  ◦ Example: alarm bells for unauthorized access to a physical location, alerts on unauthorized access to resources, and audits.
3. Corrective
  ◦ Example: designed for swift recovery – backups and restore options.


Security Controls
1. Physical
  ◦ Example: guards, lights, cameras, etc.
2. Technical
  ◦ Example: encryption, smartcards, and access control lists.
3. Administrative
  ◦ Example: training, awareness, and policy.


Security Triad
• Three most widely accepted requirements of Information Systems security:
  1. Confidentiality (C)
  2. Integrity (I)
  3. Availability (A)
• Known as the CIA of Security or Security Triad
• CIA – constitute the hallmarks of security we strive for


Security Triad
[Figure: the CIA triad – Confidentiality (C), Integrity (I) and Availability (A) around Data & Services]


Confidentiality
• Measures taken to prevent the disclosure of information or data to unauthorized individuals or systems
• Most common method to enforce confidentiality:
  ◦ user ID + password based authentication – however applicable only to data at rest.


Confidentiality
• Usefulness of login credentials – user ID + password:
  ◦ helps in confidentiality preservation
• If another user accesses your login credentials (user ID + password) – leads to confidentiality breach
• Impact of confidentiality breach
  1. Unauthorized access to resources
  2. Attacker could masquerade as you throughout the session


Confidentiality
• Various other enhanced security measures used for providing confidentiality include:
  1. Encryption – data-in-transit, data-at-rest
  2. Biometrics – data-at-rest
  3. Smart Cards – data-at-rest


Integrity
• Refers to methods & actions taken to protect information from unauthorized alteration:
  ◦ Applies to both data-at-rest and data-in-transit
• Purpose of Integrity measures
  ◦ ensure data sent by sender arrives at the receiver without any alteration.


Integrity
• Example:
  ◦ Buying agent sends e-mail to customer with an offer price of $300
  ◦ Attacker alters offer price (in-transit) to $3,000
    – integrity breach (security failure)
• Most common method to enforce Integrity:
  ◦ through the use of a hash
    – e.g., MD5, SHA1, SHA2, etc.
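An added example (not from the lecture) replaying the $300 → $3,000 alteration above. It goes one step beyond the slide: a plain hash detects the change only if the attacker cannot also replace the hash, so the same scenario is run with a keyed HMAC, whose shared key is an assumption agreed out of band.

```python
import hashlib
import hmac

# Constructed sample following the lecture's scenario; the key is an assumption
# (agreed out of band between sender and receiver, never sent with the message).
ORIGINAL = b"Offer price: $300"
TAMPERED = b"Offer price: $3,000"
SHARED_KEY = b"example-shared-key-not-for-production"

def digest(message: bytes) -> str:
    """Unkeyed SHA-256 hash, the 'hash' integrity method named in the lecture."""
    return hashlib.sha256(message).hexdigest()

def verify_digest(message: bytes, expected: str) -> bool:
    return hmac.compare_digest(digest(message), expected)

def tag(message: bytes, key: bytes) -> str:
    """Keyed HMAC-SHA256: only holders of the key can produce a valid tag."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()

def verify_tag(message: bytes, key: bytes, expected: str) -> bool:
    return hmac.compare_digest(tag(message, key), expected)

def scenario() -> dict:
    """Replay the in-transit alteration ($300 -> $3,000) under both schemes."""
    sent_digest = digest(ORIGINAL)
    sent_tag = tag(ORIGINAL, SHARED_KEY)
    return {
        # Receiver compares the altered message with the sender's digest: caught.
        "hash_detects_alteration": not verify_digest(TAMPERED, sent_digest),
        # An attacker who can rewrite the message can also rewrite an unkeyed hash,
        # so the receiver sees a 'valid' digest on the altered message.
        "hash_fooled_if_attacker_recomputes": verify_digest(TAMPERED, digest(TAMPERED)),
        # Without the key the attacker cannot forge a tag for the altered text;
        # reusing the old tag or attaching a plain hash both fail.
        "hmac_detects_alteration": not verify_tag(TAMPERED, SHARED_KEY, sent_tag),
        "hmac_rejects_unkeyed_hash": not verify_tag(TAMPERED, SHARED_KEY, digest(TAMPERED)),
        "hmac_accepts_original": verify_tag(ORIGINAL, SHARED_KEY, sent_tag),
    }
```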


Availability
• Refers to the communications systems (resources) and data being ready for use when legitimate users need them.
• Many methods are used to ensure availability:
  ◦ Method used depends on the element under consideration:
    1. System
    2. Network resource
    3. Data


Availability
• All methods attempt to ensure one thing:
  ◦ when a system or data is needed, it can be accessed by appropriate personnel.
• Note: All availability attacks fall under Denial-of-Service (DoS)


Denial of Service (DoS) Attack
• Attack against Availability
• Designed to prevent legitimate users from having access to a computer resource or service
• DoS can take many forms –
  1. Consume all available bandwidth
  2. Destroy authentication methods
  3. Unplug the system/hardware
  4. Unsuccessful login attempts
    – with incorrect credentials – locks user account


Additional Concepts:
1. Authenticity: security requirement verifying that –
  ◦ users are who they say they are
  ◦ each input arriving came from a trusted source
2. Accountability
  ◦ Security goal that generates the requirement for actions of an entity to be traced uniquely to that entity
  ◦ Supports:
    – nonrepudiation, deterrence, fault isolation, IDS/IPS, and recovery & legal action


ACCESS CONTROL SYSTEMS


• National Computer Security Center (NCSC): DoD worked with NSA in 1983 for protection of information (government information).
• This group created all sorts of security manuals and steps, and published them in a book series known as the “Rainbow Series.”
• Orange Book: The centerpiece of the above effort, which held something known as the Trusted Computer System Evaluation Criteria (TCSEC).


TCSEC – A DoD Standard
• Goal – sets basic requirements for testing the effectiveness of computer security controls built into a computer system.
• Idea – if a computer system (network) was going to handle classified information, it needed to comply with basic security settings. TCSEC defined how to assess whether these controls were in place, and how well they worked.
• The settings, evaluations and notices in the Orange Book survived all the way up to 2005.


Common Criteria (CC)

• TCSEC replaced by Common Criteria for Info. Technology Security Evaluation (aka Common Criteria, or CC).
• Designed to provide assurance –
  ◦ system is designed, implemented, and tested according to a specific security level.
  ◦ basis for Gov. certifications; usually tested for US Gov. agencies.


CC (cont.)
• Evaluation Assurance Level (EAL) –
  ◦ controls and testing procedures a vendor follows for the tools, applications, or computer systems about which they wish to make a security declaration.
  ◦ Has seven levels (1–7)

ACCESS CONTROL IMPLEMENTATIONS


Mandatory Access Control (MAC)
• security policy is controlled by a security administrator.
• users can’t set access controls themselves.
• OS restricts the ability of an entity.
• Example:
  ◦ when an entity (process) attempts to access or alter an object (files, ports, etc.), if appropriate security attributes are in place, then the action is allowed.


Discretionary Access Control (DAC)
• allows users to set access controls on the resources they own or control.
• a means of restricting access to objects based on the identity of subjects and/or groups to which they belong.
• Example:
  ◦ NTFS permissions in Windows machines and Unix use of users, groups, and read-write-execute permissions.
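An added example (not from the lecture) contrasting the MAC and DAC slides above: DAC is modelled with Unix owner/group/other read-write-execute bits that the owner may change, MAC with an administrator-assigned sensitivity label the owner cannot touch. The MAC rule used (no reading above one's clearance, no writing below it) is an assumption in the Bell-LaPadula style, chosen to show why an owner's chmod cannot override the administrator's policy.

```python
from dataclasses import dataclass

R, W, X = 4, 2, 1  # Unix permission bits (read, write, execute)

@dataclass
class Subject:
    uid: int
    gids: frozenset
    clearance: int = 0  # MAC label, assigned by the security administrator

@dataclass
class Resource:
    owner: int
    group: int
    mode: int           # e.g. 0o640 = rw-r-----, chosen by the owner (DAC)
    level: int = 0      # MAC sensitivity label; no user can change it

def dac_allows(subj: Subject, res: Resource, want: int) -> bool:
    """DAC as in Unix/NTFS: the owner-set bits decide, by owner / group / other class."""
    if subj.uid == res.owner:
        bits = (res.mode >> 6) & 7
    elif res.group in subj.gids:
        bits = (res.mode >> 3) & 7
    else:
        bits = res.mode & 7
    return bits & want == want

def mac_allows(subj: Subject, res: Resource, want: int) -> bool:
    """MAC: a fixed administrator policy the subject cannot override. The rule here is
    an assumption (Bell-LaPadula style): no reading above your clearance, no writing below it."""
    if want & R and subj.clearance < res.level:
        return False
    if want & W and subj.clearance > res.level:
        return False
    return True

def access(subj: Subject, res: Resource, want: int, mac_enforced: bool) -> bool:
    """With MAC enforced, both the administrator's policy and the owner's bits must agree."""
    return dac_allows(subj, res, want) and (not mac_enforced or mac_allows(subj, res, want))

def chmod(subj: Subject, res: Resource, new_mode: int) -> None:
    """DAC lets the owner loosen or tighten the bits; the MAC label stays untouched."""
    if subj.uid != res.owner:
        raise PermissionError("only the owner may change DAC permissions")
    res.mode = new_mode

def demo() -> dict:
    """Constructed scenario: a file owner tries to share a high-sensitivity report."""
    owner = Subject(uid=1000, gids=frozenset({1000}), clearance=2)
    intern = Subject(uid=1001, gids=frozenset({1001}), clearance=0)
    report = Resource(owner=1000, group=1000, mode=0o640, level=2)
    before = access(intern, report, R, mac_enforced=True)    # 'other' bits grant nothing
    chmod(owner, report, 0o644)                               # owner makes it world-readable
    dac_only = access(intern, report, R, mac_enforced=False)  # DAC alone now allows the read
    with_mac = access(intern, report, R, mac_enforced=True)   # label still blocks it
    return {"before": before, "dac_only": dac_only, "with_mac": with_mac}
```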


Security Policies
1. Information Security Policy
2. Information Protection Policy
3. Password Policy
4. E-mail Policy
5. Information Audit Policy


INTRODUCTION TO ETHICAL HACKING

The term “Ethical Hacking” was first coined by IBM


Who needs Ethical Hackers?
• Companies and government agencies ask for penetration tests for different reasons. Below are a few such reasons:
  1. Accreditation Requirement:
    – Sometimes rules and regulations force the issue.
    – Example: HIPAA
  2. Security Conscious Leadership:
    – Wants to know just how well existing security controls are functioning.
  3. After-the-fact Requirement:
    – effort to rebuild trust and reputation after a security breach has already occurred.


EC-Council Definition
• Ethical Hacker helps an organization take pre-emptive measures against malicious attacks by attacking the system himself.
• Ethical Hacker always stays within legal limits.


Renowned Ethical Hackers
• Mark Abene
• Eric Corley
• Przemysław Frasunek
• Raphael Gray
• Kevin Mitnick
• Robert Tappan Morris
• Kevin Poulsen

Source: https://en.wikipedia.org/wiki/White_hat_(computer_security)


Hacker Classification White – Gray – Black


• Hackers are classified into three groups based on their intent.
  1. Black Hat:
    ◦ Non-ethical hackers with malicious intentions
  2. White Hat:
    ◦ Ethical hackers with good intentions + permission to hack
  3. Gray Hat:
    ◦ Hackers that can flip-flop between black & white hat
    ◦ Don’t have owner’s approval at any point in time
    ◦ Often feel a compelling social responsibility


Contract/Agreement


Owner Consent & Ethical Hacking

• Always work within the confines of an agreement made with a client.
• Client may restrict the types of attacks you can run:
  ◦ Example:
    – Password hacks may be OK
    – DoS may not be OK


Owner Consent & Ethical Hacking

• Agreement is: a carefully laid-out plan, meticulously arranged, and documented to protect both the EH and the client.
• Agreement isn’t: a smile, a conversation, and a handshake just before you flip open a laptop and start hacking away.


BIG BIG NO


Attack Types
• Once the EH is engaged, several different categories or labels are placed on the actual type of attack being used.
• EC-Council broadly defines attacks in four categories:
  1. Operating system attacks
  2. Application-level attacks
  3. Shrink-wrap code attacks
  4. Misconfiguration attacks


Operating System Attacks
• Target common mistakes users make when installing an OS – accepting default settings and configurations.
  ◦ Example:
    – administrator accounts with no passwords
    – all ports left open
    – guest accounts enabled/created …
• OSs are never released fully secure – hackers benefit
  ◦ potential for an old vulnerability in a newly installed OS.


Application Level Attacks
• Attacks on the actual programming code of an application.
• Users secure their OS and network – but a vast majority often overlook the apps they are running.
• Many apps aren’t tested for vulnerabilities as part of their creation – can have vulnerabilities built into them.
• Vulnerable apps on a network are a goldmine for most hackers.


Shrink-wrap Code Attacks
• Take advantage of the built-in code and scripts which most “off-the-shelf” applications come with.
• Scripts and code pieces are designed to make installation and administration easier.
• The same scripts and code pieces can lead to vulnerabilities if not managed appropriately.


Misconfiguration Attacks
• Take advantage of systems that are – on purpose or by accident – not configured appropriately for security.
• Take advantage of the admin who simply wants to make things as easy as possible for the users:
  ◦ Leaves security settings at the lowest possible level
  ◦ Enables every service
  ◦ Opens all firewall ports
• Note: It’s certainly easier for the users, but creates a goldmine for the hacker.


Ethical Hacking Phases
• Once an Ethical Hacker is within the assessment phase of the pen test – it’s time to begin the actual attack – the Ethical Hack.
• There are many different terms for these phases, and EC-Council has defined the standard hack as having five separate phases.
• Irrespective of the attacker’s intentions – ethical (White Hat) or malicious (Black Hat) – these five phases capture the full breadth of the attack.


Ethical Hacking Phases
[Figure: the five phases – Reconnaissance, Scanning & Enumeration, Gaining Access, Maintaining Access, Covering Tracks – with Escalation of Privilege also shown]

RECONNAISSANCE (RECON) – PHASE 1


Overview
• The most difficult phase to understand
• Steps taken to gather evidence and information on the targets you wish to attack
• Can be classified into:
  1. Passive reconnaissance
  2. Active reconnaissance


• Passive reconnaissance
  – gathering information about your target without their knowledge.
  – Example:
    ◦ simply watch the outside of the building to see what physical security measures are in place.
    ◦ Search information about the target on the Internet.
• Active reconnaissance
  – uses tools and techniques that may or may not be discovered.
  – puts your activities at greater risk of discovery.
  – Example:
    ◦ walk up to the entrance or guard shack and try to open the door (or gate).
    ◦ Make DNS queries.

SCANNING & ENUMERATION – PHASE 2


• Use recon information (phase 1) and actively apply tools and techniques to gather more in-depth information on the targets.
• Example:
  ◦ Can be as simple as running a ping sweep or a network mapper to see what systems are on the network.
  ◦ Can also be as complex as running a vulnerability scanner to determine which ports may be open on a particular system.


GAINING ACCESS – PHASE 3


• Attack targets enumerated during the scanning & enumeration phase (phase 2).
• Example:
  ◦ Can be as simple as accessing an open and non-secured wireless AP and later manipulating it for other purposes, OR
  ◦ Can be as complex as writing and delivering a buffer overflow or SQL injection against a web application.


MAINTAINING ACCESS – PHASE 4


• This phase is the hackers’ attempt to ensure they have a way back into the already compromised machine or system.
• Back doors are left open by the attacker for future use – especially if:
  ◦ system in question has been turned into a zombie and/or
  ◦ system is used for further information gathering
    – Ex: sniffer placed on a compromised machine to watch traffic on a specific subnet.
• Access can also be maintained through the use of Trojans, rootkits, or a number of other methods.


COVERING TRACKS – PHASE 5


• Attackers attempt to conceal their success and avoid detection by security professionals.
• Steps taken here include but are not limited to:
  1. removing or altering log files – aka log scrubbing
  2. hiding files with hidden attributes or directories
  3. using tunneling protocols to communicate with the system


• Auditing turned on:
  ◦ Log files are an indicator of attacks on a machine
  ◦ Clearing log files completely is just as big an indicator of spurious activity
  ◦ Selective editing of log files is your best bet
  ◦ Another great method – simply corrupt the log file
• Phase 5 truly defines a good pen tester.


Penetration Testing
• Ethical Hacking and Pen Testing are often used either in combination and/or interchangeably
• We will treat the two independently
• Pen Test: is a clearly defined, full-scale test of the security controls of a system or a network in order to identify the security risks and vulnerabilities.
• Pen Test has three major phases (remember it as PAC)
  ◦ Preparation
  ◦ Assessment
  ◦ Conclusion


PEN TEST PHASES


1. Preparation phase:
  ◦ time period during which the actual contract is hammered out.
  ◦ scope of the test, types of attacks allowed, and individuals assigned to perform the activity are all agreed upon in this phase.
2. Assessment phase:
  ◦ aka the security evaluation phase
  ◦ actual assaults on security controls happen during this phase.


3. Conclusion (or post-assessment) phase:
  ◦ time when final reports are prepared for the customer
  ◦ reports include details of test findings including types of tests performed
  ◦ at times even provides recommendations to improve security for the customer.


Ethical Hacking Testing Types
1. Black Box
2. White Box
3. Grey Box


Black Box Testing
• EH has absolutely no knowledge of the Target of Evaluation (TOE)
• Designed to simulate an unknown, outside attacker
• Most time consuming and the most expensive
• Drawback: focuses solely on the threat outside the organization; does not take into account any trusted users on the inside – insider threat.


White Box Testing
• Exact opposite of black box testing
• EH has complete knowledge of the TOE
• Process is easier, quicker and cheaper
• Designed to simulate a knowledgeable internal threat


Grey Box Testing
• Also known as partial knowledge testing
• Different from black box testing in the assumed level of elevated privileges the tester has
• Assumes only that the attacker is an insider


Computer and Cyber Crime
• All computer crimes fall into one of two major categories:
  1. Crimes where a computer or network was used in the commission of a crime
  2. Crimes where the computer or network itself was the target of the crime


U.S. CYBER CRIME LAWS


• Hacking specifically is addressed under the law in “United States Code Title 18: Crimes and Criminal Procedure, Part I: Crimes, Chapter 47: Fraud and False Statements, 1029 and 1030.”
• Other regulations and laws are also described in this section.


• Section 1029: “Fraud and related activity in connection with access devices,”
  ◦ Has several subsections and statutes defined.
  ◦ Gives the U.S. government authority to prosecute criminals who traffic in, or use, counterfeit access devices.
  ◦ Criminalizes the misuse of credentials – passwords, PIN numbers, token cards, credit card numbers, and the like.
  ◦ Creating or selling devices that fake credentials, or trafficking the credentials created by the fake machines – punishable under the law.


• The SPY Act (2007) – Securely Protect Yourself Against Cyber Trespass
• Freedom of Information Act (FoIA) & the Privacy Act of 1974
• Federal Information Security Management Act – FISMA
• USA PATRIOT Act of 2001: Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism.


More US Cyber Crime Laws


INTERNATIONAL CYBER CRIME LAWS


• Cyber Crime Law in Mexico Section 30-45-5:
  ◦ Unauthorized computer use
• Cyber Crime Law in Brazil Art. 313-A:
  ◦ Entry of false data into the information system.
  ◦ Art. 313-B: Unauthorized modification or alteration of the information system
• Cyber Crime Law in Canada
  ◦ Canadian Criminal Code Section 342.1
• Cyber Crime Law in the United Kingdom
  ◦ Computer Misuse Act 1990 and Police and Justice Act 2006


• Cyber Crime Law in Europe Section 1:
  ◦ Substantive Criminal Law
• Cyber Crime Law in France Chapter III:
  ◦ Attacks on Systems for Automated Data Processing, Article 323-1 and Article 323-2
• Cyber Crime Law in Australia
  ◦ The Cybercrime Act 2001
• Cyber Crime Law in India
  ◦ The Information Technology Act, 2000
• Cyber Crime Law in Japan
  ◦ Law No. 128 of 1999


• Cyber Crime Law in Singapore Chapter 50A:
  ◦ Computer Misuse Act
• Cyber Crime Laws in Korea Chapter VI:
  ◦ Stability of the Information and Communications Network: Article 48, Article 49, and Chapter IX Penal Provisions: Article 61
• Cyber Crime Law in Malaysia
  ◦ Computer Crimes Act 1997


Summary

• In this chapter you learned about
  ◦ Basic elements of information security – CIA
  ◦ Relationship among security, functionality, ease of use
  ◦ Hacker classification and terminology
  ◦ Three stages of pen testing
  ◦ Five stages of ethical hacking
  ◦ Types of system attacks
  ◦ U.S. federal laws related to cyber crime
  ◦ Various international laws related to cyber crime


Questions?
Floor open for discussions
