Module 03: Introduction to Computer Security and Information Assurance (slide transcript)
Module 03: 1
Introduction to Computer Security and Information Assurance
Objectives
• Recognize that voice and data systems use the same communications networks
• Describe the components of a typical network
• Describe countermeasures for network-related threats
Module 03: 2
Objectives
• Describe the concept of “defense-in-depth”
• Identify technologies used to apply countermeasures for network-related threats
• Identify components that comprise wireless networks
• Identify threats related to wireless technologies
• Identify countermeasures for wireless-related threats
Module 03: 3
Communication Networks
• History
  – Moving ideas
  – Electric communication
  – Circuit switching
Module 03: 4
Voice Communications
• Public Switched Telephone Network (PSTN)
Network Scanning: Finding Active Machines
• An organization has a range of IP addresses assigned to it
  – May not use them all
• Ping sweep finds IP addresses in use
  – Ping utility designed to determine whether a remote system is active
Module 03: 26
Ping Sweep
• Using ping, an attacker sends ICMP echo requests to a range of addresses
  – Every functional system responds with an echo reply
• Provides a list of potential targets
Module 03: 27
Ping Sweep (diagram): Echo Requests go from the attacker to 10.1.1.9, 10.1.1.10 and 10.1.1.11 (the target list); 10.1.1.9 and 10.1.1.11 are unused addresses, and only 10.1.1.10 returns an Echo Reply.
Module 03: 28
Ping
Module 03: 29
Activity 03.1: Perform Ping Sweep Using nmap
• Purpose:
  – In this activity, you will perform a scan in the form of a ping sweep. This will familiarize you with one of the most common techniques to gather information about a target environment.
• Estimated completion time:
  – 10 – 15 minutes
Module 03: 30
Activity 03.1: Perform Ping Sweep Using nmap
What did we detect?
Is this a useful tool?
  – From an attacker’s perspective
  – From an administrator’s perspective
Module 03: 31
Port Scanning
• Checks a computer for open ports
  – 65,535 possible ports
    • 1-1,023 are considered “well-known”
    • 1,024-49,151 are called “registered ports”
    • 49,152-65,535 are dynamic or private ports
Module 03: 32
Some Well-Known Ports
Port #   Network Service
20       File Transfer Protocol (FTP) Data
21       File Transfer Protocol (FTP) Control
23       Telnet
25       Simple Mail Transfer Protocol (SMTP)
53       Domain Name Server (DNS)
79       Finger
80       World Wide Web (HTTP)
110      Post Office Protocol – Version 3
443      HTTPS
Module 03: 33
How Port Scanning Works (diagram): the attacker probes ports 79, 80, 81 and 82 on a web server; port 80 answers, so the attacker's services list records HTTP on port 80.
Module 03: 34
Activity 03.2: Perform Port Scanning Using Different Tools
• Purposes:
  – In this activity, you will perform port scans using different scanning tools. This will familiarize you with one of the most common techniques to gather information about a target environment, and let you learn the efficacy of various tools.
• Estimated completion time:
  – 50 – 55 minutes
Module 03: 35
Activity 03.2: Perform Port Scanning Using Different Tools
What were the results of our port scanning tests?
  – What did they mean?
Would this be helpful for an attacker?
Would this be helpful for an administrator?
Module 03: 36
Sniffing
• Monitoring traffic flow across a network
  – Pull all packets
  – Be selective
    • Only grab packets to and from certain addresses
    • Only grab packets carrying a certain type of traffic
• Needs to view all traffic on the network
  – On internal network
  – On main connection into/out of a network
Module 03: 37
Denial of Service (DoS)
• Degrade and prevent operations/functionality
• Distributed denial of service (DDoS) attack uses multiple attack machines simultaneously
Module 03: 38
Ping Flood / Ping of Death
• Ping flood
  – Too much ping traffic drowns out all other communication
• Ping of Death
  – Oversized or malformed ICMP packets cause the target to reboot or crash
    • Hosts can’t handle packets over the maximum of 65,535 bytes
    • Causes a type of buffer overflow
Module 03: 39
Smurf Attack
• Large stream of spoofed ping packets sent to a broadcast address
• Source address listed as the target’s IP address (spoofed)
• Broadcast host relays the request to all hosts on the network
• Hosts reply to the victim with ping responses
• If multiple requests are sent to the broadcast host, the target gets overloaded with replies
Module 03: 40
Smurf Attack (ICMP Flooding) (diagram): the attacker sends a ping broadcast request whose source address is spoofed to the victim's; the broadcast host relays it as multiple ping requests to every host, and the multiple ping replies converge on the victim, leaving the system or network overloaded.
Module 03: 41
SYN Flooding
• Exploits the synchronization protocol used to initiate connections
• Subverts the normal process
  – In the customary “three-way handshake”:
    • Initiator sends a synchronization (SYN) packet
    • Target replies with a SYN/ACK (acknowledgement)
    • Initiator sends ACK
    • Machines are now ready to communicate
  – In SYN flooding, the attacker sends SYN packets, but no ACK
    • Target replies with SYN/ACK
    • Target waits for ACK, eventually gives up
    • If enough SYNs are received, communication capacity will deplete
Module 03: 42
SYN Flooding (diagram): the normal handshake is 1. SYN, 2. SYN-ACK, 3. ACK. In a SYN flood the attacker repeats 1. SYN and the target answers each with 2. SYN-ACK, but the 3. ACK never arrives, so the target is left waiting on every connection.
Module 03: 43
DDoS With Zombies/Botnet
Module 03: 44
Man-In-The-Middle Attacks
• Instead of shutting down target networks, attackers may want access
• Types of attacks
  – Eavesdropping
  – Session hijacking
Module 03: 45
Network Attack Countermeasures
• Discussion: countering the threats
  – Scans/Sniffing/Ping sweeps
  – DoS/DDoS
    • Ping of Death
    • SYN flood
    • Smurf attack
  – Others
    • Session hijacking
    • Eavesdropping
Module 03: 46
Ways To Recognize Scanning
• System log file analysis
• Network traffic
• Firewall and router logs
• Intrusion Detection Systems (IDSs)
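As an added example (not part of the slides), the following Python detector applies the "firewall and router logs" approach to a constructed set of log lines: it flags a ping sweep when one source sends ICMP echo requests to many distinct hosts within a short window, and a port scan when one source sends SYNs to many distinct ports on one host. The log format, the window and the thresholds are assumptions chosen for the demonstration, not taken from the slides or any real device.

```python
import re
from collections import defaultdict

# Constructed firewall-style log lines (not from a real device): "<epoch> <proto> <src> -> <dst>[:<dport>] <flags>"
SAMPLE_LOG = """\
1000 ICMP 10.1.1.50 -> 10.1.1.9 type=8
1001 ICMP 10.1.1.50 -> 10.1.1.10 type=8
1002 ICMP 10.1.1.50 -> 10.1.1.11 type=8
1003 ICMP 10.1.1.50 -> 10.1.1.12 type=8
1004 ICMP 10.1.1.50 -> 10.1.1.13 type=8
1010 TCP 10.1.1.50 -> 10.1.1.10:79 SYN
1010 TCP 10.1.1.50 -> 10.1.1.10:80 SYN
1011 TCP 10.1.1.50 -> 10.1.1.10:81 SYN
1011 TCP 10.1.1.50 -> 10.1.1.10:82 SYN
1100 TCP 10.1.1.20 -> 10.1.1.10:80 SYN
1200 ICMP 10.1.1.20 -> 10.1.1.10 type=8
"""
LINE_RE = re.compile(r"^(\d+) (ICMP|TCP) (\S+) -> (\S+?)(?::(\d+))? (.*)$")

def parse_line(line):
    # Returns a dict for a well-formed line, None for anything else
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, proto, src, dst, dport, flags = m.groups()
    return {"ts": int(ts), "proto": proto, "src": src, "dst": dst,
            "dport": int(dport) if dport else None, "flags": flags}

def detect_scans(log_text, window=60, host_threshold=5, port_threshold=4):
    """Flag a ping sweep (one source echo-requesting many distinct hosts) and a
    port scan (one source SYN-probing many ports on one host) per fixed window."""
    echo_dsts = defaultdict(set)   # (src, bucket) -> hosts sent an echo request
    syn_ports = defaultdict(set)   # (src, dst, bucket) -> TCP ports probed
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is None:
            continue
        bucket = e["ts"] // window      # fixed time window the event falls in
        if e["proto"] == "ICMP" and "type=8" in e["flags"]:   # type 8 = echo request
            echo_dsts[(e["src"], bucket)].add(e["dst"])
        elif e["proto"] == "TCP" and "SYN" in e["flags"]:
            syn_ports[(e["src"], e["dst"], bucket)].add(e["dport"])
    alerts = []
    for (src, _), hosts in echo_dsts.items():
        if len(hosts) >= host_threshold:
            alerts.append(("ping_sweep", src, len(hosts)))
    for (src, dst, _), ports in syn_ports.items():
        if len(ports) >= port_threshold:
            alerts.append(("port_scan", src, dst, len(ports)))
    return sorted(alerts)
```

On the sample, 10.1.1.50 is flagged for both behaviours while the single SYN and single ping from 10.1.1.20 stay below threshold; on a real network the thresholds must be tuned against monitoring hosts that legitimately poll many addresses.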
Module 03: 47
Defending Against Scanning
• Block ports at routers and firewalls
• Block ICMP, including echo
• Segment your network properly
• Hide private, internal IP addresses
• Change default account settings and remove or disable unnecessary services
• Restrict permissions
• Keep applications and operating systems patched
Module 03: 48
Sniffing Countermeasures
• Strong physical security
• Proper network segmentation
• Communication encryption
Module 03: 49
DoS And DDoS Countermeasures
• Stop the attack before it happens
• Block “marching orders”
• Patch systems
• Implement IDS
• Harden TCP/IP
• Avoid putting “all eggs in one basket”
• Adjust state limits
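As an added illustration (not from the slides), this Python model ties the SYN flooding slide to the "harden TCP/IP" and "adjust state limits" countermeasures: a stateful server keeps a half-open entry per SYN until it gives up, so a flood exhausts its backlog, whereas a SYN-cookie server encodes a keyed MAC of the client tuple and a time slot in its SYN-ACK sequence number and stores nothing until the ACK returns. Backlog size, timeout and the cookie layout are simplified assumptions, not any real kernel's implementation.

```python
import hmac

class StatefulServer:
    # Classic handshake: each SYN allocates a half-open entry in a bounded backlog
    def __init__(self, backlog=4, timeout=30):
        self.backlog, self.timeout = backlog, timeout
        self.half_open = {}          # client -> (server_isn, created_at)
        self.established, self.dropped, self._next_isn = set(), 0, 1000
    def on_syn(self, client, now):
        # Give up on half-open entries older than the timeout, as the slide describes
        self.half_open = {c: v for c, v in self.half_open.items() if now - v[1] < self.timeout}
        if len(self.half_open) >= self.backlog:
            self.dropped += 1        # backlog exhausted: this SYN gets no SYN-ACK
            return None
        self._next_isn += 1
        self.half_open[client] = (self._next_isn, now)
        return self._next_isn        # ISN carried in the SYN-ACK
    def on_ack(self, client, ack_num, now):
        entry = self.half_open.pop(client, None)
        if entry and ack_num == entry[0] + 1:
            self.established.add(client)
            return True
        return False

class SynCookieServer:
    # SYN cookies: no per-SYN state; the ISN is a MAC over client tuple + time slot (simplified)
    def __init__(self, secret=b"constructed-demo-secret", slot_seconds=64):
        self.secret, self.slot_seconds, self.established = secret, slot_seconds, set()
    def _cookie(self, client, slot):
        msg = f"{client[0]}:{client[1]}:{slot}".encode()
        mac = hmac.new(self.secret, msg, "sha256").digest()
        return ((slot & 0xFF) << 24) | int.from_bytes(mac[:3], "big")  # 8-bit slot, 24-bit MAC
    def on_syn(self, client, now):
        return self._cookie(client, now // self.slot_seconds)   # nothing is stored
    def on_ack(self, client, ack_num, now):
        slot_now = now // self.slot_seconds
        for slot in (slot_now, slot_now - 1):   # tolerate crossing a slot boundary
            if ack_num - 1 == self._cookie(client, slot):
                self.established.add(client)
                return True
        return False

def simulate(server, flood_count, now=1000):
    # Attacker sends flood_count SYNs and never ACKs; then a legitimate client
    # attempts a full handshake. Returns True if the legitimate client connects.
    for i in range(flood_count):
        server.on_syn(("198.51.100.7", 40000 + i), now)
    legit = ("192.0.2.10", 51515)
    isn = server.on_syn(legit, now + 1)
    return isn is not None and server.on_ack(legit, isn + 1, now + 2)
```

With the same ten abandoned SYNs, the stateful server turns the legitimate client away while the cookie server admits it; the stale-cookie check shows why the time slot belongs in the cookie.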
Module 03: 50
Other Countermeasures
• All countermeasures already mentioned
• Encrypted session negotiation
• Repeating credential verification during session
• User training
Module 03: 51
Defense-In-Depth
Module 03: 52
Perimeter Defense Countermeasures
• Router
• “Demilitarized” Zone (DMZ)
• Bastion host
• Firewalls
• Intrusion Detection Systems (IDSs)
• Intrusion Prevention Systems (IPSs)
• Virtual Private Network (VPN)
Module 03: 53
Routers
• First line of perimeter defense
  – Connects the external environment to the internal network
• Securely configured
• Audit regularly
• Keep patched and updated
Module 03: 54
Demilitarized Zone (DMZ)
• Machine or machines accessible from the Internet, but not located on the internal network or on the Internet
  – Web server
  – E-mail server
• Should not contain much valuable data
Module 03: 55
Network With DMZ (diagram): traffic from the Internet passes through a router and a firewall into the DMZ, which holds the Web, Mail and DNS servers; a second firewall separates the DMZ from the internal network.
Module 03: 56
Service Set Identifier (SSID) Broadcasting (diagram showing the SSID being broadcast)
Module 03: 70
Default SSID (diagram: access point and client both configured with SSID = tsunami)
Default SSIDs by vendor:
  Cisco = tsunami
  3COM = 101
  Agere = WaveLAN
  Linksys = Linksys
  Dlink = default
Module 03: 71
Radio Frequency Management (diagram showing Building I and the adjacent parking lot)
Module 03: 72
Default Settings
Many access points arrive with no security mechanisms in place.
Module 03: 73
Authentication Issues
Open System Authentication
• SSID
• Negotiation in clear text
• Subject to sniffing
  Exchange: Request (SSID), then Accepted (SSID)
Shared Key Authentication
• SSID and WEP-encrypted key required
• Subject to man-in-the-middle attack
  Exchange: Request (SSID), then Challenge Text (WEP), then Challenge Response (WEP), then Accepted (SSID)
Module 03: 74
Authentication Issues
• WEP standard proven insufficient
  – Mathematical weakness entailed relatively fast repeat of key transmission
    • Automated exploits followed identification of the flaw
    • Used in massive criminal activity
  – Replaced with Wi-Fi Protected Access (WPA)
  – WPA demonstrates its own weaknesses
  – Replaced by WPA2, which is viewed as more secure
Module 03: 75
Bluetooth Security
• Popular short-range technology
  – Used for many personal electronic devices, such as phones, music players, etc.
• Threats
  – Bluejacking
  – Bluesnarfing
  – Bluebugging
Module 03: 76
Networking / Internet
• History of communication
• PBX security threats and countermeasures
• Modem security threats and countermeasures
• VoIP security threats and countermeasures
• Network components
• Common protocols
• Network security threats and countermeasures
  – Scanning / sniffing / DoS / DDoS
• Wireless security threats and countermeasures
  – WLAN / Bluetooth