Information Systems Security Attacks, Detection, and Prevention
Common Types of Attack
- Organizational attacks involve one organization breaking into your network to try to access confidential information in order to gain a business advantage.
- Hackers enjoy exercising their skills by attempting to bypass security safeguards and gain illegal access to your network.
- Automated attacks use software to scan for network vulnerabilities or to implement an electronic brute force attack. Brute force attacks involve trying many different user names, passwords, or other credentials to gain access to your resources.
- Denial of service (DoS) attacks flood a server with requests for action, thus rendering it incapable of providing its normal service.
- Viruses, Trojan horses, and worms are harmful programs that act by exploiting some known vulnerability to install themselves on a computer (perhaps by entering as an attachment to an e-mail). Once they are present on a computer, they distribute copies of themselves to other connected computers, and these copies also replicate themselves, resulting in a rapid infection of the computer network.
- Accidental breaches in security often result from poor practices or procedures. For example, if security information, such as user names and passwords, is exposed, an attacker can exploit that information to gain access to your network.
Social Engineering Attack
- An attack where the goal is to obtain sensitive data, including user names and passwords, from network users through deception and trickery.
Eavesdropping Attack
- An attacker tries to gain access to private network communication using a sniffing tool in order to steal the content of the communication itself or to obtain user names and passwords.
IP Spoofing Attack
- An attacker creates IP packets with a forged IP address and uses those packets to gain access to a remote system.
Hijacking Attack
- The attacker takes control of (hijacks) a TCP session after authentication at the beginning of the session, to gain access to data or network resources using the identity of the legitimate user.
Replay Attack
- An attacker captures network traffic in the form of packets and stores it for retransmission at a later time to gain unauthorized access to a specific host or network.
Man-in-the-middle Attack
- An attacker inserts himself between two hosts to gain access to their data transmission. Instead of just listening to and capturing network traffic, the attacker makes the sender and receiver believe they are communicating with each other, when in fact they are both communicating with the attacker's computer.
Denial of Service Attack
- The attacker attempts to disable systems that provide services by:
  - Flooding the network link
  - Sending flawed data to an application
  - Consuming the system's resources to the point that it shuts down
Malicious Code Attack
- An attacker inserts malicious code into a user's system to disrupt or disable the operating system or an application:
  - Virus
  - Worms
  - Trojans
  - Logic bombs
Virus
- The term originally refers to poison and other noxious substances.
- A computer program that can copy itself and infect a computer without the permission or knowledge of the user.
- A virus needs to attach itself to a program in order to replicate.
Worm
- A computer worm is a self-replicating computer program. It uses a network to send copies of itself to other nodes (computer terminals on the network) and may do so without any user intervention.
- Unlike a virus, it does not need to attach itself to an existing program.
Trojan horse
- Malware that appears to perform a desirable function but in fact performs undisclosed malicious functions. A computer worm or virus may therefore also be a Trojan horse.
- The term is derived from the classical story of the Trojan Horse.
Root kit
- Malware that helps intruders gain access to systems while avoiding detection, usually by modifying the OS.
- It takes control of root access (in Windows, "Administrator" access) so as to seize control of the operating system.
Attacks against default security configuration
- An attacker attempts to gain access to, or disrupt the operation of, a computer by exploiting security flaws that exist in the operating system as it is installed out of the box.
Software Exploitation Attacks
- An attacker attempts to gain access to a system or sensitive data by exploiting a flaw or feature in an application.
Password Attack
- An attacker tries to guess passwords or crack encrypted password files.
Backdoor Attack
- An attacker creates a mechanism for gaining access to a computer that bypasses the normal security checking path.
Defending Principles
- Secure the network
- Secure the host
- Secure the application
- Apply security principles
Defense against Network Attack
- Good configuration management
  - Up-to-date OS
  - Patches applied
  - Default passwords removed
- Proper network architecture
  - Router
  - Firewall
  - Switch
Terminology
- Firewall: A device or program that controls the flow of network traffic between networks or hosts.
- Packet Filter Firewall: A routing device that includes access control functionality for host addresses and communication sessions.
- Stateful Inspection Firewall: A firewall that can filter packets, track the state of connections, and block packets that deviate from the expected state.
- Circuit Level Proxy: A form of proxy that validates each connection before it is established, in the same manner as stateful inspection.
- Application Proxy Gateway: An advanced firewall that combines lower-layer access control with upper-layer functionality, and includes a proxy agent that acts as an intermediary between two hosts that wish to communicate with each other.
- Demilitarized Zone (DMZ): An interface on a routing firewall leading to a protected network that is different from the main network. This network acts as a buffer.
- Network Address Translation (NAT): Used to hide internal IP addresses from an external network through use of an addressing scheme (DHCP).
Firewall
- A firewall is a combination of hardware and software that sits at the entry point to the company network.
- It monitors the type of traffic that comes into the company network and decides whether a packet is allowed to enter.
- All traffic (data packets) is screened by the firewall, and only authorized packets are allowed to gain entry into the network.
Types of Firewall
- Packet filtering (also called screening routers)
- Circuit level gateways
- Application proxies
Packet filtering
- Screening routers can look at the packet IP address (network layer) and the type of connection (transport layer), and then filter based on that information.
- A router that connects two networks often performs packet filtering to control traffic between the networks.
- Administrators program the device with a set of rules that define how packet filtering is done.
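As an added example (not code from the lecture), a minimal Python model of a screening router: each rule matches on the network-layer addresses and the transport-layer protocol and port, the first matching rule decides, and a packet that matches no rule is dropped. The 10.0.0.0/8 site, the web server at 10.0.0.80 and the rule set are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

@dataclass(frozen=True)
class Packet:
    src: str        # source IP address
    dst: str        # destination IP address
    proto: str      # "tcp", "udp" or "icmp"
    dport: int = 0  # destination port (0 when the protocol has none)

@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    src: str = "0.0.0.0/0"       # CIDR prefix the source address must fall in
    dst: str = "0.0.0.0/0"       # CIDR prefix the destination address must fall in
    proto: str = "any"           # "any" or a specific protocol
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and self.proto in ("any", p.proto)
                and (self.dport is None or self.dport == p.dport))

def filter_packet(p: Packet, rules: List[Rule]) -> str:
    """Screening-router semantics: first matching rule wins, else default deny."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"

# Hypothetical inbound rule set for the Internet-facing interface of a site that
# uses 10.0.0.0/8 internally and exposes one web server at 10.0.0.80 (constructed).
INBOUND_RULES = [
    # A packet arriving from outside with an internal source address is spoofed.
    Rule("deny", src="10.0.0.0/8"),
    # Only HTTP and HTTPS to the web server are permitted; everything else
    # (SSH to the server, any port on other internal hosts, UDP) hits default deny.
    Rule("allow", dst="10.0.0.80/32", proto="tcp", dport=80),
    Rule("allow", dst="10.0.0.80/32", proto="tcp", dport=443),
]
```

Rule order matters: the anti-spoofing deny must precede the allows, or a forged internal source address aimed at port 80 would be let through.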
Proxy and proxy server
- "Proxy" means to do something on other people's behalf.
- A proxy server is a server that services the requests of its clients by forwarding those requests to other servers.
- Information on who uses the Internet and the transfer details is logged by the proxy server for further analysis.
- When a client connects to the Internet through a proxy, its IP address is not revealed. This increases the security of the computer.
- A computer in a local area network has a private IP address. It must use a proxy and NAT to obtain a public IP address to access the Internet.
Circuit Level Gateway
- It is a proxy and has all the benefits mentioned before.
- It operates at the session layer.
- It monitors TCP handshaking between packets to determine whether a requested session is legitimate.
- It does not filter individual packets.
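An added example, not from the lecture, of what the Stateful Inspection Firewall and Circuit Level Gateway slides describe: a session table keyed by the TCP 4-tuple, advanced only by segments whose flags fit the expected next step of the handshake, so a stray ACK or an unsolicited SYN-ACK is dropped. Addresses, ports and the simplified flag strings are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # simplified: "SYN", "SYN-ACK", "ACK", "PSH-ACK", "FIN" or "RST"

Key = Tuple[str, int, str, int]  # (client ip, client port, server ip, server port)

class StatefulInspector:
    """Admits only segments that fit the expected state of a tracked TCP session."""
    def __init__(self) -> None:
        self.sessions: Dict[Key, str] = {}

    def inspect(self, s: Segment) -> str:
        fwd: Key = (s.src, s.sport, s.dst, s.dport)  # as seen client -> server
        rev: Key = (s.dst, s.dport, s.src, s.sport)  # as seen server -> client
        if s.flags == "SYN" and self.sessions.get(fwd) in (None, "SYN_SENT") and rev not in self.sessions:
            self.sessions[fwd] = "SYN_SENT"          # client opens (or retransmits) a new session
            return "allow"
        if s.flags == "SYN-ACK" and self.sessions.get(rev) == "SYN_SENT":
            self.sessions[rev] = "SYN_RECEIVED"      # server answered the SYN
            return "allow"
        if s.flags == "ACK" and self.sessions.get(fwd) == "SYN_RECEIVED":
            self.sessions[fwd] = "ESTABLISHED"       # handshake complete
            return "allow"
        key = fwd if fwd in self.sessions else rev
        if self.sessions.get(key) == "ESTABLISHED" and s.flags in ("ACK", "PSH-ACK", "FIN", "RST"):
            if s.flags in ("FIN", "RST"):
                del self.sessions[key]               # session torn down; forget it
            return "allow"
        return "drop"  # no matching state: stray ACK, unsolicited SYN-ACK, SYN on an open session, etc.

def run_demo() -> List[str]:
    """Constructed trace: a complete handshake plus data, then two out-of-state segments."""
    fw = StatefulInspector()
    client, server = "203.0.113.7", "10.0.0.80"
    trace = [
        Segment(client, 40000, server, 80, "SYN"),
        Segment(server, 80, client, 40000, "SYN-ACK"),
        Segment(client, 40000, server, 80, "ACK"),
        Segment(client, 40000, server, 80, "PSH-ACK"),          # request on the open session
        Segment("198.51.100.9", 5000, server, 80, "ACK"),       # ACK with no handshake behind it
        Segment(server, 80, "198.51.100.9", 5001, "SYN-ACK"),   # reply to a SYN the gateway never saw
    ]
    return [fw.inspect(s) for s in trace]
```

A stateless packet filter would have to allow all inbound ACK segments to port 80 to let replies through; the session table is what lets the last two segments be refused.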
Application Proxy
- An application proxy is a proxy that acts at the application layer, e.g. a web proxy, an FTP proxy, etc.
- It only allows packets of that particular application to pass, and it inspects the contents of the traffic, blocking what the firewall administrator views as inappropriate content.
VPN
- Virtual Private Networking (VPN) is a process by which organizations take advantage of the public network (the Internet) to achieve connectivity for their branches as well as their remote users.
- The security of this connection is achieved by authentication and encryption.
- This function can be provided by a firewall.
Use of firewall (figure only)
De-militarized Zone (figure only)
2 firewall architecture (figure only)
Multi-DMZ Architecture (figure only)
Network Architecture (figures only)
Secure the Host
- Harden the system
- Apply the latest patches for known vulnerabilities
- Install anti-virus software
- Install a personal firewall
- Apply a security policy
- Carry out security audits
Host configuration
- Patches and updates
- Services
- Protocols
- Accounts
- Files and directories
- Shares
- Ports
- Auditing and logging
- Registry
Secure the Application
- Most applications suffer from vulnerabilities in the following areas:
  - Input validation
  - Authentication
  - Authorization
  - Configuration management
  - Sensitive data
  - Session management
  - Cryptography
  - Parameter manipulation
  - Exception management
  - Auditing and logging
Security Principles
- Compartmentalize
- Use least privilege
- Apply defense in depth
- Do not trust user input
- Check at the gate
- Fail securely
- Secure the weakest link
- Create secure defaults
- Reduce your attack surface
Intrusion Detection
- A burglar alarm for the network
- A program to detect attacks on computers and networks
- Host-based IDS
- Network-based IDS
Intrusion Detection Principles
- Actions of users and processes are statistically predictable
- Actions of users and processes do not include sequences of commands that subvert security
- Actions of processes lie inside the set permitted by the security policy
- A violation of any of the above is an indicator of an attack
Goals of IDS
- Detect a wide variety of intrusions (including by insiders)
- Detect intrusions in a timely manner
- Present a summary to a human expert
- Accuracy (few false positives)
Construction of IDS
- Traffic collector
- Analysis engine
- Signature database
- User interface and reporting
Modes of operation
- Integrity check
- Signature recognition
- Anomaly detection
Host-based IDS
- Keeps an eye on critical files and analyses the log files for:
  - Logins at odd hours
  - Login authentication failures
  - Modification or access of critical files
  - Use of certain programs
  - Privilege escalation
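An added example, not part of the lecture, of host-based log analysis for three of the listed indicators: repeated login authentication failures from one source, logins at odd hours, and privilege escalation via sudo. The log lines are constructed to mimic sshd and sudo syslog output; the odd-hours window (00:00 to 05:59) and the failure threshold are assumptions a site would tune.

```python
import re
from collections import Counter
from datetime import datetime
from typing import List

# Constructed sample auth log (not real data); the formats mimic sshd/sudo syslog lines.
SAMPLE_LOG = """\
2024-03-10 02:13:44 host1 sshd[412]: Failed password for root from 198.51.100.9 port 50122
2024-03-10 02:13:47 host1 sshd[412]: Failed password for root from 198.51.100.9 port 50123
2024-03-10 02:13:51 host1 sshd[412]: Failed password for root from 198.51.100.9 port 50124
2024-03-10 03:02:10 host1 sshd[418]: Accepted password for alice from 203.0.113.7 port 41000
2024-03-10 03:02:30 host1 sudo: alice : TTY=pts/0 ; USER=root ; COMMAND=/bin/bash
2024-03-10 09:15:02 host1 sshd[501]: Accepted publickey for bob from 10.0.0.15 port 52000
"""

# "<date> <time> <host> <program>[pid]: <message>"; the pid part is optional (sudo has none).
LINE_RE = re.compile(r"^(\S+ \S+) (\S+) (\S+?)(?:\[\d+\])?: (.*)$")
FAIL_THRESHOLD = 3       # failures from one source before an alert is raised (assumed)
ODD_HOURS = range(0, 6)  # 00:00-05:59 counts as "odd" for this hypothetical site

def analyze(log_text: str) -> List[str]:
    """Apply three host-based checks to the log and return the alerts in log order."""
    alerts: List[str] = []
    failures: Counter = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrecognised line; a real HIDS would count these too
        ts, host, prog, msg = m.groups()
        hour = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").hour
        if prog == "sshd" and msg.startswith("Failed password"):
            src = msg.split(" from ")[1].split()[0]
            failures[src] += 1
            if failures[src] == FAIL_THRESHOLD:  # alert once, when the threshold is reached
                alerts.append(f"auth-failures: {failures[src]} failed logins from {src}")
        elif prog == "sshd" and msg.startswith("Accepted") and hour in ODD_HOURS:
            user = msg.split(" for ")[1].split()[0]
            alerts.append(f"odd-hours-login: {user} at {ts}")
        elif prog == "sudo" and "USER=root" in msg:
            user = msg.split(" : ")[0].strip()
            alerts.append(f"privilege-escalation: {user} ran {msg.split('COMMAND=')[1]}")
    return alerts
```

Each check on its own is noisy; what makes the sample worth an analyst's time is the sequence of failures, an odd-hours login and a root shell within an hour on one host.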
Network-based IDS
- Looks at the network traffic in and out of the organization at the major links
- Should operate at high speed and be able to handle a large amount of traffic
Limitations
- Cannot deal with encrypted traffic
- Only known attacks can be detected
- HIDS are vulnerable to attacks since they run on the monitored machine
- NIDS can be a bottleneck of the network
- Still a young topic with lots of work to be done
IDS products
- Cisco IDS by Cisco
- eTrust by Computer Associates
- RealSecure by Internet Security Systems
- Netscreen IDP by Netscreen
- Intruder Alert by Symantec Corp.
- Tripwire by Tripwire Inc.
- Snort by Snort