McGraw-Hill/Irwin Copyright © 2007 by The McGraw-Hill Companies, Inc. All rights reserved. Information Assurance for the Enterprise: A Roadmap to Information.


McGraw-Hill/Irwin Copyright © 2007 by The McGraw-Hill Companies, Inc. All rights reserved.
Information Assurance for the Enterprise: A Roadmap to Information Security, by Schou and Shoemaker
Chapter 12 Network Security Basics: Malware and Attacks

12-2 Objectives
- Work with connection control and transmission control concepts
- Develop the planning and control techniques associated with network security
- Work with various types of threats to networks

12-3 Network Security
- Guards against threats to electronic communication
- Network security has a dual mission:
  - It must ensure the accuracy of the data transmitted
  - It must also protect confidential information processed, stored on, and accessible from networks, while ensuring network availability to authorized users
- Its role is to ensure that the network components:
  - Operate correctly
  - Satisfy design requirements
  - Transmit information while retaining fundamental integrity

12-4 Engineering the Network: Ensuring a Proper Design
- Physical infrastructure: designed to ensure all required security functions are present
  - Firewalls, intrusion detection systems (IDSs), and strong authentication
- The unique physical components of networks are switches, hubs, routers, and cables

12-5 Engineering the Network: Ensuring a Proper Design
- Figure: relation of physical and software components

12-6 Connection Control
- Establishes and regulates the relationship between a computer and a network
- Ensures reliable transfer of messages and performs some transmission error correction
- Configuration process: the responsibility of the network administrator
  - Establishes the authentication rules
  - The rules consider whom the network will trust
  - Specifications of rules for the authentication of a trusted source balance the need for confidentiality and integrity with availability

12-7 Enforcing Connection Control: The Firewall
- Firewalls enforce access rights and protect the network from external systems
- They regulate access between trusted networks and untrusted ones
- Organizations may array multiple firewalls in a defense-in-depth configuration
- Firewalls are high-level software utilities that sit on the router end of the physical network
- Network security policies embedded in the firewall software dictate access

12-8 Enforcing Connection Control: The Firewall
- Types of firewalls:
  - Personal firewall: regulates connections between a single computer and external sources
  - Stateless firewall: accepts or discards each incoming packet on its own, based on whether its IP address seems to correspond with services known to the network
  - Stateful firewall: tracks the status of network traffic traveling across it in a "state table"
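The stateless/stateful distinction above in runnable form: an added example, not code from the textbook or its slides, that models a minimal state table and shows why a stateless filter must either expose high ports or drop legitimate replies. The packet fields, the TCP flag handling and the addresses are assumptions made for the illustration.

```python
from dataclasses import dataclass
from typing import Set, Tuple

# Constructed packet record (assumption): the 5-tuple, the direction relative to the
# trusted network, and the TCP SYN/ACK flags that reveal whether it opens a connection.
@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    direction: str          # "out" = leaving the trusted network, "in" = arriving from outside
    syn: bool = False
    ack: bool = False

def stateless_allow(pkt: Packet, allowed_inbound_ports: Set[int]) -> bool:
    """Stateless filter: judges every packet on its own, from address/port fields only.
    It cannot tell a reply to an inside-initiated session from an unsolicited probe."""
    if pkt.direction == "out":
        return True
    return pkt.dport in allowed_inbound_ports

class StatefulFirewall:
    """Stateful filter: keeps a state table of connections opened from the trusted side
    and admits inbound packets only when they belong to one of those connections or
    open a new session to a published service."""

    def __init__(self, allowed_inbound_ports: Set[int]) -> None:
        self.allowed = allowed_inbound_ports
        # state table entries: (inside_ip, inside_port, outside_ip, outside_port)
        self.state: Set[Tuple[str, int, str, int]] = set()

    def allow(self, pkt: Packet) -> bool:
        if pkt.direction == "out":
            if pkt.syn and not pkt.ack:            # inside host opens a session: record it
                self.state.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        # inbound: is it part of a session the inside already opened?
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.state:
            return True
        # otherwise only a fresh SYN to a published service may enter; record it too
        if pkt.dport in self.allowed and pkt.syn and not pkt.ack:
            self.state.add((pkt.dst, pkt.dport, pkt.src, pkt.sport))
            return True
        return False

def demo() -> Tuple[bool, bool, bool, bool]:
    """Returns (stateless, stateful) verdicts for a reply to an inside-initiated HTTPS
    session and for an unsolicited ACK-only packet aimed at the published web port."""
    published = {80}
    fw = StatefulFirewall(published)
    out_syn = Packet("10.0.0.5", 40000, "203.0.113.9", 443, "out", syn=True)
    reply = Packet("203.0.113.9", 443, "10.0.0.5", 40000, "in", syn=True, ack=True)
    probe = Packet("198.51.100.7", 5555, "10.0.0.8", 80, "in", ack=True)
    fw.allow(out_syn)                              # populate the state table
    return (stateless_allow(reply, published), fw.allow(reply),
            stateless_allow(probe, published), fw.allow(probe))
```

demo() returns (False, True, True, False): the stateless filter drops the legitimate reply and passes the ACK-only probe, the stateful one does the reverse.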

12-9 Transmission Control
- Regulates the actual transmission process
- Ensures that the communication between two devices is flowing properly
- Supports the integrity and availability of network data
- Facilitated through firmware drivers in communications devices and software in the operating system
- Transmission rules have to be agreed upon by both sides and include:
  - Mode in which the data will be transmitted
  - Format of the data
  - Rate of transmission
  - Type of error checking
  - Data compression method
  - Sending device's confirmation of process completion
  - Mode of indicating receipt by the receiving device

12-10 Transmission Control
- Transmission protocols are built into the communications devices
- Common modern transmission control is based on the OSI reference model
  - It defines seven layers for communication among computer systems
  - It was defined by the International Organization for Standardization as an ISO standard
- The TCP/IP protocol used by the Internet is frequently shown with five layers:
  - Application layer, transport layer, network layer, data link layer, and physical layer

12-11 Defending Networks from Attacks
- The unique security problem with networks is their level of interconnectedness
- Networks have to be secured by specialized and very robust technologies and practices
- Two broad categories of network threats:
  - Malicious code
  - Direct attacks

12-12 Threats to Information
- Malicious code: three categories transmitted through networks:
  - Viruses
  - Logic bombs
  - Trojan horses

12-13 Threats to Information
- Figure: common types of malicious code

12-14 Viruses
- Appropriate countermeasure to a common virus: a virus checker that detects and removes viruses
- Most virus checkers follow this process:
  - Examine files in memory or storage for recognizable code fragments or key words
  - Compare the scan results with the signatures of known viruses
  - Take action when an identifiable pattern is detected
  - Sometimes perform an automatic repair
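The four-step checker process above worked as an added example that is not the book's own code: a toy scanner over a constructed in-memory "file system" with both fragment (pattern) and whole-file (hash) signatures, which repairs an appended fragment and quarantines files that consist of nothing but malware. The signature names, the Demo.* patterns and the sample files are constructed for this example; the EICAR string is the standard harmless antivirus test pattern.

```python
import hashlib
from typing import Dict, List, Tuple

# Constructed signature database (assumption). The EICAR test string is split in two
# literals only so that this source file itself is not flagged by a real scanner.
PATTERN_SIGNATURES: Dict[str, bytes] = {
    "EICAR-Test-File": (b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$"
                        b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"),
    "Demo.Appender": b"DEMO-APPENDED-FRAGMENT",          # made-up fragment for the example
}
# Whole-file hash signatures: exact copies of a known sample (constructed, hashed below).
KNOWN_SAMPLE = b"this whole file is a known bad sample"
HASH_SIGNATURES: Dict[str, str] = {"Demo.Dropper": hashlib.sha256(KNOWN_SAMPLE).hexdigest()}

def match(data: bytes) -> List[Tuple[str, str]]:
    """Steps 1-2: examine content for recognisable fragments and compare with known
    signatures. Returns (name, kind) pairs; kind says what matched (fragment or whole file)."""
    hits = [(name, "pattern") for name, pat in PATTERN_SIGNATURES.items() if pat in data]
    digest = hashlib.sha256(data).hexdigest()
    hits += [(name, "hash") for name, h in HASH_SIGNATURES.items() if h == digest]
    return hits

def act(path: str, data: bytes, files: Dict[str, bytes], quarantine: Dict[str, bytes]) -> str:
    """Steps 3-4: act on a detection. Repair automatically only when the infection is a
    removable fragment appended to otherwise legitimate content; otherwise quarantine."""
    hits = match(data)
    if not hits:
        return "clean"
    name, kind = hits[0]
    if kind == "pattern" and data != PATTERN_SIGNATURES[name]:
        files[path] = data.replace(PATTERN_SIGNATURES[name], b"")   # automatic repair
        return f"repaired:{name}"
    quarantine[path] = files.pop(path)          # the file is nothing but the malware itself
    return f"quarantined:{name}"

def scan(files: Dict[str, bytes]) -> Dict[str, str]:
    """Walk a constructed 'file system' (path -> bytes) and report the action per file.
    Repaired files are rewritten in place; quarantined ones are removed from `files`."""
    quarantine: Dict[str, bytes] = {}
    return {p: act(p, d, files, quarantine) for p, d in list(files.items())}

# Constructed sample files for the walk-through.
SAMPLE_FILES: Dict[str, bytes] = {
    "bin/app.exe": b"legit program bytes" + b"DEMO-APPENDED-FRAGMENT",
    "tmp/eicar.com": PATTERN_SIGNATURES["EICAR-Test-File"],
    "tmp/drop.bin": KNOWN_SAMPLE,
    "docs/notes.txt": b"nothing suspicious here",
}
```

Note that a single changed byte in a fragment already defeats `match`, which is exactly the weakness the polymorphic and stealth viruses of a later slide exploit.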

12-15 Viruses
- Impact of viruses
  - A virus is destructive if it damages a system function
  - It can affect the operating system in undesirable ways, such as:
    - Corrupting or deleting files
    - Reformatting the hard drive
    - Executing denial-of-service attacks
  - Often the system becomes unusable, files are lost, and the damage cannot be repaired automatically

12-16 Viruses
- Categories of viruses
  - File-infecting viruses: affect executable programs; replicate and spread by infecting other host programs
  - Boot-sector viruses: infect the boot sector or partition table of a system
  - Multipartite viruses: infect both the boot sector and executable programs and files simultaneously
  - Macro viruses: infect systems through an application
  - Polymorphic and stealth viruses: defeat most signature-based countermeasures
  - Worm: a self-contained program capable of spreading copies of itself or its segments to other computer systems via network connections or attachments

12-17 Logic Bombs
- Dormant blocks of undocumented code activated when some prescribed set of criteria is met, such as a time, a date, or the status of the system
- Can be planted prior to a termination and activated afterward for revenge
- High destructive potential
- Should be aggressively hunted down and eliminated
  - Requires extensive, expensive code reviews by high-level professionals
- Resurfacing as an important part of cyber-terrorism

12-18 Trojan Horses
- Not viruses, because they do not replicate; they may, however, transmit viruses or spyware
- May assist in propagating denial-of-service (DoS) attacks
- Can deliver unwelcome payloads; common payloads include:
  - Spyware: propagates from websites
    - Spamware, password capture, keyloggers, and cookie trackers
  - Adware: not directly malicious, but uses up valuable time and system resources

12-19 Malicious Attacks
- The best way to counteract a network attack is to anticipate it and have measures in place to either stop it or mitigate the harm
- Network attacks fall into seven general categories:
  - Password attacks
  - Insider attacks
  - Sniffing
  - IP spoofing
  - Denial of service
  - Man-in-the-middle attacks
  - Application layer attacks

12-20 Malicious Attacks
- Password attacks
  - Password guessing
    - Dictionary attack: tries common words from a dictionary together with commonly chosen passwords
    - Other, more resource-intensive approaches include key search, exhaustive search, and brute-force attack
  - Social engineering: based on persuasion; the password is disclosed by the user
  - Password sniffing: uses software-based network management tools
    - Countermeasure for sniffers: encryption

12-21 Malicious Attacks
- Insider attacks
  - Misuse incidents originating from intentional or inadvertent actions of employees
  - The first line of defense is good management supported by monitoring
  - Supervisors are key security control points for employee monitoring
  - Automated software agents called policy managers or policy enforcement systems also help

12-22 Role and Use of Policy Managers
- Automated policy managers are effective tools
  - Defend against unauthorized access to confidential data and proprietary information
  - Provide the ability to filter network transactions through custom policies
  - Control the distribution of unsuitable or offensive content and inappropriate activities
- Regulate the enterprise's traffic by defining and enforcing rules governing:
  - Spam
  - Content filtering
  - Implementation of encryption and digital signature policies

12-23 Use of Sniffers
- Sniffers are common utilities employed to read any information in packets transmitted over a network
- Can be used to map the entire network topology
- Capture the information necessary to determine:
  - The number of computers on the network
  - What they access
  - Which clients run what services
- Defenses against sniffing are:
  - Encryption
  - Strong physical security
- Internet-facing sniffers are a good countermeasure for network intrusion

12-24 IP Spoofing
- IP spoofing is an address attack in which the malicious agent electronically impersonates another network party through its IP address
- Prevention of IP spoofing can be done using:
  - Programmed routers and firewall mechanisms
  - Encrypted systems such as SSH (secure shell) for authentication services

12-25 Denial of Service (DoS)
- DoS attacks affect the availability of transmission media
- Degrade the availability of information
- Designed to cost the target time and money
- Can be launched in numerous ways; the most common form:
  - DoS flood: overloads the system's servers, routers, or DNS to the extent that service to authorized users is delayed or prevented
  - Disables a particular network service

12-26 Man-in-the-Middle Attacks
- The ability to read and modify all messages passed between two parties without their knowledge
- Possible outcomes of such attacks include:
  - Theft of information and hijacking of an ongoing session
  - Traffic analysis to derive information about a network and its users
  - Denial of service and corruption of transmitted data
  - Introduction of new information into network sessions

12-27 Application Layer Attacks
- These take advantage of weaknesses in popular applications and application services
- Common attacks include:
  - Buffer overflows: exploit poorly written code that improperly validates input to an application
  - Cross-site scripting flaws: allow web applications to drop attack scripts into a user's browser
  - Unvalidated parameters: web requests that are not validated before being used by the application
  - Command injection attacks: web applications are allowed to pass parameters containing malicious commands to be executed on an external system
- Favored approach against Internet-based attacks: a defense-in-depth strategy
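Two of the attack classes listed above (an unvalidated parameter reaching a command, and cross-site scripting) as a vulnerable "before" beside its hardened "after", an added example rather than the book's code; the host-reachability feature, its function names and the sample values are assumptions.

```python
import html
import ipaddress
from typing import List

# Hypothetical feature of a web application (assumption): it runs ping against a host the
# user supplies in a request parameter and greets the user by the name they supplied.

# --- Unvalidated parameter feeding a command (command injection) ------------------------

def ping_command_vulnerable(host: str) -> str:
    """'Before': the request parameter is spliced into a shell command line unchecked, so a
    value carrying shell metacharacters becomes extra commands for the external system."""
    return "ping -c 1 " + host

def ping_command_hardened(host: str) -> List[str]:
    """'After': validate the parameter against what the application actually expects (an IP
    address), then build an argv list so nothing is ever interpreted by a shell."""
    ipaddress.ip_address(host)                 # raises ValueError for anything that is not an IP
    return ["ping", "-c", "1", host]

def rejects(host: str) -> bool:
    """True when the hardened version refuses the parameter (used to verify the validation)."""
    try:
        ping_command_hardened(host)
    except ValueError:
        return True
    return False

def looks_injected(cmdline: str) -> bool:
    """Detection helper: true if a shell command line carries characters that split or chain
    commands; useful when reviewing logs of what the vulnerable version would have run."""
    return any(ch in cmdline for ch in ";|&`$\n")

# --- Reflected cross-site scripting -----------------------------------------------------

def greeting_vulnerable(name: str) -> str:
    """'Before': user-controlled text is dropped straight into the HTML response, so markup
    in the parameter is interpreted by the victim's browser."""
    return "<p>Hello, " + name + "</p>"

def greeting_hardened(name: str) -> str:
    """'After': encode for the HTML text context so the browser renders the input as text."""
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"
```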

12-28 Cyber-Terrorism
- Goal: to harm or control key computer systems or computer controls to achieve some indirect aim, such as destroying a power grid or taking over a critical process
- The FISMA security requirements are built around three major national objectives:
  - Prepare and prevent
  - Detect and respond
  - Build strong foundations

12-29 Managing and Defending a Network
- Network security management involves all actions to ensure authorization and use:
  - Development and documentation of the method to authorize access to network files and network directories
  - Specification of the approach used to ensure reliability of data resources accessed or used over the network
  - Implementation of safeguards for protecting users from network-based security threats

12-30 Network Security Management and Planning
- Based on a plan defining the approach to assuring the physical components of the network
  - Must detail the steps taken to ensure that information stored, processed, and transmitted is secure
  - Must specify all technology and practices to be implemented and maintained for security
- The high-level steps required to implement an effective network management process are:
  - Create usage policy statements
  - Conduct risk analysis
  - Formulate a security team

12-31 Network Security Management and Planning
- Create usage policy statements
  - A statement of a general policy about system use
  - Outlines the thinking that defines the organization's network management philosophy
  - Documentation of usage statements avoids the risks of misunderstandings and conflicting approaches
  - Tailor the rules for each component by indicating security violations and the actions to be taken if detected
  - Define the acceptable use policies (AUP), including rules for account administration, policy enforcement, and privilege review
  - An aggressive training and awareness program ensures that members understand and will follow each rule

12-32 Network Security Management and Planning
- Conduct risk analysis
  - Risk assessment factors: low risk, medium risk, high risk
  - Potential types of users are:
    - Administrators responsible for managing network resources
    - Privileged internal users needing an elevated level of access
    - Internal users with general access
    - Trusted external users needing access to some resources
    - Other untrusted external users or customers

12-33 Network Security Management and Planning
- A network security or NETSEC management team:
  - Implements and maintains the network configuration
  - Is responsible for evolving the network as conditions change
  - Establishes and maintains the network security configuration from these requirements

12-34 Network Defense in Depth: Maintaining a Capable Architecture
- Defense in depth
  - Protection is established by controlling access through a number of boundaries

12-35 Network Defense in Depth: Maintaining a Capable Architecture
- Defining trust
  - Trusted networks: within the defined security perimeter
  - Untrusted networks: outside the security perimeter and not controlled
  - Unknown networks: neither trusted nor untrusted
- Establishing boundaries
  - Defines the area to be protected
  - Dictates the level of organizational resources required to perform the security function

12-36 Network Defense in Depth: Maintaining a Capable Architecture
- Formulating assumptions: security system designs are based on assumptions
  - Anticipate who might want to breach the current security measures and why
  - Deploy an effective response
- Design and deployment of a network security scheme has to be done while justifying the likely costs and benefits