
COMP3371 Cyber Security Week 10

Presentation on theme: "COMP3371 Cyber Security Week 10"— Presentation transcript:

1 COMP3371 Cyber Security Week 10
Richard Henson, University of Worcester, December 2016

2 Learning Objectives…
- Weigh the cost of safeguarding data against the risk of losing various types of data
- Use of a high-level Information Security policy to drive change in an organisation
- Use of vulnerability/penetration testing to check access to the organisation’s network (and information about it!) from outside
- Known vulnerabilities exploited through specific TCP ports

3 The Cost of Losing Organisational Data
- Plenty of data around to support the observation that organisations have been leaking data for years
  - the actual problem has to be worse… could be far worse… not all data losses ever get reported!
- Is there a cost to the organisation of losing their data?
  - can a figure be put on this cost?

4 The Direct Cost of Losing Personal Data
- Same systemic failures and potential cover-ups as for organisational data…
- Direct cost to the organisation probably regarded as very low?
  - why?
  - public reaction to loss?
  - is all personal data equal?

5 Costs of Tightening Up Security
- Human cost of completing new documentation…
  - essential part of tightening up procedures
  - cost of re-educating and re-training staff to make best use of new procedures
- Associated with employing new technology:
  - cost of purchase
  - cost of installation
  - cost of auditing/day-to-day management

6 Indirect Costs of Losing Data
- Cost of falling foul of the law…
  - time spent in court
  - fines
- Cost of bad publicity
  - public embarrassment & loss of credibility
  - making statements explaining how it wasn’t as bad as reported (!)
  - stock market price may fall…

7 Indirect costs - continued
- Cost of losing the respect of customers
  - they send their personal data (and custom) elsewhere
- Cost of business insurance
  - will be asked questions to get cyber liability insurance
  - c.f. car insurance: if assessed as higher risk, premiums are more expensive
- Research:

8 Changing an Organisation’s culture and attitude to Information Security
- Change in culture takes time
  - attitudes need to change first
  - research:
- Accepted first stage… develop, agree, and share an information security policy
  - covered in detail in COMP3357…

9 Putting Policy into Action
- The whole point of having a policy is that it WILL effectively secure the data
  - need a strategy to implement the policy!
- Development of an information security strategy… should include:
  - explaining the purpose of the policy
  - awareness training, etc. MUST follow…

10 Vulnerability Testing
- Finding out about the network, website, etc. to see how it could be exploited
- Similar to the more commonly known “penetration testing”…
  - but does not attempt to penetrate the network defences
  - considered “ethical” and not illegal!

11 What & Why of “Footprinting”
- Definition: “Gathering information about a ‘target’ system”
- Could be Passive (non-penetrative) or Active (probing…)
- Purpose: find out as much information about the digital and physical evidence of the target’s existence as possible
  - need to use multiple sources…
  - may (“black hat” hacking) need to be done secretly

12 Rationale for “passive” Footprinting
- The hacker may be able to gather what they need from public sources (e.g. the organisation’s website)
  - the organisation needs to know what it is telling the world about itself…
- Methodology:
  - Use a search engine
    - start by finding the domain name & URLs of popular pages e.g.
  - Use tools to map/mirror the main website…

13 Information Gathered without Penetration Testing
- Domain Names
- User/Group names
- System Names
- IP addresses
- Employee Details/Company Directory
- Network protocols used & VPN start/finish
- Company documents
- Intrusion detection system used

14 Website Connections & History
- History: use The Wayback Machine
- Connections: use robtex.com
- Business Intelligence: sites that reveal company details e.g.

15 More Company Information…
- “Whois” & CheckDNS.com: lookups of IP/DNS combinations
  - details of who owns a domain name
  - details of DNS Zones & subdomains
- Job hunters’ websites: e.g.

16 People Information
- Company information will reveal names
- Use names in search engines
  - Facebook
  - LinkedIn
- Google Earth reveals: company location(s)

17 Physical Network Information (“active” footprinting or phishing)
- External “probing” should be detectable by a good defence system… (could be embarrassing!)
- e.g. Traceroute:
  - uses the ICMP protocol “echo”
  - reveals names/IP addresses of intelligent hardware: e.g. Routers, Gateways, DMZs

18 Email Footprinting
- Using the email system to find the organisation’s email name structure
- “passive”: monitor emails sent
  - IP source address
  - structure of the email name
- “active”: sending programs
  - test whether email addresses actually exist
  - test restrictions on attachments

19 Phishing to extract user data (not intelligence gathering)
- Send the user a message with a link or attachment
  - the link is a form which tries to get their personal data
  - the attachment contains malware which will infect their system
- Rather obvious to IT professionals…
  - such email accounts wouldn’t be used by network infiltrators trying to hide their tracks

20 Utilizing Google etc. (“passive”)
- Google: Advanced Search options
  - uses [site:] [intitle:] [allintitle:] [inurl:]
  - in each case a search string should follow, e.g. “password”
- Maltego: graphical representations of data

21 Proxy Hacking (or Hijacking)
- Attacker creates a copy of the targeted web page on a proxy server
- artificially raises its search engine ranking with methods like:
  - keyword stuffing
  - linking to the copied page from external sites…
- the authentic page will rank lower…
  - may even be seen as duplicated content (!) and the search engine may then remove it from its index

22 Reconnaissance/Scanning
- Three types of scan:
  - Network (already mentioned): identifies active hosts
  - Port: send client requests until a suitable active port has been found…
  - Vulnerability: assessment of devices for weaknesses that can be exploited

23 Legality and Vulnerability Scanning
- Depends on whether you have asked!
  - running tests requires equipment and an expert’s time…
  - would normally charge for such a service, so… normal to contact the org.!
- A hacker wouldn’t want the organisation to know, so…
  - certainly wouldn’t ask permission!
  - illegal, but gambles on not being caught!

24 Ethical Hacking Principles
- Hacking is a criminal offence in the UK
  - covered through The Computer Misuse Act (1990), tightened in 2006
- Can only be done “legally” by a trained (or trainee) professional
  - a computing student would be considered in this context under the law

25 Ethical Hacking principles
- Even if it is legal, that doesn’t mean it is ethical!
- Professionals only hack without permission if there is reason to believe a law is being broken
  - if not… they must ask permission
  - otherwise definitely unethical (and illegal… “gaining access without permission”)

26 Typical Types of External Attacks - 1
- Exhaustive “brute force” attacks: using all possible combinations of passwords to gain access
- Inference: taking educated guesses on passwords, based on information gleaned
- TOC/TOU (Time of check/Time of use):
  1. use of a “sniffer” to capture log-on data
  2. (later) using the captured data & IP address in an attempt to impersonate the original user/client

27 Typical Types of External Attacks - 2
- Three other types of attack that firewalls should be configured to protect against:
  - denial of service (DOS) attacks
  - distributed denial of service (DDOS) attacks
  - IP Spoofing (pretence that the data is coming from a “safe” source IP address)

28 “Scanning” Methodology
- Check for live systems
- Check for open ports
- “Banner Grabbing” e.g. a bad HTML request
- Scan for vulnerabilities
- Draw network diagram(s)
- Prepare proxies…

29 TCP & UDP ports
- Hackers use these to get inside firewalls etc.
- Essential to know the important ones:
  - 20, 21 ftp
  - 22 ssh
  - 23 telnet
  - 25 smtp
  - 53 dns
  - 60 tftp
  - 80 http
  - 88 Kerberos
  - 110 pop
  - 135 smb
  - 161 snmp
  - 389 Ldap
  - 443 https
  - Ldap/SSL
  - NetBIOS

30 Network Layers and Hacking
- Schematic TCP/IP stack interacting at three of the 7 OSI levels (network, transport, application)
- (diagram: HTTP, FTP, HTTPS, NFS, DNS and SNMP at the application layer, each bound to a port, above TCP/UDP at the transport layer, above IP at the network layer)

31

32 Secure web page service
- client (browser) requests information (HTML page) using https… (port 443)
- server (IIS, web server) processes the request, sends the HTML page back to the client as https…
- Client: can view the digital certificate
- Server: has a digital certificate

33 PKI/HTTPs Presentations?
- First two sessions of… dates & locations to follow…
- details covered in seminars
- HTTPs/SSL etc… big changes afoot in 2017…
  - for latest thinking (Symantec) see… (you’ll need to register)

34 Blocking TCP ports with a Firewall
- Very many TCP and UDP ports:
  - … are tightly bound to application services
  - 1024 – … more loosely bound to services
  - 49152 – … are private, or “dynamic”
- In practice, any port over 1023 could be assigned dynamically to a service…
- One of the more useful features of a firewall is that ports can be configured, and therefore data flow can be monitored and controlled

35 Blocking TCP ports with a Firewall
- Generally, TCP ports should be:
  - EITHER open for a service (e.g. HTTP on port 80)
  - OR… blocked if there is no service, to stop opportunists
- But if the firewall only allows “official services” this can cause problems for legitimate users
  - e.g. if port 25 is blocked, email data cannot be sent

36 Protecting Against TCP/IP Attacks, Probes and Scans
- The TCP/IP protocol stack has been largely unchanged since the early 1980s:
  - more than enough time for hackers to discover its weaknesses
  - often attack through a particular TCP port

37 TCP Port 21: FTP (File Transfer Protocol)
- FTP servers are excellent, BUT by their very nature they open up very big security holes
  - those that allow anonymous logins are used:
    - to launch attacks on the server itself, by connecting to the C: drive and downloading viruses or overwriting/deleting files
    - to store pirated files and programs
- Precaution:
  - configure FTP servers NOT to accept anonymous logins
  - only allow access to port 21 through the firewall to that particular server

38 TCP Port 23: Telnet
- Telnet is really good for providing access to servers and other devices
  - accessing a server via Telnet is very much like being physically located at the server console
- Protecting against Telnet is simple:
  - block ALL access to port 23 from the outside
  - block access from perimeter networks to the inside
- Protecting internal servers from attack from the inside:
  - configure them to accept telnet connections from very few sources
  - or block port 23 completely…

39 TCP Port 25: SMTP
- Email programs are large, complex, accessible… therefore an easy target…
- Buffer overrun: the attacker enters more characters – perhaps including executable code – into an email field (e.g. To:) than is expected by an email server
  - an error could be generated
  - hackers could gain access to the server and the network
- SPAM attack: the protocol design allows a message to go directly from the originator’s server to the recipient’s server
  - can ALSO be relayed by one or more mail servers in the middle
  - BUT… this is routinely abused by spammers to forward messages to thousands of unwilling recipients

40 Port 25 SMTP: solutions…
- Buffer Overrun solution: put the email server on a perimeter network
- Spam Attack solution: DISABLE the relaying facility…

41 TCP and UDP Port 53: DNS (Domain Name Service)
- One of the core protocols of the Internet
  - without it, domain name to IP address translation would not exist
- PROBLEMS: if a site hosts DNS, attackers will try to:
  - modify DNS entries
  - download a copy of your DNS records (a process called zone transfer)

42 Port 53 DNS: Solution…
- configure the firewall to accept connections from the outside to TCP port 53 only from your secondary DNS server
  - the one downstream from you, e.g. your ISP
- consider creating two DNS servers: one on your perimeter network, the other on the internal network:
  - the perimeter DNS will answer queries from the outside
  - the internal DNS will respond to all internal lookups
  - configure a stateful inspection firewall to allow replies to the internal DNS server, but deny connections being initiated from it
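The split-DNS rules above, modelled as a small stateful policy evaluator. This is an added example, not from the lecture: the addresses (internal LAN 10.0.0.0/8, perimeter DNS 192.0.2.53, internal DNS 10.0.0.53, ISP secondary 198.51.100.53) are assumed, and the stateful rule is read as "remember lookups the internal resolver sends out so their replies get back in; never let the outside initiate a connection to it".

```python
import ipaddress

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")   # assumed internal LAN
PERIMETER_DNS = "192.0.2.53"        # assumed: answers queries from outside
INTERNAL_DNS = "10.0.0.53"          # assumed: answers internal lookups only
SECONDARY_DNS = "198.51.100.53"     # assumed: the ISP's secondary, downstream
DNS_PORT = 53

class StatefulFirewall:
    """Minimal stateful-inspection model: flows the internal DNS server
    opens are remembered so their replies are let back in, while nothing
    from the outside may initiate a connection to it."""

    def __init__(self):
        self.sessions = set()      # (src_ip, src_port, dst_ip, dst_port)

    def check(self, proto, src_ip, src_port, dst_ip, dst_port):
        """Return 'ALLOW' or 'DENY' for one packet crossing the firewall."""
        src_inside = ipaddress.ip_address(src_ip) in INTERNAL_NET

        # 1. Reply to a flow the internal resolver started: stateful allow.
        if (dst_ip, dst_port, src_ip, src_port) in self.sessions:
            return "ALLOW"

        # 2. The outside world never initiates anything to the internal DNS.
        if not src_inside and dst_ip == INTERNAL_DNS:
            return "DENY"

        # 3. The internal resolver's outbound lookups are recorded as sessions.
        if src_ip == INTERNAL_DNS and dst_port == DNS_PORT:
            self.sessions.add((src_ip, src_port, dst_ip, dst_port))
            return "ALLOW"

        # 4. Perimeter DNS: UDP queries from anyone; TCP 53 (the transport
        #    zone transfers use) only from our secondary server.
        if dst_ip == PERIMETER_DNS and dst_port == DNS_PORT:
            if proto == "UDP":
                return "ALLOW"
            return "ALLOW" if src_ip == SECONDARY_DNS else "DENY"

        # 5. Internal clients may query the internal resolver.
        if src_inside and dst_ip == INTERNAL_DNS and dst_port == DNS_PORT:
            return "ALLOW"
        return "DENY"                 # default deny for everything else
```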

43 TCP Port 79: Finger
- A service that enumerates all the services you have available on your network servers:
  - an invaluable tool in probing or scanning a network prior to an attack!
- To deny all this information about network services to would-be attackers, just block port 79…

44 TCP Ports 109-110: POP (Post Office Protocol)
- POP is easy to use… but sadly it has a number of insecurities
- The most insecure version is POP3, which runs on port 110
  - if the server requires POP3, block all access to port 110 except to that server
  - if POP3 is not used, block port 110 entirely…

45 TCP Ports 135 and 137: NetBIOS
- The Microsoft Windows protocol used for file and print sharing
  - the last thing you probably want is for users on the Internet to connect to your servers’ files and printers!
- Block NetBIOS. Period!

46 UDP Port 161: SNMP
- SNMP is important for remote management of network devices: but it also poses inherent security risks
  - stores configuration and performance parameters in a database that is then accessible via the network…
- If the network is open to the Internet, hackers can gain a large amount of very valuable information about the network…
- So… if SNMP is used:
  - allow access to port 161 from the internal network only
  - otherwise, block it entirely

47 Denial of Service (DoS) Attacks
- An attempt to harm a network by flooding it with traffic so that network devices are overwhelmed and unable to provide services.
- One of the primary DOS attacks uses Ping, an ICMP (Internet Control Message Protocol) service:
  - sends a brief request to a remote computer asking it to echo back its IP address

48 “Ping” Attacks
- Dubbed the “Ping of Death”
- Two forms:
  - the attacker deliberately creates a very large ping packet and then transmits it to a victim
    - ICMP can’t deal with large packets
    - the receiving computer is unable to accept delivery and crashes or hangs
  - an attacker sends thousands of ping requests to a victim so that its processor time is taken up answering ping requests, preventing the processor from responding to other, legitimate requests
- Protection:
  - block ICMP echo requests and replies
  - ensure there is a rule blocking “outgoing time exceeded” & “unreachable” messages
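Detection logic for the two forms just described, as an added example that is not part of the lecture. The oversize form is recognisable before reassembly: the IP header's fragment offset is in 8-byte units, so a final fragment whose offset*8 plus payload (plus the 20-byte header) exceeds the 65535-byte IPv4 maximum is the "large ping packet" a naive receiver overflows on. All fragment and echo records below are constructed.

```python
from collections import defaultdict

IP_MAX_TOTAL = 65535     # largest IPv4 datagram: total length is a 16-bit field
IP_HEADER = 20           # minimal IPv4 header, included in the total length

def oversized_datagrams(fragments):
    """fragments: dicts with src, ident, offset (in 8-byte units, exactly as
    carried in the IP header) and length (fragment payload bytes).  Returns
    the set of (src, ident) whose reassembled datagram would exceed
    IP_MAX_TOTAL: the oversize "Ping of Death" form.  A receiver that sizes
    its reassembly buffer at the maximum and trusts offset*8+length is the
    one that crashes or hangs."""
    bad = set()
    for f in fragments:
        reassembled = IP_HEADER + f["offset"] * 8 + f["length"]
        if reassembled > IP_MAX_TOTAL:
            bad.add((f["src"], f["ident"]))
    return bad

def ping_flood_sources(echo_requests, per_second_limit=100):
    """echo_requests: list of (src, unix_second).  Returns the sources that
    sent more than per_second_limit echo requests within any single second:
    the flood form, which ties up the processor answering pings."""
    counts = defaultdict(int)
    for src, second in echo_requests:
        counts[(src, second)] += 1
    return {src for (src, _s), n in counts.items() if n > per_second_limit}

# Constructed sample fragments: a normal two-fragment datagram from one host
# (1480 + 520 bytes of payload) and, from another, a final fragment placed at
# the very top of the offset range so the total overshoots 65535.
SAMPLE_FRAGMENTS = [
    {"src": "198.51.100.7", "ident": 1, "offset": 0,    "length": 1480},
    {"src": "198.51.100.7", "ident": 1, "offset": 185,  "length": 520},
    {"src": "203.0.113.5",  "ident": 7, "offset": 0,    "length": 1480},
    {"src": "203.0.113.5",  "ident": 7, "offset": 8189, "length": 12},
]
# Constructed sample echo requests: 150 in one second from one host,
# three from another.
SAMPLE_ECHOES = [("203.0.113.5", 1480000000)] * 150 + [("198.51.100.7", 1480000000)] * 3
```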

49 Distributed Denial of Service Attacks/IP Spoofing
- Related: a DDOS attack has occurred when attackers gain access to a wide number of PCs and then use them to launch a coordinated attack against a victim
  - often rely on home computers, since they are less frequently protected (they can also use worms and viruses)
- If IP spoofing is used, attackers can gain access to a PC within a protected network by obtaining its IP address and then using it in packet headers

50 Protection against DDOS & IP Spoofing
- Block traffic coming into the network that contains IP addresses from the internal network…
- In addition, block the following private, illegal and unroutable IP addresses:
  - Illegal/unroutable: …
  - “Private” addresses, useful for NAT or Proxy Servers (RFC 1918)
- Finally, keep anti-virus software up-to-date, & firewall software patched and up-to-date
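An ingress anti-spoofing filter implementing the three blocks above, as an added example that is not from the lecture. The organisation's own prefix (192.0.2.0/24) is an assumed, constructed value; the RFC 1918 private ranges and the unroutable special-purpose blocks are the standard IPv4 ones. The slide's own list of illegal addresses did not survive the transcript, so the set below is the example's, not the lecture's.

```python
import ipaddress

INTERNAL_NET = ipaddress.ip_network("192.0.2.0/24")   # assumed: our own prefix

# RFC 1918 private space: fine behind NAT, never a genuine source arriving
# from the Internet.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# IPv4 blocks that cannot be a real unicast source on the public Internet.
UNROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8",          # "this network"
    "127.0.0.0/8",        # loopback
    "169.254.0.0/16",     # link-local
    "224.0.0.0/4",        # multicast is never a source address
    "240.0.0.0/4",        # reserved; includes 255.255.255.255 broadcast
)]

def ingress_verdict(src_ip):
    """Classify the source address of a packet arriving from the outside.
    Returns 'DROP:<reason>' or 'ACCEPT'.  Order matters: our own prefix is
    tested first because that is the spoof the slide singles out."""
    addr = ipaddress.ip_address(src_ip)
    if addr in INTERNAL_NET:
        return "DROP:spoofed-internal"    # our prefix, but coming from outside
    if any(addr in net for net in RFC1918):
        return "DROP:rfc1918-private"
    if any(addr in net for net in UNROUTABLE):
        return "DROP:unroutable"
    return "ACCEPT"

def filter_packets(packets):
    """Apply ingress_verdict to (src_ip, dst_ip) pairs.  Returns the accepted
    pairs in order plus a count of drops per reason for the firewall log."""
    accepted, drops = [], {}
    for src, dst in packets:
        verdict = ingress_verdict(src)
        if verdict == "ACCEPT":
            accepted.append((src, dst))
        else:
            reason = verdict.split(":", 1)[1]
            drops[reason] = drops.get(reason, 0) + 1
    return accepted, drops

# Constructed sample: a legitimate client, a packet claiming to be our own
# server, a private source, a loopback source and a multicast source.
SAMPLE_PACKETS = [
    ("198.51.100.7", "192.0.2.10"),
    ("192.0.2.10", "192.0.2.10"),
    ("10.1.2.3", "192.0.2.10"),
    ("127.0.0.1", "192.0.2.10"),
    ("224.0.0.1", "192.0.2.10"),
]
```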

51 Organisational Data Security Strategy: Where to start?
- Can’t START with technology
  - needs to start with the ISSUES that need addressing
- Should be primarily “top down”
  - concerned with policies, not technical matters…
  - can be supplemented by a “bottom up” approach
- Technologies can be used to put policies into practice
  - degree of success in the latter depends on:
    - communication of policies
    - understanding of technologies

52 Role of the Adviser/Consultant (1)
- Specialist knowledge of Information Security in organisations
- Aware of the need to convince senior management that the cost involved in achieving a quality standard is worthwhile
- In an SME: the adviser can provide moral, intellectual, and evidential support for the IT manager’s position
- In a microbusiness: there is no IT manager…
  - the adviser will usually be supporting the most IT-literate employee against a sceptical senior mgt…

53 Role of Adviser/Consultant (2)
- Needs to have good credentials to be credible:
  - plenty of experience in this area
  - contacts in the industry
  - good track record for:
    - knowledgeability
    - keeping up to date
    - communication of knowledge
- Needs to be able to put technical problems into terms that non-technologists can understand…
  - many expensive technical “solutions” available… would probably be unnecessary if systems and procedures were properly implemented!

54 How achieving a quality standard could help with business strategy
- Whatever the business: any new work will have a cost
  - the cost needs to be qualified
- More cost means less profit…
  - what is the ROI of achieving a high level of information security (assurance)?

55 Potential Financial Benefits of Information Assurance
- Need to be sold to senior mgt…
  - less risk of losing valuable (even strategically important…) data
  - less likely to get embarrassing leaks, which could even get to the media (!)
  - less likely to fall foul of the law (!)
- An ever-growing set of examples of businesses who have done both of the above
  - evidence that they lost customers and share price dropped…

56 Protection against the Threats
- Internal threats? should be addressed directly through implementation of IS policy
- External threats? normally addressed through:
  1. vulnerability scanning
  2. action taken from vulnerability reports

