
COMP3371 Cyber Security Week 8


1 COMP3371 Cyber Security Week 8
Richard Henson, University of Worcester, November 2018

2 Learning Objectives…
See the network through the eyes of an attacker…
Use vulnerability/penetration testing to check access to the organisation's network (and information about it!) from outside
Stop exploitation of known software vulnerabilities through specific TCP ports

3 Defensive and Offensive Approaches to Security
Generally, the best way to protect data is to put it in a safe place and build walls around it (defensive approach)
It is also wise to get someone to attack the organisation and try to breach its defences (offensive approach), then report back on the findings…

4 Summary of Basic Defensive Security…
Firewalls… appropriately configured on Internet gateways… and end-point devices
Use of effective antivirus software
Patching and updating software
Enforced information security policy
Correct use of PKI for www data
Covered in Cyber Essentials!

5 Offensive Security: 1. Vulnerability Scanning
"Passive" scanning: finding out about the network, website, etc. to see how it could be exploited
Similar to the more commonly known "penetration testing"… but does not attempt to penetrate the network defences
Considered "ethical" and not illegal!

6 2. Penetration Testing
"Active" scanning: requires the investigator/hacker to penetrate the organisation's defences, rather than "peer in" from the outside
Would be illegal if permission is not granted!
A requirement for Cyber Essentials Plus

7 What & Why of "Footprinting"
Definition: "Gathering information about a 'target' system"
Could be passive (non-penetrative) or active (probing…)
Purpose: find out as much information as possible about the digital and physical evidence of the target's existence
  need to use multiple sources…
  may ("black hat" hacking) need to be done secretly

8 Rationale for "passive" Footprinting
The hacker may be able to gather what they need from public sources (e.g. the organisation's website)
  the organisation needs to know what it is telling the world about itself…
Methodology:
  Use a search engine: start by finding the domain name & URLs of popular pages e.g.
  Use tools to map/mirror the main website…

9 Information Gathered without Penetration Testing
Domain names
User/group names
System names
IP addresses
Employee details/company directory
Network protocols used & VPN start/finish
Company documents
Intrusion detection system used

10 Website Connections & History
History: use the Wayback Machine
Connections: use robtex.com
Business intelligence: sites that reveal company details e.g.

11 More Company Information…
"Whois" & CheckDNS.com: lookups of IP/DNS combinations
  details of who owns a domain name
  details of DNS zones & subdomains
Job hunters' websites: e.g.

12 People Information
Company information will reveal names
Use names in search engines, Facebook, LinkedIn
Google Earth reveals: company location(s)

13 Physical Network Information ("active" footprinting or phishing)
External "probing" should be detectable by a good defence system… (could be embarrassing!)
e.g. Traceroute: uses the ICMP protocol "echo"; reveals names/IP addresses of intelligent hardware, e.g. routers, gateways, DMZs

14 Email Footprinting
Using the email system to find the organisation's name structure
"passive": monitor emails sent
  IP source address
  structure of the name
"active": sending programs:
  test whether addresses actually exist
  test restrictions on attachments

15 Phishing to extract user data (not intelligence gathering)
Send the user a message with a link or attachment
  the link is to a form which tries to get their personal data
  the attachment contains malware which will infect their system
Rather obvious to IT professionals… email accounts wouldn't be used by network infiltrators trying to hide their tracks

16 Utilizing Google etc. ("passive")
Google: Advanced Search options: uses [site:] [intitle:] [allintitle:] [inurl:]
  in each case a search string should follow, e.g. "password"
Maltego: graphical representations of data

17 Proxy Hacking (or Hijacking)
Attacker creates a copy of the targeted web page on a proxy server
Artificially raises its search engine ranking with methods like:
  keyword stuffing
  linking to the copied page from external sites…
The authentic page will rank lower… may even be seen as duplicated content (!) and the search engine may then remove it from its index

18 Reconnaissance/Scanning
Three types of scan:
  Network (already mentioned): identifies active hosts
  Port: send client requests until a suitable active port has been found…
  Vulnerability: assessment of devices for weaknesses that can be exploited

19 Legality and Vulnerability Scanning
Depends on whether you have asked!
  running tests requires equipment and an expert's time… would normally charge for such a service, so… normal to contact the organisation!
A hacker wouldn't want the organisation to know, so… certainly wouldn't ask permission!
  illegal, but gambles on not being caught!

20 Ethical Hacking Principles
Hacking is a criminal offence in the UK, covered through the Computer Misuse Act (1990), tightened in 2006
Can only be done "legally" by a trained (or trainee) professional
  a computing student would be considered in this context under the law

21 Ethical Hacking Principles
Even if a practice is currently legal, that doesn't mean it is ethical!
Professionals only hack without permission if there is reason to believe a law is being broken
  if not… they must ask permission
  otherwise definitely unethical (and illegal… "gaining access without permission")

22 "Scanning" Methodology
Check for live systems
Check for open ports
"Banner grabbing", e.g. a bad HTML request
Scan for vulnerabilities
Draw network diagram(s)
Prepare proxies…

23 Why use "offensive" security?
Recognised that manager(s) of an internal network:
  can't objectively mark their own homework!
  can see out, but can't see in!
Makes good sense for a third party to attempt to hack in with permission (therefore not illegal)…
  test firewalls, patching, PKI implementation
  report back to management…

24 The "Cyber Kill Chain" (1) (Lockheed Martin…)
Reconnaissance: find the weakness(es)
Weaponisation: figure out how it can be exploited
Delivery: send the malicious software into the victim's network

25 The "Cyber Kill Chain" (2) (Lockheed Martin…)
Exploitation: run the software on the victim's network
Installation: install the hack into the victim's network
Command and Control: control the victim's network in such a way as to achieve mission objectives
Actions on Objectives: "wash down" on how well it went…

26 Reminder of Port Vulnerability
Simplified OSI model for TCP/IP…
  levels 5/6/7 combined as application: HTTP, FTP, HTTPS, NFS, DNS, SNMP
  level 4: transport (TCP/UDP)
  IP (network)
TCP or UDP packets can attack the network…

27 Blocking TCP ports with a Firewall
Very many TCP and UDP ports: are tightly bound to application services
  1024 – : more loosely bound to services
  49152 – : are private, or "dynamic"
In practice, any port over 1023 could be assigned dynamically to a service…
One of the more useful features of a firewall is that ports can be configured, and therefore data flow can be monitored and controlled

28 Protecting Against TCP/IP Attacks, Probes and Scans
The TCP/IP protocol stack has been largely unchanged since the early 1980s: more than enough time for hackers to discover its weaknesses
Attacks often come through a particular TCP port

29 TCP Port 21: FTP (File Transfer Protocol)
FTP servers by their very nature open up very big security holes, especially if anonymous login is allowed:
  connect to the C: drive using NFS
  download viruses
  overwrite/delete files
  store pirated files and programs
Defence:
  DO NOT accept anonymous logins
  only allow access via port 21 to that particular server

30 TCP Port 25: SMTP
Easy target! programs/data large, complex, accessible…
Buffer overrun: attacker enters more characters – perhaps including executable code – into an email field (e.g. To:)
  error generated
  hackers get enough information to gain access
SPAM attack: SMTP protocol design allows a message to go directly from the originator's server to the recipient's server
  ALSO can be relayed by one or more mail servers in the middle
  spammers forward messages to thousands of unwilling recipients!

31 Port 25 SMTP: Defending…
Threat: buffer overrun
  Solution: put the server on a perimeter network
Threat: spam attack
  Solution: DISABLE the relaying facility…

32 UDP Port 53: DNS (Domain Name Service)
Without DNS, domain name to IP address translation would not exist!!!
Threat: if a site hosts DNS, attackers will try to:
  modify DNS entries
  download a copy of your DNS records (a process called zone transfer)

33 Port 53 DNS: Solution…
Defence:
  configure the firewall to accept connections from the outside to TCP port 53 only from your secondary DNS server, the one downstream from you, e.g. your ISP
  two DNS servers: one on the perimeter network, the other on the internal network:
    the perimeter DNS will answer queries from the outside
    the internal DNS will respond to all internal lookups

34 TCP Port 79: Finger
A service that enumerates all the services you have available on your network servers: an invaluable tool in probing or scanning a network prior to an attack!
Defence: block port 79… would-be attackers are denied all this information about network services!

35 TCP Ports 109-110: POP (Post Office Protocol)
POP is used to download data to a client… POP3 (port 110) is the least secure version!
Defence: block all access to port 110 except for that server
  if POP3 is not being used, block port 110!!!

36 TCP Ports 135 and 137: NetBIOS
The Microsoft Windows protocol used for file and print sharing
The last thing you probably want is for users on the Internet to connect to your servers' files and printers!
Block NetBIOS. Period!

37 UDP Port 161: SNMP
SNMP is important for remote management of network devices, but it also poses inherent security risks
  stores configuration and performance parameters in a database that is then accessible via the network…
  if the network is open to the Internet, hackers can gain a large amount of very valuable information about the network…
So… if SNMP is used:
  allow access to port 161 from the internal network only
  otherwise, block it entirely
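Added worked example (not from the lecture slides): a small Python model of the port-by-port defences in slides 29 to 37, evaluated against constructed inbound packets. The server addresses, the internal range and the deny-by-default fallback are assumptions for illustration.

```python
# Added example, not from the lecture: a minimal model of the per-port firewall
# policy described in slides 29-37. All addresses are constructed (documentation
# ranges) and the deny-by-default rule is an assumption.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INTERNAL_NET = ip_network("192.0.2.0/24")      # assumed internal LAN range
FTP_SERVER = ip_address("198.51.100.21")       # the one host allowed to take FTP (slide 29)
PERIMETER_DNS = ip_address("198.51.100.53")    # perimeter DNS answering outside queries (slide 33)
SECONDARY_DNS = ip_address("203.0.113.53")     # ISP secondary: only outside TCP/53 client (slide 33)
POP3_SERVER = ip_address("198.51.100.110")     # the one host allowed to take POP3 (slide 35)

# Ports blocked unconditionally: finger (slide 34) and NetBIOS (slide 36).
# The slides list 135/137 as TCP; both transports are dropped here to match "Block NetBIOS. Period!"
ALWAYS_DROP = {("tcp", 79), ("tcp", 135), ("udp", 135), ("tcp", 137), ("udp", 137)}

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str    # "tcp" or "udp"
    dport: int

def firewall_decision(pkt: Packet) -> str:
    """Return "ALLOW" or "DROP" for an inbound packet under the slides' defences."""
    src, dst = ip_address(pkt.src), ip_address(pkt.dst)
    key = (pkt.proto, pkt.dport)
    if key in ALWAYS_DROP:
        return "DROP"
    if key == ("tcp", 21):                      # FTP only to the designated server
        return "ALLOW" if dst == FTP_SERVER else "DROP"
    if key == ("tcp", 53):                      # zone transfers only from the secondary
        return "ALLOW" if src == SECONDARY_DNS else "DROP"
    if key == ("udp", 53):                      # outside lookups go to the perimeter DNS only
        return "ALLOW" if dst == PERIMETER_DNS else "DROP"
    if key == ("tcp", 110):                     # POP3 only to the designated server
        return "ALLOW" if dst == POP3_SERVER else "DROP"
    if key == ("udp", 161):                     # SNMP from the internal network only
        return "ALLOW" if src in INTERNAL_NET else "DROP"
    return "DROP"                               # assumption: deny anything not listed

if __name__ == "__main__":
    sample = [Packet("203.0.113.7", "198.51.100.21", "tcp", 21),
              Packet("203.0.113.7", "198.51.100.5", "tcp", 79)]
    for pkt in sample:
        print(firewall_decision(pkt), pkt)
```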

38 Denial of Service Attacks
An attempt to harm a network by flooding it with traffic so that network devices are overwhelmed and unable to provide services
Happen through the ICMP port, which the ping service uses
  close off the ICMP port: thwarts denial of service (DoS) attacks… and distributed denial of service (DDoS) attacks

39 Mechanism of (D)DoS Attacks
Ping "normally" sends a brief request to a remote computer asking it to echo back its IP address
"Ping of Death":
  EITHER the attacker deliberately creates a very large ping packet and then transmits it to the victim IP
    ICMP can't deal with large packets
    the receiving computer is unable to accept delivery and crashes or hangs
  OR sends thousands of ping requests to a victim
    CPU time is taken up answering ping requests, preventing it from responding to other, legitimate requests
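Added detection example (not from the lecture slides): Python logic that flags both mechanisms described above, an oversized echo request and a flood of echo requests from one source, when run over constructed packet records. The record format, the flood threshold and the window length are assumptions.

```python
# Added example, not from the lecture: a detector for the two "Ping of Death"
# mechanisms on slide 39, run over constructed packet records. The record
# format, the threshold and the window are assumptions for illustration.
from collections import defaultdict, deque

MAX_IPV4_DATAGRAM = 65535   # an echo request reassembling to more than this is the oversized case
FLOOD_THRESHOLD = 100       # assumed: this many echo requests from one source per window is a flood
WINDOW_SECONDS = 1.0
ECHO_REQUEST = 8            # ICMP type 8

def classify_icmp(records, flood_threshold=FLOOD_THRESHOLD, window=WINDOW_SECONDS):
    """records: (timestamp, src, icmp_type, reassembled_len) tuples in time order.
    Returns alerts as (kind, src) pairs; a flooding source is reported once."""
    alerts = []
    recent = defaultdict(deque)   # src -> timestamps of its echo requests inside the window
    flooding = set()
    for ts, src, icmp_type, length in records:
        if icmp_type != ECHO_REQUEST:
            continue
        if length > MAX_IPV4_DATAGRAM:            # mechanism 1: one oversized ping
            alerts.append(("oversized_ping", src))
        q = recent[src]
        q.append(ts)
        while ts - q[0] > window:                 # slide the window forward
            q.popleft()
        if len(q) >= flood_threshold and src not in flooding:   # mechanism 2: thousands of pings
            flooding.add(src)
            alerts.append(("ping_flood", src))
    return alerts

# Constructed sample: one oversized ping, one flooding source, one benign ping.
SAMPLE_RECORDS = sorted(
    [(0.0, "203.0.113.9", ECHO_REQUEST, 65536), (0.5, "203.0.113.5", ECHO_REQUEST, 84)]
    + [(i * 0.005, "203.0.113.77", ECHO_REQUEST, 84) for i in range(150)])

if __name__ == "__main__":
    for kind, src in classify_icmp(SAMPLE_RECORDS):
        print(kind, src)
```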

40 DDoS attacks
Much more dangerous…
  attackers gain access to a wide number of PCs or other devices
  often rely on home computers, since they are less frequently protected
  can also use previously "installed" worms and viruses
  use these devices to launch a coordinated attack against a victim IP address

41 Protecting against "Ping of Death"
Simple! block ICMP echo requests and replies
If ICMP is needed… ensure there is a rule blocking "outgoing time exceeded" & "unreachable" messages

42 IP Spoofing
Use software to change the source IP address of a packet!
Attackers can gain access to a PC within a protected network…
  obtain its IP address
  use it in packet headers so the Internet firewall lets the malicious packets through

43 Protection against IP Spoofing
Block traffic coming into the network that contains IP addresses from the internal network…
Use a proxy server so internal IP addresses are never exposed
Block traffic associated with "private" (NAT) and illegal/unrouteable IP addresses:
  Illegal/unrouteable: , , , &
  "Private" (NAT addresses as defined in RFC 1918): (often used by wireless routers)
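Added worked example (not from the lecture slides): a Python ingress filter implementing the three blocks above, dropping inbound packets whose source is an internal address, an RFC 1918 private address, or an address that is never valid on the Internet. The internal range is constructed; the RFC 1918 blocks are the standard ones and the unroutable list is an assumed selection (loopback, "this" network, link-local, multicast, reserved).

```python
# Added example, not from the lecture: an anti-spoofing ingress filter for the
# Internet-facing interface, following the three blocks listed on slide 43.
from ipaddress import ip_address, ip_network

# Constructed internal range; a real deployment lists its own assigned blocks.
INTERNAL_NETS = [ip_network("198.51.100.0/24")]

# RFC 1918 private space: never a legitimate source on the Internet side.
RFC1918 = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]

# Assumed selection of addresses that are never valid Internet sources:
# "this" network, loopback, link-local, multicast, reserved (240/4 includes 255.255.255.255).
UNROUTABLE = [ip_network("0.0.0.0/8"), ip_network("127.0.0.0/8"), ip_network("169.254.0.0/16"),
              ip_network("224.0.0.0/4"), ip_network("240.0.0.0/4")]

def spoof_reason(src, internal_nets=INTERNAL_NETS):
    """Why an inbound packet with this source should be dropped, or None to allow it."""
    addr = ip_address(src)
    if any(addr in net for net in internal_nets):
        return "internal address arriving from outside"
    if any(addr in net for net in RFC1918):
        return "RFC 1918 private source"
    if any(addr in net for net in UNROUTABLE):
        return "unroutable source"
    return None

def filter_ingress(packets, internal_nets=INTERNAL_NETS):
    """Split constructed (src, dst) records into allowed pairs and (src, reason) drops."""
    allowed, dropped = [], []
    for src, dst in packets:
        reason = spoof_reason(src, internal_nets)
        if reason:
            dropped.append((src, reason))
        else:
            allowed.append((src, dst))
    return allowed, dropped

if __name__ == "__main__":
    # Constructed sample traffic arriving on the outside interface.
    sample = [("203.0.113.5", "198.51.100.1"), ("198.51.100.7", "198.51.100.1"),
              ("192.168.1.10", "198.51.100.1"), ("127.0.0.1", "198.51.100.1")]
    allowed, dropped = filter_ingress(sample)
    print("allowed:", allowed)
    print("dropped:", dropped)
```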

44 Other Typical Types of External Attacks – human/tech
Exhaustive "brute force" attacks: using all possible combinations of passwords to gain access
Inference: taking educated guesses at passwords, based on information gleaned
TOC/TOU (time of check/time of use):
  1. use of a "sniffer" to capture log-on data
  2. (later) using the captured data & IP address in an attempt to impersonate the original user/client

