introduction to information security
DESCRIPTION
A brief introduction to Information SecurityTRANSCRIPT
![Page 1: Introduction To Information Security](https://reader033.vdocuments.net/reader033/viewer/2022061220/54bc30164a7959346d8b45d9/html5/thumbnails/1.jpg)
What is Security ?
Part I
Meletis A. BelsisInformation Security Consultant
MPhil / MSc / BScCWNA/CWSP, C|EH, CCSA,
Network+, ISO27001LA
Computer Crime
![Page 2: Introduction To Information Security](https://reader033.vdocuments.net/reader033/viewer/2022061220/54bc30164a7959346d8b45d9/html5/thumbnails/2.jpg)
Setting the Scene
• Security is one of the oldest problem that governments ,commercial organizations and almost every person has to face
• The need of security exists since information became a valuable resource
• Introduction of computer systems to business has escalated the security problem even more
• The advances in networking and specially in distributed systems made the need for security even greater
• The Computer Security Institute report, notes that in year 2003 computer crime costs where increased to more than 450 million dollars in the USA alone.
![Page 3: Introduction To Information Security](https://reader033.vdocuments.net/reader033/viewer/2022061220/54bc30164a7959346d8b45d9/html5/thumbnails/3.jpg)
Profiling Adversaries
• Adversaries that target corporate system are numerous:
• These can be general classified in the following categories:– Hackers – Employees (both malicious and unintentional)– Terrorists groups– Governments– Opposing Industries
![Page 4: Introduction To Information Security](https://reader033.vdocuments.net/reader033/viewer/2022061220/54bc30164a7959346d8b45d9/html5/thumbnails/4.jpg)
Security
• So now we know that we need security.
BUT what is security anyway ?• Many people fail to understand the meaning of
the word.
• Many corporations install an antivirus software, and/or a firewall and believe they are protected.
Are they ?
![Page 5: Introduction To Information Security](https://reader033.vdocuments.net/reader033/viewer/2022061220/54bc30164a7959346d8b45d9/html5/thumbnails/5.jpg)
Security through obscurity
• Consider some cases :– An internal employee wants to revenge the company
and so publishes private corporate information on the NET.
– The terrorist attack on the twin towers (in USA) had as a result many corporations to close. Why ?
– An employee forgets his laptop into a café. This laptop contains all corporate private information.
HOW CAN A FIREWALL PROTECT FROM THE PREVIOUS ?
![Page 6: Introduction To Information Security](https://reader033.vdocuments.net/reader033/viewer/2022061220/54bc30164a7959346d8b45d9/html5/thumbnails/6.jpg)
Security: easy to understand, difficult to implement
“In the real world, security involves processes. It involves preventive technologies, but also detection and reaction processes, and an entire forensics system to hunt down and prosecute the guilty. Security is not a product; it itself is a process. …. ”
Bruce Schneier
(Secrets and Lies, Wiley and Sons Inc.)
![Page 7: Introduction To Information Security](https://reader033.vdocuments.net/reader033/viewer/2022061220/54bc30164a7959346d8b45d9/html5/thumbnails/7.jpg)
Security: easy to understand, difficult to implement
• Security contains a number of tools , processes and techniques.
• These in general cover three main requirements:– Confidentiality– Integrity– Availability
• Depending on the security requirements a system has, one can concentrate only on one of the previous or all of them.
• A new requirement enforced by the operation of e-markets is non-repudiation.
C
A I
Perspective
![Page 8: Introduction To Information Security](https://reader033.vdocuments.net/reader033/viewer/2022061220/54bc30164a7959346d8b45d9/html5/thumbnails/8.jpg)
Security: easy to understand, difficult to implement
• Computer Security is difficult to implement due to the following:– The cost of implementing a security system should not
exceed the value of the data to be secured.– Industries pay huge amount of money for industrial
espionage.– Users feel that security is going to take their freedom away
and so often they sabotage the security measures.– Computer prices have fallen dramatically and the number
of hackers have been multiplied.– Security managers work under strict money and time
schedule. Criminals do not have any time schedule and they do not need any specialised software.
– Hackers are often cooperate with known criminals.
That is why, total security is almost infeasible.
![Page 9: Introduction To Information Security](https://reader033.vdocuments.net/reader033/viewer/2022061220/54bc30164a7959346d8b45d9/html5/thumbnails/9.jpg)
The Art of Hacking Part II
Attacking Corporate Systems
![Page 10: Introduction To Information Security](https://reader033.vdocuments.net/reader033/viewer/2022061220/54bc30164a7959346d8b45d9/html5/thumbnails/10.jpg)
Information Gathering
• The first step to hacking is to gather as much information as possible for the target.
• This information is later used to draw a map of the corporate network.
• This map is used to define and design an attack methodology as well as identify the needed attack tools.
• The extreme case of information gathering is called dumpster diving
![Page 11: Introduction To Information Security](https://reader033.vdocuments.net/reader033/viewer/2022061220/54bc30164a7959346d8b45d9/html5/thumbnails/11.jpg)
Information Gathering : Searching the Corporate Web site
• Searching the corporate web site for information: – Statements like : “This site is best viewed with
Internet Explorer” could uncover that the company uses Microsoft Web Server.
– Email Addresses. These are used to identify user names. i.e. [email protected]
– Office Locations: Companies with office locations in different countries would probably use a VPN to interconnect.
– Company News
![Page 12: Introduction To Information Security](https://reader033.vdocuments.net/reader033/viewer/2022061220/54bc30164a7959346d8b45d9/html5/thumbnails/12.jpg)
Information Gathering : Searching the Internet
• Searching the WEB can provide valuable information– Using the link directive. i.e. link: www.somecompany.com
provides information on the sites that link to the corporate web site.
– Searching the greater WEB using the company’s name
• Searching public WHOIS databases :Provide information about the domain name of the company.
• Searching the ARIN Whois Database: Provide a database with all register IP addresses.
• Searching technical forums using either the name of the administrator or the name of the company.
![Page 13: Introduction To Information Security](https://reader033.vdocuments.net/reader033/viewer/2022061220/54bc30164a7959346d8b45d9/html5/thumbnails/13.jpg)
Information Gathering :Being Polite…..
• When the initial search has finished, it is now time to ASK the network itself. Believe it or not most networks are quite polite.– DNS Interrogation. It can be performed by simple
using the nslookup program.– Using the PING command (ICMP Echo ). Can unveil
hosts that are connected and are not protected by a firewall.
– Using the TraceRoute command we can identify which is the IP of the router that connects the corporate network to the Internet.
![Page 14: Introduction To Information Security](https://reader033.vdocuments.net/reader033/viewer/2022061220/54bc30164a7959346d8b45d9/html5/thumbnails/14.jpg)
NeoTrace: Windows Based TraceRT
![Page 15: Introduction To Information Security](https://reader033.vdocuments.net/reader033/viewer/2022061220/54bc30164a7959346d8b45d9/html5/thumbnails/15.jpg)
Information Gathering :Identify Running Services
• Having a map of the internet hosts that are accessible from the internet, we must now identify the services that they offer and the operating system that is installed on each host.
• Special programs like nmap and superscanner are used to interrogate each port in a host.
• Detecting Services– The Scanner tries to open a connection to each port of the target host (By
sending Syn messages) .
– The open ports that respond show the services that are running.
• Detecting the OS– The Scanner sends specific erroneous message to the ports. OS response with
different messages.
![Page 16: Introduction To Information Security](https://reader033.vdocuments.net/reader033/viewer/2022061220/54bc30164a7959346d8b45d9/html5/thumbnails/16.jpg)
SuperScan: Windows Based Port Scanner
![Page 17: Introduction To Information Security](https://reader033.vdocuments.net/reader033/viewer/2022061220/54bc30164a7959346d8b45d9/html5/thumbnails/17.jpg)
Information Gathering :Scanning undetected
• Many firewalls can detect these scanning attempts. So scanners use some alternate techniques:– Slow Scanning – Distributed Scanning – Half Open Connection – Fragmented packets – XMAS– FIN – FTP Bounce
![Page 18: Introduction To Information Security](https://reader033.vdocuments.net/reader033/viewer/2022061220/54bc30164a7959346d8b45d9/html5/thumbnails/18.jpg)
Password Cracking
• Adversaries use two methods to attack passwords.– Brute force: Try all key combination in the
password space.– Dictionary: Use a dictionary of known words and
try each word along with their combinations.
• These attacks can be performed either locally or remotely
![Page 19: Introduction To Information Security](https://reader033.vdocuments.net/reader033/viewer/2022061220/54bc30164a7959346d8b45d9/html5/thumbnails/19.jpg)
L0phtCrack: Windows Password Cracking
![Page 20: Introduction To Information Security](https://reader033.vdocuments.net/reader033/viewer/2022061220/54bc30164a7959346d8b45d9/html5/thumbnails/20.jpg)
VIRUSES
• Computer Viruses are categorised in:– Normal viruses– Trojan Horses– WORMS
• Today there are more than 2,500 virus ready to be downloaded.
• A user can get infected by:– Running a program– Opening an email– Visiting a web site (evil Trojan)– Opening a .doc file
• Today virus creation and mutation centres can be freely downloaded from the Internet
Initialization Code
Program Code
Ending Code
Virus Code
Initialization Code
Program Code
Ending Code
Virus Code
Pointer to VirusCode
Start Of Program
Infecting the startof a program
Infecting theEnd of aprogram
![Page 21: Introduction To Information Security](https://reader033.vdocuments.net/reader033/viewer/2022061220/54bc30164a7959346d8b45d9/html5/thumbnails/21.jpg)
SubSeven: Visual Interface to Control Infected PC
![Page 22: Introduction To Information Security](https://reader033.vdocuments.net/reader033/viewer/2022061220/54bc30164a7959346d8b45d9/html5/thumbnails/22.jpg)
Denial of Service Attack (DoS)
• The idea behind these attacks is to make the target system unavailable to its authorised users.
• Typical attacks include but not limited to :– Ping O’ Death (sending packets of size greater that
65,535)– SYN Flooding Attack (Starting Many half-open
connections)– Smurf Attack (sending requests to broadcast address
with a spoofed IP address)– Domain Name Server DoS (Requesting DNS quires
from multiple DNS Servers with a Spoofed IP
![Page 23: Introduction To Information Security](https://reader033.vdocuments.net/reader033/viewer/2022061220/54bc30164a7959346d8b45d9/html5/thumbnails/23.jpg)
Attacker
Server
Legitimate userr
Half Open Connection
Half Open Conenction
Half Open Conenction
Half Open Conenction
Legitimate Connection
SynFlood Attack
![Page 24: Introduction To Information Security](https://reader033.vdocuments.net/reader033/viewer/2022061220/54bc30164a7959346d8b45d9/html5/thumbnails/24.jpg)
Smurf Attack
Network C
Netwrok B
Network A
Attacker
Computer
ComputerComputer
Workstation Workstation Workstation
LaptopComputer
Computer Workstation
Broadcast Address
Broadcast Address
Broadcast Address
ICMP Echo
ICMP Echo
ICMP Echo
ICMP Echo
ICMP Echo
ICMP Echo
Target system
Replies from everyterminal in the
Network
Replies from everyterminal in the
Network
Replies from everyterminal in the
Network
![Page 25: Introduction To Information Security](https://reader033.vdocuments.net/reader033/viewer/2022061220/54bc30164a7959346d8b45d9/html5/thumbnails/25.jpg)
Domain Name System DoS
Attacker
DNS 2
DNS 3
DNS 4
Target
Query with spoofed IP
Query with spoofed IP
Query with spoofed IP
Query with spoofed IP
Results from attackers query
Results from attackers query
Results from attackers query
Results from attackers query
DNS 1
![Page 26: Introduction To Information Security](https://reader033.vdocuments.net/reader033/viewer/2022061220/54bc30164a7959346d8b45d9/html5/thumbnails/26.jpg)
Distributed Denial of Service (DDoS)
• Hackers have used the distributed power internet offers.
• Tools are now perform DoS attack from multiple hosts at the same time.
• Examples are:– Tribal Flood Network
– TFN2K
– Stacheldraft
Server Software(Zombie)
Server Software(Zombie)
Server Software(Zombie)
Server Software(Zombie)
Server Software(Zombie)
Client Software
Command
CommandCommand
Target Host
Packets
Packets
Packets
PacketsPackets
AttackerClient
Attacker’s Commands Attacker’s Coomand
![Page 27: Introduction To Information Security](https://reader033.vdocuments.net/reader033/viewer/2022061220/54bc30164a7959346d8b45d9/html5/thumbnails/27.jpg)
Sniffing
• Ethernet provides the ability to run a network card in Promiscuous mode. This allows the card to read any packet travelling on the network.
• Sniffing software are using this to read all data transmitted in the local net.
• Sniffers can be programmed to steal information associated only with specific protocols or programs. i.e. read all information from http packets only.
• Some sniffers can be even programmed to transmit sniffed passwords back to the attacker.
• The first and most used sniffer is the TCPDump .
![Page 28: Introduction To Information Security](https://reader033.vdocuments.net/reader033/viewer/2022061220/54bc30164a7959346d8b45d9/html5/thumbnails/28.jpg)
SnifferPro: A windows based Sniffer
![Page 29: Introduction To Information Security](https://reader033.vdocuments.net/reader033/viewer/2022061220/54bc30164a7959346d8b45d9/html5/thumbnails/29.jpg)
System Flaws and Exploits
• Most systems today contain bugs. These are coming either from the system designers, implementers or the ones that manage the system.
• Hackers can use these bugs to gain access to systems.• Examples of such are :
– Default accounts – Poor User Accounts – Allowing outside anonymous Telnet connections to the Web
Server – Allowing trusted connections – Buffer Overflows – Allowing Banners in services– Allowing NetBios over TCP/IP when not needed.
• The Internet has a vast amount of software that test a given server for a number of such exploits.
![Page 30: Introduction To Information Security](https://reader033.vdocuments.net/reader033/viewer/2022061220/54bc30164a7959346d8b45d9/html5/thumbnails/30.jpg)
Simpsons’: A CGI vulnerability scanner
![Page 31: Introduction To Information Security](https://reader033.vdocuments.net/reader033/viewer/2022061220/54bc30164a7959346d8b45d9/html5/thumbnails/31.jpg)
Social Engineering
• One of the oldest and easiest form of hacking. <Hacker is calling the administrator >
Hallo I am <<name of an employee>>. My user name <<user name as seen on email address>>. I am new to the company but I forgot my system password <<be very unhappy>> but my manager ask to find him some files. If I tell him that I forgot my password , I am afraid that he is going to fire me. Please help <<be persuasive>>>>
<Administrator wants to help a fellow employee>Ok. Do not cry now. That is why we are here for. I am going to
reset your password to newpassoword. Just do not forget it again. <Hacker thanks the polite employee>
Oh thank you so much. I am going to buy the coffee when we meet. You are a lifesaver….
(The scenario works even better is the hacker is a female and the administrator is a
male.)
![Page 32: Introduction To Information Security](https://reader033.vdocuments.net/reader033/viewer/2022061220/54bc30164a7959346d8b45d9/html5/thumbnails/32.jpg)
IP Spoofing
• Hackers usually change the IP address in their datagrams.• This happens for two reasons:
– To avoid getting caught.– To bypass security tools, and systems that allow trusted connections.
• Changing just the IP is called a blind attack, because the hacker never sees the response from the target.
• In order to see the response the hacker has a number of ways: – Install a sniffer to the target network.– Use Source Routing– Use ICMP redirect – If both hacker and target are located on the same network use ARP
spoofing.– DNS cache Poisoning.
• Software programs like A4 proxy allows hackers to use a number of anonymous servers before they attack. Thus their real IP is almost untraceable.
![Page 33: Introduction To Information Security](https://reader033.vdocuments.net/reader033/viewer/2022061220/54bc30164a7959346d8b45d9/html5/thumbnails/33.jpg)
A4 Proxy : Using multiple anonymous proxies to hide the IP address
![Page 34: Introduction To Information Security](https://reader033.vdocuments.net/reader033/viewer/2022061220/54bc30164a7959346d8b45d9/html5/thumbnails/34.jpg)
The Next Step
• So now I am in what am I doing next ?.1. If you do not already have, try to gain root
access.
2. Find and clear Log Files.
3. Install a Root Kit to ensure that you will have access in the future
![Page 35: Introduction To Information Security](https://reader033.vdocuments.net/reader033/viewer/2022061220/54bc30164a7959346d8b45d9/html5/thumbnails/35.jpg)
Protecting Corporate Systems
PART III
Information Security Measures
![Page 36: Introduction To Information Security](https://reader033.vdocuments.net/reader033/viewer/2022061220/54bc30164a7959346d8b45d9/html5/thumbnails/36.jpg)
Is it possible ?
• Total security is not feasible.• Systems must be secured depending on their value. • Security measures are applied according to the threat
level a system has.• The first step is to understand the threats, to your
corporate systems. This can be done by a risk analysis process.
• In this stage remember that security is a business requirement
![Page 37: Introduction To Information Security](https://reader033.vdocuments.net/reader033/viewer/2022061220/54bc30164a7959346d8b45d9/html5/thumbnails/37.jpg)
Creating a DMZ zone
• The first security measure is to seal the internal network from the outside world.
• This is performed by developing a network called Demilitarized Zone (DMZ).
• The DMZ contains all the servers that must be accessible from the outside world
• NOTE that we must always assume that servers in the DMZ are going to be hacked at some point.
Client
Internal Network
ClientFirewall
DMZ
Internet
Firewall
Web Server
SMTP Server
![Page 38: Introduction To Information Security](https://reader033.vdocuments.net/reader033/viewer/2022061220/54bc30164a7959346d8b45d9/html5/thumbnails/38.jpg)
Firewalls
• Firewalls exist into types:– Packet filters: Are operating on the protocol level. They use
a firewalling policy to allow the packet to pass or to drop the packet.
– Proxy Servers: They operate at the application level. They are always located between the user requests and the servers response. Thus allowing us to enforce policies on which users can access the internet and on which port.
• Packet Filters are usually located on the router, while Proxies are installed on computers
• A network may use any number of the previous depending its size and architecture.
• Known Firewalls are Checkpoint’s Firewall-1, Cisco PIX, Microsoft’s ISA.
![Page 39: Introduction To Information Security](https://reader033.vdocuments.net/reader033/viewer/2022061220/54bc30164a7959346d8b45d9/html5/thumbnails/39.jpg)
Intrusion Detection Systems (IDS)
• Intrusion detection systems are used to detect attacks to the network and inform the administrator.
• IDS are organised into two categories :– Signature based : They hold a
database of known attacks and they test packets against the data stored in the database.
– Anomaly based: They test the traffic against anomalies. I.e. why does the network has so heavy traffic at 2 in the morning ?
• When the IDS detects an attack it inform the administrator with a number of ways : email, sms, pager
Client
Internal Network
Client
DMZ
Internet
Web Server
SMTP Server IDS Sensor
Router
IDS Sensor
Security Management Console
![Page 40: Introduction To Information Security](https://reader033.vdocuments.net/reader033/viewer/2022061220/54bc30164a7959346d8b45d9/html5/thumbnails/40.jpg)
Honey Pots
• These are the sacrificed lamps of a network.• Honey pots are software programs that when installed on a
computer they can simulate a number of systems i.e.:• Windows NT Server.• Unix Server.• Apache Server• Microsoft Exchange Server
• These simulated systems look unprotected from the outside world (i.e. open ports, default accounts, known exploits.
• Hackers scanning for victims detect the simulated systems and try to hack them. The honey pots allow hackers to enter but record all their moves and inform the administrator.
• Honey pots can be installed either in the DMZ or in the local network.
![Page 41: Introduction To Information Security](https://reader033.vdocuments.net/reader033/viewer/2022061220/54bc30164a7959346d8b45d9/html5/thumbnails/41.jpg)
Anti sniffing
• The general idea is to make the sniffing host reply to a message that he should not be able to listen.– For example creating a packet with a fake MAC address
but with the IP address of the sniffing host. If the host acknowledges the packet the it is in promiscuous mode.
• Another way is to transmit unencrypted login details for a fake (honey pot) server to the network. If someone tries to use this account then someone is sniffing the network.
• NOTE that using switches instead of hubs will make a sniffers life much more difficult.
![Page 42: Introduction To Information Security](https://reader033.vdocuments.net/reader033/viewer/2022061220/54bc30164a7959346d8b45d9/html5/thumbnails/42.jpg)
L0pht Antisniff : A windows based program to detect sniffers
![Page 43: Introduction To Information Security](https://reader033.vdocuments.net/reader033/viewer/2022061220/54bc30164a7959346d8b45d9/html5/thumbnails/43.jpg)
Antivirus
• Antivirus programs are known to most users.• Such programs can be applied either as
– Standalone : Each copy of the program is responsible of protecting the specific host on which it is installed.
– Network based : Each copy of the program is responsible of protecting the specific host, but they are all managed by a Antivirus Server.
• Note that using an antivirus program without updating its virus database does not provide protection
![Page 44: Introduction To Information Security](https://reader033.vdocuments.net/reader033/viewer/2022061220/54bc30164a7959346d8b45d9/html5/thumbnails/44.jpg)
Security Awareness
• No matter what security tools are going to be used, if users do not know about security, hacks are going to be common.
• There are many ways to educate users on the issues of security:– Use of seminars – Use of posters– Use of e-mail messages– Enforce penalties
![Page 45: Introduction To Information Security](https://reader033.vdocuments.net/reader033/viewer/2022061220/54bc30164a7959346d8b45d9/html5/thumbnails/45.jpg)
Security Awareness
![Page 46: Introduction To Information Security](https://reader033.vdocuments.net/reader033/viewer/2022061220/54bc30164a7959346d8b45d9/html5/thumbnails/46.jpg)
Penetration Testing and Security analyzers
• Security systems must be regularly tested for flaws.
• These flaws are usually created from bugs in the software programs, or from bad management (i.e. bad passwords)
• The process of testing a system is called penetration testing.
• The process uses a number of hacking / security programs that test a system for a number of known flaws and provide advice on securing these flaws
![Page 47: Introduction To Information Security](https://reader033.vdocuments.net/reader033/viewer/2022061220/54bc30164a7959346d8b45d9/html5/thumbnails/47.jpg)
Microsoft Baseline Security Analyzer: Tests the systems for known bugs
![Page 48: Introduction To Information Security](https://reader033.vdocuments.net/reader033/viewer/2022061220/54bc30164a7959346d8b45d9/html5/thumbnails/48.jpg)
Additional Security Measures
• Encryption/ Decryption
• Digital Signatures / PKI
• AAA
• Security Protocols
• Physical Security– The Jaguar Paradigm– The polite Employees paradigm
• Security Policy
![Page 49: Introduction To Information Security](https://reader033.vdocuments.net/reader033/viewer/2022061220/54bc30164a7959346d8b45d9/html5/thumbnails/49.jpg)
Thank You.