McGraw-Hill/IrwinMcGraw-Hill/Irwin CopyrightCopyright © 2007 by The McGraw-Hill Companies, Inc. All rights reserved.© 2007 by The McGraw-Hill Companies, Inc. All rights reserved.

Information Assurance for the Enterprise: Information Assurance for the Enterprise: A Roadmap to Information SecurityA Roadmap to Information Security, by Schou and Shoemaker, by Schou and Shoemaker

Chapter 12

Network Security Basics: Malware and Attacks

12-12-22

Objectives

Work with connection control and transmission control concepts

Develop the planning and control techniques associated with network security

Work with various types of threats to networks

12-12-33

Network Security

Guards against threats to electronic communicationNetwork security has a dual mission

• It must ensure the accuracy of the data transmitted• It must also protect confidential information processed,

stored on and accessible from networks, while ensuring network availability to authorized users

Role is to ensure that the network components• Operate correctly• Satisfy design requirements• Transmit information while retaining fundamental

integrity

12-12-44

Engineering the Network: Ensuring a Proper Design

Physical infrastructure – designed to ensure all required security functions are presentFirewalls, intrusion detection systems (IDSs),

and strong authentication Unique physical components of networks are

switches, hubs, routers, and cables

12-12-55

Engineering the Network: Ensuring a Proper Design

Relation of physical and software components

12-12-66

Connection Control

Establishes and regulates the relationship between a computer and a network

Ensures reliable transfer of messages and performs some transmission error correctionConfiguration process – responsibility of the

network administrator• Establishes the authentication rules • Rules consider whom the network will trust

Specifications of rules for the authentication of a trusted source balance the need for confidentiality and integrity with availability

12-12-77

Enforcing Connection Control: The Firewall

Firewalls enforce access rights and protect the network from external systems Regulate access between trusted networks and

untrusted onesOrganizations may array multiple firewalls in a

defense-in-depth configuration Firewalls are high-level software utilities that sit

on the router end of the physical networkNetwork security policies embedded in the

firewall software dictate access

12-12-88

Enforcing Connection Control: The Firewall

Types of firewalls Personal firewall – regulates connections

between a single computer and external sourcesStateless firewalls – accept or discard incoming

packets • Based on whether the IP address seems to

correspond with services known to the network

Stateful firewall – tracks of the status of network traffic traveling across it in a “state table”

12-12-99

Transmission Control Regulates the actual transmission process

Ensures that the communication between two devices is flowing properly

Supports the integrity and availability of network data Facilitated through firmware drivers in communications

devices and software in the operating system• Transmission rules have to be agreeable and include:

• Mode in which the data will be transmitted

• Format of the data

• Rate of transmission

• Type of error checking

• Data compression method

• Sending device confirmation of process completion

• Mode of indicating receipt by the receiving device

12-12-1010

Transmission Control

Transmission protocols are built into the communications devicesCommon modern transmission control is based

on the OSI reference model • It defines seven layers for communication among

computer systems• It was defined by the International Organization for

Standardization as ISO standard 7498-1

TCP/IP protocol used by the Internet is frequently shown with five layers

• Application layer, transport layer, network layer, datalink layer, and physical layer

12-12-1111

Defending Networks from Attacks

Unique security problem with networks is their level of interconnectedness

Networks have to be secured by specialized and very robust technologies and practices

Two broad categories of networks threats: Malicious code Direct attacks

12-12-1212

Threats to Information

Malicious code - three categories transmitted through networks: VirusesLogic bombsTrojan horses

12-12-1313

Threats to Information

Common types of malicious code

12-12-1414

Viruses

Appropriate countermeasure to a common virus: Virus checker that detects and removes virusesMost virus checkers follow the below process:

• Examines files in memory or storage for recognizable code fragments or key words

• Compares scan results patterns with signatures of known viruses

• Takes action when an identifiable pattern is detected• Sometimes performs an automatic repair

12-12-1515

Viruses

Impact of virusesVirus is destructive if it damages a system

functionIt can affect the operating system in undesirable

ways such as:• Corrupting or deleting files• Reformatting the hard drive• Executing denial-of-service attacks

Often, the system becomes unusable, files are lost, and cannot be repaired automatically

12-12-1616

Viruses Categories of viruses

File-infecting viruses – affect executable programs, replicate and spread by infecting other host programs

Boot-sector viruses – infect the boot sector or partition table of a system

Multipartite viruses – infect both the boot sector and the executable programs and files simultaneously

Macro viruses – infect systems through an application Polymorphic and stealth viruses – defeat most signature-

based counter-measures Worm – self-contained program capable of spreading

copies of itself or its segments to other computer systems via network connections or e-mail attachments

12-12-1717

Logic Bombs Dormant blocks of undocumented code

activated when some prescribed set of criteria is met such as time, date, or status of the systemIt can be set prior to the termination and

activated afterward for revenge High destructive potential

Should be aggressively hunted down and eliminated

Requires extensive, expensive, code reviews by high-level professionals

Resurfacing as an important part of cyber-terrorism

12-12-1818

Trojan Horses

Not viruses because they do not replicate; they may transmit viruses or spywareMay assist in propagating denial-of-service (DoS)

attacksCan deliver unwelcome payloads – common

payloads include:• Spyware – propagates from websites

• Spamware, password capture, keyloggers, and cookie trackers

• Adware – not directly malicious • Does use up valuable time and system resources

12-12-1919

Malicious Attacks

Best way to counteract a network attack is to anticipate it and have measures in place to either stop it or mitigate the harmNetwork attacks fall into seven general

categories:• Password attacks• Insider attacks• Sniffing• IP spoofing• Denial of service• Man-in-the-middle attacks• Application layer attacks

12-12-2020

Malicious Attacks Password attacks

Password guessing Dictionary attack – tries common words from the

dictionary with common password names Other, more resource-intensive approaches include:

• Key search• Exhaustive search• Brute force attack

Social engineering – based on persuasion, disclosed by the user

Password sniffing – software based network management tools

• Countermeasure for sniffers: encryption

12-12-2121

Malicious Attacks

Insider attacksMisuse incidents originating from intentional or

inadvertent actions of employeesFirst line of defense is good management

supported by monitoring • Supervisors are key security control points for

employee monitoring• Automated software agents called policy managers or

policy enforcement systems also help

12-12-2222

Role and Use of Policy Managers Automated policy managers are effective tools

Defend against unauthorized access to confidential data and proprietary information

Provide the ability to filter network transactions through custom policies

Control the distribution of unsuitable or offensive content and inappropriate activities

Regulate the enterprise’s e-mail traffic by defining and enforcing rules governing:

• Spam • Filter content • Implementation of encryption and digital signature

policies

12-12-2323

Use of Sniffers Sniffers are common utilities, employed to read any

information in packets transmitted over a network Can be used to map the entire network topology Captures information necessary to determine:

• Number of computers on the network• What they access• Which clients run what services

Defense against sniffing is: Encryption Strong physical security

Internet-facing sniffers are a good countermeasure for network intrusion

12-12-2424

IP Spoofing IP spoofing is an address attack in which the

malicious agent electronically impersonates another network party through its IP address

Prevention of IP spoofing can be done usingProgrammed routers and firewall mechanismsEncrypted systems such as SSH (secure shell)

for authentication services

12-12-2525

Denial of Service (DoS)

DoS attacks affect the availability transmission mediaDegrades the availability of informationDesigned to cost the target time and moneyCan be launched in numerous ways – most

common form:• DoS flood – overload the system’s servers, routers, or

DNS to the extent that service to authorized users is delayed or prevented

Disables a particular network service

12-12-2626

Man-in-the-Middle Attacks Ability to read and modify all messages passed

between two parties without their knowledge

Possible outcomes of such attacks include:• Theft of information and hijacking of an ongoing session• Traffic analysis to derive information about a network and its

users• Denial of service and corruption of transmitted data• Introduction of new information into network sessions

12-12-2727

Application Layer Attacks They take advantage of weaknesses in popular

applications and application services Common attacks include:

• Buffer overflows – which exploit poorly written code that improperly validates input to an application

• Cross-site scripting flaw – which allows web applications to drop attack scripts on a user’s browser

• Invalidated parameters – web requests that are not validated before being used by the application

• Command injection attacks – web applications are allowed to pass parameters containing malicious commands to be executed on an external system

Favored approach against Internet-based attacks: Defense-in-depth strategy

12-12-2828

Cyber-Terrorism

Goal: to harm or control key computer systems or computer controls to achieve some indirect aim, such as to destroy a power grid or to take over a critical process

The FISMA security requirements are built around three major national objectives:Prepare and preventDetect and respondBuild strong foundations

12-12-2929

Managing and Defending a Network

Network security management involves all actions to ensure authorization and useDevelopment and documentation of the method

to authorize access to network files and network directories

• Specification of approach used to ensure reliability of data resources accessed or used over the network

Implementation of safeguards for protecting users from network-based security threats

12-12-3030

Network Security Management and Planning

Based on a plan defining the approach to assuring the physical components of the networkMust detail steps taken to ensure that information

stored, processed, and transmitted is secureMust specify all technology and practices to be

implemented and maintained for securityHigh-level steps required to implement an

effective network management process are:• Create usage policy statements• Conduct risk analysis• Formulate a security team

12-12-3131

Network Security Management and Planning

Create usage policy statements Statement of a general policy about system use

• Outline the thinking that defines the organization’s network management philosophy

Documentation of usage statements to avoid the risks of misunderstandings and conflicting approaches

Tailor the rules for each component by indicating security violations and actions to be taken if detected

Define the acceptable use policies (AUP) including rules for account administration, policy enforcement, and privilege review

Aggressive training and awareness program to ensure that the members understand and will follow each rule

12-12-3232

Network Security Management and Planning

Conduct risk analysis Risk assessment factors:

• Low Risk• Medium Risk• High Risk

Potential types of users are:• Administrators responsible for managing network resources• Privileged internal users needing an elevated level of access• Internal users with general access• Trusted external users needing access some resources• Other untrusted external users or customers

12-12-3333

Network Security Management and Planning

A network security or NETSEC management team:Implements and maintains the network

configuration Responsible for evolving the network as

conditions changeEstablishes and maintains the network security

configuration from these requirements

12-12-3434

Network Defense in Depth: Maintaining a Capable Architecture

Defense in depthProtection is established by controlling access

through a number of boundaries

12-12-3535

Network Defense in Depth: Maintaining a Capable Architecture

Defining trust Trusted networks – within the defined security

perimeterUntrusted networks – outside the security

perimeter and not controlledUnknown networks - neither trusted nor

untrusted Establishing boundaries

Defines the area to be protectedDictates the level of organizational resources

required to perform the security function

12-12-3636

Network Defense in Depth: Maintaining a Capable Architecture

Formulating assumption – security system designs areBased on assumptions

• Anticipate who might want to breach the current security measures and why

• Deploy an effective response

Design and deployment of a network security scheme has to be done while justifying the likely costs and benefits