McGraw-Hill/Irwin Copyright © 2007 by The McGraw-Hill ...
Presentation Transcript

  • Chapter 12 Network Security Basics: Malware and Attacks
  • Objectives
    • Work with connection control and transmission control concepts
    • Develop the planning and control techniques associated with network security
    • Work with various types of threats to networks
  • Network Security
    • Guards against threats to electronic communication
      • Network security has a dual mission
        • It must ensure the accuracy of the data transmitted
        • It must also protect confidential information processed, stored on and accessible from networks, while ensuring network availability to authorized users
      • Role is to ensure that the network components
        • Operate correctly
        • Satisfy design requirements
        • Transmit information while retaining fundamental integrity
  • Engineering the Network: Ensuring a Proper Design
    • Physical infrastructure – designed to ensure all required security functions are present
      • Firewalls, intrusion detection systems (IDSs), and strong authentication
    • Unique physical components of networks are switches, hubs, routers, and cables
  • Engineering the Network: Ensuring a Proper Design
    • Relation of physical and software components
  • Connection Control
    • Establishes and regulates the relationship between a computer and a network
    • Ensures reliable transfer of messages and performs some transmission error correction
      • Configuration process – responsibility of the network administrator
        • Establishes the authentication rules
        • Rules consider whom the network will trust
      • Specifications of rules for the authentication of a trusted source balance the need for confidentiality and integrity with availability
  • Enforcing Connection Control: The Firewall
    • Firewalls enforce access rights and protect the network from external systems
      • Regulate access between trusted networks and untrusted ones
      • Organizations may array multiple firewalls in a defense-in-depth configuration
    • Firewalls are high-level software utilities that sit on the router end of the physical network
      • Network security policies embedded in the firewall software dictate access
  • Enforcing Connection Control: The Firewall
    • Types of firewalls
      • Personal firewall – regulates connections between a single computer and external sources
      • Stateless firewalls – accept or discard each incoming packet on its own, keeping no record of earlier packets
        • Based on whether the packet’s IP address seems to correspond with services known to the network
      • Stateful firewall – tracks the status of network traffic traveling across it in a “state table”
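The difference between the two filtering styles is easiest to see on a packet trace. The following simulation is an added example, not code from the textbook: a stateless filter judges each packet by its header fields alone, while a stateful filter consults a state table of connections it has already admitted. The stateful version also applies the ingress anti-spoofing check (dropping a packet that arrives from outside but claims an internal source) that the deck returns to under IP Spoofing. The address ranges, interface names, rule set and sample packets are assumptions constructed for the demonstration.

```python
"""Stateless vs. stateful packet filtering on a constructed packet sequence."""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")   # assumed address range of the trusted (internal) network
EXTERNAL_IFACE = "eth0"               # assumed name of the Internet-facing interface
PUBLIC_SERVICES = {443}               # assumed policy: one HTTPS server reachable from outside


@dataclass(frozen=True)
class Packet:
    iface: str   # interface the packet arrived on
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool    # TCP SYN without ACK, i.e. a connection-opening packet


def inbound(pkt: Packet) -> bool:
    return pkt.iface == EXTERNAL_IFACE


def stateless_verdict(pkt: Packet) -> str:
    """Decide on the header fields of this packet alone; nothing is remembered.

    Because the filter cannot tell a solicited reply from unsolicited traffic,
    it must admit inbound packets to all high (ephemeral) ports so that internal
    clients' own connections keep working.  That broad rule is the weakness.
    """
    if not inbound(pkt):
        return "accept"                      # anything outbound
    if pkt.dport in PUBLIC_SERVICES:
        return "accept"                      # the advertised public service
    if pkt.dport > 1023:
        return "accept"                      # presumed reply to an internal client
    return "drop"


class StatefulFirewall:
    """Keep a state table of connections and admit only what belongs to them."""

    def __init__(self) -> None:
        self.state: set[tuple] = set()   # (src, sport, dst, dport) of accepted connections

    def verdict(self, pkt: Packet) -> str:
        # Ingress anti-spoofing: a packet from outside must not carry an internal source.
        if inbound(pkt) and ip_address(pkt.src) in INTERNAL:
            return "drop-spoofed"
        forward = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if not inbound(pkt):
            if pkt.syn:
                self.state.add(forward)      # remember the connection the client opened
            return "accept"
        if reverse in self.state:
            return "accept"                  # solicited reply to a tracked connection
        if pkt.syn and pkt.dport in PUBLIC_SERVICES:
            self.state.add(forward)          # policy allows new connections to the public service
            return "accept"
        return "drop"                        # unsolicited and not a permitted service


def compare(packets: list[Packet]) -> list[tuple[str, str]]:
    """Return (stateless, stateful) verdicts for each packet, in order."""
    fw = StatefulFirewall()
    return [(stateless_verdict(p), fw.verdict(p)) for p in packets]


# Constructed packet sequence (documentation address ranges, not real hosts).
SAMPLE = [
    Packet("eth1", "10.0.0.5", 50000, "203.0.113.9", 443, True),    # client opens an HTTPS session
    Packet("eth0", "203.0.113.9", 443, "10.0.0.5", 50000, False),   # the server's reply
    Packet("eth0", "198.51.100.7", 4444, "10.0.0.5", 50001, True),  # unsolicited probe of a high port
    Packet("eth0", "10.0.0.9", 1234, "10.0.0.5", 443, True),        # internal source address arriving from outside
]

if __name__ == "__main__":
    for pkt, (sl, sf) in zip(SAMPLE, compare(SAMPLE)):
        print(f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}  stateless={sl:7} stateful={sf}")
```

The third and fourth packets are the ones that matter: the stateless filter has to accept both (one because of its blanket high-port rule, the other because port 443 is open), whereas the state table lets the stateful filter see that neither belongs to a connection an internal host started, and the address check catches the spoofed source before any rule is consulted.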
  • Transmission Control
    • Regulates the actual transmission process
      • Ensures that the communication between two devices is flowing properly
      • Supports the integrity and availability of network data
      • Facilitated through firmware drivers in communications devices and software in the operating system
        • Transmission rules have to be agreed on by both devices and include:
          • Mode in which the data will be transmitted
          • Format of the data
          • Rate of transmission
          • Type of error checking
          • Data compression method
          • Sending device confirmation of process completion
          • Mode of indicating receipt by the receiving device
  • Transmission Control
    • Transmission protocols are built into the communications devices
      • Common modern transmission control is based on the OSI reference model
        • It defines seven layers for communication among computer systems
        • It was defined by the International Organization for Standardization as ISO standard 7498-1
      • TCP/IP protocol used by the Internet is frequently shown with five layers
        • Application layer, transport layer, network layer, data link layer, and physical layer
  • Defending Networks from Attacks
    • Unique security problem with networks is their level of interconnectedness
    • Networks have to be secured by specialized and very robust technologies and practices
    • Two broad categories of network threats:
      • Malicious code
      • Direct attacks
  • Threats to Information
    • Malicious code – three categories transmitted through networks:
      • Viruses
      • Logic bombs
      • Trojan horses
  • Threats to Information
    • Common types of malicious code
  • Viruses
    • Appropriate countermeasure to a common virus:
      • Virus checker that detects and removes viruses
      • Most virus checkers follow the process below:
        • Examines files in memory or storage for recognizable code fragments or key words
        • Compares the patterns found with the signatures of known viruses
        • Takes action when an identifiable pattern is detected
        • Sometimes performs an automatic repair
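The four steps above, examine, compare, act and repair, are small enough to show end to end. The scanner below is an added example rather than code from the textbook or any real product; its signature database, file contents and quarantine behaviour are constructed for illustration. It also includes a file that differs from a signature by one byte, to show why exact matching alone is brittle, a limitation the deck raises later when it says polymorphic viruses defeat signature-based countermeasures.

```python
"""Signature-based virus checking: examine, compare, act, and repair where possible."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    name: str
    pattern: bytes          # recognizable code fragment or key word to look for
    appender: bool = False  # True: the malicious code was appended after the clean file and can be cut off


# Constructed signature database (hypothetical byte strings, not real malware).
SIGNATURES = [
    Signature("Demo.Appender", b"\x90\x90\xeb\x04DEMO", appender=True),
    Signature("Demo.MacroKeyword", b"AutoOpen_DemoPayload"),
]


@dataclass(frozen=True)
class Finding:
    path: str
    signature: str
    offset: int
    action: str   # "repaired" or "quarantined"


def scan(files: dict[str, bytes]) -> tuple[dict[str, bytes], dict[str, bytes], list[Finding]]:
    """Scan in-memory files; return (clean files, quarantined files, findings).

    Step 1: examine each file for recognizable fragments or key words.
    Step 2: compare what is found against the signatures of known viruses.
    Step 3: take action on a match (isolate the file in quarantine).
    Step 4: repair automatically when the signature says the infection is an
            appender whose original content is recovered by truncation.
    """
    clean: dict[str, bytes] = {}
    quarantine: dict[str, bytes] = {}
    findings: list[Finding] = []
    for path, data in files.items():
        match = None
        for sig in SIGNATURES:
            offset = data.find(sig.pattern)        # exact byte comparison
            if offset != -1:
                match = (sig, offset)
                break
        if match is None:
            clean[path] = data
            continue
        sig, offset = match
        if sig.appender:
            clean[path] = data[:offset]            # cut the appended code off
            findings.append(Finding(path, sig.name, offset, "repaired"))
        else:
            quarantine[path] = data                # isolate; cannot be repaired safely
            findings.append(Finding(path, sig.name, offset, "quarantined"))
    return clean, quarantine, findings


# Constructed test corpus.  "variant.exe" differs from the appender signature by a
# single byte, so exact-match scanning reports it clean.
SAMPLE_FILES = {
    "report.doc": b"Quarterly figures, nothing unusual here.",
    "tool.exe": b"MZ original program bytes" + b"\x90\x90\xeb\x04DEMO" + b"appended code",
    "invoice.docm": b"Sub AutoOpen_DemoPayload() ... End Sub",
    "variant.exe": b"MZ original program bytes" + b"\x90\x90\xeb\x05DEMO" + b"appended code",
}

if __name__ == "__main__":
    clean, quarantined, findings = scan(SAMPLE_FILES)
    for f in findings:
        print(f"{f.path}: {f.signature} at offset {f.offset} -> {f.action}")
    print("clean:", sorted(clean), "quarantined:", sorted(quarantined))
```

Two design points carry over to real scanners: the action is chosen per signature, because an automatic repair is only safe when the signature author knows how the infection altered the file, and the missed variant shows that a signature database has to be updated constantly and supplemented by heuristic or behavioural checks.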
  • Viruses
    • Impact of viruses
      • Virus is destructive if it damages a system function
      • It can affect the operating system in undesirable ways such as:
        • Corrupting or deleting files
        • Reformatting the hard drive
        • Executing denial-of-service attacks
      • Often the system becomes unusable, and files are lost and cannot be repaired automatically
  • Viruses
    • Categories of viruses
      • File-infecting viruses – affect executable programs, replicate and spread by infecting other host programs
      • Boot-sector viruses – infect the boot sector or partition table of a system
      • Multipartite viruses – infect both the boot sector and the executable programs and files simultaneously
      • Macro viruses – infect systems through an application
      • Polymorphic and stealth viruses – defeat most signature-based countermeasures
      • Worm – self-contained program capable of spreading copies of itself or its segments to other computer systems via network connections or e-mail attachments
  • Logic Bombs
    • Dormant blocks of undocumented code activated when some prescribed set of criteria is met such as time, date, or status of the system
      • It can be planted prior to an employee’s termination and activated afterward as revenge
    • High destructive potential
      • Should be aggressively hunted down and eliminated
      • Requires extensive, expensive code reviews by high-level professionals
    • Resurfacing as an important part of cyber-terrorism
  • Trojan Horses
    • Not viruses because they do not replicate; they may transmit viruses or spyware
      • May assist in propagating denial-of-service (DoS) attacks
      • Can deliver unwelcome payloads – common payloads include:
        • Spyware – propagates from websites
          • Spamware, password capture, keyloggers, and cookie trackers
        • Adware – not directly malicious
          • Does use up valuable time and system resources
  • Malicious Attacks
    • Best way to counteract a network attack is to anticipate it and have measures in place to either stop it or mitigate the harm
      • Network attacks fall into seven general categories:
        • Password attacks
        • Insider attacks
        • Sniffing
        • IP spoofing
        • Denial of service
        • Man-in-the-middle attacks
        • Application layer attacks
  • Malicious Attacks
    • Password attacks
      • Password guessing
      • Dictionary attack – tries common words from the dictionary along with commonly used passwords
      • Other, more resource-intensive approaches include:
        • Key search
        • Exhaustive search
        • Brute force attack
      • Social engineering – based on persuasion; the password is disclosed by the user
      • Password sniffing – uses software-based network management tools to capture passwords in transit
        • Countermeasure for sniffers: encryption
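The practical defence against password guessing and dictionary attacks is to refuse the passwords those attacks try first. The policy check below is an added example, not from the textbook: it strips the decorations a dictionary attack routinely applies (digit or symbol prefixes and suffixes, "leet" substitutions, case) and rejects anything that reduces to a common word. The word list, substitution table and minimum length are assumed values for illustration.

```python
"""Password policy check against the guesses a dictionary attack tries first."""
from __future__ import annotations

import re

# Constructed mini-dictionary; a real attack list holds millions of entries.
COMMON_WORDS = {"password", "welcome", "summer", "winter", "admin", "letmein", "qwerty", "dragon"}

# Substitutions a dictionary attack routinely applies ("p@ssw0rd" -> "password").
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "3": "e", "1": "l", "!": "i"})

MIN_LENGTH = 12  # assumed organizational minimum


def base_word(password: str) -> str:
    """Undo the decorations an attacker would try (digit/symbol prefix and suffix,
    leet substitutions, case) to recover the dictionary word a password is built on."""
    core = re.sub(r"^[^A-Za-z]+|[^A-Za-z]+$", "", password)   # "Welcome2024!" -> "Welcome"
    return core.lower().translate(LEET)                        # "P@ssw0rd"    -> "password"


def check_password(password: str) -> list[str]:
    """Return the policy violations found; an empty list means the password is acceptable."""
    reasons: list[str] = []
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if base_word(password) in COMMON_WORDS:
        reasons.append("dictionary word with trivial decoration")
    return reasons


if __name__ == "__main__":
    for candidate in ["Welcome1", "P@ssw0rd2024!", "correct horse battery staple"]:
        print(f"{candidate!r}: {check_password(candidate) or 'acceptable'}")
```

The check runs at password-setting time, so it costs the legitimate user one rejected attempt rather than an attacker one guess; it complements, but does not replace, slow salted hashing on the stored credential and encryption of the login exchange on the wire.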
  • Malicious Attacks
    • Insider attacks
      • Misuse incidents originating from intentional or inadvertent actions of employees
      • First line of defense is good management supported by monitoring
        • Supervisors are key security control points for employee monitoring
        • Automated software agents called policy managers or policy enforcement systems also help
  • Role and Use of Policy Managers
    • Automated policy managers are effective tools
      • Defend against unauthorized access to confidential data and proprietary information
      • Provide the ability to filter network transactions through custom policies
      • Control the distribution of unsuitable or offensive content and inappropriate activities
      • Regulate the enterprise’s e-mail traffic by defining and enforcing rules governing:
        • Spam
        • Content filtering
        • Implementation of encryption and digital signature policies
  • Use of Sniffers
    • Sniffers are common utilities employed to read any information in packets transmitted over a network
      • Can be used to map the entire network topology
      • Captures information necessary to determine:
        • Number of computers on the network
        • What they access
        • Which clients run what services
    • Defense against sniffing is:
      • Encryption
      • Strong physical security
    • Internet-facing sniffers are a good countermeasure for network intrusion
  • IP Spoofing
    • IP spoofing is an address attack in which the malicious agent electronically impersonates another network party through its IP address
    • IP spoofing can be prevented using
      • Programmed routers and firewall mechanisms
      • Encrypted systems such as SSH (secure shell) for authentication services
  • Denial of Service (DoS)
    • DoS attacks affect the availability of transmission media
      • Degrades the availability of information
      • Designed to cost the target time and money
      • Can be launched in numerous ways – most common form:
        • DoS flood – overload the system’s servers, routers, or DNS to the extent that service to authorized users is delayed or prevented
      • Disables a particular network service
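The Use of Sniffers slide says the same capture tells an administrator how many computers are on the network and which services they run, and that an Internet-facing sniffer is a countermeasure for intrusion; the DoS slide describes the flood that such a sensor should catch. The code below is an added example, not from the textbook, that does both jobs over one constructed capture: it builds a host and service inventory, then flags a source probing many ports on one host and a source sending an abnormal packet rate to one host. The record format, thresholds and sample traffic (documentation address ranges) are assumptions.

```python
"""Inventory and intrusion detection over a constructed packet capture."""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    ts: float    # capture timestamp, seconds
    src: str
    dst: str
    dport: int   # destination port


def inventory(records: list[Record]) -> tuple[set[str], dict[str, set[int]]]:
    """Hosts seen on the wire and, per host, the ports it was contacted on (the services it runs)."""
    hosts: set[str] = set()
    services: dict[str, set[int]] = defaultdict(set)
    for r in records:
        hosts.update((r.src, r.dst))
        services[r.dst].add(r.dport)
    return hosts, dict(services)


def detect_port_scans(records: list[Record], min_ports: int = 10) -> list[tuple[str, str]]:
    """(src, dst) pairs where one source touched at least min_ports distinct ports on one host."""
    touched: dict[tuple[str, str], set[int]] = defaultdict(set)
    for r in records:
        touched[(r.src, r.dst)].add(r.dport)
    return sorted(pair for pair, ports in touched.items() if len(ports) >= min_ports)


def detect_floods(records: list[Record], window: float = 1.0, max_packets: int = 100) -> list[tuple[str, str]]:
    """(src, dst) pairs that sent more than max_packets within any `window` seconds."""
    times: dict[tuple[str, str], list[float]] = defaultdict(list)
    for r in records:
        times[(r.src, r.dst)].append(r.ts)
    flagged = []
    for pair, stamps in times.items():
        stamps.sort()
        start = 0
        for end, t in enumerate(stamps):
            while t - stamps[start] > window:   # slide the window forward
                start += 1
            if end - start + 1 > max_packets:
                flagged.append(pair)
                break
    return sorted(flagged)


def build_sample() -> list[Record]:
    """Constructed capture: ordinary traffic, one scanning source, one flooding source."""
    recs = [Record(float(i), "10.0.0.5", "10.0.0.20", 443) for i in range(5)]
    recs += [Record(6.0, "10.0.0.6", "10.0.0.20", 22), Record(7.0, "10.0.0.5", "10.0.0.21", 25)]
    recs += [Record(10.0 + i * 0.1, "198.51.100.7", "10.0.0.20", 20 + i) for i in range(15)]
    recs += [Record(20.0 + i * 0.005, "203.0.113.50", "10.0.0.20", 80) for i in range(150)]
    return recs


SAMPLE = build_sample()

if __name__ == "__main__":
    hosts, services = inventory(SAMPLE)
    print("hosts:", sorted(hosts))
    print("services:", {h: sorted(p) for h, p in services.items()})
    print("port scans:", detect_port_scans(SAMPLE))
    print("floods:", detect_floods(SAMPLE))
```

The same functions serve both readings of the slide: what an intruder's sniffer would learn (the inventory) is exactly what the defender's sensor should know, and the two detectors are the simplest form of the anomaly rules an intrusion detection system applies to a capture. Thresholds should be tuned to the network's normal traffic before alerts are trusted.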
  • Man-in-the-Middle Attacks
    • Ability to read and modify all messages passed between two parties without their knowledge
      • Possible outcomes of such attacks include:
        • Theft of information and hijacking of an ongoing session
        • Traffic analysis to derive information about a network and its users
        • Denial of service and corruption of transmitted data
        • Introduction of new information into network sessions
  • Application Layer Attacks
    • They take advantage of weaknesses in popular applications and application services
      • Common attacks include:
        • Buffer overflows – which exploit poorly written code that improperly validates input to an application
        • Cross-site scripting flaw – which allows web applications to drop attack scripts on a user’s browser
        • Unvalidated parameters – web requests that are not validated before being used by the application
        • Command injection attacks – the web application passes parameters containing malicious commands on to be executed on an external system
    • Favored approach against Internet-based attacks:
      • Defense-in-depth strategy
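Unvalidated parameters and command injection are two faces of the same defect, and the fix illustrates defense in depth in miniature. The code below is an added example, not from the textbook or any real application: it assumes a web form that pings a host the user names, shows the vulnerable way of building that command beside the hardened one, and uses a small helper to show how a POSIX shell would split the tainted command line without executing anything. The hostname rule and the sample tainted input are constructed.

```python
"""Command injection through an unvalidated parameter, and the hardened form."""
from __future__ import annotations

import re
import shlex
import subprocess

# RFC 1123-style hostname: labels of letters, digits and hyphens joined by dots (assumed rule).
HOSTNAME_RE = re.compile(
    r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def ping_command_unsafe(host: str) -> str:
    """Vulnerable: the request parameter is pasted into a shell command line that the
    application would run with shell=True, so shell metacharacters in `host` are obeyed."""
    return f"ping -c 1 {host}"


def ping_command_safe(host: str) -> list[str]:
    """Hardened: validate the parameter against the shape it must have, then pass it
    as a single argv element so that no shell ever parses it."""
    if len(host) > 253 or not HOSTNAME_RE.match(host):
        raise ValueError(f"invalid hostname: {host!r}")
    return ["ping", "-c", "1", host]


def rejects(host: str) -> bool:
    """True when the hardened builder refuses the parameter."""
    try:
        ping_command_safe(host)
    except ValueError:
        return True
    return False


def shell_commands(cmdline: str) -> list[list[str]]:
    """Split a command line into the separate commands a POSIX shell would run (';' separated)."""
    lexer = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    commands: list[list[str]] = []
    current: list[str] = []
    for token in lexer:
        if token == ";":
            commands.append(current)
            current = []
        else:
            current.append(token)
    if current:
        commands.append(current)
    return commands


def run_ping_safe(host: str) -> int:
    """Run the hardened command (argv list, no shell) and return its exit status."""
    return subprocess.run(ping_command_safe(host), capture_output=True, check=False).returncode


if __name__ == "__main__":
    tainted = "localhost; echo injected"                      # constructed malicious parameter
    print(shell_commands(ping_command_unsafe(tainted)))       # two commands: ping, then echo
    print("hardened builder rejects it:", rejects(tainted))
    print(ping_command_safe("example.com"))
```

The two layers are independent: input validation stops the request at the edge, and the argv list removes the shell that would have interpreted the metacharacters, so a gap in one does not by itself become an execution path. Running the process under a low-privilege account would be the third layer in the same strategy.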
  • Cyber-Terrorism
    • Goal: to harm or control key computer systems or computer controls to achieve some indirect aim, such as to destroy a power grid or to take over a critical process
    • The FISMA security requirements are built around three major national objectives:
      • Prepare and prevent
      • Detect and respond
      • Build strong foundations
  • Managing and Defending a Network
    • Network security management involves all actions needed to ensure authorized access and proper use
      • Development and documentation of the method to authorize access to network files and network directories
        • Specification of approach used to ensure reliability of data resources accessed or used over the network
      • Implementation of safeguards for protecting users from network-based security threats
  • Network Security Management and Planning
    • Based on a plan defining the approach to assuring the security of the physical components of the network
      • Must detail steps taken to ensure that information stored, processed, and transmitted is secure
      • Must specify all technology and practices to be implemented and maintained for security
      • High-level steps required to implement an effective network management process are:
        • Create usage policy statements
        • Conduct risk analysis
        • Formulate a security team
  • Network Security Management and Planning
    • Create usage policy statements
      • Statement of a general policy about system use
        • Outline the thinking that defines the organization’s network management philosophy
      • Documentation of usage statements to avoid the risks of misunderstandings and conflicting approaches
      • Tailor the rules for each component by indicating security violations and actions to be taken if detected
      • Define the acceptable use policies (AUP) including rules for account administration, policy enforcement, and privilege review
      • Aggressive training and awareness program to ensure that the members understand and will follow each rule
  • Network Security Management and Planning
    • Conduct risk analysis
      • Risk assessment factors:
        • Low Risk
        • Medium Risk
        • High Risk
      • Potential types of users are:
        • Administrators responsible for managing network resources
        • Privileged internal users needing an elevated level of access
        • Internal users with general access
        • Trusted external users needing access to some resources
        • Other untrusted external users or customers
  • Network Security Management and Planning
    • A network security or NETSEC management team:
      • Implements and maintains the network configuration
      • Responsible for evolving the network as conditions change
      • Establishes and maintains the network security configuration from these requirements
  • Network Defense in Depth: Maintaining a Capable Architecture
    • Defense in depth
      • Protection is established by controlling access through a number of boundaries
  • Network Defense in Depth: Maintaining a Capable Architecture
    • Defining trust
      • Trusted networks – within the defined security perimeter
      • Untrusted networks – outside the security perimeter and not controlled
      • Unknown networks - neither trusted nor untrusted
    • Establishing boundaries
      • Defines the area to be protected
      • Dictates the level of organizational resources required to perform the security function
  • Network Defense in Depth: Maintaining a Capable Architecture
    • Formulating assumptions – security system designs are
      • Based on assumptions
        • Anticipate who might want to breach the current security measures and why
        • Deploy an effective response
      • Design and deployment of a network security scheme has to be done while justifying the likely costs and benefits