McGraw-Hill/Irwin Copyright © 2007 by The McGraw-Hill ...
  1. Chapter 12 Network Security Basics: Malware and Attacks
  2. Objectives
     - Work with connection control and transmission control concepts
     - Develop the planning and control techniques associated with network security
     - Work with various types of threats to networks
  3. Network Security
     - Guards against threats to electronic communication
       - Network security has a dual mission
         - It must ensure the accuracy of the data transmitted
         - It must also protect confidential information processed, stored on and accessible from networks, while ensuring network availability to authorized users
       - Its role is to ensure that the network components
         - Operate correctly
         - Satisfy design requirements
         - Transmit information while retaining fundamental integrity
  4. Engineering the Network: Ensuring a Proper Design
     - Physical infrastructure – designed to ensure all required security functions are present
       - Firewalls, intrusion detection systems (IDSs), and strong authentication
     - Unique physical components of networks are switches, hubs, routers, and cables
  5. Engineering the Network: Ensuring a Proper Design
     - Relation of physical and software components
  6. Connection Control
     - Establishes and regulates the relationship between a computer and a network
     - Ensures reliable transfer of messages and performs some transmission error correction
       - Configuration process – responsibility of the network administrator
         - Establishes the authentication rules
         - Rules consider whom the network will trust
       - Specifications of rules for the authentication of a trusted source balance the need for confidentiality and integrity with availability
  7. Enforcing Connection Control: The Firewall
     - Firewalls enforce access rights and protect the network from external systems
       - Regulate access between trusted networks and untrusted ones
       - Organizations may array multiple firewalls in a defense-in-depth configuration
     - Firewalls are high-level software utilities that sit on the router end of the physical network
       - Network security policies embedded in the firewall software dictate access
  8. Enforcing Connection Control: The Firewall
     - Types of firewalls
       - Personal firewall – regulates connections between a single computer and external sources
       - Stateless firewall – accepts or discards each incoming packet on its own
         - Based on whether the IP address and port seem to correspond with services known to the network
       - Stateful firewall – tracks the status of network traffic traveling across it in a “state table”, so a packet is judged against the connection it belongs to
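The difference between the two firewall types on slide 8 is easiest to see with packets in hand. The simulation below is an added illustration, not the textbook's code: the rule set, the state-table logic, the addresses (TEST-NET ranges) and the packets are all constructed for the example. The stateless filter can only admit return traffic by looking at flags in the packet itself (the classic "established" rule that matches any inbound packet with ACK set), while the stateful filter consults a table of flows the inside actually opened.

```python
"""Stateless vs. stateful packet filtering, as a small simulation.

Added illustration for the firewall slides; this is not the textbook's code.
Addresses, rules and packets are constructed for the example (TEST-NET
ranges), not captured traffic.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    direction: str      # "in" = arriving from the untrusted side, "out" = from the trusted side
    syn: bool = False   # TCP SYN: a new connection attempt
    ack: bool = False   # TCP ACK: set on every packet of a flow after the first


FlowKey = Tuple[str, int, str, int]

# Stateless rule set, evaluated top-down: (description, predicate, allow).
# Nothing here remembers which flows the inside started, so return traffic
# can only be permitted by a flag carried in the packet itself.
STATELESS_RULES: List[Tuple[str, Callable[[Packet], bool], bool]] = [
    ("outbound from trusted side", lambda p: p.direction == "out", True),
    ("inbound to public web server", lambda p: p.direction == "in" and p.dport == 443, True),
    ("inbound 'established' (ACK set)", lambda p: p.direction == "in" and p.ack, True),
    ("deny everything else", lambda p: True, False),
]


def stateless_decide(pkt: Packet) -> bool:
    """First matching rule wins; the packet is judged in isolation."""
    for _, matches, allow in STATELESS_RULES:
        if matches(pkt):
            return allow
    return False


class StatefulFirewall:
    """Keeps a state table of flows and admits an inbound packet only when it
    belongs to a flow already in the table (or opens the one published service)."""

    def __init__(self) -> None:
        self.state: Dict[FlowKey, str] = {}

    @staticmethod
    def _key(p: Packet) -> FlowKey:
        return (p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reverse(p: Packet) -> FlowKey:
        return (p.dst, p.dport, p.src, p.sport)

    def decide(self, p: Packet) -> bool:
        if p.direction == "out":
            if p.syn and not p.ack:          # inside host opens a new flow: record it
                self.state[self._key(p)] = "ESTABLISHED"
                return True
            return self._key(p) in self.state or self._reverse(p) in self.state
        if self._reverse(p) in self.state:   # inbound reply to a flow we recorded
            return True
        if p.dport == 443 and p.syn and not p.ack:   # genuine new connection to HTTPS
            self.state[self._key(p)] = "ESTABLISHED"
            return True
        return False                          # unsolicited, whatever flags it carries


def run_scenario() -> Dict[str, Tuple[bool, bool]]:
    """Return {label: (stateless_verdict, stateful_verdict)} for constructed packets."""
    fw = StatefulFirewall()
    packets = [
        ("client opens web session", Packet("10.0.0.5", 50000, "203.0.113.9", 80, "out", syn=True)),
        ("server replies to it", Packet("203.0.113.9", 80, "10.0.0.5", 50000, "in", ack=True)),
        ("unsolicited inbound with ACK set", Packet("198.51.100.7", 4444, "10.0.0.5", 3389, "in", ack=True)),
        ("new inbound to public HTTPS", Packet("198.51.100.7", 5555, "10.0.0.8", 443, "in", syn=True)),
    ]
    return {label: (stateless_decide(p), fw.decide(p)) for label, p in packets}


if __name__ == "__main__":
    for label, (sl, sf) in run_scenario().items():
        print(f"{label:35s} stateless={('allow' if sl else 'deny'):5s} stateful={'allow' if sf else 'deny'}")
```

The third packet is the one that matters: it looks like part of an established connection because its ACK bit is set, so the stateless rule admits it, but the stateful firewall has no entry for that flow and drops it. That is the practical reason the slide singles out the state table.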
  9. Transmission Control
     - Regulates the actual transmission process
       - Ensures that the communication between two devices is flowing properly
       - Supports the integrity and availability of network data
       - Facilitated through firmware drivers in communications devices and software in the operating system
         - Transmission rules have to be agreed on by both sides and include:
           - Mode in which the data will be transmitted
           - Format of the data
           - Rate of transmission
           - Type of error checking
           - Data compression method
           - Sending device confirmation of process completion
           - Mode of indicating receipt by the receiving device
  10. Transmission Control
     - Transmission protocols are built into the communications devices
       - Common modern transmission control is based on the OSI reference model
         - It defines seven layers for communication among computer systems
         - It was defined by the International Organization for Standardization as ISO standard 7498-1
       - The TCP/IP protocol suite used by the Internet is frequently shown with five layers
         - Application layer, transport layer, network layer, data link layer, and physical layer
  11. Defending Networks from Attacks
     - The unique security problem with networks is their level of interconnectedness
     - Networks have to be secured by specialized and very robust technologies and practices
     - Two broad categories of network threats:
       - Malicious code
       - Direct attacks
  12. Threats to Information
     - Malicious code – three categories transmitted through networks:
       - Viruses
       - Logic bombs
       - Trojan horses
  13. Threats to Information
     - Common types of malicious code
  14. Viruses
     - Appropriate countermeasure to a common virus:
       - Virus checker that detects and removes viruses
       - Most virus checkers follow this process:
         - Examine files in memory or storage for recognizable code fragments or key words
         - Compare the scanned patterns with signatures of known viruses
         - Take action when an identifiable pattern is detected
         - Sometimes perform an automatic repair
  15. Viruses
     - Impact of viruses
       - A virus is destructive if it damages a system function
       - It can affect the operating system in undesirable ways such as:
         - Corrupting or deleting files
         - Reformatting the hard drive
         - Executing denial-of-service attacks
       - Often, the system becomes unusable, files are lost, and cannot be repaired automatically
  16. Viruses
     - Categories of viruses
       - File-infecting viruses – affect executable programs, replicate and spread by infecting other host programs
       - Boot-sector viruses – infect the boot sector or partition table of a system
       - Multipartite viruses – infect both the boot sector and the executable programs and files simultaneously
       - Macro viruses – infect systems through an application
       - Polymorphic and stealth viruses – defeat most signature-based countermeasures
       - Worm – self-contained program capable of spreading copies of itself or its segments to other computer systems via network connections or e-mail attachments
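Slide 14 describes the signature-scanning process and slide 16 notes that polymorphic viruses defeat most signature-based countermeasures; the scanner below illustrates both. It is an added example in Python, not the textbook's code and not a real product: the two signature kinds (a byte pattern of a code fragment and a hash of a whole known-bad file), the sample "files" and the re-encoded copy are all constructed, and no real malware is involved.

```python
"""Signature-based scanner of the kind slide 14 describes, with the limitation
slide 16 mentions. Added illustration, not the textbook's code. Signatures and
the sample files below are constructed for the example (no real malware)."""
import hashlib
from typing import Dict, List, Tuple

# A byte-pattern signature matches a recognizable code fragment or key word
# anywhere in the file; a hash signature matches one exact file. Both constructed.
PATTERN_SIGNATURES: Dict[str, bytes] = {
    "Sample.FileInfector.A": b"\x60\xe8\x00\x00\x00\x00\x5b\x81\xeb",   # constructed fragment
    "Sample.Macro.B": b"Sub AutoOpen()",                                 # constructed keyword
}
HASH_SIGNATURES: Dict[str, str] = {}   # sha256 hex digest -> signature name


def register_known_bad(name: str, content: bytes) -> None:
    """Add a whole-file hash signature for a known-bad sample."""
    HASH_SIGNATURES[hashlib.sha256(content).hexdigest()] = name


def scan(content: bytes) -> List[Tuple[str, str]]:
    """Return [(signature_name, method)] for every match; an empty list means clean."""
    hits: List[Tuple[str, str]] = []
    digest = hashlib.sha256(content).hexdigest()
    if digest in HASH_SIGNATURES:
        hits.append((HASH_SIGNATURES[digest], "hash"))
    for name, pattern in PATTERN_SIGNATURES.items():
        if pattern in content:
            hits.append((name, "pattern"))
    return hits


def verdict(content: bytes) -> str:
    """Action taken when an identifiable pattern is detected: quarantine the file."""
    return "quarantine" if scan(content) else "allow"


def run_scan() -> Dict[str, List[str]]:
    """Scan constructed samples; return {label: sorted detection methods that fired}."""
    infector = b"MZ" + b"\x00" * 8 + PATTERN_SIGNATURES["Sample.FileInfector.A"] + b"\x00" * 8
    register_known_bad("Sample.FileInfector.A.exact", infector)
    samples = {
        "clean executable": b"MZ" + b"\x00" * 16 + b"\xc3",
        "exact known-bad file": infector,
        "same infector padded by one byte": infector + b"\x00",
        "document with macro keyword": b"Sub AutoOpen()\n  MsgBox \"hi\"\nEnd Sub",
        # A copy whose bytes have been rewritten (modelled by XOR with a constructed
        # key): neither the hash nor the byte pattern survives, which is the
        # polymorphic case slide 16 refers to.
        "re-encoded copy of the infector": bytes(b ^ 0x5A for b in infector),
    }
    return {label: sorted(method for _, method in scan(data)) for label, data in samples.items()}


if __name__ == "__main__":
    for label, methods in run_scan().items():
        print(f"{label:35s} {'hit: ' + ', '.join(methods) if methods else 'clean'}")
```

The padded file shows why scanners carry pattern signatures and not only file hashes, and the re-encoded copy shows the limit of both: a checker that only compares stored patterns has nothing to match, which is why the following slides treat polymorphic code as a separate category needing other countermeasures.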
  17. Logic Bombs
     - Dormant blocks of undocumented code activated when some prescribed set of criteria is met, such as time, date, or status of the system
       - Can be planted by an employee prior to termination and activated afterward for revenge
     - High destructive potential
       - Should be aggressively hunted down and eliminated
       - Requires extensive, expensive code reviews by high-level professionals
     - Resurfacing as an important part of cyber-terrorism
  18. Trojan Horses
     - Not viruses because they do not replicate; they may transmit viruses or spyware
       - May assist in propagating denial-of-service (DoS) attacks
       - Can deliver unwelcome payloads – common payloads include:
         - Spyware – propagates from websites
           - Spamware, password capture, keyloggers, and cookie trackers
         - Adware – not directly malicious
           - Does use up valuable time and system resources
  19. Malicious Attacks
     - Best way to counteract a network attack is to anticipate it and have measures in place to either stop it or mitigate the harm
       - Network attacks fall into seven general categories:
         - Password attacks
         - Insider attacks
         - Sniffing
         - IP spoofing
         - Denial of service
         - Man-in-the-middle attacks
         - Application layer attacks
  20. Malicious Attacks
     - Password attacks
       - Password guessing
       - Dictionary attack – tries common dictionary words and commonly chosen passwords
       - Other, more resource-intensive approaches include:
         - Key search
         - Exhaustive search
         - Brute force attack
       - Social engineering – based on persuasion; the password is disclosed by the user
       - Password sniffing – uses software-based network management tools to capture passwords in transit
         - Countermeasure for sniffers: encryption
  21. Malicious Attacks
     - Insider attacks
       - Misuse incidents originating from intentional or inadvertent actions of employees
       - First line of defense is good management supported by monitoring
         - Supervisors are key security control points for employee monitoring
         - Automated software agents called policy managers or policy enforcement systems also help
  22. Role and Use of Policy Managers
     - Automated policy managers are effective tools
       - Defend against unauthorized access to confidential data and proprietary information
       - Provide the ability to filter network transactions through custom policies
       - Control the distribution of unsuitable or offensive content and inappropriate activities
       - Regulate the enterprise’s e-mail traffic by defining and enforcing rules governing:
         - Spam
         - Content filtering
         - Implementation of encryption and digital signature policies
  23. Use of Sniffers
     - Sniffers are common utilities, employed to read any information in packets transmitted over a network
       - Can be used to map the entire network topology
       - Capture information necessary to determine:
         - Number of computers on the network
         - What they access
         - Which clients run what services
     - Defense against sniffing is:
       - Encryption
       - Strong physical security
     - Internet-facing sniffers are a good countermeasure for network intrusion
  24. IP Spoofing
     - IP spoofing is an address attack in which the malicious agent electronically impersonates another network party through its IP address
     - Prevention of IP spoofing can be done using
       - Programmed routers and firewall mechanisms
       - Encrypted systems such as SSH (secure shell) for authentication services
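The "programmed routers and firewall mechanisms" of slide 24 are, in practice, anti-spoofing filters at the network boundary: packets arriving from the Internet that claim one of the site's own addresses are dropped (ingress filtering), and packets leaving the site with a source address that is not the site's own are dropped too (egress filtering). The following is an added Python illustration of that logic, not the textbook's code; the site prefixes, the list of non-routable sources and the sample packets are constructed for the example.

```python
"""Anti-spoofing (ingress/egress) source-address filtering of the kind a
border router or firewall applies. Added illustration, not the textbook's code.
Prefixes and sample packets are constructed for the example."""
import ipaddress
from typing import Dict, List, Tuple

IPv4Net = ipaddress.IPv4Network

# Address space assigned to this site (constructed). Anything else is "not ours".
SITE_PREFIXES: List[IPv4Net] = [ipaddress.ip_network("10.0.0.0/8"),
                                ipaddress.ip_network("192.168.0.0/16")]

# Sources that must never arrive from the Internet side: "this network",
# loopback, link-local, multicast and reserved space. Explicit list, constructed.
MARTIAN_PREFIXES: List[IPv4Net] = [ipaddress.ip_network(p) for p in
                                   ("0.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/3")]


def _in_any(addr: ipaddress.IPv4Address, nets: List[IPv4Net]) -> bool:
    return any(addr in net for net in nets)


def antispoof_verdict(src: str, iface: str) -> Tuple[str, str]:
    """iface is 'external' (Internet-facing) or 'internal' (LAN-facing).
    Returns (verdict, reason), judged on the packet's source address alone."""
    ip = ipaddress.ip_address(src)
    if iface == "external":
        if _in_any(ip, SITE_PREFIXES):
            return ("drop", "ingress: our own address range arriving from outside")
        if _in_any(ip, MARTIAN_PREFIXES):
            return ("drop", "ingress: non-routable source address")
        return ("accept", "ingress: plausible external source")
    if iface == "internal":
        if not _in_any(ip, SITE_PREFIXES):
            return ("drop", "egress: source is not one of our prefixes")
        return ("accept", "egress: source belongs to the site")
    raise ValueError(f"unknown interface {iface!r}")


def log_line(src: str, iface: str) -> str:
    """One log record per decision, the kind of line an IDS or SIEM would collect."""
    verdict, reason = antispoof_verdict(src, iface)
    return f'antispoof iface={iface} src={src} action={verdict} reason="{reason}"'


def run_scenario() -> Dict[str, str]:
    """Return {"<src> via <iface>": verdict} for constructed packets."""
    packets = [
        ("203.0.113.9", "external"),     # ordinary Internet host
        ("10.0.0.5", "external"),        # claims to be an inside host: spoofed
        ("127.0.0.1", "external"),       # loopback can never be a real remote source
        ("10.0.0.5", "internal"),        # inside host sending out
        ("198.51.100.7", "internal"),    # inside host pretending to be someone else
    ]
    return {f"{src} via {iface}": antispoof_verdict(src, iface)[0] for src, iface in packets}


if __name__ == "__main__":
    for src, iface in [(k.split(" via ")[0], k.split(" via ")[1]) for k in run_scenario()]:
        print(log_line(src, iface))
```

The check uses explicit prefix lists rather than the `ipaddress` module's `is_private` property, because that property also flags the documentation ranges used for the sample addresses. Egress filtering is what stops a site's own hosts from being the source of the spoofed packets slide 25 describes in DoS floods.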
  25. Denial of Service (DoS)
     - DoS attacks affect the availability of transmission media
       - Degrade the availability of information
       - Designed to cost the target time and money
       - Can be launched in numerous ways – most common form:
         - DoS flood – overloads the system’s servers, routers, or DNS to the extent that service to authorized users is delayed or prevented
       - Disable a particular network service
  26. Man-in-the-Middle Attacks
     - Ability to read and modify all messages passed between two parties without their knowledge
       - Possible outcomes of such attacks include:
         - Theft of information and hijacking of an ongoing session
         - Traffic analysis to derive information about a network and its users
         - Denial of service and corruption of transmitted data
         - Introduction of new information into network sessions
  27. Application Layer Attacks
     - They take advantage of weaknesses in popular applications and application services
       - Common attacks include:
         - Buffer overflows – which exploit poorly written code that improperly validates input to an application
         - Cross-site scripting flaw – which allows web applications to drop attack scripts on a user’s browser
         - Unvalidated parameters – web requests that are not validated before being used by the application
         - Command injection attacks – web applications are allowed to pass parameters containing malicious commands to be executed on an external system
     - Favored approach against Internet-based attacks:
       - Defense-in-depth strategy
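Three of the four attacks on slide 27 (cross-site scripting, unvalidated parameters and command injection) come down to one coding defect: a request parameter used without validation or encoding. The snippet below is an added Python example, not the textbook's code, showing the defective form beside the corrected one for a hypothetical "ping this host" web feature and a hypothetical greeting page; the hostname rule, the function names and the sample inputs are constructed for the illustration. The command builders return the command they would run instead of running it, so the example can be executed safely.

```python
"""Unvalidated parameters, command injection and cross-site scripting in one
request handler: defective version beside the hardened one. Added example,
not the textbook's code; function names and inputs are constructed."""
import html
import re
from typing import Dict, List

# Hostname syntax per the usual label rules: letters, digits, hyphens, dot-separated.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)*[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$",
    re.IGNORECASE,
)


def is_valid_hostname(value: str) -> bool:
    """Positive validation: accept only what a hostname may contain."""
    return bool(HOSTNAME_RE.match(value))


def build_ping_unsafe(host: str) -> str:
    # Defect: the raw request parameter is spliced into a shell command line.
    # Anything the shell treats specially (';', '|', '$(...)') becomes a second command.
    return f"ping -c 1 {host}"


def build_ping_safe(host: str) -> List[str]:
    """Validate first, then build an argv list that no shell will parse."""
    if not is_valid_hostname(host):
        raise ValueError("invalid hostname parameter")
    return ["ping", "-c", "1", host]


def render_greeting_unsafe(name: str) -> str:
    # Defect: the parameter is written into HTML verbatim, so markup in it is
    # interpreted by the browser (cross-site scripting).
    return f"<p>Hello, {name}</p>"


def render_greeting_safe(name: str) -> str:
    """Encode for the output context so the parameter is shown, not interpreted."""
    return f"<p>Hello, {html.escape(name, quote=True)}</p>"


def run_checks() -> Dict[str, object]:
    """Exercise both forms on constructed inputs; returns what each would produce."""
    injected = "example.com; echo injected"          # constructed: a parameter carrying a second command
    scripted = "<script>alert('x')</script>"         # constructed: a parameter carrying markup
    out: Dict[str, object] = {}
    out["unsafe_shell_line"] = build_ping_unsafe(injected)
    try:
        build_ping_safe(injected)
        out["safe_rejected"] = False
    except ValueError:
        out["safe_rejected"] = True
    out["safe_argv"] = build_ping_safe("example.com")
    out["unsafe_html"] = render_greeting_unsafe(scripted)
    out["safe_html"] = render_greeting_safe(scripted)
    return out


if __name__ == "__main__":
    for key, value in run_checks().items():
        print(f"{key:18s} {value!r}")
```

Two controls are at work: validation of the parameter against what it is allowed to be (the countermeasure for the "unvalidated parameters" item), and keeping data out of any interpreter by passing an argument list rather than a command string, or by encoding for HTML. The slide's defense-in-depth recommendation applies here too: both controls together, not either one alone.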
  28. Cyber-Terrorism
     - Goal: to harm or control key computer systems or computer controls to achieve some indirect aim, such as to destroy a power grid or to take over a critical process
     - The FISMA security requirements are built around three major national objectives:
       - Prepare and prevent
       - Detect and respond
       - Build strong foundations
  29. Managing and Defending a Network
     - Network security management involves all actions to ensure authorization and use
       - Development and documentation of the method to authorize access to network files and network directories
         - Specification of the approach used to ensure reliability of data resources accessed or used over the network
       - Implementation of safeguards for protecting users from network-based security threats
  30. Network Security Management and Planning
     - Based on a plan defining the approach to assuring the physical components of the network
       - Must detail steps taken to ensure that information stored, processed, and transmitted is secure
       - Must specify all technology and practices to be implemented and maintained for security
       - High-level steps required to implement an effective network management process are:
         - Create usage policy statements
         - Conduct risk analysis
         - Formulate a security team
  31. Network Security Management and Planning
     - Create usage policy statements
       - Statement of a general policy about system use
         - Outline the thinking that defines the organization’s network management philosophy
       - Documentation of usage statements to avoid the risks of misunderstandings and conflicting approaches
       - Tailor the rules for each component by indicating security violations and actions to be taken if detected
       - Define the acceptable use policies (AUP) including rules for account administration, policy enforcement, and privilege review
       - Aggressive training and awareness program to ensure that the members understand and will follow each rule
  32. Network Security Management and Planning
     - Conduct risk analysis
       - Risk assessment factors:
         - Low risk
         - Medium risk
         - High risk
       - Potential types of users are:
         - Administrators responsible for managing network resources
         - Privileged internal users needing an elevated level of access
         - Internal users with general access
         - Trusted external users needing access to some resources
         - Other untrusted external users or customers
  33. Network Security Management and Planning
     - A network security or NETSEC management team:
       - Implements and maintains the network configuration
       - Is responsible for evolving the network as conditions change
       - Establishes and maintains the network security configuration from these requirements
  34. Network Defense in Depth: Maintaining a Capable Architecture
     - Defense in depth
       - Protection is established by controlling access through a number of boundaries
  35. Network Defense in Depth: Maintaining a Capable Architecture
     - Defining trust
       - Trusted networks – within the defined security perimeter
       - Untrusted networks – outside the security perimeter and not controlled
       - Unknown networks – neither trusted nor untrusted
     - Establishing boundaries
       - Defines the area to be protected
       - Dictates the level of organizational resources required to perform the security function
  36. Network Defense in Depth: Maintaining a Capable Architecture
     - Formulating assumptions – security system designs are
       - Based on assumptions
         - Anticipate who might want to breach the current security measures and why
         - Deploy an effective response
       - Design and deployment of a network security scheme has to be done while justifying the likely costs and benefits