Information Security Basics , Attacks , Prevention & Practices By Renjith K P , CISA , CISSP

Basics , Attacks , Prevention & Practices

By Renjith K P , CISA , CISSP

From History 19 Yr Old Russian hacker stole up to 300,000 credit card numbers from CD Universe customers in 1999 for $100000 Another Russian hacker stole more than 55,000 credit card numbers from CreditCards.com In September 2000, Western Union shut down its web site for five days after hackers stole more than 15,000 customer credit card numbers

19 Yr Old Russian hacker stole up to 300,000 credit card numbers from CD Universe customers in 1999 for $100000

Another Russian hacker stole more than 55,000 credit card numbers from CreditCards.com

In September 2000, Western Union shut down its web site for five days after hackers stole more than 15,000 customer credit card numbers

Amazon.com - credit card information of more than 98,000 customers was compromised 2001 April 2002, the Bank of the State of California found out that 265,000 state employees had their personal information stolen by a hacker In August 2002, Daewoo Securities found out that $21.7 million in stock was illegally sold. March 2005, hackers obtained 1.4 million credit card numbers by carrying out an attack on DSW Shoe Warehouse’s database. Yahoo cautioned that the http://mail.yahoo.com/ address must include the trailing slash after the yahoo.com in 2006 Yahoo indicated that http://www.yahoo.com:login&mode=secure&i=b35 870c196e2fd4a&q=1@16909060 is a bogus URL

Amazon.com - credit card information of more than 98,000 customers was compromised 2001

April 2002, the Bank of the State of California found out that 265,000 state employees had their personal information stolen by a hacker

In August 2002, Daewoo Securities found out that $21.7 million in stock was illegally sold.

March 2005, hackers obtained 1.4 million credit card numbers by carrying out an attack on DSW Shoe Warehouse’s database.

Yahoo cautioned that the http://mail.yahoo.com/ address must include the trailing slash after the yahoo.com in 2006

Yahoo indicated that http://www.yahoo.com:login&mode=secure&i=b35

870c196e2fd4a&q=1@16909060 is a bogus URL

During the Persian Gulf War in 1991, it was reported that hackers from the Netherlands penetrated 34 American military sites that supported Operation Desert Storm activities. during the 1999 Kosovo Air Campaign, false messages were injected into Yugoslavia’s computer-integrated air defense systems to point the weapons at false targets. In February 2004, Wells Fargo Bank suffered its second theft of a laptop computer that contained confidential information 200000 users

During the Persian Gulf War in 1991, it was reported that hackers from the Netherlands penetrated 34 American military sites that supported Operation Desert Storm activities.

during the 1999 Kosovo Air Campaign, false messages were injected into Yugoslavia’s computer-integrated air defense systems to point the weapons at false targets.

In February 2004, Wells Fargo Bank suffered its second theft of a laptop computer that contained confidential information 200000 users

What Does This Mean to Us? Good security does not begin and end with erecting a firewall and installing antivirus software. Good security should be planned, designed, implemented, maintained.

Good security does not begin and end with erecting a firewall and installing antivirus software.

Good security should be planned, designed, implemented, maintained.

CIA Triad Confidentiality Integrity Availability

Confidentiality

Integrity

Availability

Password Attack Password Guessing Dictionary Attack Social Engineering Dumpster Diving

Password Guessing

Dictionary Attack

Social Engineering

Dumpster Diving

TCP Segment Format

3 Way Handshaking Host A sends a TCP SYN packet to Host B Host B receives A's SYN Host B sends a SYN - ACK (Initial Sequence Number (ISN) ) Host A receives B's SYN-ACK Host A sends ACK Host B receives ACK . TCP connection is ESTABLISHED.

Host A sends a TCP SYN packet to Host B

Host B receives A's SYN Host B sends a SYN - ACK (Initial Sequence Number (ISN) )

Host A receives B's SYN-ACK Host A sends ACK

Host B receives ACK . TCP connection is ESTABLISHED.

Denial of Service Attacks SYN Flood

SYN Flood

Similar Attacks Ack Flood Reset (RST) Attack ( Calculate seq then RST) – Occurs at the middle of connection FIN Attack – At the End state of connection

Ack Flood

Reset (RST) Attack ( Calculate seq

then RST) – Occurs at the middle of connection

FIN Attack – At the End state of connection

Spoofing

Denial of Service Attacks Smurf

Smurf

Denial of Service Attacks Teardrop

Teardrop

Detecting IP spoofing An incoming packet cannot have a source address that belongs to the internal network. An outgoing packet cannot have a source address that does not belong to the internal network. A packet leaving or entering through a firewall cannot have the same source and destination address.

An incoming packet cannot have a source address that belongs to the internal network.

An outgoing packet cannot have a source address that does not belong to the internal network.

A packet leaving or entering through a firewall cannot have the same source and destination address.

Denial of Service Attacks DNS Poisoning – Hacking in to registrar account Ping of Death - ICMP packet is 65,536 bytes .What if the packet size is more

DNS Poisoning – Hacking in to registrar account

Ping of Death - ICMP packet is 65,536 bytes .What if the packet size is more

Firewall Architecture

Masquerading Attacks IP Spoofing Session Hijacking

IP Spoofing

Session Hijacking

Other Threats Virus - Malicious code. Worms- Code spread automatically, usually via the Internet Trojan - code hidden on a system to usually gain back door access. Phishing Spam Spy / Ad Ware

Virus - Malicious code.

Worms- Code spread automatically, usually via the Internet

Trojan - code hidden on a system to usually gain back door access.

Phishing

Spam

Spy / Ad Ware

Mitigation Up-to-date Patches Antivirus Softwares Antispam Antiphishing Training Physical Security Logging and Auditing Need to know privileges

Up-to-date Patches

Antivirus Softwares

Antispam Antiphishing

Training

Physical Security

Logging and Auditing

Need to know privileges

Incident Response Unplug the network Don't turn the computer off. Backup the system and keep the Back-ups. Investigate the cause Always, re-build Perform forensics on a backup Keep documentation and evidence

Unplug the network

Don't turn the computer off.

Backup the system and keep the Back-ups.

Investigate the cause

Always, re-build

Perform forensics on a backup

Keep documentation and evidence

Elements of Risks

Symmetric Cryptography

Symmetric examples DES (56) 3DES IDEA (128) Blowfish (32 to 448) Skipjack (80 bits , for US Government) AES (128:9 , 192:11,256:13)

DES (56)

3DES

IDEA (128)

Blowfish (32 to 448)

Skipjack (80 bits , for US Government)

AES (128:9 , 192:11,256:13)

Asymmetric

Asymmetric RSA - 1088 bits DSA – 1024 Bits EL Gamel Elliptic Curve – 160 bits

RSA - 1088 bits

DSA – 1024 Bits

EL Gamel

Elliptic Curve – 160 bits

Comparison

PKI – Public Key Infrastructure Certificate ( Serial , Issuer,Validity,Name , Public Key CA – Verisign , Thawte etc

Certificate ( Serial , Issuer,Validity,Name , Public Key

CA – Verisign , Thawte etc

SSL Credibility of the website Encrypted communication SSL uses the public-and-private key encryption system from RSA, which also includes the use of a digital certificate.

Credibility of the website

Encrypted communication

SSL uses the public-and-private key encryption system from RSA, which also includes the use of a digital certificate.

Hash Functions Unique output value derived from the content of the message SHA1 , MD4 , MD5

Unique output value derived from the content of the message

SHA1 , MD4 , MD5

Digital Signature The message truly came from the claimed Sender Message was not altered while in transit between the sender and recipient

The message truly came from the claimed Sender

Message was not altered while in

transit between the sender and recipient

Digital Signatures

VPN Point-to-Point Tunneling Protocol (PPTP) Layer 2 Tunneling Protocol (L2TP) IPsec

Point-to-Point Tunneling Protocol (PPTP)

Layer 2 Tunneling Protocol (L2TP)

IPsec

Architecture - Protocols Authentication header (AH): access control, integrity, data origin authentication, confidentiality Encapsulating Security Payload (ESP): access control, confidentiality, traffic flow, confidentiality Key management protocols: IKE = OAKLEY + ISAKMP, . . .

Authentication header (AH): access control, integrity, data origin authentication, confidentiality

Encapsulating Security Payload (ESP): access control, confidentiality, traffic flow, confidentiality

Key management protocols: IKE = OAKLEY + ISAKMP, . . .

Cryptographic Algorithms for IPSec HMAC - SHA1 for integrity protection Triple DES - for confidentiality AES for confidentiality.

HMAC - SHA1 for integrity protection

Triple DES - for confidentiality

AES for confidentiality.

Crypto Attacks Man in the Middle Birthday Attack : substitute a digitally signed communication a different message that produces the same message digest Replay Attack : Same as 1 st one , use the captured session at later time Brute Force Attack

Man in the Middle

Birthday Attack : substitute a digitally signed communication a different message that produces the same message digest

Replay Attack : Same as 1 st one , use the captured session at later time

Brute Force Attack

Man In The Middle A and B Wants to Communicate each other and C is sniffing the communication. What if C captures both public keys and send C’s public key to A & B ?

A and B Wants to Communicate each other and C is sniffing the communication.

What if C captures both public keys and send C’s public key to A & B ?

Birthday Attack Suppose A wants to cheat B while signing the contract A prepare 2 contracts C and C’(Fraud) F(C’) = F(C) while Hashing the contracts B signs the Contract C A put the Digital signature of the contract to C’ and can prove that B signed the C’

Suppose A wants to cheat B while signing the contract

A prepare 2 contracts C and C’(Fraud)

F(C’) = F(C) while Hashing the contracts

B signs the Contract C

A put the Digital signature of the contract to C’ and can prove that B signed the C’

Brute Force Attack How long can the key be? How many possible values can each component of the key have? How long will it take to attempt each key?

How long can the key be?

How many possible values can each component of the key have?

How long will it take to attempt each key?

Attack Tools dsniff - A tool for SSH and SSL MITM attacks Cain - A Windows GUI tool which can perform MITM attacks, along with sniffing and ARP poisoning Ettercap - A tool for LAN based MITM attacks Karma - A tool that uses 802.11 Evil Twin attacks to perform MITM attacks AirJack - A tool that demonstrates 802.11 based MITM attacks wsniff - A tool for 802.11 HTTP / HTTPS based MITM attacks

dsniff - A tool for SSH and SSL MITM attacks

Cain - A Windows GUI tool which can perform MITM attacks, along with sniffing and ARP poisoning

Ettercap - A tool for LAN based MITM attacks

Karma - A tool that uses 802.11 Evil Twin attacks to perform MITM attacks

AirJack - A tool that demonstrates 802.11 based MITM attacks

wsniff - A tool for 802.11 HTTP / HTTPS based MITM attacks

Email Security Secure Multipurpose Internet Mail Extensions (S/MIME) Secure Electronic Transaction (SET) RSA & DES Privacy Enhanced Mail (PEM) protocol and uses RSA,DES, and X.509 Pretty Good Privacy (PGP) - IDEA

Secure Multipurpose Internet Mail Extensions (S/MIME)

Secure Electronic Transaction (SET) RSA & DES

Privacy Enhanced Mail (PEM) protocol and uses RSA,DES, and X.509

Pretty Good Privacy (PGP) - IDEA

Decoy Techniques Honey Pots Pseudo-Flaws Monitoring & Logging Traffic Analysis and trend Analysis Sniffing Ethical Hacking

Honey Pots

Pseudo-Flaws

Monitoring & Logging

Traffic Analysis and trend Analysis

Sniffing

Ethical Hacking

Operations Security Backup Need to Know and Least Privilege Trusted Recovery Media management Job rotation

Backup

Need to Know and Least Privilege

Trusted Recovery

Media management

Job rotation

BCP & Disaster Recovery Business Impact Assessment Risk Assessment Risk Acceptance Risk Mitigation Cold,Warm,Hot Sites

Business Impact Assessment

Risk Assessment

Risk Acceptance

Risk Mitigation

Cold,Warm,Hot Sites

Terms Policies Standards Baselines Guidelines Procedures

Policies

Standards

Baselines

Guidelines

Procedures