Computer Systems Security Unit 1 Lecture 1: Introduction to Ethical Hacking - Class MCQ 20% for 28th October Portfolio Task 1 Draft for 15th November Portfolio Final Draft for 16th December Penetration Testing as a security role: - Hacker: Tries to get access to a system or network without authorization. Not necessarily to cause damage. Can be punishable by law. - Cracker: Breaks through network system defences to steal/destroy data. For personal benefit or to cause damage. Punishable by law. - Ethical Hacker: Test systems and network defences but performs all the activities with owners’ permissions. - Script Kiddie: Use what other people invented like scripts to hack systems. An Ethical Hacker must have knowledge of: - An operating system inside out A programming language like ruby or python Computer networks and learning how to attack a network or network system. Penetration Testing Methodologies BELOW: [Will be in MCQ] White Box Testing [CLEAR]: - Tester has complete knowledge of the systems and network Operating systems information and network diagram is provided. The tester has authorisation to carry out testing. Black Box Testing [DETECT]: - The tester has knowledge of the company, but nothing else, so the user has to find out everything else. Company staff don’t know about the test Permission is again given, but with them aim of testing whether the security personnel and the security systems will detect an attack. Should be done during off hours but can be done during working hours. Gray Box Testing [SCENARIO]: - The company gives the tester partial information. To create scenarios where the attacker has already social engineered information from insiders. A scenario where the attacker is a dissatisfied employee with some knowledge of the company systems. To test whether the security personnel and the system would detect an attack. To speed up procedures when the aim of the test is specific. Red Team Attack: - From the methodology: Red Team attacks, Blue Team defends Involves physical tests, social engineering, applications, data extraction. Most common at service providers. Certifications in Network Security: - Certified Ethical Hacker: Vulnerabilities and weaknesses on target systems CCNA: Cisco Certified Network Associates. Network Routing and Switching CCNP: Cisco Certified Network Professional. Network LANs and WANs. CISSP: System Security Pro: Security/Risk Management, Asset, Security Eng. CompTIA Security: Security Functions. SANS: Sys Admin, Audit, Network, Security. [Cyber Laws] What Ethical Hackers MUST do: - Find out legalities of ethical hacking, before doing activities. Knowledge of contract laws, consultation with specialists. Be aware of what is allowed and not allowed for their activities and tools. [Cyber Laws] Risks: - Your activities might be illegal in some countries. Permission might be obtained from a second party. Contracts are not explicitly written. Open to interpretation. There might be tough laws for cybercrime although you think it’s legal. Recent Hacks: - Equifax 2017. 145m records stolen from servers. Yahoo 2013. 3B accounts stolen. NSA 2017. Shadow brokers leaked government hacking tools. WannaCry 2017. Ransomware bought down the business. NotPetya 2017. Spread worldwide. UBER 2016. 57M records stolen. 100k ransom but later disclosed. Unit 2 Lecture 2: Information Operation [Will be coming in exam] Definitions: Cyberwarfare: - Activities designed to participate in cyberattacks and cyberespionage, offensive or defensive. Information Operations: COLLECT DATA OF A TARGET. - To achieve information superiority over a target. - Continuous operations which enable, enhance and protect the friendly forces ability to collect, process and act on information to achieve an advantage across the full range of military operations. Information Warfare: USING INFO AGAINST A TARGET. - Applying Information Warfare against a specific target in a time of crisis or war. - Includes actions for offensive and defensive. To preserve the integrity of one’s own system from corruption, whist corrupting a targets system using information advantage. Traditional Cyberwarfare Targets: - Military targets in conventional warfare - Acceptable targets - Cyber targets in unconventional warfare - Targets in asymmetric cyberwarfare - Total cyberwarfare Non-Traditional Cyberwarfare Targets: - Political activism and hacktivism: Anonymous, Syrian Electronic Army - Industrial espionage: Aurora: China vs. Google, Saudi Arabian ARAMCO, Shamoon. - Military Cyber Attacks on Non-traditional targets: US vs. Iraq. A cancelled attack. Domains of Conflict in IW: - National: Network Warfare, Economic, Political and Command and Control Warfare. - Corporate: Espionage, Sabotage, Destroying data, computer theft. - Personal: E-commerce fraud, spoofing, e-mail harassment, spamming, card theft. Information has 4 levels of abstraction: EXAM QUESTION - Data: o Observation and measurement of unprocessed information at the lowest level. Example: Human communication, text messages, queries. - Information: o Organised and processed sets of data. This is data that is sorted, classed and indexed. Then put into data elements for searching and analysis. - - Knowledge: o Information that is analysed and understood. Requires a degree of comprehension and understanding of the behaviour that object. This level of understanding is referred as intelligence. Expertise: o Information that is greatly understood by experts. The information look into issues relating to the information and splits into offensive and defensive warfare. EXAMPLE OF 4 INFORMATION LEVELS: - Data: There are high levels of Internet Traffic, Internet slows down. - Information: Understanding the global flow of Internet Traffic, looking for patterns. - Knowledge: Understanding who can be behind this information and causing traffic. - Expertise: Knowledge going to experts who can look into this issue. Splits in Offensive/Defensive Information Warfare. Cyber Domain Operations: - Offensive: o Actions taken to corrupt a targets information or functions - Defensive: o Actions taken to protect your information or functions DEFENSIVE Operations: - Threat Intelligence, Indicators and Warnings: o THREAT ASSESSMENT: Understanding of threats is essential to defence. ▪ Identify potential threat agents. State supported or not. ▪ Determine capability: Technical and time capability. ▪ Establish Indicators and Warnings. To indicate preparations. ▪ Perform vulnerability assessment. o PROTECTION MEASURES: Includes countermeasures or passive defences to stop attacks against your information infrastructure. ▪ Strategic level: Deterring my legal means. ▪ Operational level: Security for physical infrastructure, personnel and information. ▪ Tactical: Protecting hardware/software at their levels. o ATTACK RESPONSE & RESTORATION: Capability to detect, respond and restore from an attack. ▪ Defensive response: Alerts, access levels and removing vulnerable processes. ▪ Offensive response: Deterrent based attacks when source is found ▪ Tactical response: Surveillance, Mode control, Audit, Forensic Analysis [Determine pattern and behaviour], Reporting. OFFENSIVE Operations: Requirements: Identify target -> Attack -> Manage Perceptions. - PERCEPTION MANAGEMENT: o PUBLIC AFFAIRS -> Friendly forces, media, friendly populations o CIVIL AFFAIRS -> Foreign authorities, areas of conflict. o PSYOPS -> Hostile forces, foreign/neutral populations. o MILITARY -> Hostile military leaders and forces. [IN EXAM] Why cyber-warfare is asymmetric: - Don’t need military power to cause havoc on systems. A single person can execute this. This is why a strong defence is needed. Forms of Internet Warfare: - NETWAR: Information related conflict between nation-states at high level. o Damaging/Modifying target’s information. o Weapons include: Diplomacy, propaganda, interference with media. Infiltration of targets computer database. - POLITICAL WARFARE: Involves national governments. o Threats to move to more intense form of war. - ECONOMIC WARFARE: Targets economic performance of a target. o Economic factors are affected of a nation. Next step from political. - COMMAND/CONTROL: Conflict by military operations who target another military. Implements IW on battlefield and Involves physical destruction. INTERNET OPERATIONS: - Targets of Information Operations: o Network Attack -> Networks, computers, technology systems o Network Defence -> Inbound Attacks, malware, attackers o Intelligence gathering -> Stored data, communications, LIVE info. o Electronic warfare -> Broadcasting capabilities, channels, GPS signals o Psychological operations -> Social media, websites, email, communication o Operations security -> Attempts to access friendly information. NOTES: - - - - Psychological Operations: Planned operations to convey selected information to a selected audience to influence the emotions and motives. This involves a message and media. Operational Deception: Deliberate mislead a target by making the target do specific actions that will contribute to your mission. Involves misdirection Electronic Operations: Attack targets over a radiated electromagnetic spectrum. And NETOPS which focuses on access to targets via the Global, National and Defence Information Infrastructure. Physical Destruction: Physically incapacitating or stopping targets. Intelligence: Intelligence operations contribute to assessing threats, pre-attack warnings and post-attack investigation. Structured and Planned attacks require intelligence. Counterintelligence stops a planned attack. How intelligence can be obtained: Organisation threat intelligence, Technical threat intelligence, Suppliers of Anti-Virus, Surveillance to be ‘Pro-Active’, Penetration to acquire knowledge. Assets to protect of an Information System: - Hardware, Software - Communication and environmental control equipment, - Documentation - Data and information - Personal Information Security Involves: - Confidentially: encrypt the data, password protect accounts and emails - Integrity: check sum or access - Availability - Authentication - Nonrepudiation: Transaction if it happens or not. Someone cannot deny something. Nonrepudiation in Operation Security: Denying information regarding intentions and capabilities and plans by providing functional and physical protection to the target. This protects IO O/D. This makes sure acceptable risk measures and maintained. Operation Security Process: Identification of Critical information -> Threat Analysis -> Vulnerability Analysis -> Risk Assessment -> Countermeasures Unit 3 Lecture 3: Penetration Testing as a defensive operation CIA Triad: - Confidentiality: To guarantee the confidentiality of information. Only giving access to users where they need. No more. - Integrity: Relying on the integrity of information. Sender should not be able to deny sending data. Guaranteeing the authenticity of information. - Availability: Information should be available for authorised use. Price of Security: - Price paid for security should not exceed the value of the assets that need protecting. To know what to protect there should be risk analysis and know how assets can be damaged. Asset Examples: - Hardware: Laptops, servers, routers, phones, PDA etc. - Software: Applications, OS, Databases, Source code, object code etc - Data: Business data, design plans, customer and personal data - Services and revenue stats - Reputation and employees. Penetration Testing Penetration Testing: a form of testing that assesses the security of a network. - Simulates methods used by hackers to get unauthorised access to a system and compromise the network security. - Requires proprietary open source tools. - Can be automated or manually conducted on a target system. Purpose of Penetration Testing: - To test security protections. - Expose vulnerabilities of a system to its owners. - Provide information to audit teams. - Minimise the cost of security audits by providing realistic evidence. - Help prioritize the application security by fixes security patches. - Find out existing risks in the network and system. - Discover if the software requires updating. Importance of Penetration Testing: - Shows the state of security of any system. Shows how strong the systems security is for any organisation. - Points out vulnerabilities and gaps in a company’s security model. - Documents how a systems weakness can be exploited. - Reveals how an attacker can exploit a system and hack the system and network Types of Penetration Testing: - - - Blackbox Testing o Zero knowledge testing to simulate real world attacks. No information is given to the hacker. No network map or OS information. Whitebox Testing o Complete knowledge testing to assess the security model of an organisation. o Usually a specific kind of attack. Complete information is given to hackers. Including network map, OS information and more. o Done with or without informing IT Staff. Only top management are aware. Gray-box Testing o Malicious insider: most common approach to test vulnerabilities. o Attack teams given same access as normal users. o Social engineering is used to see if the attack can be done by insiders. Phases of Penetration Testing: - Pre-Phase Attack [PLAN]: o Gathering information about the target system. o Can be through invasive, scanning information o Can be non-invasive, reviewing government records. - Attack Phase: o Attack strategy is formed and carried out. - Post-Attack Phase: o Crucial part of testing, network is restored back to original state o Cleaning up testing process and removing vulnerabilities. Common Penetration Testing Techniques: - Passive Research: Uses public domain sources to show the configuration of an organisations system. - Spoofing: Using one machine to act as another in order to communicate with other machines. Internal and Externally used in Pen-testing. - Network Sniffing: Captures data travelling across a network. Sniffing packets can show traffic connections and data flow. - Trojan Attack: Malicious code or programs. Usually email attachments. These are sent to networks. - Brute-force Attack: Trying to crack passwords using all combinations. Can overload a system - Vulnerability Scanning: Examination of a targets network infrastructure. To test weaknesses in the system. - Scenario Analysis: Risk Assessment of vulnerabilities much more accurate. Social Engineering: - A technique used to exploit human vulnerabilities. - Can be through social media or direct contact. - Can be eavesdropping, dumpster driving, guessing passwords, observing access screens. Penetration Testing Methodologies: 1. Proprietary e.g. Foundstone, IBM, EC-Council 2. Open Source and Public Methodologies. - Open Source Security Testing Methodology Manual OSSTMM o Includes all steps involved in Penetration Testing. Assess ALL Security. - NIST Methodology o Planning – Discovery – Attack – Reporting. - OWASP Testing Guide - PCI Penetration Testing Guide - Penetration Testing Execution Standard PTES - Penetration Testing Framework Penetration Testing Required Skills: - Hardware: TCP/IP, Cabling, Routers, Firewalls - Software: Exploits, Hacking tools, Databases, Operating Systems - Open Sources: MySQL, Apache - Applications: Bluetooth, WAPs, Web servers, mail servers, SNMP/SFTP. - Services: Broadband, ISDN, VoIP, Troubleshooting. Rules of Engagement: - Permission to hack agreement must be signed by both parties - The scope of the engagement and what part of the system which needs to be tested must be specified. - Project duration. - Methodology used to penetrate the system. What is allowed and disallowed - Goals of the Pen-testing hack. - The liabilities and responsibilities. Not breaking into something disallowed. Causing a denial of service. Or accessing sensitive information. Unit 4 Lecture 4 – Intelligence Gathering Threat: - Intention to inflict pain or damage on someone. Intent is an actor’s desire to target an organisation Capability is their means to do so Opportunity is the opening the actor needs, such as weaknesses and vulnerabilities in a system. Cyber Threat Intelligence: - Evidence-based knowledge, including context and mechanisms about an existing asset that can be used to make decisions based on the response of the asset. Typical situation BANK NettiCash would like to know who is targeting their cash machine. Can you help? The brief from the bank says: ● Currently no visible threat ● We think we are secure It is obvious from the diagram that Cyber Threat Intelligence (CTI) methodology is a cycle of five steps. Planning & Direction – defines everything. For everything, plan first. This step answers the question ‘what’, establishing what the target is, what types of data we need to collect, what strategy we are going to follow, and what we want to achieve (aim, goal, direction). ● Data Collection and Data Processing – answer the question ‘how’, and they define how we are going to do what we planned to do. ● Analysis and Production – we identify what is important and why, what the biggest risks are and why, and we produce something as well. ● ● Who do we need to involve, who needs to know about the strategy? Who is going to use the new system? Who is going to get trained? Actions & Deliverables The attributes of good intelligence are: ● 1: Must be Relevant, Actionable and Valuable ● 2a: Prompt, some response in configuration ● 2b: Support making an informed decision NOT to act. As a result, we have to look at three concepts related to the value of intelligence - Awareness, Actionability and Effectiveness: Situational Awareness (Do you know when you are hacked/breached?) Actionable Events (Do you get the right information to be able to react?) Effective Response (Have you got the right people/tools/process to give the right response?) ● ● ● Do you know what and when has happened? = Situation Awareness. Can you do anything about it, does it lead to any actions? = Actionable Events Do you have everything you need to have, in order to give the right response? = Effective Response (you need to establish here first, what an effective response is. 1. The division of threat intelligence into four types Strategic – a Chief Security Officer or a Chief Information Officer think at high level Operational – a NOC manager, or a Security Centre manager thinks from the operational perspective ● Tactical - The Incident Response Team will consider the tactical aspects. ● Technical - The cybersecurity specialists dealing with the actual tools and dissecting the malware or tracing the security breach will be interested in the technical aspects. ● ● Analytical Model - the Diamond Model Spiral Processing Primary Analysis ● Stage 1: Threat/Adversary Investigation ● ● ● Stage 2: Victim Investigation Stage 3: Infrastructure Investigation Stage 4: Capability Investigation Grading the Value of Threat Information The 5x5x5 model is used for grading the information. Then the final step is to make changes in order to increase security. These three steps represent the process of using the intelligence to improve maturity and level of response to security incidents. Unit 5 Lecture 5: Port Scanning and Enumeration Detecting information which is useful for a break-in: - Live Machines - Network Topology - Firewall Configuration - Applications and OS Types - Vulnerabilities Port Scanning: - The process of examining a range of IP addresses to see what services are running on a network. - Port Scanning finds open ports and see what services are running. - Can be complex, useful to know strengths and weaknesses and when to use this. Example: HTTP uses port 80 to connect to a web service. IIS / Apache. Requirements: - IP addresses for the target network. Zone transfer with the Dig command can be used to obtain a networks IP address. - Scan all ports when doing a port scan. Not just the well-known ports 1-1023. - Many programs use port numbers outside well-known ports. - PCAnywhere operates on ports 65301, 22, 5631, 5632. SYN SCAN: - SYN Scan: In a TCP session: o A packet is sent to another computer with SYN flag set. o The receiving computer sends back a packet with SYN/ACK packet for acknowledgment. o The sending computer sends back a packet with ACK flag set. o If the destination port is closed, the computer responds with RST/ACK packet, closing the session. o If an attacker’s computer receives a SYN/ACK packet, it responds with RST/ACK, closing the session. o This is done so a full TCP connection is not made. This can be stealthy as attackers don’t want a transaction logged showing their connection. This would list their IP address. SYN scanning or synchronized scanning is a tactic that a malicious hacker (or cracker) can use to determine the state of a communications port without establishing a full connection. This approach, one of the oldest in the repertoire of crackers, is sometimes used to perform denial-of-service (DoS) attacks. Connect Scan: This type of scan relies on the attacked computers OS. More risker method. - Similar to SYN Scan but does not do a three-way handshake. - This means the attacked computer logs the transaction indicating a session took place. - This makes a Connect Scan detectable and not stealthy. TCP Connect Scan is the default TCP scan type when SYN scan is not an option. This is the case when a user does not have raw packet privileges or is scanning IPv6 networks. ... The system call completes connections to open target ports rather than performing the halfopen reset that SYN scan does. TCP RST packet is the remote side telling you that the connection on which the previous TCP packet is sent is not recognized, maybe the connection has closed, maybe the port is not open, and something like these. ... TCP RST means that connection is not valid. I.e. there is no associated session at remote side. NULL Scan: All packet flags are turned off. A closed port responds to a NULL scan with an RST packet, closing the session, so if no packet is received, the best guess is that the port is open. A Null Scan is a series of TCP packets that contain a sequence number of 0 and no set flags. ... If the port is closed, the target will send an RST packet in response. Information about which ports are open can be useful to hackers, as it will identify active devices and their TCP-based application-layer protocol. XMAS Scan: In this scan, the FIN, PSH, and URG flags are set. - Closed ports respond to this type of packet with an RST packet, closing the session. - This scan can be used to see which ports are open. o Example: an attacker can send a packet to port 53 and see if a RST packet is returned, if not, the DNS port might be open. ACK Scan: Attackers use ACK scans to get past firewalls or filtering device. A filtering device looks for SYN packet, the first packet in a three-way handshake, that the ACK packet is part of. SYN Packet Order: SYN -> SYN/ACK -> ACK. If the attacked port returns an RST packet, the filter was fooled, or the connection is having closed, or there is not packet filtering device. The attacked port is then considered as unfiltered. FIN SCAN: a FIN packet is sent to the target computer. If the port is closed, it sends back an RST packet. When a three-way handshake ends, both parties send a FIN packet to end the connection. UDP SCAN: a UDP packet is sent to the target computer. If the port sends back an ICMP Port Unreachable message, the port is closed. Not getting the message may mean the port is open, but not always true. A firewall of packet filtering device could be active. Hundreds of port-scanning tools are available for hackers and testers. Not all are accurate, so using more than one scanning tool is recommended. Nmap: This is the most common port scanner. This can be used for network discovery and security enumeration. - Example: Nmap 193.145.85.201 - Nmap scans every port on the computer with this IP address. - Must hide from network devices or IDSs that recognise an inordinate number of pings or packets being sent to their networks. - This ACK scan constituted a DoS attack on a network - Use stealth attack that are more difficult to detect. A denial-of-service (DoS) is any type of attack where the attackers (hackers) attempt to prevent legitimate users from accessing the service. In a DoS attack, the attacker usually sends excessive messages asking the network or server to authenticate requests that have invalid return addresses. TTL: Transport Total Length, Time To LIVE, Topology Transmission Load. ICMP: Ping, Internet Control Media Protection, Internet Control Message Protocol. Network Mapping: - Finding LIVE hosts: o Ping sweep o TCP SYN sweep - Map Network Topology: o Traceroute ▪ Sends out ICMP or UDP packets with increasing TTL ▪ Gets back ICMP_TIME_Exceeded message from intermediate routers. Unicornscan: - Very fast, use multiple threads. Can handle TCP, ICMP and IP Port Scanning, it optimises. UDP scanning. Ping Sweeps: - Port scanners can be used to conduct ping sweep of a large network. This is to identity which IP addresses belong to active hosts. - The problem with relying on ping sweeps to identity love hosts is that a computer might be shut down at the time of the sweep and indicate that the IP address doesn’t belong to a live host. - Another problem is that many network administrators configure nodes to not respond to ICMP Echo Requests (type 8) to an ICMP Echo Reply (type 0) Fping: With the Fping tool you can ping multiple IP addresses at the same time on command prompt. Or you can create file of multiple IP addresses and use it. - For example: fping -f name.txt uses names as an input file. - Fping -g 193.145.85.201 193.145.85.220 this looks at IP addresses in this parameter when no input file is available. - fping is a like program which uses the Internet Control Message Protocol (ICMP) echo request to determine if a target host is responding. fping differs from ping in that you can specify any number of targets on the command line, or specify a file containing the lists of targets to ping. HPing: Used to bypass filtering devices by injecting crafted IP packets. Offers a wealth of features. - HPing -help - You can craft any type of packet you like. - hping is a free packet generator and analyser for the TCP/IP protocol distributed by Salvatore Sanfilippo (also known as Antirez). It is a one type of a tester for network security. ... Like most tools used in computer security, hping is useful to both system administrators and hackers. Traceroute: Traceroute is a utility that records the route (the specific gateway computers at each hop) through the Internet between your computer and a specified destination computer. It also calculates and displays the amount of time each hop took. R1-R2-R3-www is my path to www.victim.com R1-R2-R3-db is my path to db.victim.com R1-R2-R3-mail is my path to mail.victim.com Enumeration is defined as the process of extracting usernames, machine names, network resources, shares and services from a system. ... The gathered information is used to identify the vulnerabilities or weak points in system security and tries to exploit in the System gaining phase. - Enumeration tools can be NetBIOS names scanners - Share scanners Nessus to scan vulnerabilities Defences against Port Scanning: - Close all unused ports - Remove unnecessary services - Filter out unnecessary traffic - Find openings before the attackers do - Use smart filtering, based on clients IP. Firewalls: It is important to determine firewall rules so that packet types don’t get through. - Find out distance to firewall using traceroute. - Ping arbitrary destination setting TTL – distance + 1 - If you receive ICMP_TIME_EXCEEDED message, the ping went through Unit 1: Notes: Career Path of a Cyber-Criminal • Script Kiddies: Lowest level of cyber-criminal. Finds code published on the internet and changes it slightly to launch a new variant of a virus. • Virus Writer: Has gained more code writing skills. Creates virus code in spare time and either publishes it on the internet or launches an attack via email. • Spare Time “Cyber-Criminal”: The thrill of virus writing has given way to greater risk taking. The virus writer has now become entrenched in the cyber -criminal world. However, still holds down a regular job. A number of spare time cybercriminals have jobs in the IT industry. • Professional “Cyber-Criminal”: Full time cyber-criminal who makes his money from stealing credit card information of victims or cracking into bank websites and either stealing money or blackmailing the bank. • Phisher: More complex skill set than a professional cyber-criminal. Creates websites that look like, for example, a high street bank. He then steals account passwords when users enter them thinking that they are in their usual site. • Cyber Criminal for Hire: New breed of cyber-criminal that hires out his skills to organised criminals for the highest price.