Principles of Computer Security: CompTIA Security+® and Beyond, Third Edition
Chapter 15: Types of Attacks and Malicious Software
© 2012

Objectives
• Describe various types of computer and network attacks, including denial-of-service, spoofing, hijacking, and password guessing.
• Identify the different types of malicious software that exist, including viruses, worms, Trojan horses, logic bombs, time bombs, and rootkits.
• Explain how social engineering can be used as a means to gain access to computers and networks.
• Describe the importance of auditing and what should be audited.

Key Terms
• Backdoor
• Birthday attack
• Botnet
• Buffer overflow
• Denial-of-service (DoS) attack
• Distributed denial-of-service (DDoS) attack
• DNS kiting
• Drive-by download attack
• Header manipulation
• Injection attack
• Man-in-the-middle attack
• Null session
• Pharming
• Phishing
• Ping sweep
• Port scan

Key Terms (continued)
• Replay attack
• Sequence number
• Smurf attack
• Sniffing
• Spear phishing
• Spoofing
• Spyware
• SYN flood
• Transitive attack

Avenues of Attack
• Specific targets
  – Chosen because of the attacker's motivation (who the victim is)
  – The choice does not depend on what hardware or software the target runs
• Targets of opportunity
  – Systems whose hardware or software happens to be vulnerable to an exploit the attacker already has
  – Often lacking current security patches

The Steps in an Attack
1. Conducting reconnaissance
2. Scanning
3. Researching vulnerabilities
4. Performing the attack
5. Creating a backdoor
6. Covering tracks

Conducting Reconnaissance
• Gather as much information as possible about the target system and organization.
  – Use the Internet.
  – Explore government records.
  – Use tools such as Whois.Net.
• Don't worry yet about whether the information being gathered is relevant.

Scanning
• Identify target systems that are active and accessible.
  – Ping sweep
  – Port scan
• Identify the operating system and the specific application programs running on the system.
  – Analyze how the system responds to crafted packets (fingerprinting).

Researching Vulnerabilities
• A wealth of information is available on the World Wide Web:
  – Lists of vulnerabilities in specific operating systems and application programs
  – Tools created to exploit those vulnerabilities

Performing the Attack
• Match an attack to an identified vulnerability.

Creating a Backdoor
• Provides the attacker with future access:
  – May create an account or "authorization" for themselves
  – Could install a remote-access agent

Covering Their Tracks
• To remain undetected, attackers try to cover their tracks:
  – Erase pertinent log files from the system.
  – Change file time stamps so altered files appear untouched.
  – Defenders counter this by forwarding logs to a separate, write-restricted system, so local erasure does not destroy the record.

Minimizing Possible Avenues of Attack
• Ensure all patches are installed and current.
• Limit the services being run on the system.
  – Limits the possible avenues of attack
  – Reduces the number of services the administrator must continually patch
• Limit the amount of publicly available data about the system and organization.

Attacking Computer Systems and Networks
• An attack is an attempt by an unauthorized person to:
  – Gain access to or modify information
  – Assume control of an authorized session
  – Disrupt the availability of service to authorized users

Attacking Computer Systems and Networks (continued)
• A variety of methods is used to carry out attacks.
• Attacks on specific software
  – Rely on code flaws or software bugs
  – Indicate a lack of thorough code testing
• Attacks on a specific protocol or service
  – Take advantage of a service or protocol, or use it, in an unintended manner

Types of Attacks
• Denial-of-service
• Backdoors/trapdoors
• Null sessions
• Sniffing
• Spoofing
• Man-in-the-middle
• Replay
• TCP/IP hijacking
• Drive-by downloads
• Phishing/pharming
• Attacks on encryption
• Address system attacks
• Password guessing
• Hybrid attack
• Birthday attack
• Injection attack

Denial-of-Service Attack
• May exploit a known vulnerability, or may simply exhaust a resource without any bug being involved.
• Purpose is to prevent normal system operation for authorized users.
• Can be accomplished in multiple ways:
  – Take the system offline (crash it).
  – Overwhelm the system with requests.

SYN Flood Attack
• An example of a DoS attack targeting a specific protocol or service
  – Illustrates the basic principle of most DoS attacks: the target commits resources to requests the attacker never completes
• Exploits a weakness inherent in how TCP sets up connections
  – Uses the TCP three-way handshake to flood a system with faked connection requests

TCP Three-Way Handshake
• System 1 sends a SYN packet to System 2.
• System 2 responds with a SYN/ACK packet.
• System 1 sends an ACK packet to System 2, and communication can then proceed.

Steps of a SYN Flood Attack
1. A connection request (SYN) is sent to the target system with a forged source address.
2. The target responds (SYN/ACK) to the faked IP address.
3. The target waits for a response from the non-existent system, holding a half-open connection.
4. The request eventually times out.
5. If new requests arrive faster than old ones time out, the target's table of pending connections (the backlog) is exhausted and legitimate connections are refused.

SYN Flood Attack (figure)

Distributed Denial-of-Service Attack (DDoS)
• Goal is to deny access or service to authorized users.
  – Uses the resources of many systems combined into an attack network.
  – Overwhelms the target system or network.
  – With enough attack agents, even ordinary web traffic can quickly affect a large website.

Denial-of-Service Attack (figure)

Ping of Death (POD)
• Another example of a DoS attack.
  – Illustrates an attack targeting a specific implementation (the IP stack of certain operating systems) rather than the protocol itself.
• The attacker sends a fragmented ICMP echo request that reassembles to more than the 65,535-byte IPv4 maximum (roughly 64KB).
  – A packet of this size should never occur naturally.
• Systems that did not check the reassembled size would crash; the affected stacks were patched in the 1990s, so this is now a historical example.

Preventing DoS & DDoS Attacks
• Ensure necessary patches and upgrades remain current.
• Shorten the time-out period for half-open TCP connections (modern stacks also use SYN cookies, which keep no state until the handshake completes).
• Distribute the workload across several systems.
• Block external ICMP packets at the border.
  – Caveat: blocking all ICMP also breaks useful functions such as path MTU discovery; filter selectively rather than wholesale.

Trapdoors and Backdoors
• Trapdoor
  – Hard-coded access built into a program
  – Intended to ensure access should the normal access methods fail
  – Creates a vulnerability in every system that uses the software
• Backdoor
  – Ensures the attacker continued, unrestricted access in the future
  – Attackers implant them in compromised systems
  – Can be installed inadvertently by running a Trojan horse

Null Sessions
• An anonymous connection to the Windows inter-process communication share (IPC$), which can be used to enumerate users, shares, and policy.
  – Systems prior to Windows XP and Server 2003 allow it by default.
  – Used by a variety of exploit tools and malware.
  – This is default behavior rather than a bug, so no patch removes it; on older systems it is controlled by configuration (the RestrictAnonymous setting).
• Options to counter the vulnerability
  – Upgrade systems to Windows XP or a newer version.
  – Only allow trusted hosts and users to reach TCP ports 139 and 445.

Sniffing
• The attacker observes network traffic as it passes.
  – Software, hardware, or a combination of the two
  – Can target a specific protocol, service, string of characters, etc.
  – On a switched network the attacker normally sees only traffic to and from their own port; seeing everything requires a hub, a mirror port, or a redirection attack.
  – An attacker who can also inject packets may be able to modify some or all traffic en route.
• Network administrators use the same tools to monitor and troubleshoot network performance.

Sniffing (continued)
• Physical security is key in preventing the introduction of sniffers on the internal network.
• Encrypting traffic limits what a sniffer can learn even when one is present.
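The Scanning and SYN Flood slides above describe what a ping sweep, a port scan and a half-open flood look like on the wire. The following added example (it is not from the slide deck) runs a small detector over a constructed connection log to show how each pattern is recognized from records alone. The record layout, every address, and the three thresholds are assumptions made for this example.

```python
"""Detect reconnaissance and SYN-flood patterns in connection records.

Added example for the Scanning and SYN Flood slides; not part of the original
slide deck. The record format and all addresses are constructed for this
example: (time, proto, src, dst, dport, flags), where flags is 'S' for a TCP
SYN, 'A' for the ACK that completes a handshake, and '-' for ICMP echo.
Thresholds are illustrative and would be tuned per network.
"""
import ipaddress
from collections import defaultdict

PING_SWEEP_HOSTS = 8      # one source probing this many hosts with ICMP echo
PORT_SCAN_PORTS = 10      # one source probing this many ports on one host
SYN_FLOOD_HALF_OPEN = 50  # SYNs to one service never followed by an ACK


def constructed_log():
    """Build a fake firewall log (constructed data, not a real capture)."""
    rec, t = [], 0.0
    # 1. Ping sweep: 10.0.0.9 sends ICMP echo to 20 hosts in 192.168.1.0/24.
    for host in range(1, 21):
        rec.append((t, "icmp", "10.0.0.9", f"192.168.1.{host}", 0, "-"))
        t += 0.01
    # 2. Port scan: the same source probes 30 ports on 192.168.1.10 (SYN only).
    for port in range(20, 50):
        rec.append((t, "tcp", "10.0.0.9", "192.168.1.10", port, "S"))
        t += 0.01
    # 3. Legitimate clients complete the handshake to the web server.
    for client in ("10.0.0.21", "10.0.0.22", "10.0.0.23"):
        rec.append((t, "tcp", client, "192.168.1.10", 80, "S"))
        rec.append((t + 0.001, "tcp", client, "192.168.1.10", 80, "A"))
        t += 0.01
    # 4. SYN flood: 200 SYNs from forged, never-repeating sources. The SYN/ACK
    #    goes to the forged address, so no completing ACK ever arrives.
    base = int(ipaddress.IPv4Address("203.0.113.0"))
    for i in range(200):
        rec.append((t, "tcp", str(ipaddress.IPv4Address(base + i)),
                    "192.168.1.10", 80, "S"))
        t += 0.001
    return rec


def analyze(records):
    """Return the sources/targets that exceed each threshold."""
    icmp_targets = defaultdict(set)     # src -> hosts it pinged
    tcp_ports = defaultdict(set)        # (src, dst) -> ports it sent SYNs to
    syn_seen, completed = set(), set()  # (src, dst, dport) opened / finished
    for _t, proto, src, dst, dport, flags in records:
        if proto == "icmp":
            icmp_targets[src].add(dst)
        elif proto == "tcp":
            key = (src, dst, dport)
            if flags == "S":
                tcp_ports[(src, dst)].add(dport)
                syn_seen.add(key)
            elif flags == "A" and key in syn_seen:
                completed.add(key)
    # A flood from spoofed sources cannot be attributed by source address, so
    # half-open connections are counted per target service instead.
    half_open = defaultdict(int)
    for _src, dst, dport in syn_seen - completed:
        half_open[(dst, dport)] += 1
    return {
        "ping_sweep": {s: len(h) for s, h in icmp_targets.items()
                       if len(h) >= PING_SWEEP_HOSTS},
        "port_scan": {f"{s}->{d}": len(p) for (s, d), p in tcp_ports.items()
                      if len(p) >= PORT_SCAN_PORTS},
        "syn_flood": {f"{d}:{p}": n for (d, p), n in half_open.items()
                      if n >= SYN_FLOOD_HALF_OPEN},
    }


if __name__ == "__main__":
    for kind, hits in analyze(constructed_log()).items():
        print(kind, hits)
```

The scan is attributable to 10.0.0.9 because a scanner must use its real address to receive the replies it is after; the flood is reported per target service (192.168.1.10:80) because its forged sources never repeat. A production detector would also window the counts by time, since a legitimate busy server accumulates half-open connections slowly but continuously.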
Spoofing
• The true source of data is disguised:
  – Commonly accomplished by replacing packet header information (such as the source IP address) with false information
  – Can be used for a variety of purposes
• Spoofing e-mail:
  – The From address differs from the system that actually sent the message (basic SMTP does not verify it).
  – Recipients rarely question the authenticity of the e-mail.

IP Address Spoofing (figure)

Spoofing and Trusted Relationships (figure)

Sequence Numbers
• A SYN packet carries the sender's initial sequence number (ISN).
• The other side acknowledges ISN + 1 in its SYN/ACK, and the final ACK acknowledges the responder's ISN + 1; after the handshake, sequence numbers advance by the number of bytes sent.

Spoofing and Sequence Numbers
• To complete a spoofed connection the attacker must supply the correct sequence number:
  – TCP sequence numbers are 32-bit.
  – They are acknowledged as ISN + 1 during the handshake.
  – Very difficult to guess when the ISN is randomized; early TCP stacks used predictable ISNs, which made blind spoofing practical.
• Insider attacks vs. external attacks
  – An insider on the same network segment can sniff the SYN/ACK and read the sequence number; an external attacker never sees the reply sent to the forged address and must guess it blind.

Man-in-the-Middle Attack
• The attacker is positioned between two target hosts:
  – Typically accomplished by manipulating routing (or name or address resolution) so that traffic passes through the attacker
  – Traffic is redirected to the attacker, then forwarded on
• Benefits to the attacker:
  – Can intercept, modify, and/or block traffic
  – Communication appears normal to the target hosts
• Limitation:
  – Useful data collection is reduced if traffic is encrypted and the endpoints authenticate each other; an attacker who can get the victim to accept a substituted key still reads everything.

Man-in-the-Middle Attack (continued, figure)

Replay Attack
• The attacker intercepts part of an exchange between two hosts and retransmits the message later.
  – Often used to bypass authentication mechanisms: the attacker need not understand the message, only resend it.
• Prevented by giving each message freshness (a time stamp, a nonce, or a sequence counter) and binding it to the message with cryptographic authentication. Encryption alone does not help, because a replayed ciphertext is still valid ciphertext.

TCP/IP Hijacking
• Assume control of an already existing session:
  – The attacker circumvents authentication, because the legitimate user already authenticated.
  – Can be disguised with a DoS attack against the legitimate user.
  – Typically used against web and Telnet sessions.

Drive-by Download Attack
• Unsolicited malware downloads
  – May be hidden in legitimate ads or hosted on web sites that prey on unaware users
  – Typically exploit a browser or plug-in vulnerability, so the user need only visit the page.

Phishing and Pharming
• Phishing
  – Fraudulent e-mails designed to trick users into divulging confidential information
• Pharming
  – Redirects users to fake web sites (by poisoning DNS or the local hosts file) that collect authentic user credentials; unlike phishing, the user typed the correct address.

Attacks on Encryption
• Cryptanalysis attempts to crack encryption.
• Common methods:
  – Weak keys
  – Exhaustive search of the key space
  – Indirect attacks (attacking key handling or the implementation rather than the cipher itself)

Password Attacks
• The most common user authentication is the combination of user ID and password.
• A compromised password typically indicates a failure to adhere to good password procedures, though it may also have been captured by phishing, a keylogger, or a breach at another service.
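The Replay Attack slide above says replay is prevented by authentication plus time-stamping. The following added example (not part of the original deck) shows the receiver-side logic that actually stops a replay: an HMAC binds a time stamp and a nonce to the message body, and the receiver rejects anything stale, already seen, or edited. The message layout, the shared key and the 30-second window are constructed for the example.

```python
"""Replay-resistant message authentication.

Added example for the Replay Attack slide; not part of the original deck.
The message layout (ts, nonce, body, mac), the shared key and the 30-second
window are constructed for this example. It shows why authentication alone is
not enough: the receiver must also check freshness and remember nonces.
"""
import hashlib
import hmac
import json
import secrets

FRESHNESS_WINDOW = 30  # seconds a message remains acceptable (illustrative)


def _canonical(fields):
    """Serialize deterministically so sender and receiver MAC identical bytes."""
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def sign_message(key, body, now):
    """Sender: bind body, time stamp and a fresh nonce together under an HMAC."""
    msg = {"ts": int(now), "nonce": secrets.token_hex(8), "body": body}
    msg["mac"] = hmac.new(key, _canonical(msg), hashlib.sha256).hexdigest()
    return msg


class Receiver:
    def __init__(self, key):
        self.key = key
        self.seen = {}  # nonce -> ts; only nonces inside the window are kept

    def accept(self, msg, now):
        # 1. Authenticity: recompute the MAC over everything except "mac".
        unsigned = {k: v for k, v in msg.items() if k != "mac"}
        expected = hmac.new(self.key, _canonical(unsigned),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, str(msg.get("mac", ""))):
            return "reject: bad mac"
        # 2. Freshness: the signed time stamp must be close to our clock.
        if abs(now - msg["ts"]) > FRESHNESS_WINDOW:
            return "reject: stale"
        # 3. Uniqueness: the same nonce inside the window is a replay. Nonces
        #    older than the window are dropped; step 2 already rejects them.
        self.seen = {n: ts for n, ts in self.seen.items()
                     if now - ts <= FRESHNESS_WINDOW}
        if msg["nonce"] in self.seen:
            return "reject: replay"
        self.seen[msg["nonce"]] = msg["ts"]
        return "accept"


def demo():
    """Walk through a capture-and-replay scenario; returns the verdicts."""
    key = b"constructed-shared-key"  # would be provisioned out of band
    rx = Receiver(key)
    m = sign_message(key, "transfer 100 to acct 42", now=1000.0)
    verdicts = [rx.accept(m, now=1001.0)]              # genuine first delivery
    verdicts.append(rx.accept(m, now=1002.0))          # attacker replays it
    tampered = dict(m, body="transfer 900 to acct 42")
    verdicts.append(rx.accept(tampered, now=1003.0))   # body edited
    renonced = dict(m, nonce="00" * 8)
    verdicts.append(rx.accept(renonced, now=1003.0))   # nonce edited to dodge cache
    verdicts.append(rx.accept(m, now=1100.0))          # replayed after window
    return verdicts


if __name__ == "__main__":
    print(demo())
```

The order of the checks matters: the MAC is verified first so that an attacker cannot use the nonce cache or the clock check as a side channel, and the window bounds how many nonces the receiver must remember. Note that the same capture would pass an encrypt-only design unchanged, which is why the slide's "encrypting traffic" is not, by itself, a replay defense.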
Password Attacks (continued)
• Password attack methods
  – Guess (try likely values by hand)
  – Dictionary (try every word in a list)
  – Brute force (try every combination in the key space)
  – Hybrid (dictionary words with mangling rules: capitalization, appended digits, character substitutions)
  – Birthday (collision attacks on the hash function rather than on a particular password)

Injection Attacks
• SQL injection
• Command injection
• LDAP injection
• XML injection
• All share one root cause: untrusted input is concatenated into a command or query that an interpreter then executes.

Software Exploitation
• Takes advantage of software bugs or weaknesses
  – Results from poor design, inadequate testing, or inferior coding practices.
• Buffer overflow attack
  – Most common example of software exploitation
  – The program receives more input than the destination buffer was sized to hold, and the excess overwrites adjacent memory.
  – The program may abort, crash the entire system, or, if the attacker controls what is overwritten, execute the attacker's code.

Malicious Code
• Viruses
• Trojan horses
• Spyware
• Logic bombs
• Rootkits
• Worms
• Zombies and botnets

Viruses
• Replicate by attaching to executable code
  – The best-known malicious code
• Common types:
  – Boot sector virus
  – Program virus
  – Macro virus
  – Stealth virus
  – Polymorphic virus

Trojan Horses
• Software that appears to do one thing but contains hidden functionality
  – A standalone program that must be installed (run) by the user
  – Disguised well enough to entice the user
  – Delivers its payload without the user's knowledge
• Prevention
  – Never run software of unknown origin or integrity.
  – Keep a virus-checking program running continuously.
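The Password Attacks slides list guessing, dictionary, brute force and hybrid methods without showing how they differ in practice. The following added example (not from the slide deck) runs each against a constructed shadow file of salted hashes: the hybrid rules recover passwords that a plain word list misses, brute force recovers a short random one, and a long passphrase survives all three. The accounts, salts, word list and mangling rules are assumptions made for the example; the hash is a single fast SHA-256 so the demonstration runs instantly.

```python
"""Dictionary, hybrid and brute-force password attacks against stored hashes.

Added example for the Password Attacks slides; not part of the original deck.
The shadow entries, salts, word list and mangling rules are constructed for
this example. Hashing is a single salted SHA-256 so the attack runs instantly;
a real password store should use a slow KDF, which multiplies the cost of
every guess below by the same factor.
"""
import hashlib
import itertools
import string


def hash_pw(password, salt):
    """Salted hash as a (deliberately fast) password store would compute it."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


# Constructed shadow file: user -> (salt, hash). The plaintexts appear only
# to build the fixture; the attack functions below never see them.
SHADOW = {
    "alice": ("s1", hash_pw("summer2012", "s1")),   # word + year: hybrid hit
    "bob":   ("s2", hash_pw("Dragon!", "s2")),      # capital + symbol: hybrid hit
    "carol": ("s3", hash_pw("x7q", "s3")),          # short random: brute-force hit
    "dave":  ("s4", hash_pw("correct horse battery", "s4")),  # survives all
}
WORDLIST = ["password", "summer", "welcome", "dragon", "letmein"]


def mangle(word):
    """Hybrid rules: the plain word, then common user 'strengthening' habits."""
    yield word
    yield word.capitalize()
    yield word.upper()
    for suffix in ("1", "123", "!", "2012"):
        yield word + suffix
        yield word.capitalize() + suffix
    yield word.replace("a", "@").replace("o", "0")


def dictionary_attack(shadow, wordlist):
    """Try every mangled word against every user; returns user -> password."""
    cracked = {}
    for user, (salt, digest) in shadow.items():
        for word in wordlist:
            hit = next((c for c in mangle(word) if hash_pw(c, salt) == digest), None)
            if hit is not None:
                cracked[user] = hit
                break
    return cracked


def brute_force(entry, alphabet, max_len):
    """Exhaust every string up to max_len; returns (password or None, guesses)."""
    salt, digest = entry
    guesses = 0
    for length in range(1, max_len + 1):
        for combo in itertools.product(alphabet, repeat=length):
            guesses += 1
            candidate = "".join(combo)
            if hash_pw(candidate, salt) == digest:
                return candidate, guesses
    return None, guesses


def keyspace(alphabet_size, max_len):
    """Number of guesses a full brute force of lengths 1..max_len can need."""
    return sum(alphabet_size ** n for n in range(1, max_len + 1))


if __name__ == "__main__":
    print("dictionary/hybrid:", dictionary_attack(SHADOW, WORDLIST))
    small = string.ascii_lowercase + string.digits
    print("brute force carol:", brute_force(SHADOW["carol"], small, 3))
    print("brute force dave: ", brute_force(SHADOW["dave"], small, 3))
    print("keyspace, 8 chars from 95 printable:", keyspace(95, 8))
```

The salt does not slow down any of these attacks against a single account; it only prevents one computed table from being reused across users. What raises the attacker's cost is the per-guess work of the hash, which is why the defensive half of this picture is a slow KDF rather than a longer salt.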
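The Injection Attacks slide names SQL injection without showing the mechanism. The following added example (not from the slide deck) places a deliberately vulnerable login query beside its parameterized fix and runs two classic payloads against both, using an in-memory SQLite database. The user table, credentials and attack strings are constructed for the example.

```python
"""SQL injection: a vulnerable login query beside its parameterized fix.

Added example for the Injection Attacks slide; not part of the original deck.
The user table, credentials and attack strings are constructed for this
example and run against an in-memory SQLite database, so nothing touches a
real system.
"""
import sqlite3


def make_db():
    """Constructed user table with two accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [("admin", "s3cret-admin", "admin"),
                      ("alice", "wonderland", "user")])
    return conn


def login_vulnerable(conn, username, password):
    """Deliberately vulnerable: user input is pasted into the SQL text, so the
    database cannot tell where the data ends and the query syntax begins."""
    sql = ("SELECT username, role FROM users "
           f"WHERE username = '{username}' AND password = '{password}'")
    return conn.execute(sql).fetchone()


def login_safe(conn, username, password):
    """Fixed: placeholders keep the input as data; the SQL text never changes."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()


def demo():
    """Run the same inputs through both versions; returns (vulnerable, safe)."""
    conn = make_db()
    results = {}
    # Comment injection: the quote closes the string literal and "--" turns
    # the rest of the line, including the password check, into a comment.
    results["comment"] = (login_vulnerable(conn, "admin' --", "wrong"),
                          login_safe(conn, "admin' --", "wrong"))
    # Tautology injection: OR '1'='1' makes the WHERE clause true for every
    # row, so the first account in the table (admin) is returned.
    tautology = "x' OR '1'='1"
    results["tautology"] = (login_vulnerable(conn, tautology, tautology),
                            login_safe(conn, tautology, tautology))
    # Honest credentials work through either path.
    results["honest"] = (login_vulnerable(conn, "alice", "wonderland"),
                         login_safe(conn, "alice", "wonderland"))
    return results


if __name__ == "__main__":
    for name, (vulnerable, safe) in demo().items():
        print(f"{name:10} vulnerable={vulnerable} safe={safe}")
```

The fix is not input filtering: the safe version performs no escaping at all, it simply never lets the interpreter see user input as part of the statement. The same separation of code from data is the remedy for the command, LDAP and XML variants the slide lists.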
Spyware
• Software capable of recording and reporting a user's actions:
  – Typically installed unbeknownst to the user
  – Monitors software and system use
  – Can steal information through keylogging
• Many states have banned spyware and other unauthorized software:
  – Organizations circumvent the bans by disclosing the behavior in complex EULAs.

Logic Bombs
• Malicious code that lies dormant until triggered by a specified future event:
  – Usually installed by an authorized user (an insider)
  – Reinforces the need for backups
• A time bomb is similar to a logic bomb, but delivers its payload at a predetermined time or date.

Rootkits
• Modify the OS kernel or another process on the system
  – Originally designed to retain root access on a compromised Unix host
  – Designed to avoid being detected and deleted
  – Support a variety of other malware
  – Often operate unbeknownst to the user
  – Found in the OS kernel, at the application level, in firmware, etc.

Types of Rootkits
• Firmware
• Virtual
• Kernel
• Library
• Application level

Worms
• Code that penetrates and replicates across systems on its own
  – Doesn't need to attach to other files or code
  – Spreads by a variety of methods, such as e-mail, infected web sites, and P2P sharing networks
• Examples
  – Morris worm, Love Bug, Code Red, and the Samy worm

Worms (continued)
• Key steps in preventing worms:
  – Install all patches.
  – Use firewalls.
  – Implement an intrusion detection system.
  – Eliminate unnecessary services.
  – Use extreme caution with e-mail attachments.
Zombies and Botnets
• Malware installed on machines turns them into zombies under the control of the attacker.
• Large networks of zombies are called botnets.
  – Some attackers' botnets have 1,000,000+ zombies.
  – Botnets are responsible for millions of spam messages daily.

Malware Defense
• Attacks typically exploit multiple vulnerabilities
  – At the network, OS, application, and user level
• Steps to prevent malware
  – Use an antivirus program.
  – Ensure all software is up to date.

War-dialing and War-driving
• War-dialing attempts to find unprotected modem connections to a system over phone lines.
  – Newer telephone firewalls restrict such access.
• War-driving involves traveling around an area in search of vulnerable wireless networks.

Social Engineering
• Manipulating authorized users into providing access to an attacker
• Applies to both virtual and physical access

Security Auditing
• Should be conducted on a regular basis
• May be mandated depending on the industry
• Can be contracted out to another party
• Focus on
  – The security perimeter
  – Policies, procedures, and guidelines governing security
  – Employee training

Chapter Summary
• Describe various types of computer and network attacks, including denial-of-service, spoofing, hijacking, and password guessing.
• Identify the different types of malicious software that exist, including viruses, worms, Trojan horses, logic bombs, time bombs, and rootkits.
• Explain how social engineering can be used to gain access to computers and networks.
• Describe the importance of auditing and what should be audited.