Principles of Computer Security

Principles of Computer Security: CompTIA Security+® and Beyond, Third Edition
Chapter 15: Types of Attacks and Malicious Software
© 2012
Objectives
• Describe various types of computer and network
attacks, including denial-of-service, spoofing,
hijacking, and password guessing.
• Identify the different types of malicious software
that exist, including viruses, worms, Trojan
horses, logic bombs, time bombs, and rootkits.
• Explain how social engineering can be used as a
means to gain access to computers and networks.
• Describe the importance of auditing and what
should be audited.
Key Terms
• Backdoor
• Birthday attack
• Botnet
• Buffer overflow
• Denial-of-service (DoS) attack
• Distributed denial-of-service (DDoS) attack
• DNS kiting
• Drive-by download attack
• Header manipulation
• Injection attack
• Man-in-the-middle attack
• Null session
• Pharming
• Phishing
• Ping sweep
• Port scan
• Replay attack
• Sequence number
• Smurf attack
• Sniffing
• Spear phishing
• Spoofing
• Spyware
• SYN flood
• Transitive attack
Avenues of Attack
• Specific targets
– Chosen based on attacker’s motivation
– Not reliant on target system’s hardware and
software
• Targets of opportunity
– Systems with hardware or software vulnerable to a
specific exploit
– Often lacking current security patches
The Steps in an Attack
1. Conducting reconnaissance
2. Scanning
3. Researching vulnerabilities
4. Performing the attack
5. Creating a backdoor
6. Covering tracks
Conducting Reconnaissance
• Gather as much information as possible about
the target system and organization.
– Use the Internet.
– Explore government records.
– Use tools such as Whois.Net.
• Don’t worry yet whether the information being
gathered is relevant or not.
Scanning
• Identify target systems that are active and
accessible.
– Ping sweep
– Port scan
• Identify the operating system and other specific
application programs running on system.
– Analyzing packet response
Researching Vulnerabilities
• Wealth of information available through the
World Wide Web
– Lists of vulnerabilities in specified OS and application
programs
– Tools created to exploit vulnerabilities
Performing the Attack
• Matching an attack to an identified vulnerability
Creating a Backdoor
• Provides future access to the attacker
– May create “authorization” for themselves
– Could install an agent
Covering Their Tracks
• In an effort to remain undetected, attackers
endeavor to cover their tracks:
– Erase pertinent log files from the system.
– Change file time stamps to appear unaltered.
Minimizing Possible Avenues of Attack
• Ensure all patches are installed and current.
• Limit the services being run on the system.
– Limits possible avenues of attack
– Reduces number of services the administrator must continually patch
• Limit the amount of publicly available data about the system and organization.
Attacking Computer Systems
and Networks
• An attack is an attempt by an unauthorized
person to:
– Gain access to or modify information
– Assume control of an authorized session
– Disrupt the availability of service to authorized
users
Attacking Computer Systems
and Networks (continued)
• Variety of methods used to carry out attacks
• Attacks on specific software
– Rely on code flaws or software bugs
– Indicates lack of thorough code testing
• Attacks on a specific protocol or service
– Take advantage of or use a service or protocol in
an unintended manner
Types of Attacks
• Denial-of-service
• Backdoors/Trapdoors
• Null sessions
• Sniffing
• Spoofing
• Man-in-the-middle
• Replay
• TCP/IP hijacking
• Drive-by downloads
• Phishing/pharming
• Attacks on encryption
• Address system attacks
• Password guessing
• Hybrid attack
• Birthday attack
• Injection attack
Denial-of-Service Attack
• Exploit known identified vulnerabilities
• Purpose is to prevent normal system
operations for authorized users
• Can be accomplished in multiple ways
– Take the system offline
– Overwhelm the system with requests
SYN Flood Attack
• An example of a DoS attack targeting a specific
protocol or service
– Illustrates basic principles of most DoS attacks
• Exploit a weakness inherent to the function of
the TCP/IP protocol
– Uses TCP three-way handshake to flood a system
with faked connection requests
TCP Three-Way Handshake
• System 1 sends SYN packet to System 2.
• System 2 responds with SYN/ACK packet.
• System 1 sends ACK packet to System 2 and
communications can then proceed.
Steps of a SYN Flood Attack
1. Communication request sent to target system.
2. Target responds to faked IP address.
3. Target waits for non-existent system response.
4. Request eventually times out.
5. If the attacks outpace the requests timing out, then the system's resources will be exhausted.
[Figure: SYN Flood Attack]
Distributed Denial-of-Service Attack (DDoS)
• Goal is to deny access or service to authorized users
– Uses resources of many systems combined into an attack network
– Overwhelms target system or network
– With enough attack agents, even simple web traffic can quickly affect a large website
[Figure: Denial-of-Service Attack]
Ping of Death (POD)
• Another example of a DoS attack.
– Illustrates an attack targeting a specific application.
• Attacker sends ICMP ping packet > 64KB.
– This ping packet size should not occur naturally.
• ICMP packet will crash certain systems unable to handle it.
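The slide's point is that a ping larger than the protocol allows only crashes a system whose IP stack copies the reassembled fragments into a fixed-size buffer without checking the total. The IPv4 total-length field is 16 bits, so a reassembled datagram can never legitimately exceed 65,535 bytes. The check below is an added example written for this chapter (not code from the textbook): it computes the size a set of fragments would reassemble to and rejects any set that would exceed the limit. The fragment offsets and payload lengths are constructed sample values.

```python
"""IPv4 fragment reassembly length check. Added example with constructed
fragments; not code from the textbook."""

IPV4_MAX_DATAGRAM = 65_535      # the total-length field is 16 bits
IPV4_MIN_HEADER = 20            # header bytes without options


def reassembled_data_length(fragments):
    """Highest data byte any fragment claims to occupy.

    A fragment's offset field counts 8-byte units of the data portion, so a
    fragment covers data bytes [offset*8, offset*8 + payload_len).
    """
    return max(f["offset"] * 8 + f["payload_len"] for f in fragments)


def violates_max_length(fragments, header_len=IPV4_MIN_HEADER):
    """True when reassembly would exceed the 65,535-byte IPv4 limit.

    This is the condition a reassembly routine must test before copying
    data into a fixed-size buffer; the ping-of-death crash is what happens
    when it does not.
    """
    return reassembled_data_length(fragments) + header_len > IPV4_MAX_DATAGRAM


def drop_oversized(fragment_sets):
    """Filter policy over a mapping of datagram id -> fragments: keep the ids
    that reassemble within the limit, report the ones that do not."""
    kept, rejected = [], []
    for ident, frags in fragment_sets.items():
        (rejected if violates_max_length(frags) else kept).append(ident)
    return {"kept": kept, "rejected": rejected}


# Constructed fragment sets (not captured traffic). Each fragment: offset in
# 8-byte units, payload bytes, more-fragments flag.
NORMAL_PING = [
    {"offset": 0, "payload_len": 1480, "mf": True},
    {"offset": 185, "payload_len": 520, "mf": False},    # data ends at byte 2000
]
OVERSIZED_PING = [
    {"offset": 0, "payload_len": 1480, "mf": True},
    {"offset": 8189, "payload_len": 1480, "mf": False},  # data ends at byte 66,992
]

if __name__ == "__main__":
    print(drop_oversized({1: NORMAL_PING, 2: OVERSIZED_PING}))
```

The same arithmetic is what a border filter or IDS applies when it tracks fragments per datagram id: it does not need to reassemble, only to add the last fragment's offset and length and compare against the limit.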
Preventing DoS & DDoS Attacks
• Ensure necessary patches and upgrades
remain current.
• Change time-out period for TCP connections.
• Distribute workload across several systems.
• Block external ICMP packets at border.
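The SYN flood steps above and the "change time-out period" item on this slide describe the same mechanism from two sides: each spoofed SYN occupies a half-open slot until it times out, so the backlog fills when SYNs arrive faster than old ones expire. The simulation below is an added example written for this chapter (not code from the textbook). It replays a constructed stream of spoofed SYNs against a listen backlog and reports how many later SYNs found no slot; the 10 SYN/s rate, 128-slot backlog, and 75 s and 3 s timeouts are assumed parameters, not figures from the slides.

```python
"""Listen-backlog model of a SYN flood. Added example with constructed
traffic; not code from the textbook."""
from collections import deque


def simulate_syn_flood(syn_arrivals_ms, timeout_ms, backlog_limit):
    """Replay spoofed SYN arrival times (milliseconds) against a listen backlog.

    Every SYN that wins a slot holds it until timeout_ms elapses, because the
    faked source address never completes the handshake (steps 2-4 of the
    slide). Returns how many SYNs found no free slot and the peak number of
    half-open connections.
    """
    half_open = deque()          # expiry time of each occupied slot, oldest first
    dropped = 0
    peak = 0
    for t in syn_arrivals_ms:
        while half_open and half_open[0] <= t:   # step 4: old requests time out
            half_open.popleft()
        if len(half_open) >= backlog_limit:      # step 5: resources exhausted
            dropped += 1
            continue
        half_open.append(t + timeout_ms)         # step 3: wait for a reply that never comes
        peak = max(peak, len(half_open))
    return {"dropped": dropped, "peak_half_open": peak}


def constant_rate_flood(syn_per_second, duration_s):
    """Constructed arrival pattern: evenly spaced SYNs for duration_s seconds."""
    interval_ms = 1000 // syn_per_second
    return list(range(0, duration_s * 1000, interval_ms))


def compare_timeouts(syn_per_second=10, duration_s=60, backlog_limit=128):
    """Run the same flood against a long and a short half-open timeout
    (the 'change time-out period' mitigation). Parameter values are assumed."""
    flood = constant_rate_flood(syn_per_second, duration_s)
    return {
        "timeout_75s": simulate_syn_flood(flood, 75_000, backlog_limit),
        "timeout_3s": simulate_syn_flood(flood, 3_000, backlog_limit),
    }


if __name__ == "__main__":
    for label, result in compare_timeouts().items():
        print(label, result)
```

With the long timeout the backlog fills after 128 SYNs and every later request is dropped; with the short timeout the steady-state occupancy is only rate × timeout = 30 slots, so the same flood never exhausts it. The model ignores legitimate traffic and kernel features such as SYN cookies; shortening the timeout raises the rate an attacker needs, it does not remove the exposure.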
Trapdoors and Backdoors
• Trapdoor
– Hard-coded access built into the program
– Ensures access should normal access methods fail
– Creates vulnerability in systems using the software
• Backdoor
– Ensures continued unrestricted access in the future
– Attackers implant them in compromised systems
– Can be installed inadvertently with a Trojan horse
Null Sessions
• A connection to a Windows inter-process
communication share (IPC$)
– Systems prior to XP and Server 2003 are vulnerable.
– Used by a variety of exploit tools and malware.
– No patch is available.
• Options to counter the vulnerability
– Upgrade systems to Windows XP or newer version
– Only allow trusted users access to TCP ports 139
and 445
Sniffing
• Attacker observes all network traffic.
– Software, hardware, or combination of the two
– Ability to target specific protocol, service, string of
characters, etc.
– May be able to modify some or all traffic en route
• Network administrators can use to monitor and
troubleshoot network performance.
Sniffing (continued)
• Physical security is key in preventing introduction of sniffers on the internal network.
Spoofing
• True source of data is disguised:
– Commonly accomplished by altering packet header
information with false information
– Can be used for a variety of purposes
• Spoofing e-mail:
– From address differs from sending system
– Recipients rarely question authenticity of the e-mail
[Figure: IP Address Spoofing]
[Figure: Spoofing and Trusted Relationships]
Sequence Numbers
• SYN packets include an original sequence
number.
• Sequence numbers are incremented by 1 and
sent back with ACK packets.
Spoofing and Sequence
Numbers
• Attacker must use correct sequence number:
– TCP packet sequence numbers are 32-bit.
– Sequence numbers are incremented by 1.
– Very difficult to guess.
• Insider attacks vs. external attacks
Man-in-the-Middle Attack
• Attacker is positioned between two target hosts:
– Typically accomplished through router manipulation
– Traffic redirected to attacker, then forwarded on
• Benefits:
– Attacker can intercept, modify, and/or block traffic
– Communication appears normal to target hosts
• Limitation:
– Useful data collection reduced if traffic is encrypted
[Figure: Man-in-the-Middle Attack (continued)]
Replay Attack
• Attacker intercepts part of an exchange between
two hosts and retransmits message later.
– Often used to bypass authentication mechanisms
• Prevented by encrypting traffic, cryptographic
authentication, and time-stamping messages.
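The slide names the three ingredients of a replay defense; the example below shows how two of them, cryptographic authentication and time-stamping, fit together at the receiver, and adds a one-time nonce, which the slide does not mention but which is needed to catch a capture replayed inside the freshness window. This is an added example written for this chapter, not code from the textbook; the shared key, message bodies and clock values are constructed.

```python
"""Replay protection for an authenticated message: HMAC over the body,
a timestamp, and a one-time nonce. Added example; key and messages are
constructed, not from the textbook."""
import hashlib
import hmac
import json
import secrets


def _tag(key, payload):
    """HMAC-SHA256 over a canonical JSON encoding of the payload."""
    msg = json.dumps(payload, sort_keys=True).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def make_message(key, body, now):
    """Sender side: bind the body to the send time and a fresh nonce."""
    payload = {"body": body, "ts": now, "nonce": secrets.token_hex(8)}
    return {**payload, "mac": _tag(key, payload)}


class ReplayGuard:
    """Receiver side: accepts each message once, within a freshness window."""

    def __init__(self, key, window_s=30):
        self.key = key
        self.window_s = window_s
        self.seen = {}   # nonce -> timestamp of messages already accepted

    def receive(self, message, now):
        payload = {k: v for k, v in message.items() if k != "mac"}
        # 1. Authenticity: a modified or forged message fails here. The
        #    timestamp and nonce are under the MAC, so an attacker cannot
        #    edit an old capture to make it look fresh.
        if not hmac.compare_digest(_tag(self.key, payload), message.get("mac", "")):
            return (False, "bad mac")
        # 2. Freshness: a capture replayed outside the window is stale.
        if abs(now - payload["ts"]) > self.window_s:
            return (False, "stale")
        # 3. Uniqueness: a capture replayed inside the window repeats a nonce.
        self._forget_old(now)
        if payload["nonce"] in self.seen:
            return (False, "replay")
        self.seen[payload["nonce"]] = payload["ts"]
        return (True, "ok")

    def _forget_old(self, now):
        """Nonces older than the window can be dropped: their messages would
        already be rejected as stale, so the seen-set stays bounded."""
        self.seen = {n: t for n, t in self.seen.items() if now - t <= self.window_s}


if __name__ == "__main__":
    key = b"constructed-shared-key"
    guard = ReplayGuard(key)
    m = make_message(key, "transfer 10", now=1000)
    print(guard.receive(m, now=1005))   # accepted once
    print(guard.receive(m, now=1010))   # same capture again: rejected
```

The order of the checks matters: the MAC is verified first so that the timestamp and nonce are only trusted after they are known to be authentic. The window must be sized to the clock skew between the parties, since the timestamp check rejects honest messages from a badly skewed sender just as it rejects stale captures.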
TCP/IP Hijacking
• Assume control of an already existing session:
– Attacker circumvents authentication.
– Can be disguised with a DoS attack.
– Typically used against web and Telnet sessions.
Drive-by Download Attack
• Unsolicited malware downloads
– May be hidden in legitimate ads or hosted from web
sites that prey on unaware users
Phishing and Pharming
• Phishing
– Fraudulent e-mails designed to trick users into
divulging confidential information
• Pharming
– Fake web sites created to elicit authentic user
credentials
Attacks on Encryption
• Cryptanalysis attempts to crack encryption
• Common methods
– Weak keys
– Exhaustive search of key space
– Indirect attacks
Password Attacks
• Most common user authentication is combination
of user ID and password.
• A compromised password typically indicates a
failure to adhere to good password procedures.
Password Attacks (continued)
• Password attack methods
– Guess
– Dictionary
– Brute force
– Hybrid
– Birthday
Injection Attacks
• SQL injection
• Command injection
• LDAP injection
• XML injection
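All four injection types on this slide share one root cause: untrusted input is concatenated into a statement that an interpreter then parses, so characters in the input change the statement's structure. The example below shows this for SQL, the first item on the list, as an added example written for this chapter (not code from the textbook): a lookup built by string formatting beside the parameterized version, run against a constructed in-memory SQLite table, plus a small review heuristic for spotting such input in logs. The table contents and the `' OR '1'='1` input are constructed sample values.

```python
"""SQL injection: vulnerable string-built query beside the parameterized
fix. Added example with a constructed in-memory table; not code from the
textbook."""
import sqlite3


def build_db():
    """Constructed sample table (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def find_user_vulnerable(conn, username):
    """Untrusted input is pasted into the statement text, so a quote in the
    input closes the literal and the rest is parsed as SQL, not data."""
    sql = f"SELECT username FROM users WHERE username = '{username}' ORDER BY username"
    return [row[0] for row in conn.execute(sql)]


def find_user_parameterized(conn, username):
    """The value travels as a bound parameter: whatever it contains, it is
    compared as a string and never parsed as SQL."""
    sql = "SELECT username FROM users WHERE username = ? ORDER BY username"
    return [row[0] for row in conn.execute(sql, (username,))]


def looks_like_injection(value):
    """Cheap review heuristic for request logs: input that closes a quote and
    then adds a boolean clause, a statement separator, or a comment marker.
    A detection aid only; parameterization is the fix."""
    lowered = value.lower()
    return "'" in value and (" or " in lowered or "--" in value or ";" in value)


if __name__ == "__main__":
    db = build_db()
    probe = "' OR '1'='1"
    print("vulnerable:   ", find_user_vulnerable(db, probe))      # every row
    print("parameterized:", find_user_parameterized(db, probe))  # no row
```

The same pattern applies to the other three items on the slide: build the command, LDAP filter, or XML document with an API that separates structure from data (argument lists instead of a shell string, a filter-escaping function, an XML library rather than string concatenation), and treat the input as a value throughout.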
Software Exploitation
• Take advantage of software bugs/weaknesses
– Results from poor design, inadequate testing, or
inferior code practices.
• Buffer overflow attack
– Most common example of software exploitation
– Program receives more input than it can handle.
– Program may abort, crash the entire system, or allow
attacker to execute malicious commands
Malicious Code
• Viruses
• Trojan horses
• Spyware
• Logic bombs
• Rootkits
• Worms
• Zombies and botnets
Viruses
• Replicate and attach to executable code
– Best-known malicious code
• Common types:
– Boot Sector virus
– Program virus
– Macro virus
– Stealth virus
– Polymorphic virus
Trojan Horses
• Software that appears to do one thing but
contains hidden functionality
– Standalone program that must be installed by user
– Disguised well enough to entice user
– Delivers payload without user’s knowledge
• Prevention
– Never run software of unknown origin or integrity.
– Keep virus-checking program running continuously.
Spyware
• Software capable of recording and reporting a
user's actions:
– Typically installed unbeknownst to users
– Monitors software and system use
– Can steal information through keylogging
• Many states have banned spyware and other
unauthorized software:
– Organizations circumvent with complex EULAs
Logic Bombs
• Malicious code dormant until triggered by a
specified future event:
– Usually installed by authorized user
– Reinforces need for backups
• A time bomb is similar to the logic bomb, but
delivers payload at a predetermined time/date.
Rootkits
• Modifies OS kernel or other process on system
– Originally designed to grant root access
– Designed to avoid being detected and deleted
– Support a variety of malware
– Often operating unbeknownst to user
– Found in OS kernel, application level, firmware, etc.
Types of Rootkits
• Firmware
• Virtual
• Kernel
• Library
• Application level
Worms
• Code that penetrates and replicates on systems
– Doesn’t need to attach to other files or code
– Spread by a variety of methods such as e-mail,
infected web sites, and P2P sharing networks
• Examples
– Morris worm, Love Bug, Code Red, and Samy worm
Worms (continued)
• Key steps in preventing worms:
– Install all patches.
– Use firewalls.
– Implement an intrusion detection system.
– Eliminate unnecessary services.
– Use extreme caution with e-mail attachments.
Zombies and Botnets
• Malware installed on machines creates zombies
under the control of the attacker.
• Large networks of zombies are called botnets.
– Some attackers’ botnets have 1,000,000+ zombies.
– Botnets are responsible for millions of spam messages
daily.
Malware Defense
• Attacks typically exploit multiple vulnerabilities
– Network, OS, application, and user level
• Steps to prevent malware
– Use an antivirus program.
– Ensure all software is up-to-date.
War-dialing and War-driving
• War-dialing attempts to find unprotected modem
connections to a system over phone lines.
– New telephone firewalls restrict access.
• War-driving involves traveling around an area in
search of vulnerable wireless networks.
Social Engineering
• Manipulating authorized users into providing
access to an attacker
• Applies to both virtual and physical access
Security Auditing
• Should be conducted on a regular basis
• May be mandated depending on the industry
• Can be contracted out to another party
• Focus on
– Security perimeter
– Policies, procedures, and guidelines governing security
– Employee training
Chapter Summary
• Describe various types of computer and network
attacks, including denial-of-service, spoofing,
hijacking, and password guessing.
• Identify the different types of malicious software
that exist, including viruses, worms, Trojan
horses, logic bombs, time bombs, and rootkits.
• Explain how social engineering can be used to
gain access to computers and networks.
• Describe the importance of auditing and what
should be audited.