Add to collection(s) Add to saved
  1. Engineering & Technology
  2. Computer Science
  3. Computer Networks

Chapter 15 Outline

advertisement 
Chapter 15 Outline
I.
Attacking Computer Systems and Networks
A. Attacks are attempts by unauthorized individuals to access or modify
information, to deceive the system so that an unauthorized individual can take
over an authorized session, or to disrupt service to authorized users.
B. Attacks on computer systems and networks can be grouped into two broad
categories - attacks on specific software (such as an application or the operating
system itself) and attacks on a specific protocol or service.
1.
Attacks on a specific application or operating system are generally possible
because of either an oversight in the code (and possibly in the testing of that
code) or because of a flaw or bug in the code (again indicating a lack of
thorough testing).
2.
Attacks on specific protocols or services are attempts to either take
advantage of a specific feature of the protocol or service or to use the
protocol or service in a manner for which it was not intended.
C. The target of an attacker can be of two types:
1.
Targets of opportunity where the attacker is attempting to find any machine
that is susceptible to a specific vulnerability.
2.
Defined targets where the attacker wants to gain access to a very specific
target and must attempt to find a vulnerability that exists in that target.
D. Denial-of-Service attacks.
1.
Denial-of-Service (DOS) attacks can exploit a known vulnerability in a
specific application or operating system, or they may attack features (or
weaknesses) in specific protocols or services. In this form of attack, the
attacker is attempting to deny authorized users access either to specific
information or to the computer system or network itself.
2.
The purpose of such an attack can be to simply prevent access to the target
system, or the attack can be used in conjunction with other actions to gain
unauthorized access to a computer or network.
3.
A SYN flooding attack may be used to prevent service to a system
temporarily to take advantage of a trusted relationship that exists between
that system and another. SYN flooding is an example of a DOS attack that
takes advantage of the way TCP/IP networks were designed to function. It
can be used to illustrate the basic principles of any DOS attack.
a)
SYN flooding utilizes the TCP three-way handshake that is used to
establish a connection between two systems.
b) In a SYN flooding attack, the attacker sends fake communication
requests to the targeted system.
c)
Each of these requests will be answered by the target system, which
then waits for the third part of the handshake.
d) Since the requests are fake (a nonexistent IP address is used in the
requests, so the target system is responding to a system that does not
exist), the target will wait for responses that will never come.
e)
The target system will drop these connections after a specific time-out
period, but if the attacker sends requests faster than the time-out period
eliminates them, the system will quickly be filled with requests.
f)
The number of connections a system can support is finite, so when
more requests come in than can be processed, the system will soon be
reserving all its connections for fake requests.
g) At this point, any further requests are simply dropped (ignored), and
legitimate users who want to connect to the target system are denied
access.
4.
Another simple DOS attack is the famous ping-of-death (POD) attack. It
illustrates attack targeted at a specific application or operating system, as
opposed to SYN flooding, which targets a protocol.
a)
In the POD attack, the attacker sends an Internet Control Message
Protocol (ICMP) “ping” packet equal to, or exceeding 64KB (which is
to say, greater than 64 * 1024 = 65,536 bytes).
b) This type of packet should not occur naturally (a ping packet should not
be larger than 64KB).
c)
Certain systems were not able to handle this size of packet, and the
system would hang or crash.
5.
A Denial-of-Service attack employing multiple attacking systems is known
as a distributed Denial-of-Service (DDOS) attack.
a)
The goal of a DDOS attack is to deny the use of or access to a specific
service or system.
b) In a DDOS attack, the method used to deny service is simply to
overwhelm the target with traffic from many different systems.
c)
A network of attack agents (sometimes called zombies) is created by
the attacker. Upon receiving the attack command from the attacker, the
attack agents start sending a specific type of traffic against the target.
d) The attack agents are not willing agents—they are systems that have
been compromised and on which the DDOS attack software has been
installed. To compromise these agents, the attacker needs to gain
unauthorized access to the system or trick authorized users to run a
program that installs the attack software.
e)
The creation of the attack network may in fact be a multistep process in
which the attacker first compromises a few systems that are then used
as handlers or masters, and which in turn compromise other systems.
f)
Once the network has been created, the agents wait for an attack
message that will include data on the specific target before launching
the attack.
6.
One important precaution to take to stop or mitigate the effects of a DOS or
DDOS attack is to ensure that the latest patches and upgrades have been
executed on systems and the applications running on them.
7.
Another approach involves changing the time-out option for TCP
connections so that attacks, such as the SYN flooding attack, are difficult to
perform because unused connections are dropped more quickly.
8.
For DDOS attacks, the workload can be distributed across several systems
so that any attack against the system would have to target several hosts to
be completely successful. This is an attempt to mitigate the effect of the
attack, as opposed to preventing or stopping an attack.
9.
To prevent a DDOS attack, it is important to either intercept or block the
attack messages or keep the DDOS network from being established in the
first place. The problem with this type of prevention approach, however, is
that it is not something that can be done to prevent an attack on the network.
It is something that can keep the network from being used to attack other
networks or systems.
10. An efficient way to counter several forms of DOS and DDOS attacks is to
block ICMP packets at the organization’s server end since many attacks rely
on ICMP.
E. Backdoors and trapdoors.
1.
Backdoors were originally methods used by software developers to ensure
that they could gain access to an application even if something were to
happen in the future to prevent normal access methods.
2.
A hard-coded password that could be used to gain access to the program in
the event that administrators forgot their own system password is
sometimes referred to as a trapdoor.
3.
The term backdoor is also used to refer to programs that attackers install
after gaining unauthorized access to a system to ensure that they can
continue to have unrestricted access, even if their initial access method is
discovered and blocked. Backdoors can also be installed by authorized
individuals inadvertently, should they run software that contains a Trojan
horse.
4.
A variation on the backdoor, are the rootkits. They are established not to
gain root access but rather to ensure continued root access. Rootkits are
generally installed at a lower level, closer to the actual kernel level of the
operating system.
F. Sniffing.
1.
A network sniffer is a software or hardware device used to observe traffic
as it passes through a network on shared broadcast media. The device can
be used to view all traffic, or it can target a specific protocol, service, or
even a string of characters.
a)
The network device that connects a computer to a network is designed
to ignore all traffic that is not destined for that computer.
b) Network sniffers ignore this friendly agreement and observe all traffic
on the network, whether destined for that computer or others.
c)
A network card that is listening to all network traffic and not just its
own is said to be in “promiscuous mode.”
d) Some network sniffers are designed not just to observe all traffic but to
modify traffic as well.
2.
For network sniffers to be most effective, they need to be on the internal
network. This means that the chances for outsiders to use them against the
organization are extremely limited.
G. Spoofing.
1.
Spoofing is nothing more than making data look like it has come from a
different source.
2.
Spoofing e-mail.
a)
E-mail spoofing means sending a message with an address that is
different from the one from which it was sent.
b) This can be easily accomplished, and there are several different ways to
do it.
(1) A very simple method often used to demonstrate how simple it is
to spoof an e-mail address is to telnet to port 25 (the port
associated with e-mail) on a system.
(c) A variation on e-mail spoofing, though it is not technically spoofing, is
for the attacker to acquire a URL close to the one they want to spoof so
that e-mail sent from their system appears to have come from the
official site unless the address is read carefully.
3.
IP address spoofing.
a)
The way the IP protocol is designed to work is to have the originators
of any IP packet include their own IP address in the “From” portion of
the packet.
b) While this is the intent, there is nothing that prevents a system from
inserting a different address in the “From” portion of the packet.
4.
Spoofing and trusted relationships.
a)
Spoofing can also take advantage of a trusted relationship between two
systems.
b) If two systems are configured to accept the authentication
accomplished by each other, an individual logged on to one system
might not be forced to go through an authentication process again to
access the other system.
(1) An attacker can take advantage of this arrangement by sending a
packet to one system that appears to have come from a trusted
system.
(2) Since the trusted relationship is in place, the targeted system may
perform the requested task without authentication.
c)
Often a reply is sent once a packet is received. However, the system
that is being impersonated could interfere with the attack, as it would
receive an acknowledgement for a request it never made.
(1) The attacker will often initially launch a DOS attack (such as a
SYN flooding attack) to disable the spoofed system temporarily
for the period of time that the attacker is exploiting the trusted
relationship.
(2) Once the attack is completed, the DOS attack on the spoofed
system would be terminated and possibly, apart from having a
temporarily non-responsive system, the administrators for the
systems may never notice that the attack occurred.
d) Administrators are encouraged to limit any trusted relationships
between hosts. Firewalls should also be configured to discard any
packets from outside of the firewall that have From addresses
indicating they originated from inside the network.
5.
Spoofing and sequence numbers.
a)
Spoofing attacks from inside a network are much easier to perform than
attacks from outside. This is because insiders can observe the traffic to
and from the target and can also formulate the necessary packets.
b) Formulating the packets is more complicated for external attackers
because there is a sequence number associated with TCP packets.
(1) A sequence number is a 32-bit number established by the host
that is incremented for each packet sent.
(2) Packets are not guaranteed to be received in order, and the
sequence number can be used to help reorder packets as they are
received and to refer to packets that may have been lost in
transmission.
c)
In the TCP three-way handshake, two sets of sequence numbers are
created.
(1) The first system chooses a sequence number to send with the
original SYN packet that it sends.
(2) The system receiving this SYN packet acknowledges with a
SYN/ACK.
(3) It sends back the first sequence number plus one (that is, it
increments the sequence number sent to it by one).
(4) It then creates its own sequence number and sends that along
with it.
(5) The original system receives the SYN/ACK with the new
sequence number.
(6) It increments the sequence number by one and uses it in an ACK
package that it responds to.
d) The difference in the difficulty of attempting a spoofing attack from
inside a network and from outside involves determining the sequence
number.
(1) An insider can observe the traffic the target host responds with
and the sequence number the system creates, and therefore, can
respond with the correct sequence number.
(2) If the attacker is external to the network, the sequence number the
target system generates will not be observed, making it difficult
for the attacker to provide the final ACK with the correct
sequence number.
e)
Predicting sequence numbers is possible.
(1) Sequence number for each session is not started from the same
number, so that different packets from different concurrent
connections will not have the same sequence numbers.
(2) Instead, the sequence number for each new connection is
incremented by some large number to keep them from being the
same.
(3) The sequence number may also be incremented by some large
number every second (or some other time period).
H. Man-in-the-middle attacks
1.
A man-in-the-middle attack generally occurs when attackers are able to
place themselves in the middle of two other hosts that are communicating in
order to view and/or modify the traffic.
a)
Ideally, this is done by ensuring that all communication going to or
from the target host is routed through the attacker's host (which may be
accomplished if the attacker can compromise the router for the target
host).
b) The attacker can then observe all traffic before relaying it and can
actually modify or block traffic.
2.
The amount of information that can be obtained in a man-in-the-middle
attack will be limited if the communication is encrypted.
3.
Man-in-the-middle attacks on encrypted traffic.
a)
The term “man-in-the-middle attack” is sometimes used to refer to a
more specific type of attack—one in which the encrypted traffic issue is
addressed.
b) To communicate securely with your friend Bob, you might ask him for
his public key so you could encrypt your messages to him and likewise,
you, in turn, would supply Bob with your public key.
(1) An attacker can conduct a man-in-the-middle attack by
intercepting your request for Bob's public key and sending your
public key to him.
(2) The attacker would replace your public key with the attacker's
public key, and would send it to Bob.
(3) The attacker's public key would also be sent to you by the
attacker instead of Bob's public key.
(4) Now, if a message is encrypted by you or Bob, it will be
encrypted using the attacker's public key.
(5) The attacker can now intercept it, decrypt it, and then send it by
re-encrypting it with the appropriate key for either you or Bob.
I. Replay attacks.
1.
A replay attack is where the attacker captures a portion of a communication
between two parties and retransmits later. These attacks are associated with
attempts to circumvent authentication mechanisms, such as capturing and
reusing a certificate.
2.
These attacks can be prevented using encryption, cryptographic
authentication, and time stamps. If a portion of the certificate or ticket
includes a date/time stamp or an expiration date/time, and this portion is
also encrypted as part of the ticket or certificate, replaying it later will prove
useless, since it will be rejected as having expired.
J. TCP/IP hijacking.
1.
The terms TCP/IP hijacking and session hijacking are used to refer to the
process of taking control of an already existing session between a client and
a server.
a)
An attacker attempting session hijacking does not have to circumvent
any authentication mechanisms, as the user has already authenticated
and established the session.
b) Once the user has completed the authentication sequence, the attacker
can then usurp the session and carry on as if the attacker, and not the
user, had authenticated with the system.
c)
To prevent the user from noticing anything unusual, the attacker may
decide to attack the user's system and perform a DOS attack on it. As a
result, the user is unlikely to notice the extra traffic that is taking place
on the system.
2.
Hijack attacks generally are used against Web and telnet sessions. Sequence
numbers are also applied to session hijacking, since the hijacker will need to
provide the correct sequence number to continue the appropriate sessions.
K. Attacks on encryption.
1.
Cryptography is the art of “secret writing,” and encryption is the process of
transforming plaintext into an unreadable format known as ciphertext using
a specific technique or algorithm.
2.
Cryptanalysis is the process of attempting to break a cryptographic system.
It is an attack on the specific method used to encrypt the plaintext.
3.
Weak keys.
a)
Certain encryption algorithms may have specific keys that yield poor,
or easily decrypted ciphertext.
b) Any key with long strings of 0's would yield portions of the ciphertext
that were the same as the plaintext.
4.
Exhaustive search of key space.
a)
Even if the specific algorithm used to encrypt a message is complicated
and has not been shown to have weak keys, the key length will still
play a significant role in how easy it is to attack the method of
encryption.
b) The longer a key is, the harder it will be to attack.
5.
Indirect attacks.
a)
One of the most common ways of attacking an encryption system is to
find weaknesses in mechanisms surrounding cryptography.
b) In attacks that target these types of weaknesses, it is not the
cryptographic algorithm itself that is being attacked, but rather the
implementation of that algorithm in the real world.
L. Password guessing.
1.
The most common form of authentication is the userID and password
combination.
2.
Poor password choices
a)
The least technical of the various password-attack techniques includes
an attacker attempting to guess the password of an authorized user of
the system or network.
b) Guessing passwords works because people generally pick poor
passwords. The problem users face is that they need to select a
password they can remember.
c)
An attacker can guess a user’s password if they can obtain a valid
userID and a little bit of information about the user.
(1) Obtaining valid userIDs is often a simple matter, because
organizations tend to use an individual's name in some
combination.
(2) Organizations sometimes make it even easier for attackers to
obtain this sort of information by posting the names of their
“management team” and other individuals, sometimes with short
biographies, on their Web sites.
d) Even if the person does not use some personal detail as their password,
the attacker may still get lucky, since many people pick a common
word for their password.
4.
Dictionary attack
a)
Another method of determining passwords is to use a passwordcracking program.
b) These programs often use a dictionary of words—the words can be
used by themselves, or two or more smaller ones may be combined to
form a single possible password.
c)
The programs often permit the attacker to create various rules that tell
the program how to combine words to form new possible passwords.
(1) Users commonly substitute certain numbers for specific letters. If
a rule were created that tried all words in the dictionary and then
tried the same words substituting the numbers for specific letters,
the password would be cracked.
(2) Rules can also be defined so that the cracking program will
substitute special characters for other characters, or combine
words together.
5.
Brute-force attack
a)
A brute-force attack entails the password-cracking program attempting
all possible password combinations.
b) The length of the password and the size of the set of possible characters
in the password will greatly affect the time a brute-force attack will
take.
c)
With the increase in computer speed, the time it takes to generate
password combinations makes it much more feasible to launch bruteforce attacks against certain computer systems and networks.
d) A brute-force attack on a password can take place at two levels.
(1) It can be an attack on a system where the attacker is attempting to
guess the password at the login prompt. The attack can be made
more difficult by locking the account after a few failed login
attempts.
(2) It can be an attack against the list of passwords contained in a
password file. The attack can be thwarted by securely
maintaining the password file so that others may not obtain a
copy of it.
6.
Birthday attack
a)
The birthday attack is a special type of brute-force attack.
b) It gets its name from something known as the birthday paradox, which
states that in a group of at least 23 people, the chance that there will be
two individuals with the same birthday is greater than 50 percent.
M. Software exploitation
1.
An attack that takes advantage of bugs or weaknesses in software is referred
to as software exploitation.
2.
These weaknesses can be the result of poor design, poor testing, or poor
coding practices.
3.
One common weakness that has been exploited on a number of occasions is
buffer overflows. A buffer overflow occurs when a program is provided
more data for input than it was designed to handle.
N. Wardialing and WarDriving
1.
Wardialing is the term used to describe an attacker's attempt to discover
unprotected modem connections to computer systems and networks.
2.
Wardialing is successful, mostly because of rogue modems which are
unauthorized modems attached to computers on a network by authorized
users.
3.
New technology has been developed to address this common backdoor into
corporate networks. Telephone firewalls have been created, which block
any unauthorized modem connections into an organization.
4.
Another avenue of attack on computer systems and networks has seen a
tremendous increase over the last few years because of the increase in the
use of wireless networks.
a)
Wireless networks allow access to a network and resources from
anywhere.
b) To ensure access throughout a facility, stations are often placed at
numerous locations, some of which may actually provide access to
areas outside of the organization in order to ensure that the farthest
offices in the organization can be reached.
(1) Frequently, access extends into adjacent offices or into the
parking lot or street.
(2) Attackers can locate these access areas that fall outside of the
organization and attempt to gain unauthorized access.
c)
The term WarDriving refers to the activity where attackers wander
throughout an area (often in a car) with a computer with wireless
capability, searching for wireless networks they can access.
O. Social engineering
1.
Social engineering relies on lies and misrepresentation, which an attacker
uses to trick an authorized user into providing information or access the
attacker would not normally be entitled.
2.
Social engineering also applies to physical access.
a)
Due to poor security practices, attackers can gain physical access to an
office. Given a little unsupervised time, a userID and password pair
might be found on a notepad or sticky note.
b) Unsupervised access may not even be required, depending on how poor
the security practices of the organization are.
II. Malware
A. The term Malware (which is also known as malicious code) refers to software
that has been designed for some nefarious purpose. Such software may be
designed to cause damage to a system by deleting all files, for example, or it may
be designed to create a backdoor in the system in order to grant access to
unauthorized individuals.
B. Generally, the installation of malicious code is done so that it is not obvious to the
authorized users.
C. Viruses
1.
A virus is a piece of malicious code that replicates by attaching itself to
another piece of executable code.
a)
When the other executable code is run, the virus also executes and has
the opportunity to infect other files and perform any other nefarious
actions it was designed to do.
b) The specific way that a virus infects other files, and the types of files it
infects, depends on the type of virus.
2.
Boot sector virus.
a)
A boot sector virus infects the boot sector portion of either a floppy
disk or a hard drive.
(1) When a computer is first turned on, a small portion of the
operating system is initially loaded from hardware.
(2) This small operating system then attempts to load the rest of the
operating system from a specific location (sector) on either the
floppy or the hard drive. A boot sector infects this portion of the
drive.
3.
Program virus.
a)
Another type of virus is the program virus, which attaches itself to
executable files—typically files ending in .exe or .com on Windowsbased systems.
b) The virus is attached in such a way that it is executed before the
program. Most program viruses also hide a nefarious purpose, such as
deleting the hard drive. It is triggered by a specific event, such as a date
or after a certain number of files is infected.
c)
Like other types of viruses, program viruses are often not detected until
after they execute their malicious payload.
4.
Macro virus.
a)
The proliferation of software that include macro-programming
languages has resulted in a new breed of virus— the macro virus.
b) This type of virus is so common today that it is considered a security
best practice not to open a document attached to an e-mail if it seems at
all suspicious.
5.
Avoiding virus infection.
a)
It is a good security practice to be always cautious about executing
programs or opening documents.
b) Another security best practice for protecting against virus infection is to
install and run an antivirus program.
c)
The introduction of stealth virus techniques and polymorphic viruses
has made it more difficult for antivirus software to detect viruses.
(1) A stealthy virus employs techniques to help evade being detected
by antivirus software that uses checksums or other techniques.
(2) Polymorphic viruses also attempt to evade detection, but they do
so by changing the virus itself (the virus “evolves”). Because the
virus changes, signatures for that virus may no longer be valid,
and the virus may escape detection by antivirus software.
6.
Virus hoaxes.
a)
In a virus hoax, users are informed about a new virus and the extreme
danger it poses.
c)
Hoaxes can actually be even more destructive than just wasting time
and bandwidth.
(1) Some hoaxes warning of a dangerous virus have included
instructions to delete certain files if found on the user's system
that may actually be part of the operating system. Deleting such
files could keep the system from booting properly.
(2) A good security practice is to ensure the authenticity and
accuracy of any virus report before following somebody's advice.
D. Trojan horses.
1.
A Trojan horse, or simply Trojan, is a piece of software that appears to do
one thing (and may, in fact, actually do that thing) but that hides some other
functionality.
2.
Unlike a virus, which reproduces by attaching itself to other files or
programs, a Trojan is a stand-alone program that must be copied and
installed by the user.
3.
An attacker entices the user to copy and run the program, which means that
the program must be disguised as something that the user would want to
run. Once it has been copied and is “inside” the system, the Trojan will
perform its hidden purpose with the user often still unaware of its true
nature.
4.
The best method to prevent the introduction of a Trojan to a system is not to
software if unsure of its origin, security, and integrity. A virus-checking
program may also be useful in detecting and preventing the installation of
known Trojans.
E. Logic bombs.
1.
Logic bombs are a type of malicious software that is deliberately installed,
generally by an authorized user.
2.
A logic bomb is a piece of code that sits dormant for a period of time until
some event invokes its often malicious payload.
a)
If the trigger is some event, such as not finding a specific name in the
personnel file, the code is referred to as a logic bomb.
b) If the event is a specific date or time, the program will often be referred
to as a time bomb.
3.
Logic bombs are difficult to detect because they are often installed by
authorized users and, in particular, have been installed by administrators
who are also often responsible for security.
a)
This demonstrates the need for a separation of duties and a periodic
review of all programs and services that are running.
b) It also illustrates the need to maintain an active backup program so that
if the organization loses critical files to malicious code, only those
transactions are lost since the most recent backup and not the entire
data.
F. Worms.
1.
Worms are pieces of code that attempt to penetrate networks and computer
systems.
a)
Once a penetration occurs, the worm creates a new copy of itself on the
penetrated system.
b) Reproduction of a worm thus does not rely on the attachment of the
virus to another piece of code or to a file, which is the definition of a
virus.
3.
The Morris worm.
a)
Also sometimes referred to as the Internet worm, because of its effect
on the early Internet, the worm was able to insert itself into many
systems connected to the Internet.
c)
The Morris worm was created by a graduate student named Robert
Morris.
(1) It utilized several known vulnerabilities to gain access to a new
system, and it also relied on password guessing to obtain access
to accounts.
(2) Once a system had been penetrated, a small bootstrap program
was inserted into the new system and executed.
(3) This program then downloaded the rest of the worm to the new
system.
(4) The worm had some stealth characteristics to make it difficult to
determine what it was doing.
(5) The worm would not be loaded if a copy of it was already found
on the new system, but it was designed to ignore this check
periodically, reportedly, to ensure that the worm could not be
easily eliminated.
(6) The problem with this plan was that interconnected systems were
constantly being reinfected and eventually the systems were
running so many copies of the worm that the system response
time ground to a stop.
d) While the Morris worm carried no malicious payload, it is entirely
possible for worms to do so.
4.
Code-Red.
a)
On July 19, 2001, over 350,000 computers connected to the Internet
were infected by the Code-Red worm in only 14 hours.
b) The cost estimate for how much damage the worm caused (included
variations of the worm released on later dates) exceeds $2.5 billion.
(1) The vulnerability exploited by the Code-Red worm was not
revealed as a result of the attack since the vulnerability it
exploited had been known for a month.
(2) The worm itself is memory resident so simply turning off the
machine eliminates the worm but unless the system is patched
there is a chance that the system will be re-infected soon after
rebooting and reconnecting to the Internet.
(3) The worm itself did not carry a malicious payload designed to
destroy data on the infected system. If the date was between the
1st and 19th of the month, the worm upon infecting a system
would generate a random list of IP addresses and attempt to
infect them.
(4) The first version of the worm used the same seed for the random
number generator so each system actually generated the same list
of random IP addresses. If the date was between the 20th and 28th
of the month, the worm attempted to launch a Denial-of-Service
attack against a Web Site owned by the White House. After the
28th, the worm remained dormant until the 1st of the next month.
(5) All of this changed when the second version of the worm was
released on July 19th. The second version of the worm did not use
the same seed for each infection, rather, new seeds were utilized
thus causing a different list of random IP addresses to be created.
This resulted in the more than 350,000 machines becoming
infected in 14 hours on July 19th.
(6) Additional problems were seen with this second version as
numerous routers, switches, and other networked devices not
susceptible to infection were sometimes still unable to handle the
data being sent to them causing many of them to crash or reboot.
5.
Slammer
a)
On Saturday, January 25, 2003, the Slammer virus was released which
exploited a buffer overflow vulnerability in computers running
Microsoft's SQL Server or Microsoft SQL Server Desktop Engine.
b) By the next day, the worm had infected at least 120,000 hosts and
caused network outages and disruption of airline flights, elections, and
ATM. At its peak, Slammer- infected hosts were generating a reported
1 terabit of worm-related traffic every second.
c)
The worm doubled in the number of infected hosts every 8 seconds. It
is estimated that it took less than ten minutes to reach global
proportions and infect 90 percent of the possible hosts it could infect.
d) Once a machine was infected (and it took a single packet to infect a
machine), the host would start randomly selecting targets and sending
packets to them to attempt infection at a rate of 25,000 per second.
e)
Like Code-Red, Slammer did not contain a malicious payload. The
problems it caused were a result of the massively overloaded networks,
which could not sustain the traffic being generated by the thousands of
infected hosts.
f)
The worm sent its single packet to a specific UDP port, 1434, which
provided an immediate fix for networks.
6.
Protection against worms
a)
The method of protecting a system depends on the type of worm.
(1) Those attached and propagated through e-mail can be avoided by
following the same guidelines about not opening files and not
running attachments unless users are sure of the origin and
integrity of the message.
(2) Protecting against the Morris type of Internet worm involves
securing systems and networks against penetration as against
human attackers.
b) Installing patches, eliminating unused and unnecessary services,
enforcing good password security, and utilizing firewalls and intrusion
detection systems.
G. Mobile Code
1.
Mobile Code is segments of code sent from another host that is executed on
the system.
2.
The threats to a system from hostile mobile code include disclosure of
information and modification or damage to information.
3.
Safe execution of mobile code requires controlled access to resources.
III. Auditing
A. Auditing is a process of assessing the security state of an organization compared
against an established standard.
B. Ensuring that employees are following established procedures and guidelines is
one of the methods to address the numerous possible attacks that have been
discussed in this chapter.
C. The important element in auditing is the standard that is used to evaluate
personnel and procedures.
1.
Organizations from different communities may have widely different
standards, and any audit will need to consider the appropriate elements for
the specific community.
2.
Audits differ from security or vulnerability assessments in that assessments
measure the security posture of the organization but may do so without any
mandated standards to compare them against.
a)
Penetration tests may also be encountered—these are tests conducted
against an organization to see if holes in the organization's security can
be found.
(1) The goal of the penetration test is to penetrate the security rather
than measuring it against some standard.
(2) Penetration tests are often viewed as white-hat hacking in that the
methods used often mirror those that an attacker might use.
D. It is important to conduct some form of security audit or assessment on a regular
basis.
1.
There are many things that may be evaluated during an assessment, but at a
minimum, the security perimeter (with all of its components, including
host-based security) should be examined, as well as the organization's
policies, procedures, and guidelines governing security.
2.
Employee training is another aspect that should be examined, since
employees are the targets of social engineering and password-guessing
attacks.
Related documents
Finding_26
Finding_26
Abstract
Abstract
BUS 3500 Management Information Systems
BUS 3500 Management Information Systems
Introduction to Information Security
Introduction to Information Security
CSCI4911 SPECIAL TOPICS: COMPUTER SECURITY FINAL EXAM
CSCI4911 SPECIAL TOPICS: COMPUTER SECURITY FINAL EXAM
Concerns for College Students - Sexual Assault Response Services
Concerns for College Students - Sexual Assault Response Services
How to Efficiently Communicate When Your Network is Under Attack
How to Efficiently Communicate When Your Network is Under Attack
CISCO ITE1: PC Hardware & Software Study Guide
CISCO ITE1: PC Hardware & Software Study Guide
Download
advertisement