Threats and Network Vulnerabilities
In this chapter, we will discuss threats and network vulnerabilities facing computer users and systems today, and differentiate among them so you will be well equipped to both prevent them and remediate them when they occur. This chapter will cover types of malware and attacks, including viruses, spyware, Trojans, rootkits, DDoS attacks, smurf attacks, phishing, and vishing. It will also detail special types of attacks, such as those made using social engineering, over wireless networks, and utilizing application exploits. Finally, we will look at mitigation and deterrent techniques, as well as the tools available to test and find threats and vulnerabilities, and we will discuss penetration testing versus vulnerability scanning. The core Security+ exam objectives covered in this chapter are as follows:
- Analyze and differentiate among types of malware
- Analyze and differentiate among types of attacks
- Analyze and differentiate among types of social engineering attacks
- Analyze and differentiate among types of wireless attacks
- Analyze and differentiate among types of application attacks
- Analyze and differentiate among types of mitigation and deterrent techniques
- Implement assessment tools and techniques to discover security threats and vulnerabilities
- Within the realm of vulnerability assessments, explain the proper use of penetration testing versus vulnerability scanning
Types of Malware
Malware is a catchall term for software that runs or resides on a computer without the consent of the user. It can be classified broadly according to its purpose, method of execution, and method of propagation. This section will cover the following topics:
- Logic bombs
Adware is malware that seeks to hijack the attention of the user, usually causing additional advertisements to appear, or replacing advertisements that might normally appear with a new one of the adware’s choosing. This is the closest to a gray area when it comes to malware. Adware can be installed without user consent, but it is often installed as part of a software package, as a condition of “free” software. Whether installed with the consent of the user or not, the adware itself can cause an increase in distracting advertisements and pop-ups.
A virus is a form of malware with which people are most familiar. Because of the ubiquity of the term virus, many laymen use virus and malware interchangeably. A virus is not, however, simply any bad program. Most spyware and adware, for instance, are not properly designated as viruses. Viruses are a specific type of malware that modifies existing files in order to function. Another core attribute of a virus is its ability to self-replicate. Any self-replicating program that attaches itself to existing files and runs without user consent may be properly considered a virus.
Worms share an important attribute of viruses in that they are self-replicating and run without user consent. Unlike viruses, worms do not generally attach themselves to existing files, and they generally spread without requiring any user interaction. It is not uncommon for a worm to spread to every computer with a specific vulnerability on a network once a single computer is exposed and infected.
A helpful method for distinguishing between worms and viruses is to remember that worms are notable primarily for their ability to spread over networks and viruses are notable primarily for their ability to change files on a computer.
Another common type of malware gathers information from a targeted system and reports the information it gathers back to the malware controller. This type of malware is known as spyware. Common uses for spyware include gathering data from an infected computer’s disk drives, monitoring user input, such as usernames and passwords, or monitoring network traffic, such as unencrypted HTTPS communications. Spyware can expose private computer use to all types of unauthorized monitoring.
A Trojan is any malware that spreads by disguising itself as legitimate software. This makes these types of programs very similar to the fabled Trojan horse. An example of a Trojan would be a piece of malware that claims your PC may be infected with malware and offers to detect and clean it. The malware would not actually detect and remove real malware from the PC, but instead convince the user to install the Trojan malware instead.
It is not unusual for desirable pirated software to be modified from the original versions to include malware payloads. Any malware that disguises itself as legitimate software is properly classified as a Trojan.
A rootkit is a type of malware that can be extremely difficult to detect. This is because, unlike most malware, which runs as programs on top of the current operating system, rootkits function by inserting themselves between the operating system and the user environment, or by modifying the operation of the operating system itself.
Because rootkits function at such a low level, they are often able to hide their existence effectively from even a determined investigator, as they can simply change the information that is presented to an investigator. Rootkits are the most difficult type of malware to detect and remove. Ways of identifying rootkits are false positives from the anti-virus program as the rootkit surfaces and attempts to interact with the computer, and hooked processes (processes are executable code run in a computer’s RAM).
A backdoor is any piece of malware intended to increase the ease of access of an attacker to a system. Though the backdoor itself may not contain malicious code, it is often the precursor to a more serious attack. A backdoor will often function by opening holes in any anti-malware software installed on the targeted computer and alerting an outside host of the availability of a system for unauthorized access.
A logic bomb is malware with a destructive payload that is not activated immediately upon infection. The criteria for activation could be anything from a specific amount of time since infection or a certain number of “hops” of systems infected to a specific command from a control server. Logic bombs are dangerous because the prevention of damage is dependent on detecting them prior to their activation.
Logic bombs are often created for a specific purpose. As they are often single-use attacks, they are rarely detected by anti-malware software. An example of a logic bomb would be a simple script set to run in the event a user authorization fails. A disgruntled administrator might set a script to run in the event his primary user account is ever disabled, which would remove or modify information on the network.
Another type of malware does not target the information on the computer, or the attention of the user, but, rather, the bandwidth and computing resources of the computer itself. This type of malware, which aims to control many individual PCs, is said to create a botnet. A computer in a botnet is often used to participate in DDoS attacks, as a mail relay to send spam e-mail, or for whatever other use the attacker wants to harness computer power for.
Types of Attacks
Not every attack on a PC depends on placing executable code on the PC itself. Besides malware, a number of network attacks may be attempted. These are generally categorized according to the method of the malicious access or attack. This section will cover the following topics:
- Smurf attacks
- Spear phishing
- Xmas attacks
- Privilege escalation
- Malicious insider threat
- DNS poisoning and ARP poisoning
- Transitive access
- Client-side attacks
A man-in-the-middle attack is just what it sounds like it is. Communications from one point to another may be viewed and possibly changed by a third party, or a man-in-the-middle. In a successful man-in-the-middle attack, the information sent and received by the end-users is intercepted and possibly changed without their knowledge.
In a DDoS (Distributed Denial of Service) attack, hosts from multiple locations work together to create massive amounts of network traffic. This traffic effectively renders the targeted system unable to differentiate between legitimate and malicious traffic, and unable to effectively respond to any but a small portion of the traffic. These types of attacks rely on a large group of willing volunteers, such as the “hacktivist” group Anonymous, or a botnet.
A closely related attack is the simple DoS (Denial of Service) attack. The aim is the same, to render a server incapable of providing network services, but the DoS attack includes any number of methods. This may be as simple as attacking a small, unprotected server with large amounts of traffic from a single source, or as complex as targeting a specific exploit or vulnerability of an online store to corrupt a database. Whatever the specific method, any attack intended to bring a service offline is a DoS attack.
A replay attack is the capture of network communications, especially authentication communication, and the use of captured communications to impersonate an authenticated user. This type of attack can be successful against simple authentication protocols, such as those that accept the same hashed password for multiple authentication sessions.
A smurf attack is a simple method of generating a large amount of network traffic, in that it “pings” the network broadcast address from a spoofed source address. If the target’s network allows forwarding of ping traffic to the broadcast address, every host on the network will simultaneously receive a ping and respond to the target PC, creating an overload of network traffic.
Because this attack is so simple and so well known, most networks are configured to prevent it. For example, they may not allow incoming traffic that claims to be from internal networks, or external traffic that is directed to a network broadcast address.
Spoofing is a term for the common attack method of claiming the identity of another. This spoofing can be in a spam e-mail, where the “From:” or “Sent:” line is forged. It may be done on a network level, as in our Smurf example. It may even be done at the MAC address level, in order to intercept data sent to a shared switch but intended for another host. Any attack that impersonates another user or device is a spoofing attack.
Spam, or unsolicited bulk/commercial e-mail, is a fact of life on networks these days. Spam can be a drain on bandwidth and end-users’ attention. Spam can be reduced by a number of means, including creating approved lists of senders, heuristic/Bayesian filtering of keywords, and specialized identity confirming protocols, such as SPF to combat address spoofing. As long as spammers have incentives to keep sending spam, however, the fight to keep it out of end-user mailboxes will continue.
Phishing (pronounced just like “fishing”) is the practice of attempting to obtain sensitive user information by posing as a trusted third party. This often takes the form of a spam e-mail that seems to be from a trusted source, linking to a website that appears to be legitimate. This website, however, is a copy of the real site, and any information goes to the sender of the original phishing e-mail. Phishing is any form of social engineering that takes advantage of technology to acquire private information.
Spam instant messages, sometimes known as spim, are often used in phishing attacks. Another common vector for the delivery of phishing attacks is cell phone SMS or text messages. These instant messages often come from forged senders, just as in e-mail phishing, and they seek to trick the targets into revealing private information.
To differentiate these attacks from e-mail or web-based phishing attacks, IM and text message phishing can also be referred to as smishing, a combination of SMS and phishing. The goals of this type of phishing are no different – the spim/smishing moniker serves only to specify the media used in the phishing attack.
Phishing over the phone is known as vishing (voice phishing). Just as in e-mail and SMS phishing attacks, scammers who attempt to acquire personal information over the phone pose as a representative of a trusted third party in an attempt to acquire personal information. They will frequently spoof the caller ID information to match the information of the legitimate source they are impersonating. With the ascent of VoIP, mass automated vishing attacks have a lower barrier to entry. Additionally, forged caller ID may present a false sense of security in a way a forged e-mail address no longer does.
In contrast to standard phishing attacks, which are generally sent to massive numbers of recipients, sometimes phishing attacks are tailored for specific targets or groups of targets. If a phishing attack were to impersonate a company intranet site and sent spam e-mail only to employees of that company, as opposed to a public website and a large group of people, this targeted phishing attempt would be an example of spear phishing.
In an Xmas, or Christmas tree, attack, an attacker sends a packet with an unusual number of options or flags set. These types of packets would almost never be created in normal network traffic. The name of this type of attack is derived from the unusual nature of these packets. A packet with these options enabled is said to be lit up like a Christmas tree.
Different devices will react differently to these specially crafted packets. If an attacker knows the responses to be expected from different devices, he may be able to gather data regarding the network. Christmas tree packets can also be useful for creating a DoS attack in the case where network devices cannot process these unusual packets quickly or effectively.
Pharming (phishing + farming) is the practice of redirecting attempts to access a legitimate web page to another web page for the purpose of phishing. For instance, a DNS server may be compromised so that when users on a certain network attempt to access their bank, they are instead sent to a phisher’s copy of the bank’s page.
These attacks vary from a standard phishing attack in that the users are not tricked into attempting to visit a fake site; rather, they attempt to visit a legitimate site and the technology that performs name resolution silently sends them to the impostor’s site.
Any attack in which attackers are able to grant themselves greater permissions than they have been assigned is known as a privilege escalation attack. This can be done by assuming the identity of a more privileged user or process, or by using overlooked privileges to assign new and greater privileges. For example, the “secretaries” security group was accidentally assigned the permission to assign group memberships. If a secretary were to then assign herself as a member of the “administrators” security group, gaining access to log in to servers and delete configuration files, she would have performed a privilege escalation attack.
Malicious Insider Threat
We sometimes think of security threats as originating from external sources only. This is a mistake. A strong security plan takes into account the possible malicious intent of those inside an organization as well. Simply trusting everyone internal to an organization is impractical and unnecessarily risky. The principle of least privilege assignment is one of the primary means by which the malicious insider threat can be mitigated. Other means might include procedures that mitigate the damage any one person can do without being noticed, such as regular job rotation or monitoring.
DNS Poisoning and ARP Poisoning
DNS poisoning and ARP poisoning are the practice of sending false updates to DNS and ARP resolvers with the intent of redirecting traffic intended for certain hosts. A resolver that accepts a false update is said to be poisoned.
In DNS poisoning, the DNS servers are attacked. This can happen at any level of the hierarchy, not necessarily only the domain start of authority. Any DNS servers lower down on the hierarchy will also be poisoned if they query the compromised server for updated name resolution information.
ARP poisoning is a very similar process, but instead of relying on the DNS system to redirect user name resolution, it relies on ARP (Address Resolution Protocol) poisoning via MAC address spoofing to redirect traffic at an even lower level. All traffic on a local switched network intended for a target device can be intercepted with the aid of ARP poisoning. This can allow for man-in-the-middle attacks, including interception, alteration, or DoS attacks.
Transitive access occurs when a machine uses a series of trust to access a system for which trust has not been explicitly established. This can cause a problem where trust is granted accidentally. An example of unintended transitive access could be a client-based VPN that bypasses the firewall. This VPN is configured intentionally to allow a laptop on the outside world to gain access to the internal network. However, if the outside laptop’s user enables Internet connection sharing, any computer on the same outside network would now be able to access the internal network, bypassing the firewall.
Careful planning must be made when establishing trusts to minimize the possibility of unintentional establishment of transitive access.
Closely related to transitive access is the client-side attack. Client access must be granted on some level, but it may be possible for a malicious attacker to utilize the trust that must be granted to clients to gain a greater level of access than intended. The principle of least privilege is important in assigning client permissions, because it is not known when a client computer may be compromised. A trusted client computer that is compromised effectively becomes a trusted malicious user. For example, if users need to be able to query a database, they do not necessarily need to be able to change or remove data as well.
One potentially frightening change in security these days is the parallel processing ability of modern graphics cards, or GPUs. Hackers can potentially use this power to perform brute force attacks, or guesses of a password using random characters, against a client computer and crack passwords with some ease, compared to the limitations of CPUs. Password complexity rules are in danger of becoming useless.
Additionally, it is not recommended to use the LANMAN Protocol, as it is noticeably less secure than other protocols, such as NTLMv2 or Kerberos. LANMAN is especially weak against brute force attacks, as it only stores seven uppercase characters, meaning that passwords longer than seven characters are split into two pieces and can be cracked separately – which, mathematically, is much easier than cracking one long password.
Types of Social Engineering Attacks
There are technical as well as non-technical means of gaining unauthorized access to private data and secured areas. When an attack relies on old-fashioned cunning rather than technical means, the attack is known as social engineering. This section will cover the following topics:
- Shoulder surfing
- Dumpster diving
Shoulder surfing, or the practice of simply viewing information a user has open on his or her screen, is among the most simple ways to glean data. Users may not consider the sensitivity of data they access in public places, or among co-workers who may not be cleared to view certain data. They may leave sensitive data available on a computer screen when they walk away from their computer.
Some basic protections against shoulder surfing include the installation of privacy screens, which limit the angles from which the screen can be viewed; training users not to access private documents in non-private settings; and implementing a policy that automatically locks a computer that is not used after a period of time.
Dumpster diving, or the practice of examining the trash from an organization, is another low-tech way in which your organization’s security may be compromised. Sensitive data can end up in your trash in any number of ways. Sensitive documents should be shredded, and sensitive media or hardware should be destroyed. To protect against dumpster diving, remember that putting something in the trash does not destroy it. If you need to dispose of sensitive data securely, destroy it before it makes it to the trash, or hire a secure shredding and disposal service to destroy it for you.
It is often possible to evade the protections that physically secure an area by accompanying an authorized person though a checkpoint. This practice is known as tailgating. A secured door is ineffective if anyone who is authorized to go through it will allow anyone through.
At a minimum, users should be trained to allow access only to those who are personally known to them. This includes people who may have their arms full with equipment, or are pushing a cart or wearing a uniform. The corporate culture should stress that each person must authenticate. However, people may not be comfortable closing a door on someone who attempts to follow them through. There is a strong social expectation of helpfully holding doors open.
To protect against this “helpful” behavior, a security checkpoint may be instituted and monitored by a security guard. One such checkpoint is the mantrap. In a mantrap, a set of two doors controls access to a secure area. A person attempting to gain access to the secure area must pass through the first set of doors, which then must close behind the person. This small authentication area is generally not large enough for multiple people. Then, the person must authenticate before the second set of doors will open. If the person fails to authenticate, he or she will be trapped until a security response can be made.
Impersonation is another method in which an organization’s security may be compromised. This can happen in person, over the Internet, or over the phone. Users should be taught that it is okay to verify the identity of a person who contacts them but is not personally known to them. A quick verification method is calling the person back using information from a trusted source, or having another user personally known to both parties vouch for the person’s identity. Just as with phishing attacks, one of the strongest defenses against impersonation is an alert user.
While hoaxes themselves are generally not a security threat, they can be a tremendous waste of time. Users are often unduly credulous when it comes to supposed threats to their computers. You probably know someone who forwards every chain letter he or she gets. Encourage your users to inquire about the veracity of any claims they get in their inbox before resending them. This can be as simple as asking their network administrator or checking snopes.com. The keys to defeating hoaxes are to remain skeptical and verify before forwarding.
Whaling is a phishing attack, by whatever means, specifically targeted at an individual who is high up in an organization. The attack may be crafted taking into account personal information gleaned from other users in the organization, or from publicly available networks. The higher you go in an organization, the greater the payoff a successful phishing attack can be. This may mean a phishing attack directed at an organization’s executives can have a lot more effort put into it than a normal phishing attack. To protect against whaling, it may make sense to train the executives in spotting phishing attacks and drill them to a greater extent than the average user.
Vishing, as mentioned in the previous section, is just phishing run over a phone call. This type of phishing can be targeted spear phishing or whaling, or it could be an automated mass phishing attack. When a phone call is combined with forged Caller ID information, a false trust may be easy to establish. When returning calls from your service providers, you should use the same level of wariness as you would when responding to an e-mail. Instead of returning a call to whatever number is left, call the number already on file for the provider.
Types of Wireless Attacks
Because wireless networks do not require physical network access, they can be especially vulnerable to hacking attempts. A number of attacks or vulnerabilities may affect wireless networks. This section will cover the following topics:
- Rogue access points
- Evil twin
- IV attack (WEP)
- Packet sniffing
Rogue Access Points
A rogue access point is any unauthorized wireless access point on a network. In the absence of network access control protocols, adding an unauthorized wireless access point to an existing network is trivially simple. The addition of a wireless access point to a network may allow access to your network without requiring physical access.
To detect and combat rogue access points, it is advisable to perform a site survey with a wireless network detector or sniffer periodically, walking around the physical area of the network while monitoring for unauthorized wireless traffic.
Wireless networks operate over a certain range of radio frequencies. An attacker can perform a DoS attack on a wireless network by generating strong interference in the frequencies in which the network would operate.
An evil twin attack is the replacement of an authorized access point with a seemingly identical access point. Often, it is not even necessary to remove the “good twin” physically from the network, so long as the signal strength of the “evil twin” is stronger. The evil twin AP will have the same SSID and authentication information, allowing clients to connect in the same manner as usual. The evil twin gives an attacker access to all communication that travels over the wireless link, without alerting the end-users to any change in the network infrastructure.
Wardriving is the practice of driving around with a network detector in areas in which wireless communications may be accessible. The goal of wardriving is often to find open or low-security Wi-Fi hot spots for unauthorized use. As wireless networks are limited only by the physical propagation of a system, a Wi-Fi network may unintentionally extend into a publicly accessible area.
Bluetooth hijacking, or bluejacking, takes advantage of vulnerabilities in Bluetooth technology to send unauthorized messages or other information, such as images or contacts to Bluetooth-enabled devices. This does not grant an attacker control of the device, or access to data stored on the target device. Bluejacking is more akin to spam than to hacking.
Bluesnarfing is the name assigned to an attack on a Bluetooth-enabled device to access data from a remote device. This weakness was formerly widespread, and it may still exist on devices using older Bluetooth technology. Security advances in the Bluetooth Protocol now require devices to be paired before a remote device can access local content.
A successful bluesnarfing attack, especially against older Bluetooth technology, does not necessarily require any user action. It is possible to access data even from a locked device without any user notification.
Warchalking is the practice of publicly tagging an area in which wireless networks are accessible; it is commonly paired with wardriving. The idea behind warchalking was to make publicly known any areas in which open access points existed. Now, with the ubiquity of coffee shops and the like offering and advertising free Wi-Fi, the purpose and practice of warchalking has largely died out.
IV Attack (WEP)
The Wired Equivalent Privacy (WEP) Protocol makes use of two components to create a key to encrypt data to be sent and received. The 40-bit WEP key is one component, and the 24-bit initialization vector (IV), which is randomized and unique for each packet for the length of the use of the key, is the other component. Unfortunately, the small 24-bit IV keyspace only allows for fewer than 17 million possible unique IV variations.
Additionally, the IV is sent in the clear to the receiving device. This combination of eavesdrop-accessible IV’s and the eventual reuse of an IV for the same key created a weakness in WEP. An attacker could generate traffic to capture IV’s, observe the duplicate use of an IV, and use the gathered information to break the encryption for the duration of the use of the WEP key. Because of the relative ease with which WEP encryption can be broken, it is no longer considered a legitimate means of securing wireless communication.
Packet sniffing, the practice of monitoring traffic over a network, can be done on a wired network or wirelessly. On a wireless network (especially one with weak encryption), packet sniffing may be a greater concern because, like all things wireless, physical access is no longer required. Additionally, packet sniffing on a switched wired network will capture traffic only for a single segment, or traffic specifically redirected to the packet-sniffing device. On a wireless network, a sniffer, especially one near the access point, can see all the data.
Types of Application Attacks
Attacks can target infrastructure, users, or applications. In this section, we will be focusing on the different types of vulnerabilities user-facing applications and web hosts may have, and the types of attacks that may be employed on an application level against these services. This section will cover the following topics:
- Cross-site scripting (XSS)
- SQL injection
- LDAP injection
- XML injection
- Directory transversal/command injection
- Buffer overflow
- Zero day
- Cookies and attachments
- Malicious add-ons
- Session hijacking
- Header manipulation
Cross-site Scripting (XSS)
Cross-site scripting (or XSS, to differentiate from Cascading Style Sheets, CSS) is one of the most common types of attacks leveled against a web browser. In an XSS attack, unauthorized script code is executed by the client browser, which exposes client information to an unauthorized third site.
This script code may not come from the site itself, but, rather, from a vulnerability of a site that allows code from a third party to be executed by the client browser. Code from an unrelated site is common, which is why this type of attack is known as a cross-site scripting attack. Code can also come from a link a user is enticed into clicking, unauthorized editing of server-side scripts, links to scripts hosted on other sites, or even specially crafted “image” links designed to take advantage of certain browsers, such as an e-mail browser that renders HTML code.
Most browsers are designed to prevent sites from communicating with one another, but hackers are constantly working at bypassing these security features. A successful XSS attack can bypass these protections, revealing usernames and passwords, session IDs, or other confidential information.
In order to protect against XSS attacks, administrators should treat all code in web forms as potentially malicious, validating it to ensure it does not contain unauthorized code, such as the image links that point not to images but to malicious scripts.
Another type of attack that can be used against a hosted application is the SQL injection attack. This attack occurs when an attacker is able to input information that is interpreted by an SQL server as SQL commands. For instance, if a form allows a user to input information that is sent to an SQL database, and poor validation is in place, an attacker may be able to direct an SQL database to drop a table, or create a query that may reveal private data rather than just inserting new data.
Input validation to prevent SQL injection attacks may take many forms, but some basic steps are to make sure user input is treated as text strings, not code, and to limit input to certain character sets. A character set limitation name field might disallow numbers and special characters, such as the equals sign, parentheses, or punctuation.
An LDAP (Lightweight Directory Access Protocol) injection attack functions similarly to an SQL injection attack. The major difference is in the target of the attack. Instead of seeking to allow an attacker to inject executable SQL code into a web form, the attacker is now attempting to execute LDAP code.
Just as with SQL injection, the best protection against LDAP injection is input validation, and ensuring that all user input is stored as strings rather than interpreted as executable code.
XML (Extensible Markup Language) injection has a lot in common with LDAP and SQL injection. As with other types of code injection attacks, the goal of an XML injection attack is to insert executable code in place of standard user input, but using XML.
Directory Traversal/Command Injection
One last form of code injection to consider is the directory traversal or command injection attack. In this attack, an attacker may send special characters to be interpreted by the file API. For instance, a user may request a web page from a certain domain, which would normally be the filename of a file stored in a specific directory on a server, say in /var/www/html/index.htm. The user would normally go to example.com/index.htm to view this file/web page. An attacker, however, might attempt to go to example.com/../../../../../etc/passwd, or to any other location that might contain files of interest to the attacker.
Alternatively, an attacker might enter filesystem commands into web forms, in hopes that poor backend design will allow the file API to attempt to execute the command. For instance, a user might enter his or her name as “test; rm –rf /etc/passwd”. The attacks rely on passing information to the web server that is interpreted by the filesystem API.
As with the other injection attacks we have reviewed, the best protection is input validation and handling user input as strings explicitly, rather than interpretable code.
A buffer overflow is an attack where the amount of data sent to an area of memory exceeds the area of memory allocated to hold the data. In a well-crafted buffer overflow attack, an attacker may be able to execute arbitrary code. These attacks are generally more complex than many of the other attacks we have discussed, as they operate at a much lower level of the computing hierarchy. Once an attacker can modify instructions on the memory stack, they often have a route to root control of the machine.
Buffer overflow attacks are extremely difficult to counter, but, through fastidious memory management techniques, they may be prevented or reduced. Many tools, such as Microsoft’s Data Execution Prevention, attempt to mitigate and eliminate the methods attackers use to turn a buffer overflow into root control of a system.
Zero-day attacks are those that are not currently known to the public. Any attack, regardless of the means employed, that uses a previously undisclosed vulnerability is known as a zero-day attack. As these vulnerabilities are not known ahead of time, there is no way to protect against them if you have the services enabled that are targeted by the attack. Best practice is to disable all unnecessary services in order to limit the attack surface. A zero-day attack cannot take advantage of an exploit in a piece of software that is not in use.
Cookies and Attachments
Cookies are bits of information stored by a browser on a local hard drive. These cookies may store personal information that could be valuable for an attacker, such as a user’s personal browsing habits, or even persistent session IDs. If an attacker is able to acquire a session ID, the attacker may be able to hijack a session, effectively impersonating the user.
Attachments sent in e-mail messages may contain malicious code. Code that requires user interaction to spread may often find its way to e-mail inboxes disguised as legitimate attachments. Almost any type of file can be sent as an attachment over e-mail. It is important to run attachments from trusted sources only, and those that are expected. Just because an attachment appears to come from a trusted address does not necessarily mean the user was the sender. When it comes to opening e-mail attachments, it is safest to assume that any unexpected communication is untrusted.
Many user applications are customizable. For instance, Microsoft Office supports custom add-ons for easier formatting in Word or for complex calculations in Excel. Mozilla Firefox allows a wide variety of add-ons to customize the browsing experience. Not all add-ons are harmless. Some add-ons, in addition to performing their advertised function, have the ability to act as spyware, adware, or other malware. To protect against malicious add-ons, install add-ons only from trusted sources.
Using session hijacking, or sidejacking, an attacker can take advantage of a flaw in authentication procedures to impersonate a user. If an attacker is able to acquire the session ID, the attacker will be able to impersonate the user until the session is expired.
Session hijacking can be protected against by encrypting the entirety of the authentication exchange, including not ever sending the session ID in cleartext. This protects the session from being vulnerable to a sniffing attack, but the session could still be hijacked in other ways, for instance, an XSS attack or by gaining access to a session ID stored in a cookie. To protect against session hijacking further, it is recommended to expire sessions that are no longer in active use, such as through a log-out option or fast expiration of session IDs.
An attacker can impersonate an authorized user through the manipulation of the information sent by the user’s computer. The combination of stolen session IDs and forged headers will allow an attacker to present information to a server that is indistinguishable from that of the legitimate user. In the absence of strong session-based authentication, forged headers created using stored authentication information may be sufficient to impersonate an authentic user.
Types of Mitigation and Deterrent Techniques
Now that we have covered various threats and vulnerabilities in depth, we will take a closer looks at the types of protections and best practices available to deter attacks and mitigate the damage they can inflict. This section will cover the following topics:
- Manual bypassing of electronic controls
- Monitoring system logs
- Physical security
- Port security
- Security posture
- Detection controls versus prevention controls
Manual Bypassing of Electronic Controls
Electronic controls for adding physical security can include such devices as card or keyfob readers to open and operate doors. The linking of physical security with electronic control means an attacker who gains control of either portion of the system will be able to bypass the protections.
In the event of a failure of the electronic portion of an integrated security device, the physical portion can fail to a closed/secure/safe state or to an insecure/open state. For instance, an external door leading in to a secured area might be configured to fail to a closed state, while a mantrap should allow someone inside to back out in case of a power outage. Fail safe should be used in situations where security is paramount, while fail open should be used where ease of use/continuity of availability is more important.
Monitoring System Logs
Attackers often leave traces of their access and of failed attempts to gain access to secured systems. These traces, however, will not be of use in protecting your systems unless this information is seen and acted upon. Therefore, someone must be monitoring system logs.
An administrator who regularly reviews his logs will not have to rely on catching an attacker in the act if he knows where to check for evidence of infiltration. There are many types of logs, and it is important to know where to look to protect against threats.
Event logs are generated by network devices to create a record of actions a device takes or changes a device observes. If an attacker is starting service outside of a planned maintenance window, event logs may be the first sign of unauthorized access or use of the systems. Event logs can also track such important events as connections being interrupted, systems going offline, or unexpected errors in running processes.
Audit logs track changes made to a certain portion of a system. A complete audit log for a file, for instance, would track the creation of a file and every time the file was edited, and who made the changes to the file. One common use of audit logging is to track changes to values in a database. The balance of a bank account, for instance, would exist not just for the current time but also for a list of transactions going back for the length of the audit trail. Audit logs are useful for tracking changes to the state of systems, and verifying who made the changes.
Security and access logs track security-related events, such as login and authentication attempts. They will likely include the type of authentication attempted and the result of the authentication attempt. Security logs may include events where a security policy prevented an end-user from completing a certain action, such as accessing restricted data. Access logs will track every access or attempted access of sensitive data to deter unauthorized access the same way an audit log tracks every change to data to ensure data integrity.
Hardware locks can be used to prevent unauthorized access to an area as large as a building complex or an area even smaller than a jewelry box. Though locks come in all shapes and sizes, their intent is the same: to require the operator of the lock to authenticate before allowing access.
Mantraps are a type of security checkpoint that is often employed to protect access to highly sensitive areas. A mantrap functions by allowing a single person to enter into a small room between two sets of doors. Once the outside door has sealed shut, the authenticating person will be locked in the small room until he successfully authenticates, opening the second set of doors. This method of physical security must be monitored, but it is extremely effective at preventing unauthenticated access.
Video surveillance serves two primary purposes. Real-time CCTV monitoring as a detection control may allow a smaller number of security personnel to monitor a much larger area than could be effectively monitored directly. This allows a security force of the same size to secure a much larger area or to secure a smaller area in more detail, or with fewer people. Video surveillance that is archived can also be an excellent source of investigative information, as it provides an unbiased account of what happened in an area under surveillance at any given time.
Access to prohibited areas can be deterred by the addition of fencing. While no fence, by itself, is a guarantee to security, fences can help prevent your secure areas from being low-hanging fruit. A simple low chain-link fence may be a sufficient deterrent, or a barbed-wire fence, or a 12-foot fence with shake detectors to prevent scaling. Fences help to deter casual violation of secure spaces.
Electronic devices such as keycard, badge, or key-fob readers may be employed to require anyone accessing an area to be in possession of a device that is granted only to certain people. This approach has all the advantages of a key, with the added benefits of an increased layer of difficulty in replicating the electronic authentication mechanism, as well as having the ability to assign each user a unique and revocable keycard.
Physical security does not require additional technology. It can be as simple as a person standing at a door or a gate who allows only people on a pre-approved list to gain access.
When it comes to protecting systems from threats, one of the most basic and most effective steps you can take is to reduce the number of avenues an attacker can take to find successful exploits by disabling unneeded services. This is known as reducing the attack surface area, or hardening. Another basic step for initially securing systems is to establish secure settings when it comes to changing default usernames and passwords, and disabling those accounts that are not necessary or are not in use. Systems can be further secured by being configured to failsafe, or fail closed, so that an unexpected state causes a service interruption rather than a possible security breach.
Another basic step to establishing a secure system is to patch it to the current level. Patch not just the operating system but also the applications in use on the system. All the initial steps to establish basic security of a system are collectively known as hardening. A hardened server, just like a lot surrounded by a fence, is no longer as easy a target as it once was.
Physical port security is a concept that encompasses the security measures that can be put in place to prevent any given device with physical access to the areas the network exists from gaining access to the network. Often, hackers look for misconfigured proxy servers to hide their origins by bouncing their traffic off these “open relays”.
MAC addresses are unique identifiers that every Ethernet device is assigned. Filters can be set on switches or routers that allow only certain known-good MAC addresses on the network. This is a good basic protection that can completely protect against accidental unauthorized access to a local network. Unfortunately, MAC addresses may be easily spoofed, allowing an impersonator to bypass MAC address protection.
Network Access Control (NAC) can also be implemented on a network, requiring devices to authenticate to a central server upon connection to a network before the newly connected devices are able to send and receive most network traffic. 802.1X is a simple implementation of NAC, which allows a central server to authenticate clients as they connect to a network, and then assign them to certain VLANs depending on their authentication information. This can effectively segment a network, preventing unauthorized hosts from sending or receiving traffic.
As with hardening, the most effective means of preventing network access is disabling access to unnecessary ports altogether. For port security, this means requiring administrator intervention before the connection of any new network device.
Hardening is a vital first step to building a secure network services infrastructure. In addition to basic security steps such as hardening and configuring logging/surveillance of the systems, administrators should establish what “normal” use of their systems looks like on a day-to-day basis. Only by knowing what normal loads and activities are, can an administrator set triggers or be on the lookout for activity that is anomalous.
Even as the environment changes, new applications are installed, new threats emerge, and new systems are installed, your environment should maintain this baseline security level. This means that maintaining security is a constant process.
One of the ways an administrator can ensure the maintenance of a secure baseline is the constant monitoring of network servers and hosts. If a host is detected that does not meet the baseline security configuration, it can be quickly quarantined, and the configuration rectified. For example, a remote user may take a laptop offsite for a period of time and, upon returning to the office, be in need of updating the operating system patch level. Without continuous monitoring and remediation, this shortcoming may not be detected. Using monitoring and NAC, however, an administrator can place this device on a separate network for remediation immediately, without risking unprotected access to the existing network.
Data can be gathered and logged from a number of sources, as well as actively presented. This is known as reporting. In any monitoring system, it may be beneficial to configure alarms or alerts, or interpret logs to show trends over time.
Alarms might contact an administrator or group of administrators by e-mail, phone, or text message. Generally, alarms are reserved for important and urgent issues, such as a loss of power, an unexpected service outage, or a severe environmental issue.
Alerts may function identically to alarms, but usually react to less urgent events. Alerts are commonly configured for non-urgent but important information. Examples of events that might warrant alerts are a shortage of disk space, higher than normal network traffic, an unusual number of login attempts, or a shortage of spare supplies for a printer. These less urgent events normally do not require an immediate response from multiple people but do warrant attention and possibly a response.
Information gathered over time can be useful for spotting events at variance with expected standards. Alerts for high CPU usage might be very different from one server to another. In order to know where to set the alert and alarm thresholds, it is important to have a good baseline of the expected activity levels. One way to detect and address changes in the environment is to run reports to view trends in monitored metrics, such as available disk space. Keeping an eye on changes over time leads to more informed administrators who are more capable of address the changing needs of their environment.
Detection Controls versus Prevention Controls
In order to protect assets effectively, you can take steps to detect or deter unauthorized behavior. For example, a room can be secured by a lock to deter access. A lot may be secured by a simple fence to deter trespassers. A guard may be posted at a door to prevent just anyone from going through it. These are examples of physical prevention controls that can be put in place to prevent security violations.
Another method of security control that can be put in place is the detection control. These types of controls are more concerned with creating an accurate record of what happens than with preventing it in the first place. An example of a detection control might be a camera that is not actively monitored, but stores any video for later review, if necessary. Though knowledge of the detection system may act as a deterrent, the detection system itself does not prevent unauthorized access.
When protecting a computer network against unauthorized access, there are two types of technologies, intrusion detection systems (IDS) and intrusion prevention systems (IPS), that are roughly analogous to video recording cameras and guards, respectively.
IDS technology is well suited for detecting unauthorized activity and alerting an administrator. The role of an IDS is limited, so it does not require extensive network integration. If an IDS is able to view the network traffic, it can analyze the traffic and alert the administrator to anomalous behavior. Like a camera, an IDS watches and reports.
Rather than the simple observe and report of an IDS, an IPS has the ability to respond on its own to network threats before they reach the protected hosts on a network. This would not be possible unless network traffic were routed through the IPS. A strong IPS can detect a number of types of attacks, such as SQL or other injection attacks targeted at a web host, and stop them before they are able to deliver their payload.
Some advanced IPS and IDS deployments can perform network behavior analysis to respond intelligently to unusual network traffic patterns. This is similar to the way an administrator might create a baseline of expected behavior and configure alerts for anomalous behavior, but it is completely automated.
Though most IPS deployments monitor network traffic, there are also host-based intrusion prevention systems (HIPS). These are installed on a host to monitor the working of the host in a manner similar to anti-virus software. Instead of protecting the host from viruses, however, the role of the HIPS is to protect the host against attacks, such as buffer overflow exploits, and enforce security policies on the host.
Assessment Tools and Techniques Used to Discover Security Threats and Vulnerabilities
In striving for secure networks, it is important to be able to detect security weaknesses or breaches. This can often be accomplished through the use of assessment tools and techniques, also referred to as management controls. We will examine a number of these tools and techniques so that you have an understanding of some common ways to monitor a network to ensure it is not unnecessarily susceptible to known threats. This section will cover the following topics:
- Vulnerability scanning
- Risk calculations
- Assessment types
- Assessment techniques
- Design reviews
When a network administrator uses tools to seek out possible security weaknesses, he is performing vulnerability scanning. The goal of these scans is to detect and inform the administrator of possible security holes. As these methods help to make an administrator aware of possible threats, they are a vital component of any network security plan.
These tools and techniques simply seek to make the administrator aware. They are relatively passive attempts to identify weaknesses. The do not rectify any problems found, nor do they necessarily exploit any possible weaknesses to determine whether they are true threats, as a penetration tester would. They may create false positives, as they lack context to determine whether a certain configuration is intentional. Even considering their drawbacks, vulnerability scans are a great way to increase an administrator’s knowledge of the network.
There are a number of classes of tools, each with a specific function, when it comes to monitoring and assessing network security.
Raw data may not be intelligible to even a trained security analyst. In order to view data in a more human readable manner, an administrator may use a protocol analyzer. Any tool that monitors network traffic and reports on the content of that traffic is a protocol analyzer.
A sniffer captures available network traffic and allows an administrator to access the raw data. If, for instance, an administrator knows in advance what specific information to look for, a sniffer may be the best option. A sniffer may provide complete access to view all network traffic.
One basic method of viewing possible vulnerabilities is the use of what is known as a vulnerability scanner. These scanners normally operate over a local network and attempt to discover possible weaknesses, without exploiting those weaknesses, if found.
Vulnerability scanners will typically reveal the number and type of hosts on a network, as well as search for known vulnerabilities on those hosts and enumerate them on a per-host basis.
Vulnerability scanners come in many shapes and sizes, with different focuses. Some scanners may focus on OS or application vulnerabilities, while others scanners, such as nmap or Nessus, may be concerned with only network capabilities or vulnerabilities. Vulnerability scanners can detect and inform administrators of possible weaknesses; however, as with all assessment tools, rectifying any misconfiguration is left to the administrator.
A honeypot is a system placed on a network with the explicit purpose of drawing an attacker’s attentions. These systems are generally closely monitored and often intentionally left slightly less secure. The idea is to trick an attacker into thinking he has gained unauthorized access to a production system, and then monitor the system to gain insight into attack methods and aims. Because honeypots allow an administrator to view an attack as it would occur in the wild, they can be an extremely valuable tool in detecting and identifying the newest forms of attacks.
Rather than deploying a single fake system to draw an attacker’s attentions, a network administrator may deploy a collection of closely monitored systems that communicate with one another. When a number of physical systems or virtual machines are deployed, the resulting group of systems is known collectively as a honeynet. Both honeypots and honeynets should be segregated from any real production information.
A port scanner is a simple tool that attempts to determine which ports respond to network communications requests. An open port usually indicates a specific network service running on that port. As different types of systems respond differently to initial session requests, port scanners will also commonly be able to identify operating system and application versions.
When choosing to combat and mitigate threats, we may face situations of limited resources and declining marginal utility. It may not be possible or feasible to fully protect against every imaginable threat. In order to decide where to best invest our security time and money, it can be helpful to perform risk calculations.
Some threats are extremely common but generally low impact, such as a simple spam message. Others may be more impactful but far less frequent. When assessing the impact of a threat, it may be useful to concentrate on the threats that would likely come to fruition, even if there are larger threats that are extremely unlikely.
If you can only protect against a limited number of threats, you should assign protection not necessarily to those threats that are largest or those that are most frequent, but, rather, to those where you can get the best return on your investment.
There are a number of types of assessments that can be made before deciding where to allocate security resources.
When defending against security threats, it is important to take financial and business impacts into consideration. Your efforts at increasing security should be a net gain for the network once all is said and done.
To perform a quick sanity check on threat mitigation practices, you can multiply the loss expected from a single event (SLE, single loss expectancy) by how often the event would occur over the course of a year (ARO, annualized rate of occurrence) to establish an annual cost from the risk (ALE, annualized loss expectancy). If the cost of the mitigation plus the new ALE is lower than the older ALE, you have likely made a good investment.
A threat assessment attempts to determine which threats may be able to affect your network. Is there an uptick in phishing attempts against your users? Are spammers sending much more traffic to your networks than normal? Are port scans being run against your systems? It is important to be aware of threats that face your network before you can decide on a mitigation strategy.
As was discussed earlier, vulnerability scanners can be a great tool in determining which threats your systems may be insufficiently protected against. Knowing where your vulnerabilities are is a vital first step to eliminating those vulnerabilities.
There are important steps to take that can improve the security and reliability of a network. As security is an ongoing process, it can be useful to take everyday security measures to ensure sufficient knowledge of your computing environment.
One big red flag from a security standpoint can be significant variation from former or expected behavior. Unfortunately, the only way to detect these variations is to know what “normal” looks like for a certain system. Baseline reporting is the process of learning what a system looks like when it is functioning normally. Once a baseline is established, an administrator can much more easily detect significant variations.
For example, imagine an application log is showing 25 SSH login sessions per hour. In a large company, the administrator may not immediately be able to determine whether this is normal behavior or evidence of an attack in progress. With the aid of a baseline, the administrator should easily be able to determine whether this behavior is normal or anomalous.
Changes to applications and other internal development should not necessarily be trusted. Code review practices can ensure that before code is put into use, a second set of eyes views the code. This can protect against both intentional and unintentional lapses in security.
Attack surface is the amount of ways an attacker can interact with your network. Limiting the attack surface is a basic security principle. For instance, an administrator will want to know which ports are open, from where logins are permitted, and how much access each role is granted. The more methods of network interaction are available, the greater the possible attack surface.
You may have an application that relies on a framework that sits on a server that communicates over a network. A security breach in the application, framework, server, or network could put your private data at risk. Each of the components of your network needs to be individually secured, as the security of your data is dependent on end-to-end security, not just the security of any single component.
When making changes to any program or application, the purpose of the application and its methods of interaction should be considered from a high level. Will encryption be required? Does security need to be built into the application, and supported by the application, or will it be provided by another source? Will the changes to the function of an application increase the attack surface of the network? Can these increased risks be mitigated?
The best method to secure a program is not to attempt to add security after the functionality, but to consider security as a component of the development process.
Proper Use of Penetration Testing versus Vulnerability Scanning
Knowing all these threats are out there is merely one-half of solving the threats and vulnerabilities equation. The other half is knowing how to test your network for vulnerabilities. This section will cover the following topics:
- Penetration testing
- Vulnerability scanning
- Black box
- White box
- Gray box
A properly configured network in terms of accessibility is a good thing. A properly configured network in terms of security is a priceless asset every company hopes to have. It is possible to test your network and see whether it is properly configured for security by performing penetration testing on it.
Penetration testing does exactly what it sounds like it does: it tests your network by attempting to penetrate it, as a hacker or a malicious user would, but instead of causing chaos or harm to your network or data, you will use the information you gain about the security status of your network for good. This information is usually invaluable to companies, enabling them to make improvements to their security infrastructure.
This type of testing should be performed only on a network under controlled conditions and by highly trained professionals. This should also be done only with the network owner’s permission. As penetration testing can mimic hacking and attacks, it is important to know when such testing is going to occur, and to be able to account for network outages and instabilities due to testing.
Penetration testing is usually used to attempt the following on a network:
- Bypass security controls
- Actively test security controls
- Exploit vulnerabilities
Once again, the results of penetration testing should be reported to the networks’ owners so they can take appropriate action to remediate any security holes or vulnerabilities found.
One last note on penetration testing is on hacking itself. There are black hat, gray hat, and white hat hackers. Black hat hackers are malicious, and their only intent is to steal information or do harm to systems. Gray hat hackers usually have an agenda and perform attacks merely to raise awareness of security vulnerabilities or in order to stage a protest. White hat hackers are usually called “ethical hackers” and are the types of people who are hired to perform penetration testing: they are trusted and will not do harm to a network, though they have the tools and knowledge to do so. White hat hackers can do more than penetration testing; they can also be associated with the broader realm of network and computer security.
Vulnerability scanning is most often referred to as a more passive method of penetration testing. It does not involve network disruptions, which can benefit a network that requires high uptime and stability, as it only “scans” a network for vulnerabilities rather than attempts to break in.
Vulnerability scanning is usually employed to do the following on a network:
- Passively test security controls
- Identify vulnerabilities
- Identify lack of security controls
- Identify common misconfigurations
Common tests include port scanning for open ports and open access points.
Those individuals who are given the responsibility to perform penetration testing and vulnerability scanning are commonly presented with one of three testing scenarios: black box, white box, or grey box.
A black box testing scenario means that the technicians who are performing the testing have no prior knowledge of the network infrastructure and are performing as a hacker would from the outside. This gives more real-world results; however, black box testing also can omit major security issues simply because the security team did not know they were there and did not find them during testing.
A white box testing scenario is the opposite of black box: the testing party knows every detail about the network infrastructure to be tested. Testers have logon credentials, documentation, hardware information, and a test environment that emulates the production environment. While this provides much more in-depth testing, it reveals network information (usually an outside group or third party) and does not provide a real-world scenario in which hackers and malicious individuals may be seeking vulnerabilities from the outside without any prior knowledge of the network.
Gray box testing can fall anywhere between black box and white box testing. This means testers have some amount of knowledge of the network; specific amounts and types vary.