CIS 450 Network Security - PowerPoint PPT Presentation

Slides: 21
Provided by: jbpackma
1
CIS 450 Network Security
  • Chapter 2 How and Why Hackers Do It

2
  • What is an Exploit? Anything that can be used to
    compromise a machine/network
  • Compromises include:
  • Gaining access
  • Simplifying gaining access
  • Taking a system offline
  • Desensitizing sensitive information
  • Critical to minimize the risk while reducing the
    impact it has on overall functionality

3
The Attacker's Process
  • Passive Reconnaissance
  • Attacker must have some general information
  • Used to properly position themselves
  • Sniffing: sitting on a network segment watching
    and recording all traffic (especially passwords)
  • Information gathering to help launch an active
    attack

4
The Attacker's Process
  • Active Reconnaissance
  • Gather the additional information the hacker is after
  • Active probing of system to find out additional
    information
  • Find out IP address of firewall and routers
  • Version of Operating System
  • It is critical that there be some form of logging
    review to catch active reconnaissance.
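
One way to do the logging review this slide calls for, as an added example that is not part of the original presentation: flag any source that probes many distinct ports on one host within a short window. The log layout, the sample lines and the thresholds are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample firewall log; the field layout is an assumption:
# timestamp action src_ip dst_ip dst_port
SAMPLE_LOG = """\
2024-01-10T09:00:01 DENY 203.0.113.7 192.0.2.10 21
2024-01-10T09:00:01 DENY 203.0.113.7 192.0.2.10 22
2024-01-10T09:00:02 DENY 203.0.113.7 192.0.2.10 23
2024-01-10T09:00:02 ALLOW 203.0.113.7 192.0.2.10 80
2024-01-10T09:00:03 DENY 203.0.113.7 192.0.2.10 135
2024-01-10T09:00:03 DENY 203.0.113.7 192.0.2.10 445
2024-01-10T09:00:05 ALLOW 198.51.100.4 192.0.2.10 443
2024-01-10T09:03:00 ALLOW 198.51.100.4 192.0.2.10 443
2024-01-10T09:10:00 ALLOW 198.51.100.4 192.0.2.10 80
garbage line that should be skipped
"""

def parse(log_text):
    """Yield (time, src, dst, port) tuples, skipping malformed lines."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[4].isdigit():
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        yield ts, parts[2], parts[3], int(parts[4])

def find_scanners(log_text, min_ports=5, window=timedelta(seconds=60)):
    """Return {(src, dst): ports} for sources that touched at least min_ports
    distinct ports on one host inside a sliding time window."""
    events = defaultdict(list)
    for ts, src, dst, port in sorted(parse(log_text)):
        events[(src, dst)].append((ts, port))
    hits = {}
    for pair, seen in events.items():
        start = 0
        for end in range(len(seen)):
            while seen[end][0] - seen[start][0] > window:
                start += 1                      # drop events older than the window
            ports = {p for _, p in seen[start:end + 1]}
            if len(ports) >= min_ports:
                hits[pair] = sorted(ports)      # ports seen when the threshold tripped
                break
    return hits
```

Allowed connections are counted along with denied ones, since a probe that reaches an open port is still part of the sweep.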

5
The Attacker's Process
  • Exploiting the System
  • Gaining Access
  • Operating System Attacks: The default install of
    most operating systems has a large number of
    services running and ports open
  • Application-level Attacks: take advantage of
    less-than-perfect security found in most of
    today's software
  • Scripts and Sample Program Attacks: Sample files
    and scripts that come with operating
    systems/applications

6
The Attacker's Process
  • Exploiting the System
  • Gaining Access (continued)
  • Misconfiguration Attacks: Don't bother to remove
    unneeded services or software
  • Elevating Privileges: Goal is to gain either root
    or administrator access to a system
  • Denial of Service: Deny legitimate users access
    to a resource

7
The Attacker's Process
  • Uploading Programs: Can be used to
  • Increase access
  • Compromising other systems on network
  • Upload tools to compromise other systems
  • Downloading Data
  • Keeping Access
  • Put back door in for when attacker wants to
    return (use Trojan horse program)

8
The Attacker's Process
  • Covering Tracks
  • Clean up the log files
  • Turn off logging as soon as access is gained
  • Change properties to original settings. To combat
    this, use programs that calculate checksums.
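
The checksum countermeasure from this slide, as an added example that is not part of the original presentation: a baseline of SHA-256 hashes still catches a modified file after its size and timestamp have been set back to their original values. The file name and contents in `demo()` are hypothetical and constructed for the example.

```python
import hashlib
import os
import tempfile

def sha256_file(path, chunk=65536):
    """Hash file contents in chunks so large files are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()

def snapshot(root):
    """Map relative path -> (size, mtime_ns, sha256) for regular files under root."""
    snap = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            st = os.stat(full)
            snap[os.path.relpath(full, root)] = (st.st_size, st.st_mtime_ns, sha256_file(full))
    return snap

def compare(baseline, current):
    """Return (path, reason) findings; the checksum decides, not size or mtime."""
    findings = []
    for path in sorted(set(baseline) | set(current)):
        old, new = baseline.get(path), current.get(path)
        if old is None:
            findings.append((path, "added"))
        elif new is None:
            findings.append((path, "removed"))
        elif old[2] != new[2]:
            restored = old[:2] == new[:2]   # properties match, content does not
            findings.append((path, "changed, properties restored" if restored else "changed"))
    return findings

def demo():
    """Constructed scenario: a file is edited, then its size and mtime are put back."""
    with tempfile.TemporaryDirectory() as root:
        target = os.path.join(root, "login.conf")       # hypothetical file name
        with open(target, "wb") as f:
            f.write(b"allow_root=no \n")
        baseline = snapshot(root)
        st = os.stat(target)
        with open(target, "wb") as f:
            f.write(b"allow_root=yes\n")                 # same length as before
        os.utime(target, ns=(st.st_atime_ns, st.st_mtime_ns))
        return compare(baseline, snapshot(root))
```

The baseline is only trustworthy if it is stored where someone with access to the monitored system cannot rewrite it, for example on read-only media or another host.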

9
The Types of Attacks
  • Active Attacks: a deliberate action on the part
    of the attacker to gain access to the information
    he is after
  • Denial of Service
  • Intelligence gathering
  • Resource usage
  • Deception
  • Passive Attacks: geared to gathering information
    rather than gaining access

10
Categories of Exploits
  • Over the Internet
  • Coordinated attacks: coordinate with other users
    and machines on a network (other users do not
    have to be aware that they are being used in
    the attack)
  • Session hijacking: taking over a session after a
    legitimate user has gained access
    authentication
  • Spoofing: the impersonating or assuming of an
    identity that is not your own. Very effective
    with trust relationships.

11
Categories of Exploits
  • Over the Internet (continued)
  • Relaying: an attacker relays or bounces an
    attack through a third party's machine so it
    looks like the attack came from the third party
    and not from him
  • Trojan Horses or Viruses

12
Categories of Exploits
  • Over the LAN
  • Large number of attacks come from trusted
    insiders
  • Attacker, if breaking in as a legitimate user,
    gets full access that the user would have
  • Sniffing Traffic: easier on a hub than on a
    switched network. Network cards should not be set
    to promiscuous mode.

13
Categories of Exploits
  • Over the LAN (continued)
  • Sniffing: Hub vs. Switch
  • The difference is in what a switch does versus
    what a hub does. A hub is really a layer 1
    device, simply a repeater. Putting a sniffer on a
    hub truly allows you to monitor ALL traffic on
    that network segment.
  • A switch operates at layer 2, and sorts traffic
    based on destination MAC address. Thus, if a
    packet is sent to one specific host, and the
    switch knows which port that host lives on, only
    that host will get the traffic. If a packet is
    broadcast to the whole network, then the switch
    forwards that to all ports, since there cannot
    be a MAC address correlated to a broadcast
    address. A sniffer on a standard switch port
    will then only be able to see traffic inbound to
    and outbound from itself, plus the local network
    segment broadcast traffic.
  • Most switches, at least at the enterprise level,
    allow configuring at least 1 port as a
    "monitoring" port. When this mode is enabled, the
    switch will pass all traffic to the destination
    port and to the monitoring port. So if you hang
    a sniffer off that port, you can then see all
    traffic on the segment, at least from those
    devices attached to that switch.
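
The three cases on this slide (hub, standard switch port, monitoring port) as a small model, added here as an example that is not part of the original presentation. The port numbers, MAC addresses and traffic are constructed, and the model floods frames whose destination it has not yet learned, which is the other side of the slide's "the switch knows which port that host lives on".

```python
BROADCAST = "ff:ff:ff:ff:ff:ff"

class Hub:
    """Layer 1 repeater: every frame leaves on every port except the one it arrived on."""
    def __init__(self, ports):
        self.ports = list(ports)
    def forward(self, in_port, src, dst):
        return [p for p in self.ports if p != in_port]

class Switch:
    """Layer 2 learning switch with an optional monitoring port."""
    def __init__(self, ports, monitor_port=None):
        self.ports = list(ports)
        self.monitor_port = monitor_port
        self.mac_table = {}                      # MAC address -> port
    def forward(self, in_port, src, dst):
        self.mac_table[src] = in_port            # learn where the sender lives
        if dst != BROADCAST and dst in self.mac_table:
            out = [self.mac_table[dst]]          # known unicast: one port only
        else:
            out = list(self.ports)               # broadcast or unknown: all ports
        if self.monitor_port is not None and self.monitor_port not in out:
            out.append(self.monitor_port)        # copy for the monitoring port
        return [p for p in out if p != in_port]  # never send back out the ingress port

def frames_seen(device, sniffer_port, traffic):
    """Return the indexes of the frames in traffic that reach sniffer_port."""
    return [i for i, (in_port, src, dst) in enumerate(traffic)
            if sniffer_port in device.forward(in_port, src, dst)]

# Constructed traffic: host A on port 1, host B on port 2, sniffer on port 4.
PORTS = [1, 2, 3, 4]
A, B = "02:00:00:00:00:0a", "02:00:00:00:00:0b"
TRAFFIC = [
    (1, A, BROADCAST),   # 0: A broadcasts, e.g. an ARP request
    (2, B, A),           # 1: B answers A; the switch has already learned A
    (1, A, B),           # 2: A -> B unicast
    (2, B, A),           # 3: B -> A unicast
]
```

With this traffic, `frames_seen` returns all four frames for the hub and for the switch with port 4 as monitoring port, but only frame 0 (the broadcast) for a standard switch port.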

14
Categories of Exploits
  • Over the LAN (continued)
  • Broadcasts: using the TCP/IP broadcast address, which
    will send a packet to every machine on the
    network segment
  • File Access
  • Remote Control: controlling the machine as if
    you were sitting at it
  • Application Hijacking: similar in concept to
    session hijacking. Involves taking over an
    application and gaining unauthorized access.

15
Categories of Exploits
  • Locally
  • Shoulder Surfing: watching someone as they type
    in their password
  • Unlocked Terminals
  • Written Passwords
  • Unplugging Machines
  • Local Logon
  • Offline
  • Download Password File

16
Categories of Exploits
  • Offline (continued)
  • Download Encrypted Text: the longer the key, the
    longer it will take to break
  • Copying large amounts of data to a removable
    drive to look at offsite later

17
Routes Attackers Use to Get In
  • Ports: the windows and doors of a computer
    system - the more ports that are open, the more
    points of vulnerability
  • http://www.stengel.net/tcpports.htm
  • http://www.iss.net/security_center/advice/Exploits/Ports/default.htm
  • Services: programs running on a machine to
    perform a specific function - If a service is
    running as root, any command it executes runs as
    root. Have to limit the number of services running
    and at what priority they are running.

18
Routes Attackers Use to Get In
  • Third-Party Software
  • Operating System: default install is to leave
    most ports open and services running
  • Passwords
  • Social Engineering
  • Trojan Horses: overt (open)/covert (hidden
    feature)
  • Inference Channels: gather information from
    open sources and surrounding events

19
Routes Attackers Use to Get In
  • Covert Channels: involve a trusted insider who
    is sending information to an unauthorized outsider

20
Goals Attackers Try to Achieve
  • Goals of Information Security
  • Confidentiality: preventing, detecting, or
    deterring the improper disclosure of information
  • Hacker's Goal: credit card information,
    competitor information, identity theft
  • Integrity: preventing, detecting, or deterring
    the improper modification of data
  • Hacker's Goal: change data for own purposes
  • Availability: preventing, detecting, or
    deterring the unauthorized denial of service to
    data
  • Hacker's Goal: denying access to all key
    components of system