Introduction to Network Security

1
Introduction to Network Security

• Charles Hill
• Director, Hawaii Operations
• E-mail chill_at_fsba.com
• Phone (808) 524-7786

2
What is Network Security?

• Network security addresses the vulnerabilities to
  which your organization is exposed as a
  consequence of being connected to a network.

3
Topics of Discussion

• Whos vulnerable?
• Whos attacking?
• What are the kinds of attacks?
• How do we protect ourselves?
• What do you do when youve been hacked?
• References and QA

4
Whos vulnerable?

• Everyone in your organization who uses computers
  or networks in the process of doing their job.
• Everyone in your organization who is affected by
  the information stored in computers.
• Everyone in your organization.
• Outsiders who rely on your organization your
  customers, the public.

5
Whos vulnerable?

• Both Servers and End-Users are subject to attack.
• Web servers, E-mail servers, File servers,
  Communications servers, Network devices
• End-users receiving e-mail, visiting web sites,
  downloading files, participating in online
  services

6
Whos vulnerable?

• You are exposed to network security threats by
• using e-mail (e.g. viruses, worms)
• using web-browsers (e.g. malicious applets and
  scripts)
• simply being connected to the network (protocol
  hacks, breaking and entering)

7
Whos vulnerable?

• From 2000 CSI/FBI Computer Crime and Security
  Survey of 643 US Organizations
• 90 of respondents detected computer security
  breaches w/in last 12 months
• 74 acknowledged financial losses due to computer
  breaches

8
Whos vulnerable?

• 70 reported a variety of serious computer
  security breaches other than viruses, laptop
  theft, or net abuse
• Quantified financial losses from 273 respondents
  totaled 265,589,940

9
Whos vulnerable?

• 20-year-old man arrested for breaking into two
  computers of NASAs Jet Propulsion Laboratory.
• Hacking started in 1998
• One computer was used to host chat room devoted
  to hacking
• Thousands of usernames and passwords were stolen
• Reuters News, July 12, 2000

10
Whos vulnerable?

• Hacker boosted stock price by posting fake merger
  press release
• A hacker boosted the stock of Aastrom Biosciences
  by 6.5 by posting a fake press release on the
  company's Web site announcing a merger with
  California biopharmaceutical company Geron.
• Reuters News, Feb. 17, 2000

11
Whos vulnerable?

• Thousands of Safeway customers received emails
  that appeared to come from the company, saying
  Safeway would raise its prices by 25 percent. The
  emails also said, If you wanted to shop
  elsewhere, you could.
• Safeway shut down U.K. site after hacker attack
  on August 12, 2000
• Bloomberg News, Aug. 14, 2000

12
Whos vulnerable?

• April 1998, Masters of Downloading cracked the
  DISN and stole software used to control vital
  military GPS satellites used to pinpoint missile
  strikes, guide troops and assess ground
  conditions

13
Whos vulnerable?

• ILOVEYOU Virus
• MELISSA Virus
• Anna Kournikova Virus ( Here you have, o) ) of
  last week
• Denial of Service attack against Microsoft two
  weeks ago
• Home users with network connections dialup or
  dedicated

14
Whos attacking?

• Attacks from within
• Within means originating from inside the
  LAN/intranet, a trusted source

15
Whos attacking?

• Case studies have shown that a vast majority of
  attacks originate from within an organization.
  In fact, some studies state that as much as 70
  of all attacks from someone within an
  organization or from someone with inside
  information (such as an ex-employee).
• Chris Brenton, Mastering Network Security, c.
  1999, SYBEX Network Press, p.6.

16
Whos attacking?

• Sometimes the damage is done without intent
• People making mistakes
• Only give root privileges to people who know what
  they are doing
• People experimenting with things theyve heard
  about
• I was just testing this downloaded script....

17
Whos attacking?

• Sometimes the damage is done on purpose
• Malicious attacks from disgruntled people (e.g.
  ex-employees)
• Snoop attacks from nosey co-workers
• Acts of vandalism
• Espionage

18
Whos attacking?

• Attacks from the Outside
• Outside means originating from anyone/anyplace
  outside of your LAN/intranet, an unknown source.
• Sometimes the damage is done without intent....
• Sometimes the damage is done on purpose.

19
Whos attacking?

• What do they hope to gain?
• bragging rights, simply to say I did it!
• theft of information
• theft of service
• theft of real assets/money
• defacement/vandalism
• destruction of data
• corruption of data

20
Whos attacking?

• What do they hope to gain, continued
• corruption of operational systems controlled by
  computers (phone system, TV systems, etc.)
• denial of service
• plant bots which can be remotely activated and
  controlled to accomplish any of the attacks
  listed above using your machine as the host

21
What are the kinds of attacks?

• Denial of Service (DoS) attacks
• DoS attacks have one goal to knock your service
  off the net.
• Crash your host
• Flood your host
• Flood the network connecting to your host

22
What are the kinds of attacks?

• Viruses
• A computer virus attaches itself to files on the
  target machine
• Master Boot Sector/Boot Sector viruses
• File viruses, Macro viruses
• Stealth viruses, Polymorphic viruses
• Hoax Viruses
• http//www.mcafee.com/anti-virus
• http//www.symantec.com/avcenter

23
What are the kinds of attacks?

• Trojans, Worms and Backdoors
• Trojans are programs that appear to perform a
  desirable and necessary function that perform
  functions unknown to (and probably unwanted by)
  the user.
• Worms are memory resident viruses. Unlike a
  virus, which seeds itself in the computer's hard
  disk or file system, a worm will only maintain a
  functional copy of itself in active memory.

24
What are the kinds of attacks?

• Worms frequently sleep until some event
  triggers their activity - send password file to
  hacker, send copy of registry to hacker.
• Worms and Trojans are frequently methods by which
  Backdoors are enabled on a system.
• Backdoors allow hidden access and control of a
  system (e.g. Back Orifice, BO2K, SubSeven).

25
What are the kinds of attacks?

• Scanners
• Programs that automatically detect security
  weaknesses in remote or local hosts.
• Tells the hacker
• What services are currently running
• What users own those services
• Whether anonymous logins are supported
• Whether certain network services require
  authentification

26
What are the kinds of attacks?

• Password Crackers
• Some actually try to decrypt....
• Most simply try brute force or intelligent
  brute force
• Dictionary words, days of year, initials
• Social Engineering
• This is MIS, I need to fix your e-mail box,
  whats your password?

27
What are the kinds of attacks?

• Sniffers
• Devices that capture network packets
• Extremely difficult to detect because they are
  passive

28
How do we protect ourselves?

• One product cannot provide full protection
• The computer networking environment consists of
  too many different subsystems for one product to
  provide full protection

29
How do we protect ourselves?

• Ethernet protocol
• IP protocol
• TCP protocol
• Routing protocols
• Operating Systems
• Presentation protocols - HTML, DHTML, XHTML, XML
• Remote Program execution protocols - VBS, ASP,
  DCOM, CORBA, JavaScript, Java Applets, Jini
• Applications - MS Outlook, Netscape Communicator,
  server SW (MS IIS, etc.)

30
How do we protect ourselves?

• Anti-virus software
• Personal Anti-virus SW on your machine
• Make sure it is set to scan all executables,
  compressed files, e-mail, e-mail attachments,
  web pages
• Keep your virus information files up to date!!!

31
How do we protect ourselves?

• Firewalls
• A combination of hardware and software resources
  positioned between the local (trusted) network
  and an untrusted network. The firewall ensures
  that all communication between an organization's
  network and the Internet connection conforms to
  the organization's security policy. Firewalls
  track and control communications, deciding
  whether to pass, reject, encrypt, or log
  communications.
• Checkpoint Firewall-1 Administration
  Guide

32
How do we protect ourselves?

• Types of Firewalls
• Static Packet Filtering - a.k.a. Access Control
  Lists
• Dynamic Packet Filtering - a.k.a. Stateful
  Inspection
• Proxy - a.k.a. Application Gateway
• Non-Transparent
• Transparent

33
How do we protect ourselves?
34
How do we protect ourselves?

• Todays firewalls are multi-purpose network
  security platforms. Well... the best firewalls
  are multi-purpose network security platforms
  (Checkpoint Firewall-1)
• CVP (Content Vector Protocol)
• UFP (URL Filter Protocol)
• Bandwidth Management
• VPN (Virtual Private Networking)
• Intrusion Detection (MAD)

35
How do we protect ourselves?

• E-mail Server filters
• Provide anti-virus protection for e-mail passing
  through the server
• Integrate directly with the E-mail Server
  software - MS Exchange, Lotus Notes, Netscape,
  ccMail, etc.
• Example products McAfee GroupShield, Trend Micro
  ScanMail

36
How do we protect ourselves?

• Web based protection filters
• Web Server protection
• Protects web server from hacking (e.g. AppShield
  (Sanctum Inc.))
• Web Access Control
• Restricts web sites to which you can connect.
  Can protect you by not allowing you to go to
  malicious web sites (e.g. WebSENSE)

37
How do we protect ourselves?

• More on Web Site/Application hackingSome
  examples....

38
How do we protect ourselves?

• Hidden Manipulation
• Parameter Tampering
• Cookie Poisoning
• Stealth Commanding
• Forceful Browsing
• BackDoors and Debug Options

• Configuration Subversion
• Buffer Overflow
• Vendor assisted hacking through 3rd-party
  software vulnerabilities

39
Example Medical Records Access

• Parameter Tampering - SQL Query via CGI Parameters

40
(No Transcript)
41
(No Transcript)
42
Example Money Theft

• Utilizing Debug Options

43
(No Transcript)
44
(No Transcript)
45
(No Transcript)
46
Example Shutting Down a Site

• Buffer overflow

47
(No Transcript)
48
(No Transcript)
49
(No Transcript)
50
(No Transcript)
51
(No Transcript)
52
How do we protect ourselves?

• VPN technologies
• Access Control
• Who can talk to us through the network?
• Authentication
• How do we know you're who you say you are?
• Integrity
• How can we guarantee that what we receive is what
  you sent?
• Confidentiality
• How can we guarantee that no one else can read
  this information?

53
How do we protect ourselves?

• Intrusion Detection Systems
• Suspicious Pattern Detection
• Looks for known patterns of types of traffic that
  are common to electronically "casing the joint"
• Bit Pattern Signature Detection
• Looks for known signatures of attacks
• Anomaly Detection - the AI approach
• Monitors network for a period of time to
  establish a statistical norm for traffic on the
  network. Generates alarms when abnormal traffic
  occurs

54
What do you do when youve been hacked?

• Too big of a topic to go into here.... but its a
  vital part of network security.
• What can you do to ensure the compromise has been
  abated?
• How do you identify whats been changed?
• What did you lose?
• What can you recover?

55
References

• Hacking Exposed, Network Security Secrets and
  Solutions, Joel Scambray, Stuart McClure, and
  George Kurtz, Osborne/McGraw-Hill
• Mastering Network Security, Chris Brenton, Sybex
  Network Press
• Maximum Security, A Hacker's Guide to Protecting
  Your Internet Site and Network, Anonymous, SAMS
• Secrets and Lies, Digital Security In A Networked
  World, Bruce Schneier, John Wiley and Sons

56
References

• Reputable sites
• www.hackingexposed.com
• www.securityfocus.com
• Questionable sites
• www.because-we-can.com
• www.digicrime.com
• www.insecure.org