TSM 352 - PowerPoint PPT Presentation

Provided by: johnmc1

Transcript and Presenter's Notes

1
Introduction
  • TSM 352
  • System Security
  • Reference Sheldon Chs 1-3

2
TCP Review
  • TCP/IP, though funded by the military, was not
    designed to be highly secure.
  • The protocol suite is robust in terms of
    providing protection against failure of nodes and
    lines.
  • Early Windows systems had a very poor stack.
    Microsoft has spent a lot of time and effort to
    re-write the stack, and it has improved
    considerably for Win2k and XP.
  • Some totally new features for the Win2k TCP/IP stack:
      • Designed to support plug-and-play
      • Supports QoS
      • Supports IPSec
  • Not long after Win2k appeared, there were already
    new attacks out against the Win2k TCP/IP stack.
    UDP fragmentation was one example. It can cause
    Win2k machines to lock up, using 100% of their CPU.
    SP3 clears this up.

3
OSI Model
  • Review your OSI Model
  • Pay particular attention to relationship to
    TCP/IP Model

4
Microsoft-specific Protocols
  • Be aware of other lower layer protocols beyond
    those in the TCP/IP suite.
  • Historically, Microsoft networking has been built
    on top of NetBIOS.
  • NetBIOS really is a software interface, not a
    protocol.
  • Most Microsoft networking implementations today
    use NBT (NetBIOS over TCP/IP).
  • With the advent of Win2k, NetBIOS is being
    deprecated. Other Microsoft protocols, such as
    SMB and CIFS (which used to be associated with
    NetBIOS), are still used, but now are running
    directly on TCP or UDP.

5
Security Threats
  • Security breaches are on an exponential increase.
  • There is a wide range of attacker profiles and
    objectives. Remember that the attacker may be
    after information or resources on your systems.
    The attack may also be simply random. It may be
    to damage your reputation.
  • Historically, Microsoft OSs have tended to be
    primary targets for gathering info or reputation
    attacks. With Win2k, there has been an increase
    in resource type attacks, since the systems are
    more powerful.

6
Attack Methods and Countermeasures
7
Authentication Compromise
  • The method focuses on acquiring an account and
    password.
  • This is a primary target for attackers.
  • Many ways to accomplish this:
      • Sniffers
      • Guessing
      • Plant bugs
      • Tap into wires
      • Set up hidden cameras
      • Dumpster diving
      • Info-gathering through null sessions, SNMP, etc.
      • Obtaining the encrypted passwords (hashes) from
        various sources

8
Authentication Compromise (cont.)
  • Once an attacker has an account, s/he will
    attempt to elevate their privilege level.
  • May also create a BackDoor.
  • One of the worst things that can happen to you is
    for an attacker to gain access to an
    administrative account (get root). This gives
    them ultimate control.

9
Authentication Compromise Countermeasures
  • Use an authentication system befitting the protected
    resource:
      • Something you have (smartcard)
      • Something you know (password)
      • Something you are (retina, fingerprint)
  • Basically you want a system that is not subject
    to MitM attacks, replay attacks, and
    cryptanalysis attacks. Some common strong systems:
      • Dial-back
      • Remote Authentication (RADIUS)
      • Global Positioning Systems
      • Token devices
      • Biometric devices
  • Make strong passwords.
  • Control access to authentication files.
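The slide asks for an authentication system that is not subject to replay: a password typed over Telnet can be sniffed and sent again, while a challenge-response exchange cannot. The following is an added example, not part of the lecture or any product it mentions; it plays both sides of a nonce-based HMAC challenge-response in Python and then shows why a captured response is useless to a replay. The shared secret, user name and message layout are constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed shared secrets for this example (in practice these live in a
# protected credential store, never on the wire).
SECRETS = {"alice": b"s3cret-shared-key-for-alice"}


class AuthServer:
    """Server side of a nonce-based challenge-response login."""

    def __init__(self, secrets):
        self.secrets = secrets
        self.pending = {}  # user -> nonce issued but not yet answered

    def challenge(self, user):
        # A fresh random nonce per attempt is what defeats replay: a captured
        # response is only valid for the nonce it was computed over.
        nonce = os.urandom(16)
        self.pending[user] = nonce
        return nonce

    def verify(self, user, response):
        nonce = self.pending.pop(user, None)  # single use: consumed on first check
        secret = self.secrets.get(user)
        if nonce is None or secret is None:
            return False
        expected = hmac.new(secret, nonce, hashlib.sha256).digest()
        # Constant-time comparison so the check itself leaks nothing.
        return hmac.compare_digest(expected, response)


def client_response(secret, nonce):
    """Client side: prove knowledge of the secret without ever sending it."""
    return hmac.new(secret, nonce, hashlib.sha256).digest()


def run_exchange():
    """One legitimate login, then the failures a sniffer or guesser gets."""
    server = AuthServer(SECRETS)
    results = {}

    # Legitimate login: the nonce goes out, the HMAC comes back, the secret
    # itself never travels on the wire.
    nonce = server.challenge("alice")
    response = client_response(SECRETS["alice"], nonce)
    results["fresh"] = server.verify("alice", response)

    # Replay: an eavesdropper captured `response` and sends it again. The
    # server has issued a new nonce, so the old response no longer matches.
    server.challenge("alice")
    results["replayed"] = server.verify("alice", response)

    # Wrong secret: a guessed password produces a different HMAC.
    nonce = server.challenge("alice")
    results["wrong_secret"] = server.verify("alice", client_response(b"guess", nonce))

    # Unknown account fails the same way, giving no hint that the user exists.
    results["unknown_user"] = server.verify("mallory", response)
    return results


if __name__ == "__main__":
    print(run_exchange())
```

The same idea underlies token devices and RADIUS challenge modes: the verifier learns that the other side holds the secret without the secret, or anything reusable, crossing the network. What the exchange does not protect against is a MitM who relays the challenge and response live, which is why the slide lists MitM resistance as a separate requirement.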

10
Improper Input Validation
  • The IIS web server is notorious for this - form
    variables, etc.
  • Buffer overflows are similar, but encompass more
    potential targets. They apply any time a program
    accepts input of any sort - even the TCP/IP
    stack.
  • Countermeasures:
      • The fix is theoretically simple - evaluate the
        input.
      • Though it seems simple, it is not - and it typically
        adds considerable programming time to the
        development of an application.
      • New API calls appear with every system upgrade
        that provide a more secure call than previous
        versions.
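"Evaluate the input" is easy to say and easy to get wrong, so here is what it looks like in practice for the form-variable case the slide names. This is an added example, not code from the lecture or from IIS: a Python validator for a hypothetical registration form that applies a hard length bound and an allowlist pattern to every field before any of it is used, and rejects fields the server never asked for. The field names, limits and sample submissions are all constructed.

```python
import re

# Constructed field rules for a hypothetical registration form: a hard length
# bound plus an allowlist pattern per field.
FIELD_RULES = {
    "username": (32, re.compile(r"[A-Za-z0-9_.-]+")),
    "email": (254, re.compile(r"[^@\s]+@[^@\s]+\.[A-Za-z]{2,}")),
    "age": (3, re.compile(r"[0-9]+")),
}


def validate_form(fields):
    """Check every submitted field before any of it is used.

    Returns (ok, errors) where errors maps field name -> reason. Checks run
    cheapest-first: presence, type, length, then the allowlist pattern, so an
    oversized value is rejected before the regex ever sees it.
    """
    errors = {}
    for name, (max_len, pattern) in FIELD_RULES.items():
        value = fields.get(name)
        if value is None:
            errors[name] = "missing"
        elif not isinstance(value, str):
            errors[name] = "wrong type"
        elif len(value) > max_len:
            # The length bound is the same discipline a C program needs before
            # copying input into a fixed-size buffer.
            errors[name] = "too long (%d > %d)" % (len(value), max_len)
        elif pattern.fullmatch(value) is None:
            # Allowlist, not denylist: anything not explicitly permitted fails.
            errors[name] = "disallowed characters"
    for name in fields:
        if name not in FIELD_RULES:
            # Extra parameters are a classic way to smuggle in state the form
            # never exposed (a privilege flag, a hidden price field).
            errors[name] = "unexpected field"
    return (not errors, errors)


def sample_submissions():
    """Constructed inputs: one clean, three malformed or hostile."""
    base = {"username": "alice", "email": "alice@example.com", "age": "34"}
    return {
        "clean": dict(base),
        "oversized": dict(base, username="a" * 5000),
        "malformed": dict(base, username="alice<b>", age="3O"),
        "extra_field": dict(base, is_admin="1"),
    }


if __name__ == "__main__":
    for label, submission in sample_submissions().items():
        print(label, validate_form(submission))
```

Two points the code makes that the slide only states: validation has to happen on the server, on every field, before the first use, and it is an allowlist (what is permitted) rather than a denylist (what is known to be bad), since the latter is exactly the "theoretically simple" fix that keeps failing on the next trick nobody listed.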

11
Compromised Trust Relationships
  • A trust relationship is where one system trusts
    another system. Once the connection has been
    verified as being the trusted system, a number of
    permissions are granted.
  • An attacker will attempt to disguise himself as a
    trusted system.
  • Obviously, obtaining account information fits
    into this category, but there are other
    possibilities.

12
Compromised Trusts: Techniques
  • IP Spoofing. Windows doesn't currently have any
    trust relationships based on IPs, but Unix does.
  • Session Hijacking. The author has confused this
    topic slightly. An attacker can hijack a
    session once it is established. By established
    here we mean that the trusted system has already
    identified itself. At this point, the hijacker
    knocks off the trusted system and disguises
    himself as the trusted system - thereby getting
    access to all of the resources that the trusted
    system could access.

13
Compromised Trusts: Man-in-the-Middle (MitM)
  • In this approach, the attacker places his machine
    between the two trusted machines. He fools the
    client into thinking he is the server, and fools
    the server into thinking he is the client.
  • The client sends all of his requests to the MitM.
  • The MitM then forwards those requests to the
    server.
  • The server responds to the MitM,
  • and the MitM relays the responses back to the
    client.
  • The MitM can subvert the requests, supplanting
    them with his own - but this would often lead to
    his discovery.
  • Most often, the MitM will simply listen, and
    gather sensitive data.
  • MitM is typically only possible on a local basis
    - using ARP poisoning to fool the client and
    server. It is possible in a remote situation only
    if source routing is allowed by all the
    intermediate routers (which is very unlikely
    today).

14
Compromised Trusts: DNS Cache Poisoning
  • In this type of attack, the DNS resolution for a
    particular domain name is changed, so that the
    domain name points to the attacker's machine.
  • The unaware client connects to the attacker's
    machine, believing that he is connecting to the
    real server.
  • The attacker could then have an official-looking
    site that continues to fool the client into
    giving up sensitive information.

15
Compromised Trusts: War Dialing
  • This is a technique to attempt to find a Modem to
    connect to.
  • More often than not, Modems have connections that
    bypass the institution's firewall. This gets the
    attacker immediately on the inside.
  • Often also, Modem connections have weak
    passwords, or none at all.
  • War dialing refers to running a program that
    dials automatically through ranges of phone
    numbers, and records whenever a Modem answers.

17
Compromised Trusts: Wireless
  • Many companies are now going to wireless LANs.
  • For the most part, wireless is inherently
    insecure, since the information is transmitted
    through the air, available to anyone in the area
    with a receiver.
  • A new term, War Driving, has appeared - it refers
    to driving around with a wireless receiver
    attempting to find a signal. Once a signal is
    found, it is a fairly easy process to get a
    connection to the target's network and begin
    sniffing and exploring.

18
Compromised Trusts: Countermeasures
  • Use switches instead of hubs to help avoid
    sniffing and MitM attacks. Also monitor the network
    for promiscuous-mode devices. Consider using
    fiber optic cable for runs that are outside your
    physical control (fiber cannot be monitored with
    EM devices).
  • Secure your DNS structure. Be sure to define
    which machines can do zone transfers and which
    machines can supply updates.
  • Use your router filters to prevent IP spoofing.
  • Use encryption where possible. IPSec is a
    built-in Win2k solution.
  • Use wireless challenge-based authentication
    before giving out an IP address.
  • Eliminate Modems if possible. If not, ensure that
    they are OUTSIDE the firewall, and be sure they
    have adequate authentication with solid passwords.
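The MitM slide says local MitM is done with ARP poisoning, and this slide says to monitor the network for it. The two leave the same trace on the wire, which a monitor can look for: an IP address being answered by more than one MAC, and a single MAC answering for several IP addresses (the attacker has to impersonate both ends to sit between them). The following is an added example, not code from the lecture or from any monitoring product; it parses a constructed capture written in the style of tcpdump's ARP output and reports both patterns, plus any deviation from a static gateway mapping the operator supplies. The addresses, MACs and timestamps are all constructed.

```python
import re
from collections import defaultdict

# Constructed capture, in the style of tcpdump's ARP output. The first replies
# are the real gateway (10.0.0.1) and a workstation (10.0.0.20); the host at
# de:ad:be:ef:00:99 then answers for both, which is what ARP poisoning for a
# MitM between the two looks like on the wire.
SAMPLE_CAPTURE = """\
12:00:01.000 ARP, Request who-has 10.0.0.1 tell 10.0.0.20
12:00:01.001 ARP, Reply 10.0.0.1 is-at 00:11:22:33:44:01
12:00:02.000 ARP, Reply 10.0.0.20 is-at 00:11:22:33:44:20
12:00:05.000 ARP, Reply 10.0.0.1 is-at de:ad:be:ef:00:99
12:00:05.100 ARP, Reply 10.0.0.20 is-at de:ad:be:ef:00:99
12:00:09.000 ARP, Reply 10.0.0.30 is-at 00:11:22:33:44:30
"""

REPLY_RE = re.compile(
    r"^(?P<ts>\S+) ARP, Reply (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) is-at "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})",
    re.IGNORECASE,
)


def parse_replies(text):
    """Return (timestamp, ip, mac) for each ARP reply; other lines are ignored."""
    replies = []
    for line in text.splitlines():
        m = REPLY_RE.match(line)
        if m:
            replies.append((m["ts"], m["ip"], m["mac"].lower()))
    return replies


def find_arp_conflicts(replies, known=None):
    """Flag the patterns ARP poisoning produces.

    known: optional static ip -> mac map for hosts that must not move (the
    gateway, servers). Returns a list of (kind, subject, details) alerts.
    """
    known = {ip: mac.lower() for ip, mac in (known or {}).items()}
    ip_to_macs = defaultdict(set)
    mac_to_ips = defaultdict(set)
    for _ts, ip, mac in replies:
        ip_to_macs[ip].add(mac)
        mac_to_ips[mac].add(ip)

    alerts = []
    for ip, macs in ip_to_macs.items():
        if len(macs) > 1:
            alerts.append(("ip-claimed-by-multiple-macs", ip, sorted(macs)))
        if ip in known and macs != {known[ip]}:
            alerts.append(("known-mapping-violated", ip, sorted(macs - {known[ip]})))
    for mac, ips in mac_to_ips.items():
        if len(ips) > 1:
            # One interface answering for several addresses is the MitM shape.
            alerts.append(("mac-claims-multiple-ips", mac, sorted(ips)))
    return alerts


if __name__ == "__main__":
    replies = parse_replies(SAMPLE_CAPTURE)
    for alert in find_arp_conflicts(replies, known={"10.0.0.1": "00:11:22:33:44:01"}):
        print(*alert)
```

Treat the alerts as leads rather than verdicts: a replaced NIC, a DHCP lease moving to another host, or a router pair sharing a virtual MAC will trip the same checks, so the static `known` map for hosts that genuinely never move is what separates a real poisoning from noise. On a switched network the monitor only sees the replies that reach its own port, which is one reason the slide pairs switches with active monitoring rather than relying on either alone.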

19
Network Services Attacks
  • This is why we have computers on the network to
    begin with. We want to supply services to workers
    or customers via the network.
  • A network service is a PROGRAM that runs on a
    computer.
  • When the service runs, it typically opens a port
    and listens for incoming requests to connect.
  • Since services are programs, they are vulnerable
    as any type of program - due primarily to
    programming bugs or issues that were not
    considered when the program was created.

20
Network Services Attacks: Traditionally Weak Services
  • Telnet. All traffic is transmitted as clear text
    (including user IDs and passwords). Therefore,
    passwords can easily be sniffed.
  • File sharing. Two major file-sharing protocols
    (NFS from a Unix background and SMB from Microsoft)
    have a number of vulnerabilities which we will
    look at throughout the semester.
  • Email.
      • There have been a lot of vulnerabilities discovered
        in almost every version of SMTP that has been
        released. Microsoft Exchange is a relatively safe
        implementation.
      • There are lots of ways email can be simply
        forged. Forging return addresses can be used to
        embarrass someone whose name has been forged, or
        to convince a user to give up information.
      • Spamming is yet another email issue.
      • Digital signatures help avoid such ploys.

21
Network Services Attacks: Traditionally Weak Services
  • MIME (Multipurpose Internet Mail Extensions).
    Provides a way to insert a variety of different
    media formats into email. Potentially dangerous
    since email can now contain viruses, etc.
  • FTP. Like telnet, transfers over FTP are clear
    text. FTP is used to transfer files, so the files
    themselves can be malicious. If not configured
    correctly, FTP is often a gateway into the rest
    of the file system.
  • DNS. If not configured correctly it can provide
    an attacker with a lot of information concerning
    the organizations network structure. Also, DNS
    servers can be poisoned (as discussed earlier).

22
Network Services Attacks: Traditionally Weak Services
  • Web Server-to-Client attacks (often referred to
    as data-driven or content-driven attacks).
  • These involve the use of Java, ActiveX, JS,
    VBScript, etc to attack the client by doing
    things like accessing the local file system,
    gathering info, starting services, installing
    services.

23
Network Services Attacks: Countermeasures
  • We must have network services - otherwise we
    wouldn't need the network. But there are a few
    fundamental principles that can be applied to
    improve security:
  • Remove/disable any and all services which are not
    used. Many services are installed by default -
    beware of these.
  • Ensure that you have installed the latest tested
    version of a service, and the latest patches and
    upgrades for that service (particularly those
    that pertain to security).
  • Subscribe to any listservs that deal with the
    particular services that you run - paying special
    attention to those that pertain to security for
    that service.

24
Denial of Service Attacks (DoS)
  • An attack that focuses on removing a resource
    from the network.
  • Feature- or protocol-driven attacks take advantage
    of vulnerabilities in particular features of a
    service. They are basically impossible to prevent
    unless you disable the feature or protocol. A
    flooding attack is an example of this.
  • Configuration-based attacks rely on improperly
    configured services.
  • Programming flaws often provide an avenue of
    attack - quite often via a buffer overflow.
  • DDoS uses several machines to deliver a DoS at
    the same time. DDoS is most effective when the
    type of attack is a flood of packets.

25
Denial of Service Attacks (DoS): Countermeasures
  • DoS attacks on features or protocols are hard to
    prevent.
  • The best you can do is set limits.
  • Protocol limits can typically only be set with
    border devices, such as routers and firewalls.
  • Feature limitations are typically available
    through the service configuration. If you see a
    feature that you are not familiar with, disable
    it. Only enable it when you find you need it.
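"The best you can do is set limits" is what a router or firewall rate limit does, and the usual mechanism behind it is a token bucket: each source earns tokens at a fixed rate up to a burst ceiling, and every packet spends one. The following is an added example, not code from the lecture or from any router or firewall product; it implements a per-source token bucket in Python and runs it over constructed traffic in which one normal client and one flooding source arrive together, so the effect of the limit on each can be read off directly. The addresses, rates and timings are all constructed.

```python
from collections import defaultdict


class TokenBucket:
    """Per-source limiter: `rate` tokens per second refill, `burst` maximum."""

    def __init__(self, rate, burst):
        self.rate = float(rate)
        self.burst = float(burst)
        self.tokens = float(burst)
        self.last = None

    def allow(self, now):
        if self.last is None:
            self.last = now
        # Refill in proportion to elapsed time, never beyond the burst size.
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def apply_limits(events, rate, burst):
    """events: iterable of (timestamp_seconds, source_ip).

    Enforces one bucket per source and returns, per source, how many events
    were passed and how many were dropped.
    """
    buckets = {}
    stats = defaultdict(lambda: {"allowed": 0, "dropped": 0})
    for ts, src in sorted(events):
        bucket = buckets.setdefault(src, TokenBucket(rate, burst))
        stats[src]["allowed" if bucket.allow(ts) else "dropped"] += 1
    return dict(stats)


def sample_events():
    """Constructed traffic: a normal client sending 2 requests/s for 5 s, and a
    single flooding source sending 200 requests inside one second."""
    events = [(i * 0.5, "10.0.0.20") for i in range(10)]
    events += [(2.0 + i * 0.005, "203.0.113.7") for i in range(200)]
    return events


if __name__ == "__main__":
    # Allow a sustained 5 requests/s per source with a burst of 10.
    print(apply_limits(sample_events(), rate=5, burst=10))
```

With a limit of 5 per second and a burst of 10, the normal client never loses a request while the flooder gets roughly its first ten through and then one per 40 attempts. The limit also shows why the previous slide calls DDoS the effective form of flooding: a per-source bucket does nothing against a flood spread over many sources that each stay under the rate, so border devices usually combine per-source limits with an aggregate limit on the protocol as a whole.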

26
Malicious Software Attacks
  • Malicious software:
      • Viruses and worms
      • Trojan horses
      • Backdoors
  • Countermeasures:
      • Ensure that your company's employees are trained.
      • Install and use AV software, and ensure it stays
        updated.
      • Use SMTP filters to remove malicious content
        from email.

27
Basic Countermeasure Principles
  • Create policies
  • Set up a response team
  • Train employees to make good security decisions in
    everyday business
  • Check your own vulnerabilities
  • Identify your important resources and weight them
  • Identify your likely targets