Title: TSM 352
1 Introduction
- TSM 352
- System Security
- Reference: Sheldon, Chs. 1-3
2 TCP Review
- TCP/IP, though funded by the military, was not designed to be highly secure.
- The protocol suite is robust in terms of providing protection against failure of nodes and lines.
- Early Windows systems had a very poor stack. Microsoft has spent a lot of time and effort to re-write the stack, and it has improved considerably for Win2k and XP.
- Some totally new features for the Win2k TCP/IP stack:
  - Designed to support plug-and-play
  - Supports QoS
  - Supports IPSec
- Not long after Win2k appeared, there were already new attacks out against the Win2k TCP/IP stack. UDP fragmentation was one example. It can cause Win2k machines to lock up, using 100% of the CPU. SP3 clears this up.
3 OSI Model
- Review your OSI Model.
- Pay particular attention to its relationship to the TCP/IP Model.
4 Microsoft-specific Protocols
- Be aware of other lower layer protocols beyond those in the TCP/IP suite.
- Historically, Microsoft networking has been built on top of NetBIOS.
- NetBIOS really is a software interface, not a protocol.
- Most Microsoft networking implementations today use NBT (NetBIOS over TCP/IP).
- With the advent of Win2k, NetBIOS is being deprecated. Other Microsoft protocols, such as SMB and CIFS (which used to be associated with NetBIOS), are still used, but now are running directly on TCP or UDP.
5 Security Threats
- Security breaches are on an exponential increase.
- There is a wide range of attacker profiles and objectives. Remember that the attacker may be after information or resources on your systems. The attack may also be simply random. It may be to damage your reputation.
- Historically, Microsoft OSs have tended to be primary targets for gathering info or reputation attacks. With Win2k, there has been an increase in resource type attacks, since the systems are more powerful.
6 Attack Methods & Countermeasures
7 Authentication Compromise
- The method focuses on acquiring an account and password.
- This is a primary target for attackers.
- Many ways to accomplish this:
  - Sniffers
  - Guessing
  - Plant bugs
  - Tap into wires
  - Set up hidden cameras
  - Dumpster diving
  - Info-gathering through null sessions, SNMP, etc.
  - Obtaining the encrypted passwords (hashes) from various sources
8 Authentication Compromise (cont.)
- Once an attacker has an account, s/he will attempt to elevate their privilege level.
- May also create a backdoor.
- One of the worst things that can happen to you is for an attacker to gain access to an administrative account (get root). This gives them ultimate control.
9 Authentication Compromise: Countermeasures
- Use an authentication system befitting the protected resource:
  - Something you have (smartcard)
  - Something you know (password)
  - Something you are (retina, fingerprint)
- Basically you want a system that is not subject to MitM attacks, replay attacks, and cryptanalysis attacks. Some common strong systems:
  - Dial-back
  - Remote Authentication (RADIUS)
  - Global Positioning Systems
  - Token devices
  - Biometric devices
- Make strong passwords.
- Control access to authentication files.
10 Improper Input Validation
- IIS Web server is notorious for this - form variables, etc.
- Buffer overflows are similar, but encompass more potential targets. They apply anytime a program accepts input of any sort - even the TCP/IP stack.
- Countermeasures
  - The fix is theoretically simple - evaluate the input.
  - Though it seems simple, it is not - and typically adds considerable programming time to the development of an application.
  - There are new API calls appearing with every system upgrade that provide a more secure call than previous versions.
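As an added illustration of the "evaluate the input" countermeasure (example code written for these notes, not from the referenced text): a form-variable handler that copies into a fixed buffer without any bound, beside a version that checks length and content before copying. The buffer size and the `handle_username` function are assumptions for the illustration.

```c
#include <stdio.h>
#include <string.h>

#define NAME_LEN 16   /* assumed size of the form-variable buffer */

/* Defective pattern the slide describes: the input is copied without
 * being evaluated, so a value longer than dst overwrites whatever sits
 * next to it on the stack. Shown for contrast only. */
int copy_unchecked(char *dst, const char *src)
{
    strcpy(dst, src);                       /* no bound check at all */
    return 0;
}

/* Hardened version: evaluate before copying. Refuses (rather than
 * silently truncates) input that does not fit, and refuses control
 * characters a username field should never carry.
 * Returns 0 on success, -1 if the input is rejected. */
int copy_checked(char *dst, size_t dst_len, const char *src)
{
    size_t n = 0;
    while (n < dst_len && src[n] != '\0')   /* never scan past dst_len */
        n++;
    if (n >= dst_len)                       /* no room for the NUL */
        return -1;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)src[i];
        if (c < 0x20 || c == 0x7f)
            return -1;
    }
    memcpy(dst, src, n);
    dst[n] = '\0';
    return 0;
}

/* Assumed form handler: 1 if the username was accepted, 0 if rejected. */
int handle_username(const char *form_value)
{
    char name[NAME_LEN];
    return copy_checked(name, sizeof name, form_value) == 0 ? 1 : 0;
}

int main(void)
{
    printf("alice -> %d\n", handle_username("alice"));
    printf("24 x 'a' -> %d\n", handle_username("aaaaaaaaaaaaaaaaaaaaaaaa"));
    return 0;
}
```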
11 Compromised Trust Relationships
- A trust relationship is where one system trusts another system. Once the connection has been verified as being the trusted system, a number of permissions are granted.
- An attacker will attempt to disguise himself as a trusted system.
- Obviously, obtaining account information fits into this category, but there are other possibilities.
12 Compromised Trusts: Techniques
- IP Spoofing. Windows doesn't currently have any trust relationships based on IPs, but Unix does.
- Session Hijacking. The author has confused this topic slightly. An attacker can hijack a session once it is established. By established here we mean that the trusted system has already identified itself. At this point, the hijacker knocks off the trusted system and disguises himself as the trusted system - thereby getting access to all of the resources that the trusted system could access.
13 Compromised Trusts: Man-in-the-Middle (MitM)
- In this approach, the attacker places his machine between the two trusted machines. He fools the client into thinking he is the server, and fools the server into thinking he is the client.
- The client sends all of his requests to the MitM.
- The MitM then forwards those requests to the server.
- The server responds to the MitM,
- and the MitM relays the responses back to the client.
- The MitM can subvert the requests, supplanting them with his own - but this would often lead to his discovery.
- Most often, the MitM will simply listen, and gather sensitive data.
- MitM is typically only possible on a local basis - using ARP poisoning to fool the client and server. It is possible in a remote situation only if source routing is allowed by all the intermediate routers (which is very unlikely today).
14 Compromised Trusts: DNS Cache Poisoning
- In this type of attack, the DNS resolution for a particular domain name is changed, so that the domain name points to the attacker's machine.
- The unaware client connects to the attacker's machine, believing that he is connecting to the real server.
- The attacker could then have an official-looking site that continues to fool the client into giving up sensitive information.
15 Compromised Trusts: War Dialing
- This is a technique to attempt to find a modem to connect to.
- More often than not, modems have connections that bypass the institution's firewall. This gets the attacker immediately on the inside.
- Often also, modem connections have weak passwords, or none at all.
- War dialing refers to running a program that dials automatically through ranges of phone numbers, and records whenever a modem answers.
17 Compromised Trusts: Wireless
- Many companies are now going to wireless LANs.
- For the most part, wireless is inherently insecure, since the information is transmitted through the air, available to anyone in the area with a receiver.
- A new term, War Driving, has appeared - it refers to driving around with a wireless receiver attempting to find a signal. Once a signal is found, it is a fairly easy process to get a connection to the target's network and begin sniffing and exploring.
18 Compromised Trusts: Countermeasures
- Use switches instead of hubs to help avoid sniffing and MitM attacks. Also monitor the network for promiscuous-mode devices. Consider using fiber optic cable for runs which are out of your physical control (fiber cannot be monitored with EM devices).
- Secure your DNS structure. Be sure to define which machines can do zone transfers and which machines can supply updates.
- Use your router filters to prevent IP spoofing.
- Use encryption where possible. IPSec is a built-in W2k solution.
- Use wireless challenge-based authentication before giving out an IP.
- Eliminate modems if possible. If not, ensure that they are OUTSIDE the firewall, and be sure they have adequate authentication with solid passwords.
19 Network Services Attacks
- This is why we have computers on the network to begin with. We want to supply services to workers or customers via the network.
- A network service is a PROGRAM that runs on a computer.
- When the service runs, it typically opens a port and listens for incoming requests to connect.
- Since services are programs, they are as vulnerable as any type of program - due primarily to programming bugs or issues that were not considered when the program was created.
20 Network Services Attacks: Traditionally Weak Services
- Telnet. All traffic is transmitted as clear text (including user IDs and passwords). Therefore, passwords can easily be sniffed.
- File Sharing. Two major file-sharing protocols (NFS from a Unix background and SMB from Microsoft) have a number of vulnerabilities which we will look at throughout the semester.
- Email.
  - There have been a lot of vulnerabilities discovered in almost every version of SMTP that has been released. Microsoft Exchange is a relatively safe implementation.
  - There are lots of ways email can be simply forged. Forging return addresses can be used to embarrass someone whose name has been forged, or to convince a user to give up information.
  - Spamming is yet another email issue.
  - Digital signatures help avoid such ploys.
21 Network Services Attacks: Traditionally Weak Services
- MIME (Multipurpose Internet Mail Extensions). Provides a way to insert a variety of different media formats into email. Potentially dangerous since email can now contain viruses, etc.
- FTP. Like telnet, transfers over FTP are clear text. FTP is used to transfer files, so the files themselves can be malicious. If not configured correctly, FTP is often a gateway into the rest of the file system.
- DNS. If not configured correctly it can provide an attacker with a lot of information concerning the organization's network structure. Also, DNS servers can be poisoned (as discussed earlier).
22 Network Services Attacks: Traditionally Weak Services
- Web Server-to-Client attacks (often referred to as data-driven or content-driven attacks).
- These involve the use of Java, ActiveX, JS, VBScript, etc. to attack the client by doing things like accessing the local file system, gathering info, starting services, installing services.
23 Network Services Attacks: Countermeasures
- We must have network services - otherwise we wouldn't need the network. But, there are a few fundamental principles that can be applied to improve security:
- Remove/disable any and all services which are not used. Many services are installed by default - beware of these.
- Ensure that you have installed the latest tested version of a service, and the latest patches and upgrades for that service (particularly those that pertain to security).
- Subscribe to any listservs that deal with the particular services that you run - paying special attention to those that pertain to security for that service.
24 Denial of Service Attacks (DoS)
- An attack that focuses on removing a resource from the network.
- Feature- or protocol-driven: takes advantage of vulnerabilities of particular features of a service. They are basically impossible to prevent unless you disable the feature or protocol. A flooding attack is an example of this.
- Configuration-based: relies on improperly configured services.
- Programming flaws often provide an avenue of attack - quite often with a buffer overflow.
- DDoS uses several machines to deliver a DoS at the same time. DDoS is most effective when the type of attack is a flood of packets.
25 Denial of Service Attacks (DoS): Countermeasures
- DoS on features or protocols is hard to prevent.
- The best you can do is set limits.
- Protocol limits can typically only be set with border devices, such as routers and firewalls.
- Feature limitations are typically available through the service configuration. If you see a feature that you are not familiar with, disable it. Only enable it when you find you need it.
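An added example (written for these notes, not from the referenced text) of "setting a limit" against a flooding attack: a per-source token bucket of the kind a border device applies, where each source address may burst up to BURST packets and is then admitted at RATE packets per second. The table size, burst and rate values are assumed for the illustration.

```c
#include <stdint.h>
#include <string.h>

#define MAX_SOURCES 64   /* assumed: how many sources we track */
#define BURST 10.0       /* assumed: packets a source may send at once */
#define RATE  5.0        /* assumed: packets per second refilled after that */

struct bucket {
    uint32_t src;     /* source address, host byte order */
    double   tokens;  /* packets this source may still send */
    double   last;    /* time of last refill, seconds */
    int      used;
};
static struct bucket table[MAX_SOURCES];

void limiter_reset(void) { memset(table, 0, sizeof table); }

static struct bucket *lookup(uint32_t src, double now)
{
    for (int i = 0; i < MAX_SOURCES; i++)
        if (table[i].used && table[i].src == src)
            return &table[i];
    for (int i = 0; i < MAX_SOURCES; i++)
        if (!table[i].used) {            /* new source starts with a full burst */
            table[i].src = src;  table[i].tokens = BURST;
            table[i].last = now; table[i].used = 1;
            return &table[i];
        }
    return NULL;                         /* table full: fail closed */
}

/* Returns 1 if a packet from src arriving at time now (seconds) is
 * admitted, 0 if it exceeds the limit and should be dropped. */
int admit(uint32_t src, double now)
{
    struct bucket *b = lookup(src, now);
    if (b == NULL)
        return 0;
    if (now > b->last) {                 /* refill for elapsed time, capped at BURST */
        b->tokens += (now - b->last) * RATE;
        if (b->tokens > BURST) b->tokens = BURST;
        b->last = now;
    }
    if (b->tokens >= 1.0) {
        b->tokens -= 1.0;
        return 1;
    }
    return 0;
}
```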
26 Malicious Software Attacks
- Malicious Software
  - Viruses and Worms
  - Trojan Horses
  - Backdoors
- Countermeasures
  - Ensure that your company's employees are trained.
  - Install and use AV software, and ensure it stays updated.
  - Use SMTP filters to remove malicious contents of email.
27 Basic Countermeasure Principles
- Create policies
- Set up a response team
- Train employees to make good security decisions in everyday business
- Check your own vulnerabilities
- Identify your important resources and weight them
- Identify your likely targets