88 Cards in this Set

What motivations are there for attacks?

- Challenge, curiosity, status gain among hackers
- Political agenda or revenge
- Financial gain

What are the goals of attackers?

- Fraud/theft (e.g. credit card details or identity)
- Violation of data integrity
- Vandalism/sabotage
- Denial of service

Points of Attack

- Client, server, communication
- Hardware, software, data, people
- Threats are blocked by controlling the vulnerabilities they exploit

Security goals

- Confidentiality (access only by authorised parties)
- Integrity (modification only by authorised parties)
- Availability (access available at all appropriate times to the authorised people)

Insecurities in Networks

- Internet protocols must be open
- Large amounts of data stored in one place
- All computers are networked (ease of access)
- Little forensic evidence of crimes
- Incomplete legislation
- Pressure to release software quickly without full security measures

Protection controls

- Physical hardware
- Software
- Data encryption
- Policies and procedures

Principle of adequate protection

- Security measures should be commensurate with the value of the asset
- Assets should only be protected until they lose their value

Methods of defence

- Prevention
- Deterrence
- Deflection
- Detection
- Recovery

Protection Effectiveness

- Controls should be used properly; they must be efficient, easy to use and appropriate
- Awareness of problems
- Overlapping controls
- Periodic review

Types of Attack

1. Non-technical (physical access)
2. Intercepting communications
3. Password cracking
4. Buffer overflow
5. Denial of service
6. Viruses, worms, trojan horses
7. Port scanners
8. Spoofing
9. Back doors
10. Scripting vulnerabilities
11. Database vulnerabilities
12. Executable content
13. Cookies

Describe 'People' Attacks

- People are often the weakest link (an insider abusing their position, employees not following policies, attackers collecting social media data)
- Social engineering, e.g. phishing

Protection against People Attacks

- Vetting personnel
- Education and awareness
- Strict security policies
- Access control
- Anti-spam filters to detect phishing

Describe Physical Access Attacks

- Targets: computers, data centres, mobile devices, routers, data storage
- These can be lost, stolen, destroyed or modified

Protect against physical access attacks

- Physically secure the computing system
- Secure or control access to rooms
- Backups and mirror sites
- Password-protected devices
- Controlling access from mobile devices to the company network (VPN)

Describe Intercepting Communications attacks

- access to cables, network taps, or intercepting wireless communications if in range

Protection against communication interception attacks

- Shielded and alarmed cables
- Using strong wireless protocols that ensure confidentiality, authentication and integrity

Describe ways attackers can use passwords

- Non-technical (looking over someone's shoulder)
- Default accounts and passwords
- Password crackers (trying likely passwords)
- Downloading the encrypted password file and cracking passwords offline
- Recording keystrokes
- The same password reused across different sites
- Passwords sent unencrypted can be intercepted by sniffers

Protection against password attacks

- Common sense (don't write them down)
- Choose strong passwords
- Mask them with asterisks in forms
- Change default passwords
- Timed-out sessions
- Locking after a number of incorrect attempts
- Store as a hash, or a hash and salt
- Only submit passwords through encrypted connections (e.g. SSL)

What is a salt for passwords?

A random value stored in the clear alongside the hash, so that attackers cannot use pre-computed hashes of common passwords

Describe Buffers

Buffers are designed to hold data of a certain length; larger data can cause unexpected behaviour, such as overwriting other areas of memory

Describe buffer vulnerabilities

- This is a very common vulnerability
- Typical targets for overwriting: the stack (used for procedure calls) and the heap (used for dynamic memory allocation)
- Buffer over-read: reading more data than the length of the buffer (e.g. Heartbleed)

Protection against buffer attacks

Writing secure programs:

- Always check the number of arguments for functions
- Check parameters passed via URL
- Check the range of indices
- Check for special characters in input (they can introduce commands)

List the types of denial of service attacks

- SYN flood
- Ping
- Reflection and amplification
- Distributed Denial of Service (DDoS)

Describe SYN Flood

Uses the TCP/IP protocol: the attacker does not complete the last step of the three-way handshake, so the connection is left open until it times out. The source of the attack is often spoofed

What operating systems do SYN Flood attack?

Unix and Windows

How to protect against SYN flood attacks?

- Set a shorter timeout / longer queue
- Block the IP address (although this can be spoofed)
- SYN cookies

Describe a Ping

Command used to check if host is reachable, by sending a request to which the host should respond

Describe Ping flood attack

Sends more pings than the host can handle

Describe ping of death

Sends a fragmented, oversized ping packet, causing a buffer overflow

How to protect against ping attacks

- Hosts can be set to not respond to ping
- Firewall: can filter incoming echo request packets (though this prevents legitimate users measuring latency), or limit the number of echo request packets during a given time

Describe Reflection Attacks

The attacker spoofs their IP address to be the IP address of the intended victim, then sends IP packets to a third party, who responds to the victim's IP address; the attack is thus reflected through the third party

Describe Amplification Attacks

Attacker exploits some protocol/application where they send a small amount of data but the reply is a considerably larger amount of data. This is often combined with Reflection

Describe DNS or NTP amplification

The attacker sends a request to a DNS or NTP server with the source address spoofed to be the IP address of the intended victim, often using a command that returns a large amount of data

Describe DDoS Attacks

Large number of computers send a large number of legitimate looking requests to a target server at the same set time, or do a reflection/amplification on this target

What advantages are there for DDoS attackers?

Multiple machines can generate more attack traffic than one machine

How are DDoS hosts recruited?

Usually through a virus/worm infection. They form a bot-net that can be controlled remotely, or there are bot-nets for hire

How to protect against DDoS attacks?

- Distinguish legitimate packets
- Avoid infection by virus/worm
- Limit requests from certain IP addresses
- Use large-capacity servers (load balancing)
- Close NTP servers to external enquiries
- Firewalls can prevent some outgoing DDoS traffic

Describe Port/Network Scanners

These check for open ports on a machine that are listening for incoming connections, e.g. an HTTP server. They can be used by system admins to check that the system is working according to policy

How can port/network scanners be used by attackers?

For reconnaissance, allowing the attacker to plan a suitable attack

Protection against Port/Network scanners

Firewalls or Intrusion Detection Systems

Describe Packet Analysers/Sniffers

Packet analysers intercept network traffic (a host normally only opens packets addressed to it). They are used for legitimate purposes, e.g. intrusion detection or monitoring performance

How are packet analysers/sniffers used by attackers?

For intercepting sensitive data

How to protect against packet analysers/sniffers?

Encrypt sensitive data

Describe Viruses

A program that infects files, and can replicate itself in other files, usually performing malicious/disruptive operations on the host computer

Where do viruses infect?

- Executable files
- Data files
- The boot sector, to launch at boot time
- They may also write entries in the registry

How do viruses work?

The virus code (its signature) is inserted into the target file

How do virus scanners work?

They recognise the virus 'signature' (code) to identify them

What are encrypted viruses?

The virus code is encrypted; only the encryption module and the key are left in the clear

What are polymorphic viruses?

Produce variations of the virus code to prevent detection

What are worms?

Independent malicious programs that can spread through a network without the help of other infections and do not need to attach themselves to other programs

What is a trojan horse?

Programs that look legitimate but also perform malicious operations in the background, such as installing key loggers or backdoors

How to protect against viruses/worms/trojan horses?

- Regularly update antivirus software
- Install operating system patches
- Protect the boot sector by disabling booting from removable media
- Don't open suspicious attachments or download from suspicious sources
- Make backups for restoring after an infection

Describe back doors

After gaining access to a computer, an intruder may install a back door to allow remote access later. Worms or trojan horses may also install them automatically

Describe spoofing in websites

Fake websites masquerading as another trusted site to extract information. They often rely on typos to divert traffic. Phishing attacks often use spoofed websites

Protection against spoofed websites?

- Server authentication using digital certificates (as in SSL)
- Common sense: only use known URLs

Describe spoofed IP addresses

Used to redirect the response to another host, or make it hard to trace origin of attacks

Protection against spoofed IP addresses?

Prevention: outgoing packets can be filtered by the firewall so that only packets with a source IP address on the internal network get through

Describe spoofed email addresses

The 'from' and 'reply to' fields can be spoofed. Used for sending spam, phishing emails, spreading worms and defamation

How to prevent spoofed emails?

SenderID, SPF, DKIM, DMARC. Most mail servers have built-in filters that check server authentication of incoming mail and automatically ignore or quarantine suspicious-looking emails

Describe Cookies

Cookies are files that a web server can pass to a client's web browser, to be stored on the client's computer. Once received, a cookie is sent back to the same server each time a document is requested from that server. Cookies can be transient or permanent

What are the purposes of cookies?

- Maintaining state between pages, e.g. a shopping basket
- Displaying personalised information, e.g. ads
- Storing subscription information
- Storing an ID that is a key into a database holding user info
- Allowing web analytics

What are the security benefits of cookies?

Data is stored on the client computer, not the server

What are the security threats of cookies?

- Ethical problems from profiling users
- Anyone intercepting cookies can impersonate the client and gain access to their information, if a cookie stores access permission information
- Cookies can be modified by users

Explain compliance for cookies

- Lots of legislation, including UK law in 2011
- Requires the site to obtain users' consent for setting cookies
- Most sites are compliant by informing the user and assuming consent
- Some sites allow users to opt out of all but essential cookies; however, this choice is itself stored in a cookie

Cookie protection

- Can be disabled by the client
- Can be encrypted by the server
- Extra authentication should be required for cookies containing sensitive information, e.g. when changing account details

Other potential threats

- Identity theft
- Browsing history on shared computers
- Web bugs (1x1 pixels) on sites or in emails to track users and collect statistics

Describe the general properties of firewalls

- Act as a filter for traffic between two networks
- Provide a single point of access
- Ideally installed on a dedicated computer with only strictly necessary software installed, to prevent lower performance or infection
- Often combined with routers

What are firewalls used to protect?

LAN and webservers

What is a DMZ?

A DMZ (demilitarised zone), used for e-commerce websites, consists of an inner and an outer firewall around the web server

List the types of firewall

- Packet filters
- Circuit level gateway
- Proxies (application level gateway)
- Stateful inspection

What are packet filters?

Routers that filter packets at the network layer according to rules set up by the administrator

How do routers filter packets?

Packet by packet, depending on source and destination IP addresses, and port/protocol numbers

Describe default behaviour of packet filters

Default permit and default deny

Disadvantages of packet filters?

- Do not care about data content, just the destination
- Simplistic inspection

Describe the circuit level gateway firewall

- Works at the transport layer, establishing two TCP connections and then relaying segments between them
- Monitors the TCP handshake and only allows in data which is part of an established connection

Advantages of the circuit level gateway firewall

Non-requested data from outside the firewall is not permitted: all ports are closed until the firewall opens them

Disadvantages of the circuit level gateway firewall

Any type of data requested from inside the firewall will be allowed through

Describe the proxy firewall

- Proxies act as an intermediary, handling sent and received information for a particular application
- There is a proxy for each application protocol (HTTP, FTP, Telnet); protocols with no proxy will not work

Advantages of the proxy firewall

- More in-depth inspection than a circuit level gateway
- Considered very secure because of the level of control offered

Disadvantages of the proxy firewall

Requires significant configuration, and is slower because of the proxy applications

Describe Stateful Inspection

- Combines filtering at 3 layers (network, transport, application)
- Keeps track of connections and takes filtering decisions based on the context
- Holds in memory the state of each connection from start to finish

What makes personal firewalls different?

Different scale: typically designed for end users, so they only protect the computer on which they are installed

List the functionality of personal firewalls

1. Alert the user to outgoing connection attempts
2. Allow the user to control program permissions
3. Hide the computer from port scans
4. Monitor connections and traffic
5. Prevent unwanted network traffic from local applications
6. Options to block ICMP messages, e.g. ping

Advantages of firewalls

1. Defines a single access point, which is easier to control
2. Protection against network scanners, remote login, IP spoofing and routing attacks
3. Can be used to implement VPNs

Limitations of firewalls

- Do not protect against internal threats
- Do not protect against data-driven attacks (e.g. viruses, flaws in web server software)
- Can create a false sense of security

Describe Intrusion Detection Systems

- Software tools that scan the network/host as it runs, alerting the admin to signs of suspicious activity
- Keep activity logs for auditing
- Very similar to IPS or IDPS

IDS can monitor...

a host or a network (can run in stealth mode)

IDS can be based on...

- Statistical anomaly detection
- Rule-based/signature-based detection (for known attacks)