Basics of Information Security

Published on March 2017

Introduction to Information Security
Security can be defined as a state of freedom from danger, risk or attack. Information security is the task of guarding information while it is processed by a server, stored on a storage device, or transmitted over a network such as a Local Area Network (LAN) or the public Internet. In other words, information security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification or destruction.

Introduction to AAA
AAA stands for Authentication, Authorization and Accounting. AAA is a set of primary concepts that aid in understanding computer and network security as well as access control. These concepts are used daily to protect property, data, and systems from intentional or unintentional damage. AAA supports the Confidentiality, Integrity, and Availability (CIA) security model:
Confidentiality: data that is meant to be confidential stays confidential. In other words, a secret stays secret.
Integrity: the data being worked with is the correct data, and has not been tampered with or altered.
Availability: the data you need is available to you when you need it.
Authentication provides a way of identifying a user, typically by requiring a user ID and password before granting a session; it controls access by requiring valid credentials. After authentication has completed successfully, the user must be given authorization (permission) to carry out tasks on the server. Authorization is the process that determines whether the authenticated user has the authority to carry out a specific task, so it controls access to resources after authentication. The last A is Accounting, which keeps track of the activities the user has performed on the server.

Authentication
Authentication is the process that allows the sender and the receiver of information to validate each other. If the two parties cannot properly authenticate each other, there is no basis for trusting the activities or information provided by either party. Authentication can involve highly complex and secure methods or can be very simple. The simplest form is the transmission of a shared password between the entities wishing to authenticate each other; it is also the weakest, because the secret itself crosses the wire. Today's authentication methods rely on one or more of the following factors.
1) Something you know. An example is a password. The logic is that if you know the secret password for an account, you must be the owner of that account. The problems with this factor are that the password can be stolen, someone may read it if you wrote it down, anyone who learns it can pass it on, and a simple dictionary password is easy to crack with password cracking software.
2) Something you have. Examples are smart cards and hardware tokens. The logic is that if you have the smart card, you must be the owner of the account. The problems are that the card can be lost or stolen, or it may be duplicated.
3) Something you are. Examples are your fingerprint, handprint, retina pattern, voice or keystroke pattern. The problems with this factor are false positives and false negatives: there is a chance that a valid user is rejected and that an invalid user is accepted. People are also often uncomfortable with this type of authentication, and a biometric cannot be replaced if it is compromised.
Network authentication is usually based on authentication protocols, digital certificates, user name/password pairs, smart cards and so on. Some of the most important authentication protocols in use today are Kerberos, the Challenge Handshake Authentication Protocol (CHAP) and the Microsoft Challenge Handshake Authentication Protocol (MS-CHAP). We will learn about these protocols in the coming lessons.

Kerberos Authentication
Kerberos was originally developed at the Massachusetts Institute of Technology (MIT) as part of Project Athena, and MIT publishes a free software suite that implements the protocol. The name "Kerberos" is taken from the three-headed dog of Greek mythology. Kerberos is designed to work across untrusted networks, including the Internet, without ever sending the user's password over the wire. It provides mutual authentication: the client authenticates to the server, and the server also authenticates itself to the client, so each party (a user, a computer or a service) can verify the identity of the other. Kerberos is efficient for authenticating clients in large enterprise networks because a server does not need to contact the authentication service for every request.

Kerberos uses symmetric (secret key) encryption. Every principal (user or service) shares a long-term key with a trusted third party called the Key Distribution Center (KDC); a user's key is derived from the password. The KDC acts as both an Authentication Server (AS) and a Ticket Granting Server (TGS). When a user logs on, the client proves knowledge of the user's key to the KDC (the password itself is never transmitted; with smart card logon a certificate is used instead of a password-derived key). If this succeeds, the KDC issues a Ticket Granting Ticket (TGT), which the client caches locally. The TGT is valid only for a limited lifetime set by realm policy (MIT Kerberos defaults to 24 hours, or 86400 seconds, and Active Directory to 10 hours), and it is discarded when the user logs off. When the client wants to access a service on a remote server, it presents the cached TGT to the KDC's ticket-granting service and receives a service ticket (session ticket) for that service, encrypted with the service's own key. The client presents the service ticket to the remote server; because only the genuine service can decrypt it, the server accepts the ticket and the session is established. The server can in turn prove its identity to the client by returning a value encrypted under the session key carried inside the ticket.

Because the security of the whole realm depends on the KDC and on the long-term keys it holds, the KDC must be protected as carefully as a domain controller, and ticket lifetimes should be kept short enough that a stolen ticket is of limited use.

Challenge Handshake Authentication Protocol (CHAP) Authentication
Challenge Handshake Authentication Protocol (CHAP) is a remote access authentication protocol used in conjunction with the Point to Point Protocol (PPP) to authenticate users of remote resources. CHAP is described in RFC 1994, which can be viewed at http://www.rfc-editor.org/. CHAP uses a challenge-response method. Both sides hold a shared secret (in practice the user's password), but unlike the Password Authentication Protocol (PAP) the secret itself is never sent over the link. After the link is established, the authenticator (server) sends a challenge message containing a random value to the peer (client). The peer computes a one-way hash (MD5) over the message identifier, the shared secret and the challenge value, and sends the result back. The authenticator computes the same hash with its own copy of the secret and compares the two; if they match, the session is granted. If the response fails, the session is denied and the link is normally terminated. CHAP periodically re-verifies the identity of the peer using this three-way handshake: the verification is done initially, and may be repeated at any time after the link has been established, with a fresh challenge each time so that a captured response cannot be replayed. Because the authenticator must recompute the hash, it has to store the secret in a recoverable form, which is one of CHAP's practical drawbacks.

Microsoft Challenge-Handshake Authentication Protocol (MS-CHAP) is Microsoft's variant of CHAP. There are two versions, MS-CHAPv1 and MS-CHAPv2. MS-CHAP adds features such as a method for changing passwords and retrying after a failure, and MS-CHAPv2 adds mutual authentication. Both versions have known cryptographic weaknesses, so today they should only be used inside an encrypted and authenticated tunnel (for example PEAP or a TLS-based VPN).
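The three-way handshake described above, as an added example in Python; this is not code from the original page or from any PPP implementation. The shared secret, the identifier and the message layout are assumptions of the example. The hash is the one RFC 1994 specifies for CHAP with MD5: MD5 over the one-octet Identifier, the secret and the challenge value.

```python
import hashlib
import hmac
import os

# Added example, not code from the original page. Models the CHAP (RFC 1994)
# exchange with the authenticator (server) and peer (client) as plain functions.
SHARED_SECRET = b"correct horse battery staple"  # constructed; provisioned out of band on both sides


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994, CHAP with MD5: MD5(Identifier || secret || challenge)."""
    if not 0 <= identifier <= 255:
        raise ValueError("the CHAP Identifier field is a single octet")
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def authenticator_challenge(length: int = 16) -> bytes:
    """Step 1: the authenticator sends a fresh, unpredictable challenge value."""
    return os.urandom(length)


def peer_respond(identifier: int, challenge: bytes, secret: bytes) -> bytes:
    """Step 2: the peer answers with the hash; the secret itself never crosses the link."""
    return chap_response(identifier, secret, challenge)


def authenticator_verify(identifier: int, challenge: bytes, response: bytes, secret: bytes) -> bool:
    """Step 3: recompute the expected hash with the server's copy of the secret; constant-time compare."""
    expected = chap_response(identifier, secret, challenge)
    return hmac.compare_digest(expected, response)


def run_handshake(peer_secret: bytes, server_secret: bytes = SHARED_SECRET, identifier: int = 1):
    """Drive one exchange; return (success, what an eavesdropper on the link sees)."""
    challenge = authenticator_challenge()
    response = peer_respond(identifier, challenge, peer_secret)
    ok = authenticator_verify(identifier, challenge, response, server_secret)
    on_the_wire = {"id": identifier, "challenge": challenge, "response": response}
    return ok, on_the_wire


if __name__ == "__main__":
    ok, wire = run_handshake(SHARED_SECRET)
    print("peer with correct secret:", "granted" if ok else "denied")
    print("peer with wrong secret:  ", "granted" if run_handshake(b"guess")[0] else "denied")
    print("secret visible on wire?  ", SHARED_SECRET in wire["challenge"] + wire["response"])
```

The response is bound to the challenge, so a response captured from one handshake fails against the next challenge; the price is that the authenticator must keep the cleartext secret to recompute the hash, and that MD5 over a short guessable password is cheap to brute-force offline from a captured challenge/response pair.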

Biometric Authentication

Each person has a set of unique physical characteristics that can be used for authentication, and biometrics uses these characteristics for that purpose. Today's biometric systems examine retina patterns, iris patterns, fingerprints, handprints, voice patterns, keystroke patterns etc. Of the biometric devices available on the market, only retina pattern, iris pattern, fingerprint and handprint systems are properly classified as physiological biometric systems; voice and keystroke systems are better classified as behavioral systems. A biometric system works by capturing a characteristic from you, such as a handprint or a retina pattern, and comparing it with the specimen (template) enrolled in the system. Biometric authentication is convenient and cannot be forgotten or lent to someone else, but it has weaknesses of its own: a biometric cannot be changed if its template is stolen, users are often reluctant to use it (for example, many users fear that a retina scanner may damage their vision), and false positives and false negatives are a serious problem. Every system has a false acceptance rate (an impostor is accepted) and a false rejection rate (a valid user is rejected), and tightening the matching threshold to lower one of them raises the other.

Retina Pattern Biometric Systems
Everybody has a unique retinal vascular pattern. A retina pattern biometric system uses a low-intensity infrared beam to scan the pattern of blood vessels at the back of the eye, and compares the captured pattern with the stored template to determine whether the user should be allowed access. Some systems also perform iris and pupil measurements. Retina pattern biometric systems are highly reliable, but users are often worried about using retina scanners because they fear the scanner will blind or injure their eyes.

Iris Scans Biometric Systems
Iris scanning verifies identity by imaging the colored ring at the front of the eye. An iris scan is much easier to perform than a retina scan, since it needs only a camera at a short distance, and it is very accurate.

Fingerprints Biometric Systems
Fingerprints have been used in forensics and identification for a long time. The fingerprints of each individual are unique. Fingerprint biometric systems examine the unique characteristics of your fingerprints and use that information to determine whether or not you should be allowed access. In outline, an optical fingerprint scanner works as follows. The user's finger is placed on the scanner surface. A light source inside the device illuminates the finger, the reflection is captured by an image sensor, and the resulting image is analyzed and verified against the original specimen stored in the system. The user is allowed or denied access based on the result of this verification.

Handprints Biometric Systems
As with fingerprints, everybody has unique handprints. A handprint biometric system scans the hand and fingers (typically their shape and geometry) and compares the data with the specimen stored for you in the system. The user is allowed or denied access based on the result of this verification.

Voice Patterns Biometric Systems
Voice pattern biometric systems can also be used for user authentication. They examine the unique characteristics of the user's voice, usually by asking the user to speak a phrase and comparing it with an enrolled recording. Because a voice can be recorded and replayed, such systems often ask for a different phrase each time.

Keystrokes Biometric Systems
Keystroke biometric systems examine the unique characteristics of the user's typing rhythm (the timing between key presses and how long each key is held) and use that information to determine whether the user should be allowed access.

Token Authentication
Token technology is another method that can be used to authenticate users. Tokens are small physical devices that generate one-time codes used to prove the identity of the user; because a fresh code is needed for every logon, a code captured by an attacker is of little use afterwards. There are different types of tokens. One type is a small device with a keypad. When the user tries to log in, the server issues a challenge in the form of a number. The user keys this number into the token, and the token displays a response computed from the challenge and a secret stored inside the token. The user sends this response to the server, which calculates the result it expects from that token. If the numbers match, the user is authenticated.

Another type of token is time based. This type of token displays a new number at fixed intervals (typically every 30 or 60 seconds), computed from a secret shared with the server and the current time. The user keys in the value currently displayed at the time of authentication. If the value from the token matches the value the server has calculated for the same time window, the user is authenticated and allowed access. Because the token's clock and the server's clock drift apart, servers usually accept the values of one or two neighbouring time windows as well.

Multi-Factor Authentication
In multi-factor authentication, we expand on the single factor that traditional authentication relies on. Multi-factor authentication uses a second factor, from a different category, in addition to the traditional password. For example, most single-factor methods use only a password (something you know). In a multi-factor method we can tighten the authentication by also requiring a fingerprint scan (something you are) or a token code (something you have). Two factors from the same category, such as a password and a PIN, do not count as multi-factor. Multi-factor authentication is more secure than single-factor authentication because an attacker who steals or guesses the password still cannot log in without the second factor.
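The time-based token and the two-factor logon described above, as an added example in Python; this is not code from the original page or from any token vendor. It implements HOTP (RFC 4226) and TOTP (RFC 6238), which is what authenticator apps and most time-based tokens compute, and a login that requires the password and the current code together. The user record, the password, the salt and the token seed are constructed for the example; the seed is the RFC 6238 test seed, so the codes match the RFC's published test vectors.

```python
import hashlib
import hmac
import struct

# Added example, not code from the original page.


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter taken from the Unix time divided by the step."""
    return hotp(secret, at_time // step, digits)


def verify_totp(secret: bytes, candidate: str, at_time: int, step: int = 30, window: int = 1) -> bool:
    """Accept the current step and `window` steps either side to absorb clock drift.
    Every candidate is computed (no early exit) and compared in constant time."""
    if len(candidate) != 6 or not candidate.isdigit():
        return False
    counter = at_time // step
    matches = [hmac.compare_digest(hotp(secret, counter + d), candidate)
               for d in range(-window, window + 1)]
    return any(matches)


USERS = {  # constructed user store: salted PBKDF2 password hash plus the token seed
    "alice": {
        "salt": b"example-salt",
        "pw_hash": hashlib.pbkdf2_hmac("sha256", b"correct horse", b"example-salt", 100_000),
        "totp_seed": b"12345678901234567890",  # RFC 6238 test seed; real seeds are random
    }
}


def login(username: str, password: str, code: str, at_time: int) -> bool:
    """Two factors: something you know (password) and something you have (token code).
    Both checks always run so that timing does not reveal which factor failed."""
    rec = USERS.get(username)
    if rec is None:
        return False
    pw_ok = hmac.compare_digest(
        hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], 100_000), rec["pw_hash"])
    code_ok = verify_totp(rec["totp_seed"], code, at_time)
    return pw_ok and code_ok


if __name__ == "__main__":
    print("code at t=59:", totp(b"12345678901234567890", 59))
    print("login:", login("alice", "correct horse", totp(b"12345678901234567890", 59), 59))
```

A production server needs two more checks that this example omits: it must remember the last counter accepted for each user and refuse a code that has already been used within the window (otherwise a shoulder-surfed code can be replayed for up to a minute), and it must rate-limit attempts, because a six-digit code has only a million possible values.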

Access Control
Access control can be a policy, a piece of software, or a hardware device that is used to allow or deny access to a resource. Access control can be enforced by devices such as biometric readers, switches, routers, Remote Access Service (RAS) servers, virtual private networks (VPNs), etc. It can also be implemented at the file system level, as in Microsoft's New Technology File System (NTFS) or GNU/Linux's ext2/ext3/ext4. The following are the three main models of access control:
• Discretionary access control (DAC)
• Mandatory access control (MAC)
• Role-based access control (RBAC)

Discretionary Access Control (DAC)
Discretionary Access Control (DAC) allows authorized users to change the access control attributes of objects, thereby specifying whether other users have access to the object. A simple form of DAC might be file passwords, where access to a file requires knowledge of a password created by the file owner. In Linux, the file permission bits (read, write and execute for the owner, the group and others) are the usual form of DAC, and NTFS permissions play the same role on Windows. DAC is the setting of permissions on files, folders, and shared resources. In most operating system (OS) environments the owner of the object (normally the user who created it) applies the discretionary access controls, and ownership may be transferred or overridden by the root/Administrator account. DAC is thus controlled by the owner or the administrator rather than being hard coded into the system. DAC mechanisms have a basic weakness: they fail to recognize the difference between a human user and a program running on that user's behalf. Any program the user runs, including a trojan horse, inherits all of the user's permissions, so it can read, leak or re-share everything the user can. This is why malware on a user's workstation is so damaging under DAC.
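The Linux permission check described above, as an added example in Python that is not the kernel's code: it emulates the ordinary Unix DAC decision (owner, group and other classes, with the root override) and the owner-only right to change the mode, and shows the weakness the text describes, a program run by the owner re-sharing the file. The inode and subject records are constructed.

```python
from dataclasses import dataclass

# Added example, not code from the original page or from the Linux kernel.
R, W, X = 4, 2, 1   # permission bits as they appear in an octal mode such as 0o640


@dataclass
class Inode:
    owner_uid: int
    group_gid: int
    mode: int        # the nine permission bits, e.g. 0o640 = rw-r-----


@dataclass(frozen=True)
class Subject:
    uid: int
    groups: frozenset  # primary plus supplementary group ids


def dac_permits(subject: Subject, obj: Inode, want: int) -> bool:
    """Unix DAC check. Exactly one permission class applies, chosen in the order
    owner > group > other; a denying owner class is NOT rescued by a permissive
    group or other class. Root bypasses read and write, and execute only if some
    execute bit is set (the kernel's CAP_DAC_OVERRIDE rule for regular files)."""
    if subject.uid == 0:
        return not (want & X) or bool(obj.mode & 0o111)
    if subject.uid == obj.owner_uid:
        bits = (obj.mode >> 6) & 0o7
    elif obj.group_gid in subject.groups:
        bits = (obj.mode >> 3) & 0o7
    else:
        bits = obj.mode & 0o7
    return bits & want == want


def chmod(subject: Subject, obj: Inode, new_mode: int) -> bool:
    """The discretionary part: only the owner or root may change the permissions."""
    if subject.uid not in (0, obj.owner_uid):
        return False
    obj.mode = new_mode & 0o777
    return True


def run_as(subject: Subject, program):
    """A program runs with the full rights of the user who started it. This is the
    DAC weakness from the text: a trojan horse can call chmod on the user's behalf."""
    return program(subject)


if __name__ == "__main__":
    report = Inode(owner_uid=1000, group_gid=100, mode=0o640)
    alice, eve = Subject(1000, frozenset({100})), Subject(1002, frozenset({200}))
    print("eve can read before:", dac_permits(eve, report, R))
    run_as(alice, lambda me: chmod(me, report, 0o666))   # "helpful" program alice ran
    print("eve can read after: ", dac_permits(eve, report, R))
```

The mode 0o075 case in the test is the one that surprises people: the owner gets no access at all even though everyone else can read and execute the file, because only the owner class is ever consulted for the owner.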

Mandatory Access Control (MAC)
Mandatory Access Control (MAC) is a type of access control that is enforced by the operating system itself, normally at kernel level, according to a system-wide policy. MAC can be applied to any object or running process within an operating system, and it allows a high level of control over objects and processes. MAC can be applied to each object, and can control access by processes, applications, and users to that object. Unlike DAC, the MAC rules cannot be modified by the owner of the object. A MAC mechanism constrains the ability of a subject (a user or process) to access or perform some operation on an object (files, directories, TCP/UDP ports etc). Subjects and objects each carry a set of security attributes, such as a classification level or a security context label. Whenever a subject attempts to access an object, an authorization rule enforced by the operating system kernel examines these attributes and decides whether the access can take place. Under MAC the policy is defined by a security administrator and applies to everyone, including the super user (root): a process running as root is still confined by its label. SELinux and AppArmor on Linux are common MAC implementations, and their checks are applied in addition to, not instead of, the ordinary DAC checks.

Role-based Access Control (RBAC)
Role-based Access Control (RBAC) is another method of controlling user access to system objects. In RBAC, the system administrator establishes roles based on functional requirements or similar criteria, and each role is given a particular set of permissions on objects. The easiest way to picture RBAC is the user group concept in Windows and GNU/Linux operating systems, although a true RBAC system assigns permissions only to roles, never directly to individual users. A role should be defined for each job function in an organization, and access decisions are based on the roles a user holds. In contrast to DAC or MAC systems, where users have access to objects based on their own identity and the object's permissions or labels, users in an RBAC system must be members of the appropriate role before they can interact with files, directories, devices, etc. This makes it easy to grant or revoke all of a person's access at once when they change jobs or leave.

Auditing
Auditing is useful in tracking and logging activities on computers and computer networks. By auditing, we can track the activities on a computer or network and link them to specific user accounts or sources of activity. Audit logs allow us to collect evidence later, for example when investigating unauthorized activity. All current operating systems include auditing functions. Audit logs should be stored where the users being audited cannot alter or delete them, otherwise an intruder will simply erase the evidence. In the next lesson we will learn how to configure auditing in Windows Server 2003 for unauthorized access to files.

Introduction to Auditing in Windows 2003
Auditing is built into most features of Windows Server 2003. Auditing waits for a specific event to occur, and then records it in the Security log, which is viewed with Event Viewer. Audit events in Windows 2003 are divided into two types: success events and failure events. Auditing can be used, for example, for user logon/logoff events and file access events. Auditing is turned on through an Audit Policy, which is part of Group Policy. There are nine audit settings that can be configured on a Windows 2003 computer:
Audit Account Logon Events: tracks credential validation, that is, logon attempts validated by this computer (on a domain controller, the domain account logons).
Audit Account Management: reports changes to user accounts and groups.
Audit Directory Service Access: reports access to and changes in the directory service.
Audit Logon Events: reports users logging on, logging off, or making a network connection to the computer configured to audit logon events.
Audit Object Access: reports file, folder, registry and printer access. Enabling this setting alone records nothing; a System Access Control List (SACL) must also be set on each object to be audited.
Audit Policy Change: reports changes to audit policy, user rights assignments and trust relationships.
Audit Privilege Use: reports a user performing a task that is controlled by a user right.
Audit Process Tracking: reports events related to processes running on the computer, such as process creation.
Audit System Events: reports system events such as shutdown or restart, and events that affect the security log itself.
Auditing is configured in the Audit Policy node of the Group Policy Object (GPO) that applies to the computers in question (Computer Configuration, Windows Settings, Security Settings, Local Policies, Audit Policy). Select the GPO according to your requirement.

Types of Network Attacks
Networks are always susceptible to unauthorized monitoring and to different types of network attacks. If you have not implemented proper security measures and controls in your network, attacks can come from inside as well as from outside the network. The following chapters explain the different types of network attacks listed below.

Types of attacks - Denial of Service (DoS) attack
The idea of a DoS attack is to reduce the quality of the service offered by a server, or to crash the server under a heavy workload. A DoS attack does not involve breaking into the target server. This is normally achieved either by overloading the target network or server, or by sending malformed network packets that the target cannot handle. A "denial-of-service" attack is characterized by an explicit attempt by attackers to prevent legitimate users of a service from using that service. Some examples are:
• Attempts to "flood" a network, thereby preventing legitimate network traffic.
• Attempts to disrupt connections between two machines, thereby preventing access to a service.
• Attempts to prevent a particular individual from accessing a service.
• Attempts to disrupt service to a specific system or person.
One simple early DoS attack was called the "Ping of Death". It abused the ordinary TCP/IP troubleshooting tool ping: the attacker sent an ICMP echo request that, once its fragments were reassembled, was larger than the maximum IP packet size of 65,535 bytes. Vulnerable TCP/IP stacks of the time overflowed their reassembly buffer and crashed. Modern operating systems are not affected, but the example shows that a single malformed packet, not only a flood, can deny service.

How to minimize the Denial of Service (DoS) attack impact
The impact of a DoS attack can be minimized if you take precautions against it. The following tips can help:
• Monitor the server's system performance and record its normal operating activity for disk, CPU, and network traffic, then monitor for any deviation from those baseline values.
• Monitor the volume and the nature of the network packets that travel through your network or gateways.
• Keep your software up to date with all available updates, and watch the reports from security organizations about new threats.
• Implement network security devices that can detect a DoS attack.
• Record the details of any DoS attack to help prevent future attacks. Log and report the following details:
1) The time of the attack
2) Your IP address at the time of the attack
3) The attacker's source IP address(es), bearing in mind that these may be spoofed
4) Other details and the nature of the attack
• Report the details of the attack to your service provider and seek their help; a flood that fills your Internet link can only be filtered upstream.

Types of attacks -Distributed Denial of Service (DDoS) attack
A Distributed Denial of Service (DDoS) attack is a type of DoS attack in which multiple systems flood the bandwidth or overload the resources of a targeted server. In a DDoS attack, an intruder first compromises one computer and makes it the DDoS master (handler). Using this master, the intruder identifies and communicates with other systems that can be compromised, and installs DDoS tools (agents or bots) on all of them. With a single command, the intruder instructs the compromised computers to launch flood attacks against the target server. Thousands of compromised computers then flood or overload the resources of the target server, preventing legitimate users from accessing the services it offers. Because the traffic comes from many sources at once, blocking individual source addresses is of little help.

Types of attacks - SYN attack
Before understanding what a SYN attack is, we need to know about the TCP three-way handshake. A Transmission Control Protocol (TCP) session is initiated with a three-way handshake: the two communicating computers exchange a SYN, a SYN/ACK and an ACK. The initiating computer sends a SYN packet, to which the responding host issues a SYN/ACK and then waits for an ACK reply from the initiator. While it waits, the responding host keeps a half-open connection entry for that SYN in a table of limited size. The SYN flood attack is the most common type of flooding attack. It occurs when the attacker sends a large number of SYN packets to the victim and never completes the third step of the handshake, forcing the victim to wait for ACKs that never come. Once the half-open connection table is full, new legitimate connection requests are dropped, bringing down the service. The source addresses of the SYN packets in a SYN flood are typically spoofed and set to unreachable hosts, so the SYN/ACKs go nowhere and tracing the attack back to the attacking computer is very difficult. SYN cookies provide protection against SYN floods: instead of storing state for each SYN, the server encodes the connection details into the initial TCP sequence number it sends in the SYN/ACK, and only allocates a connection when an ACK arrives that carries a valid cookie. Stateful firewalls that reset pending TCP connections after a short timeout can also reduce the effect of a SYN attack.
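The SYN cookie idea, as an added example in Python that is not the Linux implementation: the server derives its initial sequence number from a keyed hash of the connection and a coarse timestamp, stores nothing for the SYN, and validates the final ACK by recomputing the hash. The secret key, the packets and the field layout (5 bits of timestamp, 3 bits of encoded MSS, 24 bits of hash) are the example's own assumptions, chosen to mirror the classic layout.

```python
import hashlib
import hmac

# Added example, not code from the original page or from any TCP stack.
SECRET = b"example-only key; a real server generates this with os.urandom(32)"  # constructed
MSS_TABLE = (536, 1300, 1440, 1460)   # MSS values the cookie can remember (3 bits allow up to 8)
TIME_STEP = 64                        # seconds per timestamp tick


def _tick(now: int) -> int:
    return int(now) // TIME_STEP


def _hash24(src: str, dst: str, sport: int, dport: int, tick: int) -> int:
    """Keyed hash of the 4-tuple and the tick, truncated to 24 bits."""
    msg = f"{src}|{dst}|{sport}|{dport}|{tick}".encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_syn_cookie(src, dst, sport, dport, peer_mss, now) -> int:
    """On SYN: return the ISN to put in the SYN/ACK. No half-open entry is allocated."""
    tick = _tick(now)
    # remember the largest table entry not exceeding the peer's advertised MSS
    mss_idx = max((i for i, m in enumerate(MSS_TABLE) if m <= peer_mss), default=0)
    return ((tick & 0x1F) << 27) | (mss_idx << 24) | _hash24(src, dst, sport, dport, tick)


def check_syn_cookie(src, dst, sport, dport, ack_number, now, max_age_ticks=1):
    """On the final ACK: the client acknowledges ISN+1, so ISN = ack-1. Recompute the
    hash for each acceptable tick; return the remembered MSS, or None if the cookie is bad."""
    cookie = (ack_number - 1) & 0xFFFFFFFF
    t_bits = cookie >> 27
    mss_idx = (cookie >> 24) & 0x7
    for age in range(max_age_ticks + 1):
        tick = _tick(now) - age
        if tick & 0x1F != t_bits:
            continue
        if _hash24(src, dst, sport, dport, tick) == (cookie & 0xFFFFFF):
            return MSS_TABLE[mss_idx]
    return None


if __name__ == "__main__":
    now = 1_700_000_000
    isn = make_syn_cookie("198.51.100.7", "203.0.113.1", 40000, 80, 1460, now)
    print("valid ACK   ->", check_syn_cookie("198.51.100.7", "203.0.113.1", 40000, 80, isn + 1, now))
    print("forged ACK  ->", check_syn_cookie("198.51.100.7", "203.0.113.1", 40000, 80, isn + 2, now))
    print("stale (3min)->", check_syn_cookie("198.51.100.7", "203.0.113.1", 40000, 80, isn + 1, now + 180))
```

The cost of the scheme is visible in the code: everything the server would normally learn from the SYN has to fit into 32 bits, so options such as window scaling and SACK are lost unless they are smuggled elsewhere (Linux uses the TCP timestamp option), which is why Linux only switches to cookies once the SYN backlog overflows.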

Types of attacks - Sniffer Attack
A sniffer is an application that can capture network packets. Sniffers are also known as network protocol analyzers. While protocol analyzers are really network troubleshooting tools, they are also used by attackers. If the network packets are not encrypted, the data within them can be read with a sniffer. Sniffing refers to the process attackers use to capture network traffic with a sniffer; once captured, the contents of the packets can be analyzed. Attackers use sniffers to capture sensitive information such as passwords and account details. On a switched network a sniffer normally sees only the traffic addressed to its own host, which is why sniffing is often combined with ARP spoofing (described below). Many sniffers are available for free download; important ones are Wireshark, tcpdump, Dsniff, EtherPeek and sniffit. Encrypting traffic end to end (TLS, SSH, IPsec) is the only real defense, since a passive sniffer on the path cannot be detected from the wire.

Types of attacks - Man-In-The-Middle (MITM) attack
A Man-In-The-Middle (MITM) attack is a type of attack where the attacker inserts himself into an existing communication between two computers and then monitors, captures, and controls the communication. In a MITM attack the intruder assumes a legitimate user's identity toward each end: the other end of the communication path believes it is still talking to you and keeps exchanging data.

A MITM attack that takes over an already authenticated connection is also called a "session hijacking" attack: the attacker hijacks a legitimate user's session to control the communication. Several preventive measures are available against MITM attacks, including:
• Public Key Infrastructure (PKI) technologies, so that each side can verify the other's certificate
• Checking for unexpected delay in the communication (a weak heuristic, useful only as a warning sign)
• Stronger mutual authentication, such as Kerberos or TLS with client certificates, so that an attacker cannot impersonate either end

Types of attacks - IP Address Spoofing Attack
IP address spoofing is a type of attack in which an attacker forges the source Internet Protocol (IP) address of IP packets to make it appear as though the packets are coming from another, valid IP address. The packets are generated with fake source addresses either to impersonate other systems or to hide the identity of the sender. To put it clearly: in IP address spoofing, the address placed in the source field of the IP header is not the real IP address of the computer where the packet originated. By changing the source IP address, the sender makes it look as though the packet was sent by another computer; the response from the target is sent to the fake address in the packet, and the identity of the attacker is protected. Because replies do not come back to the attacker, spoofing is mainly useful for one-way attacks such as flooding, and for abusing services that trust a source address without a handshake. Packet filtering is the standard method of preventing IP spoofing attacks. Blocking packets arriving from outside the network with a source address inside the network (ingress filtering, described in RFC 2827 / BCP 38) and blocking packets leaving the network with a source address outside the network (egress filtering) can help prevent spoofing, and egress filtering also stops your own hosts from being used in spoofed attacks on others.
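The ingress and egress rules described above, as an added example in Python; this is not code from the original page or from any router vendor, just the decision logic a border filter applies, in the spirit of RFC 2827 / BCP 38. The site prefix, the list of never-routable source ranges and the packets are constructed for the example.

```python
import ipaddress

# Added example, not code from the original page.
SITE_PREFIX = ipaddress.ip_network("203.0.113.0/24")   # constructed: the addresses we own
NEVER_FROM_INTERNET = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16")]   # private/loopback/link-local: bogus as Internet sources


def border_filter(direction: str, src: str) -> str:
    """Return 'accept' or 'drop' for a packet with source address `src` crossing the
    border in `direction` ('inbound' from the Internet, 'outbound' toward it)."""
    addr = ipaddress.ip_address(src)
    inside = addr in SITE_PREFIX
    if direction == "inbound":
        if inside:
            return "drop"   # ingress filtering: an outsider claiming one of our addresses
        if any(addr in net for net in NEVER_FROM_INTERNET):
            return "drop"   # sources that can never legitimately arrive from the Internet
        return "accept"
    if direction == "outbound":
        return "accept" if inside else "drop"   # egress: our hosts may only use our own prefix
    raise ValueError("direction must be 'inbound' or 'outbound'")


SAMPLE_PACKETS = [   # constructed: (direction, source address, destination address)
    ("inbound", "198.51.100.7", "203.0.113.10"),    # ordinary Internet client
    ("inbound", "203.0.113.9", "203.0.113.10"),     # spoofed to look like our own host
    ("inbound", "10.1.2.3", "203.0.113.10"),        # private source address from the Internet
    ("outbound", "203.0.113.9", "198.51.100.7"),    # our host talking out
    ("outbound", "198.51.100.99", "198.51.100.7"),  # our host spoofing someone else
]


def apply_filter(packets):
    """Decide each packet; returns (direction, src, dst, decision) tuples."""
    return [(d, s, t, border_filter(d, s)) for d, s, t in packets]


if __name__ == "__main__":
    for entry in apply_filter(SAMPLE_PACKETS):
        print("%-8s %-15s -> %-15s %s" % entry)
```

Note what the filter cannot do: it rejects only sources that are impossible for that direction. An outside attacker spoofing some other outside address passes the inbound check, which is exactly why every network needs to apply the outbound (egress) half, so that its own hosts cannot be the source of such packets.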


ARP (Address Resolution Protocol) Spoofing Attacks
A computer connected to an IP/Ethernet Local Area Network has two addresses. One is the MAC (Media Access Control) address, a globally unique address burned into the network card by its manufacturer (although most operating systems allow it to be overridden in software). MAC addresses are necessary so that Ethernet can send data back and forth, independent of whatever application protocols are used on top of it: Ethernet sends and receives frames based on MAC addresses. The MAC address is also known as the Layer 2 address, physical address or hardware address. The other address is the IP address. IP is a protocol used by applications, independent of whatever network technology operates underneath it. Each computer on a network must have a unique IP address to communicate, and applications use IP addresses to communicate. The IP address is also known as the Layer 3 address or logical address. To put it more clearly, applications use IP addresses for communication and the underlying hardware uses MAC addresses. If an application on one computer needs to communicate with another computer by IP address, the first computer must resolve the MAC address of the second, because the Ethernet layer delivers frames by MAC address; this is the job of the Address Resolution Protocol (ARP). Operating systems keep a cache of ARP replies to minimize the number of ARP requests. ARP is a stateless protocol with no authentication, and most operating systems will update their cache when a reply is received, regardless of whether they sent a request. ARP spoofing attacks (also called ARP cache poisoning) allow an attacker to sniff data frames on a local area network (LAN), modify the traffic, etc. They are carried out by sending fake ARP messages onto the Ethernet LAN. The purpose is to associate the attacker's MAC address with the IP address of another computer, generally the default gateway. Any traffic meant for the default gateway is then mistakenly sent to the attacker instead, who can forward it to the real gateway after sniffing it, or modify the data before forwarding. Poisoning both the victim and the gateway puts the attacker in the middle of both directions of the conversation. Defenses include static ARP entries for critical hosts, Dynamic ARP Inspection on managed switches, and tools such as arpwatch that alert when an IP-to-MAC mapping changes.
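The poisoning pattern described above, as an added example in Python of the passive detection a tool like arpwatch performs; this is not arpwatch's code or code from the original page. It runs over a constructed capture of ARP replies, given as (seconds, sender IP, sender MAC), and raises an alert when an address mapping changes or one card starts answering for several hosts. The gateway address and the capture are constructed.

```python
from collections import defaultdict

# Added example, not code from the original page or from arpwatch.
GATEWAY_IP = "192.168.1.1"   # constructed

SAMPLE_REPLIES = [   # constructed capture of ARP replies seen on the segment
    (0.0, "192.168.1.1", "00:11:22:33:44:01"),   # the real gateway answers
    (1.0, "192.168.1.20", "00:11:22:33:44:20"),  # a workstation answers
    (2.0, "192.168.1.1", "00:11:22:33:44:ee"),   # attacker's card now claims the gateway IP
    (3.0, "192.168.1.20", "00:11:22:33:44:ee"),  # ... and the workstation's IP as well
]


def detect_arp_spoofing(replies, gateway_ip=GATEWAY_IP):
    """Alert when an IP's MAC changes (critical if it is the gateway) or when one MAC
    claims more than one IP: the two signatures of a poisoning attack.
    Returns a list of (seconds, severity, message)."""
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    alerts = []
    for ts, ip, mac in replies:
        mac = mac.lower()
        previous = ip_to_mac.get(ip)
        if previous is not None and previous != mac:
            severity = "critical" if ip == gateway_ip else "warning"
            alerts.append((ts, severity, f"{ip} moved from {previous} to {mac}"))
        ip_to_mac[ip] = mac
        mac_to_ips[mac].add(ip)
        if len(mac_to_ips[mac]) > 1:
            alerts.append((ts, "warning", f"{mac} now claims {sorted(mac_to_ips[mac])}"))
    return alerts


if __name__ == "__main__":
    for ts, severity, message in detect_arp_spoofing(SAMPLE_REPLIES):
        print(f"t={ts:4.1f} {severity:8s} {message}")
```

Treat the two rules differently in practice: one MAC answering for several IPs can be legitimate (a router with secondary addresses, a host running bridged virtual machines), so it is only a warning, whereas the gateway's MAC flipping is the alert to act on. When the real gateway keeps answering as well, the detector will see the mapping flip back and forth, which is itself a strong sign of an active poisoner.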

DNS (Domain Name System) Spoofing Attacks
DNS is short for Domain Name System. DNS is a required service in TCP/IP networks that translates domain names into IP addresses. Computers on the network communicate using IP addresses, which are 32-bit numbers (for IPv4) that are difficult to remember; domain names are alphabetic and easier for humans. When we use a domain name to communicate with another host, the DNS service must translate the name into the corresponding IP address. DNS servers keep a database of domain names and their IP addresses, and resolvers cache answers for the time to live (TTL) of each record. DNS spoofing attacks change the entry for a legitimate server in a DNS server so that it points to an IP address other than the real one, thereby hijacking the identity of that server. Generally there are two types of DNS poisoning attacks: DNS cache poisoning and DNS ID spoofing. In DNS cache poisoning, a DNS server is made to cache entries that did not originate from an authoritative DNS source, and it keeps serving the bogus answer until the entry expires. In DNS ID spoofing, an attacker guesses or observes the 16-bit transaction ID of an outstanding DNS request and sends a forged reply with a fake IP address under that ID before the genuine answer arrives. Randomizing the resolver's source port as well as the ID makes such guessing far harder, and DNSSEC lets the resolver verify the signature on the answer.

Phishing and Pharming attacks
A phishing attack is a combination of e-mail spoofing and web site spoofing. The attacker starts by sending bulk e-mails impersonating a web site they have copied. Typically the e-mails appear to come from a legitimate financial organization such as a bank, alerting the user that they need to log in to their account for one reason or another. The e-mail contains a link to a fake web site designed to look very much like the bank's site. Often the link's visible anchor text is the real URL of the bank's web site, while the actual link target (the href) is a URL, frequently a raw IP address or a look-alike domain, that points to a web server under the attacker's control. Once the user enters the user ID/password combination and submits it, the attacker collects those values and redirects the browser to the real site, so the victim notices nothing. Pharming is another spoofing attack, in which the attacker tampers with DNS (Domain Name System) so that traffic to a web site is secretly redirected to a fake site altogether, even though the browser seems to be displaying the web address you wanted to visit. Checking that a site's TLS certificate matches its name defeats both attacks, because the attacker's server cannot present a valid certificate for the bank's domain.
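The deceptive-link trick described above (anchor text showing the bank's URL while the href goes elsewhere), as an added example in Python that is not code from the original page: a small HTML link checker of the kind a mail filter runs, applied to a constructed phishing message. The message, the bank name and the attacker addresses are all constructed; the real work is done by the standard library's HTML parser and URL splitter.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Added example, not code from the original page.
SAMPLE_EMAIL = """
<p>Dear customer, please <a href="http://198.51.100.7/login">https://www.examplebank.com/login</a>
to verify your account within 24 hours.</p>
<p>Questions? See <a href="https://www.examplebank.com/help">https://www.examplebank.com/help</a>.</p>
<p>Or visit <a href="http://examplebank.com.attacker.example/">examplebank.com</a>.</p>
"""   # constructed message: link 1 hides a raw IP, link 3 a look-alike domain, link 2 is genuine


class _Anchors(HTMLParser):
    """Collect (href, visible text) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url: str) -> str:
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()


def _is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def _looks_like_url(text: str) -> bool:
    return "." in text and " " not in text


def suspicious_links(html: str):
    """Return (href, visible text, reason) for each deceptive link in the message."""
    parser = _Anchors()
    parser.feed(html)
    parser.close()
    findings = []
    for href, text in parser.links:
        href_host = _host(href)
        if _is_ip(href_host):
            findings.append((href, text, "link target is a raw IP address"))
            continue
        if _looks_like_url(text):
            text_host = _host(text)
            # a subdomain of the shown site is fine; anything else is a mismatch
            if href_host != text_host and not href_host.endswith("." + text_host):
                findings.append((href, text, f"text shows {text_host} but link goes to {href_host}"))
    return findings


if __name__ == "__main__":
    for href, text, reason in suspicious_links(SAMPLE_EMAIL):
        print(f"{reason}: '{text}' -> {href}")
```

The suffix check is deliberately asymmetric: login.examplebank.com is allowed for text reading examplebank.com, but examplebank.com.attacker.example is not, because the registrable domain sits at the right-hand end of a host name. Punycode look-alikes and URL shorteners are not caught by this check and need a separate rule.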

Types of attacks - Backdoor Attacks
A backdoor in an operating system or a complex application is a method of bypassing normal authentication to gain access. During the development of an operating system or application, programmers add backdoors for different purposes. These backdoors are removed when the product is ready for shipping or production. When a backdoor that was not removed is detected, the vendor releases a maintenance upgrade or patch to close it. Another type of backdoor can be an installed program, or a modification to an existing program. Such an installed program may allow a user to log on to the computer with administrative privileges without a password. Many programs are available on the Internet for creating backdoors on systems. One of the more popular tools is Back Orifice, which is also available for free download on the Internet.

Types of attacks - Password Guessing Attacks
Another type of network attack is the password guessing attack. Here a legitimate user's access rights to a computer and network resources are compromised by identifying the user id/password combination of that user. Password guessing attacks can be classified into two types.
• Brute Force Attack: A brute force attack is a type of password guessing attack that consists of trying every possible code, combination, or password until the correct one is found. This type of attack may take a long time to complete. A complex password makes the time needed to identify it by brute force long.
• Dictionary Attack: A dictionary attack is another type of password guessing attack which uses a dictionary of common words to identify the user's password.
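Both attack types are countered on the defending side by the same three measures: rejecting passwords that are short or built on a dictionary word, storing passwords with a slow salted hash so each guess costs the attacker real time, and locking the account after a handful of failures so online guessing cannot run unbounded. The code below is an added example (not from the page); the tiny word list, the user name and the limits are constructed for the demonstration.

```python
import hashlib
import hmac
import os
import time

# Constructed, deliberately tiny word list standing in for a real dictionary file.
COMMON_WORDS = {"password", "letmein", "welcome", "qwerty", "football"}


def hash_password(password, salt=None, rounds=200_000):
    """Salted PBKDF2-HMAC-SHA256; slow on purpose so every guess is expensive."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return salt, digest


def verify_password(password, salt, digest, rounds=200_000):
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return hmac.compare_digest(candidate, digest)


def policy_violations(password, min_len=12, words=COMMON_WORDS):
    """Reasons a password fails policy; an empty list means it is acceptable."""
    problems = []
    if len(password) < min_len:
        problems.append("shorter than %d characters" % min_len)
    # Strip the digits and symbols people bolt onto a dictionary word.
    core = password.lower().strip("0123456789!@#$%^&*")
    if core in words:
        problems.append("based on a dictionary word")
    return problems


class LoginGuard:
    """Lock an account after repeated failures so guessing cannot run unbounded."""

    def __init__(self, max_failures=5, lockout_seconds=900, clock=time.monotonic):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.clock = clock
        self.failures = {}      # user -> consecutive failed attempts
        self.locked_until = {}  # user -> time at which the lock expires
        self.events = []        # audit trail, the "Accounting" part of AAA

    def attempt(self, user, password, salt, digest, now=None):
        """Return "locked", "ok" or "denied" for one login attempt."""
        now = self.clock() if now is None else now
        if self.locked_until.get(user, 0) > now:
            self.events.append((user, "locked"))
            return "locked"
        if verify_password(password, salt, digest):
            self.failures[user] = 0
            self.events.append((user, "ok"))
            return "ok"
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= self.max_failures:
            self.locked_until[user] = now + self.lockout_seconds
            self.failures[user] = 0
        self.events.append((user, "denied"))
        return "denied"
```

The `events` list is what an administrator would review to spot a guessing campaign: a run of "denied" entries for one user followed by "locked" is the signature to alert on.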

Defense against Network Attack
The following tips will help you to keep your network secure against unauthorized monitoring and network attacks.

Configuration Management
The main weapon in network attack defense is tight configuration management. The following measures should be strictly implemented as part of configuration management.
• All machines in your network should run up-to-date copies of the operating system and should be updated immediately whenever a new service pack or patch is released.
• All configuration files of your operating systems and applications should be adequately secured.
• All default passwords in your operating systems and applications should be changed after installation.
• You should implement tight security for root/Administrator passwords.

Firewalls
Another weapon for defense against network attacks is the firewall. A firewall is a device and/or software that stands between a local network and the Internet and filters traffic that might be harmful. Firewalls can be classified into four types based on whether they filter at the IP packet level, at the TCP session level, at the application level, or as a hybrid of these.

1. Packet Filtering: Packet filtering firewalls function at the IP packet level. They filter packets based on addresses and port numbers. Packet filtering firewalls can be used as a weapon in network attack defense against Denial of Service (DoS) attacks and IP spoofing attacks.
2. Circuit Gateways: Circuit gateway firewalls operate at the transport layer, which means that they can reassemble, examine or block all the packets in a TCP or UDP connection. Circuit gateway firewalls can also provide a Virtual Private Network (VPN) over the Internet by encrypting traffic from firewall to firewall.
3. Application Proxies: Application proxy-based firewalls function at the application level. At this level, you can block or control traffic generated by applications. Application proxies can provide very comprehensive protection against a wide range of threats.
4. Hybrid: A hybrid firewall may consist of a packet filter combined with an application proxy firewall, or a circuit gateway combined with an application proxy firewall.
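A packet filter is, at its core, an ordered rule list matched against each packet's addresses, protocol and port, with a default deny at the end. The rule set below is an added example (not from the page or any firewall product): it shows the anti-spoofing rule the text alludes to, dropping anything that arrives from the Internet while claiming an internal source address, in front of the allow rules for published services. The interface names, the 10.0.0.0/8 internal range and the server addresses are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")   # assumed internal address space


@dataclass(frozen=True)
class Packet:
    iface: str      # interface the packet arrived on: "ext" (Internet) or "int" (LAN)
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                       # "allow" or "deny"
    iface: Optional[str] = None       # None matches any value
    src: Optional[str] = None         # CIDR string
    dst: Optional[str] = None         # CIDR string
    proto: Optional[str] = None
    dport: Optional[int] = None
    note: str = ""

    def matches(self, pkt):
        return all([
            self.iface is None or self.iface == pkt.iface,
            self.src is None or ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src),
            self.dst is None or ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst),
            self.proto is None or self.proto == pkt.proto,
            self.dport is None or self.dport == pkt.dport,
        ])


RULES = [
    # Anti-spoofing: nothing arriving from the Internet may claim an internal source.
    Rule("deny", iface="ext", src=str(INTERNAL_NET), note="spoofed internal source"),
    # Only the published services are reachable from outside (constructed hosts).
    Rule("allow", iface="ext", dst="10.0.0.5/32", proto="tcp", dport=443, note="public web"),
    Rule("allow", iface="ext", dst="10.0.0.53/32", proto="udp", dport=53, note="public DNS"),
    # The LAN may reach anything.
    Rule("allow", iface="int", note="outbound from LAN"),
]


def evaluate(pkt, rules=RULES):
    """First matching rule wins; anything unmatched is dropped (default deny)."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule.note
    return "deny", "default deny"
```

Rule order matters: if the anti-spoofing deny came after the web allow rule, a spoofed packet to the web server on port 443 would be accepted.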

Encryption
Encryption is another great weapon used in defense against network attacks. Encryption can provide protection against eavesdropping and sniffer attacks. Public Key Infrastructure (PKI) technologies, Internet Protocol Security (IPSec), and Virtual Private Networks (VPN), when implemented properly, can secure your network against network attacks. Other tips for defense against network attacks are:
• Privilege separation at different levels and strict password policies.
• Tight physical security for all your machines, especially servers.
• Tight physical security and isolation for your backup data.

Types of Malwares
Malware is an abbreviation of "malicious software". Malware programs are designed to infiltrate a computer without the owner's knowledge. Malware includes all malicious software such as tracking cookies (which are used to monitor your surfing habits), keyloggers, Trojan horses, worms, and viruses. The following lessons give you a basic knowledge of the different types of malware.

Adwares, Toolbars and Hijackers

Adwares
Adware is a type of malware which downloads advertisement content from the Internet and displays advertisements in the form of pop-ups, pop-unders, etc. Once adware is installed on a computer, it does not depend on your browser and can display advertisements stand-alone. Pop-up blockers also cannot block these pop-ups. Adware is always an annoyance to the computer user.

Toolbars
Toolbars are available as plug-ins to browsers and provide additional functionality such as search forms or pop-up blockers. Examples of useful toolbars are Google Toolbar, Yahoo Toolbar, Ask Toolbar, etc. There are also malware toolbar plug-ins which are installed without the user's consent, display advertisements and perform other nuisance activities.

Hijackers
Hijackers are another type of malware that take control of the behavior of your web browser, such as the home page, default search pages, toolbars, etc. Hijackers redirect your browser to another URL if you mistype the URL of the website you want to visit. Hijackers can also prevent you from opening a particular web site. Hijackers are an annoyance to users who use the browser often.

Keyloggers
A keylogger or keystroke logger is a program or a hardware device that logs every keystroke you make on your computer and then sends that information, including passwords, bank account numbers, and credit card numbers, to whoever controls the malware. A hardware keylogger is a small device which is normally installed between the keyboard port and the keyboard. The hardware keylogger then records all user keystrokes and saves them to its internal memory. Hardware keyloggers are available in different memory capacities. A software keylogger is a program which can record and save all the keystrokes of the user on the computer. Software keyloggers are normally cheaper than hardware keyloggers. Software keyloggers run invisibly to the user being monitored and hide themselves from the Task Manager and from Add/Remove Programs. Many software keyloggers also support remote installation.

Computer Viruses
A computer virus is another type of malware which, when executed, tries to replicate itself into other executable code available on the infected computer. If the virus succeeds in copying itself into another executable, that executable is then infected with the virus, and when it is executed it can in turn infect further executables. The key difference between a virus and other malware is this self-replication capability. Normally, viruses propagate within a single computer, or may travel from one computer to another using storage media like CD-ROM, DVD-ROM, USB flash drives, etc. A computer virus program normally has the following mechanisms.
• A propagation mechanism that allows the virus to move from one computer to another.
• A replication mechanism that allows the virus to attach itself to another executable program.
• A trigger mechanism that is designed to execute the replication mechanism of the virus.
• A payload that performs the mischievous activities on the victim computer.
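Because a file-infecting virus works by attaching itself to existing executables, the simplest detection that does not depend on signatures is integrity monitoring: hash every executable once, then compare later snapshots to find files that changed or appeared. The checker below is an added example (not from the page or any antivirus product); `run_demo` builds a throwaway directory with placeholder "executables" and a constructed infection-like change so the comparison can be seen end to end.

```python
import hashlib
import os
import tempfile

EXECUTABLE_SUFFIXES = (".exe", ".dll", ".sys", ".com")   # assumed set of interest


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root, suffixes=EXECUTABLE_SUFFIXES):
    """Map each executable-like file (path relative to root) to its SHA-256 digest."""
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(suffixes):
                full = os.path.join(dirpath, name)
                baseline[os.path.relpath(full, root)] = sha256_of(full)
    return baseline


def compare(baseline, current):
    """Classify the differences between two snapshots."""
    return {
        "modified": {p for p in baseline if p in current and baseline[p] != current[p]},
        "added": set(current) - set(baseline),
        "removed": set(baseline) - set(current),
    }


def run_demo():
    """Constructed scenario: a clean snapshot, then a file-infector-like change."""
    with tempfile.TemporaryDirectory() as root:
        # Placeholder bytes stand in for real programs; nothing here is executable.
        samples = {"app.exe": b"MZ app v1", "helper.dll": b"MZ helper", "notes.txt": b"text"}
        for name, body in samples.items():
            with open(os.path.join(root, name), "wb") as f:
                f.write(body)
        before = build_baseline(root)
        # A file infector appends its own code to an existing executable...
        with open(os.path.join(root, "app.exe"), "ab") as f:
            f.write(b"<appended code>")
        # ...and may drop a new executable; the text file is out of scope.
        with open(os.path.join(root, "dropper.exe"), "wb") as f:
            f.write(b"MZ dropper")
        after = build_baseline(root)
        return compare(before, after)
```

In practice the baseline is stored off the monitored host (or signed), since a stealth virus that can alter what the operating system reports could otherwise tamper with it.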

Types of Computer Viruses
Computer viruses are classified according to their mode of infection and behavior. The different classes of computer virus are given below.
• Boot Sector Virus: A boot sector virus infects the first sector of the hard drive, where the Master Boot Record (MBR) is stored. The MBR holds the disk's primary partition table and the bootstrapping instructions which are executed after the computer's BIOS passes execution to machine code. If a computer is infected with a boot sector virus, the virus launches immediately when the computer is turned on and is loaded into memory, enabling it to control the computer.
• File Deleting Viruses: A file deleting virus is designed to delete critical files which are part of the operating system, or data files.
• Mass Mailer Viruses: Mass mailer viruses search e-mail programs like MS Outlook for e-mail addresses stored in the address book and replicate by e-mailing themselves to those addresses.
• Macro Viruses: Macro viruses are written using macro programming languages like VBA, which is a feature of the MS Office package. A macro is a way to automate and simplify a task that you perform repeatedly in the MS Office suite (MS Excel, MS Word, etc.). These macros are usually stored as part of the document or spreadsheet and can travel to other systems when these files are transferred to other computers.
• Polymorphic Viruses: Polymorphic viruses have the capability to change their appearance and change their code every time they infect a different system, which helps them hide from antivirus software. After doing their work, these viruses try to hide from the antivirus application by encrypting parts of the virus itself; this is known as mutation.
• Armored Viruses: Armored viruses are designed and written to make themselves difficult to detect or analyze. An armored virus may also have the ability to protect itself from antivirus programs, making it more difficult to disinfect.
• Stealth Viruses: Stealth viruses have the capability to hide from the operating system or antivirus software by making changes to file sizes or directory structure. Stealth viruses are anti-heuristic in nature, which helps them hide from heuristic detection.
• Retrovirus: A retrovirus is another type of virus which tries to attack and disable the antivirus application running on the computer. A retrovirus can be considered an anti-antivirus. Some retroviruses attack the antivirus application and stop it from running; others destroy the virus definition database.
• Multiple Characteristic Viruses: Multiple characteristic viruses have the characteristics and capabilities of several of the above types.

Worms
A worm has characteristics similar to a virus. Worms are also self-replicating, but a worm replicates in a different way. Worms are standalone: once a computer is infected, the worm searches for other computers connected through a local area network (LAN) or an Internet connection. When a worm finds another computer, it replicates itself to the new computer and continues to search for other computers on the network to replicate to. Due to this replication through the network, a worm normally consumes a large amount of system resources, including network bandwidth, causing network servers to stop responding. The different types of computer worms are:
• Email Worms: Email worms spread through infected e-mail messages, as an attachment or as a link to an infected website.
• Instant Messaging Worms: Instant messaging worms spread by sending links to the contact list of instant messaging applications.
• Internet Worms: An Internet worm scans all available network resources using local operating system services and/or scans the Internet for vulnerable machines. If a computer is found vulnerable, the worm attempts to connect to it and gain access.
• IRC Worms: IRC worms spread through IRC chat channels, sending infected files or links to infected websites.
• File-sharing Network Worms: File-sharing network worms place a copy of themselves in a shared folder and spread via the P2P network.

Logic Bombs
A logic bomb is a program, or a part of another program, which triggers a malicious function when specified conditions are met. Normally a logic bomb does not replicate itself, and therefore it will not spread to unintended victims. Logic bombs are written and targeted against a specific victim. A logic bomb consists of two parts:
• A payload, which is the action to perform and which normally has a malicious effect.
• A trigger, a Boolean condition that is evaluated and controls when the payload is executed. The trigger can be a date, which user is logged in, network conditions, etc.

Trojan Horses
The Trojan horse is another type of malware, which got its name from the mythological Trojan horse. In the Trojan War, the Greeks conquered and destroyed the city of Troy by constructing a huge wooden horse and hiding Greek soldiers inside it. The Trojans pulled the horse into their city as a victory trophy. At night the Greek soldiers came out of the horse and opened the gates for the rest of the Greek army to capture the city. Trojan horse malware normally appears to be useful software but actually does damage once installed or run on your computer. Trojan horses are normally designed to give hackers access to the system. They appear as useful programs but give hackers the ability to change file settings, steal files or passwords, damage or alter files, monitor users on the computer, etc. Trojan horses can alter or delete files on the infected computer, download files to it, modify registry settings, steal passwords, log keystrokes, disable antivirus applications, etc.

Rootkits
A rootkit is another type of malware that has the capability to conceal itself from the operating system and the antivirus application on a computer. A rootkit provides continuous root level (super user) access to the computer on which it is installed. The name rootkit comes from the UNIX world, where the super user is "root", combined with "kit". Rootkits are installed by an attacker for a variety of purposes: rootkits can provide the attacker root level access to the computer via a backdoor, conceal other malware installed on the target computer, turn the compromised computer into a zombie for network attacks, and be used to obtain encryption keys and passwords. Rootkits are more dangerous than other types of malware because they are difficult to detect and remove. The different types of rootkits are explained below.

Application Level Rootkits: Application level rootkits operate inside the victim computer by replacing standard application files with rootkit files, or changing the behavior of existing applications with patches, injected code, etc.

Kernel Level Rootkits: The kernel is the core of the operating system, and kernel level rootkits are created by adding code to, or replacing portions of, the core operating system with modified code via device drivers (in Windows) or Loadable Kernel Modules (in Linux). Kernel level rootkits can have a serious effect on the stability of the system if the kit's code contains bugs. Kernel rootkits are difficult to detect because they have the same privileges as the operating system, and therefore they can intercept or subvert operating system operations.

Hardware/Firmware Rootkits: Hardware/firmware rootkits hide in hardware such as a network card or the system BIOS.

Hypervisor (Virtualized) Level Rootkits: Hypervisor level rootkits are created by exploiting hardware virtualization features such as Intel VT or AMD-V (hardware assisted virtualization technologies). A hypervisor level rootkit hosts the target operating system as a virtual machine and can therefore intercept all hardware calls made by the target operating system.

Boot Loader Level (Bootkit) Rootkits: Bootkits replace or modify the legitimate boot loader with another one, enabling the bootkit to be activated even before the operating system is started. Bootkits are a serious threat to security because they can be used to obtain encryption keys and passwords.

SQL Injection Attacks
An SQL injection attack is another type of attack, exploiting applications that use client-supplied data in SQL statements. Here malicious code is inserted into strings that are later passed to the database for parsing and execution. The common form of SQL injection is direct insertion of malicious code into user-input variables that are concatenated with SQL commands and executed. Another form injects malicious code into strings that are stored in tables, and the SQL injection attack is carried out later when the stored string is used. The following example shows the simplest form of SQL injection.

    var UserID;
    UserID = Request.form("UserID");
    var InfoUser = "select * from UserInfo where UserID = '" + UserID + "'";

If the user fills the field with the correct UserID (F827781), after the script executes the SQL query will look like

    SELECT * FROM UserInfo WHERE UserID = 'F827781'

Now consider the case where the user fills the field with the following entry.

    F827781'; drop table UserInfo --

After the script executes, the SQL code will look like

    SELECT * FROM UserInfo WHERE UserID = 'F827781'; drop table UserInfo --'

The closing quote appended by the script is swallowed by the comment marker (--), so both statements parse, and the second ultimately results in the deletion of the table UserInfo.
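The fix is to stop building SQL text out of user input and instead bind the value as a parameter, so the database never parses it as code. The example below is added here (not the page's own script) and reproduces the page's scenario in Python with SQLite: the same concatenation beside its parameterized form, run against a constructed in-memory UserInfo table. It assumes, as the page's ASP example does, a database call that accepts several statements in one string, which is why the unsafe path uses `executescript`.

```python
import sqlite3

# The page's example input, with the closing quote and comment marker that make
# the stacked statement parse.
INJECTED_INPUT = "F827781'; drop table UserInfo --"


def fresh_db():
    """In-memory database with a constructed UserInfo table and one sample row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE UserInfo (UserID TEXT PRIMARY KEY, Name TEXT)")
    conn.execute("INSERT INTO UserInfo VALUES ('F827781', 'Sample User')")
    conn.commit()
    return conn


def build_query_unsafe(user_id):
    # Same construction as the page's script: user input concatenated into SQL.
    return "select * from UserInfo where UserID = '" + user_id + "'"


def lookup_unsafe(conn, user_id):
    """Vulnerable path: the concatenated string is handed to the database as-is.

    executescript runs every statement in the string, standing in for a database
    API that accepts stacked statements (an assumption for this demonstration).
    """
    conn.executescript(build_query_unsafe(user_id))


def lookup_safe(conn, user_id):
    """Hardened path: the value travels as a bound parameter, never as SQL text."""
    cur = conn.execute("SELECT UserID, Name FROM UserInfo WHERE UserID = ?", (user_id,))
    return cur.fetchall()


def table_exists(conn, name="UserInfo"):
    row = conn.execute(
        "SELECT count(*) FROM sqlite_master WHERE type = 'table' AND name = ?", (name,)
    ).fetchone()
    return row[0] == 1
```

With the parameterized query the whole injected string is compared against the UserID column as one value, no row matches, and the table survives; the database account used by the application should in any case not hold DROP privileges, which limits the damage even where a concatenation slips through.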
