Network Security Problems
Wide area networks allow attacks from anywhere in the world, often routed through several compromised intermediary machines; enforcement of laws across borders is difficult.
Commonly used protocols were not designed for a hostile environment:
- authentication is missing or based on the source address, a cleartext password, or the integrity of the remote host;
- no protection against denial-of-service attacks.
Broadcast media (shared network segments) combined with promiscuous-mode network interfaces allow eavesdropping.
Vulnerable protocol implementations.
Distributed denial-of-service attacks.
Why is it so bad?
Home users increase the number of vulnerable systems.
Today most homes are connected, particularly with the advent of DSL and cable modems.
Most home users:
- are unaware of vulnerabilities;
- don’t use firewalls;
- think they have nothing to hide or don’t care if others get their data;
- don’t realize their systems can serve as jump off points for other attacks (zombies).
Why is it so bad? (cont'd)
Computer security is reactive:
- it is usually reacting to the latest attack;
- offense is easier than defense.
Security is expensive (in dollars and in time).
There is not now, and never will be, a system with perfect security.
Examples of common attacks
- buffer overflows;
- SQL injection;
- input tampering;
- password guessing/cracking;
- denial of service;
- viruses, trojan horses.
Social engineering and user mistakes:
- an employee accidentally revealing confidential data by sending the wrong email;
- an employee reveals confidential data to people they have only just met.
Guessing weak passwords:
- name of partner, child, pet, favourite movie, book title, band name, birthdays, …;
- guesses based on known previous passwords;
- keyboard sequences.
- attempts to reverse the password computation process.
Password attacks (cont’d)
Dictionary attacks with automated tools (e.g. Crack on UNIX, L0phtCrack on Windows NT): every word in a wordlist is mangled (case changes, appended digits, letter substitutions) and hashed until the hash in the password file matches.
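The weak-password guessing rules and the dictionary attack described above, combined in one offline cracker. This is an added example and not code from the slides or from Crack/L0phtCrack; the users, profiles, salts and the sha256(salt || password) store format are all constructed for the example.

```python
import hashlib

# Everything below is constructed for this example; the hashes are derived from
# made-up passwords and do not come from any real system.
def hash_pw(salt: str, password: str) -> str:
    """Fast salted hash: sha256(salt || password). A fast hash is precisely what
    makes an offline dictionary attack cheap."""
    return hashlib.sha256((salt + password).encode()).hexdigest()

# Facts an attacker can harvest about each user (partner, pet, year, band, ...).
PROFILE = {
    "alice": {"partner": "bob", "pet": "rex", "birthday": "1984", "band": "queen"},
    "carol": {"partner": "dave", "pet": "milo", "birthday": "0712", "band": "abba"},
}

# A leaked password store: user -> (salt, digest).
SAMPLE_STORE = {
    "alice": ("s4lt1", hash_pw("s4lt1", "Rex1984")),        # pet + birth year
    "carol": ("s4lt2", hash_pw("s4lt2", "qwerty")),         # keyboard sequence
    "erin":  ("s4lt3", hash_pw("s4lt3", "wN7#pqLz!2vB")),   # survives this attack
}

WORDLIST = ["password", "letmein", "dragon", "monkey", "football"]
KEYBOARD_SEQS = ["qwerty", "asdfgh", "zxcvbn", "1qaz2wsx", "qwertyuiop"]


def mangle(word):
    """Mangling rules of the kind Crack-style tools apply to every base word."""
    yield word
    yield word.capitalize()
    yield word.upper()
    for suffix in ("1", "123", "!"):
        yield word + suffix
        yield word.capitalize() + suffix
    yield word.replace("a", "4").replace("e", "3").replace("o", "0")


def candidates(user):
    """Guess order: personal words first, then common words, then keyboard runs;
    every base word is mangled and combined with any dates from the profile."""
    profile = PROFILE.get(user, {})
    dates = [v for v in profile.values() if v.isdigit()]
    words = [v for v in profile.values() if not v.isdigit()]
    seen = set()
    for base in words + WORDLIST + KEYBOARD_SEQS:
        combos = ([base + d for d in dates] + [base.capitalize() + d for d in dates]
                  + [d + base for d in dates])
        for guess in list(mangle(base)) + combos:
            if guess not in seen:
                seen.add(guess)
                yield guess


def crack(store, limit=10_000):
    """Offline dictionary attack: returns user -> (password, number of guesses)."""
    found = {}
    for user, (salt, digest) in store.items():
        for n, guess in enumerate(candidates(user), 1):
            if n > limit:
                break
            if hash_pw(salt, guess) == digest:
                found[user] = (guess, n)
                break
    return found


if __name__ == "__main__":
    for user, (pw, n) in crack(SAMPLE_STORE).items():
        print(f"{user}: {pw!r} recovered after {n} guesses")
```

Both weak passwords fall within a few dozen guesses because the candidate generator encodes exactly the habits listed above; the random one does not fall at all. The defences follow from the same code: a deliberately slow password hash (many iterations) multiplies the cost of every guess, and rate limiting stops the same list being tried online.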
Cached passwords in cleartext:
- storing cleartext passwords in temporary files;
- caching passwords on servers;
- weak XOR encryption.
Denial of service (DoS)
A flood of maliciously generated packets "swamps" the receiver. The countermeasures are imperfect:
- filtering out the flooded packet type (e.g. SYN) before it reaches the host throws out good traffic with the bad;
- tracing the flood back to its source usually ends at an innocent, compromised machine.
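The two problems just listed, shown on a constructed packet trace: a per-source detector is blinded by spoofed source addresses, a per-destination rate detector does fire, and the filter it drives discards a legitimate client's SYN along with the flood. This is an added example, not part of the slides; the trace, addresses and thresholds are all made up for it.

```python
import random
from collections import defaultdict, deque

# Constructed trace of (timestamp_s, src, dst, tcp_flags); not a real capture.
# "S" = SYN from a client, "A" = the client's ACK that completes its handshake.
SERVER = "192.0.2.10"


def make_trace(flood_pkts=500):
    rng = random.Random(1)
    pkts = [(0.0, "10.0.0.5", SERVER, "S"), (0.1, "10.0.0.5", SERVER, "A")]  # normal client
    for i in range(flood_pkts):                       # SYN flood, random spoofed sources
        src = f"198.51.100.{rng.randrange(1, 255)}"
        pkts.append((1.0 + i * 0.002, src, SERVER, "S"))
    pkts.append((2.5, "10.0.0.7", SERVER, "S"))       # second legitimate client, mid-flood
    pkts.append((2.6, "10.0.0.7", SERVER, "A"))
    return sorted(pkts)


def half_open_per_src(pkts, threshold=20):
    """Per-source detector: sources with many SYNs and never an ACK.
    Spoofing defeats it: each forged source shows up only a handful of times."""
    syns, acked = defaultdict(int), set()
    for _, src, _, flags in pkts:
        if flags == "S":
            syns[src] += 1
        elif flags == "A":
            acked.add(src)
    return {s for s, n in syns.items() if n >= threshold and s not in acked}


def syn_rate_per_dst(pkts, window=1.0, threshold=100):
    """Per-destination detector: alarm when more than `threshold` SYNs arrive at one
    destination inside any sliding `window` seconds. Returns dst -> alarm time."""
    recent, alarms = defaultdict(deque), {}
    for ts, _, dst, flags in pkts:
        if flags != "S":
            continue
        q = recent[dst]
        q.append(ts)
        while q and q[0] < ts - window:
            q.popleft()
        if len(q) > threshold and dst not in alarms:
            alarms[dst] = ts
    return alarms


def filter_syns(pkts, alarms):
    """Crude mitigation: once a destination is in alarm, drop every SYN to it.
    Returns (kept, dropped); the legitimate client's SYN ends up in `dropped`."""
    kept, dropped = [], []
    for p in pkts:
        ts, _, dst, flags = p
        (dropped if flags == "S" and dst in alarms and ts >= alarms[dst] else kept).append(p)
    return kept, dropped


if __name__ == "__main__":
    trace = make_trace()
    print("per-source suspects:", half_open_per_src(trace))
    alarms = syn_rate_per_dst(trace)
    print("per-destination alarms:", alarms)
    _, dropped = filter_syns(trace, alarms)
    print("legitimate SYNs dropped:", [p for p in dropped if p[1].startswith("10.")])
```

Real SYN-flood defences (SYN cookies, or a proxy that completes the handshake on the server's behalf) avoid the good-with-bad problem by not allocating state per half-open connection in the first place, rather than by dropping SYNs wholesale.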
Distributed DoS (DDoS): multiple coordinated sources (compromised hosts) swamp the receiver:
- the Attacker controls and activates an attack;
- the Masters are compromised hosts that control Agents;
- the Agents are compromised hosts that effectively perform the attack.
Distributed DoS: phases
- Scan thousands of hosts looking for known vulnerabilities.
- Exploit the vulnerabilities to compromise hosts and gain access.
- Install the DDoS tools on the compromised hosts; the tools also let those hosts scan and exploit further victims.
- Once a large number of hosts is compromised, the attack can begin; it is activated by a remote client.
IP address spoofing
- Inserting a false source IP address into outgoing packets.
- Obscures the real source of the attack.
- Makes session hijacking possible.
- Two-way communication with a spoofed source address requires redirecting the replies, since they are sent to the spoofed address, not to the attacker.
Ways to gain unauthorised access
- Poor or no authentication.
- Weak, sniffed or stolen passwords.
- “Forgotten” services.
- Server buffer overruns.
- Backdoors, trojan horses and poor implementation of OS code and services.
- Spoofing trusted hosts.
Packet sniffing
- Listens to all traffic on a local network segment.
- Needs privileged access on UNIX systems (on Windows 95/98 every user is a "privileged" user).
- Specialised sniffers grab and log passwords in nice human-readable form.
- Generally undetectable over the network.
Examples of TCP/IP vulnerabilities
Many implementations choose predictable initial sequence numbers, so an attacker who cannot see the reply packets sent from the destination D back to the source S can still:
- impersonate S by performing the entire handshake without ever receiving the second message, the SYN/ACK ("sequence number attack");
- disrupt an ongoing connection by inserting data packets that carry the right sequence numbers ("session hijacking").
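The sequence number attack above, together with the "replies go to the spoofed address" point from the IP spoofing slide, as a runnable simulation. This is an added example and not code from the slides: the listener is a toy model of the server side of the handshake, and the predictable generator (previous ISN + 64000 per connection, loosely modelled on the old BSD counter) is an assumption chosen to make the attack visible; the addresses are made up.

```python
import random

M32 = 1 << 32


class ToyTcpListener:
    """Minimal model of the server side of the TCP three-way handshake.
    predictable=True: ISN = previous ISN + 64000 per connection (assumption
    modelled on the old BSD counter); predictable=False: fresh random ISN."""

    def __init__(self, predictable, seed=0):
        self.predictable = predictable
        self.rng = random.Random(seed)
        self.counter = self.rng.randrange(M32)
        self.half_open = {}      # peer address -> ISN we sent in the SYN/ACK
        self.established = set()

    def _next_isn(self):
        if self.predictable:
            self.counter = (self.counter + 64000) % M32
            return self.counter
        return self.rng.randrange(M32)

    def syn(self, src):
        """SYN from src. Returns the ISN carried by the SYN/ACK, which is
        delivered to src (the attacker never sees it when src is spoofed)."""
        isn = self._next_isn()
        self.half_open[src] = isn
        return isn

    def ack(self, src, ack_number):
        """Third message: accepted only if it acknowledges our ISN + 1."""
        isn = self.half_open.get(src)
        if isn is None or ack_number != (isn + 1) % M32:
            return False
        del self.half_open[src]
        self.established.add(src)
        return True


def blind_spoof(server, attacker="203.0.113.9", trusted="10.0.0.2"):
    """Sequence number attack: (1) open a real connection from the attacker's own
    address to sample the current ISN, (2) send a SYN carrying the trusted host's
    address, whose SYN/ACK the attacker never sees, (3) finish the handshake with
    a predicted acknowledgement number."""
    sample = server.syn(attacker)            # SYN/ACK reaches the attacker: ISN learned
    server.ack(attacker, (sample + 1) % M32)
    server.syn(trusted)                      # spoofed SYN; SYN/ACK goes to the trusted host
    guess = (sample + 64000 + 1) % M32       # prediction from the sampled value
    return server.ack(trusted, guess)        # blind third message


if __name__ == "__main__":
    print("predictable ISN:", blind_spoof(ToyTcpListener(predictable=True)))
    print("random ISN:     ", blind_spoof(ToyTcpListener(predictable=False)))
```

Two things the model leaves out matter in practice: the trusted host would answer the unexpected SYN/ACK with a RST, so the attacker must first silence it (e.g. with a flood) or otherwise redirect the replies; and with a random 32-bit ISN the blind guess succeeds with probability 2^-32, which is why modern stacks randomise the ISN per connection (RFC 6528).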
The connectionless User Datagram Protocol (UDP) has no sequence numbers and is therefore more vulnerable to address spoofing.
Network services are usually configured with alphanumeric names mapped by the Domain Name System (DNS), which features its own set of vulnerabilities: DNS implementations cache query results, and many older versions even cache unsolicited ones, allowing an attacker to fill the cache with desired name/address mappings before launching an impersonation attack.
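The two cache-poisoning behaviours described above (accepting unsolicited responses, and caching every record in a response regardless of which zone answered) beside the hardened behaviour, as a toy resolver model. This is an added example, not the slides' own material and not the code of any real DNS server; the "bailiwick" rule here is simplified to "the parent domain of the queried name" (an assumption), and all names and addresses are constructed.

```python
class ToyResolver:
    """Caching resolver model.
    hardened=False caches every record in any response it receives, like the old
    implementations described above.
    hardened=True accepts only responses to an outstanding query with a matching
    transaction id, and only records inside the queried name's zone."""

    def __init__(self, hardened):
        self.hardened = hardened
        self.cache = {}       # name -> address
        self.pending = {}     # txid -> queried name
        self._txid = 0

    def query(self, qname):
        self._txid += 1
        self.pending[self._txid] = qname
        return self._txid

    @staticmethod
    def in_bailiwick(name, qname):
        # Assumption for the model: the zone that answered is the parent of qname.
        zone = qname.split(".", 1)[1]
        return name == zone or name.endswith("." + zone)

    def receive(self, txid, qname, records):
        """Process a response carrying (name, address) records. Returns count cached."""
        if self.hardened and self.pending.get(txid) != qname:
            return 0                                   # unsolicited or wrong txid: drop
        self.pending.pop(txid, None)
        accepted = 0
        for name, addr in records:
            if self.hardened and not self.in_bailiwick(name, qname):
                continue                               # out-of-zone record: ignore
            self.cache[name] = addr
            accepted += 1
        return accepted

    def resolve(self, name):
        return self.cache.get(name)


TARGET, BOGUS = "www.bank.example", "203.0.113.66"     # constructed victim name / attacker IP


def unsolicited_poison(hardened):
    """Attacker sends an answer the resolver never asked for."""
    r = ToyResolver(hardened)
    r.receive(txid=4242, qname=TARGET, records=[(TARGET, BOGUS)])
    return r.resolve(TARGET)


def piggyback_poison(hardened):
    """Attacker lures the resolver into querying a name it controls and piggybacks
    a record for the victim's name onto the otherwise legitimate reply."""
    r = ToyResolver(hardened)
    txid = r.query("www.attacker.example")
    r.receive(txid, "www.attacker.example",
              [("www.attacker.example", "203.0.113.5"), (TARGET, BOGUS)])
    return r.resolve(TARGET)


if __name__ == "__main__":
    for hardened in (False, True):
        print(f"hardened={hardened}: unsolicited -> {unsolicited_poison(hardened)}, "
              f"piggyback -> {piggyback_poison(hardened)}")
```

Once either poisoning succeeds, every client of the resolver that asks for www.bank.example is sent to the attacker's address until the entry expires, which is the "fill the cache before impersonating" step the text refers to. Transaction-id checks and bailiwick rules are necessary but, because the id is only 16 bits, still guessable; source-port randomisation and DNSSEC are the stronger answers.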
Viruses and worms
Virus: self-replicating code and data.
Typically requires human interaction before exploiting an application vulnerability:
- running an e-mail attachment;
- clicking on a link in an e-mail;
- inserting/connecting “infected” media to a PC.
It then searches for files to infect or sends out e-mail carrying an infected file.
Worm: self-replicating, self-propagating code and data.
Use network to find potential victims.
Typically exploit vulnerabilities in an application running on a machine or the machine’s operating system to gain a foothold.
Then search the network for new victims.
Examples:
- Code Red 1 and 2;
- Code Blue;
- SQL Slammer.
A worm needs only a few minutes to:
- scan millions of IP addresses;
- saturate the available bandwidth;
- infect thousands of hosts.
Worms propagate by exploiting application and operating-system vulnerabilities.
Trojan horses are programs disguised as useful tools; they are platform/OS specific.
Examples: BackOrifice, BO2k, NetBus, DeepThroat, Girlfriend:
- target MS Windows systems;
- install themselves as a service at boot time;
- accept network connections (some encrypt their traffic);
- allow full access to the system (with specialised commands for grabbing dial-up passwords).
Detection and prevention
- Use clean tools (commands on a compromised system may have been replaced by the attacker);
- use intrusion detection systems and firewalls;
- use session encryption (e.g. Secure Shell);
- use one-time passwords (e.g. S/Key);
- use anti-virus tools (with regular updates);
- user education:
- problems with downloads from untrusted sites;
- be careful with received executable content.
Establish security policies (for all security requirements).
Install the latest versions of software and apply recommended patches.
Strip down default services.
Only then connect the system to your network.
Design your network and restrict access to hosts (segmentation, DMZ, private address ranges, …).
Stay current with new security issues.
Apply OS and server patches immediately.
Do regular backups.
Monitor system activity and integrity.
Implement firewalls and IDS.
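The "use clean tools" and "monitor system integrity" points above rest on the same mechanism: a cryptographic baseline of the files that matter, taken while the system is known to be clean and compared against later. Below is an added example of such a checker (not code from the slides or from any integrity tool such as Tripwire); the scenario runs entirely inside a temporary directory with mock binaries, so no real system is touched.

```python
import hashlib
import os
import tempfile


def snapshot(root):
    """Map each regular file under root (path relative to root, '/'-separated)
    to its SHA-256 digest."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            h = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 16), b""):
                    h.update(chunk)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            snap[rel] = h.hexdigest()
    return snap


def compare(baseline, current):
    """Report files whose content changed, appeared, or disappeared since the baseline."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }


def demo():
    """Constructed scenario: a baseline is taken over a mock bin/ directory, then an
    intruder swaps 'ps' for a version that hides processes and drops a backdoor
    binary next to it. Returns the comparison report."""
    with tempfile.TemporaryDirectory() as root:
        bindir = os.path.join(root, "bin")
        os.makedirs(bindir)
        for name, body in (("ls", b"#!mock ls v1\n"), ("ps", b"#!mock ps v1\n")):
            with open(os.path.join(bindir, name), "wb") as fh:
                fh.write(body)
        baseline = snapshot(root)          # taken while the system is still clean

        with open(os.path.join(bindir, "ps"), "wb") as fh:   # trojaned replacement
            fh.write(b"#!mock ps that hides the backdoor's pid\n")
        with open(os.path.join(bindir, "bd"), "wb") as fh:   # new backdoor binary
            fh.write(b"#!mock backdoor\n")

        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    print(demo())
```

The check is only as trustworthy as the environment it runs in: an attacker who replaced `ps` can replace the checker or the baseline too, so both belong on read-only or offline media and the comparison is best run from a clean boot, which is what "use clean tools" means in practice.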
Site security policy
- Who is authorised to use specific services from where (and when)?
- Who is given privileged access?
- Plan the division of your network into public and private segments.
- Inform users of risks.
- Seek approval of your policy.
Security policy development
Step 1: Security requirements analysis
- Identify assets and their value.
- Identify vulnerabilities, threats and risk priorities.
- Identify legal and contractual requirements.
Step 2: Work out a suitable security policy
The security requirements identified can be complex and may have to be abstracted first into a high-level security policy: a set of rules that clarifies which activities, states and information flows are authorised, required, or prohibited.
Step 3: Security policy document
Once a good understanding exists of what exactly security means for an organisation and what needs to be protected or enforced, the high level security policy should be documented as a reference for anyone involved in implementing controls. It should clearly lay out the overall objectives, principles and the underlying threat model that are to guide the choice of mechanisms in the next step.
Step 4: Selection and implementation of controls
Issues addressed in a typical low-level organisational security policy:
- general (affecting everyone) and specific responsibilities for security;
- names the manager who "owns" the overall policy and is in charge of its continued enforcement, maintenance, review, and evaluation of effectiveness.
Step 4 (cont.)
- Names individual managers who “own” individual information assets and are responsible for their day-to-day security;
- reporting responsibilities for security incidents, vulnerabilities, software malfunctions;
- mechanisms for learning from incidents;
- personnel security (depending on sensitivity of job);
- regulation of third-party access;
- physical security (definition of security perimeters, locating facilities to minimise traffic across perimeters, entrance controls, handling of visitors and public access, visible identification, location of backup equipment at a safe distance, redundant power supplies, access to cabling, clear desk/screen policy, etc.);
- segregation of duties;
- audit trails (what activities are logged, how are log files protected from manipulation);
- separation of development and operational facilities;
- protection against unauthorised and malicious software;
- organising backup and rehearsing restoration;
- file/document access control, sensitivity labeling of documents and media;
- disposal of media;
- network and software configuration management;
- line and file encryption, authentication, key and password management;
- duress alarms, terminal timeouts, clock synchronisation, …
Stay informed and updated …
Subscribe to mailing lists.
Check for new exploits.
Advisories often offer links to vendor patches.
If those are absent, consider a temporary service restriction.