


About This E-Book

EPUB is an open, industry-standard format for e-books. However, support for EPUB and its many features varies across reading devices and applications. Use your device or app settings to customize the presentation to your liking. Settings that you can customize often include font, font size, single or double column, landscape or portrait mode, and figures that you can click or tap to enlarge. For additional information about the settings and features on your reading device or app, visit the device manufacturer’s Web site.

Many titles include programming code or configuration examples. To optimize the presentation of these elements, view the e-book in single-column, landscape mode and adjust the font size to the smallest setting. In addition to presenting code and configurations in the reflowable text format, we have included images of the code that mimic the presentation found in the print book; therefore, where the reflowable format may compromise the presentation of the code listing, you will see a “Click here to view code image” link. Click the link to view the print-fidelity code image. To return to the previous page viewed, click the Back button on your device or app.


Network Defense and Countermeasures Principles and Practices

Third Edition

Chuck Easttom

800 East 96th Street, Indianapolis, Indiana 46240 USA


Network Defense and Countermeasures Copyright © 2018 by Pearson Education, Inc.

All rights reserved. No part of this book shall be reproduced, stored in a retrieval system, or transmitted by any means, electronic, mechanical, photocopying, recording, or otherwise, without written permission from the publisher. No patent liability is assumed with respect to the use of the information contained herein. Although every precaution has been taken in the preparation of this book, the publisher and author assume no responsibility for errors or omissions. Nor is any liability assumed for damages resulting from the use of the information contained herein.

ISBN-13: 978-0-7897-5996-2

ISBN-10: 0-7897-5996-9

Library of Congress Control Number: 2018933854

Printed in the United States of America

1 18

Trademarks


All terms mentioned in this book that are known to be trademarks or service marks have been appropriately capitalized. Pearson IT Certification cannot attest to the accuracy of this information. Use of a term in this book should not be regarded as affecting the validity of any trademark or service mark.

Microsoft and/or its respective suppliers make no representations about the suitability of the information contained in the documents and related graphics published as part of the services for any purpose. All such documents and related graphics are provided “as is” without warranty of any kind. Microsoft and/or its respective suppliers hereby disclaim all warranties and conditions with regard to this information, including all warranties and conditions of merchantability, whether express, implied or statutory, fitness for a particular purpose, title and non-infringement. In no event shall Microsoft and/or its respective suppliers be liable for any special, indirect or consequential damages or any damages whatsoever resulting from loss of use, data or profits, whether in an action of contract, negligence or other tortious action, arising out of or in connection with the use or performance of information available from the services.

The documents and related graphics contained herein could include technical inaccuracies or typographical errors. Changes are periodically added to the information herein. Microsoft and/or its respective suppliers may make improvements and/or changes in the product(s) and/or the program(s) described herein at any time. Partial screenshots may be viewed in full within the software version specified.

Microsoft® and Windows® are registered trademarks of the Microsoft Corporation in the U.S.A. and other countries. Screenshots and icons reprinted with permission from the Microsoft Corporation. This book is not sponsored or endorsed by or affiliated with the Microsoft Corporation.

Warning and Disclaimer

Every effort has been made to make this book as complete and as accurate as possible, but no warranty or fitness is implied. The information provided is on an “as is” basis. The author and the publisher shall have neither liability nor responsibility to any person or entity with respect to any loss or damages arising from the information contained in this book.

Special Sales

For information about buying this title in bulk quantities, or for special sales opportunities (which may include electronic versions; custom cover designs; and content particular to your business, training goals, marketing focus, or branding interests), please contact our corporate sales department at corpsales@pearsoned.com or (800) 382-3419.

For government sales inquiries, please contact governmentsales@pearsoned.com.

For questions about sales outside the U.S., please contact intlcs@pearson.com.

Editor-in-Chief

Mark Taub

Product Line Manager

Brett Bartow

Executive Editor

Mary Beth Ray

Development Editor

Ellie C. Bru

Managing Editor


Sandra Schroeder

Senior Project Editor

Tonya Simpson

Copy Editor

Bill McManus

Indexer

Erika Millen

Proofreader

Abigail Manheim

Technical Editors

Akhil Behl

Steve Kalman

Publishing Coordinator

Vanessa Evans

Cover Designer

Chuti Prasertsith

Compositor

codemantra


Contents at a Glance

Preface

1 Introduction to Network Security

2 Types of Attacks

3 Fundamentals of Firewalls

4 Firewall Practical Applications

5 Intrusion-Detection Systems

6 Encryption Fundamentals

7 Virtual Private Networks

8 Operating System Hardening

9 Defending Against Virus Attacks

10 Defending Against Trojan Horses, Spyware, and Adware

11 Security Policies

12 Assessing System Security

13 Security Standards

14 Physical Security and Disaster Recovery

15 Techniques Used by Attackers

16 Introduction to Forensics


17 Cyber Terrorism

Appendix A: Answers

Glossary

Index


Table of Contents

Chapter 1: Introduction to Network Security

Introduction

The Basics of a Network

Basic Network Structure

Data Packets

IP Addresses

Uniform Resource Locators

MAC Addresses

Protocols

Basic Network Utilities

ipconfig

ping

tracert

netstat

The OSI Model

What Does This Mean for Security?

Assessing Likely Threats to the Network

Classifications of Threats

Malware


Compromising System Security—Intrusions

Denial of Service

Likely Attacks

Threat Assessment

Understanding Security Terminology

Hacking Terminology

Security Terminology

Choosing a Network Security Approach

Perimeter Security Approach

Layered Security Approach

Hybrid Security Approach

Network Security and the Law

Using Security Resources

Summary

Chapter 2: Types of Attacks

Introduction

Understanding Denial of Service Attacks

DoS in Action

SYN Flood

Smurf Attack

Ping of Death

UDP Flood


ICMP Flood

DHCP Starvation

HTTP Post DoS

PDoS

Distributed Reflection Denial of Service

DoS Tools

Real-World Examples

Defending Against DoS Attacks

Defending Against Buffer Overflow Attacks

Defending Against IP Spoofing

Defending Against Session Hijacking

Blocking Virus and Trojan Horse Attacks

Viruses

Types of Viruses

Trojan Horses

Summary

Chapter 3: Fundamentals of Firewalls

Introduction

What Is a Firewall?

Types of Firewalls

Packet Filtering Firewall

Stateful Packet Inspection

Application Gateway


Circuit Level Gateway

Hybrid Firewalls

Blacklisting/Whitelisting

Implementing Firewalls

Host-Based

Dual-Homed Hosts

Router-Based Firewall

Screened Hosts

Selecting and Using a Firewall

Using a Firewall

Using Proxy Servers

The WinGate Proxy Server

NAT

Summary

Chapter 4: Firewall Practical Applications

Introduction

Using Single Machine Firewalls

Windows 10 Firewall

User Account Control

Linux Firewalls

Iptables

Symantec Norton Firewall

McAfee Personal Firewall


Using Small Office/Home Office Firewalls

SonicWALL

D-Link DFL-2560 Office Firewall

Using Medium-Sized Network Firewalls

Check Point Firewall

Cisco Next-Generation Firewalls

Using Enterprise Firewalls

Summary

Chapter 5: Intrusion-Detection Systems

Introduction

Understanding IDS Concepts

Preemptive Blocking

Anomaly Detection

IDS Components and Processes

Understanding and Implementing IDSs

Snort

Cisco Intrusion-Detection and Prevention

Understanding and Implementing Honeypots

Specter

Symantec Decoy Server

Intrusion Deflection

Intrusion Deterrence


Summary

Chapter 6: Encryption Fundamentals

Introduction

The History of Encryption

The Caesar Cipher

ROT 13

Atbash Cipher

Multi-Alphabet Substitution

Rail Fence

Vigenère

Enigma

Binary Operations

Learning About Modern Encryption Methods

Symmetric Encryption

Key Stretching

PRNG

Public Key Encryption

Digital Signatures

Identifying Good Encryption

Understanding Digital Signatures and Certificates

Digital Certificates

PGP Certificates

MD5


SHA

RIPEMD

HAVAL

Understanding and Using Decryption

Cracking Passwords

John the Ripper

Using Rainbow Tables

Using Other Password Crackers

General Cryptanalysis

Steganography

Steganalysis

Quantum Computing and Quantum Cryptography

Summary

Chapter 7: Virtual Private Networks

Introduction

Basic VPN Technology

Using VPN Protocols for VPN Encryption

PPTP

PPTP Authentication

L2TP

L2TP Authentication

L2TP Compared to PPTP

IPSec


SSL/TLS

Implementing VPN Solutions

Cisco Solutions

Service Solutions

Openswan

Other Solutions

Summary

Chapter 8: Operating System Hardening

Introduction

Configuring Windows Properly

Accounts, Users, Groups, and Passwords

Setting Security Policies

Registry Settings

Services

Encrypting File System

Security Templates

Configuring Linux Properly

Patching the Operating System

Configuring Browsers

Securing Browser Settings for Microsoft Internet Explorer

Other Browsers


Summary

Chapter 9: Defending Against Virus Attacks

Introduction

Understanding Virus Attacks

What Is a Virus?

What Is a Worm?

How a Virus Spreads

The Virus Hoax

Types of Viruses

Virus Scanners

Virus Scanning Techniques

Commercial Antivirus Software

Antivirus Policies and Procedures

Additional Methods for Defending Your System

What to Do If Your System Is Infected by a Virus

Stopping the Spread of the Virus

Removing the Virus

Finding Out How the Infection Started

Summary

Chapter 10: Defending Against Trojan Horses, Spyware, and Adware

Introduction

Trojan Horses


Identifying Trojan Horses

Symptoms of a Trojan Horse

Why So Many Trojan Horses?

Preventing Trojan Horses

Spyware and Adware

Identifying Spyware and Adware

Anti-Spyware

Anti-Spyware Policies

Summary

Chapter 11: Security Policies

Introduction

Defining User Policies

Passwords

Internet Use Policy

E-mail Attachments

Software Installation and Removal

Instant Messaging

Desktop Configuration

Final Thoughts on User Policies

Defining System Administration Policies

New Employees

Leaving Employees

Change Requests


Security Breaches

Defining Access Control

Defining Developmental Policies

Summary

Chapter 12: Assessing System Security

Introduction

Risk Assessment Concepts

Evaluating the Security Risk

Conducting the Initial Assessment

Patches

Ports

Protect

Physical

Probing the Network

NetCop

NetBrute

Cerberus

Port Scanner for Unix: SATAN

SAINT

Nessus

NetStat Live

Active Ports

Other Port Scanners


Microsoft Baseline Security Analyzer

NSAuditor

NMAP

Vulnerabilities

CVE

NIST

OWASP

McCumber Cube

Goals

Information States

Safeguards

Security Documentation

Physical Security Documentation

Policy and Personnel Documentation

Probe Documents

Network Protection Documents

Summary

Chapter 13: Security Standards

Introduction

COBIT

ISO Standards

NIST Standards

NIST SP 800-14


NIST SP 800-35

NIST SP 800-30 Rev. 1

U.S. DoD Standards

Using the Orange Book

D - Minimal Protection

C - Discretionary Protection

B - Mandatory Protection

A - Verified Protection

Using the Rainbow Series

Using the Common Criteria

Using Security Models

Bell-LaPadula Model

Biba Integrity Model

Clark-Wilson Model

Chinese Wall Model

State Machine Model

U.S. Federal Regulations, Guidelines, and Standards

The Health Insurance Portability & Accountability Act of 1996 (HIPAA)

HITECH

Sarbanes-Oxley (SOX)

Computer Fraud and Abuse Act (CFAA): 18 U.S. Code § 1030

Fraud and Related Activity in Connection with Access Devices: 18 U.S. Code § 1029

General Data Protection Regulation (GDPR)

PCI DSS

Summary

Chapter 14: Physical Security and Disaster Recovery

Introduction

Physical Security

Equipment Security

Securing Building Access

Monitoring

Fire Protection

General Premises Security

Disaster Recovery

Disaster Recovery Plan

Business Continuity Plan

Determining Impact on Business

Testing Disaster Recovery

Disaster Recovery Related Standards


Ensuring Fault Tolerance

Summary

Chapter 15: Techniques Used by Attackers

Introduction

Preparing to Hack

Passively Searching for Information

Active Scanning

NSAuditor

Enumerating

Nmap

Shodan.io

Manual Scanning

The Attack Phase

Physical Access Attacks

Remote Access Attacks

Wi-Fi Hacking

Summary

Chapter 16: Introduction to Forensics

Introduction

General Forensics Guidelines

EU Evidence Gathering

Scientific Working Group on Digital Evidence


U.S. Secret Service Forensics Guidelines

Don’t Touch the Suspect Drive

Leave a Document Trail

Secure the Evidence

FBI Forensics Guidelines

Finding Evidence on the PC

In the Browser

In System Logs

Recovering Deleted Files

Operating System Utilities

The Windows Registry

Gathering Evidence from a Cell Phone

Logical Acquisition

Physical Acquisition

Chip-off and JTAG

Cellular Networks

Cell Phone Terms

Forensic Tools to Use

AccessData Forensic Toolkit

EnCase

The Sleuth Kit

OSForensics


Forensic Science

To Certify or Not to Certify?

Summary

Chapter 17: Cyber Terrorism

Introduction

Defending Against Computer-Based Espionage

Defending Against Computer-Based Terrorism

Economic Attack

Compromising Defense

General Attacks

China Eagle Union

Choosing Defense Strategies

Defending Against Information Warfare

Propaganda

Information Control

Actual Cases

Packet Sniffers

Summary

Appendix A: Answers

Glossary

Index


Preface

The hottest topic in the IT industry today is computer security. The news is replete with stories of hacking, viruses, and identity theft. The cornerstone of security is defending the organizational network. Network Defense and Countermeasures: Principles and Practices offers a comprehensive overview of network defense. It introduces students to network security threats and methods for defending the network. Three entire chapters are devoted to firewalls and intrusion-detection systems. There is also a chapter providing a basic introduction to encryption. Combining information on the threats to networks, the devices and technologies used to ensure security, as well as concepts such as encryption provides students with a solid, broad-based approach to network defense.

This book provides a blend of theoretical foundations and practical applications. Each chapter ends with multiple choice questions and exercises, and most chapters also have projects. Students who successfully complete this textbook, including the end of chapter material, should have a solid understanding of network security. Throughout the book the student is directed to additional resources that can augment the material presented in the chapter.

Audience

This book is designed primarily as a textbook for students who have a basic understanding of how networks operate, including basic terminology, protocols, and devices. Students do not need to have an extensive math background or more than introductory computer courses.

Overview of the Book

This book will walk you through the intricacies of defending your network against attacks. It begins with a brief introduction to the field of network security in Chapter 1, “Introduction to Network Security.” Chapter 2, “Types of Attacks,” explains the threats to a network—including denial of service attacks, buffer overflow attacks, and viruses.

Chapter 3, “Fundamentals of Firewalls,” Chapter 4, “Firewall Practical Applications,” Chapter 5, “Intrusion-Detection Systems,” and Chapter 7, “Virtual Private Networks,” give details on various security technologies including firewalls, intrusion-detection systems, and VPNs. These items are the core of any network’s security, so a significant portion of this book is devoted to ensuring the reader fully understands both the concepts behind them and the practical applications. In every case, practical direction for selecting appropriate technology for a given network is included.

Chapter 6, “Encryption Fundamentals,” provides a solid introduction to encryption. This topic is critical because ultimately computer systems are simply devices for storing, transmitting, and manipulating data. No matter how secure the network is, if the data it transmits is not secure then there is a significant danger.

Chapter 8, “Operating System Hardening,” teaches operating system hardening. Chapter 9, “Defending Against Virus Attacks,” and Chapter 10, “Defending Against Trojan Horses, Spyware, and Adware,” give the reader specific defense strategies and techniques to guard against the most common network dangers. Chapter 11, “Security Policies,” gives readers an introduction to security policies.

Chapter 12, “Assessing System Security,” teaches the reader how to do an assessment of a network’s security. This includes guidelines for examining policies as well as an overview of network assessment tools. Chapter 13, “Security Standards,” gives an overview of common security standards such as the Orange Book and the Common Criteria. This chapter also discusses various security models such as Bell-LaPadula. Chapter 14, “Physical Security and Disaster Recovery,” examines the often-overlooked topic of physical security as well as disaster recovery, which is a key part of network security.

Chapter 15, “Techniques Used by Attackers,” provides the tools necessary to “know your enemy,” by examining basic hacking techniques and tools as well as strategies for mitigating hacker attacks. Chapter 16, “Introduction to Forensics,” helps you understand basic forensics principles in order to properly prepare for investigation if you or your company become the victim of a computer crime. Chapter 17, “Cyber Terrorism,” discusses computer-based espionage and terrorism, two topics of growing concern for the computer security community but often overlooked in textbooks.


About the Author

Chuck Easttom is a computer scientist, author, and inventor. He has authored 25 other books on programming, Web development, security, and Linux. He has also authored dozens of research papers on a wide range of computer science and cyber security topics. He is an inventor with 13 computer science patents. Chuck holds more than 40 different industry certifications. He also is a frequent presenter/speaker at computer and cyber security conferences such as Defcon, ISC2 Security Congress, Secure World, IEEE workshops, and more.

You can reach Chuck at his website (www.chuckeasttom.com) or by e-mail at chuck@chuckeasttom.com.

Dedication

This book is dedicated to all the people working in the computer security field, diligently working to make computer networks safer.

Acknowledgments

While only one name goes on the cover of this book, it is hardly the work of just one person. I would like to take this opportunity to thank a few of the people involved. First of all, the editing staff at Pearson worked extremely hard on this book. Without them this project would simply not be possible. I would also like to thank my wife, Teresa, for all her support while I was working on this book. She is always very supportive in all my endeavors, a one-woman support team!

About the Technical Reviewers

Akhil Behl, CCIE No. 19564, is a passionate IT executive with key focus on cloud and security. He has more than 15 years of experience in the IT industry working in several leadership, advisory, consultancy, and business development profiles with various organizations. His technology and business specialization includes cloud, security, infrastructure, data center, and business communication technologies.

Akhil has authored multiple titles on security and business communication technologies. He has contributed as technical editor for a number of books on network and information security. He has published several research papers in national and international journals, including IEEE Xplore, and presented at various IEEE conferences, as well as other prominent ICT, security, and telecom events.

Akhil also holds CCSK, CHFI, PMP, ITIL, VCP, TOGAF, CEH, ISM, and several other industry certifications. He has a bachelor’s degree in technology and an MBA.

Steve Kalman is both an attorney and a professional security expert. He holds the following credentials from (ISC)2 for whom he worked as an authorized instructor: CISSP, CCFP- US, CSSLP, ISSMP, ISSAP, HCISPP, SSCP. Steve has been author or technical editor for more than 20 Pearson/Cisco Press books.


We Want to Hear from You!

As the reader of this book, you are our most important critic and commentator. We value your opinion and want to know what we're doing right, what we could do better, what areas you'd like to see us publish in, and any other words of wisdom you're willing to pass our way.

We welcome your comments. You can email or write to let us know what you did or didn't like about this book—as well as what we can do to make our books better.

Please note that we cannot help you with technical problems related to the topic of this book.

When you write, please be sure to include this book’s title and author as well as your name and email address. We will carefully review your comments and share them with the author and editors who worked on the book.

Email: feedback@pearsonitcertification.com

Mail: Pearson IT Certification
ATTN: Reader Feedback
800 East 96th Street
Indianapolis, IN 46240 USA


Reader Services

Register your copy of Network Defense and Countermeasures at www.pearsonitcertification.com for convenient access to downloads, updates, and corrections as they become available. To start the registration process, go to www.pearsonitcertification.com/register and log in or create an account*. Enter the product ISBN 9780789759962 and click Submit. When the process is complete, you will find any available bonus content under Registered Products.

*Be sure to check the box that you would like to hear from us to receive exclusive discounts on future editions of this product.


Chapter 1

Introduction to Network Security

CHAPTER OBJECTIVES

After reading this chapter and completing the exercises, you will be able to do the following:

Identify the most common dangers to networks.

Understand basic networking.

Employ basic security terminology.

Find the best approach to network security for your organization.

Evaluate the legal issues that will affect your work as a network administrator.


Use resources available for network security.

INTRODUCTION

Finding a week without some major security breach in the news is difficult. University web servers hacked, government computers hacked, banks’ data compromised, health information exposed—the list goes on. It also seems as if each year brings more focus to this issue. Finding anyone in any industrialized nation who had not heard of things such as websites being hacked and identities stolen would be difficult.

More venues for training also exist now. Many universities offer Information Assurance degrees from the bachelor’s level up through the doctoral level. A plethora of industry certification training programs are available, including the CISSP, EC Council’s CEH, Mile2 Security, SANS, and CompTIA’s Security+. There are also now a number of universities offering degrees in cyber security, including distance learning degrees.

Despite this attention from the media and the opportunities to acquire security training, far too many computer professionals—including a surprising number of network administrators—do not have a clear understanding of the type of threats to which network systems are exposed, or which ones are most likely to actually occur. Mainstream media focuses attention on the most dramatic computer security breaches rather than giving an accurate picture of the most plausible threat scenarios.

This chapter looks at the threats posed to networks, defines basic security terminology, and lays the foundation for concepts covered in the chapters that follow. The steps required to ensure the integrity and security of your network are methodical and, for the most part, already outlined. By the time you complete this book, you will be able to identify the most common attacks, explain how they are perpetrated in order to prevent them, and understand how to secure your data transmissions.

THE BASICS OF A NETWORK

Before diving into how to protect your network, exploring what networks are would probably be a good idea. For many readers this section will be a review, but for some it might be new material. Whether this is a review for you, or new information, having a thorough understanding of basic networking before attempting to study network security is critical. Also, be aware this is just a brief introduction to basic networking concepts. Many more details are not explored in this section.

A network is simply a way for machines/computers to communicate. At the physical level, it consists of all the machines you want to connect and the devices you use to connect them. Individual machines are connected either with a physical connection (a category 5 or better twisted-pair cable going into a network interface card, or NIC) or wirelessly. To connect multiple machines together, each machine must connect to a hub or switch, and then those hubs/switches must connect together. (Hubs are now largely obsolete: a hub repeats every frame to every port, so any machine on it can see everyone else’s traffic, whereas a switch forwards a frame only to the port where the destination MAC address lives.) In larger networks, each subnetwork is connected to the others by a router. We look at many attacks in this book (including several in Chapter 2, “Types of Attacks”) that focus on the devices that connect machines together on a network (that is, routers, hubs, and switches). If you find this chapter is not enough, this resource might assist you: http://compnetworking.about.com/od/basicnetworkingconcepts/Networking_Basics_Key_Concepts_in_Computer_Networking.htm

Basic Network Structure

Some connection point(s) must exist between your network and the outside world. A barrier is set up between that network and the Internet, usually in the form of a firewall. Many attacks discussed in this book work to overcome the firewall and get into the network.

The real essence of networks is communication— allowing one machine to communicate with another. However, every avenue of communication is also an avenue of attack. The first step in understanding how to defend a network is having a detailed understanding of how computers communicate over a network.

The previously mentioned network interface cards, switches, routers, hubs, and firewalls are the fundamental physical pieces of a network. The way they are connected and the format they use for communication is the network architecture.

Data Packets

After you have established a connection with the network (whether it is physical or wireless), you need to send data. The first part is to identify where you want to send it. We will start off discussing IP version 4 addresses; we will look at IPv6 a bit later in this chapter. All computers (as well as routers) have an IP address that is a series of four numbers between 0 and 255 and separated by periods, such as 192.0.0.5 (note that this is an IPv4 address). The second part is to format the data for transmission. All data is ultimately in binary form (1s and 0s). This binary data is put into packets, each no larger than 65,535 bytes (and in practice far smaller; on Ethernet a packet is typically 1,500 bytes or less). The first few bytes are the header. That header tells where the packet is going, where it came from, and carries the sequencing information the receiver needs to put the pieces of a transmission back in order. There is actually more than one header, but for now, we will just discuss the header as a single entity. Some attacks that we will study (IP spoofing, for example) try to change the header of packets to give false information. Other methods of attack simply try to intercept packets and read the content (thus compromising the data).

A packet can have multiple headers. In fact, most packets will have at least three headers. The IP header has information such as IP addresses for the source and destination, as well as what protocol the packet carries. The TCP header (or the UDP header, for connectionless traffic) has information such as the source and destination port numbers. The Ethernet header has information such as the MAC address for the source and destination. If a packet is encrypted with Transport Layer Security (TLS), it will also have a TLS record header. Note that only the data inside the TLS record is encrypted: the Ethernet, IP, and TCP headers are always sent in the clear, which is why an eavesdropper can still see who is talking to whom, and on which port, even when the content itself is unreadable.
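To make the three headers concrete, here is an added example (not code from the book) that builds a TCP SYN inside an IPv4 packet inside an Ethernet frame, then walks the headers back out field by field and verifies the IPv4 header checksum. The MAC addresses, IP addresses and ports are constructed for illustration. The last function rewrites the source address the way an IP spoofing tool would, so you can see why the checksum catches a careless forgery but is no defense against a careful one.

```python
"""Parse a constructed Ethernet/IPv4/TCP frame and check its IPv4 header checksum.

Added example; not code from the book. The MAC addresses, IP addresses and
the frame itself are constructed here for illustration.
"""
import struct

ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 header checksum: one's-complement sum of 16-bit words, complemented.

    The caller must pass the header with its checksum field zeroed.
    """
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def mac_to_str(raw: bytes) -> str:
    return ":".join("%02x" % b for b in raw)


def ip_to_bytes(dotted: str) -> bytes:
    return bytes(int(octet) for octet in dotted.split("."))


def ip_to_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def build_frame(src_mac: str, dst_mac: str, src_ip: str, dst_ip: str,
                src_port: int, dst_port: int, payload: bytes = b"") -> bytes:
    """Construct a TCP SYN inside an IPv4 packet inside an Ethernet frame.

    The TCP checksum is left at zero for brevity; the IPv4 header checksum is
    computed properly so the parser below has something to verify.
    """
    # TCP header: ports, seq, ack, data offset (5 words) + SYN flag, window, checksum, urgent ptr
    tcp = struct.pack("!HHIIHHHH", src_port, dst_port, 1000, 0,
                      (5 << 12) | 0x02, 65535, 0, 0) + payload
    total_len = 20 + len(tcp)
    # IPv4 header with the checksum field (bytes 10-11) set to zero first
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000,
                         64, IPPROTO_TCP, 0, ip_to_bytes(src_ip), ip_to_bytes(dst_ip))
    ip_hdr = ip_hdr[:10] + struct.pack("!H", ipv4_checksum(ip_hdr)) + ip_hdr[12:]
    eth = struct.pack("!6s6sH", bytes.fromhex(dst_mac.replace(":", "")),
                      bytes.fromhex(src_mac.replace(":", "")), ETHERTYPE_IPV4)
    return eth + ip_hdr + tcp


def parse_frame(frame: bytes) -> dict:
    """Walk the three headers the text describes: Ethernet, then IP, then TCP."""
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError("not an IPv4 frame: ethertype 0x%04x" % ethertype)
    ip = frame[14:]
    (ver_ihl, _tos, _total_len, _ident, _flags_frag, ttl, proto,
     hdr_csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4              # header length in bytes (options included)
    ip_hdr = ip[:ihl]
    zeroed = ip_hdr[:10] + b"\x00\x00" + ip_hdr[12:]
    info = {
        "src_mac": mac_to_str(src_mac), "dst_mac": mac_to_str(dst_mac),
        "src_ip": ip_to_str(src), "dst_ip": ip_to_str(dst),
        "ttl": ttl, "proto": proto,
        "ip_checksum_ok": ipv4_checksum(zeroed) == hdr_csum,
    }
    if proto == IPPROTO_TCP:
        sport, dport, seq, _ack, off_flags = struct.unpack("!HHIIH", ip[ihl:ihl + 14])
        info.update(src_port=sport, dst_port=dport, seq=seq, tcp_flags=off_flags & 0x1FF)
    return info


def spoof_source(frame: bytes, new_src_ip: str, fix_checksum: bool = False) -> bytes:
    """Overwrite the IPv4 source address, the way an IP spoofing tool would.

    A crude tool that forgets the checksum produces a header routers will drop;
    a careful one recomputes it, which is why the checksum is not a security control.
    """
    ihl = (frame[14] & 0x0F) * 4
    ip_hdr = bytearray(frame[14:14 + ihl])
    ip_hdr[12:16] = ip_to_bytes(new_src_ip)
    if fix_checksum:
        ip_hdr[10:12] = b"\x00\x00"
        ip_hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(ip_hdr)))
    return frame[:14] + bytes(ip_hdr) + frame[14 + ihl:]


if __name__ == "__main__":
    frame = build_frame("00:11:22:33:44:55", "66:77:88:99:aa:bb",
                        "192.168.1.10", "93.184.216.34", 49152, 80)
    print(parse_frame(frame))
    print(parse_frame(spoof_source(frame, "10.0.0.5")))
```

The checksum only protects against accidental corruption in transit; anyone who can write raw packets can change any header field and recompute it. Spoofing is constrained by routing and by ingress filtering at network borders, not by the checksum.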

IP Addresses

The first major issue to understand is how to get packets to their proper destination. Even a small network has many computers that could potentially be the final destination of any packet sent. The Internet has millions of computers spread out across the globe. How do you ensure that a packet gets to its proper destination? The problem is not unlike addressing a letter and ensuring it gets to the correct destination. Let’s begin by looking at IP version 4 addressing because it is the most common in use today, but this section also briefly discusses IP version 6.

An IP version 4 address is a series of four numbers, each of up to three digits, separated by periods. (An example is 107.22.98.198.) Each of the four numbers must be between 0 and 255. You can see that an address of 107.22.98.466 would not be a valid one. The reason for this rule is that these addresses are actually four binary numbers: The computer simply displays them to you in decimal format. Recall that 1 byte is 8 bits (1s and 0s), and an 8-bit binary number converted to decimal format will be between 0 and 255. The total of 32 bits means that approximately 4.2 billion (2^32) possible IP version 4 addresses exist.

The IP address of a computer tells you a lot about that computer. The first byte (or the first decimal number) in an address tells you to what class of network that machine belongs. Table 1-1 summarizes the five network classes.

TABLE 1-1 Network Classes

Class | IP Range for the First Byte | Use
A | 0–126 | Extremely large networks. No Class A network IP addresses are left. All have been used.
B | 128–191 | Large corporate and government networks. All Class B IP addresses have been used.
C | 192–223 | The most common group of IP addresses. Your ISP probably has a Class C address.
D | 224–239 | Reserved for multicasting (delivering the same data to a whole group of receivers at once).
E | 240–255 | Reserved for experimental use.

These five classes of networks will become more important later in this book (or should you decide to study networking on a deeper level). Observe Table 1-1 carefully, and you probably will discover that the IP range of 127 was not listed. This omission is because that range is reserved for testing. The IP address of 127.0.0.1 designates the machine you are on, regardless of that machine’s assigned IP address. This address is often referred to as the loopback address. That address will be used often in testing your machine and your NIC. We will examine its use a bit later in this chapter in the section on network utilities.

These particular classes are important as they tell you what part of the address represents the network and what part represents the node. For example, in a Class A address, the first octet represents the network, and the remaining three represent the node. In a Class B address, the first two octets represent the network, and the second two represent the node. And finally, in a Class C address, the first three octets represent the network, and the last represents the node.

There are also some very specific IP addresses and IP address ranges you should be aware of. The first, as previously mentioned, is 127.0.0.1, or the loopback address. Traffic sent to it never leaves the machine and never touches the NIC; the operating system’s loopback interface handles it entirely in software, which is why it works even when the network cable is unplugged.

Private IP addresses are another issue to be aware of. Certain ranges of IP addresses (defined in RFC 1918) have been designated for use within networks. These cannot be used as public IP addresses but can be used for internal workstations and servers. Those IP addresses are

10.0.0.0 to 10.255.255.255 (10.0.0.0/8)

172.16.0.0 to 172.31.255.255 (172.16.0.0/12)

192.168.0.0 to 192.168.255.255 (192.168.0.0/16)

Sometimes people new to networking have some trouble understanding public and private IP addresses. A good analogy is an office building. Within a single office building, each office number must be unique. You can only have one 305. And within that building, if you discuss office 305 it is immediately clear what you are talking about. But there are other office buildings, many of which have their own office 305. You can think of private IP addresses as office numbers. They must be unique within their network, but there may be other networks with the same private IP.

Public IP addresses are more like traditional mailing addresses. Those must be unique worldwide. When communicating from office to office you can use the office number, but to get a letter to another building you have to use the complete mailing address. It is much the same with networking. You can communicate within your network using private IP addresses, but to communicate with any computer outside your network, you have to use public IP addresses.

One of the roles of a gateway router is to perform what is called network address translation (NAT). Using NAT, a router takes the private IP address on outgoing packets and replaces it with the public IP address of the gateway router so that the packet can be routed through the Internet.

86

We have already discussed IP version 4 network addresses; now let’s turn our attention to subnetting. If you are already familiar with this topic, feel free to skip this section. For some reason this topic tends to give networking students a great deal of trouble. So we will begin with a conceptual understanding. Subnetting is simply chopping up a network into smaller portions. For example, if you have a network using the IP address 192.168.1.X (X being whatever the address is for the specific computer), then you have allocated 256 possible addresses, of which 254 can be given to hosts: the first, 192.168.1.0, names the network itself, and the last, 192.168.1.255, is the broadcast address. What if you want to divide that into two separate subnetworks? Subnetting is how you do that.

More technically, the subnet mask is a 32-bit number that is assigned to each host to divide the 32-bit binary IP address into network and node portions. You also cannot just put in any number you want. A mask is always a run of 1 bits followed by a run of 0 bits, so each octet can only be 255, 254, 252, 248, 240, 224, 192, 128, or 0, and once an octet is anything less than 255, every octet after it must be 0. Your computer will take your IP address and the subnet mask and use a binary AND operation to combine them; the result is the network address.

It may surprise you to know that you already have a subnet mask even if you have not been subnetting. If you have a Class C IP address, then your network subnet mask is 255.255.255.0. If you have a Class B IP address, then your subnet mask is 255.255.0.0. And finally, if it is Class A, your subnet mask is 255.0.0.0.

Now think about these numbers in relationship to binary numbers. The decimal value 255 converts to 11111111 in binary. So you are literally “masking” the portion of the address that is used to define the network, and the remaining portion is used to define individual nodes. Now if you want fewer than 254 nodes in your subnet, then you need something like 255.255.255.240 for your subnet mask. If you convert 240 to binary, it is 11110000. That means the first three octets and the first 4 bits of the last octet define the network. The last 4 bits of the last octet define the node. Four bits give you 2^4, or 16, addresses in the subnet, but two of them are reserved (the all-zeros pattern 0000 is the network address and the all-ones pattern 1111 is the broadcast address), so you could have as many as 14 nodes on this subnetwork. This is the basic essence of subnetting.

Classful subnetting only allows you to use certain, limited subnets. Another approach is CIDR, or classless interdomain routing. Rather than define a subnet mask, you have the IP address followed by a slash and a number. That number is simply the count of leading 1 bits in the mask and can be anything between 0 and 32, which results in IP addresses like these:

192.168.1.10/24 (the same as 192.168.1.10 with a mask of 255.255.255.0, which is what a Class C network gets by default)

192.168.1.10/31 (a mask of 255.255.255.254: a two-address subnet, used for point-to-point links between routers)

When you use this, rather than having classes with subnets, you have variable-length subnet masking (VLSM) that provides classless IP addresses. This is the most common way to define network IP addresses today.
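The classful rules from Table 1-1, the private ranges, the binary AND described above, and CIDR notation all come together in the following added example (not code from the book; it uses only the Python standard library). The manual arithmetic is cross-checked against the ipaddress module, and the addresses used are constructed for illustration.

```python
"""Classful addresses, private ranges, subnet masks and CIDR, worked in code.

Added example; not code from the book. Uses only the standard library. The
addresses used in the usage section are constructed for illustration.
"""
import ipaddress

PRIVATE_RANGES = [ipaddress.ip_network(n)
                  for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
DEFAULT_MASKS = {"A": "255.0.0.0", "B": "255.255.0.0", "C": "255.255.255.0"}


def to_int(dotted: str) -> int:
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError("invalid IPv4 address: %s" % dotted)
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def to_dotted(value: int) -> str:
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def address_class(ip: str) -> str:
    """Classful designation from the first octet (Table 1-1)."""
    first = to_int(ip) >> 24
    if first == 127:
        return "loopback"
    if first < 128:
        return "A"
    if first < 192:
        return "B"
    if first < 224:
        return "C"
    if first < 240:
        return "D"
    return "E"


def is_private(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_RANGES)


def mask_to_prefix(mask: str) -> int:
    """Validate that the mask is a run of 1s followed by 0s; return the prefix length."""
    m = to_int(mask)
    prefix = bin(m).count("1")
    if m != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:
        raise ValueError("non-contiguous subnet mask: %s" % mask)
    return prefix


def subnet_info(ip: str, mask: str = None) -> dict:
    """Network, broadcast and usable-host count via the binary AND the text describes.

    Without a mask, the classful default for the address is used (classes D/E
    and the loopback range have no default and raise KeyError).
    """
    if mask is None:
        mask = DEFAULT_MASKS[address_class(ip)]
    prefix = mask_to_prefix(mask)
    m = to_int(mask)
    network = to_int(ip) & m
    broadcast = network | (~m & 0xFFFFFFFF)
    host_bits = 32 - prefix
    if host_bits >= 2:
        usable = 2 ** host_bits - 2        # network and broadcast are reserved
    elif host_bits == 1:
        usable = 2                         # /31 point-to-point link (RFC 3021)
    else:
        usable = 1                         # /32 single host
    return {"network": to_dotted(network), "broadcast": to_dotted(broadcast),
            "mask": mask, "prefix": prefix, "usable_hosts": usable}


def from_cidr(cidr: str) -> dict:
    """Same answer from CIDR notation, cross-checked against ipaddress.ip_network."""
    ip, prefix = cidr.split("/")
    prefix = int(prefix)
    mask = to_dotted((0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF)
    info = subnet_info(ip, mask)
    ref = ipaddress.ip_network(cidr, strict=False)
    info["matches_stdlib"] = (info["network"] == str(ref.network_address)
                              and info["broadcast"] == str(ref.broadcast_address))
    return info


if __name__ == "__main__":
    print(address_class("107.22.98.198"), is_private("107.22.98.198"))
    print(subnet_info("192.168.1.77", "255.255.255.240"))
    print(from_cidr("192.168.1.10/31"))
```

Note that mask_to_prefix rejects masks such as 255.255.255.250 whose bits are not contiguous; a device that accepts such a mask is misconfigured, and a scanner that finds one will usually be looking at a hand-edited configuration.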

You should not be concerned that IP addresses are about to run out. The IP version 6 standard is already available, and methods (private addressing and NAT, discussed above) are in place to extend the use of IPv4 addresses. To restate the two groups: the public IP addresses are for computers reachable on the Internet, and no two public IP addresses can be the same. A private IP address, such as one on a private company network, has to be unique only in that network. It does not matter if other computers in the world have the same IP address, because private addresses are never routed across the public Internet. Network administrators often use private IP addresses that begin with a 10, such as 10.102.230.17. The other private IP ranges are 172.16.0.0–172.31.255.255 and 192.168.0.0–192.168.255.255.

Also note that an ISP often will buy a pool of public IP addresses and assign them to you when you log on. So, an ISP might own 1,000 public IP addresses and have 10,000 customers. Because all 10,000 customers will not be online at the same time, the ISP simply assigns an IP address to a customer when he or she logs on, and the ISP un- assigns the IP address when the customer logs off.

IPv6 utilizes a 128-bit address (instead of 32) and writes it in hexadecimal in order to avoid long addresses such as 132.64.34.26.64.156.143.57.1.3.7.44.122.111.201.5. The hex address format appears in the form of 3FFE:B00:800:2::C, for example (the :: stands for one run of all-zero groups). This gives you 2^128 possible addresses (roughly 3.4 × 10^38), so no chance exists of running out of IP addresses in the foreseeable future.

IPv6 has no address classes and no dotted subnet masks; subnetting is still done, but the network portion is expressed only in CIDR form, a slash followed by the number of bits in the address that are assigned to the network portion, such as

/48

/64

A /64 is the standard size for a single LAN segment, which leaves 64 bits for host addresses on every subnet.

There is a loopback address for IPv6: it is ::1, written ::1/128 in prefix notation. (::/128, all zeros, is a different address: the unspecified address, the IPv6 equivalent of 0.0.0.0.) Other differences between IPv4 and IPv6 are described here:

Link/machine-local.

The nearest IPv6 equivalent of IPv4’s APIPA, or Automatic Private IP Addressing, in which a machine configured for dynamically assigned addresses that cannot reach a DHCP server assigns itself a generic IP address. (DHCP, or Dynamic Host Configuration Protocol, is used to dynamically assign IP addresses within a network.) The difference is that in IPv6 a link-local address is not a fallback: every IPv6 interface always configures one for itself, usually derived from its MAC address or a random value, and uses it to talk to neighbors and routers on the same link.

IPv6 link-local addresses all start with fe80::. So if fe80:: is the only IPv6 address your computer has, it did not obtain a routable address (from DHCPv6 or from router advertisements); if it has an fe80:: address alongside a global one, that is normal and nothing is wrong.

Site/network-local.

The IPv6 version of IPv4 private addresses. In other words, these are real IP addresses, but they only work on this local network. They are not routable on the Internet.

All site-local IP addresses begin with FE and have C to F for the third hexadecimal digit: FEC, FED, FEE, or FEF (the prefix fec0::/10). Be aware that site-local addresses were deprecated in 2004 (RFC 3879); the modern replacement is the unique local address (ULA) range fc00::/7, in practice fd00::/8, which is what you will actually see on internal networks today.

DHCPv6 uses the Managed Address Configuration Flag (M flag).

When set to 1, the device should use DHCPv6 to obtain a stateful IPv6 address.

Other stateful configuration flag (O flag).

When set to 1, the device should use DHCPv6 to obtain other TCP/IP configuration settings. In other words, it should use the DHCP server to set things like the addresses of the DNS servers. (Unlike DHCPv4, DHCPv6 does not hand out the default gateway: IPv6 hosts learn their router from the router’s own advertisements, which is also where the M and O flags come from.)
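The groups described above (loopback, link-local, site-local and its ULA replacement, and global) can be told apart by prefix. The following added example (not code from the book; standard library only) classifies an IPv6 address, extracts its /64 network, and checks the one symptom that actually means “no routable address was obtained”: an interface that has nothing but a link-local address. The addresses used are constructed; 2001:db8::/32 is the documentation prefix reserved for examples.

```python
"""Classify IPv6 addresses into the groups the text describes.

Added example; not code from the book. Uses only the standard library. The
addresses in the usage section are constructed; 2001:db8::/32 is the
documentation prefix reserved for examples.
"""
import ipaddress

SITE_LOCAL = ipaddress.ip_network("fec0::/10")    # deprecated by RFC 3879
UNIQUE_LOCAL = ipaddress.ip_network("fc00::/7")   # RFC 4193 replacement for site-local


def classify_v6(text: str) -> str:
    addr = ipaddress.IPv6Address(text)
    if addr.is_loopback:          # ::1
        return "loopback"
    if addr.is_unspecified:       # ::
        return "unspecified"
    if addr.is_link_local:        # fe80::/10, present on every IPv6 interface
        return "link-local"
    if addr in SITE_LOCAL:        # fec0::/10
        return "site-local (deprecated)"
    if addr in UNIQUE_LOCAL:      # fc00::/7, in practice fd00::/8
        return "unique-local"
    if addr.is_multicast:         # ff00::/8
        return "multicast"
    return "global"


def is_internet_routable(text: str) -> bool:
    return classify_v6(text) == "global"


def network_prefix(text: str, length: int = 64) -> str:
    """Network portion in CIDR form; /64 is the usual size of one LAN segment."""
    return str(ipaddress.ip_network("%s/%d" % (text, length), strict=False))


def expand(text: str) -> str:
    """Write out the address in full, undoing the :: shorthand."""
    return ipaddress.IPv6Address(text).exploded


def only_link_local(addresses) -> bool:
    """True when an interface has nothing but its self-assigned fe80:: address,
    which is the IPv6 symptom of 'could not obtain a routable address'."""
    kinds = {classify_v6(a) for a in addresses}
    return kinds == {"link-local"}


if __name__ == "__main__":
    for a in ("::1", "fe80::1", "fec0::1", "fd12:3456:789a::1", "ff02::1", "3FFE:B00:800:2::C"):
        print(a, "->", classify_v6(a))
    print(network_prefix("2001:db8:abcd:12:dead:beef:1:2"))
    print(only_link_local(["fe80::1234"]), only_link_local(["fe80::1234", "2001:db8::5"]))
```

When you are writing firewall rules, remember that link-local and unique-local traffic should never be seen arriving from the Internet side; a packet with such a source on an external interface is either a misconfiguration or a spoof and can be dropped.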

Uniform Resource Locators

For most people, the main purpose for getting on the Internet is web pages (but there are other things such as e-mail and file downloading). If you had to remember IP addresses and type those in, then surfing the Net would be cumbersome at best. Fortunately, you don’t have to. You type in domain names that make sense to humans and those get translated into IP addresses. For example, you might type in www.chuckeasttom.com to go to my website. The full string you type, including the scheme and any path, is a Uniform Resource Locator, or URL; the part of it that must be translated into an IP address is the host name, www.chuckeasttom.com. Your computer, or your ISP, performs that translation using the DNS (Domain Name System) protocol, which is introduced along with other protocols a bit later in Table 1-2. So you are typing in a name that makes sense to humans, but your computer is using the corresponding IP address to connect. If that address is found, your browser sends a packet (using the HTTP protocol) to TCP port 80, or to TCP port 443 if the URL begins with https. If that target computer has software that listens and responds to such requests (like web-server software such as Apache or Microsoft Internet Information Services), then the target computer will respond to your browser’s request and communication will be established. This method is how web pages are viewed. If you have ever received an Error 404: File Not Found, what you’re seeing is that your browser received back a packet (from the web server) with status code 404, denoting that the web page you requested could not be found. The web server can send back a series of status codes to your web browser, indicating different situations.

E-mail works in much the same way as visiting websites. Your e-mail client will seek out the address of your e-mail server. Then your e-mail client will use either POP3 (or IMAP) to retrieve your incoming e-mail, or SMTP to send your outgoing e-mail. Your e-mail server (probably at your ISP or your company) will then try to resolve the address you are sending to. If you send something to chuckeasttom@yahoo.com, your e-mail server will look up the DNS MX (mail exchanger) record for yahoo.com to find the IP address of the mail server that accepts mail for that domain, and then your server will deliver your e-mail there over SMTP. Note that POP3 is the older of the two retrieval protocols; IMAP, described next, is now widely used.

IMAP is now widely used as well. Internet Message Access Protocol operates on port 143 (port 993 when wrapped in TLS). The main advantage of IMAP over POP3 is that it leaves the mailbox on the server and allows the client to download only the headers to the machine, after which the user can choose which messages to fully download. This is particularly useful for smart phones and for reading the same mailbox from several devices.

MAC Addresses

MAC addresses are an interesting topic. (You might notice that MAC is also a sublayer of the data link layer of the OSI model.) A MAC address is the address of an NIC, represented by a six-byte hexadecimal number such as 00:1A:2B:3C:4D:5E; the first three bytes identify the manufacturer and the last three are assigned by that manufacturer, so every NIC is intended to have a unique address. (In practice the address is only as unique as the driver lets it be: most operating systems allow it to be changed, so a MAC address is not reliable proof of a machine’s identity.) The Address Resolution Protocol (ARP) is used to convert IP addresses to MAC addresses. So, when you type in a web address, the DNS protocol is used to translate that into an IP address. ARP then translates an IP address into the MAC address of a specific NIC, but only on the local network segment: MAC addresses never cross a router. If the destination IP address is outside your own subnet, your computer instead ARPs for the MAC address of its default gateway and hands the packet to the router.
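The decision just described (ARP for the destination itself if it is on the local subnet, otherwise for the default gateway) is short enough to show in code. The following added example (not code from the book) implements it, together with a minimal ARP cache that notices when a reply claims a different MAC for an IP it has already learned; a normal ARP stack overwrites the entry silently, which is the behavior that ARP cache poisoning relies on. The host configuration, MAC addresses and replies are constructed for illustration.

```python
"""Which address does a host ARP for, and a minimal ARP cache that notices
when a learned IP-to-MAC mapping changes.

Added example; not code from the book. The host configuration, MAC addresses
and ARP replies in the usage section are constructed for illustration.
"""
import ipaddress


def arp_target(host_ip: str, prefix_len: int, gateway_ip: str, dest_ip: str) -> str:
    """Return the IP whose MAC the host must resolve to reach dest_ip.

    MAC addresses are local to one segment, so a destination outside the
    host's own subnet is reached through the default gateway's MAC.
    """
    local_net = ipaddress.ip_network("%s/%d" % (host_ip, prefix_len), strict=False)
    return dest_ip if ipaddress.ip_address(dest_ip) in local_net else gateway_ip


class ArpCache:
    """IP -> MAC table built from ARP replies seen on the segment."""

    def __init__(self):
        self.table = {}
        self.conflicts = []   # (ip, previously learned mac, mac now claimed)

    def learn(self, ip: str, mac: str) -> bool:
        """Record a reply. Returns False (and keeps the old entry) if the reply
        claims a different MAC for an IP we already know: a plain ARP stack
        would overwrite silently, which is how ARP cache poisoning works."""
        mac = mac.lower()
        known = self.table.get(ip)
        if known is not None and known != mac:
            self.conflicts.append((ip, known, mac))
            return False
        self.table[ip] = mac
        return True

    def resolve(self, host_ip: str, prefix_len: int, gateway_ip: str, dest_ip: str):
        """(IP to ARP for, cached MAC or None). A None MAC means a request
        must still go out on the wire for the returned IP."""
        target = arp_target(host_ip, prefix_len, gateway_ip, dest_ip)
        return target, self.table.get(target)


if __name__ == "__main__":
    cache = ArpCache()
    cache.learn("192.168.1.1", "00:11:22:33:44:55")          # gateway, first seen
    cache.learn("192.168.1.1", "66:77:88:99:aa:bb")          # someone else now claims it
    print(cache.resolve("192.168.1.10", 24, "192.168.1.1", "93.184.216.34"))
    print(cache.conflicts)
```

A changed mapping is not always an attack: a DHCP lease can move an address to a different machine, and a replaced NIC gets a new MAC. The point is that the change should be visible and logged rather than accepted blindly; tools such as arpwatch do exactly this on production segments.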

Protocols

Different types of communications exist for different purposes. The different types of network communications are called protocols. A protocol is, essentially, an agreed-upon method of communications. In fact, this definition is exactly how the word protocol is used in standard, non-computer usage. Each protocol has a specific purpose and normally operates on a certain port (more on ports in a bit). Table 1-2 lists some of the most important protocols.

TABLE 1-2 Logical Ports and Protocols

Protocol | Purpose | Port
FTP (File Transfer Protocol) | For transferring files between computers. Credentials and data are sent unencrypted. | 20 & 21
SSH (Secure Shell) | Encrypted remote login and, through SCP and SFTP, encrypted file transfer. The secure replacement for Telnet and FTP. | 22
Telnet | Used to remotely log on to a system. You can then use a command prompt or shell to execute commands on that system. Once popular with network administrators, but everything, including the password, crosses the network in cleartext, so SSH should be used instead. | 23
SMTP (Simple Mail Transfer Protocol) | Sends e-mail. | 25
WhoIS | Queries a registry for the registration details (owner, contacts, name servers) of a domain name or IP address block. | 43
DNS (Domain Name System) | Translates domain names into IP addresses. | 53
tFTP (Trivial File Transfer Protocol) | A minimal form of FTP that runs over UDP with no authentication; used mostly for booting devices and loading their configurations. | 69
HTTP (Hypertext Transfer Protocol) | Displays web pages. | 80
POP3 (Post Office Protocol Version 3) | Retrieves e-mail. | 110
NNTP (Network News Transfer Protocol) | Used for network news groups (Usenet newsgroups). You can access these groups over the web via www.google.com. | 119
NetBIOS | An older Microsoft protocol for naming systems on a local network. | 137, 138, 139
IRC (Internet Relay Chat) | Chat rooms. (194 is the registered port; most IRC servers actually listen on 6667.) | 194
HTTPS (Hypertext Transfer Protocol Secure) | HTTP encrypted with TLS (originally SSL). | 443
SMB (Server Message Block) | Windows file and printer sharing; also used by Microsoft Active Directory. | 445
ICMP (Internet Control Message Protocol) | Not a TCP or UDP protocol at all. These are packets that contain error messages, informational messages, and control messages; ping uses it. | No port (IP protocol number 1)

You should note that this list is not complete. Hundreds of other protocols exist, but for now discussing these will suffice. All of these protocols are part of a suite of protocols referred to as TCP/IP (Transmission Control Protocol/Internet Protocol). The most important thing for you to realize is that the communication on networks takes place via packets, and those packets are transmitted according to certain protocols, depending on the type of communication that is occurring. You might be wondering what a port is. Don’t confuse this type of port with the connections on the back of your computer, such as a serial port or parallel port. A port in networking terms is a handle, a connection point. It is a numeric designation for a particular pathway of communications. Port numbers run from 0 to 65535; the well-known ports below 1024 are reserved for standard services like those in Table 1-2. All network communication, regardless of the port used, comes into your computer via the connection on your NIC. You might think of a port as a channel on your TV. You probably have one cable coming into your TV but you can view many channels. You have one cable coming into your computer, but you can communicate on many different ports.

So the picture we’ve drawn so far of networks is one of machines connected to each other via cables, and perhaps to hubs/switches/routers. Networks transmit binary information in packets using certain protocols and ports. This is an accurate picture of network communications, albeit a simple one.

BASIC NETWORK UTILITIES

Now that you know what IP addresses and URLs are, you need to be familiar with some basic network utilities. You can execute some network utilities from a command prompt (Windows) or from a shell (Unix/Linux). Many readers are already familiar with Windows, so the text’s discussion will focus on how to execute the commands and discuss them from the Windows command-prompt perspective. However, it must be stressed that these utilities are available in all operating systems. This section covers the essential or common utilities.

ipconfig

The first thing you want to do is get information about your own system. To accomplish this fact-finding mission, you must get a command prompt. In Windows, you do this by going to the Start menu, selecting All Programs, and then choosing Accessories. You can also go to Start, Run, and type cmd to get a command prompt. In Windows 10 you go to Search and type cmd. Now you can type in ipconfig. (The traditional equivalent in Unix or Linux is ifconfig, typed from the shell; on current Linux distributions ifconfig is often not installed at all, and ip addr, or just ip a, does the same job.) After typing in ipconfig, you should see something much like Figure 1-1.

FIGURE 1-1 ipconfig

This command gives you some information about your connection to a network (or to the Internet). Most importantly you find out your own IP address. The command also has the IP address for your default gateway, which is your connection to the outside world. Running the ipconfig command is a first step in determining your system’s network configuration. Most commands this text mentions, including ipconfig, have a number of parameters, or flags, that can be passed to the commands to make the computer behave in a certain way. You can find out what these flags are by typing in the command, followed by a space, and then typing in hyphen question mark: -? (for example, ipconfig -?). Unix and Linux tools generally use --help instead, or have a manual page you can read with man followed by the command name.

As you can see, you might use a number of options to find out different details about your computer’s configuration. The most commonly used method would probably be ipconfig /all, shown in Figure 1-2.

FIGURE 1-2 ipconfig/all

You can see that this option gives you much more information. For example, ipconfig /all gives the name of your computer, the physical (MAC) address of each adapter, the DHCP and DNS servers it is using, and when your computer obtained its IP address lease and when that lease expires.

ping

Another commonly used command is ping. ping is used to send a test packet, or echo packet, to a machine to find out whether the machine is reachable and how long the packet takes to reach the machine. This useful diagnostic tool can be employed in elementary hacking techniques. Figure 1-3 shows the command.

FIGURE 1-3 ping

This figure tells you that a 32-byte echo packet was sent to the destination and returned. The ttl means “time to live.” That value is how many intermediary steps, or hops, the packet may take toward the destination before it is given up on. Remember that the Internet is a vast conglomerate of interconnected networks. Your packet probably won’t go straight to its destination. It will have to take several hops to get there. As with ipconfig, you can type in ping -? to find out various ways you can refine your ping.

tracert

The next command we will examine in this chapter is tracert. This command is a sort of “ping deluxe.” tracert not only tells you whether the packet got there and how long it took, but it also tells you all the intermediate hops it took to get there. (This same command can be executed in Linux or Unix, but there it is called traceroute rather than tracert.) You can see this utility in Figure 1-4.

FIGURE 1-4 tracert

With tracert, you can see the IP address of each intermediate step listed, and how long (in milliseconds) it took to get to that step. Knowing the steps required to reach a destination can be very important. If you use Linux, it is traceroute rather than tracert.

netstat

netstat is another interesting command. It is an abbreviation for Network Status. Essentially, this command tells you what connections your computer currently has. Don’t panic if you see several connections; that does not mean a hacker is in your computer. You will see many private IP addresses. This means your network has internal communication going on. You can see this in Figure 1-5.

Certainly, other utilities can be of use to you when working with network communications. However, the four we just examined are the core utilities. These four (ipconfig, ping, tracert, and netstat) are absolutely essential to any network administrator, and you should commit them to memory.


FIGURE 1-5 netstat
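The netstat discussion above says not to panic at a long connection list, because most entries are internal. Here is an added example, not from the book, that turns that advice into a triage script: it parses a constructed listing laid out like Windows netstat -an (not a capture from a real host), labels each remote address as loopback, private, unspecified (a listening socket), wildcard, or public, and lists only the connections that actually leave the local network. The function names, the sample rows, and the address values are all assumptions made for this example.

```python
"""Triage a netstat listing: which connections are internal, which leave the
network, and what state each is in. Added example; not the book's code."""
import ipaddress
from collections import Counter

# Constructed sample output (not a real capture). Windows-style columns:
# Proto, Local Address, Foreign Address, State (UDP rows carry no state).
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:49664        127.0.0.1:49665        ESTABLISHED
  TCP    192.168.1.10:49700     192.168.1.5:445        ESTABLISHED
  TCP    192.168.1.10:49712     192.168.1.20:3389      TIME_WAIT
  TCP    192.168.1.10:49720     93.184.216.34:443      ESTABLISHED
  TCP    192.168.1.10:49721     8.8.8.8:53             SYN_SENT
  TCP    [::1]:49800            [::1]:49801            ESTABLISHED
  UDP    0.0.0.0:5353           *:*
  UDP    192.168.1.10:137       *:*
"""


def split_endpoint(endpoint):
    """Split 'host:port' into (host, port); handles IPv6 '[addr]:port' and '*:*'."""
    if endpoint.startswith("["):
        host, _, port = endpoint[1:].partition("]:")
        return host, port
    host, _, port = endpoint.rpartition(":")
    return host, port


def classify_host(host):
    """Label an address by where it points. Order matters: 0.0.0.0 and
    127.0.0.1 also fall inside ipaddress's private ranges, so they are
    checked first."""
    if host in ("*", ""):
        return "wildcard"
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return "unparsed"
    if addr.is_unspecified:
        return "unspecified"   # 0.0.0.0 / :: as a remote means a listening socket
    if addr.is_loopback:
        return "loopback"
    if addr.is_private:
        return "private"       # RFC 1918 and other reserved ranges
    return "public"


def parse_netstat(text):
    """Return one dict per connection row, skipping the banner and header."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue  # banner, header or blank line
        proto, local, foreign = parts[0], parts[1], parts[2]
        state = parts[3] if len(parts) > 3 else "-"   # UDP has no state column
        rhost, rport = split_endpoint(foreign)
        rows.append({
            "proto": proto,
            "local": local,
            "remote_host": rhost,
            "remote_port": rport,
            "state": state,
            "scope": classify_host(rhost),
        })
    return rows


def summarize(rows):
    """Count connections by state and by remote-address scope, and list the
    remote endpoints that actually leave the local network."""
    by_state = Counter(r["state"] for r in rows)
    by_scope = Counter(r["scope"] for r in rows)
    external = sorted(
        f'{r["remote_host"]}:{r["remote_port"]} ({r["state"]})'
        for r in rows if r["scope"] == "public"
    )
    return {"by_state": dict(by_state), "by_scope": dict(by_scope),
            "external": external}


if __name__ == "__main__":
    report = summarize(parse_netstat(SAMPLE_NETSTAT))
    for key, value in report.items():
        print(key, value)
```

On a real host you would feed the script the saved output of netstat -an instead of the constructed string; the "external" list is the short list worth a second look, while the private and loopback rows are the ordinary internal chatter the text describes.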

THE OSI MODEL

The Open Systems Interconnect (OSI) model describes how networks communicate (see Table 1-3). It describes the various protocols and activities and tells how the protocols and activities relate to each other. This model is divided into seven layers. It was originally developed by the International Organization for Standardization (ISO) in the 1980s.

TABLE 1-3 The OSI Model

Layer: Application
Description: This layer interfaces directly to applications and performs common application services for the application processes.
Protocols: POP, SMTP, DNS, FTP, Telnet

Layer: Presentation
Description: The presentation layer relieves the application layer of concern regarding syntactical differences in data representation within the end-user systems.
Protocols: Telnet, Network Data Representation (NDR), Lightweight Presentation Protocol (LPP)

Layer: Session
Description: The session layer provides the mechanism for managing the dialogue between end-user application processes.
Protocols: NetBIOS

Layer: Transport
Description: This layer provides end-to-end communication control.
Protocols: TCP, UDP

Layer: Network
Description: This layer routes the information in the network.
Protocols: IP, ARP, ICMP

Layer: Data link
Description: This layer describes the logical organization of data bits transmitted on a particular medium. The data link layer is divided into two sublayers: the Media Access Control layer (MAC) and the Logical Link Control layer (LLC).
Protocols: SLIP, PPP

Layer: Physical
Description: This layer describes the physical properties of the various communications media, as well as the electrical properties and interpretation of the exchanged signals. In other words, the physical layer is the actual NIC, Ethernet cable, and so forth.
Protocols: IEEE 1394, DSL, ISDN

Many networking students memorize this model. At least memorizing the names of the seven layers and understanding basically what they each do is good. From a security perspective, the more you understand about network communications, the more sophisticated your defense can be. The most important thing for you to understand is that this model describes a hierarchy of communication. One layer communicates only with the layer directly above it or below it.

WHAT DOES THIS MEAN FOR SECURITY?

This book covers security from numerous angles, but ultimately only three venues exist for attack, and thus three venues for security (note this is not about attack vectors, of which there are many):

The data itself: After data leaves your network, the packets are vulnerable for interception and even alteration. Later in this book, during the discussion of encryption and virtual private networks, you will learn how to secure this data. Data can also be attacked at rest, when stored on a computer.

The network connection points: Whether it is the routers or the firewall, any place where one computer connects to another is a place that can be attacked, and one that must be defended. When looking at a system’s security, you should first look at the connectivity points.

The people: People always pose a security risk. Either through ignorance, malicious intent, or simple error, people on a system can compromise the system’s security.

As you proceed through this book, don’t lose sight of the basic purpose, which is to secure networks and the data they store and transmit.

ASSESSING LIKELY THREATS TO THE NETWORK

Before you can explore the topic of computer security, you must first formulate a realistic assessment of the threats to those systems. The key word is realistic. Clearly one can imagine some very elaborate and highly technical potential dangers. However, as a network security professional, you must focus your attention—and resources—on the likely dangers. Before delving into specific threats, let’s get an idea of how likely attacks, of any type, are on your system.

In this regard, there seem to be two extreme attitudes toward computer security. The first viewpoint holds that little real danger or threat exists to computer systems and that much of the negative news is simply a reflection of unwarranted panic. People of this attitude often think that taking only minimal security precautions should ensure the safety of their systems. Unfortunately, some people in decision-making positions hold this point of view. The prevailing sentiment of these individuals is, “If our computer/organization has not been attacked so far, we must be secure.”

This viewpoint often leads to a reactive approach to computer security, meaning that people will wait until after an incident to decide to address security issues. Waiting to address security until an attack occurs might be too late. In the best of circumstances, the incident might have only a minor impact on the organization and serve as a much-needed wake-up call. In less fortunate cases, an organization might face serious, possibly catastrophic consequences. For example, some organizations did not have an effective network security system in place when the WannaCry virus attacked their systems. In fact, WannaCry would have been completely avoided if systems had been patched. Avoiding this laissez-faire approach to security is imperative.


Any organization that embraces this extreme—and erroneous—philosophy is likely to invest little time or resources in computer security. They might have a basic firewall and antivirus software, but most likely expend little effort ensuring that they are properly configured or routinely updated.

The second viewpoint is that every teenager with a laptop is a highly skilled hacker who can traverse your systems at will and bring your network to its knees. Think of hacking skill like military experience. Finding someone who was in the military is not too hard, but encountering a person who was in Delta Force or Seal Team 6 is rare. Although military experience is fairly common, high levels of special operations skills are not. The same is true with hacking skills. Finding individuals who know a few hacking tricks is easy. Finding truly skilled hackers is far less common.

In Practice

In the Real World

Whenever I am asked to perform some consulting or training task, I get to see a number of diverse network environments. From this experience, I have developed the opinion that a disturbingly large segment of the business world takes a very lax approach to computer security. Following are a few examples of behavior that indicate (to me) a lax view toward security:

Companies that do not have any type of intrusion-detection system (IDS, covered in Chapter 5, “Intrusion-Detection Systems”)

Companies that have inadequate antivirus/anti-spyware (covered in Chapter 10, “Defending Against Trojan Horses, Spyware, and Adware”)

Companies that have unsecured backup media (see the discussion in Chapter 11, “Security Policies”)

Companies with no plan for implementing patches (discussed in Chapter 8, “Operating System Hardening”)

These are just a few examples of organizations that are not addressing network security in an appropriate manner.


At the other end of the spectrum, some executives overestimate security threats. They assume that very talented hackers exist in great numbers and that all of them are an imminent threat to their system. They might believe that virtually any teenager with a laptop can traverse highly secure systems at will. This viewpoint has, unfortunately, been fostered by a number of movies that depict computer hacking in a somewhat glamorous light. Such a worldview makes excellent movie plots, but is simply unrealistic. The reality is that many people who call themselves hackers are less knowledgeable than they think. Systems protected by even moderate security precautions have a low probability of being compromised by a hacker of this skill level.

This does not mean that skillful hackers do not exist. They most certainly do. However, people with the skill to compromise relatively secure systems must use rather time-consuming and tedious techniques to breach system security. These hackers must also weigh the costs and benefits of any hacking mission. Skilled hackers tend to target systems that have a high benefit, either financially or ideologically. If a system is not perceived as having sufficient benefit, a skilled hacker is less likely to expend the resources to compromise it. Burglars are one good analogy: Certainly, highly skilled burglars exist; however, they typically seek high-value targets. The thief who targets small businesses and homes usually has limited skills. The same is true of hackers.

FYI: Skilled Versus Unskilled Hackers

Skilled hackers usually target only highly attractive sites. Attractive sites offer valuable information or publicity. Military computers—even simple web servers with no classified information—offer a great deal of publicity. Banks, on the other hand, generally have very valuable information. Novice hackers usually start with a low value and, consequently, often less secure system. Low value systems might not have any data of substantial value or offer much publicity. A college web server would be a good example. Although novice hackers’ skills are not as well developed, their numbers are greater. Also, monetary gains are not the only factor that might make a system attractive to a skilled hacker. If a hacker objects to an organization’s ideological stance (for example, if an organization sells large sport utility vehicles that the hacker feels is poor environmental policy), then she might target its system.

Both extreme attitudes regarding the dangers to computer systems are inaccurate. It is certainly true that people exist who have both the comprehension of computer systems and the skills to compromise the security of many, if not most, systems. However, it is also true that many who call themselves hackers are not as skilled as they claim. They have ascertained a few buzzwords from the Internet and are convinced of their own digital supremacy, but they are not able to effect any real compromises to even a moderately secure system.

You might think that erring on the side of caution, or extreme diligence, would be the appropriate approach. In reality, you do not need to take either extreme view. You should take a realistic view of security and formulate practical strategies for defense. Every organization and IT department has finite resources: You only have so much time and money. If you squander part of those resources guarding against unrealistic threats, then you might not have adequate resources left for more practical projects. Therefore, a realistic approach to network security is the only practical approach.

You might be wondering why some people overestimate dangers to their networks. The answer, in part at least, lies with the nature of the hacking community and with the media. Media outlets have a tendency to sensationalize. You don’t get good ratings by downplaying danger; you get them by emphasizing, and perhaps outright exaggerating. Also, the Internet is replete with people claiming significant skill as hackers. As with any field of human endeavor, the majority is merely average. The truly talented hacker is no more common than the truly talented concert pianist. Consider how many people take piano lessons at some point in their lives, and then consider how many of those ever truly become virtuosos.

The same is true of computer hackers. Keep in mind that even those who do possess the requisite skill also need the motivation to expend the time and effort necessary to compromise your system. Keep this fact in mind when considering any claims of cyber prowess you might encounter.

The claim that many people who describe themselves as hackers lack real skill is not based on any study or survey. A reliable study on this topic would be impossible because hackers are unlikely to identify themselves and submit to skills tests. I came to this conclusion based on two considerations:

The first is simply years of experience traversing hacker discussion groups, chat rooms, and bulletin boards. In more than two decades of work in this field, I have encountered talented and highly skilled hackers, yet I encounter far more who claim to be hackers but clearly demonstrate a lack of sufficient skill. I have also been a frequent speaker at hacking conferences, including DEF CON, and have published in hacking magazines such as 2600. I have had the opportunity to interact extensively with the hacking community.

The second is that it is a fact of human nature that the vast majority of people in any field are, by definition, mediocre. Consider the millions of people who work out at a gym on a regular basis, and consider how few ever become competitive body builders. In any field, most participants will be mediocre. That is not meant as a derogatory statement; it is just a fact of life.

This statement is also not meant to minimize the dangers of hacking. That is not my intent at all. Even an unskilled novice attempting to intrude on a system will get in, in the absence of appropriate security precautions. Even if the would-be hacker does not successfully breach security, he can still be quite a nuisance. Additionally, some forms of attack don’t require much skill at all. We discuss these later in this book.

A more balanced view (and therefore, a better way to assess the threat level to any system) is to weigh the attractiveness of a system to potential intruders against the security measures in place. As you shall see, the greatest threat to any system is not actually hackers. Viruses and other attacks are far more prevalent. Threat assessment is a complex task with multiple facets.

CLASSIFICATIONS OF THREATS


Your network certainly faces real security threats, and these threats can manifest themselves in a variety of forms. There are a variety of ways one might choose to classify the various threats to your system. You could choose to classify them by the damage caused, the level of skill required to execute the attack, or perhaps even by the motivation behind the attack. For our purposes we categorize attacks by what they actually do. Based on that philosophy, most attacks can be categorized as one of three broad classes:

Intrusion

Blocking

Malware

Figure 1-6 shows the three categories. The intrusion category includes any attempt to breach security and gain unauthorized access to a system. This is generally what hackers do. The second category of attack, blocking, includes attacks designed to prevent legitimate access to a system. Blocking attacks are often called denial of service attacks (or simply DoS). In these types of attacks the purpose is not to actually get into your system but simply to block legitimate users from gaining access.

FIGURE 1-6 Types of attacks

FYI: What About Other Attacks?

Chapter 2 covers attacks such as buffer overflows that can be used for more than one category. For example, a buffer overflow can be used to shut down a machine, thus making it a blocking attack, or it can be used to breach system security, making it an intrusion attack. However, once it’s implemented, it will be in one category or the other.

The third category of threats is the installation of malware on a system. Malware is a generic term for software that has a malicious purpose. It includes virus attacks, Trojan horses, and spyware. Because this category of attack is perhaps the most prevalent danger to systems, we examine it first.

Malware

Malware is probably the most common threat to any system, including home users’ systems, small networks, and large enterprise wide-area networks. One reason is that malware is often designed to spread on its own, without the creator of the malware having to be directly involved. This makes this sort of attack much easier to spread across the Internet, and hence more widespread.

The most obvious example of malware is the computer virus. You probably have a general idea of what a virus is. If you consult different textbooks you will probably see the definition of a virus worded slightly differently. One definition for a virus is “a program that can ‘infect’ other programs by modifying them to include a possibly evolved copy of itself.” That is a very good definition, and one you will see throughout this book. A computer virus is analogous to a biological virus in that both replicate and spread. The most common method for spreading a virus is using the victim’s e-mail account to spread the virus to everyone in his address book. Some viruses do not actually harm the system itself, but all of them cause network slowdowns or shutdowns due to the heavy network traffic caused by the virus replication.

In Practice

Real Viruses

The original MyDoom worm is discussed in detail in Chapters 2 and 9. MyDoom.BB virus is a variation on MyDoom that began to spread early in 2005. This particular worm appears on your hard drive as either java.exe or services.exe. This is an important thing to learn about viruses. Many try to appear as legitimate system files, thus preventing you from deleting them. There have been many viruses since that time, including well-known viruses such as Stuxnet, Flame, WannaCry, and many others.


This particular worm sends itself out to everyone in your address book, thus spreading quite rapidly. This worm attempts to download a backdoor program giving the attacker access to your system.

From a technological point of view, this worm was most interesting for how it extracts e-mail addresses. It should be noted that the worm uses a much improved algorithm for e-mail address recognition. Now it can catch such e-mail addresses as

chuck@nospam.domain.com

chuck-at-domain-dot-com

These addresses are translated by the worm to the usable format. Many other e-mail extraction engines are foiled by these sorts of e-mail address permutations (which is why they are used).

Another type of malware, often closely related to the virus, is the Trojan horse. The term is borrowed from the ancient tale. In this tale, the city of Troy was besieged for a long period of time, but the attackers could not gain entrance. They constructed a huge wooden horse and left it in front of the gates to Troy one night. The next morning, the residents of Troy saw the horse and assumed it to be a gift, consequently rolling the wooden horse into the city. Unbeknownst to them, several soldiers were hidden inside the horse. That evening, the soldiers left the horse, opened the city gates, and let their fellow attackers into the city. An electronic Trojan horse works in the same manner, appearing to be benign software but secretly downloading a virus or some other type of malware onto your computer from within. In short, you have an enticing gift that you install on your computer, and later find it has unleashed something quite different from what you expected. It is a fact that Trojan horses are more likely to be found in illicit software. There are many places on the Internet to get pirated copies of commercial software. Finding that such software is actually part of a Trojan horse is not at all uncommon.

Trojan horses and viruses are the two most widely encountered forms of malware. A third category of malware is spyware, which is increasing in frequency at a dramatic pace. Spyware is software that literally spies on what you do on your computer. This can be as simple as a cookie—a text file that your browser creates and stores on your hard drive. Cookies are downloaded onto your machine by websites you visit. This text file is then used to recognize you when you return to the same site. That file can enable you to access pages more quickly and save you from having to enter your information multiple times on pages you visit frequently. However, in order to do this, that file must be read by the website; this means it can also be read by other websites. Any data that the file saves can be retrieved by any website, so your entire Internet browsing history can be tracked.

Another form of spyware, called a key logger, records all of your keystrokes. Some also take periodic screen shots of your computer. Data is then either stored for retrieval later by the party who installed the key logger or is sent immediately back via e-mail. In either case, every single thing you do on your computer is recorded for the interested party.

FYI: Key Loggers

Although we defined a key logger as software, note that hardware-based key loggers do indeed exist. Hardware-based key loggers are much less common than software-based key loggers. The reason for this is that software key loggers are easier to place on a targeted machine. Hardware key loggers require you to physically go to the machine and install hardware. If the key logger is being installed without the computer user’s knowledge, then installing a physical device can be quite difficult. A software key logger can be installed via a Trojan horse with the perpetrator not even being in the same city as the target computer.

Compromising System Security—Intrusions

One could make the argument that any sort of attack is aimed at compromising security. However, intrusions are those attacks that are actually trying to intrude into the system. They are different from attacks that simply deny users access to the system (blocking), or attacks that are not focused on a particular target such as viruses and worms (malware). Intrusion attacks are designed to gain access to a specific targeted system and are commonly referred to as hacking, although that is not the term hackers themselves use. Hackers call this type of attack cracking, which means intruding onto a system without permission, usually with malevolent intent. Any attack designed to breach security, either via some operating system flaw or any other means, can be classified as cracking. As you progress through this book you will encounter a few specific methods for intruding on a system. In many cases, if not most, the idea is to exploit some software flaw to gain access to the target system.

Using security flaws is not the only method for intruding into a system. In fact, some methods can be technologically much easier to execute. For example, one method for breaching a system’s security that is not technology-based at all is called social engineering, which, as the name implies, relies more on human nature than technology. This was the type of attack that the famous hacker Kevin Mitnick most often used. Social engineering uses standard con artist techniques to get users to offer up the information needed to gain access to a target system. The way this method works is rather simple. The perpetrator obtains preliminary information about a target organization, such as the name of its system administrator, and leverages it to gain additional information from the system’s users. For example, he might call someone in accounting and claim to be one of the company’s technical support personnel. The intruder could use the system administrator’s name to validate that claim. He could then ask various questions to learn additional details about the system’s specifications. A savvy intruder might even get a person to provide a username and password. As you can see, this method is based on how well the intruder can manipulate people and actually has little to do with computer skills.

Social engineering and exploiting software flaws are not the only means of executing an intrusion attack. The growing popularity of wireless networks gives rise to new kinds of attacks. The most obvious and dangerous activity is war-driving. This type of attack is an offshoot of war-dialing. With war-dialing, a hacker sets up a computer to call phone numbers in sequence until another computer answers to try and gain entry to its system. War-driving, using much the same concept, is applied to locating vulnerable wireless networks. In this scenario, a hacker simply drives around trying to locate wireless networks. Many people forget that their wireless network signal often extends as much as 100 feet (thus, past walls). At DEF CON 2003, the annual hackers’ convention, contestants participated in a war-driving contest in which they drove around the city trying to locate as many vulnerable wireless networks as they could.

Denial of Service

The third category of attacks is blocking attacks, an example of which is the denial of service attack (DoS). In this attack, the attacker does not actually access the system, but rather simply blocks access to the system from legitimate users. In the words of the CERT (Computer Emergency Response Team) Coordination Center (the first computer security incident response team), “A ‘denial-of-service’ attack is characterized by an explicit attempt by attackers to prevent legitimate users of a service from using that service.” One often-used blocking method is flooding the targeted system with so many false connection requests that it cannot respond to legitimate requests. DoS is an extremely common attack method, second only to malware.
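The flooding method described above, in which a target is swamped with connection requests, is also what makes blocking attacks visible on the defender's side: a burst of requests far above a source's normal rate. The following is an added example, not from the book, showing a minimal rate-based detector run over a constructed connection log (one line per inbound TCP attempt, "epoch_seconds source_ip destination_port"; no real capture is involved). It keeps a sliding window per source to catch a single flooding host and an aggregate window to catch a flood spread across many sources. The window length, both thresholds, the function names, and the source addresses are assumptions chosen for illustration; a real deployment tunes the thresholds per service.

```python
"""Rate-based detection of a connection-request flood. Added example; the
log format, thresholds and addresses are assumptions, not the book's."""
from collections import defaultdict, deque

WINDOW_SECONDS = 10      # assumed sliding window length
PER_SOURCE_LIMIT = 20    # assumed: attempts per source per window before alerting
AGGREGATE_LIMIT = 100    # assumed: attempts across all sources per window


def build_sample_log():
    """Construct a log (not a real capture): a few ordinary clients spread
    over a minute, plus one source firing 40 requests in two seconds."""
    lines = []
    for t in range(0, 60, 3):                      # normal traffic
        lines.append(f"{1000 + t} 192.168.1.{10 + (t % 4)} 443")
    for i in range(40):                            # the flooding source
        lines.append(f"{1030 + i // 20} 203.0.113.77 443")
    # Order by timestamp; sorted() is stable, so ties keep insertion order.
    return sorted(lines, key=lambda line: int(line.split()[0]))


def parse_line(line):
    """'epoch_seconds src_ip dst_port' -> (int, str, int)."""
    ts, src, port = line.split()
    return int(ts), src, int(port)


def detect_floods(lines, window=WINDOW_SECONDS,
                  per_source=PER_SOURCE_LIMIT, aggregate=AGGREGATE_LIMIT):
    """Walk the log in time order and return alerts. Each source is alerted
    at most once; the aggregate alert fires at most once."""
    per_src = defaultdict(deque)   # source -> timestamps inside the window
    all_ts = deque()               # every timestamp inside the window
    alerts = []
    flagged = set()
    aggregate_flagged = False

    for line in lines:
        ts, src, _port = parse_line(line)

        q = per_src[src]
        q.append(ts)
        while q and q[0] < ts - window:        # expire old events for this source
            q.popleft()

        all_ts.append(ts)
        while all_ts and all_ts[0] < ts - window:   # expire old events overall
            all_ts.popleft()

        if len(q) > per_source and src not in flagged:
            flagged.add(src)
            alerts.append({"type": "source_flood", "source": src,
                           "at": ts, "count": len(q)})

        if len(all_ts) > aggregate and not aggregate_flagged:
            aggregate_flagged = True
            alerts.append({"type": "aggregate_flood", "at": ts,
                           "count": len(all_ts)})
    return alerts


if __name__ == "__main__":
    for alert in detect_floods(build_sample_log()):
        print(alert)
```

With the default thresholds only the single flooding source is reported; lowering the aggregate limit (as the accompanying check does) shows how the same walk also surfaces a flood that no individual source would trip on its own, which is the case a distributed attack presents.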

LIKELY ATTACKS

We have been examining various possible threats to a network. Clearly, some threats are more likely to occur than others. What are the realistic dangers facing individuals and organizations? What are the most likely attacks, and what are common vulnerabilities? Understanding the basics of existing threats and the likelihood that they will cause problems for users and organizations is important.

FYI: Likelihood of Attacks

The likelihood of a particular attack depends on the type of organization the network serves. The data presented here is applicable to most network systems. Clearly, a number of factors (including how much publicity a system gets and the perceived value of the data on that system) influence the likelihood of an attack targeting a particular system. Always err on the side of caution when estimating the threats to your network.

The most likely threat to any computer or network is the computer virus. For example, in just the month of October 2017, McAfee listed 31 active viruses (https://home.mcafee.com/virusinfo/virus-calendar). Each month, several new virus outbreaks are typically documented. New viruses are constantly being created, and old ones are still out there.

Note that many people do not update their antivirus software as often as they should. The evidence for this fact is that many of the viruses spreading around the Internet already have countermeasures released, but people are simply not applying them. Therefore, even when a virus is known and protection against it exists, it can continue to thrive because many people do not update their protection or clean their systems regularly. If all computer systems and networks had regularly updated security patches and employed virus-scanning software, a great many virus outbreaks would be avoided altogether, or their effects would at least be minimized.

Blocking has become the most common form of attack besides viruses. As you will learn later in this book, blocking attacks are easier to perpetrate

waliki court lara - Electric blanket safety bed wetting - Gaps diet and autism - Timberjack parts case study - Perch co acquired 80 of the common stock - Lux vs dove soap - Social Studies Materials and Differentiation - There is growing concern about poverty and income inequality. These two concepts, however, are not the same. Income inequality - Which sense is the fastest reaction time - Pretest and posttest research design - 7 3 skills practice similar triangles answers page 20 - CASE STUDY - Sunbeam channel stuffing - Along came a crocodile as quiet as can be - Brookville carriers nova scotia - Scramble and slide play centre kmart - Assistant front office manager job description pdf - Sharp company comparative balance sheet - Hy dairies case study solution - Capacity cushion formula operations management - Dissertation Topic PhD - The science of psychology an appreciative view looseleaf - Cotton mather wonders of the invisible world analysis - Zappos com developing a supply chain to deliver wow - 9 Social Work - Core Competencies - Collins v wilcock definition of battery - Fin 571 financial ratio analysis - Weaseler definition - Hercules nop walk off mat - Kerry brandis physiology viva - Australian standards for ceramic tiles - Bsbrel401 answers - Process equipment design ppt - 26 electrons 26 protons - A leader should provide structure when establishing a constructive climate. - Research Paper - Realpresence desktop user guide - A contemporary research term credibility was termed by aristotle as - Johnson and johnson swot analysis essay - Anthropological kinship chart template - Does anyone know about this? - Worm and distributed denial of service ddos agent infestation - Dannon activia yogurt false advertising