04Lecture-NetworkSecurity2.pdf

Full Transcript

1901 Lecture Four: Network Security 2 Overview   Cryptography: how it is used for data security and data communications. Networking and Server Attacks: review the different types of network based attacks and server attacks Cryptography Basics      Cryptography: scrambling information so that only authorized individuals can use it. o Encryption: the process of changing the original data into scrambled data. o Decryption: the process of changing the scrambled data back to its original state. o Plaintext: unencrypted data that is the input for encryption or the output of decryption. o Ciphertext: the scrambled and unusable output of encryption. o Cleartext: usable (unencrypted) data that is transmitted or stored and is not intended to be encrypted. o Cipher (or Algorithm): procedures based on a mathematical formula to encrypt and decrypt the data. o Key: a mathematical value entered into a cipher to produce the ciphertext. o Cryptoanalysis: sophisticated statistical analysis on ciphertext to try to discover the underlying key to the cryptographic algorithm. Steganography: hiding the existence of data. Steganography typically takes the data, divides it into smaller pieces, and hides these in unused portion of a file. Cryptography relies on the generation of random numbers – the more random, the better. But, computers cannot generate truly random numbers – they generate pseudorandom numbers. A pseudorandom number generator (PRNG) is an algorithm for creating a sequence of numbers whose properties approximate those of a random number. Cryptography can support the following basic protections: o Confidentiality: ensures that only authorized individuals can access the data. o Integrity: ensures that unauthorized individuals cannot modify the data. o Authentication: can be used to verify the identity of the sender/receiver of the data. o Non-Repudiation: can be used to verify that data has been sent or received (example: a receiver cannot deny that they did not get the data). Repudiation means to deny, and non-repudiation means the inability to deny. o Obfuscation: making the functions of something (like a program) obscure or unclear. This leads to a security approach called security through obscurity: virtually any system can be made secure so long as outsiders are unaware of it or how it functions – this approach is not always successful since a determined and talented individual can ‘see through’ the obfuscation. There are three broad categories of cryptographic algorithms: o Hash Algorithms: a one-way process that creates a ‘digital fingerprint’ for a set of data and often used as a check to verify that the original contents have not been changed. This process is called hashing, and the resulting fingerprint is a digest (sometimes called a message digest or hash) that represents the data.  Common hash algorithms include MD5 (Message Digest version 5), SHA (Secure Hash Algorithm), RIPEMD (RACE Integrity Primitives Evaluation Message Digest), and HMAC (Hashed Message Authentication Code) o Symmetric Cryptographic Algorithms: use the same single key to encrypt and decrypt data – but the key must be kept secure to be effective.  Common symmetric cryptographic algorithms include DES (Data Encryption Standard), 3DES (Triple Data Encryption Standard), AES (Advanced Encryption Standard), RC (Rivest Cipher), IDEA (International Data Encryption Algorithm), Blowfish, and Twofish. o Asymmetric Cryptographic Algorithms (or Public Key Cryptography): uses two keys (key pairs) that are mathematically related called the public key and the private key. The public key is known to everyone and can be freely distributed, while the private key is known only to the individual to whom it belongs. The public key is used to encrypt data and the private key is used to decrypt the data. Example: I give you my public key to encrypt data but only I can decrypt the data using my private key. Some public key algorithms allow for data to be encrypted by a private key and decrypted by a public key.  Common asymmetric cryptographic algorithms include RSA (the initials of the last names of the developers), ECC (Elliptic Curve Cryptography), and DSA (Digital Signature Algorithm)  Key Exchange: sending and receiving keys need to be kept private. Different methods of key exchange exist including DH (Diffie-Hellman), DHE (Diffie-Hellman Ephemeral), ECDH (Elliptic Curve Diffie-Hellman), and Perfect Forward Secrecy.  The following table list the scenarios when each key is used – assuming 2 individuals (A & B) and each have their own public and private key pair: Action Key Used Explanation B wants to send A an encrypted message A wants to read an encrypted message sent by B B wants to send a copy of the encrypted message sent to A to themselves A’s public key When an encrypted message is to be sent, the recipient’s, not the sender’s, key is used An encrypted message can be read only by using the recipient’s private key An encrypted message can be read only by the recipient’s private key. B would need to encrypt it with their own public key and then use their own private key to decrypt it. The recipient’s private key is used to decrypt received messages. The message should be encrypted with the other person’s public key for them to decrypt and read with their own private key. B’s private key is used to encrypt the hash. B receives an encrypted reply message from A B wants another person to read A’s reply message that they received B wants to send A a message with a digital signature A wants to see B’s digital signature   A’s private key B’s public key to encrypt B’s private key to decrypt B’s private key Other person’s public key B’s private key B’s public key Because B’s public and private keys work in both directions, A can use B’s public key to decrypt the hash. Attacking cryptography usually involves attacking the underlying algorithm… o Known Ciphertext Attack: the use of statistical tools that can be used to attempt to discover a pattern in the ciphertext, which then may be useful in revealing the plaintext or key. o Downgrade Attack: forcing the system to use a less secure mode of encryption which makes it easier to attack. o Using Deprecated Algorithms: the use of an algorithm that is known to have a security weakness. o Improper Implementation: many cryptographic algorithms have several configuration options, and unless careful consideration is given to these options, the cryptography may be improperly implemented. o Collision Attacks: used for attacking hash algorithms – an attempt is made to find two input strings of a hash function that produces the same hash result as the original hash. Implementing encryption through software…examples include: o Operating System Encryption: Microsoft’s EFS (Encrypting File System) and Apple’s FileVault is used mostly for encrypting folders and the files stored in those folders. o Pretty Good Privacy (PGP): uses both symmetric and asymmetric encryption. PGP generates a random symmetric key and uses it to encrypt the message. The symmetric key is then encrypted using the receiver’s public key and sent along with the message. When the recipient receives a message, PGP first decrypts the symmetric key with the recipient’s private key. The decrypted symmetric key is then used to decrypt the rest of the message.  Similar products include GNU Privacy Guard (GNuPG) and OpenPGP o   Full Disk Encryption (FDE): the entire drive is encrypted which prevents attackers from accessing data by booting from another operating system or placing the hard drive in another computer. Microsoft’s BitLocker does full disk encryption. Implementing encryption through hardware…examples include: o USB Device Encryption: an encryption chip is embedded inside a USB device. o Self-Encrypting Drives (SEDs): hard drives with an embedded encryption chip. o Trusted Platform Module (TPM): a chip on the computer’s motherboard that provides cryptographic services. TPM includes a true random number generator and support for asymmetric encryption (can generate public/private key pairs). o Hardware Security Module (HSM): a secure cryptographic processor that has accelerated (faster) symmetric and asymmetric encryption, and can even back up data in an encrypted form. Typically used in network devices (like servers or routers). Other concepts involving cryptography include: o Digital Certificate: a technology used to associate a user’s identity to a public key and that has been digitally signed by a trusted third party. Used to verify a sender’s identity to the receiver. o Public Key Infrastructure (PKI): manages the public keys used in digital certificates and includes the hardware, software, people, policies, and procedures used to create, store, distribute, and revoke digital certificates. Cryptographic Transport Protocols In addition to protecting data-in-use and data-at-rest, cryptography is most often used to protect data-in-transit across a network. The most common cryptographic transport algorithms include:        Secure Sockets Layer (SSL): an older (and somewhat obsolete) protocol used mostly for web servers and browsers. Transport Layer Security (TLS): a newer and more secure protocol derived from SSL, mostly used for web servers and browsers. Secure Shell (SSH): protocol used to access remote computers (typically Unix/Linux based). Hypertext Transport Protocol Secure (HTTPS): HTTP protocol that uses SSL or TLS encryption. Secure/Multipurpose Internet Mail Extensions (S/MIME): protocol used for encrypted email. Secure Real-time Transport Protocol (SRTP): protocol to encrypt audio and video communications over the Internet. IP Security (IPsec): a protocol suite for securing IP communications. IPsec encrypts and authenticates each IP packet of a session between hosts or networks. IPsec can provide protection to a much wider range of applications than SSL or TLS. Networking and Server Attacks Threat actors place a high priority on targeting networks since a single vulnerability could expose hundreds or thousands of devices.  Interception: designed to intercept network communications. o Man-in-the-Middle (MITM): involves a threat actor who inserts themselves between two entities, intercepting the data they are sending to each other. The treat actor can then modify the data to their advantage. MITM attacks can occur between two people or between a person and a server. o Man-in-the-Browser (MITB): involves an attack between the web browser and the underlying operating system. This usually begins with a Trojan infecting the computer and installing an extension into the browser so that when the browser is launched, the extension is activated. The browser extension can then do a number of different things including stealing username and passwords that the user enters in the infected browser. o  Replay Attack: a variation of MITM with the threat actor not modifying the data but storing it for later use. The captured data could be logon credentials that the threat actor resends after the legitimate user has logged out. Poisoning: injecting a threat vector into a normal network process to facilitate an attack. o ARP Poisoning: involves attacks to the Address Resolution Protocol (ARP) which uses a networking device’s MAC address to determine their IP address (used on local area networks). A poisoned ARP would have the threat actor’s MAC address assigned to the victim’s IP address so any data being sent to the victim would be rerouted to the attacker. o DNS Poisoning: substitutes a valid DNS address with an invalid one – this would redirect traffic from the legitimate web site to an attacker’s site. DNS poisoning can be done to a user’s local host file or to an external DNS server. o Privilege Escalation: exploiting a vulnerability in software to gain access to resources that the user normally would be restricted from accessing. Where some attacks are directed at the network itself, other attacks are directed specifically at network servers.      Denial of Service (DoS): an attack that overwhelms a server with a large number of false requests that the server cannot respond to legitimate requests (the server may even stop working – or worse, expose a vulnerability that a threat actor can take advantage of). Most DoS attacks are DDoS (distributed denial of service) attacks that involve a large number computers making false requests. Web Server Application Attacks: typically target input from users… o Cross-Site Scripting (XSS): the threat actor takes advantage of web applications that accept user input without validating it and uses that input in a response. Example: A threat actor posts a comment to web site but the comment contains a hidden script that can perform a malicious action. When someone clicks on the comment, the script is downloaded and executed. o Cross-Site Request Forgery (XSRF): this attack uses the user’s web browser settings to impersonate that user. If a user is currently authenticated on a website and is then tricked into loading another webpage, the new page inherits the identity and privileges of the victim to perform an undesired function on the attacker’s behalf. o Injection Attacks: the introduction of new input to exploit a vulnerability. A common example is an SQL injection that inserts statements to manipulate a database server. Hijacking: several server attacks are the result of threat actors taking control over something and then using it for an attack… o Session Hijacking: an attack in which an attacker attempts to impersonate the user by using their session token.  Session Token: usually a string of letters and numbers of variable length which is used by either the URL, the header/body of HTTP document, or in a web cookie. o URL Hijacking (or Typo Squatting): a threat attacker registers domain names that are similar to a legitimate domain name – the false domain names would use common misspellings of the legitimate name (goggle.com instead of google.com for example). o Domain Hijacking: a threat actor that tricks the domain registry process to register their IP to a domain name instead of the real IP address. (You need to register your domain name with someone…the attacker attacks this process.) o Clickjacking: a user is tricked into clicking a link that is not what it appears to be. Example: Click here to play video may not play a video at all but instead do something undesirable. Overflow Attacks: some attacks are designed to overflow areas of memory with instructions from the attacker… o Buffer Overflow: occurs when a process attempts to store data in memory beyond the boundaries allocated to it (the storage buffer). The problem is that the next area of memory often contains a reference (or pointer) to another area of memory – if that reference is changed to point to malicious code, the malicious code will execute. o Integer Overflow: an attacker changes the value of a variable to something outside the range that the programmer had intended – this can result in a buffer overflow or unintended results (like a negative number which in some situations indicates a refund instead of how much is owed). Advertising Attacks: several attacks attempt to use ads or manipulate the advertising system in their attack… o  Malvertising: malicious advertising or a poisoned ad attack. When a user goes to a web site, the user’s browser silently connects to dozens of advertising network sites from which ad banners, popup ads, video files, and pictures are sent to the user’s computer – anyone of these can contain malicious code or false advertising links. o Ad Fraud: some videos have a pre-video ad that appears before the real video plays (like some YouTube videos). This pre-video can be one that a threat actor can make money from – so it is not really a threat to you but to the advertising companies that pay for the ads to be placed. Browser Vulnerabilities: the added functionality of a web page (through scripting) or a browser (through add-ons) provides potential vulnerabilities… o Scripting Code: the script (like JavaScript) that is attached to a web page can be malicious. o Extensions: since extensions (most are written in JavaScript) act as part of the browser itself, they generally have wider access privileges than JavaScript running in a webpage. (So, a bad extension can be more malicious that a web page.) o Plug-ins: is a third-party binary library that runs outside of the browser and runs external programs. The most common plug-ins are Java, Adobe Flash player, and Adobe Acrobat Reader. The problem here is that the Java code can be malicious or the flash animation can have malicious code – ultimately, these plug-ins allow for other code to execute. o Add-ons: add a greater degree of functionality to the entire browser and not just to a single webpage (as a plug-in or an extension would do). Add-ons can create additional web browser toolbars and menus, be aware of other open tabs in the browser, and process the content of every webpage that is loaded. So, a bad add-on can do a lot of malicious things.