Advanced Cyber Security Techniques PDF
Document details: uploaded by Deleted User, 2016
Summary
This document is a study material for a postgraduate diploma in cybersecurity. It covers various topics including network attacks, threat landscape, firewalls, and intrusion detection systems. The material is aimed at learners from Uttarakhand Open University in 2016.
Full Transcript
Post-Graduate Diploma in Cyber Security
Advanced Cyber Security Techniques (PGDCS-07)

Title: Advanced Cyber Security Techniques

Advisors (CEMCA): Mr. R. Thyagarajan, Head, Admn. & Finance and Acting Director, CEMCA; Dr. Manas Ranjan Panigrahi, Program Officer (Education), CEMCA

Editor: Mr. Manish Koranga, Senior Consultant, Wipro Technologies, Bangalore

Block I (Unit I, Unit II, Unit III & Unit IV): Mr. Ashutosh Bahuguna, Scientist, Indian Computer Emergency Response Team (CERT-In), Department of Electronics & IT, Ministry of Communication & IT, Government of India

Block II (Unit I, Unit II, Unit III & Unit IV) and Block III (Unit I, Unit II, Unit III & Unit IV): Mr. Sani Abhilash, Scientist, Indian Computer Emergency Response Team (CERT-In), Department of Electronics & IT, Ministry of Communication & IT, Government of India

ISBN: 978-93-84813-95-6

Acknowledgement
The University acknowledges with thanks the expertise and financial support provided by Commonwealth Educational Media Centre for Asia (CEMCA), New Delhi, for the preparation of this study material.

Uttarakhand Open University, 2016
© Uttarakhand Open University, 2016. Advanced Cyber Security Techniques is made available under a Creative Commons Attribution Share-Alike 4.0 Licence (international): http://creativecommons.org/licenses/by-sa/4.0/ It is attributed to the sources marked in the References, Article Sources and Contributors section.

Published by: Uttarakhand Open University

INDEX

BLOCK I ... 15
1.1 LEARNING OBJECTIVES ... 1
1.2 INTRODUCTION ... 1
1.3 NETWORK ATTACKS ... 1
1.3.1 Man-in-the-Middle (MITM) Attack ... 1
1.3.2 Replay Attack ... 2
1.3.3 Denial of Service (DoS) and Distributed Denial of Service (DDoS) ... 2
1.3.4 Password Based Attacks ... 3
1.3.5 Spoofing ... 4
1.3.6 Eavesdropping ... 4
1.3.7 Installation of malicious programs - Backdoor or rooting ... 4
1.4 THREAT LANDSCAPE - NETWORK SECURITY ... 5
1.4.1 Threats to watch ... 5
1.4.1.1 Hacktivist attacks ... 5
1.4.1.2 DDoS Attacks ... 5
1.4.1.3 TOR - Onion Routing ... 5
1.4.1.4 Web application attacks ... 6
1.4.1.5 Malware propagation through Web ... 6
1.4.1.6 Targeted Attacks ... 6
1.4.1.7 Exploit Pack Toolkit ... 6
1.4.1.8 Ransomware ... 7
1.4.1.9 Attacks targeting Industrial Control Systems Networks ... 7
1.4.1.10 Social Network Sites (SNS) Threats ... 8
1.4.1.11 Threats to Mobile Devices and Mobile Communication ... 8
1.4.1.12 Threats to Client System ... 9
1.4.1.13 Attacks on Certifying Authorities - Trust Infrastructure ... 9
1.4.2 Emerging Threats ... 10
1.4.2.1 Emerging threats targeting Industrial Control Systems (ICS) ... 10
1.4.2.2 Emerging Threats to cloud computing environment ... 10
1.4.2.3 Emerging threats in Big Data ... 11
1.4.2.4 Emerging threats in Internet of Things ... 12
1.4 CASE STUDY ... 12
Case Study - Operation Payback and similar activist operations ... 12
1.7 LET US SUM UP ... 15
1.8 CHECK YOUR PROGRESS ... 15
1.9 MODEL QUESTIONS ... 16
2.1 LEARNING OBJECTIVES ... 17
2.2 INTRODUCTION ... 17
2.3 FIREWALL ... 17
2.3.2.1 Network Firewalls ... 20
2.3.2.2 Host-Based Firewalls ... 21
2.3 INTRUSION DETECTION AND PREVENTION SYSTEM ... 22
2.3.1 IDPS - Detection Technologies ... 23
2.3.1.2 Anomaly-Based Detection ... 23
2.3.1.3 Stateful Protocol Analysis ... 23
2.3.2 Types of Intrusion Detection and Prevention System (IDPS) ... 24
2.3.2.1 Network Based Intrusion Detection and Prevention Systems (NBIDPS) ... 24
2.3.2.2 Host Based Intrusion Detection and Prevention System (HBIDPS) ... 25
2.3.2.3 Wireless Intrusion Detection and Prevention Systems (WIDPS) ... 26
2.3.2.4 Network Behavior Analysis (NBA) ... 26
2.4 SECURITY INFORMATION AND EVENT MANAGEMENT (SIEM) ... 26
2.5 HONEYPOT ... 28
2.6 LET US SUM UP ... 29
2.7 CHECK YOUR PROGRESS ... 30
2.8 ANSWERS TO CHECK YOUR PROGRESS ... 30
2.9 FURTHER READINGS ... 31
2.10 MODEL QUESTIONS ... 31
3.1 LEARNING OBJECTIVES ... 32
3.2 INTRODUCTION ... 32
3.3 NETWORK INFRASTRUCTURE SECURITY BEST PRACTICES ... 32
3.3.1 Threats to the organization network Infrastructure ... 32
3.3.2 Best practices for network infrastructure security ... 33
3.3.2.1 Secure the Network Infrastructure Edge ... 33
3.3.2.2 Protect Infrastructure Device Access ... 33
3.3.2.3 Routing infrastructure Security ... 34
3.3.2.5 Monitoring, Analysis and Correlation ... 35
3.3.2.6 Network Policy Enforcement ... 37
3.3.2.7 Switching Infrastructure Security ... 37
3.3.2.8 Threat Control and Containment ... 38
3.3.2.9 Endpoints Security ... 38
3.3.2.10 Secure Third-Party Connectivity ... 38
3.4 CRITICAL SECURITY CONTROLS ... 39
3.4.1 SANS 20 critical controls for cyber defense ... 39
3.4.2 Brief description of Critical Controls - Need of Critical Control ... 40
3.5 LET US SUM UP ... 46
3.6 CHECK YOUR PROGRESS ... 46
3.7 MODEL QUESTIONS ... 47
4.1 LEARNING OBJECTIVES ... 48
4.2 INTRODUCTION ... 48
4.3 PHYSICAL SECURITY - INFORMATION AND COMMUNICATIONS TECHNOLOGY ... 48
4.3.1 Strategy for Physical Security ... 49
4.3.2 Physical Security - Best Practices ... 49
4.3.3 Physical Security - Guidelines ... 51
4.3.3.1 Physical security of Information and Communications Technology (ICT) Equipment ... 51
4.3.3.2 Physical security of Information and Communications Technology (ICT) system equipment ... 52
4.3.3.3 Physical security of ICT facilities ... 53
4.4 DATA CENTER SECURITY - GUIDELINES ... 55
4.4.1 Securing the Data Centre ... 61
4.4.2 Best Practices in the Data Centre ... 62
4.5 ENVIRONMENT SECURITY - INFORMATION AND COMMUNICATIONS TECHNOLOGY ... 63
4.5.1 Strategy for Environmental Security ... 64
4.5.2 Environmental Security - Best Practices ... 64
4.5.3 Environmental Security - Guidelines ... 65
4.6 LET US SUM UP ... 67
4.7 CHECK YOUR PROGRESS ... 67
4.8 MODEL QUESTIONS ... 67

BLOCK II ... 69
1.1 LEARNING OBJECTIVES ... 70
1.2 INTRODUCTION ... 70
1.3 ADDRESSING THREATS ... 73
1.4 BASIC DEPLOYMENT QUESTIONS ... 73
1.4.1 Identification of Server role ... 73
1.4.2 Identification of network services ... 74
1.4.3 Methods of authentication ... 74
1.4.4 Security plan ... 74
1.4.5 Physical security ... 74
1.5 INSTALLATION & CONFIGURATION ... 75
1.5.1 OS Hardening ... 75
1.5.1.1 Patches ... 75
1.5.2 Disabling unwanted services and protocols ... 76
1.5.3 OS authentication ... 76
1.5.4 Protecting server against unauthorized network access ... 77
1.5.5 Encryption ... 77
1.5.6 Intelligent usage of ACLs ... 77
1.5.7 Access Control and Permissions ... 77
1.5.7.1 Tools ... 78
1.6 SECURING THE SERVER PLATFORM ... 78
1.6.1 Access / resource Restrictions ... 78
1.7 ENFORCING AND MAINTAINING SECURITY BEST PRACTICES ... 79
1.7.1 Account Policy ... 79
1.7.1.1 User privileges & rights ... 79
1.7.1.2 Audit & logs Management ... 79
1.8 OPERATIONS & MAINTENANCE ... 82
1.8.1 Patches ... 82
1.8.2 Anti-virus ... 82
1.8.3 System monitoring ... 83
1.8.3.1 Performance ... 83
1.8.3.2 Incident detection tools ... 83
1.8.4 Backups ... 83
1.8.5 Recovery ... 84
1.9 INCIDENT HANDLING ... 84
1.9.1 Define incident ... 84
1.9.2 Incident detection ... 84
1.9.3 Safeguard measures after incident ... 84
1.10 LET'S SUM UP ... 84
1.11 MODEL QUESTIONS ... 85
2.1 LEARNING OBJECTIVES ... 86
2.2 INTRODUCTION ... 86
2.3 WEB SERVERS SECURITY ... 86
2.3.1 Defense in depth ... 87
2.3.2 Third party hosting ... 88
2.3.2.1 CERT-In Guidelines, security auditing: Third party hosting service provider ... 89
2.4 EMAIL SECURITY ... 90
2.4.1 Security Threats to Email Service ... 90
2.4.2 Security Guidelines - email server ... 91
2.5 DATABASE SERVER SECURITY ... 93
2.5.1 Database Vulnerabilities ... 94
2.5.2 Database Security ... 94
2.5.2.1 Planning ... 94
2.5.2 Installation & Configuration ... 96
2.5.3 Operations & Maintenance ... 97
2.5.4 Backup & Recovery ... 98
2.5.5 Web Based Databases ... 99
2.5.6 Security Checklist for a Database Administrator ... 100
2.6 DNS SERVERS SECURITY ... 101
2.6.1 Threats to DNS Server ... 102
2.6.2 DNS Security ... 102
2.7 LET US SUM UP ... 103
2.8 CHECK YOUR PROGRESS ... 103
2.9 MODEL QUESTIONS ... 103
3.1 LEARNING OBJECTIVES ... 105
3.2 INTRODUCTION ... 105
3.3 WEB-APPLICATION SECURITY VERSUS PERIMETER SECURITY ... 106
3.4 ATTACK SURFACE ... 106
3.4.1 Web application Attacks ... 106
3.4.1.1 Cross-Site Scripting (XSS or CSS) ... 106
3.4.1.2 SQL Injection (SQL-i) ... 108
3.4.1.3 Remote File Inclusion (RFI) ... 108
3.4.1.4 Cross Site Request Forgery (CSRF) ... 109
3.4.1.5 HTTPS Cookie Hijacking ... 109
3.4.1.6 File Upload Vulnerabilities ... 109
3.4.1.7 Insecure Data Transfer and Storage ... 110
3.5 SECURE WEB APPLICATION DEVELOPMENT - BEST PRACTICES ... 110
3.5.2 Input validation ... 110
3.5.3 Output encoding ... 111
3.5.4 Error Handling ... 111
3.5.5 SQL statements ... 111
3.5.6 Least privilege model ... 111
3.5.7 Re-authentication for important transactions ... 111
3.5.8 Proper use of encryption ... 112
3.5.9 Manual security testing ... 112
3.5.10 Training and Awareness ... 112
3.5.11 Security is a continuous process ... 112
3.6 WEB APPLICATION SECURITY TESTING ... 112
3.6.1 The OWASP Testing Framework ... 113
3.6.2 OWASP Testing Guide ... 118
3.7 LET US SUM UP ... 118
3.10 MODEL QUESTIONS ... 119
4.1 LEARNING OBJECTIVES ... 120
4.2 WHAT DO WE NEED TO SECURE? ... 120
4.2.1 Authentication ... 122
4.2.2 Integrity ... 122
4.2.3 Confidentiality ... 122
4.2.4 Non-repudiation ... 122
4.3 SECURITY PROTOCOLS ... 123
4.3.1 Secure HTTP ... 123
4.3.2 S/MIME ... 124
4.3.2.1 How does S/MIME work? ... 124
4.3.3 PRETTY GOOD PRIVACY (PGP) ... 125
4.3.3.1 How does PGP work? ... 125
4.3.3.2 PGP Web of trust ... 127
4.3.4 Secure Electronic Transaction ... 127
4.3.5 SECURE SOCKETS LAYER (SSL) / TRANSPORT LAYER SECURITY ... 128
4.3.5.1 How does SSL work? ... 128
4.3.5.2 The main objectives of SSL are Specific Protocol ... 130
4.3.5.3 SSL SESSION AND CONNECTION ... 131
4.3.5.4 The Handshake Protocol ... 131
4.3.5.4 SSL Record Protocol ... 134
4.3.5.6 The Alert Protocol ... 135
4.3.5.7 The Change Cipher Specification Protocol ... 135
4.3.6 IPSec ... 135
4.3.6.1 THE IP DATAGRAM ... 136
4.3.6.2 IPSec AH: AUTHENTICATION HEADER - AUTHENTICATION ONLY ... 137
4.3.6.3 ESP - ENCAPSULATING SECURITY PAYLOAD ... 139
4.3.7 DNSSEC ... 142
4.3.8 SECURE SHELL (SSH) ... 144
4.3.9 Mailing protocols ... 145
4.4 LET'S SUM UP ... 146
4.5 CHECK YOUR PROGRESS ... 146

BLOCK III ... 148
1.1 LEARNING OBJECTIVE ... 149
1.2 INTRODUCTION ... 149
1.3 WINDOWS SECURITY CONTROLS ESSENTIAL FOR HOME USER ... 151
1.3.1 Passwords ... 152
1.3.2 Windows Updates ... 153
1.4 PRINCIPLE OF LEAST PRIVILEGE (PLP) ... 154
1.4.1 Learning objective ... 157
1.4.2 EMET (Enhanced Mitigation Experience Toolkit) anti-exploitation tool - silver bullet from Microsoft ... 157
1.5 AUTORUN / AUTOPLAY ... 162
1.5.1 Disabling AutoRun / AutoPlay in Windows Operating Systems ... 162
1.5.1.1 Disable Autorun in Windows 7 / Vista with Group Policy Settings ... 164
1.5.2 Disable AutoPlay in Windows 7 / Vista ... 167
1.6 SOFTWARE RESTRICTION POLICY ... 167
1.7 BROWSERS AND SECURITY ... 169
1.7.1 IE security settings ... 169
1.7.2 Mozilla Firefox ... 171
1.7.2.1 Low Integrity Firefox ... 172
1.7.2 Chrome ... 173
1.7.3 Sandboxing your Browser ... 174
1.8 MBSA (MICROSOFT BASELINE SECURITY ANALYSER) ... 178
1.9 SET UP AND CONFIGURE WINDOWS FIREWALL ... 179
1.9.1 Advanced Settings for Firewall ... 180
1.9.2 Example for setting Windows Update service outbound allow ... 181
1.10 PHYSICAL SECURITY ... 183
1.10.1 BitLocker Drive Encryption ... 183
1.10.2 Enabling SysKey functionality to Enhance Desktop Security ... 185
1.10.2.2 Set restore points ... 185
1.10.2.3 Do an Image Backup of the Hard Drive, take regular backup ... 186
1.11 BASIC GUIDELINES FOR ENABLING SECURITY IN YOUR DESKTOP ... 186
1.11.1 Basic Desktop Hardening ... 186
1.11.2 Basic Network Hardening ... 188
1.12 ENABLING SECURITY FEATURES IN MS OFFICE ... 189
1.13 SUMMARY ... 191
1.14 CHECK YOUR PROGRESS ... 191
1.15 ANSWERS TO CHECK YOUR PROGRESS ... 192
1.16 MODEL QUESTIONS ... 192
2.1 LEARNING OBJECTIVES ... 193
2.2 INTRODUCTION ... 193
2.3 WIRELESS NETWORK SECURITY: VULNERABILITIES, THREATS AND COUNTERMEASURES ... 195
2.3.1 What is WLAN ... 195
2.3.2 WLAN components ... 196
2.3.3 WLAN 802.11 security ... 197
2.3.4 WAP Version 1 ... 198
2.3.5 WPA1 addendum ... 198
2.3.6 Wi-Fi Protected Access II (WPA2) ... 199
2.3.7 Issues with WAP ... 199
2.4 WLAN THREATS ... 199
2.4.1 WLAN Attacks causing Loss of confidentiality ... 200
2.4.2 Traffic Analysis ... 200
2.4.3 Eavesdropping ... 201
2.4.4 Man-in-the-Middle Attack ... 201
2.4.5 Evil Twin AP ... 201
2.5 ATTACKS CAUSING LOSS OF INTEGRITY ... 202
2.5.1 Session Hijacking ... 202
2.5.2 Replay Attack ... 202
2.5.3 802.11 Frame Injection Attack ... 202
2.5.4 802.11 Data deletion ... 202
2.6 ATTACKS CAUSING LOSS OF AVAILABILITY ... 202
2.6.1 Denial-of-Service Attack ... 203
2.6.2 Radio frequency (RF) Jamming ... 203
2.6.3 802.11 Beacon Flood ... 203
2.6.4 802.11 Associate/Authentication Flood ...
203 2.6.5 Queensland DoS / Virtual carrier-sense attack............................................................203 2.6.6 Fake SSID flooding.................................................................................................... 203 2.6.7 EAPOL flood............................................................................................................. 203 2.6.8 GreenField Mode........................................................................................................ 204 2.7 AUTHENTICATION ATTACKS................................................................................. 204 2.7.1 Dictionary & Brute force attack.................................................................................. 204 2.7.2 Attacks targeting Access Controls.............................................................................. 204 2.7.2.1 MAC spoofing..................................................................................................... 204 2.7.2.2 War Driving/ access point mapping...................................................................... 204 2.7.2.3 Rogue Access Point.............................................................................................205 2.8 ATTACKS ON ENCRYPTION STANDARDS................................................................ 205 2.8.1 WEP attacks............................................................................................................... 205 2.8.1.1 FMS (Fluhrer, Mantin and Shamir) attack............................................................205 2.8.1.2 Korek CHOPCHOP Attack.................................................................................. 205 2.8.1.3 Coolface attack.................................................................................................... 205 2.9 HOME WIRELESS THREATS........................................................................................ 
206 2.10 PUBLIC WIRELESS THREATS.................................................................................... 208 d. Unauthorized Computer Access:............................................................................ 208 2.10.1 Safe Wireless Networking in Public Spaces..............................................................209 2.10.2 Wireless Client Device Security and best practices................................................... 210 2.10.3 Mobile devices threats..............................................................................................211 2.10.4 Mobile malware prevention steps.............................................................................. 211 2.11 SUMMARY.................................................................................................................... 212 2.12 CHECK YOUR PROGRESS.......................................................................................... 213 2.13 ANSWERS TO CHECK YOUR PROGRESS................................................................. 213 2.14 MODEL QUESTIONS.................................................................................................... 214 3.1 LEARNING OBJECTIVES.............................................................................................. 215 3.2 INTRODUCTION........................................................................................................ 215 3.3 MALWARE ANALYSIS FUNDAMENTALS................................................................. 216 3.3.1 Various approaches to malware analysis..................................................................... 
216 3.3.1.1 Basic static analysis.............................................................................................216 3.3.1.2 Behavioral analysis..............................................................................................216 3.3.1.3 Automatic Analysis..............................................................................................216 3.3.1.4 Volatile Memory Analysis................................................................................... 216 3.1.5 Advanced dynamic analysis.................................................................................... 216 3.3.1.6 Advanced static analysis...................................................................................... 217 3.4 SETTING UP MALWARE ANALYSIS FACILITY........................................................ 217 3.4.1 Creating sandboxed / virtual environments................................................................. 217 3.5 STATIC ANALYSIS........................................................................................................ 219 3.5.1 Detecting Packers and Cryptors.................................................................................. 220 3.5.2 Notable strings............................................................................................................ 221 3.5.3 PE structure Analysis.................................................................................................. 222 3.6 DYNAMIC ANALYSIS................................................................................................... 224 3.6.1 Dynamic Analysis Tools.............................................................................................224 3.6.2 Baseline the guest machine with Capture Bat..............................................................224 3.7 AUTOMATIC ANALYSIS............................................................................................... 
227 3.8 MALWARE COLLECTION PROCESS WOTH MALWARE HONEYPOTS.................. 228 3.8.1 Installing Nepenthes................................................................................................... 229 3.8.1.1 Installing Nepenthes............................................................................................229 3.8.2 Dionaea Honeypot installation.................................................................................... 230 3.8.2.1 Installing Dionaea................................................................................................230 3.8.3 Installing Thug for web based malware....................................................................... 231 3.9 MEMORY ANALYSIS.................................................................................................... 234 3.9.1 Capturing Memory..................................................................................................... 234 3.9.2 Memory Analysis using Volatility......................................................................... 238 3.10 SUMMARY.................................................................................................................... 244 3.11 MODEL QUESTIONS.................................................................................................... 244 4.1 LEARNING OBJECTIVES.............................................................................................. 245 4.2 INTRODUCTION............................................................................................................. 245 4.3 APT LIFE CYCLE............................................................................................................ 246 4.4 CASE STUDY.................................................................................................................. 253 4.4.1 Information gathering................................................................................................. 
253 4.4.2 Delivery..................................................................................................................... 253 4.4.3 Initial Compromise..................................................................................................... 253 4.4.4 Exploit detected inside crafted/malicious document.................................................... 254 4.4.5 Command and Control mechanisms............................................................................ 257 4.4.6 Lateral movement....................................................................................................... 258 4.4.7 Data Exfiltration......................................................................................................... 259 4.5 SUMMARY...................................................................................................................... 263 4.6 MODEL QUESTIONS...................................................................................................... 263 Appendix-A............................................................................................................................ 264 Microsoft Vulnerability /Risk Assessment Tools................................................................. 264 Appendix –B........................................................................................................................... 266 Data Classification and Protection.......................................................................................266 Appendix –C........................................................................................................................... 268 Monitoring, Auditing, and Reporting................................................................................... 268 References, Article Source & Contributors.......................................................................... 
269 BLOCK I UNIT I: NETWORK SEURITY - THREATS 1.1 LEARNING OBJECTIVES After going through this unit, you will be able to: Understand the network security need. Understand the threat landscape. Understand the current threat scenario. Know the different weaknesses of the computer networks. Understand the different attacks on computer networks. Understand the emerging threats to network technologies. Understand the impact of the different network attacks. 1.2 INTRODUCTION Organizations of all types and sizes which deals with information for meeting its objectives, faces a range of risks that may affect the functioning of information assets. Computer Networks are used to store, transfer and process information for meeting variety of objectives of the organization. Network security is a technology and methods to protect confidentiality, integrity and availability of the network. Network security involves all activities that organizations do to protect the value and ongoing usability of assets and the integrity and continuity of operations. An effective network security strategy requires identifying threats and then choosing the most effective set of tools to combat them. In this unit we are going to discuss network attacks, threat landscape - current threats and emerging threats and possible risks to computer networks associated with these threats. We will conclude unit with the attack case study. 1.3 NETWORK ATTACKS In this section, you will be going to explore common network Attacks. However the list of attacks is not comprehensive in fact no list of attacks can be complete as new vulnerabilities and attacks are emerging on daily basis. Students are advised to explore the case studies and example of the attacks from internet resources to better understand the methodology of attacker and impact of the attack. 
1.3.1 Man-in-the-Middle (MITM) Attack
A Man-in-the-Middle (MITM) attack occurs when someone positioned between the user and the entity the user is communicating with actively monitors, captures and controls the communication. For example, the attacker can read the data exchanged or modify the captured data before forwarding it. Figure 1 illustrates the MITM attack: the victim was connected to the server by the original connection, which the attacker somehow modifies so that the connection is routed through the attacker's system. The attacker can now actively monitor, capture and control the network traffic between the victim and the server.

Figure 1: Man-in-the-Middle (MITM) attack

1.3.2 Replay Attack
A replay attack occurs when a message, or part of a message, is repeated to produce a malicious effect. It is a form of network attack in which a valid data transmission is maliciously or fraudulently repeated, either by the originator or by an attacker who intercepts the data and retransmits it. For example, a packet carrying a victim's valid username and password combination can be replayed by an attacker in order to authenticate as the victim. Consider the following scenario:
(i) Alice wants to prove her identity to Bob. Bob requests her password as proof of identity, which Alice dutifully provides.
(ii) Meanwhile, Eve is eavesdropping on the conversation and keeps the password.
(iii) After the interchange is over, Eve (posing as Alice) connects to Bob; when asked for proof of identity, Eve sends Alice's password captured from the last session, which Bob accepts, thus granting access to Eve.

1.3.3 Denial of Service (DoS) and Distributed Denial of Service (DDoS)
Denial of Service (DoS) is an attempt to make a computer resource unavailable to its intended users. A Distributed Denial of Service (DDoS) attack occurs when multiple compromised computer systems flood the communication link (bandwidth) or the resources of a targeted system.
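The Alice, Bob and Eve scenario of section 1.3.2 above, worked through as an added example that is not part of the original unit. It contrasts Bob's static-password check, which Eve defeats by replaying what she captured, with a nonce-based challenge-response check in which each nonce is accepted only once. The shared secret, the class and function names and the 16-byte nonce size are assumptions made for the example.

```python
import hashlib
import hmac
import os

# Constructed shared secret for the demonstration (not a real credential).
SHARED_SECRET = b"alice-demo-secret"


class PasswordServer:
    """Bob's naive server: accepts a static password sent in the clear.
    Whatever Eve captures on the wire can be replayed verbatim."""

    def __init__(self, password: bytes):
        self._password = password

    def login(self, presented: bytes) -> bool:
        return hmac.compare_digest(presented, self._password)


class ChallengeServer:
    """Bob's hardened server: issues a fresh random nonce for every login attempt and
    expects HMAC-SHA256(secret, nonce) back. Each nonce is accepted once, so a
    captured (nonce, response) pair is worthless in a later session."""

    def __init__(self, secret: bytes):
        self._secret = secret
        self._outstanding = set()   # nonces issued but not yet consumed

    def challenge(self) -> bytes:
        nonce = os.urandom(16)
        self._outstanding.add(nonce)
        return nonce

    def login(self, nonce: bytes, response: bytes) -> bool:
        if nonce not in self._outstanding:
            return False                      # unknown or already-used nonce
        self._outstanding.discard(nonce)      # single use: consume before verifying
        expected = hmac.new(self._secret, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def client_respond(secret: bytes, nonce: bytes) -> bytes:
    """Alice's side: prove knowledge of the secret without transmitting it."""
    return hmac.new(secret, nonce, hashlib.sha256).digest()


def replay_against_password() -> tuple:
    """Static-password scheme. Returns (alice_accepted, eve_replay_accepted)."""
    bob = PasswordServer(SHARED_SECRET)
    alice_ok = bob.login(SHARED_SECRET)   # step (i): Alice sends her password
    captured = SHARED_SECRET              # step (ii): Eve records it
    eve_ok = bob.login(captured)          # step (iii): Eve replays it and is let in
    return alice_ok, eve_ok


def replay_against_challenge() -> tuple:
    """Nonce scheme. Returns (alice_accepted, eve_same_nonce_accepted, eve_new_nonce_accepted)."""
    bob = ChallengeServer(SHARED_SECRET)
    nonce = bob.challenge()
    response = client_respond(SHARED_SECRET, nonce)
    captured = (nonce, response)          # Eve records the whole exchange
    alice_ok = bob.login(nonce, response)
    eve_same = bob.login(*captured)       # nonce already consumed: rejected
    new_nonce = bob.challenge()           # Eve starts her own session, gets a new nonce
    eve_new = bob.login(new_nonce, captured[1])   # old response does not match new nonce
    return alice_ok, eve_same, eve_new


if __name__ == "__main__":
    print("static password:", replay_against_password())    # (True, True)
    print("nonce challenge:", replay_against_challenge())   # (True, False, False)
```

The point of the second scheme is that the secret never crosses the wire and the response is bound to a value Bob chose for this session only; recording and retransmitting the exchange gives Eve nothing. Consuming the nonce before verifying the response also prevents two concurrent replays of the same challenge from racing each other.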
DDoS attacks are generally launched through a botnet, a network of compromised computer systems called 'bots'. NTP-based Distributed Reflected Denial of Service (DrDoS) attacks are a newer technique for conducting DDoS attacks on a target.

Denial-of-service (DoS) attacks are usually launched to make a particular service unavailable to someone who is authorized to use it. They may be launched from a single computer or from many computers across the world; in the latter case the attack is known as a distributed denial of service attack. The attack is initiated by sending excessive demands to the victim's resources, exceeding the limit that the victim's infrastructure can support. Ping of Death, SYN attacks and UDP flooding are some methods of conducting DoS/DDoS attacks.

A Ping of Death attack involves a very large Internet Control Message Protocol (ICMP) packet, which the receiving computer gets as a series of fragments. The packet reassembled at the target causes a buffer overflow because the routine handling it does not cope with such a large size. The resulting service crash is the DoS.

A SYN flood attack exploits the implementation of the three-way handshake of the TCP/IP protocol. In the three-way handshake (1) the client first sends a SYN packet to the server, (2) the server responds with a SYN-ACK, and (3) the client responds to this SYN-ACK, completing the handshake, after which data transfer starts. In a SYN flood the attacker never responds to the SYN-ACK. The server keeps waiting for the attacker's response, and by sending many SYN requests the attacker consumes the server's resources (each half-open connection occupies a slot in the server's connection backlog), causing DoS/DDoS.

The following are means of achieving DoS/DDoS:
a. Consumption of resources such as server computing capacity, network bandwidth, etc.
b. Exploitation of a vulnerability to crash the service.
c. Destruction or alteration of the system's configuration information.
d. Physical destruction or alteration of information-processing assets.
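The three-way handshake just described can be replayed from a connection log to count half-open connections, which is what a SYN flood leaves behind. The following is an added example, not code from the original unit: it parses a constructed event log (the line format, addresses and thresholds are assumptions made for the example), tracks each connection through steps (1) to (3), and reports connections stuck after step (2).

```python
import re
from collections import defaultdict

# Constructed TCP handshake event log (not from a real capture), one event per line:
#   <time> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <flags>
# where flags S = SYN (step 1), SA = SYN-ACK (step 2), A = the client's final ACK (step 3).
SAMPLE_EVENTS = """\
0.001 10.0.0.5:40001 -> 192.0.2.10:80 S
0.002 192.0.2.10:80 -> 10.0.0.5:40001 SA
0.003 10.0.0.5:40001 -> 192.0.2.10:80 A
0.010 198.51.100.7:1001 -> 192.0.2.10:80 S
0.011 192.0.2.10:80 -> 198.51.100.7:1001 SA
0.012 198.51.100.7:1002 -> 192.0.2.10:80 S
0.013 192.0.2.10:80 -> 198.51.100.7:1002 SA
0.014 198.51.100.7:1003 -> 192.0.2.10:80 S
0.015 192.0.2.10:80 -> 198.51.100.7:1003 SA
0.016 198.51.100.7:1004 -> 192.0.2.10:80 S
0.017 192.0.2.10:80 -> 198.51.100.7:1004 SA
0.020 10.0.0.9:50200 -> 192.0.2.10:80 S
0.021 192.0.2.10:80 -> 10.0.0.9:50200 SA
0.022 10.0.0.9:50200 -> 192.0.2.10:80 A
"""

LINE_RE = re.compile(
    r"^(?P<t>[\d.]+) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<flags>SA|S|A)$"
)


def handshake_states(log: str) -> dict:
    """Replay the three-way handshake per connection.

    Returns {(client_ip, client_port, server_ip, server_port): state} where state is
    'SYN' (step 1 seen), 'SYNACK' (server replied, waiting for the client ACK: half-open)
    or 'OPEN' (step 3 seen, handshake complete)."""
    state = {}
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unparseable event: {line!r}")
        flags = m["flags"]
        if flags == "S":      # step 1: client -> server
            state[(m["src"], m["sport"], m["dst"], m["dport"])] = "SYN"
        elif flags == "SA":   # step 2: server -> client, so the key is reversed
            key = (m["dst"], m["dport"], m["src"], m["sport"])
            if state.get(key) == "SYN":
                state[key] = "SYNACK"
        elif flags == "A":    # step 3: client -> server completes the handshake
            key = (m["src"], m["sport"], m["dst"], m["dport"])
            if state.get(key) == "SYNACK":
                state[key] = "OPEN"
    return state


def half_open_total(log: str) -> int:
    """Connections stuck at step 2: the figure to compare with the listen backlog size."""
    return sum(1 for s in handshake_states(log).values() if s == "SYNACK")


def half_open_by_source(log: str) -> dict:
    """Half-open connections grouped by client IP."""
    counts = defaultdict(int)
    for (client, _, _, _), s in handshake_states(log).items():
        if s == "SYNACK":
            counts[client] += 1
    return dict(counts)


def flag_syn_flood_sources(log: str, threshold: int = 3) -> list:
    """Client IPs holding at least `threshold` half-open connections
    (the threshold is an assumed tuning value, not a standard)."""
    return sorted(ip for ip, n in half_open_by_source(log).items() if n >= threshold)


if __name__ == "__main__":
    print("half-open total:", half_open_total(SAMPLE_EVENTS))       # 4
    print("by source:", half_open_by_source(SAMPLE_EVENTS))         # {'198.51.100.7': 4}
    print("flagged:", flag_syn_flood_sources(SAMPLE_EVENTS))        # ['198.51.100.7']
```

In a real flood the SYNs usually carry spoofed, randomised source addresses, so the per-source count is the weaker signal; the total number of half-open connections measured against the listen backlog is what actually predicts service loss, and SYN cookies on the server are the usual mitigation because they let the server answer step (2) without reserving backlog state.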
Figure 2: DDoS Attack

1.3.4 Password Based Attacks
Password-based authentication relies on the principle of "something you know". Password-based access control is generally implemented in network assets for controlling access to resources. Attacks on password-based authentication include eavesdropping, password stealing, brute force and dictionary attacks. The objective of these attacks is to obtain a valid password for the system. When an attacker finds a valid user account, the attacker has the same rights as the real user; so if the compromised account has administrator-level rights, the attacker has those rights too.

A brute-force password attack involves trying every password combination until the correct password is found. Due to the number of possible combinations of letters, numbers and symbols, a brute-force attack may take a long time to complete. Dictionary-based password attacks are a method of breaking into a password-protected resource by systematically entering every word in a dictionary as the password. The dictionary is prepared by the attacker based on knowledge and information about the resource and its environment.

1.3.5 Spoofing
In computer networking, IP address spoofing or IP spoofing is the creation of Internet Protocol (IP) packets with a forged source IP address, with the purpose of concealing the identity of the sender or impersonating another computing system. A similar concept applies to Media Access Control (MAC) address spoofing or hardware address spoofing. Most networks and operating systems use the IP address of a computer to identify a valid entity. An attacker can use a packet-crafting tool to construct IP packets that appear to originate from another source. In MAC spoofing, the factory-assigned Media Access Control (MAC) address of a network interface on a networked device is modified to hide the identity of the device or to impersonate another device.
Packet-crafting and other similar tools are available which can be used for IP spoofing or MAC spoofing.

1.3.6 Eavesdropping
Where communication on a computer network happens in an unsecured or cleartext format, an attacker is able to read the traffic. When an attacker is eavesdropping on communications, it is referred to as sniffing or snooping. Without strong encryption services, data can be read by others as it traverses the network. The attacker may focus on reading secret information such as passwords and keys, or financial details such as credit card information, on the vulnerable network.

1.3.7 Installation of malicious programs - Backdoor or rooting
A backdoor or rooting is a malicious means of access to a network that bypasses the security mechanisms in place. An insider may install a backdoor so that he can access the network remotely. Attackers also often install backdoors as part of an exploit. A backdoor provides complete control of the system to the attacker, in many cases remotely, so that the attacker can access the system's resources from outside. Many computer worms, such as Sobig and Mydoom, install a backdoor on the affected computer. Such backdoors appear to be installed so that spammers can send junk e-mail from the infected machines.

1.4 THREAT LANDSCAPE - NETWORK SECURITY
In this section we study current threats to Information and Communication Technology (ICT), including computer networks, and emerging threats to new technologies such as cloud, big data and the Internet of Things (IoT). The section is divided into two parts, threats to watch and emerging threats, and is followed by activities for the students.

1.4.1 Threats to watch
1.4.1.1 Hacktivist attacks
The term hacktivist is derived by combining hack and activism. Hacktivism is the act of hacking, or breaking into a computer system, for a politically or socially motivated purpose. An individual who performs an act of hacktivism is said to be a hacktivist.
A hacktivist uses the same tools and techniques as a hacker, but does so in order to disrupt services and bring attention to a political or social cause. Cyber attacks carried out by hacktivist groups such as Anonymous have ranged from defacement to large-scale DDoS. Some of the hacker groups posted documents claimed to be stolen on public websites. The attackers distributed tools and used activists spread across various countries to simultaneously run tools capable of generating a flood of requests to target websites and networks, causing disruption of services.

1.4.1.2 DDoS Attacks
Large-scale Domain Name System (DNS) and Network Time Protocol (NTP) based Distributed Reflection Denial of Service (DrDoS) attacks have been reported against reputed e-commerce, banking and public/private sector websites all over the world.

The Domain Name System (DNS) is a hierarchical distributed naming system for computers, services, or any resource connected to the Internet or a private network. It associates various information with domain names assigned to each of the participating entities. DNS translates domain names, which are easily memorized by humans, into the numerical IP addresses needed by computer services and devices worldwide. Attackers use a technique known as DNS amplification to conduct DDoS attacks on a target.

Network Time Protocol (NTP) is a networking protocol used for clock synchronization, server administration, maintenance and monitoring. Certain NTP implementations that use the default unrestricted query configuration are susceptible to a reflected denial-of-service (DrDoS) attack. In a reflected denial-of-service attack, the attacker spoofs the source address of the attack traffic, replacing it with the target's address, so that the reflector's responses are delivered to the target.
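From the point of view of the operator of an NTP server, the reflection pattern described above shows up in flow records as a peer that sends tiny queries and receives very large answers. The following is an added example, not code from the original unit: it computes, per peer, the bytes received versus bytes sent on UDP/123 and flags peers receiving amplified traffic, which in a reflection attack are the victims whose addresses were spoofed. The flow records, server address, byte counts and thresholds are all constructed for the example and do not represent real monlist response sizes.

```python
from collections import defaultdict

# Constructed flow records (NetFlow-like, not a real capture) as seen at the border of
# a network hosting an NTP server at 192.0.2.53. Byte counts are illustrative only.
# Fields: (src_ip, src_port, dst_ip, dst_port, proto, bytes, packets)
SAMPLE_FLOWS = [
    # ordinary time sync: 48-byte query, 48-byte reply
    ("10.0.0.5", 123, "192.0.2.53", 123, "udp", 48, 1),
    ("192.0.2.53", 123, "10.0.0.5", 123, "udp", 48, 1),
    # reflection: small queries whose source claims to be 203.0.113.7, large replies to it
    ("203.0.113.7", 40123, "192.0.2.53", 123, "udp", 234, 3),
    ("192.0.2.53", 123, "203.0.113.7", 40123, "udp", 21504, 48),
    ("203.0.113.7", 40124, "192.0.2.53", 123, "udp", 234, 3),
    ("192.0.2.53", 123, "203.0.113.7", 40124, "udp", 21504, 48),
    # unrelated TCP flow, must be ignored
    ("10.0.0.8", 51000, "192.0.2.53", 22, "tcp", 4000, 30),
]

NTP_PORT = 123


def reflection_report(flows, server_ip: str, service_port: int = NTP_PORT) -> dict:
    """Per peer IP: (bytes the server received from it, bytes the server sent to it, ratio).

    Only UDP flows touching server_ip:service_port are considered. The ratio is the
    amplification factor the server provides to that peer address, which in an attack
    belongs to the victim rather than to whoever really sent the queries."""
    bytes_in = defaultdict(int)
    bytes_out = defaultdict(int)
    for src, sport, dst, dport, proto, nbytes, _pkts in flows:
        if proto != "udp":
            continue
        if dst == server_ip and dport == service_port:
            bytes_in[src] += nbytes
        elif src == server_ip and sport == service_port:
            bytes_out[dst] += nbytes
    report = {}
    for peer in set(bytes_in) | set(bytes_out):
        i, o = bytes_in[peer], bytes_out[peer]
        ratio = o / i if i else float("inf")   # responses with no request at all
        report[peer] = (i, o, ratio)
    return report


def flag_reflection_peers(flows, server_ip: str, max_ratio: float = 10.0,
                          min_bytes_out: int = 10_000) -> list:
    """Peers receiving amplified traffic: high out/in ratio and a meaningful volume.
    Both thresholds are assumed tuning values."""
    rep = reflection_report(flows, server_ip)
    return sorted(p for p, (_i, o, r) in rep.items() if r >= max_ratio and o >= min_bytes_out)


if __name__ == "__main__":
    for peer, (i, o, r) in sorted(reflection_report(SAMPLE_FLOWS, "192.0.2.53").items()):
        print(f"{peer:>14}  in={i:>6}  out={o:>6}  amplification={r:.1f}x")
    print("likely reflection victims:", flag_reflection_peers(SAMPLE_FLOWS, "192.0.2.53"))
```

A normal client sits at a ratio near 1, so any peer well above that on a UDP service is either being reflected at or is probing the server for its amplification factor; either way the remedy on the server side is to disable the unauthenticated query feature and restrict who may send control queries, and on the network side to drop packets whose source address could not legitimately originate there.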
These attacks have been carried out by exploiting a vulnerability in the "monlist" feature of NTP, which allows unauthenticated remote attackers to misuse vulnerable NTP servers to carry out large-scale reflected denial-of-service (DrDoS) attacks. NTP servers that respond to MONLIST Mode 7 command requests generate responses that are more than 5000 times bigger than the requests. With the help of IP address spoofing, the attacker sends a huge number of requests toward a number of known public NTP servers and solicits a huge response toward the spoofed (source) address of the victim.

1.4.1.3 TOR - Onion Routing
Tor is an implementation of the concept of onion routing, in which a number of nodes located on the Internet serve as relays for Internet traffic. The Tor client on the user's system contacts a Tor directory server, from which it gets a list of nodes. The user's Tor client then selects a path for the network traffic via the various Tor nodes to the destination server. Attackers make use of Tor to hide the tracks of their malicious activities. Tor helps the attacker conduct the attack while remaining anonymous, posing a challenge for law enforcement and other investigation agencies. Malware also makes use of the Tor network to hide its communications with the master server.

1.4.1.4 Web application attacks
An organization's website is its primary mass communication medium enabled through cyberspace. Websites are favourite targets for cyber criminals, and a hacked website is used in several ways to cause disruption of services and damage to reputation. The number of websites is increasing at a rapid rate, and proportionately the web intrusions and defacements are also rising. In most web intrusions the vulnerabilities exploited are at the application level, which has relatively more of them than the other layers of the network.
Insecure coding and misconfiguration make web applications vulnerable to various types of attacks such as SQL injection, cross-site scripting (XSS), malicious file upload, abuse of functionality, etc.

1.4.1.5 Malware propagation through the Web
Despite the continuing presence of threats via removable hardware such as USB devices, the web is by far the biggest opportunity for malware infection. It carries e-mails bearing malicious links and attachments, websites hosting exploits that target browsers and other software, drive-by downloads, phishing scams and all the other malice of the cyber world. Numbers of legitimate websites are compromised, resulting in redirection of visitors to malicious websites that exploit vulnerabilities in end systems to deliver malware such as keyloggers and information stealers. Attackers target web browser plugins to deliver malicious content. The code injected into compromised websites is heavily obfuscated and polymorphic, making it harder to detect.

1.4.1.6 Targeted Attacks
Targeted attacks are on the rise. Recently a new category of targeted attack, the watering hole attack, was discovered. A watering hole is an attack vector in which the attacker determines the surfing habits of the target persons or organizations, compromises the websites they visit and hosts client-side exploits there to compromise the systems of potential visitors. If the payload happens to be a backdoor, the attackers can spy on and monitor the activities of the target organization. Because the attacker has infiltrated the targeted organization's network, they can also initiate attacks that are harmful to the organization's operations, including modifying or deleting files containing crucial information. The recently observed Operation Snowman leveraged a zero-day vulnerability in IE (CVE-2014-0322): after compromising a target (watering hole) website, the attacker added an iframe into the website's HTML code which redirected the user's browser to the exploit code.
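A website owner can look for the kind of injected iframe described above by scanning the served HTML for frames that point off-site or are made invisible. The following is an added example, not code from the original unit or from any tool it mentions: it parses a constructed page with the standard library, reports iframes whose source host is not one of the site's own hosts, or whose size or CSS hides them, and is meant to be run against a site's own deployed pages. The host names, the sample page and the allowlist are assumptions made for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed page: a legitimate embed on the site's own host, plus an injected
# iframe of the kind described above (invisible, pointing at a third-party host).
# Host names are placeholders, not real sites.
SAMPLE_HTML = """\
<html><body>
<h1>Welcome</h1>
<iframe src="https://www.example.org/embed/player" width="640" height="360"></iframe>
<p>Latest news ...</p>
<iframe src="http://attacker-placeholder.example/landing.php" width="0" height="0"
        style="display: none"></iframe>
</body></html>
"""


def _is_tiny(value) -> bool:
    """True for width/height attributes of 0 or 1 pixel (common for hidden frames)."""
    if value is None:
        return False
    m = re.match(r"\s*(\d+)", value)
    return bool(m) and int(m.group(1)) <= 1


class IframeAuditor(HTMLParser):
    """Collects every <iframe> that is external to the site's own hosts or is hidden."""

    def __init__(self, own_hosts):
        super().__init__()
        self.own_hosts = {h.lower() for h in own_hosts}
        self.findings = []    # list of (src, [reasons])

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = dict(attrs)                       # HTMLParser lower-cases attribute names
        src = a.get("src") or ""
        host = (urlparse(src).hostname or "").lower()
        reasons = []
        if host and host not in self.own_hosts:
            reasons.append(f"external src host {host}")
        if _is_tiny(a.get("width")) or _is_tiny(a.get("height")):
            reasons.append("zero/one-pixel size")
        style = (a.get("style") or "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden via CSS")
        if reasons:
            self.findings.append((src, reasons))


def audit_iframes(html: str, own_hosts) -> list:
    """Return [(src, reasons)] for every suspicious iframe in the page."""
    auditor = IframeAuditor(own_hosts)
    auditor.feed(html)
    auditor.close()
    return auditor.findings


if __name__ == "__main__":
    for src, reasons in audit_iframes(SAMPLE_HTML, ["www.example.org", "example.org"]):
        print(src, "->", ", ".join(reasons))
```

Because the injected code is typically obfuscated and may build the iframe with JavaScript at run time rather than placing it in the static HTML, a scan like this is a first pass only; comparing each served page against a known-good copy from the deployment pipeline catches changes regardless of how they are encoded.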
1.4.1.7 Exploit Pack Toolkit
An exploit pack is a toolkit that automates client-side vulnerability exploitation. The modus operandi normally revolves around targeting browsers and the programs that a website can invoke through the browser. Exploit kits typically exploit client-side software vulnerabilities in Adobe Reader, Java, Adobe Flash Player, media players, browsers, etc. Some of the notable exploit packs are WhiteLotus, InCognito, Magnitude / Death Touch, Sakura, Whitehole, Blackhole, Phoenix, Redkit, etc.

1.4.1.8 Ransomware
Ransomware is a type of malware that restricts access to the PC and its files or resources until a payment is made to decrypt the files. Ransomware generally encrypts personal files and folders. The original files are deleted once they are encrypted, and generally there is a text file in the same folder as the now-inaccessible files with instructions for payment. CryptoLocker is a file encryptor recently reported with large numbers of infections. WinLocker variants, on the other hand, 'lock' the screen (presenting a full-screen image that blocks all other windows) and demand payment.

1.4.1.9 Attacks targeting Industrial Control Systems Networks
Attackers are targeting Industrial Control System networks. The Stuxnet malware is one of the most complex threats analysed so far. It is a large, complex piece of malware with many different components and functionalities. It was primarily written to target industrial control systems or a set of similar systems. Its final goal is to reprogram industrial control systems (ICS) by modifying code on programmable logic controllers (PLCs) to make them work in the manner the attacker intended and to hide those changes from the operator of the equipment. It is the first malware to exploit four zero-day vulnerabilities, compromise two digital certificates, inject code into industrial control systems and hide that code from the operator.
Stuxnet is of such great complexity, requiring significant resources to develop, that few attackers will be capable of producing a similar threat unless backed by sources with clear ulterior motives.

Another malware called "Duqu" was reported that shares some portions of code with "Stuxnet". This malware was delivered to specific targeted organizations in the industrial sector through spear phishing and exploitation of a zero-day vulnerability in the parsing of certain fonts by MS Word. The malware gathers information about industrial engineering and control systems, though it does not disrupt their functionality. This threat is perceived as a precursor to more destructive malware that can affect Industrial Control Systems.

Nitro, another malware, was observed primarily targeting the chemical sector. These attacks used e-mails convincing target users to open password-protected zip files (pretending to be software updates), followed by installation of Remote Administration Tools (RATs) on the infected system. These RATs allow attackers to access the target system and steal business-critical data.

The Flame malware shares many characteristics with the cyber weapons Stuxnet and Duqu, which specifically target certain sectors. It is basically a backdoor with worm-like features allowing it to spread in the local network and via removable devices. Flame is capable of performing several complex operations including network traffic sniffing, scanning network resources, collecting lists of vulnerable passwords, capturing the screen, capturing video, recording audio, capturing keystrokes, scanning the disk for specific file extensions and content, and information stealing. If Bluetooth is available, it can collect information about discoverable devices in range of the infected system.

1.4.1.10 Social Network Sites (SNS) Threats
Hacktivists, scammers and malware creators target this massive and committed user base with diverse and steadily growing attacks. Social networking site data are useful to attackers.
Attackers abuse social media data for various malicious activities such as identity theft, fake social accounts, fake news, misinformation, command & control for botnets, drive-by-download, etc. Additionally, a series of malware attacks creates pandemonium on SNS sites, such as My Webcam Thingy (Twitter), FireFoxed (clickjacking intrusions), Dislike Scam (Facebook) and Over The Rainbow (Twitter).

1.4.1.11 Threats to Mobile Devices and Mobile Communication

Usage of mobile phones is rising exponentially, globally as well as in the country. It is predicted that a significant number of mobile phones will be replaced by smartphones, which have almost all the features of a typical desktop computer system. In most organizations, business processes are spreading to mobile devices and tablets. As such, the security of data residing on mobile devices is gaining importance from both the user and the organizational perspective. Malicious methods and techniques are migrating to mobile computing. Organizations' protection strategies need to change with the introduction of mobile computing. Adversaries are focusing on discovering new vulnerabilities in the mobile ecosystem. Recent malware trends indicate malware targeting the operating systems used in mobile devices, such as Android, Symbian, Apple iOS, etc. Some of the mobile malware distribution methods are: automated app repackaging, browser attacks, visiting third-party app stores, mal-advertising, and clicking on a shortened URL (e.g. a bitly link) in an SMS message or on a social networking site. Due to the high prevalence of Android-enabled mobile devices, they tend to become the primary target. Mobile counterparts of the banking Trojans came into existence on major platforms, such as Zitmo (Zeus in the mobile), Spitmo (SpyEye in the mobile), Carberp, etc.
The prevalent Android malware families were Opfake, Android KungFu, Plangton, FakeInst, SMSreg, GAMEX, RootSmart and Lotoor, capable of premium-rate texting or subscribing the user to expensive services, installing backdoors, exfiltrating confidential data, reading and intercepting SMSes and sending them to remote servers, and waiting for commands from cybercriminals, effectively becoming part of botnets. Generally, mobile malware is interested in: MITM and snooping on sensitive information; sending location coordinates (fine location); sending device identifiers (IMEI and IMSI); downloading and prompting the user to install/uninstall an app; and enumerating and sending a list of installed apps to the server. A myriad of Android exploits were found, capable of rooting devices and taking complete control of the infected devices. Some of the vulnerabilities reported were KillingInTheNameOf, RageAgainstTheCage (RATC), Exploid and Zimperlich. A mobile botnet targets mobile devices such as smartphones, attempting to gain complete access to the device and its contents as well as providing control to the botnet creator. Mobile botnets take advantage of unpatched vulnerabilities to provide hackers with root permissions over the compromised mobile device, enabling them to send e-mail or text messages, make phone calls, access contacts and photos, and more. Most mobile botnets go undetected and are able to spread by sending copies of themselves from compromised devices to other devices via text messages or e-mail messages. Some of the known botnet families were Android Bmaster, SpamSoldier, Tigerbot, Geinimi, etc.

1.4.1.12 Threats to Client Systems

The security risks and challenges most users face on a daily basis come from the products typically found on end point PCs and their related vulnerabilities. The variety and prevalence of programmes found on typical end point PCs, coupled with the unpredictable usage patterns of users, make end point PCs an attractive attack vector for cyber criminals.
Vulnerabilities on end point PCs are commonly exploited when the user of the vulnerable computer visits a malicious site, or opens data, files or documents with one of the numerous programmes and plug-ins installed on the PC. End point PCs contain the most valuable data but continue to be the least protected. The complexity of security patching on the end point PC is the biggest contributor to infections. This issue is complicated by the fact that, barring a few vendors, most software product vendors do not provide an easy-to-use and effective security patch updating mechanism, neglecting the end point PC and leaving the issue of updating to the end user. The best ways to reduce the risks people are exposed to by using software and the Internet would certainly be by reducing the number of vulnerabilities and the window of opportunity to exploit them. Two major steps towards this goal are: (1) increasing general awareness among users of the risk of third-party programs, and (2) adopting unified patching techniques to reduce the complexity of patching end point systems, as a security patch applied in time provides better security by eliminating the root cause.

1.4.1.13 Attacks on Certifying Authorities - Trust Infrastructure

Trust infrastructure components such as digital certificates and cryptographic keys are used at various levels of cyber space, ranging from products to applications and networks. Trust infrastructures are extremely important for information security as they build the basis for securing information at many levels, and help to authenticate partners or systems by establishing trusted interactions. With the introduction of electronic identity systems for the identification of people, trust infrastructures play a significant role in overall internet transactions.
Compromise of the infrastructure of a Certifying Authority, or of the key management systems of product/application owners, may result in a breakdown of user trust and misuse of authentication mechanisms. Recent trends indicate that adversaries are targeting the infrastructure of Certifying Authorities and authentication mechanisms to steal sensitive key-related information that facilitates the creation of rogue certificates. Sophisticated malware such as Stuxnet and Duqu used stolen certificates to sign fake drivers and thwart detection by security systems. Implementations of trust functions and the security of the associated infrastructure need to be reviewed regularly. Providers of app stores will need to pay special attention to the implementation of trust and security functions in order to avoid a serious impact on user trust. In the emerging area of cloud computing, cryptographic functions and the corresponding key material will need to be better protected.

1.4.2 Emerging Threats

1.4.2.1 Emerging threats targeting Industrial Control Systems (ICS)

Different vulnerabilities have been reported in ICS systems and devices. Trends indicate that the focus of adversaries is on finding new vulnerabilities and creating exploits for them. Further, attempts to scan and probe SCADA systems are also reported in the wild. The future holds a great degree of cyber threat to Industrial Control Systems (ICS). This emphasizes the need to conduct comprehensive risk assessments for critical infrastructure and to devise appropriate controls to isolate critical systems from general business networks.

1.4.2.2 Emerging Threats to the cloud computing environment

Cloud computing is the use of computing resources (hardware and software) that are delivered as a service over a network (typically the Internet). Organizations use cloud computing facilities through virtual resources allotted to them.
The primary models of cloud services are as follows:

- Infrastructure as a service (IaaS)
- Platform as a service (PaaS)
- Software as a service (SaaS)
- Network as a service (NaaS)
- Storage as a service (STaaS)
- Security as a service (SECaaS)

The rapidly growing adoption of "cloud computing" is also increasing severe security risks. Security has remained a constant issue when services are used via the internet. There are several security issues in cloud computing, which range from securing data to examining the utilization of the cloud by cloud computing vendors. The rapid development of cloud computing has brought many security risks for consumers and service providers. A few commonly perceived cloud computing risks are:

a. Change in the business model: Cloud computing services change the way IT services are delivered. IT services are no longer delivered from an on-site location with its own servers and storage. All applications are provided by external service providers, through which the IT services are used. Organizations need to evaluate the risks associated with the loss of control of the infrastructure and data.

b. Data loss and leakage: Ineffective implementation of security controls, including the authentication system of cloud services, may lead to the compromise of organization data. Shared infrastructure resources are also an issue of concern. Organizations should be aware of the encryption methodology, data disposal procedures and business continuity management of the service provider.

c. Risk profile: Cloud computing service providers may focus more on functionality and benefits and less on security. Without appropriate security solutions such as software updates, intrusion prevention and firewalls, the customer organization will be at risk.

d. Malicious insiders: While taking the benefits of cloud computing, the organization need not know the technical details of how the services are implemented and delivered.
A malicious insider at the service provider organization may lead to a security breach of the organization's data. A malicious insider could be a current employee, a contractor, or a business partner of the service provider who has access to a network, system or data. The service provider's policies, procedures, physical access to systems, monitoring of employees and compliance-related issues should be made transparent to the customer. As cloud computing gains wider adoption due to its benefits, the focus of adversaries on exploiting vulnerabilities in it is also rising. The concentration of large amounts of data in a connected logical location makes cloud infrastructure a favourite target for cyber criminals. The integration of cloud services on mobile devices has increased the attack and risk surface. Cloud computing services provide both business and technical benefits. Risk assessments help organizations identify, manage and reduce the risk associated with cloud computing, and enable the organization to achieve the benefits of the cloud at the lowest level of risk. Prominently perceived threats to cloud computing are:

- Application level attacks
- Malware and botnets
- Drive-by-download attacks
- Data breaches by internal or external threat agents affecting multiple users
- Denial of Service attacks
- Targeted attacks using cloud infrastructure for Command & Control
- Attacks on the virtual systems performing security jobs such as encryption
- Attacks on insecure interfaces and authentication systems

1.4.2.3 Emerging threats in Big Data

Large collections of data that emerge from the operation and usage of large infrastructure, applications, web services, user interaction, etc. are a critical asset to protect from adversaries. Big data provides valuable information to attackers to launch attacks and gather information about users and organizations.
Perceived threats to Big Data are:

- Espionage/data breach
- Information disclosure
- Targeted attacks
- Identity theft
- Malware
- Drive-by-download attacks

1.4.2.4 Emerging threats in the Internet of Things

The Internet of Things (IoT) is the network of physical objects or "things" embedded with electronics, software, sensors, and network connectivity, which enables these objects to collect and exchange data. Interconnected devices and smart environments are among the targets of attackers. Poor security in design, development and implementation leaves this domain vulnerable to attacks. Perceived threats to the Internet of Things are:

- Malware and botnets
- Data breach & information disclosure
- Phishing & spam
- Denial of Service
- Identity theft
- Targeted attacks

1.4 CASE STUDY

In this section we discuss a case study of a Distributed Denial of Service (DDoS) attack. The focus of the case study is on the type of tools used in the attack and the techniques adopted by the attackers.

Case Study - Operation Payback and similar activist operations

As reported, Operation Payback was a series of DDoS attacks organized by users of 4chan's board against major entertainment industry websites, such as the websites of the Recording Industry Association of America and the Motion Picture Association of America. The attacks continued unabated for over one month. It was a coordinated, decentralized group of attacks on high-profile opponents of Internet piracy by Internet activists using the "Anonymous" moniker. Operation Payback started as retaliation for distributed denial of service (DDoS) attacks on torrent sites; piracy proponents then decided to launch DDoS attacks on piracy opponents. The initial reaction snowballed into a wave of attacks on major pro-copyright and anti-piracy organizations, law firms, and individuals.
Figure 3: Operation Payback

Tools and communication

Members of Operation Payback reportedly used an IRC channel to communicate about which targets to select, after which "attack posters" were produced and posted on various boards. Social media such as Twitter and Facebook were also utilized for coordination. Operation Payback members used a modified version of the Low Orbit Ion Cannon (LOIC) to execute the DDoS attacks. The Anonymous group used different tools for conducting attacks; in the following paragraphs we discuss the different tools and techniques used by Anonymous for conducting Operation Payback and similar attacks.

Anonymity

One of the first and foremost concerns of Anonymous is to maintain its anonymity by various methods. Reportedly, they made use of VPN servers, proxy chains and TOR. The Guy Fawkes mask, which is prominently used at physical rallies and protests, has become a symbol of the group.

Figure 4: Symbol of Operation Payback

This poses a challenge in tracking attacker location for law enforcement and other organizations that might want to identify repeat protestors. TOR (onion routing) is used by Anonymous to keep attacking devices anonymous. The Onion Router was first developed by the U.S. Naval Research Laboratory as a means to keep Internet traffic anonymous. It was made available to the public and now provides anonymous Internet access and communications for anyone. The TOR service works by utilizing a number of pre-designated Tor routing nodes around the world. Internet traffic is made up of data packets and routing headers. The routing headers contain information on the source of the request, the destination, the size of the packets, etc. By using traffic analysis, one's origin can be tracked by examining the headers. Tor helps to reduce the risk of both simple and sophisticated traffic analysis by distributing transactions over several places on the Internet, so that no single point can link you to the original source.
Instead of taking a direct route from source to destination, data packets on the Tor network take a random pathway through several relays that cover their tracks, so no observer at any single point can tell where the data came from or where it is going. By installing the Tor client software on a device and using the service exclusively for all transactions, anonymity can be maintained. The Tor software obtains a list of current Tor nodes around the world when it connects to the service.

Flooding Tools

Reportedly LOIC and HOIC were used by the group for conducting DDoS attacks; in some cases modified versions of these tools were used.

i. Low Orbit Ion Cannon (LOIC): LOIC performs a denial-of-service (DoS) attack (or, when used by multiple individuals, a DDoS attack) on a target site by flooding the server with TCP or UDP packets with the intention of disrupting the service of a particular host. People have used LOIC to join voluntary botnets in Anonymous DDoS attacks. LOIC allows someone who has zero technical ability to participate in collective attacks. LOIC is a point-and-click tool: with just a click of a button the user points the "cannon" at a particular URL or IP address, and the software does the rest of the job of flooding the target.

Figure 5: Low Orbit Ion Cannon

ii. High Orbit Ion Cannon (HOIC): an open source network stress testing and denial-of-service attack application written in BASIC, designed to attack as many as 256 URLs at the same time. HOIC is a tool for launching HTTP POST and GET requests at a targeted server. According to its documentation, it can be used to open up 256 attack sessions simultaneously, either targeting a single server or going after multiple targets. The user can control the number of threads used per attack.
Figure 6: High Orbit Ion Cannon

Vulnerability Scanning and Website Defacement

In some cases it is reported that the group scanned for vulnerabilities in the target environment and exploited them, usually to deface the target's website and paste a message on it. Website defacement is an attack on a website that changes the visual appearance of the site or a webpage. Web defacement is sometimes used by activists to spread a message or political propaganda.

Figure 7: Sample screenshot of a defaced website

1.7 LET US SUM UP

In this unit we discussed common attacks on networks, the current threat landscape and emerging threats to new technologies. The threat landscape is dynamic and changes regularly as new vulnerabilities and exploits are discovered. Students are advised to keep learning as new threats and vulnerabilities emerge, to keep themselves updated. It is of utmost importance to understand the attack and threat landscape in order to better protect the network. In the remaining units of this block we will discuss securing the network against threats and attacks.

Activities:

Activity 1: Explore and write a note on five network attacks other than those listed in this section.
Activity 2: Write a note on spoofing and password attacks with examples.
Activity 3: Write a brief on some recent attacks on computer networks reported in the news.
Activity 4: Prepare a write-up on security issues in cloud computing.
Activity 5: Prepare a case study on the cyber attack on Estonia.

1.8 CHECK YOUR PROGRESS

1. Discuss five common attacks on computer networks.
2. What is IP spoofing?
3. Write a note on Distributed Denial of Service (DDoS) attacks.
4. What is a watering hole attack?
5. Discuss threats to mobile computing.
6. Discuss the emerging threats to the Internet of Things (IoT).

1.9 MODEL QUESTIONS

1. Write a short note on network security.
2. Discuss the current threat landscape.
3. Discuss emerging threats to cloud computing and the Internet of Things.
4. Discuss five common attacks possible on computer networks, with examples.
5. What is a MITM attack? Discuss the impact of MITM.
6. Write a note on DoS/DDoS attacks.
7. Discuss SYN flooding and UDP flooding.
8. Discuss tools and communication methods used by hacker groups.
9. "Websites as a vector for propagating malware": discuss.
10. Discuss possible attacks on the Internet trust infrastructure.

UNIT II: NETWORK SECURITY TECHNOLOGIES

2.1 LEARNING OBJECTIVES

After going through this unit, you will be able to:

- Understand network security technology.
- Understand the concept of and requirement for a firewall.
- Understand the application of Intrusion Detection and Prevention Systems (IDPS).
- Know the impact of different network attacks, and honeypots.
- Understand the importance of log management.
- Know Security Information and Event Management (SIEM).

2.2 INTRODUCTION

Network security is the technology and methods used to protect the confidentiality, integrity and availability of the network. Network security technology refers to the technological safeguards and managerial procedures which ensure that organizational assets and individual privacy are protected over the network. Network security is needed to secure data and protect the network from attacks. In this unit we discuss technological methods to secure the network, sometimes also referred to as perimeter security devices. We will discuss firewalls, Intrusion Detection and Prevention Systems (IDPS), Security Information and Event Management (SIEM) and honeypots.

2.3 FIREWALL

A firewall refers to a network system (hardware or software) which blocks certain kinds of network traffic, forming a barrier between a trusted and an untrusted network. It is analogous to a physical firewall in the sense that firewall security attempts to block the spread of computer attacks. A firewall allows or blocks the network traffic between devices based on a set of rules defined by the administrator. Each rule defines a specific traffic pattern and the action to be taken when the pattern is detected.
Figure 8: Firewall in a computer (source: https://commons.wikimedia.org/wiki/File:Gateway_firewall.svg)

A firewall can only operate on the traffic that physically passes through it. It has no impact on the traffic between devices on the same side of the firewall. When an organization is connected to the internet without a firewall (as shown in Figure 8), the exposure to attack is called the "zone of risk". Every host on the internet is accessible and can attack every host on the private network. To reduce the zone of risk, we need to implement a firewall system. The zone of risk will then be the firewall system itself. Now every host on the internet can attack the firewall system, but the systems of the network are protected by the firewall, and it also becomes easy to monitor all the risk at one place (the firewall). In data networking, a firewall is a device with a set of rules to permit or deny network access by unauthorized services. It is similar in function to the physical fire wall from which it takes its name. Many operating systems support a software-based firewall to deny unauthorized access to the private network. Software firewalls act between the network card drivers and the operating system. The firewall must be positioned in the network so as to control all incoming and outgoing traffic. Usually a firewall is positioned as shown in the diagram above, where it has control of the entire network traffic and filters the packets that physically pass through it. As an analogy, the job of a network firewall is similar to that of a physical firewall that keeps a fire from spreading from one area to the next. A firewall is a device or program that blocks undesired Internet traffic, including known viruses, from reaching protected computers. Firewalls make it possible to filter the incoming and outgoing traffic that flows through the network.
The rules of a firewall inspect one or more characteristics of the packets, including but not limited to the protocol type, the source or destination host address and the source or destination port. Based on the matching rule, the firewall takes an action on the packet, such as forwarding the packet, dropping the packet, etc. By default a firewall should drop all packets that are not specifically allowed by the ruleset.

Table 1: Example rule for a firewall

Rule no. | Direction | Source IP    | Destination IP | Protocol | Destination Port | Action
3        | OUT       | 192.168.4.10 | 192.168.4.25   | TCP      | 80               | Allow

The rule states that, as rule no. 3 in the access list of the firewall, it is applicable to outbound traffic: traffic with source IP 192.168.4.10, destination IP address 192.168.4.25 and destination port 80 is allowed through the firewall.

Firewalls can greatly enhance the security of a host or a network. They can be used to do one or more of the following things:

- Protect and insulate the applications, services and machines of the internal network from unwanted traffic coming in from the public Internet.
- Limit or disable access from hosts of the internal network to services on the public Internet.
- Support network address translation (NAT), which allows the internal network to use private IP addresses and share a single connection to the public Internet.

2.3.1 Types of Firewall - based on filtering methods

Based on the different methods of filtering network packets, we can broadly classify firewalls into the following five types:

2.3.1.1 Packet Filtering Firewall

All internet traffic in the network is in the form of packets. A packet contains the following information:

- Source IP address
- Destination IP address
- The data
- Error checking information
- Protocol information
- Additional options

In packet filtering, the protocol and address information in each packet is considered; this type of filtering pays no attention to the existing stream of packets.
Instead, it filters by examining each incoming or outgoing packet on its own, allowing or denying the packet according to the acceptance policy in the configuration rules. A packet filtering firewall operates at the IP layer of the protocol stack. Traffic is filtered at this layer based on characteristics including source address, destination address and port numbers. Filtering policies rely completely on allowing or disallowing an IP address, port or protocol.

2.3.1.2 Application Layer Firewall

These firewalls understand and work on layer 7 of the OSI model, i.e. the application layer of the network stack. An application firewall inspects the payload of the IP packet, which contains a TCP/UDP segment, within which it inspects the application layer data.

2.3.1.3 NAT Firewalls

Network Address Translation (NAT) is a method of translating the current IP address to a new IP address at the firewall, so that to the packet receiver the traffic appears to come from a single IP address. This prevents the attacker from knowing the original IP addresses in the network. The NAT firewall creates a table in memory that holds all this translation and connection information. The ability to map the entire network behind a single IP is based on the port number assigned by the NAT firewall.

Example of NAT IP address translation:

Source IP   | Source Port | NAT IP        | NAT Port | Destination IP | Destination Port
192.168.0.1 | 3144        | 172.28.230.55 | 3144     | 10.100.100.44  | 80

Rule no. | Direction | Source IP    | Source Port | NAT IP       | NAT Port
3        | OUT       | 192.168.4.10 | 8080        | 192.168.4.40 | 8080

Here, when a packet originates from the source IP (192.168.4.10), NAT changes the source IP address to 192.168.4.40 in each packet before it is forwarded to the destination IP. The destination can never trace the original source IP address.

2.3.1.4 Circuit Level Firewall

Circuit level filtering works at the session layer of the OSI model. Traffic to the remote computer is made to appear as though it originated from the circuit level firewall.
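As an added illustration (not the textbook's own code), the following Python model of the NAT table described above uses the addresses from the tables and shows the two things a NAT firewall must do beyond rewriting the source address: translate replies back to the inside host using the table, and drop inbound packets that match no entry. The NatTable class, its port-allocation behaviour when two inside hosts use the same source port, and the packet values are assumptions of this example.

```python
"""Source NAT table model: outbound rewrite, reverse lookup for replies, default drop."""
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "TCP"


Endpoint = Tuple[str, int]  # (inside IP, inside port)


class NatTable:
    """Hides every inside host behind one NAT IP, distinguishing them by NAT port."""

    def __init__(self, nat_ip: str, first_port: int = 1024, last_port: int = 65535):
        self.nat_ip = nat_ip
        self.first_port, self.last_port = first_port, last_port
        self.outbound: Dict[Endpoint, int] = {}  # (inside IP, inside port) -> NAT port
        self.inbound: Dict[int, Endpoint] = {}   # NAT port -> (inside IP, inside port)

    def _allocate_port(self, wanted: int) -> int:
        # Keep the original source port when it is free (as in the textbook's table);
        # otherwise take the lowest free port so two inside hosts never collide.
        if wanted not in self.inbound and self.first_port <= wanted <= self.last_port:
            return wanted
        for port in range(self.first_port, self.last_port + 1):
            if port not in self.inbound:
                return port
        raise RuntimeError("NAT port pool exhausted")

    def translate_outbound(self, pkt: Packet) -> Packet:
        """Rewrite an inside->outside packet and record the mapping for its replies."""
        key = (pkt.src_ip, pkt.src_port)
        if key not in self.outbound:
            nat_port = self._allocate_port(pkt.src_port)
            self.outbound[key] = nat_port
            self.inbound[nat_port] = key
        return replace(pkt, src_ip=self.nat_ip, src_port=self.outbound[key])

    def translate_inbound(self, pkt: Packet) -> Optional[Packet]:
        """Map an outside->NAT packet back to the inside host; None means drop it."""
        if pkt.dst_ip != self.nat_ip or pkt.dst_port not in self.inbound:
            return None  # no table entry: unsolicited inbound traffic is dropped
        inside_ip, inside_port = self.inbound[pkt.dst_port]
        return replace(pkt, dst_ip=inside_ip, dst_port=inside_port)


if __name__ == "__main__":
    # Constructed sample traffic using the addresses from the textbook's NAT table.
    nat = NatTable("172.28.230.55")
    out = nat.translate_outbound(Packet("192.168.0.1", 3144, "10.100.100.44", 80))
    print("outbound after NAT:", out)
    back = nat.translate_inbound(Packet("10.100.100.44", 80, "172.28.230.55", 3144))
    print("reply delivered to:", back)
    print("unsolicited inbound:", nat.translate_inbound(
        Packet("10.100.100.44", 80, "172.28.230.55", 4444)))
```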
This modification partially hides information about the protected network, but has the drawback that it does not filter individual packets within a given connection.

2.3.1.5 Stateless and Stateful Firewall

Stateful filtering is the most modern approach to firewalls; it combines the capabilities of NAT firewalls, circuit level firewalls and application firewalls into a common system. This approach validates the connection before allowing data to be transferred. These firewalls filter traffic initially on packet characteristics and rules, and also include a session validation check to make sure that the specific session is allowed. Stateless firewalls watch the traffic packet by packet and filter it based on individual rules. Each packet is individually checked and filtered. They do not attempt to correlate the packets that came before and then judge whether there is malicious potential or intent. However, it is necessary to watch a set of packets between a source and a destination to infer any malicious intent. Stateful firewalls can watch traffic streams from end to end. They are aware of communication paths, which means the firewall can identify flows. A flow table that records the source and destination IP addresses is built dynamically in the firewall. The firewall then monitors the packets pertaining to each flow in both directions and applies the filtering rules.

2.3.2 Firewall Types - Based on deployment

Based on the place of deployment, there are two main types of firewalls: network firewalls and host-based firewalls. Network firewalls are deployed at the network perimeter, while host-based firewalls are deployed on the host system.

2.3.2.1 Network Firewalls

Network firewalls protect an entire network by guarding the perimeter of that network. Network firewalls forward traffic to and from computers on an internal network and filter that traffic based on the criteria the administrator has set.
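To make the difference between packet filtering (2.3.1.1) and stateful filtering concrete, here is an added Python example (not from the textbook) that evaluates rule 3 of Table 1 first statelessly, packet by packet with default deny, and then with a flow table. With the stateless filter, the web server's reply to an allowed request is dropped because no rule covers it; the stateful filter remembers the validated session and lets its reply through while still denying unsolicited inbound packets. The Rule and StatefulFilter classes and the sample packets are assumptions of this example.

```python
"""Stateless first-match filtering with default deny, then the same rules plus a flow table."""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    direction: str  # "IN" or "OUT" relative to the protected network
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "TCP"


@dataclass(frozen=True)
class Rule:
    number: int
    direction: str
    src_ip: Optional[str]      # None means "any"
    dst_ip: Optional[str]
    proto: Optional[str]
    dst_port: Optional[int]
    action: str                # "Allow" or "Deny"

    def matches(self, pkt: Packet) -> bool:
        return (self.direction == pkt.direction
                and self.src_ip in (None, pkt.src_ip)
                and self.dst_ip in (None, pkt.dst_ip)
                and self.proto in (None, pkt.proto)
                and self.dst_port in (None, pkt.dst_port))


# Rule 3 from Table 1: outbound HTTP from 192.168.4.10 to 192.168.4.25 is allowed.
RULESET: List[Rule] = [
    Rule(3, "OUT", "192.168.4.10", "192.168.4.25", "TCP", 80, "Allow"),
]


def stateless_filter(pkt: Packet, rules: List[Rule] = RULESET) -> str:
    """First matching rule decides; a packet no rule allows is dropped (default deny)."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "Deny"


Flow = Tuple[str, str, int, str, int]  # proto, src IP, src port, dst IP, dst port


class StatefulFilter:
    """Same ruleset, plus a flow table so replies to validated sessions are recognised."""

    def __init__(self, rules: List[Rule] = RULESET):
        self.rules = rules
        self.flows: Set[Flow] = set()

    def decide(self, pkt: Packet) -> str:
        forward = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        reverse = (pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        # Packets belonging to an already validated flow pass in either direction.
        if forward in self.flows or reverse in self.flows:
            return "Allow"
        action = stateless_filter(pkt, self.rules)
        if action == "Allow":
            self.flows.add(forward)  # remember the session so its replies are matched
        return action


if __name__ == "__main__":
    # Constructed sample traffic: an HTTP request covered by rule 3 and its reply.
    request = Packet("OUT", "192.168.4.10", 50000, "192.168.4.25", 80)
    reply = Packet("IN", "192.168.4.25", 80, "192.168.4.10", 50000)
    print("stateless request:", stateless_filter(request))
    print("stateless reply:  ", stateless_filter(reply))
    fw = StatefulFilter()
    print("stateful request: ", fw.decide(request))
    print("stateful reply:   ", fw.decide(reply))
```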
Network firewalls come in two flavours: hardware firewalls and software firewalls. Network firewall systems such as those from Cisco, Juniper, etc. protect the perimeter of a network by watching the traffic that enters and leaves it. A Linux box can also be converted into a firewall using iptables.

Figure 9: Network based firewall (source: http://www.online-sciences.com/technology/software-firewalls-and-hardware-firewalls-advantages-and-disadvantages/)

2.3.2.2 Host-Based Firewalls

Host-based firewalls are usually software firewalls installed on each individual system. Depending on the software the user chooses, a host-based firewall can offer features beyond those of network firewalls, such as protecting the computer from malware infection and data leakage. Today almost all operating systems have inbuilt software features that the user can enable to act as a host-based firewall. Apart from the inbuilt firewall features, third-party firewall software (both open source and commercial), such as ZoneAlarm, personal firewalls, softwall, etc., is available.

Figure 10: Host based firewall

To Do

Activity 1: Enable the inbuilt firewall on your system and understand the rules.
Activity 2: Write a rule to block access to google.com, test the rule and remove the rule after the activity is done.
Activity 3: Download and set up any third-party open source firewall on your system.

2.4 INTRUSION DETECTION AND PREVENTION SYSTEM

An Intrusion Detection and Prevention System (IDPS) is a device or software application that monitors network or system activities for malicious activity or policy violations and produces reports to a management station; the prevention component of the IDPS reacts to the incident/event and tries to thwart the intrusion attempt.
Intrusion detection is the process of monitoring the events occurring in a computer system or network and analyzing them for signs of possible incidents, which are violations or imminent threats of violation of computer security policies, acceptable use policies, or standard security practices. Intrusion prevention is the process of performing intrusion detection and attempting to stop detected possible incidents. Intrusion detection and prevention systems (IDPS) are primarily focused on iden