
Network Threats
6COSC019W - Cyber Security
Dr Ayman El Hajjar
February 06, 2024
School of Computer Science and Engineering, University of Westminster

Sniffers | Application layer attacks | Network layer attacks | Data Link layer attacks | Denial of Service attacks

OUTLINE
1. Sniffers
2. Application layer attacks
   HTTP
   DNS
   Session layer attacks
   Transport layer attacks
3. Network layer attacks
4. Data Link layer attacks
5. Denial of Service attacks

MALICIOUS ACTIVITY ON THE RISE
❏ Examples of malicious attacks are everywhere
❏ Data breaches occur in both public and private sectors
❏ In 2020, China was the top country of origin for cyberattacks, at 41 percent.
❏ The United States was second at 10 percent.
❏ Real time attack maps:
❐ DDoS real time attacks
❐ Cyberthreats real time map

SNIFFERS
❏ An application or device designed to capture, or “sniff,” network traffic as it moves across the network
❏ A technology used to steal or observe information
❏ Allows viewing of email passwords, web passwords, File Transfer Protocol (FTP) credentials, email contents, and transferred files
❏ When a network adapter is put in promiscuous mode (also called monitor mode), a sniffer realises its full potential, including sniffing all traffic regardless of the destination address.
❐ In normal mode the network adapter drops or ignores any packet not intended for it.
❐ In promiscuous mode the network adapter captures all traffic it can hear.
SNIFFERS: THREATS TO PROTOCOLS
❐ Telnet — Keystrokes can be easily sniffed if transmitted over Telnet
❐ Hypertext Transfer Protocol (HTTP) — Designed to send information in the clear without any protection and is a good target for sniffing
❐ Simple Mail Transfer Protocol (SMTP) — Commonly used in the transfer of email; is simple and efficient but does not include protection against sniffing
❐ Post Office Protocol (POP) — Designed to retrieve email from servers but does not include protection against sniffing, so passwords and usernames can be intercepted
❐ File Transfer Protocol (FTP) — A protocol designed to send and receive files; all transmissions are sent in the clear

Application layer attacks

PASSIVE ATTACKS - HTTP BASIC AUTHENTICATION
❏ An example of such an attack is HTTP authentication:
❏ HTTP basic authentication is a simple challenge and response mechanism with which a server can request authentication information (a user ID and password) from a client. The client passes the authentication information to the server in an Authorization header.
❏ Insecure, as the full credentials pass over the wire and are sent in the clear

DNS ATTACKS - DNS PHARMING
❏ An attacker attempts to change the IP associated with a server maliciously:

DNS ATTACKS - DNS CACHE POISONING
❏ Basic idea: give DNS servers false records and get them cached
❏ A cache may be poisoned when a name server:
❐ Disregards identifiers
❐ Has predictable ids
❐ Accepts unsolicited DNS records
❏ There are 3 main different ways to do DNS cache poisoning:
❐ The first relies on redirecting the nameserver of the attacker’s domain to the nameserver of the target domain, and then assigning this target nameserver a fake IP address.
❐ The second variant relies on redirecting the nameserver of another, unrelated domain to a fake nameserver.
❐ The third variant just involves “racing” the real nameserver to give

SESSION HIJACKING
❏ Session hijacking builds on sniffing the network.
❏ The goal is not only to observe traffic and sessions currently active on the network but also to take over a session that has authenticated access to the resource
❏ Occurs when attackers use a valid session to gain unauthorised access to a system, information, or service
❏ Targets authentication, which typically takes place at the beginning of a session, making session hijacking possible after that point
❏ Relies on a basic understanding of how messages and their packets flow over the Internet

SESSION HIJACKING (CONT.)
❏ In a session hijacking attack, an attacker takes control of or modifies any communications between two hosts by:
❐ Placing themselves between Party A and Party B.
❐ Monitoring the flow of packets using sniffing techniques.
❐ Analysing and predicting the sequence number of the packets.
❐ Severing the connection between the two parties.
❐ Seizing control of the session.
❐ Performing packet injection into the network.

IDENTIFYING AN ACTIVE SESSION
❏ For a session hijack to be successful, the attacker must locate and identify a suitable session for hijacking
❏ An attacker must successfully determine or guess the sequence numbers to hijack a session.
Sequence number prediction:
❏ When a client transmits a SYN packet to a server, the response will be a SYN/ACK. The client then responds to this SYN/ACK with an ACK. During this handshake, the starting sequence number will be assigned using a random method if the operating system supports this function.
❏ If this sequence number is predictable, the attacker can initiate the connection to the server with a legitimate address and then open up a second connection from a forged address.

AN EXAMPLE - HIJACKING A TCP SESSION
❏ Enter the attacker:
❐ Spoof the client’s IP address: easy
❐ Determine the correct sequence number the server is expecting from the client: nothing a good network sniffer can’t figure out.
❐ Inject data into the session before the client sends its next packet.
❏ Note: the attacker needs a way to “hold down” the client so it does not send new data into the session that would shift the sequence numbers forward: either DoS the client, or send before it does.

SESSION HIJACKING (CONT.)
❏ Session hijacking takes advantage of the fact that most communications are protected from the beginning at session setup, such as by providing credentials, but not during the session.
❏ Session hijacking attacks generally fall into the following three categories:
❐ Man in the middle attack
❐ Blind hijack attacks
❐ Session theft attacks

MAN IN THE MIDDLE ATTACK (MITM)
❏ An attacker intercepts all communications between two hosts.
❏ The attacker positions themselves so that communications between a client and server must flow through them, which allows them to modify the communications.
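The sniffer slides say that a sniffer can read web passwords off the wire, and the HTTP Basic Authentication slide says why: the Authorization header carries the user ID and password as base64, which is encoding, not protection. The following Python is an added example (not from the lecture slides) of the check a defender runs over captured or proxied plaintext HTTP: it parses each request, decodes a Basic token per RFC 7617 and reports which accounts were exposed. The requests are constructed sample data, and only the password length is reported, never the password.

```python
import base64
import binascii

# Constructed sample of plaintext HTTP requests, as a sniffer on the same
# segment would see them. Not a real capture.
CAPTURED_REQUESTS = [
    "GET /admin HTTP/1.1\r\nHost: intranet.example\r\n"
    "Authorization: Basic YWxpY2U6cGFzc3dvcmQxMjM=\r\n\r\n",
    "GET /public HTTP/1.1\r\nHost: www.example\r\n\r\n",
    "POST /api HTTP/1.1\r\nHost: api.example\r\n"
    "Authorization: Bearer not-basic-so-not-decoded\r\n\r\n",
    "GET /x HTTP/1.1\r\nHost: h.example\r\nAuthorization: Basic !!notbase64!!\r\n\r\n",
]


def parse_request(raw):
    """Split one HTTP/1.1 request into its request line and a lower-cased header dict."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def basic_credentials(headers):
    """Return (user, password) if the Authorization header carries decodable
    Basic credentials (RFC 7617: base64 of "user:password"), else None."""
    scheme, _, token = headers.get("authorization", "").partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, ValueError):
        return None          # malformed token: nothing readable here
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def find_exposed_credentials(requests):
    """Report every request whose credentials were readable on the wire.
    The password itself is never stored; only its length is reported."""
    findings = []
    for raw in requests:
        request_line, headers = parse_request(raw)
        creds = basic_credentials(headers)
        if creds is not None:
            findings.append({
                "host": headers.get("host", "?"),
                "request": request_line,
                "user": creds[0],
                "password_length": len(creds[1]),
            })
    return findings


if __name__ == "__main__":
    for f in find_exposed_credentials(CAPTURED_REQUESTS):
        print(f"credentials in the clear: {f['user']}@{f['host']} ({f['request']})")
```

Any hit means the same credentials were available to every host able to sniff the segment; the fix is to move the service behind TLS (HTTPS), after which the header is still Basic but no longer readable in transit.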
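The "Identifying an active session" and "Hijacking a TCP session" slides hinge on whether the server's initial sequence number (ISN) can be guessed from earlier handshakes. The Python below is an added example, not part of the lecture material: a crude version of the classic ISN predictability test (compare the gaps between successive ISNs) applied to constructed samples, next to a generator in the style of RFC 6528 (ISN = clock + keyed hash of the 4-tuple), which is how modern stacks make the gaps useless to an observer. The sample ISN lists and the key are constructed, not captured.

```python
import hashlib
import hmac

SEQ_MOD = 1 << 32

# Constructed ISN samples, one per observed handshake. Not captured data.
OLD_STACK = [1000 + 64000 * i for i in range(6)]             # fixed increment per connection
TIME_BASED = [1000, 65100, 129300, 193550, 257700, 321800]   # clock-driven, small jitter
MODERN = [0x1A2B3C4D, 0x9F8E7D6C, 0x0102F3E4, 0xDEADBEEF, 0x7ABC1234, 0x3C0FFEE5]


def isn_steps(isns):
    """Signed step between successive ISNs, taking 32-bit wrap-around into account."""
    steps = []
    for a, b in zip(isns, isns[1:]):
        d = (b - a) % SEQ_MOD
        steps.append(d - SEQ_MOD if d > SEQ_MOD // 2 else d)
    return steps


def classify_isn(isns):
    """Crude version of the classic ISN predictability test: when the gaps between
    successive ISNs barely vary, one observed handshake lets an attacker guess the next."""
    if len(isns) < 3:
        raise ValueError("need at least three observed ISNs")
    steps = isn_steps(isns)
    spread = max(steps) - min(steps)
    if spread == 0:
        return "constant increment: trivially predictable"
    if spread < (1 << 16):
        return "small variation: predictable"
    return "random-looking: not predictable from observation"


def rfc6528_isn(secret, local_ip, local_port, remote_ip, remote_port, micros):
    """Hardened generator in the style of RFC 6528: ISN = M + F(4-tuple, secret),
    where M is a 4-microsecond clock and F is a keyed hash. Each connection gets an
    unrelated offset, so observing one handshake says nothing about the next."""
    tuple_bytes = f"{local_ip}:{local_port}->{remote_ip}:{remote_port}".encode()
    f = int.from_bytes(hmac.new(secret, tuple_bytes, hashlib.sha256).digest()[:4], "big")
    return ((micros // 4) + f) % SEQ_MOD


def hardened_sample(secret=b"constructed-demo-key", n=6):
    """ISNs handed to n successive clients of the same service (constructed 4-tuples)."""
    return [rfc6528_isn(secret, "10.0.0.10", 80, "10.0.0.7", 50000 + i, 1_000_000 + 1000 * i)
            for i in range(n)]


if __name__ == "__main__":
    for label, sample in (("old stack", OLD_STACK), ("time based", TIME_BASED),
                          ("modern", MODERN), ("rfc6528", hardened_sample())):
        print(f"{label:10s} {classify_isn(sample)}")
```

The spread threshold of 2^16 is a simplification of the real test, which reports a difficulty index; the point to take away is that the defence lives in the operating system's ISN generator, not in the application.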
❏ Protocols that rely on the exchange of public keys to protect communications, for example, are often the target of these types of attacks (ARP, DNS)

BLIND HIJACK ATTACK
❏ An attacker can inject data such as malicious commands into those communications
❏ This type of attack is called blind hijacking because the attacker can only inject data into the communications stream;
❏ The attacker cannot see the response to that data, such as “The command completed successfully.”
❏ This method of hijacking is still very effective.

SESSION REPLAY ATTACK
❏ In a session replay attack, also called a session theft attack, the attacker is neither intercepting nor injecting data into existing communications between two hosts.
❏ Instead, the attacker creates new sessions or utilises old sessions.
❏ Repeat sessions!
❏ This type of session hijacking attack is most common at the application level, such as a Web application.

PORT SCANNING
❏ Port scanning is an essential step in the reconnaissance phase. Several scans exist, and each reveals a different type of information:
❐ Ping Scan: The ping scan sends a single ICMP echo request from the source to the destination device. A response from an active device returns an ICMP echo reply, unless the IP address is not available on the network or the ICMP protocol is filtered.
❐ Connect scan: Fully connects to the target IP address and port in a complete TCP handshake. Reliable but very noisy.
❐ SYN Scan: Also called half open; sends SYN requests to the target to gather information about open ports without completing the TCP handshake. When an open port is identified, the TCP handshake is reset before it can be completed.
❐ FIN Scan: Sends a FIN (or finish) packet to the target. If that port is not listening, no response. If it is listening, an error response is received.

PORT KNOCKING
❏ Port knocking is the act of attempting to make connections to blocked ports in a certain order in an attempt to open a port
❏ Port knocking, however, is very susceptible to replay attacks. Someone can theoretically record port knocking attempts and repeat those to get the same open port again
❏ Port knocking is fairly secure against brute force attacks since there are 65536^k combinations, where k is the number of ports knocked
❏ One good way of protecting against replay attacks would be a time dependent knock sequence.

Network layer attacks

IP VULNERABILITIES
❏ Unencrypted transmission
❐ Eavesdropping possible at any intermediate host during routing
❏ No source authentication
❐ Sender can spoof source address, making it difficult to trace packet back to attacker
❏ No integrity checking
❐ Entire packet, header and payload, can be modified en route to destination, enabling content forgeries, redirections, and man-in-the-middle attacks
❏ No bandwidth constraints
❐ Large number of packets can be injected into network to launch a denial-of-service attack

IP SPOOFING ATTACKS
❏ IP Spoofing is an attempt by an intruder to send packets from one IP address that appear to originate at another
❏ If the server thinks it is receiving messages from the real source after authenticating a session, it could inadvertently behave maliciously
❏ There are two basic forms of IP Spoofing
❐ Blind Spoofing
❑ Spoof IP address without inherently knowing the ACK sequence pattern.
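The port scanning slide distinguishes a connect scan (full handshake, "reliable but very noisy") from a SYN scan (handshake reset before completion). From the defender's side the same distinction is what a flow log shows: one source sending bare SYNs to many ports, and either finishing the handshakes or not. The Python below is an added example, not from the slides, of that detection logic run over constructed packet summaries; the addresses, ports and the threshold of four distinct ports are assumptions for the demonstration.

```python
from collections import defaultdict

# Constructed packet summaries: (src, dst, service_port, flags), where service_port is
# the server-side port in both directions. Not a real capture.
SCANNER, CONNECT_SCANNER, CLIENT, SERVER = "10.0.0.5", "10.0.0.6", "10.0.0.7", "10.0.0.10"
PACKETS = []
for port in (22, 80, 443, 3306, 8080):            # half-open scan: never completes
    PACKETS.append((SCANNER, SERVER, port, {"SYN"}))
    if port in (22, 80):                           # open port: SYN/ACK back, then RST
        PACKETS.append((SERVER, SCANNER, port, {"SYN", "ACK"}))
        PACKETS.append((SCANNER, SERVER, port, {"RST"}))
    else:                                          # closed port: server answers RST/ACK
        PACKETS.append((SERVER, SCANNER, port, {"RST", "ACK"}))
for port in (21, 22, 25, 80):                      # connect scan: full three-way handshake
    PACKETS += [(CONNECT_SCANNER, SERVER, port, {"SYN"}),
                (SERVER, CONNECT_SCANNER, port, {"SYN", "ACK"}),
                (CONNECT_SCANNER, SERVER, port, {"ACK"})]
PACKETS += [(CLIENT, SERVER, 443, {"SYN"}),        # an ordinary client: one port
            (SERVER, CLIENT, 443, {"SYN", "ACK"}),
            (CLIENT, SERVER, 443, {"ACK"})]


def classify_sources(packets, port_threshold=4):
    """Flag sources that probed at least port_threshold distinct (host, port) pairs and
    say whether they completed the handshakes (connect scan) or not (SYN scan)."""
    probed = defaultdict(set)      # src -> {(dst, port)} that received a bare SYN
    completed = defaultdict(set)   # src -> {(dst, port)} where the client's ACK followed
    for src, dst, port, flags in packets:
        if flags == {"SYN"}:
            probed[src].add((dst, port))
        elif flags == {"ACK"} and (dst, port) in probed[src]:
            completed[src].add((dst, port))
    verdicts = {}
    for src, targets in probed.items():
        if len(targets) < port_threshold:
            continue
        done = len(targets & completed[src])
        kind = "connect scan" if done * 2 >= len(targets) else "SYN (half-open) scan"
        verdicts[src] = {"ports_probed": len(targets), "handshakes_completed": done, "kind": kind}
    return verdicts


if __name__ == "__main__":
    for src, v in classify_sources(PACKETS).items():
        print(src, v)
```

A real deployment would key on a time window as well as a port count, since a slow scan spreads its SYNs over hours; the logic above is the per-window core.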
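The port knocking slide ends with the fix for replay: a time dependent knock sequence. The Python below is an added example (not the lecture's, and not any particular knockd implementation) of one way to build that: the k-port sequence is an HMAC of a shared secret and a 30-second window counter, the server accepts the current or previous window to tolerate clock skew, and it burns each window once used, so a recorded sequence no longer opens anything. The secret, window length, addresses and timestamps are constructed for the demonstration.

```python
import hashlib
import hmac
import struct

KNOCK_LEN = 3        # ports per knock sequence
WINDOW_SECONDS = 30  # the sequence changes every window, so a recording goes stale


def knock_sequence(secret, counter, k=KNOCK_LEN):
    """Derive the k-port sequence valid for one time window from the shared secret."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha256).digest()
    ports = []
    for i in range(k):
        raw = int.from_bytes(digest[2 * i:2 * i + 2], "big")
        ports.append(1024 + raw % (65535 - 1024 + 1))   # keep ports in 1024..65535
    return ports


def current_counter(now, window=WINDOW_SECONDS):
    return int(now // window)


class KnockDaemon:
    """Server side: remembers the last k knocks per source, opens when they match the
    sequence of the current (or previous) window, and marks that window used so the
    same knocks replayed later are refused."""

    def __init__(self, secret, window=WINDOW_SECONDS):
        self.secret = secret
        self.window = window
        self.recent = {}        # src -> last k knocked ports
        self.used_windows = set()

    def knock(self, src, port, now):
        knocks = self.recent.setdefault(src, [])
        knocks.append(port)
        del knocks[:-KNOCK_LEN]
        if len(knocks) < KNOCK_LEN:
            return False
        got = struct.pack(">%dH" % KNOCK_LEN, *knocks)
        c = current_counter(now, self.window)
        for candidate in (c, c - 1):
            if candidate in self.used_windows:
                continue
            want = struct.pack(">%dH" % KNOCK_LEN, *knock_sequence(self.secret, candidate))
            if hmac.compare_digest(got, want):
                self.used_windows.add(candidate)
                self.recent.pop(src, None)
                return True
        return False


def demo(secret=b"constructed-demo-secret"):
    """Genuine knock, then a replay of the recorded knocks, then a stale sequence."""
    daemon = KnockDaemon(secret)
    src, t = "203.0.113.9", 1_700_000_000.0
    seq = knock_sequence(secret, current_counter(t))
    genuine = [daemon.knock(src, p, t + 0.1 * i) for i, p in enumerate(seq)]
    replay = [daemon.knock(src, p, t + 5 + 0.1 * i) for i, p in enumerate(seq)]
    stale = knock_sequence(secret, current_counter(t) - 3)
    old = [daemon.knock(src, p, t + 6 + 0.1 * i) for i, p in enumerate(stale)]
    return genuine[-1], replay[-1], old[-1]
```

Burning the window means one successful knock per 30 seconds per secret; that is acceptable for an admin back door and is exactly what stops the recorded-and-replayed sequence the slide warns about. Note that this removes replay, not brute force, whose 65536^k cost is unchanged.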
❐ Non-Blind Spoofing
❑ Spoof IP address after identifying the correct ACK sequence.

IP SPOOFING ATTACKS
❏ For both to succeed, the spoofed IP cannot exist with another user on the network.
✦ Remember: Two devices with the same IP cannot exist on a network. For this attack to be successful, the spoofed IP cannot exist on the network. For Non-blind IP spoofing, the attacker usually conducts a Denial of Service attack on the genuine client, rendering it unavailable.
❏ For Non-Blind spoofing, the attacker would:
❐ Analyse the network packets using a packet sniffer
❐ Determine the ACK sequence pattern
❐ Spoof the IP of an actual client and send packets with the correctly sequenced acknowledgment number

Data Link layer attacks

MAC FLOODING
❏ The goal of MAC flooding is to flood the switch with fake MAC addresses on all ports.
❏ This will cause the switch Content Addressable Memory (CAM) to be filled and the switch overwhelmed. This will result in the switch failing.
❐ Content Addressable Memory (CAM) is used to build a lookup table
❏ The lookup table tracks which MAC addresses are present on which ports of the switch
❏ CAM allows a lookup to be performed to let the switch get traffic to the correct port and host
MAC Flooding: MAC flooding is considered an active sniffing attack.

MAC FILTERING AND MAC SPOOFING
MAC Filtering: The network administrator can create “block” or “allow” lists of MAC addresses for a certain network. This is called MAC Filtering.
❐ For example, Wireless Networks use MAC filtering to only allow certain devices to connect to the network.
❏ A MAC spoofing attack impersonates another machine:
❐ Find out the MAC address of the target machine using a packet sniffer
❐ Reconfigure the MAC address of the rogue machine
❐ Turn off or unplug the target machine
❐ Going back to the Wireless Networks example: although it is meant to be a security control, it is very easy to spoof the MAC address, making this control ineffective.

ARP SPOOFING
❏ The ARP table is updated whenever an ARP response is received
❏ Requests are not tracked
❏ ARP announcements are not authenticated
❏ Machines trust each other
❏ A rogue machine can spoof other machines

ARP POISONING
❏ A method of bypassing a switch where sniffing is performed on an IPv4 network
❏ The basic idea of ARP poisoning is for the attacker to attach itself to a network with a valid IP address and a spoofed MAC address from the switch ARP table stored in the CAM.
❏ ARP poisoning is considered an active sniffing attack on IPv4 networks.
❏ An ARP cache updates every time that it receives an ARP reply! Even if it did not send any ARP request!
Note: The attacker first needs to stop the client from sending new data into the session. To do this, the attacker could just send the data to inject and hope it is received before the real client can send new data, or DoS the client.

Denial of Service attacks

DENIAL-OF-SERVICE ATTACKS
Denial-of-Service Attacks:
❏ One of the most common types of attacks. It prevents legitimate users from accessing the system
❏ Intended to prevent services from being delivered
❏ A form of attack on the availability of some service
❏ Frequently aimed at consuming resources, but may also involve actual disruption of a service or server.
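The MAC flooding slide says the CAM table fills and the switch fails; what "fails" means in practice is that a switch with no room to learn a new source address has to flood unicast frames to every port, which is why the slide files it under active sniffing. The Python below is an added example (not from the slides) of a tiny learning switch with a bounded CAM table, run once without and once with port security (a cap on MAC addresses learned per port), the standard mitigation. Ports, capacities, MAC addresses and the attacker's fake-address pattern are constructed for the demonstration.

```python
class Switch:
    """Tiny learning switch: a CAM table mapping MAC -> port, flooding unknown
    destinations. Optional port security caps the MACs learned per port."""

    def __init__(self, ports, cam_capacity, max_macs_per_port=None):
        self.ports = list(ports)
        self.cam_capacity = cam_capacity
        self.max_macs_per_port = max_macs_per_port
        self.cam = {}
        self.violations = {p: 0 for p in self.ports}

    def _macs_on(self, port):
        return sum(1 for p in self.cam.values() if p == port)

    def receive(self, in_port, src_mac, dst_mac):
        """Learn src_mac on in_port, then return the list of egress ports for the frame."""
        if src_mac not in self.cam:
            if (self.max_macs_per_port is not None
                    and self._macs_on(in_port) >= self.max_macs_per_port):
                self.violations[in_port] += 1
                return []                        # port-security violation: frame dropped
            if len(self.cam) < self.cam_capacity:
                self.cam[src_mac] = in_port      # otherwise the table is full: nothing learned
        out = self.cam.get(dst_mac)
        if out is None or out == in_port:
            return [p for p in self.ports if p != in_port]   # unknown or broadcast: flood
        return [out]


BROADCAST = "ff:ff:ff:ff:ff:ff"
MAC_A, MAC_B = "52:54:00:00:00:0a", "52:54:00:00:00:0b"   # constructed host addresses


def flood_scenario(port_security):
    """Attacker on port 1 sprays fabricated source MACs; then host A (port 2) sends a
    unicast frame to host B (port 3). Returns where that unicast frame actually went."""
    sw = Switch(ports=[1, 2, 3, 4], cam_capacity=100,
                max_macs_per_port=2 if port_security else None)
    for i in range(500):
        fake = "02:00:00:%02x:%02x:%02x" % ((i >> 16) & 0xFF, (i >> 8) & 0xFF, i & 0xFF)
        sw.receive(1, fake, BROADCAST)
    sw.receive(3, MAC_B, BROADCAST)     # B announces itself (should be learned on port 3)
    sw.receive(2, MAC_A, BROADCAST)     # A announces itself (should be learned on port 2)
    egress = sw.receive(2, MAC_A, MAC_B)
    return {"egress": egress, "cam_entries": len(sw.cam),
            "violations_on_port_1": sw.violations[1]}


if __name__ == "__main__":
    print("no port security:", flood_scenario(False))   # A->B lands on the attacker's port 1
    print("port security:   ", flood_scenario(True))    # A->B reaches only port 3
```

Without the cap, the 100-entry table is full of fakes before A and B ever speak, so their unicast traffic is flooded to port 1 as well. With a cap of two addresses per port, the attacker's third and later frames are dropped and counted as violations, the table stays small, and A's frame reaches only B.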
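The ARP spoofing and ARP poisoning slides list the two properties that make the attack possible: a cache updates on any reply, even one it never asked for, and nothing authenticates the binding. Both properties are also observable, which is what tools in the arpwatch family rely on. The Python below is an added example (not the lecture's and not arpwatch's code) of a passive ARP monitor run over constructed events: it raises an alert for a reply that follows no recent request, for an IP whose MAC changes, and for a contradiction of a binding the administrator pinned. Addresses, timestamps and the two-second request window are constructed assumptions.

```python
# Constructed ARP events seen on one segment: (time, kind, ip, mac). Not a real capture.
TRUSTED = {"10.0.0.1": "00:11:22:33:44:01"}   # default gateway, pinned by the administrator
ARP_EVENTS = [
    (0.0, "request", "10.0.0.1", None),
    (0.1, "reply", "10.0.0.1", "00:11:22:33:44:01"),    # answer to the request above
    (1.0, "request", "10.0.0.20", None),
    (1.1, "reply", "10.0.0.20", "00:11:22:33:44:20"),
    (5.0, "reply", "10.0.0.1", "de:ad:be:ef:00:01"),    # nobody asked; claims the gateway
    (9.0, "reply", "10.0.0.20", "de:ad:be:ef:00:01"),   # nobody asked; rebinds a host
]


def monitor_arp(events, trusted=None, request_window=2.0):
    """Flag replies nobody asked for and IP->MAC bindings that change: the two
    symptoms of the poisoning described on the slides. Returns a list of alerts."""
    trusted = dict(trusted or {})
    bindings = dict(trusted)       # learned bindings start from the pinned ones
    last_request = {}              # ip -> time of the most recent request for it
    alerts = []
    for t, kind, ip, mac in events:
        if kind == "request":
            last_request[ip] = t
            continue
        asked = last_request.get(ip)
        if asked is None or t - asked > request_window:
            alerts.append((t, "unsolicited reply", ip, mac))
        known = bindings.get(ip)
        if known is None:
            bindings[ip] = mac       # first sighting: learn it
        elif known != mac:
            label = "pinned binding contradicted" if ip in trusted else "binding changed"
            alerts.append((t, label, ip, mac))   # keep the old binding; do not follow the change
    return alerts


if __name__ == "__main__":
    for t, label, ip, mac in monitor_arp(ARP_EVENTS, TRUSTED):
        print(f"t={t:4.1f} {label:28s} {ip} -> {mac}")
```

The monitor reports but does not block; blocking belongs to the switch (Dynamic ARP Inspection validating replies against DHCP snooping data) or to static entries on critical hosts, with the gateway the usual candidate for pinning.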
❏ The idea is that computers have physical limitations:
❐ Number of users
❐ Size of files
❐ Speed of transmission
❐ Amount of data stored
❏ Another type of DoS attack aims to exploit programming defects, causing systems to crash

DISTRIBUTED DENIAL OF SERVICE ATTACKS
❏ A DoS attack attempts to prevent valid users from accessing network resources.
❏ A distributed denial of service (DDoS) attack has the same goal but amplifies the DoS attack by using multiple hosts.
❏ Whereas a DoS attack would overwhelm the network connection for a targeted host through a more powerful host, a DDoS attack would use multiple intermediary hosts to generate enough traffic to disrupt server farms or a whole network segment, and possibly beyond.
❏ A challenge in detecting a DDoS is that traffic is coming from several IP addresses. That makes it more difficult to detect until it is too late

DISTRIBUTED DENIAL OF SERVICE ATTACK
❏ Uses hundreds or thousands of systems to conduct the attack
❏ Has primary and secondary victims
❏ Attack can be difficult or impossible to track back to its source
❏ Defence is difficult, and impact is higher than a DoS attack, due to the number of attackers

DOS/DDOS ATTACKS: EXPLOITATION OF PROGRAMMING DEFECTS
❏ The Ping of Death (PoD)
❐ Some systems cannot handle oversized packets;
❐ An attacker sends them out in fragments; when the fragments reach the system, they are reassembled by the victim;
❐ When the maximum size (65,536 bytes) allowed by the IP protocol is reached, some systems will crash
❏ Teardrop Attack
❐ Packets are sent in a malformed state with their offset values adjusted so they overlap, which is illegal;
❐ The victim system attempts to reconstruct the message. When a system that does not know how to deal with this issue is targeted, a crash or lock may result
❏ Land DoS
❐ A packet is sent to a victim’s system with the same source and destination address and port; systems that do not know how to process this will crash

DOS/DDOS ATTACKS: CONSUMPTION OF RESOURCES
❏ SYN flood
❐ Uses forged packets with the SYN flag set;
❐ When the victim receives enough of the packets, the result is an overwhelmed system, as the SYN flood consumes connection resources to the point where no resources are available for legitimate connections
❏ ICMP flood
❐ Comes in two variants: Smurf attack and ping flood
❐ Smurf attack: Carried out when a large amount of traffic is directed to the broadcast address of a network instead of to a specific system; because the attacker configures the packet with the intended victim as the source, all hosts on the network respond to the victim instead of to the attacker
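The three programming-defect attacks on the slide (Ping of Death, Teardrop, Land) are all failures to validate input before acting on it, and each has a one-line check. The Python below is an added example, not the lecture's code and not any real IP stack, of the validation a fragment reassembler or firewall applies before it touches a datagram: it rejects fragment sets that would reassemble past the 65,535-byte IPv4 limit, fragments that overlap, non-final fragments whose length is not a multiple of eight, and packets whose source equals their destination. The fragment sets in the test are constructed, not captured.

```python
IP_MAX_DATAGRAM = 65535   # largest total length an IPv4 header can express


def check_fragments(fragments):
    """fragments: (offset in 8-byte units, payload length, more_fragments flag), one per
    fragment of a single datagram. Returns the reasons to drop the datagram instead of
    reassembling it (empty list = safe to reassemble). For simplicity the check treats
    the payload end as the datagram size and ignores the 20-byte IP header."""
    problems = []
    covered = []   # byte ranges already claimed by earlier fragments
    for offset, length, more in sorted(fragments):
        start, end = offset * 8, offset * 8 + length
        if more and length % 8:
            problems.append(f"non-final fragment length {length} is not a multiple of 8")
        if end > IP_MAX_DATAGRAM:
            problems.append(f"reassembled datagram would exceed {IP_MAX_DATAGRAM} bytes "
                            f"(fragment ends at {end})")          # Ping of Death
        for s, e in covered:
            if start < e and s < end:
                problems.append(f"fragment [{start},{end}) overlaps [{s},{e})")   # Teardrop
        covered.append((start, end))
    return problems


def is_land_packet(src_ip, src_port, dst_ip, dst_port):
    """Land: a packet addressed from the victim to itself on the same port."""
    return src_ip == dst_ip and src_port == dst_port


def admit_datagram(src_ip, src_port, dst_ip, dst_port, fragments):
    """Combined gate: every reason the datagram should be dropped, or [] to admit it."""
    problems = check_fragments(fragments)
    if is_land_packet(src_ip, src_port, dst_ip, dst_port):
        problems.append("source and destination address/port identical (Land)")
    return problems


if __name__ == "__main__":
    # Constructed fragment sets: a normal 3-fragment datagram, an oversized one, an overlapping one.
    normal = [(0, 1480, True), (185, 1480, True), (370, 500, False)]
    oversized = [(8189, 200, False)]              # 8189 * 8 + 200 = 65712 bytes
    overlapping = [(0, 64, True), (4, 64, True)]  # second starts at byte 32, inside the first
    for name, frags in (("normal", normal), ("oversized", oversized), ("overlapping", overlapping)):
        print(name, admit_datagram("198.51.100.7", 4000, "10.0.0.10", 7, frags) or "admitted")
    print("land", admit_datagram("10.0.0.10", 139, "10.0.0.10", 139, [(0, 40, False)]))
```

Modern stacks already contain these checks; the value of writing them out is seeing that the "crash" on the slide is a missing bounds or overlap check, not anything exotic, and that a border device can drop such datagrams before a less careful host sees them.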
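The SYN flood bullet says the attack "consumes connection resources"; the resource is the half-open connection entry a server allocates for each SYN while it waits for the ACK. The standard defence, SYN cookies, allocates nothing: the server's initial sequence number is itself a keyed hash of the connection, so only a client that really received the SYN/ACK can produce a valid ACK. The Python below is an added example (not the lecture's, and a simplification of the real Linux scheme, which also encodes the MSS) that runs the same flood against a stateful listener and a cookie listener. Addresses, backlog size, secret and timestamps are constructed.

```python
import hashlib
import hmac

SEQ_MOD = 1 << 32


class StatefulListener:
    """Allocates a half-open entry per SYN; a flood fills the backlog and later SYNs are dropped."""

    def __init__(self, backlog=128):
        self.backlog = backlog
        self.half_open = {}
        self.established = set()

    def on_syn(self, key, client_isn, now):
        if len(self.half_open) >= self.backlog:
            return None                            # backlog exhausted: no SYN/ACK for anyone
        isn = (hash(key) + client_isn) % SEQ_MOD   # any ISN will do; it must be remembered
        self.half_open[key] = isn
        return isn

    def on_ack(self, key, ack, client_seq, now):
        isn = self.half_open.pop(key, None)
        if isn is None or ack != (isn + 1) % SEQ_MOD:
            return False
        self.established.add(key)
        return True


class SynCookieListener:
    """Keeps no state per SYN: the ISN is an HMAC of the 4-tuple, the client's ISN and a
    coarse time counter. A spoofed SYN that is never acknowledged costs nothing; a genuine
    ACK carries the cookie back and proves the client saw the SYN/ACK."""

    def __init__(self, secret, interval=64):
        self.secret = secret
        self.interval = interval
        self.established = set()

    def _cookie(self, key, client_isn, counter):
        msg = repr((key, client_isn, counter)).encode()
        tag = hmac.new(self.secret, msg, hashlib.sha256).digest()
        return (((counter & 0xFF) << 24) | int.from_bytes(tag[:3], "big")) % SEQ_MOD

    def on_syn(self, key, client_isn, now):
        return self._cookie(key, client_isn, int(now // self.interval))

    def on_ack(self, key, ack, client_seq, now):
        client_isn = (client_seq - 1) % SEQ_MOD
        counter = int(now // self.interval)
        for c in (counter, counter - 1):           # tolerate one interval of delay
            if self._cookie(key, client_isn, c) == (ack - 1) % SEQ_MOD:
                self.established.add(key)
                return True
        return False


def flood_then_connect(listener, spoofed=1000):
    """Spray spoofed SYNs that are never acknowledged, then attempt one genuine handshake.
    Returns whether the genuine client got connected."""
    for i in range(spoofed):
        key = ("198.51.100.%d" % (i % 250), 40000 + i, "10.0.0.10", 80)   # forged sources
        listener.on_syn(key, 12345, now=1000.0)
    key = ("10.0.0.7", 50000, "10.0.0.10", 80)
    client_isn = 777
    server_isn = listener.on_syn(key, client_isn, now=1001.0)
    if server_isn is None:
        return False
    return listener.on_ack(key, (server_isn + 1) % SEQ_MOD, client_isn + 1, now=1001.5)


if __name__ == "__main__":
    print("stateful listener under flood:", flood_then_connect(StatefulListener()))
    print("SYN-cookie listener under flood:", flood_then_connect(SynCookieListener(b"constructed-secret")))
```

The trade-off is real: a cookie listener cannot remember TCP options from the SYN (hence the MSS encoding in the real scheme), so production stacks enable cookies only once the backlog is under pressure.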
DOS/DDOS ATTACKS: CONSUMPTION OF RESOURCES (CONT.)
❏ Ping flood
❐ Carried out by sending a large number of ping packets to the victim with the intent of overwhelming the victim; a very simple attack
❏ Reflected attack
❐ Carried out by spoofing or forging the source address of packets or requests and sending them to numerous systems, which in turn respond to the request; a scaled-up version of what happens in the ping flood attack
❏ DHCP starvation
❐ If enough requests are flooded onto the network, the attacker can completely exhaust the address space allocated by the DHCP servers for an indefinite period of time. This DoS attack is called DHCP starvation. An attacker can use tools such as The Gobbler to carry out this type of attack easily.

DOS/DDOS ATTACKS: CONSUMPTION OF RESOURCES (CONT.)
❏ HTTP flood
❐ Attack that bombards Web servers with HTTP requests
❐ Consumes considerable resources
❏ Slowloris - A more potent variant
❐ Attempts to monopolise the server by sending HTTP requests that never complete
❐ Eventually consumes the Web server’s connection capacity
❐ Utilises legitimate HTTP traffic

BOTNETS AND THE INTERNET OF THINGS (IOT)
❏ Botnets
❐ Consist of computers and devices (mainly Internet of Things devices) that are infected with software such as that used in DDoS attacks
❐ Can stretch across the globe
❏ Botnet attacks include:
❐ DDoS attacks — This construct makes sense as an attack method based on the way a DDoS works and the number of systems that can be infected.
❐ Click fraud — This attack is where the attackers infect a large number of systems with the idea that they will use the infected systems to click on ads on their behalf, generating revenue for themselves.
❐ Stealing information — Attacks have also been carried out with botnets to steal information from unsuspecting users’ systems.

MAPPING THE OSI MODEL TO CYBER THREATS

REFERENCES
❏ The lecture notes and contents were compiled from my own notes and from various sources.
❏ Figures and tables are from the recommended books
❏ The lecture notes are very detailed. If you attend the lecture, you should be able to understand the topics.
❏ You can use any of the recommended readings! You do not need to read all the chapters!
❏ Recommended Readings note: Focus on what was covered in the class.
❐ Chapter 2 - Networking Foundations, CEH v11 Certified Ethical Hacker Study Guide
❐ Chapter 5, Network and Telecommunications, Fundamentals of Information Systems Security
❐ Chapter 19, Introduction, CyBOK, The Cyber Security Body of Knowledge

Networks Fundamentals and Security
6COSC019W - Cyber Security
Dr Ayman El Hajjar
January 30, 2024
School of Computer Science and Engineering, University of Westminster

Networking Layering models | Protocols in different layers

OUTLINE
1. Networking Layering models
2. Protocols in different layers

INTRODUCTION TO NETWORKING
❏ What is a Network?
❐ Set of technologies that connects computers
❐ Allows communication and collaboration between users
❐ Collection of computers and devices connected together
❏ The uses of a network
❐ Simultaneous access to data
❐ Shared resources
❐ Personal communication
❐ Easier data backup
❏ Main types of Networks
❐ Wide Area Network (WAN): Connects systems over a large geographic area
❐ Local Area Network (LAN): Provides network connectivity for computers located in the same geographic area

Networking Layering models

THE OSI REFERENCE MODEL
❏ The OSI Reference Model is used mainly in today’s networking environment as both a reference model and an effective means of teaching distributed communication.
❏ OSI layers are also referred to by number (7 is the Application Layer, and 1 is the Physical Layer.)
❏ Each layer interacts with the layer above it and the layer below it.
❏ The OSI Reference Model is also implemented in two areas: hardware and software. The bottom two layers are implemented in hardware, and the top five are implemented through software.
Figure 1: The OSI reference Model

OSI LAYERS
Application layer
❏ The Application layer is responsible for interacting with end users’ applications. It is the point at which application software accesses network services, and the data is formatted in a format related to the application.
Presentation layer
❏ The Presentation Layer is responsible for the coding of data. The Presentation Layer includes file formats and character representations. From a security perspective, encryption generally takes place at the Presentation Layer.

OSI LAYERS
Session layer
❏ The Session Layer is responsible for maintaining communication sessions between computers. The Session Layer creates, maintains, and disconnects communications that take place between processes over the network.
Transport layer
❏ The Transport Layer is responsible for breaking data into packets and properly transmitting it over the network. Flow control and error checking take place at the Transport Layer.
Network layer
❏ The Network Layer is responsible for the logical implementation of the network. In TCP/IP networking, logical addressing takes the familiar form of IP addresses.

OSI LAYERS
Data Link layer
❏ The Data Link Layer is responsible for framing data received from the Network Layer and preparing it for transmission over the Physical Layer: physical addressing, controlling access to the physical medium, and detecting and correcting errors that may occur during transmission.
Physical layer
❏ The Physical Layer is responsible for the physical operation of the network. The Physical Layer must translate the binary ones and zeros of computer language into the language of the transport medium.

TCP/IP MODEL
Figure 2: TCP/IP model

INTERNET PACKET ENCAPSULATION
Figure 3: What we add at each layer
Figure 4: Encapsulated contents

WHAT IS A PROTOCOL?
Protocol
❏ A protocol is a set of rules and formats that govern the communication between communicating peers:
❐ set of valid messages
❐ meaning of each message
❏ A human protocol and a computer network protocol

PROTOCOLS
❏ A protocol defines the rules for communication between computers
❏ Protocols are broadly classified as connectionless and connection oriented
❏ Connectionless protocol
❐ Sends data out as soon as there is enough data to be transmitted
❐ E.g., User Datagram Protocol (UDP)
❏ Connection-oriented protocol
❐ Provides a reliable connection stream between two nodes
❐ Consists of set up, transmission, and tear down phases
❐ Creates a virtual circuit-switched network
❐ E.g., Transmission Control Protocol (TCP)

PACKET CONTENTS
1. Control information for the packet: header and footer (or trailer)
❐ Headers are added at the beginning of the packet. They contain information about the packet, such as its origin and destination IP addresses, type of protocol, the sequence number and acknowledgment
❐ Footers are placed at the end of the packet. They contain information such as error-checking data and the timestamp.
2. Data: payload

ENCAPSULATION
❏ A network protocol N1 can use the services of another network protocol N2
❐ A packet p1 of N1 is encapsulated into a packet p2 of N2
❐ The payload of p2 is p1
❐ The control information of p2 is derived from that of p1
Figure 5: Network packets Encapsulation

Protocols in different layers

DOMAIN NAME SYSTEM
❏ The domain name system (DNS) is an application-layer protocol for mapping domain names to IP addresses
❏ DNS provides a distributed database over the internet that stores various resource records, including:
❐ Address (A) record: IP address associated with a host name
❐ Mail exchange (MX) record: mail server of a domain
❐ Name server (NS) record: authoritative server for a domain

DNS CACHING
❏ There would be too much network traffic if a path in the DNS tree were traversed for each query
❐ The root zone would be rapidly overloaded
❏ DNS servers cache results for a specified amount of time
❐ Specified by the ANS reply’s time-to-live field
❏ Some operating systems maintain DNS caches
❐ Windows: ipconfig /displaydns
❐ Linux: If you are on Ubuntu, it is possible to kill the cache file and create it again.
❑ sudo killall -USR1 systemd-resolved
❑ sudo journalctl -u systemd-resolved > /cachemydns.txt
❑ less cachemydns.txt
❏ Associated privacy issues
❏ DNS queries are typically issued over UDP on port 53
❐ 16-bit request identifier in payload

DNS CACHING
1. Query yourdomain.org
2. Receive reply and cache at local NS and host
3. Use cached results rather than querying the ANS

TRANSPORT LAYER: USER DATAGRAM PROTOCOL (UDP)
✺ Lightweight and connectionless
✺ Small packet sizes (60% less than TCP) in header size: UDP (8 bytes) vs TCP (20 bytes)
✺ No connection to create and maintain
✺ More control over when data is sent
✺ Does not compensate for loss of packets
✺ Does not deliver or guarantee packet delivery in order
✺ Does not check if the network is busy

TRANSPORT LAYER: TRANSMISSION CONTROL PROTOCOL (TCP)
✺ Reliable and connection-based
☞ Sequence numbers, timeouts, and retransmissions protect against loss and reordering.
☞ Sequence numbers: loss, reordering, duplication.
☞ Timeouts: loss.
☞ Retransmission: loss
✺ TCP packets have a header section with a flags field
✺ Consider 4 of the possible flags
☞ SYN (Synchronise)
☞ ACK (Acknowledge)
☞ FIN (Finished)
☞ RST (Reset)

TRANSPORT LAYER: TCP PACKETS
✺ Three way handshake TCP packets exchange
☞ To initiate a TCP connection, the initiating system sends a SYN packet to the destination.
☞ The destination sends an ACK to acknowledge the receipt of the first packet (a combined SYN/ACK packet).
☞ The first system sends an ACK packet to acknowledge receipt of the SYN/ACK
☞ Data transfer can then begin!
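The packet contents and encapsulation slides describe headers added at each layer, with packet p1 becoming the payload of p2. The Python below is an added example (not from the slides) that does exactly that with real wire formats: a UDP segment is wrapped in an IPv4 packet (with the RFC 791 header checksum computed), which is wrapped in an Ethernet frame, and a decapsulation routine peels the layers back off and verifies the checksum, so a corrupted header is noticed. Addresses, ports and the payload are constructed; the UDP checksum is left at zero, which IPv4 permits.

```python
import struct


def mac_bytes(mac):
    return bytes(int(x, 16) for x in mac.replace("-", ":").split(":"))


def ip_bytes(ip):
    return bytes(int(x) for x in ip.split("."))


def ipv4_checksum(header):
    """One's-complement sum of 16-bit words (RFC 791). Over a header that already
    contains its correct checksum the result is 0, which is how receivers verify it."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_udp(sport, dport, payload):
    # ports, length (8-byte header + payload), checksum 0 = not computed (allowed over IPv4)
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def build_ipv4(src, dst, inner, proto=17, ttl=64, ident=0x1234):
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(inner), ident, 0x4000,
                         ttl, proto, 0, ip_bytes(src), ip_bytes(dst))
    header = header[:10] + struct.pack("!H", ipv4_checksum(header)) + header[12:]
    return header + inner


def build_ethernet(src_mac, dst_mac, inner, ethertype=0x0800):
    return mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ethertype) + inner


def encapsulate(payload, src_mac, dst_mac, src_ip, dst_ip, sport, dport):
    """payload -> UDP segment -> IPv4 packet -> Ethernet frame: p1 inside p2 inside p3."""
    return build_ethernet(src_mac, dst_mac,
                          build_ipv4(src_ip, dst_ip, build_udp(sport, dport, payload)))


def decapsulate(frame):
    """Peel the layers off again, reporting each layer's control information."""
    dst_mac, src_mac = frame[:6], frame[6:12]
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("not an IPv4 frame")
    packet = frame[14:]
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    if packet[9] != 17:
        raise ValueError("not UDP")
    segment = packet[ihl:total_len]
    sport, dport, udp_len, _ = struct.unpack("!HHHH", segment[:8])
    return {
        "src_mac": ":".join("%02x" % b for b in src_mac),
        "dst_mac": ":".join("%02x" % b for b in dst_mac),
        "src_ip": ".".join(str(b) for b in packet[12:16]),
        "dst_ip": ".".join(str(b) for b in packet[16:20]),
        "ttl": packet[8],
        "ipv4_checksum_ok": ipv4_checksum(packet[:ihl]) == 0,
        "sport": sport, "dport": dport,
        "payload": segment[8:udp_len],
    }


if __name__ == "__main__":
    frame = encapsulate(b"hello", "52:54:00:00:00:0a", "52:54:00:00:00:0b",
                        "192.168.10.5", "192.168.10.1", 40000, 53)
    print(len(frame), "bytes:", frame.hex())
    print(decapsulate(frame))
```

The 14 + 20 + 8 bytes of control information around a 5-byte payload is the overhead the encapsulation figure illustrates; flipping any header bit turns ipv4_checksum_ok false, which is the "error-checking data" the packet contents slide mentions.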
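The DNS caching slides give the two ingredients that the earlier DNS cache poisoning slide turns into an attack: answers are cached for the TTL the authoritative reply carries, and a query is matched to its reply only by a 16-bit request identifier. The Python below is an added example (not the lecture's, and not a real resolver) of a stub resolver that caches with TTL expiry and either validates the transaction id against an outstanding query or, in the "accepts unsolicited DNS records" mode from the poisoning slide, does not. A single forged reply with a wrong id is then tried against each mode. Names, addresses, TTLs and the seeded random generator are constructed for reproducibility.

```python
import random


class StubResolver:
    """Minimal caching resolver. With validate=True a reply is accepted only if its 16-bit
    transaction id matches an outstanding query for that name; with validate=False it
    caches whatever arrives, the 'accepts unsolicited records' case on the poisoning slide."""

    def __init__(self, validate=True, rng=None):
        self.validate = validate
        self.rng = rng or random.SystemRandom()
        self.cache = {}      # name -> (ip, expires_at)
        self.pending = {}    # txid -> name awaiting a reply

    def lookup(self, name, now):
        """Return (ip, 'cache') on a fresh hit, else (None, txid): a query was sent with txid."""
        hit = self.cache.get(name)
        if hit and hit[1] > now:
            return hit[0], "cache"
        self.cache.pop(name, None)               # TTL has run out: drop the stale entry
        txid = self.rng.randrange(1 << 16)       # the 16-bit request identifier
        self.pending[txid] = name
        return None, txid

    def on_reply(self, txid, name, ip, ttl, now):
        """Accept or discard one reply; returns True when it was cached."""
        if self.validate and self.pending.get(txid) != name:
            return False                          # unsolicited or mismatched id: discard
        cached = self.cache.get(name)
        if cached and cached[1] > now:
            return False                          # first answer wins; later ones are ignored
        self.pending.pop(txid, None)
        self.cache[name] = (ip, now + ttl)
        return True


def poisoning_attempt(validate):
    """One query, one forged reply with a guessed id that arrives first, then the genuine
    reply. Returns the address the resolver hands out afterwards."""
    r = StubResolver(validate=validate, rng=random.Random(7))
    _, txid = r.lookup("bank.example", now=0)
    guessed = (txid + 1) % (1 << 16)                   # the forger's guess misses by one here
    r.on_reply(guessed, "bank.example", "203.0.113.66", ttl=86400, now=1)
    r.on_reply(txid, "bank.example", "198.51.100.10", ttl=300, now=2)
    ip, _ = r.lookup("bank.example", now=3)
    return ip


if __name__ == "__main__":
    print("accepts unsolicited records:", poisoning_attempt(validate=False))
    print("checks transaction id:     ", poisoning_attempt(validate=True))
```

The id check is necessary but not sufficient: 16 bits gives a forger one chance in 65536 per packet, and the forged reply's long TTL shows why a single success is expensive. Real resolvers therefore also randomise the UDP source port and check that the reply's question section and source address match the query, and DNSSEC removes the guessing game entirely by signing the records.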
18 Networking Layering models Protocols in different layers IP ADDRESSING IPv4 addresses ❏ Four-byte (32-bit) addresses that uniquely identify every device on the network ❏ Still the most common IPv6 addresses ❏ Are 128 bits long ❏ Provide more unique device addresses ❏ Are more secure 19 Networking Layering models Protocols in different layers IP V 4 A DDRESSING ❏ 32 bits Binary address ❏ Divided into 4 part, separated by a. of 8 binary each. ❏ Each 8 binary digits are converted to Decimal. Hence is called Dotted Decimal. ❏ Each IP represents the Network address and the host address ❏ For example, the IP address in this fgure tell us the following: ❐ 192.168.10.0 is the Network Address ❐ 192.168.10.255 is the Broadcast address ❐ Hosts can have any IP between 192.168.10.1 to 192.168.10.254 ❐ This is called a Class C IP address. In class C- the network part is the three frst dots. The host part is only the last decimal number of the IP. 20 Networking Layering models Protocols in different layers IP A DDRESSING - DYNAMIC Dynamic Host Confguration Protocol (DHCP) ❏ DHCP is used within a network to simplify the confguration of each user’s computer To obtain, renew or refresh a DHCP IP address dynamically you can use (as administrator): In windows: ipconfg /registerdns In Linux: sudo dhclient 21 Networking Layering models Protocols in different layers T HE LAB DHCP SCENARIO 22 Figure 7: A DHCP Class C Network Example: The lab scenario Networking Layering models Protocols in different layers MAC A DDRESS ❏ Most network interfaces come with a predefned MAC address ❏ A MAC address is a 48-bit number usually represented in hex ❐ E.g., 00-1A-92-D4-BF-86 ❏ On windows you can use getmac to obtain the MAC address of your machine. It is also listed when you type ipconfg. ❏ On Linux, you can see your MAC adddress when you type ip addr. 
it will be labelled by link/ether 23 Networking Layering models Protocols in different layers A DDRESS R ESOLUTION PROTOCOL (ARP) ❏ The address resolution protocol (ARP) connects the network layer to the data layer by converting IP addresses to MAC addresses ❏ ARP works by broadcasting requests and caching responses for future use ❏ The protocol begins with a computer broadcasting a message of the form ❐ who has tell ❏ When the machine with IP address1 or an ARP server receives this message, its broadcasts the response ❐ belongs to ❏ The Linux and Windows command arp - a displays the ARP table: 24 Networking Layering models Protocols in different layers N ETWORK I NTERFACE ❏ Although network interfaces are not particularly protocols and they are physical devices, they determine which network interface card the system will use. They are considered both Physical layer and Data link layer interface as they also give the MAC address of the interface. ❏ Network interface: device connecting a computer to a network ❐ Ethernet card ❐ WiFi adapter ❏ A computer may have multiple network interfaces ❏ Packets transmitted between network interfaces ❏ Most local area networks, (including Ethernet and WiFi) broadcast frames ❏ Each network interface gets the frames intended for it ❏ A hacker/pen-tester will conduct traffc sniffng by confguring the network interface to read all frames (promiscuous mode, sometimes called Monitor mode) 25 Networking Layering models Protocols in different layers R EFERENCES ❏ The lecture notes and contents were compiled from my own notes and from various sources. ❏ Figures and tables are from the recommended books ❏ The lecture notes are very detailed. If you attend the lecture, you should be able to understand the topics. ❏ You can use any of the recommended readings! You do not need to read all the chapters! ❏ Recommended Readings note: Focus on what was covered in the class. 
❐ Chapter 2, Networking Foundations, CEH v11 Certified Ethical Hacker Study Guide
❐ Chapter 5, Network and Telecommunications, Fundamentals of Information Systems Security
❐ Chapter 19, Introduction, CyBOK, The Cyber Security Body of Knowledge

Cyber Security Concepts and Principles
6COSC019W - Cyber Security
Dr Ayman El Hajjar
January 26, 2024
School of Computer Science and Engineering, University of Westminster

Outline
1. Information Systems
2. Cyber Security Fundamentals
3. Threat modelling
4. Fundamental security design principles
5. Hackers and Pen Testers

Information Systems

What are we trying to protect?
❏ Financial Data
❏ Customer Data
❏ Services availability and Productivity
❏ IT and Network Infrastructure
❏ Intellectual Property
❏ Reputation

Information System Assets
Figure 1: The Seven Domains of an Information System (footnote 1: David Kim, Michael Solomon, Fundamentals of Information Systems Security, Fourth Edition)

Cyber Security Fundamentals

Cyber Security - A Definition
The NIST Computer Security Handbook definition:
"The protection afforded to an automated information system in order to attain the applicable objectives of preserving the integrity, availability, and confidentiality of information system resources (includes hardware, software, firmware, information/data, and telecommunications)"

The CIA Triad
❏ Confidentiality, Integrity and Availability are the three concepts that form what is often referred to as the CIA triad.
❐ Confidentiality — Ensuring that only authorised subjects can access protected data
❐ Integrity — Ensuring that only authorised subjects can modify protected data
❐ Availability — Ensuring that information and the resources that manage information are available on demand to authorised subjects
Figure 2: CIA Triad - Confidentiality, Integrity, Availability (footnote: Chapter 1, Hacker Techniques, Tools, and Incident Handling)

Cyber Security Objectives
Confidentiality
❏ Data Confidentiality - Assures that private information is not made available or disclosed to unauthorised individuals
❏ Privacy - Assures that individuals control or influence what information related to them may be collected and stored, and by whom and to whom that information may be disclosed
Integrity
❏ Data Integrity - Assures that information and programs are changed only in a specified and authorised manner
❏ System Integrity - Assures that a system performs its intended function in an unimpaired manner, free from any manipulation
Availability
❏ Availability - Assures that systems work promptly and service is not denied to authorised users

And Some Possible Additional Objectives
❏ Although the use of the CIA triad to define security objectives is well established, some in the security field feel that additional concepts are needed to present a complete picture.
Two of the most commonly mentioned are as follows:
Authenticity
❐ Authenticity - Verifying that users are who they say they are and that each input arriving at the system came from a trusted source
Accountability
❏ Accountability - The security goal that generates the requirement for actions of an entity to be traced uniquely to that entity

Examples of Security Requirements
❏ Confidentiality
❐ Student grade information is an asset whose confidentiality is considered to be highly important.
❐ Regulated by the Data Protection Act in the UK.
❏ Integrity
❐ Inaccurate patient information could result in serious harm or death to patients and expose the hospital to massive liability.
❐ A Web site that offers a forum to registered users to discuss some specific topic would be assigned a moderate level of integrity.
❐ A low-integrity requirement example is an anonymous online poll
❏ Availability
❐ Critical components need a high level of availability.
❐ A moderate availability requirement is a public university Web site.
❐ An online telephone directory lookup application would be classified as a low-availability requirement

Threat modelling

Terms as Defined by the NCSC
Risk
❏ Risk is the possibility of loss, injury, or other adverse or unwelcome circumstance
Threat
❏ Threats are vulnerabilities, events, individuals or organisations that could cause something bad to happen if exploited.
❐ They represent potential security harm to an asset
Breach
❏ If threats are exploited, they become a breach.
❏ A breach will result in a violation of any of the CIA security tenets
Countermeasure
❏ Countermeasures, also called Security Controls, are technical and non-technical measures that are put in place to mitigate/counter identified risks.

Vulnerabilities & Attacks
❏ A vulnerability is any weakness in a system that can be exploited by a threat actor, or can be affected by a hazard.
❏ Categories of vulnerabilities
❐ Corrupts data: leads to an integrity violation
❐ Leaks data: leads to a confidentiality violation
❐ Loss of service: leads to an availability violation
❏ Attacks (threats carried out)
❐ Passive – attempt to learn or make use of information from the system that does not affect system resources
❐ Active – attempt to alter system resources or affect their operation
❐ Insider – initiated by an entity inside the security perimeter
❐ Outsider – initiated from outside the perimeter

Passive and Active Attacks
Passive Attack
❏ Attempts to learn or make use of information from the system but does not affect system resources
❏ Eavesdropping on, or monitoring of, transmissions
❏ Goal of the attacker is to obtain information that is being transmitted
Active Attack
❏ Attempts to alter system resources or affect their operation
❏ Involves some modification of the data stream or the creation of a false stream

Breaches and Threats
❏ Eavesdropping: the interception of information intended for someone else during its transmission over a communication channel.
❏ Alteration: unauthorised modification of information.
❏ Interruption: the interruption or degradation of a data service or information access can cause a system to become unavailable.
❏ Masquerading: the fabrication of information that is purported to be from someone who is not actually the author.
❏ Repudiation: the denial of a commitment or data receipt.

Attack Surface
❏ Consists of the reachable and exploitable vulnerabilities in a system
❏ Can be categorised in the following way:
❐ Network attack surface
❏ This category refers to vulnerabilities over an enterprise network, wide-area network, or Internet
❐ Software attack surface
❏ Vulnerabilities in application, utility, or operating system code
❐ Human attack surface
❏ Refers to vulnerabilities created by personnel or outsiders, such as social engineering, human error, and trusted insiders

Threat Modelling: Attack Trees
Figure 4: Attack Tree - Gaining Access by obtaining the password

Fundamental security design principles

The Ten Security Principles
❏ The National Centres of Academic Excellence in Information Assurance/Cyber Defence adopted a modified set of the Saltzer and Schroeder principles (1975).
They list the following as fundamental security design principles:

Economy of mechanism
❏ The design of security measures embodied in both hardware and software should be as simple and small as possible
Fail-safe defaults
❏ Access decisions should be based on permission rather than exclusion—the default situation is lack of access, and the protection scheme identifies conditions under which access is permitted
Complete mediation
❏ Every access must be checked against the access control mechanism
Open design
❏ The design of a security mechanism should be open rather than secret
Separation of privilege
❏ This principle dictates that multiple conditions should be required to achieve access to restricted resources or have a program perform some action.
Least privilege
❏ Every process and every user of the system should operate using the least set of privileges necessary to perform the task (the bare minimum privileges)
Least common mechanism
❏ In systems with multiple users, mechanisms allowing resources to be shared by more than one user should be minimised.
Psychological acceptability
❏ This principle states that user interfaces should be well designed and intuitive, and all security-related settings should adhere to what an ordinary user might expect.
Work factor
❏ According to this principle, the cost of circumventing a security mechanism should be compared with the resources of an attacker when designing a security scheme.
Compromise recording
❏ This principle states that sometimes it is more desirable to record the details of an intrusion than to adopt more sophisticated measures to prevent it.

Hackers and Pen Testers

Profiles and Motives of Different Types of Hackers
❏ White hat hackers are information security professionals who use hacking skills to expose vulnerabilities and make their systems more secure
❏ Amateurs are entry-level hackers who use scripts and software from experienced hackers
❏ Hackers, also called crackers, are those who conduct illegal activities for financial gain.
❏ Hacktivists are activist hackers who conduct hacking activities for political or ideological goals
❏ Script Kiddies are hackers who use other people's tools. Their knowledge is usually limited. They perform a cyberattack without actually understanding it.
❏ State-sponsored hackers are well supported, usually have a lot of resources and their attacks are complex. They usually have their own tools.
Figure 5: The Hacker Mindset (footnote 2: Chapter 1, Hacker Techniques, Tools, and Incident Handling)

Motivations
❏ Means — Does the attacker possess the ability to commit the crime in question?
❏ Motive — Does the attacker have a reason to engage in the commission of the crime?
❏ Opportunity — Does the attacker have the necessary access and time to commit the crime?
Figure 6: Motivations (footnote: Chapter 1, Hacker Techniques, Tools, and Incident Handling)
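As an added example for the ten security design principles listed above (not code from the lecture slides), the following small reference monitor makes five of them concrete: fail-safe defaults (deny unless explicitly allowed), complete mediation (every access goes through one decision function), separation of privilege (a sensitive action needs two independent approvers), least privilege (each role holds only what its job needs) and compromise recording (every denial is kept for audit). The subjects, the "grades.db" resource and the policy are constructed sample values.

```python
"""Added example (not from the lecture slides): a tiny reference monitor
illustrating fail-safe defaults, complete mediation, separation of
privilege, least privilege and compromise recording."""
from dataclasses import dataclass, field


@dataclass
class ReferenceMonitor:
    # Fail-safe defaults: the only source of "allow" is this explicit set of
    # (subject, resource, action) triples; anything not listed is denied.
    allowed: set = field(default_factory=set)
    # Separation of privilege: actions listed here also need sign-off from
    # two other subjects who are themselves permitted to perform them.
    two_person: set = field(default_factory=set)
    # Compromise recording: every decision, allow or deny, is kept for audit.
    audit: list = field(default_factory=list)

    def _permitted(self, subject: str, resource: str, action: str) -> bool:
        return (subject, resource, action) in self.allowed

    def decide(self, subject: str, resource: str, action: str,
               approvers: tuple = ()) -> bool:
        """Complete mediation: every access is checked here, nothing is cached."""
        reason = "allow"
        if not self._permitted(subject, resource, action):
            reason = "deny: no explicit permission (fail-safe default)"
        elif action in self.two_person:
            # Approvals by the requester, or by subjects not permitted to do
            # the action themselves, do not count as independent conditions.
            others = {a for a in approvers
                      if a != subject and self._permitted(a, resource, action)}
            if len(others) < 2:
                reason = "deny: two independent approvers required (separation of privilege)"
        self.audit.append((subject, resource, action, reason))
        return reason == "allow"


def build_demo_monitor() -> ReferenceMonitor:
    """Least privilege: each role gets only the actions its job needs, e.g.
    the backup job may read the grades database but never write or delete."""
    m = ReferenceMonitor(two_person={"delete"})
    m.allowed |= {
        ("alice", "grades.db", "read"), ("alice", "grades.db", "write"),
        ("alice", "grades.db", "delete"),
        ("bob", "grades.db", "delete"), ("carol", "grades.db", "delete"),
        ("backup", "grades.db", "read"),
    }
    return m


def run_scenario() -> dict:
    """Exercise the monitor; returns a description -> decision map."""
    m = build_demo_monitor()
    return {
        "alice reads": m.decide("alice", "grades.db", "read"),
        "backup writes": m.decide("backup", "grades.db", "write"),
        "mallory reads": m.decide("mallory", "grades.db", "read"),
        "alice deletes alone": m.decide("alice", "grades.db", "delete"),
        "alice deletes, bob approves": m.decide("alice", "grades.db", "delete", ("bob",)),
        "alice deletes, self + dave approve": m.decide("alice", "grades.db", "delete", ("alice", "dave")),
        "alice deletes, bob + carol approve": m.decide("alice", "grades.db", "delete", ("bob", "carol")),
    }


def denied_events(m: ReferenceMonitor) -> list:
    """The compromise-recording view: what was refused, and why."""
    return [e for e in m.audit if e[3] != "allow"]


if __name__ == "__main__":
    for name, ok in run_scenario().items():
        print(f"{'ALLOW' if ok else 'DENY':5} {name}")
```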
Modern Hacking and Cybercriminals
❏ Typically, hacking methodologies contain five distinct stages:
❐ Reconnaissance
❐ Scanning and enumeration
❐ Gaining Access
❐ Maintaining Access
❐ Covering Tracks
❏ Each stage uses different tools and techniques. Modern hackers now use a more detailed hacking methodology.
Figure 7: Common Hacking Methodologies: Hacking Steps

Ethical Hacking and Penetration Testing
❏ Ethical hackers require permission to engage in penetration testing
❏ Penetration testing is the structured and methodical means of investigating, uncovering, attacking, and reporting on a target system's strengths and vulnerabilities
❏ Penetration tests are commonly part of IT audits
Black-Box Testing
❏ Used to simulate how an attacker views the system
❏ No knowledge of the system is provided to the testing team
White-Box Testing
❏ Advance knowledge of the system is provided to the testing team
Figure 8: Role of Ethical Hackers (footnote 3: Chapter 1, Hacker Techniques, Tools, and Incident Handling)

Ethical Hacking Penetration Testing Steps
❏ The goal of an ethical hacker conducting a penetration test is to audit an information system and its existing security controls (if any) and to identify any existing vulnerabilities
❐ They will define the scope of the test and plan their test in a way that does not disrupt the system or its operation
❐ Instead of exploiting a vulnerability (discovery), an ethical hacker will report it.
❐ They can suggest security controls to mitigate discovered vulnerabilities
Figure 9: Ethical hacking penetration testing process

Performing a Penetration Test
❏ Tests that can be part of a penetration test include the following:
❐ Technical attack — Designed to simulate an attack against technology from either the inside or the outside, depending on the goals and intentions of the client.
❐ Administrative attack — Designed to find loopholes or shortcomings in how tasks and operational processes are performed.
❐ Physical attack — Includes anything that targets physical equipment and facilities with actions such as theft, breaking and entering, or similar actions. Can also include actions against people, such as social engineering–related threats.

Reconnaissance
❏ A large part of the information gathering stage is conducted using passive attacks, such as searching public records and Open Source Intelligence (OSINT)
❏ Attackers then leverage information from a variety of sources to understand their target, including identifying network layouts, domains, servers and infrastructure details.
❏ This will help the pen tester to understand how a network works, including its assets (applications, systems, devices, anything with an IP).
❏ The reconnaissance stage is crucial to thorough security testing because penetration testers can identify additional information that may have been overlooked, unknown, or not provided

Scanning and Enumeration (or Scanning)
❏ The next step is to scan an organisation's network to find entry points.
❐ This step of the process usually goes slowly, sometimes lasting months, as the attackers search for vulnerabilities.
❏ Enumeration: Enumeration is basically counting. A hacker establishes an active connection to the target host. The vulnerabilities are then counted and assessed. It is done mainly to search for attacks and threats to the target system.
❐ Enumeration is used to collect usernames, hostnames, IP addresses, passwords, configurations, etc.
❐ Enumeration is very important to programmers, as it poses significant challenges to the security of any system

Gaining Access (or Infiltration and Escalation)
❐ Attackers break into the network, delivering targeted malware to vulnerable systems and people, often without the user being aware they are a target.
❐ They then map the organisation's defences from the inside and create a battle plan for the information they intend to target.
❐ Penetration tests attempt to exploit the vulnerabilities in a system to determine whether unauthorised access or other malicious activity is possible, and to identify which flaws pose a threat to the application.
❐ After interpreting the results from the vulnerability assessment, penetration testers use manual techniques, human intuition, and their backgrounds to validate, attack, and exploit those vulnerabilities.
Maintaining Access (or Exfiltration, Access Extension and Assault)
❏ Now that weaknesses in the target network are identified, the next step in the cyber attack is to gain access and then escalate.
❏ In almost all such cases, privileged access is needed because it allows the attackers to move freely within the environment.
❏ Once the attackers gain elevated privileges, the network is effectively taken over and is now "owned" by the intruders.
❏ This is another stage where malware can be beneficial. You may need to install a rootkit
❏ Data exfiltration is then conducted and the tester uses tools and techniques to extract data from the network, simulating the actions of hackers.

Covering Tracks (or Obfuscation)
❏ Covering your tracks is where you hide or delete any evidence of what you managed to get access to.
❏ Additionally, you should cover up your continued access.
❏ This can be accomplished with malware that ensures that your actions are not logged, or perhaps misreports system information, like network connections.

Social Engineering
With that knowledge in mind, here are questions that come up with regard to information gathering:
❏ How can you gather information?
❏ What sources exist for social engineers to gather information?
❏ What can you glean from this information to profile your targets?
❏ How can you locate, store, and catalogue all this information for the easiest level of use?
Social Engineering Examples
Influence: The Power of Persuasion
❏ Persuasion and influence involve emotions and beliefs. You have to know how and what people are thinking.
Elicitation
❏ Elicitation is "the subtle extraction of information during an apparently normal and innocent conversation."
Pretexting - A good liar...
❏ Some people say pretexting is just a story or lie during a social engineering engagement.
Social Engineering example: Blocking you out of your account (YouTube video)

References
❏ The lecture notes and contents were compiled from my own notes and from various sources.
❏ Figures and tables are from the recommended books
❏ The lecture notes are very detailed. If you attend the lecture, you should be able to understand the topics.
❏ You can use any of the recommended readings! You do not need to read all the chapters!
❏ Recommended Readings note: Focus on what was covered in the class.
❐ Chapter 1, Ethical Hacking, CEH v11 Certified Ethical Hacker Study Guide
❐ Chapter 1, Information Systems Security, Fundamentals of Information Systems Security
❐ Chapter 1, Introduction, CyBOK, The Cyber Security Body of Knowledge
