Cisco Secure PIX Firewall Advanced Exam Certification Guide - Cisco press.pdf

Chapter 1

Network Security

In the past, information security was a term used to describe the physical security measures used to keep vital government or business information from being accessed by the public and to protect it against alteration or destruction. This was done by storing valuable documents in locked filing cabinets or safes and restricting physical access to areas where those documents were kept. With the proliferation of computers and electronic media, the old way of accessing data changed. As technology continued to advance, computer systems were interconnected to form computer networks, allowing systems to share resources, including data. The ultimate computer network, which interconnects almost every publicly accessible computer network, is the Internet. Although the methods of securing data have changed dramatically, the concept of network security remains the same as that of information security.

Because computers can warehouse, retrieve, and process tremendous amounts of data, they are used in nearly every facet of our lives. Computers, networks, and the Internet are an integral part of many businesses. Our dependence on computers continues to increase as businesses and individuals become more comfortable with technology and as technology advances make systems more user-friendly and easier to interconnect.

A single computer system requires automated tools to protect data on that system from users who have local system access. A computer system that is on a network (a distributed system) requires that the data on that system be protected not only from local access but also from unauthorized remote access and from interception or alteration of data during transmission between systems.


To understand cyber-attacks, you must remember that computers, no matter how advanced, are still just machines that operate based on predetermined instruction sets. Operating systems and other software packages are simply compiled instruction sets that the computer uses to transform input into output. A computer cannot determine the difference between authorized input and unauthorized input unless this information is written into the instruction sets. Any point in a software package at which a user can alter the software or gain access to a system (that was not specifically designed into the software) is called a vulnerability. In most cases, a hacker gains access to a network or computer by exploiting a vulnerability. It is possible to remotely connect to a computer on any of 65,535 ports. As hardware and software technology continues to advance, the “other side” continues to search for and discover new vulnerabilities. For this reason, most software manufacturers continue to produce patches for their products as vulnerabilities are discovered.


Potential threats are broken into the following two categories:

Structured threats—Threats that are preplanned and focus on a specific target. A structured threat is an organized effort to breach a specific network or organization.

Unstructured threats—This threat is the most common because it is random and tends to be the result of hackers looking for a target of opportunity. An abundance of script files are available on the Internet to users who want to scan unprotected networks for vulnerabilities. Because the scripts are free and run with minimal input from the user, they are widely used across the Internet. Many unstructured threats are not of a malicious nature or for any specific purpose. The people who carry them out are usually just novice hackers looking to see what they can do.

Types of Attacks

The motivations for cyber-attackers are too numerous and varied to list. They range from the novice hacker who is attracted by the challenge to the highly skilled professional who targets an organization for a specific purpose (such as organized crime, industrial espionage, or state-sponsored intelligence gathering). Threats can originate from outside the organization or from inside. External threats originate outside an organization and attempt to breach a network either from the Internet or via dialup access. Internal threats originate from within an organization and are usually the result of employees or other personnel who have some authorized access to internal network resources. Studies indicate that internal threats perpetrated by disgruntled employees or former employees are responsible for the majority of network security incidents within most organizations.

There are three major types of network attacks, each with its own specific goal:

Reconnaissance attacks—An attack designed not to gain access to a system or network, but only to search for and track vulnerabilities that can be exploited later.

Access attacks—An attack designed to exploit a vulnerability and to gain access to a system on a network. After gaining access, the user can

Retrieve, alter, or destroy data

Add, remove, or change network resources, including user access

Install other exploits that can be used later to gain access to the network

Denial of service (DoS) attacks—An attack designed solely to cause an interruption on a computer or network.


Reconnaissance Attacks

The goal of this type of attack is to perform reconnaissance on a computer or network. The goal of this reconnaissance is to determine the makeup of the targeted computer or network and to search for and map any vulnerabilities. A reconnaissance attack can indicate the potential for other, more-invasive attacks. Many reconnaissance attacks are written into scripts that allow novice hackers or script kiddies to launch attacks on networks with a few mouse clicks. Here are some of the more common reconnaissance attacks:

Domain Name Service (DNS) queries—A DNS query provides the unauthorized user with such information as what address space is assigned to a particular domain and who owns that domain.

Ping sweeps—A ping sweep tells the unauthorized user how many hosts are active on the network. It is possible to drop ICMP at the perimeter devices, but this occurs at the expense of network troubleshooting.

Vertical scans—This involves scanning the service ports of a single host and requesting different services at each port. This method allows the unauthorized user to determine what type of operating system and services are running on the computer.

Horizontal scans—This involves scanning an address range for a specific port or service. A very common horizontal scan is the FTP sweep. This is done by scanning a network segment, looking for replies to connection attempts on port 21.

Block scans—This is a combination of the vertical scan and the horizontal scan. In other words, it scans a network segment and attempts connections on multiple ports of each host on that segment.
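As an added example (not from the book), the following Python script applies the chapter's scan taxonomy from the defender's side: it groups connection attempts in a constructed log by source address and labels each source as vertical, horizontal, or block scanning according to how many distinct hosts and ports it touched. The log format and the thresholds are assumptions chosen for illustration.

```python
# Added example (not from the book): classify scanning sources by the
# chapter's taxonomy. Log format and thresholds are assumptions.
from collections import defaultdict

# Constructed sample log: "<time> <src_ip> <dst_ip> <dst_port>" per line.
SAMPLE_LOG = """\
10:00:01 203.0.113.7 192.0.2.10 21
10:00:01 203.0.113.7 192.0.2.11 21
10:00:02 203.0.113.7 192.0.2.12 21
10:00:05 198.51.100.4 192.0.2.10 22
10:00:05 198.51.100.4 192.0.2.10 25
10:00:06 198.51.100.4 192.0.2.10 80
10:00:09 192.0.2.99 192.0.2.10 80
10:00:09 192.0.2.99 192.0.2.11 22
10:00:10 192.0.2.99 192.0.2.12 25
10:00:12 192.0.2.50 192.0.2.10 80
"""

MIN_HOSTS = 3  # distinct destination hosts before we call it a sweep (assumed)
MIN_PORTS = 3  # distinct destination ports before we call it a port scan (assumed)


def parse_log(text):
    """Return {src_ip: set of (dst_ip, dst_port)} from the assumed format."""
    seen = defaultdict(set)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[3].isdigit():
            continue  # skip malformed lines instead of crashing the detector
        _, src, dst, port = parts
        seen[src].add((dst, int(port)))
    return seen


def classify(targets):
    """Map one source's (dst, port) set to a scan type, or None if benign."""
    many_hosts = len({dst for dst, _ in targets}) >= MIN_HOSTS
    many_ports = len({port for _, port in targets}) >= MIN_PORTS
    if many_hosts and many_ports:
        return "block"       # many hosts x many ports
    if many_hosts:
        return "horizontal"  # many hosts, same port (e.g. an FTP sweep on 21)
    if many_ports:
        return "vertical"    # one host, many ports
    return None


def detect_scans(text):
    """Return {src_ip: scan_type} for every source matching a scan pattern."""
    result = {}
    for src, targets in parse_log(text).items():
        kind = classify(targets)
        if kind is not None:
            result[src] = kind
    return result
```

Real perimeter logs carry far more fields, but the same host-count versus port-count split is what distinguishes the three scan types the chapter describes.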

Access Attacks

As the name implies, the goal of an access attack is to gain access to a computer or network. Having gained access, the user can perform many different functions. These functions can be broken into three distinct categories:

Interception—Gaining unauthorized access to a resource. This could be access to confidential data such as personnel records, payroll, or research and development projects. As soon as the user gains access, he might be able to read, write to, copy, or move this data. If an intruder gains access, the only way to protect your sensitive data is to save it in an encrypted format (beforehand). This prevents the intruder from being able to read the data.

Modification—Having gained access, the unauthorized user can alter the resource. This includes not only altering file content, but also altering system configurations, unauthorized system access, and unauthorized privilege escalation. Unauthorized system access is achieved by exploiting a vulnerability in either the operating system or a software package running on that system. Unauthorized privilege escalation is when a user who has a low-level but authorized account attempts to gain higher-level or more-privileged user account information or increase his privilege level. This gives him greater control over the target system or network.

Fabrication—With access to the target system or network, the unauthorized user can create false objects and introduce them into the environment. This can include altering data or inserting packaged exploits such as a virus, worm, or Trojan horse, which can continue attacking the network from within.

Virus—Computer viruses range from annoying to destructive. They consist of computer code that attaches itself to other software running on the computer. This way, each time the attached software opens, the virus reproduces and can continue growing until it wreaks havoc on the infected computer.

Worm—A worm is a virus that exploits vulnerabilities on networked systems to replicate itself. A worm scans a network, looking for a computer with a specific vulnerability. When it finds a host, it copies itself to that system and begins scanning from there as well.

Trojan horse—A Trojan horse is a program that usually claims to perform one function (such as a game) but does something completely different (such as corrupting data on your hard disk). Many different types of Trojan horses get attached to systems. The effects of these programs range from minor user irritation to total destruction of the computer’s file system. Trojan horses are sometimes used to exploit systems by creating user accounts on systems so that an unauthorized user can gain access or upgrade his privilege level.

Denial of Service (DoS) Attacks

A DoS attack is designed to deny user access to computers or networks. These attacks usually target specific services and attempt to overwhelm them by making numerous requests concurrently. If a system is not protected and cannot react to a DoS attack, it can be very easy to overwhelm that system by running scripts that generate multiple requests. It is possible to greatly increase a DoS attack’s magnitude by launching it from multiple systems against a single target. This practice is called a distributed denial of service attack (DDoS). A common practice by hackers is to use a Trojan horse to take control of other systems and enlist them in a DDoS attack.