The Expert's Voice in Information Security
The InfoSec Handbook: An Introduction to Information Security
Umesh Hodeghatta Rao and Umesha Nayak

Chapter 9: Understanding Networks and Network Security

Network Vulnerabilities and Threats

With the advancement in computing, networking, and technology, the world is becoming more and more connected. The Internet connects millions of computers across most of the geographies of this world. It is a network of networks and consists of billions of users across private, public, university, and government networks sharing information. The Internet uses the TCP/IP protocol suite, and the underlying physical media can be wired, optical, or wireless. It serves an extensive range of applications, starting with e-mail, the World Wide Web (WWW), and social networks, and each application may use one or more protocols. A large amount of personal, commercial, business, and government information is shared on the Internet.

There are billions of users, both good and bad, accessing the Internet. The bad guys, known as hackers, and other persons with malicious intent are a concern. With so many computers, networking devices, protocols, and applications on the network, the Internet has become a serious threat to information security: any application, network device, or protocol can be vulnerable. The Internet is crawling with people from all over the world who are continuously testing the security of various systems and networks. Some are simply testing for fun; others are fuelled by motives of theft or revenge.

A threat is an event that can occur by taking advantage of any vulnerability that exists in the network. Any discussion on network security will include these three common terms:

* Vulnerability: An inherent weakness in the network or a network device. It could be hardware or software or both.
  Possible vulnerabilities could include routers, switches, servers, and the security devices themselves.
* Threat: A threat is what can go wrong because of the exploitation of vulnerabilities or an attack on the assets, such as data theft or unauthorized modification of the data.
* Attack: An attack is an unauthorized action with the intent to cause damage, or to hinder or breach the security of the network. An attack is launched by intruders to damage the network and network resources such as end-point devices, servers, or desktops that are vulnerable.

Vulnerabilities

One of the following three types of vulnerabilities or weaknesses can exist in the network:

* Security policy weakness
* Technology weakness
* Configuration weakness

Security Policy Weaknesses

Every organization should have security policies defined. However, the network can pose a security threat if the users do not follow the organizational security policy. Table 9-1 summarizes some of the common security policy weaknesses.

Table 9-1. Common Security Policy Weaknesses

Weakness: No written security policy
What can go wrong: No enforcement of security policy across the organization, leading to security incidents. Because of ignorance, mistakes may happen which can compromise security. Intentional malicious acts can also be disguised as acts of ignorance.

Weakness: No policy for hardware and software installations or updates
What can go wrong: Unauthorized installations leading to theft of information or unauthorized modification of the information. Unapproved modifications leading to an unstable, attack-prone network, ultimately leading to a network crash. Unauthorized installations leading to malware infection. Intentional misuse of the network for personal gain.

Weakness: Lack of disaster recovery and business continuity plans
What can go wrong: Confusion during a disaster. Disasters may not be handled effectively and efficiently, leading to reputation loss, business loss, or customer loss.

Weakness: No incident response team
What can go wrong: Inability to handle a security incident or crisis, sometimes further complicating the situation rather than solving the problem.

Weakness: No policy on usage of official assets
What can go wrong: Misuse of official assets. Reputation loss. Productivity loss. Can lead to malware infection.

Weakness: No policy on teleworking or working from home
What can go wrong: Use of personal machines to connect to the network, leading to theft of data or infection of the office network.

Technology Weaknesses

Protocols are standards created to specify how an application should communicate. All connection-oriented protocols have state. Each state triggers certain events at certain times, and each state can be part of the connection, for example, a server waiting for a response from a client, or the transition during the close of a connection. Specifications are not always complete; they are a good starting point, but they can have limitations, and not all applications are created taking care of all the points mentioned in the specification. Such weaknesses in the protocol or its implementation can be exploited.

Not all traffic on the network is malicious; traffic is allowed or denied by the security policies defined. By exploiting a weakness in the policy, attackers can bypass the security rules, leading to policy violations. For example, a TCP segment with both the SYN and RST flags set, or an IP packet whose stated length exceeds its actual length, violates the standards. Although such a packet may bypass security rules, if the remote device is not able to handle the erroneous packet, it leads to a possible attack. Table 9-2 summarizes the technology weaknesses, which include protocol weaknesses, operating system weaknesses, and network equipment weaknesses.

Table 9-2. Technology Weaknesses That Affect Networks

Weakness: TCP/IP applications and protocols
Description: HTTP, FTP, SNMP, SMTP, TCP, IP, and DNS are implemented as per standards and specifications that have inherent limitations that can be exploited.

Weakness: Operating system
Description: Microsoft Windows, Apple Macintosh, IBM OS/2, UNIX, and other operating systems have several security issues.

Weakness: Network device
Description: Password weaknesses such as default passwords not being changed or the lack of a strong password requirement, authentication weaknesses, firewall holes, and user interface weaknesses.

Configuration Weaknesses

Network administrators need to have adequate skills to configure networks and network devices to prevent security threats. Table 9-3 describes some of the possible configuration weaknesses.

Table 9-3. Configuration Weaknesses That Affect Networks

Weakness: User accounts
Description: User accounts stored on devices must be secured. Exposing usernames and passwords can be a security threat.

Weakness: Passwords
Description: Password policy should be enforced at the user level. Passwords of major devices such as servers, routers, and databases should follow the password policy set by the IT policy of the organization. Default passwords should not be allowed to remain in use. Password secrecy should be preserved; passwords have to be changed when an administrator leaves the organization, and changed periodically.

Weakness: Configuration of TCP ports and Internet services
Description: There should be a policy defining which application services are allowed and for what purposes. A common problem is a lack of clarity in this regard, and enabling some of the attack-prone ones like JavaScript and VBScript, or enabling remote services or other such services without understanding the risks.

Weakness: Default settings
Description: If the network administrators do not change the default settings of the devices, it can cause serious security threats: default passwords are publicly known, and default permissions may be left in place, giving scope for attacks.
Weakness: Misconfiguration of security and network devices
Description: Misconfiguration of firewalls and other network devices can cause serious security problems. For example, misconfiguration of access lists or routing protocols can cause serious security threats.

Threats

Internal threats and external threats are the two primary classes of threats to network security. They are illustrated in Figure 9-9. These threats are caused by attackers.

* Internal Threats: Internal threats are threats from someone within the organization who has proper access to the network and network resources, who understands the network infrastructure well, and who understands the security applications and the security loopholes. Someone within the organization can create and send out attacks while hiding his identity, as he already knows enough inside information. According to the FBI, 80 percent of the reported security incidents are due to internal access and misuse of information by an insider of the company.
* External Threats: External threats are threats from outside the organization. The attackers do not possess authorized access to the network resources; they work by gaining unauthorized access to the network and network resources with the intention of damaging the resources or for profit. These can be structured or unstructured:
  * Structured: Structured attacks come from technically competent hackers who belong to a class of highly motivated individuals. They understand vulnerabilities and develop sophisticated tools and techniques to penetrate without anyone knowing. These groups (also called hackers or crackers) may often be found to be involved in major crimes such as credit card theft or identity theft.
  * Unstructured: These threats are from inexperienced individuals testing their skills using some of the tools available in the public domain. Sometimes these can do serious damage to company assets.

Figure 9-9. Types of Threats (diagram not reproduced; it labels a Compromised Host)

Attacks

Attackers generally abuse the network "rules" established by security policies. The rules are broken in such a way that the attackers' traffic appears to be normal traffic. Attacks can be classified into the following categories:

* Reconnaissance
* Denial of Service (DoS)/Distributed Denial of Service (DDoS)
* Other network attacks

Reconnaissance

To effectively launch an attack, the attacker should have knowledge of the network, the hardware used, the software deployed, and the topology. Before an attack is launched, the attacker tries to gain this knowledge by scanning the network, which is called reconnaissance. Reconnaissance is not an attack by itself; however, it can pose a serious security threat by making the weaknesses of the network or network resources known to the attacker. It is more of an information-gathering mission. Quite often, reconnaissance goes undetected for a considerable amount of time because it has little visible impact on the network. Sniffing is one of the important reconnaissance methods used by attackers to collect information such as user IDs and passwords, session IDs, transactions being carried out, other confidential details, and business discussions. Other popular methods are pinging, banner grabbing, and port scanning.

Denial-of-Service (DoS) and Distributed Denial-of-Service (DDoS)

The purpose of a DoS attack, as shown in Figure 9-10, is to make network resources inaccessible to users and bring down the network itself by generating a huge amount of network traffic that overwhelms or crashes the server, exceeds the capacity of routers and switches, and saturates CPU and memory. In some cases, DoS attacks target a specific device and cause the system to hang.
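Returning to the reconnaissance section above: port scanning is the one reconnaissance method that leaves a clear trace at the perimeter, because one source touches many destination ports in a short time. The following is an added example, not from the book, of the detection logic a defender would run over firewall logs. The log format ("timestamp action src dst dport proto") and the log lines themselves are constructed for the example; real firewalls use their own formats, so the parser would need adapting.

```python
"""Flag port-scan reconnaissance in firewall logs (added example, not from the book)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample firewall log (not real traffic). Assumed format:
# "<ISO timestamp> <ACTION> <src_ip> <dst_ip> <dst_port> <proto>".
# 203.0.113.7 probes 12 different ports of one host within ten seconds;
# 198.51.100.4 is an ordinary client talking to the web server.
SAMPLE_LOG = """\
2024-03-01T10:00:00 DENY  203.0.113.7  192.0.2.10 21  tcp
2024-03-01T10:00:01 ALLOW 198.51.100.4 192.0.2.10 443 tcp
2024-03-01T10:00:01 DENY  203.0.113.7  192.0.2.10 22  tcp
2024-03-01T10:00:02 DENY  203.0.113.7  192.0.2.10 23  tcp
2024-03-01T10:00:02 DENY  203.0.113.7  192.0.2.10 25  tcp
2024-03-01T10:00:03 ALLOW 198.51.100.4 192.0.2.10 443 tcp
2024-03-01T10:00:03 DENY  203.0.113.7  192.0.2.10 53  tcp
2024-03-01T10:00:04 ALLOW 203.0.113.7  192.0.2.10 80  tcp
2024-03-01T10:00:05 DENY  203.0.113.7  192.0.2.10 110 tcp
2024-03-01T10:00:06 DENY  203.0.113.7  192.0.2.10 135 tcp
2024-03-01T10:00:06 DENY  203.0.113.7  192.0.2.10 139 tcp
2024-03-01T10:00:07 DENY  203.0.113.7  192.0.2.10 143 tcp
2024-03-01T10:00:08 ALLOW 198.51.100.4 192.0.2.10 80  tcp
2024-03-01T10:00:08 ALLOW 203.0.113.7  192.0.2.10 443 tcp
2024-03-01T10:00:09 DENY  203.0.113.7  192.0.2.10 445 tcp
2024-03-01T10:00:10 ALLOW 198.51.100.4 192.0.2.10 443 tcp
"""


def parse_line(line):
    """Split one log line into a dict; raises ValueError on a malformed line."""
    ts, action, src, dst, dport, proto = line.split()
    return {"ts": datetime.fromisoformat(ts), "action": action,
            "src": src, "dst": dst, "dport": int(dport), "proto": proto}


def detect_port_scans(log_text, window_seconds=60, min_distinct_ports=10):
    """Return {src_ip: sorted distinct destination ports} for every source that
    touched at least min_distinct_ports distinct ports inside any sliding window
    of window_seconds. Both ALLOW and DENY lines count: a connect scan against
    open ports is allowed by the firewall but is still reconnaissance."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)      # src -> deque of (ts, dport), oldest first
    flagged = defaultdict(set)
    events = sorted((parse_line(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e["ts"])
    for ev in events:
        q = recent[ev["src"]]
        q.append((ev["ts"], ev["dport"]))
        while q and ev["ts"] - q[0][0] > window:   # drop events that fell out of the window
            q.popleft()
        ports = {p for _, p in q}
        if len(ports) >= min_distinct_ports:
            flagged[ev["src"]].update(ports)
    return {src: sorted(ports) for src, ports in flagged.items()}


if __name__ == "__main__":
    for src, ports in detect_port_scans(SAMPLE_LOG).items():
        print(f"possible port scan from {src}: {len(ports)} ports {ports}")
```

The threshold and window are tuning knobs: a scanner that spreads its probes over hours ("slow scan") stays under any short window, so a production detector also keeps per-source counters over a day, and a horizontal scan (one port across many hosts) needs the same logic keyed on distinct destination addresses instead of ports.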
Figure 9-10. Distributed Denial of Service Attack (diagram not reproduced; it shows the attacker, compromised hosts, and the server to compromise)

Sometimes the attacker gets into one device in the network remotely and triggers the simultaneous exploitation of systems on the network, or uses multiple compromised machines to initiate simultaneous attacks, causing interruptions of the network and network resources. The sudden increase in network traffic can cause the server or router to go down quickly and become inaccessible to legitimate users. This kind of attack is called a Distributed Denial-of-Service (DDoS) attack, and it hides the true origin of the attack.

A DoS (or DDoS) attack is an explicit attempt to prevent legitimate users from accessing the network and network services. Examples include:

* Flooding the network, thereby preventing legitimate network traffic
* Targeting a single device with too many requests, thus bringing down the device
* Disrupting the connection between two legitimate devices, thereby preventing access to a genuine service request
* Destruction or alteration of network configurations
* Consuming the network bandwidth

The list of DDoS attack victims includes some major players, including Microsoft, Amazon, HSBC, and Yahoo. In November 2011, the international bank HSBC was under an attack that targeted its servers and resulted in numerous customers being unable to withdraw money from cash machines, as well as affecting the HSBC and First Direct websites. In 2004, Microsoft Corp. was assailed by a DDoS attack induced by the Windows-based Mydoom-B worm.

The following are some of the common (D)DoS attacks, by name:

* Ping of Death: This is an exploit of the TCP/IP protocol implementation. As per RFC 791, the Total Length field of an IP packet is 16 bits, so the maximum size of an IP packet is 65,535 bytes. The attacker uses the "ping" application to send an ICMP echo request whose fragments, when reassembled, exceed that maximum size. The remote system may crash or reboot if its reassembly code does not know how to handle the oversized packet.
* TCP SYN Flood Attack: This attack exploits the TCP implementation of the connection-establishment process. TCP connection establishment requires a three-way handshake, as shown in Figure 9-11, before actual data starts being transmitted. Each time a client application, such as a web browser, attempts to open a connection with the server, it sends a request (a segment with the SYN flag set) to the server and waits for the acknowledgement from the server. If the server accepts the connection, it sends back an acknowledgement (SYN-ACK) and waits for the client's acknowledgement. Once the client receives the acknowledgement from the server, it sends one more segment (ACK) acknowledging receipt of the server's information. Once the handshake completes, the actual data transmission starts. This is referred to as the TCP three-way handshake. Since each in-progress connection takes up memory and CPU resources, only a limited number of in-progress (half-open) connections are possible. When the server establishes the connection with the client, the server considers the connection open and frees up the queued resources for accepting new connections. During a SYN flood attack, the hostile client never sends back the final ACK to the server. Instead, it keeps sending repeated SYN requests, causing a DoS. The attacking application generates spoofed packets that appear to be valid new connections and enter the queue, but the connections are never completed (RFC 4987).

Figure 9-11. TCP 3-Way Connection Handshake (diagram not reproduced; it shows the client and server exchanging SYN, SYN-ACK, and ACK across the network cloud)

* E-mail bombs: An application program that sends bulk e-mails to individuals, organizations, lists, or domains to vandalize an e-mail server.
* Teardrop: An IP protocol exploit in which the IP packet is fragmented with overlapping fragment offsets, in such a way that reassembling the packet can cause the system to crash.
* Smurf Attack: The Internet Control Message Protocol (ICMP) is used to test the availability of a network device by pinging the node concerned to determine its operational status. When the remote host sends a PING (echo request), the end device responds by sending a "reply" message. A smurf attack is a type of DoS attack in which the attacker sends ping (ICMP echo request) messages to a network's broadcast address with the source address spoofed to the victim's, so every host on that network replies to the victim. This floods the victim with ping replies, creates high network traffic and high consumption of network bandwidth, and ultimately leads to the crashing of the remote system.

Other Attacks on Networks

Apart from the attacks described previously, there are other attacks that can cause serious damage to network security. Some common ones include spoofing attacks, HTTP tunneling, and session hijacking.

* Masquerade/Spoofing Attacks: The network intruder masquerades a TCP/IP packet with an illegal IP address, falsifying the source address. The intruder fools the remote machine with an illegitimate source address that nonetheless carries valid user access privileges. In an IP spoofing attack, a malicious hacker from outside the network pretends to be a trusted user of the organization and spoofs the source address of a legitimate inside user, thus gaining access to the network resources. This attack can also cause a broadcast in the network, causing high network traffic. If the attacker manages to alter the routing tables, then the response from the network resource can go to the spoofed address.
* ARP Spoofing and DNS Spoofing: Address Resolution Protocol (ARP) spoofing confuses the system into mapping an incorrect MAC address to a particular IP address in its ARP table. Similarly, DNS (Domain Name System) spoofing changes the mapping of DNS entries in the DNS cache. MAC flooding attacks, which overflow a switch's address table so that it floods frames out of all ports, are a related layer-2 technique.
* HTTP Tunneling: This method may be used by insiders to overcome the firewall controls and send confidential information to the outside world without anyone inside being aware of it.
* SSH Tunneling: This may be used to connect directly to a network stealthily and initiate attacks. This is an illegitimate use of a legitimate tool.
* Session Hijacking: A session between the user and the server can be hijacked by the attacker. Some of the methods used are session fixation and session prediction. Usually, a valid session between the user and the server is taken over by the attacker.
* Attacks on Network Equipment including Routers: Network equipment is traditionally prone to default-password vulnerabilities because network administrators do not take sufficient care in resetting these passwords. The weakness of a router's network configuration is another point of vulnerability. In addition to the administrator passwords, some vendors have a so-called "back door" into their system for debugging purposes and to support the client in case an admin password is forgotten or lost. This back door could also be exploited if it is known to attackers.
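The Ping of Death and Teardrop entries in the DoS list above are both failures of IP fragment reassembly: the first pushes the reassembled datagram past the 65,535-byte limit, the second hands the stack fragments whose byte ranges overlap. What follows is an added example, not code from the book, of the checks a receiving stack (or an IDS preprocessor) performs before accepting a fragment set. Fragments are modelled as (offset in 8-byte units, more-fragments flag, payload) tuples, the header is assumed to be the minimal 20-byte IPv4 header, and the three fragment sets at the bottom are constructed, not captured.

```python
"""Fragment reassembly that rejects Ping of Death and Teardrop (added example, not from the book)."""

MAX_DATAGRAM = 65535   # RFC 791: Total Length is a 16-bit field
IP_HEADER_LEN = 20     # minimal IPv4 header, assumed for this model


class FragmentError(ValueError):
    """Raised when a fragment set must be discarded instead of reassembled."""


def reassemble(fragments):
    """Reassemble (offset_in_8_byte_units, more_fragments, payload) tuples of one
    datagram into its payload bytes. Rejects a fragment that would push the datagram
    past 65,535 bytes (Ping of Death), overlapping fragments (Teardrop), non-final
    fragments whose length is not a multiple of 8, holes, and a missing final fragment."""
    covered = []    # (start, end) byte ranges accepted so far
    pieces = {}     # start offset -> payload
    total = None    # end of the fragment with MF=0
    for off_units, more, payload in fragments:
        start = off_units * 8
        end = start + len(payload)
        if IP_HEADER_LEN + end > MAX_DATAGRAM:
            raise FragmentError(f"fragment ends at byte {end}: datagram would exceed "
                                f"{MAX_DATAGRAM} bytes (Ping of Death)")
        if (start, end) in covered and pieces[start] == payload:
            continue    # exact retransmitted duplicate: harmless, ignore it
        for s, e in covered:
            if start < e and s < end:
                raise FragmentError(f"fragment [{start},{end}) overlaps [{s},{e}) (Teardrop)")
        if more and len(payload) % 8:
            raise FragmentError("non-final fragment length must be a multiple of 8")
        if not more:
            if total is not None:
                raise FragmentError("more than one final fragment")
            total = end
        covered.append((start, end))
        pieces[start] = payload
    if total is None:
        raise FragmentError("no final fragment (MF=0) received")
    covered.sort()
    pos = 0
    for s, e in covered:          # the accepted ranges must tile [0, total) exactly
        if s != pos:
            raise FragmentError(f"hole at byte {pos}")
        pos = e
    if pos != total:
        raise FragmentError("data beyond the final fragment")
    return b"".join(pieces[s] for s, _ in covered)


def classify(fragments):
    """Label a fragment set: "ok", "ping-of-death", "teardrop" or "malformed"."""
    try:
        reassemble(fragments)
        return "ok"
    except FragmentError as exc:
        msg = str(exc)
        if "Ping of Death" in msg:
            return "ping-of-death"
        if "Teardrop" in msg:
            return "teardrop"
        return "malformed"


# Constructed fragment sets (not captured traffic).
NORMAL = [(0, True, b"A" * 1480), (185, False, b"B" * 100)]           # 1480 = 185 * 8
PING_OF_DEATH = [(0, True, b"A" * 1480), (8191, False, b"C" * 100)]   # 8191 * 8 = 65528
TEARDROP = [(0, True, b"A" * 24), (2, False, b"B" * 24)]              # second starts at byte 16

if __name__ == "__main__":
    for name, frags in (("normal", NORMAL), ("ping of death", PING_OF_DEATH), ("teardrop", TEARDROP)):
        print(f"{name}: {classify(frags)}")
```

Modern stacks apply exactly these bounds and overlap checks, which is why the original exploits no longer crash them; the checks still matter in anything that reassembles IP itself, such as an IDS, a userland TCP/IP stack, or embedded firmware.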
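The TCP SYN Flood entry above describes the half-open queue filling up with spoofed SYNs that are never acknowledged; RFC 4987, which the entry cites, describes SYN cookies as the standard server-side answer. The following is an added example, not code from the book or from any real TCP stack, that models both sides: a listener with a fixed backlog, the attacker's flood of spoofed SYNs, a legitimate client that completes the handshake, and the same listener with SYN cookies enabled. The cookie construction (24 bits of keyed MAC plus an 8-bit time counter) is a deliberately simplified version of the RFC 4987 scheme, and the addresses and timestamps are constructed.

```python
"""SYN flood against a bounded half-open queue, with and without SYN cookies (added example, not from the book)."""
import hashlib
import hmac
import secrets

MASK32 = 0xFFFFFFFF


class TcpListener:
    """Toy model of a listening socket; only the handshake state machine is modelled."""

    def __init__(self, backlog=128, syn_cookies=False):
        self.backlog = backlog
        self.syn_cookies = syn_cookies
        self.half_open = {}          # (src_ip, src_port) -> our ISN, waiting for the ACK
        self.established = set()
        self.dropped_syns = 0
        self._secret = secrets.token_bytes(32)   # real stacks rotate this periodically

    @staticmethod
    def _counter(now):
        return (now // 64) & 0xFF     # advances about once a minute

    def _cookie(self, src_ip, src_port, counter):
        # Simplified RFC 4987 cookie: keyed MAC over the peer identity and the time
        # counter, with the counter in the low 8 bits so it can be recovered from the ACK.
        msg = f"{src_ip}:{src_port}:{counter}".encode()
        mac = hmac.new(self._secret, msg, hashlib.sha256).digest()
        return (int.from_bytes(mac[:3], "big") << 8) | counter

    def on_syn(self, src_ip, src_port, now):
        """Incoming SYN. Returns our ISN for the SYN-ACK, or None if the SYN is dropped."""
        if self.syn_cookies:
            return self._cookie(src_ip, src_port, self._counter(now))   # nothing stored
        if len(self.half_open) >= self.backlog:
            self.dropped_syns += 1                                      # queue is full
            return None
        isn = secrets.randbits(32)
        self.half_open[(src_ip, src_port)] = isn
        return isn

    def on_ack(self, src_ip, src_port, ack_num, now):
        """Final ACK of the handshake. Returns True if the connection is established."""
        key = (src_ip, src_port)
        seq = (ack_num - 1) & MASK32          # the ISN the client claims to acknowledge
        if self.syn_cookies:
            counter = seq & 0xFF
            current = self._counter(now)
            if counter not in (current, (current - 1) & 0xFF):
                return False                  # cookie too old
            expected = self._cookie(src_ip, src_port, counter)
            if not hmac.compare_digest(seq.to_bytes(4, "big"), expected.to_bytes(4, "big")):
                return False                  # forged or replayed ACK
        else:
            isn = self.half_open.pop(key, None)
            if isn is None or isn != seq:
                return False
        self.established.add(key)
        return True


def simulate(syn_cookies, attack_syns=1000, backlog=128):
    """Flood the listener with spoofed SYNs that are never completed, then check
    whether a legitimate client can still connect and whether a forged ACK is refused."""
    srv = TcpListener(backlog=backlog, syn_cookies=syn_cookies)
    now = 1_700_000_000
    # Attacker: spoofed sources, each used once. The SYN-ACKs go to hosts that never
    # sent a SYN, so no ACK ever comes back and the entries sit in the queue.
    for i in range(attack_syns):
        srv.on_syn(f"198.51.100.{i % 254 + 1}", 1024 + i, now)
    # Legitimate client: SYN, receive SYN-ACK carrying isn, reply with ACK = isn + 1.
    isn = srv.on_syn("192.0.2.55", 40000, now + 1)
    legit = isn is not None and srv.on_ack("192.0.2.55", 40000, (isn + 1) & MASK32, now + 1)
    forged = srv.on_ack("192.0.2.66", 40001, 0x12345678, now + 1)   # ACK without a SYN
    return {"legit_connected": legit, "forged_ack_accepted": forged,
            "dropped": srv.dropped_syns, "half_open": len(srv.half_open)}


if __name__ == "__main__":
    print("backlog only :", simulate(syn_cookies=False))
    print("SYN cookies  :", simulate(syn_cookies=True))
```

With cookies on, the server keeps no state for a SYN, so the flood costs it one MAC per packet instead of a queue slot; the price, as RFC 4987 notes, is that TCP options negotiated in the lost SYN cannot be recovered from the cookie. On Linux the switch is the `net.ipv4.tcp_syncookies` sysctl.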
How to Counter the Network Attacks

The following measures can be taken to counter network attacks:

* Harden all network equipment with appropriate configurations and appropriate patching, including firmware updates
* Replace all default passwords with strong passwords
* Implement defense in depth to resist attacks like session hijacking
* Use safe session ID handling
* Set the session time-out as appropriate to the application and its risks
* Use unpredictable session ID generation logic
* Use encrypted, authenticated connections such as TLS (the successor to SSL) with digital certificates, and techniques like VPNs
* Do not store passwords or critical information in cookies
* Ensure that all software used, including utilities and tools, is patched and updated
* Set easy-to-understand and clear security policies
* Create awareness among employees of what can go wrong and what is expected of them (do's and don'ts)
* Do not use the same user name and password for all systems; use different ones
* Log out promptly after the work is over
* Ensure cookies, history, and offline content are removed after sensitive transaction sessions
* Do not click on links in suspect e-mails
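Several of the measures above (safe session ID handling, unpredictable ID generation, session time-outs, keeping secrets out of cookies) come together in one small piece of server code, and the same code is what defeats the session fixation and session prediction methods named under Session Hijacking. The following is an added example, not code from the book or from any web framework, of an in-memory session store that issues 256-bit random IDs, rotates the ID at login, enforces idle and absolute time-outs, and emits a cookie that carries nothing but the opaque ID. The time-out values, the user name and the timestamps are assumptions for the example.

```python
"""Safe session ID handling: unguessable IDs, rotation at login, time-outs (added example, not from the book)."""
import secrets

IDLE_TIMEOUT = 15 * 60           # seconds without activity before the session dies (assumed)
ABSOLUTE_TIMEOUT = 8 * 60 * 60   # hard lifetime regardless of activity (assumed)


class SessionStore:
    def __init__(self):
        self._sessions = {}      # sid -> {"user", "created", "last_seen"}

    @staticmethod
    def new_id():
        # 32 bytes from the OS CSPRNG: 256 bits of entropy. A counter, a timestamp or
        # a hash of the user name would be guessable and enable session prediction.
        return secrets.token_urlsafe(32)

    def create(self, now):
        """Anonymous pre-login session (a shopping cart, a CSRF token holder)."""
        sid = self.new_id()
        self._sessions[sid] = {"user": None, "created": now, "last_seen": now}
        return sid

    def get(self, sid, now):
        """Look up a session, expiring it if idle or too old. Returns None when invalid."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        if now - s["last_seen"] > IDLE_TIMEOUT or now - s["created"] > ABSOLUTE_TIMEOUT:
            del self._sessions[sid]
            return None
        s["last_seen"] = now
        return s

    def login(self, sid, user, now):
        """Bind a user to the session and rotate the ID. Any ID an attacker planted in the
        victim's browser before login (session fixation) stops working at this point."""
        if self.get(sid, now) is None:
            raise KeyError("unknown or expired session")
        del self._sessions[sid]
        new_sid = self.new_id()
        self._sessions[new_sid] = {"user": user, "created": now, "last_seen": now}
        return new_sid

    def logout(self, sid):
        self._sessions.pop(sid, None)


def set_cookie_header(sid):
    """The cookie carries only the opaque ID: HttpOnly keeps page scripts away from it,
    Secure keeps it off plaintext HTTP, SameSite=Strict blocks cross-site use."""
    return f"session={sid}; Path=/; HttpOnly; Secure; SameSite=Strict"


def fixation_attempt():
    """Attacker obtains a session ID and plants it in the victim's browser; the victim logs in.
    Returns (planted ID still valid after login, user bound to the rotated ID)."""
    store = SessionStore()
    t = 1_700_000_000
    planted = store.create(t)
    rotated = store.login(planted, "alice", t + 5)
    return store.get(planted, t + 6) is not None, store.get(rotated, t + 6)["user"]


def idle_timeout_demo():
    """Returns (valid exactly at the idle limit, expired once the limit is exceeded)."""
    store = SessionStore()
    t = 1_700_000_000
    sid = store.create(t)
    alive = store.get(sid, t + IDLE_TIMEOUT) is not None
    dead = store.get(sid, t + 2 * IDLE_TIMEOUT + 1) is None
    return alive, dead


if __name__ == "__main__":
    print("fixation: planted id valid after login?", fixation_attempt())
    print("idle timeout (alive at limit, dead after):", idle_timeout_demo())
    print(set_cookie_header(SessionStore.new_id()))
```

Rotating the ID on every privilege change (login, and again on re-authentication for sensitive actions) is the single control that makes a planted ID worthless; the time-outs bound how long a stolen ID stays useful, and the cookie flags narrow the ways it can be stolen in the first place.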
