Information Security

2013-11-13 Source: Category: More sample essays

1) Introduction:

Today, financial institutions like banks are facing enormous network security challenges. Attacks on critical information assets and infrastructure can seriously degrade an organization’s ability to do business. The most effective risk mitigation requires a solution that combines multiple trusted security technologies working in concert.

The growth of the Internet and increased reliance on electronic financial exchanges have enabled customers and employees to access account information and perform banking transactions between their branches, data centre and outlets. Unfortunately, this expanded access has also increased vulnerability to a host of ever-growing network security risks such as worm and virus outbreaks, information and identity theft, and distributed denial of service attacks. We need to protect the network from different forms of intrusion and malicious attack such as distributed denial of service (DDOS) attacks, worms, viruses, spyware, phishing, etc.

Information assets and infrastructure form the core of the modern enterprise. Networked enterprises benefit from increased business efficiency and effectiveness, as well as a sustainable competitive advantage. However, this dependence on the network exposes the organization to risk. The growing number of attacks on the network, in concert with the increasing sophistication of these attacks, poses serious risks to the core business. In today’s marketplace, businesses rely on the Internet for their productivity, efficiency, customer interaction, and financial success. At the same time, the Internet has become a source of network threats from benign to severe, including viruses, spyware, phishing, and other malicious threats.

2) Common Attack Types to consider:

Denial of Service (DOS/DDOS) - A denial of service attack is any attack used to achieve the disruption of any service to legitimate users.
DDOS is the ‘distributed’ form of such an attack, where many ‘Zombies’ that have been taken over by hackers launch simultaneous attacks to achieve a more effective denial of service attack.

Back Door - Any opening left in a functional piece of software that allows ‘unknown’ entry into the system/application without the owner’s knowledge. Many times, back doors are left in by the software creators.

Spoofing - Spoofing is a technique used to gain unauthorized access to computers. A hacker must first find an IP address of a trusted host. Once this information is obtained, the hacker can use it to make the recipient think that the hacker is the trusted sender. Please use the link I provided to investigate spoofing deeper. It is very important that you fully understand it.

Man in the Middle - A Man in the Middle attack is when an attacker is able to intercept traffic by placing themselves in the middle of the conversation. Man in the Middle attacks involve a malicious attacker intercepting communications and fooling both parties into believing they are communicating with each other when they are really being watched. The attacker can then do anything to the transmission they are now a part of, including eavesdropping or planting information. Wireless systems are very susceptible to this form of attack.

Replay - A Replay attack is when a hacker uses a sniffer to grab packets off the wire. After packets are captured, the hacker can simply extract information from the packets, like authentication information and passwords. Once the information is extracted, the captured data can be placed back on the network or replayed.

TCP/IP Hijacking - This is also called “Session Hijacking”. A hacker can take over a TCP session between two machines. A popular method is using source-routed IP packets.

DNS Poisoning - DNS Poisoning is when your DNS files are poisoned with bad information.
In other words, if you have an A record that points to a trusted host, a hacker can change it and point you in the wrong direction for malicious intent.

Weak Keys - Weak keys are secret keys with a certain value for which the block cipher in question will exhibit certain regularities in encryption or, in other cases, a poor level of encryption.

Mathematical - Mathematical (or Algebraic) attacks are a class of techniques that rely for their success on block ciphers exhibiting a high degree of mathematical structure.

Social Engineering - Most times hackers try to attack the actual ‘systems’ to exploit their weaknesses. Another form of attack is to exploit ‘end user’ weakness: exploiting the weakness of human nature to get someone to hand over their credentials to you through either peer pressure or trickery.

Birthday - A birthday attack is a name used to refer to a class of brute-force attacks. Please use the link provided to research this deeper. You have to understand hash functions and password cracking to fully understand this, and the link provided will do that.

Password Guessing - Password Guessing or ‘cracking’ is the attack on authentication credentials for any given system.

Brute Force - A form of Password Cracking. Brute Force attacks will try every single key combination known to crack your password. The only protection against them is to either have a key length too long to crack anytime in this lifetime, or change the password frequently.

Dictionary - A form of Password Cracking. The term ‘dictionary’ comes from the actual book of known words… this is transferred into a file and loaded into a tool to try to help a hacker to crack your password. The defense against this is to not use simple-to-guess and known dictionary words as passwords.

Software Exploitation - Attacks against a system’s bugs or flawed code.
Use Hot Fixes and Service Packs to fix them.

War Dialing - The process of running modem scanning tools against a PBX or any given dialup modem for the purpose of penetration. A war dialer is a computer program used to identify the phone numbers that can successfully make a connection with a computer modem. The program will dial a range of numbers you ask it to dial and will log failure and success ranges in a database.

War Driving - The process of using an attack tool to penetrate wireless systems from outside the facility where the wireless system sits. A wireless Ethernet card set to work in promiscuous mode is needed to War drive, and you will also need a powerful antenna if you are going to remain at a distance.

Buffer Overflow - Buffer Overflow attacks take advantage of poorly written code. If the code does not check the length of variable arguments, then it can be susceptible to this kind of attack.

SYN flood - SYN Flood attacks exploit the three-way handshaking mechanism of the TCP/IP protocol. A large number of half-opened connections is used to deny access to legitimate requestors.

Smurfing - Exploits ICMP. Performed by transmitting an echo request packet to a network’s broadcast address with a spoofed source address. The victim is then quickly overwhelmed by a large number of echo replies.

Sniffing - Sniffing attacks use protocol analyzers to capture network traffic for password and other data capture.

Ping of Death - Used to attempt to crash your system by sending oversized packets to a host. Ping of death can actually be run from older versions of Windows, Linux and Cisco routers. At a Windows command line, simply type: ping -l 65550 192.168.1.X. At a Linux command line, simply type: ping -s 65550 192.168.1.X

Port Scanning - Port Scanning is performed by running a vulnerability scanner on a system to see which ports are open.
The second half of the attack is to then exploit whatever you find via other attacks.

Chargen - A flaw with TCP port 19 where, if you connect via the port, you can run what’s called a Character Generator attack.

Fragment Attack - Exploits that target IP fragmentation and reassembly code are common. Numerous attacks have been performed upon the premise of overlapping fragments.

Malicious Content and Malware:

➢ Viruses - A Virus is a form of malicious code that spreads from system to system by infecting programs or files.
➢ Worms - A worm is a form of malicious code that replicates itself from computer to computer over the network due to network vulnerabilities.
➢ Trojans - A Trojan horse is a form of malicious code that you run because you think it is legitimate or safe. However, upon execution it becomes malicious and can be either annoying or destructive.
➢ Logic Bomb - A logic bomb is a form of malicious code that sits dormant until a certain time or action takes place. Once activated, it usually is destructive in nature.

3) Recent Attack Trends:

In the following lines, we give a brief overview of recent trends in network attacks that affect the ability of organizations (and individuals) to use the Internet safely.

Trend 1 – Automation (Speed of attack tools):

The level of automation in attack tools continues to increase. Automated attacks commonly involve four phases, each of which is changing.

➢ Scanning for potential victims - Widespread scanning has been common since 1997. Today, scanning tools are using more advanced scanning patterns to maximize impact and speed.
➢ Compromising vulnerable systems - Previously, vulnerabilities were exploited after a widespread scan was complete. Now, attack tools exploit vulnerabilities as a part of the scanning activity, which increases the speed of propagation.
➢ Propagate the attack - Before 2000, attack tools required a person to initiate additional attack cycles. Today, attack tools can self-initiate new attack cycles.
We have seen tools like Code Red and Nimda self-propagate to a point of global saturation in less than 18 hours.
➢ Coordinated management of attack tools - Since 1999, with the advent of distributed attack tools, attackers have been able to manage and coordinate large numbers of deployed attack tools distributed across many Internet systems. Today, distributed attack tools are capable of launching denial of service attacks more efficiently, scanning for potential victims and compromising vulnerable systems. Coordination functions now take advantage of readily available, public communications protocols such as Internet Relay Chat (IRC) and instant messaging (IM).

Trend 2 – Increasing sophistication of attack tools:

Attack tool developers are using more advanced techniques than previously. Attack tool signatures are more difficult to discover through analysis and more difficult to detect through signature-based systems such as antivirus software and intrusion detection systems. Three important characteristics are the anti-forensic nature, dynamic behavior, and modularity of the tools.

➢ Anti-forensics - Attackers use techniques that obfuscate the nature of attack tools. This makes it more difficult and time consuming for security experts to analyze new attack tools and to understand new and rapidly developing threats. Analysis often includes laboratory testing and reverse engineering.
➢ Dynamic behavior - Early attack tools performed attack steps in single defined sequences. Today’s automated attack tools can vary their patterns and behaviors based on random selection, predefined decision paths, or through direct intruder management.
➢ Modularity of attack tools - Unlike early attack tools that implemented one type of attack, tools now can be changed quickly by upgrading or replacing portions of the tool. This causes rapidly evolving attacks and, at the extreme, polymorphic tools that self-evolve to be different in each instance.
In addition, attack tools are more commonly being developed to execute on multiple operating system platforms.

As an example of the difficulties posed by sophisticated attack tools, many common tools use protocols like IRC or HTTP (Hypertext Transfer Protocol) to send data or commands from the intruder to compromised hosts. As a result, it has become increasingly difficult to distinguish attack signatures from normal, legitimate network traffic.

Trend 3 – Faster discovery of vulnerabilities:

The number of newly discovered vulnerabilities reported to the CERT/CC continues to more than double each year. It is difficult for administrators to keep up to date with patches. Additionally, new classes of vulnerabilities are discovered each year. Subsequent reviews of existing code for examples of the new vulnerability class often lead, over time, to the discovery of examples in hundreds of different software products. Intruders are often able to discover these exemplars before the vendors are able to correct them. Because of the trend toward the automated discovery of new vulnerabilities in technologies, the so-called “time to patch” is becoming increasingly small.

Trend 4 – Increasing permeability of firewalls:

Firewalls are often relied upon to provide primary protection from intruders. However, technologies are being designed to bypass typical firewall configurations, for example, IPP (the Internet Printing Protocol) and WebDAV (Web-based Distributed Authoring and Versioning). Some protocols marketed as being “firewall friendly” are, in reality, designed to bypass typical firewall configurations. Certain aspects of “mobile code” (ActiveX controls, Java, and JavaScript) make it difficult for vulnerable systems to be protected and malicious software to be discovered.

Trend 5 – Increasingly asymmetric threat:

Security on the Internet is, by its very nature, highly interdependent.
Each Internet system’s exposure to attack depends on the state of security of the rest of the systems attached to the global Internet. Because of the advances in attack technology, a single attacker can relatively easily employ a large number of distributed systems to launch devastating attacks against a single victim. As the automation of deployment and the sophistication of attack tool management both increase, the asymmetric nature of the threat will continue to grow.

Trend 6 – Increasing threat from infrastructure attacks:

Infrastructure attacks are attacks that broadly affect key components of the Internet. They are of increasing concern because of the number of organizations and users on the Internet and their increasing dependency on the Internet to carry out day-to-day business.
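Added example (not part of the original essay): the SYN flood entry above describes "a large number of half-opened connections", and this sketch shows how a defender can count them per listening port from handshake events. The event format, the function names, the 30-second timeout and the sample traffic are all assumptions constructed for illustration.

```python
from collections import defaultdict

def half_open_peaks(events, timeout=30.0):
    """Replay handshake events seen at a server and return, per destination
    port, the peak number of half-open (SYN seen, no final ACK) connections.

    events: (time_s, src_ip, src_port, dst_port, flag) with flag "S" = client
    SYN, "A" = client's final ACK, "R" = reset. timeout models the server
    giving up on an embryonic connection (30 s is an assumed value).
    """
    pending = {}                 # (src_ip, src_port, dst_port) -> SYN arrival time
    peaks = defaultdict(int)
    for ts, src, sport, dport, flag in sorted(events):
        # Forget embryonic connections the server would already have dropped.
        for key in [k for k, t0 in pending.items() if ts - t0 > timeout]:
            del pending[key]
        key = (src, sport, dport)
        if flag == "S":
            pending.setdefault(key, ts)      # a retransmitted SYN is not counted twice
        elif flag in ("A", "R"):
            pending.pop(key, None)           # handshake completed or aborted
        open_now = sum(1 for k in pending if k[2] == dport)
        peaks[dport] = max(peaks[dport], open_now)
    return dict(peaks)

def flooded_ports(events, threshold, timeout=30.0):
    """Ports whose half-open backlog reached the alert threshold."""
    peaks = half_open_peaks(events, timeout)
    return sorted(port for port, n in peaks.items() if n >= threshold)

def sample_events():
    """Constructed traffic using documentation address ranges."""
    events = []
    for i in range(3):           # normal clients: SYN, final ACK 50 ms later
        src = f"192.0.2.{10 + i}"
        events += [(float(i), src, 40000 + i, 443, "S"),
                   (i + 0.05, src, 40000 + i, 443, "A")]
    for i in range(20):          # 20 SYNs in 2 s that are never acknowledged
        events.append((5.0 + i * 0.1, f"198.51.100.{i + 1}", 50000 + i, 80, "S"))
    # One legitimate client after the stale entries have timed out.
    events += [(60.0, "192.0.2.99", 41000, 80, "S"),
               (60.05, "192.0.2.99", 41000, 80, "A")]
    return events

if __name__ == "__main__":
    print(half_open_peaks(sample_events()))
    print(flooded_ports(sample_events(), threshold=10))
```

The count is kept per destination port, not per source address, because the unanswered SYNs need not come from a single address.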
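Added example (not part of the original essay): the Ping of Death and Fragment Attack entries above both come down to what a receiver accepts at reassembly time, so this sketch validates one datagram's fragments for overlaps, gaps and a reassembled size above 65535 bytes. The names check_fragments and fragment, the 20-byte option-free header and the sample fragment lists are assumptions constructed for illustration.

```python
MAX_DATAGRAM = 65535   # largest total length a 16-bit IPv4 length field can express
IP_HEADER = 20         # assumption: IPv4 header without options

def check_fragments(frags):
    """Validate the fragments of ONE datagram before reassembly.

    frags: iterable of (offset_units, payload_len, more_fragments), where
    offset_units is the IPv4 Fragment Offset field (counted in 8-byte units).
    Returns a sorted list of reasons to drop the set; [] means it is clean.
    """
    spans = sorted((off * 8, off * 8 + length, mf) for off, length, mf in frags)
    reasons = set()
    covered = 0                                # payload bytes accounted for so far
    for start, end, more in spans:
        if more and (end - start) % 8:
            reasons.add("misaligned")          # only the final piece may be odd-sized
        if start < covered:
            reasons.add("overlap")             # two fragments claim the same bytes
        elif start > covered:
            reasons.add("gap")                 # a piece is missing
        covered = max(covered, end)
    if IP_HEADER + covered > MAX_DATAGRAM:
        reasons.add("oversize")                # longer than any legal IPv4 datagram
    last = [s for s in spans if not s[2]]
    if len(last) != 1 or last[0][1] != covered:
        reasons.add("bad-final")               # exactly one final fragment, at the end
    return sorted(reasons)

def fragment(payload_len, mtu_payload=1480):
    """Constructed helper: describe how payload_len bytes split at a 1500-byte MTU."""
    out, pos = [], 0
    while pos < payload_len:
        size = min(mtu_payload, payload_len - pos)
        out.append((pos // 8, size, pos + size < payload_len))
        pos += size
    return out

if __name__ == "__main__":
    # 65550 bytes of ping data (the size quoted in the essay) plus the 8-byte ICMP header.
    print(check_fragments(fragment(65550 + 8)))
    # Second fragment starts at byte 16, inside the first fragment's 24 bytes.
    print(check_fragments([(0, 24, True), (2, 24, False)]))
    print(check_fragments(fragment(4000)))
```

Each fragment of the 65558-byte payload is individually well-formed; only the running total across the set reveals that the reassembled datagram cannot be legal.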