Chapter 1

Introduction to Network Security

Chapter Objectives

After reading this chapter and completing the exercises, you will be able to do the following:

• Identify the most common dangers to networks.

• Understand basic networking.

• Employ basic security terminology.

• Find the best approach to network security for your organization.

• Evaluate the legal issues that will affect your work as a network administrator.

• Use resources available for network security.

Introduction

Finding a week without some major security breach in the news is difficult. University web servers hacked, government computers hacked, banks’ data compromised, health information exposed—the list goes on. It also seems as if each year brings more focus to this issue. Finding anyone in any industrialized nation who had not heard of things such as websites being hacked and identities stolen would be difficult.

More venues for training also exist now. Many universities offer Information Assurance degrees from the bachelor’s level up through the doctoral level. A plethora of industry certification training programs are available, including the CISSP, EC Council’s CEH, Mile2 Security, SANS, and CompTIA’s Security+. There are also now a number of universities offering degrees in cyber security, including distance learning degrees.

Despite this attention from the media and the opportunities to acquire security training, far too many computer professionals—including a surprising number of network administrators—do not have a clear understanding of the type of threats to which network systems are exposed, or which ones are most likely to actually occur. Mainstream media focuses attention on the most dramatic computer security breaches rather than giving an accurate picture of the most plausible threat scenarios.

This chapter looks at the threats posed to networks, defines basic security terminology, and lays the foundation for concepts covered in the chapters that follow. The steps required to ensure the integrity and security of your network are methodical and, for the most part, already outlined. By the time you complete this book, you will be able to identify the most common attacks, explain how they are perpetrated in order to prevent them, and understand how to secure your data transmissions.

The Basics of a Network

Before diving into how to protect your network, exploring what networks are would probably be a good idea. For many readers this section will be a review, but for some it might be new material. Whether this is a review for you, or new information, having a thorough understanding of basic networking before attempting to study network security is critical. Also, be aware this is just a brief introduction to basic networking concepts. Many more details are not explored in this section.

A network is simply a way for machines/computers to communicate. At the physical level, it consists of all the machines you want to connect and the devices you use to connect them. Individual machines are connected either with a physical connection (a category 5 cable going into a network interface card, or NIC) or wirelessly. To connect multiple machines together, each machine must connect to a hub or switch, and then those hubs/switches must connect together. In larger networks, each subnetwork is connected to the others by a router. We look at many attacks in this book (including several in Chapter 2, “Types of Attacks”) that focus on the devices that connect machines together on a network (that is, routers, hubs, and switches). If you find this chapter is not enough, this resource might assist you: http://compnetworking.about.com/od/basicnetworkingconcepts/Networking_Basics_Key_Concepts_in_Computer_Networking.htm.

Basic Network Structure

Some connection point(s) must exist between your network and the outside world. A barrier is set up between that network and the Internet, usually in the form of a firewall. Many attacks discussed in this book work to overcome the firewall and get into the network.

The real essence of networks is communication—allowing one machine to communicate with another. However, every avenue of communication is also an avenue of attack. The first step in understanding how to defend a network is having a detailed understanding of how computers communicate over a network.

The previously mentioned network interface cards, switches, routers, hubs, and firewalls are the fundamental physical pieces of a network. The way they are connected and the format they use for communication is the network architecture.

Data Packets

After you have established a connection with the network (whether it is physical or wireless), you need to send data. The first part is to identify where you want to send it. We will start off discussing IP version 4 addresses; we will look at IPv6 a bit later in this chapter. All computers (as well as routers) have an IP address that is a series of four numbers between 0 and 255 and separated by periods, such as 192.0.0.5 (note that this is an IPv4 address). The second part is to format the data for transmission. All data is ultimately in binary form (1s and 0s). This binary data is put into packets, all less than about 65,000 bytes. The first few bytes are the header. That header tells where the packet is going, where it came from, and how many more packets are coming as part of this transmission. There is actually more than one header, but for now, we will just discuss the header as a single entity. Some attacks that we will study (IP spoofing, for example) try to change the header of packets to give false information. Other methods of attack simply try to intercept packets and read the content (thus compromising the data).

A packet can have multiple headers. In fact, most packets will have at least three headers. The IP header has information such as IP addresses for the source and destination, as well as what protocol the packet is. The TCP header has information such as port number. The Ethernet header has information such as the MAC address for the source and destination. If a packet is encrypted with Transport Layer Security (TLS), it will also have a TLS header.
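To make the three headers concrete, here is an added Python example (not code from the book) that walks a constructed Ethernet/IPv4/TCP frame in exactly the order the text describes, outermost header first, and pulls out the MAC addresses, the IP addresses and protocol, the port numbers and TTL, and the application data that remains. The frame bytes are made up for the example: the MAC addresses are invented and the 192.0.2.x and 203.0.113.x addresses come from the documentation ranges, not from any real capture; the field layouts are the standard ones. The IPv4 header checksum is verified too, with the caveat that a checksum only catches corruption, not a spoofed source address, because a sender that rewrites the header also recomputes the checksum.

```python
import struct

# Constructed sample frame (not a real capture): Ethernet II + IPv4 (no options)
# + TCP (no options) + the first bytes of an HTTP request. IP addresses come from
# the RFC 5737 documentation ranges; the MAC addresses are made up.
SAMPLE_FRAME = bytes.fromhex(
    "001122334455"        # Ethernet: destination MAC
    "66778899aabb"        # Ethernet: source MAC
    "0800"                # Ethernet: EtherType 0x0800 = IPv4
    "45" "00"             # IP: version 4, header length 5 words (20 bytes); DSCP/ECN
    "0030"                # IP: total length 48 = 20 (IP) + 20 (TCP) + 8 (payload)
    "abcd" "4000"         # IP: identification; flags (DF set), fragment offset 0
    "40" "06"             # IP: TTL 64; protocol 6 = TCP
    "90f3"                # IP: header checksum (valid for the fields above)
    "c0000205"            # IP: source 192.0.2.5
    "cb007101"            # IP: destination 203.0.113.1
    "d431" "0050"         # TCP: source port 54321; destination port 80 (HTTP)
    "00000001"            # TCP: sequence number
    "00000000"            # TCP: acknowledgement number
    "5002"                # TCP: data offset 5 words (20 bytes); flags = SYN
    "2000" "0000" "0000"  # TCP: window, checksum (left unset in sample), urgent pointer
) + b"GET / HT"           # start of the application data (an HTTP request line)

TCP_FLAG_NAMES = ("FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR", "NS")


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 header checksum: one's-complement sum of 16-bit words, complemented.
    Run over a header that already contains its checksum, the result is 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                       # fold the carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ethernet(frame: bytes):
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    mac = lambda raw: ":".join(f"{b:02x}" for b in raw)
    return {"dst_mac": mac(dst), "src_mac": mac(src), "ethertype": ethertype}, frame[14:]


def parse_ipv4(data: bytes):
    (ver_ihl, _tos, total_len, ident, _flags_frag, ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", data[:20])
    ihl = (ver_ihl & 0x0F) * 4               # header length in bytes
    header = {
        "version": ver_ihl >> 4,
        "src": ".".join(map(str, src)),
        "dst": ".".join(map(str, dst)),
        "ttl": ttl,
        "protocol": proto,
        "id": ident,
        "checksum_ok": ipv4_checksum(data[:ihl]) == 0,  # detects corruption, not spoofing
    }
    return header, data[ihl:total_len]       # the IP payload (here, the TCP segment)


def parse_tcp(segment: bytes):
    (sport, dport, seq, ack, off_flags, window,
     _csum, _urg) = struct.unpack("!HHIIHHHH", segment[:20])
    data_offset = (off_flags >> 12) * 4      # upper 4 bits: header length in words
    bits = off_flags & 0x1FF                 # lower 9 bits: the flags
    header = {
        "src_port": sport, "dst_port": dport, "seq": seq, "ack": ack, "window": window,
        "flags": {name: bool(bits & (1 << i)) for i, name in enumerate(TCP_FLAG_NAMES)},
    }
    return header, segment[data_offset:]


def parse_frame(frame: bytes) -> dict:
    """Walk the three headers the chapter describes, outermost first."""
    eth, rest = parse_ethernet(frame)
    if eth["ethertype"] != 0x0800:
        raise ValueError("only IPv4 frames are handled in this example")
    ip, rest = parse_ipv4(rest)
    if ip["protocol"] != 6:
        raise ValueError("only TCP segments are handled in this example")
    tcp, payload = parse_tcp(rest)
    return {"ethernet": eth, "ip": ip, "tcp": tcp, "payload": payload}


if __name__ == "__main__":
    for layer, fields in parse_frame(SAMPLE_FRAME).items():
        print(layer, fields)
```

Each parse function hands the bytes that follow its own header to the next one, which is the encapsulation the OSI discussion later in the chapter formalizes: the Ethernet header is stripped to reveal the IP header, the IP header to reveal the TCP header, and what is left is the application data.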

IP Addresses

The first major issue to understand is how to get packets to their proper destination. Even a small network has many computers that could potentially be the final destination of any packet sent. The Internet has millions of computers spread out across the globe. How do you ensure that a packet gets to its proper destination? The problem is not unlike addressing a letter and ensuring it gets to the correct destination. Let’s begin by looking at IP version 4 addressing because it is the most common in use today, but this section also briefly discusses IP version 6.

An IP version 4 address is a series of four three-digit numbers separated by periods. (An example is 107.22.98.198.) Each of the three-digit numbers must be between 0 and 255. You can see that an address of 107.22.98.466 would not be a valid one. The reason for this rule is that these addresses are actually four binary numbers: The computer simply displays them to you in decimal format. Recall that 1 byte is 8 bits (1s and 0s), and an 8-bit binary number converted to decimal format will be between 0 and 255. The total of 32 bits means that approximately 4.2 billion possible IP version 4 addresses exist.

The IP address of a computer tells you a lot about that computer. The first byte (or the first decimal number) in an address tells you to what class of network that machine belongs. Table 1-1 summarizes the five network classes.

TABLE 1-1 Network Classes

Class | IP Range for the First Byte | Use
A | 0–126 | Extremely large networks. No Class A network IP addresses are left. All have been used.
B | 128–191 | Large corporate and government networks. All Class B IP addresses have been used.
C | 192–223 | The most common group of IP addresses. Your ISP probably has a Class C address.
D | 224–247 | These are reserved for multicasting (transmitting different data on the same channel).
E | 248–255 | Reserved for experimental use.

These five classes of networks will become more important later in this book (or should you decide to study networking on a deeper level). Observe Table 1-1 carefully, and you probably will discover that the IP range of 127 was not listed. This omission is because that range is reserved for testing. The IP address of 127.0.0.1 designates the machine you are on, regardless of that machine’s assigned IP address. This address is often referred to as the loopback address. That address will be used often in testing your machine and your NIC. We will examine its use a bit later in this chapter in the section on network utilities.

These particular classes are important as they tell you what part of the address represents the network and what part represents the node. For example, in a Class A address, the first octet represents the network, and the remaining three represent the node. In a Class B address, the first two octets represent the network, and the second two represent the node. And finally, in a Class C address, the first three octets represent the network, and the last represents the node.

There are also some very specific IP addresses and IP address ranges you should be aware of. The first, as previously mentioned, is 127.0.0.1, or the loopback address. It is another way of referring to the network interface card of the machine you are on.

Private IP addresses are another issue to be aware of. Certain ranges of IP addresses have been designated for use within networks. These cannot be used as public IP addresses but can be used for internal workstations and servers. Those IP addresses are

• 10.0.0.10 to 10.255.255.255

• 172.16.0.0 to 172.31.255.255

• 192.168.0.0 to 192.168.255.255

Sometimes people new to networking have some trouble understanding public and private IP addresses. A good analogy is an office building. Within a single office building, each office number must be unique. You can only have one 305. And within that building, if you discuss office 305 it is immediately clear what you are talking about. But there are other office buildings, many of which have their own office 305. You can think of private IP addresses as office numbers. They must be unique within their network, but there may be other networks with the same private IP.

Public IP addresses are more like traditional mailing addresses. Those must be unique worldwide. When communicating from office to office you can use the office number, but to get a letter to another building you have to use the complete mailing address. It is much the same with networking. You can communicate within your network using private IP addresses, but to communicate with any computer outside your network, you have to use public IP addresses.

One of the roles of a gateway router is to perform what is called network address translation (NAT). Using NAT, a router takes the private IP address on outgoing packets and replaces it with the public IP address of the gateway router so that the packet can be routed through the Internet.

We have already discussed IP version 4 network addresses; now let’s turn our attention to subnetting. If you are already familiar with this topic, feel free to skip this section. For some reason this topic tends to give networking students a great deal of trouble. So we will begin with a conceptual understanding. Subnetting is simply chopping up a network into smaller portions. For example, if you have a network using the IP address 192.168.1.X (X being whatever the address is for the specific computer), then you have allocated 255 possible IP addresses. What if you want to divide that into two separate subnetworks? Subnetting is how you do that.

More technically, the subnet mask is a 32-bit number that is assigned to each host to divide the 32-bit binary IP address into network and node portions. You also cannot just put in any number you want. The first value of a subnet mask must be 255; the remaining three values can be 255, 254, 252, 248, 240, 224, or 128. Your computer will take your network IP address and the subnet mask and use a binary AND operation to combine them.

It may surprise you to know that you already have a subnet mask even if you have not been subnetting. If you have a Class C IP address, then your network subnet mask is 255.255.255.0. If you have a Class B IP address, then your subnet mask is 255.255.0.0. And finally, if it is Class A, your subnet mask is 255.0.0.0.

Now think about these numbers in relationship to binary numbers. The decimal value 255 converts to 11111111 in binary. So you are literally “masking” the portion of the network address that is used to define the network, and the remaining portion is used to define individual nodes. Now if you want fewer than 255 nodes in your subnet, then you need something like 255.255.255.240 for your subnet. If you convert 240 to binary, it is 11110000. That means the first three octets and the first 4 bits of the last octet define the network. The last 4 bits of the last octet define the node. That means you could have as many as 1111 (in binary) or 15 (in decimal) nodes on this subnetwork. This is the basic essence of subnetting.

Subnetting only allows you to use certain, limited subnets. Another approach is CIDR, or classless interdomain routing. Rather than define a subnet mask, you have the IP address followed by a slash and a number. That number can be any number between 0 and 32, which results in IP addresses like these:

192.168.1.10/24 (basically a Class C IP address)

192.168.1.10/31 (much like a Class C IP address with a subnet mask)

When you use this, rather than having classes with subnets, you have variable-length subnet masking (VLSM) that provides classless IP addresses. This is the most common way to define network IP addresses today.
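Here is an added Python example (not from the book) that carries out the mechanics described in this section and in the earlier passages on address validity, classes and private ranges: it rejects an address with an octet over 255, derives the class and default mask from the first octet as in Table 1-1, ANDs an address with a subnet mask to separate the network and node portions (using the 255.255.255.240 case from the text), converts a CIDR prefix such as /24 or /31 to its mask, and checks an address against the private and loopback ranges. The specific addresses fed to it are made up. One caveat the code makes explicit: of the node values a mask leaves free, the all-zeros value names the network itself and the all-ones value is the broadcast address, so the number of hosts you can actually assign is two fewer than the number of node values.

```python
import ipaddress

# The three private blocks listed in the text (RFC 1918) and the loopback block.
PRIVATE_BLOCKS = [ipaddress.ip_network(n) for n in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LOOPBACK_BLOCK = ipaddress.ip_network("127.0.0.0/8")


def parse_ipv4(text: str):
    """Dotted quad -> 32-bit int, or None if any octet is outside 0-255
    (so 107.22.98.466 is rejected, as the chapter says it must be)."""
    parts = text.split(".")
    if len(parts) != 4 or not all(p.isdigit() and 0 <= int(p) <= 255 for p in parts):
        return None
    value = 0
    for p in parts:
        value = (value << 8) | int(p)
    return value


def to_dotted(value: int) -> str:
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def to_binary(value: int) -> str:
    """Octet-by-octet binary, the form in which the AND operation actually happens."""
    return ".".join(f"{(value >> shift) & 0xFF:08b}" for shift in (24, 16, 8, 0))


def prefix_to_mask(prefix: int) -> str:
    """CIDR /n -> dotted mask: n one-bits followed by (32 - n) zero-bits."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix length must be between 0 and 32")
    return to_dotted((0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF)


def classful_info(text: str) -> dict:
    """Class from the first octet (Table 1-1) and the default mask that class implies."""
    value = parse_ipv4(text)
    if value is None:
        raise ValueError(f"{text} is not a valid IPv4 address")
    first = value >> 24
    if first == 127:
        return {"class": "loopback", "prefix": None, "mask": None}
    if first <= 126:
        cls, prefix = "A", 8
    elif first <= 191:
        cls, prefix = "B", 16
    elif first <= 223:
        cls, prefix = "C", 24
    else:  # multicast / reserved: no network-node split applies
        return {"class": "D/E", "prefix": None, "mask": None}
    return {"class": cls, "prefix": prefix, "mask": prefix_to_mask(prefix)}


def split_address(text: str, mask_text: str) -> dict:
    """AND the address with the mask to get the network part; the rest is the node."""
    addr, mask = parse_ipv4(text), parse_ipv4(mask_text)
    if addr is None or mask is None:
        raise ValueError("invalid address or mask")
    ones = bin(mask).count("1")
    if parse_ipv4(prefix_to_mask(ones)) != mask:      # e.g. 255.255.255.250 is rejected
        raise ValueError("mask bits must be contiguous (255, 254, 252, ..., 128, 0)")
    host_bits = 32 - ones
    inverse = ~mask & 0xFFFFFFFF
    network = addr & mask
    return {
        "network": to_dotted(network),
        "network_binary": to_binary(network),
        "host": to_dotted(addr & inverse),
        "broadcast": to_dotted(network | inverse),
        "prefix": ones,
        "host_addresses": 2 ** host_bits,            # every node value, 0000..1111 for a /28
        "usable_hosts": max(2 ** host_bits - 2, 0),  # minus the network and broadcast values
    }


def split_cidr(text: str) -> dict:
    """The same split for CIDR notation such as 192.168.1.10/24."""
    addr_text, prefix = text.split("/")
    return split_address(addr_text, prefix_to_mask(int(prefix)))


def is_private(text: str) -> bool:
    addr = ipaddress.ip_address(text)
    return any(addr in block for block in PRIVATE_BLOCKS)


def is_loopback(text: str) -> bool:
    return ipaddress.ip_address(text) in LOOPBACK_BLOCK


if __name__ == "__main__":
    print(classful_info("107.22.98.198"))
    print(split_address("192.168.1.77", "255.255.255.240"))
    print(split_cidr("192.168.1.10/24"))
```

Printing the binary form of the network address is the quickest way to convince yourself what the mask does: with 255.255.255.240 the first 28 bits of 192.168.1.77 survive the AND and the last 4 bits (1101, the node value 13) are zeroed.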

You should not be concerned that new IP addresses are likely to run out soon. The IP version 6 standard is already available, and methods are in place already to extend the use of IPv4 addresses. The IP addresses come in two groups: public and private. The public IP addresses are for computers connected to the Internet. No two public IP addresses can be the same. However, a private IP address, such as one on a private company network, has to be unique only in that network. It does not matter if other computers in the world have the same IP address, because this computer is never connected to those other worldwide computers. Network administrators often use private IP addresses that begin with a 10, such as 10.102.230.17. The other private IP addresses are 172.16.0.0–172.31.255.255 and 192.168.0.0–192.168.255.255.

Also note that an ISP often will buy a pool of public IP addresses and assign them to you when you log on. So, an ISP might own 1,000 public IP addresses and have 10,000 customers. Because all 10,000 customers will not be online at the same time, the ISP simply assigns an IP address to a customer when he or she logs on, and the ISP un-assigns the IP address when the customer logs off.

IPv6 utilizes a 128-bit address (instead of 32) and utilizes a hex numbering method in order to avoid long addresses such as 132.64.34.26.64.156.143.57.1.3.7.44.122.111.201.5. The hex address format appears in the form of 3FFE:B00:800:2::C, for example. This gives you 2^128 possible addresses (many trillions of addresses), so no chance exists of running out of IP addresses in the foreseeable future.

There is no subnetting in IPv6. Instead, it only uses CIDR. The network portion is indicated by a slash followed by the number of bits in the address that are assigned to the network portion, such as

/48

/64

There is a loopback address for IPv6, and it can be written as ::/128. Other differences between IPv4 and IPv6 are described here:

• Link/machine-local.

  - IPv6 version of IPv4’s APIPA or Automatic Private IP Addressing. So if the machine is configured for dynamically assigned addresses and cannot communicate with a DHCP server, it assigns itself a generic IP address. DHCP, or Dynamic Host Configuration Protocol, is used to dynamically assign IP addresses within a network.

  - IPv6 link/machine-local IP addresses all start with fe80::. So if your computer has this address, that means it could not get to a DHCP server and therefore made up its own generic IP address.

• Site/network-local.

  - IPv6 version of IPv4 private address. In other words, these are real IP addresses, but they only work on this local network. They are not routable on the Internet.

  - All site/network-local IP addresses begin with FE and have C to F for the third hexadecimal digit: FEC, FED, FEE, or FEF.

• DHCPv6 uses the Managed Address Configuration Flag (M flag).

  - When set to 1, the device should use DHCPv6 to obtain a stateful IPv6 address.

• Other stateful configuration flag (O flag).

  - When set to 1, the device should use DHCPv6 to obtain other TCP/IP configuration settings. In other words, it should use the DHCP server to set things like the IP address of the gateway and DNS servers.
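The following added Python example (not from the book) uses the standard library's ipaddress module to show what the hex notation is abbreviating (the 3FFE:B00:800:2::C address from the text expanded to all 128 bits), to apply a /48 or /64 prefix, to classify link-local and site-local addresses by their leading bits, and to decode the M and O flags from the flags byte of an ICMPv6 Router Advertisement (the RFC 4861 layout, with M in the top bit and O in the next; the flag byte values fed in are constructed). One caveat worth keeping in mind when reading a host's configuration: every IPv6 interface carries a link-local fe80:: address at all times, alongside any address it obtained from DHCPv6 or stateless autoconfiguration, so what tells you whether address assignment succeeded is whether a non-link-local address is present as well.

```python
import ipaddress


def describe_ipv6(text: str) -> dict:
    """Expand a written IPv6 address to its full 128 bits and classify it."""
    addr = ipaddress.IPv6Address(text)
    return {
        "compressed": addr.compressed,       # short form; :: stands for a run of zero groups
        "exploded": addr.exploded,           # all eight 16-bit groups, 32 hex digits
        "loopback": addr.is_loopback,        # ::1
        "link_local": addr.is_link_local,    # fe80::/10, the self-assigned addresses in the text
        "site_local": addr.is_site_local,    # fec0::/10 (FEC, FED, FEE, FEF)
        "multicast": addr.is_multicast,      # ff00::/8
    }


def network_of(text: str, prefix: int) -> str:
    """Apply a CIDR prefix such as /48 or /64 and return the network portion."""
    return ipaddress.IPv6Interface(f"{text}/{prefix}").network.compressed


def ra_config_flags(flags_byte: int) -> dict:
    """Decode the M and O flags from the flags byte of a Router Advertisement
    (RFC 4861 layout assumed here: M is bit 7, O is bit 6)."""
    return {"M": bool(flags_byte & 0x80), "O": bool(flags_byte & 0x40)}


def address_source_hint(text: str) -> str:
    """What a defender can read off an address on its own. Every interface also has a
    link-local address, so check for a non-link-local one before concluding anything."""
    info = describe_ipv6(text)
    if info["loopback"]:
        return "loopback: the machine itself"
    if info["link_local"]:
        return "link-local: self-configured, reachable only on this link"
    if info["site_local"]:
        return "site-local: usable only inside this network, not routable on the Internet"
    if info["multicast"]:
        return "multicast group address"
    return "unicast: assigned by DHCPv6, stateless autoconfiguration or an administrator"


if __name__ == "__main__":
    print(describe_ipv6("3FFE:B00:800:2::C"))
    print(network_of("3FFE:B00:800:2::C", 64))
    print(ra_config_flags(0xC0), address_source_hint("fe80::1"))
```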

Uniform Resource Locators

For most people, the main purpose for getting on the Internet is web pages (but there are other things such as e-mail and file downloading). If you had to remember IP addresses and type those in, then surfing the Net would be cumbersome at best. Fortunately, you don’t have to. You type in domain names that make sense to humans and those get translated into IP addresses. For example, you might type in www.chuckeasttom.com to go to my website. Your computer, or your ISP, must translate the name you typed in (called a Uniform Resource Locator, or URL) into an IP address. The DNS (Domain Name Service) protocol, which is introduced along with other protocols a bit later in Table 1-2, handles this translation process. So you are typing in a name that makes sense to humans, but your computer is using a corresponding IP address to connect. If that address is found, your browser sends a packet (using the HTTP protocol) to TCP port 80. If that target computer has software that listens and responds to such requests (like web-server software such as Apache or Microsoft Internet Information Services), then the target computer will respond to your browser’s request and communication will be established. This method is how web pages are viewed. If you have ever received an Error 404: File Not Found, what you’re seeing is that your browser received back a packet (from the web server) with error code 404, denoting that the web page you requested could not be found. The web server can send back a series of error messages to your web browser, indicating different situations.

E-mail works the same way as visiting websites. Your e-mail client will seek out the address of your e-mail server. Then your e-mail client will use either POP3 to retrieve your incoming e-mail, or SMTP to send your outgoing e-mail. Your e-mail server (probably at your ISP or your company) will then try to resolve the address you are sending to. If you send something to [email protected], your e-mail server will translate that e-mail address into an IP address for the e-mail server at yahoo.com, and then your server will send your e-mail there. Note that newer e-mail protocols are out there; however, POP3 is still the most commonly used.

IMAP is now widely used as well. Internet Message Access Protocol operates on port 143. The main advantage of IMAP over POP3 is it allows the client to download only the headers to the machine, and then the user can choose which messages to fully download. This is particularly useful for smart phones.

MAC Addresses

MAC addresses are an interesting topic. (You might notice that MAC is also a sublayer of the data link layer of the OSI model.) A MAC address is a unique address for an NIC. Every NIC in the world has a unique address that is represented by a six-byte hexadecimal number. The Address Resolution Protocol (ARP) is used to convert IP addresses to MAC addresses. So, when you type in a web address, the DNS protocol is used to translate that into an IP address. The ARP protocol then translates that IP address into a specific MAC address of an individual NIC.

Protocols

Different types of communications exist for different purposes. The different types of network communications are called protocols. A protocol is, essentially, an agreed-upon method of communications. In fact, this definition is exactly how the word protocol is used in standard, non-computer usage. Each protocol has a specific purpose and normally operates on a certain port (more on ports in a bit). Table 1-2 lists some of the most important protocols.

TABLE 1-2 Logical Ports and Protocols

Protocol | Purpose | Port
FTP (File Transfer Protocol) | For transferring files between computers. | 20 & 21
SSH | Secure Shell. A secure/encrypted way to transfer files. | 22
Telnet | Used to remotely log on to a system. You can then use a command prompt or shell to execute commands on that system. Popular with network administrators. | 23
SMTP (Simple Mail Transfer Protocol) | Sends e-mail. | 25
WhoIS | A command that queries a target IP address for information. | 43
DNS (Domain Name Service) | Translates URLs into web addresses. | 53
tFTP (Trivial File Transfer Protocol) | A quicker, but less reliable form of FTP. | 69
HTTP (Hypertext Transfer Protocol) | Displays web pages. | 80
POP3 (Post Office Protocol Version 3) | Retrieves e-mail. | 110
NNTP (Network News Transfer Protocol) | Used for network news groups (Usenet newsgroups). You can access these groups over the web via www.google.com. | 119
NetBIOS | An older Microsoft protocol for naming systems on a local network. | 137, 138, 139
IRC (Internet Relay Chat) | Chat rooms. | 194
HTTPS (Hypertext Transfer Protocol Secure) | HTTP encrypted with SSL or TLS. | 443
SMB (Server Message Block) | Used by Microsoft Active Directory. | 445
ICMP (Internet Control Message Protocol) | These are simply packets that contain error messages, informational messages, and control messages. | No specific port

You should note that this list is not complete. Hundreds of other protocols exist, but for now discussing these will suffice. All of these protocols are part of a suite of protocols referred to as TCP/IP (Transmission Control Protocol/Internet Protocol). The most important thing for you to realize is that the communication on networks takes place via packets, and those packets are transmitted according to certain protocols, depending on the type of communication that is occurring. You might be wondering what a port is. Don’t confuse this type of port with the connections on the back of your computer, such as a serial port or parallel port. A port in networking terms is a handle, a connection point. It is a numeric designation for a particular pathway of communications. All network communication, regardless of the port used, comes into your computer via the connection on your NIC. You might think of a port as a channel on your TV. You probably have one cable coming into your TV but you can view many channels. You have one cable coming into your computer, but you can communicate on many different ports.

So the picture we’ve drawn so far of networks is one of machines connected to each other via cables, and perhaps to hubs/switches/routers. Networks transmit binary information in packets using certain protocols and ports. This is an accurate picture of network communications, albeit a simple one.

Basic Network Utilities

Now that you know what IP addresses and URLs are, you need to be familiar with some basic network utilities. You can execute some network utilities from a command prompt (Windows) or from a shell (Unix/Linux). Many readers are already familiar with Windows, so the text’s discussion will focus on how to execute the commands and discuss them from the Windows command-prompt perspective. However, it must be stressed that these utilities are available in all operating systems. This section covers the essential or common utilities.

ipconfig

The first thing you want to do is get information about your own system. To accomplish this fact-finding mission, you must get a command prompt. In Windows, you do this by going to the Start menu, selecting All Programs, and then choosing Accessories. You can also go to Start, Run, and type cmd to get a command prompt. In Windows 10 you go to Search and type cmd. Now you can type in ipconfig. (You could input the same command in Unix or Linux by typing in ifconfig from the shell.) After typing in ipconfig (ifconfig in Linux), you should see something much like Figure 1-1.

FIGURE 1-1 ipconfig (a command prompt window displaying information about the user's system)

This command gives you some information about your connection to a network (or to the Internet). Most importantly you find out your own IP address. The command also has the IP address for your default gateway, which is your connection to the outside world. Running the ipconfig command is a first step in determining your system’s network configuration. Most commands this text mentions, including ipconfig, have a number of parameters, or flags, that can be passed to the commands to make the computer behave in a certain way. You can find out what these commands are by typing in the command, followed by a space, and then typing in hyphen question mark: -?.

As you can see, you might use a number of options to find out different details about your computer’s configuration. The most commonly used method would probably be ipconfig/all, shown in Figure 1-2.

FIGURE 1-2 ipconfig/all (a command prompt window displaying the details of the user's system configuration)

You can see that this option gives you much more information. For example, ipconfig/all gives the name of your computer, when your computer obtained its IP address, and more.

ping

Another commonly used command is ping. ping is used to send a test packet, or echo packet, to a machine to find out whether the machine is reachable and how long the packet takes to reach the machine. This useful diagnostic tool can be employed in elementary hacking techniques. Figure 1-3 shows the command.

FIGURE 1-3 ping (a command prompt window displaying the replies to 32-byte echo packets)

This figure tells you that a 32-byte echo packet was sent to the destination and returned. The ttl means “time to live.” That time unit is how many intermediary steps, or hops, the packet should take to the destination before giving up. Remember that the Internet is a vast conglomerate of interconnected networks. Your packet probably won’t go straight to its destination. It will have to take several hops to get there. As with ipconfig, you can type in ping -? to find out various ways you can refine your ping.

tracert

The next command we will examine in this chapter is tracert. This command is a sort of “ping deluxe.” tracert not only tells you whether the packet got there and how long it took, but it also tells you all the intermediate hops it took to get there. (This same command can be executed in Linux or Unix, but there it is called traceroute rather than tracert.) You can see this utility in Figure 1-4.

FIGURE 1-4 tracert (a command prompt window listing the intermediate hops)

With tracert, you see the IP address of each intermediate hop listed, along with the time (in milliseconds) it took to reach that hop. Knowing the steps required to reach a destination can be very important. If you use Linux, the command is traceroute rather than tracert.

netstat

netstat is another interesting command. It is an abbreviation for Network Status. Essentially, this command tells you what connections your computer currently has. Don’t panic if you see several connections; that does not mean a hacker is in your computer. You will see many private IP addresses. This means your network has internal communication going on. You can see this in Figure 1-5.

Certainly, other utilities can be of use to you when working with network communications. However, the four we just examined are the core utilities. These four (ipconfig, ping, tracert, and netstat) are absolutely essential to any network administrator, and you can commit them to memory.

FIGURE 1-5 netstat (a command prompt window listing the active connections)
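As an added example that is not from the book, here is a Python script that does what an administrator does by eye with netstat output, run over a constructed sample of netstat -an lines (the local host, ports and remote addresses are made up; the external addresses come from the documentation ranges). It lists the listening ports, picks out established connections whose far end lies outside the private and loopback ranges the chapter lists, and flags any of those going to a port from Table 1-2 whose protocol sends data in the clear, which is the kind of connection that deserves a second look rather than a panic.

```python
import ipaddress

# Constructed sample of Windows "netstat -an" output (not taken from a real host).
# Local host 192.168.1.20; remote addresses use the RFC 5737 documentation ranges.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.168.1.20:49712     192.168.1.5:445        ESTABLISHED
  TCP    192.168.1.20:49801     203.0.113.7:443        ESTABLISHED
  TCP    192.168.1.20:49833     198.51.100.22:23       ESTABLISHED
  TCP    127.0.0.1:5354         127.0.0.1:49157        ESTABLISHED
  UDP    0.0.0.0:137            *:*
"""

# Ports from Table 1-2 whose protocols carry data unencrypted.
CLEARTEXT_PORTS = {21: "FTP", 23: "Telnet", 25: "SMTP", 80: "HTTP", 110: "POP3", 143: "IMAP"}

# Private (RFC 1918) and loopback ranges: traffic to these never leaves the network.
INTERNAL_BLOCKS = [ipaddress.ip_network(n) for n in
                   ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def split_endpoint(token: str):
    """'192.168.1.5:445' -> ('192.168.1.5', 445); the UDP wildcard '*:*' -> (None, None)."""
    host, _, port = token.rpartition(":")
    if host == "*" or port == "*":
        return None, None
    return host, int(port)


def parse_netstat(text: str) -> list:
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] not in ("TCP", "UDP"):
            continue                                   # skip headings and blank lines
        local_host, local_port = split_endpoint(fields[1])
        remote_host, remote_port = split_endpoint(fields[2])
        rows.append({
            "proto": fields[0],
            "local": (local_host, local_port),
            "remote": (remote_host, remote_port),
            "state": fields[3] if len(fields) > 3 else None,   # UDP rows carry no state
        })
    return rows


def is_internal(host) -> bool:
    if host is None:
        return True
    addr = ipaddress.ip_address(host)
    return any(addr in block for block in INTERNAL_BLOCKS)


def listening_ports(rows) -> set:
    """Ports this machine is waiting for connections on (the ones an attacker would probe)."""
    return {(r["proto"], r["local"][1]) for r in rows
            if r["state"] == "LISTENING" or (r["proto"] == "UDP" and r["remote"] == (None, None))}


def external_connections(rows) -> list:
    """Established connections whose far end is outside the private/loopback ranges."""
    return [r for r in rows if r["state"] == "ESTABLISHED" and not is_internal(r["remote"][0])]


def cleartext_external(rows) -> list:
    """External connections to ports whose protocol sends data in the clear."""
    return [(r["remote"][0], r["remote"][1], CLEARTEXT_PORTS[r["remote"][1]])
            for r in external_connections(rows) if r["remote"][1] in CLEARTEXT_PORTS]


if __name__ == "__main__":
    rows = parse_netstat(SAMPLE_NETSTAT)
    print("listening:", sorted(listening_ports(rows)))
    print("external:", [r["remote"] for r in external_connections(rows)])
    print("cleartext to the outside:", cleartext_external(rows))
```

On the sample, the connection to 192.168.1.5:445 is exactly the internal SMB chatter the text says not to panic about, the HTTPS connection to 203.0.113.7 is ordinary, and the Telnet session to 198.51.100.22 is the one line worth asking questions about, because whatever is typed into it crosses the Internet unencrypted.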

The OSI Model

The Open Systems Interconnect (OSI) model describes how networks communicate (see Table 1-3). It describes the various protocols and activities and tells how the protocols and activities relate to each other. This model is divided into seven layers. It was originally developed by the International Organization for Standardization (ISO) in the 1980s.

TABLE 1-3 The OSI Model

Layer | Description | Protocols
Application | This layer interfaces directly to applications and performs common application services for the application processes. | POP, SMTP, DNS, FTP, Telnet
Presentation | The presentation layer relieves the application layer of concern regarding syntactical differences in data representation within the end-user systems. | Telnet, Network Data Representation (NDR), Lightweight Presentation Protocol (LPP)
Session | The session layer provides the mechanism for managing the dialogue between end-user application processes. | NetBIOS
Transport | This layer provides end-to-end communication control. | TCP, UDP
Network | This layer routes the information in the network. | IP, ARP, ICMP
Data link | This layer describes the logical organization of data bits transmitted on a particular medium. The data link layer is divided into two sublayers: the Media Access Control layer (MAC) and the Logical Link Control layer (LLC). | SLIP, PPP
Physical | This layer describes the physical properties of the various communications media, as well as the electrical properties and interpretation of the exchanged signals. In other words, the physical layer is the actual NIC, Ethernet cable, and so forth. | IEEE 1394, DSL, ISDN

Many networking students memorize this model. At least memorizing the names of the seven layers and understanding basically what they each do is good. From a security perspective, the more you understand about network communications, the more sophisticated your defense can be. The most important thing for you to understand is that this model describes a hierarchy of communication. One layer communicates only with the layer directly above it or below it.

What Does This Mean for Security?

This book covers security from numerous angles, but ultimately only three venues exist for attack, and thus three venues for security (note this is not about attack vectors, of which there are many):

• The data itself: After data leaves your network, the packets are vulnerable for interception and even alteration. Later in this book, during the discussion of encryption and virtual private networks, you will learn how to secure this data. Data can also be attacked at rest, when stored on a computer.

• The network connection points: Whether it is the routers or the firewall, any place where one computer connects to another is a place that can be attacked, and one that must be defended. When looking at a system’s security, you should first look at the connectivity points.

• The people: People always pose a security risk. Either through ignorance, malicious intent, or simple error, people on a system can compromise the system’s security.

As you proceed through this book, don’t lose sight of the basic purpose, which is to secure networks and the data they store and transmit.

Assessing Likely Threats to the Network

Before you can explore the topic of computer security, you must first formulate a realistic assessment of the threats to those systems. The key word is realistic. Clearly one can imagine some very elaborate and highly technical potential dangers. However, as a network security professional, you must focus your attention—and resources—on the likely dangers. Before delving into specific threats, let’s get an idea of how likely attacks, of any type, are on your system.

In this regard, there seem to be two extreme attitudes toward computer security. The first viewpoint holds that little real danger or threat exists to computer systems and that much of the negative news is simply a reflection of unwarranted panic. People of this attitude often think that taking only minimal security precautions should ensure the safety of their systems. Unfortunately, some people in decision-making positions hold this point of view. The prevailing sentiment of these individuals is, “If our computer/organization has not been attacked so far, we must be secure.”

This viewpoint often leads to a reactive approach to computer security, meaning that people will wait until after an incident to decide to address security issues. Waiting to address security until an attack occurs might be too late. In the best of circumstances, the incident might have only a minor impact on the organization and serve as a much-needed wake-up call. In less fortunate cases, an organization might face serious, possibly catastrophic consequences. For example, some organizations did not have an effective network security system in place when the WannaCry ransomware worm hit their systems in May 2017. WannaCry spread by exploiting a Windows SMB flaw for which Microsoft had released a patch two months earlier, so systems that had been patched were not affected at all. Avoiding this laissez-faire approach to security is imperative.

Any organization that embraces this extreme—and erroneous—philosophy is likely to invest little time or resources in computer security. They might have a basic firewall and antivirus software, but most likely expend little effort ensuring that they are properly configured or routinely updated.

The second viewpoint is that every teenager with a laptop is a highly skilled hacker who can traverse your systems at will and bring your network to its knees. Think of hacking skill like military experience. Finding someone who was in the military is not too hard, but encountering a person who was in Delta Force or SEAL Team Six is rare. Although military experience is fairly common, high levels of special operations skills are not. The same is true with hacking skills. Finding individuals who know a few hacking tricks is easy. Finding truly skilled hackers is far less common.

In Practice

In the Real World

Whenever I am asked to perform some consulting or training task, I get to see a number of diverse network environments. From this experience, I have developed the opinion that a disturbingly large segment of the business world takes a very lax approach to computer security. Following are a few examples of behavior that indicate (to me) a lax view toward security:

images Companies that do not have any type of intrusion-detection system (IDS, covered in Chapter 5, “Intrusion-Detection Systems”)

images Companies that have inadequate antivirus/anti-spyware (covered in Chapter 10, “Defending Against Trojan Horses, Spyware, and Adware”)

images Companies that have unsecured backup media (see the discussion in Chapter 11, “Security Policies”)

images Companies with no plan for implementing patches (discussed in Chapter 8, “Operating System Hardening”)

These are just a few examples of organizations that are not addressing network security in an appropriate manner.

At the other end of the spectrum, some executives overestimate security threats. They assume that very talented hackers exist in great numbers and that all of them are an imminent threat to their system. They might believe that virtually any teenager with a laptop can traverse highly secure systems at will. This viewpoint has, unfortunately, been fostered by a number of movies that depict computer hacking in a somewhat glamorous light. Such a worldview makes excellent movie plots, but is simply unrealistic. The reality is that many people who call themselves hackers are less knowledgeable than they think. Systems protected by even moderate security precautions have a low probability of being compromised by a hacker of this skill level.

This does not mean that skillful hackers do not exist. They most certainly do. However, people with the skill to compromise relatively secure systems must use rather time-consuming and tedious techniques to breach system security. These hackers must also weigh the costs and benefits of any hacking mission. Skilled hackers tend to target systems that have a high benefit, either financially or ideologically. If a system is not perceived as having sufficient benefit, a skilled hacker is less likely to expend the resources to compromise it. Burglars are one good analogy: Certainly, highly skilled burglars exist; however, they typically seek high-value targets. The thief who targets small businesses and homes usually has limited skills. The same is true of hackers.

FYI: Skilled Versus Unskilled Hackers

Skilled hackers usually target only highly attractive sites. Attractive sites offer valuable information or publicity. Military computers—even simple web servers with no classified information—offer a great deal of publicity. Banks, on the other hand, generally have very valuable information. Novice hackers usually start with a low-value system, which is consequently often a less secure one. Low-value systems might not have any data of substantial value or offer much publicity. A college web server would be a good example. Although novice hackers’ skills are not as well developed, their numbers are greater. Also, monetary gain is not the only factor that might make a system attractive to a skilled hacker. If a hacker objects to an organization’s ideological stance (for example, if an organization sells large sport utility vehicles that the hacker feels is poor environmental policy), then she might target its system.

Both extreme attitudes regarding the dangers to computer systems are inaccurate. It is certainly true that people exist who have both the comprehension of computer systems and the skills to compromise the security of many, if not most, systems. However, it is also true that many who call themselves hackers are not as skilled as they claim. They have ascertained a few buzzwords from the Internet and are convinced of their own digital supremacy, but they are not able to effect any real compromises to even a moderately secure system.

You might think that erring on the side of caution, or extreme diligence, would be the appropriate approach. In reality, you do not need to take either extreme view. You should take a realistic view of security and formulate practical strategies for defense. Every organization and IT department has finite resources: You only have so much time and money. If you squander part of those resources guarding against unrealistic threats, then you might not have adequate resources left for more practical projects. Therefore, a realistic approach to network security is the only practical approach.

You might be wondering why some people overestimate dangers to their networks. The answer, in part at least, lies with the nature of the hacking community and with the media. Media outlets have a tendency to sensationalize. You don’t get good ratings by downplaying danger; you get them by emphasizing, and perhaps outright exaggerating. Also, the Internet is replete with people claiming significant skill as hackers. As with any field of human endeavor, the majority is merely average. The truly talented hacker is no more common than the truly talented concert pianist. Consider how many people take piano lessons at some point in their lives, and then consider how many of those ever truly become virtuosos.

The same is true of computer hackers. Keep in mind that even those who do possess the requisite skill also need the motivation to expend the time and effort necessary to compromise your system. Keep this fact in mind when considering any claims of cyber prowess you might encounter.

The claim that many people who describe themselves as hackers lack real skill is not based on any study or survey. A reliable study on this topic would be impossible because hackers are unlikely to identify themselves and submit to skills tests. I came to this conclusion based on two considerations:

images The first is simply years of experience traversing hacker discussion groups, chat rooms, and bulletin boards. In more than two decades of work in this field, I have encountered talented and highly skilled hackers, yet I encounter far more who claim to be hackers but clearly demonstrate a lack of sufficient skill. I have also been a frequent speaker at hacking conferences, including DEF CON, and have published in hacking magazines such as 2600. I have had the opportunity to interact extensively with the hacking community.

images The second is that it is a fact of human nature that the vast majority of people in any field are, by definition, mediocre. Consider the millions of people who work out at a gym on a regular basis, and consider how few ever become competitive body builders. In any field, most participants will be mediocre. That is not meant as a derogatory statement; it is just a fact of life.

This statement is also not meant to minimize the dangers of hacking. That is not my intent at all. Even an unskilled novice who tries to intrude on a system can get in if appropriate security precautions are absent. Even if the would-be hacker does not successfully breach security, he can still be quite a nuisance. Additionally, some forms of attack don’t require much skill at all. We discuss these later in this book.

A more balanced view (and therefore, a better way to assess the threat level to any system) is to weigh the attractiveness of a system to potential intruders against the security measures in place. As you shall see, the greatest threat to any system is not actually hackers. Viruses and other attacks are far more prevalent. Threat assessment is a complex task with multiple facets.

Classifications of Threats

Your network certainly faces real security threats, and these threats can manifest themselves in a variety of forms. There are a variety of ways one might choose to classify the various threats to your system. You could choose to classify them by the damage caused, the level of skill required to execute the attack, or perhaps even by the motivation behind the attack. For our purposes we categorize attacks by what they actually do. Based on that philosophy, most attacks can be categorized as one of three broad classes:

images Intrusion

images Blocking

images Malware

Figure 1-6 shows the three categories. The intrusion category includes any attempt to breach security and gain unauthorized access to a system. This is generally what hackers do. The second category of attack, blocking, includes attacks designed to prevent legitimate access to a system. Blocking attacks are often called denial of service attacks (or simply DoS). In these types of attacks the purpose is not to actually get into your system but simply to block legitimate users from gaining access.

[Figure: a PC with three arrows pointing at it, labeled Intrusion, Blocking, and Malware]

FIGURE 1-6 Types of attacks

FYI: What About Other Attacks?

Chapter 2 covers attacks such as buffer overflows that can be used for more than one category. For example, a buffer overflow can be used to shut down a machine, thus making it a blocking attack, or it can be used to breach system security, making it an intrusion attack. However, once it’s implemented, it will be in one category or the other.

The third category of threats is the installation of malware on a system. Malware is a generic term for software that has a malicious purpose. It includes virus attacks, Trojan horses, and spyware. Because this category of attack is perhaps the most prevalent danger to systems, we examine it first.

Malware

Malware is probably the most common threat to any system, including home users’ systems, small networks, and large enterprise wide-area networks. One reason is that malware is often designed to spread on its own, without the creator of the malware having to be directly involved. This makes this sort of attack much easier to spread across the Internet, and hence more widespread.

The most obvious example of malware is the computer virus. You probably have a general idea of what a virus is. If you consult different textbooks you will probably see the definition of a virus worded slightly differently. One definition for a virus is “a program that can ‘infect’ other programs by modifying them to include a possibly evolved copy of itself.” That is a very good definition, and one you will see throughout this book. A computer virus is analogous to a biological virus in that both replicate and spread. One of the most common methods for spreading a virus is using the victim’s e-mail account to send the virus to everyone in his address book. Some viruses do not deliberately harm the infected system itself, but the traffic generated as they replicate still causes network slowdowns or shutdowns.

In Practice

Real Viruses

The original MyDoom worm is discussed in detail in Chapters 2 and 9. MyDoom.BB is a variant of MyDoom that began to spread early in 2005. This particular worm appears on your hard drive as either java.exe or services.exe. This is an important thing to learn about malware. Many samples try to appear as legitimate system files, thus discouraging you from deleting them. The giveaway is usually the location rather than the name: the real services.exe lives in the Windows system directory, so a file of that name in a user’s temporary folder deserves suspicion. There have been many viruses since that time, including well-known examples such as Stuxnet, Flame, WannaCry, and many others.

This particular worm sends itself out to everyone in your address book, thus spreading quite rapidly. This worm attempts to download a backdoor program giving the attacker access to your system.
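The masquerading described above can be turned into a simple check. The following is an added example (not code from the book): it takes a process listing as (name, path) pairs and flags any entry whose name is a well-known Windows system binary but whose directory is not where that binary is installed. The table of expected directories and the sample process list are constructed for the example.

```python
from pathlib import PureWindowsPath

# Where a handful of well-known Windows binaries legitimately live.  This table
# is an illustrative assumption for the example, not an authoritative inventory;
# a real deployment would build it from the organization's golden images.
EXPECTED_DIRS = {
    "services.exe": {r"C:\Windows\System32"},
    "lsass.exe":    {r"C:\Windows\System32"},
    "svchost.exe":  {r"C:\Windows\System32", r"C:\Windows\SysWOW64"},
    "explorer.exe": {r"C:\Windows", r"C:\Windows\SysWOW64"},
}


def suspicious_processes(processes):
    """processes: iterable of (image_name, full_path) pairs.

    Returns the pairs whose image name matches a known system binary but whose
    parent directory is not one of the directories that binary is expected in.
    Names not in the table are not judged at all (no opinion, not "clean")."""
    hits = []
    for name, path in processes:
        expected = EXPECTED_DIRS.get(name.lower())
        if expected is None:
            continue
        parent = str(PureWindowsPath(path).parent).lower()
        if parent not in {d.lower() for d in expected}:
            hits.append((name, path))
    return hits


# Constructed process listing: two legitimate system processes, one MyDoom-style
# services.exe in a temp folder, and an svchost.exe copy in ProgramData.
SAMPLE_PROCS = [
    ("services.exe", r"C:\Windows\System32\services.exe"),
    ("services.exe", r"C:\Users\chuck\AppData\Local\Temp\services.exe"),
    ("java.exe",     r"C:\Windows\java.exe"),        # not in the table: not judged here
    ("svchost.exe",  r"C:\Windows\SysWOW64\svchost.exe"),
    ("SVCHOST.EXE",  r"C:\ProgramData\svchost.exe"),
]

if __name__ == "__main__":
    for name, path in suspicious_processes(SAMPLE_PROCS):
        print(f"suspicious: {name} running from {path}")
```

The check is deliberately narrow: it says nothing about names it does not know (java.exe is not a Windows system binary, so a copy under C:\Windows is not caught by this rule), and a sample that overwrites the genuine file in place would pass it. It catches the cheap trick the sidebar describes, which is a copy dropped somewhere the attacker can write.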

From a technological point of view, this worm was most interesting for how it extracts e-mail addresses. It should be noted that the worm uses a much improved algorithm for e-mail address recognition. Now it can catch such e-mail addresses as

images [email protected]

images chuck-at-domain-dot-com

These addresses are translated by the worm to the usable format. Many other e-mail extraction engines are foiled by these sorts of e-mail address permutations (which is why they are used).
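To make the point about address permutations concrete, here is an added example (not the worm’s code, and not code from the book) of the kind of recognition logic an address-harvesting engine needs: it rewrites spelled-out separators such as “-at-”, “(at)”, “[dot]” and “ DOT ” back into “@” and “.”, then pulls addresses out of the result. The sample text it runs over is constructed for the example. Knowing how cheaply this is done is the reason the “chuck-at-domain-dot-com” style of obfuscation should not be relied on to keep an address out of a harvester’s hands.

```python
import re

# Word-boundary-safe "at" / "dot" tokens.  Each may be wrapped in (), [], {} or
# <> and surrounded by spaces or hyphens, so "-at-", " (at) ", "[dot]" and
# " DOT " all match, while the "at" inside "data" or "bob_at" does not.
_SEP = r"[\s\-]*"
_OPEN, _CLOSE = r"[\(\[\{<]?", r"[\)\]\}>]?"


def _token(word: str) -> re.Pattern:
    return re.compile(
        _SEP + _OPEN + _SEP + r"(?<!\w)" + word + r"(?!\w)" + _SEP + _CLOSE + _SEP,
        re.IGNORECASE,
    )


_AT_TOKEN = _token("at")
_DOT_TOKEN = _token("dot")

# Deliberately loose address pattern: a harvester wants recall, not precision.
_EMAIL = re.compile(r"[A-Za-z0-9._%+\-]+@[A-Za-z0-9.\-]+\.[A-Za-z]{2,}")


def deobfuscate(text: str) -> str:
    """Rewrite spelled-out separators back into '@' and '.'."""
    text = _AT_TOKEN.sub("@", text)
    return _DOT_TOKEN.sub(".", text)


def harvest(text: str) -> list[str]:
    """Return the unique addresses found in text, obfuscated or not, in order."""
    seen, found = set(), []
    for addr in _EMAIL.findall(deobfuscate(text)):
        addr = addr.lower()
        if addr not in seen:
            seen.add(addr)
            found.append(addr)
    return found


# Constructed sample: three obfuscation styles, one plain address, and a
# sentence containing the word "at" that must not become an address.
SAMPLE = (
    "Contact chuck-at-domain-dot-com or chuck (at) domain (dot) com.\n"
    "Press: Alice [AT] example [DOT] org; sales@example.org. I was at the store."
)

if __name__ == "__main__":
    print(harvest(SAMPLE))
```

The boundary checks matter in both directions: without them “data at rest” would still be rewritten, and with a looser rule the “at” inside “bob_at@example.com” would be replaced and corrupt a valid address. The plain-English “I was at the store” is rewritten to “was@the store”, but it never passes the final address pattern because no top-level domain follows.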

Another type of malware, often closely related to the virus, is the Trojan horse. The term is borrowed from the ancient tale. In this tale, the city of Troy was besieged for a long period of time, but the attackers could not gain entrance. They constructed a huge wooden horse and left it one night in front of the gates to Troy. The next morning, the residents of Troy saw the horse and assumed it to be a gift, consequently rolling the wooden horse into the city. Unbeknownst to them, several soldiers were hidden inside the horse. That evening, the soldiers left the horse, opened the city gates, and let their fellow attackers into the city. An electronic Trojan horse works in the same manner, appearing to be benign software but secretly downloading a virus or some other type of malware onto your computer from within. In short, you have an enticing gift that you install on your computer, and later find it has unleashed something quite different from what you expected. Trojan horses are especially likely to be found in illicit software. There are many places on the Internet to get pirated copies of commercial software. Finding that such software is actually part of a Trojan horse is not at all uncommon.

Trojan horses and viruses are the two most widely encountered forms of malware. A third category of malware is spyware, which is increasing in frequency at a dramatic pace. Spyware is software that literally spies on what you do on your computer. At the low end of this spectrum is the tracking cookie. A cookie is a small text file that a website asks your browser to store on your hard drive; the browser sends it back to that same site on later visits so the site can recognize you, which can let you reach pages more quickly and save you from re-entering your information on sites you visit frequently. Browsers only return a cookie to the domain that set it, so one website cannot read another website’s cookie. Tracking across sites works differently: an advertising or analytics network embedded on many sites sets its own (third-party) cookie once, and every site that embeds that network reports your visit back to it. In this way a single third party can assemble much of your browsing history even though no site reads another site’s cookie.

Another form of spyware, called a key logger, records all of your keystrokes. Some also take periodic screen shots of your computer. Data is then either stored for retrieval later by the party who installed the key logger or is sent immediately back via e-mail. In either case, every single thing you do on your computer is recorded for the interested party.

FYI: Key Loggers

Although we defined a key logger as software, note that hardware-based key loggers do indeed exist. Hardware-based key loggers are much less common than software-based key loggers. The reason for this is that software key loggers are easier to place on a targeted machine. Hardware key loggers require you to physically go to the machine and install hardware. If the key logger is being installed without the computer user’s knowledge, then installing a physical device can be quite difficult. A software key logger can be installed via a Trojan horse with the perpetrator not even being in the same city as the target computer.

Compromising System Security—Intrusions

One could make the argument that any sort of attack is aimed at compromising security. However, intrusions are those attacks that are actually trying to intrude into the system. They are different from attacks that simply deny users access to the system (blocking), or attacks that are not focused on a particular target such as viruses and worms (malware). Intrusion attacks are designed to gain access to a specific targeted system and are commonly referred to as hacking, although that is not the term hackers themselves use. Hackers call this type of attack cracking, which means intruding onto a system without permission, usually with malevolent intent. Any attack designed to breach security, either via some operating system flaw or any other means, can be classified as cracking. As you progress through this book you will encounter a few specific methods for intruding on a system. In many cases, if not most, the idea is to exploit some software flaw to gain access to the target system.

Using security flaws is not the only method for intruding into a system. In fact, some methods can be technologically much easier to execute. For example, one method that does not rely on technology at all is social engineering, which, as the name implies, relies on human nature rather than on technical flaws. This was the type of attack that the famous hacker Kevin Mitnick most often used. Social engineering uses standard con artist techniques to get users to offer up the information needed to gain access to a target system. The way this method works is rather simple. The perpetrator obtains preliminary information about a target organization, such as the name of its system administrator, and leverages it to gain additional information from the system’s users. For example, he might call someone in accounting and claim to be one of the company’s technical support personnel. The intruder could use the system administrator’s name to validate that claim. He could then ask various questions to learn additional details about the system’s specifications. A savvy intruder might even get a person to provide a username and password. As you can see, this method is based on how well the intruder can manipulate people and actually has little to do with computer skills.

Social engineering and exploiting software flaws are not the only means of executing an intrusion attack. The growing popularity of wireless networks gives rise to new kinds of attacks. The most obvious and dangerous activity is war-driving. This type of attack is an offshoot of war-dialing. With war-dialing, a hacker sets up a computer to call phone numbers in sequence until another computer answers, then tries to gain entry to that system. War-driving applies much the same concept to locating vulnerable wireless networks. In this scenario, a hacker simply drives around trying to locate wireless networks. Many people forget that their wireless network signal often extends 100 feet or more, well past the walls of the building. At DEF CON 2003, the annual hackers’ convention, contestants participated in a war-driving contest in which they drove around the city trying to locate as many vulnerable wireless networks as they could.

Denial of Service

The third category of attacks is blocking attacks, an example of which is the denial of service attack (DoS). In this attack, the attacker does not actually access the system, but rather simply blocks access to the system from legitimate users. In the words of the CERT (Computer Emergency Response Team) Coordination Center (the first computer security incident response team), “A ‘denial-of-service’ attack is characterized by an explicit attempt by attackers to prevent legitimate users of a service from using that service.” One often-used blocking method is flooding the targeted system with so many false connection requests that it cannot respond to legitimate requests. DoS is an extremely common attack method, second only to malware.
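The flood of false connection requests described above has a recognizable signature in TCP: many SYNs from one source in a short time, almost none of which go on to complete the three-way handshake. The following is an added example (not code from the book) of detection logic run over constructed connection records; the record format, thresholds, and addresses are assumptions made for the example, not the output of any particular tool.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Syn:
    ts: float        # seconds since the start of the capture window
    src: str         # client address that sent the SYN
    completed: bool  # did the client finish the handshake (ACK after SYN-ACK)?


def peak_syns(timestamps, window_s):
    """Largest number of SYNs from one source inside any window_s-second span."""
    ts = sorted(timestamps)
    best = j = 0
    for i in range(len(ts)):
        while j < len(ts) and ts[j] - ts[i] <= window_s:
            j += 1
        best = max(best, j - i)
    return best


def flag_syn_flooders(syns, window_s=10.0, min_syns=20, max_completion=0.2):
    """Return {src: (peak_syns, completion_ratio)} for sources that look like
    a SYN flood: a burst of SYNs of which very few become real connections.

    Both conditions are required so that a busy but honest client (many
    connections, all completed) is not flagged."""
    by_src = defaultdict(list)
    for s in syns:
        by_src[s.src].append(s)
    flagged = {}
    for src, rows in by_src.items():
        peak = peak_syns([r.ts for r in rows], window_s)
        ratio = sum(r.completed for r in rows) / len(rows)
        if peak >= min_syns and ratio <= max_completion:
            flagged[src] = (peak, round(ratio, 2))
    return flagged


# Constructed sample: a normal client, a flooder, and a busy proxy.
SAMPLE = (
    [Syn(ts=i * 2.0, src="10.0.0.5", completed=True) for i in range(5)]             # 5 real connections over 10 s
    + [Syn(ts=i * 0.1, src="203.0.113.7", completed=(i % 25 == 0)) for i in range(50)]  # 50 SYNs in 5 s, 2 complete
    + [Syn(ts=i * 0.2, src="198.51.100.9", completed=True) for i in range(40)]      # 40 SYNs in 8 s, all complete
)

if __name__ == "__main__":
    for src, (peak, ratio) in flag_syn_flooders(SAMPLE).items():
        print(f"{src}: {peak} SYNs in window, {ratio:.0%} completed")
```

The completion ratio is what separates a flood from a legitimate burst: the proxy at 198.51.100.9 sends twice the SYN threshold but completes every handshake, so it is left alone, while 203.0.113.7 completes 4% of its attempts. In practice the source address of a flood is often spoofed, so the output is a list of addresses to rate-limit or drop at the edge rather than a list of attackers to pursue.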

Likely Attacks

We have been examining various possible threats to a network. Clearly, some threats are more likely to occur than others. What are the realistic dangers facing individuals and organizations? What are the most likely attacks, and what are common vulnerabilities? Understanding the basics of existing threats and the likelihood that they will cause problems for users and organizations is important.

FYI: Likelihood of Attacks

The likelihood of a particular attack depends on the type of organization the network serves. The data presented here is applicable to most network systems. Clearly, a number of factors (including how much publicity a system gets and the perceived value of the data on that system) influence the likelihood of an attack targeting a particular system. Always err on the side of caution when estimating the threats to your network.

The most likely threat to any computer or network is the computer virus. For example, in just the month of October 2017, McAfee listed 31 active viruses (https://home.mcafee.com/virusinfo/virus-calendar). Each month, several new virus outbreaks are typically documented. New viruses are constantly being created, and old ones are still out there.

Note that many people do not update their antivirus software as often as they should. The evidence for this is that many of the viruses spreading around the Internet already have countermeasures released, but people are simply not applying them. Therefore, even when a virus is known and protection against it exists, it can continue to thrive because many people do not update their protection or clean their systems regularly. If all computer systems and networks had regularly updated security patches and employed virus-scanning software, a great many virus outbreaks would be avoided altogether, or their effects would at least be minimized.

Blocking has become the most common form of attack besides viruses. As you will learn later in this book, blocking attacks are easier to perpetrate than intrusions and therefore occur more often. A resourceful hacker can find tools on the Internet to help her launch a blocking attack. You will learn more about blocking attacks, as well as malware, in Chapter 2.

Regardless of the nature of the computer crime, the fact is that cyber crimes are prevalent. A 2016 survey of computer crime found that 32% of organizations have been affected by cyber crime, with some experiencing losses in excess of $5 million. Only 37% of respondents have a fully operational incident response plan.

In Practice

What Is “Misuse of Systems”?

Employers and employees often view misuse of a system differently. All systems at a workplace are the property of the employer. Computers, hard drives, even e-mail are all the property of the employer. United States law has consistently maintained that employers have a right to monitor employees’ web usage and even e-mail.

Most organizations have policies that strictly forbid use of computer equipment for any purpose other than work. The Internet connection is restricted to work-related use, not for reading the headlines on the web. Some companies do not mind if an employee uses the Internet for personal purposes during lunch. From a security perspective, administrators must be concerned about the websites employees visit. Are they downloading Flash animations? Are they downloading their own screen savers? Anything that is downloaded is a potential threat to a system. Even without downloading, the possibility exists that websites are tracking information about users and their computers. From a security perspective, the less information about your network someone outside the organization has, the better. Any piece of information is potentially useful to a hacker.

As you will learn in Chapter 4, “Firewall Practical Applications,” many firewall solutions allow administrators to block certain websites, a feature many use. At a minimum, companies should have a very clearly defined policy that describes exactly which activities are permissible and which are not. Any ambiguity in your policies can cause problems later. You can learn more about defining and implementing security policies in Chapter 11.

Threat Assessment

When attempting to assess the threat level for an organization, administrators must consider a number of factors. The first has already been mentioned: The attractiveness of the system to hackers. Some systems attract hackers due to the systems’ monetary value. The systems of financial institutions provide tempting targets for hackers. Other systems attract hackers because of the public profile of the organizations they support. Hackers are attracted to government systems and computer security websites simply because of their high profiles. If a hacker successfully gets into one of those systems, he will achieve fame and prestige in the hacker community. Academic institutions also receive a high frequency of hacking attempts. High schools and colleges have a large population of younger, computer-savvy students. The number of hackers and would-be hackers among such a group is likely to be higher than in the general populace. Additionally, academic institutions do not have a good reputation for information security.

The second risk factor is the nature of the information on the system. If the system has sensitive or critical information, then its security requirements are higher. Personal data such as Social Security numbers, credit card numbers, and medical records have a high security requirement. Systems with sensitive research data or classified information have even higher security needs.

A final consideration is traffic to the system. The more people who have some sort of remote access to the system, the more security dangers exist. For example, a number of people access e-commerce systems from outside the network. Each of these connections represents a danger. If, on the other hand, a system is self-contained with no external connections, its security vulnerabilities are reduced.

Considering the attractiveness of the system to hackers, the nature of the information the system stores, and the number of remote connections to your system together allows administrators to provide a complete assessment of security needs.

The following numerical scale can provide a basic overview of a system’s security requirements.

Three factors are considered (attractiveness, information content, and security devices present). Each of those factors is given a numeric designation between 1 and 10. The first two are added together, and then the third number is subtracted. The final score ranges from –8 (very low risk, high security) to 19 (very high risk, low security); the lower the number the less vulnerable the system, the higher the number the greater the risk. The best rating is for a system that

images Receives a 1 in attractiveness to hackers (that is, a system that is virtually unknown, has no political or ideological significance, etc.).

images Receives a 1 in informational content (that is, a system that contains no confidential or sensitive data).

images Receives a 10 in security (that is, a system with an extensive layered, proactive security system complete with firewalls, ports blocked, antivirus software, IDS, antispyware, appropriate policies, all workstations and servers hardened, etc.).
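The scale just described is simple enough to automate, and doing so makes it useful for ranking several systems rather than scoring one. The following is an added example (not code from the book): it implements the chapter’s formula exactly (attractiveness plus information content minus security, each rated 1 to 10, giving −8 to 19), rejects out-of-range ratings, and orders a set of systems by score. The example systems and their ratings are constructed for illustration.

```python
def risk_score(attractiveness: int, information: int, security: int) -> int:
    """The chapter's scale: attractiveness + information content - security,
    each rated 1..10, giving a result from -8 (best case) to 19 (worst case)."""
    for label, value in (("attractiveness", attractiveness),
                         ("information", information),
                         ("security", security)):
        if not isinstance(value, int) or not 1 <= value <= 10:
            raise ValueError(f"{label} must be an integer from 1 to 10, got {value!r}")
    return attractiveness + information - security


def prioritize(systems: dict[str, tuple[int, int, int]]) -> list[tuple[str, int]]:
    """Rank systems from highest risk to lowest so that finite time and money
    go to the top of the list.  systems maps a name to
    (attractiveness, information, security)."""
    scored = [(name, risk_score(*ratings)) for name, ratings in systems.items()]
    # Highest score first; ties broken by name so the order is stable.
    return sorted(scored, key=lambda pair: (-pair[1], pair[0]))


# Constructed ratings for a small company; the numbers are illustrative only.
SAMPLE_SYSTEMS = {
    "public web server":    (4, 2, 7),   # known to the world, little sensitive data, reasonably hardened
    "HR database":          (3, 9, 5),   # obscure, but full of personal data, middling controls
    "lab workstation":      (1, 1, 10),  # unknown, nothing sensitive, locked down: the -8 floor
    "unpatched file share": (6, 8, 2),   # widely shared, sensitive documents, almost no controls
}

if __name__ == "__main__":
    for name, score in prioritize(SAMPLE_SYSTEMS):
        print(f"{score:>3}  {name}")
```

One caveat the arithmetic hides: because the three factors are simply added, a point of “security” offsets a point of sensitivity one for one, so a file share full of personnel records with a score of 12 and a locked-down public server with the same score read as equally urgent. The ranking is a starting point for the conversation about where to spend effort, not a substitute for it.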

Evaluating attractiveness is certainly quite subjective. However, evaluating the value of informational content or the level of security can be done with rather crude but simple metrics. This system will be reiterated and then further expanded in Chapter 12, “Assessing System Security.”

Obviously, this evaluation system is not an exact science and is contingent to some extent on a personal assessment of a system. This method does, however, provide a starting point for assessing a system’s security but is certainly not the final word in security metrics.

Understanding Security Terminology

When studying the field of computer security, you must be cognizant of the fact that this discipline is an overlap of security professionals and amateur hackers. As such, the field combines terminology from both domains. This book’s Glossary will be a useful reference tool throughout this course.

Hacking Terminology

Let’s begin by examining hacker terminology. Note that this terminology is not precise, and that many definitions can be debated. No “official” hacker vocabulary exists. The terms evolve through their use by the hacker community. Clearly, beginning this examination by defining hacker, a term used in movies and news broadcasts, would be prudent. Most people use it to describe any person who breaks into a computer system. However, security professionals and hackers themselves use this term differently. In the hacking community a hacker is an expert on a particular system or systems who wants to learn more about the system. Hackers feel that looking at a system’s flaws is the best way to learn about it.

For example, someone well-versed in the Linux operating system who works to understand that system by learning its weaknesses and flaws would be a hacker. However, this does often mean seeing whether a flaw can be exploited to gain access to a system. This “exploiting” part of the process is where hackers differentiate themselves into three groups:

images White hat hackers, upon finding a vulnerability in a system, report the vulnerability to the vendor of that system. For example, if they were to discover some flaw in Red Hat Linux, they would contact Red Hat (usually through the vendor’s published security contact) and explain what the flaw is and how it was exploited.

images Black hat hackers are the people normally depicted in the media (e.g., movies and news). After they gain access to a system, their goal is to cause some type of harm. They might steal data, erase files, or deface websites. Black hat hackers are sometimes referred to as crackers.

images Gray hat hackers are typically law-abiding citizens, but in some cases will venture into illegal activities. They might do so for a wide variety of reasons. Commonly, gray hat hackers conduct illegal activities for reasons they feel are ethical, such as hacking into a system belonging to a corporation that the hacker feels is engaged in unethical activities. Note that this term is not found in many textbooks, but is a commonly used term in the hacking community itself.

Regardless of how hackers view themselves, intruding on any system without permission is illegal. This means that, technically speaking, all hackers, regardless of the color of the metaphorical hat they wear, are in violation of the law. However, many people feel that white hat hackers actually perform a service by finding flaws and informing vendors before those flaws are exploited by less ethically inclined individuals.

The various shades of hackers are only the beginning of learning hacker terminology. Recall that a hacker is an expert in a given system. If so, what is the term for someone who calls herself a hacker but lacks expertise? The most common term for an inexperienced hacker is script kiddy. The name derives from the fact that the Internet is full of utilities and scripts that one can download to perform some hacking tasks. Someone who downloads these tools without really understanding the target system would be considered a script kiddy. A significant number of the people who call themselves hackers are, in reality, merely script kiddies.

This discussion brings us to some specific types of hackers. A cracker is someone whose goal is to compromise a system’s security for purposes other than to learn about the system. No difference exists between a black hat hacker and a cracker. Both terms refer to a person who breaks through a system’s security and intrudes on that system without permission from the appropriate parties, with some malicious intent.

When and why would someone give permission to another party to hack/crack a system? The most common reason is to assess the system’s vulnerabilities. This is yet another specialized type of hacker—the ethical hacker or sneaker (an older term, not often used these days), a person who legally hacks/cracks a system in order to assess security deficiencies. In 1992, Robert Redford, Dan Aykroyd, and Sidney Poitier starred in a movie about this very subject, named Sneakers. Consultants exist who perform work of this type, and you can even find firms that specialize in this activity as more and more companies solicit these services to assess their vulnerabilities. Today, these are usually called penetration testers (or simply pen testers). And the profession has matured since the first edition of this book.

A word of caution for readers either considering becoming or hiring a pen tester: Any person hired to assess the vulnerabilities of a system must be both technically proficient and morally sound. This means that a criminal background check should be done before engaging his/her services. You certainly would not hire a convicted burglar as your night watchman. Neither should you consider hiring someone with any criminal background, especially in computer crimes, as a penetration tester/ethical hacker. Some people might argue that a convicted hacker/cracker has the best qualifications to assess your system’s vulnerabilities. This is simply not the case, for several reasons:

• You can find legitimate security professionals who know and understand hacker skills but have never committed any crime. You can get the skills required to assess your system without using a consultant with a demonstrated lack of integrity.

• If you take the argument that hiring convicted hackers means hiring talented people to its logical conclusion, you could surmise that the person in question is not as good a hacker as he would like to think, because he was caught.

• Most importantly, giving a person with a criminal background access to your systems is comparable to hiring a person with multiple DWI convictions as your driver. In both cases you are inviting problems and, perhaps, assuming significant civil and criminal liabilities.

A thorough review of a penetration tester’s qualifications is also recommended. Just as some people falsely claim to be highly skilled hackers, there are those who will falsely claim to be skilled pen testers. An unqualified pen tester might pronounce your system sound when in fact it was a lack of skill that prevented him from successfully breaching your security. Chapter 12 covers the basics of assessing a target system as well as the necessary qualifications of any consultant hired for this purpose.

Another specialized branch of hacking involves breaking into telephone systems. This sub-specialty of hacking is referred to as phreaking. The New Hacker’s Dictionary actually defines phreaking as “The action of using mischievous and mostly illegal ways in order to not pay for some sort of telecommunications bill, order, transfer, or other service” (Raymond, 2003). Phreaking requires a rather significant knowledge of telecommunications, and many phreakers have some professional experience working for a phone company or other telecommunications business. This type of activity is often dependent upon specific technology required to compromise phone systems more than simply knowing certain techniques. For example, certain devices are used to compromise phone systems. Phone systems are often dependent on frequencies. (If you have a touchtone phone, you will notice that, as you press the keys, each has a different frequency.) Machines that record and duplicate certain frequencies are often essential to phone phreaking.

Security Terminology

Security professionals have specific terminology as well. Readers with any training or experience in network administration are probably already familiar with most of these terms. Although most hacking terminology describes either the activity or the person performing it (phreaking, sneaker, etc.), much of the security terminology you will learn in this book deals with devices and policies. This is quite logical because hacking is an offensive activity centered on attackers and attack methodologies, and security is a defensive activity concerned with defensive barriers and procedures.

The first and most basic security device is the firewall. A firewall is a barrier between a network and the outside world. Sometimes a firewall is a stand-alone server, sometimes a router, and sometimes software running on a machine. Whatever its physical form, the purpose is the same: to filter traffic entering and exiting a network. Firewalls are related to, and often used in conjunction with, a proxy server. A proxy server hides your internal network IP addresses and presents a single IP address (its own) to the outside world.

Firewalls and proxy servers are added to networks to provide basic perimeter security. They filter traffic entering and leaving the network but do not affect traffic that stays within the network. Sometimes these devices are augmented by an intrusion-detection system (IDS). An IDS monitors traffic looking for suspicious activity that might indicate an attempted intrusion.

Access control is another important computer security term that will be of particular interest to you in several of the later chapters. Access control is the aggregate of all measures taken to limit access to resources. This includes logon procedures, encryption, and any method that is designed to prevent unauthorized personnel from accessing a resource. Authentication is clearly a subset of access controls, perhaps the most basic security activity. Authentication is simply the process of determining whether the credentials given by a user or another system, such as a username and password, are authorized to access the network resource in question. When a user logs in with a username and password, the system attempts to authenticate that username and password. If they are authenticated, the user will be granted access.

Non-repudiation is another term you encounter frequently in computer security. It is any technique that is used to ensure that someone performing an action on a computer cannot falsely deny that they performed that action. Non-repudiation provides reliable records of which user took a particular action at a specific time. In short, it comprises the methods used to track which actions are taken by which user. Various system logs provide one method for non-repudiation. One of the most important security activities is auditing. Auditing is the process of reviewing logs, records, and procedures to determine whether they meet standards. This activity is discussed throughout this book and is the focus of Chapter 12. Auditing is essential because checking that systems have appropriate security in place is the only way to ensure system security.

Least privilege is a concept you should keep in mind when assigning privileges to any user or device. The concept is that you assign only the minimum privileges required for that person to do his job, no more. Keep this simple but critical concept in mind.

You should also keep in mind the CIA triangle, or Confidentiality, Integrity, and Availability. All security measures should affect one or more of these areas. For example, hard drive encryption and good passwords help protect confidentiality. Digital signatures help ensure integrity, and a good backup system, or network server redundancy, can support availability.

An entire book could be written on computer security terminology. These few terms you have been introduced to here are ubiquitous and being familiar with them is important. Some of the exercises at the end of this chapter will help you expand your knowledge of computer security terminology. You might also find these links helpful:

• https://niccs.us-cert.gov/glossary (National Initiative for Cybersecurity Careers and Studies Glossary)

• https://www.sans.org/security-resources/glossary-of-terms/ (SANS Institute Glossary of Security Terms)

• http://nvlpubs.nist.gov/nistpubs/ir/2013/NIST.IR.7298r2.pdf (NIST Glossary of Key Information Security Terms)

FYI: Auditing and Penetration Testing

The process a penetration tester uses is really just a special type of audit. You might wonder what the difference is between penetration testing and auditing. The distinction between a normal audit and pen testing lies in the methodology. Audits usually involve checking compliance with regulations, laws, and standards, whereas penetration tests actually attempt to breach the system in order to assess security. The traditional audit consists of reviewing logs, checking system settings, and ensuring that the security meets some arbitrary standard. Penetration testers simply try to break into the system. If they can, they then document how they did it, and how you can prevent someone else from doing the same.

Choosing a Network Security Approach

Organizations can choose from several approaches to network security. A particular approach, or paradigm, will influence all subsequent security decisions and set the tone for the entire organization’s network security infrastructure. Network security paradigms can be classified by either the scope of security measures taken (perimeter, layered) or how proactive the system is.

Perimeter Security Approach

In a perimeter security approach, the bulk of security efforts are focused on the perimeter of the network. This focus might include firewalls, proxy servers, password policies, and any technology or procedure that makes unauthorized access of the network less likely. Little or no effort is made to secure the systems within the network. In this approach, the perimeter is secured, but the various systems within that perimeter are often vulnerable.

This perimeter approach is clearly flawed. So why do some companies use it? A small organization might use the perimeter approach if it has budget constraints or inexperienced network administrators. This method might be adequate for small organizations that do not store sensitive data, but it rarely works in a larger corporate setting.

Layered Security Approach

A layered security approach is one in which not only is the perimeter secured, but individual systems within the network are also secured. All servers, workstations, routers, and hubs within the network are secured. One way to accomplish this is to divide the network into segments and secure each segment as if it were a separate network so that, if perimeter security is compromised, not all internal systems are affected. Layered security is the preferred approach whenever possible.

You should also measure your security approach by how proactive and/or reactive it is. You do this by gauging how much of the system’s security infrastructure and policies is dedicated to preventive measures as opposed to how much is devoted to simply responding to an attack after it has occurred.

A passive security approach takes few or no steps to prevent an attack. Conversely, a dynamic security approach, or proactive defense, is one in which steps are taken to prevent attacks before they occur. One example of a proactive defense is the use of an IDS, which works to detect attempts to circumvent security measures. These systems can tell a system administrator that an attempt to breach security has been made, even if that attempt is not successful. An IDS can also be used to detect various techniques intruders use to assess a target system, thus alerting a network administrator to the potential for an attempted breach before the attempt is even initiated.
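The following is an added example, not from the book, of the two things the paragraph says an IDS surfaces that a passive approach would miss: reconnaissance (one source probing many ports) and failed attempts (repeated authentication failures), plus the case where a success follows those attempts. The log format, the thresholds, and the sample lines are assumptions constructed for this example.

```python
"""Minimal IDS-style detector run over constructed firewall/auth log lines."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log format (constructed for this example):
#   <ISO timestamp> <ALLOW|DENY|AUTHFAIL|AUTHOK> <src> <dst> <port-or-user>
LOG_RE = re.compile(r"^(\S+) (ALLOW|DENY|AUTHFAIL|AUTHOK) (\S+) (\S+) (\S+)$")

# Constructed sample: 203.0.113.9 probes seven ports in four seconds (all denied),
# 198.51.100.7 fails three logins as admin and then succeeds, 10.0.0.20 is normal.
SAMPLE_LOG = """\
2024-05-01T10:00:00 ALLOW 10.0.0.20 10.0.0.5 443
2024-05-01T10:00:01 DENY 203.0.113.9 10.0.0.5 21
2024-05-01T10:00:01 DENY 203.0.113.9 10.0.0.5 22
2024-05-01T10:00:02 DENY 203.0.113.9 10.0.0.5 23
2024-05-01T10:00:02 DENY 203.0.113.9 10.0.0.5 25
2024-05-01T10:00:03 DENY 203.0.113.9 10.0.0.5 80
2024-05-01T10:00:03 DENY 203.0.113.9 10.0.0.5 443
2024-05-01T10:00:04 DENY 203.0.113.9 10.0.0.5 3389
2024-05-01T10:00:05 AUTHOK 10.0.0.20 10.0.0.5 alice
2024-05-01T10:01:00 AUTHFAIL 198.51.100.7 10.0.0.5 admin
2024-05-01T10:01:20 AUTHFAIL 198.51.100.7 10.0.0.5 admin
2024-05-01T10:01:40 AUTHFAIL 198.51.100.7 10.0.0.5 admin
2024-05-01T10:02:00 AUTHOK 198.51.100.7 10.0.0.5 admin
2024-05-01T10:03:00 ALLOW 10.0.0.20 10.0.0.5 443
this line is malformed on purpose and is skipped by the parser
"""


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, event, src, dst, detail = m.groups()
    return {"ts": datetime.fromisoformat(ts), "event": event,
            "src": src, "dst": dst, "detail": detail}


def detect(lines, scan_ports=5, scan_window=timedelta(seconds=30),
           fail_limit=3, fail_window=timedelta(minutes=2)):
    """Return a list of (kind, src, reason) alerts, one per source per kind.

    RECON: a source touched >= scan_ports distinct ports inside scan_window.
    FAILED_ATTEMPTS: >= fail_limit AUTHFAIL from one source inside fail_window.
    SUCCESS_AFTER_ATTEMPTS: AUTHOK from a source already flagged above.
    Thresholds are assumed values chosen for the sample, not tuned defaults.
    """
    alerts = []
    port_hits = defaultdict(deque)   # src -> deque of (ts, port) in window
    fails = defaultdict(deque)       # src -> deque of AUTHFAIL timestamps
    flagged = set()                  # sources that already raised an alert

    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        src, ts = ev["src"], ev["ts"]

        if ev["event"] in ("ALLOW", "DENY"):
            hits = port_hits[src]
            hits.append((ts, ev["detail"]))
            while hits and ts - hits[0][0] > scan_window:   # slide the window
                hits.popleft()
            distinct = {port for _, port in hits}
            if len(distinct) >= scan_ports and ("RECON", src) not in flagged:
                flagged.add(("RECON", src))
                alerts.append(("RECON", src,
                               f"{len(distinct)} distinct ports in "
                               f"{int(scan_window.total_seconds())}s"))

        elif ev["event"] == "AUTHFAIL":
            f = fails[src]
            f.append(ts)
            while f and ts - f[0] > fail_window:
                f.popleft()
            if len(f) >= fail_limit and ("FAILED_ATTEMPTS", src) not in flagged:
                flagged.add(("FAILED_ATTEMPTS", src))
                alerts.append(("FAILED_ATTEMPTS", src,
                               f"{len(f)} failed logins in "
                               f"{int(fail_window.total_seconds())}s"))

        elif ev["event"] == "AUTHOK":
            # A success from an already-suspicious source is the case that
            # matters most; an unflagged source logging in is normal traffic.
            if any(kind_src[1] == src for kind_src in flagged):
                alerts.append(("SUCCESS_AFTER_ATTEMPTS", src,
                               f"login as {ev['detail']} after earlier alerts"))

    return alerts


if __name__ == "__main__":
    for kind, src, reason in detect(SAMPLE_LOG.splitlines()):
        print(f"{kind:22} {src:14} {reason}")
```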

Hybrid Security Approach

In the real world, network security is rarely completely in one paradigm or another. Networks generally fall along a continuum with elements of more than one security paradigm. The two categories also combine to form a hybrid approach. One can have a network that is predominantly passive but layered, or one that is primarily perimeter, but proactive. Considering approaches to computer security along a Cartesian coordinate system, with the x axis representing the level of passive-active approaches and the y axis depicting the range from perimeter to layered defense, can be helpful. The most desirable hybrid approach is a layered paradigm that is dynamic.

Network Security and the Law

An increasing number of legal issues affect how administrators approach network security. If your organization is a publicly traded company, a government agency, or does business with either, there may be legal constraints to choosing your security approach. Legal constraints include any laws that affect how information is stored or accessed. Sarbanes-Oxley (discussed in more detail later in this section) is one example. Even if your network is not legally bound to these security guidelines, reviewing the various laws impacting computer security and perhaps deriving ideas that can apply to your own security standards is useful.

One of the oldest pieces of legislation in the United States affecting computer security is the Computer Security Act of 1987 (100th Congress, 1987). This act requires government agencies to identify sensitive systems, conduct computer security training, and develop computer security plans. This law is a vague mandate ordering federal agencies in the United States to establish security measures without specifying any standards.

This legislation established a legal mandate to enact specific standards, paving the way for future guidelines and regulations. It also helped define certain terms, such as what information is indeed “sensitive,” according to the following quote found in the legislation itself:

Sensitive information is any information, the loss, misuse, or unauthorized access to or modification of which could adversely affect the national interest or the conduct of Federal programs, or the privacy to which individuals are entitled under section 552a of title 5, United States Code (the Privacy Act), but which has not been specifically authorized under criteria established by an Executive order or an Act of Congress to be kept secret in the interest of national defense or foreign policy.

Keep this definition in mind, for it is not just Social Security information or medical history that must be secured. When considering what information needs to be secure, simply ask the question: Would the unauthorized access or modification of this information adversely affect my organization? If the answer is “yes,” then you must consider that information “sensitive” and in need of security precautions.

Another more specific federal law that applies to mandated security for government systems is OMB Circular A-130 (specifically, Appendix III). This document requires that federal agencies establish security programs containing specified elements. This document describes requirements for developing standards for computer systems and for records held by government agencies.

Most states have specific laws regarding computer security, such as legislation like the Computer Crimes Act of Florida, the Computer Crime Act of Alabama, and the Computer Crimes Act of Oklahoma. Any person responsible for network security might potentially be involved in a criminal investigation. This could be an investigation into a hacking incident or employee misuse of computer resources. Whatever the nature of the crime instigating the investigation, being aware of the computer crime laws in your state is invaluable. A list of computer crime laws by state is available at http://www.irongeek.com/i.php?page=computerlaws/state-hacking-laws. This government list is from the Advanced Laboratory Workstation (ALW), National Institutes of Health (NIH), and Center for Information Technology.

Keep in mind that any law that governs privacy (such as the Health Insurance Portability and Accountability Act [HIPAA], for medical records) also has a direct impact on computer security. If a system is compromised and data that is covered under any privacy statute is compromised, you might need to prove that you exercised due diligence to protect that data. A finding that you did not take proper precautions can result in civil liability.

A law that is probably even more pertinent to business network security is Sarbanes-Oxley, often called SOX (http://www.soxlaw.com/). This law governs how publicly traded companies store and report on financial data, and keeping that data secure is a vital part of this. Obviously, full coverage of this law is beyond the scope of this chapter, or even this book. It is mentioned to point out to you that in addition to network security being a technical discipline, you must also consider business and legal ramifications.

Using Security Resources

As you read this book and when you move out into the professional world, you will have frequent need for additional security resources. This section highlights a few of the most important ones and those you may find useful now.

• CERT (www.cert.org/). CERT stands for Computer Emergency Response Team, a group sponsored by Carnegie-Mellon University. CERT was the first computer incident-response team and is still one of the most respected in the industry. Anyone interested in network security should visit the site routinely. On the website is a wealth of documentation, including guidelines for security policies, cutting-edge security research, security alerts, and more.

• Microsoft Security TechCenter (https://technet.microsoft.com/en-us/security). This site is particularly useful because so many computers run Microsoft operating systems. This site is a portal to all Microsoft security information, tools, and updates. Users of Microsoft software should visit this website regularly.

• F-Secure Corporation (www.f-secure.com/). This site is, among other things, a repository for detailed information on virus outbreaks. Here you will find notifications and detailed information about specific viruses. This information includes how the virus spreads, ways to recognize the virus, and specific tools for cleaning an infected system of a particular virus.

• F-Secure Labs (www.f-secure.com/en/web/labs_global/home).

• SANS Institute (www.sans.org/). This site provides detailed documentation on virtually every aspect of computer security. The SANS Institute also sponsors a number of security research projects and publishes information about those projects on its website.

Summary

Threats to networks are growing. We are seeing an increase in the number of hacking attacks and viruses, as well as other forms of attack. Couple this growing danger with increasing legal pressures (such as HIPAA and SOX) and network administrators face ever-increasing demands on network security. To meet this demand you must have a thorough understanding of the threats to your network, as well as the countermeasures you can employ. This begins with a realistic assessment of the dangers to your network.

This chapter has introduced you to the basic concepts of network security, the general classes of danger, and basic security terminology. Subsequent chapters elaborate on this information.

Test Your Skills

MULTIPLE CHOICE QUESTIONS

1. Which of the following is not one of the three major classes of threats?

A. Denial of service attacks

B. A computer virus or worm

C. Actually intruding on a system

D. Online auction fraud

2. Which of the following is the most accurate definition of a virus?

A. Any program that spreads via e-mail

B. Any program that carries a malicious payload

C. Any program that self-replicates

D. Any program that can damage your system

3. Are there any reasons not to take an extreme view of security, if that view errs on the side of caution?

A. No, there is no reason not to take such an extreme view.

B. Yes, that can lead to wasting resources on threats that are not likely.

C. Yes, if you are going to err, assume there are few if any realistic threats.

D. Yes, that can require that you increase your security skills in order to implement more rigorous defenses.

4. What is a computer virus?

A. Any program that is downloaded to your system without your permission

B. Any program that self-replicates

C. Any program that causes harm to your system

D. Any program that can change your Windows registry

5. Which of the following gives the best definition of spyware?

A. Any software that logs keystrokes

B. Any software used to gather intelligence

C. Any software or hardware that monitors your system

D. Any software that monitors which websites you visit

6. Which of the following is the best definition for the term ethical hacker?

A. An amateur who hacks a system without being caught

B. A person who hacks a system by faking a legitimate password

C. A person who hacks a system to test its vulnerabilities

D. An amateur hacker

7. What is the term for hacking a phone system?

A. Telco-hacking

B. Hacking

C. Cracking

D. Phreaking

8. Which of the following is the best definition of malware?

A. Software that has some malicious purpose

B. Software that self-replicates

C. Software that damages your system

D. Any software that is not properly configured for your system

9. Which of the following is the best definition for war-driving?

A. Driving while hacking and seeking a computer job

B. Driving while using a wireless connection to hack

C. Driving looking for wireless networks to hack

D. Driving and seeking rival hackers

10. Which of the following is the most basic security activity?

A. Installing a firewall

B. Authenticating users

C. Controlling access to resources

D. Using a virus scanner

11. Blocking attacks seek to accomplish what?

A. Install a virus on the target machine

B. Shut down security measures

C. Prevent legitimate users from accessing a system

D. Break into a target system

12. What are the three approaches to security?

A. Perimeter, layered, and hybrid

B. High security, medium security, and low security

C. Internal, external, and hybrid

D. Perimeter, complete, and none

13. An intrusion-detection system is an example of:

A. Proactive security

B. Perimeter security

C. Hybrid security

D. Good security practices

14. Which of the following would most likely be classified as misuse(s) of systems?

A. Looking up information on a competitor using the web

B. Getting an occasional personal e-mail

C. Using your business computer to conduct your own (non-company) business

D. Shopping on the web during lunch

15. The most desirable approach to security is one which is:

A. Perimeter and dynamic

B. Layered and dynamic

C. Perimeter and static

D. Layered and static

16. When assessing threats to a system, what three factors should you consider?

A. The system’s attractiveness, the information contained on the system, and how much traffic the system gets

B. The skill level of the security team, the system’s attractiveness, and how much traffic the system gets

C. How much traffic the system gets, the security budget, and the skill level of the security team

D. The system’s attractiveness, the information contained on the system, and the security budget

17. Which of the following is the best definition for non-repudiation?

A. Security that does not allow the potential intruder to deny his attack

B. Processes that verify which user performs what action

C. It is another term for user authentication

D. Access control

18. Which of the following types of privacy laws affect computer security?

A. Any state privacy law

B. Any privacy law applicable to your organization

C. Any privacy law

D. Any federal privacy law

19. The first computer incident response team is affiliated with what university?

A. Princeton University

B. Carnegie-Mellon University

C. Harvard University

D. Yale University

20. Which of the following is the best definition of “sensitive information”?

A. Military- or defense-related information

B. Any information that is worth more than $1,000

C. Any information that, if accessed by unauthorized personnel, could damage your organization in any way

D. Any information that has monetary value and is protected by any privacy laws

21. Which of the following best defines the primary difference between an ethical hacker and an auditor?

A. There is no difference.

B. The ethical hacker tends to be less skilled.

C. The auditor tends to be less skilled.

D. The ethical hacker tends to use more unconventional methods.

EXERCISES

EXERCISE 1.1: How Many Virus Attacks Have Occurred This Month?

1. Using various websites, determine the number of virus attacks reported this month. You may find that sites such as www.f-secure.com are helpful for finding this information.

2. Compare that figure to the number of virus outbreaks per month in the last three, nine, and twelve months.

3. Are virus attacks increasing or decreasing in frequency? Give examples to support your answer and state the estimated amount of change in virus attacks over the past year.

EXERCISE 1.2: Trojan Horse Attacks

1. Using the Internet, journals, books, or other resources, find one incident of a Trojan horse attack in the past nine months.

2. How was this Trojan horse delivered? What damage did it cause?

3. Describe the Trojan horse attack, including:

• Any specific targets

• Whether the perpetrators of the attack have been caught and/or prosecuted

• What types of security warnings were issued about the attack as well as measures prescribed to defend against it

EXERCISE 1.3: Recent Trends in Computer Crime

1. Using your preferred search engine, find its most recent survey on computer crime.

2. Note which areas of computer crime have increased and decreased.

3. Describe the changes between this survey and the one published in 2002.

4. What do the two surveys tell you about trends in computer crime?

5. What area of computer crime appears to be increasing most rapidly?

EXERCISE 1.4: Hacking Terminology

Using the New Hacker’s Dictionary (http://www.outpost9.com/reference/jargon/jargon_toc.html), define the following terms. Then check the Internet (web pages, chat rooms, or bulletin boards) to find an example of each term being used.

• daemon

• dead code

• dumpster diving

• leapfrog attack

• kluge

• nuke

EXERCISE 1.5: Security Professional Terminology

Using one of the three glossaries discussed in this chapter, define the following terms:

• access control list

• adware

• authentication

• backdoor

• buffer

• HotFix

PROJECTS

PROJECT 1.1: Learning About a Virus

1. Searching with your preferred search engine, find a virus that has been released in the last six months. You might find information on sites such as www.f-secure.com.

2. Describe how the virus you chose worked, including the method it used to spread.

3. Describe the amount of damage caused by the virus.

4. Were any specific targets identified?

5. Were the perpetrators of the virus attack caught and/or prosecuted?

6. What types of security warnings were issued about the virus attack?

7. What measures were prescribed to defend against it?

8. Would the virus most properly be described as a virus or a worm?

PROJECT 1.2: Security Profession

Using various resources, including the web, find out the qualifications required for computer security administrator jobs. You will need to find out the specific technologies required, years of experience, educational level, and any certifications. This project should help you see what topics the industry considers most important for a security professional to understand. Websites that might help you include:

• www.computerjobs.com

• www.dice.com

• www.monster.com

PROJECT 1.3: Finding Web Resources

This chapter provides several good web resources for security information. You should now use the Internet to identify three websites you think provide reliable and valid information that would be beneficial to a security professional. Explain why you believe these to be valid sources of information.

Note: You will likely use these sources in later chapter exercises and projects, so make certain you can rely on the data they provide.
