Sunday, November 28, 2010

Understanding Network Attacks

A network attack can be defined as any method, process or means used to maliciously attempt to compromise the security of the network.

There are a number of reasons why an individual(s) would want to attack corporate networks. The individuals performing network attacks are commonly referred to as network attackers or hackers or crackers.

A few different types of malicious activities performed by network attackers and hackers are summarized here:

  • Illegally using user accounts and privileges.

  • Stealing hardware.

  • Stealing software.

  • Running code to damage systems.

  • Running code to damage and corrupt data.

  • Modifying stored data.

  • Stealing data.

  • Using data for financial gain or for industrial espionage

  • Performing actions that prevent legitimate authorized users from accessing network services and resources.

  • Performing actions to deplete network resources and bandwidth.

A few reasons why network attackers attempt to attack corporate networks are listed here:

  • Individuals seeking fame or some sort of recognition. Script kiddies usually seek some form of fame when they attempt to crash Web sites and other public targets on the Internet. A script kiddie could also be looking for some form of acceptance or recognition from the hacker community or from black hat hackers.

  • Possible motives for structured external threats include:

    • Greed

    • Industrial espionage

    • Politics

    • Terrorism

    • Racism

    • Criminal payoffs

  • Displeased employees might seek to damage the organization's data, reliability, or financial standing.

  • There are though some network attackers that simply enjoy the challenge of trying to compromise the security systems of highly secured networks. These types of attackers simply see their actions as a means by which existing security vulnerabilities can be exposed.

Network attacks can be classified into the following four types of attacks:

  • Internal threats

  • External threats

    • Unstructured threats

    • Structured threats

Threats to the network can be initiated from a number of different sources, hence the reason why network attacks are classified as either external network attacks/threats, or internal network attacks/threats:

  • External threats: External threats or network attacks are carried out by individuals with no assistance from internal employees or contractors. These attacks are typically performed by a malicious experienced individual, a group of experienced individuals, an experienced malicious organization, or by inexperienced attackers (script kiddies). External threats are usually performed by using a predefined plan and the technologies (tools) or techniques of the attacker(s). One of the main characteristics of external threats is that it usually involves scanning and gathering information. You can therefore detect an external attack by scrutinizing existing firewall logs. You can also install an Intrusion Detection System to quickly identify external threats.
    External threats can be further categorized into either structured threats or unstructured threats:

    • Structured external threats: These threats originate from a malicious individual, a group of malicious individual(s) or from a malicious organization. Structured threats are usually initiated from network attackers that have a premeditated thought on the actual damages and losses which they want to cause. Possible motives for structured external threats include greed, politics, terrorism, racism and criminal payoffs. These attackers are highly skilled on network design, the methods on avoiding security measures, Intrusion Detection Systems (IDSs), access procedures, and hacking tools. They have the necessary skills to develop new network attack techniques and the ability to modify existing hacking tools for their exploitations. In certain cases, the attacker could be assisted by an internal authorized individual.

    • Unstructured external threats: These threats originate from an inexperienced attacker, typically from a script kiddie. A script kiddie is the terminology used to refer to an inexperienced attacker who uses cracking tools or scripted tools readily available on the Internet, to perform a network attack. Script kiddies are usually inadequately skilled to create the threats on their own. Script kiddies can be considered as being bored individuals seeking some form of fame by attempting to crash Web sites and other public targets on the Internet.

    External attacks can also occur either remotely or locally:

    • Remote external attacks: These attacks are usually aimed at the services which an organization offers to the public. The various forms which remote external attacks can take are listed here:

      • Remote attacks aimed at the services available for internal users. This remote attack usually occurs when there is no firewall solution implemented to protect these internal services.

      • Remote attacks aimed at locating modems to access the corporate network.

      • Denial-of-service (DoS) attacks to place an exceptional processing load on servers in an attempt to prevent authorized user requests from being serviced.

      • War-dialing of the corporate private branch exchange (PBX).

      • Attempts to brute force password authenticated systems.

    • Local external attacks: These attacks typically originate from situations where computing facilities are shared, and access to the system can be obtained.

  • Internal threats: Internal attacks originate from dissatisfied or unhappy inside employees or contractors. Internal attackers have some form of access to the system and usually try to hide their attack as a normal process. For instance, internal disgruntled employees have local access to some resources on the internal network already. They could also have some administrative rights on the network. One of the best means to protect against internal attacks is to implement an Intrusion Detection System, and to configure it to scan for both external and internal attacks. All forms of attacks should be logged and the logs should be reviewed and followed up.

With respect to network attacks, the core components which should be included when you design network security are:

  • Network attack prevention.

  • Network attack detection.

  • Network attack isolation.

  • Network attack recovery.

What is hacking?

The terminology, hacking, was initially used to refer to the process of finding solutions to rather technical issues or problems. These days, hacking is used to refer to the process whereby intruders maliciously attempt to compromise the security of corporate networks to destroy, interpret or steal confidential data; or to prevent an organization from operating.

Different terminology is used to refer to criminal hacking:

  • Cracking

  • Cybercrime

  • Cyberespionage

  • Phreaking

To access a network system, the intruder (hacker) performs a number of activities:

  • Footprinting: This is basically the initial step in hacking a corporate network. Here the intruder attempts to gain as much information on the targeted network by using sources which the public can access. The aim of footprinting is to create a map of the network to determine what operating systems, applications and address ranges are being utilized, and to identify any accessible open ports.
    The methods used to footprint a network are listed here:

    • Access information publicly available on the company Web site to gain any useful information.

    • Try to find any anonymous File Transfer Protocol (FTP) sites and intranet sites which are not secured.

    • Gather information on the domain name of the company and the IP address block being used.

    • Test for hosts in the IP address block of the network. Tools such as Ping or Flping are typically used.

    • Using tools such as Nslookup, the intruder attempts to perform Domain Name System (DNS) zone transfers.

    • A tool such as Nmap is used to find out what the operating systems are which are being used.

    • Tools such as Tracert are used to find routers and to collect subnet information.

  • Port scanning: Port scanning or simply scanning, is the process whereby which intruders collect information on the network services on a target network. Here, the intruder attempts to find open ports on the target system.
    The different scanning methods used by network attackers are:

    • Vanilla scan/SYNC scan: TCP SYN packets are sent to the ports of each address in an attempt to connect to all ports. Port numbers 0 - 65,535 are utilized.

    • Strobe scan: Here, the attacker attempts to connect to a specific range of ports which are typically open on Windows based hosts or UNIX/Linux based hosts.

    • Sweep: A large set of IP addresses are scanned in an attempt to detect a system that has one open port.

    • Passive scan: Here, all network traffic entering or leaving the network is captured and traffic is then analyzed to determine what the open ports are on the hosts within the network.

    • User Datagram Protocol (UDP) scan: Empty UDP packets are sent to the different ports of a set of addresses to determine how the operating responds. Closed UDP ports respond with the Port Unreachable message when any empty UDP packets are received. Other operating systems respond with the Internet Control Message Protocol (ICMP) error packet.

    • FTP bounce: To hide the location of the attacker, the scan is initiated from an intermediary File Transfer Protocol (FTP) server.

    • FIN scan: TCP FIN packets that specify that the sender wants to close a TCP session are sent to each port for a range of IP addresses.

  • Enumeration: The unauthorized intruder uses a number of methods to collect information on applications and hosts on the network, and on the user accounts utilized on the network. Enumeration is particularly successful in networks that contain unprotected network resources and services:

    • Network services that are running but which are not being utilized.

    • Default user accounts which have no passwords specified.

    • Guest accounts which are active.

  • Acquiring access: Access attacks are performed when an attacker exploits a security weakness so that he/she can obtain access to a system or the network. Trojan horses and password hacking programs are typically used to obtain system access. When access is obtained, the intruder is able to modify or delete data; and add, modify or remove network resources.
    The different types of access attacks are listed here:

    • Unauthorized system access entails the practice of exploiting the vulnerabilities of operating systems, or executing a script or a hacking program to obtain access to a system.

    • Unauthorized privilege escalation is a frequent type of attack. Privilege escalation occurs when an intruder attempts to obtain a high level of access like administrative privileges to gain control of the network system.

    • Unauthorized data manipulation involves interpreting, altering and deleting confidential data.

  • Privilege escalation: When an attacker initially gains access to the network, low level accounts are typically used. Privilege escalation occurs when an attacker escalates his/her privileges to obtain a higher level of access, like administrative privileges, in order to gain control of the network system.
    The privilege escalation methods used by attackers are listed here:

    • The attacker searches the registry keys for password information.

    • The attacker can search documents for information on administrative privileges.

    • The attacker can execute a password cracking tool on targeted user accounts.

    • The attacker can use a Trojan in an attempt to obtain the credentials of a user account that has administrative privileges.

  • Install backdoors: A hacker can also implement a mechanism such as some form of access granting code with the intent of using it at some future stage. Backdoors are typically installed by attackers so that they can easily access the system at some later date. After a system is compromised, you can remove any installed backdoors by reinstalling the system from a backup which is secure.

  • Removing evidence of activities: Attackers typically attempt to remove all evidence of their activities.

What are hackers or network attackers?

A hacker or network attacker is someone who maliciously attacks networks, systems, computers, applications; and who captures, corrupts, modifies, steals or deletes confidential company information.

A hacker can refer to a number of different individuals who perform activities aimed at hacking systems and networks, and it can also refer to individuals who perform activities that have nothing to do with criminal activity:

  • Programmers who hack complex technical problems to come up with solutions.

  • Script kiddies who use readily available tools on the Internet to hack into systems.

  • Criminal hackers who steal or destroy company data.

  • Protesting activists who deny access to specific Web sites as part of their protesting strategy.

Hackers these days are classified according to the hat they wear. This concept is illustrated below:

  • Black hat hackers are malicious or criminal hackers who hack at systems and computers to damage data or who attempt to prevent businesses from rendering their services. Some black hat hackers simply hack security protected systems to gain prestige in the hacking community.

  • White hat hackers are legitimate security experts who are trying to expose security vulnerabilities in operating system platforms. White hat hackers have the improvement of security as their motive. They do not damage or steal company data, nor do they seek any fame. These security experts are usually quite knowledgeable on the hacking methods utilized by black hat hackers.

  • Grey hat hacker: These are individuals who have motives between that of black hat hackers and white hat hackers.

The Common Types of Network Attacks

While there are many different types of network attacks, a few can be regarded as the more commonly performed network attacks. These network attacks are discussed in this section of the Article:

  • Data modification or data manipulation pertains to a network attack where confidential company data is interpreted, deleted, or modified. Data modification is successful when data is modified without the sender actually being aware that it was tampered with.
    A few methods of preventing attacks aimed at compromising data integrity are listed here:

    • Use digital signatures to ensure that data has not been modified while it is being transmitted or simply stored.

    • Implement access control lists (ACLs) to control which users are allowed to access your data.

    • Regularly back up important data.

    • Include specific code in applications that can validate data input.

  • Eavesdropping: This type of network attack occurs when an attacker monitors or listens to network traffic in transit, and hen interprets all unprotected data. While you need specialized equipment and access to the telephone company switching facilities to eavesdrop telephone conversations, all you need to eavesdrop on an Internet Protocol (IP) based network is a sniffer technology to capture the traffic being transmitted. This is basically due to the Transmission Control Protocol/Internet Protocol (TCP/IP) protocol being an open architecture which transmits unencrypted data over the network.
    A few methods of preventing intruders from eavesdropping on the network are listed here:

    • Implement Internet Protocol Security (IPSec) to secure and encrypt IP data before it is sent over the network.

    • Implement security policies and procedures to prevent attackers from attaching a sniffer on the network.

    • Install antivirus software to protect the corporate network from Trojans. Trojans are typically used to discover and capture sensitive, valuable information, such as user credentials.

  • IP address spoofing or IP spoofing or identity spoofing: IP address spoofing occurs when an attacker assumes the source Internet Protocol (IP) address of IP packets to make it appear as though the packet originated from a valid IP address. The aim of an IP address spoofing attack is to identify computers on a network. The majority of IP networks utilize the IP address of the user to verify identities, and routers also typically ignore source IP addresses when routing packets. Routers use the destination IP addresses to forward packets to the intended destination network.
    These factors could enable an attacker to bypass a router and to launch a number of subsequent attacks, including:

    • Initiation of a denial of service (DoS) attacks.

    • Initiation of man-in-the-middle (MITM) attacks to hijack sessions.

    • Redirect traffic.

    A few methods of preventing IP address spoofing attacks are listed here:

    • Encrypt traffic between routers and external hosts.

    • Define ingress filters on routers and firewalls to stop inbound traffic where the source address is from a trusted host on the internal network

  • Sniffer attacks: Sniffing refers to the process used by attackers to capture and analyze network traffic. The contents of packets on a network are analyzed. The tools which attackers use for sniffing are called sniffers or more correctly, protocol analyzers. While protocol analyzers are really network troubleshooting tools, they are also used by hackers for malicious purposes. Sniffers are used to monitor, capture and obtain network information, such as passwords and valuable customer information. When an individual has physical access to a network, he/she can easily attach a protocol analyzer to the network and then capture traffic. Remote sniffing can also be performed and is typically used by network attackers.
    There are protocol analyzers or sniffers available for most networking technologies including:

    • Asynchronous Transfer Mode (ATM)

    • Ethernet

    • Fiber Channel

    • Serial connections

    • Small Computer System Inter-face (SCSI)

    • Wireless

    There are a number of common sniffers which are used by network security administrators and malicious hackers:

    • Dsniff

    • Ethereal

    • Etherpeek

    • Network Associates's Sniffer

    • Ngrep

    • Sniffit

    • Snort

    • Tcpdump

    • Windump

    To protect against sniffers, implement Internet Protocol Security (IPSec) to encrypt network traffic so that any captured information cannot be interpreted.

  • Password attacks: Password based attacks or password crackers are aimed at guessing the password for a system until the correct password is determined. One of the primary security weaknesses associated with password based access control is that all security is based on the user ID and password being utilized. But who is the individual using the credentials at the keyboard? There are some of the older applications that do not protect password information. The password information is simply sent in clear or plain text - no form of encryption is utilized! Remember that network attackers can obtain user ID and password information and can then pose as authorized users and attack the corporate network. Attackers can use dictionary attacks or brute force attacks to gain access to resources with the same rights as the authorized user. A big threat would be present if the user has some level of administrative rights to certain portions of the network. An even bigger threat would exist if the same password credentials are used for all systems. The attacker would then have access to a number of systems.
    There are two ways in which password based attacks are performed:

    • Online cracking: The network attacker sniffs network traffic to seize authentication sessions in an attempt to capture password based information. There are tools which are geared at sniffing out passwords from traffic.

    • Offline cracking: The network attacker gains access to a system with the intent of gaining access to password based information. The attacker then runs some password cracker technology to decipher valid user account information.

    A dictionary attack occurs when all the words typically used for passwords are attempted to detect a password match. There are some technologies that can generate a number of complex word combinations and variations.
    Modern operating systems only stores passwords in an encrypted format. To obtain password credentials, you have to have administrative credentials to access the system and information. Operating systems these days also support password policies. Password policies can be used to define how passwords are managed, and to define the characteristics of passwords which are considered acceptable.

    Password policy settings can be used to specify and enforce a number of rules for passwords:

    • Define whether passwords are simple or complex.

    • Define whether password history is maintained.

    • Define the minimum length for passwords.

    • Define the minimum password age.

    • Define the maximum password age.

    • Define whether passwords are stored using reversible encryption or irreversible encryption.

    Account lockout policies should be implemented if your environment is particularly vulnerable to threats arising from passwords which are being guessed. Implementing an account lockout policy ensures that the account of a user is locked after an individual has unsuccessfully tried for several times to provide the correct password. The important factor to remember when defining an account lockout policy is that you should implement a policy that permits some degree of user error, but that also prevents hackers from using your user accounts.
    The following password and account lockout settings are located in the Account Lockout Policy area in Account Policies:

    • Account lockout threshold: This setting controls the number of times after which an incorrect password attempt results in the account being locked out of the system.

    • Account lockout duration: This setting controls the duration that an account which is locked, remains locked. A setting of 0 means that an administrator has to manually unlock the locked account.

    • Reset account lockout counter after: This setting determines the time duration that must pass subsequent to an invalid logon attempt occurring prior to the reset account lockout counter being reset.

  • Brute force attack: Brute force attacks simply attempt to decode a cipher by trying each possible key to find the correct one. This type of network attack systematically uses all possible alpha, numeric, and special character key combinations to find a password that is valid for a user account. Brute force attacks are also typically used to compromise networks that utilize Simple Mail Transfer Protocol (SNMP). Here, the network attacker initiates a brute force attack to find the SNMP community names so that he/she can outline the devices and services running on the network.
    A few methods of preventing brute force attacks are listed here:

    • Enforce the use of long password strings.

    • For SNMP use long, complex strings for community names.

    • Implement an intrusion detection system (IDS). By examining traffic patterns, an IDS is capable of detecting when brute force attacks are underway.

  • Denial of Service (DoS) attack: A DoS attack is aimed at preventing authorized, legitimate users from accessing services on the network. The DoS attack is not aimed at gathering or collecting data. It is aimed at preventing the normal use of computers or the network by authorized, legitimate users. The SYN flood from 1996 was the earliest form of a DoS attack which exploited a vulnerability of the Transmission Control Protocol (TCP). A DoS attack can be initiated by sending invalid data to applications or network services until the server hangs or simply crashes. The most common form of a DoS attack is TCP attacks.
    DoS attacks can use either of the following methods to prevent authorized users from using the network services, computers, or applications:

    • Flood the network with invalid data until traffic from authorized network users cannot be processed.

    • Flood the network with invalid network service requests until the host providing that particular service cannot process requests from authorized network users. The network would eventually become overloaded.

    • Disrupt communication between hosts and clients through either of the following methods:

      • Modification of system configurations.

      • Physical destruction of the network. Crashing a router for instance would prevent users from accessing the system.

    There are a number of tools easily accessible and available on the Internet which can be used to initiate DoS attacks:

    • Bonk

    • LAND

    • Smurf

    • Teardrop

    • WinNuke

    A network attacker can increase the enormity of a DoS attack by initiating the attack against a single network from multiple computers or systems. This type of attack is known as a distributed denial of service (DDoS) attack. Network administrators can experience great difficulty in fending off DDoS attacks, simply because blocking all the attacking computers, can also result in blocking authorized users.
    The following measures can be implemented to protect a network against DoS attacks:

    • Implement and enforce strong password policies.

    • Back up system configuration data regularly.

    • Disable or remove all unnecessary network services.

    • Implement disk quotas for your user and service accounts.

    • Configure filtering on your routers and patch operating systems.

    The following measures can be implemented to protect a network against DDoS attacks:

    • Limit the number of ICMP and SYN packets on router interfaces.

    • Filter private IP addresses using router access control lists.

    • Apply ingress and egress filtering on all edge routers.

  • Man-in-the-middle (MITM) attack: A man-in-the-middle (MITM) attack occurs when a hacker eavesdrops on a secure communication session and monitors, captures and controls the data being sent between the two parties communicating. The attacker attempts to obtain information so that he/she can impersonate the receiver and sender communicating.
    For a man-in-the-middle (MITM) attack to be successful, the following sequence of events has to occur:

    • The hacker must be able to obtain access to the communication session to capture traffic when the receiver and sender establish the secure communication session.

    • The hacker must be able to capture the messages being sent between the parties and then send messages so that the session remains active.

    There are some public key cryptography systems, such as Diffie-Hellman (DH) key exchange which are rather susceptible to man-in-the-middle attacks. This is due to the Diffie-Hellman (DH) key exchange using no authentication.

What are viruses?

A virus can be defined as a malicious code which affects and infects files on a system. Numerous instances of the files are then recreated. Viruses usually lead to some sort of data loss, and/or system failure.

There are numerous methods by which a virus can get into a system:

  • Through infected floppy disks.

  • Through an e-mail attachment infected with the virus.

  • Through downloading software infected with the virus.

A few common types of viruses are listed here:

  • Boot sector viruses: These are viruses that infect a hard-drive's master boot record. The virus is then loaded into memory whenever the system starts or is rebooted.

  • File viruses or program viruses or parasitic viruses: These are viruses that are attached to executable programs. Whenever the particular program is executed, the viruses are loaded into memory.

  • Multipartite viruses: These are viruses which are a combination of a boot sector virus and a file virus.

  • Macro viruses: These are viruses that are written in macro languages utilized by applications, of which Microsoft Word is one. Macro viruses usually infect systems through e-mail.

  • Polymorphic viruses: These viruses can be considered as being the more difficult viruses to fend against because they can modify their code. Virus protection software often finds polymorphic viruses harder to detect and remove.

If you discover that a virus has infected your system, use the recommendations listed here:

  • Scan each of your systems to gauge how infected your infrastructure is.

  • To prevent the virus from spreading any further. You should immediately disconnect all infected systems.

  • All infected systems should be installed from a clean backup copy, that is, a back up which was taken when the system was clean from virus infections.

  • Inform the antivirus vendor so that the vendor's virus signature database is updated accordingly.

A few methods of protecting your network infrastructure against viruses are listed here:

  • Install virus protection software on systems.

  • Regularly update all installed virus protection software.

  • Regularly back up systems after they have been scanned for viruses, and are considered clean from virus infection.

  • Your users should be educated to not open any e-mail attachments which were sent from individuals they do not recognize.

What are worms?

As mentioned previously, a virus is a form of malicious code that infects files on the system. A worm on the other hand is an autonomous code that propagates over a network, targeting hard drive space and processor cycles. Worms not only infects files on one system but can propagate to other systems on the network. The purpose of a worm is to deplete available system resources. Hence the reason why a worm makes copies of itself over and over and over. Worms basically make copies of itself or replicate until available memory is used, bandwidth is unavailable, and legitimate network users are no longer able to access network resources or services.

There are a few worms that are sophisticated enough to corrupt files, render systems un-operational, and even steal data. These worms usually have one or numerous viral codes.

A few previously encountered worms are listed here:

  • Te ADMw0rm worm took advantage of a buffer overflow in Berkeley Internet Name Domain (BIND).

  • The Code Red worm utilized a buffer overflow vulnerability in Microsoft Internet Information Services (IIS) version 4 and IIS version 5.

  • The LifeChanges worm exploited a Microsoft Windows weakness which allowed scrap shell files to be utilized for running arbitrary code.

  • The LoveLetter worm used a Visual Basic Script to replicate or mass mail itself to all individuals in the Windows address book.

  • The Melissa worm utilized a Microsoft Outlook and Outlook Express vulnerability to mass mail itself to all individuals in the Windows address book.

  • The Morris worm exploited a Sendmail debug mode vulnerability.

  • The Nimda worm managed to run e-mail attachments in Hypertext Markup Language (HTML) messages through the exploitation of HTML IFRAME tag.

  • The Slapper worm exploited an Apache Web server platform buffer overflow vulnerability.

  • The Slammer worm exploited a buffer overflow vulnerability on un-patched machines running Microsoft SQL Server.

What are Trojan Horses?

A Trojan horse or simply Trojan, is a file or e-mail attachment which is disguised as being a friendly, legitimate file. When executed though, the file corrupts data and can even install a backdoor which hackers can utilize to access the network.

A Trojan horse differs to a virus or worm in the following ways:

  • Trojan horses disguise themselves as friendly programs. Viruses and worms are much more obvious in their actions.

  • Trojan horses do not replicate like worms and viruses do.

A few different types of Trojan horses are listed here:

  • Keystroke loggers monitor the keystrokes that a user types and then e-mails the information to the network attacker.

  • Password stealers are disguised as legitimate login screens which wait for users to provide their passwords so that they can be stolen by hackers. Password stealers are aimed at discovering and stealing system passwords for hackers.

  • Remote administration tools (RATs) are used by hackers to gain control over the network from some remote location.

  • Zombies are typically used to initiate distributed denial of service (DDoS) attacks on the hosts within a network.

Predicting Network Threats

To protect your network infrastructure, you need to be able to predict the types of network threats to which it is vulnerable. This should include an analysis of the risks that each identified network threat imposes on the network infrastructure.

A model known as STRIDE is used by security experts to classify network threats:

  • Spoofing identity: These are attacks that are aimed at obtaining user account information. Spoofing identity type attacks typically affect data confidentiality.

  • Tampering with data: These are attacks that are aimed at modifying company information. Data tampering usually ends up in affecting the integrity of data. A man-in-the-middle attack is a form of data tampering.

  • Repudiation: Repudiation takes place when a user performs some form of malicious action on a resource and then later denies carrying out that particular activity. Network administrators usually have no evidence which they can use to back up their suspicions.

  • Information disclosure: Here, private and confidential information is made available to individuals who should not have access to the particular information. Information disclosure usually impacts data confidentiality and network resource confidentiality.

  • Denial of service: These attacks affect the availability of company data and network resources and services. DoS attacks are aimed at preventing legitimate users from accessing network resources and data.

  • Elevation of privilege: Elevation of privilege occurs when an attacker escalates his/her privileges to obtain a high level of access like administrative privileges, in an attempt to gain control of the network system.

Identifying Threats to DHCP Implementations
A few threats specific to DHCP implementations are listed here:

  • Because the IP address number in a DHCP scope is limited, an unauthorized user could initiate a denial of service (DoS) attack by requesting or obtaining a large numbers of IP addresses.

  • A network attacker could use a rogue DHCP server to offer incorrect IP addresses to your DHCP clients.

  • A denial of service (DoS) attack can be launched through an unauthorized user performing a large number of DNS dynamic updates via the DHCP server.

  • Assigning DNS IP addresses and WINS IP addresses through the DHCP server increases the possibility of hackers using this information to attack your DNS and WINS servers.

protect your DHCP environment from network attacks, use the following strategies:

  • Implement firewalls

  • Close all open unused ports

  • If necessary, use VPN tunnels.

  • You can use MAC address filters.

Identifying Threats to DNS Implementations
A few threats specific to DNS implementations:

  • Denial of service (DoS) attacks occurs when DNS servers are flooded with recursive queries in an attempt to prevent the DNS server from servicing legitimate client requests for name resolution. A successful DoS attack can result in the unavailability of DNS services, and in the eventual shut down of the network.

  • In DNS, footprinting occurs when an intruder intercepts DNS zone information. When the intruder has this information, the intruder is able to discover DNS domain names, computer names, and IP addresses which are being used on the network. The intruder then uses this information to decide on which computers he/she wants to attacks.

  • IP Spoofing: After an intruder has obtained a valid IP address from a footprinting attack, the intruder can use the IP address to send malicious packets to the network, or access network services. The intruder can also use the valid IP address to modify data.

  • In DNS, a redirection attack occurs when an intruder is able to make the DNS server forward or redirect name resolution requests to the incorrect servers. In this case, the incorrect servers are under the control of the intruder. A redirection attack is achieved by an intruder corrupting the DNS cache in a DNS server that accepts unsecured dynamic updates.

To protect an external DNS implementation from network attacks, use the following list of recommendations:

  • DNS servers should be placed in a DMZ or in a perimeter network.

  • Access rules and packet filtering should be configured firewalls to control both source and destination addresses and ports.

  • Host your DNS servers on different subnets and ensure that the DNS servers have different configured routers.

  • Install the latest service packs on your DNS servers

  • All unnecessary services should be removed.

  • Secure zone transfer data by using VPN tunnels or IPSec.

  • Ensure that zone transfer is only allowed to specific IP addresses.

  • For Internet facing DNS servers, disable recursion, disable dynamic updates, and enable protection against cache pollution

  • You can use a stealth primary server to update secondary DNS servers which are registered with ICANN.

Identifying Threats to Internet Information Server (IIS) servers (Web servers)
The security vulnerabilities of the earlier versions of Internet Information Server (IIS), including IIS version 5, were continuously patched up by service packs and hotfixes available from Microsoft. Previously when IIS was installed, all services were enabled and started; all service accounts had high system rights; and permissions were assigned to the lowest levels. This basically meant that the IIS implementation was vulnerable to all sorts of attacks from hackers. Microsoft introduced the Security Lockdown Wizard in an attempt to address the security loopholes and vulnerabilities which existed in the previous versions of IIS. The Security Lockdown Wizard in IIS 6 has been included in the Web Service Extensions (WSE).

IIS is installed in locked-down mode with IIS 6. The only feature immediately available is to access static content. You actually need to utilize the WSE feature in the IIS Manager console tree to manually enable IIS to run applications and its features. By default, all applications and extensions are prohibited from running.

To protect IIS servers from network attacks, use the following recommendations:

  • To prevent hackers from using default account names, all default account names, including the Administrator account and Guest account should be changed. You should utilize names for these accounts which are difficult to guess.

  • To prevent a hacker from compromising Active Directory should the Web server be compromised, the Web server should be a stand-alone server or a member of a forest, other than the forest which is used by the private network.

  • All the latest released security updates, service packs, and hotfixes should be applied to the Web server.

  • All sample applications should be removed from a Web server. A few sample application files are installed by default with IIS 5.0.

  • All unnecessary services should be removed or disabled. This would ensure that network attackers cannot exploit these services to compromise the Web server.

  • Disable the utilization of parent paths. Hackers typically attempt to access unauthorized disk subsystem areas through parent paths.

  • Apply security to each content type. Content should be categorized into separate folders, based on content type. You should then apply discretionary access control lists for each content type you have identified.

  • To protect commonly attacked ports, use IPSec.

  • To protect the secure areas of the Web server, use the Secure Socket Layer (SSL) protocol.

  • To detect hacking activity, implement an intrusion detection system (IDS).

  • A few recommendations for writing secure code for ASP or ASP.NET applications are summarized here:

    • ASP pages should not contain any hard-coded administrator account names and administrator account passwords.

    • Sensitive and confidential information and data should not be stored in hidden input fields on Web pages and in cookies.

    • Verify and validate form input prior to it being processed.

    • Do not use information from HTTP request headers to code decision branches for applications.

    • Be wary of buffer overflows generated by unsound coding standards.

    • Use Secure Sockets Layer (SSL) to encrypt session cookies.

Identifying Threats to Wireless Networks
A few threats specific to DNS implementations:

  • Eavesdropping attacks: The hacker attempts to capture traffic when it is being transmitted from the wireless computer to the wireless access point (WAP).

  • Masquerading: Here, the hacker masquerades as an authorized wireless user to access network resources or services.

  • Denial of service (DoS) attacks: The network attacker attempts to prevent authorized wireless users from accessing network resources by using a transmitter to block wireless frequencies.

  • Man-in-the-middle attacks: If an attacker successfully launches a man-in-the-middle attack, the attacker could be able to replay, and modify wireless communications.

  • Attacks at wireless clients: The attacker starts a network attack at the actual wireless computer which is connected to an untrusted wireless network.

To protect wireless networks from network attacks, use the following strategies:

  • Administrators should require all wireless communications to be authenticated and encrypted. The common technologies used to protect wireless networks from security threats are Wired Equivalent Privacy (WEP), Wi-Fi Protected Access (WPA), and IEEE 802.1X authentication

  • Regularly apply all firmware updates to your wireless devices.

  • Place the wireless network in a wireless demilitarized zone (WDMZ). A router or firewall should isolate the private corporate network from the WDMZ. DHCP should not be used in the wireless demilitarized zone.

  • To ensure a high level of wireless security, your wireless devices should support 802.1X authentication using Extensible Authentication Protocol (EAP) authentication; Temporal Key Integrity Protocol (TKIP); and use IPSec to secure communication between the AP and the RADIUS server.

  • The default administrative password utilized to manage the AP should be a complex, strong password.

  • The SSID should not contain the name of the company, the address of the company, and any other identification-type information

  • You should not utilize shared key encryption because it can lead to the compromise of the WEP keys.

  • To protect the network from site survey mechanisms, disable SSID broadcasts.

Determining Security Requirements for Different Data Types

When determining security requirements for different data types it is often helpful to categorize data as follows:

  • Public data: This category includes all data which is already publicly available on the company's Web site or news bulletins. Because the data is already publicly available, no risk is typically associated with the data being stolen. You do however need to maintain and ensure the integrity of public data.

  • Private data: Data that falls within this category is usually well-known within your organization's environment but is not well-known to the outside public. A typical example of data that falls within this category is data on the corporate intranet.

  • Confidential data: Data that falls within this category is data such as private customer information that should be protected from unauthorized access. The organization would almost always suffer some sort of loss if confidential data is intercepted.

  • Secret data: This is data which can be considered more confidential and sensitive in nature than confidential data. Secret data consists of trade secrets, new product and business strategy information, and patent information. Secret data should have the highest levels of security.

Creating an Incidence Response Plan

The terminology, incident response, refers to planned actions in response to a network attack or any similar event that affects systems, networks and company data. An Incident Response plan is aimed at outlining the response procedures that should take place when a network is being attacked or security is being compromised.

The Incident Response plan should assist an organization with dealing with the incident in an orderly manner. Reacting to network attacks by following a planned approach defined by a security policy is the better approach.

These security policies should clearly define the following:

  • The response to follow for each different type of incident.

  • The individual(s) who are responsible for dealing with these incidents.

  • The escalation procedures which should be followed.

An Incident Response plan can be divided into the following four steps:

  • Response: Determine how network attacks and security breaches will be dealt with.

  • Investigation:Determine how the attack occurred, why the specific attack occurred, and the extent of the attack.

  • Restoration: All infected systems should be taken offline and then restored from a clean backup.

  • Reporting: The network attack or security breach should be reported to the appropriate authorities.

Before you attempt to determine the existing state of a machine that is being attacked, it is recommended that you first record the information listed here:

  • The name of the machine.

  • The IP address of the machine.

  • The installed operating system, operating system version, and installed service packs.

  • All running processes and services.

  • List all parties that are dependent on the server. These are the individuals which you need to inform of the current situation.

  • Obtain the following valuable information:

    • Application event log information.

    • System event log information.

    • Security event log information.

    • All other machine specific event logs, such as DNS logs, DHCP logs, or File Replication logs.

  • Record all information which indicates malicious activities. This should include:

    • All files that have been modified, corrupted, or deleted.

    • All unauthorized processes running.

  • Try to identify and record the source of the network attack.