Monday, 3 March 2014

Explain the operation of different intruder detection systems (M1)

Firewall

A firewall can be either software or hardware. The firewall analyses incoming and outgoing network traffic and determines whether or not to allow each data packet through. Rules can be added to and removed from the firewall settings depending on what the user wants to block or allow through. Most operating systems come pre-loaded with their own firewall, as do most routers.

There are three main types of firewall: packet-filtering firewalls, stateful firewalls and proxy firewalls.

Packet-filtering firewalls, as the name suggests, analyse the packets that are attempting to pass through the firewall. The packet filtering is done using ACLs (access control lists). ACLs are essentially a set of rules that the packets must comply with to be allowed through the firewall. Provided the packets are deemed safe according to the ACLs, they will pass through the firewall. Packet filtering is the method used by first-generation firewalls. It was the first type of firewall to be used and it was very effective, but firewalls have evolved greatly since the first generation. The advantages of a packet-filtering firewall are that it has high performance and it is scalable. Packet filtering has weaknesses too: it does not work with advanced user authentication systems, most packet-filtering systems do not protect against spoofing, and if configured improperly they can be broken very easily.

A stateful inspection packet-filtering firewall keeps track of all communications between devices. This is achieved by retaining packets until enough information is available to make a judgement about the state of the connection they belong to. This type of filtering can be very effective as you can have more complicated rules, such as allowing traffic to an open port as long as it is in response to a request. The firewall maintains a table of all communication between devices, which makes it very effective. Although it uses more resources than a packet-filtering firewall, it doesn't incur as large a performance hit as a proxy firewall. Stateful firewalls are considered third-generation firewalls.
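
To make the difference between the stateless packet filter and the stateful filter concrete, here is an added example (not part of the original post) that models a tiny ACL-based packet filter in Python and then extends it with a connection table. The rule fields, the 5-tuple connection table, the ACL and the traffic are all constructed for this example; it mirrors how a stateful firewall decides, not any particular product.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str        # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    direction: str    # "in" = arriving from the untrusted side, "out" = leaving the trusted LAN


@dataclass(frozen=True)
class Rule:
    """One ACL entry; a field left as None matches anything."""
    action: str       # "allow" or "deny"
    direction: str
    proto: Optional[str] = None
    src_ip: Optional[str] = None
    src_port: Optional[int] = None
    dst_port: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return (self.direction == p.direction
                and (self.proto is None or self.proto == p.proto)
                and (self.src_ip is None or self.src_ip == p.src_ip)
                and (self.src_port is None or self.src_port == p.src_port)
                and (self.dst_port is None or self.dst_port == p.dst_port))


class PacketFilter:
    """Stateless (first-generation) filter: first matching ACL entry wins, default deny."""

    def __init__(self, acl):
        self.acl = list(acl)

    def decide(self, p: Packet) -> str:
        for rule in self.acl:
            if rule.matches(p):
                return rule.action
        return "deny"


class StatefulFilter(PacketFilter):
    """Same ACL plus a connection table: an inbound packet is allowed when it is the
    reply to a flow the trusted side opened, even if no ACL entry covers it."""

    def __init__(self, acl):
        super().__init__(acl)
        self.connections = set()   # 5-tuples of outbound flows that were allowed

    def decide(self, p: Packet) -> str:
        if p.direction == "out":
            verdict = super().decide(p)
            if verdict == "allow":
                self.connections.add((p.proto, p.src_ip, p.src_port, p.dst_ip, p.dst_port))
            return verdict
        # Inbound: reverse the 5-tuple and check whether the LAN asked for this traffic.
        if (p.proto, p.dst_ip, p.dst_port, p.src_ip, p.src_port) in self.connections:
            return "allow"
        return super().decide(p)


# Constructed ACL: the LAN may browse the web; the outside may only reach the mail server.
ACL = [
    Rule("allow", "out", proto="tcp", dst_port=80),
    Rule("allow", "out", proto="tcp", dst_port=443),
    Rule("allow", "in", proto="tcp", dst_port=25),
    Rule("deny", "in"),
    Rule("deny", "out"),
]
# The only way a stateless filter can let web replies back in: trust the source port.
ACL_SRCPORT_HOLE = ACL[:3] + [Rule("allow", "in", proto="tcp", src_port=443)] + ACL[3:]

# Constructed traffic: a browser request, its genuine reply, an unsolicited packet that merely
# copies the reply's port numbers from another host, and inbound mail.
TRAFFIC = [
    Packet("tcp", "10.0.0.5", 51000, "203.0.113.10", 443, "out"),
    Packet("tcp", "203.0.113.10", 443, "10.0.0.5", 51000, "in"),
    Packet("tcp", "198.51.100.7", 443, "10.0.0.5", 51000, "in"),
    Packet("tcp", "198.51.100.7", 40000, "10.0.0.2", 25, "in"),
]


def compare_filters():
    """Verdicts for TRAFFIC, in order, from each filter configuration."""
    filters = {
        "stateless": PacketFilter(ACL),
        "stateless_srcport_hole": PacketFilter(ACL_SRCPORT_HOLE),
        "stateful": StatefulFilter(ACL),
    }
    return {name: [fw.decide(p) for p in TRAFFIC] for name, fw in filters.items()}


if __name__ == "__main__":
    for name, verdicts in compare_filters().items():
        print(f"{name:24s} {verdicts}")
```

The plain stateless filter has to deny the genuine reply, because it arrives on a high-numbered port that no ACL entry covers. The only stateless way to let replies in is the `src_port=443` rule, and that rule also admits the unsolicited packet, which is the spoofing weakness the packet-filtering paragraph mentions. The stateful filter admits the reply only because it is the reverse of a flow the LAN opened, and still denies the unsolicited packet.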

A proxy firewall mediates the connection between trusted and untrusted sources. The proxy firewall receives all data before it reaches its actual destination. This means that when a request is received, the proxy firewall will analyse it before it sends it on to the destination host. The proxy firewall can analyse the packet all the way up to the application layer, which is more effective than other firewalls. It provides better protection than packet filtering and breaks the direct connection between trusted and untrusted systems. Proxy firewalls do come with complications: they can slow traffic performance, they only support a limited set of applications, and although breaking the connection between trusted and untrusted applications is good for security, it is bad for functionality.

Honeypot

A honeypot is a trap set to detect, deflect, or in some manner counteract attempts at unauthorised use of information systems. Generally, a honeypot consists of a computer, data, or a network site that appears to be part of a network but is actually isolated and monitored, and which seems to contain information or a resource of value to attackers. A honeypot isn't only used to detect attacks; it can also be used to capture the attacker's IP address and add it to the firewall of the actual server so that the hacker can't access it.

Intrusion Detection Systems (IDS)

An IDS can be either a device or software, and it is used to monitor the network for malicious activity and policy violations. There are two kinds of IDS: host intrusion detection systems (HIDS) and network intrusion detection systems (NIDS). With a NIDS, packets on the network are analysed to detect malicious code that the firewall may have missed. A HIDS analyses the data on each individual computer (host). IDSs can be active or passive. A passive IDS will notify the network administrator if it notices suspicious activity. An active IDS will detect the problem, act on it and send a notification to the network manager. The two ways an IDS can detect malicious packets are knowledge-based detection and behaviour-based detection.

Knowledge-based intrusion detection systems are far more common; they work much like anti-virus software. They hold a set of known attack methods, and if something on the network or on the host matches one of these, an alarm is triggered. The biggest advantage of this is that it has a very low false alarm rate. The disadvantage is that an attack has to have happened before for it to be known about; if it is a new attack, the chances are it will go undetected.

Behaviour-based intrusion detection systems base their alerts on the behaviour of users. If a user does something unexpected, the IDS will alert the system administrator. To determine what 'normal use' is, the IDS generates a model by various means and compares the user's actions to it. It can be very effective, as an attack does not have to be known about beforehand for it to be detected. It can also prevent users accessing things that they shouldn't, as well as playing a big part in the discovery of new exploits. The largest disadvantage of a behaviour-based IDS is that the false alarm rate is extremely high. This is a huge drawback and a nuisance that many network administrators don't want. Also, the behaviour model can change regularly: what is seen as perfectly safe one day could be seen as an exploit another day.
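
Here is an added example (not from the original post) that puts the knowledge-based and behaviour-based approaches side by side in Python: a signature check that matches constructed patterns against web-server log lines, and a baseline check that compares each host's request rate with its own learned history. The log lines, the signatures, the baseline figures and the three-standard-deviation threshold are all made up for the example.

```python
import re
import statistics

# Knowledge-based part: constructed signatures for three well-known request patterns.
SIGNATURES = [
    ("sqli_tautology", re.compile(r"(?i)('|%27)[\s+]*(or|and)[\s+]+\d+\s*=\s*\d+")),
    ("path_traversal", re.compile(r"(\.\./){2,}")),
    ("xss_script_tag", re.compile(r"(?i)<script|%3cscript")),
]

# Common-log-format line: ip ident user [timestamp] "request" status
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')

# Constructed sample log; the hosts and requests are made up for this example.
SAMPLE_LOG = [
    '10.0.0.5 - - [03/Mar/2014:10:00:01 +0000] "GET /index.html HTTP/1.1" 200',
    '198.51.100.7 - - [03/Mar/2014:10:00:02 +0000] "GET /login.php?user=admin\'+OR+1=1-- HTTP/1.1" 200',
    '198.51.100.7 - - [03/Mar/2014:10:00:03 +0000] "GET /../../etc/passwd HTTP/1.1" 404',
    '10.0.0.9 - - [03/Mar/2014:10:00:04 +0000] "GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200',
    'garbage line that does not parse',
]


def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def signature_alerts(lines):
    """Knowledge-based detection: every line whose request matches a known signature."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for name, pattern in SIGNATURES:
            if pattern.search(rec["req"]):
                alerts.append((rec["ip"], name))
    return alerts


def anomaly_alerts(baseline, current, k=3.0):
    """Behaviour-based detection: flag hosts whose request rate is more than k standard
    deviations above their own learned baseline. Hosts with no baseline are flagged too,
    which is exactly where this approach produces its false alarms."""
    alerts = {}
    for ip, count in current.items():
        history = baseline.get(ip)
        if not history or len(history) < 2:
            alerts[ip] = "no baseline for this host"
            continue
        mean = statistics.mean(history)
        spread = max(statistics.pstdev(history), 1.0)   # floor so a flat baseline is not hair-trigger
        threshold = mean + k * spread
        if count > threshold:
            alerts[ip] = f"{count} requests/min exceeds threshold {threshold:.1f}"
    return alerts


# Constructed baseline (requests per minute over five quiet minutes) and one current minute.
BASELINE = {"10.0.0.5": [4, 5, 6, 5, 5], "10.0.0.9": [10, 12, 11, 9, 13]}
CURRENT_MINUTE = {"10.0.0.5": 5, "10.0.0.9": 60, "172.16.0.3": 3}

if __name__ == "__main__":
    print(signature_alerts(SAMPLE_LOG))
    print(anomaly_alerts(BASELINE, CURRENT_MINUTE))
```

Run it and the signature check flags the two requests from 198.51.100.7 and the encoded script tag from 10.0.0.9, but says nothing about a flood of ordinary-looking requests; the behaviour check flags that flood, and also the host it has never seen before, which is the false-alarm tendency described above.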





Monday, 24 February 2014

Describe how networked systems can be protected (P2)

Protecting Network Systems

Securing Email

Spam is classed as sending emails to recipients who would not usually want or choose to receive the message, in an attempt either to scam them or to attract publicity to a certain website. Most spam is used for commercial advertising, often for things that aren't as legitimate as they may seem. Some spam is sent using email hoaxing, which makes the sender address appear to be someone else's in an attempt to gain interest; often, depending on the email provider, such messages will be discarded into the junk or spam folder. Luckily there are ways we can protect ourselves from spam, the main ones being S/MIME, email filtering and Spam Guard.

With many mailboxes a user can set up email filtering, which will sort all emails into selected folders, for example banking, statements, friends, etc. This is an effective way to send unexpected emails directly into a spam folder.

Spam Guard covers methods and protocols to protect against spam; here are the main ones. Users can use a DNS blackhole list (DNSBL) or a real-time blackhole list (RBL). Both of these methods recognise the DNS of the email sender, and if it matches a domain name on the blacklist the message will either be blocked or sent to the spam folder. Another way to protect emails is with S/MIME. This stands for Secure/Multipurpose Internet Mail Extensions and it is a widely used method of securing emails. This protocol will encrypt all incoming and outgoing emails, which is vitally important for any organisation that may be exchanging sensitive information.
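
As an added example (not the post's own), here is what a DNSBL lookup does at the protocol level: the mail server reverses the octets of the connecting server's IP address, appends the list's zone name, and asks DNS for an A record; a listed address answers with a 127.0.0.x value whose last octet says why it is listed, while an unlisted one gets NXDOMAIN. The zone name dnsbl.example, the listings, the meaning of the return codes and the stub resolver are all constructed so that it runs offline.

```python
import ipaddress

# Constructed zone and listings. A real DNSBL answers with an A record inside 127.0.0.0/8
# whose last octet encodes the reason for the listing; the codes below are this example's own.
DNSBL_ZONE = "dnsbl.example"
CONSTRUCTED_LISTINGS = {
    "7.100.51.198.dnsbl.example": "127.0.0.2",    # constructed: known spam source
    "10.113.0.203.dnsbl.example": "127.0.0.11",   # constructed: policy listing (e.g. end-user range)
}
# Internal relays never appear on a public list, so skip the lookup for them.
INTERNAL_NETWORKS = [ipaddress.IPv4Network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def dnsbl_query_name(ip, zone):
    """Build the name a DNSBL client queries: the octets reversed, then the list's zone."""
    addr = ipaddress.IPv4Address(ip)   # raises ValueError on malformed input before any DNS traffic
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def fake_resolve_a(name):
    """Stand-in for a DNS A lookup; None plays the part of NXDOMAIN (not listed)."""
    return CONSTRUCTED_LISTINGS.get(name)


def dnsbl_lookup(ip, zone=DNSBL_ZONE, resolve_a=fake_resolve_a):
    """Return the list's answer for ip, or None when it is not listed."""
    answer = resolve_a(dnsbl_query_name(ip, zone))
    if answer is None:
        return None
    if ipaddress.IPv4Address(answer) not in ipaddress.IPv4Network("127.0.0.0/8"):
        # Anything outside loopback means a broken or hijacked zone; never treat it as a listing.
        raise ValueError(f"unexpected DNSBL answer {answer} for {ip}")
    return answer


def classify_sender(ip, zone=DNSBL_ZONE, resolve_a=fake_resolve_a):
    """Decide what to do with a message from the connecting server's address."""
    addr = ipaddress.IPv4Address(ip)
    if any(addr in net for net in INTERNAL_NETWORKS):
        return "deliver"
    answer = dnsbl_lookup(ip, zone, resolve_a)
    if answer is None:
        return "deliver"
    code = int(answer.split(".")[-1])
    return "block" if code >= 10 else "spam-folder"   # constructed mapping of return code to action


if __name__ == "__main__":
    for sender in ("198.51.100.7", "203.0.113.10", "192.0.2.1", "10.0.0.5"):
        print(sender, dnsbl_query_name(sender, DNSBL_ZONE), classify_sender(sender))
```

The address to check is the one the connecting mail server actually used (taken from the last trusted Received header), not the From: address, which is exactly what email hoaxing forges. Each DNSBL documents its own return codes, so the code-to-action mapping here is only the pattern, not any real list's values.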


Securing Wireless Networks 

There are many ways of protecting yourself when using wireless networks. The most obvious is password-protecting the network using WEP or WPA/WPA2. Both methods encrypt data as it is broadcast on the wireless network. Wired Equivalent Privacy (WEP) encrypts data over a wireless network and is designed to provide the same level of security as a wired LAN. Wireless networks are broadcast using radio waves, meaning they are more vulnerable to tampering. WEP is considered a very weak method of encrypting data, which makes interception relatively easy if someone needed to. WPA stands for Wi-Fi Protected Access; it is another method used to secure wireless networks. WPA was designed to work with existing Wi-Fi products already configured with WEP and to improve upon WEP's security features. WPA is considered far more secure than WEP.

There are extra ways that a user can protect themselves on a wireless network. The first is to change the SSID of the network. The SSID is just the name that the network is identified by. By default the SSID will probably include the router provider's name, e.g. Netgear, Sky, Virgin. This makes it easy for a hacker to access the router settings, as the default username and password is generally the same on all models of each brand of router. Another way to protect the network is to disable DHCP unless it is absolutely necessary. DHCP assigns an IP address to each device when it connects to the network. Disabling this and giving each device a static IP address will help prevent unknown devices connecting to the network.

Lastly, a more complicated but more secure way of securing the network is using MAC association. MAC association is configured by providing the DHCP server (within the router settings) with a list of the MAC addresses of all the devices that you would allow to access the network. These devices will be assigned an IP address as usual when connecting, but devices that are not registered on this list will be unable to connect. It is possible to mask your MAC address and pretend to be another device, but this is very complicated and most hackers wouldn't waste the time.


Transmission media

There are two main types of cable for transferring data in a network: unshielded cable and shielded cable. Using shielded cable can provide more security, because with an unshielded cable an attacker would be able to place a tapping device on the cable and gain access to any data flowing through it. A shielded cable provides an extra layer of protection, meaning the attacker would not be able to listen in.


Personal Access Control

Personal access control gives users different methods to protect their data. These are:

  • Something you know - such as passwords, PINs, etc. This is the most common type of access control, although it certainly isn't the most secure. Anybody can potentially guess a password using specialist software.
  • Something you have - such as an ID card. This is often paired with 'something you know', which together provides quite a secure access method, but on its own it can be very insecure: if someone can get hold of an ID card then they have access to everything.
  • Something you are - such as fingerprints. This is definitely the most secure, as they can't be stolen or forged easily at all. It's still not a rock-solid access method though, as someone may force you to open whatever may be locked with the biometrics.








Monday, 27 January 2014

Describe How Networked Systems Can Be Attacked (P1 & D1)




How can a networked system be attacked?

 

Why might a system be attacked?

A hacker may attack a network for a number of reasons, the main reasons being:
  • Confidentiality
  • Authenticity
  • Integrity
  • Availability

 

The five steps all hackers adhere to are:

  1. Reconnaissance (Passive and Active)
  2. Scanning (IP scan, Port scan, OS scan)
  3. Gaining access
  4. Maintaining access
  5. Covering tracks

 

Networked systems can be attacked in various different ways. These are:

  • Social Engineering
  • Viruses
  • Worms
  • Rootkits
  • Trojans
  • Backdoors
  • Shrink-wrap code (dropper)
  • OS vulnerabilities
  • Misconfiguration
  • Phishing
  • Spyware and Adware
  • Keylogger
  • DoS & DDoS
  • Dictionary attack
  • Brute Force attack
  • Cross-site scripting
  • SQL injection
  • Google hacking

 

Social Engineering

Social engineering is a method of gaining important information. Social engineering is probably the most effective way of gaining sensitive information and also probably the easiest. There are two types of social engineering: person to person and computer based. Person to person, for example, you would ask a victim many questions whilst in conversation in order to discover the answers to their security questions. You could call them pretending to be someone else (IT support) to find their user ID and password. Alternatively you can use computer-based social engineering, known as phishing.

 

Phishing

Phishing is a term used to describe the act of attempting to acquire sensitive information by pretending to be a trusted source via electronic communication. This is often done with emails pretending to be from a bank or similar. The link they give will often be to a cloned site so that they can capture the user's details when entered.

 

Viruses

A virus infects another executable program and uses this carrier program in order to spread itself. The malicious code is injected into a previously safe program, and once this program is run the virus will spread and start to cause damage in whichever way it has been designed to. Viruses can be injected into many types of program, the most common being macros, games, email attachments, Visual Basic scripts and animations. A virus will perform tasks without authentication from, or the knowledge of, the end user.

 

Worms

Worms and viruses are very similar, although worms do not need a carrier program in order to infect the computer. A worm is very clever and will self-replicate and move from host to host. The worm will spread from system to system automatically, unlike a virus, which needs a carrier program. Like a virus, a worm will perform tasks without authentication from, or the knowledge of, the end user.

 

Rootkits

A rootkit is a very dangerous tool that hackers can use. The reason that it is so dangerous is that it is a set of software tools that enable an unauthorised user to gain control of a computer system without being detected. The reason it is largely undetectable by standard anti-virus is that it is injected into the kernel of the computer, the base and core of the operating system. Anti-virus software is designed to scan the operating system and all applications and files on it; the kernel, in chronological order, comes before the operating system, therefore malicious code in the kernel goes undetected. There are specific rootkit-removal kits that can be downloaded, but they are not as popular as standard anti-virus and few people are aware of their importance.

 

Trojans & Backdoors

A trojan is a malicious piece of code disguised as a benign application or program, often one seen as desirable by the end user. Once a trojan has been downloaded, the hacker has access to that computer. Trojans can be the gateway to theft, data loss and system crashes. A backdoor is a method of bypassing normal authentication and securing illegal remote access to a computer while attempting to remain undetected. The backdoor may take the form of an installed program and can also be created in the system through a rootkit.

 

Shrink-wrap code (Dropper)

Shrink-wrap code is malicious code that is concealed within a perfectly acceptable application that may be trusted by thousands. For example, the macros in Microsoft Word can be used by a hacker to execute different programs from within the system.

 

OS Vulnerabilities & Misconfiguration

Many network administrators install the network operating system with the default settings. This can cause problems; for example, when installing Windows Server the default setting is for there to be a guest user, and many hackers use this to gain access. Misconfiguration can cause problems as the system may be configured with the lowest security settings, which can result in vulnerabilities and attacks.

 

Adware and Spyware

Spyware is a program installed on a computer that, whenever the computer connects to the Internet, sends information from the user's computer to whoever controls the spyware, without the user's knowledge. Adware is software that is installed together with other software or via ActiveX controls on the Internet. This is often done without the user's knowledge, or without any disclosure that it will be used for obtaining personal information. Adware usually obtains information such as the user's passwords, email addresses, web browsing history and online buying habits.

 

Keylogger

A keylogger can be either hardware or software. A hardware keylogger is a small attachment on the keyboard port. A software keylogger is a piece of software that listens for and logs the keystrokes of the keyboard. Many anti-virus products could pick up a keylogger, but keyloggers can run in 'stealth mode' to try and prevent this. Some paid keyloggers can be installed into the kernel of the operating system, thereby avoiding the anti-virus altogether. Keyloggers also contain extra functions, like the ability to take screenshots and record mouse clicks.

 

DoS and DDoS

DoS stands for Denial of Service. This type of attack sends many ping commands to a server; the aim is to make the server so busy returning the pings that it denies service to legitimate users (access to the website). DoS attacks can be blocked easily: the network administrator can simply block connections from the computer sending the pings. This is where a DDoS is used. DDoS stands for Distributed Denial of Service, and like a DoS attack it involves pinging a victim's server, only this time from as many computers as possible so that the victim can't simply block one IP address. Spoofing is a type of DDoS: instead of gaining access to many computers for a DDoS, a hacker can ping an entire network pretending to be the victim (using the victim's credentials), so when all computers in the network return the ping, they return it to the victim's computer. This is a very efficient but complex method for a DDoS.

 

Dictionary and Brute Force

A dictionary attack uses a piece of software to crack a password. The software uses dictionary entries to guess the password for an account, and simply runs until it finds a match. This is the reason many sites now require a user to add capitals, numbers and alpha-numerics as well as letters in their password, to minimise the success of dictionary attacks. A brute force attack is very similar to a dictionary attack, only a brute force attack formulates every combination of every symbol that can be used in a password, for any length. A brute force attack can take a very long time, especially for long passwords, but with powerful software such as John the Ripper (a multi-platform password cracker) brute force attacks are very common.
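
As an added example (not from the post), here is a password-policy check written from the defender's side of the dictionary and brute force attacks described above. It reverses the common letter substitutions and strips a trailing number before consulting a wordlist, because a dictionary attack applies those same rules in the other direction, and it works out the size of the keyspace an exhaustive search over the password's own alphabet would have to cover. The wordlist, the substitution table and the policy thresholds are constructed for the example.

```python
import string

# Constructed wordlist; real dictionary attacks use lists with millions of entries.
CONSTRUCTED_WORDLIST = {"password", "letmein", "qwerty", "football", "welcome", "monkey"}

# Undo the most common character substitutions before the dictionary check, because a
# dictionary attack applies the same substitutions in the other direction.
SUBSTITUTIONS = str.maketrans("@$01!3", "asoiie")


def normalise(password):
    """Lower-case, drop a trailing number, reverse substitutions: 'P@ssw0rd1' -> 'password'."""
    base = password.lower().rstrip(string.digits)
    return base.translate(SUBSTITUTIONS)


def in_dictionary(password):
    return normalise(password) in CONSTRUCTED_WORDLIST


def classes_present(password):
    """Alphabet sizes of the character classes the password actually uses."""
    checks = (
        (any(c.islower() for c in password), 26),
        (any(c.isupper() for c in password), 26),
        (any(c.isdigit() for c in password), 10),
        (any(c in string.punctuation for c in password), len(string.punctuation)),
    )
    return [size for present, size in checks if present]


def brute_force_keyspace(password):
    """Candidates an exhaustive search over the password's own alphabet and length must try."""
    return sum(classes_present(password)) ** len(password)


def check_policy(password, min_length=12, min_classes=3):
    """Return the list of policy failures; an empty list means the password is acceptable."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if len(classes_present(password)) < min_classes:
        problems.append(f"fewer than {min_classes} character classes")
    if in_dictionary(password):
        problems.append("dictionary word, possibly with substitutions or a trailing number")
    return problems


if __name__ == "__main__":
    for candidate in ("P@ssw0rd1", "Tr0ub4dor&3", "correcthorsebatterystaple", "xK9#qpL2vw$Rt"):
        print(f"{candidate:28s} keyspace~{brute_force_keyspace(candidate):.2e} {check_policy(candidate)}")
```

The keyspace comparison makes the paragraph's point explicit: 'P@ssw0rd1' satisfies a "capitals, numbers and symbols" rule yet still falls to the wordlist once the substitutions are reversed, while the long all-lowercase passphrase has a far larger brute-force keyspace than the short mixed-class one. Length does more for the brute-force figure than any extra character class.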


Cross-Site Scripting (XSS)

Cross-site scripting is a vulnerability found in web applications that is used to inject malicious code. The vulnerabilities that allow this are widespread, and they can occur in any part of an application that takes user input and produces output without validating or encoding it. The victim will view the web page and can then be infected without even knowing, because the page will usually appear as normal. XSS can be used to gain credentials and bypass access controls.
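
Here is an added example (not from the post) showing the "takes user input and produces output without validation or encoding" defect beside its fix, using Python's standard library html and urllib.parse modules. The comment string and the link values are constructed; the point is that the encoding has to match the context the value lands in (HTML body, attribute, or URL).

```python
import html
import urllib.parse

# Constructed user input of the kind a comment form or search box might receive.
CONSTRUCTED_COMMENT = "<script>alert(1)</script>"


def render_comment_vulnerable(comment):
    """The 'before': user input is concatenated straight into the page, so markup in it runs."""
    return f"<p>{comment}</p>"


def render_comment_fixed(comment):
    """The fix for HTML body context: entity-encode, so the browser shows the text instead of running it."""
    return f"<p>{html.escape(comment)}</p>"


def render_link_fixed(label, url):
    """Attribute context: quotes must be encoded too, and the URL scheme checked, because
    encoding alone does not stop a javascript: URL from running when the link is clicked."""
    scheme = urllib.parse.urlsplit(url).scheme.lower()
    if scheme not in ("http", "https"):
        url = "#"
    return f'<a href="{html.escape(url, quote=True)}">{html.escape(label)}</a>'


def search_url_fixed(query):
    """URL query context: percent-encode, so the value cannot add or alter parameters."""
    return "/search?q=" + urllib.parse.quote(query, safe="")


if __name__ == "__main__":
    print(render_comment_vulnerable(CONSTRUCTED_COMMENT))
    print(render_comment_fixed(CONSTRUCTED_COMMENT))
    print(render_link_fixed("docs", 'https://example.com/?q="'))
    print(render_link_fixed("click", "javascript:alert(1)"))
    print(search_url_fixed("a&b=c"))
```

Input validation on the way in is worthwhile, but it is output encoding for the right context that closes the vulnerability the paragraph describes: the same string is harmless once the browser sees `&lt;script&gt;` instead of a tag.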


SQL Injection

SQL injection is a technique used to collect sensitive data from a website's database; this is done by putting an SQL query into the input data on the website. A successful SQL injection will allow an attacker to gain sensitive information from the database, as well as allowing the attacker to modify data and execute operations of their choosing on the database. To prevent this type of attack, all entry fields must be correctly filtered to disallow any scripts running.
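
Here is an added example (not from the post) of the injection described above next to the standard fix, a parameterised query, using Python's built-in sqlite3 module on a constructed in-memory users table. The table contents and the crafted input are made up for the example. Filtering input, as the post advises, is a useful second line of defence, but binding parameters is what actually stops input from being interpreted as SQL.

```python
import sqlite3


def build_database():
    """Constructed in-memory users table standing in for a website's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "hash-of-alice"), ("bob", "hash-of-bob")])
    return conn


def find_user_vulnerable(conn, username, password_hash):
    """The vulnerable form: input is pasted into the query text, so a quote in the input ends
    the string literal and whatever follows is executed as SQL."""
    query = (f"SELECT username FROM users WHERE username = '{username}' "
             f"AND password_hash = '{password_hash}' ORDER BY username")
    return [row[0] for row in conn.execute(query)]


def find_user_fixed(conn, username, password_hash):
    """The fix: a parameterised query. The values are bound as data by the database driver
    and can never change the structure of the statement."""
    query = ("SELECT username FROM users WHERE username = ? AND password_hash = ? "
             "ORDER BY username")
    return [row[0] for row in conn.execute(query, (username, password_hash))]


def demo():
    """Run both forms with a normal login and with constructed crafted input."""
    conn = build_database()
    crafted = "' OR 1=1 --"   # constructed: closes the literal, makes WHERE true, comments out the rest
    return {
        "vulnerable_normal": find_user_vulnerable(conn, "alice", "hash-of-alice"),
        "vulnerable_crafted": find_user_vulnerable(conn, crafted, "anything"),
        "fixed_normal": find_user_fixed(conn, "alice", "hash-of-alice"),
        "fixed_crafted": find_user_fixed(conn, crafted, "anything"),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:20s} {result}")
```

With the crafted input the vulnerable query returns every user without checking a single password hash, while the parameterised query returns nothing, because the driver looked for a user literally named `' OR 1=1 --`.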


Google Hacking

Google hacking is a term used to describe when an attacker uses a Google search to uncover vulnerabilities of a website. The Google Hacking Database (GHDB) is a database of queries that can identify sensitive data. Google does in fact attempt to prevent hackers from gaining access to this information, but it is virtually impossible to stop an attacker from crawling websites and launching the GHDB queries against the crawled content. Using this information, hackers can essentially see a list of websites that may be vulnerable to attack. The database contains information such as login portal pages, passwords and sensitive directories.

Recent Security Breaches


Evernote

The popular note-taking software service Evernote had to reset the passwords of all of its 50 million users following a network breach. The company did not find any indication that content or payment information was stolen. However, usernames, email addresses, and encrypted passwords of users were accessed.

Twitter

On the 1st of February 2013, Twitter announced it had been subjected to unauthorised access attempts over the course of a week. Attackers were trying to gain user account information such as usernames, email addresses, session tokens, and encrypted versions of passwords. Twitter said approximately 250,000 users' accounts were breached, including those of corporate employees and reporters. Twitter said the attack was not the work of amateurs, and the methods used were extremely sophisticated.