Chapter 1: Understanding Network Security Principles

Cisco Press

  • Salami attack: This is a collection of small attacks that result in a larger attack when combined. For example, if an attacker had a collection of stolen credit card numbers, he could withdraw small amounts of money from each credit card (possibly unnoticed by the credit card holders). Although each withdrawal is small, they add up to a significant sum for the attacker.

  • Data diddling: The process of data diddling changes data before it is stored in a computing system. Malicious code in an input application or virus could perform data diddling. For example, a virus, Trojan horse, or worm could be written to intercept keyboard input. It would display the appropriate characters on-screen so that the user would not see a problem. However, manipulated characters would be entered into a database application or sent over a network.

  • Trust relationship exploitation: Different devices in a network might have a trust relationship between themselves. For example, a certain host might be trusted to communicate through a firewall using specific ports, while other hosts are denied passage through the firewall using those same ports. If an attacker could compromise the host that had a trust relationship with the firewall, the attacker could use the compromised host to pass normally denied data through a firewall. Another example of a trust relationship is a web server and a database server mutually trusting one another. In that case, if the attacker gained control of the web server, he might be able to leverage that trust relationship to compromise the database server.

  • Password attack: A password attack, as the name suggests, attempts to determine a user’s password. As soon as the attacker gains the username and password credentials, he can attempt to log in to a system as that user, and therefore inherit that user’s set of permissions. Various approaches are available for determining passwords:

    • Trojan horse: A program that appears to be a useful application captures a user’s password and then makes it available to the attacker.

    • Packet capture: A packet-capture utility can capture packets seen on a PC’s NIC. Therefore, if the PC can see a copy of a plain-text password being sent over a link, the packet-capture utility can be used to glean the password.

    • Keylogger: A keylogger is a program that runs in the background of a computer, logging the user’s keystrokes. After a user enters a password, it is stored in the log created by the keylogger. An attacker then can retrieve the log of keystrokes to determine the user’s password.

    • Brute force: A brute-force password attack tries all possible password combinations until a match is made. For example, the brute-force attack might start with the letter a and go through to the letter z. Then the letters aa through zz are attempted, until a password is determined. Therefore, using a mixture of uppercase and lowercase letters in passwords, in addition to special characters and numbers, can help mitigate a brute-force attack.

    • Dictionary attack: A dictionary attack is similar to a brute-force attack, in that multiple password guesses are attempted. However, the dictionary attack is based on a dictionary of commonly used words, rather than the brute-force method of trying all possible combinations. Picking a password that is not a common word can help mitigate a dictionary attack.

  • Botnet: A software “robot” typically is thought of as an application on a machine that can be controlled remotely (for example, a Trojan horse or a back door in a system). If a collection of computers is infected with such software robots, called “bots,” this collection of computers (each of which is called a “zombie”) is known as a “botnet.” Because of the potentially large size of a botnet, it might compromise the integrity of a large amount of data.

  • Hijacking a session: Earlier in this chapter, you read about how an attacker could hijack a TCP session (for example, by completing the third step in the three-way TCP handshake process between an authorized client and a protected server). If an attacker successfully hijacked a session of an authorized device, he might be able to maliciously manipulate data on the protected server.
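The brute-force and dictionary password attacks described above usually show up in authentication logs as a burst of failed logins from one source. The routine below is an added example, not part of the chapter: it runs over constructed sshd-style log lines (the format, timestamps and addresses are assumed) and flags any source that reaches a failure threshold within a sliding window, separately noting a flagged source that then logs in successfully.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log lines in an sshd-like format (not from the chapter).
SAMPLE_LOG = """\
2024-05-01T10:00:01 sshd: Failed password for alice from 198.51.100.7
2024-05-01T10:00:03 sshd: Failed password for alice from 198.51.100.7
2024-05-01T10:00:04 sshd: Failed password for alice from 198.51.100.7
2024-05-01T10:00:06 sshd: Failed password for alice from 198.51.100.7
2024-05-01T10:00:08 sshd: Failed password for alice from 198.51.100.7
2024-05-01T10:00:09 sshd: Failed password for alice from 198.51.100.7
2024-05-01T10:00:11 sshd: Accepted password for alice from 198.51.100.7
2024-05-01T10:05:00 sshd: Failed password for bob from 203.0.113.5
2024-05-01T10:30:00 sshd: Failed password for bob from 203.0.113.5
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd: (?P<result>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<src>\S+)$"
)


def detect_guessing(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return ({source_ip: peak failures in window}, {sources that succeeded
    after being flagged}). A burst of failures is the guessing signal; a
    success right after that burst is the one to escalate first."""
    failures = defaultdict(list)   # src -> timestamps of failures still in window
    flagged = {}
    success_after_flag = set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                 # ignore lines that are not auth events
        ts = datetime.fromisoformat(m["ts"])
        src = m["src"]
        if m["result"] == "Failed":
            recent = [t for t in failures[src] if ts - t <= window]
            recent.append(ts)
            failures[src] = recent   # slide the window forward
            if len(recent) >= threshold:
                flagged[src] = max(flagged.get(src, 0), len(recent))
        elif src in flagged:
            success_after_flag.add(src)
    return flagged, success_after_flag
```

The two failures from 203.0.113.5 are 25 minutes apart, so they never accumulate inside the 60-second window and are not reported.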

Understanding Availability Attacks

Availability attacks attempt to limit a system’s accessibility and usability. For example, if an attacker could consume the processor or memory resources on a target system, that system would be unavailable to legitimate users.

Availability attacks vary widely, from consuming the resources of a target system to doing physical damage to that system. Attackers might employ the following availability attacks:

  • Denial of service (DoS): An attacker can launch a DoS attack on a system by sending the target system a flood of data or requests that consume the target system’s resources. Alternatively, some operating systems and applications might crash when they receive specific strings of improperly formatted data, and the attacker could leverage such operating system and/or application vulnerabilities to render a system or application inoperable. The attacker often uses IP spoofing to conceal his identity when launching a DoS attack, as shown in Figure 1-10.

Figure 1-10 Denial-of-Service Attack

  • Distributed denial of service (DDoS): DDoS attacks can increase the amount of traffic flooded to a target system. Specifically, the attacker compromises multiple systems. The attacker can instruct those compromised systems, called “zombies,” to simultaneously launch a DDoS attack against a target system.

  • TCP SYN flood: Earlier in this chapter you reviewed the three-way TCP handshake process. One variant of a DoS attack is for an attacker to initiate multiple TCP sessions by sending SYN segments but never completing the three-way handshake. As illustrated in Figure 1-11, the attacker can send multiple SYN segments to a target system, with false source IP addresses in the header of each SYN segment. Because many servers limit the number of TCP sessions they can have open simultaneously, a SYN flood can render a target system incapable of opening a TCP session with a legitimate user.

Figure 1-11 TCP SYN Flood Attack
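The distinguishing feature of the SYN flood just described is that the spoofed sources never send the ACK that completes the handshake, so their connections stay half-open. The tracker below is an added example, not the chapter's own code: it walks a constructed list of packet records (times, addresses and flag labels are assumed), clears an entry when the same client follows its SYN with an ACK, and reports any server whose half-open count from distinct sources reaches a threshold inside the window.

```python
from collections import defaultdict

# Constructed packet records (time_s, src_ip, dst_ip, tcp_flag); not chapter data.
# One legitimate client completes its handshake (SYN then ACK); forty spoofed
# sources send a SYN each and nothing else, as in Figure 1-11.
SAMPLE_PACKETS = [
    (0.0, "192.0.2.10", "10.1.1.5", "SYN"),
    (0.1, "192.0.2.10", "10.1.1.5", "ACK"),
] + [(0.2 + i * 0.01, f"203.0.113.{i}", "10.1.1.5", "SYN") for i in range(1, 41)]


def half_open_report(packets, window_s=5.0, threshold=20):
    """Return {server_ip: half_open_count} for servers holding at least
    `threshold` half-open connections (SYN seen, no completing ACK from the
    same client) within `window_s` of the last packet observed."""
    if not packets:
        return {}
    pending = {}                      # (client, server) -> time the SYN was seen
    for t, src, dst, flag in sorted(packets):
        key = (src, dst)
        if flag == "SYN":
            pending[key] = t          # a new (or retried) half-open connection
        elif flag == "ACK":
            pending.pop(key, None)    # third step of the handshake: no longer half-open
    last_t = max(p[0] for p in packets)
    per_server = defaultdict(set)
    for (src, dst), t in pending.items():
        if last_t - t <= window_s:    # expire stale entries outside the window
            per_server[dst].add(src)
    # Distinct sources matter: forged source addresses make the flood look like
    # many clients, which is exactly the pattern a legitimate burst does not show.
    return {dst: len(srcs) for dst, srcs in per_server.items() if len(srcs) >= threshold}
```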

  • ICMP attacks: Many networks permit the use of ICMP traffic (for example, ping traffic), because pings can be useful for network troubleshooting. However, attackers can use ICMP for DoS attacks. One ICMP DoS attack variant called “the ping of death” uses ICMP packets that are too big. Another variant sends ICMP traffic as a series of fragments in an attempt to overflow the fragment reassembly buffers on the target device. Also, a “Smurf attack” can use ICMP traffic directed to a subnet to flood a target system with ping replies, as shown in Figure 1-12. Notice in the figure that the attacker sends a ping to the subnet broadcast address of 172.16.0.0/16. This collection of pings instructs devices on that subnet to send their ping replies to the target system at IP address 10.2.2.2, thus flooding the target system’s bandwidth and processing resources.

NOTE For illustrative purposes, Figure 1-12 shows only three systems in the subnet being used for the Smurf attack. However, realize that thousands of systems could potentially be involved and send ping replies to the target system.

Figure 1-12 Smurf Attack
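The Smurf attack in Figure 1-12 has two observable halves: an echo request addressed to a subnet broadcast address on the way in, and echo replies from many hosts converging on one target on the way out. The functions below are an added example, not from the chapter: they run over constructed ICMP records (addresses and the local subnet list are assumed, with the figure's 172.16.0.0/16 and 10.2.2.2 reused) and pick out each half, which is the traffic an edge filter such as Cisco IOS's no ip directed-broadcast is meant to stop.

```python
import ipaddress
from collections import defaultdict

# Local subnets behind the border router (constructed; 172.16.0.0/16 is the
# subnet shown in Figure 1-12).
LOCAL_SUBNETS = [ipaddress.ip_network("172.16.0.0/16"),
                 ipaddress.ip_network("192.0.2.0/24")]

ECHO_REQUEST, ECHO_REPLY = 8, 0   # ICMP type values

# Constructed ICMP records (src_ip, dst_ip, icmp_type); not chapter data.
SAMPLE_ICMP = [
    ("10.2.2.2", "172.16.255.255", ECHO_REQUEST),   # request to the subnet broadcast,
                                                     # source spoofed as the target
    ("10.9.9.9", "172.16.0.1", ECHO_REQUEST),        # ordinary ping to one host
] + [(f"172.16.{i}.{i}", "10.2.2.2", ECHO_REPLY) for i in range(1, 31)]  # replies


def directed_broadcast_requests(records, subnets=LOCAL_SUBNETS):
    """Echo requests whose destination is the broadcast address of a local
    subnet: the inbound half of a Smurf attack, which the edge should drop."""
    bcasts = {str(n.broadcast_address) for n in subnets}
    return [r for r in records if r[2] == ECHO_REQUEST and r[1] in bcasts]


def reply_amplification(records, min_sources=10):
    """Hosts receiving echo replies from at least `min_sources` distinct
    senders: the outbound half, seen from the target's side."""
    sources = defaultdict(set)
    for src, dst, icmp_type in records:
        if icmp_type == ECHO_REPLY:
            sources[dst].add(src)
    return {dst: len(s) for dst, s in sources.items() if len(s) >= min_sources}
```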

  • Electrical disturbances: At a physical level, an attacker could launch an availability attack by interrupting or interfering with the electrical service available to a system. For example, if an attacker gained physical access to a data center’s electrical system, he might be able to cause a variety of electrical disturbances:

    • Power spike: Excess power for a brief period of time

    • Electrical surge: Excess power for an extended period of time

    • Power fault: A brief electrical outage

    • Blackout: An extended electrical outage

    • Power sag: A brief reduction in power

    • Brownout: An extended reduction in power

    To combat such electrical threats, Cisco recommends that you install uninterruptible power supplies (UPS) and generator backups for strategic devices in your network. Also, you should routinely test the UPS and generator backups.

  • Attacks on a system’s physical environment: Attackers could also intentionally damage computing equipment by influencing the equipment’s physical environment. For example, attackers could attempt to manipulate such environmental factors as the following:

    • Temperature: Because computing equipment generates heat (for example, in data centers or server farms), if an attacker interferes with the operation of the air conditioning system, the computing equipment could overheat.

    • Humidity: Because computing equipment is intolerant of moisture, an attacker could, over time, cause physical damage to computing equipment by creating a high level of humidity in the computing environment.

    • Gas: Because many gases are flammable, if an attacker injects gas into a computing environment, small sparks in that environment could cause a fire.

    Consider the following recommendations to mitigate such environmental threats:

    • Computing facilities should be locked, with no way in through a dropped ceiling, a raised floor, or any route other than a monitored point of access.

    • Access should require access credentials (for example, via a card swipe or a fingerprint scan).

    • Access points should be visually monitored (for example, via local security personnel or remotely via a camera system).

    • Climate control systems should maintain temperature and humidity and send alerts if specified temperature and humidity thresholds are exceeded.

    • The fire detection and suppression systems should be designed not to damage electronic equipment.

Best-Practice Recommendations

You now have a fundamental understanding of threats targeting network and computing environments. Cisco recommends the following best practices to help harden the security of your network:

  • Routinely apply patches to operating systems and applications.

  • Disable unneeded services and ports on hosts.

  • Require strong passwords, and enable password expiration.

  • Protect the physical access to computing and networking equipment.

  • Enforce secure programming practices, such as limiting valid characters that can be entered into an application’s dialog box.

  • Regularly back up data, and routinely verify the integrity of the backups.

  • Train users on good security practices, and educate them about social engineering tactics.

  • Use strong encryption for sensitive data.

  • Defend against technical attacks by deploying hardware- and software-based security systems (for example, firewalls, IPS sensors, and antivirus software).

  • Create a documented security policy for company-wide use.

Exam Preparation Tasks

Review All the Key Topics

Review the most important topics from this chapter, denoted with the Key Topic icon. Table 1-9 lists these key topics and the page where each is found.

Table 1-9 Key Topics for Chapter 1

Key Topic Element   Description                                           Page Number
List                Reasons for the severity of internal threats          10
List                The three primary goals of network security           12
Table 1-2           Government and military data classification example   14
Table 1-4           Data classification characteristics                   15
List                Classification roles                                  15
List                Security controls                                     16
List                Control types                                         17
List                Legal elements needed to make a case                  17
List                Three types of law                                    18
Table 1-5           Types of hackers                                      22
List                Categories of attacks                                 23
List                Defense in Depth recommendations                      25
Table 1-6           Defending against different classes of attacks        26
List                Three-way TCP handshake                               27
Table 1-7           Types of IP spoofing attacks                          28
List                Types of source routing                               29
Table 1-8           Confidentiality attack strategies                     32-33
List                Integrity attack methods                              34
List                Availability attack methods                           36
List                Best-practice recommendations                         40

Complete the Tables and Lists from Memory

Print a copy of Appendix D, “Memory Tables,” (found on the CD) or at least the section for this chapter, and complete the tables and lists from memory. Appendix E, “Memory Tables Answer Key,” also on the CD, includes completed tables and lists so that you can check your work.

Definition of Key Terms

Define the following key terms from this chapter, and check your answers in the glossary:

confidentiality, integrity, availability, preventive control, deterrent control, detective control, vulnerability, exploit, phreaker, Defense in Depth, IP spoofing, data diddling, salami attack, denial of service (DoS)

© Copyright Pearson Education. All rights reserved.

Copyright © 2009 IDG Communications, Inc.
