Flylib.com

Books Software

 
 
 

Category list


Similar pages

Nonessential Services and Protocols


Buy on amazon.com >>
Crayton Ch. A.
    << Previous page
    Table of contents
    Next page >>
     < Day Day Up > 

    Nonessential Services and Protocols

    Many of the operating systems available today can be made to be somewhat secure. Unfortunately, it is common for many default installations of operating system software packages to leave systems vulnerable to outside attack. For security purposes, it is essential that you stop (disable) any unneeded services and remove or unbind any unnecessary protocols that are not needed by a system that has direct connection to an outside influence such as the Internet.

    If you are using the Windows operating system and have an external connection to the Internet, you should consider removing the following protocols from your external NIC cards TCP/IP protocol bindings. This can be accomplished through the Windows Control Panel:

    • Server

    • Workstation

    • NetBIOS interface

    You should also consider removing or disabling the following services from a system if they are not needed. Keep in mind that disabling particular services might render a system useless for particular tasks :

    • Computer browser service

    • IIS Admin service

    • FTP Server service

    • Spooler service

    • Netlogon service

    • DHCP (Dynamic Host Configuration Protocol)

    It is likely that the exam will ask you what unused services should be removed or disabled from a system to reduce the risk of malicious attack.

    From a network as well as operating systems perspective, the following items should always be taken into consideration when hardening an environment from outside destructive forces:

    • Always apply the most recent hot-fixes and service packs available from your operating systems manufacturer.

    • Block all TCP/IP and UDP ports that are not needed for network traffic. As a general rule, block TCP port 139 and UDP ports 137 and 138.

      Note 

      It is likely that the exam will target this issue. The blocking of these ports should be on the first page of any Security 101 book or procedure.

    • Enable a strong password structure.

    • Enable auditing and logging .


     < Day Day Up > 
     < Day Day Up > 

    Attack Methods

    You hear about them on the radio, you read about them in the newspapers and in newsgroups. They are receiving more and more media attention than ever. If you are unlucky enough, you might experience them first hand on your home PC or your office workstation. They are computer attacks! Computer attacks, intrusions, and information theft are well on the rise. If companies and PC owners alike do not invest in the proper resources such as training, information security personnel, and proper hardware and software to prevent the continuing growth of this illegal activity, there might soon be nothing left but metal boxes and electronic circuitry . Your company and your country need you to get educated and Security+ certified!

    This section concentrates on the most common types of computer attack methods that you are most likely to encounter on the current Security+ exam. In order for you to protect your network or PC, it is first important to gain an understanding of the methods intruders use to break into your system and ultimately, your privacy. We will concern ourselves with intrusion detection and protection later in this book. For now, here are the most common attack methods used to bypass security access controls and compromise your information or system.

    Note 

    It is very important that you understand each of these attack methods. It is likely that the exam will present you with a scenario. You will then have to choose which type of attack method is being implemented.

    Brute Force Attack

    A brute force attack comes in the form of a program that uses trial and error methods to guess or figure out passwords, encrypted keys, or PINs. This form of attack uses all possible combinations of characters and words in order to figure out a solution. Many administrators use software called LOphtcrack from Lopht Heavy Industries, which implements brute force algorithms to crack or test their own passwords. Brute force is considered to be a reliable but very exhaustive and time-consuming attack method. An excellent way to avoid this type of attack is to implement an OTP (One Time Password) authentication method. With OTP, a password can be used only once to access a resource. After that, the password is no good.

    Birthday Attack

    A birthday attack is the name used to identify a form or class of brute force attack that attempts to resolve a certain class of cryptic hash functions. The birthday attack gets its name from the birthday paradox , which states that for every 23 people, the probability that two will share the same birthday is greater than half. The birthday attack uses a formula based on this concept to calculate often collisions in hash functions.

    Denial of Service (DoS) Attacks

    A Denial of Service (DoS) attack is most commonly launched as a malicious attack with the intent of disabling or removing computer services or resources that are normally available. Although sometimes unintentional or accidental, most DoS attacks are intended to stop or destroy network related services such as Web sites or e-mail. Typically, this type of attack is designed to render a network or related service useless by flooding the network with worthless or useless network traffic. The following six attack methods are types of DoS attacks:

    • Buffer overflow attack: A buffer is a temporary data storage area, usually RAM (Random Access Memory) that holds a predefined amount of data that is shared by programs and devices. If a buffer gets full, data that is meant to be held in a particular buffer might overflow or go elsewhere, possibly overwriting data held in other buffer storage locations. Knowing this, attackers can target specific systems or network nodes with malicious packets they suspect might have been developed with weaknesses. A buffer overflow is the most typical type of DoS attack and can render a system or its resources useless.

    • SYN attack: When a session or request from a TCP (Transmission Control Program) sender or client and a network file server or host is started, a SYN (synchronize/start) request is sent to the host from the client. The host must answer with a SYN acknowledgement (ACK) before a complete connection is established. This request and acknowledgement between client and host is known as handshaking . There is a small buffer that exists on the host that handles the constant handshaking or transfer of acknowledgement packets before sessions are established completely. This buffer contains a SYN field , which identifies the sequence in the message exchange. Possible attackers can send packets to the host systems requesting a connection and fail to respond to the SYN acknowledgement. This type of attack leaves the SYN (synchronize/start) packet request in the buffer blocking other legitimate requests from being acknowledged . In other words, the attacker stops or impedes the ability of the server to establish or hand out sessions to clients . To best prevent this type of attack, administrators should implement the following operating system changes:

      • Increase the size of the connection buffer (SYN ACK queue).

      • Decrease the time-out waiting for the three-way handshake.

      • Obtain and employ vendor software patches that detect and avoid this type of attack.

    • Teardrop attack: IP (Internet protocol) uses a special technique to divide large network packets into what are called fragments . When fragment reassembly code does not properly handle the repackaging of these fragments into packets, a weakness is exposed. An attacker can insert code into these fragments before they are properly put back together. This method can exploit networks and cause systems to fail. Special vendor patches are the recommended solution to this weakness.

    • Ping of death attack: The IP protocol places a sending packet size limitation of 65,536 bytes per packet sent on an IP network. As mentioned earlier, IP can break down a packet into IP fragments or segments before they are sent out on a network. A known weakness of this method is that fragmented packets can be reassembled to equal a packet size greater than the 65,536 IP limit. Operating systems that attempt to receive these oversized packets can be overburdened with the reassembly of these confusing packets and crash. In order to hide the identity of the attacker, spoofing (mentioned again, shortly) can also be implemented during the type of DoS attack. Once again, operating system patches and protecting a network from Internet control message protocol (ICMP) broadcast messages at a network router or firewall are the recommended ways to protect a network from this attack method.

    • Smurf attack: This is another DoS attack where an attacker or perpetrator floods an IP network with echo replies in response to ping messages sent out by a victim. The packets that flood the network are sent to all possible IP nodes on a given network congesting the network until it is useless for normal IP traffic. The attacker typically uses a technique known as spoofing to carry out this attack. The packets are spoofed, meaning they are sent out with someone else’s return address. The best-known method of defending against a Smurf attack is to disable IP multicast broadcast addressing at each router on each subnet (sub-network) within a corporate network.

    • Land attack: This is another DoS attack where a malicious attacker attempts to set up a TCP session with a server computer. If the server establishes a session with the attacker, the server will fall into a closed loop and will have to be rebooted. This is also a form of IP spoofing.

    Dictionary Attack

    This type of attack typically uses a predefined list of words such as those found in an English dictionary. The attacking program runs through the list of words until it finds a match to the password it is searching for. Today, a brute force attack is used more commonly to calculate a password or figure out combinations of words in place of this outdated method of using predefined lists. A successful dictionary attack can be avoided by keeping password databases and lists in secured and secret areas of a network. Also, passwords stored in a database should be stored in a one-way hashed fashion or form. A one-way hash is a mathematical function that is difficult to reverse; it takes a variable-length input string and converts it into a fixed-length binary sequence. In simple terms, it makes the passwords hard to crack.

    Man-in-the-Middle Attack

    With this type of attack, the attacker uses a program that places them between the sender of information and the receiver, appearing to the sender as a client, and appearing to the receiver as a server. While “in the middle,” the attacker can intercept data and information and replace it with bad or destructive information.

    Note 

    A Man-in-the-Middle attack is not considered a DoS attack. You might be expected to know this on the exam. Be able to differentiate the individual attack methods as well as the attack types.

    Replay Attack

    A replay attack is considered a form of degradation of service attack as opposed to a Denial of Service attack. With a replay attack, small bursts of traffic are sent from multiple locations to a single host. This inundates the host with traffic. The functionality of the host declines over time until it is basically unable to provide resources and services.

    In order to combat and prevent this type of attack, the IETF (Internet Engineering Task Force) Internet Protocol Security IPSec standard uses an anti-replay protocol. This protocol makes it virtually impossible for packets to be intercepted by code inserting hacking programs that hijack packets transmitted between source and destination systems. In other words, use the IPSec standard to provide packet-level security and avoid this type of attack.

    TCP/IP Hijacking

    In networking security terms, hijacking means taking control of a communication session while it exists. There are several types of hijacking techniques used by modern-day hackers and would-be thugs. A man-in the-middle attack (mentioned earlier in this chapter) is a type of hijacking attack. There are also DNS (Domain Name Server) hijacking techniques.

    With a basic TCP/IP hijack, a perpetrator can gain control of a communication session if his or her attacking program can acquire a random initial sequence number (ISN) that is used by two systems to start a packet transmission sequence. This is an older form of hijacking that has supposedly been addressed in IPv6 (Internet protocol Version 6).

    For an excellent description of TCP port hijacking, please see the information located at http://cs.baylor.edu/~donahoo/NIUNet/hijack.html .

    Password Crackers

    Password crackers are programs such as Lophtcrack that can figure out easily passwords that are secret or encrypted. Password cracker programs can employ (for free) attack methods such as brute force, dictionary attacks, and other methods to break passwords.

    Sniffers

    Sniffers are programs or devices that gather network packets. They can be used for legitimate network administration purposes, such as monitoring network traffic, or for destructive and illegal purposes, such as extracting passwords, user IDs, PINs, credit card numbers , and other personal information. Sniffers are very dangerous tools in the wrong hands because they can be placed or inserted just about anywhere in a network and can go undetected easily avoiding intrusion detection implementations .

    Spamming

    Spam is the unsolicited proliferation of electronic advertisements, junk e-mail messages, and newsgroup postings on the Internet. “You’ve got spam” has become a familiar phrase among e-mail junkies. In short, it is considered rude and indecent to send or proliferate spam. Spam is often compared to those obnoxious phone calls you receive, while enjoying your dinner, asking you to change your phone service or purchase another wonderful plastic “I want to go further into debt” credit card.

    Spoofing Attack

    Spoofing is a technique used to pretend to be someone or something that one is not in order to gain access to a resource that belongs to another. Spoofing is most commonly used to fake an e-mail or IP address. As mentioned earlier in this chapter, most DoS attacks involve some sort of spoofing technique.

    Social Engineering

    Social engineering sounds like a pretty constructive and harmless set of words, doesn’t it? Don’t be fooled! Social engineering is like a spoofing attack. It means to fool someone or something into allowing unauthorized access with intent to cause destruction or obtain information illegally. Social engineering is based on the theory that humans are generally trustworthy. With this in mind, the social engineer or hacker typically uses a computer or phone to pursue their victims into providing information.

    Another form of social engineering is known as reverse social engineering whereby a hacker pretends to be an authoritative figure. While acting as the superior authority, the hacker is asked questions by company employees . Using this technique, the hacker can then gain useful information from the employee to access records, information, or bypass security measures. The receiving of fraudulent e-mail is a perfect example of social engineering.

    Note 

    You must know the difference between spoofing, spamming, and social engineering. It is likely that the exam will bombard you with questions in an attempt to trick you here.


     < Day Day Up > 

    Buy on amazon.com >>
    Crayton Ch. A.
      << Previous page
      Table of contents
      Next page >>

      Similar products

       
      flylib.com © Copyright 2008-2013. All Rights Reserved.
      if you may any questions please contact us: flylib@qtcs.net
      Privacy policy