KEMBAR78
Chapter1 intro network_security_sunorganised | PPT
BU
Uploaded byBule Hora University
PPT, PDF308 views

Chapter1 intro network_security_sunorganised

The document provides an overview of network security concepts. It begins by defining various types of malware like viruses, worms, spyware, ransomware, and trojans. It then discusses security policies, information security, aspects of information security including threats and vulnerabilities. It defines network security and its goals of confidentiality, integrity and availability. It describes aspects of network security including privacy, message integrity, authentication and non-repudiation. It then discusses cyber security and its main categories. It defines the different levels of impact from security breaches and types of attacks like passive, active, interruption, fabrication and modification. Finally, it provides an overview of networking devices and protocols at different layers of the OSI model as well as firewall

Downloaded 13 times
Chapter 1 Introduction to Network Security Fifth Edition by William Stallings 1
Introduction What Is Malware? The term "malware" is a combination or blend of two words - malicious and software, and it means malicious software that can be utilized to harm any system, or network, or mobile devices or even the servers. These are unpleasant programs installed without any proper or actual user consent that can damage the performance of your system, erase your data, and mine your personal data. They can be even controlled remotely by malicious cybercriminals. So, from these activities, it is now clear that these malicious programs need to stop accessing any system. Security professionals and analysts are hired in almost all companies to keep track of all systems, networks, and servers to see if there is any malicious activity getting performed or not, or whether there is any data leakage and stealing happening within the organization's network or not. Malware may come from unknown phishing sites, spam emails, or unauthorized or illicit external USB or flash drives. Types of Malware Certain common types of malware can be seen in the wild. These are listed below: • Viruses • Worms • Spyware • Ransomware • Rootkits • Bots • Trojans • Adware
Introduction What Is Computer Virus? Computer viruses are malicious codes that can contaminate multiple files on any system. They get spread when these infected files are sent over emails or via flash or external drives and can replicate and delete useful information. Viruses are of different types: • Boot sector virus. • Polymorphic virus. • Web scripting virus. • Browser hijacking virus. • Direct action virus. • Resident virus. • File infectors. • Multipartite virus. • Macro virus.
Introduction What is Computer Worm? -Computer Worms are particular types of malware that are self-replicating, and through this technique, they spread to another computer. It gets spread by itself through the computer networks or by the use of other flash drives. What is Spyware? -Spywares are unwanted programs that will spy on your system without your knowledge and will steal your sensitive data and other browsing information and will or will take access to your system to damage it. What is Ransomware? -Ransomware's are malicious programs that will encrypt all your system's data and will ask for a ransom to decrypt these files. They take the support of the Bitcoins to get the ransom. What is Rootkit? -A rootkit is a unique harmful program used by cybercriminals to take privileged access to any system by hiding its presence in that system. What is Trojan? -A trojan is programmed for a particular purpose and can be destructive. They act as legitimate files but can bring unexpected changes to your system even when your system is in an idle state. What is Adware? -Adware is malicious software that will hide and will periodically pop up with ads. Some of them also keep track of your online activities and searches. How to Keep the Systems Safe From Malware and Viruses.These are some steps you can follow to protect yourself • Install Anti-Virus/Anti-Malware Software. • Make sure your Anti-Virus software is up to date. • Run scheduled scans for malicious threats and programs using your anti-virus software regularly. • Keep your Operating System updated. • Secure your network with WPA3, honey-pots, strong authentication mechanisms, and passwords. • Think before clicking any malicious or unknown links. • Keep a backup of your work and personal information safe. • Never use any public Wi-Fi while using your corporate work or using your company's system.
Security Policies This is a set of rules and procedures set up for all employees and individuals as to how the assets and information of that organization will be accessed and utilized. Various security policies will permit the employees to enforce corporate assets with rules and specific actions. These security policies are set on the firewalls of the network, which after all brings certain security restrictions on corporate data and other digital assets: • Security on specific file formats. • NAT (Network Address Translation). • Quality of Service (QoS), decryption procedures. • Policy-Based Forwarding (PBF). • Application Overriding policies. • Authentication policies. • Zone protection policies. • Denial of Service (DoS) prevention. These are some of the major policies set up in any organization or firm. All these diverse policies function jointly for allowing, denying, forwarding data packets, encrypting and decrypting packets, authenticating particular access, making exceptions, and prioritizing data packets as required for preserving the security of the organization's network.
information Security • Information security, sometimes shortened to infosec, is the practice of protecting information by mitigating information risks. It is part of information risk management. • Information Security is basically the practice of preventing unauthorized access, use, disclosure, disruption, modification, inspection, recording or destruction of information. Information can be physical or electrical one. 6
Aspects of information Security  3 aspects of information security:  security attack  security mechanism (control)  security service  note terms  threat – a potential for violation of security  vulnerability – a way by which loss can happen  attack – an assault on system security, a deliberate attempt to evade security services 7
Network security • Network security is protection of the access to files and directories in a computer network against hacking, misuse and unauthorized changes to the system. • Network security consists of the policies and practices adopted to prevent and monitor unauthorized access, misuse, modification, or denial of a computer network and network-accessible resources 8
Goal of network security The primary goal of network security are Confidentiality, Integrity, and Availability. These three pillars of Network Security are often represented as CIA triangle. • Confidentiality − The function of confidentiality is to protect precious business data from unauthorized persons. Confidentiality part of network security makes sure that the data is available only to the intended and authorized persons. • Integrity − This goal means maintaining and assuring the accuracy and consistency of data. The function of integrity is to make sure that the data is reliable and is not changed by unauthorized persons. • Availability − The function of availability in Network Security is to make sure that the data, network resources/services are continuously available to the legitimate users, whenever they require it. 9
Aspects of network security • Privacy: Privacy means both the sender and the receiver expects confidentiality. The transmitted message should be sent only to the intended receiver while the message should be opaque for other users. Only the sender and receiver should be able to understand the transmitted message as eavesdroppers can intercept the message. Therefore, there is a requirement to encrypt the message so that the message cannot be intercepted.. • Message Integrity: Data integrity means that the data must arrive at the receiver exactly as it was sent. There must be no changes in the data content during transmission, either maliciously or accident, in a transit. As there are more and more monetary exchanges over the internet, data integrity is more crucial. The data integrity must be preserved for secure communication. • End-point authentication: Authentication means that the receiver is sure of the sender?s identity, i.e., no imposter has sent the message. • Non-Repudiation: Non-Repudiation means that the receiver must be able to prove that the received message has come from a specific sender. The sender must not deny sending a message that he or she send. The burden of proving the identity comes on the receiver. For example, if a customer sends a request to transfer the money from one account to another account, then the bank must have a proof that the customer has requested for the transaction. 10
What is Cyber Security? • Cyber-security is the practice of defending computers, servers, mobile devices, electronic systems, networks, and data from malicious attacks. .... -kaspersky • Cybersecurity is the practice of protecting systems, networks, and programs from digital attacks. These cyberattacks are usually aimed at accessing, changing, or destroying sensitive information; extorting money from users; or interrupting normal business processes. Implementing effective cybersecurity measures is particularly challenging today because there are more devices than people, and attackers are becoming more innovative.-Cisco 11
5 main categories of cyber security: • Critical infrastructure security: Critical infrastructure security consists of the cyber-physical systems that modern societies rely on. ... • Application security: ... • Network security: ... • Cloud security: ... • Internet of things (IoT) security. 12
Levels of Impact  can define 3 levels of impact from a security breach  Low -The loss could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.  Moderate -The loss could be expected to have a serious adverse effect on organizational operations, assets, or individuals.  High- The loss could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals 13
Passive Attack - Interception 14
Passive Attack: Traffic Analysis Observe traffic pattern 15
Active Attack: Interruption Block delivery of message 16
Active Attack: Fabrication Fabricate message 17
Active Attack: Replay 18
Active Attack: Modification Modify message 19
Handling Attacks  Passive attacks – focus on Prevention • Easy to stop • Hard to detect  Active attacks – focus on Detection and Recovery • Hard to stop • Easy to detect 20
Protocols by layers 21
Networking Devices by layers 22
Devices at different layers Layer 7 – I put gateway here. This is not the same as a “Default Gateway”. This is a device that works kind of like a translator. It is able to understand application languages like HTTP, SMTP, etc. The term “Next Generation Firewalls” is some times applied to these devices. Layer 3 – Routers and “Swouters” devices go here. A Swouter is a layer 3 switch. It has more than a couple ports on the back and is capable of routing. Layer 2 – This is the typical layer where switches are put. Switches are able to look at traffic and filter data based on MAC addresses. Layer 1 – Typically Hubs and Repeaters are put here. You don’t really see them anymore because they tend to be slow and pretty brain dead. Because of this they only work “well” in a very small network design. 23
OSI model attacks by Layers OSI model Layer 1 attacks • Layer 1 refers to the physical aspect of networking – in other words, the cabling and infrastructure used for networks to communicate. • Layer 1 attacks focus on disrupting this service in any manner possible, primarily resulting in Denial of Service (DoS) attacks. • This disruption could be caused by physically cutting cable right through to disrupting wireless signals. OSI model Layer 2 attacks • Layer 2 of the OSI model is the data link layer and focuses on the methods for delivering data blocks. • Normally, this consists of switches utilising protocols such as the Spanning Tree Protocol (STP) and the Dynamic Host Configuration Protocol (DHCP), which is used throughout networking for dynamic IP assignment. • Attacks at this layer can focus on the insecurity of the protocols used or the lack of hardening on the routing devices themselves. • As switches focus is on providing LAN connectivity, the majority of threats come from inside the organisation itself. • Layer 2 attacks may also include MAC flooding or ARP poisoning. • In order to mitigate these risks, it is imperative network switches are hardened. • Additional controls may include ARP inspection, disabling unused ports and enforcing effective security on VLAN’s to prevent VLAN hopping. OSI model Layer 3 attacks • Layer 3 is the network layer and utilises multiple common protocols to perform routing on the network. • Protocols consist of the Internet Protocol (IP), packet sniffing and DoS attacks such as Ping floods and ICMP attacks. Because of their layer 3 nature, these types of attacks can be performed remotely over the Internet while layer 2 attacks primarily come from the internal LAN. • To reduce the risk of these types of attacks, routers should be hardened, packet filtering controls should be used and routing information should be controlled. 24
OSI model attacks by Layers OSI model Layer 4 attacks • Layer 4 is the transport layer and utilises common transport protocols to enable network communications. This may include the Transport Control Protocol (TCP) and Universal Data Protocol (UDP). • Port scanning, a method by which to identify vulnerable or open network ports, operates at layer 4 of the OSI model. Implementing effective firewalls and locking down ports only to those required can mitigate risks at this level. OSI model layer 5-7 • Above layer 4, we are looking primarily at application level attacks which result from poor coding practices. Vulnerabilities in applications can be exploited through attacks such as SQL injection, where the developer has failed to ensure that user input is validated against a defined schema. • The attacker would then input code to extract data from the database (e.g. SELECT * from USERS). As the application fails to validate this input, the command is run and data extracted. To reduce this risk, developers must ensure that best practice development guides are adhered to. 25
26
Firewall • Firewall is a network device that isolates organization’s internal network from larger outside network/Internet. It can be a hardware, software, or combined system that prevents unauthorized access to or from internal network. • All data packets entering or leaving the internal network pass through the firewall, which examines each packet and blocks those that do not meet the specified security criteria. • Deploying firewall at network boundary is like aggregating the security at a single point. It is analogous to locking an apartment at the entrance and not necessarily at each door. • Firewall is considered as an essential element to achieve network security for the following reasons −Internal network and hosts are unlikely to be properly secured • Internet is a dangerous place with criminals, users from competing companies, disgruntled ex-employees, spies from unfriendly countries, vandals, etc. • prevents an attacker from launching denial of service attacks on network resource. • prevents illegal modification/access to internal data by an outsider attacker. 27
Firewall Firewall is categorized into three basic types 1.Packet filter (Stateless & Stateful) 2. Application-level gateway 3. Circuit-level gateway These three categories, however, are not mutually exclusive. Modern firewalls have a mix of abilities that may place them in more than one of the three categories. 28
Packet Filtering Firewall • In this type of firewall deployment, the internal network is connected to the external network/Internet via a router firewall. The firewall inspects and filters data packet-by- packet. • Packet-filtering firewalls allow or block the packets mostly based on criteria such as source and/or destination IP addresses, protocol, source and/or destination port numbers, and various other parameters within the IP header. • The decision can be based on factors other than IP header fields such as ICMP message type, TCP SYN and ACK bits, etc. Packet filter rule has two parts − 1.Selection criteria − It is a used as a condition and pattern matching for decision making. 2. Action field − This part specifies action to be taken if an IP packet meets the selection criteria. The action could be either block (deny) or permit (allow) the packet across the firewall. • Packet filtering is generally accomplished by configuring Access Control Lists (ACL) on routers or switches. ACL is a table of packet filter rules. • As traffic enters or exits an interface, firewall applies ACLs from top to bottom to each incoming packet, finds matching criteria and either permits or denies the individual packets. 29
Packet Filtering Firewall 30
Packet Filtering Firewall Stateless firewall & Stateful firewalls • is a kind of a rigid tool. It looks at packet and allows it if its meets the criteria even if it is not part of any established ongoing communication. • Hence, such firewalls are replaced by stateful firewalls in modern networks. • This type of firewalls offer a more in-depth inspection method over the only ACL based packet inspection methods of stateless firewalls. • Stateful firewall monitors the connection setup and teardown process to keep a check on connections at the TCP/IP level. This allows them to keep track of connections state and determine which hosts have open, authorized connections at any given point in time. • They reference the rule base only when a new connection is requested. Packets belonging to existing connections are compared to the firewall's state table of open connections, and decision to allow or block is taken. This process saves time and provides added security as well. No packet is allowed to trespass the firewall unless it belongs to already established connection. It can timeout inactive connections at firewall after which it no longer admit packets for that connection 31
Packet Filtering Firewall Stateful firewalls 32
Application Gateways • An application-level gateway acts as a relay node for the application-level traffic. They intercept incoming and outgoing packets, run proxies that copy and forward information across the gateway, and function as a proxy server, preventing any direct connection between a trusted server or client and an untrusted host. • The proxies are application specific. They can filter packets at the application layer of the OSI model. Application-specific Proxies • An application-specific proxy accepts packets generated by only specified application for which they are designed to copy, forward, and filter. For example, only a Telnet proxy can copy, forward, and filter Telnet traffic. • If a network relies only on an application-level gateway, incoming and outgoing packets cannot access services that have no proxies configured. For example, if a gateway runs FTP and Telnet proxies, only packets generated by these services can pass through the firewall. All other services are blocked. Application-level Filtering • An application-level proxy gateway, examines and filters individual packets, rather than simply copying them and blindly forwarding them across the gateway. Application-specific proxies check each packet that passes through the gateway, verifying the contents of the packet up through the application layer. These proxies can filter particular kinds of commands or information in the application protocols. • Application gateways can restrict specific actions from being performed. For example, the gateway could be configured to prevent users from performing the ‘FTP put’ command. This can prevent modification of the information stored on the server by an attacker. Transparent • Although application-level gateways can be transparent, many implementations require user authentication before users can access an untrusted network, a process that reduces true transparency. Authentication may be different if the user is from the internal network or from the Internet. For an internal network, a simple list of IP addresses can be allowed to connect to external applications. But from the Internet side a strong authentication should be implemented. • An application gateway actually relays TCP segments between the two TCP connections in the two directions (Client ↔ Proxy ↔ Server). For outbound packets, the gateway may replace the source IP address by its own IP address. The process is referred to as Network Address Translation (NAT). It ensures that internal IP addresses are not exposed to the Internet. 33
Circuit-Level Gateway • The circuit-level gateway is an intermediate solution between the packet filter and the application gateway. • It runs at the transport layer and hence can act as proxy for any application. • Similar to an application gateway, the circuit-level gateway also does not permit an end-to-end TCP connection across the gateway. • It sets up two TCP connections and relays the TCP segments from one network to the other. But, it does not examine the application data like application gateway. Hence, sometime it is called as ‘Pipe Proxy’. 34
Firewall Deployment with DMZ • The firewall process can tightly control what is allowed to traverse from one side to the other. An organization that wishes to provide external access to its web server can restrict all traffic arriving at firewall expect for port 80 (the standard http port). All other traffic such as mail traffic, FTP, SNMP, etc., is not allowed across the firewall into the internal network. An example of a simple firewall is shown in the following diagram. • In the above simple deployment, though all other accesses from outside are blocked, it is possible for an attacker to contact not only a web server but any other host on internal network that has left port 80 open by accident or otherwise. • Hence, the problem most organizations face is how to enable legitimate access to public services such as web, FTP, and e-mail while maintaining tight security of the internal network. The typical approach is deploying firewalls to provide a Demilitarized Zone (DMZ) in the network. • In this setup (illustrated in following diagram), two firewalls are deployed; one between the external network and the DMZ, and another between the DMZ and the internal network. All public servers are placed in the DMZ. • With this setup, it is possible to have firewall rules which allow public access to the public servers but the interior firewall can restrict all incoming connections. By having the DMZ, the public servers are provided with adequate protection instead of placing them directly on external network. 35
Firewall Identification • Normally, firewalls can be identified for offensive purposes. Because firewalls are usually a first line of defense in the virtual perimeter, to breach the network from a hacker perspective, it is required to identify which firewall technology is used and how it’s configured. Some popular tactics are: • Port scanning Hackers use it for investigating the ports used by the victims. Nmap is probably the most famous port-scanning tool available. • Firewalking The process of using traceroute-like IP packet analysis in order to verify if a data packet will be passed through the firewall from source to host of the attacker to the destination host of the victim. • Banner grabbing This is a technique to enable a hacker to spot the type of operation system or application running on a target server. It works through a firewall by using what looks like legitimate connections. 36
Firewall Audit 37
Firewall Audit Firewall Log Analyzer • A firewall is an important component in your organization's network. It provides network administrators with the ability to control the flow of traffic into and out of the network. • Analyzing firewall logs keeps you up to date on all transactions between your organization's intranet and the internet, or any other external network. Here are a few possible uses for analyzing firewall logs: • List all connections denied by the firewall and flag the odd ones. • Show all remote and VPN connections to your network. • Monitor any changes to the rules on which the firewall is based. • Pick up and preempt any potential security attacks. 38
Firewall Audit 39
Intrusion Detection / Prevention System • The packet filtering firewalls operate based on rules involving TCP/UDP/IP headers only. They do not attempt to establish correlation checks among different sessions. • Intrusion Detection/Prevention System (IDS/IPS) carry out Deep Packet Inspection (DPI) by looking at the packet contents. For example, checking character strings in packet against database of known virus, attack strings. • Application gateways do look at the packet contents but only for specific applications. They do not look for suspicious data in the packet. • IDS/IPS looks for suspicious data contained in packets and tries to examine correlation among multiple packets to identify any attacks such as port scanning, network mapping, and denial of service and so on. 40
Basic variations of IDS Signature-based IDS • It needs a database of known attacks with their signatures. • Signature is defined by types and order of packets characterizing particular attack. • Limitation of this type of IDS is that only known attacks can be detected. This IDS can also throw up a false alarm. False alarm can occur when a normal packet stream matches the signature of an attack. • Well-known public open-source IDS example is “Snort” IDS. Anomaly-based IDS • This type of IDS creates a traffic pattern of normal network operation. • During IDS mode, it looks at traffic patterns that are statistically unusual. For example, ICMP unusual load, exponential growth in port scans, etc. • Detection of any unusual traffic pattern generates the alarm. The major challenge faced in this type of IDS deployment is the difficulty in distinguishing between normal traffic and unusual traffic 41
Types of IDS Network intrusion detection system (NIDS) • It is an independent platform that identifies intrusions by examining network traffic and monitors multiple hosts. Network intrusion detection systems gain access to network traffic by connecting to a network hub, a network switch configured for port mirroring, or a network tap. In a NIDS, sensors are placed at choke points in the network to monitor, often in the demilitarized zone (DMZ) or at network borders. Sensors capture all network traffic and analyze the content of individual packets for malicious traffic. An example of a NIDS is Snort. Host-based intrusion detection system (HIDS) • It consists of an agent on a host that identifies intrusions by analyzing system calls, application logs, file-system modifications (binaries, password files, capability databases, Access control lists, etc.) and other host activities and state. In a HIDS, sensors usually consist of a software agent. Some application-based IDS are also part of this category. An example of a HIDS is OSSEC. • Intrusion detection systems can also be system-specific using custom tools and honeypots. 42
Types of IDS Perimeter Intrusion Detection System (PIDS) • Detects and pinpoints the location of intrusion attempts on perimeter fences of critical infrastructures. Using either electronics or more advanced fiber optic cable technology fitted to the perimeter fence, the PIDS detects disturbances on the fence, and if an intrusion is detected and deemed by the system as an intrusion attempt, an alarm is triggered. VM based Intrusion Detection System (VMIDS) • It detects intrusions using virtual machine monitoring. By using this, we can deploy the Intrusion Detection System with Virtual Machine Monitoring. It is the most recent type and it’s still under development. There’s no need for a separate intrusion detection system since by using this, we can monitor the overall activities. 43
IPS Intrusion Prevention Systems (IPS): • Fights for the same cause like firewall set up for any network that detects and prevents users from threats involving the external world and the internal network. • Intrusion Prevention Systems proactively rejects those traffics which do not meet the security profile and policies, or the data packets are malicious by nature. 44
Two types of IPS Currently, there are two types of IPSs that are similar in nature to IDS. They consist of 1. Host-based intrusion prevention systems (HIPS) 2. Products and network-based intrusion prevention systems (NIPS) 45
Classification of Intrusion Prevention System (IPS): Intrusion Prevention System (IPS) is classified into 4 types: • Network-based intrusion prevention system (NIPS): It monitors the entire network for suspicious traffic by analyzing protocol activity. • Wireless intrusion prevention system (WIPS): It monitors a wireless network for suspicious traffic by analyzing wireless networking protocols. • Network behavior analysis (NBAIPS): It examines network traffic to identify threats that generate unusual traffic flows, such as distributed denial of service attacks, specific forms of malware and policy violations. • Host-based intrusion prevention system (HIPS): It is an inbuilt software package which operates on host for doubtful activity by scanning events that occur within that host. 46
Detection Method of Intrusion Prevention System (IPS): • Signature-based detection: Signature-based IPS operates on packets in the network and compares with pre-built and preordained attack patterns known as signatures. • Statistical anomaly-based detection: Anomaly based IPS monitors network traffic and compares it against an established baseline. The baseline will identify what is normal for that network and what protocols are used. However, It may raise a false alarm if the baselines are not intelligently configured. • Stateful protocol analysis detection: This IPS method recognizes divergence of protocols stated by comparing observed events with pre-built profiles of generally accepted definitions of not harmful activity. 47
Honeypot-Based IDS/IPS Systems • The purpose of the honeypot approach is to distract attacks away from real network devices. • By staging different types of vulnerabilities in the honeypot server, you can analyze incoming types of attacks and malicious traffic patterns 48
Honeypots Decoy systems- • appears to be the real system with valuable info • legitimate users would not access • filled with fabricated info • instrumented with monitors and event loggers • divert and hold attacker to collect activity info without exposing production (real) systems • If there is somebody in, then there is an attack benign or malicious • Initially honeypots were single computers • now network of computers that emulate the entire enterprise network 49
1.Outside firewall: • good to reduce the burden on the firewall; keeps the bad guys outside 2. As part of the service (DMZ) network: • firewall must allow attack traffic to honeypot (risky) 3. As part of the internal network: • same as 2; if compromised riskier; advantage is insider attacks can be caught Honeypot Deployment 50
Malware Statistics, Trends & Facts Resources: https://www.accenture.com/_acnmedia/pdf-96/accenture-2019-cost-of-cybercrime-study-final.pdf https://portal.iansresearch.com/content/3792/cat/92-of-malware-is-delivered-through-email https://www.symantec.com/content/dam/symantec/docs/security-center/white-papers/istr-cryptojacking-modern-cash-cow-en.pdf https://news.gallup.com/file/poll/244697/181108CrimeWorries.pdf https://www.itgovernance.co.uk/blog/list-of-data-breaches-and-cyber-attacks-in-january-2019-1769185063-records-leaked https://hacken.io/research/industry-news-and-insights/no-more-privacy-202-million-private-resumes-exposed/ https://www.cisco.com/c/dam/m/hu_hu/campaigns/security-hub/pdf/acr-2018.pdf https://newsroom.ibm.com/2018-07-10-IBM-Study-Hidden-Costs-of-Data-Breaches-Increase-Expenses-for-Businesses https://cybersecurityventures.com/ransomware-damage-report-2017-part-2/ https://www.herjavecgroup.com/wp-content/uploads/2018/07/2017-Cybercrime-Report.pdf https://www.symantec.com/content/dam/symantec/docs/reports/istr-24-2019-en.pdf https://www.symantec.com/content/dam/symantec/docs/reports/istr-23-2018-en.pdf https://www-03.ibm.com/press/us/en/photo/51069.wss https://cofense.com/wp-content/uploads/2018/02/PhishMe-Enterprise-Phishing-Susceptibility-and-Resiliency-Report_2016.pdf https://enterprise.verizon.com/resources/reports/DBIR_2018_Report.pdf https://www.pwc.com/us/en/advisory-services/publications/consumer-intelligence-series/protect-me/cis-protect-me-findings.pdf https://www.gartner.com/en/newsroom/press-releases/2018-08-15-gartner-forecasts-worldwide-information-security-spending-to-exceed-124- billion-in-2019 https://www.knowbe4.com/hubfs/rp_DBIR_2017_Report_execsummary_en_xg.pdf 51
To be turned in in 7 days Assignment 1 1.Conduct a Search of Recent Malware Using your favorite search engine, conduct a search for recent malware. During your search, a) choose four examples of malware, each one from a different malware type, and be prepared to discuss details on what each does, how it each is transmitted and the impact each causes. Examples of malware types include: Trojan, Hoax, Adware, Malware, PUP, Exploit, and Vulnerability. Some suggested web sites to search malware are listed below: McAfee ,Malwarebytes, Security Week, TechNewsWorld b)Read the information about the malware found from your search choose one and write a short summary that explains what the malware does, how it is transmitted, and the impact it causes. 2.Write a key logger in any language you know… 3.Set audit policeies in your windows system, and get the snap shot, and explain the events.. 52

More Related Content

PPTX
Network Security
byManoj Singh
 
PPTX
23 network security threats pkg
byUmang Gupta
 
PPTX
Network Security
byAbdul Qadir Pattal
 
PDF
NSA and PT
byRahmat Suhatman
 
PPTX
презентация1
bysagidullaa01
 
PPTX
Computer security
byShashi Chandra
 
PPTX
Network Security and Firewall
byShafeeqaFarsana
 
PPTX
Data Network Security
byAtif Rehmat
 
Network Security
byManoj Singh
 
23 network security threats pkg
byUmang Gupta
 
Network Security
byAbdul Qadir Pattal
 
NSA and PT
byRahmat Suhatman
 
презентация1
bysagidullaa01
 
Computer security
byShashi Chandra
 
Network Security and Firewall
byShafeeqaFarsana
 
Data Network Security
byAtif Rehmat
 

What's hot

PPTX
Cyber attack
byManjushree Mashal
 
PPTX
Network security
bymena kaheel
 
DOCX
Computer security and privacy
byeiramespi07
 
PPT
Introduction To Computer Security
byVibrant Event
 
PPTX
NETWORK SECURITY
byafaque jaya
 
PPTX
IT Security Presentation
byelihuwalker
 
PPTX
Network security
byquest university nawabshah
 
PPTX
Introduction to Information Security
byShreedevi Tharanidharan
 
PPTX
Cybersecurity Training
byWindstoneHealth
 
PPTX
Presentation1 new (1) (1)cf
bytoamma
 
PPTX
What is network security and Types
byVikram Khanna
 
PDF
Computer Security
byFrederik Questier
 
PPTX
Network security
byHarsh Kishore Mishra
 
PDF
Anatomy of a cyber attack
byMark Silver
 
PPTX
Network security
byEshrak Rahman
 
PPTX
Network security (vulnerabilities, threats, and attacks)
byFabiha Shahzad
 
PPTX
Introduction to Network Security
byJohn Ely Masculino
 
PPTX
Network security
byEstiak Khan
 
PPT
11 Computer Privacy
bySaqib Raza
 
PPTX
5 Security Tips to Protect Your Login Credentials and More
byCommunity IT Innovators
 
Cyber attack
byManjushree Mashal
 
Network security
bymena kaheel
 
Computer security and privacy
byeiramespi07
 
Introduction To Computer Security
byVibrant Event
 
NETWORK SECURITY
byafaque jaya
 
IT Security Presentation
byelihuwalker
 
Network security
byquest university nawabshah
 
Introduction to Information Security
byShreedevi Tharanidharan
 
Cybersecurity Training
byWindstoneHealth
 
Presentation1 new (1) (1)cf
bytoamma
 
What is network security and Types
byVikram Khanna
 
Computer Security
byFrederik Questier
 
Network security
byHarsh Kishore Mishra
 
Anatomy of a cyber attack
byMark Silver
 
Network security
byEshrak Rahman
 
Network security (vulnerabilities, threats, and attacks)
byFabiha Shahzad
 
Introduction to Network Security
byJohn Ely Masculino
 
Network security
byEstiak Khan
 
11 Computer Privacy
bySaqib Raza
 
5 Security Tips to Protect Your Login Credentials and More
byCommunity IT Innovators
 

Similar to Chapter1 intro network_security_sunorganised

PDF
Sec0001 .pdf
bymah902110
 
PPTX
Cyber Sequrity.pptx is life of cyber security
byperweeng31
 
PPTX
Unit 1 Network Fundamentals and Security .pptx
byGuna Dhondwad
 
PPTX
Lecture 6 Cybersecurity-Basics and .pptx
byakatsesena2003
 
PPTX
Cyber Security Briefing
byMarshall Frett Jr.
 
PPTX
Cyber Security and data Security for all.pptx
byRajagopalKeshavan
 
PPTX
Internet safety and you
byArt Ocain
 
PPTX
Computer security
byEktaVaswani2
 
PPTX
What is Cyber & information security.pptx
byamnamahfooz615
 
PPTX
Computer-Security.pptx
byJoselitoJMebolos
 
PPTX
iIIBF Cyber Security Presentation 2.pptx
byNarinderKumarBhasin
 
PPTX
cybersecurity understanding in simple way
bymithubain20043897
 
PDF
Why is Cybersecurity Important in the Digital World
byExpeed Software
 
PPTX
Cyber Security
byBryCunal
 
PPTX
sc.pptx
byWorknehEdimealem
 
PPTX
Information Systems.pptx
byKnownId
 
PPTX
COMPUTER SEMINAR network security threats .pptx
bymanishae08
 
PDF
Cyber Ethics Notes.pdf
byAnupmaMunshi
 
PPTX
Network security presentation
byKudzai Rerayi
 
PPTX
cyber security presentation.pptx
bykishore golla
 
Sec0001 .pdf
bymah902110
 
Cyber Sequrity.pptx is life of cyber security
byperweeng31
 
Unit 1 Network Fundamentals and Security .pptx
byGuna Dhondwad
 
Lecture 6 Cybersecurity-Basics and .pptx
byakatsesena2003
 
Cyber Security Briefing
byMarshall Frett Jr.
 
Cyber Security and data Security for all.pptx
byRajagopalKeshavan
 
Internet safety and you
byArt Ocain
 
Computer security
byEktaVaswani2
 
What is Cyber & information security.pptx
byamnamahfooz615
 
Computer-Security.pptx
byJoselitoJMebolos
 
iIIBF Cyber Security Presentation 2.pptx
byNarinderKumarBhasin
 
cybersecurity understanding in simple way
bymithubain20043897
 
Why is Cybersecurity Important in the Digital World
byExpeed Software
 
Cyber Security
byBryCunal
 
sc.pptx
byWorknehEdimealem
 
Information Systems.pptx
byKnownId
 
COMPUTER SEMINAR network security threats .pptx
bymanishae08
 
Cyber Ethics Notes.pdf
byAnupmaMunshi
 
Network security presentation
byKudzai Rerayi
 
cyber security presentation.pptx
bykishore golla
 

More from Bule Hora University

PPT
Chapter 2_Process Models sunorgamisedASE_finalised.ppt
byBule Hora University
 
PPTX
Chapter 1_Introduction sunorganisedASE_finalised.pptx
byBule Hora University
 
PPT
Chapter 5 Software Quality Assurance-Finalised_BW.ppt
byBule Hora University
 
PPT
Chapter 4 Software Testing_Finalised_BW.ppt
byBule Hora University
 
PPT
Chapter 3_Software Design sunorganisedASE_BW_finalised.ppt
byBule Hora University
 
PPT
Chapter1 Advanced Software Engineering overview
byBule Hora University
 
Chapter 2_Process Models sunorgamisedASE_finalised.ppt
byBule Hora University
 
Chapter 1_Introduction sunorganisedASE_finalised.pptx
byBule Hora University
 
Chapter 5 Software Quality Assurance-Finalised_BW.ppt
byBule Hora University
 
Chapter 4 Software Testing_Finalised_BW.ppt
byBule Hora University
 
Chapter 3_Software Design sunorganisedASE_BW_finalised.ppt
byBule Hora University
 
Chapter1 Advanced Software Engineering overview
byBule Hora University
 

Recently uploaded

PDF
Buying, Aged Twitter Accounts_ The Secret to Instant Growth.pdf
byBEST IT SMM
 
PDF
The 13 satanic codes for Self Power and Sovereignty
byhikariaoki1
 
PDF
Reality Drift: Cultural and Academic Footprints Across Media, Classrooms, and...
byDr. Samuel Wellington
 
PPTX
The First Internet Message was sent on 29 Oct 1969. However . . .
byBob Mayer
 
PDF
Nome completo de Laurence Gregory Watkins
bydiariodocentrodomundo
 
PPTX
Presentation contoso chart 1 2 3 4 5 6 7 8
byJohannReyes3
 
PDF
kjhhhhhhhhhhhhhhhhhhhhhhhhhhhhhkjhkkkkkkkkkkkkkkkkjh
bybishnoijordan29
 
PPTX
Pembagian kelompok menentuan tema yntuk paud.pptx
bywiwiktriwahyuni13
 
PPTX
一比一原版(StuttgartH毕业证书)斯图加特工程应用技术大学毕业证办理成绩单学历认证
by办硕士文凭昆士兰科技大学学历认证【Q微号:1954 292 140】QUT毕业证成绩单
 
PDF
WHMCS Croster 2.1.2 Nulled Pre Activated
byCroster 2.1.2 Nulled
 
PPTX
UNIT –I community health CHN P.B.Sc ppt.pptx
byDr.Anjalatchi Muthukumaran
 
PPTX
TREC_2024_Lateral_Reading_Purpose_and_Need.pptx
byGichxIocHiIvdug
 
PPTX
Generating-Patterns: Arithmetic Sequences, Arithmetic Mean,
byChanelleObate
 
PPTX
Protection from Cyber attacks and Security Firewall
byAjayTiwari684365
 
PPTX
Hathway_Fiber_Bajaj_wi-Fi_Best internet_
byHATHWAY FIBER INTERNET SERVICE PROVIDER in Bajaj enclave
 
PDF
Unlocking-the-Future-AI-Software-Development-Services.pdf
byPrologicTechnologies
 
PPTX
Viva_Digitally_Online_Meeting_Presentation.pptx
byHubraSEO
 
PDF
Dark Humanism 200 Principles for living a life in shadow
byhikariaoki1
 
Buying, Aged Twitter Accounts_ The Secret to Instant Growth.pdf
byBEST IT SMM
 
The 13 satanic codes for Self Power and Sovereignty
byhikariaoki1
 
Reality Drift: Cultural and Academic Footprints Across Media, Classrooms, and...
byDr. Samuel Wellington
 
The First Internet Message was sent on 29 Oct 1969. However . . .
byBob Mayer
 
Nome completo de Laurence Gregory Watkins
bydiariodocentrodomundo
 
Presentation contoso chart 1 2 3 4 5 6 7 8
byJohannReyes3
 
kjhhhhhhhhhhhhhhhhhhhhhhhhhhhhhkjhkkkkkkkkkkkkkkkkjh
bybishnoijordan29
 
Pembagian kelompok menentuan tema yntuk paud.pptx
bywiwiktriwahyuni13
 
一比一原版(StuttgartH毕业证书)斯图加特工程应用技术大学毕业证办理成绩单学历认证
by办硕士文凭昆士兰科技大学学历认证【Q微号:1954 292 140】QUT毕业证成绩单
 
WHMCS Croster 2.1.2 Nulled Pre Activated
byCroster 2.1.2 Nulled
 
UNIT –I community health CHN P.B.Sc ppt.pptx
byDr.Anjalatchi Muthukumaran
 
TREC_2024_Lateral_Reading_Purpose_and_Need.pptx
byGichxIocHiIvdug
 
Generating-Patterns: Arithmetic Sequences, Arithmetic Mean,
byChanelleObate
 
Protection from Cyber attacks and Security Firewall
byAjayTiwari684365
 
Hathway_Fiber_Bajaj_wi-Fi_Best internet_
byHATHWAY FIBER INTERNET SERVICE PROVIDER in Bajaj enclave
 
Unlocking-the-Future-AI-Software-Development-Services.pdf
byPrologicTechnologies
 
Viva_Digitally_Online_Meeting_Presentation.pptx
byHubraSEO
 
Dark Humanism 200 Principles for living a life in shadow
byhikariaoki1
 

Chapter1 intro network_security_sunorganised

  • 1.
    Chapter 1 Introduction to NetworkSecurity Fifth Edition by William Stallings 1
  • 2.
    Introduction What Is Malware? Theterm "malware" is a combination or blend of two words - malicious and software, and it means malicious software that can be utilized to harm any system, or network, or mobile devices or even the servers. These are unpleasant programs installed without any proper or actual user consent that can damage the performance of your system, erase your data, and mine your personal data. They can be even controlled remotely by malicious cybercriminals. So, from these activities, it is now clear that these malicious programs need to stop accessing any system. Security professionals and analysts are hired in almost all companies to keep track of all systems, networks, and servers to see if there is any malicious activity getting performed or not, or whether there is any data leakage and stealing happening within the organization's network or not. Malware may come from unknown phishing sites, spam emails, or unauthorized or illicit external USB or flash drives. Types of Malware Certain common types of malware can be seen in the wild. These are listed below: • Viruses • Worms • Spyware • Ransomware • Rootkits • Bots • Trojans • Adware
  • 3.
    Introduction What Is ComputerVirus? Computer viruses are malicious codes that can contaminate multiple files on any system. They get spread when these infected files are sent over emails or via flash or external drives and can replicate and delete useful information. Viruses are of different types: • Boot sector virus. • Polymorphic virus. • Web scripting virus. • Browser hijacking virus. • Direct action virus. • Resident virus. • File infectors. • Multipartite virus. • Macro virus.
  • 4.
    Introduction What is ComputerWorm? -Computer Worms are particular types of malware that are self-replicating, and through this technique, they spread to another computer. It gets spread by itself through the computer networks or by the use of other flash drives. What is Spyware? -Spywares are unwanted programs that will spy on your system without your knowledge and will steal your sensitive data and other browsing information and will or will take access to your system to damage it. What is Ransomware? -Ransomware's are malicious programs that will encrypt all your system's data and will ask for a ransom to decrypt these files. They take the support of the Bitcoins to get the ransom. What is Rootkit? -A rootkit is a unique harmful program used by cybercriminals to take privileged access to any system by hiding its presence in that system. What is Trojan? -A trojan is programmed for a particular purpose and can be destructive. They act as legitimate files but can bring unexpected changes to your system even when your system is in an idle state. What is Adware? -Adware is malicious software that will hide and will periodically pop up with ads. Some of them also keep track of your online activities and searches. How to Keep the Systems Safe From Malware and Viruses.These are some steps you can follow to protect yourself • Install Anti-Virus/Anti-Malware Software. • Make sure your Anti-Virus software is up to date. • Run scheduled scans for malicious threats and programs using your anti-virus software regularly. • Keep your Operating System updated. • Secure your network with WPA3, honey-pots, strong authentication mechanisms, and passwords. • Think before clicking any malicious or unknown links. • Keep a backup of your work and personal information safe. • Never use any public Wi-Fi while using your corporate work or using your company's system.
  • 5.
    Security Policies This isa set of rules and procedures set up for all employees and individuals as to how the assets and information of that organization will be accessed and utilized. Various security policies will permit the employees to enforce corporate assets with rules and specific actions. These security policies are set on the firewalls of the network, which after all brings certain security restrictions on corporate data and other digital assets: • Security on specific file formats. • NAT (Network Address Translation). • Quality of Service (QoS), decryption procedures. • Policy-Based Forwarding (PBF). • Application Overriding policies. • Authentication policies. • Zone protection policies. • Denial of Service (DoS) prevention. These are some of the major policies set up in any organization or firm. All these diverse policies function jointly for allowing, denying, forwarding data packets, encrypting and decrypting packets, authenticating particular access, making exceptions, and prioritizing data packets as required for preserving the security of the organization's network.
  • 6.
    information Security • Informationsecurity, sometimes shortened to infosec, is the practice of protecting information by mitigating information risks. It is part of information risk management. • Information Security is basically the practice of preventing unauthorized access, use, disclosure, disruption, modification, inspection, recording or destruction of information. Information can be physical or electrical one. 6
  • 7.
    Aspects of information Security 3 aspects of information security:  security attack  security mechanism (control)  security service  note terms  threat – a potential for violation of security  vulnerability – a way by which loss can happen  attack – an assault on system security, a deliberate attempt to evade security services 7
  • 8.
    Network security • Networksecurity is protection of the access to files and directories in a computer network against hacking, misuse and unauthorized changes to the system. • Network security consists of the policies and practices adopted to prevent and monitor unauthorized access, misuse, modification, or denial of a computer network and network-accessible resources 8
  • 9.
    Goal of networksecurity The primary goal of network security are Confidentiality, Integrity, and Availability. These three pillars of Network Security are often represented as CIA triangle. • Confidentiality − The function of confidentiality is to protect precious business data from unauthorized persons. Confidentiality part of network security makes sure that the data is available only to the intended and authorized persons. • Integrity − This goal means maintaining and assuring the accuracy and consistency of data. The function of integrity is to make sure that the data is reliable and is not changed by unauthorized persons. • Availability − The function of availability in Network Security is to make sure that the data, network resources/services are continuously available to the legitimate users, whenever they require it. 9
  • 10.
    Aspects of networksecurity • Privacy: Privacy means both the sender and the receiver expects confidentiality. The transmitted message should be sent only to the intended receiver while the message should be opaque for other users. Only the sender and receiver should be able to understand the transmitted message as eavesdroppers can intercept the message. Therefore, there is a requirement to encrypt the message so that the message cannot be intercepted.. • Message Integrity: Data integrity means that the data must arrive at the receiver exactly as it was sent. There must be no changes in the data content during transmission, either maliciously or accident, in a transit. As there are more and more monetary exchanges over the internet, data integrity is more crucial. The data integrity must be preserved for secure communication. • End-point authentication: Authentication means that the receiver is sure of the sender?s identity, i.e., no imposter has sent the message. • Non-Repudiation: Non-Repudiation means that the receiver must be able to prove that the received message has come from a specific sender. The sender must not deny sending a message that he or she send. The burden of proving the identity comes on the receiver. For example, if a customer sends a request to transfer the money from one account to another account, then the bank must have a proof that the customer has requested for the transaction. 10
  • 11.
    What is CyberSecurity? • Cyber-security is the practice of defending computers, servers, mobile devices, electronic systems, networks, and data from malicious attacks. .... -kaspersky • Cybersecurity is the practice of protecting systems, networks, and programs from digital attacks. These cyberattacks are usually aimed at accessing, changing, or destroying sensitive information; extorting money from users; or interrupting normal business processes. Implementing effective cybersecurity measures is particularly challenging today because there are more devices than people, and attackers are becoming more innovative.-Cisco 11
  • 12.
    5 main categoriesof cyber security: • Critical infrastructure security: Critical infrastructure security consists of the cyber-physical systems that modern societies rely on. ... • Application security: ... • Network security: ... • Cloud security: ... • Internet of things (IoT) security. 12
  • 13.
    Levels of Impact can define 3 levels of impact from a security breach  Low -The loss could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.  Moderate -The loss could be expected to have a serious adverse effect on organizational operations, assets, or individuals.  High- The loss could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals 13
  • 14.
    Passive Attack -Interception 14
  • 15.
    Passive Attack: TrafficAnalysis Observe traffic pattern 15
  • 16.
    Active Attack: Interruption Blockdelivery of message 16
  • 17.
  • 18.
  • 19.
  • 20.
    Handling Attacks  Passiveattacks – focus on Prevention • Easy to stop • Hard to detect  Active attacks – focus on Detection and Recovery • Hard to stop • Easy to detect 20
  • 21.
  • 22.
  • 23.
    Devices at differentlayers Layer 7 – I put gateway here. This is not the same as a “Default Gateway”. This is a device that works kind of like a translator. It is able to understand application languages like HTTP, SMTP, etc. The term “Next Generation Firewalls” is some times applied to these devices. Layer 3 – Routers and “Swouters” devices go here. A Swouter is a layer 3 switch. It has more than a couple ports on the back and is capable of routing. Layer 2 – This is the typical layer where switches are put. Switches are able to look at traffic and filter data based on MAC addresses. Layer 1 – Typically Hubs and Repeaters are put here. You don’t really see them anymore because they tend to be slow and pretty brain dead. Because of this they only work “well” in a very small network design. 23
  • 24.
    OSI model attacksby Layers OSI model Layer 1 attacks • Layer 1 refers to the physical aspect of networking – in other words, the cabling and infrastructure used for networks to communicate. • Layer 1 attacks focus on disrupting this service in any manner possible, primarily resulting in Denial of Service (DoS) attacks. • This disruption could be caused by physically cutting cable right through to disrupting wireless signals. OSI model Layer 2 attacks • Layer 2 of the OSI model is the data link layer and focuses on the methods for delivering data blocks. • Normally, this consists of switches utilising protocols such as the Spanning Tree Protocol (STP) and the Dynamic Host Configuration Protocol (DHCP), which is used throughout networking for dynamic IP assignment. • Attacks at this layer can focus on the insecurity of the protocols used or the lack of hardening on the routing devices themselves. • As switches focus is on providing LAN connectivity, the majority of threats come from inside the organisation itself. • Layer 2 attacks may also include MAC flooding or ARP poisoning. • In order to mitigate these risks, it is imperative network switches are hardened. • Additional controls may include ARP inspection, disabling unused ports and enforcing effective security on VLAN’s to prevent VLAN hopping. OSI model Layer 3 attacks • Layer 3 is the network layer and utilises multiple common protocols to perform routing on the network. • Protocols consist of the Internet Protocol (IP), packet sniffing and DoS attacks such as Ping floods and ICMP attacks. Because of their layer 3 nature, these types of attacks can be performed remotely over the Internet while layer 2 attacks primarily come from the internal LAN. • To reduce the risk of these types of attacks, routers should be hardened, packet filtering controls should be used and routing information should be controlled. 24
  • 25.
    OSI model attacksby Layers OSI model Layer 4 attacks • Layer 4 is the transport layer and utilises common transport protocols to enable network communications. This may include the Transport Control Protocol (TCP) and Universal Data Protocol (UDP). • Port scanning, a method by which to identify vulnerable or open network ports, operates at layer 4 of the OSI model. Implementing effective firewalls and locking down ports only to those required can mitigate risks at this level. OSI model layer 5-7 • Above layer 4, we are looking primarily at application level attacks which result from poor coding practices. Vulnerabilities in applications can be exploited through attacks such as SQL injection, where the developer has failed to ensure that user input is validated against a defined schema. • The attacker would then input code to extract data from the database (e.g. SELECT * from USERS). As the application fails to validate this input, the command is run and data extracted. To reduce this risk, developers must ensure that best practice development guides are adhered to. 25
  • 26.
  • 27.
    Firewall • Firewall isa network device that isolates organization’s internal network from larger outside network/Internet. It can be a hardware, software, or combined system that prevents unauthorized access to or from internal network. • All data packets entering or leaving the internal network pass through the firewall, which examines each packet and blocks those that do not meet the specified security criteria. • Deploying firewall at network boundary is like aggregating the security at a single point. It is analogous to locking an apartment at the entrance and not necessarily at each door. • Firewall is considered as an essential element to achieve network security for the following reasons −Internal network and hosts are unlikely to be properly secured • Internet is a dangerous place with criminals, users from competing companies, disgruntled ex-employees, spies from unfriendly countries, vandals, etc. • prevents an attacker from launching denial of service attacks on network resource. • prevents illegal modification/access to internal data by an outsider attacker. 27
  • 28.
    Firewall Firewall is categorizedinto three basic types 1.Packet filter (Stateless & Stateful) 2. Application-level gateway 3. Circuit-level gateway These three categories, however, are not mutually exclusive. Modern firewalls have a mix of abilities that may place them in more than one of the three categories. 28
  • 29.
    Packet Filtering Firewall •In this type of firewall deployment, the internal network is connected to the external network/Internet via a router firewall. The firewall inspects and filters data packet-by- packet. • Packet-filtering firewalls allow or block the packets mostly based on criteria such as source and/or destination IP addresses, protocol, source and/or destination port numbers, and various other parameters within the IP header. • The decision can be based on factors other than IP header fields such as ICMP message type, TCP SYN and ACK bits, etc. Packet filter rule has two parts − 1.Selection criteria − It is a used as a condition and pattern matching for decision making. 2. Action field − This part specifies action to be taken if an IP packet meets the selection criteria. The action could be either block (deny) or permit (allow) the packet across the firewall. • Packet filtering is generally accomplished by configuring Access Control Lists (ACL) on routers or switches. ACL is a table of packet filter rules. • As traffic enters or exits an interface, firewall applies ACLs from top to bottom to each incoming packet, finds matching criteria and either permits or denies the individual packets. 29
  • 30.
  • 31.
    Packet Filtering Firewall Statelessfirewall & Stateful firewalls • is a kind of a rigid tool. It looks at packet and allows it if its meets the criteria even if it is not part of any established ongoing communication. • Hence, such firewalls are replaced by stateful firewalls in modern networks. • This type of firewalls offer a more in-depth inspection method over the only ACL based packet inspection methods of stateless firewalls. • Stateful firewall monitors the connection setup and teardown process to keep a check on connections at the TCP/IP level. This allows them to keep track of connections state and determine which hosts have open, authorized connections at any given point in time. • They reference the rule base only when a new connection is requested. Packets belonging to existing connections are compared to the firewall's state table of open connections, and decision to allow or block is taken. This process saves time and provides added security as well. No packet is allowed to trespass the firewall unless it belongs to already established connection. It can timeout inactive connections at firewall after which it no longer admit packets for that connection 31
  • 32.
  • 33.
    Application Gateways • Anapplication-level gateway acts as a relay node for the application-level traffic. They intercept incoming and outgoing packets, run proxies that copy and forward information across the gateway, and function as a proxy server, preventing any direct connection between a trusted server or client and an untrusted host. • The proxies are application specific. They can filter packets at the application layer of the OSI model. Application-specific Proxies • An application-specific proxy accepts packets generated by only specified application for which they are designed to copy, forward, and filter. For example, only a Telnet proxy can copy, forward, and filter Telnet traffic. • If a network relies only on an application-level gateway, incoming and outgoing packets cannot access services that have no proxies configured. For example, if a gateway runs FTP and Telnet proxies, only packets generated by these services can pass through the firewall. All other services are blocked. Application-level Filtering • An application-level proxy gateway, examines and filters individual packets, rather than simply copying them and blindly forwarding them across the gateway. Application-specific proxies check each packet that passes through the gateway, verifying the contents of the packet up through the application layer. These proxies can filter particular kinds of commands or information in the application protocols. • Application gateways can restrict specific actions from being performed. For example, the gateway could be configured to prevent users from performing the ‘FTP put’ command. This can prevent modification of the information stored on the server by an attacker. Transparent • Although application-level gateways can be transparent, many implementations require user authentication before users can access an untrusted network, a process that reduces true transparency. Authentication may be different if the user is from the internal network or from the Internet. For an internal network, a simple list of IP addresses can be allowed to connect to external applications. But from the Internet side a strong authentication should be implemented. • An application gateway actually relays TCP segments between the two TCP connections in the two directions (Client ↔ Proxy ↔ Server). For outbound packets, the gateway may replace the source IP address by its own IP address. The process is referred to as Network Address Translation (NAT). It ensures that internal IP addresses are not exposed to the Internet. 33
  • 34.
    Circuit-Level Gateway • Thecircuit-level gateway is an intermediate solution between the packet filter and the application gateway. • It runs at the transport layer and hence can act as proxy for any application. • Similar to an application gateway, the circuit-level gateway also does not permit an end-to-end TCP connection across the gateway. • It sets up two TCP connections and relays the TCP segments from one network to the other. But, it does not examine the application data like application gateway. Hence, sometime it is called as ‘Pipe Proxy’. 34
  • 35.
    Firewall Deployment withDMZ • The firewall process can tightly control what is allowed to traverse from one side to the other. An organization that wishes to provide external access to its web server can restrict all traffic arriving at firewall expect for port 80 (the standard http port). All other traffic such as mail traffic, FTP, SNMP, etc., is not allowed across the firewall into the internal network. An example of a simple firewall is shown in the following diagram. • In the above simple deployment, though all other accesses from outside are blocked, it is possible for an attacker to contact not only a web server but any other host on internal network that has left port 80 open by accident or otherwise. • Hence, the problem most organizations face is how to enable legitimate access to public services such as web, FTP, and e-mail while maintaining tight security of the internal network. The typical approach is deploying firewalls to provide a Demilitarized Zone (DMZ) in the network. • In this setup (illustrated in following diagram), two firewalls are deployed; one between the external network and the DMZ, and another between the DMZ and the internal network. All public servers are placed in the DMZ. • With this setup, it is possible to have firewall rules which allow public access to the public servers but the interior firewall can restrict all incoming connections. By having the DMZ, the public servers are provided with adequate protection instead of placing them directly on external network. 35
  • 36.
    Firewall Identification • Normally,firewalls can be identified for offensive purposes. Because firewalls are usually a first line of defense in the virtual perimeter, to breach the network from a hacker perspective, it is required to identify which firewall technology is used and how it’s configured. Some popular tactics are: • Port scanning Hackers use it for investigating the ports used by the victims. Nmap is probably the most famous port-scanning tool available. • Firewalking The process of using traceroute-like IP packet analysis in order to verify if a data packet will be passed through the firewall from source to host of the attacker to the destination host of the victim. • Banner grabbing This is a technique to enable a hacker to spot the type of operation system or application running on a target server. It works through a firewall by using what looks like legitimate connections. 36
  • 37.
  • 38.
    Firewall Audit Firewall LogAnalyzer • A firewall is an important component in your organization's network. It provides network administrators with the ability to control the flow of traffic into and out of the network. • Analyzing firewall logs keeps you up to date on all transactions between your organization's intranet and the internet, or any other external network. Here are a few possible uses for analyzing firewall logs: • List all connections denied by the firewall and flag the odd ones. • Show all remote and VPN connections to your network. • Monitor any changes to the rules on which the firewall is based. • Pick up and preempt any potential security attacks. 38
  • 39.
  • 40.
    Intrusion Detection /Prevention System • The packet filtering firewalls operate based on rules involving TCP/UDP/IP headers only. They do not attempt to establish correlation checks among different sessions. • Intrusion Detection/Prevention System (IDS/IPS) carry out Deep Packet Inspection (DPI) by looking at the packet contents. For example, checking character strings in packet against database of known virus, attack strings. • Application gateways do look at the packet contents but only for specific applications. They do not look for suspicious data in the packet. • IDS/IPS looks for suspicious data contained in packets and tries to examine correlation among multiple packets to identify any attacks such as port scanning, network mapping, and denial of service and so on. 40
  • 41.
    Basic variations ofIDS Signature-based IDS • It needs a database of known attacks with their signatures. • Signature is defined by types and order of packets characterizing particular attack. • Limitation of this type of IDS is that only known attacks can be detected. This IDS can also throw up a false alarm. False alarm can occur when a normal packet stream matches the signature of an attack. • Well-known public open-source IDS example is “Snort” IDS. Anomaly-based IDS • This type of IDS creates a traffic pattern of normal network operation. • During IDS mode, it looks at traffic patterns that are statistically unusual. For example, ICMP unusual load, exponential growth in port scans, etc. • Detection of any unusual traffic pattern generates the alarm. The major challenge faced in this type of IDS deployment is the difficulty in distinguishing between normal traffic and unusual traffic 41
  • 42.
    Types of IDS Networkintrusion detection system (NIDS) • It is an independent platform that identifies intrusions by examining network traffic and monitors multiple hosts. Network intrusion detection systems gain access to network traffic by connecting to a network hub, a network switch configured for port mirroring, or a network tap. In a NIDS, sensors are placed at choke points in the network to monitor, often in the demilitarized zone (DMZ) or at network borders. Sensors capture all network traffic and analyze the content of individual packets for malicious traffic. An example of a NIDS is Snort. Host-based intrusion detection system (HIDS) • It consists of an agent on a host that identifies intrusions by analyzing system calls, application logs, file-system modifications (binaries, password files, capability databases, Access control lists, etc.) and other host activities and state. In a HIDS, sensors usually consist of a software agent. Some application-based IDS are also part of this category. An example of a HIDS is OSSEC. • Intrusion detection systems can also be system-specific using custom tools and honeypots. 42
  • 43.
    Types of IDS PerimeterIntrusion Detection System (PIDS) • Detects and pinpoints the location of intrusion attempts on perimeter fences of critical infrastructures. Using either electronics or more advanced fiber optic cable technology fitted to the perimeter fence, the PIDS detects disturbances on the fence, and if an intrusion is detected and deemed by the system as an intrusion attempt, an alarm is triggered. VM based Intrusion Detection System (VMIDS) • It detects intrusions using virtual machine monitoring. By using this, we can deploy the Intrusion Detection System with Virtual Machine Monitoring. It is the most recent type and it’s still under development. There’s no need for a separate intrusion detection system since by using this, we can monitor the overall activities. 43
  • 44.
    IPS Intrusion Prevention Systems(IPS): • Fights for the same cause like firewall set up for any network that detects and prevents users from threats involving the external world and the internal network. • Intrusion Prevention Systems proactively rejects those traffics which do not meet the security profile and policies, or the data packets are malicious by nature. 44
  • 45.
    Two types ofIPS Currently, there are two types of IPSs that are similar in nature to IDS. They consist of 1. Host-based intrusion prevention systems (HIPS) 2. Products and network-based intrusion prevention systems (NIPS) 45
  • 46.
    Classification of Intrusion PreventionSystem (IPS): Intrusion Prevention System (IPS) is classified into 4 types: • Network-based intrusion prevention system (NIPS): It monitors the entire network for suspicious traffic by analyzing protocol activity. • Wireless intrusion prevention system (WIPS): It monitors a wireless network for suspicious traffic by analyzing wireless networking protocols. • Network behavior analysis (NBAIPS): It examines network traffic to identify threats that generate unusual traffic flows, such as distributed denial of service attacks, specific forms of malware and policy violations. • Host-based intrusion prevention system (HIPS): It is an inbuilt software package which operates on host for doubtful activity by scanning events that occur within that host. 46
  • 47.
    Detection Method ofIntrusion Prevention System (IPS): • Signature-based detection: Signature-based IPS operates on packets in the network and compares with pre-built and preordained attack patterns known as signatures. • Statistical anomaly-based detection: Anomaly based IPS monitors network traffic and compares it against an established baseline. The baseline will identify what is normal for that network and what protocols are used. However, It may raise a false alarm if the baselines are not intelligently configured. • Stateful protocol analysis detection: This IPS method recognizes divergence of protocols stated by comparing observed events with pre-built profiles of generally accepted definitions of not harmful activity. 47
  • 48.
    Honeypot-Based IDS/IPS Systems •The purpose of the honeypot approach is to distract attacks away from real network devices. • By staging different types of vulnerabilities in the honeypot server, you can analyze incoming types of attacks and malicious traffic patterns 48
  • 49.
    Honeypots Decoy systems- • appearsto be the real system with valuable info • legitimate users would not access • filled with fabricated info • instrumented with monitors and event loggers • divert and hold attacker to collect activity info without exposing production (real) systems • If there is somebody in, then there is an attack benign or malicious • Initially honeypots were single computers • now network of computers that emulate the entire enterprise network 49
  • 50.
    1.Outside firewall: • goodto reduce the burden on the firewall; keeps the bad guys outside 2. As part of the service (DMZ) network: • firewall must allow attack traffic to honeypot (risky) 3. As part of the internal network: • same as 2; if compromised riskier; advantage is insider attacks can be caught Honeypot Deployment 50
  • 51.
    Malware Statistics, Trends& Facts Resources: https://www.accenture.com/_acnmedia/pdf-96/accenture-2019-cost-of-cybercrime-study-final.pdf https://portal.iansresearch.com/content/3792/cat/92-of-malware-is-delivered-through-email https://www.symantec.com/content/dam/symantec/docs/security-center/white-papers/istr-cryptojacking-modern-cash-cow-en.pdf https://news.gallup.com/file/poll/244697/181108CrimeWorries.pdf https://www.itgovernance.co.uk/blog/list-of-data-breaches-and-cyber-attacks-in-january-2019-1769185063-records-leaked https://hacken.io/research/industry-news-and-insights/no-more-privacy-202-million-private-resumes-exposed/ https://www.cisco.com/c/dam/m/hu_hu/campaigns/security-hub/pdf/acr-2018.pdf https://newsroom.ibm.com/2018-07-10-IBM-Study-Hidden-Costs-of-Data-Breaches-Increase-Expenses-for-Businesses https://cybersecurityventures.com/ransomware-damage-report-2017-part-2/ https://www.herjavecgroup.com/wp-content/uploads/2018/07/2017-Cybercrime-Report.pdf https://www.symantec.com/content/dam/symantec/docs/reports/istr-24-2019-en.pdf https://www.symantec.com/content/dam/symantec/docs/reports/istr-23-2018-en.pdf https://www-03.ibm.com/press/us/en/photo/51069.wss https://cofense.com/wp-content/uploads/2018/02/PhishMe-Enterprise-Phishing-Susceptibility-and-Resiliency-Report_2016.pdf https://enterprise.verizon.com/resources/reports/DBIR_2018_Report.pdf https://www.pwc.com/us/en/advisory-services/publications/consumer-intelligence-series/protect-me/cis-protect-me-findings.pdf https://www.gartner.com/en/newsroom/press-releases/2018-08-15-gartner-forecasts-worldwide-information-security-spending-to-exceed-124- billion-in-2019 https://www.knowbe4.com/hubfs/rp_DBIR_2017_Report_execsummary_en_xg.pdf 51
  • 52.
    To be turnedin in 7 days Assignment 1 1.Conduct a Search of Recent Malware Using your favorite search engine, conduct a search for recent malware. During your search, a) choose four examples of malware, each one from a different malware type, and be prepared to discuss details on what each does, how it each is transmitted and the impact each causes. Examples of malware types include: Trojan, Hoax, Adware, Malware, PUP, Exploit, and Vulnerability. Some suggested web sites to search malware are listed below: McAfee ,Malwarebytes, Security Week, TechNewsWorld b)Read the information about the malware found from your search choose one and write a short summary that explains what the malware does, how it is transmitted, and the impact it causes. 2.Write a key logger in any language you know… 3.Set audit policeies in your windows system, and get the snap shot, and explain the events.. 52