Data Protection a list of potential Network Attacks:
As the network has now evolved from just the physical connections to combine with software, peripherals, remote location access. VOIP, websites, CCTV the attack surface and nature of the vulnerabilities have changed and become more complex. In this ever-changing world the concept of a defined perimeter needs to be understood. The flow of information would require documentation as it moves between departments and personnel with separate authorisation rites.
The concept of multi defensive is to pre-empt possible intrusions. This is done by recognising an organisations asset, the motivations of attackers and possible defensive mechanisms.
This can categorise by:
• Return to a state of business as usual.
Possible attacks and countermeasures:
• This is practice of spying on the traffic on a network (also known is sniffing). This can be done by compromising a computer on a network, accessing an IP address or accessing a wireless network.
should include encrypting communications, rerouting traffic so that source address are hidden, defining trusted networks and passing traffic so timings are hidden.
Open Relay Systems/SPAM:
A mail server that allows communication from unauthorised SMTP servers. Primary open from SPAM emails.
Set up several filers that apply algorithms to block messages that are likely to be illegitimate (selling Viagra, etc). Intruders can vary spelling to bypass any text wording in the header or in the body. Administrator can apply a Tarpit (slows down connections). This causes a time out with excessive communications which prevents the volume of transactions.
This is the ability to interrogate the transport layer of a network. An initial handshake is sent and if connection live, sends a request to terminate the connection which bypasses the firewall. TCP number sequences can be analysed (packets have numbers spoiled for unsuccessful transmissions to be resent) and once the pattern is guessed can implant their own packets. IP spoofing.
Man in the Middle Attack/Session Hijacking:
Attack would intercept packets and replace them with modified versions, so he can access the communication between 2 entities. Used for gaining access rites to internet banking credentials.
Increase level of encryption between applications.
Elevation of Privileges:
Attack would intercept packets and reOnce a vulnerability is ascertained then an attacker can try access the system. Once inside the goal is to raise the level of privileges to administrator rites to do maximum damage or access privileged information. At administrator level an attacker can hide their presence by altering or deleting logs therefore their presence can remain anonymous. Can leave a back door to allow remote access later.place them with modified versions, so he can access the communication between 2 entities. Used for gaining access rites to internet banking credentials.
Keep access privileges up to date including deleting unused profiles and upgrading roles that have changed to keep their rites up to date. Constant monitoring who accesses what and when will help provide an overview of unusual activity.
Bots and Botnets:
Bots and Botnets are compromised computers that can be linked for combined under the control of a “bot herder”. These systems are usually used for sending SPAM from multiple locations or instigate denial of service by flooding systems with requests.
Manipulation of data packets to insert themselves behind a firewall into a system to deliver their payload.
• Teardrop: header packet is distorted and once through the firewall then reforms on the other side to deliver its payload.
• Overlapping packet attacks: The first header is harmless to fool filter then subsequent packets over write the header once through to become harmful.
• Source touring: Header has imprinted a final IP address. Sent between network interfaces that doesn’t allow forwarding which allows an attacker access.
Sends a request to the ICMP (Internet control message Protocol) that then broadcast a fake message with the source address to all known addresses and then flooded by invalid requests. Fraggle same thing but uses UDP.
Writes data behind a ICMP (Internet control message Protocol) header directly to another computer system. Uses a covert channel as Firewalls are designed to allow ICMP traffic to go through the system.
Denial of Service /Distributed:
Send a request that spawns multiple pings, usually through a compromised service that the network cannot cope with the number of requests and slows down or becomes unresponsive. Distributed is from multiple entities, either Botnets or an organised group that times their requests. (Russian activists took down Estonian banking system). SYN attack is sending a specific open an initial handshake or sync request and system is overwhelmed as SYN/ACK does not have time to respond. Maybe sent from a from a fake host so the system will hang as waiting for an ACK that will never arrive.
Refining a back log to vendor specifications so that requests from fake IP addresses are immediately ignored. Modify TCP/IP stack so that attacks can be identified.
Ping of Death:
Sending ICMP packets larger than specified size causing computers freeze or reboot.
Patch systems and filtering to identify types of attack.
The Address Resolution Protocol (ARP) defines the MAC address of the computer so that the data link can confirm the packet details to sedn to the end user. ARP poisoning is the ability to manipulate the ARP table and send the packet to an alternative address.
Implement IDS sensors to alert when an attack is taking place..
Instilling false information in the DNS cache for infant recall. Sends False queries. A DNS can also be manipulated with fake IP address that suspend anti virus updates or banking website to redirect to malicious sites.
Extra monitoring of the domain with and rules set to only accept from internal servers and users. Filtering on routers, switches and use of multiple firewall levels. Up to date Network Access controls and deleting redundant profiles. Load balancing volume request and dedicated services to maintain certain services even under attack. Use of Tarpits to slow responses.
Sending an email from an address that looks similar to an authentic source. Phishing is the term used for duping users into sending sensitive information by using similar address names.
Training and awareness of staff.
Tools for security practitioner:
Intrusion detection Systems (IDS).
These are automated detection systems that monitor traffic over a computer or a domain. They can be set to raise an alarm when encountering unusual traffic. Also compares with known signatures for trust.
Security Event Intrusion Management (SEIM).
Automates monitoring of logs from a variety of locations for summary reporting.
Network scanner: Is a tool that can be used by a security professional or an attacker alike. These ca:
• Check validity of devices connected to the network. Set to discovery by sending Ping
• Check that systems are complying with operational policies. Check for open ports and services.
• Check for vulnerabilities similar to a penetration test. Checks ports, responsiveness of applications and patch updates.
• Nesssus: Discovers open communication ports.
• Nmap: Looks over a server for active services.
• Network Tap: Measures network activity and analyses in real time. Used for monitoring or detective work after an event.