Security Lammle 12

Lammle Chapter 12 discusses Access Control Lists (ACLs) and various security threats and vulnerabilities in networks, including types of malware and denial of service attacks. It highlights the importance of physical security, risk assessment, and the implementation of policies and procedures to mitigate risks. The chapter also covers the roles of different types of attackers and the need for preventative, detective, and corrective controls in maintaining network security.

Uploaded by tjmoe24

CINS 3040 Lammle Chapter 12 Security (with supplemental info)

Security

• Lammle Chapter 12 focuses on Access Control Lists. I added information from other sources to supplement more general security concerns.
Security Threats and Vulnerabilities
Types of Threats

Attacks on a network can be devastating and can result in a loss of time and
money due to damage, or theft of important information or assets. Intruders
can gain access to a network through software vulnerabilities, hardware
attacks, or through guessing someone's username and password. Intruders
who gain access by modifying software or exploiting software vulnerabilities
are called threat actors.

After the threat actor gains access to the network, four types of threats may
arise:
• Information Theft
• Data Loss and manipulation
• Identity Theft
• Disruption of Service
Security Threats and Vulnerabilities
Types of Vulnerabilities

Vulnerability is the degree of weakness in a network or a device. Some degree of
vulnerability is inherent in routers, switches, desktops, servers, and even security
devices. Typically, the network devices under attack are the endpoints, such as
servers and desktop computers.
There are three primary vulnerabilities or weaknesses:
• Technological Vulnerabilities might include TCP/IP protocol weaknesses,
operating system weaknesses, and network equipment weaknesses.
• Configuration Vulnerabilities might include unsecured user accounts, system
accounts with easily guessed passwords, misconfigured internet services,
insecure default settings, and misconfigured network equipment.
• Security Policy Vulnerabilities might include lack of a written security policy,
politics, lack of authentication continuity, logical access controls not applied,
software and hardware installation and changes not following policy, and a
nonexistent disaster recovery plan.
All three of these sources of vulnerabilities can leave a network or device open to
various attacks, including malicious code attacks and network attacks.
Security Threats and Vulnerabilities
Physical Security

If network resources can be physically compromised, a threat actor can deny
the use of network resources. The four classes of physical threats are as
follows:
• Hardware threats - This includes physical damage to servers, routers,
switches, cabling plant, and workstations.
• Environmental threats - This includes temperature extremes (too hot or
too cold) or humidity extremes (too wet or too dry).
• Electrical threats - This includes voltage spikes, insufficient supply
voltage (brownouts), unconditioned power (noise), and total power loss.
• Maintenance threats - This includes poor handling of key electrical
components (electrostatic discharge), lack of critical spare parts, poor
cabling, and poor labeling.

A good plan for physical security must be created and implemented to address
these issues.
Network Attacks
Types of Malware

Malware is short for malicious software. It is code or software specifically
designed to damage, disrupt, steal, or inflict "bad" or illegitimate action on data,
hosts, or networks. The following are types of malware:
• Viruses - A computer virus is a type of malware that propagates by
inserting a copy of itself into, and becoming part of, another program. It
spreads from one computer to another, leaving infections as it travels.
• Worms - Computer worms are similar to viruses in that they replicate
functional copies of themselves and can cause the same type of damage. In
contrast to viruses, which require the spreading of an infected host file,
worms are standalone software and do not require a host program or human
help to propagate.
• Trojan Horses - A Trojan horse is a harmful piece of software that looks
legitimate. Unlike viruses and worms, Trojan horses do not reproduce by
infecting other files, nor do they self-replicate. Trojan horses must spread
through user interaction such as opening an email attachment or downloading
and running a file from the internet.
Network Attacks
Reconnaissance Attacks

In addition to malicious code attacks, it is also possible for networks to fall prey
to various network attacks. Network attacks can be classified into three major
categories:
• Reconnaissance attacks - The discovery
and mapping of systems, services, or
vulnerabilities.
• Access attacks - The unauthorized
manipulation of data, system access, or user
privileges.
• Denial of service - The disabling or
corruption of networks, systems, or services.
For reconnaissance attacks, external threat actors can use internet tools, such
as the nslookup and whois utilities, to easily determine the IP address space
assigned to a given corporation or entity. After the IP address space is
Network Attacks
Access Attacks

Access attacks exploit known vulnerabilities in authentication services, FTP
services, and web services to gain entry to web accounts, confidential
databases, and other sensitive information.

Access attacks can be classified into four types:
• Password attacks - Implemented using brute force, trojan horse, and
packet sniffers
• Trust exploitation - A threat actor uses unauthorized privileges to gain
access to a system, possibly compromising the target.
• Port redirection - A threat actor uses a compromised system as a base
for attacks against other targets. For example, a threat actor using SSH
(port 22) to connect to a compromised host A. Host A is trusted by host B
and, therefore, the threat actor can use Telnet (port 23) to access it.
• Man-in-the-middle - The threat actor is positioned in between two
legitimate entities in order to read or modify the data that passes between
the two parties.
Network Attacks
Denial of Service Attacks

Denial of service (DoS) attacks are the most publicized form of attack and
among the most difficult to eliminate. However, because of their ease of
implementation and potentially significant damage, DoS attacks deserve
special attention from security administrators.
• DoS attacks take many forms. Ultimately, they prevent authorized people
from using a service by consuming system resources. To help prevent DoS
attacks it is important to stay up to date with the latest security updates for
operating systems and applications.
• DoS attacks are a major risk because they interrupt communication and
cause significant loss of time and money. These attacks are relatively
simple to conduct, even by an unskilled threat actor.
• A DDoS is similar to a DoS attack, but it originates from multiple,
coordinated sources. For example, a threat actor builds a network of
infected hosts, known as zombies. A network of zombies is called a botnet.
The threat actor uses a command and control (CnC) program to instruct the
botnet of zombies to carry out a DDoS attack.
Who Commits Computer Crimes?
• Computer criminals come in all shapes and sizes; in order of infractions they are:
1. Current or former employees; most organizations report insider abuses as their most common crime (CSI, 2011)
2. People with technical knowledge who commit business or information sabotage for personal gain
3. Career criminals who use computers to assist in crimes
4. Outside hackers, who commit millions of intrusions per year
• Studies show that only 10% of hacker attacks cause damage.
How Do They Do It?
• Technology
– Vulnerability scanners
– Packet sniffers
– Keyloggers
– Brute force
• Exploiting human weaknesses
– Phishing
– Social engineering
– Shoulder surfing
– Dumpster diving
Two Common Types of Computer Crimes
• Unauthorized Access
– Stealing information
– Stealing use of computer resources
– Accessing systems with the intent to
commit information modification
• Information Modification
– Changing data for financial gain
(e.g., embezzlement)
– Defacing a Web site (e.g., hacktivists
making a statement)
– Often “insider threats” or “trusted
adversaries”
▪ Disgruntled employees
▪ Edward Snowden
Federal Laws Against Computer Crime
• The Computer Fraud and Abuse Act of 1986
– A crime to access government computers or communications
– A crime to extort money by damaging computer systems
– A crime to threaten the president, vice president, members of Congress, administration officials
• Electronic Communications Privacy Act of 1986
– A crime to break into any electronic communications service, including telephone services
– Prohibits the interception of any type of electronic communications
Security Organizations
C-I-A
Information Systems Security Process
• Information systems security is an ongoing process
Assessing IS Risks
• Options for addressing risk
– Risk Reduction
▪ Actively installing countermeasures
– Risk Acceptance
▪ Accepting any losses that occur
– Risk Transference
▪ Have someone else absorb the risk (insurance, outsourcing)
– Risk Avoidance
▪ Using alternative means, avoiding risky tasks
[Figure: Interplay between threats, vulnerabilities, and impacts]
Types of Controls (part of strategy)
• Preventative Controls
– Mitigate or stop a person from acting or an event from occurring (e.g., locks, passwords, backup circuits)
– Act as a deterrent by discouraging or restraining
• Detective controls
– Reveal or discover unwanted events (e.g., auditing)
– Documenting events for potential evidence
• Corrective controls
– Remedy an unwanted event or a trespass
Policies and Procedures
Not all security measures are technical in nature. Managerial activities are important.
• Policies and procedures include:
– Confidential information policy
– Security policy
– Use policy
– Backup policy
– Account management policy
– Incident handling procedures
– Disaster recovery plan

Implementing Controls and Training
• Commonly used controls:
– Physical access restrictions
– Authentication
▪ Something you have (key, smart card)
▪ Something you know (password, PIN)
▪ Something you are (biometrics)
▪ Two-factor or multi-factor authentication uses a combination of these
– Firewalls
– Encryption & VPN
– Virus monitoring and prevention
– Secure data centers
– Systems development controls
– Human controls
Lammle Chapter 12
• PowerPoints cover these pages:
– 482-middle of 489
– Bottom of page 490-top 492
– Skim 496-499
• For those with a different version, check topic headers
Typical Secured Network: Perimeter + Firewall + Internal Router
• Internal routers
– Screen traffic to various parts of the protected corporate network using access lists
• DMZ (demilitarized zone)
– Also called perimeter network
– Kept separate from corporate network
Access Control Lists (ACL)
• List of conditions that categorize packets
• Useful to exercise control over network traffic
• Work like a series of if-then statements
• Once a condition is met, the rest of the statements are ignored.
• Can be applied to either inbound OR outbound traffic on any interface.
• Once applied, a router uses the ACL to analyze every packet that crosses that
Three ACL Rules
1. Packet compared with each line of the ACL in sequential order (1st line, 2nd, 3rd, etc.)
2. Packet compared with lines of the ACL until a match is made
• Once the match is made, action on the packet is taken and no further comparisons are made
3. Implicit "deny" at the end of each ACL
• Meaning if a packet doesn't match the condition on any of the lines in the ACL, the packet is discarded.
Types of Access Lists
• Standard Access Lists
– Use only the source IP address in an IP packet as the condition test
– Permit or deny an entire suite of protocols
– Don't distinguish between types of IP traffic (Web, Telnet, UDP, etc.)
• Extended Access Lists
– Evaluate many of the other fields in the layer 3 and layer 4 headers of an IP packet:
▪ Can evaluate source and destination IP addresses
▪ Protocol field in the Network layer header
Named Access Lists
• Either standard or extended access lists
• Created and referred to differently than numbered standard or extended access lists
• Functionally the same
• Allows the use of a name instead of a number (like FinanceLan)
• Requires small changes to syntax
Applying the ACL
Once the Access List is created on the router…
• Specify interface
• Specify direction (in or out)
• By specifying the direction of traffic, you can and must use different access lists for inbound and outbound traffic on a single interface.
Inbound and Outbound Access Lists
• Access lists are applied on an interface of a router.
• Inbound Access Lists
– When an access list is applied to inbound packets on an interface, those packets are processed through the access list before being routed to the outbound interface.
– Any packets denied won't be routed!
• Outbound Access Lists
– When an access list is applied to outbound packets on an interface, packets are routed to the outbound interface and then processed through the access list before being queued.
Access List Guidelines
• Can only assign one access list per interface per protocol per direction
• Organize list so that more specific tests are at the top
• New entries are always added to the bottom of the list
• Without a text editor, you can't remove one line from an access list without removing the entire list
• Unless the list ends with a "permit any" command, all packets are discarded if they do not meet any of the list's tests
• Every list should have at least one permit statement or it will deny all traffic (think about why)
Access List Guidelines
• Create access lists and then apply them to an interface
• ACLs filter traffic going through the router, not traffic originating from the router
• Standard IP ACLs are discouraged, but if used, place IP standard access lists as close to the destination as possible so other destinations are not affected
• Place IP extended access lists as close to the source as possible (deny as soon as possible, use less bandwidth)
IP Spoofing
"IP spoofing" is a security threat
• Done by simply changing the source address of incoming packets from their real address to an address inside the organization's network
• Without proper security, the firewall will pass this packet as it looks like a valid internal IP address
• In general, it's a bad idea to allow into a private network any external IP packets that contain the source address of any internal hosts or networks – Lammle says: "just don't do it!"
Denial of Service Attacks
• DoS attacks
– Most common attack on networks today
– Network disrupted by a flood of messages that prevents messages from normal users
– Flooding web servers, email servers so the server cannot respond
• Distributed DoS (DDoS) attacks come from many different computers
– DDoS agents on several machines are controlled by a DDoS handler, which may issue instructions to those computers to send simultaneous messages to a target computer
• Difficult to prevent DoS and DDoS attacks
– Set up many servers around the world
– Use Intrusion Detection Systems
– Require ISPs to verify that all incoming messages have valid IP addresses
Mitigating Security Issues with ACLs
• Security threats you can mitigate with ACLs:
– IP address spoofing, inbound or outbound
– DoS TCP SYN attacks, blocking external attacks
– DoS TCP SYN attacks, using TCP Intercept
– DoS smurf attacks (named after the tool that performs the attack)
– Denying/filtering ICMP messages, inbound or outbound
– Denying/filtering Traceroute
• Need an intrusion detection system/intrusion prevention system (IDS/IPS)
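The DoS slides describe a SYN flood by its effect (the server is left holding handshakes that never finish) and the list above names blocking external SYN attacks and TCP Intercept as ACL-based answers. The Python below is an added example, not taken from Lammle or from these slides, that runs that detection over a few constructed flow records: a client SYN that is not followed by the client's ACK within a timeout is a stale half-open connection, and a source that leaves many of them behind is the one an ACL deny line or TCP Intercept would target. The record layout, the server address, the timeout and the threshold are assumptions made for the example.

```python
from collections import defaultdict

# Constructed flow records (not page data): (time_s, src, dst, sport, dport, flags)
# flags: "S" = SYN from the client, "A" = the client's ACK that completes the handshake.

def half_open_counts(records, now: float, timeout: float = 1.0) -> dict:
    """Count, per source, handshakes that sent a SYN but never ACKed within `timeout`.
    A flood leaves many of these behind; a real client completes the exchange."""
    pending = {}                                   # (src, sport, dst, dport) -> SYN time
    for t, src, dst, sport, dport, flags in sorted(records):
        key = (src, sport, dst, dport)
        if flags == "S":
            pending.setdefault(key, t)             # a retransmitted SYN keeps the first time
        elif flags == "A":
            pending.pop(key, None)                 # third step of the handshake: no longer half-open
    counts = defaultdict(int)
    for (src, *_), t_syn in pending.items():
        if now - t_syn >= timeout:                 # still unanswered after the timeout
            counts[src] += 1
    return dict(counts)


def syn_flood_sources(records, now: float, threshold: int = 5, timeout: float = 1.0) -> list:
    """Sources with at least `threshold` stale half-open connections: candidates for an
    ACL deny line, or for TCP Intercept to start answering SYNs on the server's behalf."""
    return sorted(src for src, n in half_open_counts(records, now, timeout).items()
                  if n >= threshold)


SERVER = "172.16.50.10"   # assumed web server address for the example
SAMPLE_FLOWS = (
    # legitimate client: SYN, then its ACK 0.1 s later
    [(0.5, "198.51.100.4", SERVER, 51000, 80, "S"), (0.6, "198.51.100.4", SERVER, 51000, 80, "A")]
    # flooder: eight SYNs from different source ports, never an ACK
    + [(0.1 * i, "203.0.113.99", SERVER, 40000 + i, 80, "S") for i in range(8)]
    # brand-new legitimate SYN that has not had time to be answered yet
    + [(9.9, "198.51.100.8", SERVER, 52000, 80, "S")]
)
```

At `now=10.0` the flooder shows eight stale half-open connections and is the only source returned; the client at 198.51.100.4 completed its handshake and the SYN sent at 9.9 s is younger than the timeout, so neither is counted. That aging step is what keeps a burst of genuine new connections from being mistaken for a flood.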
Rules to live by when configuring ACLs from the Internet to production network
• Deny any source addresses from your internal networks
• Deny any local host addresses (127.0.0.0/8)
• Deny any reserved private addresses (RFC 1918: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16)
• Deny any addresses in the IP multicast range (224.0.0.0/4)
• None of these source addresses should ever be allowed to enter your
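The IP spoofing slide and the rules above say which source addresses must never arrive on the Internet-facing interface. The Python below is an added example, not part of Lammle's text or these slides, that applies those rules to constructed firewall log lines; the log format and the internal address block 172.16.0.0/16 are assumptions for the example. It also goes one step past the page's inbound list: on the same interface outbound it flags any packet whose source is not one of our own addresses, which is the egress half of anti-spoofing (a compromised inside host forging someone else's address).

```python
import ipaddress
import re

# Assumed internal address space for this example (the page does not name one).
INTERNAL_NETS = [ipaddress.ip_network("172.16.0.0/16")]

# Source ranges the page says must never ENTER from the Internet.
BOGON_RULES = [
    ("loopback-source", [ipaddress.ip_network("127.0.0.0/8")]),
    ("rfc1918-source", [ipaddress.ip_network(n) for n in
                        ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]),
    ("multicast-source", [ipaddress.ip_network("224.0.0.0/4")]),
]

# Constructed log format (not a real vendor format): interface, direction, src, dst.
LOG_RE = re.compile(r"iface=(?P<iface>\S+) dir=(?P<dir>in|out) src=(?P<src>\S+) dst=(?P<dst>\S+)")


def classify(iface: str, direction: str, src: str,
             internal_nets=INTERNAL_NETS, external_iface: str = "outside"):
    """Return why this packet should be dropped at the Internet edge, or None."""
    if iface != external_iface:
        return None                        # only the Internet-facing interface is policed
    addr = ipaddress.ip_address(src)
    is_ours = any(addr in net for net in internal_nets)
    if direction == "in":
        if is_ours:                        # classic spoof: our own address arriving from outside
            return "internal-source-entering"
        for reason, nets in BOGON_RULES:
            if any(addr in net for net in nets):
                return reason
        return None
    # direction == "out": egress filtering, only our own addresses may leave.
    return None if is_ours else "foreign-source-leaving"


def find_spoofed(lines):
    """Apply classify() to each log line; return (src, dst, reason) for every hit."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if m is None:
            continue
        reason = classify(m["iface"], m["dir"], m["src"])
        if reason:
            hits.append((m["src"], m["dst"], reason))
    return hits


# Constructed sample log lines.
SAMPLE_LOG = [
    "t=1 iface=outside dir=in src=203.0.113.5 dst=172.16.50.10 proto=tcp dport=443",
    "t=2 iface=outside dir=in src=172.16.40.9 dst=172.16.50.10 proto=tcp dport=22",
    "t=3 iface=outside dir=in src=127.0.0.1 dst=172.16.50.10 proto=udp dport=53",
    "t=4 iface=outside dir=in src=10.9.8.7 dst=172.16.50.10 proto=tcp dport=80",
    "t=5 iface=outside dir=in src=239.1.1.1 dst=172.16.50.10 proto=udp dport=5000",
    "t=6 iface=inside dir=in src=172.16.40.9 dst=203.0.113.5 proto=tcp dport=443",
    "t=7 iface=outside dir=out src=172.16.40.9 dst=203.0.113.5 proto=tcp dport=443",
    "t=8 iface=outside dir=out src=198.51.100.7 dst=203.0.113.5 proto=tcp dport=443",
]
```

The internal-network test runs before the RFC 1918 test on purpose: 172.16.40.9 falls in both ranges, and the more specific reason (an address of ours arriving from outside) is the one worth alerting on. Line 6 is the same internal address seen on the inside interface, which is normal traffic and is left alone.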
ACL Syntax
{ } means choose accordingly
{ } with | means choose one
[ ] optional choice

STANDARD ACL
Router(config)# access-list {1-99} {permit | deny} source-addr [source-wildcard]

EXTENDED ACL
Router(config)# access-list {100-199} {permit | deny} protocol source-addr [source-wildcard] [operator operand] destination-addr [destination-wildcard] [operator operand] [established]

WILDCARD MASKS (aka inverse mask)
0 bit: must match exactly; 1 bit: don't care
192.168.1.0 0.0.0.255 means network 192.168.1.0/24 (first three octets must match; the last octet can be anything)
ACL Examples (Cisco)
• https://www.cisco.com/c/en/us/support/docs/ip/access-lists/26448-ACLsamples.html#anc5
Cisco Example (cont.)
Example Standard Access List (pages 490 – 492)
• Uses only the source IP address in an IP packet as the condition test.
• A user on the Sales LAN should not have access to the Finance LAN.
access-list 10 deny 172.16.40.0 0.0.0.255
access-list 10 permit any
• Deny source addresses from Sales to Finance (others ok)
• 0.0.0.255 matches the first 3 octets exactly; the
• Assign this to which interface (int fa0/1)? Inbound or outbound?
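To tie together the Three ACL Rules, the wildcard-mask rule and the Sales/Finance example, here is an added example, not code from Lammle's book or from these slides, that parses the standard and extended access-list syntax shown above and evaluates packets the way the rules describe: lines are tested top-down, the first match decides, and a packet that matches nothing hits the implicit deny. The page's list 10 is used as-is; the extended list 110, the packet fields and the host addresses are assumptions constructed for the example.

```python
from __future__ import annotations
import ipaddress
from dataclasses import dataclass

ANY = ("0.0.0.0", "255.255.255.255")   # 'any': every bit is don't-care

@dataclass
class Packet:              # constructed packet (not page data): the L3/L4 fields a router checks
    src: str
    dst: str
    proto: str = "ip"      # "ip", "tcp", "udp" or "icmp"
    sport: int | None = None
    dport: int | None = None
    ack: bool = False      # TCP ACK/RST bit set -> counts as 'established'

@dataclass
class Entry:
    action: str            # "permit" or "deny"
    proto: str             # "ip" matches every IP protocol
    src: tuple             # (address, wildcard)
    dst: tuple = ANY       # standard lists never look at the destination
    sport: tuple | None = None   # (operator, port), e.g. ("eq", 23)
    dport: tuple | None = None
    established: bool = False

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard (inverse) mask: 0 bits must match exactly, 1 bits are ignored."""
    a, b = int(ipaddress.IPv4Address(addr)), int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (b & ~w)

def _parse_addr(tokens: list, require_wildcard: bool) -> tuple:
    tok = tokens.pop(0)
    if tok == "any":
        return ANY
    if tok == "host":
        return (tokens.pop(0), "0.0.0.0")
    if require_wildcard or (tokens and tokens[0][0].isdigit()):
        return (tok, tokens.pop(0))
    return (tok, "0.0.0.0")    # standard-list shorthand: a bare address is one host

def _parse_port(tokens: list) -> tuple | None:
    if tokens and tokens[0] in ("eq", "neq", "gt", "lt"):
        return (tokens.pop(0), int(tokens.pop(0)))
    return None

def parse_acl_line(line: str) -> tuple[int, Entry]:
    """Parse 'access-list N {permit|deny} ...' (standard 1-99, extended 100-199)."""
    tokens = line.split()
    number, action, rest = int(tokens[1]), tokens[2], tokens[3:]
    if 1 <= number <= 99:                       # standard: source address only
        return number, Entry(action, "ip", _parse_addr(rest, False))
    if 100 <= number <= 199:                    # extended: protocol, src, dst, ports
        proto = rest.pop(0)
        src, sport = _parse_addr(rest, True), _parse_port(rest)
        dst, dport = _parse_addr(rest, True), _parse_port(rest)
        return number, Entry(action, proto, src, dst, sport, dport, "established" in rest)
    raise ValueError(f"unsupported list number {number}")

def load_acls(config: str) -> dict[int, list[Entry]]:
    """Group entries by list number; a new line always lands at the bottom of its list."""
    acls: dict[int, list[Entry]] = {}
    for line in filter(str.strip, config.splitlines()):
        number, entry = parse_acl_line(line.strip())
        acls.setdefault(number, []).append(entry)
    return acls

def _port_ok(spec: tuple | None, port: int | None) -> bool:
    if spec is None:
        return True
    op, p = spec
    return port is not None and {"eq": port == p, "neq": port != p, "gt": port > p, "lt": port < p}[op]

def matches(e: Entry, pkt: Packet) -> bool:
    if e.proto != "ip" and e.proto != pkt.proto:
        return False
    if not (wildcard_match(pkt.src, *e.src) and wildcard_match(pkt.dst, *e.dst)):
        return False
    if not (_port_ok(e.sport, pkt.sport) and _port_ok(e.dport, pkt.dport)):
        return False
    return not e.established or (pkt.proto == "tcp" and pkt.ack)

def evaluate(acl: list[Entry], pkt: Packet) -> tuple[str, int | None]:
    """The three ACL rules: top-down, first match wins, implicit deny (index None) otherwise."""
    for i, entry in enumerate(acl):
        if matches(entry, pkt):
            return entry.action, i
    return "deny", None

# The book's standard list 10 (deny the Sales LAN, permit everyone else) plus a
# constructed extended list 110 that exercises ports and 'established'.
SAMPLE_CONFIG = """
access-list 10 deny 172.16.40.0 0.0.0.255
access-list 10 permit any
access-list 110 deny tcp 172.16.40.0 0.0.0.255 172.16.50.0 0.0.0.255 eq 23
access-list 110 permit tcp any 172.16.50.0 0.0.0.255 established
access-list 110 permit tcp any host 172.16.50.10 eq 80
"""
ACLS = load_acls(SAMPLE_CONFIG)
```

evaluate() returns the action together with the index of the line that matched, which is the per-line hit a router counts; None means the implicit deny at the end. Swap the two lines of list 10 and the Sales LAN is permitted by the first line before the deny is ever reached, which is why the guidelines above say to put the more specific test at the top. In list 110, a return packet with the ACK bit set matches the `established` line even when its port is not otherwise permitted, while a fresh SYN to port 443 matches nothing and is dropped.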
Cisco Example
