Page 1

Information And Network Security Essential

By Erwin Dusojan

Trend Micro - Girls In Tech – Training Week 1

10/21/2021

Page 2

© 2020 Trend Micro Inc.

Information Security Essentials

Page 3

What is the CIA?

[Diagram: the CIA triad - Confidentiality, Integrity and Availability as the three sides of Information Security]

Page 4

Understanding the CIA

Confidentiality

• Ensures that data or a system is accessed only by authorized persons.

• Confidentiality is enforced through the principle of least privilege: each user, process or system is granted only the access it needs to do its job, and nothing more.

Page 5

Confidentiality – Countermeasures

• Encryption

• Strict Access Control

• Rigorous authentication procedures

• Data classification

Page 6

Understanding the CIA

Integrity

• Refers to protecting information from being modified by unauthorized parties

• Maintaining the expected state of our data or system

Page 7

Integrity – Countermeasures

• Hash verification (hashing): recompute a digest of the data and compare it with a trusted reference value; any change to the data changes the digest

• Strict Access Control

• Intrusion Detection System
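A worked example of the hash-verification countermeasure, added here and not part of the slides. It uses only the Python standard library; the sample "configuration file" bytes and the shared key are constructed for the example. It also shows the caveat a practitioner needs: a plain digest only protects integrity if the reference digest itself cannot be replaced by the attacker, whereas a keyed HMAC ties the check to a secret the attacker does not have.

```python
"""Integrity check by hash verification (added example, not from the slides)."""
import hashlib
import hmac


def sha256_hex(data: bytes) -> str:
    """Unkeyed digest: detects any change to the bytes, accidental or malicious."""
    return hashlib.sha256(data).hexdigest()


def verify_digest(data: bytes, expected_hex: str) -> bool:
    """Compare a fresh digest with the published one in constant time."""
    return hmac.compare_digest(sha256_hex(data), expected_hex.lower())


def hmac_tag(key: bytes, data: bytes) -> str:
    """Keyed digest: only holders of `key` can produce a valid tag."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_hmac(key: bytes, data: bytes, tag_hex: str) -> bool:
    return hmac.compare_digest(hmac_tag(key, data), tag_hex.lower())


# Constructed sample data: a config file protected at rest, and a tampered copy.
ORIGINAL = b"listen=0.0.0.0:443\nadmin=alice\n"
TAMPERED = b"listen=0.0.0.0:443\nadmin=mallory\n"
KEY = b"example-shared-secret"  # assumption: provisioned out of band, never stored next to the data
PUBLISHED_DIGEST = sha256_hex(ORIGINAL)
PUBLISHED_TAG = hmac_tag(KEY, ORIGINAL)


def attacker_rewrites_file_and_digest() -> dict:
    """Scenario: the attacker can write both the file and the stored digest.

    The plain digest check passes for the tampered file because the attacker
    simply recomputed it; the HMAC check still fails because the attacker has
    no key, so the stored tag no longer matches the new content.
    """
    forged_digest = sha256_hex(TAMPERED)
    return {
        "digest_check_passes": verify_digest(TAMPERED, forged_digest),
        "hmac_check_passes": verify_hmac(KEY, TAMPERED, PUBLISHED_TAG),
    }


if __name__ == "__main__":
    print("original passes digest check:", verify_digest(ORIGINAL, PUBLISHED_DIGEST))
    print("tampered passes digest check:", verify_digest(TAMPERED, PUBLISHED_DIGEST))
    print("attacker rewrites file and digest:", attacker_rewrites_file_and_digest())
```

In practice the reference digest is published through a channel the attacker cannot write to (a signed manifest, a separate server), or replaced by an HMAC or digital signature as shown; `hmac.compare_digest` is used for both comparisons so that the check does not leak, byte by byte, how close a forged value is.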

Page 8

Non-repudiation

• The subject of an activity, or whoever caused an event, cannot deny that the event occurred.

• Prevents a subject from:

– claiming not to have sent a message

– claiming not to have performed an action

– claiming not to have been the cause of an event

Page 9

Understanding the CIA

Availability

• A guarantee of reliable access to the information by authorized people

• These aspects must be functioning correctly:

– Computing systems used to store and process the information

– Security controls used to protect assets

Page 10

Availability – Countermeasures

• Firewalls and traffic filtering to mitigate DoS/DDoS

• Redundancy/ High Availability

• Fault tolerance

• Maintaining backup

• Business continuity planning (BCP)

Page 11

Current Version: 1.1

Network Security Essentials

Page 12

Network Traffic Analysis

• Networking Essentials

• Packet Sniffer

• Reconnaissance

Page 13

Networking Essentials

Page 14

TCP communication

Page 15

Overview of TCP communication

• Traditional TCP control flags / bits

▪ SYN - Start a connection

▪ ACK - Acknowledgement of received data

▪ RST - Reset or abort the connection

▪ FIN - Close a connection

▪ URG - Packet contains urgent data (the Urgent Pointer field is valid)

▪ PSH - Push: deliver the data to the application immediately even if the buffer isn't full

Page 16

TCP connection establishment

• Sequence and acknowledgement numbers

▪ Sequence numbers allow the receiver to discard duplicate segments and put reordered segments back in the right order

▪ The acknowledgement number specifies the sequence number of the next byte the sender of the ACK expects to receive
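Worked example for the two slides above (the control flags and the sequence/acknowledgement numbers): a Python parser for the fixed TCP header that decodes the flag bits, plus a check of the three-way handshake arithmetic. This is added here and is not code from the slides; the segments it parses are constructed inline (port numbers and initial sequence numbers are arbitrary, and the checksum is left zero because computing it needs the IP pseudo-header).

```python
"""Parse TCP headers and check the three-way handshake (added example, not from the slides)."""
import struct

# Flag bits of the 13th header byte (RFC 793 order; CWR/ECE omitted for brevity).
FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}
SEQ_MOD = 1 << 32


def parse_tcp_header(segment: bytes) -> dict:
    """Decode the fixed 20-byte TCP header; options are skipped, payload is returned."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    (sport, dport, seq, ack, offset_reserved, flag_byte,
     window, checksum, urgent) = struct.unpack("!HHIIBBHHH", segment[:20])
    data_offset = (offset_reserved >> 4) * 4          # header length in bytes
    if data_offset < 20 or data_offset > len(segment):
        raise ValueError("bad data offset")
    return {
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "flags": {name for name, bit in FLAG_BITS.items() if flag_byte & bit},
        "window": window, "checksum": checksum, "urgent": urgent,
        "payload": segment[data_offset:],
    }


def build_tcp_segment(sport, dport, seq, ack, flags, payload=b"", window=65535) -> bytes:
    """Build a minimal segment for tests. Checksum is left 0: it needs the IP
    pseudo-header, which is out of scope for header parsing."""
    flag_byte = 0
    for name in flags:
        flag_byte |= FLAG_BITS[name]
    header = struct.pack("!HHIIBBHHH", sport, dport, seq % SEQ_MOD, ack % SEQ_MOD,
                         5 << 4, flag_byte, window, 0, 0)
    return header + payload


def check_handshake(segments) -> tuple:
    """Validate SYN -> SYN+ACK -> ACK including the sequence/ack arithmetic.

    The SYN consumes one sequence number, so the server must acknowledge
    ISN_client + 1 and the client must acknowledge ISN_server + 1 (mod 2^32).
    Returns (ok, reason).
    """
    if len(segments) != 3:
        return False, "expected exactly three segments"
    syn, synack, ack = (parse_tcp_header(s) for s in segments)
    if syn["flags"] != {"SYN"}:
        return False, "first segment is not a bare SYN"
    if synack["flags"] != {"SYN", "ACK"}:
        return False, "second segment is not SYN+ACK"
    if synack["ack"] != (syn["seq"] + 1) % SEQ_MOD:
        return False, "SYN+ACK does not acknowledge client ISN+1"
    if "ACK" not in ack["flags"] or "SYN" in ack["flags"]:
        return False, "third segment is not a plain ACK"
    if ack["seq"] != (syn["seq"] + 1) % SEQ_MOD:
        return False, "client ACK uses the wrong sequence number"
    if ack["ack"] != (synack["seq"] + 1) % SEQ_MOD:
        return False, "client ACK does not acknowledge server ISN+1"
    return True, "handshake ok"


def sample_handshake(client_isn=1000, server_isn=5000):
    """Constructed exchange between client port 40000 and server port 80."""
    return [
        build_tcp_segment(40000, 80, client_isn, 0, {"SYN"}),
        build_tcp_segment(80, 40000, server_isn, client_isn + 1, {"SYN", "ACK"}),
        build_tcp_segment(40000, 80, client_isn + 1, server_isn + 1, {"ACK"}),
    ]


if __name__ == "__main__":
    for seg in sample_handshake():
        h = parse_tcp_header(seg)
        print(h["sport"], "->", h["dport"], sorted(h["flags"]), "seq", h["seq"], "ack", h["ack"])
    print(check_handshake(sample_handshake()))
```

The same parser applied to captured segments is what lets a scanner or an IDS tell a bare SYN, a bare ACK or an FIN+PSH+URG combination apart from normal traffic, which is the basis of the port-scanning slides later in the deck.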

Page 17

Non-conventional use of TCP/IP packets

• Reconnaissance

▪ A method of observing and collecting information about a potential target with the intention of finding a way to attack the target

• DoS / DDoS

▪ The attacker sends TCP/IP packets at large scale, usually with a spoofed source address, to consume the target's resources and prevent legitimate traffic from being served

▪ Types of DDoS attacks:

• Bandwidth (volumetric) attack

• Application attack

Page 18

Packet Sniffer

Page 19

Packet Sniffer

• Also called a network packet analyzer

• A computer program or piece of hardware that can intercept and log traffic passing over a digital network or part of a network

• Popular tool: Wireshark - https://www.wireshark.org/

Page 20

Packet Sniffer

Page 21

Packet Sniffer

• Wireshark Essentials:

▪ Display filter

▪ Examples:

• Show only HTTP traffic: http

• Show only HTTP GET requests (downloads): http.request.method == "GET"

Page 22

Packet Sniffer

• Wireshark Essentials:

▪ Following TCP streams
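Follow TCP Stream works by putting segments back in sequence-number order and dropping retransmitted bytes. The following Python function does the same on a list of (seq, payload) pairs, as an added example that is not code from the slides or from Wireshark; the HTTP request it reassembles and the segment boundaries are constructed, and the initial sequence number is chosen just below 2^32 to show that wrap-around is handled.

```python
"""Reassemble a TCP stream from out-of-order and duplicated segments using
sequence numbers (added example, not from the slides)."""
SEQ_MOD = 1 << 32


def reassemble(segments, isn):
    """segments: iterable of (seq, payload) in arrival order, possibly reordered
    or duplicated; isn: sequence number of the SYN, so the first data byte is
    at isn + 1. Returns (data, next_expected_seq, gap): next_expected_seq is the
    value a receiver would put in its acknowledgement number, gap is None or the
    relative byte range that is still missing."""
    base = (isn + 1) % SEQ_MOD
    # Relative sequence numbers (what Wireshark displays) make wrap-around sorting trivial.
    ordered = sorted(((seq - base) % SEQ_MOD, payload) for seq, payload in segments if payload)
    data = bytearray()
    nxt = 0                      # relative offset of the next byte we need
    gap = None
    for rel, payload in ordered:
        if rel + len(payload) <= nxt:
            continue             # pure duplicate / retransmission: discard
        if rel > nxt:
            gap = (nxt, rel)     # hole: stop and wait for a retransmission
            break
        data += payload[nxt - rel:]   # trim any overlap with bytes already received
        nxt = rel + len(payload)
    return bytes(data), (base + nxt) % SEQ_MOD, gap


# Constructed HTTP request, split as a sender with a small MSS might do.
CLIENT_ISN = SEQ_MOD - 30        # so the sequence numbers wrap past 2^32 mid-request
REQUEST = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\nConnection: close\r\n\r\n"
CHUNK = 20


def constructed_capture(drop=None, reorder=True, duplicate=True):
    """Split REQUEST into segments tagged with absolute sequence numbers, then
    optionally drop one, retransmit the first, and deliver them out of order."""
    first = (CLIENT_ISN + 1) % SEQ_MOD
    segs = [((first + i) % SEQ_MOD, REQUEST[i:i + CHUNK]) for i in range(0, len(REQUEST), CHUNK)]
    if drop is not None:
        del segs[drop]
    if duplicate:
        segs.append(segs[0])          # spurious retransmission of the first segment
    if reorder:
        segs[0], segs[-2] = segs[-2], segs[0]
    return segs


if __name__ == "__main__":
    data, nxt, gap = reassemble(constructed_capture(), CLIENT_ISN)
    print(data.decode(), "next ack:", nxt, "gap:", gap)
    data, nxt, gap = reassemble(constructed_capture(drop=1), CLIENT_ISN)
    print(repr(data), "next ack:", nxt, "gap:", gap)
```

The returned `next_expected_seq` is exactly the acknowledgement number a receiver would send back; when a segment is lost the value stops advancing, which is why repeated ACKs with the same number in a capture point at the missing segment.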

Page 23

Packet Sniffer

• Wireshark Essentials:

▪ Expert Info entries

Page 24

Packet Sniffer

• Wireshark Essentials:

▪ Filter expressions / filter buttons

Page 25

Packet Sniffer

• Wireshark Essentials:

▪ Creating filter expression buttons

Page 26

Packet Sniffer

• PCAP sample: web browsing to www.yahoo.com

Page 27

Lab Activity

Exercise 1: SMTP Packet Analysis

Exercise 2: HTTP Packet Analysis

Exercise 3: DNS Packet Analysis

Page 28

Reconnaissance

Page 29

Reconnaissance

• Probing targets with the intent of gathering information

▪ Information can be used during later attack phases

• Use of TCP control bits/flags to determine the status of TCP ports

• Types of scans:

▪ Port scan: open ports and services

▪ Network scan: IP addresses (live hosts), operating systems, services

▪ Vulnerability scan: presence of known weaknesses or security holes

Page 30

Port Scanners

• Software applications designed to probe hosts for open ports, e.g. to verify that security policies are enforced

• Attackers use them to identify the services running on a host

▪ Provides the information needed to exploit vulnerabilities

• Popular applications:

▪ Angry IP Scanner - https://angryip.org/

▪ Nmap - https://nmap.org/

▪ Kali Linux tools - https://www.kali.org/

Page 31

Reconnaissance: Port Scanning

• ACK Scan

– Tests whether a stateful firewall is present between the attacker and the target

– Not used to determine whether a port is open or closed

– Target responds with an RST packet

» Port is unfiltered: no stateful firewall is in the path

– No response, or an ICMP destination unreachable error (type 3, code 1, 2, 3, 9, 10 or 13)

» Port is filtered: a stateful firewall is present

– Stateful inspection: the firewall maintains a table of open connections and only passes packets that belong to an existing connection or legitimately start a new one; a bare ACK that matches no connection is dropped

[Diagram: ACK + PORT -> RST: port is unfiltered; ACK + PORT -> ICMP error (type 3, code 1, 2, 3, 9, 10 or 13) or no response: port is filtered]

Page 32

Reconnaissance: Port Scanning

• SYN Scan (a.k.a. TCP half-open or "stealth" scan)

– Response with SYN+ACK

» Port is open (the scanner then sends RST to tear the half-open connection down)

– Response with RST packet

» Port is closed

– ICMP unreachable error or no reply

» Port is filtered, likely blocked by a firewall

– The final ACK is never sent by the attacker

» Avoids opening a full TCP connection, so the service never sees an accepted connection and may not log it

[Diagram: SYN + PORT -> SYN+ACK, scanner replies RST: port is open; SYN + PORT -> RST: port is closed]

Page 33

Reconnaissance: Port Scanning

• FIN Scan

– Response with RST packet

» Port is closed

– No response

» Port is open (or filtered: a probe silently dropped by a firewall looks exactly like an open port)

[Diagram: FIN + PORT -> no response: port is open; FIN + PORT -> RST: port is closed]

Page 34

Reconnaissance: Port Scanning

• XMAS scan (FIN, PSH and URG set at once, "lit up like a Christmas tree")

– Same interpretation as the FIN scan: RST means closed, no response means open (or filtered)

▪ Difficulties using the XMAS scan:

• The unusual flag combination is easy for an IDS to identify

• Modern systems may drop or ignore such probes; Windows, for example, answers RST on every port regardless of its state, so all ports appear closed

[Diagram: PSH,FIN,URG + PORT -> no response: port is open; PSH,FIN,URG + PORT -> RST: port is closed]

Page 35

Reconnaissance: Port Scanning

• UDP Scan

▪ UDP is a connectionless protocol, so it reacts differently from TCP: there is no handshake, and an open port is not obliged to answer an empty probe

▪ Technical challenges of UDP scanning:

• A closed port answers with ICMP port unreachable (type 3, code 3); an open port usually answers with nothing, so silence means "open or filtered"

• If a port is blocked by a firewall that silently drops the probe, this method will falsely report the port as open

• If ICMP port unreachable messages are blocked, every port will appear open

[Diagram: UDP + PORT -> ICMP port unreachable: port is closed; UDP + PORT -> no response: port is open (or filtered)]
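Added example covering the five scan slides above (not code from the slides, nor from Nmap): a Python function that turns a probe type and the observed reply into the port state each slide describes, and a detector that runs over a constructed packet log and flags sources sending probe-shaped segments to many distinct ports. The IP addresses, port lists and alert threshold are constructed for the example.

```python
"""Interpret port-scan responses and detect scan-like probe patterns in a
packet log (added example, not from the slides)."""
from collections import defaultdict

# ICMP type 3 codes that mean "some filter refused the probe" (the codes listed on the ACK-scan slide).
FILTERED_CODES = {1, 2, 3, 9, 10, 13}

# Flag combinations that identify each TCP probe type.
PROBE_FLAGS = {
    "SYN": frozenset({"SYN"}),
    "ACK": frozenset({"ACK"}),
    "FIN": frozenset({"FIN"}),
    "XMAS": frozenset({"FIN", "PSH", "URG"}),
    "NULL": frozenset(),
}


def port_state(probe, response):
    """Apply the decision tables from the scan slides.

    probe: "SYN", "ACK", "FIN", "XMAS", "NULL" or "UDP".
    response: a frozenset of TCP flags, the tuple ("ICMP", type, code),
              the string "UDP" for a UDP payload reply, or None for no reply.
    """
    icmp = isinstance(response, tuple) and response[0] == "ICMP"
    unreachable = icmp and response[1] == 3 and response[2] in FILTERED_CODES
    rst = isinstance(response, frozenset) and "RST" in response

    if probe == "SYN":
        if isinstance(response, frozenset) and {"SYN", "ACK"} <= response:
            return "open"
        if rst:
            return "closed"
        if response is None or unreachable:
            return "filtered"
    elif probe == "ACK":
        if rst:
            return "unfiltered"      # no stateful firewall in the path
        if response is None or unreachable:
            return "filtered"
    elif probe in ("FIN", "XMAS", "NULL"):
        if rst:
            return "closed"
        if response is None:
            return "open|filtered"   # silence is ambiguous: RFC-compliant open port or dropped probe
        if unreachable:
            return "filtered"
    elif probe == "UDP":
        if icmp and response[1] == 3 and response[2] == 3:
            return "closed"          # port unreachable
        if unreachable:
            return "filtered"        # other unreachable codes, e.g. administratively prohibited
        if response == "UDP":
            return "open"
        if response is None:
            return "open|filtered"
    return "unknown"


def detect_scanners(packets, port_threshold=10):
    """packets: iterable of (src, dst, dport, flags) for inbound TCP segments.
    Alerts on a source that sends probe-shaped segments (bare SYN, ACK, FIN,
    XMAS or NULL) to at least `port_threshold` distinct ports of one host.
    Bare ACKs are also normal traffic, so the per-port threshold keeps that quiet."""
    seen = defaultdict(lambda: defaultdict(set))
    for src, dst, dport, flags in packets:
        for name, pattern in PROBE_FLAGS.items():
            if frozenset(flags) == pattern:
                seen[(src, dst)][name].add(dport)
    alerts = []
    for (src, dst), by_probe in seen.items():
        for name, ports in by_probe.items():
            if len(ports) >= port_threshold:
                alerts.append({"src": src, "dst": dst, "probe": name, "ports": len(ports)})
    return alerts


def constructed_log():
    """Constructed packet log: one normal web client, one XMAS scanner, one SYN scanner."""
    log = [("10.0.0.5", "10.0.0.80", 443, {"SYN"}),
           ("10.0.0.5", "10.0.0.80", 443, {"ACK"}),
           ("10.0.0.5", "10.0.0.80", 443, {"ACK", "PSH"})]
    log += [("198.51.100.7", "10.0.0.80", p, {"FIN", "PSH", "URG"}) for p in range(1, 25)]
    log += [("203.0.113.9", "10.0.0.80", p, {"SYN"})
            for p in (21, 22, 23, 25, 53, 80, 110, 143, 443, 445, 3389)]
    return log


if __name__ == "__main__":
    print(port_state("SYN", frozenset({"SYN", "ACK"})), port_state("UDP", None))
    for alert in detect_scanners(constructed_log()):
        print(alert)
```

The "open|filtered" results are the practical reason FIN, XMAS, NULL and UDP scans are slower and less conclusive than a SYN scan: the scanner has to retransmit and still cannot distinguish an open port from a silently dropping firewall.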

Page 36

Reconnaissance: Network Scan

• Host discovery

▪ The process of reducing a set of IP ranges to a list of active or interesting hosts

▪ ICMP echo request / reply

• Intended to determine whether a host is alive or not

▪ ICMP error response or no reply

• Means either the host is not alive or ICMP echo traffic is filtered / blocked

• Alternative to ICMP echo

▪ The traceroute command discovers the route between the sender and the targeted host by sending packets with increasing TTLs; each router that decrements the TTL to zero replies with an ICMP time exceeded message, revealing its address

Page 37

Lab Activity

Exercise 4: vApp Preparation

Exercise 5: Host Discovery

Page 38

Reconnaissance: OS Fingerprinting

• OS fingerprinting

▪ A process to determine the operating system used by a host on a network

▪ Fingerprinting techniques are based on differences in the packets generated by different operating systems

• E.g. initial IP TTL values, IP ID generation, TCP window size, TCP options and their order, etc.

Page 39

Lab Activity

Exercise 6: OS Fingerprinting

• nmap -O

• Nmap NSE scripting

Page 40

Reconnaissance: Netcat

• Simple command-line networking utility, originally for UNIX

• Reads and writes data across network connections

▪ using the TCP or UDP protocol

• Functions as both client and server

▪ can listen for inbound connections on arbitrary ports

▪ "nc host port" creates a TCP connection to the given port on the given target host

Page 41

Lab Activity

Exercise 7: Port Scan

• Netcat connect scan

• SYN Scan

• UDP Scan

Page 42

Reconnaissance: Banner Grabbing

• Banner

▪ The response received when accessing a service

▪ Contains information about the specific application / service, often including product name and version

• Banner grabbing

▪ A technique used to gather information about a computer and its running services
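Added example for the Netcat connect scan and banner grabbing exercises (not code from the slides, and not netcat itself): a Python connect scan and banner grab run against a throw-away loopback service started in a background thread, so it works offline. The banner string is constructed, and the port numbers are assigned by the operating system at run time.

```python
"""TCP connect scan and banner grabbing against a local test service
(added example, not from the slides; the banner text is constructed)."""
import socket
import socketserver
import threading

BANNER = b"220 mail.example.test ESMTP Postfix (constructed banner)\r\n"


class BannerHandler(socketserver.BaseRequestHandler):
    """Stand-in for a real service: greet the client with a banner, then hang up."""
    def handle(self):
        self.request.sendall(BANNER)


class ReusableServer(socketserver.TCPServer):
    allow_reuse_address = True


def start_test_service():
    """Listen on an ephemeral loopback port in a background thread."""
    server = ReusableServer(("127.0.0.1", 0), BannerHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def free_port():
    """Find a loopback port nothing is listening on (used as the 'closed' port)."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def connect_scan(host, ports, timeout=0.5):
    """Full-connect scan, like `nc -z` or `nmap -sT`: the OS completes the whole handshake,
    so unlike a SYN scan the service sees (and may log) an accepted connection."""
    states = {}
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            try:
                s.connect((host, port))
                states[port] = "open"
            except ConnectionRefusedError:
                states[port] = "closed"      # an RST came back
            except OSError:
                states[port] = "filtered"    # timeout or unreachable: no answer
    return states


def grab_banner(host, port, timeout=1.0, max_bytes=512):
    """Connect and read whatever the service volunteers before we send anything."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        try:
            return s.recv(max_bytes)
        except OSError:
            return b""                       # service waits for the client to speak first


def demo():
    """Scan one open and one closed loopback port, then grab the open port's banner."""
    server, open_port = start_test_service()
    closed_port = free_port()
    try:
        states = connect_scan("127.0.0.1", [open_port, closed_port])
        banner = grab_banner("127.0.0.1", open_port)
    finally:
        server.shutdown()
        server.server_close()
    return states, banner, open_port, closed_port


if __name__ == "__main__":
    states, banner, open_port, closed_port = demo()
    print(states)
    print(f"banner from port {open_port}: {banner!r}")
```

The banner here names the product and, in a real deployment, its version; that string is what a vulnerability scanner matches against its plugin database, which is why trimming or generalising service banners is a cheap hardening step even though it does not remove the underlying weakness.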

Page 43

Lab Activity

Exercise 8: Banner Grabbing

• Netcat

• Nmap

Page 44

Reconnaissance: Vulnerability Scanning

• A vulnerability is a security hole or weakness

▪ often exploited with malicious intent by attackers and malware

• Vulnerability scanners

▪ A special type of automated utility designed to identify known holes or weaknesses in operating systems and applications

▪ Used legitimately by defenders; however, attackers may also employ similar tools to identify weaknesses in the target environment

Page 45

Vulnerability Scanners

• Vulnerability scanners are designed to assess computers, computer systems, networks or applications for known weaknesses.

▪ Popular applications:

• Nexpose - https://www.rapid7.com/ja/

• Nessus - https://tenable.com/

• OpenVAS - https://www.openvas.org/

• Metasploit - https://www.metasploit.com/ (an exploitation framework that also ships auxiliary scanner modules)

Page 46

Lab Activity

Exercise 9: SNMP Enumeration

• Enable SNMP and set a community string

• SNMP Enumeration Metasploit

Page 47

Thank You!

Page 48

Threats detected and blocked globally by Trend Micro in 2018. Created with real data by artist Daniel Beauchamp.