Network & Information Security Training


  • 8/18/2019 Network & Information Security Training


Network & Information Security


    What will be covered

• Basics of Networks

• Introduction to Network Security

• Security Threats, Risks & Attacks

• Securing Networks & Data


OSI Model: the complicated way (top down)

Mnemonic: All People Seem To Need Data Processing

• Application Layer (7): All
• Presentation Layer (6): People
• Session (5): Seem
• Transport (4): To
• Network (3): Need
• Data Link (2): Data
• Physical (1): Processing


OSI Model: the simple way (bottom up)

Mnemonic: Porgi Dili Nahi Tar Saral Palaun Aana

• Physical (1): Porgi
• Data Link (2): Dili
• Network (3): Nahi
• Transport (4): Tar
• Session (5): Saral
• Presentation Layer (6): Palaun
• Application Layer (7): Aana


    TCP 3-WAY Handshake

The TCP 3-way handshake is how TCP sets up a connection over an IP-based network. As the name implies, three messages are exchanged to establish the connection:

1. The client that wants to establish a connection with the remote server sends a SYN (synchronization) packet carrying its initial sequence number.

2. The server responds with a SYN-ACK (synchronization acknowledgement) packet, acknowledging the client's sequence number and sending its own.

3. The client receives the server's acknowledgement and responds with its own ACK (acknowledgement) packet. Once the server receives it, the connection is established. Until that third packet arrives the server is holding a "half-open" connection, which is exactly the state a SYN flood tries to exhaust.
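The exchange described above, as an added example that is not part of the original training deck: a Python simulation of both sides of the handshake, including the sequence/acknowledgement bookkeeping and what is left on the server when the third ACK never arrives. No real sockets are opened; the addresses and the backlog limit are constructed values.

```python
"""Simulation of the TCP three-way handshake with sequence/acknowledgement
numbers, and of what a missing third ACK leaves behind on the server.

Added example, not from the original training deck. It models only the
SYN / SYN-ACK / ACK logic; no real sockets are opened, and the backlog
limit is a constructed value. Initial sequence numbers are random, as in
a real TCP stack."""
import secrets
from dataclasses import dataclass, field

MOD = 2 ** 32  # TCP sequence numbers are 32-bit and wrap around


@dataclass
class Segment:
    src: str
    dst: str
    seq: int
    ack: int
    syn: bool = False
    ack_flag: bool = False


@dataclass
class Server:
    addr: str
    backlog: int = 3                                  # max half-open (SYN_RECEIVED) entries
    half_open: dict = field(default_factory=dict)     # client addr -> our ISN
    established: set = field(default_factory=set)

    def on_segment(self, seg: Segment):
        """Process one incoming segment; return the reply segment or None."""
        if seg.syn and not seg.ack_flag:
            # Step 1 arrived: a fresh SYN. State is allocated here, before the
            # client has proven it can receive, which is what a SYN flood abuses.
            if len(self.half_open) >= self.backlog:
                return None                           # backlog full: SYN dropped
            isn = secrets.randbelow(MOD)
            self.half_open[seg.src] = isn
            # Step 2: SYN-ACK acknowledges the client's ISN + 1
            return Segment(self.addr, seg.src, isn, (seg.seq + 1) % MOD,
                           syn=True, ack_flag=True)
        if seg.ack_flag and seg.src in self.half_open:
            # Step 3: the final ACK must acknowledge exactly our ISN + 1
            if seg.ack != (self.half_open[seg.src] + 1) % MOD:
                return None                           # stale or forged ACK: ignore
            del self.half_open[seg.src]
            self.established.add(seg.src)
        return None


def client_handshake(client_addr: str, server: Server, send_final_ack: bool = True) -> bool:
    """Run the handshake from the client side; True once the server marks it established."""
    isn = secrets.randbelow(MOD)
    synack = server.on_segment(Segment(client_addr, server.addr, isn, 0, syn=True))
    if synack is None or not (synack.syn and synack.ack_flag):
        return False
    if synack.ack != (isn + 1) % MOD:                 # server must echo our ISN + 1
        return False
    if not send_final_ack:
        return False                                  # leaves a half-open entry behind
    server.on_segment(Segment(client_addr, server.addr, (isn + 1) % MOD,
                              (synack.seq + 1) % MOD, ack_flag=True))
    return client_addr in server.established


def forged_ack_is_ignored() -> bool:
    """An ACK with the wrong acknowledgement number never completes a connection."""
    s = Server("10.0.0.1")
    synack = s.on_segment(Segment("10.0.0.9", s.addr, 1000, 0, syn=True))
    s.on_segment(Segment("10.0.0.9", s.addr, 1001, (synack.seq + 5) % MOD, ack_flag=True))
    return synack.ack == 1001 and "10.0.0.9" not in s.established


def demo():
    """One good client, then five spoofed SYNs that never send the third ACK."""
    s = Server("10.0.0.1")
    ok = client_handshake("10.0.0.50", s)
    for i in range(5):
        client_handshake(f"198.51.100.{i}", s, send_final_ack=False)
    blocked = not client_handshake("10.0.0.51", s)   # legitimate client now refused
    return ok, len(s.half_open), blocked
```

Running `demo()` shows the two lessons at once: the acknowledgement numbers tie each message to the previous one (a forged ACK is discarded), and because the server commits state on the first SYN, a handful of spoofed SYNs that never complete are enough to make it refuse a legitimate client. Real stacks mitigate this with SYN cookies, which defer state allocation until the third packet.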


    Introduction to Security

• The network is the medium on which information travels.

• Security needs to be maintained because information is being passed between computers and is vulnerable to attack while in transit.

• Network security is important to protect assets and critical data from unauthorized access and tampering, and to keep them always available.


    Why do we need security?

• Protect vital information while still allowing access to those who need it

 – Trade secrets, medical records, bank records

• Provide authentication and access control for resources

 – Ex: login

• Guarantee availability of resources

 – Ex: five 9's (99.999% availability)


What are we even talking about?

CIA triad:

• Confidentiality

• Integrity

• Availability


How do we achieve security?

Network security controls cannot completely eliminate risk; they can only reduce it as far as possible.

• People: awareness

• Process: how to detect breaches, asset audits

• Tools: various security software

[Figure: security as the overlap of People, Process and Tools]

The more aware people are of security, the more stringent the process, and the more properly the technology is used, the less risk you carry of being attacked.


Security Risks

• Malware
• Virus
• Rogue security software
• Trojan horse
• Worm
• Phishing
• Spam
• Botnets
• Open firewall ports
• Missing security patches
• Privilege escalation


Privilege escalation

Privilege escalation is the act of exploiting a bug, design flaw or configuration oversight in an operating system or software application to gain elevated access to resources that are normally protected from an application or user. Vertical escalation gains higher privileges (for example, from an ordinary user to administrator or root); horizontal escalation gains access to another user's resources at the same privilege level.


Types of Attacks

• Passive Attack

A passive attack monitors unencrypted traffic and looks for clear-text passwords and sensitive information that can be used in other types of attacks. Passive attacks include traffic analysis, monitoring of unprotected communications, decrypting weakly encrypted traffic, and capturing authentication information such as passwords. Passive interception of network operations enables adversaries to see upcoming actions. Passive attacks result in the disclosure of information or data files to an attacker without the consent or knowledge of the user.

• Active Attack

In an active attack, the attacker tries to bypass or break into secured systems. This can be done through stealth, viruses, worms, or Trojan horses. Active attacks include attempts to circumvent or break protection features, to introduce malicious code, and to steal or modify information. These attacks are mounted against a network backbone, exploit information in transit, electronically penetrate an enclave, or attack an authorized remote user during an attempt to connect to an enclave. Active attacks result in the disclosure or dissemination of data files, DoS, or modification of data.

• Distributed Attack

A distributed attack requires that the adversary introduce code, such as a Trojan horse or back-door program, into a component or software that will later be distributed to many other companies and users. Distribution attacks focus on the malicious modification of hardware or software at the factory or during distribution. These attacks introduce malicious code such as a back door into a product to gain unauthorized access to information or to a system function at a later date. (Today this is usually called a supply-chain attack.)

• Insider Attack

An insider attack involves someone from the inside, such as a disgruntled employee, attacking the network. Insider attacks can be malicious or non-malicious. Malicious insiders intentionally eavesdrop, steal, or damage information; use information in a fraudulent manner; or deny access to other authorized users. Non-malicious attacks typically result from carelessness, lack of knowledge, or intentional circumvention of security for such reasons as performing a task.


Types of Attacks…

• Close-in Attack

A close-in attack involves someone attempting to get physically close to network components, data, and systems in order to learn more about a network. Close-in attacks consist of regular individuals attaining close physical proximity to networks, systems, or facilities for the purpose of modifying, gathering, or denying access to information. Close physical proximity is achieved through surreptitious entry into the network, open access, or both.

• Social Engineering

The attacker compromises the network or system through social interaction with a person, through an e-mail message or a phone call. Various tricks can be used by the attacker to get the victim to reveal information about the security of the network. The information that the victim reveals would most likely be used in a subsequent attack to gain unauthorized access to a system or network.

• Phishing Attack

In a phishing attack the hacker creates a fake web site that looks exactly like a popular site such as PayPal. The phishing part of the attack is that the hacker then sends an e-mail message trying to trick the user into clicking a link that leads to the fake site. When the user attempts to log on with their account information, the hacker records the username and password and then tries that information on the real site.

• Hijack Attack

In a hijack attack, a hacker takes over a session between you and another individual and disconnects the other individual from the communication. You still believe that you are talking to the original party and may send private information to the hacker by accident.


Types of Attacks…

• Spoof Attack

In a spoof attack, the hacker modifies the source address of the packets he or she is sending so that they appear to be coming from someone else. This may be an attempt to bypass your firewall rules.

• Buffer Overflow

A buffer overflow attack is when the attacker sends more data to an application than it expects, overwriting adjacent memory. A successful buffer overflow lets the attacker run code with the privileges of the vulnerable program, often ending in a command prompt or shell; if that program runs as an administrator or root, so does the attacker.

• Exploit Attack

In this type of attack, the attacker knows of a security problem within an operating system or a piece of software and leverages that knowledge by exploiting the vulnerability.

• Password Attack

An attacker tries to crack the passwords stored in a network account database or a password-protected file. There are three major types of password attacks: a dictionary attack, a brute-force attack, and a hybrid attack. A dictionary attack uses a word list file, which is a list of potential passwords. A brute-force attack is when the attacker tries every possible combination of characters. A hybrid attack takes the dictionary words and applies common mutations (appended digits, capitalisation, years).
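The three password attacks, as an added example that is not part of the original deck. The "stolen" record (salt plus hash), the word list and the mutation rules are all constructed here; SHA-256 is used only because it ships with Python, and a real password store should use a slow hash such as bcrypt, scrypt or Argon2, which multiplies the cost of every guess below.

```python
"""Dictionary, hybrid and brute-force password attacks against a salted hash.

Added example, not from the original deck. The target record (salt + hash)
is constructed here from a known password so the run is self-contained;
SHA-256 is used only because it is in the standard library. A real password
store should use a slow, salted hash (bcrypt, scrypt, Argon2), which
multiplies the cost of every guess below."""
import hashlib
import itertools
import string


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.sha256(salt + password.encode()).digest()


# Constructed "stolen database" record
SALT = b"\x01\x02\x03\x04"
TARGET = hash_password("summer2019", SALT)

# Constructed word list (real ones run to millions of entries)
WORDLIST = ["password", "letmein", "summer", "welcome", "admin"]


def dictionary_attack(target: bytes, salt: bytes, words):
    """Try each word exactly as listed. Returns (password or None, guesses made)."""
    n = 0
    for n, word in enumerate(words, 1):
        if hash_password(word, salt) == target:
            return word, n
    return None, n


def hybrid_candidates(words):
    """Dictionary words plus common mutations: capitalisation, a digit, a recent year."""
    for word in words:
        for base in (word, word.capitalize()):
            yield base
            for digit in range(10):
                yield f"{base}{digit}"
            for year in range(2015, 2020):
                yield f"{base}{year}"


def hybrid_attack(target: bytes, salt: bytes, words):
    """Dictionary attack over the mutated candidates."""
    return dictionary_attack(target, salt, hybrid_candidates(words))


def brute_force(target: bytes, salt: bytes, alphabet: str = string.ascii_lowercase, max_len: int = 4):
    """Exhaustive search, shortest candidates first; cost grows as len(alphabet) ** length."""
    n = 0
    for length in range(1, max_len + 1):
        for chars in itertools.product(alphabet, repeat=length):
            n += 1
            candidate = "".join(chars)
            if hash_password(candidate, salt) == target:
                return candidate, n
    return None, n


def keyspace(alphabet_size: int, max_len: int) -> int:
    """Worst-case number of guesses for brute force up to max_len characters."""
    return sum(alphabet_size ** length for length in range(1, max_len + 1))
```

The plain dictionary misses "summer2019", the hybrid pass finds it after 80 guesses, and `keyspace(95, 8)` shows why brute force is the last resort for anything beyond a few characters: the salt defeats precomputed tables but does nothing against guessing, so a slow hash and a long passphrase are what actually raise the attacker's cost.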


Types of Attacks…

• Denial-of-Service Attack

A denial-of-service attack prevents normal use of your computer or network by valid users. After gaining access to your network, the attacker can do any of the following:

 – Randomize the attention of your internal information systems staff so that they do not see the intrusion, which allows the attacker to make more attacks during the diversion.
 – Send invalid data to applications or network services, which causes abnormal termination or behavior of the applications or services.
 – Flood a computer or the entire network with traffic until a shutdown occurs because of the overload.
 – Block traffic, which results in a loss of access to network resources by authorized users.

• Man-in-the-Middle Attack

As the name indicates, a man-in-the-middle attack occurs when someone between you and the person with whom you are communicating is actively monitoring, capturing, and controlling your communication transparently. For example, the attacker can re-route a data exchange. When computers are communicating at low levels of the network layer, the computers might not be able to determine with whom they are exchanging data.

Man-in-the-middle attacks are like someone assuming your identity in order to read your message. The person on the other end might believe it is you because the attacker might be actively replying as you to keep the exchange going and gain more information. This attack is capable of the same damage as an application-layer attack.


How do we secure the network?

    • Firewalls

    • Intrusion Detection Systems/ Intrusion Prevention Systems

    • Routers

    • Switches

    • Encryption

    • Vulnerability Management

    • Antivirus Solution

    • VPN

• DDoS protection

• Privileged Identity Management

    • Network Anomaly Detection

    • SIEM


IDS/IPS

• Intrusion detection systems (IDS) are network security appliances that monitor network and/or system activities for malicious activity and raise alerts.

• Intrusion prevention systems (IPS) are network security appliances that identify malicious activity, log information about it, attempt to block/stop it, and report it.

    Why IDS/IPS

    • Firewalls allow traffic only to legitimate hosts and services

    • Traffic to the legitimate hosts/services can have attacks

     – HTTP attacks, SQL Injection attacks

    • Solution? – IDS/IPS

     – Monitor data and behavior

     – Report when attacks identified


    Types of IDS/IPS

    • Signature-based IDS

    • Anomaly-based IDS

• Network-based IDS

• Host-based IDS


    Signature-based IDS

• Characteristics

 – Uses known pattern matching to signify an attack

• Advantages?

 – Widely available

 – Fairly fast

 – Easy to implement

 – Easy to update

• Disadvantages?

 – Cannot detect attacks for which it has no signature (new or obfuscated attacks)


    Anomaly-based IDS

    • Characteristics

 – Uses a statistical model or machine learning engine to characterize normal usage behavior and flags deviations from it

    • Advantages?

     – Can detect attempts to exploit new and unforeseen vulnerabilities

     – Can recognize authorized usage that falls outside the normal pattern

    • Disadvantages?

     – Generally slower, more resource intensive compared to signature-based IDS

     – Greater complexity, difficult to configure

     – Higher percentages of false alerts
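The two detection styles side by side, as an added example that is not part of the original deck: a signature matcher and a simple statistical anomaly detector run over constructed web-server log lines. The log format, the two signatures and the k = 3 threshold are illustrative assumptions.

```python
"""Signature-based and anomaly-based detection side by side, run over
constructed web-server log lines. Added example, not from the original
deck; the log format ("<src_ip> <method> <path>"), the two signatures and
the k = 3 threshold are illustrative assumptions."""
import re
import statistics
from collections import Counter
from urllib.parse import unquote

# Constructed training period: 20 sources, four of them a little busier.
BASELINE_LOGS = [f"10.0.0.{i} GET /index.html" for i in range(1, 21)] + [
    f"10.0.0.{i} GET /page{n}.html" for i in range(1, 5) for n in range(2)
]

# Constructed live traffic: one attacker sending two classic payloads,
# and one source that is merely very chatty.
LIVE_LOGS = [
    "10.0.0.3 GET /index.html",
    "203.0.113.9 GET /login?user=admin'%20OR%20'1'='1",        # SQL injection
    "203.0.113.9 GET /download?file=..%2F..%2Fetc%2Fpasswd",    # path traversal
    "198.51.100.4 GET /products?id=7",
] + [f"198.51.100.4 GET /search?q={n}" for n in range(60)]

# Signatures: known attack patterns, applied after URL-decoding.
SIGNATURES = {
    "sql-injection": re.compile(r"'\s*(or|and)\s*'?\d+'?\s*=\s*'?\d+", re.I),
    "path-traversal": re.compile(r"\.\.[/\\]"),
}


def parse(line: str):
    src, method, path = line.split(" ", 2)
    return src, method, unquote(path)   # decode %xx so encoded payloads still match


def signature_detect(lines):
    """Return [(src, rule)] for every request matching a known pattern.
    Fast and precise, but blind to anything without a signature."""
    hits = []
    for line in lines:
        src, _, path = parse(line)
        for name, rx in SIGNATURES.items():
            if rx.search(path):
                hits.append((src, name))
    return hits


def build_baseline(lines):
    """Characterise normal usage: mean and std-dev of requests per source."""
    counts = Counter(parse(line)[0] for line in lines)
    values = list(counts.values())
    return statistics.mean(values), statistics.pstdev(values)


def anomaly_detect(lines, baseline, k: float = 3.0):
    """Flag sources whose request count exceeds mean + k * stdev of the baseline.
    Catches unknown attacks, but also anything unusual and legitimate."""
    mean, stdev = baseline
    threshold = mean + k * stdev
    counts = Counter(parse(line)[0] for line in lines)
    return {src: n for src, n in counts.items() if n > threshold}
```

The signature pass names the attacker and the technique after two requests, but would say nothing about a payload it has no pattern for; the anomaly pass never sees the two injection attempts (two requests is well within normal) yet flags the chatty source, which may be a scraper, a scan, or a legitimate heavy user. That is the false-positive trade-off listed above, and why production deployments run both.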


Network-based IDS/IPS

• Characteristics

 – NIDS examine raw packets in the network passively and trigger alerts

• Advantages?

 – Easy deployment

 – Difficult to evade if done at a low level of network operation

• Disadvantages?

 – Fail open: if the sensor is overloaded or down, traffic keeps flowing unseen

 – Different hosts process packets differently (these ambiguities can be used to evade the sensor)

 – Need to have the complete network topology and complete host behavior


    Encryption

• Encryption is a way to enhance the security of a message or file by scrambling the contents so that it can be read only by someone who has the right key to unscramble it. Ex: if you purchase something from a website, the information for the transaction (such as your address, phone number, and credit card number) is usually encrypted to help keep it safe in transit.

• Use encryption when you want a strong level of protection for your information. Note that encryption by itself protects confidentiality, not integrity: an attacker who cannot read a message may still be able to alter it undetected unless it is also authenticated (for example with a digital signature or a MAC).
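The two properties just described, as an added example that is not part of the original deck. It uses only the standard library: a one-time pad for the encryption step (chosen because it is both correct and tiny; in practice use an authenticated cipher such as AES-GCM from a vetted library) and HMAC-SHA256 for integrity. The message and keys are constructed.

```python
"""One-time-pad encryption plus an HMAC tag, to show the two properties the
deck's definition touches on: confidentiality (only the key holder can read
the message) and, separately, integrity (tampering is detected). Added
example, not from the original deck; it uses only the standard library.
The one-time pad is used because it is both correct and tiny; in practice
use an authenticated cipher such as AES-GCM from a vetted library."""
import hashlib
import hmac
import secrets


def generate_key(length: int) -> bytes:
    return secrets.token_bytes(length)   # must be random and never reused


def otp_encrypt(key: bytes, plaintext: bytes) -> bytes:
    if len(key) != len(plaintext):
        raise ValueError("one-time pad key must be as long as the message")
    return bytes(k ^ p for k, p in zip(key, plaintext))


otp_decrypt = otp_encrypt   # XOR is its own inverse


def flip_byte(data: bytes, index: int, mask: int) -> bytes:
    """Attacker edit of the ciphertext. XOR ciphers are malleable, so the
    same mask lands on the plaintext byte without the attacker knowing the key."""
    out = bytearray(data)
    out[index] ^= mask
    return bytes(out)


def seal(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: ciphertext || HMAC-SHA256(mac_key, ciphertext)."""
    ct = otp_encrypt(enc_key, plaintext)
    tag = hmac.new(mac_key, ct, hashlib.sha256).digest()
    return ct + tag


def open_sealed(enc_key: bytes, mac_key: bytes, blob: bytes):
    """Verify the tag (constant-time compare) before decrypting; None if tampered."""
    ct, tag = blob[:-32], blob[-32:]
    expected = hmac.new(mac_key, ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return otp_decrypt(enc_key, ct)


def demo():
    """Show that encryption alone does not stop a targeted edit, and that a MAC does."""
    msg = b"PAY 0100 USD TO ALICE"            # constructed message; byte 4 is the leading '0'
    enc_key = generate_key(len(msg))
    mac_key = generate_key(32)
    ct = otp_encrypt(enc_key, msg)
    assert otp_decrypt(enc_key, ct) == msg    # key holder reads it back
    # Attacker turns "0100" into "9100" without reading anything.
    tampered = otp_decrypt(enc_key, flip_byte(ct, 4, ord("0") ^ ord("9")))
    # The same edit against the sealed version is rejected.
    blob = seal(enc_key, mac_key, msg)
    caught = open_sealed(enc_key, mac_key, flip_byte(blob, 4, ord("0") ^ ord("9"))) is None
    return tampered, caught
```

`demo()` returns the altered plaintext the unauthenticated version accepts (the amount silently becomes 9100) and `True` for the authenticated version rejecting the same edit. The order matters: verify the tag first, in constant time, and only then decrypt.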


    Encryption Usage

    • SSL certificate

    • Digital Signature

• Drive Encryption

    • File Encryption

    • VPN

    • Secure Email


    Denial of Service

A Denial of Service (DoS) attack is an attack against any system component that attempts to force that component to limit, or even halt, its normal services. It temporarily or indefinitely interrupts or suspends the services of a host connected to the Internet. In short, it is an attempt to make a machine or network resource unavailable to its intended users. When the traffic comes from many sources at once (typically a botnet) it is a distributed denial of service (DDoS).


    Impact of DDoS

CloudFlare confirmed that the attack peaked at around 400 Gbps, making it the largest DDoS attack reported up to that time.


Types Of DDoS Attacks

There are basically three types of DDoS attacks:

• Volume-based DDoS attack

• Protocol DoS attack

• Application-layer DDoS attack


Types of DDoS Attacks

• Volume-based DDoS attack or bandwidth attack: flood the network with a high volume of traffic (for example UDP or amplification floods); measured in bits per second.

• Protocol DoS attack or connectivity attack: flood a computer or stateful device with a high volume of connection requests (for example SYN floods); measured in packets per second.

• Application-layer DDoS attack or application attack: send specially crafted requests to the application (for example HTTP floods); measured in requests per second.

Volumetric DDoS Attack

Volumetric DDoS attacks are designed to saturate and overwhelm network resources by brute force.

State-Exhausting Attack (Resource Starvation)

State-exhausting DDoS attacks target stateful security devices (firewalls, IPS, load balancers). They exhaust the devices' connection-state tables, which renders the devices useless even though the link itself is not saturated.

DDoS Attack Types: Application Layer

Application-layer DDoS attacks target specific applications (HTTP, SSL, DNS, SMTP, SIP, etc.) with requests that look legitimate but are expensive for the server to process.

The Botnet as a DDoS Tool

• A botnet is a collection of Internet-connected programs communicating with other similar programs in order to perform tasks. It could be used to send spam email or participate in distributed denial-of-service attacks. The word botnet is a combination of the words robot and network.

• Legal botnets: the term botnet is widely used when several IRC bots have been linked and may possibly set channel modes on other bots and users while keeping IRC channels free from unwanted users. This is where the term originally comes from, since the first illegal botnets were similar to legal botnets.

• Illegal botnets: botnets sometimes comprise computers whose security defenses have been breached and control conceded to a third party. Each such compromised device, known as a "bot", is created when a computer is penetrated by software from a malware (malicious software) distribution.

Why Firewalls/IPS fail to protect against DDoS

• Vulnerable to DDoS attacks
 – Because these devices are in-line, stateful devices, they are the first to be affected by large flood or connection attacks.

• Failure to ensure availability
 – Built to protect against known (versus emerging) threats.
 – Designed to look for threats within single sessions, not across sessions.

• Protection limited to certain attacks
 – They must allow common attack traffic such as TCP port 80 (HTTP) or UDP port 53 (DNS), and do not handle attacks composed of valid requests.

• Deployed in the wrong location
 – Very close to the servers; too close to protect the upstream router and link.

• Incompatible with cloud DDoS protection systems
 – Fail to interoperate with cloud DDoS prevention solutions, which increases the time to respond to a DDoS.

• Lack of DDoS expertise
 – Require skilled security experts and demand knowledge of attack types before the attacks happen.

If the network is secure but the applications are not, then we are not secure.

Vulnerability Management

• Vulnerability management is the practice of identifying, classifying, remediating, and mitigating vulnerabilities, especially in software and firmware.

• Vulnerability management is integral to computer security and network security.

• Vulnerabilities can be discovered with a vulnerability scanner, which analyzes a computer system in search of known vulnerabilities such as open ports, insecure software configuration, and susceptibility to malware. A scanner cannot find unknown vulnerabilities, such as the ones used in a zero-day attack.

• Correcting vulnerabilities may variously involve the installation of a patch, a change in network security policy, reconfiguration of software (such as a firewall), or educating users about social engineering.

How do we protect ourselves?

• Security Awareness

• Antivirus Solution

• Privileged Identity Management

• Network Anomaly Detection

• SIEM

PIM: Privileged Identity Management

• Privileged Identity Management (PIM) is focused on the powerful accounts within the IT infrastructure of an enterprise.

• It is frequently used as an information security and governance tool to help companies meet compliance regulations and to prevent internal data breaches through the use of privileged accounts.

• The management of privileged identities can be automated to follow pre-determined or customized policies and requirements for an organization.

PIM Vendors

• Cyber-Ark

• Hitachi ID Systems

• Lieberman Software

• Dell / Quest / e-DMZ

Network Identification Technologies

• To be properly prepared to defend the network infrastructure from DDoS attacks, it is extremely important to know as soon as possible that there is anomalous behavior, malicious or otherwise, occurring in the network.

• Network telemetry tools and technologies help in the detection, identification, and subsequent classification of anomalous network events, and help focus on Indicators of Compromise (IOC).

NetFlow

Cisco IOS NetFlow is a form of network telemetry that Cisco routers and switches can collect and export. Data provided through NetFlow is similar to the information in a phone bill: the user can view who is talking to whom (source and destination IP address) and how long the conversations last (amount of traffic and packets).

NetFlow Key Parameters

Seven key fields are inspected in each packet to determine whether a new flow should be created. If any of the seven fields differs from flows that have previously been created, a new flow is created and added to the NetFlow cache.

• The seven fields are as follows:

 – Source IP address

 – Destination IP address

 – Source port

 – Destination port

 – Layer 3 protocol

 – TOS byte

 – Input interface
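The seven-field flow key in action, as an added example that is not part of the original deck: packets are aggregated into a flow cache keyed exactly on those fields, and the resulting flow records are used to spot a SYN flood, the kind of anomaly the deck's DDoS section describes. The packet records and the thresholds are constructed and illustrative.

```python
"""Build a NetFlow-style flow cache from the seven key fields listed above
and use it to spot a SYN flood. Added example, not from the original deck;
the packet records are constructed and the thresholds are illustrative."""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class FlowKey:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    protocol: int    # Layer 3 protocol number: 6 = TCP, 17 = UDP
    tos: int         # IP Type-of-Service byte
    in_ifindex: int  # input interface index


def flow_key(pkt: dict) -> FlowKey:
    """Any difference in these seven fields means a separate flow."""
    return FlowKey(pkt["src"], pkt["dst"], pkt["sport"], pkt["dport"],
                   pkt["proto"], pkt.get("tos", 0), pkt.get("ifindex", 1))


def build_flow_cache(packets):
    """Aggregate packets into flows: packet count, byte count, TCP flags seen."""
    cache = defaultdict(lambda: {"packets": 0, "bytes": 0, "flags": set()})
    for pkt in packets:
        rec = cache[flow_key(pkt)]
        rec["packets"] += 1
        rec["bytes"] += pkt["len"]
        rec["flags"].update(pkt.get("flags", ()))
    return cache


def syn_flood_sources(cache, min_flows: int = 20, max_pkts_per_flow: int = 1):
    """Sources with many single-packet, SYN-only flows. Real sessions carry ACK
    and PSH and more than one packet; a flood of SYNs from fresh source ports does not."""
    suspicious = Counter()
    for key, rec in cache.items():
        if key.protocol == 6 and rec["flags"] == {"S"} and rec["packets"] <= max_pkts_per_flow:
            suspicious[key.src_ip] += 1
    return {src: n for src, n in suspicious.items() if n >= min_flows}


# Constructed packet records (one dict per packet)
def normal_session(src: str, sport: int):
    """Three packets of an ordinary HTTP session: SYN, ACK, data."""
    base = {"src": src, "dst": "10.0.0.80", "sport": sport, "dport": 80, "proto": 6}
    return [
        dict(base, len=60, flags=("S",)),
        dict(base, len=52, flags=("A",)),
        dict(base, len=512, flags=("P", "A")),
    ]


SAMPLE_PACKETS = (
    normal_session("10.0.0.5", 40001)
    + normal_session("10.0.0.6", 40002)
    + [{"src": "203.0.113.7", "dst": "10.0.0.80", "sport": 1024 + i, "dport": 80,
        "proto": 6, "len": 40, "flags": ("S",)} for i in range(50)]
)
```

The two legitimate sessions collapse into one flow record each, while the attacker's 50 SYNs, each from a new source port, become 50 separate one-packet flows. That explosion of tiny, SYN-only flows per source is what a flow-based anomaly detector keys on; it needs no packet payload, only the seven-field key and the per-flow counters a router already exports.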

Lancope StealthWatch

SIEM

• Security information and event management (SIEM) is an approach to security management that seeks to provide a holistic view of an organization's information technology (IT) security.

• A SEM (security event management) system centralizes the storage and interpretation of logs and allows near real-time analysis, which enables security personnel to take defensive action more quickly.

• A SIM (security information management) system collects data into a central repository for trend analysis and provides automated reporting for compliance and centralized reporting.

• Combining the two functions, SIEM systems provide quicker identification, analysis, and recovery of security events.

• They also allow compliance managers to confirm they are fulfilling an organization's legal compliance requirements.
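What the "centralizes and interprets logs" part looks like in practice, as an added example that is not part of the original deck: log lines from two different systems are normalized into one schema and a two-stage correlation rule is run over them. The log formats, hostnames, addresses and thresholds are constructed assumptions, not any vendor's rule language.

```python
"""A minimal SIEM correlation rule run over constructed log lines from two
sources (an SSH server and a firewall). Added example, not from the original
deck; the formats and the rule's thresholds are illustrative assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed events in two different native formats
SSHD_LINES = [
    "2019-08-18T10:00:01 sshd: Failed password for root from 203.0.113.9",
    "2019-08-18T10:00:03 sshd: Failed password for root from 203.0.113.9",
    "2019-08-18T10:00:05 sshd: Failed password for root from 203.0.113.9",
    "2019-08-18T10:00:06 sshd: Failed password for root from 203.0.113.9",
    "2019-08-18T10:00:08 sshd: Failed password for root from 203.0.113.9",
    "2019-08-18T10:00:09 sshd: Accepted password for root from 203.0.113.9",
    "2019-08-18T10:05:00 sshd: Failed password for bob from 10.0.0.5",
    "2019-08-18T10:05:20 sshd: Accepted password for bob from 10.0.0.5",
]
FW_LINES = [
    "2019-08-18T10:00:30 fw: ALLOW TCP 203.0.113.9:50000 -> 10.0.0.80:22",
    "2019-08-18T10:00:40 fw: ALLOW TCP 203.0.113.9:50001 -> 10.0.0.80:4444",
]

SSHD_RX = re.compile(r"^(\S+) sshd: (Failed|Accepted) password for (\S+) from (\S+)$")
FW_RX = re.compile(r"^(\S+) fw: (ALLOW|DENY) (\S+) (\S+):\d+ -> (\S+):(\d+)$")


def normalize(lines):
    """Map both formats onto one schema: (time, src, event, detail), sorted by time."""
    events = []
    for line in lines:
        m = SSHD_RX.match(line)
        if m:
            ts, outcome, user, src = m.groups()
            event = "auth_fail" if outcome == "Failed" else "auth_ok"
            events.append((datetime.fromisoformat(ts), src, event, user))
            continue
        m = FW_RX.match(line)
        if m:
            ts, action, _proto, src, _dst, dport = m.groups()
            events.append((datetime.fromisoformat(ts), src, "fw_" + action.lower(), int(dport)))
    return sorted(events, key=lambda e: e[0])


def brute_force_then_success(events, min_failures: int = 5, window=timedelta(minutes=2)):
    """Alert when a source logs >= min_failures auth failures and then a success within the window."""
    alerts = []
    failures = defaultdict(list)
    for ts, src, event, detail in events:
        if event == "auth_fail":
            failures[src].append(ts)
        elif event == "auth_ok":
            recent = [t for t in failures[src] if ts - t <= window]
            if len(recent) >= min_failures:
                alerts.append((src, detail, len(recent), ts))
    return alerts


def unusual_outbound_after_compromise(events, alerts, allowed_ports=frozenset({22, 80, 443}),
                                      window=timedelta(minutes=10)):
    """Second stage, across sources: a firewall ALLOW to an unexpected port from a
    source that already triggered the brute-force alert."""
    flagged = []
    for src, _user, _n, when in alerts:
        for ts, esrc, event, detail in events:
            if (esrc == src and event == "fw_allow" and detail not in allowed_ports
                    and when <= ts <= when + window):
                flagged.append((src, detail, ts))
    return flagged
```

Neither source alone tells the story: the SSH log shows a login that eventually succeeded, the firewall log shows two permitted connections. Joined on source address and time, they show five failures, a success, and then a connection to an unexpected port within the minute, which is the kind of cross-source finding the deck credits SIEM with. Bob's single typo followed by a successful login does not trip the rule.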

    SIEM Vendors


    • ArcSight

    • Splunk

• IBM QRadar

• RSA enVision

    • McAfee SIEM

Sample Dashboard

Questions?