8/18/2019 Network & Information Security Training
1/58
Network & Information Security
What will be covered
• Basics of Networks
• Introduction to Network Security
• Security Threats, Risks & Attacks
• Securing Networks & Data
OSI Model
Complicated Way (mnemonic, read from the top down: All People Seem To Need Data Processing)
Application Layer (7)
Presentation Layer (6)
Session (5)
Transport (4)
Network (3)
Data Link (2)
Physical (1)
OSI Model
Simple Way (mnemonic in Marathi, read from the bottom up: Porgi Dili Nahi Tar Saral Palaun Aana, roughly "if the girl is not given, just elope with her")
Physical (1)
Data Link (2)
Network (3)
Transport (4)
Session (5)
Presentation Layer (6)
Application Layer (7)
TCP 3-WAY Handshake
The TCP 3-way handshake is how TCP sets up a connection over an IP-based network. As the name implies, three actions establish the connection:
1. The client that would like to establish a connection with the remote server sends a SYN (synchronization) packet carrying its initial sequence number.
2. The server responds with a SYN-ACK (synchronization acknowledgement) packet, acknowledging the client's sequence number and supplying its own.
3. The client receives the server's acknowledgement and responds with its own ACK (acknowledgement) packet. Once the server receives it, the connection is established.
Between steps 2 and 3 the server holds a half-open connection in its backlog; that stored state is what a SYN flood exhausts.
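The exchange above, as an added example that is not part of the training deck: a small model of both sides of the handshake with sequence/acknowledgement numbers, plus the server-side backlog that shows why unfinished handshakes cost the server state. Addresses, ports, the backlog size of 3 and the sequence numbers are constructed for illustration.

```python
"""Added example (not taken from the training deck): a minimal model of the TCP
three-way handshake with sequence/acknowledgement numbers, plus the server-side
backlog that shows why unfinished handshakes cost the server state.
Addresses, ports, backlog size and sequence numbers are constructed."""
from dataclasses import dataclass, field
import random


@dataclass
class Segment:
    src: str
    dst: str
    flags: str          # "SYN", "SYN-ACK" or "ACK"
    seq: int
    ack: int = 0


@dataclass
class Server:
    addr: str
    backlog: int = 3                                   # max half-open entries
    half_open: dict = field(default_factory=dict)      # client addr -> our ISN
    established: set = field(default_factory=set)

    def handle(self, seg):
        """Process one inbound segment; return the reply segment or None."""
        if seg.flags == "SYN":
            if seg.src in self.half_open or len(self.half_open) >= self.backlog:
                return None                             # backlog full: SYN dropped
            isn = random.randrange(1, 2 ** 32)          # server's initial seq number
            self.half_open[seg.src] = isn               # state kept until step 3
            # Step 2: SYN-ACK acknowledges the client's ISN + 1
            return Segment(self.addr, seg.src, "SYN-ACK", seq=isn, ack=seg.seq + 1)
        if seg.flags == "ACK" and seg.src in self.half_open:
            # Step 3: a valid ACK must acknowledge our ISN + 1; anything else is
            # a forged or stale segment and leaves the state untouched
            if seg.ack == self.half_open[seg.src] + 1:
                del self.half_open[seg.src]
                self.established.add(seg.src)
        return None


@dataclass
class Client:
    addr: str
    isn: int

    def syn(self, server_addr):
        # Step 1: SYN with the client's initial sequence number
        return Segment(self.addr, server_addr, "SYN", seq=self.isn)

    def ack(self, synack):
        if synack.ack != self.isn + 1:
            raise ValueError("server acknowledged the wrong sequence number")
        return Segment(self.addr, synack.src, "ACK", seq=self.isn + 1, ack=synack.seq + 1)


def handshake(client, server):
    """Run all three steps; True when the server reaches ESTABLISHED."""
    synack = server.handle(client.syn(server.addr))
    if synack is None:
        return False
    server.handle(client.ack(synack))
    return client.addr in server.established


def syn_flood(server, n):
    """Send n SYNs from forged sources that never send step 3.
    Returns the number of half-open entries left behind."""
    for i in range(n):
        server.handle(Segment(f"198.51.100.{i}", server.addr, "SYN", seq=1000 + i))
    return len(server.half_open)


def demo():
    """A normal handshake succeeds; after a flood fills the backlog a new
    legitimate client is refused (the state-exhaustion DoS covered later)."""
    srv = Server("192.0.2.10")
    first = handshake(Client("203.0.113.5", 4242), srv)
    left = syn_flood(srv, 10)
    second = handshake(Client("203.0.113.6", 7), srv)
    return first, left, second
```

The backlog is deliberately tiny so the effect is visible after ten forged SYNs; real stacks keep hundreds or thousands of entries and fall back to SYN cookies, which encode the server's state in the ISN instead of storing it, once the backlog is full.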
Introduction to Security
• The network is the medium on which information travels.
• Security needs to be maintained because information being passed between computers is vulnerable to attack.
• Network security is important to protect assets and critical data from unauthorized access and tampering, and to keep them available.
Why do we need security?
• Protect vital information while still allowing access to those who need it
– Trade secrets, medical records, bank records
• Provide authentication and access control for resources
– Ex: Login
• Guarantee availability of resources
– Ex: 5 9's (99.999% availability, i.e. about five minutes of downtime per year)
What are we even talking about!!!
CIA TRIAD
• Confidentiality
• Integrity
• Availability
How do we achieve security?
Network security controls cannot completely eliminate risk; they can only reduce it as far as possible.
• People: awareness
• Process: how to detect breaches, asset audits
• Tools: various security software
The more aware people are about security, the more stringent the process, and the more properly the technology is used, the less risk you carry of being attacked.
Security Risk
• Malware
• Virus
• Rogue security software
• Trojan horse
• Worm
• Phishing
• Spam
• Botnets
• Open firewall ports
• Missing security patches
• Privilege escalation
Privilege escalation
Privilege escalation is the act of exploiting a bug, design flaw or configuration oversight in an operating system or software application to gain elevated access to resources that are normally protected from an application or user.
Types of Attacks
• Passive Attack
A passive attack monitors unencrypted traffic and looks for clear-text passwords and sensitive information that can be used in other types of attacks. Passive attacks include traffic analysis, monitoring of unprotected communications, decrypting weakly encrypted traffic, and capturing authentication information such as passwords. Passive interception of network operations enables adversaries to see upcoming actions. Passive attacks result in the disclosure of information or data files to an attacker without the consent or knowledge of the user.
• Active Attack
In an active attack, the attacker tries to bypass or break into secured systems. This can be done through stealth, viruses, worms, or Trojan horses. Active attacks include attempts to circumvent or break protection features, to introduce malicious code, and to steal or modify information. These attacks are mounted against a network backbone, exploit information in transit, electronically penetrate an enclave, or attack an authorized remote user during an attempt to connect to an enclave. Active attacks result in the disclosure or dissemination of data files, DoS, or modification of data.
• Distributed Attack
A distributed attack requires that the adversary introduce code, such as a Trojan horse or back-door program, to a "trusted" component or software that will later be distributed to many other companies and users. Distribution attacks (today usually called supply-chain attacks) focus on the malicious modification of hardware or software at the factory or during distribution. These attacks introduce malicious code such as a back door to a product to gain unauthorized access to information or to a system function at a later date.
• Insider Attack
An insider attack involves someone from the inside, such as a disgruntled employee, attacking the network. Insider attacks can be malicious or non-malicious. Malicious insiders intentionally eavesdrop, steal, or damage information; use information in a fraudulent manner; or deny access to other authorized users. Non-malicious attacks typically result from carelessness, lack of knowledge, or intentional circumvention of security for such reasons as performing a task.
Types of Attacks…
• Close-in Attack
A close-in attack involves someone attempting to get physically close to network components, data, and systems in order to learn more about a network. Close-in attacks consist of individuals attaining close physical proximity to networks, systems, or facilities for the purpose of modifying, gathering, or denying access to information. Close physical proximity is achieved through surreptitious entry into the network, open access, or both.
• Social engineering
The attacker compromises the network or system through social interaction with a person, through an e-mail message or by phone. Various tricks can be used to get the person to reveal information about the security of a company. The information that the victim reveals to the hacker would most likely be used in a subsequent attack to gain unauthorized access to a system or network.
• Phishing Attack
In a phishing attack the hacker creates a fake web site that looks exactly like a popular site such as PayPal. The phishing part of the attack is that the hacker then sends an e-mail message trying to trick the user into clicking a link that leads to the fake site. When the user attempts to log on with their account information, the hacker records the username and password and then tries that information on the real site.
• Hijack attack
In a hijack attack, a hacker takes over a session between you and another individual and disconnects the other individual from the communication. You still believe that you are talking to the original party and may send private information to the hacker by accident.
Types of Attacks…
• Spoof attack
In a spoof attack, the hacker modifies the source address of the packets he or she is sending so that they appear to be coming from someone else. This may be an attempt to bypass your firewall rules. Forged source addresses are also what make flood attacks hard to block by address, which is why providers are asked to filter forged sources at the network edge (BCP 38).
• Buffer overflow
A buffer overflow attack is when the attacker sends more data to an application than is expected. A successful buffer overflow lets the attacker run code with the privileges of the vulnerable program, commonly to open a command prompt or shell; that amounts to administrative access only when the program itself runs with administrative rights.
• Exploit attack
In this type of attack, the attacker knows of a security problem within an operating system or a piece of software and leverages that knowledge by exploiting the vulnerability.
• Password attack
An attacker tries to crack the passwords stored in a network account database or a password-protected file. There are three major types of password attacks: a dictionary attack, a brute-force attack, and a hybrid attack. A dictionary attack uses a word list file, which is a list of potential passwords. A brute-force attack is when the attacker tries every possible combination of characters. A hybrid attack combines the two by applying common mutations (capitalisation, digit or symbol suffixes, letter substitutions) to dictionary words.
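The three password-attack styles listed above, as an added example that is not from the deck: each is run against a constructed salted SHA-256 hash so the difference in search space is visible. The word list, the salt, the suffix and substitution rules and the target passwords are made up for the demonstration.

```python
"""Added example (not part of the deck): dictionary, hybrid and brute-force
password attacks against a constructed salted SHA-256 hash. Word list, salt,
mutation rules and targets are made up for illustration."""
import hashlib
import itertools
import string

WORDLIST = ["password", "welcome", "summer", "letmein", "qwerty"]   # constructed
SALT = "s4lt"                                                        # constructed


def hash_password(password, salt):
    """Plain salted SHA-256, as many legacy applications did it. A defender
    should use a slow KDF (bcrypt, scrypt, Argon2) so each guess costs more."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


def dictionary_attack(target, salt, words=WORDLIST):
    """Try each word from the list as-is."""
    for word in words:
        if hash_password(word, salt) == target:
            return word
    return None


def hybrid_candidates(words=WORDLIST):
    """Dictionary words plus the mutations users really apply: capitalised,
    leet substitutions, and a digit/year/symbol suffix."""
    subs = str.maketrans({"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"})
    for word in words:
        bases = {word, word.capitalize(), word.translate(subs),
                 word.capitalize().translate(subs)}
        for base in bases:
            yield base
            for suffix in ("1", "123", "!", "2019", "1!"):
                yield base + suffix


def hybrid_attack(target, salt):
    for candidate in hybrid_candidates():
        if hash_password(candidate, salt) == target:
            return candidate
    return None


def brute_force_attack(target, salt, alphabet=string.ascii_lowercase + string.digits,
                       max_len=4):
    """Exhaustive search over every string up to max_len; only feasible for
    very short passwords. Returns (password, guesses) so the cost is visible."""
    guesses = 0
    for length in range(1, max_len + 1):
        for chars in itertools.product(alphabet, repeat=length):
            guesses += 1
            candidate = "".join(chars)
            if hash_password(candidate, salt) == target:
                return candidate, guesses
    return None, guesses
```

The point to take from running it: "Summer2019" and "P@$$w0rd" survive the plain dictionary but fall to a handful of hybrid rules, while the brute-force search needs 36^n guesses per length, which is why password length, not symbol substitution, is what raises the attacker's cost.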
Types of Attacks…
• Denial-of-Service Attack
A denial-of-service attack prevents normal use of your computer or network by valid users. An attacker who can reach your network can do any of the following:
– Randomize the attention of your internal Information Systems staff so that they do not see the intrusion immediately, which allows the attacker to make more attacks during the diversion.
– Send invalid data to applications or network services, which causes abnormal termination or behavior of the applications or services.
– Flood a computer or the entire network with traffic until a shutdown occurs because of the overload.
– Block traffic, which results in a loss of access to network resources by authorized users.
• Man-in-the-Middle Attack
As the name indicates, a man-in-the-middle attack occurs when someone between you and the person with whom you are communicating is actively monitoring, capturing, and controlling your communication transparently. For example, the attacker can re-route a data exchange. When computers are communicating at low levels of the network layer, the computers might not be able to determine with whom they are exchanging data.
Man-in-the-middle attacks are like someone assuming your identity in order to read your message. The person on the other end might believe it is you because the attacker might be actively replying as you to keep the exchange going and gain more information. This attack can do the same damage as an application-layer attack. Authenticating the peer and encrypting the channel (for example TLS with certificate validation on both ends) is the standard defence.
How do we secure network
• Firewalls
• Intrusion Detection Systems / Intrusion Prevention Systems
• Routers
• Switches
• Encryption
• Vulnerability Management
• Antivirus Solution
• VPN
• DDoS protection
• Privileged Identity Management
• Network Anomaly Detection
• SIEM
IDS/IPS
• An intrusion detection system (IDS) is a network security appliance that monitors network and/or system activities for malicious activity and raises alerts.
• An intrusion prevention system (IPS) is a network security appliance that identifies malicious activity, logs information about it, attempts to block/stop it, and reports it. Because an IPS sits in-line and drops traffic, a false positive blocks legitimate users, so its rules need tighter tuning than an IDS's.
Why IDS/IPS
• Firewalls allow traffic only to legitimate hosts and services
• Traffic to the legitimate hosts/services can have attacks
– HTTP attacks, SQL Injection attacks
• Solution? – IDS/IPS
– Monitor data and behavior
– Report when attacks identified
Types of IDS/IPS
• Signature-based IDS
• Anomaly-based IDS
• Network-based IDS
• Host-based IDS
Signature-based IDS
• Characteristics
– Uses known pattern matching to signify an attack
• Advantages?
– Widely available
– Fairly fast
– Easy to implement
– Easy to update
• Disadvantages?
– Cannot detect attacks for which it has no signature
Anomaly-based IDS
• Characteristics
– Uses a statistical model or machine learning engine to characterize normal usage behavior
• Advantages?
– Can detect attempts to exploit new and unforeseen vulnerabilities
– Can recognize authorized usage that falls outside the normal pattern
• Disadvantages?
– Generally slower, more resource intensive compared to signature-based IDS
– Greater complexity, difficult to configure
– Higher percentage of false alerts
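The two detection styles from the last two slides side by side, as an added example that is not part of the deck: a signature matcher and a simple statistical anomaly detector run over the same constructed web-server log records. The log records, the three patterns, the training counts and the 3-sigma threshold are all made up for the demonstration.

```python
"""Added example (not from the deck): a signature-based and an anomaly-based
detector run over the same constructed web-server log records. Signatures catch
the known SQL-injection strings; the anomaly rule catches the client whose
request rate departs from a learned baseline even though each of its requests
is individually legitimate. Records, patterns and thresholds are made up."""
import re
import statistics
from collections import Counter

# Constructed access-log records: (client, request path, HTTP status)
LOG = [
    ("10.0.0.5", "/login?user=alice", 200),
    ("10.0.0.5", "/account", 200),
    ("10.0.0.7", "/search?q=shoes", 200),
    ("10.0.0.7", "/search?q=' OR '1'='1", 500),
    ("10.0.0.9", "/product?id=1 UNION SELECT password FROM users", 500),
    ("10.0.0.8", "/index", 200),
] + [("10.0.0.42", f"/product?id={i}", 200) for i in range(60)]

# Per-client request counts seen during a quiet training window (constructed)
TRAINING_COUNTS = [1, 2, 2, 3, 1, 2, 4, 2]

SIGNATURES = {
    "sqli-tautology": re.compile(r"'\s*or\s*'?\d*'?\s*=\s*'?\d*'?", re.I),
    "sqli-union": re.compile(r"\bunion\b.+\bselect\b", re.I),
    "path-traversal": re.compile(r"\.\./"),
}


def signature_alerts(log):
    """Signature-based: match every request against known-bad patterns.
    Fast and precise, but blind to anything without a signature."""
    alerts = []
    for client, path, _status in log:
        for name, pattern in SIGNATURES.items():
            if pattern.search(path):
                alerts.append((client, name))
    return alerts


def learn_baseline(normal_counts):
    """Anomaly-based, step 1: characterise 'normal' as the mean and standard
    deviation of per-client request counts from a clean training window."""
    mean = statistics.mean(normal_counts)
    sd = statistics.pstdev(normal_counts) or 1.0      # avoid division by zero
    return mean, sd


def anomaly_alerts(log, baseline, threshold=3.0):
    """Anomaly-based, step 2: flag clients more than `threshold` standard
    deviations above the baseline mean. Catches unknown attacks and floods,
    but a busy legitimate crawler trips it too (the false-positive cost)."""
    mean, sd = baseline
    counts = Counter(client for client, _path, _status in log)
    return sorted((c, n) for c, n in counts.items() if (n - mean) / sd > threshold)
```

Neither detector finds what the other does: the injection attempts from 10.0.0.7 and 10.0.0.9 are two requests each and never leave the baseline, while 10.0.0.42 sends nothing a signature could match. That complementarity is why products ship both engines.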
Network-based IDS/IPS
• Characteristics
– A NIDS examines raw packets on the network passively and triggers alerts
• Advantages?
– Easy deployment
– Difficult to evade if done at a low level of network operation
• Disadvantages?
– Fail open
– Different hosts process packets differently
– Needs the complete network topology and complete host behavior to interpret traffic correctly
Encryption
• Encryption is a way to enhance the security of a message or file by scrambling the contents so that it can be read only by someone who has the right key to unscramble it.
Ex: if you purchase something from a website, the information for the transaction (such as your address, phone number, and credit card number) is usually encrypted to help keep it safe.
• Use encryption when you want a strong level of protection for your information. Encryption on its own protects confidentiality; to detect tampering you also need an integrity check (a MAC or a digital signature), which modern protocols such as TLS combine with encryption.
Encryption Usage
• SSL/TLS certificates (HTTPS)
• Digital Signature
• Drive Encryption
• File Encryption
• VPN
• Secure Email
Denial of Service
A Denial of Service (DoS) attack is an attack against any system component that attempts to force that component to limit, or even halt, its normal services: it temporarily or indefinitely interrupts or suspends the services of a host connected to the Internet. The goal is to make a machine or network resource unavailable to its intended users. When the traffic comes from many sources at once (typically a botnet) it is a distributed denial of service (DDoS) attack.
Impact of DDoS
CloudFlare confirmed that the attack (the February 2014 NTP amplification attack) peaked at around 400 Gbps, making it the largest DDoS attack reported up to that time.
Types Of DDoS Attacks
There are basically three types of DDoS attacks:
• Application-layer DDoS attack
• Protocol DoS attack
• Volume-based DDoS attack
Types of Attacks
• Volume-based DDoS attack or Bandwidth attack: flood the network with a high volume of traffic (measured in bits per second).
• Protocol DoS attack or Connectivity attack: flood a computer or an intermediate device with a high volume of connection requests (e.g. SYN floods) so that it runs out of connection state (measured in packets per second).
• Application-layer DDoS attack or Application attack: send specially crafted requests to the application so that each one costs the server far more to process than it costs the attacker to send (measured in requests per second).
Volumetric DDoS Attack
Volumetric DDoS attacks are designed to saturate and overwhelm network resources by brute force: the link fills before any device behind it gets a chance to filter.
State-Exhausting Attack - Resource Starvation
State-exhausting DDoS attacks target stateful devices: firewalls, load balancers, IPS appliances and the servers themselves. The attack fills their connection-state tables, which renders them useless for legitimate traffic.
DDoS Attack Types: Application Layer
Application-layer DDoS attacks target specific applications (HTTP, SSL, DNS, SMTP, SIP, etc.) with requests that are valid for the protocol, so they pass filters that only look at packet rates.
Successful Take Down by DDoS
The Botnet as a DDoS Tool
• A botnet is a collection of Internet-connected programs communicating with other similar programs in order to perform tasks. It could be used to send spam email or participate in distributed denial-of-service attacks. The word botnet is a combination of the words robot and network.
• Legal botnets: The term botnet is widely used when several IRC bots have been linked and may possibly set channel modes on other bots and users while keeping IRC channels free from unwanted users. This is where the term originally comes from, since the first illegal botnets were similar to legal botnets.
• Illegal botnets: Botnets sometimes comprise computers whose security defenses have been breached and control conceded to a third party. Each such compromised device, known as a "bot", is created when a computer is penetrated by software from a malware (malicious software) distribution.
DIY vs. Cloud-Based DDoS Defense
Why Firewalls/IPS fail to protect against DDoS
Vulnerable to DDoS attacks
– Because these devices are in-line, stateful devices, they are the first to be affected by large flood or connection attacks.
Failure to ensure Availability
– Built to protect against known (versus emerging) threats.
– Designed to look for threats within single sessions, not across sessions.
Protection limited to certain attacks
– They must allow common attack traffic such as TCP port 80 (HTTP) or UDP port 53 (DNS).
– They do not handle attacks composed of valid requests.
Deployed in wrong location
– Very close to servers.
– Too close to protect the upstream router and link, which saturate first.
Incompatible with cloud DDoS protection systems
– Fail to interoperate with cloud DDoS prevention solutions.
– Increase time for response to DDoS.
Lack of DDoS Expertise
– Require skilled security experts.
– Demand knowledge of attack types before attacks.
DDoS Protection Vendor
If the network is secure but the applications are not, then you are not secure.
Vulnerability
• Vulnerability management is the practice of identifying, classifying, remediating, and mitigating vulnerabilities, especially in software and firmware.
• Vulnerability management is integral to computer security and network security.
• Vulnerabilities can be discovered with a vulnerability scanner, which analyzes a computer system in search of known vulnerabilities such as open ports, insecure software configuration, and susceptibility to malware. Exploitation of a vulnerability that is not yet publicly known is called a zero-day attack, and a scanner cannot find it.
• Correcting vulnerabilities may variously involve the installation of a patch, a change in network security policy, reconfiguration of software (such as a firewall), or educating users about social engineering.
How do we protect ourselves
• Security Awareness
• Antivirus Solution
• Privileged Identity Management
• Network Anomaly Detection
• SIEM
PIM Privileged Identity Management
• Privileged Identity Management (PIM) focuses on the powerful accounts within the IT infrastructure of an enterprise.
• It is frequently used as an Information Security and governance tool to help companies meet compliance regulations and to prevent internal data breaches through the use of privileged accounts.
• The management of privileged identities can be automated to follow pre-determined or customized policies and requirements for an organization, for example vaulting shared administrator passwords, checking them out for a limited time and rotating them after use.
PIM Vendors
• Cyber-Ark
• Hitachi ID Systems
• Lieberman Software
• Dell / Quest / e-DMZ
Network Identification Technologies
• To be properly prepared to defend the network infrastructure from DDoS attacks, it is extremely important to know as soon as possible that there is anomalous behavior, malicious or otherwise, occurring in the network.
• Tools and technologies such as flow telemetry help in the detection, identification, and subsequent classification of anomalous network events, and help focus the investigation on Indicators of Compromise (IOC).
Cisco IOS NetFlow is a form of network telemetry that Cisco routers and switches can collect. Data provided through NetFlow is similar to the information in a phone bill: the user can view who is talking (source and destination IP address) and how long the conversations last (amount of traffic and packets). Because it is built from packet headers, NetFlow shows who talked to whom and how much, not the payload, and on many platforms it is sampled rather than complete.
NetFlow Key Parameters
The seven key parameters that are inspected in each packet determine whether a new flow should be created. If any of the seven fields differs from the flows that have previously been created, a new flow is created and added to the NetFlow cache.
• The seven fields are as follows:
• Source IP address
• Destination IP address
• Source port
• Destination port
• Layer 3 protocol
• TOS byte
• Input interface
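The flow-cache rule above and the DDoS-detection use of it from the preceding slides, as an added example that is not part of the deck: packets are keyed on the seven fields, and two indicators an analyst looks for are derived from the resulting cache. The packet headers, the interface numbers and the thresholds (20 sources, 10 ports) are constructed assumptions for the example.

```python
"""Added example (not from the deck): a NetFlow-style flow cache keyed on the
seven fields listed above, built from constructed packet headers, then two
indicators derived from it: many single-packet TCP flows to one destination
port from many sources (a SYN flood from forged addresses) and one source
touching many destination ports (a scan). Headers and thresholds are made up."""
from collections import defaultdict, namedtuple

FlowKey = namedtuple("FlowKey", "src_ip dst_ip src_port dst_port proto tos in_if")


class FlowCache:
    def __init__(self):
        self.flows = {}                     # FlowKey -> [packets, bytes]

    def observe(self, pkt):
        """Update the cache with one packet header; any differing field among
        the seven starts a new flow, otherwise the existing flow is extended."""
        key = FlowKey(pkt["src"], pkt["dst"], pkt["sport"], pkt["dport"],
                      pkt["proto"], pkt.get("tos", 0), pkt["in_if"])
        if key not in self.flows:
            self.flows[key] = [0, 0]
        self.flows[key][0] += 1
        self.flows[key][1] += pkt["len"]
        return key

    def syn_flood_suspects(self, min_sources=20):
        """Destination (ip, port) pairs receiving single-packet TCP flows from
        many distinct sources. Forged-source SYNs never produce a second
        packet, so the flood shows up as a pile of one-packet flows."""
        sources = defaultdict(set)
        for key, (packets, _bytes) in self.flows.items():
            if key.proto == 6 and packets == 1:
                sources[(key.dst_ip, key.dst_port)].add(key.src_ip)
        return {dst: len(s) for dst, s in sources.items() if len(s) >= min_sources}

    def scan_suspects(self, min_ports=10):
        """(source, destination) pairs whose flows span many destination ports."""
        ports = defaultdict(set)
        for key in self.flows:
            ports[(key.src_ip, key.dst_ip)].add(key.dst_port)
        return {pair: len(p) for pair, p in ports.items() if len(p) >= min_ports}


def build_sample_packets():
    """Constructed traffic: one normal HTTPS session, a 15-port scan and a
    SYN flood from 50 forged sources arriving on a second interface."""
    pkts = []
    for _ in range(5):                      # normal: five packets, one flow
        pkts.append(dict(src="10.1.1.5", dst="192.0.2.10", sport=51000, dport=443,
                         proto=6, len=800, in_if=1))
    for port in range(20, 35):              # scan: one packet per port
        pkts.append(dict(src="10.1.1.66", dst="192.0.2.10", sport=40000, dport=port,
                         proto=6, len=60, in_if=1))
    for i in range(50):                     # flood: one SYN per forged source
        pkts.append(dict(src=f"198.51.100.{i}", dst="192.0.2.10", sport=1024 + i,
                         dport=80, proto=6, len=60, in_if=2))
    return pkts


def analyze():
    """Feed the sample traffic through the cache and return
    (flow count, SYN-flood suspects, scan suspects)."""
    cache = FlowCache()
    for pkt in build_sample_packets():
        cache.observe(pkt)
    return len(cache.flows), cache.syn_flood_suspects(), cache.scan_suspects()
```

The scan also produces single-packet flows, but towards fifteen different ports from one source, so the two heuristics separate the cases; the input interface field is what lets an operator see that the flood entered on the upstream link rather than from the inside.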
Lancope StealthWatch
SIEM
• Security information and event management (SIEM) is an approach to security management that seeks to provide a holistic view of an organization's information technology (IT) security.
• A SEM (security event management) system centralizes the storage and interpretation of logs and allows near real-time analysis, which enables security personnel to take defensive actions more quickly.
• A SIM (security information management) system collects data into a central repository for trend analysis and provides automated reporting for compliance and centralized reporting.
• Bringing the two functions together, SIEM systems provide quicker identification, analysis, and recovery of security events.
• They also allow compliance managers to confirm they are fulfilling an organization's legal compliance requirements.
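What the "centralize and correlate" part of SIEM buys, as an added example that is not part of the deck: two constructed log sources (an sshd log and a VPN appliance log) are normalised to one event schema, and a correlation rule raises an incident when many failed logins from one source are followed by a success from the same source inside a time window. The log formats, hostnames, addresses, the failure threshold of 5 and the 10-minute window are assumptions for the example.

```python
"""Added example (not part of the deck): SIEM-style log normalisation and
cross-source correlation in miniature. Two constructed log formats are mapped
to one event schema; a rule flags >= 5 failures from a source followed by a
success from that source within 10 minutes. Formats, hosts, addresses and
thresholds are made up."""
import re
from datetime import datetime, timedelta

SSHD_RE = re.compile(r"^(\S+) (\S+) sshd\[\d+\]: (Failed|Accepted) password for "
                     r"(?:invalid user )?(\S+) from (\S+)")
VPN_RE = re.compile(r"^ts=(\S+) dev=(\S+) event=auth result=(ok|fail) user=(\S+) src=(\S+)")


def normalize(line):
    """Map a raw line from either source to a common event dict, or None."""
    m = SSHD_RE.match(line)
    if m:
        ts, host, result, user, src = m.groups()
        return dict(ts=datetime.fromisoformat(ts), host=host, src=src, user=user,
                    ok=(result == "Accepted"), source="sshd")
    m = VPN_RE.match(line)
    if m:
        ts, host, result, user, src = m.groups()
        return dict(ts=datetime.fromisoformat(ts), host=host, src=src, user=user,
                    ok=(result == "ok"), source="vpn")
    return None


def correlate(events, max_fail=5, window=timedelta(minutes=10)):
    """Rule: at least max_fail failures from one source (any host, any user)
    followed by a success from that source within `window` -> one incident."""
    events = sorted((e for e in events if e), key=lambda e: e["ts"])
    recent = {}                                  # src -> failure timestamps
    incidents = []
    for e in events:
        fails = [t for t in recent.get(e["src"], []) if e["ts"] - t <= window]
        if e["ok"]:
            if len(fails) >= max_fail:
                incidents.append(dict(src=e["src"], user=e["user"], host=e["host"],
                                      failures=len(fails), at=e["ts"]))
            recent[e["src"]] = []                # success resets the counter
        else:
            recent[e["src"]] = fails + [e["ts"]]
    return incidents


# Constructed sample lines: four ssh failures, two VPN failures, then a VPN
# success, all from 203.0.113.9; plus unrelated benign events.
LINES = [
    f"2019-08-18T10:0{i}:00 web1 sshd[123]: Failed password for invalid user admin "
    f"from 203.0.113.9 port 5{i}000 ssh2" for i in range(4)
] + [
    "ts=2019-08-18T10:04:30 dev=vpn1 event=auth result=fail user=jsmith src=203.0.113.9",
    "ts=2019-08-18T10:05:10 dev=vpn1 event=auth result=fail user=jsmith src=203.0.113.9",
    "ts=2019-08-18T10:06:00 dev=vpn1 event=auth result=ok user=jsmith src=203.0.113.9",
    "2019-08-18T10:07:00 web1 sshd[130]: Accepted password for alice from 10.0.0.5 port 51000 ssh2",
    "2019-08-18T10:30:00 web2 sshd[140]: Failed password for bob from 10.0.0.6 port 52000 ssh2",
]


def run():
    """Normalise every sample line and return the correlated incidents."""
    return correlate(normalize(line) for line in LINES)
```

Neither source alone crosses the threshold (four failures on sshd, two on the VPN); only the merged, time-ordered view does, which is the SEM half of the slide. Keeping the normalised events for trend reports is the SIM half.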
SIEM Vendors
• ArcSight
• Splunk
• IBM QRadar
• RSA enVision
• McAfee SIEM
Sample Dashboard
Questions???