The specific technique used to exploit a vulnerability is called an attack. Attacks fall into two categories, passive and active. Passive attacks are difficult to detect because they occur as hidden activity, such as packet sniffing or traffic analysis of a network; they are designed to gather information that can be used later, for example by monitoring and recording network traffic. Active attacks are more open actions against a network or system, such as denial of service or active probing of a system. They are more easily detected, but at the same time they can be more devastating. Some of the general types of threats that network administrators face every day are described below.
Computer Viruses:
A computer virus is a software program, script or macro designed to infect, destroy or modify computer programs. It is called a virus because it is a parasitic program that cannot function independently: it requires a host. Viruses attach themselves to other programs in order to spread. A virus normally spreads when an infected program is run or is sent to others, as with a virus spreading through email.
Worms:
Worms are malicious, self-contained and independent programs that usually spread from an infected system to other systems reachable over the available networks. In other words, worms can be described as viruses that spread on their own. Once installed on a computer, they immediately generate copies of themselves and email them to other recipients. Once inside a network, worms can also penetrate firewalls and other security measures.
Trojan Horses:
A Trojan horse is a program that appears legitimate but performs some illicit activity as it executes. It can be used to locate information such as passwords, or to make the system more vulnerable to future attacks, for example by opening a way for a virus to enter or by simply destroying data on the hard disk. Trojans stay on the computer without replicating, but they open a path for someone at a remote location to take control of the computer. They mostly arrive as an attachment, a free game or some other program.
Logic Bombs:
A logic bomb is a piece of code inserted intentionally into a system to perform a malicious function when specific conditions are met. Viruses and worms often contain logic bombs so that a certain payload executes at a predefined time or when some condition is met.
Port Scanning:
Port scanning is a series of messages sent by someone who wants to learn more about a system in order to break into it. It is a favourite approach of computer crackers because it probes for weaknesses. A port scan sends a message to each port, one at a time; the kind of response received reveals which ports are open, and those ports are then used to exploit vulnerabilities.
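The defender's side of this is detection: one source touching many distinct ports on one host within a short window is the pattern a scan leaves in connection logs. The following is an added example, not part of the original text; the one-line-per-attempt log format, the sample entries and the thresholds are constructed assumptions.

```python
"""Port-scan detection over a constructed connection log.

Added example, not from the original text. The log format (one line per
connection attempt) and the thresholds are assumptions; a single source
touching many distinct ports on one host within a short window is the
pattern the paragraph describes, and that is what this counts.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "timestamp src_ip dst_ip dst_port tcp_flags"
SAMPLE_LOG = """\
2024-01-01T10:00:00 10.0.0.5 192.0.2.10 22 S
2024-01-01T10:00:00 10.0.0.5 192.0.2.10 23 S
2024-01-01T10:00:01 10.0.0.5 192.0.2.10 25 S
2024-01-01T10:00:01 10.0.0.5 192.0.2.10 80 S
2024-01-01T10:00:02 10.0.0.5 192.0.2.10 110 S
2024-01-01T10:00:02 10.0.0.5 192.0.2.10 143 S
2024-01-01T10:00:03 10.0.0.5 192.0.2.10 443 S
2024-01-01T10:00:03 10.0.0.5 192.0.2.10 3389 S
2024-01-01T10:00:04 10.0.0.5 192.0.2.10 8080 S
2024-01-01T10:00:05 10.0.0.5 192.0.2.10 8443 S
2024-01-01T10:00:10 10.0.0.7 192.0.2.10 443 S
2024-01-01T10:05:00 10.0.0.7 192.0.2.10 443 S
"""


def parse_log(text):
    """Parse the sample format into (timestamp, src, dst, port, flags) tuples."""
    events = []
    for line in text.splitlines():
        ts, src, dst, port, flags = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, int(port), flags))
    return events


def detect_port_scans(events, window_seconds=60, port_threshold=8):
    """Return {(src, dst): max distinct ports seen in any window} for pairs
    that reach port_threshold. Only SYN-bearing attempts are counted."""
    attempts = defaultdict(list)
    for ts, src, dst, port, flags in events:
        if "S" in flags:
            attempts[(src, dst)].append((ts, port))
    window = timedelta(seconds=window_seconds)
    alerts = {}
    for pair, items in attempts.items():
        items.sort()
        start = 0
        for end in range(len(items)):
            # slide the window start forward until it fits window_seconds
            while items[end][0] - items[start][0] > window:
                start += 1
            distinct = {port for _, port in items[start:end + 1]}
            if len(distinct) >= port_threshold:
                alerts[pair] = max(alerts.get(pair, 0), len(distinct))
    return alerts


if __name__ == "__main__":
    for (src, dst), n in detect_port_scans(parse_log(SAMPLE_LOG)).items():
        print(f"possible port scan: {src} -> {dst}, {n} distinct ports")
```

Real scans may be spread out over hours to stay under a threshold like this, so the window and port count should be tuned per network; a slower scan is caught by widening the window or by counting closed-port responses (RST) rather than attempts.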
Spoofing:
Spoofing is faking an identity, or impersonating someone else's identity, to gain access to a system or network or to obtain information for some malicious purpose. Spoofing can be done in different ways; the main types are as follows.
IP Address Spoofing:
Every device on a network has a unique IP address that identifies it. IP spoofing takes advantage of systems on a network that rely on the IP address alone. Precisely, it is a security exploit in which an intruder attempts to send packets to a system that appear to originate from a source other than the intruder's own.
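The standard defence at a network border is source-address filtering: a packet arriving from outside must not claim an inside source, and a packet leaving must not claim a source the network does not own. The following is an added example, not part of the original text; the internal prefixes and the sample packets are constructed.

```python
"""Source-address (ingress/egress) filtering against IP spoofing.

Added example, not from the original text. The prefixes and packets are
constructed. Rule: a packet arriving from outside must not claim an inside
source, a packet leaving must not claim an outside source, and bogon
sources (loopback, multicast, unspecified) are dropped either way.
"""
import ipaddress

# Constructed: address space that belongs to our own network
INTERNAL_NETS = [ipaddress.ip_network("192.0.2.0/24"),
                 ipaddress.ip_network("10.0.0.0/8")]

# Constructed packets as (direction at the border router, source, destination)
SAMPLE_PACKETS = [
    ("in",  "203.0.113.9",  "192.0.2.10"),   # normal inbound traffic
    ("in",  "192.0.2.77",   "192.0.2.10"),   # from outside, but claims an inside source
    ("in",  "127.0.0.1",    "192.0.2.10"),   # loopback source is never legitimate on the wire
    ("out", "192.0.2.10",   "203.0.113.9"),  # normal outbound traffic
    ("out", "198.51.100.4", "203.0.113.9"),  # leaves with a source we do not own
]


def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)


def classify(direction, src, dst):
    """Return 'allow' or a 'drop:<reason>' verdict for one packet."""
    a = ipaddress.ip_address(src)
    if a.is_loopback or a.is_multicast or a.is_unspecified:
        return "drop:bogon-source"
    if direction == "in" and is_internal(a):
        return "drop:spoofed-internal-source"
    if direction == "out" and not is_internal(a):
        return "drop:spoofed-egress-source"
    return "allow"


def filter_packets(packets):
    return [classify(d, s, t) for d, s, t in packets]


if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE_PACKETS, filter_packets(SAMPLE_PACKETS)):
        print(f"{pkt[0]:>3} {pkt[1]:>14} -> {pkt[2]:<14} {verdict}")
```

The egress rule matters as much as the ingress one: it stops hosts inside this network from being used as the source of spoofed traffic against others, which is how a network becomes an unwitting participant in the reflection attacks discussed later.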
Sequence Number Spoofing:
Sequence numbers are used in each transmission of a TCP/IP network connection. The sequence number is based on the computer's internal clock, following the SET algorithm. A hacker can record the exchange of sequence numbers in a network connection and predict the next sequence number; with this information, the hacker can take over the connection.
Session Hijacking:
In session hijacking, a hacker takes over the connection session between a client and a server. This is achieved by gaining access to a network device that acts as a gateway between the user and the server, using IP spoofing.
DNS Attacks:
The Domain Name System (DNS) translates internet domain names to IP addresses. DNS can be seen as a lookup table that lets users refer to remote computers by host name instead of IP address, so users do not have to remember the IP address of every internet server. It can also be used to configure the use of a sequence of name servers.
One method of DNS attack is for the attacker to compromise a web link in such a way that the ordinary user thinks they are at the correct site when they are not, and the hacker takes control over the user. If this attempt fails, the hacker tries to manipulate the domain name registry, transferring domains and redirecting the actual users to sites maintained by the hacker. Another method used by the hacker is the man-in-the-middle (MIM) attack, in which the attacker monitors the interaction between the client and the server. In fact there is no proper method to prevent this attack, as the hacker only needs a valid digital certificate to enable SSL. Even the use of encryption cannot protect against the actual attack, as the encryption is minimal and could be decrypted.
Replay Attacks:
In a replay attack the hacker intercepts and stores a successful transmission between legitimate users and later sends it again. The use of session keys can prevent such attacks; a timestamp on every transmission, together with a time-dependent message digest, would also prevent them.
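The three countermeasures named above (a session key, a timestamp and a keyed digest) fit together in one receiver check. The following is an added example, not part of the original text; the message layout, the field names, the random per-message nonce and the 30-second freshness window are assumptions of the example, and how the two parties agree the session key is out of scope.

```python
"""Replay protection with a session key, a timestamp and a nonce.

Added example, not from the original text. Message format, field names and
the 30-second freshness window are assumptions; the session key is shared
between the two legitimate parties (how they agree on it is out of scope).
"""
import hashlib
import hmac
import json
import os
import time


def make_message(session_key, body, ts=None):
    """Sender side: body + timestamp + random nonce, authenticated with HMAC."""
    fields = {"body": body,
              "ts": time.time() if ts is None else ts,
              "nonce": os.urandom(16).hex()}
    payload = json.dumps(fields, sort_keys=True)
    tag = hmac.new(session_key, payload.encode(), hashlib.sha256).hexdigest()
    return {"payload": payload, "tag": tag}


class Receiver:
    """Receiver side: rejects forgeries, stale messages and replays."""

    def __init__(self, session_key, max_skew=30.0):
        self.key = session_key
        self.max_skew = max_skew
        self.seen = set()   # nonces accepted so far; stale ones could be evicted

    def verify(self, message, now=None):
        now = time.time() if now is None else now
        expected = hmac.new(self.key, message["payload"].encode(),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(message["tag"], expected):
            return "reject:bad-mac"        # tampered, or not from a key holder
        fields = json.loads(message["payload"])
        if abs(now - fields["ts"]) > self.max_skew:
            return "reject:stale"          # outside the freshness window
        if fields["nonce"] in self.seen:
            return "reject:replay"         # same message seen before
        self.seen.add(fields["nonce"])
        return "accept"


def demo():
    """Walk one message through delivery, replay, late replay and tampering."""
    key = os.urandom(32)
    rx = Receiver(key)
    msg = make_message(key, "transfer 5 to account A", ts=1000.0)
    results = [rx.verify(msg, now=1000.0),    # first delivery
               rx.verify(msg, now=1001.0),    # replayed copy a second later
               rx.verify(msg, now=2000.0)]    # replayed long after the window
    tampered_fields = json.loads(msg["payload"])
    tampered_fields["body"] = "transfer 500 to account A"
    tampered = {"payload": json.dumps(tampered_fields, sort_keys=True),
                "tag": msg["tag"]}            # old tag over new content
    results.append(rx.verify(tampered, now=1000.0))
    return results


if __name__ == "__main__":
    print(demo())
```

The timestamp bounds how long a captured message stays usable, and the nonce catches replays inside that window; because anything older than max_skew is rejected on the timestamp alone, the receiver only needs to remember nonces for that long.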
Password Cracking:
Password cracking can be defined as the process of recovering the passwords and data held within, or transmitted from, a system. This attack is also called a dictionary attack. A dictionary attack uses a deciphering program to recover passwords; the program operates by comparing a list of known words with the ciphers. Various websites offer the source code of such password-deciphering programs.
Social Engineering:
One very common non-technical method used for hacking is social engineering, in which the hacker gets users to reveal their personal information. One common approach is to obtain personal information, such as the passwords of the organisation's users, by pretending to be an actual IS employee of the organisation. Another method extracts information from ordinary users through what they discard, such as printouts and garbage, since such information can be revealed unknowingly. Hence a proper policy should be in place to provide appropriate security at all levels: personal information should not be shared with anyone, including the organisation's own IS employees, for any purpose.
Sniffing:
Sniffing is the process of monitoring and gathering information from a network, which an attacker carries out with hacking tools. A hacker can monitor the packets transferred over a network and obtain useful information such as passwords and IP addresses, resulting in illegitimate use. Various tools can be used for sniffing. Sniffer-detection products work by detecting network interface cards that are in promiscuous mode, but this can be countered simply by cutting the transmit side of the network interface cable: the sniffing card then cannot send any packets onto the network, and it is those packets that a sniffer detector would pick up.
War Dialing:
War dialing is a technique in which a modem automatically dials and scans a defined list of telephone numbers. Hackers mostly use it to identify computers connected through broadband systems, whose sensitive data can then be identified and hacked. It can identify various devices such as computers, fax machines and many others, for the exploration of useful data.
Denial of Service:
This type of attack is generally used to shut down a system or to disrupt its functions. The objective is not to gain information about the system but to destroy its functionality so that it cannot be used by other users. Such attacks are done primarily to exact revenge, to punish a particular person, and so on. It is not real hacking; the attack is done to prove a point, usually by immature programmers. Some denial of service attacks are the ping of death, SYN flooding, spam and the Smurf attack.
Ping of Death:
This is a basic denial of service attack: if a vulnerability is found in a system, it can be exploited using the ping of death. Exploiting it takes no extra effort or skill, but discovering the vulnerability does take skill. A flood of pings is required to crash a system. Operating system vendors release patches to eliminate the problems that cause the vulnerability.
SYN Flooding:
This denial of service attack exploits a TCP/IP connection. The three-way handshake normally performed when a connection is established is abused: the attacker targets a particular system and produces many half-open connections, which results in denial of service.
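On the target, half-open connections are visible as sockets stuck in the SYN-RECV state, so a pile-up of them on one listening port from many different peers is the symptom to watch for. The following is an added example, not part of the original text; the input is constructed in the column layout of the Linux `ss -tan` listing, and the threshold is an assumption.

```python
"""SYN-flood indicator from a socket-state listing.

Added example, not from the original text. The input is constructed in the
column layout of Linux `ss -tan`; half-open connections sit in the SYN-RECV
state, so many of them on one listening port from many peers is the symptom
the paragraph describes.
"""
from collections import Counter


def build_sample_listing(half_open=40):
    """Construct a listing with `half_open` SYN-RECV entries on port 80 from
    distinct peers, three on port 443, and one established connection."""
    lines = [
        "State    Recv-Q Send-Q Local Address:Port   Peer Address:Port",
        "LISTEN   0      128    0.0.0.0:80           0.0.0.0:*",
        "LISTEN   0      128    0.0.0.0:443          0.0.0.0:*",
        "ESTAB    0      0      192.0.2.10:80        203.0.113.5:50000",
    ]
    for i in range(half_open):
        lines.append(f"SYN-RECV 0      0      192.0.2.10:80        "
                     f"198.51.100.{i % 250 + 1}:{40000 + i}")
    for i in range(3):
        lines.append(f"SYN-RECV 0      0      192.0.2.10:443       "
                     f"203.0.113.{i + 10}:{41000 + i}")
    return "\n".join(lines)


def parse_listing(text):
    """Return (state, local, peer) per socket row, skipping the header."""
    rows = []
    for line in text.splitlines()[1:]:
        parts = line.split()
        if len(parts) >= 5:
            rows.append((parts[0], parts[3], parts[4]))
    return rows


def half_open_summary(rows):
    """{local_port: (half_open_count, distinct_peer_count)} over SYN-RECV rows."""
    counts, peers = Counter(), {}
    for state, local, peer in rows:
        if state != "SYN-RECV":
            continue
        port = local.rsplit(":", 1)[1]
        counts[port] += 1
        peers.setdefault(port, set()).add(peer.rsplit(":", 1)[0])
    return {p: (counts[p], len(peers[p])) for p in counts}


def syn_flood_alerts(rows, threshold=32):
    """Ports whose half-open count reaches the threshold."""
    return {p: s for p, s in half_open_summary(rows).items() if s[0] >= threshold}


if __name__ == "__main__":
    rows = parse_listing(build_sample_listing())
    for port, (n, distinct) in syn_flood_alerts(rows).items():
        print(f"port {port}: {n} half-open connections from {distinct} peers")
```

A high distinct-peer count alongside the half-open count is what separates a flood with spoofed sources from one busy client. On Linux the usual mitigation is to enable SYN cookies (`net.ipv4.tcp_syncookies = 1`), which lets the kernel complete handshakes without keeping state for every pending SYN.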
SPAM:
Spam is completely unwanted e-mail that any e-mail account holder can receive. It can be used to crash a system by consuming network bandwidth, overloading the available disk space and causing log files to grow very large. This kind of attack can be carried out so that the real sender of the spam cannot be identified, as it looks like a third-party attack. Deploying e-mail filtering can prevent it.
Smurf Attack:
The Smurf attack is also a denial of service attack; it crashes the system by producing a considerable amount of traffic. An ICMP echo request (ping) is sent towards the specifically targeted IP address with a spoofed source; if replies come from multiple hosts on the network, a huge amount of traffic is generated, eventually crashing the system. (kir)
Wireless Network Security:
Due to the rapid growth of wireless technology and the proliferation of mobile devices, the need for security is alarming, since many attacks occur between the end user and the access point. Many organisations aim to secure these weak links using encryption, which draws the attention of security engineers to the existing WiFi (IEEE 802.11) wireless LAN systems.
Wireless security can be classified into two parts, viz. authentication and encryption.
Authentication is the process of identifying a wireless client to an access point and vice versa. It is an important aspect of network security, used for identification.
Encryption is the mathematics of applying a cipher. A cipher is a code used to convert plain text into an encrypted form. This art of hiding information is called encryption, and the reverse process of retrieving the information from the encrypted text using the cipher is called decryption. Encryption is also used in wireless technology to secure data, which helps prevent interception and decoding of the data.
MAC Address Authentication:
MAC address authentication is an authentication technique used to identify legitimate users. Only a valid MAC address stored in the RADIUS server or in the access point's database is accepted; traffic from other MAC addresses is dropped. This technique is quite primitive and can easily be circumvented or counterfeited, since software exists to change the MAC address of 802.11 cards. The identification is hardware-based, so anyone using that particular hardware is identified as a legitimate user. Besides these disadvantages, the authentication is unidirectional: only the access point authenticates, not the client.
WEP: Wired Equivalent Privacy:
WEP (Wired Equivalent Privacy) is the encryption standard defined in 802.11. WEP is a weak algorithm for securing a network; despite this weakness it is used in many places, as it is better to have some security than to be totally unsecured. WEP does not meet the standard of industrial security but is still used because of the administrative convenience it offers. WEP uses an initialization vector (IV) in combination with the key to encrypt the data, and any weak IV chosen is easily cracked. There are many freely available tools, such as AirSnort, AiroPeek and others, that can easily crack WEP, which proves that WEP is fundamentally flawed. In addition, the fragmentation attack on WEP eliminates the overhead of long-term data capture and enables real-time attacks.
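The root of the IV problem is that WEP seeds a stream cipher (RC4) with the 24-bit IV followed by the fixed key, so once an IV repeats the same keystream is used twice, and XORing the two ciphertexts cancels it out; with only 2^24 IVs a repeat is expected after a few thousand frames. The following is an added example, not part of the original text or of any of the tools named: the RC4 routine and IV||key seeding follow WEP, the CRC-32 integrity value WEP appends is omitted, and the key, IV and frames are constructed.

```python
"""Keystream reuse under a repeated WEP IV, demonstrated with RC4.

Added example, not from the original text. RC4 and the IV || key seeding
are as WEP uses them; the CRC-32 integrity value WEP appends is omitted, and
the key, IV and frames are constructed. The defender's point: with a 24-bit
IV the keystream repeats after a few thousand frames, and any two frames
under the same IV cancel the keystream out.
"""
import math


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4: key scheduling, then keystream XORed with the data."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP frame body: 24-bit IV in the clear, then RC4(IV || key) over the data."""
    assert len(iv) == 3, "WEP IV is 24 bits"
    return iv + rc4(iv + key, plaintext)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def keystream_reuse_leak(frame1: bytes, frame2: bytes) -> bytes:
    """For two frames with the same IV, c1 XOR c2 == p1 XOR p2: the keystream
    cancels and only the relationship between the plaintexts remains."""
    assert frame1[:3] == frame2[:3], "only meaningful for a repeated IV"
    return xor_bytes(frame1[3:], frame2[3:])


def expected_frames_until_iv_repeat(iv_bits: int = 24) -> float:
    """Birthday bound: about sqrt(pi/2 * 2^bits) random IVs before a repeat."""
    return math.sqrt(math.pi / 2 * 2 ** iv_bits)


if __name__ == "__main__":
    key = b"\x01\x02\x03\x04\x05"          # constructed 40-bit WEP key
    iv = b"\x00\x00\x01"                   # constructed IV, reused for both frames
    p1, p2 = b"GET /index.html", b"GET /secret.txt"
    leak = keystream_reuse_leak(wep_encrypt(key, iv, p1), wep_encrypt(key, iv, p2))
    print("c1 ^ c2 == p1 ^ p2:", leak == xor_bytes(p1, p2))
    print("frames until an IV repeat is expected:",
          round(expected_frames_until_iv_repeat()))
```

The birthday figure (roughly five thousand frames) is why the text says long captures are unnecessary: a busy access point produces that many frames in seconds, and a known plaintext for one frame then reveals the other. TKIP, described below, is the fix the 802.11i group designed around exactly this weakness.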
WPA: WiFi Protected Access:
WPA (WiFi Protected Access) came into existence as a new standard for WLAN protection to replace WEP. WPA offers strongly increased data protection and access control compared with WEP. WPA is designed to run as software and receives timely upgrades, which is indeed a boon. WPA offers a good level of security when installed and assures wireless LAN users of a good level of protection as soon as WPA is active in the network. WPA provides interoperable, enhanced and strongly protected security, and it can be used by both home and enterprise users.
WPA enhancement with TKIP:
WPA encryption is enhanced by the use of the Temporal Key Integrity Protocol (TKIP) in the 802.11 wireless network standard. TKIP was developed by the 802.11i group as part of its work. Among the good features of TKIP are a per-packet key mixing function, a Message Integrity Check (MIC), an extended initialization vector and a rekeying mechanism; these improved features solve known vulnerabilities of WEP.
WPA in combination with 802.1X and the Extensible Authentication Protocol (EAP) is an improved framework for wireless security. This technology allows the administrator to have user-level authentication. WPA authenticates the user against an authentication server, and the advantage of this framework is that it provides bidirectional authentication, meaning the server and the wireless client have to authenticate each other.
What is WPA-PSK:
WPA-PSK is a powerful encryption method that uses a pre-shared key (PSK) to authenticate users and grant access; unlike WPA Enterprise, PSK does not require individual user credentials. PSK is the most common mechanism used with WPA to authenticate home users. Many home users share a common pre-shared key (password) to gain access; once the password matches, the client is granted access. Since the key is shared in common, it is technically difficult to prevent a user from connecting again.
WPA-PSK is commonly used in home networks because of its powerful encryption and the convenience it offers for practical implementation; this mechanism of authenticating users and keeping away others who seek access makes it ubiquitous in home networking.
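The 256-bit PSK is not a separate secret: 802.11i derives it from the passphrase and the SSID with PBKDF2, so the strength of the whole network rests on the passphrase, and changing the passphrase (the only way to revoke a user who knows it) changes the PSK for everyone. The following is an added example, not part of the original text; the derivation follows the IEEE 802.11i definition, while the entropy estimate is a rough helper that is this example's own assumption, not anything the standard defines.

```python
"""WPA-PSK key derivation, and why the passphrase is the whole secret.

Added example, not from the original text. The derivation follows the
IEEE 802.11i definition (PBKDF2-HMAC-SHA1, SSID as salt, 4096 iterations,
256-bit output). The entropy estimate is a crude helper and an assumption
of this example, not something the standard defines.
"""
import hashlib
import math
import string


def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """PSK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes)."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def estimate_entropy_bits(passphrase: str) -> float:
    """Crude upper bound: length * log2(size of the character classes used).
    A passphrase built from dictionary words has far less real entropy."""
    size = 0
    if any(c in string.ascii_lowercase for c in passphrase):
        size += 26
    if any(c in string.ascii_uppercase for c in passphrase):
        size += 26
    if any(c in string.digits for c in passphrase):
        size += 10
    if any(c in string.punctuation or c == " " for c in passphrase):
        size += 33
    return len(passphrase) * math.log2(size) if size else 0.0


def psk_report(passphrase: str, ssid: str) -> dict:
    """What a home router effectively stores, plus a strength estimate."""
    return {"psk": wpa_psk(passphrase, ssid).hex(),
            "entropy_bits": round(estimate_entropy_bits(passphrase), 1)}


if __name__ == "__main__":
    # "password" / "IEEE" is the first test vector published with 802.11i
    print(psk_report("password", "IEEE"))
    print(psk_report("correct horse battery staple 42", "IEEE"))
```

Two consequences follow for a home deployment: the SSID acts only as a salt, so a common SSID lets an attacker reuse precomputed tables across many networks, and a short passphrase is the weak point regardless of how strong the 256-bit PSK looks.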
Using Wireless Technology Securely:
With the increase in wireless networks, the need to secure them has also increased, since hackers are opportunists who look for vulnerabilities in a network to probe into. Hackers do not have to break the encryption to get in; they can circumvent it if there is a design flaw.
Public Wireless Threats:
Home Wireless Threats:
This refers to accessing a wireless internet connection by bringing a mobile device within range of someone's wireless network and using it without the permission or knowledge of the subscriber. (B)
Components of a Typical Patch Management Process
Research: This step identifies new vulnerabilities and the solutions the organization requires. It can be time consuming if done manually; an automated approach saves time and takes care of tracking the relevant security websites, email notifications and press releases.
Analysis: In this stage we need a general idea of whether the patch is applicable to the organisation and of the number of systems that can be fixed using the patch. The patch is then compared with the existing solution to analyse the pros and cons of the old and new patch, giving a general idea of how far this patch can be applied to severe vulnerabilities.
Testing: Here we apply the patch to find its practical capability in resolving vulnerabilities. First we apply the new patch to a system that is affected by the threat or attacker, and then monitor the results and side effects stage by stage.
Preparation: Depending on the testing results, in the preparation stage we decide whether to deploy the patch, whether to include it in a package of patches, and which unsupported machines to exclude. Handling reboots and roll-outs and maintaining timing details such as deadlines and maintenance windows is also important in this stage.
Deployment: The patches are deployed as a patch package and subsequent troubleshooting is performed as required, either by an automated system or manually. The manual approach takes more time but can be effective at times.
Monitoring: Released patches are monitored regularly by generating report statistics on performance status and validating all the patches that have been installed. Validation should be done periodically, because new services and upgrades might need a new patch if the old patch cannot resolve the problem.
2. Integrated Network Vulnerability Scanning and Penetration testing
Before we look into the function of network vulnerability scanning and penetration testing, we should know what a vulnerability is and what types exist.
Vulnerabilities: A vulnerability is a weakness in something running on a computer which becomes a threat by compromising the security of the system, breaching the confidentiality, integrity or availability of information or services somewhere in a network. The tools used to detect vulnerabilities in a network are termed network security tools.
Types of vulnerabilities
Some common vulnerabilities include password breaches, file hacking and the altering of information. The different types of vulnerabilities are buffer overflows, format string vulnerabilities, web application vulnerabilities and malicious content vulnerabilities.
Proactive network security is the result of both network vulnerability scanning and penetration testing. Detecting and resolving network vulnerabilities by integrating network vulnerability scanning with penetration testing is so far the best method in the commercial world.
2.1 Network Vulnerability Scanning.
Vulnerability scanning can also be termed malicious activity scanning, as it finds the malicious activity present in the network. A network security tool detects threats inside and outside the network, so this scanning helps protect against both internal and external attackers. External threats to the network include attackers and worms; internal threats include malicious users present within the network. A network scanner can only detect vulnerabilities if it has access to the particular service, so a scan may or may not detect the vulnerabilities present, depending on the placement of the scanning machine.
Vulnerability scan results help the administrator to know the current security status of the network, i.e. whether any vulnerabilities are present. This serves the main purpose of the organisation's security: network security plays a crucial part in the commercial world in maintaining confidentiality, integrity and availability. Network security tools even provide
Vulnerability Scanning Cycle
Networks should be scanned periodically in order to routinely check that old threats have been resolved, to check for new vulnerabilities resulting from new upgrades, updates or services introduced into the network, and to check for vulnerabilities reported earlier but not resolved because the scanner lacked the capability; the latter is overcome by adding capability to the scanner or by obtaining a scanner with the appropriate capability. The problem with vulnerability scanners is that after a vulnerability check the scan reports are a big burden for administrators to go through manually.
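The manual burden shrinks considerably if each periodic scan is compared with the previous one, so the administrator reads only what is new, what was resolved, and what persists, in severity order. The following is an added example, not part of the original text; scanner report formats differ, so the findings here are constructed tuples standing in for one row of a report, and the severity scale and check identifiers are assumptions.

```python
"""Diffing two periodic vulnerability scan reports.

Added example, not from the original text. Scanner output formats vary; the
findings here are constructed tuples of the form
(host, port, check_id, severity, title) standing in for one report row.
"""
SEVERITY_ORDER = {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0}

# Constructed sample reports from two consecutive scan cycles
PREVIOUS_SCAN = [
    ("192.0.2.10", 22, "ssh-weak-mac", "low", "SSH weak MAC algorithms enabled"),
    ("192.0.2.10", 80, "http-trace", "medium", "HTTP TRACE method enabled"),
    ("192.0.2.11", 445, "smb-signing", "medium", "SMB signing not required"),
    ("192.0.2.12", 3389, "rdp-nla", "high", "RDP without Network Level Authentication"),
]
CURRENT_SCAN = [
    ("192.0.2.10", 22, "ssh-weak-mac", "low", "SSH weak MAC algorithms enabled"),
    ("192.0.2.11", 445, "smb-signing", "medium", "SMB signing not required"),
    ("192.0.2.13", 8080, "tomcat-default-creds", "critical", "Tomcat manager default credentials"),
    ("192.0.2.10", 443, "tls-1.0", "medium", "TLS 1.0 enabled"),
]


def finding_key(finding):
    """A finding is the same finding if host, port and check match."""
    return finding[:3]


def diff_scans(previous, current):
    """Split the current report into new, resolved and persistent findings."""
    prev = {finding_key(f): f for f in previous}
    cur = {finding_key(f): f for f in current}
    return {
        "new": [cur[k] for k in cur.keys() - prev.keys()],
        "resolved": [prev[k] for k in prev.keys() - cur.keys()],
        "persistent": [cur[k] for k in cur.keys() & prev.keys()],
    }


def prioritise(findings):
    """Most severe first; host and port break ties so output is stable."""
    return sorted(findings, key=lambda f: (-SEVERITY_ORDER[f[3]], f[0], f[1]))


def summary(previous, current):
    """Check identifiers per bucket, each bucket in priority order."""
    return {bucket: [f[2] for f in prioritise(items)]
            for bucket, items in diff_scans(previous, current).items()}


if __name__ == "__main__":
    for bucket, items in diff_scans(PREVIOUS_SCAN, CURRENT_SCAN).items():
        print(bucket.upper())
        for host, port, check, severity, title in prioritise(items):
            print(f"  [{severity:8}] {host}:{port} {check}: {title}")
```

The "resolved" bucket is the evidence that the patch cycle above actually closed a finding, and a "persistent" finding that survives several cycles is the one to escalate, since it has already been reported and not fixed.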
2.2 Penetration Testing
Penetration testing assesses the impact of vulnerabilities by applying the different actions an actual attacker or threat could perform. This process of simulating the attacker's actions and prioritising remediation is known as penetration testing. Penetration testing can be detected by an IDS, and it is done either manually or automatically using the respective tools.
The benefit of this testing is that simulating the threat's actions gives the administrator prior knowledge of what to do when a vulnerability is detected and of how well it can be resolved.
3. Comparing Passwords, Tokens and Biometrics for User Authentication
Authentication: The process of verifying the identity of a user, device or entity in a computer system. The most familiar form is user authentication, e.g. a password. SSL stands as an example of machine-to-machine authentication. Authentication is performed using authenticators such as passwords, tokens (smart cards, debit cards, etc.) and biometrics. User authentication is more vulnerable to threats than machine-to-machine authentication.
3.1 Passwords, Tokens and Biometrics.
Passwords can be a secret word or number (PIN). They are the most familiar form of authentication among end users and serve as first-level authentication in the commercial world, but they are more vulnerable to threats than tokens and biometrics. Short passwords without a complicated combination of characters are easily broken; longer passwords with a combination of letters, numbers and symbols are less vulnerable in the real world.
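Both this paragraph and the earlier section on password cracking come down to the same two defences: reject passwords a dictionary program would find (including common substitutions), and store passwords with a salted, deliberately slow hash so that a stolen store cannot be compared against a word list quickly. The following is an added example, not part of the original text; the word list, the substitution table, the minimum length and the PBKDF2 iteration count are constructed assumptions.

```python
"""Password policy check and salted slow hashing.

Added example, not from the original text. The tiny dictionary, the leet
substitution table, the 12-character minimum and the iteration count are
assumptions; a real deployment uses a large word list and tunes iterations
to the hardware.
"""
import hashlib
import hmac
import os

# Constructed stand-in for a real word list
DICTIONARY = {"password", "letmein", "welcome", "qwerty", "summer", "dragon"}
# Undo the substitutions a dictionary program tries: 4->a 3->e 0->o 1->l $->s @->a !->i
LEET = str.maketrans("4301$@!", "aeolsai")


def normalise(pw):
    """Reduce 'P@ssw0rd1!' to 'password' so it matches the word list."""
    stripped = pw.lower().rstrip("0123456789!@#$%^&*")   # drop trailing digits/symbols
    return stripped.translate(LEET)


def check_policy(pw, min_len=12):
    """Return the list of policy violations; empty means acceptable."""
    problems = []
    if len(pw) < min_len:
        problems.append("too short")
    classes = [any(c.islower() for c in pw), any(c.isupper() for c in pw),
               any(c.isdigit() for c in pw), any(not c.isalnum() for c in pw)]
    if sum(classes) < 3:
        problems.append("needs 3 of lower/upper/digit/symbol")
    if normalise(pw) in DICTIONARY:
        problems.append("dictionary word")
    return problems


def hash_password(pw, salt=None, iterations=600_000):
    """PBKDF2-HMAC-SHA256 with a random 16-byte salt, self-describing format."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(pw, stored):
    """Recompute with the stored salt and iteration count; constant-time compare."""
    _alg, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", pw.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    for candidate in ["P@ssw0rd1!", "correct horse battery staple 42"]:
        print(candidate, "->", check_policy(candidate) or "ok")
    record = hash_password("correct horse battery staple 42")
    print(verify_password("correct horse battery staple 42", record))
```

The salt defeats precomputed tables and the iteration count makes each guess expensive, which is what turns a dictionary attack from seconds into years; the policy check is the complementary measure, because no hashing scheme protects a password that is itself in the list.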
Tokens are physical devices such as bank cards and smart cards, used to authenticate one's identity based on machine-generated codes, a secret number or a stored number. Tokens are often combined with password authentication to provide more security.
Biometrics is the recognition of an authorised user based on bodily characteristics. Biometrics combined with one of the other two authentication forms gives two-level authentication, which is becoming the most popular and secure form of authentication today. Biometrics can be divided into two kinds: physical and behavioural. Physical biometrics recognises user identity based on body features such as the face, eye, hand and fingerprints; the physical biometrics in existence are facial recognition, retinal recognition, hand recognition and fingerprint recognition. Behavioural biometrics is based on gestures such as the user's voice and signature; the behavioural biometrics in use are voice recognition and digital signature.
These biometric techniques are susceptible to machine errors such as verification errors and identification errors. A verification error may occur in a one-to-one match, and an identification error in a one-to-many match. Thus biometrics is the most secure user authentication method compared with the others, though it can produce various errors.