Fi8sVrs Posted November 9, 2012

The Seven Deadliest Attacks Series
Seven Deadliest Network Attacks
Mike Borkin, Rob Kraus, Stacy Prowell

Introduction

Security is heavily contextual; the effectiveness of any security measures depends on the context into which they are deployed. What if you give keys to the janitor, and he or she leaves them in his or her unlocked car? Further, security is often not incremental; insecurity in one area can lead to insecurity in all areas. Hackers might break into your machines and steal your proposals and bidding information, so you carefully secure your network. Hackers might break into employees’ home networks to steal passwords, e-mail accounts, or even hijack “secure” connections to break into your corporate network, so you institute policies about remote access. Hackers might park outside your building and “listen in” on your wireless network, so you encrypt it and use special measures to prevent the wireless signal from leaking outside the building. Hackers might use e-mail “phishing” and other “social engineering” attacks to gain access, so you add more policies and carefully train your staff and test them from time to time. Finally, comfortably secure and ready for anything, you unknowingly hire the hackers and fall victim to an “insider” attack. Life’s tough.

What we think of as security is really a collection of policies and procedures that are, ultimately, about giving out information. Your employees (or even other parts of your infrastructure) need information to accomplish their mission. Security stands between your employees and accomplishing that mission. All too often, serious security breaches start with some otherwise well-intentioned effort to get some useful work done.

Sometimes it is your employees who break your security, not necessarily because they have some evil purpose, but because they believe the mission is more important or that the security measures are unnecessary. The mission may be short term and absolutely critical. The effects of a security breach can take years to evolve or even to be detected. It is late in the day and you have a very important bet-your-company deliverable due out in the morning. You desperately need Software X to run in order to finish the deliverable, but Software X is being blocked by your firewall. You’ve tried adding rules to the firewall, you’ve tried calling the vendor, but nothing is working. Finally you disable the firewall, finish the deliverable, and ship. Will you remember to re-enable the firewall? Did you monitor your network while the firewall was down?

The view that security is a collection of tradeoffs, or a series of calculated risks, assumes a continuous nature to security. The belief that you can trade a little insecurity for some other gain is often a misunderstanding of the nature of security. This is akin to saying you will allow anyone to withdraw money from your bank account, but only as much as they can withdraw in 10 minutes. The mistake is that the two things (in this case money and time) are not directly related.

How This Book Is Organized

This book identifies seven classes of network attacks and discusses how each attack works, including tools to accomplish the attack, what the risks of the attack are, and how to defend against the attack. Seven attacks were chosen: denial of service, war dialing, penetration testing, protocol tunneling, spanning tree attacks, man-in-the-middle, and password replay. These are not mutually exclusive; you can exploit the spanning tree protocol, for example, to launch a denial-of-service attack. These were chosen because they help illustrate different aspects of network security; the principles on which they rely are unlikely to vanish any time soon, and they allow for the possibility of gaining something of interest to the attacker, from money to high-value data.

Chapter 1, “Denial of Service,” illustrates how even sophisticated networks can be crippled by a determined hacker with relatively few resources.
Chapter 2, “War Dialing,” illustrates how a hacker can circumvent the hardened security perimeter of a network to access “softer” targets.
Chapter 3, “Penetration ‘Testing,’” discusses the various tools and techniques used for penetration testing that are readily available to both the defenders and the attackers.
Chapter 4, “Protocol Tunneling,” presents a method for deliberately subverting your network perimeter to “tunnel” prohibited traffic into and out of your network.
Chapter 5, “Spanning Tree Attacks,” discusses the “layer 2” network responsible for knitting together your switches, routers, and other devices into a reliable network, and illustrates one way in which to exploit the weak security of this layer.
Chapter 6, “Man-in-the-Middle,” discusses a very common attack pattern and just what an attacker can accomplish once he or she has inserted himself or herself into your data stream.
Chapter 7, “Password Replay,” focuses on the security of passwords and other static security measures and how an attacker can use various techniques to gain unauthorized access.

This book is intended to provide practical, usable information. However, the world of network security is evolving very rapidly, and the attack that works today may (hopefully) not work tomorrow. It is more important, then, to understand the principles on which the attacks and exploits are based in order to properly plan either a network attack or a network defense. The authors chose the contents of this book because we believe that, underlying the attacks presented here, there are important principles of network security. The attacks are deadly because they exploit principles, assumptions, and practices that are true today and that we believe are likely to remain true for the foreseeable future.

Increasingly sophisticated criminal organizations launch network attacks as a serious, for-profit enterprise. Similarly, well-funded governmental actors launch network attacks for political reasons or for intelligence gathering. Cyberspace is already a battlefield. Even if your network doesn’t have high-value intelligence and you don’t have deep pockets, you may be the target of a sophisticated attack because you have something else of value: machines and network access. An attacker may exploit your network to launch malware or to launch a network attack. Your Internet Protocol address may serve to give the attacker a level of plausible deniability. After all, would you want to launch the virus you just finished creating through your own Internet service provider connection? Attackers may use your machines for storage of information ranging from child pornography to stolen credit card numbers. Once these show up on your machines, it becomes your job to explain how they got there. Attackers can use compromised machines for command and control of deployed and distributed malware. This can result in your network being blacklisted or blocked as a distribution source for malware. Is this the company image you want your customers to see?

As networks grow and incorporate more sophisticated technologies, it can become difficult to maintain the necessary situational awareness. What were once “dumb” network nodes such as printers and network hardware may now have exploitable (and unexpected) vulnerabilities. These components are, in reality, just other computers on the network. Some of them have multiple interfaces that need to be considered, including Bluetooth, wireless, and wired connections. If one interface is well protected and another disabled, there may still be a third that is available. Network security requires considering the role and security concerns of each device, not just delivering the device and plugging it in.

There are many reasons why network security is hard, ranging from the fact that networks are increasingly sophisticated and complex to the fact that economic incentives can work against proper security. Network security is essentially asymmetric warfare; your adversaries can probe anywhere, but you have to defend everywhere. This creates a technological bias in favor of the attackers. Further, criminal organizations live in a target-rich environment. If they are unsuccessful with one attack, they can move on and attack a different organization.

The market for computer security products can (and does) fall prey to the asymmetric information problem. This is a case in which buyers of a product do not have as much information about the relative merits of the product as the sellers do. This creates a downward pressure on prices that, in turn, creates a downward pressure on quality.

Consider a used car market in which there are 100 good cars (the “plums”), worth $3000 each, and 100 rather troublesome ones (the “lemons”), each of which is worth only $1000. The vendors know which is which, but the buyers don’t. So what will be the equilibrium price of used cars? If customers start off believing that the probability that they will get a plum is equal to the probability that they will get a lemon, then the market price will start off at $2000. However, at that price only lemons will be offered for sale, and once the buyers observe this, the price will drop rapidly to $1000 with no plums being sold at all. [1]

Conclusion

Network security depends on many factors, and perfect network security is impossible. Network protocols can be inherently insecure in surprising ways. Cryptographic functions that are essential to network security can fall prey to sophisticated mathematical attacks. The algorithms that implement protocols or cryptography can contain bugs. Even otherwise correct code can fall prey to the effects of being run on a computer; errors exist in chip designs, and the use of finite-precision math on computers can result in unexpected effects that can be exploited. This is all good news for attackers, but not so much for defenders.

Of course, all is not lost. As a network administrator, you may have other factors on your side, including support by law enforcement, governmental agencies, and trusted third parties such as CERT [a] and SANS [b]. You have to control what you can. Stay educated on threats and responses. Make sure procedures support good security, and that personnel are properly trained. Make plans to deal with attacks. Most importantly, you need to understand how and why network attacks work. It is our hope that this book will contribute to that goal.

Endnotes

1. Anderson R. Why information security is hard – an economic perspective. Proceedings of the 17th Annual Computer Security Applications Conference (ACSAC); 2001 Dec.
[a] See www.cert.org/
[b] See www.sans.org/