Network Security Essentials
In a Nutshell - CIW Course Section 1, Part C, Chapter 8
Overview
Defence and protection are the watchwords of network security. The International Organisation for Standardisation (ISO) published ISO 7498, which defines security as a means to reduce, to the greatest extent possible, the vulnerability of data and resources. It further refers to the protection of assets, defining assets as the data, applications and resources on any computing system.
Defining Assets
- Local Resources - protecting these is largely a matter of configuring workstations correctly and educating users in the correct operation of their systems and the hazards present on the Internet.
- Network Resources - TCP/IP has no inherent protection available, so alternative means are required to prevent unauthorised access to the network.
- Server Resources - Web, e-mail and FTP servers are vulnerable to attack because they must be visible to the outside world. A compromised server can, in turn, provide a hacker with a route into other servers.
- Database and Information Resources - As the likely storage point for company confidential information, these servers are more likely to be targeted, so security is very important.
Security Threats
Essentially there are two kinds of threat to your systems and network:
- Accidental Threats - These come from ordinary, innocent users who, through lack of training or lack of enforced policies, perform an action that damages systems or data, or exposes sensitive information to unauthorised persons.
- Intentional Threats - The Hacker: one who attempts to discover, penetrate and/or control system resources. The Casual Hacker is someone seeking information or simply seeking thrills. The Determined Hacker is seeking information, perhaps for industrial espionage or for an ideological reason.
Types of Attack
Hackers are constantly developing new techniques, tools and methods, but attacks can usually be categorised into the following types:
- Spoofing Attacks - these occur when an unauthorised host assumes the identity of a legitimate network device.
- Man-in-the-Middle Attacks - these attacks occur when a hacker intercepts packets being sent from one host to another.
- Denial of Service Attacks - these are the most common type of attack. When a host under attack is flooded with malicious requests and runs out of resources, it cannot perform its intended function.
- Insider Attacks - may be a disgruntled employee who has obtained passwords inappropriately.
- Brute Force Attacks - using software to try every possible password permutation in order to gain access.
- Trapdoor Attacks - exploiting weaknesses by finding diagnostic or guest logins that have not been disabled.
- Trojan Horse Attacks - a variation of the trapdoor attack: hiding an unauthorised command within a commonly used function. (One my log files reveal to be a frequently searched-for term.)
- Social Engineering Attacks - the hacker attempts to gain the trust of, or obtain knowledge about, an employee, in the hope that this will reveal an entry point.
- Viruses - A virus is a malicious program designed to damage network equipment, including stand-alone computers. Common varieties are:
  - Macros - small programs written in the macro code of word processor or spreadsheet applications.
  - Executables - viruses that attach themselves to executable programs and activate when that program is launched.
  - Boot Sector - these viruses copy themselves to the boot sector of the hard drive(s), so that they are loaded each time the system starts.
  - Stealth - a stealth virus attempts to block detection by redirecting hard drive read requests.
  - Polymorphic - changes the way it runs each time, appearing as a different process, which makes it very difficult to detect.
Security Auditing Process
The only way to determine a network's ability to withstand discovery, penetration and control is to conduct a thorough auditing process. Auditing should be an ongoing activity, and effective security involves both manual and automated analysis. There are three key steps to take when determining the level of security a network needs:
- Status Quo Analysis - the first step must always be to determine the current level of security at the site in question.
- Risk Analysis - determine the potential risks. For example: do the web servers use CGI scripts? Do the FTP servers have passwords? Have the servers' default directories been changed?
- Threat Analysis - are the most likely attacks going to come from inside or outside the organisation? What might the motivation be for such an attack?