CHAPTER 2

FP611 INFORMATION SECURITY

SYSTEM

2.1 INTRODUCTION TO VULNERABILITIES, THREATS, AND

ATTACKS

When discussing network security, the three common terms

used are as follows:
VulnerabilityA weakness that is inherent in every
network and device. This includes routers, switches,
desktops, servers, and even security devices themselves.
ThreatsThe people eager, willing, and qualified to
take advantage of each security weakness, and they
continually search for new exploits and weaknesses.
AttacksThe threats use a variety of tools, scripts,
and programs to launch attacks against networks and
network devices. Typically, the network devices under
attack are the end points,such as servers and desktops.

2.1.1 VULNERABILITIES

Vulnerabilities in network security can be summed up as

the soft spots that are present in every network. The
vulnerabilities are present in the network and individual
devices that make up the network. Networks are typically
plagued by one or all of three primary vulnerabilities or
weaknesses:
Technology weaknesses

Configuration weaknesses

Security policy weaknesses

2.1.2 WEAKNESSES IN RELATION TO SECURITY

a. Technology - Computer and network technologies have

intrinsic security weaknesses. These include TCP/IP
protocol weaknesses, operating system weaknesses, and
network equipment weaknesses.
b.

Configuration - Network administrators or network

engineers need to learn what the configuration
weaknesses are and correctly configure their computing
and network devices to compensate

c. Security policy - Security policy weaknesses can create

unforeseen security threats. The network can pose
security risks to the network if users do not follow the
security policy.

2.1.3 DEFINE THE SECURITY

THREATS

A threat is an event that can take advantage of vulnerability

and cause a negative impact on the network. Potential
threats to the network need to be identified, and the related
vulnerabilities need to be addressed to minimize the risk of
the threat.

2.1.5 DIFFERENTIATE BETWEEN HACKERS AND

ATTACKERS.

HACKERS

ATTACKERS

A benign (good) hacker is a

generic term for a person who
likes getting into things. The
hacker is the person who likes to
get into his/her own computer
and understand how it works.

The malicious hacker is the

person who likes getting into
other people's systems. In any
event, the word used to denote
anybody trying to get into your
system in this paper is 'attacker'.
Script Kiddie is a term used to
describe a class of attacker who
does not have sophisticated
technical knowledge,
but rather simply has a collection
of tools created by advanced
hackers, and the basic
knowledge to use these tools to
perform an attack.

2.1.6 DESCRIBE VARIOUS

TYPES OF ATTACKS
a. Reconnaissance attack - The attacker will find out as much as
possible without actually giving himself away. He will do this by finding
public information or appearing as a normal user. In this stage, you
really can't detect an attacker. He will do a 'whois' look-up on your
registered domain names to find as much information as possible about
your network and people involved. The attacker might walk through
your DNS tables (using 'nslookup', 'dig', or other utilities to do domain
zone transfers) to find the names of your machines. The attacker will
browse other public information, such as your public web sites and
anonymous FTP sites. The attacker might search news articles and
press releases about your company. can consist of the following:
Packet sniffers
Port scans
Ping sweeps
Internet information queries

CONT

b.
Access
attacks
exploit
known
vulnerabilities
in
authentication services, FTP services, and web services to gain
entry to web accounts, confidential databases, and other
sensitive information. Access attacks can consist of the
following:

Password attacks
Trust exploitation

Port redirection

Man-in-the-middle attacks

Social engineering

Phishing

CONT

c. Denial of Service attack - Certainly the most publicized

form of attack, DoS attacks are also among the most difficult
to completely eliminate. Even within the hacker community,
DoS attacks are regarded as trivial and considered bad form
because they require so little effort to execute. Still, because
of their ease of implementation and potentially significant
damage, DoS attacks deserve special attention from security
administrators. If you are interested in learning more about
DoS attacks, Researching the methods employed by some of
the better-known attacks can be useful. DoS attacks take
many forms. Ultimately, they prevent authorized people from
using a service by using up system resources,

CONT

d. Distributed Denial of Service attacks - attacks are designed to

saturate network links with spurious data. This data can overwhelm an
Internet link, causing legitimate traffic to be dropped. DDoS uses
attack methods similar to standard DoS attacks but operates on a much
larger scale. Typically hundreds or thousands of attack points attempt
to overwhelm a target.
e. Malicious code attack - The primary vulnerabilities for end-user
workstations are worm, virus, and Trojan horse attacks. A worm
executes arbitrary code and installs copies of itself in the infected
computers memory, which infects other hosts. A virus is malicious
software that is attached to another program to execute a particular
unwanted function on a users workstation. A Trojan horse differs only
in that the entire application was written to look like something else,
when in fact it is an attack tool.

2.1.7 DIFFERENTIATE BETWEEN

WORMS, VIRUSES, AND TROJAN
HORSES

WORM

VIRUSES

TROJAN HORSES

An application that
executes arbitrary
code and installs
copies of itself in the
memory of the
infected computer,
which then infects
other hosts

Malicious software
that is attached to
another program to
execute a particular
unwanted function
on the user
workstation

An application
written to look like
something else that
in fact is an attack
tool

2.1.4 DESCRIBE DIFFERENT TYPES OF

THREATS

1. Unstructured threats - consist of mostly inexperienced

individuals using easily available hacking tools such as shell
scripts and password crackers. Even unstructured threats
that are only executed with the intent of testing and
challenging a hackers skills can still do serious damage to
a company. For example, if an external company website is
hacked, the integrity of the company is damaged. Even if
the external website is separate from the internal
information that sits behind a protective firewall, the public
does not know that. All the public knows is that the site is
not a safe environment to conduct business.

CONT

2. Structured threats - come from hackers who are more

highly motivated
and technically competent. These people know system
vulnerabilities and can understand and develop exploit code
and scripts. They understand, develop, and use
sophisticated hacking techniques to penetrate unsuspecting
businesses. These groups are often involved with the major
fraud and theft cases reported to law enforcement
agencies.

CONT

3. External threats - can arise from individuals or

organizations working outside of a company. They do not
have authorized access to the computer systems or
network. They work their way into a network mainly from
the Internet or dialup access servers.
4. Internal threats - occur when someone has authorized
access to the network
with either an account on a server or physical access to the
network. According to the FBI, internal access and misuse
account for 60 percent to 80 percent of reported incidents.

2.2 USE VARIOUS TOOLS IN

NETWORK SECURITY

2.2.1 The goals of security policy

Its security precautions.
People are far more accepting of
additional standards and guidelines
when they understand the benefits
these can provide.

2.2.2 DEVELOPING A
SECURITY POLICY

Developing a Security Policy

The first question most administrators ask is, Why do I
even need a formal security policy? A security policy
serves many functions. It is a central document that
describes in detail acceptable network activity and
penalties for misuse. A security policy also provides a forum
for identifying and clarifying security goals and objectives
to the organization as a whole. A good security policy
shows each employee how he or she is responsible for
helping to maintain a secure environment.

CONT

Security Policy Basics

Security policies tend to be issue driven. A focus on individual
issues is the easiest way to identifyand clarifyeach point you
wish to cover. While it may be acceptable in some environments to
simply state, Nonwork-related use of the Internet is bad, those
who must adhere to this policy need to know what nonworkrelated use and bad actually mean.
In order for a policy to be enforceable, it needs to be
Consistent with other corporate policies
Accepted by the network support staff as well as the appropriate
levels of management
Enforceable using existing network equipment and procedures
Compliant with local, state, and federal laws.

2.2.3 SECURITY POLICIES

CHARACTERISTICS
Be readily accessible to all members of the organization.
Define a clear set of security goals.
Accurately define each issue discussed in the policy.
Clearly show the organizations position on each issue.
Describe the justification of the policy regarding each issue.
Define under what circumstances the issue is applicable.
State the roles and responsibilities of organizational members with
regard to the described issue.
Spell out the consequences of noncompliance with the described
policy.
Provide contact information for further details or clarification
regarding the described issue.
Define the users expected level of privacy.
Include the organizations stance on issues not specifically defined.

2.2.3 HOW TO SECURE ASSET

Using the Tools:

1) Network Scanning Tools Network map,
Netstat, Superscan tool, hping tool
2) Security Analysis Tools knoppix tools
and MBSA (Microsoft Baseline Security
Analyzer)

GROUP ACTIVITY

Try to design your own company security policy.