Information And Network Security Essential
Transcript of Information And Network Security Essential, by Erwin Dusojan
Trend Micro - Girls In Tech –Training Week 1
10/21/2021
© 2020 Trend Micro Inc.2
Information Security Essentials
What is the CIA?
• The CIA triad of Information Security: Confidentiality, Integrity, Availability
Understanding the CIA
Confidentiality
• Ensures that the data or system is accessed only by an authorized person.
• Confidentiality revolves around the principle of least privilege.
Confidentiality – Countermeasures
• Encryption
• Strict Access Control
• Rigorous authentication procedures
• Data classification
Understanding the CIA
Integrity
• Refers to protecting information from being modified by unauthorized parties
• Maintaining the expected state of our data or system
Integrity – Countermeasures
• Hash Total Verification (hashing)
• Strict Access Control
• Intrusion Detection System
Non-repudiation
• The subject of an activity, or whoever caused an event, cannot deny that the event occurred.
• Prevents a subject from:
– claiming not to have sent a message
– claiming not to have performed an action
– claiming not to have been the cause of an event
Understanding the CIA
Availability
• A guarantee of reliable access to the information by authorized people
• These aspects must be functioning correctly:
– Computing systems used to store and process the information
– Security controls used to protect assets
Availability – Countermeasures
• Using Firewalls to prevent DDoS
• Redundancy/ High Availability
• Fault tolerance
• Maintaining backup
• Business continuity planning (BCP)
Current Version: 1.1
Network Security Essentials
Network Traffic Analysis
• Networking Essentials
• Packet Sniffer
• Reconnaissance
Networking Essentials
TCP communication
Overview of TCP communication
• Traditional TCP Control Flags / Bits
▪ SYN - Start a connection
▪ ACK - Acknowledgement of received data
▪ RST – Reset or abort the connection
▪ FIN - Close a connection
▪ URG - Packet contains important data
▪ PSH - Send immediately even if the buffer isn't full
TCP connection establishment
• Sequence and Acknowledgement number
▪ Sequence numbers allow receivers to discard duplicate packets and properly sequence reordered packets
▪ Acknowledgement number specifies the sequence number of the next byte the receiver expects to receive
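The following is an added example, not code from the slides: a receive-side model of how a TCP endpoint uses sequence numbers to drop retransmitted duplicates and reorder segments, and how the acknowledgement number it returns is always the next byte it still needs. Segments are constructed (seq, payload) pairs rather than parsed packets, and the 32-bit wraparound comparison is the usual signed-difference rule.

```python
MASK = 0xFFFFFFFF

def seq_before(a: int, b: int) -> bool:
    """True if sequence number a precedes b, allowing for 32-bit wraparound."""
    return ((a - b) & MASK) > 0x7FFFFFFF

class TcpReceiver:
    """Reassembles one direction of a stream and tracks the next expected byte."""

    def __init__(self, isn: int) -> None:
        self.next_expected = (isn + 1) & MASK   # the SYN itself consumes one sequence number
        self.out_of_order = {}                  # seq -> payload buffered behind a gap
        self.data = bytearray()
        self.duplicates = 0

    def receive(self, seq: int, payload: bytes) -> int:
        """Process one data segment and return the ACK number to send back:
        the sequence number of the next byte this receiver expects."""
        end = (seq + len(payload)) & MASK
        if end == self.next_expected or seq_before(end, self.next_expected):
            self.duplicates += 1                # entirely old bytes: a retransmission we already hold
            return self.next_expected
        if seq_before(seq, self.next_expected):
            payload = payload[(self.next_expected - seq) & MASK:]  # trim the part we already have
            seq = self.next_expected
        if seq == self.next_expected:
            self._deliver(payload)
            while self.next_expected in self.out_of_order:     # drain segments that are now contiguous
                self._deliver(self.out_of_order.pop(self.next_expected))
        else:
            self.out_of_order[seq] = payload    # gap ahead of us: hold it, keep ACKing the gap
        return self.next_expected

    def _deliver(self, payload: bytes) -> None:
        self.data += payload
        self.next_expected = (self.next_expected + len(payload)) & MASK

def reassemble(isn: int, segments):
    """Feed constructed segments in arrival order; return (data, final ACK, duplicates dropped)."""
    rx = TcpReceiver(isn)
    ack = rx.next_expected
    for seq, payload in segments:
        ack = rx.receive(seq, payload)
    return bytes(rx.data), ack, rx.duplicates

if __name__ == "__main__":
    # Constructed arrival order: in order, out of order, a retransmission, then the gap filler.
    segs = [(1001, b"HEL"), (1007, b"WORLD"), (1001, b"HEL"), (1004, b"LO ")]
    print(reassemble(1000, segs))   # (b'HELLO WORLD', 1012, 1)
```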
Non-Conventional use of TCP/IP Packets
• Reconnaissance
▪ a method of observing and collecting information about a potential target with the intention of finding a way to attack the target
• DoS / DDoS
▪ Attacker sends TCP/IP packets at large scale, usually with a fake source address, to consume the resources of its target and prevent legitimate traffic
▪ Types of DDoS Attacks:
• Bandwidth Attack
• Application Attack
Packet Sniffer
Packet Sniffer
• also called Network Packet Analyzer
• a computer program or piece of computer hardware that can intercept and log traffic that passes over a digital network or part of a network
• Popular Tool:
WIRESHARK: https://www.wireshark.org/
Packet Sniffer
• Wireshark Essentials:
▪ Display Filter
▪ Examples:
• Show only the http traffic: http
• Show only HTTP download: http.request.method==GET
Packet Sniffer
• Wireshark Essentials:
▪ Following TCP streams
Packet Sniffer
• Wireshark Essentials:
▪ Expert Info Entries
Packet Sniffer
• Wireshark Essentials:
▪ Filter Expression / Filter Buttons
Packet Sniffer
• Wireshark Essentials:
▪ Creating Filter Expression: Buttons
Packet Sniffer
• PCAP sample: Web browsing to www.yahoo.com
Lab Activity
Exercise 1: SMTP Packet Analysis
Exercise 2: HTTP Packet Analysis
Exercise 3: DNS Packet Analysis
Reconnaissance
Reconnaissance
• Probing targets with the intent of gathering information
▪ Information can be used during later attack phases
• Use of TCP Control bits/flags to determine status of TCP ports
• Type of Scans:
▪ Port Scan: Open ports and services
▪ Network Scan: IP address(Live host), Operating System, Services
▪ Vulnerability Scan: Presence of known weaknesses or security holes
Port Scanners
• Software applications designed to probe hosts for open ports, verifying security policies
• Attackers utilize those to identify services running on a host
▪ Provide information to exploit vulnerabilities
• Popular applications:
Angry IP Scanner: https://angryip.org/
NMAP: https://nmap.org/
KALI LINUX TOOLS: https://www.kali.org/
Reconnaissance: Port Scanning
• ACK Scan
– Tests whether a stateful firewall is present between the attacker and the target
– Not used to check the state of the port
– Server responds with an RST packet
» Port is unfiltered and a stateful firewall is absent
– No response, or an ICMP type 3 error response (code 1, 2, 3, 9, 10 or 13)
» Port is filtered and a stateful firewall is present.
– Stateful Inspection => maintaining a table of open connections, which allows the firewall to associate new connection requests with existing connections.
Diagram: ACK+PORT → RST: PORT IS UNFILTERED; ACK+PORT → ICMP Error (Type 3, Code 1, 2, 3, 9, 10 or 13) or NO RESPONSE: PORT IS FILTERED
Reconnaissance: Port Scanning
• SYN Scan (a.k.a. TCP Stealth Scan)
– Response with SYN+ACK
» Port is open
– Response with RST packet
» Port is closed
– ICMP port unreachable or no reply
» likely blocked by a firewall
– Final ACK is not sent by the attacker
» Avoids opening a full TCP connection
Diagram: SYN+PORT → SYN+ACK, then attacker sends RST: PORT IS OPEN; SYN+PORT → RST: PORT IS CLOSED
Reconnaissance: Port Scanning
• FIN Scan
– Response with RST packet
» Port is closed
– No Response
» Port is open
Diagram: FIN+PORT → (NO RESPONSE): PORT IS OPEN; FIN+PORT → RST: PORT IS CLOSED
Reconnaissance: Port Scanning
• XMAS scan
▪ Difficulties using XMAS scan:
• Multiple flags are combined, easy to identify
• Can either be dropped or ignored by modern systems
Diagram: PSH,FIN,URG + PORT → (NO RESPONSE): PORT IS OPEN; PSH,FIN,URG + PORT → RST: PORT IS CLOSED
Reconnaissance: Port Scanning
• UDP Scan
▪ UDP = connectionless protocol, reacts differently compared to TCP
▪ Technical challenges using UDP Scan:
• If a port is blocked by a firewall, this method will falsely report that the port is open.
• If the port unreachable message is blocked, all ports will appear open.
Diagram: UDP+PORT → ICMP Port Unreachable: PORT IS CLOSED; UDP+PORT → (NO RESPONSE): PORT IS OPEN
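As an added example (not part of the slides), the flag patterns of the scan types above, seen from the defender's side, become detection logic: a bare SYN with no later ACK from the same source to the same port (half-open SYN scan), a bare FIN, the PSH+FIN+URG combination (XMAS), and a bare ACK to a port where no SYN was ever seen (ACK scan). The record layout, the threshold and the sample traffic are assumptions constructed for the example.

```python
from collections import defaultdict

# Each signature inspects the set of flag letters on one outbound segment.
SCAN_SIGNATURES = {
    "syn_scan":  lambda f: f == {"S"},                          # SYN with no ACK: half-open probe
    "fin_scan":  lambda f: f == {"F"},                          # bare FIN outside any connection
    "xmas_scan": lambda f: {"F", "P", "U"} <= f and not {"S", "A"} & f,
    "ack_scan":  lambda f: f == {"A"},                          # bare ACK used to map a firewall
}

def detect_scans(records, threshold=5):
    """records: iterable of (src, dst, dport, flags) with flags as TCP flag letters,
    e.g. "S", "SA", "PA", "FPU". Returns {(src, dst): {scan_type: distinct_ports}}
    for source/destination pairs whose probes of one type reach `threshold` ports.
    A SYN only counts if the source never completed a handshake on that port, and a
    bare ACK only counts if no SYN was ever seen for that port."""
    per_port = defaultdict(set)                 # (src, dst, port) -> frozensets of flags seen
    for src, dst, port, flags in records:
        per_port[(src, dst, port)].add(frozenset(flags))
    hits = defaultdict(lambda: defaultdict(set))
    for (src, dst, port), seen in per_port.items():
        completed = any("A" in f and "S" not in f for f in seen)   # ACK after the SYN
        saw_syn = any("S" in f for f in seen)
        for f in seen:
            for name, match in SCAN_SIGNATURES.items():
                if not match(set(f)):
                    continue
                if name == "syn_scan" and completed:
                    continue                    # real connection, not a half-open probe
                if name == "ack_scan" and saw_syn:
                    continue                    # ACK belongs to a handshake we observed
                hits[(src, dst)][name].add(port)
    return {pair: {n: len(p) for n, p in kinds.items() if len(p) >= threshold}
            for pair, kinds in hits.items()
            if any(len(p) >= threshold for p in kinds.values())}

# Constructed sample: one scanner (10.0.0.5) and one legitimate client (10.0.0.7).
SAMPLE = (
    [("10.0.0.5", "10.0.0.9", p, "S") for p in (21, 22, 23, 25, 80, 443)]        # SYN scan, 6 ports
    + [("10.0.0.5", "10.0.0.9", p, "FPU") for p in (135, 139, 445, 3389, 8080)]  # XMAS scan, 5 ports
    + [("10.0.0.7", "10.0.0.9", 443, f) for f in ("S", "A", "PA", "FA")]         # normal HTTPS session
    + [("10.0.0.7", "10.0.0.9", 80, "S"), ("10.0.0.7", "10.0.0.9", 80, "A")]     # normal HTTP session
)

if __name__ == "__main__":
    print(detect_scans(SAMPLE))   # {('10.0.0.5', '10.0.0.9'): {'syn_scan': 6, 'xmas_scan': 5}}
```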
Reconnaissance: Network Scan
• Host Discovery
▪ Process of reducing a set of IP ranges into a list of active or interesting hosts
▪ ICMP echo request/reply
• intended to determine whether a host is alive or not
▪ ICMP error response
• Means either the host is not alive or ICMP Echo traffic is filtered / blocked
• Alternative to ICMP echo
▪ The traceroute command discovers the route between the sender and the targeted host by sending packets with varying TTLs
Lab Activity
Exercise 4: vApp Preparation
Exercise 5: Host Discovery
Reconnaissance: OS Fingerprinting
• OS Fingerprinting
▪ A process to determine the operating system used by a host on a network
▪ Fingerprinting techniques are based on differences in the packets generated by different operating systems
• E.g. IP TTL values, IP ID values, TCP window size, TCP options etc.
Lab Activity
Exercise 6: OS Fingerprinting
• Nmap -O
• Nmap NSE scripting
Reconnaissance: Netcat
• Simple UNIX utility
• Reads and writes data across network connections
▪ using TCP or UDP protocol
• Functions as both server and agent
▪ can listen for inbound connections on arbitrary ports
▪ “nc host port” creates a TCP connection to the given port on the given target host
Lab Activity
Exercise 7: Port Scan
• Netcat Connect Scan
• SYN Scan
• UDP Scan
Reconnaissance: Banner Grabbing
• Banner
▪ Response received when accessing services
▪ Contains information about the specific application / service
• Banner Grabbing
▪ Technique used to gather information about a computer and its running services
Lab Activity
Exercise 8: Banner Grabbing
• Netcat
• Nmap
Reconnaissance: Vulnerability Scanning
• A vulnerability is a security hole or security weakness
▪ often exploited with malicious intent by hackers and malware
• Vulnerability scanners
▪ Special type of automated utility designed to identify known holes or weaknesses in operating systems and applications
▪ Used legitimately; however, attackers may also employ similar tools to identify weaknesses in the target environment
Vulnerability Scanners
• Vulnerability scanners are designed to assess computers, computer systems, networks or applications for known weaknesses.
▪ Popular applications:
Nexpose: https://www.rapid7.com/ja/
Nessus: https://tenable.com/
OpenVAS: https://www.openvas.org/
metasploit: https://www.metasploit.com/
Lab Activity
Exercise 9: SNMP Enumeration
• Enable SNMP and set community string
• SNMP Enumeration Metasploit
Thank You!
Threats detected and blocked globally by Trend Micro in 2018. Created with real data by artist Daniel Beauchamp.