Cisco CCNA 200-301 – The Security Threat Landscape Part 2

3. Common Attacks

You’ll learn about the common attacks that hackers use in their attempts to compromise your systems. You learned in the last lecture that if it is a targeted attack, then the hacker will typically start off with doing reconnaissance of your organization. So we’ll start there reconnaissance, obtains information about the intended victim, and in a targeted attack, as I said earlier, the attacker will typically start with completely unobtrusive methods that even normal people would be doing.

Does not look like an attack at all, such as searching who is information, phone directories, and job listings. So if you use the who is database, that is just a database of information about people who are responsible for websites. So let’s say that you’re going to attack me. Please don’t. Then you could look up the who is information for flatbox. com, and you would see that I am responsible for that.

You now have some information about your intended victims public web services. Other things you can do are look for corporate phone directories. If the company has got a publicly listed corporate phone directory, then you can go in there, you can find out the names of people that work for the organization, their phone numbers, maybe their job roles and things like this.

This is going to be very useful information if you want to do social engineering, which we’re going to come to in a second. Other things that you probably wouldn’t have thought about, as well as things like job listings. For example, if you advertise a job position and in there, you say that you want a voice and video engineer, and they need to have skills in the Cisco call manager.

Well, if an attacker sees that, they can now be pretty sure that what you’re using for your voice and video system is Cisco call manager. So if they’re going to be attacking that, they already know what kind of system you’re using, so they can look for vulnerabilities specific to that. So with all this, you need to be very careful and be aware of the information that you’re making publicly available. For example, that example I just gave you about job listings, that’s the kind of thing that most people would never think about at all. But by doing that, you’re actually giving out information which is valuable to attackers.

So after the attacker has done this very high level reconnaissance, which is not going to register with any security tools at all, they’ll then proceed to do further reconnaissance. We’ll dig deeper using tools such as the ping sweeps, the port and vulnerability scanners.

Okay, so I mentioned social engineering a second ago. Social engineering is the use of deception to manipulate individuals into divulging confidential or personal information, and it typically involves nothing more technical than the use of a telephone or email, and the attacker will often pretend to be somebody else to trick the victim. So an example of social engineering, let’s say that during the reconnaissance the attacker did find that your organization has got a public phone directory.

And then from that they find out the name of the It manager. And if you’re a large organization, they know not everybody is going to know the It manager personally. So maybe they phone up somebody inside the organization. Again, they know who this person is, they’ve got their phone number and Rajab Roll, they phone them up and they pretend to be the It manager. And then they try to trick this person into changing their password to a particular password or something like that, or maybe giving out information about the company, which again is going to be more valuable information for the attacker and they can escalate from there. A very popular, fairly recently and common type of social engineering is phishing. This is an attack where the attacker pretends to be from a reputable company to get individuals to reveal personal information such as passwords and credit card numbers. And the victim is often directed to enter their details into the attacker’s website, which looks like the reputable company’s legitimate website.

The attacker has now got their username and password. So if you’ve got an email address, I’m sure you do, then I’m sure you’re used to seeing these phishing attacks. She’ll used to seeing emails from Apple or somebody like that. She get an email supposedly from Apple, which says that there is an issue with your Apple account and it’s going to be locked out. Or maybe it says it’s from PayPal and it says your PayPal account is about to be locked out. An inverter will be a link. You click on the link, it takes you to a website that looks just like Apple, where PayPal’s website and it tries to trick you to put your username and password in there. So if for example, you put your PayPal details in there, the attacker has now got access to your PayPal account and they can take any money out of there. Next thing to talk about is data exfiltration. This is where data leaves an organization without or authorization. So this could be by a hacker who has compromised the system.

For example, if it was an attack by the hacker and they’ve got in there. This has happened several times in recent years where an attacker has managed to compromise the systems of a financial institution which have got a database of credit card details. So if the hacker is able to get this information, they can now steal the credit card details of all of our organizations customers. They can then use this to try to do fraud with those credit card details. Or another thing that they could do is they could blackmail that organization, telling them pay me a ransom or I’m going to let everybody know that I was able to steal all of your customers credit card details. It could also be by accident or maliciously by an internal staff member for example, a staff member sends an email which includes secret information.

They could do that just by accident because they don’t know any better, or they could do it maliciously. Another thing that could happen is a staff member could accidentally leave a USB stick on a bus which has got company sensitive information on there which is not encrypted. Next thing is Dos denial of service. This is an attack which prevents legitimate users from accessing an It resource. And it’s typically a brute force style of attack which floods the target system with more traffic than it can handle. So the target system gets more traffic than it can handle, can’t take any more, and then that just crashes the target system or at least stops it from accepting any more incoming connections. Dos attacks from a single source can be easily stopped by blocking traffic from that single source. So an example of a denial of service attack, well known one is the TCP Sin flood. Before I get to that on the next slide, let me explain the normal mechanism that it takes advantage of.

So the way that TCP works normally when everything is well is a user. So you can see a user here, they connect to a server. When they do that, their PC sends a Sin message to the server. The server will then send a Sin act back. So the Sin stands for synchronized. The server then sends a synchronized Acknowledgment back, and then the originating system then sends an acknowledgement. That then completes the TCP three way handshake. And a normal communication can occur after that. But with TCP traffic, it always starts with that three way handshake to set up the TCP connection.

A TCP Sin flood attack is a denial of service attack which uses this mechanism to attack the target server. So here you can see we’ve got the attacker, they send in the Sin to initiate the connection. The server then sends a synch back. What would normally happen at that point is the source system here would then send another acknowledgement to complete the three way handshake. But with a TCP syn flood attack, what the attacker does is they just don’t complete the connection by sending in that Acknowledgment. So it’s a half open connection.

You’ve got a Sin from the attacker and then the sync back from the server, and then they don’t send the act to complete it. And the attacker will not just open up one half open connection, they will open up so many half open connections that it exhausts the resources on the target system and then it’s not able to accept any new incoming connections. So by doing this, the attacker brings down that system to stop any other legitimate users from being able to open up a connection to that system. Okay, so as you saw earlier, if it’s a single attacker that’s doing that from a single IP address, it’s very easy to stop the attack. By just dropping all traffic coming in from that one source IP address. But there is a more damaging form of the attack, which is DDoS Distributed Denial of Service.

With a Distributed Denial of Service attack, it’s the same type of attack, but it comes from multiple sources, not just a single source IP address. To do this, the attacker builds and controls a botnet army of infected zombie hosts which they can control. And the botnet is built through malware such as worms and Trojan horses. So with that example about the Trojan horse I gave you before, let’s say that you’re a gaming fan. You go into a website, it promises to give you the passwords for all of the latest games. So you download that, you execute it, it then installs the attacker’s software onto your PC. Your PC has now become a zombie PC and it’s possible for the attacker to control your PC and launch Denial of Service attacks from there.

When the attacker gets a big enough botnet, a big enough army of zombie PCs, they can watch very damaging Distributed Denial of Service attacks from there. With the botnet, the infected hosts connect out to the attacker’s command and Control server. This circumvents firewall is because the connection is initiated from the inside. So if that PC is inside a firewall, then even if the attacker gets a software on there, if the attacker was going to initiate the connection to the zombie PC, it wouldn’t work because that would normally be blocked by the firewall. However, firewalls allow traffic from inside the network to go out of the network and then the return traffic to come back in. So what happens is you go and you download a Trojan horse, you inadvertently install the software on your PC. Your PC then connects out to the attacker’s command and control server. Your firewall allows that traffic because it’s going outbound and then the attacker can now send traffic back into you through the firewall. The firewall will allow it because it’s return of traffic and they can now control your PC and they can launch Denial of Service attacks from there. Distributed Denial of Service attacks are obviously more difficult to mitigate against because the attack comes from multiple sources which could normally be expected to send legitimate traffic.

So with a plain Dos attack, it’s coming from a single source, you can easily see that it’s attacking you and you can block traffic from that source. But if traffic is coming from a huge botnet of thousands of zombie PCs, it can be hard to protect against that. There are techniques you can use for which we’ll cover later on in this section. Next kind of attack that we have is Spoofing and Spoofing is where an attacker fakes their identity. Spoofing types include IP address spoofing, where the attacker spoofs their source IP address pretending to be somebody else mac address spoofing for example, ARP attacks which were covered earlier in the switch security section and application spoofing, for example, a rogue DHCP server. So the attacker can put in a rogue DHCP server in your organization. It’s not the legitimate DHCP server, but the attacker is pretending like it is.

Next, reflection and amplification attacks. A reflection attack is a denial of service attack where the attacker spoofs the victim’s source address. The attacker sends traffic supposedly from the victim, which elicits a response from reflectors. So for example, if the intended victim has the IP address 1010, the attacker sends traffic saying that it is 1010. So it says that that is its source address. It then sends that traffic in to some destination host which will send traffic back to the victim. And if it does enough of this, then all that return traffic going back to the victim can bring the victim down. Amplification causes a large amount of response traffic to the victim which causes that denial of service effect. In man in the middle attacks, the attacker inserts themselves into the communication path between legitimate hosts. So when the attacker is able to do this man in the middle attack, the traffic, the actual packets that are going between two legitimate hosts are passing through the attacker and it can then read and optionally modify the data in those packets.

ARP Spoofing is a well known man in the middle attack. We covered that back in this switch security section. Password attacks if an attacker has connectivity to a login window. So if they can get to that login window, then they can attempt to gain access to the system behind it. Enumeration techniques attempt to discover usernames so most modern software will guard against this. You’ve got old out of date software on there. Then it’s possible that the attacker can use a tool which will be able to find out the usernames that are legitimate on that system, and password cracking techniques attempt to learn user passwords. The different types of methods that are available to the attacker to crack passwords include just normal guessing. They can also use brute force and dictionary attacks. So with guessing, a study was done fairly recently and it found out that a huge amount of people use common passwords.

For example, password using an app instead of an A or the password of let me in and things like that. People use them thinking oh, this is a secure password, but actually they’re used all over the place. Those are the first ones that attackers will guess. If the system does not have an easily guessed password on there, then the attacker can use tools which can do brute force and dictionary attacks. With a dictionary attack, the tool goes through all the words in the dictionary to see if that is being used as a password. And with a brute force attack that is taking on a level which will take a bit longer for the attacker, rather than just using dictionary words, it will use combinations of words. It will also do things like using the at symbol instead of an A, et cetera, things like that. In an attempt to crack the password buffer overflow attacks, send malformed and or too much data to the target system.

So this is again where old out of date software is more likely to be vulnerable to this. If the software does not guard against malformed data coming in, then the attacker can do that. And then they can do that either as a denial of service attack where it crashes the target system, or worst case, sometimes it can actually compromise the system and give the attacker admin rights on that system. And finally, we have packet sniffers. If an attacker has compromised the target system or they’ve inserted themselves into the network path and they’re able to see packets going to or from that system, then packet sniffers such as wireshark can be used to read the sent and received packets.

And any unencrypted sensitive information that is in there can then be learned by the attacker. They can use this to damage the organization, for example, by blackmailing them with the sensitive information they have. Or if it includes security information, they can use that to escalate their attack and get access to more sensitive systems. Okay, so that was the main types of attacks that hackers will use against you. As we go through the rest of this section, we’ll talk about the solutions that are available to you to protect against them.

4. Firewalls and IDS/IPS

You’ll learn about firewalls IDs, intrusion detection systems and IPS intrusion prevention systems. So I’ll tell you about the characteristics of each, the differences between them, and how they best work together to provide security for an organization. So starting off with the IDs and the IPS, IDs Transfer Intrusion Detection System and IPS is an intrusion prevention system. The IDs, or IPS, uses signatures to inspect packets up to layer seven of the OSI stack, looking for traffic patterns which match knowing attacks. They can also use anomaly based inspection to look for unusual behavior, such as a host which is sending a lot more traffic than usual that would indicate that it has been infected by a worm. So your IDs and IPS actually are quite similar to the antivirus software that you’ll find on your PC and that they use signatures to look for knowing attacks.

They can also use heuristics to look for characteristics which would indicate an attack. So something out of the normal or something which looks similar to another known attack. The IDs and IPS require skilled staff to tune them to their own particular environment and minimize false positives and false negatives. A false positive is when the IPS triggers because it thinks there’s been an attack, when actually that was legitimate traffic, and a false negative is worse, that is when there is an attack, but the IPS does not recognize it and does not trigger. So your IDs and your IPS, they do need tuning because each separate environment has got its own separate traffic patterns. So something that might be legitimate in your organization would maybe indicate an attack in a different organization. So it does take some time to tune the IPS when you first install it to tune out, to filter out those false positives and false negatives. And as things can change in your network over time, it requires the IPS to be updated to reflect that the difference between an IDs and an IPS. So an IDs and Intrusion detection system sits alongside the traffic flow and informs security administrators of any potential concerns, anything that looks like an attack. An IPS and intrusion prevention system sits in line with the traffic flow and it can also block attacks as well as notify you about them.

An IDs may also have the capability to tell a firewall to block attacks if a firewall is in line with the traffic flow, but the IDs is not. Obviously you would need to have an IDs and a firewall which are compatible to be able to do that. The Cisco IDs. And firewall can do that. Okay, so here’s a diagram showing the difference between the IPS and the IDs. And you can see we’ve got the IPS on the top here. It is in line with the traffic flow. The traffic flow is going through it, so if it detects an attack, it can stop, it can block that traffic. An IDs on the other hand, is off to the side of the traffic flow. So here we’re going to be using mirroring to send a mirror copy of the traffic to the IDs. Because the traffic is actually going through a different path. We’re just sending a copy to the IDs.

The IDs itself cannot drop the traffic in line, but if there was a firewall gear and it was a compatible firewall, the IDs could send a message to the firewall telling the firewall to do it. The reason that we have the two different options here is that an IPS can sometimes be a bottleneck. If there’s not enough throughput on the IPS to handle the amount of traffic going through it, you don’t want it to slow down the network traffic. You could use an IDs instead in that situation. There are other things we can do to help with that, such as clustering as well. I’ll talk about clustering a little bit later on.

Okay, so that was the IDs and the IPS comparing them with firewalls. Now, IPS and IDs uses signatures to inspect packets up to layer seven of the OSI stack, looking for traffic patterns which match known attacks. So IPS uses signatures, firewalls block or permit traffic based on rules such as destination, IP address, and port number. So an IPS uses signatures, a firewall uses rules. Organizations will always deploy firewalls on their internet edge. There’s no way an organization would connect to the Internet without having a firewall there.

To protect themselves, they may also deploy firewalls at suitable security points inside their internal network. So for sure they’ll have a firewall between them and the Internet. They might also have a part of their network which has got sensitive servers there. Maybe we’d have another separate firewall there also as well. IPSes are typically seen as an option. So where firewalls are mandatory, you’re always going to have a firewall between you and the Internet. IPS are traditionally seen as optional rather than mandate. They may be deployed in conjunction with your firewalls. Now, the lines have blurred in recent years between IPS and Firewalls, so the things that they do are separate. But you can now get all in one devices. You get firewalls which have also got IPS capability built into them as well.

And that is becoming particularly prevalent since the emergence of next generation firewalls. So modern firewalls do also often have IPS capability as well as the firewall capability. They’re also often capable of acting as the endpoint of VPN tunnels as well. I’ll talk about VPN tunnels later in this section. So organizations have a choice. They can deploy an all in one solution with a firewall which also has IPS capability, or they might split out those functions to provide better scalability. Specialized devices to separate firewall. And IPS may also have more advanced features than would be available with an all in one solution. Another option for scalability and higher throughput is clustered devices. So you saw in the diagram earlier, I had that inline IPS you saw that it’s possible that it could become a bottleneck if it doesn’t support enough throughput for the amount of traffic going through it. Well, a solution that will often resolve that issue is by putting in multiple hardware devices there and sending the traffic through those multiple hardware devices. If the devices support clustering, then they act as a single solution for management and also for all of their features as well.

But because you’ve got multiple devices there, they now support higher throughput and it also gives you redundancy in case one of them fails as well. Okay, let’s wrap up this lecture with a look at an example network topology showing how firewalls and IPS can work together. So in the example network here, we’ve got a couple of departments on the inside, department A and department B. They’re connected into a layer three switch and then that’s connected to the inside interface on the firewall. The outside interface on the firewall is connected out to the Internet. We also have a DMZ here, that’s a demilitarized zone where we’re going to put our sensitive internal servers there. By having the servers in a DMZ rather than on the inside, that allows us to have a more suitable separate policies for our servers and for our normal internal hosts.

So you can see here, we’ve also got an IPS as well, which is protecting those internal servers. Now, some things to say here, if this firewall was an all in one solution, next generation firewall, which also had IPS capabilities such as the Cisco ASA with firepower, then we wouldn’t need to have a separate IPS here and that would also protect the inside hosts as well as the internal servers. Right now, if this firewall is just fulfilling the firewall duties, it doesn’t have any IPS features on there and we’ve got the IPS down here. Well, right now the IPS is just protecting our internal servers.

We don’t have an IPS protecting the internal hosts. Depending on your particular situation and environment, that might be acceptable. So you can see here just an example of one way that you could do it. You’re always going to have a firewall protecting yourself from the Internet. An IPS is typically seen as optional. The IPS can be a separate device or it can be built into the firewall. Okay, that’s everything that I needed to, to tell you here. In the next lecture, we’ll have a look at how firewalls work in some more detail and also compare them to packing.

• Category: Uncategorized