Chapter 3: Network Security - Panko

brokenroom, Networks and Communications

21 Nov 2013


3

NETWORK SECURITY

LEARNING OBJECTIVES

By the end of this chapter, you should be able to:

• Describe the threat environment, including types of attacks and types of attackers.

• Explain in detail the protection of dialogues by cryptography, including symmetric key encryption for confidentiality and electronic signatures.

• Evaluate alternative authentication mechanisms, including passwords, smart cards, biometrics, digital certificate authentication, and two-factor authentication.

• Describe firewall protection, including stateful inspection and deep inspection.

• Compare firewalls with intrusion detection systems (IDSs).

STEUBEN ARC

Steuben ARC is a nonprofit organization in Bath, New York. It provides care for developmentally disabled adults. In September 2009, cyberthieves stole nearly $200,000 from the company.[1]

The attack began when a cybercriminal sent a fake invoice in an e-mail message to one of the company’s accountants. The message had an attachment, dhlinvoice.zip. When the accountant opened the attachment, it installed a very sophisticated keystroke logger on the accountant’s computer. This program captured the accountant’s username and password on the company’s accounting server and sent it to the attacker.




[1] Brian Krebs, “Cyber Gangs Hit Healthcare Providers,” Washington Post, September 28, 2009. voices.washingtonpost.com/securityfix/2009/09/online_bank_robbers_target_hea.html?wprss=securityfix. Mary Pernham, “Alleged cyber-theft: Hackers take $50K from Arc,” The Corning Leader, October 1, 2009. www.the-leader.com/news/x1699607673/Alleged-cyber-theft-Hackers-take-50K-from-Arc.

Armed with this information, the thieves went online and transferred money out of the company’s bank accounts in two batches. Instead of sending it directly to themselves, the thieves had the banks send the money to 20 money mules around the country. The mules forwarded most of the money to offshore accounts controlled by the attackers, receiving a fee for each transaction. Using money mules allowed the attackers to avoid shipping the money directly to offshore accounts, which could have raised the bank’s suspicions. It also made identifying the actual attackers more difficult.

The bank finally did become suspicious. It blocked some of the transfers to money mules and by the money mules to offshore banks. However, it only recovered some of the money. Overall, it was a successful attack.

Test Your Understanding

1. a) How did the attacker get the credentials for the company’s bank account? b) Why were money mules used? c) List indications that this was a sophisticated attack. d) How might the company have been able to avoid this compromise? e) What motivated the attacker? f) What would you say to executives in small companies who believe that they are too little to be attacked?

INTRODUCTION

Most book chapters begin with a motivating section for the material they will cover. There is no need for motivation in a chapter about security. Security pervades every discussion of IT today. Networks give us access to almost anything, anytime, anywhere. They give the same access to criminals, national governments, terrorists, and just plain jerks. Wherever there has been opportunity, there has been crime and vandalism. Networks are no exception. Security is the snake in the network garden.

One major factor makes security thinking different from normal network thinking. Normal network thinking is concerned about such things as adequate planning, software bugs, and mechanical breakdowns. In contrast, security is concerned with intelligent adversaries who will try many different things to succeed and who will adapt to the defenses you put in place.

Sun Tzu, in The Art of War, warned that you must know your enemy. This is also true in cybersecurity. Companies today must understand the threat environment they face: the adversaries who are attacking them and the attack methods that adversaries are using. In the next two sections, we will look at the threat environment today. This threat environment is constantly changing. New threats are appearing constantly, and adversaries are becoming more skilled. Keeping up with the threat environment is a never-ending task for everyone in IT.

After looking at these threats, we will survey the defensive tools available to companies to defend themselves in their specific threat environments. We will begin with cryptography, which is the use of mathematics to provide security. Cryptography is important by itself, but we begin with “crypto” because nearly every protection relies on cryptography to some extent, if only to protect communication between security devices. Cryptography introduces us to authentication. The following section looks at the broad spectrum of authentication tools available to defenders. The chapter closes with firewalls, intrusion detection systems, and extrusion detection systems.

A fundamental theme is access control. If attackers cannot get to your resources, they cannot read them or damage them.

Giving you even a broad view of security is too much for one chapter. The next chapter looks at how to manage security as part of overall network management. As security expert Bruce Schneier has said in many of his writings, “Security is a process, not a product.”

Test Your Understanding

2. a) What is access control? b) Why is it important?

TYPES OF ATTACKS

As just noted, we will begin by looking at the threat environment that corporations face. In this section, we will look at types of attacks. Later, we will look at types of attackers.

Figure 3-1: Malware and Vulnerabilities (3-2 in N9)

Malware Attacks

Malware is a generic name for evil software. It includes viruses, worms, Trojan horses, and other dangerous attack software. Malware attacks are the most frequent attacks that companies face. Nearly every firm has one or more significant malware compromises each year.

Malware is any evil software.

Test Your Understanding

3. a) What is malware? b) What are the most frequent attacks on companies?

VULNERABILITIES AND PATCHES

Many types of malware (and other types of attacks) can only succeed if a program under attack has a security vulnerability. A vulnerability is a flaw in a program that permits a specific attack or set of attacks to succeed against the program. Attacks that can only succeed if a particular vulnerability is present are called vulnerability-specific attacks.

A vulnerability is a flaw in a program that permits a specific attack or set of attacks against this program to succeed.

When a software vendor discovers a vulnerability, the company issues a patch, which is a small program designed to fix the security vulnerability. After patch installation, the program is safe from attacks based on that particular vulnerability. Too often, users fail to install patches, and their programs continue to be vulnerable. Even if they do install patches, furthermore, they may delay, giving the attacker a long window of opportunity.

Of course, if attacks begin before the program vendor creates a patch (or even learns about the attack), then all attacks against vulnerable computers will succeed. A vulnerability-specific attack that occurs before a patch is available is called a zero-day attack. In such cases, there would be no signature yet to check for. On the security black market, well-funded adversaries can often purchase information that allows them to create zero-day attacks.

A vulnerability-specific attack that occurs before a patch is available is called a zero-day attack.

Not all malware is vulnerability-specific. Universal malware works whether or not the computer has a security vulnerability. In general, universal malware programs require the human victim to do something risky, such as downloading “free” software, pornography, or an electronic greeting card, or, as in the case of Steuben ARC at the beginning of this chapter, opening an e-mail attachment.

Test Your Understanding

4. a) What is a vulnerability? b) How can users eliminate vulnerabilities in their programs? c) What name do we give to attacks that occur before a patch is available? d) Does all malware require a vulnerability to succeed?

Antivirus Programs

To thwart malware, users should have antivirus (AV) programs, which, despite the name, attempt to detect, disable, and delete a broad range of malware, not just viruses. The name antivirus program dates back to simpler times when these programs only had to cope with viruses.

Figure 3-2: Antivirus Programs

SIGNATURE DETECTION

Traditionally, AV programs have looked for specific snippets of code that are the characteristic signature of a particular piece of malware. This is signature detection. Although antivirus programs continue to do signature detection, it obviously will not work against zero-day attacks. In addition, malware writers today often create mutating code that changes its characteristics frequently to thwart signature detection.

Furthermore, the number of malware programs in circulation is enormous. To test a program for every known signature would require so much time that users would not continue to use an AV program that tried to do that. Consequently, antivirus program vendors use a limited but still potent signatures list of malware they will look for. Vendors change this list constantly as threats evolve. Typically, antivirus programs catch 70 percent to 90 percent of malware programs.

ANOMALY DETECTION

Consequently, antivirus programs today also do anomaly detection, in which they look for characteristics of a program’s behavior to identify that the program has been infected. This protects against malware for which there is no current signature. However, anomaly detection may mislabel a legitimate program as malware. Consequently, most antivirus programs will ask for permission before removing a program or disinfecting a program.
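The two strategies just described, and the trade-off between them, can be seen in a few lines of code. The following is an added example, not code from the chapter or from any antivirus product: the signatures, the file contents, the behaviour traces and the anomaly threshold are all constructed for the example. It shows a signature hit on a known sample, the same sample evading the signature after one byte of its code is mutated but still being caught by its behaviour, and a legitimate program whose behaviour trips the anomaly check (the false positive that makes AV programs ask before removing anything).

```python
# Added example (not from Panko's text): a toy illustration of signature
# detection and anomaly detection side by side. All samples, signatures,
# behaviour traces and thresholds below are constructed for the example.
from dataclasses import dataclass, field

# A "signature" is a characteristic byte snippet of one known malware sample.
# Real signature lists are far larger; this one is deliberately short.
SIGNATURES = {
    "Demo.Dropper.A": b"\x90\x90\xe8\x00\x00\x00\x00\x5b",  # constructed
    "Demo.Stealer.B": b"GET /collect.php?k=",               # constructed
}

# Behaviours that together are characteristic of an infection. The threshold
# is an assumption of this example, not a value from the text.
SUSPICIOUS_EVENTS = {"write_autorun", "hook_keyboard", "send_to_unknown_host", "modify_other_exe"}
ANOMALY_THRESHOLD = 2


@dataclass
class Sample:
    name: str
    content: bytes                                   # the file's bytes
    behaviour: list = field(default_factory=list)    # events observed, e.g. in a sandbox run


def signature_scan(sample):
    """Return the name of the first matching signature, or None.
    Zero-day or mutated code evades this check by definition."""
    for malware_name, pattern in SIGNATURES.items():
        if pattern in sample.content:
            return malware_name
    return None


def anomaly_score(sample):
    """Count how many suspicious behaviours the sample showed."""
    return len(SUSPICIOUS_EVENTS.intersection(sample.behaviour))


def classify(sample):
    """Combine the two strategies as the text describes: a signature hit is a
    confident verdict, an anomaly hit is only a suspicion to confirm with the user."""
    hit = signature_scan(sample)
    if hit:
        return ("malware", hit)
    if anomaly_score(sample) >= ANOMALY_THRESHOLD:
        return ("suspicious", "anomalous behaviour: ask user before removing")
    return ("clean", None)


def demo():
    """Classify four constructed samples and return the verdict per file name."""
    known = Sample("invoice.exe", b"MZ...\x90\x90\xe8\x00\x00\x00\x00\x5b...",
                   ["hook_keyboard", "send_to_unknown_host"])
    # Same behaviour, but one byte of the code snippet has changed (mutating
    # code), so the signature no longer matches.
    mutated = Sample("invoice2.exe", b"MZ...\x90\x90\xe8\x01\x00\x00\x00\x5b...",
                     ["hook_keyboard", "send_to_unknown_host"])
    # A legitimate backup tool that rewrites other executables and uploads
    # to a server the AV program has never seen: a likely false positive.
    backup = Sample("backup.exe", b"MZ...legit...", ["modify_other_exe", "send_to_unknown_host"])
    plain = Sample("notepad.exe", b"MZ...legit...", ["open_file"])
    return {s.name: classify(s) for s in (known, mutated, backup, plain)}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:14} {verdict}")
```

Running it shows why vendors keep both mechanisms: the signature list gives no false positives but misses the mutated file, while the behaviour check catches the mutated file and also flags the innocent backup tool, which is exactly the case where the program should ask before acting.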

WHERE TO DO ANTIVIRUS FILTERING

Traditionally, AV filtering has been performed on user PCs and on individual servers. This limits the size of the AV program, its signatures database, and its ability to do advanced anomaly detection. Consequently, many firms now do antivirus filtering at their mail servers, before delivering mail to users. These servers have the power, memory, and storage to do analysis that is more sophisticated. For example, a mail server AV program can execute a suspicious program in a sandbox that does not allow it to do harm outside the sandbox. This allows the AV program to study the program’s behavior. Many firms do antivirus filtering on both the mail server and user PCs.

PERSPECTIVE

Overall, antivirus programs do a good job of detecting, disabling, and deleting malware, but users must not expect them to be perfect. Users should avoid visiting disreputable websites, opening attachments they are not highly confident about, and generally practicing safe computing. However, even if they do, they are never 100 percent safe. An antivirus program is a tool, not a cure for the cancer of malware.

Test Your Understanding

5. a) What type of malware does an antivirus program act against? b) In AV software, what is signature detection? c) Why is it not enough? d) What is a zero-day attack? e) Why is it dangerous? f) Why is an antivirus program’s particular signatures list important? g) What type of AV filtering can potentially stop zero-day attacks? h) For what reasons are antivirus programs unable to stop all malware?

Viruses and Worms

Figure 3-3: Viruses and Worms

VIRUSES

Pieces of executable code that attach themselves to other programs are called viruses. Within a computer, whenever an infected program executes, the virus spreads by attaching itself to other programs on that computer.

Viruses are pieces of executable code that attach themselves to other programs on that computer.

WORMS

A similar type of malware is a worm. While a virus must be attached to another program (like a cold virus), worms are stand-alone programs like, well, worms. On an infected computer, a worm will multiply itself and hide itself in multiple folders to attempt to thwart deworming attempts by antivirus programs.

Worms are stand-alone programs.

PROPAGATION VECTORS

A virus or worm spreads between computers when an infected program or a worm is transferred to another computer via a USB RAM stick, an e-mail attachment, a webpage download, a peer-to-peer file-sharing transfer, a social networking site, or some other propagation vector (method for malware to move to a victim computer). Once on another machine, the infected program or worm spreads the infection to other programs on that machine.

More than 90 percent of viruses and worms today spread via e-mail attachments. Viruses and worms find addresses in the infected computer’s e-mail directories. They then send messages with infected attachments to all of these addresses. If a receiver opens the attachment, the infected program or worm executes, and the receiver’s programs become infected.

Another popular propagation vector is visiting a website and having the website download a virus, worm, or other type of malware to your computer. (This is called a drive-by download.) Obviously, the danger is greatest if you visit a risky website, such as a site for “free” software or pornography. However, even if you visit a known legitimate website daily, you may become infected if an attacker has planted malware on its webpages. (In 2009, this happened to subscribers who went to the New York Times website.) Many infected websites are legitimate websites that have been compromised.

Social networking sites are already popular with malware attackers. By their nature, social networking sites are designed for sharing, and if a malware writer can inject malware into the sharing process, spread can be very rapid. USB RAM sticks and peer-to-peer file transfers are two examples of these other propagation vectors.

DIRECTLY PROPAGATING WORMS

In general, viruses and worms propagate between hosts in similar ways. However, some worms (but not all) have an additional and very dangerous propagation vector. A directly propagating worm tries to jump from the infected computer to many other computers. Target computers that have a specific vulnerability will accept the directly propagating worm. They then become sites from which the worm can jump further.

A directly propagating worm tries to jump from the infected computer to many other computers.

Freed from the need for human intervention, directly propagating worms can spread with incredible speed. In 2003, the Blaster worm infested 90 percent of all vulnerable hosts on the entire Internet within 10 minutes. Fortunately, only a few hosts on the Internet were vulnerable. The nightmare scenario for security professionals is the prospect of a fast-spreading worm that exploits a vulnerability in a large percentage of all computers on the Internet.

Test Your Understanding

6. a) How do viruses and worms differ? b) What is a propagation vector? c) What are common propagation vectors for normally propagating viruses and worms? d) What other propagation vector do some worms use? Why is it especially dangerous?

Stopping Viruses and Worms

There is no single way to stop all viruses and worms. Companies must use a toolbox of methods for stopping them. In addition, the tools that may be able to stop normally propagating viruses may not be the same tools that thwart directly propagating worms. Figure 3-4 summarizes the differences between how to thwart normally propagating viruses and worms and directly propagating worms.

Figure 3-4: Thwarting Normally Propagating Viruses and Worms and Directly Propagating Worms (3-3 in N9)

Propagation Vector                                                   | Antivirus Program   | Firewall            | Patching Vulnerabilities
Normally propagating virus or worm (e-mail, visiting website, etc.) | May be able to stop | Will not stop       | May be able to stop
Directly propagating worm                                            | Will not stop       | May be able to stop | May be able to stop

STOPPING NORMALLY PROPAGATING VIRUSES AND WORMS

For example, consider three fundamental tools and how effective or ineffective they are against normally propagating viruses and worms.

Antivirus Programs. As we saw earlier, a company must protect its computers with antivirus programs that scan each arriving e-mail message or file for patterns that identify malware. This is the primary protection for normally propagating viruses and worms.

Patching. For many normally propagating viruses and worms, it is also useful to patch security vulnerabilities. However, as noted earlier, some normally propagating malware does not depend on a vulnerability to spread.

Firewalls. Firewalls examine each packet passing through a certain part of a network. Unfortunately, firewalls do not stop normally propagating worms and viruses because few firewalls do antivirus scanning. They leave that to AV programs.

Antivirus programs also scan for other types of malware.

STOPPING DIRECTLY PROPAGATING WORMS

The fact that directly propagating worms are full programs and may even be able to jump between programs means that different approaches to stopping them are needed than those used to stop viruses.

Patching. Almost all directly propagating worms require a vulnerability in the target machine to succeed. Patching deprives them of that vulnerability and stops their ability to attack.

Firewalls. To jump to another program, a directly propagating worm typically must pass through a firewall if the computer has one. Firewall filtering will be able to stop it if the firewall has an appropriate rule set.

Antivirus Programs. However, antivirus programs do nothing to stop directly propagating worms because the worm’s jump takes them past AV programs.

Antivirus programs do nothing to stop directly propagating worms. However, firewalls and patching vulnerabilities may be able to stop them.

Note that directly propagating worms cannot be stopped using techniques used to stop traditionally propagating worms.
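The firewall column of Figure 3-4 is easier to see with a small rule evaluator in hand. The following is an added example, not code from the chapter or from any firewall product: the rule set, the internal addresses and the port numbers are constructed, and port 445 is simply assumed here to be the vulnerable service a directly propagating worm would connect to. It shows why a packet filter with a sound default-deny rule set blocks the worm's jump to an internal workstation, yet passes a mailed virus, because an SMTP delivery to the mail server is exactly what the rules must allow and the filter never looks inside the message.

```python
# Added example (not from Panko's text): a toy first-match packet filter that
# reproduces the firewall row of Figure 3-4. Rules, hosts and ports are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    dst_port: int
    direction: str      # "inbound" from the Internet, or "outbound"


# Rule: (direction, destination IP or "*", destination port or "*", action).
# First matching rule wins; the last rule is the default deny a sound rule set ends with.
RULES = [
    ("inbound", "10.0.0.25", 25, "allow"),   # the firm's mail server accepts SMTP
    ("inbound", "10.0.0.80", 80, "allow"),   # the firm's public webserver
    ("outbound", "*", "*", "allow"),         # internal hosts may open connections out
    ("*", "*", "*", "deny"),                 # default deny: everything not listed above
]


def decide(packet, rules=RULES):
    """Return the action of the first rule matching the packet ('deny' if none match)."""
    for direction, dst_ip, dst_port, action in rules:
        if (direction in (packet.direction, "*")
                and dst_ip in (packet.dst_ip, "*")
                and dst_port in (packet.dst_port, "*")):
            return action
    return "deny"


def demo():
    """Evaluate the two propagation cases of Figure 3-4 against the rule set."""
    # A directly propagating worm jumps by opening a connection straight to a
    # vulnerable service (port 445 assumed) on an internal workstation.
    worm_jump = Packet("203.0.113.9", "10.0.0.101", 445, "inbound")
    # A mailed virus arrives as an ordinary SMTP delivery. The filter sees only
    # addresses and ports, so it must allow it; only AV scanning can examine the content.
    mailed_virus = Packet("203.0.113.9", "10.0.0.25", 25, "inbound")
    return {"worm_jump": decide(worm_jump), "mailed_virus": decide(mailed_virus)}


if __name__ == "__main__":
    print(demo())   # worm_jump is denied, mailed_virus is allowed
```

Note that the worm is stopped only because no rule admits inbound traffic to the workstation; an overly permissive rule set (for example an inbound allow to "*") would let the jump through, which is what the text means by "if the firewall has an appropriate rule set".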

Test Your Understanding

7. Consider patching, firewalls, and antivirus programs. a) Which will stop normally propagating viruses? b) Which will stop normally propagating worms? c) Which will stop directly propagating worms?

OTHER TYPES OF MALWARE

Viruses and worms are arguably the most common types of malware, but they are certainly not the only types of rogue programs.

Figure 3-5: Other Types of Malware

MOBILE CODE ON WEBPAGES

An HTML webpage can contain a script, which is a group of commands written in a simplified programming language. Scripts execute when the webpage loads. Scripts can enhance the user’s experience, and many webpages will not work unless script execution is enabled, which is usually done by default.

Scripts are called mobile code because they travel with the downloaded webpage from the webserver to the browser. Mobile code is widely used, and it normally is safe and beneficial. However, if the user’s browser has a vulnerability, a script may be able to do harm. A script may do damage itself or may download a more complex program to do damage.

TROJAN HORSES

In The Iliad, the Trojan horse was supposed to be a gift offering. It was really a trap. In malware, Trojan horses have two characteristics.

• First, a Trojan horse disguises itself as a legitimate system file. This makes it difficult to detect.

• Second, in contrast to viruses, worms, and mobile code, a Trojan horse cannot propagate to another computer on its own initiative. It must be placed there by another piece of malware or by a human hacker.

A Trojan horse cannot spread from one computer to another by itself.

An especially problematic category of Trojan horses is spyware, a name given to Trojan horses that surreptitiously (without your knowledge) collect information about you and send this information to the attacker.

• Keystroke loggers record user keystrokes. Within these keystrokes, they look for passwords, social security numbers, and other information that can help the person who receives the keystroke logger’s data.

• Data mining spyware, in contrast, searches through files on your hard drive for potentially useful information and sends this information to the attacker.

Data mining software is much more sophisticated.

SPAM

Perhaps the most annoying type of malware on a day-in, day-out basis is spam,[2] which is unsolicited commercial e-mail. Spammers send the same solicitation e-mail message to millions of e-mail addresses in the hope that a small percentage of all recipients will respond.

Spam is unsolicited commercial e-mail.

DOWNLOADERS

Some malware exists to download other malware onto the victim’s computer. These downloaders can be small, making insertion relatively simple. When it gains a foothold, however, it can download a very large program stealthily

[2] Except at the beginnings of sentences, e-mail spam is spelled in lowercase. This distinguishes unsolicited commercial e-mail from the Hormel Corporation’s meat product, Spam, which should always be capitalized. In addition, Spam is not an acronym for “spongy pink animal matter.”

Test Your Understanding

8. a) What is a script? b) Are scripts normally bad? c) Under what circumstances are scripts likely to be dangerous? d) Why are scripts on webpages called mobile code?

9. a) What are Trojan horses? b) How do Trojan horses propagate to computers? c) What is spyware? d) What is a keystroke logger? e) What does data mining spyware do?

10. What is the definition of spam?

11. a) What do downloaders do? b) Why are they used?

Payloads

In war, when a bomber aircraft reaches its target, it releases its payload of bombs. Similarly, after they spread, viruses, worms, and other types of malware may execute pieces of code called payloads. Malicious payloads can completely erase hard disks and do other significant damage. In some cases, they can take the victim to a pornography site whenever the victim mistypes a URL. In other cases, they can turn the user’s computer into a spam generator or a pornography download site. Not all malware has malicious payloads or payloads at all, but even malware without a payload can cause the victim’s computer to crash or run slowly.

Figure 3-6: Payloads

Test Your Understanding

12. a) What are payloads? b) Give two examples of the damage they can do.

Attacks on Human Judgment

In many cases, malware will only succeed if the victim uses poor judgment, say by allowing a program to install itself on the user’s PC or smartphone. In some cases, the victim knows that he or she is taking a risk, say by visiting an unsavory website. However, in many cases, the adversary must make it seem like taking the wrong action is the correct thing to do.

Figure 3-7: Attacks on Human Judgment (Study Figure) (3-4 in N9)

SOCIAL ENGINEERING

As technical defenses have improved, malware writers have focused more heavily on social engineering, which is a euphemism for tricking the victim into doing something against personal or organizational security interests. Viruses and worms have long tried to do this with e-mail attachments, say, by telling the user that he or she has won a lottery and needs to open the attachment for the details. The range of social engineering attacks has expanded greatly in the last few years.

Social engineering is tricking the victim into doing something against personal or organizational security interests.

OPENING E-MAIL ATTACHMENTS

If an e-mail attachment is a program (or a data file with a macro), opening one can infect the user. To entice users to open attachments, social engineering tries to present a convincing rationale for doing so. For instance, a message may say that it is an electronic greeting card. Receivers are told that a program must be downloaded to read the greeting card. The “reader” program, of course, is malware.

CLICKING ON A LINK TO A WEBSITE THAT HAS MALWARE

E-mail message bodies can also entice victims to visit an attacker website. A direct way is to include a link to the website. If the receiver clicks on the link, he or she will be taken to a website that will complete the attack or download malware into the victim’s computer.

Again, social engineering is needed to provide plausibility. Malware that controls a computer’s e-mail program may send messages in the name of that user and have a message body that says, “Wow. You have GOT to see this.” The link may even appear to be innocent, say appearing to connect the user to a news website. If you have learned HTML, you know that the way a link appears to the user may have nothing to do with the actual link.
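The last sentence, that a link's visible text and its real destination are independent, is exactly the property a mail gateway or mail client can check mechanically before the user ever sees the message. The following is an added example, not code from the chapter: it parses a constructed HTML message body with Python's standard-library HTML parser and flags every anchor whose visible text names one host while its href points at another. The hostnames are invented, and the rule for deciding that anchor text "looks like a URL" is an assumption of the example; plain-word anchors such as "click here" cannot be judged this way and are deliberately not flagged.

```python
# Added example (not from Panko's text): flag links whose displayed text
# points one way and whose href points another. The sample body is constructed.
from html.parser import HTMLParser
from urllib.parse import urlparse


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []       # list of (href, text)
        self._href = None     # href of the <a> currently open, if any
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url_or_text):
    """Lowercase hostname of a URL, or of bare text such as 'www.example.test/page'."""
    candidate = url_or_text if "://" in url_or_text else "http://" + url_or_text
    return (urlparse(candidate).hostname or "").lower()


def looks_like_url(text):
    """Heuristic (an assumption of this example): the anchor text itself names a host."""
    return "://" in text or text.lower().startswith("www.") or ("." in text and " " not in text)


def deceptive_links(html_body):
    """Return (visible text, href) for each link whose text names a host other than
    the one the href goes to. Plain-word anchor text is not checked."""
    parser = LinkCollector()
    parser.feed(html_body)
    flagged = []
    for href, text in parser.links:
        if looks_like_url(text) and host_of(text) != host_of(href):
            flagged.append((text, href))
    return flagged


# Constructed message body: an honest link, a deceptive one, and a plain-word anchor.
SAMPLE_BODY = """
<p>Wow. You have GOT to see this.</p>
<a href="https://www.example-news.test/story/123">https://www.example-news.test/story/123</a><br>
<a href="http://login.attacker-site.test/?u=42">www.example-news.test/breaking</a><br>
<a href="http://login.attacker-site.test/">click here</a>
"""

if __name__ == "__main__":
    for text, href in deceptive_links(SAMPLE_BODY):
        print(f"shown as {text!r} but goes to {href!r}")
```

A gateway that runs this check would rewrite or quarantine the second link; the third link is no safer, which is why the check complements rather than replaces the AV scanning and user caution the chapter describes.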

PHISHING ATTACKS

Many social networking attacks use some type of phishing,[3] which is the use of authentic-looking e-mail or websites to entice the user to send his or her username, password, or other sensitive information to the attacker. One typical example of phishing is an e-mail message that appears to be from the person’s bank. The message asks the person to “confirm” his or her username and password in a return message. Another typical example is an e-mail message with a link to what appears to be the victim’s bank website but that is, in fact, an authentic-looking fake website.

The critical thing in phishing is to make the user believe in the authenticity of the trick. Adversaries are getting extremely good at this.

Phishing is the use of authentic-looking e-mail or websites to entice the user to send his or her username, password, or other sensitive information to the attacker.

SPEAR PHISHING

Phishing attacks are designed to be attractive to certain groups of victims, such as customers of particular banks. In spear phishing, in turn, attacks are directed at a particular individual, such as a company’s purchasing manager. The attacker learns a great deal about the person and crafts a message with specific details that will cause the victim to believe that this must be a legitimate message. For example, if the person’s boss is traveling, the message may purport to come from the boss and contain details about the boss’ trip and recent events in the department.

Success rates in spear phishing are extremely high.




[3] IT attackers often replace f with ph. For example, phone freaking (dialing long-distance numbers illegally) became phone phreaking and later just phreaking.

In spear phishing, attacks are directed at a particular individual, such as a company’s purchasing manager.

CREDIT CARD NUMBER THEFT

A common goal of attacks on human judgment is to steal credit card numbers. A message may convince the user to type a credit card number to purchase goods. The attacker will not deliver the goods. Instead, the carder (credit card number thief) will use the credit card number to make unauthorized purchases. Most credit card firms will refund money spent by the carder, but this can be a painful process, and the victim must notify the credit card firm promptly to get a refund.

Ideally, the thief will also obtain the three-digit security code on the back of the card, the person’s full name, and their mailing address for billing. This will help them get past protections that e-commerce sites have in place to thwart credit card number fraud.

IDENTITY THEFT

In some cases, thieves collect enough data about a victim (name, address, social security number, driver’s license number, date of birth, etc.) to impersonate the victim in complex crimes. This impersonation is called identity theft. Thieves commit identity theft in order to purchase expensive goods, take out major loans using the victim’s assets as collateral, commit crimes, obtain prescription medicines, get a job, enter the country illegally, and do many other things. Identity theft is more damaging than credit card theft because it can involve large monetary losses that are not reimbursed by anyone. In addition, correcting the victim’s credit rating can take months. Some victims have even been arrested for crimes committed by the identity thief.

In identity theft, thieves collect enough data about a victim to impersonate the victim during complex crimes.

Test Your Understanding

13. a) What is social engineering? b) How is social engineering used to get victims to open e-mail attachments? c) How is social engineering used to get victims to click on links in e-mail messages or on websites? d) Distinguish between social engineering in general and phishing in particular. e) Distinguish between phishing and spear phishing.

14. a) Distinguish between credit card number theft and identity theft. b) What are carders? c) What specific information do carders wish to collect? d) Which tends to produce more damage: credit card theft or identity theft? Explain.

Human Break-Ins (Hacking)

Figure 3-8: Human Break-Ins (Hacking) [Study Figure] (3-5 in N9)

A virus or worm typically has a single attack method. If that method fails, the attack fails. However, human adversaries can also break into a specific company’s computers manually. An expert human adversary can attack a company with a variety of different approaches until one succeeds. This flexibility makes human break-ins much more likely to succeed than malware break-ins.

WHAT IS HACKING?

Hacking is defined as intentionally using a computer resource without authorization or in excess of authorization. The key issue is authorization.[4] If you see a password written on a note attached to a computer screen, this does not mean that you have authorization to use it. Also, note that it is hacking even if a person has legitimate access to an account but uses the account for unauthorized purposes.

Hacking is intentionally using a computer resource without authorization or in excess of authorization.

All hacking is illegal. Penalties differ by the type of asset that is hacked and by the amount of damage done, but it is very easy to do enough harm accidentally to merit a jail term, and “intentionally” only applies to use, not to damage.

THE SCANNING PHASE

When a hacker attacks a firm, he or she usually begins by
scanning the network
.
Figure 3
-
9

shows that this involves sending
prob
e packets

into
the firm’s network. Responses to these probe packets tend to reveal information about
the firm’s general network design and about its individual hosts. Usually there are two
phases to these probe attacks.




4

Note also that the unauthorized access must be intentional. Proving intentionality is almost
always necessary in criminal prosecution, and hacking is no exception.

Page
14

of
39


Figure 3
-
9
:
Scanning Probes and Exploit Packets (3
-
6 in N9)


Figure 3
-
10
: Stages in an Attack



The first probe packet in the figure is an IP address probe. It is sent to the IP address 128.171.17.13. If the host at that IP address responds, this means that there is a potential victim at that IP address. The attacker typically probes a large range of IP addresses to get a list of potential victims.

The attacker then sends port number probes to previously identified IP addresses. This second round of probes is sent to particular ports on these hosts. In the figure, the probe packet is sent to Port 80. As we saw in Chapter 2, this is the well-known port number for webservers. If the server responds, the attacker knows that Host 128.171.17.6 is a webserver.
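A defender sees the two probing phases from the other side, as unusual fan-out in connection logs: one source touching many hosts (address probes), then many ports on one host (port probes). The following Python script, an added example that is not part of the textbook, runs that check over a constructed log in which 203.0.113.9 probes the 128.171.17.x range; the log format and the two thresholds are assumptions made for the example.

```python
from collections import defaultdict

# Constructed connection log (not real traffic): time, source, destination, protocol, port-or-type.
# 128.171.17.x are the textbook's example addresses; the probing source is made up.
SAMPLE_LOG = """\
10:00:01 203.0.113.9 128.171.17.1 icmp echo
10:00:01 203.0.113.9 128.171.17.2 icmp echo
10:00:01 203.0.113.9 128.171.17.3 icmp echo
10:00:01 203.0.113.9 128.171.17.6 icmp echo
10:00:01 203.0.113.9 128.171.17.13 icmp echo
10:00:02 203.0.113.9 128.171.17.21 icmp echo
10:00:05 203.0.113.9 128.171.17.6 tcp 80
10:00:05 203.0.113.9 128.171.17.6 tcp 443
10:00:05 203.0.113.9 128.171.17.6 tcp 22
10:00:05 203.0.113.9 128.171.17.6 tcp 25
10:00:05 203.0.113.9 128.171.17.6 tcp 3389
10:00:06 203.0.113.9 128.171.17.13 tcp 80
10:00:06 203.0.113.9 128.171.17.13 tcp 22
10:00:30 198.51.100.4 128.171.17.6 tcp 80
10:00:31 198.51.100.4 128.171.17.6 tcp 80
"""

# Thresholds are assumptions for this example; tune them to the network's normal traffic.
HOST_SWEEP_THRESHOLD = 5   # distinct destination hosts contacted by one source
PORT_SWEEP_THRESHOLD = 4   # distinct ports on one host contacted by one source


def parse_log(text):
    """Yield (src, dst, port) per line; port is None for ICMP address probes."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue                      # skip blank or malformed lines
        _time, src, dst, proto, detail = fields
        yield src, dst, (int(detail) if proto == "tcp" else None)


def find_scanners(text, host_thr=HOST_SWEEP_THRESHOLD, port_thr=PORT_SWEEP_THRESHOLD):
    """Return {source: {"address_sweep": [hosts], "port_sweeps": {host: [ports]}}}
    for every source whose behaviour matches either probing phase."""
    hosts_by_src = defaultdict(set)       # phase 1: which hosts did each source touch?
    ports_by_src_dst = defaultdict(set)   # phase 2: which ports on each host?
    for src, dst, port in parse_log(text):
        hosts_by_src[src].add(dst)
        if port is not None:
            ports_by_src_dst[(src, dst)].add(port)

    findings = {}
    for src, hosts in hosts_by_src.items():
        if len(hosts) >= host_thr:
            findings.setdefault(src, {})["address_sweep"] = sorted(hosts)
    for (src, dst), ports in ports_by_src_dst.items():
        if len(ports) >= port_thr:
            findings.setdefault(src, {}).setdefault("port_sweeps", {})[dst] = sorted(ports)
    return findings


if __name__ == "__main__":
    for src, detail in find_scanners(SAMPLE_LOG).items():
        print(src, detail)
```

On the sample log the probing source is reported for both phases (six hosts swept, five ports tried on the webserver 128.171.17.6), while the ordinary client that only ever talks to port 80 on one host is not. The two ports probed on 128.171.17.13 stay below the port threshold, which is the usual trade-off: a low threshold catches slow scans but also flags legitimate multi-service clients.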

THE BREAK-IN

The colored server is a webserver that the attacker has selected after the two probing phases. The attacker has an exploit (attack method) for webservers. He or she uses this exploit to take over the host by sending exploit packets. Confusingly, the act of breaking into a computer is also called an exploit, as is the program the attacker uses during the break-in.

AFTER THE BREAK-IN

After the break-in, the real work begins.

Typically, the first thing a hacker does is download[5] a hacker toolkit to the victim computer. The toolkit is a collection of tools that automate some tasks the hacker will have to perform after the break-in.

[5] Some students find the use of the term download to be confusing. Look at it this way. The hacker is now logged into the victim computer. So he or she loads software from a toolkit server down to the victim computer and installs the software on the victim computer.

Second, the hacker typically uses the hacker toolkit to erase the operating system’s log files that record user activities. This makes it difficult for the computer’s rightful owner to trace how the attacker broke in or what the hacker did after the break-in.

Third, the hacker typically uses the hacker toolkit to create a backdoor that will allow the hacker back in later, even if the vulnerability used to break in is repaired. The backdoor may simply be a new account with a known password and full privileges. The backdoor can also be a Trojan horse program, which is difficult to detect. The Trojan horse will allow the attacker to log into it. The Trojan horse will have extensive permissions, which become the adversary’s permissions after login.

Fourth, once invisible and having a way back in, the attacker does damage at leisure by giving commands as a logged-in user with extensive permissions. For long-term exploitation, the hacker may download a Trojan horse, which will continue to cause damage after the hacker leaves. For instance, the Trojan may turn the host into a pornography download site or use the compromised host to attack other computers. Keystroke loggers that collect whatever the user types are also popular Trojan horses. The most dangerous Trojan horses are bots, which we will learn about in the next subsection.

Fifth, the hacker may be able to achieve privilege escalation. When an adversary breaks into a computer, he or she may only have limited privileges on the computer. This limits what the attacker can do. The attacker will attempt to escalate his or her privileges, ideally to the extent of having total control over the victim computer. Privilege escalation is not always possible, but if it succeeds, it greatly increases the hacker’s power.

Although hacker toolkits and Trojan horses automate a great deal of what the hacker wishes to do, hackers also work manually. With full access to the computer, the attacker can give ordinary operating system commands to read any file on the computer, change files, delete them, or do anything else that a legitimate user with extensive permissions can do.

Test Your Understanding

15. a) What is hacking? b) If you see a username and password on a Post-It note on a monitor, is it hacking if you use this information to log in? Explain. c) You discover that you can get into other e-mail accounts after you have logged in under your account. You spend just a few minutes looking at another user’s mail. Is that hacking? Explain. d) If you click on a link expecting to go to a legitimate website but are directed to a website containing information you are not authorized to see, is that hacking? Explain.

16. a) What are the purposes of the two types of probe packets? b) What is an exploit? c) What steps does a hacker usually take immediately after a break-in? d) What software does the hacker download to help him or her do work after compromising a system? e) After breaking in, what does a hacker do to avoid being caught? f) What is a backdoor? g) What are the two types of backdoors? h) What is privilege escalation?

Denial-of-Service (DoS) Attacks Using Bots

The goal of denial-of-service (DoS) attacks is to make a computer or entire network unavailable to its legitimate users.

The goal of denial-of-service (DoS) attacks is to make a computer or entire network unavailable to its legitimate users.

DISTRIBUTED DENIAL OF SERVICE (DDoS) ATTACK

As Figure 3-11 shows, most DoS attacks involve flooding the victim computer with attack packets. The victim computer becomes so busy processing this flood of attack packets that it cannot process legitimate packets. The overloaded host may even fail.

Figure 3-11: Distributed Denial of Service (DDoS) Attack Using Bots (Based on 3-7 in N9)

More specifically, the attack shown in the figure is a distributed DoS (DDoS) attack. In this type of DoS attack, the attacker first installs programs called bots on hundreds or thousands of PCs or servers. This collection of compromised computers is called a botnet. When the attacker sends these bots an attack command, they all begin to flood the victim with packets.

Typically, the adversary does not communicate with bots directly. Rather, he or she sends orders to a command and control server, which then sends attack commands to the bots. In effect, the attacker is two levels removed from the attack, making the botmaster difficult to locate.
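What a flood looks like from the victim’s side, as an added example that is not from the textbook: the Python below buckets a constructed packet trace by destination and second, flags any second whose packet rate exceeds an assumed capacity figure, and counts distinct sources to tell a distributed flood (many bots) from a single-source one. The trace, the bot addresses and the capacity figure are all constructed for the example.

```python
from collections import defaultdict

WEB_SERVER = "128.171.17.6"   # textbook example address, used here as the victim


def make_sample_packets():
    """Constructed packet trace as (time_ms, src, dst) tuples; not real traffic.
    Two ordinary clients each send a packet every 500 ms; from t=4 s to t=6 s,
    50 bots each send 20 packets per second to the same server."""
    packets = []
    for i in range(20):
        packets.append((i * 500, "198.51.100.4", WEB_SERVER))
        packets.append((i * 500 + 250, "198.51.100.7", WEB_SERVER))
    for bot in range(50):
        src = f"203.0.113.{bot + 1}"
        for k in range(40):
            packets.append((4000 + k * 50, src, WEB_SERVER))
    return sorted(packets)


# Assumed capacity figure for this example: above this rate the server starts dropping requests.
FLOOD_PPS = 200


def detect_floods(packets, pps_threshold=FLOOD_PPS, distributed_min_sources=10):
    """Bucket packets per destination per second and flag seconds above the rate limit.
    A flood arriving from many distinct sources is reported as distributed (DDoS)."""
    per_second = defaultdict(list)        # (dst, second) -> [src, src, ...]
    for t_ms, src, dst in packets:
        per_second[(dst, t_ms // 1000)].append(src)
    alerts = []
    for (dst, second), sources in sorted(per_second.items()):
        if len(sources) >= pps_threshold:
            distinct = len(set(sources))
            alerts.append({
                "dst": dst,
                "second": second,
                "packets": len(sources),
                "distinct_sources": distinct,
                "distributed": distinct >= distributed_min_sources,
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_floods(make_sample_packets()):
        print(alert)
```

Seconds 4 and 5 are flagged with 1,004 packets each from 52 distinct sources (50 bots plus the two real clients), while the other seconds carry only four packets. The distinct-source count is what separates a DDoS from a single noisy client, and it also shows why blocking individual source addresses does little against a botnet.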

BOT VERSATILITY

Bots are not limited to DDoS attacks. Bots are general-purpose exploitation programs that the botmaster can remotely update after installation. As Figure 3-11 shows, the adversary can have the command and control computer push updates out to all of the bots. Some upgrades are bug fixes. Others change the bots’ core functionality. For example, the bots may be programmed to send out spam initially. As spam blockers succeed in shunting aside traffic for these bots, the bots can be reprogrammed as DDoS attack machines or for other attack purposes.

Bots are general-purpose exploitation programs that can be remotely controlled after installation and can even be upgraded remotely with new capabilities.

Bot masters may sell their botnets to other attackers. They may also rent a subset of their bots to a specific attacker for a specific purpose. In either case, botmasters give the buyer or renter access to the command and control server. (Given the importance of command and control servers, most botnets have several in case one is disabled.)

Test Your Understanding

17. a) What is the purpose of a denial-of-service attack? b) What programs directly attack the victim in a distributed denial of service attack? c) What is a collection of compromised computers called? d) What is the person who controls them called? e) What gives bots flexibility? f) Explain the steps of a distributed DoS attack.

Advanced Persistent Threats

In the past, criminal attacks were brief and limited, the electronic equivalent of a smash-and-grab theft in a jewelry store. Increasingly, however, we are experiencing advanced persistent threats (APTs) in which the adversary has multiple objectives that he or she continues to exploit for a period of months or even years. These are true nightmares for corporations.

Figure 3-12: Advanced Persistent Threats [Study Figure] [New]

The adversary must first break into the firm. In a large majority of cases, he or she does this through an extremely well-crafted spear phishing attack that gives the attacker access to critical authentication credentials.

“Advanced” refers to the degree of skill exhibited by APT adversaries in everything they do.

The adversary uses the initial foothold to explore and break into other parts of the firm’s IT infrastructure. The attacker may also install Trojan horse programs and other exploitation programs.

“Persistent” means that the adversary continues to conduct surveillance on the network, learning more about its operations and finding additional weaknesses. Gradually, over a period of months or even years, the adversary can exploit much of the network.

Persistent presence without detection requires great skill. It also requires ample resources over a long period. Not surprisingly, most APTs are undertaken by government agencies, although well-funded criminal groups have done it.

Test Your Understanding

18. a) Explain “advanced” in the term advanced persistent threat. b) Explain “persistence” in the context of APTs. c) Why are APTs expensive to carry out?

TYPES OF ATTACKERS

The threat environment consists of types of attacks and types of attackers. As Figure 3-13 shows, there are many different types of attackers facing organizations today.

Figure 3-13: Types of Attackers

Traditional Attackers

When most people think of attackers, they normally have three pictures in their minds: hackers driven by curiosity, virus writers, and disgruntled employees and ex-employees. Indeed, these used to be the three most important types of adversaries.

HACKERS

Traditionally, some hackers have been motivated primarily by curiosity and the sense of power they get from breaking into computers. In many cases, they are also motivated by a desire to increase their reputation among their hacker peers by boasting about their exploits. This typically is the image of hackers presented in Hollywood movies. However, these are not the typical hackers today, as we will see in the next subsection.

MALWARE WRITERS

Malware writers, as the name suggests, create malware. Malware writers appear to enjoy the excitement of seeing their programs spread rapidly. These malware writers tend to be blind to the harm that they do to people.

In most countries, including the United States, it generally is not illegal to write malware. These activities are protected under freedom of speech. However, releasing malware is illegal in nearly all countries.

DISGRUNTLED EMPLOYEES AND EX-EMPLOYEES

Other traditional types of adversaries are disgruntled employees and disgruntled ex-employees who attack their own or their former firms. Employee attackers tend to do extensive damage when they strike because they typically already have access to systems, have broad knowledge of how the systems work, often know how to avoid detection, and tend to be trusted because they are part of the corporate “family.”

Many companies use contractors to carry out IT and other functions in the firm. In such cases, contractors have many of the characteristics of employees and are therefore more dangerous than other “outsiders.” When Edward Snowden stole files from the National Security Agency in early 2013, he was an employee of contractor Booz Allen Hamilton in Hawaii. He was able to succeed because of his access to government computers.

The most dangerous employees of all are IT staff members and especially IT security staff members. They typically have far more access than other employees, have much better knowledge of corporate systems, and have extensive knowledge of how to avoid detection. In fact, they may even be in charge of identifying attackers. The ancient Roman question, “Quis custodiet ipsos custodes?” means “Who guards the guardians?” It is a serious question in security.

Test Your Understanding

19. a) Are most attackers today driven by curiosity and a sense of power? b) Is it generally illegal to write malware? c) For what four reasons are employees dangerous? d) Why are contractor firms more dangerous than other outside firms? e) What are the most dangerous types of employees?

Criminal Attackers

Today, there are still many traditional attackers of the types we have just seen. However, even collectively they do not make up the majority of attackers today. Today, most adversaries are career criminals, who steal credit card numbers to commit credit card fraud, who extort firms, and who steal trade secrets to sell to competitors.

Today, most adversaries are career criminals.

Funded by their crimes, many criminals can afford to hire the best hackers and to enhance their own security-breaking skills. Consequently, criminal attacks are not just growing in numbers; they also are growing very rapidly in technical sophistication.

Test Your Understanding

20. a) What type of adversary are most attackers today? b) Why is this type of attacker extremely dangerous?

Cyberterrorists and National Governments

On the horizon is the danger of far more massive cyberterror attacks by terrorists and even worse cyberwar attacks by national governments. These could produce unprecedented damages in the hundreds of billions of dollars.

Cyberwar is not a theory. The United States has acknowledged that it has long had cyberwar capabilities, and it established a consolidated Cyberwar Command in 2009. It is clear that several other countries have these capabilities as well (especially China). Countries could use IT to do espionage to gather intelligence, conduct attacks on opponents’ financial and power infrastructures, or destroy enemy command and control facilities during physical attacks.

A 2009 article in the New York Times[6] reported that before the 2003 invasion of Iraq, the United States considered an attack that would shut down Iraq’s entire financial infrastructure. This attack was not approved, but this was not because it was infeasible. It was not approved because its impact might have spread beyond Iraq and might even have damaged the U.S. financial system.

[6] Markoff, John, and Shanker, Thom, “ ‘03 Plan Displays Cyberwar Risk,” New York Times, August 1, 2009. www.msnbc.msn.com/id/3032619/%2328368424.

Cyberterror is also likely. During physical attacks, terrorists might disable communication systems to thwart first responders and to spread confusion and terror among the population. Cyberterrorists could also conduct purely IT-based attacks. While the United States was afraid of side effects of cyberwar attacks on Iraq, terrorists would have no such qualms.

Cyberwar and cyberterror are particularly dangerous for three reasons. First, funding allows them to be extremely sophisticated. Second, they focus on doing damage instead of committing limited crimes. Third, they are dangerous because they will attack many targets simultaneously.

Test Your Understanding

21. a) What are cyberterror and cyberwar attacks? b) Why are cyberwar and cyberterror attacks especially dangerous?

PROTECTING DIALOGUES: CRYPTOGRAPHY

Having looked at the threat environment, we will now begin to look at the tools that companies use to attempt to thwart attackers. One of these is cryptography. Companies send massive volumes of messages. Formally, cryptography is the use of mathematics to protect information.

Cryptography is the use of mathematics to protect information.

Cryptography is important in and of itself. We begin with “crypto,” however, because it is used within many other protections that companies use to thwart attackers. A general foundation in cryptography is necessary to understand how they work.

Symmetric Key Encryption for Confidentiality

ENCRYPTION FOR CONFIDENTIALITY

When most people think of cryptography, they think of encryption for confidentiality, which Figure 3-14 illustrates. Confidentiality means that even if an eavesdropper intercepts a message, he or she will not be able to read it. The sender uses an encryption method, called a cipher, to create a message that an eavesdropper cannot read. However, the receiver can decrypt the message in order to read it.

Figure 3-14: Symmetric Key Encryption for Confidentiality (3-22 in 9e)

SYMMETRIC KEY ENCRYPTION

Most encryption for confidentiality uses symmetric key encryption ciphers, in which the two sides share a single key to encrypt messages to each other and to decrypt incoming messages. Figure 3-14 shows how symmetric key encryption works. When Party A sends to Party B, Party A encrypts with the single key, and Party B decrypts with the key. When Party B sends to Party A, in turn, Party B uses the single key to encrypt, while Party A uses the single key to decrypt. The process is symmetric because the same key is used in both directions. The dominant symmetric key encryption cipher today is the Advanced Encryption Standard (AES).

KEY LENGTH

Earlier, we looked at brute force password guessing. Symmetric keys also can be guessed by the attacker’s trying all possible keys. This is called exhaustive search. The way to defeat exhaustive key searches is to use long keys, which are merely binary strings. For symmetric key ciphers, key lengths of 100 bits or greater are considered to be strong. AES supports multiple strong key lengths up to 256 bits.

Keys are long strings of bits.
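An added example, not from the textbook, of the two points above: one shared key serves both directions of a dialogue, and exhaustive search costs about 2^(n-1) trials on average for an n-bit key. The cipher below is a deliberately tiny 16-bit toy constructed for the demonstration (it is not AES or any real cipher), and the eavesdropper is assumed to know that messages begin with “MSG: ” so that a correct key can be recognized.

```python
import time

KEY_BITS = 16   # toy size so the search finishes quickly; real symmetric keys are 100+ bits
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def _next(state: int) -> int:
    """One step of a 16-bit xorshift generator: the toy keystream (not cryptographic)."""
    state ^= (state << 7) & 0xFFFF
    state ^= state >> 9
    state ^= (state << 8) & 0xFFFF
    return state


def toy_crypt(key: int, data: bytes) -> bytes:
    """Toy symmetric stream cipher constructed for this example (NOT a real cipher).
    XOR is its own inverse, so the same function encrypts and decrypts with the same key."""
    state, out = key, bytearray()
    for b in data:
        state = _next(state)
        out.append(b ^ (state & 0xFF))
    return bytes(out)


def exhaustive_search(ciphertext: bytes, known_prefix: bytes, key_bits: int = KEY_BITS) -> list:
    """Try every key and keep those that decrypt the start of the message to the known prefix.
    With enough known text only the true key survives."""
    n = len(known_prefix)
    return [k for k in range(1 << key_bits) if toy_crypt(k, ciphertext[:n]) == known_prefix]


def expected_search_seconds(key_bits: int, keys_per_second: float) -> float:
    """On average the attacker must try half of the 2**key_bits possible keys."""
    return 2 ** (key_bits - 1) / keys_per_second


def dialogue_and_attack(key: int = 0x5A3C):
    """Two-way dialogue with one shared key, then an exhaustive search for that key.
    Returns (surviving candidate keys, measured keys tried per second)."""
    a_to_b = toy_crypt(key, b"MSG: transfer 500 to account 42")          # Party A encrypts
    assert toy_crypt(key, a_to_b) == b"MSG: transfer 500 to account 42"  # Party B decrypts, same key
    b_to_a = toy_crypt(key, b"MSG: confirmed")                          # Party B encrypts the reply
    assert toy_crypt(key, b_to_a) == b"MSG: confirmed"                  # Party A decrypts, same key

    start = time.perf_counter()
    candidates = exhaustive_search(a_to_b, b"MSG: ")   # eavesdropper knows the "MSG: " prefix
    rate = (1 << KEY_BITS) / max(time.perf_counter() - start, 1e-9)
    return candidates, rate


if __name__ == "__main__":
    candidates, rate = dialogue_and_attack()
    print(f"16-bit key recovered: {[hex(k) for k in candidates]} at {rate:,.0f} keys/s")
    for bits in (56, 100, 128, 256):
        for kps in (rate, 1e12):   # this machine, and a hypothetical 10^12 keys/s cracker
            years = expected_search_seconds(bits, kps) / SECONDS_PER_YEAR
            print(f"{bits:3d}-bit key at {kps:,.0f} keys/s: about {years:.3g} years")
```

Running it recovers the 16-bit key in a fraction of a second, and the table that follows shows the doubling rule at work: every added key bit doubles the expected search, so a 128-bit key takes on the order of 10^18 years even at a trillion keys per second. That growth, not the secrecy of the cipher design, is what makes keys of 100 bits or more “strong”.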

Test Your Understanding

22. a) What is a cipher? b) What protection does confidentiality provide? c) In two-way dialogues, how many keys are used in symmetric key encryption? d) What is the minimum size for symmetric keys to be considered strong?

Electronic Signatures: Message Authentication and Integrity

In addition to encrypting each packet for confidentiality, cryptographic systems normally add electronic signatures to each packet. This is illustrated in Figure 3-15. Electronic signatures are small bit strings that provide message-by-message authentication, much as people use signatures to authenticate individual written letters. Authentication means proving a sender’s identity. An electronic signature allows the receiver to detect a message added to the dialogue by an impostor.

Figure 3-15: Electronic Signature for Authentication (Figure 3-22 in 9e)

Authentication means proving a sender’s identity.

Electronic signatures also provide message integrity, meaning that the receiver will be able to detect it if the packet is changed in transit. Consequently, cryptographic systems provide three protections to every packet. Encryption for confidentiality provides message-by-message confidentiality, while electronic signatures provide message-by-message authentication and message integrity.
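The per-packet electronic signature described above can be realized with a message authentication code. The Python below, an added example that is not from the textbook, uses HMAC-SHA256 from the standard library as the signature; the packet layout (4-byte sequence number, payload, 32-byte tag) and the constructed dialogue with one packet altered in transit, one forged by an impostor and one replayed are assumptions of the example.

```python
import hashlib
import hmac
import secrets
import struct

TAG_LEN = 32                   # HMAC-SHA256 tag appended to every packet
HEADER = struct.Struct(">I")   # 4-byte big-endian sequence number


def sign_packet(key: bytes, seq: int, payload: bytes) -> bytes:
    """Build packet = seq || payload || tag. The tag is the electronic signature:
    it depends on the shared key and on every bit of seq and payload."""
    body = HEADER.pack(seq) + payload
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return body + tag


def verify_packet(key: bytes, packet: bytes):
    """Return (seq, payload) if the signature is valid, or None if the packet was
    forged (wrong key) or altered in transit (any bit changed)."""
    if len(packet) < HEADER.size + TAG_LEN:
        return None
    body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        return None
    return HEADER.unpack(body[:HEADER.size])[0], body[HEADER.size:]


def receive_dialogue(key: bytes, packets):
    """Receiver side: accept only authentic, in-order packets; report why others were rejected."""
    accepted, rejected, next_seq = [], [], 0
    for pkt in packets:
        result = verify_packet(key, pkt)
        if result is None:
            rejected.append("bad signature")                       # forged or altered
        elif result[0] != next_seq:
            rejected.append(f"unexpected sequence {result[0]}")    # replay or out-of-order
        else:
            accepted.append(result[1])
            next_seq += 1
    return accepted, rejected


def demo():
    """Constructed dialogue: two good packets, one altered in transit, one forged by an
    impostor who does not know the key, and one replay of the first packet."""
    key = secrets.token_bytes(32)       # shared by A and B (in practice set up by key exchange)
    p0 = sign_packet(key, 0, b"pay 100 to account 42")
    p1 = sign_packet(key, 1, b"pay 250 to account 17")
    altered = p1[:HEADER.size] + b"pay 950 to account 17" + p1[HEADER.size + 21:]  # same length
    forged = sign_packet(secrets.token_bytes(32), 2, b"pay 999 to account 99")   # impostor's key
    return receive_dialogue(key, [p0, p1, altered, forged, p0])


if __name__ == "__main__":
    accepted, rejected = demo()
    print("accepted:", accepted)
    print("rejected:", rejected)
```

The altered packet and the impostor’s packet both fail the tag check, which is the integrity and authentication protection in one operation; the replayed packet carries a valid tag, and it is the sequence number covered by that tag that lets the receiver reject it. Constant-time comparison matters because a byte-by-byte compare leaks, through timing, how much of a guessed tag was right.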

Test Your Understanding

23. What two protections do electronic signatures provide?

AUTHENTICATION BROADLY

Electronic signatures provide message-by-message authentication. However, there are many types of authentication in use today, each with strengths and weaknesses. Authentication is crucial to controlling access to resources so that adversaries can be prevented from reaching them.

Terminology and Concepts

Figure 3-16 illustrates the main terminology and concepts in authentication. The user trying to prove his or her identity is the supplicant. The party requiring the supplicant to prove his or her identity is the verifier. The supplicant tries to prove his or her identity by providing credentials (proofs of identity) to the verifier.

Figure 3-16: General Authentication Concepts (Figure 3-12 in 9e)

The type of authentication tool that is used with each resource must be appropriate for the risks to that particular resource. Sensitive personnel information should be protected by very strong authentication methods. However, strong authentication is expensive and inconvenient. For relatively nonsensitive data, weaker but less expensive authentication methods may be sufficient. Strength of authentication, like everything else in security, is a matter of risk management.


Test Your Understanding

24. a) What is authentication? b) Distinguish between the supplicant and the verifier. c) What are credentials? d) Why must authentication be appropriate for risks to an asset?

Reusable Passwords

The most common authentication credential is the reusable password, which is a string of characters that a user types to gain access to the resources associated with a certain username (account) on a computer. These are called reusable passwords because the user will type the password each time he or she needs access to the resource. The reusable password is the weakest form of authentication, and it is appropriate only for the least sensitive assets.

Figure 3-17: Reusable Password Authentication [Study Figure] (3-13 in 9e)

The reusable password is the weakest form of authentication, and it is appropriate only for the least sensitive assets.

EASE OF USE AND LOW COST

The popularity of password authentication is hardly surprising. For users, passwords are familiar and relatively easy to use. For corporate IT departments, passwords add no additional cost because operating systems and many applications have built-in password authentication.

WORD/NAME PASSWORDS AND DICTIONARY ATTACKS

The main problem with passwords is that most users pick very weak passwords.

The main problem with passwords is that most users pick very weak passwords.

For example, they often pick ordinary dictionary words or the names of family members, pets, sports teams, or celebrities. Dictionary word and name passwords often can be cracked (guessed) in a few seconds if the attacker can get a copy of the password file (which contains an encrypted list of account names and passwords). The attacker uses a dictionary attack, trying all words in a standard or customized dictionary as well as common names for people, sports teams, and other entities. There are only a few thousand dictionary words and names in any language. Consequently, dictionary attacks can crack dictionary-word and name passwords almost instantly.

There are also hybrid dictionary attacks, which look for simple variations on words and names, such as a word with the first letter capitalized, followed by a single digit (e.g., Dog1). Hybrid dictionary attacks usually can crack word or name variants almost as quickly as passwords made of actual words and names.

Names, words, and simple variants of words and names that can be cracked by dictionary or hybrid dictionary attacks are never adequately strong, regardless of how long they are. They can always be cracked too quickly for safety.

Names, words, and simple variants of words and names that can be cracked by dictionary and hybrid dictionary attacks are never adequately strong, regardless of how long they are.

COMPLEX PASSWORDS

Dictionary and hybrid dictionary attacks fail if passwords are more complex than dictionary words, names, and simple variations. Good complex passwords have a mix of the following:

- Lowercase letters.
- Uppercase letters, not simply at the start of the password.
- The digits from 0 to 9, not simply at the end of the password.
- Other keyboard symbols, such as & and #, which serve as swear words in cartoons, not simply at the end of the password.

Complex passwords can only be cracked by brute force attacks that try all possible combinations of characters. First, all combinations of a single character are tried, then all combinations of two characters, all combinations of three characters, and so forth.

Brute force attacks take far longer than dictionary attacks.

COMPLEX PASSWORD LENGTH

Even a complex password is weak if it is short. If it only has three or four characters, brute force attacks will succeed in seconds. Fortunately, increasing password length (the number of characters in the password) can make brute force attacks practically impossible. If the password is complex, then each additional character increases cracking time by a factor of about 70.

Given the speed of brute force cracking today, passwords should be complex and at least eight characters long to be considered adequate. Even longer passwords are highly desirable.

Only passwords that are complex and at least eight characters long should be considered to be adequately strong.

Unfortunately, complex passwords are difficult for users to remember, so they tend to write them on a sheet of paper that they keep next to their computers. This makes passwords easy to steal so that there is no need to crack them by dictionary or brute force attacks.
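An added example, not from the textbook, that turns the rules of this section into a password-strength check: it decides which attack (dictionary, hybrid dictionary or brute force) would be used against a password, applies the four-ingredient complexity rule and the eight-character minimum, and estimates brute-force work using the factor of about 70 per character. The word list and the exact set of “simple variations” undone (capitalization, up to two trailing digits, one trailing symbol) are assumptions of the example.

```python
import math
import string

# Constructed word and name list standing in for a real cracking dictionary.
DICTIONARY = {"dog", "cat", "password", "summer", "tiger", "dragon", "yankees", "fluffy",
              "john", "mary", "alice", "bob"}
SYMBOLS = set(string.punctuation)
CHARSET_PER_POSITION = 70     # textbook figure: each added character multiplies the work by ~70


def hybrid_base(pw: str) -> str:
    """Undo the simple variations a hybrid dictionary attack tries (assumed set):
    capitalization, one trailing symbol, and up to two trailing digits."""
    core = pw[:-1] if pw and pw[-1] in SYMBOLS else pw
    digits = 0
    while core and core[-1].isdigit() and digits < 2:
        core, digits = core[:-1], digits + 1
    return core.lower()


def is_complex(pw: str) -> bool:
    """The textbook's four ingredients, with uppercase letters not only at the start
    and digits/symbols not only at the end (our reading of 'not simply at ...')."""
    return (any(c.islower() for c in pw)
            and any(c.isupper() for c in pw[1:])
            and any(c.isdigit() for c in pw[:-1])
            and any(c in SYMBOLS for c in pw[:-1]))


def classify(pw: str, dictionary=DICTIONARY) -> dict:
    """Which attack cracks this password, and is it adequately strong by the textbook rule
    (complex and at least eight characters)?"""
    if pw.lower() in dictionary:
        attack = "dictionary"
    elif hybrid_base(pw) in dictionary:
        attack = "hybrid dictionary"
    else:
        attack = "brute force"
    complex_ = attack == "brute force" and is_complex(pw)
    adequate = complex_ and len(pw) >= 8
    work_bits = None
    if attack == "brute force":
        # log2 of the 70**len combinations a brute force attack has to walk through
        work_bits = round(len(pw) * math.log2(CHARSET_PER_POSITION), 1)
    return {"attack": attack, "complex": complex_, "adequate": adequate, "work_bits": work_bits}


if __name__ == "__main__":
    for candidate in ("dog", "Dog1", "tiger99", "aB3$", "xK9#p", "xK9#pL2q", "xK9#pL2qZ"):
        print(f"{candidate!r:14} {classify(candidate)}")
```

The last two candidates show the length rule in numbers: one more character adds about 6.1 bits of work (log2 of 70), that is, the factor of 70 the text gives. Note what the checker cannot see: a password that passes every rule but is written on a note next to the monitor needs no cracking at all.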

Test Your Understanding

25. a) Distinguish between usernames and reusable passwords. b) Why are passwords widely used? c) What types of passwords are susceptible to dictionary attacks? d) What types of passwords are susceptible to hybrid dictionary attacks? e) Can a password that can be broken by a dictionary attack be adequately strong if it is very long? f) What is a brute force attack? g) What types of passwords can be broken only by brute force attacks? h) Why is password length important? i) How long should passwords be?

26. Critique each of the following passwords. First, describe the type of attack that would be used to crack it, justifying your answer. Second, say whether it is of adequate strength, justifying your answer. a) velociraptor; b) Viper1; c) NeVeR; d) R7%t&.

Other Forms of Authentication

Companies are beginning to look for stronger types of authentication for most of their resources. This will allow them to replace most or all of their reusable password access systems. We have space to mention only the few types of authentication shown in Figure 3-18.

Figure 3-18: Other Forms of Authentication (Figure 3-14 in N9)

Access Cards

To get into your hotel room, you may have to swipe your access card through a card reader before being allowed through. For door and computer access, many companies also use these handy access cards, including proximity access cards that use radio signals and can be read with a simple tap against a reader. Companies need to control the distribution of access cards, and they need to rapidly disable any access card that has been lost or stolen.

Biometrics

Access cards are easy to use, but if you lose your access card, you cannot get entry. In hotels, of course, you simply walk down to the front desk. They disable the code on your room card reader and give you a new card that will open your room. In corporate environments, the process takes a good deal longer.

In biometrics, in contrast, access control is granted based on something you always have with you: your body. Biometrics is the use of body measurements to authenticate you.

Biometrics is the use of body measurements to authenticate you.

There are several types of biometrics that differ in cost, precision, and susceptibility to deception by someone wishing to impersonate a legitimate user.

- At the low end on price, precision, and the ability to reject deception is fingerprint recognition, which looks at the loops, whorls, and ridges in your fingerprint. Although fingerprint recognition is not a strong form of authentication, its low price makes it ideal for low-risk applications. For relatively low-cost devices such as laptop computers and smart phones, fingerprint recognition may be preferred to reusable passwords, given the tendency of people to pick poor passwords and forget them.

- At the high end of the scale on price, precision, and the ability to reject deception is iris recognition,[7] which looks at the pattern in the colored part of your eye. Although extremely precise, iris scanners are too expensive to use for computer access. They are normally used for access to sensitive rooms.

- One controversial form of biometrics is facial recognition, in which each individual is identified by his or her facial features. This is controversial because facial recognition can be done surreptitiously, without the knowledge of the person being scanned. This raises privacy issues.

Digital Certificate Authentication

The strongest form of authentication is digital certificate authentication. Figure 3-19 illustrates this form of authentication.

Figure 3-19: Digital Certificate Authentication (Based on 3-15 in N9)

- In this form of authentication, each party has a secret private key that only he or she knows.

- Each party also has a public key, which anyone can know. It is not kept secret.

- A trusted organization called a certificate authority (CA) distributes the public key of a person in a document called a digital certificate. A digital certificate is cryptographically protected for message integrity, so that it cannot be changed without this change being obvious in a way that causes the verifier to reject it.

[7] In science fiction movies, eye scanners are depicted as shining light into the supplicant’s eye. This does not really happen. Iris scanners merely require the supplicant to look into a camera. In addition, science fiction movies use the term retinal scanning. The retina is the back part of the eye and has distinctive vein patterns. Retinal scanning is not used frequently because the supplicant must press his or her face against the scanner.

First, the supplicant claims to be someone we will call the true party. To test this claim, the verifier sends the supplicant a challenge message. This is just a random stream of bits. It is not even encrypted for confidentiality.

Second, to prove its claim to being the true party, the supplicant encrypts the challenge message with his or her private key and sends this response message to the verifier. Again, there is no encryption for confidentiality.

Third, the verifier gets the true party’s digital certificate, which contains the true party’s public key. The verifier tests the response message by decrypting it with the public key of the true party, which is contained in the digital certificate. If the decryption produces the original challenge message, then the supplicant knows the private key of the true party. Only the true party should know this key. Therefore, it is reasonable to authenticate the supplicant as the true party.

Note that the verifier uses the public key of the true party, not the supplicant’s public key. If the verifier used the supplicant’s public key, the test would always succeed. The supplicant’s public key would decrypt the message correctly. Impostors would always be authenticated.

Note that the verifier uses the public key of the true party, not the supplicant’s public key.
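The three steps above, as an added example that is not from the textbook, using textbook RSA with constructed keys: the response is pow(challenge, d, n) under the supplicant’s private key, and the verifier checks pow(response, e, n) with the public key taken from the true party’s certificate. The keys are tiny and unpadded and exist only to show the protocol logic and the point of the note above (a verifier that uses the supplicant’s own public key accepts an impostor); real systems use padded signatures such as RSA-PSS or ECDSA with much larger keys.

```python
import secrets

PUBLIC_EXPONENT = 65537


def make_keypair(p: int, q: int) -> dict:
    """Textbook RSA from two primes: public (n, e), private (n, d). No padding and moduli
    far too small for real use; constructed for illustration only."""
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(PUBLIC_EXPONENT, -1, phi)     # private exponent (modular inverse, Python 3.8+)
    return {"public": (n, PUBLIC_EXPONENT), "private": (n, d)}


# Constructed keys. The true party's digital certificate would carry TRUE_PARTY["public"].
TRUE_PARTY = make_keypair(2**61 - 1, 2**31 - 1)     # Mersenne primes, about a 92-bit modulus
IMPOSTOR = make_keypair(2**19 - 1, 2**17 - 1)       # the impostor's own, different, key pair


def make_challenge() -> int:
    """Step 1: the verifier sends a random bit string in the clear.
    Kept below both toy moduli and never 0 or 1, which would trivially verify."""
    return secrets.randbits(32) | 2


def respond(private_key, challenge: int) -> int:
    """Step 2: the supplicant 'encrypts' the challenge with its private key and sends it back."""
    n, d = private_key
    return pow(challenge, d, n)


def verify(true_party_public_key, challenge: int, response: int) -> bool:
    """Step 3: the verifier decrypts the response with the TRUE PARTY's public key, taken
    from the true party's certificate, and compares the result with the challenge."""
    n, e = true_party_public_key
    return pow(response, e, n) == challenge


def run_protocol(supplicant: dict, public_key_used_by_verifier, challenge=None) -> bool:
    """Drive one authentication attempt and report whether the verifier accepts it."""
    challenge = make_challenge() if challenge is None else challenge
    response = respond(supplicant["private"], challenge)
    return verify(public_key_used_by_verifier, challenge, response)


def demo(challenge: int = 0x12345678) -> dict:
    return {
        # correct verifier: public key from the true party's certificate
        "true party, correct check": run_protocol(TRUE_PARTY, TRUE_PARTY["public"], challenge),
        "impostor, correct check": run_protocol(IMPOSTOR, TRUE_PARTY["public"], challenge),
        # flawed verifier: uses whatever public key the supplicant itself hands over
        "impostor, flawed check": run_protocol(IMPOSTOR, IMPOSTOR["public"], challenge),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```

The second case is the protocol working as intended: the impostor can produce a response, but only the true party’s private key produces one that the certificate’s public key turns back into the challenge. The third case is the bug the note warns about, and it is why the verifier must obtain the public key from a CA-signed certificate for the claimed identity rather than from the supplicant.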

TWO-FACTOR AUTHENTICATION

Debit cards are potentially dangerous because if someone finds a lost debit card, the finder might be able to use it to make purchases. So possession of the debit card is not enough to use it. To use a debit card, the user must type a personal identification number (PIN), which usually is four or six digits long. Requiring two credentials for authentication is called two-factor authentication. Two-factor authentication increases the strength of authentication.

However, if a user’s computer is compromised, the attacker typically controls both of the credentials, so two-factor authentication buys no extra security. Two-factor authentication may also break down if an eavesdropper can intercept authentication communication between the two parties.

Two-factor authentication is desirable, but factors that limit its use must be understood.

Two-factor authentication requires two forms of authentication.

Test Your Understanding

27. a) What security problem do access cards have? b) What is biometrics? c) By what three criteria should biometric methods be judged? d) Why may fingerprint recognition be used to authenticate access to a laptop? e) Why is iris recognition desirable? f) Why is face recognition controversial?

28. a) In digital certificate authentication, what does the supplicant do? b) What does the verifier do? c) Does the verifier decrypt with the true party’s public key or the supplicant’s public key? d) How does the verifier get the public key? e) From what type of organization does the verifier get the digital certificate?

29. a) Why is two-factor authentication desirable? b) Will two-factor authentication still be strong if the attacker controls the supplicant’s computer? c) Will two-factor authentication still be strong if the adversary can intercept all authentication communication?

FIREWALLS

In hostile military environments, travelers must pass through checkpoints. At each checkpoint, their credentials will be examined. If the guard finds the credentials insufficient, the guard will stop the arriving person from proceeding and note the violation in a checkpoint log.

Dropping and Logging Provable Attack Packets

Figure 3-20 shows that firewalls operate in similar ways. Whenever a packet arrives, the firewall examines the packet. If the firewall identifies a packet as a provable attack packet, the firewall discards it.8 On the other hand, if the packet is not a provable attack packet, the firewall allows it to pass.

If a firewall identifies a packet as a provable attack packet, the firewall discards it.

Figure 3-20: General Firewall Operation

The firewall copies information about the discarded packet into a firewall log file. Firewall managers should read their firewall log files every day to understand the types of attacks coming against the resources that the firewall is protecting.

Note that firewalls pass all packets that are not provable attack packets. Some attack packets will not be provable attack packets. Consequently, some attack packets inevitably get through the firewall to reach internal hosts. It is important to harden all internal hosts against attacks by adding host firewalls, adding antivirus programs, installing all patches promptly, and taking other precautions. This chapter focuses on network security, rather than host security, so we will not consider host hardening.

Ingress and Egress Filtering

When most people think of firewalls, they think of filtering packets arriving at a network from the outside. Figure 3-20 illustrates this ingress filtering.

Most firms also do egress filtering, that is, they filter packets going from the network to the outside. By doing egress filtering, the corporation is acting as a good citizen, ensuring that its computers are not used in attacks against outside firms. Egress filtering also attempts to prevent sensitive corporate information from being sent outside the firm.

8 Provable here means certain: there is no doubt that the packet is an attack packet.

Test Your Understanding

30. a) What does a firewall do when a packet arrives? b) Does a firewall drop a packet if it probably is an attack packet? c) Why is it important to read firewall logs daily? d) Distinguish between ingress and egress filtering.

Stateful Packet Inspection (SPI) Firewalls

How do firewalls examine packets to see if they are attack packets? Actually, there are several firewall filtering mechanisms. We will only look at two: stateful packet inspection (SPI) and application-aware firewalls.

The most widely used firewall filtering method today is stateful packet inspection (SPI), which treats different types of packets differently, spending the most resources on the most risky packets, which are relatively few, and spending less time on less risky packets.

STATES AND FILTERING INTENSITY

When you talk with someone on the telephone, there are two basic stages to your conversation.

• At the beginning of a call, you need to identify the other party and decide whether you are both willing to have a conversation.

• Afterward, if you do decide to talk, you usually don't have to constantly worry about whether the conversation should go on with this person.

The key point here is that you do different things in different stages of a conversation. In the first stage, you have to pay careful attention to identifying the caller and making a decision about whether it is wise to talk. After that, you simply talk and normally do not have to spend much time thinking about whether to talk to the person.

Most firewalls today use stateful packet inspection (SPI) filtering, which uses the insight that there are also stages in network conversations and that not all stages require the same amount of firewall attention. At the simplest level, Figure 3-21 shows that there are two stages, which SPI firewalls call states: opening a connection (conversation) and not attempting to open a connection, in other words, ongoing communication.9

9 Sometimes, stateful packet inspection firewalls use other states as well. For instance, after a connection begins, there may be a stage in which a new port must be opened in the firewall. In voice over IP, there typically is one port to connect the VoIP programs. The actual call uses a new port designated for that purpose. The SPI firewall will conduct appropriate inspections during this process.

Figure 3-21: Stateful Packet Inspection (SPI)


SPI FILTERING IN THE

CONNECTION
-
OPENING STATE

SPI firewalls focus
heavily on the opening state. They have complex rules to tell them
whether

to allow the
conversation (connection). If they decide to allow a connection, however, they give
minimal attention to packets in the ongoing communication state. This makes sense
because the decision to allow a connection is the most complex and dangerous

stage in
the connection.

For example, suppose that a packet arriving at a firewall contains a TCP SYN
segment. This clearly is a connection
-
opening request to the destination host.
From
Figure 3
-
21
, we see that
the firewall
compares the

features of the packet to the rules in
its
access control list

(ACL)
.
Figure 3
-
22

shows a very simplified access control list. This
ACL has only three rules.

Figure 3
-
22
:
Access Control List (ACL) (3
-
19 in 9e)

Rule

Destination IP Address or
Range

Service

Action

1

ALL

25

Allow connection

2

10
.47.122.79

80

Allow connection

3

ALL

ALL

Do not allow connection

Note: ACLs are only applied to packets that attempt to open a connection.



Rule 1
is checked first. It
allows connections to all hosts (all IP addresses) on Port
25. We saw in Chapter
1

that Port 25 is the well
-
known port number for SMTP.
This rule permits connections to all internal mail servers.



If Rule 1 does not match the packet, the firewall looks at
Rule 2
in the ACL. This
rule
permits connections to a single internal host, 10.47.1
22.79, on Port 80. This
rule allows access to a single internal webserver

the webserver at IP address
Page
31

of
39


10.47.122.79. This is safer than Rule 1 because Rule 1 opens the firewall to
every

internal mail server, while Rule 2 opens the firewall only to connectio
ns to
a single

server.



If Rule 2 does not match the packet, the firewall looks at the third (and final)
rule. This

rule is the
called
default rule

for incoming packets that try to open a
connection. (The default is what you get if you do not explicitly spe
cify
something else.) This last rule ensures that unless a packet is explicitly allowed
by an earlier rule, it is dropped and logged.

What happens if a packet
containing a SYN segment
arrives
with

the destination
address 10.20.12.220 and
the

destination port number 80?
This is an attempt to open a
connection. Consequently,
the SPI firewall takes the left fork in
Figure 3
-
21
. It passes the
connection infor
mation to the access control list.

The firewall tests it against the first rule

in the ACL.

The rule

does not apply
because the port number in the rule is 25 instead of 80. The firewall goes on to the next
rule. This rule also does not apply, becaus
e the I
P address does not match the IP address
in the connection.

The third and final rule matches
, of course
.
Consequently, the firewall decides

to
reject the connection.

Note that the decision is to reject a
connection
, not just an
individual packet
. This is
an

important decision, so doing all of the processing to pass the packet through the ACL
is justified.

What if the SPI firewall decides instead to permit a connection? Then it adds the connection to its connections table. Each connection is a row containing the IP address and port number of the internal host and the IP address and port number of the external host. In other words, the row has the internal and external sockets for each connection.

Figure 3-23: Connections Table for a Stateful Packet Inspection (SPI) Firewall

Connection  Internal Host IP Address  Internal Host Port Number  External Host IP Address  External Host Port Number
1           128.171.17.13             3270                       10.74.118.4               80
2           128.171.34.5              4747                       60.3.5.75                 25

Although ACL rules generally are not complex, there tend to be many rules in real access control lists. Comparing a single connection-opening attempt against the access control list can be time consuming. Fortunately, only a very small percentage of all packets arriving at a firewall are connection-opening attempts, probably under one percent.


HANDLING PACKETS DURING ONGOING COMMUNICATION

If a packet does not attempt to open a connection, then either the packet is part of an approved connection in the connections table (Figure 3-23) or the packet is spurious. When a packet that does not attempt to open a connection arrives, the stateful firewall does the following (see Figure 3-21).

• If the packet is part of an established connection, it is passed without further inspection. (However, these packets can be further filtered if desired.) An example would be a packet with an internal socket of 128.171.34.5:4747 and an external socket of 60.3.5.75:25. This matches Connection 2 in Figure 3-23. The packet should be passed.

• If the packet is not part of an established connection, then it must be spurious. It is dropped and logged. An example would be a packet with an internal socket of 128.171.34.5:4747 and an external socket of 60.3.5.75:80. This does not match either row (Connection 2 has external port 25, not 80). The packet is dropped and logged.

What kind of packet does not attempt to open a connection? The answer is simple for TCP. Only packets with SYN segments attempt to open a connection; segments carrying other flags (ACK, FIN, RST) belong to a connection that should already be in the table. For UDP, the answer is somewhat more complex. Essentially, if a packet containing a UDP datagram arrives and the connection is in the table, the packet is allowed through. If the packet does not match the connections table, it is considered an attempt to open a connection and is passed through the ACL. Although UDP is not connection-oriented, a series of UDP exchanges between two sockets is treated like a connection.

Note that the SPI firewall only makes a decision whether or not to pass the packet. It does not have to make a decision about the entire connection, as it must do in connection-opening attempts.

If processing a packet that does not attempt to open a connection sounds simple, it is. Nearly all packets, perhaps 99%, are not part of connection-opening attempts. Consequently, most packets are handled with very little processing power. This makes stateful firewalls very inexpensive overall.
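The connection-opening and ongoing-communication handling just described, as an added example that is not from the textbook: a small Python model of an SPI firewall for inbound packets, loaded with the ACL of Figure 3-22 and the connections table of Figure 3-23. The external addresses 203.0.113.9 and 198.51.100.7 and the ephemeral port numbers are constructed for the walkthrough. Two details go beyond the text and are assumptions: a SYN/ACK (the second step of a TCP handshake) is treated as belonging to an existing connection rather than as a new opening attempt, and an ACL with no matching rule denies (fails closed).

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"                  # "tcp" or "udp"
    flags: frozenset = frozenset()      # TCP flags present, e.g. frozenset({"SYN"})


@dataclass(frozen=True)
class Rule:
    dst: str        # "ALL", one address, or a CIDR range
    service: str    # "ALL" or a destination port number
    action: str     # "allow" or "deny"


# The three-rule ACL of Figure 3-22. Rule 3 is the default: deny (and log).
FIGURE_3_22_ACL = [
    Rule("ALL", "25", "allow"),
    Rule("10.47.122.79", "80", "allow"),
    Rule("ALL", "ALL", "deny"),
]

# Connections table of Figure 3-23 as (internal ip, internal port, external ip, external port, proto).
FIGURE_3_23_CONNECTIONS = {
    ("128.171.17.13", 3270, "10.74.118.4", 80, "tcp"),
    ("128.171.34.5", 4747, "60.3.5.75", 25, "tcp"),
}


class SPIFirewall:
    """SPI for inbound packets: ACL only for connection openings, table lookup for everything else."""

    def __init__(self, acl, connections=()):
        self.acl = list(acl)
        self.connections = set(connections)
        self.log = []

    def _match_acl(self, pkt):
        """Walk the ACL top down; return (rule number, action) of the first match."""
        for number, rule in enumerate(self.acl, start=1):
            dst_ok = rule.dst == "ALL" or ipaddress.ip_address(pkt.dst_ip) in ipaddress.ip_network(rule.dst, strict=False)
            svc_ok = rule.service == "ALL" or int(rule.service) == pkt.dst_port
            if dst_ok and svc_ok:
                return number, rule.action
        return None, "deny"   # no rule matched and no explicit default: fail closed

    def _is_opening(self, pkt, key):
        if pkt.proto == "tcp":
            # Only a bare SYN opens a TCP connection; SYN/ACK, ACK, FIN and RST belong to an existing one.
            return "SYN" in pkt.flags and "ACK" not in pkt.flags
        # UDP has no handshake: a datagram for a socket pair not in the table is an opening attempt.
        return key not in self.connections

    def handle(self, pkt):
        """Decide one inbound packet (external source, internal destination); returns the decision."""
        key = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port, pkt.proto)
        who = f"{pkt.src_ip}:{pkt.src_port} -> {pkt.dst_ip}:{pkt.dst_port}/{pkt.proto}"
        if self._is_opening(pkt, key):
            number, action = self._match_acl(pkt)
            if action == "allow":
                self.connections.add(key)            # remember the approved connection
                return f"allow connection (rule {number})"
            self.log.append(f"DROP connection attempt {who} (rule {number})")
            return f"drop connection (rule {number})"
        if key in self.connections:
            return "pass"                             # ongoing state: one table lookup, no ACL walk
        self.log.append(f"DROP spurious packet {who}")
        return "drop spurious"


def walkthrough():
    """Run the packets discussed in the text through the firewall; returns (decisions, log)."""
    fw = SPIFirewall(FIGURE_3_22_ACL, FIGURE_3_23_CONNECTIONS)
    syn, ack = frozenset({"SYN"}), frozenset({"ACK"})
    decisions = {
        # SYN to 10.20.12.220:80 matches neither Rule 1 nor Rule 2, so Rule 3 drops and logs it.
        "syn_to_10.20.12.220:80": fw.handle(Packet("203.0.113.9", 51000, "10.20.12.220", 80, flags=syn)),
        # SYN to the one permitted webserver matches Rule 2 and is added to the table.
        "syn_to_webserver": fw.handle(Packet("203.0.113.9", 51001, "10.47.122.79", 80, flags=syn)),
        # SYN to any internal host on Port 25 matches Rule 1.
        "syn_to_mail": fw.handle(Packet("203.0.113.9", 51002, "10.20.12.220", 25, flags=syn)),
        # ACK from 60.3.5.75:25 to 128.171.34.5:4747 matches Connection 2 of Figure 3-23.
        "ack_in_connection_2": fw.handle(Packet("60.3.5.75", 25, "128.171.34.5", 4747, flags=ack)),
        # Same internal socket but external port 80: not in the table, so spurious.
        "ack_not_in_table": fw.handle(Packet("60.3.5.75", 80, "128.171.34.5", 4747, flags=ack)),
        # Later packets of the connection Rule 2 just approved pass on a table hit.
        "ack_in_new_connection": fw.handle(Packet("203.0.113.9", 51001, "10.47.122.79", 80, flags=ack)),
        # A UDP datagram for an unknown socket pair is treated as an opening attempt and hits Rule 3.
        "udp_unknown": fw.handle(Packet("198.51.100.7", 53, "128.171.17.13", 40000, proto="udp")),
    }
    return decisions, fw.log


if __name__ == "__main__":
    results, log = walkthrough()
    for name, decision in results.items():
        print(f"{name}: {decision}")
    print("\n".join(log))
```

The cost asymmetry the text describes is visible in the code: an opening attempt walks the whole ACL, while every other packet costs one set lookup. Real firewalls also age entries out of the table and remove them on FIN/RST, which this model omits.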

PERSPECTIVE

Although the simple operation of stateful inspection makes it inexpensive, stateful filtering provides a great deal of protection against attacks coming from the outside. This combination of low cost and strong security is responsible for the dominance of stateful inspection today.

Test Your Understanding

31. a) Why are states important? b) When are ACLs needed for stateful firewalls? c) When a packet that is part of an ongoing connection arrives at a stateful inspection firewall, what does the firewall do? d) When a packet that is not part of an ongoing connection and that does not attempt to open a connection arrives at a stateful inspection firewall, what does the firewall do? e) Why are stateful firewalls attractive? f) What type of firewalls do most corporations use for their main border firewalls?

32. a) How will an SPI firewall handle a packet containing a TCP segment that is an acknowledgement? b) How will an SPI firewall handle a packet containing a TCP SYN segment? c) How will an SPI firewall handle a packet containing a TCP FIN segment? d) How will a firewall handle a packet containing a UDP datagram? e) How will the access control list (ACL) in Figure 3-22 handle a packet that attempts to open a connection to an FTP server? Explain.

Application-Aware Firewalls

A problem with stateful packet inspection firewalls is that they only look at IP addresses and port numbers in their rules. In many firms, all connections to external hosts on Port 80 are permitted. This reflects a policy saying that internal users should be able to connect to external webservers. Realizing this, attackers have developed many pieces of malware that communicate on Port 80 but do not use HTTP. A basic SPI firewall will not catch this port spoofing. To catch it, a firewall must identify applications and create filtering rules for specific applications.

Figure 3-24: Application-Aware Firewalls

Fortunately, vendors are now producing application-aware firewalls that look beyond the port number to identify the actual application using the port. This might allow the company to enforce a rule that only connections to external webservers running HTTP will be allowed. Or, a rule might be added to forbid connections to external servers running a specific application on Port 80.

Application-aware firewalls must do two things to make application identification possible.

• First, they cannot look only at individual packets. For example, if an application program uses TCP at the transport layer, its messages will be divided into segments and placed in multiple packets. Consequently, the application-aware firewall must identify the stream of packets for a particular message and reassemble the application message.

• Second, the application-aware firewall must identify the application based on message content. This is the more difficult step. Rules for identifying particular attack programs are evolving rapidly. Attackers are also evolving in their ability to change their applications to avoid being caught by existing rules.

These two processes are complex and require many machine cycles to perform. Consequently, application-aware firewalls are more expensive per packet handled than SPI firewalls. However, many companies believe that the additional cost is justified because the additional control is necessary.
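The two steps above (reassemble the application message, then identify the application by its content), as an added example that is not from the textbook or any vendor's product. It reassembles TCP segments by sequence number, recognizes HTTP, TLS and SSH from the first bytes of the stream, and enforces an assumed policy that Port 80 must carry HTTP. The segment payloads, sequence numbers and the three-entry policy are constructed for the example; production firewalls use far richer signatures than these three.

```python
import re

# Request line of an HTTP/1.x request, the first thing a genuine web client sends.
HTTP_REQUEST_LINE = re.compile(rb"^(GET|HEAD|POST|PUT|DELETE|OPTIONS|PATCH) \S+ HTTP/1\.[01]\r\n")

# Assumed policy for the example: the application that must be seen on each port.
PORT_POLICY = {80: "http", 443: "tls", 22: "ssh"}


def reassemble(segments):
    """Rebuild the byte stream from (sequence number, payload) TCP segments delivered in any order.

    Returns None while a gap remains; a real firewall would hold the stream until the
    retransmission arrives rather than classify a partial message.
    """
    stream = b""
    expected = None
    for seq, payload in sorted(segments):
        if expected is None:
            expected = seq
        if seq != expected:
            return None
        stream += payload
        expected = seq + len(payload)
    return stream


def identify_application(stream):
    """Classify a stream by its opening bytes, ignoring the port it arrived on."""
    if HTTP_REQUEST_LINE.match(stream):
        return "http"
    if stream[:2] == b"\x16\x03":     # TLS record header: handshake (0x16), version 3.x
        return "tls"
    if stream.startswith(b"SSH-"):    # SSH protocol identification string
        return "ssh"
    return "unknown"


def application_aware_decision(dst_port, segments, policy=PORT_POLICY):
    """Allow only when the identified application is the one the policy expects on that port."""
    stream = reassemble(segments)
    if stream is None:
        return "hold: incomplete stream"
    app = identify_application(stream)
    expected = policy.get(dst_port)
    if expected is None:
        return f"allow: no application rule for port {dst_port} ({app})"
    if app == expected:
        return f"allow: {app} on port {dst_port}"
    return f"deny: {app} on port {dst_port}, expected {expected}"


def walkthrough():
    """Constructed traffic: a real-looking HTTP request split out of order, and port spoofing on 80."""
    part1 = b"GET /index.html HTTP/1.1\r\n"
    part2 = b"Host: www.example.com\r\n\r\n"
    http_out_of_order = [(1000 + len(part1), part2), (1000, part1)]
    http_with_gap = [(1000, part1), (1000 + len(part1) + 10, part2)]   # middle segment lost
    ssh_on_80 = [(5000, b"SSH-2.0-OpenSSH_8.9\r\n")]
    beacon_on_80 = [(7000, b"\x00\x01\x02\x03BEACON\x00")]              # malware that ignores HTTP
    return {
        "http_on_80": application_aware_decision(80, http_out_of_order),
        "ssh_on_80": application_aware_decision(80, ssh_on_80),
        "beacon_on_80": application_aware_decision(80, beacon_on_80),
        "http_with_gap": application_aware_decision(80, http_with_gap),
        "tls_on_443": application_aware_decision(443, [(1, b"\x16\x03\x01\x00\xf4\x01")]),
    }


if __name__ == "__main__":
    for name, decision in walkthrough().items():
        print(f"{name}: {decision}")
```

Note what the SPI model of the previous section would have done with the same traffic: every one of these streams is to a permitted port, so all of them would pass. The extra cost the text mentions is the buffering in reassemble() and the content matching in identify_application(), both of which are absent from SPI.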

Test Your Understanding

33. a) Why are application-aware firewalls desirable? b) What two things must application-aware firewalls do in filtering that SPI firewalls do not do? c) How does this additional work affect cost?

Intrusion and Extrusion Detection Systems

Figure 3-25: Intrusion Detection Systems (IDSs) and Extrusion Detection Systems (EDSs) (Study Figure)

When there is a security compromise, it is important to detect it as quickly as possible. If given time, attackers will "dig in" by deleting log files, creating backdoors, and doing many other things to make themselves difficult to find. With time, they can also explore your system to find weaknesses and to spread beyond their initial toeholds. Despite the importance of detecting intrusions quickly, post mortems conducted on security compromises often find that the adversary had been in the company's systems for months and sometimes years. Firewalls, authentication tools, encryption for confidentiality, and the other protections we have looked at so far attempt to prevent incursions. That is not enough. We also need to detect the incursions the protections cannot protect us from.

INTRUSION DETECTION SYSTEMS (IDSs)

In security, intrusion detection systems (IDSs) have existed for many years. They are rather like car alarms. When they see something suspicious, they can alert an administrator. IDSs also write information about the suspicious incident in their log files.

Unfortunately, also like car alarms, IDSs often give false alarms (false positives in security-speak). To reduce this problem, companies usually "tune" their IDSs by only having the system alert administrators to potentially high-risk suspicious incidents. This reduces false alarms, but it means that administrators should be diligent about reading log files to scan for unreported incidents. Even with tuning, intrusion detection systems create a large volume of false positives relative to correct warnings. Using an IDS requires a strong commitment to allocating the necessary resources to examine warnings carefully.

EXTRUSION DETECTION SYSTEMS

By definition, intrusion detection systems examine packets coming into a firm. However, companies also need to detect improper packets going out of the firm. If they do not, an adversary is free to steal large volumes of sensitive information without being caught. In 2013, Edward Snowden downloaded an extensive volume of NSA documents to his computer at Booz Allen Hamilton in Hawaii. How could he do that without detection? The problem may be that NSA simply lacked adequate extrusion controls. In fact, there are many examples of gigabytes of data being stolen over months or even years without detection. Extrusion detection systems (EDSs) attempt to address this problem by looking for unusual or forbidden patterns of data leaving the firm or a site.

At a minimum, they should provide alerts and log files. For extremely sensitive files, they should be able to take action and prevent their unauthorized extrusion.
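An added example (not from the textbook) that covers both the IDS tuning point above, log everything but alert only on high-severity events, and the extrusion checks the chapter lists: card numbers (validated with the Luhn check to cut false positives), documents carrying a confidentiality marker, and unusually large transfers. The transfer records, the severity thresholds, the markers and the ports treated as normal are constructed assumptions, and the card numbers are the industry's published test numbers, not real accounts.

```python
import re

ALERT_THRESHOLD = 3                  # alert at or above this severity; log everything scored
BLOCK_THRESHOLD = 3                  # prevent transfers at or above this severity
LARGE_TRANSFER_BYTES = 500 * 1024 * 1024
SENSITIVE_MARKERS = ("CONFIDENTIAL", "TRADE SECRET")
NORMAL_OUTBOUND_PORTS = {25, 80, 443}
CARD_CANDIDATE = re.compile(r"\b(?:\d[ -]?){13,19}\b")


def luhn_valid(digits):
    """Luhn checksum, which real payment card numbers satisfy; screens out random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text):
    """Digit runs of 13-19 digits (spaces or dashes allowed) that pass the Luhn check."""
    found = []
    for match in CARD_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def score_outbound(event):
    """Score one outbound transfer record; returns (severity 0-3, list of reasons)."""
    severity, reasons = 0, []
    cards = find_card_numbers(event["payload"])
    if cards:
        severity, reasons = max(severity, 3), reasons + [f"{len(cards)} card number(s)"]
    for marker in SENSITIVE_MARKERS:
        if marker in event["payload"].upper():
            severity, reasons = max(severity, 3), reasons + [f"marker {marker}"]
    if event["bytes"] >= LARGE_TRANSFER_BYTES:
        severity, reasons = max(severity, 2), reasons + [f"{event['bytes']} bytes"]
    if event["dst_port"] not in NORMAL_OUTBOUND_PORTS:
        severity, reasons = max(severity, 1), reasons + [f"unusual port {event['dst_port']}"]
    return severity, reasons


def run_extrusion_detection(events, alert_at=ALERT_THRESHOLD, block_at=BLOCK_THRESHOLD):
    """Returns (log entries for every scored event, the subset alerted on, ids of blocked transfers)."""
    log, alerts, blocked = [], [], []
    for event in events:
        severity, reasons = score_outbound(event)
        if severity == 0:
            continue
        entry = f"sev{severity} {event['src']} -> {event['dst']}:{event['dst_port']} " + "; ".join(reasons)
        log.append(entry)
        if severity >= alert_at:
            alerts.append(entry)
        if severity >= block_at:
            blocked.append(event["id"])
    return log, alerts, blocked


# Constructed outbound transfer records (not real traffic). Card numbers are industry test numbers.
SAMPLE_EVENTS = [
    {"id": 1, "src": "128.171.17.13", "dst": "203.0.113.5", "dst_port": 443, "bytes": 4096,
     "payload": "GET /news HTTP/1.1"},
    {"id": 2, "src": "128.171.34.5", "dst": "198.51.100.20", "dst_port": 443, "bytes": 12000,
     "payload": "customer export: 4111 1111 1111 1111, 5500 0000 0000 0004"},
    {"id": 3, "src": "128.171.40.9", "dst": "198.51.100.77", "dst_port": 8443, "bytes": 900 * 1024 * 1024,
     "payload": "archive.7z"},
    {"id": 4, "src": "128.171.2.2", "dst": "192.0.2.9", "dst_port": 25, "bytes": 2048,
     "payload": "Attached: Q3 roadmap (CONFIDENTIAL)"},
]

if __name__ == "__main__":
    log, alerts, blocked = run_extrusion_detection(SAMPLE_EVENTS)
    print("\n".join(log))
    print("alerts:", len(alerts), "blocked transfers:", blocked)
```

The large encrypted archive to an unusual port (event 3) is exactly the kind of event that tuning pushes below the alert threshold: it is logged but not alerted, which is why the text insists that administrators still read the logs. Raising it to an alert is a one-line threshold change, at the price of more false alarms.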

Test Your Understanding

34. a) Why are intrusion detection systems needed? b) What two things may IDSs do when they detect suspicious behavior? c) Why do companies only have the IDS produce alerts for potentially severe incidents? d) What implications does curtailing alerts have for log file reading practices? e) Why are extrusion detection systems necessary? f) Should extrusion detection systems actively prevent the outward transmission of information? g) If so, under what circumstances?

CONCLUSION

Synopsis

Security is now an integral part of every network project from requirements to ongoing operations. It is important to design security into networks up front instead of trying to add it later at far higher cost and at a substantially lower chance of success. We discuss network security throughout the book. In this chapter and the next, we look at security in depth.

We began with a discussion of the threat environment: the types of people and organizations that attack you and the types of attacks they use. Attackers include hackers, malware writers, insiders, terrorists, and national governments. Hackers today are mainly career criminals, who are dangerous because they are well-funded, work in gangs, and can buy attack software on the Internet. Insider attacks are common and tend to be damaging because insiders have access to systems, know systems well, know how to avoid detection, and tend to be trusted. Attacks by cyberterrorists and national governments tend to be very dangerous because they can afford to engage in highly sophisticated attacks, focus on doing damage instead of committing isolated crimes, and execute their attacks against many targets all at once. Cyberwar attacks by national governments would overwhelm normal corporate defenses. Already, governments and some criminal organizations have the resources to engage in advanced persistent threats, which are highly sophisticated attacks that take place over months or years and give the attacker broad access to the organization's systems.

Attack methods are also diverse. Malware is a generic name for evil software: viruses, worms (especially directly propagating worms), Trojan horses, and spam, to name only a few. Antivirus programs, despite the name, are generic tools for fighting malware. Malware often propagates between computers and then executes a payload, which is a program that does damage to the victim's computer.

Hackers break into a computer resource and then can do a wide range of damage. We discussed how they often initially scan a system by sending probe packets, perform an exploit (break-in), do damage manually, and plant malware in the system to keep doing damage. We discussed the specific definition of hacking, which is intentionally using a computer resource without authorization or in excess of authorization.

In a distributed denial-of-service attack, a botmaster builds an army of bot programs on compromised computers. The botmaster then overwhelms a selected victim with a flood of attack packets. Bots can be upgraded to fix bugs or to equip them to do a different kind of attack.

Many attacks attempt to bypass technical security through social engineering, which is a euphemism for tricking people into taking actions that compromise personal or organizational security. In phishing, the adversary crafts an e-mail message or website that looks official and reputable. In spear phishing, the enticing content is customized to a particular target individual. Advanced persistent threats typically begin with a successful spear-phishing attack.

Companies defend against attacks in many ways. One is cryptography, which is the use of mathematics to provide security. For example, a company may encrypt all transmissions for confidentiality, so that an attacker cannot read them. This normally uses symmetric key encryption. Messages can also be given electronic signatures so that their authenticity can be checked and to provide message integrity, that is, assurance that the message has not been tampered with en route.

Knowing whom you are communicating with can reduce risks. In authentication, a supplicant presents credentials to prove its identity to a verifier. Traditionally, authentication meant reusable passwords, and passwords are widely used today. However, companies are trying to move away from them because they are not very secure. People typically use dictionary words, names, and hybrids (such as capitalizing the first letter and adding a number at the end). Password cracking programs can break these passwords in seconds. Unless passwords are long (at least eight characters) and have a complex mix of keyboard characters, password cracking is far too easy, and long and complex passwords are often written down or forgotten. Today, companies increasingly are using physical access cards, biometrics (such as fingerprint, iris, and face recognition), and cryptographic methods using digital certificate authentication. Using two forms of authentication (two-factor authentication) provides stronger authentication in most circumstances.

Firewalls stop definite attack packets from entering or leaving the firm. They do not stop suspicious packets, so they are not a panacea. Most firewalls today use stateful packet inspection (SPI), in which the intensity of packet examination depends on the state of the conversation. Packets attempting to open a new connection are particularly dangerous and are given extensive scrutiny. The packet's characteristics are compared to a long list of rules in the firewall's access control list (ACL). In contrast, packets that do not attempt to open a new connection are given only cursory scrutiny. If they are part of an approved connection, they are passed. If not, they are dropped. By focusing expensive filtering resources on comparatively rare but risky connection-opening packets, SPI firewalls can provide very good security at reasonable cost. To overcome the limitations of stateful packet inspection, however, companies are beginning to adopt application-aware firewalls, which can base accept/deny rules on the specific application used in the connection, not simply IP addresses and port numbers.

It is important to stop attacks quickly when they occur. This requires firms to detect attacks quickly. Intrusion detection systems (IDSs) examine packets to detect suspicious packets (in contrast to firewalls, which focus on provable attack packets). An IDS documents suspicious activities in its log file and may alert an administrator immediately in the case of a potentially very serious attack in progress. Unfortunately, IDSs have a high rate of false positives (false alarms). In turn, extrusion detection systems look at packets going out of the corporation. They look for indications of credit card numbers, other personal information, and the transmission of documents containing trade secrets.

In this chapter, we discussed security threats and defenses. In Chapter 4, we will discuss how to manage security. As security expert Bruce Schneier has often warned, "Security is a process, not a product." Unless companies manage security consistently and well, the best technical tools will be useless. Chapter 4's purpose is actually broader, to discuss network management in general. Security management is only part of network management.

END-OF-CHAPTER QUESTIONS

Thought Questions

1. a) What form of authentication would you recommend for relatively unimportant resources? Justify your answer. b) What form of authentication would you recommend for your most sensitive resources?

2. For each of the following passwords, first state the kind of attack that would be necessary to crack it. Justify your answer. Then say whether it is an adequate password, again giving specific reasons. a) swordfish; b) Processing1; c) SeAtTLe; d) 3R%t; and e) 4h*6tU9$^l.

3. Keys and passwords must be long. Yet most personal identification numbers (PINs) that you type when you use a debit card are only four or six characters long. Yet this is safe. Why?

4. Revise the ACL in Figure 3-22 to permit access to an FTP server with IP address 10.32.67.112. Rewrite the entire ACL.

5. In digital certificate authentication, the supplicant could impersonate the true party by doing the calculation with the true party's private key. What prevents impostors from doing this?

6. What are the implications for digital certificate authentication if the true party's private key is stolen?

Case Study: Patco

In 2009, the Patco Construction Company had $588,000 drained from its bank accounts at Ocean Bank. The theft involved six withdrawals on May 8, May 11, May 12, May 13, May 14, and May 15. The money in each withdrawal was sent to a group of money mules who took a cut and sent the rest to the attacker.

After thieves stole all of the company's cash, they continued to make withdrawals. Patco's bank continued to allow withdrawals, covering them with over $200,000 from Patco's line of credit. Although the bank was able to recover or block $243,406 in transfers, Patco was still out $345,400. In addition, the bank began charging Patco interest on the money that had been withdrawn using Patco's line of credit.

Although the transactions were far larger than Patco normally made, Ocean Bank did not inform Patco of any problems until one of the account numbers entered by the thieves was invalid. It sent a notification by mail, which was not read at Patco until several days later. Patco notified the bank of problems the next morning. The bank had already sent out $111,963 that day, although some was recovered.

The bank used account numbers and passwords. For transactions over $1,000, Patco employees had to answer two challenge questions. Most withdrawals were over $1,000, so employees had to answer these same challenge questions many times. Patco believes that these challenge questions were too easy.

The State of Maine has stringent banking laws. The Federal Financial Institutions Examination Council in 2005 required banks to use at least two-factor authentication and specifically noted that usernames and passwords were not enough. Patco sued People's United Bank (doing business as Ocean Bank) for its losses, claiming that the challenge questions were nothing more than a second set of passwords and that the bank should have required much stronger credentials.

Patco also claimed that Ocean Bank should have been suspicious when such large unprecedented withdrawals were made and when they were sent to 30 different accounts. Normally, Patco only withdrew money for payrolls on Fridays. Its previous largest single-day withdrawal had been under $37,000. Patco's complaint stated that, based on belief and information from the bank, Patco assumed that antifraud monitoring was being done by the bank.

Ocean Bank did not comment on the case, but most banks in a similar situation use the defense that they were not negligent. A bank can be found negligent only if it has lower protections than are the norm in the industry.

CAUTION: The information in this case is based primarily on Patco's complaint.10 Consequently, the statements made in the case have not been validated and may be disputed by Ocean Bank as being nonfactual. Analyze the case based on Patco's allegations, but do not draw firm conclusions against the bank.

1. a) According to the information in the case, do you think the bank satisfied the legal requirement to use two-factor authentication? b) According to the information in the case, do you think the bank was doing antifraud monitoring? c) According to the information in the case, do you think Ocean Bank was negligent? d) According to the information in the case, if you were the head of Ocean Bank, what would you do to prevent the recurrence of this problem?

PERSPECTIVE QUESTIONS

1. What was the most surprising thing you learned in this chapter?

2. What was the most difficult part of this chapter for you?

10 Patco Construction Company, Inc., plaintiff, v. People's United Bank, d/b/a Ocean Bank, defendant. State of Maine, York SS Superior Court Civil Action, Docket No. 09-CV.