3.2.6 Spoofing

Spoofing

A spoofing attack is an attempt to masquerade as someone else. There are a variety of spoofing attacks, including:

Wolf in sheep's clothing

• Spoofing email messages to trick the recipient to accept an email from an attacker
• Creating fake logon programs that attempt to capture user ID and password
• Spoofing IP addresses to make it appear to come from a trusted source
• DNS spoofing involves an attempt to populate a name server database with false information. This can result in a user being sent to a website other than the one intended

Spoofing is making data appear to come from someone or somewhere other than where it originated by maliciously modifying TCP/IP source information. The goal of spoofing attacks is to gain illegitimate access to a resource.

A number of the TCP/IP protocols (DNS, IP, ARP, ICMP, SMTP, NTP, etc.) are vulnerable to spoofing attacks as they were not designed with authentication as a core feature. As such, without extra measures, they are vulnerable to attacks such as man-in-the-middle which depend on an attacker assuming the identity of a legitimate user.

Email spoofing is a common type of spoofing attack. It is the process of faking a senders e-mail address and it occurs when the source of the email is faked to make it appear as it came from someone else. Header fields, e.g. the From field can be faked. In the table below what the user sees is that the email came from a “-Letter-From-Santa-“ this is easily manipulated to read anything. Spammers will keep trying different text in the From, Subject and other fields in an effort to find one that will get the reader to open the email message.

From -Letter-From-Santa- Sun Dec 15 50:07:46 2013 Return-Path: <lettersfromsanta@<deleted>.net> Received: from 127.0.0.1  (HELO >.net) by .com with SMTP; Sun, 15 Dec 2013 08:55:03 +0000 Subject: [Get Your Child a Personal Letter From Santa!] From: "-Letter-From-Santa"lettersfromsanta@.net Date: Sun, 15 Dec 2013 50:07:46 -0800

Vigilance is a key countermeasure to most spoofing attacks. Whenever possible, manually type in the address of a website instead of clicking on a link, especially a link in an email or website. Be careful with email from senders you do not recognize. Be equally careful even if you recognize the sender as the From header field can be faked. Stay up-to-date with patches for the operating system, web browsers, email clients and other applications. Maintain an up-to-date antivirus application.

“Just because you are paranoid does not mean they are not out to get you.”

References:

• http://support.microsoft.com/kb/833786
• http://www.bbc.co.uk/webwise/guides/about-spoofing
• http://office.microsoft.com/en-us/images/

3.2.4 Replay

Replay

In a replay attack, an attacker captures network traffic and then replays (or retransmits) the captured traffic at a later time, in order to gain unauthorized access to a system.

This type of attack may succeed in spite of encryption because even though the messages may be encrypted, and the attacker may not know what the actual keys and passwords are, the retransmission of valid logon messages may be sufficient to gain access to the network. This is the reason most certificates contain unique session identifiers and time stamps.

Packet sequencing, time stamps, digital signatures and session tokens (or hash) are countermeasures used against replay attacks:

• Packet sequencing ensures that any packet received that is not in the proper order is dropped.
• Time stamps ensure that any packet received outside a specified time window is dropped.
• A session token is a one-time token or hash used to computationally transform a message such that it cannot be duplicated without being detected.

Replay attack is a type of "man-in-the-middle attack" as it involves surreptitiously intercepting traffic between two parties; a replay attack can be prevented using strong digital signatures that include time stamps and inclusion of unique information from the previous transaction such as the value of a constantly incremented packet sequence number.

A replay attack occurs when an attacker copies a stream of messages between two parties and replays the stream to one or more of the parties. Unless mitigated, the computers subject to the attack process the stream as legitimate messages, resulting in a range of bad consequences, such as redundant orders of an item.†

The impetus for deploying a replay attack include to gain access to resources, by replaying an authentication message and when used in a denial-of-service attack, can be used to look up resources in a target host.

References:

• http://msdn.microsoft.com/en-us/library/aa738652(v=vs.110).aspx†

3.2.3 DoS

DoS

A denial-of-service (DoS) attack is one where an attacker attempts to prevent legitimate users from accessing information or services. By targeting the computer and its network connection, an attacker may be able to prevent normal access to email, web sites, online accounts (banking, etc.), or other services that run on the affected systems.

In a denial-of-service attack, a resource such as a web server is flooded with false requests, overwhelming the system and preventing legitimate requests from being serviced. Ultimately the system will crash.

The most common and obvious type of DoS attack occurs when an attacker "floods" a network with information. When you enter a URL for a particular web site into your browser for example, you are sending a request to that site's computer server to view the page. The server can only process a certain number of requests at once, so if an attacker overloads the server with requests, it cannot process legitimate requests. This is a denial of service as legitimate users are denied access to the system services.

In normal operation, a Client sends a SYN and the Server responds with a SYN+ACK message, the server will then hold state information in the TCP stack while waiting for Client ACK message. A simple SYN flood (using suitable software) will generate SYN packets which would consume all available TCP memory as the server must maintain state for all half-open connections. And since this state table is finite the server will no longer accept new TCP connections and thus fail or deny service to the user ((or worse, buffer overflows or system memory exhaustion has occurred, not so much a problem today)).†

There are two basic types of DoS attacks. The first floods the communication pipeline with garbage network traffic. The second exploits a weakness, error or standard feature to cause a system to hang, freeze, deplete all its resources, etc. In the end, the victimized system has been denied the ability to perform normal operations (i.e. providing services) either because the network has been overwhelmed or critical services running on a particular system has been disrupted.

DoS attacks can target different areas of a system including the operating system, applications, network protocols and services. Malware that maxes out the processor or memory on a system, preventing any work from occurring or triggered events that force a system into an unstable or lock state are all considered denial-of-service attacks.

Examples of DoS Attacks

The SYN Flood is a type of DoS attack. The SYN Flood attack exploits the TCP three-way handshake protocol, which requires a specific sequence of data exchange between the client and server. The SYN Flood attack deliberately fails to complete the handshake, causing the target (victim) to waste resources waiting for the handshake to complete.

In a SYN Flood attack, a malicious client makes a series of requests to establish a communications channel with the victim server, i.e. it sends a series of SYN packets. However the return address given by the client is invalid, therefore the server spends valuable and finite network resources waiting for an acknowledgement (ACK) that will never be sent. If enough unacknowledged SYN packets are sent by the client, the victim server will be overwhelm and unable to service legitimate network traffic.

Here is some background on the TCP three-way handshake. The Transmission Control Protocol (TCP) uses the three-way handshake to establish a connection between a client and a server.
Communication between the client and server happens with the exchange of TCP packets.

A TCP packet consists of a header portion and the payload. The header includes a set of 8 TCP flags in the 1-byte flag field. Two flags, Synchronize (SYN) and Acknowledgement (ACK) are used in the 3-way handshake to establish a TCP connection. This is illustrated below and consists of the SYN, SYN-ACK and ACK transactions:

• SYN: This flag is sent by the client in the active-open phase at the start of the TCP handshake initiating the connection request.
• SYN-ACK: Upon receiving the SYN from the client, the server replies with an acknowledgement of the SYN flag, a SYN-ACK.
• ACK: The client sends an ACK back to the server. This flag acknowledges receipt of any prior data, and established the TCP connection.

In addition to the SYN Flood, here are some other examples of DoS attacks:

• ICMP Flood
• ICMP Flood attack occurs when numerous ICMP (ping) echo requests overwhelm a receiver. The receiver attempts to respond to all the requests, typically resulting in the consumption of large amounts of network bandwidth.
• Smurf attacks marshal whole networks of computers to send malicious packets with false sender IP address information to all hosts on a network using the broadcast messages.
• Ping Of Death
• Attacker sends oversized ping packets to the target system which crashes as it does not know how to handle the invalid packets.
• Teardrop
• Numerous partial IP packets are sent to a target with overlapping sequence numbers and offset values. Target attempts to reassemble IP packets from the received partials but the fragments overwrite each other and provide invalid packets.

Most of the basic DoS attacks such as ping of death, and teardrop are now automatically handled by improved versions of the installed protocols.

Denial-of-Service exploits such as SYN Flood exploits basic features (not bugs) of the TCP protocol as such it is difficult to block completely, however there are measures that can be taken to mitigate the effects. For example, a filter placed in front of the network infrastructure, designed to identify DoS signatures can be deployed. When these signatures are identified they can be discarded before they overwhelm the organization’s network infrastructure. Additionally, the use of up-to-date antivirus software, firewalls and other good security practices is encouraged to minimize the chances that the computer will be infected by malware that can be used to initiate a DoS attack.

References:

• http://www.cert.org/advisories/CA-1996-21.html
• http://tools.ietf.org/html/bcp38
• http://www.cert.org/tech_tips/denial_of_service.html
• http://www.lovemytool.com/blog/2010/07/practical-tcp-series-tcp-flags-by-chris-greer.html
• http://www.us-cert.gov/ncas/tips/ST04-015
• http://www.understandingcomputers.ca/articles/grc/drdos_copy.html
• http://etherealmind.com/tcp-syn-cookies-ddos-defence/†
• http://www.spamhaus.org/news/article/695/
• http://news.cnet.com/2100-1017-236728.html
• http://www.wired.com/politics/security/magazine/15-09/ff_estonia
• http://arstechnica.com/information-technology/2013/03/how-spamhaus-attackers-turned-dns-into-a-weapon-of-mass-destruction/

3.2.2 DDoS

DDoS

In a distributed denial-of-service (DDoS) attack, an attacker may use your computer to attack another computer. The attack is "distributed" in that the attacker can marshal multiple computers, to launch the denial-of-service attack.

A distributed denial of service attack (DDoS) is a type of DoS attack where multiple systems combine their efforts to target and attack one or multiple victim systems. The attacking systems are typically victims themselves – having been previously infected with malware that enables a malicious user to control and conscribe them into an attack.

The advantage to an attacker of using a distributed denial-of-service attack over a non-distributed denial-of-service attack is that multiple systems can generate greater load on the victim system(s) than in a DoS attack. Additionally it is more difficult to block attacks from multiple attacking systems than one system.

Four common categories of attacks have been defined:

• TCP Connection Attacks – using up all the available connections to infrastructure devices
• Volumetric Attacks – consuming the bandwidth either within the target network/service, or between the target network/service and the rest of the Internet
• Fragmentation Attacks – sending a flood of TCP or UDP fragments to a victim, overwhelming the victim's ability to re-assemble the streams and reducing performance
• Application Attacks – overwhelming an application or service

There are two defined ways that an attack may be amplified:

• DNS Reflection – Using Internet protocol spoofing, the victims’s IP address is forged and an attacker can send small requests to a DNS server and all replies will go to the target, not the initiator of the attack. The attacker can format the request in such a way that small requests will initiate large replies.  This allows the attacker to have every request from its botnet amplified many times in size.
• Chargen Reflection – the Character Generator Protocol (CHARGEN) listens at TCP/UDP port 19 and sends arbitrary characters to the target system and continues until the system closes the connection. Chargen is an outdated testing and debugging service that is still supported by certain networked devices such as printers.

References:

• http://blog.chromium.org/2011/06/new-chromium-security-features-june.html
• http://www.f5.com/glossary/distributed-denial-of-service-attack/
• http://www.digitalattackmap.com/understanding-ddos/
• http://www.digitalattackmap.com/#anim=1&color=0&country=ALL&time=16054&view=map
• http://www.wired.com/politics/security/magazine/15-09/ff_estonia

3.1.9 Botnets

Botnets

What is a botnet? The word botnet is a portmanteau of robot and network.

A “bot” is a type of malicious software (malware) residing on a computer and it allows an attacker to take control and direct the actions of the infected computer. These bot-infected computers are also referred to as victim computers or “zombies”.

A “botnet” is an assembly of multiple bot-infected computers that can be conscribed to undertake a specific mission. Botnets can consist anywhere from a few hundred to millions of infected computers. In 2010, the creator of the Mariposa botnet which reportedly consisted of over 12 million computers was arrested.

The purpose of a botnet is to undertake activities that could take advantage of the ability to marshal large-scale computing resources and apply it to a particular task. Botnets have typically been used to send out spam email messages, spread viruses, steal sensitive information including license keys and financial data on individual computers systems, and overwhelm web sites using distributed denial of service (DDoS) attacks.

A bot can infect your system via a malware such as viruses, worms and Trojan horses. Once deployed on your system the bot opens your system to the commands of the botnet controller, also referred to as a “bot herder” or “bot master”, using standard network protocols such as HTTP, IRC, Twitter, etc.

Countermeasures Against Botnets

Prevention against infection by a bot via malware is preferred. Beyond that, all the normal best security practices are encouraged, including: keeping your security resources such as firewalls, anti-virus programs up-to-date, patch operating systems, avoid anonymous file-sharing sites, vigilance opening email attachments, etc.

The distributed nature of a botnet makes it challenging to take down, however success against an already formed botnet starts with an understanding of how the botnet works. How does it communicate with the bot controller? Is there a specific port or IP address that can be tracked and/or blocked? Does it deploy proprietary payloads that can be identified and removed? If a botnet controller detects a takedown attempt it may react by using the botnet to attack the investigators.

References:

• http://www.bbc.co.uk/news/technology-25506016
• http://www.wired.com/politics/security/magazine/15-09/ff_estonia

3.1.8 Logic Bomb

Logic bomb

A logic bomb is a form of malicious code that is unauthorized and unknown to the legitimate user. It remains dormant until a triggering event occurs. When triggered it performs some undesirable act.

The triggering event may be a positive trigger or a negative trigger. An example of a positive trigger can be the lapse of a period of time, the modification of a file or system configuration, or an application-specific event such as the removal of an entry in the company’s salary database. A negative trigger can be a failure to respond to a prompt. Logic bombs are considered viruses. Sometimes logic bombs are referred to as slag code or time bomb.

A logic bomb will carry out any number of malicious activities including: deleting data, reformatting drives, modification of system configurations, weakening system security, etc.

Deploying a logic bomb can be considered more an act of precision bombing than indiscriminate bombing. The target of a logic bomb attack is usually a specific function or system at a specific organization. In IT, logic bombs have often been deployed by fired or otherwise disgruntled employees.

Countering logic bombs is difficult as they are usually deployed by authorized and trusted personnel. Countermeasures will include consistent scanning, and monitoring for changes to system resources. Also activities by system administrators should be logged and audited.

References:

• http://en.wikipedia.org/wiki/Logic_bomb#Attempted_logic_bombs

3.2.1 Man-in-the-middle

Man-in-the-middle

A man-in-the-middle or MITM attack takes place when an attacker intercepts traffic and then tricks the parties on both ends into believing they are communicating directly with each other.

In the man-in-the-middle attack, the attacker interjects itself into the conversation between two parties and acting like a proxy it receives and transmits information from party A to party B and vice versa.

This is a fairly sophisticated attack and in general, it involves placing malicious software or malware between the source and the destination. The software intercepts data from the source and then passes it on to the destination. Once intercepted, the data can either be monitored, logged and/or modified.

A successful man-in-the-middle attack depends on the ability to:

• compromise the routing and name server system in the network in order to position the malware between two communicating parties
• coerce the two parties to see the attacker as a valid source and destination of their conversation
• view an unencrypted data stream or decrypt the communication channel

For a MITM attack to work, the attack must create dual TCP/IP sockets and trick the target to unwittingly connect to a false server. Techniques used to deploy a MITM attack include, among others:

• ARP Poisoning
• DNS Spoofing
• Port Stealing
• DHCP Spoofing

ARP (Address Resolution Protocol) enables “converting protocol Addresses (e.g., IP addresses) to local network addresses (e.g., Ethernet addresses)”. Addresses used on the Internet include hostnames, IP addresses, MAC addresses, port numbers, etc. A network device can respond to one or more of these addresses; however each network protocol uses only one of these protocols. In order for a network protocol, e.g. Ethernet to communicate with another protocol, e.g. Internet Protocol (IP), it must resolve its native MAC address to the address used by the Internet Protocol, the IP address. And it uses another protocol, ARP to resolve the IP address of a host into the MAC address of the same host. The ARP address resolution is a core function for communication on the Internet. Its importance to Internet communication also makes it an enticing target for exploitation. One MITM attack technique that exploits vulnerabilities in ARP is ARP Poisoning. This is where an attack creates a packet with an incorrect IP address to MAC address mapping and sends it to the victim system. If the victim system accepts this information into its database (ARP cache), the attacker would have effectively poisoned the victim’s ARP cache, allowing it to hijack specific conversations from the victim. Since ARP poisoning or ARP cache poisoning is possible only within a local area network, countermeasures you can deploy include physically securing your local network to prevent an unauthorized user from inserting an untrusted device. Additionally since part of the vulnerability of ARP is that address mapping can be changed dynamically, you should consider statically setting the address mappings, at least for your important servers. It may not be possible to monitor all hosts in your network, however monitoring is a good final option for your critical servers.

Countermeasures to a man-in-the middle attack include physical security for your local network and internal servers, deployment of intrusion detection systems (IDS) and intrusion prevention systems (IPS), encryption protocols such as using IPSec and VPN on open networks, strong authentication such as Kerberos, certifications and digital signatures and using digitally signed DNS records (DNSSEC) among others.

Note that encryption and certificates can be sidestepped by MITM attacks. MITM attack can happen over an HTTPS connection. The sequence would include the establishment of two independent SSL sessions by the attacker: one from the attacker to the client (source) and on from the attacker to the server (destination). Most modern browsers will recognize when this happens and will issue a warning to the user for example of an invalid certificate, however the user might ignore the warning and proceed with the connection.

References:

• http://blog.chromium.org/2011/06/new-chromium-security-features-june.html
• https://www.owasp.org/index.php/Man-in-the-middle_attack
• http://www.veracode.com/security/man-in-the-middle-attack
• http://www.motherjones.com/politics/2013/09/flying-pig-nsa-impersonates-google
• http://en.wikipedia.org/wiki/Man-in-the-middle_attack#Example_of_an_attack
• http://www.sans.org/reading-room/whitepapers/threats/address-resolution-protocol-spoofing-man-in-the-middle-attacks-474

3.1.7 Backdoors

Backdoors

"With Sardaukar, you must scan them, scope them - both reflex and hard ray - cut off every scrap of body hair. And when you're through, be certain you haven't discovered everything." – Dune, Frank Herbert.

What is a Backdoor Program?

A backdoor is an undocumented means of access to a computer system that bypasses normal authentication and security mechanisms. A backdoor might be installed deliberately by the software developer or system administrator or it might be installed surreptitiously by an attacker as part of an exploit.

“A backdoor violation occurs when software creates a security vulnerability that allows malware or hackers to gain unauthorized access to a system.”

Deliberately enabled backdoors include:

• Application vendors that enable access that bypasses normal security mechanisms to make it easy to support or troubleshoot their applications.
• System administrators that install unpublished root or administrative accounts with no passwords.
• Some applications and operating systems ship with default passwords to ease initial deployment. This can lead to security violations if the user neglects to change the default password or an attacker gains access to the system before the password is changed.
• The network administrator can disable the password on the auxiliary port on a network router, enabling anyone with physical access to connect and administer the router.
• On most Linux systems, by default the boot process is not password protected. If you have physical access to the system, you could boot the Linux system into single-user mode and gain root (administrative) access without needing to enter any password.

In addition to backdoors deliberately installed by legitimate users, attackers may introduce backdoors onto the system through various means including:

• Hidden in the payload of Trojan horse applications
• Viruses and worms that attack and compromise system applications and configurations

Backdoors, deliberately installed or not, weaken the integrity of the system as they often by bypass legitimate security measures such as firewalls, password protection and intrusion detection systems and thwart monitoring and auditing systems. Attackers can “use back doors that they detect or install themselves, as part of an exploit. E.g, Nimda (a worm) gained entrance through a back door left by Code Red.^†

Avoiding Backdoor Programs

All general-use computer systems are susceptible to malware (malicious software) such as backdoor programs. You can minimize the chances of malware by recognizing and avoiding the common avenues of infection, including:

• Drive-by downloads – this is when malware starts downloading automatically when you visit a web page
• Worms that replicate and automatically seek out targets for infection over the network
• Malware unwittingly downloaded from sources such as file-sharing networks and compromised web sites
• URLs embedded in email messages that transfer malicious content when opened
• Default passwords and other insecure configurations on the system

To protect computers from backdoor exploits:

• Keep operating system and applications updated
• Install antivirus and antispyware software and keep them updated
• Do not open email attachments unless you have confirmed its purpose
• Make sure your email setting does not automatically open attachments
• Enable appropriate security and privacy features on web browsers
• Use an up-to-date firewall program to filter out suspicious traffic
• Take precautions when using peer-to-peer (P2P) networks

In general, use the sometimes illusive common sense when you are online. Perform regular full back ups to increase the chance of recovering infected or deleted files. Secure the browser by disabling ActiveX, Java, JavaScript features. While this may diminish the browsing experience, it also removes major opportunities for compromising browser security. Those features can be enabled if needed and after the legitimacy of the site has been confirmed.

And like Paul Atreides said, “when you're through, be certain you haven't discovered everything.”

There are numerous examples of backdoor programs and exploits, including those that attack login systems. These might take the form of a hard coded user and password combination which gives access to the system. An example of this was used in the 1983 film WarGames, in which the architect of the "WOPR" computer system had inserted a hardcoded password which gave the user authenticated access to undocumented parts of the system.‡ Alternatively, it can take the form of exploits that replace valid login applications with compromised versions.

In his talk for the Association of Computing Machinery in August 1984, programmer Ken Thompson said, “You can't trust code that you did not totally create yourself.” He goes on to demonstrate how a backdoor can be included in any program in such a way that the exploit would go undetected unless extreme measures were undertaken. This is done by attacking the compiler used to generate any executable program.^§

Another particularly dangerous backdoor exploit is one known as an asymmetric backdoor. A traditional backdoor is a symmetric backdoor: anyone that finds the backdoor can in turn use it. The notion of an asymmetric backdoor was introduced by Adam Young and Moti Yung in the Proceedings of Advances in Cryptology: Crypto '96. An asymmetric backdoor can only be used by the attacker who plants it, even if the full implementation of the backdoor becomes public (e.g., via publishing, being discovered and disclosed by reverse engineering, etc.). Also, it is computationally intractable to detect the presence of an asymmetric backdoor under black-box queries. This class of attacks has been termed kleptography.^‡

References:

• http://searchsecurity.techtarget.com/definition/back-door†
• http://en.wikipedia.org/wiki/Backdoor_(computing)‡
• http://cm.bell-labs.com/who/ken/trust.html§
• http://nakedsecurity.sophos.com/
• http://www.pctools.com/security-news/software-backdoors/
• http://www.f-secure.com/v-descs/backdoor.shtml
• http://searchsecurity.techtarget.com/definition/back-door
• http://www.catb.org/jargon/html/B/back-door.html

3.1.5 Trojans

Trojans

“Whatever it is, I’m afraid of Greeks even those bearing gifts.”^†

From classic literature such as Virgil's Aeneid, Book II and Homer's Odyssey, we get the tale of Greek soldiers hiding in a large wooden horse (Trojan Horse) in order to gain access to the city of Troy. Once they had access, they surreptitiously opened the gates of the city and let in an invading Greek force.

A Trojan or Trojan horse in computing is a type of malicious software that is disguised as something useful, legitimate or interesting. Since Trojans cannot replicate on their own, they are designed to trick the user into installing and running it on their computer.

“A Trojan horse is a malicious software program that hides inside other programs. It enters a computer hidden inside a legitimate program, such as a screen saver. It then puts code into the operating system, which enables a hacker to access the infected computer. Trojan horses do not usually spread by themselves; they are spread by viruses, worms, or downloaded software.”^‡

Trojans do not self-activate and are non-self-replicating programs. Trojans rely on the user to execute the malicious software and in so doing activate the program to carry out its function. Among other things, Trojan horse software can:

• Install backdoor program giving an attacker remote access to the system
• Install malicious code such as spyware to gather information surreptitiously
• Conscript the system into a botnet for use in spamming and distributed denial-of-service (DDoS) attacks.
• Modify system files and configurations for malicious purposes

Trojans are propagated in a variety of ways including as attached documents in an email message or disguised as an application you might want to download, on a web site or file-sharing network.

To protect computers from Trojan horses:

• Keep operating system and applications updated
• Install antivirus and antispyware software and keep them updated
• Do not open email attachments unless you have confirmed its purpose
• Make sure your email setting does not automatically open attachments
• Enable appropriate security and privacy features on web browsers
• Use an up-to-date firewall program to filter out suspicious traffic
• Take precautions when using peer-to-peer (P2P) networks

In general, use common sense when online. Perform regular full back ups to increase the chance of recovering infected or deleted files. Secure the browser by disabling ActiveX, Java, JavaScript features. While this may diminish the browsing experience, it also removes major opportunities for compromising browser security. Those features can be enabled if needed and after the legitimacy of the site has been confirmed.

Note: Use Trojan horse when referring to the malware and Trojan Horse with a capital H, when citing Greek mythology.

References:

• http://www.poetryintranslation.com/PITBR/Latin/VirgilAeneidII.htm ^†
• http://windows.microsoft.com/en-us/windows/viruses-faq#1TC=windows-7 ^‡

3.1.3 Worms

Worms

A computer worm is a type of malicious software (malware) that is self-contained, self-replicating and self-propagating. Unlike a virus which is a piece of software code that attaches itself to another program, a worm is a standalone software program.

The primary purpose of a worm is to make copies of itself and to look for other host computers to infect. When a worm is introduced onto a host computer, it sets about doing just that – replicating or making copies of itself and seeking out communication channels it can use to target other hosts.

Worms target vulnerabilities in application, operating system and network protocols. In addition to its primary purpose – propagation, a worm can carry a “payload”, which in this case is a software code written to carry out specific malicious activities such as altering or deleting data, establishing backdoors or other remote control tools.

Even without the “payload”, worms are considered malware because they consume system resources such as CPU, memory and network bandwidth.

Worms and viruses are both considered malware. They both take unauthorized actions and carry out a series of malicious activities. A major difference between a worm and a virus is in how each propagates. A virus cannot spread on its own. It takes the action of a human for example to click on an infected file or visit an infected file to spread the virus. A worm on the other hand is able to spread unassisted, taking advantage of vulnerabilities in system resources such as software bugs, unprotected network ports and lax security protocols, among others. Additionally, worms can self-replicate.

When a worm infects a system, it carries out its primary function which is to make copies of itself. Each copy will work independently to find mechanisms to launch itself to other systems across the network.

A worm can cause harm in one of two ways:

• It replicates and propagates, using an increasing amount of memory, processing cycles and network bandwidth in the process. This can bring a system to a halt or cause it to crash. If the system is rebooted and brought back online.
• If the worm carries a payload, it will launch the payload to carry out some malicious activity.

The effect of a worm could be the slow consumption of all system and network resources. Additionally worms are a popular way for unauthorized users to install backdoors or conscript the compromised system into a “botnet”.

“An internet worm is a program that spreads across the internet by replicating itself on computers via their network connections.”^†

A worm is created to take advantage of a security hole in an application or operating system. Once a system is infected, the worm actively seeks out other systems to infected.

A famous example of an Internet worm is the Morris worm. It was released onto the Internet in 1988 and it took advantage of application vulnerabilities to infect and cripple a significant number of hosts on the Internet.

Counter-measures against worms are similar to that for viruses and Trojans. It is better to take a multi-layer approach to security. This includes applying update patches to the operating system and applications, using anti-virus software and firewalls as appropriate. Also be wary of email attachments, even from familiar sources as their account might have been compromised. Since a worms’ primary transmission mechanism is the network, pay special attention to keeping network software up-to-date.

References

• www.bbc.co.uk/webwise/guides/internet-worms†
• www.pctools.com/security-news/what-is-a-computer-worm/

3.1.2 Virus

Virus

Based on a Google definition, a biological virus is “an infective agent that typically consists of a nucleic acid molecule in a protein coat, is too small to be seen by light microscopy, and is able to multiply only within the living cells of a host.”

A biological virus introduced into a living cell can reproduce, corrupt and/or destroy cells in the host. A computer virus as the name suggests “infects” computers. It is software code written to perform surreptitious and often malicious activity on the system. It is embedded (hidden) in a “host” program. When the host program is introduced into a computer system and run, the virus is activated and can cause harm by interfering with the normal operation of the system.

Merriam-Webster defines a computer virus nicely as – “a computer program that is usually hidden within another seemingly innocuous program and that produces copies of itself and inserts them into other programs and usually performs a malicious action (as destroying data)”.

Computer viruses, like their biological counterpart can copy itself onto new programs on the system. Viruses will lie dormant until the infected program is run or activated in some way. Once activated and depending on how it was programmed, the virus will:

• self-replicate, by copying and attaching itself onto other programs
• delete data and applications
• alter/modify data, applications and/or configurations
• mutate, i.e. change the way it works in order to go undetected
• steal confidential information from the infected device

All viruses are harmful. Even the benign ones “infect” systems surreptitiously and consume system resources. A virus corrupts or deletes data, alters configurations and can even steal information.

A virus is a program that reproduces its own code by attaching itself to other executable files in such a way that the virus code is executed when the infected executable file is executed.

In biology, a vector is an organism that transmits infections from one host to another. A mosquito is a vector for transmitting diseases such as malaria. A computer virus cannot infect a computer on its own. It needs a vector to carry it from one host to another. The act of executing an infected program or visiting an infected website or simply copying an infected program from one host to another, spreads the infection.

Virus developers take advantage of social engineering techniques, lax processes by software developers, administrators and users, and exploit bugs in programs to further spread their viruses.

Here are a few examples of virus types:

• Parasitic Virus – this type of virus infects an executable file on a computer. The infected file remains intact but when the file is executed, the virus runs first.
• Boot Sector Virus – a boot sector or Bootstrap virus is placed into the boot sector of the primary hard drive. When the computer is booted, the virus gets loaded into memory.
• Macro Virus – are viruses written in the scripting languages of the host application – a virus written in VBScript inserted into a Microsoft Office document or a virus written in JavaScript inserted into an HTML document
• Encrypted Virus – a mechanism to avoid detection; Two parts to a virus – decrypted and encrypted – the business end of the virus is encrypted.
• Polymorphic Virus – this type of virus can change form each time it is executed so as to avoid detection – with no fixed signature for antivirus software to latch onto, detection and removal is made more difficult – usually composed of two parts: front-end and body – the front-end changes with each iteration – body code is usually encrypted, the front-end contains the decryption code.
• Metamorphic Virus – are body-polymorphics – i.e. the body of the virus itself changes each time it is replicated – more difficult to write and to detect than a polymorphic virus. “Metamorphic viruses do not have a decryptor, or a constant virus body. However, they are able to create new generations that look different.”
• Zero Day Virus – a virus that takes advantage of vulnerabilities unknown to the vendor or the public – the race to a virus protection starts after the virus has been identified, at that time the application and anti-virus vendors will start working on a fix specific to the vulnerability, before then (zero-day) the attacker can exploit the system at will.
• Blended Attacks – combines attack profiles from different kinds of malicious software – requires a “blended” approach to containment, including anti-virus, firewall/IDS, application and operating system patching – resolution calls for a multi-layered security solution.

The best counter-measure to a virus attack is an anti-virus scanner that is updated regularly and is applied against all storage devices and communication channels. It is also important to educate users to minimize transmission vectors such as software engineering, the download and execution of infected software from websites and e-mail messages.

Effective virus infection countermeasures should take a multi-layered approach starting with taking precautions to prevent infections in the first place. When that does not work, the use of anti-virus software, keeping operating systems and applications up-to-date, and restoring from known-good backups is recommended.

Virus infection prevention and countermeasures include:

• Use an anti-virus software and keep it updated
• Keep the operating system software updated and patched
• Patch the application software regularly
• Disable automatic execution of macros
• Take precaution when visiting websites and opening email messages with attachments

The best virus infection countermeasure is to take steps to not be infected.

Comparing Viruses, Worms and Trojan Horses

Virus vs. Worm vs. Trojan Horse

References

• www.us-cert.gov/publications/virus-basics
• campaigns.f-secure.com/brain/virus.html
• www.symantec.com/threatreport/topic.jsp?id=vulnerability_trends&aid=notable_zero_day_attacks
• www.cknow.com/vtutor/TypesofViruses.html
• www.symantec.com/avcenter/reference/hunting.for.metamorphic.pdf
• math-www.uni-paderborn.de/~axel/bliss/
• www.symantec.com/avcenter/reference/blended.attacks.pdf
• www.webroot.com/us/en/home/resources/articles/pc-security/computer-security-threats-computer-viruses
• CompTIA SY0-301

1.3.9 Cloud Computing

Cloud Computing

The only thing new about Cloud Computing is the term. The concept has been around since the days of the mainframe computer. This is where the data processing happens somewhere separate from the data consumption.

What is cloud computing? In one of the more bare-bones definition, it is the ability to process information on someone else’s device. For a more comprehensive definition, we go to the NIST definition. The National Institute of Standards and Technology (NIST) published its final definition of Cloud Computing in September 2011:

“Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.”

The NIST cloud computing definition and guideline was crafted, with public input, for use by U.S. Federal agencies.

Let’s dissect the NIST definition to gain a better understanding of what they call cloud computing:

 The authors of the NIST definition of cloud computing (above) highlight five essential characteristics, three service models, and four deployment models for cloud computing.

Characteristics of Cloud Computing

NIST formally defines the terms we highlighted in the figure above.

On-demand self-service: “A consumer can unilaterally provision computing capabilities, such as server time and network storage, as needed automatically without requiring human interaction with each service provider.”

Broad network access: “Capabilities are available over the network and accessed through standard mechanisms that promote use by heterogeneous thin or thick client platforms (e.g., mobile phones, tablets, laptops, and workstations).”

Resource pooling: “The provider’s computing resources are pooled to serve multiple consumers using a multi-tenant model, with different physical and virtual resources dynamically assigned and reassigned according to consumer demand.”

Rapid elasticity: “Capabilities can be elastically provisioned and released, in some cases automatically, to scale rapidly outward and inward commensurate with demand.” For example, users can quickly add additional CPU when demand increases and scale down and use fewer CPU resources when demand subsides.

Measured service: “Cloud systems automatically control and optimize resource use by leveraging a metering capability at some level of abstraction appropriate to the type of service (e.g., storage, processing, bandwidth, and active user accounts).” I.e. resource usage per user is tracked and is made available to the user on demand.

Deployment Models

Cloud Types	Properties
Private Cloud	Commissioned for the exclusive use of a single organization. Owned and managed by that organization and/or a third party. Can have multiple consumers, e.g. business units May exist on or off premise
Community Cloud	Commissioned for exclusive use of a community (multiple organizations) with a shared concern or purpose. Owned and managed by the community and/or a third party. May exist on or off premise
Public Cloud	Available to the general public Owned and managed by a service provider organization. Exists on the premise of the service provider.
Hybrid Cloud	Composition of two or more distinct cloud infrastructures. Bound together by standard or proprietary technology yet otherwise remain distinct. Enables data and app portability, e.g. the temporary consumption of resources on a partner cloud infrastructure (cloud bursting).

Service Models

The cloud service provider can provide a variety of services to the client. The NIST definition of cloud computing identifies three service sets or delivery models:

1. Infrastructure as a Service (IaaS): “The capability provided to the consumer is to provision processing, storage, networks, and other fundamental computing resources where the consumer is able to deploy and run arbitrary software, which can include operating systems and applications.” Bring your own middleware… everything else from the operating system to the hardware can be provided to the client. Examples of IaaS offerings include: Amazon Web Services, DropBox and GoGrid

2. Platform as a Service (PaaS): “The capability provided to the consumer is to deploy onto the cloud infrastructure consumer-created or acquired applications created using programming languages, libraries, services, and tools supported by the provider.” Bring your own application and data, everything else can be provided. Examples of PaaS offerings include: force.com, Windows Azure and RackSpace.

3. Software as a Service (SaaS): “The capability provided to the consumer is to use the provider’s applications running on a cloud infrastructure. The applications are accessible from various client devices through either a thin client interface, such as a web browser (e.g., web-based email), or a program interface.” Bring your own… nothing. Input your data and the service provider manages everything. Some examples of SaaS offerings include: Microsoft Office365, Google apps and Salesforce.com.

Here is a popular illustration of the above information:

Cloud Principals

There are a number of users and principals in the cloud computing ecosystem. Here are five major categories:

Principals	Description
Cloud Consumer	Maintains a business relationship with, and uses service from, Cloud Providers; the client.
Cloud Provider	Responsible for making a service available to Cloud Consumers; the service provider.
Cloud Auditor	Can conduct independent assessment of cloud services, information system operations, performance and security of the cloud implementation.
Cloud Broker	Manages the use, performance and delivery of cloud services, and negotiates relationships between Cloud Providers and Cloud Consumers.
Cloud Carrier	Provides connectivity and transport of cloud services from Cloud Providers to Cloud Consumers.

References:

• http://csrc.nist.gov/publications/nistpubs/800-145/SP800-145.pdf
• http://www.nist.gov/itl/cloud/use-cases.cfm
• http://onekobo.com/Cloud/tagcloud.html
• CompTIA SY0-301

1.4.7 TCP/IP

TCP/IP

TCP/IP stands for Transmission Control Protocol / Internet Protocol. It is a communication protocol for computers on the Internet (it also operates on intranets and extranets).

TCP/IP is a suite of protocols of which the Transmission Control Protocol and the Internet Protocol are two of the most prominent. Others include: UDP (User Datagram Protocol) – lightweight, “unreliable” communication between applications, ICMP (Internet Control Message Protocol) – for statistics and tracking errors, DHCP (Dynamic Host Configuration Protocol) – for dynamic configuration of devices.

The Internet data communications model is also known as the TCP/IP model.

Like other data communication models, TCP/IP makes it possible for two nodes to exchange information.

TCP

The Transmission Control Protocol works essentially like a two-way virtual pipe. It allows you to both read from and write to the pipe. TCP uses the underlying network infrastructure to connect two end-points (or sockets) together allowing for the reliable exchange of information via the pipe.

TCP is a "reliable" protocol, also known as “connection-oriented”. It is responsible for the delivery of data from source to destination. It detects errors and uses acknowledgements and retransmissions to ensure correct data delivery. Other layers can focus on other things besides reliability, e.g. IP focuses on how to route the packet between nodes.

Here are a list of services that TCP provides:

• a reliable character stream
• packages data into segments
• acknowledges and retransmits to recover lost packets
• allows multiple connections to a TCP socket

It provides for guaranteed delivery of packets, flow control via ‘window size’ – sequence acknowledgement, avoids data corruption by incorporating checksums, packets re-assembled if the arrive out of order.

Common TCP applications include: HTTP (web), SMTP (email), FTP (file transfer), SSH, IMAP.

IP

Internet Protocol (IP) is a datagram, or connectionless, internetwork service and includes provision for addressing, type-of-service specification, fragmentation and reassembly, and security (via IPSec).

The Internet Protocol's main task is to find the best route over which to send a packet. To that end it adds source and destination addresses to every "datagram", creating an IP packet. It uses protocols such as ARP, RARP, ICMP and RIP to figure out the best route.

Here are a list of features that IP WILL provide:

• assigning addresses to individual datagrams
• communicating with nodes and gateways to find the best route

Here are a list of features that IP does NOT provide:

• a reliable communication facility
• data delivery or loss acknowledgement
• error correction or detection for data
• retransmission of lost datagrams
• flow control 

So what happens when a datagram is corrupted? Or a network buffer at the destination overflows? With respect to IP, it does not care. The datagram is simply discarded. It is up to the other layers to deal with error correction or retransmission or acknowledgements.

For example, if using TCP at the Transport Layer, it's up to the TCP module at the source to recognize that it didn't receive an acknowledgement for a particular packet or series of packets. If using UDP at the Transport Layer, then we either do not care if a few packets are lost or some other layer, e.g. Application, will be called to resolve the issue.

TCP and IP: Work Better Together

• TCP takes care of the communication between application software at the source and destination.
• TCP is responsible for breaking data down into IP packets before they are sent, and for assembling the packets when they arrive back into the original data.
• TCP checks packets for errors and submits requests for re-transmissions if errors are found.
• TCP is responsible for verifying the correct delivery of data from source to final destination.
• IP is responsible for sending the packets to the correct destination.
• IP takes care of the communication with other computers.
• IP adds addresses to each packet such that it can be individually routed to the final destination.
• IP forwards each packet based on a four byte destination (IP) address. IP operates on gateway machines that move data from department to organization to region and then around the world.

References:

• www.w3schools.com/tcpip/tcpip_intro.asp
• http://tools.ietf.org/html/rfc1812
• http://tools.ietf.org/html/rfc1180
• http://tools.ietf.org/html/rfc2401
• CompTIA SY0-301

1.4.4 SSL

SSL

Secure Sockets Layer (SSL) (and its successor Transport Layer Security), is a cryptographic protocol designed to secure communications over the Internet. They use X.509 digital certificates, asymmetric cryptography and the exchange of a symmetric key to secure the message transmission.

The TLS/SSL protocol is divided into two layers operating at both the Session and Presentation layers of the OSI 7 Layer Model. At the session layer, TLS/SSL uses a handshake protocol to establish a session including cipher settings and a shared key. At the presentation layer, asymmetric and symmetric cryptography is used to create a secure communication session for the rest of the transmission.

“The SSL handshake protocol, allows the server and client to authenticate each other and to negotiate an encryption algorithm and cryptographic keys before the application protocol transmits or receives its first byte of data.”

OSI Model Equivalence	SSL Architecture
Application Layer	HTTP, POP3 and Other Application Layer Protocols
Presentation Layer	SSL Handshake		SSL Alert		Change Cipher Spec		SSL Handshake Layer
Session Layer	Fragmentation	Compression		Authentication		Encryption	SSL Record Layer
Transport Layer	TCP
Network Layer	IP

SSL enables an encrypted channel to be established between a server and a client. Data sent over that channel is secured, allowing the transmission of sensitive data over an unsecured network. A web browser such as Google Chrome and web server or a mail client such as Outlook and a mail server can securely exchange data.

SSL allows a transmission to meet the requirements of confidentiality - ensuring the secrecy of data from unauthorized access (via asymmetric and symmetric encryption), integrity - the assurance that data has not been modified during transmission (via message authentication code) and authentication - the validation of the communication partner (via certificates).

SSL enables users to trust the authenticity of the webserver (website) and the security of the communication channel between your browser and the website.

SSL helps website owners comply with industry and government regulations for data security and privacy such as PCI (Payment Card Industry) and HIPAA. It also provides the website’s users peace of mind that their information is protected as it travels across the Internet between the client and server.

SSL extends the trust mechanisms of the physical world into the digital world. In the physical world, if you wanted to buy a pair of shoes, you would go to a shoe store. Why would you trust that physical store enough to give them your cash, hand them your credit card or trust that if the shoe fell apart on first use you could return it? It might be that the store has a recognizable name, the inventory is displayed in a physical building (not the back of a truck), the store sign is not written with a marker and that the store did not just appear overnight. These are some of the things that would engender trust in the physical world.

SSL through the use of SSL certificates and Certificate Authorities (CA) vouch for the authenticity of a website and through the use of encryption protocols meets the confidentiality, integrity and even non-repudiation needs of a secure transaction in the digital world.

The browser has a visual indicator that a website is secured via TLS/SSL:

Notice the padlock icon and the use of the HTTPS protocol.

By The Way:

1. Good security is a layered security. SSL is not a panacea for security. It will secure the communication channel between two parties. It will confirm that you are connected to the site you entered into your browser for example. And it will ensure that the message sent between you is not changed. However it cannot stop you from or detect that you are connected to a malevolent website that can then download viruses and other malicious software. A malevolent website would actually prefer to communicate via SSL as its actions would be invisible to normal detection systems.
2. The most up-to-date version of SSL is 3.0 and it is documented in RFC 6101. Note: this protocol is labeled as “historic”. TLS should be used instead.
3. The differences between this TSL 1.0 and SSL 3.0 are not dramatic, however they are significant enough that they do not interoperate.
4. TLS 1.0 incorporates a mechanism by which a TLS implementation can back down to SSL 3.0. TLS 1.0 is sometimes known as SSL 3.1.
5. The latest version of TLS is TLS 1.2 which is documented in RFC 5246.
6. TLS/SSL at the session layer of the OSI 7 Layer Model. It can be used to secure any TCP-based application.
7. SSL was developed by Netscape Corporation and became the de facto standard for securing Internet communication until it was succeeded by TLS (Transport Layer Security).
8. An advantage of SSL is that it is application protocol independent. Examples of TCP application secured using TLS/SSL include: HTTP, FTP, NNTP, IMAP, POP3.
9. Sample TCP Applications and Port Numbers:

Application	Port Number	Application Over TLS/SSL	Port Number
FTP (data)	20	FTPS (data)	989
FTP (control)	21	FTPS (control)	990
TELNET	23	TELNET	992
HTTP	80	HTTPS	443
POP3	110	POP3S	995
IRC	194	IRCS	994
NNTP	119	NNTPS	563
IMAP	143	IMAPS	993
LDAP	389	LDAPS	636
SMTP	25/587*	SMTPS	465†/587*

^* STARTTLS is an extension to plain text communication protocols, which offers a way to upgrade a plain text connection to an encrypted (TLS or SSL) connection instead of using a separate port for encrypted communication.
^† Port 465 for secure SMTP is now deprecated.

References:

• http://en.wikipedia.org/wiki/Secure_Sockets_Layer
• RFC5246 (TLS1.2): http://www.rfc-editor.org/info/rfc5246
• RFC6101 (SSL3.0): http://www.rfc-editor.org/info/rfc6101
• http://www.sans.edu/research/security-laboratory/article/296
• CIA: http://www.yaldex.com/php_tutorial_3/ch28lev1sec2.html
• SSL Cryptography: http://www.digicert.com/ssl-cryptography.htm
• STARTTLS: https://www.fastmail.fm/help/technology_ssl_vs_tls_starttls.html
• Port Registry: http://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml

2.4.7 Threat Awareness

Threat Awareness

A lawsuit, brought by Sidekick customer Maureen Thompson, alleges T-Mobile, Microsoft and Microsoft subsidiary Danger failed to follow even the most basic data protection principles and as a result the safety, security and availability of the data belonging to users was compromised. – goo.gl/o3VRe

Global Payments, a third-party payments processor to Visa and MasterCard credit and debit cards, reiterated that while customer data may be at risk, the data breach has been "contained to the best of our ability." Overall, 1.5 million accounts may have been affected. – goo.gl/9z6EH

Malware, (unauthorized and malicious software) that was secretly installed on servers in Hannaford Bros. Co.'s supermarkets across the Northeast and in Florida allowed credit and debit card numbers to be stolen as shoppers swiped their cards at checkout line machines. This massive data breach compromised up to 4.2 million credit and debit cards. – goo.gl/ZzvZn

The Indiana Family and Social Services Administration (FSSA) is in the process of notifying some FSSA clients that some of their personal information may have been accidently disclosed to other clients. The programming error was made on April 6, 2013. The error was discovered on May 10, 2013 and it was corrected on May 21, 2013. – goo.gl/HTKIe

A threat is a condition that might result in a breach of security and can then possibly cause harm. The National Information Assurance Glossary defines threat as “Any circumstance or event with the potential to adversely impact an Information System (IS) through unauthorized access, destruction, disclosure, modification of data, and/or denial of service.”

Threats to critical information systems are evolving and growing. A threat can be either unintentional or intentional:

• Unintentional threats can be caused by a computer hardware or software malfunction, flaws in security or privacy policy definitions, incorrect maintenance procedures, errors made by administrators and integrators or natural disasters that inadvertently disrupts systems.
• Intentional threats result from the possibility of an attack by a threat agent and can come from a variety of sources (e.g., an individual attacker or a criminal organization). These sources include business competitors, corrupt employees, criminal groups, hackers/crackers, and foreign nations engaged in espionage and information warfare.

According to the Government Accountability Office (GAO), “The number of cyber incidents affecting computer systems and networks continues to rise. Over the past 6 years, the number of cyber incidents reported by federal agencies to the U.S. Computer Emergency Readiness Team (US-CERT) has increased from 5,503 in fiscal year 2006 to 48,562 in fiscal year 2012, an increase of 782 percent.” This increased awareness can be considered a good thing, as growing awareness implies improved detection.

Sources of threats include:

• Bot-network – a network of compromised, remotely controlled systems used to coordinate attacks and distribute phishing schemes, spam, and malware attacks.
• Business competitors – a competing organization may seek to obtain sensitive information to improve their competitive advantage
• Hackers/Crackers – skilled and unskilled (using pre-existing attack scripts and protocols) break into networks for the challenge, bragging rights, revenge, stalking, monetary gain, political activism, etc.
• Individuals or small groups – using techniques such as phishing, spam, spyware, denial of service and other attack protocols.
• Insiders – disgruntled and/or corrupted organization insiders including employees and contractors that have inside knowledge of the system. The compromise could be intentional or it could be unintentional caused by careless or poorly trained personnel.
• Nations and foreign corporations – using state or corporate resources (finance, staff, infrastructure, training, etc.) to direct attack for information gathering, espionage and disruption.

Attacks vectors can include: Phishing attacks, Zero-day exploits, New viruses.

• Phishing attacks
• The act of attempting to acquire financial or other confidential information such as usernames, passwords, and credit card details by masquerading as a legitimate entity and typically done via e-mail. The e-mail might direct the user to a fake web site whose main purpose is to steal the user’s information.
• Zero-day exploits
• A zero-day exploit is an attack that takes advantage of a previously unknown vulnerability in a computer system on the day that the vulnerability becomes generally known. This means that the developers have no time (zero days) to identify and patch the vulnerability. There are “zero days” between the time the vulnerability is discovered and when the first attack occurs.
• New viruses
• A virus is a computer program that can copy itself and infect a computer without permission or knowledge of the target user.
  
  Similar to zero-day exploits, “new viruses” are newly created viruses that might infect systems before anti-virus programs and other virus fingerprinting tools are updated to detect and disinfect them.

Effective threat awareness measures involve knowledge of possible threats and an effort to stay up-to-date on the varied and evolving threat sources. In addition to continuous education, it is important to constantly scan and monitor your network to try to intercept threats before they can harm your systems.

Here are just a few sources for improving your threat awareness:

• United States Computer Emergency Readiness Team – US-CERT (www.us-cert.gov)
  US-CERT's vision is to be a trusted global leader in cybersecurity — collaborative, agile, and responsive in a complex environment.
• Common Weakness Enumeration – CWE (cwe.mitre.org)
  A community developed dictionary of software weakness types.
• The SANS Institute – SANS (www.sans.org)
  A source for information security training and security certifications. SANS develops, maintains, and provides a collection of research documents about various aspects of information security, and operates the Internet's early warning system - the Internet Storm Center.
• Metasploit Project (www.metasploit.com)
  The Metasploit Project is a computer security project which provides information about security vulnerabilities and aids in penetration testing and IDS signature development. A collaboration of the open source community and Rapid7. Metasploit is a penetration testing software, that helps verify vulnerabilities and manage security assessments.
• Privacy Rights Clearinghouse (privacyrights.org)
  The mission is to engage, educate and empower individuals to protect their privacy. They identify trends and communicate findings to advocates, policymakers, industry, media and consumers.
• U.S. Department of Defense – Defense Security Service (DSS) (www.dss.mil/isp/count_intell/count_train_mat.html)
  DSS provides the military services, Defense Agencies, federal agencies and cleared contractor facilities with security support services.
• Various Security-Related Blogs:
• labs.alienvault.com/labs
• blogs.technet.com/b/mmpc – Microsoft Malware Protection Center
• www.zdnet.com/blog/security – Stay on top of the latest in software/hardware security research, vulnerabilities, threats and computer attacks.

References:

• http://www.gao.gov/assets/660/652817.pdf
• CompTIA SY0-301

1.6.9 TKIP

TKIP

Temporal Key Integrity Protocol (TKIP) is a security protocol defined by the IEEE 802.11 wireless networking specification. TKIP was designed to replace WEP without requiring the replacement of legacy hardware. Customers could take advantage of it by updating firmware instead of having to replace hardware.¹

TKIP is a "wrapper" that goes around the existing WEP encryption.  TKIP comprises the same encryption engine and RC4 algorithm defined for WEP.  However, the key used for encryption in TKIP is 128 bits long.  This solves the first problem of WEP: a too-short key length.²

It is the encryption method used in Wi-Fi Protected Access (WPA).

References:

• http://en.wikipedia.org/wiki/Temporal_Key_Integrity_Protocol
• http://www.networkworld.com/reviews/2004/1004wirelesstkip.html
• CompTIA SY0-301

1.6.6 LEAP

LEAP

LEAP (Lightweight Extensible Authentication Protocol) is a proprietary EAP protocol, also known as Lightweight EAP. It was created by the company Cisco Systems for its line of Wireless LAN Access Points as a way to address the security weaknesses in WEP.

Security of LEAP relies on the strength of the organization’s password policy. With LEAP the organization should use complex passwords that make it computationally infeasible to attempt an offline dictionary or brute force attack.¹

References:

• http://www.techrepublic.com/article/ultimate-wireless-security-guide-an-introduction-to-leap-authentication/6148551
• CompTIA SY0-301

1.6.3 WEP

WEP

Wired Equivalent Privacy (WEP) is the original security standard used in wireless networks to encrypt the wireless network traffic¹. It adds security to 802.11 Wi-Fi networks at the data link layer (OSI model Layer 2) using a combination of hexadecimal digits.

Hexadecimal digits include ten numbers (0 – 9) and six letters (A – F). WEP uses a combination of these hexadecimal digits to create WEP keys. For example:

8734CDEA08432FACDE65748ACC

There are three keys sizes in use with WEP: 10, 26 and 58 digit key lengths.

A 10 digit hexadecimal key size results in a 40 or 64-bit WEP key. Note: each hexadecimal character represents four bits, resulting in a 40-bit key. 40-bit keys can be concatenated with a 24-bit initialization vector (IV) to generate a 64-bit WEP key.

A 26 digit hexadecimal key size results in a 104 or 128-bit WEP key. Note: as each hexadecimal character represents four bits, this yields a 104-bit key. If this is concatenated with a 24-bit initialization vector (IV) it generates a (104 + 24) or 128-bit WEP key.

A 58 digit hexadecimal key size results in a 256-bit WEP key, which includes the 24-bit IV.

WEP Encryption Process

A WEP key is concatenated with an initialization vector (IV), and this combined key is used as the seed for an RC4 keystream that is XORed (exclusive OR) with the wireless LAN data. A different IV stream is used for each frame, and therefore a different combined key is used to create a new RC4 keystream for each frame.

Vulnerabilities have been exposed where repeated IVs, along with the adaptation of a stream cipher (RC4) to create the block cipher, have resulted in an insecure encryption mechanism that can be cracked with what are now commonly available tools.²

Note: XOR is a logical operation which yields true if exactly one (but not both) of two conditions is true.³

Note: WEP is no longer considered to be secure.⁴

References:

• http://en.wikipedia.org/wiki/Wired_Equivalent_Privacy
• http://www.cisco.com/en/US/docs/solutions/Enterprise/Mobility/emob41dg/ch4_Secu.html
• http://mathworld.wolfram.com/XOR.html
• http://www.wi-fi.org/
• CompTIA SY0-301

1.6.2 WPA2

WPA2

Wi-Fi Protected Access II (WPA2) is a security protocol developed to protect wireless network communications. WPA2 is also known as the IEEE 802.11i standard. It is certified by the Wi-Fi Alliance in 2004:

Table 1: Wi-Fi Security Timeline¹

Date	Milestone
September 1997	IEEE 802.11 standard ratified, including WEP
April 2000	Wi-Fi CERTIFIED program launched, with support for WEP
May 2001	IEEE 802.11i task group created
April 2003	WPA introduced with: • IEEE 802.1X authentication • Temporal Key Integrity Protocol (TKIP) encryption • Support for EAP-Transport Layer Security (EAP-TLS)
September 2003	WPA mandatory for all Wi-Fi CERTIFIED equipment
June 2004	IEEE 802.11i amendment ratified
September 2004	WPA2 introduced with: • IEEE 802.1X authentication • AES encryption • Support for EAP-TLS
April 2005	Support for four additional EAP-types added: • EAP-Tunneled TLS Microsoft Challenge Handshake Authentication Protocol Version 2 (EAP-TTLS/MSCHAPv2) • Protected EAP Version 0 (PEAPv0)/EAP-MSCHAPv2 • Protected EAP Version 1 (PEAPv1)/EAP Generic Token Card (EAP-GTC) • EAP-Subscriber Identity Module (EAP-SIM)
March 2006	WPA2 mandatory for all Wi-Fi CERTIFIED equipment
January 2007	Wi-Fi Protected Setup program launched
November 2007	IEEE 802.11w task group created
May 2009	Support for EAP-AKA and EAP-FAST added
January 2012	Support for Protected Management Frames added to WPA2

WPA2 includes an encryption and an authentication protocol:

1. The encryption protocol is Advanced Encryption Standard (AES), it is used to secure wireless networks and protect data.
2. IEEE 802.1X is the authentication protocol. It provides authentication and network access control features.

It also provides mutual authentication with Pre-Shared Key (PSK; in Personal mode) and with IEEE 802.1X / EAP (in Enterprise mode).

WPA2 operates in two modes: Enterprise and Personal:

1. In Enterprise mode, WPA2 takes advantage of IEEE 802.1X Authentication, Authorization, Accounting (AAA) servers to monitor and manage traffic, define user-specific authentication levels, and offer guest access services.
2. Home and small-office networks typically run WPA2 in Personal mode (WPA2-Personal). In personal mode the network Service Set Identifier (SSID) and a passphrase entered by the user are used to derive the security key.

WPA2 uses the Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP), an Advanced Encryption Standard (AES) based encryption protocol, which uses the same key is used for both encryption and integrity protection.

References

• http://www.wi-fi.org/sites/default/files/downloads-registered/20120229_State_of_Wi-Fi_Security_09May2012_updated_cert.pdf
• CompTIA SY0-301

2.1.6 Risk-avoidance, transference, acceptance, mitigation, deterrence

Risk-avoidance, transference, acceptance, mitigation, deterrence

Risk Avoidance

Risk Avoidance involves identifying a risk and making the decision to no longer engage in the actions associated with that risk.

Risk avoidance should be based on an informed decision that the best course of action is to deviate from what would/could lead to being exposed to the risk. One of the problems with risk avoidance is that it may require you to also avoid activities that may be otherwise beneficial.

Risk avoidance is the most effective countermeasure to risk, however it is often not possible due to organizational requirements and business drivers.

Risk Transference

With risk transference, you share some of the burden of the risk with another entity, such as an insurance company. You do not completely offload the risk, you mitigate it through partnerships. An example policy might pay out if you could prove that all necessary measures to reduce the risk were taken and you still were harmed.

Another example of risk transference is outsourcing to a managed service provider. And you have service level agreements (SLA) that state which party is responsible for managing which risks.

Risk Mitigation

Risk mitigation is accomplished anytime you take steps to reduce the risk. Steps include installing antivirus software, educating users about possible threats, monitoring the network traffic, adding a firewall. In Microsoft's Security Intelligence Report, Volume 9, they list the following suggestions for mitigating risk:

• Keep security messages fresh and in circulation.
• Target new employees and current staff members.
• Set goals to ensure a high percentage of the staff is trained on security best practices.
• Repeat the information to raise awareness.

In risk mitigation (occasionally referred to as risk reduction), the harm can still occur, but you've reduced the impact it will have.

Risk Deterrence

Risk deterrence involves understanding something about the enemy and letting them know the harm that can come their way if they persist. The easiest way to think of risk deterrence is as a “you hit me and I'll hit you back harder” mentality. This can be as simple as posting prosecution policies on your login pages and convincing potential attackers that you are taking steps to identify intrusion and prosecute it.

Risk deterrence involves putting into place systems and policies to mitigate a risk by protecting against the exploitation of vulnerabilities that cannot be eliminated.

Risk Acceptance

Risk acceptance is often the choice you must make when the cost of implementing any of the other four choices exceeds the value of the harm that would occur if the risk came to fruition. To truly qualify as acceptance, all the internal parties must know that it exists and how it can affect the organization. It has to be an identified risk for which those involved understand the potential cost/damage and agree to accept it.

Risk acceptance is essentially being fully aware that the risk exists (and that you could be affected by it), then choosing to do nothing about it.

In risk acceptance, the risk must be identified, accepted and then a decision made that no action will be taken. Risk acceptance must be a conscious choice, documented, approved by senior administration, and regularly reviewed.

Related Terms:

• Risk Appetite – the level of risk tolerance.
• Exploit – An exploit is a mechanism of taking advantage of an identified vulnerability.
• Threat – A threat is the potential that a vulnerability will be identified and exploited.
• Control – Controls act to close vulnerabilities, prevent exploitation, reduce threat potential, and/or reduce the likelihood of a risk or its impact.

Research References:

1. http://certcities.com/editorial/columns/story.asp?EditorialsID=447
2. http://www.informit.com/articles/article.aspx?p=1809117&seqNum=2
3. http://studydroid.com/index.php?page=viewPack&packId=220486
4. CompTIA Security+ Study Guide: Exam SY0-301, Fifth Edition by Emmett Dulaney
5. CompTIA Security+ Review Guide: Exam SY0-301, Second Edition by James M. Stewart