The methodology of the attackers
1. Reconnaissance (Surveillance)
   - find hosts (IP address search)
   - find type of host (OS fingerprint), firewalls too
2. Find KNOWN bugs (known to them)
3. Exploitation
   - post break-in: escalation of privilege, user attacks root
4. Hiding their tracks
   - post- or pre-break-in: root shells on UNIX

Scanning is one basic methodology
- finding IP dst addresses
  » single source
  » multiple sources
- scanning one IP dst for TCP ports/UDP ports open
  » single source
  » multiple sources
- then launch an exploit
  » launcher may be human or program

Finding IP dst addresses
- There are many tools on the Internet you may download and use to find available IPs in one subnet
  » www.foundstone.com
  » sectools.org
  » SuperScan, LaySurveror, IPScan, etc.

Scanning one IP dst
- Right after discovering a target IP, port-scanning software can be employed, e.g. nmap, NetworkActivPortScann, etc., or Nessus
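The two scan patterns on the slides above (one source touching many destination hosts, and one source touching many ports on a single destination) are exactly what a defender looks for in connection logs. The following is an added example, not part of the lecture slides: the log format, the sample lines and the thresholds are constructed assumptions.

```python
"""Added example (not from the lecture slides): flag a host sweep (one source,
many dst hosts) and a port scan (one source, many ports on one dst) from a
constructed connection log. Log format and thresholds are assumptions."""
from collections import defaultdict

# Constructed sample log, one connection attempt per line: "src dst proto dport".
SAMPLE_LOG = """\
10.0.0.5 192.168.1.10 tcp 22
10.0.0.5 192.168.1.11 tcp 22
10.0.0.5 192.168.1.12 tcp 22
10.0.0.5 192.168.1.13 tcp 22
10.0.0.5 192.168.1.14 tcp 22
10.0.0.9 192.168.1.20 tcp 21
10.0.0.9 192.168.1.20 tcp 22
10.0.0.9 192.168.1.20 tcp 25
10.0.0.9 192.168.1.20 tcp 80
10.0.0.9 192.168.1.20 udp 53
10.0.0.9 192.168.1.20 tcp 443
10.0.0.7 192.168.1.20 tcp 443
10.0.0.7 192.168.1.20 tcp 443
"""

HOST_SWEEP_THRESHOLD = 5   # distinct dst hosts from one src (assumed value)
PORT_SCAN_THRESHOLD = 5    # distinct (proto, dport) on one dst from one src (assumed)


def parse_log(text):
    """Yield (src, dst, proto, dport) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[3].isdigit():
            continue
        yield parts[0], parts[1], parts[2], int(parts[3])


def detect_scans(text, sweep_thr=HOST_SWEEP_THRESHOLD, port_thr=PORT_SCAN_THRESHOLD):
    """Return {"host_sweep": {src: n_hosts}, "port_scan": {(src, dst): n_ports}}."""
    hosts_by_src = defaultdict(set)     # src -> set of dst hosts it touched
    ports_by_pair = defaultdict(set)    # (src, dst) -> set of (proto, dport)
    for src, dst, proto, dport in parse_log(text):
        hosts_by_src[src].add(dst)
        ports_by_pair[(src, dst)].add((proto, dport))
    # Repeated hits on the same port (10.0.0.7 above) are not a scan and stay unflagged.
    return {
        "host_sweep": {s: len(h) for s, h in hosts_by_src.items() if len(h) >= sweep_thr},
        "port_scan": {p: len(ps) for p, ps in ports_by_pair.items() if len(ps) >= port_thr},
    }


if __name__ == "__main__":
    print(detect_scans(SAMPLE_LOG))
```

Distributed scans from multiple sources, which the slides also mention, will stay below these per-source thresholds; catching those needs aggregation per destination across sources.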
Email: another methodology
- send program via email
- user naively executes attachment, or perhaps it is auto-launched in some cases
- social engineering may be of use
  » "hi handsome..."
  » "I love u ..."
- malware uses address book to launch itself at next targets, possibly with fake email sender

Define some terms (Must Know)
- exploit: a piece of code that exploits a software bug leading to a security hole
- virus: a malware program that somehow rides on the back of another vehicle but doesn't move itself
- worm: a malware program that provides its own transit
- trojan horse: a malware program that somehow appears as something else entirely

Define some terms (Must Know) cont.
- footprint/signature: some log entry or other trace left behind by an attack
- signature (in IDS sense): some way to identify a particular virus/worm/exploit attack; perhaps use pattern matching to ID that a file/email/packet has a known attack in it
- forensics: the process of figuring out just how an attack occurred after the attack succeeded; possibly may include collecting evidence for a criminal case against the criminal defendant

Define some terms (Must Know) cont.
- forensics again, important idea: if we can't figure out how they got in, how can we keep them out next time?
- counter-measures: just what the whitehats do to keep the blackhats out, or what you do to WATCH for them
  » on your network or hosts
  » what did you do to make your webserver safer?

Define some terms (Must Know) cont.
- define "secure": maybe we should all say "safer"
- backdoor
- social engineering attack
- buffer overflow
- dictionary attack
- oh wait, we have the Morris worm for those terms

Security Principles and Components
Asset and Risk Based INFOSEC (Information Security) Lifecycle model (ARBIL)
- A model that represents an information security life cycle that can work for any organization