Figure 1-2: Other Empirical Attack Data
Riptech
  Analyzed 5.5 billion firewall log entries in 300 firms in five-month period
  Detected 128,678 attacks—an annual rate of 1,000 per firm
  Only 39% of attacks after viruses were removed were directed at individual firms

Figure 1-2: Other Empirical Attack Data
SecurityFocus
  Data from 10,000 firms in 2001
  Attack Frequency
    129 million network scanning probes (13,000 per firm)
    29 million website attacks (3,000 per firm)
    6 million denial-of-service attacks (600 per firm)

Figure 1-2: Other Empirical Attack Data
SecurityFocus
  Attack Targets
    31 million Windows-specific attacks
    22 million UNIX/LINUX attacks
    7 million Cisco IOS attacks
  All operating systems are attacked!

Figure 1-2: Other Empirical Attack Data
Honeynet project
  Networks set up for adversaries to attack
  Windows 98 PC with open shares and no password compromised 5 times in 4 days
  LINUX PCs took 3 days on average to compromise

Figure 1-3: Attack Trends
Growing Randomness in Victim Selection
  In the past, large firms were targeted
  Now, targeting is increasingly random
  No more security through obscurity for small firms and individuals

Figure 1-3: Attack Trends
Growing Malevolence
  Most early attacks were not malicious
  Malicious attacks are becoming the norm

Figure 1-3: Attack Trends
Growing Attack Automation
  Attacks are automated, rather than humanly-directed
  Essentially, viruses and worms are attack robots that travel among computers
  Attack many computers in minutes or hours

Figure 1-4: Framework for Attackers
Elite Hackers
  Hacking: intentional access without authorization or in excess of authorization
  Some call this cracking, not hacking, which they equate to any skilled computer use
  Characterized by technical expertise and dogged persistence, not just a bag of tools
  Use attack scripts to automate actions, but this is not the essence of what they do
  Deviants and often part of hacker groups that reinforce deviant behavior
Figure 1-4: Framework for Attackers
Script Kiddies
  Use pre-written attack scripts (kiddie scripts)
  Viewed as lamers and script kiddies
  Their large numbers make them dangerous
  Noise of kiddie script attacks masks more sophisticated attacks

Figure 1-4: Framework for Attackers
You may hear the terms “white hat” (good guys) and “black hat” (bad guys)
  “Gray hat”: back and forth between “white hat” and “black hat”
  “Black hat” hackers break in for their own purposes
  “White hat” can mean multiple things
    Strictest: hack only by invitation as part of vulnerability testing
    Some who hack without permission but report vulnerabilities (not for pay) also call themselves white hat hackers
The Access Control Process
1. Enumerate the important resources in the system (Enumeration of Resources)
2. Analyze the importance and sensitivity of each resource (Sensitivity of Each Resources)
3. Determine who should be able to access each resource (Determine who should have access)
4. Define the access permissions (Access Permissions – Authorizations)
5. Define the scope of access control protection for each resource (Determine Access Control Protection for Each Resources)
Access Control
Access control is the policy-driven limitation of access to systems, data, and dialogs
Prevent attackers from gaining access, stopping them if they do

Access Control
First Steps
  Enumeration of Resources
  Sensitivity of Each Resource
Next, Who Should Have Access?
  Can be made individual by individual
  More efficient to define by roles (logged-in users, system administrators, project team members, etc.)

Access Control
What Access Permissions (Authorizations) Should They Have?
  Access permissions (authorizations) define whether a role or individual should have any access at all
  If so, exactly what the role or individual should be allowed to do to the resource
  Usually given as a list of permissions for users to be able to do things (read, change, execute program, etc.) for each resource

Access Control
How Should Access Control Be Implemented?
  For each resource, need an access protection plan for how to implement protection in keeping with the selected control policy
  For a file on a server, for instance, limit authorizations to a small group, harden the server against attack, use a firewall to thwart external attackers, etc.

Access Control
Policy-Based Access Control and Protection
  Have a specific access control policy and an access protection policy for each resource
  Focuses attention on each resource
  Guides the selection and configuration of firewalls and other protections
  Guides the periodic auditing and testing of protection plans

Server Password Cracking
Hacking Root
  Super accounts (can take any action in any directory)
  Hacking root in UNIX
  Super accounts in Windows (administrator) and NetWare (supervisor)
  Hacking root is rare; usually can only hack an ordinary user account
  May be able to elevate the privileges of the user account to take root action

Server Password Cracking
Physical Access Password Cracking
  l0phtcrack
    Lower-case L, zero, phtcrack
    Password cracking program
    Run on a server (need physical access)
    Or copy password file and run l0phtcrack on another machine
  System administrators can test the host hardening with this program.

Server Password Cracking
Physical Access Password Cracking
  Brute-force password guessing
    Try all possible character combinations
    Longer passwords take longer to crack
    Using more characters also takes longer
      Alphabetic, no case (26 possibilities)
      Alphabetic, case (52)
      Alphanumeric (letters and numbers) (62)
      All keyboard characters (~80)
Server Password Cracking
Physical Access Password Cracking
  Brute force attacks
    Try all possible character combinations
    Slow with long password lengths
  Dictionary attacks
    Try common words (“password”, “ouch”, etc.)
    There are only a few thousand of these
    Cracked very rapidly
  Hybrid attacks
    Common word with single digit at end, etc.
Server Password Cracking
Password Policies
  Good passwords
    At least 6 characters long
    Change of case not at beginning
    Digit (0 through 9) not at end
    Other keyboard character not at end
    Example: triV6#ial

Server Password Cracking
Password Policies
  Password sharing policies: generally, forbid shared passwords
    Removes ability to learn who took actions; loses accountability
    Usually is not changed often or at all because of need to inform all sharers

Server Password Cracking
Password Policies
  Lost passwords
    Password resets: help desk gives new password for the account (need proved)
      Opportunities for social engineering attacks
      Leave changed password on answering machine
    Biometrics: voice print identification for requestor (but considerable false rejection rate)

Server Password Cracking
Password Policies
  Lost passwords
    Automated password resets
      Employee goes to website
      Must answer a question, such as “In what city were you born?”
      Problem of easily-guessed questions that can be answered with research
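An added example, not from the original slides, that applies the good-password rules above and sizes the brute-force search space with the character-set counts from the previous slides. The reading of "change of case not at beginning" (the first two letters must not differ in case), the ~80 keyboard-character figure and the guess rate are assumptions.

```python
"""Password policy check and brute-force search-space estimate.

Added example, not from the original slides. Interpretation of
"change of case not at beginning" (the first two letters must not
differ in case), the ~80 keyboard-character count and the default
guess rate are assumptions made for illustration.
"""
import string

OTHER = set(string.punctuation)  # "other keyboard characters"


def character_set_size(password: str) -> int:
    """Per-character count from the slide for the richest class the password uses."""
    if any(c in OTHER for c in password):
        return 80                      # all keyboard characters (~80)
    if any(c.isdigit() for c in password):
        return 62                      # alphanumeric (letters and numbers)
    if any(c.islower() for c in password) and any(c.isupper() for c in password):
        return 52                      # alphabetic, case
    return 26                          # alphabetic, no case


def brute_force_space(password: str) -> int:
    """Candidates an exhaustive search over that class and length must try."""
    return character_set_size(password) ** len(password)


def policy_violations(password: str) -> list:
    """Return the slide rules the password breaks; an empty list means it passes."""
    problems = []
    if len(password) < 6:
        problems.append("shorter than 6 characters")
    letters = [c for c in password if c.isalpha()]
    if len(letters) >= 2 and letters[0].isupper() != letters[1].isupper():
        problems.append("case change at beginning")   # e.g. "Trivial"
    if password and password[-1].isdigit():
        problems.append("digit at end")                # e.g. "trivial6"
    if password and password[-1] in OTHER:
        problems.append("other keyboard character at end")
    return problems


def crack_time_seconds(password: str, guesses_per_second: float = 1e6) -> float:
    """Worst-case brute-force time at an assumed guess rate (default 1e6/s)."""
    return brute_force_space(password) / guesses_per_second
```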
Figure 2-5: UNIX /etc/passwd File Entries
Without Shadow Password File
  plee:6babc345d7256:47:3:Pat Lee:/usr/plee/:/bin/csh
  Fields, in order: User Name, Password, User ID, Group ID, GCOS, Home Directory, Shell
With Shadow Password File
  plee:x:47:3:Pat Lee:/usr/plee/:/bin/csh
  The x indicates that the password is stored in a separate shadow password file
Figure 2-5: UNIX /etc/passwd File Entries
Unfortunately, many software processes run with root privileges and so can read the password file. If the attacker can take over such a program, the attacker will have access to the shadow password file.
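An added example, not from the original slides, that parses entries in the Figure 2-5 layout and audits them the way an administrator would: any account whose password field still holds a hash instead of the shadow marker is exposed to every user who can read the world-readable /etc/passwd, and any UID 0 account is a root-equivalent super account. Only the plee line is from the slide; the other sample lines are constructed.

```python
"""Parse /etc/passwd entries and flag ones that are not shadowed.

Added example, not from the original slides. Field order follows
Figure 2-5: user name, password, UID, GID, GCOS, home directory, shell.
SAMPLE_PASSWD is constructed for illustration (only "plee" is the slide's).
"""
from typing import Dict, List

FIELDS = ("user", "password", "uid", "gid", "gcos", "home", "shell")

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
plee:6babc345d7256:47:3:Pat Lee:/usr/plee/:/bin/csh
kmoe:x:48:3:Kim Moe:/usr/kmoe/:/bin/csh
svc:*:200:200:service account:/nonexistent:/sbin/nologin
"""


def parse_passwd(text: str) -> List[Dict[str, str]]:
    """Split each non-empty, non-comment line into the seven colon-separated fields."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != len(FIELDS):
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(parts)}")
        entries.append(dict(zip(FIELDS, parts)))
    return entries


def unshadowed_accounts(entries: List[Dict[str, str]]) -> List[str]:
    """Users whose password field is neither the shadow marker 'x' nor a
    locked marker ('*' or '!'). A hash here is readable by every local user;
    an empty field means no password is required at all."""
    bad = []
    for e in entries:
        pw = e["password"]
        if pw != "x" and not pw.startswith(("*", "!")):
            bad.append(e["user"])
    return bad


def uid_zero_accounts(entries: List[Dict[str, str]]) -> List[str]:
    """Any account with UID 0 is a root-equivalent 'super account'."""
    return [e["user"] for e in entries if e["uid"] == "0"]
```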
Figure 2-2: Server Password Cracking
Password Policies
  Windows passwords
    Obsolete LAN Manager passwords (7 characters maximum) should not be used
    Two 7-character strings are available but are very easy to crack
    Windows NTLM passwords are better
    Option (not default) to enforce strong passwords

Windows Client PC Passwords
  Login password: bypass by hitting Escape
  BIOS password: remove the small battery
  Screensaver password: should come on quickly after user steps away
Figure 2-6: Building Security
Building Security Basics
  Single point of (normal) entry to building
  Fire doors, etc.: use closed-circuit television (CCTV) and alarms to monitor them
  Security centers
    Monitors for closed-circuit TV (CCTV)
    Videotapes that must be retained (don’t reuse too much or the quality will be bad)
    Alarms
Figure 2-8: Access Cards
Magnetic Stripe Cards
  Credit cards, student ID cards with a magnetic stripe on the back, etc.
Smart Cards
  Have a microprocessor and RAM
  More sophisticated than mag stripe cards
  Release only selected information to different access devices
TCP/IP Standards
Frames and Packets
  Frames are messages at the data link layer
  Packets are messages at the internet layer
  Packets are carried (encapsulated) in frames
  There is only a single packet that is delivered from source to destination host
  This packet is carried in a separate frame in each network

Layer Cooperation Through Encapsulation on the Source Host
Figure (source host, upper layers):
  Application process: HTTP Message
  Encapsulation of HTTP message in data field of a TCP segment
  Transport process: TCP Hdr | HTTP Message
  Encapsulation of TCP segment in data field of an IP packet
  Internet process: IP Hdr | TCP Hdr | HTTP Message

Layer Cooperation Through Encapsulation on the Source Host
Figure (source host, lower layers):
  Internet process: IP Hdr | TCP Hdr | HTTP Message
  Encapsulation of IP packet in data field of a frame
  Data link process: DL Hdr | IP Hdr | TCP Hdr | HTTP Message | DL Trlr
  Physical process: converts bits of frame into signals

Layer Cooperation Through Encapsulation on the Source Host
Note: The following is the final frame for supervisory TCP segments (no HTTP message in the data field):
  DL Hdr | IP Hdr | TCP Hdr | DL Trlr

Layer Cooperation Through Decapsulation on the Destination Host
Figure (destination host, upper layers):
  Internet process: IP Hdr | TCP Hdr | HTTP Message
  Decapsulation of TCP segment from data field of an IP packet
  Transport process: TCP Hdr | HTTP Message
  Decapsulation of HTTP message from data field of a TCP segment
  Application process: HTTP Message

Layer Cooperation Through Decapsulation on the Destination Host
Figure (destination host, lower layers):
  Physical process: converts signals into the bits of the frame
  Data link process: DL Hdr | IP Hdr | TCP Hdr | HTTP Message | DL Trlr
  Decapsulation of IP packet from data field of a frame
  Internet process: IP Hdr | TCP Hdr | HTTP Message

TCP/IP Standards
Internet and Transport Layers
  Internet Protocol (IP)
    IP at the internet layer is unreliable — does not correct errors in each hop between routers
    This is good: it reduces the work each router along the route must do, so the router itself is much cheaper.

TCP/IP Standards
Transport Layer Standards
  Transmission Control Protocol (TCP)
    Reliable and connection-oriented service at the transport layer
    Corrects errors
  User Datagram Protocol (UDP)
    Unreliable and connectionless service at the transport layer
    Lightweight protocol, good when catching errors is not important
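An added example, not from the original slides, that carries one HTTP message through the encapsulation steps above (TCP segment, IP packet, frame) and back out through decapsulation on the destination host, including the supervisory case where the frame carries no HTTP message. The headers use real field sizes for the fields the receiver reads (Ethernet type, IPv4 IHL, total length and protocol, TCP ports and data offset) but leave checksums and the remaining fields at zero; addresses and ports in the usage are constructed.

```python
"""Encapsulation on the source host and decapsulation on the destination host.

Added example, not from the original slides. Each layer prepends its own
header to what the layer above handed it (the data link layer also appends
a trailer); the destination strips them in reverse order. Header layouts
are simplified: real sizes and positions for the fields read back below,
zeros for checksums and everything else. Addresses are constructed.
"""
import struct

ETH_TYPE_IP = 0x0800   # EtherType for IPv4
IP_PROTO_TCP = 6       # IPv4 protocol number for TCP


def encapsulate(http_message: bytes, src_port: int, dst_port: int,
                src_ip: bytes, dst_ip: bytes, src_mac: bytes, dst_mac: bytes) -> bytes:
    """Application -> transport -> internet -> data link; returns the frame bits."""
    # Transport: 20-byte TCP header (ports, seq, ack, data offset/flags, window, csum, urg)
    tcp_hdr = struct.pack("!HHIIHHHH", src_port, dst_port, 0, 0, 5 << 12, 65535, 0, 0)
    segment = tcp_hdr + http_message           # TCP Hdr | HTTP Message
    # Internet: 20-byte IPv4 header; total length covers header plus TCP segment
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(segment), 0, 0,
                         64, IP_PROTO_TCP, 0, src_ip, dst_ip)
    packet = ip_hdr + segment                  # IP Hdr | TCP Hdr | HTTP Message
    # Data link: 14-byte Ethernet header in front, 4-byte FCS trailer behind
    dl_hdr = struct.pack("!6s6sH", dst_mac, src_mac, ETH_TYPE_IP)
    dl_trlr = struct.pack("!I", 0)
    return dl_hdr + packet + dl_trlr           # DL Hdr | IP Hdr | TCP Hdr | HTTP Message | DL Trlr


def decapsulate(frame: bytes) -> dict:
    """Data link -> internet -> transport -> application; returns what each layer read."""
    _dst_mac, _src_mac, eth_type = struct.unpack("!6s6sH", frame[:14])
    packet = frame[14:-4]                       # strip DL header and DL trailer
    ihl = (packet[0] & 0x0F) * 4                # IP header length in bytes
    total_len = struct.unpack("!H", packet[2:4])[0]
    proto = packet[9]
    segment = packet[ihl:total_len]             # strip IP header
    src_port, dst_port = struct.unpack("!HH", segment[:4])
    data_offset = (segment[12] >> 4) * 4        # TCP header length in bytes
    http_message = segment[data_offset:]        # strip TCP header (empty if supervisory)
    return {"eth_type": eth_type, "ip_proto": proto, "src_port": src_port,
            "dst_port": dst_port, "http_message": http_message}
```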
Internet Protocol (IP)
Connection-Oriented Service and Connectionless Service
  Connection-oriented services have distinct starts and closes (telephone calls) (a channel must be set up before data transmission begins)
  Connectionless services merely send messages (postal letters) (no channel needs to be set up before sending data)
  IP is connectionless, TCP is connection-oriented
Hierarchical IP Address
  Network Part (not always 16 bits)
  Subnet Part (not always 8 bits)
  Host Part (not always 8 bits)
  Total is always 32 bits.
Figure: The Internet; UH Network ( ); CBA Subnet (17); Host 13

IP Address Classes
Figure (each address is shown as four 8-bit fields):
  Class A: Network | Host
  Class B: Network | Host
  Class C: Network | Host
  Class D: Multicast
  Class E: Research
Purpose: This graphic describes the three most common classes of IP address.
Emphasize: Discuss classes of addresses. Each address contains information about the network number and the host number of the device. Class A addresses are for very large organizations. Class B addresses are for smaller organizations, and Class C addresses for even smaller ones.
As the number of networks grows, classes may eventually be replaced by another addressing mechanism, such as classless interdomain routing (CIDR). RFC 1467, Status of CIDR Deployment in the Internet, presents information about CIDR. RFC 1817, CIDR and Classful Routing, also presents CIDR information.

IP Address Masking with Network and Subnet Masks
Figure: a table with rows for Network Masking and Subnet Masking and columns IP Address, Mask, Result, Meaning.
Example 1
  Network masking: 16-bit network part is
  Subnet masking: combined 24-bit network plus subnet part are
Example 2
  Network masking: 8-bit network part is 60
  Subnet masking: combined 16-bit network plus subnet parts are 60.47

IP Address Spoofing
Figure:
  1. Trust relationship between the Trusted Server and the Victim Server
  2. Attack packet from the Attacker’s Client PC with a spoofed source IP address; the attacker’s identity is not revealed
  3. Victim Server accepts the attack packet

Transmission Control Protocol (TCP)
Connections: Opens and Closes
  Formal open and close
    Three-way open: SYN, SYN/ACK, ACK
    Normal four-way close: FIN, ACK, FIN, ACK
  Abrupt close: RST

Transmission Control Protocol (TCP)
Port Numbers
  Port numbers identify applications
    Well-known ports (0-1023) used by applications that run as root
    Registered ports ( ) for other applications with lower authority
    Ephemeral/Private/Dynamic ports ( ) for clients
  HTTP=80, Telnet=23, FTP=21 for supervision, 20 for data transfer, SMTP=25
  Source Port Number (16 bits), Destination Port Number (16 bits)
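An added example, not from the original slides, that performs the network and subnet masking of the figure as a bitwise AND of address and mask, reproducing the slide's Example 2 meaning (8-bit network part 60, combined 16-bit network plus subnet part 60.47); the full address 60.47.13.9 and the other addresses in the usage are constructed, and the example generalizes to any prefix length.

```python
"""Network and subnet masking of an IPv4 address.

Added example, not from the original slides. Masking ANDs each address
bit with the mask bit: a 1 keeps the address bit, a 0 clears it, so a
16-bit mask keeps the network part and a 24-bit mask keeps network plus
subnet. The address 60.47.13.9 used in tests is constructed; the slide
gives only the parts 60 and 60.47.
"""


def dotted_to_int(dotted: str) -> int:
    """Parse a dotted-decimal IPv4 address into a 32-bit integer."""
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"not a dotted-decimal IPv4 address: {dotted!r}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def int_to_dotted(value: int) -> str:
    """Format a 32-bit integer as dotted decimal."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def prefix_mask(bits: int) -> str:
    """Mask whose leading `bits` bits are 1 (e.g. 16 -> 255.255.0.0)."""
    if not 0 <= bits <= 32:
        raise ValueError("mask length must be 0..32")
    return int_to_dotted(((1 << 32) - 1) ^ ((1 << (32 - bits)) - 1))


def apply_mask(address: str, mask: str) -> str:
    """Bitwise AND of address and mask: the slide's Result column."""
    return int_to_dotted(dotted_to_int(address) & dotted_to_int(mask))


def significant_part(result: str, bits: int) -> str:
    """The slide's Meaning column for whole-octet masks: the octets the mask kept."""
    return ".".join(result.split(".")[: bits // 8])


def masking_example(address: str, network_bits: int, subnet_bits: int) -> dict:
    """Network masking and subnet masking rows for one address."""
    net_mask = prefix_mask(network_bits)
    combined_mask = prefix_mask(network_bits + subnet_bits)
    return {
        "network_mask": net_mask,
        "network_part": significant_part(apply_mask(address, net_mask), network_bits),
        "subnet_mask": combined_mask,
        "network_plus_subnet_part": significant_part(
            apply_mask(address, combined_mask), network_bits + subnet_bits),
    }
```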