Network and Computer Security Tutorial


  • 8/10/2019 Network and Computer Security Tutorial

    1/26

    Network and Computer Security Tutorial

Version 0.4.0 April 16, 2001

Background

This computer security tutorial is written based on my experiences with computer and network security along with my training and information I have read. The field of security is constantly changing so I cannot guarantee that information in this computer security tutorial will be current. This computer security tutorial will define some basic security issues and give insight into what causes security to be a constant issue. This computer security tutorial will help you decide what to protect and provide some basic information about attacks that may be made against your network, computer systems, or data. It will also provide computer and network security recommendations for you or your organization. Although much useful information can be derived from this document without the reader having networking knowledge, to use this document in depth, I recommend that readers of this computer security tutorial have a fundamental knowledge about networking.

The CTDP Networking Guide contains the networking documentation required to understand this computer security tutorial.

Introduction

In this computer security tutorial, the terms computer security and network security will be used often. When the term computer security is used, it specifically refers to the security of one computer, although the overall security of each individual computer is required for network security. When the term network security is used, it refers to the security of the network in general. This includes such issues as password security, network sniffing, intrusion detection, firewalls, network structure and so forth.

Security Violation Definition

Computer or network security has been violated when unauthorized access by any party occurs.

Why Security?

Computer security is required because most organizations can be damaged by hostile software or intruders. There may be several forms of damage which are obviously interrelated. These include:

- Damage or destruction of computer systems.
- Damage or destruction of internal data.
- Loss of sensitive information to hostile parties.
- Use of sensitive information to steal items of monetary value.
- Use of sensitive information against the organization's customers which may result in legal action by customers against the organization and loss of customers.
- Damage to the reputation of an organization.
- Monetary damage due to loss of sensitive information, destruction of data, hostile use of sensitive data, or damage to the organization's reputation.

The methods used to accomplish these unscrupulous objectives are many and varied depending on the circumstances. This guide will help administrators understand some of these methods and explain some countermeasures.

Security Issues

http://www.comptechdoc.org/independent/networking/guide/

Computer security can be very complex and may be very confusing to many people. It can even be a controversial subject. Network administrators like to believe that their network is secure and those who break into networks may like to believe that they can break into any network. I believe that overconfidence plays an important role in allowing networks to be intruded upon. There are many fallacies that network administrators may fall victim to. These fallacies may allow administrators to wrongfully believe that their network is more secure than it really is. This guide will attempt to clarify many issues related to security by doing the following:

- Help you determine what you are protecting.
- Break computer security into categories.
- Explain security terms and methods.
- Point out some common fallacies that may allow administrators to be overconfident.
- Categorize many common attacks against networks and computers.
- Explain some attack methods.
- Describe tools that can be used to help make a network more secure.

Security Interdependence

There are many different aspects to computer and network security as you will read in this document. These different areas of computer security are interdependent on each other in order for a network to be secure. If one or more areas of computer security are ignored, then the entire security integrity of the organization's network may be compromised. A clear example of this is in the area of computer virus or worm protection. Computer virus protection programs can only filter known viruses or worms. There are viruses or worms that are not yet recognized as virus programs immediately after their release. The best way to make unrecognized virus or worm programs less effective is by quickly removing the vulnerabilities that they use. Some of these vulnerabilities are operating system and application program errors. When security patches are created for software, they should be quickly applied. In this way the vulnerability to viruses is minimized but not eliminated. There are other steps which may further reduce this vulnerability, but it can never be completely eliminated.

Security Limitations and Applications

If you are reading this document and are thinking that you can get all the information required to make your network completely secure, then you are sadly mistaken. In many ways, computer security is almost a statistical game. You can reduce but not eliminate the chance that you may be penetrated by an intruder or virus. This is mainly for one reason: no one can ever know all the software vulnerabilities of all software used on a system. This is why even those who consider themselves hackers will say that the number one computer security threat is the lack of quality in the applications and operating systems. At this point, I could talk about the various corporate entities that write software and why software lacks the quality that many of us believe that it should possess, but that subject is not only way beyond the scope of this document, but also way beyond the scope of this project. The bottom line here is that unless you can remove all the application and operating system problems that allow viruses and intruders to penetrate networks, you can never secure your network. Additionally the users on your network are potentially a greater security risk than any programs. Obviously removing all vulnerabilities is impossible and will not secure your network against user errors. I have even considered the possibility that an operating system without a network interface can be completely secure, but even this cannot be guaranteed. Unknown viruses or trojan programs can creep in with applications on CDs or floppies. This has been known to happen. Although an attacker may not be able to get data from the system, they can damage or destroy data.

Layered Security

The fact that complete security is impossible is the reason security experts recommend "layered security". The idea is to have multiple ways of preventing an intrusion to decrease the chance that intrusions will be successful. For example, you should have virus protection on your client computers. To help layer this security you should also filter viruses at your email server. To help even more, you should block the most dangerous types of email attachments to prevent unrecognized viruses and other hostile software from entering your network. Another good defense layer would also include educating your users about viruses, how they spread, and how to avoid them.
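The attachment-blocking layer described above, written out as an added example (this is not code from the tutorial or its author): a mail-gateway style filter that rejects attachments by file type. The blocked-extension list and the sample file names are constructed assumptions for illustration; the point the code adds is that every suffix is examined, so a double-extension name such as "report.txt.exe" is caught as well as the plain case.

```python
# Added example (not from the tutorial): a mail-gateway style attachment filter
# for the "block the most dangerous attachment types" layer. The extension list
# and sample names below are constructed assumptions, not from the document.
import os

# File types that execute directly or carry scripts when opened (assumed list).
BLOCKED_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd",
                      ".vbs", ".js", ".hta", ".cpl"}


def is_blocked_attachment(filename: str) -> bool:
    """Return True if the attachment should be blocked at the mail server.

    Every suffix is checked, so a double-extension name such as
    "report.txt.exe" or "photo.jpg.scr" is caught, and matching is
    case-insensitive so "VIRUS.EXE" is treated like "virus.exe".
    """
    name = filename.strip().lower()
    while True:
        base, ext = os.path.splitext(name)   # "a.txt.exe" -> ("a.txt", ".exe")
        if not ext:
            return False                     # no (more) suffixes to examine
        if ext in BLOCKED_EXTENSIONS:
            return True
        name = base                          # peel one suffix and look again


def filter_attachments(filenames):
    """Split a message's attachments into (allowed, blocked) lists."""
    allowed, blocked = [], []
    for f in filenames:
        (blocked if is_blocked_attachment(f) else allowed).append(f)
    return allowed, blocked


if __name__ == "__main__":
    # Constructed sample message
    ok, dropped = filter_attachments(["budget.xls", "report.txt.exe", "photo.jpg", "VIRUS.EXE"])
    print("allowed:", ok)
    print("blocked:", dropped)
```

A filter like this is one layer only; it does nothing for known viruses inside allowed types, which is why the text pairs it with scanning at the mail server and on the clients.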

Hackers

There are many documents that attempt to define the term hacker. I believe that the term hacker is a connotative term. This means that it is more defined by people's beliefs rather than by a dictionary. Some believe that a hacker is a very skilled computer person. Others believe that hackers are those that perform unauthorized break-ins to computer systems. The media and many sources have caused many uninformed people to believe that a hacker is a threat to computer and network security while this is not the case. A hacker is no more likely to break the law than anyone else. I use the more accurate descriptive term, "intruder", to describe those who intrude into networks or systems without authorization.

Physical Security

This guide will not talk about physical computer security beyond this paragraph. Your organization should be aware how physically secure every aspect of its network is because if an intruder gets physical access, they can get your data. Be sure that your organization properly secures locations and consider the following:

- Servers - Contain your data and information about how to access that data.
- Workstations - Can contain some sensitive data and can be used to attack other computers.
- Routers, switches, bridges, hubs and any other network equipment may be used as an access point to your network.
- Network wiring and media and where they pass through may be used to access your network or place a wireless access point to your network.
- External media which may be used between organizational sites or to other sites the organization does business with.
- Locations of staff who may have information that a hostile party can use.
- Some employees may take data home or may take laptops home or use laptops on the internet from home then bring them to work. Any information on these laptops should be considered to be at risk and these laptops should be secured according to proper policy when connected externally on the network (more on this later).

Some Terms

This paragraph describes some commonly used computer security terms.

- Protocol - Well defined specification allowing computer communication.
- Confidentiality - Information is available only to people with rightful access.
- Integrity - Information can only be changed by authorized personnel.
- Integrity - The receiver of the message should be able to tell the message was not modified. Requires key exchange.
- Availability - Information is available to only those who need it.
- Verification - nonrepudiation - There is proof that the sender sent the message.
- Authentication - The receiver of the message should be able to be sure of the origin of the message. Requires a digital signature (one way hash, public key algorithm, and symmetric algorithm) or a public key algorithm.
- Spyware - A computer program whose purpose is to spy on your internet activities usually for marketing purposes and usually done by a shady corporate entity.
- Malware - A computer program with some evil intent. It may on the surface have a good or useful intent, but may be a trojan (with a hidden purpose) which can be used to gain unauthorized access to your computer.

Computer Security Requirements

This page is about your computer security requirements and is intended to save many people unnecessary reading. If you are an individual who is only concerned about the security needs of your home computer and do not want to learn a lot about computer security, then there are some simple guidelines that you should read and you do not need to read this entire manual. You should read the Home Computer Security Article on this site. Most home computers require the following:

- A personal firewall when connecting to the internet over any type of connection.
- Anti-virus software that is kept updated.
- Back up your data onto another computer, CD-ROM, ZIP drive, or tape regularly.
- Regular security updates to the operating system (these are not as critical if a personal firewall is installed, but this item is still important).
- Regular updates to the applications run on the system such as Microsoft Office.

Be aware of the following:

- You should also be aware that most data that you send or receive on the internet can be read by other people. Therefore you should be aware of the sensitivity of the data or information you are sending. If you need to send confidential data you should only send it to sites that begin with https:// or use some software to encrypt your data.
- Be careful when opening email attachments since they may contain hostile programs even if your antivirus software has not detected it.
- Be careful when downloading and installing programs on the internet. You should scan any programs for viruses that you get on the internet, but also be aware that some programs may be spyware or other malware used to gain access to your system.

If you are someone who is responsible for your organization's security and/or you are learning about computer security, then you should read this complete document.

Determining what to protect

Before you design your organization's security plan and implement it, you must first determine what to protect. Then you must determine what threats exist to what is protected. This page will discuss how to determine what to protect and what its value is. Determining the value to your organization of the data you are protecting will help you determine how much it is worth spending to protect your data. This information will both help you determine your security requirements and your disaster recovery policy.

Rate Your Data

Based on your organization's structure, you must determine what the importance and value of your data is. This can most likely be broken down by department and you may accomplish it by sending questionnaires to your department managers through your management. What must be defined is the following:

- What data you have.
- Where it is stored (what server or computer it is stored on and in what directory) - The response may be that it is in the I drive in some directory and it will be up to you to determine the server location for the I drive.
- Is it a database or a set of files?

The data importance should be defined in a manner similar to the method shown below:

- How well can you live without your data?

http://www.comptechdoc.org/docs/ctdp/homesec/

  1. 0 - I don't care
  2. 1 - I would like to have it
  3. 2 - Must have it
  4. 3 - Can't live without it
- As an organization or department, how long can you live without access to your data (for each data item specified)? This may be minutes, hours, days, weeks, months, or years. This information will help you determine if your organization will survive if this data is lost and whether this data is really vital to your organization. It will also help you with creation of your disaster recovery plan and its requirements.
- What is the maximum possible damage in monetary units if unauthorized persons had access to your data and could use it against your organization?
- What is the maximum possible damage in monetary units if unauthorized persons incorrectly modified your data or your data was lost?

This information is best determined by department and, depending on the type of your organization, the data may be more or less valuable by department. For example, assume an organization with the following departments.

- Human Resources
- Finance
- Research and Engineering
- Law Department

Consider which department's data would be most important if the organization was any one of a bank, law firm, or auto manufacturing company. Rating your data and considering the potential monetary loss if the data is destroyed or inaccessible for some period of time will also be instrumental in helping your organization develop a disaster recovery plan.

Consider threats, risks, and possible damage

When evaluating how to defend your data, you will need to consider each threat and the degree of vulnerability to that threat. This is the risk, which equals threat times vulnerability. Then consider the cost if the consequences of the threat are realized. This will help determine how much you should spend to reduce your vulnerabilities to each threat.
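The data rating questionnaire and the risk formula above, carried through together as an added example (not code from the tutorial): each data item gets the 0-3 importance rating and the two maximum-damage figures the questionnaire asks for, each threat gets a likelihood and a degree of vulnerability, and risk = threat x vulnerability is weighted by the matching damage figure to rank where protection spending matters most. The data items, threats, likelihoods and amounts are all constructed for illustration.

```python
# Added example (not from the tutorial): a small risk register applying
# risk = threat x vulnerability per data item and threat, weighted by the
# stated maximum monetary damage. All items, threats and numbers are constructed.
from dataclasses import dataclass


@dataclass
class DataItem:
    name: str
    department: str
    importance: int           # 0..3 from the "how well can you live without it" scale
    max_downtime_hours: int   # how long the department can work without it
    damage_if_exposed: float  # max monetary damage if used against the organization
    damage_if_lost: float     # max monetary damage if modified or lost


@dataclass
class Threat:
    name: str
    likelihood: float         # "threat" on a 0..1 scale
    consequence: str          # "exposed" or "lost": which damage figure applies


def risk_score(threat: Threat, vulnerability: float) -> float:
    """risk = threat x vulnerability, both on a 0..1 scale."""
    if not (0.0 <= threat.likelihood <= 1.0 and 0.0 <= vulnerability <= 1.0):
        raise ValueError("threat and vulnerability must be in [0, 1]")
    return threat.likelihood * vulnerability


def expected_loss(item: DataItem, threat: Threat, vulnerability: float) -> float:
    """Risk weighted by the cost if the threat's consequence is realized."""
    cost = item.damage_if_exposed if threat.consequence == "exposed" else item.damage_if_lost
    return risk_score(threat, vulnerability) * cost


def rank_exposures(items, threats, vulnerabilities):
    """Return (item name, threat name, expected loss) rows, highest loss first.

    vulnerabilities maps (item name, threat name) -> degree of vulnerability
    in 0..1; a pair that is not listed is treated as not vulnerable.
    """
    rows = []
    for item in items:
        for threat in threats:
            vuln = vulnerabilities.get((item.name, threat.name), 0.0)
            rows.append((item.name, threat.name, expected_loss(item, threat, vuln)))
    return sorted(rows, key=lambda r: r[2], reverse=True)


# Constructed sample register (departments follow the example in the text)
ITEMS = [
    DataItem("payroll", "Human Resources", 3, 48, 200_000, 50_000),
    DataItem("design drawings", "Research and Engineering", 3, 8, 1_000_000, 300_000),
    DataItem("cafeteria menu", "Facilities", 0, 720, 0, 100),
]
THREATS = [
    Threat("worm", 0.8, "lost"),
    Threat("insider copy", 0.3, "exposed"),
]
VULNERABILITIES = {
    ("payroll", "worm"): 0.5,
    ("payroll", "insider copy"): 0.6,
    ("design drawings", "worm"): 0.2,
    ("design drawings", "insider copy"): 0.4,
    ("cafeteria menu", "worm"): 0.9,
}

if __name__ == "__main__":
    for name, threat, loss in rank_exposures(ITEMS, THREATS, VULNERABILITIES):
        print(f"{name:18} {threat:14} expected loss {loss:>12,.0f}")
```

Note that the item with the highest rating is not automatically the top row: the cafeteria menu is very vulnerable to the worm but worthless, while the drawings are only moderately vulnerable to an insider and still dominate because the exposure cost is large. That is the reason the text asks for the damage figures and not only the 0-3 rating.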

Computer Security Policy Categories and Types

Once you have determined the value of your data, you need to develop a set of policies to help protect it. These policies are called security policies and may apply to users, the IT department, and the organization in general. When writing your policies, consider:

1. What data may a user take home?
2. If a user works from home or remote offices and uses the internet to transmit data, how secure must the data be when in transmission across the internet?
3. What policies, network structure, and levels of defenses are required to secure your data depending on its importance, value and the cost of defending it?

The first items that should be defined are the policies related to the use and handling of your data. This will help you determine defensive measures and procedures. I have categorized policies into three different areas listed below:

- User Policies - Define what users can do when using your network or data and also define security settings that affect users such as password policies.
- IT Policies - Define the policies of the IT department used to govern the network for maximum security and stability.
- General Policies - High level policies defining who is responsible for the policies along with business continuity planning and policies.

User Policies

Define what users can and must do to use your network and organization's computer equipment. It defines what limitations are put on users to keep the network secure such as whether they can install programs on their workstations, types of programs they can use, and how they can access data. Some policies include:

- Password Policies - This policy is to help keep user accounts secure. It defines how often users must change their passwords, how long they must be, complexity rules (types of characters used such as lower case letters, upper case letters, numbers, and special characters), and other items.
- Proprietary Information Use - Acceptable use of any proprietary information owned by the company. Defines where it can be stored and where it may be taken, how and where it can be transmitted.
- Internet Usage - Use of internet mail, use of programs with passwords or unencrypted data sent over the internet.
- System Use - Program installation, no Instant Messaging, no file sharing such as Kazaa, Morpheus. Restrictions on use of your account or password (not to be given away).
- VPN and remote user system use (remote access) - Must be checked for viruses/trojans/backdoors. Must have firewall, must have AV.
- Acceptable use of hardware such as modems - No use of modems to the internet without a personal firewall.

IT Policies

These policies include general policies for the IT department which are intended to keep the network secure and stable.

- Virus incident and security incident - Intrusion detection, containment, and removal: 1. prepare (policies, checklists/procedures) 2. identify (get evidence) 3. contain (pull off network, modify passwords) 4. eradicate (fix, determine cause, improve defenses, test for vulnerabilities) 5. recover (validate the system, monitor for re-infection) 6. lessons learned (make recommendations to prevent a similar incident).
- Backup policy - Define what to back up, who backs it up, where it is stored, how long it is stored, how to test backups, what program is used to do backups.
- Client update policies - Update clients how often and using what means or tools.
- Server configuration, patch update, and modification policies (security) - Remove unneeded services (harden server). What servers should have IDS. How is it determined to do an update? What is done when someone works on the server?
- Firewall policies - What ports to block or allow, how to interface to it or manage it, who has access to the control console.
- Wireless, VPN, router and switch security, DMZ policy, email retention, auto-forwarded email policy, ability for IT to audit and do risk assessment, acceptable encryption algorithms.

General Policies

- High level program policy - Defines who owns other policies, who is responsible for them, scope and purpose of policies, any policy exceptions, related documents or policies.
- Business continuity plan - Includes the following plans:
  o Crisis Management - What to do during the (any) crisis which may threaten the organization.
  o Disaster Recovery - Subfunctions:
    - Server recovery
    - Data recovery
    - End-user recovery
    - Phone system recovery
    - Emergency response plan
    - Workplace recovery

Policy Levels

Policies can exist on many levels of the organization from a group or team level, to department level, plant level, or global organizational level. Some policies may only be effective on a local level while others may be enterprise wide throughout the organization.

Computer Security Policy Requirements

Security policies are an excellent way to complement the hardware and software security measures of your organization. Security policies can determine the method that both hardware and software are used. The policies will enable everyone in the organization to be on the same track. Every organization should have a stated security policy. It should be carefully written and checked by an attorney to be sure it does not create unnecessary liability.

Requirements of the Policy

- The policy must be consistent to be effective. There must be similar levels of security in multiple areas such as physical security, remote access, internal password policies, and other policies.
- The policy statement should be assessable. Issues should be clearly defined and when they apply to the policy.
- Define services affected such as email.
- Clearly define goals of the policy.
- Staff and management must find the policy acceptable. This is why it is important to justify each policy.
- Define roles of the staff with respect to the policies and security issues.
- The policy must be enforceable from the network and system controls. Policies must be set on servers to be sure domain passwords are reasonably complex, not repeated, changed periodically, etc.
- Define consequences of security policy violation.
- Define expected privacy for users.
- Provide contact information for those interested in more information about the policy.
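The password policy item under User Policies and the enforceability requirement above ("reasonably complex, not repeated, changed periodically") describe the same set of controls. As an added example (not the tutorial's own code), here is a checker that applies them: minimum length, a count of character classes, a maximum password age, and a comparison against a salted hash history so recent passwords cannot be reused. The thresholds in POLICY and the sample passwords are constructed assumptions.

```python
# Added example (not from the tutorial): enforcing a password policy of the
# kind described in the text. Thresholds and sample passwords are assumptions.
import hashlib
import hmac
import os
from datetime import date, timedelta

POLICY = {
    "min_length": 12,
    "min_classes": 3,      # of: lower case, upper case, digit, special
    "max_age_days": 90,    # "changed periodically"
    "history_depth": 5,    # "not repeated": last N passwords may not be reused
}


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so the history never stores plain passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def character_classes(password: str) -> int:
    """How many of the four character classes the password contains."""
    checks = (str.islower, str.isupper, str.isdigit, lambda c: not c.isalnum())
    return sum(any(check(c) for c in password) for check in checks)


def complexity_violations(password: str, policy=POLICY) -> list:
    """Return the rules a new password breaks (empty list = compliant)."""
    problems = []
    if len(password) < policy["min_length"]:
        problems.append(f"shorter than {policy['min_length']} characters")
    if character_classes(password) < policy["min_classes"]:
        problems.append(f"fewer than {policy['min_classes']} character classes")
    return problems


def is_reused(password: str, history: list, policy=POLICY) -> bool:
    """history is a list of (salt, hash) pairs, most recent first."""
    for salt, digest in history[: policy["history_depth"]]:
        if hmac.compare_digest(hash_password(password, salt), digest):
            return True
    return False


def is_expired(last_changed: date, today: date, policy=POLICY) -> bool:
    """True when the password is older than the policy allows."""
    return today - last_changed > timedelta(days=policy["max_age_days"])


def make_history(*passwords):
    """Build a constructed password history (most recent first)."""
    out = []
    for pw in passwords:
        salt = os.urandom(16)
        out.append((salt, hash_password(pw, salt)))
    return out


if __name__ == "__main__":
    history = make_history("Old-Password-01", "Old-Password-02")   # constructed
    for candidate in ("password", "Old-Password-02", "Tr0ub4dor&3xyz"):
        print(candidate, complexity_violations(candidate), "reused" if is_reused(candidate, history) else "new")
```

The age check is the part that has to run on a schedule rather than at change time, which is why the text puts enforcement on the servers rather than on a written rule alone.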

Policy Definitions

Policies may define procedures to be used or limitations to what can and cannot be done in the organization. Items that policies should define may include:

- Why the policy exists or why a procedure is done and what it is.
- Who enforces the policy or performs the procedure and why.
- Where the policy is effective or where the procedure is done.
- When the policy is in effect or when the procedure is used.

The where and the when items define the policy scope.

Policy Wording Suggestions

If security policy is worded incorrectly, it can be ineffective or become a source of trouble. Be careful not to imply guarantees over items you cannot fully control. For example, you cannot guarantee that employees will be unable to view pornographic web sites from their workplace. It may also be worth considering a disclaimer to the policy indicating that the policy is not created to guarantee safety or circumvent accidental exposure of employees to objectionable material, but the policy is intended to protect the organizational network from abuses from within and without. It should be noted that the policy cannot guarantee that abuses cannot occur. It is worth making policy abuse statements at logon screens to indicate that anyone logging on to a particular machine or domain who is not authorized may be prosecuted. This wording should be done in a legal manner and those who create the policies should consider consulting with their attorneys about the proper wording of these statements.

Access Control Policy

An access control policy can be part of the security policy document, or it may be separate. Access control policy will define how access to the network is allowed and how it can be done. It should also define how access to external resources such as the internet should be done. This access policy should define how access to other business resources (places that your organization may regularly do business with or exchange data with) is done. For example, this access may be done over the internet using some form of Virtual Private Networking (VPN), or it may be done by modem. In any case, it should be covered in the policy to be sure these external accesses, whether incoming or outgoing, are secure. One suggestion for this policy is to forbid employee access from inside the network to the internet through any source other than the firewall. At the least, any access to the internet should be through an approved secure interface. This policy should state:

- Allowed access across the network both inside and outside.
- How services are to be routed both in and out, and whether they are accepted in specific directions. Some services of concern include HTTP, FTP, and mail.
- Acceptable traffic should be specified and all other traffic should be blocked at the firewall and at other possible locations in the network. Include:
  o Direction
  o Service
  o Host(s) where required to use service(s).
  o Users (where required) and acceptable times they can access resources.
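The four items the policy should list (direction, service, hosts, users and times) map directly onto a rule table with a default-deny decision, which is what "all other traffic should be blocked" means in practice. The following is an added example, not code from the tutorial: a small evaluator that holds such a table and answers allow or deny for a connection request. The rule set, the host and user names and the business-hours window are constructed; the port numbers are the standard ones for the named services.

```python
# Added example (not from the tutorial): default-deny evaluation of an access
# control policy expressed as direction / service / hosts / users / times.
# The RULES table and sample requests are constructed for illustration.
from dataclasses import dataclass, field
from datetime import time

SERVICE_PORTS = {"http": 80, "https": 443, "ftp": 21, "smtp": 25}


@dataclass
class Rule:
    direction: str                              # "inbound" or "outbound"
    service: str                                # key of SERVICE_PORTS
    hosts: set = field(default_factory=set)     # internal hosts allowed; empty = any
    users: set = field(default_factory=set)     # users allowed; empty = any
    start: time = time(0, 0)                    # acceptable time window (inclusive)
    end: time = time(23, 59)


@dataclass
class Request:
    direction: str
    port: int
    host: str       # the internal host involved
    user: str       # empty when no user is associated (e.g. inbound mail)
    at: time


def rule_matches(rule: Rule, req: Request) -> bool:
    """Every listed attribute must match; unset hosts/users mean 'any'."""
    return (
        rule.direction == req.direction
        and SERVICE_PORTS.get(rule.service) == req.port
        and (not rule.hosts or req.host in rule.hosts)
        and (not rule.users or req.user in rule.users)
        and rule.start <= req.at <= rule.end
    )


def decide(rules, req: Request) -> str:
    """Return "allow" if any rule permits the request, otherwise "deny".

    Anything not explicitly listed is blocked: the policy names acceptable
    traffic and everything else is denied by default.
    """
    return "allow" if any(rule_matches(r, req) for r in rules) else "deny"


# Constructed policy: web browsing from any host during business hours,
# inbound mail only to the mail server, outbound FTP only for two admins.
RULES = [
    Rule("outbound", "http", start=time(7, 0), end=time(19, 0)),
    Rule("outbound", "https", start=time(7, 0), end=time(19, 0)),
    Rule("inbound", "smtp", hosts={"mail1"}),
    Rule("outbound", "ftp", users={"alice", "bob"}),
]

if __name__ == "__main__":
    for req in (
        Request("outbound", 80, "ws17", "carol", time(9, 30)),
        Request("outbound", 80, "ws17", "carol", time(22, 0)),
        Request("inbound", 25, "ws17", "", time(3, 0)),
        Request("inbound", 23, "ws17", "", time(12, 0)),
    ):
        print(req, "->", decide(RULES, req))
```

Writing the policy in this form before configuring the firewall has a practical benefit: each row can be read back to the manager who requested it, and a request that matches no row is the documented reason a connection was refused.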

Computer Security Incident Procedures

Depending on your organization's size and requirements, a computer security incident response team may be required or recommended. In any event, someone in your organization should be in charge of performing the security incident procedures. In addition, the personnel performing these procedures will require a certain level of authority so the organization's management must support this effort. If you have no security incident procedures an analysis should be done of the types of security problems you are having. The following should be considered:

- What types of incidents are occurring? Are they virus attacks, denial of service, hacked systems, user account compromise, or other attacks?
- How much of your IT staff time is being spent dealing with each type of attack?
- What is the damage in staff time and loss of productivity due to each type of attack?
- What is the damage to data due to each type of attack and what is the cost of this?
- What is the risk in damage to the organization due to compromised data or lost data due to each type of attack?
- What is the overall risk to the survival of the organization due to each type of attack?

The answers to the above questions will help your organization decide how much effort should be put into defining the security response and how much should be spent on computer security measures in general.

Computer Security Incident Procedure Steps

There are three main actions that must occur during a security incident. These are intrusion detection, containment, and removal. The containment and removal process are covered in the computer security incident procedure steps listed below which are recommended by the SANS Institute and several government agencies. These steps are based on the SANS Institute's guide "Computer Security Incident Handling: Step-by-Step".

1. Prepare - Create your policies, checklists, and procedures. Perform and test backups regularly in case data must later be restored. Post warning banners against intruders. When writing policies and procedures consider outside organizations that may be affected if you have a security incident. Determine who handles the security incidents.
2. Identify - Have methods in place to detect an incident and provide a trail of evidence. Determine if an incident really occurred and evaluate the evidence. Notify and coordinate the appropriate incident handling personnel, other appropriate personnel and managers who may be affected.
3. Contain - Assess the situation in such a way that the intruder does not know you are aware of their presence until you are ready to implement your response. Pull any critical data off the network that may yet be compromised. Take countermeasures, possibly pull the affected system(s) off the network and change passwords.
4. Eradicate - Remove malicious code or possibly re-install the system to be sure to remove all back door or malicious code, and possibly restore from backups. Determine the cause of the incident, analyze the intrusion method and vulnerability, implement a protection technique to prevent further intrusion, improve defenses, and test for vulnerabilities.
5. Recover - Validate the system, monitor for re-infection, restore operations when it is appropriate and the vulnerability has been removed.
6. Lessons learned - Make recommendations to prevent a similar incident, create an incident report, and modify your computer security incident procedure if necessary.

In order to contain and remove an intruder, a very important part of the process includes detection. Your organization must have some mechanism in place to detect a security incident. Therefore the following items are important to consider.

- Your organization should have someone check your server status and logs on a regular basis.
- You should consider some type of intrusion detection device on your servers depending on the importance of your data and cost of the intrusion detection device.
- You should consider some type of intrusion detection device on your network (search for suspicious traffic) depending on the importance of your data transmitted and stored on your network with consideration for the cost of the intrusion detection device.

Incident Form Items

Several items that should be included in your computer security incident form include:

- Incident date and time
- Computer system(s) name and/or numbers affected.
- Affected system location(s)
- Operating system(s) on the system affected.
- Type of system affected (workstation, mail server, file server, etc.)
- Type of intrusion (data compromise, virus incident, denial of service attack, etc.)
- How the intrusion was discovered
- Effect of the intrusion
- How the intrusion occurred
- How the intrusion was removed
- Steps taken to prevent the same type of intrusion again
- Who was notified about the intrusion.
- Time spent handling the intrusion and cost of the intrusion to the organization
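The detection items in the procedure steps above ("check your server status and logs on a regular basis") are the part of the process most easily automated. As an added example, not code from the tutorial, here is a small detector that reads authentication log lines and flags a source address that produces a burst of failed logins inside a short window, which is the kind of evidence the Identify step needs. The log lines are constructed in the style of a Unix SSH authentication log; the threshold of five failures within sixty seconds is an assumption.

```python
# Added example (not from the tutorial): flag sources with a burst of failed
# logins in a server's authentication log. Log lines, threshold and window
# are constructed assumptions for illustration.
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log: one fast burst from 10.9.8.7, one normal typo from a user.
SAMPLE_LOG = """\
Apr 16 02:14:01 srv1 sshd[812]: Failed password for invalid user admin from 10.9.8.7 port 4022 ssh2
Apr 16 02:14:03 srv1 sshd[812]: Failed password for invalid user oracle from 10.9.8.7 port 4023 ssh2
Apr 16 02:14:04 srv1 sshd[812]: Failed password for root from 10.9.8.7 port 4024 ssh2
Apr 16 02:14:06 srv1 sshd[812]: Failed password for root from 10.9.8.7 port 4025 ssh2
Apr 16 02:14:09 srv1 sshd[812]: Failed password for root from 10.9.8.7 port 4026 ssh2
Apr 16 02:15:30 srv1 sshd[901]: Accepted password for jdoe from 192.168.1.20 port 51234 ssh2
Apr 16 08:40:12 srv1 sshd[990]: Failed password for jdoe from 192.168.1.20 port 51300 ssh2
Apr 16 08:40:40 srv1 sshd[990]: Accepted password for jdoe from 192.168.1.20 port 51301 ssh2
"""

FAILED = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)


def parse_failures(log_text: str, year: int = 2001):
    """Yield (timestamp, source address, user name) for each failed login."""
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if m:
            # syslog timestamps carry no year, so one is supplied by the caller
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["src"], m["user"]


def brute_force_sources(log_text: str, threshold: int = 5, window_seconds: int = 60):
    """Return {source: total failures} for sources with >= threshold failures
    inside any window of window_seconds.

    A sliding window over each source's sorted failure times, so five failures
    spread across a whole day do not trigger but five within a minute do.
    """
    by_src = defaultdict(list)
    for ts, src, _user in parse_failures(log_text):
        by_src[src].append(ts)
    flagged = {}
    for src, times in by_src.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                flagged[src] = len(times)
                break
    return flagged


if __name__ == "__main__":
    for src, count in brute_force_sources(SAMPLE_LOG).items():
        print(f"{src}: {count} failed logins, burst detected")
```

The output of a check like this is exactly what should land in the incident form: the time, the affected system, how the intrusion attempt was discovered, and the evidence lines themselves.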

Security Categories

This page outlines the various technical and management areas that comprise network and computer system security. These categories include actions and areas of knowledge that will help administrators in securing a network. When administrators have proper knowledge about intruder attacks, networking, and security protocols, they can properly set up a network to be more secure.

- Application and Operating system vulnerability control - Includes:
  o Inventorying software used on your network including all server and client software: operating systems, applications, and services. The version number of each software component should be recorded.
  o Watching security bulletins for newly discovered vulnerabilities on software in use on your network.
  o Updating applications in a timely fashion when security vulnerabilities are found.
  o Service monitoring - Every network administrator should know what services and network ports are active on each system on the network. Service and port use should be limited to only those that are necessary on each system.
  o Approved Software - Only software approved by the Information Systems department should be used in the organization. This is not to restrict someone's rights, but to protect the organization from potentially hostile software such as trojan or spyware programs.
- Network Management
  o Management of network structure - Where routers, bridges and other devices are used. What network transmission media are used. Network layout can be used to increase the network security.
  o Firewalls - Implementation, configuration, management, and monitoring.
  o Intrusion detection - Determining when an intruder has penetrated or attempted penetration of the network.
  o Traps - Traps can be used to delay some intruders or prevent damage.
  o Passwords - Passwords may have different methods of storage, transmittal, or password policies. Variations of these methods can affect the security of the passwords and the network.
  o Security tools - Various tools can be used to check the security strength of the network and various computers.
  o User Education - Educating users so they can be aware of what to do and what not to do to help keep the network secure.
  o Intruder attacks - An administrator should have some knowledge of the various types of intruder attacks in order to better be able to structure the network and various systems to be resistant to these attacks.
  o Hardware management - Hardware devices which can connect to the network independently of your normal connection such as modems should be managed to be sure they are not used without approval and if used should be properly protected.
- Virus Protection - Virus protection is used to identify and remove viruses from computer systems and should be actively running on all systems on the network. However, virus protection will not defend against undocumented viruses.
- Security policy - Security policy outlines how the network is used and even may determine wording of warnings. These warnings may state something like "Unauthorized use is prohibited". Security policy may be used to determine password policies, external connection policies, use of the internet and so forth. The policy should also state how software will be used and that only approved software will be used.
- Security protocols - Knowledge about various encryption protocols, their strengths and weaknesses, and how they are best used can help administrators make networks much more secure.

Software Vulnerability Control
A software vulnerability is some defect (commonly called a "bug") in software which may allow a third party or program to gain unauthorized access to some resource. Software vulnerability control is one of the most important parts of computer and network security for the following reasons.
- Virus programs use vulnerabilities in operating system and application software to gain unauthorized access, spread, and do damage.
- Intruders use vulnerabilities in operating system and application software to gain unauthorized access, attack other systems, and do damage.
- Some software itself may be hostile.
If software vulnerabilities did not exist, I believe that viruses would not exist and gaining any unauthorized access to resources would be very difficult indeed. The primary tools for unauthorized access would then become:
- Trojan horse programs (described below)
- Network sniffing.
- Password cracking through network sniffing.
- Man in the middle attacks.
Most unauthorized access would then most likely be done by employees of the organization or the unauthorized access would be due to very sloppy firewall administration or user error.

Countermeasures
There are several countermeasures that may help ensure that unauthorized and possibly hostile virus or trojan software does not run on your systems. These countermeasures also limit the scope of the vulnerability. Countermeasures include:
- Run virus scan software on every organizational computer and update the virus scan database at least twice per week. Perform a full scan at least once per week.
- Keep software security patches updated - Get on computer security advisory mailing lists and update applicable software. With some systems such as Windows systems you can set up a server to automatically update systems on your network. One way to do this in Windows 2000 servers.
- Run vulnerability scanners both inside and outside your network to find computers with vulnerabilities so you will know which ones need patching. The cost of this should be weighed against the security need.

Running Virus Scan Software
Virus scan software should be run on every computer within the organization. This will detect known viruses when they attempt to infiltrate the system if the virus scan software is set up correctly. Keep in mind however that virus scan software will only detect viruses in its database, so there are two concerns:
- Unknown viruses will not be stopped by the scanner - This is why patching applications is very important. Patching applications will help eliminate the vulnerabilities that virus programs will exploit.
- The virus database must be updated at least weekly so as new viruses are discovered, they will be found by your virus scanner programs. These updates may be downloaded from the maker of the virus scan software. They are normally executable files which update the database on the client computers. The executable file can be placed in the user's network login script program so it will run when they boot their system. In some cases it may be best to test the virus update before running it on the entire system.
To be most effective, virus scanner programs should be set up to do the following:
- Perform regular weekly or monthly scans of the entire computer system's local drives.
- Scan all files when a scan is performed and don't allow any exclusions of any directories such as the recycle bin.
- Be sure to prompt for user action when a virus is found. This way the user is more likely to be aware of where the virus came from and they can call your IT staff.
- Set the system to scan files when a file is run, copied, renamed or created.
- Set up e-mail scanning to scan e-mail attachments. This can also be done at the firewall, but should be done at least either at the firewall or on all client computers. Scanning at both locations may be a good idea if it is feasible.
- You may also want to scan web content for hostile content either at the firewall or client computer depending on your setup. You should know that scanning for hostile e-mail or web content on the firewall may overburden your firewall. Many firewall organizations recommend that the scanning be done on a separate computer. How this is done will depend on your situation, but you should at least determine the process load on the firewall before adding this capability.
All virus incidents should be logged for future reference.

Update Software Security Patches
This process involves several steps which include:
1. Know your software configuration on all systems. This can be most easily done with a database with information about all computers and software in the organization. The following information is required to have the ability to update software with security patches:
o What each computer is used for.
o The version of the operating system and the maker of the operating system.
o The last update to the operating system.
o The maker and version of all applications run on the system.
o The last update to each application.
o A list of, or knowledge of, services running on each system. A service is performed by a particular program on the system. An example is a service that allows network logons to the system.
o A list of, or knowledge of, network ports on each computer system that may be active and any associated service. A network port is a number which is used for networking to direct a network transmission to a particular program to be processed.
2. Get on computer security advisory mailing lists and update applicable software. Some of the websites associated with these lists can be found in the "websites" area of the security section of the Computer Technology Documentation Project.
3. Evaluate security advisory bulletins - When security advisories come in, they will mention security vulnerabilities in operating systems or application software. Many of these vulnerabilities may be associated with web browser programs or Microsoft operating systems or applications. Sometimes the vulnerability is associated with a service on a platform such as Unix or Linux. The administrator must evaluate whether your organization is using this software and whether the vulnerability is a security risk to your organization. The steps at this point should be similar to:
o The administrator determines whether there is risk.
o The administrator should determine the amount of risk and possible damage. This may be presented to management. If management is involved in this decision process, some methodology must be worked out between the administrator and management which allows the risk to be categorized. This will allow more sound decision making. In order for the network to be secure, the decision to apply the patch cannot be left strictly to non-technical management.
o If necessary the administrator and management will decide whether to apply the patch.
o If the security vulnerability is a threat, the patch should be applied as soon as possible.
This is not an endorsement of Microsoft or Windows 2000


the program to be spread or information may be compromised. These are some functions that hostile software may perform:
- Damaging operating systems.
- Damaging or destroying data.
- Sniffing the network for any data or passwords.
- Installing itself or some other hostile software on computer systems for later use.
- Acquisition of unencrypted passwords on the network.
- Forwarding compromised information to hostile parties through the firewall.
- Harvesting e-mail addresses.
- Putting unsolicited advertisements on infected computer systems. These programs are called adware and may come with other "useful" applications.
- Spyware - A type of program that usually comes with a useful application but sends information to its creator about what the computer user is doing on the internet. Some of these programs' creators actually tell the user that the program comes with the ability to see what the user is doing on the internet. Others do not.
You should be aware that all types of hostile programs such as viruses and trojans can perform any of the above functions. There is a tendency for viruses to only damage systems or data, and trojan programs to send compromised data to other parties, but either type of program can perform any of the functions. This is why all unauthorized programs are a very serious matter.

Viruses
Viruses reproduce themselves by attaching themselves to other files that the user does not realize are infected. Viruses are spread today mainly through e-mail attachments. The attachment may be a file that is a legitimate file but the virus may be attached as a macro program in the file. An example is a Microsoft Word file. These files can contain macro programs which can be run by Microsoft Word. A virus may infect these files as a macro and when they get on the next user's computer, they can infect other files. These virus programs normally take advantage of a security vulnerability of the running application. In the case of this example a Microsoft Word macro permission security vulnerability is exploited. Viruses can directly affect executable files or Dynamic Link Library (DLL) files that the operating systems and applications use to run. Usually the virus will spread before it will do anything that may alert the user to its presence.
The countermeasure to prevent virus programs from infiltrating your organization is to implement the countermeasures in the section titled "Software Vulnerability Control". Running virus scanning software on every computer in the organization is a primary step in minimizing this threat.

Trojan Horse Software
The name "Trojan horse" comes from the historical incident where the Greeks built a horse statue as a tool to take the city of Troy. They hid soldiers inside. The people of Troy thought that they were victorious and the gods had given them the horse as a gift, so they pulled the horse inside the city. At night the soldiers inside the horse snuck out and opened the gates of the city, letting the main Greek army into the city.
Trojan horse software is software that appears to have some useful function, but some hidden purpose awaits inside. This purpose may be to send sensitive information from inside your organization to the author of the software.
The countermeasure to prevent trojan horse programs from infiltrating your organization is to implement the countermeasures in the section titled "Software Vulnerability Control". Allowing only approved software with proper testing to be run in the organization will minimize the threat of these programs. The organizational security policy can help ensure that all members of the organization operate in compliance with this countermeasure.

Network Layout
The network layout has much influence over the security of the network. The placement of servers with respect to the firewall and various other computers can affect both network performance and security. There may even be areas of the network that are more secure than others. Some of these areas may be further protected with an additional firewall. A typical network is shown below.
In this network, the box labeled "IDS" is an intrusion detection system which may be a computer or device designed to log network activity and detect any suspicious activity. In this diagram it is shown outside the firewall, on the semi-private network and protecting the servers on the private network. It may be a good idea to place an IDS just inside the firewall to protect the entire private network since an attack may be first launched against a workstation before being launched against a server. The IDS protecting the servers could be moved to protect the entire private network, but depending on cost and requirements it is also good to protect your servers, especially the mail server. The semi-private network is commonly called a "DMZ" (for DeMilitarized Zone) in many security circles. In this diagram the semi-private network contains a mail relay box to increase security since the mail server is not directly accessed. The mail relay box routes mail between the internet and the mail server.
Other network equipment used includes:
- Routers - Used to route traffic between physical networks. Many routers provide packet filtering using access control lists (ACLs). This can enhance network security when configured properly. Routers can be configured to drop packets for some services and also drop packets depending on the source and/or destination address. Therefore routers can help raise the security between different segments on a network and also help isolate the spread of viruses.
- Switches - A switch is used to regulate traffic at the data link layer of the OSI network model. This is the layer which uses the Media Access Control (MAC) address. It is used to connect several systems to the network and regulates network traffic to reduce traffic on the network media. This can reduce collisions.
- Media - The physical cable that carries the signal for the network traffic.
Routers can be set up to perform packet filtering to enhance network security.

Network User Functions
The consideration of how each computer system on the network is used is a very important part of computer and network security. These considerations can even be used to enhance cost savings where necessary.
Many times when security vulnerabilities are published, an older version of software may not be supported by the manufacturer. This may require an operating system upgrade or an additional license to be purchased to upgrade specific software. This may be very cost prohibitive to many organizations. When dealing with these situations, it is important to consider your network layout and how it is used.
One consideration that should be kept in mind when dealing with network security is which users can perform which functions and which computers these users can use. For example the following situation may exist in an organization:
- Some users can receive and send both internal and external e-mail while others can only send and receive internal e-mail.
- Users who can only send and receive internal e-mail will not have users on their systems who can use external e-mail.
Considering this situation, the computers that can only receive internal e-mail are less of a security risk than those which can receive external e-mail. Many viruses spread with e-mail. If computers that send and receive external e-mail do not get the virus, then it is not likely to spread to those computers that only deal with internal e-mail. Therefore it is more important to fix application vulnerabilities on computers that deal with external e-mail than on those that do not. In this way, a virtual perimeter of protection may be established in an organization. This may not be the most secure network configuration, but it is much more secure than not updating any computers at all.

Traffic Filtering
Traffic filtering is a method used to enhance network security by filtering network traffic based on many types of criteria.

Packet Filtering
Packet filtering is a method of enhancing network security by examining network packets as they pass through routers or a firewall and determining whether to pass them on or what else to do with them. Packets may be filtered based on their protocol, sending or receiving port, sending or receiving IP address, or the value of some status bits in the packet. There are two types of packet filtering. One is static and the other is dynamic. Dynamic is more flexible and secure as stated below.

Static Packet Filtering
Does not track the state of network packets and does not know whether a packet is the first, a middle packet or the last packet. It does not know if the traffic is associated with a response to a request or is the start of a request.

Dynamic Packet Filtering
Tracks the state of connections to tell if someone is trying to fool the firewall or router. Dynamic filtering is especially important when UDP traffic is allowed to be passed. It can tell if traffic is associated with a response or a request. This type of filtering is much more secure than static packet filtering.
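The difference between the two filter types, shown on constructed traffic as an added example (not code from the tutorial). The static rules judge each packet by its header alone, so an unsolicited inbound packet that merely sets the ACK bit, or a UDP packet that claims source port 53, passes; the dynamic filter keeps a table of outbound requests and admits only their replies. The address prefix, ports and packet contents are all assumed.

```python
"""Static (stateless) versus dynamic (stateful) packet filtering, simulated
on constructed packets.  Added example; it is not code from the tutorial."""
from dataclasses import dataclass, field

INSIDE_PREFIX = "10.0.0."   # constructed: addresses of the protected network


@dataclass(frozen=True)
class Packet:
    proto: str                 # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset = field(default_factory=frozenset)   # TCP flags

    def inbound(self) -> bool:
        """True when the packet arrives from outside the protected network."""
        return not self.src.startswith(INSIDE_PREFIX)


def static_filter(pkt: Packet) -> str:
    """Stateless rules: every packet is judged on its own header alone.

    Outbound traffic is allowed.  Inbound TCP is allowed only when ACK is
    set, the classic way a static filter approximates "reply to a connection
    we started".  Inbound UDP from source port 53 is allowed so that DNS
    answers can get back in; the filter cannot know whether a request was
    ever sent.
    """
    if not pkt.inbound():
        return "allow"
    if pkt.proto == "tcp":
        return "allow" if "ACK" in pkt.flags else "drop"
    if pkt.proto == "udp" and pkt.sport == 53:
        return "allow"
    return "drop"


class DynamicFilter:
    """Stateful rules: an outbound request creates a connection entry, and an
    inbound packet is allowed only when it is the reverse of an entry."""

    def __init__(self) -> None:
        self.table = set()

    def decide(self, pkt: Packet) -> str:
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if not pkt.inbound():
            # Remember TCP connection attempts and every UDP request.
            if pkt.proto == "udp" or "SYN" in pkt.flags:
                self.table.add(key)
            return "allow"
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if reverse in self.table:
            if pkt.proto == "udp":
                self.table.discard(reverse)   # one answer per UDP request
            return "allow"
        return "drop"


def run(packets):
    """Return (static decision, dynamic decision) for each packet in order."""
    dyn = DynamicFilter()
    return [(static_filter(p), dyn.decide(p)) for p in packets]


# Constructed traffic: a normal web connection, a DNS lookup, and two
# unsolicited inbound packets dressed up to look like replies.
SAMPLE_PACKETS = [
    Packet("tcp", "10.0.0.5", 40000, "203.0.113.7", 80, frozenset({"SYN"})),
    Packet("tcp", "203.0.113.7", 80, "10.0.0.5", 40000, frozenset({"SYN", "ACK"})),
    Packet("tcp", "198.51.100.9", 6000, "10.0.0.8", 139, frozenset({"ACK"})),
    Packet("udp", "10.0.0.5", 5353, "203.0.113.53", 53),
    Packet("udp", "203.0.113.53", 53, "10.0.0.5", 5353),
    Packet("udp", "198.51.100.9", 53, "10.0.0.8", 137),
]

if __name__ == "__main__":
    for pkt, (s, d) in zip(SAMPLE_PACKETS, run(SAMPLE_PACKETS)):
        print(f"{pkt.proto} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}"
              f"  static={s:5}  dynamic={d}")
```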

Source Routing
In source routing, packets contain header information describing the route they are to take to the destination. Source routing is a security concern when an attacker may gain access to a network that has access to yours without going through your firewall. Source routing should be disabled on network routers, especially at the network perimeters. Hackers may be able to break through other friendly but less secure networks and get access to your network using this method.

Mail and Security
Many attempts to intrude on organizational networks are made either through the organization's email server or through sending mail directly to users of the network. There are several steps which should be taken to reduce the chance of penetration success in this area.
- Block many dangerous email attachments on your mail server or at your firewall. Many attachment types may contain code that can be run on workstations or servers and create a method for an outsider to gain control of that machine. If an executable attachment is sent to one of your users and they double click on the attachment, it is likely that the code will run and the attack will succeed. The only defense in this case is your antivirus software on the machine. However, consider the possibility that the virus program may not recognize the attachment as hostile code either because it was not detected yet or because a hacker specifically wrote the code to penetrate your network. We block the following attachments because they either can point to dangerous code, are dangerous code or can contain dangerous code:
1. .ade - Microsoft Access project extension can contain executable code.
2. .adp - Microsoft Access project can contain executable code.
3. .app - Microsoft FoxPro application is executable code.
4. .asp - Active server pages
5. .asx -
6. .bas - Basic program source code is executable code.
7. .bat - Batch file which can call executable code.
8. .chm - Compiled HTML help file can contain executable code.
9. .cmd - Windows NT command script file is executable code.
10. .csh
14. .dll - Dynamic link library is executable code. Could be placed on your system then run by the system later.
15. .exe - Binary executable program is executable code.
16. .fxp - Microsoft FoxPro is executable code.
17. .hlp - Help file
18. .hta - HTML program
19. .inf - Setup information
20. .jse - JavaScript encoded file
24. .ksh - Unix shell file
25. .lnk - Link file
26. .mda - Microsoft Access add-in program
27. .mdb - Microsoft Access program
28. .mde - Microsoft Access MDE database
29. .mdt - Microsoft Access file
31. .mdz - Microsoft Access wizard program
32. .msc - Microsoft Common Console document
33. .msi - Microsoft Windows installer package
34. .msp - Windows Installer patch
35. .mst - Visual Test source files
36. .ops - FoxPro file
37. .pcd - "Photo CD image or Microsoft Visual Test compiled script"
38. .pif - "Shortcut to MS-DOS program"
39. .prf - "Microsoft Outlook Profile Settings"
40. .scr - Screen saver
44. .sct - Windows script component
45. .shb - Document shortcut
46. .shs - Shell scrap object
47. .url - Internet address
48. .vb - Visual Basic file
49. .vbe - Visual Basic encoded script file
50. .vst
54. .vsw
55. .wsc - Windows script component
56. .wsf - Windows script file
57. .wsh - Windows script host settings file
58. .xsl - XML file may contain executable code
Microsoft Outlook blocks these above attachments by default in Outlook 2000
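A mail-server side check against the extension list above, as an added example (not the tutorial's code). It uses the extensions as printed on this page, normalises the attachment name the way a Windows workstation would interpret it (path stripped, trailing dots and spaces ignored, case-insensitive, only the final extension counts, so "report.txt.exe" is caught), and walks the attachments of a constructed message; the message contents and sender names are assumed.

```python
"""Blocking dangerous e-mail attachments by file extension, using the list
from the Mail and Security section.  Added example; not the tutorial's code."""
from email.message import EmailMessage

# Extensions exactly as listed on the page (the page's list has gaps).
BLOCKED_EXTENSIONS = {
    "ade", "adp", "app", "asp", "asx", "bas", "bat", "chm", "cmd", "csh",
    "dll", "exe", "fxp", "hlp", "hta", "inf", "jse", "ksh", "lnk", "mda",
    "mdb", "mde", "mdt", "mdz", "msc", "msi", "msp", "mst", "ops", "pcd",
    "pif", "prf", "scr", "sct", "shb", "shs", "url", "vb", "vbe", "vst",
    "vsw", "wsc", "wsf", "wsh", "xsl",
}


def blocked_extension(filename: str):
    """Return the blocked extension of *filename*, or None if it is allowed.

    The name is normalised the way a Windows workstation interprets it: any
    path is stripped, trailing dots and spaces are ignored, and the match is
    case-insensitive.  Only the final extension counts, so a double
    extension such as "report.txt.exe" is still caught.
    """
    name = filename.replace("\\", "/").rsplit("/", 1)[-1]
    name = name.rstrip(". ").lower()
    if "." not in name:
        return None
    ext = name.rsplit(".", 1)[1]
    return ext if ext in BLOCKED_EXTENSIONS else None


def scan_message(msg: EmailMessage):
    """List (filename, extension) for every blocked attachment in *msg*."""
    hits = []
    for part in msg.iter_attachments():
        filename = part.get_filename() or ""
        ext = blocked_extension(filename)
        if ext:
            hits.append((filename, ext))
    return hits


def build_sample_message() -> EmailMessage:
    """Constructed message with one harmless and two dangerous attachments."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"       # constructed addresses
    msg["To"] = "user@example.com"
    msg["Subject"] = "Files"
    msg.set_content("See attached.")
    msg.add_attachment(b"%PDF-1.4 (constructed)", maintype="application",
                       subtype="pdf", filename="Invoice.PDF")
    msg.add_attachment(b"MZ (constructed)", maintype="application",
                       subtype="octet-stream", filename="report.txt.EXE")
    msg.add_attachment(b"@echo off (constructed)", maintype="application",
                       subtype="octet-stream", filename="run.cmd.")
    return msg


if __name__ == "__main__":
    for filename, ext in scan_message(build_sample_message()):
        print(f"blocked attachment {filename!r} (.{ext})")
```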


Firewall
Firewalls are used to protect an organization's internal network from those on the outside (internet). It limits and regulates the access from the outside to the internal network and also regulates traffic going out. It is used to keep outsiders from gaining information about secrets or from doing damage to internal computer systems. Firewalls are also used to limit the access of individuals on the internal network to services on the internet along with keeping track of what is done through the firewall.
Firewalls filter traffic based on their protocol, sending or receiving port, sending or receiving IP address, or the value of some status bits in the packet. There are several types of firewalls which include packet filtering, circuit level relay, and application proxy. If your organization does not have a firewall, get one. At least implement a packet filtering firewall on a Linux based computer, if money is the concern.
- The firewall should filter e-mail, FTP file transfers, and web content traffic for potentially harmful or hostile code and viruses.
- No computer should be directly connected to the internet without going through an IS approved firewall. This means independent modem connections to the internet should be forbidden.

Firewall Policy
- Set up a "spoofing filter" on your firewall - Don't allow traffic from the internet that indicates a source IP address matching any of your internal network addresses. This keeps attackers from "spoofing" your machines and possibly causing them to crash.
- Prevent spoofing from your network - Place an outbound filter (for addresses inside your network attempting outside access) on the firewall that only allows traffic from valid internal network addresses to be serviced. This should prevent attacks against other networks from being originated in your network.
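The two anti-spoofing rules from the policy above, expressed as an added example (not the tutorial's code): the ingress rule drops any packet arriving on the internet side that claims an internal source address, and the egress rule lets only valid internal source addresses out. The internal address blocks, interface names and the packet log are all constructed.

```python
"""Anti-spoofing filters for a perimeter firewall, following the Firewall
Policy section.  Added example; not code from the tutorial."""
import ipaddress

# Constructed: address blocks assigned to the organization's internal network.
INTERNAL_NETS = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("10.20.0.0/16"),
]


def is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def ingress_filter(src: str) -> tuple:
    """Spoofing filter on the internet-facing interface: a packet from the
    outside must never claim one of our internal source addresses."""
    if is_internal(src):
        return ("drop", "internal source address arriving from the internet")
    return ("allow", "")


def egress_filter(src: str) -> tuple:
    """Outbound filter: only packets with a valid internal source address may
    leave, so this network cannot be used to spoof attacks on others."""
    if not is_internal(src):
        return ("drop", "outbound packet with non-internal source address")
    return ("allow", "")


def filter_packet(interface: str, src: str, dst: str) -> tuple:
    """Dispatch on the interface the packet was received on (names assumed)."""
    if interface == "outside":
        return ingress_filter(src)
    if interface == "inside":
        return egress_filter(src)
    return ("drop", "unknown interface")


def audit(log):
    """Apply the rules to a list of (interface, src, dst) entries."""
    return [filter_packet(*entry) for entry in log]


# Constructed packet log: (interface received on, source, destination).
SAMPLE_LOG = [
    ("outside", "203.0.113.5", "192.0.2.10"),    # ordinary inbound packet
    ("outside", "192.0.2.10", "192.0.2.25"),     # spoofed: claims to be our host
    ("outside", "10.20.3.4", "192.0.2.10"),      # spoofed: our second block
    ("inside", "10.20.3.4", "198.51.100.7"),     # ordinary outbound packet
    ("inside", "203.0.113.5", "198.51.100.7"),   # spoofed outbound source
]

if __name__ == "__main__":
    for entry, (verdict, reason) in zip(SAMPLE_LOG, audit(SAMPLE_LOG)):
        print(entry, verdict, reason)
```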

    Network "ntrusion #etection0our network should have some network intrusion detection system. %ith that said,the method of detecting intrusions, how to monitor, and how to interpret the data is

    a complex sub+ect."ntrusion #etection Types "etwork 4 (sed to protect the network or a large part of it. It listens to allavailable network packets and tries to find any intrusion pattern based on theinformation in the packets. %here this type of I/ is placed on the network isimportant since it cannot analyze all packets behind routers, bridges, or switches. /ystem 4 (sed to protect a specific host such as a webserver. This kind ofintrusion system can be especially effective when a server is in an area off thefirewall such that it is neither on the internet or on the internal network K @nown as aemilitarized zone 6*87 L. These kinds of intrusion detection systems can usuallyonly protect one service well.

    "ntrusion #etection +euirementsThe intrusion detection re$uirements mentioned in this section are generally fornetwork intrusion detection systems rather than system intrusion detection systems.The re$uirements mentioned here are general and will depend on the size of yournetwork, traffic load on your network, and the type of intrusion detection softwareyou install. 5ead the manufacturers instructions for specific recommendations.Intrusion detection systems typically consist of two parts which are an engineand acontrol console. These two parts are usually on separate computers. 1bviouslythe console is used to control and make changes to the behavior of the intrusiondetection engine. The engine analyzes the network traffic and takes appropriate

  • 8/10/2019 Network and Computer Security Tutorial

    20/26

    action if an intrusion is detected./ince network intrusion detection systems must process a lot of network data in ashort time, these systems re$uire a good deal of processing power. They alsore$uire much 5A* for high performance, and may re$uire much hard drive space tostore log information.

    "ntrusion #etection eatures Attack patterns are saved in a database.

    ata packet reassembly 4 /ome may or may not re4assemble I! packets thesame way a receiving system would reassemble them. *ost I/ do not reassemblethe packets in this manner. %ithout reassembling the packets as the receiver, someattacks may go unnoticed. Checksum verification 4 A good I/ will verify packet checksums to be surethe packet has not been tampered with.
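The checksum verification an IDS performs, as an added example (not the tutorial's code): the IPv4 header checksum, and the UDP checksum whose pseudo-header ties the segment to its IP addresses, so a segment whose addresses were altered fails even when its own bytes are intact. The sample header is a constructed 20-byte UDP header; the UDP segment is built inline.

```python
"""Verifying IPv4 header and UDP checksums the way an IDS should, from the
Intrusion Detection Features section.  Added example; not the tutorial's code."""
import struct


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's complement sum of *data* (odd length is zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                         # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return total


def checksum(data: bytes) -> int:
    """Checksum to place in a header whose checksum field is currently zero."""
    return (~ones_complement_sum(data)) & 0xFFFF


def verify_ipv4_header(header: bytes) -> bool:
    """A header is intact when the sum over all of it (checksum included) is
    0xFFFF.  The header length comes from the IHL field, not len(header)."""
    ihl = (header[0] & 0x0F) * 4
    if header[0] >> 4 != 4 or ihl < 20 or len(header) < ihl:
        return False
    return ones_complement_sum(header[:ihl]) == 0xFFFF


def fill_ipv4_checksum(header: bytes) -> bytes:
    """Recompute the checksum field (bytes 10-11) of an IPv4 header."""
    zeroed = header[:10] + b"\x00\x00" + header[12:]
    return header[:10] + struct.pack("!H", checksum(zeroed)) + header[12:]


def udp_pseudo_header(src: bytes, dst: bytes, udp_len: int) -> bytes:
    """RFC 768 pseudo-header: source, destination, zero, protocol 17, length."""
    return src + dst + struct.pack("!BBH", 0, 17, udp_len)


def build_udp(src: bytes, dst: bytes, sport: int, dport: int, payload: bytes) -> bytes:
    udp_len = 8 + len(payload)
    segment = struct.pack("!HHHH", sport, dport, udp_len, 0) + payload
    csum = checksum(udp_pseudo_header(src, dst, udp_len) + segment)
    if csum == 0:
        csum = 0xFFFF            # zero is reserved for "no checksum"
    return segment[:6] + struct.pack("!H", csum) + segment[8:]


def verify_udp(src: bytes, dst: bytes, segment: bytes) -> bool:
    """The UDP checksum covers the pseudo-header, so it also binds the IP
    addresses.  A zero checksum means 'not computed' and is unverifiable."""
    stored = struct.unpack("!H", segment[6:8])[0]
    if stored == 0:
        return False
    udp_len = struct.unpack("!H", segment[4:6])[0]
    if udp_len != len(segment):
        return False
    data = udp_pseudo_header(src, dst, udp_len) + segment
    return ones_complement_sum(data) == 0xFFFF


# Constructed IPv4 header: 20 bytes, protocol UDP, 192.168.0.1 -> 192.168.0.199,
# checksum field zeroed.  Its correct checksum is 0xB861.
SAMPLE_IPV4 = bytes.fromhex("45000073 00004000 40110000 c0a80001 c0a800c7")

if __name__ == "__main__":
    hdr = fill_ipv4_checksum(SAMPLE_IPV4)
    print("ipv4 checksum %04x, valid=%s" % (struct.unpack("!H", hdr[10:12])[0],
                                            verify_ipv4_header(hdr)))
    src, dst = hdr[12:16], hdr[16:20]
    seg = build_udp(src, dst, 5353, 53, b"constructed payload")
    print("udp valid=%s, re-addressed valid=%s" % (
        verify_udp(src, dst, seg), verify_udp(src, bytes([192, 168, 0, 200]), seg)))
```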

    "ntrusion #etection Actions 'og intrusion information or save raw packets. /end an alert to an administrator using email or another method. Interfere with the attack. There are several actions that may be taken&o /ession disruption 4 The I/ can send AC@43I" packets to both ends of a

    connection 6by I! spoofing each computer7 to close a session. This may be done if a hackerappears to be gaining unauthorized access.o *odify the firewall or router behavior during an attack.

Network Port Scanners
Port scanners are used to help increase the security of your network. Ports are mapped to specific services. By running a software program that tests to see what ports a specific computer responds on, a network administrator (or potential hacker) can get some indication about the types of services running on a particular machine. Port scanning can be done inside your network to test various servers and workstations or it can be done from outside your network to determine what services can be accessed from the internet through your firewall.

Goals of Port Scanning
- To determine services that a computer is running and shut down services not being used to increase the security of the computer being scanned.
- To determine the vulnerabilities of the services that are being run on the computer being scanned. The vulnerabilities can then be patched once they are identified.

Internal and External Port Scanning
There are some security service providers that will scan your network from the internet to test for open ports and vulnerabilities on your servers. They may provide a printed or electronic report on the results outlining your vulnerabilities and giving recommendations about how to fix them. Many of these services are very useful especially since they stay current with current vulnerability information and update their software regularly to test for new vulnerabilities.
Even if you hire someone to scan your network from the outside, you should still scan your network with your own scanning tools from the inside. Please note that before scanning or sniffing your network, even as a network administrator, you should always get written permission from your management first, up to the level of your CIO. This is to avoid prosecution should someone decide they do not like information being scanned. Also be sure you do not scan when system crashes due to scans could cause loss of data or interfere with work. If you scan your network, you should scan specific parts of your network rather than the whole network at one time. I would recommend that you scan and secure your servers first, but do not do this during normal business hours when your server usage is at a peak. Also you may want to warn your users before a scan is done that some service interruption may occur due to system preventative maintenance.

Port Scanners
There are many port scanner types, some of which may identify vulnerabilities along with ports that are being serviced. Links to port scanners can be found at http://www.techtutorials.info/nsectools.html

Computer Security Tools
Other network tools include:
- Honey Pots - Used to fool a hacker into believing that a target exists which really does not exist. It may be used to keep a hacker in a virtual environment which does not really exist as a means of capture or to prevent the attacker from attacking a real target.
- Utilities that can be used to analyze log files - Makes administrator jobs easier by scanning log files to locate attempted unauthorized entry or suspicious activity.
- Network Sniffers - Can be used to sniff and log network traffic which can help administrators find traffic on the network which may be suspicious or contain information which should be encrypted.
- Bandwidth Testers - Tests the available bandwidth across certain network lines or between two points on your network.
- Password cracking programs - Programs that take an encrypted or hashed value of a password and guess at the password until they find the unencrypted password.

Passwords
Passwords are a primary piece of information that intruders will try to acquire in order to gain unauthorized access to systems or networks.

Password Storage
When users enter passwords for the network or operating system, they or some facsimile of them must be stored so there is something to compare user login attempts to. There are three primary choices for password storage:
- Clear text
- Encrypted password
- Hash value of a password - Used by Unix and Windows NT
The storage locations may be:
- Root or administrator readable only
- Readable by anyone.
Passwords are more secure when they can only be read by the administrator or root account. Also the best password storage security is to store the hashed value of a password.

Typical Hashing Functions
- UNIX - Algorithm similar to DES with a 56 bit key. Two random characters (salt) are added to the algorithm so two password values are not stored the same even if they are the same.
- Windows NT - MD4 is used to generate a 128 bit value.

Password Protection and Cracking
Passwords should be chosen wisely and a dictionary word should never be used. This is because if an attacker can get the hashed or encrypted value of a password, they can run password guessing programs to eventually guess the password by comparing the encrypted result of the guess to the actual encrypted password. The easiest password attack is a dictionary attack where dictionary words are used to guess the password. Other attacks include a brute force attack which can take much longer than a dictionary attack. This is why passwords should have a minimum length and a minimum degree of complexity. The complexity requirements should include three of four of the following four types of characters:
- Lowercase
- Uppercase
- Numbers
- Special characters (punctuation such as . ( ) [ ] and similar)
For help in choosing passwords wisely see the article Tips for choosing Passwords that can be easily remembered, but are secure.

Protocols to send passwords

* PAP - Password Authentication Protocol - Used with Point to Point Protocol (PPP). The password is sent in the clear.
* CHAP - Challenge Handshake Authentication Protocol - Preferred over PAP since the actual password is not sent across the internet or network; the client proves it knows the secret by hashing the secret together with a random challenge from the server. An eavesdropper who captures the challenge and response can still test guesses against that pair offline, so CHAP does not remove the need for strong passwords.
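Both exchanges, as an added example (not code from the original tutorial): PAP puts the password on the wire as-is, while CHAP (MD5 variant, as in RFC 1994) sends only MD5(identifier || secret || challenge), verified by the server against a one-shot challenge so a captured response cannot be replayed. The user name, secret and word list are constructed for the demo; the last function shows the residual weakness noted above, an offline guess against the captured pair.

```python
"""Added example (not from the original tutorial): the PAP and CHAP exchanges
side by side, with an eavesdropper's view of each.  The user name, secret and
word list are constructed for the demo."""
import hashlib
import secrets
from typing import Dict, Iterable, Optional, Tuple


def pap_authenticate_request(peer_id: str, password: str) -> bytes:
    """PAP Authenticate-Request payload: length-prefixed peer id and password.
    The password travels exactly as typed."""
    return bytes([len(peer_id)]) + peer_id.encode() + bytes([len(password)]) + password.encode()


def chap_response(identifier: int, secret: str, challenge: bytes) -> bytes:
    """CHAP with MD5: Response = MD5(Identifier || secret || Challenge).
    The secret never leaves the client; only this digest is sent."""
    return hashlib.md5(bytes([identifier]) + secret.encode() + challenge).digest()


class ChapAuthenticator:
    """Server side: issues a fresh random challenge per attempt and verifies
    the response against its own copy of the shared secret."""

    def __init__(self, secrets_db: Dict[str, str]) -> None:
        self._secrets = secrets_db
        self._pending: Dict[str, Tuple[int, bytes]] = {}

    def challenge(self, name: str) -> Tuple[int, bytes]:
        ident = secrets.randbelow(256)
        chal = secrets.token_bytes(16)
        self._pending[name] = (ident, chal)
        return ident, chal

    def verify(self, name: str, identifier: int, response: bytes) -> bool:
        # One-shot: the challenge is consumed, so an old response cannot be replayed.
        pending = self._pending.pop(name, None)
        if pending is None or pending[0] != identifier or name not in self._secrets:
            return False
        expected = chap_response(identifier, self._secrets[name], pending[1])
        return secrets.compare_digest(expected, response)


def chap_offline_guess(identifier: int, challenge: bytes, response: bytes,
                       wordlist: Iterable[str]) -> Optional[str]:
    """Eavesdropper's view: the password is not on the wire, but each candidate
    secret can be tested offline against the captured challenge/response pair,
    so a weak secret still falls to a dictionary attack."""
    for word in wordlist:
        if chap_response(identifier, word, challenge) == response:
            return word
    return None


if __name__ == "__main__":
    auth = ChapAuthenticator({"alice": "s3cret"})
    ident, chal = auth.challenge("alice")
    resp = chap_response(ident, "s3cret", chal)
    print("PAP payload contains password:", b"s3cret" in pap_authenticate_request("alice", "s3cret"))
    print("CHAP response contains password:", b"s3cret" in resp)
    print("server accepts response:", auth.verify("alice", ident, resp))
    print("offline guess from capture:", chap_offline_guess(ident, chal, resp, ["password", "s3cret"]))
```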

Security Attacks

This page lists types of security attacks. This document will address security issues, measures, and policies which take these types of attacks into consideration.

* DoS - Denial of Service.
* Trojan Horse - Comes hidden inside other software.
* Virus - Reproduces itself by attaching to other executable files.
* Worm - Self-reproducing program that creates copies of itself. Worms that spread using e-mail address books are often called viruses.
* Logic Bomb - Dormant until an event triggers it (a date, a user action, a random trigger, etc.).

Hacker Attacks

I use the term "hacker attacks" to indicate attacks that are not automated by programs such as viruses, worms, or Trojan horse programs. There are various forms that exploit weaknesses in security. Many of these may cause loss of service or system crashes.

* IP spoofing - An attacker may fake their IP address so the receiver thinks a packet was sent from a location it did not actually come from. There are various forms and results of this attack.
  o The attack may be directed to a specific computer with the packet addressed as though it came from that same computer. This may make the computer think that it is talking to itself, which can cause some operating systems such as Windows to crash or lock up.
* Gaining access through source routing - Hackers may be able to break through other friendly but less secure networks and get access to your network using source-routed packets.
* Man in the middle attack -
  o Session hijacking - An attacker may watch a session open on a network. Once authentication is complete, they may attack the client computer to disable it, then use IP spoofing to claim to be the client who was just authenticated and steal the session. This attack can be prevented if the two legitimate systems share a secret which is checked periodically during the session.
* Server spoofing - The C2MYAZZ utility can be run on Windows 95 stations to request LANMAN (in the clear) authentication from the client. The attacker runs this utility while acting like the server as the user attempts to log in. If the client is tricked into sending LANMAN authentication, the attacker can read the username and password from the network packets sent.
* DNS poisoning - This is an attack where DNS information is falsified. It can succeed under the right conditions, but may not be very practical as an attack form. The attacker sends incorrect DNS information which can cause traffic to be diverted. The DNS information can be falsified because name servers do not verify the source of a DNS reply. When a DNS request is sent, an attacker can send a false DNS reply carrying additional bogus records which the requesting DNS server may cache. This attack can be used to divert users from a correct web server such as a bank's and capture information from customers when they attempt to log on.
* Password cracking - Used to get the password of a user or administrator on a network and gain unauthorized access.
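The DNS poisoning mechanism described above, as an added example (not code from the original tutorial): a toy resolver cache that trusts any reply is placed beside one that only accepts a reply matching an outstanding query (transaction id, question and the server that was asked) and that discards "additional" records for names outside the zone that server is responsible for. Names, addresses and transaction ids are constructed for the demo; the `txid_source` hook exists only so the attacker's guess can be made to succeed deterministically.

```python
"""Added example (not from the original tutorial): a toy resolver cache that
accepts any reply, beside one that applies the checks real resolvers use.
Names, addresses and transaction ids below are constructed for the demo."""
import secrets
from dataclasses import dataclass, field
from typing import Callable, Dict, Tuple


@dataclass
class DnsReply:
    txid: int
    question: str
    src: str                       # IP address the reply claims to come from
    answers: Dict[str, str]        # name -> address for the question
    additional: Dict[str, str] = field(default_factory=dict)  # extra records


def in_bailiwick(name: str, zone: str) -> bool:
    """True if `name` lies at or below `zone` (www.example.com is in example.com)."""
    return name == zone or name.endswith("." + zone)


class NaiveResolver:
    """Caches everything in any reply: no source check, no transaction id
    check, and it swallows 'additional' records for unrelated names."""

    def __init__(self) -> None:
        self.cache: Dict[str, str] = {}

    def query(self, name: str, zone: str, server: str) -> int:
        return secrets.randbelow(65536)

    def receive(self, reply: DnsReply) -> bool:
        self.cache.update(reply.answers)
        self.cache.update(reply.additional)
        return True


class CheckedResolver:
    """Accepts a reply only if it matches an outstanding query (txid, question
    and the server that was asked) and caches only records inside the zone
    that server is responsible for."""

    def __init__(self, txid_source: Callable[[], int] = lambda: secrets.randbelow(65536)) -> None:
        self.cache: Dict[str, str] = {}
        self._pending: Dict[int, Tuple[str, str, str]] = {}
        self._txid_source = txid_source   # demo hook; real code uses random ids

    def query(self, name: str, zone: str, server: str) -> int:
        txid = self._txid_source()
        self._pending[txid] = (name, zone, server)
        return txid

    def receive(self, reply: DnsReply) -> bool:
        pending = self._pending.get(reply.txid)
        if pending is None:
            return False                   # nothing outstanding with this id
        name, zone, server = pending
        if reply.question != name or reply.src != server:
            return False                   # wrong question or not from the server we asked
        del self._pending[reply.txid]
        for rname, addr in {**reply.answers, **reply.additional}.items():
            if in_bailiwick(rname, zone):  # out-of-bailiwick records are dropped
                self.cache[rname] = addr
        return True


if __name__ == "__main__":
    spoof = DnsReply(0x1234, "www.example.com", "198.51.100.7",
                     {"www.example.com": "198.51.100.7"},
                     {"www.bank.example": "198.51.100.7"})
    naive = NaiveResolver()
    naive.query("www.example.com", "example.com", "192.0.2.53")
    naive.receive(spoof)
    print("naive cache:", naive.cache)
```

Even the checked resolver accepts the spoofed answer once the attacker guesses the 16-bit transaction id and forges the source address, which is why modern resolvers also randomize the source port and why DNSSEC exists; what the checks do remove is the out-of-bailiwick "bank" record riding along in the additional section.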

Some DoS Attacks

* Ping broadcast - A ping request packet is sent to a broadcast network address where there are many hosts. The source address in the packet is forged to be the IP address of the computer to be attacked. If the router to the network passes the ping broadcast, all computers on the network will respond with a ping reply to the attacked system. The attacked system will be flooded with ping responses, which will make it unable to operate on the network for some time and may even cause it to lock up. The attacked computer may be on someone else's network. One countermeasure is to block incoming traffic that is sent to a broadcast address, so that your network cannot be used as the amplifier.
* Ping of death - An oversized ICMP datagram can crash IP devices that were made before 1996.
* Smurf - The common name for the ping broadcast attack above: a ping request is sent to a broadcast network address with the sending address spoofed so that many ping replies come back to the victim and overload the victim's ability to process them.
* Teardrop - A normal packet is sent. A second packet is sent which has a fragmentation offset claiming to be inside the first fragment; this second fragment is too small to even extend outside the first fragment. This may cause an unexpected error condition on the victim host, which can cause a buffer overflow and possible system crash on many operating systems.
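The teardrop condition, as an added example (not code from the original tutorial): `naive_overlap_adjust` mirrors the flawed length arithmetic that early reassemblers applied to an overlapping fragment, producing a negative length that was then used as an unsigned copy size, and `reassemble` is a strict reassembler that refuses overlapping or gapped fragments instead. Offsets are kept in bytes for readability (real IP headers carry them in 8-byte units), and the fragment lists are constructed for the demo.

```python
"""Added example (not from the original tutorial): IP fragment reassembly
that rejects the overlapping fragments the teardrop attack relies on,
next to the length arithmetic that made early reassemblers crash.
Offsets here are in bytes (real IP headers carry them in 8-byte units);
the fragments in the demo are constructed."""
from typing import List, Tuple

MAX_DATAGRAM = 65535

Fragment = Tuple[int, bytes, bool]   # (offset, payload, more_fragments flag)


class FragmentError(ValueError):
    pass


def naive_overlap_adjust(prev_end: int, offset: int, length: int) -> Tuple[int, int]:
    """The classic flawed logic: if a new fragment starts inside data already
    received, move its start to prev_end and shorten it accordingly, without
    checking that it extends past prev_end at all.  Returns (offset, length);
    the negative length produced by a teardrop pair was later treated as a
    huge unsigned copy size."""
    if offset < prev_end:
        length -= prev_end - offset
        offset = prev_end
    return offset, length


def reassemble(fragments: List[Fragment]) -> bytes:
    """Strict reassembly: fragments must tile the datagram exactly, with no
    overlap and no gaps, and the total must fit an IP datagram."""
    if not fragments:
        raise FragmentError("no fragments")
    buf = bytearray()
    expected = 0
    ordered = sorted(fragments, key=lambda f: f[0])   # fragments may arrive out of order
    for i, (offset, data, more) in enumerate(ordered):
        if offset < expected:
            raise FragmentError(f"fragment at {offset} overlaps data already received up to {expected}")
        if offset > expected:
            raise FragmentError(f"gap before fragment at {offset}")
        if not data:
            raise FragmentError("empty fragment")
        is_last = i == len(ordered) - 1
        if more == is_last:
            raise FragmentError("more-fragments flag inconsistent with fragment position")
        buf += data
        expected += len(data)
        if expected > MAX_DATAGRAM:
            raise FragmentError("reassembled datagram exceeds 65535 bytes")
    return bytes(buf)


def accepts(fragments: List[Fragment]) -> bool:
    """True if the strict reassembler would reconstruct the datagram."""
    try:
        reassemble(fragments)
        return True
    except FragmentError:
        return False


if __name__ == "__main__":
    # Constructed teardrop pair: the second fragment lies entirely inside the first.
    teardrop = [(0, b"A" * 36, True), (24, b"B" * 4, False)]
    print("naive adjusted (offset, length):", naive_overlap_adjust(36, 24, 4))
    print("strict reassembler accepts teardrop pair:", accepts(teardrop))
```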

Security Protocol Use

Use services that send passwords only in encrypted form. Avoid telnet and FTP, which send the username and password as clear text.

SNMP

Avoid the use of SNMP on routers since information for this protocol is not encrypted and can provide hackers with useful information about your network. If SNMP use is necessary, use SNMPv2 at a minimum. Note that SNMPv1 and community-based SNMPv2 still send the community string in the clear; SNMPv3 adds authentication and encryption.

FTP

FTP uses port 21 for commands and port 20 for data. There are two modes of FTP:

* Standard (active) FTP - The server opens the data connection from port 20 back to a port above 1024 on the client, so all inbound ports above 1024 must be open on the client side.
* Passive FTP - The client opens the data connection to a port above 1024 on the server, so all outbound ports above 1024 must be open.

If FTP must be supported, the most secure way to support it through the firewall is to support passive FTP.
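The two data-connection negotiations, as an added example (not code from the original tutorial): the passive-mode `227` reply and the active-mode `PORT` command are parsed into a host and port, and the checks a client or server should make before opening the data connection are applied: the announced host must be the peer already on the control connection (a third host means a bounce or hijack) and the port must be above the privileged range, as the text's "above 1024" rule expects. The replies and addresses are constructed for the demo.

```python
"""Added example (not from the original tutorial): parse the endpoints the
two FTP modes negotiate and apply the checks a firewall, client or server
should make before the data connection is opened.  Replies and addresses
are constructed for the demo."""
import re
from typing import Tuple

_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def _decode(text: str) -> Tuple[str, int]:
    """Decode the h1,h2,h3,h4,p1,p2 tuple shared by PASV replies and PORT commands."""
    m = _HOSTPORT.search(text)
    if not m:
        raise ValueError("no h1,h2,h3,h4,p1,p2 tuple found")
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("field out of range")
    return ".".join(str(f) for f in fields[:4]), fields[4] * 256 + fields[5]


def parse_pasv(reply: str, server_host: str) -> Tuple[str, int]:
    """Passive mode: the server's 227 reply names the (host, port) the client
    connects out to.  Refuse a reply pointing anywhere but the server we are
    already talking to, or at a privileged port; either would send the data
    connection somewhere the control connection never authorised."""
    if not reply.startswith("227"):
        raise ValueError("not a 227 Entering Passive Mode reply")
    host, port = _decode(reply)
    if host != server_host:
        raise ValueError(f"PASV host {host} differs from control host {server_host}")
    if port <= 1023:
        raise ValueError(f"PASV port {port} is in the privileged range")
    return host, port


def parse_port(command: str, client_host: str) -> Tuple[str, int]:
    """Active (standard) mode: the client's PORT command tells the server where
    to connect in to from port 20.  A server should refuse a PORT naming a
    third host or a privileged port, which is the classic FTP bounce."""
    if not command.upper().startswith("PORT "):
        raise ValueError("not a PORT command")
    host, port = _decode(command)
    if host != client_host:
        raise ValueError(f"PORT host {host} differs from client {client_host}")
    if port <= 1023:
        raise ValueError(f"PORT port {port} is in the privileged range")
    return host, port


def pasv_is_safe(reply: str, server_host: str) -> bool:
    try:
        parse_pasv(reply, server_host)
        return True
    except ValueError:
        return False


def port_is_safe(command: str, client_host: str) -> bool:
    try:
        parse_port(command, client_host)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(parse_pasv("227 Entering Passive Mode (192,0,2,10,195,89).", "192.0.2.10"))
    print(port_is_safe("PORT 198,51,100,9,0,25", "192.0.2.7"))  # bounce attempt at a mail port
```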

Security Entry Points

Consider some of the following issues when designing your security and setting up your network, systems, and application programs.

* How will you deal with a hostile takeover at one of your sites?
  o Do users have limited access to only what they need?
  o Can we disable user access quickly if necessary?
* Modems
* Viruses through e-mail attachments
* Hostile programs installed by your users

Security Cost

Quantify the cost of your security effort versus the cost of recovery from damage. Do the following to help determine a worthwhile security policy:

* Quantify assets
* Analyze worth
* Estimate recovery costs

Application Level Protection

* In order to avoid Trojan Horses, only IS-approved software should be allowed to be installed on any computers in the organization.
* Keep operating system and application program security patches updated. To support this effort, the following must be in place:
  1. Software architectures on all machines must be defined. This can be done by department, by individual computer, or a combination thereof. This policy is especially important for all server computers. The operating system on all computers must be defined along with all applications that are run on them.
  2. The latest security patches for all operating systems and applications must be tracked, and it must be known whether each department or computer has the latest security patches.
  3. Reliable patch sources for all operating systems and each application used in the organization must be determined. These sources must be checked regularly so that new patches are applied when they are made available.
* Turn on Macro Virus Protection in Microsoft applications such as Word. Select "Tools", "Options", select the "General" tab, and select "Macro Virus Protection". In some later Microsoft applications, this feature is always on and there is no checkbox to turn it on.
* Turn the auto-execute feature off in Microsoft applications.
* Turn off scripts in Outlook.

Email

* Send Rich Text Format (.RTF) email attachments rather than Microsoft Word (.DOC) email attachments. Rich Text Format files cannot contain Word macro programs, which may carry viruses.
* When opening such a file, first open it in a plain text editor such as Notepad (Wordpad won't work) to be sure it is really a text file, since some viruses disguise a DOC file as an RTF file. A genuine RTF file is plain text beginning with "{\rtf"; a Word DOC file is binary.
* Turn off "Auto Preview" in Outlook (not Outlook Express).

System Protection

* No networked computer without operating virus detection software shall be operated. Virus detection software shall be updated a minimum of once per month and a complete system scan for viruses shall be done at least once per month.
* No unprotected shares.
* Disable ActiveX code in all web browsers.
* Use the standard settings on web browsers for Java and Javascript code.
* Systems should be set not to hide file extensions for known file types. If hiding extensions for known file types is allowed, an attacker can disguise a file with a name like "FRIENDLYFILE.TXT.exe". This file will appear to be a text file to the user, but if the user attempts to open it, it runs as a program on their system. To set this correctly, do the following:
  1. Open "My Computer".
  2. On the menu, select "View" and "Folder Options".
  3. Select the "View" tab.
  4. Uncheck "Hide file extensions for known file types".
* Disable/remove Windows Scripting Host (WSH):
  1. Click on "Settings".
  2. Select "Control Panel".
  3. Click "Add/Remove".
  4. Click on the "Windows Setup" tab.
  5. Click "Accessories".
  6. Uncheck "Windows Scripting Host" and click "OK".
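The two attachment tricks covered in the Email and System Protection sections, as an added example (not code from the original tutorial): a filter that flags a name like FRIENDLYFILE.TXT.exe, where a document extension sits directly in front of an executable one, and that identifies the content from its leading bytes so a Word (OLE compound) document renamed to .RTF is caught even though the name looks harmless. The extension lists and sample bytes are constructed for the demo.

```python
"""Added example (not from the original tutorial): checks for the two
attachment tricks the tutorial describes, an executable hidden behind a
harmless-looking extension and a Word document renamed to .RTF.  Extension
lists and sample bytes are constructed for the demo."""
from typing import List

EXECUTABLE_EXTENSIONS = {"exe", "com", "bat", "cmd", "scr", "pif", "vbs", "js", "wsf"}
DOCUMENT_EXTENSIONS = {"txt", "doc", "rtf", "pdf", "jpg", "gif", "xls"}

OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")   # Microsoft compound document (Word .DOC)


def hidden_executable(filename: str) -> bool:
    """FRIENDLYFILE.TXT.exe: a document extension immediately before an
    executable one.  With extensions hidden, Explorer shows FRIENDLYFILE.TXT."""
    parts = filename.lower().split(".")
    return (len(parts) >= 3
            and parts[-1] in EXECUTABLE_EXTENSIONS
            and parts[-2] in DOCUMENT_EXTENSIONS)


def sniff_type(data: bytes) -> str:
    """Identify the content from its leading bytes, ignoring the file name."""
    if data.startswith(b"{\\rtf"):
        return "rtf"
    if data.startswith(OLE_MAGIC):
        return "doc"
    if data.startswith(b"MZ"):
        return "exe"
    return "unknown"


def check_attachment(filename: str, data: bytes) -> List[str]:
    """Return the reasons an attachment should be blocked; empty means the
    name and content are consistent."""
    reasons: List[str] = []
    ext = filename.lower().rsplit(".", 1)[-1] if "." in filename else ""
    kind = sniff_type(data)
    if hidden_executable(filename):
        reasons.append("executable hidden behind a document extension")
    if ext in EXECUTABLE_EXTENSIONS:
        reasons.append("executable attachment")
    elif kind == "exe":
        reasons.append("executable content with a non-executable name")
    if ext == "rtf" and kind != "rtf":
        reasons.append(f"claims to be RTF but content is {kind}")
    if ext == "txt" and kind in ("doc", "exe"):
        reasons.append(f"claims to be text but content is {kind}")
    return reasons


if __name__ == "__main__":
    # Constructed samples: a renamed Word document and a double-extension executable.
    print(check_attachment("memo.rtf", OLE_MAGIC + b"\x00" * 8))
    print(check_attachment("FRIENDLYFILE.TXT.exe", b"MZ\x90\x00"))
```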

User Security Issues

User Education

* Use caution opening e-mails. Do not open mail from unknown originators.
* Make users aware of the ability of hackers to hide executable files as text or other harmless file types.
* Users must be educated not to use the same passwords at work that they may use over unsecured connections on the internet.

Password Policies

* Logon passwords must be changed at least every 90 days (3


Basic Security Recommendations

Restoration

Of course, important data should be periodically backed up. One additional protection mechanism is to use software such as Norton Utilities to take a snapshot of your system. It can record disk partition information to a floppy, and this can be used to restore a system if a virus destroys the computer's disk partition information.

Organizational Policies

Develop an organizational security policy and educate all users about the policy. Write a virus procedure to be implemented when a virus is discovered.

Security Terms

* Ciphertext - Text or data that has been enciphered such that unauthorized persons should be unable to read it.
* Cipher - A mathematical function that is used to perform encryption or decryption.
* Cryptanalysis - The practice of analyzing ciphertext with the intent of breaking it.
* Cryptography - The science of keeping messages secure.
* Cryptology - The branch of mathematics that deals with cryptography and cryptanalysis.
* Decipher - The act of taking text that is enciphered so unauthorized persons cannot read it and processing it into plain text or data that can be read or used.
* Decryption - The process of turning an encrypted message (ciphertext) back into plaintext.
* Encipher - The act of taking plain text or data and processing it into ciphertext so unauthorized personnel cannot read or use it.
* Encryption - The process of hiding the contents of a message.
* One way hash function - A function that is easy to compute in one direction but difficult or impossible to reverse.
* Plaintext - Normal text or data, before the enciphering process or after the deciphering process.
* Salting - Adding random data to a password prior to performing a one way hash on it. This defeats precomputed dictionary tables and forces an attacker to run the dictionary attack separately against each stored hash, rather than once against every password at the same time.