The Cisco Security Intelligence Operations (SIO) provides alerts to network professionals regarding current network attacks.
Common vectors of data loss:
- Email/Social networking
- Unencrypted devices
- Cloud Storage devices
- Removable media
- Hard copy
- Improper access control
The main focus of this course is on securing Campus Area Networks (CANs). A Campus Area Network consists of interconnected LANs within a limited geographic area.
A Cisco Email Security Appliance (ESA) and Web Security Appliance (WSA) provide advanced threat defense, application visibility and control, reporting, and secure mobility to secure and control email and web traffic.
Data center Networks
Data center physical security can be divided into two areas:
- Outside perimeter security – This can include on-premise security officers, fences, gates, continuous video surveillance, and security breach alarms.
- Inside perimeter security – This can include continuous video surveillance, electronic motion detectors, security traps, and biometric access and exit sensors.
Cloud and virtual networks
A cloud network consists of physical and virtual servers that are commonly housed in data centers, and data centers increasingly use virtual machines (VMs) to provide server services to their clients. Server virtualization takes advantage of idle resources and consolidates the number of required servers. It also allows multiple operating systems to exist on a single hardware platform. However, VMs are also prone to specific targeted attacks:
- Hyperjacking: An attacker could hijack a VM hypervisor (VM controlling software) and then use it as a launch point to attack other devices on the data center network.
- Instant on activation: When a VM that has not been used for a period of time is brought online, it may have outdated security policies that deviate from the baseline security and can introduce security vulnerabilities.
- Antivirus Storms: This happens when all VMs attempt to download antivirus data files at the same time.
The core components of the Cisco Secure Data Center solution provide:
- Secure Segmentation: ASA devices and a Virtual Security Gateway integrated into the Cisco Nexus Series switches are deployed in a data center network to provide secure segmentation. This provides granular inter-virtual-machine security.
- Threat Defense: ASA firewalls and intrusion prevention (IPS) devices are deployed in the data center network to detect and block intrusions and malware, drawing on threat intelligence and behavior analysis.
- Visibility: Visibility solutions are provided using software such as the Cisco Security Manager which help simplify operations and compliance reporting.
To accommodate the BYOD trend, Cisco developed the Borderless Network. In a Borderless Network, access to resources can be initiated by users from many locations, on many types of endpoint devices, using various connectivity methods.
To support this blurred network edge, Cisco devices support Mobile Device Management (MDM) features.
Critical MDM functions:
- Data encryption: Most devices have built-in encryption capabilities, both at the device and file level. MDM features can ensure that only devices that support data encryption and have it enabled can access the network and corporate content.
- PIN enforcement: Enforcing a PIN lock is the first and most effective step in preventing unauthorized access to a device. Furthermore, strong password policies can also be enforced by an MDM, reducing the likelihood of brute-force attacks.
- Data wipe: Lost or stolen devices can be remotely fully- or partially-wiped, either by the user or by an administrator via the MDM.
- Data loss prevention: While data protection functions (like PIN locking, data encryption and remote data wiping) prevent unauthorized users from accessing data, DLP prevents authorized users from doing careless or malicious things with critical data.
- Jailbreak/root detection: Jailbreaking (on Apple iOS devices) and rooting (on Android devices) are means to bypass the management of a device. MDM features can detect such bypasses and immediately restrict a device’s access to the network or other corporate assets.
Hacktivists do not hack for profit, they hack for attention. They are usually politically or socially motivated cyber attackers who use the power of the Internet to promote their message.
State-sponsored cyber hackers are the newest type of hacker. These are government-funded and guided attackers, ordered to launch operations that vary from cyber espionage to intellectual property theft.
An example of a state-sponsored attack involves the Stuxnet malware that was created to damage Iran’s nuclear enrichment capabilities.
Over the years, attack tools have become more sophisticated, and highly automated, requiring less technical knowledge to use them than in the past.
- Password crackers: John the Ripper, Ophcrack, L0phtCrack, THC Hydra, RainbowCrack, and Medusa.
- Wireless hacking tools are used to intentionally hack into a wireless network to detect security vulnerabilities.
Examples of wireless hacking tools include Aircrack-ng, Kismet, InSSIDer, KisMAC, Firesheep, and NetStumbler.
- Network scanning tools are used to probe network devices, servers, and hosts for open TCP or UDP ports. Examples of scanning tools include Nmap, SuperScan, Angry IP Scanner, and NetScanTools.
- Packet crafting tools: These tools are used to probe and test a firewall’s robustness using specially crafted forged packets. Examples of such tools include Hping, Scapy, Socat, Yersinia, Netcat, Nping, and Nemesis.
- Packet sniffers: These tools capture and analyze packets on traditional Ethernet LANs or WLANs. Examples include Wireshark, tcpdump, and Ettercap.
- Rootkit detectors: Directory and file integrity checkers used by white hats to detect installed rootkits. AIDE is an example; chkrootkit and rkhunter are also widely used. (Netfilter and PF, the OpenBSD Packet Filter, are packet-filtering firewalls, not rootkit detectors.)
- Fuzzers: These tools feed malformed or unexpected input to an application to discover security vulnerabilities. Examples of web application fuzzers/scanners include Skipfish, Wapiti, and W3af.
Categories of Network Attacks
- Eavesdropping attack: This is when a hacker captures and “listens” to network traffic. This attack is also referred to as sniffing or snooping.
- Data Modification Attack: If hackers have captured enterprise traffic, they can alter the data in the packet without the knowledge of the sender or receiver.
- IP address spoofing attack: A hacker constructs an IP packet that appears to originate from a valid address inside the corporate intranet.
- Password-based attacks: If hackers discover a valid user account, the attackers have the same rights as the real user. Hackers could use that valid account to obtain lists of other users and network information. They could also change server and network configurations, modify, reroute, or delete data.
- Denial-of-service attack: A DoS attack prevents normal use of a computer or network by valid users. After gaining access to your network, a DoS attack can crash applications or network services. A DoS attack can also flood a computer or the entire network with traffic until a shutdown occurs because of the overload. A DoS attack can also block traffic, which results in a loss of access to network resources by authorized users.
- Man in the middle attack: This attack occurs when hackers have positioned themselves between a source and destination. They can now actively monitor, capture, and control the communication transparently.
- Compromised-key attack: If a hacker obtains a secret key, that key is referred to as a compromised key. A compromised key can be used to gain access to a secured communication without the sender or receiver being aware of the attack.
- Sniffer attack: A sniffer is an application or device that can read, monitor, and capture network data exchanges and read network packets. If the packets are not encrypted, a sniffer provides a full view of the data inside the packet. Even encapsulated (tunneled) packets can be broken open and read unless they are encrypted and the attacker does not have access to the key.
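To make the sniffer attack concrete, here is an added example (not code from the original notes) that dissects a constructed Ethernet/IPv4/TCP frame and pulls an HTTP Basic Authorization header out of the cleartext payload, exactly what a sniffer on the wire would see for unencrypted traffic. The frame bytes, IP addresses, and credentials are all made up for this example; checksums are left at zero because a dissector does not need them.

```python
import base64
import struct

# Constructed sample payload: a cleartext HTTP request carrying Basic auth.
HTTP_PAYLOAD = (
    b"GET /admin HTTP/1.1\r\n"
    b"Host: intranet.example\r\n"
    b"Authorization: Basic " + base64.b64encode(b"alice:Winter2024!") + b"\r\n"
    b"\r\n"
)
# Constructed stand-in for an encrypted (TLS) record: opaque bytes, nothing readable.
TLS_LIKE_PAYLOAD = b"\x16\x03\x03\x00\x2a" + bytes(range(42))


def build_frame(src_ip, dst_ip, src_port, dst_port, payload):
    """Assemble a minimal Ethernet II / IPv4 / TCP frame (checksums zeroed)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    # TCP: sport, dport, seq, ack, data offset (5 words), flags PSH+ACK, window, csum, urg
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 1000, 2000, 5 << 4, 0x18, 65535, 0, 0)
    total_len = 20 + len(tcp) + len(payload)
    ip = struct.pack(
        "!BBHHHBBH4s4s", 0x45, 0, total_len, 1, 0, 64, 6, 0,
        bytes(int(o) for o in src_ip.split(".")),
        bytes(int(o) for o in dst_ip.split(".")),
    )
    return eth + ip + tcp + payload


def dissect(frame):
    """Walk Ethernet -> IPv4 -> TCP; return addresses, ports and the TCP payload."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:   # not IPv4
        return None
    ip = frame[14:]
    total_len = struct.unpack("!H", ip[2:4])[0]
    ip = ip[:total_len]                                   # drop any trailing padding
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 6:                                        # not TCP
        return None
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    tcp = ip[ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4
    return {"src": src, "dst": dst, "sport": sport, "dport": dport, "payload": tcp[data_off:]}


def extract_basic_credentials(payload):
    """Return (user, password) if an HTTP Basic Authorization header is in the clear."""
    for line in payload.split(b"\r\n"):
        if line.lower().startswith(b"authorization: basic "):
            token = line.split(b" ", 2)[2]
            user, _, password = base64.b64decode(token).partition(b":")
            return user.decode(), password.decode()
    return None


def harvest(frames):
    """What a sniffer attack yields: (src, dst, dport, credentials) per exposed frame."""
    found = []
    for frame in frames:
        d = dissect(frame)
        if d is None:
            continue
        creds = extract_basic_credentials(d["payload"])
        if creds:
            found.append((d["src"], d["dst"], d["dport"], creds))
    return found


if __name__ == "__main__":
    frames = [
        build_frame("10.0.0.5", "10.0.0.80", 51000, 80, HTTP_PAYLOAD),
        build_frame("10.0.0.5", "10.0.0.81", 51001, 443, TLS_LIKE_PAYLOAD),
    ]
    for hit in harvest(frames):
        print(hit)
```

Only the cleartext HTTP frame gives anything up; the TLS-like frame is dissected just as far (addresses and ports are always visible) but its payload yields nothing without the session key, which is the point the note makes about encrypted and tunneled traffic.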
A virus is malicious code that is attached to executable files which are often legitimate programs. Most viruses require end user activation and can lay dormant for an extended period and then activate at a specific time or date.
A simple virus may install itself at the first line of code on an executable file. When activated, the virus might check the disk for other executables so that it can infect all the files it has not yet infected.
The Trojan horse concept is flexible. It can cause immediate damage, provide remote access to the system, or access through a back door. It can also perform actions as instructed remotely, such as “send me the password file once per week.”
Trojan horses are usually classified according to the damage that they cause or the manner in which they breach a system:
- Remote-access Trojan horse – This enables unauthorized remote access.
- Data-sending Trojan horse – This provides the attacker with sensitive data, such as passwords.
- Destructive Trojan horse – This corrupts or deletes files.
- Proxy Trojan horse – This will use the victim’s computer as the source device to launch attacks and perform other illegal activities.
- FTP Trojan horse -This enables unauthorized file transfer services on end devices.
- Security software disabler Trojan horse – This stops antivirus programs or firewalls from functioning.
- DoS Trojan horse – This slows or halts network activity.
Worm attacks consist of three components:
- Enabling vulnerability – A worm installs itself using an exploit mechanism, such as an email attachment, an executable file, or a Trojan horse, on a vulnerable system.
- Propagation mechanism – After gaining access to a device, the worm replicates itself and locates new targets.
- Payload – Any malicious code that results in some action is a payload. Most often this is used to create a backdoor to the infected host or create a DoS attack.
Worms are self-contained programs that attack a system to exploit a known vulnerability. Upon successful exploitation, the worm copies itself from the attacking host to the newly exploited system and the cycle begins again. Their propagation mechanisms are commonly deployed in a way that is difficult to detect.
Five basic phases of a worm or virus attack:
probe, penetrate, persist, propagate, and paralyze
Types of network attacks
- Reconnaissance Attacks
- Access Attacks
- DoS Attacks
These are some of the techniques used by malicious hackers conducting reconnaissance attacks:
- Perform an information query of a target – The hacker is looking for initial information about a target. Various tools exist, including the Google search, organizations website, whois, and more.
- Initiate a ping sweep of the target network – The information query usually reveals the target’s network address. The hacker can now initiate a ping sweep to determine which IP addresses are active.
- Initiate a port scan of active IP addresses – This is to determine which ports or services are available. Examples of port scanners include Nmap, SuperScan, Angry IP Scanner, and NetScanTools.
- Run vulnerability scanners – This is to query the identified ports to determine the type and version of the application and operating system that is running on the target host. Examples of tools include Nipper, Secunia PSI, Core Impact, Nessus, SAINT, and OpenVAS.
- Run Exploitation tools – The hacker now attempts to discover vulnerable services that can be exploited. A variety of vulnerability exploitation tools exist including Metasploit, Core Impact, Sqlmap, Social Engineer Toolkit, and Netsparker.
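The ping sweep, port scan and version-identification steps above can be reduced to a few lines of socket code. The following is an added example, not part of the original notes: it starts a throwaway TCP listener on localhost (a constructed target that answers with a made-up SSH-style banner), then runs a TCP connect() scan over a port range and grabs the banner from whatever it finds. The listener, the banner text and the port range are assumptions for the example; a real ping sweep needs ICMP via raw sockets and is not shown.

```python
import socket
import threading

# Constructed target banner; real services announce themselves the same way.
BANNER = b"SSH-2.0-ConstructedTarget_1.0\r\n"


def start_listener(host="127.0.0.1"):
    """Constructed target: listen on an OS-assigned port, send BANNER to each
    client and close. Returns (server_socket, stop_event)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)
    srv.settimeout(0.2)          # lets the thread notice the stop flag
    stop = threading.Event()

    def serve():
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            except OSError:      # socket closed from the outside
                break
            try:
                conn.sendall(BANNER)
            except OSError:      # scanner hung up before reading; harmless
                pass
            finally:
                conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv, stop


def connect_scan(host, ports, timeout=0.3):
    """TCP connect() scan: completes a full three-way handshake on each port,
    so the target's application logs and a stateful firewall see every probe.
    Returns the list of open ports."""
    open_ports = []
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            if s.connect_ex((host, port)) == 0:
                open_ports.append(port)
    return open_ports


def grab_banner(host, port, timeout=1.0):
    """Service identification step: connect and read whatever the service
    volunteers (version string, protocol hint)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        return s.recv(128).decode(errors="replace").strip()


if __name__ == "__main__":
    srv, stop = start_listener()
    target_port = srv.getsockname()[1]
    # scan a small window around the listener so the demo finishes quickly
    for port in connect_scan("127.0.0.1", range(target_port - 5, target_port + 6)):
        print(f"{port}/tcp open  banner={grab_banner('127.0.0.1', port)!r}")
    stop.set()
    srv.close()
```

A connect() scan is the noisiest option; tools like Nmap default to a SYN (half-open) scan that never completes the handshake, which is quieter at the application layer but still visible to network-level detection.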
Three reasons that hackers would use access attacks on networks or systems:
- To retrieve data
- To gain access
- To escalate access privileges
Five common types of access attacks:
- Password attack – Hackers attempt to discover critical system passwords using various methods, such as social engineering, dictionary attacks, brute-force attacks, or network sniffing. Brute-force password attacks involve repeated attempts using tools such as Ophcrack, L0phtCrack, THC Hydra, RainbowCrack, hashcat, John the Ripper, and Medusa.
- Trust exploitation – A hacker leverages a trust relationship (for example, a host that other systems trust without re-authenticating) to gain unauthorized privileges on a system, possibly compromising the target.
- Port redirection – This is when a hacker uses a compromised system as a base for attacks against other targets.
- Man-in-the-middle attack – The hacker is positioned in between two legitimate entities in order to read or modify the data that passes between the two parties.
- Buffer overflow – This is when a hacker writes more data into a buffer than it was allocated to hold, overwriting adjacent memory with unexpected values. This often renders the program or system inoperable, creating a DoS attack, and in the worst case lets the attacker execute code. It is estimated that one third of malicious attacks are the result of buffer overflows.
- IP, MAC, DHCP spoofing – Spoofing attacks are attacks in which one device poses as another by falsifying data. There are multiple types of spoofing attacks. For example, in MAC address spoofing a computer sends frames using the MAC address of another computer, so that the switch forwards traffic destined for the victim to the attacker instead.
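The password attack above is the most common of the five, so here is an added example (not from the original notes) of a dictionary attack run against two constructed credential stores: one holding unsalted SHA-256 hashes, one holding per-user salted PBKDF2 hashes. The accounts, passwords, wordlist and iteration count are all made up for the example. It shows why the same wordlist cracks the unsalted store in one pass but has to be re-run, at full cost, for every salted account.

```python
import hashlib
import os

# Constructed wordlist and accounts (all values invented for this example).
WORDLIST = ["123456", "password", "letmein", "Winter2024!", "qwerty", "admin"]
ACCOUNTS = {"alice": "Winter2024!", "bob": "letmein", "carol": "Tr0ub4dor&3xyz"}
ROUNDS = 20_000   # assumed PBKDF2 iteration count for the salted store


def sha256_hex(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()


def pbkdf2_hex(password: str, salt: bytes, rounds: int = ROUNDS) -> str:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds).hex()


def make_unsalted_store(accounts):
    """Weak store: one fast hash per password, no salt."""
    return {user: sha256_hex(pw) for user, pw in accounts.items()}


def make_salted_store(accounts):
    """Hardened store: random 16-byte salt per user, iterated hash."""
    store = {}
    for user, pw in accounts.items():
        salt = os.urandom(16)
        store[user] = (salt, pbkdf2_hex(pw, salt))
    return store


def crack_unsalted(store, wordlist):
    """Dictionary attack on unsalted hashes: hash each candidate once, build a
    lookup table, then match every account against it. Returns (cracked, ops)."""
    table = {sha256_hex(word): word for word in wordlist}
    cracked = {user: table[h] for user, h in store.items() if h in table}
    return cracked, len(wordlist)


def crack_salted(store, wordlist, rounds=ROUNDS):
    """Same wordlist against salted, iterated hashes: the salt makes a shared
    table useless, so each account costs a separate pass. Returns (cracked, ops)."""
    cracked, ops = {}, 0
    for user, (salt, h) in store.items():
        for word in wordlist:
            ops += 1
            if pbkdf2_hex(word, salt, rounds) == h:
                cracked[user] = word
                break
    return cracked, ops


if __name__ == "__main__":
    weak, ops_weak = crack_unsalted(make_unsalted_store(ACCOUNTS), WORDLIST)
    strong, ops_strong = crack_salted(make_salted_store(ACCOUNTS), WORDLIST)
    print("unsalted:", weak, "hash operations:", ops_weak)
    print("salted:  ", strong, "hash operations:", ops_strong, f"(x{ROUNDS} iterations each)")
```

Both stores give up the two accounts whose passwords are in the wordlist; carol's is not, so no amount of dictionary work finds it. The difference is cost: the unsalted store is cracked with one hash per word regardless of how many users it holds, while the salted store multiplies the work by the number of accounts and by the iteration count, which is the whole reason to salt and stretch password hashes.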
Social Engineering Attacks
Social engineering is an access attack that attempts to manipulate individuals into performing actions or divulging confidential information.
Social engineers often rely on people’s willingness to be helpful. They also prey on people’s weaknesses.
The hacker could appeal to the employee’s vanity, invoke authority using name-dropping techniques, or appeal to the employee’s greed.
There are many examples of social engineering tools available. Specific types of social engineering attacks include:
- Pretexting – This is when a hacker calls an individual and lies to them in an attempt to gain access to privileged data. An example involves an attacker who pretends to need personal or financial data in order to confirm the identity of the recipient.
- Phishing – Phishing is when a malicious party sends a fraudulent email disguised as being from a legitimate, trusted source. The message intends to trick the recipient into installing malware on their device, or into sharing personal or financial information.
- Spear phishing – This is a targeted phishing attack tailored for a specific individual or organization.
- Spam – Hackers may use spam email to trick a user to click an infected link or download an infected file.
- Tailgating – This is when a hacker quickly follows an authorized person into a secure location. The hacker then has access to a secure area.
- Something for Something (Quid pro quo) – This is when a hacker requests personal information from a party in exchange for something like a free gift.
- Baiting – This is when a hacker leaves a malware-infected physical device, such as a USB flash drive in a public location such as a corporate washroom. The finder finds the device and loads it onto their computer, unintentionally installing the malware.
The Social Engineering Toolkit (SET) was designed to help white hat hackers and other network security professionals create social engineering attacks to test their own networks.
Denial of Service Attacks
Denial-of-Service (DoS) attacks are highly publicized network attacks. A DoS attack results in some sort of interruption of service to users, devices, or applications.
There are two major sources of DoS attacks:
- Maliciously Formatted Packets – This is when a maliciously formatted packet is forwarded to a host or application and the receiver is unable to handle an unexpected condition. For example, a hacker forwards packets containing errors that cannot be identified by the application, or forwards improperly formatted packets. This causes the receiving device to crash or run very slowly.
- Overwhelming Quantity of Traffic – This is when a network, host, or application is unable to handle an enormous quantity of data, causing the system to crash or become extremely slow.
Three early DoS attacks include:
- Ping of Death – In this legacy attack, the attacker sent a ping of death which was an echo request in an IP packet larger than the maximum packet size of 65,535 bytes. The receiving host would not be able to handle a packet of that size and it would crash.
- Smurf Attack – In this legacy attack, a hacker sent a large number of ICMP requests to various recipients. Using multiple recipients amplified the attack. In addition, the packet source address contained a spoofed IP address of an intended target. This was a type of reflection attack because the echo replies would all be reflected back to the targeted host in an attempt to overwhelm it. Smurf attacks are mitigated with the no ip directed-broadcast command, which is a default interface setting, as of Cisco IOS version 12.0. The reflection and amplification technique continues to be used in newer forms of attacks.
- TCP SYN Flood Attack – In this type of attack, a hacker sends many TCP SYN session request packets with a spoofed source IP address to an intended target. The target device replies with a TCP SYN-ACK packet to the spoofed IP address and waits for a TCP ACK packet. However, the responses never arrive, and the target hosts are overwhelmed with TCP half-open connections.
A Distributed DoS Attack (DDoS) is similar in intent to a DoS attack, except that a DDoS attack increases in magnitude because it originates from multiple, coordinated sources. DDoS attacks also introduce new terms such as botnet, handler systems, and zombie computers.
As an example, a DDoS attack could proceed as follows:
- A hacker builds a network of infected machines. A network of infected hosts is called a botnet. The compromised computers are called zombie computers, and they are controlled by handler systems.
- The zombie computers continue to scan and infect more targets to create more zombies.
- When ready, the hacker instructs the handler systems to make the botnet of zombies carry out the DDoS attack.
Note: There is an underground economy where botnets can be bought (and sold) for a nominal fee providing hackers with an army of infected hosts ready to launch a DDoS attack.