En CCNAS v11 Ch01

Class notes of CCNA Security, University of GHU.

Uploaded by m.h.rasekh1996

Modern Network Security Threats

Lecturer: Sayeed Jaweed Naderi
Information Technology Department
Computer Science Faculty
Kabul University
Email: sayeedjaweednaderi@gmail.com
© 2012 Cisco and/or its affiliates. All rights reserved. 1
Purpose of Security
• To protect assets!
– Network security is a term that describes the policies and procedures
implemented by a network administrator to prevent and keep track of
unauthorized access, exploitation, modification, or denial of the
network and network resources.
• To secure a network, three major properties of information security
are typically required:
– Confidentiality (data privacy)
– Integrity
– Availability



What is Network Security?
• National Security Telecommunications and Information Systems
Security Committee (NSTISSC):
– Network security is the protection of information, systems and
hardware that use, store, and transmit that information.
– Network security encompasses those steps that are taken to ensure
the confidentiality, integrity, and availability of data or resources.



The Network Today
• With the advent of personal computers, LANs, and the wide-open
world of the Internet, the networks of today are more open.



Threats
• A threat is a potential danger to information or a system, or a
potential danger posed by a vulnerability.
• Threats may include equipment failure, structured attacks,
natural disasters, physical attacks, theft, viruses and
many other potential events causing danger or damage.



Threats
• There are four primary classes of threats to network security:
– Unstructured threats
– Structured threats
– External threats
– Internal threats



Vulnerability
• A network vulnerability is a weakness in a system, technology, product
or policy.
• In today's environment, several organizations track, organize and test
these vulnerabilities.
• The US government has a contract with an organization to track and
publish network vulnerabilities.
• Each vulnerability is given an ID and can be reviewed by network
security professionals over the Internet.
• The Common Vulnerabilities and Exposures (CVE) list also publishes ways
to prevent the vulnerability from being exploited.



Vulnerability Appraisal
• It is very important that network security specialists understand the
importance of vulnerability appraisal.
• A vulnerability appraisal is a snapshot of the security of the
organization as it now stands.
• It asks: what current security weaknesses may expose the assets to these
threats?
• Vulnerability scanners are tools available as free Internet downloads
and as commercial products.
• These tools compare the asset against a database of known
vulnerabilities and produce a discovery report that exposes each
vulnerability and assesses its severity.
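As an added example (not part of the course slides or Cisco's material), the following Python script models what a vulnerability scanner does at its core: it compares an asset inventory against a database of known vulnerabilities and produces a discovery report ranked by severity. The inventory, the vulnerability records and their CVE-style identifiers are constructed placeholders, not real advisories.

```python
"""Vulnerability appraisal: compare an asset inventory against a database of
known vulnerabilities and produce a severity-ranked discovery report.

Added example, not the course's or Cisco's code. Inventory entries,
vulnerability records and CVE-style IDs are constructed placeholders.
"""
from dataclasses import dataclass

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}


@dataclass(frozen=True)
class Vulnerability:
    vuln_id: str      # placeholder CVE-style identifier, not a real advisory
    product: str
    fixed_in: tuple   # first version that is no longer affected
    severity: str
    mitigation: str   # what the published entry says to do about it


@dataclass(frozen=True)
class Asset:
    host: str
    product: str
    version: str


def parse_version(text: str) -> tuple:
    """'8.12.3' -> (8, 12, 3); non-digit characters in a component are ignored."""
    parts = []
    for piece in text.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_affected(asset: Asset, vuln: Vulnerability) -> bool:
    """Affected when the asset runs the product at a version below the fix."""
    return asset.product == vuln.product and parse_version(asset.version) < vuln.fixed_in


def appraise(assets, db):
    """One finding per (asset, vulnerability) match, highest severity first."""
    findings = [{"host": a.host, "vuln_id": v.vuln_id, "severity": v.severity,
                 "mitigation": v.mitigation}
                for a in assets for v in db if is_affected(a, v)]
    findings.sort(key=lambda f: (-SEVERITY_RANK[f["severity"]], f["host"]))
    return findings


def render_report(findings) -> str:
    """Plain-text discovery report, one line per finding."""
    if not findings:
        return "no known vulnerabilities found"
    return "\n".join(f"{f['severity'].upper():8} {f['host']:10} {f['vuln_id']:14} "
                     f"{f['mitigation']}" for f in findings)


# Constructed vulnerability database (placeholder IDs) and asset inventory.
VULN_DB = [
    Vulnerability("CVE-0000-0001", "sendmail", (8, 15), "critical", "upgrade to 8.15+"),
    Vulnerability("CVE-0000-0002", "iis", (6, 0), "high", "apply vendor patch"),
    Vulnerability("CVE-0000-0003", "openssh", (7, 4), "medium", "upgrade to 7.4+"),
]
ASSETS = [
    Asset("mail01", "sendmail", "8.12.3"),
    Asset("web01", "iis", "5.0"),
    Asset("web02", "iis", "6.0"),
    Asset("bastion", "openssh", "7.9"),
]

if __name__ == "__main__":
    print(render_report(appraise(ASSETS, VULN_DB)))
```

Only the two hosts running a version below the fix appear in the report; a real scanner adds fingerprinting of the installed version, which is where most false positives and negatives come from.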



Network Security Models



Open Security Model



Restrictive Security Model



Closed Security Model



Evolution of Network Security



Sophistication of Tools vs. Technical Knowledge



Morris Worm
• The Morris worm or Internet worm was the first computer worm
distributed via the Internet.
• It was written by a student at Cornell University, Robert Tappan
Morris, and launched on November 2, 1988 from MIT.
• It is considered the first worm and was certainly the first to gain
significant mainstream media attention.
– It also resulted in the first conviction in the US under the 1986 Computer
Fraud and Abuse Act.



Morris Worm
• According to Morris, the worm was not written to cause damage,
but to gauge the size of the Internet.
– But the worm was released from MIT, not Cornell where Morris was a student.

• The Morris worm worked by exploiting known vulnerabilities in
Unix sendmail, finger, rsh/rexec, and weak passwords.
• It is usually reported that around 6,000 major Unix machines
were infected by the Morris worm.
– The cost of the damage was estimated at $10M–100M.



Good Thing?
• The Morris worm prompted DARPA to fund the establishment of
the CERT/CC at Carnegie Mellon University to give experts a
central point for coordinating responses to network emergencies.



What is “Code Red”?
• The Code Red worm, released on July 19, 2001, was a DoS attack: it
attacked web servers globally, infecting over 350,000 hosts and in
turn affecting millions of users.



What is “Code Red”?
• Code Red:
– Defaced web pages.
– Disrupted access to the infected servers and local networks hosting the
servers, making them very slow or unusable.

• Network professionals responded slowly to system patches, which
only exacerbated the problem.



What Did It Do?
• Actual worm activity on a compromised machine was time-sensitive,
and different activity occurred based on the date of the system clock:
– Day 1 - 19: The infected host will attempt to connect to TCP port 80 of
randomly chosen IP addresses in order to further propagate the worm.
– Day 20 - 27: A packet-flooding denial of service attack will be launched
against a particular fixed IP address.
– Day 28 - end of the month: The worm "sleeps"; no active connections or
denial of service.



How is it stopped?
• Although the worm resides entirely in memory, a reboot of the
machine will purge it from the system.
• Network security professionals must develop and implement a
security policy which includes a process to continually keep tabs
on security advisories and patches.



Code Red – A good thing?
• It was a wake-up call for network administrators.
– It made it very apparent that network security administrators must
patch their systems regularly.

• If security patches had been applied in a timely manner, the Code
Red worm would only merit a footnote in network security history.



CERT Code Red
• http://www.cert.org/advisories/CA-2001-19.html



Drivers for Network Security



Hacker Titles
• Phreaker
– An individual who manipulates the phone network in order to cause it
to perform a function that is normally not allowed, such as making
free long-distance calls.
– Captain Crunch (John Draper)

• Spammer
– An individual who sends large quantities of unsolicited email messages.
– Spammers often use viruses to take control of home computers to send
out their bulk messages.

• Phisher
– An individual who uses email or other means in an attempt to trick
others into providing sensitive information, such as credit card
numbers or passwords.



Evolution of Hacking
• 1960s - Phone Freaks (Phreaks)
• 1980s - Wardialing (WarGames)
• 1988 - Internet Worm
• 1993 - First DEF CON hacking conference held
• 1995 - First 5-year federal prison sentence for hacking
• 1997 - Nmap released
• 1997 - First malicious scripts used by script kiddies
• 2002 - Melissa virus creator gets 20 months in jail



Security firsts …



First Email Virus
• The first email virus, the Melissa virus, was written by David
Smith and resulted in memory overflows in Internet mail servers.
– David Smith was sentenced to 20 months in federal prison and a US$5,000
fine.



First Worm
• Robert Morris created the first Internet worm with 99 lines of
code.
– When the Morris Worm was released, 10% of Internet systems were brought
to a halt.



First DoS Attack
• MafiaBoy was the Internet alias of Michael Calce, a 15-year-old
high school student from Montreal, Canada.
• He launched highly publicized DoS attacks in February 2000 against
Yahoo!, Amazon.com, Dell, Inc., E*TRADE, eBay, and CNN.



Mafiaboy
• On September 12, 2001, the Montreal Youth Court sentenced him to
eight months of "open custody," one year of probation, restricted
use of the Internet, and a small fine.
• In 2005, Mr. Calce wrote as a columnist on computer security topics
for the Francophone newspaper Le Journal de Montréal.
• In 2008, he published Mafiaboy: “How I Cracked the Internet and
Why It's Still Broken.”
• He has also made numerous TV appearances.



Trends Driving Network Security
• Increase of network attacks

• Increased sophistication of attacks

• Increased dependence on the network

• Wireless access

• Lack of trained personnel

• Lack of awareness

• Lack of security policies



Legal and Governmental Policy Issues
• Organizations that operate vulnerable networks will face increasing and
substantial liability.
– http://en.wikipedia.org/wiki/Information_security#Laws_and_regulations

• US federal legislation mandating security includes the following:
– Gramm-Leach-Bliley (GLB) financial services legislation
– Government Information Security Reform Act
– Health Insurance Portability and Accountability Act of 1996 (HIPAA)
– Children's Internet Protection Act (CIPA)
– The Payment Card Industry Data Security Standard (PCI DSS)
– Sarbanes-Oxley Act of 2002



How to Keep on Top?
• Network security professionals must collaborate with professional
colleagues more frequently than most other professions.
– Attending workshops and conferences that are often affiliated with,
sponsored or organized by local, national, or international technology
organizations.

• They must also know about the various security organizations that
provide help on:
– Detecting and responding to both established and emerging information
security threats.
– Operating system weaknesses and best practices for security; security
training and certification information is also available.



Network Security Professionals



Network Security Organizations



Information Security Organizations
• Three of the more well-established network security organizations
are:
– Computer Emergency Response Team (CERT)
– SysAdmin, Audit, Network, Security (SANS) Institute
– International Information Systems Security Certification Consortium,
(ISC)², pronounced "I-S-C-squared"

• Cisco also has the Security Intelligence Operations (SIO).



US-CERT



SANS



ISC2



Network Security Policies and Domains



Domains of Network Security
• It is also important to have an understanding of the various
network security domains.
– Domains provide an organized framework to facilitate learning about network
security.

• ISO/IEC 27002 specifies 12 network security domains.
– These 12 domains serve to organize at a high level the vast realm of
information under the umbrella of network security.
– The 12 domains are intended to serve as a common basis for developing
organizational security standards and effective security management
practices, and to help build confidence in inter-organizational activities.
– The domains of network security give us a working framework that makes
learning network security easier.
– These twelve domains shape a broad body of information under the umbrella
of network security.



Domains of Network Security



Security Policy



Security Policy



Malware / Malicious Code



Types of Attacks
• There are four categories of attacks:
– Malicious Code (Malware) : Viruses, Worms and Trojan Horses
– Reconnaissance Attacks
– Access Attacks
– Denial of Service (DoS) Attacks

Let’s focus on Malicious Code



Malware
• “Malicious software” is software designed to infiltrate a
computer without the owner's informed consent.
• Malware includes:
– Computer viruses
– Worms
– Trojan horses
– Rootkits
– Backdoors (a method of bypassing normal authentication procedures,
usually installed using Trojan horses or worms)
– For-profit malware (spyware, botnets, keystroke loggers, and dialers)



Spyware
• Spyware is a strictly for-profit category of malware designed to:
– Monitor a user's web browsing.
– Display unsolicited advertisements.
– Redirect affiliate marketing revenues to the spyware creator.

• Spyware programs are generally installed by exploiting security
holes or as Trojan horse programs, such as most peer-to-peer
applications.



Why Write Malicious Code?
• Most early worms and viruses were written as experiments or
pranks, generally intended to be harmless or merely annoying
rather than to cause serious damage to computers.
• Young programmers learning about viruses and the techniques
wrote them simply to prove that they could, or to see how far
they could spread.
– In some cases the perpetrator did not realize how much harm their creations
could do.

• As late as 1999, widespread viruses such as the Melissa virus
appear to have been written chiefly as pranks.



Malicious Code Writing Today
• Malicious code writing has changed: it is now done for profit.
– This is mainly due to the Internet and broadband access.
– Since 2003 the majority of viruses and worms have been designed to take
control of users' computers for black-market exploitation.
– Infected "zombie computers" are used to send email spam, to host
contraband data, or to engage in DDoS attacks as a form of extortion.



Viruses, Trojan horses, and Worms
• A virus is malicious software that is attached to another program
to execute a particular unwanted function on a user's workstation.
• A worm executes arbitrary code and installs copies of itself in the
infected computer’s memory, which infects other hosts.
• A Trojan horse is different only in that the entire application was
written to look like something else, when in fact it is an attack tool.



Viruses
• A computer virus is a malicious computer program (executable
file) that can copy itself and infect a computer without permission
or knowledge of the user.
• A virus can only spread from one computer to another by:
– Sending it over a network as a file or as an email payload.
– Carrying it on a removable medium.

• Viruses need USER INTERVENTION to spread …



Viruses
• Some viruses are programmed to damage the computer by
damaging programs, deleting files, or reformatting the hard disk.
• Others are not designed to do any damage, but simply replicate
themselves and perhaps make their presence known by
presenting text, video, or audio messages.



Worms
• Worms are a particularly dangerous type of hostile code.
– They replicate themselves by independently exploiting vulnerabilities in
networks.
– Worms usually slow down networks.

• Worms DO NOT NEED USER INTERVENTION!
– Worms do not require user participation and can spread extremely fast over
the network.



SQL Slammer Worm
• In January 2001, the SQL Slammer Worm slowed down global Internet
traffic as a result of DoS.
• Over 250,000 hosts were affected within 30 minutes of its release.
• The worm exploited a buffer overflow bug in Microsoft's SQL Server.
– A patch for this vulnerability was released in mid-2002, so the servers
that were affected were those that did not have the update patch applied.



Anatomy of a Worm
• The enabling vulnerability
– A worm installs itself using an exploit vector on a vulnerable system.

• Propagation mechanism
– After gaining access to devices, a worm replicates and selects new targets.

• Payload
– Once the device is infected with a worm, the attacker has access to the host –
often as a privileged user.
– Attackers could use a local exploit to escalate their privilege level to
administrator.



Trojan Horses



Trojan Horse
• A Trojan horse is a program that appears, to the user, to perform
a desirable function but, in fact, facilitates unauthorized access to
the user's computer system.
• Trojan horses may appear to be useful or interesting programs, or
at the very least harmless to an unsuspecting user, but are
actually harmful when executed.
• Trojan horses are not self-replicating, which distinguishes them
from viruses and worms.



Trojan Horse Classification
• Remote-access Trojan Horse
– Enables unauthorized remote access

• Data-sending Trojan Horse
– Provides the attacker with sensitive data such as passwords

• Destructive Trojan Horse
– Corrupts or deletes files

• Proxy Trojan Horse
– User's computer functions as a proxy server

• FTP Trojan Horse
– Opens port 21

• Security software disabler Trojan Horse
– Stops anti-virus programs or firewalls from functioning

• Denial of Service Trojan Horse
– Slows or halts network activity



Five Phases of a Virus/Worm Attack
• Probe phase:
– Vulnerable targets are identified using ping scans.
– Application scans are used to identify operating systems and vulnerable software.
– Hackers obtain passwords using social engineering, dictionary attacks, brute force, or network sniffing.

• Penetrate phase:
– Exploit code is transferred to the vulnerable target.
– The goal is to get the target to execute the exploit code through an attack vector, such as a buffer overflow,
ActiveX or Common Gateway Interface (CGI) vulnerabilities, or an email virus.

• Persist phase:
– After the attack is successfully launched in memory, the code tries to persist on the target system.
– The goal is to ensure that the attacker's code is running and available to the attacker even if the system reboots.
– This is achieved by modifying system files, making registry changes, and installing new code.

• Propagate phase:
– The attacker attempts to extend the attack to other targets by looking for vulnerable neighboring machines.
– Propagation vectors include emailing copies of the attack to other systems, uploading files to other systems
using file shares or FTP services, active web connections, and file transfers through Internet Relay Chat.

• Paralyze phase:
– Actual damage is done to the system.
– Files can be erased, systems can crash, information can be stolen, and distributed denial of service (DDoS)
attacks can be launched.



Exploit Comparison



How Do You Mitigate Viruses and Trojan Horses ?



Viruses and Trojan Horses - Mitigation
• The primary means of mitigating virus and Trojan horse attacks is
anti-virus software.
– For total protection, host-based intrusion prevention systems (HIPS), such as
Cisco Security Agent, should also be deployed.
– HIPS protects the OS kernel.

• Anti-virus software helps prevent hosts from getting infected and
spreading malicious code.
– However, anti-virus software must be used properly.
– Always update to the latest anti-virus .dat and application versions.
– Consider that it requires much more time to clean up infected computers than
it does to maintain up-to-date anti-virus software and anti-virus definitions on
the same machines.



Mitigating an Active Worm
• Worm attack mitigation requires diligence on the part of system and
network administration staff.
• There is a four-phase process to mitigate an active worm attack.



Worms - Mitigation
• Containment Phase:
– Limit the spread of a worm infection to areas of the network that are already
affected.
– Compartmentalize and segment the network to slow down or stop the worm, to
prevent currently infected hosts from targeting and infecting other systems.
– Use both outgoing and incoming ACLs on routers and firewalls at control
points within the network.

• Inoculation Phase:
– Runs parallel to or subsequent to the containment phase.
– All uninfected systems are patched with the appropriate vendor patch for the
vulnerability.
– The inoculation process further deprives the worm of any available targets.



Worms - Mitigation
• Quarantine Phase:
– Track down and identify infected machines within the contained areas and
disconnect, block, or remove them.
– This isolates these systems appropriately for the Treatment Phase.

• Treatment Phase:
– Actively infected systems are disinfected of the worm.
– Terminate the worm process, remove modified files or system settings that the
worm introduced, and patch the vulnerability the worm used to exploit the
system.
– In more severe cases, completely reinstall the system to ensure that the
worm and its by-products are removed.
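The quarantine phase depends on identifying infected machines inside the contained areas. As an added example (not from the course slides or Cisco), this Python script applies the propagation behaviour described earlier for Code Red, an infected host opening TCP/80 connections to many unrelated addresses, to a constructed flow log to pick out quarantine candidates, and then renders the kind of Cisco IOS extended ACL the containment phase places at network control points. The flow log format, addresses and ACL name are constructed sample values.

```python
"""Quarantine-phase triage: flag hosts whose traffic looks like worm
propagation (many distinct destinations on one port in a short window,
the behaviour the slides describe for Code Red on TCP/80).

Added example, not the course's or Cisco's code. FLOW_LOG is constructed
sample data in a simplified 'seconds src dst dport' format.
"""
from collections import defaultdict

# Constructed flow records: 10.0.0.5 fans out to six hosts on TCP/80 in
# six seconds; 10.0.0.8 and 10.0.0.9 show ordinary repeat traffic.
FLOW_LOG = """\
1000 10.0.0.5 10.0.1.1 80
1001 10.0.0.5 10.0.1.2 80
1002 10.0.0.5 192.168.7.9 80
1003 10.0.0.5 172.16.3.3 80
1004 10.0.0.5 10.0.1.77 80
1005 10.0.0.5 10.9.9.9 80
1000 10.0.0.8 10.0.1.1 80
1030 10.0.0.8 10.0.1.1 80
1060 10.0.0.8 10.0.2.2 443
1100 10.0.0.9 10.0.1.1 80
2000 10.0.0.9 10.0.1.2 80
2100 10.0.0.9 10.0.1.3 80
"""


def parse_flows(text):
    """Parse 'seconds src dst dport' lines into (int, str, str, int) tuples."""
    flows = []
    for line in text.splitlines():
        if line.strip():
            ts, src, dst, dport = line.split()
            flows.append((int(ts), src, dst, int(dport)))
    return flows


def fan_out_suspects(flows, port=80, window=60, threshold=5):
    """Map source -> peak distinct-destination count for sources that reached
    at least `threshold` different hosts on `port` inside any `window` seconds."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in flows:
        if dport == port:
            by_src[src].append((ts, dst))
    suspects = {}
    for src, events in by_src.items():
        events.sort()
        peak = 0
        for i, (start, _) in enumerate(events):
            # Sliding window anchored at each event; events are time-ordered.
            seen = {dst for ts, dst in events[i:] if ts - start <= window}
            peak = max(peak, len(seen))
        if peak >= threshold:
            suspects[src] = peak
    return suspects


def containment_acl(suspects, port=80, name="WORM-CONTAIN"):
    """Render a Cisco IOS named extended ACL that drops TCP/`port` from each
    suspect at a control point while permitting everything else."""
    lines = [f"ip access-list extended {name}"]
    lines += [f" deny tcp host {src} any eq {port}" for src in sorted(suspects)]
    lines.append(" permit ip any any")
    return "\n".join(lines)


if __name__ == "__main__":
    found = fan_out_suspects(parse_flows(FLOW_LOG))
    for src, peak in found.items():
        print(f"quarantine candidate {src}: {peak} distinct TCP/80 targets in 60 s")
    print(containment_acl(found))
```

The threshold and window are tuning knobs: a web crawler or a monitoring host also fans out on TCP/80, so candidates still need to be confirmed (for example against the patch state of the host) before the treatment phase.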

