Table of Contents
1 Chapter 1 Modern Network Security Threats 4
1.1 Section 1.0 Introduction 4
1.1.1 Topic 1.0.1 Introduction 4
1.1.1.1 Page 1.0.1.1 Introduction 4
1.2 Section 1.1 Fundamental Principles of a Secure Network 5
1.2.1 Topic 1.1.1 Evolution of Network Security 5
1.2.1.1 Page 1.1.1.1 Code Red Worm Attack 5
1.2.1.2 Page 1.1.1.2 Evolution of Security Threats 6
1.2.1.3 Page 1.1.1.3 Evolution of Network Security Tools 7
1.2.1.4 Page 1.1.1.4 Threats to Networks 8
1.2.1.5 Page 1.1.1.5 Encryption and Cryptography 9
1.2.2 Topic 1.1.2 Drivers for Network Security 10
1.2.2.1 Page 1.1.2.1 The Hacker 10
1.2.2.2 Page 1.1.2.2 Evolution of Hacking 11
1.2.2.3 Page 1.1.2.3 First Network Attacks 12
1.2.2.4 Page 1.1.2.4 Network Security Professionals 15
1.2.3 Topic 1.1.3 Network Security Organizations 16
1.2.3.1 Page 1.1.3.1 Network Security Organizations 16
1.2.3.2 Page 1.1.3.2 SANS Institute 17
1.2.3.3 Page 1.1.3.3 CERT 18
1.2.3.4 Page 1.1.3.4 (ISC)2 19
1.2.3.4.1 Security certifications offered by (ISC)2 19
1.2.3.5 Page 1.1.3.5 RSS 21
1.2.4 Topic 1.1.4 Domains of Network Security 22
1.2.4.1 Page 1.1.4.1 Network Security Domains 22
1.2.4.2 Page 1.1.4.2 Security Policy 24
1.2.5 Topic 1.1.5 Network Security Policies 25
1.2.5.1 Page 1.1.5.1 Network Security Policy 25
1.2.5.2 Page 1.1.5.2 Cisco SecureX Architecture 26
1.2.5.3 Page 1.1.5.3 Cisco SecureX Product Categories 27
1.2.5.4 Page 1.1.5.4 Network Security Policy Objectives 28
1.3 Section 1.2 Viruses, Worms, and Trojan horses 29
1.3.1 Topic 1.2.1 Viruses 29
1.3.1.1 Page 1.2.1.1 Primary Vulnerabilities for End User Devices 29
1.3.1.2 Page 1.2.1.2 Comparison of a Human Virus and a Computer Virus 30
1.3.2 Topic 1.2.2 Worms 31
1.3.2.1 Page 1.2.2.1 Worms 31
1.3.2.2 Page 1.2.2.2 Worm Components 32
1.3.2.3 Page 1.2.2.3 Worm and Virus Exploit Comparison 33
1.3.3 Topic 1.2.3 Trojan horses 34
1.3.3.1 Page 1.2.3.1 Trojan horse Concept 34
1.3.3.2 Page 1.2.3.2 Trojan horse Classifications 35
1.3.4 Topic 1.2.4 Mitigating Viruses, Worms, and Trojan horses 36
1.3.4.1 Page 1.2.4.1 Buffer Overflows 36
1.3.4.2 Page 1.2.4.2 Antivirus Software 37
1.3.4.3 Page 1.2.4.3 Worm Mitigation 38
1.3.4.4 Page 1.2.4.4 SQL Slammer Worm 39
1.4 Section 1.3 Attack Methodologies 40
1.4.1 Topic 1.3.1 Reconnaissance Attacks 40
1.4.1.1 Page 1.3.1.1 Types of Attacks 40
1.4.1.1.1 Reconnaissance Attacks 40
1.4.1.1.2 Access Attacks 40
1.4.1.1.3 DoS Attacks 40
1.4.1.2 Page 1.3.1.2 Types of Reconnaissance Attacks 41
1.4.1.3 Page 1.3.1.3 Packet Sniffer 42
1.4.1.4 Page 1.3.1.4 Ping Sweeps and Port Scans 43
1.4.1.4.1 Internet information query 43
1.4.1.4.2 Ping sweeps 43
1.4.1.4.3 Port scanning 44
1.4.1.5 Page 1.3.1.5 Mitigating Reconnaissance Attacks 45
1.4.2 Topic 1.3.2 Access Attacks 46
1.4.2.1 Page 1.3.2.1 Access Attacks 46
1.4.2.2 Page 1.3.2.2 Types of Access Attacks 47
1.4.2.2.1 Password attack 47
1.4.2.2.2 Trust exploitation 47
1.4.2.2.3 Port redirection 48
1.4.2.2.4 Man-in-the-middle attack 48
1.4.2.2.5 Buffer overflow 49
1.4.2.3 Page 1.3.2.3 Mitigating Access Attacks 50
1.4.3 Topic 1.3.3 Denial of Service Attacks 51
1.4.3.1 Page 1.3.3.1 DoS Attacks 51
1.4.3.2 Page 1.3.3.2 DoS and DDoS 52
1.4.3.3 Page 1.3.3.3 Types of DoS Attacks 54
1.4.3.3.1 Ping of Death 54
1.4.3.3.2 Smurf Attack 54
1.4.3.3.3 TCP SYN Flood Attack 55
1.4.3.4 Page 1.3.3.4 DoS Attack Symptoms 56
1.4.4 Topic 1.3.4 Mitigating Network Attacks 57
1.4.4.1 Page 1.3.4.1 Mitigating Network Attacks 57
1.4.4.2 Page 1.3.4.2 Mitigating Reconnaissance Attacks 58
1.4.4.3 Page 1.3.4.3 Mitigating Access Attacks 59
1.4.4.4 Page 1.3.4.4 Mitigating DoS Attacks 60
1.4.4.5 Page 1.3.4.5 Defending the Network 61
1.5 Section 1.4 Cisco Network Foundation Protection Framework 62
1.5.1 Topic 1.4.1 NFP 62
1.5.1.1 Page 1.4.1.1 NFP Framework 62
1.5.1.2 Page 1.4.1.2 Control Plane 63
1.5.1.3 Page 1.4.1.3 Management Plane 64
1.5.1.4 Page 1.4.1.4 Data Plane 65
1.6 Section 1.5 Chapter Summary 66
1.6.1 Topic 1.5.1 Chapter Summary 66
1.6.1.1 Page 1.5.1.1 Lab - Researching Network Attacks and Security Audit Tools 66
1.6.1.2 Page 1.5.1.2 Chapter Summary 66
1.7 Reference 66
1 Chapter 1 Modern Network Security Threats
1.1 Section 1.0 Introduction
1.1.1 Topic 1.0.1 Introduction
1.1.1.1 Page 1.0.1.1 Introduction
Upon completion of this chapter you will be able to:
o Describe the evolution of network security
o Describe the various drivers for network security technologies and applications
o Describe the major organizations responsible for enhancing network security
o Describe a collection of domains for network security
o Describe network security policies
o Describe computer network viruses
o Describe computer network worms
o Describe computer network Trojan Horses
o Describe the techniques used to mitigate viruses, worms, and Trojan Horses
o Explain how reconnaissance attacks are launched
o Explain how access attacks are launched
o Explain how Denial of Service (DoS) attacks are launched
o Describe the techniques used to mitigate reconnaissance attacks, access attacks, and DoS attacks
o Explain how to secure the three functional areas of Cisco routers and switches
Network security is now an integral part of computer networking. Network security involves protocols, technologies, devices, tools, and techniques to secure data and mitigate threats. Network security solutions emerged in the 1960s, but did not mature into a comprehensive set of solutions for modern networks until the 2000s.
Network security is largely driven by the effort to stay one step ahead of ill-intentioned hackers. Just as medical doctors attempt to prevent new illness while treating existing problems, network security professionals attempt to prevent potential attacks while minimizing the effects of real-time attacks. Business continuity is another major driver of network security.
Network security organizations have been created to establish formal communities of network security professionals. These organizations set standards, encourage collaboration, and provide workforce development opportunities for network security professionals. Network security professionals should be aware of the resources provided by these organizations.
The complexity of network security makes it difficult to master all it encompasses. Different organizations have created domains that subdivide the world of network security into more manageable pieces. This division allows professionals to focus on more precise areas of expertise in their training, research, and employment.
Network security policies are created by companies and government organizations to provide a framework for employees to follow during their day-to-day work. Network security professionals at the management level are responsible for creating and maintaining the network security policy. All network security practices relate to and are guided by the network security policy.
Just as network security is composed of domains of network security, network attacks are classified so that it is easier to learn about them and address them appropriately. Viruses, worms, and Trojan horses are specific types of network attacks. More generally, network attacks are classified as reconnaissance, access, or denial of service (DoS) attacks.
The methods of network attack mitigation are introduced here, and the implementation of these methods comprises the remainder of this course.
1.2 Section 1.1 Fundamental Principles of a Secure Network
1.2.1 Topic 1.1.1 Evolution of Network Security
1.2.1.1 Page 1.1.1.1 Code Red Worm Attack
In July 2001, the Code Red worm attacked web servers globally, infecting over 350,000 hosts, as shown in the figure. The worm not only disrupted access to the infected servers, but also affected the local networks hosting the servers, making them very slow or unusable. The Code Red worm caused a denial of service to millions of users.
If the network security professionals responsible for these Code Red-infected servers had developed and implemented a security policy, security patches would have been applied in a timely manner. The Code Red worm would have been stopped and would only merit a footnote in network security history.
Network security relates directly to an organization's business continuity. Network security breaches can disrupt e-commerce, cause the loss of business data, threaten people's privacy, and compromise the integrity of information. These breaches can result in lost revenue for corporations, theft of intellectual property, and lawsuits, and can even threaten public safety.
Maintaining a secure network ensures the safety of network users and protects commercial interests. To keep a network secure requires vigilance on the part of an organization's network security professionals. Network security professionals must constantly be aware of new and evolving threats and attacks to networks, and vulnerabilities of devices and applications. This information is used to adapt, develop, and implement mitigation techniques. However, security of the network is ultimately the responsibility of everyone who uses it. For this reason, it is the job of the network security professional to ensure that all users receive security awareness training. Maintaining a secure, protected network provides a more stable, functional work environment for everyone.
1.2.1.2 Page 1.1.1.2 Evolution of Security Threats
“Necessity is the mother of invention.” This saying applies perfectly to network security. In the early days of the Internet, commercial interests were negligible. The vast majority of users were research and development experts. The Internet did not implement security measures, but early users rarely engaged in activities that would harm other users.
Early on, networking involved connecting people and machines through communications media. The job of a networker was to connect devices to improve a user's ability to communicate information and ideas. The early users of the Internet did not spend much time thinking about whether or not their online activities presented a threat to the network or to their own data.
When the first viruses were unleashed and the first DoS attack occurred, the world began to change for networking professionals. To meet the needs of users, network professionals learned techniques to secure networks. The primary focus of many network professionals evolved from designing, building, and growing networks to securing existing networks.
Today, the Internet is a very different network compared to its beginnings. More people are relying on the network for their personal, financial and business needs. This information must be protected. However, attack tools are much more sophisticated, and highly automated, requiring less technical knowledge to use them than in the past. The timeline in the figure shows this relationship: as the sophistication of attack tools has risen, the technical knowledge required to use them has fallen.
The job of a network security professional includes ensuring that appropriate personnel are well-versed in
1.2.1.3 Page 1.1.1.3 Evolution of Network Security Tools
The evolution of network security tools (timeline figure):
2010 Cisco Security Intelligence Operations
2006 Cisco Zone-Based Policy Firewall
1991 DEC SEAL Application Layer Firewall
1989 AT&T Bell Labs Stateful Firewall
1988 DEC Packet Filter Firewall
As network security became an integral part of everyday operations, devices dedicated to particular network security functions emerged.
One of the first network security tools was the intrusion detection system (IDS), first developed by SRI International in 1984. An IDS provides real-time detection of certain types of attacks while they are in progress. This detection allows network security professionals to more quickly mitigate the negative impact of these attacks on network devices and users. In the late 1990s, the intrusion prevention system (IPS) began to replace the IDS solution. IPS devices enable the detection of malicious activity and have the ability to automatically block the attack in real time.
In addition to IDS and IPS solutions, firewalls were developed to prevent undesirable traffic from entering prescribed areas within a network, thereby providing perimeter security. In 1988, Digital Equipment Corporation (DEC) created the first network firewall in the form of a packet filter. These early firewalls inspected packets to see if they matched sets of predefined rules, with the option of forwarding or dropping the packets accordingly. Packet filtering firewalls inspect each packet in isolation without examining whether a packet is part of an existing connection. In 1989, AT&T Bell Laboratories developed the first stateful firewall. Like packet filtering firewalls, stateful firewalls use predefined rules for permitting or denying traffic. Unlike packet filtering firewalls, stateful firewalls keep track of established connections and determine if a packet belongs to an existing flow of data, providing greater security and more rapid processing.
The original firewalls were software features added to existing networking devices, such as routers. Over time, several companies developed standalone, or dedicated, firewalls that enable routers and switches to offload the memory- and processor-intensive activity of filtering packets. Cisco's Adaptive Security Appliance (ASA) is available as a standalone context-aware firewall. For organizations that do not require a dedicated firewall, modern routers, like the Cisco Integrated Services Router (ISR), can be used as sophisticated stateful firewalls.
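The difference between the two firewall generations described above, as an added Python example that is not part of the original course text: a stateless packet filter that must admit anything resembling an HTTP reply sits beside a stateful firewall that admits a reply only when an inside host actually opened the matching connection. The LAN prefix, addresses, ports and packets are constructed samples.

```python
"""Toy model of a stateless packet filter versus a stateful firewall.

Illustrative code added for this page; not Cisco courseware or product code.
Every host address and packet below is a constructed sample.
"""
from dataclasses import dataclass

INTERNAL_NET = "10.0.0."   # constructed example: the protected LAN


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool = False
    ack: bool = False


def is_internal(ip: str) -> bool:
    return ip.startswith(INTERNAL_NET)


def packet_filter(pkt: Packet) -> str:
    """Stateless filter: every packet is judged in isolation.

    Rule 1: inside hosts may open HTTP (port 80) sessions outbound.
    Rule 2: to let server replies back in, permit inbound packets whose
            source port is 80 and that carry ACK (they look like replies).
    Default: deny.
    """
    if is_internal(pkt.src) and not is_internal(pkt.dst) and pkt.dport == 80:
        return "permit"
    if (not is_internal(pkt.src) and is_internal(pkt.dst)
            and pkt.sport == 80 and pkt.ack):
        return "permit"
    return "deny"


class StatefulFirewall:
    """Same policy, but return traffic is matched against a connection table."""

    def __init__(self) -> None:
        # Entries: (client_ip, client_port, server_ip, server_port)
        self.table: set = set()

    def inspect(self, pkt: Packet) -> str:
        flow = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if is_internal(pkt.src) and not is_internal(pkt.dst) and pkt.dport == 80:
            if pkt.syn and not pkt.ack:
                self.table.add(flow)        # inside host opens a new session
                return "permit"
            return "permit" if flow in self.table else "deny"
        if not is_internal(pkt.src) and is_internal(pkt.dst):
            # Reply direction: admitted only if an inside host opened this flow
            reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
            return "permit" if reverse in self.table else "deny"
        return "deny"


# Constructed sample traffic: one real HTTP session and two unsolicited
# inbound packets dressed up to look like HTTP replies.
CLIENT, WEB, OUTSIDER = "10.0.0.5", "203.0.113.10", "198.51.100.7"
TRAFFIC = [
    Packet(CLIENT, WEB, 40001, 80, syn=True),            # inside opens HTTP
    Packet(WEB, CLIENT, 80, 40001, syn=True, ack=True),  # genuine reply
    Packet(OUTSIDER, CLIENT, 80, 22, ack=True),          # unsolicited, no session
    Packet(OUTSIDER, CLIENT, 80, 3389, ack=True),        # unsolicited, no session
]


def compare() -> tuple:
    """Run the same traffic through both engines; return their verdict lists."""
    stateless = [packet_filter(p) for p in TRAFFIC]
    firewall = StatefulFirewall()
    stateful = [firewall.inspect(p) for p in TRAFFIC]
    return stateless, stateful


if __name__ == "__main__":
    for name, verdicts in zip(("packet filter", "stateful firewall"), compare()):
        print(f"{name:18s} {verdicts}")
```

The stateless filter lets both unsolicited packets through because its reply rule can only look at header fields, while the stateful firewall drops them because no inside host ever opened those flows.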
Traditional security relied on the layering of products and using multiple filters. However, as threats became more sophisticated, these filters were required to look deeper into network and application layer traffic. Security requirements included more dynamic updates of information and quicker response times to threats. For this reason, Cisco designed the Security Intelligence Operations (SIO). SIO is a cloud-based service that connects global threat information, reputation-based services, and sophisticated analysis to Cisco network security devices to provide stronger protection with faster response times.
1.2.1.4 Page 1.1.1.4 Threats to Networks
As shown in the figure, in addition to dealing with threats from outside of the network, network security professionals must also be prepared for threats from inside the network. Internal threats, whether intentional or accidental, can cause even greater damage than external threats because of direct access to, and knowledge of, the corporate network and data. Despite this fact, it has taken more than 20 years after the introduction of tools and techniques for mitigating external threats to develop tools and techniques for mitigating internal threats.
A common scenario for a threat originating from inside the network is a disgruntled employee with some technical skills and a willingness to do harm. Most threats from within the network leverage the protocols and technologies used on the local area network (LAN) or the switched infrastructure. These internal threats fall into two categories: spoofing and DoS.
Spoofing attacks are attacks in which one device attempts to pose as another by falsifying data. There are multiple types of spoofing attacks. For example, MAC address spoofing occurs when one computer adopts the MAC address of another computer so that it receives the data packets intended for that computer.
DoS attacks make computer resources unavailable to intended users. Attackers use various methods to launch DoS attacks.
As a network security professional, it is important to understand the methods designed specifically for targeting these types of threats and ensuring the security of the LAN.
1.2.1.5 Page 1.1.1.5 Encryption and Cryptography
In addition to preventing and denying malicious traffic, network security also requires that data stay protected. Cryptography, the study and practice of hiding information, is used pervasively in modern network security. Today, each type of network communication has a corresponding protocol or technology designed to hide that communication from anyone other than the intended user.
Network data can be encrypted (made unreadable to unauthorized users) using various cryptography applications. The conversation between two IP phone users can be encrypted. The files on a computer can also be encrypted. These are just a few examples. Cryptography can be used almost anywhere that there is data communication. In fact, the trend is toward all communication being encrypted.
Cryptography ensures data confidentiality, which is one of the three components of information security: confidentiality, integrity, and availability. Information security deals with protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction. Encryption provides confidentiality by hiding plaintext data, as shown in Figure 1. Data integrity, meaning that the data is preserved unaltered during any operation, is achieved by the use of hashing mechanisms. Availability, which is data accessibility, is guaranteed by network hardening mechanisms and backup systems.
Evolution of Data Protection Technologies
1.2.2 Topic 1.1.2 Drivers for Network Security
1.2.2.1 Page 1.1.2.1 The Hacker
The word 'hackers' has a variety of meanings. For many, it means Internet programmers who try to gain unauthorized access to devices on the Internet. It is also used to refer to individuals who run programs to prevent or slow network access to a large number of users, or corrupt or wipe out data on servers. But for some, the term hacker has a positive interpretation as a network professional that uses sophisticated Internet programming skills to ensure that networks are not vulnerable to attack. Good or bad, hacking is a driving force in network security.
From a business perspective, it is necessary to minimize the effects of hackers with bad intentions. Businesses lose productivity when the network is slow or unresponsive. Business profits are impacted by data loss and data corruption.
The job of a network security professional is to stay one step ahead of the hackers by attending training and workshops, participating in security organizations, subscribing to real-time feeds regarding threats, and perusing security websites on a daily basis. The network security professional must also have access to state-of-the-art security tools, protocols, techniques, and technologies. Network security professionals should have many of the same traits as law enforcement professionals. They should always remain aware of malicious activities and have the skills and tools to minimize or eliminate the threats associated with those activities.
Hacking has the unintended effect of creating a high demand for network security professionals. However, relative to other technology professions, network security has the steepest learning curve and requires a commitment to continuous professional development.
1.2.2.2 Page 1.1.2.2 Evolution of Hacking
Evolution of hacking timeline
1970 Phone Freaks
1980 Wardialing
1988 First internet worm
1993 First Def Con Hacking Conference
1994 First 5-year Federal Prison sentence for Hacking
1995 Kevin Mitnick initially sentenced to 4 years in prison for hacking credit card accounts
2009 First malicious iPhone worm
2011 Script kiddies hacked the NBC News Twitter account, posting fake updates related to terrorist attacks
Hacking started in the 1960s with phone freaking, or phreaking, which refers to using various audio frequencies to manipulate phone systems. Phreaking began when AT&T introduced automatic switches to their phone systems. The AT&T phone switches used various tones, or tone dialing, to indicate different functions, such as call termination and call dialing. A few AT&T customers realized that by mimicking a tone using a whistle, they could exploit the phone switches to make free long-distance calls.
As communication systems evolved, so did hacking methods, as shown in the figure. Wardialing became popular in the 1980s with the use of computer modems. Wardialing programs automatically scanned telephone numbers within a local area, dialing each one in search of computers, bulletin board systems, and fax machines. When a phone number was found, password-cracking programs were used to gain access.
Wardriving began in the 1990s and is still popular today. Wardriving refers to users gaining unauthorized access to networks via wireless access points. This is accomplished using a wireless-enabled portable computer or PDA. Password-cracking programs are used to authenticate, if necessary, and there is even software to crack the encryption scheme required to associate to the access point.
Other threats have evolved over time. These include network scanning tools such as Nmap, John the Ripper, Cain and Abel, and SATAN, as well as remote system administration hacking tools such as Back Orifice. Network security professionals must be familiar with all of these tools.
1.2.2.3 Page 1.1.2.3 First Network Attacks
Transactions worth trillions of dollars are conducted over the Internet on a daily basis, and the livelihoods of millions of people depend on Internet commerce. For this reason, criminal laws are in place to protect individual and corporate assets. There are numerous cases of individuals who have had to face the court system due to these laws.
First Virus
Melissa Email Virus - March, 1999. Below is the actual email as distributed.
From: ******
Subject: Important Message From ******
To: (50 names from alias list)
Here is that document you asked for don’t show anyone else ;-)
Attachment: LIST.DOC
First Worm
The Morris Internet Worm
All the following events occurred on the evening of Nov 2, 1988.
6:00 PM At about this time the Worm is launched.
8:49 PM The Worm infects a VAX 8600 at the University of Utah (cs.utah.edu).
9:09 PM The Worm initiates the first of its attacks to infect other computers from the infected VAX.
9:21 PM The load average on the system reaches 5. (Load average is a measure of how hard the computer system is working. At 9:30 at night, the load average of the VAX was usually 1. Any load average higher than 5 causes delays in data processing.)
9:41 PM The load average reaches 7.
10:01 PM The load average reaches 16.
10:06 PM At this point there are so many worms infecting the system that no new processes can be started. No users can use the system anymore.
10:20 PM The system administrator kills off the worms.
10:41 PM The system is re-infected and the load average reaches 27.
10:49 PM The system administrator shuts down the system. The system is subsequently restarted.
11:21 PM Re-infestation causes the load average to reach 37.
First Spam
First Spam on ARPAnet - 1978. Below is the actual spam message as distributed on ARPAnet.
To: Everyone
From:
Subject: Presentation Today
DIGITAL WILL BE GIVING A PRODUCT PRESENTATION OF THE NEWEST MEMBERS OF THE DECSYSTEM-20 FAMILY; THE DECSYSTEM-2020, 2020T, 2060, AND 2060T. THE DECSYSTEM-20 FAMILY OF COMPUTERS HAS EVOLVED FROM THE TENEX OPERATING SYSTEM AND THE DECSYSTEM-10 <PDP-10> COMPUTER ARCHITECTURE. BOTH THE DECSYSTEM-2060T AND 2020T OFFER FULL ARPANET SUPPORT UNDER THE TOPS-20 OPERATING SYSTEM. THE DECSYSTEM-2060 IS AN UPWARD EXTENSION OF THE CURRENT DECSYSTEM 2040 AND 2050 FAMILY. THE DECSYSTEM-2020 IS A NEW LOW END MEMBER OF THE DECSYSTEM-20 FAMILY AND FULLY SOFTWARE COMPATIBLE WITH ALL OF THE OTHER DECSYSTEM-20 MODELS.
WE INVITE YOU TO COME SEE THE 2020 AND HEAR ABOUT THE DECSYSTEM-20 FAMILY AT THE TWO PRODUCT PRESENTATIONS WE WILL BE GIVING IN CALIFORNIA THIS MONTH. THE LOCATIONS WILL BE:
(4 MILES SOUTH OF S.F AIRPORT AT BAYSHORE, RT 101 AND RT 92)
A 2020 WILL BE THERE FOR YOU TO VIEW. ALSO TERMINALS ON-LINE TO OTHER DECSYSTEM-20 SYSTEMS THROUGH THE ARPANET. IF YOU ARE UNABLE TO ATTEND, PLEASE FEEL FREE TO CONTACT THE NEAREST DEC OFFICE FOR MORE INFORMATION ABOUT THE EXCITING DECSYSTEM-20 FAMILY.
First DoS Attack
Mafiaboy DoS Attack - February, 2000. Below is an article describing the sentencing of Mafiaboy shortly after his conviction for the DoS attack.
'Mafiaboy' Sentenced to 8 Months. Wired News Report, 09.13.01
"Mafiaboy," the Canadian teenager who launched a denial of service attack that paralyzed many of the Internet’smajor sites for one week in February 2000, will be spending the next eight months in a youth detention center.Judge Gilles Ouellet, who presided over the trial in Quebec's Youth Court, handed down the ruling onWednesday Ouellet said that the 17-year-old had committed a criminal act when he attacked Yahoo, eBay andAmazon and other major Internet sites "This is a grave matter This attack weakened the entire electroniccommunication system," Ouellet told the court "And the motivation was undeniable, this adolescent had acriminal intent." Prosecutor Louis Miville-Deschenes said that he hoped the sentence would send “a strongmessage to the hacker world." Mafiaboy will also serve one year of probation after his release from thedetention center During his probation he will be allowed to attend school and have a part-time job He was alsoordered by Ouellet to donate $250 to charity Mafiaboy's real name has not been released by the court, due tothe Canadian law that protects the identity of offenders under 18 years of age Defense lawyer Yan Romanowskisaid that his client was shocked and saddened by his sentence and is considering an appeal "He hoped the judgehad understood that he had learned his lesson and that detention was not a proper remedy in thesecircumstances," Romanowski said "Detention is too much as far as I am concerned," Romanowski added Themaximum sentence Mafiaboy could have received was two years in detention Prosecutor Louis Miville-Deschenes had asked the court to sentence Mafiaboy to one year of detention "We think it is a reasonableruling It sends a strong message to hackers that they will get caught if they do things like that," Miville-Deschenes told reporters after court was dismissed
The first virus was an email virus by the name of the Melissa virus. It was written by David Smith of Aberdeen,
Robert Morris created the first Internet worm with 99 lines of code. When the Morris Worm was released, 10 percent of Internet systems were brought to a halt. Robert Morris was charged and received three years' probation, 400 hours of community service, and a fine of $10,000. The First Worm timeline above lists some of the events that occurred when this worm was introduced.
Spamming is the use of messaging technologies such as email and text messaging to send unsolicited bulk messages. The first spam message distributed on the Advanced Research Projects Agency Network (ARPAnet) was in 1978. The First Spam panel above shows the actual spam message that was distributed.
A DoS attack is an attempt to make a service or machine unavailable to its intended users. The First DoS Attack panel above gives more information on the Mafiaboy DoS attack in February 2000.
When hackers use their creativity for malicious purposes, such as attacks via spam, DoS, or breaking into accounts, they often end up going to jail and paying large fines. They also lose access to the very environment in which they thrive.
1.2.2.4 Page 1.1.2.4 Network Security Professionals
As a result of hacker exploits, the sophistication of hacker tools, and government legislation, network security solutions developed rapidly in the 1990s. By the late 1990s, many sophisticated network security solutions had been developed for organizations to strategically deploy within their networks. With these solutions came new job opportunities and increased compensation in the field of network security. The figure shows common network security specialist job roles.
The annual income for a network security professional is on the high end of the scale for careers in technology because of the depth and breadth of knowledge required. Network security professionals must constantly upgrade their skill set to keep abreast of the latest threats. The challenge of gaining and maintaining the necessary knowledge often translates into a shortage of network security professionals.
Network security professionals are responsible for maintaining data assurance for an organization and ensuring the integrity and confidentiality of information. A network security professional might be responsible for setting up firewalls and intrusion prevention systems as well as ensuring encryption of company data. Implementing enterprise authentication schemes is another important task. The job entails maintaining detailed logs of suspicious activity on the network to use for reprimanding or prosecuting violators. As a network security professional, it is also important to maintain familiarity with network security organizations. These organizations often have the latest information on threats and vulnerabilities.
1.2.3 Topic 1.1.3 Network Security Organizations
1.2.3.1 Page 1.1.3.1 Network Security Organizations
Network security professionals must collaborate with professional colleagues more frequently than most other professions. This includes attending workshops and conferences that are often affiliated with, sponsored, or organized by local, national, or international technology organizations, as shown in the figure.
Three of the more well-established network security organizations are:
o SysAdmin, Audit, Network, Security (SANS) Institute
o Computer Emergency Response Team (CERT)
o International Information Systems Security Certification Consortium ((ISC)2, pronounced "I-S-C-squared")
A number of other network security organizations are also important to network security professionals. InfoSysSec is a network security organization that hosts a security news portal, providing the latest breaking news pertaining to alerts, exploits, and vulnerabilities. The Mitre Corporation maintains a list of common vulnerabilities and exposures (CVE) used by prominent security organizations. The Forum of Incident Response and Security Teams (FIRST) is a security organization that brings together a variety of computer security incident response teams from government, commercial, and educational organizations to foster cooperation and coordination in information sharing, incident prevention, and rapid reaction. Finally, the Center for Internet Security (CIS) is a nonprofit enterprise that develops security configuration benchmarks through a global consensus to reduce the risk of business and e-commerce disruptions.
1.2.3.2 Page 1.1.3.2 SANS Institute
SANS was established in 1989 as a cooperative research and education organization, as shown in the figure. The focus of SANS is information security training and certification. SANS develops research documents about various aspects of information security.
SANS relies upon a range of individuals, including auditors, network administrators, and chief information security officers, to share lessons and solutions to various challenges. At the heart of SANS are security practitioners from different global organizations, corporations, and universities working together to help the entire information security community.
SANS resources are largely free upon request. This includes the popular Internet Storm Center, the Internet's early warning system; NewsBites, the weekly news digest; @RISK, the weekly vulnerability digest; flash security alerts; and more than 1,200 award-winning, original research papers.
SANS develops security courses that can be taken to prepare for Global Information Assurance Certification (GIAC) in auditing, management, operations, legal issues, security administration, and software security. GIAC validates the skills of network security professionals, ranging from entry-level information security to advanced subject areas. This can include auditing, intrusion detection, incident handling, firewalls and perimeter protection, data forensics, hacker techniques, Windows and UNIX operating system security, and secure software and application coding.
1.2.3.3 Page 1.1.3.3 CERT
CERT is part of the U.S. federally funded Software Engineering Institute (SEI) at Carnegie Mellon University. CERT is chartered to work with the Internet community in detecting and resolving computer security incidents. The Morris Worm motivated the formation of CERT at the directive of the Defense Advanced Research Projects Agency (DARPA). The CERT Coordination Center (CERT/CC) focuses on coordinating communication among experts during security emergencies to help prevent future incidents.
CERT responds to major security incidents and analyzes product vulnerabilities. CERT works to manage changes relating to progressive intruder techniques and to the difficulty of detecting attacks and catching attackers. CERT develops and promotes the use of appropriate technology and systems management practices to resist attacks on networked systems, to limit damage, and to ensure continuity of services.
CERT focuses on five areas:
o Software assurance
o Secure systems
o Organizational security
o Coordinated response
o Education and training
As shown in the figure, CERT disseminates information by publishing articles, research and technical reports, and papers on a variety of security topics. CERT works with the news media to raise awareness of the risks on the Internet and the steps that users can take to protect themselves. CERT works with other major technology organizations, such as the global Forum for Incident Response and Security Teams (FIRST) and the Internet Engineering Task Force (IETF), to increase the commitment to security and survivability. CERT also advises U.S. government organizations, such as the National Threat Assessment Center, the National Security Council, and the Homeland Security Council.
1.2.3.4 Page 1.1.3.4 (ISC)2
Most notably, (ISC)2 is universally recognized for its four information security certifications, including one of the most popular certifications in the network security profession, the Certified Information Systems Security Professional (CISSP). These credentials help to ensure that employers with certified employees maintain the safety of information assets and infrastructures.
(ISC)2 promotes expertise in handling security threats through its education and certification programs. As members, individuals have access to current industry information and networking opportunities unique to its network of certified information security professionals.
1.2.3.4.1 Security certifications offered by (ISC)2
Systems Security Certified Practitioner (SSCP)
The SSCP Certification is only available to qualified candidates who subscribe to the (ISC)2 code of ethics and pass the SSCP Certification examination based on the relevant SSCP Common Body of Knowledge (CBK).
Candidates must also be able to prove at least one year of experience in one of the seven domains that comprise the SSCP Certification:
o Access Controls
o Administration
o Audit and Monitoring
o Risk, Response and Recovery
o Cryptography
o Data Communications
o Malicious Code/Malware
Certification and Accreditation Professional (CAP)
CAP was co-developed by the U.S. Department of State's Office of Information Assurance and (ISC)2.
The CAP credential is used as a measure of the knowledge, skills and abilities of personnel involved in assessing risk and establishing security requirements, as well as ensuring that information systems possess appropriate security measures.
Certified Secure Software Lifecycle Professional (CSSLP)
The CSSLP is the newest certification from (ISC)2, and is the only certification in the industry that ensures security is considered throughout the entire software lifecycle.
It centers around seven domains:
o Secure Software Concepts
o Secure Software Requirements
o Secure Software Design
o Secure Software Implementation/Coding
o Secure Software Testing
o Software Acceptance
o Software Deployment, Operations, Maintenance and Disposal
Certified Information Systems Security Professional (CISSP)
The CISSP was the first credential in the field of information security accredited by ANSI to ISO Standard 17024:2003.
For the CISSP credential, in addition to five years of experience, professional experience must be in two or more of the 10 defined (ISC)2 CISSP domains:
o Access Control
o Application Security
o Business Continuity and Disaster Recovery Planning
o Cryptography
o Information Security and Risk Management
o Legal, Regulations, Compliance and Investigations
o Operations Security
o Physical (Environmental) Security
o Security Architecture and Design
o Telecommunications and Network Security
1.2.3.5 Page 1.1.3.5 RSS
RSS benefits professionals who want to subscribe to timely updates from favored websites or to aggregate feeds from many sites into one place. RSS feeds can be read using a web-based RSS reader, typically built into a web browser. The RSS reader software checks the user's subscribed feeds regularly for new updates and provides an interface to monitor and read the feeds. By using RSS, a network security professional can acquire up-to-date information on a daily basis and aggregate real-time threat information for review at any time.
For example, the US-CERT Current Activity web page is a regularly updated summary of the most frequent, high-impact types of security incidents being reported to US-CERT, as shown in the figure. A text-only RSS feed is available here. This feed reports at all hours of the day and night, with information regarding security advisories, email scams, backup vulnerabilities, malware spreading via social network sites, and other potential threats.
Note: The Chrome browser does not support RSS feeds by default. An RSS extension must be used to view RSS feeds.
US-CERT RSS Feed
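The polling behaviour described above (a reader checks subscribed feeds for items it has not seen yet) is easy to reproduce for a small threat-intelligence pipeline. The following is an added example, not code from the course or from US-CERT: it parses a constructed RSS 2.0 feed with Python's standard library, remembers which item GUIDs were already seen on an earlier poll, and raises only new items whose title or description mentions a keyword the analyst cares about. The feed content, GUIDs, links and dates are all invented; the only assumption is a feed in standard RSS 2.0 shape.

```python
import xml.etree.ElementTree as ET
from email.utils import parsedate_to_datetime

# Constructed sample feed in RSS 2.0 form. It only imitates the shape of an
# advisory feed such as US-CERT Current Activity; every title, link, GUID and
# date is invented for this example.
SAMPLE_FEED = """<rss version="2.0">
  <channel>
    <title>Example Advisory Feed (constructed)</title>
    <item>
      <title>Vendor releases security advisory for mail gateway</title>
      <link>https://advisories.example.invalid/2013/001</link>
      <guid>adv-2013-001</guid>
      <pubDate>Mon, 07 Jan 2013 14:05:00 +0000</pubDate>
      <description>Updates address a remotely exploitable vulnerability.</description>
    </item>
    <item>
      <title>Malware spreading via social network sites</title>
      <link>https://advisories.example.invalid/2013/002</link>
      <guid>adv-2013-002</guid>
      <pubDate>Tue, 08 Jan 2013 09:30:00 +0000</pubDate>
      <description>Users report links to a fake video player download.</description>
    </item>
    <item>
      <title>Scheduled site maintenance this weekend</title>
      <link>https://advisories.example.invalid/2013/003</link>
      <guid>adv-2013-003</guid>
      <pubDate>Wed, 09 Jan 2013 16:00:00 +0000</pubDate>
      <description>The portal will be briefly unavailable.</description>
    </item>
  </channel>
</rss>"""


def parse_feed(xml_text):
    """Return one dict per <item>, newest first (undated items last)."""
    root = ET.fromstring(xml_text)
    items = []
    for item in root.iter("item"):
        # RSS 2.0 makes <guid> and <pubDate> optional, so fall back sensibly.
        guid = item.findtext("guid") or item.findtext("link")
        raw_date = item.findtext("pubDate")
        published = parsedate_to_datetime(raw_date) if raw_date else None
        items.append({
            "guid": guid,
            "title": (item.findtext("title") or "").strip(),
            "link": item.findtext("link"),
            "description": (item.findtext("description") or "").strip(),
            "published": published,
        })
    items.sort(
        key=lambda i: i["published"].timestamp() if i["published"] else float("-inf"),
        reverse=True,
    )
    return items


def triage_feed(xml_text, seen_guids, keywords):
    """Return (alerts, updated_seen).

    alerts: items not seen on an earlier poll whose title or description
            mentions one of the keywords (case-insensitive), newest first.
    updated_seen: the seen set to persist for the next poll.
    """
    items = parse_feed(xml_text)
    lowered = [k.lower() for k in keywords]
    alerts = []
    for item in items:
        if item["guid"] in seen_guids:
            continue
        text = (item["title"] + " " + item["description"]).lower()
        if any(k in text for k in lowered):
            alerts.append(item)
    updated_seen = set(seen_guids) | {i["guid"] for i in items}
    return alerts, updated_seen


if __name__ == "__main__":
    # First poll: nothing seen yet, so both security-related items are raised.
    alerts, seen = triage_feed(SAMPLE_FEED, set(), ("advisory", "vulnerability", "malware"))
    for a in alerts:
        print(a["published"].date(), a["title"], a["link"])
    # Second poll with the persisted seen set raises nothing new.
    print(triage_feed(SAMPLE_FEED, seen, ("advisory", "malware"))[0])
```

Persisting the returned seen set between runs (a small JSON file is enough) is what turns this into the "regular check for new updates" the text describes; keyword filtering keeps routine items such as maintenance notices out of the analyst's queue.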
1.2.4 Topic 1.1.4 Domains of Network Security
1.2.4.1 Page 1.1.4.1 Network Security Domains
It is vital for a network security professional to understand the drivers for network security, be familiar with the organizations dedicated to network security, and have an understanding of the various network security domains. Domains provide an organized framework to facilitate learning about network security.
There are 12 network security domains specified by the International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC). Described by ISO/IEC 27002, these 12 domains serve to organize, at a high level, the vast realm of information under the umbrella of network security. These domains have some significant parallels with domains defined by the CISSP certification.
Security Policy
A document that addresses the constraints and behaviors of members of an organization and often specifies how data can be accessed and what data is accessible by whom.
Information Security Incident Management
This describes how to anticipate and respond to information security breaches.
Organization of Information Security
This is the governance model set out by an organization for information security.
Information Systems Acquisition, Development and Maintenance
This describes the integration of security into applications.
Communications and Operations Management
This describes the management of technical security controls in systems and networks.
Human Resources Security
This addresses security procedures relating to employees joining, moving within, and leaving an organization.
Asset Management
This is an inventory of and classification scheme for information assets.
Physical and Environmental Security
This describes the protection of the computer facilities within an organization.
Business Continuity Management
This describes the protection, maintenance, and recovery of business-critical processes and systems.
The 12 domains are intended to serve as a common basis for developing organizational security standards and effective security management practices, and to help facilitate communication between organizations.
1.2.4.2 Page 1.1.4.2 Security Policy
The 12 domains of network security provide a convenient separation for the elements of network security. While it is not important to memorize these 12 domains, it is important to be aware of their existence and formal declaration by the ISO. They will serve as a useful reference in your work as a network security professional.
One of the most important domains is the security policy domain. A security policy is a formal statement of the rules by which people who are given access to the technology and information assets of an organization must abide, as shown in the figure. The concept, development, and application of a security policy are critical to keeping an organization secure. It is the responsibility of a network security professional to weave the security policy into all aspects of business operations within an organization.
1.2.5 Topic 1.1.5 Network Security Policies
1.2.5.1 Page 1.1.5.1 Network Security Policy
The network security policy is a broad, end-to-end document designed to be clearly applicable to an organization's operations. The policy is used to aid in network design, convey security principles, and facilitate network deployments.
The network security policy outlines rules for network access, determines how policies are enforced, and describes the basic architecture of the organization's network security environment. Because of its breadth of coverage and impact, it is usually compiled by a committee, as shown in the figure. It is a complex document meant to govern items such as data access, web browsing, password usage, encryption, and email attachments.
When a policy is created, it must be clear what services must be made available to specific users. The network security policy establishes a hierarchy of access permissions, giving employees only the minimal access necessary to perform their work.
The network security policy outlines what assets should be protected and gives guidance on how they should be protected. This will then be used to determine the security devices and mitigation strategies and procedures that should be implemented on the network. One possible guideline that administrators can use when developing the security policy, and when determining various mitigation strategies, is the Cisco SecureX architecture.
1.2.5.2 Page 1.1.5.2 Cisco SecureX Architecture
The Cisco SecureX architecture is designed to provide effective security for any user, using any device, from any location, and at any time. This new security architecture uses a higher-level policy language that takes into account the full context of a situation - who, what, where, when and how. With highly distributed security policy enforcement, security is pushed closer to where the end user is working.
This architecture includes the following five major components:
o Scanning Engines
o Delivery Mechanisms
o Security Intelligence Operations (SIO)
o Policy Management Consoles
o Next-generation Endpoint
Scanning Engines
These are the foundation of security enforcement and can be viewed as the workhorses of policy enforcement. They are the proxies or network-level devices that examine content, identify applications, and authenticate users. A scanning engine can be a firewall/IPS, a proxy, or an interesting fusion of the two. Scanning engines can run multiple layers of anti-malware signatures, behavioral analyses, and content inspection engines.
Delivery Mechanisms
These are the mechanisms by which scanning elements are introduced into the network. This includes the traditional network appliance, a module in a switch or a router, or an image in a Cisco security cloud.
Security Intelligence Operations (SIO)
The "brains" that distinguish good traffic from malicious traffic. The Cisco SIO encompasses multi-terabyte traffic monitoring databases, thousands of servers in multiple data centers, and hundreds of engineers and technicians with a single purpose: identifying and stopping malicious traffic.
Policy Management Consoles
These consoles are separate from the scanners that enforce policy. By separating policy creation and management from enforcement, it is possible to have a single point of policy definition that spans multiple enforcement points such as email, instant messaging, and the Web.
Next-generation Endpoint
This is the critical piece that ties everything together. The next-generation endpoint can be any of a multitude of devices. Regardless of the endpoint type, all connections coming on or off of it must be routed by the device through one of the network-based scanning elements previously described.
1.2.5.3 Page 1.1.5.3 Cisco SecureX Product Categories
Increased user mobility, the influx of consumer devices, and movement of information to non-traditional locations has created complexities for securing the IT infrastructure. Deploying piecemeal security solutions can lead to duplicated efforts and inconsistent access policies, and requires increased integration and staffing to support. Cisco SecureX products work together to provide effective security for any user, using any device, from any location, at any time. This is one of the primary reasons for relying on the Cisco SecureX architecture to help shape the security policy.
Five major product categories of the SecureX architecture:
Secure Edge and Branch
o Cisco ASA 5500 Series Adaptive Security Appliance - Combines firewall, VPN, optional content security, and intrusion prevention
o Cisco Intrusion Prevention System - Identifies and stops malicious traffic, worms, viruses, and application abuse
o Integrated Security on the ISR G2 - Delivers firewall, intrusion prevention, VPN, and content filtering
Secure Email and Web
o Cisco IronPort Email Security Appliance - Fights spam, viruses, and blended threats for organizations of all sizes
o Cisco IronPort Web Security Appliance - Integrates web-usage controls, data security, reputation and malware filtering
o Cisco ScanSafe Cloud Web Security - Analyzes web requests for malicious, inappropriate, or acceptable content
Secure Access
Products: Cisco Identity Services Engine; Network Admission Control Appliance; Cisco Secure Access Control System
Capabilities listed for this category:
o Applies policy-based access control
o Enforces network security policies by allowing access only to trusted devices
o Controls network access based on dynamic conditions and attributes
o Provides an intelligent, smooth, and reliable connectivity experience
Secure Data Center
o Cisco ASA 5585-X Adaptive Security Appliance - Combines a proven firewall,
o Cisco Catalyst 6500 ASA Services Module
o Cisco Virtual Security Gateway
1.2.5.4 Page 1.1.5.4 Network Security Policy Objectives
A network security policy drives all requirements for securing network resources, not just equipment requirements and procedures.
A security policy is a set of objectives for the company, rules of behavior for users and administrators, and requirements for system and management that collectively ensure the security of network and computer systems in an organization. A security policy is a "living document", meaning that the document is never finished and is continuously updated as technology, business, and employee requirements change.
For example, an organization's employee laptops will be subject to various types of attacks, such as email viruses. A network security policy explicitly defines how frequently virus software updates and virus definition updates must be installed. Additionally, the network security policy includes guidelines for what users can and cannot do. This is normally stipulated as a formal acceptable use policy (AUP). The AUP must be as explicit as possible to avoid ambiguity or misunderstanding. An AUP might, for example, list the Usenet newsgroups that are prohibited.
While the security policy should be comprehensive, it should also be succinct enough to be usable by the technology practitioners in the organization. The security policy should protect the assets of your organization by answering several security questions, as shown in the figure.
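A policy statement such as "virus definitions must be updated daily and patches applied within 30 days" is only useful if someone checks it. The following added example (not from the course or from Cisco) shows how such a requirement can be turned into an automated compliance check: the policy limits and the laptop inventory are constructed for this example, each host's last-reported update dates are compared against the limits, and hosts that never reported an update are treated as non-compliant rather than silently skipped.

```python
from datetime import date

# Requirements as a network security policy might state them. The intervals
# are constructed for this example, not taken from any real policy.
POLICY = {
    "virus_definitions_max_age_days": 1,
    "os_patches_max_age_days": 30,
}

# Constructed endpoint inventory: the date each laptop last reported a
# definition update and a patch run (None = never reported).
INVENTORY = [
    {"host": "laptop-01", "definitions_updated": "2013-01-09", "patches_applied": "2012-12-20"},
    {"host": "laptop-02", "definitions_updated": "2013-01-04", "patches_applied": "2013-01-02"},
    {"host": "laptop-03", "definitions_updated": "2013-01-10", "patches_applied": "2012-11-01"},
    {"host": "laptop-04", "definitions_updated": None,         "patches_applied": "2013-01-05"},
]

# The day the report is generated (fixed so the example is reproducible).
AS_OF = date(2013, 1, 10)


def age_in_days(iso_date, today):
    """Days since iso_date, or None when no date was ever recorded."""
    if iso_date is None:
        return None
    return (today - date.fromisoformat(iso_date)).days


def evaluate_host(record, policy, today):
    """Return the list of policy violations for one host (empty = compliant)."""
    violations = []
    checks = [
        ("virus definitions", "definitions_updated", policy["virus_definitions_max_age_days"]),
        ("OS patches", "patches_applied", policy["os_patches_max_age_days"]),
    ]
    for label, field, limit in checks:
        age = age_in_days(record[field], today)
        if age is None:
            # A missing record is a finding, not a pass: the host may never
            # have checked in with the update server.
            violations.append(f"{label}: no update ever recorded (limit {limit} days)")
        elif age > limit:
            violations.append(f"{label}: {age} days old (limit {limit} days)")
    return violations


def compliance_report(inventory, policy, today):
    """Map each non-compliant host to its list of violations."""
    report = {}
    for record in inventory:
        violations = evaluate_host(record, policy, today)
        if violations:
            report[record["host"]] = violations
    return report


if __name__ == "__main__":
    for host, problems in compliance_report(INVENTORY, POLICY, AS_OF).items():
        for problem in problems:
            print(f"{host}: {problem}")
```

In practice the inventory rows come from the endpoint management or antivirus console rather than a literal list, and the policy limits are read from one place so the check and the written policy cannot drift apart.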
1.3 Section 1.2 Viruses, Worms, and Trojan horses
1.3.1 Topic 1.2.1 Viruses
1.3.1.1 Page 1.2.1.1 Primary Vulnerabilities for End User Devices
The primary threats for end devices are viruses, worms, and Trojan horses:
o A virus is malicious software that executes a specific unwanted, often harmful, function on a computer.
o A worm executes arbitrary code and installs copies of itself in the memory of the infected computer. The main purpose of a worm is to automatically replicate itself and spread across the network from system to system.
o A Trojan horse is a non-self-replicating type of malware, often containing malicious code, designed to look like something else, such as a legitimate application or file. When an infected application or file is downloaded and opened, the Trojan horse can attack the end device from within.
1.3.1.2 Page 1.2.1.2 Comparison of a Human Virus and a Computer Virus
Traditionally, the term virus refers to an infectious organism that requires a host cell to grow and replicate. A University of Southern California student named Frederick Cohen suggested the term "computer virus" in 1983. A computer virus, referred to as a virus in the rest of this course, is a program that can copy itself and infect a computer without the knowledge of the user.
The left side of the figure shows microscopic images of human viruses. The right side of the figure illustrates the similarities between a human virus and a computer virus.
A virus is malicious code that is attached to legitimate programs or executable files. Most viruses require end user activation and can lie dormant for an extended period and then activate at a specific time or date. A simple virus may install itself at the first line of code on an executable file. When activated, the virus might check the disk for other executables, so that it can infect all the files it has not yet infected. Viruses can be harmless, such as those that display a picture on the screen, or they can be destructive, such as those that modify or delete files on the hard drive. Viruses can also be programmed to mutate to avoid detection.
In the past, viruses were usually spread via floppy disks and computer modems. Today, most viruses are spread by USB memory sticks, CDs, DVDs, network shares, or email. Email viruses are now the most common type of virus.
1.3.2 Topic 1.2.2 Worms
1.3.2.1 Page 1.2.2.1 Worms
Worms are a particularly dangerous type of hostile code. They replicate themselves by independently exploiting vulnerabilities in networks. Worms usually slow down networks.
Whereas a virus requires a host program to run, worms can run by themselves. They do not require user participation and can spread very quickly over the network.
Worms are responsible for some of the most devastating attacks on the Internet. For example, the SQL Slammer Worm of January 2003 slowed global Internet traffic as a result of denial of service. Over 250,000 hosts were affected within 30 minutes of its release. The worm exploited a buffer overflow bug in Microsoft's SQL Server. A patch for this vulnerability was released in mid-2002, so the servers that were affected were those that did not have the update patch applied. This is a great example of why it is so important for the security policy of an organization to require timely updates and patches for operating systems and applications.
Examples of other worms that have created problems across the Internet include:
o 1999 - Melissa Worm (a mass-mailing macro-virus)
o July 2001 - Code Red Worm (See Figure)
o January 2003 - SQL Slammer Worm
o August 2003 - Blaster Worm
o August 2003 - Nachi Worm
o November 2003 - Conficker Worm
o January 2006 - Nyxem Worm
o January 2007 - Storm Worm
o September 2012 - NGRBot
1.3.2.2 Page 1.2.2.2 Worm Components
Despite the mitigation techniques that have emerged over the years, worms have continued to evolve with the Internet and still pose a threat. While worms have become more sophisticated over time, they still tend to be based on exploiting weaknesses in software applications. Most worm attacks have three major components:
Enabling vulnerability - A worm installs itself using an exploit mechanism, such as an email attachment, an executable file, or a Trojan horse, on a vulnerable system.
Propagation mechanism - After gaining access to a device, the worm replicates itself and locates new