Thursday, September 19, 2013

Security+ Topic - DoS

Protocols are the lifeblood of the internet: they carry the traffic from host A to host B. There are many of them and each has a specific job to do. There are far too many protocols to cover in one blog post, but for the sake of covering at least a few, the most common ones you will deal with are TCP, UDP, ICMP, RIP and OSPF. Each of these can be turned into an attack tool by using its features in ways they were never designed for, such as sending packets that are malformed, oversized or carry a spoofed source address.


One of the most visible types of attack is the Denial of Service (DoS) attack. Its main goal is to deprive users of access to a resource: services are interrupted and productivity is lost. Destroying data is usually not the objective. It is more of a disruption of the network under attack than a breach of it.


Why should you care about DoS when you aren't that big of a company?


It comes back to how much money is lost while your company is cut off from the internet. One big issue is VoIP. Does your VoIP trunk use the same uplink to the world as your data network? If it does, a flood that saturates that link takes your phones down along with your site, and you will hear customer complaints as soon as they are unable to reach anyone. The secondary effect of your site being down is your reputation with your customers. If they cannot reach your site when they want to, they may conclude that you went out of business or are not stable enough to be a business partner.


These attacks aren't always based solely on consuming bandwidth; they can also aim at clogging your web server or mail server. A web server can only handle a certain amount of traffic, and once that limit is reached legitimate requests are ignored while the server spends its time accepting junk and discarding it. A mail server's queue can fill up with massive amounts of junk email until other mail servers are unable to connect and deliver legitimate messages. If you have a 24-hour fix-or-free policy, all an attacker has to do is keep it up for a day or so to cause your business financial harm, and attacks like this can persist for days at a time.


I will cover DDoS in another post (didn't want to leave you hanging), which lets me go into a little more depth on a regular Denial of Service here. Three of the main types of DoS are the SYN flood, the smurf attack and the ping of death. The ping of death isn't common anymore; the basic idea is a fragmented ICMP echo request that reassembles to more than the 65,535-byte maximum an IP datagram is allowed to have, which crashed older IP stacks that did not check the size before reassembling it. The smurf attack sends ICMP echo requests to a network's broadcast address with the victim's address spoofed as the source, so every host on that segment replies to the victim at once; disabling directed broadcast on your routers is the standard fix.


The other two attacks are more of a concern. A SYN flood simply floods your server with half-open connections: the attacker sends TCP SYN packets, usually from spoofed source addresses, and never completes the handshake. Your server holds state for each of these, its connection table fills up, and it starts to ignore legitimate traffic. Eventually the half-open entries time out, but the attack usually continues for so long that as soon as a slot becomes available it is filled by another SYN. SYN cookies and shorter half-open timeouts are the usual mitigations on the server side.
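The three attack signatures above (SYN flood, smurf, ping of death) are what you would look for in a packet capture or IDS feed. The following is an added example I wrote for this post, not code from the original, that replays a constructed packet stream and flags each one: it tracks TCP handshakes per connection to count half-open connections per source, spots ICMP echo requests aimed at a broadcast address, and spots echo requests larger than an IP datagram may be. The Packet class, the sample traffic and the threshold of 50 half-open connections are all assumptions for illustration.

```python
from collections import Counter
from dataclasses import dataclass
import ipaddress

# Maximum size of an IPv4 datagram; an echo request that reassembles to more
# than this is the classic "ping of death".
IP_MAX_LEN = 65535


@dataclass(frozen=True)
class Packet:
    """Minimal packet summary, the sort of thing a sniffer or IDS hands you (assumed shape)."""
    src: str
    dst: str
    proto: str           # "tcp" or "icmp"
    sport: int = 0
    dport: int = 0
    flags: str = ""      # TCP flags as letters, e.g. "S", "SA", "A"
    icmp_type: int = -1  # 8 = echo request
    length: int = 0      # reassembled datagram length in bytes


def half_open_connections(packets):
    """Replay the stream and count, per source address, the TCP connections
    that saw a SYN but never the client's completing ACK."""
    state = {}  # (src, sport, dst, dport) -> "half-open" | "open"
    for p in packets:
        if p.proto != "tcp":
            continue
        key = (p.src, p.sport, p.dst, p.dport)
        if p.flags == "S":
            state[key] = "half-open"
        elif p.flags == "A" and state.get(key) == "half-open":
            state[key] = "open"  # third packet of the handshake arrived
    return Counter(src for (src, _, _, _), s in state.items() if s == "half-open")


def syn_flood_sources(packets, threshold=50):
    """Sources holding at least `threshold` half-open connections at once."""
    return {src: n for src, n in half_open_connections(packets).items() if n >= threshold}


def smurf_candidates(packets, networks):
    """ICMP echo requests aimed at a broadcast address. In a smurf attack the
    source is spoofed to the victim, so every host on the segment replies to it."""
    bcast = {str(ipaddress.ip_network(n).broadcast_address) for n in networks}
    return [p for p in packets if p.proto == "icmp" and p.icmp_type == 8 and p.dst in bcast]


def oversized_pings(packets):
    """Echo requests whose reassembled size exceeds what IP allows."""
    return [p for p in packets if p.proto == "icmp" and p.icmp_type == 8 and p.length > IP_MAX_LEN]


# --- constructed sample traffic (not a real capture) ---------------------------
SERVER = "192.168.1.10"
SAMPLE = []
# A flood: 60 SYNs from one (spoofed) source on fresh ephemeral ports; no ACK ever follows.
for sport in range(40000, 40060):
    SAMPLE.append(Packet("10.0.0.5", SERVER, "tcp", sport, 80, "S"))
# A legitimate client completing its three-way handshake.
SAMPLE += [
    Packet("10.0.0.9", SERVER, "tcp", 51000, 80, "S"),
    Packet(SERVER, "10.0.0.9", "tcp", 80, 51000, "SA"),
    Packet("10.0.0.9", SERVER, "tcp", 51000, 80, "A"),
]
# Smurf: echo request to the segment's broadcast address, source spoofed to the victim.
SAMPLE.append(Packet("203.0.113.7", "192.168.1.255", "icmp", icmp_type=8, length=84))
# Ping of death: a reassembled echo request larger than IP allows.
SAMPLE.append(Packet("198.51.100.4", SERVER, "icmp", icmp_type=8, length=65600))

if __name__ == "__main__":
    print("SYN flood sources:", syn_flood_sources(SAMPLE))
    print("smurf candidates:", len(smurf_candidates(SAMPLE, ["192.168.1.0/24"])))
    print("oversized pings:", len(oversized_pings(SAMPLE)))
```

The legitimate client's ACK moves its connection to "open", so only the spoofed source shows up in the SYN flood result. In a real deployment the per-source count is only a rough indicator, since a flood from many spoofed sources spreads the half-open entries across addresses; the total half-open count against one destination port is the better alarm in that case.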


Generally speaking, you need to be aware of these issues so that when you see problems on your network you know what you are looking at. Keep a keen eye on your log files and watch for abnormal traffic. Heck, even invest in an IDS :)

-- Joe McShinsky

Tuesday, July 23, 2013

Security+ Topic - AAA

AAA, no, not an Alcoholics Anonymous after-party! We are talking about Authentication, Authorization and Accounting. These three are the key components of how users and services are able to work with each other securely.


Authentication is the process by which a server verifies that a user or system service is who it claims to be before processing further requests, whether those are for protected information or for services that need elevated privileges to run. As of this writing there isn't anything as drastic as a blood sample to determine who you are, but there are some cool technologies such as retina scanning that can identify a person with high accuracy. Even so, the most basic way to authenticate is still a simple username and password.


Authorization is the level of access an authenticated user is given: which files, system processes or other resources that identity may use, and what it may do with them. Authentication says who you are; authorization says what you are allowed to do.


Accounting is the process by which log records are created as events occur. Depending on the configured detail level, the logs could contain simple timestamps of logins and logouts or the more detailed actions that were taken. This is what lets you audit afterwards who did what, and when.


When it comes to the security of your credentials there are some basic rules to cover. They may seem redundant, but in my history as a Network Administrator it astounds me that some people still don't see the importance of a complex password.
  • Never write it down!
  • Use a different password for every system/website; never reuse one
  • Minimum 8 characters long
  • Use at least one of each: uppercase, lowercase, number, special character
  • Change passwords ideally every 60 days, minimum twice a year (later guidance such as NIST SP 800-63B drops forced periodic rotation in favour of changing a password when there is evidence it has been exposed)


The main issue I run into when people set passwords is that they cannot remember them very easily. The complexity requirements are so high that even after they type it in, they forget it almost right away. To help with this, take a phrase or song you like and base the password on it: “Mary had a little lamb, her fleece was white as snow” = mh@L1h5WW@$. It sure looks complicated, but try singing the song as you look at the characters and it becomes quite simple. Notice also that it meets all the requirements listed above. Passwords like this are what keep guessing and brute-force attempts at bay: the attacker gains nothing from the mnemonic, and 11 characters drawn from the full printable set are far outside any dictionary.


One thing to mention here is substitution. In the password above I used some common substitutions such as @ for a and $ for s. That is fine to a certain extent, but you wouldn't want to apply substitutions to something obvious. Take my last name, McShinsky. M3$h1n$kY would be a poor choice: cracking tools apply exactly these letter-for-symbol rules to every word in their wordlist, so an attacker guessing my password only needs a few thousand tries to cover every substitution of my name, even though the result satisfies every complexity rule above.
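To make the two previous paragraphs concrete, here is an added example (mine, not the original post's) that checks a password against the complexity rules listed above and then expands a base word the way a rule-based cracker does, trying case changes and lookalike substitutions at every position. It shows that M3$h1n$kY passes the policy yet sits inside a candidate set of only 8,192 strings derived from "McShinsky", while the phrase-based password is not derived from that word at all. The substitution table is an assumed one ("3" for "c" is included only because the post's example uses it); real rule sets are larger, which makes the point stronger, not weaker.

```python
import itertools
import string

# Letter-to-lookalike table a rule-based cracker tries (assumed list; "3" for "c"
# is included only because the post's example password uses it).
LEET = {
    "a": "@4", "c": "3(", "e": "3", "i": "1!", "l": "1", "o": "0", "s": "$5", "t": "7",
}


def meets_policy(pw, min_len=8):
    """The complexity rules listed in the post: length plus one of each class."""
    return (len(pw) >= min_len
            and any(c.isupper() for c in pw)
            and any(c.islower() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(c in string.punctuation for c in pw))


def substitution_variants(word):
    """Every combination of case and lookalike substitution of `word`: the
    candidate set a cracker's rules expand a single wordlist entry into."""
    choices = []
    for ch in word.lower():
        alts = {ch} | set(LEET.get(ch, ""))
        if ch.isalpha():
            alts.add(ch.upper())
        choices.append(sorted(alts))
    for combo in itertools.product(*choices):
        yield "".join(combo)


def guesses_to_reach(candidate, base_word):
    """How many candidates are tried before `candidate` is hit, or None if the
    rules never produce it from `base_word`."""
    for n, variant in enumerate(substitution_variants(base_word), start=1):
        if variant == candidate:
            return n
    return None


def brute_force_space(pw, alphabet_size=95):
    """Keyspace a blind attacker faces: printable ASCII to the password's length."""
    return alphabet_size ** len(pw)


if __name__ == "__main__":
    for pw in ["mh@L1h5WW@$", "M3$h1n$kY"]:
        print(pw, "meets policy:", meets_policy(pw))
    total = sum(1 for _ in substitution_variants("McShinsky"))
    print("variants of McShinsky:", total,
          "- hit after", guesses_to_reach("M3$h1n$kY", "McShinsky"), "guesses")
    print("blind keyspace for M3$h1n$kY:", brute_force_space("M3$h1n$kY"))
```

The lesson is that a complexity checker cannot tell a strong password from a weak one with the same character mix; what matters is whether the password can be reached from something the attacker already has (a name, a dictionary word) in a small number of rule expansions.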


Lastly I would like to comment on password managers. Are they right for you? In many cases they are. With one you never need to know the passwords to the websites you visit: the manager generates a very long random password for each site and fills it in the next time you go there. No two sites share a password, so even if one site is compromised, the stolen password cannot be used to log into any other site you use. The trade-off is that the master password and the manager itself become the one thing you must protect.

-- Joe McShinsky

Saturday, June 22, 2013

Security+ Topic - Hashes

A good hash function is like a math problem that only runs in one direction: easy to compute, but with no way to work backwards from the answer to the input. The algorithms keep getting stronger because the computing power available to crack weak hashes keeps growing. In its simplest form, a hash is a fixed-length fingerprint of a piece of information, used so that the actual password never has to be stored, or to verify that a document has not been changed. It is far more than taking one character of a password or document and replacing it with another. The math is such that changing even one letter of a Word document changes the entire hash unpredictably. Ideally no two different inputs should ever produce the same hash. In the real world, though, the common MD5 has had such duplicates (collisions) discovered.


So why does the hashing algorithm really matter?


When it comes to the security of your systems, you want a strong password policy and you want to keep your data out of the wrong hands, and this is why the hashing algorithm matters. If an exploit hits your systems and an attacker gets a copy of your password hashes, you do not want them protected by a weak algorithm. Imagine how easily someone would know every password if the "hash" simply replaced every A with a B and every B with a C. A one-way password hash has to make recovering the passwords take an unreasonably long time even if the attacker tries every possible candidate. For stored passwords that also means salting each hash and using a deliberately slow algorithm (PBKDF2, bcrypt or scrypt) rather than a single fast MD5 or SHA pass, which a modern GPU can try billions of times per second.


There is more than passwords to protect with a hashing algorithm. There is also data verification, message transmission on a network, and even the signing of documents. Imagine you download a file and when you run it, your anti-virus pops up saying the file is malicious and has removed it for you. You know you downloaded it from a legitimate site and are really confused. One thing you can do is check the hash posted on the site against a hash you compute over the file you downloaded. If they match, the detection may be a false positive; if they do not match, you may be the victim of a website compromise or a man-in-the-middle attack. One caveat: an attacker who compromised the site could have replaced the posted hash along with the file, so a hash taken from the same page only catches corruption or tampering in transit. A digital signature, or a hash obtained over a separate trusted channel, is needed to go further. That hash suddenly sounds important, doesn't it?
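Both uses from the last two paragraphs, password storage and download verification, come down to a few hashlib calls. The block below is an added example I wrote for this post, not the original's code: it shows the avalanche effect on two documents that differ by one character, a download check against a published digest, and a salted, slow password hash (PBKDF2-HMAC-SHA256) with its verification. The sample documents and the 200,000-round setting are assumptions; the SHA-256 value for "abc" is the standard published test vector.

```python
import hashlib
import hmac
import os

# Standard published SHA-256 test vector for the input "abc".
SHA256_ABC = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"
ROUNDS = 200_000  # assumed PBKDF2 iteration count; tune to ~100 ms on your hardware


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def bit_difference(hex_a: str, hex_b: str) -> int:
    """Number of bits in which two same-length digests differ (avalanche check)."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")


def verify_download(data: bytes, published_hex: str) -> bool:
    """Compare the digest of the bytes you received with the one the site publishes."""
    return hmac.compare_digest(sha256_hex(data), published_hex.lower())


def hash_password(password: str, salt: bytes = None, rounds: int = ROUNDS):
    """Salted, deliberately slow password hash. Returns (salt, derived_key);
    store both, never the password. A fresh random salt per password means two
    users with the same password get different hashes."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return salt, dk


def check_password(password: str, salt: bytes, stored_dk: bytes, rounds: int = ROUNDS) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    _, dk = hash_password(password, salt, rounds)
    return hmac.compare_digest(dk, stored_dk)


# --- constructed sample data -------------------------------------------------
DOC_A = b"Payment of 1000 USD to account 12345"
DOC_B = b"Payment of 1000 USD to account 12346"  # one character changed

if __name__ == "__main__":
    print("A:", sha256_hex(DOC_A))
    print("B:", sha256_hex(DOC_B))
    print("bits changed:", bit_difference(sha256_hex(DOC_A), sha256_hex(DOC_B)), "of 256")
    print("download ok:", verify_download(DOC_A, sha256_hex(DOC_A)))
    salt, dk = hash_password("mh@L1h5WW@$")
    print("login ok:", check_password("mh@L1h5WW@$", salt, dk))
    print("wrong password:", check_password("M3$h1n$kY", salt, dk))
```

Roughly half of the 256 bits change between the two digests, which is why a hash of a tampered file never "almost" matches. The password routine is the part people get wrong: a plain sha256 of the password with no salt and no work factor is what rainbow tables and GPU crackers are built for.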


Document signing is the part that confuses most people. When securing data there needs to be a way for the receiver to verify that the file they got really came from the person they expect it from. This is where digital signatures come into play. The sender computes a digest of the file and encrypts that digest with their private key; the encrypted digest is the signature. The recipient computes their own digest of the file, decrypts the signature with the sender's public key, and checks that the two digests match. A match proves both that the file is unchanged and that it was signed by the holder of the private key. The encryption here is asymmetric, which is what ties the signature to one sender.


When picking a hashing algorithm, choose the strongest one the systems you are using support. As of this writing MD5 should be phased out unless a limitation requires it, and SHA-1 should not be chosen for new designs either: NIST had already deprecated it for new digital signatures, and practical collisions have since been demonstrated. Use the SHA-2 family (SHA-256 or stronger) where possible.


-- Joe McShinsky

Saturday, February 9, 2013

Security+ Topic - Workstations

Did you try turning it off and back on again? I bet you have said that more than once, no matter your line of work. Every node on your network needs to be protected by security measures, and today we are looking at workstations. Younger system and network admins may look at the workstation as the end user's little home and not want to mess with it, but I tell you now: lock them down! More network and system issues come from those pesky things than from anywhere else. Users on your network can be either very tricky or very careless, and either way they somehow manage to bring unwanted software onto your network. You should own and protect those pesky workstations just as much as you do your beloved company servers.


The main goal here is operating system hardening. Whether you realize it or not, there will always be small holes in a system from the start, and even after you think you have it locked down as tight as possible. Well, ok, disconnecting it from the network and removing every way to add or remove media would help, but then nobody could work on it. The baseline is that every system can be compromised and it is up to you to mitigate that threat. Here I will cover some of the main ways to deal with these little problem children.


Software, software, software. I don't know how many times I have gotten a request from a user to install some software on their computer just for fun. They say it's safe and that they just want it to play music, or for something to do while they wait on someone else. Bottom line: you need a software policy signed off by your management. Having a document in place that says exactly what can be on someone's computer, with case-by-case additions listed, makes your job so much easier. When John Doe comes in asking about software, you show them the list of approved software and that it was signed off by management, and they have no other avenue of complaint.


Services. Some services are helpful and some are not so helpful. Why would an end user need to run a web server on their workstation? If they are a web designer, ok, I get it, but otherwise you are opening yourself up to exploitation. Problems are found every day in older web servers, and if these sit on your network unchecked they are a standing problem. We are all good at keeping our servers up to date, but some software on workstations slips through the cracks and never gets updated. Disable or uninstall every service a workstation does not need, and put whatever remains under the same patch schedule as the servers.


It comes down to the obvious. When you look at your network, scan each segment and look for things that are out of the ordinary. Build a baseline of what a workstation should look like (which ports are listening, which services are running) and compare each scan against it to find machines that deviate from normal. If a deviation is legitimately needed, add it to an exception list; if not, act right away on anything that looks odd. You never know: your network could already be transmitting confidential information to the competition.
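Here is an added example of the scan-versus-baseline comparison described above; it is my illustration for this post, not code from the original. It parses scan results in the style of nmap's grepable output (the lines below are constructed, not a real scan) and reports, per host, any open port outside the baseline that is not covered by that host's exception list, plus any baseline port that is missing. The baseline ports and the exception for the web designer's machine are assumptions.

```python
import re

# Constructed scan output in the style of nmap's grepable (-oG) format; not a real scan.
SCAN_OUTPUT = (
    "# Nmap 6.40 scan initiated (constructed sample)\n"
    "Host: 192.168.1.21 (ws-021)\tPorts: 135/open/tcp//msrpc///, 445/open/tcp//microsoft-ds///\tIgnored State: closed (998)\n"
    "Host: 192.168.1.22 (ws-022)\tPorts: 135/open/tcp//msrpc///, 445/open/tcp//microsoft-ds///, 80/open/tcp//http///\tIgnored State: closed (997)\n"
    "Host: 192.168.1.23 (ws-023)\tPorts: 135/open/tcp//msrpc///, 445/open/tcp//microsoft-ds///, 8080/open/tcp//http-proxy///\tIgnored State: closed (997)\n"
    "Host: 192.168.1.24 (ws-024)\tStatus: Down\n"
)

# What a standard workstation build is expected to expose (assumed baseline).
BASELINE = {("tcp", 135), ("tcp", 445)}
# Approved deviations per host: ws-022 is the web designer's machine.
EXCEPTIONS = {"192.168.1.22": {("tcp", 80)}}

# port/state/proto//service/ as it appears in the Ports: field
PORT_RE = re.compile(r"(\d+)/(open)/(tcp|udp)//([^/]*)/")


def parse_grepable(text):
    """Map each host that reported open ports to a set of (proto, port, service)."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        ip = fields["Host"].split()[0]
        if "Ports" not in fields:       # host down or nothing open
            continue
        hosts[ip] = {(proto, int(port), svc)
                     for port, _state, proto, svc in PORT_RE.findall(fields["Ports"])}
    return hosts


def deviations(hosts, baseline=BASELINE, exceptions=EXCEPTIONS):
    """Per host: open ports not in baseline or that host's exceptions, and baseline ports absent."""
    report = {}
    for ip, ports in hosts.items():
        allowed = baseline | exceptions.get(ip, set())
        open_pairs = {(proto, port) for proto, port, _svc in ports}
        unexpected = sorted(p for p in ports if (p[0], p[1]) not in allowed)
        missing = sorted(baseline - open_pairs)
        if unexpected or missing:
            report[ip] = {"unexpected": unexpected, "missing": missing}
    return report


if __name__ == "__main__":
    for ip, dev in deviations(parse_grepable(SCAN_OUTPUT)).items():
        print(ip, dev)
```

Only ws-023 is reported: its port 8080 is outside the baseline and it has no exception. Run the real scan with nmap -oG against each segment and feed the output file to parse_grepable; the "missing" list is just as useful as "unexpected", since a workstation that stopped exposing a baseline service may have been reimaged or replaced with something that is not yours.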

-- Joe McShinsky