GATHERING INFORMATION ABOUT THE ORGANIZATION
WHAT IS A NON-INTRUSIVE ATTACK?
Non-intrusive attack:
The intent to gain information about an organization’s network in preparation for a more intrusive attack at a later time.
Examples of non-intrusive attacks include:
Information reconnaissance
Port scanning
Obtaining host information using fingerprinting techniques
Network and host discovery
INFORMATION RECONNAISSANCE TECHNIQUES
Common types of information sought by attackers include:
System configuration
Valid user accounts
Contact information
Extranet and remote access servers
Business partners and recent acquisitions or mergers
Information about your network may be obtained by:
Querying registrar information
Determining IP address assignments
Organization Web pages
Search engines
Public discussion forums
COUNTERMEASURES AGAINST INFORMATION RECONNAISSANCE
Countermeasures against information reconnaissance include:
Only provide information that is absolutely required to your Internet registrar
Review your organization’s Web site content regularly for inappropriate information
Use e-mail addresses based on job roles, not individuals’ names, on your company Web site and in registrar records
Create a policy defining appropriate public discussion forums usage
WHAT INFORMATION CAN BE OBTAINED BY PORT SCANNING?
Typical results of a port scan include:
Discovery of ports that are listening or open
Determination of which ports refuse connections
Determination of connections that time out
Port scanning tips include:
Start by scanning slowly, a few ports at a time
To avoid detection, try the same port across several hosts
Run scans from a number of different systems, optimally from different networks
PORT-SCANNING COUNTERMEASURES
Port scanning countermeasures include:
Implement defense-in-depth to use multiple layers of filtering
Plan for misconfigurations or failures of any single layer
Implement an intrusion-detection system
Run only the required services
Expose services through a reverse proxy
WHAT INFORMATION CAN BE COLLECTED ABOUT NETWORK HOSTS?
Types of information that can be collected using fingerprinting techniques include:
IP and ICMP implementation
TCP responses
Listening ports
Banners
Service behaviour
Remote operating system queries
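The two slides above (port-scan results and host fingerprinting) in working code, as an added example that is not part of the original material. It runs a TCP connect scan against a fake service started on 127.0.0.1 so it works offline; the service name in the banner, the state names and the helper functions are this example's own choices, and a real engagement would point `scan_port` at the target host instead.

```python
import socket
import threading
import time

# Constructed banner for the local fake service; not a real product string.
FAKE_BANNER = b"SSH-2.0-ExampleServer_1.0\r\n"


def start_fake_service(banner=FAKE_BANNER):
    """Start a throwaway TCP listener on 127.0.0.1 that greets every client with `banner`.
    Returns (port, stop_function). Exists only so the scan has an open port to find."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]
    stop = threading.Event()

    def serve():
        srv.settimeout(0.2)
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            with conn:
                conn.sendall(banner)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port, stop.set


def free_closed_port():
    """Find a port that is currently closed by binding it and releasing it again."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def scan_port(host, port, timeout=1.0, grab_banner=True):
    """TCP connect scan of one port. Returns (state, banner):
      open     - three-way handshake completed (a listening service)
      closed   - the host answered with RST (connection refused)
      filtered - nothing came back before the timeout (dropped by a filter)
    For open ports the first bytes the service volunteers are kept as its banner."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
    except ConnectionRefusedError:
        return "closed", None
    except socket.timeout:
        return "filtered", None
    except OSError:
        # host unreachable and similar: report as filtered, nothing answered
        return "filtered", None
    banner = None
    if grab_banner:
        try:
            banner = s.recv(256).decode("ascii", "replace").strip() or None
        except socket.timeout:
            banner = None  # service waits for the client to talk first
    s.close()
    return "open", banner


def scan_ports(host, ports, delay=0.5, timeout=1.0):
    """Scan slowly, a few ports at a time, as the tips above suggest. Returns {port: (state, banner)}."""
    results = {}
    for port in ports:
        results[port] = scan_port(host, port, timeout)
        time.sleep(delay)
    return results


if __name__ == "__main__":
    port, stop = start_fake_service()
    print(scan_ports("127.0.0.1", [port, free_closed_port()], delay=0.1))
    stop()
```

The banner is what the fingerprinting slide calls "banners" and "service behaviour": the same connect that tells the scanner the port is open usually also tells it which software answers, which is why the countermeasures that follow include changing banners.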
COUNTERMEASURES TO PROTECT NETWORK HOST INFORMATION
Countermeasures
Be conservative with the packets that you allow to reach your system
Use a firewall or inline IDS device to normalize traffic
Assume that your attacker knows what version of operating system and application is running, and make sure it is secure
Change the banners that give operating system information
Disable unnecessary services
Filter traffic so that only the required ports on the host are reachable
Implement IPsec on all systems in the managed network
WHAT IS PENETRATION TESTING FOR INTRUSIVE ATTACKS?
Intrusive attack:
Performing specific tasks that result in a compromise of system information, stability, or availability
Examples of penetration testing for intrusive attack methods include:
Automated vulnerability scanning
Password attacks
Denial-of-service attacks
Application and database attacks
Network sniffing
WHAT IS AUTOMATED VULNERABILITY SCANNING?
Automated vulnerability scanning makes use of scanning tools to automate the following tasks:
Banner grabbing and fingerprinting
Exploiting the vulnerability
Inference testing
Security update detection
WHAT IS A PASSWORD ATTACK?
Two primary types of password attacks are:
Brute-force attacks
Password-disclosure attacks
Countermeasures to protect against password attacks include:
Require complex passwords
Educate users
Implement smart cards
Create policy that restricts passwords in batch files, scripts, or Web pages
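Both password-attack types above and three of the countermeasures, as an added example that is not from the original material: a dictionary attack with simple mangling rules run offline against a stored hash, a complexity-policy check, and a scan for passwords disclosed in scripts. The wordlist, the batch-file text, the mangling rules and the policy thresholds are all constructed for this example.

```python
import hashlib
import hmac
import os
import re

# Constructed inputs for the example; none of this is data from the page.
WORDLIST = ["admin", "password", "welcome", "summer"]
SCRIPT = """\
@echo off
set PASSWORD=Summer2024!
net use Z: \\\\fileserver\\share
REM todo: remove hardcoded creds
db_pwd: "hunter2"
"""
SECRET_RE = re.compile(r"(?i)(password|passwd|pwd)\s*[=:]\s*[\"']?([^\s\"']+)")
MANGLE_RULES = (
    lambda w: w, lambda w: w.capitalize(), lambda w: w + "1",
    lambda w: w + "123", lambda w: w.capitalize() + "1", lambda w: w + "!",
)


def make_record(password, iterations=100_000):
    """Store a password defensibly: random salt plus a slow KDF (PBKDF2-HMAC-SHA256).
    The iteration count is the price the attacker pays for every guess."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "hash": digest}


def verify(record, candidate):
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["hash"])


def dictionary_attack(record, wordlist=WORDLIST):
    """Brute-force attack: every word plus common mangling rules, tried offline against the
    stored record. Returns (recovered password or None, number of guesses made)."""
    guesses = 0
    for word in wordlist:
        for rule in MANGLE_RULES:
            guesses += 1
            candidate = rule(word)
            if verify(record, candidate):
                return candidate, guesses
    return None, guesses


def meets_policy(password, min_len=12):
    """Complexity policy (constructed thresholds): minimum length and three of four character classes."""
    classes = sum(bool(re.search(p, password))
                  for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
    return len(password) >= min_len and classes >= 3


def find_disclosed_secrets(text):
    """Password-disclosure check: flag credentials hard-coded in batch files, scripts or pages.
    Returns [(line_number, value), ...]."""
    return [(n, m.group(2)) for n, line in enumerate(text.splitlines(), 1)
            for m in [SECRET_RE.search(line)] if m]


if __name__ == "__main__":
    print(dictionary_attack(make_record("Password1", iterations=20_000)))
    print(meets_policy("Password1"), meets_policy("Correct-Horse-42!"))
    print(find_disclosed_secrets(SCRIPT))
```

Raising the iteration count slows the attacker's loop and the legitimate verify equally; the policy check is what keeps the password out of the small space a wordlist with mangling rules covers.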
WHAT IS A DENIAL OF SERVICE ATTACK?
Denial-of-Service (DoS) Attack:
Any attempt by an attacker to deny a victim’s access to a resource
DoS attacks can be divided into three categories:
Flooding attacks
Resource starvation attacks
Disruption of service
Note: Denial-of-service attacks should not be launched against your own live production network.
COUNTERMEASURES TO PROTECT AGAINST DENIAL-OF-SERVICE ATTACKS
Countermeasures
Ensure that your routers have anti-spoofing rules in place and rules that block directed broadcasts
Set rate limitations on devices to mitigate flooding attacks
Consider blocking or rate-limiting ICMP packets (blocking all ICMP also breaks path MTU discovery, so filter selectively)
Apply the latest updates to the operating system and applications, and test updates before applying them to production systems
Set disk quotas
Disable unneeded services
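The first three countermeasures above (anti-spoofing rules, blocking directed broadcasts, rate limiting) as an added example that is not from the original material. It is a small model of what a border router does to each packet, written in Python rather than any vendor's rule syntax; the address prefixes, interface names, rates and the packet stream are constructed for the example.

```python
import ipaddress

# Constructed topology: our prefixes, our directly connected subnets, and never-valid sources.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]
CONNECTED_SUBNETS = [ipaddress.ip_network(n) for n in ("10.0.1.0/24", "192.168.5.0/24")]
BOGON_NETS = [ipaddress.ip_network(n) for n in ("0.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16")]


def in_any(addr, nets):
    return any(addr in n for n in nets)


def spoof_check(src, iface):
    """Anti-spoofing rules as a router applies them per interface:
    ingress (arrives on 'external'): the source must not be one of ours or a bogon;
    egress  (arrives on 'internal'): the source must be one of ours.
    Returns a drop reason or None."""
    a = ipaddress.ip_address(src)
    if iface == "external" and (in_any(a, INTERNAL_NETS) or in_any(a, BOGON_NETS)):
        return "spoofed internal/bogon source on external interface"
    if iface == "internal" and not in_any(a, INTERNAL_NETS):
        return "egress: source address is not ours"
    return None


def directed_broadcast_check(dst):
    """Block directed broadcasts so our subnets cannot be used as amplifiers."""
    d = ipaddress.ip_address(dst)
    if any(d == n.broadcast_address for n in CONNECTED_SUBNETS):
        return "directed broadcast to a connected subnet"
    return None


class TokenBucket:
    """Per-source rate limit: `rate` packets/second sustained, `burst` packets at once."""

    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.tokens = float(burst)
        self.last = None

    def allow(self, now):
        if self.last is not None:
            self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


def filter_packets(packets, rate=10.0, burst=5):
    """packets: iterable of (timestamp, src, dst, iface). Returns [(verdict, reason), ...]
    in input order; spoof and broadcast rules run first, then the per-source rate limit."""
    buckets, out = {}, []
    for ts, src, dst, iface in packets:
        reason = spoof_check(src, iface) or directed_broadcast_check(dst)
        if reason is None:
            bucket = buckets.setdefault(src, TokenBucket(rate, burst))
            if not bucket.allow(ts):
                reason = "rate limit exceeded for source"
        out.append(("DROP" if reason else "ACCEPT", reason))
    return out


# Constructed stream: an 8-packet flood from one source, then one packet per rule.
SAMPLE_PACKETS = [(i * 0.01, "203.0.113.7", "10.0.1.10", "external") for i in range(8)] + [
    (1.0, "10.0.0.5", "10.0.1.10", "external"),         # our own prefix arriving from outside
    (1.1, "198.51.100.9", "10.0.1.255", "external"),    # directed broadcast
    (1.2, "10.0.1.20", "198.51.100.9", "internal"),     # normal outbound traffic
    (1.3, "203.0.113.99", "198.51.100.9", "internal"),  # spoofed outbound traffic
]

if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE_PACKETS, filter_packets(SAMPLE_PACKETS)):
        print(pkt, verdict)
```

With a burst of 5 and 10 packets/second, the flood gets its first five packets through and the rest are dropped; the spoofed, broadcast and bad-egress packets never reach the rate limiter because the address rules reject them first.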
UNDERSTANDING APPLICATION AND DATABASE ATTACKS
Common application and database attacks include:
Buffer overruns: write applications in managed code
SQL injection attacks: validate input for correct size and type
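The SQL injection entry above, shown as an added example that is not part of the original material: a login check that builds its query from strings, beside the hardened version that validates size and type and passes the values as parameters. The table, the one account and the allowed username pattern are constructed for the example; Python on SQLite is used because it runs in memory without a server.

```python
import re
import sqlite3

# Constructed allow-list for usernames: size and type are checked, then the shape.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")


def setup_db():
    """In-memory user table with one constructed account. Plaintext storage is only to keep the
    injection demonstration short; real systems store salted slow hashes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct-horse')")
    return conn


def login_vulnerable(conn, username, password):
    """String-built query: whatever the user typed becomes SQL syntax."""
    sql = ("SELECT COUNT(*) FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    return conn.execute(sql).fetchone()[0] > 0


def validate(value, max_len, pattern=None):
    """The countermeasure from the slide: correct type, bounded size, and for usernames an allow-list."""
    if not isinstance(value, str) or len(value) > max_len:
        return False
    return pattern is None or bool(pattern.match(value))


def login_hardened(conn, username, password):
    """Validated input plus a parameterised query: the values can never change the query's structure."""
    if not validate(username, 32, USERNAME_RE) or not validate(password, 128):
        return False
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0


if __name__ == "__main__":
    conn = setup_db()
    for user, pw in (("alice", "correct-horse"), ("alice", "' OR '1'='1"), ("alice' --", "x")):
        print(repr(user), repr(pw), login_vulnerable(conn, user, pw), login_hardened(conn, user, pw))
```

The parameter binding is what defeats the injection; the size check is the "correct size" half of the slide's advice and also bounds what an attacker can push into the application, which is the same discipline that managed runtimes enforce for buffers.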
WHAT IS NETWORK SNIFFING?
Network sniffing:
The ability of an attacker to eavesdrop on communications between network hosts
An attacker can perform network sniffing by performing the following tasks:
Compromising the host
Installing a network sniffer
Using a network sniffer to capture sensitive data such as network credentials
Using network credentials to compromise additional hosts
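The third step above, "using a network sniffer to capture sensitive data such as network credentials", as an added example that is not from the original material. A real sniffer reads frames from a raw socket or a capture file; here the frames are constructed in the block (Ethernet II, IPv4, TCP, checksums left at zero) so the parser and credential extraction run offline. The addresses, ports and credentials are made up for the example, and the last frame stands in for the same login sent over TLS to show what encryption takes away from the sniffer.

```python
import base64
import re
import socket
import struct


def build_frame(src_ip, dst_ip, sport, dport, payload):
    """Ethernet II + IPv4 + TCP frame carrying `payload` (constructed test data, checksums zero)."""
    eth = b"\xaa" * 6 + b"\xbb" * 6 + struct.pack("!H", 0x0800)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload


def parse_frame(frame):
    """Walk the headers and return the TCP payload with its endpoints, or None for non-TCP/IPv4."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 6:
        return None
    tcp = ip[ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4
    return {"src": socket.inet_ntoa(ip[12:16]), "dst": socket.inet_ntoa(ip[16:20]),
            "sport": sport, "dport": dport, "payload": tcp[data_off:]}


# Cleartext protocols whose credentials are visible on the wire.
CRED_PATTERNS = {
    "ftp-user": re.compile(rb"^USER (\S+)", re.M),
    "ftp-pass": re.compile(rb"^PASS (\S+)", re.M),
    "http-basic": re.compile(rb"Authorization: Basic (\S+)"),
}


def extract_credentials(frames):
    """What the attacker's sniffer does with captured frames: pull out cleartext credentials.
    Returns [(src, dst, dport, kind, value), ...]."""
    found = []
    for frame in frames:
        pkt = parse_frame(frame)
        if not pkt or not pkt["payload"]:
            continue
        for kind, pattern in CRED_PATTERNS.items():
            for m in pattern.finditer(pkt["payload"]):
                value = m.group(1)
                if kind == "http-basic":
                    value = base64.b64decode(value)  # Basic auth is encoded, not encrypted
                found.append((pkt["src"], pkt["dst"], pkt["dport"], kind,
                              value.decode("ascii", "replace")))
    return found


# Constructed capture: an FTP login, an HTTP Basic request, and an opaque TLS record.
SAMPLE_FRAMES = [
    build_frame("10.0.1.20", "10.0.1.5", 40001, 21, b"USER alice\r\n"),
    build_frame("10.0.1.20", "10.0.1.5", 40001, 21, b"PASS hunter2\r\n"),
    build_frame("10.0.1.21", "10.0.1.8", 40002, 80,
                b"GET /intranet/ HTTP/1.1\r\nHost: intranet\r\nAuthorization: Basic "
                + base64.b64encode(b"bob:letmein") + b"\r\n\r\n"),
    build_frame("10.0.1.22", "10.0.1.8", 40003, 443, b"\x16\x03\x01\x00\x20" + bytes(range(32))),
]

if __name__ == "__main__":
    for hit in extract_credentials(SAMPLE_FRAMES):
        print(hit)
```

Switches make a capture like this harder to obtain, but not impossible on a compromised host or a mirrored port; only the encrypted session in the last frame yields nothing, which is why "use encryption to protect data" heads the countermeasure list that follows.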
COUNTERMEASURES FOR NETWORK SNIFFING ATTACKS
To reduce the threat of network sniffing attacks on your network consider the following:
Use encryption to protect data
Use switches instead of hubs
Secure core network devices
Use crossover cables
Develop policy
Conduct regular scans
HOW ATTACKERS AVOID DETECTION DURING AN ATTACK
Common ways that attackers avoid detection include:
Flooding log files
Using logging mechanisms
Attacking detection mechanisms
Using canonicalization attacks
Using decoys
Common ways that attackers avoid detection after an attack include:
Installing rootkits
Tampering with log files
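The "canonicalization attacks" entry above, as an added example that is not from the original material: a detection rule that matches the request as received is compared with one that first reduces the request to a canonical form (repeated percent-decoding, separator and case folding, dot-segment resolution) and rejects encodings that do not decode cleanly. The signature list and the request paths are constructed for the example.

```python
import re
from urllib.parse import unquote

# Constructed signatures, lowercase because matching happens on the canonical form.
SIGNATURES = [re.compile(p) for p in (r"/etc/passwd", r"cmd\.exe")]


def naive_match(raw_path):
    """Signature match on the request exactly as received: what a simple IDS or WAF rule does."""
    return any(sig.search(raw_path) for sig in SIGNATURES)


def canonicalize(raw_path, max_rounds=5):
    """Collapse the many encodings of one path into a single form before matching:
    percent-decode until stable (catches double encoding), unify separators, fold case.
    Raises UnicodeDecodeError for invalid or overlong UTF-8 sequences such as %c0%ae."""
    path = raw_path
    for _ in range(max_rounds):
        decoded = unquote(path, errors="strict")
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/").lower()


def resolve(path):
    """Apply '.' and '..' segments against a virtual web root; report whether the path climbs above it."""
    stack, escaped = [], False
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if stack:
                stack.pop()
            else:
                escaped = True
        else:
            stack.append(seg)
    return "/" + "/".join(stack), escaped


def detect(raw_path):
    """Canonicalize, then match. Returns a reason string, or None when the request looks benign."""
    try:
        canon = canonicalize(raw_path)
    except UnicodeDecodeError:
        return "invalid percent-encoding (overlong or non-UTF-8 sequence)"
    for sig in SIGNATURES:
        if sig.search(canon):
            return "signature %r after canonicalization" % sig.pattern
    _, escaped = resolve(canon)
    if escaped:
        return "path resolves above the web root"
    return None


# Constructed requests: the obvious form, four encoded evasions, and two benign paths.
EVASIONS = [
    "/images/%2e%2e/%2e%2e/etc/%70asswd",        # percent-encoded dots and one encoded letter
    "/%252e%252e%252fetc%252fpasswd",           # double encoding
    "/cgi-bin/CMD.EXE",                         # case variation
    "/images/%2e%2e/%2e%2e/%2e%2e/secret.txt",  # traversal with no fixed signature at all
    "/%c0%ae%c0%ae/boot.ini",                   # overlong UTF-8 for '.'
]

if __name__ == "__main__":
    for path in ["/images/../../../etc/passwd"] + EVASIONS + ["/index.html", "/static/css/../app.css"]:
        print(path, naive_match(path), detect(path))
```

The naive rule catches only the undisguised request; every evasion in the list slips past it and is caught after canonicalization, while the benign paths, including one with a harmless `..` segment, still pass.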