Saturday, April 28, 2012

This post will be about I.T. security policy. First, a security policy is a definition of what it means to be secure for a system, organisation or other entity. For an organisation, it addresses the constraints on the behaviour of its members as well as the constraints imposed on adversaries by mechanisms such as doors, locks, keys and walls. For systems, the security policy addresses constraints on functions and on the flow of data among them, constraints on access by external systems and adversaries (including programs), and access to data by people.

The policy statement of the I.T. security policy is: "It shall be the responsibility of the I.T. Department to provide adequate protection and confidentiality of all corporate data and proprietary software systems, whether held centrally, on local storage media, or remotely, to ensure the continued availability of data and programs to all authorised members of staff, and to ensure the integrity of all data and configuration controls." The main security policies are summarised as follows:


1.1. Confidentiality of all data is to be maintained through discretionary and
mandatory access controls, and wherever possible these access
controls should meet with C2 class security functionality.

1.2. Internet and other external service access is restricted to authorised
personnel only.

1.3. Access to data on all laptop computers is to be secured through
encryption or other means, to provide confidentiality of data in the
event of loss or theft of equipment.

1.4. Only authorised and licensed software may be installed, and
installation may only be performed by I.T. Department staff.

1.5. The use of unauthorised software is prohibited. In the event of
unauthorised software being discovered it will be removed from the
workstation immediately.

1.6. Data may only be transferred for the purposes determined in the
Organisation’s data-protection policy.

1.7. All diskette drives and removable media from external sources must be
virus checked before they are used within the Organisation.

1.8. Passwords must consist of a mixture of at least 8 alphanumeric
characters, and must be changed every 40 days and must be unique.

1.9. Workstation configurations may only be changed by I.T. Department
staff.

1.10. The physical security of computer equipment will conform to
recognised loss prevention guidelines.

1.11. To prevent the loss of availability of I.T. resources measures must be
taken to backup data, applications and the configurations of all
workstations.

1.12. A business continuity plan will be developed and tested on a regular basis.

This post is on "Common networking attack threats and solutions". I will list the different types of network attacks occurring all around the world.


1) Spoofing

Any internet-connected device sends IP datagrams into the network. Such packets carry the sender's IP address as well as application-layer data. If an attacker obtains control over the software running on a network device, they can easily modify the device's protocol stack to place an arbitrary IP address in the datagram's source address field. This is known as IP spoofing, and it makes any payload appear to come from any source. With a spoofed source IP address on a datagram, it is difficult to find the host that actually sent it.

The countermeasure for spoofing is ingress filtering, which routers usually perform. A router that performs ingress filtering checks the source IP address of each incoming datagram against the set of addresses known to be reachable via the interface on which it arrived. If the source address is not in that valid range, the packet is discarded.
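The ingress-filtering rule just described, as an added example that is not part of the original post: a small model of a router that forwards a datagram only when its source address lies inside a prefix known to be reachable via the arrival interface. The interface names, prefixes and sample traffic are constructed for the example; a real router takes the reachability table from its routing table or an access list.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed per-interface reachability table for a hypothetical router.
# The interface names and prefixes are invented for this example.
REACHABLE_VIA: Dict[str, List[ipaddress.IPv4Network]] = {
    "eth0": [ipaddress.ip_network("192.0.2.0/24")],            # customer LAN
    "eth1": [ipaddress.ip_network("198.51.100.0/25"),
             ipaddress.ip_network("198.51.100.128/25")],       # second site
}


def ingress_verdict(interface: str, src_ip: str) -> str:
    """Decide 'forward' or 'drop' for a datagram arriving on `interface`
    that claims `src_ip` as its source.  Only sources inside a prefix known
    to be reachable via that interface are forwarded; everything else,
    including malformed addresses and unknown interfaces, is dropped."""
    try:
        src = ipaddress.ip_address(src_ip)
    except ValueError:
        return "drop"                       # not a valid IP address at all
    prefixes = REACHABLE_VIA.get(interface)
    if prefixes is None:
        return "drop"                       # unknown interface: fail closed
    if any(src in net for net in prefixes):
        return "forward"
    return "drop"                           # source cannot legitimately arrive here


def filter_datagrams(datagrams: List[Tuple[str, str, str]]) -> List[Tuple[Tuple[str, str, str], str]]:
    """Apply ingress_verdict to (interface, src_ip, dst_ip) tuples and keep the
    verdict next to each datagram so that drops can be logged for analysis."""
    return [(d, ingress_verdict(d[0], d[1])) for d in datagrams]


# Constructed sample traffic: two legitimate datagrams and two spoofed ones.
SAMPLE = [
    ("eth0", "192.0.2.17", "203.0.113.5"),       # inside eth0's prefix
    ("eth1", "198.51.100.200", "203.0.113.5"),   # inside eth1's second prefix
    ("eth0", "198.51.100.9", "203.0.113.5"),     # spoofed: that range lives behind eth1
    ("eth0", "10.1.2.3", "203.0.113.5"),         # spoofed private address
]

if __name__ == "__main__":
    for dgram, verdict in filter_datagrams(SAMPLE):
        print(f"{dgram[0]} src={dgram[1]:<16} -> {verdict}")
```

The filter fails closed: an unknown interface or an unparsable address is dropped rather than forwarded, which is the safe default for a check whose whole purpose is to refuse traffic that could not legitimately have arrived where it did.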

2) Sniffing 

Packet sniffing is the interception of data packets traversing a network. A sniffer program works at the Ethernet layer in combination with the network interface card (NIC) to capture all traffic travelling to and from an internet host site. Further, if any of the Ethernet NICs are in promiscuous mode, the sniffer program will pick up all packets passing anywhere near the internet host site. A sniffer placed on a backbone device, inter-network link or network aggregation point will therefore be able to monitor a great deal of traffic. Most packet sniffers are passive: they listen to all data-link-layer frames passing by the device's network interface. There are dozens of freely available packet sniffer programs on the internet. The more sophisticated ones allow more active intrusion.

The key to detecting packet sniffing is to detect network interfaces that are running in promiscuous mode. Sniffing can be detected in two ways:

Host-based: software commands exist that can be run on individual host machines to tell whether the NIC is running in promiscuous mode.
Network-based: solutions tend to check for the presence of running processes and log files, which sniffer programs use a lot of. However, sophisticated intruders almost always hide their tracks by disguising the process and cleaning up the log files.
The best countermeasure against sniffing is end-to-end or user-to-user encryption.
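The host-based check described above, as an added example that is not from the original post: on Linux the kernel exposes each interface's flag word in /sys/class/net/<iface>/flags, and the IFF_PROMISC bit (0x100, from <linux/if.h>) is set while any program has the interface in promiscuous mode. The sample flag values are a constructed snapshot; the live read falls back to that snapshot on hosts without sysfs.

```python
import os
from typing import Dict, List

# IFF_PROMISC from <linux/if.h>. On Linux, /sys/class/net/<iface>/flags holds
# the interface flag word as a hexadecimal string such as "0x1103\n".
IFF_PROMISC = 0x100


def is_promiscuous(flags_text: str) -> bool:
    """Given the text of a sysfs `flags` file, report whether IFF_PROMISC is set."""
    return bool(int(flags_text.strip(), 16) & IFF_PROMISC)


def read_iface_flags(sysfs_root: str = "/sys/class/net") -> Dict[str, str]:
    """Read the raw flags string of every interface below sysfs_root.
    Returns an empty dict where that directory does not exist (non-Linux hosts)."""
    flags: Dict[str, str] = {}
    if not os.path.isdir(sysfs_root):
        return flags
    for iface in sorted(os.listdir(sysfs_root)):
        try:
            with open(os.path.join(sysfs_root, iface, "flags")) as fh:
                flags[iface] = fh.read()
        except OSError:
            continue                      # entries without a readable flags file
    return flags


def promiscuous_interfaces(flags_by_iface: Dict[str, str]) -> List[str]:
    """Names of the interfaces whose flags word has the promiscuous bit set."""
    return [name for name, text in flags_by_iface.items() if is_promiscuous(text)]


# Constructed snapshot of what the sysfs files might contain on a host where a
# sniffer has switched eth1 into promiscuous mode and eth0 is untouched.
SAMPLE_FLAGS = {
    "lo":   "0x9\n",      # UP | LOOPBACK
    "eth0": "0x1003\n",   # UP | BROADCAST | MULTICAST
    "eth1": "0x1103\n",   # UP | BROADCAST | MULTICAST | PROMISC
}

if __name__ == "__main__":
    live = read_iface_flags()
    snapshot = live if live else SAMPLE_FLAGS   # fall back to the constructed sample
    for name in promiscuous_interfaces(snapshot):
        print(f"WARNING: {name} is in promiscuous mode")
```

This only sees a sniffer running on the host being checked; a sniffer attached to a mirror port or sitting on an upstream link leaves no trace here at all, which is why the post's closing point stands: encryption of the traffic is the countermeasure that does not depend on finding the sniffer.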

3) Mapping (Eavesdropping)

Before attacking a network, attackers want to know the IP addresses of the machines on the network, the operating systems they run, and the services they offer. With this information their attacks can be more focused and are less likely to raise an alarm. The process of gathering this information is known as mapping.

In general, the majority of network communications occur in an unsecured or "clear text" format, which allows an attacker who has gained access to data paths in your network to "listen in" and interpret the traffic. When an attacker is eavesdropping on your communications, it is referred to as sniffing or snooping. The ability of an eavesdropper to monitor the network is generally the biggest security problem that administrators face in an enterprise.

The countermeasure is strong encryption of the traffic, based on sound cryptography; otherwise your data can be read by others as it traverses the network.

4) Hijacking
This is a technique that takes advantage of a weakness in the TCP/IP protocol stack and the way headers are constructed. Hijacking occurs when someone between you and the person with whom you are communicating is actively monitoring, capturing, and controlling your communication transparently. For example, the attacker can re-route a data exchange. When computers are communicating at low levels of the network stack, they might not be able to determine with whom they are exchanging data.

Man-in-the-middle attacks are like someone assuming your identity in order to read your messages. The person on the other end might believe it is you, because the attacker might be actively replying as you to keep the exchange going and gain more information.

5) Trojans
These are programs that look like ordinary software but actually perform unintended or malicious actions behind the scenes when launched. Most remote-control spyware programs are of this type. The number of trojan techniques is limited only by the attacker's imagination. A trojanized file will look, operate, and appear to be the same size as the system file it replaces.

The only reliable protection is to establish cryptographic checksums or digital signatures of the binaries early, before any compromise, and verify against them.
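The checksum defence just mentioned, as an added example that is not from the original post: a baseline of SHA-256 digests is taken while the files are known good and later compared against the live files. Because a trojanized file keeps its size, only the digest catches the substitution; the record itself carries an HMAC under a key kept off the monitored host, so the attacker cannot quietly update the baseline to match the replaced file. The file names, contents and key are constructed for the demonstration.

```python
import hashlib
import hmac
import json
import os
import tempfile
from typing import Dict, Iterable


def file_digest(path: str) -> str:
    """SHA-256 of a file's contents, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths: Iterable[str], key: bytes) -> Dict:
    """Record a digest for each file and an HMAC over the whole record, so an
    attacker who replaces a file cannot simply edit the baseline to match.
    The key must live somewhere the monitored host cannot write to."""
    digests = {p: file_digest(p) for p in sorted(paths)}
    body = json.dumps(digests, sort_keys=True).encode()
    return {"files": digests, "mac": hmac.new(key, body, hashlib.sha256).hexdigest()}


def baseline_intact(baseline: Dict, key: bytes) -> bool:
    """True if the baseline record's HMAC still verifies under `key`."""
    body = json.dumps(baseline["files"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, baseline["mac"])


def verify_baseline(baseline: Dict, key: bytes) -> Dict[str, str]:
    """Return {path: 'ok' | 'modified' | 'missing'} for every recorded file.
    Raises ValueError if the baseline record itself has been tampered with."""
    if not baseline_intact(baseline, key):
        raise ValueError("baseline record failed its integrity check")
    status: Dict[str, str] = {}
    for path, digest in baseline["files"].items():
        if not os.path.exists(path):
            status[path] = "missing"
        elif file_digest(path) != digest:
            status[path] = "modified"
        else:
            status[path] = "ok"
    return status


def demo() -> Dict[str, str]:
    """Constructed scenario: two stand-in 'system binaries' in a temp dir. After
    the baseline is taken, one is replaced by a file of identical size, which a
    size check would miss but the digest catches."""
    key = b"placeholder-key-keep-it-off-the-monitored-host"
    tmp = tempfile.mkdtemp()
    login = os.path.join(tmp, "login.bin")
    ls = os.path.join(tmp, "ls.bin")
    with open(login, "wb") as fh:
        fh.write(b"ORIGINAL LOGIN BINARY v1")
    with open(ls, "wb") as fh:
        fh.write(b"ORIGINAL LS BINARY")
    baseline = build_baseline([login, ls], key)
    with open(login, "wb") as fh:
        fh.write(b"TROJANED LOGIN BINARY v1")   # same length, different content
    return {os.path.basename(p): s for p, s in verify_baseline(baseline, key).items()}


if __name__ == "__main__":
    print(demo())   # {'login.bin': 'modified', 'ls.bin': 'ok'}
```

The ordering matters: the baseline is worthless if it is taken after the machine may already have been compromised, which is what the post means by "early".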

6) Denial of Service
A denial of service attack is a special kind of Internet attack aimed at large websites. It is a type of attack on a network designed to bring the network to its knees by flooding it with useless traffic. Denial of service can result when a system, such as a web server, has been flooded with illegitimate requests, making it impossible to respond to real requests or tasks. Yahoo! and eBay were both victims of such attacks in February 2000.

A DoS attack can be perpetrated in a number of ways. There are three basic types of attack.

Consumption of computational resources, such as bandwidth, disk space or CPU time.
Disruption of configuration information, such as routing information.
Disruption of physical network components.
The consequences of a DoS attack are the following:

Unusually slow network performance.
Unavailability of a particular web site.
Inability to access any web site.
Dramatic increase in the amount of spam you receive in your account.

Common forms of DoS attacks are:
a) Buffer Overflow Attacks
The most common kind of DoS attack is simply to send more data to a network address than the programmer anticipated when sizing its buffers. A few of the better-known attacks based on the buffer characteristics of a program or system include:

Sending e-mail messages that have attachments with 256-character file names to Netscape and Microsoft mail programs.
Sending oversized Internet Control Message Protocol (ICMP) packets.
Sending a user of an e-mail program a message with a "From" address longer than 256 characters.

b) Smurf Attack

In this attack, the perpetrator sends an ICMP ping request to a receiving site. The ping packet is addressed so that it is broadcast to a number of hosts within the receiving site's local network. The packet also indicates that the request is from another site, the target site that is to receive the denial of service attack. The result is lots of ping replies flooding back to the innocent, spoofed host. If the flood is great enough, the spoofed host will no longer be able to receive or distinguish real traffic.



c) SYN floods
When a computer wants to make a TCP/IP connection to another computer, usually a server, an exchange of TCP/SYN and TCP/ACK packets occurs. The computer requesting the connection, usually the client's or user's computer, sends a TCP/SYN packet which asks the server if it can connect. If the server is ready, it sends a TCP/SYN-ACK packet back to the client to say "Yes, you may connect" and reserves a space for the connection, waiting for the client to respond with a TCP/ACK packet. In a SYN flood, the address of the client is often forged, so that when the server sends a TCP/SYN-ACK packet back, the client never answers it, because the client either doesn't exist or wasn't expecting the packet and ignores it. This leaves the server with a dead connection, reserved for a client that will never respond. Usually this is done to one server many times in order to reserve all the connections for unresolved clients, which keeps legitimate clients from making connections.
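The half-open state the post describes, as an added example that is not from the original post: a replay of handshake segments that models the server's table of reserved-but-unfinished connections, which is the resource a SYN flood exhausts. The server address, client addresses, timestamps, timeout and alert threshold are all constructed for the example; the trace contains one normal handshake, five SYNs from forged sources that never answer the SYN-ACK, and a later normal handshake.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Segment:
    t: float      # arrival time in seconds
    src: str      # sender address
    dst: str      # receiver address
    flags: str    # "SYN", "SYN-ACK" or "ACK" (handshake segments only)


HANDSHAKE_TIMEOUT = 5.0   # seconds a half-open entry may wait for the client's ACK
BACKLOG_ALERT = 4         # half-open entries at once treated as a flood (constructed threshold)
SERVER = "198.51.100.10"  # the server whose backlog is modelled (constructed address)


def replay(segments: List[Segment]) -> Tuple[int, Dict[str, int]]:
    """Walk the handshake segments in time order and model the server's table of
    half-open connections.  Returns (peak table size, abandoned handshakes per
    client address), the two signals an operator watches for a SYN flood."""
    half_open: Dict[str, float] = {}     # client -> time its SYN was received
    abandoned: Dict[str, int] = {}
    peak = 0
    for seg in sorted(segments, key=lambda s: s.t):
        # Expire entries whose client never completed the handshake.
        for client, since in list(half_open.items()):
            if seg.t - since > HANDSHAKE_TIMEOUT:
                abandoned[client] = abandoned.get(client, 0) + 1
                del half_open[client]
        if seg.dst != SERVER:
            continue                     # SYN-ACKs leave the server; nothing to allocate
        if seg.flags == "SYN":
            half_open[seg.src] = seg.t   # server reserves state on the SYN
        elif seg.flags == "ACK":
            half_open.pop(seg.src, None) # third packet: handshake complete
        peak = max(peak, len(half_open))
    return peak, abandoned


def detect(segments: List[Segment]) -> Dict:
    """Summarise a trace: whether the backlog ever reached the alert level and how
    many distinct sources walked away from a half-open connection."""
    peak, abandoned = replay(segments)
    return {
        "peak_half_open": peak,
        "abandoning_sources": len(abandoned),
        "flood": peak >= BACKLOG_ALERT,
    }


def _handshake(t: float, client: str) -> List[Segment]:
    """Constructed complete three-way handshake starting at time t."""
    return [Segment(t, client, SERVER, "SYN"),
            Segment(t + 0.1, SERVER, client, "SYN-ACK"),
            Segment(t + 0.2, client, SERVER, "ACK")]


# Constructed trace: one legitimate client, then five SYNs from forged sources
# that never answer the SYN-ACK, then a second legitimate client much later.
SAMPLE: List[Segment] = _handshake(0.0, "192.0.2.1")
for i in range(5):
    spoofed = f"203.0.113.{i + 1}"
    SAMPLE.append(Segment(1.0 + 0.1 * i, spoofed, SERVER, "SYN"))
    SAMPLE.append(Segment(1.05 + 0.1 * i, SERVER, spoofed, "SYN-ACK"))
SAMPLE += _handshake(10.0, "192.0.2.2")

if __name__ == "__main__":
    print(detect(SAMPLE))
```

Note what the replay shows about the forged sources: each appears exactly once, so blocking by source address does nothing against the flood. The standard mitigation is SYN cookies (on Linux the net.ipv4.tcp_syncookies sysctl), which let the server answer a SYN without reserving state until the final ACK actually arrives.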



REFERENCES:
http://www.ruskwig.com/docs/security_policy.pdf
http://en.wikipedia.org/wiki/Security_policy
http://ayurveda.hubpages.com/hub/Types-of-Network-Attacks