Hello everyone, we will start with the first part of the BCSE course: Security Overview.
This part gives a general view of network security today.
Slide 2
Content
1. Security Overview
2. Basic Access
3. Authentication Methods
4. Authorization
5. Accounting
Case-study:
To begin with, let's talk about why network security is necessary. What is network security and
what is its role? Network security is like security in everyday life: a broad concept covering
attack, penetration, law-breaking, defense and protection, but in the network and computer
environment. When we talk about the network security of a system, we generally mean how secure
that system is and how well it can resist attack.
Slide 4
Put another way, network security is about preventing an attacker from penetrating the system by
any route: over the network, through people, or even by physically reaching the computer. What
happens if a computer network that has been working well suddenly has machines that no longer
behave as programmed, or whose data is wiped entirely? Or if a computer holding strictly
confidential documents is infected with malware that silently sends that information out? These
are certainly huge losses.
Slide 5
To understand the role of network security, let's review what needs to be protected once a
computer is placed in a network environment.
Data? Yes, certainly. This is the first thing people think of, and it really is important. From a
personal computer to the network of a company or organization, there is confidential data that
needs protection. For example, the director's personal computer holds many important documents,
and a company's server holds its customer database. If such data is lost or leaked outside, the
damage is very serious.
Second, resources: these also need protection. For example, if a computer is infected with
malware, it can be abused to attack other systems, consuming that computer's resources and the
network link; and if a system is attacked, the attack eats bandwidth and blocks the network.
Another factor that is easily affected when a network system is attacked is reputation. A company
has a website that takes orders from customers; if it suddenly becomes inaccessible, or is even
penetrated and its homepage defaced, this causes great damage to the business and badly hurts its
reputation. Or an online newspaper is hit by DDoS and its regular readers cannot reach it. That
does not mean they stop reading news; they go to another newspaper. If the outage or denial of
service drags on, the newspaper loses a large share of its regular readership.
So, with data, resources and reputation to protect, we need methods of ensuring network security.
However, different systems need different methods, depending on the specific characteristics of
each system, and there is no single detailed method that can be dropped into every system. Many
people, including company directors, think that buying an expensive piece of equipment and
installing it in their system makes the system safe. That is wrong: no device can guarantee it.
Many factors affect the safety of a system: equipment, procedures, operators, users and so on. A
comprehensive approach to network security is therefore necessary.
- One more point about network security: nothing is absolutely safe. We need to understand this
in order to strengthen protection and be ready to respond to attacks.
Slide 6
Another reason network security is necessary today is that company networks are becoming more
open. Because of the demands of work and the development of technology, more tasks involve
computers, and a typical system has more access points and entry connections than before, which
raises the network security threat higher than ever.
Slide 7
Moreover, over time more and more attack tools have appeared, and they are stronger and
stronger, which lowers the skill needed to use them. Previously, attacking a system required the
hacker to understand that system thoroughly, then find a way in and build the attack tool
himself. Today there are many ready-made tools covering every step from reconnaissance to attack,
with easy-to-use interfaces and even usage instructions on the Internet, which makes attacking
very simple. The operator just has to enter a target and press a button, with no deep
understanding of programming. With more attackers and stronger tools, the system clearly faces
more attack threats.
Slide 8
Threats of attack
Deliberate (with a purpose)
Not deliberate (without a purpose)
From outside
From inside
- An attack that is not deliberate is mainly driven by curiosity, mischief or amusement.
- Such an attacker often has no specialized knowledge; he just reads instructions, finds a
victim and tries the attack.
Slide 10
1. Dan Tri
2. Vietnamnet
3. Tuoi tre
- In July 2013, many large online newspapers in Vietnam were attacked, including Dân trí,
Vietnamnet and Tuổi trẻ.
- In the first days there were signs of unstable access; then the entire systems were completely
paralyzed.
- One of the newspapers then contacted Bkav and the responsible agency for support and
remediation.
Slide 15
IP list
- According to the statistics at the moment we came to assist, 14,000 IPs were connected to the
system within one second.
Slide 16
From these statistics, it can be seen that the IPs came mostly from Vietnam and were scattered
across provinces and cities.
Slide 17
This is a map of the distribution of attack sources. As you can see, the sources were scattered
everywhere, from America to countries in Europe, China, Japan and so on, but they were
concentrated in Vietnam.
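The per-second statistic on this slide is the kind of figure one can pull from an ordinary web-server access log. The following is an added example for this lecture (not Bkav's tooling and not code from the slides): it parses Common Log Format lines, counts the distinct source IPs and the requests per source in each one-second window, and flags windows that look like a flood. The log lines, IP addresses and thresholds are constructed for the demo.

```python
"""Flood detection over web server access-log lines.

Added example for this lecture, not Bkav's tooling: it reproduces the kind
of per-second statistic shown on the slide (how many distinct IPs hit the
site within one second) from an ordinary access log. The log lines and
IP addresses below are constructed for the demo.
"""
import re
from collections import Counter, defaultdict

# Common Log Format: client_ip ident user [timestamp] "request" status size
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\d+|-)')


def parse_line(line):
    """Return the fields of one access-log line, or None if it is malformed."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ip, ts, req, status, _size = m.groups()
    return {"ip": ip, "ts": ts, "req": req, "status": int(status)}


def flood_report(lines, min_distinct_ips=10, min_rps_per_ip=50):
    """Group requests by their one-second timestamp and flag windows where
    either many distinct sources appear (a distributed flood) or a single
    source sends an abnormal number of requests (a classic DoS).
    Thresholds are assumptions for the demo; tune them to the site's baseline."""
    per_second = defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            per_second[rec["ts"]][rec["ip"]] += 1
    report = {}
    for ts, sources in per_second.items():
        heavy = sorted(ip for ip, n in sources.items() if n >= min_rps_per_ip)
        report[ts] = {
            "requests": sum(sources.values()),
            "distinct_ips": len(sources),
            "heavy_hitters": heavy,
            "suspicious": len(sources) >= min_distinct_ips or bool(heavy),
        }
    return report


def build_sample_log():
    """Constructed log: one quiet second, then one second under attack."""
    quiet = "10/Jul/2013:09:00:00 +0700"
    lines = [f'{ip} - - [{quiet}] "GET / HTTP/1.1" 200 5120'
             for ip in ("203.0.113.5", "198.51.100.7", "192.0.2.9")]
    flood = "10/Jul/2013:09:00:01 +0700"
    # 20 bot IPs, one request each: low per-IP rate, but many sources at once
    lines += [f'203.0.113.{100 + i} - - [{flood}] "GET /?r={i} HTTP/1.1" 200 5120'
              for i in range(20)]
    # one source hammering the site on its own
    lines += [f'198.51.100.200 - - [{flood}] "GET /?r={i} HTTP/1.1" 503 0'
              for i in range(60)]
    lines.append("garbage line that does not parse")
    return lines


if __name__ == "__main__":
    for ts, row in flood_report(build_sample_log()).items():
        print(ts, row)
```

On a real log of a botnet flood the per-IP rate is usually low, as in the 20 bot addresses above; the signal is the jump in distinct sources per second, which is why the distinct-IP threshold should be set from the site's normal traffic rather than from a fixed number.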
Slide 18
In this example, the victims of these attacks are online newspapers, which receive heavy traffic
and have large resources. Their technical teams are well trained in handling DDoS attacks and
have much experience, yet they still suffered badly; so how can our government's sites be
protected if they are attacked at a similar scale?
Slide 19
Analyzing the malware
In the incident above, Bkav assisted one newspaper, localized the attack sources and collected a
sample of the malware that carried out the attack.
Slide 20
This malware poses as a Bluetooth service, which is a service familiar to many users.
Slide 21
- Analysis of this file shows that it continuously connected to three external server addresses
to receive attack commands.
Slide 22
This is a summary table of the malware's behaviour, with two main parts: connecting to the
control servers to receive attack commands, and a configuration file containing information
about the targets and the packets to send in the attack.
Slide 23
Vietnamnet
•vietnamnet.vn
•m.vietnamnet.vn
•batdongsan.vietnamnet.vn
•m.batdongsan.vietnamnet.vn
Dan Tri
•dantri.vn
•s.dantri.com.vn
•m.dantri.com.vn
•dantri.com
•dantri.com.vn
Tuoi Tre
•tuoitre.vn
•sevice.tuoitre.vn
•wa2.tuoitre.vn
•m.tuoitre.vn
•s.tuoitre.vn
•wa3.tuoitre.vn
•wa4.tuoitre.vn
So this malware sends attack packets to many subdomains of the newspapers, not just the main
domain.
Slide 24
This sample was updated continuously with new variants from the control server; as far as we
observed, the last variant was pushed on July 25th.
Slide 26
This is the analysis of another malware sample with similar functionality: it also receives
commands from a control server and then attacks many newspapers in Vietnam.
Slide 27
So how is the malware spread? Why are so many computers infected and abused to carry out the
attack?
Slide 28
From our observation, attackers have many ways to spread malware; however, in the examples above,
the main method is to attach the malware to a software installer and share it on the network.
They create new accounts on forums to post articles sharing the trojanized software, or they find
a way to compromise the accounts of active members or administrators of those forums and edit
articles those people posted earlier. Installers in such articles get downloaded and installed
more often thanks to the reputation of the account that posted them.
Slide 29
2. Spyware
We have just talked about DDoS attacks. Now let's move to another kind of attack in network
security: spyware. This is a widespread trend and a major threat to consider today.
Slide 30
In fact, according to our research in recent years, there have been many attacks on Vietnamese
state agencies, including many important cases. As this image shows, emails with attachments
containing malware are sent to the target. This is a common scenario today.
Now we will look at the common scenarios used to spread spyware in Vietnam.
Slide 31
Spyware in Vietnam
The first scenario: inject spyware into download websites
Example 1: Vietnamese keyboard software: Unikey.org was hacked and injected with spyware
Example 2: 3c.com.vn, a popular download website in Vietnam
In the first scenario, just as with spreading malware to build a botnet, or spreading malware in
general, the attacker attaches spyware to websites and forums that offer software downloads. They
can even find ways to compromise official, reputable software-sharing websites, as in the known
cases of Unikey.org and 3c.com.vn, which were hacked and had malware planted in them. Both sites
have an enormous number of downloaders, which makes the risk of spyware infection high.
Slide 32
Spyware in Vietnam
The second scenario, common in attacks on ministries, departments and agencies, is that the
attacker steals an email account and uses it to send emails containing malware to the addresses
in its contact list. This kind of attack is especially dangerous when the attacker gets into the
email account of a senior manager: he steals the manager's important confidential documents, then
uses the account to send documents (with malware attached) to other people in the contact list,
who may be other senior managers, which leads to a chain of attacks.
Slide 33
Spyware in Vietnam
The second scenario: steal email accounts and send a "document file"
This image was taken when we helped deal with a case in which a person had not sent emails to his
relatives, yet they received them. We looked at the account log and saw that, apart from the
normal logins from Vietnam, there was one login from China, while he had never been to China or
used a proxy.
Slide 34
Spyware in Vietnam
The second scenario: steal email accounts and send a "document file"
These images are the contents of emails in state agencies that we were called in to investigate.
Their subject, body and attachment name match the internal context of the unit, which makes the
recipients inclined to open them, unlike other spam emails with irrelevant content.
Slide 35
Spyware in Vietnam
The third scenario: fake email
When the attacker has not compromised a real email account that is in contact with the target, he
forges the sender address to spread the malware.
Slide 36
Slide 37
The attachments in these attack cases may be .zip archives containing .exe, .dat and similar
files; however, such files raise suspicion and are harder to get opened. So the popular format is
a document file (.doc, .ppt, .xls) that exploits vulnerabilities in the applications that handle
them.
Slide 38
Actions of spyware
Keylogging
Screen capture / video recording
Eavesdropping
Collecting documents / browsing files / stealing files
Once spyware is installed on the victim's computer, it silently carries out spying actions such
as recording keystrokes, capturing the screen, even recording audio, browsing files and stealing
documents, and then sends them outside.
Slide 39
Example 1
This image analyzes the file attached to a specific email. The file exploits a Microsoft Office
vulnerability to drop a malware named YahooMsg.exe, whose spy functions are shown in the image.
Slide 40
Example 2
This image analyzes a .scr file (a Windows screensaver, i.e. an executable) that uses the Unicode
Right-to-Left Override (RLO) character in its file name so that it appears to be a .ppt file.
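The RLO trick works because everything after the U+202E control character is rendered right-to-left, so a name such as Annual_Report_\u202etpp.scr is shown as Annual_Report_rcs.ppt while Windows still opens it as a .scr. The following is an added example for this lecture (not code from the slides): it recovers the true extension, reconstructs what the user sees, and flags the mismatch, which is the check a mail gateway or file-server scan would apply to attachments. The file names are constructed.

```python
"""Detecting file names disguised with the Unicode Right-to-Left Override.

Added example for this lecture, not code from the original slides. A name
such as 'Report_\u202etpp.scr' is rendered by a naive file manager as
'Report_rcs.ppt', because everything after U+202E is drawn right-to-left.
The sample names below are constructed."""

RLO = "\u202e"   # RIGHT-TO-LEFT OVERRIDE
PDF = "\u202c"   # POP DIRECTIONAL FORMATTING, ends an override
# Explicit bidi controls that never belong in a legitimate file name
BIDI_CONTROLS = {"\u202a", "\u202b", "\u202c", "\u202d", "\u202e",
                 "\u2066", "\u2067", "\u2068", "\u2069"}
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}


def apparent_name(name):
    """Approximate what the user sees: reverse each RLO...PDF run and
    drop the invisible control characters."""
    out, i = [], 0
    while i < len(name):
        ch = name[i]
        if ch == RLO:
            end = name.find(PDF, i + 1)
            if end == -1:
                end = len(name)
            out.append(name[i + 1:end][::-1])
            i = end + 1
        elif ch in BIDI_CONTROLS:
            i += 1
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def true_extension(name):
    """The extension the operating system actually uses to open the file."""
    clean = "".join(ch for ch in name if ch not in BIDI_CONTROLS)
    dot = clean.rfind(".")
    return clean[dot:].lower() if dot != -1 else ""


def apparent_extension(name):
    return true_extension(apparent_name(name))


def is_disguised(name):
    """True when the name contains bidi controls, or the extension the user
    sees differs from the one that will execute."""
    has_controls = any(ch in BIDI_CONTROLS for ch in name)
    return has_controls or apparent_extension(name) != true_extension(name)


def classify(name):
    """Short verdict an email gateway or file-server scan could log."""
    ext = true_extension(name)
    if is_disguised(name):
        return f"DISGUISED: looks like {apparent_extension(name)}, really {ext}"
    if ext in EXECUTABLE_EXTENSIONS:
        return f"EXECUTABLE: {ext}"
    return f"ok: {ext}"


if __name__ == "__main__":
    for sample in ("Annual_Report_\u202etpp.scr", "plan.ppt", "setup.exe"):
        print(repr(sample), "->", classify(sample))
```

The practical rule is simpler than the rendering simulation: any bidi control character in an attachment name is reason enough to block it, since no legitimate document needs one.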
Slide 41
…
Slide 44
In reality
How many computers/servers were infected?
How much data was stolen?
How much data was changed?
What happens if the malware receives a command to destroy hardware?
These are just the examples we detected, the tip of the iceberg; in reality many computers have
spyware installed, and many spying attacks may have happened silently, with enormous damage.
Slide 45
3. Web attack
Another popular kind of attack is to attack a website to gain control of it and deface its
content.
Slide 46
.gov.vn
Source: Zone-H
Last May, a mass of websites in Vietnam were attacked, including .gov.vn websites belonging to
the government.
Slide 47
Although the total number of websites in Vietnam attacked last May increased, as observed these
are not major sites; the government sites among them belong to small units, not to important
ministries, departments or agencies. From the messages the hackers left on the defaced sites, we
can guess these were spontaneous attacks related to the recent situation in the South China Sea.
This is a general trend today: conflict in real life leads to conflict on the network.
Slide 48
Banks are a special target of hackers and attackers because of the financial motive.
Slide 49
For example, at the end of 2011 a big bank, Citibank, was attacked by hackers and 200,000 credit
cards were stolen; six big banks in America were reported attacked at the beginning of 2012; and
many banks and television stations were attacked at the beginning of 2013.
Slide 51
The latest case is the discovery of an attack on a bank in Europe that stole the information of
190 customers, with a quite large amount of money, within a short time.
Slide 52
The situation is similar for domestic banks, with many attacks carried out through software
vulnerabilities or operational processes. Many virus samples have been detected whose behaviour
is to penetrate and steal bank account information.
Slide 54
The most notable case in 2012 was taking over a phone number and then using it to steal money by
transfers of up to millions of Vietnamese dong.
Slide 55
So, from the actual state of network security, we can see that threats to a network system can
come from anywhere and at any time. It is therefore necessary to take precautions and strengthen
protection.
Slide 56
And there is no single detailed method that ensures safety for all systems; a comprehensive
approach is needed, covering many factors and tailored to each system. It should be planned and
executed as a continuous process, regularly monitored and updated so that the solutions stay
appropriate.
Slide 57
These are some common concepts to consider when building solutions to ensure network security for
a system. They will be covered in more detail in later lessons.
Slide 58
2. Basic Access
To continue, let's move to the second part of today's lesson: basic access.
Slide 60
Authentication
Access control
Distinguishing individuals
Distinguishing resources
Authorization
Depends on the authentication process
Controlled by an Access Control List (ACL)
Accounting
A unique record in a database
For investigation and tracing
In network security there are three familiar concepts concerning access. All of them start with
the letter A in English:
Authentication: the identification process, verifying the real owner of an account. It is the
first step in any system with users: it distinguishes accounts so that appropriate authorization
and access control policies can be applied.
Authorization: as mentioned above, after an account is authenticated, the system grants it the
appropriate rights to access and interact with the system. This is usually controlled by an
Access Control List (ACL).
Accounting: after access has been granted, the user's actions and operations are still tracked
and recorded by the system. This step ensures the information is stored for later review,
investigation and tracing.
Slide 61
Looking closer at the authentication step: depending on its function, each system usually uses
one of the three factors below to authenticate a user:
What you know: a password or PIN, for example the password of a Windows account or of a Facebook
account.
What you have: a token, USB token, smart card and so on; for example, in my company, to access
the servers a user needs, besides the Windows password, a digital signature on a device.
What you are: biometrics, based on a distinguishing trait of each person such as a fingerprint or
face. For example, many companies today use fingerprint identification for entering and leaving
the company or an area.
Slide 62
3. Authentication Methods
Overview
As mentioned above, authentication is the basis for granting a user rights in the system. The
most popular authentication method is username/password.
Slide 64
One-way/Two-way
Authentication systems can be classified into two types: one-way and two-way (mutual)
authentication.
In one-way authentication, the client has to prove itself to the server, but not the reverse.
In two-way authentication, both sides authenticate each other.
For example, logging in to an FTP server is one-way.
Two-way is authenticating both server and client, for example when using an access server such as
RADIUS or TACACS.
Slide 65
Username/password
More on the most popular authentication method, username/password: the client sends its username
and password to the server for verification. There are many examples of this method, and probably
all of us use a username and password daily to log in to a website or a system.
Slide 66
Username/Password
Maintaining
How long is a user allowed to keep his password?
Is the password changed regularly?
At risk of being stolen
Some questions to consider about the safety of a system using this authentication method:
How long does a login session last? Require the client to re-authenticate after a certain period
of inactivity.
What are the requirements for changing the password? There should be a policy requiring a
password change after a certain period, perhaps monthly, quarterly or yearly depending on the
system.
The storage of login information on the server also needs attention. Besides protecting and
securing the server itself, the passwords stored on it must be kept in hashed form, never in
plaintext, so that a compromise of the server does not directly expose every user's password.
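The three points above (hashed storage, a password age policy, and a session idle timeout) look like this in code. This is an added example for this lecture, not code from the slides or from any product: it stores a salted PBKDF2 hash instead of the password, refuses logins once the password is older than the policy allows, and kills sessions that sit idle. The iteration count, the 90-day age and the 15-minute idle limit are policy assumptions for the demo.

```python
"""Password storage and session policy for a username/password system.

Added example for this lecture, not from the original slides. It shows what
'must be kept hashed on the server' and 'require re-authentication after
some idle time' look like in code. The iteration count, the 90-day password
age and the 15-minute idle limit are policy assumptions for the demo."""
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 600_000          # assumption: slow enough to resist offline cracking
MAX_PASSWORD_AGE = 90 * 24 * 3600    # assumption: rotate quarterly
IDLE_TIMEOUT = 15 * 60               # assumption: re-authenticate after 15 idle minutes


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256. A fresh random salt per user means two users
    with the same password get different hashes and rainbow tables are useless."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def make_record(username, password, now):
    """What the server stores: never the password, only salt + hash + change time."""
    salt, digest = hash_password(password)
    return {"user": username, "salt": salt, "hash": digest, "changed_at": now}


def verify_password(record, password):
    _, digest = hash_password(password, record["salt"])
    # constant-time comparison so timing does not leak how many bytes matched
    return hmac.compare_digest(digest, record["hash"])


def password_expired(record, now):
    return now - record["changed_at"] > MAX_PASSWORD_AGE


def login(record, password, now):
    """Return (True, session) on success or (False, reason) on failure."""
    if not verify_password(record, password):
        return False, "bad password"
    if password_expired(record, now):
        return False, "password expired"
    return True, {"user": record["user"], "last_seen": now}


def session_valid(session, now):
    """An idle session is dead: the client has to authenticate again."""
    return now - session["last_seen"] <= IDLE_TIMEOUT


def touch(session, now):
    """Call on every request so activity keeps the session alive."""
    if not session_valid(session, now):
        return False
    session["last_seen"] = now
    return True
```

If the server database leaks, an attacker holding these records still has to run PBKDF2 for every guess; with plaintext or a fast unsalted hash every account would fall at once.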
Slide 67
Username/Password
Keyloggers
Software: tracks the user's keystrokes
Hardware: a device placed between the keyboard and the computer that records every keystroke
The biggest threat today to username/password authentication is keyloggers. A keylogger is a
program that silently records the keys pressed on the keyboard, used to track and steal accounts
and passwords. Keyloggers usually come in the form of trojans, but there are also hardware
devices with the same capability, used for spying.
Slide 68
Username/Password solutions
Long passwords
Including letters, numbers and symbols
Changed regularly (the slide suggests at least once a month)
Not reused across different accounts
Careful about giving the password to others
For the user, some points to note when using passwords, to minimize the risk of losing them:
Set a strong password.
Change the password at an appropriate interval.
Do not use the same password for different systems and services.
Do not share or give the password to others.
Slide 69
CHAP concept
CHAP vs PAP
An alternative to the Password Authentication Protocol (PAP)
Safer: MD5
The password is not transmitted over the network
Used in remote login, PPP, RRAS, and authentication to web services
CHAP is safer than PAP (the traditional way, which sends the password itself) because the
password never crosses the network; only a hash is sent for comparison. (A hash is produced by a
one-way function: it is infeasible to recover the input from the output, and different inputs
give different outputs except with negligible probability. MD5 is a popular hash and is the one
used in this protocol.) In addition, the CHAP exchange carries an ID field identifying the
session, which, together with the random challenge, prevents replay attacks. One caveat: an
eavesdropper who captures the challenge and the response can still try to recover a weak password
offline by hashing candidate passwords, and the server must keep the shared secret in a form it
can hash, so the secret must be strong and protected on the server.
This protocol is widely used in services such as remote login, PPP, RRAS and authentication to
web services.
Slide 71
This is an illustration of two routers authenticating each other using CHAP (with MD5).
Slide 72
CHAP operation
In detail, the protocol is a three-way handshake. Both server and client know the password. When
the client connects, the server sends a session ID (to prevent replay on the line) together with
a random number (the challenge) to the client. The client combines what it received from the
server with its password to produce a hash (which cannot be reversed) and sends it to the server.
The server computes the hash from the same information with the same algorithm and compares it
with the one the client sent; if they match, authentication succeeds, otherwise it fails.
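The handshake just described, as an added example for this lecture (not code from the slides or from any router vendor). It computes the response the way RFC 1994 specifies, MD5 over the one-byte ID, the shared secret and the challenge, shows that a captured response cannot be replayed because each challenge is single-use, and demonstrates the caveat above: an eavesdropper can still crack a weak secret offline from the captured exchange. The secrets and the wordlist are constructed.

```python
"""CHAP three-way handshake (RFC 1994 style response = MD5(ID || secret || challenge)).

Added example for this lecture, not code from the slides or from any router
vendor. Both sides hold the same secret; only the challenge, the ID and the
hash cross the wire. The secret, the wordlist and the 'captured' exchange are
constructed for the demo."""
import hashlib
import hmac
import os


def chap_response(ident, secret, challenge):
    """The value the peer returns: MD5 over the one-byte ID, the shared
    secret and the challenge, in that order."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


class ChapAuthenticator:
    """Server side: issues challenges and verifies responses."""

    def __init__(self, secret):
        self.secret = secret
        self.next_id = 1
        self.outstanding = {}   # ID -> challenge still awaiting a response

    def challenge(self):
        ident = self.next_id & 0xFF
        self.next_id += 1
        value = os.urandom(16)  # fresh random challenge every time
        self.outstanding[ident] = value
        return ident, value

    def verify(self, ident, response):
        # Each challenge is single-use: a replayed response finds no
        # outstanding challenge for that ID and is rejected.
        challenge = self.outstanding.pop(ident, None)
        if challenge is None:
            return False
        expected = chap_response(ident, self.secret, challenge)
        return hmac.compare_digest(expected, response)


def peer_authenticate(server, secret):
    """Client side of the exchange. Returns everything an eavesdropper on the
    line would see, plus the outcome."""
    ident, challenge = server.challenge()
    response = chap_response(ident, secret, challenge)
    return {"ident": ident, "challenge": challenge, "response": response,
            "ok": server.verify(ident, response)}


def crack_offline(ident, challenge, response, wordlist):
    """The caveat: the password is never sent, but an eavesdropper can hash
    candidate secrets against the captured challenge until one matches."""
    for candidate in wordlist:
        if chap_response(ident, candidate, challenge) == response:
            return candidate
    return None


if __name__ == "__main__":
    server = ChapAuthenticator(b"s3cret-shared-by-both-routers")
    first = peer_authenticate(server, b"s3cret-shared-by-both-routers")
    print("genuine login:", first["ok"])
    print("replay of captured response:", server.verify(first["ident"], first["response"]))
```

The replay check relies on the authenticator forgetting a challenge once it has been answered; an implementation that kept challenges around, or reused the same challenge value, would let a sniffed response log in again.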
Slide 73
Kerberos
Another protocol that protects the authentication process is Kerberos. It was developed at the
Massachusetts Institute of Technology at the end of the 1980s, and Microsoft has used it since
Windows 2000.
Slide 74
Kerberos
Terminology
Ticket
A specific permission
Ticket Granting Ticket (TGT)
Issued by the central authority to let the user request a service
Key Distribution Center (KDC)
The server that gives the client a TGT, authenticates it and lets the user request a service
Kerberos operation
This is the operating model of Kerberos: besides the client and the server being authenticated
to, there is an intermediary server that assists the authentication.
Slide 76
Kerberos process
Authenticating the user
The client contacts the Key Distribution Center (KDC) to request authentication
A one-time password is also a safe option within the username/password method and is used in
many systems. This kind of password can be sent in clear text over an unsafe (eavesdropped)
channel without loss of security, because it is used only once and cannot be reused.
Slide 78
Token Password
Certificates
Certificates, or digital signatures, are another solution giving high safety for important
systems. It needs a trusted third party to issue the certificate and vouch for it. Data sent
under this scheme is encrypted with the receiver's public key and can only be decrypted with the
receiver's private key.
Slide 80
Certificates
We meet this model daily in many applications: accessing websites over https, using smart cards,
digital signatures in email.
Slide 81
Problems with certificates
This solution gives high safety but costs resources and money.
Slide 82
Biometrics
Advantages
Can be very accurate
Fast: authentication takes less than one second
Low burden on the user
Can combine many factors: fingerprint, iris, voice, etc.
Biometrics
Problems
Cost: implementing a biometric authentication system needs a budget for hardware and software
Can misidentify: the right person is rejected
However, the cost of implementing such a system is usually not small, and sometimes
misidentification makes it hard to log in.
Slide 84
Multifactor
Combining several authentication methods is the solution for systems that require high safety.
Slide 85
Multi-factor
Disadvantages of multi-factor
Increased cost
Implementation: investing in equipment, training users and administrators
Maintenance: not always compatible across manufacturers
Upgrades: instability of manufacturers, new technology appearing
The problem is that safety usually comes with expense. Building and operating a system with
several authentication factors certainly costs more than a simple authentication system.
Slide 87
Multi-factor
Advantages
Reduced dependence on passwords
A stronger authentication system
Enables a Public Key Infrastructure (PKI)
4. Authorization
Overview
Once the user is authenticated, the system grants the appropriate rights for the user to access a
resource.
Slide 90
Discretionary access control (DAC) is an access policy in which the owner of a file or resource
decides for himself: the owner decides who is allowed to access the file and which operations
they may perform.
Slide 91
Role-based access control (RBAC) is an authorization scheme in which a user's rights to system
resources are determined by the user's role.
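The two models side by side, as an added example for this lecture (not code from the slides): a DAC resource whose owner alone can edit its ACL, and an RBAC table that derives a user's rights from the roles he holds. Every decision is appended to an audit list, which is the raw material the accounting step later relies on. Users, roles and permissions are constructed.

```python
"""Discretionary and role-based access control, with an accounting trail.

Added example for this lecture, not from the slides. DacResource lets the
owner manage an ACL on one resource; Rbac derives rights from roles. Every
decision is appended to AUDIT_LOG, the kind of record the accounting step
later relies on. Users, roles and permissions are constructed for the demo."""

READ, WRITE = "read", "write"
AUDIT_LOG = []   # (subject, resource, action, allowed)


def record(subject, resource, action, allowed):
    """Accounting: keep every decision, denied ones included."""
    AUDIT_LOG.append((subject, resource, action, allowed))
    return allowed


class DacResource:
    """DAC: the owner decides who may do what; nobody else can change the ACL."""

    def __init__(self, name, owner):
        self.name = name
        self.owner = owner
        self.acl = {owner: {READ, WRITE}}

    def grant(self, actor, user, perms):
        if actor != self.owner:
            return record(actor, self.name, f"grant:{user}", False)
        self.acl.setdefault(user, set()).update(perms)
        return record(actor, self.name, f"grant:{user}", True)

    def check(self, user, perm):
        return record(user, self.name, perm, perm in self.acl.get(user, set()))


class Rbac:
    """RBAC: permissions attach to roles, users get roles; the user's rights
    are the union of the rights of all the roles he holds."""

    def __init__(self):
        self.role_perms = {}
        self.user_roles = {}

    def add_role(self, role, perms):
        self.role_perms[role] = set(perms)

    def assign(self, user, role):
        if role not in self.role_perms:
            raise KeyError(f"unknown role {role!r}")
        self.user_roles.setdefault(user, set()).add(role)

    def permissions(self, user):
        return set().union(*(self.role_perms[r] for r in self.user_roles.get(user, ())))

    def check(self, user, perm):
        return record(user, "rbac", perm, perm in self.permissions(user))


if __name__ == "__main__":
    db = DacResource("customer.db", "director")
    db.grant("director", "alice", {READ})
    print("alice read:", db.check("alice", READ), "alice write:", db.check("alice", WRITE))
    rbac = Rbac()
    rbac.add_role("auditor", {"log:read"})
    rbac.assign("carol", "auditor")
    print("carol log:delete:", rbac.check("carol", "log:delete"))
    for entry in AUDIT_LOG:
        print(entry)
```

With RBAC, removing a person's access is a change to one user-role mapping; with DAC it means visiting every resource whose owner granted him something, which is why large organizations prefer roles for anything beyond personal files.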
Slide 93
5. Accounting
Overview
Logging
Logging:
- Records actions, to give statistics of events in the network
- For example, to control who accessed the file server, when, and for what purpose
Slide 96
Scanning
Scanning means scanning the system to check which services run on it and then analyzing the
possible threats. There are many tools that support scanning a network system.
Slide 97
Monitoring
Monitoring is the process of supervising the system and analyzing log files to check how
resources are accessed and used.
Slide 98
Case-study:
To finish today's lesson, we will discuss popular methods of network attack and some small tools
used by attackers.
Slide 99
Attack Methods
Probe attack
Intrusion attack
Denial of Service attack
Attack methods can be classified into three types: probing, intrusion (gaining access) and
denial of service.
Slide 100
Attack Methods
Probe attack
Intrusion attack
Denial of Service attack
Probing
Sniffing
The attacker finds a way to sniff traffic to collect important information such as
usernames/passwords
Harder to carry out on a switched network
Works on unencrypted information
For example: Ethereal (now Wireshark), Dsniff, Packet Inspector
Probing aims to collect information about the system. It includes sniffing, which can give the
attacker important information. Some tools supporting probing are Cain & Abel, Ethereal,
Dsniff, etc.
Slide 102
Probing
Ping sweep
A ping sweep tests connectivity to determine which computers and devices are present on the
network. Many tools can scan an entire network range to find the hosts on it.
Slide 103
Probing
Port sweep
Checks which ports are open and which services run on the server
Some common ports:
HTTP: 80
FTP: 20, 21
SMTP: 25
DNS: 53
For example: Nmap, SuperScan
Checking which ports are open on a computer in the network, to collect information about the
services in the system. Nmap and SuperScan are two of the many tools for this.
Slide 104
Probing
From the information about service ports, the software and the operating system of the computer
can be determined or guessed. Nmap is the typical tool for this.
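What a port sweep with banner grabbing does underneath tools like Nmap, as an added example for this lecture (not Nmap or SuperScan code). To run offline it starts its own listener on 127.0.0.1 that greets connections with a constructed FTP-style banner, sweeps the ports around it with plain TCP connects, and guesses the service from the banner first and the port number second. Only scan hosts you are authorised to test.

```python
"""A minimal TCP connect port sweep with banner grabbing.

Added example for this lecture, not Nmap or SuperScan code. To run offline it
starts its own listener on 127.0.0.1 that answers with an FTP-style banner
(constructed), then sweeps a few ports around it. Only scan hosts you are
authorised to test."""
import socket
import threading

WELL_KNOWN = {20: "ftp-data", 21: "ftp", 25: "smtp", 53: "dns", 80: "http", 443: "https"}


def start_demo_listener(host="127.0.0.1"):
    """Bind an ephemeral port and greet each connection like an FTP server."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:      # listener closed
                return
            with conn:
                conn.sendall(b"220 demo-ftp ready\r\n")

    threading.Thread(target=serve, daemon=True).start()
    return srv, port


def probe_port(host, port, timeout=0.5):
    """Return the banner (possibly empty bytes) if the port accepts a TCP
    connection, or None if it is closed or filtered."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except OSError:
            return None
        try:
            return s.recv(256)
        except OSError:
            return b""


def port_sweep(host, ports, timeout=0.5):
    """Map each open port to its banner."""
    result = {}
    for port in ports:
        banner = probe_port(host, port, timeout)
        if banner is not None:
            result[port] = banner
    return result


def guess_service(port, banner):
    """Banner first, then port number: a service on an unusual port still
    gives itself away by what it says."""
    text = banner.decode("ascii", "replace").lower()
    if text.startswith("220") and "ftp" in text:
        return "ftp"
    if text.startswith("ssh-"):
        return "ssh"
    if text.startswith("http/") or "<html" in text:
        return "http"
    return WELL_KNOWN.get(port, "unknown")


if __name__ == "__main__":
    srv, port = start_demo_listener()
    for p, b in port_sweep("127.0.0.1", range(port - 2, port + 3)).items():
        print(p, guess_service(p, b), b)
    srv.close()
```

A full TCP connect is the noisiest way to sweep: every probe completes the handshake and lands in the target's logs, which is exactly what the monitoring step above should be looking for (many connection attempts from one source across many ports in a short time).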
Slide 105
Attack Methods
Probing attack
Intrusion attack
Denial of Service attack
Intrusion attack
Man-in-the-middle
The hacker sits in the middle of the data exchanged between two computers
Collects data/passwords
Then forwards the information on to the victim computer
For example: Ettercap
Intrusion attack
Replay
The hacker sniffs the network
Passwords and authentication information are recorded by the hacker
The hacker re-sends the recorded authentication information (possibly modified), posing as the
user
For example: the user sends a money transfer command (via the web), the hacker captures this URL
and re-sends it, and the user loses money
A replay attack is one in which the hacker, sitting in the middle, tries to act as the user by
re-sending a recorded packet, so that the same operation the user performed earlier is carried
out again.
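The money-transfer example above, as an added example for this lecture (not code from any real bank): a vulnerable handler executes any well-formed request, so the captured URL can be re-sent as often as the attacker likes; the hardened handler requires a single-use token issued with the transfer form, so the replay finds the token already spent and is refused. This is the same single-use property that makes the one-time password of slide 78 safe even when it is sniffed in clear text. The bank, URLs, accounts and token format are constructed.

```python
"""Replaying a captured transfer request, and the one-time token that stops it.

Added example for this lecture, not code from any real bank. The bank, the
URLs and the accounts are constructed. The same single-use idea is what
makes a one-time password safe even if it is sniffed in clear text."""
import secrets
from urllib.parse import parse_qs, urlparse


class Bank:
    def __init__(self):
        self.balances = {"victim": 100, "attacker": 0}
        self.unused_tokens = set()   # tokens issued with a transfer form, not yet spent

    def issue_token(self):
        """Handed to the browser with the transfer form; valid for one request.
        A real system also binds it to the authenticated session."""
        token = secrets.token_hex(16)
        self.unused_tokens.add(token)
        return token

    def _parse(self, url):
        q = parse_qs(urlparse(url).query)
        return {k: v[0] for k, v in q.items()}

    def _move(self, src, dst, amount):
        if amount <= 0 or self.balances.get(src, 0) < amount or dst not in self.balances:
            return False
        self.balances[src] -= amount
        self.balances[dst] += amount
        return True

    def transfer_insecure(self, url):
        """Vulnerable handler: any well-formed request is executed, so a
        sniffed URL can be re-sent as often as the attacker likes."""
        p = self._parse(url)
        return self._move(p["from"], p["to"], int(p["amount"]))

    def transfer_secure(self, url):
        """Hardened handler: the request must carry a token that was issued
        and has not been spent; a replay reuses a spent token and is refused."""
        p = self._parse(url)
        token = p.get("token")
        if token not in self.unused_tokens:
            return False
        self.unused_tokens.discard(token)   # spend it before acting
        return self._move(p["from"], p["to"], int(p["amount"]))


def demo_replay(secure):
    """Victim sends one transfer of 30; the attacker replays the captured URL
    twice. Returns the victim's final balance."""
    bank = Bank()
    token = bank.issue_token()
    url = f"https://bank.example/transfer?from=victim&to=attacker&amount=30&token={token}"
    handler = bank.transfer_secure if secure else bank.transfer_insecure
    handler(url)            # the legitimate request
    handler(url)            # replay 1
    handler(url)            # replay 2
    return bank.balances["victim"]


if __name__ == "__main__":
    print("victim balance without token check:", demo_replay(secure=False))
    print("victim balance with single-use token:", demo_replay(secure=True))
```

The token only protects against replay; it does nothing against the man-in-the-middle who rewrites the request before it reaches the bank, which is why the transfer also has to travel over TLS and be tied to the user's login session.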
Slide 108
Intrusion attack
Backdoor
Code inserted into a program that lets the attacker exploit the hole to access the system
For example: the Sobig and Mydoom worms installed a backdoor on infected Windows machines, which
was then used to send spam
Intrusion attack
Social engineering
The attacker exploits the "human" factor
Social engineering
The attacker takes advantage of people, for example someone's carelessness, by contacting and
talking to them to learn the login password to a system.
Slide 110
Intrusion attack
Software or a website can have latent security vulnerabilities. If the hacker finds them, he can
attack, penetrate and gain control of the system.
For example, software vulnerabilities of the buffer overflow kind, or website vulnerabilities of
the SQL injection kind, are dangerous and common, and are routes for the hacker to attack and
penetrate the system.
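SQL injection in a login form, as an added example for this lecture (not code from any site the lecture mentions): the vulnerable handler pastes the username into the SQL text, so a username of `admin' --` comments the password check out of the query and logs in as admin without the password; the safe handler uses a parameterized query, so the same input is just a string that matches no user. The in-memory SQLite database and its single user are constructed.

```python
"""SQL injection in a login query, and the parameterized fix.

Added example for this lecture, not code from any site the lecture mentions.
It uses an in-memory SQLite database with one constructed user."""
import hashlib
import sqlite3


def setup_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pwhash TEXT NOT NULL)")
    # Demo only: an unsalted SHA-256; a real system uses a salted, slow hash.
    conn.execute("INSERT INTO users VALUES (?, ?)",
                 ("admin", hashlib.sha256(b"Adm1n-Pass!").hexdigest()))
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """User input is pasted into the SQL text, so the input can change the
    query. username = "admin' --" comments out the password check entirely."""
    pwhash = hashlib.sha256(password.encode()).hexdigest()
    sql = (f"SELECT username FROM users WHERE username = '{username}' "
           f"AND pwhash = '{pwhash}'")
    return conn.execute(sql).fetchone() is not None


def login_safe(conn, username, password):
    """Parameterized query: the driver sends values separately from the SQL,
    so a quote or comment marker in the input is just data."""
    pwhash = hashlib.sha256(password.encode()).hexdigest()
    sql = "SELECT username FROM users WHERE username = ? AND pwhash = ?"
    return conn.execute(sql, (username, pwhash)).fetchone() is not None


def run_demo():
    """Legitimate login and two injection payloads against both handlers."""
    conn = setup_db()
    return {
        "legit_vulnerable": login_vulnerable(conn, "admin", "Adm1n-Pass!"),
        "legit_safe": login_safe(conn, "admin", "Adm1n-Pass!"),
        "comment_vulnerable": login_vulnerable(conn, "admin' --", "whatever"),
        "comment_safe": login_safe(conn, "admin' --", "whatever"),
        "or_vulnerable": login_vulnerable(conn, "' OR 1=1 --", "whatever"),
        "or_safe": login_safe(conn, "' OR 1=1 --", "whatever"),
    }


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name:20s} logged in: {outcome}")
```

Escaping quotes by hand is not a substitute for parameters: it is easy to miss a case (numeric fields, different encodings), whereas with placeholders the database never parses user input as SQL at all.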
Slide 111
Intrusion attack
Attackers also commonly use tools to guess or crack the password to a system.
Slide 112
Attack Methods
Probing attack
Intrusion attack
Denial of Service attack
The last one is denial of service; this method overwhelms the system that provides the service so
that it can no longer serve requests normally.
Slide 114
Distributed Denial of Service (DDoS) is an attack carried out from many computers at the same
time.
Slide 116
Slide 118
Conclusion
Probing attack
Sniffing
Ping sweep
Port sweep
Intrusion attack
Hijacking
MITM
Replay
Backdoor
Social engineering
Software vulnerabilities (buffer overflow, SQL injection)
Password cracking
Denial of service attack
DoS
DDoS