
Slide 1

BCSE - Security Overview

Hello everyone. We will start with the first topic of the BCSE course: Security Overview.
This part gives you a general view of network security today.
Slide 2

Content

1. The Importance of Security

2. Basic Access

3. Authentication Methods

4. Authorization

5. Accounting

There are five parts to today's lesson:


1. The Importance of Security
2. Basic Access
3. Authentication Methods
4. Authorization
5. Accounting
Slide 3

Content

1. The Importance of Security

2. Basic Access

3. Authentication Methods

4. Authorization

5. Accounting

Case-study:

Common cyber attack types

To begin, let's talk about why network security is necessary. What is network security and what is
its role? Network security is similar to physical security: it is a broad concept covering attack,
penetration, law-breaking, defence, protection and so on, but in the network and computer
environment. When we speak of the network security of a system, we generally mean how secure
that system is and how well it can withstand attack.
Slide 4

The Importance of Security


Why we need security?

Put another way, network security means stopping an attacker from penetrating the system by any
route: over the network, through people, or by physically reaching the computer. What happens if a
network that has been operating well suddenly has computers that no longer behave as programmed,
or whose data is wiped entirely? Or if a computer holding strictly confidential documents is
infected with malware that silently sends that information outside? Either case is certainly a
huge loss.
Slide 5

The Importance of Security

- What do you need to protect?
  - Data
  - Resources
  - Reputation
- Security needs a comprehensive solution
- Nothing is absolutely safe

To understand the role of network security, let's review what needs to be protected when a
computer is placed in a network environment.
Data? Yes, certainly. This is the first thing people think of, and it really is important. From a
personal computer to the network of a company or organisation, there is confidential data that
needs protection. For example, a director's personal computer holds many important documents, and
a company's server holds its customer database. If that data is lost or leaks outside, the damage
is very serious.
Second, resources also need protecting. If a computer is infected with malware it can be used to
attack other systems, consuming its processing capacity and its network connection; and if a
system is attacked, bandwidth is consumed and the network is blocked.
Another factor that is easily hurt when a network is attacked is reputation. If a company takes
orders through its website and that website suddenly cannot be reached, or is broken into and its
homepage defaced, the business suffers and its reputation drops sharply. Or an online newspaper is
hit by DDoS and its regular readers cannot reach it; that does not mean they stop reading news,
they simply go to another newspaper. If the outage or denial of service lasts, the newspaper loses
a large share of its regular readers.
So, with data, resources and reputation to protect, we need ways of ensuring network security.
However, different systems need different measures, depending on each system's specific
characteristics, and there is no single detailed method that applies to every system. Many
people, including company directors, think that buying an expensive appliance for their network
makes it safe. That is wrong: no single device can guarantee it. Many factors affect the safety of
a system, from equipment and procedures to operators and users, so a general approach to network
security is necessary.
- Another point about network security: nothing is absolutely safe. We need to understand this in
order to strengthen protection and be ready to respond to attacks.
Slide 6

The Importance of Security

Older network system – Closed

Present network system – Opened

Another reason network security is necessary today is that company networks are becoming open.
Because of work demands and the development of technology, more tasks involve computers; a system
now typically has more access points and inbound connections, which brings higher network security
threats than ever before.
Slide 7

The Importance of Security

- Attack tools become stronger
- The technical knowledge required decreases

Moreover, over time more and more attack tools have appeared and they keep getting stronger, which
lowers the skill needed to use them. Previously, attacking a system required the hacker to
understand that system in depth, find a way in, and build his own attack tools. Today there are
many ready-made tools covering every step from discovery to attack, with easy interfaces and even
usage instructions on the Internet, which makes attacking very simple. The operator only needs to
enter a target and press a button, without deep knowledge of programming. With more attackers and
stronger tools, systems clearly face more threats.
Slide 8

Threats of attack

- With purpose
- Without purpose
- From outside
- From inside

We classify attack threats in two ways.

In terms of purpose, there are two types:
+ With purpose
+ Without purpose
In terms of scope and origin of the attack:
+ From outside
+ From inside
Slide 9

Threat of attack – Without purpose

- Attacks only because he feels like it
- Has no specialised knowledge
- Is sometimes himself a victim used by others (for example as a bot in a DDoS attack)

- Attacks without purpose are mainly driven by curiosity, mischief or enjoyment.
- The attacker often has no specialised knowledge; he just reads instructions, finds a victim and
tries the attack.
Slide 10

Threat of attack – With purpose

- Has a specific target
- Is supported with time, money and tools
- Has specialised knowledge

This type of attack is more dangerous.

- The attacker picks the target from the start and works hard to reach it.
- Normally the attacker is backed by investment of time and money in the attack.
- Generally, a purposeful attacker has sharper knowledge than one without purpose.
Slide 11

Threat of attack – From outside

- The attacker is someone who is not allowed access
- Operates from outside the network

Next, we consider the direction of attack.

An outside attacker attacks the internal network from outside. Like an ordinary visitor on the
Internet, this attacker has no right to access the internal network and can only examine the
services the system exposes publicly. Usually an outside attacker does not know the internal
configuration of the system clearly, so he needs to probe and gather information first.
This type accounts for about 30% of attacks.
Slide 12

Threat of attack – From inside

- Originates inside the network
- The attacker is someone who is allowed to access the network
- 70% of attack threats come from inside

The remaining 70% are internal attacks.

- This type of attack is more dangerous because the attacker works closely with the system, can
perform more operations on it, and knows its configuration, operating procedures and user habits.
Slide 13

1. DDoS attack targeting Vietnamese electronic newspapers

Let's review some network security incidents in Vietnam in recent times.

First, the DDoS attack on electronic newspapers.
Slide 14

1. Dan Tri

2. Vietnamnet

3. Tuoi tre

- In July 2013, many large electronic newspapers in Vietnam were attacked, including Dân trí,
Vietnamnet and Tuổi trẻ.
- In the first days there were signs of unstable access, and then the entire systems were
paralysed completely.
- One electronic newspaper then contacted Bkav and the responsible agencies for support and
handling.
Slide 15

IP List

Botnet: at least 14,000 zombies

- According to the statistics at the moment we came to assist, 14,000 IP addresses were
connecting to this system within one second.
Slide 16

From these statistics it could be seen that the IP addresses mostly came from Vietnam and were
scattered across provinces and cities.
Slide 17

This map shows the distribution of attack sources. As you can see, the sources were scattered
everywhere, from America to countries in Europe, China, Japan and so on, but they were
concentrated in Vietnam.
Slide 18

What will happen if government websites are targeted?

In this example the victims were electronic newspapers, which have heavy traffic and large
resources, and whose technical teams are well trained and experienced with DDoS attacks; yet they
still suffered badly. So how would our government's sites be protected if they were attacked on a
similar scale?
Slide 19

Analyzing malware

In the incident above, Bkav assisted one newspaper, localised the attack source and collected a
sample of the malware that carried out the attack.
Slide 20

This malware poses as a Bluetooth service, a service familiar to many users.
Slide 21

- Analysis of this file shows that it continuously connected to three external server addresses
to receive attack commands.
Slide 22

This is a summary table of the malware's behaviour, with two main parts: connecting to the control
server to receive attack commands, and a configuration file containing the target information and
the request packets used for the attack.
Slide 23

Vietnamnet
•vietnamnet.vn
•m.vietnamnet.vn
•batdongsan.vietnamnet.vn
•m.batdongsan.vietnamnet.vn
Dan Tri
•dantri.vn
•s.dantri.com.vn
•m.dantri.com.vn
•dantri.com
•dantri.com.vn
Tuoi Tre
•tuoitre.vn
•sevice.tuoitre.vn
•wa2.tuoitre.vn
•m.tuoitre.vn
•s.tuoitre.vn
•wa3.tuoitre.vn
•wa4.tuoitre.vn

So this malware sends requests to many sub-domains of the newspapers, not just the main domain.
Slide 24

This is the request packet constructed to send requests.


Slide 25

Many daily variants. The last one was on July 25th

This sample was continuously updated with new variants from the control server; as far as we
observed, the last variant was pushed on July 25th.
Slide 26

This is an analysis of another malware sample with similar functionality: it also receives
commands from a control server and then attacks many Vietnamese newspapers.
Slide 27

How was the botnet formed?

So how was the malware spread? Why were so many computers infected and used for the attack?
Slide 28

TuneUp Utilities, Photoshop, Pikachu, MS Word….

From our observation, attackers have many ways to spread malware, but in the cases above the main
technique was to attach malware to software installers and share them on the network. They create
new accounts on forums to post articles sharing the trojanised software, or they find ways to
compromise the accounts of active members or administrators of those forums and edit their
earlier posts. Installers in those posts are downloaded and installed more often thanks to the
reputation of the account that posted them.
Slide 29

2. Spyware

We have just talked about DDoS attacks. Now let's move to another kind of attack: spyware. This is
a widespread trend and a major threat to consider today.
Slide 30

Targeted Attack in Vietnam

In fact, according to our research in recent years there have been many attacks on Vietnamese
State agencies, including many important cases. As this image shows, emails with attachments
containing malware are sent to the target. This is a common scenario today.
Now we will look more closely at the common scenarios used to spread spyware in Vietnam.
Slide 31

Spyware in Vietnam
The first scenario: inject spyware into download websites
Example 1: Vietnamese keyboard: Unikey.org was hacked and injected with spyware
Example 2: 3c.com.vn, a popular download website in Vietnam

In the first scenario, as with malware spread to build a botnet and malware distribution in
general, the attacker plants spyware on websites and forums that offer software downloads. They
can even find ways to compromise official, reputable software sites, as in the recognised cases of
Unikey.org and 3c.com.vn, which were hacked and seeded with malware. Both sites have an enormous
number of downloaders, which makes the risk of spyware infection high.
Slide 32

Spyware in Vietnam

The second scenario: steal email accounts and send a "document file"

Real-world documents + a hacked VIP email account -> targeted email addresses

The second scenario, common in attacks on ministries, departments and agencies, is where the
attacker steals an email account and uses it to send emails containing malware to the addresses in
its contact list. This is especially dangerous when the attacker gets into the email account of a
senior manager: he steals that manager's important confidential documents and then uses the
account to send those documents (with malware attached) to other people in the contact list, who
may themselves be senior managers, leading to a chain attack.
Slide 33

Spyware in Vietnam

The second scenario: steal email accounts and send a "document file"

This image was taken when we were helping with a case in which a person had not sent emails to his
relatives, yet they still received them. We looked at the account log and saw that, apart from the
usual logins from Vietnam, there was one login from China, while he had never been to China or
used a proxy before.
Slide 34

Spyware in Vietnam
The second scenario: steal email accounts and send a "document file"

These images show the contents of emails in State agencies where we assisted with the
investigation. Their subject, body and attachment names all match the internal context of that
unit, which makes recipients likely to open them, unlike ordinary spam with irrelevant content.
Slide 35

Spyware in Vietnam
The third scenario: fake email

If the attacker has not compromised a real email account with which to contact the target, he
forges the sender address to spread malware.
Slide 36

(Image: the displayed sender compared with the real sender in the email header)

As this image shows, the sender is displayed as Do Thang (dvthang@viettel.com.vn), but if we look
carefully at the email header we see that it was actually sent from jingwei.li@tncr.com. That is
the real sender address, and probably not a person at Viettel.
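The header check described above, as an added example (not code from the slides): it compares the address shown in the From: header with the envelope sender (Return-Path) and the relay named in the Received: header. The two messages are constructed for the demonstration; the addresses dvthang@viettel.com.vn and jingwei.li@tncr.com are the ones on the slide, while the host names and IP addresses are invented.

```python
"""Spot a forged display sender: compare the From: header against the
envelope and transport headers (Return-Path, Received).  Added example,
not part of the original slides; the two messages below are constructed."""
import email
from email.utils import parseaddr

# Constructed sample: the displayed sender claims to be dvthang@viettel.com.vn
# but the envelope sender and the relay that handed it over belong to tncr.com.
SPOOFED = """\
Return-Path: <jingwei.li@tncr.com>
Received: from mail.tncr.com (mail.tncr.com [203.0.113.7]) by mx.viettel.com.vn
From: Do Thang <dvthang@viettel.com.vn>
To: victim@viettel.com.vn
Subject: Bao cao thang 7
Content-Type: text/plain

Please open the attached report.
"""

# Constructed legitimate message for comparison.
LEGIT = """\
Return-Path: <dvthang@viettel.com.vn>
Received: from smtp.viettel.com.vn (smtp.viettel.com.vn [198.51.100.5]) by mx.viettel.com.vn
From: Do Thang <dvthang@viettel.com.vn>
To: victim@viettel.com.vn
Subject: Bao cao thang 7
Content-Type: text/plain

Report attached.
"""


def _domain(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def analyse_sender(raw: str) -> dict:
    """Return the claimed From: address, the envelope sender and the first
    relay, plus a verdict on whether they disagree."""
    msg = email.message_from_string(raw)
    _, from_addr = parseaddr(msg.get("From", ""))
    _, return_path = parseaddr(msg.get("Return-Path", ""))
    received = msg.get_all("Received") or []
    # The last Received: header in the list is the one added closest to the
    # origin; its "from" token names the relay that injected the message.
    first_hop = ""
    if received:
        parts = received[-1].split()
        if len(parts) > 1 and parts[0].lower() == "from":
            first_hop = parts[1].lower()
    envelope_mismatch = bool(return_path) and _domain(return_path) != _domain(from_addr)
    hop_mismatch = bool(first_hop) and not first_hop.endswith(_domain(from_addr))
    return {
        "from": from_addr,
        "envelope_sender": return_path,
        "first_hop": first_hop,
        "suspicious": envelope_mismatch or hop_mismatch,
    }


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(label, analyse_sender(raw))
```

A mismatch is a signal, not proof: mailing lists and forwarding services legitimately rewrite the envelope sender, so in production this check is combined with SPF and DKIM results rather than used alone.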
Slide 37

What do the attached files contain?

- .zip files containing executables: .exe, .dat, etc.
- Exploits for vulnerabilities in the applications that process .doc, .ppt and .xls files
- The RLO (Right-to-Left Override) trick

The attachments in these attack cases may be .zip files containing .exe or .dat files; however,
such files are often suspected and harder to get opened. So a popular format is the document file
(.doc, .ppt, .xls), exploiting vulnerabilities in the applications that handle them.
Slide 38

Actions of spyware
- Keylogging
- Screen capture / video recording
- Eavesdropping
- Collecting documents / browsing files / stealing files

Once spyware is installed on the victim's computer it silently carries out spying actions such as
recording keystrokes, capturing the screen, even recording audio, browsing files and stealing
documents, then sending them outside.
Slide 39

Example 1

This image analyses the file attached to a specific email. The file exploits a vulnerability in
Microsoft Office to drop malware named YahooMsg.exe, with the spy functions shown in the image.
Slide 40

Example 2

This image analyses a .scr file which uses the Windows RLO (Right-to-Left Override) trick to
display itself as a .ppt file.
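The RLO trick above, as an added example (not from the slides): U+202E is a Unicode control character that makes a bidi-aware file manager render everything after it reversed, so a name stored as "report" + RLO + "tpp.scr" is shown as "reportrcs.ppt" while Windows still treats it as a .scr executable. The filename is constructed; the function reports the real extension and what the user would see.

```python
"""Reveal the real extension of a filename that uses Unicode bidirectional
override characters (the RLO trick).  Added example, not from the slides;
the sample filename is constructed."""
import unicodedata

# Bidi control characters that can change how a name is displayed.
BIDI_CONTROLS = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF",
    "\u202d": "LRO", "\u202e": "RLO",
    "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI", "\u2069": "PDI",
}

# Extensions Windows executes directly; a hidden one of these is the red flag.
EXECUTABLE = {".exe", ".scr", ".com", ".bat", ".cmd", ".pif", ".js", ".vbs"}

# Constructed attachment name: stored as "report" + RLO + "tpp.scr",
# which a bidi-aware file manager renders as "reportrcs.ppt".
SAMPLE = "report\u202etpp.scr"


def has_bidi_override(name: str) -> bool:
    return any(ch in BIDI_CONTROLS for ch in name)


def true_extension(name: str) -> str:
    """Extension the OS will actually use, ignoring display tricks."""
    clean = "".join(ch for ch in name if ch not in BIDI_CONTROLS)
    dot = clean.rfind(".")
    return clean[dot:].lower() if dot >= 0 else ""


def displayed_as(name: str) -> str:
    """Approximate what a user sees: text after an RLO is shown reversed
    until a PDF (pop directional formatting) or the end of the name."""
    out, buf, reversed_mode = [], [], False
    for ch in name:
        if ch == "\u202e":
            reversed_mode = True
        elif ch == "\u202c":
            out.extend(reversed(buf))
            buf = []
            reversed_mode = False
        elif reversed_mode:
            buf.append(ch)
        else:
            out.append(ch)
    out.extend(reversed(buf))
    return "".join(out)


def describe(name: str) -> dict:
    """Everything a mail gateway or analyst would want to log about the name."""
    return {
        "displayed": displayed_as(name),
        "true_extension": true_extension(name),
        "bidi_controls": [unicodedata.name(ch) for ch in name if ch in BIDI_CONTROLS],
        "suspicious": has_bidi_override(name) and true_extension(name) in EXECUTABLE,
    }


if __name__ == "__main__":
    print(describe(SAMPLE))
```

Blocking or renaming any attachment whose name contains a bidi control character is a cheap gateway rule; legitimate filenames almost never need them.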
Slide 41

The malware's version information is faked to look like real Yahoo software.


Slide 42

The process looks like a normal one.


Slide 43



Slide 44

In reality
- How many computers/servers were infected?
- How much data was stolen?
- How much data was changed?
- What will happen if the malware receives a command to destroy hardware?

These are only the examples we detected, the tip of the iceberg; in reality many computers have
spyware installed, many spying attacks may be happening silently, and the damage is enormous.
Slide 45

3. Web attack

Another common kind of attack is attacking a website to gain control of it and deface its
content.
Slide 46

.gov.vn

Source: Zone-H

Last May, a large number of websites in Vietnam were attacked, including .gov.vn websites
belonging to the government.
Slide 47

Although the total number of Vietnamese websites attacked last May increased, as observed these
were not major sites; the government sites among them belonged to small units, not to important
ministries, departments or agencies. From the messages the hackers left on the defaced sites, we
can guess these were spontaneous attacks related to the recent situation in the South China Sea.
This is the general trend today: conflict in the real world leads to conflict on the network.
Slide 48

4. Attacks targeting banks

Banks are a favourite target of hackers and attackers because of the financial motive.
Slide 49

Some information security incidents at banks around the world

There have been many attacks on banks in recent years.


Slide 50

For example, at the end of 2011 the large bank Citibank was attacked and around 200,000 credit
card records were stolen; six large American banks were reported attacked at the beginning of
2012; and many banks and television stations were attacked at the beginning of 2013.
Slide 51

The most recent is the discovery of an attack on a bank in Europe aimed at stealing the
information of 190 customers, involving a considerable amount of money in only a short time.
Slide 52

Some information security incidents at banks in Vietnam

These are some information security incidents at banks in Vietnam.


Slide 53

Exploiting vulnerabilities in software and operating procedures to transfer money illegally

Viruses penetrating and lurking in the system, even penetrating ATMs

Stealing and encrypting data for ransom

Penetrating and modifying data on websites

The situation is similar for domestic banks: many attacks exploit software vulnerabilities or
operating procedures. Many virus samples have been detected that penetrate systems and steal bank
account information.
Slide 54

The most notable case in 2012 involved taking over a phone number and then using it to steal money
by transferring up to millions of Vietnamese dong.
Slide 55

Threats to network system

From the actual state of network security we can see that threats to a network can come from
anywhere at any time, so precautions and stronger protection are necessary.
Slide 56

Solutions to ensure security

(Diagram: security is a continuous process, accompanied by information security policies:
Overview -> Implement -> Supervise -> Assess -> Enhance, and back to the start)

There is no single detailed method that secures every system; what is needed is an overall
approach combining many factors suited to each system. It should be considered and carried out as
a continuous process, regularly monitored and updated so that appropriate solutions are in place.
Slide 57

Solutions to ensure security


Solutions
- Security equipment: firewall, IDS/IPS, ...
- VLAN
- Virtual Private Network (VPN)
- Antivirus
- Hardening of servers and applications
- Security policy
- All will be introduced in the BCSE course

These are some common concepts in solutions for ensuring the network security of a system. They
will be covered in more detail in later lessons.
Slide 58

Solutions to ensure security

This is a model with many components that together ensure network security.


Slide 59

Content

1. The Importance of Security

2. Basic Access

3. Authentication Methods

4. Authorization

5. Accounting

Next, let's move to the second part of today's lesson: Basic Access.
Slide 60

Basic Access – Introduction

- Authentication
  - Access control
  - Distinguishing individuals
  - Distinguishing resources
- Authorization
  - Depends on the authentication process
  - Controlled by an Access Control List (ACL)
- Accounting
  - A unique record in a database
  - For investigation and tracing

In network security there are three familiar concepts concerning access. All of them start with
the letter A in English:
Authentication: the identification process, verifying the real owner of an account. It is the
first step in any system with users: distinguish the accounts, then apply the appropriate
authorization and access-control policies.
Authorization: as mentioned above, after authenticating an account the system grants that account
the appropriate permissions to access and interact with the system. It is often controlled by an
Access Control List (ACL).
Accounting: after access has been authorized, the user's actions and operations are still
recognised and recorded by the system. This step ensures information is stored for later review,
investigation and tracing.
Slide 61

Basic Access – Proving the right to log in

- What you know: password / Personal Identification Number (PIN)
- What you have: smart card
- What you are: biometrics

In more detail about authentication: depending on its function, each system usually uses one of
the three factors below to authenticate users:
What you know: password, PIN; for example, a Windows password or a Facebook account password.
What you have: a token, USB token, smart card; for example, in my company, to access the servers a
user needs a digital signature on a device in addition to the Windows password.
What you are: biometrics, based on a distinguishing feature of each person such as a fingerprint
or face. For example, many companies today use fingerprint identification for entering and leaving
the company or a room.
Slide 62

Content

1. The Importance of Security

2. Basic Access

3. Authentication Methods

4. Authorization

5. Accounting

Next, I will talk in more detail about authentication methods.


Slide 63

Overview

- Verifies the user's right to log in to resources
- The most commonly used is the username/password combination

As mentioned above, authentication is the basis for granting a user permissions on the system. And
the most popular authentication method is username/password.
Slide 64

One-way/Two-way

- One-way authentication:
  - The server authenticates the client
  - The client cannot authenticate the server
- Two-way authentication:
  - Client and server mutually authenticate each other

Authentication systems can be classified into two types: one-way and two-way.
In one-way authentication the client must prove itself to the server, but not the reverse.
In two-way authentication both sides authenticate each other.
For example, logging in to an FTP server is one-way.
Two-way is authentication of both server and client, for example when using an access server such
as RADIUS or TACACS.
Slide 65

Username/password

- The most popular authentication type
- Transmits the username/password to the server
- Example: dial-up

More about the most popular method: username/password. The client sends its username and password
to the server for verification. There are many examples, and probably all of us use a username and
password daily to log in to a website or a system.
Slide 66

Username/Password

- Maintenance
  - How long is the user allowed to keep the same password?
  - Is the password changed regularly?
- At risk of being stolen

Some questions to ask when assessing the safety of a system that uses this authentication method:
How long does a login session last? Require the client to re-authenticate after a certain period
of inactivity.
Is a password change required? There should be a policy requiring a password change after a
certain period, perhaps monthly, quarterly or annually, depending on the system.
Storage of login information on the server also deserves attention. Alongside the general
protection of the server, the passwords stored on it must be hashed with a salt (never kept in
clear text), so that a compromise of the server does not hand the attacker every account.
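The three A's from the Basic Access introduction, together with the point above about how login information is stored, in one added example (not code from the slides). Authentication checks a salted PBKDF2 hash rather than a stored password, authorization is a deny-by-default ACL, and accounting writes every decision to an audit log. The users, resource names and ACL entries are constructed.

```python
"""Authentication, authorization and accounting in one small service.
Added example, not from the slides.  Passwords are stored only as salted
PBKDF2 hashes; permissions come from a deny-by-default ACL; every decision
is written to an audit log.  Users, resources and ACL entries are constructed."""
import hashlib
import hmac
import os
import time

PBKDF2_ITERATIONS = 100_000


def hash_password(password: str, salt: bytes = b"") -> str:
    """Return 'salt_hex$hash_hex'; a fresh random salt defeats precomputed tables."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"{salt.hex()}${digest.hex()}"


def verify_password(stored: str, password: str) -> bool:
    salt_hex, digest_hex = stored.split("$", 1)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), PBKDF2_ITERATIONS)
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(candidate.hex(), digest_hex)


class AAAService:
    def __init__(self):
        self.users = {}    # username -> stored salted hash
        self.acl = {}      # resource -> {username: set(actions)}
        self.audit = []    # accounting records

    # --- Authentication --------------------------------------------------
    def register(self, user: str, password: str) -> None:
        self.users[user] = hash_password(password)

    def authenticate(self, user: str, password: str) -> bool:
        stored = self.users.get(user)
        # Hash even for unknown users so response time does not reveal
        # which usernames exist.
        ok = verify_password(stored or hash_password("dummy"), password)
        return ok and stored is not None

    # --- Authorization ---------------------------------------------------
    def grant(self, resource: str, user: str, *actions: str) -> None:
        self.acl.setdefault(resource, {}).setdefault(user, set()).update(actions)

    def authorize(self, user: str, resource: str, action: str) -> bool:
        # Deny by default: no ACL entry means no access.
        return action in self.acl.get(resource, {}).get(user, set())

    # --- Accounting ------------------------------------------------------
    def _record(self, **event) -> None:
        self.audit.append({"ts": time.time(), **event})

    def access(self, user: str, password: str, resource: str, action: str) -> bool:
        """Full AAA path for one request; returns whether it was allowed."""
        if not self.authenticate(user, password):
            self._record(user=user, resource=resource, action=action, result="auth_failed")
            return False
        allowed = self.authorize(user, resource, action)
        self._record(user=user, resource=resource, action=action,
                     result="allowed" if allowed else "denied")
        return allowed


if __name__ == "__main__":
    svc = AAAService()
    svc.register("alice", "correct horse battery staple")
    svc.grant("/finance/report.xls", "alice", "read")
    print(svc.access("alice", "correct horse battery staple", "/finance/report.xls", "write"))
    for entry in svc.audit:
        print(entry)
```

The audit log is what makes the accounting step useful later: a failed-authentication burst for one user, or repeated "denied" entries for a resource, is exactly the trace an investigator looks for.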
Slide 67

Username/Password

Keyloggers
- Software: records the user's keystrokes
- Hardware: a device placed between the keyboard and the computer, recording every keystroke

The biggest threat today to username/password authentication is the keylogger: a program that
silently records keystrokes and is used to spy on and steal account names and passwords.
Keyloggers are common in the form of trojans, but there are also hardware devices with the same
capability, used for spying.
Slide 68

Username/Password solution

- Long password
- Including letters, numbers and symbols
- Changed at a sensible interval (the slide suggests at least once a month)
- Not reused across different accounts
- Care when giving the password to others

For users, some advice for reducing the risk of losing a password:
Set a strong password.
Change the password at an appropriate interval.
Do not use the same password for different systems and services.
Do not share or hand out the password to others.
Slide 69

CHAP concept

- Challenge Handshake Authentication Protocol (CHAP)
  - Secret: the user's password
  - Random: a random number (the challenge) that makes each hashed response unpredictable

Within username/password authentication, CHAP is used to make the authentication exchange safer.
It is a challenge protocol that works as a three-way handshake.
Slide 70

CHAP vs PAP
- An alternative to the Password Authentication Protocol (PAP)
- Safer: MD5
- The password is not transmitted over the network
- Used in remote login, PPP, RRAS and authentication to web services

CHAP is safer than PAP (the traditional method, which sends the password itself) because the
password never crosses the network: only a hash value is sent for comparison. (A hash is produced
by an algorithm that gives a different output for each different input and from which the
original input cannot be recovered; MD5 is a popular hash and is the one used in this protocol.)
Moreover, the CHAP exchange includes an ID field identifying the session and a fresh random
challenge, which prevents replay attacks. Two caveats: a captured challenge/response pair can
still be tested offline against password guesses, so the secret must be strong; and the server
has to keep each secret in recoverable form in order to compute the same hash.
This protocol is widely used in services such as remote login, PPP, RRAS and authentication to web
services.
Slide 71

CHAP operation

This illustrates the process when two routers authenticate each other using CHAP (with MD5).
Slide 72

CHAP operation

- The client makes a request
- The server sends a challenge
- The client hashes the challenge together with the secret and sends the result to the server
- The client is authenticated if the results match

In detail, the protocol performs a three-way handshake as follows. Both server and client know the
password. When the client connects, the server sends a session ID (to prevent replay on the line)
together with a random number (the challenge). The client combines the information received from
the server with its password to produce a hash value (which cannot be reversed) and sends it to
the server. The server computes the hash from the same information using the same algorithm and
compares it with the value sent by the client: if they match, authentication succeeds; if not, it
fails.
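The handshake above as runnable code, an added example rather than the slides' own: the response is computed the way RFC 1994 specifies, MD5 over the one-byte ID, the secret and the challenge, and the authenticator discards each challenge after one use so a captured response cannot be replayed. The peer name "router-b" and the shared secret are constructed.

```python
"""CHAP three-way handshake (RFC 1994): response = MD5(id || secret || challenge).
Added example, not the slides' own code; peer name and secret are constructed."""
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Value the peer returns: MD5 over the one-byte ID, the secret and the challenge."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class ChapAuthenticator:
    """The server side.  It must hold each peer's secret in recoverable form
    because it recomputes the same hash; that is an inherent cost of CHAP."""

    def __init__(self, secrets: dict):
        self.secrets = secrets      # peer name -> secret bytes
        self.pending = {}           # (peer, id) -> challenge awaiting a response
        self.next_id = 0

    def send_challenge(self, peer: str):
        """Step 1: a fresh ID and a random challenge for this session."""
        self.next_id = (self.next_id + 1) & 0xFF
        challenge = os.urandom(16)
        self.pending[(peer, self.next_id)] = challenge
        return self.next_id, challenge

    def verify(self, peer: str, identifier: int, response: bytes) -> bool:
        """Step 3: recompute and compare.  The challenge is consumed whether or
        not the response is valid, so a recorded response cannot be replayed."""
        challenge = self.pending.pop((peer, identifier), None)
        secret = self.secrets.get(peer)
        if challenge is None or secret is None:
            return False
        expected = chap_response(identifier, secret, challenge)
        return hmac.compare_digest(expected, response)


def chap_login(server: ChapAuthenticator, peer: str, secret: bytes) -> bool:
    """Step 2 from the peer's side: hash what the server sent and return it."""
    identifier, challenge = server.send_challenge(peer)
    return server.verify(peer, identifier, chap_response(identifier, secret, challenge))


if __name__ == "__main__":
    server = ChapAuthenticator({"router-b": b"shared-secret"})
    print("good secret:", chap_login(server, "router-b", b"shared-secret"))
    print("bad secret: ", chap_login(server, "router-b", b"wrong-secret"))
```

Because the response depends on the random challenge, an eavesdropper who records one exchange learns nothing reusable, but can still run MD5 over the captured challenge and each password guess offline, which is why the shared secret needs real entropy.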
Slide 73

Kerberos

- Development started at MIT in the late 1980s
- Microsoft brought Kerberos into Windows 2000 and .NET

Another protocol protecting the authentication process is Kerberos. It was developed at the
Massachusetts Institute of Technology at the end of the 1980s, and Microsoft adopted it starting
with Windows 2000.
Slide 74

Kerberos

- Terminology
  - Ticket: a specific permission
  - Ticket Granting Ticket (TGT): issued by the central authority to let the user request a
    service
  - Key Distribution Center (KDC): the server that authenticates the user, issues the TGT and
    allows the user to request services
  - Ticket Granting Server (TGS): checks whether the client is allowed to receive a ticket
Slide 75

Kerberos Operation

This is the operating model of Kerberos: besides the client and the server being authenticated,
there are intermediary servers assisting with the authentication.
Slide 76

Kerberos process
- Authenticate the user
  - The client contacts the Key Distribution Center (KDC) to request authentication
- TGT received from the KDC
  - Lets the client request a ticket for a service
- Service ticket received from the TGS
- The client presents the ticket to the application server
  - Once authenticated, the user is granted access

In summary, Kerberos authentication proceeds as follows:

1. The client contacts the Key Distribution Center (KDC) to request authentication.
2. The KDC replies with a Client/TGS session key encrypted with the client's secret key (the KDC
keeps a key derived from each user's password in its database), which only the real client can
decrypt, together with a Ticket Granting Ticket (TGT).
3. The client sends the TGT to the Ticket Granting Server (TGS).
4. The TGS performs the necessary checks and encryption and replies with a client-to-server
ticket.
5. The client presents that ticket to the service server in order to access the system.
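The five steps above carried out end to end, as an added example that is not from the slides: both sides of the AS, TGS and application-server exchanges are shown, and a wrong password or a ticket presented to the wrong service fails at the decryption step. The ticket encryption is a toy authenticated cipher built from HMAC-SHA256 (real Kerberos uses AES-based encryption types); the principal names (alice, krbtgt, fileserver), passwords and lifetimes are constructed.

```python
"""Simplified Kerberos exchange (AS, TGS and application server) showing the
messages each side sends.  Added example, not from the slides.  The ticket
encryption is a toy authenticated cipher built from HMAC-SHA256 (real Kerberos
uses AES); principals, keys, passwords and lifetimes are constructed."""
import hashlib
import hmac
import json
import os
import time

TICKET_LIFETIME = 600   # seconds a TGT or service ticket stays valid
CLOCK_SKEW = 300        # seconds of authenticator timestamp drift tolerated


# --- toy authenticated encryption: HMAC keystream, then HMAC tag -----------
def _subkey(key: bytes, label: bytes) -> bytes:
    return hashlib.sha256(label + key).digest()


def _stream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = (hmac.new(_subkey(key, b"enc"), nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]


def seal(key: bytes, obj: dict) -> bytes:
    plain = json.dumps(obj).encode()
    nonce = os.urandom(16)
    cipher = bytes(p ^ s for p, s in zip(plain, _stream(key, nonce, len(plain))))
    tag = hmac.new(_subkey(key, b"mac"), nonce + cipher, hashlib.sha256).digest()
    return nonce + cipher + tag


def unseal(key: bytes, blob: bytes) -> dict:
    nonce, cipher, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + cipher, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: wrong key or tampered ticket")
    return json.loads(bytes(c ^ s for c, s in zip(cipher, _stream(key, nonce, len(cipher)))))


def string_to_key(password: str) -> bytes:
    return hashlib.sha256(password.encode()).digest()   # toy string2key


class KDC:
    """Authentication Server and Ticket Granting Server in one process."""

    def __init__(self, user_passwords: dict):
        self.keys = {u: string_to_key(p) for u, p in user_passwords.items()}
        self.keys["krbtgt"] = os.urandom(32)       # TGS key, never leaves the KDC
        self.keys["fileserver"] = os.urandom(32)   # shared with that service only

    def as_exchange(self, user: str) -> bytes:
        """Step 2 (AS-REP): {client/TGS session key, TGT} under the user's key."""
        session = os.urandom(32)
        tgt = seal(self.keys["krbtgt"], {"client": user, "key": session.hex(),
                                         "expires": time.time() + TICKET_LIFETIME})
        return seal(self.keys[user], {"key": session.hex(), "tgt": tgt.hex()})

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, service: str) -> bytes:
        """Step 4 (TGS-REP): check TGT and authenticator, issue a service ticket."""
        t = unseal(self.keys["krbtgt"], tgt)
        a = unseal(bytes.fromhex(t["key"]), authenticator)
        if t["expires"] < time.time() or a["client"] != t["client"]:
            raise ValueError("TGT expired or authenticator does not match")
        svc_session = os.urandom(32)
        ticket = seal(self.keys[service], {"client": t["client"], "key": svc_session.hex(),
                                           "expires": time.time() + TICKET_LIFETIME})
        return seal(bytes.fromhex(t["key"]), {"key": svc_session.hex(), "ticket": ticket.hex()})


def client_login(kdc: KDC, user: str, password: str, service: str):
    """Client side of steps 1-5: returns the service ticket and an authenticator."""
    rep = unseal(string_to_key(password), kdc.as_exchange(user))   # wrong password -> ValueError
    tgs_key, tgt = bytes.fromhex(rep["key"]), bytes.fromhex(rep["tgt"])
    rep2 = unseal(tgs_key, kdc.tgs_exchange(tgt, seal(tgs_key, {"client": user, "ts": time.time()}), service))
    svc_key, ticket = bytes.fromhex(rep2["key"]), bytes.fromhex(rep2["ticket"])
    return ticket, seal(svc_key, {"client": user, "ts": time.time()})


def service_accepts(service_key: bytes, ticket: bytes, authenticator: bytes) -> bool:
    """Application server: open the ticket with its own key, then check the
    authenticator with the session key found inside.  Never talks to the KDC."""
    try:
        t = unseal(service_key, ticket)
        a = unseal(bytes.fromhex(t["key"]), authenticator)
    except ValueError:
        return False
    return (t["expires"] >= time.time() and a["client"] == t["client"]
            and abs(a["ts"] - time.time()) <= CLOCK_SKEW)


def login_succeeds(kdc: KDC, user: str, password: str, service: str) -> bool:
    try:
        ticket, auth = client_login(kdc, user, password, service)
    except ValueError:
        return False
    return service_accepts(kdc.keys[service], ticket, auth)
```

Two properties worth noticing: the password itself is never sent anywhere (a wrong one simply fails to open the AS reply), and the application server verifies the ticket using only its own key, which is why Kerberos scales to many services without each one contacting the KDC.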
Slide 77

One time Password

- The user has a password-generating program
- Can be sent in plaintext through an unsafe environment

A one-time password is another safe option within the username/password approach and is used in
many systems. This kind of password can be sent in clear text over an unsafe (eavesdroppable)
channel without loss of security, because it is used only once and cannot be reused. Note that
this protects against replay, not against an attacker who captures the code and submits it before
the user does, so the server must also refuse a code once it has been accepted.
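The one-time password scheme above in code, an added example that is not from the slides: HOTP from RFC 4226, with a token that only moves its counter forward and a server that accepts each code once within a small look-ahead window. The secret is the RFC 4226 test secret, so the first codes match the RFC's published test vectors; the token/server flow is constructed.

```python
"""HOTP one-time passwords (RFC 4226) with a server that refuses reuse.
Added example, not from the slides.  SECRET is the RFC 4226 test secret;
the token/server flow is constructed."""
import hashlib
import hmac
import struct

# RFC 4226 Appendix D test secret ("12345678901234567890").
SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-SHA1 over the 8-byte counter, dynamic truncation, modulo 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = ((mac[offset] & 0x7F) << 24 | mac[offset + 1] << 16
            | mac[offset + 2] << 8 | mac[offset + 3])
    return str(code % 10 ** digits).zfill(digits)


class HotpToken:
    """What the user carries: the secret plus a counter that only moves forward."""

    def __init__(self, secret: bytes):
        self.secret, self.counter = secret, 0

    def next_code(self) -> str:
        code = hotp(self.secret, self.counter)
        self.counter += 1
        return code


class HotpServer:
    """Accepts a code once, within a small look-ahead window, never twice."""

    def __init__(self, secret: bytes, window: int = 5):
        self.secret, self.window = secret, window
        self.last_counter = -1      # highest counter already consumed

    def verify(self, code: str) -> bool:
        for c in range(self.last_counter + 1, self.last_counter + 1 + self.window):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.last_counter = c   # this and every earlier counter are now dead
                return True
        return False


if __name__ == "__main__":
    token, server = HotpToken(SECRET), HotpServer(SECRET)
    code = token.next_code()
    print(code, server.verify(code), server.verify(code))   # second use is rejected
```

The look-ahead window is what tolerates a user who presses the button a few times without logging in; setting it very large would let an attacker who steals one code have a correspondingly longer time to use it, so it stays small and resynchronisation beyond it is a separate, authenticated step.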
Slide 78

Token Password

- Considered one of the safest solutions
- The token holds some personal information
- Besides the password, the user must have the token

A token is considered a very safe solution; it holds identifying personal information in a defined
format. To log in, the user needs "what they have" (the token) in addition to "what they know"
(the password).
Slide 79

Certificates

- Another way to build an authentication system. A server or Certificate Authority (CA) issues
  the certificate, which may be physical (a smart card) or logical (an electronic signature)
- Uses a public/private key pair. Data encrypted with the public key can only be decrypted with
  the private key
- Relies on a trusted third party for authentication

Certificates, or digital signatures, are also a solution providing high safety for important
systems. It needs a reputable trusted third party to issue the certificates and vouch for them.
Data transmitted under this scheme is encrypted with the recipient's public key and can only be
decrypted with the recipient's private key.
Slide 80

Certificates

- Widely used in web authentication, smart cards, electronic signatures for email and email
  encryption

We meet this model daily in many applications: accessing a website over HTTPS, using smart cards,
signing email electronically.
Slide 81

Problems of Certificates

- PKI implementation is lengthy and expensive: about 8 to 14 months
- Smart cards increase implementation and maintenance costs
- CA services are expensive (for example VeriSign)

This solution brings high safety but costs resources and money.
Slide 82

Biometrics

- Advantages
  - Can be very accurate
  - Quick: the whole authentication takes less than one second
  - Low effort from the user
  - Can combine several factors: fingerprint, iris, voice, etc.

Identification and authentication by biometrics bring the advantages of convenience, speed and
accuracy.
Slide 83

Biometrics

 Problems
Cost
Implementing a biometric authentication system
requires budget for hardware and software
May identify wrongly
The right person is not accepted (false rejection)

However, the expenses of implementing a system of this model are normally not small, and
sometimes misidentification makes it difficult to log in.
Slide 84

Multifactor

 Use more than one authentication solution
What you know
Password / Personal Identification Number (PIN)
What you have
Smart card
What you are
Biometrics

Combining many authentication methods is the solution for systems requiring high safety.
Slide 85

Multi-factor

 Combine two or three authentication
solutions
 Defence in depth
Creating various protection layers

For example: other than username and password, it requires a card or biometrics.

Slide 86

Disadvantages of Multi-factor

 Increasing cost
Implementation: investing in equipment,
training users and administrators
Maintenance: not always compatible
among manufacturers
Upgrade: instability of manufacturers, new
technology invented

The problem is that safety often comes with expense. Establishing and operating a
system with many authentication factors certainly requires more expense than a
simple authentication system.
Slide 87

Multi-factor

 Advantages
Reduces dependence on passwords
Stronger authentication system
Enables use of a Public Key Infrastructure
(PKI)

And of course, such a system will have high safety.

Slide 88

Content

1. The Importance of Security

2. Basic Access

3. Authentication Methods

4. Authorization

5. Accounting

Following the procedure, after authentication we will consider authorization methods.

Slide 89

Overview

 Authorization is enabling access to a resource
 Authorization follows authentication

After the user is authenticated, the system grants the appropriate authorization for the user to
access a resource.
Slide 90

Discretionary Access Control

 The user can create his own access permissions
 Example: sharing printers with others

Discretionary access control (DAC) is an access policy in which the owner of a file or resource
decides for himself. The owner decides who is allowed to access the file and which privileges
they are allowed to exercise.
Slide 91

Mandatory Access Control

 Data protection is not decided by the user
 The system requires data protection
 Example: the user cannot change a shared folder on the server

Mandatory Access Control (MAC) is an access policy determined by the administrator of the system,
not by the owner of the resource.
Slide 92

Role-based Access Control

 Access permission is defined based on the role of the user:
Administrator
Power user
Dialup user
.....

Role-based access control (RBAC) is an authorization solution in which access rights to resources
of the system are determined by the role of the user.
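The three models from the last three slides (DAC, MAC, RBAC) side by side, as an added example that is not part of the course material: in DAC only the owner edits the permission list, in MAC the labels are set by the administrator and no user can override them, and in RBAC permissions hang off roles. The resources, labels, role names and user names are constructed for the demo.

```python
from dataclasses import dataclass, field

# --- DAC: the resource owner decides who may do what (e.g. sharing a printer) ---
@dataclass
class DacResource:
    owner: str
    acl: dict = field(default_factory=dict)   # user -> set of permitted operations

    def grant(self, actor: str, user: str, op: str) -> None:
        """Only the owner may change the permission list."""
        if actor != self.owner:
            raise PermissionError("only the owner may change permissions")
        self.acl.setdefault(user, set()).add(op)

    def allowed(self, user: str, op: str) -> bool:
        return user == self.owner or op in self.acl.get(user, set())


# --- MAC: sensitivity labels are assigned by the administrator, not the owner ---
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}

def mac_read_allowed(subject_level: str, object_level: str) -> bool:
    """A user may read an object only when cleared at or above its label;
    neither the object's owner nor the reader can relabel it."""
    return LEVELS[subject_level] >= LEVELS[object_level]


# --- RBAC: permissions attach to roles; users are assigned roles (constructed) ---
ROLE_PERMISSIONS = {
    "Administrator": {"manage_users", "share_folder", "dialup", "read_files"},
    "Power user": {"share_folder", "read_files"},
    "Dialup user": {"dialup"},
}
USER_ROLES = {
    "alice": {"Administrator"},
    "bob": {"Power user", "Dialup user"},
    "carol": set(),                      # no role: no permissions at all
}

def rbac_allowed(user: str, permission: str) -> bool:
    """Permission check goes through the user's roles, never the user directly."""
    return any(permission in ROLE_PERMISSIONS.get(role, set())
               for role in USER_ROLES.get(user, set()))
```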
Slide 93

Content

1. The Importance of Security

2. Basic Access

3. Authentication Methods

4. Authorization

5. Accounting

The last part covers concepts related to accounting (statistical supervision).

Slide 94

Overview

 The ability to keep account of (audit) the network system
Logging
Scanning
Monitoring

In general, "accounting" is the ability of a network system to supervise and
record the operations of users on the system, for the purpose of tracking, investigating and
examining a problem if necessary.
Slide 95

Logging

 Recording actions, used for statistics of events in the
network
 For example: for controlling who accessed the file server,
when and what was done

Logging:
- Records actions, serving statistics of events in the network
- Example: for the purpose of controlling who accessed the file server, at what time, and for what
Slide 96

Scanning

 Scanning is to check which services are running, then
analyze potential threats to the network
 For example: Retina, Superscan, etc.

Scanning means scanning the system in order to check which services run on it, then analyzing possible
threats. There are many tools supporting scanning of a network system.
Slide 97

Monitoring

 Analyzing log files to
check how resources
are accessed and used
 For example: syslog servers

Monitoring is the process of supervising the system, analyzing log files in order to check how
resources are accessed and used.
Slide 98

Case-study:

Popular cyber attack types

To finish today's lesson, we will discuss popular methods of network attack and some small
tools used by attackers.
Slide 99

Attack Methods

 Probe attack
 Intrusion attack
 Denial of Service attack

Attack methods can be classified into 3 types: probing attacks, intrusion (access) attacks and
denial of service attacks.
Slide 100

Attack Methods

 Probe attack
 Intrusion attack
 Denial of Service attack

The first is the probing attack.

Slide 101

Probing

 Sniffing
The attacker finds a way to sniff traffic to collect important information such as
username/password
It is difficult to carry out on a switched network
Effective against unencrypted information
For example: Ethereal, Dsniff, Packet Inspector

Probing is aimed at collecting information about the system, and includes sniffing attacks, which can help
the attacker gain important information. Some tools supporting probing attacks are: Cain & Abel,
Ethereal, Dsniff...
Slide 102

Probing

 Ping sweep
Used to check which computers are
participating in the network
Uses ICMP echo request/reply
For example: Superscan, Pinger

A ping sweep is a method used to test connectivity and thereby determine the computers and
equipment participating in the network. There are many tools supporting scanning of an
entire network range in order to find computers on the network.
Slide 103

Probing

 Port Sweep
Check which ports are open and which services are running on the server
Some popular ports
HTTP: 80
FTP: 20, 21
SMTP: 25
DNS: 53
For example: Nmap, SuperScan

Checking open ports on computers in the network is aimed at collecting information about
services in this system. Nmap and SuperScan are two of many tools supporting this action.
Slide 104

Probing

 Determining the operating system
The attacker sends information to check which operating system the server runs
 Telnet to the system; different operating systems give different responses
For example: Nmap

By collecting information about service ports and software, one can determine or guess the
operating system of that computer. Nmap is a typical tool for this.
Slide 105

Attack Methods

 Probing attack
 Intrusion attack
 Denial of Service attack

Next, what about the intrusion (access) attack?

Slide 106

Intrusion attack

 Man-in-the-middle
The hacker sits in the middle of the data exchanged between two
computers
 Collects data/passwords
 Then the information is forwarded on to the victim computer
For example
Ettercap

Man-in-the-middle is a method of eavesdropping attack in which the hacker sits in the middle of the
data exchange between two computers, then captures and filters out much important information.
Slide 107

Intrusion attack

 Relay
The hacker sniffs the network
Passwords and authentication information are recorded by the hacker
The hacker alters the authentication information and re-transmits it, posing
as the user
For example: the user sends a money-transfer command (via the web),
the hacker captures this URL and then tries to re-send it, and the user loses
money

A relay (replay) attack is a method of attack in which the hacker sits in the middle, then tries to act as
the user by re-sending recorded message packets in order to carry out the same operations that the
user carried out previously.
Slide 108

Intrusion attack

 Backdoor
 Code inserted into a program, enabling the attacker to take
advantage of holes to access the system
For example: Sobig and Mydoom took advantage of a Windows
vulnerability to install a backdoor and send spam

A backdoor can be loosely understood as a way opened by the hacker on the system through code
executed on it, which lets him keep connecting to the system from outside to
carry out his purpose.
Slide 109

Intrusion attack

 Social Engineering
The attacker exploits the "human" factor

Social Engineering
The attacker takes advantage of "people" to exploit, for example the carelessness of a person, by contacting
and communicating with them to learn the login password to a system.
Slide 110

Intrusion attack

 Exploit vulnerabilities in software, websites

Software or a website can have latent information security vulnerabilities. If a hacker
detects these vulnerabilities, he can attack and penetrate, gaining control of the system.
For example, software vulnerabilities of the Buffer Overflow kind or website vulnerabilities
of the SQL Injection kind are dangerous and common ones, which are ways for the hacker to
attack and penetrate the system.
Slide 111

Intrusion attack

 Attack to get the password
The attacker wants to get the password of
Windows: Administrator
UNIX: root
There are 2 types
Brute force
Dictionary

The attacker also usually uses tools to discover the password to a system.
Slide 112

Intrusion attack

 Attack to get the password
 For example
pwdump2
L0pht Crack
YDump

These are examples of password-cracking tools.
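As an added example tying the Monitoring section (analyzing log files on a syslog server) to the brute-force and dictionary password attacks just described, not part of the original course: a detector that reads sshd-style syslog lines, flags a source address that fails many logins within a short window, and notes whether a success followed, which is the sign that a guess landed. The log lines are constructed, and the threshold, window and year are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the style of Linux sshd syslog entries (not real data).
SAMPLE_LOG = """\
Mar  3 10:00:01 fs1 sshd[2201]: Failed password for root from 203.0.113.7 port 51001 ssh2
Mar  3 10:00:02 fs1 sshd[2202]: Failed password for root from 203.0.113.7 port 51002 ssh2
Mar  3 10:00:03 fs1 sshd[2203]: Failed password for invalid user admin from 203.0.113.7 port 51003 ssh2
Mar  3 10:00:04 fs1 sshd[2204]: Failed password for root from 203.0.113.7 port 51004 ssh2
Mar  3 10:00:05 fs1 sshd[2205]: Failed password for root from 203.0.113.7 port 51005 ssh2
Mar  3 10:00:06 fs1 sshd[2206]: Accepted password for root from 203.0.113.7 port 51006 ssh2
Mar  3 10:15:00 fs1 sshd[2300]: Failed password for alice from 198.51.100.4 port 40001 ssh2
Mar  3 10:20:00 fs1 sshd[2301]: Accepted password for alice from 198.51.100.4 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+)")


def parse(log: str, year: int = 2024):
    """Yield (timestamp, result, user, source_ip); syslog omits the year, so assume one."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["result"], m["user"], m["ip"]


def find_bruteforce(log: str, threshold: int = 5, window: timedelta = timedelta(minutes=1)):
    """Return {ip: {...}} for sources with >= threshold failures inside `window`;
    success_after becomes True if the same source later logs in successfully."""
    failures = defaultdict(list)   # ip -> timestamps of recent failures
    alerts = {}
    for ts, result, user, ip in parse(log):
        if result == "Failed":
            failures[ip] = [t for t in failures[ip] if ts - t <= window] + [ts]
            if len(failures[ip]) >= threshold:
                alerts.setdefault(ip, {"first_seen": ts, "success_after": False})
        elif ip in alerts:         # an Accepted line from an already-flagged source
            alerts[ip]["success_after"] = True
    return alerts


if __name__ == "__main__":
    for ip, info in find_bruteforce(SAMPLE_LOG).items():
        print(ip, info)
```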


Slide 113

 Probing attack
 Intrusion attack
 Denial of Service attack

The last one is the denial of service attack; this method paralyses the system providing the service
so that requests cannot be served as normal.
Slide 114

Denial of Service attack

 Denial of Service (DoS)
Attack from a single computer
The target service is blockaded

Denial of Service (DoS) is a method of attack from a single computer.

Slide 115

Denial of Service attack

 Distributed Denial of Service (DDoS)
Attack from many computers
Used to attack public targets

Distributed Denial of Service (DDoS) is an attack carried out from many computers at the
same time.
Slide 116

Denial of Service attack

These are some illustrations of DDoS


Slide 117

Denial of Service attack - Botnet

Slide 118

Denial of service attack


Slide 119

Denial of service attack

 Master
The hacker's computer controls other computers
(zombies) to attack the victim.
 Agent
Service running on a zombie that enables the hacker to
control it
 Target
The victim's computer

Concepts often mentioned when considering denial of service attacks:
Master
The hacker's computer, which controls other computers (zombies) to attack victims.
Agent
Service running on a zombie that enables the hacker to control it.
Target
The victim's computer.
Slide 120

Conclusion
 Probing Attack
Sniffing
Ping Sweep
Port Sweep

 Intrusion Attack
Hijacking
MITM
Relay
Backdoor
Social Engineering
Technology
Password
 Denial of Service Attack
DoS
DDoS

Conclusion of attack methods
