Introduction to Network Security
This world is changing rapidly with advancing network technologies. Unfortunately, sometimes the convenience of technology can outpace its security and safety. Technologies such as the Internet of Things are ushering in a new era of network communication. There are some who predict that by the year 2020 over 50 billion devices will be connected by the Internet of Things. Technologies such as the Internet of Things have created a critical need for network security professionals. There is currently a great shortfall within the network security field. We want to help change that by writing this book. We also want to change the mindset in the field of network security. Most current cyber security professionals practice defensive and passive security. They mostly focus on mitigation and forensic tactics to analyze the aftermath of an attack. We want to change this mindset to one of offensive security. Becoming a threat hunter and aggressively going after network attacks is how we want those who read this book to think. By writing this book, we will teach you how to become a threat hunter. We strongly believe that learning offensive security will help restore some balance to the networking world. The volume of cybercrime has gotten completely out of hand. Another main reason we are writing this book is to teach the reader how to apply network security. Network theory can only take you so far in understanding network security. It is necessary to use applied knowledge to fully learn all aspects of network security. Reading this book will provide detailed step-by-step instructions on how to use applied network security tools and methods. We also wrote this book to promote an understanding on how hackers attack and what tools they use. This book will give an insight into how a hacker thinks and what methods they use. Having knowledge of a hacker's tactics will give the reader a great advantage in protecting any network from attacks.
Network security is the same as Murphy's law in the sense that, if something can go wrong it will go wrong. To be successful at understanding and applying network security, a person must master the three Ps: persistence, patience, and passion.
A cyber security professional must be persistent in their pursuit of a solution to a problem. Giving up is not an option. The answer will be there; it just may take more time than expected to find it. Having patience is also an important trait to master. When dealing with network anomalies, it is very easy to get frustrated. Taking a deep breath and keeping a cool head goes a long way towards finding the correct solution to your network security problems. Finally, developing a passion for cyber security is critical to being a successful network security professional. Having that passion will drive you to learn more and evolve on a daily basis to get better. Once you learn, then you will improve and perhaps go on to inspire others to embrace similar aspirations in cyber security.
Hackers (and their types) defined
A hacker is a person who uses computers to gain unauthorized access to data. There are many different types of hackers. There are white hat, grey hat, and black hat hackers. Some hackers are defined by their intention. For example, a hacker that attacks for political reasons may be known as a hacktivist. A white hat hacker has no criminal intent, but instead focuses on finding and fixing network vulnerabilities.
Often companies will hire a white hat hacker to test the security of their network for vulnerabilities. A grey hat hacker is someone who may have criminal intent, but not often for personal gain. Often a grey hat will seek to expose a network vulnerability without the permission from the owner of the network. A black hat hacker is purely criminal. Their sole objective is personal gain. Black hat hackers take advantage of network vulnerabilities however they can for maximum benefit. A cyber-criminal is another type of black hat hacker, who is motivated to attack for illegal financial gain. A more basic type of hacker is known as a script kiddie. A script kiddie is a person who knows how to use basic hacking tools, but doesn't understand how they work. They often lack the knowledge to launch any kind of real attack, but can still cause problems on a poorly protected network.
There are a range of many different hacking tools. A tool such as Nmap, for example, is a great tool for both reconnaissance and scanning for network vulnerabilities. Some tools are grouped together to make toolkits and frameworks, such as the Social Engineering Toolkit and Metasploit framework.
The Metasploit framework is one of the most versatile and best supported hacking tool frameworks available. Metasploit is built around a collection of highly effective modules, such as msfvenom, and it provides access to an extensive database of exploits and vulnerabilities. There are also physical hacking tools. Devices such as the Rubber Ducky and Wi-Fi Pineapple are good examples. The Rubber Ducky is a USB payload injector that automatically injects a malicious virus into the device it's plugged into.
The Wi-Fi Pineapple can act as a rogue router and it can be used to launch man-in-the-middle attacks. The Wi-Fi Pineapple also has a range of modules that allow it to execute multiple attack vectors. These types of tool are known as penetration testing equipment. We will explore these tools and others in more detail, later in the book.
The hacking process
There are five main phases to the hacking process:
- Reconnaissance: The reconnaissance phase is often the most time-consuming. This phase can last days, weeks, or even months sometimes depending on the target. The objective during the reconnaissance phase is to learn as much as possible about the potential target.
- Scanning: In this phase the hacker will scan for exploitable vulnerabilities in the network. These scans will look for weaknesses such as open ports, open services, outdated applications (including operating systems), and the type of equipment being used on the network.
- Access: In this phase the hacker will use the knowledge gained in the previous phases to gain access to sensitive data or use the network to attack other targets. The objective of this phase is to have the attacker gain some level of control over other devices on the network.
- Maintaining access: During this phase a hacker will look at various options, such as creating a backdoor to maintain access to devices they have compromised. By creating a backdoor, a hacker can maintain a persistent attack on a network, without fear of losing access to the devices they have gained control over. However, when a backdoor is created, it increases the chance of a hacker being discovered. Backdoors are noisy and often leave a large footprint for IDS to follow.
- Covering your tracks: This phase is about hiding the intrusion of the network by the hacker as to not alert any IDS that may be monitoring the network. The objective of this phase is to erase any trace that an attack occurred on the network.
Ethical hacking issues
Ethics can be different from person to person. Many times, ethics are a matter of interpretation and intent in terms of what your actions are trying to achieve. Ethical hacking can be perceived in a few different ways. For some, ethical hacking is a great and noble pursuit. It is a way to understand how a hacker thinks and attacks. Having this knowledge gives a big advantage to protecting a network from an attack.
- Sun Tzu
The majority of ethical hackers are white hat, although sometimes the methods an ethical hacker uses could be considered grey hat in application. It is important to always get clear, written permission and define the scope of what you can and cannot do while working on a network. Having written permission and a defined scope of what is expected will protect you should you ever become a scapegoat from some anomaly you have no knowledge about.
Since the 1986 Computer Fraud and Abuse Act was passed, it is illegal to access a computer without authorization and steal private government information or financial/credit card information. Breaking into a computer system is the technological version of trespassing. A hacker would say that no harm is done when they break into a computer system. People have a certain expectation of privacy. When that sense of privacy is taken away, a person loses something priceless, even if it seems intangible. There are many people who are unaware that there are different types of hacker, such as white, black, and grey hat hackers. They assume all hackers are malicious and not to be trusted. Being an ethical hacker comes with some stigmatization. An ethical hacker may cause fear and uncertainty within some people who lack this type of knowledge. That fear is often driven by the unknown, that unknown being the extent of an ethical hacker's capabilities.
As mentioned earlier, privacy is priceless. When an individual has the ability to take that away, they may be seen as a potential threat. That is why, as an ethical hacker, it is important to maintain a high ethical standard. Sometimes an ethical hacker may find themselves facing a complicated ethical situation. For example, it is not uncommon to find illegally pirated material on workplace computers such as music, movies, and games. Unless defined by the scope of the job, it may be up to the individual to inform the management about misuse of company computers and network resources. That would be more of an ethical decision made by the individual working on the network/user devices. A different twist on that scenario is finding child pornography on a workplace computer. In that situation, the network security individual who found the illegal material must immediately report it to both law enforcement and management. Failing to report something like that to law enforcement may leave the person who found it liable for criminal prosecution. An ethical hacker may have a complex role within network security, but as long as that person keeps a strong ethical standard they will be fine.
New technologies are continuously changing the landscape of network security. One of the best examples of this is the Internet of Things. A device, car, or building that is embedded with software, sensors, actuators, and some type of network connection is considered to contain the Internet of Things.
Objects with the Internet of Things collect and share data across the Web. Smart energy management systems have fully embraced this technology with great success. The Internet of Things has some amazing benefits, but also has some major and potentially devastating drawbacks. In 2014 two cyber security researchers demonstrated that it was possible to hack into a Jeep Cherokee and disable its brakes and transmission. This was done remotely using a vulnerability found in the Internet of Things.
Medical devices have also been subject to attacks. Some people now disable the Wi-Fi capability on their pacemaker, out of a real fear that a hacker could send a fatal electric shock through the device itself. Another interesting technology that is growing is called Software-defined networks (SDN). SDN allows network admins to manage network services through the abstraction of lower-level functionality. SDN architectures separate network control and forwarding functions, enabling network control to become directly programmable and the underlying infrastructure to be abstracted from applications and network services. This allows for much greater flexibility and scalability when working with modern computing environments.
The rise of smartphones, cloud services, and mobile data content has led to a change in how network architecture and infrastructure are implemented. Although these technologies are helping set new standards in efficiency and capacity, they come with many vulnerabilities that can cause great harm to individuals and businesses. That is why it is important for network security professionals to stay current on new technologies and practices to best protect their networks.
Recent events and statistics of network attacks
The news has been full of cyber-attacks in recent years. The number and scale of attacks are increasing at an alarming rate. It is important for anyone in network security to study these attacks. Staying current with this kind of information will help in defending your network from similar attacks.
Since 2015, the medical and insurance industries have been heavily targeted for cyber-attacks. On May 5th, 2015, Premera Blue Cross was attacked. This attack is said to have compromised at least 11 million customer accounts containing personal data. The attack exposed customer names, birth dates, social security numbers, phone numbers, bank account information, mailing, and e-mail addresses. Another attack that was on a larger scale was the attack on Anthem. It is estimated that 80 million personal data records were stolen from customers, employees, and even the Chief Executive Officer of Anthem. Another more infamous cyber-attack recently was the Sony hack. This hack was a little different from the Anthem and Blue Cross attacks, because it was carried out by hacktivists instead of cyber criminals.
Even though both types of hacking are criminal, the fundamental reasoning and objectives underlying the attacks are quite different. The objective in the Sony attack was to disrupt and embarrass the executives at Sony as well as prevent a film from being released. No financial data was targeted. Instead the hackers went after personal e-mails of top executives. The hackers then released the e-mails to the public, causing humiliation to Sony and its executives. Many apologies were issued by Sony in the following weeks of the attack.
Large commercial retailers have also been a favorite target for hackers. An attack occurred against Home Depot in September of 2014. That attack was on a large scale. It is estimated that over 56 million credit cards were compromised during the Home Depot attack. A similar attack but on a smaller scale was carried out against Staples in October 2014. During this attack, over 1.4 million credit card numbers were stolen. The statistics on cyber security attacks are eye-opening.
It is estimated by some experts that cybercrime has a worldwide cost of 110 billion dollars a year. In a given year, over 15 million Americans will have their identity stolen through cyber-attacks, it is also estimated that 1.5 million people fall victim to cybercrime every day. These statistics are rapidly increasing and will continue to do so until more people take an active interest in network security.
The baseline for preventing potential security issues typically begins with hardening the security infrastructure, including firewalls, DMZ, and physical security platforms, and entrusting only valid sources or individuals with personal data and or access to that data. That also includes being compliant with all regulations that apply to a given situation or business, and being aware of the types of breach as well as your potential vulnerabilities. Also understanding whether an individual or an organization is a higher risk target for attacks is beneficial. The question has to be asked, does one's organization promote security? This is done both at the personal and the business level to deter cyber-attacks.
After a decade of responding to incidents and helping customers recover from and increase their resilience against breaches, organizations may already have a security training and awareness (STA) program, or other training and programs. As the security and threat landscape evolves, organizations and individuals need to continually evaluate practices that are required and appropriate for the data they collect, transmit, retain, and destroy. Encryption of data at rest/in storage and in transit is a fundamental security requirement and the respective failure is frequently being cited as the cause for regulatory action and lawsuits.
Enforce effective password management policies. Least privilege user access (LUA) is a core security strategy component, and all accounts should run with as few privileges and access levels as possible. Conduct regular security design and code reviews including penetration tests and vulnerability scans to identify and mitigate vulnerabilities. Require e-mail authentication on all inbound and outbound mail servers to help detect malicious e-mails including spear phishing and spoofed e-mails. Continuously monitor in real time the security of your organization's infrastructure including collecting and analyzing all network traffic, and analyzing centralized logs (including firewall, IDS/IPS, VPN, and AV) using log management tools and reviewing network statistics. Identify anomalous activity, then investigate and revise your view of anomalous activity accordingly. User training is the biggest challenge, but it is arguably the most important defense.
Security for individuals versus companies
One of the fundamental questions individuals need to ask themselves is, Is there a difference between individuals and an organization? Individual security is less likely due to the attack service area. However, there are tools and sites on the Internet that can be utilized to detect and mitigate data breaches for both: https://haveibeenpwned.com/ or http://map.norsecorp.com/ are good sites to start with. The issue is that individuals believe they are not a target because there is little to gain from attacking individuals, but in truth everyone has the ability to become a target.
Protecting wireless networks can be very challenging at times. There are many vulnerabilities that a hacker can exploit to compromise a wireless network. One of the basic Wi-Fi vulnerabilities is broadcasting the Service Set Identifier (SSID) of your wireless network. Broadcasting the SSID makes the wireless network easier to find and target.
Another vulnerability in Wi-Fi networks is using Media Access Control (MAC) addresses for network authentication. A hacker can easily spoof or mimic a trusted MAC address to gain access to the network. Using weak encryption such as Wired Equivalent Privacy (WEP) will make your network an easy target for attack. There are many hacking tools available to crack any WEP key in under five minutes.
We will explore some of these tools later in this book. A major physical vulnerability in wireless networks is access points (APs). Sometimes APs will be placed in poor locations that can be easily accessed by a hacker. A hacker may install what is called a rogue AP. This rogue AP will monitor the network for data that a hacker can use to escalate their attack.
Often this tactic is used to harvest the credentials of high ranking management personnel, to gain access to encrypted databases that contain the personal/financial data of employees and customers, or both. Peer-to-peer technology can also be a vulnerability for wireless networks.
A hacker may gain access to a wireless network by using a legitimate user as an accepted entry point. Not using and enforcing security policies is also a major vulnerability found in wireless networks. Using security tools such as Active Directory (deployed properly) will make it harder for a hacker to gain access to a network. Hackers will often go after low-hanging fruit (easy targets), so having at least some deterrence will go a long way in protecting your wireless network.
Using Intrusion Detection Systems (IDS) in combination with Active Directory will immensely increase the defense of any wireless network, although the most effective factor is having a well-trained and informed cyber security professional watching over the network. The more a cyber security professional (threat hunter) understands the tactics of a hacker, the more effective that threat hunter will become in discovering and neutralizing a network attack. Although there are many challenges in protecting a wireless network, with the proper planning and deployment those challenges can be overcome.
Knowns and unknowns
The toughest thing about unknown risks to security is that they are unknown. Unless they are found, they can stay hidden. A common practice to determine an unknown risk would be to identify all the known risks and attempt to mitigate them as best as possible. There are many sites available that can assist in this venture. The most helpful are reports from CVE sites that identify vulnerabilities.
|True||TP: correctly identified||TN: correctly rejected|
|False||FP: incorrectly identified||FN: incorrectly rejected|
As it is related to detection for an analyzed event, there are four situations that exist in this context, corresponding to the relationship between the results of the detection for an analyzed event. In this case, each of the corresponding situations is outlined as follows:
- True positive (TP): This is when the analyzed event is correctly classified as an intrusion or as harmful/malicious.
For example, a network security administrator enters their credentials into the Active Directory server and is granted administrator access.
- True negative (TN): This is when the analyzed event is correctly classified and correctly rejected.
For example, an attacker uses a port such as 4444 to communicate with a victim's device. An intrusion detection system detects network traffic on the authorized port and alerts the cyber security team to this potential malicious activity. The cyber security team quickly closes the port and isolates the infected device from the network.
- False positive (FP): This is when the analyzed event is innocuous or otherwise clean in the context of security, however, the system classifies it as malicious or harmful.
For example, a user types their password into a website's login text field. Instead of being granted access, the user is flagged for an SQL injection attempt by input sanitation. This is often caused when input sanitation is misconfigured.
- False negative (FN): This is when the analyzed event is malicious, but it is classified as normal/innocuous.
For example, an attacker inputs an SQL injection string into a text field found on a website to gain unauthorized access to database information. The website accepts the SQL injection as normal user behavior and grants access to the attacker. For detection, having systems correctly identify the given situation is paramount.
Mitigation against threats
There are many threats that a network faces. New network threats are emerging all the time. As a network security professional, it would be wise to have a good understanding of effective mitigation techniques. For example, a hacker using a packet sniffer can be mitigated by only allowing the network admin to run a network analyzer (packet sniffer) on the network. A packet sniffer can usually detect another packet sniffer on the network right away.
Although there are ways a knowledgeable hacker can disguise the packet sniffer as another piece of software, a hacker will not usually go to such lengths unless it is a highly-secured target. It is alarming that most businesses do not properly monitor their network or even at all.
It is important for any business to have a business continuity/disaster recovery plan. This plan is intended to allow a business to continue to operate and recover from a serious network attack. The most common deployment of the continuity/disaster recovery plan is after a DDoS attack. A DDoS attack could potentially cost a business or organization millions of dollars in lost revenue and productivity. One of the most effective and hardest to mitigate attacks is social engineering.
All the most devastating network attacks have begun with some type of social engineering attack. One good example is the hack against Snapchat on February 26th, 2016. "Last Friday, Snapchat's payroll department was targeted by an isolated e-mail phishing scam in which a scammer impersonated our Chief Executive Officer and asked for employee payroll information," Snapchat explained in a blog post. "Unfortunately, the phishing e-mail wasn't recognized for what it was - a scam - and payroll information about some current and former employees was disclosed externally." Socially engineered phishing e-mails, such as the one that affected Snapchat, are common attack vectors for hackers.
The one difference between phishing e-mails from a few years ago and those in 2016 is the level of social engineering hackers are putting into the e-mails. The Snapchat HR phishing e-mail indicated a high level of reconnaissance on the Chief Executive Officer of Snapchat. This reconnaissance most likely took months. This level of detail and targeting of an individual (The Chief Executive Officer) is more accurately known as a spear-phishing e-mail. Spear phishing campaigns go after one individual (fish) compared to phishing campaigns that are more general and may be sent to millions of users (fish). It is the same as casting a big open net into the water and seeing what comes back.
The only real way to mitigate against social engineering attacks is training and building awareness among users. Properly training the users that access the network will create a higher level of awareness of socially engineered attacks.
Building an assessment
Creating a network assessment is an important aspect of network security. A network assessment will allow for a better understanding of where vulnerabilities may be found within the network. It is important to know precisely what you are doing during a network assessment. If the assessment is done incorrectly, you could cause great harm to the network you are trying to protect.
Before you start the network assessment, you should determine the objectives of the assessment itself. Are you trying to identify if the network has any open ports that shouldn't be? Is your objective to quantify how much traffic flows through the network at any given time or a specific time?
Once you decide on the objectives of the network assessment, you will then be able to choose the types of tool you will use. Network assessment tools are often known as penetration testing tools. A person who employs these tools is known as a penetration tester or pen tester.
These tools are designed to find and exploit network vulnerabilities, so that they can be fixed before a real attack occurs. That is why it is important to know what you are doing when using penetration testing tools during an assessment. Later in this book, we will discuss and provide applied labs for some of the most powerful penetration testing tools available. We will also explain how to use them properly.
Sometimes network assessments require a team. It is important to have an accurate idea of the scale of the network before you pick your team. In a large enterprise network, it can be easy to become overwhelmed by tasks to complete without enough support. Once the scale of the network assessment is complete, the next step is to ensure you have written permission and scope from management. All parties involved in the network assessment must be clear on what can and cannot be done to the network during the assessment.
After the assessment is completed, the last step is creating a report to educate concerned parties about the findings. Providing detailed information and solutions to vulnerabilities will help keep the network up-to-date in terms of defense. The report will also be able to determine if there are any viruses lying dormant, waiting for an opportune time to attack the network. Network assessments should be conducted routinely and frequently to help ensure strong network security.
This chapter covered the fundamentals of network security. It began by explaining the importance of having network security and what should be done to secure the network. It also covered the different ways physical security can be applied. The importance of having security policies in place and wireless security was discussed. This chapter also spoke about wireless security policies and why they are important.
Chapter 2, Sniffing the Network, will cover various tools and methods to monitor network traffic.