In this lesson, we will learn security fundamentals- that include possible security attacks, corresponding mitigation technique that is implemented to prevent the attack.
First we need to understand why an organization needs security?
There are 3 security principles i.e. CIA- confidentiality Integrity and Availability.
Confidentiality– A system is said to be trustworthy only when authorized users can access the resources and services. Confidentiality means only legitimate user should access the data.
Integrity: Data should be authentic; it means data should be secure and correct. No one is able to modify the data; only legitimate users should permissions to make the changes.
Availability: The resources should be operational and available to authorized users.
Attackers can threaten confidentiality, integrity and availability. For example –in DoS attack (denial-of-service), system is unavailable to authorized users. It means DoS attack threaten the availability.
So, to keep resources (data) confidential, authenticate, available and operational to authorized users, an organization needs security.
Vulnerability: Vulnerability is considered as the weakness of any system and attackers take the advantage of this weakness to harm the organization.
Exploit: Exploit is the tool that attacker used to take the benefit of vulnerability.
Threat: An event or condition that has the potential for causing asset loss and the undesirable consequences or impact from such loss.
For more clarity, Here I am giving you a example – Think enterprise network as a closed box that is made with strong material and there is no way to come in and out. So, now data that are kept inside the box is completely safe, no one can access that data.
Now, a door is introduced in that box (now its look like a room with only one door, no other way to come in or out), this door is only for legitimate users.
To secure the data from bad guy (people who access the data to harm the organization), we put a lock on the door.
In above example consider close box as a enterprise network and door is vulnerability. How door is vulnerability? Let me explain- because apart from legitimate users bad guy can also enter the room by breaking the lock and misuse the data. The method that bad guy use to enter into the room is exploit, it could be a hammer or could be a key to open that door.
What is Mitigation Technique?
Mitigation is the prevention method that is implemented to secure the network.
The techniques which are implemented to prevent the system from malicious activities are called mitigation techniques. To apply mitigation technique a person should have clear understanding of all possible vulnerability and exploit that a system could have. Analyze the system properly and find out which parts have vulnerability (weakness) and what are the possible exploits (methods to break the vulnerability) that an attacker could use to harm your system.
Mitigation technique should be implemented everywhere a vulnerability can be exploited- client devices, servers, switches, routers and firewall etc.
Mitigation techniques are different for different type of attacks.
Common Security Attacks
Attacks that spoof address:
- DoS(Denial-of-service attacks)
- Reflection/amplification attacks
- Man-in –the middle attack
In general, when a machine sends an IP packet , everyone expects source IP address is the machine’s own IP address and in Ethernet frame, source MAC address is the machine’s own MAC address. Or in other words we can say LAN network is considered as trusted network, whenever a packet comes from LAN network, it is considered as trusted host.
And spoofing attacks take the advantage of this vulnerability.
What is DoS Attack?
DoS attack threaten the availability of a system. Its name itself defines its definition denial of service – In this attack system stop providing its services to the authorized users. And obviously this is not good for an organization if their authorized users are not able to access the resources.
Are you curious to know, how attackers do that? Let me explain.
Attackers generate a large number of requests for a targeted system. As a system has limited memory space and bandwidth, it can handle a specific amount of request at a time. If requests cross that limit it will stop working and attackers take the advantage of this.
Here I am giving a example for more clarity- Like at the time of result declaration, the day when result announce, website is not opened or opened slowly or it shows server-down message. So, it’s a same thing denial of services, but in this case this is not done by attackers, this time this is a normal phenomena, just because large number of people send request to server to check their result, and it’s difficult for server to manage the large number of requests at a same time.
One more relatable example is human brain, if someone putting lot of pressure and works then situation is like please pity on me I can’t handle that much pressure.
What are reconnaissance attacks?
Reconnaissance attacks are not real attacks because nothing is exploited as a result. These attacks are used to collect the information about a target which can be used for a future attack. This information is publicly available. But, attackers use this information to find out the vulnerability of a particular system so that in future a strong attack can be implemented.
In reconnaissance attack to gather information attackers use some tools like nslookup <domain name> command is used to resolve the IP address of a domain name. Whois and dig commands are used to gather detailed information like domain owners, contact information, mail servers, authoritative name servers, and so on.
What are buffer overflow attacks?
In general operating systems and application use buffers or temporary memory space to read and write data. When these buffers are full, overflow condition occurs and data stored at unexpected memory space that affects the system in a bad way. Due to result of buffer overflow, a particular service or entire system stop working (crashed).
Attackers take the advantage of this, and send large amount of data at a same time to a targeted host, in result buffer overflow condition occur and system crashed.
What are Malware?
Malware are malicious software that can infect a system.
Malware are mainly divided into 3 categories:
- Trozen Horse
Trozen horse malicious software that is hidden or packaged inside other software that looks normal and legitimate. When a person installs this type of software trozen horse software is also installed.
Trojan horse malware can spread from one computer to another only through user interaction such as opening email attachments, downloading software from the Internet, and inserting a USB drive into a computer.
Viruses: These kind of malicious software spreads more rapidly that’s the reason they are called as viruses. The virus spreads to other system when a user shared a infected software with other users. Same like corona-virus, if someone come in contact with covid infected person, then virus will infect that person.
Worm: These malicious software don’t depend on user’s interaction. They propate their own to other devices through their vulnerabilities. It means, these spread their own, find the vulnerability to enter the device and same process repeats and spreads go on.
What are social engineering attacks?
Social engineering attacks are straightforward attacks in which human trust and social behavior can become security vulnerabilities. An attacker approaches a person by using phone calls, emails or social media. And end goal of the attacker is to convince the person so that he/she reveals his/her login credentials(username and passwords). Fraud emails and fraud phone calls that are asking for aadhar numbers are examples of social engineering attacks.
Types of social engineering attacks
- Spear Phishing
- Watering hole attacks
Phishing– Phishing attacks are done over fraud emails. Attackers send fraud emails to users that appear to come from legitimate source. Attackers put a malicious link inside the email, when a user click on that link a registration type form is open and as user is unaware that it is a fraud email, he/she fills all the details.
Spear Phishing-In spear phishing attackers targets a similar group of people like employees of a particular company, employees who works in a same store and so on.
Whaling– In whaling attack, attacker targets high profile individuals like a company president.
Vishing : Voice phishing perform over the phone call. Fraud phone calls come in vishing category. For example: Hi, this is Monika, I am speaking from SBI bank. According to bank policy, in the end of financial year we need to update your KYC- so dear sir/mam please tell me your details.
Smishing– Extending form of Smishing is SMS Phishing. SMS phishing are done by sending fraud messages to targetted user. For example- congratulation! you won a lottery prize of 10 lakh kind of.
Watering hole attacks: In this attack, attackers keep a eye on targeted user activity to collect the information like which websites he/she frequently visited and try to place a malicious link on that website, as the user trust that site he/she might not hesitate to click it.
In an enterprise network, before giving access most system first ask for username and passwords to check either user is valid or not. If a person who is not genuine user but enters correct username and password then system will give access to the services. And attackers take the advantage of this, they guess the right password or sometime crack the password by using software and harm the system.
To avoid password vulnerability, a strong password should be use that contains capital letter, small letter, numbers, special character and length should be at least 8 or greater than 8.
Multi-factor security implementation is also good to avoid password attacks.
Dictionary attack and brute force attack are password attacks.
Controlling and monitoring user access
AAA stands for Authentication Authorization Accounting.
AAA is commonly used to control and monitor access to network devices like routers, switches, firewalls, and so on. A centralized authenticate server manages a database of users and their passwords and policies to authorize user’s activity. For greater security, AAA servers support multi-factor user credentials. Cisco implements AAA services in its Identity Service Engines (ISE) platforms.
What is AAA (Authentication Authorization Accounting)?
Authentication: Who is the user?
Authentication is the process of identifying user’s identity. It’s a similar process like when you enter in a examination hall, first they check your admit card and ID proof and then allow you to enter in the examination hall. Why they do so? And simple answer is to check either you are a real candidate or not.
Authorization: What is the user allowed to do?
Authorization is the process of granting the user appropriate access and permissions. After authentication they allow you to enter in the examination hall. Authorization process is same, first user’s identity checks either user is authorized or not after that user’s gets the access of resources.
Accounting: What did the user do?
Accounting is the process of recording user’s activities on the system.
When you are doing exam, there will be an invigilator that keeps an eye on you. Similar way, accounting process comes after authentication and authorization. It keeps a track of user activity.
It is 3 step process first checks the user identity and after then only valid user get access to the resources then using accounting methods it keeps an eye on the user’s activity. Enterprises typically use an AAA server to provide AAA services.
AAA server usually supports 2 AAA protocols.
RADIUS: open standard protocol
TACACS: Cisco proprietary protocol.