Every day we use our computers and phones to connect to the internet, open emails, do online transactions, check our social media, create files, take photos of our friends, family or favorite places.
Security issues, threats, and attacks
IoT security risk
The next big thing, which is going to play a big role in our life, is going to be Internet of Thing (IoT). Everything will be connected to the internet—fans, tube lights, refrigerators, doors, cars, even in medical terms, our heart—could be connected to an IoT sensor. This list will be long. Think about the situation if a person's heart rate controlled by an IoT sensor is hacked.
One of the most prominent IoT security issues is the problem with individuals using the same login credentials for everything.
Computer security risk
Computer security risks are events that may damage or steal data or allow unauthorized access to a computer without notifying the user. Your computer is all about operating systems and applications, the majority of such attacks come along with malicious applications, or bad software, in other words. It is commonly believed that all damages are only done by computer viruses, but in reality there are several types of bad software. Features such as back door, dialer, spyware, virus and worm, key logger, adware, and many more can result in a computer security risk.
Security Risk-Border Gateway Protocol
In the networking world, imagine a situation where attackers plug their cable into your network, establish a Border Gateway Protocol (BGP) session, and sniff all the data going into the wire. This is not limited to sniffing your information, but you can cause a lot of trouble for others.
For example:
- YouTube blockage by PTA:
- Scenario: Pakistan telecom was connected to the global internet via PCCW telecom
- Problem: PCCW did not validate a prefix advertised by Pakistan telecom and there was no built-in mechanism in the BGP protocol to authenticate information
- Impact: DoS to customers, traffic redirection, prefix hijacking, and AS hijacking
- On 24 February 2008, Pakistan Telecom Authority (PTA) began to advertise a specific prefix of YouTube. PTA intended to block access to YouTube in Pakistan and advertised the specific prefix 208.65.153.0/24. This was part of the prefix used by YouTube 208.65.152.0/22-208.65.155.255. The intention was that YouTube's traffic would be forwarded to Null0 interface and, consequently, YouTube would get blocked within Pakistan. However, the same route was advertised to upstream ISP (PCCW AS number 3491). PCCW presented this information to other peers as well. YouTube then initiated a more specific prefix (208.65.153.128/25) to recover traffic.
- MAN in the Middle (MITM): This is another example. Think about a situation in which someone from your organization can do the sniffing inside your network by configuring SPAN for switch where all finance employees are connected. All username and password information can be extracted if they are not using a secure way to access the finance portal. This is the reason I say there should be HTTPS for everything. Even hackers can gain access to sniff data, but they cannot decode encrypted data from the system. All these types of hacking come under MITM where attackers have access to data wire or are able to divert traffic.
- Address Resolution Protocol (ARP): Spoofing can be a similar kind of attack. For local area network-address resolution protocol, it is required to know the computer identity on Local Area Network (LAN). Let's assume you are internet gateway configured in your LAN and all the internet traffic travels via that device. The attacker can do the ARP-spoofing and advertise a new system as an internet gateway. Now all the traffic for internet goes through the attacker's system, and they can sniff your data. There are many tools available on the market for spoofing, which do nothing but change the MAC address of your machine.
MITM attacks can be further divided into two categories: WAN and LAN.
Security and threats
In a growing connected world, security threats are constantly evolving to find new ways to steal or damage data. For any organization and any individual who has an internet enabled system, it becomes very important to protect that information. Malicious or ignorant human activity are major threats to computers. Malicious action always has a goal to achieve and a specific target to be attacked.
Attackers generally have motives or goals. These motives and goals usually abide by the following formula:
Motive + Method + Vulnerabilities = Attack:
As the following diagram shows, security threats are driven either by humans or natural disasters. Threats driven by humans can be further categorized into external or internal threats, or can be put down to user ignorance. We will discuss each of these in detail:
Natural disasters
A natural disaster is a major adverse event resulting from the natural processes of the earth. Examples include floods, hurricanes, tornadoes, volcanic eruptions, earthquakes, tsunamis, and other geologic processes. Nobody can prevent nature from taking its course. Such events can cause severe damage to computer systems. Information can be lost, downtime or loss of productivity can occur, and damage to hardware can disrupt other essential services. Few safeguards can be implemented against natural disasters. The best approach is to have disaster recovery plans and Business Continuity Plans (BCP) in place.
Human threats
Human threats consist of inside attackers or outside attackers. Insiders can be employees, vendors, or contractors with privileged access to systems. They can also be organizations and outside attacks by non-employees or groups of individuals just looking to harm and disrupt an organization due to a motive or aim.
The most dangerous form of attackers are usually insiders, because they have access to the system and know security measures that are already in place. Insider attacks can be malicious or negligent and can also be accidental.
All companies in this world have to deal with employee work force reduction and expansion. Consequently, controlling and changing the permission on system assets is a very important action item. Lack of process and failure to remove access to sensitive assets for employees who no longer have a business requirement increase an asset's exposure to unauthorized access. This can be a common cause of insider attacks, which is often overlooked.
Since there is usually a trust between employee and employer, most employees are not out to harm them. However, there's no way to ensure that this is the case with all employees, so the best practice is to be cautious and take the appropriate measures to prevent inside threat.
Here is one classic example:
A company's important application was operated by the personal credentials of an employee who had been working there for many years. However, one day the company laid that employee off. The next day, the IS department deleted his credentials. The application then stopped working. An issue like this can cause major damage to a system, and it will definitely take time to identify and fix the problem.
Human security threats can be something as simple as a person opening an attachment loaded with malicious script or malware that opens the system's back door and allows outsiders to extract information. The worst-case scenario often isn't a hacker breaching internal systems, but an employee that loses his smartphone or has his laptop stolen. The best defense lies in securing the data, not just the devices. This means encrypting at the file-level, so confidential information is protected even it is stolen.
Security vulnerabilities
A malicious attacker uses a method to find the resources of a target, finds known vulnerabilities of targeted resources, and then exploits vulnerabilities in order to achieve a goal. Vulnerabilities are weaknesses, misconfigurations or loopholes in security that an attacker exploits in order to gain access to the network or resources on the network.
Security vulnerabilities are not limited to web, SQL DB, or operating systems. The same approach goes for any infrastructure networking gears.
These are the three main categories:
- Technology weaknesses
- Configuration weaknesses
- Security policy weaknesses
Technology weaknesses
These include TCP/IP protocol weaknesses, operating system weaknesses, software weaknesses running on operating systems and network equipment weaknesses.
TCP/IP is a protocol suite, which is used to transfer data through networks. The most important part of the suite is IP, which is the user identity on a network. The main protocols associated are:
- Transmission Control Protocol (TCP)
- User Datagram Protocol (UDP)
- Internet Control Message Protocol (ICMP)
TCP ports numbers identify an application. For example:
- Port 21: FTP
- Port 23: Telnet
- Port 80: HTTP
- Port 443: HTTPS
TCP/IP was meant to provide a reliable connection between two hosts but does not provide any inbuilt security functions, such as encryption or authentication. Protocols like HTTP, FTP, TFTP, and TELNET are insecure since all the information is in clear text.
A SYN flood is a form of DoS attack in which an attacker sends a succession of SYN requests to a targeted victim in an attempt to utilize all available server resources to make the system unavailable to legitimate traffic.
This is normal behavior for TCP three-way handshake. The SYN packet is sent by a user who is then acknowledged by the server and, finally, by ACK.
In the case of SYN, flood systems are unavailable to process SYN packets. Attackers in green send a series of SYN packets and get ACK as well. Meanwhile, attackers consume all server resources, hence real users in violet do not even get SYN-ACK.
The UNIX, Linux, Macintosh, Windows, and OS/2 operating systems all have security problems. Security updates and bug fixes are released by these companies from time to time.
Network equipment such as routers, firewalls, optical equipment, and switches have security weaknesses that must be recognized and protected.
In upcoming chapters, we will discuss these kind of attacks in detail, looking at how to deal with them in a live network.
Configuration weaknesses
As a network/system administrator, we should know what configuration weaknesses are and what the corrective measures are for their computing and network devices.
User account information might be transmitted in clear text across the network, exposing usernames and passwords to an intruder. For example, if you manage your devices over Telnet, your username and password can be sniffed. The same thing is also applicable when you manage devices using GUI on HTTP.
Misconfigurations of the devices can cause significant network equipment security problems and open doors for unauthorized access. For example, misconfigured access lists, routing protocols, or SNMP community strings can open large security holes. Misconfigured encryption, lack of encryption, or low encryption ciphers for remote-access controls can also cause significant security issues.
Authentication and authorization is a major concern. If you are interested in knowing who is doing what on a piece of network equipment or system, then you might want to centralize authentication with a single authentication platform by accounting logs enabled to perform an audit regularly.
To reduce the threats to your network, the best option is to disable any unused services on all your networking devices and computing system. For instance, if you have a web server, you should disable FTP, SMTP, and other services. Another example would be if you are managing your devices with SSH, you can disable Telnet, HTTP, and FTP running on the same box.
You should only run the applications that are necessary on a device. All unnecessary applications and services should be disabled, to minimize exposure to the outside world.
Security policy weaknesses
Security policy weaknesses can create unforeseen security threats. The network infrastructure can pose security risks to itself if the system administrator does not follow the security policy, and best practices being used in the industry. Every organization must have a security policy and that should be enforced to all users/admin/infrastructure. Security weaknesses emerge when there is no clear-cut or written baseline security policy document.
Always follow a baseline for all infrastructure gears and networks for compliance with the policy. Systems should be in place to verify non-compliance devices. For example, if you have millions of devices in a network, it's very hard to check if all of them are matching compliances or not. However, a system like HPNA and other tools can scan a baseline set of configuration for all devices and reports can be generated.
Single password verification: There are three basic methods for authentication:
- Username and password
- One-time password
- Certificates
In the first methods, passwords are basically user defined, and certificates are computer generated and based on keys. Brute-force attacks can easily crack passwords; passwords are easy to forget and are often reused on multiple services or applications. These passwords are like symmetric keys and are stored somewhere within the service. It is the duty of the service provider to protect your password. However, on the news we also often hear that password databases are hacked and millions of passwords are leaked. The third method is based on keys and strong algorithms, but even they are not 100% foolproof as private keys can be stolen as well.
Two-factor authentication (2FA), often referred to as two-step verification, is a security process in which the user provides password information by combing two methods to verify that users are who they say they are. Two-factor authentication provides an additional layer of security by keeping half of the part of a password static in nature and the rest of the part dynamic, constantly changing after a given interval. This makes it harder for attackers to gain access to a person's devices and online accounts; knowing the victim's password alone is not enough to pass the authentication check, because a combined password is dynamic in nature and has an expiry associated with it. Two-factor authentication has long been used to control access to sensitive systems and data, and online services are increasingly introducing 2FA to prevent their users' data from being accessed by hackers who have sniffed or stolen a password.
Best practices are being followed by companies like Google. Even if you change your smartphone or browsers you get notified immediately. Companies follow methods of smart card authentication along with phone authentication in order to validate the identity of users. The banking sector distributed RSA tokens for 2FA.
Using unencrypted or weak encryption for a website
Protocols such as Telnet, HTTP, or FTP opens doors for MITM attacks. The main reason behind that is that these protocols do not offer end-to-end encryption. File transfer protocol is used for data transfer between two hosts, and every time you need to enter usernames and passwords, which are in clear text, and it is very easy for attackers to sniff credentials and data being transferred. To protect information from attackers, we should not use any protocol that does not support encryption. For example, for management purposes, we should use SSH instead of Telnet on any device. All websites must offer HTTPS, and instead of FTP data transfer should be done using SCP or SFTP. In particular, historically insecure services such as Telnet, FTP, SNMP, POP, and IMAP must be replaced by their encrypted equivalents.
SSL SHA1, an extremely popular hashing function, is on the way out. Strictly speaking, this development is not new. The first signs of weaknesses in SHA1 appeared almost 10 years ago. In 2012, some calculations showed that breaking SHA1 is becoming feasible for those who can afford it. In November 2013, Microsoft announced that they wouldn't be accepting SHA1 certificates after 2016.
Protect Domain Controller: Eliminates use of LM and NTLM (v1) in favor of NTLMv2 or Kerberos. Kerberos is a token-based system. Refresh time is so fast that even if someone hacked your session, you would get new tokens as refresh time makes it more reliable.
In the same way, you should float guidelines for the secure management of assets. All the servers and assets should be managed by domain controller security groups. Using interactive logon with a service account can cause major damage too, hence interactive logon for service accounts should be disabled. The reason behind this is that if a system is compromised, attackers can gain access to the domain controller as well.
Connect to unsecured Wi-Fi network access: Connecting through a public Wi-Fi network or hotspot can compromise your computer/mobile security and put your information at risk. Whether you are on your computer or your mobile device, it's relatively easy for hackers to access the information you type and send over an unsecured Wi-Fi network, including your login and password information.
Users need to be educated on how to use Wi-Fi with their computer devices. Here are some important tips that every company employee should know:
- If possible, make sure that you connect to secure networks only
- Use strong passwords for all your online accounts and change them often
- Use VPN for accessing corporate resources