Chapter 4, Mitigating Risk When Connecting to the Internet
This lesson presents some material from chapter 4. Objectives important
to this lesson:
Threats from the Internet
Web site hosting
Protecting the connection from LAN to WAN
Best practices
Concepts:
Chapter 4
On page 77, the chapter begins a long section about risks associated
with connecting to the Internet. The text makes a good point that even
a computer that has no particular secrets on it can become a zombie workstation,
controlled by an attacker who simply needs an army of connected devices.
The text presents a discussion about malware through page 82. Browse through
this material to see if any of it is new to you. It should not be new
by the time you are in this course.
Page 82 begins a section about personal attacks. It begins with a list
of features that might be indicators that a web site is reputable. Unfortunately,
all six features could be copied from another site, or could be
created from scratch to look professional. They are no longer a guarantee
that the site is legitimate, not even the SSL padlock icon.
Page 83 begins a discussion of more personal attacks:
Harassment and cyberstalking - The text lists several examples
of harassment, including spam, IM spam, impersonation of friends to
gain information, creation of hate sites and groups, and placing fake
sex ads. The text recommends that you start by sharing personal information
only with known, authenticated contacts, blocking communication from
harassers, blocking messages from harassers, and reporting harassment
to police.
Identity theft - The text mentions several of the ways a thief
can obtain personal information to steal an identity: dumpster diving,
phishing, searching discarded or stolen data storage, and spyware. The
text cautions us not to do business with vendors who don't take care
to protect our data, but most consumers will pay no attention to that
advice. The other actions by the thief might be countered by destruction
of data devices that are no longer used, shredding documents or burning
them instead of discarding them, and not trusting doubtful software
we install or email that asks for our data.
The section about email is more about email system features than about
the things we should do to protect ourselves. It mentions blocking identified
junk mail sources, and the rest of the page doesn't matter much.
Moving to page 85, there is some hope for better advice. The text lists
five vulnerability categories, and some basic actions to take:
End-user vulnerabilities -
Talk to your users, or better yet, train them to be users who avoid
scams and negligence that put the network at risk.
Security vulnerabilities -
Make sure that defenses are actually defending the network. Configure
the firewalls to filter out traffic that has no reason to pass into
or out of our network.
Port vulnerabilities - The
text points out that there are 65,535 possible ports on each computer.
Each is a possible door into that computer. Closing all ports that are
not expected to be used makes sense, and setting a firewall to enforce
that decision makes more sense. Note, from the advice in the previous
bullet point, that firewalls do not protect in this way until they are
configured to do so.
Software vulnerabilities -
Most major software applications are regularly patched and updated.
This is something we have come to expect and accept. Large applications,
and operating systems, contain too much code to be certain there are
no security holes. It is a good thing that good people are always looking
for holes that need to be patched. You should check for available patches
regularly, especially for software from publishers who do not notify
you about updates.
Malware vulnerabilities -
Let's take this to mean both malware and viruses, and make it a point
to run and update protective programs against both of them.
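As an added example in the spirit of the port-vulnerabilities item above (this is not code from the textbook or from these notes), here is a small audit that parses the listening sockets of a Linux host in the format printed by "ss -ltn", ignores sockets bound only to loopback, and reports every network-reachable port that is not on an allowlist. The sample output and the allowlist are constructed for illustration.

```python
"""Audit the listening TCP ports on a host against an allowlist.

Added example: the output below is a constructed sample in the format of
`ss -ltn` on Linux (not captured from a real host); the allowlist is an
assumption standing in for "the ports we expect this server to use".
"""
from dataclasses import dataclass

# Constructed sample of `ss -ltn` output.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       128     127.0.0.1:631        0.0.0.0:*
LISTEN  0       511     0.0.0.0:80           0.0.0.0:*
LISTEN  0       128     [::]:22              [::]:*
LISTEN  0       50      0.0.0.0:3306         0.0.0.0:*
"""

# Ports this hypothetical web server is expected to expose.
EXPECTED_PORTS = {22, 80}

LOOPBACK = {"127.0.0.1", "[::1]"}


@dataclass(frozen=True)
class Listener:
    address: str
    port: int

    @property
    def exposed(self) -> bool:
        # A socket bound only to loopback is not reachable from the network.
        return self.address not in LOOPBACK


def parse_ss_output(text: str) -> list:
    """Extract (address, port) pairs from `ss -ltn`-style text."""
    listeners = []
    for line in text.splitlines()[1:]:            # skip the header row
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        address, _, port = fields[3].rpartition(":")  # also handles [::]:22
        listeners.append(Listener(address, int(port)))
    return listeners


def unexpected_exposed_ports(text: str, expected: set) -> set:
    """Ports reachable from the network that are not on the allowlist."""
    return {l.port for l in parse_ss_output(text)
            if l.exposed and l.port not in expected}


if __name__ == "__main__":
    for port in sorted(unexpected_exposed_ports(SAMPLE_SS_OUTPUT, EXPECTED_PORTS)):
        print(f"unexpected listener on port {port}: stop the service or block it at the firewall")
```

Every port the audit reports should either be added to the allowlist deliberately or closed, and the firewall rule set should then be checked to see that it enforces the same list.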
On the bottom of page 86, the text begins a list of attacks that various
kinds of attackers might stage. Several will be familiar to you.
Password attack - This presumes that the attacker has at least a guess
about user IDs. Often, the login ID for staff is identical to their
email ID, minus the email domain, so once you know one you may be able
to guess many more.
Cyberstalking - As noted above, this is an attack against an individual,
not against a network. To the person being attacked, the difference
is not important.
Social engineering - The short form is that the attacker solicits
help from the victim, either through pity or intimidation. The "help"
can be access to any kind of resource.
Eavesdropping - This would include the classic conversational eavesdropping,
as well as the interception of network signals, whether wired or wireless.
The text proposes encrypting all network traffic to combat this.
Backdoor attack - Attacking through an intentionally created point
of access known to developers, troubleshooters, or perpetrators who
executed a program to provide such access.
Man-in-the-middle attack - Like eavesdropping, but it involves interception
of both sides in a session, and possibly changing the data that is being
sent/received.
Spoofing - Impersonation of a recognized ID or address to gain unauthorized
access or to pass along a file that will become part of an exploit.
Dictionary attack - The attacker attempts to log in to a network or
device, using one potential password after another from a file of words
found in a dictionary. The text says that this can be confounded by
using passwords that include numbers, but it is not uncommon for an
attacker to use a file that replaces letters with numbers (e.g. 0 for
o, 1 for i) as people often do.
Brute-force attack - The attacker uses a program that guesses passwords
based on an algorithm that tries every possible combination of characters
that could be in a password.
If you are not worried about password cracking, I suggest we spend twenty
minutes with Dr. Michael Pound who will demonstrate what he can do with
some captured password hashes.
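As an added example (not from the textbook or these notes) of defending against the dictionary attack described above, the password check below reverses the letter-for-digit substitutions the notes mention before comparing a candidate against a wordlist, so a password like "P@ssw0rd123!" is rejected just as "password" would be. The wordlist is a constructed sample standing in for a real dictionary or breached-password list.

```python
"""Flag passwords that are dictionary words in disguise.

Added example, not from the textbook: it undoes the letter-for-digit
substitutions the notes mention (0 for o, 1 for i, and similar) and
strips trailing digits before comparing against a wordlist. The wordlist
below is a constructed sample; a real check would load a full dictionary
or a breached-password list.
"""

# Constructed mini-wordlist standing in for a dictionary file.
WORDLIST = frozenset({"password", "welcome", "dragon", "letmein",
                      "monkey", "sunshine"})

# Common symbol/digit substitutions, mapped back to the letter they replace.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})

# Trailing characters people tack on to satisfy "must contain a digit" rules.
AFFIX_CHARS = "0123456789!?.,;:-_"


def normalize(candidate: str) -> str:
    """Lower-case and undo letter-for-symbol substitutions."""
    return candidate.lower().translate(LEET)


def strip_affixes(candidate: str) -> str:
    """Drop a trailing run of digits/punctuation: 'password123!' -> 'password'."""
    return candidate.rstrip(AFFIX_CHARS)


def is_dictionary_based(candidate: str, wordlist=WORDLIST) -> bool:
    """True if the password collapses to a dictionary word once the usual
    mangling (case, substitutions, trailing digits) is reversed."""
    lowered = candidate.lower()
    # Check both the raw form and the form with trailing junk removed;
    # strip first so the '1' in '...123' is not mistaken for an 'i'.
    for form in (lowered, strip_affixes(lowered)):
        if normalize(form) in wordlist:
            return True
    return False


if __name__ == "__main__":
    for pw in ("P@ssw0rd123!", "dr4g0n", "LetMe1n", "correct horse battery"):
        verdict = "reject" if is_dictionary_based(pw) else "ok"
        print(f"{pw!r}: {verdict}")
```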
The text also mentions four variations on Denial of Service attacks:
Ping flood - The idea here
is to send a ping request to the broadcast address of the network a
target machine is on. This can be a problem if there are a large number
of devices on the target network (and they all respond). This is a reasonable
argument to segment your network in a way that your important devices
are on small subnets. Another approach would be to configure devices
to refuse response to broadcasts. Of course, a better equipped attacker
would set an army of zombies pinging the actual target device.
Fraggle - This is another
attack that sends packets to a network's broadcast address, this time
UDP packets (pings are ICMP packets). A false address is used in the
attacker's packets. This reference tells us that most routers should be
immune to this attack, and will not forward them.
Smurf - The same thing as
a Fraggle attack, except that it uses ICMP packets. The reference
I provided in the line above indicates that this is an obsolete attack
for the same reason.
Distributed Denial of Service
- This is a generic term that includes any kind of attack that is staged
through multiple computers under the control of the attacker. The text
says the army would number in the hundreds or thousands, but I am not
aware that an actual number is required to qualify.
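As an added example (not from the textbook or these notes) of the "refuse response to broadcasts" and spoofed-address defenses discussed above, the script below audits two real Linux kernel settings against their hardened values and prints the commands that would correct them. The sysctl listing it reads is a constructed sample, not output captured from a real host.

```python
"""Audit the Linux kernel settings that keep a host from taking part in
Smurf/Fraggle-style broadcast amplification or from accepting packets
with spoofed source addresses.

Added example, not from the textbook. The setting names are real Linux
sysctls; the sample below is a constructed `sysctl -a`-style listing,
not output captured from a real host.
"""

# sysctl -> (acceptable values, why it matters for the attacks above)
HARDENED = {
    "net.ipv4.icmp_echo_ignore_broadcasts": (
        {"1"}, "do not answer echo requests sent to the broadcast address"),
    "net.ipv4.conf.all.rp_filter": (
        {"1", "2"}, "drop packets whose source address could not have "
                    "arrived on this interface (spoofed sources)"),
}

# Constructed sample in the `key = value` format printed by `sysctl -a`.
SAMPLE_SYSCTL = """\
net.ipv4.icmp_echo_ignore_broadcasts = 0
net.ipv4.conf.all.rp_filter = 1
net.ipv4.ip_forward = 0
"""


def parse_sysctl(text: str) -> dict:
    """Turn `key = value` lines into a dict, ignoring anything else."""
    settings = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            settings[key.strip()] = value.strip()
    return settings


def weak_settings(text: str) -> dict:
    """Map each hardened sysctl that is missing or not at an acceptable
    value to its current value (None if it is absent from the listing)."""
    current = parse_sysctl(text)
    return {name: current.get(name)
            for name, (ok_values, _) in HARDENED.items()
            if current.get(name) not in ok_values}


def remediation(text: str) -> list:
    """`sysctl -w` commands that would bring the weak settings in line."""
    return [f"sysctl -w {name}={sorted(HARDENED[name][0])[0]}"
            for name in weak_settings(text)]


if __name__ == "__main__":
    for name, value in weak_settings(SAMPLE_SYSCTL).items():
        print(f"{name} = {value!r}: {HARDENED[name][1]}")
    print("\n".join(remediation(SAMPLE_SYSCTL)))
```

On a real host, feed it the output of "sysctl -a" and make any change permanent in /etc/sysctl.conf or /etc/sysctl.d/ rather than only with "sysctl -w".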
The text moves on to discuss web site
hosting. It reviews some common features that are provided by most
commercial and free hosting services, but pays more attention to features
that relate to e-commerce sites:
disk space - How much space is included in your plan, and how much
do you need?
bandwidth - How much traffic will you have on your site, including
page reads, uploads, and transactions?
flexibility - Can you do what you want on the site, or are you prevented
from some activity you want as part of your business?
pricing - Can you afford the hosting service you are considering,
or the one you already have?
uptime guarantees - Is the hosting service up to providing access
by your customers when they want it?
backups - Things happen, don't they? Does the hosting service keep
backups of their clients' data? How often are they made? Can we access
copies of our own data?
security - The text tells us we must know what security is used by
the hosting provider. Sharing details with clients may not be the best
idea. What if the next attack comes from a disgruntled client?
expectation of new services - Does the provider regularly upgrade
services provided? Will upgrades become available for a price, once
they are possible on the site?
support - What support is possible for frequent problems? How about
for rare problems? Is there an administrator or a web master to consult?
Web hosting does not have to be done by a service company, if you have
the desire and knowledge to handle all the points above, as well as to
provide your own equipment and link to the Internet. The text points out
that a small company may not be able to dedicate resources to this option.
The text refers to this choice as internal hosting, and the choice
to use a hosting company as external hosting.
Setting up a presence on the Internet also requires that there be a URL
for a customer to use, which means that you must have space in someone's
Internet domain, or you must register a domain name of your own.
Registering a domain of your own is the method most people on the Internet
choose, perhaps because it makes them look like they are independent of
anyone else. The text discusses doing a Whois search for the domain name
you want to register. This is not the only way. You can run a search like
that through the interface of most domain registrars, as well.
The text discusses DNS service, how name resolution is passed up and
down the branches of the DNS tree (see page 95), and four ways DNS can
be attacked on page 96.
DoS attacks - Flooding a particular DNS server with requests
can prevent it from responding to real requests. This does not seem
like a big deal at first, but this link takes you to an article about
DNS defense that starts with a story about a botnet attack against a
DNS service that affected many of its clients.
Footprinting - This is tracking down network information about
a person or a website. This article discusses the concept more fully,
and leads you to tools that you can use to determine what information
is available about your sites.
Address spoofing - Address spoofing is impersonation, temporarily
transmitting and receiving with an IP address that belongs to another
device. This is more related to breaking through firewalls than it is
to DNS attacks.
Redirection - This attack is discussed in the article in the
link under DoS attacks. It sends false DNS resolutions to requesters,
sending them to web sites that are not the ones they wanted. This can
be part of a larger scam, or it may be done to boost hits on a web page.
The text introduces the seven-domains-of-a-network model on page
97. The best thing about the discussion is that the author spends less
than a page on it. The author uses the model to explain that our defense
of our network regarding the Internet takes place at the point where
our network connects to a Wide Area Network, typically our connection
to our Internet Service Provider.
The material that follows, through the end of the chapter, is just basic
advice about running and protecting a network. The summary on page 107
hits the basic ideas, but it is written at a level for end users. Review it.
Assignments
Continue the reading assignments for the course.
Download the new lab handouts as they become available.
Complete the lab assignments and class discussion in this module.