Chapter 4, Mitigating Risk When Connecting to the Internet
This lesson presents some material from chapter 4. Objectives
important to this lesson:
Threats from the Internet
Web site hosting
Protecting the connection from LAN to WAN
Best practices
Concepts:
Chapter 4
On page 77, the chapter begins a long section about risks
associated with connecting to the Internet. The text makes a good
point that even a computer that has no particular secrets on it
can become a zombie workstation, controlled by an attacker who
simply needs an army of connected devices. The text presents a
discussion about malware through page 82. Browse through this
material to see if any of it is new to you. It should not be new
by the time you are in this course.
Page 82 begins a section about personal attacks. It begins with a
list of features that might be indicators that a web site is
reputable. Unfortunately, all six features could be copied
from another site, or could be created from scratch to look
professional. They are no longer a guarantee that the site is
legitimate, not even the SSL padlock icon: the padlock only tells
you that the connection to the site is encrypted (TLS), and a
phishing site can get a valid certificate for its own domain as
easily as anyone else can.
Page 83 begins a discussion of more personal attacks:
Harassment and cyberstalking - The text lists several
examples of harassment, including spam, IM spam, impersonation
of friends to gain information, creation of hate sites and
groups, and placing fake sex ads. The text recommends that you
start by sharing personal information only with known,
authenticated contacts, then block communication and messages
from harassers, and report harassment to the police.
Identity theft - The text mentions several of the ways
a thief can obtain personal information to steal an identity:
dumpster diving, phishing, searching discarded or stolen data
storage, and spyware. The text cautions us not to do business
with vendors who don't take care to protect our data, but most
consumers will pay no attention to that advice. The other
actions by the thief can be countered by destroying data storage
devices that are no longer used, shredding or burning documents
instead of discarding them, being wary of software we install,
and not answering email that asks for our data.
The section about email is more about email system features than
about the things we should do to protect ourselves. It mentions
blocking identified junk mail sources; the rest of the page
doesn't matter much.
Moving to page 85, there is some hope for better advice. The text
lists five vulnerability categories, and some basic actions to
take:
End-user vulnerabilities
- Talk to your users, or better yet, train them to be users who
avoid scams and negligence that put the network at risk.
Security vulnerabilities
- Make sure that defenses are actually defending the network.
Configure the firewalls to filter out traffic that has no reason
to pass into or out of our network.
Port vulnerabilities -
The text says that there are 65,535 possible ports on each
computer; strictly, port numbers run from 0 through 65535, and
TCP and UDP each have their own set. Each port with a service
listening on it is a possible door into that computer. Stopping
or removing every service that is not expected to be used, so
that its port closes, makes sense, and setting a firewall to
enforce that decision makes more sense, since a service started
later cannot then quietly reopen a door to the network.
Note, from the advice in the previous bullet point, that
firewalls do not protect in this way until they are configured
to do so.
Software vulnerabilities
- Most major software applications are regularly patched and
updated. This is something we have come to expect and accept.
Large applications, and operating systems, contain too much code
to be certain there are no security holes. It is a good thing
that good people are always looking for holes that need to be
patched. You should check for available patches regularly,
especially for software from publishers who do not notify you
about updates.
Malware vulnerabilities
- Let's take this to mean both malware and viruses, and make it
a point to run and update protective programs against both of
them.
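The port audit that the "Port vulnerabilities" bullet calls for, as an added example for this lesson (not code from the textbook): it parses the LISTEN rows of Linux `ss -ltn` output and reports which ports are reachable from the network but not on the short list we expect to expose. The `ss` output, the 192.168-style addresses and the expected-port list are constructed for the demo; on a real host you would feed in the output of `subprocess.run(["ss", "-ltn"], capture_output=True, text=True).stdout`.

```python
# Added example for this lesson, not code from the textbook. It audits which
# TCP ports a host is listening on against the short list we expect to expose,
# which is also the inventory a firewall rule set should then enforce.
from dataclasses import dataclass

# Constructed `ss -ltn` output (State Recv-Q Send-Q Local:Port Peer:Port).
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       128     127.0.0.1:631        0.0.0.0:*
LISTEN  0       4096    0.0.0.0:3306         0.0.0.0:*
LISTEN  0       511     *:443                *:*
LISTEN  0       128     [::]:22              [::]:*
"""

# Ports this host is supposed to offer to the network (an assumption for the demo).
EXPECTED_PUBLIC = {22, 443}


@dataclass(frozen=True)
class Listener:
    addr: str
    port: int


def parse_ss(output: str) -> list[Listener]:
    """Parse the LISTEN rows of `ss -ltn` into (address, port) pairs."""
    listeners = []
    for line in output.splitlines()[1:]:          # first row is the header
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        # rpartition on the last ':' copes with 0.0.0.0:22, [::]:22 and *:443
        addr, _, port = fields[3].rpartition(":")
        listeners.append(Listener(addr, int(port)))
    return listeners


def is_loopback(addr: str) -> bool:
    return addr in ("127.0.0.1", "[::1]")


def audit(output: str, expected: set[int]) -> dict[str, list[int]]:
    """Split listeners into those reachable from the network but not expected
    (candidates to stop, and to block at the firewall regardless) and those
    bound only to loopback, which outside hosts cannot reach."""
    listeners = parse_ss(output)
    unexpected = sorted({l.port for l in listeners
                         if not is_loopback(l.addr) and l.port not in expected})
    loopback_only = sorted({l.port for l in listeners if is_loopback(l.addr)})
    return {"unexpected_public": unexpected, "loopback_only": loopback_only}


if __name__ == "__main__":
    print(audit(SAMPLE_SS_OUTPUT, EXPECTED_PUBLIC))
```

On the constructed input the audit flags 3306 (a database listening on every interface) as unexpected and notes that 631 is bound to loopback only. The audit tells you what to stop; the firewall rule that drops everything except 22 and 443 is what keeps the door shut when someone later starts a service you did not plan for.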
On the bottom of page 86, the text begins a list of attacks that
various kinds of attackers might stage. Several will be familiar
to you.
Password attack - This presumes that the attacker has at least
a guess about user IDs. Often, the login ID for staff is
identical to their email ID, minus the email domain, so once you
know one you may be able to guess many more.
Cyberstalking - As noted above, this is an attack against an
individual, not against a network. To the person being attacked,
the difference is not important.
Social engineering - The short form is that the attacker
talks the victim into helping, whether by appealing to pity, by
posing as someone with authority, or by intimidation. The "help"
can be access to any kind of resource.
Eavesdropping - This would include the classic conversational
eavesdropping, as well as the interception of network signals,
whether wired or wireless. The text proposes encrypting all
network traffic to combat this.
Backdoor attack - Attacking through an intentionally created
point of access known to developers, troubleshooters, or
perpetrators who executed a program to provide such access.
Man-in-the-middle attack - Like eavesdropping, but it involves
interception of both sides in a session, and possibly changing
the data that is being sent/received.
Spoofing - Impersonation of a recognized ID or address to gain
unauthorized access or to pass along a file that will become
part of an exploit.
Dictionary attack - The attacker attempts to log in to a
network or device, using one potential password after another
from a file of words found in a dictionary. The text says that
this can be confounded by using passwords that include numbers,
but it is not uncommon for an attacker to apply a rule file that
replaces letters with numbers (e.g. 0 for o, 1 for i) and adds
common endings, exactly as people do when told to "add a number".
Brute-force attack - The attacker uses a program that guesses
passwords based on an algorithm that tries every possible
combination of characters that could be in a password.
If you are not worried about password cracking, I suggest we
spend twenty minutes with Dr. Michael Pound who will demonstrate
what he can do with some captured password hashes.
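The dictionary and brute-force attacks described above, side by side, as an added example for this lesson (not code from the textbook or from the video). The dictionary attack applies the letter-to-digit and suffix rules mentioned under "Dictionary attack", so the "clever" password P4ssw0rd1 falls in a few dozen guesses, while the brute-force search has to cover the whole keyspace. The salt "lesson4", the three-word wordlist and the use of SHA-256 are assumptions made so the demo runs instantly; a real password store should use a deliberately slow hash such as bcrypt, scrypt or Argon2.

```python
# Added example for this lesson, not code from the textbook or from the video.
# A dictionary attack with mangling rules beside a pure brute-force search,
# both against a salted hash. SHA-256 and the salt are stand-ins chosen so
# the demo is fast; a real system should use bcrypt, scrypt or Argon2.
import hashlib
import itertools
import string

SALT = b"lesson4"                                   # constructed
WORDLIST = ["letmein", "password", "welcome"]       # constructed mini-dictionary
LEET = {"a": "4", "e": "3", "i": "1", "o": "0"}     # the substitutions people make
SUFFIXES = ("1", "123", "!", "2024")                # ... and the endings they add


def hash_pw(candidate: str) -> str:
    return hashlib.sha256(SALT + candidate.encode()).hexdigest()


def mangle(word: str):
    """Yield the variants a typical rule set derives from one dictionary word:
    case changes, letter-to-digit substitutions, and common suffixes."""
    bases = [word, word.capitalize(), word.upper()]
    leet = ["".join(LEET.get(c.lower(), c) for c in b) for b in bases]
    seen = set()
    for base in bases + leet:
        for cand in (base, *(base + s for s in SUFFIXES)):
            if cand not in seen:
                seen.add(cand)
                yield cand


def dictionary_attack(target: str, wordlist):
    """Return (password, guesses) on success, (None, guesses) otherwise."""
    guesses = 0
    for word in wordlist:
        for cand in mangle(word):
            guesses += 1
            if hash_pw(cand) == target:
                return cand, guesses
    return None, guesses


def brute_force(target: str, alphabet=string.ascii_lowercase + string.digits, max_len=3):
    """Try every string over `alphabet` up to max_len characters, shortest first."""
    guesses = 0
    for n in range(1, max_len + 1):
        for chars in itertools.product(alphabet, repeat=n):
            guesses += 1
            cand = "".join(chars)
            if hash_pw(cand) == target:
                return cand, guesses
    return None, guesses


def keyspace(length: int, alphabet=string.ascii_letters + string.digits) -> int:
    """Number of candidates a brute-force search must cover for a given length."""
    return len(alphabet) ** length


if __name__ == "__main__":
    # "P4ssw0rd1" is a leet-mangled dictionary word: the rules find it in 52
    # guesses, while brute-forcing 9 mixed-case alphanumerics faces 62**9 cases.
    print(dictionary_attack(hash_pw("P4ssw0rd1"), WORDLIST))
    print(brute_force(hash_pw("z9q")))
    print(keyspace(9))
```

The point of the pairing: the brute-force search is complete but faces 62**9 (about 1.35e16) candidates for a nine-character password, whereas the rule-based dictionary attack needs 52 guesses for P4ssw0rd1 because the password is a dictionary word with predictable edits. Length and unpredictability, not "a number somewhere", are what push a password out of the dictionary's reach.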
The text also mentions four variations on Denial of Service
attacks:
Ping flood - The text's idea
here is to send ping requests to the broadcast address of the
network a target machine is on, with the target's address forged
as the source, so that every device on that network answers the
target. Strictly, a ping flood is simpler than that: the attacker
just sends ICMP echo requests to the target faster than it can
handle them, and the broadcast trick is the Smurf attack described
below. Either way, the broadcast version is a problem if there
are a large number of devices on the target network (and they
all respond). This is a reasonable argument to segment your
network so that your important devices are on small subnets.
Another approach would be to configure devices to refuse to
respond to broadcast pings.
Of course, a better equipped attacker would set an army of
zombies pinging the actual target device.
Fraggle - This is
another attack that sends packets to a network's broadcast
address, this time UDP packets (pings are ICMP packets), usually
aimed at the UDP echo or chargen services. A false source
address, that of the intended victim, is used in the attacker's
packets, so every reply goes to the victim. This
reference tells us that most routers should be
immune to this attack, and will not forward them: since RFC 2644
(1999) the default for routers has been not to forward directed
broadcasts at all.
Smurf - The same thing
as a Fraggle attack, except that it uses ICMP echo packets. The reference
I provided in the line above indicates that this is an obsolete
attack for the same reason.
Distributed Denial of Service
- This is a generic term that includes any kind of attack that
is staged through multiple computers under the control of the
attacker. The text says the army would number in the hundreds or
thousands, but I am not aware that an actual number is required
to qualify.
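The detection logic a border device could apply to the Smurf and Fraggle traffic described above, as an added example for this lesson (not code from the textbook or the linked reference). The signature is a request addressed to our subnet's broadcast address whose source is not on our subnet: the source is the victim the replies will be reflected to. The packet records and the 192.168.10.0/24 segment are constructed for the demo; the reflected-volume helper shows why a large flat segment is worth more to an attacker than a small one.

```python
# Added example for this lesson, not code from the textbook. It flags Smurf
# (ICMP echo) and Fraggle (UDP echo/chargen) requests aimed at our broadcast
# address from a spoofed outside source, and estimates what the victim gets.
import ipaddress
from collections import Counter

LOCAL_NET = ipaddress.ip_network("192.168.10.0/24")   # assumed protected segment

# Constructed packet records: (source, destination, protocol, dst port; 0 for ICMP)
PACKETS = [
    ("192.168.10.5", "192.168.10.1",   "icmp", 0),     # ordinary ping inside the LAN
    ("192.168.10.5", "8.8.8.8",        "udp",  53),    # ordinary DNS query
    ("203.0.113.9",  "192.168.10.255", "icmp", 0),     # Smurf: spoofed victim -> broadcast
    ("203.0.113.9",  "192.168.10.255", "icmp", 0),
    ("203.0.113.9",  "192.168.10.255", "udp",  7),     # Fraggle: UDP echo -> broadcast
    ("192.168.10.7", "192.168.10.255", "udp",  137),   # legitimate NetBIOS name query
]

AMPLIFIER_PORTS = {7, 19}      # UDP echo and chargen, the classic Fraggle targets


def classify(src: str, dst: str, proto: str, dport: int):
    """Label a packet 'smurf', 'fraggle' or None."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if d != LOCAL_NET.broadcast_address:
        return None                      # unicast traffic is not our concern here
    if s in LOCAL_NET:
        return None                      # local hosts may legitimately broadcast
    if proto == "icmp":
        return "smurf"
    if proto == "udp" and dport in AMPLIFIER_PORTS:
        return "fraggle"
    return None


def detect(packets):
    """Count suspected amplification requests per (attack, claimed source)."""
    hits = Counter()
    for src, dst, proto, dport in packets:
        label = classify(src, dst, proto, dport)
        if label:
            hits[(label, src)] += 1
    return dict(hits)


def reflected_volume(requests: int, responding_hosts: int) -> int:
    """Replies the victim receives: every responding host answers every request."""
    return requests * responding_hosts


if __name__ == "__main__":
    print(detect(PACKETS))                              # who is being reflected at
    print(reflected_volume(requests=2, responding_hosts=250))
```

Detection is the second line; the first is to make the segment useless as an amplifier. RFC 2644 made "do not forward directed broadcasts" the router default (on Cisco IOS that is the `no ip directed-broadcast` interface setting), and a Linux host with `net.ipv4.icmp_echo_ignore_broadcasts = 1` will not answer a broadcast ping at all. The `reflected_volume` helper makes the segmentation argument concrete: two spoofed requests into a /24 with 250 live hosts become 500 replies at the victim.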
The text moves on to discuss web
site hosting. It reviews some common features that are
provided by most commercial and free hosting services, but pays
more attention to features that relate to e-commerce
sites:
disk space - How much space is included in your plan, and how
much do you need?
bandwidth - How much traffic will you have on your site,
including page reads, uploads, and transactions?
flexibility - Can you do what you want on the site, or are you
prevented from some activity you want as part of your business?
pricing - Can you afford the hosting service you are
considering, or the one you already have?
uptime guarantees - Is the hosting service up to providing
access by your customers when they want it?
backups - Things happen, don't they? Does the hosting service
keep backups of their clients' data? How often are they made?
Can we access copies of our own data?
security - The text tells us we must know what security is
used by the hosting provider. Sharing details with clients may
not be the best idea. What if the next attack comes from a
disgruntled client?
expectation of new services - Does the provider regularly
upgrade services provided? Will upgrades become available for a
price, once they are possible on the site?
support - What support is possible for frequent problems? How
about for rare problems? Is there an administrator or a web
master to consult?
Web hosting does not have to be done by a service company, if you
have the desire and knowledge to handle all the points above, as
well as to provide your own equipment and link to the Internet.
The text points out that a small company may not be able to
dedicate resources to this option. The text refers to this choice
as internal hosting, and the choice to use a hosting
company as external hosting.
Setting up a presence on the Internet also requires that there be
a URL for a customer to use, which means that you must have space
in someone's Internet domain, or you must register a domain
name of your own. This is the method most people on the
Internet choose, perhaps because it makes them look like they are
independent of anyone else. The text discusses doing a Whois
search for the domain name you want to register. This is not the
only way. You can run a search like that through the interface of
most domain registrars, as well.
The text discusses DNS service, how name resolution is passed up
and down the branches of the DNS tree (see page 95), and four ways
DNS can be attacked on page 96.
DDoS/DoS attacks - Flooding a particular DNS server
with requests can prevent it from responding to real requests.
This does not seem like a big deal at first, but this link takes
you to an article about DNS defense that starts with a story
about a botnet attack against a DNS service that affected many
of its clients.
Footprinting - This is tracking down network
information about a person or a website. This article discusses the concept more
fully, and leads you to tools that you can use to
determine what information is available about your sites.
Address spoofing - Address spoofing is impersonation,
temporarily transmitting and receiving with an IP address that
belongs to another device. This is more related to breaking
through firewalls than it is to DNS attacks, with one exception:
a DNS query sent with a forged source address makes the server
deliver its larger reply to the spoofed address, which is how DNS
reflection floods are built.
Redirection - This attack is discussed in the article
in the link under DoS attacks. It sends false DNS resolutions to
requesters (for example, by slipping a forged reply into a
resolver's cache), sending them to web sites that are not the
ones they wanted. This can be part of a larger scam, or it may be
done to boost hits on a web page.
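The redirection attack above works only if the forged reply is accepted. As an added example for this lesson (not code from the textbook or the linked article), the block below builds DNS messages in wire format and applies the checks a resolver makes before trusting a reply, the ones RFC 5452 describes: the 16-bit transaction ID, the UDP port the query left from, and the question section must all match the outstanding query, and the answer must be for the name that was asked. A reply failing any check is a redirection attempt and is dropped. The names, ports and addresses are constructed; 198.51.100.0/24 and 203.0.113.0/24 are documentation ranges.

```python
# Added example for this lesson, not code from the textbook or the linked
# article: minimal DNS wire-format builder plus the RFC 5452 acceptance checks
# a resolver applies to a reply before it believes the answer.
import struct

A_RECORD, IN_CLASS = 1, 1


def encode_name(name: str) -> bytes:
    # 'www.example.com' -> 3 'www' 7 'example' 3 'com' 0
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def decode_name(msg: bytes, off: int):
    """Read a possibly compressed name; return (name, offset after it)."""
    labels = []
    while True:
        n = msg[off]
        if n == 0:
            return ".".join(labels), off + 1
        if n & 0xC0 == 0xC0:                          # compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            tail, _ = decode_name(msg, ptr)
            return ".".join(labels + [tail]), off + 2
        labels.append(msg[off + 1:off + 1 + n].decode())
        off += 1 + n


def build_query(name: str, txid: int) -> bytes:
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD=1, one question
    return header + encode_name(name) + struct.pack("!HH", A_RECORD, IN_CLASS)


def build_answer(name: str, txid: int, ip: str, ttl: int = 300) -> bytes:
    """A response carrying one A record. The real server and the attacker build
    these the same way; only txid, arrival port and content differ."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)   # QR=1, RD, RA
    question = encode_name(name) + struct.pack("!HH", A_RECORD, IN_CLASS)
    rdata = bytes(int(o) for o in ip.split("."))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", A_RECORD, IN_CLASS, ttl, 4) + rdata
    return header + question + answer                 # \xc0\x0c points at the qname


def accept_response(state, reply: bytes, arrived_on_port: int):
    """state = (txid, qname, source_port) remembered when the query was sent.
    Return the A record's address if every check passes, else None."""
    txid, qname, sport = state
    rid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", reply[:12])
    if rid != txid or arrived_on_port != sport:
        return None                                   # ID or port mismatch
    if not flags & 0x8000 or qdcount != 1:
        return None                                   # not a response, or odd shape
    rname, off = decode_name(reply, 12)
    if rname.lower() != qname.lower():
        return None                                   # answers a different question
    off += 4                                          # skip qtype, qclass
    for _ in range(ancount):
        aname, off = decode_name(reply, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", reply[off:off + 10])
        off += 10
        rdata, off = reply[off:off + rdlen], off + rdlen
        if aname.lower() == qname.lower() and rtype == A_RECORD and rdlen == 4:
            return ".".join(str(b) for b in rdata)
    return None


if __name__ == "__main__":
    state = (0x1234, "www.example.com", 40000)        # what the resolver remembers
    genuine = build_answer("www.example.com", 0x1234, "198.51.100.10")
    forged = build_answer("www.example.com", 0x1235, "203.0.113.66")   # guessed txid
    print(accept_response(state, genuine, 40000))    # 198.51.100.10
    print(accept_response(state, forged, 40000))     # None
```

The transaction ID alone gives an off-path attacker a 1-in-65536 guess per forged packet, which is cheap to brute-force by sending many replies; randomizing the source port as well multiplies the work, and the question-name check stops a reply for one name from being cached as an answer for another. A resolver that skips any of these is the one that ends up handing out the attacker's addresses.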
The text introduces the seven-domains-of-a-network model
on page 97. The best thing about the discussion is that the author
spends less than a page on it. The author uses the model to
explain that our defense of our network regarding the Internet
takes place at the point where our network connects to a Wide
Area Network, typically our connection to our Internet
Service Provider.
The material that follows, through the end of the chapter, is just
basic advice about running and protecting a network. The summary
on page 107 hits the basic ideas, but it is written at a level for
end users. Review it