CISSP Prep: Network Attacks and Countermeasures

As a CISSP, you could wear any of a number of different hats at your company. However, more and more, the most important thing you can do is keep your organization safe from network attacks. This is why you’ll be asked to show your knowledge of the subject on the CISSP exam.

What Common Network Attacks Should I Know for the CISSP Exam?

In order to do well on your exam, you’ll want to understand the following common network attacks: what they are, how they work, and how to prevent them from happening.

Denial of Service (DoS)

DoS attacks have become increasingly popular, as they have become extremely easy to launch. People with only a moderate degree of technical skill can quickly employ a devastating attack against an individual’s website or an entire company’s.

The end result of this kind of attack can be an entire network going down, not just a site. Therefore, innocent people’s sites often become collateral damage simply because they shared a network with another party (who was, presumably, only guilty of making the wrong enemy).

The foundation of this attack is based on overwhelming the target. This can work in one of several ways:

• The network can be flooded.
• The connection between two computers can be disrupted.
• The services of specific systems or even a person can be attacked.
• An individual can be prevented from accessing their service.

The end results vary. People or companies can lose their Internet access, email services or, as we mentioned, their entire site can go offline. Some DoS attacks can consume all of a user’s bandwidth or even all of their system resources (e.g., their server memory).

Whatever the case, as we said, it starts with an overwhelming amount of traffic. An unmanageable amount – in terms of volume and the frequency in which it is sent – eventually accomplishes its goal.

For example, in the case of a small server, it may only be used to a small number of requests, say in the thousands. This is all that has ever needed to be supported in the past.

Then, a hacker decides to attack the server, so they send millions of requests at once. Naturally, it runs out of process space, swap space, or network connections and ceases operation.

What Countermeasures Should Be Taken Against DoS Attacks?

A CISSP should do the following to guard against DoS attacks:

• Install patches.
• Disable unneeded or unused network services. This will limit your exposure.
• Use quota systems for your operation systems.
• Establish baselines for acceptable activity and then use it to gauge unusual levels of activity that may signal an attack.
• Invest in fault-tolerant and redundant network configurations.

A big part of your defense will simply be remaining vigilant. Once your defenses are in place, you must make sure you’re aware of any red flags in terms of activity.

Eavesdropping

When most people think of eavesdropping, they imagine someone around the corner, listening to a conversation. Well, something very similar can happen over the Internet. Sometimes, it’s quite literal. Hackers can directly listen to digital or analog voice communications. However, they can intercept data passed through other media, as well.

Hackers use a specialized type of packet to monitor for specific types of data the criminal is interested in. When it senses this form of data, the information is recorded for the hacker to review.

For example, a local network using a HUB sends communications to every port, as non-recipients simply drop it. A “sniffer” can be used to grab all of that incoming data, which is now free to browse for the hacker.

What Countermeasures Should Be Taken Against Eavesdropping?

Encryption is the most important solution here. Only use applications and systems that have strong encryption applications. This is a simple, no-brainer solution every CISSP must be aware of.

That being said, it’s no longer sufficient all on its own, for a number of reasons. Another measure a CISSP should take is network segmentation. This will greatly limit the extent to which eavesdropping is possible.

Finally, NAC (network access control) and physical security are wise investments. Both of these will help prevent unauthorized users from getting on your network. After all, if a malicious party gets into your building, that’s really all it would take.

Impersonating/Masquerading

Another important type of network attack for a CISSP to know about is called masquerading, though you may also hear it referred to as impersonating. Either way, the approach is the same. The attack is carried out by a hacker using, essentially, a fake identity. For example, they may choose a network identity that will allow them access to personal computer information.

As they legitimately have the right credentials, no alarm bells go off, so the hackers basically walk right into your network’s secure areas.

The most common examples of masquerade attacks are perpetrated with the use of stolen passwords or other login credentials. The hacker could acquire them in any number of ways. Usually, it’s by finding gaps in programs or a way around the network’s authentication process.

Of course, the severity of a masquerade attack can vary greatly. Acquiring the login credentials that belong to someone in the mailroom is a lot different than obtaining those of the CEO or another executive.

Unfortunately, these types of attacks often happen because employees are being lazy. A hacker could use a terrifying piece of software called a keylogger to log every key you type on your computer (hence the name).This would make it very easy for them to access your passwords.

However, bad people don’t need this software or the knowledge of how to use it when employees leave terminals without logging out. A malicious coworker could quickly use another’s credentials to pull off a masquerading attack.

As with so many forms of cybercrime, phishing can be the source. Someone pretending to be an IT expert can send out hundreds of emails to employees. It only takes one to comply by handing over credentials for that hacker to begin their crime spree.

CISSP Training – Resources (InfoSec)

What Countermeasures Should Be Taken Against Masquerading?

One very common approach against this form of attack is to use innovative algorithms to detect suspicious actions on your network. For example, if someone who works in the business department tries to access HR’s database, this might be a sign something is amiss.

As a CISPP, a big part of your job is building awareness amongst the staff, too. This is a good remedy against masquerading, phishing, and other forms of cybercrime, as well. Employees need to understand the importance of logging out if they’re away from their terminals. They must be suspicious about emails that come out of the blue and request sensitive data and you should encourage them, when in doubt, to simply call the sender to confirm the message is truly from a trusted party.

Replay Attacks

Replay attacks get this name because they’re carried out by a hacker who essentially replays an authentication session to trick a computer into granting them access. Any retransmission of network data transmissions for the sake of unauthorized access to a system would fall under this type of attack.

A valid transmission can also be delayed to achieve the same result. Replay attacks and masquerading attacks are often used together. Once a replay attack is successful, the hacker can then leverage the credentials for masquerading.

Let’s use an example to make this easier to understand. Say you request access from a system. That system responds that you must first provide your password. You comply but, when you do, a third party intercepts the password. While you’re waiting for access to be granted, this third party requests it, is asked for a password and responds with yours.

What’s really scary about this kind of attack is that it can be done even when encryption is used. The hacker doesn’t actually need to know the contents of the message. They just have to resend it in many cases.

What Countermeasures Should Be Taken Against Replay Attacks?

If encryption can’t save you, what possible countermeasures can you take against replay attacks?

One option is an anti-replay protocol that leverages packet sequence numbers. When the source sends a message, it automatically adds a sequence number to the packet. This number starts at zero and goes up by one for every subsequent packet.

The destination keeps a “sliding window” record of the numbers used so far by validated packets it’s received. Any packet that has a sequence number below the lowest in this sliding window or which already appears in it is rejected.

Any time a validated packet is accepted, the sliding window is updated. Subsequently, the lowest number in the window is displaced (if it was already full).

Modification Attacks

This kind of attack deletes, inserts, and alters information in a way that is meant to make these actions look valid to the user. As such, they can be very difficult to detect.

Traditionally, most people in the industry used to think about these kinds of attacks as someone changing an email so it included malicious content or modifying the numbers on an electronic bank transfer.

CISSPs need to be aware of far more subtle versions, though. For example, someone could send an encrypted email to their intended party, but you’re able to intercept it and change the IP address – its destination. Now, the message gets forwarded right to you.

If you were able to do this, the encryption wouldn’t matter much. That’s because this forwarding maneuver would give you the decrypted version you need.

What Countermeasures Should Be Taken Against Modification Attacks?

To defend against this sneaky type of attack, leverage authenticated encryption with associated data (AEAD), which will perform encryption and authentication at the same time. It uses a block cipher and a single key together. As a result, the cipher text won’t get tampered with but neither will any unencrypted text accompanying it. Though this is a new form of protection, it’s quickly become a standby because of these attacks.

Note, too, that, as a CISSP, this is another example where it’s so important to increase awareness amongst your ranks. Even if a communication is mundane and carries no sensitive data, a hacker may still be interested in it. You could be sending a coworker your plans for lunch, but they could turn that message into something else completely.

DNS Poisoning/Spoofing/Hijacking

Domain name servers are like the phone book. They’re a directory of all the domain names and their corresponding IP addresses. Without DNSs, people would have to remember long numerical IP addresses instead of the simple words used for URLs.

As you might expect, something this important has also become a target for hackers. They can hijack a DNS so that your browser doesn’t go to the right “phonebook” to resolve your request for a URL. Instead, it gets sent to one of theirs and a dangerous site is returned.

Wouldn’t people recognize the site they got wasn’t the one they wanted? Sadly, no. Think about the homepage of Facebook before you log in. You probably visit enough that you take it for granted. You just automatically look for where to supply your login credentials.

Other hackers don’t care. Maybe they hate your company and want people to know why. They start using DNS hijacking to ensure that when people try to visit your site, they go to a different site containing criticisms against your organization.

What Countermeasures Should Be Taken Against DNS Hijacking?

CISSPs should use industry-leading anti-malware software to prevent DNS hijacking from happening. A strong firewall is important too, especially one that is based on hardware. Part of your job will be staying abreast of which are the best options the industry has to offer.

Regularly check to see if a DNS changer has changed yours. If it has, change your DNS settings right away.

Being a CISSP comes with a lot of requirements, not the least of which is keeping your company safe from the every-growing list of potential cyber attacks. However, at least you know which ones are the most common and what steps you can take to defend against them.

Sources

http://www.thewindowsclub.com/what-is-dns-hijacking-prevention

http://www.webopedia.com/DidYouKnow/Internet/DoS_attack.asp

http://www.thewindowsclub.com/what-is-dns-hijacking-prevention

http://www.computerweekly.com/opinion/How-to-defend-against-data-integrity-attacks

https://www.incapsula.com/ddos/ddos-attacks/denial-of-service.html

http://searchsecurity.techtarget.com/definition/denial-of-service

http://www.computerweekly.com/opinion/Tackling-the-network-eavesdropping-risk

https://www.techopedia.com/definition/13612/eavesdropping

http://www.cisco.com/c/dam/global/en_ae/assets/exposaudi2009/assets/docs/layer2-attacks-and-mitigation-t.pdf

http://www.careerride.com/Networking-replay-attacks.aspx

http://www.comptechdoc.org/independent/security/terms/replay-attack.html

https://sites.google.com/a/pccare.vn/it/security-pages/authentication-attacks-and-countermeasures

http://whatis.techtarget.com/definition/active-attack

http://etutorials.org/Networking/802.11+security.+wi-fi+protected+access+and+802.11i/Part+I+What+Everyone+Should+Know/Chapter+4.+Different+Types+of+Attack/Classification+of+Attacks/

Be Safe

Section Guide

Ryan
Fahey

View more articles from Ryan

Earn your CISSP the first time with InfoSec Institute and pass your exam, GUARANTEED!

Learn More!