What process blocks unauthorized users from getting into a computer system?

Mobile Computing

Ric Messier, in Collaboration with Cloud Computing, 2014

Jailbreaking

Another way of extending capabilities of a mobile device is jailbreaking it. This involves exploiting a vulnerability in order to introduce unauthorized applications onto the device. This is how iPhone users get more applications and gain more direct access to both the operating system as well as the file system. In addition to the lack of control, there are a couple of legitimate concerns around jailbreaking. The first one is the possibility of introducing malware onto the phone since there isn’t the strict control over apps that get added after the jailbreak. Jailbreaking doesn’t prevent you from adding apps through the App Store, it just adds an additional means of obtaining apps. Once you have performed a jailbreak on your phone, you not only get access to an additional set of apps, you also get the ability to replace the default apps that Apple provides.

The network providers are concerned about the impact of jailbreaking on their network and that is a mixture of issues. The first is that jailbreaking may open the door to malicious software, and malicious software may generate a lot of network traffic. If a large number of iPhones were suddenly involved in a botnet and that botnet were called into service to create a distributed denial of service attack, it would be a critical issue for the network provider. There are a number of applications that are available through Cydia, the jailbreak equivalent of an app store, that may create more network traffic through the provider’s network.

They are also concerned, apparently, about the possibility of malicious software on the mobile devices attacking the network from the inside. They may be concerned that a mobile device running an OS that has been jailbroken could start sending malformed protocol requests to the network and that could have a negative impact, including the possibility of knocking cells offline, causing an outage. Any phone that has jailbroken software on it could potentially have more direct access to the cellular radio and that could be of some concern to the network providers. Apple also has concerns with devices that have been jailbroken, but that’s mostly a concern about the user experience. If the user jailbreaks their phone, they won’t be getting the experience Apple wants them to have, and they have legitimate concerns about an increase in support requests to repair phones that have been altered in this way.

Android is an open-source operating system and, as a result, there have been a lot of groups who have created distributions to run on mobile devices designed for Android. All of these distributions are based around a particular version of the operating system, but they may have added additional features or created a different look to the phone that may be more appealing to users. These custom ROMs, as they are called, are easily available, though it may take some effort to install one of them on your device. This is because there is a boot loader involved. The boot loader is the component of the operating system that locates and boots the actual operating system kernel. The phone manufacturers generally protect the boot loader in order to keep from having the custom ROMs installed on the phones, protecting the integrity of the device, its functionality, and the user experience they expect you to have.

Android is a very developer-friendly operating system. You can see this just by looking through the settings menus where you will find a Developer Options menu, as shown in Figure 7.4. Anyone can download the Android Developer Kit (ADK) and turn their phone or tablet into a development system, including using the ADK tools to directly interface with the phone as long as the phone is plugged into the computer where the ADK tools are located. This is part of why you can see the USB debugging switch. If you enable USB debugging, you can send commands directly to the phone over the USB cable to perform actions like rebooting the phone or installing software to it.


Figure 7.4. Developer Options on Android Phone

The difference between custom ROMs and a jailbroken iOS is that custom ROMs don’t unlock any new, otherwise unsupported apps. In order to get additional access on your phone or tablet, you need to get root access on your phone. It’s called root access because it’s named after the superuser account under UNIX/Linux systems. iOS and Android are both UNIX-based operating systems. Android is based on Linux while iOS is a custom version of Mac OS X, which is based on BSD UNIX. Normally, you would have the access of a regular user but after getting root access, you have complete control over the device to make any changes you want to make. This is, of course, a potentially dangerous proposition, depending on how skilled you are with these types of operating systems. In reality, the difference between a custom ROM on an Android device and getting an iPhone or iPad that has been jailbroken is fairly large. In the case of the iOS device, you can get direct access to the file system where you otherwise can’t. This can include making changes to operating system files. In the case of Android, you can get to the file system at any point if you want to install a file manager. In the case of my Galaxy S4, it came with a file manager already installed when I took it out of the box. This provided me the ability to move data easily between the internal storage and the SD card I installed to get some additional storage space.


URL: https://www.sciencedirect.com/science/article/pii/B9780124170407000071

Introducing Nmap

Angela Orebaugh, Becky Pinkard, in Nmap in the Enterprise, 2008

Using Nmap for Security Auditing

Security auditing can be defined as creating a set of controls specific to the technology or infrastructure being reviewed and then applying those controls, like a filter, to your environment. Any gaps in or outside that filter become audit points and could negatively impact the audit’s overall assessment of your security framework.

Nmap can assist with such audit needs as:

Auditing firewalls by verifying the firewall filters are operating properly.

Searching for open ports on perimeter devices (perimeter being anything from Internet-edge, to extranet or intranet boundary lines).

Performing reconnaissance for certain versions of services.

Utilizing the OS detection feature to pin-point outdated or unauthorized systems on your networks.

Discovering unauthorized applications and services.

Tools & Traps…

Knoppix-based ISOs

Thanks to Knoppix-based bootable live CDs, it has become quite easy to get up and running with a well-rounded arsenal of security tools at your fingertips. With the power of Knoppix, you can put a CD or DVD into your workstation and boot up into a full-blown Linux operating system. Going a step further, many sites have sprung up over the past few years that have taken Knoppix and tweaked the available tools to create bootable distributions (distros) with specific security toolsets. For example, let’s imagine you are new to Linux and would like to test out Nmap on the Linux platform, but don’t have the time to install the Linux operating system and then figure out how to get Nmap compiled and running. Instead you can grab a copy of BackTrack, a very popular security Knoppix-based distro available from www.remote-exploit.org/backtrack.html. BackTrack contains approximately 255 different security and hacking tools, including some of the more well-known ones like Nmap.


URL: https://www.sciencedirect.com/science/article/pii/B9781597492416000029

Troubleshooting Traffic for Network Optimization

Robert J. Shimonski, ... Yuri Gordienko, in Sniffer Pro Network Optimization and Troubleshooting Handbook, 2002

Solutions Fast Track

Fine-Tuning Your Network and Performing Proactive Maintenance

The three elements to a healthy network are speed, reliability, and security.

Baselining your network gives you a point from which to determine the extent of a problem or if it's time to upgrade.

Use the Host Table to discover unknown network systems or resources.

Monitor your network Internet ports for unauthorized applications.

Finding Unnecessary Protocols with Sniffer Pro

Every protocol on the network has a cost in bandwidth and system processing time.

AppleTalk is a very chatty protocol and can often be replaced with TCP/IP.

NetWare's IPX/SPX protocols can decrease available bandwidth if not used correctly.

Optimizing LAN and WAN traffic with Sniffer Pro

The Spanning Tree Protocol (STP) improves switch performance by setting ideal paths on the network and removing redundant ones.

When using STP, your switches will use BPDUs to exchange information.

When attached directly to a switch, Sniffer Pro can mirror a port to decrease the load on the port being monitored.

Ethernet Optimization

Ethernet can experience collisions, but is generally faster and less expensive than Token Ring.

To optimize Ethernet traffic, keep the collision domain size to a minimum. If you are still using hubs, you need to monitor this closely and make sure utilization is within specs.

Hardware-related errors such as jabbers, long or short frames, and CRC errors can be hard to diagnose.

NetWare Optimization and Microsoft Optimization

Place reference time servers strategically to decrease time synchronization messages.

Adjust the SPX keepalive parameters to decrease the amount of keepalive messages sent out on the network.

Make sure your Microsoft Server is optimally configured to utilize the system RAM.

Make sure your Microsoft WINS servers are replicating correctly.


URL: https://www.sciencedirect.com/science/article/pii/B9781931836579500162

Advanced Security Configurations

Brien Posey, in GFI Network Security and PCI Compliance Power Tools, 2009

File Type Restrictions

One of the ideas that I have tried to stress in this chapter is that although security geeks love blanket denial policies, they are rarely suitable for the real world. A lot of times you can't completely deny access to devices, because the users have legitimate business needs that require them to use the devices that you probably wish that you could completely block.

If you find yourself in this kind of dilemma, you will be happy to know that one additional way that you can regulate device access is by controlling what types of files users can use with the devices.

For example, suppose that I need my users to be able to use USB flash drives for whatever reason. At the same time, however, I know that Troy Thompson (uber geek and Technical Editor for this book) is the lead guitarist for the heavy metal/gospel band Bride (www.bridepub.com), and that Bride is working on a new album. Troy would probably get a little bit upset if my users were bringing in bootleg copies of his new album on their USB flash drives, so it might be a good idea to block access to MP3 files now, to avoid any copyright issues later on when the new album is released.

If this situation were to occur in the real world, I could just set up a protection policy that says that my users have access to USB devices, but that they aren't allowed to have access to any .MP3 or .WMA files residing on USB media.

We can accomplish this configuration through a file type filter. To create a file type filter such as the one that I just described, perform the following steps:


File type filters will only work if the specified users have access to the device. Otherwise, access is denied regardless of any file type filters that may exist.

Are You Owned?

Preventing Executable Files

Even if you aren't particularly concerned with limiting the types of files that a user can access through an end point device, it's a good idea to block access to executable files. This helps to prevent users from installing unauthorized applications, or from infecting the organization with malicious code.

1. Select the management console's Configuration tab, and then click on your protection policy.

2. Click on the File Type Filter link located in the console's File Control section.

3. Windows will now launch the File-Type Filter dialog box. Select the Allow All Files But Block The Usage of the Following File Types option, as shown in Figure 10.16.

4. Click the Add button.

5. Select the .MP3 option from the File Type drop down list.

6. Click the Add button.

7. Verify that your domain is listed in the From This Location field.

8. Enter the name of the security group that you want the file type ban to apply to.

9. Click the Check Names button to verify the group name.

10. Click OK.

11. The File-Type Filter dialog box should now display the file type and the group that you want to restrict, as shown in Figure 10.17. If you need to add additional security groups to the list, click the Add button, and repeat the procedure that you have just performed.

12. Click OK to return to the main File-Type Filter screen. As you can see in Figure 10.18, you can use this screen to view any existing file filters for the protection group, or to create, edit, or remove file type filters.

13. When you are done, click OK.

Figure 10.16. Choose the Option to Allow All Files But Block the Usage of the Following File Types

Figure 10.17. The File-Type Filter Dialog Box Should Display the Filter That You Have Just Created

Figure 10.18. You Can Use the Main File-Type Filter Screen to Create Additional Filters, or to Edit or Remove Existing Filters

The File-Type Filter dialog box also gives you the option of only allowing specific types of files, rather than allowing all files other than the types that you specify.


URL: https://www.sciencedirect.com/science/article/pii/B9781597492850000108

Exception, Anomaly, and Threat Detection

Eric D. Knapp, Joel Thomas Langill, in Industrial Network Security (Second Edition), 2015

Smart-Lists

The term “Smart-Lists” was first introduced at the SANS Institute’s 2010 European SCADA and Process Control Summit in London, United Kingdom. “Smart-Listing” combines the concept of behavioral whitelisting with a degree of deductive intelligence. Where blacklists block what is known to be bad, and whitelists only allow what is known to be good, Smart-Lists use the latter to help dynamically define the former.

For example, if a critical asset is using AWL to prevent malicious code execution, the AWL software will generate an alert when an unauthorized application attempts to execute. What can now be determined is that the application is not a known good application for that particular asset. However, it could be a valid application that is in use elsewhere, and has attempted to access this asset unintentionally. A quick correlation against other whitelists can then determine if the application under scrutiny is an acceptable application on other known assets. If it is, the “Smart-Listing” process might result in an informational alert and nothing more. However, if the application under scrutiny is not defined anywhere within the system as a known good application, the Smart-Listing process can deduce that it is malicious in nature. It then defines it within the system as a known bad application and proactively defends against it by initiating a script or other active remediation mechanism to block that application wherever it might be detected.

“Smart-Listing” therefore combines what we know from established whitelists with deductive logic in order to dynamically adapt our blacklist security mechanisms (such as firewalls and IPS devices) to proactively block newly occurring threats. This process is illustrated in Figure 11.5. First, an alert is generated that identifies a violation of an established policy. Next, the nature of that alert is checked against other system-wide behavior. Finally, a decision is made—if it is “bad” a script or other automation service may be used to dynamically update firewall, IDS/IPS, and other defenses so that they can actively block this activity. If not, the activity might generate an alert, or be ignored.
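The three-step Smart-Listing decision (alert, system-wide correlation, decide and remediate) as an added example in Python; this is illustrative code, not from the book or any vendor product. Asset and application names are constructed, and the "active remediation" is returned as a list of action strings rather than pushed to real firewall or IPS devices.

```python
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class SmartList:
    """Correlates an AWL violation on one asset against every other asset's whitelist."""

    # asset name -> applications known good on that asset (the established whitelists)
    whitelists: dict[str, set[str]]
    # applications the process has deduced to be bad anywhere in the system
    blacklist: set[str] = field(default_factory=set)

    def assets_allowing(self, app: str) -> list[str]:
        """Step 2: check the alerted application against all other whitelists."""
        return sorted(asset for asset, wl in self.whitelists.items() if app in wl)

    def handle_awl_alert(self, asset: str, app: str) -> dict:
        """Steps 1-3 for a single AWL alert of `app` attempting to run on `asset`.

        Returns the decision plus the remediation actions a script would carry out
        (returned here as strings; a real deployment would push firewall/IPS rules).
        """
        if app in self.whitelists.get(asset, set()):
            # Sanity check on step 1: the app is known good on this very asset.
            return {"decision": "ignore", "known_good_on": [asset], "actions": []}

        elsewhere = self.assets_allowing(app)
        if elsewhere:
            # Known good somewhere else: probably reached this asset unintentionally,
            # so an informational alert is all that is warranted.
            return {
                "decision": "informational",
                "known_good_on": elsewhere,
                "actions": [f"alert: {app} blocked on {asset}; valid on {', '.join(elsewhere)}"],
            }

        # Known good nowhere: deduce malicious, record it, and block it system-wide.
        self.blacklist.add(app)
        return {
            "decision": "block",
            "known_good_on": [],
            "actions": [
                f"firewall: deny {app}",
                f"ips: add signature for {app}",
                *(f"awl: block {app} on {a}" for a in sorted(self.whitelists)),
            ],
        }


def replay_alerts(smart: SmartList, alerts: list[tuple[str, str]]) -> dict[str, int]:
    """Run a batch of (asset, app) AWL alerts and count the decisions by type."""
    counts = {"ignore": 0, "informational": 0, "block": 0}
    for asset, app in alerts:
        counts[smart.handle_awl_alert(asset, app)["decision"]] += 1
    return counts


if __name__ == "__main__":
    # Constructed sample: two ICS assets with hypothetical whitelists.
    sl = SmartList({"hmi-01": {"hmi.exe", "scada.exe"},
                    "historian-01": {"hist.exe", "scada.exe"}})
    print(sl.handle_awl_alert("hmi-01", "hist.exe"))     # informational
    print(sl.handle_awl_alert("hmi-01", "dropper.exe"))  # block
    print(sorted(sl.blacklist))
```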


Figure 11.5. Smart-listing.

Smart-Listing is a relatively new concept that could greatly benefit zone defenses by allowing them to automatically adapt to evasive attacks as well as insider attacks. Smart-Listing is especially compelling when used with overarching security management tools (see Chapter 12, “Security Monitoring of Industrial Control Systems”), as it requires complex event association and correlation. Although it has yet to be determined how widely security analysis and information management vendors will adopt this technique and whether ICS suppliers will endorse this approach, at present the techniques can be performed manually, using any number of log management or SIEM tools.


URL: https://www.sciencedirect.com/science/article/pii/B9780124201149000113

Preventing System Intrusions

Michael West, in Network and System Security (Second Edition), 2014

13 Intrusion Prevention Capabilities

As previously mentioned, host-based IPS agents offer various intrusion prevention capabilities. Because the capabilities vary based on the detection techniques used by each product, the following activities (see checklist: “An Agenda for Action for Intrusion Prevention Activities”) describe the capabilities by detection technique.

An Agenda for Action for Intrusion Prevention Activities

From the organizational perspective, preventing intrusions includes the following key activities (check all tasks completed):

_____1. Code Analysis: The code analysis techniques can prevent code from being executed, including malware and unauthorized applications.

_____2. Network Traffic Analysis: This can stop incoming network traffic from being processed by the host and outgoing network traffic from exiting it.

_____3. Network Traffic Filtering: Working as a host-based firewall, this can stop unauthorized access and acceptable use policy violations (use of inappropriate external services).

_____4. Filesystem Monitoring: This can prevent files from being accessed, modified, replaced, or deleted, which could stop malware installation, including Trojan horses and rootkits, as well as other attacks involving inappropriate file access.

_____5. Removable Media Restriction: Some products can enforce restrictions on the use of removable media, both Universal Serial Bus (USB-based, or flash drive) and traditional (CD). This can prevent malware or other unwanted files from being transferred to a host and can also stop sensitive files from being copied from the host to removable media.

_____6. Audiovisual Device Monitoring: A few host-based IPS products can detect when a host’s audiovisual devices, such as microphones, cameras, or IP-based phones, are activated or used. This could indicate that the host has been compromised by an attacker.

_____7. Host Hardening: Some host-based intrusion detection and prevention systems (IDPSs) can automatically harden hosts on an ongoing basis. For example, if an application is reconfigured, causing a particular security function to be disabled, the IDPS could detect this and enable the security function.

_____8. Process Status Monitoring: Some products monitor the status of processes or services running on a host, and if they detect that one has stopped, they restart it automatically. Some products can also monitor the status of security programs such as antivirus software.

_____9. Network Traffic Sanitization: Some agents, particularly those deployed on appliances, can sanitize the network traffic that they monitor. For example, an appliance-based agent could act as a proxy and rebuild each request and response that is directed through it. This can be effective at neutralizing certain unusual activity, particularly in packet headers and application protocol headers.


URL: https://www.sciencedirect.com/science/article/pii/B9780124166899000022

Preventing System Intrusions

Michael A. West, in Computer and Information Security Handbook (Third Edition), 2013

14 Summary

This chapter has made it very apparent that preventing network intrusions is no easy task. Like cops on the street—usually outnumbered and underequipped compared to the bad guys—you face enemies with determination, skill, training, and a frightening array of increasingly sophisticated tools for hacking their way through your best defenses. And no matter how good your defenses are today, it's only a matter of time before a tool is developed that can penetrate them. If you know that ahead of time, you'll be much more inclined to keep a watchful eye for what “they” have and what you can use to defeat them.

Your best weapon is a logical, thoughtful, and nimble approach to network security. You have to be nimble—to evolve and grow with changes in technology, never being content to keep things as they are because “Hey, they're working just fine.” Well, today's “just fine” will be tomorrow's “What the hell happened?”

Stay informed. There is no shortage of information available to you in the form of white papers, seminars, contract security specialists, and online resources, all dealing with various aspects of network security.

Invest in a good intrusion detection system. You want to know, as soon as possible, that a breach has occurred, what was stolen, and, if possible, where it went.

Have a good, solid, comprehensive, yet easy-to-understand network security policy in place. The very process of developing one will get all involved parties thinking about how to best secure your network while addressing user needs. When it comes to your users, you simply can't overeducate them where network security awareness is concerned. The more they know, the better equipped they'll be to act as allies against, rather than accomplices of, the hordes of crackers looking to steal, damage, hobble, or completely cripple your network.

Do your research and invest in good, multipurpose network security systems. Select systems that are easy to install and implement, are adaptable and quickly configurable, can be customized to suit your needs of today as well as tomorrow, and are supported by companies that keep pace with current trends in cracker technology.

An Agenda for Action for Intrusion Prevention Activities

From the organizational perspective, preventing intrusions includes the following key activities (check all tasks completed):

_____1. Code Analysis: The code analysis techniques can prevent code from being executed, including malware and unauthorized applications.

_____2. Network Traffic Analysis: This can stop incoming network traffic from being processed by the host and outgoing network traffic from exiting it.

_____3. Network Traffic Filtering: Working as a host-based firewall, this can stop unauthorized access and acceptable use policy violations (use of inappropriate external services).

_____4. Filesystem Monitoring: This can prevent files from being accessed, modified, replaced, or deleted, which could stop malware installation, including Trojan horses and rootkits, as well as other attacks involving inappropriate file access.

_____5. Removable Media Restriction: Some products can enforce restrictions on the use of removable media, both Universal Serial Bus (USB-based, or flash drive) and traditional (CD). This can prevent malware or other unwanted files from being transferred to a host and can also stop sensitive files from being copied from the host to removable media.

_____6. Audiovisual Device Monitoring: A few host-based IPS products can detect when a host's audiovisual devices, such as microphones, cameras, or IP-based phones, are activated or used. This could indicate that the host has been compromised by an attacker.

_____7. Host Hardening: Some host-based intrusion detection and prevention systems (IDPSs) can automatically harden hosts on an ongoing basis. For example, if an application is reconfigured, causing a particular security function to be disabled, the IDPS could detect this and enable the security function.

_____8. Process Status Monitoring: Some products monitor the status of processes or services running on a host, and if they detect that one has stopped, they restart it automatically. Some products can also monitor the status of security programs such as antivirus software.

_____9. Network Traffic Sanitization: Some agents, particularly those deployed on appliances, can sanitize the network traffic that they monitor. For example, an appliance-based agent could act as a proxy and rebuild each request and response that is directed through it. This can be effective at neutralizing certain unusual activity, particularly in packet headers and application protocol headers.

Finally, let's move on to the real interactive part of this chapter: review questions/exercises, hands-on projects, case projects, and optional team case project. The answers and/or solutions by chapter can be found in the Online Instructor's Solutions Manual.


URL: https://www.sciencedirect.com/science/article/pii/B9780128038437000077

Data and application analysis

In iPhone and iOS Forensics, 2011

Geographical info

Many apps, both default and third party, store GPS data on the iPhone. As an example, both the Camera and Google Maps applications prompt the user to store their current GPS location prior to taking a picture or searching for directions. This type of data is stored within the iPhone's file system and can be recovered.

File system layout

/private/var/root/Library/Caches/locationd: Some of the following files may or may not appear in the locationd folder, depending on the firmware version running on the device. Listed here are the files that contain significant data, and a couple of these are discussed in further detail in the “Databases/plists” section that follows.

cache.plist: Contains the device's last GPS fix.

cells.plist: Contains information related to the cell towers the device was connected to and the date and time of connection.

clients-b.plist: Contains a list of “blacklisted” or unauthorized applications.

h-cells.plist: Contains additional information on cell tower logs, including GPS coordinates and timestamps.

consolidated.db: Contains cell tower logs, GPS coordinates, and wireless connections specific to the device as well as timestamps for each of these occurrences.

Databases/plists

consolidated.db

The files contained in the locationd folder will vary depending on the iOS version. iOS 4 devices now contain the “consolidated.db” file. It contains a wealth of GPS data, cell tower logs, and Wi-Fi connection information. This database has been discussed in the “iPhone Data Storage Locations” section earlier in this chapter; however, its contents are summarized here as well. The following is a listing of the tables contained within this database:

Cell

CellLocation

CellLocationBoxes

CellLocationBoxes_node

CellLocationBoxes_parent

CellLocationBoxes_rowid

CellLocationCounts

CellLocationHarvest

CellLocationHarvestCounts

CompassSettings

Fences

Location

LocationHarvest

LocationHarvestCounts

Wifi

WifiLocation

WifiLocationCounts

WifiLocationHarvest

WifiLocationHarvestCounts

The main tables on which an examiner should focus his or her analysis are CellLocation and WifiLocation; however, the other tables should also be reviewed to ensure that no information is missed. For complete details related to the interpretation of the information contained in the CellLocation and WifiLocation tables, refer to the earlier section on “Geographical Location Data.”

cache.plist

This file contains what is referred to as the last GPS fix on the device. More specifically, it contains the most recent GPS location the device recorded before being powered off or disconnected from Wi-Fi/cellular networks. At the beginning of this file, the following data is displayed:

CLLocationCore::kLastFix

Altitude: 0.0

HorizontalAccuracy: 500

Latitude: 41.873892060000003

Lifespan: -1

Longitude: -87.794191889999993

Suitability: 65534

SupportInfo

kCLSupportInfoCell

    kCLSupportInfoCell_CI: 12781

    kCLSupportInfoCell_Index: 0

    kCLSupportInfoCell_LAC: 21205

    kCLSupportInfoCell_MCC: 310

    kCLSupportInfoCell_MNC: 410

    kCLSupportInfoCell_RSSI: -105

    kCLSupportInfoCell_TA: -1

    kCLSupportInfoCell_TATime: 0.0

kCLSupportInfoCell_Mineable

kCLSupportInfoPos_Technology: kCLSupportInfoPos_Technology_Cell

Timestamp: 304616134.30302697

VerticalAccuracy: -1

In the very first line, the “kLastFix” key is displayed, followed by a long list of data. The latitude and longitude coordinates are displayed, which must be converted in order to recover the actual address of that location (Google Maps can be used for this purpose, as can a web search for “GPS coordinates converter”). Cell tower information is also listed, and the Timestamp is shown in OS X epoch time.

cells.plist

This file contains information on the cell towers that the device was connected to. The following is an example of the data structure within cells.plist:

key: 310,410,0x1e7a
string: 2,+41.88355916,-87.62691020,8000.000000,240,304557710.149

key: 310,410,0x1e94
string: 2,+41.93214869,-87.64807087,8000.000000,240,304557710.149

key: 310,410,0x52d3
string: 2,+41.95102542,-87.92777836,13030.000000,240,304557710.149

key: 310,410,0x52d4
string: 2,+41.87647861,-87.62853527,8000.000000,240,304557710.149

Within the “key” tags is the MCC, the MNC, and the LAC in hex. To convert from hex to decimal, an examiner can use a calculator or a web search for “hex to decimal converter.”

Within the “string” tags are latitude and longitude coordinates as well as a timestamp in OS X Epoch time. Information within this file is very similar to that shown in the “CellLocation” table of the consolidated.db file.
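An added Python example (not from the book) that does the two conversions the text calls for on cells.plist records, hex LAC to decimal and OS X epoch timestamps to UTC, and then applies the analyst-notes check that follows: flagging records that place the device at several coordinates at the same timestamp. The sample pairs are the ones shown above; only latitude, longitude and the timestamp are interpreted, and the other fields, which the text does not label, are kept as raw strings.

```python
from __future__ import annotations

from collections import defaultdict
from datetime import datetime, timedelta, timezone
from typing import NamedTuple

# iOS location files store time as seconds since 2001-01-01 00:00:00 UTC
# (Core Foundation absolute time, the "OS X epoch" referred to in the text).
OSX_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)


def osx_epoch_to_utc(seconds: float) -> datetime:
    """Convert an OS X epoch timestamp (e.g. the cache.plist Timestamp) to UTC."""
    return OSX_EPOCH + timedelta(seconds=seconds)


class CellRecord(NamedTuple):
    mcc: int
    mnc: int
    lac_hex: str                 # as stored in the plist <key>
    lac: int                     # decimal form, comparable with cache.plist / consolidated.db
    latitude: float
    longitude: float
    timestamp: datetime
    raw_fields: tuple[str, ...]  # every <string> field verbatim, including the unlabelled ones


def parse_cell_record(key: str, value: str) -> CellRecord:
    """Parse one cells.plist <key>/<string> pair.

    key   : "MCC,MNC,0xLAC"
    value : "<n>,+lat,-lon,<n>,<n>,<osx_timestamp>"  (fields other than lat,
            lon and the final timestamp are not documented in the text)
    """
    mcc, mnc, lac_hex = (p.strip() for p in key.split(","))
    fields = [p.strip() for p in value.split(",")]
    if len(fields) < 4:
        raise ValueError(f"unexpected cells.plist value: {value!r}")
    return CellRecord(
        mcc=int(mcc),
        mnc=int(mnc),
        lac_hex=lac_hex,
        lac=int(lac_hex, 16),
        latitude=float(fields[1]),
        longitude=float(fields[2]),
        timestamp=osx_epoch_to_utc(float(fields[-1])),
        raw_fields=tuple(fields),
    )


def parse_cells_plist(pairs: list[tuple[str, str]]) -> list[CellRecord]:
    """Parse a list of (key, string) pairs extracted from cells.plist."""
    return [parse_cell_record(k, v) for k, v in pairs]


def simultaneous_locations(records: list[CellRecord]) -> dict[datetime, list[CellRecord]]:
    """Return timestamps at which the records give more than one distinct coordinate.

    This is the situation the analyst notes warn about: the same timestamp
    placing the device at several geographic locations at once.
    """
    by_ts: dict[datetime, list[CellRecord]] = defaultdict(list)
    for rec in records:
        by_ts[rec.timestamp].append(rec)
    return {ts: recs for ts, recs in by_ts.items()
            if len({(r.latitude, r.longitude) for r in recs}) > 1}


# Sample pairs in the format shown above (values copied from the text).
SAMPLE_CELLS = [
    ("310,410,0x1e7a", "2,+41.88355916,-87.62691020,8000.000000,240,304557710.149"),
    ("310,410,0x1e94", "2,+41.93214869,-87.64807087,8000.000000,240,304557710.149"),
    ("310,410,0x52d3", "2,+41.95102542,-87.92777836,13030.000000,240,304557710.149"),
    ("310,410,0x52d4", "2,+41.87647861,-87.62853527,8000.000000,240,304557710.149"),
]

if __name__ == "__main__":
    for rec in parse_cells_plist(SAMPLE_CELLS):
        print(f"MCC {rec.mcc} MNC {rec.mnc} LAC {rec.lac_hex} = {rec.lac}  "
              f"{rec.latitude:+.6f},{rec.longitude:+.6f}  {rec.timestamp.isoformat()}")
    # cache.plist Timestamp from the dump above
    print("kLastFix at", osx_epoch_to_utc(304616134.30302697).isoformat(timespec="seconds"))
    for ts, recs in simultaneous_locations(parse_cells_plist(SAMPLE_CELLS)).items():
        print(f"{ts.isoformat(timespec='seconds')}: {len(recs)} distinct cells at one time")
```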

Analyst notes

While these files appear to contain very important information on where the device was, what cell towers it was connected to, and the specific dates and times of these occurrences, it is also important to note that there has not been much research on these files. Oftentimes, the data in these files place the device at multiple geographic locations at the same time. Therefore, this information should be used as a guideline only when performing an investigation.


URL: https://www.sciencedirect.com/science/article/pii/B9781597496599000067

Attacking the Utility Companies

Tony Flick, Justin Morehouse, in Securing the Smart Grid, 2011

Attacking the Web Application

Probably the most severe type of attack against a Web application is the injection of executable malicious content. Depending on the platform that receives the injected input (SQL database, operating system, another application, or a service), this could be an injection of application code, script, commands, or queries. Regardless of the platform, the end result of a successful exploit is unauthorized execution. The platform determines the type of injection possible, which in turn determines the immediate risk of a successful injection. For example, an injection targeting a SQL database (SQL Injection) could be used to extract sensitive data stored in database tables, insert new values into the database, or drop some tables for fun. Imagine your shiny new billing Web application has suddenly stopped working; every function in the application simply generates more and more error log content. Then imagine sifting through those application log files – assuming there are log files to sift through – and coming across "userid = Owned'; DROP TABLE customers; --" in the HTTP request. Hopefully your backup and recovery procedures were more effective than the application's input validation and database querying code.

Injection attacks exploit a lack of proper input validation and insecure interaction between the application and the receiving platform. Improper input validation allows a client to submit requests with invalid or unexpected data: more characters than the expected maximum length or, in the case of an injection, a partial command or set of commands that is executed as part of a command predefined in the application code. The command submitted by the attacker is executed just like any normal command as long as the resulting command (intended + injected) is in a valid form for the target platform. If it is invalid, an error is generated, and that error message is often mistakenly sent back to the client, which gives the attacker feedback about the structure of the back-end query.

The reason that injection attacks are considered so severe is that the attacker's injected command will be executed with the privileges of the executing entity. For example, a SQL Injection query will be executed with the privileges of the application querying the database. Because many applications are configured with administrator level access to one or more databases, the SQL Injection query will be associated with administrator level access and thus allow the attacker to perform any desired query against any desired database table. Hopefully, this helps explain the reason Information Security professionals respond with a horrifying stare when you mention that the application is running with domain administrator privileges. Depending on the application configuration and other factors, a successful injection exploit could result in information disclosure, unauthorized access (by extracting user credentials), or full system compromise.
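As an added example (not code from the book), the following Python shows the billing lookup from the passage above in its vulnerable form beside a parameterized form, using an in-memory SQLite database with constructed sample rows. The payload is the one quoted from the log line. The vulnerable lookup deliberately runs the built SQL through executescript() so that stacked statements execute, mirroring database APIs where one call can run several statements; the table name, columns and sample balances are assumptions.

```python
import sqlite3

# Constructed payload, taken from the log line quoted in the text.
PAYLOAD = "Owned'; DROP TABLE customers; --"


def make_db() -> sqlite3.Connection:
    """Build an in-memory billing database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE customers (userid TEXT PRIMARY KEY, balance REAL NOT NULL);
        INSERT INTO customers VALUES ('alice', 120.50), ('bob', 42.00);
        """
    )
    return conn


def table_exists(conn: sqlite3.Connection, name: str = "customers") -> bool:
    """True while the table is still present in the schema."""
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (name,)
    ).fetchone()
    return row is not None


def lookup_balance_vulnerable(conn: sqlite3.Connection, userid: str) -> str:
    """Vulnerable: the request parameter is pasted into the SQL text.

    The intended query plus the injected statement form valid SQL, so the
    database runs both. Returns the SQL that was actually executed, which
    is what an application log would record.
    """
    sql = f"SELECT balance FROM customers WHERE userid = '{userid}';"
    conn.executescript(sql)  # stacked statements run as-is
    return sql


def lookup_balance_safe(conn: sqlite3.Connection, userid: str) -> list[float]:
    """Hardened: parameterized query. The driver passes the value separately
    from the statement text, so the payload is only ever compared as a
    literal userid string and no second statement can be introduced."""
    cur = conn.execute("SELECT balance FROM customers WHERE userid = ?", (userid,))
    return [row[0] for row in cur.fetchall()]


if __name__ == "__main__":
    conn = make_db()
    print("executed:", lookup_balance_vulnerable(conn, PAYLOAD))
    print("customers table survives vulnerable lookup?", table_exists(conn))
    conn = make_db()
    print("safe lookup of payload returns:", lookup_balance_safe(conn, PAYLOAD))
    print("customers table survives safe lookup?", table_exists(conn))
```

Parameterization removes the injection; it does not address the privilege point made above. Even the safe lookup runs with whatever rights the application's database account holds, so the account should be limited to SELECT on the tables the feature needs, and certainly not granted DROP.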

Although injection attacks may present the most risk to an application's security, there are many more types of attacks that could be used to achieve similar goals. The authentication component is often the first target in the search for vulnerabilities because most useful functionality (to an attacker) is inaccessible unless one provides valid authentication credentials. With most Web applications, pretty much any authentication attack could be used with almost certain success.

Brute force attacks can be easily automated, especially because most Web applications still only require user identification and password fields and almost never implement an account lockout control. If a brute force attack against user credentials doesn't work well enough, some Web applications may allow you to simply reset the accounts’ passwords. CAPTCHAs or other Turing tests8,9 are implemented to stop automated attacks, but they have been defeated with some percentage of success. Another common technique is to require users to provide answers to challenge questions when attempting to reset their password or perform other account management actions. Presumably, this technique is implemented because it is believed impossible that an attacker could automate a brute force attack with 2 or 3 answers to a set of 6 to 12 known questions. Please read that last sentence again with a very sarcastic tone in mind.

Additional types of attacks against the Web application include manipulation of data fields exposed to the client, analysis of encryption algorithms, and many others. The result of manipulating data fields exposed to the client will vary based on how the application uses the manipulated data. For example, one utility company's Web application authentication form includes a hidden parameter that is used as the redirect target when a user submits the form with valid credentials, as shown in Figure 7.5. This design can be exploited as an open redirect: an attacker who gets the user to submit the form with a modified parameter can send the user to any URL following successful authentication. Such an attack could exploit browser bugs, install malicious software, or carry out further attacks against the utility company's Web application with the access privileges of the authenticated user.


Figure 7.5. URL redirection.
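As an added example (not code from the book or from the utility's application), the following Python shows how a login handler should treat a client-supplied redirect target such as the hidden parameter in Figure 7.5: accept only a path on the same site and fall back to a fixed landing page otherwise. The default landing path and the list of attacker-controlled values are constructed assumptions.

```python
from typing import Optional
from urllib.parse import urlsplit

DEFAULT_LANDING = "/account"  # assumed post-login page on the utility's site


def is_safe_redirect_target(target: str) -> bool:
    """Accept only a same-site path.

    Requirements: starts with exactly one '/', carries no scheme or host,
    and contains no whitespace, control characters or backslashes that a
    browser or proxy might reinterpret as a host separator or header break.
    """
    if not target or not target.startswith("/"):
        return False
    if any(ord(ch) < 0x20 or ch.isspace() for ch in target):
        return False
    if "\\" in target or target.startswith("//"):
        return False
    parts = urlsplit(target)
    return parts.scheme == "" and parts.netloc == ""


def post_login_location(submitted_target: Optional[str]) -> str:
    """Where a hardened login handler sends the user after valid credentials."""
    if submitted_target and is_safe_redirect_target(submitted_target):
        return submitted_target
    return DEFAULT_LANDING


# Constructed sample of values an attacker could plant in the hidden field.
ATTACK_TARGETS = [
    "https://evil.example/phish",          # absolute URL to another host
    "//evil.example/phish",                # protocol-relative URL
    "/\\evil.example",                     # backslash that some browsers treat as '/'
    "javascript:alert(document.cookie)",   # script scheme
    "/account\r\nSet-Cookie: session=x",   # CRLF aimed at the Location header
]


if __name__ == "__main__":
    print(post_login_location("/account/billing"))
    for t in ATTACK_TARGETS:
        print(repr(t), "->", post_login_location(t))
```

An allowlist of site-relative paths is deliberately stricter than trying to enumerate bad patterns; the attack list exists only to show the cases the check must reject, not as the rule itself.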

These attacks exploit a variety of possible vulnerabilities and weaknesses that can be implemented in a Web application and, as described earlier, can have disastrous results. The point is that there are many types of vulnerabilities and exploits that attackers could use to carry out the attacks described throughout this book. And those vulnerabilities are already being implemented in smart grid Web applications.


URL: https://www.sciencedirect.com/science/article/pii/B9781597495707000078

Autonomic schemes for threat mitigation in Internet of Things

Qazi Mamoon Ashraf, Mohamed Hadi Habaebi, in Journal of Network and Computer Applications, 2015

4.1.3 Deactivation

This refers to the physical destruction of the node or the unauthorized application of a "kill" command. Deactivation results in loss of availability in the network. The following scenario shows why mitigation methods against deactivation are needed. Smart cities are filled with IoT devices that sense and actuate, and these are in danger of being destroyed or stolen by people; this could redefine modern-day cyber vandalism. An attacker can also attempt to enter the interface of the node and try to shut down or kill the device. From the network's perspective, both attacks cause the node to stop being detected and to cease functioning. Password protection as well as physical security measures such as camouflage can provide some respite. However, a large-scale application of this attack will result in the network falling apart, and in multi-hop environments a DoS may result, since surviving nodes lose the relays their traffic depends on.

Deactivation can be classified as a high-impact attack in the sense that there are perhaps no software methods that can effectively prevent it. Remote triggering of the kill command can be disabled, but physical damage cannot be. The only way to protect the node from external influences is to enclose it in a protective case. Monitoring the status of IoT devices is important, and that includes monitoring the physical condition of the nodes. It may be argued that autonomic computing does not fit as a solution for this attack, as its scope is physical and not affected by software mechanisms. However, monitoring the status of nodes and analyzing that data could help the user reduce the downtime of the system. The MAPE (monitor, analyze, plan, execute) architecture could detect the loss of any node and then assign its offered services to another node in the network, so that overall service levels are maintained. That would be one way in which self-healing could be demonstrated for deactivation.
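As an added example (not code from the article), the following Python is a toy model of the MAPE loop described above: heartbeats are monitored, a node that falls silent beyond a timeout is analyzed as deactivated, a plan moves each of its services to the least-loaded surviving node, and the plan is executed so the set of offered services is unchanged. The node names, services, heartbeat clock and least-loaded placement rule are all constructed assumptions, not anything the article specifies.

```python
from dataclasses import dataclass, field


@dataclass
class Node:
    name: str
    services: set = field(default_factory=set)
    last_seen: float = 0.0  # time of the last heartbeat


class SelfHealingRegistry:
    """Toy MAPE loop for node deactivation (assumed design, not the article's)."""

    def __init__(self, nodes, timeout: float):
        self.nodes = {n.name: n for n in nodes}
        self.timeout = timeout

    def heartbeat(self, name: str, now: float) -> None:
        self.nodes[name].last_seen = now

    # Monitor: a node silent for longer than the timeout is treated as
    # deactivated, whether it was killed remotely, destroyed or stolen.
    def monitor(self, now: float) -> list:
        return sorted(n.name for n in self.nodes.values()
                      if now - n.last_seen > self.timeout)

    # Analyze: which services would disappear if nothing is done.
    def analyze(self, lost: list) -> dict:
        return {svc: name for name in lost for svc in self.nodes[name].services}

    # Plan: place each orphaned service on the least-loaded surviving node,
    # updating the projected load as services are assigned.
    def plan(self, lost: list, orphaned: dict) -> list:
        load = {n.name: len(n.services) for n in self.nodes.values()
                if n.name not in lost}
        if not load:
            raise RuntimeError("no surviving nodes; service loss is unavoidable")
        moves = []
        for svc in sorted(orphaned):
            target = min(load, key=lambda name: (load[name], name))
            load[target] += 1
            moves.append((svc, orphaned[svc], target))
        return moves

    # Execute: apply the moves and drop the lost nodes from the registry.
    def execute(self, lost: list, moves: list) -> list:
        for svc, _src, dst in moves:
            self.nodes[dst].services.add(svc)
        for name in lost:
            del self.nodes[name]
        return moves

    def offered_services(self) -> set:
        return set().union(*(n.services for n in self.nodes.values()))

    def heal(self, now: float) -> list:
        """One MAPE iteration; returns the (service, from, to) moves made."""
        lost = self.monitor(now)
        if not lost:
            return []
        return self.execute(lost, self.plan(lost, self.analyze(lost)))


if __name__ == "__main__":
    # Constructed smart-city fragment: three nodes, four services.
    reg = SelfHealingRegistry(
        [Node("lamp-01", {"lighting"}), Node("kiosk-02", {"air-quality", "camera"}),
         Node("bin-03", {"fill-level"})], timeout=30)
    for n in reg.nodes:
        reg.heartbeat(n, 0)
    reg.heartbeat("lamp-01", 50)
    reg.heartbeat("bin-03", 50)  # kiosk-02 stays silent: deactivated
    print("moves:", reg.heal(50))
    print("still offered:", sorted(reg.offered_services()))
```

The loop restores service coverage, not the lost sensor itself; the physical node still has to be found and replaced, which is why the article treats monitoring as a downtime-reduction measure rather than a prevention.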


URL: https://www.sciencedirect.com/science/article/pii/S1084804514002732

What software blocks unauthorized access to your computer?

A firewall is software or firmware that prevents unauthorized access to a network.

How do you prevent Unauthorised access?

How to prevent unauthorized computer access:
Install all security patches.
Browsing the Internet? Pay due attention to file sharing.
Keep the firewall on.
Carefully read your email messages and know the senders.
Maintain a proper backup of your data online.
Make use of strong passwords.

What should be used to avoid accessing by unauthorized users?

Password Management and Protection Passwords should be changed for any account or device that has experienced an unauthorized access incident. Strong passwords should be used that include a combination of letters, numbers, and symbols.

What technology would prevent an unauthorized person from accessing your data?

Encryption is your device's ability to convert information into ciphertext to prevent unauthorized access. Essentially, it scrambles your data when your device is locked, making it readable only to someone who holds the right key.