
Organisational Systems Security
TOPIC 1: Potential Threats to ICT Systems and Organization
PART 1: Unauthorised Access
Alexie Erese Ballon
IT Academy
Introduction
• In the management of any networked computer system, ICT professionals need to consider every aspect of the system’s security to protect the corporate interests of the organization it supports.
• This unit describes threats, methods of securing systems and their impact on various organizations.
1. Potential Threats to ICT Systems and Organization
• The landscape of threats to an organization and the ICT which supports it is constantly changing, with new, imaginative and often destructive ideas being inflicted on the world at large all the time. This topic looks at potential threats and their impact on organizations. These include: methods for gaining unauthorized access, damage and destruction of systems and information, information security, e-commerce threats, counterfeit goods and the overall impact of threats on organizations.
1.1 Unauthorized Access
• Gaining unauthorized access is the desire of all hackers and budding cyber criminals. Ensuring they do not achieve their heart’s desire is one of the many roles of the ICT professional.
1.1.1 Internal and External Threats
• To appreciate the types of threats posed to any system, you need to identify the different internal and external threats in existence.
• Unfortunately, you cannot rely on all the people using your network to be entirely trustworthy.
1.1.1 Internal and External Threats (continued)
• Internal threats and external threats may include the following:

Internal threats (from within your system):
• Use of scanners
• Man in the middle attacks
• Magic disk tactics
• Key logging
• Forging data

External threats (from outside the network infrastructure):
• Virus attacks
• Trojans
• Worms
• Hacking with piggybacking, tunnels and probes
• Phishing and identity theft
Scanners
• Scanners enable unscrupulous people to establish what methods may be used to ‘attack’ a system. They range from very simple to advanced, depending on the tactics used. On the Internet in the public domain it is possible to download scanners to scan a range of addresses, identifying whether they are active and learning what TCP ports are visible.
What does it mean?
• Scanners are software utilities used to analyze vulnerabilities in a network.
Scanners (continued)
• Some scanners use DNS to map the discovered IP address to a domain name. This tactic is used by hackers to establish what systems are active and therefore available to hack.
• Scanners do have a legitimate use in allowing network professionals to check computers and other network devices remotely.
Scanners (continued)
• There are a range of scanners for legitimate purposes which can be obtained easily, each serving a different specialist purpose, including: looking at a range of addresses, conducting a deep probe of one system and scanning a wireless system.
 Scanners (continued)
 Range of Addresses: A simple, visual and
fast scanner which looks at a range of
addresses is the Angry IP Scanner, which
can be downloaded from the Angryziber
Software website (go to
www.heinemann.co.uk/hotlinks and enter
the express code 2315P).
 This can be used to scan a large range of
IP addresses at high speed and can be
used to check TCP ports during the
scanning process.
Angry IP Scanner
Angry IP Scanner is an IP and port scanner tool for analyzing networks.
 Scanners (continued)
 Deep Probe: Completing a deep probe can
reveal useful information about a device,
and can be used when there is a remote
fault as well as to gain illicit information.
Considered by many to be the best at this is
Nmap, which can be downloaded from the
Insecure website (go to
www.heinemann.co.uk/hotlinks and enter
the express code 2315P).
 Nmap is a command-based tool, which
offers many scanning options.
Nmap featured in Movies
[Image: Nmap featured in Die Hard 4: Live Free or Die Hard]
[Image: Nmap featured in The Bourne Ultimatum]
Scanners (continued)
• Scanning a wireless system: Wireless systems are especially vulnerable if there is no encryption. But in mobile networking, there is a need to establish where the wireless access points are and how they can be accessed if you are to connect your laptop, PDA or mobile phone.
• Many ‘scanning’ tools for wireless networks are available via the Internet, many to gain illicit access. Tools such as the Retina Network Security Scanner (which can be downloaded from the eEye Digital Security website – accessed via www.heinemann.co.uk/hotlinks and enter the express code 2315P) allow professionals the legitimate opportunity to find access points within range of the mobile device.
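The slides describe scanners from the attacker’s side (which addresses are active, which TCP ports are visible). The defender’s side of the same activity is spotting it in firewall logs: a scanner touches many ports on one host, or one port across many hosts, in a short time. The following is an added example, not part of the original slides or of any product: it parses a constructed log in an assumed one-line-per-event format and flags both kinds of sweep.

```python
"""Spotting scanner activity in firewall logs (added example; assumed log format)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log in an assumed "timestamp ACTION src= dst= dport=" format
# (not the output of any real firewall). 203.0.113.7 walks ten ports on one host,
# 198.51.100.9 tries port 80 on five hosts, 198.51.100.5 is ordinary traffic.
SAMPLE_LOG = """\
2024-05-01T10:00:00 DENY src=203.0.113.7 dst=192.0.2.10 dport=21
2024-05-01T10:00:01 DENY src=203.0.113.7 dst=192.0.2.10 dport=22
2024-05-01T10:00:01 DENY src=203.0.113.7 dst=192.0.2.10 dport=23
2024-05-01T10:00:02 DENY src=203.0.113.7 dst=192.0.2.10 dport=25
2024-05-01T10:00:02 ALLOW src=203.0.113.7 dst=192.0.2.10 dport=80
2024-05-01T10:00:03 DENY src=203.0.113.7 dst=192.0.2.10 dport=110
2024-05-01T10:00:03 DENY src=203.0.113.7 dst=192.0.2.10 dport=143
2024-05-01T10:00:04 ALLOW src=203.0.113.7 dst=192.0.2.10 dport=443
2024-05-01T10:00:04 DENY src=203.0.113.7 dst=192.0.2.10 dport=445
2024-05-01T10:00:05 DENY src=203.0.113.7 dst=192.0.2.10 dport=3389
2024-05-01T10:00:06 ALLOW src=198.51.100.9 dst=192.0.2.11 dport=80
2024-05-01T10:00:06 ALLOW src=198.51.100.9 dst=192.0.2.12 dport=80
2024-05-01T10:00:07 ALLOW src=198.51.100.9 dst=192.0.2.13 dport=80
2024-05-01T10:00:07 ALLOW src=198.51.100.9 dst=192.0.2.14 dport=80
2024-05-01T10:00:08 ALLOW src=198.51.100.9 dst=192.0.2.15 dport=80
2024-05-01T10:00:00 ALLOW src=198.51.100.5 dst=192.0.2.10 dport=443
2024-05-01T10:05:00 ALLOW src=198.51.100.5 dst=192.0.2.10 dport=443
"""

LINE_RE = re.compile(r"^(\S+) (ALLOW|DENY) src=(\S+) dst=(\S+) dport=(\d+)$")


def parse_log(text):
    """Return (timestamp, action, src, dst, dport) tuples; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, action, src, dst, dport = m.groups()
            events.append((datetime.fromisoformat(ts), action, src, dst, int(dport)))
    return events


def _max_distinct_in_window(items, window):
    """items: sorted (timestamp, value) pairs. Largest number of distinct values
    seen in any time window of the given length (sliding window, j only moves forward)."""
    best, j = 0, 0
    for i in range(len(items)):
        while j < len(items) and items[j][0] - items[i][0] <= window:
            j += 1
        best = max(best, len({v for _, v in items[i:j]}))
    return best


def detect_scans(events, window=timedelta(seconds=60), min_ports=8, min_hosts=5):
    """Vertical scan: one source touches >= min_ports distinct ports on one host.
    Horizontal scan: one source touches one port on >= min_hosts distinct hosts.
    ALLOW and DENY both count: a scanner learns something from either answer."""
    per_src_dst = defaultdict(list)
    per_src_port = defaultdict(list)
    for ts, _action, src, dst, dport in events:
        per_src_dst[(src, dst)].append((ts, dport))
        per_src_port[(src, dport)].append((ts, dst))
    findings = {"vertical": [], "horizontal": []}
    for (src, dst), items in per_src_dst.items():
        n = _max_distinct_in_window(sorted(items), window)
        if n >= min_ports:
            findings["vertical"].append((src, dst, n))
    for (src, dport), items in per_src_port.items():
        n = _max_distinct_in_window(sorted(items), window)
        if n >= min_hosts:
            findings["horizontal"].append((src, dport, n))
    return findings


if __name__ == "__main__":
    for kind, hits in detect_scans(parse_log(SAMPLE_LOG)).items():
        for hit in hits:
            print(kind, *hit)
```

The thresholds and window are tuning knobs: set them too low and ordinary web browsing (one client, one port, many hosts) becomes a "horizontal scan", so in practice the port-80/443 horizontal case is usually exempted or given a much higher threshold. The legitimate use the slides mention (an administrator checking devices remotely) produces exactly the same pattern, which is why the administrator's scanning hosts are normally placed on an allow-list rather than the detection being disabled.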
ARP Poisoning
• Switch-based networks have long been considered to be very secure as they create micro-segments within the system.
• However, techniques such as “ARP poisoning” have rendered this idea useless, with the man in the middle attack being an issue on many corporate networks.
ARP Poisoning con’t
The Man in the Middle Attack
[Diagram: Victim and Default Gateway are shown before and after the attack; in the second picture the Man in the Middle sits between the Victim and the Default Gateway]
ARP Poisoning con’t
• To overcome this threat, a network manager has to monitor the memory of any network switch, to check if any MAC address appears in more than one location, even momentarily.
• Ettercap is considered by the networking industry to be the primary ARP poisoning tool and can be used to generate as well as prevent attacks (http://ettercap.sourceforge.net/download.php).
What does it mean?
• Micro-segments are a method of dividing network traffic into a “network per cable” system to increase speed and reliability.
• ARP stands for Address Resolution Protocol. It is used to match IP addresses to MAC addresses.
• A computer using a man in the middle attack tricks the victim into thinking it is the default gateway, and tricks the default gateway into thinking it is the victim computer.
• MAC stands for Media Access Control. The MAC address is the address hardcoded into your computer’s wired or wireless network card.
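The slides say the defence is to watch for a MAC address that appears in more than one place. The same check can be run on ARP replies seen on the wire: a poisoner answers for the gateway’s IP with its own MAC and for the victim’s IP with the same MAC, so one MAC suddenly claims two IPs and two IP-to-MAC mappings change. The following is an added example, not from the original slides or from Ettercap; the gateway address and the sequence of replies are constructed for the example.

```python
"""Detecting ARP poisoning from observed ARP replies (added example, constructed data)."""
from collections import defaultdict

GATEWAY_IP = "192.168.1.1"  # assumed default gateway for this example

# Constructed sequence of ARP replies seen on the wire: (seq, sender IP, sender MAC).
# Replies 4 and 5 are what an ARP poisoner emits: it claims the gateway's IP to the
# victim and the victim's IP to the gateway, so both sides forward through it.
SAMPLE_ARP_REPLIES = [
    (1, "192.168.1.1", "00:11:22:33:44:01"),   # real gateway
    (2, "192.168.1.20", "00:11:22:33:44:20"),  # victim workstation
    (3, "192.168.1.30", "00:11:22:33:44:30"),  # unrelated host
    (4, "192.168.1.1", "00:11:22:33:44:99"),   # attacker claims the gateway IP
    (5, "192.168.1.20", "00:11:22:33:44:99"),  # attacker claims the victim IP
    (6, "192.168.1.30", "00:11:22:33:44:30"),  # unchanged, no alert
]


def analyse_arp(replies, gateway_ip=GATEWAY_IP):
    """Return (seq, severity, message) alerts for two conditions:
    an IP whose MAC changes (HIGH if it is the gateway, else MEDIUM), and
    a MAC that is claiming more than one IP at the same time (HIGH)."""
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    alerts = []
    for seq, ip, mac in replies:
        previous = ip_to_mac.get(ip)
        if previous is not None and previous != mac:
            severity = "HIGH" if ip == gateway_ip else "MEDIUM"
            alerts.append((seq, severity, f"{ip} moved from {previous} to {mac}"))
        ip_to_mac[ip] = mac
        mac_to_ips[mac].add(ip)
        if len(mac_to_ips[mac]) > 1:
            alerts.append((seq, "HIGH", f"{mac} claims {sorted(mac_to_ips[mac])}"))
    return alerts


if __name__ == "__main__":
    for seq, severity, message in analyse_arp(SAMPLE_ARP_REPLIES):
        print(f"reply {seq}: {severity}: {message}")
```

A mapping change on its own is not proof of an attack: a replaced network card, DHCP handing an address to a different machine, or a gateway failover between two routers all move an IP to a new MAC. In practice the first rule is checked against a list of known-good mappings for the important addresses (the gateway above all), while the second rule, one MAC answering for several IPs at once, is the one that almost always means poisoning.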
Magic Disks
• “Magic disk” is a collective term for all the boot disks which can be downloaded from the Internet to restart a computer and subvert the operating system.
• Some magic disks like the “Ultimate Boot CD” are useful in resolving issues with viruses and trojans as well as drive, hardware and operating system failures.
Magic Disks con’t
• When you start a computer, your system can boot from USB, CD/DVD or a floppy. As your operating system is resident on the hard drive, anyone with basic knowledge of BIOS configuration can select any of the other boot options.
• Some magic disks are used to scan your hard drive for SAM (Security Accounts Manager) files; these contain username and password hashes. Once found, the magic disk will use analysis techniques such as rainbow tables to find the administrator password for the computer.
• To prevent anyone from using a magic disk, it is prudent to password lock the BIOS and prevent anyone from being able to use USB sticks, floppy disks and CD/DVDs as boot devices.
Key Loggers
• A key logger is an application which will record all key strokes (and in some cases mouse activity) and send the information to a file or, in many cases, to a remote network location.
• Most key loggers are hidden applications and can be “found” using the latest definitions on an anti-virus application.
 Key Loggers con’t
 If you suspect there is an undetected key
logger running on your system, an
alternative technique to discover activity is
to run a protocol scanner, which looks at the
contents of each data packet.
 Applications like Wireshark (formerly called
Ethereal) can “watch” all outgoing traffic
from your computer, which may reveal
some interesting activity from many
applications.
What does it mean?
• A password hash is a mathematical representation of a password, not the password itself.
• A rainbow table is a list of all possible hashes, often compressed and indexed for fast searching.
• In the context of an anti-virus application, a definition is a database entry about applications which are not trusted: trojans, worms or viruses.
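The magic-disk slide (SAM files, rainbow tables) and the definitions above both rest on one property: a precomputed table only works when the same password always produces the same hash. The NT hashes stored in the SAM are unsalted, which is exactly why a table computed once can be reused against every machine. The following added example (not from the slides) builds a miniature lookup table from a constructed wordlist, shows it reversing an unsalted hash instantly, and then shows that salting plus a slow key-derivation function (PBKDF2) makes the same table useless. SHA-256 stands in for the real NT hash algorithm; the principle is identical.

```python
"""Why unsalted password hashes fall to precomputed tables (added example)."""
import hashlib
import hmac
import os

# Constructed mini wordlist standing in for the dictionary a rainbow table is built from.
WORDLIST = ["password", "letmein", "Winter2024", "admin123", "qwerty"]
ITERATIONS = 100_000  # PBKDF2 work factor; raise it as hardware gets faster


def unsalted_hash(password):
    """Plain SHA-256 of the password: identical for every user who chooses it."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def build_lookup_table(words):
    """Precompute digest -> password once; any unsalted hash is then reversed by lookup."""
    return {unsalted_hash(w): w for w in words}


def crack_with_table(table, digest_hex):
    """Instant reversal of an unsalted hash, or None if the password is not in the table."""
    return table.get(digest_hex)


def salted_hash(password, salt=None, iterations=ITERATIONS):
    """PBKDF2-HMAC-SHA256 with a random 16-byte salt. Returns (salt, digest);
    the salt is stored next to the digest, it is not secret, just unique."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest


def verify_salted(password, salt, digest, iterations=ITERATIONS):
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, digest)


def demo():
    """The same weak password, stored both ways, attacked with the same table."""
    table = build_lookup_table(WORDLIST)
    stolen_unsalted = unsalted_hash("letmein")
    _salt, stolen_salted = salted_hash("letmein")
    return {
        "unsalted_cracked": crack_with_table(table, stolen_unsalted),
        "salted_cracked": crack_with_table(table, stolen_salted.hex()),
    }


if __name__ == "__main__":
    print(demo())
```

Salting does not make "letmein" a good password; an attacker who steals the salted hash can still guess it, but must now run the slow derivation once per guess per user instead of one table lookup, and a table built for one user's salt is worthless for every other. The BIOS and boot-device locks the slides recommend stop the hashes being read in the first place; salted, slow hashing limits the damage when they are.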
1.1.2 Access Causing Damage
to Data or Jamming Resources
 In gaining unauthorised access, the
software used may cause damage to
data or jamming (restricting)
resources. Some attacks may have
the intent of accessing systems or
data without damage, and the impact
may initially go unnoticed.
 Whatever the intent, an intrusion
always has an impact on the system.
Virus Attacks
• Virus attacks occur when rogue code has entered the system; a virus will hide itself inside ordinary executable code and can: be a nuisance by opening/closing the CD/DVD door, swapping key responses (£ for @, etc.); self-reproduce, spreading itself from application to application to evade detection and elimination; cause serious damage to data and cause critical damage to the hard drive.
Virus Attacks
• Viruses are concealed by a simple deception. They will embed themselves inside an application, redirecting its commands and nodes around itself while running as a separate task.
How a virus is concealed
[Diagram: the application before the virus runs from 0000h to AAFFh; after the virus, the VIRUS payload sits inside the application and the end address moves to AFFDh. The application is unaware of the additional payload; the virus creates a link into the application whilst it is running; the size of the application will change.]
Virus Attacks
• Most virus scanners will detect a virus by opening the file and scanning the code, looking for this type of redirection.
• Many anti-virus applications will create a hash (known as an MD5) for each application.
A virus quarantine
• If the MD5 (Message-Digest algorithm 5) changes, this may be treated as a virus attack (or an application update). Once found, the anti-virus application offers the option to remove or isolate the virus (in a quarantine zone).
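The hashing approach on the last two slides is a file-integrity baseline: record a digest per executable, later recompute it, and treat any difference as "changed, investigate". The following added example (not from the slides or any anti-virus product) implements that cycle against two constructed files in a temporary directory, appends a constructed payload to one of them, and reports it. SHA-256 is the default because collisions for MD5 are practical today; passing algorithm="md5" reproduces the slides' setup exactly.

```python
"""Hash baseline for executables: detect files whose content changed (added example)."""
import hashlib
import os
import tempfile


def file_digest(path, algorithm="sha256"):
    """Hash a file in 64 KiB chunks so large binaries do not need to fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths, algorithm="sha256"):
    """Snapshot of path -> digest taken while the files are known to be clean."""
    return {p: file_digest(p, algorithm) for p in paths}


def check_baseline(baseline, algorithm="sha256"):
    """Return (changed, missing) relative to the stored baseline."""
    changed, missing = [], []
    for path, expected in baseline.items():
        if not os.path.exists(path):
            missing.append(path)
        elif file_digest(path, algorithm) != expected:
            changed.append(path)
    return changed, missing


def demo():
    """Constructed scenario: two 'programs', one of which later gains an appended payload."""
    with tempfile.TemporaryDirectory() as workdir:
        app = os.path.join(workdir, "app.exe")
        tool = os.path.join(workdir, "tool.exe")
        with open(app, "wb") as f:
            f.write(b"MZ" + b"\x90" * 64 + b"legitimate program body")
        with open(tool, "wb") as f:
            f.write(b"MZ" + b"\x90" * 64 + b"another program body")
        baseline = build_baseline([app, tool])
        # Simulate a file infector: a payload is appended, so size and digest both change,
        # matching the "size of the application will change" note on the diagram slide.
        with open(app, "ab") as f:
            f.write(b"VIRUS PAYLOAD (constructed, inert bytes)")
        changed, missing = check_baseline(baseline)
        return [os.path.basename(p) for p in changed], missing


if __name__ == "__main__":
    print(demo())
```

As the quarantine slide says, a changed digest can equally be a legitimate update, so a real deployment re-baselines after patching and stores the baseline somewhere the monitored machine cannot rewrite it; a virus that can edit the baseline file can hide its own change.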
Trojans
• Trojans are stealth applications which are designed to allow others to access your system.
• Transported via infected email attachments, infected downloads, infected CD/DVDs or worms which use vulnerabilities in your operating system, trojans have the potential to cause the most damage.
Trojans
• The most famous trojan is Sub-7, which has been used for key logging, pranks, remote attacks (controlling your computer to start the real attack) and distributed denial of service attacks.
What does it mean?
• Distributed Denial of Service is an attack where multiple systems will flood a single system with traffic, intending to block the network or device from being able to access the Internet.
[Image: Sub-7 being used for pranks]
Worms
• Worms are self-transporting applications which carry an active payload such as a trojan or a virus.
• Worms are active or passive:
  • Active worms self-transport without human intervention
  • Passive worms rely on the user’s innocence to transport themselves from one location to another
Worms
• Active worms use email, vulnerabilities in your operating system, the web and DNS servers, as well as other alternative ‘traffic’ systems, to move their payload around a network infrastructure.
• Many worms are currently attempting to exploit VoIP systems like Skype or chat systems like Windows Live Messenger.
Piggybacking, tunnels and probes
• Hacking using piggybacking, tunnels and probes can be accomplished with a level of expertise (not the ‘good’ sort of expertise) and attacks can be formed when network traffic is ‘corrupted’.
Piggybacking, tunnels and probes
• With piggyback attacks, a normal, safe communication carries an additional harmful payload of a trojan or covert application.
Piggybacking, tunnels and probes
• Tunnels can be formed via existing communication channels to send alternative data. Common data channels such as port 80 are used for HTTP.
• Someone with a level of network expertise could send any data they wish via this port and create a wide range of applications running underneath one innocent communication channel.
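A firewall that allows port 80 because "port 80 is HTTP" is trusting the port number, not the protocol. The first check a defender adds is whether the bytes on port 80 actually look like an HTTP request. The following is an added example, not from the slides: it classifies the opening bytes of constructed flow records and reports every port-80 flow that is not HTTP.

```python
"""Flagging non-HTTP traffic tunnelled over port 80 (added example, constructed flows)."""
import re

# Request line of an HTTP/1.x request: METHOD SP request-target SP HTTP/1.x CRLF
HTTP_REQUEST_LINE = re.compile(
    rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS|PATCH|CONNECT|TRACE) \S+ HTTP/1\.[01]\r\n"
)

# Constructed flow records: (src, dst, dport, first bytes the client sent).
SAMPLE_FLOWS = [
    ("10.0.0.5", "192.0.2.80", 80, b"GET /index.html HTTP/1.1\r\nHost: intranet\r\n\r\n"),
    ("10.0.0.6", "203.0.113.50", 80, b"SSH-2.0-OpenSSH_9.6\r\n"),               # SSH on 80
    ("10.0.0.7", "203.0.113.51", 80, b"\x16\x03\x01\x00\xc4\x01\x00\x00\xc0\x03\x03"),  # TLS on 80
    ("10.0.0.8", "203.0.113.52", 80, b"\x00\x0b\x7fcustom-proto\x01"),           # unknown binary
    ("10.0.0.9", "203.0.113.53", 443, b"\x16\x03\x01\x00\xc4\x01\x00\x00\xc0\x03\x03"),  # TLS on 443, fine
]


def classify_payload(first_bytes):
    """Cheap protocol fingerprint from the first bytes a client sends."""
    if HTTP_REQUEST_LINE.match(first_bytes):
        return "http"
    if first_bytes.startswith(b"SSH-"):
        return "ssh"
    if first_bytes[:1] == b"\x16" and first_bytes[1:2] == b"\x03":
        return "tls"  # TLS record type 22 (handshake), major version 3
    return "unknown"


def find_port80_tunnels(flows, port=80):
    """Every flow to the given port whose payload is not an HTTP request."""
    suspicious = []
    for src, dst, dport, first_bytes in flows:
        if dport != port:
            continue
        kind = classify_payload(first_bytes)
        if kind != "http":
            suspicious.append((src, dst, kind))
    return suspicious


if __name__ == "__main__":
    for src, dst, kind in find_port80_tunnels(SAMPLE_FLOWS):
        print(f"{src} -> {dst}:80 carries {kind}, not HTTP")
```

This catches the crude case only. The tunnel the slide actually describes, arbitrary data wrapped inside well-formed HTTP requests, passes this check by design, and spotting it needs the next layer: unusual request volumes or sizes to one destination, high-entropy bodies, and reputation of the remote host. A proxy that terminates HTTP itself and only forwards requests it could parse removes the crude case entirely.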
Piggybacking, tunnels and probes
• A probe can use an open, and therefore available, port to start an in-depth analysis of a network or computer system. Once the open hole is found, it will start digging into the system.
 Forging Data
• Forging, or spoofing, data requires knowledge of
programming in networking languages, such as
Java, C++ or VB.NET.
• A hacker could ‘hand craft’ a data packet to:
force an application or server to give away
information, cause a denial of service attack or
piggyback / tunnel into a system via an
‘acceptable’ protocol.
• The code needed to accomplish this is on the
Internet and is openly available on many non-
hacking websites.
1.1.3 Phishing and Identity Theft
• Phishing and identity theft are relatively recent developments in methods for unauthorised access.
• The purpose of a phish (pronounced as fish) is to lure you into revealing personal information; it does this by social engineering, i.e. using something or someone trusted by you.
1.1.3 Phishing and Identity Theft
• Phishing employs many tactics, which are evolving all the time. For example:
  • An email purporting to be from a long forgotten school friend, looking for contact details; this leads to identity theft
  • An email that claims to be from your bank, ISP, etc., asking you to follow a link to their site to update your details – the email looks authentic and when you follow the link, the site looks very much like the site of the bank/ISP, except the protocol is unlikely to be HTTPS, and some links on the page may be inoperative.
1.1.3 Phishing and Identity
Theft
 Phishing may also exploit
homographs and our detailed
reading skills by directing us to
domain names with similar spellings.
 Homographs are words with the same
spelling but with different meaning,
e.g. fluke means both a parasite and a
stroke of luck (as well as a networking
company).
Phishing
 To test your phishing detection skills, which
of these is an incorrect domain?
 www.heinemann.com
 www.heinemann.co.uk
 www.heinneman.co.uk
 The impact of phishing is that it results in
unauthorised access to personal data,
commercial data and financial information
via deception (the legal term for which is
fraud).
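The two tells the slides give for a phishing link are a domain that merely resembles the real one (a transposed letter, or a character that looks like another) and a protocol that is not HTTPS. Both can be checked mechanically. The following is an added example, not from the slides: it uses the slides' own heinemann.co.uk as the trusted domain, folds a small constructed set of look-alike characters (the full Unicode confusables list is far larger), and measures edit distance so that the misspelled domain from the quiz above is reported as a lookalike.

```python
"""Checking a link for lookalike domains and missing HTTPS (added example)."""
import unicodedata
from urllib.parse import urlsplit

# Domains the user actually trusts (taken from the slides' own example).
TRUSTED = ["heinemann.co.uk", "heinemann.com"]

# Constructed, deliberately tiny confusables map: digit 0 for o, 1 for l, "rn" for m,
# "vv" for w, and two Cyrillic letters that render like Latin e and a.
CONFUSABLES = {"0": "o", "1": "l", "rn": "m", "vv": "w", "\u0435": "e", "\u0430": "a"}


def levenshtein(a, b):
    """Classic edit distance: minimum inserts, deletes and substitutions to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def strip_www(host):
    host = host.lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def normalise(host):
    """Fold characters a reader would confuse at a glance into plain Latin form."""
    host = unicodedata.normalize("NFKC", host)
    for lookalike, plain in CONFUSABLES.items():
        host = host.replace(lookalike, plain)
    return host


def check_domain(domain, trusted=TRUSTED, max_distance=2):
    """('trusted', domain) for an exact match; ('lookalike', which) when the folded
    name equals or sits within max_distance edits of a trusted one; else ('unknown', domain)."""
    raw = strip_www(domain)
    if raw in trusted:
        return ("trusted", raw)
    folded = normalise(raw)
    for t in trusted:
        if folded == t or levenshtein(folded, t) <= max_distance:
            return ("lookalike", t)
    return ("unknown", raw)


def check_link(url, trusted=TRUSTED):
    """Verdict on the host plus the warnings a user should see before clicking."""
    parts = urlsplit(url)
    verdict, match = check_domain(parts.hostname or "", trusted)
    warnings = []
    if parts.scheme != "https":
        warnings.append("not https")
    if verdict == "lookalike":
        warnings.append(f"domain resembles {match}")
    return verdict, warnings


if __name__ == "__main__":
    for url in ("https://www.heinemann.co.uk/", "http://www.heinneman.co.uk/update"):
        print(url, check_link(url))
```

The edit-distance threshold trades misses against noise: 2 catches a swapped or doubled letter but would also flag a genuinely unrelated short domain that happens to be close, so the result is best treated as "show the user a warning", not "block". HTTPS on its own proves only that the connection is encrypted to whoever owns that domain, which a phisher can obtain for a lookalike domain, so the domain check is the one that matters most.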
End of presentation.

NEXT:
Topic 2: Damage or Destruction of
Systems or Information
