Copyright ©2013 Cyberoam Technologies Pvt. Ltd., 901, Silicon Tower, Off C.G. Road, Ahmedabad 380 006, India (Cyberoam). All rights reserved. No part of this training material may be reproduced in any form by any means (including but not limited to photocopying or storing it in any medium by electronic means, and whether or not transiently or incidentally to some other use of this training material) without permission in writing from Cyberoam. Requests for permission to make copies of any part of this training material should be mailed to: Cyberoam Technologies Private Limited, 901, Silicon Tower, Off C. G. Road, Ahmedabad 380 006, India.

Warning: The doing of an unauthorized act in relation to a copyright work may result in both a civil claim for damages and criminal prosecution.

Cyberoam, Cyberoam NetGenie and Cyberoam Central Console are trademarks of Cyberoam. This training material may refer to a few trademarks for the purpose of identifying certain products and/or services. All those trademarks are owned by their respective owners.

This training material is designed to provide accurate and authoritative information in regard to the subject matter. While Cyberoam has taken all due care and diligence at the time of editing and publishing the training material, Cyberoam does not hold any responsibility for any mistake that may inadvertently be contained within the training material. Cyberoam shall not be liable for any direct, consequential, or incidental damages arising out of the use of the training material.

Networking Basics

A network is a data communication system that allows users and devices to communicate with each other. A network that contains computers among its devices is known as a "Computer Network". When a message is sent from one point to another, we say that communication has taken place. A message is the term used for the information, a single unit of communication, transmitted over a network.
A message can be anything: an email (Electronic Mail), a file, an image, or any other piece of information. A PC or any other machine that is capable of processing information is known as a network node. A communication process involves a minimum of two PCs or devices. The device that initiates the communication is known as the sender and the device that receives the message is the receiver. Sender and receiver are connected to each other via a medium (or media), which is generally in the form of wires (nowadays, also wireless).

Types of Media

The signals generated by the sender and receiver during the transmission process require a medium through which they travel to their destination. Transmission media are divided into two broad categories:
1. Guided
2. Unguided
The overall categorization of the transmission media is shown in the figure above; a detailed description of each is given below.

Guided Media

Guided media are those types of media that provide a conduit from one point to another on the network. These include twisted pair cable, co-axial cable and fiber optic cable.

Twisted Pair Cable

This cable comes in two forms:
1. UTP (Unshielded Twisted Pair)
2. STP (Shielded Twisted Pair)

UTP Cable

UTP is the most commonly used cable today. A UTP cable consists of two copper wires wound around each other, each with its own colored plastic insulation. There are seven major categories of this type of cable. The category number of the cable tells us how many pairs of wires are contained in the cable.
1. Category 1: This type of cable contains a single pair of wires. This is the basic twisted pair cable generally used in telephone systems. This type of cable cannot carry computer signals and hence is not suitable for computer-to-computer communication.
2. Category 2: This type of cable contains 2 pairs of wires (4 wires in total). It is suitable for voice and data communication up to 4 Mbps only.
3. Category 3: This type of cable has 3 pairs of wires (6 wires in total). It is suitable for data transmission up to 10 Mbps. It is now the standard cable for most telephone systems.
4. Category 4: This type of cable has 4 pairs of wires (8 wires in total). It is suitable for data transmission up to 16 Mbps and can be used for low speed computer-to-computer communication as well as voice communication.
5. Category 5: This type of cable is suitable for data transmission up to 100 Mb per second. This cable is mostly used for LANs.
6. Category 5e: This cable is similar to a Category 5 cable but can support transmission speeds up to 1 gigabit per second (1024 Mb).
7. Category 6: This cable is the fastest copper cable. The speed of this cable is 10 Gbps and it is said to be made out of the best copper material.

Cable Pin-outs

There are two basic pin-outs used in cabling Ethernet cables. The cables are connected to the computer using an RJ45 connector, which is a standard defined by the TIA (Telecommunication Industry Association).
1. Straight Cable
2. Cross-Over Cable
In a straight cable, the pins on the sender match the pins on the receiver. For example, suppose pin no. 1 is used for sending data and pin no. 5 is used for receiving. If communication is taking place from one computer to another without any interconnecting device, then the sending pins on the sender side must be bound to the receiving pins on the receiving side, which gives rise to a cross-over cable. At the initial level, we can remember that if no switching devices are used, a cross-over cable is used for computer-to-computer communication (peer to peer), and a straight cable is used for communication between a computer and other devices like switches, hubs, and so on. The straight and cross-over terminologies apply to Category 5 and 6 cables only.
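The rule above (sending pins bound to receiving pins) can be checked mechanically rather than memorised. The following Python is an added example, not part of the Cyberoam courseware: it encodes the TIA straight-through and cross-over pin tables given in the next section and follows each wire's colour from one connector to the other; the 10/100 Mbps transmit/receive pin assignment noted in the comments is a standard Ethernet fact, not from the courseware.

```python
"""RJ45 pin mapping check for the straight-through and cross-over tables.

Added example, not part of the Cyberoam courseware: it encodes the two TIA
wiring tables from this section and follows each wire's colour from end to
end, so the 'sending pins bound to receiving pins' rule can be verified.
"""

# Pin -> wire colour at a connector, exactly as in the courseware tables.
# A straight-through cable uses this layout at both ends.
PINOUT_END_1 = {
    1: "White/Green", 2: "Green", 3: "White/Orange", 4: "Blue",
    5: "White/Blue", 6: "Orange", 7: "White/Brown", 8: "Brown",
}
# The far end of a cross-over cable swaps the green and orange pairs.
PINOUT_CROSSOVER_END_2 = {
    1: "White/Orange", 2: "Orange", 3: "White/Green", 4: "Blue",
    5: "White/Blue", 6: "Green", 7: "White/Brown", 8: "Brown",
}

# 10BASE-T / 100BASE-TX use pins 1,2 to transmit and 3,6 to receive, so a
# cross-over cable must connect 1<->3 and 2<->6 and leave the rest straight.
EXPECTED_CROSS = {1: 3, 2: 6, 3: 1, 6: 2}


def pin_map(end1, end2):
    """Return {pin at end 1: pin at end 2} by following each wire's colour.

    Raises ValueError if either end does not assign all eight colours exactly
    once to pins 1-8, because then it cannot be a valid TIA pinout at all.
    """
    for end in (end1, end2):
        if sorted(end) != list(range(1, 9)) or len(set(end.values())) != 8:
            raise ValueError("each end must assign 8 distinct colours to pins 1-8")
    if set(end1.values()) != set(end2.values()):
        raise ValueError("both ends must use the same set of colours")
    colour_to_pin2 = {colour: pin for pin, colour in end2.items()}
    return {pin: colour_to_pin2[colour] for pin, colour in end1.items()}


def classify(end1, end2):
    """Return 'straight', 'crossover' or 'miswired' for two connector pinouts."""
    mapping = pin_map(end1, end2)
    # Keep only the pins that do not land on the same number at the far end.
    crossed = {a: b for a, b in mapping.items() if a != b}
    if not crossed:
        return "straight"
    if crossed == EXPECTED_CROSS:
        return "crossover"
    return "miswired"


if __name__ == "__main__":
    print(classify(PINOUT_END_1, PINOUT_END_1))            # straight
    print(classify(PINOUT_END_1, PINOUT_CROSSOVER_END_2))  # crossover
```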
Each cable consists of four basic colors (Blue, Brown, Orange, and Green) with their corresponding white-striped wires, known as White/Blue, White/Brown, White/Orange and White/Green. The pin numbers on the connector can be understood from the diagram below. The cabling method according to the TIA standard can be understood from the tables below.

Straight Through cable

RJ45 Pin # (End 1)   Wire Color     RJ45 Pin # (End 2)   Wire Color
1                    White/Green    1                    White/Green
2                    Green          2                    Green
3                    White/Orange   3                    White/Orange
4                    Blue           4                    Blue
5                    White/Blue     5                    White/Blue
6                    Orange         6                    Orange
7                    White/Brown    7                    White/Brown
8                    Brown          8                    Brown

Cross Over cable

RJ45 Pin # (End 1)   Wire Color     RJ45 Pin # (End 2)   Wire Color
1                    White/Green    1                    White/Orange
2                    Green          2                    Orange
3                    White/Orange   3                    White/Green
4                    Blue           4                    Blue
5                    White/Blue     5                    White/Blue
6                    Orange         6                    Green
7                    White/Brown    7                    White/Brown
8                    Brown          8                    Brown

STP Cable

A shielded twisted pair cable has a protective shield (covering) within which the two wires run for the entire length. An STP cable can be thought of as a UTP with a jacket. A shielded twisted pair has a metal foil or a braided mesh covering the insulated wires. The major application of STP cable is the electrical industry. This cable is mostly used for powering up electrical devices. However, many ISPs also use this type of cable to terminate the broadband link at customer premises.

Co-Axial Cable

A co-axial cable consists of a center wire surrounded by insulation, which in turn is surrounded by a braided wire and a shield above the braided wire. This type of cable is primarily used for cable television. This cable can also be used in computer networks where a high amount of data transfer is required, as this cable supports high frequencies.

Fiber Optic Cable

A fiber optic cable works on the principle of reflection of light.
We know that light travels at a very high speed. Hence, communication can also be done in the form of light waves using a fiber optic cable. The structure of this cable is a glass core covered by an outer glass sheath. The light travels through the core of the cable by reflecting off the surfaces of the glass and so reaches the destination. Fiber cables are used in computer communication. Many other devices, like audio players, also use fiber cables, known as SPDIF (Sony Philips Digital Interface).

Unguided Media

Unguided media are usually wireless and can take the form of radio waves and microwaves. Wireless media can broadly be classified into the following categories.

Wi-Fi

Wi-Fi is a wireless technology that allows users to send and receive data using radio waves. Wi-Fi can provide both intra-network connectivity and Internet access. Products complying with Wi-Fi define it as a Wireless Local Area Network (WLAN). To check whether a device supports the Wi-Fi standard, look for the Wi-Fi logo on the device. Wi-Fi is actually an abbreviated term used for WLAN.

3G

3G, or 3rd Generation mobile telecommunication, is a standard for mobile phones and mobile telecommunication providing services like wireless telephony, mobile Internet and Mobile TV.

4G

4G, or 4th Generation mobile telecommunication, is the successor of the 3G technology. A 4G system provides very high speed Internet access wirelessly.

Wi-Max

Wi-Max (World Interoperability for Microwave Access) is a wireless communication standard that achieves very high speed data transfer wirelessly. It is a part of the 4G (4th Generation) wireless technology.

Modes of Transmission

There are three strategies used for data transmission between two communicating machines:
1. Simplex
2. Half Duplex
3. Full Duplex
In simplex communication, data transfer is done in one direction only. Data can travel from point A to point B only; the reverse does not hold. An example of simplex communication is a door-bell. A door-bell only informs the housemates that there is someone at the door; the housemates cannot inform the visitor of anything.

In half duplex mode, the line between the two points is set up in such a fashion that it allows data to be transferred in both directions, but only one direction at a time. While one node is busy sending data, the other cannot send, and vice versa. An example of half-duplex communication is a hanging bridge where only one person can pass at a time. People can move in both directions, but at any given time only people moving in one direction are allowed. Another example is a single-lane road with traffic controllers at each end.

For more information refer Cyberoam Academy Courseware

Overview

Network security fundamentals are a new concept because, before computers became familiar, they were not networked. The early networks were mostly LANs. When first deployed, they were secure because they were physically isolated and had no connection to other networks. Gradually, as WANs developed and Internet usage increased, LAN security became a big question. Today it is essential for everyone to secure their network, as very few networks do not have an Internet connection.

What is Network Security?

Network security is a methodology consisting of policies defined by a network administrator to monitor and prevent unauthorized access to the network. Unauthorized access also includes misuse and modification of the network and its services. This methodology includes the authorization to access data in the network, which is controlled by the network administrator. A more detailed description of each component and terminology used in network security is discussed in this module.

Why is Network Security important?
When we talk about the importance of network security, it becomes essential to talk about the usage of the network and the type of users. While we use the Internet, we have to be sure that the device through which we connect to the Internet remains in a usable condition afterwards. When we are connected to the Internet, we are also connected to several thousand networks with millions of users. So network security becomes a vital component in the configuration of the network environment. We shall see the types of security henceforth.

Identifying Risks in the Network

Network risk is a broad term and can be divided into many smaller terms, which are discussed in the topics to follow. In general, a network risk is any circumstance that can affect the network of an organization. We have classified risks into three main categories: Threats, Vulnerabilities, and Attacks.

Threats

A threat is any incident that can harm the security of a computer network. Threats are categorized into internal and external threats.

Internal Threat

Till now we have only known the threats to a network to come from the Internet and the outside world, but studies reveal that the actual threat to an organization is more internal than external. The internal threat can hence be considered the most serious type of threat. Insiders (the people who are associated with and work in the network), whether an employee or a network administrator, have complete knowledge of what goes on inside the network and have access to the resources inside it. An insider does not need to crack a password or use any other tool to get the data; they can do it easily and efficiently from within the network. Most network security defenses are not able to deal with threats from inside.

External Threat

External threats are the threats that come from outside the network, usually through the Internet. An external threat relies on technical means to achieve its goals. Network security defense mechanisms mostly fight against external threats. Firewalls, Intrusion Prevention Systems (IPS) and similar controls can help reduce the threats to an organization. We shall see all these terms in detail in the later modules. External threats can also be acts of God like storms, floods, earthquakes and fires. An external threat can be a physical threat like a burglar as well.

Vulnerability

Vulnerability is defined as an organization's own weakness. A vulnerability is a loophole in the network that could have been prevented but, due to some lapse, was not, and so becomes a threat to the network. A vulnerability is a combination of three major elements: a flaw in the system, an attacker who can access the flaw, and the attacker having the capability to exploit the flaw. A security risk can be classified as a vulnerability. A vulnerability that still works in many instances, with attacks already implemented for it, is known as an exploitable vulnerability. A vulnerability can also be in the form of a security bug, which is fixed within a short time after exploitation. A security bug is, however, a very small form of vulnerability. These security bugs are generally fixed by software patches and upgrades.

Confidentiality Attacks

A confidentiality attack refers to a person stealing, or trying to steal, an organization's confidential data. A confidentiality attack is not necessarily only physical but can be logical as well. An attacker may try to copy sensitive files onto a USB memory stick without the owner's knowledge, or even without leaving a trace. It is difficult to track any unauthorized copying or leakage of data without auditing and monitoring the data at all times. Confidentiality attacks are classified into two groups: physical and logical.
Logical Attacks

Packet Sniffing
Packet sniffing is a technique used to intercept and log the traffic passing over a network. The tool is also known as a packet analyzer. A sniffer is basically a computer program or a piece of hardware that captures each packet flowing in the network and inspects its contents. Various free and paid software of this kind are available on the Internet. These attacks are discussed in the later module on "Ethical Hacking".

Port Scanning
Port scanning is a technique that scans a system for the ports that are open to communicate. As we have already seen in the previous module, each protocol and service uses a different port on the system to communicate. Therefore, in any system there are a number of ports that are always open. These ports can be scanned by an attacker to breach the confidentiality of an organization.

Social Engineering
Social engineering is when an attacker uses social skills, such as relationships or social media, to manipulate people or gather sensitive organization information. Bribing an employee, or sending emails or links to a person within the organization to collect organization data, is also termed social engineering.

The attacks given above are just the start; more is discussed on all the tools and techniques in the "ETHICAL HACKING" module.

Physical Attacks

Dumpster Diving
Dumpster diving is a technique in which an attacker searches for information, or tries to piece together information, from waste disposed of by the company. In this technique an attacker can look for items like phone numbers, charts, memos, or any other organization material from which a valuable source of information can be built.

Wiretapping
Wiretapping is a physical confidentiality attack in which an attacker monitors the wires (telephone, Internet, etc.) without the knowledge of the organization. In this case the attacker has his own wiring attached to the wiring of the company and, as a third party, simply taps the communication.
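Port scanning, as described above, leaves a recognisable trace in firewall logs: one source touching many different ports on one host in a short time. The following Python is an added example, not from the Cyberoam courseware, showing the detection side of that attack over constructed log lines; the log format, the sample addresses and the window and threshold values are assumptions made for this example.

```python
"""Port-scan detection over constructed firewall log lines.

Added example, not part of the Cyberoam courseware: a defender-side check for
the port scanning described above. The log format and the sample lines are
constructed for this example and are not Cyberoam appliance output.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format: "<ISO time> <src ip> -> <dst ip>:<dst port> <ALLOW|DENY>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\d+\.\d+\.\d+\.\d+) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<port>\d+) (?P<action>ALLOW|DENY)$"
)

# Constructed sample: 10.0.0.5 is a normal web client; 192.168.1.77 probes
# twelve different ports on one host within six seconds.
SAMPLE_LOG = """\
2013-05-01T10:00:00 10.0.0.5 -> 10.0.0.20:80 ALLOW
2013-05-01T10:00:01 10.0.0.5 -> 10.0.0.20:443 ALLOW
2013-05-01T10:00:02 192.168.1.77 -> 10.0.0.20:21 DENY
2013-05-01T10:00:02 192.168.1.77 -> 10.0.0.20:22 ALLOW
2013-05-01T10:00:03 192.168.1.77 -> 10.0.0.20:23 DENY
2013-05-01T10:00:03 192.168.1.77 -> 10.0.0.20:25 DENY
2013-05-01T10:00:04 192.168.1.77 -> 10.0.0.20:53 DENY
2013-05-01T10:00:04 192.168.1.77 -> 10.0.0.20:80 ALLOW
2013-05-01T10:00:05 192.168.1.77 -> 10.0.0.20:110 DENY
2013-05-01T10:00:05 192.168.1.77 -> 10.0.0.20:135 DENY
2013-05-01T10:00:06 192.168.1.77 -> 10.0.0.20:139 DENY
2013-05-01T10:00:06 192.168.1.77 -> 10.0.0.20:143 DENY
2013-05-01T10:00:07 192.168.1.77 -> 10.0.0.20:443 ALLOW
2013-05-01T10:00:07 192.168.1.77 -> 10.0.0.20:445 DENY
this line is deliberately malformed and must be skipped
2013-05-01T10:00:30 10.0.0.5 -> 10.0.0.20:80 ALLOW
2013-05-01T10:00:31 10.0.0.5 -> 10.0.0.20:443 ALLOW
"""


def parse_line(line):
    """Parse one log line; return None for lines that do not match the format."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "src": m["src"],
        "dst": m["dst"],
        "port": int(m["port"]),
        "action": m["action"],
    }


def detect_port_scans(lines, window=timedelta(seconds=10), min_ports=10):
    """Flag (src, dst) pairs that touch at least min_ports distinct ports
    within any time window of the given length.

    The window and threshold are assumptions for this example; tune them to
    the traffic you actually see (a monitoring host or a busy proxy may need
    a higher threshold or an allow-list).
    """
    events = defaultdict(list)  # (src, dst) -> [(ts, port, action), ...]
    for line in lines:
        ev = parse_line(line)
        if ev is not None:
            events[(ev["src"], ev["dst"])].append((ev["ts"], ev["port"], ev["action"]))

    alerts = []
    for (src, dst), evs in events.items():
        evs.sort()  # time order; the sliding window below relies on it
        best_count, best_start, best_end = 0, 0, 0
        start = 0
        for end in range(len(evs)):
            # Shrink the window from the left until it fits the time limit.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            count = len({port for _, port, _ in evs[start:end + 1]})
            if count > best_count:
                best_count, best_start, best_end = count, start, end
        if best_count >= min_ports:
            in_window = evs[best_start:best_end + 1]
            alerts.append({
                "src": src,
                "dst": dst,
                "distinct_ports": best_count,
                "denied": sum(1 for _, _, action in in_window if action == "DENY"),
                "first_seen": in_window[0][0].isoformat(),
                "last_seen": in_window[-1][0].isoformat(),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_port_scans(SAMPLE_LOG.splitlines()):
        print(alert)
```

A high share of DENY entries inside the flagged window is the usual sign that the source was guessing rather than using services it knows about.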
Network Security Objectives

From the earlier discussion we have seen how a network can be attacked. The only secure computer in a network is the one that is not connected to the network, is still inside the box and has been thrown deep into the ocean; but we know that such a computer has no meaning and no use. Our objective is to use the computers in the network and, at the same time, secure them as well. Given below are some of the objectives of network security.

Assumptions

Before developing a security solution for a network, it is necessary to make many fundamental assumptions. To name a few, we need to think about future expansion of the network, changes in future operating systems, changes in other software, changes in Internet connections, or a change in the physical location of the organization, etc. As with any software development project, a life cycle has to be planned. A network engineer must be able to answer for any physical and logical changes that can be made in a network.

Requirements

The basic security principles have a few requirements, like confidentiality, integrity and availability. We will discuss the above requirements as the goals of a network security environment at the end of this module.

Security Principles

Network security can be in the form of software or hardware that guards us by not letting objectionable traffic flow from an unknown network into our network. Network security can be shown as a security pyramid.

Prevention

Prevention is the foundation of the security pyramid. To provide security it is vital to execute measures for averting network threats. In developing network security methods, organizations favor precautionary measures over detection and reaction. It is easier, and more economical, to prevent a security breach than to detect or respond to it. A company always wants its preventative measures to be strong enough to put off likely criminals (inside and outside the network).

Detection

Once preventative processes are implemented, actions need to be introduced to detect potential problems or security breaches in the event that precautionary measures fail. It is important that problems be perceived immediately: the sooner a problem is identified, the easier it is to rectify and crack down on.

Response

Businesses need to develop a plan that classifies the response to a security breach. The plan should identify who is responsible for what actions, their responses and the levels of escalation. A response is the answer that is given when a breach has been committed in the network.

Implementing Network Security

From all the above discussion, a network security solution has to be implemented in two broad categories: physical and logical.

Physical Network Security

Before trying to secure a network environment with a good security solution, it is necessary to secure the network using good physical and technical controls. To name a few: an intruder detection system (which doesn't let an outsider enter the organization), security guards, locks, safes, racks, UPS (Uninterruptible Power Supply), fire suppression systems and air-flow systems, etc. are some examples.

Logical Network Security

Logical network security is the actual security that is provided either as a piece of hardware or software installed in an organization's network. Logical security started with the development of firewalls, which are discussed in the sections below.

Evolution of Firewalls

When network security first started to be implemented, it was as a firewall solution. This solution restricted the flow of packets. A firewall does not have a fixed meaning. However, it can be understood as partly hardware and partly software used to block objectionable traffic on a network. By the meaning of the word, we can understand a firewall as "a barrier inside a building, designed to limit the spread of fire".
For more information refer Cyberoam Academy Courseware

Terminologies

Before we can actually move on to what ethical hacking and penetration testing are, it is essential for us to understand a few basic concepts about hacking.

Why is information security important?

In the modern era, with digitization making the world a small place, it is very essential to safeguard sensitive information like credit card numbers, social security numbers, private details of a person, etc. In the case of an organization, major examples are the private data of a customer and the organization's own private data like design files, code files, marketing secrets, etc. It is vital not only for an organization to protect this information, but also to take precautionary steps and be prepared for the worst case. Hence what is required is that the organization be prepared for any type of attack by a hacker. It is rightly said that to prevent a theft, think like a thief. Hence, to prevent a network from being hacked, think like a hacker and act like a hacker. In other words, an ethical hacker is required to find the flaws in the system and provide security.

What are the elements of security?

We have already seen the elements of security in module 2. The elements of security are confidentiality, authenticity, integrity and availability. Before learning what hacking is, it is mandatory to know the following terminologies.

Threat
Any event that has the potential to compromise security is a threat. A threat can be any event or action.

Vulnerability
A loophole or bug in the system is known as its vulnerability. Vulnerabilities can be classified into two major categories: hardware vulnerability and software vulnerability. Vulnerabilities are otherwise categorized by their seriousness or severity, i.e. Low, Medium, High, Critical, etc.

Attack
An attack is an abstract term relating to the intention of an individual either to explore an already known vulnerability or to generate an attack to find a new vulnerability.

Exploit
An exploit is the defined way in which, using a vulnerability, security can be compromised. An exploit can be a piece of code (normally known as a tool).

A common example can be given for all the terminologies above. A person starts thinking about compromising an organization's security (Threat). The same person tries to break through the organization's infrastructure (Attack). He finds a way (Vulnerability) in which the attack can be done (Exploit).

Phases of Hacking

Because an ethical hacker is required to know what a malicious hacker will do, we now see what an actual hacker does. An actual hacker's activity can be divided into 5 phases; please note that these phases are described in detail in the next section ("What is Ethical Hacking?"). The five phases are:
1. Reconnaissance
2. Scanning
3. Gaining Access
4. Maintaining Access
5. Clearing Tracks

Classes of Hackers

There are four basic types or classes of hackers, namely Black Hats, Grey Hats, White Hats and Suicide Hackers. Black hats are the bad guys, also known as crackers. They generally use destructive activities to take down the target, with or without a reason. Black hats have extraordinary computing skills. White hats are the individuals who have good hacker skills and use them to defend against the black hats. These people are also known as security analysts and ethical hackers. Grey hats are the individuals who at times work as black hats and sometimes as white hats. Suicide hackers are those hackers whose aim is to compromise critical processes and who do not care even if they are jailed for life. Hence, from the above we now know that ethical hackers are the white hat community.
Therefore, to define an ethical hacker, we can say that an ethical hacker is a person who uses their hacking skills to defend against the black hats.

Cyber Laws

As a learner who wants to be an ethical hacker, it is essential to know the cyber laws prevailing in each country. To be specific, every country has its own law for hackers. Hackers are dealt with severely in each country. If any hacker is found to be doing an activity that can endanger the life of an individual, they can even be given a life sentence. A few acts and laws are stated below for reference.

SPY Act

U.S. Federal Law

Given below is the list of US Federal Laws for cyber crimes. More of the laws can be found on the judicial website of your country.
Posse Comitatus Act of 1879
Antitrust Laws and Section 5 of the Federal Trade Commission Act
National Institute of Standards and Technology Act
Federal Power Act
Communications Act of 1934
National Security Act of 1947
US Information and Educational Exchange Act of 1948 (Smith-Mundt Act)
State Department Basic Authorities Act of 1956
Freedom of Information Act (FOIA)
Omnibus Crime Control and Safe Streets Act of 1968
Racketeer Influenced and Corrupt Organizations Act (RICO)
Federal Advisory Committee Act (FACA)
Privacy Act of 1974
Counterfeit Access Device and Computer Fraud and Abuse Act of 1984
Electronic Communications Privacy Act of 1986 (ECPA)
Department of Defense Appropriations Act, 1987
High Performance Computing Act of 1991
Communications Assistance for Law Enforcement Act of 1994 (CALEA)
Communications Decency Act of 1996
Clinger-Cohen Act (Information Technology Management Reform Act) of 1996
Identity Theft and Assumption Deterrence Act of 1998
Homeland Security Act of 2002 (HSA)
Federal Information Security Management Act of 2002 (FISMA)
Terrorism Risk Insurance Act of 2002
Cyber Security Research and Development Act, 2002
E-Government Act of 2002
Identity Theft Penalty Enhancement Act
Intelligence Reform and Terrorism Prevention Act of 2004 (IRTPA)

U.K. Cyber Laws

European Law

Japan's Cyber Law

Australia's Cybercrime Act

India's Information Technology Act

Germany's Cyber Law

Singapore's Cyber Law

Belgium Law

Brazilian Law

Canadian Laws

France Law

Italian Law

What is Ethical Hacking?

To understand "Ethical Hacking", we must first understand what hacking is and how it can be ethical. Hacking is the terminology used for an activity in which a person (hacker) gains unauthorized access to a resource that he should not be using. Unlawful hacking is when the hacker not only gains unauthorized access, but also modifies the content of the information in such a way that it can harm the organization. Ethical means doing a deed while abiding by principles. Hacking is in no way ethical, but ethical hacking involves the hacker using hacking techniques to find any vulnerability in an organization's network.

Purpose of Ethical Hacking

From the above we now know that an ethical hacker is a computer and network expert who attacks the resources on behalf of their owners, seeking vulnerabilities that a malicious hacker could exploit. The primary purpose of performing ethical hacking is to test a security system. Ethical hackers use the same methods as malicious hackers, but report problems instead of taking advantage of them.

Phases of Ethical Hacking

Ethical hacking can be broadly divided into five major phases.

1. Reconnaissance
Reconnaissance is the phase in which information is gathered about the victim to be attacked. Reconnaissance is a very broad term that also includes creating a footprint of the network. More about reconnaissance and footprinting can be understood from the Footprinting section later in this module. Reconnaissance covers gathering the details both with and without the use of computers. In our case, we shall see reconnaissance and footprinting in which a computer is used to gather information about the victim.

2. Scanning
Scanning involves examining the information gathered from the reconnaissance.

3. Gaining Access
This is the phase in which the hacker gains access through the vulnerability discovered.

4. Maintaining Access
Once access is gained, the hacker wants to keep the access for future use, to launch other attacks.

5. Covering Tracks
Once a hacker has been able to gain and maintain access, it becomes important for the hacker to cover the attack, by adding a patch or adding another layer of security.

The major phases of ethical hacking discussed above are discussed in detail in the later part of this module.

Being Ethical

As we have discussed hacking and ethical hacking, we now know that an ethical hacker is the good guy, also known as a White Hat. A malicious hacker is known as a Black Hat. Some hackers are sometimes ethical and sometimes malicious; these are categorized as Grey Hats. When we talk about being ethical, we are talking of the white hats.

Perform Penetration Test

Penetration testing is the first job that can be done by an ethical hacker. The main function of this type of test is to carry out an entire test on the network and check for any loopholes. If loopholes exist, the ethical hacker shall report them to the owner of the network. We shall see more of ethical hacking and penetration testing in the later part of this module.

Footprinting

Footprinting is a pre-attack phase that starts just after information has been collected without the use of a computer. We already know that during the reconnaissance phase the hacker tries to collect as much information as possible about the target. Footprinting involves the hacker making a blueprint of the security profile defined by the organization. It is also said that the hacker spends 90% of the time collecting information about the target and 10% launching the attack. Listed below are the areas that the hacker seeks during the footprinting phase.
The hacker tries to collect the following information about the target, irrespective of whether the target is on the Internet or the Intranet.
1. Domain name
2. Network blocks
3. IP addresses of systems that are reachable
4. Open ports
5. Running services (TCP & UDP)
6. ACLs
7. Enumerating system users and groups (getting SNMP info.)
8. And more...

The major steps involved in footprinting are described in the paragraphs to follow.

Gathering Target Information

For an attack to take place, it is important that all the information about the target is gathered. It is rightly said that more time is spent collecting information about the target than launching the attack on the victim. In this process the hacker starts from scratch, collecting all the information like the company's URL, getting an archive of the company website, getting more company information from search engines like Google, doing a people search over Switchboard, Yahoo, Google, etc., getting company maps from Google Earth, etc. The latest proven technique to gather target information is also to scroll through job sites. The methodology adopted here includes:
Getting the initial target information
Locating the network range
Finding active machines in the network
Discovering open ports
Detecting operating systems
Mapping the network

Using Google and Other Search Engines

Google is by far the most used search engine in the world today. Google can be used to find information about any individual or organization. Searching on Google is comparatively easy. Google and some other popular websites can be used to get the email address, phone number and other details of any victim. From the screen above, we can see that Google can be used for advanced searching. It allows the user to search for content matching all the words (1), an exact phrase (2), any of the words (3), and more. Moreover, Google also allows searching by file type.
The most common file types that can be searched are Word documents (doc), Shockwave Flash objects (swf), Adobe PDF files (pdf), Excel spreadsheets (xls), and a few more.

DNS records
In the context of a web site attack, the DNS records of the website can be searched to get the name of the registrant of the website. The DNS records also give the phone number and other contact details of the person in whose name a particular website is registered. In most cases, the registrant of a website is the administrator, or the owner/CEO of the organization.

Social engineering
Social engineering is the best way to gain information about any person. It involves gathering information about the target through socialization. For example, the attacker can send emails to a victim seeking friendship, or, if the attacker already knows the victim, approach the victim directly, offering gifts, and try to get the organization's vital data. Social engineering is covered again at the end of this module.

Tools
In this section, we will see some of the tools used in gathering information.

WHOIS
WHOIS, pronounced "who is", is a well-known tool to find the owner information for any domain name. A WHOIS lookup is free and can be used by any person around the globe. Several websites offer the WHOIS service, like www.whois.com, www.whois.net, and many more. A sample from whois.com is shown below.

For more information refer to Cyberoam Academy Courseware.

Introduction
Network Forensics can be treated as a separate branch of computer science which deals with the investigation of computer security breaches. Forensics is not only defined at the level of a computer security breach; it can also be defined for a data breach or a policy breach. A data breach is when data of an individual or an organization is copied or transmitted in any form without the permission of the aforesaid.
A policy breach is when an individual attempts to breach a policy, for example by browsing a restricted website, resource, etc. Companies like Cyberoam have been constantly researching these facts and have a free (open source) reporting software known as Cyberoam iView. iView is free to use and distribute and does not require licensing. When a vendor like Cyberoam makes a UTM device, it also makes sure that the reporting solution iView is available on the appliance itself. In the topics to follow we will discuss network forensics with the help of 2 different case studies.

What is Forensics?
Network Forensics is monitoring, analyzing and recreating a scene for the purpose of information gathering, legal evidence or intrusion detection. Network forensics has two uses.
1. To implement security, which consists of monitoring the network and logging all the activity, for example the Cyberoam appliance and its open source on-appliance reporting solution iView.
2. Relating to law enforcement, which consists of investigating/recreating a network crime scene.

Generally, when the first use mentioned is well implemented, the second use can be easily achieved. For example, iView offers compliance-based reporting for compliances like CIPA, HIPAA, etc.; therefore, in the case of a breach, the compliance reports can be consulted to obtain evidence. We shall look into law enforcement and how iView can be used for network forensics in the case study which follows at the end of this module.

Types of Forensics
Forensics is a mammoth term; to simplify it, we can list the types of forensics. This section will help us understand them.

Network
Network forensics is when forensic activity is done on the network, meaning no individual computers are referred to for information.
Network forensics includes each activity over the network, like
- Email forensics
- Chat forensics
- Protocol forensics
- Application forensics (applications which require Internet connectivity)

Computer
Computer forensics is when an individual computer is used to recreate an event, or to find out the activity done from an individual computer. We are aware that any and all forensic activity requires the Internet; forensic activity cannot be carried out on a computer which is not connected to the Internet, merely because the computer will have only its own data and there will be no signs of breach, data leakage, or violation of laws. A computer connected to the Internet is susceptible to network forensics. Therefore we can explicitly state that network forensics covers most of computer forensics as well, and hence network forensics is the major area to look at. For example, if a threatening email is sent by person X to person Y, we would not refer to person X's computer. The only information that can probably be sought from person Y's computer is the email headers. All other information can be obtained by network forensics.

Why forensics?
The answer to this question is keeping an eye on the activities done by each user in order to keep the processes of an organization working smoothly and to be able to respond to any incident. Forensic investigation and forensic reporting are required for the following:
- Responding to a network incident
- Supporting a crime investigation

Forensics in Action

Monitoring user activity
In the context of network security, it becomes essential for an organization to monitor each activity in the network. For forensics to happen, a logging and reporting solution must be in place. There are many network transactions that need to be captured and recorded, like
- Authentication events
- Email activity
- Messenger/Internet application activity
- Internal web server(s) activity
- Web traffic (HTTP/HTTPS)
- Other protocol traffic like FTP, etc.
The above points describe an organization where there are no restrictions on any user browsing Internet resources; however, we are aware that in most organizations restrictions do apply. In that case too, a capturing and recording solution is required. According to a Gartner survey, for most organizations social media should be blocked. The primary reason behind this is loss of productivity. In addition, an organization's own private information can be leaked and left floating on social media. For example, as of the current date the popular social networking site Facebook is banned in several countries including the Republic of China, Iran, Uzbekistan, Pakistan, Syria, and Bangladesh. In addition, many bandwidth-hungry applications like online music, games, videos, etc. are also banned by organizations. However, users try to bypass the corporate network with the help of a proxy server. The Cyberoam application firewall can identify these types of bypassing activities and log them for the network administrator to look at. Hence, to conclude, not only do organizations with unrestricted Internet access need to capture and record network data, but organizations with strict Internet policies also need it.

Identifying the source of a data leak
It has widely been reported by organizations that their valuable data is leaked because of its availability. The motive of making data available to employees often leads to data leakage. A data leak involves two major contributors:
- The person/individual/computer from which the data is leaked
- The medium through which the data is leaked

When we talk about a person or an individual leaking the data, it is very difficult to trace down the individual involved. The primary reason for the difficulty in tracing is the organization's dynamism. To name a few causes:
- Dynamic IP address schema
- Roaming tendency of users
- Bringing own devices like USB drives, mobiles, etc.
into the organization's network
- Using their own network, for example 3G

An individual who wants to leak data can do so in several possible ways, for example
- Email
- Chat (Messenger)
- Web upload
- FTP servers
- Cloud storage drives
- USB sticks
- Mobile device memory

Since our scope is limited to network forensics, we shall elaborate on network forensics only; however, for information, in cases like USB sticks and mobile device memory, computer forensics comes in handy. We shall also see a sample incident of data leakage in the case study to follow.

Capturing and Recording Data
From the previous explanation, it is essential for a network forensic solution to capture and record all the data about "What's going on?" in the network. An efficient forensic solution should be able to capture the following data:
- Authentication data, along with the username in place of IP addresses
- Email transaction data; every small item of data from an email transaction, like sender, receiver, number of bytes, date and time of the email, subject line, etc.
- Website visit data; data on each website visited by a user, like the website URL, sub-domain, category of website, data uploaded/downloaded to/from the website, total bytes transferred, etc.
- Messenger data, like message sender, receiver, file name, file type, etc.

Not only should the capturing solution be wise enough to record the above data, it should also consider parameters like storage space and security of the captured data. Storage space management techniques have to be employed so that proper storage space is allotted to the capturing software. Also, it should be made sure that all the data is being captured; in the case of an organization with multiple branches, it has to be ensured that all branch office data is collected and sent to the head office. Another point to be noted here is the safety of the data: principles like four-eyes authentication must be in place so that the captured data is seen only by authorized personnel.
Discovering data
Discovering data is primarily related to filtering the captured data; however, it is also related to discovering live data like live connections, packet captures, traffic discovery and real-time traffic logs. A forensic solution must be able to filter data on the many criteria listed in the sub-topics below.

Email
Filtering criteria should include sender name, sender email, sender IP address, receiver name, receiver email, receiving mail server IP address, subject line, body text search, etc.

Chat (Messenger)
Filtering should include username, message search, file name search, file type search, file MIME header search, etc.

Web Upload
Filtering criteria should include username, website name, URL search, category search, etc.

Analyzing data
Once the capturing, recording and discovering of data is done, there should be a mechanism by which the forensic solution puts the data in its proper place, meaning in a sensible format which can be easily understood by the investigator. The required analysis differs from one forensic situation to another; however, to shorten it down, an investigator's five questions should be answered by the forensic solution, namely How? Where? What? When? & Why?

Managing the data
When a forensic solution has loads of data to manage, it should be ensured that proper data management facilities are available. To list a few, the solution must be able to define a range of dates, allowing the administrator to maintain data between a range, purge data between a range, etc. Also, it is the task of the solution to maintain a proper place and availability on the physical hard disk where the data will be stored. Henceforth we will learn about a forensic solution like iView, which is available on appliances like Cyberoam and also as an open-source reporting solution.

Understanding Data Recording
A reporting solution like iView offers a single view of the entire network activity.
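As an added example (not iView's or Cyberoam's code) of the capturing and discovering steps described above, the Python below correlates constructed authentication events with raw web and email records so that each record carries a username rather than a dynamic IP address, then filters the attributed records on the criteria listed under Email and Web Upload. All usernames, addresses and log records are constructed for the example.

```python
"""Added example (not Cyberoam's or iView's code): attach a username to each
captured web/email record by correlating it with authentication events, then
filter the attributed records on the page's discovery criteria.
All log lines below are constructed for this example."""
from datetime import datetime

# Constructed authentication events: (time, username, source IP, event).
# One IP is reused by two users on the same day, as a dynamic IP schema allows.
AUTH_EVENTS = [
    ("2024-03-01 08:00", "alice", "10.0.0.5", "login"),
    ("2024-03-01 09:30", "alice", "10.0.0.5", "logout"),
    ("2024-03-01 09:45", "bob", "10.0.0.5", "login"),
]

# Constructed raw capture records, keyed by source IP only.
RECORDS = [
    {"time": "2024-03-01 08:10", "ip": "10.0.0.5", "kind": "web",
     "url": "https://drive.example.com/upload", "category": "cloud storage",
     "bytes_up": 52_000_000},
    {"time": "2024-03-01 10:15", "ip": "10.0.0.5", "kind": "web",
     "url": "https://news.example.org/", "category": "news", "bytes_up": 900},
    {"time": "2024-03-01 10:20", "ip": "10.0.0.5", "kind": "email",
     "sender": "bob@corp.example", "receiver": "ext@mail.example",
     "subject": "Q4 numbers", "bytes_up": 3_000_000},
]

def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M")

def user_for(ip, when):
    """Username logged in from `ip` at time `when`, or None if nobody was.
    Replays the auth events in time order up to `when`; a logout clears
    the mapping so a later record from the same IP is not misattributed."""
    current = None
    for ts, user, event_ip, event in sorted(AUTH_EVENTS):
        if parse(ts) > parse(when):
            break
        if event_ip == ip:
            current = user if event == "login" else None
    return current

def attribute(records=RECORDS):
    """Recording step: add the 'user' field the page asks for to every record."""
    return [dict(r, user=user_for(r["ip"], r["time"])) for r in records]

def discover(records, **criteria):
    """Discovery step: keep records whose fields equal every given criterion,
    e.g. discover(rows, user="alice", category="cloud storage")."""
    return [r for r in records
            if all(r.get(k) == v for k, v in criteria.items())]
```

Without the logout event the 10:15 and 10:20 records would be attributed to alice, which is why the page insists on recording authentication data alongside the traffic.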
This allows organizations not just to view information across hundreds of users, applications and protocols; it also helps them correlate the information, giving them a comprehensive view of network activity. With iView, organizations receive logs and reports related to intrusions, attacks, spam and blocked attempts, both internal and external, enabling them to take rapid action throughout their network anywhere in the world.

Firewall Captures
The UTM captures are presented on the Log Viewer page of the appliance. The Log Viewer page allows you to view the logs for modules like IPS, Web Filter, Anti Spam, Anti Virus and Firewall. This page gives consolidated information about all the events that have occurred.

(Log Viewer screens for Web Filter, Application Filter and Anti-Virus are not reproduced here.)

For more information refer to Cyberoam Academy Courseware.