Scanning tools

Scanning tools are the category of tools that we use to find more information about our target environment, the systems within it, and the details of those systems. With such tools, we can be very general, in the case of running ping sweeps; somewhat more specific, in the case of running port scans; or very specific, in the case of grabbing banners or enumerating users on particular systems.

Given the limits of our discussion on tools in this chapter, we have grouped network mapping, port scanning, and enumeration tools together in one section. Each of these areas could deservedly be the focus of its own chapter, but we will go over some of the highlights here.

Nmap

Nmap is a wonderful tool. It is principally a port scanner, but can do quite a bit more as well. It can be used to ping IPs, detect vulnerabilities, fingerprint operating systems, run traceroutes, and much more. Almost all of the uses to which nmap can be put can also be tweaked in various ways to avoid detection, alter the speed at which it carries out its processes, change methods of communication, and more. Nmap is truly a versatile tool. Additionally,

Nessus

Nessus is primarily a vulnerability scanning tool, but, as we discussed with nmap, a variety of other features have crept in over the years in order to add to its utility. Nessus was, once upon a time, an entirely free and open source tool. In 2005, Nessus was changed to a closed source license, and certain features were restricted to the commercial version.

A free version is still available, but is limited in the circumstances under which it may be used and the vulnerability listing that it is allowed to access. An alternative open source solution has been created, which we will discuss later in this section.

Nessus classifies vulnerabilities into sets of plugins, with each family of plugins focusing on a particular type of vulnerability. These families include a variety of different operating systems, databases, protocols, and services. The professional plugin feed includes swift access to the newest plugins, and some reserved categories of plugins as well, such as those for detecting vulnerabilities in Supervisory Control and Data Acquisition (SCADA) systems.

Defense

Protecting information from scanners can be a difficult prospect. If a scanner is positioned in such a way as to have network access, or be able to eavesdrop on network traffic, particularly if the target is exposed to the Internet, then we are likely vulnerable to scanning attacks.

A common maxim in martial arts is that “the best defense is to not be there” [5]. This concept directly applies to preventing information leakage to scanners. In our case, not being there means not sending traffic out in ways that are easily visible to unauthorized listeners, not running services on standard ports, not sending unencrypted traffic, and any of a number of similar hardening measures.

Many scanning tools depend on services existing on common ports and open access to information to generate their reports. In many cases, until a version scan has been attempted, scanning tools will report a service to be running based on the associated port being open. For example, if the scanner finds a port open on 21, it will generally assume that the service behind it is FTP. Changing these basic parameters in an environment can very quickly invalidate the information being returned by a scanning tool and can force the attacker to put quite a bit more time and effort into discovering what exactly is running on a given device.
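The two stages described above can be modelled from the defender's side to see what moving a service off its standard port does and does not hide. This is an added example, not code from the original text; the port table, the simplified banner rules, and the listener inventory are constructed for illustration.

```python
import re

# Port-to-service table of the kind a scanner consults before any version scan.
WELL_KNOWN = {21: "ftp", 22: "ssh", 25: "smtp", 80: "http", 443: "https"}

# Simplified greeting patterns standing in for a version scan (assumed rules).
BANNER_RULES = [
    ("ssh", re.compile(r"^SSH-\d+\.\d+-\S+")),
    ("ftp", re.compile(r"^220[ -].*\bFTP\b", re.IGNORECASE)),
    ("smtp", re.compile(r"^220[ -].*\bE?SMTP\b", re.IGNORECASE)),
]

def guess_by_port(port):
    """Stage 1: label the service purely from the open port number."""
    return WELL_KNOWN.get(port, "unknown")

def identify_by_banner(banner):
    """Stage 2: label the service from the greeting it sends on connect."""
    for service, rule in BANNER_RULES:
        if rule.search(banner):
            return service
    return "unknown"

def exposure(port, actual, banner):
    """Return the earliest stage at which the real service is identified."""
    if guess_by_port(port) == actual:
        return "port-table"
    if identify_by_banner(banner) == actual:
        return "version-scan"
    return "not identified"

# Constructed inventory: (port, service actually running, greeting it sends).
LISTENERS = [
    (21, "ftp", "220 FTP server ready"),           # standard port, default banner
    (2222, "ssh", "SSH-2.0-OpenSSH_8.9"),          # moved port, default banner
    (21, "ssh", "SSH-2.0-OpenSSH_8.9"),            # port table reports "ftp"
    (2525, "smtp", "220 mail.example.test ready"), # moved port, minimal banner
]

def report(listeners):
    """List (port, port-table guess, stage at which the service is exposed)."""
    return [(port, guess_by_port(port), exposure(port, actual, banner))
            for port, actual, banner in listeners]

if __name__ == "__main__":
    for row in report(LISTENERS):
        print(row)
```

The third row is the case the paragraph describes: the port table reports FTP for an SSH daemon, and only the version scan corrects it, while the fourth row stays unidentified at both stages because its greeting names no protocol.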


Bitcoin Cryptocurrency

What is Bitcoin?

Bitcoin is a so-called virtual currency that has been devised for anonymous payments made entirely independently of governments and banks. In recent years, Bitcoin has generated a great deal of attention on several fronts. Bitcoin payments are based on a new interesting technical solution and function differently to traditional payments. In certain payment situations, Bitcoin can bring advantages in the form of lower costs, rapidity, anonymity, etc. over traditional payment methods. However, usage can also be more risky because Bitcoin is not directly covered by the laws that govern other payment mediation. Weak consumer protection is also a reason for why it may be difficult for Bitcoin to become generally accepted and viable as a means of payment. Use of Bitcoin for payments is low today, and although Bitcoin’s future is uncertain, it is an interesting innovation worthy of description. This article explains what a virtual currency is, and how Bitcoin works. Bitcoin use in Sweden – which is very limited – is also described. Finally, the future of Bitcoin and other virtual currencies is discussed.

Virtual currency

Bitcoin is what is known as a virtual currency. A virtual currency is a means of payment; that is, units of the virtual currency represent a value. It is intended for use in payments within a specific virtual community, such as a particular website, or in a network of users with special software for managing the virtual currency and making payments. This type of virtual community can thus be said to resemble a voluntary agreement to use a specific item as a means of payment. This is an important difference to national currencies, such as the Swedish krona. For the latter, it has been established in law that the monetary unit in Sweden shall be called the Swedish krona. The virtual currency thus has a different unit of account than national currencies. For Bitcoin, the unit of account is the Bitcoin itself.

The issuer of the virtual currency can be a non-financial company or even a private individual, but such an issuer is not under the supervision of a government authority. The issuance of virtual currency is thus not a government-regulated activity. However, each virtual currency has some type of rules of its own governing where and how it may be used, and some form of technical infrastructure in which the payments are carried out. The virtual currency, its own set of rules and the technical infrastructure combined form a small payment system, hereinafter referred to as a virtual currency scheme.

There are a large number of virtual currency schemes that have been built up, and function, in different ways. They can be broken down into different categories depending on the extent to which it is possible to buy and sell the virtual currency. Here, we divide them into virtual currency schemes that are closed, that have a unidirectional flow, and that have bidirectional flows. In closed virtual currency schemes, the virtual currency can be neither bought nor sold, but only earned and used on certain websites (such as World-of-Warcraft Gold). If the virtual currency can be bought for national currency but not exchanged back, the scheme has a unidirectional flow (such as Amazon coins). When the virtual currency can both be bought and sold and used outside of a certain website, the scheme has bidirectional flows. As explained below, Bitcoin is an example of a scheme with bidirectional flows. However, these categories can overlap.

Security Design Considerations

Security is a high priority for customers in a multi-tenant environment. While virtual infrastructures are relatively secure in their basic installation, additional changes are required to adhere to certain security audit requirements. This section provides an overview of some of the security measures considered within the reference design, as they are subject to the wider security protocols required in an offering for managed services.

Hypervisor Hardening

VMware ESXi 5 is a small-footprint version of VMware’s hypervisor. This minimal footprint also reduces the attack surface. ESXi implements support for Intel TXT. The capability is managed and controlled by xStream software for trusted compute pools, providing visibility to the integrity of the platform and enforcement of trust policies for deployment and migration of virtual machines. The ESXi installation comes with a number of additional security features:

  • LDAP integration
  • Management interface firewall
  • Lockdown mode
  • Logging

These features have to be enabled correctly to ensure hardening. With the high priority attached to security in the multi-tenant paradigm being used in the cloud platform, using ESXi 5.x is recommended. In addition, basic security measures such as setting a strong root password should be used, and the requirements for compliance with the security standards selected for the platform should be checked.

Firewalls and Network separation

To provide end-to-end separation of client data, it is important to ensure that no element in the infrastructure allows data to comingle or be accessed by another client. This is especially true of the networking design and infrastructure.

In order to achieve this, the reference design prescribes the infrastructure to be entirely separate from the customer VPN landing zone, through to the individual virtual machines and at all points in between. To achieve this, the reference design uses the following technologies:

  • VLAN
  • Virtual switches
  • Virtual appliances
  • Firewalls and routing infrastructure

Every cloud customer is assigned one or more individual VLANs, as needed. Each customer's network traffic remains isolated from that of other customers within its VLAN. The switch to which a VLAN is attached is also assigned the same VLAN tag. The only way for machines in VLAN A to talk to machines in VLAN B (and vice versa) is for the router to be configured to allow that conversation to occur. To ensure that the switch configuration is unified across all hosts in a cluster, the reference design uses distributed virtual switches. These ensure that the switch configuration and the associated VLAN-tagged port groups are the same across all attached hosts, thereby limiting the chances of a misconfiguration of VLAN tagging on the virtual switch.

In addition to the VLAN tagging, the reference design also makes use of other traditional networking separation and security tools. A key technology is firewalling. Both virtual and physical firewalls are needed to ensure separations throughout the environment, from access to the physical network, including DMZ separation using physical firewall devices, and virtual firewalls to ensure visibility and separation across virtual machines.

Firewalls are required to scale to the highest VPN session counts, throughput, and connection speed and capacity to meet the needs of the most demanding customers. Offering protocol-agnostic client and clientless access for a broad spectrum of desktop and mobile platforms, the firewall device delivers a versatile, always-on remote access integrated with IPS and Web security for secure mobility and enhanced productivity.

The reference design ensures that throughout the network, be it virtual or physical, industry standard separation is enabled, and further guaranteed and improved by the inclusion of specific industry leading technologies that ensure even greater levels of granularity and visibility within the system.

Management Network Firewalling

Putting the hosts and management servers behind firewalls provides additional security and separation of the management services. Certain ports will need to be opened for the VMware virtual infrastructure to work.

Virtual Networking

VMware virtual infrastructure implements a virtual networking component that allows for virtual switches and port groups to be created at the software layer and operate as if they were physical infrastructure. There are certain features and ways to configure the networking to improve network segregation and prevent possible network vulnerabilities.

These are:

  • Use VLAN tagging
  • Disable MAC address changes
  • Disable forged transmits
  • Disable promiscuous mode
  • Prevent and monitor for spoofing

Note that some of the features need to be enabled for certain customers (for example, for internal IDS scans) but should only be changed explicitly from defaults on an individual basis. As mentioned earlier, all customers will be assigned their own VLAN, and this will remain enabled. As a recommended practice, the reference design calls for use of different vSwitches to physically separate network traffic, disable forged transmits, and segregate management network traffic from virtual machine traffic.
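One way to check an exported port-group inventory against these rules is sketched below: per-tenant VLANs, the three security settings disabled unless individually approved, and management traffic kept off tenant vSwitches. This is an added example, not part of the reference design or of any VMware tooling; the record fields, the `mgmt` tenant label, and the inventory itself are constructed and hypothetical.

```python
MGMT = "mgmt"  # tenant label used here for management traffic (assumed)
FLAGS = ("promiscuous", "mac_changes", "forged_transmits")

def pg(name, tenant, vswitch, vlan, **enabled):
    """Build one port-group record; security flags default to disabled."""
    record = {"name": name, "tenant": tenant, "vswitch": vswitch, "vlan": vlan}
    record.update({flag: enabled.get(flag, False) for flag in FLAGS})
    return record

# Constructed inventory; the field names are hypothetical, not a VMware schema.
PORT_GROUPS = [
    pg("pg-tenantA", "A", "dvs-tenants", 101),
    pg("pg-tenantB", "B", "dvs-tenants", 101, forged_transmits=True),
    pg("pg-tenantC-ids", "C", "dvs-tenants", 103, promiscuous=True),
    pg("pg-mgmt", MGMT, "dvs-mgmt", 10),
    pg("pg-tenantD", "D", "dvs-mgmt", 0),
]

# Exceptions approved individually per customer (e.g. internal IDS scans).
APPROVED = {("pg-tenantC-ids", "promiscuous")}

def audit(port_groups, approved=frozenset()):
    """Return (port group, finding) pairs for every rule that is violated."""
    findings = []
    vlan_owner = {}  # VLAN ID -> first tenant seen using it
    mgmt_switches = {p["vswitch"] for p in port_groups if p["tenant"] == MGMT}
    for p in port_groups:
        name, vlan, tenant = p["name"], p["vlan"], p["tenant"]
        # Every port group must carry a valid 802.1Q tag owned by one tenant.
        if not 1 <= vlan <= 4094:
            findings.append((name, f"VLAN {vlan} is untagged or outside 1-4094"))
        elif vlan_owner.setdefault(vlan, tenant) != tenant:
            findings.append(
                (name, f"VLAN {vlan} already assigned to tenant {vlan_owner[vlan]}"))
        # Security settings may be enabled only with an explicit exception.
        for flag in FLAGS:
            if p[flag] and (name, flag) not in approved:
                findings.append((name, f"{flag} enabled without approved exception"))
        # Tenant traffic must not share a vSwitch with management traffic.
        if tenant != MGMT and p["vswitch"] in mgmt_switches:
            findings.append((name, "shares a vSwitch with management traffic"))
    return findings

if __name__ == "__main__":
    for name, finding in audit(PORT_GROUPS, APPROVED):
        print(f"{name}: {finding}")
```

Running the audit without the exception set shows which deviations exist only because someone approved them, which is the list to re-review when a customer's IDS requirement ends.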

Anti-Virus Software

Anti-virus and anti-malware software is always a consideration by any company when security is in question. For the management layer, anti-virus software is recommended on the virtual machine manager server and any other appropriate virtual machines. The definition of anti-virus policies and the deployment of anti-virus agents by a service provider to the tenant’s virtual machines fall outside the scope of this reference design. Tenant segregation and the use of security devices such as firewalls and IPSs—and, if selected, technologies such as virtual firewalls—will ensure that any viruses on a tenant’s virtual machines will not spread to other tenants. It is recommended that approved anti-virus software be installed on management layer virtual machines. Unless specified by the service provider, the tenant is generally responsible for installation of anti-virus software on production virtual machines.

Cloud Management Security

The cloud management layer provides the basis for all management functions surrounding the reference design. It ties into all the other technologies previously listed and provides some additional functionality to assist in the creation of a secure and auditable cloud environment. The security elements required by a cloud management portal are as follows:

  • PCI/ISO/FedRAMP/NIST 800-53 associated security controls
  • Governance, risk, and compliance (GRC)
  • Trusted execution platform

Trusted execution platform is the one element that we have covered in depth in the earlier chapters, so we will not cover that here. Let’s cover the other two elements briefly in the next two sections.

Security Controls

The security controls implemented in the reference design are based on NIST 800-53/FedRAMP, GLB, and ITAR/EAR, along with applicable security controls to measure and secure connectivity between data centres.

What is Cyber Warfare?

Definition for Cyber Warfare

A definition of Cyber Warfare is not easy. In fact, definitions for Cyber or Warfare are both under debate. We will start with a simple definition of Cyber or Cyberspace. For the purpose of this chapter, we will frame the definition in the context of a military environment. DoD defines cyberspace as the “notional environment in which digitized information is communicated over computer networks”. There is no official definition for just “cyber.” When you hear it by itself it could mean cybersecurity, computer network operations, electronic warfare or anything to do with the network. It is important to agree on what it means; for this book it will generally refer to cyberspace and be discussed in terms of computer network operations (attack, defend, and exploit).

The National Military Strategy for Cyberspace Operations defines cyberspace as the “domain characterized by the use of electronics and the electromagnetic spectrum to store, modify, and exchange data via networked systems and associated physical infrastructures”. DoD (Joint Publication 3.0 Joint Operations 17 September 2006 Incorporating Change 2, 22 March 2010) defines cyberspace as a “global domain within the information environment. It consists of the interdependent network of information technology infrastructures, including the Internet, telecommunications networks, computer systems, and embedded processors and controllers.” Within cyberspace, electronics and the electromagnetic spectrum are used to store, modify, and exchange data via networked systems. Cyberspace operations employ cyberspace capabilities primarily to achieve objectives in or through cyberspace. Such operations include computer network operations and activities to operate and defend the Global Information Grid (GIG).

United Nations (UN) defines cyber as “the global system of systems of Internetted computers, communications infrastructures, online conferencing entities, databases and information utilities generally known as the Net.” This mostly means the Internet; but the term may also be used to refer to the specific, bounded electronic information environment of a corporation or of a military, government, or other organization.

For a definition of warfare we cannot turn to an authoritative source. The UN does not have a definition, so we will default to the two historical standards for military doctrine: On War, the exhaustive work documenting tactics during the Napoleonic War period in 1873 and The Art of War a more condensed version of how to conduct warfare composed in sixth century BC. Are these definitions applicable to what is happening on the Internet today? Can these historical concepts be applied to the virtual world? Is the military perspective the right one to look at this problem through? The answer to all questions is a declarative: YES. That is where this book becomes applicable: to help solidify what cyber warfare means. First there is no governing body to determine what definition we should use, so the definition is normally based on the perspective of the person speaking. Governments, finance companies, Internet providers, international corporations, organizations with a specific cause, and lawyers all give us a different answer. As for historical concepts, there are many that are based on geography which no longer apply, but most principles and practices can be modified to be useful when it comes to the new World Wide Web’s Wild West. Finally, we think if we are going to use the term warfare we should use the military perspective but throughout this book we will take the time to explore the other options because our systems are connected to the same battlefield on which the nation states are fighting!

What Does ‘Cyber’ Mean

The word cyber is generally believed to originate from the Greek verb κυβερεω (kybereo)—to steer, to guide, to control. At the end of the 1940s Norbert Wiener (1894–1964), an American mathematician, began to use the word cybernetics to describe computerized control systems. According to Wiener, cybernetics deals with sciences that address the control of machines and living organisms through communication and feedback. Pursuant to the cybernetic paradigm, information sharing and manipulation are used in controlling biological, physical and chemical systems. Cybernetics only applies to machine-like systems in which the functioning of the system and the end result can be mathematically modelled and determined, or at least predicted. The cybernetic system is a closed system, exchanging neither energy nor matter with its environment. (Porter 1969; Ståhle 2004) The prefix cyber is often seen in conjunction with computers and robots. William Gibson, a science-fiction novelist, coined the term cyberspace in his novel Neuromancer (Gibson 1984). Science-fiction literature and movies portray the Gibsonian cyberspace, or matrix, as a global, computerised information network in which the data are coded in a three-dimensional, multi-coloured form. Users enter cyberspace via a computer interface, whereafter they can ‘fly’ through cyberspace as avatars or explore urban areas by entering the buildings depicted by the data. Cyber, as a concept, can be perceived through the following conceptual model (Kuusisto 2012):

  • Cyber world: the presence of human post-modern existence on earth.
  • Cyber space: a dynamic artificial state formed by bits
  • Cyber domain: a precisely delineated domain controlled by somebody,
  • Cyber ecosystem: systems of a cyber-community and its environment
  • Cyber environment: constructed surroundings that provide the setting for human cyber activity and where the people, institutions and physical systems with whom they interact,
  • Cyber culture: the entirety of the mental and physical cyberspace-related achievements of a community or of all of humankind.

Many countries are defining what they mean by cyber world or cyber security in their national strategy documents. The common theme from all of these varying definitions, however, is that cyber security is fundamental to both protecting government secrets and enabling national defence, in addition to protecting the critical infrastructures that permeate and drive the 21st century global economy.