
AMA COMPUTER COLLEGE LAS PIÑAS

In Partial Fulfillment of the Requirements for ITNA02 and ITNA03

Submitted To: Roy, Paul Ryan

Submitted By: Mallari, Franklin C.

Abstract

A network is a set of devices, or nodes, connected by communication links. A network must meet a number of criteria, and one of them is security. Network security issues include protecting data from unauthorized access. There are enemies of stored data and of data transmitted across the network; the most common are hackers, unaware staff, snoops, viruses, Trojan horse programs, and vandals. Network (Internet) communication has become an integral part of the infrastructure of today's world. The information communicated comes in numerous forms and is used in many applications. In a large number of these applications, it is desired that the communication be done in secret. Such secret communication ranges from the obvious cases of bank transfers, corporate communications, and credit card purchases, down to a large percentage of everyday email. With email, many people wrongly assume that their communication is safe because it is just a small piece of an enormous amount of data being sent worldwide. After all, who is going to see it? But in reality, the Network (Internet) is not a secure medium, and there are programs out there which just sit and watch messages go by, looking for interesting information.

Hackers are computer enthusiasts who take pleasure in gaining access to other people's computers or networks. Unaware staff are employees who focus on their specific job duties and often overlook standard network security rules. Employees known as "snoops" gain unauthorized access to confidential data to provide competitors with otherwise inaccessible information. What can these enemies do? Viruses are computer programs that are written by unauthorized programmers and are designed to replicate themselves and infect computers when triggered by a specific event. Some viruses are more destructive and cause such problems as deleting files from a hard drive or slowing down a system. Trojan horse programs are enemies in disguise. Trojans can delete data and open up computers to additional attacks. Innumerable types of network attacks have been documented; among them are DoS attacks and access attacks. Access attacks are conducted to exploit vulnerabilities; DoS attacks prevent access to part or all of a computer system. Social engineering is the increasingly prevalent act of obtaining network security information through non-technical means. Spam is the most commonly used term for unsolicited electronic mail, or the action of broadcasting unsolicited advertising messages via e-mail. Spam is usually harmless, but it can be a nuisance, taking up the recipient's time and storage space. Organizations have an extensive choice of technologies, ranging from anti-virus software packages to dedicated network security hardware such as firewalls and intrusion detection systems, to provide protection for all areas of the network. Antivirus software is packaged with most computers and can counter most virus threats if the software is regularly updated and correctly maintained. Security policies are rules that are electronically programmed and stored within security equipment to control access to such areas.

Introduction

The frequency of computer network attacks and the subsequent sensational news reporting have alerted the public to the vulnerability of computer networks and the dangers not only of using them but also of depending on them. In addition, such activities and reports have put society in a state of constant fear, always expecting the next big one and what it would involve, and have forced people to focus on security issues. The greatest fear among professionals, however, is that of a public with a hundred percent total dependency on computers and computer networks becoming desensitized, having reached a level where they are almost immune, where they no longer care about such fears. If this ever happens, we the professionals, and society in general, as creators of these networks, will have failed to ensure their security. Unfortunately, there are already signs that this is beginning to happen. We are steamrolling at full speed into total dependency on computers and computer networks, yet despite the multiplicity of sometimes confusing security solutions and best practices on the market, numerous security experts, and proclaimed good intentions to implement these solutions, there is no one agreed-on approach to the network security problem. In fact, if current computer ownership, use, and dependency on computers and computer networks keep on track, the number of such attacks is likewise going to keep rising, probably at the same rate if not higher. Likewise, the national critical infrastructures will become more intertwined than they are now, making the security of these systems a great priority for national and individual security.

The picture we have painted here of total dependency worries many, especially those in the security community. Without a doubt, security professionals are more worried about computer system security and information security than the average computer user, because they are the people in the trenches on the forefront of the system security battle, just as soldiers in a war might worry more about the prospects of a successful outcome than would the general civilian population. They are worried more because they know that whatever quantity of resources we have as a society, we are not likely to achieve perfect security, because security is a continuous process based on a changing technology. As the technology changes, security parameters, needs, requirements, and standards change. We are playing a catch-up game whose outcome is uncertain and probably unwinnable. There are several reasons for this. First, the overwhelming number of computer network vulnerabilities are software based, resulting from either application or system software. As anyone with a first course in software engineering will tell you, it is impossible to test out all bugs in a software product with billions of possible outcomes based on just a few inputs. So unlike other branches of product engineering, such as car and airplane manufacturing, where one can test all possible outcomes from any given inputs, it is impossible to do this in software. This results in an unknown number of bugs in every software product. Yet the role of software as the engine that drives these networks is indisputable, and the growth of the software industry is only in its infancy.

Computer and network security is a new and fast-moving technology and, as such, is still being defined and most probably will always be still being defined. Security incidents are rising at an alarming rate every year. As the complexity of the threats increases, so do the security measures required to protect networks. Data center operators, network administrators, and other data center professionals need to comprehend the basics of security in order to safely deploy and manage networks today. Securing the modern business network and IT infrastructure demands an end-to-end approach and a firm grasp of vulnerabilities and associated protective measures. While such knowledge cannot prevent all attempts at network incursion or system attack, it can empower network engineers to eliminate certain general problems, greatly reduce potential damages, and quickly detect breaches. With the ever-increasing number and complexity of attacks, vigilant approaches to security in both large and small enterprises are a must. Network security originally focused on algorithmic aspects such as encryption and hashing techniques. While these concepts rarely change, these skills alone are insufficient to protect computer networks. As crackers hacked away at networks and systems, security courses arose that emphasized the latest attacks. There are always faults in management, faulty software, and abuse of resources connected to computer networks. These are the main reasons which cause security problems for a network. Today, the security problem has become one of the main problems for computer network and Internet development. However, there is no simple way to establish a secure computer network. In fact, we cannot find a network in the world which does not have any security holes nowadays.

The infrastructures of cyberspace are vulnerable due to three kinds of failure: complexity, accident, and hostile intent. Hundreds of millions of people now appreciate a cyber-context for terms like viruses, denial of service, privacy, worms, fraud, and crime more generally. Attacks so far have been limited. While in some network attacks the value of losses is in the hundreds of millions, damage so far is seen as tolerable. While preventing attack is largely based on government authority and responsibility, the detailed knowledge needed to prevent an attack on a cyber-system and to prevent damage rests primarily with its owner. Protecting infrastructure systems arguably involves five coupled stages. First, it is necessary to attempt to determine potential attackers. Second, if attacked, the need is to prevent the attack and to prevent damage. Third, since success cannot be guaranteed in either preventing or thwarting an attack, the next stage is to limit the damage as much as possible. Fourth, having sustained some level of damage from an attack, the defender must reconstitute the pre-attack state of affairs. Finally, since changing technology and incentives to attack influence both offence and defense, the final step is for the defender to learn from failure in order to improve performance, just as attackers will learn from their failures. The more specific defenses to be discussed may be usefully partitioned into two forms: passive and active.

Passive defense essentially consists in target hardening. Active defense, in contrast, imposes some risk or penalty on the attacker. Risk or penalty may include identification and exposure, investigation and prosecution, or pre-emptive or counter attacks of various sorts.

FOCUS ON SECURITY

The Network Security program emphasizes how to secure a network. The following background information in security helps in making correct decisions. Some areas are concept-oriented:

Attack Recognition: Recognize common attacks, such as spoofing, man-in-the-middle, (distributed) denial of service, buffer overflow, etc.

Encryption techniques: Understand techniques to ensure confidentiality, authenticity, integrity, and non-repudiation of data transfer. These must be understood at a protocol level and at least partially at a mathematical or algorithmic level, in order to select and implement the algorithm matching the organization's needs.

Network Security Architecture: Configure a network with security appliances and software, such as the placement of firewalls, intrusion detection systems, and log management.

To secure a network, certain skills must also be practiced:

Protocol analysis: Recognize normal from abnormal protocol sequences, using sniffers. Protocols minimally include IP, ARP, ICMP, TCP, UDP, HTTP, and the encryption protocols SSH, SSL, and IPSec.

Access Control Lists (ACLs): Configure and audit routers and firewalls to filter packets accurately and efficiently, by dropping, passing, or protecting (via VPN) packets based upon their IP addresses and/or ports, and state.

Intrusion Detection/Prevention Systems (IDS/IPS): Set and test rules to recognize and report attacks in a timely manner.

Vulnerability Testing: Test all nodes (routers, servers, clients) to determine active applications, via scanning or other vulnerability test tools, and interpret the results.

Application Software Protection: Program and test secure software to avoid backdoor entry via SQL injection, buffer overflow, etc.

Incident Response: Respond to an attack by escalating attention, collecting evidence, and performing computer forensics.

The last three skills incorporate computer systems security, since they are required to counteract Internet hacking.

The TCP/IP Protocol

The attacks which are discussed in this paper all utilize weaknesses in the implementation of the TCP/IP protocols to make the attacked computer or network stop working as intended. To understand the attacks one has to have a basic knowledge of how these protocols are intended to function. TCP/IP is the acronym of Transmission Control Protocol / Internet Protocol and is one of several network protocols developed by the United States Department of Defense (DoD) at the end of the 1970s. The reason why such a protocol was designed was the need to build a network of computers able to connect to other networks of the same kind (routing). This network was named ARPANET (Advanced Research Project Agency Internetwork), and is the predecessor of what we call the Internet these days. TCP/IP is a protocol suite which is used to transfer data through networks. Actually, TCP/IP consists of several protocols. The most important are:

IP, Internet Protocol: This protocol mainly takes care of specifying where to send the data. To do that, each IP packet carries sender and receiver information. The most common DoS attacks at the IP level exploit the IP packet format.

TCP, Transmission Control Protocol: This protocol handles the secure delivery of data to the address specified in the IP protocol. Most of the TCP-level attacks exploit weaknesses present in implementations of the TCP finite state machine. By attacking specific weaknesses in applications and implementations of TCP, it is possible for an attacker to make services or systems crash, refuse service, or otherwise become unstable.

A communication through a network using TCP/IP or UDP/IP will typically use several packets. Each of the packets will have a sending and a receiving address, some data, and some additional control information. In particular, the address information is part of the IP header, while the other control data is in the TCP or UDP part of the packet. ICMP has no separate TCP part; all the necessary information is in the ICMP packet. In addition to the recipient's address, all TCP/IP and UDP/IP communication uses a special port number which it connects to. These port numbers determine the kind of service the sender wants to communicate with on the receiving side.

Denial of Service Attacks

DoS attacks today are part of every Internet user's life. They are happening all the time, and all Internet users, as a community, have some part in creating them, suffering from them, or even losing time and money because of them. DoS attacks do not have anything to do with breaking into computers, taking control over remote hosts on the Internet, or stealing privileged information like credit card numbers. Using the Internet way of speaking, DoS is neither a "hack" nor a "crack". The sole purpose of DoS attacks is to disrupt the services offered by the victim. While the attack is in place and no action has been taken to fix the problem, the victim will not be able to provide its services on the Internet. DoS attacks are really a form of vandalism against Internet services. DoS attacks take advantage of weaknesses in the IP protocol stack in order to disrupt Internet services. DoS attacks can take several forms and can be categorized according to several parameters. In particular, in this study we differentiate denial of service attacks based on where the attack is generated from. Normal DoS attacks are generated by a single host (or a small number of hosts at the same location). The only real way for such DoS attacks to pose a real threat is to exploit some software or design flaw. Such flaws can include, for example, wrong implementations of the IP stack which crash the whole host when receiving a non-standard IP packet. Such an attack would generally have lower volumes of data. Unless some unfixed exploits exist at the victim hosts, a DoS attack should not pose a real threat to high-end services on today's Internet.

Some solutions to Denial of Service Attacks

The way DoS and DDoS attacks are perpetrated, by exploiting limitations of protocols and applications, is one of the main factors why they are continuously evolving, and because of that they present new challenges on how to combat or limit their effects. Even if all of these attacks cannot be completely avoided, some basic rules can be followed to protect the network against some of them, and to limit the extent of the attack:

Make sure the network has a firewall up that aggressively keeps everything out except legal traffic.

Implement router filters. This will lessen the exposure to certain denial-of-service attacks. Additionally, it will aid in preventing users on your network from effectively launching certain denial-of-service attacks.

Install patches to guard against TCP/IP attacks. This will substantially reduce the exposure to these attacks but may not eliminate the risk entirely.

Observe the system performance and establish baselines for ordinary activity. Use the baseline to gauge unusual levels of disk activity, CPU usage, or network traffic.

Firewalls

By far the most common security measure these days is a firewall. A lot of confusion surrounds the concept of a firewall, but it can basically be defined as any perimeter device that permits or denies traffic based on a set of rules configured by the administrator. Thus a firewall may be as simple as a router with access lists, or as complex as a set of modules distributed through the network and controlled from one central location. The firewall protects everything 'behind' it from everything in front of it. Usually the 'front' of the firewall is its Internet-facing side, and the 'behind' is the internal network. The way firewalls are designed to suit different types of networks is called the firewall topology. Personal firewalls are packages that are meant for individual desktops and are fairly easy to use. The first thing they do is make the machine invisible to pings and other network probes. Most of them also let you choose what programs are allowed to access the Internet, so you can allow your browser and mail client, but if you see some suspicious program trying to access the network, you can disallow it. This is a form of 'egress filtering', or outbound traffic filtering, and provides very good protection against Trojan horse programs and worms. However, firewalls are no cure-all solution to network security woes. A firewall is only as good as its rule set, and there are many ways an attacker can find common misconfigurations and errors in the rules. For example, say the firewall blocks all traffic except traffic originating from port 53 (DNS) so that everyone can resolve names; the attacker could then use this rule to his advantage. By changing the source port of his attack or scan to port 53, the firewall will allow all of his traffic through because it assumes it is DNS traffic. Bypassing firewalls is a whole study in itself, and one which is very interesting, especially to those with a passion for networking, as it normally involves misusing the way TCP and IP are supposed to work. That said, firewalls today are becoming very sophisticated, and a well-installed firewall can severely thwart a would-be attacker's plans. It is important to remember that the firewall does not look into the data section of the packet; thus if you have a webserver that is vulnerable to a CGI exploit and the firewall is set to allow traffic to it, there is no way the firewall can stop an attacker from attacking the webserver, because it does not look at the data inside the packet. This would be the job of an intrusion detection system (covered further on).

Partitioning and Protecting Network Boundaries with Firewalls

A firewall is a mechanism by which a controlled barrier is used to control network traffic into and out of an organizational intranet. Firewalls are basically application-specific routers. They run on dedicated embedded systems such as an Internet appliance, or they can be software programs running on a general server platform. In most cases these systems will have two network interfaces, one for the external network such as the Internet and one for the internal intranet side. The firewall process can tightly control what is allowed to traverse from one side to the other. Firewalls can range from being fairly simple to very complex. As with most aspects of security, deciding what type of firewall to use will depend upon factors such as traffic levels, services needing protection, and the complexity of the rules required. The greater the number of services that must be able to traverse the firewall, the more complex the requirement becomes. The difficulty for firewalls is distinguishing between legitimate and illegitimate traffic. What do firewalls protect against, and what protection do they not provide? Firewalls are like a lot of things: if configured correctly they can be a reasonable form of protection from external threats, including some denial of service (DoS) attacks. If not configured correctly they can be major security holes in an organization. The most basic protection a firewall provides is the ability to block network traffic to certain destinations. This includes both IP addresses and particular network service ports. A site that wishes to provide external access to a web server can restrict all traffic to port 80 (the standard HTTP port). Usually this restriction will only be applied to traffic originating from the untrusted side. Traffic from the trusted side is not restricted. All other traffic, such as mail traffic, FTP, SNMP, etc., would not be allowed across the firewall and into the intranet. An example of a simple firewall is shown in Figure 1.
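To make the rule-set discussion concrete, here is an added example in Python; it is not part of this paper and not the code of any firewall product. It decodes the IPv4 and TCP headers of constructed packets, checking every length field so that a malformed packet is rejected rather than trusted, and then applies two rule sets to the same packets: a stateless one that lets anything with source port 53 in so that DNS answers can return, and a stateful one modelled on the Figure 1 topology that admits outside connection requests only to TCP port 80 on the web server and admits replies only for connections the inside opened. The network 10.0.0.0/24, the web server 10.0.0.80 and the outside addresses 203.0.113.9 and 198.51.100.53 are constructed test values.

```python
import ipaddress
import struct
from dataclasses import dataclass

SYN, ACK = 0x02, 0x10
INTERNAL = ipaddress.ip_network("10.0.0.0/24")   # constructed: the trusted side
WEB_SERVER = "10.0.0.80"                         # constructed: the only host reachable from outside


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: int
    payload: bytes


def build_packet(src, dst, sport, dport, flags, payload=b""):
    """Assemble a minimal IPv4+TCP packet (checksums left zero: test input, not a real stack)."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, 0, 0, (5 << 12) | flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return ip + tcp


def parse_ipv4_tcp(raw):
    """Decode only the header fields a packet filter looks at; every length field is checked
    against the bytes actually present, so a truncated or inconsistent packet raises."""
    if len(raw) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, _id, _frag, _ttl, proto, _csum, src, dst = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or ihl > len(raw) or total_len != len(raw):
        raise ValueError("inconsistent IPv4 header lengths")
    if proto != 6:
        raise ValueError("not TCP")
    tcp = raw[ihl:]
    if len(tcp) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    data_off = (off_flags >> 12) * 4
    if data_off < 20 or data_off > len(tcp):
        raise ValueError("bad TCP data offset")
    return Packet(str(ipaddress.IPv4Address(src)), str(ipaddress.IPv4Address(dst)),
                  sport, dport, off_flags & 0x01FF, tcp[data_off:])


def naive_filter(raw):
    """Stateless rules with the mistake described in the text: source port 53 is trusted so DNS
    answers can return, but the source port is chosen by the sender, not by the firewall."""
    p = parse_ipv4_tcp(raw)
    if ipaddress.ip_address(p.src) in INTERNAL:
        return "ALLOW"
    if p.sport == 53:
        return "ALLOW"
    if p.dst == WEB_SERVER and p.dport == 80:
        return "ALLOW"
    return "DROP"


class StatefulFilter:
    """Figure 1 topology with connection tracking: inside may open anything, outside may only
    open TCP/80 to the web server, and replies are admitted only for connections already seen."""

    def __init__(self):
        self.conns = set()   # (src, sport, dst, dport) of legitimately opened connections

    def check(self, raw):
        try:
            p = parse_ipv4_tcp(raw)
        except ValueError as err:
            return "DROP", f"malformed: {err}"
        key = (p.src, p.sport, p.dst, p.dport)
        reverse = (p.dst, p.dport, p.src, p.sport)
        if key in self.conns or reverse in self.conns:
            return "ALLOW", "established"
        if ipaddress.ip_address(p.src) in INTERNAL:
            self.conns.add(key)
            return "ALLOW", "outbound"
        if p.dst == WEB_SERVER and p.dport == 80 and p.flags & SYN and not p.flags & ACK:
            self.conns.add(key)
            return "ALLOW", "new connection to web server"
        return "DROP", "unsolicited inbound"   # p.payload is never inspected by either filter


def demo():
    fw = StatefulFilter()
    probe = build_packet("203.0.113.9", "10.0.0.5", 53, 22, SYN)             # outside, source port 53
    web = build_packet("203.0.113.9", WEB_SERVER, 40000, 80, SYN)            # legitimate web request
    out = build_packet("10.0.0.5", "198.51.100.53", 51000, 53, SYN)          # inside asks a resolver
    reply = build_packet("198.51.100.53", "10.0.0.5", 53, 51000, SYN | ACK)  # the resolver's answer
    bad = build_packet("203.0.113.9", WEB_SERVER, 40000, 80, SYN)[:30]       # cut short on the wire
    return {
        "probe_naive": naive_filter(probe),
        "probe_stateful": fw.check(probe)[0],
        "web_stateful": fw.check(web)[0],
        "reply_stateful_before_request": fw.check(reply)[0],
        "outbound_stateful": fw.check(out)[0],
        "reply_stateful_after_request": fw.check(reply)[0],
        "truncated_stateful": fw.check(bad)[0],
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:32s} {verdict}")
```

The stateless rule admits the port-53 probe to an internal SSH port while the stateful one drops it, and the same stateful filter drops a resolver's reply until the inside has actually sent the query. Neither filter reads the payload, which is exactly why a vulnerable CGI application behind an allowed port 80 is left to an intrusion detection system.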

Figure 1: a simple firewall (image not reproduced)

An even simpler case is a firewall often used by people with home or small business cable or DSL routers. Typically these firewalls are set up to restrict ALL external access and only allow services originating from the inside. A careful reader might realize that in neither of these cases is the firewall actually blocking all traffic from the outside. If that were the case, how could one surf the web and retrieve web pages? What the firewall is doing is restricting connection requests from the outside. In the first case, all connection requests from the inside are passed to the outside, as well as all subsequent data transfer on that connection. From the exterior, only a connection request to the web server is allowed to complete and pass data; all others are blocked. The second case is more stringent, as connections can only be made from the interior to the exterior. More complex firewall rules can utilize what is called stateful inspection techniques. This approach adds to the basic port-blocking approach by looking at traffic behaviors and sequences to detect spoof attacks and denial of service attacks.

Anti-Virus System

Everyone is familiar with the desktop version of anti-virus packages like Norton Antivirus and McAfee. The way these operate is fairly simple: when researchers find a new virus, they figure out some unique characteristic it has (maybe a registry key it creates or a file it replaces) and out of this they write the virus 'signature'. The whole load of signatures that your antivirus scans for is known as the virus 'definitions'. This is the reason why keeping your virus definitions up to date is very important. Many anti-virus packages have an auto-update feature for you to download the latest definitions. The scanning ability of your software is only as good as the date of your definitions. In the enterprise, it is very common for admins to install anti-virus software on all machines, but there is no policy for regular update of the definitions. This is meaningless protection and serves only to provide a false sense of security. With the recent spread of email viruses, anti-virus software at the MTA (Mail Transfer Agent, also known as the 'mail server') is becoming increasingly popular. The mail server will automatically scan any email it receives for viruses and quarantine the infections. The idea is that since all mail passes through the MTA, this is the logical point to scan for viruses. Given that most mail servers have a permanent connection to the Internet, they can regularly download the latest definitions. On the downside, these can be evaded quite simply. If you zip up the infected file or Trojan, or encrypt it, the antivirus system may not be able to scan it. End users must be taught how to respond to anti-virus alerts. This is especially true in the enterprise: an attacker doesn't need to try and bypass your fortress-like firewall if all he has to do is email Trojans to a lot of people in the company. It just takes one uninformed user to open the infected package and he will have a backdoor to the internal network. It is advisable that the IT department give a brief seminar on how to handle email from untrusted sources and how to deal with attachments. These are very common attack vectors simply because you may harden a computer system as much as you like, but the weak point still remains the user who operates it. As crackers say, 'The human is the path of least resistance into the network'.

Tools an Attacker Uses

General Network Tools

As surprising as it might sound, some of the most powerful tools, especially in the beginning stages of an attack, are the regular network tools available with most operating systems. For example, an attacker will usually query the 'whois' databases for information on the target. After that he might use 'nslookup' to see if he can transfer the whole contents of their DNS zone (called a zone transfer, big surprise!). This will let him identify high-profile targets such as webservers, mailservers, DNS servers, etc. He might also be able to figure out what different systems do based on their DNS name; for example, sqlserver.victim.com would most likely be a database server. Other important tools include traceroute to map the network and ping to check which hosts are alive. You should make sure your firewall blocks ping requests and traceroute packets.

Exploits

An exploit is a generic term for the code that actually 'exploits' a vulnerability in a system. The exploit can be a script that causes the target machine to crash in a controlled manner (e.g. a buffer overflow) or it could be a program that takes advantage of a misconfiguration. A 0-day exploit is an exploit that is unknown to the security community as a whole. Since most vulnerabilities are patched within 24 hours, 0-day exploits are the ones for which the vendor has not yet released a patch. Attackers keep large collections of exploits for different systems and different services, so when they attack a network, they find a host running a vulnerable version of some service and then use the relevant exploit.

Port Scanners

Most of you will know what portscanners are. Any system that offers TCP or UDP services will have an open port for that service. For example, if you're serving up webpages, you'll likely have TCP port 80 open; FTP is TCP port 20/21, Telnet is TCP 23, SNMP is UDP port 161, and so on. A portscanner scans a host or a range of hosts to determine what ports are open and what service is running on them. This tells the attacker which systems can be attacked.
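The defender's side of the port scanner, and of the baseline rule given under the DoS solutions, is detection. The following Python script is an added example, not from the paper, that runs two simple checks over constructed firewall log lines: it flags a source that touches many distinct destination ports within a short window, which is the footprint a portscanner leaves in the logs, and it flags any minute whose connection count is far above a baseline learned from quiet minutes, as the text recommends. The log line format, the addresses, the 60-second window, the eight-port threshold and the three-sigma rule are all assumptions made for this example.

```python
import math
import re
from collections import Counter, defaultdict, deque
from datetime import datetime

# Constructed log format (assumed): "<ISO time> <ALLOW|DROP> <src>:<sport> -> <dst>:<dport>"
LINE_RE = re.compile(r"^(\S+) (ALLOW|DROP) (\S+):(\d+) -> (\S+):(\d+)$")


def parse_line(line):
    """Split one log line into (timestamp, action, src, sport, dst, dport)."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparsable line: {line!r}")
    ts, action, src, sport, dst, dport = m.groups()
    return datetime.fromisoformat(ts), action, src, int(sport), dst, int(dport)


def find_port_scans(lines, window_s=60, distinct_ports=8):
    """A single source reaching many distinct (host, port) pairs inside one window is a scan.
    Per-source events are kept in a sliding window so old activity does not accumulate."""
    recent = defaultdict(deque)
    flagged = set()
    for line in lines:
        ts, _, src, _, dst, dport = parse_line(line)
        q = recent[src]
        q.append((ts, dst, dport))
        while (ts - q[0][0]).total_seconds() > window_s:
            q.popleft()
        if len({(d, p) for _, d, p in q}) >= distinct_ports:
            flagged.add(src)
    return flagged


def per_minute_counts(lines):
    """Connections per calendar minute, the quantity the baseline is built from."""
    counts = Counter()
    for line in lines:
        ts = parse_line(line)[0]
        counts[ts.replace(second=0, microsecond=0)] += 1
    return counts


def baseline_stats(counts):
    """Mean and standard deviation of the per-minute counts of ordinary activity."""
    vals = list(counts.values())
    mean = sum(vals) / len(vals)
    var = sum((v - mean) ** 2 for v in vals) / len(vals)
    return mean, math.sqrt(var)


def find_rate_anomalies(baseline_lines, observed_lines, sigma=3.0):
    """Minutes whose count exceeds mean + sigma*std of the baseline (and at least double the
    mean, so a very flat baseline does not produce alerts on tiny fluctuations)."""
    mean, std = baseline_stats(per_minute_counts(baseline_lines))
    limit = max(mean + sigma * std, 2 * mean)
    return [m.isoformat() for m, n in sorted(per_minute_counts(observed_lines).items()) if n > limit]


def make_sample_logs():
    """Constructed logs: ten quiet minutes for the baseline, then three observed minutes holding
    a connection flood against the web server and a port sweep from one outside host."""
    base = []
    for minute in range(10):
        for i in range(4 + minute % 3):                         # 4, 5 or 6 hits per minute
            base.append(f"2024-05-01T09:{minute:02d}:{i * 7:02d} ALLOW 198.51.100.{10 + i}:{40000 + i} -> 10.0.0.80:80")
    observed = [f"2024-05-01T10:00:{i * 9:02d} ALLOW 198.51.100.{20 + i}:{41000 + i} -> 10.0.0.80:80" for i in range(5)]
    observed += [f"2024-05-01T10:01:{i % 60:02d} ALLOW 192.0.2.{i}:{42000 + i} -> 10.0.0.80:80" for i in range(40)]
    observed.append("2024-05-01T10:02:00 ALLOW 198.51.100.30:43000 -> 10.0.0.80:80")
    for i, port in enumerate([21, 22, 23, 25, 110, 143, 3306, 8080]):
        observed.append(f"2024-05-01T10:02:{5 + i * 3:02d} DROP 203.0.113.9:{44000 + i} -> 10.0.0.5:{port}")
    return base, observed


if __name__ == "__main__":
    base, observed = make_sample_logs()
    print("scanning sources:", find_port_scans(observed))
    print("anomalous minutes:", find_rate_anomalies(base, observed))
```

Run stand-alone it reports 203.0.113.9 as the scanning source and 10:01 as the flooded minute; the eight dropped probes at 10:02 do not push that minute over the limit, which shows why the two checks are kept separate rather than relying on volume alone.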

For example, if I scan a webserver and find that port 80 is running an old webserver, IIS/4.0, I can target this system with my collection of exploits for IIS 4. Usually the port scanning will be conducted at the start of the attack, to determine which hosts are interesting. This is when the attacker is still footprinting the network, feeling his way around to get an idea of what type of services are offered, what operating systems are in use, etc. One of the best portscanners around is Nmap (http://www.insecure.org/nmap). Nmap runs on just about every operating system, is very versatile in how it lets you scan a system, and has many features including OS fingerprinting, service version scanning, and stealth scanning. Another popular scanner is Superscan (http://www.foundstone.com), which is only for the Windows platform.

Network Sniffers

A network sniffer puts the computer's NIC (network interface card or LAN card) into 'promiscuous mode'. In this mode, the NIC picks up all the traffic on its subnet regardless of whether it was meant for it or not. Attackers set up sniffers so that they can capture all the network traffic and pull out logins and passwords. The most popular network sniffer is tcpdump, as it can be run from the command line, which is usually the level of access a remote attacker will get. Other popular sniffers are Iris and Ethereal. When the target network is a switched environment (a network which uses layer 2 switches), a conventional network sniffer will not be of any use. For such cases, the switched-network sniffers Ettercap (http://ettercap.sourceforge.net) and Wireshark (http://www.wireshark.org) are very popular. Such programs are usually run with other hacking-capable applications that allow the attacker to collect passwords, hijack sessions, modify ongoing connections, and kill connections. Such programs can even sniff secured communications like SSL (used for secure webpages) and SSH1 (Secure Shell, a remote access service like telnet, but encrypted).

Vulnerability Scanners

A vulnerability scanner is like a portscanner on steroids: once it has identified which services are running, it checks the system against a large database of known vulnerabilities and then prepares a report on what security holes are found. The software can be updated to scan for the latest security holes. Unfortunately, these tools are very simple to use, so many script kiddies simply point them at a target machine to find out what they can attack. The most popular ones are Retina (http://www.eeye.com), Nessus (http://www.nessus.org) and GFI LanScan (http://www.gfi.com). These are very useful tools for admins as well, as they can scan their whole network and get a detailed summary of what holes exist.

Password Crackers

Once an attacker has gained some level of access, he/she usually goes after the password file on the relevant machine. In UNIX-like systems this is the /etc/passwd or /etc/shadow file, and in Windows it is the SAM database. Once he gets hold of this file, it's usually game over: he runs it through a password cracker that will usually guarantee him further access. Running a password cracker against your own password files can be a scary and enlightening experience. L0phtcrack cracked my old password fR7x!5kK after being left on for just one night! There are essentially two methods of password cracking:

Dictionary Mode - In this mode, the attacker feeds the cracker a word list of common passwords such as 'abc123' or 'password'. The cracker will try each of these passwords and note where it gets a match. This mode is useful when the attacker knows something about the target. Say I know that the passwords for the servers in your business are the names of Greek gods (yes Chris, that's a shout-out to you ;)); I can find a dictionary list of Greek god names and run it through the password cracker. Most attackers have a large collection of wordlists. For example, when I do penetration testing work, I usually use common password lists, Indian name lists and a couple of customized lists based on what I know about the company (usually data I pick up from their company website). Many people think that adding a couple of numbers at the start or end of a password (for example 'superman99') makes the password very difficult to crack. This is a myth, as most password crackers have the option of adding numbers to the end of words from the wordlist. While it may take the attacker 30 minutes more to crack your password, it does not make it much more secure.

Brute Force Mode - In this mode, the password cracker tries every possible combination: aaaaa, aaaab, aaaac, aaaad and so on. This method will crack every possible password; it is just a matter of how long it takes, and the power of modern computers makes the results surprisingly quick. A 5-6 character alphanumeric password is crackable within a few hours or at most a few days, depending on the speed of the software and the machine. Powerful crackers include L0phtcrack for Windows passwords and John the Ripper for UNIX-style passwords. For each category I have listed one or two tools as an example. At the end of this article I will present a more detailed list of tools with descriptions and possible uses.

Password Attacks

Password-guessing attacks are one of the most popular aspects of penetration testing. Passwords come from a lot of places: you can guess them, you can find them lying around in files, and in some cases you can obtain them from the operating system. Passwords obtained from the operating system are sometimes in the clear or reversibly encrypted, and sometimes they are stored as a hash, often known as a password verifier. A hashing function is designed to take an input and convert it to an output in a non-reversible manner, so you will sometimes see password verifiers referred to as an OWF (one-way function).
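The two cracking modes just described, as an added example (this is not code from the original article or from any of the tools it names): dictionary mode with the usual mangling rules (case changes, leet substitutions and appended digits, which is why 'superman99' buys so little), then brute force over a lowercase key space for whatever the wordlist did not cover. The password file, salts and wordlist are constructed for the example, and salted SHA-256 stands in for the real /etc/shadow or SAM hash formats.

```python
import hashlib
import itertools
import string


def make_hash(salt: str, password: str) -> str:
    """Salted SHA-256, a stand-in for the real crypt()/NTLM formats."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


# Constructed "password file": user -> (salt, hash). The plaintexts only
# appear here to build the file; the cracker never sees them.
SAMPLE_USERS = {
    "chris": ("x9", make_hash("x9", "zeus")),        # a Greek god, straight from a themed wordlist
    "alice": ("k2", make_hash("k2", "superman99")),  # dictionary word plus two digits
    "bob":   ("m4", make_hash("m4", "p4ssw0rd")),    # 'password' with leet substitutions
    "dave":  ("q7", make_hash("q7", "qzk")),         # short and random: only brute force finds it
}

WORDLIST = ["password", "abc123", "letmein", "apollo", "zeus", "superman"]
LEET = {"a": "4", "e": "3", "i": "1", "l": "1", "o": "0"}


def mangle(word: str):
    """Yield the variants a cracker's rule engine tries for one dictionary word."""
    yield word
    yield word.capitalize()
    yield word.upper()
    leet = "".join(LEET.get(c, c) for c in word)
    if leet != word:
        yield leet
    for n in range(100):            # 'superman0' .. 'superman99': only 100x more work
        yield f"{word}{n}"


def dictionary_attack(users: dict, wordlist: list) -> dict:
    """Dictionary mode: hash every mangled wordlist entry under each user's salt."""
    cracked = {}
    for user, (salt, target) in users.items():
        for word in wordlist:
            hit = next((c for c in mangle(word) if make_hash(salt, c) == target), None)
            if hit is not None:
                cracked[user] = hit
                break
    return cracked


def brute_force(users: dict, alphabet: str = string.ascii_lowercase, max_len: int = 4):
    """Brute force mode: every string over `alphabet` up to `max_len`.
    Returns (cracked, guesses made). The candidate count grows as
    (key space)^length, so this only pays off for short passwords."""
    remaining = dict(users)
    cracked, tried = {}, 0
    for length in range(1, max_len + 1):
        for combo in itertools.product(alphabet, repeat=length):
            candidate = "".join(combo)
            tried += 1
            for user, (salt, target) in list(remaining.items()):
                if make_hash(salt, candidate) == target:
                    cracked[user] = candidate
                    del remaining[user]
            if not remaining:
                return cracked, tried
    return cracked, tried


def crack(users: dict, wordlist: list):
    """Dictionary mode first (cheap), brute force only for the leftovers."""
    found = dictionary_attack(users, wordlist)
    leftovers = {u: v for u, v in users.items() if u not in found}
    by_force, tried = brute_force(leftovers)
    found.update(by_force)
    return found, tried


if __name__ == "__main__":
    found, tried = crack(SAMPLE_USERS, WORDLIST)
    for user, pw in found.items():
        print(f"{user}: {pw}")
    print(f"brute force guesses: {tried}")
```

Three of the four sample hashes fall to the wordlist in well under a second; only the 3-character random one needs brute force, and even that costs just over twelve thousand guesses. Real crackers use the same two-stage approach, with far larger wordlists and far more elaborate rules.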

Password hashes are typically attacked (or cracked) using a combination of dictionary attacks and brute-force methods. With a dictionary attack, the attacker obtains a large list of words and feeds the list and the password hashes to the cracking tool. A brute force attack in its simplest form iterates through all possible passwords using a specified character set; for example, aaa would be followed by aab, aac, and so on. Although password attacks seem simple, there can be more to them than is obvious at first.

Where to Find Passwords

Passwords are found in many places. Most likely they will be associated with user accounts, either locally or collected into a domain. Passwords can also frequently be found in places like the following:

- In batch files and scripts
- On web pages
- In helpful applications and operating systems that offer to save passwords for you
- In service accounts, and in DCOM objects configured to run as a particular user
- Under users' keyboards and on sticky notes on the monitor
- In Microsoft Excel spreadsheets hidden on a share
- In text files, such as AdminPasswords.txt, hidden deep inside a server the user hopes you will never get into
- On the network, especially where services accepting clear-text passwords run
- In files left behind during software installation
- In Simple Network Management Protocol (SNMP) community strings
- Associated with password-protected files

All the locations in the preceding list were used during actual penetration tests. One penetration tester who worked for a major auditing firm had a batch file that he ran on systems to collect all the file types he knew about that might contain passwords. It is a useful approach. Remember that automated tools do not do a very good job of finding passwords hidden in odd places, so this batch file technique will often get you into systems even where routine network scans occur.

Brute Force Attacks

A brute force attack typically consists of two different approaches: the first is a dictionary attack, and the second is to simply try all possible passwords within a key space. These two approaches can be combined, either by appending all possible characters to a dictionary word or by making common substitutions, such as 1 for l, or 4 for a. Brute force attacks can be launched against both online systems and password hashes that you have obtained. Performing these attacks seems simple, but there are some twists you need to take into account. Let's also get an idea of the scale of the problem. In general, the number of possible passwords is given by:

Number of Passwords = (key space)^length

Number of Possible Passwords for Common Scenarios

Key space                                     Possible characters   Length   Number of passwords
Case-insensitive alpha characters (a-z)       26                    7        8.03E+09
Case-sensitive alpha characters (a-z, A-Z)    52                    7        1.03E+12
Alphanumeric characters                       62                    7        3.52E+12
US English keyboard characters                94                    7        6.48E+13
Case-insensitive alpha characters (a-z)       26                    15       1.68E+21

Online Password Testing

Online password testing is the process of attempting to find passwords by attempting a logon. Any service that allows you to authenticate can be used. Online password testing (sometimes called password grinding) is much slower than offline testing; a typical attempt rate might be on the order of 50 passwords a minute. As you might imagine, a true brute force attack takes a lot longer under these conditions, and trying millions of passwords simply is not an option. A better approach is a dictionary attack. The following password types will get you into many networks:

- Blank. Using no password is much too common an occurrence.
- "password" as the password. This is the most common non-blank password, even in non-English speaking countries.
- Password same as the machine name. Try lowercase, uppercase and mixed-case variations.

There are a number of issues to be concerned about with online password testing: locking out accounts, placing load on the system, and being detected. Account lockouts, especially permanent lockouts, can create a serious denial of service (DoS) condition. Most operating systems and network devices can be configured to lock out accounts based on a certain number of failed passwords, the length of time between failures, and the length of the lockout. You can use certain strategies to determine whether lockouts are in place, but first, experiment. Before you crank up a tool that will grind away at the passwords for an entire domain, try your strategy on one user and see what happens. In some cases you will be able to determine that you are being locked out. Windows systems will tell you the lockout policy if you have user-level access. If you are faced with lockouts, one strategy is to try a single password for all the users, then start the user list over again with the next password. A very large user database might by itself keep you from trying any one account often enough to cause lockouts. If you are checking a small user database, all you can do is try fewer passwords than will trigger a lockout, wait, and then try some more.

Typically, you will not find many passwords using brute force attacks. On most networks, you can get into plenty of systems using the very weak passwords listed earlier. One exception is when you find a password by other means and want to discover where else it is used. For example, if you find one system for which the administrator password is Passw0rd!, you should check other systems for use of the same password. Checking other systems on the network for a discovered password is frequently a productive approach.

Offline Password Testing

Offline password testing is sometimes known as cracking passwords and is named after crack, a tool created by Alec Muffett to test passwords from UNIX system password files. There are a number of these tools, so a feature comparison is not feasible here.

Threats to Web Services

Threats to Web services differ from service to service, but here are some common threats that you should look for in your penetration tests (assuming your organization provides a Web service):

- Unauthorized Access
- Network Sniffing
- Tampering
- Information Disclosure
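Before the Web service threats are taken one by one, here is the lockout-aware online testing strategy from the password section above, as an added example that is not code from the original article: a simulated logon service with a "lock after N failures in a window" policy, the naive per-user grind that trips it, and the spray that tries one password across all users and waits out the window so no account ever reaches the threshold. The accounts, machine name, candidate list and the 50-attempts-per-minute rate are constructed from the text; time is a plain counter so the simulation runs instantly.

```python
from collections import defaultdict


class LogonService:
    """Constructed stand-in for a domain controller or any service that accepts logons
    and enforces an account lockout policy: lock an account after `threshold` failed
    attempts inside `window` seconds, for `duration` seconds."""

    def __init__(self, accounts, threshold=5, window=600, duration=900):
        self.accounts = dict(accounts)
        self.threshold, self.window, self.duration = threshold, window, duration
        self.failures = defaultdict(list)   # user -> timestamps of recent failures
        self.locked_until = {}
        self.lockouts = 0                   # the DoS side effect a tester must avoid

    def logon(self, user, password, now):
        if self.locked_until.get(user, -1) > now:
            return "locked"
        if user in self.accounts and self.accounts[user] == password:
            return "ok"
        recent = [t for t in self.failures[user] if now - t < self.window] + [now]
        if len(recent) >= self.threshold:
            self.locked_until[user] = now + self.duration
            self.failures[user] = []
            self.lockouts += 1
            return "locked"
        self.failures[user] = recent
        return "bad"


# Accounts on a machine named srv01; passwords constructed for the example.
ACCOUNTS = {"alice": "password", "bob": "Passw0rd!", "carol": "srv01", "dave": "Zeus2024"}
# The weak candidates from the text: blank, 'password', machine name in case variants.
CANDIDATES = ["", "password", "srv01", "SRV01", "Srv01", "Password", "Passw0rd!"]
RATE_PER_MIN = 50                           # the grinding rate quoted above


def grind_per_user(svc, users, candidates):
    """Naive: exhaust the list for one user before moving on. Locks accounts out."""
    found, now, step = {}, 0.0, 60.0 / RATE_PER_MIN
    for user in users:
        for pw in candidates:
            if svc.logon(user, pw, now) == "ok":
                found[user] = pw
                break
            now += step
    return found


def spray(svc, users, candidates):
    """One password against every user, then the next password. After threshold-1
    passwords, wait out the observation window so no account reaches the threshold."""
    found, now, step = {}, 0.0, 60.0 / RATE_PER_MIN
    for i, pw in enumerate(candidates, start=1):
        for user in users:
            if user in found:
                continue
            if svc.logon(user, pw, now) == "ok":
                found[user] = pw
            now += step
        if i % (svc.threshold - 1) == 0:
            now += svc.window
    return found


def compare():
    """Run both strategies against identical services; returns (passwords found, lockouts)."""
    users = list(ACCOUNTS)
    naive, careful = LogonService(ACCOUNTS), LogonService(ACCOUNTS)
    return {
        "grind": (grind_per_user(naive, users, CANDIDATES), naive.lockouts),
        "spray": (spray(careful, users, CANDIDATES), careful.lockouts),
    }


if __name__ == "__main__":
    for name, (found, lockouts) in compare().items():
        print(f"{name}: found {found}, accounts locked out: {lockouts}")
```

With the same seven candidates, the per-user grind locks out two accounts and never reaches bob's password because his account is already locked when the right guess comes up; the spray finds one more password and locks nobody out. The wait after every threshold-1 passwords is what a real engagement has to budget time for.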

Unauthorized Access

Unless your organization provides free public Web services, special care should be taken to ensure that only authorized users are accessing these services. This is even more important when your Web services handle sensitive information such as credit card numbers and social security numbers. When you are testing your organization's Web service for unauthorized access threats, look for credentials being passed as clear text in SOAP messages, use of weak authentication schemes, or worse yet, no authentication at all.

Countermeasures: Your organization should be protecting its Web services from unauthorized use with mechanisms such as password digests, Kerberos tickets, or X.509 certificates in SOAP authentication headers.

Network Sniffing

Network sniffing refers to an attacker eavesdropping on communications between hosts. Your organization's Web service could be transmitting sensitive data, so the communications of these services are prime targets for attackers. Attackers might also try, at a later time, to replay the communications they have captured. During your penetration tests, look for weaknesses such as transmitting credentials as clear text in SOAP messages, failing to use transport security, and not authenticating messages.

Countermeasures: In addition to transport security, the message-level protections provided by the Web Services Enhancements (WSE) for the .NET Framework are a countermeasure to sniffing and replay.
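The password digest countermeasure above, and the replay concern from the sniffing section, as an added example that is not code from the original article or from WSE: a WS-Security UsernameToken whose Password element carries Base64(SHA-1(nonce + created + password)) as the OASIS UsernameToken profile specifies, and a receiver that rejects clear-text PasswordText tokens, stale Created timestamps, bad digests and reused nonces. The user name, password and GetBalance body are constructed; the namespace and Type URIs are the published WS-Security 2004 ones.

```python
import base64
import hashlib
import hmac
import os
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
PROFILE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0"
DIGEST_TYPE, TEXT_TYPE = PROFILE + "#PasswordDigest", PROFILE + "#PasswordText"
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def timestamp(offset_seconds=0):
    return (datetime.now(timezone.utc) + timedelta(seconds=offset_seconds)).strftime(TIME_FMT)


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """UsernameToken profile: Base64(SHA-1(nonce + created + password)). SHA-1 is what
    the profile specifies; the nonce and timestamp are what make each digest single-use."""
    return base64.b64encode(hashlib.sha1(nonce + created.encode() + password.encode()).digest()).decode()


def build_envelope(user, password, clear_text=False, created=None, nonce=None):
    """Client side. clear_text=True produces the PasswordText token a tester should flag."""
    nonce = os.urandom(16) if nonce is None else nonce
    created = created or timestamp()
    pw = password if clear_text else password_digest(nonce, created, password)
    ptype = TEXT_TYPE if clear_text else DIGEST_TYPE
    return (f'<soap:Envelope xmlns:soap="{SOAP}" xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}">'
            f'<soap:Header><wsse:Security><wsse:UsernameToken>'
            f'<wsse:Username>{user}</wsse:Username>'
            f'<wsse:Password Type="{ptype}">{pw}</wsse:Password>'
            f'<wsse:Nonce>{base64.b64encode(nonce).decode()}</wsse:Nonce>'
            f'<wsu:Created>{created}</wsu:Created>'
            f'</wsse:UsernameToken></wsse:Security></soap:Header>'
            f'<soap:Body><GetBalance xmlns="urn:example:bank"><Account>1001</Account></GetBalance></soap:Body>'
            f'</soap:Envelope>')


class TokenVerifier:
    """Server side. The digest scheme needs the password (or an equivalent) available to
    the server, which is its main weakness; pair it with transport security."""

    def __init__(self, passwords, max_skew=timedelta(minutes=5)):
        self.passwords = passwords
        self.max_skew = max_skew
        self.seen_nonces = set()        # production: a shared store with expiry

    def verify(self, envelope_xml, now=None):
        now = now or datetime.now(timezone.utc)
        token = ET.fromstring(envelope_xml).find(f".//{{{WSSE}}}UsernameToken")
        if token is None:
            return "reject: no UsernameToken"
        pw_el = token.find(f"{{{WSSE}}}Password")
        if pw_el is None or pw_el.get("Type") != DIGEST_TYPE:
            return "reject: clear-text or missing password"
        user = token.findtext(f"{{{WSSE}}}Username", "")
        created = token.findtext(f"{{{WSU}}}Created", "")
        nonce = base64.b64decode(token.findtext(f"{{{WSSE}}}Nonce", ""))
        try:
            created_at = datetime.strptime(created, TIME_FMT).replace(tzinfo=timezone.utc)
        except ValueError:
            return "reject: bad Created"
        if abs(now - created_at) > self.max_skew:
            return "reject: stale Created"
        if nonce in self.seen_nonces:
            return "reject: replayed nonce"
        # Unknown users get a random password so the digest check takes the same path
        # and reveals nothing about which names exist.
        password = self.passwords.get(user)
        expected = password_digest(nonce, created, password if password is not None else os.urandom(16).hex())
        if password is None or not hmac.compare_digest(expected, pw_el.text or ""):
            return "reject: bad digest"
        self.seen_nonces.add(nonce)
        return "ok"
```

A sniffed digest token is useless to the attacker twice over: replaying it verbatim fails on the nonce, and re-timestamping it fails on the digest, since the timestamp is part of the hashed input. A sniffed PasswordText token, by contrast, hands over the password itself, which is exactly what the penetration test should be looking for.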

Tampering

Even though messages are routed between your organization's Web services and clients, attackers might try to tamper with the data in those messages, for example through man-in-the-middle (MITM) attacks. Look for Web service communications that are not protected by transport security or by some authentication scheme.

Countermeasures: Digitally signing messages gives recipients confirmation that communications have not been modified. Communicating over secure transports also greatly helps in mitigating tampering threats.

Information Disclosure

Your organization's Web service might expose extraneous information in error messages that could aid an attacker in later attacks. Look for detailed exception traces caused by improperly handled exceptions. Also look for configuration data about your organization's Web service, such as Web Services Description Language (WSDL) files (static or dynamically generated), that might be exposed to unauthorized users.

Countermeasures: Perform a code and design review of your organization's Web service to ensure that all exceptions are caught, especially those that inherit from System.Web.Services.Protocols.SoapException. Protect WSDL files with access control lists (ACLs), and disable the documentation protocols that dynamically generate this data if they are not required.

Intrusion Detection System

An intrusion detection system (IDS) monitors network traffic for suspicious activity and alerts the system or network administrator. In some cases the IDS may also respond to anomalous or malicious traffic by taking action such as blocking the user or source IP address from accessing the network. IDS come in a variety of flavors and approach the goal of detecting suspicious traffic in different ways. There are network based (NIDS) and host based (HIDS) intrusion detection systems. There are IDS that detect by looking for specific signatures of known threats, similar to the way antivirus software typically detects and protects against malware, and there are IDS that detect by comparing traffic patterns against a baseline and looking for anomalies. There are IDS that simply monitor and alert, and there are IDS that perform an action or actions in response to a detected threat. We will cover each of these briefly. IDSs have become the 'next big thing' the way firewalls were some time ago. There are basically two types of intrusion detection systems:

- Host based IDS
- Network based IDS

Host based IDS - These are installed on a particular important machine (usually a server or some other important target) and are tasked with making sure that the system state matches a set baseline. For example, the popular file-integrity checker Tripwire is run on the target machine just after it has been installed. It creates a database of file signatures for the system and regularly checks the current system files against their known 'safe' signatures. If a file has been changed, the administrator is alerted. This works very well, as many attackers will replace a common system file with a trojaned version to give themselves backdoor access.

Network based IDS - These are more popular and quite easy to install. Basically they consist of a normal network sniffer running in promiscuous mode (in this mode the network card picks up all traffic, even if it is not meant for it). The sniffer is attached to a database of known attack signatures and the IDS analyses each packet that it picks up to check for known attacks. For example, a common web attack might contain the string '/system32/cmd.exe?' in the URL. The IDS will have a match for this in its database and will alert the administrator. Newer IDS support active prevention of attacks: instead of just alerting an administrator, the IDS can dynamically update the firewall rules to disallow traffic from the attacking IP address for some amount of time, or it can use 'session sniping' (forged resets sent to both sides of the connection so that each closes it) so that the attack cannot be completed. Unfortunately IDS generate a lot of false positives (a false positive is a false alarm, where the IDS sees legitimate traffic and for some reason matches it against an attack pattern). This tempts a lot of administrators into turning them off or, even worse, not bothering to read the logs, and may result in an actual attack being missed.
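The Tripwire-style check described under host based IDS, as an added example that is not code from the original article or from Tripwire: a baseline of digest, size and permission bits for every file under a directory, and a comparison that reports what was modified, added or removed. The directory contents and the "trojaned ls" scenario are constructed inside a temporary directory; the baseline is serialized to JSON because in real use it must be stored somewhere the attacker cannot edit it.

```python
import hashlib
import json
import os
import tempfile


def file_digest(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Record digest, size and permission bits for every regular file under `root`."""
    baseline = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue                       # a link's content is its target; skip here
            st = os.stat(path)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            baseline[rel] = {"sha256": file_digest(path), "size": st.st_size,
                             "mode": st.st_mode & 0o7777}
    return baseline


def check(root, baseline):
    """Compare the live tree against a saved baseline; returns what the admin is alerted on."""
    current = build_baseline(root)
    report = {"modified": [], "removed": [],
              "added": sorted(set(current) - set(baseline))}
    for rel, meta in sorted(baseline.items()):
        if rel not in current:
            report["removed"].append(rel)
        elif current[rel] != meta:
            report["modified"].append(rel)
    return report


def demo():
    """Constructed scenario: baseline a fresh bin directory, then replace one binary
    with a same-sized trojaned copy and drop a new file next to it."""
    with tempfile.TemporaryDirectory() as root:
        bindir = os.path.join(root, "bin")
        os.makedirs(bindir)
        for name in ("ls", "ps"):
            with open(os.path.join(bindir, name), "wb") as f:
                f.write(f"original {name} binary\n".encode())
        baseline_json = json.dumps(build_baseline(root))   # keep this copy off the host
        with open(os.path.join(bindir, "ls"), "wb") as f:
            f.write(b"trojaned ls binary\n")                 # same length as the original
        with open(os.path.join(bindir, "rootkit.ko"), "wb") as f:
            f.write(b"\x7fELF")
        return check(root, json.loads(baseline_json))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The trojaned copy is deliberately the same size as the original, so only the digest catches it; a checker that trusted size and timestamps alone would miss exactly the replacement the text warns about. Run the baseline immediately after installation and store it, and the checker itself, off the monitored host.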

NIDS

Network intrusion detection systems are placed at a strategic point or points within the network to monitor traffic to and from all devices on the network. Ideally you would inspect all inbound and outbound traffic, but doing so might create a bottleneck that would impair the overall speed of the network.

HIDS

Host intrusion detection systems run on individual hosts or devices on the network. A HIDS monitors the inbound and outbound packets from that device only and will alert the user or administrator if suspicious activity is detected.

Signature Based

A signature based IDS monitors packets on the network and compares them against a database of signatures or attributes of known malicious threats. This is similar to the way most antivirus software detects malware. The issue is that there will be a lag between a new threat being discovered in the wild and the signature for detecting that threat being applied to your IDS. During that lag time your IDS is unable to detect the new threat.

Anomaly Based

An anomaly based IDS monitors network traffic and compares it against an established baseline. The baseline identifies what is normal for that network (what sort of bandwidth is generally used, what protocols are used, what ports and devices generally connect to each other) and the IDS alerts the administrator or user when traffic is detected which is anomalous, or significantly different from the baseline.

Intrusion Prevention Systems Prevent Network Intrusion

The criminal act of breaking into computer networks, one definition of hacking, poses a major threat to everyone connected to the Internet. It threatens infiltration, loss of proprietary data, fraud, destruction and operational paralysis. The more prominent the organization, the greater its risk of being hacked and the bigger the challenge (and thus the payoff) for an illegal hacker. As hackers develop ever more sophisticated tools to realize their unlawful aims, businesses must take every precaution to prevent successful attacks. Firewalls alone have become insufficient as attacks move to the application level. Anti-virus programs are also not enough, as they offer only reactive measures. Organizations must deploy a comprehensive network intrusion prevention system to constantly map and monitor activities to prevent hackers from slipping anything past their network's defenses. The threats to address include:

Vulnerability-based threats such as:
- Worms and botnets
- Trojan horses and the creation of backdoors
- Vendor-specific exploitable vulnerabilities in products, e.g. Microsoft, Oracle
- Exploitation of vulnerabilities in applications such as web, mail, VoIP, DNS, SQL
- Spyware, phishing, anonymizers

Non-vulnerability-based threats that misuse application and server resources such as:
- Server brute force attacks; misuse of server authentication/authorization schemes
- Web application vulnerability scanning
- SIP application scanning
- SIP application flooding

Strengthen Your Defenses

Intrusion prevention systems (IPSs) are an integral part of a defense-in-depth approach, since few other devices exercise access control at the application layer to protect computers from exploitation. IPSs were invented to resolve the ambiguities of passive network monitoring by placing the detection system in-line. Regarded by some as an extension of intrusion detection system (IDS) technology, IPS technology is actually another form of access control, like an application-layer firewall. IPSs are a considerable improvement upon traditional firewall technologies because they make access control decisions based on application content, rather than on IP addresses or ports as traditional firewalls do.
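The signature based and anomaly based detection described above, and the in-line IPS reaction of blocking the attacking source for a while, as an added example that is not code from the original article or from any IDS product: one sensor class that matches request lines against a small signature list (including the '/system32/cmd.exe?' string quoted earlier), counts requests per source against a baseline, and in prevention mode drops traffic from a matching source for a configurable period. The traffic, the signatures, the baseline and the knowledge-base request that triggers a false positive are all constructed for the example.

```python
import re
from collections import defaultdict, deque

# Signatures of the kind described above; the first is the classic IIS traversal probe.
SIGNATURES = [
    ("IIS cmd.exe traversal", re.compile(r"/system32/cmd\.exe\?", re.IGNORECASE)),
    ("SQL injection probe", re.compile(r"(%27|')\s*(or|union)\s", re.IGNORECASE)),
]


class InlineSensor:
    """Signature and anomaly detection on one request stream. With prevent=True it acts
    as an in-line IPS: a matching source is dropped for `block_seconds`, the equivalent
    of a temporary firewall rule. With prevent=False it is a passive NIDS that only alerts."""

    def __init__(self, baseline_per_window, window=10.0, factor=5, block_seconds=300, prevent=True):
        self.limit = factor * baseline_per_window   # requests per window that count as anomalous
        self.window, self.block_seconds, self.prevent = window, block_seconds, prevent
        self.recent = defaultdict(deque)            # src -> timestamps inside the window
        self.blocked_until = {}
        self.alerts = []

    def _raise(self, ts, src, kind, detail):
        self.alerts.append({"ts": ts, "src": src, "kind": kind, "detail": detail})
        if self.prevent:
            self.blocked_until[src] = ts + self.block_seconds
            return "drop"
        return "pass"

    def inspect(self, ts, src, request):
        if self.blocked_until.get(src, -1.0) > ts:
            return "drop"
        for name, pattern in SIGNATURES:
            if pattern.search(request):
                return self._raise(ts, src, "signature", name)
        q = self.recent[src]
        q.append(ts)
        while q and ts - q[0] > self.window:
            q.popleft()
        if len(q) > self.limit:
            return self._raise(ts, src, "anomaly", f"{len(q)} requests in {self.window:.0f}s")
        return "pass"


# Constructed traffic: (seconds, source, request line).
TRAFFIC = [
    (0.0, "10.0.0.5", "GET /index.html HTTP/1.1"),
    (1.0, "203.0.113.9", "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0"),
    (2.0, "203.0.113.9", "GET /index.html HTTP/1.1"),          # harmless, but the source is now blocked
    (3.0, "10.0.0.7", "GET /kb/search?q=/system32/cmd.exe?+missing HTTP/1.1"),  # false positive
] + [(5.0 + i * 0.1, "198.51.100.4", f"GET /login?user=u{i} HTTP/1.1") for i in range(60)]


def run(sensor, traffic):
    """Feed the traffic through one sensor; returns (per-request decisions, alerts raised)."""
    decisions = [sensor.inspect(ts, src, req) for ts, src, req in traffic]
    return decisions, sensor.alerts


if __name__ == "__main__":
    decisions, alerts = run(InlineSensor(baseline_per_window=10), TRAFFIC)
    print(f"{decisions.count('drop')} of {len(decisions)} requests dropped")
    for a in alerts:
        print(f"t={a['ts']:.1f} {a['src']} {a['kind']}: {a['detail']}")
```

In prevention mode the traversal probe, the same source's later harmless request, the knowledge-base search that merely mentions cmd.exe, and the tail of the login flood are all dropped: 13 of 64 requests, three alerts. The false positive on 10.0.0.7 is the cost the text warns about, and in an in-line deployment it is an outage for that user rather than just a log line, which is why signatures need tuning before prevention is switched on. In passive mode nothing is dropped and the flood keeps raising an anomaly alert on every request past the limit.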

The advanced intrusion detection and prevention capabilities offered by DefensePro (IPS, NBA, DoS and Reputation Service) provide maximum protection for network elements, hosts and applications. They comprise different application-level protection features to prevent intrusion attempts such as worms, Trojan horses and single-bullet attacks, facilitating complete and high-speed cleansing of malicious intrusions. Features include:

- Vulnerability-based signature protection powered by Radware's Security Update Service
- Zero-day worm propagation prevention
- Anti-scanning protection
- Security reports

Methods of attack will continue to evolve, increasing in complexity and becoming at once more dangerous and more difficult to detect. To effectively protect their network and its users, network intrusion prevention systems need to be one step ahead of any threat. Based on adaptive behavioral-based and signature-based technologies, Radware's Intrusion Prevention System and network security solutions provide organizations with integrated network intrusion prevention and Denial of Service (DoS) protection. These defend against both network- and application-level attacks, delivering a holistic approach to application- and network-level threats while enhancing the overall performance of security across the organization.

What is Malware?

Malware (malicious software) is any program that works against the interests of the system's user or owner. Viruses, worms, Trojans, and bots are all part of the class of software called malware. Malware, or malicious code (malcode), is code or software that is specifically designed to damage, disrupt, steal, or in general inflict some other bad or illegitimate action on data, hosts, or networks. There are many different classes of malware that have varying ways of infecting systems and propagating themselves. Malware can infect systems by being bundled with other programs or attached as macros to files. Others are installed by exploiting a known vulnerability in an operating system (OS), network device, or other software, such as a hole in a browser that only requires users to visit a website to infect their computers. The vast majority, however, are installed by some action from a user, such as clicking an e-mail attachment or downloading a file from the Internet. Some of the more commonly known types of malware are viruses, worms, Trojans, bots, back doors, spyware, and adware. Damage from malware varies from causing minor irritation (such as browser pop-up ads), to stealing confidential information or money, destroying data, and compromising and/or entirely disabling systems and networks. Malware generally cannot damage the physical hardware of systems and network equipment, but it can damage the data and software residing on the equipment. Malware should also not be confused with defective software, which is intended for legitimate purposes but has errors or bugs.

Classes of Malicious Software

Two of the most common types of malware are viruses and worms. These types of programs are able to self-replicate and can spread copies of themselves, which might even be modified copies. To be classified as a virus or worm, malware must have the ability to propagate. The difference is that a worm operates more or less independently of other files, whereas a virus depends on a host program to spread itself. These and other classes of malicious software are described below.

Viruses

A computer virus is a type of malware that propagates by inserting a copy of itself into, and becoming part of, another program. It spreads from one computer to another, leaving infections as it travels. Viruses can range in severity from causing mildly annoying effects to damaging data or software and causing denial-of-service (DoS) conditions. Almost all viruses are attached to an executable file, which means the virus may exist on a system but will not be active or able to spread until a user runs or opens the malicious host file or program. When the host code is executed, the viral code is executed as well. Normally, the host program keeps functioning after it is infected by the virus. However, some viruses overwrite other programs with copies of themselves, which destroys the host program altogether. Viruses spread when the software or document they are attached to is transferred from one computer to another using the network, a disk, file sharing, or infected e-mail attachments.

Worms

Computer worms are similar to viruses in that they replicate functional copies of themselves and can cause the same type of damage. In contrast to viruses, which require the spreading of an infected host file, worms are standalone software and do not require a host program or human help to propagate. To spread, worms either exploit a vulnerability on the target system or use some kind of social engineering to trick users into executing them. A worm enters a computer through a vulnerability in the system and takes advantage of file-transport or information-transport features on the system, allowing it to travel unaided.

Trojans

A Trojan is another type of malware, named after the wooden horse the Greeks used to infiltrate Troy. It is a harmful piece of software that looks legitimate. Users are typically tricked into loading and executing it on their systems. After it is activated, it can achieve any number of attacks on the host, from irritating the user (popping up windows or changing desktops) to damaging the host (deleting files, stealing data, or activating and spreading other malware, such as viruses). Trojans are also known to create back doors to give malicious users access to the system. Unlike viruses and worms, Trojans do not reproduce by infecting other files, nor do they self-replicate. Trojans must spread through user interaction, such as opening an e-mail attachment or downloading and running a file from the Internet.

Bots

"Bot" is derived from the word "robot" and is an automated process that interacts with other network services. Bots often automate tasks and provide information or services that would otherwise be conducted by a human being. A typical use of bots is to gather information (such as web crawlers), or to interact automatically with instant messaging (IM), Internet Relay Chat (IRC), or other web interfaces. They may also be used to interact dynamically with websites. Bots can be used for either good or malicious intent. A malicious bot is self-propagating malware designed to infect a host and connect back to a central server or servers that act as a command and control (C&C) center for an entire network of compromised devices, or "botnet." With a botnet, attackers can launch broad-based, "remote-control," flood-type attacks against their target(s). In addition to the worm-like ability to self-propagate, bots can include the ability to log keystrokes, gather passwords, capture and analyze packets, gather financial information, launch DoS attacks, relay spam, and open back doors on the infected host. Bots have all the advantages of worms, but are generally much more versatile in their infection vector, and are often modified within hours of publication of a new exploit. They have been known to exploit back doors opened by worms and viruses, which allows them to access networks that have good perimeter control. Bots rarely announce their presence with high scan rates, which damage network infrastructure; instead they infect networks in a way that escapes immediate notice.

Best Practices for Combating Viruses, Worms, Trojans, and Bots

The first step to protecting your computer is to ensure that your OS is up to date. This means regularly applying the most recent patches and fixes recommended by the OS vendor. Secondly, you should have antivirus software installed on your system and download updates frequently to ensure that your software has the latest fixes for new viruses, worms, Trojans, and bots. Additionally, make sure that your antivirus program can scan e-mail and files as they are downloaded from the Internet. This will help prevent malicious programs from reaching your computer. You should also consider installing a firewall.

Additional Definitions and References

Exploit - An exploit is a piece of software, a command, or a methodology that attacks a particular security vulnerability. Exploits are not always malicious in intent; they are sometimes used only as a way of demonstrating that a vulnerability exists. However, they are a common component of malware.

Back Door - A back door is an undocumented way of accessing a system, bypassing the normal authentication mechanisms. Some back doors are placed in the software by the original programmer and others are placed on systems through a system compromise, such as a virus or worm. Usually, attackers use back doors for easier and continued access to a system after it has been compromised.

The Threat to Home Users

Many people underestimate the threat they face when they use the Internet. The prevalent mindset is "who would bother to attack me or my computer?" It is true that an attacker is unlikely to target you individually; to him, you are just one more system on the Internet. But many script kiddies simply unleash an automated tool that scans large ranges of IP addresses looking for vulnerable systems; when it finds one, the tool automatically exploits the vulnerability and takes control of the machine. The script kiddie can later use this vast collection of 'owned' systems to launch denial of service (DoS) attacks, or just to cover his tracks by hopping from one system to another in order to hide his real IP address. This technique of proxying attacks through many systems is quite common, as it makes it very difficult for law enforcement to trace the route of the attack back to its origin, especially if the attacker relays it through systems in different geographic locations. It is very feasible, in fact quite likely, that your machine will be in the target range of such a scan, and if you have not taken adequate precautions, it will be owned.

The other threat comes from computer worms, which have recently been the subject of a lot of media attention. Essentially a worm is just an exploit with a propagation mechanism. It works in a manner similar to the script kiddie's automated tool: it scans ranges of IP addresses, infects vulnerable machines, and then uses those to scan further. Thus the rate of infection increases geometrically as each infected system starts looking for new victims. In theory a worm could be written with such a refined scanning algorithm that it could infect 100% of all vulnerable machines within ten minutes. This leaves hardly any time for response. Another threat comes in the form of viruses; most often these are propagated by email and use some crude form of social engineering (such as the subject line "I love you" or "Re: The documents you asked for") to trick people into opening them. No form of network-level protection alone can guard against these attacks. The effects of the virus may range from mundane (simply spreading to people in your address book) to devastating (deleting critical system files). A couple of years ago there was an email virus that emailed confidential documents from the Windows "My Documents" folder to everyone in the victim's address book. So while you per se may not be high profile enough to warrant a systematic attack, you are what I like to call a bystander victim: someone who got attacked simply because you could be attacked, and you were there to be attacked. As broadband and always-on Internet connections become commonplace, hackers are even targeting the IP ranges where they know they will find cable modem customers. They do this because they know they will find unprotected always-on systems there that can be used as a base for launching other attacks.

The Threat to the Enterprise Most businesses have conceded that having an Internet presence is critical to keep up with the competition, and most of them have realised the need to secure that online presence. Gone are the days when firewalls were an option and employees were given unrestricted Internet access. These days most medium sized corporations implement firewalls, content monitoring and intrusion detection systems as part of the basic network infrastructure. For the enterprise, security is very important -- the threats include: Corporate espionage by competitors, Attacks from disgruntled ex-employees Attacks from outsiders who are looking to obtain private data and steal the company's crown jewels (be it a database of credit cards, information on a new product, financial data, source code to programs, etc.) Attacks from outsiders who just want to use your company's resources to store pornography, illegal pirated software, movies and music, so that others can download and your company ends up paying the bandwidth bill and in some countries can be held liable for the copyright violations on movies and music. As far as securing the enterprise goes, it is not enough to merely install a firewall or intrustion detection system and assume that you are covered against all threats. The company must have a complete security policy and basic training must be imparted to all

employees telling them things they should and should not do, as well as who to contact in the event of an incident. Larger companies may even have an incident response or security team to deal specifically with these issues. One has to understand that security in the enterprise is a 24/7 problem. There is a famous saying, "A chain is only as strong as its weakest link", the same rule applies to security After the security measures are put in place, someone has to take the trouble to read the logs, occasionally test the security, follow mailing-lists of the latest vulnerabilities to make sure software and hardware is up-to-date etc. In other words, if your organisation is serious about security, there should be someone who handles security issues. This person is often a network administrator, but invariably in the chaotic throes of day-today administration (yes we all dread user support calls ! :) the security of the organisation gets compromised -- for example, an admin who needs to deliver 10 machines to a new department may not password protect the administrator account, just because it saves him some time and lets him meet a deadline. In short, an organisation is either serious about security issues or does not bother with them at all. While the notion of 24/7 security may seem paranoid to some people, one has to understand that in a lot of cases a company is not specifically targetted by an attacker. The company's network just happen to be one that the attacker knows how to break into and thus they get targetted. This is often the case in attacks where company ftp or webservers have been used to host illegal material. The attackers don't care what the company does - they just know that this

is a system accessible from the Internet where they can store large amounts of warez (pirated software), music, movies or pornography. This is a much larger problem than most people are aware of, because in many cases the attackers are very good at hiding the illegal data. It is only when the bandwidth bill has to be paid that someone realises something is amiss.

Brief Walk-through of an Attack

This is an account of how an attacker in the real world might go about trying to exploit your system. There is no fixed way to attack a system, but a large number of attackers follow a similar methodology, or at least a similar chain of events. Remember that attackers will usually choose the simplest way into the network: the path of least resistance principle always applies.

Reconnaissance & Footprinting

Here the attacker will try to gather as much information about your company and network as they can without making any noise. They will first use legitimate channels, such as Google and your company web page, to find out as much about you as they can. They will look for the following information:

- Technical information. This is a goldmine: a web page that helps your employees log in from home is priceless to an attacker. So are newsgroup postings by your IT department asking how to set up a particular piece of software, since the attacker now knows you use that software and may know of a vulnerability in it.

- Personal information about the company and its corporate structure. They will want information on the heads of the IT department, the CEO and other people who hold a lot of power. They can use this information to forge email or to social engineer information out of subordinates.
- Information about your partners. If they know you have some sort of network connection to a supplier or partner, they can include the supplier's systems in their attack and find a way into your network from there.
- General news. If your website says it will be down for maintenance for a few days because you are changing your web server, that is a clue that the new setup will be in its teething stages and the admins may not have fully secured it yet.

They will also query the whois databases to find out which blocks of IP addresses you own. This gives them a general idea of where to start their network-level scans. After this they will start a series of network probes, the most basic of which determines whether you have a firewall and what it protects. They will try to identify any systems you have that are accessible from the Internet. The most important targets will be the ones that provide public services:

- Web servers. Usually the front door into the network. All web server software has bugs in it, and if you are running home-made CGI scripts such as login pages, they may be vulnerable to techniques such as SQL injection.

- Mail servers. Sendmail is very popular and most versions have had at least one serious vulnerability. Many IT heads do not like to take the mail server down for maintenance, as doing without it is very frustrating for the rest of the company (especially when the CEO does not get his mail).
- DNS servers. Many implementations of BIND have been vulnerable to serious attacks. A DNS server can be used as a base for other attacks, such as redirecting users to other websites.
- Network infrastructure. Routers and switches may not have been properly secured and may have default passwords or a web administration interface running. Once controlled, they can be used for anything from a simple denial of service (by messing up their configurations) to channelling all your data through the attacker's machine to a sniffer.
- Database servers. Many database servers are installed with a blank password on the default sa account (the administrative login on Microsoft SQL Server), among other common misconfigurations. These are very high-profile targets, as the criminal might be looking to steal anything from your customer list to credit card numbers. As a rule, a database server should never be Internet-facing.

The more naive attackers (or those who know that security logs are never looked at) may run a vulnerability scanner such as Nessus or Retina over the network. This eases their work, at the cost of being noisy.

Exploitation Phase

After determining which hosts are valid targets and which OS and software versions they run (for example, which version of Apache or IIS the web server is running), the attacker looks for an exploit targeting that particular version. For example, if they find you are running an out-of-date version of Sendmail, they will look for an exploit that targets that version or older. They will first look in their own collection of exploits, because they have tested these. If they cannot find one, they will look in public repositories such as http://www.packetstormsecurity.nl. They will probably choose common exploits, as these are more likely to work and can be tested in their own lab.

Once the exploit succeeds, they have already won half the game: they are behind the firewall and can probably see a lot more of the internal network than you ever intended. Many networks are very hard to penetrate from the outside but woefully unprotected internally. This hard exterior with a mushy interior is a recipe for trouble: an attacker who penetrates the first line of defence has the full run of your network.

After getting in, they will also probably install backdoors on the first compromised system to give themselves several ways back in, in case their original hole gets shut. This is why a machine that has been broken into should be rebuilt from scratch: there is no way of knowing what backdoors might have been installed. It can be tricky to find a program that runs itself between 2:00 AM and 4:00 AM every night and tries to connect back to the attacker's machine. Once they have secured their access, the harder part of the intrusion is usually over.
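The SQL injection risk raised above for home-made CGI login pages is easiest to see side by side with its fix. The following is an added example written for this edit; it is not code from the paper. The users table, the account 'alice' and the two attacker inputs are constructed sample data, and SQLite stands in for whatever database the login page would really query.

```python
"""
Vulnerable vs. hardened login check for a home-made login page.

Added example: illustrative code, not taken from the paper. The users
table, the credentials and the attacker's inputs are constructed for
the example; a real CGI login page would read them from the request.
"""
import sqlite3


def make_db():
    """Build an in-memory users table with one constructed account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """The typical home-made CGI pattern: user input is pasted straight
    into the SQL text, so the query is whatever the attacker makes it."""
    sql = ("SELECT username FROM users WHERE username = '%s' "
           "AND password = '%s'" % (username, password))
    row = conn.execute(sql).fetchone()
    return row is not None


def login_hardened(conn, username, password):
    """Same check with bound parameters: the driver passes the values
    separately from the query text, so quotes and comment markers in the
    input are data, not SQL syntax."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row is not None


def demo():
    """Run both versions against a legitimate login, a wrong password and
    two classic injection payloads; return which attempts succeed."""
    conn = make_db()
    # Payload 1: close the quoted username and comment out the password
    # check ('--' starts a comment in SQLite and most SQL dialects).
    comment_user = "alice' --"
    # Payload 2: tautology in the password field; AND binds tighter than
    # OR, so the WHERE clause becomes (... AND ...) OR '1'='1'.
    tautology_pw = "' OR '1'='1"
    return {
        "legit_vulnerable": login_vulnerable(conn, "alice", "correct horse"),
        "legit_hardened": login_hardened(conn, "alice", "correct horse"),
        "wrong_pw_vulnerable": login_vulnerable(conn, "alice", "guess"),
        "wrong_pw_hardened": login_hardened(conn, "alice", "guess"),
        "comment_vulnerable": login_vulnerable(conn, comment_user, "guess"),
        "comment_hardened": login_hardened(conn, comment_user, "guess"),
        "tautology_vulnerable": login_vulnerable(conn, "nobody", tautology_pw),
        "tautology_hardened": login_hardened(conn, "nobody", tautology_pw),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print("%-22s login %s" % (name, "succeeds" if ok else "fails"))
```

Both payloads log in as alice against the string-built query and fail against the parameterised one; the hardened version needs no input filtering at all, because the database never parses the input as SQL.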
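The paragraph above ends on the hard case for the defender, and the earlier point that someone has to actually read the logs is where it gets caught: a backdoor that connects out at the same time every night leaves a pattern in the firewall's outbound-connection log even when the program itself is well hidden. The following is an added detection example written for this edit, not code from the paper. The log format and every line of SAMPLE_LOG are constructed (documentation IP ranges are used for the external hosts); adapt parse_line() to your own firewall's export format.

```python
"""
Finding a backdoor that phones home at the same time every night.

Added example: illustrative detection logic, not code from the paper.
The log format and all lines in SAMPLE_LOG are constructed for the
example; parse_line() must be adapted to a real firewall's log format.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed outbound-connection log. Host 10.0.0.12 talks to a web
# server all day (normal) and, every night between 02:00 and 04:00, to
# 203.0.113.9:443 (the beacon we want to find). 10.0.0.7 is noise.
SAMPLE_LOG = """\
2003-04-01 09:12:01 OUT src=10.0.0.12 dst=198.51.100.20 dport=80 proto=tcp
2003-04-01 11:40:33 OUT src=10.0.0.12 dst=198.51.100.20 dport=80 proto=tcp
2003-04-01 16:05:10 OUT src=10.0.0.12 dst=198.51.100.20 dport=80 proto=tcp
2003-04-02 02:17:44 OUT src=10.0.0.12 dst=203.0.113.9 dport=443 proto=tcp
2003-04-02 10:02:19 OUT src=10.0.0.12 dst=198.51.100.20 dport=80 proto=tcp
2003-04-02 14:30:00 OUT src=10.0.0.7 dst=198.51.100.20 dport=80 proto=tcp
2003-04-03 03:02:05 OUT src=10.0.0.12 dst=203.0.113.9 dport=443 proto=tcp
2003-04-03 13:44:51 OUT src=10.0.0.12 dst=198.51.100.20 dport=80 proto=tcp
2003-04-04 02:45:30 OUT src=10.0.0.12 dst=203.0.113.9 dport=443 proto=tcp
2003-04-04 08:59:12 OUT src=10.0.0.7 dst=198.51.100.20 dport=80 proto=tcp
2003-04-05 03:30:18 OUT src=10.0.0.12 dst=203.0.113.9 dport=443 proto=tcp
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) OUT "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)"
)


def parse_line(line):
    """Return (timestamp, (src, dst, dport)) for a line in the constructed
    format, or None for anything that does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
    return ts, (m.group("src"), m.group("dst"), int(m.group("dport")))


def find_nightly_beacons(log_text, min_days=3, max_spread_hours=2.0):
    """Flag (src, dst, dport) flows seen on at least min_days distinct
    days whose time of day always falls inside a window no wider than
    max_spread_hours. A workstation browsing the same site spreads its
    connections over the working day and is not flagged; a scheduled
    backdoor firing between 2 and 4 AM every night is.
    Limitation: the spread is measured within a calendar day, so a window
    that straddles midnight (23:30 to 00:30) would not be caught as-is."""
    by_flow = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed:
            ts, flow = parsed
            by_flow[flow].append(ts)

    hits = []
    for flow, stamps in by_flow.items():
        days = {ts.date() for ts in stamps}
        if len(days) < min_days:
            continue
        secs = [ts.hour * 3600 + ts.minute * 60 + ts.second for ts in stamps]
        spread_hours = (max(secs) - min(secs)) / 3600.0
        if spread_hours <= max_spread_hours:
            hits.append({
                "flow": flow,
                "days_seen": len(days),
                # Hour-of-day bounds of the window, e.g. (2, 3) for 02:xx-03:xx.
                "window": (min(secs) // 3600, max(secs) // 3600),
            })
    return hits


if __name__ == "__main__":
    for hit in find_nightly_beacons(SAMPLE_LOG):
        src, dst, dport = hit["flow"]
        print("%s -> %s:%d seen on %d days, always between %02d:00 and %02d:59"
              % (src, dst, dport, hit["days_seen"],
                 hit["window"][0], hit["window"][1]))
```

On the constructed log only the 10.0.0.12 to 203.0.113.9:443 flow is reported: four nights, all between 02:00 and 03:59. The daytime web traffic from the same host spreads across seven hours and is ignored, and the second workstation never reaches the three-day threshold. The two thresholds are tuning knobs, not truths; on a real network you would also whitelist known scheduled jobs such as nightly backups before treating a hit as an incident.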

Conclusion

The security issues in our networked systems described in this paper identify some of the work that needs to be done, and the urgency with which these concerns need to be addressed. Dependence on IT-based infrastructures in several countries is such that serious national consequences could result from the exploitation of their vulnerabilities. As the density of networks increases, so does the need for transnational participation in improving network security. Changing technologies and the potential for changing threats are taxing our understanding of the threats and of how to deal with them. Because of the complexity and entanglement of networks and communities internationally, any increase in network security must involve the concerted efforts of as many nations as possible. A great deal can be accomplished through such mechanisms, but not without taking note of their earlier trouble spots. We must learn from prior unexpected consequences of international cooperation, just as in the battle to secure networked systems, and be ever more cautious as we move forward toward some type of international action. But move forward quickly we must, if the benefits of our networked systems are to be realised in the myriad ways that they have been and are hoped for in the future. Nations must cooperate fully, within their capabilities, in order to contain the actions of those who threaten our networks and to realise the positive vision that we have for our societies.
