
Threats and Risk Assessment

A sample chapter from LFS216 Linux Security Fundamentals, the online self-paced Linux Foundation course.

The Linux Foundation Training Publication


www.training.linuxfoundation.org
Copyright 2017 The Linux Foundation. All rights reserved.

The training materials provided or developed by The Linux Foundation in connection with
the training services are protected by copyright and other intellectual property rights.
Threats and Risk Assessment

Threats and Risk Assessment is the third session in The Linux Foundation's online, self-paced course, Linux Security
Fundamentals (LFS216).

This sample chapter builds a basic foundation of knowledge for the course. Subsequent chapters provide a
comprehensive look at the security challenges that can affect almost every system.

In its entirety, the course will teach you how to assess your current security needs, evaluate your current security
readiness, and implement security options as required.

Here you will find:

15 pages of security concepts from the course

3 sample test questions

2 labs on useful security tools

This sample is intended to give an overview of the course format and quality of the content, which is prepared and
presented by Linux Foundation Training course instructor Lee Elston.

Copyright 2017, The Linux Foundation. All rights reserved.


The training materials provided or developed by The Linux Foundation in connection with the training services are
protected by copyright and other intellectual property rights.
Open source code incorporated herein may have other copyright holders and is used pursuant to the applicable
open source license.
Although third-party application software packages may be referenced herein, this is for demonstration purposes
only and shall not constitute an endorsement of any of these software applications.
All The Linux Foundation training, including all the material provided herein, is supplied without any guarantees
from The Linux Foundation. The Linux Foundation assumes no liability for damages or legal action arising from
the use or misuse of contents or details contained herein.
Linux is a registered trademark of Linus Torvalds. Other trademarks within this course material are the property of
their respective owners.
If you believe The Linux Foundation materials are being used, copied, or otherwise improperly distributed, please
email training@linuxfoundation.org or call +1-415-723-9709(USA).


Contents
Course Introduction
Course Learning Objectives
Course Audience and Requirements
Lab Setup
Chapter 3 - Threats and Risk Assessment
3.2. Learning Objectives
3.3. Classes of Attackers
3.4. Attack Sources
3.5. Types of Attacks
3.6. Active Attacks
3.7. Passive Attacks
3.8. Trade-Offs
3.9. Costs - How Much?
3.10. Likelihood
3.11. Asset Value
3.12. Business Impact
3.13. Security Costs
3.14.a. Knowledge Check
3.14.b. Knowledge Check
3.14.c. Knowledge Check
Exercise 3.1 Introduction to tcpdump and wireshark
Exercise 3.2 Introduction to nmap
3.16. Learning Objectives (Review)
Conclusion


Course Introduction
Linux Security Fundamentals (LFS216)

Note: This page actually has a video introducing the course. The transcript of the video is below:

Hello, my name is Lee Elston. I'm an instructor and a course maintainer for The Linux Foundation. I've been around
since the 70s doing different types of computers, different types of networks, and different types of security.

This class is a very comprehensive look at the security challenges that can affect almost every system, especially
with the seamless connectivity we currently have from the Internet. Many of the features we're going to look at are
built into Linux, either into the kernel or out of the various Linux distributions. There are some additional bolt-on
applications that are of note as well. This class supports many of these different options to secure your systems. In
some cases specialized appliances are going to be demonstrated in this class.

This class is of value to administrators to see how to do something, to managers to see what things can be done,
and even to developers who get to see how we use the wonderful products that they create for us.

The class is going to start with security basics. This is how does security fit into the corporation. We're also going to
have a look at threats and risk assessment to learn about assessing the need for security in your environment.

We'll talk about physical access and learn that we require more than just a locked door to secure the physical server.
We're going to look at logging: various logs including kernel logs, and the kernel audit logging process as well.

Speaking of auditing, we're going to talk about auditing your system and detection for intrusion so you can find out if
your system has, in fact, been compromised.

We're going to look at kernel vulnerabilities, and in fact we have an example of a kernel vulnerability that occurred a
number of years ago, quite inadvertently.

We're going to have a look at authentication, all of that is in a password. And we're going to look at centralized
passwords and what challenges we have there.

We're going to turn our eyes back to our local systems again and look at Unix permissions and extended file
permissions. Some of these extended file permissions will turn out to be quite handy.

We're going to look at network security, which services do we trust, and how security can affect the various services.


We're going to look at the services themselves and see what types of security arrangements they may have built
into the applications.

We're going to discuss denial of service attacks. What is it and how do I mitigate the effects of an attack? We're
going to, of course, look at remote access. We need to access these machines. How do we do it safely and
securely?

We'll have a discussion about firewalling and packet filter and the netfilter kernel module that does all the work for us.
We'll look at response and mitigation. If your system has been compromised, what do you do?

We'll learn about being prepared for an attack and how to safely recover from it. Welcome to class. Let's get started!

Course Learning Objectives

By the end of this course, you should be able to:

Assess your current security needs.

Evaluate your current security readiness.

Implement security options, as required.

Course Audience and Requirements

LFS216: Linux Security Fundamentals is intended for those involved with any security-related task, at
any level. The course focuses on understanding the basic configuration of the component parts, so
that, with the solutions provided, learners at any technical level can follow the material. Virtual
appliances are used to demonstrate what happens when, rather than typing exercises to configure
complex servers. Everyone from manager to implementation technician, and even developers, will gain
additional expertise from this course.

You must be able to download files from the Internet, configure virtual machines, and import a virtual
appliance and a host-only virtual private network. Basic Linux command line skills are required. To
maintain the focus on security and not get sidetracked by differences between Linux distributions,
CentOS 7 was selected for the exercises in this course. Familiarity with Red Hat Enterprise Linux, CentOS or
Fedora is highly recommended.

LFS216 Specific Lab Setup

Lab content is provided at the end of this chapter. Access to the lab environment is only possible for those enrolled
in the course. However, we've adapted the exercises for this sample chapter to run on any single machine or virtual
machine. You will not need the lab setup to complete the adapted exercises.

LFS216 - Specific Lab Setup

This course uses two virtual machines, Main and Secondary, that are on an isolated network. A separate
private network is used so our course exercises do not affect your local setup. The course VMs will need
access to the outside world to retrieve and install some software components. The IP addresses are not
fixed and may be changed for your convenience.
Figure 1.1 shows a VirtualBox hypervisor being used.

Figure 1.1: Lab Setup


Chapter 3 - Threats and Risk Assessment


Note: This page includes a video introducing the chapter topics. The transcript of the video is below:

In this chapter, threats and assessment, we're going to look at the different types of attackers. We're also going to
look at the different types of attacks. And, unfortunately, we're going to have to talk about compromises. Let's go
have a look.

3.2. Learning Objectives

By the end of this chapter, you should be able to:

Differentiate the different classes of attackers.

Discuss the types of attacks.

Explain the trade-offs in security, including likelihood, asset value and business
impact.

3.3. Classes of Attackers

In dealing with threats and risk assessment, there are different classes of attackers.
A white hat hacker breaks security for non-malicious reasons, perhaps to test their own security system
or while working for a security company which makes security software. The term white hat in Internet
slang refers to an ethical hacker. This classification also includes individuals who perform penetration
tests and vulnerability assessments within a contractual agreement.
A black hat hacker is a hacker who violates computer security to be malicious or for personal gain. Black
hat hackers form the stereotypical, illegal hacking groups often portrayed in popular culture. They break
into networks to steal or destroy data, or to make the network unusable for those who are authorized to
use it.
A script kiddie (also known as a skid or skiddie) is a non-expert who breaks into computer systems by
using prepackaged automated tools written by others, usually with little understanding of the underlying
concept.
A hacktivist is a hacker who utilizes technology to announce a social, ideological, religious, or political
message. In general, most hacktivism involves website defacement or denial-of-service attacks.
Nation state refers to intelligence agencies and cyber warfare operatives of nation states.
Organized crime refers to criminal activities carried out for profit.
Bots are automated software tools that are available for use by any type of hacker.

Figure 3.1: Classes of Attackers

3.4. Attack Sources

An attack can be perpetrated by an insider or from outside the organization.

An inside attack is an attack initiated by an entity inside the security perimeter (an insider), i.e., an
entity that is authorized to access system resources but uses them in a way not approved by
those who granted the authorization.
An outside attack is initiated from outside the perimeter, by an unauthorized or illegitimate user of
the system (an outsider). On the Internet, potential outside attackers range from amateur
pranksters to organized criminals, international terrorists, and hostile governments.

A resource (physical or logical), called an asset, can have one or more vulnerabilities that can be
exploited by a threat agent in a threat action. The result can compromise the confidentiality, integrity or
availability of resources (not necessarily the vulnerable one) belonging to the organization and to other
involved parties (customers, suppliers).

3.5. Types of Attacks

Attacks can be either active or passive:

An attack is referred to as active when it attempts to alter system resources or affect their operation;
it therefore compromises integrity or availability.
A passive attack attempts to learn or make use of information from the system without affecting
system resources; it therefore compromises confidentiality.

3.6. Active Attacks

Next, let's look at different types of active attacks.

Denial of service attacks are generally done by flooding the service or network with more requests than
can be serviced, which results in the service becoming unreachable. The same symptoms sometimes occur
without any attacker, due to a client misconfiguration.

Spoofing attacks take place when a valid or authorized system is impersonated, typically by forging
addresses. The service thinks it is communicating with an authorized system when it is really talking to
an impostor. ARP (Address Resolution Protocol) replies, DNS (Domain Name System) responses, IP source
addresses, and MAC (Media Access Control) hardware addresses are all susceptible to spoofing.

Port scanning can be done with the nmap utility. In a SYN scan (nmap's default when run as root), TCP SYN
packets are sent to a range of ports on the target systems. The replies (a SYN/ACK for an open port, a RST
for a closed one) or the lack of a reply (a port filtered by a firewall) provide a significant amount of
information about the services running on the target.

Idle scans are variations on port scans that use a third system, referred to as zombie, to gain information
about a target system. To learn more about idle scans, you can go
to http://en.wikipedia.org/wiki/Idle_scan.

There are quite a variety of network attacks that are still widely used that take advantage of various
network protocols required in most infrastructures. ARP storms, session hijacking, packet injection
are all active network attack techniques.

3.7. Passive Attacks

Now, let's take a look at a passive wiretapping attack.

Wiretapping is generally done with tcpdump or Wireshark to listen to traffic on the network. The capture
tool places the network interface into promiscuous mode, in which every frame the switch sends to that
port is passed up to the application, not just the frames addressed to the host.

During normal operations, a network interface discards frames whose destination MAC address does not
match its own (or a broadcast or multicast address it has joined). Note that on a switched network a
promiscuous interface only sees what the switch forwards to its port: broadcast and multicast traffic,
flooded frames, and the host's own conversations. Seeing other hosts' unicast traffic requires a mirror
(SPAN) port, a hub or tap, or an active attack such as ARP spoofing. Pretty much all communications
protocols and media are susceptible to wiretapping, including:

Ethernet.
Wi-Fi.
USB.
Cellular networks.

3.8. Trade-Offs

Focusing on likely threats to the highest value assets is a reasonable place to start. A common method
for determining likelihood is to create a use case from the point of view of a malicious actor attempting to
cause harm to the system.
Calculating the value of the assets will help determine the amount of security that should be
implemented to protect them. It may not always be cost-effective to protect everything. Many
types of attacks can be mitigated by implementing minimal security, and it is unlikely to be possible to
protect all assets all of the time.
Impact to business operations is also essential in determining the level of security required for any
particular asset. If the business would be severely impacted by a compromise, then more resources should
be dedicated to maintaining the security of the asset. Another business consideration is the impact of
adding security to the environment, which can create a performance challenge.

3.9. Costs - How Much?

It is hard to calculate the Return on Investment that managers need in order to make decisions about how
to mitigate a risk. How much value does a reputation have? Estimating the cost of a cyber attack can be
difficult, if not impossible. There is little data on how often various industries suffer from different types of
intrusions. Until recent laws were passed, companies would often conceal attacks even from law
enforcement. These factors cause difficulties in making rational decisions about how to address the
different risks. Security measures may result in the loss of usability, performance, and even functionality.
Often, if usability concerns are not addressed in the design of a secure system, users respond by
circumventing security mechanisms.

3.10. Likelihood

Evaluating the feasibility of a potential attack is also important. Is the threat real or theoretical?

Method: Are the skills, knowledge, tools, etc. available?
Opportunity: Is there time and access?
Motive: Is it an intentional act or accidental damage?

Recently, it has been demonstrated that fingerprint scanners on smart phones can be fooled into thinking
an authorized user has scanned their fingerprint. The researchers claimed that the attack was rather easy
to accomplish. The reality is that the particular attack required a fair amount of specific things to happen
in proper order to be successful. This is rather unlikely.

Even if the methods are well-known, if the tools are difficult to acquire, only the most resource-wealthy will
be able to perpetrate the attack. Access and opportunity are also areas that can be designed into a
system, such that attacks can only be accomplished during certain windows. By limiting the opportunity to
certain situations, time-based or access-based, security costs can be reduced outside of those situations.

3.11. Asset Value

A thorough inventory of business assets will be the basis for the valuation required when determining
what and how much security will be required.

Most environments handle this process via an Asset Management System. The roles of each asset will
also determine the importance of the asset in the business operations. Components that are not
expensive and yet carry large responsibility for operations should be considered highly valuable.
Estimating the impact of a service outage, damage to the infrastructure, or compromise will also be
necessary in determining the value of the assets.

To determine asset value, you should:

Identify network/system/service assets.
Determine asset roles and relationships.
Evaluate the impact of asset damage/failure/loss.

3.12. Business Impact

The following questions should be evaluated on a regular basis in order to ensure that the security
position is optimal for the environment:
What is the cost of system repair/replacement?
Will there be lost business due to disruption?
How much lost productivity will there be for employees?
Will there be a loss of current customers?
Will this cause a loss of future customers?
Are business partners impacted?
What is your legal liability?

3.13. Security Costs

There are many aspects to the costs associated with securing an IT environment. You should consider all
of them carefully:
Software
Staff
Training
Time for implementation
Impact to customers, users, workers
Network, Compute, and Storage resources
Support
Insurance.
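Sections 3.8 through 3.13 describe likelihood, asset value, business impact and control cost in prose. The Python script below is an added worked example, not part of the LFS216 course material, that puts those factors into the common Annualized Loss Expectancy (ALE) calculation, ranks the risks, and then compares each candidate control's annual cost against the loss it would avoid. Every asset, threat, control and dollar figure in it is a constructed assumption for the demonstration, as is the risk_reduction factor assigned to each control.

```python
"""Quantitative risk-ranking example.

Added worked example, not part of the LFS216 course material. It applies the
common Annualized Loss Expectancy (ALE) method to the factors the chapter
lists: likelihood (expected successful attacks per year), asset value and
business impact (the cost of one successful attack), and the cost of the
control that would reduce the risk. All figures are constructed assumptions."""
from dataclasses import dataclass, field


@dataclass
class Risk:
    asset: str
    threat: str
    asset_value: float       # repair / replacement cost of the asset itself
    business_impact: float   # lost business, productivity, liability per incident
    annual_rate: float       # likelihood: expected successful incidents per year
    exposure: float = 1.0    # fraction of asset_value lost per incident (0..1)

    def single_loss(self) -> float:
        """Single Loss Expectancy: cost of one successful attack."""
        return self.asset_value * self.exposure + self.business_impact

    def annual_loss(self) -> float:
        """Annualized Loss Expectancy: SLE x annual rate of occurrence."""
        return self.single_loss() * self.annual_rate


@dataclass
class Control:
    name: str
    annual_cost: float       # software, staff, training, support, insurance...
    risk_reduction: float    # fraction of the ALE it removes (0..1), via rate or impact
    mitigates: set = field(default_factory=set)   # threat names it addresses


def rank_risks(risks):
    """Highest ALE first: the 'likely threats to the highest value assets'."""
    return sorted(risks, key=lambda r: r.annual_loss(), reverse=True)


def control_benefit(control, risks):
    """Net annual benefit of a control: avoided loss minus its cost.
    Negative means the control costs more than the risk it removes, the case the
    chapter describes as 'not cost-effective to protect everything'."""
    avoided = sum(r.annual_loss() * control.risk_reduction
                  for r in risks if r.threat in control.mitigates)
    return avoided - control.annual_cost


def justified_controls(controls, risks):
    """Controls whose avoided loss exceeds their cost, best net benefit first."""
    scored = [(control_benefit(c, risks), c) for c in controls]
    return [c for b, c in sorted(scored, key=lambda x: x[0], reverse=True) if b > 0]


# Constructed sample register; every number is an assumption for the demo.
SAMPLE_RISKS = [
    Risk("public web server", "denial of service", asset_value=4_000,
         business_impact=20_000, annual_rate=2.0, exposure=0.0),
    Risk("customer database", "data theft", asset_value=15_000,
         business_impact=250_000, annual_rate=0.1),
    Risk("developer laptop", "theft", asset_value=2_000,
         business_impact=5_000, annual_rate=0.5),
]
SAMPLE_CONTROLS = [
    Control("DDoS scrubbing service", annual_cost=12_000, risk_reduction=0.9,
            mitigates={"denial of service"}),
    Control("full-disk encryption rollout", annual_cost=3_000, risk_reduction=0.8,
            mitigates={"theft"}),
    Control("24x7 SOC contract", annual_cost=120_000, risk_reduction=0.6,
            mitigates={"data theft", "denial of service"}),
]

if __name__ == "__main__":
    for r in rank_risks(SAMPLE_RISKS):
        print(f"{r.asset:20} {r.threat:18} ALE ${r.annual_loss():>10,.0f}")
    for c in SAMPLE_CONTROLS:
        print(f"{c.name:30} net benefit ${control_benefit(c, SAMPLE_RISKS):>10,.0f}")
    print("worth funding:", [c.name for c in justified_controls(SAMPLE_CONTROLS, SAMPLE_RISKS)])
```

Run it to see the register ranked by ALE and which controls are worth funding. With the sample figures, the web server's denial of service risk outranks the database even though the database is worth far more, because it is expected to happen twenty times as often; and the laptop encryption control comes out negative, the chapter's point in numbers: a control that costs more per year than the loss it avoids is not cost-effective even when the asset matters.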

3.14.a. Knowledge Check

Attacks can come from:

a) Outside the organization

b) Inside the organization

c) Network connection

d) Physical access

e) All of the above

3.14.b. Knowledge Check

Attacks on computer systems are always someone/something trying to extract data from the
environment.

True

False

3.14.c. Knowledge Check

An attack can be a passive monitoring of network traffic.

True

False


Exercise 3.1 Introduction to tcpdump and wireshark


In this exercise, we learn about two of the most useful tools for troubleshooting networks. These tools will show what
is happening as network traffic is transmitted and received. The tools are tcpdump and wireshark.

These are passive tools; they simply listen to all traffic exposed to the system by the networking infrastructure.

A fair amount of network traffic is broadcast to all the devices connected to the networking gear. Much of
that traffic is simply ignored by the individual systems because the traffic's destination does not match the
system's address. tcpdump and wireshark see all of the traffic that reaches the interface and display it in a
format that can be analyzed.

tcpdump is a command-line, low-level tool that is generally available in a Linux distribution's default package
set. tcpdump has a filtering capability, described in the pcap-filter man page; both tcpdump and wireshark
use the pcap libraries to capture and decode traffic.

tcpdump has no graphical component and offers only basic protocol decoding rather than the deep analysis
wireshark provides. For this reason, it is typically used to capture network traffic during an interesting
session; the resulting capture files are then copied to a workstation for analysis with wireshark.

Packet capture requires opening a raw socket, which needs root privileges (or the CAP_NET_RAW and
CAP_NET_ADMIN capabilities). By default tcpdump also places the interface into promiscuous mode so that
frames addressed to other hosts are captured too; the -p option disables this.

SET UP YOUR SYSTEM


Access to The Linux Foundation's lab environment is only possible for those enrolled in the course. However, we've
created a standalone lab for this tutorial series to run on any single machine or virtual machine, without the course
lab setup. The commands have been altered to suit the standalone environment.

To make this lab exercise standalone, we add an IP alias to the default adapter.

To add a temporary IP alias, first determine the default adapter:


$ ip a | grep inet

The result should be similar to:


inet 127.0.0.1/8 scope host lo


inet 192.168.0.16/24 brd 192.168.0.255 scope global dynamic enp0s3


inet 192.168.122.1/24 brd 192.168.122.255 scope global virbr0

This system shows several adapters: lo is the loopback device; enp0s3 is the adapter with the address
assigned by the DHCP server and is the default adapter; virbr0 is the bridge used by the libvirt hypervisor,
which we will not use.

To add the IP alias on adapter enp0s3:


$ sudo ip addr add 192.168.52.101/24 dev enp0s3

Include the /24 prefix length: without it the address is added as a /32, there is no route for the
192.168.52.0/24 subnet on that interface, and the broadcast ping later in this exercise would be sent toward
the default gateway instead. The alias is temporary and disappears on reboot.

Then add the following to /etc/hosts:


192.168.52.101 main

This /etc/hosts entry should be removed after the exercise is completed.

On our testing system the commands looked like:


START THE EXERCISE

Open a terminal and run the command:

$ sudo tcpdump -D

Notice that the adapters are shown by device name, not by IP address. We will be using the adapter we added the
extra IP address to; on our test system enp0s3 would be the logical choice. However, because we have a single
system with an IP alias, we will use the pseudo-interface any for our monitoring, which captures on every interface
(including lo). If you had several interfaces you could select any specific one. Below is the command used on our
test system.

$ sudo tcpdump -i any

This will print a brief summary of each packet the system sees on any interface, regardless of whether it is
intended for the system main. Leave the process running and open a second terminal. In this second terminal, run
ping, first pinging main and then pinging the broadcast address (the same network as your alias but with a host
number of 255, in our case 192.168.52.255):

$ ping -c4 main


$ ping -c4 -b 192.168.52.255

There may be extra packets displayed that are not related to our purpose. For example, the command ping -c4
www.google.com would generate traffic on the interfaces we are listening to with -i any. We can add a pcap filter to
our tcpdump command to ignore packets that are not related to our subnet. The command would be:

$ sudo tcpdump -i any net 192.168.52.0/24
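Section 3.7 and this exercise describe what a sniffer sees and how a pcap filter narrows it down. The Python script below is an added example, not part of the LFS216 lab and not libpcap, tcpdump or Wireshark code: it writes a classic pcap file image, parses Ethernet/IPv4/TCP frames out of it, and applies a small subset of pcap-filter syntax (net, port, host) the way the tcpdump filter above does. The three frames it contains are constructed in the script with made-up MAC addresses and port numbers; only the 192.168.52.101 alias and the 192.168.0.16 DHCP address from this exercise are reused.

```python
"""Minimal pcap writer/reader with a tcpdump-style filter (pure Python, no libpcap).
Added example for section 3.7 and this exercise, not part of the LFS216 lab.
All frames are constructed below; nothing is captured from a real interface."""
import ipaddress
import struct

PCAP_MAGIC = 0xA1B2C3D4          # classic pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
PROTO_TCP, PROTO_UDP = 6, 17
TCP_SYN, TCP_SYNACK = 0x02, 0x12


def ipv4_checksum(header):
    """RFC 791: one's complement of the 16-bit one's complement sum."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_tcp_frame(src_ip, dst_ip, sport, dport, flags=TCP_SYN):
    """Ethernet + IPv4 + TCP header, no payload; MAC addresses are made up."""
    eth = bytes.fromhex("08002700bb02" "08002700aa01") + struct.pack("!H", ETHERTYPE_IPV4)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, PROTO_TCP, 0,
                     ipaddress.IPv4Address(src_ip).packed, ipaddress.IPv4Address(dst_ip).packed)
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]   # fill checksum field
    return eth + ip + tcp


def pcap_bytes(frames, ts0=1_500_000_000):
    """Serialize frames into a pcap file image, as 'tcpdump -w' would write."""
    out = [struct.pack("=IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for i, frame in enumerate(frames):
        out.append(struct.pack("=IIII", ts0 + i, 0, len(frame), len(frame)) + frame)
    return b"".join(out)


def iter_pcap(data):
    """Yield (timestamp, frame) from a pcap image after checking magic and link type."""
    magic, *_rest, linktype = struct.unpack("=IHHiIII", data[:24])
    if magic != PCAP_MAGIC or linktype != LINKTYPE_ETHERNET:
        raise ValueError("unsupported pcap: bad magic or non-Ethernet link type")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack("=IIII", data[off:off + 16])
        off += 16
        yield ts_sec + ts_usec / 1e6, data[off:off + incl_len]
        off += incl_len


def decode(frame):
    """tcpdump-like summary of an Ethernet/IPv4 frame (ports for TCP/UDP), or None."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    l4 = 14 + (frame[14] & 0x0F) * 4                    # 14-byte Ethernet header + IHL
    rec = {"src": str(ipaddress.IPv4Address(frame[26:30])),
           "dst": str(ipaddress.IPv4Address(frame[30:34])),
           "proto": frame[23], "sport": None, "dport": None, "flags": None}
    if rec["proto"] in (PROTO_TCP, PROTO_UDP) and len(frame) >= l4 + 4:
        rec["sport"], rec["dport"] = struct.unpack("!HH", frame[l4:l4 + 4])
    if rec["proto"] == PROTO_TCP and len(frame) >= l4 + 14:
        rec["flags"] = frame[l4 + 13]
    return rec


def matches(rec, net=None, port=None, host=None):
    """Subset of pcap-filter(7): 'net X', 'port N', 'host H', AND-ed together."""
    if net and not any(ipaddress.IPv4Address(a) in ipaddress.IPv4Network(net)
                       for a in (rec["src"], rec["dst"])):
        return False
    if port and port not in (rec["sport"], rec["dport"]):
        return False
    return not host or host in (rec["src"], rec["dst"])


def summarize(data, **flt):
    """Equivalent of 'tcpdump -nr file <filter>': decoded records that pass the filter."""
    return [rec for _ts, frame in iter_pcap(data)
            if (rec := decode(frame)) is not None and matches(rec, **flt)]


# Constructed traffic: the elinks request to 'main' on port 80, the SYN/ACK back,
# and an unrelated DNS query from the DHCP-assigned address (off-subnet).
SAMPLE_FRAMES = [
    build_tcp_frame("192.168.52.101", "192.168.52.101", 40000, 80),
    build_tcp_frame("192.168.52.101", "192.168.52.101", 80, 40000, flags=TCP_SYNACK),
    build_tcp_frame("192.168.0.16", "8.8.8.8", 40001, 53),
]
SAMPLE_PCAP = pcap_bytes(SAMPLE_FRAMES)

if __name__ == "__main__":
    with open("http-dump.pcap", "wb") as f:        # openable in Wireshark
        f.write(SAMPLE_PCAP)
    for r in summarize(SAMPLE_PCAP, net="192.168.52.0/24", port=80):
        print(f"IP {r['src']}.{r['sport']} > {r['dst']}.{r['dport']}: Flags 0x{r['flags']:02x}")
```

Running the script writes http-dump.pcap in the current directory, which Wireshark opens like any tcpdump capture, and prints the two frames that pass net 192.168.52.0/24 and port 80. The DNS frame from 192.168.0.16 is dropped by the net filter exactly as the tcpdump filter above would drop the traffic to www.google.com.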


The tcpdump output from the ping -c2 main as captured by our test system is listed below:

The tcpdump output from the ping -c2 -b 192.168.52.255 as captured by our test system is listed below

Notice that our system can see the broadcast ping coming in but there is no reply. This is because of a system
tunable: net.ipv4.icmp_echo_ignore_broadcasts is set to 1 by default, since replies to broadcast pings can be
abused to amplify a denial of service attack (the classic smurf attack).

Next, explore the pcap-filter and tcpdump man pages. We are going to construct a tcpdump command that captures
HTTP traffic on our interface and save that traffic to a file.
Run the following commands:

For Fedora, RHEL, CentOS systems:


$ sudo yum install httpd elinks
$ sudo systemctl start httpd


For Ubuntu and Debian systems:


$ sudo apt-get install apache2 elinks
$ sudo systemctl start apache2

For all distributions, create a test file. A plain shell redirection would be performed by your unprivileged shell,
not by sudo, so write the file with tee:


$ echo "test page" | sudo tee /var/www/html/test.html

Note: If your system has the firewalld service running you may need to open some ports.
To test if firewalld is running:

$ sudo systemctl status firewalld


To open the http port:
$ sudo -i
# firewall-cmd --zone=public --add-port=80/tcp --permanent
# firewall-cmd --reload

Start tcpdump listening for traffic on port 80:


$ sudo tcpdump -i any port 80

We could be more specific and say:


$ sudo tcpdump -i any port 80 and host main

Now let's generate some HTTP traffic: first an HTTP GET of a missing page, then of the page we created earlier:

$ elinks -dump http://main/no-file.html


$ elinks -dump http://main/test.html


Observe the output of tcpdump, then terminate tcpdump with Ctrl-C.

ANALYZE WITH WIRESHARK

First let's create some data to analyze. In one terminal session, start a capture that writes the raw packets to a
file (tcpdump options go before the filter expression):


$ sudo tcpdump -i any -w http-dump.pcap port 80

In another terminal session, issue the following command to ask for a web page that is not available and generate a
404 Not Found error:
$ elinks -dump http://main/no-file.html

This command should return the text of the file we created earlier:
$ elinks -dump http://main/test.html

Terminate the tcpdump command with Ctrl-C and verify that the file http-dump.pcap exists and is not empty.

Next, we will analyze the captured data with wireshark. Verify wireshark is installed:
$ which wireshark

If the previous command fails, you will have to install the utility.


On RHEL-based systems:
$ sudo yum install wireshark wireshark-gnome

On Debian-based systems:


$ sudo apt-get install wireshark-qt

You can launch it by running wireshark from a terminal or by finding it in the application menus on your desktop, e.g.,
under Applications -> Internet you may find the Wireshark Network Analyzer. If wireshark is launched from the
GUI, go to the File -> Open dialog and browse to the capture file created above. Or launch wireshark with the capture
file from the command line:
$ wireshark http-dump.pcap

The capture file was written by tcpdump running as root (or as the unprivileged tcpdump user on distributions
that drop privileges), so make sure your own account can read it.

Explore the wireshark output. Wireshark can also capture interactively without tcpdump, but it requires a GUI; a
text version called tshark exists. Capturing with tcpdump and analyzing with wireshark, possibly on a different
machine, is handy for production systems without a GUI or console access.


CLEANUP
Remember to remove the entry from /etc/hosts. The IP alias can be removed immediately with ip addr del (the
counterpart of the ip addr add command used above), or it will disappear on reboot.


Exercise 3.2 Introduction to nmap


nmap is another essential tool for troubleshooting and discovering information about the network and services
available in an environment. This is an active tool (in contrast to tcpdump and wireshark) which sends packets to
remote systems in order to determine information about the applications running and services offered by those
remote systems.

Be sure to inform the network security team as well as obtain written permission from the owners and admins of
the systems which you will be scanning with the nmap tool. In many environments, active scanning is considered an
intrusion attempt.

The information gleaned from running nmap can provide clues as to whether or not a firewall is active in between
your system and the target. nmap also indicates what the target operating system might be, based on fingerprints of
the replies received from the target systems. Banners from remote services that are running may also be displayed
by the nmap utility.

SET UP YOUR SYSTEM


Access to the Linux Foundation's lab environment is only possible for those enrolled in the course. However,
we've created a standalone lab for this tutorial series to run on any single machine or virtual machine, without
the course lab setup. The best results are obtained by using bridged rather than NAT networking in your
virtualization manager. Consult the documentation for your virtualization type (e.g., Oracle VirtualBox, VMware
Workstation, and others) to verify or alter the networking connection type.

START THE EXERCISE

First, lets install nmap on your Linux machine.

For Red Hat, CentOS and Fedora machines:

$ sudo yum install nmap

For Debian and Ubuntu machines:

$ sudo apt-get install nmap


Next, explore the nmap man page.

$ man nmap

For the best results run nmap as root or use sudo with the nmap command, since SYN scans and OS detection need
raw sockets. Now, we will run nmap on the localhost:

# nmap localhost

Increase the information nmap acquires with a SYN scan (-sS), no host discovery (-Pn), service version detection
(-sV) and OS detection (-O):

# nmap -sS -Pn -sV -O localhost

Note the spelling of -Pn: the older form -P0 (a zero) is easily misread as -PO (the letter O), which is a different
option, IP protocol ping.


The -A option enables OS detection, version detection, default script scanning and traceroute with one flag; with it
we can see nmap's OS fingerprinting at work:

# nmap -A localhost

A common usage for nmap is to perform a ping scan: probe all possible IP addresses in a subnet range to discover
which are currently in use, without scanning their ports. This is also sometimes referred to as network discovery.
-sn is the current spelling of the older -sP; adjust the subnet to match your own network.

# nmap -sn 192.168.0.0/24

Another way to find the active IP addresses on a locally attached network is to let the ping scan populate the ARP
cache and then read it back, skipping incomplete entries:

# nmap -T4 -sn 192.168.0.0/24 1>/dev/null && grep -v 00:00:00:00:00:00 /proc/net/arp


Addressing for nmap is very flexible: DNS names, IP addresses and IP ranges are all acceptable. Consult the
man page for additional details.
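Section 3.6 described port scanning as sending probes and reading the replies; nmap does that at the SYN level with raw sockets. The Python script below is an added example, not part of the LFS216 lab and not nmap code: it performs a TCP connect scan (the equivalent of nmap -sT) and classifies each port as open, closed or filtered from the result of connect(). So that it runs offline, it starts its own listener on 127.0.0.1 and reserves a port that nothing listens on, giving a guaranteed open and a guaranteed closed case; the well-known ports 22 and 80 in the demo simply show whatever state your machine has.

```python
"""TCP connect scan in pure Python (the logic behind 'nmap -sT').
Added example for section 3.6 and this exercise; not part of the LFS216 lab
and not nmap code. Scan only systems you are authorized to test."""
import errno
import socket
from concurrent.futures import ThreadPoolExecutor

# errno values connect_ex() hands back when the probe times out instead of failing:
# on a timeout CPython returns EWOULDBLOCK (EAGAIN on Linux), the kernel ETIMEDOUT.
TIMEOUT_ERRNOS = {errno.ETIMEDOUT, errno.EAGAIN, errno.EWOULDBLOCK, errno.EINPROGRESS}


def probe(host, port, timeout=0.5):
    """Classify one TCP port: 'open' (handshake completed), 'closed' (RST received),
    'filtered' (no answer before the timeout, usually a firewall dropping the SYN),
    or 'error(<errno>)' for anything else, such as EHOSTUNREACH."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        err = s.connect_ex((host, port))          # returns an errno rather than raising
    if err == 0:
        return "open"
    if err == errno.ECONNREFUSED:
        return "closed"
    if err in TIMEOUT_ERRNOS:
        return "filtered"
    return f"error({errno.errorcode.get(err, err)})"


def scan(host, ports, timeout=0.5, workers=64):
    """Probe the ports concurrently; returns {port: state} ordered by port number."""
    ports = list(ports)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        states = list(pool.map(lambda p: probe(host, p, timeout), ports))
    return dict(sorted(zip(ports, states)))


def open_ports(result):
    """Ports reported 'open', ascending."""
    return [port for port, state in result.items() if state == "open"]


def start_listener(host="127.0.0.1"):
    """Listen on an ephemeral port so the demo has a guaranteed open port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(16)
    return srv, srv.getsockname()[1]


def reserve_closed_port(host="127.0.0.1"):
    """Bind an ephemeral port without listening: the kernel answers SYNs with RST,
    and holding the socket stops anything else from taking the port meanwhile."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((host, 0))
    return s, s.getsockname()[1]


if __name__ == "__main__":
    listener, open_port = start_listener()
    holder, closed_port = reserve_closed_port()
    result = scan("127.0.0.1", [22, 80, closed_port, open_port])
    for port, state in result.items():
        print(f"{port:>5}/tcp  {state}")
    print("open ports:", open_ports(result))
    listener.close()
    holder.close()
```

A connect scan needs no privileges, but every open port receives a complete connection that the service may log, which is why nmap prefers the half-open SYN scan when run as root. The filtered state is the one to watch in this exercise: a port that times out rather than being refused usually means a firewall is dropping the probe between you and the target, which is one of the clues the exercise introduction mentions.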

Well cover more uses for this tool later on in the course. For now, have fun exploring the tool!

3.16. Learning Objectives (Review)

You should now be able to:

Differentiate the different classes of attackers.

Discuss the types of attacks.

Explain the trade-offs in security, including likelihood, asset value and business
impact.


Conclusion
Thank you for your interest in this sample chapter. Now that you've had a sneak peek of the course, are you ready to
learn more? Sign up for LFS216 Linux Security Fundamentals today!

The Linux Foundation is creating the greatest shared technology investment in history by enabling open source
collaboration across companies, developers, and users. We are the organization of choice to build ecosystems that
accelerate open technology development and commercial adoption.
