Threats, Safeguards, Vulnerabilities, and Attacks


Security involves more than the components we've just discussed, which govern only part of how the application you're creating operates. You must also place your system in the context of the environment in which it will operate, such as a corporate intranet or the Web. Once you've determined that context, you need to determine how your system might be attacked, what threats exist to your business, and how you might counter them with technology, policy, and procedure. The security terms used in such an analysis are threat, safeguard, vulnerability, and attack, each of which we'll describe briefly here. We'll explain how to perform the analysis in detail in the next chapter.

A threat is a possibility that poses danger to business assets (such as privacy or data integrity). An example of a threat is the possibility that an unauthorized person might get access to confidential company data or maliciously adjust account details. All threats are determined in relation to business risk. The greater the risk—that is, the greater the impact on the business should the threat be realized—the greater the threat. High-risk outcomes include public embarrassment, loss of credibility or good will, death or injury, loss of money, and so on.

A safeguard is a means to counter the threat, through technology, policy, or procedure. For example, requiring personnel to carry identification badges is a safeguard used to counter the threat that unauthorized people might enter a secure building.

A vulnerability is a weakness in a safeguard that can lead to a threat being realized as an attack. For example, if an administrator doesn't log off a secure terminal when she leaves, a nonadministrator might be able to perform administrative tasks such as changing passwords. In this case, the administrator logging off is the safeguard against the threat of unauthorized changes, and the fact that she might fail to do so is a vulnerability in the safeguard.

An attack is a threat that is brought to fruition through the exploitation of a vulnerability (or vulnerabilities) in the system. For an attack to take place, the following must occur:

  • The attacker must have a motive. For example, an attacker might attack your Web site because he dislikes your stance on trade policy.
  • The attacker must be able to justify the attack. For example, an attacker might believe that by attacking your site with antitrade policy graffiti she will heighten awareness of your policies.
  • An opportunity must arise. The attacker must find a weakness in the system through which he can attack your site. When a server is on the Web, the opportunity for attack exists 24 hours a day, so the risk is vulnerability-based rather than time-based: it comes down to how secure your system is.

Each of these requirements is covered in detail in Chapter 12, "Securing Against Attack."

Three main categories of attacks exist: denial of service, disclosure, and integrity. We'll discuss these categories in the following sections.

Denial of Service

Denial of service (DoS) attacks are common on the Internet today because such attacks can be launched remotely and with a good degree of anonymity. Two of the most common forms of DoS attacks are

  • Consuming all resources on the system so that no resources are available for other authorized users. An example of this is flooding a print queue with thousands of massive print jobs so that the printer runs out of paper and can no longer function.
  • Crashing the system. An example of this is attempting to find a flaw in the system that creates an access violation (AV) and causes a crash.

Disclosure

Disclosure attacks involve unauthorized access to data. For example, a nonemployee might gain access to a company's personnel databases. Imagine the damage an attacker could cause by accessing your personal data, such as your address, telephone number, salary, birthday, social security number or tax identification number, bank account details used for salary direct deposit, and so on. All this information could be used to impersonate you.

Integrity

The final type of attack is an integrity attack, in which data is changed maliciously. Often, the only way to survive a successful attack of this kind is to have a good backup policy. Fortunately, most Internet-based attackers do not want to destroy data; hence, this kind of attack is rare.



Designing Secure Web-Based Applications for Microsoft Windows 2000 with CDROM
Year: 1999
Pages: 138
