The threats computer security professionals faced two-and-a-half decades ago are comparatively rudimentary and trivial by today's standards. They had no need for IPSs at that time. Unfortunately, threats have matured rapidly since then and are now sophisticated enough to warrant an advanced countermeasure like an IPS.

Many factors impact the security threats to which a computer system is vulnerable. Naturally, some threats are more severe than others, so when trying to understand why an IPS is necessary in today's networks, you need to consider the following factors:

• Technology adoption

• Target value

• Attack characteristics

Technology Adoption

It is sometimes easy to forget that, at 75 years of age, the digital computer industry as a whole is fairly young. You still find plenty of room for innovation, and new innovations in computing occur regularly. Inventions such as the personal computer and the Internet force businesses to change the way they operate .

The operational change might take some time because businesses don't usually adopt new technologies quickly. New technology comes with a set of risks, such as poor return on investment, security concerns, training costs, and so on. However, most technologies reach a point at which the rewards for adoption outweigh the risks. At that point, the technology is widely adopted, and the potential security risks become a reality. Even when these technologies are adopted, however, the objective many times is to simply get the technology working, with security being left as a future add on.

Four widely adopted technologies stand out as having had a tremendous impact on the evolution of security threats and thus the evolution of IPSs:

• Client-server computing

• The Internet

• Wireless connectivity

• Mobile computing

Client-Server Computing

Before the client-server architecture became commonplace in the 1990s, most businesses relied solely on mainframes for their computing needs. Users gained access to the mainframe using dumb terminals that were physically connected to the mainframe (but not each other), had a computer screen and a keyboard, but had almost no processing capability. All processing occurred on the mainframe.

Client-server is a computing architecture that has largely replaced mainframes because of its lower cost of ownership. In client-server processing, power is not centralized. Instead, it is distributed across many networked computers, each acting as either a client or server. Clients are expected to provide a great deal of processing power so that the servers can be free to handle intensive computational operations.

Attacks against dumb terminals were limited because the attacker needed physical access to the system. One common attack against these systems was for one user to use the dumb terminal and then run a program that mimicked the normal login program in an attempt to steal login credentials from other users who tried to use the dumb terminal. A terminal, however, that cannot store data and has no processor is usually not an attractive target. Furthermore, dumb terminals cannot be used as a client or a server because they have no processing capability and are not connected together.

Dumb terminals were replaced by personal computers or workstations that could meet the requirements of the client-server architecture. This resulted in a dramatic increase in the number of target hosts and networks available to an attacker. Figure 1-1 illustrates this increase. Large businesses can have hundreds of thousands of networked computers, all of which are potential targets for an attack.

A client-server architecture not only has more targets for an attacker, but it is also all networked together. If an attacker is able to compromise one computer, any computer connected to the compromised system is now a secondary target. Peer-to-peer networking contributed greatly to this problem by increasing the number of potential pathways between the systems. Furthermore, because the networked computers have high-speed connections and fast processors, they are very valuable and powerful targets.

The Internet

Client-server and peer-to-peer architectures multiplied the number of the potential targets. Even so, attackers needed to have a way to connect to a network or computer to attack it.

Enter the Internet, which allows attackers to rapidly reach millions of targets all over the globe. Any Internet-connected host or network is reachable by any attacker from practically anywhere . Despite the risks, the Internet is a powerful business tool, and almost every business uses it in one way or another.

A by-product of ubiquitous Internet use is that the communications protocol it uses, TCP/IP, has also grown in popularity. TCP/IP was designed to connect different types of systems together; it wasn't designed to be secure. Using the basic TCP/IP transport protocols presents a number of security risks, but these transport protocols are so commonly used to communicate between systems that virtually every computer is forced to use TCP/IP to some degree to access the network.

Wireless Connectivity

Traditionally, you accessed a network by plugging a network cable into a switch port on the network. Therefore, to gain access to the network, you had to have some sort of physical access to your facility. Wireless connectivity removed the physical restriction for access to your network.

Wireless connectivity enables an increase in productivity because it enables your users to easily remain connected as they travel from their desk to a meeting in a conference, or from one meeting to another. Furthermore, wireless connectivity is cheaper because you do not have to install switch ports throughout your entire facility.

However, unlike switch ports, the signals from your wireless access points do not stop at the walls of your facility. Without effective security measures installed, an attacker can easily gain access to your wireless network without ever entering your building.

Mobile Computing

Mobile computing refers to the collection of technologies that makes it possible for employees to remotely perform the same duties they could while at the office. Portable computers, mobile phones, and personal digital assistants (PDAs) are becoming just as powerful as similar non-mobile equipment. Still, many of the computing resources a mobile worker needs are stored in the office, so the mobile devices have to be able to access them remotely.

Corporations commonly make these resources available to their remote workers through dialup or Internet virtual private network (VPN) connections. Typically, once a user has made an authorized connection to the corporate network, the user's device acts like an ordinary network participant. It has virtually unfettered access (with maybe only minimal restrictions because of traversing through a firewall).

Having a mobile workforce is tremendously beneficial, but to realize the benefit companies must accept an equal amount of risk. Mobile workers use many powerful and potentially vulnerable devices that are frequently outside of the office. While not in the office, these devices are far more vulnerable because they are not protected by the countermeasures that would guard them ordinarily. At the same time, they are able to access the corporate network at will.

The upshot is that huge numbers of mobile devices are very vulnerable and tempting targets for attackers. Especially considering that once a device is compromised, the attacker can sometimes use the device's remote access to attack the corporate network.

Another aspect of mobile computing is the increased use of wireless network connectivity. Wireless connectivity enables laptops and PDAs to remain connected as users move from their desks to meetings in various conference rooms.

Note

Wireless mobile computing also refers to remaining connected while moving from one network or zone to another (such as when switching between different cell phone towers ).

Remaining connected increases the worker's productivity, but the wireless access increases the security risks because access to the wireless network does not necessarily end at the walls of the building. This analogy also applies to various wireless devices connected to your computer, cell phone, or PDA, such as wireless headsets, mice, and keyboards. An attacker might place calls on your cell phone by attacking the Bluetooth protocol that enables your wireless headset to communicate with your cell phone.

Target Value

Initially, personal computers were lucrative targets for their actual hardware. Currently, computer hardware is relatively cheap; however, personal computers are still lucrative targets because of the following factors:

• Information theft

• Zombie systems acquisition

Information Theft

Originally, many computer systems were used for local applications, such as word processing and playing games . Over time, especially after Internet usage became popular, the information stored on personal computers (both business and personal) has become much more valuable. Today, it is common for millions of people to access their banks and other financial institutions using their personal computers. Business computers frequently house sensitive information such as source code, locally stored e-mail archives, and business roadmaps . The information stored on computers has become more valuable than the actual systems themselves . Furthermore, these business systems (usually laptops) are frequently used away from the office (when working at home and when traveling).

Zombie Systems

Originally, people had PCs that were connected to the Internet via a dialup modem. These systems, therefore, were connected to the Internet only for a short period of time (limiting the attack window timeframe). With the deployment of high-speed Internet connections, many people have systems directly connected to the Internet 24 hours a day (dramatically increasing the attack window timeframe). Many of these always connected machines are running vulnerable software. By compromising these vulnerable systems, attackers can build a network of machines (known as zombies ) that they can use to perform various kinds of attacks. Furthermore, these attacks do not directly originate from the attackers, so tracing the attack back to the real attackers becomes more difficult.

Attack Characteristics

The threats resulting from technology adoption are not, by themselves, enough to compel the creation of a new countermeasure such as an IPS. Combine new technology threats with increasingly sophisticated and formidable attacks and you have circumstances dangerous enough to warrant IPSs. This section defines a loose model called attack characteristics to categorize the level of threat an attack poses.

The model uses a consistent set of attributes called attack characteristics to characterize attacks. Breaking down attacks into these attack characteristics enables you to compare various attacks using consistent factors. When an attack has one or more characteristics that are dramatically more dangerous than the same characteristic(s) in previous attacks, you have an indication that existing security countermeasures might not be enough to stop it. This section explores four attack characteristics:

• Delivery mechanism

• Complexity

• Target

• Impact

Attack Delivery Mechanism

Delivery mechanism is the method by which an attack is disseminated. When considering the attack delivery mechanism, you need to consider the following two aspects:

• Reach of the attacker

• Protection from discovery

Before media and networks were commonplace, the prevailing delivery mechanism was to deliver the attack in person. The replacement login attack (see the "Attack Examples" section later in the chapter) is a classic example of physical delivery. Of all the delivery mechanisms, physical has the shortest reach. The only targets in reach are the ones that an attacker can touch.

The next best approach is to distribute an attack using media of some kind. The most traditional media are floppy disks, although they are not in much use today because removable Universal Serial Bus (USB) storage devices are smaller and store far more data. Media distribution via floppy disks is more efficient and grants a longer reach than physical access; however, floppy disks change hands fairly slowly, and the reach of this sort of attack is still limited.

Modems, which have been commercially available since 1962, are another option. Attackers created tools they could use to find unsecured modems. Still, finding unsecured modems is a lengthy process, and modem connections are relatively slow. Modems give attackers a longer reach. To improve the efficiency of modem-based attacks, attackers developed tools known as war-dialers to more effectively identify modem connections.

The furthest reach currently available is granted by the Internet. Internet access has also become very fast because of high-speed connectivity via cable and digital subscriber line (DSL) modems. Attackers use Internet access to distribute attacks virtually anywhere they want at great speed, with low cost, and with great convenience. Further, the Internet grants a certain amount of anonymity, providing protection from discovery.

Protection from discovery is the second factor that determines the delivery mechanism threat level. It has to do with the risk that the attacker will be identified before, after, or during attack delivery. Naturally, most attackers would rather not be identified.

Physical dissemination is the least protective delivery mechanism because attacker stands a good chance of being spotted. Even with no eyewitnesses, the attacker might leave clues such as fingerprints behind. Remote delivery mechanisms make it easier for the attacker to remain anonymous.

Media, modems, and the Internet are more anonymous delivery mechanisms and thus have a higher threat level. Even so, none of the three are completely anonymous. It might be difficult, but it is quite possible to track an attack back to its point of origin, and thus the attacker, even if it was delivered via the Internet.

Several delivery mechanisms significantly increase the protection from discovery. One method is to use obfuscation techniques, and one such technique uses zombies to deliver attacks instead of the attacker's own machines, thus hiding the attacker from whoever might be looking. Tracking the attack back to the original attacker through one or more zombie systems is definitely difficult but not necessarily impossible .

Another way to avoid discovery is to deliver the attack wirelessly . An attacker can get within range of an unsecured wireless access point with access to the Internet, use it to deliver an attack, and leave. The chances of discovery are slim. An added advantage of using wireless is that it reaches mobile targets like phones and PDAs. Attacks that use the wireless delivery method can easily have a very high threat level. A simple (but effective) wireless attack is called drive-by spamming

Attack Complexity

Attack complexity is a measurement of the attack based on the following two factors:

• Complexity to launch the attack

• Complexity to detect the attack

The complexity to launch the attack helps you assess how easy it is for an attacker to use a specific attack. The more difficult an attack is to launch, the fewer the number of attackers that can successfully execute the attack. The Internet connects millions of computers together, potentially giving a large number of attackers access to your computer resources. Therefore, it is important to determine how likely it is an attack will be used against your network.

The number of operations an attack performs on the target usually determines its complexity at being detected . An attack that compromises the target and spreads to others performs only two operations and has a fairly low threat level. By contrast, an attack that compromises the target, spreads, deletes files, makes the machine into a zombie, and initiates a denial-of-service (DoS) attack is very complex and should be assigned a high threat level. Nimda and Slammer (see the "Attack Examples" section) are perfect examples of contrasting complexity.

Attack Target

The following two factors determine the threat level in the target category:

• Total number of potential targets

• Value of the potential targets (impact if compromised)

A vulnerability in a rarely used application provides fewer opportunities for an attacker than a vulnerability in an operating system that is used on millions of computers. The larger the potential number of targets is, the more usual it is that a higher threat level is assigned to a given attack.

In general, you have fewer servers than you have clients. Therefore, an attack that targets clients usually has more targets than an attack that targets servers. However, servers are usually more important to an organization than client systems. Servers typically contain more important data and provide important business functions. If a server is made unavailable by an attack, that impacts many users, as opposed to just one if a client is unavailable. Furthermore, a compromised server can be used to attack the client systems that attempt to connect to services on the server (exploiting vulnerabilities in the client systems).

Attacks that target one small category of servers might be assigned a low level of threat. If the target servers provide critical business functions such as web pages and database servers, the threat level is high. Likewise, if both servers and personal computers are targeted , the threat level should be high.

Attack Impact

The final attack characteristic is the impact that the attack generates. Many times, the impact is related to the intent of the attacker. Some common goals of an attacker include the following:

• Curiosity

• DoS

• Theft of confidential information

• Revenge

• Construction of a network of compromised machines

The intent attribute has to do with the objective of the attack. Not all attacks have an evil intent. The Morris worm (see the "Attack Examples" section), for example, was an accident . The author, Robert Morris, meant for the worm to do nothing more than count the number of hosts connected to the Internet. The damage it did was because of a bug in the worm's programming and not intentional at all. Nevertheless, the impact was still a major DoS on numerous systems. The impact threat level, however, was only medium because of the limited use of the Internet at the time.

Since the Morris worm, attacks have become increasingly malicious. Some delete data, steal confidential information, and/or intentionally deny service. Some of the most insidious are written by criminal organizations for the purpose of financial gain. For example, some criminal organizations maintain vast collections of zombies, which they rent to other organizations. Other criminals extort users by encrypting their data and then demanding money to decrypt it. Attacks with these types of intent have a threat level of high.

In other situations, someone with potentially good intentions might try to use a "benevolent" worm to try to remove or counter the effects of a malicious worm. A good example is creating a worm to patch systems that are vulnerable to a specific exploit. Similar to the Morris worm, however, these " benevolent " worms usually end up causing more harm than benefit.

The intent of attackers, as well as the impact of the attack, is very important. If attackers have access to a specific exploit, then they can search out systems that are vulnerable to the exploit, gaining control of a large number of systems to use as zombie systems. On the other hand, if attackers are trying to steal information from a specific company, then they seek out vulnerabilities specific to that company's network and use it to obtain the needed information.

Attack Examples

Now that you know what the attack characteristics are, you can apply them to any attack to evaluate the threat levels. This section uses several real-world attacks to illustrate the process. Also, each of the attack examples demonstrates an increase in one or more threat levels in comparison to prior attacks.

Replacement Login

The intent of this attack is to capture user login credentials. It requires that attackers have physical access to mainframe terminals. Attackers use the terminal to replace the login procedure for the computer with their own.

The attackers' program masquerades as a standard username and password prompt, but when users enters their credentials, it displays an "Invalid Username or Password" message. Users think that they simply mistyped something, but the program actually captures the login credentials and stores them somewhere for later retrieval. After the attackers' fake login program runs, the real login prompt appears, and users can log in.

Table 1-1 outlines the attack characteristics for the "Replacement Login" attack. There was no real discovery year for this technique. The delivery mechanism can be categorized as physical because you had to physically log into a dumb terminal connected to the mainframe and run your fake login program. The fake login program, however, was usually not very complex because most of the dumb terminals supported only textual displays (unlike the highly graphical nature of current displays). The target was the mainframe, but most accounts had limited privileges; therefore, the target threat level was low because the effect to the actual mainframe operation was limited. The impact was theft of login credentials, but the accounts usually had limited privileges (and the victim had to log in at the same terminal where your fake login program was running). So, the impact was considered only in the medium range.

Table 1-1. Replacement Login Attack Characteristics

The Morris Worm

In 1988, a Cornell University graduate student wrote and released a worm that propagated using the Internet. Between 6000 and 9000 UNIX-based computers were infected. The worm was not written to cause damage, but to spread to as many systems as possible. Unfortunately, a bug in the worm caused it to infect individual computers many times, resulting in widespread system slowdowns and crashes.

Prior to this worm and for a time after, the most common way to distribute attacks was using media that limited the attack's propagation and reach. The interesting thing about this worm is that it was one of the first distributed using the Internet. It infected systems by exploiting known operating system and application vulnerabilities. After the system was infected, the worm would infect other systems connected to the Internet, which demonstrated how the Internet is a powerful way to propagate attacks.

Table 1-2 outlines the attack characteristics for the Morris worm. This worm was launched in 1988 by Robert T. Morris. The delivery mechanism was via the nascent Internet. Because of the small size of the early Internet, using the Internet as the delivery mechanism was only a medium threat level. The attack was relatively simple (because the early Internet had virtually no security measures in place), and it targeted UNIX servers that were not extremely critical (compared to servers of today), resulting in low threat levels for both of these categories. Even though Morris had no malicious intent, his worm actually took down the Internet at the time. This impact, however, was only a medium threat level because, at the time, not that much work was being accomplished via the Internet. A similar disruption today would have a huge economic impact. [click here] [click here]

Table 1-2. Morris Worm Attack Characteristics

CIH Virus

CIH, also known as Chernobyl or Spacefiller, was one of the most damaging widely circulated viruses ever. It did not have the capability to self-propagate, but it infected some widely distributed files, such as a firmware update from Yamaha and a game demo from Activision. The payload activated on April 26, 1999. CIH severely damaged a large number of computers by destroying all data on the hard drive and, in some cases, damaging the system BIOS so that the computer could not even be turned on.

The CIH virus is notable because it demonstrated malicious code's damage potential. Few viruses, worms, or Trojans since CIH have done as much permanent and intentional damage, but the possibility of a future threat that does is still very real. An attack that deletes data and uses the Internet to propagate could be terribly damaging.

Table 1-3 outlines the attack characteristics of the CIH virus. This virus was discovered in 1998. It spread via floppy disks, which is not a very efficient or fast delivery mechanism, so the delivery mechanism is considered a relatively low threat level. CIH targeted personal computers that were beginning to be used for creating important documents and other applications, so the target threat was medium. The impact of the virus was the deletion of system information making the impact threat level high.

Table 1-3. CIH Virus Attack Characteristics

Loveletter Virus

By 2000, e-mail had become a commonplace application. The Loveletter virus, released that year, took advantage of the widespread adoption of e-mail. It consisted of an e-mail message with the worm as an attachment that masqueraded as a loveletter. Recipients were encouraged to open the attachment (and invoke the virus) by the subject of the message, which was "ILOVEYOU" and the fact that the sender address was usually one that the recipient recognized.

Note

Researching the Loveletter virus, you will find that some people call it a worm and other people call it a virus. Because the user had to open the attachment to infect his machine (and launch the Loveletter program), we stick to calling it a virus because it is not truly self-replicating.

After a system was infected, the virus sent itself to everyone in the infected system's e-mail contact list. It also initiated a DoS attack on the official White House website's IP address, damaged important multimedia files on the system, and caused widespread e-mail outages. Loveletter caused an estimated $10 billion in economic damages.

Table 1-4 outlines the attack characteristics of the Loveletter virus. Loveletter was discovered in 2000 and is an ideal example of a drastic leap in threat level. Loveletter used Microsoft Outlook Visual Basic commands to perform its operations and incorporated social engineering to trick the user into continuing its spread, giving the complexity a medium threat level. It was delivered using e-mail and the Internet. The target systems were personal computers that were still only moderately important to business operation, so the target threat level can be considered a medium level. At the time, e-mail use was becoming widespread, but it had not achieved the business reliance that it has today. So, the delivery mechanism of e-mail is considered only a medium threat (especially because the user had to actually open the attachment). The impact of the virus, how-ever, was a threat level of high. Not only did the virus impact the operation of personal computers, but it also slowed down entire networks and severely impacted the operation of the mail servers themselves, making Loveletter multifaceted and very dangerous.

Table 1-4. Loveletter Worm Attack Characteristics

Nimda

Prior to the Nimda worm, most malicious code traveled from system to system using just one or two methods . Loveletter, for example, propagated using only e-mail and file infection. Nimda, which is admin spelled backwards , used many propagation vectors. It infected local files, infected files via peer-to-peer file shares, attached itself to e- mails , and used a vulnerability to infect Microsoft web servers.

Although it didn't delete data, Nimda's complexity and variety of delivery mechanisms made it very difficult to stop. Also, it compromised the security settings of any infected host by giving anyone with network access full access to the hard drive. It was one of the first worms to rate a high threat level in every category.

Table 1-5 outlines the attack characteristics of the Nimda worm. Nimda was discovered in 2001 and incorporated multiple delivery mechanisms, giving it a high delivery threat level. Nimda was also fairly complex. It was the first virus/worm to actually infect other files (as opposed to just making multiple copies of itself), making removal more complicated, giving it a high complexity threat level. Nimda targeted personal computers and server systems. By 2001, personal computers and network connectivity had become a much more vital component to enhance the productivity of workers. Causing computers to crash or preventing network access now had significant business impact, giving Nimda the target threat level of high.

Table 1-5. Nimda Attack Characteristics

SQL Slammer

Slammer propagated with unprecedented speed. It attacked Microsoft database servers and was delivered via the Internet. After a server was infected, it didn't take long for the worm to infect all the other servers it could reach. In fact, it infected most of its estimated 75,000 victims within the first 10 minutes. Another important characteristic of the Slammer worm is that it targeted a service that, for many companies, is mission critical. Databases oftentimes store the most valuable and frequently used data a company has. If they are not available for any reason and access to the data is lost, the company can lose a tremendous amount of money.

When Slammer hit, its propagation could have been halted by "turning off" all the databases it targeted. Because of the mission critical nature of the service, most organizations could not afford to do that. Any time an attack targets required services, such as databases or network authentication, it is very difficult for organizations to arrest its propagation because doing so would deprive the users of a service they must have to do their jobs.

Note

Not being able to prevent the spread of SQL Slammer is a classic example of how business needs often override security concerns in many situations. In this situation, blocking SQL traffic at network routers would have had a much more damaging impact on the network than allowing the SQL Slammer worm to spread until all the systems could be patched.

Table 1-6 outlines the attack characteristics for the SQL Slammer worm. This worm, discovered in 2003, was delivered using the Internet but targeted a buffer overflow in Microsoft SQL servers. Exploiting a buffer overflow is not very complicated, so the SQL Slammer's complexity is in the low threat range. The delivery used the Internet, but because most SQL servers are protected from direct Internet access, the delivery threat level is only medium. The target of SQL Slammer was database servers. These systems are critical to business operations so the target threat level is high. Finally, the impact of the SQL Slammer worm is also a high threat level because of a couple of factors. First, the attacker gained control of critical database systems. Another side effect was that thousands and thousands of client systems were compromised because these systems had a simple SQL server program (Microsoft SQL Server 2000 Desktop Engine [MSDE]) running on them by default (unknown to most users of the client systems). Compromise of the clients systems also led to the compromise of more server systems because the client system had access to the internal SQL servers (which were protected from direct Internet access).

Table 1-6. SQL Slammer Attack Characteristics

Discovery Year	Delivery Mechanism	Complexity	Target	Impact
2003	Internet	Simple	Database servers	Spread
	(Threat level medium)	(Threat level low)	(Threat level high)	(Threat level high)