1.4.2 Back Door
1.4.4 Man in the Middle
1.4.6 TCP/IP Hijacking
1.4.9 Social Engineering
1.4.11 Password Guessing
18.104.22.168 Brute Force
1.4.12 Software Exploitation
1.5 Malicious Code
1.5.2 Trojan Horses
1.5.3 Logic Bombs
1.6 Social Engineering
1.7 Auditing – Logging, system scanning
The threat of attack to your network, servers, and workstations can come from many different places. Your job is to implement and maintain measures that can help keep your systems safe from attack. There is a running battle between the people who want to attack your systems and the people who make products and services to help protect your system. Unfortunately, your network and systems is the battlefield.
In this chapter, we will look at the different types of attacks, as well as the reasons that your network is vulnerable. The vulnerabilities you must deal with are a result of the
occurs when an individual or a
Attacks occur in many different ways and for different reasons. These attacks
An access attack is one in which someone wants access to your resources.
denial of service attack
is one in which someone wants to
The people attacking you may be attacking you for the fun of it, they may be criminals attempting to steal from you, or they can be individuals or groups who are using this attack to make a political statement or commit an act of terrorism. In any event, your job is to protect the people you work with from these acts of aggression. You are, in many cases, the only person in your organization charged with the responsibility of repulsing these attacks.
This section deals with the general types of attacks you will see.
The goal of an access attack is straightforward. Access attacks are an attempt to gain access to information that the attacker is not authorized to have. These types of attacks focus on breaching the confidentiality of information. These attacks occur either through internal or external access. These attacks also occur when physical access to the information is possible.
is a very common physical access method. Companies generate a huge amount of paper in the normal course of events. Most of the information eventually winds up in dumpsters or recycle
A second common method used in access attacks is to capture information en route between two systems. Some common types of these access attacks include:
Eavesdropping Eavesdropping is the process of listening in or overhearing
partsof a conversation. Eavesdropping also includes attackerslistening in on your network traffic. This type of attack is generally passive. A coworker may overhear your dinner plans because your speakerphone is set too loud. Eavesdropping is a passive process in which the opportunity to overhear a conversation meets the carelessness of the parties in the conversation.
Snooping Snooping occurs when someone looks through your files in the hopes of finding something interesting. These files may be either electronic or paper. In the case of physical snooping, people might inspect your dumpster, recycling bins, or even your file
cabinets. Computer snooping, on the other hand, involves someone searching through your electronic files trying to find something interesting.
Interception Interception can be both an active or passive process. In a networked environment, a passive interception would involve someone who routinely
monitorsnetwork traffic. Active interception might include puttinga computer system between the sender and receiver to capture information as it is sent. From the perspective of interception, this process is a covert process. The last thing a person on an intercept mission wants is to be discovered. Intercept missions can occur for years, without the knowledge of the intercepted parties.
Government agencies routinely run intercept missions to gather intelligence about the capabilities and locations of enemies. The FBI has several products that they install on ISPs to gather and process e-mail looking for keywords. These keyword searches become the basis of an investigation.
The major difference in these types of attacks is how they are accomplished. The ultimate objective is to gain access to information that is not authorized.
Modification attacks change or modify information in an unauthorized manner. These attacks are similar to access attacks in that these attacks require access to information on servers. The motivation for this type of attack may be to plant information, change grades in a class, fraudulently alter credit card records, or any number of other reasons. A variation of a modification attack is a repudiation attack.
Modification attacks involve the deletion, insertion, or alteration of information in a manner that appears
make data or information that is used invalid or misleading, which can be even
A common type of repudiation attack would involve a customer who claims that they never received a service for which they were billed. In this situation, the
Denial of service
) attacks prevent access to resources by users authorized to use those resources. An attacker may attempt to bring down an e-commerce website to prevent or deny usage by
Several different types of attacks can occur in this category. These attacks can deny access to information, applications, systems, or communications. In a DoS attack on an application, the attack may bring down the website while the communications and systems continue to
An attack that is similar in objective is called a Distributed Denial of Service Attack. This type of attack amplifies the concepts of a DoS by using multiple computer systems to conduct the attack.
A relatively new type of DoS attack called a Distributed Denial of Service Attack (DDoS) uses multiple computers to attack a single organization. These attacks exploit the inherent weaknesses of dedicated networks such as DSL and cable. These permanently attached systems do not usually have much, if any, protection. An attacker can load an attack program onto dozens or even hundreds of computer systems that use DSL or cable modems. The attack program will lay
Figure 2.1: Distributed Denial of Service attack
The nasty part of this type of attack is that the machines used to carry out the attack belong to normal computer users. The attack gives no special warning to those users. When the attack is complete, the attack program may remove itself from the system or
In general, there is very little you can do to prevent DoS or DDoS attacks. Your best method of dealing with these types of attacks involves countermeasures and prevention. Many operating systems are particularly susceptible to these types of attacks. Fortunately, most operating system manufacturers have implemented updates to minimize the effects of these types of attacks. Make sure that your operating system and the applications you use are up to date and current.
The common attacks that are
The second type of back door refers to the entry and placement of a program or utility into a network that creates a back door for an attacker. These attacks are initiated by gaining access to a network and inserting a program or utility that creates the back door for the attacker. The program may allow a certain user ID to log on without a password, or gain administrative privileges. Figure 2.2 shows how a back door attack can be used to bypass the security of a network. In this example, the attacker is using a back door program to utilize resources or steal information.
Figure 2.2: A back door attack in progress
In either case, this attack is usually used as either an access or modification attack. A number of tools exist to create back door attacks on systems. One of the more popular tools used to create backdoors is Back Orifice. Back Orifice has been updated to work with Windows 2000. Another popular backdoor program is NetBus. Fortunately, a lot of conventional antivirus software will detect and block these types of attacks.
Back Orifice and NetBus are remote administration tools used by attackers to take control of Windows systems. These packages are typically installed using a Trojan Horse program. BO and NetBus allow a remote user to take full control of the systems that have these applications installed. Back Orifice and NetBus run on all of the current Windows operating systems.
is simply an attempt by someone or something to masquerade as someone else. This type of attack is usually
Figure 2.3: A spoofing attack during logon
The important point to remember is that a spoofing attack is accomplished to trick something or someone into thinking something legitimate is occurring.
Man in the middle attacks
tends to be fairly sophisticated. This type of attack is also an access attack, but it can be used as the starting point for a modification attack. The method used in these attacks places a piece of software between a server and the user. The software intercepts and then sends the information to the server. The server responds back to the software, thinking it is the legitimate client. The attacking software then sends this information on to the server, etc. The man in the middle software may be recording this information, altering it, or in some other way
Figure 2.4: A man in the middle attack occurring between a client and a web server
are becoming quite common. These attacks occur when information is captured over a network. Replay attacks are used for access or modification attacks. In a distributed environment, logon and password information is sent between the client and the authentication system. The attacker can capture this information and replay it again later. This can also occur with security certificates from systems such as Kerberos. The attacker resubmits the certificate hoping to be
Figure 2.5: A replay attack occurring
If this attack is successful, the attacker will have all of the rights and privileges from the original certificate. This is the primary reason that most certificates contain a unique session identifier and a time stamp. If the certificate has
attacks occur when an account is attacked repeatedly. This is accomplished by sending possible passwords to the account being
Brute Force Attack A brute force attack is an attempt to guess passwords until a successful guess occurs. This type of attack usually occurs over a long period. Passwords should be longer than two or three
characters. This makes it more difficult to guess a password.
Dictionary Attack A dictionary attack is an attack which uses a dictionary of common words to attempt to find the password of a user. Dictionary attacks can be automated, and several tools exist in the public domain to execute a dictionary attack.
Some systems will identify whether an account ID is valid and whether the password is wrong. Giving the attacker a clue as to a valid account