Computers can be attacked in many different ways. A determined attacker can target your company with a low-tech social-engineering attack or with a more technical one such as cross-site scripting. Depending on the attacker's motives, a successful attack can do a huge amount of damage.
Keystroke logging is an attack that is accomplished with software or with hardware devices. Either kind can record everything a person types, including usernames, passwords, and account information. The hardware version is usually installed while the user is away from the desk. Hardware keystroke loggers cannot be detected by software running on the host; their physical presence is the only sign, and even that is easily overlooked because they resemble a balun or an extension cable. How many people do you know who pay close attention to the plugs on the back of their computer? Who even looks back there?
The software version is essentially a shim that sits between the operating system and the keyboard. Most of these programs are very simple, but some are more complex and can even email the logged keystrokes to a preconfigured address. What they all have in common is that they operate in stealth mode, and they are a serious threat to confidentiality.
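One practical check for the software kind on a Linux host, added here as an example and not taken from the book: a user-space keylogger that reads the keyboard through the evdev interface must hold a file descriptor on /dev/input/event*, and /proc exposes every open descriptor as a symbolic link. Listing the processes that hold such descriptors and comparing them against the handful of processes that legitimately read input (the display server and session manager) surfaces unexpected readers. The allowlist of process names and the fake /proc tree built for the demonstration are assumptions constructed for this example.

```python
"""List processes holding /dev/input/event* open and flag ones outside an allowlist.

Added example (Linux only). Real use: run as root and call find_input_readers("/proc").
The demo builds a constructed /proc look-alike in a temp directory so it runs offline.
"""
import os
import tempfile

# Assumption: these are the only processes expected to read raw input devices on a
# typical desktop. Adjust to the host's actual input stack before relying on it.
ALLOWED_READERS = {"Xorg", "Xwayland", "systemd-logind", "gnome-shell", "kwin_wayland", "sway"}


def find_input_readers(proc_root="/proc"):
    """Map pid -> (process name, set of /dev/input/event* paths it has open)."""
    readers = {}
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        pid_dir = os.path.join(proc_root, entry)
        try:
            fds = os.listdir(os.path.join(pid_dir, "fd"))
        except OSError:
            continue  # no permission (not root) or the process already exited
        devices = set()
        for fd in fds:
            try:
                target = os.readlink(os.path.join(pid_dir, "fd", fd))
            except OSError:
                continue
            if target.startswith("/dev/input/event"):
                devices.add(target)
        if devices:
            try:
                with open(os.path.join(pid_dir, "comm")) as f:
                    name = f.read().strip()
            except OSError:
                name = "?"
            readers[int(entry)] = (name, devices)
    return readers


def suspicious_readers(readers, allowlist=ALLOWED_READERS):
    """Keep only readers whose process name is not in the allowlist."""
    return {pid: info for pid, info in readers.items() if info[0] not in allowlist}


def build_demo_proc(root):
    """Constructed /proc layout: Xorg (pid 812) and an unknown 'kbd' (pid 4242) both hold event3."""
    layout = [
        (1, "systemd", ["/dev/null"]),
        (812, "Xorg", ["/dev/input/event3", "/dev/pts/0"]),
        (4242, "kbd", ["/dev/input/event3"]),
    ]
    for pid, name, targets in layout:
        fd_dir = os.path.join(root, str(pid), "fd")
        os.makedirs(fd_dir)
        with open(os.path.join(root, str(pid), "comm"), "w") as f:
            f.write(name + "\n")
        for i, target in enumerate(targets):
            os.symlink(target, os.path.join(fd_dir, str(i)))  # dangling link is fine


def demo():
    """Run the check against the constructed tree; returns the flagged readers."""
    with tempfile.TemporaryDirectory() as root:
        build_demo_proc(root)
        return suspicious_readers(find_input_readers(root))


if __name__ == "__main__":
    print("demo:", demo())
    print("this host:", suspicious_readers(find_input_readers()))
```

The check is only as good as the allowlist, and it sees only user-space readers of evdev; a kernel-module keylogger, or one that hooks the X server via the XRecord extension, holds no such descriptor and needs a different check.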
Before you attempt any type of keystroke monitoring, check with your organization's legal department. Most state laws and federal law require that each user of the computer be notified of such monitoring; otherwise, you could be breaking the law.
Closely related to keystroke logging, wiretapping is used to eavesdrop on voice calls. A variety of tools is available to attackers for this purpose; even scanners that no longer support cordless-phone sniffing can be hacked or rewired to add that functionality. Wiretapping is illegal in the United States without a court order. Another related type of passive attack is sniffing. Sniffing operates on the same principle as wiretapping but is performed on data lines. The danger of both wiretapping and sniffing is that they are hard to detect.
A traffic-analysis attack is a form of sniffing attack in which the data itself is encrypted, so the attacker cannot read the content. By observing the victim's activities and analyzing traffic patterns (who communicates with whom, how often, and how much), the attacker can still draw certain inferences. For example, if an attacker observes a financially strong company exchanging a large volume of traffic with a financially weak company, the attacker might infer that they are discussing a merger.
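The merger inference above, worked through on flow metadata as an added example (not from the book): the records carry only source, destination, byte count and day, as if the payloads were all encrypted, and the only signal is how much the two organizations' address blocks talk to each other compared with a baseline. The organization names, address blocks and flow records are constructed for the example.

```python
"""Traffic analysis from flow metadata alone (added example; all data constructed).

No payload is inspected: each record is (day, src_ip, dst_ip, bytes), which is what a
sniffer sees of an encrypted session. The analysis maps addresses to organizations,
sums bytes per organization pair, and flags pairs whose daily volume jumps versus baseline.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed (hypothetical) organizations and the public blocks they announce.
ORGS = {
    "StrongCo": ip_network("203.0.113.0/24"),
    "WeakCo": ip_network("198.51.100.0/24"),
    "Other": ip_network("192.0.2.0/24"),
}

# Constructed flow records. Days 1-5 are the baseline; on days 6-7 the two companies start talking.
FLOWS = [
    (1, "203.0.113.10", "192.0.2.5", 120_000),
    (1, "203.0.113.11", "198.51.100.8", 4_000),
    (2, "203.0.113.10", "192.0.2.5", 110_000),
    (3, "198.51.100.8", "203.0.113.11", 3_000),
    (4, "203.0.113.10", "192.0.2.7", 130_000),
    (5, "203.0.113.11", "198.51.100.8", 5_000),
    (6, "203.0.113.11", "198.51.100.8", 90_000),
    (6, "198.51.100.9", "203.0.113.12", 70_000),
    (7, "203.0.113.11", "198.51.100.8", 160_000),
    (7, "203.0.113.10", "192.0.2.5", 115_000),
]


def org_of(ip):
    """Resolve an address to the organization whose block contains it."""
    addr = ip_address(ip)
    for name, net in ORGS.items():
        if addr in net:
            return name
    return "Unknown"


def volume_by_pair(flows, days):
    """Total bytes per unordered organization pair, counting only flows on the given days."""
    totals = defaultdict(int)
    for day, src, dst, nbytes in flows:
        if day not in days:
            continue
        pair = tuple(sorted((org_of(src), org_of(dst))))  # direction does not matter here
        totals[pair] += nbytes
    return dict(totals)


def daily_average(flows, days):
    """Average bytes per day for each pair over the given days."""
    return {pair: total / len(days) for pair, total in volume_by_pair(flows, days).items()}


def flag_changes(flows, baseline_days, window_days, factor=5.0):
    """Pairs whose recent daily volume is at least `factor` times their baseline (or had none).

    Returns {pair: (baseline_rate, recent_rate)} for the flagged pairs.
    """
    base = daily_average(flows, baseline_days)
    recent = daily_average(flows, window_days)
    flagged = {}
    for pair, rate in recent.items():
        base_rate = base.get(pair, 0.0)
        if base_rate == 0.0 or rate / base_rate >= factor:
            flagged[pair] = (base_rate, rate)
    return flagged


if __name__ == "__main__":
    for pair, (before, after) in flag_changes(FLOWS, {1, 2, 3, 4, 5}, {6, 7}).items():
        print(f"{pair[0]} <-> {pair[1]}: {before:.0f} B/day -> {after:.0f} B/day")
```

Encryption hides what was said, not that it was said. The usual countermeasures against this inference are padding and cover traffic (a constant-rate link between the two sites, for instance) or routing through a mix or onion network so that the observable endpoints are not the real ones.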
Spoofing attacks are those in which the attacker assumes a false identity, either to avoid capture or to trick someone into believing he is someone else. Some examples are described here:
ARP spoofing, in which the attacker sends forged ARP replies so that a victim's IP-to-MAC mapping points at the attacker's hardware address, is considered a local area network (LAN) attack because hardware addresses do not pass through routers.
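Because the forged replies never leave the LAN, the place to catch them is a host or sensor on that segment watching the replies go by. The detector below is an added example, not from the book: it keeps the IP-to-MAC mapping it has seen and raises an alert when an IP changes hardware address or when one hardware address starts answering for several IPs (the classic gateway-and-victim pair of a man-in-the-middle). The ARP replies, the addresses and the choice of 10.0.0.1 as gateway are constructed for the example.

```python
"""Detect ARP spoofing from a stream of ARP replies (added example; constructed data)."""
from collections import defaultdict

# Constructed ARP replies as (seconds, sender_ip, sender_mac). 10.0.0.1 is the assumed gateway.
ARP_REPLIES = [
    (0.0, "10.0.0.1", "00:11:22:33:44:01"),
    (1.0, "10.0.0.20", "00:11:22:33:44:20"),
    (2.0, "10.0.0.21", "00:11:22:33:44:21"),
    (30.0, "10.0.0.1", "00:11:22:33:44:21"),   # host .21's MAC now claims the gateway IP
    (31.0, "10.0.0.20", "00:11:22:33:44:21"),  # ...and the victim's IP: both sides of a MITM
    (60.0, "10.0.0.1", "00:11:22:33:44:01"),   # real gateway re-announces itself
]


def detect_arp_spoofing(replies, protected_ips=("10.0.0.1",)):
    """Return a list of alert dicts; `protected_ips` (e.g. the gateway) escalate severity."""
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    alerts = []
    for t, ip, mac in replies:
        mac = mac.lower()
        prev = ip_to_mac.get(ip)
        if prev is not None and prev != mac:
            alerts.append({
                "time": t, "kind": "ip_mac_changed", "ip": ip, "old": prev, "new": mac,
                "severity": "critical" if ip in protected_ips else "warning",
            })
        ip_to_mac[ip] = mac
        mac_to_ips[mac].add(ip)
        if len(mac_to_ips[mac]) > 1:
            alerts.append({
                "time": t, "kind": "mac_claims_multiple_ips", "mac": mac,
                "ips": tuple(sorted(mac_to_ips[mac])), "severity": "warning",
            })
    return alerts


def first_critical(alerts):
    """The earliest critical alert, or None; useful as the trigger for an investigation."""
    for a in alerts:
        if a["severity"] == "critical":
            return a
    return None


if __name__ == "__main__":
    for a in detect_arp_spoofing(ARP_REPLIES):
        print(a)
```

A legitimate event, such as a replaced NIC or a failover between redundant gateways, also changes an IP's MAC, so the alert is a prompt to look, not proof of attack. Static ARP entries for the gateway on critical hosts, and Dynamic ARP Inspection on switches that support it, stop the forged replies from taking effect rather than merely reporting them.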
Manipulation attacks can use different methods, but they have the same goal: manipulating data to steal money, embezzle funds, or change values. Some common forms of these attacks include the following:
Social engineering predates the computer era. It is much like an old-fashioned con game, in that the attacker uses the art of manipulation to trick a victim into providing private information or improper access. P. T. Barnum once said, "There's a sucker born every minute"; unfortunately, he was right.
One common social-engineering attack, now known as phishing, has targeted eBay, Hotmail, PayPal, and Citibank users. The attacker sends an official-sounding email asking users to verify their Internet password via return mail. When they do so, their passwords go to the attacker, who can then access the accounts at will. Another common social-engineering hack is to call an organization's help desk and pretend to be a high-ranking officer. A junior help desk employee can often be bullied or scared into giving out a password or other important information.
The best defense against social engineering is to educate your users and staff never to give out passwords and user IDs over the phone, via email, or to anyone who has not been positively verified as being who they say they are. Training can go a long way toward teaching employees how to spot these scams.
Plenty of valuable information can be stolen the low-tech way. One popular technique is to retrieve passwords and other information by dumpster diving and looking for scraps of paper used to write down important numbers and then thrown in the trash. Although this is not typically illegal, it is considered an unethical practice.
Figure 10.1. Dumpster diving.
Dumpster diving might not be considered illegal, but it is considered unethical.
The CISSP Cram Sheet
A Note from Series Editor Ed Tittel