Many threats to network security exist. Attackers are opportunistic and typically take the path of least resistance. This means they choose the most convenient route and exploit the most well-known flaw. Threats to network security can include denial-of-service attacks, disclosure, and destruction or alteration of information.
DoS Attacks
Denial-of-service (DoS) attacks are often a last-ditch effort by malicious users to bring down a network. The thought process is that if they cannot have access to the network, no one else should, either. Some common DoS attacks include these:
- Ping of death: An oversized packet is illegal but can still be delivered when fragmentation is used. When the fragments are reassembled at the receiving end into a complete packet, the result can overflow a buffer on some systems.
- Smurf: Uses a spoofed ping packet addressed to the broadcast address, with the source address set to the victim. The victim is then flooded with ping responses from every host on the segment.
- Teardrop: Sends malformed packets whose fragmentation offset values are tweaked so that the received fragments overlap. These overlapping fragments crash or lock up the receiving system, thereby causing a denial of service.
- Land: Sends a packet with the same source and destination port and IP address. The receiving system typically does not know how to handle these malformed packets, so the system freezes or locks up, thereby causing a denial of service.
- SYN flood: Instead of targeting the Internet Control Message Protocol (ICMP) or Internet Protocol (IP), a SYN flood disrupts the Transmission Control Protocol (TCP) by sending a large number of fake packets with the SYN flag set. This fills the connection buffer on the victim's system and prevents it from accepting legitimate connections.
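As an added example (not from the original text), a small Python detector that applies the signatures above to a constructed list of decoded packet summaries; the record field names, the /24 directed-broadcast assumption and the SYN threshold are assumptions of this example, not values from the text.

```python
from collections import Counter

MAX_IP_DATAGRAM = 65535       # largest legal reassembled IPv4 datagram, in bytes
SYN_THRESHOLD = 50            # bare SYNs to one dst:port before we call it a flood (assumed)
BROADCAST_SUFFIX = ".255"     # assumption: /24 subnets, so x.y.z.255 is directed broadcast

# Constructed sample records, one decoded IPv4 datagram each (frag_off in bytes).
PACKETS = [
    {"proto": "tcp", "src": "10.0.0.5", "dst": "10.0.0.5", "sport": 139, "dport": 139,
     "flags": {"SYN"}, "id": 1, "frag_off": 0, "len": 40, "mf": False},          # Land
    {"proto": "icmp", "type": 8, "src": "10.0.0.9", "dst": "10.0.0.255",
     "id": 2, "frag_off": 0, "len": 64, "mf": False},                            # Smurf
    {"proto": "udp", "src": "10.0.0.7", "dst": "10.0.0.9",
     "id": 77, "frag_off": 0, "len": 36, "mf": True},                            # Teardrop
    {"proto": "udp", "src": "10.0.0.7", "dst": "10.0.0.9",
     "id": 77, "frag_off": 24, "len": 36, "mf": False},                          # (overlaps)
    {"proto": "icmp", "type": 8, "src": "10.0.0.8", "dst": "10.0.0.9",
     "id": 90, "frag_off": 65520, "len": 40, "mf": False},                       # Ping of death
] + [
    {"proto": "tcp", "src": f"198.51.100.{i}", "dst": "10.0.0.9", "sport": 40000 + i,
     "dport": 80, "flags": {"SYN"}, "id": 100 + i, "frag_off": 0, "len": 40, "mf": False}
    for i in range(1, 60)                                                        # SYN flood
]

def detect(packets):
    """Return (signature, detail) alerts for the DoS patterns described above."""
    alerts, syn_counts, frags = [], Counter(), {}
    for p in packets:
        # Land: identical source/destination address and port
        if p["proto"] == "tcp" and p["src"] == p["dst"] and p["sport"] == p["dport"]:
            alerts.append(("land", p["src"]))
        # Smurf: ICMP echo request aimed at a broadcast address; the spoofed source is the victim
        if p["proto"] == "icmp" and p.get("type") == 8 and p["dst"].endswith(BROADCAST_SUFFIX):
            alerts.append(("smurf", p["src"]))
        # SYN flood: count bare SYNs per destination socket and alert once at the threshold
        if p["proto"] == "tcp" and p["flags"] == {"SYN"}:
            key = (p["dst"], p["dport"])
            syn_counts[key] += 1
            if syn_counts[key] == SYN_THRESHOLD:
                alerts.append(("syn_flood", key))
        # Fragment checks: ping of death (oversize reassembly) and teardrop (overlapping fragments)
        if p["frag_off"] or p["mf"]:
            if p["frag_off"] + p["len"] > MAX_IP_DATAGRAM:
                alerts.append(("ping_of_death", p["src"]))
            seen = frags.setdefault((p["src"], p["dst"], p["id"]), [])
            if any(p["frag_off"] < off + ln and off < p["frag_off"] + p["len"] for off, ln in seen):
                alerts.append(("teardrop", p["src"]))
            seen.append((p["frag_off"], p["len"]))
    return alerts
```

Calling detect(PACKETS) on the constructed sample yields one alert per signature, in the order land, smurf, teardrop, ping_of_death, syn_flood.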
Disclosure Attacks
Disclosure attacks seek to gain access to systems and information that should not be available to unauthorized individuals. As a CISSP candidate, you should be aware of these attacks and their potential effects. They include the following:
- Sniffing: This rather passive form of attack requires that the attacker gain some type of access to the network. It is easy to perform if the network uses hubs. The goal is to uncover sensitive information, which is made possible by the fact that many protocols, such as the File Transfer Protocol (FTP), Telnet, and the Simple Mail Transfer Protocol (SMTP), send usernames and passwords in clear text.
- ARP poisoning: This attack is usually used to redirect traffic on a switch. Because switches do not send all traffic to all ports as a hub does, attackers must use ARP poisoning techniques to put themselves in the middle of a data exchange. Once this has been achieved, the attacker can attempt a series of attacks, including sniffing and interception of confidential information.
- DNS spoofing: Much like ARP poisoning, this attack attempts to poison the domain name service (DNS) process. Individuals who succeed have their fake DNS entry placed into the victim's DNS cache. Victims can then be redirected to the wrong Internet sites.
- Pharming attack: Pharming exploits are another type of attack that misuses the DNS protocol. Normally DNS is responsible for translating domain names into IP addresses. Pharming attacks hijack DNS and force it to redirect Voice over IP (VoIP) or other traffic to a location of the attacker's choice. This allows the attacker to gain control of VoIP calls, which means that your phone call might no longer be private and could be monitored.
- Phishing attack: This social-engineering attack attempts to lure victims into disclosing confidential information. The attacker typically tries to trick the victim by sending a fake email that appears to be from a legitimate bank or e-commerce vendor. The supplied link to the organization's website appears real but is actually hosted by the attackers.
- War dialing: This old-school attack is based on the premise that if the attacker can successfully connect to the victim's modem, he might be able to launch an attack. War-dialing programs work by dialing a predetermined range of phone numbers in the hope of finding one that is connected to an open modem. The threat of war dialing is that the compromised host acts as a gateway between the network and the Internet.
- War driving: War driving (or war flying, boating, or walking) is the practice of moving around an area to find wireless access points. Many individuals who perform this activity look specifically for unsecured wireless networks to exploit. The primary threat is that these individuals might then have a direct connection to your internal network or unrestricted Internet access.
- Spyware: Spyware is a broad category of illicit programs that can be used to monitor Internet activity, redirect you to specific sites, or barrage you with pop-up ads. Spyware is usually installed on a computer through some form of browser hijacking or when a user downloads a program that has the spyware bundled with it. Spyware typically works by tracking and sending data and statistics via a server installed on the victim's computer. Spyware programs can result in a loss of confidentiality.
- Viruses/worms: These programs are created specifically to invade computers and networks and wreak havoc on them. Some display only cryptic messages on the victim's machine, whereas others are capable of disclosing information, altering files, or informing others so that they can victimize your computer. The big difference between viruses and worms is that viruses cannot replicate themselves. Worms are self-replicating and can spread so quickly that they clog networks and cause denial of service.
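ARP poisoning, as described above, shows up on the wire as replies nobody asked for and as IP-to-MAC bindings that change. The following Python audit, added here and not part of the original text, walks a constructed ARP event log and raises the alerts a defender would want; the event tuple layout and the one-second request window are assumptions of this example.

```python
# Constructed ARP events: (timestamp_s, op, sender_ip, sender_mac, target_ip).
ARP_EVENTS = [
    (1.0, "request", "10.0.0.9", "aa:aa:aa:aa:aa:09", "10.0.0.1"),
    (1.1, "reply",   "10.0.0.1", "aa:aa:aa:aa:aa:01", "10.0.0.9"),  # gateway answers normally
    (2.0, "request", "10.0.0.9", "aa:aa:aa:aa:aa:09", "10.0.0.1"),
    (2.1, "reply",   "10.0.0.1", "aa:aa:aa:aa:aa:01", "10.0.0.9"),
    (5.0, "reply",   "10.0.0.1", "bb:bb:bb:bb:bb:66", "10.0.0.9"),  # unsolicited, new MAC for gateway
    (5.1, "reply",   "10.0.0.9", "bb:bb:bb:bb:bb:66", "10.0.0.1"),  # same MAC now also claims the host
]

def audit_arp(events, request_window=1.0):
    """Return alerts for unsolicited replies, changed bindings and one MAC claiming many IPs.

    The first MAC learned for an IP is kept as the trusted binding (arpwatch-style);
    request_window is how long a reply may trail a matching request before it counts
    as unsolicited (assumed value)."""
    bindings = {}   # ip -> first mac seen in a reply
    pending = {}    # (requester_ip, target_ip) -> time of the last request
    claims = {}     # mac -> set of IPs it has answered for
    alerts = []
    for ts, op, sip, smac, tip in events:
        if op == "request":
            pending[(sip, tip)] = ts
            continue
        # A reply with no recent matching request is the classic poisoning vector
        asked = pending.get((tip, sip))
        if asked is None or ts - asked > request_window:
            alerts.append(("unsolicited_reply", sip, smac))
        # The IP-to-MAC binding differs from what was learned earlier
        if sip in bindings and bindings[sip] != smac:
            alerts.append(("mac_changed", sip, bindings[sip], smac))
        bindings.setdefault(sip, smac)
        # One MAC answering for several IPs is what a man-in-the-middle looks like
        claims.setdefault(smac, set()).add(sip)
        if len(claims[smac]) > 1:
            alerts.append(("multi_ip_mac", smac, sorted(claims[smac])))
    return alerts
```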
Destruction, Alteration, or Theft
The destruction, alteration, or theft of data represents a serious threat to the security of the organization. These attacks cut to the heart of the organization by compromising a network and accessing items such as databases that contain credit card information. Even if regulatory requirements do not hold the organization liable, there is still the possibility of a serious public relations problem if one of these attacks occurs: