One key question we hear a lot is why someone would attack you. The people who attack networks and systems that do not belong to them are criminals, pure and simple. You will often hear them described in terms such as script kiddie and hacker, but why beat around the bush? They are criminals.
What Is a Hacker?
We particularly dislike the use of the term hacker to describe a criminal. We both grew up in a time before the term hacker was appropriated by misinformed journalists to describe a criminal. A hacker is someone who is genuinely interested in computers and everything about them and who knows how to manipulate the machine in sophisticated ways, often even beyond what the designers envisioned and thought possible. Webster's dictionary offers several definitions of the term hacker:
The original definition of a hacker is the former. At some point in the late 1980s a misguided journalist co-opted the term, equating it with cybercriminal. This is particularly galling for those of us who have proudly called ourselves hackers since long before the term was appropriated and used to brand computer criminals. From now on, let it be known that when we use the term hacker, it is in the original, proud sense of the word, meaning someone who loves computers and tries to learn as much as possible about them.
The vast majority of people who attack networks today are not hackers under the original definition of that term; they are merely criminals. Therefore, the real explanation of why they do these things delves into the mind of criminals, and is best answered by a psychiatrist. However, there are several relatively obvious reasons. To understand the reasons, let us first look at the types of attacks you may see.
Essentially, network attacks can be distinguished on two dimensions: passive versus active and automated versus manual. A passive attack is one that uses network tools, such as a sniffer to capture network traffic, that simply listen on the network. These tools may capture traffic that contains sensitive information.
Active attacks, by contrast, are where the attacker is actively going after the protected resource and trying to get access to it, possibly by modifying or injecting traffic into the network.
On the other dimension, we have automated attacks. The vast majority of the attacks we hear about today are automated attacks, where the attacker creates some tool that attacks a network all by itself. The tool may have some intelligence built in, but fundamentally, if the network is not configured the same way as the one the tool was written for, the tool fails. Worms are methods of automated attack. In most cases, automated attacks are based on a known vulnerability in a system. The best method of defense against an automated attack is simply to keep the system fully patched at all times and monitor your network for suspicious events or messages. That is easier said than done, but Chapter 3, "Rule Number 1: Patch Your Systems," gives you some hints on how.
A manual attack occurs when the attacker is actually executing the attack without using automated tools. In this case, the attacker is actively analyzing the network and responding to its inputs. These types of attacks are much rarer, largely because the ratio of expert attackers to networks is relatively small. When we think of an attacker breaking into a network and stealing or modifying information, we are typically thinking of a manual attack.
Crossing these two dimensions gives four types of attack, ordered roughly from least to most severe, as shown in Table 1-1.
Passive-automated: This type of attack is usually some kind of sniffer that captures particular types of data. For instance, a keystroke logger that automatically sends data to the attacker falls into this category. So does a sniffer that captures and automatically replays an authentication sequence. It is pretty unlikely that these will generate a large percentage of useful data for the attacker, and they require more skill than some of the other types that generate more access faster.
Passive-manual: In this type of attack, the attacker is just sniffing everything. A packet sniffer that logs everything falls into this category. We worry a lot about these attacks, but as discussed in Chapter 10, "Preventing Rogue Access Inside the Network," they are not nearly as important as we make them out to be. An attacker who can perpetrate these can usually, with some notable exceptions such as wireless networks, perpetrate other more serious attacks.
Active-automated: At first, it appears these attacks do not exist. How could an automated attack, such as a worm, involve an active attacker? However, this category also includes attacks by attackers who have sophisticated tools at their disposal. Most network worms fall into this category. For instance, a worm that searches for machines that are missing a particular patch, exploits it, and then uses the compromised machine to find additional targets falls into this category. Another example of this is an attack that uses thousands of hosts to target a single network to cause a denial-of-service condition. Tools now exist that can exploit hundreds, maybe even thousands, of systems at the click of a button and return information to the attacker about exactly which attacks succeeded. These attacks are very disturbing, but they are usually also very noisy. In addition, they usually rely on exploiting unpatched vulnerabilities. When doing this, the risk of crashing systems is pretty high, and that would be very noticeable.
Active-manual: This is the most worrisome attack. Many people ask how this could be more worrisome than a tool that can exploit thousands of systems at the click of a button. The reason is that if you are subject to one of these, you are up against someone with at least a basic, probably more, knowledge of systems and how to attack them in general, and your network in particular. In this type of attack, the attacker manually attacks a particular network, adjusting the techniques and tools as necessary to counter your defenses. This attacker is probably out to get you, or someone you do business with. They have the time, skill, and resources to do the job thoroughly and to hide their tracks. If the attacker behind one of these attacks is skilled, you may never even know you got attacked!
Table 1-1. The four types of attacks
Passive-automated: Hard to pull off, unlikely to generate much value
Active-automated: Reaches thousands of systems, but (relatively) easy to defeat
Passive-manual: Sometimes fruitful, but takes longer than an active attack
Active-manual: Extremely dangerous, but rarer than the others
We frequently discuss the types of attacks that worry us. It is not the first two, and to some extent, not even the third. We know pretty well how to stop worms. (Patch your stuff, and then see the discussion on isolation in Chapter 10.) We also know how to detect mass automated attacks, not to mention how well we know how to stop e-mail worms. The attack that worries us is the one where someone adds himself to your payroll system; the attack where someone gets access to all the patient records at Mass General Hospital; the attack where someone modifies all trades on the New York Stock Exchange by one cent and funnels the proceeds into a Cayman Islands bank account; the attack where someone gets access to the intercontinental ballistic missile systems and obliterates Minneapolis! Those are the types of attacks that worry us. This book is about what we need to do to protect ourselves against those types of attacks.
All the attacks can cause incredible amounts of damage. However, an active-manual attack can cause more targeted damage. An active-automated attack, in the form of a worm, is designed to cause widespread damage; but because it is designed to attack as many systems as possible, it is by necessity generic in nature. The basic principle behind worms is usually to cause the maximum amount of harm to the greatest number of people.
Thus, the damage it can inflict is often more generic. In an active-manual attack, the damage can be much more specific and designed to cause maximum harm to the current victim. There is one notable exception to this: the active-automated attack that is designed to use the maximum number of people to cause the greatest amount of harm possible to one victim. Microsoft, along with others, has been the victim of these types of attacks several times. In them, some criminal wrote a worm designed to infect as many systems as possible and then use them to disrupt access to Microsoft's Web sites. However, these attacks still pale in comparison to what a dedicated active-manual attack can do.
Generally speaking, four kinds of damage can be inflicted on a network or its data: denial of service (DoS), data destruction, information disclosure, and data modification. You will often see these discussed under the CIA acronym: confidentiality, integrity, and availability. However, data destruction and data modification, although they both fall under integrity, have vastly different consequences, and deserve to be separated. In essence, CIA fails to capture the nuances of what modern criminals do.
The simplest, and most obvious, type of damage is where an attacker slows down, or disrupts completely, the services of your infrastructure or some portion thereof. This is a typical DoS attack. The aforementioned attack on Microsoft's Web presence is an example of this type of attack. In some cases, the damage results from an attack that crashes or destroys a system. In other cases, a DoS attack can consist simply of flooding the network with so much data that it is incapable of servicing legitimate requests. In a flooding attack, it usually comes down to a matter of bandwidth or speed. Whoever has the fattest pipes or fastest computers usually wins. In other cases, particularly in the case of an automated attack, simply moving the computers to a different IP address mitigates the attack.
Of potentially much more serious consequence than a DoS attack is a data-destruction attack. In this type of attack, you are not merely prevented from accessing your resources; they are actually destroyed. Perhaps database files are corrupted, perhaps operating systems are corrupted, or perhaps information is simply deleted. Imagine if someone deleted your accounts receivable database. This type of attack can be extremely damaging, but it can be mitigated by maintaining backup copies of both data and equipment.
NOTE: You will commonly see statistics that claim that DoS attacks cause more damage than any other attack type. These statistics are probably true. However, that is because of the sheer number of those attacks, and the fact that many organizations subject to data-destruction attacks will not acknowledge that fact. If you ask yourself truthfully, you will probably choose to have your systems crash any day if the alternative is to have all your data destroyed.
Damage can also result from information disclosure. This damage may be more serious than data destruction, particularly because it is much less obvious. For instance, in February 2004, someone posted portions of Microsoft Windows source code on the Internet. This was an information-disclosure attack that involved portions of intellectual property. In a sophisticated information-disclosure attack, the victim may not know for years whether any data was disclosed. This is often the objective of government spies: to steal information such that they get an advantage while the enemy is unaware of what is happening. One extremely famous example of this happened during World War II. In 1942, the United States had accessed some of the Japanese naval codes, including the code used by Admiral Yamamoto, head of the Japanese combined fleet. The Americans knew that Yamamoto was planning an assault on a location designated as "AF." The problem was that they did not know what the designation AF meant, although they suspected it designated Midway. Commander Rochefort, of the code-breaking command at Pearl Harbor, and Captain Edwin Layton, Admiral Nimitz's fleet intelligence officer, devised a plan to determine whether AF actually did mean Midway. They sent a message via underwater line to Midway asking them to transmit a message in the clear stating that their desalination facility used to produce fresh water was broken. Shortly after the message was sent, the Japanese transmitted a new coded message indicating that AF was short on fresh water and that the conditions for an attack were favorable. Nimitz now had all the information he needed and was able to position the fleet to intercept the Japanese attack at Midway, leading to one of the most spectacular victories of World War II; a definitive turning point in the war in the Pacific.
A covert information-disclosure attack could either leave the victim with a false sense of security, or a nagging feeling of insecurity, both of which can be damaging in the long run. When information is disclosed, an attacker may be able to use it for malicious purposes. For example, confidential trade secrets can be used to undermine market share, to cause embarrassment, or to obtain access to money. Many people think that destruction of data is more damaging than an attacker reading the data, and, of course, whether it is depends on the data and whether regulatory confidentiality requirements are involved. (Some locales, notably California, now have regulatory requirements regarding confidentiality of all data, and virtually all jurisdictions are subject to regulatory confidentiality requirements of at least some data.) However, since we usually have some form of backup, disclosure is typically more severe. If you still have doubts, ask victims of identity theft whether they would rather have had the criminal destroy their bank records than steal them.
Data modification may cause the most serious damage of all. The reason, as in the case of information disclosure, is that it is very difficult to detect. For example, suppose that the perpetrators broke into your payroll system and added themselves to the payroll? How long would it take you to notice? If you work in a small organization, it probably would be discovered during the next pay period; in a company with thousands of employees, however, it may go undiscovered for years. When writing this book, we were told of a story (no word on the truth of it) about a company that made all employees come pick up their paychecks one week instead of getting them automatically deposited. Apparently, several fake employees were discovered in the process.
When the Microsoft source code mentioned earlier was discovered on the Internet, the immediate concern was whether the perpetrators had also been able to insert back doors into the source code. (This is always the concern when a large software vendor is attacked, even if, as in this case, it was not actually the vendor that was attacked. The news reports immediately stated that "there is no word yet on whether any back doors have been inserted.") Data modification can be used to cause all kinds of damage, some of which may never be discovered, and some of which may only be discovered in very rare events, when the altered data are actually put to use. If someone wants to cause huge amounts of destruction to IT systems, obviously attacking a large software vendor and modifying the source code represents an efficient way to achieve that objective. If we may say so ourselves (after all, we helped design the protection), the Microsoft source code is extraordinarily well protected. However, back doors and Trojans have been discovered in several open source projects to date. Examples from other realms can easily be constructed. Consider, for instance, what would happen if attackers modified patient blood type data in a medical database, or tax information in an accounting database, or whatever data you consider important in your line of business.
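Data modification is hard to detect only when nothing independent of the data itself records what it should look like. The following is an added example, not from the book, of the defender's counterpart to the payroll story above: a keyed integrity baseline (HMAC per record, held off the payroll system) plus reconciliation against an HR roster, which together flag a changed bank account and a ghost employee. All names, ids and the key are constructed for illustration.

```python
import hmac
import hashlib
import json

# Constructed sample data: the payroll table as it stood when the baseline was taken.
BASELINE_PAYROLL = [
    {"emp_id": 1001, "name": "A. Ahmed", "salary": 5200, "account": "ACCT-0001"},
    {"emp_id": 1002, "name": "B. Brandt", "salary": 4800, "account": "ACCT-0002"},
    {"emp_id": 1003, "name": "C. Cho", "salary": 6100, "account": "ACCT-0003"},
]

# The same table later: one payment redirected, one ghost employee added (constructed).
CURRENT_PAYROLL = [
    {"emp_id": 1001, "name": "A. Ahmed", "salary": 5200, "account": "ACCT-0001"},
    {"emp_id": 1002, "name": "B. Brandt", "salary": 4800, "account": "ACCT-9999"},
    {"emp_id": 1003, "name": "C. Cho", "salary": 6100, "account": "ACCT-0003"},
    {"emp_id": 1004, "name": "D. Ghost", "salary": 5900, "account": "ACCT-7777"},
]

# Authoritative HR roster, assumed to live on a separate system from payroll.
HR_ROSTER = {1001, 1002, 1003}


def record_tag(key: bytes, record: dict) -> str:
    """Keyed hash of a record in canonical JSON form. The key must not be
    stored on the payroll system, or an attacker could re-tag altered rows."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def build_manifest(key: bytes, records: list) -> dict:
    """Baseline: one tag per employee id, kept offline alongside the backups."""
    return {r["emp_id"]: record_tag(key, r) for r in records}


def verify(key: bytes, manifest: dict, records: list, roster: set) -> dict:
    """Compare the live table against the baseline manifest and the HR roster."""
    live = {r["emp_id"]: r for r in records}
    added = sorted(set(live) - set(manifest))
    removed = sorted(set(manifest) - set(live))
    modified = sorted(
        eid for eid in set(live) & set(manifest)
        if not hmac.compare_digest(record_tag(key, live[eid]), manifest[eid])
    )
    # Reconciliation catches ghosts even if the baseline was taken after they were added.
    not_in_hr = sorted(set(live) - roster)
    return {"added": added, "removed": removed, "modified": modified, "not_in_hr": not_in_hr}


if __name__ == "__main__":
    key = b"constructed-demo-key"  # in practice: random, stored with the offline manifest
    manifest = build_manifest(key, BASELINE_PAYROLL)
    print(verify(key, manifest, CURRENT_PAYROLL, HR_ROSTER))
    # {'added': [1004], 'removed': [], 'modified': [1002], 'not_in_hr': [1004]}
```

Run the check before each pay run; the manifest and key are only as trustworthy as the place they are kept, so they belong with the backups the text recommends, not on the system being checked.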
Viruses vs. Worms
There is a long-standing debate about what constitutes a virus and what constitutes a worm. We would much rather not enter that debate because it really is a bit like pornography: we recognize it when we see it (not that we see it very much, mind you!), and the debate over its nature is largely wasted effort anyway. However, as a very simple definition, a virus is a piece of malicious code that spreads within a machine and needs user action to spread to other machines, whereas a worm is a piece of malicious code that spreads from system to system without extraordinary user action. A more precise definition than that is immaterial to the rest of the book.
A friend of ours describes most of the victims of viruses and worms today as "roadkill." They just happen to be standing in front of the truck when it, in the form of the latest worm, comes barreling down the information superhighway. (Yes, this will be the last time we refer to the "information superhighway," and you may complain loudly if we break that promise!) Although it may be true that the person who wrote the worm was not out to attack you specifically, roadkill is still just as dead as if it had been shot with a high-precision weapon. There is an important lesson in that: Do not become roadkill. More specifically, there are some very simple things we can do, such as patching, to avoid being roadkill. If we can just avoid being creamed by the latest worm, we can devote our attention to protecting ourselves against the attacks that are actually targeting us.
Many of the people who are causing damage on our networks today are best compared to the people who spray-paint highway overpasses. They are in it for the sheer joy of destruction and to broadcast their pseudonym. They may not be out to attack you specifically. As long as they ruin someone's day, that is sufficient. In some cases, they may not actually be after you at all. They may be after the vendor from whom you purchased your software or hardware. By causing damage to you, they discredit the vendor by making it seem as if the vendor's products are more insecure or cause more problems than some other vendor's systems.
The people you really have to worry about are the ones who are directly targeting you. In some cases, they are attacking you actively only because you use some technology that they know how to take advantage of, and taking advantage of it will earn them money, fame, or prestige in a community of like-minded deviants. In other cases, they are after you because you have something they want. You may, for example, have a list of customers. If competitors steal it, they can target your customers. You may have an accounts receivable database. If someone destroys it, you do not know how much money to ask people for, and you will not get paid. You may have a payroll system. If someone destroys it, how long before your employees leave when they do not get paid?
It really does not matter what business you are in. Every organization has something that is of value to someone else. You need to consider what those things are, how much they are worth, and how much money you should spend protecting them. Think of it this way: We all have insurance. Some large companies are self-insured, but they still have to set aside money to pay for claims. Although we can buy insurance for our information technologies, we still have to take reasonable measures to protect them. In Chapter 4, "Developing Security Policies," we discuss how to analyze how much money to spend protecting information and technology assets. Until then, keep in mind that the value of technology is not the technology itself; it is what you do with it. Technology is replaceable, but the services and data you are using it for are not. If your systems are down, the services they would have rendered while they are down are lost forever.