Intrusion Methods and Techniques


Most organizations today have opened their systems or a portion of their systems to partners, vendors, and the general public. The explosive growth of the Internet has enabled organizations to provide information, sell goods and services, exchange and update information, and transmit data between geographically dispersed offices. This "openness" provides the perfect opportunity for hackers or intruders to gain unauthorized access to private networks and data.

The terms hacker and cracker are commonly used today to describe individuals who use either social engineering or technical skills to gain unauthorized access to networks. In the not-too-distant past, a hacker was someone who was interested in the way things worked (such as computers and programs) and used skills to find out very detailed information on what made them tick. These individuals, called hackers, were not malicious, but curious. Today the term hacker refers to an individual who is trying to gain unauthorized access to or compromise the integrity and availability of computer systems and data. For the purposes of this book, we replace the term hacker with the term intruder because it is more appropriate. Intruders can be either internal or external to the organization and might try to gain access to systems with the intent of causing harm to the systems or data, invading others' privacy, or stealing proprietary information. The IS auditor should understand both the internal and external risks to ensure that proper security controls are in place to protect the organization's assets.

Passive and Active Attacks

Intruders have access to detailed instructions, tools, and methods via the Internet. Intruders use this collection of information and programs to gain a better understanding of an organization's computer systems and network topology, and to circumvent access controls. Attack types include both passive and active attacks, and can be either internal or external to the organization's network. Passive attacks are generally used to probe network devices and applications, in an attempt to learn more about the vulnerabilities of those systems. An intruder might utilize scanning tools, eavesdropping, and traffic analysis to create a profile of the network:

  • Scanning This attack uses automated tools to scan systems and network devices, to determine which systems are on the network and which network ports (services) are listening on those systems.

  • Eavesdropping In this attack, also known as sniffing or packet analysis, the intruder uses automated tools to collect packets on the network. These packets can be reassembled into messages and can include email, names and passwords, and system information.

  • Traffic analysis In traffic analysis, an intruder uses tools capable of monitoring network traffic to determine traffic volume, patterns, and start and end points. This analysis gives intruders a better understanding of the communication points and potential vulnerabilities.


Traffic analysis is a passive attack method intruders use to determine potential network vulnerabilities.


Active attacks involve using programs to either bypass access controls or negatively impact the availability of network devices and services. Active attacks include brute-force attack, masquerading, packet replay, message modification, unauthorized access through the Internet or web-based services, denial of service, dial-in penetration attacks, email bombing and spamming, and email spoofing:

  • Brute-force attack An intruder uses automated tools and electronic dictionaries to try to guess user and system passwords. These automated tools try thousands of words or character combinations per hour in an attempt to gain unauthorized access to the system.

  • Denial of service Any method an intruder uses to hinder or prevent the delivery of information services to authorized users is considered a denial-of-service (DoS) attack. As an example, an intruder inundates (floods) the system with requests. In the process of responding to a high volume of requests, the system is rendered useless to authorized users. These types of attacks generally intend to exhaust all available CPU or memory.

    The "ping of death" is a common denial-of-service (DoS) attack that entails sending a ping with a packet size larger than 65Kb and the "no fragmentation" flag set. When the system receives an oversize packet that exceeds the acceptable length (larger than 65Kb), it can freeze, reboot, or crash.

  • Spamming Spam is common on the Internet today; spamming, or email bombing, is the act of sending messages in bulk. Spamming can be used to overload individual mailboxes on servers, which fills up the hard drives and causes system freezes and crashes.

When an intruder gains access to the system, he might tamper with existing programs to add a Trojan horse. A Trojan horse is a program that masquerades as another program or is even embedded within a program. Trojan horse programs or code can delete files, shut down the systems, or send system and network information to an email or Internet address. Trojan horse programs are a common form of Internet attack.

In addition to active and passive attacks, intruders might use social engineering to gain information that opens access to physical facilities and network systems. Social engineering is the use of psychological tricks on authorized users to gain access. Intruders might use techniques such as telephoning authorized users while posing as help-desk personnel, to coerce an authorized user into divulging his password. Social engineering is the art of using social "con" skills to obtain passwords without the use of computer tools or programs.


Using social skills to obtain unauthorized access to company assets is called social engineering. Security-awareness programs are used to address the risk of unauthorized access resulting from social engineering attacks.


Viruses

A virus is a computer program that infects systems by inserting copies of itself into executable code on a computer system. In addition to damaging computer systems through reconfiguration and file deletion, viruses are self-replicating, similar to a biological virus. When executed, a virus spreads itself across computer systems. A worm is another type of computer program that is often incorrectly called a virus. The difference between a virus and a worm is that the virus relies on the host (infected) system for further propagation because it inserts itself into applications or programs so that it can replicate and perform its functions. Worms are malicious programs that can run independently and can propagate without the aid of a carrier program such as email. Worms can delete files, fill up the hard drive and memory, or consume valuable network bandwidth.

Viruses come in many shapes and sizes. As an example, the polymorphic virus has the capability of changing its own code, enabling it to have many different variants. The capability of a polymorphic virus to change its signature pattern enables it to replicate and makes it more difficult for antivirus systems to detect it. Another type of malicious code is a logic bomb, which is a program or string of code that executes when a sequence of events or a prespecified time or date occurs. A stealth virus is a virus that hides itself by intercepting disk access requests.

Adopting and communicating a comprehensive antivirus policy is a fundamental step in preventing virus attacks. Antivirus software is considered a preventive control. Antivirus software products are applications that detect, prevent, and sometimes remove all the virus files located within a computing system. IS auditors should look for the existence of antivirus programs on all systems within the organization. In addition, users within the IT infrastructure should understand the risks of downloading programs, code, and ActiveX and Java applets from unknown sources. The primary risk associated with virus programs is their ability to replicate across a variety of platforms very quickly.

Integrity checkers are programs that detect changes to systems, applications, and data. Integrity checkers compute a binary number for each selected program called a cyclic redundancy check (CRC). When initially installed, an integrity checker scans the system and places these results in a database file. Before the execution of each program, the checker recomputes the CRC and compares it to the value stored in the database. If the values do not match, the program is not executed because the integrity checker has determined that the application file might have been modified. Similar to antivirus programs, integrity checkers can be used to detect and prevent the use of virus-infected programs.
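The baseline-then-compare cycle described above, written out as an added example (not code from the book or from any integrity-checker product): a baseline database of CRC-32 values is built once, and each program's CRC is recomputed and compared before it is allowed to run. The file names and program bytes are constructed for the walkthrough.

```python
import json
import tempfile
import zlib
from pathlib import Path

def crc32_of_file(path):
    """Compute the CRC-32 of a file in chunks: the 'binary number' the checker stores.
    Note: CRC-32 catches accidental and casual change, but it is not collision resistant;
    a modern checker would use a cryptographic hash (e.g. hashlib.sha256) instead."""
    crc = 0
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            crc = zlib.crc32(chunk, crc)
    return crc & 0xFFFFFFFF

def build_baseline(paths, db_path):
    """Initial install: scan the selected programs and store their CRCs in the database file."""
    db = {str(p): crc32_of_file(p) for p in paths}
    Path(db_path).write_text(json.dumps(db))
    return db

def check_before_execution(path, db_path):
    """Recompute the CRC and compare it with the stored value; True means the program may run."""
    db = json.loads(Path(db_path).read_text())
    stored = db.get(str(path))
    if stored is None:
        return False  # not in the baseline: treat as untrusted rather than silently allowing it
    return crc32_of_file(path) == stored

def demo():
    """Constructed walkthrough: baseline a fake program, then modify it and re-check."""
    tmp = Path(tempfile.mkdtemp())
    prog, db = tmp / "app.bin", tmp / "integrity.db"
    prog.write_bytes(b"\x7fELF original program bytes")
    build_baseline([prog], db)
    clean = check_before_execution(prog, db)      # unchanged file: True
    prog.write_bytes(b"\x7fELF original program bytes plus appended Trojan horse code")
    tampered = check_before_execution(prog, db)   # modified file: False
    return clean, tampered
```

The database file is the checker's trust anchor: if an intruder can rewrite `integrity.db` along with the program, the comparison proves nothing, so it must be stored read-only or on protected media.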



CISA Exam Cram 2. ISBN: B001EEFNHG. Year: 2005. Pages: 146.
