Lesson 2: Identifying Threats

You can categorize threats to make them easier to identify. Threats are not always someone attacking your computer systems or network. For example, imagine you work for a tea company: customers order tea over the Internet, and employees fill the orders by querying a database on a server you maintain. If that server is down, it does not matter whether the server room flooded or a virus infected the server and destroyed its data. Either way, the information is unavailable to the people who need it, and availability is as much a security property as confidentiality.


After this lesson, you will be able to

  • Identify the source of a threat

  • Understand what an attack is

  • Understand what malicious code is

  • Understand who is attacking

  • Understand what social engineering is

Estimated lesson time: 25 minutes


Sources of Threat

To plan for or react to a threat, you must understand its nature. For instance, if you protect your data files by installing software that blocks traffic from the Internet (a firewall), you control access from external sources but do little to prevent someone inside the company from reaching the data. There are many ways to categorize threats; the important thing is to identify as many threats as possible and create a risk management plan for each.

When identifying the source of a threat, several questions help you determine the type of threat and how to mitigate it:

  • Is the threat due to a disaster of some sort, or is it due to an attack?

  • If it is an attack, does it come from someone who works for the company, or from someone outside the company?

  • If it is an attack, is it a well-known attack?

  • If it is an attack, can you identify it by reviewing audit files?

  • If it is an attack, is it related to the business you are in?

The more you know about the type of threats that could occur, the better you can plan and minimize the risk. The more categories or ways you have of identifying threats, the more threats you are likely to be able to identify and plan for.

Threats from Disaster

Disaster is defined as sudden or great misfortune. Some disasters are natural disasters, whereas others are fabricated. For instance, a fire could be a natural event (such as a forest fire) or manufactured (such as a fire created by an arsonist). Some things are not considered disasters, but could certainly be disastrous to your company's C-I-A triad.

  • Natural disasters.

    The C-I-A triad can be affected by natural disasters such as earthquakes or hurricanes. You need to identify those natural disasters most likely to affect your company and create a plan to mitigate potential losses.

    To plan for a natural disaster, you must identify the types of natural disaster that are most likely, determine how often those events have occurred historically, and then create a mitigation plan to minimize the impact on your company. You might decide not to implement every plan, but the threat should still be identified and the decision recorded.

  • Man-made disasters.

    Man-made or fabricated disasters that could affect the C-I-A triad include fire, loss of power, or a structural collapse. Because a disaster is a sudden or great misfortune, the event would be large and affect more than just information security. The first concern and priority is the safety of the people caught in the disaster, but good planning will help a company recover from the misfortune more quickly.

  • Mishap.

    A mishap is defined as an unfortunate accident. If a server fails and the specialists who repair and restore the server are all away, then the C-I-A triad is at risk. Consider both the severity and the likelihood of each event, whether it is a disaster of epic proportions or a minor mishap, so that you can minimize risk.

Threats from Attack

Threats from attack are more widely recognized, and they are typically harder to plan for than disasters or mishaps because this type of threat is constantly changing. Malicious users adapt their methods to new technologies and to specific vulnerabilities as they are discovered. To defend against an attack, you must understand the technology under attack. Many threats fall into more than one category; the objective is not to file each attack under exactly one heading, but to use a number of categories as prompts that help you identify threats you would otherwise miss.

  • Threats based on the business.

    Some threats are directly related to the business your company is in; therefore, the attacks that are most likely to occur can be better identified. For instance, if your company has a special formula for tea, then the threat would likely come from someone trying to steal the formula. If your company maintained Web sites for other companies, then the threat would likely be to shut the Web sites down, redirect people to a different Web site, or gather any confidential data associated with that Web site.

  • Threats that can be verified.

    Verifiable threats can be identified by data that is captured. For instance, if you have a Web site that someone is trying to hack into, then you might be able to review log files or set an alert to identify the type of attack, the time it occurred, and other specific data. This might not help you minimize the risk of the intruder succeeding with this attack, but it will help you identify an attack type and prepare your security to defend against it. More important, it will enable you to better prepare for a similar attack in the future.

  • Widely known threats.

    Some threats are widely known and you can simply read about them. This type of threat is typically focused on a specific application or technology and might or might not be malicious. An example is the ILOVEYOU virus of May 2000, which spread through e-mail systems: when a user opened the attachment, the virus mailed a copy of itself to everyone in that user's address book. It also overwrote certain files on the infected computer (such as images and scripts) with copies of itself, but its most widespread effect was on availability: the flood of messages overloaded e-mail servers around the world, so e-mail (a mission-critical service) was unavailable, breaking the C-I-A triad even on systems where no data was lost.

  • Internal threats.

    You must also be aware of internal threats that could affect the C-I-A triad. For instance, if your systems are connected by cable, anyone with physical access to the wiring could plug into your network or record the communications that cross it. If internal users are not required to authenticate, you cannot tell who changed what, and the integrity of your information is at risk.

  • External threats.

    External threats originate from outside your company. For instance, when you connect to a Web site on the Internet, the site could download an application to your computer that reads the address book in your e-mail program. Alternatively, someone could capture the communications between you and a Web site you are using to buy a new car and learn your name, address, and other personal information, such as a credit card or bank account number. Both are external threats.
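The "threats that can be verified" item above says that reviewing log files or setting an alert can tell you the type of attack and when it occurred. The following added example (not code from the training kit) does exactly that over a handful of constructed Web server log lines in Apache combined format: it parses each line, skips lines it cannot parse, and raises two kinds of alert, repeated failed logins from one address (password guessing) and a burst of requests for paths that do not exist (path probing, the reconnaissance that often precedes an attack). The `/login` path, the thresholds, the time window and every log line are assumptions made for the example.

```python
"""Review Web server logs for verifiable attack patterns (added example with constructed data)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Optional

# Constructed sample in Apache combined log format. Addresses come from the
# documentation ranges; one line is out of time order and one is malformed on purpose.
SAMPLE_LOG = """\
203.0.113.5 - - [12/Mar/2002:09:14:02 +0000] "GET /index.html HTTP/1.0" 200 1043 "-" "Mozilla/4.0"
198.51.100.7 - - [12/Mar/2002:09:15:10 +0000] "POST /login HTTP/1.0" 401 211 "-" "curl/7.9"
198.51.100.7 - - [12/Mar/2002:09:15:11 +0000] "POST /login HTTP/1.0" 401 211 "-" "curl/7.9"
198.51.100.7 - - [12/Mar/2002:09:15:12 +0000] "POST /login HTTP/1.0" 401 211 "-" "curl/7.9"
203.0.113.5 - - [12/Mar/2002:09:15:30 +0000] "POST /login HTTP/1.0" 401 211 "-" "Mozilla/4.0"
203.0.113.5 - - [12/Mar/2002:09:15:45 +0000] "POST /login HTTP/1.0" 200 518 "-" "Mozilla/4.0"
198.51.100.7 - - [12/Mar/2002:09:15:13 +0000] "POST /login HTTP/1.0" 401 211 "-" "curl/7.9"
198.51.100.7 - - [12/Mar/2002:09:15:14 +0000] "POST /login HTTP/1.0" 401 211 "-" "curl/7.9"
192.0.2.44 - - [12/Mar/2002:09:20:01 +0000] "GET /admin/ HTTP/1.0" 404 162 "-" "Mozilla/4.0"
192.0.2.44 - - [12/Mar/2002:09:20:02 +0000] "GET /cgi-bin/ HTTP/1.0" 404 162 "-" "Mozilla/4.0"
192.0.2.44 - - [12/Mar/2002:09:20:03 +0000] "GET /backup/ HTTP/1.0" 404 162 "-" "Mozilla/4.0"
192.0.2.44 - - [12/Mar/2002:09:20:04 +0000] "GET /.htpasswd HTTP/1.0" 404 162 "-" "Mozilla/4.0"
this line is not in the expected format
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line: str) -> Optional[Dict]:
    """Parse one combined-format line; return None for anything that does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None  # unexpected format: skip it rather than abort the whole review
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"],
        "status": int(m["status"]),
    }


def detect_password_guessing(entries: List[Dict], login_path: str = "/login",
                             threshold: int = 5, window: timedelta = timedelta(minutes=5)) -> List[Dict]:
    """Alert when one address produces `threshold` failed logins inside a sliding `window`."""
    failures = defaultdict(list)
    for e in entries:
        if e["path"].startswith(login_path) and e["status"] == 401:
            failures[e["ip"]].append(e["ts"])
    alerts = []
    for ip, times in failures.items():
        recent: deque = deque()
        for t in sorted(times):  # log lines are not always written in time order
            recent.append(t)
            while t - recent[0] > window:
                recent.popleft()
            if len(recent) >= threshold:
                alerts.append({"type": "password guessing", "source": ip,
                               "count": len(recent), "first": recent[0], "last": t})
                break  # one alert per source is enough for a reviewer
    return alerts


def detect_path_probing(entries: List[Dict], threshold: int = 4) -> List[Dict]:
    """Alert when one address asks for `threshold` or more distinct paths that do not exist."""
    missing = defaultdict(set)
    first_seen: Dict[str, datetime] = {}
    last_seen: Dict[str, datetime] = {}
    for e in entries:
        if e["status"] == 404:
            ip = e["ip"]
            missing[ip].add(e["path"])
            first_seen[ip] = min(first_seen.get(ip, e["ts"]), e["ts"])
            last_seen[ip] = max(last_seen.get(ip, e["ts"]), e["ts"])
    return [{"type": "path probing", "source": ip, "count": len(paths),
             "first": first_seen[ip], "last": last_seen[ip]}
            for ip, paths in missing.items() if len(paths) >= threshold]


def review(lines: Iterable[str]) -> List[Dict]:
    """Run both detections over raw log lines and return the alerts in rule order."""
    entries = [e for e in map(parse_line, lines) if e is not None]
    return detect_password_guessing(entries) + detect_path_probing(entries)


if __name__ == "__main__":
    for a in review(SAMPLE_LOG.splitlines()):
        print(f"{a['type']:<18} from {a['source']:<14} {a['count']:>3} events "
              f"between {a['first'].isoformat()} and {a['last'].isoformat()}")
```

Note what the review does and does not give you: it names the attack type, the source address and the time window, which is what you need to tune your defenses and to recognize the same pattern next time, but the single failed login from 203.0.113.5 followed by a success is treated as an ordinary typo, so the thresholds decide how much noise you tolerate. A source address in a log line is also only as trustworthy as the network path that delivered it (see spoofing below).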

Attacks

An attack is an attempt to bypass the security controls on a computer. An attack can alter, release, or deny data. New attack types appear constantly, but most have a name that describes the technique well.

Attacks are covered in depth in later chapters, but to give you an idea of some of the current techniques in use today, a short list of attack types follows with a brief description:

  • Denial of service (DoS).

    This type of attack renders a service inoperative. For instance, a DoS attack can make a popular Web site unavailable for some length of time. A distributed denial of service (DDoS) attack has the same effect, but the traffic is launched from many attacking computers at once, which makes it much harder to block by source.

  • Spoofing.

    In information security, spoofing is pretending to be someone or something else by impersonating, masquerading, or mimicking it. If you present a user name and password, Internet Protocol (IP) address, or any other credential that is not yours to gain access to a network, system, or application, you are spoofing. There are many spoofing techniques in use, but one of the most common is IP spoofing, which forges the source address in an IP packet so that the packet appears to come from a different, usually trusted, host.

  • Man-in-the-middle.

    This is exactly what it sounds like. For networking, a computer captures the communications between two computers and impersonates them both. For instance, a client computer connects to a server to download a monthly transaction statement. The man-in-the-middle computer would impersonate the server when communicating with the client, and the client computer when communicating with the server. This allows the man-in-the-middle computer to capture all of the communications between the client and server computers.

  • Password guessing.

    This type of attack involves guessing a user name and password to gain access to a network or system. Some password programs try every possible combination of characters (a brute force attack); others try each word from a dictionary. A dictionary attack is not limited to plain words: it can also vary upper- and lower-case letters and substitute numbers for letters in an attempt to recover the password.

Malicious Code

Malicious code is software or firmware that is intentionally placed in a system for an unauthorized purpose. Examples of this are the Morris Worm and the Melissa virus. A lot of information about these attacks is available on the Internet, but they are also covered in more depth later in this book. Some of the basic types are the following:

  • Virus.

    A virus is a program that replicates itself but cannot propagate on its own. It needs an installation vector, such as an executable file attached to an e-mail message or a floppy disk, and someone to run it. A virus infects other programs on the same system and can be transferred from machine to machine through e-mail attachments or some form of media, such as a floppy disk. A virus can destroy data, crash systems, or be mostly harmless.

  • Worm.

    A worm is a program that can replicate and propagate itself. It propagates itself by infecting other programs on the same system, and also spreading itself to other systems across a network, without the need for an installation vector. A worm can also destroy data, crash systems, or be mostly harmless.

  • Trojan horse.

    Generally, a Trojan horse program looks desirable or harmless, but actually does damage. For instance, you might download what you think is a game, but when you run it, you find that it deletes all of the executable files on your hard disk.

Who Is Attacking?

To protect against attack, you must understand who is attacking and how they are doing it. Some attacks are attempts to gain access to your information, whereas others are a ruse to draw attention away from the real attack. As the military strategist Sun Tzu said, "Know thy enemy and know thyself, and you will win a hundred battles." The following are some types of attackers:

  • Hacker.

    The term hacker has two definitions, depending on to whom you are talking. To a programmer, a hacker can be someone who pounds out code that provides a quick solution to a difficult problem. The code might not be elegantly written, but it is functional and effective. To others, a hacker is someone who breaks security on an automated information system or a network. This type of hacker (also known as a cracker) is typically doing something mischievous or malicious, and although they might be breaking into a system for what they consider a good and higher cause, they are still breaking into a system.

  • Novice.

    A novice is someone who aspires to be a hacker, but does not have the technical skills. Typically, a novice will go to a Web site created by a hacker and run a program that attacks a network or computer system. Although a novice attack is usually easily identified and denied, it can provide enough "white noise" to hide evidence that a hacker is attempting a more serious attack on a system or network.

Social Engineering

One of the hardest attacks to defend against is social engineering: using deceit, and the politeness and gullibility of others, to gain access to secure resources. For instance, someone might call and say he or she is repairing one of your systems and needs the password to log on and verify that the repair is complete. Another ploy (often called tailgating) is to walk up to a secured door that requires a special card and ask you to hold it open so he or she can enter.

There are several ways social engineering can undermine even the best security plan. One of the best solutions for mitigating social engineering risk is user education. User education will enable your users to understand what information should never be provided to another person, and will provide best practices for handling sensitive information, as well as setting passwords and other day-to-day tasks.

Lesson Review

The following questions are intended to reinforce key information presented in this lesson. If you are unable to answer a question, review the lesson and then try the question again. Answers to the questions can be found in Appendix A, "Questions and Answers."

  1. You are responsible for creating a mitigation plan for threats to your company's information security. Which of the following should your mitigation plan identify as threats from fabricated and natural disasters? (Select all that apply.)

    1. Incomplete backups

    2. Power outages

    3. Your building flooding

    4. A virus infecting the servers at your company

    5. A fire in your building

  2. When determining the risk posed by a threat, external threats are more dangerous than internal threats. (True or False?)

  3. Select all the attacks that are based on using malicious code:

    1. Trojan horse

    2. Social engineering

    3. Virus

    4. Novice

    5. Worm

Lesson Summary

  • A threat is anything that endangers the C-I-A triad, and threats can come from a variety of sources. Examples of threats include the following:

    • Hackers (or crackers) trying to break into your network and computers

    • Malicious code such as a computer virus or Trojan horse

    • People who work for your company and are unhappy or are being paid to gather and sell your company's information

    • Fire, flood, hardware failure, or natural disaster

  • Threats can come from external sources, such as hackers and e-mail messages, but they can also come from sources internal to the company, as is the case with a disgruntled employee or someone who gains physical access to your computers.



Security+ Certification Training Kit (Pro-Certification)
ISBN: 0735618224
Year: 2002
Pages: 55
