It is extremely difficult to predict how future incidents will differ from current trends because the data on current trends is so incomplete. Although some evidence might suggest that external attacks are becoming more common (as discussed in Chapter 10, "Responding to Insider Attacks"), personal experience tends to imply that insiders continue to dominate, at least among the most serious incidents. Recent years have seen a rise in virus and worm incidents and new motivations for attacks (such as "hacktivism").

Viruses and Worms

Viruses and worms are nothing new. In 1988, the Morris worm brought virtually the entire Internet to a halt. At that time, however, the Internet was restricted to a few government agencies and academic institutions, and the effect on the average person or business was nonexistent. That is no longer the case. Eleven years after the Morris worm, in 1999, Melissa hit. Melissa was the first mass-mailing worm to spread on a large scale: rather than attacking a network service as the Morris worm had, it mailed itself to addresses found on the infected machine. Since then, variants and copies of this worm have emerged. All tend to infect the host computer and then spread by mailing infected messages to other computers. Most are written in Visual Basic, either as Office macros or as VBScript. Although many are not technically viruses, in that they do not infect a specific file or program, most do require that certain programs be installed in order to run. For example, both Melissa and the I Love You worm required Microsoft Outlook to propagate. Although the antivirus community has, in all of these cases, been quick to develop tools to detect, quarantine, and clean these worms, the rate at which they spread is phenomenal. Company email servers have been crippled by the sheer volume of messages. Some companies have even disconnected their mail servers in an attempt to prevent the spread. This, however, both prevents users from getting antivirus updates and also accomplishes a complete denial of service against the corporate network.
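The propagation pattern described above is visible at the mail gateway before any antivirus signature exists: one internal sender suddenly sends the same attachment to many recipients within seconds, and the attachment is a script or a macro-capable document rather than data. The Python below is an added example written for this edit, not code from the book or from any antivirus vendor. The log format, the extension lists, the thresholds and the sample messages are all constructed for illustration; a real gateway log needs its own parser and tuned thresholds.

```python
"""Flag mass-mailing worm propagation in a mail gateway log (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta
import shlex

# Directly executable attachment types (the I Love You delivery form). Constructed list.
SCRIPT_EXTS = {"vbs", "vbe", "js", "jse", "wsf", "exe", "scr", "pif", "bat"}
# Macro-capable Office documents (the Melissa delivery form): not blocked on sight,
# but suspicious when one copy suddenly fans out to many recipients.
MACRO_DOC_EXTS = {"doc", "dot", "xls"}
# Harmless-looking inner extensions used to disguise a script (TXT.vbs).
DECOY_EXTS = {"txt", "jpg", "gif", "htm", "html", "doc"}


def _constructed_log():
    """Constructed gateway log, one line per delivery:
    timestamp sender recipient "subject" attachment   (attachment '-' if none)"""
    t0 = datetime(2000, 5, 4, 9, 0, 0)
    lines = []
    # one sender, same script attachment, 12 recipients in 22 seconds
    for i in range(12):
        ts = (t0 + timedelta(seconds=2 * i)).isoformat()
        lines.append(f'{ts} alice@example.com user{i}@example.com "ILOVEYOU" LOVE-LETTER-FOR-YOU.TXT.vbs')
    # a second sender, same macro document, 11 recipients inside a minute
    for i in range(11):
        ts = (t0 + timedelta(minutes=1, seconds=5 * i)).isoformat()
        lines.append(f'{ts} mallory@example.com dest{i}@example.com "Important Message" list.doc')
    # legitimate bulk mail (a PDF to 12 people) and one ordinary spreadsheet
    for i in range(12):
        ts = (t0 + timedelta(minutes=10, seconds=i)).isoformat()
        lines.append(f'{ts} hr@example.com staff{i}@example.com "Benefits" benefits.pdf')
    lines.append(f'{(t0 + timedelta(minutes=30)).isoformat()} dave@example.com erin@example.com "Q2 numbers" q2.xls')
    return "\n".join(lines)


SAMPLE_LOG = _constructed_log()


def parse_log(text):
    """Parse the constructed format into dicts; a real gateway log needs its own parser."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, sender, rcpt, rest = line.split(" ", 3)
        subject, attachment = shlex.split(rest)      # subject is quoted, attachment is not
        records.append({"ts": datetime.fromisoformat(ts), "sender": sender.lower(),
                        "rcpt": rcpt.lower(), "subject": subject,
                        "attachment": None if attachment == "-" else attachment.lower()})
    return records


def attachment_class(name):
    """'script', 'double-extension script', 'macro', or None for plain data."""
    if not name or "." not in name:
        return None
    parts = name.lower().split(".")
    if parts[-1] in SCRIPT_EXTS:
        disguised = len(parts) > 2 and parts[-2] in DECOY_EXTS
        return "double-extension script" if disguised else "script"
    if parts[-1] in MACRO_DOC_EXTS:
        return "macro"
    return None


def detect(records, window=timedelta(minutes=5), min_recipients=10):
    """Return sorted (sender, attachment, reason) alerts."""
    alerts = set()
    by_key = defaultdict(list)          # (sender, attachment) -> deliveries
    for r in records:
        cls = attachment_class(r["attachment"])
        if cls is None:
            continue                    # data attachments never alert here
        if cls != "macro":
            alerts.add((r["sender"], r["attachment"], cls))   # scripts alert on first sight
        by_key[(r["sender"], r["attachment"])].append(r)
    # fan-out: same sender, same risky attachment, many distinct recipients in one window
    for (sender, att), deliveries in by_key.items():
        deliveries.sort(key=lambda r: r["ts"])
        for i, first in enumerate(deliveries):
            rcpts = {r["rcpt"] for r in deliveries[i:] if r["ts"] - first["ts"] <= window}
            if len(rcpts) >= min_recipients:
                alerts.add((sender, att, f"fan-out: {len(rcpts)} recipients within {window}"))
                break
    return sorted(alerts)


if __name__ == "__main__":
    for alert in detect(parse_log(SAMPLE_LOG)):
        print(alert)
```

On the constructed log this raises three alerts: the script attachment from the first sender on sight, the same sender's fan-out, and the macro document's fan-out from the second sender. The PDF sent to twelve people is not flagged because fan-out only counts attachment types a worm could actually use; that restriction is what keeps ordinary bulk mail out of the alert queue.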
Even if the worm does not take hold, disconnecting the mail server shuts the company down for the period. Virus writers (with the exception of Robert T. Morris) have traditionally been viewed by law enforcement as nuisances not worthy of prosecution. This has changed. The FBI launched massive investigations following the outbreaks of both Melissa and the Love Bug. This will almost certainly continue as new viruses emerge.

Insider Attacks

Chapter 10 discussed some recent statistics that tend to indicate that external attacks are becoming more prevalent. This might, in fact, be a function of better detection, or of the widespread virus/worm outbreaks of the last few years. Insider attacks are still recognized as the most potentially damaging, for all the reasons previously given. Because most office workers now have personal computers on their desktops, and most of these have connections both to the company network and to the Internet, the potential for abuse is extraordinary. A malicious employee can use "tunneling" technology to send and receive encrypted data over open ports, regardless of the firewall configuration. These attacks are covered in more detail in Chapter 11, "The Human Side of Incident Response." They are almost impossible to detect and even more difficult to block. Some corporations have expressed concern over the use of Secure Sockets Layer (SSL) on web sites because they cannot monitor the traffic. However, blocking SSL will raise concerns with employees, because then they cannot access e-commerce sites or do online banking from their corporate computers. Even some news and informational sites require SSL. If a company chooses to block it, it must first establish a policy that states that the company computers and network connections are for business use only and that no personal use is allowed. The trend, however, is in the other direction. Most companies accept some level of personal use, provided it does not impact business.
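The SSL concern is narrower than it first appears. A proxy that cannot read the encrypted payload still records who connected where, for how long, and how many bytes moved in each direction, and both an encrypted tunnel over an open port and a bulk upload leave a signature in those numbers. The Python below is an added example written for this edit, not code from the book. The CONNECT log format, the thresholds and the sample sessions are constructed for illustration and would need tuning to a real environment.

```python
"""Find tunnels and bulk uploads in proxy CONNECT logs without decrypting anything (added example)."""
from collections import defaultdict
import ipaddress

# Thresholds are constructed for the example and need tuning per environment.
LONG_SESSION_S = 1800            # browsers rarely hold one CONNECT open for 30 minutes
UPLOAD_RATIO = 5.0               # client sent at least 5x what it received
MIN_UPLOAD_BYTES = 5_000_000     # ignore ordinary form posts
DAILY_UPLOAD_BYTES = 50_000_000  # per user, per destination host

# Constructed log: user host:port duration_seconds bytes_from_client bytes_to_client
SAMPLE_LOG = """\
jsmith shop.example.net:443 12 4100 180500
jsmith bank.example.net:443 45 9800 240000
jsmith news.example.net:443 8 2300 95000
mallory 198.51.100.7:443 7200 2500000 2450000
mallory storage.example.org:443 300 31000000 120000
mallory storage.example.org:443 280 29000000 110000
tjones relay.example.com:8443 120 50000 52000
"""


def parse_log(text):
    sessions = []
    for line in text.splitlines():
        if not line.strip():
            continue
        user, dest, duration, up, down = line.split()
        host, _, port = dest.rpartition(":")
        sessions.append({"user": user, "host": host, "port": int(port),
                         "duration": int(duration), "up": int(up), "down": int(down)})
    return sessions


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def session_findings(s):
    """Reasons one CONNECT session looks like a tunnel or an exfiltration channel."""
    reasons = []
    ratio = s["up"] / max(s["down"], 1)
    if s["port"] != 443:
        reasons.append(f"CONNECT to non-standard port {s['port']}")
    if s["up"] >= MIN_UPLOAD_BYTES and ratio >= UPLOAD_RATIO:
        reasons.append(f"upload-heavy: {s['up']} bytes out vs {s['down']} in")
    if s["duration"] >= LONG_SESSION_S and 0.5 <= ratio <= 2.0:
        # web browsing is short and download-heavy; long and symmetric is interactive traffic
        reasons.append(f"long symmetric session ({s['duration']} s): tunnel-like")
    if reasons and is_ip_literal(s["host"]):
        reasons.append("destination is a bare IP address")
    return reasons


def analyze(sessions):
    """Per-session findings plus aggregate upload volume per (user, host)."""
    alerts = []
    uploaded = defaultdict(int)
    for s in sessions:
        for reason in session_findings(s):
            alerts.append((s["user"], s["host"], reason))
        uploaded[(s["user"], s["host"])] += s["up"]
    for (user, host), total in uploaded.items():
        if total >= DAILY_UPLOAD_BYTES:
            alerts.append((user, host, f"aggregate upload {total} bytes to one host"))
    return alerts


if __name__ == "__main__":
    for alert in analyze(parse_log(SAMPLE_LOG)):
        print(alert)
```

The three ordinary browsing sessions produce nothing. The two-hour, byte-symmetric session to a bare IP address is the shape of an interactive tunnel; the two sessions that each send tens of megabytes and receive almost nothing are the shape of a bulk upload to a web storage service, and the per-host aggregate catches the same thing when it is split into many smaller sessions. None of this requires seeing inside the SSL stream.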
Accepting some personal use, however, does introduce additional risk, and businesses must be prepared to address it. New Internet services can also introduce risk. Yahoo! now offers a service called the Yahoo! Briefcase (http://briefcase.yahoo.com). This service allows users to store up to 30MB of files on Yahoo! servers, accessible from anywhere with a web browser. If an employee wants to steal data from the organization, he or she can now upload it through the web browser and download it later from outside the organization. This will be almost impossible to detect unless the organization is specifically looking for (or blocking) connections to these sites. Another dangerous trend is the widespread use of personal devices such as personal digital assistants (PDAs). Malicious users can download large amounts of data to these devices, which can be easily concealed and removed from the site. Some of these devices support wireless communication, either by radio-frequency modems or by infrared. Also newly available are removable storage devices. For example, there are now devices that plug into the universal serial bus (USB) port on a computer. Agate Technologies (www.agatetech.com) makes a USB hard drive about the size of a key fob. When plugged into the USB port, it appears to the computer as an additional hard drive. These drives can hold up to 64MB of data.

External Attacks

The most recent trend in external attacks has been denial of service. Security expert Bill Cheswick describes this as "the last computer security problem." [6] When all the patches are applied, when all the firewalls are in place, when all the software is completely secure, denial-of-service attacks are still possible.
The CIA model discussed in Chapter 1 recognizes that information must be available to be useful. It is more than that, however. There are now businesses that have no physical presence to their customers outside of the Internet. The financial loss to an online merchant when customers cannot access the site is staggering. Individuals are now buying and selling stock over the Internet. Although it might merely be frustrating to one person not to be able to buy or sell, it could mean major losses for the brokerage houses. One can even postulate an incident in which a person artificially manipulates a stock price simply by denying others the opportunity to trade. The costs in lost revenue are difficult to measure when customers cannot get into the site to buy. The intangible losses, in which new customers simply decide to go somewhere else, cannot be quantified. Even organizations that do not directly do business over the Internet can be affected. Their employees cannot exchange email with clients or suppliers. They can't access patches or updated software. It is even possible that the loss of network connectivity might overload or slow other communications networks, and phone service into a company might be affected. Distributed denial-of-service attacks were discussed in earlier chapters. Until recently, a company under attack could simply add more capacity; it was likely that a corporation could quickly have more capacity than a single attacker could overwhelm. With distributed attacks, however, an attacker can easily have more available bandwidth than the victim. As personal broadband connections become more widespread, the number of available agent computers increases dramatically. It will be easy for an attacker to compromise a few dozen home machines with DSL service and quickly overwhelm a T-1 connection (1.544 Mbps): even at a modest 128 Kbps upstream per line, two dozen such machines can together source roughly 3 Mbps, about twice what the T-1 can carry. The suggestions in the following sidebar might help prevent these attacks, but they require that Internet service providers implement certain controls.
Another recent trend in external attacks has been to attack the corporation by compromising internal (or virtually internal) clients. For example, Microsoft had an incident in late 2000 in which a personal computer owned by a Microsoft employee and used to access the internal network was compromised by a trojan horse program. The attacker potentially had access to the entire internal Microsoft network through the company's own virtual private network (VPN). Firewalls and external controls have become very robust and, provided that they are maintained and patched, very difficult to breach head-on. However, more companies are allowing employees to telecommute or are providing access to workers who travel. These computers are much more difficult to secure because the company does not have day-to-day control of them, and they might be exposed to any number of attacks, unprotected by any kind of firewall (or even an antivirus program). A trojan program can initiate connections on its own, or it can wait for the VPN client to establish a tunnel and then gather information about the internal network or even spread itself to other computers. Once the attacker has access to an internal computer, he or she can tunnel traffic in both directions over a permitted port such as HTTP.
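The tunnel over a permitted port described here, and the insider tunneling over open ports earlier in the chapter, both rely on the firewall trusting the port number alone. The first check a practitioner wants is whether the bytes on a permitted port are actually the protocol the port is meant to carry. The Python below is an added example written for this edit, not code from the book. It inspects the first bytes a client sends on ports 80 and 443 against constructed sample flows (not captured traffic), and its heuristics for an HTTP request line and a TLS ClientHello record header are simplifications of the real protocols.

```python
"""Check that the bytes on ports 80 and 443 really are HTTP and TLS (added example)."""
import re

OK_CLASSES = {"http", "tls", "other port"}
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ", b"TRACE ", b"CONNECT ")
REQUEST_LINE = re.compile(rb"^[A-Z]+ \S+ HTTP/1\.[01]\r\n")
CONNECT_TARGET = re.compile(rb"^CONNECT \S+?:(\d+) HTTP/1\.[01]\r\n")


def looks_like_http_request(data):
    """A request line: METHOD SP target SP HTTP/1.x CRLF (simplified)."""
    return data.startswith(HTTP_METHODS) and REQUEST_LINE.match(data) is not None


def looks_like_tls_client_hello(data):
    """TLS record header: type 0x16 (handshake), version 3.x, 2-byte length, then
    handshake type 0x01 (ClientHello). An SSLv2-compatible hello instead starts with a
    length byte whose high bit is set and has 0x01 at offset 2; both forms are accepted."""
    if len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03 and data[2] <= 0x03 and data[5] == 0x01:
        return True
    if len(data) >= 3 and data[0] & 0x80 and data[2] == 0x01:
        return True
    return False


def classify(port, first_bytes):
    """Label the first client bytes of a flow by what the port is supposed to carry."""
    if port == 80:
        if not looks_like_http_request(first_bytes):
            return "NOT HTTP on port 80"
        m = CONNECT_TARGET.match(first_bytes)
        if m and m.group(1) != b"443":
            # syntactically valid HTTP, but an explicit request to tunnel to another port
            return f"HTTP CONNECT tunnel to port {m.group(1).decode()}"
        return "http"
    if port == 443:
        return "tls" if looks_like_tls_client_hello(first_bytes) else "NOT TLS on port 443"
    return "other port"


def find_mismatches(flows):
    """flows: (source, dst_port, first client bytes). Return the ones that do not conform."""
    out = []
    for src, port, data in flows:
        label = classify(port, data)
        if label not in OK_CLASSES:
            out.append((src, port, label))
    return out


# Constructed first bytes from six flows (not captured traffic).
SAMPLE_FLOWS = [
    ("10.0.0.5", 80, b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    ("10.0.0.5", 443, bytes([0x16, 0x03, 0x01, 0x00, 0xC4, 0x01, 0x00, 0x00, 0xC0, 0x03, 0x03]) + b"\x00" * 32),
    ("10.0.0.9", 80, b"SSH-2.0-OpenSSH_2.9\r\n"),                        # ssh pointed at port 80
    ("10.0.0.9", 443, b"\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09"),      # custom encrypted protocol
    ("10.0.0.12", 443, b"\x80\x2e\x01\x03\x01\x00\x15\x00\x00\x00"),     # SSLv2-style hello, legitimate
    ("10.0.0.12", 80, b"CONNECT 198.51.100.7:22 HTTP/1.1\r\n\r\n"),       # valid HTTP, tunnel request
]

if __name__ == "__main__":
    for finding in find_mismatches(SAMPLE_FLOWS):
        print(finding)
```

Three of the six constructed flows are reported: SSH on port 80, an unknown binary protocol on port 443, and a well-formed HTTP CONNECT asking to be tunneled to port 22. A tunnel that speaks genuine HTTP (for example, one that carries its payload in POST bodies) or that rides inside a real SSL session passes this check. Conformance checking catches the lazy tunnels; session metadata such as duration, byte counts and destinations is what remains for the careful ones.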