Predicting Threats to the Network




In order to successfully predict the threats to your network, you will need to understand what motivates the attacker. There are many categories of motives:

Vengeance The attacker may feel harmed by a specific organization and wish to harm it. Commonly, the attacker has an affiliation with the organization, such as former employment. In this case, the risk is elevated because the attacker has inside information about the network, the security practices, and access to the people within the organization.

Corporate or government espionage The attacker may be attempting to compromise a network to try to obtain government or corporate secrets. In this case, the attacker may be motivated by money or their belief system.

Publicity Many hacking groups attack a network or an application to gain recognition in the industry. Many of these groups publicly take credit for their attacks.

Terrorism An attacker’s goal may be to inflict harm on the target. The attacker may be a part of a group or state-sponsored terror cell. These are the most serious types of attackers because of their willingness to sacrifice the innocent.

To better predict the threats against your organization, you should be aware of the types of vulnerabilities that are used against most networks. In the following sections, you will be introduced to the common security vulnerabilities that plague networks today.

Common Vulnerabilities

Most successful attacks against networks are accomplished by exploiting a well-known weakness. The people who are charged with maintaining the security of a network should be properly trained to recognize vulnerabilities and make it part of their daily routine to learn of new vulnerabilities when they are discovered. Table 2.1 lists some of the most common network vulnerabilities with examples.

Table 2.1: Common Network Vulnerabilities

| Exposure | Example |
|---|---|
| Unpatched software | Service packs or hotfixes have not been applied. |
| Poorly configured hardware or software | Unused services are installed, or default settings are left in place when software or hardware is installed, which eliminates some of the work for an attacker. |
| Social engineering | An administrator resets a user's password without confirming the identity of the user. |
| Unencrypted data transfer | Critical data is transmitted across a public network in clear text. |
| Weak password | Blank or default password. |

Most of the common vulnerabilities are easy to recognize and protect against. One of the main goals of your design is to minimize the attack surface of your organization. Simply translated, you need to remove any services that could be vulnerable to attack unless the services are required. If you have a workstation that will only be used to browse the Internet, it should have no services running other than those that are required. In addition to removing services, you should remove any hardware that isn’t required for the workstation to execute its primary function. Removing floppy disk drives or CD-ROM drives can improve security because if someone gets physical access to the workstation, they would have no easy way to install their own software on it.

In the following sections, you will learn how to recognize the types of attacks that are most likely to be used against your organization by internal and external attackers.

Internal Threats

The most severe risks to a system are those that are initiated from within your organization, referred to as internal threats. In most organizations, the most common network configurations are those in which the workstations and the servers are on the same segment. Thus, the workstations have unfettered access to the server; there is no firewall or router used to separate the workstations from the servers, and therefore the workstations can attack the server at will. Only in the most secure environments are workstations and servers separated by a firewall. Internal threats occur when a trusted user uses their limited access to launch an attack.

Note

Not all internal incidents are the result of an attack; they could also be the result of user error mixed with administrative carelessness.

The most common motive for an internal security breach is user curiosity. For example, suppose an employee wanted to know how much money a coworker made in a year. They may attempt to access the secure payroll data, which would be a security breach. Other motives exist, ranging from anger at the company to a desire to steal data.

There is nothing more dangerous to your organization than an internal attack by an individual with knowledge of the network configuration and the skill to access it. Internal attacks don’t need to be complicated; if the attacker has physical access to parts of the network, they could steal or damage hardware.

Other types of attacks that can be spawned internally are corporate or government espionage. Espionage, as an attack, occurs when the information on your network is either stolen, tampered with, or destroyed. You may think that this type of thing only appears in spy novels and movies, but this type of attack does occasionally occur. It can be quite difficult to track a spy in your organization, especially if you’re not affiliated with the government (a government agency would expect these types of attacks). The best technique to detect espionage is to enable auditing and to evaluate the logs frequently. You should especially notice when a specific employee begins to traverse the secure areas of the network.

You’ll need to make sure that, in addition to auditing the resources on the network, you are auditing access to the server room. The first line of defense is to physically secure your environment. Failure to accomplish this single task would make any other security technique moot. If your organization has the infrastructure in place to track access to specific rooms, you should request access to these records to see if anyone is attempting access to the room.
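As an added example (not from the book), the following Python performs the kind of log review the text recommends: it baselines which users already touch secure shares and flags anyone who begins traversing them. The audit record layout, the share paths and the user names are constructed assumptions for this example.

```python
from collections import defaultdict

# Constructed audit records (not real Windows log output): "date|user|resource|action".
# The first day is the baseline period; the second day is the period under review.
AUDIT_LOG = r"""
2004-03-01|jdoe|\\Server1\Apps\LOB|READ
2004-03-01|amanager|\\Server1\Payroll\2004.xls|READ
2004-03-01|jdoe|\\Server1\Apps\LOB|READ
2004-03-02|jdoe|\\Server1\Payroll\2004.xls|READ
2004-03-02|jdoe|\\Server1\Payroll\bonuses.xls|READ
2004-03-02|amanager|\\Server1\Payroll\2004.xls|WRITE
"""

# Share prefixes the organization treats as secure areas (assumption of this example).
SECURE_PREFIXES = (r"\\Server1\Payroll",)


def parse_records(text):
    """Split pipe-delimited audit lines into (date, user, resource, action) tuples."""
    records = []
    for line in text.strip().splitlines():
        date, user, resource, action = line.split("|", 3)
        records.append((date, user, resource, action))
    return records


def is_secure(resource):
    """True when the resource lives under one of the secure share prefixes."""
    return resource.lower().startswith(tuple(p.lower() for p in SECURE_PREFIXES))


def build_baseline(records, before):
    """(user, resource) pairs for secure resources a user already touched before `before`."""
    return {(u, r.lower()) for d, u, r, a in records if d < before and is_secure(r)}


def first_secure_access(records, baseline, since):
    """Accesses on/after `since` to a secure resource the user never touched in the baseline."""
    alerts = []
    seen = set(baseline)
    for d, u, r, a in records:
        if d < since or not is_secure(r):
            continue
        key = (u, r.lower())
        if key not in seen:          # report each new (user, resource) pair once
            seen.add(key)
            alerts.append((d, u, r, a))
    return alerts


def review(text=AUDIT_LOG, cutoff="2004-03-02"):
    """Baseline everything before `cutoff`, then flag first-time secure access from `cutoff` on."""
    records = parse_records(text)
    return first_secure_access(records, build_baseline(records, cutoff), cutoff)


if __name__ == "__main__":
    for alert in review():
        print("first-time access to secure area:", alert)
```

The payroll clerk's routine reads and writes stay quiet; the application user who suddenly opens two payroll files is reported once per file.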

Another major problem for security is password security. Many users either share their passwords with other employees or actually have it taped to their monitor so that they won’t forget it. In order to prevent this type of breach you need to train your users so that they understand the importance of keeping their passwords secure.

In the “Predicting Internal Threats to Your Network” Design Scenario, you will evaluate a small scenario in order to predict the different types of internal threats.

Design Scenario: Predicting Internal Threats to Your Network


A small company uses Windows Server 2003 on a machine named Server1 to run its line-of-business application. Server1 is located in a locked room with a backup device attached directly to it. In addition to providing the users with the application services, Server1 is also used to store the payroll data. The server is not connected to the Internet and the company uses a consulting firm for major administration tasks; for the day-to-day administration, the office manager has been trained to handle the resetting of passwords of all employees, including the owner. The office manager is also responsible for changing backup tapes.

Question: What are the threats that can be exploited internally?

Answer: The office manager could change the password of another user and use that account to spoof the identity of the other user. Once the account is compromised, the office manager can access all information that is privy to that authenticated user. The office manager has physical access to the server and can therefore turn off, install, or destroy devices that are attached to the server. The backup tapes contain full copies of all of the data on the server, assuming no encryption; the tapes could be sold to a competitor or destroyed to prevent the data from being restored.


External Threats

Threats that come from outside of your organization’s firewall are referred to as external threats. The configuration of your network is fundamental in determining whether or not individual servers are vulnerable to attack from the outside. External threats are the ones that are most publicized and those that most organizations spend a majority of their resources on trying to defend against. The motivation of the external attacker is usually quite different than that of an internal attacker.

Assuming the attacker is skillful, they can break into the system, steal or manipulate the data, and to a certain degree, remove all traces of the attack. As you may have guessed, it’s impossible to respond to an incident if you are not aware that it occurred.

Most effective attacks against your organization from an attacker who isn’t familiar with your network will begin with a systematic probing of your network. This discovery is commonly referred to as footprinting. The concept of footprinting, or scouting, is not new. In almost every military conflict, there is a significant amount of discovery that takes place prior to an attack. The attacker, in our context, will evaluate the defenses of the target network or server by determining what systems and services are running. Even a novice attacker can use this information to break into your system.

Figure 2.1 shows what a simple Telnet session to a mail server can reveal about the server that it is running on.

Figure 2.1: Telnet session to Exchange Server 2003

As you can see, it tells us the internal name of the server and the full version of the mail service. This information tells the attacker that the server is running Exchange Server 2003 and even includes the minor version information, 6.0.3790.0, which lets the attacker know whether or not service packs have been installed as well as certain hotfixes. A simple Telnet session to a Windows NT 4 web server displays the IIS version, which lets the attacker know the operating system. Figure 2.2 shows a Telnet session to an NT 4 web server (port 80).

Figure 2.2: Telnet Session to IIS 4.0

Windows Server 2003 does a better job of shielding the version information, as seen in Figure 2.3.

Figure 2.3: Telnet Session to IIS 6.0

You’ll need to do your best to prevent as much information as possible from getting into an attacker’s hands. There are several methods that you can use to change or disable the banners that the services display. The options that are available to you will be determined by the specific service and operating system on the machine you are trying to protect. In addition to using the Telnet utility, there are other more elegant programs such as nmap, a free footprinting utility, and many more. Visit www.insecure.org to get more information about the nmap utility.
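As an added example (not the book's own code), this Python checks service banners for the disclosures the figures illustrate: an internal host name in the SMTP greeting, a product name, and a version that maps to an operating system. The sample banners, host names and timestamp are constructed; `grab_banner` assumes a reachable server that you administer.

```python
import re
import socket

# Constructed banners modelled on the Telnet sessions the text describes;
# host names and the timestamp are invented for this example.
SAMPLE_BANNERS = {
    ("mail.example.test", 25):
        "220 server1.corp.example.test Microsoft ESMTP MAIL Service, "
        "Version: 6.0.3790.0 ready at  Mon, 1 Mar 2004 08:00:00 -0500\r\n",
    ("www.example.test", 80): "HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/4.0\r\n\r\n",
    ("shop.example.test", 80): "HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/6.0\r\n\r\n",
    ("hardened.example.test", 80): "HTTP/1.1 200 OK\r\n\r\n",
}

# Each IIS release shipped with one Windows release, so the version gives away the OS.
IIS_TO_OS = {"4.0": "Windows NT 4.0", "5.0": "Windows 2000", "6.0": "Windows Server 2003"}

SMTP_RE = re.compile(r"^220\s+(\S+)\s+(.*?)(?:\s+ready\b.*)?$", re.I | re.S)
VERSION_RE = re.compile(r"Version:\s*([\d.]+)", re.I)
SERVER_RE = re.compile(r"^Server:\s*([^/\r\n]+)(?:/(\S+))?", re.I | re.M)


def analyze_banner(probed_host, port, banner):
    """Return the disclosures in `banner` a defender would want removed.
    Keys: internal_name (greeting name differs from the probed name), product,
    version, and os (inferred from an IIS version)."""
    findings = {}
    if port == 25:                       # SMTP greeting: "220 <host> <product> ready ..."
        m = SMTP_RE.match(banner.strip())
        if m:
            greeted, product = m.group(1), m.group(2)
            if greeted.lower() != probed_host.lower():
                findings["internal_name"] = greeted
            v = VERSION_RE.search(product)
            if v:
                findings["version"] = v.group(1)
                product = VERSION_RE.sub("", product)
            findings["product"] = product.strip(" ,")
    else:                                # HTTP: look for a Server: header
        m = SERVER_RE.search(banner)
        if m:
            findings["product"] = m.group(1).strip()
            if m.group(2):
                findings["version"] = m.group(2)
                if findings["product"].lower() == "microsoft-iis":
                    findings["os"] = IIS_TO_OS.get(m.group(2), "unknown Windows release")
    return findings


def grab_banner(host, port, timeout=3.0):
    """Fetch a live banner from a server you administer (not used by audit())."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        if port != 25:                   # SMTP speaks first; HTTP needs a request
            s.sendall(f"HEAD / HTTP/1.0\r\nHost: {host}\r\n\r\n".encode())
        return s.recv(1024).decode(errors="replace")


def audit(banners=SAMPLE_BANNERS):
    """Map each probed service to its disclosures; an empty dict means nothing leaked."""
    return {f"{h}:{p}": analyze_banner(h, p, b) for (h, p), b in banners.items()}
```

Run `audit()` against banners captured from your own servers before and after changing or disabling them; a service is done when its entry comes back empty.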

In the “Predicting External Threats to Your Network” Design Scenario, you will evaluate a scenario and predict the different types of external threats to the network.

Design Scenario: Predicting External Threats to Your Network


A large chain of toy stores operates a Web storefront that accepts credit card orders over the Internet for toys to be shipped to the customer. The web server is running IIS 6 on Windows Server 2003, Enterprise Edition. The application uses a SQL Server database, located on another Windows Server 2003 machine, to store the customer, order, and inventory data. The only connections to the web server from the Internet are on port 80 (WWW) and port 443 (SSL).

Question: What are some of the external threats to this company?

Answer: One of the external threats that could be brought against this web server is a denial of service attack. The DoS attack could be launched to prevent real customers from accessing the site. Another potential target is the customer’s data, including credit card numbers, which could be compromised and disclosed. Once an attacker determines the operating system and the services that are running, he or she will try all known vulnerabilities against them, in this case against IIS and Windows Server 2003, in order to gain access to the server.


Predicting Threats with Threat Modeling

In order to properly allocate your security resources, you should understand which threats are more likely to affect your organization. Threat modeling is the process of predicting threats and vulnerabilities to assets in your organization. Determining these threats will make for a more efficient use of your information security resources. Threat modeling can be further eased by categorizing the threats. You can use the STRIDE threat model to categorize the threats against your network. STRIDE is an acronym whose letters stand for the following threat categories:

(S)poofing identity Identity spoofing can be as simple as an attacker obtaining the username and password of a valid user and then illegally using those credentials to access the resources of the target organization. Another form of spoofing is server spoofing, in which an attacker uses a server to simulate another server in the hope of gathering data that would normally be available only to the real server. A common example of server spoofing is web spoofing, which is usually accomplished by taking advantage of mistyped URLs in a browser. The attacker registers the domain amszon.com, which is only one character away from the real Amazon.com, and then creates a website on amszon.com that looks like Amazon.com. When the user’s browser loads the bogus site, it prompts the user for credit card information or other personal data, which the user believes they are sending to Amazon.com; the connection could even be protected by SSL. The point is that the attacker is spoofing the identity of the trusted web server and the user is unaware that they mistyped the URL. This could happen to any e-commerce site to which customer data, such as credit card information, is sent.

(T)ampering with data This threat category describes situations in which data is maliciously altered on the target machine. For example, data is tampered with when a website gets hacked and the attackers modify the original content and incorporate their own.

(R)epudiation This occurs when a user denies performing an action and the target has no way of proving otherwise. For example, a file is deleted by a user, the user denies deleting the file, and the administrative team has no logging mechanism to prove that the user did, in fact, delete the file.

(I)nformation disclosure Information disclosure occurs when someone gains access to data that they should not have access to. An example of information disclosure is when a file containing the salaries of employees is left improperly secured and is viewed by someone who should not have access to it.

(D)enial of service In a denial of service (DoS) attack, a service is denied to valid users, usually because the service is overwhelmed with requests. An everyday example would be someone creating a program that auto-dials your work phone number, preventing valid callers from getting through. In network terms, a denial of service occurs when a server or service is overloaded by malicious requests and is prevented from receiving valid requests. If there are multiple attackers, usually because an attacker has taken control over several computers that will be used to launch the attack, it is referred to as a distributed denial of service (DDoS) attack.

(E)scalation of privilege Escalation of privilege occurs when an unprivileged user gains privileged access illegitimately. When this happens, an attacker can assume the privileges of the trusted system itself. This typically occurs when a service is hijacked to run code of an attacker’s choice. If the attacker can force the service to run code on their behalf, the code will run in the security context of the service, which in the case of some services, may be the LocalSystem account or, worse, a domain-level administrative account.

Now that you’ve learned the categories of the threats that you will face, you’ll need to determine where the attack will come from. Although most companies spend most of their security budget securing their network from outside attacks, many studies have shown that attacks are more likely to come from within your organization.

In order to better predict the threats that your organization is likely to encounter, you should use a threat model like the STRIDE threat model. To use a model, you’ll need to complete the following steps:

Define the scope You’ll need to first decide what it is that you will be evaluating, specifically which hardware and which software packages will be included in your model. This allows you to focus only on the target of the model as opposed to an entire organization. The scope could be a specific web server, or even a specific application running on the specified server.

Create a team Next, you will need to build a team with a wide variety of technical skills and experience. A diverse team allows each object of the model to be evaluated from different perspectives. It is considered best practice to include only people with a limited stake in the outcome of the project, to prevent selective disclosure of the exposed risk. Avoid choosing an individual who was responsible for configuring a server that will be evaluated, as he or she may not disclose the vulnerabilities they have caused.

Predict threats The final step in your model will be to have your team meet and brainstorm to identify all of the potential threats to the subject of the model (such as the web server, the e-mail server, etc.). You should use whiteboards and all pertinent documentation (for example, product documentation, white papers, etc.).

When predicting threats, you will first identify the type of threat, define the threat itself, determine the probability that the threat will be carried out, and determine the degree of the effect an attack will have on your organization. Table 2.2 is a sample STRIDE threat model of an e-commerce web server.

Table 2.2: Predicted Threats Based on STRIDE Model

| Type | Threat | Probability | Impact |
|---|---|---|---|
| Spoofing identity | Hacker obtains valid user credentials to access the site. | Medium | Critical |
| Tampering with data | An attacker changes the prices of products and services listed on the site. | Medium | Moderate |
| Repudiation | Attacker purchases items from the Web commerce system and later denies the purchase. (No IP logging enabled.) | Low | Low |
| Information disclosure | Customer credit card data is accessed from the company’s website. | Medium | Critical |
| Denial of service | Attack prevents legitimate customers from accessing the site. | High | Critical |
| Escalation of privilege | An attacker injects code that runs in the context of a trusted account, such as LocalSystem; the attacker can now operate as the system. | Medium | Critical |






MCSE: Windows Server 2003 Network Security Design Study Guide (Exam 70-298)
ISBN: 0782143296
Year: 2004
Pages: 168
