Threats to Network Security
Many threats to network security exist. Attackers are opportunistic and typically take the path of least resistance. This means they choose the most convenient route and exploit the most well-known flaw. Threats to network security can include denial-of-service attacks, disclosure, and destruction or alteration of information.
DoS Attacks
Many times denial-of-service (DoS) attacks are a last-ditch effort by malicious users to bring down a network. The thought process is that if they cannot have access to the network, no one else should, either. Some common DoS attacks include these:
- Ping of death: An oversize packet is illegal but possible when fragmentation is used. When the fragments are reassembled at the receiving end into a complete packet, it can cause a buffer overflow on some systems.
- Smurf: Uses a spoofed ping packet addressed to the broadcast address, with the source address set to the victim. Every host that answers floods the victim with ping responses.
- Teardrop: Sends malformed packets whose fragmentation offset values are tweaked so that the received fragments overlap. These overlapping fragments crash or lock up the receiving system, causing a denial of service.
- Land: Sends a packet whose source and destination IP address and port are identical. The receiving system typically does not know how to handle these malformed packets, so it freezes or locks up, causing a denial of service.
- SYN flood: Instead of targeting the Internet Control Message Protocol (ICMP) or Internet Protocol (IP), a SYN flood disrupts the Transmission Control Protocol (TCP) by sending a large number of spoofed packets with the SYN flag set. These half-open connections fill the buffer on the victim's system and prevent it from accepting legitimate connections.
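Each of the five DoS signatures above can be recognised from packet header fields alone, which is how an intrusion detection sensor flags them. The following added example (not from the original text) implements that detection over a constructed trace; the Pkt record, the trace itself and the SYN-count threshold are assumptions for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass, field
@dataclass
class Pkt:  # hypothetical decoded-packet record; length > 0 marks an IP fragment
    src: str
    dst: str
    proto: str                               # "tcp" or "icmp"
    sport: int = 0
    dport: int = 0
    flags: set = field(default_factory=set)  # TCP flags, e.g. {"SYN"}
    icmp_type: int = -1                      # 8 = echo request
    ip_id: int = 0                           # shared by all fragments of one datagram
    frag_off: int = 0                        # fragment offset in bytes
    length: int = 0                          # payload bytes carried by this fragment
def is_land(p):  # Land: identical source/destination address and port
    return p.proto == "tcp" and p.src == p.dst and p.sport == p.dport
def is_smurf(p, broadcast):  # Smurf: ICMP echo request aimed at a broadcast address
    return p.proto == "icmp" and p.icmp_type == 8 and p.dst in broadcast
def fragment_findings(pkts):
    """Teardrop: a fragment starts inside the one before it; ping of death: >65535 bytes."""
    groups = defaultdict(list)
    for p in (q for q in pkts if q.length):
        groups[(p.src, p.dst, p.ip_id)].append(p)
    findings = []
    for key, frags in groups.items():
        end = 0  # byte just past the highest fragment seen so far
        for f in sorted(frags, key=lambda f: f.frag_off):
            if f.frag_off < end:  # a retransmitted duplicate trips this as well
                findings.append(("teardrop", key))
                break
            end = f.frag_off + f.length
        if end > 65535:  # largest legal reassembled IP datagram
            findings.append(("ping_of_death", key))
    return findings

def syn_flood_targets(pkts, threshold):  # SYN flood: many bare SYNs (no ACK) to one socket
    syns = defaultdict(int)
    for p in pkts:
        if p.proto == "tcp" and p.flags == {"SYN"}:
            syns[(p.dst, p.dport)] += 1
    return sorted(k for k, n in syns.items() if n >= threshold)

TRACE = [  # constructed sample, not a real capture
    Pkt("10.0.0.5", "10.0.0.5", "tcp", 139, 139, {"SYN"}),                      # land
    Pkt("192.0.2.9", "10.0.0.255", "icmp", icmp_type=8),                        # smurf
    Pkt("192.0.2.7", "10.0.0.8", "icmp", ip_id=1, frag_off=0, length=1400),
    Pkt("192.0.2.7", "10.0.0.8", "icmp", ip_id=1, frag_off=1000, length=1400),  # overlaps
    Pkt("192.0.2.3", "10.0.0.8", "icmp", ip_id=2, frag_off=0, length=65000),
    Pkt("192.0.2.3", "10.0.0.8", "icmp", ip_id=2, frag_off=65000, length=1000), # oversize
] + [Pkt(f"203.0.113.{i}", "10.0.0.80", "tcp", 40000 + i, 80, {"SYN"}) for i in range(200)]
```

Running `fragment_findings(TRACE)` and `syn_flood_targets(TRACE, 100)` against the trace reports one teardrop group, one ping-of-death group and one flooded socket; real sensors apply the SYN count per time window rather than over a whole capture.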
Disclosure Attacks
Disclosure attacks seek to gain access to systems and information that should not be available to unauthorized individuals. As a CISSP candidate, you should be aware of these attacks and their potential effects. They include the following:
- Sniffing: This rather passive form of attack requires that the attacker gain some type of access to the network. It is easy to perform if the network uses hubs. The goal is to uncover sensitive information, which is made possible by the fact that many protocols, such as the File Transfer Protocol (FTP), Telnet, and the Simple Mail Transfer Protocol (SMTP), send usernames and passwords in clear text.
- ARP poisoning: This attack is usually used to redirect traffic on a switch. Because switches do not send all traffic to all ports as a hub does, attackers must use ARP poisoning techniques to put themselves in the middle of a data exchange. Once this has been achieved, the attacker can attempt a series of attacks, including sniffing and interception of confidential information.
- DNS spoofing: Much like ARP poisoning, this attack attempts to poison the Domain Name System (DNS) resolution process. Individuals who succeed have their fake DNS entry placed into the victim's DNS cache, and victims can then be redirected to the wrong Internet sites.
- Pharming attack: Pharming exploits are another type of attack that misuses the DNS protocol. Normally DNS is responsible for translating web addresses into IP addresses. Pharming attacks hijack DNS and force it to redirect Voice over IP (VoIP) or other traffic to a location of the attacker's choice. This allows the attacker to take control of VoIP calls, which means that your phone call might no longer be private and could be monitored.
- Phishing attack: This social-engineering attack attempts to lure victims into disclosing confidential information. The attacker typically tries to trick the victim by sending a fake email that appears to be from a legitimate bank or e-commerce vendor. The supplied link to the organization's website appears real but actually leads to a site hosted by the attackers.
- War dialing: This old-school attack is based on the premise that if the attacker can successfully connect to the victim's modem, he might be able to launch an attack. War-dialing programs dial a predetermined range of phone numbers in the hope of finding one that is connected to an open modem. The threat of war dialing is that the compromised host then acts as a gateway between the network and the Internet.
- War driving: War driving (along with its variants war flying, war boating, and war walking) is the practice of moving around an area to find wireless access points. Many individuals who perform this activity look specifically for unsecured wireless networks to exploit. The primary threat is that these individuals might then have a direct connection to your internal network or unrestricted Internet access.
- Spyware: Spyware is a broad category of illicit programs that can monitor Internet activity, redirect you to specific sites, or barrage you with pop-up ads. Spyware is usually installed on a computer through some form of browser hijacking or when a user downloads a program that has the spyware bundled with it. Spyware typically works by tracking and sending data and statistics via a server component installed on the victim's computer. Spyware programs can result in a loss of confidentiality.
- Viruses/worms: These programs are created specifically to invade computers and networks and wreak havoc on them. Some display only cryptic messages on the victim's machine, whereas others are capable of disclosing information, altering files, or informing others so that they can victimize your computer. The big difference between viruses and worms is that viruses cannot spread on their own. Worms are self-replicating and can spread so quickly that they clog networks and cause denial of service.
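ARP poisoning, described in the list above, leaves a footprint that a passive monitor on the segment can see: one IP address suddenly answers with a different MAC, and one MAC starts claiming several IP addresses (typically the gateway's and the victim's). The following added example (not from the original text) audits a constructed log of ARP replies for exactly those signs; the log, the `audit_arp` function and the static gateway mapping in `TRUSTED` are assumptions for illustration.

```python
from collections import defaultdict

# Constructed log of ARP replies seen on one segment: (time, sender IP, sender MAC).
# Not a real capture. Host .9 is the attacker, .1 is the gateway and .7 is the victim.
ARP_REPLIES = [
    (0, "10.0.0.1", "00:11:22:33:44:01"),
    (1, "10.0.0.7", "00:11:22:33:44:07"),
    (2, "10.0.0.9", "00:11:22:33:44:09"),
    (5, "10.0.0.1", "00:11:22:33:44:09"),  # .9 claims the gateway's IP
    (6, "10.0.0.7", "00:11:22:33:44:09"),  # .9 claims the victim's IP: now in the middle
    (7, "10.0.0.1", "00:11:22:33:44:01"),  # real gateway answers again, so .1 flaps
]
TRUSTED = {"10.0.0.1": "00:11:22:33:44:01"}  # static IP-to-MAC mapping for the gateway

def audit_arp(replies, trusted=None):
    """Return alerts in arrival order:
    spoofed_static - a reply contradicts a trusted static mapping;
    flip           - an IP's MAC differs from the one learned earlier;
    multi_ip       - one MAC has now claimed more than one IP."""
    trusted = trusted or {}
    learned = {}                      # ip -> last MAC seen for it
    ips_by_mac = defaultdict(set)     # mac -> every IP it has claimed
    alerts = []
    for ts, ip, mac in replies:
        if ip in trusted and trusted[ip] != mac:
            alerts.append((ts, "spoofed_static", ip, mac))
        elif ip in learned and learned[ip] != mac:
            alerts.append((ts, "flip", ip, f"{learned[ip]} -> {mac}"))
        learned[ip] = mac
        if ip not in ips_by_mac[mac]:
            ips_by_mac[mac].add(ip)
            if len(ips_by_mac[mac]) > 1:
                alerts.append((ts, "multi_ip", mac, sorted(ips_by_mac[mac])))
    return alerts

if __name__ == "__main__":
    for alert in audit_arp(ARP_REPLIES, TRUSTED):
        print(*alert)
```

A legitimate NIC replacement also produces a single flip, so the multi_ip and spoofed_static alerts are the ones worth paging on.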
Destruction, Alteration, or Theft
The destruction, alteration, or theft of data represents a serious threat to the security of the organization. These attacks cut to the heart of the organization by compromising a network and accessing items such as databases that contain credit card information. Even if regulatory requirements do not hold the organization liable, there is still the possibility of a serious public relations problem if one of these attacks occurs:
- Database attacks: These attacks target an organization's database. Although the techniques vary, the results are the same: malicious users can run their code on the victim's database server or steal information from the server. This is a serious threat to the integrity or confidentiality of the organization's data.
- Cellphone attacks: It's not hard to believe that Americans now spend more time talking on their cellphones than they do on land lines. With so many cellphones in use, there are numerous ways in which attackers can try to exploit their vulnerabilities. One is the practice of cloning. Cellphones have an electronic serial number (ESN) and a mobile identification number (MIN). Attackers can use sniffer-like equipment to capture these numbers from your phone and install them in another. The attacker can then sell or use this cloned phone.
Tumbling is another form of cellphone attack. Specially modified phones tumble, or shift, to a different pair of ESN/MIN numbers after each call. This technique makes the attacker's phone appear to be a legitimate roaming cellphone. First-generation (1G) cellphones were vulnerable to this attack; today most cellphones are second- (2G) and third-generation (3G) phones.
- Data diddling: This form of attack works by changing data as it is being keyed in or processed by a computer. It can include canceling debts without proper authority or assigning a large hourly pay increase to your salary. Tracking down the problem is difficult, and it could be months before the attack is uncovered.
- Identity theft: FBI statistics list identity theft as one of the fastest-growing white-collar crimes. Identity theft is the deliberate assumption of another person's identity, usually to gain access to that person's finances or to use his or her identity and credit history to purchase goods or services, establish credit, or receive loans under the victim's name. This form of attack can endanger the integrity and confidentiality of the victim's credit history.
- Password cracking: This type of attack targets an organization's passwords, which could belong to anyone from the CEO to the help-desk technician. Techniques include guessing, shoulder surfing, and dictionary, hybrid, and brute-force attacks. Dictionary password cracking pulls words from dictionaries and word lists to attempt to discover a user's password. Hybrid attacks start from the same dictionaries and word lists, then prepend and append characters and numbers to the words in an attempt to crack the user's password. Brute-force attacks work through combinations of numbers and characters to crack a user's password.
- Privilege escalation: Some computer operations require special privilege to complete their tasks and are executed as administrator, system, or root. Attackers examine the code that performs these operations in search of errors or other bugs. By injecting their code into these programs, they can sometimes execute their own commands with those privileges, giving them control of the computer.
- Salami attack: This financial crime works by taking small amounts of money over an extended period. For the attacker to be successful, he must remove an amount so small that it goes unnoticed.
- Software piracy: This illegal activity occurs when individuals or corporations distribute software outside its legal license agreement. Not only is software piracy morally wrong, but it also carries significant financial and legal penalties. Individuals who distribute pirated software can face felony charges and be jailed for up to 5 years.
- Session hijacking: This attack allows an attacker to take over an existing connection. It is effective because most TCP services perform authentication only at the beginning of the session, so the attacker simply waits until authentication is complete and then jumps in and takes control. Applications such as FTP and Telnet are vulnerable to this attack.
- Spamming: Spam is unsolicited bulk mail. One of the real dangers of spam is that your organization's mail servers could be tricked into forwarding spam if they are not properly secured. Spammers don't want to send junk mail from their own domains, so they troll the Internet looking for open mail relays, which they then use to send junk mail.