Who Are the Attackers?
Who, from the perspective of an IT infrastructure, are internal attackers and external attackers? Internal attackers are commonly linked to disgruntled employees, contractors, or third-party users who, for whatever reason, have lost respect and integrity for the organization, including its IT infrastructure and its assets. External attackers are commonly linked to one of numerous attacker profiles or types. Figure 6.1 depicts a typical IT infrastructure and the domain between inside and outside threats.
Figure 6.1. Internal vs. external human threats to an IT infrastructure.
Attackers, whether they are internal or external to an organization, are the threat agents who exploit known or unknown vulnerabilities in an IT infrastructure.
By understanding more about the attackers, the risk and vulnerability assessor can "think like an attacker." In the next section, attacker types and their characteristics are presented. This knowledge helps the IT security professional understand who attackers are and how best to combat the kinds of attacks that they commonly engage in.
Attacker Types and Their Characteristics
Many terms and adjectives are used to describe an attacker of an IT infrastructure and its assets. Each type of attacker has a unique profile description along with unique and differentiating characteristics. These profile definitions along with differentiating characteristics are presented next:
- Black Hat Hacker Describes a technically proficient software programmer and information-security knowledgeable individual capable of conducting an attack on an IT infrastructure or its assets merely to prove vulnerabilities or technical prowess and usually without authorization or ethical conduct.
- Cracker Describes an expert software programmer who is capable of programming scripts, solving complex programming problems, and reverse engineering software. Hacker and Cracker are synonyms and used interchangeably, but the Cracker has specific expertise in reverse engineering software and complex programming problems.
- Cyber-Terrorists/Cyber-Criminals Describes an individual or groups of individuals who are funded to conduct clandestine or espionage activities on governments, corporations, and individuals in an unlawful manner. These individuals typically engage in sponsored acts of defacement, DoS/DDoS attacks, identity theft, financial theft, or worse, compromising critical infrastructures in countries, such as nuclear power plants, electric plants, water plants, and so on.
- Disgruntled Employee Describes an employee who has lost respect and integrity for the employer. This is potentially a risk if the employee was fired or terminated without cause, was slighted a deserved promotion or increase in compensation, or was wrongly blamed for a situation. A disgruntled IT employee is potentially a critical threat to an organization, especially if access rights and privileges were provided and managed by the individual.
- Hacker Describes an expert software programmer who is capable of programming scripts, solving complex programming problems, and reverse engineering software. Hacker and Cracker are synonyms and used interchangeably, but the Cracker has specific expertise in reverse engineering software and complex programming problems.
- Phreakers Describes telecommunication and PBX system attackers who break into service provider or corporate telecommunications networks and then exploit and illegally use or provide access to their telecommunication services. This includes physical theft, stolen calling cards, access to telecommunication services, reprogramming of telecommunications equipment, and compromising user IDs and passwords to gain unauthorized use of facilities such as voice mail.
- Program Cracker/Hacker Describes a Cracker/Hacker who has specific expertise in reverse engineering software programs and, in particular, software license registration keys used by software vendors when installing software onto workstations or servers.
- Script/Click Kiddies Describes younger attackers who use widely available freeware vulnerability assessment tools and hacking tools that are designed for attacking purposes only. These attackers typically do not have any programming or hacking skills and, given the techniques used by most of these tools, can be defended against with the proper security controls and risk mitigation strategies. Script Kiddies and Click Kiddies are synonyms; the term click comes from the fact that many tools are automated and have GUI interfaces with buttons to click to launch an attack.
- System Cracker/Hacker Describes a Cracker/Hacker who has specific expertise in attacking vulnerabilities of systems at the operating-system level. These individuals get the most attention and media coverage because of the globally impacting viruses, worms, and Trojans that they create. System Crackers/Hackers perform interactive probing activities to exploit security defects and security flaws in network operating systems and protocols.
- Whackers A whacker was previously a novice or apprentice hacker studying and learning to become a hacker. With the deployment of wireless LAN and WAN technology, hackers who attack wireless LANs and WANs are becoming known as whackers who focus their attacks on wireless networks.
- White Hat Hacker Describes an ethical information security professional who conducts intrusive penetration tests on IT infrastructures and their assets as part of an overall risk and vulnerability assessment project. A White Hat Hacker is a technically proficient software programmer and information security knowledgeable individual who conducts attacks on an IT infrastructure or its assets with full authorization by the organization.
Who Is the Greatest Threat?
The greatest threat to an organization and its IT infrastructure and assets is its internal employees, contractors, and third-party users who have access to the organization's IT infrastructure and its assets. Providing access rights and privileges to internal employees who work with the organization's confidential data and information potentially represents the largest exposure to risk, hence the need for proper human resource procedures when hiring and employing personnel who will be accessing confidential systems and data. Proper background checks, AUPs, and confidentiality agreements must be completed for new employees or IT employees who will have access to confidential systems and data. These instruments are the only protection an organization has to prevent an attack made by an internal employee or, worse, an internal IT employee. The disgruntled employee represents the single greatest threat to an organization, although the more popular or media-covered security breaches are typically initiated by external attackers.
Insecure Computing Habits Are a Threat
The second greatest threat to an organization and its IT infrastructure and assets is its employees' insecure computing habits. These insecure computing habits typically include the following:
- Sharing and exchanging disk media Employees and users, whether trusted or not, commonly share data and files on CD-ROMs, USB thumb drives, or floppy disks, all of which are subject to threats from malicious code and malicious software if not properly scanned and quarantined.
- Installation of unauthorized or pirated software Employees and users commonly load unauthorized personal software applications (IM Chat, KAZAA, for example) or pirated software on their company-owned laptops and workstation devices. This can lead to threats from unknown software and data files that are loaded onto the company-owned laptop or workstation as well as software licensing infringements by the employee or user.
- Downloading and installation of files Worse yet is the downloading and installation of freeware or other software applications that may have embedded malicious code or malicious software, such as spyware or adware that examines the cookies and previous Internet destinations of the user's workstation browser and builds a target profile of the user's habits and likes.
- Use of email for communications and file transfers Employees and users today rely on email communications as the primary business communication tool. Email as a means for file transfer is also another primary application. If the recipient of the email believes it comes from a trusted user, then what is to prevent the user from clicking an email attachment? Hiding a virus, worm, or Trojan in an email attachment that employees and users commonly click is the easiest way to inject a malicious code or malicious software attack into the system.
- Carelessness with confidential information Employees, contractors, and third-party users are often careless with an organization's confidential information and data. This carelessness can be as simple as losing a laptop computer, leaving confidential documents in the back seat of the car, or leaving the computer screen on while the user leaves the work area.
Disgruntled Employees Are a Threat
The third greatest threat that an organization may face is the result of poor firing and termination procedures for employees and, more importantly, IT employees. Many security breaches, both reported and unreported, originate internally to the organization, are perpetrated by current or former employees, and are often undetected because of weak or inefficient human resource procedures and guidelines for the firing and termination of employees. This is particularly important if IT personnel are fired and terminated, with or without cause, or if the employee was slighted a well-deserved promotion, or if other circumstances occur that may lead an employee to lose respect and integrity for the employer. By the time the IT manager or department notifies human resources of the employee termination and human resources notifies the IT manager or department that it was done, the attack could have already happened. In some organizations, it takes days or even weeks before a configuration move, add, or change request is completed, depending on the backlog of trouble tickets and access control procedures; or the request is lost and access is never removed until an audit uncovers this loose end.
Organizations must implement proper security controls so that the appropriate human resources and IT personnel delete inactive user accounts and access privileges as the final step of the termination process. Without proper security controls and procedures, such as immediate removal of all access rights and privileges to company-owned IT resources, systems, and applications, an organization may be subject to one of the following threats caused by a disgruntled IT employee:
- Unauthorized access This occurs when an attacker accesses an IT infrastructure and its assets without permission or authority to do so. The attacker willingly and knowingly accesses IT systems, resources, and data, and depending upon motives, may do damage or leave unnoticed and undetected.
- Privilege escalation This occurs when an attacker exploits a software vulnerability such as a buffer overflow error, and through cracking and hacking steps is able to increase access rights and privileges on the system. This is called privilege escalation and is a critical threat because system administrator rights may be compromised, thus leaving the system and its data unprotected.
- Disclosure This occurs when the attacker willingly and purposely releases confidential information about an individual or organization that is damaging and done with malice.
- Destruction or defacement of data This occurs when the attacker willingly and purposely attacks by destroying data or defacing websites; it is similar to graffiti on city walls and buildings.
- Use of organization's IT infrastructure and IT assets to initiate an outside attack This occurs when the attacker compromises someone else's IT infrastructure and assets and launches an attack from that infrastructure, thus putting an additional layer of protection and anonymity on the attacker.
- Accidental or intentional release of malicious code or malicious software This occurs when the attacker knowingly and purposely launches a virus, worm, or Trojan on the organization's IT assets, thus spreading the mass infection throughout the organization.
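One way to put the final-step control described above into practice is a periodic reconciliation of the account directory against the HR roster, so that access left behind by a termination is found before an audit has to find it. The check below is an added example, not code from the book: it flags enabled accounts whose owner has been terminated (with how many days the access has lingered), accounts with no owning employee on record, and accounts unused past a dormancy threshold, listing privileged accounts first. The record fields, names and dates are constructed for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Record shapes are this example's own assumptions, not a real HR or directory schema.
@dataclass
class HrRecord:
    employee_id: str
    status: str                  # "active" or "terminated"
    terminated_on: Optional[date] = None

@dataclass
class Account:
    username: str
    employee_id: Optional[str]   # None when no owner is recorded
    enabled: bool
    last_login: Optional[date]
    privileged: bool             # administrator-level rights

def audit_accounts(hr, accounts, as_of, dormant_days=90):
    """Flag enabled accounts that are orphaned, owned by a terminated employee, or dormant."""
    roster = {r.employee_id: r for r in hr}
    findings = []
    for acct in accounts:
        if not acct.enabled:
            continue                 # already disabled: not an exposure here
        owner = roster.get(acct.employee_id) if acct.employee_id else None
        if owner is None:
            issue, detail = "orphaned", "no matching HR record"
        elif owner.status == "terminated":
            lag = (as_of - owner.terminated_on).days   # how long access lingered
            issue, detail = "terminated_but_enabled", f"{lag} days after termination"
        elif acct.last_login is None or (as_of - acct.last_login).days > dormant_days:
            issue, detail = "dormant", f"no login in over {dormant_days} days"
        else:
            continue
        findings.append({"username": acct.username, "issue": issue,
                         "detail": detail, "privileged": acct.privileged})
    findings.sort(key=lambda f: (not f["privileged"], f["username"]))  # privileged first
    return findings
# Constructed sample data; every name and date below is made up for this example.
HR = [HrRecord("E100", "active"), HrRecord("E101", "terminated", date(2024, 5, 3)),
      HrRecord("E102", "active")]
ACCOUNTS = [Account("jdoe", "E100", True, date(2024, 6, 1), False),
            Account("rsmith-adm", "E101", True, date(2024, 5, 2), True),
            Account("svc_backup", None, True, None, True),
            Account("mlee", "E102", True, date(2024, 1, 15), False)]

def run_sample_audit():
    return audit_accounts(HR, ACCOUNTS, as_of=date(2024, 6, 10))
```

Run against the sample data, the audit reports the administrator account of the terminated employee first (38 days after termination), then the ownerless privileged service account, then the dormant user account.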