Everything Is a Weapon

One of the biggest reasons everything is a target is because nearly everything can be used as a weapon, and an attacker is motivated to acquire weapons to wield against future targets. So, nearly every successful attack has not only a direct result for the attacker, but an indirect result in that the attacker gains an additional weapon to use against new targets. For example, if an attacker is able to compromise a Dynamic Host Configuration Protocol (DHCP) server, consider the potential next step:

• The attacker could stop the DHCP service after expiring all leases and cause every system that needs a dynamic address to no longer have network connectivity.
• The attacker could use the DHCP server to launch an attack in which the trust that other systems have in the DHCP server is exploited to gain access to additional systems.
• The attacker could leave the DHCP server running but change the DHCP configuration to send malicious DNS server and default gateway information to the client. This malicious data appears valid to the client but redirects DNS queries and off-net traffic through the default gateway to the attacker's IP address, not the real servers and routers. Then all the client's off-net traffic is redirected through the attacker, where it is vulnerable to sniffing and MITM attacks.

In all but the first and easiest attack example, the attacker utilizes the DHCP server as a means to attack other systems. Since nearly all of the most devastating break-ins require several steps on the part of the attacker, the notion of using your own systems as weapons against you is critical for the attacker's success. If your organization is the target of a directed attack from resourceful, dedicated attackers, which of the following attack scenarios is easier to successfully complete for the attacker?

• Penetrate through the corporate firewall where your company might have IDS deployed and resources monitoring for malicious activity.
• War dial (dial all phone numbers in a range searching for modems) in an attempt to find an internal system accessible by modem with a weak password. Even though you might have a policy against insecure modems in your network, it doesn't mean everyone has read and understands the policy. It also doesn't guarantee that an inadvertent error wasn't made. Once connected to that internal system, the attacker can use the victim as a "jump host" from which to attack more critical areas of the network.

The war-dialing example is far more likely to yield a good result for the attacker. If you put yourself in the attacker's place and assume the attacker has some knowledge of your environment, you often find that the things you must protect and the ways in which you must protect them are very different than the countermeasures you currently have deployed.

Although our first two examples center on an attacker using your existing systems as weapons, this will not always be the case. Attackers could introduce devices into your network as a means to further their goals. Consider the following attack sequence in which an attacker introduces an insecure WLAN network to a location without any WLAN connectivity:

1. Attacker purchases low-cost WLAN AP from the local electronics retailer.
2. Attacker dresses in a manner similar to other workers at your company ("business casual" dress makes this even easier).
3. Attacker "tailgates" a legitimate employee and gains physical access to your building.
4. Attacker makes a quick stop in an empty conference room, attaches the AP to the underside of a conference room table, plugs into the CAT-5 jack, and makes a hasty exit.
5. Attacker now has direct local access to your network, and it's likely you'll never catch such an intruder.

Even if your organization has chosen not to deploy a certain technology because of the security risks (in this case, wireless LAN), nevertheless that technology's vulnerabilities can be used as a weapon against you.