Secure Messaging with MicrosoftВ® Exchange Server 2003 (Pro-Other)

A complete discussion of all of the possible risks to your network and computers could fill several books. Some of these threats, of course, are much more likely than others ”the risk that copper will suddenly stop conducting electricity, although real, is pretty remote, whereas the risk that a worm or a virus will attack your network is regrettably large. It s helpful to have a system to categorize threats in several ways, including by target, type, and severity.

What Makes a Target?

Everyone knows something confidential. Likewise, every company, no matter how small, has at least some data that it would prefer to keep confidential. Some companies (particularly those in the financial services or defense manufacturing industries) have data that is well worth stealing. Other companies might find themselves targeted because of what they do, who they employ , or where they re located. However, because most attacks are initiated by worms and viruses, most victims are randomly targeted. Targets can be grouped into three general categories:

• Opportunistic targets are just that; they get attacked simply because they re there. Many attackers are looking for any system to attack, not a particular one. This is especially true for springboard attacks, in which an intruder compromises a machine solely to use it as a launch point for attacks on another (and probably better defended) target. Port scans and Domain Name System (DNS) zone transfers are common ways to map potential targets on a network. Follow-up probes can check for specific vulnerabilities that can be exploited.

• Incidental targets end up getting attacked as part of an attack on another system. For example, one variant of the CodeRed worm was programmed to attempt a distributed denial of service (DDoS) attack on the http://www.whitehouse.gov Web site. Machines that were compromised by this worm were incidental targets, because the real purpose of the attack was to flood the Internet Protocol (IP) address of the White House Web site with traffic. (Fortunately, the designer made a simple implementation mistake that made the attack easy to prevent!)

• Targeted systems are attacked because of the data they contain or the role they play. Critical infrastructure systems, like emergency dispatch centers, telephone switches, or public-utility control systems, are frequently (if unsuccessfully) targeted because disruptions to these systems cause great upset. More ominously for Microsoft Exchange administrators, messaging or storage systems at particular businesses are often targeted for penetration or denial of service (DoS) attacks. Potential attackers include current or former employees (one large financial services firm that I know of loses more than five times more money to internal thefts than to external ones each year) or people seeking monetary gain, revenge , or prestige in the hacker community. During the 1990s, a little-publicized series of attacks stole several millions of dollars from Citibank (although the attacker was eventually caught), and a number of successful attacks against Web sites of media outlets (including USA Today , the New York Times , CBS News, and CNN) catapulted the attackers to temporary notoriety. Of course, e-mail systems are often targeted as part of attacks on other systems because an attacker can use the system to monitor the security staff s efforts to catch them by reading their e-mail!

You might think that no one would ever intentionally target your systems because your organization is too small to bother with, or none of your data or resources are valuable enough to attack. You might even be correct in thinking that (although, as I pointed out earlier, even small, unknown companies generally have information of value to dishonest employees or competitors ). However, because most attacks are incidental or opportunistic, it s well worth taking good protective measures just in case.

Attack Versus Defense

In war, the advantage typically goes to the defense because in infantry and armor combat the defender can prepare defensive positions that play to the strengths of the defenders equipment and terrain by forcing the attacker into predictable positions or actions. Regrettably for us, the opposite principle is true of computer security: the attacker has significant advantages that we cannot always counteract. Michael Howard of Microsoft has set forth a set of four principles that neatly sum up the problem we as administrators face:

• Coverage The defender must defend all points of vulnerability, including workstations, servers, stored passwords, communication links, and network access devices. The attacker can choose which point, or points, he or she attacks.

• Knowledge The defender can only defend against vulnerabilities he or she knows about. The attacker is free to study the systems and networks to find new vulnerabilities and exploits for them. That means that you must stay alert to new classes of attacks and new vulnerabilities as they emerge.

• Vigilance The defender must be constantly vigilant. The attacker can strike at will. Prime times for attacks are Sunday nights, any time during long weekends, or major holidays like Christmas or New Year s ”all times when administrators are less likely to be vigilantly watching for signs of an attack.

• Fair play The defender has to play by the rules, but the attacker can fight dirty. In particular, attackers can use specialized hardware or software; they can attempt to trick employees into giving them passwords, network addresses, or other useful bits of information about the network or systems, and they can gang up on a target. For major attacks, it s not inconceivable that an attacker might try to physically coerce key employees into giving up their credentials or other information useful to an attacker.

As you read the material on classifying threats and on applying the two threat models covered in this chapter to your own work, remember these principles ” forgetting them can cost you dearly!

Classifying Threats

In his famous speech in the Book of Mormon, King Benjamin says, I cannot tell you all the things whereby ye may commit sin; for there are diverse ways and means, even so many that I cannot number them. (See http://scriptures.lds.org/mosiah/4/29 .) So it is with security threats: clever attackers are continually finding new vulnerabilities in software, systems, and communications protocols, so it s very difficult to come up with a comprehensive list of potential attacks that will remain useful over time ”especially because new software and hardware releases from our vendors can introduce new vulnerabilities that we might not find out about until after they ve been exploited. Worse, as attackers discover new vulnerabilities, there s no guarantee that the vendors will find out about them until they begin to be exploited!

Rather than a checklist of attack methods , it s more useful to classify threats into general categories, with a few specific examples of each:

• DoS attacks are designed to keep legitimate users from using a resource. If someone blocks my car into a parking space, that s an effective DoS attack, because I can t move my car until the obstructing vehicle moves. One common network-based DoS is flooding, in which a target system s Internet connection is overwhelmed with meaningless traffic. It is not uncommon to see DoS attacks that involve sending specially malformed data to a service on the target machine. That data exploits programming flaws that cause the service to crash or hang, or to consume all of the CPU resources or RAM on the target server.

• DDoS attacks are a pernicious variant of ordinary DoS attacks. Imagine if a crew of miscreants simultaneously used every pay phone in New York City to dial 911 ”the 911 dispatch center would quickly be overwhelmed, and legitimate calls couldn t get through. That s the evil genius behind DDoS attacks; they leverage many compromised machines that focus their efforts on a single target. Participating machines are typically compromised either by a worm or a Trojan; once compromised, they can attack the target on a coordinated schedule or when directed to by the original attacker.

• Penetration attacks involve gaining surreptitious access to a network. For example, an increasingly common penetration tactic is using software like NetStumbler ( http://www.netstumbler.org ) to find poorly protected wireless local area networks (WLANs), then attack them. Penetration attacks are usually a prerequisite to other types of attacks; sometimes an attacker s only goal is to penetrate a particular network so that it can be used as a jumping- off point for attacking a different network. Most penetration attempts are never reported to law enforcement, and I would venture to say that until recently, the majority of attempts went completely undetected by the target ” not exactly a comforting thought.

• Spoofing attacks are those in which some kind of data is falsified. If you ever get unsolicited commercial e-mail (UCE, better known as spam ), you ve probably seen at least one kind of spoof, in which the e-mail headers for the sending domain are falsified. Other spoofs include the injection of fake DNS records or rogue DNS or Dynamic Host Configuration Protocol (DHCP) servers into a network, as well as more obvious attacks like falsifying or modifying data in databases, file shares, or messages.

  Note	Hormel, the owner of the trademark for SPAM ¢, has been very generous in allowing the use of spam to refer to UCE. As someone who ate SPAM three or four times a week while growing up, I applaud them for this and ask that you use spam for referring to UCE and SPAM for making spaghetti.

• Escalation of privilege attacks are quite serious. Thanks to the access control mechanisms that Microsoft Windows implements (see Chapter 3, Windows and Exchange Security Architecture ), an ordinary user doesn t have privileges to do really destructive or dangerous things. Administrators, however, do. Privilege escalation attacks depend on flaws in the operating system that let an ordinary user gain administrative privileges. These flaws can be exploited by unscrupulous users, attackers who can gain physical access to the machine, or attackers who trick legitimate users into running Trojans. (See Law #1, Appendix A, The Ten Immutable Laws. )

• Information disclosure attacks attempt to steal useful or interesting information. They range from the exotic, like using high-gain wireless antennae to sniff corporate 802.11 signals from out in the parking lot or across the street, to the mundane, like rifling through the company dumpster looking for incriminating documents. This kind of thing sometimes happens to security companies, too; try doing a Web search for Mykotronx dumpsters and see what you find! Most commonly, these attacks are accomplished by using privilege escalation or penetration attacks to get the attacker into the system where the target data are stored.

• Information compromise attacks have as their object the covert modification, substitution, or creation of data. As with disclosure attacks, these attacks are usually undertaken after a successful penetration or privilege escalation attack gives the malefactor access to the needed systems. These are similar to spoofing attacks, but the distinction between them is that spoofing attacks concentrate on falsifying identities or services (for example, the address of a legitimate DNS server for a domain), whereas compromise attacks target data stored on a system (for example, the value of an oil and gas drilling lease or the amount of revenue a company has booked in the year to date).

• Virus or worm attacks are usually opportunistic, but they can be quite damaging . These attacks could lead to other types of attacks; I already mentioned the CodeRed DDoS payload, and it is not uncommon for worms or viruses to carry Trojan payloads that allow remote compromise and exploitation of an infected system.

It s important to note that for some of these attacks, there s no practical distinction between network- borne attacks and those that arrive through other means. Of course, penetration, DoS, and DDoS attacks are dependent on network connectivity, but the other types discussed here are just as feasible from a local workstation as they are from some far corner of the Internet.