Computer systems open to intruders
By: Karel Goldmann, 10. 11. 2008

Potential attackers against computer systems can be found in various environments; their typical common denominator is that they have enough resources and means to mount their attacks. One of the most specific features of a computer attacker is the intention to do harm. It is important to note that apart from deliberate threats, our systems and information are also exposed to other risks arising from the context of the whole computer system security concept.

There are several categories of potential attackers. Some countries are a base for well-organized and well-funded attackers. They use the services of agents abroad to collect secret or sensitive information from parties regarded as hostile, or from which the country can derive economic, military or political benefits. Individuals and groups such as hackers, crackers and pirates attack networks and systems by searching for vulnerabilities in operating systems, or for other errors (for example in applications) that can be abused. Cyberterrorists are individuals and groups operating at state level or internationally, representing various terrorist or extremist groups. They use violence or the threat of violence to invoke fear, with a view to forcing the state government or any other society to give way to their pressure. Another group comprises well-organized and well-funded criminal organizations that operate and coordinate criminal activities such as gambling, extortion, fraud, distribution of narcotics and many others. Criminal communities that are neither organized nor well-funded are also a potential source of cyber attack; they usually consist of a very small number of individuals, or of people acting individually. The media can also be guilty: some organizations collect (sometimes illegally) and distribute data in order to sell it to newspapers and other media, and they strive to collect a wide array of information.

Foreign and domestic companies operating on a competitive market can be involved in the illegal collection of information from competitors and from other countries in the form of industrial espionage. Angry, dissatisfied individuals may be able to do harm to local networks or systems. Such employees pose an internal threat whose magnitude depends on other circumstances, such as the job activities and access rights assigned to the employee. In addition to harmful attackers, one should not overlook the group of people who could damage a computer system unintentionally, out of negligence. This group includes employees of computer system operators who, for lack of training, motivating corporate culture, interest or attention, have become a threat to the computer system.

Motivations and possibilities of attackers

There are many different motivations to “get inside.” On one hand, some people act in a willful effort to reap business, military or personal rewards; on the other hand, there are those known as “hackers,” attackers who threaten the network only occasionally. Hackers include inexperienced experts, students and also young individuals with great expertise and talent. Most hackers are not proud of their ability to do damage, but simply seek to gain access so that the computer or network can be used for later experiments. Hackers often believe that by revealing weaknesses and “backdoors” in computer systems they help organizations remove the weaknesses, thus contributing to the security of the Internet and to the suppliers of the systems concerned. Other hackers, however, have a less “friendly” motivation to “get inside.”

Intelligence activities, information services and “psychological warfare” are some of the motivations behind attempts to gain access. Motivations for an attacker to focus on a specific target include: gaining access to classified or sensitive information (note: what is of high value for one person or organization may be worthless for another); tracking and monitoring the target’s operating activities; disturbing or interrupting the target’s operating activities; obtaining (stealing) money, products or services; gaining free access to resources (e.g. computational capacity or free network use); preventing access to the target; overcoming a “challenge”; and defeating a security mechanism.

When attacking a computer system, the attacker has to accept a specific level of risk, which may also be time-dependent. The attacker’s potential loss can significantly exceed the expected profit. The risk factors therefore include: disclosure of the attacker’s ability to perform other types of attacks; a defensive response that would prevent the success of any future attack, especially one whose profit would be much higher; punishment (e.g. fines, imprisonment, other problems); and threat to human life. The attacker is willing to accept only the level of risk that matches his motivations.

The attacker’s capabilities are limited by his ability to undertake the attacks. The main factors influencing the attacker’s abilities are the expertise and experience needed to undertake attacks, and the availability of the necessary resources. Greater possibilities on the attacker’s side result in a higher likelihood of attack. If the attacker has the necessary expertise, experience and resources and is willing to risk exposing himself and the resources, opportunity remains the only factor at play. Although the opportunity factor is not listed among the factors that influence the attacker’s possibilities, it is the last key element needed to mount an attack. Opportunity can take many forms, such as vulnerabilities of individual operating systems, misconfigured routers and firewalls, and unprotected modems connected to a computer system of interest. It is usually impossible to decrease the attackers’ possibilities, but it is feasible to decrease their opportunities.

Robert Gogela is an information security senior consultant at Asseco Czech Republic.
---

Types of attacks
Computer systems and networks are attractive targets for attacks. We can distinguish four main types of attacks against computer systems: passive, active, physical and internal.

Passive attacks

These attacks involve passive monitoring of communication on publicly available media such as radio, satellite, microwave and other switched networks. Typical precautions against this type of attack include the use of virtual private networks (VPN), networks protected by encryption, and physically protected network distribution systems. One example of a passive attack is open-text monitoring, where the attacker monitors the network to take hold of user data or organization data that is not protected against disclosure. Another is the deciphering of weak encryption, where the attacker focuses on analyzing insufficiently protected or incorrectly implemented encryption algorithms; cryptanalytic tools are available as freeware applications. Password sniffing is an attack in which protocol analyzers are used to capture passwords for unauthorized use. Traffic (operation) analysis evaluates the external characteristics of communication to provide the attacker with critical information without, for example, having to decipher the messages themselves. Changes in the character of traffic may indicate that counter-measures are being taken, so the attacker can avoid any surprises.

Active attacks

Active attacks include attempts to circumvent or break security functions, to introduce malicious code such as computer viruses, and to destroy data or system integrity. Typical precautions against active attacks include strong boundary protection such as firewalls, controlled network access based on authenticated identities, protected remote access, sound management and corporate audits, as well as automated tools for the detection of malicious code and breaches.

A typical active attack is acting as an authorized user or server. This attack conceals the identity of the attacker, who pretends to be someone else and thereby gains unauthorized access to resources and information: the attacker obtains the information used for user or administrator authentication and uses it to authenticate as an authorized user. This type of attack also includes the use of a false server, which can be used to retrieve sensitive information when the user, unaware of any danger, uses a service he considers reliable.

In abuse of system applications and operating systems, the attacker exploits a vulnerability in applications that run with system rights. Well-known attacks take advantage of vulnerabilities of Unix systems, and attention to vulnerabilities of Microsoft Corporation’s Windows systems has been growing recently. New vulnerabilities in miscellaneous applications are revealed daily; however, users can obtain information on various attacks, vulnerabilities and security patches for software in many discussion forums.

In abuse of node or network trust, the attacker exploits temporary trust relationships established so that services can handle files on virtual or remote computers. Attacks against services that allow file and service sharing among workstations in organizations’ networks are well known. In abuse of executable code, the attacker induces the user to execute malicious code by inserting it into seemingly harmless software. The malicious code may be used to destroy or modify files, especially if they contain privileged parameters and values; the macro viruses of the MS Office package are a well-known example. In abuse of protocol weaknesses, the attacker uses a weakness in a protocol to impersonate a user or reroute data. Attacks of this type include fake DNS servers used to obtain an unauthorized remote connection to a computer, “bombarding” via the ICMP protocol, routing traffic to a node posing as trustworthy, guessing TCP sequence numbers to gain access, and TCP session hijacking to take over a valid connection.

Physical attacks

Physical attacks are attacks in which an unauthorized person gains physical access to networks and systems, or the opportunity to modify or collect information or to prevent access to information. Physical access can be gained through unauthorized entry, namely by means of insufficiently secured access. The purpose of gaining physical access to a local system may be the modification or theft of information on IP addresses, identification data and passwords; tampering with the system to enable its monitoring or any other abuse; or physical destruction of the system.

Internal attacks

Internal attacks are performed by a person authorized to stay within the systems of secure information processing, or with direct access to such systems. Internal attackers know the structure of the system where valuable data is stored very well and know the safety precautions in use. Internal attacks are undertaken from within the protection perimeter and are often hard to detect and defend against. There are two types of internal attacks: unintentionally harmful and deliberately harmful. Unintentionally harmful attacks include damage to the system and data caused by negligence or by a lack of knowledge on the part of computer system users. Typical precautions against internal attacks include the establishment and enforcement of a security policy, the building of security awareness, system audits, breach detection, and limited access to critical systems and data.

Examples of typical deliberately harmful internal attacks include the modification of data or of security mechanisms. Users often have access to information by way of shared networks, and the attacker may gain access that enables him to tamper with or destroy information without authorization. Hidden (covert) channels are unauthorized communication routes used to transfer stolen information. They are created when a user of the internal network creates a link to another network without any authorization; this is a typical violation of the security policy or of user rules and procedures. Physical damage involves the intentional damage or destruction of a local system, made possible by the attacker’s physical access. —Robert Gogela—
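The passive-attacks section above says that open-text monitoring and password sniffing need nothing more than a protocol analyzer, and that encryption or a VPN is the precaution. The following script, added here as an illustration and not part of the original article, shows the defender's side of that point: it audits captured application-layer records for logins that a passive observer could read (FTP and POP3 USER/PASS commands, HTTP Basic authorization) and lists the services that should be moved behind TLS or a VPN. The Capture record shape, the sample records and the addresses are all constructed assumptions; a real export from a protocol analyzer would be adapted to the same shape. Passwords are deliberately not copied into the findings.

```python
"""Audit captured traffic records for credentials sent in the clear.

Constructed example (not the article's code). The records below are
made up; in practice they would come from a protocol analyzer export.
"""
import base64
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Capture:
    """One application-layer message recovered from the wire (hypothetical shape)."""
    src: str
    dst: str
    dst_port: int
    encrypted: bool   # payload carried inside TLS or a VPN tunnel
    payload: bytes    # bytes as seen on the wire (opaque when encrypted)


# Login commands that the classic cleartext protocols put on the wire.
USER_CMD = re.compile(rb"^USER (\S+)\r?$", re.M)      # FTP and POP3 share this form
PASS_CMD = re.compile(rb"^PASS (\S+)\r?$", re.M)
HTTP_BASIC = re.compile(rb"^Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)", re.M | re.I)

PORT_NAMES = {21: "ftp", 80: "http", 110: "pop3"}


def _decode_basic(token: bytes) -> Optional[str]:
    """Return the user name from an HTTP Basic token, or None if it is malformed."""
    try:
        user_pass = base64.b64decode(token, validate=True)
    except ValueError:          # binascii.Error is a subclass of ValueError
        return None
    user, sep, _password = user_pass.partition(b":")
    return user.decode("utf-8", errors="replace") if sep else None


def find_cleartext_credentials(captures: List[Capture]) -> List[dict]:
    """Flag every capture that exposes a login to a passive eavesdropper.

    Only the user name and the endpoints are recorded: that is enough to
    locate the service that needs fixing, and the password itself never
    ends up in a report.
    """
    findings = []
    for cap in captures:
        if cap.encrypted:
            continue            # an eavesdropper sees only ciphertext here
        proto = PORT_NAMES.get(cap.dst_port, f"tcp/{cap.dst_port}")
        user_match = USER_CMD.search(cap.payload)
        if user_match and PASS_CMD.search(cap.payload):
            findings.append({"proto": proto, "src": cap.src, "dst": cap.dst,
                             "user": user_match.group(1).decode("utf-8", errors="replace")})
            continue
        basic = HTTP_BASIC.search(cap.payload)
        if basic:
            user = _decode_basic(basic.group(1))
            if user is not None:
                findings.append({"proto": proto, "src": cap.src, "dst": cap.dst, "user": user})
    return findings


def services_needing_encryption(findings: List[dict]) -> List[Tuple[str, str]]:
    """Destination services (host, protocol) that should move behind TLS or a VPN."""
    return sorted({(f["dst"], f["proto"]) for f in findings})


# Constructed sample captures; none of this is real traffic.
SAMPLE = [
    Capture("10.0.0.5", "10.0.0.20", 21, False, b"USER alice\r\nPASS hunter2\r\n"),
    Capture("10.0.0.6", "10.0.0.30", 80, False,
            b"GET /admin HTTP/1.1\r\nHost: intranet\r\nAuthorization: Basic "
            + base64.b64encode(b"bob:s3cret") + b"\r\n\r\n"),
    Capture("10.0.0.7", "10.0.0.30", 443, True, b"\x16\x03\x03\x00\x2a"),   # TLS: opaque
    Capture("10.0.0.8", "10.0.0.20", 21, False, b"USER carol\r\n"),           # no PASS seen
    Capture("10.0.0.9", "10.0.0.40", 110, False, b"USER dave@example.test\r\nPASS letmein\r\n"),
]

if __name__ == "__main__":
    found = find_cleartext_credentials(SAMPLE)
    for f in found:
        print(f"{f['proto']}: login for {f['user']!r} from {f['src']} to {f['dst']} readable on the wire")
    print("services to protect:", services_needing_encryption(found))
```

Run against the constructed sample, the script flags the FTP, HTTP Basic and POP3 logins, ignores the TLS session (the observer cannot read it) and the FTP session that never sent a password, and reports three destination services to protect. The same check is what makes the article's precaution concrete: once a service is reached only through TLS or a VPN, the record it produces looks like the third sample and yields no finding.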


				