Security Threats - What to protect Against
There are an
ever growing number of threats that our systems become open to. They fall
into three distinct categories:
Hardware - Threats can exist
due to poor manufacture and configuration.
Software - By means of poor
exploitable holes in the coding that can be subverted.
You can patch & secure a system to the enth degree, BUT, if say a user leaves
their credentials on a post-it note!!!! ;-((
Costs arising from a breach of security are not purely monetary in nature.
You have to first consider that as a business you have a duty of care to
your customers and staff alike. These expect that your business will
A loss of
credibility by a breach of one of the above can severely damage your reputation
and/or credibility of the business as a whole.
monetary terms, to provide an example, if you have a worm infection on 3
computers and have an IT technician who provides your support. The technician
can only clean up one computer at a time so the other 2 computers and staff
would still be waiting and be unable to work in the meantime. If it took 30
minutes to remove each infection, the 1st user would lose 30 minutes
productive work the 2nd 1 hour and the third 1 ½ hours so you
have lost 3 man hours, (and 1 ½ man hours by your IT technician), making a total
loss of 4 ½ man hours. In addition to the wages lost during this
period, what about lost sales that these users could have made? This could
add up to a large amount of money dependant on your type of
Social Engineering has become one
of the biggest threats to the IT community as a whole. People, by default
try to be helpful, especially those that work in a service type industry, it
is this helpfulness that is exploited on a daily basis. The biggest uses
of social engineering today are:
Making multiple calls
to call centres, gaining extra pieces of information based on previous calls.
Using open source
information to fool people and create a robust legend for the social engineer.
Using duplicate forms,
possibly found discarded in waste bins to create a legend and thus obtain
Using direct access to
personnel to form relationships, build trust etc.
- Extra code written into an application that displays advertising banners to the
applications user. These would usually come in the form of pop-up windows or a
bar across the application screen. A large amount of Adware is incorporated
into freeware/ shareware software to try and recoup some of the development
costs. Adware works by sending details of your browsing habits to advertisers
who then use this information to specifically target you with tailored services/
- This is when fake, or 'spoofed', arp broadcasts get transmitted over the
network. These arp frames tend to contain false MAC Addresses that if injected into a network devices, such as a switch
or router may confuse there routing tables. As a result packets intended for one
host may be inadvertently directed to another.
- This is the sending of unsolicited messages over Bluetooth to
Bluetooth-enabled devices such as mobile phones, PDAs or laptop computers.
Blue snarfing - A
vulnerability in Bluetooth that can allow passers-by to steal the entire
contents of a mobile phone's address book and other personal data.
Buffer Overflow Attacks - Normally takes the form of inputting an overly
long string of characters or commands that the system cannot deal with.
Some functions have
a finite space available to store these characters or commands and any extra
characters etc. over and above this will then start to overwrite other portions
of code and in
worse case scenarios will enable a remote user to gain a remote command prompt
with the ability to interact directly with the local machine.
Cross-site request forgery (CSRF), a.k.a one click attack or session riding or XSRF, is a type of malicious exploit of websites involving the passing of unauthorized commands from a user the website trusts.
Denial of service attacks – This is an aimed attacks designed to deny a
particular service that you could rely on to conduct your business. These
are attacks designed to
say overtax a web server with multiple requests which are intended to slow it
down and possibly cause it to crash. Traditionally such attacks emanated from
Directory Traversal Attacks - Basically when a user or function tries to
“break” out of the normal parent directory specified for the application and
traverse elsewhere within
the system, possibly gaining access to sensitive files or directories in the
of Service Attack (DDoS) -
A hacker does not usually directly attack a network.
They would probably not have the computing power required and they could
be caught quite easily. A hacker will try
and take control of a number of computers usually
involving locating and compromising
unprotected computers (usually by means of a trojan)
and launch an attack from these to obfuscate where the attack is really coming
from. Once these “bots” (they are basically remote controlled) have been
over they will use them to attempt exploitation of the target system i.e.
major e-commerce sites - and sometimes
against government and other official sites.
Many machines attempting to access a service at the
same time could thus deny access to the service to others.
The fact the attack is distributed gives us the name.
E-mail hoaxes – E-mails that appear helpful but may have malicious hidden
intent i.e. warning about a possible virus and suggesting files are deleted when
in fact the deletion
of these files will cause a detrimental effect to the users computer.
E-mail hoaxes rely on the naivety of users and rely on this weakness to enable
the messages to propagate
E-mail scams – E-mails that tries to obtain money/services by deception.
The notorious 419 scams that originated in Nigeria offering the recipient a
share in a huge fortune in
exchange for a payment to help "launder"/pay for administration costs of wiring
the money out of the country.
Format string attack - This can be used to crash a program or to execute
harmful code. The problem stems from the use of poor coding leading to
unfiltered user input which may be used to run arbitrary code or perform some
Unauthorized use (misuse), or attempts to circumvent/bypass the in-built
security mechanisms of an information system or network.
There are a
number of insecure protocols still in use today.
They include ftp, telnet, smtp, pop3, rsh, rlogin and http to name but a
few. They are insecure in that all data
is transmitted across the (Inter)network unencrypted and can be “sniffed” by
network sniffing software such as Ethereal.
- Usually involves the creation of customised IP packets with forged, (spoofed),
Man In The Middle Attacks - This is when an attacker has the ability to
read, insert and modify at will, messages between two hosts without hosts
knowledge that their
communications link between them has been compromised.
Also known as browser hijacking. Common results of browser hijacking are
an incorrect home page i.e. not the one you specified, or when attempting
to use a common search engine or directory site an automatic redirection to an
alternative site of the hijacker’s choice.
usually involves being taken to sites with "adult" content.
Phishing - Usually the receipt of an email, (usually in html format), directing you to a
spoofed web site in order to try and fraudulently obtain your banking or other
personal details. The email usually informs you that your bank/ebay/msn
account has been suspended or subject to fraud and attempts to get you to
re-validate your credentials.
Another subtle use of Social Engineering in order to carry out identity theft.
Privilege escalation - is the act of
exploiting a bug in an application to gain access to available resources, which
normally would be afforded adequate protection by normal software controls. This
results in the application allowing certain actions to be performed within a
higher security context than intended.
collection of tools that could allow a hacker a backdoor into a system, collect
information on other systems on the network, mask the fact that the system is compromised by replacing essential system commands with trojaned variants etc.
Rootkit are multi platform and grow ever more difficult to detect.
Smishing - This involves a message
being sent to a web-enabled phone/mobile devices incorporating an URL which will
download a Trojan horse to infect the phone and carry out some other nefarious
- Normally uses a limited range of distinct subject matter to entice users to
open and run an attachment say. Usually associated with phishing/E-mail
type attacks. The main themes are:
Sexual - Sexual ideas/pictures/websites
Curiosity - Friendly themes/appealing to someone's
passion or obsession
Fear - Reputable sources/virus alert
Authority - Current affairs/bank e-mails/company
Spam – Generically described as unsolicited E-mail. It is the
electronic equivalent of the mail that drops through your home letterbox and
comprises unwanted mail trying to
advertise/sell you things, get you to sign up for services or it could comprise
a hoax message designed to mislead etc.
Spim - 'Spam on Instant Messaging' is unsolicited E-mail
via an instant messaging application. It's can be more invasive than
E-mail spam because messages are not usually filtered by spam software and pop
up automatically when a user is logged on using their IM program. This
makes Spim harder to ignore. Some Spim messages can contain code that
accesses a victim's stored buddy list and then utilises these addresses to Spim
your contacts. The recipients of these messages accept them by wrote because
appear to come from someone on their own buddy lists.
- Unsolicited E-mail on voice over IP networks.
- Often installed on your computer without your knowledge. It is an unwanted
by-product of an application designed to gather information about you. Spyware can record what you do and can be used to gather credit card details and
personal information that could be used by nefarious people to carry out
identity theft. Spyware is sometimes likened to a trojan and some anti-virus
vendors actually regard this as malware and will automatically remove it from
SQL Injection - Basically when a low privileged user interactively
executes PL/SQL commands on the database server by adding additional syntax into
which is then passed to a particular function enabling enhanced privileges.
Trojan - A program which appears to offer some benefit to the user, but
which covertly does something else. The name originates from Greek mythology and
the siege of Troy,
but were unable to break through its defences until they hid some forces inside
a gift, (Trojan Horse) that was taken into the city.
Virus - A self-replicating program that has been specifically designed to
attach itself to, or infect, other programs on a host computer system. When one
of these infected programs
is run, the virus is surreptitiously activated, enabling it to infect other
programs in turn. Viruses generally either cause annoyance or physically
damage the infected PC.
- Is the process of identifying wireless networks and distinguishing between
those that are encrypted and those that are not. It is usually carried out
in a car utilising a standard wireless enabled laptop/PDA and freeware software
applications i.e. Kismet/NetStumbler.
favourite past time for hackers is web defacement i.e. Subverting information
hosted on a particular website and replacing it with their own message.
Many see this as a challenge and compete with each other to change the
web pages of sites all around the world.
It can be used to put across a political message, extort a company etc.
Worm - Different to a virus or Trojan horse as it does not need a host
program as it has an in-built capability to self-replicate. The payload of
a worm is generally not a physical
string of code, it is the effect it has on a computer when executed, i.e. what
process it runs, starts, stops etc. on the “affected” host. A very
interesting example of a payload is the
“code green” worm whose payload, (actions that it carries out), is designed to
hunt down PC’s infected with the “code red” worm, remove the infected files from
the system and
download a patch from Microsoft to remove the vulnerability on the host system.