 |
 |
 |
 |
 |
  |
|||
 |
 |
 |
|
|
Security Threats - What to protect Against
There are an ever growing number of threats that our systems become open to. They fall into three distinct categories:
Costs arising from a breach of security are not purely monetary in nature. You have to first consider that as a business you have a duty of care to your customers and staff alike. These expect that your business will provide:
A loss of credibility by a breach of one of the above can severely damage your reputation and/or credibility of the business as a whole. In monetary terms, to provide an example, if you have a worm infection on 3 computers and have an IT technician who provides your support. The technician can only clean up one computer at a time so the other 2 computers and staff would still be waiting and be unable to work in the meantime. If it took 30 minutes to remove each infection, the 1st user would lose 30 minutes productive work the 2nd 1 hour and the third 1 ½ hours so you have lost 3 man hours, (and 1 ½ man hours by your IT technician), making a total loss of 4 ½ man hours. In addition to the wages lost during this period, what about lost sales that these users could have made? This could add up to a large amount of money dependant on your type of business.
Social Engineering has become one of the biggest threats to the IT community as a whole. People, by default try to be helpful, especially those that work in a service type industry, it is this helpfulness that is exploited on a daily basis. The biggest uses of social engineering today are:
Glossary of Threats
Adware - Extra code written into an application that displays advertising banners to the applications user. These would usually come in the form of pop-up windows or a bar across the application screen. A large amount of Adware is incorporated into freeware/ shareware software to try and recoup some of the development costs. Adware works by sending details of your browsing habits to advertisers who then use this information to specifically target you with tailored services/ offers.
Arp Spoofing - This is when fake, or 'spoofed', arp broadcasts get transmitted over the network. These arp frames tend to contain false MAC Addresses that if injected into a network devices, such as a switch or router may confuse there routing tables. As a result packets intended for one host may be inadvertently directed to another.
Blue jacking - This is the sending of unsolicited messages over Bluetooth to Bluetooth-enabled devices such as mobile phones, PDAs or laptop computers.
Blue snarfing - A vulnerability in Bluetooth that can allow passers-by to steal the entire contents of a mobile phone's address book and other personal data.
Buffer Overflow Attacks - Normally takes the form of inputting an overly long string of characters or commands that the system cannot deal with. Some functions have a finite space available to store these characters or commands and any extra characters etc. over and above this will then start to overwrite other portions of code and in worse case scenarios will enable a remote user to gain a remote command prompt with the ability to interact directly with the local machine.
Cross-site request forgery (CSRF), a.k.a one click attack or session riding or XSRF, is a type of malicious exploit of websites involving the passing of unauthorized commands from a user the website trusts.
Denial of service attacks – This is an aimed attacks designed to deny a particular service that you could rely on to conduct your business. These are attacks designed to say overtax a web server with multiple requests which are intended to slow it down and possibly cause it to crash. Traditionally such attacks emanated from one particular source.
Directory Traversal Attacks - Basically when a user or function tries to “break” out of the normal parent directory specified for the application and traverse elsewhere within the system, possibly gaining access to sensitive files or directories in the process.
Distributed Denial of Service Attack (DDoS) - A hacker does not usually directly attack a network. They would probably not have the computing power required and they could be caught quite easily. A hacker will try and take control of a number of computers usually involving locating and compromising unprotected computers (usually by means of a trojan) and launch an attack from these to obfuscate where the attack is really coming from. Once these “bots” (they are basically remote controlled) have been taken over they will use them to attempt exploitation of the target system i.e. major e-commerce sites - and sometimes against government and other official sites. Many machines attempting to access a service at the same time could thus deny access to the service to others. The fact the attack is distributed gives us the name.
E-mail hoaxes – E-mails that appear helpful but may have malicious hidden intent i.e. warning about a possible virus and suggesting files are deleted when in fact the deletion of these files will cause a detrimental effect to the users computer. E-mail hoaxes rely on the naivety of users and rely on this weakness to enable the messages to propagate to others.
E-mail scams – E-mails that tries to obtain money/services by deception. The notorious 419 scams that originated in Nigeria offering the recipient a share in a huge fortune in exchange for a payment to help "launder"/pay for administration costs of wiring the money out of the country.
Format string attack - This can be used to crash a program or to execute harmful code. The problem stems from the use of poor coding leading to unfiltered user input which may be used to run arbitrary code or perform some malicious function.
Hacking - Unauthorized use (misuse), or attempts to circumvent/bypass the in-built security mechanisms of an information system or network.
Insecure Protocols - There are a number of insecure protocols still in use today. They include ftp, telnet, smtp, pop3, rsh, rlogin and http to name but a few. They are insecure in that all data is transmitted across the (Inter)network unencrypted and can be “sniffed” by network sniffing software such as Ethereal.
IP Spoofing - Usually involves the creation of customised IP packets with forged, (spoofed), source addresses.
Man In The Middle Attacks - This is when an attacker has the ability to read, insert and modify at will, messages between two hosts without hosts knowledge that their communications link between them has been compromised.
Page-jacking – Also known as browser hijacking. Common results of browser hijacking are an incorrect home page i.e. not the one you specified, or when attempting to use a common search engine or directory site an automatic redirection to an alternative site of the hijacker’s choice. Most redirection usually involves being taken to sites with "adult" content.
Phishing - Usually the receipt of an email, (usually in html format), directing you to a spoofed web site in order to try and fraudulently obtain your banking or other personal details. The email usually informs you that your bank/ebay/msn account has been suspended or subject to fraud and attempts to get you to re-validate your credentials. Another subtle use of Social Engineering in order to carry out identity theft.
Privilege escalation - is the act of exploiting a bug in an application to gain access to available resources, which normally would be afforded adequate protection by normal software controls. This results in the application allowing certain actions to be performed within a higher security context than intended.
Rootkit - A collection of tools that could allow a hacker a backdoor into a system, collect information on other systems on the network, mask the fact that the system is compromised by replacing essential system commands with trojaned variants etc. Rootkit are multi platform and grow ever more difficult to detect.
Smishing - This involves a message being sent to a web-enabled phone/mobile devices incorporating an URL which will download a Trojan horse to infect the phone and carry out some other nefarious function.
Social Engineering - Normally uses a limited range of distinct subject matter to entice users to open and run an attachment say. Usually associated with phishing/E-mail type attacks. The main themes are:
Spam – Generically described as unsolicited E-mail. It is the electronic equivalent of the mail that drops through your home letterbox and comprises unwanted mail trying to advertise/sell you things, get you to sign up for services or it could comprise a hoax message designed to mislead etc.
Spim - 'Spam on Instant Messaging' is unsolicited E-mail via an instant messaging application. It's can be more invasive than E-mail spam because messages are not usually filtered by spam software and pop up automatically when a user is logged on using their IM program. This makes Spim harder to ignore. Some Spim messages can contain code that accesses a victim's stored buddy list and then utilises these addresses to Spim your contacts. The recipients of these messages accept them by wrote because they appear to come from someone on their own buddy lists.
Spit - Unsolicited E-mail on voice over IP networks.
Spyware - Often installed on your computer without your knowledge. It is an unwanted by-product of an application designed to gather information about you. Spyware can record what you do and can be used to gather credit card details and personal information that could be used by nefarious people to carry out identity theft. Spyware is sometimes likened to a trojan and some anti-virus vendors actually regard this as malware and will automatically remove it from the system.
SQL Injection - Basically when a low privileged user interactively executes PL/SQL commands on the database server by adding additional syntax into standard arguments, which is then passed to a particular function enabling enhanced privileges.
Trojan - A program which appears to offer some benefit to the user, but which covertly does something else. The name originates from Greek mythology and the siege of Troy, but were unable to break through its defences until they hid some forces inside a gift, (Trojan Horse) that was taken into the city.
Virus - A self-replicating program that has been specifically designed to attach itself to, or infect, other programs on a host computer system. When one of these infected programs is run, the virus is surreptitiously activated, enabling it to infect other programs in turn. Viruses generally either cause annoyance or physically damage the infected PC.
Wardriving - Is the process of identifying wireless networks and distinguishing between those that are encrypted and those that are not. It is usually carried out in a car utilising a standard wireless enabled laptop/PDA and freeware software applications i.e. Kismet/NetStumbler.
Web Defacement - Another favourite past time for hackers is web defacement i.e. Subverting information hosted on a particular website and replacing it with their own message. Many see this as a challenge and compete with each other to change the web pages of sites all around the world. It can be used to put across a political message, extort a company etc.
Worm - Different to a virus or Trojan horse as it does not need a host program as it has an in-built capability to self-replicate. The payload of a worm is generally not a physical string of code, it is the effect it has on a computer when executed, i.e. what process it runs, starts, stops etc. on the “affected” host. A very interesting example of a payload is the “code green” worm whose payload, (actions that it carries out), is designed to hunt down PC’s infected with the “code red” worm, remove the infected files from the system and download a patch from Microsoft to remove the vulnerability on the host system.
|
IT Security News:
Pen Testing Framework:
Latest Tool Reviews:
|
| © VulnerabilityAssessment.co.uk 19 March 2008 |
|
