Introduction & Security Trends Chapter 1

Chapter 1. Security Problem Virus and Worms Intruders Types of Attack Avenues of Attack 2 Prepared by Mohammed Saher Hasan


Prepared by Mohammed Saher Hasan

Objective

Security Problem
Virus and Worms
Intruders
Types of Attack
Avenues of Attack

Background

Terrorists and terrorism are a real threat. They have targeted people and physical structures.

Average citizens are more likely to be the targets of an attack on their computers rather than to be the direct victims of a terrorist attack.


The Security Problem

Fifteen years ago:

◦ Few people had access to a computer system or a network.
◦ Securing these systems was easier.
◦ Companies did not conduct business over the Internet.

Today, companies rely on the Internet to operate and conduct business.

The Security Problem

Networks are used to transfer vast amounts of money in the form of bank transactions or credit card purchases.

When money is transferred via networks, people try to take advantage of the environment to conduct fraud or theft.

The Security Problem

There are various ways to attack computers and networks to take advantage of what has made shopping, banking, investment, and leisure pursuits a matter of “dragging and clicking” for many people.

◦ Identity theft is common today.

Security Incidents

Electronic crime can take different forms. The two categories of electronic crimes are:

◦ Crimes in which the computer is the target of the attack.
◦ Incidents in which the computer is a means of perpetrating a criminal act.

Threats to Security

In a highly networked world, new threats have developed. There are a number of ways to break down the various threats.

Breaking Down Threats

To break down threats, users need to:

◦ Categorize external threats versus internal threats.
◦ Examine the various levels of sophistication of the attacks, from “script kiddies” to “elite hackers.”
◦ Examine the level of organization for the various threats, from unstructured to highly structured threats.

Viruses and Worms

Employees in an organization may not follow certain practices or procedures, which may expose the organization to viruses and worms.

However, organizations generally do not have to worry about their employees writing or releasing viruses and worms.

Viruses and Worms

Viruses and worms:

◦ Are expected to be the most common problem that an organization will face, as thousands of them have been created.
◦ Are also generally non-discriminating threats that are released on the Internet and are not targeted at a specific organization.

Hacking

The act of deliberately accessing computer systems and networks without authorization is called “hacking”. The term may also be used to refer to the act of exceeding one’s authority in a system.

Intruders are very patient, as it takes persistence and determination to gain access to a system.

Intruders

Intruders, or those who are attempting to conduct an intrusion, are of various types and have varying degrees of sophistication.

Script Kiddies

At the low end technically are script kiddies. They do not have the technical expertise to develop scripts or discover new vulnerabilities in software.

They have just enough understanding of computer systems to be able to download and run scripts that others have developed.

Script Kiddies

Script kiddies are generally not as interested in attacking specific targets. They look for any organization that may not have patched a newly discovered vulnerability for which they have located a script to exploit.

At least 85 to 90% of the “unfriendly” activity on the Internet is probably carried out by these individuals.

Sophisticated Intruders

These individuals are capable of writing scripts to exploit known vulnerabilities. They are more technically competent than script kiddies.

They account for an estimated 8 to 12% of the individuals conducting intrusive activity on the Internet.

Elite Hackers

Elite hackers are highly technical individuals and are able to:

◦ Write scripts that exploit vulnerabilities.
◦ Discover new vulnerabilities.

This group is the smallest, accounting for only 1 to 2% of the individuals conducting intrusive activity.

Intruders

(Diagram of the three categories of intruders:)

Elite Hackers
Sophisticated Intruders
Script Kiddies

Insider Threats

Insiders:

◦ Are more dangerous than outside intruders.
◦ Have the access and knowledge necessary to cause immediate damage to an organization.

Insider Threats

Most security is designed to protect against outside intruders and thus lies at the boundary between the organization and the rest of the world.

Besides employees, insiders also include a number of other individuals who have physical access to facilities.

Unstructured Threats

Attacks by individuals or even small groups of attackers fall into the unstructured threat category.

Attacks at this level are generally conducted over short periods of time (lasting at most a few months). They do not involve a large number of individuals, and have little financial backing. They do not include collusion with insiders.

Criminal Organizations

Criminal activity on the Internet at its most basic is no different from criminal activity in the physical world.

A difference between criminal groups and the “average” hacker is the level of organization that criminal elements may employ in their attack.

Structured Attacks

Attacks by criminal organizations can fall into the structured threat category, which is characterized by:

◦ Planning.
◦ A long period of time to conduct the activity.
◦ More financial backing.
◦ Corruption of or collusion with insiders.

Terrorist and Information Warfare

As nations become dependent on computer systems and networks, essential elements of the society might become a target. They might be attacked by organizations or nations determined to adversely affect another nation.

Terrorist and Information Warfare

Many nations today have developed to some extent the capability to conduct information warfare.

Information warfare is warfare conducted against information and the information-processing equipment used by an adversary.

Highly Structured Threats

Highly structured threats are characterized by:

◦ A long period of preparation (years is not uncommon).
◦ Tremendous financial backing.
◦ A large and organized group of attackers.

These threats may not only include attempts to subvert insiders, but also include attempts to plant individuals inside potential targets before an attack.

Highly Structured Threats

In information warfare, military forces are certainly still a key target. Other likely targets can be the various infrastructures that a nation relies on for its daily existence.

Critical Infrastructure

Critical infrastructures are those infrastructures whose loss would have a severe detrimental impact on a nation. Examples:

◦ Water.
◦ Electricity.
◦ Oil and gas refineries and distribution.
◦ Banking and finance.
◦ Telecommunications.

Information Warfare

Many countries have already developed a capability to conduct information warfare. Terrorist organizations can also accomplish information warfare.

Information Warfare

Terrorist organizations are highly structured threats that:

◦ Are willing to conduct long-term operations.
◦ Have tremendous financial support.
◦ Have a large and organized group of attackers.

Profile of Individuals

The type of individual who attacks a computer system or a network has also evolved over the last 30 years.

◦ The rise of non-affiliated intruders, including “script kiddies,” has greatly increased the number of individuals who probe organizations looking for vulnerabilities to exploit.

Important Trend

Another trend: as the level of sophistication of attacks has increased, the level of knowledge necessary to exploit vulnerabilities has decreased.

Common Attacks

The two most frequent types of attacks have remained constant, with viruses and insider abuse of net access being the most common.

Avenues of Attack

When a computer system is attacked, it is either specifically targeted by the attacker, or it is an opportunistic target.

Specific Target

In the first case, the attacker chooses the target not because of the hardware or software the organization is running but for some other reason, such as a political reason.

Target of Opportunity

The second type of attack, an attack against a target of opportunity, is conducted against a site that has hardware or software that is vulnerable to a specific exploit.

The attackers, in this case, are not targeting the organization. Instead, they have learned of a vulnerability and are looking for an organization with this vulnerability that they can exploit.

Target of Opportunity

Targeted attacks are more difficult and take more time than attacks on a target of opportunity.

◦ The second type of attack relies on the fact that with any piece of widely distributed software, there will almost always be somebody who has not patched the system.

The Steps in an Attack

The steps an attacker takes in attempting to penetrate a targeted network are similar to the ones that a security consultant performing a penetration test would take.

The attacker will need to gather as much information about the organization as possible.

Source of Information

There are numerous web sites that provide information on vulnerabilities in specific application programs and operating systems.

Source of Information

In addition to information about specific vulnerabilities, some sites may also provide tools that can be used to exploit vulnerabilities.

An attacker can search for known vulnerabilities and tools that exploit them, download the information and tools, and then use them against a site.

Perform a Ping Sweep

The first step in the technical part of an attack is often to determine what target systems are available and active.

This is often done with a ping sweep, which sends a “ping” (an ICMP echo request) to the target machine. If the machine responds, it is reachable.

Perform a Port Scan

The next step is to perform a port scan. This will help identify the ports that are open, which gives an indication of the services running on the target machine.
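The ping sweep and port scan on the two slides above are exactly what a defender should expect to see in perimeter logs. The following added example (not part of the slides) runs simple burst detection over constructed firewall log lines: one source sending ICMP echo requests to many hosts within a short window is flagged as a ping sweep, and one source probing many ports on one host as a port scan. The log format, the thresholds and the addresses are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample firewall log (not from the slides). RFC 5737 documentation
# addresses are used, so no line refers to a real host. 203.0.113.5 first pings
# five hosts, then probes six ports on one of them; 198.51.100.7 is normal traffic.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z src=203.0.113.5 dst=192.0.2.10 proto=icmp type=8
2024-05-01T10:00:01Z src=203.0.113.5 dst=192.0.2.11 proto=icmp type=8
2024-05-01T10:00:02Z src=203.0.113.5 dst=192.0.2.12 proto=icmp type=8
2024-05-01T10:00:02Z src=203.0.113.5 dst=192.0.2.13 proto=icmp type=8
2024-05-01T10:00:03Z src=203.0.113.5 dst=192.0.2.14 proto=icmp type=8
2024-05-01T10:00:09Z src=203.0.113.5 dst=192.0.2.10 proto=tcp dport=21
2024-05-01T10:00:09Z src=203.0.113.5 dst=192.0.2.10 proto=tcp dport=22
2024-05-01T10:00:10Z src=203.0.113.5 dst=192.0.2.10 proto=tcp dport=25
2024-05-01T10:00:10Z src=203.0.113.5 dst=192.0.2.10 proto=tcp dport=80
2024-05-01T10:00:11Z src=203.0.113.5 dst=192.0.2.10 proto=tcp dport=443
2024-05-01T10:00:11Z src=203.0.113.5 dst=192.0.2.10 proto=tcp dport=3389
2024-05-01T10:01:30Z src=198.51.100.7 dst=192.0.2.10 proto=tcp dport=443
2024-05-01T10:01:31Z src=198.51.100.7 dst=192.0.2.10 proto=tcp dport=443
2024-05-01T10:30:00Z src=198.51.100.7 dst=192.0.2.11 proto=icmp type=8
"""

# One key=value line per packet; ICMP type 8 is an echo request (a "ping").
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>\w+)"
    r"(?: type=(?P<type>\d+))?(?: dport=(?P<dport>\d+))?$"
)

def parse(log):
    """Yield (timestamp, src, dst, proto, icmp_type, dport) for well-formed lines."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:  # lines in another format are skipped
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m["src"], m["dst"], m["proto"], m["type"], m["dport"]

def burst(events, window):
    """Largest number of distinct values seen within `window` after any one event."""
    events = sorted(events)
    best = 0
    for i, (start, _) in enumerate(events):
        best = max(best, len({v for ts, v in events[i:] if ts - start <= window}))
    return best

def detect_sweeps(log, window_s=60, min_hosts=4, min_ports=5):
    """Return (ping-sweep sources, (src, dst) port-scan pairs) found in `log`."""
    echo_by_src = defaultdict(list)    # src -> [(ts, dst)] for echo requests
    ports_by_pair = defaultdict(list)  # (src, dst) -> [(ts, dport)] for TCP
    for ts, src, dst, proto, itype, dport in parse(log):
        if proto == "icmp" and itype == "8":
            echo_by_src[src].append((ts, dst))
        elif proto == "tcp" and dport is not None:
            ports_by_pair[(src, dst)].append((ts, int(dport)))
    window = timedelta(seconds=window_s)
    sweeps = sorted(s for s, ev in echo_by_src.items() if burst(ev, window) >= min_hosts)
    scans = sorted(p for p, ev in ports_by_pair.items() if burst(ev, window) >= min_ports)
    return sweeps, scans

if __name__ == "__main__":
    for src in detect_sweeps(SAMPLE_LOG)[0]:
        print(f"ping sweep from {src}")
    for src, dst in detect_sweeps(SAMPLE_LOG)[1]:
        print(f"port scan from {src} against {dst}")
```

The thresholds are deliberately low for the sample; on a real perimeter they would be tuned against the normal number of distinct hosts and ports a single source touches per minute.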

Determine the Operating System

After determining the services available, the attacker needs to determine the operating system running on the target machine and specific application programs.

Administrative Mistake

The attack may be successful if the administrator for the targeted system has not installed the correct patch. The attacker will move on to the next possible vulnerability if the patch has been installed.

The General Process

There are different ways in which a system can be attacked.

◦ Gathering as much information as possible about the target (using both electronic and non-electronic means).
◦ Gathering information about possible exploits based on the information about the system, and then systematically attempting to use each exploit.

If the exploits do not work, other, less system-specific, attacks may be attempted.

Minimizing Avenues of Attack

Understanding the steps an attacker will take makes it possible to limit the exposure of the system and minimize the avenues an attacker might possibly exploit.

Minimizing Avenues of Attack

The first step an administrator can take to minimize the possible attacks is to ensure that all patches for the operating system and the applications are installed.

The second step an administrator can take is to limit the services running on a system.

Another step that can be taken to minimize the possible avenues of attack is to provide as little information as possible on an organization and its computing resources.
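The second step above, limiting the services running on a system, can be checked against what an outside port scan would actually see. The added example below (not from the slides) parses constructed `ss`-style listening-socket output, ignores sockets bound only to loopback, and reports every network-reachable listener that is not on an assumed allow list for the host; the sample output and the allow list are invented.

```python
import re

# Constructed sample in the layout of `ss -Hltnu` (netid, state, queues, local
# and peer address). It describes a made-up host, not output from a real system.
SAMPLE_SS = """\
tcp   LISTEN 0      128          0.0.0.0:22          0.0.0.0:*
tcp   LISTEN 0      511          0.0.0.0:80          0.0.0.0:*
tcp   LISTEN 0      511          0.0.0.0:443         0.0.0.0:*
tcp   LISTEN 0      80         127.0.0.1:3306        0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:21          0.0.0.0:*
tcp   LISTEN 0      128             [::]:5900           [::]:*
udp   UNCONN 0      0            0.0.0.0:161         0.0.0.0:*
"""

# Assumed allow list for this hypothetical web server: the only services it is
# meant to expose. Anything else reachable from the network is a finding.
ALLOWED = {("tcp", 22), ("tcp", 80), ("tcp", 443)}
LOOPBACK = {"127.0.0.1", "::1"}

ROW_RE = re.compile(r"^(?P<proto>tcp|udp)\s+\S+\s+\d+\s+\d+\s+(?P<local>\S+)\s+\S+$")

def split_local(local):
    """Split '0.0.0.0:22', '[::]:5900' or '*:80' into (address, port)."""
    addr, _, port = local.rpartition(":")
    return addr.strip("[]"), int(port)

def audit_listeners(ss_output, allowed=ALLOWED):
    """Return (proto, address, port) for network-reachable sockets not on the allow list."""
    findings = []
    for line in ss_output.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue  # header or unexpected line
        addr, port = split_local(m["local"])
        if addr in LOOPBACK:
            continue  # loopback only: an outside port scan cannot reach it
        if (m["proto"], port) not in allowed:
            findings.append((m["proto"], addr, port))
    return findings

if __name__ == "__main__":
    for proto, addr, port in audit_listeners(SAMPLE_SS):
        print(f"unexpected listener: {proto} {addr}:{port}")
```

Each finding is a service to remove, bind to loopback, or firewall; a host firewall that permits only the allow list is the complementary control when the service cannot be removed.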

Types of Attacks

There are a number of ways that a computer system or a network can be attacked. Attacks can result in one of a few general consequences:

◦ A loss of confidentiality, where information is disclosed to unauthorized individuals.
◦ A loss of integrity, where information is modified by unauthorized individuals.
◦ A loss of availability, where information or the systems processing it are not available for authorized users.