
Chapter 18: Computer and Network Security Threats

Computer Security Concepts

The NIST Computer Security Handbook [NIST95] defines the term computer security as:

“The protection afforded to an automated information system in order to attain the applicable objectives of preserving the integrity, availability, and confidentiality of information system resources (includes hardware, software, firmware, information/data, and telecommunications).”

Computer Security Objectives

The Security Requirements Triad

Table 18.1 Threat Consequences, and the Types of Threat Actions That Cause Each Consequence (Based on RFC 2828)

Scope of System Security

Table 18.2 Computer and Network Assets, with Examples of Threats

Communication Lines and Networks: Passive Attacks

- Attempt to learn or make use of information from the system but do not affect system resources
- Are in the nature of eavesdropping on, or monitoring of, transmissions
- Goal of the attacker is to obtain information that is being transmitted
- Difficult to detect because they do not involve any alteration of the data
- Emphasis is on prevention rather than detection

Two types:
- Release of message contents: the aim is to prevent an opponent from learning the contents of a transmission
- Traffic analysis: even when the contents of a message are encrypted, so that an opponent who captures the message cannot extract the information, the opponent can still observe the pattern of the traffic

Communication Lines and Networks: Active Attacks

- Involve some modification of the data stream or the creation of a false stream
- Goal is to detect them and to recover from any disruption or delays they cause

Four categories:
- Replay
- Masquerade
- Modification of messages
- Denial of service
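The detect-and-recover goal above can be checked mechanically at the receiver for three of the four categories. This is an added example, not code from the textbook or the slides: the sender tags each frame with an HMAC over a sequence number and the payload (a hypothetical frame format; the shared key is constructed here), and the receiver logs whether a rejected frame was a replay or carried a bad tag (modification, or masquerade by a sender without the key). Denial of service is the one category this check cannot detect on its own.

```python
import hashlib
import hmac
import os

SHARED_KEY = os.urandom(32)   # shared secret, constructed for this example
SEQ_LEN, TAG_LEN = 8, 32


def make_frame(seq, payload, key=SHARED_KEY):
    """Sender: HMAC over (seq || payload) lets the receiver detect modification,
    masquerade (sender lacks the key) and replay (genuine frame re-sent)."""
    header = seq.to_bytes(SEQ_LEN, "big")
    return header + payload + hmac.new(key, header + payload, hashlib.sha256).digest()


class Receiver:
    def __init__(self, key=SHARED_KEY):
        self.key = key
        self.last_seq = -1   # highest sequence number accepted so far
        self.accepted = []
        self.rejected = []   # (reason, seq) pairs: the detection log

    def receive(self, frame):
        if len(frame) < SEQ_LEN + TAG_LEN:
            self.rejected.append(("truncated", None))
            return False
        header, payload, tag = frame[:SEQ_LEN], frame[SEQ_LEN:-TAG_LEN], frame[-TAG_LEN:]
        seq = int.from_bytes(header, "big")
        expected = hmac.new(self.key, header + payload, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            # Altered in transit (modification) or built without the key (masquerade)
            self.rejected.append(("bad_tag", seq))
            return False
        if seq <= self.last_seq:
            # Valid tag but stale sequence number: replay of an earlier frame
            self.rejected.append(("replay", seq))
            return False
        self.last_seq = seq
        self.accepted.append(payload)
        return True


def demo():
    """Three detectable active attacks against one receiver; DoS is not among them."""
    rx = Receiver()
    f1 = make_frame(1, b"transfer 100 to account 42")
    f2 = make_frame(2, b"balance?")
    results = [rx.receive(f1), rx.receive(f2)]
    results.append(rx.receive(f1))                                               # replay
    results.append(rx.receive(f2[:SEQ_LEN] + b"transfer 999" + f2[-TAG_LEN:]))  # modification
    results.append(rx.receive(make_frame(3, b"hi", key=os.urandom(32))))         # masquerade
    return results, [reason for reason, _ in rx.rejected]
```

A monotonically increasing sequence number is the simplest replay defence; a real protocol would also bound how far ahead a sequence number may jump and handle reordering.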

Intruders

Intrusion Examples
- Performing a remote root compromise of an e-mail server
- Defacing a Web server
- Guessing and cracking passwords
- Copying a database containing credit card numbers
- Viewing sensitive data without authorization
- Running a packet sniffer on a workstation to capture usernames and passwords
- Using a permission error on an anonymous FTP server to distribute pirated software and music files
- Dialing into an unsecured modem and gaining internal network access
- Posing as an executive, calling the help desk, resetting the executive's e-mail password, and learning the new password
- Using an unattended, logged-in workstation without permission

Intruder Behavior Patterns

Hackers
- Organized group of intruders who hack into a computer for the thrill or for status

Criminals
- Usually have specific targets or classes of targets in mind
- Frequently Eastern European or Southeast Asian groups who do business on the Web
- Once a site is penetrated, the attacker acts quickly, scooping up as much valuable information as possible and exiting

Insider Attacks
- Difficult to detect and prevent
- Employees have access to and knowledge of the structure and content of databases
- Can be motivated by revenge or a feeling of entitlement

Malicious Software

Malware
- Malicious software that exploits system vulnerabilities
- Designed to cause damage to or use up the resources of a target computer
- Frequently concealed within or masquerades as legitimate software

Two categories:
- Those that need a host program (parasitic)
- Those that are independent

May or may not replicate

Table 18.4 Terminology of Malicious Programs (This table can be found in the textbook on page 523)

Malicious Programs

Back door (also known as a trap door)
- Secret entry point into a program that allows someone who is aware of the back door to gain access without going through the usual security access procedures
- A maintenance hook is a back door inserted by a programmer to aid in testing and debugging

Logic Bomb
- One of the oldest types of program threats
- Code embedded in some legitimate program that is set to "explode" when certain conditions are met

Malicious Programs: Trojan Horse

- A useful, or apparently useful, program or command procedure containing hidden code that, when invoked, performs some unwanted or harmful function
- Can be used to accomplish indirectly functions that an unauthorized user could not accomplish directly

Malicious Programs: Viruses

- Software that can "infect" other programs by modifying them
- The modification includes injecting the original program with a routine to make copies of the virus program, which can then go on to infect other programs

A virus has three parts:
- Infection mechanism: the means by which a virus spreads, enabling it to replicate; also referred to as the infection vector
- Trigger: the event or condition that determines when the payload is activated or delivered
- Payload: what the virus does, besides spreading; may involve damage or may involve benign but noticeable activity

Virus Phases

A Simple Virus

Logic for a Compression Virus

Virus Classifications by Target

- Boot sector infector: infects a master boot record and spreads when a system is booted from the disk containing the virus
- File infector: infects files that the operating system or shell considers to be executable
- Macro virus: infects files with macro code that is interpreted by an application

Virus Classification by Concealment Strategy

Virus Kits

- Enable a relative novice to quickly create a number of different viruses
- Tend to be less sophisticated than viruses designed from scratch
- The sheer number of new viruses that can be generated using a toolkit creates a problem for antivirus schemes

Macro Viruses

- In the mid-1990s became by far the most prevalent type of virus
- Threatening because:
  - A macro virus is platform independent
  - Macro viruses infect documents, not executable portions of code
  - Macro viruses are easily spread
  - Traditional file system access controls are of limited use in preventing their spread
- A macro is an executable program embedded in a word processing document or other type of file

E-Mail Viruses

Worms
- Programs that can replicate themselves and send copies from computer to computer across network connections
- In addition to propagation, the worm usually performs some unwanted function
- Actively seek out more machines to infect, and each machine that is infected serves as an automated launching pad for attacks on other machines
- A network worm:
  - Exhibits the same characteristics as a computer virus
  - May attempt to determine if a system has previously been infected before copying itself

Bots
- Also known as a zombie or drone
- Program that secretly takes over another Internet-attached computer, then uses it to launch attacks that are difficult to trace to the bot's creator
- A botnet is a collection of bots capable of coordinating attacks

Uses of Bots

- Distributed denial-of-service attacks
- Spamming
- Sniffing traffic
- Keylogging
- Spreading new malware
- Installing advertisement add-ons and browser helper objects (BHOs)
- Attacking IRC chat networks
- Manipulating online polls/games

Remote Control Facility

- Is what distinguishes a bot from a worm
- A worm propagates itself and activates itself, whereas a bot is controlled from some central facility
- A typical means of implementation is on an IRC server
- All bots join a specific channel on this server and treat incoming messages as commands
- Once a communications path is established between a control module and the bots, the control module can activate the bots

Constructing a Network Attack

- Software to carry out the attack must be able to run on a large number of machines and remain concealed
- The attack must be aware of a vulnerability that many system administrators have failed to notice
- A strategy for locating vulnerable machines must be implemented; this is known as scanning or fingerprinting

Scanning Strategies

Spam (Unsolicited Bulk) E-Mail

Credential Theft, Keyloggers, and Spyware

Keylogger
- Captures keystrokes on the infected machine to allow an attacker to monitor this sensitive information

Spyware
- Subverts the compromised machine to allow monitoring of a wide range of activity on the system
- May include monitoring the history and content of browsing activity, redirecting certain Web page requests to fake sites controlled by the attacker, and dynamically modifying data exchanged between the browser and certain Web sites of interest

Phishing and Identity Theft

Phishing
- Exploits social engineering to leverage the user's trust by masquerading as communications from a trusted source
- Spam e-mail may direct a user to a fake Web site controlled by the attacker, or to complete some enclosed form and return it to an e-mail address accessible to the attacker, which is used to gather a range of private, personal information on the user

Spear-phishing
- E-mail claiming to be from a trusted source; however, the recipients are carefully researched by the attacker and each e-mail is carefully crafted to suit its recipient specifically, often quoting a range of information to convince them of its authenticity

Types of Attacks Experienced (chart)

Security Technologies Used (chart)

Summary

- Computer security concepts
- Threats and attacks
- Threats and assets
- Intruder behavior patterns
- Intrusion techniques
- Viruses
- Worms
- Bots
- Spam
- Computer security trends


- Malicious software: back door, logic bomb, Trojan horse, mobile code, multiple-threat malware
- Credential theft, keyloggers, and spyware
- Phishing and identity theft
- Reconnaissance and espionage