CHAPTER 2
Types of Attacks
Copyright 2001 The McGraw-Hill Companies, Inc.
Bad things can happen to an organization's information or computer systems in many ways. Some of these bad things are done on purpose (maliciously) and others occur by accident. No matter why the event occurs, damage is done to the organization. Because of this, we will call all of these events "attacks" regardless of whether there was malicious intent or not.
There are four primary categories of attacks:
▼ Access
■ Modification
■ Denial of service
▲ Repudiation
We will cover each of these in detail in the following sections.
Attacks may occur through technical means (a vulnerability in a computer system) or
they may occur through social engineering. Social engineering is simply the use of
non-technical means to gain unauthorized access—for example, making phone calls or
walking into a facility and pretending to be an employee. Social engineering attacks may
be the most devastating.
Attacks against information in electronic form have another interesting characteristic:
information can be copied but it is normally not stolen. In other words, an attacker may
gain access to information, but the original owner of that information has not lost it. It just
now resides in both the original owner’s and the attacker’s hands. This is not to say that
damage is not done; however, it may be much harder to detect since the original owner is
not deprived of the information.
ACCESS ATTACKS
An access attack is an attempt to gain information that the attacker is unauthorized to see.
This attack can occur wherever the information resides or may exist during transmission
(see Figure 2-1). This type of attack is an attack against the confidentiality of the information.
Snooping
Snooping is looking through information files in the hopes of finding something interesting. If the files are on paper, an attacker may do this by opening a filing cabinet or file
drawer and searching through files. If the files are on a computer system, an attacker may
attempt to open one file after another until information is found.
Eavesdropping
When someone listens in on a conversation that they are not a part of, that is eavesdropping. To gain unauthorized access to information, an attacker must position himself at a location where information of interest is likely to pass by. This is most often done electronically (see Figure 2-2).
Interception
Unlike eavesdropping, interception is an active attack against the information. When an
attacker intercepts information, she is inserting herself in the path of the information and
capturing it before it reaches its destination. After examining the information, the attacker may allow the information to continue to its destination or not (see Figure 2-3).
Figure 2-1. Places where access attacks can occur: information in transit over the Internet or phone lines; information coming off fax machines or printers; information on local hard drives, file servers, desktop computers and mainframes; information stored on media and left in the office or on backups taken off-site; information on paper in the office.
How Access Attacks Are Accomplished
Access attacks take different forms depending on whether the information is stored on
paper or electronically in a computer system.
Information on Paper
If the information the attacker wishes to access exists in physical form on paper, he needs
to gain access to the paper. Paper records and information are likely to be found in the following locations:
▼ In filing cabinets
■ In desk file drawers
■ On desktops
■ In fax machines
■ In printers
■ In the trash
▲ In long-term storage
In order to snoop around these locations, the attacker needs physical access to them. If he's an employee, he may have access to rooms or offices that hold filing cabinets. Desk file drawers may be in cubes or in unlocked offices. Fax machines and printers tend to be in public areas, and people tend to leave paper on these devices. Even if offices are locked, trash and recycling cans tend to be left in the hallways after business hours so they can be emptied. Long-term storage may pose a more difficult problem, especially if the records are stored off-site. Gaining access to the other site may not be possible if the site is owned by a vendor.
Precautions such as locks on filing cabinets may stop some snooping, but a determined attacker might look for an opportunity such as a cabinet left unlocked over lunch. The locks on filing cabinets and desks are relatively simple locks and may be picked by someone with knowledge of locks.
Physical access is the key to gaining access to physical records. Good site security may prevent an outsider from accessing physical records but will likely not prevent an employee or insider from gaining access.
Figure 2-2. Eavesdropping
Electronic Information
Electronic information may be stored:
▼
In desktop machines
■
In servers
■
On portable computers
Chapter 2: Types of Attacks
19
Desktop computer
Mainframe
Attacker’s computer
The attacker’s system sits in the
path of the traffic and captures it.
The attacker may choose to allow
the traffic to continue or not.
Traffic from the desktop to
the mainframe travels over
the local area network.
Figure 2-3.
Interception
■
On floppy disks
■
On CD-ROMs
▲
On backup tapes
In some of these cases, access can be achieved by physically stealing the storage media
(a floppy disk, CD-ROM, backup tape, or portable computer). It may be easier to do this
than to gain electronic access to the file at the organization’s facility.
If the files in question are on a system to which the attacker has legitimate access, the
files may be examined by simply opening them. If access control permissions are set
properly, the unauthorized individual should be denied access (and these attempts
should be logged). Correct permissions will prevent most casual snooping. However, a
determined attacker will attempt to either elevate his permissions so he can see the file or
to reduce the access controls on the file. There are many vulnerabilities on systems that
will allow this type of behavior to succeed.
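As an added example (not from the book), here is a small audit of the file-permission point above: it walks a directory and reports regular files whose "other" read bit is set, which are exactly the files an unprivileged snooper can open without elevating privileges or changing any access control. The sample tree, its file names and its modes are constructed for the demonstration; the check itself is the POSIX mode-bit test and says nothing about ACLs on other systems.

```python
import os
import stat
import tempfile


def find_world_readable(root):
    """Return the paths (relative to root) of regular files that any account
    on the system can read, i.e. whose 'other' read bit is set.  These are the
    files a casual snooper can open without elevating privileges or touching
    the access controls at all."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks and special files are out of scope here
            if st.st_mode & stat.S_IROTH:
                findings.append(os.path.relpath(path, root))
    return sorted(findings)


def build_sample_tree():
    """Create a constructed directory (not data from the book) with one file
    per permission pattern and return its path.  The names and modes are
    assumptions chosen to exercise the check."""
    root = tempfile.mkdtemp(prefix="snoop-demo-")
    samples = {
        "payroll.csv": 0o600,       # owner only: right for sensitive data
        "team-notes.txt": 0o640,    # owner and group: not world-readable
        "salaries.xls": 0o644,      # world-readable: a finding
        "public-memo.txt": 0o644,   # world-readable, and meant to be
    }
    for name, mode in samples.items():
        path = os.path.join(root, name)
        with open(path, "w") as fh:
            fh.write("constructed sample content\n")
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    demo_root = build_sample_tree()
    for rel in find_world_readable(demo_root):
        print("world-readable:", rel)
```

The audit flags public-memo.txt as well as salaries.xls; the mode bits cannot tell an intentionally public file from a leaked one, so a human (or a list of locations where sensitive data is allowed to live) still has to classify each finding. Failed open() attempts against the correctly protected files are what the logging mentioned above should record.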
Information in transit can be accessed by eavesdropping on the transmission. On local area networks, an attacker does this by installing a sniffer on a computer system connected to the network. A sniffer is software (or a dedicated machine) that puts the network interface into promiscuous mode so that it captures all the traffic it can see on the network segment, not just traffic that is addressed to that computer. On a shared medium such as a hub, that is every frame on the segment; on a switched network, the sniffer by itself sees only the traffic the switch sends to its own port. A sniffer can be installed after an attacker has increased her privileges on a system or if the attacker is allowed to connect her own system to the network (see Figure 2-2). Sniffers can be configured to capture any information that travels over the network. Most often they are configured to capture user IDs and passwords, which older protocols such as telnet, FTP and POP3 send in cleartext.
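To show what a sniffer does with traffic once it has been captured, here is an added example that is not from the book: it decodes Ethernet II / IPv4 / TCP frames and pulls USER and PASS commands out of cleartext FTP (port 21) and POP3 (port 110) sessions, which is how captured traffic turns into user IDs and passwords. The capture step itself needs a raw socket in promiscuous mode (or a tool such as tcpdump) and root privileges, so it is left out; the frames, MAC and IP addresses, ports and credentials below are made up and built in code so that the decoder runs offline.

```python
import socket
import struct

# Ports whose protocols send the login as cleartext USER / PASS commands.
CREDENTIAL_PORTS = {21: "ftp", 110: "pop3"}


def build_frame(payload, src_ip="10.0.0.5", dst_ip="10.0.0.9",
                sport=40123, dport=21):
    """Build a constructed Ethernet II / IPv4 / TCP frame around payload.
    Addresses, ports and MACs are assumptions; checksums are left at zero,
    which the decoder does not need (a real capture would have them)."""
    eth = (bytes.fromhex("001122334455")        # destination MAC (assumed)
           + bytes.fromhex("66778899aabb")      # source MAC (assumed)
           + struct.pack("!H", 0x0800))         # EtherType: IPv4
    total_len = 20 + 20 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45, 0, total_len,        # version/IHL, TOS, total length
                     0x1234, 0x4000, 64, 6, 0,  # id, flags/frag, TTL, proto=TCP, checksum
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    tcp = struct.pack("!HHIIBBHHH",
                      sport, dport, 1000, 2000,  # ports, seq, ack
                      5 << 4, 0x18,              # data offset 5 words, flags PSH|ACK
                      65535, 0, 0)               # window, checksum, urgent pointer
    return eth + ip + tcp + payload


def parse_frame(frame):
    """Decode one frame; return (src, dst, sport, dport, payload) for IPv4/TCP,
    None for anything else (ARP, IPv6, UDP, truncated data)."""
    if len(frame) < 14 + 20 + 20:
        return None
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != 6:
        return None
    src, dst = socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
    tcp = ip[ihl:total_len]
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_offset = (tcp[12] >> 4) * 4
    return src, dst, sport, dport, tcp[data_offset:]


def extract_credentials(frames):
    """What a credential-harvesting sniffer does after capture: keep only
    traffic to the interesting ports and pull out USER / PASS lines."""
    found = []
    for frame in frames:
        parsed = parse_frame(frame)
        if parsed is None:
            continue
        src, dst, _sport, dport, payload = parsed
        if dport not in CREDENTIAL_PORTS:
            continue
        for line in payload.decode("ascii", "replace").splitlines():
            verb, _, arg = line.partition(" ")
            if verb.upper() in ("USER", "PASS"):
                found.append((CREDENTIAL_PORTS[dport], src, dst, verb.upper(), arg))
    return found


def sample_capture():
    """A constructed capture: an FTP login, an unrelated HTTP request and an
    ARP frame (not IPv4, so the decoder must skip it)."""
    arp = bytes.fromhex("ffffffffffff66778899aabb0806") + bytes(28)
    return [
        build_frame(b"USER alice\r\n"),
        build_frame(b"PASS hunter2\r\n"),
        build_frame(b"GET / HTTP/1.0\r\n\r\n", dport=80),
        arp,
    ]


if __name__ == "__main__":
    for proto, src, dst, verb, arg in extract_credentials(sample_capture()):
        print(f"{proto} {src} -> {dst}: {verb} {arg}")
```

The decoder honours the IHL and TCP data-offset fields rather than assuming 20-byte headers, so frames with IP or TCP options still yield the right payload. A real capture would also have to reassemble commands split across segments; this example assumes each command arrives in one frame.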
Eavesdropping can also occur on wide area networks (such as leased lines and phone connections). However, this type of eavesdropping requires more knowledge and equipment. In this case, the most likely location for the "tap" would be in the wiring closet of the facility. Even fiber-optic transmission lines can be tapped. Tapping a fiber-optic line requires even more specialized equipment and is not normally performed by run-of-the-mill attackers.
Information access using interception is another difficult option for an attacker. To be
successful, the attacker must insert his system in the communication path between the
sender and the receiver of the information. On the Internet, this could be done by causing
a name resolution change (this would cause a computer name to resolve to an incorrect
address—see Figure 2-4). The traffic is then sent on to the attacker’s system instead of to
the real destination. If the attacker configures his system correctly, the sender or originator of the traffic may never know that he was not talking to the real destination.
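The interception of Figures 2-3 and 2-4, as an added example that is not the book's code: a constructed "real" server, an attacker's relay that the victim has been pointed at (standing in for the incorrect name resolution, which is not simulated), and a client that sees a normal exchange either way. The relay records every request and applies a drop rule to decide whether to forward it or swallow it. Everything runs on 127.0.0.1 with ports chosen at run time; the one-request-per-connection protocol, the upper-casing server, the drop rule and the messages are assumptions made for the demonstration.

```python
import socket
import threading


def start_real_server():
    """Constructed stand-in for the real destination: answers each connection
    with 'OK ' plus the upper-cased request.  Returns its port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            conn, _ = srv.accept()
            with conn:
                request = conn.recv(4096)
                conn.sendall(b"OK " + request.upper())

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def start_interceptor(real_port, captured, drop_if=lambda data: False):
    """The attacker's system from Figure 2-3.  Clients arrive here because
    they were given this address instead of the real one.  Every request is
    recorded in `captured`; `drop_if` decides whether it is relayed or
    silently swallowed.  Returns the port clients should be sent to."""
    lst = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    lst.bind(("127.0.0.1", 0))
    lst.listen(5)

    def relay():
        while True:
            client, _ = lst.accept()
            with client:
                request = client.recv(4096)
                captured.append(request)          # examine / store the traffic
                if drop_if(request):
                    continue                      # client socket closes: it sees EOF
                with socket.create_connection(("127.0.0.1", real_port)) as up:
                    up.sendall(request)           # forward unchanged
                    reply = up.recv(4096)
                client.sendall(reply)             # victim gets the real answer

    threading.Thread(target=relay, daemon=True).start()
    return lst.getsockname()[1]


def send_request(port, message):
    """The victim client.  It connects to whatever port it was told the
    server is on; nothing in the exchange reveals the relay."""
    with socket.create_connection(("127.0.0.1", port)) as s:
        s.sendall(message)
        s.shutdown(socket.SHUT_WR)
        return s.recv(4096)


if __name__ == "__main__":
    log = []
    real = start_real_server()
    proxy = start_interceptor(real, log, drop_if=lambda d: d.startswith(b"DELETE"))
    print(send_request(proxy, b"get balance"))   # relayed: b'OK GET BALANCE'
    print(send_request(proxy, b"DELETE audit"))  # dropped: b''
    print(log)                                   # [b'get balance', b'DELETE audit']
```

From the client's side a relayed request is indistinguishable from talking to the real server, which is the point of the passage above; only the dropped request shows anything unusual, and then only as a closed connection that looks like an ordinary network failure. Replacing `up.sendall(request)` with a modified message is all it would take to turn this access attack into the modification attack described in the next section.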
Interception can also be accomplished by an attacker taking over or capturing a ses
-
sion already in progress. This type of attack is best performed against interactive traffic
such as telnet. In this case, the attacker must be on the same network segment as either the
client or the server. The attacker allows the legitimate user to begin the session with the
server and then uses specialized software to take over the session already in progress.
This type of attack gives the attacker the same privileges on the server as the victim.
MODIFICATION ATTACKS
A modification attack is an attempt to modify information that an attacker is not authorized to modify. This attack can occur wherever the information resides. It may also be attempted against information in transit. This type of attack is an attack against the integrity of the information.
Changes
One type of modification attack is to change existing information, such as an attacker changing an existing employee's salary. The information already existed in the organization but it is now incorrect. Change attacks can be targeted at sensitive information or public information.
Figure 2-4. Interception using incorrect name resolution information