- How Seriously Should You Take Threats to Network Security?
- Identifying Types of Threats
- Assessing the Likelihood of an Attack on Your Network
- Basic Security Terminology
- Concepts and Approaches
- How Do Legal Issues Impact Network Security?
- Online Security Resources
- Test Your Skills
Identifying Types of Threats
As discussed in the previous section, identifying your threats is a key part of risk assessment. Some threats are common to all networks; others are more likely with specific types of networks. Various sources have divided threats into different categories based on specific criteria. In this section we will examine threats that have been divided into categories based on the nature of the attack. Most attacks can be categorized as one of seven broad classes:
- Malware: This is a generic term for software that has a malicious purpose. It includes virus attacks, worms, adware, Trojan horses, and spyware. This is the most prevalent danger to your system. One reason the relatively generic term malware is now widely used is that many times a piece of malware does not fit neatly into one of these categories.
- Security breaches: This group of attacks includes any attempt to gain unauthorized access to your system. This includes cracking passwords, elevating privileges, breaking into a server…all the things you probably associate with the term hacking.
- DoS attacks: These are designed to prevent legitimate access to your system. And, as you will see in later chapters, this includes distributed denial of service (DDoS).
- Web attacks: This is any attack that attempts to breach your website. Two of the most common such attacks are SQL injection and cross-site scripting.
- Session hijacking: These attacks are rather advanced and involve an attacker attempting to take over a session.
- Insider threats: These are breaches based on someone who has access to your network misusing his access to steal data or compromise security.
- DNS poisoning: This type of attack seeks to compromise a DNS server so that users can be redirected to malicious websites, including phishing websites.
There are other attacks, such as social engineering. The foregoing list is just an attempt to provide a broad categorization of attack types. This section offers a broad description of each type of attack. Later chapters go into greater detail on each specific attack, how it is accomplished, and how to avoid it.
Malware is a generic term for software that has a malicious purpose. This section discusses four types of malware: viruses, Trojan horses, spyware, and logic bombs. Trojan horses and viruses are the most widely encountered. One could also include rootkits in the malware category, but these usually spread as viruses and thus are regarded as simply a specific type of virus.
According to Malwarebytes:
“Malware, or ‘malicious software,’ is an umbrella term that describes any malicious program or code that is harmful to systems. Hostile, intrusive, and intentionally nasty, malware seeks to invade, damage, or disable computers, computer systems, networks, tablets, and mobile devices, often by taking partial control over a device’s operations. Like the human flu, it interferes with normal functioning.”3
We still think primarily of computer viruses when we think of malware. The key characteristic of a computer virus is that it self-replicates. A computer virus is similar to a biological virus; both are designed to replicate and spread. The most common method for spreading a virus is using the victim’s email account to spread the virus to everyone in his address book. Some viruses don’t actually harm the system itself, but almost all of them cause network slowdowns due to the heavy network traffic caused by virus replication.
The Trojan horse gets its name from an ancient tale. The city of Troy was besieged for an extended period of time. The attackers could not gain entrance, so they constructed a huge wooden horse and one night left it in front of the gates of Troy. The next morning the residents of Troy saw the horse and assumed it to be a gift, so they rolled the wooden horse into the city. Unbeknownst to them, several soldiers were hidden inside the horse. That evening the soldiers left the horse, opened the city gates, and let their fellow attackers into the city. An electronic Trojan horse works similarly, appearing to be benign software but secretly downloading a virus or some other type of malware onto a computer from within.
Another category of malware currently on the rise is spyware. Spyware is simply software that literally spies on what you do on your computer. Spyware can be as simple as a cookie—a text file that your browser creates and stores on your hard drive—that a website you have visited downloads to your machine and uses to recognize you when you return to the site. However, that flat file can then be read by the website or by other websites. Any data that the file saves can be retrieved by any website, so your entire Internet browsing history can be tracked. Spyware may also consist of software that takes periodic screenshots of the activity on your computer and sends them to the attacker.
Another form of spyware, called a key logger, records all of your keystrokes. Some key loggers also take periodic screenshots of your computer. Data is then either stored for later retrieval by the person who installed the key logger or is sent immediately back via email. We will discuss specific types of key loggers later in this book.
A logic bomb is software that lays dormant until some specific condition is met. That condition is usually a date and time. When the condition is met, the software does some malicious act, such as delete files, alter system configuration, or perhaps release a virus. In Chapter 5, “Malware,” we will examine logic bombs and other types of malware in detail.
Compromising System Security
Next we will look at attacks that breach your system’s security. This activity is commonly referred to as hacking, though that is not the term hackers themselves use. We will delve into appropriate terminology in just a few pages; however, it should be noted at this point that cracking is the appropriate word for intruding into a system without permission, usually with malevolent intent. Any attack that is designed to breach your security, either via some operating system flaw or any other means, can be classified as cracking.
Essentially any technique to bypass security, crack passwords, breach Wi-Fi, or in any way actually gain access to the target network fits into this category. That makes this a very broad category indeed.
However, not all breaches involve technical exploits. In fact, some of the most successful breaches are entirely nontechnical. Social engineering is a technique for breaching a system’s security by exploiting human nature rather than technology. This was the path that the famous hacker Kevin Mitnick most often used. Social engineering uses standard con techniques to get users to give up the information needed to gain access to a target system. The way this method works is rather simple: The perpetrator gets preliminary information about a target organization and leverages it to obtain additional information from the system’s users.
Following is an example of social engineering in action. Armed with the name of a system administrator, you might call someone in the business’s accounting department and claim to be one of the company’s technical support personnel. Mentioning the system administrator’s name would help validate that claim, allowing you to ask questions in an attempt to ascertain more details about the system’s specifications. A savvy intruder might even get the accounting person to say a username and password. As you can see, the success of this method is based on how well the prospective intruder can manipulate people and actually has little to do with computer skills.
The growing popularity of wireless networks gave rise to new kinds of attacks. One such activity is war-driving. This type of attack is an offshoot of war-dialing. With war-dialing, a hacker sets up a computer to call phone numbers in sequence until another computer answers to try to gain entry to its system. War-driving is much the same concept, applied to locating vulnerable wireless networks. In this scenario, the hacker simply drives around trying to locate wireless networks. Many people forget that their wireless network signal often extends as much as 100 feet (thus, past walls). At the 2004 DEF CON convention for hackers, there was a war-driving contest where contestants drove around the city trying to locate as many vulnerable wireless networks as they could. These sorts of contests are now common at various hacking conventions. (DEF CON is the largest and oldest hacking conference in the world.)
Recent technological innovations have introduced new variations of war driving/dialing. Now we have war flying. The attacker uses a small private drone equipped with Wi-Fi sniffing and cracking software, flies the drone in the area of interest, and attempts to gain access to wireless networks.
Of course, Wi-Fi hacking is only one sort of breach. Password cracking tools are now commonly available on the Internet. We will examine some of these later in this book. There are also exploits of software vulnerabilities that allow one to gain access to the target computer.
In a DoS, the attacker does not actually access the system. Rather, this person simply blocks access from legitimate users. One common way to prevent legitimate service is to flood the targeted system with so many false connection requests that the system cannot respond to legitimate requests. DoS is a very common attack because it is so easy.
In recent years a proliferation of DoS tools has become available on the Internet. One of the most common such tools is the Low Orbit Ion Cannon (LOIC). Because these tools can be downloaded for free from the Internet, anyone can execute a DoS attack, even without technical skill.
We also have variations, such as the DDoS attack. This attack uses multiple machines to attack the target. Given that many modern websites are hosted in network clusters or even in clouds, it is very difficult for a single attacking machine to generate enough traffic to take down a web server. But a network of hundreds or even thousands of computers certainly can. We will explore DoS and DDoS attacks in more detail in Chapter 4, “Denial of Service Attacks.”
By their nature, web servers have to allow communications. Oftentimes, websites allow users to interact with the website. Any part of a website that allows for user interaction is also a potential point for attempting a web-based attack. SQL injections involve entering SQL (Structured Query Language) commands into login forms (username and password text fields) in an attempt to trick the server into executing those commands. The most common purpose is to force the server to log the attacker on, even though the attacker does not have a legitimate username and password. While SQL injection is just one type of web attack, it is the most common.
SQL injection is still quite common, though it has been known for many years. Unfortunately, not enough web developers take the appropriate steps to remediate the vulnerabilities that make such an attack possible. Given the prevalence of this type of attack, it warrants a bit more detailed description.
Consider one of the simplest forms of SQL injection, used to bypass login screens. The website was developed in some web programming language, such as PHP or ASP.NET. The database is most likely a basic relational database such as Oracle, SQL Server, MySQL, or PostgreSQL. SQL is used to communicate with the database, so we need to put SQL statements into the web page that was written in some programming language. That will allow us to query the database and see if the username and password are valid.
SQL is relatively easy to understand; in fact, it looks a lot like English. There are commands like SELECT to get data, INSERT to put data in, and UPDATE to change data. In order to log in to a website, the web page has to query a database table to see if that username and password are correct. The general structure of SQL is like this:
SELECT column1, column2 FROM tablename;
SELECT * FROM tablename;
Conditions:
SELECT columns FROM tablename WHERE condition;
For example:
SELECT * FROM tblUsers WHERE USERNAME = 'jsmith'
This statement retrieves all the columns or fields from a table named tblUsers where the username is jsmith.
The problem arises when we try to put SQL statements into our web page. Recall that the web page was written in some web language such as PHP or ASP.NET. If you just place SQL statements directly in the web page code, an error will be generated. The SQL statements in the programming code for the website have to use quotation marks to separate the SQL code from the programming code. A typical SQL statement might look something like this:
"SELECT * FROM tblUsers WHERE USERNAME = '" + txtUsername.Text + "' AND PASSWORD = '" + txtPassword.Text + "'"
If you enter username 'jdoe' and the password 'password', this code produces this SQL command:
SELECT * FROM tblUsers WHERE USERNAME = 'jdoe' AND PASSWORD = 'password'
This is fairly easy to understand even for nonprogrammers. And it is effective. If there is a match in the database, that means the username and password match. If no records are returned from the database, that means there was no match, and this is not a valid login.
The most basic form of SQL injection seeks to subvert this process. The idea is to create a statement that will always be true. For example, instead of putting an actual username and password into the appropriate text fields, the attacker will enter ' or '1' = '1 into the username and password boxes. This will cause the program to create this query:
SELECT * FROM tblUsers WHERE USERNAME = '' or '1' = '1' AND PASSWORD = '' or '1' = '1'
So you are telling the database and application to return all records where username and password are blank or if 1 = 1. It is highly unlikely that the username and password are blank. But I am certain that 1 = 1 always. Any true statement can be substituted. Examples are a = a and bob = bob.
The tragedy of this attack is that it is so easy to prevent. If the web programmer would simply filter all input prior to processing it, then this type of SQL injection would be impossible. Filtering means that before any user input is processed, the web page programming code looks through that input for common SQL injection symbols, scripting symbols, and similar items. It is true that each year fewer and fewer websites are susceptible to these attacks. However, there are still many sites that are vulnerable. SQL injection is still one of the top vulnerabilities found in websites according to OWASP (The Open Web Application Security Project). Subsequent chapters provide more coverage of most of these attacks, including tools used for them.
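The login check described above, as an added example that is not part of the original text: the string concatenation from the text is reproduced against a constructed SQLite table named tblUsers, beside the standard remediation of a parameterized query, so that the same ' or '1' = '1 input can be seen succeeding against one and failing against the other. The table, the user jdoe, and the function names are assumptions for this example; a real application would also store password hashes rather than the plaintext used here for illustration.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the site's user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tblUsers (USERNAME TEXT, PASSWORD TEXT)")
    conn.execute("INSERT INTO tblUsers VALUES ('jdoe', 'password')")
    conn.commit()
    return conn


def build_vulnerable_query(username: str, password: str) -> str:
    # Same concatenation as in the text: the user's input becomes part of the
    # SQL text itself, so a quote character in the input ends the literal.
    return ("SELECT * FROM tblUsers WHERE USERNAME = '" + username +
            "' AND PASSWORD = '" + password + "'")


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Returns True when the concatenated query matches at least one row."""
    return conn.execute(build_vulnerable_query(username, password)).fetchone() is not None


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Parameterized query: the values travel separately from the SQL text, so
    # "' or '1' = '1" is compared literally as a username and never matches.
    query = "SELECT * FROM tblUsers WHERE USERNAME = ? AND PASSWORD = ?"
    return conn.execute(query, (username, password)).fetchone() is not None


if __name__ == "__main__":
    db = make_db()
    payload = "' or '1' = '1"
    print(build_vulnerable_query(payload, payload))
    print("vulnerable login with payload:", login_vulnerable(db, payload, payload))
    print("parameterized login with payload:", login_safe(db, payload, payload))
```

The printed query is exactly the always-true statement shown in the text; the parameterized version returns no row for it because the database never parses the input as SQL.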
Cross-site scripting is a type of attack that is closely related to SQL injection. It involves entering data other than what was intended, and its success depends on the web programmer not filtering input. The perpetrator finds some area of a website that allows users to type in text that other users will see and then instead injects client-side script into those fields.
To better understand this process, let’s look at a hypothetical scenario. Let’s assume that ABC Online Book Sales has a website. In addition to shopping, users can have accounts with credit cards stored, post reviews, and more. The attacker first sets up an alternate web page that looks as close to the real one as possible. Then the attacker goes to the real ABC Online Book Sales website and finds a rather popular book. He goes to the review section, but instead of typing in a review, he types in this:
<script> window.location = "http://www.fakesite.com"; </script>
Now when users go to that book, this script will redirect them to the fake site, which looks a great deal like the real one. The attacker then can have the website tell the user that his session has timed out and to please log in again. That would allow the attacker to gather a lot of account and password information. That is only one scenario, but it illustrates the attack.
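The review scenario above, as an added example that is not part of the original text: a constructed list of reviews containing the script from the text is rendered twice, once by dropping the text straight into the page and once with output encoding, and a small check shows which rendering still carries a live script element. The function names, the sample reviews and the plain-text input filter are assumptions for this example.

```python
import html
import re

# Constructed sample reviews for one book; the second one is the script the
# text shows an attacker posting in place of a review.
SAMPLE_REVIEWS = [
    "Excellent introduction to network security.",
    '<script> window.location = "http://www.fakesite.com"; </script>',
]

# Matches an opening <script ...> tag, in any case.
SCRIPT_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)


def looks_like_markup(text: str) -> bool:
    """Input filter: a book review is plain text, so angle brackets are rejected."""
    return "<" in text or ">" in text


def render_reviews_unsafe(reviews: list[str]) -> str:
    # The review text is placed directly in the page, so a stored script is
    # sent to, and executed by, every visitor's browser.
    return "<ul>" + "".join(f"<li>{r}</li>" for r in reviews) + "</ul>"


def render_reviews_safe(reviews: list[str]) -> str:
    # Output encoding: html.escape turns < > & " ' into entities, so the
    # browser displays the script as text instead of running it.
    return "<ul>" + "".join(f"<li>{html.escape(r)}</li>" for r in reviews) + "</ul>"


def has_executable_script(page: str) -> bool:
    """Check a rendered page for a live <script> element."""
    return SCRIPT_TAG.search(page) is not None


if __name__ == "__main__":
    for name, renderer in (("unsafe", render_reviews_unsafe), ("safe", render_reviews_safe)):
        page = renderer(SAMPLE_REVIEWS)
        print(name, "-> executable script present:", has_executable_script(page))
```

The input filter catches the obvious case before storage, but the output encoding is the control that still holds when a filter is bypassed, so both belong in the page code.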
Performing session hijacking can be rather complex. For that reason, it is not a very common form of attack. Simply put, the attacker monitors an authenticated session between the client machine and the server and takes over that session. We will explore specific methods of how this is done later in this book.
A 1985 paper written by Robert T. Morris, titled “A Weakness in the 4.2BSD Unix TCP/IP Software,” defined the original session hijacking. By predicting the initial sequence number, Morris was able to spoof the identity of a trusted client to a server. This is much harder to do today.
In addition to flags (SYN, ACK, SYN-ACK), the packet header will contain the sequence number that is intended to be used by the client to reconstitute the data sent over the stream in the correct order. (We will explore network packet flags in Chapter 2, “Networks and the Internet.”)
The Morris attack and several other session hijacking attacks require the attacker to be connected to the network and to simultaneously knock the legitimate user offline and then pretend to be that user. As you can probably imagine, it is a complex attack.
Insider threats are a type of security breach. However, they present such a significant issue that we will deal with them separately. An insider threat occurs when someone inside your organization either misuses his access to data or accesses data he is not authorized to access.
The most obvious case is that of Edward Snowden. For our purposes, we can ignore the political issues connected with his case and instead focus solely on the issue of insiders accessing information and using it in a way other than what was authorized.
In 2009 Edward Snowden was working as a contractor for Dell, which manages computer systems for several U.S. government agencies. In March 2012 he was assigned to an NSA location in Hawaii. While there he convinced several people at that location to provide him with their login and password information, under the pretense of performing network administrative duties. Some sources dispute whether or not this is the specific method he used, but it is the one most widely reported. Whatever method he used, he accessed and downloaded thousands of documents that he was not authorized to access.
Again, ignoring the political issues and the content of the documents, our focus is on the security issues. Clearly, there were inadequate security controls in place to detect Edward Snowden’s activities and to prevent him from disclosing the content of confidential documents. While your organization may not have the high profile that the NSA has, any organization is susceptible to insider threats. Theft of trade secrets by insiders is a common business concern and has been the focus of many lawsuits against former employees. In both Chapter 7, “Industrial Espionage in Cyberspace,” and Chapter 9, “Computer Security Technology,” we will see some countermeasures to mitigate this threat.
While Edward Snowden is an obvious example of insider threats, that is only one example. A common scenario is when someone who has legitimate access to some particular source of data chooses either to access data he is not authorized to access or to use the data in a manner other than how he has been authorized to use it. Here are a few examples:
- A hospital employee who accesses patient records to use the data to steal a patient’s identity, or someone with no access at all who accesses records
- A salesperson who takes a list of contacts with him when he leaves the company
This is actually a much greater problem than many people appreciate. Within an organization, information security is often more lax than it should be. Most people are more concerned with external security than internal security, so it is often rather easy to access data within an organization. In my career as a security consultant, I have seen networks where sensitive data is simply placed on a shared drive with no limiting of access to it. That means anyone on the network can access that data. In a case such as this, when information is taken, no crime has been committed.
However, in other cases, employees purposefully circumvent security measures to access data they are not authorized to. The most common method is to simply log in with someone else’s password. That enables the perpetrator to access the resources and data to which that other person has been granted access. Unfortunately, many people use weak passwords or, worse, they write their password somewhere on their desk.
Some users even share passwords. For example, suppose a sales manager is out sick but wants to check to see if a client has emailed her. So she calls her assistant and gives him her login so he can check her email. This sort of behavior should be strictly prohibited by company security policies, but it still occurs. The problem is that now two people have the sales manager’s login. Either one could use it or reveal it to someone else (accidentally or on purpose). So there is a greater chance of someone using that manager’s login to access data he has not been authorized to access.
Most of your communication on the Internet will involve DNS, or Domain Name System. DNS is what translates the domain names you and I understand (like www.ChuckEasttom.com) into IP addresses that computers and routers understand. DNS poisoning uses one of several techniques to compromise that process and redirect traffic to an illicit site, often for the purpose of stealing personal information.
Here is one scenario whereby an attacker might execute a DNS poisoning attack: First the attacker creates a phishing website. It spoofs a bank that we will call ABC Bank. The attacker wants to lure users there so he can steal their passwords and use them on the real bank website. Since many users are too smart to click on links, he will use DNS poisoning to trick them.
The attacker creates his own DNS server. (Actually, this part is relatively easy.) Then he puts two records in that DNS server. The first is for the ABC Bank website, pointing to his fake site rather than the real bank site. The second entry is for a domain that does not exist. The attacker can search domain registries until he finds one that does not exist. For illustration purposes, we will refer to this as XYZ domain.
Then the attacker sends a request to a DNS server on the target network. That request purports to be from any IP address within the target network and is requesting the DNS server resolve the XYZ domain.
Obviously, the DNS server does not have an entry for the XYZ domain since it does not exist. So, it begins to propagate the request up its chain of command and eventually to its service provider DNS server. At any point in that process, the attacker sends a flood of spoofed responses claiming to be from a DNS server that the target server is trying to request records from but that are actually coming from his DNS server and offering the IP address for XYZ domain. At that point the hacker’s DNS server offers to do a zone transfer, exchanging all information with the target server. That information includes the spoofed address for ABC Bank. Now the target DNS server has an entry for ABC Bank that points to the hacker’s website rather than the real ABC Bank website. Should users on that network type in the URL for ABC Bank, their own DNS server will direct them to the hacker’s site.
This attack, like so many, depends on vulnerabilities in the target system. A properly configured DNS server should never perform a zone transfer with any DNS server that is not already authenticated in the domain. However, the unfortunate fact is that there are plenty of DNS servers that are not properly configured.
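The two checks a properly configured DNS server applies against the scenario above, as an added example that is not part of the original text: a toy resolver accepts an answer only if its transaction ID, destination port, question name and source address all match a question it actually sent, and it agrees to a zone transfer only with peers on an explicit allowlist. The Resolver class, the XYZ-style domain name, and the documentation-range IP addresses are constructed for this example and model the checks rather than implement the DNS wire format.

```python
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Query:
    txid: int      # 16-bit DNS transaction ID, chosen at random per question
    port: int      # random UDP source port the question left from
    name: str      # domain being resolved
    server: str    # upstream server the question was sent to


@dataclass(frozen=True)
class Response:
    txid: int
    port: int      # port the answer arrived on
    name: str
    source: str    # claimed source address of the answer
    address: str   # IP address offered for `name`


class Resolver:
    """Toy caching resolver that models the acceptance checks of a real one."""

    def __init__(self, transfer_peers):
        self.pending = {}                            # txid -> outstanding Query
        self.cache = {}                              # name -> accepted address
        self.transfer_peers = set(transfer_peers)    # hosts allowed to request AXFR

    def send_query(self, name: str, server: str) -> Query:
        txid = random.randrange(1 << 16)
        port = random.randrange(49152, 1 << 16)      # ephemeral port range
        query = Query(txid, port, name, server)
        self.pending[txid] = query
        return query

    def receive_response(self, resp: Response) -> bool:
        """Accept only an answer that matches a question still waiting."""
        query = self.pending.get(resp.txid)
        if query is None:
            return False                             # unknown ID: dropped
        if (resp.port, resp.name, resp.source) != (query.port, query.name, query.server):
            return False                             # wrong port, name or sender: dropped
        del self.pending[resp.txid]                  # first valid answer wins
        self.cache[resp.name] = resp.address
        return True

    def allow_zone_transfer(self, peer: str) -> bool:
        """Zone transfers go only to peers explicitly trusted for them."""
        return peer in self.transfer_peers


if __name__ == "__main__":
    resolver = Resolver(transfer_peers={"192.0.2.2"})
    q = resolver.send_query("xyz.example", "198.51.100.1")
    flood = [Response(t, 49152, "xyz.example", "198.51.100.1", "203.0.113.9")
             for t in range(2000) if t != q.txid]
    print("spoofed answers accepted:", sum(resolver.receive_response(r) for r in flood))
    print("transfer to unknown peer allowed:", resolver.allow_zone_transfer("203.0.113.9"))
```

A response that guesses the ID must also land on the right port and name a server the resolver actually asked, which is why random IDs and random source ports are the standard mitigation for the response flood the text describes.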
Many of the threats discussed in the first three editions of this book are still plaguing network security. Malware, DoS, and other such attacks are just as common today as they were 5 years ago or even 10 years ago.
One new phenomenon is doxing, which is the process of finding personal information about an individual and broadcasting it, often via the Internet. This can be any personal information about any person. However, it is most often used against public figures. It has even been the case that a previous director of the CIA was the target of doxing.4
Hacking of medical devices is another new type of attack. Hacker Barnaby Jack first revealed a vulnerability in an insulin pump that could allow an attacker to take control of the pump and cause it to dispense the entire reservoir of insulin in a single dose, thus killing the patient. To date there are no confirmed incidents of this having actually been done, but it is disturbing nonetheless. Similar security flaws have been found in pacemakers. In 2018, the U.S. Food and Drug Administration (FDA) published a list of medical devices that are not secure. So, this problem appears to be getting worse.
In July 2015 it was revealed that Jeep vehicles could be hacked and shut down during normal operation. This means that a hacker could cause a Jeep to stop in the middle of heavy, high-speed traffic, potentially causing a serious automobile accident. The hacking of cars has become more widespread. DEF CON in 2016 had a car hacking village.
More recently, the Internet of Things has created a new set of targets for attackers. Smart homes and offices, with their integrated Internet-enabled devices, make attractive targets for attackers. For example, ransomware has been created for smart thermostats.
All of these attacks show a common theme: As our lives become more interconnected with technology, new vulnerabilities emerge. Some of these vulnerabilities are not merely endangering data and computer systems but potentially endangering lives.