CHAPTER 2
Types of Attacks
Copyright 2001 The McGraw-Hill Companies, Inc.
tion Because of this, we will call all of these events “attacks” regardless of whether there was malicious intent or not.
There are four primary categories of attacks:
▼ Access
■ Modification
■ Denial of service
▲ Repudiation
We will cover each of these in detail in the following sections.
Attacks may occur through technical means (a vulnerability in a computer system) or they may occur through social engineering. Social engineering is simply the use of non-technical means to gain unauthorized access—for example, making phone calls or walking into a facility and pretending to be an employee. Social engineering attacks may be the most devastating.
Attacks against information in electronic form have another interesting characteristic: information can be copied but it is normally not stolen. In other words, an attacker may gain access to information, but the original owner of that information has not lost it. It just now resides in both the original owner’s and the attacker’s hands. This is not to say that damage is not done; however, it may be much harder to detect since the original owner is not deprived of the information.
ACCESS ATTACKS
An access attack is an attempt to gain information that the attacker is unauthorized to see. This attack can occur wherever the information resides or may exist during transmission (see Figure 2-1). This type of attack is an attack against the confidentiality of the information.
Snooping
Snooping is looking through information files in the hopes of finding something interesting. If the files are on paper, an attacker may do this by opening a filing cabinet or file drawer and searching through files. If the files are on a computer system, an attacker may attempt to open one file after another until information is found.
Eavesdropping
When someone listens in on a conversation that they are not a part of, that is eavesdropping. To gain unauthorized access to information, an attacker must position himself at a location where information of interest is likely to pass by. This is most often done electronically (see Figure 2-2).
Interception
Unlike eavesdropping, interception is an active attack against the information. When an attacker intercepts information, she is inserting herself in the path of the information and capturing it before it reaches its destination. After examining the information, the attacker may allow the information to continue to its destination or not (see Figure 2-3).
Figure 2-1. Places where access attacks can occur (labels: information in transit over the Internet or phone lines; information coming off fax machines or printers; information on local hard drives; information on file servers; information stored on media and left in the office or on backups taken off-site; information on paper in the office)
How Access Attacks Are Accomplished
Access attacks take different forms depending on whether the information is stored on paper or electronically in a computer system.
Information on Paper
If the information the attacker wishes to access exists in physical form on paper, he needs to gain access to the paper. Paper records and information are likely to be found in the following locations:
▼ In filing cabinets
■ In desk file drawers
■ On desktops
■ In fax machines
■ In printers
■ In the trash
▲ In long term storage
In order to snoop around the locations, the attacker needs physical access to them. If he’s an employee, he may have access to rooms or offices that hold filing cabinets. Desk file drawers may be in cubes or in unlocked offices. Fax machines and printers tend to be in public areas and people tend to leave paper on these devices. Even if offices are locked, trash and recycling cans tend to be left in the hallways after business hours so they can be emptied. Long-term storage may pose a more difficult problem, especially if the records are stored off-site. Gaining access to the other site may not be possible if the site is owned by a vendor.
Precautions such as locks on filing cabinets may stop some snooping but a determined attacker might look for an opportunity such as a cabinet left unlocked over lunch. The locks on filing cabinets and desks are relatively simple locks and may be picked by someone with knowledge of locks.
Physical access is the key to gaining access to physical records. Good site security may prevent an outsider from accessing physical records but will likely not prevent an employee or insider from gaining access.
Figure 2-2. Eavesdropping
Electronic Information
Electronic information may be stored:
▼ In desktop machines
■ In servers
■ On portable computers
■ On floppy disks
■ On CD-ROMs
▲ On backup tapes
Figure 2-3. Interception (labels: traffic from the desktop computer to the mainframe travels over the local area network; the attacker’s system sits in the path of the traffic and captures it; the attacker may choose to allow the traffic to continue or not)
In some of these cases, access can be achieved by physically stealing the storage media (a floppy disk, CD-ROM, backup tape, or portable computer). It may be easier to do this than to gain electronic access to the file at the organization’s facility.
If the files in question are on a system to which the attacker has legitimate access, the files may be examined by simply opening them. If access control permissions are set properly, the unauthorized individual should be denied access (and these attempts should be logged). Correct permissions will prevent most casual snooping. However, a determined attacker will attempt to either elevate his permissions so he can see the file or to reduce the access controls on the file. There are many vulnerabilities on systems that will allow this type of behavior to succeed.
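The logging of denied attempts mentioned above is what makes snooping visible. As an added example (not from the book), this sketch flags any user who is denied access to several distinct files within a short window. The log format, the threshold and the window are assumptions, and the sample lines are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample audit lines; assumed format: time user result path
SAMPLE_LOG = """\
2001-03-05T09:00:01 alice ALLOW /finance/q1.xls
2001-03-05T09:14:10 bob DENY /hr/salaries.xls
2001-03-05T09:14:12 bob DENY /hr/reviews.doc
2001-03-05T09:14:15 bob DENY /finance/q1.xls
2001-03-05T09:14:15 bob DENY /finance/q1.xls
2001-03-05T09:14:19 bob DENY /legal/contracts.doc
2001-03-05T11:30:00 carol DENY /hr/salaries.xls
2001-03-05T16:45:00 carol DENY /hr/reviews.doc
"""

def parse(line):
    """Split one audit line into (timestamp, user, result, path)."""
    ts, user, result, path = line.split(maxsplit=3)
    return datetime.fromisoformat(ts), user, result, path

def find_snoopers(log_text, threshold=3, window=timedelta(minutes=5)):
    """Return {user: sorted paths} for users denied access to at least
    `threshold` distinct files inside any sliding `window`.
    Assumes the log lines are in chronological order."""
    recent = defaultdict(deque)   # user -> recent (timestamp, path) denials
    flagged = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, result, path = parse(line)
        if result != "DENY":
            continue
        q = recent[user]
        q.append((ts, path))
        # Drop denials that have fallen out of the sliding window.
        while q and ts - q[0][0] > window:
            q.popleft()
        distinct = {p for _, p in q}
        # Repeated denials on one file do not count as "file after file".
        if len(distinct) >= threshold:
            flagged.setdefault(user, set()).update(distinct)
    return {u: sorted(p) for u, p in flagged.items()}

if __name__ == "__main__":
    for user, paths in find_snoopers(SAMPLE_LOG).items():
        print(user, "was denied", len(paths), "distinct files:", paths)
```
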
Information in transit can be accessed by eavesdropping on the transmission. On local area networks, an attacker does this by installing a sniffer on a computer system connected to the network. A sniffer is a computer that is configured to capture all the traffic on the network (not just traffic that is addressed to that computer). A sniffer can be installed after an attacker has increased her privileges on a system or if the attacker is allowed to connect her own system to the network (see Figure 2-2). Sniffers can be configured to capture any information that travels over the network. Most often they are configured to capture user IDs and passwords.
Eavesdropping can also occur on wide area networks (such as leased lines and phone connections). However, this type of eavesdropping requires more knowledge and equipment. In this case, the most likely location for the “tap” would be in the wiring closet of the facility. Even fiber-optic transmission lines can be tapped. Tapping a fiber-optic line requires even more specialized equipment and is not normally performed by run-of-the-mill attackers.
Information access using interception is another difficult option for an attacker. To be successful, the attacker must insert his system in the communication path between the sender and the receiver of the information. On the Internet, this could be done by causing a name resolution change (this would cause a computer name to resolve to an incorrect address—see Figure 2-4). The traffic is then sent on to the attacker’s system instead of to the real destination. If the attacker configures his system correctly, the sender or originator of the traffic may never know that he was not talking to the real destination.
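Because the sender may never notice an incorrect resolution, a defender can compare current answers against a known-good baseline. This is an added example (not from the book); the hostnames, the RFC 5737 documentation addresses and the stand-in resolver are constructed placeholders.

```python
import socket

# Constructed baseline: the addresses each name is expected to resolve to.
# Hostnames and RFC 5737 documentation addresses are placeholders.
BASELINE = {
    "mainframe.example.com": {"192.0.2.10"},
    "mail.example.com": {"192.0.2.25", "192.0.2.26"},
}

def system_resolver(name):
    """Resolve `name` through the host's configured resolver (IPv4 only)."""
    infos = socket.getaddrinfo(name, None, family=socket.AF_INET)
    return {info[4][0] for info in infos}

def check_resolution(baseline, resolver=system_resolver):
    """Return (name, status, details) for every name whose current answer
    contains an address outside the baseline or whose lookup fails."""
    findings = []
    for name in sorted(baseline):
        try:
            current = set(resolver(name))
        except OSError as exc:          # socket.gaierror is an OSError
            findings.append((name, "lookup-failed", [str(exc)]))
            continue
        unexpected = sorted(current - baseline[name])
        if unexpected:
            findings.append((name, "unexpected-address", unexpected))
    return findings

def changed_resolver(name):
    """Constructed stand-in for a resolver whose answers were changed."""
    answers = {
        "mainframe.example.com": {"198.51.100.7"},   # not in the baseline
        "mail.example.com": {"192.0.2.26"},          # subset of the baseline
    }
    if name not in answers:
        raise socket.gaierror(socket.EAI_NONAME, "name not known")
    return answers[name]

if __name__ == "__main__":
    for finding in check_resolution(BASELINE, changed_resolver):
        print(finding)
```

A legitimate address change produces the same finding, so the baseline has to be maintained through a channel that does not depend on the name service being checked.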
Interception can also be accomplished by an attacker taking over or capturing a session already in progress. This type of attack is best performed against interactive traffic such as telnet. In this case, the attacker must be on the same network segment as either the client or the server. The attacker allows the legitimate user to begin the session with the server and then uses specialized software to take over the session already in progress. This type of attack gives the attacker the same privileges on the server as the victim.
MODIFICATION ATTACKS
A modification attack is an attempt to modify information that an attacker is not authorized to modify. This attack can occur wherever the information resides. It may also be attempted against information in transit. This type of attack is an attack against the integrity of the information.
Changes
One type of modification attack is to change existing information, such as an attacker changing an existing employee’s salary. The information already existed in the organization but it is now incorrect. Change attacks can be targeted at sensitive information or public information.
Figure 2-4. Interception using incorrect name resolution information