L6: Threat to Information System | Accidental Threat| Intentional Threat| Passive and Active Attack

Security attacks may be divided into these two main categories:

  • Passive attacks.
  • Active attacks.

Passive attacks:

Passive attacks attempt to learn or make use of information from the system but do not affect system resources. A passive attack is one where the attacker only monitors the communication channel. A passive attacker only threatens the confidentiality of data. Passive attacks are in the nature of eavesdropping on, or monitoring of, transmissions. The goal of the opponent is to obtain information that is being transmitted.

Two types of passive attacks are related to message contents and traffic analysis:

  • Eavesdropping. In general, the majority of network communications occur in an unsecured or "cleartext" format, which allows an attacker who has gained access to data paths in the network to "listen in" or interpret (read) the data exchanged over the network. The ability of an eavesdropper to monitor the network is generally the biggest security problem that administrators face in an enterprise. Without strong encryption services that are based on cryptography, the data can be read by others as it traverses the network.
  • Traffic analysis. It refers to the process of intercepting and examining messages in order to deduce information from patterns in communication. It can be performed even when the messages are encrypted and cannot be decrypted. In general, the greater the number of messages observed, or even intercepted and stored, the more can be inferred from the traffic.

Active attacks:

Active attacks attempt to alter system resources or affect their operation. This type of attack is one where the adversary attempts to delete, add, or in some other way alter the transmission on the channel. An active attacker threatens data integrity and authentication as well as confidentiality.

Active attacks involve some modification of the data stream or the creation of a false stream and can be divided into six categories:

  • Masquerade. It is a type of attack where the attacker pretends to be an authorized user of a system in order to gain access to it or to gain greater privileges than they are authorized for.
  • Replay. In this kind of attack, valid data transmission is maliciously or fraudulently repeated or delayed. This is carried out either by the originator or by an adversary who intercepts the data and retransmits them, possibly as part of a masquerade attack.
  • Modification of messages. The attacker removes a message from the network traffic, alters it, and reinserts it.
  • Man in the Middle (MitM). In this kind of attacks, an intruder intercepts communications between two parties, usually an end user and a website. The attacker can use the information accessed to commit identity theft or other types of fraud.
  • Denial of Service (DoS) and Distributed Denial of Service (DDoS). Denial of service implies that an attacker disables or corrupts networks, systems, or services with the intent to deny services to intended users. DoS attacks involve either crashing the system or slowing it down to the point that it is unusable. But DoS can also be as simple as deleting or corrupting information. In most cases, performing the attack simply involves running a hack or script. The attacker does not need prior access to the target because a way to access it is all that is usually required. For these reasons, DoS attacks are the most feared.
  • Advanced Persistent Threat (APT). It is a network attack in which an unauthorized person gains access to a network and stays there undetected for a long period of time. The intention of an APT attack is to steal data rather than cause damage to the network or organization. APT attacks target organizations in sectors with high-value information, such as national defense, manufacturing and the financial industry.

From the point of view of the attacker’s location, there exist two different kinds of attackers:

  • Inside attacker or insider,
  • Outside attacker or outsider.

An Insider is, in general, a person who has access to the internal computer network, and is therefore a legitimate user, but attempts to obtain unauthorized access to the data, system resources and services or misuses any authorized data.

An Outsider is generally a person who does not have authorized access to the internal computer network and wishes to enter into that network by using any vulnerable locations or security holes.

Threats

Threat: an object, person, or other entity that represents a constant danger to an asset

Management must be informed of the different threats facing the organization

By examining each threat category, management effectively protects information through policy, education, training, and technology controls

There are four primary classes of threats to network security.

■ Unstructured threats—Unstructured threats consist of mostly inexperienced individuals using easily available hacking tools such as shell scripts and password crackers. Even unstructured threats that are only executed with the intent of testing and challenging a hacker’s skills can still do serious damage to a company. For example, if an external company website is hacked, the integrity of the company is damaged. Even if the external website is separate from the internal information that sits behind a protective firewall, the public does not know that. All the public knows is that the site is not a safe environment to conduct business.

■ Structured threats— Structured threats come from hackers who are more highly motivated and technically competent. These people know system vulnerabilities and can understand and develop exploit code and scripts. They understand, develop, and use sophisticated hacking techniques to penetrate unsuspecting businesses. These groups are often involved with the major fraud and theft cases reported to law enforcement agencies.

■ External threats—External threats can arise from individuals or organizations working outside of a company. They do not have authorized access to the computer systems or network. They work their way into a network mainly from the Internet or dialup access servers.

■ Internal threats—Internal threats occur when someone has authorized access to the network with either an account on a server or physical access to the network

As the types of threats, attacks, and exploits have evolved, various terms have been coined to describe different groups of individuals. Some of the most common terms are as follows:

■ Hacker—Hacker is a general term that has historically been used to describe a computer programming expert. More recently, this term is commonly used in a negative way to describe an individual who attempts to gain unauthorized access to network resources with malicious intent.

■ Cracker—Cracker is the term that is generally regarded as the more accurate word that is used to describe an individual who attempts to gain unauthorized access to network resources with malicious intent.

■ Phreaker—A phreaker is an individual who manipulates the phone network to cause it to perform a function that is normally not allowed. A common goal of phreaking is breaking into the phone network, usually through a payphone, to make free long-distance calls.

■ Spammer—A spammer is an individual who sends large numbers of unsolicited e-mail messages. Spammers often use viruses to take control of home computers to use these computers to send out their bulk messages.

■ Phisher—A phisher uses e-mail or other means in an attempt to trick others into providing sensitive information, such as credit card numbers or passwords. The phisher masquerades as a trusted party that would have a legitimate need for the sensitive information.

■ White hat—White hat is a term used to describe individuals who use their abilities to find vulnerabilities in systems or networks and then report these vulnerabilities to the owners of the system so that they can be fixed.

■ Black hat—Black hat is another term for individuals who use their knowledge of computer systems to break into systems or networks that they are not authorized to use