Network system security part ppt

CHAPTER 2
Types of Attacks

Network Security: A Beginner’s Guide. Copyright 2001 The McGraw-Hill Companies, Inc.

Bad things can happen to an organization’s information or computer systems in many ways. Some of these bad things are done on purpose (maliciously) and others occur by accident. No matter why the event occurs, damage is done to the organization. Because of this, we will call all of these events “attacks” regardless of whether there was malicious intent or not.

There are four primary categories of attacks:

▼ Access
■ Modification
■ Denial of service
▲ Repudiation

We will cover each of these in detail in the following sections.

Attacks may occur through technical means (a vulnerability in a computer system) or they may occur through social engineering. Social engineering is simply the use of non-technical means to gain unauthorized access—for example, making phone calls or walking into a facility and pretending to be an employee. Social engineering attacks may be the most devastating.

Attacks against information in electronic form have another interesting characteristic: information can be copied but it is normally not stolen. In other words, an attacker may gain access to information, but the original owner of that information has not lost it. It just now resides in both the original owner’s and the attacker’s hands. This is not to say that damage is not done; however, it may be much harder to detect since the original owner is not deprived of the information.

ACCESS ATTACKS

An access attack is an attempt to gain information that the attacker is unauthorized to see. This attack can occur wherever the information resides or may exist during transmission (see Figure 2-1). This type of attack is an attack against the confidentiality of the information.

Figure 2-1. Places where access attacks can occur (labels: information in transit over the Internet or phone lines; information coming off fax machines or printers; information on local hard drives; information on file servers; information stored on media and left in the office or on backups taken off-site; information on paper in the office)

Snooping

Snooping is looking through information files in the hopes of finding something interesting. If the files are on paper, an attacker may do this by opening a filing cabinet or file drawer and searching through files. If the files are on a computer system, an attacker may attempt to open one file after another until information is found.

Eavesdropping

When someone listens in on a conversation that they are not a part of, that is eavesdropping. To gain unauthorized access to information, an attacker must position himself at a location where information of interest is likely to pass by. This is most often done electronically (see Figure 2-2).

Figure 2-2. Eavesdropping

Interception

Unlike eavesdropping, interception is an active attack against the information. When an attacker intercepts information, she is inserting herself in the path of the information and capturing it before it reaches its destination. After examining the information, the attacker may allow the information to continue to its destination or not (see Figure 2-3).

Figure 2-3. Interception (labels: traffic from the desktop to the mainframe travels over the local area network; the attacker’s system sits in the path of the traffic and captures it; the attacker may choose to allow the traffic to continue or not)

How Access Attacks Are Accomplished

Access attacks take different forms depending on whether the information is stored on paper or electronically in a computer system.

Information on Paper

If the information the attacker wishes to access exists in physical form on paper, he needs to gain access to the paper. Paper records and information are likely to be found in the following locations:

▼ In filing cabinets
■ In desk file drawers
■ On desktops
■ In fax machines
■ In printers
■ In the trash
▲ In long term storage

In order to snoop around the locations, the attacker needs physical access to them. If he’s an employee, he may have access to rooms or offices that hold filing cabinets. Desk file drawers may be in cubes or in unlocked offices. Fax machines and printers tend to be in public areas and people tend to leave paper on these devices. Even if offices are locked, trash and recycling cans tend to be left in the hallways after business hours so they can be emptied. Long-term storage may pose a more difficult problem, especially if the records are stored off-site. Gaining access to the other site may not be possible if the site is owned by a vendor.

Precautions such as locks on filing cabinets may stop some snooping but a determined attacker might look for an opportunity such as a cabinet left unlocked over lunch. The locks on filing cabinets and desks are relatively simple locks and may be picked by someone with knowledge of locks.

Physical access is the key to gaining access to physical records. Good site security may prevent an outsider from accessing physical records but will likely not prevent an employee or insider from gaining access.

Electronic Information

Electronic information may be stored:

▼ In desktop machines
■ In servers
■ On portable computers
■ On floppy disks
■ On CD-ROMs
▲ On backup tapes

In some of these cases, access can be achieved by physically stealing the storage media (a floppy disk, CD-ROM, backup tape, or portable computer). It may be easier to do this than to gain electronic access to the file at the organization’s facility.

If the files in question are on a system to which the attacker has legitimate access, the files may be examined by simply opening them. If access control permissions are set properly, the unauthorized individual should be denied access (and these attempts should be logged). Correct permissions will prevent most casual snooping. However, a determined attacker will attempt to either elevate his permissions so he can see the file or to reduce the access controls on the file. There are many vulnerabilities on systems that will allow this type of behavior to succeed.

Information in transit can be accessed by eavesdropping on the transmission. On local area networks, an attacker does this by installing a sniffer on a computer system connected to the network. A sniffer is a computer that is configured to capture all the traffic on the network (not just traffic that is addressed to that computer). A sniffer can be installed after an attacker has increased her privileges on a system or if the attacker is allowed to connect her own system to the network (see Figure 2-2). Sniffers can be configured to capture any information that travels over the network. Most often they are configured to capture user IDs and passwords.

Eavesdropping can also occur on wide area networks (such as leased lines and phone connections). However, this type of eavesdropping requires more knowledge and equipment. In this case, the most likely location for the “tap” would be in the wiring closet of the facility. Even fiber-optic transmission lines can be tapped. Tapping a fiber-optic line requires even more specialized equipment and is not normally performed by run-of-the-mill attackers.

Information access using interception is another difficult option for an attacker. To be successful, the attacker must insert his system in the communication path between the sender and the receiver of the information. On the Internet, this could be done by causing a name resolution change (this would cause a computer name to resolve to an incorrect address—see Figure 2-4). The traffic is then sent on to the attacker’s system instead of to the real destination. If the attacker configures his system correctly, the sender or originator of the traffic may never know that he was not talking to the real destination.

Figure 2-4. Interception using incorrect name resolution information

Interception can also be accomplished by an attacker taking over or capturing a session already in progress. This type of attack is best performed against interactive traffic such as telnet. In this case, the attacker must be on the same network segment as either the client or the server. The attacker allows the legitimate user to begin the session with the server and then uses specialized software to take over the session already in progress. This type of attack gives the attacker the same privileges on the server as the victim.

MODIFICATION ATTACKS

A modification attack is an attempt to modify information that an attacker is not authorized to modify. This attack can occur wherever the information resides. It may also be attempted against information in transit. This type of attack is an attack against the integrity of the information.

Changes

One type of modification attack is to change existing information, such as an attacker changing an existing employee’s salary. The information already existed in the organization but it is now incorrect. Change attacks can be targeted at sensitive information or public information.
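For the interception passage, where a name resolution change makes a computer name resolve to an incorrect address, one defensive check is to compare what each important name currently resolves to against the address ranges it is expected to use. This is an added example, not from the book; the host names, the baseline ranges and the stand-in answers are constructed.

```python
import ipaddress
import socket


def system_resolver(name):
    """Addresses the local resolver currently returns for a name."""
    return {info[4][0] for info in socket.getaddrinfo(name, None)}


def unexpected_answers(baseline, resolver=system_resolver):
    """Compare live answers with a baseline of {name: [allowed networks]}.

    Returns a list of (name, [addresses outside the allowed networks]).
    A name that fails to resolve is reported as well.
    """
    findings = []
    for name, allowed in baseline.items():
        networks = [ipaddress.ip_network(n) for n in allowed]
        try:
            answers = resolver(name)
        except (OSError, KeyError):
            findings.append((name, ["<no answer>"]))
            continue
        outside = sorted(
            addr for addr in answers
            if not any(ipaddress.ip_address(addr) in net for net in networks)
        )
        if outside:
            findings.append((name, outside))
    return findings


# Constructed baseline: where each name is expected to resolve.
BASELINE = {
    "mainframe.example.com": ["192.0.2.0/24"],
    "files.example.com": ["198.51.100.10/32"],
}

# Constructed answers standing in for a live resolver; the second address
# for the mainframe models a changed name resolution entry.
SAMPLE_ANSWERS = {
    "mainframe.example.com": {"192.0.2.15", "203.0.113.66"},
    "files.example.com": {"198.51.100.10"},
}


def demo():
    return unexpected_answers(BASELINE, resolver=SAMPLE_ANSWERS.__getitem__)
```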

Date posted: 02/07/2014, 18:20
