Export (0) Print
Expand All

Security Threats

Archived content. No warranty is made as to technical accuracy. Content may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.

Microsoft Solutions Framework

Best Practices for Enterprise Security

Note: This white paper is one of a series. Best Practices for Enterprise Security ( http://www.microsoft.com/technet/archive/security/bestprac/bpent/bpentsec.mspx ) contains a complete list of all the articles in this series. See also the Security Entities Building Block Architecture ( http://www.microsoft.com/technet/archive/security/bestprac/bpent/sec2/secentbb.mspx ).

The Focus of This Paper

The purpose of this white paper is to help administrators, computer security officials, and others to understand the importance of computer security and the responsibilities it involves. The document provides a discussion of general security threats and how to plan and implement security policies and controls for often-performed computer security activities.

On This Page

Security Overview
Security Threats
Appendix A: Security Threats
Appendix B: Motives, Goals, and Objectives of Malicious Attackers
Appendix C: Methods, Tools, and Techniques for Attacks
Appendix D: Security Vulnerabilities
References
Acknowledgements

Security Overview

Background

Any organization that has a computer system and sensitive information wants to protect that information.

This section of this paper focuses on the background of security. It also looks at the importance of planning for possible threats and defining policies to limit the vulnerabilities that exist in a system and its security policies.

The greatest threat to computer systems and their information comes from humans, through actions that are either malicious or ignorant. When the action is malicious, some motivation or goal is generally behind the attack. For instance, the goal could be to disrupt normal business operations, thereby denying data availability and production. This could happen between two rival companies or even as a hoax. Here is a real life example:

April 13, 2000, 3:55 P.M. Pacific time: The Web site for the Motion Pictures Association of America (MPAA) is suffering intermittent outages, and the organization suspects computer vandals are to blame. A source inside the organization, who asked not to be identified, said that the MPAA is currently "experiencing problems with their public Web site, and they suspect a denial-of-service attack." The attack was first rumored on http://www.hackernews.com/ , a Web site for news on computer hacking.

To achieve their goals, attackers use well-known techniques and methods to exploit vulnerabilities in security policies and systems. The next section on security deals with the general threats associated with computer systems and discusses the motives or goals the attackers have, techniques and methods for gaining access, and the various vulnerabilities that could exist in systems and security policies.

Not all threats, goals, vulnerabilities, and methods are discussed because they are so numerous and they differ for each situation, organization, and system. Instead of identifying each, the section on threats presents a guideline outlining how to identify various threats, methods, and vulnerabilities that exist in systems.

Defining Security

Computer security means to protect information. It deals with the prevention and detection of unauthorized actions by users of a computer. Lately it has been extended to include privacy, confidentiality, and integrity. For example:

  • Chinese Foreign Ministry spokesman Zhu Bangzao rejected allegations that China stole U.S. nuclear secrets, saying such claims are meant to undermine China-U.S. relations. Meanwhile, a CIA-led task force was assessing how much damage may have been done to U.S. national security after a Chinese scientist at the Los Alamos National Laboratory in New Mexico allegedly shared nuclear secrets.1http://cnn.com/US/9903/09/china.spy.02/

  • Two parties agree and seal their transaction using digital signatures. The signature cannot be ruled invalid by state legislature or other law-making bodies because it uniquely identifies the individuals involved.2

  • You visit a Web site and the site collects more personal information than you are willing to divulge or the site distributes data to outside parties. By doing this, it compromises your privacy and opens your world to other parties.3

This definition implies that you have to know the information and the value of that information in order to develop protective measures. You also need to know to which individuals need unique identities and how much information may be divulged to the outside world. A rough classification of protective measures in computer security is as follows:

  • Prevention—Take measures that prevent your information from being damaged, altered, or stolen. Preventive measures can range from locking the server room door to setting up high-level security policies.

  • Detection—Take measures that allow you to detect when information has been damaged, altered, or stolen, how it has been damaged, altered, or stolen, and who has caused the damage. Various tools are available to help detect intrusions, damage or alterations, and viruses.

  • Reaction—Take measures that allow recovery of information, even if information is lost or damaged.

The above measures are all very well, but if you do not understand how information may be compromised, you cannot take measures to protect it. You must examine the components on how information can be compromised:

  • Confidentiality. The prevention of unauthorized disclosure of information. This can be the result of poor security measures or information leaks by personnel. An example of poor security measures would be to allow anonymous access to sensitive information.

  • Integrity. The prevention of erroneous modification of information. Authorized users are probably the biggest cause of errors and omissions and the alteration of data. Storing incorrect data within the system can be as bad as losing data. Malicious attackers also can modify, delete, or corrupt information that is vital to the correct operation of business functions.

  • Availability. The prevention of unauthorized withholding of information or resources. This does not apply just to personnel withholding information. Information should be as freely available as possible to authorized users.

  • Authentication. The process of verifying that users are who they claim to be when logging onto a system. Generally, the use of user names and passwords accomplishes this. More sophisticated is the use of smart cards and retina scanning. The process of authentication does not grant the user access rights to resources—this is achieved through the authorization process.

  • Authorization. The process of allowing only authorized users access to sensitive information. An authorization process uses the appropriate security authority to determine whether a user should have access to resources.

History of Security

Computers and networks originally were built to ease the exchange of information. Early information technology (IT) infrastructures were built around central computers or mainframe solutions while others were developed around the personal computer. What some thought impossible became reality and today businesses are being driven by the power of the personal computer that users access with just a user name and password.

But as the information revolution opened new avenues for IT, it also opened new possibilities for crime. Attackers used these opportunities to steal passwords and gain access to information or to create disastrous effects on networks and computers. For example:

Activist group RTMark attempted to justify its attack on eToys' Web site by citing the eToys versus etoy case as the victory of corporate greed over art and freedom of expression. Declaring a war of revenge against eToys, RTMark sought to rally the public to use a denial-of-service tool called FloodNet to saturate the eToys.com site with network ping floods. RTMark also engaged the help of the Electronic Disturbance Theater—a hacker group claiming to attack sites only on behalf of social causes—to help cripple eToys or deface its Web pages. "We're going to make an example of them," claimed Ray Thomas, a San Francisco-based accountant and RTMark's spokesman, describing how the group wants to "destroy" eToys.4http://www.nwfusion.com/news/1999/1220etoys.html

What will information security be like in the 21st century? The nature of computing has changed over the last few years. Networks are designed and built to facilitate the sharing and distribution of data and information. Controlling access to these resources can become a problem because you need to balance the requirement for access to free information with the value of the content of that information.

Some information is more sensitive in nature than other information; this leads to the need for security requirements. Today, IT security has progressed to more than just user names and passwords. It involves digital identities, biometric authentication methods, and modular security strategies.

The easiest one to relate to is the use of smart cards. These are tamper-proof devices that store security information. They are similar to a credit card with a built-in microprocessor and memory used for identification or financial transactions. When the user inserts it into a reader, it transfers data to and from a central computer. It is more secure than a magnetic stripe card and can be programmed to self-destruct if the wrong password is entered too many times. As a financial transaction card, it can be loaded with digital money and used like a travelers check, except that variable amounts of money can be spent until the balance is zero.

The Need for Security

Administrators normally find that putting together a security policy that restricts both users and attacks is time consuming and costly. Users also become disgruntled at the heavy security policies making their work difficult for no discernable reason, causing bad politics within the company. Planning an audit policy on huge networks takes up both server resources and time, and often administrators take no note of the audited events. A common attitude among users is that if no secret work is being performed, why bother implementing security.

There is a price to pay when a half-hearted security plan is put into action. It can result in unexpected disaster. A password policy that allows users to use blank or weak passwords is a hacker's paradise. No firewall or proxy protection between the organization's private local area network (LAN) and the public Internet makes the company a target for cyber crime.

Organizations will need to determine the price they are willing to pay in order to protect data and other assets. This cost must be weighed against the costs of losing information and hardware and disrupting services. The idea is to find the correct balance. If the data needs minimal protection and the loss of that data is not going to cost the company, then the cost of protecting that data will be less. If the data is sensitive and needs maximum protection, then the opposite is normally true.

Security Threats

Introduction

The first part of this section outlines security threats and briefly describes the methods, tools, and techniques that intruders use to exploit vulnerabilities in systems to achieve their goals. The section discusses a theoretical model and provides some real life scenarios. The appendixes give detailed analyses of the various aspects and components that are discussed in this section.

Security Threats, Attacks, and Vulnerabilities

Information is the key asset in most organizations. Companies gain a competitive advantage by knowing how to use that information. The threat comes from others who would like to acquire the information or limit business opportunities by interfering with normal business processes.

The object of security is to protect valuable or sensitive organizational information while making it readily available. Attackers trying to harm a system or disrupt normal business operations exploit vulnerabilities by using various techniques, methods, and tools. System administrators need to understand the various aspects of security to develop measures and policies to protect assets and limit their vulnerabilities.

Attackers generally have motives or goals—for example, to disrupt normal business operations or steal information. To achieve these motives or goals, they use various methods, tools, and techniques to exploit vulnerabilities in a computer system or security policy and controls.

Goal + Method + Vulnerabilities = Attack. These aspects will be discussed in more detail later in this section.

Security Threats

Figure 1 introduces a layout that can be used to break up security threats into different areas.

Cc723507.secthr01(en-us,TechNet.10).gif

Figure 1:

Natural Disasters

Nobody can stop nature from taking its course. Earthquakes, hurricanes, floods, lightning, and fire can cause severe damage to computer systems. Information can be lost, downtime or loss of productivity can occur, and damage to hardware can disrupt other essential services. Few safeguards can be implemented against natural disasters. The best approach is to have disaster recovery plans and contingency plans in place. Other threats such as riots, wars, and terrorist attacks could be included here. Although they are human-caused threats, they are classified as disastrous.

Human Threats

Malicious threats consist of inside attacks by disgruntled or malicious employees and outside attacks by non-employees just looking to harm and disrupt an organization.

The most dangerous attackers are usually insiders (or former insiders), because they know many of the codes and security measures that are already in place. Insiders are likely to have specific goals and objectives, and have legitimate access to the system. Employees are the people most familiar with the organization's computers and applications, and they are most likely to know what actions might cause the most damage. Insiders can plant viruses, Trojan horses, or worms, and they can browse through the file system.

The insider attack can affect all components of computer security. By browsing through a system, confidential information could be revealed. Trojan horses are a threat to both the integrity and confidentiality of information in the system. Insider attacks can affect availability by overloading the system's processing or storage capacity, or by causing the system to crash.

People often refer to these individuals as "crackers" or "hackers." The definition of "hacker" has changed over the years. A hacker was once thought of as any individual who enjoyed getting the most out of the system he or she was using. A hacker would use a system extensively and study it until he or she became proficient in all its nuances. This individual was respected as a source of information for local computer users, someone referred to as a "guru" or "wizard."

Now, however, the term hacker refers to people who either break in to systems for which they have no authorization or intentionally overstep their bounds on systems for which they do not have legitimate access.

The correct term to use for someone who breaks in to systems is a "cracker." Common methods for gaining access to a system include password cracking, exploiting known security weaknesses, network spoofing, and social engineering.

Malicious attackers normally will have a specific goal, objective, or motive for an attack on a system. These goals could be to disrupt services and the continuity of business operations by using denial-of-service (DoS) attack tools. They might also want to steal information or even steal hardware such as laptop computers. Hackers can sell information that can be useful to competitors.

In 1996, a laptop computer was stolen from an employee of Visa International that contained 314,000 credit card accounts. The total cost to Visa for just canceling the numbers and replacing the cards was $6 million.5

Attackers are not the only ones who can harm an organization. The primary threat to data integrity comes from authorized users who are not aware of the actions they are performing. Errors and omissions can cause valuable data to be lost, damaged, or altered. Non-malicious threats usually come from employees who are untrained in computers and are unaware of security threats and vulnerabilities. Users who open up Microsoft Word documents using Notepad, edit the documents, and then save them could cause serious damage to the information stored on the document.

Users, data entry clerks, system operators, and programmers frequently make unintentional errors that contribute to security problems, directly and indirectly. Sometimes the error is the threat, such as a data entry error or a programming error that crashes a system. In other cases, errors create vulnerabilities. Errors can occur in all phases of the system life cycle.

Figure 2 gives a theoretical model that can be used to determine the various threats, goals, methods, and vulnerabilities used in an attack.

Cc723507.secthr02(en-us,TechNet.10).gif

Figure 2:

The following table gives some examples of the various aspects discussed above.

Threats

Motives/Goals

Methods

Security Policies

• Employees
• Malicious
• Ignorant
• Non-employees
• Outside attackers
• Natural disasters
• Floods
• Earthquakes
• Hurricanes
• Riots and wars

• Deny services
• Steal information
• Alter information
• Damage information
• Delete information
• Make a joke
• Show off

• Social engineering
• Viruses, Trojan horses, worms
• Packet replay
• Packet modification
• IP spoofing
• Mail bombing
• Various hacking tools
• Password cracking

• Vulnerabilities
• Assets
• Information and data
• Productivity
• Hardware
• Personnel

Note that ignorant employees usually have no motives and goals for causing damage. The damage is accidental. Also, malicious attackers can deceive ignorant employees by using "social engineering" to gain entry. The attacker could masquerade as an administrator and ask for passwords and user names. Employees who are not well trained and are not security aware can fall for this.

For more information on security threats, see Appendix A.

Motives, Goals, and Objectives of Malicious Attackers

There is a strong overlap between physical security and data privacy and integrity. Indeed, the goal of some attacks is not the physical destruction of the computer system but the penetration and removal or copying of sensitive information. Attackers want to achieve these goals either for personal satisfaction or for a reward.

Here are some methods that attackers use:

  • Deleting and altering information. Malicious attackers who delete or alter information normally do this to prove a point or take revenge for something that has happened to them. Inside attackers normally do this to spite the organization because they are disgruntled about something. Outside attackers might want to do this to prove that they can get in to the system or for the fun of it.

    April 27, 2000: Cheng Tsz-chung, 22, was put behind bars last night after changing the password on another user's account and then demanding $500 (Hong Kong currency) to change it back. The victim paid the money and then contacted police. Cheng has pleaded guilty to one charge of unauthorized access of a computer and two counts of theft. The magistrate remanded Cheng in custody and said his sentence, which will be handed down on May 10 pending reports, must have a deterrent effect. Cheng's lawyer told Magistrate Ian Candy that his client committed the offenses "just for fun."

  • Committing information theft and fraud. Information technology is increasingly used to commit fraud and theft. Computer systems are exploited in numerous ways, both by automating traditional methods of fraud and by using new methods. Financial systems are not the only ones subject to fraud. Other targets are systems that control access to any resources, such as time and attendance systems, inventory systems, school grading systems, or long-distance telephone systems.

  • Disrupting normal business operations. Attackers may want to disrupt normal business operations. In any circumstance like this, the attacker has a specific goal to achieve. Attackers use various methods for denial-of-service attacks; the section on methods, tools, and techniques will discuss these.

Methods, Tools, and Techniques for Attacks

Attacks = motive + method + vulnerability.

The method in this formula exploits the organization's vulnerability in order to launch an attack as shown in Figure 2. Malicious attackers can gain access or deny services in numerous ways. Here are some of them:

  • Viruses. Attackers can develop harmful code known as viruses. Using hacking techniques, they can break into systems and plant viruses. Viruses in general are a threat to any environment. They come in different forms and although not always malicious, they always take up time. Viruses can also be spread via e-mail and disks.

  • Trojan horses. These are malicious programs or software code hidden inside what looks like a normal program. When a user runs the normal program, the hidden code runs as well. It can then start deleting files and causing other damage to the computer. Trojan horses are normally spread by e-mail attachments. The Melissa virus that caused denial-of-service attacks throughout the world in 1999 was a type of Trojan horse.

  • Worms. These are programs that run independently and travel from computer to computer across network connections. Worms may have portions of themselves running on many different computers. Worms do not change other programs, although they may carry other code that does.

  • Password cracking. This is a technique attackers use to surreptitiously gain system access through another user's account. This is possible because users often select weak passwords. The two major problems with passwords is when they are easy to guess based on knowledge of the user (for example, wife's maiden name) and when they are susceptible to dictionary attacks (that is, using a dictionary as the source of guesses).

  • Denial-of-service attacks. This attack exploits the need to have a service available. It is a growing trend on the Internet because Web sites in general are open doors ready for abuse. People can easily flood the Web server with communication in order to keep it busy. Therefore, companies connected to the Internet should prepare for (DoS) attacks. They also are difficult to trace and allow other types of attacks to be subdued.

  • E-mail hacking. Electronic mail is one of the most popular features of the Internet. With access to Internet e-mail, someone can potentially correspond with any one of millions of people worldwide. Some of the threats associated with e-mail are:

  • Impersonation. The sender address on Internet e-mail cannot be trusted because the sender can create a false return address. Someone could have modified the header in transit, or the sender could have connected directly to the Simple Mail Transfer Protocol (SMTP) port on the target computer to enter the e-mail.

  • Eavesdropping. E-mail headers and contents are transmitted in the clear text if no encryption is used. As a result, the contents of a message can be read or altered in transit. The header can be modified to hide or change the sender, or to redirect the message.

  • Packet replay. This refers to the recording and retransmission of message packets in the network. Packet replay is a significant threat for programs that require authentication sequences, because an intruder could replay legitimate authentication sequence messages to gain access to a system. Packet replay is frequently undetectable, but can be prevented by using packet time stamping and packet sequence counting.

  • Packet modification. This involves one system intercepting and modifying a packet destined for another system. Packet information may not only be modified, it could also be destroyed.

  • Eavesdropping. This allows a cracker (hacker) to make a complete copy of network activity. As a result, a cracker can obtain sensitive information such as passwords, data, and procedures for performing functions. It is possible for a cracker to eavesdrop by wiretapping, using radio, or using auxiliary ports on terminals. It is also possible to eavesdrop using software that monitors packets sent over the network. In most cases, it is difficult to detect eavesdropping.

  • Social engineering. This is a common form of cracking. It can be used by outsiders and by people within an organization. Social engineering is a hacker term for tricking people into revealing their password or some form of security information.

  • Intrusion attacks. In these attacks, a hacker uses various hacking tools to gain access to systems. These can range from password-cracking tools to protocol hacking and manipulation tools. Intrusion detection tools often can help to detect changes and variants that take place within systems and networks.

  • Network spoofing. In network spoofing, a system presents itself to the network as though it were a different system (computer A impersonates computer B by sending B's address instead of its own). The reason for doing this is that systems tend to operate within a group of other trusted systems. Trust is imparted in a one-to-one fashion; computer A trusts computer B (this does not imply that system B trusts system A). Implied with this trust is that the system administrator of the trusted system is performing the job properly and maintaining an appropriate level of security for the system. Network spoofing occurs in the following manner: if computer A trusts computer B and computer C spoofs (impersonates) computer B, then computer C can gain otherwise-denied access to computer A.

Appendix C contains detailed descriptions of some of the methods listed above.

Security Vulnerabilities

As explained previously, a malicious attacker uses a method to exploit vulnerabilities in order to achieve a goal. Vulnerabilities are weak points or loopholes in security that an attacker exploits in order to gain access to the network or to resources on the network (see Figure 2). Remember that the vulnerability is not the attack, but rather the weak point that is exploited. Some weak points are:

  • Passwords. Password selection will be a contentious point as long as users have to select one. The problem usually is remembering the correct password from among the multitude of passwords a user needs to remember. Users end up selecting commonly used passwords because they are easy to remember. Anything from birthdays to the names of loved ones. This is a vulnerability because it gives others a good chance to guess the correct password.

    Protocol design. Communication protocols sometimes have weak points. Attackers use these to gain information and eventually gain access to systems. Some known issues are:

    • TCP/IP. The TCP/IP protocol stack has some weak points that allow:

    • IP address spoofing

    • TCP connection request (SYN) attacks

  • Telnet protocol. Telnet can be used to administer systems running Microsoft Windows 2000 and Unix. When using the telnet client to connect from a Microsoft system to UNIX system and vice versa, user names and passwords are transmitted in clear text.

  • File Transfer Protocol (FTP). As with Telnet, if the FTP service is running and users need to send or retrieve information from a secure location then user names and passwords are transmitted in clear text.

    Commands revealing user information. It is not uncommon to find interoperability between Microsoft products and various versions of UNIX. Commands that reveal user and system information pose a threat because crackers can use that information to break into a system. Here are some ways:

    • Finger. The finger client utility on Microsoft Windows NT and Windows 2000 can be used to connect to a finger daemon service running on a UNIX-based computer to display information about users. When the finger program is run with no arguments, information for every user currently logged on to the system is displayed.

    • Rexec. The rexec utility is provided as a client on Microsoft Windows NT and Windows 2000. The rexec client utility allows remote execution on UNIX-based systems running the rexecd service. A client transmits a message specifying the user name, the password, and the name of a command to execute. The rexecd program is susceptible to abuse because it can be used to probe a system for the names of valid accounts. In addition, passwords are transmitted unencrypted over the network.

  • Asynchronous transfer mode (ATM). Security can be compromised by what is referred to as "manhole manipulation"—direct access to network cables and connections in underground parking garages and elevator shafts.

  • Frame relay. Similar to the ATM problem.

  • Device administration. Switches and routers are easily managed by an HTTP interface or through a command line interface. Coupled to the use of weak passwords (for example, public passwords), it allows anybody with some technical knowledge to take control of the device.

  • Modems. Modems have become standard features on many desktop computers. Any unauthorized modem is a serious security concern. People use them not just to connect to the Internet, but also to connect to their office so they can work from home. The problem is that a modem is a means of bypassing the "firewall" that protects a network from outside intruders. A hacker using a "war dialer" tool to identify the modem telephone number and a "password cracker" tool to break a weak password can gain access to the system. Due to the nature of computer networking, once a hacker connects to that one computer, the hacker can often connect to any other computer in the network.

Appendix D explains more about vulnerabilities.

To help explain Figure 2 and the theory behind attacks, here are some real life examples.

  • Example 1: non-malicious threat (ignorant employees).

    An employee known here as John Doe copies games and other executables from a 1.44 MB disk onto his local hard drive and then runs the executables. Unfortunately, the games contained various viruses and Trojan horses. The organization had not yet deployed any anti-virus software. After a short time, John Doe and other employees began to notice strange and unforeseen events occurring on their computers, causing disruption of services and possible corruption of data. The following figure explains the various vulnerabilities that existed and the loss in assets that are involved.

    Figure 3:

    Figure 3:
  • Example 2: malicious threat (malicious attackers)

    An employee known here as Sally was turned down for promotion three times. Sally believes that she has put in a considerable amount of work and overtime and is being turned down for promotion because she is too young. Sally has a degree in computer science and decides to resign from the company and take revenge on it by causing the company's Web server to stop servicing requests. Sally uses a denial-of-service attack tool called Trin00 to start an attack on the company's Web server.

    Most of the company's business is conducted via e-commerce and clients are complaining that they cannot connect to the Web server. The following diagram outlines the various tools and vulnerabilities Sally used to achieve her goal.

    Cc723507.secthr04(en-us,TechNet.10).gif

    Figure 4:

    Remember that this is just an example. Many possibilities, tools, and vulnerabilities can exist and will differ in the way to counter the attack.

  • Example 3: natural disasters

    An organization has various modems and Integrated Services Digital Network (ISDN) router installations and does not have surge protection. During a thunderstorm, lightning strikes the telephone and ISDN lines. All modems and ISDN routers are destroyed, taking with them a couple of motherboards. The following diagram shows the vulnerability and the loss of assets.

    Cc723507.secthr05(en-us,TechNet.10).gif

    Figure 5:

Conclusion

Malicious attackers will use various methods, tools, and techniques to exploit vulnerabilities in security policies and controls to achieve a goal or objective. Non-malicious attacks occur due to poor security policies and controls that allow vulnerabilities and errors to take place. Natural disasters can occur at any time, so organizations should implement measures to try to prevent the damage they can cause.

Appendix A: Security Threats

Threats can originate from two primary sources: humans and nature. Human threats subsequently can be broken into two categories: malicious and non-malicious. The non-malicious "attacks" usually come from users and employees who are not trained on computers or are not aware of various computer security threats. Malicious attacks usually come from non-employees or disgruntled employees who have a specific goal or objective to achieve.

Natural Disasters

Nobody can stop nature from taking its course. Earthquakes, hurricanes, floods, lightning, and fire can cause severe damage to computer systems. Information can be lost, downtime or loss of productivity can occur, and damage to hardware and other essential services can be disrupted.

Few safeguards can be implemented against natural disasters. The best course of action is to have disaster-recovery and contingency plans in place. These will help an organization restore itself to normal business operations.

Riots, wars, and terrorist attacks, although the result of human activity, fall into this category because they are seen as disasters and are difficult to protect against with computer security policies and controls.

Insiders or Malicious and Disgruntled Employees

Insiders are likely to have specific goals and objectives, and have legitimate access to the system. Employees are the group most familiar with their employer's computers and applications, including knowing what actions might cause the most damage. Insiders can plant viruses, Trojan horses, or worms, or browse through the file system. This type of attack can be extremely difficult to detect or protect against.

The insider attack can affect all components of computer security. By browsing through a system, an insider can learn confidential information. Trojan horses are a threat to both the integrity and confidentiality of information in the system. Insiders can affect availability by overloading the system's processing or storage capacity, or by causing the system to crash.

These attacks are possible for a variety of reasons. On many systems, the access control settings for security-relevant objects do not reflect the organization's security policy. This allows the insider to browse through sensitive data or plant a virus or Trojan horse. Often these actions are undetected because audit trails are inadequate or ignored.

Disgruntled employees can create both mischief and sabotage on a computer system. Organizational downsizing in both public and private sectors has created a group of individuals with organizational knowledge who may retain potential system access. System managers can limit this threat by invalidating passwords and deleting system accounts in a timely manner. However, disgruntled current employees actually cause more damage than former employees. Common examples of computer-related employee sabotage include:

  • Changing data

  • Deleting data

  • Destroying data or programs with logic bombs

  • Crashing systems

  • Holding data hostage

  • Destroying hardware or facilities

  • Entering data incorrectly

Outside Attackers or 'Crackers'

People often refer to "crackers" as "hackers." The definition of "hacker" has changed over the years. A hacker was once thought of as any individual who enjoyed getting the most out of the system he or she was using. A hacker would use a system extensively and study the system until he or she became proficient in all its nuances. This individual was respected as a source of information for local computer users, someone referred to as a "guru" or "wizard."

Now, however, the term hacker refers to people who either break in to systems for which they have no authorization or intentionally overstep their bounds on systems for which they do not have legitimate access.

The correct term for someone who breaks in to systems is a "cracker." Common methods for gaining access to a system include password cracking, exploiting known security weaknesses, network spoofing, and social engineering. Appendix C contains a detailed description of these methods.

Non-Malicious Employees

Attackers are not the only ones who can harm an organization. The primary threat to data integrity comes from authorized users who are not aware of the actions they are performing. Errors and omissions can lose, damage, or alter valuable data.

Users, data entry clerks, system operators, and programmers frequently make unintentional errors that contribute to security problems, directly and indirectly. Sometimes the error is the threat, such as a data entry error or a programming error that crashes a system. In other cases, errors create vulnerabilities. Errors can occur in all phases of the system life cycle.

Programming and development errors, often called "bugs," range in severity from irritating to catastrophic. Improved software quality has reduced but not eliminated this threat. Installation and maintenance errors also cause security problems.

Errors and omissions are important threats to data integrity. Errors are caused not only by data entry clerks processing hundreds of transactions per day, but also by all users who create and edit data. Many programs, especially those designed by users for personal computers, lack quality-control measures. However, even the most sophisticated programs cannot detect all types of input errors or omissions.

People often assume that the information they receive from a computer system is more accurate than it really is. Many organizations address errors and omissions in their computer security, software quality, and data quality programs.

Appendix B: Motives, Goals, and Objectives of Malicious Attackers

There is a strong overlap between physical security and data privacy and integrity. Indeed, the goal of some attacks is not the physical destruction of the computer system but the penetration and removal or copying of sensitive information. Attackers want to achieve these goals for either personal satisfaction or for a reward.

Deleting and Altering Information

Malicious attackers who delete or alter information normally do this to prove a point or take revenge for something that has happened to them. Insider attackers normally act out of spite for the organization because they are disgruntled about something. Outsiders might attack just to prove that they can or for the fun of it.

Committing Information Theft and Fraud

Information technology is increasingly used to commit fraud and theft. Computer systems are exploited in numerous ways, both by automating traditional methods of fraud and by using new methods. Financial systems are not the only ones subject to fraud. Other targets are systems that control access to any resources, such as time and attendance systems, inventory systems, school grading systems, or long-distance telephone systems.

Insiders or outsiders can commit fraud. Insiders who are authorized users of a system perpetrate the majority of fraud uncovered on computer systems. Since insiders have both access to and familiarity with the victim computer system, including what resources it controls and where the flaws are, authorized system users are in a better position to commit crimes. An organization's former employees may also pose threats, particularly if their access is not terminated promptly.

Because many computers are relatively small and valuable, they are easy to steal and sell. An organization should attempt to protect its investment in equipment with physical measures such as locks and bolts. If the computer is stolen, the information it contains will be at the disposal of the perpetrator. The thief may erase it or may be able to read it. The thief could sell sensitive information, use it for blackmail, or use it to compromise other computer systems. You can never make something impossible to steal, but you can make stolen information virtually useless by making sure the information is encrypted and the thief does not have the key.

Data can be stolen from a computer or even manipulated without the owner's knowledge. A Zip drive can be connected to a computer's parallel port and several megabytes of data can be copied.

Disrupting Normal Business Operations

Attackers may want to disrupt normal business operations. This could be done out of spite, as with a disgruntled employee who does not want to work because he or she has been turned down for promotion. Outside attackers might want to disrupt services to gain a competitive edge in world that thrives on competition. Maybe the perpetrators attack just for the fun of it. In any situation like this, the attacker has a specific goal to achieve. Accomplishing it is satisfying and rewarding. Attackers use various methods for performing denial-of-service attacks; the section on methods, tools, and techniques discusses these.

Appendix C: Methods, Tools, and Techniques for Attacks

Malicious attackers use various method, tools, and techniques to enter, disrupt, and steal information from a system.

E-mail Hacking

The most common mail transfer protocols (SMTP, POP3, IMAP4) do not typically include provisions for reliable authentication as part of the core protocol, allowing e-mail messages to be easily forged. Nor do these protocols require the use of encryption that could ensure the privacy or confidentiality of e-mail messages. Although extensions to these basic protocols do exist, the decision whether to use them needs to be established as part of the mail server administration policy. Some of the extensions use a previously established means of authentication while others allow the client and server to negotiate a type of authentication that both ends support.

Social Engineering

This is a common form of cracking. It can be used both by outsiders and by people within an organization. Social engineering is a hacker term for tricking people into revealing their password or some form of security information.

Users should be made aware of various security issues, even those that are not common. A common example of social engineering would be where a hacker sends e-mail to an employee, claiming to be an administrator who needs the employee's password to do some administrative work. The normal user who has not been taught about security might not know the difference between the actual administrator and the imposter administrator, especially in a large organization. Other variations of this type of social engineering would be where someone claiming to be the administrator phones a user and asks for the user's password and logon credentials. The user unwittingly gives out the logon and password and the imposter now has full access.

"Shoulder surfing" is also common among hackers and users who wish to learn someone's password. In this case, they hang around a user's desk, talking and waiting for the user to type in a password. Company employees with malicious intent could also do this. Users should be informed not to type in their passwords in front of others or, if they have and suspect that someone else now has their password, that they should change the password immediately.

Another form of social engineering is guessing a user's password. When people can learn things about certain users' personal and social lives, they can use this against them. For example, users might choose a daughter or son's name or birth date or a friend's name as a password. Users also often use passwords that they can read on their desks or on posters in the work area. This gives the hacker a chance at guessing the password.

Intrusion Attacks

Attackers using well-known techniques can penetrate many networks. This often happens when attackers use known vulnerabilities in the network. In updateable systems, administrators may not have or take the time to install all the necessary patches in a large number of hosts. In addition, it is usually not possible to perfectly map an organization's policy on computer use to its access-control mechanisms and thus authorized users often can perform unauthorized actions.

Users may also demand network services and protocols that are known to be flawed and subject to attack. For example, a user might ask, "Why can't I just FTP the files down?" It is very important that security policies deal not only with end-user demands but also with the threats and vulnerabilities associated with those demands. Realistically, however, it is seldom possible to remove all vulnerabilities.

Intrusion detection is the process of detecting unauthorized use of, or an attack upon, a computer or network. Intrusion detection provides two important functions in protecting information system assets.

The first function is that of a feedback mechanism that informs the security staff about the effectiveness of other components of the security system. The lack of detected intrusions is an indication that there are no known intrusions, not that the system is completely impenetrable.

The second function is to provide a trigger or gating mechanism that determines when to activate planned responses to an incident. A computer or network without an intrusion detection system (IDS) may allow attackers to leisurely explore its weaknesses. If vulnerabilities exist in networks, a determined attacker will eventually find them and exploit them. The same network with an IDS installed is a much more formidable challenge to an attacker. Although the attacker may continue to probe the network for weaknesses, the IDS should be able to detect these attempts if the vulnerabilities are known, block these attempts, and alert security personnel who can take appropriate action.

Denial-of-Service Attacks

Background

DoS attacks are designed to prevent legitimate use of a service. Attackers achieve this by flooding a network with more traffic than it can handle. Examples of this include:

  • Saturating network resources, thereby preventing users from using network resources.

  • Disrupting connections between two computers, preventing communications between services.

  • Preventing a particular individual from accessing a service.

  • Disrupting services to a specific system or client.

DoS attacks flood a remote network with an enormous amount of protocol packets. Routers and servers eventually become overloaded by attempting to route or handle each packet. Within minutes, network activity exponentially rises and the network stops responding to normal traffic and service requests from clients. This is also known as a network saturation attack or bandwidth consumption attack. Attackers strike with various tools, including Trin00 and Tribe Flood Network (TFN, TFN2K).

Types of Denial-of-Service Attacks

Computers use certain core resources to operate and function correctly. Failure or disruption of resources could cause the computer to crash. Some of these resources include network bandwidth, memory, CPU time, and hard drive space. The operating system and applications than run on the system play an important role in managing these resources correctly. When the operating system or the resources are overrun by malicious attacks, one or more of these core resources breaks down, causing the system to crash or stop responding. An attacker can cause resources to be overrun by various means, including consuming server resources, saturating network resources, and mail bombing.

Consuming Server Resources

The goal of a DoS attack is to prevent hosts or networks from communicating on the network. An example of this type of attack is the SYN flood attack:

When a client attempts to contact a server service, the client and server exchange a series of messages. The client starts by sending a TCP connection request or SYN message to the server. The server responds to the SYN message with an acknowledgement ACK-SYN message. The client then acknowledges the server's ACK-SYN message with an ACK message. After these three actions take place, the connection between the client and server is open and they can exchange service-specific data.

The problem arises when the server has sent the SYN-ACK message back to the client but has not yet received an ACK response from the client. This is now a half-open connection. The server keeps the pending connection in memory, waiting for a response from the client. The half-open connections in memory eventually will time out on the server, freeing up valuable resources again.

Creating these half-open connections is accomplished with IP spoofing. The attacker's system sends a SYN message to the victim's server. These messages seem to be legitimate but in fact are references to a client system that is unable to respond to the server's SYN-ACK message. This means that the server will never be able to send an ACK message to the client computer. The server now has half-open connections in memory and eventually will fill up the server connections. The server now is unable to accept any new connections. The time limit on half-open connections will expire. However, the attacker's system keeps sending IP-spoofed packets faster than the expire limit on the victim's server. In most cases the victim of such an attack will have difficulty accepting any new, legitimate incoming connections.

This type of attack does not really affect any of the current connections or outgoing connections. Normally it consumes an enormous amount of memory and processing power on the server, causing it to crash. The location of the attacking system is difficult to trace because the attacker's system address was masquerading as a legitimate IP address. Since the network forwards packets based on destination address, the only way to validate the source of a packet is to use input source filtering.

This type of attack does not depend on the attacker being able to consume network bandwidth. In this case, the intruder is consuming valuable server resources. The implication is that an intruder can execute this attack from a dial-up connection against a computer on a very fast network.

Saturating Network Resources

An intruder may also be able to consume all the available bandwidth on a network by generating a large number of packets directed to the network. Typically, these packets are Internet Control Message Protocol (ICMP) echo packets, but in principle they may be anything. Further, the intruder need not be operating from a single computer; he or she may be able to coordinate or co-opt several computers on different networks to achieve the same effect. This is known as a distributed denial-of-service attack (DDoS).

The ICMP is used to convey status and error information including notification of network congestion and other network-related problems. ICMP can be used to determine if a computer on the Internet is responding. To do this, an ICMP echo request packet is sent to a computer on the network. If the computer is operating, it will respond to the request by sending an ICMP echo reply packet. A common example of this is the PING command.

On TCP/IP networks, a packet can be sent to an individual computer or broadcast to all computers on the network. When an IP packet is sent to an IP broadcast address from a computer on the same local area network, all computers on that network receive the IP packet. When a computer outside the local area network sends an IP broadcast packet, all computers on the target network receive the broadcast packet (as long as the routers have been configured to forward these broadcast packets).

Three parties are involved in these attacks: the attacker, the intermediary, and the victim. The intermediary can also be a victim. The intermediary receives an ICMP echo request packet that is directed to the IP broadcast network address. If nothing is filtering these ICMP echo requests, all computers on the network will receive the ICMP echo request packet and respond with an ICMP echo reply packet. When all computers respond to these packets, severe network congestion or outages are possible.

When the attackers create these packets, they do not use their own IP source address. Instead, they use the source address of their intended victim. This is known as IP spoofing. The result is that when the intermediary computers respond to the ICMP echo request packet, they send the reply packet to the victim's IP address. The victim's computer is now subjected to network congestion that could cause the network to stop responding.

Attackers have developed a variety of tools for this purpose. The tools enable the hackers to send ICMP echo request packets to multiple intermediary computers, causing all of them to respond to the same victim's source IP address. These tools could also be used to scan for network routers that do not filter broadcast traffic.

DDoS attacks involve breaking in to hundreds or thousands of computers across the Internet. Then the attacker installs DDoS software on them, allowing the attacker to control all of these computers and launch coordinated attacks on victim sites. These attacks typically exhaust bandwidth, router processing capacity, or network stack resources, breaking network connectivity to the victims.

The perpetrator starts by breaking into weakly secured computers, using well-known defects in standard network service programs, and common, weak configurations in operating systems. Then they perform some additional steps on each system. First, they install software to conceal the break-in and to hide the traces of their subsequent activity. For example, they replace the standard commands for displaying running processes with versions that fail to display the attacker's processes.

Then they install a special process used to remotely control the burgled computer. This process accepts commands from over the Internet, letting the intruder launch an attack over the Internet against some designated victim site. Finally, they make a note of the IP address of the computer they've taken over.

All these steps are highly automated. A cautious intruder will begin by breaking in to just a few sites, then using them to break into some more, and repeating this cycle for several steps. By the time they are ready to mount the attacks, they have taken over thousands of computers and assembled them into a DDoS network. Once the attacker has installed the DDoS software, the attacker runs a single command that sends command packets to all the captured computers, instructing them to launch an attack (from a menu of different varieties of flooding attacks) against a specific victim. When the attacker decides to stop the attack, he or she sends another single command.

The controlled computers being used to mount the attacks send a stream of packets. For most of the attacks, these packets are directed at the victim computer. For one variant (called "smurf," after the first circulated program to perform this attack), the packets are aimed at other networks, where they provoke multiple echoes all aimed at the victim as described earlier.

The packets used in DDoS attacks use forged source addresses or spoofed IP addresses. If a packet arrives at the first router, and the source IP address doesn't match the IP network it's coming from, the router should discard the packet. This style of packet checking is called ingress or egress filtering, depending on the point of view; it is egress from the customer network, or ingress to the heart of the Internet.

The first signs of an attack may be when thousands of compromised systems all over the world begin to flood the victim's network with traffic all at once. The first symptom is likely to be a router crash, or something that looks a lot like one; traffic simply stops flowing between the victim and the Internet.

Mail Bombing

Mail bombing is an e-mail-based attack. E-mail floods the attacked system until it fails. A system will fail in different ways, depending on the type of server and how it is configured. Some Internet service providers give temporary accounts to anyone who signs up for a trial subscription, and those accounts can be used to launch e-mail attacks.

Here are typical failure modes:

  • The e-mail server accepts e-mail messages until the disk where e-mail is stored fills up. Subsequent e-mail is not accepted. If the e-mail disk is also the main system disk, it may crash the system.

  • The incoming queue is filled with messages to be forwarded until the queue reaches its limit. Subsequent messages can't be queued.

  • A particular user's server disk quota can be exceeded. This prevents subsequent mail from being received and may keep the user from getting work done. Recovery can be difficult because the user may need to use more disk space just to delete the e-mail.

Virus Attacks

History

All administrators have heard about viruses and their effects. Viruses can be very destructive, causing loss of information. Fred Cohen formally defined the term "computer virus" in 1983 when he performed academic experiments on a Digital Equipment Corporation VAX system.

Viruses are classified as being one of two types: research or "in the wild." A research virus is one that has been written for research or study purposes and has received almost no distribution to the public. Viruses that have been seen with regularity are termed "in the wild."

The first computer viruses were developed in the early 1980s. The first viruses found in the wild were Apple II viruses such as Elk Cloner, which was reported in 1981. Viruses now have been found on the following platforms: Apple II, IBM PC, Macintosh, Atari, and Amiga.

When personal computers first came onto the market, operating systems like Microsoft MS-DOS were intended for a single user who was in total control of the computer. There were no security mechanisms to separate users, to separate the user from the system, or to stop intentional modification of system or user files.

Given the ways computers were used, these mechanisms were not required. However, the spread of computers instigated a new industry that grew around them. This included the emergence of:

  • Commercial software products such as spreadsheets and word processors.

  • Computer games.

  • Shared use of computers, whether it be several employees using the same computer or large organizations connecting computers on a LAN.

Note that all viruses found in the wild target personal computers. As of today, the overwhelming numbers of virus strains are IBM PC viruses.

Viruses have evolved over the years due to efforts by their authors to make the code more difficult to detect, disassemble, and eradicate. This evolution has been especially apparent in the IBM PC viruses. An examination of the IBM PC family of viruses indicates that the most commonly detected viruses vary according to continent, but that "Stoned," "Brain," "Cascade," and members of the "Jerusalem" family have spread widely and continue to appear. This implies that highly survivable viruses tend to be benign, replicate many times before activation, or are somewhat innovative, utilizing some technique never used before in a virus.

Personal computer viruses exploit the lack of effective access controls in these systems. The viruses modify files and even the operating system itself. These are legal actions within the context of the operating system. While more stringent controls are in place on multitasking, multiuser operating systems, configuration errors and security holes (security bugs) make viruses on these systems more than theoretically possible.

With the advent of the personal computer, software was exchanged on floppy disks, software for professional and private use ran on the same computer, and companies moved information onto computers that no longer were controlled by a central IT department but by individual users. The lack of security mechanisms and security awareness on these systems started to make itself felt.

Virus researchers have put considerable effort into developing schemes for describing, naming, and classifying computer viruses and on defining the distinctive features that distinguish computer viruses from other malicious software

How Viruses Work

A computer virus is a piece of self-replicating code attached to some other piece of code. This code can be harmless—for example, it might display a message or play a tune. Or it might be harmful and proceed to delete and modify files.

The virus code searches users' files for an uninfected executable program for which the user has security write privileges. The virus infects the file by putting a piece of code in the selected program file. When a program that is infected with a virus is executed, the virus immediately takes command, finding and infecting other programs and files.

Some viruses are "memory resident" viruses. When a user executes an executable file that is infected with this type of virus, the virus loads itself into memory and remains there even if the original program is shut down. Subsequent programs that are executed are infected with the virus until the computer is shut down or turned off. Some viruses have a "dormant" phase and will appear only at certain times or when certain actions are performed.

A variant is a virus that is generated by modifying a known virus. Examples are modifications that add functionality or evade detection. The term "variant" usually applies only when the modifications are minor. An example would be changing the trigger date from Friday the 13th to Thursday the 12th.

An overwriting virus will destroy code or data in the host program by replacing it with the virus code. It should be noted that most viruses attempt to retain the original host program's code and functionality after infection because the virus is more likely to be detected and deleted if the program ceases to work. A non-overwriting virus is designed to append the virus code to the physical end of the program or to move the original code to another location.

A self-recognition procedure is a technique whereby a virus determines whether or not an executable is already infected. The procedure usually involves searching for a particular value at a known position in the executable. Self-recognition is required if the virus is to avoid multiple infections of a single executable. Multiple infections cause excessive growth in size of infected executables and corresponding excessive storage space, contributing to the detection of the virus.

A resident virus installs itself as part of the operating system upon execution of an infected host program. The virus will remain resident until the system is shut down. Once installed in memory, a resident virus is available to infect all suitable hosts that are accessed.

A stealth virus is a resident virus that attempts to evade detection by concealing its presence in infected files. To achieve this, the virus intercepts system calls that examine the contents or attributes of infected files. The results of these calls must be altered to correspond to the file's original state. For example, a stealth virus might remove the virus code from an executable when it is read (rather than executed) so that an anti-virus software package will examine the original, uninfected host program.

An encrypted virus has two parts: a small decryptor and the encrypted virus body. When the virus is executed, the decryptor will execute first and decrypt the virus body. Then the virus body can execute, replicating or becoming resident. The virus body will include an encryptor to apply during replication. A variably encrypted virus will use different encryption keys or encryption algorithms. Encrypted viruses are more difficult to disassemble and study since the researcher must decrypt the code.

A polymorphic virus creates copies during replication that are functionally equivalent but have distinctly different byte streams. To achieve this, the virus may randomly insert superfluous instructions, interchange the order of independent instructions, or choose from a number of different encryption schemes. This variable quality makes the virus difficult to locate, identify, or remove.

A reaserch virus is one that has been written, but has never been unleashed on the public. These include the samples that have been sent to researchers by virus writers. Viruses that have been seen outside the research community are termed "in the wild."

How Are Computer Viruses Spread?

The following are necessary characteristics of a virus:

  • It is able to replicate.

  • It requires a host program as a carrier.

  • It is activated by external action.

  • Its replication ability is limited to the (virtual) system.

Computer viruses move from computer to computer by attaching themselves to files or boot records of disks and diskettes. These days it is not uncommon to find them in e-mail attachments and other programs that can be downloaded from the Internet.

A virus is a relatively passive agent that relies on ordinary users for its activation and propagation. It can travel from one file to another on the same computer if the infected file is executed, from computer memory to a file on disk, on a disk that is carried from one computer to another (some companies prohibit floppy drives, thereby preventing users from copying information onto their computers), on e-mail attachment executable files, and over a modem or network connection.

Damage that Viruses Cause

Viruses can destroy file allocation tables (FAT) and lead to the corruption of an entire file system, resulting in the need to fully reinstall and reload the system. Viruses also can create bad sectors on the disk, destroying parts of programs and files. They can decrease the space on hard disks by duplicating files. They also can format specific tracks on the disks or format the entire disk.

Viruses can destroy specific executable files and alter data in data files, causing a loss of integrity in the data. Viruses can cause the system to hang so that it does not respond to any keyboard or mouse movements.

Trojan Horses

Background

The term "Trojan horse" comes from a myth in which the Greeks gave a giant wooden horse to their foes, the Trojans, seemingly as a peace offering. After the Trojans dragged the horse inside the city walls of Troy, Greek soldiers sneaked out of the horse's hollow belly and opened the city gates, allowing their compatriots to pour in and capture Troy.

What Are Trojan Horses?

A Trojan horse is code hidden in a program such as a game or spreadsheet that looks safe to run but has hidden side effects. When the program is run, it seems to function as the user expects, but in actuality it is destroying, damaging, or altering information in the background. It is a program on its own and does not require a host program in which to embed itself. An example of a Trojan horse would be a Christmas executable that, when executed, pops up with an animated figure of Santa Claus and a caption saying "Merry Christmas." In the background, extra code could be deleting files or performing other malicious actions.

How Trojan Horses Are Spread

Trojan horses generally are spread through e-mail and exchange of disks and information between computers. Worms could also spread Trojan horses.

Damage Caused by Trojan Horses

The damage that Trojan horses cause is much the same as what a virus causes. Most of the time the users are unaware of the damage it is causing because of the Trojan horse's masking effect.

Worms

Background

Worms first were used as a legitimate mechanism for performing tasks in a distributed environment. Network worms were considered promising for the performance of network management tasks in a series of experiments at the Xerox Palo Alto Research Center in 1982. The key problem noted was worm management; controlling the number of copies executing at a single time.

Worms were first noticed as a potential computer security threat when the Christmas Tree Exec attacked IBM mainframes in December 1987. It brought down both the worldwide IBM network and BITNET. The Christmas Tree Exec wasn't a true worm. It was a Trojan horse with a replicating mechanism. A user would receive a Christmas card by e-mail that included executable (REXX) code. If executed, the program claimed to draw a Christmas tree on the display. That much was true, but it also sent a copy to everyone on the user's address lists.

The Internet Worm was a true worm. It was released on November 2, 1988. It attacked Sun and DEC UNIX systems attached to the Internet (it included two sets of binaries, one for each system). It utilized the TCP/IP protocols and vulnerabilities in sendmail, common application layer protocols, operating system bugs, and a variety of system administration flaws to propagate. Various problems with worm management resulted in extremely poor system performance and a denial of network service. It exploited operating system flaws and common system management problems.

What Are Worms?

The following are necessary characteristics of a worm:

  • It is able to replicate.

  • It is self-contained and does not require a host.

  • It is activated by creating process (it needs a multitasking system).

  • If it is a network worm, it can replicate across communication links.

A worm is a program designed to replicate. The program may perform any variety of additional tasks as well. The first network worms were intended to perform useful network management functions. They took advantage of system properties to perform useful actions. However, a malicious worm takes advantage of the same system properties. The facilities that allow such programs to replicate do not always discriminate between malicious and good code. Worms exploit flaws (that is, bugs) in the operating system or inadequate system management to replicate. Release of a worm usually results in brief outbreaks, shutting down entire networks.

Worms are programs that run independently and travel from computer to computer across network connections. Worms may have portions of themselves running on many different computers. Worms do not change other programs, although they may carry other code that does.

How Worms Affect Network Systems

Developing a worm requires a network environment and an author who is familiar not only with the network services and facilities, but also with the operating facilities required to support them once they've reached the computer. Protection against worm programs is like protection against break-ins. If an intruder can enter your computer, so can a worm program. If the computer is secure from unauthorized access, it should be secure from a worm program.

How Worms Are Spread

Worms are autonomous agents capable of propagating themselves without the use of another program or intervention or action by a user. Worms are found primarily on computers that are capable of multitasking and are connected by a network.

Damage that Worms Can Cause

Most worms disrupt services and create system management problems. Some worms scan for passwords and other loopholes and then send the information back to the attacker. In some cases worms can install Trojan horses or viruses that cause damage to the systems.

Macro Viruses

A macro virus is a virus that attaches itself to a spreadsheet worksheet, or is programmed into the spreadsheet. It also could be programmed into other products such as Word documents and Microsoft PowerPoint presentations and so on.

Macro viruses are written in high-level languages like Visual Basic for applications used by Microsoft Office products, Lotus scripting, WordPerfect macros, and so on. Macro viruses bypass integrity protection mechanisms for normal executables because macro viruses are embedded in the data file. Documents are widely exchanged by e-mail and therefore are a good medium for spreading a virus. Users opening a file may not even be aware of the fact that they are running a program. All instructions available for writing macros are also available to virus writers who now can hide viral code in a macro file.

An example of a macro virus is the Melissa macro virus. The Melissa macro virus was spread via e-mail. The virus was programmed into a Word document. When the document was opened, the macro virus would send a copy of it to the first 50 e-mail addresses from the global address list. This caused major e-mail systems to crash throughout the world and also saturated network bandwidth.

Appendix D: Security Vulnerabilities

Vulnerabilities are weak points or loopholes in security that an attacker can exploit in order to gain access to the network or to resources on the network. The vulnerability is not the attack, but rather the weak point that is exploited. This section discusses only a few common vulnerabilities. So many different types of vulnerabilities can exist that discussing them all would require hundreds of pages. To find out about vulnerabilities that exist on any particular system, talk to various software and hardware vendors and do research and tests on the products.

Vulnerabilities in Common Network Access Procedures and Protocols

The primary protocol used in operating systems today is the TCP/IP protocol stack. The wide use of this protocol helps to integrate different operating system architectures such as Microsoft and UNIX. Many organizations make use of this interoperability and use various TCP/IP utilities to run programs, transfer information, and reveal information. Due to the nature of these utilities, various security risks and threats exist. Users often use the same passwords for mixed environments. Sometimes, passwords are automatically synchronized. If hackers can crack the password on systems other than Microsoft systems, they could also use that password to logon to a Microsoft system.

Telnet

The Telnet protocol allows a user to log onto a system over the network and use that system as though the user was sitting at a terminal that was directly connected. The telnet command provides a user interface to a remote system. When using the Microsoft telnet client to log on to the Microsoft Windows 2000 Telnet service, it uses the NTLM protocol to log the client on. Problems arise when integrating Microsoft systems and UNIX systems. When logging on to a system from a Microsoft telnet client to UNIX TELNET daemon service or vice versa, the user name and password are sent over the network in plain text. Since the user name and password characters are not encrypted, it is possible for an electronic eavesdropper to capture a user name and password for a system for which a telnet connection is being established.

File Transfer Protocol

File Transfer Protocol allows users to connect to remote systems and transfer files back and forth. As part of establishing a connection to a remote computer, FTP relies on a user name and password combination for authentication. Use of FTP poses a security problem similar to use of the Telnet protocol because passwords typed to FTP are transmitted over the network in plain text, one character per packet. These packets can be intercepted.

Another problem area for FTP is anonymous FTP. Anonymous FTP allows users who do not have an account on a computer to transfer files to and from a specific directory. This capability is particularly useful for software or document distribution to the public. To use anonymous FTP, a user passes a remote computer name as an argument to FTP and then specifies "anonymous" as a user name.

One of the problems with anonymous FTP is that there is often no record of who has requested what information. Another problem with anonymous FTP is the threat of denial-of-service attacks. For deliberate or accidental denial-of-service attacks, authorized users may be denied access to a system if too many file transfers are initiated simultaneously. It is important to securely set up the anonymous FTP account on the server because everyone on the network will have potential access. If the anonymous FTP account is not securely configured and administered, crackers may be capable of adding and modifying files.

Trivial File Transfer Protocol

The 6Trivial File Transfer Protocol (TFTP) is a file transfer program that is frequently used to allow diskless hosts to boot over the network. Microsoft Windows 2000 implements a client utility to make use of TFTP services on UNIX flavors. Because TFTP has no user authentication, it may be possible for unwanted file transfer to occur. The use of TFTP to steal password files is a significant threat.

Commands Revealing User Information

It is not uncommon to find interoperability between Microsoft products and various flavors of UNIX. 7

Commands that reveal user and system information pose a threat because crackers can use that information to break into a system. This section provides a brief description of various commands whose output makes a system vulnerable to break-ins.

Finger

The finger client utility on Windows NT and Windows 2000 can be used to connect to a finger daemon service running on a UNIX-based computer to display information about users. When the finger client utility is invoked with a name argument, the password file is searched on a UNIX server. Every user with a first name, last name, or user name that matches the name argument is returned. When the finger program is run with no arguments, information for every user currently logged on to the system is displayed. User information can be displayed for remote computers as well as for the local computer.

The output of finger typically includes logon name, full name, home directory, last logon time, and in some cases when the user received mail and/or read mail. Personal information, such as telephone numbers, is often stored in the password file so that this information is available to other users. Making personal information about users available poses a security threat because a password cracker can make use of this information. In addition, finger can reveal logon activity.

Rexec

The rexec utility is provided as a client on Microsoft Windows NT and Windows 2000. The rexec client utility allows remote execution on UNIX-based systems running the rexecd service. A client transmits a message specifying the user name, the password, and the name of a command to execute. The rexecd program is susceptible to abuse because it can be used to probe a system for the names of valid accounts. In addition, passwords are transmitted unencrypted over the network.

Protocol Design

Communication protocols sometimes have weak points. Attackers use these to gain information and eventually gain access to systems. Some known issues are:

  • TCP/IP. The TCP/IP protocol stack has some weak points that allows:

    • IP address spoofing

    • TCP connection request (SYN) attacks

  • ATM. Security can be compromised by what is referred to as "manhole manipulation"—direct access to network cables and connections in underground parking garages and elevator shafts.

  • Frame relay. Similar to the ATM issue.

Weak Passwords

Password selection will always be a contentious point as long as users have to select one. The problem normally is to remember the correct password from among the many that users need to remember. Users end up selecting commonly used passwords because they are easy to remember—anything from birthday to the names of loved ones. This creates a vulnerability, however, because it gives others a good chance to guess the correct password.

A password is the key to a computer—a key much sought-after by hackers as a means of getting a foothold into a system. A weak password may give a hacker access not only to a computer, but to the entire network to which the computer is connected. Users should treat their passwords like the keys to their homes. Would they leave their homes or offices unlocked in a high crime area?

Device Administration

Switches and routers are easily managed by an HTTP Web interface or through a command line interface. Coupled to the use of weak passwords (for example, public passwords), it allows anybody with some technical knowledge to take control of the device.

Modems

If a computer has a modem connected to the Internet, the user needs to take appropriate precautions because modem connections can be a significant vulnerability.

Any unauthorized modem is a serious security concern. Hackers commonly use a tool known as a "war dialer" to identify the modems at a target organization. A war dialer is a computer program that automatically dials phone numbers within a specified range of numbers. Most organizations have a block of sequential phone numbers. If an organization has one number, it is usually correct to assume that most other numbers are within a limited range of numbers either higher or lower than that number.

By dialing all numbers within the targeted range, the war dialer identifies which numbers are for computer modems and determines certain characteristics of those modems. The hacker then uses other tools to attack the modem to gain access to the computer network. Anyone can download effective war dialers from the Internet at no cost.

References

Books

Garfinkel, Simson, and Gene Spafford. Practical Unix and Internet Security. O'Reilly & Associates, Inc., April 1996.

Gollmann, Dieter. Computer Security. John Wiley and Sons, August 1999

Microsoft Corp. Microsoft Windows 2000 Resource Kit. Redmond, WA: Microsoft Press, 2000.

Microsoft Corp. Microsoft Windows NT Server 4.0 Resource Kit. Redmond, WA: Microsoft Press 1996.

Microsoft Corp. Microsoft Windows NT 4.0 Workstation Resource Kit. Redmond, WA: Microsoft Press 1996.

Sanna, Paul. Windows 2000 Server Security for Dummies. IDG Books Worldwide, 1999.

Online Publications

Bassham, Lawrence E., and W. Timothy Polk. Threat Assessment of Malicious Code and Human Threats. National Institute of Standards and Technology Computer Security Division. http://csrc.nist.gov/publications/nistir/threats/threats.html

Brown, Carol E. and Alan Sangster. Electronic Sabotage. http://accounting.rutgers.edu/raw/aies/www.bus.orst.edu/faculty/brownc/lectures/virus/virus.htm

Chess, David. Things that Go Bump in the Net.http://www.research.ibm.com/massive/bump.html

Huegen, Craig. Network-Based Denial of Service Attack Information.http://users.quadrunner.com/chuegen/smurf/

Martin, Brian. Have Script Will Destroy (Lessons in DoS). http://www.attrition.org/

Parker, Donn. Automated Crime. http://www.infosecuritymag.com/

DDOS Debriefing. http://www.infosecuritymag.com/

Department of Defense Trusted Computer System Evaluation Criteria (Orange Book). National Computer Security Center. http://csrc.ncsl.nist.gov/secpubs/rainbow/std001.txt

Trusted Network Interpretation (Red Book). National Computer Security Center. http://csrc.ncsl.nist.gov/secpubs/rainbow/tg005.txt

Web Sites

For more information on viruses, Trojan horses, and Internet hoaxes, see:

For more information on distributed denial-of-service attacks, see http://www.icsa.net/

For more information on back-end system issues for online financial sites, see http://www.incurrent.com/

For more information about security, see the Pretty Good Privacy site at http://www.pgp.com.

Acknowledgements

This paper was created with help from the following people:

Writer

Christopher Benson, Inobits Consulting (Pty) Ltd.

Contributors

  • Denis Bensch, Inobits Consulting (Pty) Ltd.

  • Dawie Human, Inobits Consulting (Pty) Ltd.

  • Louis De Klerk, Inobits Consulting (Pty) Ltd.

  • Johan Grobler, Inobits Consulting (Pty) Ltd.

Reviewer

Christopher Budd

Macintosh is a registered trademark of Apple Computer, Inc

1 March 9, 1999. "CIA measures damage following leaked nuclear secrets."

2 October 18, 1999. WASHINGTON (IDG)—The U.S. House Judiciary Committee has approved a bill designed to encourage electronic commerce by recognizing digital signatures as having the same legally binding status as a handwritten signature.

3 The World Wide Web Consortium (W3C) is developing the Platform for Privacy Preferences Project (P3P).

4 "eToys attacks show need for strong Web defenses," NetWork World, December 20, 1999,

5 SecurTek Corporation,

6 Windows 2000 clients can retrieve information from a UNIX computer using the Trivial File Transfer Protocol client utility. Windows 2000 does not run a TFTP server service but the utility still is used without any authentication to UNIX systems.

7 The utilities described could still be used although Windows does not support services for these utilities. The client utilities can still be used when there is interoperability between Microsoft Windows and UNIX systems.

Was this page helpful?
(1500 characters remaining)
Thank you for your feedback
Show:
© 2014 Microsoft