This tutorial discusses the threats to and vulnerabilities of information systems from both insiders and outsiders, and the ways of managing such threats and vulnerabilities.
Information Security Attacks from Insiders
It is now an acknowledged fact within the information security community that insiders (people with legitimate access to an organization's information systems) represent one of the biggest information security threats; estimates range from half to three-fourths of all security incidents (Dillon 1999, Whitman 2003). Considering that a large number of such incidents go undetected (Hoffer and Straub 1989), the true figures are most likely higher. Specialists therefore prescribe a combination of measures to prevent security incidents. These measures fall under two broad categories:
- Procedural or business control measures: those that define access and other security policies, usage guidelines, and security education, training and awareness (SETA) programs.
- Technical measures: authentication mechanisms, monitoring techniques and tools, and filtering mechanisms.
Types of Information Security Attacks from Outsiders
Information security attacks come in many forms. Modern attack techniques are difficult to detect and stop because doing so requires continuous monitoring of the system. Perimeter security is therefore of vital importance, since the first objective of a security system is to stop an attacker from gaining access at all. The major forms of attack are the following:
Hacking
Hacking is the activity of getting into a computer system without authorization, looking around and finding out what can be done inside it. Hackers are commonly divided into three types.
- Ethical hackers: Ethical hacking and hacking etiquette demand that the hacker, after having penetrated a system, notify the system administrator of the entry so that the vulnerability can be fixed. Ethical hacking is normally carried out with the organization's prior authorization, and it actually helps the organization improve its security apparatus.
- Crackers: These are malicious hackers. Once inside a system they destroy valuable assets; their objective is to cause as much damage as possible. These attacks are the ones to fear, as they have the potential to cause large-scale damage to the organization's information assets.
- Phreaks: These are people who break into an organization's telephone systems so that they can make calls at the organization's expense.
Each hacking incident may differ from the next, because each hacker tries a different trick to exploit a different vulnerability. Since most systems are now connected to the Internet, most hacking incidents come from network-based attackers who gain access to the organization's computer systems and then damage them. Even so, most hacking incidents follow a typical pattern or method, whose stages are:
Reconnaissance: Before embarking on a full-scale attack, the hacker tries to find out what countermeasures protect the system, testing the waters before jumping into action. In this stage he typically gathers information about the system (and/or network), its vulnerabilities, the critical information stored on it, key employees, public information about the system and the organization, and information about the organization's customers. As long as this is done from public sources without touching the target, it is passive reconnaissance. The hacker then moves on to active reconnaissance, in which he acquires DNS information and IP addresses, performs ping sweeps and SNMP network scans, grabs service banners, and so on; these probes touch the target and can therefore show up in its logs.
Vulnerability scanning: After reconnaissance the hacker moves to the scanning stage, in which he looks for vulnerabilities in the perimeter security of the system, including the organization's routers and firewalls.
Gaining access: After scanning, the hacker gains access to the organization's system by exploiting a vulnerability in its defences. The entry point can be the operating system of a server or networked computer, an application (either one planted on the system or an existing file corrupted or modified to do the hacker's bidding), or any network device in the organization's network.
Maintaining access: Having gained access, the hacker normally wants to keep it. He does so by planting a custom-built backdoor on the already compromised server, which lets him enter and leave the system at will. With this foothold the hacker has complete control: he can upload or modify applications, modify data without anyone's knowledge, steal data and cause widespread damage. At this stage he evaluates the organization's information assets and, depending on his intentions, decides how to profit from his efforts: he may simply maintain access without causing damage, steal information and sell it, profit from altering the organization's data, or blackmail the organization.
Covering tracks: Once the hacker has established his access, he wants to remove every trace of his entry into and exit from the system. He does this by deleting the evidence of his access from audit trails and log files, so the system administrators remain oblivious to his presence. This is why logs should be forwarded to a separate, write-protected collector as they are generated: an attacker who can edit the local log files cannot edit copies that have already left the machine.
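The covering-tracks stage works only if deleting or rewriting a log entry leaves no visible gap. The following is an added example, not code from the original tutorial, of an HMAC-chained audit log in which every record's tag depends on the previous record's tag, so removing or editing any entry breaks the chain from that point on. The key, the events and the two tampering functions are constructed for the example; the key is assumed to live on a separate log collector rather than on the monitored host.

```python
"""Added example (not from the original tutorial): an HMAC-chained audit log.

Each record's tag is an HMAC over the previous record's tag plus the record's
own content, so deleting or rewriting any entry breaks the chain from that
point on. The key, events and tampering below are all constructed for the
example; in practice the key is held by a separate log collector, not by the
host whose logs it protects (an attacker with root on the host could otherwise
simply re-chain the log).
"""
import hashlib
import hmac
import json

LOG_KEY = b"collector-secret-key-example"   # constructed; never store on the monitored host
GENESIS = "0" * 64                             # tag assumed for the record before the first one


def _tag(prev_tag, event):
    body = json.dumps(event, sort_keys=True)
    return hmac.new(LOG_KEY, (prev_tag + body).encode(), hashlib.sha256).hexdigest()


def append_record(chain, event):
    """Append `event` (a dict) to `chain` and return the new record."""
    prev_tag = chain[-1]["tag"] if chain else GENESIS
    record = {"seq": len(chain), "event": event, "prev": prev_tag, "tag": _tag(prev_tag, event)}
    chain.append(record)
    return record


def verify_chain(chain):
    """Recompute every tag and check the linkage.

    Returns (True, None) if the log is intact, otherwise (False, seq) where
    seq is the position of the first record that no longer fits the chain.
    """
    prev_tag = GENESIS
    for position, record in enumerate(chain):
        expected = _tag(prev_tag, record["event"])
        if (record["seq"] != position
                or record["prev"] != prev_tag
                or not hmac.compare_digest(expected, record["tag"])):
            return False, position
        prev_tag = record["tag"]
    return True, None


def build_sample_log():
    """Constructed audit trail: a normal user session, then the attacker's."""
    chain = []
    for event in [
        {"user": "alice", "action": "login", "src": "10.0.0.12"},
        {"user": "alice", "action": "read", "target": "/srv/reports/q1.xls"},
        {"user": "root", "action": "login", "src": "203.0.113.7"},       # attacker's entry
        {"user": "root", "action": "write", "target": "/usr/bin/sshd"},   # backdoor planted
        {"user": "alice", "action": "logout"},
    ]:
        append_record(chain, event)
    return chain


def delete_record(chain, seq):
    """Simulate 'covering tracks' by removing one entry from the log file."""
    return [r for r in chain if r["seq"] != seq]


def rewrite_record(chain, seq, **changes):
    """Simulate editing an entry in place (for example changing a source address)."""
    edited = [dict(r, event=dict(r["event"])) for r in chain]
    edited[seq]["event"].update(changes)
    return edited


if __name__ == "__main__":
    log = build_sample_log()
    print("intact:", verify_chain(log))
    print("after deleting the attacker's login:", verify_chain(delete_record(log, 2)))
    print("after rewriting the backdoor path:", verify_chain(rewrite_record(log, 3, target="/tmp/x")))
```

The first failing position tells the responder where the gap begins, which is usually the start of the attacker's session; everything after it must be treated as untrustworthy even if its tags happen to match, because the attacker could have re-chained the tail if he had the key.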
Denial of service (DoS)
This is another form of security attack, in which the attacker overwhelms the organization's servers (or other hardware resources) or the telecommunication links from its ISP. Originally DoS attacks were one-to-one: the attacker launched the attack from his own machine against one organization, with the objective of exhausting its resources (hardware or bandwidth) and thereby denying the system's services to legitimate users. Since February 2000 the trend has changed. Attackers now use a many-to-one mode of attack, known as distributed denial of service (DDoS). The attacker first creates zombies (compromised machines on the Internet running code under his control); on his instruction, all the zombies (sometimes tens of thousands of them) launch the attack simultaneously against a single target. Because the traffic arrives from many sources, a DDoS attack cannot be stopped by blocking a single address; defending against it requires reducing the number of zombies on the network and filtering the flood upstream before it reaches the organization's links. It is one of the most difficult forms of attack for an organization to secure itself against.
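The difference between the one-to-one and many-to-one modes is visible in connection logs, and it decides the response: one source can be blocked, thousands cannot. The following is an added example, not code from the original tutorial, that sorts destinations into normal, single-source DoS and DDoS by counting SYNs per target in a sliding window and then counting how many distinct sources sent them. The log format, the addresses and the thresholds are constructed assumptions for the example.

```python
"""Added example (not from the original tutorial): telling a one-to-one DoS
flood from a many-to-one DDoS flood in connection logs.

For every destination we keep the SYNs seen in a sliding window. A target that
receives at least `syn_rate` SYNs in the window is under attack; if those SYNs
come from fewer than `distinct_sources` addresses it is the classic
single-source DoS (block the address), otherwise it is a DDoS (blocking one
address will not help). The log format and all addresses are constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format: "<iso-timestamp> src=<ip> dst=<ip> dport=<port> flags=<tcp-flags>"
LINE_RE = re.compile(r"^(\S+) src=(\S+) dst=(\S+) dport=(\d+) flags=(\S+)$")


def parse_line(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None                       # ignore lines we do not understand
    ts, src, dst, dport, flags = m.groups()
    return datetime.fromisoformat(ts), src, dst, int(dport), flags


def classify_targets(lines, window_s=10, syn_rate=50, distinct_sources=20):
    """Return {dst: 'normal' | 'dos' | 'ddos'} for every destination in the log."""
    events = sorted((e for e in map(parse_line, lines) if e), key=lambda e: e[0])
    recent = defaultdict(deque)           # dst -> deque of (timestamp, src) inside the window
    verdict = {}
    window = timedelta(seconds=window_s)
    for ts, src, dst, _dport, flags in events:
        if flags != "S":
            continue                      # only connection attempts (bare SYN) count
        q = recent[dst]
        q.append((ts, src))
        while ts - q[0][0] > window:
            q.popleft()
        if len(q) >= syn_rate:
            n_src = len({s for _, s in q})
            label = "ddos" if n_src >= distinct_sources else "dos"
            if verdict.get(dst) != "ddos":  # never downgrade a target already seen as ddos
                verdict[dst] = label
        else:
            verdict.setdefault(dst, "normal")
    return verdict


def constructed_log():
    """Three targets: ordinary traffic, a single-source flood, a zombie flood."""
    base = datetime(2000, 2, 7, 10, 0, 0)
    lines = []
    for i in range(8):                    # 10.0.0.1: eight clients over about a minute
        t = base + timedelta(seconds=7 * i)
        lines.append(f"{t.isoformat()} src=192.0.2.{i + 1} dst=10.0.0.1 dport=80 flags=S")
    for i in range(60):                   # 10.0.0.2: one attacker, 60 SYNs in three seconds
        t = base + timedelta(milliseconds=50 * i)
        lines.append(f"{t.isoformat()} src=198.51.100.9 dst=10.0.0.2 dport=80 flags=S")
    for i in range(100):                  # 10.0.0.3: 100 zombies, one SYN each, within two seconds
        t = base + timedelta(milliseconds=20 * i)
        lines.append(f"{t.isoformat()} src=203.0.113.{i} dst=10.0.0.3 dport=80 flags=S")
    return lines


if __name__ == "__main__":
    for dst, label in sorted(classify_targets(constructed_log()).items()):
        print(f"{dst:10} {label}")
```

Two caveats a practitioner should keep in mind: a legitimate flash crowd also looks like many distinct sources, so the distinct-source test is a triage signal, not proof; and SYN flood sources are often spoofed, so even the "dos" verdict may point at an innocent address. The classification is mainly useful for deciding whether a local block will help at all or whether the flood has to be handled upstream.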
Malicious code
This is another form of security threat: pieces of code that reach vital areas of a system and do great damage to it. The easiest way of distributing malicious code is by e-mail, so it is a good idea to check attachment files before opening them. There are many different types of malicious code:
- Virus: This is the most common type of malicious code, and viruses themselves come in various types. File viruses infect the files of a system and multiply whenever a user opens or accesses an infected file, so they spread to all parts of the system and can damage every file on it. File viruses are the most common form; most of them infect executable files. Other viruses attack the master boot record of the disk, rendering the operating system unbootable. Some viruses are application specific, like macro viruses that infect office documents.
- Worm: A form of malicious code that attacks networks. Worms replicate themselves over the network and spread very quickly from one machine to another without any user action. Several highly publicized worm outbreaks have been reported.
- Trojan: A stealthy form of malicious code. It seems like a good and trustworthy program on the surface but is actually malicious. The easiest way to stop Trojans is to stop opening untrustworthy attachments and to stop downloading and running software from untrusted sources.
- Logic bomb: This type of malicious code lies dormant in a system waiting for a trigger, such as a particular date and time. The code waits patiently and does nothing malevolent until the trigger condition is met, after which it damages the system and its data.
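"Check the attachment before opening it" is only useful if the check looks at what the file is rather than what its name claims, since a Trojan arrives disguised as something harmless. The following is an added example, not code from the original tutorial, that inspects an attachment's leading bytes and flags the usual disguises: executable extensions, double extensions such as invoice.pdf.exe, content that contradicts the extension, and legacy Office documents that can carry the macro viruses mentioned above. The magic-byte table is deliberately small and the sample attachments are constructed.

```python
"""Added example (not from the original tutorial): checking an e-mail
attachment before it is opened.

The check looks at what the file *is* (its leading "magic" bytes) rather than
what its name claims, and flags the usual disguises. The magic table covers
only a few common formats, and the sample files are constructed.
"""

# Leading bytes of common attachment formats (a deliberately small table).
MAGIC = [
    (b"MZ", "pe-executable"),               # Windows .exe/.dll/.scr
    (b"\x7fELF", "elf-executable"),
    (b"%PDF", "pdf"),
    (b"PK\x03\x04", "zip-container"),       # .zip, and also .docx/.xlsx
    (b"\xd0\xcf\x11\xe0", "ole-compound"),  # legacy .doc/.xls, can carry macros
    (b"\xff\xd8\xff", "jpeg"),
]

# What content each extension is allowed to have.
EXPECTED_CONTENT = {
    ".exe": {"pe-executable"}, ".scr": {"pe-executable"},
    ".pdf": {"pdf"}, ".docx": {"zip-container"}, ".xlsx": {"zip-container"},
    ".zip": {"zip-container"}, ".doc": {"ole-compound"}, ".xls": {"ole-compound"},
    ".jpg": {"jpeg"}, ".jpeg": {"jpeg"},
}
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".bat", ".cmd", ".vbs", ".js", ".pif", ".msi"}
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".jpeg"}


def sniff(data):
    """Identify the content type from the leading bytes, or 'unknown'."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return "unknown"


def assess_attachment(filename, data):
    """Return a list of findings; an empty list means nothing suspicious was seen."""
    findings = []
    parts = filename.lower().split(".")
    ext = "." + parts[-1] if len(parts) > 1 else ""
    if ext in EXECUTABLE_EXTS:
        findings.append(f"executable extension {ext}")
    if len(parts) > 2 and "." + parts[-2] in DOCUMENT_EXTS:
        findings.append(f"double extension .{parts[-2]}{ext} (document name hiding a {ext})")
    kind = sniff(data)
    if kind.endswith("-executable") and ext not in EXECUTABLE_EXTS:
        findings.append(f"content is a {kind} but the name says {ext or 'no extension'}")
    elif ext in EXPECTED_CONTENT and kind not in EXPECTED_CONTENT[ext]:
        findings.append(f"content ({kind}) does not match extension {ext}")
    if kind == "ole-compound":
        findings.append("legacy Office document: can carry macros, open with macros disabled")
    return findings


# Constructed sample attachments: just enough bytes to carry the signature.
SAMPLES = {
    "report.pdf": b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n1 0 obj\n",
    "invoice.pdf.exe": b"MZ\x90\x00\x03\x00\x00\x00PE\x00\x00",   # Trojan with a double extension
    "holiday.jpg": b"MZ\x90\x00\x03\x00\x00\x00",                 # executable renamed to look like a photo
    "budget.doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",            # legacy Word file, macro-capable
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(name, "->", assess_attachment(name, data) or "looks clean")
```

A mail gateway would run a check like this on every attachment and quarantine anything with a finding; a clean result only means the file passed these few tests, so it is a filter in front of the antivirus scanner, not a replacement for it.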
Social engineering
This is another way of attacking a system. Social engineering is a set of techniques used to trick gullible users into parting with critical information such as usernames and passwords. The social engineering attacker exploits the following human traits to get access to critical data:
- Most people trust others until they are found to be untrustworthy. The attacker exploits this trait. For example, a simple phone call made ostensibly on behalf of a trustworthy organization like a bank can make us divulge a lot of critical information about our bank accounts.
- Fear of getting into trouble is another trait the attacker exploits. For example, an e-mail asking you to supply your password "for better maintenance of your bank account" may make you fear that if you do not, the account will not be maintained properly; some people do indeed give away their password in response.
- A preference for shortcuts is another trait attackers exploit. Most people choose passwords such as nicknames, birth dates or the names of their pets, which can easily be guessed.
Thus a skilled social engineer may be able to get critical data that lets him access the system without much trouble. This type of attack is a very serious threat that everyone must be careful about.
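The shortcut passwords above are exactly the ones a social engineer guesses first, because a short chat reveals a pet's name, a nickname or a birth year. The following is an added example, not code from the original tutorial, of a password check that rejects those choices: too short, a date or year, the username, common passwords, and any word from a profile of details an attacker could learn, including simple substitutions such as "R3x" for "Rex". The profile words, the username and the sample passwords are constructed for the example.

```python
"""Added example (not from the original tutorial): rejecting the passwords a
social engineer guesses first.

The checks mirror the shortcuts in the text: too short, made of a date, built
from the user's own name or nickname, or from details an attacker can learn in
a chat (a pet's name, a birth year). The profile words and sample passwords
are constructed for the example.
"""
import re

COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome"}
DATE_PATTERNS = [
    re.compile(r"\b(0?[1-9]|[12]\d|3[01])[./-]?(0?[1-9]|1[0-2])[./-]?(19|20)\d{2}\b"),  # dd-mm-yyyy
    re.compile(r"\b(19|20)\d{2}[./-]?(0?[1-9]|1[0-2])[./-]?(0?[1-9]|[12]\d|3[01])\b"),  # yyyy-mm-dd
    re.compile(r"(19|20)\d{2}"),                                                        # bare year
]
# Undo the usual "leet" substitutions so that "R3x!" still reveals "rex".
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "8": "b", "@": "a", "$": "s", "!": "i"})


def password_weaknesses(password, username, profile_words, min_length=12):
    """Return the list of reasons this password should be rejected (empty if none)."""
    reasons = []
    lowered = password.lower()
    normalized = lowered.translate(LEET)
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    if lowered in COMMON_PASSWORDS:
        reasons.append("in the common-password list")
    if any(p.search(password) for p in DATE_PATTERNS):
        reasons.append("contains a date or year")
    if username and username.lower() in lowered:
        reasons.append("contains the username")
    for word in profile_words:
        w = word.lower()
        if len(w) >= 3 and (w in lowered or w in normalized):
            reasons.append(f"contains personal detail '{word}'")
    return reasons


# Constructed profile: what a chatty colleague or a social-media page would reveal.
PROFILE = ["Rex", "Johnny", "Smith"]      # pet, nickname, surname
USERNAME = "jsmith"

if __name__ == "__main__":
    for candidate in ["Rex2015", "14-03-1987", "jsmith!Pa55", "R3x!Rules", "correct horse battery staple"]:
        print(repr(candidate), "->", password_weaknesses(candidate, USERNAME, PROFILE) or "accepted")
```

The profile list is the important part: a length rule alone accepts "Rex-and-Johnny-1987", which anyone who has seen the user's desk photo will try within the first dozen guesses. The check is a policy gate at password-set time; it does not replace rate limiting on the login form, which is what stops the guessing itself.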
Some Top Hacking Incidents of All Time
1990s
Kevin Mitnick, a well-known hacker, broke into the computer networks and systems of top technology companies including Nokia, Fujitsu, Motorola and Sun Microsystems. The incidents caused a huge stir in the security establishment; Mitnick was arrested by the FBI in 1995 and released from prison in January 2000.
1995
The Russian hacker Vladimir Levin was among the first to break into a bank's computer systems to steal money. During 1994 he gained access to Citibank's cash-management system, which ran on VAX/VMS, and transferred an estimated $10 million USD out of customer accounts. He was arrested in London in 1995.
1990
In 1990 the Los Angeles radio station KIIS-FM ran a contest that awarded a Porsche to the 102nd caller. Kevin Poulsen, a hacker, took control of the station's incoming telephone lines, locked out other callers and ensured that he was the 102nd caller, winning the prize. He was later arrested.
1996
Timothy Lloyd, a network administrator at Omega Engineering, planted a small piece of malicious code, a logic bomb, that went off after he had left the company and deleted the firm's manufacturing software, causing damage estimated at $10 million USD.
1988
Robert Morris, a Cornell University graduate student, released a worm onto the Internet that infected machines worldwide and crashed thousands of them (an estimated 6,000, a significant fraction of the Internet at the time).
1999
David Smith wrote and released Melissa, one of the most damaging viruses of its time: a macro virus that spread by mailing itself from infected Microsoft Word documents and overwhelmed mail systems worldwide.
2000
Mafiaboy, a 15-year-old Canadian, launched distributed denial of service attacks against the most popular sites on the Internet, including Yahoo, eBay and Amazon, knocking them offline for hours. He did not break into the sites; he flooded them with traffic from machines he had compromised.