Lectures_SSD2_Yermakova / Lectures_SSD2 Yermakova.doc
Added: 25.02.2016

6.1.1 Intruders: Who, Why, and How?

The first step to safeguarding your computer system and information property is to understand your opponents. The profiles of computer system attackers include:

  • People who hack for fun, curiosity, personal pride, or just for the sake of breaking into computer systems to see how far they can get (for example, high school or college students, also known as script-kiddies, who attempt to gain access to secure systems such as those owned by the government)

  • Internal or external personnel who may be seeking revenge on the targeted organization. Security breaches from within an organization account for 70% to 90% of all security breaches, according to estimates by The Hurwitz Group of Framingham, Massachusetts.

  • People who may want to make a profit or gain other benefits using confidential data from the targeted system (for example, business advantage, military advantage)

  • Criminals or organizations whose objective is to corrupt the security of the targeted system for unethical purposes including blackmail and industrial espionage

  • Terrorists who want to promote political aims and demoralize the victim country

Computer systems that are easy for intruders to attack are those used in residential settings, commonly referred to as home computers. Once home computers are compromised, they may be used to launch larger attacks against computers in an organization. Home computer systems are more vulnerable to attacks for the following reasons:

  • Home users may be using cable modem/wireless networks, which can be eavesdropped on.

  • Home computer systems are less likely to be configured securely.

  • Home users are less likely to detect that their system's security has been breached.

  • Access to home systems might provide an alternative route of access to the computers in their workplace.

Typically, intruders launch attacks using the following steps:

Step 1: Obtain information

  • Guess passwords.

  • Pretend to be a system administrator asking for sensitive information.

  • Read packets of sensitive information sent over the Internet or stored on the computer.

  • Scan for vulnerabilities.

Step 2: Analyze information

  • Use the information obtained and look for weak points in the network to exploit (for example, open ports, user accounts).

Step 3: Launch attack

  • Alter, delete, or corrupt data on the system.

  • Make the system unavailable by creating an excessive amount of traffic on the network (for example, a denial of service attack, which will be discussed later).

  • Slow down a network.

  • Deface a website.

The diagram below illustrates the generalized process of attacks.

Figure 1 General flow of an attack

You will learn more about the specific attack methods later in this section.

6.1.2 Identity Theft and Privacy Violation

  • Password Cracking

  • Packet Sniffing

  • Social Engineering/Fraud

  • Spoofing

  • Port Scanning

The table below provides an overview of the level of compromise each of the attacks addressed in this section can achieve. Note that most of these attacks are used to obtain information, which could enable more damaging attacks on data integrity.

 

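|                    | Data Confidentiality | Data Availability |
|--------------------|----------------------|-------------------|
| Password Cracking  | x                    |                   |
| Packet Sniffing    | x                    |                   |
| Social Engineering | x                    |                   |
| Spoofing           |                      | x                 |
| Port Scanning      |                      | x                 |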

Table 1 Level of security compromise achieved by identity theft and privacy violation attacks

One of the attack mechanisms is to capture login and password information in order to break into your user account. Once intruders crack your user name and password, they can act as you, with all your access privileges to alter the data on your account, send email from your account, or attack other computers from your account. Furthermore, if your account could obtain higher rights, such as administrative rights, intruders may use your account to obtain those rights as well. They can also try to generate messages pretending to be from a source you trust and trick you into providing sensitive information such as login names, passwords, and confidential data on your system. The following material covers some of the methods attackers use to obtain sensitive information.
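
A defender's view of the password-guessing step described above, as an added example that is not part of the original lecture: it scans login records for a run of failed attempts against one account from one source and flags the case where such a run ends in a successful login. The log lines are constructed samples in OpenSSH sshd format; the function name and the threshold of 3 are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines in OpenSSH sshd format (not from the lecture).
SAMPLE_LOG = """\
Feb 25 10:00:01 host sshd[101]: Failed password for alice from 203.0.113.7 port 40001 ssh2
Feb 25 10:00:03 host sshd[101]: Failed password for alice from 203.0.113.7 port 40002 ssh2
Feb 25 10:00:04 host sshd[102]: Failed password for bob from 198.51.100.9 port 51000 ssh2
Feb 25 10:00:05 host sshd[101]: Failed password for alice from 203.0.113.7 port 40003 ssh2
Feb 25 10:00:09 host sshd[102]: Accepted password for bob from 198.51.100.9 port 51001 ssh2
Feb 25 10:00:11 host sshd[101]: Accepted password for alice from 203.0.113.7 port 40004 ssh2
Feb 25 10:01:00 host sshd[103]: Failed password for invalid user admin from 203.0.113.7 port 40010 ssh2
Feb 25 10:01:02 host sshd[103]: Failed password for invalid user admin from 203.0.113.7 port 40011 ssh2
Feb 25 10:01:04 host sshd[103]: Failed password for invalid user admin from 203.0.113.7 port 40012 ssh2
"""

LINE_RE = re.compile(
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)

def find_guessing(log_text, threshold=3):
    """Return (alerts, compromised) as sets of (source, user) pairs.

    alerts:      pairs with at least `threshold` consecutive failed logins.
    compromised: pairs where such a run was followed by a successful login,
                 i.e. the guessed password probably worked.
    """
    streak = defaultdict(int)          # current run of failures per pair
    alerts, compromised = set(), set()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue                   # unrelated log line
        key = (m["src"], m["user"])
        if m["result"] == "Failed":
            streak[key] += 1
            if streak[key] >= threshold:
                alerts.add(key)
        else:
            if streak[key] >= threshold:
                compromised.add(key)   # success right after a guessing run
            streak[key] = 0            # a success resets the run
    return alerts, compromised

if __name__ == "__main__":
    alerts, compromised = find_guessing(SAMPLE_LOG)
    print("guessing runs:", sorted(alerts))
    print("likely compromised:", sorted(compromised))
```

A single mistyped password followed by a correct one (bob in the sample) stays below the threshold and is not flagged.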