With the information systems of today coming under attack from a multitude of sources and from so many different directions, it is time to define exactly where the biggest threats are most likely to originate. The answer is surprising and rather shocking.
Numerous information security studies and surveys have found that the majority of attacks upon information systems originate wholly, or are assisted in a significant way, from sources located within the information systems organization itself. This falls into the general category of “subversion from within”.
These internal threat sources can be as simple as duly authenticated, authorized users attempting to exceed their access rights and permissions, or unauthorized users trying to go where they should not be at all. Some of these attacks are relatively unthreatening and in no way exhibit or imply malicious or malevolent intentions on the part of the source of the attack.
For example, it may well be that a duly authenticated, authorized user is attempting to perform an action that exceeds their current logon account’s specific user access rights and privileges, such as trying to install a piece of software. As an information systems administrator, I too must confess that I have been guilty of absent-mindedly using inappropriate logon credentials. It just goes to show that those things we don’t do, or are not reminded of, “day in, day out” quickly gather cobwebs in the cogs of our minds.
One can very easily forget that the general-purpose logon account credentials one uses in the production network environment, outside of the administrator-only high-security administration room, have considerably fewer access rights and privileges than one’s full administrator account credentials have. On a Microsoft Windows-based network this is the full-rights Administrator account; its equivalent in the Linux/UNIX world is “root”.
Danger Potential is Relative
The insider attack is potentially more dangerous than an outsider attack because the insider (he, she or it) already has a level of access to both facilities and systems that the outsider does not. If nothing else, the insider has physical access options the remote or outside attacker does not usually enjoy. Not all insider-originated or insider-assisted attacks are perpetrated by members of the organization the attack is directed against.
False Sense of Security – One area in which “insider” attacks have recently been proliferating is the exploitation of unsecured internal wireless networks. In many cases these attacks, exploiting not-so-truly secured, fully patched, locked-up and locked-down internal wireless networks, have been perpetrated against wireless networks considered “safe” by their owners on the assumption that this sector of the corporate network is entirely “internal” and therefore cannot be connected to by randomly passing external wireless traffic. Wrong again.
Subterfuge – Attackers have been using various ploys to gain physical access to such vulnerable, supposedly secure internal wireless networks for quite some time now. Generally this involves some form of deception, or teams of perpetrators implementing quite elaborate ruses such as impersonating maintenance or utility workers to gain access to restricted areas, then taking advantage of their now more privileged location to install a device to which they can later connect in relative safety (from a distance) to initiate their attack against the victim network.
Non-Exclusive Access – Organizations with shared areas or multiple-tenant scenarios are prime candidates for these types of ploys. I have even seen situations where the plant could be done from the other side of a hollow-core wall without the target even knowing they had been penetrated.
The Plant – Placing a wireless enabled device in the suspended ceiling in a company’s toilet facilities has long been a favorite here. Persons accompanied by infants will simply ask to use the toilet on behalf of the infant. Smelly nappies do not promote business in areas where the general public is served. Law enforcement has even reported that some of these tricksters are using hydrogen sulfide (rotten egg gas) to enhance their deception.
Traditional “Insider” Attacks – Even the more traditional “insider” attack, where an employee, business partner, associate or other individual with authentic access credentials decides, for one reason or another, to partake in subversive activities, is difficult for most organizations to foil. Quite simply, many organizations lack the internal preventive controls and other countermeasures needed to adequately defend against insider-instigated threats.
Beyond Public Access – Once beyond publicly accessible areas, networks are often wide open. Servers might even be sitting in physically unsecured areas, system patches might be out of date, and system administrators might not review security logs or have the time to review them properly.
Inside/Outside Collusion – The greatest threat, however, arises when an insider colludes with a knowledgeable, well-organized outside attacker. The outsider’s skills, combined with the insider’s access, nearly always result in substantial damage or loss to the victim or victim organization.
Attack Categories
In essence all attacks can be divided into three main categories:
Reconnaissance Attacks - Many attackers/hackers attempt to discover systems and gather information, surveying the landscape to see what is out there and, hopefully, to determine the vulnerability status of the systems discovered.
Attackers can save themselves considerable time if they make the effort to determine whether the systems they discover, or those they have decided beforehand to victimize, are vulnerable to a whole host of known and documented exploits and vulnerabilities. The types of security holes the attacker looks for will often depend upon the true purpose of the intended attack.
In most instances, reconnaissance attacks are used to gather information to set up an access or a denial of service (DoS) attack. In a typical reconnaissance attack a would-be hacker might ping a range of IP addresses to discover what is alive on a network. The hacker might then perform a port scan on those systems to see which applications are running, and to identify the operating system and its version on potential target machines.
In short, reconnaissance attacks are pretty much what you would guess from the standard military usage of the term reconnaissance: learning as much as possible about an intended target without the target being aware of, or alerted in any way to, your presence or actions.
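The defensive counterpart to the ping sweep and port scan just described, as an added example that is not part of the original article: a small Python detector run over constructed firewall log lines (the log format and field names are assumptions) that flags a source probing many hosts with ICMP, or many ports on a single host.

```python
import re
from collections import defaultdict

# Constructed sample firewall log (not from any real device); assumed format:
# "<time> <action> proto=<proto> src=<ip> dst=<ip> dport=<port>"
SAMPLE_LOG = """\
10:00:01 DROP proto=icmp src=10.0.5.7 dst=10.0.1.1 dport=0
10:00:01 DROP proto=icmp src=10.0.5.7 dst=10.0.1.2 dport=0
10:00:01 ACCEPT proto=icmp src=10.0.5.7 dst=10.0.1.3 dport=0
10:00:02 DROP proto=icmp src=10.0.5.7 dst=10.0.1.4 dport=0
10:00:02 ACCEPT proto=icmp src=10.0.5.7 dst=10.0.1.5 dport=0
10:00:05 DROP proto=tcp src=10.0.5.7 dst=10.0.1.3 dport=21
10:00:05 ACCEPT proto=tcp src=10.0.5.7 dst=10.0.1.3 dport=22
10:00:05 DROP proto=tcp src=10.0.5.7 dst=10.0.1.3 dport=23
10:00:06 ACCEPT proto=tcp src=10.0.5.7 dst=10.0.1.3 dport=80
10:00:06 ACCEPT proto=tcp src=10.0.5.7 dst=10.0.1.3 dport=443
10:00:07 ACCEPT proto=icmp src=10.0.5.9 dst=10.0.1.1 dport=0
10:00:08 ACCEPT proto=tcp src=10.0.5.9 dst=10.0.1.3 dport=443
"""

LINE_RE = re.compile(r"proto=(\w+) src=(\S+) dst=(\S+) dport=(\d+)")


def parse_lines(text):
    """Return (proto, src, dst, dport) tuples; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            proto, src, dst, dport = m.groups()
            events.append((proto, src, dst, int(dport)))
    return events


def find_ping_sweeps(events, min_hosts=5):
    """Sources that sent ICMP to at least min_hosts distinct destinations."""
    hosts = defaultdict(set)
    for proto, src, dst, _ in events:
        if proto == "icmp":
            hosts[src].add(dst)
    return {src: len(h) for src, h in hosts.items() if len(h) >= min_hosts}


def find_port_scans(events, min_ports=5):
    """(src, dst) pairs where src touched at least min_ports distinct ports on dst."""
    ports = defaultdict(set)
    for proto, src, dst, dport in events:
        if proto in ("tcp", "udp"):
            ports[(src, dst)].add(dport)
    return {pair: len(p) for pair, p in ports.items() if len(p) >= min_ports}
```

Both dropped and accepted packets count, since a scan is characterised by the breadth of what one source touches rather than by whether each probe succeeded; the thresholds are deliberately low for the sample and should be tuned to the network's normal traffic.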
Access Attacks - Simply put, an access attack is one in which an intruder attempts to gain unauthorized access to a system, either to retrieve information or to leave a nasty covert surprise such as malware that records and transmits user activity. Sometimes the attacker needs to gain access to a system by cracking passwords using so-called dictionary attacks or brute-force attacks, or by using an exploit. At other times the attacker already has access to the system (as an insider, or by using an insider’s credentials) but needs to escalate his or her privileges.
Denial of Service (DoS) Attacks - Attackers use DoS attacks to disable or corrupt access to networks, systems, or services. The intent is to deny authorized, valid users access to these resources. DoS attacks typically involve running a script or a tool, and the attacker does not necessarily require access to the target system, only a means to reach it. Buffer overrun exploits are an example of a DoS attack.
In a distributed DoS (DDoS) attack, the source consists of large numbers of compromised computers (called zombies) that are usually spread across a large geographic area. When the zombies are collectively under the control of a central controller they are referred to as a “botnet” and the central controller is known as the “bot-master”.
Not all botnets are used for DoS and DDoS attacks. It would be remiss of me not to mention the use of botnets for perpetrating pay-per-click fraud. The bot-master directs zombie machines in sections of his botnet to visit specific web pages and then execute a script imitating a user clicking an advertising link.
The mechanism by which a DDoS attack immobilizes its target is often buffer overrun-related in nature. Because of the severity and speed with which a DDoS attack can be launched and its victim disabled, there have been a number of instances of extortion tied to such attacks.
The Essence of Information Security Objectives
In essence, information security involves making sure that only authenticated authorized entities (people and systems) are granted access to secured information. Therefore it is the people, the information systems (hardware and software) and the data (information) contained within them that information security aims to protect from unauthorized or inappropriate modification or corruption.
The objectives of ensuring that information and information systems remain confidential, of trustworthy and reliable integrity, and available whenever required to duly authenticated, authorized personnel with the appropriate levels of user access rights and privileges are of paramount importance.
Tools of Information Security
There are many tools that can be employed in our endeavors to ensure adequate protection is afforded to our information systems. Some of the more prominent are: cryptography, authentication servers, appropriate backup and restoration strategies, complex passwords and passphrases, digital certificates, biometrics, access controls, firewalls, intrusion detection and prevention systems, auditing, accounting, logging, analysis of access control logs, audit and accounting log analysis, and diversionary tactics such as honey pots.
Multi-factor authentication systems, when incorporated transparently with a host of other initiatives, should always be designed with a security-in-depth ethos. The more layers of protection an attacker must penetrate, the greater the odds they will become frustrated and simply move on to easier targets.
Yet, even with all of this technology, we still find that user education and the development, implementation and maintenance of appropriate security policies and practices, including regular, enforced information systems updating and patching regimes, in conjunction with alert attention to physical security, are perhaps the most valuable of all of our front-line defenses.
The Defining Goals of Information Security
Without doubt, the defining goal of information and information systems security initiatives must be to promote confidence among the users of those information systems that the systems will remain free from undetected outside interference, corruption or attack whilst being immune to subversion from within.
Mon, Oct 13, 2008, by TechDoc