attempts to make confidential data (for example, personnel records, usernames, passwords, credit card numbers, or e-mails) viewable by an attacker
occurs when an attacker uses a packet-crafting tool to build packets in a form the protocol designers never intended (for example, invalid flag combinations or malformed fields), typically to confuse or crash the receiving stack
attempt to alter data
attempt to limit the accessibility and usability of a system. For example, if an attacker were able to consume the processor or memory resources on a target system, that system might be unavailable to legitimate users.
Denial of Service
sending the target system a flood of data or requests that consume the target system's resources
Distributed Denial of Service
an attacker compromises multiple systems; each compromised system is called a zombie (or bot), and the collection of them under the attacker's control is a botnet. The attacker can instruct all of those hosts to launch a DDoS attack against a target system simultaneously.
TCP SYN Flood
One variant of a DoS attack is for an attacker to initiate multiple TCP sessions by sending SYN segments but then never complete the three-way TCP handshake. Each half-open connection occupies an entry in the target's connection table until it times out, so enough of them exhaust the table and legitimate clients can no longer connect.
program attempts to write more information than the buffer can accommodate
A packet-capture (also known as packet sniffing) utility (such as Wireshark [http://wireshark.org]) can capture packets using a PC's network interface card (NIC) by placing the NIC in promiscuous mode. Some protocols, such as Telnet and HTTP, are sent in plain text. Therefore, these types of captured packets can be read by an attacker, perhaps allowing the attacker to see confidential information.
Ping sweep and port scan
A confidentiality attack might begin with a scan of network resources to identify attack targets on a network. A ping sweep could be used to ping a series of IP addresses. Ping replies might indicate to an attacker that network resources were reachable at those IP addresses. After a collection of IP addresses is identified, the attacker might scan a range of UDP or TCP ports to see what services are available on the hosts at the specified IP addresses. Also, port scans often help attackers identify the operating system running on a target system. These attacks are also commonly referred to as reconnaissance attacks.
Because many companies throw away confidential information, without proper shredding, some attackers rummage through company dumpsters in hopes of discovering information that could be used to compromise network resources.
Electromagnetic interference (EMI) interception
Because data is often transmitted over wire (for example, unshielded twisted pair), attackers can sometimes copy information traveling over the wire by intercepting the EMI emitted by the transmission medium. These EMI emissions are sometimes called emanations. TEMPEST was the name of a government project to study how much of the data on a network can be recovered by listening to those emanations. TEMPEST-rated rooms are designed to keep emanations contained within the room, to increase the security of the data communications happening there.
If an attacker gains physical access to a wiring closet, he might physically tap into telephone cabling to eavesdrop on telephone conversations, or he might insert a shared media hub inline with a network cable, allowing an attacker to connect to the hub and receive copies of packets flowing through the network cable.
If an attacker can get into the direct path between a client and a server, the attacker can eavesdrop on their conversation. Even if cryptography is being used, if the attacker fools the client and the server into each building a VPN to the attacker instead of to each other, the attacker decrypts and re-encrypts the traffic in the middle and sees all the data in clear text. On a local Ethernet network, methods such as Address Resolution Protocol (ARP) spoofing, ARP cache poisoning, Dynamic Host Configuration Protocol (DHCP) spoofing, and Domain Name System (DNS) spoofing are all mechanisms that may be used to redirect a client's traffic through the attacker instead of directly to the server.
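The ARP cache poisoning variant of the man-in-the-middle attack above leaves a signature on the wire: one MAC address starts answering for the gateway's IP (and usually the victim's), and an IP's MAC flips back and forth while the real host keeps answering too. The following detector, added here as an example and not part of the original page, runs that logic over a constructed list of ARP replies; the addresses, timestamps and the `TRUSTED_BINDINGS` table are invented for the demonstration.

```python
from collections import defaultdict

# Constructed ARP replies in the order a sniffer would deliver them:
# (seconds since capture start, sender IP, sender MAC). Not a real capture.
SAMPLE_ARP_REPLIES = [
    (0.0, "192.168.1.1",  "00:11:22:33:44:01"),  # real gateway
    (1.0, "192.168.1.10", "00:11:22:33:44:10"),  # victim workstation
    (2.0, "192.168.1.20", "00:11:22:33:44:20"),  # attacker's own host
    (3.0, "192.168.1.1",  "00:11:22:33:44:20"),  # attacker claims the gateway IP
    (3.1, "192.168.1.10", "00:11:22:33:44:20"),  # ...and the victim's IP
    (4.0, "192.168.1.1",  "00:11:22:33:44:01"),  # real gateway still answering
]

# Static bindings the operator knows to be correct (hypothetical values).
TRUSTED_BINDINGS = {"192.168.1.1": "00:11:22:33:44:01"}


def detect_arp_poisoning(replies, trusted=None):
    """Return alerts as (time, kind, detail) tuples.

    kinds:
      static-binding-violated  reply contradicts a known-good IP -> MAC pair
      mac-changed              an IP's MAC differs from the last one seen
      mac-claims-multiple-ips  one MAC now answers for more than one IP
    """
    trusted = trusted or {}
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    alerts = []
    for ts, ip, mac in replies:
        if ip in trusted and trusted[ip] != mac:
            alerts.append((ts, "static-binding-violated",
                           f"{ip} claimed by {mac}, expected {trusted[ip]}"))
        known = ip_to_mac.get(ip)
        if known is not None and known != mac:
            alerts.append((ts, "mac-changed", f"{ip}: {known} -> {mac}"))
        ip_to_mac[ip] = mac
        mac_to_ips[mac].add(ip)
        if len(mac_to_ips[mac]) > 1:
            alerts.append((ts, "mac-claims-multiple-ips",
                           f"{mac} -> {sorted(mac_to_ips[mac])}"))
    return alerts


def count_by_kind(alerts):
    counts = defaultdict(int)
    for _, kind, _ in alerts:
        counts[kind] += 1
    return dict(counts)


if __name__ == "__main__":
    for ts, kind, detail in detect_arp_poisoning(SAMPLE_ARP_REPLIES, TRUSTED_BINDINGS):
        print(f"t={ts:4.1f}  {kind:24s} {detail}")
```

Treat the two heuristic signals as triage, not proof: DHCP lease turnover, a replaced NIC, or a router's VRRP/HSRP virtual MAC produce the same patterns legitimately. The static-binding check is the reliable one, which is why the practical control is Dynamic ARP Inspection or static entries for the gateway rather than this script.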
Attackers sometimes use social techniques (which often leverage people's desire to be helpful) to obtain confidential information. For example, an attacker might pose as a member of an organization's IT department and ask a company employee for his login credentials for the "IT staff to test the connection."
Sending information over overt channels
An attacker might send or receive confidential information over a network using an overt channel. An example of using an overt channel is tunneling one protocol inside another (for example, sending instant-messaging traffic via HTTP). Steganography is another example of sending information over an overt channel. An example of steganography is sending a digital image made up of millions of pixels with "secret" information encoded in specific pixels, where only the sender and the receiver know which pixels represent the encoded information.
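The steganography example above, worked through in code (added here; not code from the original page): a message is written into the least significant bit of 8-bit grey pixels, and a shared key decides which pixels carry it, so only sender and receiver know where to look. The cover "image" is a constructed flat list of pixel values, the key derivation via SHA-256 and the 4-byte length prefix are this example's own choices.

```python
import hashlib
import random


def pixel_order(key: bytes, n_pixels: int):
    """Pseudorandom visiting order of pixel indices derived from the shared key.
    Sender and receiver compute the same order; without the key an observer does
    not know which pixels to read (though statistical tests can still spot LSB noise)."""
    seed = int.from_bytes(hashlib.sha256(key).digest()[:8], "big")
    order = list(range(n_pixels))
    random.Random(seed).shuffle(order)
    return order


def _bits(data: bytes):
    for byte in data:
        for i in range(7, -1, -1):
            yield (byte >> i) & 1


def embed(pixels, secret: bytes, key: bytes):
    """Return a copy of `pixels` with a 4-byte length prefix and `secret`
    written into the least significant bits of key-selected pixels."""
    payload = len(secret).to_bytes(4, "big") + secret
    if 8 * len(payload) > len(pixels):
        raise ValueError("cover image too small for this message")
    out = list(pixels)
    for idx, bit in zip(pixel_order(key, len(pixels)), _bits(payload)):
        out[idx] = (out[idx] & 0xFE) | bit
    return out


def _read_bytes(pixels, order, first_bit: int, count: int) -> bytes:
    result = bytearray()
    for b in range(count):
        byte = 0
        for k in range(8):
            byte = (byte << 1) | (pixels[order[first_bit + 8 * b + k]] & 1)
        result.append(byte)
    return bytes(result)


def extract(pixels, key: bytes) -> bytes:
    order = pixel_order(key, len(pixels))
    length = int.from_bytes(_read_bytes(pixels, order, 0, 4), "big")
    if 32 + 8 * length > len(pixels):
        raise ValueError("no message under this key (or wrong key)")
    return _read_bytes(pixels, order, 32, length)


def sample_cover(n_pixels: int = 4096):
    """Constructed greyscale 'image': a flat list of 8-bit values."""
    return [(i * 37 + (i >> 4) * 11) % 256 for i in range(n_pixels)]


def max_pixel_change(cover, stego) -> int:
    return max(abs(a - b) for a, b in zip(cover, stego))


if __name__ == "__main__":
    cover = sample_cover()
    stego = embed(cover, b"meet at dawn", b"shared-key")
    print(extract(stego, b"shared-key"), "max change per pixel:", max_pixel_change(cover, stego))
```

No pixel moves by more than one grey level, which is why the carrier looks unchanged. The countermeasure side is equally simple: any lossy re-encoding or re-sampling of the image on the way out destroys the LSB plane, which is one reason egress gateways normalize images.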
Sending information over covert channels
An attacker might send or receive confidential information over a network using a covert channel, which communicates information as a series of codes or events rather than as the message itself. For example, binary data could be represented by sending a series of pings to a destination. A single ping within a certain period of time could represent a binary 0, and two pings within that same time period could represent a binary 1.
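The ping-count channel above, encoded and decoded in Python as an added example (not from the original page). Nothing is transmitted: the encoder produces the list of send times a sender would feed to its ping loop, and the decoder takes arrival times as a capture would show them. The one-second window, the quarter-window offsets (chosen so that jitter below a quarter window cannot push a ping across a boundary) and the jitter model are this example's own assumptions.

```python
WINDOW = 1.0  # seconds per bit, agreed in advance by sender and receiver


def encode_ping_times(data: bytes, window: float = WINDOW, t0: float = 0.0):
    """Send times, one window per bit: a 0 is a single ping at 1/4 of the
    window, a 1 is pings at 1/4 and 3/4 of the window."""
    times = []
    bit_no = 0
    for byte in data:
        for i in range(7, -1, -1):
            start = t0 + bit_no * window
            times.append(start + window / 4)
            if (byte >> i) & 1:
                times.append(start + 3 * window / 4)
            bit_no += 1
    return times


def decode_ping_times(times, window: float = WINDOW) -> bytes:
    """Rebuild bytes from observed arrival times. The first ping fixes the
    window alignment; two or more pings in a window is a 1, one ping is a 0.
    Trailing bits that do not fill a byte are dropped."""
    if not times:
        return b""
    times = sorted(times)
    t0 = times[0] - window / 4
    counts = [0] * (int((times[-1] - t0) // window) + 1)
    for t in times:
        counts[int((t - t0) // window)] += 1
    bits = [1 if c >= 2 else 0 for c in counts]
    out = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):
        byte = 0
        for b in bits[i:i + 8]:
            byte = (byte << 1) | b
        out.append(byte)
    return bytes(out)


def add_jitter(times, amplitude: float = 0.05):
    """Constructed, deterministic network jitter for exercising the decoder."""
    return [t + amplitude * ((i % 3) - 1) for i, t in enumerate(times)]


def quantized_gap_fraction(times, window: float = WINDOW, tol: float = 0.15) -> float:
    """Detection heuristic: fraction of inter-arrival gaps that sit on a
    multiple of window/2. Real echo traffic rarely scores near 1.0."""
    times = sorted(times)
    gaps = [b - a for a, b in zip(times, times[1:])]
    if not gaps:
        return 0.0
    half = window / 2
    on_grid = sum(1 for g in gaps if abs(g / half - round(g / half)) * half <= tol)
    return on_grid / len(gaps)


if __name__ == "__main__":
    sent = encode_ping_times(b"Hi")
    print(sent)
    print(decode_ping_times(add_jitter(sent)), quantized_gap_fraction(add_jitter(sent)))
```

The channel is slow (one bit per window) but survives any filter that simply permits ICMP echo. On the defensive side, per-host echo rates and the regularity score above are what a NetFlow or IDS rule would key on; blocking or rate-limiting outbound ICMP removes the channel outright.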
After a single machine in a company is compromised and is running malicious software, the attacker can then use that single computer to proceed further into the internal network using the compromised host as a pivot point. The malware may have been implemented by an outside attacker or by an inside disgruntled employee. Antivirus and antimalware should be run on all systems, and users should be given very limited rights related to installation of any software on the computers they use.
FTP supports a variety of commands for setting up a session and managing file transfers. One of these commands is the PORT command, and it can, in some cases, be used by an attacker to reach a system that would otherwise refuse the attacker's connections. Specifically, an attacker connects to an FTP server on the standard control port, 21. However, FTP uses a secondary connection to send data. The client issues a PORT command to specify the destination IP address and destination port for the data transmission. Normally, the client would send its own IP address and an ephemeral port number, and the FTP server would then connect from source port 20 to the address and port the client specified. However, an attacker might issue a PORT command specifying the IP address of a device they want to access, along with an open port number on that device. As a result, the targeted device might allow an incoming connection from the FTP server's IP address, while a connection coming directly from the attacker's IP address would be rejected. This is known as an FTP bounce attack. Fortunately, most modern FTP servers do not accept a PORT command that specifies an IP address different from the client's own IP address.
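The server-side check that closes the bounce attack, written out as an added example (not code from the original page or from any particular FTP server): parse the `h1,h2,h3,h4,p1,p2` argument of PORT as RFC 959 defines it, then refuse any address that differs from the control connection's peer and any privileged port. The reply texts are modelled on what common servers say but are this example's own wording; the addresses in the usage are constructed.

```python
def parse_port_argument(arg: str):
    """Parse the h1,h2,h3,h4,p1,p2 argument of an FTP PORT command into (ip, port).
    The port is p1*256 + p2, as RFC 959 specifies."""
    fields = arg.strip().split(",")
    if len(fields) != 6:
        raise ValueError("expected six comma-separated numbers")
    try:
        nums = [int(f) for f in fields]
    except ValueError:
        raise ValueError("fields must be decimal integers") from None
    if any(n < 0 or n > 255 for n in nums):
        raise ValueError("each field must be 0-255")
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]


def validate_port_command(arg: str, client_ip: str, *,
                          allow_foreign_address: bool = False,
                          min_port: int = 1024):
    """Decide whether a PORT command received from `client_ip` should be honoured.
    Returns (accepted, reply_line). Both refusals matter: the address check stops
    the classic bounce, the port floor stops bouncing onto well-known services
    even when an operator has enabled foreign addresses for FXP transfers."""
    try:
        ip, port = parse_port_argument(arg)
    except ValueError as exc:
        return False, f"501 Syntax error in PORT argument: {exc}"
    if ip != client_ip and not allow_foreign_address:
        return False, "500 Illegal PORT command: address differs from control connection"
    if port < min_port:
        return False, f"500 Illegal PORT command: port below {min_port}"
    return True, f"200 PORT command successful (data to {ip}:{port})"


if __name__ == "__main__":
    client = "10.0.0.5"  # constructed peer address of the control connection
    # Legitimate active-mode request: the client's own address, ephemeral port.
    print(validate_port_command("10,0,0,5,200,10", client))
    # Bounce attempt: asks the server to open port 25 on an internal host.
    print(validate_port_command("192,168,1,20,0,25", client))
    print(validate_port_command("192,168,1,20,0,25", client, allow_foreign_address=True))
```

If your deployment legitimately needs server-to-server (FXP) transfers, keep the port floor and restrict the permitted foreign addresses to an allow-list rather than switching the address check off globally.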
A salami attack is a collection of small attacks that result in a larger attack when combined. For example, if an attacker has a collection of stolen credit card numbers, the attacker could withdraw small amounts of money from each credit card (possibly unnoticed by the credit card holders). Although each withdrawal is small, the combination of the multiple withdrawals results in a significant sum for the attacker.
The process of data diddling changes data before it is stored in a computing system. Malicious code in an input application or a virus could perform data diddling. For example, a virus, Trojan horse, or worm could be written to intercept keyboard input, and while displaying the appropriate characters onscreen (so that the user does not see an issue), manipulated characters could be entered into a database application or sent over a network.
Trust relationship exploitation
Different devices in a network might have a trust relationship between themselves. For example, a certain host might be trusted to communicate through a firewall using specific ports, while other hosts are denied passage through the firewall using those same ports. If an attacker were able to compromise the host that had a trust relationship with the firewall, the attacker could use the compromised host to pass normally denied data through a firewall. Another example of a trust relationship is a web server and a database server mutually trusting one another. In that case, if an attacker gained control of the web server, he might be able to leverage that trust relationship to compromise the database server.
A password attack, as its name suggests, attempts to determine the password of a user. Once the attacker gains the username and password credentials, he can attempt to log in to a system as that user and inherit that user's set of permissions. Various approaches are available to determine passwords, including the following:
A Trojan horse is a program that appears to be a useful application but might capture a user's password and then make it available to the attacker.
A packet-capture utility can capture packets seen on a PC's NIC. Therefore, if the PC can see a copy of a plain-text password being sent over a link, the packet-capture utility can be used to glean the password.
A program that runs in a computer's background and logs keystrokes that a user makes. After a user enters a password, the password is stored in the log created by the keylogger. An attacker can then retrieve the log of keystrokes to determine the user's password.
This attack tries all possible password combinations until a match is made. For example, the brute-force attack might start with the letter a and go through the letter z. Then the letters aa through zz are attempted, and so on, until the password is determined. The cost grows with the size of the character set and the length of the password, so a longer password drawn from a mix of upper- and lowercase letters, numbers, and special characters enlarges the search space and helps mitigate a brute-force attack.
Similar to a brute-force attack, in that multiple password guesses are attempted. However, the dictionary attack is based on a dictionary of commonly used words, rather than the brute-force method of trying all possible combinations. Picking a password that is not a common word helps mitigate a dictionary attack.
A software robot is typically thought of as an application on a machine that can be controlled remotely (for example, a Trojan horse or a backdoor in a system). If a collection of computers is infected with such software robots, called bots, this collection of computers (each of which is known as a zombie) is called a botnet. Because of the potentially large size of a botnet, it might compromise the integrity of a large amount of data.
Hijacking a session
An attacker could hijack a TCP session, for example, by predicting the sequence numbers in use and injecting the segment that completes the third step of the three-way TCP handshake between an authorized client and a protected server, so that the server believes it is talking to the client. If an attacker successfully hijacked a session of an authorized device, he might be able to maliciously manipulate data on the protected server.
Banner grabbing is a process in which an attacker connects to a device using a protocol such as SMTP, Telnet, or HTTP and either reads the greeting the service sends or provokes an error message that displays the service banner (typically the software name and version). With that information, the attacker can look up known weaknesses in that software version.
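Banner grabbing as an added example (not code from the original page): a small client that connects, waits briefly for a greeting (SMTP speaks first), and if the service is silent sends a probe and reads the reply (HTTP only answers a request). To keep it self-contained it also starts two fake services on 127.0.0.1 whose responses are constructed for this example; the `Server:` value and hostname are invented and describe no real host.

```python
import socket
import threading

# Constructed responses, not captured from real servers.
FAKE_SMTP_BANNER = b"220 mail.example.test ESMTP ready\r\n"
FAKE_HTTP_REPLY = (b"HTTP/1.0 200 OK\r\nServer: Apache/2.4.41 (Ubuntu)\r\n"
                   b"Content-Length: 0\r\n\r\n")


def start_fake_server(response: bytes, speaks_first: bool = True):
    """Listen on 127.0.0.1:<ephemeral>. A 'speaks first' service sends its banner on
    connect; otherwise it waits for a request before answering. Returns (sock, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:  # listener closed
                return
            with conn:
                conn.settimeout(3.0)
                try:
                    if not speaks_first:
                        conn.recv(1024)
                    conn.sendall(response)
                except OSError:
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def grab_banner(host: str, port: int, probe: bytes = None, timeout: float = 1.0) -> str:
    """Connect and wait for a greeting; if nothing arrives and a probe is given,
    send it and read the reply. Returns the decoded text, stripped."""
    data = b""
    with socket.create_connection((host, port), timeout=timeout) as s:
        try:
            data = s.recv(4096)
        except socket.timeout:
            pass
        if not data and probe:
            s.sendall(probe)
            try:
                data = s.recv(4096)
            except socket.timeout:
                pass
    return data.decode("ascii", errors="replace").strip()


def server_header(http_text: str):
    """Pull the Server: header value out of an HTTP response, or None."""
    for line in http_text.splitlines():
        if line.lower().startswith("server:"):
            return line.split(":", 1)[1].strip()
    return None


def demo_smtp_grab() -> str:
    srv, port = start_fake_server(FAKE_SMTP_BANNER)
    try:
        return grab_banner("127.0.0.1", port)
    finally:
        srv.close()


def demo_http_grab():
    srv, port = start_fake_server(FAKE_HTTP_REPLY, speaks_first=False)
    try:
        return server_header(grab_banner("127.0.0.1", port, probe=b"HEAD / HTTP/1.0\r\n\r\n"))
    finally:
        srv.close()


if __name__ == "__main__":
    print("SMTP:", demo_smtp_grab())
    print("HTTP Server header:", demo_http_grab())
```

The defensive counterpart is to make the banner say as little as possible: most daemons let you replace the greeting or drop version strings (Apache's `ServerTokens Prod` is the usual example), which removes the free version lookup without hiding the service itself.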
addresses security concepts deemed important to an organization
provide a more detailed treatment of an organization's security policy, as opposed to the governing policy
a prescribed set of statements for defining network functions. For a particular organization, it describes the acceptable use policies in detail about network equipment and the proper methods for upgrading, maintaining, and troubleshooting the network.
address security issues and procedures relevant to end users
support consistency within a network
tend to be suggestions. For example, a series of best practices
detailed documents that provide step-by-step instructions for completing specific tasks
How an organization reacts to a security violation