
Showing posts from 2013

3.2.6 Spoofing

Wolf in sheep's clothing

A spoofing attack is an attempt to masquerade as someone else. There are a variety of spoofing attacks, including:
• Spoofing email messages to trick the recipient into accepting an email from an attacker
• Creating fake logon programs that attempt to capture user IDs and passwords
• Spoofing IP addresses to make traffic appear to come from a trusted source
• DNS spoofing, an attempt to populate a name server database with false information; this can result in a user being sent to a website other than the one intended

Spoofing is making data appear to come from someone or somewhere other than where it originated by maliciously modifying TCP/IP source information. The goal of spoofing attacks is to gain illegitimate access to a resource. A number of the TCP/IP protocols (DNS, IP, ARP, ICMP, SMTP, NTP, etc.) are vulnerable to spoofing attacks, as they were not designed with authentication as a core feature. As such,

3.2.4 Replay

In a replay attack, an attacker captures network traffic and then replays (or retransmits) the captured traffic at a later time in order to gain unauthorized access to a system. This type of attack may succeed in spite of encryption: even though the messages may be encrypted and the attacker may not know the actual keys and passwords, the retransmission of valid logon messages may be sufficient to gain access to the network. This is the reason most certificates contain unique session identifiers and time stamps.

Packet sequencing, time stamps, digital signatures and session tokens (or hashes) are countermeasures used against replay attacks:
• Packet sequencing ensures that any packet received out of the proper order is dropped.
• Time stamps ensure that any packet received outside a specified time window is dropped.
• A session token is a one-time token or hash used to computationally transform a message such that it cannot be duplicated wi

3.2.3 DoS

A denial-of-service (DoS) attack is one in which an attacker attempts to prevent legitimate users from accessing information or services. By targeting the computer and its network connection, an attacker may be able to prevent normal access to email, web sites, online accounts (banking, etc.), or other services that run on the affected systems.

In a denial-of-service attack, a resource such as a web server is flooded with false requests, overwhelming the system and preventing legitimate requests from being serviced. Ultimately the system will crash.

The most common and obvious type of DoS attack occurs when an attacker "floods" a network with information. When you enter a URL for a particular web site into your browser, for example, you are sending a request to that site's server to view the page. The server can only process a certain number of requests at once, so if an attacker overloads the server with requests, it cannot proc

3.2.2 DDoS

In a distributed denial-of-service (DDoS) attack, an attacker may use your computer to attack another computer. The attack is "distributed" in that the attacker can marshal multiple computers to launch the denial-of-service attack. A distributed denial-of-service attack (DDoS) is a type of DoS attack where multiple systems combine their efforts to target and attack one or more victim systems. The attacking systems are typically victims themselves – having been previously infected with malware that enables a malicious user to control and conscribe them into an attack.

The advantage to an attacker of using a distributed denial-of-service attack over a non-distributed one is that multiple systems can generate a greater load on the victim system(s) than in a DoS attack. Additionally, it is more difficult to block attacks from multiple attacking systems than from one system.

Four common categories of attacks have been defined: TCP Connec

3.1.9 Botnets

What is a botnet? The word botnet is a portmanteau of robot and network. A “bot” is a type of malicious software (malware) residing on a computer that allows an attacker to take control of and direct the actions of the infected computer. These bot-infected computers are also referred to as victim computers or “zombies”. A “botnet” is an assembly of multiple bot-infected computers that can be conscribed to undertake a specific mission.

Botnets can consist of anywhere from a few hundred to millions of infected computers. In 2010, the creator of the Mariposa botnet, which reportedly consisted of over 12 million computers, was arrested.

The purpose of a botnet is to undertake activities that take advantage of the ability to marshal large-scale computing resources and apply them to a particular task. Botnets have typically been used to send out spam email messages, spread viruses, steal sensitive information including license keys and financial data on individ

3.1.8 Logic Bomb

A logic bomb is a form of malicious code that is unauthorized and unknown to the legitimate user. It remains dormant until a triggering event occurs; when triggered it performs some undesirable act. The triggering event may be a positive trigger or a negative trigger. Examples of a positive trigger are the lapse of a period of time, the modification of a file or system configuration, or an application-specific event such as the removal of an entry in the company’s salary database. A negative trigger can be a failure to respond to a prompt.

Logic bombs are considered viruses. Sometimes logic bombs are referred to as slag code or time bombs. A logic bomb will carry out any number of malicious activities, including deleting data, reformatting drives, modifying system configurations, weakening system security, etc.

Deploying a logic bomb can be considered more an act of precision bombing than indiscriminate bombing. The target of a logic bomb attack

3.2.1 Man-in-the-middle

A man-in-the-middle or MITM attack takes place when an attacker intercepts traffic and then tricks the parties on both ends into believing they are communicating directly with each other. In the man-in-the-middle attack, the attacker interjects itself into the conversation between two parties and, acting like a proxy, receives and transmits information from party A to party B and vice versa.

This is a fairly sophisticated attack and in general it involves placing malicious software or malware between the source and the destination. The software intercepts data from the source and then passes it on to the destination. Once intercepted, the data can be monitored, logged and/or modified.

A successful man-in-the-middle attack depends on the ability to:
• compromise the routing and name server system in the network in order to position the malware between two communicating parties
• coerce the two parties to see the attacker

3.1.7 Backdoors

"With Sardaukar, you must scan them, scope them - both reflex and hard ray - cut off every scrap of body hair. And when you're through, be certain you haven't discovered everything." – Dune, Frank Herbert

What is a Backdoor Program?

A backdoor is an undocumented means of access to a computer system that bypasses normal authentication and security mechanisms. A backdoor might be installed deliberately by the software developer or system administrator, or it might be installed surreptitiously by an attacker as part of an exploit. “A backdoor violation occurs when software creates a security vulnerability that allows malware or hackers to gain unauthorized access to a system.”

Deliberately enabled backdoors include:
• Application vendors that enable access that bypasses normal security mechanisms to make it easy to support or troubleshoot their applications.
• System administrators that install unpublished root or administrative accounts

3.1.5 Trojans

“Whatever it is, I’m afraid of Greeks even those bearing gifts.” †

From classic literature such as Virgil's Aeneid, Book II, and Homer's Odyssey, we get the tale of Greek soldiers hiding in a large wooden horse (the Trojan Horse) in order to gain access to the city of Troy. Once they had access, they surreptitiously opened the gates of the city and let in an invading Greek force.

A Trojan or Trojan horse in computing is a type of malicious software that is disguised as something useful, legitimate or interesting. Since Trojans cannot replicate on their own, they are designed to trick the user into installing and running them on their computer.

“A Trojan horse is a malicious software program that hides inside other programs. It enters a computer hidden inside a legitimate program, such as a screen saver. It then puts code into the operating system, which enables a hacker to access the infected computer. Trojan horses do not usually spread by themselves; the

3.1.3 Worms

A computer worm is a type of malicious software (malware) that is self-contained, self-replicating and self-propagating. Unlike a virus, which is a piece of software code that attaches itself to another program, a worm is a standalone software program. The primary purpose of a worm is to make copies of itself and to look for other host computers to infect. When a worm is introduced onto a host computer, it sets about doing just that – replicating or making copies of itself and seeking out communication channels it can use to target other hosts. Worms target vulnerabilities in applications, operating systems and network protocols.

In addition to its primary purpose of propagation, a worm can carry a “payload”, which in this case is software code written to carry out specific malicious activities such as altering or deleting data, or establishing backdoors or other remote control tools. Even without the “payload”, worms are considered malware because they consume sys

3.1.2 Virus

Based on a Google definition, a biological virus is “an infective agent that typically consists of a nucleic acid molecule in a protein coat, is too small to be seen by light microscopy, and is able to multiply only within the living cells of a host.” A biological virus introduced into a living cell can reproduce, corrupt and/or destroy cells in the host.

A computer virus, as the name suggests, “infects” computers. It is software code written to perform surreptitious and often malicious activity on the system. It is embedded (hidden) in a “host” program. When the host program is introduced into a computer system and run, the virus is activated and can cause harm by interfering with the normal operation of the system.

Merriam-Webster defines a computer virus nicely as “a computer program that is usually hidden within another seemingly innocuous program and that produces copies of itself and inserts them into other programs and usually performs a malicious action

1.3.9 Cloud Computing

The only thing new about Cloud Computing is the term. The concept has been around since the days of the mainframe computer, where the data processing happens somewhere separate from the data consumption.

What is cloud computing? In one of the more bare-bones definitions, it is the ability to process information on someone else’s device. For a more comprehensive definition, we go to the NIST definition. The National Institute of Standards and Technology (NIST) published its final definition of Cloud Computing in September 2011:

“Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.”

The NIST cloud computing definition and guideline was crafted, with public input, for use by U.S. Federal agencies.

1.4.7 TCP/IP

TCP/IP stands for Transmission Control Protocol / Internet Protocol. It is a communication protocol for computers on the Internet (it also operates on intranets and extranets). TCP/IP is a suite of protocols of which the Transmission Control Protocol and the Internet Protocol are two of the most prominent. Others include:
• UDP (User Datagram Protocol) – lightweight, “unreliable” communication between applications
• ICMP (Internet Control Message Protocol) – for statistics and tracking errors
• DHCP (Dynamic Host Configuration Protocol) – for dynamic configuration of devices

The Internet data communications model is also known as the TCP/IP model. Like other data communication models, TCP/IP makes it possible for two nodes to exchange information.

TCP

The Transmission Control Protocol works essentially like a two-way virtual pipe. It allows you to both read from and write to the pipe. TCP uses the underlying network infrastructure to connect two end-points (or socke

1.4.4 SSL

Secure Sockets Layer (SSL) (and its successor, Transport Layer Security) is a cryptographic protocol designed to secure communications over the Internet. They use X.509 digital certificates, asymmetric cryptography and the exchange of a symmetric key to secure the message transmission.

The TLS/SSL protocol is divided into two layers, operating at both the Session and Presentation layers of the OSI 7 Layer Model. At the session layer, TLS/SSL uses a handshake protocol to establish a session, including cipher settings and a shared key. At the presentation layer, asymmetric and symmetric cryptography is used to create a secure communication session for the rest of the transmission.

“The SSL handshake protocol allows the server and client to authenticate each other and to negotiate an encryption algorithm and cryptographic keys before the application protocol transmits or receives its first byte of data.”

OSI Model Equivalence SSL Architecture Applicati

2.4.7 Threat Awareness

A lawsuit, brought by Sidekick customer Maureen Thompson, alleges T-Mobile, Microsoft and Microsoft subsidiary Danger failed to follow even the most basic data protection principles and as a result the safety, security and availability of the data belonging to users was compromised.

Global Payments, a third-party payments processor for Visa and MasterCard credit and debit cards, reiterated that while customer data may be at risk, the data breach has been "contained to the best of our ability." Overall, 1.5 million accounts may have been affected.

Malware (unauthorized and malicious software) that was secretly installed on servers in Hannaford Bros. Co.'s supermarkets across the Northeast and in Florida allowed credit and debit card numbers to be stolen as shoppers swiped their cards at checkout line machines. This massive data breach compromised up to 4.2 million credit and debit cards.

The Indiana Famil

1.6.9 TKIP

Temporal Key Integrity Protocol (TKIP) is a security protocol defined by the IEEE 802.11 wireless networking specification. TKIP was designed to replace WEP without requiring the replacement of legacy hardware. Customers could take advantage of it by updating firmware instead of having to replace hardware. 1

TKIP is a "wrapper" that goes around the existing WEP encryption. TKIP comprises the same encryption engine and RC4 algorithm defined for WEP. However, the key used for encryption in TKIP is 128 bits long. This solves the first problem of WEP: a too-short key length. 2

It is the encryption method used in Wi-Fi Protected Access (WPA).

References: CompTIA SY0-301

1.6.6 LEAP

LEAP (Lightweight Extensible Authentication Protocol) is a proprietary EAP protocol, also known as Lightweight EAP. It was created by Cisco Systems for its line of Wireless LAN Access Points as a way to address the security weaknesses in WEP. The security of LEAP relies on the strength of the organization’s password policy. With LEAP, the organization should use complex passwords that make it computationally infeasible to attempt an offline dictionary or brute force attack. 1

References: CompTIA SY0-301

1.6.3 WEP

Wired Equivalent Privacy (WEP) is the original security standard used in wireless networks to encrypt the wireless network traffic 1. It adds security to 802.11 Wi-Fi networks at the data link layer (OSI model Layer 2) using a combination of hexadecimal digits. Hexadecimal digits include ten numbers (0 – 9) and six letters (A – F). WEP uses a combination of these hexadecimal digits to create WEP keys. For example: 8734CDEA08432FACDE65748ACC

There are three key sizes in use with WEP: 10, 26 and 58 digit key lengths.
• A 10 digit hexadecimal key size results in a 40 or 64-bit WEP key. Note: each hexadecimal character represents four bits, resulting in a 40-bit key. 40-bit keys can be concatenated with a 24-bit initialization vector (IV) to generate a 64-bit WEP key.
• A 26 digit hexadecimal key size results in a 104 or 128-bit WEP key. Note: as each hexadecimal character represents four bits, this yields a 104-bit key. If this is concatenated with a 24-bit initiali

1.6.2 WPA2

Wi-Fi Protected Access II (WPA2) is a security protocol developed to protect wireless network communications. WPA2 is also known as the IEEE 802.11i standard. It was certified by the Wi-Fi Alliance in 2004:

Table 1: Wi-Fi Security Timeline 1

Date             Milestone
September 1997   IEEE 802.11 standard ratified, including WEP
April 2000       Wi-Fi CERTIFIED program launched, with support for WEP
May 2001         IEEE 802.11i task group created
April 2003       WPA introduced with:
                 • IEEE 802.1X authentication
                 • Temporal Key Integrity Protocol (TKIP) encryption
                 • Support for EAP-Transport Layer Security (EAP-TLS)
September 2003   WPA mandatory for all Wi-Fi CERTIFIED equipment
June 2004        IEEE 802.11i amendment ratified
September 2004   WPA2 introduced with:
                 • IEEE 802.1X authentication
                 • AES encryption
                 • Support for EAP-TLS

A

2.1.6 Risk-avoidance, transference, acceptance, mitigation, deterrence

Risk Avoidance

Risk avoidance involves identifying a risk and making the decision to no longer engage in the actions associated with that risk. Risk avoidance should be based on an informed decision that the best course of action is to deviate from what would or could lead to exposure to the risk. One of the problems with risk avoidance is that it may require you to also avoid activities that may be otherwise beneficial. Risk avoidance is the most effective countermeasure to risk; however, it is often not possible due to organizational requirements and business drivers.

Risk Transference

With risk transference, you share some of the burden of the risk with another entity, such as an insurance company. You do not completely offload the risk; you mitigate it through partnerships. An example policy might pay out if you could prove that all necessary measures to reduce the risk were taken and you still