1.1 Key Terms
Asset
= Property (tangible or intangible) that has value to a company, something
worth protecting.
Vulnerability
= A flaw or weakness in a system’s design or implementation that could be
exploited.
Threat
= The potential for a vulnerability to be exploited.
Risk
= A measure of the likelihood of a successful attack, obtained by weighing the
level of threat against a particular vulnerability.
1.2 Things to Remember
1.2.1 Security Terms
Vocabulary Term
> Explanation
Asset
> An asset is an item that is to be protected and can include property,
people, and information/data that have value to the company. This includes
intangible items such as proprietary information or trade secrets and the
reputation of the company. The data could include company records, client
information, proprietary software, and so on.
Vulnerability
> A vulnerability is an exploitable weakness of some type. That exploitation
might result from a malicious attack, or it might be accidentally triggered
because of a failure or weakness in the policy, implementation, or software
running on the network.
Threat
> This is what you are protecting against. A threat is anything that
attempts to gain unauthorized access to, compromise, destroy, or damage an
asset. Threats are often realized via an attack or exploit that takes advantage
of an existing vulnerability. Threats today come in many varieties and spread more
rapidly than ever before. Threats can also morph and be modified over time, so
you must stay vigilant to keep up with them.
Risk
> Risk is the potential for unauthorized access to, compromise, destruction,
or damage to an asset. If a threat exists, but proper countermeasures and
protections are in place (it is your goal to provide this protection), the
potential for the threat to be successful is reduced (thus reducing the overall
risk).
Countermeasure
> A countermeasure is a device or process (a safeguard) that is implemented
to counteract a potential threat, which thus reduces risk.
1.2.2 Additional Attack Methods
Method
> Description
Covert channel
> This method uses programs or communications in unintended
ways. For example, if the security policy says that web traffic is allowed but
peer-to-peer messaging is not, users can attempt to tunnel their peer-to-peer
traffic inside of HTTP traffic. An attacker may use a similar technique to hide
traffic by tunneling it inside of some other allowed
protocol to avoid detection. An example of this is a
backdoor application collecting keystroke information from the workstation and
then slowly sending it out disguised as Internet Control Message Protocol
(ICMP). This is a covert channel. An overt channel is the legitimate use of a
protocol, such as a user with a web browser using HTTP to access a web server.
Trust exploitation
> If the firewall has three interfaces, and the outside
interface allows all traffic to the demilitarized zone (DMZ), but not to the
inside network, and the DMZ allows access to the inside network from the DMZ,
an attacker could leverage that by gaining access to the DMZ and using that
location to launch his attacks from there to the inside network. Other trust
models, if incorrectly configured, may allow unintentional access to an
attacker, including Active Directory and NFS (the Network File System used on
UNIX systems).
Password attacks
> These could be brute force, where the attacker’s system
attempts thousands of possible passwords looking for the right match. This is best
protected against by specifying limits on how many unsuccessful authentication
attempts may occur within a specified time frame. Password attacks can also be
done through malware, man-in-the-middle attacks using packet sniffers, or by
using key loggers.
Botnet
> A botnet is a collection of infected computers that are ready to take
instructions from the attacker. For example, if the attacker has the malicious
backdoor software installed on 10,000 computers, from his central location he
could instruct those computers to all send TCP SYN requests or ICMP echo
requests repeatedly to the same destination. To add insult to injury, he could
also spoof the source IP address of the request so that reply traffic is sent
to yet another victim. A covert channel is generally used by the attacker to
manage the individual devices that make up the botnet.
DoS and DDoS
> Denial-of-service attack and distributed denial-of-service
attack. An example is using a botnet to attack a target system. If an attack is
launched from a single device with the intent to cause damage to an asset, the
attack could be considered a DoS attempt, as opposed to a DDoS. Both types of
attack aim at the same result; whether it is called a DoS or a DDoS depends
only on how many source machines take part in the attack.
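The covert channel entry above describes a backdoor leaking keystrokes inside ICMP echo requests. The following is an added detection example, written for this page and not taken from the original notes, showing the checks a defender can run over parsed ICMP records: compare each payload against the stock ping payloads, flag oversized or high-entropy data, and report source/destination pairs that repeat such pings. The packet records, the IP addresses and the two "stock ping" patterns are constructed assumptions (the Linux filler pattern is assumed from common iputils behaviour).

```python
import math
from collections import defaultdict

# Default payload of the Windows ping tool (constructed from its well-known
# behaviour; other ping implementations differ and need their own entry).
WINDOWS_PING_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"  # 32 bytes

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0 for a repeated byte, 8 for uniform random data."""
    if not data:
        return 0.0
    counts = defaultdict(int)
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def looks_like_normal_ping(payload: bytes) -> bool:
    """True when the payload matches a stock ping tool rather than tunnelled data."""
    if payload == WINDOWS_PING_PAYLOAD:
        return True
    # Linux (iputils) ping: 56-byte payload, a timestamp in the first 8 or 16
    # bytes, then filler where each byte equals its offset from the ICMP header
    # (assumed from the common iputils behaviour).
    return len(payload) == 56 and all(payload[k] == k + 8 for k in range(16, 56))

def classify_icmp_payload(payload: bytes, max_len: int = 64, entropy_limit: float = 6.0) -> list:
    """Return the reasons an echo-request payload looks like a covert channel.
    An empty list means the payload is unremarkable."""
    if looks_like_normal_ping(payload):
        return []
    reasons = []
    if len(payload) > max_len:
        reasons.append(f"oversized payload ({len(payload)} bytes)")
    ent = shannon_entropy(payload)
    if ent > entropy_limit:
        reasons.append(f"high-entropy payload ({ent:.2f} bits/byte)")
    if not reasons:
        # Small, low-entropy but non-standard: weak on its own, so it only
        # matters when the same pair keeps repeating it (see find_covert_icmp).
        reasons.append("payload does not match a known ping tool")
    return reasons

def find_covert_icmp(packets: list, min_hits: int = 3) -> dict:
    """Group suspicious echo requests by (src, dst) and report the pairs that
    repeat them at least min_hits times: a backdoor leaking data 'slowly'
    shows up as many small, odd pings to the same destination."""
    hits = defaultdict(lambda: {"count": 0, "bytes": 0, "reasons": set()})
    for p in packets:
        if p["type"] != "echo-request":
            continue
        reasons = classify_icmp_payload(p["payload"])
        if not reasons:
            continue
        entry = hits[(p["src"], p["dst"])]
        entry["count"] += 1
        entry["bytes"] += len(p["payload"])
        entry["reasons"].update(reasons)
    return {pair: v for pair, v in hits.items() if v["count"] >= min_hits}

def sample_packets() -> list:
    """Constructed ICMP records (not a real capture) in the shape a parser would emit."""
    linux_ping = bytes(16) + bytes(range(0x18, 0x40))
    # Stand-in for encrypted keystroke data: 200 distinct byte values, so its
    # entropy is log2(200), about 7.6 bits/byte.
    tunnel_chunk = bytes((i * 73 + 41) % 256 for i in range(200))
    pkts = []
    for _ in range(5):
        pkts.append({"src": "10.0.0.5", "dst": "198.51.100.1", "type": "echo-request", "payload": linux_ping})
    for _ in range(2):
        pkts.append({"src": "10.0.0.6", "dst": "198.51.100.1", "type": "echo-request", "payload": WINDOWS_PING_PAYLOAD})
    for _ in range(4):
        pkts.append({"src": "10.0.0.7", "dst": "203.0.113.9", "type": "echo-request", "payload": tunnel_chunk})
    # One odd but small ping: noted, yet below min_hits so it is not reported.
    pkts.append({"src": "10.0.0.8", "dst": "198.51.100.1", "type": "echo-request", "payload": b"keys:hello"})
    return pkts

if __name__ == "__main__":
    for (src, dst), info in find_covert_icmp(sample_packets()).items():
        print(f"{src} -> {dst}: {info['count']} suspicious pings, {info['bytes']} bytes, {sorted(info['reasons'])}")
```

The entropy test only works once the payload is long enough; a 56-byte filler of distinct bytes already scores close to 5.8 bits, which is why the stock patterns are matched explicitly first and why repetition per pair, not a single packet, drives the report. On a real network the min_hits and entropy limits need tuning against the ping tools actually in use.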
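The trust exploitation entry above describes a three-interface firewall where outside may reach the DMZ and the DMZ may reach the inside network, so the inside is reachable in two hops even though no rule allows it directly. The following is an added audit example, written for this page rather than taken from it, that models zone-to-zone permit rules as a graph and searches for exactly such transitive paths; the zone names and rule lists are constructed to mirror the text, and a real policy would carry per-port rules rather than whole-zone permits.

```python
from collections import deque

# Constructed zone policy mirroring the text: outside may reach the DMZ but not
# the inside network, while the DMZ may reach the inside network.
WEAK_RULES = [
    ("outside", "dmz"),
    ("dmz", "inside"),
    ("inside", "dmz"),
    ("inside", "outside"),
]

# The same policy with the DMZ-to-inside rule removed.
FIXED_RULES = [r for r in WEAK_RULES if r != ("dmz", "inside")]

def build_graph(rules):
    """Zone -> set of zones it is permitted to initiate traffic to."""
    graph = {}
    for src, dst in rules:
        graph.setdefault(src, set()).add(dst)
        graph.setdefault(dst, set())
    return graph

def find_indirect_paths(rules, source, target):
    """Every loop-free zone chain from source to target that the rules permit
    hop by hop, excluding a direct source->target rule (breadth-first, so the
    shortest pivots are listed first)."""
    graph = build_graph(rules)
    paths = []
    queue = deque([[source]])
    while queue:
        path = queue.popleft()
        for nxt in sorted(graph.get(path[-1], ())):
            if nxt in path:            # never revisit a zone
                continue
            extended = path + [nxt]
            if nxt == target:
                if len(extended) > 2:  # direct rules are reported separately
                    paths.append(extended)
            else:
                queue.append(extended)
    return paths

def audit_trust(rules, source="outside", target="inside"):
    """Report whether the target zone is exposed to the source zone, either by
    a direct rule or through a chain of trusted intermediate zones."""
    direct = (source, target) in set(rules)
    indirect = find_indirect_paths(rules, source, target)
    return {"direct": direct, "indirect_paths": indirect, "exposed": direct or bool(indirect)}

if __name__ == "__main__":
    for name, rules in (("weak", WEAK_RULES), ("fixed", FIXED_RULES)):
        result = audit_trust(rules)
        print(name, "exposed" if result["exposed"] else "not exposed", result["indirect_paths"])
```

Because the model treats any permitted flow as a usable pivot, it errs on the side of reporting: a DMZ host that may only open one database port to the inside still appears as a path, which is the right default for a review, since that one port is exactly what a compromised DMZ host would use.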
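The password attacks entry above names the countermeasure against brute force: a limit on how many unsuccessful authentication attempts may occur within a specified time frame. The following is an added example of that control, written for this page and not part of the original notes: a sliding-window failure counter per account with a timed lockout, plus a login check that tests the lockout before the password. The account names, timings and thresholds are constructed.

```python
from collections import defaultdict, deque

class LoginThrottle:
    """Counts failed authentications per account inside a sliding window and
    locks the account for a fixed period once the limit is reached."""

    def __init__(self, max_failures=5, window_seconds=300, lockout_seconds=900):
        self.max_failures = max_failures
        self.window = window_seconds
        self.lockout = lockout_seconds
        self.failures = defaultdict(deque)  # account -> timestamps of recent failures
        self.locked_until = {}              # account -> time the lockout expires

    def _prune(self, account, now):
        """Drop failures that have aged out of the window."""
        recent = self.failures[account]
        while recent and recent[0] <= now - self.window:
            recent.popleft()

    def is_locked(self, account, now):
        until = self.locked_until.get(account)
        return until is not None and now < until

    def record_failure(self, account, now):
        """Returns True when this failure triggers a lockout."""
        self._prune(account, now)
        self.failures[account].append(now)
        if len(self.failures[account]) >= self.max_failures:
            self.locked_until[account] = now + self.lockout
            self.failures[account].clear()
            return True
        return False

    def record_success(self, account):
        self.failures.pop(account, None)
        self.locked_until.pop(account, None)

def check_login(throttle, account, password_ok, now):
    """Authentication decision: 'locked', 'ok' or 'denied'. The lockout is
    checked before the password so that a guess made during the lockout is
    never confirmed; callers should show the same message for 'locked' and
    'denied' so the response does not reveal which accounts are under attack."""
    if throttle.is_locked(account, now):
        return "locked"
    if password_ok:
        throttle.record_success(account)
        return "ok"
    throttle.record_failure(account, now)
    return "denied"

def run_scenario():
    """Constructed timeline (seconds): five wrong passwords in quick succession,
    then the correct one during the lockout, then the correct one after it expires."""
    th = LoginThrottle()
    outcomes = [check_login(th, "alice", False, t) for t in range(5)]
    outcomes.append(check_login(th, "alice", True, 10))
    outcomes.append(check_login(th, "alice", True, 905))
    return outcomes

if __name__ == "__main__":
    print(run_scenario())
```

A per-account lockout alone lets someone who knows a username keep that account locked by feeding it wrong passwords, so production deployments usually key the counter on the source address as well and pair the lockout with an increasing delay rather than a hard block.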
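The botnet and DoS/DDoS entries above make two points a detection engineer can act on: the DoS/DDoS distinction is purely the number of source machines, and a flood that spoofs its source addresses sends the reply traffic to yet another victim. The following is an added example, written for this page and not part of the original notes, that classifies SYN floods per destination from flow records and separately spots the unsolicited SYN-ACK backscatter that a spoofed flood produces at the third party. The flow records, addresses and thresholds are constructed.

```python
from collections import defaultdict

def classify_floods(flows, syn_threshold=100, window=10):
    """Count SYN-only flows per destination in fixed time windows and label a
    window as DoS (one source) or DDoS (many sources) once it crosses the
    threshold. The threshold must be tuned to the server's normal SYN rate."""
    buckets = defaultdict(lambda: {"syns": 0, "sources": set()})
    for f in flows:
        if f["flags"] != "S":
            continue
        b = buckets[(f["dst"], f["ts"] // window)]
        b["syns"] += 1
        b["sources"].add(f["src"])
    findings = []
    for (dst, w), b in sorted(buckets.items()):
        if b["syns"] < syn_threshold:
            continue
        findings.append({
            "dst": dst, "window": w, "syns": b["syns"],
            "sources": len(b["sources"]),
            "kind": "DoS" if len(b["sources"]) == 1 else "DDoS",
        })
    return findings

def detect_backscatter(flows, local_prefix, min_replies=20):
    """SYN-ACKs arriving at local hosts that never sent the matching SYN: the
    reply traffic that lands on 'yet another victim' when a flood spoofs its
    source addresses."""
    sent_syn = {(f["src"], f["dst"]) for f in flows if f["flags"] == "S"}
    unsolicited = defaultdict(int)
    for f in flows:
        if f["flags"] == "SA" and f["dst"].startswith(local_prefix):
            if (f["dst"], f["src"]) not in sent_syn:
                unsolicited[f["dst"]] += 1
    return {host: n for host, n in unsolicited.items() if n >= min_replies}

def sample_flows():
    """Constructed flow records (not a real capture): ts in seconds, flags 'S'
    for a SYN and 'SA' for a SYN-ACK."""
    flows = []
    # 150 bot sources hitting one server inside a ten-second window
    for i in range(150):
        flows.append({"ts": i % 10, "src": f"198.51.100.{i}", "dst": "192.0.2.10", "flags": "S"})
    # one machine sending 120 SYNs to another server
    for i in range(120):
        flows.append({"ts": 20 + i % 10, "src": "203.0.113.5", "dst": "192.0.2.11", "flags": "S"})
    # a few legitimate handshakes
    for i in range(5):
        flows.append({"ts": 40 + i, "src": "10.0.0.2", "dst": "192.0.2.12", "flags": "S"})
        flows.append({"ts": 40 + i, "src": "192.0.2.12", "dst": "10.0.0.2", "flags": "SA"})
    # the flooded server answering SYNs whose source was spoofed as a local host
    for i in range(30):
        flows.append({"ts": i % 10, "src": "192.0.2.10", "dst": "10.0.0.50", "flags": "SA"})
    return flows

if __name__ == "__main__":
    for finding in classify_floods(sample_flows()):
        print(finding)
    print(detect_backscatter(sample_flows(), "10.0.0."))
```

The backscatter check is the one a site that is not itself the flood target can run: a local host receiving SYN-ACKs for connections it never opened tells you its address is being used as a spoofed source somewhere, which is also the evidence you need to ask the upstream provider for ingress filtering.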