
What Are the Threats?


One of my favorite quotes is from Sun Tzu's The Art of War:

If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.

To this end, it is not good enough to merely know what a firewall does or how a firewall works. You need to understand the threats that exist, to ensure that you can effectively protect your environment from the threats.

Threats that most IT organizations need to deal with include the following:

• Targeted versus untargeted attacks
• Viruses, worms, and trojans
• Malicious content and malware
• Denial-of-service (DoS) attacks
• Zombies
• Compromise of personal information and spyware
• Social engineering
• New attack vectors
• Insecure/poorly designed applications

Targeted Versus Untargeted Attacks

On the surface, the difference between a targeted and untargeted attack may seem pretty unimportant. As the saying goes, an attack is an attack, regardless of source. While in the midst of an attack, whether the attack is targeted or not may fall down the list of priorities. However, it is important to define the difference because it could impact the ultimate level of response required to address the attack.

Untargeted attacks are attacks that are not directly motivated by the resources being attacked. In other words, the attacker is not necessarily being motivated to attack your resources, as much as the attacker is probably trying to gain access to any server that might be susceptible, and your server just so happened to fall in their sights. This is a common attack method for defacement-style attacks. In many cases, the attacker has not chosen to target your website because you own it, as much as they are trying to find websites running on certain versions of web server software, and you just so happened to be running that web server software. As a result, untargeted attacks typically do not have as much effort and motivation behind them and can be easier to defend against than a targeted attack is. In many cases, merely dropping the malicious traffic is enough to effectively defend against an untargeted attack and cause the attacker to move on to easier hunting grounds.

Targeted attacks, on the other hand, present an additional twist to the attack. For whatever reason, the attacker is interested in the resources and data you have, and has made a conscious and concerted effort to try to gain access to those resources. This makes a targeted attack of more concern than an untargeted attack, because in general it means that the attacker is going to continue to attempt to gain access to those resources, despite your efforts to protect them. Therefore, you must be even more vigilant in attempting to stop and ultimately catch the attacker so that the legal authorities can take the appropriate action. Indeed, if you suspect that your environment is under a targeted attack, it is a good idea to get the authorities involved sooner than later, because often attackers will not stop until they have been locked up by the appropriate legal authorities.

Viruses, Worms, and Trojans

It seems like as long as there have been computer systems, there has been someone willing to make malicious software to attack them. Although the terms virus, worm, and trojan are often used interchangeably to refer to malicious software, each term has its own distinct qualities and attributes that you need to understand.

Viruses are pieces of malicious code that typically are attached to legitimate software. For example, an attacker might make a game for use on a computer that includes the virus code as part of the game code. As the game is passed from computer to computer, typically through user intervention such as e-mail or sharing discs, the virus is able to spread, infecting computers that run the game software. Viruses have differing degrees of severity, ranging from merely annoying messages and content, to destructive code designed to erase or otherwise cause the loss of data or system functionality. The key attribute to a virus is that it cannot execute and spread by itself; it requires user intervention to allow it to function and infect other systems.

Worms are similar to viruses (sometimes even considered a subclass, or evolution of the traditional virus), with one major difference. Worms are self-replicating and can spread and infect systems with no help from a human user after they have been initially unleashed. In many cases, worms take advantage of system exploits in their propagation process, utilizing the exploit to allow the worm to infect a new system. Another common method of propagation is to utilize the e-mail client on an infected host to e-mail the worm to additional targets. This nature of a worm allows it to be much more devastating than a traditional virus because an infected host can effectively spread the infection to hundreds of thousands of systems at once, allowing the spread of the worm to grow exponentially after the initial host has been compromised. This propagation can be so disruptive as to actually cause an inadvertent denial of service against resources in some cases. For example, Code Red spread by attempting to connect to a large number of remote hosts, which in turn caused the routers connected to the networks that those remote hosts resided on to issue a corresponding amount of Address Resolution Protocol (ARP) requests in an attempt to connect to the remote hosts. Because of the sheer quantity of requests and the nature of how ARP functions (ARP is covered in more detail in Chapter 3), many routers were unable to handle the sheer volume of traffic and therefore stopped being able to forward legitimate data.

Trojans take the ...
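
As an added illustration (not part of the original book text), the propagation behaviour attributed to Code Red above, one host attempting connections to a large number of remote hosts, can be detected in connection logs by counting distinct destinations per source inside a short sliding window. The log format, addresses, window and threshold below are constructed for this example.

```python
from collections import defaultdict, deque

# Constructed sample log, one attempted connection per line:
#   "<epoch_seconds> <src_ip> <dst_ip>"
# 10.0.0.5 behaves like a scanning worm: a new destination every second.
# 10.0.0.9 is a busy but ordinary client: many connections, three destinations.
# 10.0.0.7 reaches many destinations, but slowly (one per minute).
SAMPLE_LOG = "\n".join(
    [f"{1000 + i} 10.0.0.5 192.0.2.{i + 1}" for i in range(40)]
    + [f"{1000 + i} 10.0.0.9 198.51.100.{i % 3 + 1}" for i in range(40)]
    + [f"{1000 + i * 60} 10.0.0.7 203.0.113.{i + 1}" for i in range(40)]
)


def parse(line):
    """Split one log line into (timestamp, source, destination)."""
    ts, src, dst = line.split()
    return int(ts), src, dst


def find_fanout_sources(log_text, window=30, threshold=20):
    """Return {src: first_alert_time} for every source that attempted
    connections to more than `threshold` distinct destinations within
    any `window`-second span."""
    recent = defaultdict(deque)  # src -> (ts, dst) pairs still inside the window
    alerts = {}
    events = sorted(parse(l) for l in log_text.splitlines() if l.strip())
    for ts, src, dst in events:
        q = recent[src]
        q.append((ts, dst))
        # Expire attempts that have fallen out of the sliding window.
        while q and q[0][0] <= ts - window:
            q.popleft()
        # Count distinct destinations, so repeat traffic to the same few
        # servers never trips the alert no matter how chatty the client is.
        if src not in alerts and len({d for _, d in q}) > threshold:
            alerts[src] = ts
    return alerts


if __name__ == "__main__":
    for src, ts in find_fanout_sources(SAMPLE_LOG).items():
        print(f"{src}: more than 20 distinct destinations in 30s (t={ts})")
```

Widening the window catches slower scanners such as 10.0.0.7 in the sample, at the cost of more false positives from legitimate hosts that contact many peers over time.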
