IA Solutions: Security Threats
Malicious Threats

| Category | Threat | OSI Layer | Definition | Typical Behaviors | Vulnerabilities | Prevention | Detection | Countermeasures |
|---|---|---|---|---|---|---|---|---|
| Malicious Software | Virus | Application | Malicious software that attaches itself to other software. For example, a patched software application in which the patch's algorithm is designed to implement the same patch on other applications, thereby replicating. | Replicates within the computer system, potentially attaching itself to every software application | All computers | Limit connectivity; limit downloads; use only authorized media for loading data and software; enforce mandatory access controls. Viruses generally cannot run unless the host application is running. | Changes in file sizes or date/time stamps; computer is slow starting or slow running; unexpected or frequent system failures; change of system date/time; low computer memory or increased bad blocks on disks | Contain, identify and recover. Antivirus scanners look for known viruses; antivirus monitors look for virus-related application behaviors. Attempt to determine the source of infection and issue an alert. |
| | Worm | Application; Network | Malicious software which is a stand-alone application | Often designed to propagate through a network rather than just a single computer | Multitasking computers, especially those employing open network standards | Limit connectivity; employ firewalls. Worms can run even without a host application. | Computer is slow starting or slow running; unexpected or frequent system failures | Contain, identify and recover. Attempt to determine the source of infection and issue an alert. |
| | Trojan Horse | Application | A Worm which pretends to be a useful program, or a Virus which is purposely attached to a useful program prior to distribution | Same as Virus or Worm, but also sometimes used to send information back to, or make information available to, the perpetrator | Unlike Worms, which self-propagate, Trojan Horses require user cooperation; untrained users are vulnerable | User cooperation allows Trojan Horses to bypass automated controls; user training is the best prevention | Same as Virus and Worm | Same as Virus and Worm. An alert must be issued not only to other system administrators but to all network users. |
| | Time Bomb | Application | A Virus or Worm designed to activate at a certain date/time | Same as Virus or Worm, but widespread throughout the organization upon the trigger date | Same as Virus and Worm; Time Bombs are usually found before the trigger date | Run the associated anti-viral software immediately as it becomes available | Correlate user problem reports to find patterns indicating a possible Time Bomb | Contain, identify and recover. Attempt to determine the source of infection and issue an alert. |
| | Logic Bomb | Application | A Virus or Worm designed to activate under certain conditions | Same as Virus or Worm | Same as Virus and Worm | Same as Virus and Worm | Correlate user problem reports indicating a possible Logic Bomb | Contain, identify and recover. Determine the source and issue an alert. |
| | Rabbit | Application; Network | A Worm designed to replicate to the point of exhausting computer resources | Rabbit consumes all CPU cycles, disk space, network resources, etc. | Multitasking computers, especially those on a network | Limit connectivity; employ firewalls | Computer is slow starting or running; frequent system failures | Contain, identify and recover. Determine the source and issue an alert. |
| | Bacterium | Application | A Virus designed to attach itself to the OS in particular (rather than any application in general) and exhaust computer resources, especially CPU cycles | Operating system consumes more and more CPU cycles, eventually resulting in noticeable delay in user transactions | Older versions of operating systems are more vulnerable than newer versions, since hackers have had more time to write Bacteria for them | Limit write privileges and opportunities to OS files; system administrators should work from non-admin accounts whenever possible | Changes in OS file sizes or date/time stamps; computer is slow in running; unexpected or frequent system failures | Antivirus scanners look for known viruses; antivirus monitors look for virus-related system behaviors |
| Spoofing | Spoofing | Network; Data Link | Getting one computer on a network to pretend to have the identity of another computer, usually one with special access privileges, so as to obtain access to the other computers on the network | The spoofing computer often does not have access to user-level commands, so attempts to use automation-level services, such as email or message handlers, are employed | Automation services designed for network interoperability are especially vulnerable, especially those adhering to open standards | Limit the system privileges of automation services to the minimum necessary; upgrade via security patches as they become available | Monitor transaction logs of automation services, scanning for unusual behaviors; if automating this process, do so off-line to avoid "tunneling" attacks | Disconnect automation services until patched, or monitor automation access points, such as network sockets, scanning for the next spoof in an attempt to trace back to the perpetrator |
| | Masquerade | Network | Accessing a computer by pretending to have an authorized user identity | The masquerading user often employs network or administrator command functions to access even more of the system, e.g., by attempting to download password or routing tables | Placing false or modified login prompts on a computer is a common way to obtain user IDs, as are Snooping, Scanning and Scavenging | Limit user access to network or administrator command functions; implement multiple levels of administrators, with different privileges for each | Correlate user identification with shift times or increased frequency of access; correlate user command logs with administrator command functions | Change the user password, or use standard administrator functions to determine the access point and then trace back to the perpetrator |
| Scanning | Sequential Scanning | Transport; Network | Sequentially testing passwords/authentication codes until one is successful | Multiple users attempting network or administrator command functions, indicating multiple Masquerades | Since most login prompts have a time delay built in to foil automated scanning, accessing the encoded password table and testing it off-line is a common technique | Enforce organizational password policies; make even system administrator access to password files cumbersome | Correlate user identification with shift times; correlate user problem reports relevant to possible Masquerades | Change the entire password file, or use baiting tactics to trace back to the perpetrator |
| | Dictionary Scanning | Application | Scanning through a dictionary of commonly used passwords/authentication codes until one is successful | Multiple users attempting network or administrator command functions, indicating multiple Masquerades | Use of common words and names as passwords or authentication codes (so-called "Joe accounts") | Enforce organizational password policies | Correlate user identification with shift times; correlate user problem reports relevant to possible Masquerades | Change the entire password file, or use baiting tactics to trace back to the perpetrator |
| Snooping (Eavesdropping) | Digital Snooping | Network | Electronic monitoring of digital networks to uncover passwords or other data | Users or even system administrators found online at unusual or off-shift hours; changes in the behavior of the network transport layer | An example of how COMSEC affects COMPUSEC; links can be more vulnerable to snooping than nodes | Employ data encryption; limit physical access to network nodes and links | Correlate user identification with shift times; correlate user problem reports; monitor network performance | Change encryption schemes, or employ network monitoring tools to attempt a trace back to the perpetrator |
| | Shoulder Surfing | Physical | Direct visual observation of monitor displays to obtain access | Authorized user found online at unusual or off-shift hours, indicating a possible Masquerade; authorized user attempting administrator command functions | "Sticky" notes used to record account and password information; password entry screens that do not mask typed text; "loitering" opportunities | Limit physical access to computer areas; require frequent password changes by users | Correlate user identification with shift times or increased frequency of access; correlate user command logs with administrator command functions | Change the user password, or use standard administrator functions to determine the access point and then trace back to the perpetrator |
| Scavenging | Dumpster Diving | All | Accessing discarded trash to obtain passwords and other data | Multiple users attempting network or administrator command functions, indicating multiple Masquerades | "Sticky" notes used to record account and password information; system administrator printouts of user logs | Destroy discarded hardcopy | Correlate user identification with shift times; correlate user problem reports relevant to possible Masquerades | Change the entire password file, or use baiting tactics to trace back to the perpetrator |
| | Browsing | Application; Network | Usually automated scanning of large quantities of unprotected data (discarded media or online "finger"-type commands) to obtain clues as to how to achieve access | Authorized user found online at unusual or off-shift hours, indicating a possible Masquerade; authorized user attempting administrator command functions | "Finger"-type services provide information to any and all users; the information is usually assumed safe but can give clues to passwords (e.g., a spouse's name) | Destroy discarded media; on open networks especially, disable "finger"-type services | Correlate user identification with shift times or increased frequency of access; correlate user command logs with administrator command functions | Change the user password, or use standard administrator functions to determine the access point and then trace back to the perpetrator |
| Spamming | Spamming | Application; Network | Overloading a system with incoming messages or other traffic to cause system crashes | Repeated system crashes, eventually traced to an overfull buffer or swap space | Open networks are especially vulnerable | Require authentication fields in message traffic | Monitor disk partitions, network sockets, etc. for overfull conditions | Analyze message headers to attempt a trace back to the perpetrator |
| Tunneling | Tunneling | Network | Any digital attack that attempts to get "under" a security system by accessing very low-level system functions (e.g., device drivers, OS kernels) | Bizarre system behaviors such as unexpected disk accesses, unexplained device failures, halted security software, etc. | Tunneling attacks often occur by creating system emergencies to cause system reloading or initialization | Design security and audit capabilities into even the lowest-level software, such as device drivers, shared libraries, etc. | Changes in date/time stamps for low-level system files, or changes in sector/block counts for device drivers | Patch or replace compromised drivers to prevent access; monitor suspected access points to attempt a trace back to the perpetrator |
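The Detection column for Masquerade, Shoulder Surfing, Browsing and the two Scanning rows prescribes the same three correlations: user identification against shift times, increased login frequency, and user command logs against administrator command functions. The following script is an added example (not IA Solutions' code) that runs those three checks over constructed log lines; the shift roster, the administrator command names and the log format are all assumptions.

```python
"""Shift-time and admin-command correlation over a constructed login/command log.
Added example, not IA Solutions' code. Assumed: a per-user shift roster, a set of
command names treated as administrator command functions, and a constructed log
format (timestamp, event type, user, optional command)."""
from collections import Counter
from datetime import datetime

# Constructed shift roster: user -> (start_hour, end_hour), 24h clock, end exclusive.
SHIFTS = {"alice": (8, 17), "bob": (14, 23), "root-ops": (0, 24)}
# Assumed names for the page's "administrator command functions", and who may use them.
ADMIN_COMMANDS = {"dump_passwd", "show_routes", "adduser", "chmod_sys"}
ADMIN_USERS = {"root-ops"}

# Constructed sample log (not real product output).
SAMPLE_LOG = """\
2024-03-04T02:40:00 LOGIN alice
2024-03-04T02:41:30 CMD alice dump_passwd
2024-03-04T02:42:05 CMD alice show_routes
2024-03-04T02:50:00 LOGIN alice
2024-03-04T02:55:00 LOGIN alice
2024-03-04T03:00:00 LOGIN root-ops
2024-03-04T03:05:00 CMD root-ops adduser
2024-03-04T09:12:00 LOGIN alice
2024-03-04T09:15:10 CMD alice list_files
2024-03-04T15:00:00 LOGIN bob
2024-03-04T15:01:00 CMD bob list_files
"""

def parse_line(line):
    ts, kind, user, *rest = line.split()
    return datetime.fromisoformat(ts), kind, user, (rest[0] if rest else None)

def off_shift(user, when):
    start, end = SHIFTS.get(user, (0, 0))  # no roster entry: always off-shift
    return not (start <= when.hour < end)

def correlate(log_text, login_threshold=3):
    """Return (user, reason, detail) alerts: off-shift logins, admin commands by
    non-admin users, and users logging in more than login_threshold times."""
    alerts, logins = [], Counter()
    for line in log_text.strip().splitlines():
        when, kind, user, cmd = parse_line(line)
        if kind == "LOGIN":
            logins[user] += 1
            if off_shift(user, when):
                alerts.append((user, "off-shift login", when.isoformat()))
        elif kind == "CMD" and cmd in ADMIN_COMMANDS and user not in ADMIN_USERS:
            alerts.append((user, "admin command by non-admin", cmd))
    alerts += [(u, "increased login frequency", str(n)) for u, n in logins.items() if n > login_threshold]
    return alerts
```

On the sample log, alice's three night-time logins, her two password/routing-table commands and her four logins in one day each raise an alert, while bob and the rostered administrator raise none.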
Unintentional Threats

| Category | Threat | OSI Layer | Definition | Typical Behaviors | Vulnerabilities | Prevention | Detection | Countermeasures |
|---|---|---|---|---|---|---|---|---|
| Malfunction | Equipment Malfunction | All | Hardware operates in an abnormal, unintended mode | Immediate loss of data due to abnormal shutdown; continuing loss of capability until the equipment is repaired | Vital peripheral equipment is often more vulnerable than the computers themselves | Replication of the entire system, including all data and recent transactions | Hardware diagnostic systems | On-site replication of hardware components for quick recovery |
| | Software Malfunction | Application | Software behavior is in conflict with intended behavior | Immediate loss of data due to abnormal end; repeated system failure when re-fed "faulty" data | Software developed using ad hoc rather than defined formal processes | Comprehensive testing procedures and software designed for graceful degradation | Software diagnostic tools | Backup software and robust operating systems facilitate quick recovery |
| Human Error | Trap Door (Back Door) | Application | System access for developers inadvertently left available after software delivery | Unauthorized system access enables viewing, alteration or destruction of data or software | Software developed outside defined organizational policies and formal methods | Enforce defined development policies; limit network and physical access | Audit trails of system usage, especially user identification logs | Close the Trap Door, or monitor ongoing access to trace back to the perpetrator |
| | User/Operator Error | All | Inadvertent alteration, manipulation or destruction of programs, data files or hardware | Incorrect data entered into the system, or incorrect behavior of the system | Poor user documentation or training | Enforcement of training policies and separation of programmer/operator duties | Audit trails of system transactions | Backup copies of software and data; on-site replication of hardware |
Physical Threats

| Category | Threat | OSI Layer | Definition | Typical Behaviors | Vulnerabilities | Prevention | Detection | Countermeasures |
|---|---|---|---|---|---|---|---|---|
| Physical Environment | Fire Damage | N/A | Physical destruction of equipment due to fire or smoke damage | Physical destruction of systems and supporting equipment | Systems located near potential fire hazards, e.g., fuel storage tanks | Off-site system replication, while costly, provides backup capability | On-site smoke alarms | Halon gas or FM200 fire extinguishers mitigate electrical and water damage |
| | Water Damage | N/A | Physical destruction of equipment due to water (including sprinkler) damage | Physical destruction of systems and supporting equipment | Systems located below ground or near sprinkler systems | Off-site system replication | Water detection devices | Computer rooms equipped with emergency drainage capabilities |
| | Power Loss | N/A | Computers or vital supporting equipment fail due to lack of power | Immediate loss of data due to abnormal shutdown, even after power returns; continuing loss of capability until power returns | Sites fed by above-ground power lines are particularly vulnerable; power loss to computer room air conditioners can also be an issue | Dual or separate feeder lines for computers and supporting equipment | Power level alert monitors | Uninterruptible Power Supplies (UPS); full-scale standby power facilities where economically feasible |
| Civil Disorder | Vandalism | N/A | Physical destruction during operations other than war | Physical destruction of systems and supporting equipment | Sites located in some overseas environments, especially urban environments | Low-profile facilities (no overt disclosure of the high-value nature of the site) | Physical intrusion detection devices | Physical access restrictions and riot contingency policies |
| | Battle Damage | N/A | Physical destruction during military action | Physical destruction of systems and supporting equipment | Site located in theater | Off-site system replication; OPSEC and a low profile to prevent hostile targeting | Network monitoring systems | Hardened sites |