Methods of Attack

1
Methods of Attack

• NJ-CISSP

2
Attack

• An assault on system security that derives from
  an intelligent threat, i.e., an intelligent act
  that is a deliberate attempt (especially in the
  sense of a method or technique) to evade security
  services and violate the security policy of a
  system. RFC 2828, May 2000

3
Attacks Target Secure Computing Properties

• Confidentiality
• The property that information is not made
  available or disclosed to unauthorized
  individuals, entities, or processes.
• Integrity
• The property that data has not been changed,
  destroyed, or lost in an unauthorized or
  accidental manner.
• Availability
• The property of a system or a system resource
  being accessible and usable upon demand by an
  authorized system entity, according to
  performance specifications for the system i.e.,
  a system is available if it provides services
  according to the system design whenever users
  request them.

4
Attack Phases

• PHASE 1 - INFORMATION GATHERING
• First phase tools (Ping sweeps, Port scans,
  Social Engineering)
• PHASE 2 - GAINING ACCESS
• Second phase techniques (exploit of software
  bugs, buffer overflow exploit, FTP bugs)
• PHASE 3 - DENYING SERVICES
• Third phase attacks (Syn Flood, Ping of
  death, Teardrop Attack)
• PHASE 4 - EVADE DETECTION

5
Brute Force

• A cryptanalysis technique or other kind of attack
  method involving an exhaustive procedure that
  tries all possibilities, one-by-one. For
  example, for ciphertext where the analyst already
  knows the decryption algorithm, a brute force
  technique to finding the original plaintext is to
  decrypt the message with every possible key.

6
Brute Force

• Passwords
• More successful against weak passwords
• Encryption - DES
• Obtain sample plaintext-ciphertext pair
• Test each possible key in turn
• Would take thousands of years,
• unless done in parallel. (20 hours by 1990)
• Pop service (110) success
• Did not have their login failures logged

The key to a successful brute force attack is to
select a target that has a high degree of success
and a small chance of being logged.
7
Dictionary

• An attack that uses a brute-force technique of
  successively trying all the words in some large,
  exhaustive list. For example, an attack on an
  authentication service by trying all possible
  passwords or an attack on encryption by
  encrypting some known plaintext phrase with all
  possible keys so that the key for any given
  encrypted message containing that phrase may be
  obtained by lookup. RFC 2828, May 2000

8
Denial of Service

• Denial Of Service (DOS) attacks attempt to slow
  or shut down targeted network systems or
  services.
• There are two main types of DOS attacks flaw
  exploitation and flooding.

9
Denial of Service

• Flaw exploitation DOS Attacks
• Flaw exploitation attacks exploit a flaw in the
  target systems software in order to cause a
  processing failure or to cause it to exhaust
  system resources.
• Flooding DOS Attacks
• Flooding attacks simply send a system or system
  component more information than it can handle. In
  cases where the attacker cannot send a system
  sufficient information to overwhelm its
  processing capacity, the attacker may nonetheless
  be able to monopolize the network connection to
  the target, thereby denying anyone else use of
  the resource.

10
Distributed Denial of Service

• DDOS attacks are a subset of DOS
• DDOS attacks are simply flooding DOS attacks
  where the hacker uses multiple computers to
  launch the attack. These attacking computers are
  centrally controlled by the hackers computer and
  thus act as a single immense attack system.

11
Spamming

• Attacks are a subset of DOS
• A spammer uses your email system as a spam relay.
  Your system becomes the host and then tries to
  deliver all messages.
• While your email server is spending time
  processing the spam mail, it is prevented from
  handling legitimate mail for your domain.

12
Spoofing

• In a spoofing attack, the intruder sends messages
  to a computer indicating that the message has
  come from a trusted system. To be successful, the
  intruder must first determine the IP address of a
  trusted system, and then modify the packet
  headers to that it appears that the packets are
  coming from the trusted system
• http//www.sans.org/infosecFAQ/threats/intro_spoo
  fing.htm

13
Spoofing

• IP spoofing - IP spoofing involves forging one's
  source IP address. It is the act of using one
  machine to impersonate another. Many applications
  and tools in UNIX systems rely on source IP
  address authentication.
• ARP spoofing - ARP spoofing involves forging
  packet source hardware address (MAC address) to
  the address of the host you pretend to be.

14
Man-in-the-middle

• The "Man In The Middle" or "TCP Hijacking" attack
  is a well known attack where an attacker sniffs
  packets from network, modifies them and inserts
  them back into the network. There are few
  programs/source codes available for doing a TCP
  hijack. Juggernaut, T-Sight and Hunt are some
  these programs.
• http//www.sans.org/infosecFAQ/threats/middle.htm
  

15
Sniffers

• Packet sniffers
• A software application that uses a network
  adapter card in promiscuous mode to capture all
  network packets that are sent across a LAN.
• Captures plain text user account names,
  passwords, etc.
• Can also interject new information or change
  existing information.

16
Crackers

• Someone who tries to break the security of, and
  gain access to, someone else's system without
  being invited to do so.

17
Countermeasures

• Adequate Security Controls
• Documentation
• Policy, Standards, Processes
• Equipment
• IDS, Firewall, Network Map
• Personnel
• Auditing, Monitoring, Configuring, etc
• Education
• CISSP Certified Staff

18
Questions?

• Ask Jeanette!