Exploration 4-chapter 4

Some of the most common terms are as follows:

• White hat-An individual who looks for vulnerabilities in systems or networks and then reports these vulnerabilities to the owners of the system so that they can be fixed. They are ethically opposed to the abuse of computer systems. A white hat generally focuses on securing IT systems, whereas a black hat (the opposite) would like to break into them.
• Hacker-A general term that has historically been used to describe a computer programming expert. More recently, this term is often used in a negative way to describe an individual who attempts to gain unauthorized access to network resources with malicious intent.
• Black hat-Another term for individuals who use their knowledge of computer systems to break into systems or networks that they are not authorized to use, usually for personal or financial gain. A cracker is an example of a black hat.
• Cracker-A more accurate term to describe someone who tries to gain unauthorized access to network resources with malicious intent.
• Phreaker-An individual who manipulates the phone network to cause it to perform a function that is not allowed. A common goal of phreaking is breaking into the phone network, usually through a payphone, to make free long-distance calls.
• Spammer-An individual who sends large quantities of unsolicited e-mail messages. Spammers often use viruses to take control of home computers and use them to send out their bulk messages.
• Phisher-Uses e-mail or other means to trick others into providing sensitive information, such as credit card numbers or passwords. A phisher masquerades as a trusted party that would have a legitimate need for the sensitive information.
A closed network does not allow a connection to public networks. Because there is no outside connectivity, networks designed in this way are considered safe from outside attacks. However, internal threats still exist. A closed network does little to prevent attacks from within the enterprise.
The four classes of physical threats are:

• Hardware threats-Physical damage to servers, routers, switches, cabling plant, and workstations
• Environmental threats-Temperature extremes (too hot or too cold) or humidity extremes (too wet or too dry)
• Electrical threats-Voltage spikes, insufficient supply voltage (brownouts), unconditioned power (noise), and total power loss
• Maintenance threats-Poor handling of key electrical components (electrostatic discharge), lack of critical spare parts, poor cabling, and poor labeling

Structured Threats
Structured threats come from individuals or groups that are more highly motivated and technically competent. These people know system vulnerabilities and use sophisticated hacking techniques to penetrate unsuspecting businesses.
Social Engineering

The easiest hack involves no computer skill at all. If an intruder can trick a member of an organization into giving up valuable information, such as the location of files or passwords, the process of hacking is made much easier. This type of attack is called social engineering, and it preys on personal vulnerabilities that can be discovered by talented attackers.
Phishing is a type of social engineering attack that involves using e-mail or other types of messages in an attempt to trick others into providing sensitive information, such as credit card numbers or passwords. The phisher masquerades as a trusted party that has a seemingly legitimate need for the sensitive information.
Port Redirection
A port redirection attack is a type of trust exploitation attack that uses a compromised host to pass traffic through a firewall that would otherwise be blocked. It is mitigated primarily through the use of proper trust models. Antivirus software and host-based IDS can help detect and prevent an attacker installing port redirecting utilities on the host.
Man-in-the-Middle Attack

A man-in-the-middle (MITM) attack is carried out by attackers that manage to position themselves between two legitimate hosts. The attacker may allow the normal transactions between hosts to occur, and only periodically manipulate the conversation between the two.
In a transparent proxy attack, an attacker may catch a victim with a phishing e-mail or by defacing a website. Then the URL of a legitimate website has the attacker's URL added to the front of it (prepended).
The Smurf attack uses spoofed broadcast ping messages to flood a target system. It starts with an attacker sending a large number of ICMP echo requests to the network broadcast address from spoofed source IP addresses (the address of the intended victim). If a router performs the Layer 3 broadcast-to-Layer 2 broadcast function, most hosts will each respond with an ICMP echo reply, multiplying the traffic by the number of hosts responding.
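The amplification described above can be recognised in packet records by looking for echo requests addressed to a directed-broadcast address and counting the echo replies that flow back to the claimed source. The following Python is an added example, not part of the original notes; the packet records, network ranges and threshold are constructed for illustration.

```python
"""Detect a Smurf-style amplification pattern in a list of packet records.

Added illustration for the notes above: the capture below is constructed,
not a real trace, and the helper names are this example's own.
"""
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    ts: float
    src: str
    dst: str
    icmp_type: int  # 8 = echo request, 0 = echo reply


ECHO_REQUEST = 8
ECHO_REPLY = 0


def is_directed_broadcast(dst: str, networks) -> bool:
    """True if dst is the broadcast address of one of the monitored networks."""
    addr = ip_address(dst)
    return any(addr == net.broadcast_address for net in networks)


def detect_smurf(packets, networks, request_threshold=5):
    """Return {claimed_source: {"requests": n, "replies": m, "amplification": m/n}}
    for every source that sent at least request_threshold echo requests to a
    directed-broadcast address.

    The "source" of those requests is the spoofed address, i.e. the victim:
    the replies counted here are the flood that lands on it.
    """
    requests = Counter()
    replies = Counter()
    for p in packets:
        if p.icmp_type == ECHO_REQUEST and is_directed_broadcast(p.dst, networks):
            requests[p.src] += 1
        elif p.icmp_type == ECHO_REPLY:
            replies[p.dst] += 1

    findings = {}
    for victim, n in requests.items():
        if n >= request_threshold:
            m = replies[victim]
            findings[victim] = {
                "requests": n,
                "replies": m,
                "amplification": round(m / n, 1),
            }
    return findings


def build_sample_capture():
    """Constructed capture: 5 spoofed echo requests to 192.0.2.255, each answered
    by 20 hosts on the segment, plus one ordinary ping between two hosts."""
    nets = [ip_network("192.0.2.0/24")]
    packets = []
    for i in range(5):
        packets.append(Packet(float(i), "198.51.100.9", "192.0.2.255", ECHO_REQUEST))
        for h in range(1, 21):
            packets.append(Packet(i + 0.01, f"192.0.2.{h}", "198.51.100.9", ECHO_REPLY))
    packets.append(Packet(10.0, "192.0.2.50", "192.0.2.60", ECHO_REQUEST))
    packets.append(Packet(10.01, "192.0.2.60", "192.0.2.50", ECHO_REPLY))
    return packets, nets


if __name__ == "__main__":
    caps, nets = build_sample_capture()
    for victim, info in detect_smurf(caps, nets).items():
        print(f"amplified flood toward {victim}: {info}")
```

The ordinary ping in the sample is not reported because its destination is a host address, not the network broadcast. The corresponding router-side mitigation is to refuse to forward directed broadcasts onto the segment; on Cisco IOS that is the interface command `no ip directed-broadcast`, which has been the default since IOS 12.0.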
Host and Server Based Security
Device Hardening

When a new operating system is installed on a computer, the security settings are set to the default values. In most cases, this level of security is inadequate. There are some simple steps that should be taken that apply to most operating systems:

• Default usernames and passwords should be changed immediately.
• Access to system resources should be restricted to only the individuals that are authorized to use those resources.
• Any unnecessary services and applications should be turned off and uninstalled, when possible.

Antivirus software detects malicious code in two ways:

• It scans files, comparing their contents to known viruses in a virus dictionary. Matches are flagged in a manner defined by the end user.
• It monitors suspicious processes running on a host that might indicate infection. This monitoring may include data captures, port monitoring, and other methods.
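The first method, comparing file contents against a dictionary of known signatures, is easy to see in miniature. The Python below is an added example, not part of the original notes or any antivirus product; the "virus dictionary" (two byte patterns and one file hash) and the sample files it scans are constructed for the demonstration and match nothing real.

```python
"""Dictionary-based file scanning, as described in the notes above.

Added illustration: the signature dictionary and the scanned files are
constructed; real products use far larger dictionaries and richer
pattern languages, but the matching idea is the same.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed dictionary entries (sample names are invented).
KNOWN_BAD_FILE = b"exact copy of a catalogued sample"
HASH_SIGNATURES = {sha256_of(KNOWN_BAD_FILE): "Sample.Hash.C"}   # whole-file match
PATTERN_SIGNATURES = {                                            # byte-pattern match
    b"CONSTRUCTED-SAMPLE-MARKER-1": "Sample.Marker.A",
    b"\xde\xad\xbe\xef\x00\x01": "Sample.Bytes.B",
}


def scan_file(path: Path) -> list[str]:
    """Return the names of every dictionary entry that matches this file."""
    data = path.read_bytes()
    hits = []
    name = HASH_SIGNATURES.get(sha256_of(data))
    if name:
        hits.append(name)
    for pattern, sig_name in PATTERN_SIGNATURES.items():
        if pattern in data:
            hits.append(sig_name)
    return hits


def scan_tree(root: Path) -> dict[str, list[str]]:
    """Walk a directory and return {relative path: [matches]} for flagged files.
    What to do with a match (quarantine, delete, alert) is policy, so it is
    left to the caller, as the notes say it is defined by the end user."""
    findings = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            hits = scan_file(path)
            if hits:
                findings[path.relative_to(root).as_posix()] = hits
    return findings


def build_sample_tree() -> Path:
    """Constructed directory: one clean file, two pattern matches, one hash match."""
    root = Path(tempfile.mkdtemp(prefix="avdemo_"))
    (root / "clean.txt").write_bytes(b"quarterly report, nothing unusual\n")
    (root / "dropper.bin").write_bytes(b"MZ..." + b"CONSTRUCTED-SAMPLE-MARKER-1" + b"...")
    sub = root / "tmp"
    sub.mkdir()
    (sub / "copy.dat").write_bytes(KNOWN_BAD_FILE)
    (sub / "both.dat").write_bytes(b"\xde\xad\xbe\xef\x00\x01" + b"CONSTRUCTED-SAMPLE-MARKER-1")
    return root


if __name__ == "__main__":
    for rel, hits in scan_tree(build_sample_tree()).items():
        print(f"{rel}: {', '.join(hits)}")
```

The hash entry only catches a byte-for-byte copy, which is why dictionaries also carry byte patterns; the pattern entries in turn miss anything repacked or encrypted, which is the gap the second method in the notes (monitoring process behaviour on the host) is meant to cover.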
Operating System Patches

The most effective way to mitigate a worm and its variants is to download security updates from the operating system vendor and patch all vulnerable systems. This is difficult with uncontrolled user systems in the local network, and even more troublesome if these systems are remotely connected to the network via a virtual private network (VPN) or remote access server (RAS).
Intrusion Detection and Prevention

Intrusion detection systems (IDS) detect attacks against a network and send logs to a management console. Intrusion prevention systems (IPS) prevent attacks against the network and should provide the following active defense mechanisms in addition to detection:
• Prevention-Stops the detected attack from executing.
• Reaction-Immunizes the system from future attacks from a malicious source.
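The difference between detecting and preventing, and the "reaction" step of shutting out a source after it has triggered a detection, can be shown by running one event stream through a sensor in each mode. The Python below is an added example, not part of the original notes or of any vendor's product; the events, the two policy rules and the internal address range are constructed.

```python
"""IDS (detect and log) versus IPS (drop and then block the source) on one
event stream. Added illustration for the notes above; events, rules and
the 192.0.2.0/24 "internal" range are constructed.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("192.0.2.0/24")


@dataclass(frozen=True)
class Event:
    src: str
    dst_port: int
    payload: str


def is_external(addr: str) -> bool:
    return ip_address(addr) not in INTERNAL


# Constructed policy rules: (name, predicate). Real sensors use signature
# languages; the shape of the decision is what matters here.
RULES = [
    ("telnet-cleartext-login", lambda e: e.dst_port == 23),
    ("smb-from-outside", lambda e: e.dst_port == 445 and is_external(e.src)),
]


@dataclass
class SensorResult:
    alerts: list = field(default_factory=list)      # (src, rule) per detection
    forwarded: list = field(default_factory=list)   # events allowed through
    dropped: list = field(default_factory=list)     # events stopped (IPS only)
    blocked_sources: set = field(default_factory=set)


def run_sensor(events, mode="ids", block_after=1):
    """mode="ids": every event is inspected and forwarded; matches only log.
    mode="ips": a matching event is dropped (prevention) and, once a source has
    matched block_after times, all of its later traffic is dropped without
    inspection (reaction)."""
    if mode not in ("ids", "ips"):
        raise ValueError(f"unknown mode {mode!r}")
    res = SensorResult()
    hits = {}
    for ev in events:
        if mode == "ips" and ev.src in res.blocked_sources:
            res.dropped.append(ev)
            continue
        matched = [name for name, pred in RULES if pred(ev)]
        for name in matched:
            res.alerts.append((ev.src, name))
        if matched:
            hits[ev.src] = hits.get(ev.src, 0) + 1
            if mode == "ips":
                res.dropped.append(ev)
                if hits[ev.src] >= block_after:
                    res.blocked_sources.add(ev.src)
                continue
        res.forwarded.append(ev)
    return res


# Constructed stream: an outside host tries telnet and then ordinary web traffic,
# an inside host browses, an outside host opens SMB, an inside host opens SMB.
SAMPLE_EVENTS = [
    Event("203.0.113.7", 23, "telnet login"),
    Event("203.0.113.7", 80, "GET /"),
    Event("192.0.2.20", 80, "GET /"),
    Event("203.0.113.9", 445, "smb session setup"),
    Event("192.0.2.21", 445, "smb session setup"),
]

if __name__ == "__main__":
    for mode in ("ids", "ips"):
        r = run_sensor(SAMPLE_EVENTS, mode=mode)
        print(f"{mode}: {len(r.alerts)} alerts, {len(r.forwarded)} forwarded, "
              f"{len(r.dropped)} dropped, blocked={sorted(r.blocked_sources)}")
```

In IDS mode both sensors raise the same two alerts, but the web request that follows the outside host's telnet attempt is forwarded; in IPS mode that request is dropped purely because of the earlier detection, which is what the "reaction" bullet describes. The cost of reaction is visible too: a false positive in IPS mode blocks a legitimate source outright, which is why the rules and thresholds of an inline sensor need more care than those of a passive one.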
Host-based Intrusion Detection Systems

Host-based intrusion detection is typically implemented as inline or passive technology, depending on the vendor.
The security policy is the hub upon which the four steps of the Security Wheel are based. The steps are secure, monitor, test, and improve.

Step 1. Secure

Secure the network by applying the security policy and implementing the following security solutions:

Threat defense

• Stateful inspection and packet filtering-Filter network traffic to allow only valid traffic and services.
• Intrusion prevention systems-Deploy at the network and host level to actively stop malicious traffic.
• Vulnerability patching-Apply fixes or measures to stop the exploitation of known vulnerabilities.
• Disable unnecessary services-The fewer services that are enabled, the harder it is for attackers to gain access.

Secure connectivity

• VPNs-Encrypt network traffic to prevent unwanted disclosure to unauthorized or malicious individuals.
• Trust and identity-Implement tight constraints on trust levels within a network. For example, systems on the outside of a firewall should never be absolutely trusted by systems on the inside of a firewall.
• Authentication-Give access to authorized users only. One example of this is using one-time passwords.
• Policy enforcement-Ensure that users and end devices are in compliance with the corporate policy.

Step 2. Monitor

Monitoring security involves both active and passive methods of detecting security violations. The most commonly used active method is to audit host-level log files.
Step 3. Test

In the testing phase of the Security Wheel, the security measures are proactively tested. Specifically, the functionality of the security solutions implemented in step 1 and the system auditing and intrusion detection methods implemented in step 2 are verified.
Step 4. Improve

The improvement phase of the Security Wheel involves analyzing the data collected during the monitoring and testing phases. This analysis contributes to developing and implementing improvement mechanisms that augment the security policy and results in adding items to step 1.
Functions of a Security Policy

A comprehensive security policy fulfills these essential functions:

• Protects people and information
• Sets the rules for expected behavior by users, system administrators, management, and security personnel
• Authorizes security personnel to monitor, probe, and investigate
• Defines and authorizes the consequences of violations
