Okay, you know your enemy and your weaknesses. But what exactly is that enemy up to, and what are they going to do to take advantage of your vulnerabilities? It’s extremely important for you to understand this, so you can be prepared for what an attacker may throw at you. Most network attacks fall into these three categories:
Reconnaissance attacks Reconnaissance attacks are unauthorized familiarization sessions that a hacker uses to find out what can be attacked on your network. An attacker on reconnaissance
4422c01.fm Page 10 Tuesday, November 30, 2004 11:31 AM
Types of Network Attacks 11
is out for discovery—mapping the network and its resources, systems, and vulnerabilities.
This is often just a preliminary task. The information gathered is frequently used to attack the network later.
Access attacks Access attacks are waged against networks or systems to retrieve data, gain access, or escalate access privileges. This can be as easy as finding network shares with no pass-words. Such attacks aren’t always serious—many access attacks are performed out of curiosity or for the intellectual challenge. But beware: Some access attacks are done to nick stuff, whereas other hackers perform access attacks because they want to play with your toys or use you to cam-ouflage their identity in order to make their dirty work look as though it came from your network.
Denial-of-service (DoS) attacks Denial-of-service (DoS) attacks are always nasty. Their sole purpose is to disable or corrupt network services. A DoS attack usually either crashes a system or slows it down to the point that it’s rendered useless. DoS attacks are usually aimed at web servers and are surprisingly easy to perform. (The next section discusses DoS attacks in more detail.)
There are many ways—most of them fairly common—to gather information about a network and to compromise corporate information, and even to cause the destruction of a corporate web server and services. In particular, the three network attacks we just discussed can cause the most trouble in your system.
TCP/IP teams up with your operating system to provide many weak, exploitable spots (if not outright invitations) in a corporation’s network. TCP/IP and operating system weaknesses are probably the two greatest technology-oriented weaknesses facing corporations today.
Here is a list of the most common attacks that your network may experience:
Eavesdropping
Trojan horse programs, viruses, and worms
HTML attacks
When protecting your information from these attacks, it’s your job to prevent theft, destruc-tion, corrupdestruc-tion, and the introduction of information that can cause irreparable damage to sensitive and confidential data on your network.
4422c01.fm Page 11 Tuesday, November 30, 2004 11:31 AM
12 Chapter 1 Introduction to Network Security
Eavesdropping
Eavesdropping, also known in the industry as network snooping or packet sniffing, is the act of a hacker listening in to your system. A cool product called (surprise!) a packet sniffer enables its user to read packets of information sent across a network. Because a network’s packets aren’t encrypted by default, they can be processed and understood by the sniffer. You can imagine how helpful this capability is to the network administrator trying to optimize or troubleshoot a network. But it’s not exactly a stretch to visualize an evil hacker—packet sniffer in hand—
using it to break into a network to gather sensitive corporate information.
And gather they can. Did you know that some applications send all information across the net-work in clear text? This is especially convenient for the hacker who’s striving to snag usernames and passwords and use them to gain access to corporate resources. All bad guys need to do is jack the right account information, and they’ve got the run of your network. Worse, if a hacker manages to gain admin or root access, they can create a new user ID to use at any time as a back door into your network and its resources. Then your network belongs to the hacker—kiss it goodbye.
Even more insidious, eavesdropping is also used for information theft. Imagine the intruder hacking into a financial institution and sneaking credit card numbers, account information, and other personal data from one of the institution’s network computers or from the data crossing its network. The hacker now has everything they need for serious identity theft.
Is there anything you can do about this threat? Yes. Again, it comes down to a nice, tight net-work security policy. To counteract eavesdropping, you need to create a policy forbidding the use of protocols with known susceptibilities to eavesdropping, and you should make sure all important, sensitive network traffic is encrypted.
Simple Eavesdropping
Here is an example of simple eavesdropping that I encountered when I was checking my e-mail.
This shows how easy it can be to find usernames and passwords.
Notice in this example that the EtherPeek network analyzer I’m using shows that the first packet has the username in clear text:
TCP - Transport Control Protocol Source Port: 3207 Destination Port: 110 pop3 Sequence Number: 1904801173 Ack Number: 1883396251 Offset: 5 (20 bytes) Reserved: %000000 Flags: %011000
0. .... (No Urgent pointer)
Types of Network Attacks 13
The next packet has the password. Everything seen in this packet (an e-mail address and a username/password) can be used to break into the system:
TCP - Transport Control Protocol
The username is tlammle1, and the password is secretpass—all nice and clear for everyone’s viewing pleasure.
14 Chapter 1 Introduction to Network Security