attack
Any method used to try to breach the security of a network or system.
Overview
Threats to a network’s security can originate from a variety of sources including the following:
● External, structured threats from malicious individuals or organizations
● External, unstructured threats from inexperienced attackers such as script kiddies
● Internal threats from disgruntled employees or contractors
The overall approaches used by malicious individuals or organizations vary considerably, but can be broken down into several broad categories:
● Access attacks: The intruder tries to gain access to resources on your network by exploiting flaws in software such as buffer overflows and information leakage and by elevating the intruder’s privileges to execute arbitrary code.
● Denial of service (DoS) attacks: The intruder tries to deny legitimate users access to resources on your network.
● Reconnaissance attacks: The intruder tries to map your network services in order to exploit vulnerabilities detected.
Another way of classifying attacks is according to their impact on the systems being attacked:
● Active attacks: These involve trying to modify data either during transmission or while stored on the target system. Examples include inserting backdoors and Trojans, deleting or modifying log files, disrupting services or communication, and so on.
● Passive attacks: The goal here is not to modify the target system but rather to capture data being transmitted by eavesdropping or by using a packet sniffer in order to obtain sensitive or confidential information such as passwords or credit card numbers. Passive attacks are also used for capturing information that can help the attacker create a map of the target network’s hosts and services, which usually forms the preamble of an active attack.
Some of the specific methods used by intruders for attacking networks include data modification, eavesdropping, impersonation, and packet replay attacks. Other common methods include exploiting coding vulnerabilities using buffer overflows, malformed Uniform Resource Locators (URLs), and other methods. Social engineering and Dumpster diving are different approaches that sometimes lead to immediate success in penetrating a network’s defenses. Finally, phishing is a form of automated social engineering that sometimes bears fruit for the attacker.
See Also: attack map, denial of service (DoS), eavesdropping, impersonation, packet replay, phishing, sniffing, social engineering, vulnerability
attack map
A map of a network that an intruder plans to attack.
Overview
When an intruder wants to break into a company’s network, the first stage of the attack is usually the reconnaissance stage, in which the intruder tries to create a map of the hosts and network services running on the network. The intruder might begin mapping a company’s network by using a search engine to find the company’s Web site and then use nslookup to find the Internet Protocol (IP) address of the server. Once the server’s IP address is known, a whois query of the ARIN database can determine the range of IP addresses for the network and administrative contact information, which can indicate whether the server is being hosted on the company’s demilitarized zone (DMZ) or at an Internet service provider (ISP) or hosting provider. If the server is hosted by a service provider, the attacker could be out of luck. But if the company owns the IP address block to which the server belongs, then one host on the company’s network has been identified. At this point, the intruder might scan the IP address block using a freely available tool such as Nmap to see whether any other hosts in the network are exposed to the Internet (stealth mode is used for running Nmap to help avoid detection during the scanning process). Once exposed hosts are found and listening ports identified, the intruder has gained knowledge of which network services are running on these hosts, and the attack map takes shape.
The intruder might next try to determine which operating systems are running on the exposed hosts. For Web servers, this can be done by using telnet to send a Hypertext Transfer Protocol (HTTP) GET request to port 80, because the Web server’s response to this request contains HTTP headers that typically reveal such information. Having identified the operating system and network services running on hosts, the intruder has created a map that then allows the intruder to test for common vulnerabilities that result from administrators failing to patch their systems appropriately.
See Also: attack, Nmap, Nslookup, vulnerability
auditing
A security principle that involves reviewing information concerning user and system activity to look for inappropriate actions.
Overview
Auditing is an essential part of any security program for any network, and most operating system platforms support some form of auditing. Auditing can be approached in two general ways:
● Proactive auditing: This involves regularly reviewing audit logs to look for signs of intrusion attempts or abnormal system behavior.
● Reactive auditing: This is basically a forensic activity that is performed after a system has been compromised.
By enabling auditing on a system, information is collected concerning specified events such as logons, resource access, and so on. This information is then stored in special log files called audit logs, which can then be reviewed to look for suspicious patterns of behavior or to monitor resource usage activity for accounting purposes. Many applications such as firewalls and intrusion detection systems (IDSs) also support various forms of auditing.
Implementation
Auditing is implemented in various ways on different operating system platforms and applications. In general, an auditing system comprises two components:
● A data collector that monitors the system or application and saves audit information in audit logs
● A data analyzer that allows administrators to display, query, and analyze audit logs to search for patterns and events
As far as analysis of auditing information is concerned, this may be performed in either of the following ways:
● Manually, by having administrators periodically examine audit logs using various tools
● Automatically, using statistical methods or rule-based expert systems, an approach generally used for IDSs
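As an added illustration (not part of the original entry), the small rule-based analyzer below runs over constructed syslog-style audit lines and flags two patterns an auditor looks for: a burst of failed logons from one source, and one source touching many ports on a host, which is the port-scanning preamble described under "attack map". The hosts, user names and addresses in the sample are made up for the example.

```python
import re
from collections import defaultdict

# Constructed sample audit lines (syslog-like shape); hosts and addresses are
# invented for this example, using documentation address ranges.
SAMPLE_LOG = """\
Mar 10 08:01:02 host1 sshd[211]: Failed password for root from 203.0.113.5 port 40122
Mar 10 08:01:04 host1 sshd[211]: Failed password for root from 203.0.113.5 port 40123
Mar 10 08:01:05 host1 sshd[211]: Failed password for admin from 203.0.113.5 port 40124
Mar 10 08:01:07 host1 sshd[211]: Failed password for admin from 203.0.113.5 port 40125
Mar 10 08:01:09 host1 sshd[211]: Failed password for guest from 203.0.113.5 port 40126
Mar 10 08:02:00 host1 sshd[212]: Accepted password for alice from 198.51.100.7 port 51000
Mar 10 08:03:11 host2 kernel: DROP SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP DPT=21
Mar 10 08:03:11 host2 kernel: DROP SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP DPT=22
Mar 10 08:03:12 host2 kernel: DROP SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP DPT=23
Mar 10 08:03:12 host2 kernel: DROP SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP DPT=25
Mar 10 08:03:13 host2 kernel: DROP SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP DPT=80
Mar 10 08:03:13 host2 kernel: DROP SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP DPT=443
Mar 10 08:05:00 host2 kernel: DROP SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=445
"""

FAILED_LOGON = re.compile(r"Failed password for (\S+) from (\d+\.\d+\.\d+\.\d+)")
DROPPED_PKT = re.compile(r"DROP .*SRC=(\d+\.\d+\.\d+\.\d+) DST=(\d+\.\d+\.\d+\.\d+) .*DPT=(\d+)")


def analyze(lines, logon_threshold=5, port_threshold=5):
    """Apply two rules to audit lines and return (rule, source, detail) findings."""
    failures = defaultdict(int)   # source IP -> number of failed logons
    ports = defaultdict(set)      # (source, destination) -> distinct destination ports
    for line in lines:
        m = FAILED_LOGON.search(line)
        if m:
            failures[m.group(2)] += 1
            continue
        m = DROPPED_PKT.search(line)
        if m:
            ports[(m.group(1), m.group(2))].add(int(m.group(3)))
    findings = []
    for src, count in failures.items():
        if count >= logon_threshold:          # rule 1: repeated failed logons
            findings.append(("failed-logon-burst", src, count))
    for (src, dst), dpts in ports.items():
        if len(dpts) >= port_threshold:       # rule 2: many ports probed on one host
            findings.append(("port-scan", src, f"{len(dpts)} ports on {dst}"))
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG.splitlines()):
        print(*finding)
```

The thresholds are deliberately parameters: in practice they are tuned per environment, and the same collector/analyzer split shown here is what a distributed auditing setup centralizes.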
In addition, auditing systems can be implemented in either of the following ways:
● Local auditing: Each system is responsible for collecting and maintaining its own audit information.
● Distributed auditing: Collection of audit information is performed by different systems on a network and either stored centrally for processing or analyzed in a distributed fashion for load balancing of processing.
There is no single standard format for what information should be audited by a system or how it should be stored. Certain standards such as the Security Criteria for Distributed Systems developed by the Institute for Defense Analysis or the Trusted Computer Systems Evaluation Criteria from the National Computer Security Center are helpful in deciding what types of events a computer system should be able to audit, but different vendors usually implement such standards differently. And despite various attempts to standardize audit log formats, particularly on the UNIX platform, there is currently no universal format that has achieved wide acceptance.
See Also: audit log, audit policy, Security Criteria for Distributed Systems, Trusted Computer Systems Evaluation Criteria (TCSEC)
audit log
A log file containing audit information for an application or system.
Overview
Audit logs provide a record of audit information for monitoring the security and accountability of applications and systems. There is no standard or universal format for audit logs, although there have been various attempts at developing such a format, especially on UNIX platforms. Examples of such proposed standard audit file formats include
● Bishop’s Standard Audit Trail Format
● Normalized Audit Data Format (NADF)
Implementation
On Microsoft Windows platforms, auditing is controlled by audit policies configured using Local Security Policy or Group Policy, depending on whether machines are running in a workgroup or Active Directory service scenario. Microsoft Windows platforms support auditing of file system objects, printers, Active Directory, and security events such as logons and privilege use.
Most UNIX systems maintain various types of auditing information including the following:
● Logon logs: These maintain a record of console logons, use of rsh, and sessions for telnet, File Transfer Protocol (FTP), and X. Logon logs are usually located either under the /etc or /var hierarchies.
● System logs: These maintain records of various system activities in a set of logs specified by /etc/syslog.conf.