Network Security Threat Matrix
May 2004
By Lawrence Allhands
BlueMotorcycle Consulting
650/704-4821
2830 Flores #18
San Mateo, CA 94403
http://www.bluemotorcycle.com
Abstract – Know your enemy
“If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat.” Sun Tzu, The Art of War
Network security is a constantly moving target. A war of ever changing tactics is being waged 24/7 against your home and business networks.
Unfortunately, the enemy needs to be lucky only once to succeed; we, the defenders, must be lucky all the time.
To fully understand the scope of the threat, one must survey the battlefield and know well the tactics of the enemy. The purpose of this paper is to identify some of the major elements of the battlefield and the common modus operandi of today’s cyber enemy.
Probability Level: Specific Event
• Occasional: Will occur several times
• Probable: Likely to occur sometime
• Remote: Possible to occur, but unlikely
• Improbable: Very unlikely, may never be experienced
Severity Level: Characteristics
• Catastrophic: System loss or severe damage
• Critical: Severe damage to major systems
• Marginal: Minor system performance degradation
• Negligible: Nuisance, slight performance degradation
Potential Vulnerability Level

Severity        Occasional   Probable   Remote   Improbable
Catastrophic         5           5         4          3
Critical             5           4         3          2
Marginal             4           3         2          1
Negligible           3           2         1          1

(5=High, 4=Med-High, 3=Med, 2=Med-Low, 1=Low)
Figure 1
Network Security Threats
Outside Threats (Human)
Risk Analysis: 5 (High)
Occasional occurrences with Critical impact
Individuals or groups of individuals that attempt to penetrate systems through computer networks, public switched telephone networks or other sources. These attacks generally target known security vulnerabilities of systems.
Insiders, hackers and "Script Kiddies" are the main components of the human threat factor.
These threats can be broken down into four primary sub-sets:
Corporate (Industrial) Espionage
• The primary attribute and motivation is access to systems or information for economic or strategic objectives. Currently, this is the highest growth area both in terms of number of intrusions and monetary damage.
Foreign Espionage
• The primary attribute and motive is access to systems or information for national economic or strategic objectives.
Terrorism (Foreign and Domestic)
• The primary attribute and motive is the disruption or destruction of a target’s key infrastructure components.
Hacker Community
• Members usually act independently in pursuit of personal goals. Their motive can be defined as the challenge or thrill of gaining access to a computer system. They may work in groups to achieve their goals.
Hosts
Risk Analysis: 5 (High)
Occasional occurrences with Critical impact
flaws which vendors fix with software patches. Unpatched systems can be a major security risk. Inadequate physical security can also lead to a compromise of the host.
Vendor software is often received without appropriate software patches installed, and requires further action by System Administrators to install the additional patches. These patches often close significant security vulnerabilities within operating systems that could otherwise be exploited. If the vulnerabilities are exploited, including physical access, unauthorized users can obtain privileged status and gain access to critical information and technology.
Services
Risk Analysis: 5 (High)
Occasional occurrences with Critical impact
Some system services are security risks to the host computer and can be easily compromised to gain privileged system access. Some services such as tftp, nfs, nis, and the r commands present significant security risks that are not easily countered.
Compromises of system services present a grave concern to the security of the system. Most of these services operate at the system level and with system privileges. These services are well documented, well analyzed and subverted by the hacker community.
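A first audit step for the services named above is to check which of them are still launched from inetd. The following is an added example written for this page, not a BlueMotorcycle tool: it parses the traditional inetd.conf layout and flags enabled entries for tftp and the r commands (rsh, rlogin, rexec appear under their inetd names shell, login, exec); the sample configuration is constructed.

```python
"""Flag risky legacy services that are still enabled in an inetd.conf."""

# Services the paper singles out that are launched from inetd. In inetd.conf
# the r commands appear under their inetd names: "shell" = rsh, "login" =
# rlogin, "exec" = rexec. nfs and nis (ypserv) run as standalone daemons,
# so they must be checked separately (not covered here).
RISKY_SERVICES = {"tftp", "shell", "login", "exec"}


def parse_inetd_conf(text):
    """Yield (service, enabled) for each service entry in inetd.conf text.

    Traditional layout, one entry per line:
      service socket_type proto wait/nowait user server_path [args...]
    A leading '#' disables the entry; blank and comment-only lines are skipped.
    """
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        enabled = not line.startswith("#")
        fields = line.lstrip("#").split()
        if len(fields) < 6:      # not a full entry (e.g. a prose comment)
            continue
        yield fields[0], enabled


def audit_inetd(text):
    """Return the sorted list of risky services that are currently enabled."""
    return sorted({svc for svc, on in parse_inetd_conf(text)
                   if on and svc in RISKY_SERVICES})


# Constructed sample configuration, not taken from any real host.
SAMPLE_INETD_CONF = """\
# /etc/inetd.conf (constructed sample)
ftp     stream  tcp  nowait  root  /usr/sbin/tcpd  in.ftpd -l -a
#telnet stream  tcp  nowait  root  /usr/sbin/tcpd  in.telnetd
shell   stream  tcp  nowait  root  /usr/sbin/tcpd  in.rshd
login   stream  tcp  nowait  root  /usr/sbin/tcpd  in.rlogind
#exec   stream  tcp  nowait  root  /usr/sbin/tcpd  in.rexecd
tftp    dgram   udp  wait    root  /usr/sbin/tcpd  in.tftpd /tftpboot
"""

if __name__ == "__main__":
    for svc in audit_inetd(SAMPLE_INETD_CONF):
        print(f"enabled risky service: {svc}")
```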
Telecommunications
Risk Analysis: 3 (Medium)
Remote occurrences with Critical impact
Network telecommunication components such as bridges, hubs, patch panels, routers, and switches are key equipment pieces that define a network and its
Malicious Code & Viruses
Risk Analysis: 4 (Medium-High)
Occasional occurrences with Marginal impact
Malicious code can attack a system in one of two ways, either internally or externally. Traditionally, the virus has been an internal threat, while the worm, to a large extent, has been a threat from an external source. Trojan Horses generally leave an undocumented "back door" into the system for later exploitation by unauthorized personnel, both employees and non-employees.
There are many avenues by which viruses and malicious code may impact systems, applications, and files. Malicious code can be introduced into a system through ftp or as attachments to e-mail.
Applications
Risk Analysis: 3 (Medium)
Probable occurrences with Marginal impact
Application vulnerabilities can be exploited to gain system privileges. Errant applications can create undocumented vulnerabilities. These vulnerabilities are well documented and exploited in the hacker community.
Application software, because of its reliance on the operating system to provide adequate security, often contains code that can be a detriment to the information processed through the application.
Further, many applications do not behave properly and can interfere with system performance. For example, software that fails to perform adequate bounds checking can invade areas of system memory used by other software packages. This interference can give the user the special privileges afforded the application software, or can result in a total system lock-up.
Firewalls
Risk Analysis: 3 (Medium)
Remote occurrences with Critical impact
Firewalls are an important network security component. Firewalls are the first, not the only, defense against outside attacks. Effective installation can help keep unauthorized users outside the firewall from accessing the network while allowing authorized users to access the network through the firewall. Improper installation and unknown software vulnerabilities are an open invitation to any knowledgeable hacker.
Improper maintenance of the firewall, whether by failure to install the latest software patches or by the improper application of Rules, can facilitate unauthorized access and lead to a loss or compromise of information. Inadequate physical security can also lead to a compromise of the firewall.
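One concrete form of "improper application of Rules" is ordering: in a first-match rule list, a broad allow placed before a narrower deny silently disables the deny. The following is an added example written for this page, not a BlueMotorcycle tool; the rule format and the sample rule set are constructed, and it reports every rule that an earlier rule already fully covers, noting when the earlier rule takes the opposite action.

```python
"""Find shadowed rules in an ordered, first-match firewall rule list."""
import ipaddress

# Constructed rule format (not any vendor's syntax):
#   {"action": "allow"|"deny", "proto": "tcp"|"udp"|"any",
#    "src": CIDR, "dst": CIDR, "dport": int|"any"}


def covers(a, b):
    """True if rule a matches every packet that rule b matches."""
    if a["proto"] not in ("any", b["proto"]):
        return False
    if a["dport"] not in ("any", b["dport"]):
        return False
    for key in ("src", "dst"):
        if not ipaddress.ip_network(b[key]).subnet_of(ipaddress.ip_network(a[key])):
            return False
    return True


def find_shadowed(rules):
    """Return (i, j, inverted) triples: rule i can never match because the
    earlier rule j already matches everything i would. `inverted` is True
    when j takes the opposite action, i.e. the intended policy is silently
    reversed rather than merely redundant."""
    findings = []
    for i, rule in enumerate(rules):
        for j in range(i):
            if covers(rules[j], rule):
                findings.append((i, j, rules[j]["action"] != rule["action"]))
                break  # the first shadowing rule is enough to report
    return findings


# Constructed sample rule set (RFC 1918 and RFC 5737 documentation ranges).
SAMPLE_RULES = [
    {"action": "deny",  "proto": "tcp", "src": "0.0.0.0/0",
     "dst": "192.0.2.0/24", "dport": 23},
    {"action": "allow", "proto": "any", "src": "10.0.0.0/8",
     "dst": "192.0.2.0/24", "dport": "any"},
    {"action": "deny",  "proto": "tcp", "src": "10.1.0.0/16",
     "dst": "192.0.2.10/32", "dport": 22},        # dead: rule 1 allows it first
    {"action": "allow", "proto": "tcp", "src": "198.51.100.0/24",
     "dst": "192.0.2.10/32", "dport": 443},
]

if __name__ == "__main__":
    for i, j, inverted in find_shadowed(SAMPLE_RULES):
        kind = "policy inverted" if inverted else "redundant"
        print(f"rule {i} is shadowed by rule {j} ({kind})")
```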
Files
Risk Analysis: 3 (Medium)
Occasional occurrences with Negligible impact
File permissions should be adequately set so only authorized individuals have access to them in the due performance of their jobs. This includes users as well as administrators. Groups should be effectively used and files appropriately assigned to groups to further restrict access. Minimum access permissions should be defined at the directory level and inherited by files.
In an open environment where users have ultimate control over the accesses to data under their control, it can be expected that file and directory permissions will vary from their optimum settings. Indeed, even system administrators have
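The drift from optimum settings described above can be measured rather than assumed. The following is an added example written for this page, not a BlueMotorcycle tool: it walks a tree and reports world-writable entries and files that grant group or other more than their parent directory does, which is the "defined at the directory level and inherited by files" rule in checkable form. The sample tree it builds under a temporary directory is constructed; it assumes a POSIX filesystem that honours chmod.

```python
"""Audit a directory tree for files whose permissions exceed the policy."""
import os
import stat
import tempfile

PERM_MASK = 0o777  # compare only the owner/group/other rwx bits


def excess_permissions(path):
    """Return (path, reason) findings for the tree under `path`: world-writable
    entries, and files granting group/other bits their directory does not
    (so directory-level minimums are effectively inherited)."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(path):
        dir_mode = os.lstat(dirpath).st_mode & PERM_MASK
        if dir_mode & stat.S_IWOTH:
            findings.append((dirpath, "world-writable directory"))
        for name in filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if stat.S_ISLNK(st.st_mode):
                continue  # symlink mode bits are not meaningful here
            mode = st.st_mode & PERM_MASK
            if mode & stat.S_IWOTH:
                findings.append((full, "world-writable file"))
            extra = (mode & ~dir_mode) & 0o077  # group/other bits the dir lacks
            if extra:
                findings.append((full, f"exceeds directory perms by {extra:04o}"))
    return findings


def build_sample_tree():
    """Create a constructed sample tree for the demo and return its root."""
    root = tempfile.mkdtemp(prefix="permaudit_")
    os.chmod(root, 0o755)
    private = os.path.join(root, "private")
    os.mkdir(private)
    os.chmod(private, 0o750)                    # group may read, others nothing
    for name, mode in (("report.txt", 0o640),   # within the directory's bounds
                       ("notes.txt", 0o644)):   # other-readable: a finding
        open(os.path.join(private, name), "w").close()
        os.chmod(os.path.join(private, name), mode)
    shared = os.path.join(root, "shared")
    os.mkdir(shared)
    os.chmod(shared, 0o777)                     # world-writable: a finding
    return root


if __name__ == "__main__":
    for p, why in excess_permissions(build_sample_tree()):
        print(f"{why}: {p}")
```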
Personnel (Human)
Risk Analysis: 4 (Medium-High)
Occasional occurrences with Marginal impact
Insiders are legitimate users of a system. When they use their access to circumvent security, it is known as an insider attack. Insiders account for nearly 80% of recorded attacks; most of these are inadvertent, but a significant 14% are intentional attacks by insiders.
The primary threat to computer systems has traditionally been the insider attack. Insiders are likely to have specific goals and objectives, and have legitimate access to the system. Insiders can plant Trojan horses, keystroke loggers, or browse through the file system. This type of attack can be extremely difficult to detect or protect against. Their motivation tends to be revenge, though convenience and opportunity contribute significantly to white-collar computer crime.
This particular risk is enhanced and facilitated by the lack of due care or diligence applied to the foregoing threats, and increases or decreases in inverse proportion to the level of effort given to those threats. The importance of a firewall in protecting data from outside access diminishes in direct proportion to the vulnerabilities that are not adequately controlled behind the firewall. While Outsiders are kept at bay, Insiders can be throwing things out the open, gated window.
Any user with physical access to a computer generally has the ability to trivially override any system security. This is certainly true on most UNIX systems by default; anyone with physical access to the machine can break in regardless of the operating system in use. Proper use of passwords just makes entry a little more time consuming.
Change Control
Risk Analysis: 5 (High)
Occasional occurrences with Potentially Catastrophic impact
A change control board should be established to monitor and approve major changes in the network environment that may affect overall security.
Without adequate planning and oversight, modifications to the network architecture may impact security of the entire system and compromise sensitive or proprietary data.
Conclusion
Effective network security cannot be attained through ad hoc measures, but requires a comprehensive policy encompassing the risks previously identified. This policy should then be extracted into a set of procedures and plans to attain the policy goal: the protection and preservation of network resources and data.
Unfortunately, network security is usually an afterthought. The majority of network users begrudgingly adhere to even the most basic security procedures and openly grumble at the hint of any changes in policy.
BlueMotorcycle has formalized a standard security policy system that can be deployed in any environment, a living document that dynamically changes to reflect new, changed, or rescinded requirements. These modifications are based on technology advances and newly identified vulnerabilities, part of a risk assessment process where nothing is in stasis, but dynamic change is all around.