In this chapter, we discussed the concepts of risks, threats, and vulnerabilities and their relationships; defined a formula that may be used to calculate risk; and saw that risk is a product of threats, vulnerabilities, and the value of assets with which we are concerned. We also came up with a possible definition of what constitutes a secure system and what are the requirements to protect such a system. Types of attackers, their motives, and their means were discussed, along with overviews of attack methods. Outlines of risk-management and risk-analysis techniques were discussed from the viewpoint of a risk-based management approach to information security. Understanding that we cannot eliminate all risks, we must nevertheless manage them—reducing, transferring, or accepting risks as appropriate, but never ignoring or rejecting them. Finally, we took a look at how attackers gather information about their targets, which may later be used in an attack, and how we can minimize the leakage of such information.
Here are some of the key points from the certification objectives in Chapter 2.
A secure system is a system that has certain security functionalities and that provides certain assurance that it will function in accordance with and enforce a defined security policy in a known environment, provided it is operated in a prescribed manner.
A trusted system or component has the power to break security policy. Trusted path is the term used to describe the secure communication channel between the user and the software (an application or the operating system itself). A trusted path exists when a mechanism is in place to assure the users that they are indeed interacting with the genuine application or the operating system, and not software that impersonates them.
A threat describes a business asset that is most likely to be attacked. This term defines the cost of an attack weighed against the benefit to the attacker that can be obtained through such an attack. It does not describe when an administrator decides to accept a specific risk.
A vulnerability describes how susceptible your system is to an attack and how likely you are to succumb to an attack if it occurs.
Risk assessment is a critical element in designing the security of systems and is a key step in the accreditation process that helps managers select cost-effective safeguards.
Three factors must be present for an attack of any type to take place and succeed: the attacker must have a motive, an opportunity, and the means to carry out the attack.
Main categories of attackers may be described as script kiddies, amateur hackers, professional hackers, organized hacker groups, corporate hackers, and state-sponsored hackers.
Attack methods differ widely in their sophistication, effectiveness, and other properties; however, all attacks belong to one of the two broad types of attacks: passive attacks or active attacks.
Attacks from disgruntled employees are most dangerous because they have the closest physical and logical access to the internal infrastructure, applications, and data. Disgruntled employees also have a good understanding of the business and technical climate, organization, and capabilities.
The most widely known attacks are eavesdropping, social engineering, buffer overflows, denial of service, spoofing, man in the middle, replay, hijacking, brute force, and dictionary attacks.
The first step in any attack is reconnaissance, or information gathering. At this stage, the attacker's goal is to collect as much information as possible. This stage is very important because the success of the entire attack largely depends on what information attackers have managed to collect.
Public databases and records provide a wealth of information that may be very useful to potential attackers in planning and carrying out an attack. Three such databases are the Domain Name System (DNS), the whois databases, and the IP address allocation databases maintained by the Regional Internet Registries (RIRs).
Utilities such as traceroute, ping, and their variants and incarnations also provide information regarding network topologies, names of network nodes and routers and their location, and other information.
Although much information is public, the goal is to minimize the amount of additional information given out that may help the attackers. Information that should be protected includes the following: types and version numbers of operating systems, versions of server software, details of network topology and infrastructure, and details of security mechanisms.
The following questions will help you measure your understanding of the material presented in this chapter. Read all the choices carefully, because there might be more than one correct answer. Choose all correct answers for each question.
What is a trusted system? (Choose all that apply.)
If A trusts B, and B trusts C, then:
User trust is
What is a threat? (Choose all that apply.)
Vulnerabilities are weaknesses that can be exploited by
Why is risk management important? (Choose all that apply.)
Risk is a product of
Which of the following should be considered when estimating asset value? (Choose all that apply.)
Answers
☑ B and D. A trusted system or component has the power to break one's security policy. Trusted systems are more rigorously designed and tested than untrusted systems. ☒ A and C are incorrect because a high security system is not necessarily a trusted system and trusted systems do not refer to operating systems only.
☑ B. Trust is not transitive. ☒ A and C are incorrect because if A trusts B, and B trusts C, it does not mean that A automatically trusts C, or vice versa. D is incorrect because trust is not symmetric: if A trusts B, it doesn't mean that B trusts A.
☑ C. User trust refers to users' expectations of the reasonable security of systems, which is the responsibility of security administrators who enforce security policy set by management. User trust may also refer to expectations of reasonable operation of systems (hardware and software). ☒ A, B, and D are incorrect because user trust is not guaranteed by trusted systems, it is not defined in security policy, and it is not transitive and bi-directional.
☑ C and D. A threat is anyone or anything that can exploit a vulnerability. Threats to information systems may be grouped into natural, physical, and logical threats. ☒ A and B are incorrect because absence of security mechanisms is not a threat, and threat is not the opposite of assurance.
☑ B and C. Vulnerabilities can be exploited by threats, and malicious hackers can pose a threat. ☒ A and D are incorrect because risks and software bugs do not exploit vulnerabilities—risk is the possibility of an exploit and software bugs are vulnerabilities.
☑ E. All of the answers are correct.
☑ C. This simple formula conveniently shows the relationship between threats, vulnerabilities, and risk. ☒ A, B, and D are incorrect because the correct formula is Threats × Vulnerabilities × Asset value = Risk.
☑ E. All answers are correct. Valuation of information assets is a complex and subjective exercise in which very often no single value is correct; however, the more factors you consider for the purposes of valuation, the more accurate your valuation would be.
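The two answers above (the risk formula and asset valuation) and the chapter's reduce/transfer/accept rule are easier to see working on a small register. The following is an added example, not code from the book: it scores each asset as Threats × Vulnerabilities × Asset value, ranks the register, and picks a treatment by comparing the risk reduction a safeguard buys against its cost. The probability scales, asset names, values and safeguard costs are all constructed figures.

```python
"""Added example (not from the book): a small risk register built on the chapter's
formula Risk = Threats x Vulnerabilities x Asset value, with a reduce/transfer/accept
decision per asset. Scoring scales and all sample figures are constructed."""
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class Asset:
    name: str
    value: float          # asset value in currency units (constructed figure)
    threat: float         # likelihood that a threat acts on this asset, 0.0 to 1.0
    vulnerability: float  # likelihood the attack succeeds if attempted, 0.0 to 1.0


def risk(asset: Asset) -> float:
    """Risk as the chapter defines it: threat x vulnerability x asset value.

    With threat and vulnerability expressed as probabilities this is an expected loss,
    which makes it directly comparable with the cost of a safeguard.
    """
    for p in (asset.threat, asset.vulnerability):
        if not 0.0 <= p <= 1.0:
            raise ValueError("threat and vulnerability must be in [0, 1]")
    if asset.value < 0:
        raise ValueError("asset value must be non-negative")
    return asset.threat * asset.vulnerability * asset.value


def rank(assets: list) -> list:
    """Highest risk first: the order in which safeguards should be considered."""
    return sorted(assets, key=risk, reverse=True)


def treatment(asset: Asset, safeguard_cost: float, residual_vulnerability: float,
              transfer_premium: Optional[float] = None) -> str:
    """Choose one of the chapter's three treatments; 'ignore' is never an option.

    reduce   - the safeguard lowers risk by more than it costs
    transfer - otherwise, if insuring the asset costs less than the risk carried
    accept   - otherwise, a recorded decision to carry the risk
    """
    current = risk(asset)
    after = replace(asset, vulnerability=residual_vulnerability)
    saving = current - risk(after)
    if saving > safeguard_cost:
        return "reduce"
    if transfer_premium is not None and transfer_premium < current:
        return "transfer"
    return "accept"


# Constructed register used by the example run below.
REGISTER = [
    Asset("customer database", value=500_000, threat=0.3, vulnerability=0.5),
    Asset("public web server", value=50_000, threat=0.8, vulnerability=0.4),
    Asset("intranet wiki", value=5_000, threat=0.2, vulnerability=0.6),
]


def example_report() -> dict:
    """Return {asset name: (risk, decision)} for the constructed register, ranked."""
    decisions = {
        "customer database": dict(safeguard_cost=20_000, residual_vulnerability=0.1),
        "public web server": dict(safeguard_cost=20_000, residual_vulnerability=0.1,
                                  transfer_premium=10_000),
        "intranet wiki": dict(safeguard_cost=2_000, residual_vulnerability=0.1),
    }
    return {a.name: (round(risk(a), 2), treatment(a, **decisions[a.name]))
            for a in rank(REGISTER)}


if __name__ == "__main__":
    for name, (r, decision) in example_report().items():
        print(f"{name:20s} risk={r:>10.2f}  treatment={decision}")
```

Because threat and vulnerability are probabilities, the product is an expected loss, so a safeguard is worth buying exactly when the loss it averts exceeds its price; the same comparison answers the "transfer" question against an insurance premium. Every asset receives a recorded decision, which is the point of the chapter's "never ignore" rule.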
For an attack to take place and succeed, which of the following should be present? (Choose all that apply.)
Do insiders pose a threat to information security, and if so, why?
Which of the following has changed with the advent of information systems and the Internet? (Choose all that apply.)
Which of the following may be performed by an attacker during the actual attack? (Choose all that apply.)
Answers
☑ D. All answers are correct. For an attack of any type to take place and to succeed, three factors must be present: the attacker must have a motive, an opportunity, and the means to carry out the attack.
☑ D. Company insiders constitute a higher threat than a person on the street because they have more authorized network access and sensitive knowledge than outsiders. In fact, risks posed by insider attacks are more substantial, require less means to mount, and may result in larger losses than risks posed by outside attackers. They may also be more difficult to detect and recover from. ☒ A, B, and C are incorrect because although insiders are usually bound by employment and confidentiality agreements, that alone doesn't remove the threat. Insiders are subject to access controls, and access to information is not a threat in itself.
☑ A, C, and D. Means, opportunities, and vulnerabilities have changed with the advent of computers and computer networks. ☒ B is incorrect because crime motives have not changed—a theft is a theft, regardless of whether it is a theft of a physical asset or information, and vandalism is vandalism, regardless of whether it occurs at a shop front or a web site.
☑ A, B, and C. Attacks may include installation of backdoors, Trojans, and elevation of privileges. ☒ D is incorrect because destruction of evidence is usually considered a post-attack activity. After the attack took place, the attackers may wish to destroy the evidence.
What are the public sources of information that may be useful to an attacker? (Choose all that apply.)
Are Internet protocols that do not include confidentiality mechanisms vulnerable to sniffing, and if so, why?
Why can't technical measures be used to defend against social engineering?
Which security principles may be used to protect against buffer overflows? (Choose all that apply.)
Which of the following may protect against spoofing attacks?
Continuous authentication protects against
How can you protect systems against brute-force attacks? (Choose all that apply.)
What is the rationale behind nondisclosure of software version numbers and other details of systems? (Choose all that apply.)
Answers
☑ E. All these sources contain information that may potentially be useful to attackers. The only issue is just how useful such information is and how difficult it is to obtain this information.
☑ C. Internet protocols that do not include confidentiality mechanisms are insecure and prone to eavesdropping attacks because they transmit unencrypted information, so passwords and other information sent across the network may easily be captured and misused. ☒ A, B, and D are incorrect because when the protocol was developed does not directly affect its security, there is no such term as anti-sniffing handshakes, and it is not difficult to mount sniffing attacks on the Internet.
☑ A. Social engineering takes on different forms, but the central concept of social engineering is exploiting human qualities or weaknesses to achieve one's aim. The only defense against social engineering is having security-aware and risks-aware staff and management—technological defenses do not protect against social engineering. ☒ B, C, and D are incorrect because social engineering is a real security issue and because technical measures simply do not address social engineering risks.
☑ A, B, and C. What we can do is to design and administer systems in such a way that risks resulting from buffer overflows are understood, minimized, and controlled. Compartmentalization prevents the compromise of the entire system when one compartment is compromised; minimization reduces the potential attack targets and channels; and defense in depth guards against failure of some security controls. ☒ D is incorrect because secure programming is not a security principle. There isn't much we as security administrators can do to fix buffer overflows.
☑ C. The most effective defense against spoofing is the use of cryptographic authentication and digital signatures. ☒ A is incorrect because encryption does not necessarily protect against spoofing. There is no such term as cryptographic initiation (B), and secret addresses don't make sense (D).
☑ C. Continuous authentication protects against hijacking attacks. ☒ Answers A and B are too general. D is incorrect because continuous authentication does not protect against sniffing unless all traffic is encrypted.
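The two answers above (cryptographic authentication against spoofing, continuous authentication against hijacking) describe the same mechanism seen at two moments: proving who sent a message, and keeping on proving it for every message of a live session. The following is an added example, not code from the book: both ends of a session share a key and every frame carries a sequence number and an HMAC-SHA256 tag, so a frame built without the key (spoofing), a frame altered in transit (hijacking), or a frame sent twice (replay) is rejected while the genuine session continues. The key, the framing layout and the messages are constructed; in practice the key would come from an authenticated handshake, which this example does not show.

```python
"""Added example (not from the book): per-message authentication on a session,
showing why an attacker who cannot produce valid tags can neither spoof a
peer nor take over a live session. Key, messages and framing are constructed."""
import hashlib
import hmac
import struct
from typing import Optional

TAG_LEN = hashlib.sha256().digest_size  # 32 bytes
SEQ_LEN = 8


class AuthenticatedChannel:
    """One direction of a session protected by HMAC-SHA256 over (sequence, payload)."""

    def __init__(self, key: bytes):
        self._key = key
        self._send_seq = 0  # last sequence number we sent
        self._recv_seq = 0  # highest sequence number we accepted

    def seal(self, payload: bytes) -> bytes:
        """Frame = 8-byte big-endian sequence || payload || 32-byte HMAC tag."""
        self._send_seq += 1
        header = struct.pack(">Q", self._send_seq)
        tag = hmac.new(self._key, header + payload, hashlib.sha256).digest()
        return header + payload + tag

    def open(self, frame: bytes) -> Optional[bytes]:
        """Return the payload if the frame is authentic and fresh, else None."""
        if len(frame) < SEQ_LEN + TAG_LEN:
            return None
        header, payload, tag = frame[:SEQ_LEN], frame[SEQ_LEN:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self._key, header + payload, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):   # constant-time comparison
            return None                              # forged or modified frame
        (seq,) = struct.unpack(">Q", header)
        if seq <= self._recv_seq:
            return None                              # replayed or reordered frame
        self._recv_seq = seq
        return payload


def demo() -> dict:
    """Run the scenarios the chapter names and report what the server accepted."""
    key = b"constructed-shared-session-key"          # constructed; derive from a real handshake
    client, server = AuthenticatedChannel(key), AuthenticatedChannel(key)

    genuine = client.seal(b"transfer 10")
    tampered = bytearray(genuine)
    tampered[SEQ_LEN] ^= 0x01                        # flip a bit in the payload
    forged = AuthenticatedChannel(b"guess").seal(b"transfer 1000000")

    return {
        "genuine":  server.open(genuine),            # accepted
        "replay":   server.open(genuine),            # same frame again: rejected
        "tampered": server.open(bytes(tampered)),    # altered in transit: rejected
        "forged":   server.open(forged),             # sent without the key: rejected
        "next":     server.open(client.seal(b"balance")),  # session continues normally
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:9s} -> {result!r}")
```

Note what the tag does not do: the payload travels in the clear, which is the chapter's point that continuous authentication does not stop sniffing unless the traffic is also encrypted. The constant-time `hmac.compare_digest` matters because a byte-by-byte comparison would leak, through timing, how much of a guessed tag is right.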
☑ B and C. The defense against brute-force attacks is to make the amount of time and computations required to conduct an exhaustive search impossible to afford by using a sufficiently large set—that is, longer passwords or keys. ☒ A and D are incorrect. The use of strong authentication alone would not guarantee protection against brute-force attacks, and role-based access control does not address the risk of brute-force attacks.
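"A sufficiently large set" can be put into numbers: the search space is alphabet size raised to the length, and what makes it unaffordable is that space divided by the guess rate the attacker can sustain. The following is an added example, not from the book, that computes the search space, its equivalent in bits, the worst-case time to exhaust it, and the smallest length that keeps an exhaustive search above a chosen time budget. The guess rate of ten billion per second and the budgets are constructed placeholders; the real rate depends on the password hashing in use and the attacker's hardware.

```python
"""Added example (not from the book): sizing a password or key so that an exhaustive
search is unaffordable. Guess rates and budgets are constructed placeholders."""
import math

SECONDS_PER_YEAR = 365 * 24 * 3600


def search_space(alphabet_size: int, length: int) -> int:
    """Number of candidates an attacker must cover: alphabet_size ** length."""
    if alphabet_size < 2 or length < 1:
        raise ValueError("need an alphabet of at least 2 symbols and length >= 1")
    return alphabet_size ** length


def bits_of_security(alphabet_size: int, length: int) -> float:
    """Search space expressed as an equivalent key length in bits."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at a constant guess rate."""
    return search_space(alphabet_size, length) / guesses_per_second / SECONDS_PER_YEAR


def minimum_length(alphabet_size: int, guesses_per_second: float, years_required: float) -> int:
    """Smallest length whose exhaustive search takes at least years_required."""
    required = math.ceil(guesses_per_second * years_required * SECONDS_PER_YEAR)
    length = 1
    while search_space(alphabet_size, length) < required:
        length += 1
    return length


def example_table(guesses_per_second: float = 1e10) -> list:
    """(alphabet, length, bits, years) rows for a constructed guess rate."""
    rows = []
    for alphabet, length in [(10, 6), (26, 8), (62, 8), (62, 12), (95, 16)]:
        rows.append((alphabet, length,
                     round(bits_of_security(alphabet, length), 1),
                     years_to_exhaust(alphabet, length, guesses_per_second)))
    return rows


if __name__ == "__main__":
    for alphabet, length, bits, years in example_table():
        print(f"alphabet={alphabet:3d} length={length:2d} ~{bits:6.1f} bits  {years:.3g} years")
    print("128-bit symmetric key space:", search_space(2, 128))
```

The table makes the chapter's point visible: an 8-character lowercase password is gone in seconds at that rate, while adding length moves the cost up by a factor of the alphabet size per character, which no amount of "strong authentication" elsewhere in the design compensates for if the secret itself is short.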
☑ E. All of the answers are correct. It is important to protect software version numbers and other details of your systems in order to make attackers spend more time and effort on an attack, to avoid easy identification of bugs and vulnerabilities of deployed software, to avoid or minimize script kiddie attacks, and to comply with principles of minimization and least privilege.
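The key point earlier in the chapter lists "versions of server software" among the details to withhold, and this answer gives the reason; the practical check is to look at what your own servers volunteer in their response headers. The following is an added example, not code from the book: it parses a raw HTTP response and flags the headers that commonly carry product or version strings, distinguishing a full version disclosure from a bare product name. The two sample responses are constructed, and the list of header names is a common set, not an exhaustive one.

```python
"""Added example (not from the book): auditing your own HTTP responses for the version
and platform details the chapter says to withhold. The two sample responses are
constructed; the header names checked are common ones, not an exhaustive list."""
import re
from typing import Dict, List, Tuple

# Headers that commonly reveal server software, platform or framework versions.
DISCLOSING_HEADERS = ("server", "x-powered-by", "x-aspnet-version",
                      "x-aspnetmvc-version", "x-generator")
VERSION_RE = re.compile(r"\b\d+\.\d+(?:\.\d+)*\b")


def parse_response_headers(raw: str) -> Tuple[str, Dict[str, str]]:
    """Split a raw HTTP response into its status line and a lower-cased header map."""
    head = raw.split("\r\n\r\n", 1)[0]
    status, *lines = head.split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return status, headers


def disclosures(raw: str) -> List[Tuple[str, str, str]]:
    """Return (header, value, level) for each disclosing header present.

    level is 'version' when a version number is exposed, 'product' when only the
    product or platform name is (less precise, but still a hint for an attacker).
    """
    _, headers = parse_response_headers(raw)
    findings = []
    for name in DISCLOSING_HEADERS:
        if name in headers:
            value = headers[name]
            level = "version" if VERSION_RE.search(value) else "product"
            findings.append((name, value, level))
    return findings


# Constructed responses: a default installation versus a hardened one.
VERBOSE = ("HTTP/1.1 200 OK\r\n"
           "Server: Apache/2.4.41 (Ubuntu)\r\n"
           "X-Powered-By: PHP/7.4.3\r\n"
           "Content-Type: text/html\r\n\r\n<html></html>")
HARDENED = ("HTTP/1.1 200 OK\r\n"
            "Content-Type: text/html\r\n\r\n<html></html>")


if __name__ == "__main__":
    for label, raw in (("verbose", VERBOSE), ("hardened", HARDENED)):
        print(label, disclosures(raw) or "no disclosing headers")
```

Run against a response captured from one of your own hosts, a `version` finding is the case the answer describes: the attacker learns exactly which release is deployed and can go straight to its known bugs. Reducing the banner to a product name (Apache's `ServerTokens Prod`, nginx's `server_tokens off`) narrows that to a `product` finding; removing or rewriting the header at the reverse proxy eliminates it. Headers are only one channel, so the same minimization applies to error pages, default files and application framework footers.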