Types of attacks on information systems
(c) egoriwe999


The rapid growth in popularity of Internet technologies has been accompanied by a growth in serious threats: disclosure of personal data, of critically important corporate resources, of state secrets, and so on. Every day attackers threaten network information resources by trying to gain access to them through specially crafted attacks. These attacks are becoming ever more refined in their effect and ever simpler to carry out. Two main factors contribute to this. First, the widespread penetration of the Internet. Today millions of computers are connected to the network, and many millions more will be connected in the near future, so the probability that attackers reach vulnerable computers and computer networks grows constantly. In addition, the ubiquity of the Internet lets attackers exchange information on a global scale. Second, the wide availability of easy-to-use operating systems and development environments. This factor dramatically lowers the level of knowledge an attacker needs. Previously, an attacker needed good knowledge and programming skills to create and distribute malware. Now, to get into someone else's computer, it is enough to know the IP address of the target site, and carrying out the attack takes a mouse click.

Information security problems in corporate computer networks are driven by security threats to local workstations and local area networks, and by attacks on corporate networks that have access to public data networks. Network attacks are as diverse as the systems they target. Some attacks are very complex. Others can be carried out by an ordinary operator who does not even suspect what consequences his actions may have. An intruder carrying out an attack usually has one of the following goals:

• violation of the confidentiality of transmitted information;
• violation of the integrity and reliability of the transmitted information;
• malfunction of the system as a whole or of its individual parts.

From a security standpoint, distributed systems are characterized primarily by the presence of remote attacks, because the components of distributed systems usually communicate over open data channels, and an intruder can not only passively listen to the transmitted information but also modify the transmitted traffic (active influence). While an active influence on traffic can be detected, a passive one is almost undetectable. And since, during the operation of distributed systems, service information is also exchanged between system components over open data channels, that service information becomes as much a target of attack as the user's data.

Access attacks

An access attack is an attempt by an attacker to obtain information he has no permission to see. An access attack is aimed at violating the confidentiality of information.

Eavesdropping (sniffing). For the most part, data is transmitted over computer networks in an insecure format (plain text), which allows an attacker who has gained access to the network's data lines to eavesdrop on or read the traffic. Eavesdropping on computer networks is done with a sniffer. A packet sniffer is an application program that intercepts all network packets transmitted over a specific segment. Today sniffers are used in networks on an entirely legal basis, for fault diagnosis and traffic analysis. However, because some network applications transmit data in text form (Telnet, FTP, SMTP, POP3, etc.), a sniffer can reveal useful and sometimes confidential information, such as usernames and passwords. The threat of packet sniffing can be countered with the following measures and tools: one-time passwords for authentication; installation of hardware or software that recognizes sniffers; cryptographic protection of communication channels.

Hijacking (interception). Unlike eavesdropping, interception is an active attack: the attacker seizes information while it is in transit to its destination. Interception of names and passwords is particularly dangerous, because users often use the same login and password for many applications and systems; many users have a single password for access to all resources and applications. If an application runs in client/server mode and the authentication data is transmitted over the network in plain text, this information is likely to be usable for access to other corporate or external resources.
In the worst case, an attacker gains system-level access to a user's resource and uses it to create the attributes of a new user, which can then be used at any time to access the network and its resources.

Session hijacking. After a legitimate user has completed the initial authentication for a connection, for example to a mail server, the attacker switches the connection to a new node and the original server is instructed to disconnect. As a result, the legitimate user's "interlocutor" is imperceptibly replaced. Having gained access to the network, the attacker has wide opportunities:

• he may send incorrect data to applications and network services, causing them to crash or to function incorrectly;
• he may flood the computer or the entire network with traffic until the system stops because of overload;
• finally, he may block traffic, causing authorized users to lose access to network resources.
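The one-time passwords recommended above against sniffing and interception work because a code captured on the wire cannot be presented a second time. The following added example (not from the original article) implements the HOTP algorithm of RFC 4226 and a server-side verifier that refuses replayed codes; the secret (the RFC's test-vector key), the look-ahead window and the login scenario are constructed for illustration.

```python
"""Why one-time passwords blunt sniffing: a captured code is useless once used."""
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP value as defined in RFC 4226 (HMAC-SHA-1 with dynamic truncation)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class OtpServer:
    """Server-side verifier that never accepts the same counter value twice."""

    def __init__(self, secret: bytes, look_ahead: int = 5):
        self.secret = secret
        self.look_ahead = look_ahead   # tolerate a few codes the client skipped
        self.last_counter = -1         # highest counter already consumed

    def verify(self, code: str) -> bool:
        # Only counters beyond the last accepted one are tried, so a code
        # observed by a sniffer (and already used) can never be replayed.
        first = self.last_counter + 1
        for c in range(first, first + self.look_ahead):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.last_counter = c
                return True
        return False


def replay_scenario() -> dict:
    """Constructed scenario: a passive sniffer records what the client sends."""
    secret = b"12345678901234567890"   # RFC 4226 test-vector secret (constructed use)
    server = OtpServer(secret)
    client_counter = 0
    wire_log = []                      # everything the sniffer saw on the wire
    results = {}

    # Legitimate login: the client sends HOTP(counter=0).
    code = hotp(secret, client_counter)
    wire_log.append(code)
    results["legit_login"] = server.verify(code)
    client_counter += 1

    # Attacker replays the sniffed code: rejected, counter 0 is already consumed.
    results["replayed_code"] = server.verify(wire_log[0])

    # Attacker "increments" the sniffed digits hoping codes are sequential: rejected.
    guess = str((int(wire_log[0]) + 1) % 10 ** 6).zfill(6)
    results["guessed_code"] = server.verify(guess)

    # The legitimate user logs in again with a fresh code: accepted.
    results["second_legit_login"] = server.verify(hotp(secret, client_counter))
    return results
```

A static password captured in the same way would have been accepted on every replay; the verifier's state (last_counter) is what turns the captured value into a one-shot secret.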

Modification attacks

A modification attack is an attempt to change information illegitimately. Such an attack is possible wherever information exists or is transmitted; it is aimed at violating the integrity of information.

Data change. An attacker who is able to read someone else's data can take the next step and change it. The data in a packet can be changed even if the attacker knows nothing about either the sender or the recipient.

Adding data. Another type of attack is the addition of new data, for example records about the history of past periods. The cracker performs an operation in a banking system as a result of which funds from a customer's account are transferred to his own account.

Data deletion. A deletion attack means removing existing data, for example cancelling the record of transactions from the bank's balance sheet, so that, as a result, the withdrawn funds remain on it.
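To show how the three modification attacks above (change, addition, deletion) can be detected, here is an added example (not part of the original article) that seals a constructed transaction ledger with a keyed hash chain and reports what kind of tampering it finds; the key, the record layout and the ledger contents are assumptions made for the demonstration.

```python
"""Detecting data change, data addition and data deletion in a transaction log."""
import hashlib
import hmac
import json

KEY = b"constructed-demo-key-do-not-reuse"   # secret held by the verifying party only


def _canonical(record: dict) -> bytes:
    # Stable serialization so that the same record always hashes to the same bytes.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def _link(prev: bytes, index: int, record: dict, key: bytes) -> bytes:
    # Each tag covers the previous tag, the position and the record itself.
    data = prev + index.to_bytes(4, "big") + _canonical(record)
    return hmac.new(key, data, hashlib.sha256).digest()


def seal(records: list, key: bytes = KEY) -> dict:
    """Chain an HMAC over every record; a change, insertion or removal anywhere
    breaks the tag at that position and every tag after it."""
    tags, prev = [], b"\x00" * 32
    for i, rec in enumerate(records):
        prev = _link(prev, i, rec, key)
        tags.append(prev.hex())
    return {"count": len(records), "tags": tags, "final": prev.hex()}


def verify(records: list, seal_info: dict, key: bytes = KEY) -> str:
    """Return 'ok' or a description of the first tampering detected."""
    if len(seal_info["tags"]) != seal_info["count"]:
        return "seal malformed"
    if len(records) != seal_info["count"]:
        kind = "deleted" if len(records) < seal_info["count"] else "added"
        return f"record count mismatch: record(s) {kind}"
    prev = b"\x00" * 32
    for i, rec in enumerate(records):
        prev = _link(prev, i, rec, key)
        if not hmac.compare_digest(prev.hex(), seal_info["tags"][i]):
            return f"record {i} modified"
    if not hmac.compare_digest(prev.hex(), seal_info["final"]):
        return "final tag mismatch"
    return "ok"


def scenarios() -> dict:
    """Constructed bank-style ledger and the three attacks described in the text."""
    ledger = [
        {"id": 1, "from": "acct-100", "to": "acct-200", "amount": 50.00},
        {"id": 2, "from": "acct-300", "to": "acct-100", "amount": 120.00},
        {"id": 3, "from": "acct-200", "to": "acct-400", "amount": 15.50},
    ]
    sealed = seal(ledger)
    out = {"untouched": verify(ledger, sealed)}

    # Data change: a transfer is redirected to the attacker's account.
    changed = [dict(r) for r in ledger]
    changed[1]["to"] = "acct-666"
    out["changed"] = verify(changed, sealed)

    # Adding data: a fabricated "historical" transfer to the attacker is appended.
    added = ledger + [{"id": 4, "from": "acct-100", "to": "acct-666", "amount": 900.00}]
    out["added"] = verify(added, sealed)

    # Data deletion: the record of a withdrawal disappears from the ledger.
    deleted = ledger[:2]
    out["deleted"] = verify(deleted, sealed)
    return out
```

The seal has to be stored where the attacker cannot overwrite it together with the records, and the key must stay with the verifying party; without the key no valid tag can be produced for altered data.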

Denial of Service Attacks

Denial-of-service (DoS) attacks differ from attacks of the other types. They are not intended to gain access to a network or to retrieve any information from it. A DoS attack makes an organization's network unavailable for normal use by exceeding the operating limits of the network, the operating system or an application. In effect, such an attack deprives ordinary users of access to the organization's network resources or computers. Most DoS attacks are based on common weaknesses in system architecture. With some server applications (such as a web or FTP server), a DoS attack may consist of occupying all the connections available to the application and keeping them busy, so that ordinary users cannot be served. DoS attacks can use ordinary Internet protocols such as TCP and ICMP (Internet Control Message Protocol). DoS attacks are difficult to prevent because preventing them requires coordination with the provider: if the traffic intended to congest the network is not stopped at the provider, nothing more can be done at the entrance to the network, because the entire bandwidth will already be consumed. When an attack of this type is carried out simultaneously from many devices, it is called a distributed denial-of-service attack (DDoS, Distributed DoS). The ease of carrying out DoS attacks and the enormous damage they cause to organizations and users draw the close attention of network security administrators to these attacks.

Denial of access to information. As a result of a DoS attack directed against information, the information becomes unusable: it is destroyed, distorted or moved to an inaccessible place.

Denial of access to applications. Another type of DoS attack is aimed at the applications that process or display information, or at the computer system on which those applications run. If such an attack succeeds, the tasks performed with the application can no longer be carried out.

Denial of access to the system. A common type of DoS attack aims to disable the computer system itself, so that the system, the applications installed on it and all the information stored on it become unavailable.

Denial of access to communications. The target of this attack is the communication environment. The integrity of the computer system and its information is not violated, but the loss of the means of communication deprives users of access to these resources.

Combined attacks

A combined attack is the attacker's use of several interrelated actions to achieve his goal.

Substitution of a trusted entity. Most networks and operating systems use a computer's IP address to determine whether it is the intended recipient. In some cases an incorrectly assigned IP address (the sender's IP address replaced with another address) is an attack method called address falsification, or IP spoofing. IP spoofing occurs when an attacker, inside the corporate network or outside it, impersonates a legitimate user. The attacker may use an IP address that lies within the range of authorized IP addresses, or an authorized external address that is allowed access to certain network resources. The attacker may also use special programs that craft IP packets so that they appear to originate from permitted internal addresses of the corporate network. IP spoofing attacks are often the starting point for other attacks. The classic example is a denial-of-service (DoS) attack launched from someone else's address, which hides the attacker's real identity. Usually IP spoofing is limited to inserting false information or malicious commands into the normal flow of data transmitted between client and server applications, or over the communication channel between peers. The threat of spoofing can be reduced (but not eliminated) by the following measures: correct configuration of access control for external networks; stopping attempts by the network's own users to spoof other networks' addresses. Bear in mind that IP spoofing is possible only when user authentication is based on IP addresses, so introducing additional methods of user authentication (based on one-time passwords or other cryptographic techniques) can prevent IP spoofing attacks.

Mediation. A "mediation" attack involves active eavesdropping, interception of the transmitted data by an invisible intermediate node, and control over that data.
When computers interact at the network level, they cannot always determine with whom they are exchanging data. Mediation in the exchange of unencrypted keys is the man-in-the-middle attack. To carry out a man-in-the-middle attack, the attacker needs access to the packets transmitted over the network. Such access to all packets passing from an ISP to any other network may, for example, be obtained by an employee of that provider. Attacks of this type use packet sniffers, transport protocols and routing protocols.

More generally, man-in-the-middle attacks are carried out in order to steal information, intercept the current session and gain access to private network resources, analyze traffic and obtain information about the network and its users, conduct DoS attacks, distort the transmitted data, and inject unauthorized information into network sessions. Man-in-the-middle attacks can be fought effectively only with cryptography; a Public Key Infrastructure (PKI) is used to counter attacks of this type.

Exploit attack. An exploit is a computer program, a piece of program code or a sequence of commands that takes advantage of vulnerabilities in software and is used to carry out an attack on a computer system. The goal of the attack may be either seizing control of the system or disrupting its operation (a DoS attack).

Depending on how the vulnerable software is accessed, exploits are divided into remote and local:

• a remote exploit works over a network and exploits the vulnerability without any prior access to the vulnerable system;
• a local exploit is launched directly on the vulnerable system and requires prior access to it. It is commonly used by the attacker to obtain superuser rights.

An exploit attack can be aimed at various components of a computer system: server applications, client programs or operating system modules.

Password attacks. The purpose of these attacks is to capture the login and password of a legitimate user. Attackers can carry out password attacks using methods such as:

• IP address substitution (IP spoofing);
• eavesdropping (sniffing);
• simple enumeration (brute-force search).


Guessing the key. A cryptographic key is a code or number needed to decrypt protected information. Although learning the access key is difficult and such attempts require considerable resources, it is nonetheless possible. In particular, a special program implementing exhaustive search can be used to determine the value of the key. A key to which the attacker has gained access is called compromised. The attacker uses a compromised key to access protected data without the knowledge of the sender and the recipient; the key makes it possible to decrypt and edit the data.

Application-level attacks. These attacks can be carried out in several ways. The most common is the exploitation of known vulnerabilities in server software (FTP, HTTP, web server). The main problem with application-level attacks is that attackers often use ports that are allowed through firewalls. Information about application-level attacks is widely published so that administrators can fix the problem with corrective modules (patches). Unfortunately, many attackers also have access to this information, which allows them to learn from it. Application-level attacks cannot be completely ruled out: intruders constantly discover new application vulnerabilities and publish them on their sites on the Internet.

Good system administration is important here. To reduce vulnerability to attacks of this type, the following measures can be taken:

• analyze operating system logs and network log files using special analytical programs;
• monitor CERT data on application vulnerabilities;
• use the latest versions of operating systems and applications and the latest corrective modules (patches);
• use intrusion detection systems (IDS).

Network traffic analysis. The purpose of attacks of this type is to eavesdrop on communication channels and analyze the transmitted data and service information in order to study the network topology and the system architecture and to obtain critical user information (such as user passwords or credit card numbers transmitted in the clear). Protocols such as FTP and Telnet are prone to attacks of this type, since in them the user name and password are transmitted in the clear.

Network intelligence. Network intelligence is the collection of information about a network using publicly available data and applications. When preparing an attack against a network, the attacker usually tries to obtain as much information about it as possible.

Network intelligence is conducted in the form of DNS queries, ICMP probing (ping sweep) and port scanning. DNS queries help to understand who owns a given domain and which addresses belong to that domain. ICMP probing of the addresses revealed through DNS shows which hosts in the network are actually up. Having obtained the list of hosts, the attackers use port scanners to compile a complete list of the services supported by those hosts. The result is information that can be used for a break-in.

Abuse of trust. This type of action is not an attack in the full sense of the word. It is a malicious use of trust relationships that exist in a network. A typical example of such abuse is the situation in the perimeter part of a corporate network, where the DNS, SMTP and HTTP servers are usually located. Because they all belong to the same segment, compromising one leads to compromising all the others, since these servers trust the other systems in their network. The risk of trust abuse can be reduced by tighter control of the levels of trust within the network. Systems located outside the firewall should never be given absolute trust by systems protected by the firewall. Trust relationships should be limited to specific protocols and, where possible, authenticated not only by IP address but by other parameters as well.

Phishing. Phishing is a relatively new type of Internet fraud whose purpose is to obtain user credentials: passwords, credit card numbers, bank account numbers, PINs and other confidential information that gives access to the user's money. Phishing does not exploit technical shortcomings of software but the gullibility of Internet users. The term phishing itself echoes fishing, and stands for password harvesting fishing, that is, fishing for passwords. Indeed, phishing is very similar to fishing.
The attacker casts lures into the Internet and "catches" all the "fish", the Internet users who take the bait. The attacker creates an almost exact copy of the site of a selected bank (electronic payment system, auction, etc.). Then, using spam technology, he sends an e-mail composed to resemble as closely as possible a letter from that bank. The letter uses the bank's logos and the names of real bank managers. Such a letter usually states that, because of a change in the security software of the Internet banking system, the user must confirm or change his credentials. The reason given for changing the data may be a failure of the bank's software or an attack by criminals. A plausible legend that motivates the user to take the required action is an essential component of the fraudulent fishermen's success. In all cases the purpose of such letters is the same: to make the user click the links provided and then enter his confidential data (password, account number, PIN code) on the fake site of the bank (electronic payment system, auction). Arriving at the fake site, the user enters his confidential data in the corresponding fields, after which the scammers gain access to his mailbox at best, and to his electronic account at worst. The success of phishing scams is helped by users' low awareness of the operating rules of the companies on whose behalf the criminals act. In particular, about 5% of users do not know the simple fact that banks do not send letters asking to confirm a credit card number and PIN online. Spam filters remain the basic protection against phishing. Unfortunately, software tools for phishing protection have limited effectiveness, because attackers exploit primarily not software vulnerabilities but human psychology. A concept related to phishing has emerged: pharming.
Pharming. This is another type of fraud aimed at obtaining users' personal data, not through mail but directly through official websites. Pharmers replace the digital addresses of legitimate websites on DNS servers with fake ones, so that users are redirected to fraudulent sites. This type of fraud is even more dangerous, because the fake is almost impossible to notice. Technical means of protection against phishing and pharming are being developed, in particular plug-ins for popular browsers. The essence of the protection is blocking sites that are blacklisted as fraudulent resources. The next step may be one-time password systems for Internet access to bank accounts and payment-system records, and the widespread use of additional layers of protection that combine a password with a USB hardware key.

Use of botnets. A botnet (zombie network) is a network of computers infected with malware that allows cybercriminals to remotely control the infected machines (each one separately, a subset of the computers in the network, or the entire network) without the users' knowledge. Such programs are called bots. Botnets have powerful computing resources, are a dangerous cyber weapon and a good way for criminals to make money. The botnet owner can control an infected machine in the network from anywhere: from another city, country or even another continent, and the organization of the Internet allows this to be done anonymously. Control of a computer infected with a bot can be direct or indirect. In the case of direct control, the attacker can establish a connection with the infected computer and manage it using the commands built into the body of the bot program.

In the case of indirect control, the bot itself connects to the control center or to other machines in the network, sends a request and executes the command it receives. In either case the owner of the infected machine usually does not even suspect that it is being used by attackers. This is why computers infected with a malicious bot program and under the covert control of cybercriminals are also called zombie computers, and the network they belong to a zombie network. Most zombie machines are the personal computers of home users. Botnets can be used by attackers for criminal tasks of various scales, from sending spam to attacks on state networks.

Anonymous network access. Attackers can access servers on the Internet through zombie machines and commit cybercrimes on behalf of the infected machines, such as hacking websites or transferring stolen money.

Sale and rental of botnets. One way of earning money illegally with botnets is renting out a botnet or selling a ready-made network. Creating botnets for sale is a separate branch of the cybercrime business.

Theft of confidential data. This type of criminal activity constantly attracts cybercriminals, and with botnets the "catch" (passwords for access to e-mail, FTP resources and web services, and other confidential user data) increases thousands of times. The bot that infected the computers in a zombie network can download another malicious program, such as a Trojan that steals passwords. In that case every computer in the zombie network will be infected with the Trojan, and the attackers will be able to obtain passwords from all the infected machines. Stolen passwords are resold or used, in particular, for mass infection of web pages (for example using the passwords of all the FTP accounts found) in order to spread the bot malware further and expand the zombie network.
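The ping sweep and port scan described under network intelligence above leave a recognizable footprint in firewall logs. As an added example (not from the original article), the following detector counts distinct ICMP targets per source and distinct ports per source-destination pair inside a one-minute window; the log line format, the thresholds, the addresses and the sample lines are all constructed for the demonstration.

```python
"""Spotting a ping sweep and a port scan in firewall logs."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format for this example (not any real firewall's):
# <ISO timestamp> <action> proto=<ICMP|TCP|UDP> src=<ip> dst=<ip> [dport=<n>]
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>\w+) proto=(?P<proto>\w+) src=(?P<src>[\d.]+) "
    r"dst=(?P<dst>[\d.]+)(?: dport=(?P<dport>\d+))?$"
)

SWEEP_HOSTS = 8     # distinct ICMP targets from one source within WINDOW
SCAN_PORTS = 10     # distinct ports on one host from one source within WINDOW
WINDOW = timedelta(seconds=60)


def parse(lines):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
            yield ev


def _max_distinct_in_window(events):
    """Largest number of distinct values observed inside any WINDOW-long span."""
    events.sort()
    best = 0
    for i, (start, _) in enumerate(events):
        vals = {v for ts, v in events[i:] if ts - start <= WINDOW}
        best = max(best, len(vals))
    return best


def detect_recon(lines):
    """Return ('ping_sweep', src, hosts) and ('port_scan', src, dst, ports) alerts."""
    icmp_targets = defaultdict(list)   # src -> [(ts, dst)]
    ports = defaultdict(list)          # (src, dst) -> [(ts, dport)]
    for ev in parse(lines):
        if ev["proto"] == "ICMP":
            icmp_targets[ev["src"]].append((ev["ts"], ev["dst"]))
        elif ev["dport"] is not None:
            ports[(ev["src"], ev["dst"])].append((ev["ts"], int(ev["dport"])))

    alerts = []
    for src, seen in icmp_targets.items():
        n = _max_distinct_in_window(seen)
        if n >= SWEEP_HOSTS:
            alerts.append(("ping_sweep", src, n))
    for (src, dst), seen in ports.items():
        n = _max_distinct_in_window(seen)
        if n >= SCAN_PORTS:
            alerts.append(("port_scan", src, dst, n))
    return alerts


def sample_log():
    """Constructed lines: a sweep of ten hosts, a scan of twelve ports, plus benign noise."""
    base = datetime(2024, 5, 1, 10, 0, 0)

    def stamp(delta):
        return (base + delta).strftime("%Y-%m-%dT%H:%M:%SZ")

    lines = []
    for i in range(1, 11):             # ten hosts probed within ten seconds
        lines.append(f"{stamp(timedelta(seconds=i))} DROP proto=ICMP src=203.0.113.7 dst=192.0.2.{i}")
    for i, port in enumerate([21, 22, 23, 25, 53, 80, 110, 143, 443, 445, 3389, 8080]):
        lines.append(f"{stamp(timedelta(seconds=20 + i))} DROP proto=TCP src=203.0.113.7 dst=192.0.2.5 dport={port}")
    for i in range(30):                # one client repeatedly using one web server: benign
        lines.append(f"{stamp(timedelta(seconds=i))} ACCEPT proto=TCP src=198.51.100.4 dst=192.0.2.80 dport=443")
    for i in range(9):                 # nine pings spread over nine minutes: below threshold
        lines.append(f"{stamp(timedelta(minutes=i))} ACCEPT proto=ICMP src=198.51.100.9 dst=192.0.2.{i + 1}")
    return lines
```

The window matters as much as the thresholds: the slow ping series in the sample never shows more than two distinct targets per minute and so stays silent, which is also why patient reconnaissance needs longer windows or cross-host correlation to catch.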

These attacks on IP networks are possible for a number of reasons:

• use of public data channels: the most important data is transmitted over the network in unencrypted form;
• vulnerabilities in the authentication procedures implemented in the TCP/IP stack: identifying information at the IP level is transmitted in the clear;
• lack of mechanisms in the base version of the TCP/IP protocol stack to ensure the confidentiality and integrity of transmitted messages;
• the sender is authenticated by his IP address; authentication is performed only at the stage of establishing the connection, and after that the authenticity of the received packets is not checked;
• lack of control over the route of messages on the Internet, which leaves remote network attacks virtually unpunished.

