The (network) Attack Process

Types of attackers

There are many kinds of "attackers", with a wide variety of goals and different levels of experience. Trying to classify them properly is therefore difficult: some classifications distinguish 26 types of "attacker", but these do not necessarily help with the concrete design of a secure architecture.

The categorization presented here is kept simple and is aimed at the network designer. Broadly speaking, there are three types of attackers:

1. script kiddies (the newbies)

2. crackers

3. elite

listed in this order in proportion to their numbers.

Attackers cannot be identified with certainty, so the categorization presented here is based only on empirical data.

Script kiddie

At the bottom of the classification are the "script kiddies", so called because stereotypically they are young and have no real talent, so they need scripts to do most of their work. Although they do not have great computing knowledge, they generally know more than ordinary users about computer protection and common vulnerabilities. Their motives vary, but they generally attack indiscriminately. Script kiddies prefer to attack with a sequence they have already learned, repeating it against any PC that is vulnerable to it.

Hoping that no reader wants to become a script kiddie, it is still useful to understand how easy it is nowadays to become one and cause real damage on the Internet. Here is an example of how to become a script kiddie in seven easy steps:

  1. Install some LINUX/UNIX distribution on a PC.
  2. Spend a lot of time on IRC and learn the jargon.
  3. Subscribe to BugTraq and vuln-dev. There is no need to contribute to any discussion; these lists provide the tools the script kiddie needs.
  4. Watch the posts about new vulnerabilities, especially those affecting many users (for example those in web servers).
  5. Use a network scanner such as Nmap to find machines potentially exposed to the attack.
  6. Take the sample code provided on the mailing list and run it against the system the script kiddie believes to be vulnerable.
  7. Use the compromised machine to attack other machines, launch DoS (Denial of Service) attacks, steal confidential information, and so on.

What must be remembered is that script kiddies do not care whether there is anything of value on the attacked machine; many are happy simply to compromise it and use it to attack others.

Cracker

One step above script kiddies are the crackers, who have more experience and are potentially more dangerous. They differ from script kiddies in their ability to devise and launch new attacks against specific targets.

They are generally called "crackers" or "black hats"; it is important not to call them "hackers", which is a badge of honour: the Jargon File defines a hacker as "a person who enjoys exploring the details of programmable systems and how to stretch their capabilities, as opposed to most users, who prefer to learn only the minimum necessary", whereas it defines a cracker as "one who breaks security on a system".

The Jargon File goes on to say that the term cracker was coined in 1985 by hackers, to offer the media another word for those who break system security. Unfortunately, it did not catch on, and when the media say "hacker" they still mean a person who "does illegal things".

Elite

Finally, the top tier includes the people you rarely hear about and who, in all likelihood, will never attack your network. They are corporate spies, governments, terrorists, and so on. They attack specific targets relentlessly.

I am always a bit cautious about mentioning this category of attackers, because it is often used to scare large companies into buying security products.

If you run networks in critical infrastructure (power plants, water systems, hospitals, and so on), you must be aware of the risk. And if you work in a competitive market where intellectual property is highly valued, do not assume that all of your adversaries are law-abiding citizens.

Types of vulnerabilities

Every network contains vulnerabilities. It is therefore important to understand how they arise and what to watch for. Vulnerabilities can be grouped into the following categories:

  • Software
  • Hardware
  • Configurazione
  • Policy
  • Utilizzo

While the first two are more "concrete", the last three are harder to pin down.

Software vulnerabilities

Some academic and software-vendor studies have tried to estimate the average number of errors per 1000 lines of code. Depending on the organization doing the measuring, the figure ranges from 5 to 15. Considering that many modern operating systems and applications have millions of lines of code (Windows XP, for example, has about 50 million), it is easy to see that even if only a tiny percentage of those errors concern security, and only a few of those can be used to attack a machine, you end up with hundreds if not thousands of vulnerabilities.

Above all, code changes constantly, and an update that fixes one error may introduce another. Moreover, two pieces of code may each be secure on their own yet introduce new problems when run together. A look at the BugTraq mailing list is enough to see how many errors are found in programs.

Beyond ordinary bugs, a flawed protocol implementation or a flawed design can cause problems. Since the result is a software error, these are called software vulnerabilities.

NOTE As a secure network designer, software vulnerabilities are part of the reason you have a job in the first place. In many cases, the network is augmenting the security of an application. If software could be counted on to operate without error, application security could be relied on more, and elements such as firewalls and intrusion detection systems might not be as necessary.

Hardware Vulnerabilities

Hardware vulnerabilities are less common but are increasing in significance primarily because of the increase of programmable hardware in the market. Vulnerabilities in the system basic input/output system (BIOS), network processors, and CPUs could do potentially more damage because a hardware vulnerability is often not easily remedied by a software patch.

Finding out you must replace your computer because of a hardware vulnerability is not a happy day. Although not specifically related to security, Intel had to offer customers free replacement Pentium processors in 1994 because of a floating-point error in the hardware.

Configuration Vulnerabilities

Despite the best intentions of network operators, misconfigurations are very common on a network. In a firewall with a complex access control policy, hundreds of entries permitting and denying different traffic types can exist. The chances are high that someone eventually will make a mistake.

In addition to inadvertent misconfigurations, the problem of RTFM often rears its head. For a definition of RTFM, consult your friendly neighborhood search engine. The basics of the problem are this: if the individual responsible for deploying a technology doesn't know much about the technology, the chances of it working as intended decrease significantly. As a result, it is critical that organizations set aside part of the budget to allocate for employee training.

TIP One of the easiest ways to avoid configuration errors is to ensure that your security technologies are easy to manage. For example, when deciding on a firewall, features, performance, and cost are second, third, and fourth on my list of criteria after manageability.
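Here is an added example of the kind of check that catches the mistake described above; it is written for this page and is not code from the original text. It lints a first-match rule list, written in a hypothetical one-line syntax (not any real firewall's format), for rules that can never fire because an earlier rule already covers them, and for permit-everything entries. The sample policy is constructed.

```python
"""Added example: lint a first-match firewall rule list for shadowed and
over-broad entries. The rule syntax is a hypothetical one-line format,
not the syntax of any real firewall."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_network


@dataclass(frozen=True)
class Rule:
    line: int
    action: str          # "permit" or "deny"
    proto: str           # "tcp", "udp", "icmp" or "any"
    src: IPv4Network
    dst: IPv4Network
    dport: tuple         # (low, high) inclusive; (0, 65535) means any port


def parse_rule(line_no: int, text: str) -> Rule:
    # Hypothetical format: <permit|deny> <proto> <src-cidr> <dst-cidr> <port|lo-hi|any>
    action, proto, src, dst, port = text.split()
    if port == "any":
        dport = (0, 65535)
    elif "-" in port:
        lo, hi = port.split("-")
        dport = (int(lo), int(hi))
    else:
        dport = (int(port), int(port))
    return Rule(line_no, action, proto, ip_network(src), ip_network(dst), dport)


def covers(a: Rule, b: Rule) -> bool:
    """True if every packet that rule b could match is already matched by rule a."""
    proto_ok = a.proto == "any" or a.proto == b.proto
    port_ok = a.dport[0] <= b.dport[0] and b.dport[1] <= a.dport[1]
    return proto_ok and port_ok and b.src.subnet_of(a.src) and b.dst.subnet_of(a.dst)


def lint(rules):
    """Return (line, kind, detail) findings. Rules are evaluated first-match,
    so a rule fully covered by an earlier one can never fire: if the actions
    differ the policy silently does the wrong thing, if they match it is noise."""
    findings = []
    for i, rule in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, rule):
                kind = "shadowed" if earlier.action != rule.action else "redundant"
                findings.append((rule.line, kind, f"never matches; covered by line {earlier.line}"))
                break
        if (rule.action == "permit" and rule.proto == "any" and rule.dport == (0, 65535)
                and rule.src.prefixlen == 0 and rule.dst.prefixlen == 0):
            findings.append((rule.line, "wide-open", "permits all traffic from anywhere to anywhere"))
    return findings


# Constructed sample policy (not from the page): line 2 was meant to block one
# subnet but is swallowed by line 1, and line 4 makes every later rule dead.
SAMPLE_POLICY = """\
permit tcp 10.0.0.0/8    192.0.2.10/32 443
deny   tcp 10.1.0.0/16   192.0.2.10/32 443
permit udp 0.0.0.0/0     192.0.2.53/32 53
permit any 0.0.0.0/0     0.0.0.0/0     any
deny   any 0.0.0.0/0     0.0.0.0/0     any
"""


def lint_text(policy: str):
    rules = [parse_rule(n, line) for n, line in enumerate(policy.splitlines(), 1) if line.strip()]
    return lint(rules)


if __name__ == "__main__":
    for line, kind, detail in lint_text(SAMPLE_POLICY):
        print(f"line {line}: {kind}: {detail}")
```

The interesting case is line 2: the operator intended to block one subnet, but the broader permit on line 1 is evaluated first, so the deny is silently dead. A real rule base needs the same check extended to source ports, ICMP types and negated fields, and a shadowing check on its own says nothing about whether the rules that do survive express the intended policy.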

Policy Vulnerabilities

In addition to software, hardware, and configuration vulnerabilities, you might encounter policy vulnerabilities. Policy vulnerabilities occur when an attack is made possible by a poor choice in the development or implementation of a security policy. Since your network security system is only as good as the security policy to which it adheres, policy vulnerabilities can cause widespread problems. This is one of the main reasons a security system improves over time through modification of both the system and its policies. The distributed denial of service (DDoS) attacks that occurred in 2000 are examples of policy vulnerabilities. Clearly, changes could have been made to IP to reduce the chances of these attacks succeeding, but at the time most organizations had not planned for such attacks or even considered the remote possibility of them. As such, organizational security policies had not defined standards for how systems should deal with DDoS attacks. Today, if you look at the security policy of any large e-commerce organization, you will probably find standards and guidelines around protecting systems from DDoS.

Usage Vulnerabilities

Just because a system can be used in a secure way, it doesn't mean a user will use it in a secure way. Usage vulnerabilities occur when a user (usually through inexperience, not malice) violates the security policy and causes a vulnerability in the network. One common example is when a user adds a modem to his computer so he can dial up after hours to do work. The user probably personally installed the remote control software and, in doing so, most likely did not enable any of the security features. Therefore, an attacker can use that same modem as a launching point to attack the rest of the network.

Attack Results

All attacks have specific attack results that can be categorized as one of five types. The result of the attack shown in screenshot_014.png was denial of service. Howard mentions four types of results:

  • disclosure of information
  • corruption of information
  • denial of service
  • theft of service

and, here, we can add a fifth:

  • increased access

The following definitions of the first four types of attack results come straight out of Howard's work.

NOTE Although the first four definitions provided are from Howard's paper, the definitions are themselves references within Howard's document. Refer to Howard's paper for more specific references.

Disclosure of Information

Disclosure of information is the dissemination of information to anyone not authorized to access that information. This includes sniffing passwords off the wire, reading parts of a hard disk drive you are unauthorized to access, learning confidential information about your victim, and so on.

Corruption of Information

Corruption of information is any unauthorized alteration of files stored on a host computer or data in transit across a network. Examples include website defacement, man-in-the-middle (MITM) attacks, viruses that destroy data, and so on.

Denial of Service

Denial of service (DoS) is the intentional degradation or blocking of computer or network resources. Most types of flooding attacks have DoS as a primary objective. Similarly, intentionally crashing network resources can create a DoS condition, as would reconfiguration of certain network devices.

Theft of Service

Theft of service is the unauthorized use of computer or network services without degrading the service to other users. Stealing someone's password and logging on to the network is a good example, as is accessing a wireless LAN without authorization or pirating software.

Increased Access

Increased access is the resultant unauthorized increase in user privileges that occurs when accessing computer or network services. Executing a buffer overflow attack is a good example of an attack resulting in increased access.

NOTE Increased access typically is not the end result of an attack as are the preceding four attack results. It is more often a midpoint to further attacks, which can ultimately accomplish one of the other four results.

Attack Taxonomy

Attack taxonomies are almost always inaccurate in some way. They either create conditions in which attacks exist in more than one category or conditions in which a given attack doesn't have a clear home. But without a reasonably comprehensive attack taxonomy, security designers have no way of knowing whether their architecture addresses the threats it must.

We cover the main types of attacks against networks and the results they generally create. The main families (also called classes) of attacks are as follows:

  • Read: gain access to unauthorized information
  • Manipulate: modify information
  • Spoof: provide false information or offer false services
  • Flood: overflow a computer resource
  • Redirect: change the flow of information
  • Composite: comprise more than one listed method

NOTE If you have a taxonomy that you are more comfortable or familiar with, feel free to use it here. This taxonomy is very network centric.

Each attack class can comprise a number of attack elements or subclasses. For example, the first class read includes the subclass reconnaissance and the attacks sniffer and direct access. Each subclass comprises two or more attack elements. The attack elements for the reconnaissance subclass are data scavenging, wardial/drive, and probing and scanning. The entire attack taxonomy is presented in screenshot_016.png.

The table below shows the analysis of a sample attack: probing and scanning.

  Attack name              Probing and scanning
  Class/subclass           Read/reconnaissance
  Example implementations  Nmap, Nessus
  Prerequisites            Data scavenging
  Pertinent vulnerability  None
  Typical use              Learn IPs and applications available at victim network
  Attack result            Disclosure of information
  Likely follow-up attack  Almost anything
  OSI layers               3-7
  Detection                IDS and firewalls (with log analysis)
  Protection               None
  Detection difficulty     4
  Ease of use              5
  Frequency                5
  Impact                   2
  Overall rating           37

The following list defines the components of the table:

Member of class/subclass Refers to the class and subclass to which the specific attack belongs. In the example above, probing and scanning is a member of the class read and the subclass reconnaissance.

Sample implementations Provides examples of the given attack. In some cases, this might link to a website about the subclass of attacks rather than to a specific example.

Prerequisites Lists required or optional attacks that enable or enhance the attack in question. Optional prerequisites are noted in the field with an (optional) marker. In this case, data scavenging is necessary first to determine the IP address ranges of the systems the attacker will scan.

Pertinent vulnerability Cites the most common vulnerability type enabling the attack from the list of five vulnerability types discussed earlier in this text. In this example, there is no real vulnerability because some form of probing and scanning is always possible on IP networks.

Typical use Explains the most common use of a particular attack. This generally relates to the attack result.

Attack result Cites the most common attack result from the list of five explained earlier.

Likely follow-up attack Lists the attack most likely to be run after a successful attempt at the attack in question. In this example, after a probe and scan, almost any attack can be run. From the Internet, application manipulations are very common once a vulnerable system is scanned.

OSI layers Lists the most common Open Systems Interconnection (OSI) layers used in the attack.

Detection Lists the security technology that is capable of detecting but not preventing the attack. In this case, intrusion detection systems (IDS) are able to detect many types of scans and probes, and firewalls can also show scans if their log data is analyzed.

Protection Lists the security technology that actually stops or helps to stop a particular attack. These technologies can also aid in detection but are never listed in both categories. Because there are always exceptions in network security, the inclusion of a particular technology does not mean it is 100 percent effective against the attack. Defense-in-depth still applies.
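The detection row of the table says that IDS and firewall logs can reveal probing and scanning. The following added example, written for this page and not taken from it, shows what that log analysis looks like in practice: a sliding-window detector that flags a source touching many distinct destination ports within a short interval, run over constructed firewall deny lines in a hypothetical log format (not any product's real format). It also shows the evasion that the detection-difficulty score of 4 is about: the same probes spread out slowly never exceed the threshold inside a short window, and catching them requires aggregating per source over a much longer horizon.

```python
"""Added example (not from the page): a port-scan detector run over
constructed firewall deny logs, and why a slow scan slips under it."""
from collections import defaultdict, deque


def parse_line(line: str):
    # Hypothetical log format (constructed for this example, not any product's):
    #   <epoch-seconds> DENY <proto> <src-ip>:<sport> -> <dst-ip>:<dport>
    ts, action, proto, src, _arrow, dst = line.split()
    src_ip, _ = src.rsplit(":", 1)
    dst_ip, dport = dst.rsplit(":", 1)
    return int(ts), action, proto, src_ip, dst_ip, int(dport)


def detect_scans(lines, window_s: int, min_ports: int):
    """Return (src, window_start, distinct_ports) for each source that hits
    at least min_ports distinct destination ports within window_s seconds.
    Lines must be in timestamp order; one alert per source."""
    recent = defaultdict(deque)        # src -> deque of (ts, dport) inside the window
    alerts, alerted = [], set()
    for line in lines:
        ts, action, _proto, src, _dst, dport = parse_line(line)
        if action != "DENY":
            continue
        q = recent[src]
        q.append((ts, dport))
        while q[0][0] < ts - window_s:  # drop events older than the window
            q.popleft()
        distinct = {p for _, p in q}
        if len(distinct) >= min_ports and src not in alerted:
            alerted.add(src)
            alerts.append((src, q[0][0], len(distinct)))
    return alerts


def make_scan(src: str, start_ts: int, interval_s: int, ports):
    """Constructed log lines: one probe per port, interval_s seconds apart."""
    return [f"{start_ts + i * interval_s} DENY tcp {src}:{41000 + i} -> 192.0.2.10:{p}"
            for i, p in enumerate(ports)]


T0 = 1_700_000_000
FAST_SCAN = make_scan("203.0.113.5", T0, 1, range(1, 21))      # 20 ports in 20 s
SLOW_SCAN = make_scan("198.51.100.7", T0, 600, range(1, 21))   # one port every 10 min
NOISE = [f"{T0 + 5} DENY udp 192.0.2.99:5353 -> 192.0.2.10:5353"]
SAMPLE_LOG = sorted(FAST_SCAN + SLOW_SCAN + NOISE, key=lambda l: int(l.split()[0]))

if __name__ == "__main__":
    # A 60-second window catches the fast scan only: the slow scan never has
    # more than one port inside any window, which is the evasion behind the
    # detection-difficulty score of 4.
    print("60 s window:", detect_scans(SAMPLE_LOG, window_s=60, min_ports=10))
    # Aggregating per source over a whole day (more state to keep) catches both.
    print("24 h window:", detect_scans(SAMPLE_LOG, window_s=86_400, min_ports=10))
```

The trade-off is the one every IDS faces: a longer window catches slower scans but costs memory per source and makes false positives from legitimate multi-port clients more likely, which is why the patient attacker can usually find an interval that stays under whatever threshold is in use.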

The remaining five fields in the table are numeric values, and the final field shows an overall rating of the attack. This rating can be used as a rough guide to determine the level of concern you should have for a particular attack. Higher numbers are always better for the attacker and worse for you. The criteria are rated on a 1 to 5 scale, and the overall rating is derived from this formula:

(Detection Difficulty * 1) + (Ease of Use * 2) + (Frequency * 3) + (Impact * 4) = Overall Rating

This formula produces a range from 10 (shouting nasty words at the network with the hope it will crash) to 50 (I won't even say).

WARNING I chose the values for rating attacks in a completely subjective manner. Anyone with 10 minutes and a favorite spreadsheet program can begin to reproduce these values with weightings more appropriate to their security policy or even the specific area of the network. I selected the values based on my own and my customers' experiences.
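The formula and the re-weighting suggested in the warning, as an added example written for this page rather than taken from it: the probing-and-scanning scores are the ones from the table above (4, 5, 5, 2, giving 37), the two other records are constructed, hypothetical attacks used only to show how a different weighting reorders the priorities, and the alternative weights are an assumption chosen so that their sum stays 10 and the 10 to 50 scale is preserved.

```python
"""Added example (not from the page): the overall-rating formula with
adjustable weights, so the ranking can be re-derived for another policy."""
from dataclasses import dataclass

# Weights from the page's formula: detection difficulty x1, ease of use x2,
# frequency x3, impact x4. They sum to 10, which gives the 10..50 range.
DEFAULT_WEIGHTS = {"detection_difficulty": 1, "ease_of_use": 2, "frequency": 3, "impact": 4}

# Hypothetical alternative for a network where impact dominates everything
# else; the sum is kept at 10 so ratings stay comparable on the same scale.
IMPACT_HEAVY_WEIGHTS = {"detection_difficulty": 1, "ease_of_use": 1, "frequency": 1, "impact": 7}


@dataclass(frozen=True)
class AttackRating:
    name: str
    detection_difficulty: int   # 1 = trivial to detect .. 5 = almost impossible
    ease_of_use: int            # 1 = elite skills needed .. 5 = script kiddie ability
    frequency: int              # 1 = almost never seen .. 5 = seen daily
    impact: int                 # 1 = little to none .. 5 = brush up the résumé


def overall_rating(attack: AttackRating, weights=DEFAULT_WEIGHTS) -> int:
    """Weighted sum of the four criteria; rejects values off the 1-5 scale."""
    total = 0
    for criterion, weight in weights.items():
        value = getattr(attack, criterion)
        if not 1 <= value <= 5:
            raise ValueError(f"{attack.name}: {criterion}={value} is outside the 1-5 scale")
        total += value * weight
    return total


def rating_bounds(weights=DEFAULT_WEIGHTS):
    """(minimum, maximum) rating reachable with the given weights."""
    weight_sum = sum(weights.values())
    return weight_sum * 1, weight_sum * 5


def rank(attacks, weights=DEFAULT_WEIGHTS):
    """Attacks ordered from highest rating (worst for you) to lowest."""
    return sorted(((overall_rating(a, weights), a.name) for a in attacks), reverse=True)


# Probing and scanning uses the scores from the page's table; the other two
# records are constructed, hypothetical attacks used only to show reordering.
ATTACKS = [
    AttackRating("probing and scanning", 4, 5, 5, 2),
    AttackRating("hypothetical attack A (rare, hard, severe)", 2, 2, 2, 5),
    AttackRating("hypothetical attack B (common, easy, benign)", 3, 5, 4, 1),
]

if __name__ == "__main__":
    print("bounds:", rating_bounds())
    for weights in (DEFAULT_WEIGHTS, IMPACT_HEAVY_WEIGHTS):
        print(weights, rank(ATTACKS, weights))
```

With the page's weights, probing and scanning (37) ranks above the severe-but-rare hypothetical attack (32); with the impact-heavy weights the order flips (28 against 41), which is the point of the warning: the numbers are only meaningful relative to each other under one policy's weighting.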

The following describes the remaining five fields and the rating scale for each:

Detection difficulty Refers to the approximate difficulty network staff will have in detecting the attack. Secure networking best practices are assumed, and the attacker is assumed to have midlevel competence. Later, these values might trend up or down depending on the capabilities of a particular network design. The probe and scan attack example earned a 4 because most modern scanners have the ability to scan so slowly that they stay below the radar of most IDS systems (1 = almost trivial to detect; 5 = almost impossible to detect).

Ease of use Refers to how hard the attack is to execute. When tools for the attack are freely available in the public domain, the rating increases. For attacks with no publicly available tools or for which public tools are of limited use (as in the case of worms), the value trends lower.

Probing and scanning earned a 5 in this category because almost anyone can scan. Even my Macintosh comes standard with a port scanner in the default installation (1 = elite skills required; 5 = script kiddie ability needed).

Frequency Refers to how common the attack is in the area of the network in which it is most effective. For example, an Address Resolution Protocol (ARP) redirection attack might have a midtier frequency rating even though it is almost never launched against an Internet edge (since the attack doesn't cross routers). As anyone who has ever looked at a firewall or IDS log will tell you, probing and scanning easily earns a 5 in this category (1 = attack is almost never seen; 5 = most large networks see this attack daily).

Impact A measurement of the damage caused by the successful execution of the attack. This value certainly changes based on the type of asset the attack affects. The rating provided in this field is an average. If there is a very dangerous attack that is made possible by the listed attack, the impact rating tends to increase even if the listed attack is fairly benign. This is the case with probing and scanning. By itself, probing and scanning earns only a 1 in impact, but because scanning makes follow-up attacks more likely to be successful, the attack earns a 2 (1 = little to no impact; 5 = better brush up the résumé, just in case).

Overall rating Refers to how this attack stacks up against others you are likely to encounter. This rating isn't as important as its relationship to the rest of the attacks under evaluation. For example, an attack rating of 30 doesn't mean that you can ignore the attack, but if you are dealing with several attacks that have higher ratings, you should give them priority (of course, with adjustments based on the location of the network or your own security policy). Later you will see how these overall ratings change based on the location of the network you are trying to protect. What was once a top-5 issue can struggle to be in the top 20 (10 = no worries; 50 = instant insomnia).

