Materi Komputer: IETF RFC 2828

Types of attacks

An attack usually is perpetrated by someone with bad intentions: Black hatted attacks falls in this category, while other perform Penetration testing on an organization information system to find out if all foreseen controls are in place.

The attacks can be classified according to their origin: i.e. if it is conducted using one or more computers: in the last case is called a distributed attack. Botnet are used to conduct distributed attacks.

Other classifications are according to the procedures used or the type of vulnerabilities exploited: attacks can be concentrated on network mechanisms or host features.

Some attacks are physical: i.e. theft or damage of computers and other equipment. Others are attempts to force changes in the logic used by computers or network protocols in order to achieve unforeseen (by the original designer) result but useful for the attacker. Software used to for logical attacks on computers is called malware.

The following is a partial short list of attacks:

Passive
- Network
  - wiretapping
  - Port scanner
  - Idle scan
Active
- Denial-of-service attack
- Spoofing
- Network
  - Man in the middle
  - ARP poisoning
  - Ping flood
  - Ping of death
  - Smurf attack
- Host
  - Buffer overflow
  - Heap overflow
  - Format string attack

Phenomenology

An attack can be active or passive.

An "active attack" attempts to alter system resources or affect their operation.

A "passive attack" attempts to learn or make use of information from the system but does not affect system resources. (E.g., see: wiretapping.)

An attack can be perpetrated by an insider or from outside the organization;

An "inside attack" is an attack initiated by an entity inside the security perimeter (an "insider"), i.e., an entity that is authorized to access system resources but uses them in a way not approved by those who granted the authorization.

An "outside attack" is initiated from outside the perimeter, by an unauthorized or illegitimate user of the system (an "outsider"). In the Internet, potential outside attackers range from amateur pranksters to organized criminals, international terrorists, and hostile governments.

The term "attack" relates to some other basic security terms as shown in the following diagram:

      + - - - - - - - - - - - - +  + - - - - +  + - - - - - - - - - - -+
      | An Attack:              |  |Counter- |  | A System Resource:   |
      | i.e., A Threat Action   |  | measure |  | Target of the Attack |
      | +----------+            |  |         |  | +-----------------+  |
      | | Attacker |<==================||<=========                 |  |
      | |   i.e.,  |   Passive  |  |         |  | |  Vulnerability  |  |
      | | A Threat |<=================>||<========>                 |  |
      | |  Agent   |  or Active |  |         |  | +-------|||-------+  |
      | +----------+   Attack   |  |         |  |         VVV          |
      |                         |  |         |  | Threat Consequences  |
      + - - - - - - - - - - - - +  + - - - - +  + - - - - - - - - - - -+

A resource (both physical or logical), called an asset, can have one or more vulnerabilities that can be exploited by a threat agent in a threat action. The result can potentially compromises the Confidentiality, Integrity or Availability properties of resources (potentially different that the vulnerable one) of the organization and others involved parties (customers, suppliers).

The so-called CIA triad is the basis of Information Security.

The attack can be active when it attempts to alter system resources or affect their operation: so it compromises Integrity or Availability. A "passive attack" attempts to learn or make use of information from the system but does not affect system resources: so it compromises Confidentiality.

A Threat is a potential for violation of security, which exists when there is a circumstance, capability, action, or event that could breach security and cause harm. That is, a threat is a possible danger that might exploit a vulnerability. A threat can be either "intentional" (i.e., intelligent; e.g., an individual cracker or a criminal organization) or "accidental" (e.g., the possibility of a computer malfunctioning, or the possibility of an "act of God" such as an earthquake, a fire, or a tornado).

A set of policies concerned with information security management, the information security management systems (ISMS), has been developed to manage, according to Risk management principles, the countermeasures in order to accomplish to a security strategy set up following rules and regulations applicable in a country.

An attack should led to a security incident i.e. a security event that involves a security violation. In other words, a security-relevant system event in which the system's security policy is disobeyed or otherwise breached.

The overall picture represents the risk factors of the risk scenario.

An organization should make steps to detect, classify and manage security incidents. The first logical step is to set up an Incident response plan and eventually a Computer emergency response team.

In order to detect attacks, a number of countermeasures can be set up at organizational, procedural and technical levels. Computer emergency response team, Information technology security audit and Intrusion detection system are example of these.

Countermeasure (computer)

In Computer Security a countermeasure is an action, device, procedure, or technique that reduces a threat, a vulnerability, or an attack by eliminating or preventing it, by minimizing the harm it can cause, or by discovering and reporting it so that corrective action can be taken.

The definition is as IETF RFC 2828 that is the same as CNSS Instruction No. 4009 dated 26 April 2010 by Committee on National Security Systems of United States of America

According to the Glossary by InfosecToday, the meaning of countermeasure is:

The deployment of a set of security services to protect against a security threat.

A synonym is security control. In telecommunications, communication countermeasures are defined as Security services as part of OSI Reference model by ITU-T X.800 Recommendation. X.800 and ISO ISO 7498-2 (Information processing systems – Open systems interconnection – Basic Reference Model – Part 2: Security architecture are technically aligned.

The following picture explain the relationships between these concepts and terms:

      + - - - - - - - - - - - - +  + - - - - +  + - - - - - - - - - - -+
      | An Attack:              |  |Counter- |  | A System Resource:   |
      | i.e., A Threat Action   |  | measure |  | Target of the Attack |
      | +----------+            |  |         |  | +-----------------+  |
      | | Attacker |<==================||<=========                 |  |
      | |   i.e.,  |   Passive  |  |         |  | |  Vulnerability  |  |
      | | A Threat |<=================>||<========>                 |  |
      | |  Agent   |  or Active |  |         |  | +-------|||-------+  |
      | +----------+   Attack   |  |         |  |         VVV          |
      |                         |  |         |  | Threat Consequences  |
      + - - - - - - - - - - - - +  + - - - - +  + - - - - - - - - - - -+

A resource (both physical or logical) can have one or more vulnerabilities that can be exploited by a threat agent in a threat action. The result can potentially compromises the Confidentiality, Integrity or Availability properties of resources (potentially different that the vulnerable one) of the organization and others involved parties (customers, suppliers).

The so called CIA triad is the basis of Information Security.

The attack can be active when it attempts to alter system resources or affect their operation: so it compromises Integrity or Availability. A "passive attack" attempts to learn or make use of information from the system but does not affect system resources: so it compromises Confidentiality.

Kamis, 18 April 2013

Types of attacks

Phenomenology

Countermeasure (computer)