Best Practices for Enterprise Security ( http://www.microsoft.com/technet/archive/security/bestprac/bpent/bpentsec.mspx ) contains a complete list of all the articles in this series. See also the Security Entities Building Block Architecture ( http://www.microsoft.com/technet/archive/security/bestprac/bpent/sec2/secentbb.mspx ).
This section discusses:
- the importance of computer security and the responsibilities it involves
- general security threats
- how to plan and implement security policies and controls for often-performed computer security activities

On this page:
Security Overview
Security Threats
Appendix A: Security Threats
Appendix B: Motives, Goals, and Objectives of Malicious Attackers
Appendix C: Methods, Tools, and Techniques for Attacks
Appendix D: Security Vulnerabilities
References
Acknowledgements
Introduction
The first part of this section outlines security threats and briefly describes the methods, tools, and techniques that intruders use to exploit vulnerabilities in systems to achieve their goals. The section discusses a theoretical model and provides some real life scenarios. The appendixes give detailed analyses of the various aspects and components that are discussed in this section.

Security Threats, Attacks, and Vulnerabilities
Information is the key asset in most organizations. Companies gain a competitive advantage by knowing how to use that information. The threat comes from others who would like to acquire the information or limit business opportunities by interfering with normal business processes. The object of security is to protect valuable or sensitive organizational information while making it readily available. Attackers trying to harm a system or disrupt normal business operations exploit vulnerabilities by using various techniques, methods, and tools. System administrators need to understand the various aspects of security to develop measures and policies to protect assets and limit their vulnerabilities.
Attackers generally have motives or goals, for example to disrupt normal business operations or steal information. To achieve these motives or goals, they use various methods, tools, and techniques to exploit vulnerabilities in a computer system or security policy and controls. Goal + Method + Vulnerabilities = Attack. These aspects will be discussed in more detail later in this section.

Security Threats
Figure 1 introduces a layout that can be used to break up security threats into different areas.
Figure 1:

Natural Disasters
Nobody can stop nature from taking its course. Earthquakes, hurricanes, floods, lightning, and fire can cause severe damage to computer systems. Information can be lost, downtime or loss of productivity can occur, and damage to hardware can disrupt other essential services. Few safeguards can be implemented against natural disasters. The best approach is to have disaster recovery plans and contingency plans in place. Other threats such as riots, wars, and terrorist attacks could be included here. Although they are human-caused threats, they are classified as disastrous.

Human Threats
Malicious threats consist of inside attacks by disgruntled or malicious employees and outside attacks by non-employees just looking to harm and disrupt an organization. The most dangerous attackers are usually insiders (or former insiders), because they know many of the codes and security measures that are already in place. Insiders are likely to have specific goals and objectives, and have legitimate access to the system. Employees are the people most familiar with the organization's computers and applications, and they are most likely to know what actions might cause the most damage. Insiders can plant viruses, Trojan horses, or worms, and they can browse through the file system. The insider attack can affect all components of computer security. By browsing through a system, confidential information could be revealed. Trojan horses are a threat to both the integrity and confidentiality of information in the system. Insider attacks can affect availability by overloading the system's processing or storage capacity, or by causing the system to crash.
People often refer to these individuals as "crackers" or "hackers." The definition of "hacker" has changed over the years. A hacker was once thought of as any individual who enjoyed getting the most out of the system he or she was using. A hacker would use a system extensively and study it until he or she became proficient in all its nuances. This individual was respected as a source of information for local computer users, someone referred to as a "guru" or "wizard." Now, however, the term hacker refers to people who either break in to systems for which they have no authorization or intentionally overstep their bounds on systems for which they do not have legitimate access. The correct term to use for someone who breaks in to systems is a "cracker." Common methods for gaining access to a system include password cracking, exploiting known security weaknesses, network spoofing, and social engineering.

Malicious attackers normally will have a specific goal, objective, or motive for an attack on a system. These goals could be to disrupt services and the continuity of business operations by using denial-of-service (DoS) attack tools. They might also want to steal information or even steal hardware such as laptop computers. Hackers can sell information that can be useful to competitors. In 1996, a laptop computer was stolen from an employee of Visa International that contained 314,000 credit card accounts. The total cost to Visa for just canceling the numbers and replacing the cards was $6 million [5].

Attackers are not the only ones who can harm an organization. The primary threat to data integrity comes from authorized users who are not aware of the actions they are performing. Errors and omissions can cause valuable data to be lost, damaged, or altered. Non-malicious threats usually come from employees who are untrained in computers and are unaware of security threats and vulnerabilities.
Users who open up Microsoft Word documents using Notepad, edit the documents, and then save them could cause serious damage to the information stored in the document. Users, data entry clerks, system operators, and programmers frequently make unintentional errors that contribute to security problems, directly and indirectly. Sometimes the error is the threat, such as a data entry error or a programming error that crashes a system. In other cases, errors create vulnerabilities. Errors can occur in all phases of the system life cycle.

Figure 2 gives a theoretical model that can be used to determine the various threats, goals, methods, and vulnerabilities used in an attack.
Figure 2:

The following table gives some examples of the various aspects discussed above.

Threats:
- Employees: malicious, ignorant
- Non-employees: outside attackers
- Natural disasters: floods, earthquakes, hurricanes, riots and wars

Motives/Goals:
- Deny services
- Steal information
- Alter information
- Damage information
- Delete information
- Make a joke
- Show off

Methods:
- Social engineering
- Viruses, Trojan horses, worms
- Packet replay
- Packet modification
- IP spoofing
- Mail bombing
- Various hacking tools
- Password cracking

Vulnerabilities:
- Security policies

Assets:
- Information and data
- Productivity
- Hardware
- Personnel

Note that ignorant employees usually have no motives and goals for causing damage. The damage is accidental. Also, malicious attackers can deceive ignorant employees by using "social engineering" to gain entry. The attacker could masquerade as an administrator and ask for passwords and user names. Employees who are not well trained and are not security aware can fall for this.

For more information on security threats, see Appendix A.

Motives, Goals, and Objectives of Malicious Attackers
There is a strong overlap between physical security and data privacy and integrity. Indeed, the goal of some attacks is not the physical destruction of the computer system but the penetration and removal or copying of sensitive information. Attackers want to achieve these goals either for personal satisfaction or for a reward. Here are some of them:

- Deleting and altering information. Malicious attackers who delete or alter information normally do this to prove a point or take revenge for something that has happened to them. Inside attackers normally do this to spite the organization because they are disgruntled about something. Outside attackers might want to do this to prove that they can get in to the system or for the fun of it.

  April 27, 2000: Cheng Tsz-chung, 22, was put behind bars last night after changing the password on another user's account and then demanding $500 (Hong Kong currency) to change it back. The victim paid the money and then contacted police. Cheng has pleaded guilty to one charge of unauthorized access of a computer and two counts of theft. Cheng's lawyer told Magistrate Ian Candy that his client committed the offenses "just for fun." The magistrate remanded Cheng in custody and said his sentence, which will be handed down on May 10 pending reports, must have a deterrent effect.

- Committing information theft and fraud. Information technology is increasingly used to commit fraud and theft, both by automating traditional methods of fraud and by using new methods. Financial systems are not the only ones subject to fraud. Other targets are systems that control access to any resources, such as time and attendance systems, inventory systems, school grading systems, or long-distance telephone systems.

- Disrupting normal business operations. Attackers may want to disrupt normal business operations. In any circumstance like this, the attacker has a specific goal to achieve. Attackers use various methods for denial-of-service attacks; the section on methods, tools, and techniques will discuss these.

Methods, Tools, and Techniques for Attacks
Attacks = motive + method + vulnerability. The method in this formula exploits the organization's vulnerability in order to launch an attack as shown in Figure 2. Malicious attackers can gain access or deny services in numerous ways. Computer systems are exploited in numerous ways. Here are some methods that attackers use:

- Viruses. Attackers can develop harmful code known as viruses. Using hacking techniques, they can break into systems and plant viruses. Viruses in general are a threat to any environment. They come in different forms and although not always malicious, they always take up time. Viruses can also be spread via e-mail and disks.

- Trojan horses. These are malicious programs or software code hidden inside what looks like a normal program. When a user runs the normal program, the hidden code runs as well. It can then start deleting files and causing other damage to the computer. Trojan horses are normally spread by e-mail attachments. The Melissa virus that caused denial-of-service attacks throughout the world in 1999 was a type of Trojan horse.

- Worms. These are programs that run independently and travel from computer to computer across network connections. Worms may have portions of themselves running on many different computers. Worms do not change other programs, although they may carry other code that does.
- Password cracking. This is a technique attackers use to surreptitiously gain system access through another user's account. This is possible because users often select weak passwords. The two major problems with passwords are when they are easy to guess based on knowledge of the user (for example, a wife's maiden name) and when they are susceptible to dictionary attacks (that is, using a dictionary as the source of guesses).

- E-mail hacking. Electronic mail is one of the most popular features of the Internet. With access to Internet e-mail, someone can potentially correspond with any one of millions of people worldwide. Some of the threats associated with e-mail are:
  - Impersonation. The sender address on Internet e-mail cannot be trusted because the sender can create a false return address. Someone could have modified the header in transit, or the sender could have connected directly to the Simple Mail Transfer Protocol (SMTP) port on the target computer to enter the e-mail.
  - Eavesdropping. E-mail headers and contents are transmitted in clear text if no encryption is used. As a result, the contents of a message can be read or altered in transit. The header can be modified to hide or change the sender, or to redirect the message.

- Packet replay. This refers to the recording and retransmission of message packets in the network. Packet replay is a significant threat for programs that require authentication sequences, because an intruder could replay legitimate authentication sequence messages to gain access to a system. Packet replay is frequently undetectable, but can be prevented by using packet time stamping and packet sequence counting.

- Packet modification. This involves one system intercepting and modifying a packet destined for another system. Packet information may not only be modified, it could also be destroyed.

- Eavesdropping. It is possible for a cracker to eavesdrop by wiretapping, using radio, or using auxiliary ports on terminals. It is also possible to eavesdrop using software that monitors packets sent over the network. This allows a cracker (hacker) to make a complete copy of network activity. As a result, a cracker can obtain sensitive information such as passwords, data, and procedures for performing functions. In most cases, it is difficult to detect eavesdropping.

- Social engineering. This is a common form of cracking. It can be used by outsiders and by people within an organization. Social engineering is a hacker term for tricking people into revealing their password or some form of security information.

- Intrusion attacks. In these attacks, a hacker uses various hacking tools to gain access to systems. These can range from password-cracking tools to protocol hacking and manipulation tools. Intrusion detection tools often can help to detect changes and variants that take place within systems and networks.

- Network spoofing. In network spoofing, a system presents itself to the network as though it were a different system (computer A impersonates computer B by sending B's address instead of its own). The reason for doing this is that systems tend to operate within a group of other trusted systems. Trust is imparted in a one-to-one fashion; computer A trusts computer B (this does not imply that system B trusts system A). Implied with this trust is that the system administrator of the trusted system is performing the job properly and maintaining an appropriate level of security for the system. Network spoofing occurs in the following manner: if computer A trusts computer B and computer C spoofs (impersonates) computer B, then computer C can gain otherwise-denied access to computer A.

- Denial-of-service attacks. This attack exploits the need to have a service available. It is a growing trend on the Internet because Web sites in general are open doors ready for abuse. People can easily flood the Web server with communication in order to keep it busy. Therefore, companies connected to the Internet should prepare for DoS attacks. They also are difficult to trace and allow other types of attacks to be subdued.

Appendix C contains detailed descriptions of some of the methods listed above.

Security Vulnerabilities
As explained previously, a malicious attacker uses a method to exploit vulnerabilities in order to achieve a goal. Vulnerabilities are weak points or loopholes in security that an attacker exploits in order to gain access to the network or to resources on the network (see Figure 2). Remember that the vulnerability is not the attack, but rather the weak point that is exploited. Some weak points are:

- Passwords. Users end up selecting commonly used passwords because they are easy to remember: anything from birthdays to the names of loved ones. The problem usually is remembering the correct password from among the multitude of passwords a user needs to remember. This is a vulnerability because it gives others a good chance to guess the correct password. Password selection will be a contentious point as long as users have to select one.

- Protocol design. Communication protocols sometimes have weak points. Some known issues are:
  - TCP/IP. The TCP/IP protocol stack has some weak points that allow IP address spoofing and TCP connection request (SYN) attacks.
  - Telnet protocol. It is not uncommon to find interoperability between Microsoft products and various versions of UNIX. Telnet can be used to administer systems running Microsoft Windows 2000 and UNIX. When using the telnet client to connect from a Microsoft system to a UNIX system and vice versa, user names and passwords are transmitted in clear text.
  - File Transfer Protocol (FTP). As with Telnet, if the FTP service is running and users need to send or retrieve information from a secure location, then user names and passwords are transmitted in clear text.

- Commands revealing user information. Commands that reveal user and system information pose a threat because crackers can use that information to break into a system. Attackers use these to gain information and eventually gain access to systems. Here are some ways:
  - Finger. The finger client utility on Microsoft Windows NT and Windows 2000 can be used to connect to a finger daemon service running on a UNIX-based computer to display information about users. When the finger program is run with no arguments, information for every user currently logged on to the system is displayed.
  - Rexec. The rexec utility is provided as a client on Microsoft Windows NT and Windows 2000. The rexec client utility allows remote execution on UNIX-based systems running the rexecd service. A client transmits a message specifying the user name, the password, and the name of a command to execute. The rexecd program is susceptible to abuse because it can be used to probe a system for the names of valid accounts. In addition, passwords are transmitted unencrypted over the network.

- Modems. Modems have become standard features on many desktop computers. People use them not just to connect to the Internet, but also to connect to their office so they can work from home. The problem is that a modem is a means of bypassing the "firewall" that protects a network from outside intruders. A hacker using a "war dialer" tool to identify the modem telephone number and a "password cracker" tool to break a weak password can gain access to the system. Due to the nature of computer networking, once a hacker connects to that one computer, the hacker can often connect to any other computer in the network. Any unauthorized modem is a serious security concern.

- Asynchronous transfer mode (ATM). Security can be compromised by what is referred to as "manhole manipulation": direct access to network cables and connections in underground parking garages and elevator shafts.

- Frame relay. Similar to the ATM problem.

- Device administration. Switches and routers are easily managed by an HTTP interface or through a command line interface. Coupled to the use of weak passwords (for example, public passwords), this allows anybody with some technical knowledge to take control of the device.

Appendix D explains more about vulnerabilities.

To help explain Figure 2 and the theory behind attacks, here are some real life examples.

Example 1: non-malicious threat (ignorant employees). An employee known here as John Doe copies games and other executables from a 1.44 MB disk onto his local hard drive and then runs the executables. Unfortunately, the games contained various viruses and Trojan horses. The organization had not yet deployed any anti-virus software. After a short time, John Doe and other employees began to notice strange and unforeseen events occurring on their computers, causing disruption of services and possible corruption of data. The following figure explains the various vulnerabilities that existed and the loss in assets that are involved.
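The packet replay entry in the methods list above says replay can be prevented with packet time stamping and packet sequence counting. The receiver below is an added example, not code from this article: it accepts each (sender, sequence number) pair once and drops packets whose time stamp falls outside a clock-skew window. Beyond the two measures the article names it also carries an HMAC over the packet fields, so a replayed packet cannot simply be re-stamped or altered; the peer name hostB, the shared key and the payloads are constructed for the demo.

```python
"""Replay protection with sequence numbers and time stamps.

Added example, not code from the TechNet article. Beyond the two measures
the article names (time stamping and sequence counting) it adds an HMAC tag
over the packet fields; the peer name, key and payloads are constructed.
"""
import hashlib
import hmac

# Constructed shared secret for the demo; a deployment would derive one per peer.
SHARED_KEY = b"demo-key-not-for-production"
MAX_CLOCK_SKEW = 30  # seconds; older packets are dropped even if never seen


def _tag(sender, seq, ts, payload):
    """MAC over every field, so none can be changed without detection."""
    msg = f"{sender}|{seq}|{ts}|{payload}".encode()
    return hmac.new(SHARED_KEY, msg, hashlib.sha256).hexdigest()


def make_packet(sender, seq, ts, payload):
    """Sender side: stamp the packet with a sequence number, time stamp and tag."""
    return {"sender": sender, "seq": seq, "ts": ts, "payload": payload,
            "tag": _tag(sender, seq, ts, payload)}


class ReplayGuard:
    """Receiver side: accept each (sender, seq) once, within a time window."""

    def __init__(self, max_skew=MAX_CLOCK_SKEW):
        self.max_skew = max_skew
        self.last_seq = {}  # sender -> highest sequence number accepted so far

    def check(self, pkt, now):
        """Return (accepted, reason); `now` is the receiver's own clock."""
        expected = _tag(pkt["sender"], pkt["seq"], pkt["ts"], pkt["payload"])
        if not hmac.compare_digest(expected, pkt["tag"]):
            return False, "bad tag"            # forged or modified in transit
        if abs(now - pkt["ts"]) > self.max_skew:
            return False, "stale timestamp"    # recorded earlier, replayed later
        if pkt["seq"] <= self.last_seq.get(pkt["sender"], -1):
            return False, "replayed sequence"  # this or an older seq already seen
        self.last_seq[pkt["sender"]] = pkt["seq"]
        return True, "ok"


def demo():
    """Constructed exchange: a login packet, its replay, a late copy, a tampered copy."""
    guard = ReplayGuard()
    login = make_packet("hostB", seq=1, ts=1000, payload="AUTH user=alice")
    outcomes = [guard.check(login, now=1001)[1]]           # fresh packet: ok
    outcomes.append(guard.check(login, now=1005)[1])       # same packet again: rejected
    late = make_packet("hostB", seq=2, ts=1000, payload="AUTH user=alice")
    outcomes.append(guard.check(late, now=2000)[1])        # captured long ago: rejected
    tampered = dict(login, payload="AUTH user=root")
    outcomes.append(guard.check(tampered, now=1001)[1])    # field changed: rejected
    nxt = make_packet("hostB", seq=2, ts=1010, payload="DATA hello")
    outcomes.append(guard.check(nxt, now=1011)[1])         # next in sequence: ok
    return outcomes


if __name__ == "__main__":
    print(demo())
```

The sequence counter alone stops a replay of a packet the receiver has already seen; the time window additionally bounds how long a captured packet stays usable against a receiver that has restarted and lost its counters, which is why the article lists both.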
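The password cracking entry and the Passwords vulnerability above describe two weaknesses: passwords easy to guess from knowledge of the user (birthdays, names of loved ones) and passwords found by a dictionary attack. The check below is an added example, not the article's code, of rejecting such passwords when a user sets one; the word list, the substitution map and the SAMPLE_USER record are constructed for the demo, and a real deployment would load a large wordlist and read the user's details from the directory.

```python
"""Rejecting easily guessed passwords at the point where the user sets one.

Added example, not the article's code. The word list, the leet-speak map
and SAMPLE_USER are constructed for the demo; a real check loads a large
wordlist and pulls the user's details from the directory.
"""
import re

# Constructed miniature word list: dictionary words and "public" passwords.
DICTIONARY = {"password", "welcome", "letmein", "summer", "admin", "secret", "changeme"}
MIN_LENGTH = 12

# Substitutions that cracking wordlists already try, so they add no strength.
_LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                       "7": "t", "@": "a", "$": "s"})

# Constructed directory record for the demo user.
SAMPLE_USER = {"username": "jdoe", "first": "John", "last": "Doe",
               "family": ["Emily", "Rex"], "birthdate": "1985-07-23"}


def _variants(pw):
    """Forms of the password a dictionary attack would also try."""
    low = pw.lower()
    bare = re.sub(r"\d+$", "", low)          # drop a trailing number ("welcome1")
    return {low, bare, low.translate(_LEET), bare.translate(_LEET)}


def personal_terms(user):
    """Strings derivable from what a colleague could learn about the user."""
    terms = {user["username"], user["first"], user["last"], *user.get("family", [])}
    y, m, d = user["birthdate"].split("-")   # 1985-07-23 -> 1985, 0723, 2307, 230785 ...
    terms |= {y, m + d, d + m, y + m + d, d + m + y, d + m + y[2:]}
    return {t.lower() for t in terms if len(t) >= 3}


def check_password(pw, user, dictionary=DICTIONARY):
    """Return the reasons a password is weak; an empty list means it passes."""
    reasons = []
    if len(pw) < MIN_LENGTH:
        reasons.append("too short")
    variants = _variants(pw)
    if any(v in dictionary for v in variants):
        reasons.append("dictionary word")
    if any(term in v for term in personal_terms(user) for v in variants):
        reasons.append("derived from personal information")
    return reasons


if __name__ == "__main__":
    for candidate in ("Welcome1", "Emily0723!", "P@ssw0rd2024", "correct horse battery staple"):
        print(candidate, "->", check_password(candidate, SAMPLE_USER) or "accepted")
```

The check deliberately normalizes the candidate the way a cracking tool would (lower case, trailing digits removed, digit-for-letter substitutions undone) before comparing, so "P@ssw0rd2024" is treated as the dictionary word it is.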
Figure 3:

Example 2: malicious threat (malicious attackers). An employee known here as Sally was turned down for promotion three times. Sally believes that she has put in a considerable amount of work and overtime and is being turned down for promotion because she is too young. Sally has a degree in computer science and decides to resign from the company and take revenge on it by causing the company's Web server to stop servicing requests. Sally uses a denial-of-service attack tool called Trin00 to start an attack on the company's Web server. Most of the company's business is conducted via e-commerce and clients are complaining that they cannot connect to the Web server. The following diagram outlines the various tools and vulnerabilities Sally used to achieve her goal.

Figure 4:

Remember that this is just an example. Many possibilities, tools, and vulnerabilities can exist and will differ in the way to counter the attack.

Example 3: natural disasters. An organization has various modems and Integrated Services Digital Network (ISDN) router installations and does not have surge protection. During a thunderstorm, lightning strikes the telephone and ISDN lines. All modems and ISDN routers are destroyed, taking with them a couple of motherboards. The following diagram shows the vulnerability and the loss of assets.
Figure 5:

Conclusion
Malicious attackers will use various methods, tools, and techniques to exploit vulnerabilities in security policies and controls to achieve a goal or objective. Malicious attacks usually come from non-employees or disgruntled employees who have a specific goal or objective to achieve. The non-malicious "attacks" usually come from users and employees who are not trained on computers or are not aware of various computer security threats. Non-malicious attacks occur due to poor security policies and controls that allow vulnerabilities and errors to take place. Natural disasters can occur at any time, so organizations should implement measures to try to prevent the damage they can cause. These will help an organization restore itself to normal business operations.

Appendix A: Security Threats
Threats can originate from two primary sources: humans and nature. Human threats subsequently can be broken into two categories: malicious and non-malicious.

Natural Disasters
Nobody can stop nature from taking its course. Earthquakes, hurricanes, floods, lightning, and fire can cause severe damage to computer systems. Information can be lost, downtime or loss of productivity can occur, and damage to hardware can disrupt other essential services. Few safeguards can be implemented against natural disasters. The best course of action is to have disaster-recovery and contingency plans in place. Riots, wars, and terrorist attacks, although the result of human activity, fall into this category because they are seen as disasters and are difficult to protect against with computer security policies and controls.

Insiders or Malicious and Disgruntled Employees
Insiders are likely to have specific goals and objectives, and have legitimate access to the system. Employees are the group most familiar with their employer's computers and applications, including knowing what actions might cause the most damage. Insiders can plant viruses, Trojan horses, or worms, or browse through the file system. The insider attack can affect all components of computer security. By browsing through a system, an insider can learn confidential information. Trojan horses are a threat to both the integrity and confidentiality of information in the system. Insiders can affect availability by overloading the system's processing or storage capacity, or by causing the system to crash.

These attacks are possible for a variety of reasons. On many systems, the access control settings for security-relevant objects do not reflect the organization's security policy. This allows the insider to browse through sensitive data or plant a virus or Trojan horse. Often these actions are undetected because audit trails are inadequate or ignored.

Disgruntled employees can create both mischief and sabotage on a computer system. Organizational downsizing in both public and private sectors has created a group of individuals with organizational knowledge who may retain potential system access. System managers can limit this threat by invalidating passwords and deleting system accounts in a timely manner. However, disgruntled current employees actually cause more damage than former employees. Common examples of computer-related employee sabotage include:
- Changing data
- Deleting data
- Destroying data or programs with logic bombs
- Crashing systems
- Holding data hostage
- Destroying hardware or facilities
- Entering data incorrectly
This type of attack can be extremely difficult to detect or protect against.

Outside Attackers or 'Crackers'
People often refer to "crackers" as "hackers." The definition of "hacker" has changed over the years. A hacker was once thought of as any individual who enjoyed getting the most out of the system he or she was using. A hacker would use a system extensively and study the system until he or she became proficient in all its nuances. This individual was respected as a source of information for local computer users, someone referred to as a "guru" or "wizard." Now, however, the term hacker refers to people who either break in to systems for which they have no authorization or intentionally overstep their bounds on systems for which they do not have legitimate access. The correct term for someone who breaks in to systems is a "cracker." Common methods for gaining access to a system include password cracking, exploiting known security weaknesses, network spoofing, and social engineering. Appendix C contains a detailed description of these methods.

Non-Malicious Employees
Attackers are not the only ones who can harm an organization. The primary threat to data integrity comes from authorized users who are not aware of the actions they are performing. Errors and omissions are important threats to data integrity. Errors are caused not only by data entry clerks processing hundreds of transactions per day, but also by all users who create and edit data. Many programs, especially those designed by users for personal computers, lack quality-control measures. However, even the most sophisticated programs cannot detect all types of input errors or omissions. People often assume that the information they receive from a computer system is more accurate than it really is.

Users, data entry clerks, system operators, and programmers frequently make unintentional errors that contribute to security problems, directly and indirectly. Sometimes the error is the threat, such as a data entry error or a programming error that crashes a system. In other cases, errors create vulnerabilities. Errors can occur in all phases of the system life cycle. Errors and omissions can lose, damage, or alter valuable data. Programming and development errors, often called "bugs," range in severity from irritating to catastrophic. Improved software quality has reduced but not eliminated this threat. Installation and maintenance errors also cause security problems. Many organizations address errors and omissions in their computer security, software quality, and data quality programs.

Appendix B: Motives, Goals, and Objectives of Malicious Attackers
There is a strong overlap between physical security and data privacy and integrity. Indeed, the goal of some attacks is not the physical destruction of the computer system but the penetration and removal or copying of sensitive information. Computer systems are exploited in numerous ways. Attackers want to achieve these goals for either personal satisfaction or for a reward.

Deleting and Altering Information
Malicious attackers who delete or alter information normally do this to prove a point or take revenge for something that has happened to them. Insider attackers normally act out of spite for the organization because they are disgruntled about something. Outsiders might attack just to prove that they can or for the fun of it.

Committing Information Theft and Fraud
Information technology is increasingly used to commit fraud and theft, both by automating traditional methods of fraud and by using new methods. Financial systems are not the only ones subject to fraud. Other targets are systems that control access to any resources, such as time and attendance systems, inventory systems, school grading systems, or long-distance telephone systems.

Insiders or outsiders can commit fraud. Insiders who are authorized users of a system perpetrate the majority of fraud uncovered on computer systems. Since insiders have both access to and familiarity with the victim computer system, including what resources it controls and where the flaws are, authorized system users are in a better position to commit crimes. An organization's former employees may also pose threats, particularly if their access is not terminated promptly.

Because many computers are relatively small and valuable, they are easy to steal and sell. If the computer is stolen, the information it contains will be at the disposal of the perpetrator. The thief may erase it or may be able to read it, use it for blackmail, or use it to compromise other computer systems. The thief could sell sensitive information. Data can be stolen from a computer or even manipulated without the owner's knowledge. A Zip drive can be connected to a computer's parallel port and several megabytes of data can be copied. An organization should attempt to protect its investment in equipment with physical measures such as locks and bolts. You can never make something impossible to steal, but you can make stolen information virtually useless by making sure the information is encrypted and the thief does not have the key.

Disrupting Normal Business Operations
Attackers may want to disrupt normal business operations. This could be done out of spite, as with a disgruntled employee who does not want to work because he or she has been turned down for promotion. Outside attackers might want to disrupt services to gain a competitive edge in a world that thrives on competition. Maybe the perpetrators attack just for the fun of it. Accomplishing it is satisfying and rewarding. In any situation like this, the attacker has a specific goal to achieve. Attackers use various methods for performing denial-of-service attacks; the section on methods, tools, and techniques discusses these.

Appendix C: Methods, Tools, and Techniques for Attacks
Malicious attackers use various methods, tools, and techniques to enter, disrupt, and steal information from a system.

E-mail Hacking
The most common mail transfer protocols (SMTP, POP3, IMAP4) do not typically include provisions for reliable authentication as part of the core protocol, allowing e-mail messages to be easily forged. Nor do these protocols require the use of encryption that could ensure the privacy or confidentiality of e-mail messages. Although extensions to these basic protocols do exist, the decision whether to use them needs to be established as part of the mail server administration policy. Some of the extensions use a previously established means of authentication while others allow the client and server to negotiate a type of authentication that both ends support.

Social Engineering
Social engineering is a hacker term for tricking people into revealing their password or some form of security information. It can be used both by outsiders and by people within an organization. A common example of social engineering would be where a hacker sends e-mail to an employee, claiming to be an administrator who needs the employee's password to do some administrative work. The normal user who has not been taught about security might not know the difference between the actual administrator and the imposter administrator. The user unwittingly gives out the logon and password and the imposter now has full access. Other variations of this type of social engineering would be where someone claiming to be the administrator phones a user and asks for the user's password and logon credentials. Company employees with malicious intent could also do this.

Another form of social engineering is guessing a user's password. This is a common form of cracking. When people can learn things about certain users' personal and social lives, they can use this against them. For example, users might choose a daughter or son's name or birth date or a friend's name as a password. This gives the hacker a chance at guessing the password. Users also often use passwords that they can read on their desks or on posters in the work area. "Shoulder surfing" is also common among hackers and users who wish to learn someone's password. In this case, they hang around a user's desk, talking and waiting for the user to type in a password. Users should be made aware of various security issues, even those that are not common. Users should be informed not to type in their passwords in front of others or, if they have and suspect that someone else now has their password, that they should change the password immediately.

Users may also demand network services and protocols that are known to be flawed and subject to attack. For example, a user might ask, "Why can't I just FTP the files down?" It is very important that security policies deal not only with end-user demands but also with the threats and vulnerabilities associated with those demands.

Intrusion Attacks

Attackers using well-known techniques can penetrate many networks. This often happens when attackers use known vulnerabilities in the network, especially in a large organization. In updateable systems, administrators may not have or take the time to install all the necessary patches in a large number of hosts. In addition, it is usually not possible to perfectly map an organization's policy on computer use to its access-control mechanisms, and thus authorized users often can perform unauthorized actions. Realistically, however, it is seldom possible to remove all vulnerabilities.

Intrusion detection is the process of detecting unauthorized use of, or an attack upon, a computer or network. Intrusion detection provides two important functions in protecting information system assets.
The first function is that of a feedback mechanism that informs the security staff about the effectiveness of other components of the security system. The second function is to provide a trigger or gating mechanism that determines when to activate planned responses to an incident.

If vulnerabilities exist in networks, a determined attacker will eventually find them and exploit them. A computer or network without an intrusion detection system (IDS) may allow attackers to leisurely explore its weaknesses. The same network with an IDS installed is a much more formidable challenge to an attacker. Although the attacker may continue to probe the network for weaknesses, the IDS should be able to detect these attempts if the vulnerabilities are known, block these attempts, and alert security personnel who can take appropriate action. The lack of detected intrusions is an indication that there are no known intrusions, not that the system is completely impenetrable.

Denial-of-Service Attacks

Background

DoS attacks are designed to prevent legitimate use of a service. Attackers achieve this by flooding a network with more traffic than it can handle. Examples of this include:
- Saturating network resources, thereby preventing users from using network resources.
- Disrupting connections between two computers, preventing communications between services.
- Disrupting services to a specific system or client.
- Preventing a particular individual from accessing a service.

Attackers strike with various tools, including Trin00 and Tribe Flood Network (TFN, TFN2K). DoS attacks flood a remote network with an enormous amount of protocol packets. Routers and servers eventually become overloaded by attempting to route or handle each packet. Within minutes, network activity exponentially rises and the network stops responding to normal traffic and service requests from clients. This is also known as a network saturation attack or bandwidth consumption attack.

Types of Denial-of-Service Attacks

Computers use certain core resources to operate and function correctly. Some of these resources include network bandwidth, memory, CPU time, and hard drive space. The operating system and applications that run on the system play an important role in managing these resources correctly. Failure or disruption of resources could cause the computer to crash. When the operating system or the resources are overrun by malicious attacks, one or more of these core resources breaks down, causing the system to crash or stop responding. An attacker can cause resources to be overrun by various means, including consuming server resources, saturating network resources, and mail bombing.

Consuming Server Resources
This type of attack does not depend on the attacker being able to consume network bandwidth. The implication is that an intruder can execute this attack from a dial-up connection against a computer on a very fast network. Normally it consumes an enormous amount of memory and processing power on the server. An example of this type of attack is the SYN flood attack. When a client attempts to contact a server service, the client and server exchange a series of messages. The client starts by sending a TCP connection request or SYN message to the server. The server responds to the SYN message with an acknowledgement ACK-SYN message. The client then acknowledges the server's ACK-SYN message with an ACK message. After these three actions take place, the connection between the client and server is open and they can exchange service-specific data. The problem arises when the server has sent the SYN-ACK message back to the client but has not yet received an ACK response from the client. This is now a half-open connection. The server keeps the pending connection in memory, waiting for a response from the client. The time limit on half-open connections will expire, freeing up valuable resources again.

Creating these half-open connections is accomplished with IP spoofing. The attacker's system sends a SYN message to the victim's server. These messages seem to be legitimate but in fact are references to a client system that is unable to respond to the server's SYN-ACK message. This means that the server will never be able to send an ACK message to the client computer. The server now has half-open connections in memory and eventually will fill up the server connections. The half-open connections in memory eventually will time out on the server. However, the attacker's system keeps sending IP-spoofed packets faster than the expire limit on the victim's server. The server now is unable to accept any new connections, causing it to crash. In this case, the intruder is consuming valuable server resources. This type of attack does not really affect any of the current connections or outgoing connections. In most cases the victim of such an attack will have difficulty accepting any new, legitimate incoming connections. The location of the attacking system is difficult to trace because the attacker's system address was masquerading as a legitimate IP address. Since the network forwards packets based on destination address, the only way to validate the source of a packet is to use input source filtering.

Saturating Network Resources

The goal of a DoS attack is to prevent hosts or networks from communicating on the network. An intruder may also be able to consume all the available bandwidth on a network by generating a large number of packets directed to the network. Typically, these packets are Internet Control Message Protocol (ICMP) echo packets, but in principle they may be anything. Further, the intruder need not be operating from a single computer; he or she may be able to coordinate or co-opt several computers on different networks to achieve the same effect. This is known as a distributed denial-of-service attack (DDoS).
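The half-open connection buildup described above is visible on the server itself. As an added example (not code from the original article), the following Python reads a netstat-style connection table and reports ports where SYN_RECV entries pile up; the sample table is constructed, and the "likely spoofed" heuristic (nearly every half-open entry from a different, never-repeating source) is an assumption of this example.

```python
import re
from collections import defaultdict

# One netstat-style TCP row: proto recv-q send-q local:port remote:port state
LINE_RE = re.compile(r"^tcp\s+\d+\s+\d+\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)$")


def build_sample_table():
    """Constructed connection table (not captured from a real host).

    Three ordinary rows, then 60 half-open connections on port 80, each from
    a different source that never completes the handshake: the shape of a
    spoofed-source SYN flood.
    """
    lines = [
        "tcp 0 0 10.0.0.5:80 198.51.100.23:51234 ESTABLISHED",
        "tcp 0 0 10.0.0.5:25 198.51.100.40:33012 ESTABLISHED",
        "tcp 0 0 10.0.0.5:25 198.51.100.41:33013 SYN_RECV",
    ]
    for i in range(60):
        lines.append(f"tcp 0 0 10.0.0.5:80 203.0.{i}.{7 + i}:{4000 + i} SYN_RECV")
    return "\n".join(lines)


def parse_connections(text):
    """Parse netstat-style rows into dicts; rows that do not match are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        _local_ip, local_port, remote_ip, _remote_port, state = m.groups()
        rows.append({"local_port": int(local_port), "remote_ip": remote_ip, "state": state})
    return rows


def half_open_report(rows, threshold=50, spread_ratio=0.9):
    """Per local port: count half-open (SYN_RECV) connections and flag floods.

    threshold: half-open count at which a port is reported as flooded.
    spread_ratio: if nearly every half-open entry has its own source address
    (distinct / total >= ratio) the sources are probably forged; a real
    client that is slow or lossy tends to retry from the same address.
    """
    sources_by_port = defaultdict(list)
    for row in rows:
        if row["state"] == "SYN_RECV":
            sources_by_port[row["local_port"]].append(row["remote_ip"])
    report = {}
    for port, sources in sources_by_port.items():
        total = len(sources)
        distinct = len(set(sources))
        flooded = total >= threshold
        report[port] = {
            "half_open": total,
            "distinct_sources": distinct,
            "suspected_flood": flooded,
            "likely_spoofed": flooded and distinct / total >= spread_ratio,
        }
    return report


if __name__ == "__main__":
    table = parse_connections(build_sample_table())
    for port, info in sorted(half_open_report(table).items()):
        print(port, info)
```

The half-open count is what the server's SYN-RECV timeout and connection backlog bound; the other control the text names, source address filtering, has to be applied at the network border.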
The ICMP is used to convey status and error information including notification of network congestion and other network-related problems. ICMP can be used to determine if a computer on the Internet is responding. To do this, an ICMP echo request packet is sent to a computer on the network. If the computer is operating, it will respond to the request by sending an ICMP echo reply packet. A common example of this is the PING command. On TCP/IP networks, a packet can be sent to an individual computer or broadcast to all computers on the network. When an IP packet is sent to an IP broadcast address from a computer on the same local area network, all computers on that network receive the IP packet. When a computer outside the local area network sends an IP broadcast packet, all computers on the target network receive the broadcast packet (as long as the routers have been configured to forward these broadcast packets). If nothing is filtering these ICMP echo requests, all computers on the network will receive the ICMP echo request packet and respond with an ICMP echo reply packet.

Three parties are involved in these attacks: the attacker, the intermediary, and the victim. The intermediary can also be a victim. The intermediary receives an ICMP echo request packet that is directed to the IP broadcast network address. When the attackers create these packets, they do not use their own IP source address. Instead, they use the source address of their intended victim. This is known as IP spoofing. The result is that when the intermediary computers respond to the ICMP echo request packet, they send the reply packet to the victim's IP address. The victim's computer is now subjected to network congestion that could cause the network to stop responding. Attackers have developed a variety of tools for this purpose. The tools enable the hackers to send ICMP echo request packets to multiple intermediary computers, causing all of them to respond to the same victim's source IP address. These tools could also be used to scan for network routers that do not filter broadcast traffic. When all computers respond to these packets, severe network congestion or outages are possible. These attacks typically exhaust bandwidth, router processing capacity, or network stack resources, breaking network connectivity to the victims.

DDoS attacks involve breaking in to hundreds or thousands of computers across the Internet. Then the attacker installs DDoS software on them, allowing the attacker to control all of these computers and launch coordinated attacks on victim sites. The perpetrator starts by breaking into weakly secured computers, using well-known defects in standard network service programs, and common, weak configurations in operating systems. Then they perform some additional steps on each system. First, they install software to conceal the break-in and to hide the traces of their subsequent activity. For example, they replace the standard commands for displaying running processes with versions that fail to display the attacker's processes. Then they install a special process used to remotely control the burgled computer. This process accepts commands from over the Internet, letting the intruder launch an attack over the Internet
against some designated victim site. They make a note of the IP address of the computer they've taken over. All these steps are highly automated. A cautious intruder will begin by breaking in to just a few sites, then using them to break into some more, and repeating this cycle for several steps. By the time they are ready to mount the attacks, they have taken over thousands of computers and assembled them into a DDoS network, or something that looks a lot like one.

Once the attacker has installed the DDoS software, the attacker runs a single command that sends command packets to all the captured computers, instructing them to launch an attack (from a menu of different varieties of flooding attacks) against a specific victim. When the attacker decides to stop the attack, he or she sends another single command. The controlled computers being used to mount the attacks send a stream of packets. For most of the attacks, these packets are directed at the victim computer. For one variant (called "smurf," after the first circulated program to perform this attack), the packets are aimed at other networks, where they provoke multiple echoes all aimed at the victim as described earlier. The first signs of an attack may be when thousands of compromised systems all over the world begin to flood the victim's network with traffic all at once. The first symptom is likely to be a router crash. Finally, traffic simply stops flowing between the victim and the Internet.

The packets used in DDoS attacks use forged source addresses or spoofed IP addresses. If a packet arrives at the first router, and the source IP address doesn't match the IP network it's coming from, the router should discard the packet. This style of packet checking is called ingress or egress filtering, depending on the point of view: it is egress from the customer network, or ingress to the heart of the Internet.

Mail Bombing

Mail bombing is an e-mail-based attack. E-mail floods the attacked system until it fails. A system will fail in different ways, depending on the type of server and how it is configured. Here are typical failure modes:
- The e-mail server accepts e-mail messages until the disk where e-mail is stored fills up. Subsequent e-mail is not accepted. If the e-mail disk is also the main system disk, it may crash the system.
- The incoming queue is filled with messages to be forwarded until the queue reaches its limit. Subsequent messages can't be queued.
- A particular user's server disk quota can be exceeded. This prevents subsequent mail from being received and may keep the user from getting work done. Recovery can be difficult because the user may need to use more disk space just to delete the e-mail.

Some Internet service providers give temporary accounts to anyone who signs up for a trial subscription, and those accounts can be used to launch e-mail attacks.
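The two border checks the text describes, source address (ingress/egress) filtering and refusing directed broadcasts that would make a network a smurf intermediary, as an added example that is not part of the original article. The customer prefix, the victim address and the packet trace are constructed from the documentation address ranges and are assumptions of this example.

```python
import ipaddress

# Assumed for this example: the customer (edge) network and a host elsewhere on the Internet.
CUSTOMER_NET = ipaddress.ip_network("192.0.2.0/24")
VICTIM_IP = "203.0.113.7"


def check_packet(src, dst, proto, direction, customer=CUSTOMER_NET):
    """Apply the border-router checks from the text to one packet.

    direction is "out" for a packet leaving the customer network (egress
    filtering) or "in" for one arriving from the Internet (ingress filtering).
    Returns (verdict, reason) with verdict "forward" or "drop".
    """
    src_ip = ipaddress.ip_address(src)
    dst_ip = ipaddress.ip_address(dst)
    if direction == "out":
        # Packets leaving the customer network must carry a customer source address;
        # anything else is a forged source and must not reach the Internet.
        if src_ip not in customer:
            return "drop", "egress: source %s is not in %s (forged source)" % (src, customer)
        return "forward", "egress: source address belongs to the customer network"
    # direction == "in": the packet arrived from the Internet side
    if src_ip in customer:
        return "drop", "ingress: packet from the Internet claims an inside source (forged)"
    if dst_ip in (customer.broadcast_address, customer.network_address):
        what = "ICMP echo request" if proto == "icmp-echo-request" else proto
        return "drop", ("ingress: directed broadcast (%s) from outside; forwarding it would make "
                        "this network a smurf intermediary" % what)
    return "forward", "ingress: unicast packet with an outside source"


def filter_trace(packets):
    """Run every (src, dst, proto, direction) tuple through check_packet."""
    return [check_packet(*packet) for packet in packets]


SAMPLE_TRACE = [  # constructed packets, not a real capture
    ("192.0.2.10", "198.51.100.5", "tcp", "out"),             # normal outbound traffic
    (VICTIM_IP, "198.51.100.5", "icmp-echo-request", "out"),  # inside host forging the victim's address
    (VICTIM_IP, "192.0.2.255", "icmp-echo-request", "in"),    # smurf: echo to our broadcast, victim as source
    ("192.0.2.10", "192.0.2.20", "tcp", "in"),                # outside packet pretending to be inside
    ("198.51.100.5", "192.0.2.10", "tcp", "in"),              # normal inbound traffic
]

if __name__ == "__main__":
    for packet, (verdict, reason) in zip(SAMPLE_TRACE, filter_trace(SAMPLE_TRACE)):
        print(verdict.upper(), packet, reason)
```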
Virus Attacks

History

All administrators have heard about viruses and their effects. Viruses can be very destructive, causing loss of information. The viruses modify files and even the operating system itself. These are legal actions within the context of the operating system.

Fred Cohen formally defined the term "computer virus" in 1983 when he performed academic experiments on a Digital Equipment Corporation VAX system. Viruses are classified as being one of two types: research or "in the wild." A research virus is one that has been written for research or study purposes and has received almost no distribution to the public. Viruses that have been seen with regularity are termed "in the wild." The first computer viruses were developed in the early 1980s. The first viruses found in the wild were Apple II viruses such as Elk Cloner, which was reported in 1981. Viruses now have been found on the following platforms: Apple II, IBM PC, Macintosh, Atari, and Amiga. Note that all viruses found in the wild target personal computers. As of today, the overwhelming numbers of virus strains are IBM PC viruses. An examination of the IBM PC family of viruses indicates that the most commonly detected viruses vary according to continent, but that "Stoned," "Brain," "Cascade," and members of the "Jerusalem" family have spread widely and continue to appear. This implies that highly survivable viruses tend to be benign, replicate many times before activation, or are somewhat innovative, utilizing some technique never used before in a virus.

Personal computer viruses exploit the lack of effective access controls in these systems. When personal computers first came onto the market, operating systems like Microsoft MS-DOS were intended for a single user who was in total control of the computer. There were no security mechanisms to separate users, to separate the user from the system, or to stop intentional modification of system or user files. Given the ways computers were used, these mechanisms were not required. While more stringent controls are in place on multitasking, multiuser operating systems, configuration errors and security holes (security bugs) make viruses on these systems more than theoretically possible. Viruses have evolved over the years due to efforts by their authors to make the code more difficult to detect, disassemble, and eradicate. This evolution has been especially apparent in the IBM PC viruses.

However, the spread of computers instigated a new industry that grew around them. This included the emergence of:
- Commercial software products such as spreadsheets and word processors.
- Computer games.
- Shared use of computers, whether it be several employees using the same computer or large organizations connecting computers on a LAN.
With the advent of the personal computer, software was exchanged on floppy disks, software for professional and private use ran on the same computer, and companies moved information onto computers that no longer were controlled by a central IT department but by individual users. The lack of security mechanisms and security awareness on these systems started to make itself felt.

Virus researchers have put considerable effort into developing schemes for describing, naming, and classifying computer viruses and on defining the distinctive features that distinguish computer viruses from other malicious software.

How Viruses Work

A computer virus is a piece of self-replicating code attached to some other piece of code. When a program that is infected with a virus is executed, the virus immediately takes command, finding and infecting other programs and files. The virus code searches users' files for an uninfected executable program for which the user has security write privileges. The virus infects the file by putting a piece of code in the selected program file. This code can be harmless: for example, it might display a message or play a tune. Or it might be harmful and proceed to delete and modify files. Some viruses have a "dormant" phase and will appear only at certain times or when certain actions are performed.

It should be noted that most viruses attempt to retain the original host program's code and functionality after infection because the virus is more likely to be detected and deleted if the program ceases to work. An overwriting virus will destroy code or data in the host program by replacing it with the virus code. A non-overwriting virus is designed to append the virus code to the physical end of the program or to move the original code to another location.

A self-recognition procedure is a technique whereby a virus determines whether or not an executable is already infected. The procedure usually involves searching for a particular value at a known position in the executable. Self-recognition is required if the virus is to avoid multiple infections of a single executable. Multiple infections cause excessive growth in size of infected executables and corresponding excessive storage space, contributing to the detection of the virus.

Some viruses are "memory resident" viruses. When a user executes an executable file that is infected with this type of virus, the virus loads itself into memory and remains there even if the original program is shut down. A resident virus installs itself as part of the operating system upon execution of an infected host program. Once installed in memory, a resident virus is available to infect all suitable hosts that are accessed. Subsequent programs that are executed are infected with the virus until the computer is shut down or turned off. The virus will remain resident until the system is shut down.

A variant is a virus that is generated by modifying a known virus. Examples are modifications that add functionality or evade detection. The term "variant" usually applies only when the modifications are minor. An example would be changing the trigger date from Friday the 13th to Thursday the 12th.
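The file-level effects just described (an overwriting virus changes a host without changing its size, a non-overwriting virus appends the same code to many executables) are what an integrity check looks for. As an added example that is not part of the original article, the following Python builds a size-and-hash baseline of executables and classifies later changes; the file contents are constructed stand-ins, and the "shared appended tail" heuristic is an assumption of this example.

```python
import hashlib
from collections import defaultdict


def build_baseline(files):
    """files: {name: bytes} for executables on a known-clean system.

    Returns {name: (size, sha256 hex)}. In practice the baseline is kept
    offline (or on read-only media) so an infected system cannot rewrite it.
    """
    return {name: (len(data), hashlib.sha256(data).hexdigest()) for name, data in files.items()}


def verify(baseline, files):
    """Compare the current files against the baseline; returns [(name, finding)].

    A changed file that grew is consistent with a non-overwriting (appending)
    virus; one that changed without growing is consistent with an overwriting
    virus. If the very same byte tail was appended to several grown files, it
    is reported once more under "*", because identical code appended to many
    executables is the replication pattern described in the text. These are
    heuristics, not proof of infection.
    """
    findings = []
    grown = []  # (name, bytes appended beyond the baseline size)
    for name, (size, digest) in baseline.items():
        if name not in files:
            findings.append((name, "missing"))
            continue
        data = files[name]
        if hashlib.sha256(data).hexdigest() == digest:
            continue
        if len(data) > size:
            findings.append((name, "changed and grew by %d bytes (appended code?)" % (len(data) - size)))
            grown.append((name, data[size:]))
        elif len(data) == size:
            findings.append((name, "changed but same size (overwritten code?)"))
        else:
            findings.append((name, "changed and shrank"))
    for name in files:
        if name not in baseline:
            findings.append((name, "not in baseline"))
    by_tail = defaultdict(list)
    for name, tail in grown:
        by_tail[hashlib.sha256(tail).hexdigest()].append(name)
    for names in by_tail.values():
        if len(names) >= 2:
            findings.append(("*", "identical tail appended to %d files: %s" % (len(names), ", ".join(names))))
    return findings


# Constructed sample "files" (bytes only, nothing here executes).
CLEAN = {
    "calc.exe": b"MZ\x90\x00calc program body",
    "edit.exe": b"MZ\x90\x00edit program body",
    "fmt.exe": b"MZ\x90\x00fmt program body",
    "notes.txt": b"plain data, not an executable",
}
APPENDED_TAIL = b"<constructed stand-in for appended code>"
LATER = {
    "calc.exe": CLEAN["calc.exe"] + APPENDED_TAIL,       # appended: non-overwriting pattern
    "edit.exe": CLEAN["edit.exe"] + APPENDED_TAIL,       # same tail appended again
    "fmt.exe": b"MZ\x90\x00XXX program body",            # same length, different bytes: overwriting pattern
    "notes.txt": CLEAN["notes.txt"],                     # untouched
    "game.exe": b"MZ\x90\x00game program body",          # new, never baselined
}


def demo_findings():
    """Run the check on the constructed sample.

    Note from the text: a stealth virus intercepts reads of infected files, so a
    check like this should run from known-clean boot media, not the live system.
    """
    return verify(build_baseline(CLEAN), LATER)


if __name__ == "__main__":
    for name, finding in demo_findings():
        print(name, "->", finding)
```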
A stealth virus is a resident virus that attempts to evade detection by concealing its presence in infected files. To achieve this, the virus intercepts system calls that examine the contents or attributes of infected files. The results of these calls must be altered to correspond to the file's original state. For example, a stealth virus might remove the virus code from an executable when it is read (rather than executed) so that an anti-virus software package will examine the original, uninfected host program.

A polymorphic virus creates copies during replication that are functionally equivalent but have distinctly different byte streams. To achieve this, the virus may randomly insert superfluous instructions, interchange the order of independent instructions, or choose from a number of different encryption schemes. This variable quality makes the virus difficult to locate, identify, or remove.

An encrypted virus has two parts: a small decryptor and the encrypted virus body. When the virus is executed, the decryptor will execute first and decrypt the virus body. Then the virus body can execute, replicating or becoming resident. The virus body will include an encryptor to apply during replication. A variably encrypted virus will use different encryption keys or encryption algorithms. Encrypted viruses are more difficult to disassemble and study since the researcher must decrypt the code.

A research virus is one that has been written, but has never been unleashed on the public. These include the samples that have been sent to researchers by virus writers. Viruses that have been seen outside the research community are termed "in the wild."

How Are Computer Viruses Spread?

The following are necessary characteristics of a virus:
- It is able to replicate.
- It requires a host program as a carrier.
- It is activated by external action.
- Its replication ability is limited to the (virtual) system.

A virus is a relatively passive agent that relies on ordinary users for its activation and propagation. Computer viruses move from computer to computer by attaching themselves to files or boot records of disks and diskettes. A virus can travel from one file to another on the same computer if the infected file is executed, from computer memory to a file on disk, on a disk that is carried from one computer to another (some companies prohibit floppy drives, thereby preventing users from copying information onto their computers), on e-mail attachment executable files, and over a modem or network connection. These days it is not uncommon to find them in e-mail attachments and other programs that can be downloaded from the Internet.

Damage that Viruses Cause

Viruses can destroy file allocation tables (FAT) and lead to the corruption of an entire file system, resulting in the need to fully reinstall and reload the system. Viruses can destroy specific executable files and alter data in data files, causing a loss of integrity in the data. Viruses can cause the system to hang so that it does not respond to any keyboard or mouse movements. Viruses also can create bad sectors on the disk, destroying parts of programs and files. They can decrease the space on hard disks by duplicating files. They also can format specific tracks on the disks or format the entire disk.

Trojan Horses

Background

The term "Trojan horse" comes from a myth in which the Greeks gave a giant wooden horse to their foes, the Trojans, seemingly as a peace offering. After the Trojans dragged the horse inside the city walls of Troy, Greek soldiers sneaked out of the horse's hollow belly and opened the city gates, allowing their compatriots to pour in and capture Troy.

What Are Trojan Horses?

A Trojan horse is code hidden in a program such as a game or spreadsheet that looks safe to run but has hidden side effects. When the program is run, it seems to function as the user expects, but in actuality it is destroying, damaging, or altering information in the background. An example of a Trojan horse would be a Christmas executable that, when executed, pops up with an animated figure of Santa Claus and a caption saying "Merry Christmas." In the background, extra code could be deleting files or performing other malicious actions. It is a program on its own and does not require a host program in which to embed itself.

How Trojan Horses Are Spread

Trojan horses generally are spread through e-mail and exchange of disks and information between computers. Worms could also spread Trojan horses.

Damage Caused by Trojan Horses

The damage that Trojan horses cause is much the same as what a virus causes. Most of the time the users are unaware of the damage it is causing because of the Trojan horse's masking effect.

Worms

Background

Worms first were used as a legitimate mechanism for performing tasks in a distributed environment. Network worms were considered promising for the performance of network management tasks in a series of experiments at the Xerox Palo Alto Research Center in 1982.
The key problem noted was worm management, controlling the number of copies executing at a single time. Various problems with worm management resulted in extremely poor system performance and a denial of network service. The first network worms were intended to perform useful network management functions. They took advantage of system properties to perform useful actions. However, a malicious worm takes advantage of the same system properties. The facilities that allow such programs to replicate do not always discriminate between malicious and good code.

Worms were first noticed as a potential computer security threat when the Christmas Tree Exec attacked IBM mainframes in December 1987. It brought down both the worldwide IBM network and BITNET. The Christmas Tree Exec wasn't a true worm. It was a Trojan horse with a replicating mechanism. A user would receive a Christmas card by e-mail that included executable (REXX) code. If executed, the program claimed to draw a Christmas tree on the display. That much was true, but it also sent a copy to everyone on the user's address lists.

The Internet Worm was a true worm. It was released on November 2, 1988. It attacked Sun and DEC UNIX systems attached to the Internet (it included two sets of binaries, one for each system). It utilized the TCP/IP protocols and vulnerabilities in sendmail, common application layer protocols, operating system bugs, and a variety of system administration flaws to propagate. It exploited operating system flaws and common system management problems.

What Are Worms?

The following are necessary characteristics of a worm:
- It is able to replicate.
- It is self-contained and does not require a host.
- It is activated by creating a process (it needs a multitasking system).
- If it is a network worm, it can replicate across communication links.

A worm is a program designed to replicate. The program may perform any variety of additional tasks as well. Worms are programs that run independently and travel from computer to computer across network connections. Worms may have portions of themselves running on many different computers. Worms do not change other programs, although they may carry other code that does. Worms exploit flaws (that is, bugs) in the operating system or inadequate system management to replicate. Release of a worm usually results in brief outbreaks, shutting down entire networks.

How Worms Affect Network Systems

Developing a worm requires a network environment and an author who is familiar not only with the network services and facilities, but also with the operating facilities required to support them once they've reached the computer. Protection against worm programs is like protection against break-ins. If the computer is secure from unauthorized access, it should be secure from a worm program. If an intruder can enter your computer, so can a worm program.
How Worms Are Spread

Worms are autonomous agents capable of propagating themselves without the use of another program or intervention or action by a user. Worms are found primarily on computers that are capable of multitasking and are connected by a network.

Damage that Worms Can Cause

Most worms disrupt services and create system management problems. Some worms scan for passwords and other loopholes and then send the information back to the attacker. In some cases worms can install Trojan horses or viruses that cause damage to the systems.

Macro Viruses

A macro virus is a virus that attaches itself to a spreadsheet worksheet, or is programmed into the spreadsheet. Macro viruses are written in high-level languages like Visual Basic for Applications, used by Microsoft Office products, WordPerfect macros, Lotus scripting, and so on. All instructions available for writing macros are also available to virus writers, who now can hide viral code in a macro file. Macro viruses bypass integrity protection mechanisms for normal executables because macro viruses are embedded in the data file. Users opening a file may not even be aware of the fact that they are running a program. Documents are widely exchanged by e-mail and therefore are a good medium for spreading a virus.

An example of a macro virus is the Melissa macro virus. The Melissa macro virus was spread via e-mail. The virus was programmed into a Word document. When the document was opened, the macro virus would send a copy of it to the first 50 e-mail addresses from the global address list. This caused major e-mail systems to crash throughout the world and also saturated network bandwidth. It also could be programmed into other products such as Word documents and Microsoft PowerPoint presentations and so on.

Appendix D: Security Vulnerabilities

Vulnerabilities are weak points or loopholes in security that an attacker can exploit in order to gain access to the network or to resources on the network. The vulnerability is not the attack, but rather the weak point that is exploited. So many different types of vulnerabilities can exist that discussing them all would require hundreds of pages. This section discusses only a few common vulnerabilities. To find out about vulnerabilities that exist on any particular system, talk to various software and hardware vendors and do research and tests on the products.

Vulnerabilities in Common Network Access Procedures and Protocols
The primary protocol used in operating systems today is the TCP/IP protocol stack. The wide use of this protocol helps to integrate different operating system architectures such as Microsoft and UNIX. Many organizations make use of this interoperability and use various TCP/IP utilities to run programs, transfer information, and reveal information. Due to the nature of these utilities, various security risks and threats exist.

Telnet

The Telnet protocol allows a user to log onto a system over the network and use that system as though the user was sitting at a terminal that was directly connected. The telnet command provides a user interface to a remote system. When logging on to a system from a Microsoft telnet client to a UNIX TELNET daemon service or vice versa, the user name and password are sent over the network in plain text, one character per packet. These packets can be intercepted. Since the user name and password characters are not encrypted, it is possible for an electronic eavesdropper to capture a user name and password for a system for which a telnet connection is being established. As part of establishing a connection to a remote computer, when using the Microsoft telnet client to log on to the Microsoft Windows 2000 Telnet service, it uses the NTLM protocol to log the client on. Problems arise when integrating Microsoft systems and UNIX systems. Sometimes, passwords are automatically synchronized. Users often use the same passwords for mixed environments. If hackers can crack the password on systems other than Microsoft systems, they could also use that password to log on to a Microsoft system.

File Transfer Protocol

File Transfer Protocol allows users to connect to remote systems and transfer files back and forth. FTP relies on a user name and password combination for authentication. Use of FTP poses a security problem similar to use of the Telnet protocol because passwords typed to FTP are transmitted over the network in plain text. Another problem area for FTP is anonymous FTP. Anonymous FTP allows users who do not have an account on a computer to transfer files to and from a specific directory. To use anonymous FTP, a user passes a remote computer name as an argument to FTP and then specifies "anonymous" as a user name. This capability is particularly useful for software or document distribution to the public. It is important to securely set up the anonymous FTP account on the server because everyone on the network will have potential access. If the anonymous FTP account is not securely configured and administered, crackers may be capable of adding and modifying files. One of the problems with anonymous FTP is that there is often no record of who has requested what information. Another problem with anonymous FTP is the threat of denial-of-service attacks. For deliberate or accidental denial-of-service attacks, authorized users may be denied access to a system if too many file transfers are initiated simultaneously.

Trivial File Transfer Protocol
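The warning above that an anonymous FTP account must be set up securely, or anonymous users can add and modify files, is something an administrator can check mechanically. As an added example (not part of the original article), the following Python audits the permission and ownership of an anonymous FTP tree; the directory layout is constructed, and the account name `ftp` and the upload directory name `incoming` are assumptions of this example.

```python
import os
import stat

ANON_ACCOUNT = "ftp"      # assumed name of the anonymous FTP login account
UPLOAD_DIR = "incoming"   # assumed name of the only directory meant to accept uploads


def audit_ftp_entries(entries):
    """entries: iterable of (path, st_mode, owner) as os.stat and pwd would report.

    Flags the configuration mistakes the text warns about:
      - world-writable paths outside the upload directory (anonymous users can
        add or modify files, e.g. replace a distributed package);
      - an upload directory that is also world-readable (it becomes a public
        drop box and a disk-filling denial-of-service vector);
      - paths owned by the anonymous account itself (the account could then
        change its own permissions).
    Returns a list of (path, problem).
    """
    findings = []
    for path, mode, owner in entries:
        name = os.path.basename(path.rstrip("/"))
        world_w = bool(mode & stat.S_IWOTH)
        world_r = bool(mode & stat.S_IROTH)
        if owner == ANON_ACCOUNT:
            findings.append((path, "owned by the anonymous account"))
        if world_w and name != UPLOAD_DIR:
            findings.append((path, "world-writable: anonymous users can add or modify files here"))
        if stat.S_ISDIR(mode) and name == UPLOAD_DIR and world_w and world_r:
            findings.append((path, "upload directory is also world-readable (public drop box)"))
    return findings


def scan_tree(root):
    """Yield (path, mode, owner) for a real anonymous FTP root (POSIX hosts only)."""
    import pwd
    for dirpath, _dirnames, filenames in os.walk(root):
        for entry in [dirpath] + [os.path.join(dirpath, f) for f in filenames]:
            st = os.lstat(entry)
            yield entry, st.st_mode, pwd.getpwuid(st.st_uid).pw_name


# Constructed layout (not from a real server); permissions given as st_mode values.
DEMO_ENTRIES = [
    ("/srv/ftp",                stat.S_IFDIR | 0o755, "root"),
    ("/srv/ftp/pub",            stat.S_IFDIR | 0o755, "root"),
    ("/srv/ftp/pub/readme.txt", stat.S_IFREG | 0o644, "root"),
    ("/srv/ftp/pub/tools",      stat.S_IFDIR | 0o777, "root"),  # anyone can plant or replace files
    ("/srv/ftp/incoming",       stat.S_IFDIR | 0o733, "root"),  # write-only drop box: acceptable
    ("/srv/ftp/etc",            stat.S_IFDIR | 0o755, "ftp"),   # owned by the anonymous account
]

if __name__ == "__main__":
    for path, problem in audit_ftp_entries(DEMO_ENTRIES):
        print(path, "->", problem)
```

Logging every anonymous request, the other gap the text names, is a server setting rather than a permission and is not covered by this check.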
Trivial File Transfer Protocol

The Trivial File Transfer Protocol (TFTP)[6] is a file transfer program that is frequently used to allow diskless hosts to boot over the network. Microsoft Windows 2000 implements a client utility to make use of TFTP services on UNIX flavors. Because TFTP has no user authentication, unwanted file transfers may be possible. The use of TFTP to steal password files is a significant threat.

Commands Revealing User Information

It is not uncommon to find interoperability between Microsoft products and various flavors of UNIX. Commands that reveal user and system information pose a threat because crackers can use that information to break into a system.[7] This section provides a brief description of various commands whose output makes a system vulnerable to break-ins.

Rexec

The rexec utility is provided as a client on Microsoft Windows NT and Windows 2000. The rexec client utility allows remote execution on UNIX-based systems running the rexecd service. A client transmits a message specifying the user name, the password, and the name of a command to execute. The rexecd program is susceptible to abuse because it can be used to probe a system for the names of valid accounts. In addition, passwords are transmitted unencrypted over the network.

Finger

The finger client utility on Windows NT and Windows 2000 can be used to connect to a finger daemon service running on a UNIX-based computer to display information about users. User information can be displayed for remote computers as well as for the local computer. When the finger program is run with no arguments, information for every user currently logged on to the system is displayed. When the finger client utility is invoked with a name argument, the password file on the UNIX server is searched, and every user with a first name, last name, or user name that matches the name argument is returned. The output of finger typically includes logon name, full name, home directory, last logon time, and in some cases when the user received and/or read mail. In addition, finger can reveal logon activity. Personal information, such as telephone numbers, is often stored in the password file so that it is available to other users. Making personal information about users available poses a security threat because a password cracker can make use of it.

Protocol Design

Communication protocols sometimes have weak points. Attackers use these to gain information and eventually gain access to systems. Some known issues are:

- TCP/IP. The TCP/IP protocol stack has weak points that allow:
  - IP address spoofing
  - TCP connection request (SYN) attacks
- ATM. Security can be compromised by what is referred to as "manhole manipulation": direct access to network cables and connections in underground parking garages and elevator shafts.
- Frame relay. Similar to the ATM issue.

Modems

If a computer has a modem connected to the Internet, the user needs to take appropriate precautions because modem connections can be a significant vulnerability. Any unauthorized modem is a serious security concern. Hackers commonly use a tool known as a "war dialer" to identify the modems at a target organization. A war dialer is a computer program that automatically dials phone numbers within a specified range. Most organizations have a block of sequential phone numbers; if an organization has one number, it is usually correct to assume that most of its other numbers lie within a limited range above or below that number. By dialing all numbers within the targeted range, the war dialer identifies which numbers belong to computer modems and determines certain characteristics of those modems. The hacker then uses other tools to attack the modem and gain access to the computer network. Anyone can download effective war dialers from the Internet at no cost.

Weak Passwords

Password selection will always be a contentious point as long as users have to select one. The problem is normally remembering the correct password from among the many that users need to remember. Users end up selecting commonly used passwords because they are easy to remember: anything from birthdays to the names of loved ones. This creates a vulnerability, because it gives others a good chance of guessing the correct password. A password is the key to a computer, and a key much sought after by hackers as a means of getting a foothold into a system. A weak password may give a hacker access not only to a computer but to the entire network to which the computer is connected. Users should treat their passwords like the keys to their homes. Would they leave their homes or offices unlocked in a high-crime area?

Device Administration

Switches and routers are easily managed through an HTTP Web interface or a command line interface. Coupled with the use of weak passwords (for example, public passwords), however, this allows anybody with some technical knowledge to take control of the device.
Acknowledgements

This paper was created with help from the following people:

Writer: Christopher Benson, Inobits Consulting (Pty) Ltd.

Contributors:
- Denis Bensch, Inobits Consulting (Pty) Ltd.
- Johan Grobler, Inobits Consulting (Pty) Ltd.
- Dawie Human, Inobits Consulting (Pty) Ltd.
- Louis De Klerk, Inobits Consulting (Pty) Ltd.

Reviewer: Christopher Budd

Macintosh is a registered trademark of Apple Computer, Inc.

[1] March 9, 1999. "CIA measures damage following leaked nuclear secrets."
[2] October 18, 1999. WASHINGTON (IDG): The U.S. House Judiciary Committee has approved a bill designed to encourage electronic commerce by recognizing digital signatures as having the same legally binding status as a handwritten signature.
[3] The World Wide Web Consortium (W3C) is developing the Platform for Privacy Preferences Project (P3P).
[4] "eToys attacks show need for strong Web defenses." Network World, December 20, 1999.
[5] SecurTek Corporation.
[6] Windows 2000 clients can retrieve information from a UNIX computer using the Trivial File Transfer Protocol client utility. Windows 2000 does not run a TFTP server service, but the utility is still used without any authentication against UNIX systems.
[7] The utilities described can still be used although Windows does not support services for them. The client utilities can still be used where there is interoperability between Microsoft Windows and UNIX systems.