12/12/10

(Network Security 1) How and Why Hackers Do It

Attackers break into systems for a variety of reasons and for a variety of
purposes. Until you understand how attackers break into systems and why
they do it, you will have a hard time defending against the variety of
attacks that are currently being used to compromise systems. This
chapter will take a detailed look at these issues so you can better
understand the processes, methods, and types of attacks that are
currently being used.

What Is an Exploit?
Because the topic of exploits will be addressed throughout the book, this
is probably a good time to cover what an exploit actually is.
If this were a short-answer question, the correct answer would be “an
exploit can be anything.” Basically, anything that can be used to
compromise a machine is considered an exploit. Remember, we are also
using a loose definition of the word compromise. A compromise could
include the following:
• Gaining access
• Simplifying gaining access
• Taking a system offline
• Desensitizing sensitive information
For example, going through a company’s garbage to find sensitive
information can be considered an exploit. If an attacker goes through the
garbage and finds a computer printout of top-secret information about a
company’s new product, he has technically compromised the system
without ever touching it. This is why addressing all the ways a system can
be exploited is so important. Many times, security professionals put on
blinders and look at only one aspect of security. It is important to
remember that a chain is only as strong as its weakest link, and an
attacker will compromise the weakest link in a company’s security.
Therefore, it is critical that security professionals step back and properly
look at and address all the security issues a company might face.

Hollywood Hackers
For a good example of going through a company’s garbage, or the
more technical term dumpster diving, rent the movie Sneakers.
Although it is a very entertaining movie, it also shows the security
threats that companies can face.
Just to whet your appetite, the movie is about a company that
performs penetration testing of other companies’ security
systems—particularly banks.

To look at a more formal definition, www.dictionary.com defines an exploit
as “a security hole or an instance of a security hole.” This brings out a
very important point: For there to be an exploit, there has to be a
weakness that can be compromised. If there are no weaknesses, there is
nothing to exploit. That is why most people would say that a truly secure
system is one that is not plugged into a network or any sort of electricity
and buried in 30 feet of cement under the support beams for the Brooklyn
Bridge. In this case, the number of possible exploits is minimized because
the number of weaknesses is reduced or eliminated. It is also important to
point out that, although the number of exploits is minimized, the
functionality of the system is also severely minimized. One of the main
reasons why companies do not have truly secure servers is that,
whenever you increase security, you reduce functionality, and
functionality is what keeps a company in business. The counter argument
I always make is that functionality might keep a company in business, but
lack of security will put a company out of business.
Therefore, when building secure systems, it is critical that you minimize
the risk while reducing the impact it has on overall functionality. Figure
2.1 shows the constant battle of trying to balance security, functionality,
and ease of use. Imagine that there is a ball in the triangle and you can
move it to whatever corner you want. As you move the ball toward the
corner of security, you are moving farther away from the other two
corners. This means that as you increase security, you reduce
functionality and ease of use.
Figure 2.1. The security, functionality, and ease-of-use triangle.


Now that you have a good idea of what an exploit is and what things to be
careful of when securing your system, let’s take a look at the process that
attackers go through to exploit a system. The following section looks at all
types of exploits, not just computer- or network-based, to give you a
better idea of the threats that exist.

The Attacker’s Process
There are many ways an attacker can gain access or exploit a system. No
matter which way an attacker goes about it, there are some basic steps
that are followed:
1. Passive reconnaissance.
2. Active reconnaissance (scanning).
3. Exploiting the system:
   o Gaining access through the following attacks:
     • Operating system attacks
     • Application-level attacks
     • Scripts and sample program attacks
     • Misconfiguration attacks
   o Elevating privileges
   o Denial of Service
4. Uploading programs.
5. Downloading data.
6. Keeping access by using the following:
   o Backdoors
   o Trojan horses
7. Covering tracks.

Note that it is not always necessary to perform all of these steps, and in
some cases, it is necessary to repeat some of the steps. For example, an
attacker performs the active and passive reconnaissance steps and, based
on the information he gathers about the operating systems on certain
machines, he tries to exploit the system. After unsuccessfully trying all
sorts of operating system attacks (Step 3), he might go back to Steps 1
and 2. At this point, his active reconnaissance will probably be more in
depth, focusing on other applications that are running or possible scripts
that are on the system, and even trying to find out more information
about the operating system, such as revision and patch levels. After he
has more information, he will go back to attacking the system.
You would hope that, by protecting your systems from attack, this process
would take a long time to accomplish, frustrating the attacker enough to
give up before he gains access. Ideally, a company should have proper
Intrusion Detection Systems in place so that it can detect an attack and
protect against it before it does any damage. Most companies should
strive for this, but unfortunately most ignore it.
Let’s briefly run through each of the steps from an attacker’s point of
view. The attacker starts off seeing if he has any general information
about the system. This consists of information like the domain name and
any servers or systems the company might have. After all of the passive
information has been gathered, active reconnaissance begins. This is
where the attacker tries to find out as much information about the
systems, without setting off too many alarms. Then, he gathers things
such as IP addresses, open ports, operating system and version, and so
on. After some initial information is gathered, an attacker steps through
each of the attack areas: operating system, applications, scripts, and
misconfigured systems. For each item, an attacker tries an attack; if
unsuccessful, he tries to gather more information about the component.
After all the information has been gathered for an item, an attacker moves
on to the next item. After an attack has been successful and access has
been gained, the attacker then uploads any necessary programs,
preserves access by installing Trojan horses, and finally cleans up the
system to hide the attack.
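As an added example that is not part of the chapter, the following script shows the kind of check an intrusion detection system would run against the active reconnaissance step described above: it reads constructed firewall log lines and flags a source that touches several distinct ports on one host within a short window. The log format, hosts, window and threshold are assumptions made for this illustration.

```python
# Added example (not from the chapter): flag the active-reconnaissance step
# (port scanning) in firewall logs. The line format "<epoch> <src> -> <dst>:<port> <action>",
# the hosts and the thresholds are all assumptions made for this illustration.
from collections import defaultdict, deque

# Constructed sample: 10.0.0.5 probes many ports within seconds (reconnaissance);
# 10.0.0.9 is ordinary traffic to a single service.
SAMPLE_LOG = """\
1000 10.0.0.9 -> 192.168.1.10:443 ALLOW
1001 10.0.0.5 -> 192.168.1.10:21 DENY
1001 10.0.0.5 -> 192.168.1.10:22 ALLOW
1002 10.0.0.5 -> 192.168.1.10:23 DENY
1002 10.0.0.5 -> 192.168.1.10:25 DENY
1003 10.0.0.5 -> 192.168.1.10:80 ALLOW
1004 10.0.0.5 -> 192.168.1.10:139 DENY
1300 10.0.0.5 -> 192.168.1.10:445 DENY
"""

def parse_line(line):
    """Return (ts, src_ip, dst_ip, dst_port, action), or None for a malformed line."""
    parts = line.split()
    if len(parts) != 5 or parts[2] != "->" or ":" not in parts[3]:
        return None
    dst_ip, port = parts[3].rsplit(":", 1)
    try:
        return int(parts[0]), parts[1], dst_ip, int(port), parts[4]
    except ValueError:
        return None

def detect_scanners(log_text, window=60, threshold=5):
    """Flag sources touching >= threshold distinct ports on one host within
    `window` seconds. Returns {src_ip: (dst_ip, first_ts, sorted_ports)}."""
    recent = defaultdict(deque)  # (src, dst) -> deque of (ts, port) in the window
    alerts = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip unparsable lines rather than crash the detector
        ts, src, dst, port, _action = rec
        q = recent[(src, dst)]
        q.append((ts, port))
        while ts - q[0][0] > window:  # expire events older than the window
            q.popleft()
        ports = {p for _, p in q}
        if len(ports) >= threshold and src not in alerts:
            alerts[src] = (dst, q[0][0], sorted(ports))
    return alerts

if __name__ == "__main__":
    for src, (dst, ts, ports) in detect_scanners(SAMPLE_LOG).items():
        print(f"possible scan from {src} against {dst} from t={ts}: ports {ports}")
```

The lone probe at t=1300 falls outside the window and does not re-trigger the alert, which is why the window matters as much as the threshold.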
