Computer Network Security Avenues of Attack


In the first case, the attacker has chosen the target not because of the hardware or software the organization is running but for another reason, such as a political reason. An example of this type of attack would be an individual in one country attacking a government system in another country. Alternatively, the attacker may be targeting the organization as part of a “hacktivist” attack. An example, in this case, might be an attacker who defaces the web site of a company that sells fur coats because the attacker feels using animals in this way is unethical. Perpetrating some sort of electronic fraud is another reason a specific system might be targeted for attack. Whatever the reason, an attack of this nature is decided upon before the hardware and software of the organization are known.

The second type of attack, an attack against a target of opportunity, is conducted against a site that has hardware or software that is vulnerable to a specific exploit. The attackers, in this case, are not targeting the organization; they have instead learned of a vulnerability and are simply looking for an organization with this vulnerability that they can exploit. This is not to say that an attacker might not be targeting a given sector and looking for a target of opportunity in that sector. For example, an attacker may desire to obtain credit card or other personal information and may search for any exploitable company with credit card information in order to accomplish the attack. Targeted attacks are more difficult and will take more time than attacks on a target of opportunity. The latter simply relies on the fact that with any piece of widely distributed software, there will almost always be somebody who has not patched the system as they should have.

Steps in attack

The steps an attacker takes in attempting to penetrate a targeted network are similar to the ones that a security consultant performing a penetration test would take. The attacker will need to gather as much information about the organization as possible. There are a number of ways to do this, including studying the organization’s own website, looking for postings on newsgroups, or consulting resources such as the Securities and Exchange Commission’s (SEC’s) EDGAR web site. A number of different financial reports are available through the EDGAR web site that can provide information about an organization that is useful for an attack, especially for social engineering attacks. The type of information that the attacker wants includes IP addresses, phone numbers, names of individuals, and what networks the organization maintains.

The first step in the technical part of an attack is often to determine what target systems are available and active. This is often done with a ping sweep, which simply sends a “ping” (an ICMP echo request) to the target machine. If the machine responds, it is reachable.

The next step is often to perform a port scan. This will help identify which ports are open, which gives an indication of which services may be running on the target machine. Determining the operating system that is running on the target machine, as well as specific application programs, follows along with determining the services that are available. Various techniques can be used to send specifically formatted packets to the ports on a target system to view the response. Often this response will provide clues as to which operating system and specific applications are running on the target system. Once this is done, the attacker should have a list of possible target machines, the operating system running on them, and some specific applications or services to target. Up until this point, the attacker has simply been gathering the information needed to take the next step, the actual attack on the target. Knowing the operating system and services on the target helps the attacker decide which tools to use in the attack. There are numerous web sites that provide information on vulnerabilities in specific application programs and operating systems. This information is valuable to administrators, since they need to know what problems exist and how to patch them.
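Seen from the defender's side, the ping sweep and port scan described above leave a recognizable pattern in firewall logs: one source touching many hosts, then many ports on one host. The following is an added example, not part of the original article; the log format, the addresses (documentation ranges) and the thresholds are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines in a made-up "time src dst proto detail" format.
SAMPLE_LOG = """\
10:00:01 203.0.113.7 192.0.2.10 ICMP echo-request
10:00:01 203.0.113.7 192.0.2.11 ICMP echo-request
10:00:02 203.0.113.7 192.0.2.12 ICMP echo-request
10:00:02 203.0.113.7 192.0.2.13 ICMP echo-request
10:00:05 198.51.100.4 192.0.2.10 ICMP echo-request
10:01:10 203.0.113.7 192.0.2.11 TCP SYN dport=21
10:01:10 203.0.113.7 192.0.2.11 TCP SYN dport=22
10:01:10 203.0.113.7 192.0.2.11 TCP SYN dport=23
10:01:11 203.0.113.7 192.0.2.11 TCP SYN dport=80
10:01:11 203.0.113.7 192.0.2.11 TCP SYN dport=443
10:02:00 198.51.100.9 192.0.2.11 TCP SYN dport=443
10:02:03 198.51.100.9 192.0.2.11 TCP SYN dport=443
garbage line that should be skipped
"""

LINE_RE = re.compile(
    r"^\d\d:\d\d:\d\d (?P<src>\S+) (?P<dst>\S+) "
    r"(?:(?P<icmp>ICMP echo-request)|TCP SYN dport=(?P<port>\d+))$"
)

def detect_recon(log_text, sweep_hosts=4, scan_ports=5):
    """Return (sweepers, scanners); thresholds are assumed values to tune."""
    pinged = defaultdict(set)   # src -> distinct hosts it sent echo requests to
    probed = defaultdict(set)   # (src, dst) -> distinct ports it sent SYNs to
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # tolerate malformed or unrelated lines
        if m["icmp"]:
            pinged[m["src"]].add(m["dst"])
        else:
            probed[(m["src"], m["dst"])].add(int(m["port"]))
    sweepers = {s: sorted(h) for s, h in pinged.items() if len(h) >= sweep_hosts}
    scanners = {k: sorted(p) for k, p in probed.items() if len(p) >= scan_ports}
    return sweepers, scanners

if __name__ == "__main__":
    sweepers, scanners = detect_recon(SAMPLE_LOG)
    for src, hosts in sweepers.items():
        print(f"ping sweep from {src}: {len(hosts)} hosts")
    for (src, dst), ports in scanners.items():
        print(f"port scan from {src} against {dst}: ports {ports}")
```

The single ping from 198.51.100.4 and the repeated connections to port 443 from 198.51.100.9 stay below both thresholds, so ordinary traffic is not flagged. A production rule would also bound the counts to a time window.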

In addition to information about specific vulnerabilities, some sites may also provide tools that can be used to exploit the vulnerabilities. An attacker can search for known vulnerabilities and tools that exploit them, download the information and tools, then use them against a site. If the administrator for the targeted system has not installed the correct patch, the attack may be successful; if the patch has been installed, the attacker will move on to the next possible vulnerability. If the administrator has installed all of the appropriate patches so that all known vulnerabilities have been addressed, the attacker may have to resort to a brute-force attack, which involves guessing a userid and password combination. Unfortunately, this type of attack, which could be easily prevented, sometimes proves successful. This discussion of the steps in an attack is by no means complete. There are many different ways a system can be attacked. This, however, is the general process: gathering as much information about the target as
