Threats to Enterprise Security
By: Dan Sullivan, 04/18/2005
Continuing Threats to Assets and Resources
Threats come in many forms and typically entail the theft, disruption, or destruction of
information assets. They range from physical threats, such as the destruction of an IT center by
fire, to intangible threats, such as the covert theft of proprietary information. When discussing
threats, it is useful to consider the following questions:
- What type of threat are you dealing with?
- What are the assets you want to protect?
- What is the impact on the organization?
- Who is the perpetrator, or more technically, the threat agent?
- What vulnerability is exploited to execute the threat?
- What is the result if the threat is carried out?
The following sections will examine different types of threats guided by these questions.
Threat of Information Theft
Theft of information is the most significant cost threat to organizations, and identity theft is just
one of the costly consequences of information theft. Identity theft costs banks $1 billion per year.
The United States Federal Trade Commission (FTC) reported 161,000 cases of identity theft in
2002, but the United States Federal Bureau of Investigation (FBI) estimates the actual number of
victims is closer to 500,000. The Identity Theft Resource Center (http://www.idtheftcenter.org)
estimates the average identity theft victim spends 600 hours recovering from the crime. The
same study found that businesses lose $40,000 to $92,000 per name in fraudulent charges.
For more information about the cost of identity theft, see http://msnbc.msn.com/id/3078480/.
Computer crime surveys of organizations and a sampling of legal prosecutions depict the scope
of information theft.
System Attacks
According to the 2003 CSI/FBI Computer Crime Survey, the average reported cost to an
organization as a result of information theft was $2.7 million. The high dollar amount is
attributed in part to copyright violations (especially with music and video sharing networks) but
also includes theft of other assets.
The full CSI/FBI survey is available at the Computer Security Institute Web site at
http://www.gocsi.com/.
The U.S. Department of Justice Cybercrime division has its own litany of information theft
convictions, including:
- An IT manager convicted of distributing $2.2 million worth of copyrighted software,
computer games, movies, and music.
- A 25-year-old attacker convicted of hacking into Acxiom, a company managing customer
information for credit card companies, banks, retailers, and other businesses. The cost of
the intrusion and theft is estimated at $5.8 million.
- Alexey Ivanov’s conviction on conspiracy, computer intrusion, computer fraud, credit
card fraud, wire fraud, and extortion charges, related to his attacking dozens of servers to
steal usernames, passwords, credit card information, and other financial data. Total losses
are approximately $25 million.
Information from the Computer Crime and Intellectual Property Section (CCIPS) of the United States
Department of Justice (DoJ) is available online at http://www.usdoj.gov/criminal/cybercrime/.
Criminals steal information in a variety of ways. As some of the previous examples illustrate,
reproducing copyrighted software, hacking into systems to steal information and financial data,
and stealing transactional data are all theft methods. Without proper access controls in place,
insider theft, a fairly low-tech theft method, can be quite successful. For example, one insider
theft scheme was so effective that the Office of the Comptroller of the Currency at the United
States Treasury issued a warning to banks about organized gangs recruiting bank tellers to assist
with making fraudulent withdrawals and cashing stolen government checks. (Full text of the
warning is available at http://www.occ.treas.gov/ftp/alert/2002-4.txt.)
Safeguards Against “Internal” Threats
Security management entails multiple safeguards as a layered approach to prevent intrusions and
damage because perpetrators can come from within the organization. Old distinctions of “inside” and
“outside” no longer apply. Customers, business partners, and suppliers are accessing enterprise assets
and resources through distributed systems that function across organizational boundaries. Firewalls and
intrusion detection systems (IDSs) cannot prevent disgruntled employees or others with legitimate access
from launching internal attacks. Also, employees do not have to be disgruntled—easy access is simply
tempting for many.
To minimize threats from perpetrators that have some form of legitimate access, use multiple safeguards.
Access control and file integrity safeguards should be employed to precisely restrict access and detect
changes to critical files. IT staff should be granted access to systems only as needed for their jobs. File
integrity programs can detect unauthorized changes to files and system directories. A security regime
including file change detection might have detected the “time-bomb” left by the disgruntled network
administrator, especially when combined with strict access controls and regular system auditing.
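The file change detection described above can be illustrated with a small baseline-and-compare routine. This is an added example, not code from the guide or from any product; the function names are hypothetical and the "system directory" it scans is a constructed temporary tree.

```python
import hashlib
import tempfile
from pathlib import Path

# Added example: a minimal file-integrity baseline and comparison. Function
# names are hypothetical; this is not code from any particular product.


def hash_file(path, chunk_size=65536):
    """SHA-256 hex digest of one file, read in chunks so large files are fine."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def take_baseline(root):
    """Map every regular file under root (POSIX-style relative path) to its digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hash_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare_to_baseline(baseline, current):
    """Classify differences between a stored baseline and a fresh scan."""
    return {
        "modified": sorted(f for f in baseline if f in current and baseline[f] != current[f]),
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }


def demo():
    """Constructed scenario: baseline a toy system tree, then alter it without authorization."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "bin").mkdir()
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\n")
        (root / "etc" / "crontab").write_text("0 2 * * * /usr/bin/backup\n")
        (root / "bin" / "login").write_bytes(b"constructed-binary-contents")

        baseline = take_baseline(root)  # in practice, stored off-host and signed

        # Simulated unauthorized changes: a scheduled job is edited, an
        # unexpected file appears, and a system binary disappears.
        (root / "etc" / "crontab").write_text("0 2 * * * /usr/bin/backup --quiet\n")
        (root / "etc" / "extra.conf").write_text("unexpected\n")
        (root / "bin" / "login").unlink()

        return compare_to_baseline(baseline, take_baseline(root))


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

The baseline is only as trustworthy as its storage: an administrator with write access to the host can also rewrite a baseline kept on that host, which is why the text pairs file integrity checks with strict access controls and regular auditing.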
Threats from those without legitimate access to system resources also depend on multiple layers of
security safeguards. Identity Management, access controls, firewalls, IDSs, file integrity checks, and
formal policies and procedures all play a role. Each of these safeguards applies to disruption and
destruction attacks as well as to information theft. These countermeasures each address a particular type
of threat; an effective security regime demands that countermeasures be coordinated. Poorly integrated
countermeasures can still render assets and resources vulnerable to attack.
Theft of financial information also creates compliance issues with regard to the Sarbanes-Oxley
Act (SOX) and the Gramm-Leach-Bliley Act (GLBA). Noncompliance with these and other industry-
specific regulations carries a high cost for organizations.
Protecting against copyright threats requires comprehensive systems of digital rights
management. Preventing system breaches depends upon well-defined, enforced security policies
and operational safeguards. In many situations, cryptographic techniques are also required to
prevent information theft. For example, storing passwords within an OS or single sign-on (SSO)
server, transmitting financial data outside the organization, setting up a secure channel—or
virtual private network (VPN)—over the Internet all depend on cryptography.
We will explore security policies and operational safeguards later in this guide.
Cryptographic Attacks
Cryptography is used to scramble information so that only the sender and the intended recipient
can access the information. From a security management perspective, cryptographic attacks are
managed in several ways. (For technical details, see the sidebar “Inside Cryptographic Attacks.”)
At the most basic level, effective password policies are defined and enforced to minimize the
chance of attackers discovering passwords. In addition to preventing unauthorized access to an
asset, one must also ensure that fraudulent systems do not appear to be legitimate resources. For
example, a disgruntled bank employee could establish a Web site that has a similar URL to the
bank’s Web site and appears to be a legitimate online banking service. How are users to know
the difference? Digital certificates from trusted third parties use encrypted information to
validate the identity of a site while preventing anyone from tampering with the certificate.
Encrypted communication between two parties depends upon both parties having information
that allows them to unscramble the other party’s messages while preventing others from doing
the same. Managing this information, also known as a key, is an essential security management
function.
Inside Cryptographic Attacks
The nature of cryptography processes, encrypting plaintext into ciphertext and decrypting back to
plaintext (see Figure 2.3), and the protocols for setting up secure communications are vulnerable to a
number of attacks.
Figure 2.3: Successful use of cryptography depends on keeping attackers from stealing or discovering the
encryption and decryption keys.
Ciphertext Attacks
A number of attacks are based on the attacker having copies of one or more plaintext and ciphertext
messages. In a ciphertext-only attack, the attacker tries to discover the encryption key by analyzing a
number of encoded messages. The longer the encryption key, the more difficult the key is to attack. Short
keys, such as a 56-bit DES key, are easily broken; longer keys, such as the 168-bit key used in the Triple
DES algorithm, are currently considered safe from cracking. Variations on the ciphertext-only attack
include the known plaintext attack, the chosen plaintext attack, and the chosen ciphertext attack.
Man-in-the-Middle Attacks
Man-in-the-Middle attacks trick two victims who intend to communicate over a network. The attacker
intercepts network traffic between the two, and changes the information sent to each victim without their
knowledge. For example, an executive might send a message to an assistant asking for a funds transfer from
their company to a vendor to secure a deal on new equipment. The executive includes a bank routing
number and account number in the message. The message is intercepted by an attacker, the routing and
account numbers are changed, and the modified message is sent to the assistant who transfers the funds
to the attacker’s account.
This type of attack works when the attacker can identify the source and target systems of the victims, sniff
a network, intercept packets between the victims, and modify the messages (that is, the messages are
not strongly encrypted). As with other types of attacks, tools are readily available to aid with man-in-the-
middle attacks. Some of the best-known tools are Hunt, T-sight, and Juggernaut.
An encrypted communication channel can prevent this attack as long as the attacker does not intercept
keys as they are exchanged. Digital signatures on messages and message digests are also used to
ensure that messages are authentic and not modified en route (see Figure 2.4).
Figure 2.4: Digital signatures or message digests encrypted with the sender’s private encryption key can
prevent man-in-the-middle attacks.
Replay Attacks
A replay attack reuses confidential information captured by a sniffer or other passive device. For example,
a sniffer could capture packets containing authentication information that is later used to access a
system. Replay attacks can be prevented by using unique session and message component IDs.
Senders attach these IDs to messages when the messages are sent, and recipients record these IDs for
future reference. When a recipient receives a message, he or she verifies that session and message
component IDs have not been used before; if they have, the message has been replayed. The
Encapsulating Security Payload (ESP) header format in the IP protocol (versions 4 and 6) uses this type of
anti-replay mechanism.
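The two recipient-side checks from the man-in-the-middle and replay sections can be shown together: a message authentication code binds the body to a session and message ID, and the recipient both verifies the tag and refuses IDs it has already accepted. This is an added example, not code from the guide; it uses HMAC-SHA256 over a shared key in place of the digital signatures the text mentions, and the key, session ID and account numbers are constructed values.

```python
import hashlib
import hmac
import json

# Added example, not from the guide. The shared key is a constructed value; in a
# real deployment it comes from the key-management function the text describes.
SHARED_KEY = b"constructed-demo-key-not-for-real-use"


def make_message(key, session_id, seq, body):
    """Sender: bind session ID, per-message sequence number and body under one HMAC-SHA256 tag."""
    payload = json.dumps({"session": session_id, "seq": seq, "body": body}, sort_keys=True)
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return {"payload": payload, "tag": tag}


class Receiver:
    """Recipient: rejects messages whose tag fails and messages whose IDs were seen before."""

    def __init__(self, key):
        self.key = key
        self.seen = set()  # (session, seq) pairs already accepted

    def accept(self, message):
        expected = hmac.new(self.key, message["payload"].encode(), hashlib.sha256).hexdigest()
        # compare_digest is constant-time, so timing does not reveal how much of the tag matched
        if not hmac.compare_digest(expected, message["tag"]):
            return "rejected: modified in transit or wrong key"
        fields = json.loads(message["payload"])
        ident = (fields["session"], fields["seq"])
        if ident in self.seen:
            return "rejected: replay"
        self.seen.add(ident)
        return "accepted"


def demo():
    """Constructed run of the executive-to-assistant scenario from the text."""
    rx = Receiver(SHARED_KEY)
    order = {"instruction": "transfer", "routing": "000000000", "account": "111111111"}  # constructed numbers
    original = make_message(SHARED_KEY, "sess-42", 1, order)

    # In-transit modification: the account number is swapped, but the tag
    # cannot be recomputed without the key, so the change is detected.
    fields = json.loads(original["payload"])
    fields["body"]["account"] = "999999999"
    tampered = {"payload": json.dumps(fields, sort_keys=True), "tag": original["tag"]}

    follow_up = make_message(SHARED_KEY, "sess-42", 2, {"instruction": "confirm"})

    return [
        rx.accept(original),   # fresh, authentic
        rx.accept(tampered),   # same IDs, altered body
        rx.accept(original),   # replayed verbatim
        rx.accept(follow_up),  # next sequence number in the session
    ]


if __name__ == "__main__":
    print(demo())
```

The set of seen IDs grows without bound here; ESP instead keeps a sliding window of recent sequence numbers, which bounds memory and still rejects anything older than the window or already marked as received.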
Dictionary Attacks
Passwords are generally stored as the output of one-way (hash) functions that are easy to compute but difficult, if not
impossible, to reverse. When an attacker steals a password file, rather than waste time trying to decrypt
the file, the attacker could compare the file with a list of known passwords that have been encrypted with
the same one-way function (see Figure 2.5). This method is a dictionary attack.
To prevent successful dictionary attacks, systems administrators and security professionals recommend
using difficult-to-guess passwords. These generally include passwords that have the following
characteristics:
- A reasonable minimum length (at least eight characters)
- A combination of upper- and lower-case letters
- At least one number and other special character (such as @, $, !)
- Strings of characters not found in dictionaries or used in names
Enforced password policies that include requirements such as these can minimize the likelihood of a
successful dictionary attack.
Figure 2.5: Dictionary attacks are successful when poorly chosen passwords are allowed.
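The four password characteristics listed above, and the reason a precomputed list of hashed words fails against properly stored passwords, can both be shown in a few lines. This is an added example, not code from the guide: the policy checker implements the listed rules, the wordlist is a constructed toy, and the storage function uses salted PBKDF2-HMAC-SHA256, which the guide does not name but which is the kind of salted, iterated one-way function the text alludes to.

```python
import hashlib
import hmac
import os
import re

# Added example, not from the guide. The wordlist is a constructed toy; real
# checks use large lists and the organization's own banned terms.
WORDLIST = {"password", "welcome", "letmein", "dragon", "summer2005", "qwerty"}
SPECIAL = set("@$!#%&*?")  # the text names @, $ and ! as examples


def policy_violations(password, wordlist=WORDLIST, min_length=8):
    """Return the rules from the text that the password fails (empty list means it passes)."""
    violations = []
    if len(password) < min_length:
        violations.append("too short")
    if not (any(c.islower() for c in password) and any(c.isupper() for c in password)):
        violations.append("needs upper- and lower-case letters")
    if not any(c.isdigit() for c in password):
        violations.append("needs a digit")
    if not any(c in SPECIAL for c in password):
        violations.append("needs a special character")
    lowered = password.lower()
    # Strip digits and symbols too: 'Summer2005!' still rests on a dictionary word.
    candidates = {lowered, re.sub(r"[^a-z]", "", lowered), re.sub(r"[^a-z0-9]", "", lowered)}
    if candidates & wordlist:
        violations.append("dictionary word")
    return violations


def hash_password(password, salt=None, iterations=100_000):
    """Salted, iterated one-way function (PBKDF2-HMAC-SHA256). Returns (salt, digest)."""
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def verify_password(password, salt, digest, iterations=100_000):
    """Recompute under the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)


def demo():
    """Constructed users sharing a password: unsalted digests collide, salted ones do not."""
    unsalted = [hashlib.sha256(b"password").hexdigest() for _ in range(2)]
    salt_a, digest_a = hash_password("password")
    salt_b, digest_b = hash_password("password")
    return {
        "weak": policy_violations("password"),
        "disguised": policy_violations("Summer2005!"),
        "strong": policy_violations("Tr0ub4dor@2005"),
        "unsalted_identical": unsalted[0] == unsalted[1],
        "salted_identical": digest_a == digest_b,
        "verify_ok": verify_password("password", salt_a, digest_a),
        "verify_wrong": verify_password("Password", salt_a, digest_a),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The salt is what defeats the comparison the text describes: a stolen file of unsalted digests can be matched against one precomputed list, whereas with a random salt per account the attacker must recompute the list for every account, and the iteration count makes each recomputation slow.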