Network Security Library

Threats to Enterprise Security


By: Dan Sullivan, 04/18/2005



Threat of Disruption and Destruction


Threats that disrupt services and destroy information are the most common types of attack. According to the most recent CSI/FBI Computer Crime and Security Survey, 82 percent of respondents had experienced a virus attack and 42 percent had experienced a DoS attack (second in cost only to information theft). The survey estimates the total cost to respondents at more than $67 million in 2003. This category includes several types of attacks: This list is not an exhaustive list of all disruption and destruction attacks (spam, unsolicited and unwanted email, has also become a major threat to services, consuming network bandwidth, email system capacity, network storage, and end-user support time), but it does give some sense of the most common types of attack.

DoS Attacks
DoS attacks seek to deprive legitimate users of access to system resources. Typically the attacker overwhelms a server with requests that consume some finite resource: bandwidth, connection-table entries, disk space, memory, and so on. Another form of the attack denies access to services by changing configuration information.

In February 2000, Yahoo!, Buy.com, eBay, Amazon.com, and CNN.com all suffered DoS attacks over a 2-day period. The sites were flooded with junk network traffic, a technique called packet flooding, so that legitimate users could not reach them. Another form of junk traffic is bogus connection requests.

These connection requests carry forged source addresses, so when the server replies it is answering a host that never initiated the request and never completes the handshake. The server keeps the half-open connection for some period of time (for example, as long as 1 minute) before giving up on it. When thousands of such requests arrive, the server exhausts its pool of pending connections and legitimate clients are refused (see Figure 2.6).


Figure 2.6: DoS attacks overwhelm servers with bogus traffic and requests for connections, eventually exhausting a server’s resources.

A more sophisticated version of this attack is the DDoS attack (see Figure 2.7). This type of attack occurs in two phases. First, the originator places a copy of the DoS program on each of many vulnerable systems. Second, those programs launch a coordinated attack at a specific time or after a particular event. DDoS attacks are harder to stop than single-source DoS attacks because the traffic arrives from many sources at once, and they are also harder to trace back to the originator.


Figure 2.7: DDoS attacks use compromised systems or “zombies” to launch a coordinated attack.

Another form of DoS attack changes configuration information on target machines. On Windows, this can mean modifying registry settings or network configuration files. For example, the DoS component of the recent Mydoom email virus modified the local hosts file to map antivirus vendors' domain names to the bogus IP address 0.0.0.0, so that infected machines could no longer reach those vendors. Similar attacks can occur on Linux and UNIX systems.
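The hosts-file tampering just described is easy to check for. The following is an added example, not code from the original article: it parses a hosts file and reports any watched vendor name that has been overridden (whether pointed at 0.0.0.0 or redirected elsewhere) and any other name sent to an unspecified or loopback address. The vendor names and the sample file are constructed for illustration.

```python
import ipaddress
import os

# Names an attacker would want to blackhole; assumed stand-ins for real vendor hosts.
WATCHED_NAMES = {"update.example-av.com", "www.example-av.com"}
# Names that legitimately point at loopback in a default hosts file.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "ip6-localhost", "ip6-loopback"}

# Constructed sample in the shape Mydoom left behind: vendor names pinned to 0.0.0.0.
HOSTS_SAMPLE = """\
# Constructed sample of a tampered hosts file
127.0.0.1       localhost
::1             localhost ip6-localhost ip6-loopback
192.0.2.50      intranet.example.com     # legitimate internal entry
0.0.0.0         update.example-av.com
0.0.0.0         www.example-av.com
0.0.0.0         downloads.example-software.net
"""


def hosts_path():
    """Location of the hosts file on Windows and on Unix-like systems."""
    if os.name == "nt":
        return os.path.join(os.environ.get("SystemRoot", r"C:\Windows"),
                            "System32", "drivers", "etc", "hosts")
    return "/etc/hosts"


def parse_hosts(text):
    """Yield (line number, address or None, [names]) for every non-comment line."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()          # strip inline comments
        if not fields:
            continue
        try:
            addr, names = ipaddress.ip_address(fields[0]), fields[1:]
        except ValueError:
            addr, names = None, fields                 # malformed first field
        yield lineno, addr, [n.lower() for n in names]


def suspicious_entries(text, watched=WATCHED_NAMES):
    """Findings as (line number, kind, detail). Two kinds matter here: a watched
    name mapped anywhere at all (the attacker may redirect rather than blackhole
    it), and any other name sent to 0.0.0.0 or a loopback address."""
    findings = []
    for lineno, addr, names in parse_hosts(text):
        if addr is None:
            findings.append((lineno, "malformed", " ".join(names)))
            continue
        blackholed = addr.is_unspecified or addr.is_loopback
        for name in names:
            if name in watched:
                findings.append((lineno, "watched-name-overridden", f"{name} -> {addr}"))
            elif blackholed and name not in LOCAL_NAMES:
                findings.append((lineno, "sinkholed", f"{name} -> {addr}"))
    return findings


def check_system_hosts():
    """Run the check against this machine's own hosts file."""
    with open(hosts_path(), encoding="utf-8", errors="replace") as fh:
        return suspicious_entries(fh.read())
```

Running `suspicious_entries(HOSTS_SAMPLE)` reports lines 5 and 6 as overridden vendor names and line 7 as a sinkholed entry; the internal entry on line 4 and the loopback names are left alone. The same check is worth scheduling on a file integrity monitor, since the hosts file is consulted before DNS on every platform.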

DoS attacks can also originate inside an organization. A fork bomb, for example, spawns processes continuously until process-table and memory limits are hit and the system stalls. Another technique repeatedly generates system errors until the log files fill the available disk space.

Preventing any type of DoS attack is difficult. Because attackers spoof source IP addresses, identifying the true source and cutting it off is hard. Some packet flooding tools also vary the source and destination ports from packet to packet to make detection and filtering harder. DoS programs keep growing more sophisticated, using alternative protocols such as Internet Relay Chat (IRC) and incorporating self-replicating mechanisms. The SQL Slammer worm, for example, exploited a vulnerability in Microsoft SQL Server to spread through much of the Internet within minutes.

To mitigate DoS attacks, intrusion detection systems and network sniffers can recognize recurring patterns in the flood traffic so that matching packets can be blocked at the firewall, protecting the systems behind it. The flood still consumes the link in front of the firewall, however, so the service may remain unreachable for legitimate external users.
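To make the connection-exhaustion mechanism described earlier and the pattern detection mentioned here concrete, the following added example (not part of the original article) models a server's half-open connection pool, computes the rate of forged SYNs needed to keep it full, and runs a detector over connection records that flags a destination accumulating connection requests that are never completed. The backlog size, the 60-second timeout, the addresses (RFC 5737 documentation ranges) and the traffic are constructed assumptions; a real detector would read captured packets rather than a list of tuples.

```python
from collections import defaultdict

SYN_TIMEOUT = 60.0   # seconds the server keeps a half-open connection (assumed)
BACKLOG = 128        # half-open slots the server holds at once (assumed)


class HalfOpenTable:
    """A server's pool of half-open connections: SYN received, no ACK yet."""

    def __init__(self, backlog=BACKLOG, timeout=SYN_TIMEOUT):
        self.backlog, self.timeout = backlog, timeout
        self.pending = {}                    # (src_ip, src_port) -> SYN arrival time

    def syn(self, src, now):
        """True if a slot is free for this SYN, False if the pool is exhausted."""
        for key, t in list(self.pending.items()):     # drop entries that timed out
            if now - t >= self.timeout:
                del self.pending[key]
        if len(self.pending) >= self.backlog:
            return False
        self.pending[src] = now
        return True

    def ack(self, src):
        """The client's final handshake packet completes the connection, freeing the slot."""
        return self.pending.pop(src, None) is not None


def syn_rate_to_exhaust(backlog=BACKLOG, timeout=SYN_TIMEOUT):
    """Spoofed SYNs per second that keep the pool permanently full: 128/60, about 2."""
    return backlog / timeout


def simulate_flood(spoofed=200, interval=0.1):
    """One legitimate client tries to connect before, during and after a flood of
    SYNs from forged source addresses that never complete the handshake.
    Returns (events, outcomes): the packet records the detector consumes, and
    whether the legitimate SYN got a slot at each point."""
    table = HalfOpenTable()
    events, outcomes = [], {}
    client, victim = ("203.0.113.7", 40001), "192.0.2.10:80"

    def legit_attempt(label, when):
        got_slot = table.syn(client, when)
        events.append((when, "SYN", client, victim))
        if got_slot:                        # real clients answer the SYN-ACK at once
            table.ack(client)
            events.append((when + 0.01, "ACK", client, victim))
        outcomes[label] = got_slot

    legit_attempt("before", 0.5)
    for i in range(spoofed):                # forged sources never answer
        src = ("198.51.100.%d" % (i % 254 + 1), 1024 + i)
        table.syn(src, 1.0 + i * interval)
        events.append((1.0 + i * interval, "SYN", src, victim))
    legit_attempt("during", 30.0)           # pool is full of dead entries
    legit_attempt("after", 30.0 + SYN_TIMEOUT + 10)   # they have since timed out
    return events, outcomes


def detect_syn_flood(events, window=SYN_TIMEOUT, threshold=100):
    """Flag a destination once it accumulates `threshold` SYNs within `window`
    seconds that were never followed by an ACK from the same source. Many
    one-packet sources is the sign of address spoofing; a firewall rule built
    from this protects only the hosts behind it, the upstream link stays flooded."""
    half_open = defaultdict(dict)           # dst -> {src: time of its SYN}
    alerts = {}
    for when, kind, src, dst in sorted(events):
        if kind == "SYN":
            half_open[dst][src] = when
        else:                               # ACK completes the handshake
            half_open[dst].pop(src, None)
        live = {s: t for s, t in half_open[dst].items() if when - t < window}
        half_open[dst] = live
        if len(live) >= threshold:
            alerts[dst] = max(alerts.get(dst, 0), len(live))
    return alerts
```

With these constants the client connects before the flood, is refused at 30 seconds while 128 forged entries sit in the table, and connects again once they have timed out; the detector reports the victim with 201 unanswered SYNs in its window. The arithmetic in `syn_rate_to_exhaust` is the point: a pool of 128 entries held for a minute is kept full by roughly two spoofed packets per second, which is why the timeout, not bandwidth, is the resource under attack.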

For a timeline of the spread of the Slammer worm through the Internet, see Paul Boutin's "Slammed: An Inside View of the Worm that Crashed the Internet in 15 Minutes" in Wired, July 2003 (http://www.wired.com/wired/archive/11.07/slammer.html).

Insider Abuse and Backdoors
Sometimes the most damaging threats originate inside an organization. For example, a former network administrator at a high-tech measurement and control instruments company left a "time bomb" that deleted all of the sophisticated manufacturing software on his former employer's servers. The disruption cost the company at least $10 million in sales and future contracts.

For more information about this incident, see the DoJ Press Release, February 26, 2002. http://www.cybercrime.gov/lloydSent.htm.

Typical types of intruder attacks include: As noted earlier, the distinction between inside and outside threats to an organization is no longer useful. It is better to distinguish users by their legitimate level of access. Developers and systems administrators have high levels of access, and those roles demand correspondingly strong controls, monitoring, and policy enforcement. The same access control mechanisms that deter attackers can keep legitimate users within appropriate limits.

Denying Services by Domain Spoofing
Domain spoofing targets Domain Name System (DNS) servers, which map domain names such as www.mydomain.com to IP addresses. DNS servers respond to queries of the DNS database in one of four ways: Once a DNS server has resolved a domain name to an IP address, it caches that information for a predefined period called the Time to Live (TTL). In theory, a DNS server should accept information about a domain only from a server authorized for that domain. In practice, earlier versions of popular DNS servers, including the widely deployed Berkeley Internet Name Domain (BIND), could accept and cache false domain name mappings, resulting in domain name spoofing.

For more information about known vulnerabilities in early versions of BIND, consult the BIND Security Matrix at http://www.isc.org/index.pl?/sw/bind/.

According to a 2003 survey by Men & Mice, 33 percent of 5,000 randomly selected DNS servers in the .com domain were vulnerable to spoofing. The survey also found that more than 68 percent of DNS servers were incorrectly configured, causing problems with host lookups and with basic Internet services. Figure 2.8 shows how domain spoofing works.

Results of the latest and past DNS Health Surveys can be found at http://www.menandmice.com/6000/6000_domain_health.html.


Figure 2.8: Domain spoofing reroutes traffic from its legitimate target to a third party.

Steps 1 through 3 illustrate how DNS normally resolves a domain name to an IP address. When an Internet service, such as FTP or email, needs a connection to a service on another server, it first asks a DNS server for that server's IP address; the correct address is returned and the connection is made. In step 4, the vulnerable DNS server is spoofed into caching an incorrect IP address for Domain B. From that point on, until the bogus entry expires, traffic for Domain B is sent to the attacker's IP address instead of to Domain B.
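The difference between a server that "accepts and caches false mappings" and one that does not comes down to what it checks before caching. The following added example (not the article's own code) models a toy caching resolver with both policies: the trusting one caches every record in every reply it sees, the checked one caches only records that answer an outstanding query with a matching transaction ID and question, and only records inside the zone that query went to (the bailiwick check). The names use the reserved .example domain, the addresses are RFC 5737 ranges, and both messages are constructed.

```python
from dataclasses import dataclass, field
import random


@dataclass
class DnsResponse:
    txid: int                                        # should echo the resolver's query id
    qname: str                                       # the question being answered
    answers: list = field(default_factory=list)      # (name, ip, ttl) records
    additional: list = field(default_factory=list)   # extra records the responder chose to add


def zone_of(qname):
    """Zone the query was sent to, e.g. www.domain-a.example -> domain-a.example."""
    return qname.split(".", 1)[1]


def in_bailiwick(name, zone):
    """True if `name` lies inside `zone`, so that zone's server may speak for it."""
    return name == zone or name.endswith("." + zone)


class Resolver:
    """Caching resolver with a trusting (strict=False) or checked (strict=True) policy."""

    def __init__(self, strict):
        self.strict = strict
        self.cache = {}          # name -> (ip, absolute expiry time)
        self.outstanding = {}    # txid -> qname we are waiting on

    def query(self, qname, rng):
        txid = rng.randrange(1 << 16)
        self.outstanding[txid] = qname
        return txid

    def receive(self, resp, now):
        """Cache what the policy allows; return the names that were cached."""
        if self.strict:
            if self.outstanding.get(resp.txid) != resp.qname:
                return []                            # unsolicited, or wrong id/question
            zone = zone_of(resp.qname)
            records = [r for r in resp.answers + resp.additional
                       if in_bailiwick(r[0], zone)]  # ignore records outside the zone
        else:
            records = resp.answers + resp.additional  # trust everything, as early servers did
        for name, ip, ttl in records:
            self.cache[name] = (ip, now + ttl)       # held until the TTL runs out
        self.outstanding.pop(resp.txid, None)
        return [r[0] for r in records]

    def lookup(self, name, now):
        hit = self.cache.get(name)
        return None if hit is None or now >= hit[1] else hit[0]


def poisoning_scenario(strict, seed=7):
    """The resolver asks domain-a's server for www.domain-a.example. The reply
    also carries a record for www.domain-b.example pointing at the attacker,
    the situation in step 4 of the figure. Then a reply nobody asked for arrives
    claiming www.domain-c.example. Returns the resolver and the clock value."""
    rng = random.Random(seed)                        # fixed seed keeps the run repeatable
    r, now = Resolver(strict), 1000.0
    txid = r.query("www.domain-a.example", rng)
    reply = DnsResponse(txid, "www.domain-a.example",
                        answers=[("www.domain-a.example", "192.0.2.10", 300)],
                        additional=[("www.domain-b.example", "203.0.113.66", 86400)])
    r.receive(reply, now)
    unsolicited = DnsResponse(0x1234, "www.domain-c.example",
                              answers=[("www.domain-c.example", "203.0.113.66", 86400)])
    r.receive(unsolicited, now)
    return r, now
```

The trusting resolver ends up sending Domain B and Domain C traffic to 203.0.113.66 for a day, since the attacker also chose the TTL; the checked resolver keeps only the answer it asked for and forgets it after its 300-second TTL. Transaction ID matching alone is not enough (the ID space here is 16 bits and can be guessed), which is why the bailiwick check matters even for replies that look solicited.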

Viruses
Viruses have long been a problem in computer security. With the advent of the PC, early viruses spread by infecting diskettes carried between machines. Today, email, Internet chat, and other protocols are the most common modes of transmission. The new transmission channels are one reason for the rapid spread of viruses; another is the evolving nature of the viruses themselves, which have become increasingly complex and harder to detect. Three broad categories of viruses, in increasing complexity, are: These categories represent techniques virus writers use to avoid detection. The techniques can be combined with different types of viruses, including boot, file, and macro viruses, which vary by method of attack.

Regardless of how a virus masks itself or how it targets a system, every virus has three components: a payload, a means of spreading, and a trigger. The payload is the code that executes once the virus is triggered; it can be as simple as displaying a message or as malicious as deleting files. Methods of spreading vary by the type of virus; for example, some Microsoft Word macro viruses spread by infecting the normal.dot template.

Some recent email viruses spread by sending copies of themselves to every address in an infected user's address book. Many viruses are triggered when a user opens an infected attachment; others activate on a predefined date.

Detecting Simple Viruses
Unencrypted, static viruses are the easiest to detect. These viruses are like conventional programs in that they do not encrypt or otherwise hide their executable code. Antivirus software easily detects these viruses by looking for identifying patterns of code. These patterns, or signatures, must be sufficiently discriminating to reduce the chance of false positives.

Encrypted Viruses
Following the pattern noted in the opening of this chapter, virus writers responded to antivirus detection techniques with methods to circumvent simple pattern matching. Encrypting the virus is the first step (see Figure 2.9).


Figure 2.9: Encrypted viruses need to carry the decryption code and the decryption key along with the virus payload.

An encrypted file still contains byte patterns that signature-scanning antivirus software could use, so virus writers chose random encryption keys and varied the encryption method. The Achilles' heel of this technique is that the decryption code must travel with the virus; antivirus scanners can look for that code instead and identify the virus by it.

Some viruses, such as the Whale virus, use several encryption schemes and therefore different decryption code. Antivirus scanners need a unique signature for each type of decryption scheme in order to detect this virus.

Polymorphic Viruses
Attackers made the next move. They created viruses that change with each infection by means of a mutation engine. The engine rewrites the virus code so that the binary differs from copy to copy while the program's behavior is unchanged (see Figure 2.10). Typical techniques include: Any combination of these techniques can be applied any number of times, so signature scanning alone can no longer reliably identify the virus. New techniques had to be developed to identify polymorphic viruses.


Figure 2.10: Polymorphic viruses include mutation engines to vary the virus as it propagates.

Early attempts focused on hand-crafted detection routines written by antivirus researchers. This approach obviously would not scale and so led to a shift in strategy: rather than look at surface features of a file, examine patterns of behavior.

Generic polymorphic detectors create a virtual environment in which to execute a suspected virus. The virtual environment is a sandbox in which the virus code can run without risking damage to the host system. As the virus executes, the detector watches for a tell-tale sign, such as a known signature appearing once the payload has been decrypted. A key limitation of generic polymorphic detectors is the time the simulation takes. There is no way to know in advance when the payload will be decrypted, and there is no general way to determine whether a program will ever finish, so simulation alone is not enough.

Antivirus researchers added heuristics, or rules of thumb, to simulations to improve detection. Some rules look for tell-tale signs of a virus, such as the early use of a NOP instruction. Other rules check for behaviors not commonly found in viruses, such as generating interrupts. Between these two types of rules, an antivirus program can estimate the likelihood that the program executing in the virtual environment is actually a virus.
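The progression in these last four sections (plain signature scanning, scanning for the fixed decryptor, the mutation engine that defeats it, and emulate-then-scan with a step budget and a heuristic) can be shown end to end on a toy model. The following is an added example, not code from the original text or from any antivirus product: the "virus" is an inert byte string carrying a marker, and the decryptor is a program for a five-instruction toy machine rather than real machine code. The instruction set, encoding and samples are all constructed for illustration.

```python
import random

PAYLOAD = b"BENIGN-DEMO-PAYLOAD: an inert string standing in for virus code"
PAYLOAD_SIGNATURE = b"BENIGN-DEMO-PAYLOAD"

# Toy machine. A sample is: decryptor program, END byte (0), then the body.
#   KEY k            key = k            KXOR k    key ^= k
#   NOP              nothing            JUNK v    scratch ^= v (body untouched)
#   XORRANGE lo hi   body[lo:hi] ^= key
OPCODE = {"KEY": 1, "KXOR": 2, "NOP": 3, "JUNK": 4, "XORRANGE": 5}
NARGS = {"KEY": 1, "KXOR": 1, "NOP": 0, "JUNK": 1, "XORRANGE": 2}
MNEMONIC = {code: op for op, code in OPCODE.items()}

def assemble(program):
    out = bytearray()
    for op, args in program:
        out.append(OPCODE[op])
        for a in args:
            out += a.to_bytes(2, "big")
    return bytes(out) + b"\x00"                      # END: the body starts here

def disassemble(sample):
    """Parse the decryptor back out of a sample; returns (program, body)."""
    program, i = [], 0
    while sample[i] != 0:
        op, i = MNEMONIC[sample[i]], i + 1
        args = tuple(int.from_bytes(sample[i + 2 * j:i + 2 * j + 2], "big")
                     for j in range(NARGS[op]))
        i += 2 * NARGS[op]
        program.append((op, args))
    return program, sample[i + 1:]

def xor(body, key):
    return bytes(b ^ key for b in body)

def base_decryptor(key):
    return [("KEY", (key,)), ("XORRANGE", (0, len(PAYLOAD)))]

def mutate(program, rng):
    """Mutation engine: same behaviour, different bytes on every call."""
    out = []
    for op, args in program:
        if op == "KEY":                              # key rebuilt from two halves
            half = rng.randrange(256)
            out += [("KEY", (half,)), ("KXOR", (half ^ args[0],))]
        elif op == "XORRANGE":                       # split the loop and shuffle the
            lo, hi = args                            # pieces: the full-range instruction
            cut = rng.randrange(lo + 1, hi)          # never appears in the output
            pieces = [("XORRANGE", (lo, cut)), ("XORRANGE", (cut, hi))]
            rng.shuffle(pieces)
            out += pieces
        else:
            out.append((op, args))
        for _ in range(rng.randrange(3)):            # pad with do-nothing instructions
            out.append(rng.choice([("NOP", ()), ("JUNK", (rng.randrange(256),))]))
    return out

def make_plain():
    return assemble([]) + PAYLOAD                    # static, unencrypted

def make_encrypted(rng):
    key = rng.randrange(1, 256)                      # fresh key, unchanging stub
    return assemble(base_decryptor(key)) + xor(PAYLOAD, key)

def make_polymorphic(rng):
    key = rng.randrange(1, 256)
    return assemble(mutate(base_decryptor(key), rng)) + xor(PAYLOAD, key)

# What the scanner knows about the fixed decryptor: the XORRANGE over the whole body.
STUB_SIGNATURE = assemble([("XORRANGE", (0, len(PAYLOAD)))])[:-1]

def static_scan(sample):
    """Signature scanner: looks at the file bytes only."""
    return {"payload": PAYLOAD_SIGNATURE in sample, "decryptor": STUB_SIGNATURE in sample}

def emulate_and_scan(sample, max_steps=32):
    """Generic detector: run the decryptor in a sandbox, then scan the result.
    The step budget stands in for not knowing whether the program ever finishes;
    the share of do-nothing instructions is a heuristic of the kind described."""
    program, body = disassemble(sample)
    key, scratch, body = 0, 0, bytearray(body)
    for step, (op, args) in enumerate(program):
        if step >= max_steps:
            break
        if op == "KEY":
            key = args[0]
        elif op == "KXOR":
            key ^= args[0]
        elif op == "JUNK":
            scratch ^= args[0]
        elif op == "XORRANGE":
            for i in range(args[0], args[1]):
                body[i] ^= key
    junk = sum(op in ("NOP", "JUNK") for op, _ in program)
    return {"payload": PAYLOAD_SIGNATURE in bytes(body),
            "junk_ratio": junk / len(program) if program else 0.0}

def demo(seed=2005):
    """One sample of each kind, run through both scanners."""
    rng = random.Random(seed)                        # fixed seed keeps the run repeatable
    samples = {"plain": make_plain(), "encrypted": make_encrypted(rng),
               "polymorphic": make_polymorphic(rng)}
    return {kind: (static_scan(s), emulate_and_scan(s)) for kind, s in samples.items()}
```

`demo()` reproduces the sequence in the text: the payload signature finds only the plain sample, the decryptor signature finds the encrypted sample but not the polymorphic one, and emulating the decryptor before scanning finds all three. The `max_steps` cap is the practical answer to the halting problem mentioned above, and `junk_ratio` is the sort of rule-of-thumb score a real scanner would weigh alongside the emulation result.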

For a technical discussion of polymorphic viruses, see Computer Viruses by Eugene Kaspersky, available online at http://www.viruslist.com/eng/viruslistbooks.html?id=50.

The evolution of viruses will likely continue as a cycle of innovation on the part of virus writers, leading to innovations by antivirus researchers, then prompting new virus coding techniques.

Why So Many Viruses?
Computer users are constantly reminded to keep their antivirus software up to date to prevent infections; but that raises the question, why are there so many different viruses if they are so complex? Self-modifying, self-replicating programs are difficult to write. Are there that many attackers out there that can write such programs? Unfortunately the answer is yes.

Knowledge about virus-writing techniques spreads just as it does with any topic. The first person to write a mutation engine for a polymorphic virus faced a much higher hurdle than subsequent virus writers did. Mutation engines, such as the Mutation Engine (MtE) and the Trident Polymorphic Engine (TPE), have been packaged as toolkits that let any virus writer add polymorphic functionality. Thus, even unsophisticated virus writers can create viruses that signature scanning alone cannot detect.

For beginners, there are virus kits for generating viruses with a range of characteristics. These kits give users options to customize the generated virus, such as level of damage and triggering conditions. Fortunately, the generated code from early virus kits contains common code that is detectable by signature-scanning antivirus software.

For more information about virus construction kits, see Howard Fuhs’ “Virus Construction Kits” at http://www.fuhs.de/en/pub/virconkits.shtml.

The severity of the virus problem becomes clear when we imagine a beginner hacker, or script kiddie, using a menu-driven toolkit to generate a destructive virus. To minimize the chance of detection, the hacker uses the MtE mutation engine to add polymorphic capabilities. Combine the newly mutating virus with a macro virus found on an attacker bulletin board that sends a copy of itself to all addresses in a victim’s Outlook address book, and you have a difficult to detect, fast-spreading virus.

Spam
Spam has grown rapidly to become a major disruption to services, clogging email systems, choking network bandwidth, using valuable storage space, and increasing Help desk costs. The FTC estimated the cost of spam to United States business in 2003 at $8.9 billion (June 2003). Analyst IDC estimates that as much as 70 percent of email in the United States is spam and that the cost to protect a firm of 14,000 employees against spam can be as high as $245,000, a figure that is still growing.

Spammers constantly devise new tricks to thwart existing filters, and organizations are challenged with reducing the volume of spam while ensuring that valid business email still gets through. Government legislation has been one avenue pursued to end the onslaught of spam, but how effective it will be is questionable. The Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 (CAN-SPAM), an anti-spam law that took effect on January 1, 2004, does not appear to have substantially reduced the amount of spam.

The State of Malware and the Implication for Security Management


This brief overview of electronic information security threats (it has excluded physical threats, such as fire and flood) highlights three disturbing trends: Anyone responsible for security management will also note another implication of these trends. Imagine a disgruntled programmer whose job has been moved offshore and who has access to a GUI-based virus toolkit, the MtE mutation engine, and the corporate network. A similar scenario applies to a network manager with a DDoS toolkit.

Thus, it is prudent to assume that attacks will increase with time and the sophistication of the attacks will continue to grow. The appropriate response is to view security as an ongoing process, not a static state.

Unless otherwise noted, all paper copyrights are owned by the author. The rest copyright 2003-2005 TechTarget