
Common Threats and Vulnerabilities

A threat is simply any event that, if realized, can cause damage to a system and create a loss of confidentiality, availability, or integrity. Threats can be malicious, such as the intentional modification of sensitive information, or they can be accidental — such as an error in a transaction calculation or the accidental deletion of a file.

A vulnerability is a weakness in a system that can be exploited by a threat.

Reducing the vulnerable aspects of a system can reduce the risk and impact of threats on the system. For example, a password-generation tool, which helps users choose robust passwords, reduces the chance that users will select poor passwords (the vulnerability) and makes the password more difficult to crack (the threat of external attack).

Common threats to both cloud and traditional infrastructure include the following:

Eavesdropping — Data scavenging, traffic or trend analysis, social engineering, economic or political espionage, sniffing, dumpster diving, keystroke monitoring, and shoulder surfing are all types of eavesdropping to gain information or to create a foundation for a later attack. Eavesdropping is a primary cause of the failure of confidentiality.

Fraud — Examples of fraud include collusion, falsified transactions, data manipulation, and other altering of data integrity for gain.

Theft — Examples of theft include the theft of information or trade secrets for profit or unauthorized disclosure, and physical theft of hardware or software.

Sabotage — Sabotage includes denial-of-service (DoS) attacks, production delays, and data integrity sabotage.

External attack — Examples of external attacks include malicious cracking, scanning, and probing to gain infrastructure information, demon dialing to locate an unsecured modem line, and the insertion of a malicious code or virus.

PRIVATE CLOUDS VS. PUBLIC CLOUDS

Cloud computing infrastructure security is greatly affected by whether the cloud employed is a private cloud or a public cloud. Private cloud infrastructure security almost exactly duplicates traditional IT security architecture, such that they are nearly indistinguishable from one another. The security tools and processes in place for the traditional infrastructure will apply pretty well for the private cloud, and are similar to a private extranet implementation.

The public cloud infrastructure, however, requires that an organization rethink security architecture and processes and address how its network fits with the CSP’s network. In either case, a secure cloud implementation must reduce risk to confidentiality, integrity, and availability, as well as protect data storage and ensure proper access control (authentication, authorization, and auditing).

Many network attacks and abuses share a commonality with traditional infrastructure and cloud infrastructure. Attacks against computers, networks, and cryptographic systems have a variety of motivations. Some attacks are aimed at disrupting service, others focus on illegally acquiring sensitive information, and others attempt to deceive or defraud. In general, such attacks target the CIA components of information security.

This section explores the most common types of attacks. Although these attacks are constantly evolving, most networked systems attacks can be grouped into several general areas.

Logon Abuse

Logon abuse can refer to legitimate users accessing services of a higher security level that would normally be restricted to them. Unlike network intrusion, this type of abuse focuses primarily on those users who might be legitimate users of a different system or users who have a lower security classification.

Masquerading is the term used when one user pretends to be another user, such as an attacker socially engineering passwords from an Internet Service Provider (ISP).

Inappropriate System Use

This style of network abuse refers to the nonbusiness or personal use of a network by otherwise authorized users, such as Internet surfing to inappropriate content sites (travel, pornography, sports, and so forth). As per the International Information Systems Security Certification Consortium (ISC) Code of Ethics and the Internet Advisory Board (IAB) recommendations, the use of networked services for other than business purposes can be considered abuse of the system.

While most employers do not enforce extremely strict Web surfing rules, occasional harassment litigation may result from employees accessing pornography sites and employees operating private Web businesses using the company’s infrastructure.

Eavesdropping

This type of network attack consists of the unauthorized interception of network traffic. Certain network transmission methods, such as satellite, wireless, mobile, PDA, and so on, are vulnerable to eavesdropping attacks. Tapping refers to the physical interception of a transmission medium (like the splicing of a cable or the creation of an induction loop to pick up electromagnetic emanations from copper). Eavesdropping can take one of two forms:

Passive eavesdropping — Covertly monitoring or listening to transmissions that are unauthorized by either the sender or receiver

Active eavesdropping — Tampering with a transmission to create a covert signaling channel, or actively probing the network for infrastructure information

Eavesdropping and probing are often the preliminary steps to session hijacking and other network intrusions. Covert channel eavesdropping refers to using a hidden, unauthorized network connection to communicate unauthorized information. A covert channel is a connection intentionally created to transmit unauthorized information from inside a trusted network to a partner at an outside, untrusted node.

War walking (or war driving) refers to scanning for 802.11-based wireless network information by either driving or walking with a laptop, a wireless adapter in promiscuous mode, some type of scanning software such as NetStumbler or AiroPeek, and a Global Positioning System (GPS).

Network Intrusion

This type of attack refers to the use of unauthorized access to break into a network primarily from an external source. Unlike a logon abuse attack, the intruders are not considered to be known to the company. Most common hacks belong to this category. Also known as a penetration attack, it exploits known security vulnerabilities in the security perimeter.

Back doors are very hard to trace, as an intruder will often create several avenues into a network to be exploited later. The only real way to ensure that these avenues are closed after an attack is to restore the operating system from the original media, apply the patches, and restore all data and applications.

Piggy-backing, in the network domain, refers to an attacker gaining unauthorized access to a system by using a legitimate user’s connection. A user leaves a session open or incorrectly logs off, enabling an unauthorized user to resume the session.

Denial-of-Service (DoS) Attacks

The DoS attack might use some of the following techniques to overwhelm a target’s resources:

Filling up a target’s hard drive storage space by using huge e-mail attachments or file transfers

Sending a message that resets a target host’s subnet mask, causing a disruption of the target’s subnet routing

Using up all of a target’s resources to accept network connections, resulting in additional network connections being denied

Session Hijacking Attacks

Unauthorized access to a system can be achieved by session hijacking. In this type of attack, an attacker hijacks a session between a trusted client and network server. The attacking computer substitutes its IP address for that of the trusted client and the server continues the dialog, believing it is communicating with the trusted client.

Hijacking attacks include IP spoofing attacks, TCP sequence number attacks, and DNS poisoning.

Fragmentation Attacks

IP fragmentation attacks use varied IP datagram fragmentation to disguise their TCP packets from a target’s IP filtering devices. The following are two examples of these types of attacks:

A tiny fragment attack occurs when the intruder sends a very small fragment that forces some of the TCP header field into a second fragment.

If the target’s filtering device does not enforce minimum fragment size, this illegal packet can then be passed on through the target’s network.

An overlapping fragment attack is another variation on a datagram’s zero-offset modification. Subsequent packets overwrite the initial packet’s destination address information, and then the second packet is passed by the target’s filtering device. This can happen if the target’s filtering device does not enforce a minimum fragment offset for fragments with non-zero offsets.
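The two filtering rules the text describes (a minimum size for the first fragment and a minimum offset for later fragments) can be written as a small packet-filter check. This is an added example, not code from the book; the `Fragment` record, the `MIN_FIRST_FRAGMENT_UNITS` constant and the sample fragments are assumptions constructed for the illustration, chosen in the spirit of the RFC 1858 filtering rules.

```python
"""Fragment-filter check modelling the two rules in the text (added example)."""
from dataclasses import dataclass

# IPv4 fragment offsets are counted in 8-byte units. A first fragment must
# carry at least the TCP ports, sequence/ack numbers and flags (the first
# 16 bytes of the TCP header), i.e. 2 units. Assumed value for this example.
MIN_FIRST_FRAGMENT_UNITS = 2


@dataclass(frozen=True)
class Fragment:
    ident: int    # IP identification field shared by all fragments of a datagram
    offset: int   # fragment offset in 8-byte units
    length: int   # bytes of transport data carried in this fragment
    more: bool    # more-fragments (MF) flag


def check_fragment(frag: Fragment) -> str:
    """Return 'pass', or a 'drop: ...' reason, for a single TCP fragment."""
    if frag.offset == 0:
        # Tiny fragment attack: a first fragment so short that part of the
        # TCP header (ports, flags) is pushed into a later fragment.
        if frag.more and frag.length < MIN_FIRST_FRAGMENT_UNITS * 8:
            return "drop: tiny first fragment (TCP header split)"
        return "pass"
    # Overlapping fragment attack: a non-first fragment whose offset lands
    # inside the TCP header region could overwrite the first fragment's
    # header fields on reassembly, so enforce a minimum non-zero offset.
    if frag.offset < MIN_FIRST_FRAGMENT_UNITS:
        return "drop: overlapping fragment (offset inside TCP header)"
    return "pass"


def filter_fragments(frags):
    """Apply check_fragment to a list and return (ident, offset, verdict) tuples."""
    return [(f.ident, f.offset, check_fragment(f)) for f in frags]


# Constructed sample traffic: one normal fragmented datagram (ident 1) and two
# malformed datagrams (ident 2: tiny first fragment; ident 3: overlap at offset 1).
SAMPLE_FRAGMENTS = [
    Fragment(ident=1, offset=0, length=1480, more=True),
    Fragment(ident=1, offset=185, length=20, more=False),
    Fragment(ident=2, offset=0, length=8, more=True),
    Fragment(ident=2, offset=1, length=40, more=False),
    Fragment(ident=3, offset=0, length=1480, more=True),
    Fragment(ident=3, offset=1, length=40, more=False),
]

if __name__ == "__main__":
    for ident, offset, verdict in filter_fragments(SAMPLE_FRAGMENTS):
        print(f"id={ident} offset={offset}: {verdict}")
```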

DIALING ATTACKS

War dialing is a method used to hack into computers by using a software program to automatically call a large pool of telephone numbers to search for those that have a modem attached.