

Chapter 2. Literature Review

2.4 Network Warfare

2.4.2 Network Warfare Defence


virus software and firewalls that may be in place. Once the system is infected, the malicious content, or payload, is activated.

Figure 2.14 shows a network warfare attack process. Information is required about the interfaces through which the target network can be reached, and about the target network itself, particularly the vulnerabilities that could be exploited (Jones, Kovacich, & Luzwick, 2002). In this figure GII denotes the global information infrastructure and NII denotes the national information infrastructure. Once the system has been penetrated, the attacker may accomplish the objectives of the attack and possibly identify additional networks to target; the attack then proceeds to these new targets. Usually backdoors are left so that the systems and networks can be penetrated again later as required (ibid.). A distributed denial-of-service attack may not require the level of planning indicated in this process: the target need only be flooded with illegitimate traffic to degrade its performance, so preliminary scanning to determine the target's IP range may be all the reconnaissance needed.

Due to the prevalence of wireless technologies, a number of attacks have arisen from weaknesses in their implementation. These include jamming, wardriving and related attacks against WLANs, and bluejacking, sniffing and DoS attacks against Bluetooth networks. These attacks are described in more detail in Section 2.8.2.


Figure 2.14: Network Warfare Attack Process, adapted from (Jones, Kovacich, & Luzwick, 2002)

The various security measures, also called controls or countermeasures, have strengths and limitations. Firewalls act as a gateway between private (trusted) and public (untrusted) networks by filtering packets according to a set of rules; certain protocols can be blocked, and only the necessary protocols and their relevant ports are left open (Whitman & Mattord, 2010). The limitation of a packet-filtering firewall is that it does not examine what the packets contain; packets that appear legitimate to the firewall may therefore still carry malicious code, or leak sensitive information, over a port the rules must allow (Pfleeger & Pfleeger, 2003). Firewalls also do not protect against DoS attacks (Whitman & Mattord, 2010). Sinkholes and black hole filtering can be used to defend against DoS attacks.


Sinkholes redirect and trap malicious traffic from a DoS attack in order to protect the target and allow defenders to monitor and analyse the traffic (Glenn, 2003; Jeong, 2007). Black hole filtering instead routes traffic destined for the attacked address to a null destination where it is discarded; this technique is appropriate when the unavailability of a website is less harmful than the attack traffic congesting the organisational network. It is implemented by reconfiguring the perimeter routers at the organisational level, or the upstream routers at the service provider level (Glenn, 2003).

Intrusion detection systems (IDS) monitor the network or system and report on potentially malicious activity. A signature-based IDS compares activity against known attack patterns, whereas a behaviour-based IDS builds a model of acceptable or normal behaviour and reports on activity that does not correspond to the model (Pfleeger & Pfleeger, 2003). A protocol-anomaly IDS is a type of behaviour-based IDS that tests for deviations from the expected behaviour of network or data-transfer protocols (Das, 2002).

Host-based IDSs (which run on an individual system) can also check the system log files and file integrity (Gollmann, 2011). An improperly configured IDS may produce a flood of false alarms, or fail to detect attacks (Whitman & Mattord, 2010); behaviour-based IDSs are particularly susceptible to false alarms. Gollmann (2011) also notes that an attacker may deliberately trigger alarms on a network IDS so that the network administrator's email account is flooded with warnings.

Finding the right balance of IDS sensitivity may be difficult (Pfleeger & Pfleeger, 2003). An advanced IDS may have built-in protection mechanisms that reconfigure network devices to block the attack, or drop the offending network connection; the IDS can therefore provide some protection against a DoS attack (Whitman & Mattord, 2010). A firewall and an IDS complement each other well: the firewall blocks specified traffic and ports, and the IDS monitors the traffic that is allowed through (Pfleeger & Pfleeger, 2003). Anti-virus software is a form of IDS; it scans files and processes for malicious code and removes any infection that is discovered (Denning, 1999). Anti-virus software and signature-based IDSs are limited to detecting the malicious code and attacks encoded in their signature databases (ibid.), which makes it imperative that the signature databases are updated regularly. Some sophisticated attacks use multiple methods, so multiple signatures are required to counter them (Das, 2002). Rootkits, with their ability to mask intrusions and infections, may also subvert the scans performed by anti-virus tools, although most modern anti-virus tools have some anti-rootkit capability.
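The following example is added to this review to make the preceding points about firewalls and intrusion detection concrete; it is not code from the thesis or from any of the cited works. It runs a stateless packet filter, a signature-based detector and a behaviour-based detector over the same constructed traffic, so that one can see the firewall pass an attack on an allowed port, the signature detector catch the known form of that attack but miss an encoded variant, and the behaviour-based detector's sensitivity factor trade false alarms against misses. All addresses, rules, signatures and payloads are constructed for the illustration.

```python
"""Added illustration for the firewall and IDS discussion above (not the
thesis's own material). A stateless packet filter, a signature-based detector
and a behaviour-based detector are run over the same constructed traffic to
show where each one sees and misses an attack. All addresses, rules,
signatures and payloads are constructed for this example."""
from collections import Counter
from dataclasses import dataclass


@dataclass
class Packet:
    src: str
    dst_port: int
    proto: str
    payload: bytes = b""


# --- Firewall: stateless filtering on header fields, first match wins ---------
FIREWALL_RULES = [
    {"proto": "tcp", "dst_port": 80, "action": "allow"},
    {"proto": "tcp", "dst_port": 443, "action": "allow"},
    {"proto": "any", "dst_port": None, "action": "deny"},   # default deny
]


def firewall_decision(pkt):
    """Return 'allow' or 'deny' from header fields only; the payload is never read."""
    for rule in FIREWALL_RULES:
        if rule["proto"] not in ("any", pkt.proto):
            continue
        if rule["dst_port"] is not None and rule["dst_port"] != pkt.dst_port:
            continue
        return rule["action"]
    return "deny"


# --- Signature-based IDS: exact byte patterns of known attacks ---------------
SIGNATURES = {
    "path-traversal": b"../../etc/passwd",
    "sqli-tautology": b"' OR '1'='1",
}


def signature_alerts(pkt):
    """Names of signatures found in the payload (exact substring match)."""
    return [name for name, pattern in SIGNATURES.items() if pattern in pkt.payload]


# --- Behaviour-based IDS: per-source volume against a learned baseline --------
def behaviour_alerts(packets, baseline_per_src, sensitivity):
    """Sources whose packet count exceeds baseline * sensitivity.

    A lower sensitivity factor raises more alerts (including false alarms on
    legitimately busy hosts); a higher factor suppresses them but can miss
    smaller floods. This is the tuning trade-off the text describes."""
    counts = Counter(p.src for p in packets)
    return {src for src, n in counts.items() if n > baseline_per_src * sensitivity}


def build_traffic():
    """Constructed sample traffic (not captured data)."""
    pkts = []
    for host in ("10.0.0.1", "10.0.0.2", "10.0.0.3"):
        pkts += [Packet(host, 80, "tcp", b"GET /index.html") for _ in range(5)]
    # A legitimately busy client, heavier than baseline but not an attack.
    pkts += [Packet("10.0.0.4", 80, "tcp", b"GET /api/items") for _ in range(12)]
    attacker = "203.0.113.9"
    # Flood on an allowed port: indistinguishable from normal use to the firewall.
    pkts += [Packet(attacker, 80, "tcp", b"GET /") for _ in range(60)]
    # Known attack payload on the allowed port: firewall passes it, signature fires.
    pkts.append(Packet(attacker, 80, "tcp", b"GET /../../etc/passwd"))
    # Same attack URL-encoded: firewall passes it and the exact signature misses.
    pkts.append(Packet(attacker, 80, "tcp", b"GET /..%2f..%2fetc/passwd"))
    # Telnet attempt: stopped by the firewall before any IDS sees it.
    pkts.append(Packet(attacker, 23, "tcp", b"root"))
    return pkts


def analyse(packets, baseline_per_src=5.0, sensitivity=2.0):
    """Firewall first, then both detectors over what the firewall let through."""
    allowed = [p for p in packets if firewall_decision(p) == "allow"]
    signature_hits = []
    for p in allowed:
        names = signature_alerts(p)
        if names:
            signature_hits.append((p.src, p.dst_port, names))
    return {
        "allowed": len(allowed),
        "denied": len(packets) - len(allowed),
        "signature_hits": signature_hits,
        "behaviour_sources": behaviour_alerts(allowed, baseline_per_src, sensitivity),
    }


if __name__ == "__main__":
    for sens in (2.0, 3.0):
        r = analyse(build_traffic(), sensitivity=sens)
        print(f"sensitivity {sens}: allowed={r['allowed']} denied={r['denied']}")
        print("  signature hits:", r["signature_hits"])
        print("  behaviour alerts:", sorted(r["behaviour_sources"]))
```

With a sensitivity factor of 2.0 the busy client 10.0.0.4 is reported alongside the attacker (a false alarm); at 3.0 only the attacker remains. The URL-encoded traversal passes both the firewall and the exact-match signature, which is why real detectors normalise payloads before matching and why, as the text notes, several signatures are often needed for one attack.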

Encryption scrambles the original plaintext into unreadable ciphertext through the use of a key and an algorithm; the aim of encryption is to protect confidentiality (Whitman & Mattord, 2010). Public-key cryptography and digital signatures provide mechanisms for authenticity, non-repudiation and integrity checks (ibid.). However, an integrity check can only indicate that what was sent arrived at the destination without alteration; it cannot determine whether the information was accurate in the first place. Encryption schemes also assume that the end-points are secure: if a system or end-user is compromised, the source will still be authenticated as legitimate even though the communication as a whole is not. Public-key cryptography is susceptible to man-in-the-middle attacks when the public values exchanged are not themselves authenticated (ibid.), as discussed in Section 2.4.1. It is also possible to use virtual private networks (VPNs), which are essentially encrypted tunnels between two trusted networks, allowing users to access a trusted private network over a public or untrusted network (Gollmann, 2011; Pfleeger & Pfleeger, 2003). Vulnerabilities in the implementation of VPN devices may circumvent the secure communication channels they are intended to provide; in one instance, general web browser security was undermined (US-CERT, 2009).
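To illustrate the man-in-the-middle susceptibility noted above, the following added example (not from the thesis or the cited works) simulates an unauthenticated Diffie-Hellman key agreement, shows how an attacker who substitutes her own public value ends up sharing a key with each party while the parties believe they share one with each other, and then shows that authenticating the exchanged public values defeats the attack. The group parameters are deliberately tiny for readability and are an assumption of this example, not a recommendation; the HMAC under a pre-shared long-term key stands in for the digital signature or certificate that a real protocol would use over the public values.

```python
"""Added illustration (not the thesis's own material): an unauthenticated
Diffie-Hellman key agreement, the man-in-the-middle attack against it, and the
authenticity check on the exchanged public values that defeats the attack.
Parameters are toy-sized for readability; they are an assumption of this
example, not a recommendation (real deployments use 2048-bit+ groups or
elliptic curves and sign the public values with long-term keys)."""
import hashlib
import hmac
import secrets

P = 2 ** 127 - 1   # M127, a Mersenne prime: readable, and fits in 16 bytes
G = 5


def keypair():
    """Private exponent x and public value g^x mod p."""
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)


def shared_key(peer_public, my_private):
    """Derive a 256-bit key from the Diffie-Hellman shared secret."""
    secret = pow(peer_public, my_private, P)
    return hashlib.sha256(secret.to_bytes(16, "big")).digest()


def honest_exchange():
    """Alice and Bob each receive the other's genuine public value."""
    a, A = keypair()
    b, B = keypair()
    return shared_key(B, a), shared_key(A, b)


def mitm_exchange():
    """Mallory sits on the wire and substitutes her own public value both ways.

    Neither party can tell: each computes a perfectly valid key, but it is a key
    shared with Mallory, who can decrypt, read and re-encrypt every message."""
    a, A = keypair()
    b, B = keypair()
    m, M = keypair()
    return {
        "alice": shared_key(M, a),        # Alice believes she shares this with Bob
        "bob": shared_key(M, b),          # Bob believes he shares this with Alice
        "mal_alice": shared_key(A, m),    # Mallory's key toward Alice
        "mal_bob": shared_key(B, m),      # Mallory's key toward Bob
    }


# Stand-in for a digital signature over the public value: an HMAC under a
# long-term key the two parties already share (assumption for this example;
# a real protocol uses a certificate or a pinned host key instead).
AUTH_KEY = b"long-term authentication key (example only)"


def tag(public_value):
    return hmac.new(AUTH_KEY, public_value.to_bytes(16, "big"), hashlib.sha256).digest()


def authenticated_exchange(attack):
    """Return True if both sides accept and derive the same key, None if either
    side rejects the received public value because its tag does not verify."""
    a, A = keypair()
    b, B = keypair()
    tag_A, tag_B = tag(A), tag(B)       # computed by Alice and Bob on their own values
    sent_A, sent_B = A, B
    if attack:
        _, M = keypair()
        sent_A, sent_B = M, M            # Mallory swaps the values but cannot forge tags
    bob_accepts = hmac.compare_digest(tag(sent_A), tag_A)
    alice_accepts = hmac.compare_digest(tag(sent_B), tag_B)
    if not (bob_accepts and alice_accepts):
        return None                      # abort: received value fails authentication
    return shared_key(sent_B, a) == shared_key(sent_A, b)


if __name__ == "__main__":
    k1, k2 = honest_exchange()
    print("honest exchange, keys agree:", k1 == k2)
    r = mitm_exchange()
    print("under MITM, Alice's key equals Mallory's:", r["alice"] == r["mal_alice"])
    print("under MITM, Alice's and Bob's keys agree:", r["alice"] == r["bob"])
    print("authenticated, no attack:", authenticated_exchange(attack=False))
    print("authenticated, under attack:", authenticated_exchange(attack=True))
```

The decisive step is that Mallory can choose any public value she likes but cannot produce a valid tag for it, so the substitution is detected before any key is used; this is exactly the role that certificates play in TLS and host keys play in SSH.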

A concept applicable to both information security and network warfare defence is defence-in-depth: a range of countermeasures is implemented to provide protection in the physical, information and cognitive domains (Jones, Kovacich, & Luzwick, 2002). These measures typically attempt to prevent intrusion, detect any intrusion that has occurred, minimise the impact of the intrusion, recover from any damage or loss (Jones, Kovacich, & Luzwick, 2002; Peltier, Peltier, & Blackley, 2005), and possibly respond to the attack (Hutchinson & Warren, 2001; Jones, Kovacich, & Luzwick, 2002). Defence-in-depth usually consists of layers of controls, such as those discussed above, that protect different aspects of the networks (Pfleeger & Pfleeger, 2003); for example, firewalls provide gateway protection, anti-virus software protects against malicious code, and encryption protects confidentiality. Figure 2.15 illustrates this concept; in the figure ConOps denotes concept of operations and BDA denotes battle damage assessment.

A defensive concept in the networked world is the air-gap or air wall, which physically and electronically separates critical systems from those that are connected to the Internet (Festa, 1998); given the use of wireless technology, the networks should also be separated electromagnetically, using electromagnetic shielding. Air-gaps are primarily used to separate sensitive networks (such as high-security military networks) and industrial control networks from the normal network that is connected to the Internet (Festa, 1998). The intent is to prevent an attacker from gaining electronic access to the critical systems. However, the Stuxnet worm of 2010 crossed air-gaps, spreading via removable media (Fisher & Roberts, 2011), which illustrates that this method is not infallible.

2.4.3 Computer Network Support

Some of the defensive countermeasures taken may also fall under computer network support. This term was used by Smith and Knight (2005) and denotes the normal maintenance of network and computer components and applications. Applying security patches, ensuring anti-virus applications are updated, conducting vulnerability and risk assessments, and establishing baselines for normal network and system performance and behaviour may all fall into this category (Smith & Knight, 2005).