- By Darril Gibson
- Objective 1.1: Control access by applying the following concepts/methodologies/techniques
- Objective 1.2: Understand access control attacks
- Objective 1.3: Assess effectiveness of access controls
- Objective 1.4: Identity and access provisioning lifecycle (e.g., provisioning, review, revocation)
Objective 1.2: Understand access control attacks
Risk is identified by calculating the probability that a threat will exploit a vulnerability. Often, the threats come in the form of attackers attempting to exploit vulnerabilities in an organization’s people, processes, or technology. Risk management includes identifying threats by using threat modeling, identifying valuable assets to protect, and analyzing vulnerabilities. Risks can then be mitigated with controls that reduce the impact of threats or reduce vulnerabilities.
Exam need to know…
For example: What are some methods of social engineering? What’s the difference between a denial of service (DoS) and a distributed denial of service (DDoS) attack?
For example: When should the value of assets be identified? What assets should be evaluated within an organization as part of a risk management process?
For example: How often should vulnerability assessments be done? What can a vulnerability scan detect?
For example: What types of attacks are launched by Advanced Persistent Threats (APTs)? Who can be a target of an APT?
Threat modeling is the process of identifying potential and realistic threats to an organization’s assets. You should be aware of common methods of access control attacks, including the following:
- Social engineering Attackers can often gain access simply by asking. This includes in-person, over the phone, and via email such as with phishing, spear-phishing, and whaling. It can also include tailgating and shoulder surfing.
- Dumpster diving If papers are thrown in the trash, they can easily be retrieved to gain information.
- Malware Viruses, worms, Trojan horses, and logic bombs are common methods that attackers use to gain control of a system or launch access control attacks.
- Mobile code Attackers have hijacked legitimate websites and installed malicious ActiveX and Java scripts. This represents a threat to the organization hosting the website. Additionally, visitors can be attacked by a drive-by download.
- Denial of Service (DoS) These come from a single attacker and attempt to disrupt normal operation or service of a system. A classic DoS attack is the SYN flood attack. DoS attacks are commonly launched against Internet-facing servers (any server that can be reached by another public IP address).
- Distributed DoS (DDoS) These come from multiple attackers, such as zombies in a botnet.
- Buffer overflow When input validation isn’t used, unexpected code can cause an unhandled error and allow an attacker to install malicious code on a system.
- Password crackers Applications are widely available that can crack a password through comparative analysis. If the attacker can gain access to a database with passwords, the attacker can crack the passwords offline.
- Spoofing Attackers attempt to impersonate others in many different ways. They can spoof IP addresses, MAC addresses, and email addresses. Similarly, masquerading is when a social engineer impersonates someone such as a repairman.
- Sniffers Protocol analyzers placed on a network can capture traffic for later analysis. If passwords or valuable data are sent unencrypted, they can easily be read. Sniffers are often used in man-in-the-middle and replay attacks.
- DNS-related attacks Users can be tricked into providing their credentials on a bogus website after a DNS poisoning attack redirects traffic. DNS poisoning is used in pharming attacks.
True or false? Executives can be targeted through a whaling attack.
Answer: True. Whaling is a form of phishing that targets executives such as CEOs, presidents, and vice presidents.
True or false? A SYN flood attack uses spoofed IP addresses and causes a buffer overflow.
Answer: False. A SYN flood attack commonly uses spoofed IP addresses, but it doesn’t cause a buffer overflow. Instead, it disrupts the three-way TCP handshake process by holding back the third packet.
One of the first steps in risk management is identifying the value of assets within the organization. This includes hardware assets, software assets, data and information assets, system assets, and personnel assets.
Key steps within the risk management process depend on knowing the value of the assets. For example, a cost-benefit analysis helps determine the return on investment (ROI) of a control. The ROI is high if you purchase an effective control for US$1,000 to protect a web farm generating 1 million dollars a day. It is ridiculously low if you pay US$1,000 to protect a US$15 keyboard. These examples represent two extremes where the answer is obvious, but the answers aren’t always so clear, especially if the value of assets is not known.
True or false? Asset valuation is done only on hardware assets.
Answer: False. Asset valuation should be done on all assets, including hardware, software, data or information, and personnel. Many systems, such as a web farm, include hardware, software, and data and represent a combined value much greater than that of their individual components.
A vulnerability analysis helps determine how vulnerable a system is to one or more threats. This is often referred to as two separate processes: vulnerability scans and vulnerability assessments.
Vulnerability scans are performed with automated tools such as Nmap to determine what vulnerabilities exist at any given time. Vulnerability scanners can detect a wide assortment of vulnerabilities, including open ports, unpatched or misconfigured systems, and weak passwords.
A vulnerability assessment is an overall examination of the organization beyond just a technical scan. It will often attempt to match threats with vulnerabilities and use available data to determine the likelihood or probability that a threat will attempt to exploit a vulnerability. Data reviewed in an assessment includes security policies, historical data on past incidents, audit trails, and the results of various tests, including vulnerability scans.
Threats and the environment regularly change, so these reviews and scans must be repeated. Based on their security policies and available resources, organizations must decide how often to repeat the vulnerability scans and assessments. For example, a large organization might perform vulnerability scans weekly and vulnerability assessments annually, but a smaller organization might do scans only monthly.
True or false? Risk management is an ongoing process, and a vulnerability analysis is a point-in-time assessment.
Answer: True. Risk management is a continuous process that needs regular attention. A vulnerability analysis identifies vulnerabilities at a given time, but changes in threats or the environment negate the findings.
Access aggregation refers to the combination of methods used to gain progressively more and more access. As a basic example, malware often attempts to progressively increase its privileges until it has full administrative access. On a larger scale, attackers often use a combination of methods to gain more and more access to an organization.
For example, an attacker might decide to target an organization and start with a dozen or so social engineering phone calls. Each call gets one more piece of information, and eventually the attacker has the names and email addresses of several executives. He might then use whaling to send one or more malware-infected phishing emails to these executives. If one of the executives takes the bait, the malware begins collecting information and sending it to the attacker.
This is challenging enough if you are considering only one attacker. Advanced Persistent Threats (APTs) are composed of full teams of attackers. They often have unlimited funding from a nation-state sponsor, but they could just as easily be funded by any group that has the money and a target.
True or false? An APT is a group of attackers, often sponsored by a government, that attacks only military or government targets.
Answer: False. An APT is often sponsored by a government, but it can target any organization. Attacks against organizations such as Google and Lockheed Martin are believed to have come from APTs.
Can you answer these questions?
You can find the answers to these questions at the end of the chapter.
- An attacker is able to enter data into a webpage and install malware on the system. What should have been done to prevent this?
- What assets should be evaluated when identifying asset values?
- What is the primary purpose of vulnerability scans?
- Who can be a target of an APT?