May 13th, 2002, 01:48 AM
Understanding Security Threats: You Are a Target!
Just as armies have developed standard ways of discussing and thinking about war, IT professionals should develop common ways of thinking about information threats.
As a network security consultant, one thing I hear time and time again is, "Our company is too small, no one would want to hack us," or, "We don't have anything that those people would want to steal." In this case, unfortunately, perception is not reality.
We live in a massively connected world. No matter who you are and no matter where you live, you are a target.
If that thought scares you, it should. The idea that someone from the other side of the planet can "touch" your network or computer is a creepy thought. In fact, the entire Earth is now a war zone -- an information war zone.
In order to protect ourselves, we need to begin thinking of ourselves as innocent people living under the constant threat of attack.
In continuing with the military analogy, we first need some common terminology. Just as armies have developed standard ways of discussing and thinking about war, so IT professionals should develop common ways of thinking about information threats.
For our purposes, I have broken down the attacks and exploits into five styles or types of attacks:
Jump Point Attack
By looking at these five attacks in detail, we can begin to place our network into a particular environment, thus beginning the process of determining and managing risk.
The strategic attack assumes the attacker has identified the victim as a defined target. Let's imagine that our hypothetical hacker buys a book on the Net at ReallyBigButUnprofitableOnLineBookstore.com.
If something goes wrong, such as the credit card being double-billed, a hacker might become angry and target the company for revenge. The strategic attack, therefore, is any attack that is deliberately targeted at a specific entity.
Collateral attacks are those that are directed at entities other than ourselves that spill over into our world and cause us to suffer. There are innumerable ways for this to happen.
We might be a victim of a self-propagating virus that was sent to a friend or colleague, or we might suffer because of network downtime related to a coworker being attacked.
The tragedy of the nuke attack is that just existing on the Net victimizes huge numbers of systems and individuals.
In the same way that a nuclear weapon detonated thousands of feet above a target can lay waste to a vast swath of territory, the nuke attack emanates from a single point, and the shockwave and fallout are almost limitless. The new, virulent viruses and worms are examples of the nuke attack.
An Easy Target
Random attacks are crimes of opportunity. An attacker can use automated tools to scan large numbers of IP addresses, looking for holes to exploit. He identifies addresses with gaping holes and networks that will be easy to attack.
This is very impersonal. The hacker sees a number with no identity attached. Is it you? You did nothing to provoke his upcoming attack. The lack of security was enough to entice the hacker to explore your network.
Where It All Started
Jump Point Attack:
The jump point attack may be the most crafty and insidious of all. In this attack, your computer or network is nothing more than a jumping-off point for a larger, more surgical attack.
Distributed Denial of Service (DDoS) attacks are examples of jump point attacks. In a DDoS attack, the attacker sets his sights on a large target, say, http://www.BloatedOnlineAuctionSiteF...dsOrWants.com. But the twist is that he plans to use your computer and system to do his dirty work.
He must first acquire rights on multiple systems, then put in place programs that will launch the denial-of-service attack. A denial-of-service attack occurs when a hacker sends so much network traffic to a specific IP address that the site becomes confused and shuts down.
The Bottom Line
The advent of the Internet has given us unparalleled connectivity and opportunity. All of this comes with a price. The bottom line is that every interconnected system is at risk.
No matter how small and insignificant you believe your company or network to be, you are still a target. You may not need to worry about company secrets, but there is enough risk out there to significantly raise your PQ, or Paranoia Quotient. Remember, the Internet is a rough neighborhood.
May 13th, 2002, 01:54 AM
You do not know how many times I hear "It's not gonna happen to me" over and over and over. People NEED to understand the risks and threats that they face when they're out surfing the Internet. There are too many that do not and then they get burned. I've heard stories of 70-year-old people coming under a Trojan attack. We all need to use a lot more caution.