CIA is What Hackers Try To Break Through

There are so many different types of exploits and variants that it is sometimes difficult to categorize all of them. Because exploits, in essence, compromise security, it is helpful to look at the core components of network and computer security to see how exploits fit in. The following are the three goals of information security:

 

• Confidentiality. Preventing, detecting, or deterring the improper disclosure of information.
• Integrity. Preventing, detecting, or deterring the improper modification of data.
• Availability. Preventing, detecting, or deterring the unauthorized denial of service to data.

Overview of CIA

 

An easy way to remember these goals is to take the first letter of each word, CIA, which can either mean the Culinary Institute of America or that special government agency located in Washington DC. It is important to point out that when most people think of security, they only think of confidentiality, not integrity and availability. I conducted a survey that consisted of 200 users ranging from highly technical to low technical expertise and asked them to give me their definition of security. 95 percent of the respondents indicated confidentiality in their definition, only three percent indicated integrity, and only five percent indicated availability. To better understand exploits, let’s briefly look at each of these areas of security.

 

What is Confidentiality?

How do you control access to sensitive information and only allow authorized people to have access to it? When most people think of security, they think of confidentiality or controlling access to sensitive information.

 

The obvious attacks against confidentiality are things like a competitor or credit card thief breaking into your databases and making away with your company’s vital secrets, but sometimes threats against confidentiality are not so obvious or sophisticated. Employee errors like not properly disposing of papers that ought to be shredded or network administrators who accidentally bring a crashed system back up with wide open permissions can create huge openings in your system.

 

Some ways to close up the biggest holes that make your company vulnerable to attacks against confidentiality are to examine your permissions setup carefully and to educate your employees on good security principles. Making sure that only the people who actually need access have access, and that your employees are aware of and controlling possible weaknesses will go a long way toward keeping your company’s confidential information just that, confidential.

 

In several cases, theft results in an attack against confidentiality or a loss of confidentiality. Sometimes, if a perpetrator steals memory or a CPU, this intrusion is more of a disruption of service or an attack against availability. However, the theft of items like hard drives or documents, which is more likely to occur, results in an attack against confidentiality. This is true because unauthorized users now have access to a company’s data.

 

Unfortunately, placing a dollar value on attacks against confidentiality is extremely difficult. If a business development employee is working on three major proposals and his laptop is stolen, there are several ways to look at the total loss:

 

• Cost of the equipment: $3,000
• Cost of project bids lost: $2,000,000
• Cost of additional sales: $10,000,000

 

Because there were no recent backups of the proposals, the company cannot bid, so it loses the revenue that those proposals would have generated. Each proposal was for a million dollar project, and they had a good chance of winning two of them.

 

One of the company’s competitors, which would have gone out of business if it hadn’t won two of the contracts, now has a great chance of winning because the company cannot bid. Had that competitor gone out of business, the company would have been guaranteed 10 million dollars in additional sales.

 

You could probably add several other items to this list, but as you can see, the simple theft of a laptop can result in a multi-million dollar total loss based on the attack against confidentiality. When these types of attacks occur, be careful not to underestimate the damage they do to your company.

 

What is Integrity?

Integrity deals with preventing, detecting, or deterring the improper modification of data. In some instances, there is an overlap between confidentiality and integrity because to change information, you usually need access to it, but not always. For example, suppose a student learns that a certain field in a database contains his grades, but the field is encrypted: he can access the database but cannot read the information in certain fields.

 

However, if the student knows of a classmate who received an A, he could copy that student’s encrypted grade into his grade field and have a high probability that the encrypted field that was copied contains an A. In this case, there is no confidentiality issue because the student cannot read the information, but there is an integrity issue because the student can modify his grade without the proper authorization. There are cases where you would want someone to have access to information but not be able to change it.

 

For example, a company could allow employees to have access to their salary information but not allow them to change it. Attacks against integrity involve an unauthorized person making modifications to information and/or data. Attacks against integrity are difficult to defend against because they are only noticed after they have occurred and the system has been compromised. In other words, if someone can modify your data, the usual way you find out about it is that someone complains or there is a major problem, such as a proposal getting submitted with the wrong values. Therefore, implementing proper checks and balances on your systems that handle sensitive information is very important to guarantee that integrity is maintained. Most companies do not understand that attacks against integrity are a big threat, but hopefully the previous examples will help change their minds.
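The encrypted grade field scenario above, as an added example that is not part of the original article: encryption alone lets a field copied from another row decrypt cleanly, while a MAC that covers the owning student ID makes the copy fail verification. The cipher is a stand-in built from HMAC-SHA256, and all names, keys and sample rows are assumptions constructed for the demonstration.

```python
import hashlib
import hmac
import os

ENC_KEY, MAC_KEY = os.urandom(32), os.urandom(32)  # constructed demo keys

def _xor_stream(nonce, data):
    # Stand-in stream cipher (HMAC-SHA256 in counter mode), demo only.
    ks = b""
    while len(ks) < len(data):
        ks += hmac.new(ENC_KEY, nonce + len(ks).to_bytes(4, "big"), hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, ks))

def encrypt_grade(grade):
    nonce = os.urandom(16)
    return nonce + _xor_stream(nonce, grade.encode())

def decrypt_grade(blob):
    return _xor_stream(blob[:16], blob[16:]).decode()

def _tag(student_id, blob):
    # MAC covers the owning row's ID as well as the ciphertext.
    return hmac.new(MAC_KEY, student_id.encode() + b"\x00" + blob, hashlib.sha256).digest()

def seal(student_id, grade):
    blob = encrypt_grade(grade)
    return blob, _tag(student_id, blob)

def open_sealed(student_id, blob, tag):
    if not hmac.compare_digest(tag, _tag(student_id, blob)):
        raise ValueError("grade field does not belong to this record")
    return decrypt_grade(blob)

def demo():
    # Constructed rows: student ID -> encrypted grade field, no binding.
    rows = {"alice": encrypt_grade("A"), "bob": encrypt_grade("D")}
    rows["bob"] = rows["alice"]            # field copied between rows
    unbound = decrypt_grade(rows["bob"])   # application accepts it
    # Same rows, each field bound to its row by the MAC.
    sealed = {"alice": seal("alice", "A"), "bob": seal("bob", "D")}
    sealed["bob"] = sealed["alice"]        # blob and tag copied together
    try:
        bound = open_sealed("bob", *sealed["bob"])
    except ValueError:
        bound = "rejected"
    return unbound, bound, open_sealed("alice", *sealed["alice"])

if __name__ == "__main__":
    print(demo())
```

In a production system the same binding is normally obtained from an authenticated encryption mode with the record ID passed as associated data.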

 

Availability

With both confidentiality and integrity attacks, an attacker needs to gain some access to a corporate network. An availability attack, however, can be performed against any system that is connected to the Internet. This is why availability attacks are so difficult to defend against. In this day and age, when employees come to rely on networks and email to perform their jobs, having access to these components at all times is a key factor for the success of most companies. In other words, data, information, servers, networks, and so on should be available to authorized users when and where they need them. If an employee needs to dial in remotely to access a copy of a proposal, the employee should not only be able to successfully connect, but be able to access the data they need in a timely manner.

 

Word of Conclusion

Until you know what you are up against, you cannot start to build proper defenses. Many companies think they are secure because they spend a lot of money on security. Unfortunately, a large number of companies spend in the wrong areas. What good is spending money or building defense mechanisms that do not protect your site against the attacks that are occurring? Now that we have a general understanding of the process attackers go through to compromise a system and the type of attacks that exist, we can start to take a more detailed look at some of these specific attacks in our future articles.

© 2013 Updated Tech News Results and Reviews