By Kailin Acheson
If you are the administrator of a network, you have likely been thinking about, and possibly worrying about, potential network attacks. It's much more rewarding (and less stressful) to protect a network than to fix it (unless, as Tim Charlton wrote in one of his recent blogs, you like the pressure). It might be helpful to try to answer the following questions as you consider attacks on the network:
- Who might attack this network?
- What attacks might those attackers launch?
- What is the purpose of those attacks, and what outcome could the attackers be expecting?
- How can I protect the network from these and other attacks?
Who might attack this network?
First, it's helpful to know who might attack the network: if you don't know where the threat is coming from, how can you stop the attackers and prevent the attacks?
Malicious users, or adversaries according to the Information Assurance Technical Framework (IATF), are potential attackers. These adversaries could be individuals, business rivals, script kiddies, black hat hackers, disgruntled employees, or others. But potential adversaries might also be nonmalicious users — such as poorly trained employees — who might present a threat to a network.
What attacks might those attackers launch?
The IATF defines and discusses the following types of attacks: passive, active, close-in, insider, and distribution (relevant to the CCENT certification exam).
Passive attacks do not modify data and typically involve the monitoring of data flows between systems. Using a network sniffer to extract passwords is an example of a passive attack. By contrast, active attacks typically modify or disrupt the flow of data between systems. A Denial of Service (DoS) attack, such as a flood of Transmission Control Protocol (TCP) packets to a server that causes the server to stop accepting connections, is an example of an active attack. Passive attacks are typically used to improve the success of active attacks.
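The contrast above (a sniffer leaves the traffic unchanged, whereas a TCP flood changes what the server can do) is easiest to see from the defender's side. The following Python script is an added example, not code from the original post: it runs a simple IDS-style check over a constructed list of TCP packet records and flags a source that opens many connections in a short window without ever completing the handshake, while leaving a busy but legitimate client alone. The packet records, the IP addresses, the one-second window and the threshold of 20 SYNs are all assumptions chosen for the example, not tuned values.

```python
from collections import defaultdict, deque

# Constructed packet records for the example: (timestamp in seconds, source IP,
# destination IP, destination port, TCP flags). "S" is a SYN, "A" an ACK.
# None of these addresses or timings come from a real capture.
SERVER = "192.0.2.10"


def _client_connections(src, start, count, gap, complete):
    """Build `count` connection attempts from `src`; `complete` adds the ACK
    that finishes each three-way handshake."""
    packets = []
    for i in range(count):
        t = start + i * gap
        packets.append((t, src, SERVER, 80, "S"))
        if complete:
            packets.append((t + 0.005, src, SERVER, 80, "A"))
    return packets


SAMPLE_PACKETS = (
    _client_connections("10.0.0.5", 0.0, 3, 0.5, complete=True)          # ordinary client
    + _client_connections("198.51.100.7", 1.0, 40, 0.02, complete=False)  # half-open flood
    + _client_connections("10.0.0.9", 3.0, 25, 0.03, complete=True)       # busy but legitimate
)


def detect_syn_flood(packets, window_seconds=1.0, threshold=20):
    """Return {source_ip: peak SYNs in any window} for sources that send at
    least `threshold` SYNs inside `window_seconds` and complete fewer than
    half of their handshakes. The thresholds are illustrative assumptions."""
    syn_times = defaultdict(list)
    ack_counts = defaultdict(int)
    for ts, src, _dst, _port, flags in packets:
        if flags == "S":
            syn_times[src].append(ts)
        elif "A" in flags:
            ack_counts[src] += 1

    alerts = {}
    for src, times in syn_times.items():
        window = deque()
        peak = 0
        for t in sorted(times):
            window.append(t)
            # drop SYNs that have fallen out of the sliding window
            while t - window[0] > window_seconds:
                window.popleft()
            peak = max(peak, len(window))
        # A legitimate client finishes its handshakes; a flood never does,
        # so a high SYN rate alone is not enough to raise an alert.
        if peak >= threshold and ack_counts[src] < peak / 2:
            alerts[src] = peak
    return alerts


if __name__ == "__main__":
    for src, peak in detect_syn_flood(SAMPLE_PACKETS).items():
        print(f"possible SYN flood from {src}: {peak} half-open SYNs in one second")
```

The handshake-completion check is what keeps the busy client at 10.0.0.9 out of the alert list even though it exceeds the SYN threshold; rate alone would produce a false positive on any well-used server.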
Close-in attacks are those that rely on the close physical proximity of the attacker to the target system. An attacker who is watching users type in their user names and passwords is performing a close-in attack.
Insider attacks involve a user who normally has some form of access to the target system. For example, an employee transferring confidential information to an unauthorized site is considered an insider attack.
Distribution attacks occur when malicious users modify hardware or software prior to its installation. This modification can occur at the source or while the hardware or software is in transit. A software back door created by the software vendor is an example of a distribution attack.
Specific threats from these types of attacks will be discussed in my upcoming Network Security Part 2: Threats blog.
What is the purpose of those attacks, and what outcome could the attackers be expecting?
Goals and motivation can vary among the attackers. For example, malicious users could be motivated by financial gain, information theft, curiosity, or pride; they purposely attack the network with the goals of accessing proprietary information, modifying information, and denying access to information. Nonmalicious users, on the other hand, typically have no motivation to negatively affect the network; however, they might inadvertently compromise the security of the network by choosing weak passwords or installing unauthorized software. So their motivation might be to use something that will make their access easier, but the result might be an exposed network.
How can I protect the network from these and other attacks?
There are multiple ways to mitigate attacks on a network. To help prevent threats from nonmalicious users, such as uninformed employees, you could ensure that all employees are taught the benefit of strong passwords and informed of the reasons for installing only authorized hardware. To help prevent attacks from malicious users, you should consider the following:
- Use antivirus software to protect workstations and servers against viruses.
- Use antispyware to protect sensitive information on workstations and servers.
- Use Intrusion Detection Systems (IDS) or Intrusion Prevention Systems (IPS) to identify malicious network traffic and take action.
- Use a firewall to filter traffic by Internet Protocol (IP) address and by traffic type.
- Harden security on individual network devices.
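To make the firewall item concrete: a firewall that filters by IP address and by traffic type is, at its core, an ordered list of rules with a default-deny fallback. The Python model below is an added example written for this post, not the author's code or any vendor's firewall syntax. It evaluates traffic against a permissive rule set and a hardened one, and includes a small audit that flags rules broad enough to let everything through. The networks, ports and rule sets are constructed for illustration; the address ranges are documentation prefixes, not real hosts.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str                     # "allow" or "deny"
    src: str                        # source network in CIDR notation, or "any"
    proto: str                      # "tcp", "udp", "icmp", or "any"
    dst_port: Optional[int] = None  # None matches every destination port

    def matches(self, src_ip: str, proto: str, dst_port: Optional[int]) -> bool:
        """True when the source address, protocol and port all fit this rule."""
        if self.src != "any" and ipaddress.ip_address(src_ip) not in ipaddress.ip_network(self.src):
            return False
        if self.proto != "any" and self.proto != proto:
            return False
        if self.dst_port is not None and self.dst_port != dst_port:
            return False
        return True


def evaluate(rules, src_ip, proto, dst_port=None, default="deny"):
    """First matching rule wins. Anything no rule mentions gets `default`,
    which is "deny" so that an omission fails closed rather than open."""
    for rule in rules:
        if rule.matches(src_ip, proto, dst_port):
            return rule.action
    return default


def overly_broad_rules(rules):
    """Audit helper: allow rules that match any source and any traffic type
    let everything through and defeat the point of filtering."""
    return [r for r in rules
            if r.action == "allow" and r.src == "any"
            and r.proto == "any" and r.dst_port is None]


# Weak setting (constructed): a single rule that allows all traffic.
PERMISSIVE = [Rule("allow", "any", "any")]

# Hardened setting (constructed): web ports open to all, SSH only from the
# admin subnet, a known-bad range dropped before anything else is considered,
# and an implicit deny for everything the list does not mention.
HARDENED = [
    Rule("deny", "203.0.113.0/24", "any"),
    Rule("allow", "any", "tcp", 80),
    Rule("allow", "any", "tcp", 443),
    Rule("allow", "10.0.0.0/24", "tcp", 22),
    Rule("allow", "any", "icmp"),
]


if __name__ == "__main__":
    probes = [("198.51.100.7", "tcp", 22), ("10.0.0.5", "tcp", 22),
              ("203.0.113.9", "tcp", 443), ("198.51.100.7", "udp", 53)]
    for ip, proto, port in probes:
        print(ip, proto, port, "->", evaluate(HARDENED, ip, proto, port))
    print("overly broad rules in PERMISSIVE:", overly_broad_rules(PERMISSIVE))
```

Rule order matters: the deny for the known-bad range sits first so that a later "allow any tcp 443" cannot override it, which is the same reasoning a practitioner applies when ordering real firewall rules.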
These mitigation techniques work best on specific types of threats. A discussion of those threats will be coming in Network Security Part 2: Threats.