Information Security

Week 02
Anatomy of an Attack

 This section provides an example of how a hacker might discover information and gain
access to a network
 An attack on your system can come from either inside or outside your organization.
 Protecting your systems only from external attack may be a fatal flaw in your security
 policy.
 Most attacks, however, do come from the outside by either experienced hackers or
inexperienced, newly budding hackers and take place during the night when risk of
detection is low.
 Describing this process should enlighten the reader to the clever methods that may be
employed by a hacker to gain access to your systems and network.
Anatomy of an Attack

 1. The hacker picks a target organization.

 2. The hacker attempts to discover the organization’s internet connections by issuing
who is queries to InterNIC (Internet Network Information Center) to find the
organization’s DNS (Domain Name Service) servers.
 3. A DNS zone transfer is requested from the organization’s DNS servers.
 This is a probe into the organization that may not be blocked by the organization’s
firewall (if they have one at all).
 4. The hacker tries to discover the IP addresses of the filtering router, which is the
organization’s internet gateway, by probing the site with a program that will trace the
route packets will travel.
 The organization’s internal router or firewall will be the last hope before packets issued
by the probe get dropped.
Anatomy of an Attack

 5. IP addresses for bastion host machines (see section 5.3) outside the firewall attempt
to be found.
 6. The bastion host machine ports are scanned to determine which ports are active and
what system services are running that may be exploited.
 7. If access can be gained into the machine, then the accounts database or password file
is searched for existing usernames.
 8. Password cracking programs are used to try to break into the administrator or “super-
user” account. If access is gained, then that machine is entirely compromised and the
hacker has free rein.
Anatomy of an Attack

 9. Next, to compromise other machines on the network, a password decryption program

is run to get other username passwords. Some of the same passwords that are on bastion
hosts may be used on machines inside the firewall. Also addresses and names of the
internal machines may be discovered by checking the “hosts” file or other equivalent files
residing on the bastion hosts.
 10. Armed with this information, access to the internal machines is attempted via the
compromised bastion host machine.
 Misconfigured or poorly configured firewalls are common. These may contain holes that
allow access to internal networks to clever hackers.
 If entry is achieved by remote login to any of the internal machines, then a sniffer
program can be run from the internal machine to discover clear-text password
information flowing on the network and thereby enable hacked access into all the internal
machines.
Anatomy of an Attack

 11. Once inside, then other access points within the internal network such as other
firewalls or machines with modems are secured in case the original intrusion point is
discovered.
 Phone numbers to modems may be published internally or in an administrator’s
 directory.
 Else, a dialer program that scans the phone lines looking for modem carriers can be
run. Internal PCs with modems are a perfect backdoor.
 12. The attack progresses to compromise as many machines as possible with the
ultimate goal to reach an organization’s most mission-critical machines and those with
sensitive information.
Anatomy of an Attack

 11. Once inside, then other access points within the internal network such as other
firewalls or machines with modems are secured in case the original intrusion point is
discovered.
 Phone numbers to modems may be published internally or in an administrator’s
 directory.
 Else, a dialer program that scans the phone lines looking for modem carriers can be
run. Internal PCs with modems are a perfect backdoor.
 12. The attack progresses to compromise as many machines as possible with the
ultimate goal to reach an organization’s most mission-critical machines and those with
sensitive information.
Awareness and Management
Commitment to Security
 The first step in implementing information security is to create a security policy.
 Before creating a security policy, however, an organization’s management must
consider arguments for the security risks: how security breaches may impact business,
such as the reputation of the company if it is hacked (negative publicity), and the
potential financial risk that is at stake.
 Also, some businesses, such as healthcare, will need to implement information security
because it is required by law.
 If the risks to the organization are not perceived as high, or are not believable, then you
will not be able to effectively enforce or maintain your security policy.
Awareness and Management
Commitment to Security
 Much of the time management is simply not aware of the risks or does not fully
understand them. They may not believe the organization is vulnerable to attack for
some reason.
 Managers of small companies, for example, tend to downplay security risks.
 I have found a general lack of management awareness of security risks at all levels and
types of organizations.
 Security at best is perceived as a necessary evil and at worst is seen as a costly and
undesirable intrusion.
 It must be seen as an integral part of an organization’s overall business strategy.
Awareness and Management
Commitment to Security
 Security risks must be translated in the minds of managers to financial loss, either
through lost business, reduced productivity, lost data, revealed corporate secrets or
compromised integrity.
 The threat by hackers must be perceived as real.
 Examples of recent hacker attacks on similar organizations may need to be presented to
management, to get their attention.
Awareness and Management
Commitment to Security
 If management does not agree to establish and enforce a security policy, then your
enhancements to security may not stop your high-risk threats.
 The high-risk threats and the cost of mitigating these threats must be presented
accurately and fully.
 Only then can management make a good decision.
 Since management may need to be educated as to the reality of the threat and its
impact on the organization, the most potent argument is to clearly define the financial
risks.
 It may be necessary to hire a third party to do the vulnerability analysis, as this often
 has a stronger impact with management.
Awareness and Management
Commitment to Security
 If management does not agree to establish and enforce a security policy, then your
enhancements to security may not stop your high-risk threats.
 The high-risk threats and the cost of mitigating these threats must be presented
accurately and fully.
 Only then can management make a good decision.
 Since management may need to be educated as to the reality of the threat and its
impact on the organization, the most potent argument is to clearly define the financial
risks.
 It may be necessary to hire a third party to do the vulnerability analysis, as this often
 has a stronger impact with management.