Individuals, organisations and governments are faced with the task of defending their networks against several types of intrusive attack (Hafele, 2004, SANS). Every computer connected to the Internet is prone to intrusion. Many computer criminals have therefore taken advantage of the vulnerabilities that result from the lack of security features built into the Internet. Hackers and other threat agents have advanced to using stealthier attacks that are more effective. Cybercrimes are illegal actions facilitated through the use of computer systems (Milone, 2002). Various attacks against information infrastructure and Internet services, such as online fraud, malicious software and hacking attacks, are carried out every day. The financial damage caused by computer-related crime and cybercrime is massive, exceeding 17 billion USD (CRS Report, 2004). This shows the importance of protecting information infrastructures and improving cybersecurity.
Fig 1. Percentage of threat actions
THE THREAT ENVIRONMENT:
Unauthorised access to and breaches of computerised information compromise the integrity, confidentiality and availability of the information maintained by an individual or an organisation. Threat agents can cause or contribute to incidents, and their involvement can be malicious or non-malicious, intentional or accidental. The categories of threat agents are external, internal and partner threats. External threats originate from outside the organisation and include hackers and organised crime groups. Internal or insider threats originate from inside the organisation and comprise employees, contractors, executives and interns. Partners are third parties that have a business relationship with the organisation, such as vendors, distributors and IT support.
HACKERS: A hacker is an individual who breaks into a computer system, data or personal files without permission. Hackers have a good understanding of the Internet and its protocols and of how to use hacking tools (Barber, 2001). They are highly intelligent and good programmers. The major reasons why people hack into systems are thrill and excitement, knowledge and experimentation, curiosity, prestige, intellectual challenge, money and revenge. The tools hackers use include password cracking, rootkits, packet sniffing and IP spoofing.
Types of hackers
The various types of hackers and their activities are described below:
The white hat hacker: "white hat" is used to describe security experts, also known as ethical hackers. In contrast to individuals who hack systems with malicious intent, a white hat does so with a sense of ethical responsibility and the intent to enhance security practices and strengthen computer systems. The increase in the number and complexity of threats faced by enterprise networks has created a high demand for ethical hackers (Caldwell, 2011). They use their knowledge, skills and expertise to defend network and informational assets and to test and improve security.
Black hats: black hat hackers are individuals who break into computer systems with malicious intent. They shut down networks, create and send viruses or worms, steal personal information and data, and engage in fraud, theft, espionage and terrorism.
Script kiddies: script kiddies are teenagers aged 14-16 who use tools available on the Internet that were written by more experienced hackers. They seek the thrill of publicity and are easier to detect and catch. Script kiddies are not computer geniuses; they have little knowledge of the workings of the Internet and its protocols (Barber, 2001). Their attacks can nevertheless be very damaging, as they gain access to systems, deface web pages or interrupt network systems. In 2000, major online companies such as Yahoo!, CNN, eBay and Amazon experienced Denial of Service (DoS) attacks. Huge amounts of traffic were sent to the websites until they could not handle the volume. The alleged perpetrator was a 15-year-old Canadian script kiddy.
Grey hats: grey hat hackers are those whose activities fall between those of black and white hat hackers. Their activities are performed within the law and applicable regulations, but they may go slightly over the boundaries to achieve better security. They carry out penetration testing to identify and exploit a company's security weaknesses. These tests reveal how easily an organisation's security controls can be penetrated and how easily hackers could obtain access to confidential and sensitive information assets.
Hacktivists:
Hacktivism is defined as hacking done for a political cause. It is the combination of hacking and activism, of politics and technology, covering activities that use hacking techniques to disrupt a target's website without causing damage (Denning, 1999). Hacktivist operations involve defacement of web pages, redirects, virtual sit-ins, virtual blockades, denial of service attacks, computer viruses and worms, site parodies, automated email bombs, computer break-ins, software development, information theft and espionage (Denning, 1999). Hacktivists stop short of cyber terrorism, as they are devoted to ensuring the Internet is used as a platform for free speech and expression (Samuel, 2004).
Cyber terrorism: cyber terrorism is described as the fusion of cyberspace and terrorism. It involves politically motivated hacking operations aimed at causing severe damage such as loss of life, electrical blackouts, communication system breakdown and economic harm (Denning, 1999). Major targets include banking and financial institutions, telephone systems, electrical infrastructure, water resources, and oil and gas supplies, as they are computer-controlled and possess varying degrees of vulnerability to a full-on attack (Stephen, 2003).
2. ATTACK METHODS
These are techniques used to breach the information security defences of an organisation.
2.1 MALWARE ATTACKS:
Malware, or malicious software, is a term used to describe various types of program written to be harmful to or cause damage to a computer system. There are two categories of malicious software: those that require a host program and those that are independent (William Stallings, 2006). The former cannot function on their own; they rely on another application, utility or system program. Examples are viruses, backdoors and logic bombs. The latter are programs that can be run directly by the operating system. Examples are worms and zombie programs.
The types of malware described are:
Viruses: a computer virus is a program or programming code constructed with two objectives (Marshall and Podell, 1998). The first is to replicate by copying itself into a useful document, program or computer boot sector. The second is to perform a specific function, such as slowing down processes in the computer, displaying a message or erasing sectors of a hard disk. Viruses can be propagated through attachments, emails, CDs or floppy disks. Types of virus include the metamorphic virus, stealth virus, macro virus, file virus and script virus (William Stallings, 2006). The impacts of a virus attack can include interruption of operations; theft, destruction or modification of data; loss of life or business; unavailability of computer resources; embarrassment; fraud and other financial crimes (Marshall and Podell, 1998).
Worm: worms, unlike viruses, do not infect or alter other program files and system sectors. A worm replicates and sends copies of itself to other computers across network connections. A network worm can act as a virus once it is active within a system. It can search for hosts running weak web server programs and transfer itself onto the machine with a single-message break-in attack (Panko, 2005). When unleashed, worms replicate and spread rapidly, clogging networks and making web pages slow to load. Worms can also compromise security and damage the computer.
In 2001, the worm attacks called Code Red and Nimda infested more than 500,000 servers, causing $2.6 billion in damage (Panko, 2005). The Robert Morris worm in 1988 infected approximately 6,000 hosts on the Internet. It rendered the Internet offline and caused approximately $10 million in damage.
Trojan horse: a Trojan horse is a malicious program disguised as having a useful purpose or as a normal application. Trojan horse programs can be transmitted as attachments to a virus. They spread when individuals are lured into opening programs that appear to come from legitimate sources. When it runs, a Trojan could give hackers backdoor access or destroy files on the hard disk. Some examples of Trojan types are Remote Access Trojans, data destruction Trojans, downloaders, server Trojans, spyware and rootkits. The functions of Trojans include keylogging, creation of backdoors, disk formatting and deletion of files.
Payloads: a payload is the malicious software content that a virus or worm executes once it has propagated into a computer system. Payloads delete files and cause operating systems to stop functioning properly. The functions of payloads include data stealing, backdoor creation, file deletion, encryption, disk overwriting and BIOS flashing.
Mobile code: these are lightweight pieces of code that are downloaded and executed with little or no user intervention. They enter a site through active content such as JavaScript, Visual Basic Scripts, Java Applets, ActiveX controls and plug-ins (Daniel Cleary, 2004). Active content gives information servers the ability to customise the presentation of their information, and it also provides a method of attacking systems running a client browser. Some of the most common attacks are browser monitoring, resource exhaustion, browser hijacking, obtaining access to files, web bug privacy attacks, cookie stealing and cross-site scripting (XSS) (Daniel Cleary, 2004).
2.2 REMOTE ATTACKS
These are special techniques that attackers use to compromise remote systems. They are described as the following:
DoS attacks: DoS attacks are intended to render computer or network resources unavailable to legitimate users. They are designed to consume the available resources of a target, thereby causing a level of service disruption (Kevin Joule et al, 2001). Network bandwidth, storage and processing power are the major targets of DoS attacks.
Network-based denial of service attacks involve the corruption of the operating system or resource exhaustion. DoS attacks are carried out in several ways, such as the ping of death, UDP bombing, TCP SYN flooding, connectivity attacks and the smurf attack (Gregg et al, 2001).
DNS Poisoning: DNS poisoning is the changing or adding of records in the domain name system table so that the legitimate IP address for a name is replaced with an attacker-controlled rogue address (Olzak, 2006). The main reasons for DNS poisoning are identity theft, distribution of false information, distribution of malware and man-in-the-middle attacks (Olzak, 2006).
Port scanning: port scanning is a technique to discover the weaknesses of hosts by sending port probes (Lee, 2003). Port scanning is carried out by malicious individuals to seek out network vulnerabilities and determine the best ways to attack. The effects of port scans include network congestion, wasting of resources and malware activity. Some types of port scanning technique include the stealth scan, sweep, connect scan, vanilla scan, FTP bounce scan and fragmented packets (Singh, 2011).
Other types of remote attack include TCP desynchronization, SMB relay and ICMP attacks.
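The DNS poisoning paragraph above says little about why a rogue answer is accepted. As an added example (not from the original text), the following Python builds a minimal A-record query and response in DNS wire format and shows the checks a resolver must apply before caching an answer: the reply must arrive on the port the query was sent from, carry the same transaction ID, have the QR bit set and repeat the exact question. The port number, names and addresses are constructed for the illustration.

```python
import struct

QUERY_PORT = 51423  # assumed randomised source port the resolver used (constructed)

def encode_name(name):
    """Encode 'www.example.com' as length-prefixed DNS labels."""
    labels = b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split("."))
    return labels + b"\x00"

def build_query(txid, name):
    """Standard recursive A-record query: 12-byte header plus question section."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)

def build_response(txid, name, ip):
    """Response with one A record; the answer name points at the question (offset 12)."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)
    rdata = bytes(int(o) for o in ip.split("."))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, len(rdata)) + rdata
    return header + question + answer

def accept_response(query, query_port, response, from_port):
    """The validation a resolver performs before caching; returns (accepted, reason)."""
    if from_port != query_port:
        return False, "wrong destination port"
    if len(response) < len(query):
        return False, "truncated"
    (q_id,) = struct.unpack("!H", query[:2])
    r_id, flags = struct.unpack("!HH", response[:4])
    if r_id != q_id:
        return False, "transaction id mismatch"
    if not flags & 0x8000:
        return False, "QR bit not set"
    if response[12:len(query)] != query[12:]:
        return False, "question section mismatch"
    return True, "ok"

def answer_ip(response, query):
    """Extract the A record from an accepted response built by build_response."""
    start = len(query) + 12  # skip the 12-byte fixed part of the answer record
    return ".".join(str(b) for b in response[start:start + 4])

# Constructed exchange: the genuine reply and a reply whose transaction ID was guessed wrongly.
QUERY = build_query(0x1A2B, "www.example.com")
GENUINE = build_response(0x1A2B, "www.example.com", "192.0.2.44")
SPOOFED = build_response(0x1A2C, "www.example.com", "198.51.100.66")
```

With only 16 bits of transaction ID the check is weak on its own, which is why resolvers also randomise the source port and compare the question section.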
SOCIAL ENGINEERING ATTACKS
Social engineering is the use of various techniques to manipulate or trick people into performing actions and revealing confidential information that can be used to gain unauthorised access to information and systems and to steal data and identities (Thomas, 2006). The two main categories of social engineering attack are the technology-based approach and the human-based approach.
Technology based approach: is the use of computer systems to deceive users into divulging corporate and confidential information. They include:
Phishing: phishing attacks are on the rise and have become one of the most lethal hacking methods, as they are sophisticated and difficult to detect (Hazel, 2011). Phishing involves the use of an email that appears to be from a legitimate company to obtain access to bank accounts, identification numbers, credit cards, passwords, logins, social security numbers and other confidential information (Smedinghoff, 2005). The emails contain a link to the perpetrator's website, which has the same look, logos, content and feel as the original website and contains a form for entering personal information.
Vishing: this is the combination of voice and phishing. It is the act of using Voice over Internet Protocol (VoIP) technology to obtain confidential information from customers for financial gain (Swann, 2007). Attackers use telephone systems, claiming to be with legitimate financial institutions or other entities, to obtain account and credit card numbers, social security numbers, passwords and login details from customers.
Spam mails: these are emails that appear to offer useful information but contain programs and executables hidden in the attachments (Peltier, 2006). The messages can appear in the form of videos, music, photographs, jokes, security notices, cartoons or software downloads. When these messages are opened, malicious software gains access to the systems and networks.
Pop-up Windows: an attacker's program appears on the screen notifying the user that the connectivity was dropped due to network problems and needs to be re-authenticated. The user unsuspectingly does as requested and the program emails the attacker with the access information (Peltier, 2006).
Human-based approach: these include
Pretexting or impersonation: this is usually done over the telephone by the creation and usage of invented scenarios to persuade a victim to divulge information or carry out an action (Peltier, 2006). It can also be used to impersonate employees who have the appropriate authority to obtain banking records, hospital records and other customer information. The technique requires a lot of research as it involves providing some information to establish trust and legitimacy with the target.
Dumpster Diving: dumpster diving, also known as trashing, is a popular method of social engineering. Hackers can easily retrieve sensitive and confidential information from dumpsters. Material such as company policy and procedure manuals, employee information, phone books, source code, disks and tapes, if not shredded, can provide rich and useful information for hackers.
Reverse Social Engineering: this is a more advanced method of social engineering. Here, the victim is tricked into contacting the attacker first (Danesh et al, 2011). An example is when an attacker sabotages a network and poses as a technician to help resolve the problem for the victim. Thus, trust is established between the attacker and the victim and the attacker can easily launch various attacks such as identity theft, blackmail and phishing.
Other types: other types of human-based approach of social engineering attacks include piggybacking, shoulder surfing, persuasion, eavesdropping and hoaxing.
PREVENTION OF ATTACKS
Intrusion Detection Systems (IDS): the implementation of an IDS can provide a strong and effective defence and prevent threats from entering the network. An advanced intrusion detection system inspects all network activity and detects and identifies suspicious network activity, port scans and malicious payloads (Stephen, 2003). It also manages firewalls, servers and routers. It audits operating systems, system configurations and vulnerabilities, and assesses the integrity of critical system and data files (Pietro and Mancini, 2008).
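The IDS paragraph above and the earlier DoS and port scanning paragraphs describe what such a system detects without showing how. As an added example (not the page's own code or any product's logic), the following Python runs two sliding-window checks over constructed connection records: a port scan is one source probing many distinct ports on a host within a short window, and a SYN flood is many bare SYNs (SYN set, ACK clear) aimed at one service within the window. The record format, thresholds and addresses are all assumptions for the illustration.

```python
from collections import defaultdict

PORT_SCAN_THRESHOLD = 6   # distinct destination ports from one source to one host ...
SYN_FLOOD_THRESHOLD = 20  # ... or bare SYNs aimed at one host:port ...
WINDOW = 10               # ... within this many seconds

# Constructed records: "epoch src dst dport flags" (S = SYN, SA = SYN-ACK).
SAMPLE_LOG = """\
1000 203.0.113.5 192.0.2.10 22 S
1001 203.0.113.5 192.0.2.10 23 S
1001 203.0.113.5 192.0.2.10 25 S
1002 203.0.113.5 192.0.2.10 80 S
1002 203.0.113.5 192.0.2.10 110 S
1003 203.0.113.5 192.0.2.10 143 S
1003 203.0.113.5 192.0.2.10 443 S
1004 203.0.113.5 192.0.2.10 3389 S
1005 198.51.100.9 192.0.2.10 443 S
1005 198.51.100.9 192.0.2.10 443 SA
"""
# 25 bare SYNs to port 80 from 25 different sources over six seconds (constructed flood).
FLOOD_LINES = "".join(f"{2000 + i // 5} 198.51.100.{i} 192.0.2.10 80 S\n" for i in range(1, 26))

def parse_records(text):
    """Parse the constructed log format into sorted (ts, src, dst, dport, flags) tuples."""
    records = []
    for line in text.splitlines():
        if line.strip():
            ts, src, dst, dport, flags = line.split()
            records.append((int(ts), src, dst, int(dport), flags))
    return sorted(records)

def detect(records):
    """Return sorted alerts: ('port_scan', 'src->dst') and ('syn_flood', 'dst:port')."""
    alerts = set()
    by_pair = defaultdict(list)     # (src, dst) -> [(ts, dport)]
    by_service = defaultdict(list)  # (dst, dport) -> [ts] of bare SYNs
    for ts, src, dst, dport, flags in records:
        by_pair[(src, dst)].append((ts, dport))
        if "S" in flags and "A" not in flags:
            by_service[(dst, dport)].append(ts)
    for (src, dst), events in by_pair.items():
        for i, (t0, _) in enumerate(events):  # window starting at each event
            ports = {p for t, p in events[i:] if t - t0 <= WINDOW}
            if len(ports) >= PORT_SCAN_THRESHOLD:
                alerts.add(("port_scan", f"{src}->{dst}"))
                break
    for (dst, dport), times in by_service.items():
        for i, t0 in enumerate(times):
            if sum(1 for t in times[i:] if t - t0 <= WINDOW) >= SYN_FLOOD_THRESHOLD:
                alerts.add(("syn_flood", f"{dst}:{dport}"))
                break
    return sorted(alerts)
```

Real sensors key the same counters on flows seen by a tap or flow export rather than a text log, but the windowed thresholds are the core of both detections.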
Physical Access Security: this is physically placing a barrier, safeguarding information and computer systems from physical attacks and unauthorised physical access to the computer systems (Weingart, 2000). Servers, switches, routers and other equipment should be kept in a protected environment with restricted access. Other security measures should involve the use of security guards, access policies, biometrical authentication systems, cameras and badge readers.
Anti-Virus Software: the use of antivirus software on individual PCs, local systems, Internet servers and network servers is an effective detection and prevention method. Antivirus programs search and scan computer systems for known or potential viruses before they spread and cause tremendous damage.
Internet Firewalls: firewalls are hardware and software systems that protect networks from attacks by filtering and managing Internet traffic (Kamara, 2003). They deny or allow outgoing and incoming traffic, known as egress filtering and ingress filtering respectively. A firewall prevents unauthorised access to and from a network and limits access from one network to another. Firewalls are used to protect the availability, confidentiality and integrity of information in an organisation's computing environment.
Encryption: Encryption is a very effective method of data security used to protect digital information from unauthorised access. Data encryption is defined as the process of converting or scrambling information that is reversible only by the intended recipient (Moore, 2005). A lot of companies implement data encryption techniques to prevent data loss against disgruntled employees, hackers, visitors and insider attacks. It is being used by financial institutions for money transfer protection, businesses for credit-card protection and by corporations for sensitive data transmission (Moore, 2005).
Awareness and Education: an important part of a defence strategy is to communicate, build awareness and train employees on the organisation's security policies and procedures, cyber issues and solutions. They should also be educated on the techniques and behaviours used by hackers, disgruntled employees and social engineers. Some ways to create awareness are regular online training and tests, scenarios, real-life examples and the use of penetration tests, whereby security consultants try to identify vulnerabilities within an organisation's systems to provide a meaningful evaluation of its security. This strengthens the overall resilience and security of the company.
Processes: conducting risk assessments and implementing risk management helps in identifying an organisation's critical assets and implementing controls and safety measures to protect the assets against attacks. Audit procedures should also be in place to ensure that employees are complying with policy.
Conclusion
The risk of data loss and theft from unauthorised access is increasing daily. The development and implementation of technologies and security architectures are effective ways of dealing with threats. Although traditional methods of prevention are in use as security measures, there is a need to employ specialists who exploit vulnerabilities in networks with the aim of determining the security stance of an organisation. It is impossible to completely eliminate cybercrime, but it is possible to keep it in check. This can be done by creating awareness and education, and through stringent laws against cybercrime.