MALICIOUS THREATS

| CATEGORY | THREAT | DEFINITION | TYPICAL BEHAVIOR | VULNERABILITIES | PREVENTION | DETECTION | COUNTERMEASURES |
|---|---|---|---|---|---|---|---|
| Malicious Software | Virus | Malicious software that attaches itself to other software. For example, a patched application in which the patch's algorithm is designed to apply the same patch to other applications, thereby replicating. | Replicates within the computer system, potentially attaching itself to every software application. Behavior categories: innocuous, humorous, data altering, catastrophic. | All computers. Common categories: boot sector; Terminate and Stay Resident (TSR); application software; stealth (or chameleon); mutation engine; network; mainframe. | Limit connectivity; limit downloads. Use only authorized media for loading data and software. Enforce mandatory access controls. Viruses generally cannot run unless the host application is running. | Changes in file sizes or date/time stamps. Computer is slow starting or slow running. Unexpected or frequent system failures. Change of system date/time. Low memory or increased bad blocks on disks. | Contain, identify and recover. Anti-virus scanners look for known viruses; anti-virus monitors look for virus-related application behaviors. Attempt to determine the source of infection and issue an alert. |
| Malicious Software | Worm | Malicious software that is a stand-alone application. | Often designed to propagate through a network rather than just a single computer. | Multitasking computers, especially those employing open network standards. | Limit connectivity; employ firewalls. Worms can run even without a host application. | Computer is slow starting or slow running. Unexpected or frequent system failures. | Contain, identify and recover. Attempt to determine the source of infection and issue an alert. |
| Malicious Software | Trojan Horse | A worm that pretends to be a useful program, or a virus purposely attached to a useful program prior to distribution. | Same as virus or worm, but also sometimes used to send information back to, or make information available to, the perpetrator. | Unlike worms, which self-propagate, Trojan Horses require user cooperation. Untrained users are vulnerable. | User cooperation allows Trojan Horses to bypass automated controls; user training is the best prevention. | Same as virus and worm. | Same as virus and worm. An alert must be issued not only to other system administrators but to all network users. |
| Malicious Software | Time Bomb | A virus or worm designed to activate at a certain date/time. | Same as virus or worm, but widespread throughout the organization upon the trigger date. | Same as virus and worm. Time Bombs are usually found before the trigger date. | Run the associated anti-viral software immediately as it becomes available. | Correlate user problem reports to find patterns indicating a possible Time Bomb. | Contain, identify and recover. Attempt to determine the source of infection and issue an alert. |
| Malicious Software | Logic Bomb | A virus or worm designed to activate under certain conditions. | Same as virus or worm. | Same as virus or worm. | Same as virus or worm. | Correlate user problem reports indicating a possible Logic Bomb. | Contain, identify and recover. Determine the source and issue an alert. |
| Malicious Software | Rabbit | A worm designed to replicate to the point of exhausting computer resources. | Consumes all CPU cycles, disk space, network resources, etc. | Multitasking computers, especially those on a network. | Limit connectivity; employ firewalls. | Computer is slow starting or running. Frequent system failures. | Contain, identify and recover. Determine the source and issue an alert. |
| Malicious Software | Bacterium | A virus designed to attach itself to the operating system in particular (rather than to any application in general) and exhaust computer resources, especially CPU cycles. | The operating system consumes more and more CPU cycles, eventually resulting in noticeable delay in user transactions. | Older versions of operating systems are more vulnerable than newer versions, since attackers have had more time to write Bacteria for them. | Limit write privileges and opportunities to OS files. System administrators should work from non-admin accounts whenever possible. | Changes in OS file sizes or date/time stamps. Computer is slow in running. Unexpected or frequent system failures. | Anti-virus scanners look for known viruses; anti-virus monitors look for virus-related system behaviors. |
| Spoofing | Spoofing | Getting one computer on a network to pretend to have the identity of another computer, usually one with special access privileges, so as to obtain access to the other computers on the network. | The spoofing computer often does not have access to user-level commands, so it attempts to use automation-level services such as email or message handlers. | Automation services designed for network interoperability are especially vulnerable, particularly those adhering to open standards. | Limit the system privileges of automation services to the minimum necessary. Upgrade via security patches as they become available. | Monitor transaction logs of automation services, scanning for unusual behaviors. If automating this process, do so off-line to avoid "tunneling" attacks. | Disconnect automation services until patched, or monitor automation access points (such as network sockets), scanning for the next spoof in an attempt to trace back to the perpetrator. |
| Spoofing | Masquerade | Accessing a computer by pretending to have an authorized user identity. | The masquerading user often employs network or administrator command functions to access even more of the system, e.g., by attempting to download password or routing tables. | Placing false or modified login prompts on a computer is a common way to obtain user IDs and passwords, as are snooping, scanning and scavenging. | Limit user access to network or administrator command functions. Implement multiple levels of administrators, with different privileges for each. | Correlate user identification with shift times or increased frequency of access. Correlate user command logs with administrator command functions. | Change the user's password, or use standard administrator functions to determine the access point, then trace back to the perpetrator. |
| Scanning | Sequential Scanning | Sequentially testing passwords/authentication codes until one is successful. | Multiple users attempting network or administrator command functions, indicating multiple Masquerades. | Since most login prompts have a time delay built in to foil automated scanning, obtaining the hashed password table and testing candidates against it off-line (where no delay or lockout applies) is a common technique. | Enforce organizational password policies. Make even system administrator access to password files cumbersome. | Correlate user identification with shift times. Correlate user problem reports relevant to possible Masquerades. | Change the entire password file, or use baiting tactics to trace back to the perpetrator. |
| Scanning | Dictionary Scanning | Scanning through a dictionary of commonly used passwords/authentication codes until one is successful. | Multiple users attempting network or administrator command functions, indicating multiple Masquerades. | Use of common words and names as passwords or authentication codes, including so-called "Joe accounts", whose password is the same as the user name. | Enforce organizational password policies. | Correlate user identification with shift times. Correlate user problem reports relevant to possible Masquerades. | Change the entire password file, or use baiting tactics to trace back to the perpetrator. |
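The off-line attack described in the Sequential Scanning row and the "Joe account" weakness in the Dictionary Scanning row, shown together as an added example that is not part of the original table. It builds a constructed password table using salted SHA-256 (a deliberately fast hash, which is exactly why an attacker who has the table prefers off-line testing to a rate-limited login prompt), runs a small word list plus each user's own name against it, and then shows the policy check that would have rejected those passwords before they were set. The user names, passwords, word list and the 12-character minimum are assumptions made for the demonstration.

```python
import hashlib
import os

# A deliberately fast hash stands in for the weakly protected password files
# of older systems; real systems should use a slow KDF (scrypt, bcrypt, Argon2).
def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.sha256(salt + password.encode()).digest()

def make_table(credentials: dict) -> dict:
    """Build a constructed password table: user -> (salt, digest)."""
    table = {}
    for user, password in credentials.items():
        salt = os.urandom(8)
        table[user] = (salt, hash_password(password, salt))
    return table

# Constructed word list; a real dictionary scan uses tens of millions of entries.
COMMON_WORDS = ["password", "letmein", "welcome", "summer", "qwerty"]

def candidates_for(user: str, wordlist) -> list:
    """Guesses in the order a dictionary scanner tries them: the user name itself
    (a 'Joe account'), the word list, then capitalised and digit-suffixed variants."""
    base = [user] + list(wordlist)
    base += [w.capitalize() for w in base]
    return base + [w + "1" for w in base] + [w + "123" for w in base]

def crack_offline(table: dict, wordlist=COMMON_WORDS) -> dict:
    """Off-line scan of a stolen table: no login-prompt delay and no lockout,
    so the only limit is hashing speed. Returns user -> recovered password."""
    found = {}
    for user, (salt, digest) in table.items():
        for guess in candidates_for(user, wordlist):
            if hash_password(guess, salt) == digest:
                found[user] = guess
                break
    return found

def policy_violations(user: str, password: str, wordlist=COMMON_WORDS) -> list:
    """Prevention side: the checks an organizational password policy should apply
    before a password is accepted. A trailing digit suffix is stripped so that
    'Summer123' is still recognised as the dictionary word 'summer'."""
    problems = []
    core = password.lower().rstrip("0123456789")
    if core == user.lower():
        problems.append("joe-account: password is the user name")
    if core in wordlist:
        problems.append("dictionary word")
    if len(password) < 12:  # assumed organizational minimum
        problems.append("shorter than 12 characters")
    return problems

if __name__ == "__main__":
    creds = {"joe": "joe", "alice": "Summer123", "bob": "c7!Kq-2vXp9#mLr"}
    print("cracked:", crack_offline(make_table(creds)))
    for user, pw in creds.items():
        print(user, policy_violations(user, pw))
```

The salt defeats precomputed tables but does nothing against per-user guessing, which is what the scan above does; the real defences are the policy check, a slow key-derivation function, and keeping the table itself out of reach, which is the point of making administrator access to password files cumbersome.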
| CATEGORY | THREAT | DEFINITION | TYPICAL BEHAVIOR | VULNERABILITIES | PREVENTION | DETECTION | COUNTERMEASURES |
|---|---|---|---|---|---|---|---|
| Snooping | Digital Snooping | Electronic monitoring of digital networks to uncover passwords or other data. | Users or even system administrators found on-line at unusual or off-shift hours. Changes in behavior of the network transport layer. | An example of how COMSEC affects COMPUSEC: links can be more vulnerable to snooping than nodes. | Employ data encryption. Limit physical access to network nodes and links. | Correlate user identification with shift times. Correlate user problem reports. Monitor network performance. | Change encryption schemes, or employ network monitoring tools to attempt a trace back to the perpetrator. |
| Snooping | Shoulder Surfing | Direct visual observation of monitor displays to obtain access. | Authorized user found on-line at unusual or off-shift hours, indicating a possible Masquerade. Authorized user attempting administrator command functions. | "Sticky" notes used to record account and password information. Password entry screens that do not mask typed text. "Loitering" opportunities. | Limit physical access to computer areas. Require users to change passwords (at minimum whenever exposure is suspected; routine forced rotation is no longer recommended by current guidance such as NIST SP 800-63B). | Correlate user identification with shift times or increased frequency of access. Correlate user command logs with administrator command functions. | Change the user's password, or use standard administrator functions to determine the access point, then trace back to the perpetrator. |
| Scavenging | Dumpster Diving | Accessing discarded trash to obtain passwords and other data. | Multiple users attempting network or administrator command functions, indicating multiple Masquerades. | "Sticky" notes used to record account and password information. System administrator printouts of user logs. | Destroy discarded hardcopy. | Correlate user identification with shift times. Correlate user problem reports relevant to possible Masquerades. | Change the entire password file, or use baiting tactics to trace back to the perpetrator. |
| Scavenging | Browsing | Usually automated scanning of large quantities of unprotected data (discarded media or on-line "finger"-type commands) to obtain clues as to how to achieve access. | Authorized user found on-line at unusual or off-shift hours, indicating a possible Masquerade. Authorized user attempting administrator command functions. | "Finger"-type services provide information to any and all users. The information is usually assumed safe but can give clues to passwords (e.g., a spouse's name). | Destroy discarded media. Especially on open networks, disable "finger"-type services. | Correlate user identification with shift times or increased frequency of access. Correlate user command logs with administrator command functions. | Change the user's password, or use standard administrator functions to determine the access point, then trace back to the perpetrator. |
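The detection advice that the Masquerade, Scanning, Snooping, Scavenging and Browsing rows share (correlate user identification with shift times, treat one source failing against many accounts as multiple attempted Masquerades, and correlate user command logs with administrator command functions) turned into code, as an added example that is not part of the original table. It parses a small constructed audit log; the log format, the 08:00 to 18:00 shift window, the admin account list and the markers that count as "administrator command functions" are all assumptions made for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample audit log (not taken from any real system). One event per line:
#   <ISO timestamp> <EVENT> user=<name> src=<address> [cmd=<command line>]
SAMPLE_LOG = """\
2024-03-04T03:20:17 LOGIN_OK user=bob src=10.0.0.7
2024-03-04T03:21:02 CMD user=bob src=10.0.0.7 cmd=cat /etc/shadow
2024-03-04T09:12:01 LOGIN_OK user=alice src=10.0.0.5
2024-03-04T09:13:30 LOGIN_FAIL user=alice src=198.51.100.9
2024-03-04T09:13:31 LOGIN_FAIL user=bob src=198.51.100.9
2024-03-04T09:13:32 LOGIN_FAIL user=carol src=198.51.100.9
2024-03-04T09:13:33 LOGIN_FAIL user=dave src=198.51.100.9
2024-03-04T09:13:34 LOGIN_OK user=dave src=198.51.100.9
2024-03-04T10:05:44 CMD user=alice src=10.0.0.5 cmd=ls /home/alice
"""

LINE_RE = re.compile(r"^(\S+) (\S+) user=(\S+) src=(\S+)(?: cmd=(.+))?$")

# Assumed site policy: normal shift is 08:00-18:00, these accounts hold admin
# rights, and these fragments mark "administrator command functions".
SHIFT_HOURS = (8, 18)
ADMIN_USERS = {"opsadmin"}
ADMIN_COMMAND_MARKERS = ("/etc/shadow", "/etc/passwd", "route ", "useradd", "passwd ")

def parse_log(text: str) -> list:
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than fail on them
        ts, kind, user, src, cmd = m.groups()
        events.append({"ts": ts, "when": datetime.fromisoformat(ts),
                       "kind": kind, "user": user, "src": src, "cmd": cmd})
    return events

def off_shift_logins(events, shift=SHIFT_HOURS) -> list:
    """Successful logins outside the shift window: user found on-line at off-shift hours."""
    start, end = shift
    return [(e["user"], e["ts"]) for e in events
            if e["kind"] == "LOGIN_OK" and not (start <= e["when"].hour < end)]

def scanning_sources(events, min_distinct_users=3) -> dict:
    """One source failing against several accounts looks like sequential or
    dictionary scanning, i.e. multiple attempted Masquerades."""
    failures = defaultdict(set)
    for e in events:
        if e["kind"] == "LOGIN_FAIL":
            failures[e["src"]].add(e["user"])
    return {src: sorted(users) for src, users in failures.items()
            if len(users) >= min_distinct_users}

def likely_masquerades(events, sources) -> list:
    """A successful login from a scanning source is the account to treat as taken over."""
    return [(e["user"], e["src"]) for e in events
            if e["kind"] == "LOGIN_OK" and e["src"] in sources]

def admin_command_misuse(events, admins=ADMIN_USERS, markers=ADMIN_COMMAND_MARKERS) -> list:
    """Non-admin accounts invoking administrator command functions."""
    return [(e["user"], e["cmd"]) for e in events
            if e["kind"] == "CMD" and e["user"] not in admins
            and any(marker in e["cmd"] for marker in markers)]

def analyze(text: str) -> dict:
    events = parse_log(text)
    sources = scanning_sources(events)
    return {
        "off_shift_logins": off_shift_logins(events),
        "scanning_sources": sources,
        "likely_masquerades": likely_masquerades(events, sources),
        "admin_command_misuse": admin_command_misuse(events),
    }

if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Each of the three correlations is weak on its own (people do work late), which is why the table pairs them with user problem reports; the value comes from an account that trips more than one of them, such as bob above, who logs in at 03:20 and then reads the shadow file.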
| CATEGORY | THREAT | DEFINITION | TYPICAL BEHAVIOR | VULNERABILITIES | PREVENTION | DETECTION | COUNTERMEASURES |
|---|---|---|---|---|---|---|---|
| Spamming | Spamming | Overloading a system with incoming messages or other traffic to cause system crashes. | Repeated system crashes, eventually traced to an overfull buffer or swap space. | Open networks are especially vulnerable. | Require authentication fields in message traffic. | Monitor disk partitions, network sockets, etc. for overfull conditions. | Analyze message headers to attempt a trace back to the perpetrator. |
| Tunneling | Tunneling | Any digital attack that attempts to get "under" a security system by accessing very low-level system functions (e.g., device drivers, OS kernels). | Bizarre system behaviors such as unexpected disk accesses, unexplained device failures, halted security software, etc. | Tunneling attacks often occur by creating system emergencies to cause system reloading or initialization. | Design security and audit capabilities into even the lowest-level software, such as device drivers and shared libraries. | Changes in date/time stamps for low-level system files, or changes in sector/block counts for device drivers. | Patch or replace compromised drivers to prevent access. Monitor suspected access points to attempt a trace back to the perpetrator. |
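The file-change indicators listed in the Virus, Bacterium and Tunneling rows (changes in file sizes or date/time stamps of applications, OS files and drivers) can be made into a concrete check. The following is an added example, not part of the original table: it records size, modification time and SHA-256 digest for every file under a directory as a baseline, compares a later snapshot against it, and separately flags the case a stealth modification produces, where a file's contents change while its size and timestamp are put back. The directory layout, file names and simulated infections are constructed for the demonstration.

```python
import hashlib
import json
import os
import tempfile
from pathlib import Path

def fingerprint(path: Path) -> dict:
    """Size, modification time (nanoseconds) and SHA-256 digest of one file."""
    st = path.stat()
    digest = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return {"size": st.st_size, "mtime_ns": st.st_mtime_ns, "sha256": digest.hexdigest()}

def build_baseline(root) -> dict:
    """Relative path -> fingerprint for every regular file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): fingerprint(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def compare(baseline: dict, current: dict) -> dict:
    """Diff two snapshots. 'timestamp_forged' lists files whose content changed
    while size and mtime stayed identical, the signature of a stealth change."""
    report = {"added": [], "removed": [], "modified": [], "timestamp_forged": []}
    for name in sorted(set(baseline) | set(current)):
        old, new = baseline.get(name), current.get(name)
        if old is None:
            report["added"].append(name)
        elif new is None:
            report["removed"].append(name)
        elif old["sha256"] != new["sha256"]:
            report["modified"].append(name)
            if old["size"] == new["size"] and old["mtime_ns"] == new["mtime_ns"]:
                report["timestamp_forged"].append(name)
    return report

def demo() -> dict:
    """Constructed scenario in a temporary directory (not a real system)."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "app.bin").write_bytes(b"\x7fELF original program code")
        (root / "drivers").mkdir()
        driver = root / "drivers" / "disk.sys"
        driver.write_bytes(b"driver v1")

        # Baseline taken while the system is known-good. Serialised to JSON here;
        # in practice keep it off-host or on read-only media.
        stored = json.dumps(build_baseline(root))

        # Parasitic virus: appends itself to an application (size and mtime change).
        with (root / "app.bin").open("ab") as f:
            f.write(b" + appended virus body")
        # Tunneling-style stealth change: driver replaced by same-length content,
        # then the original timestamps are restored.
        st = driver.stat()
        driver.write_bytes(b"driver vX")
        os.utime(driver, ns=(st.st_atime_ns, st.st_mtime_ns))
        # A dropped file that was never in the baseline.
        (root / "dropper.tmp").write_bytes(b"new file")

        return compare(json.loads(stored), build_baseline(root))

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Sizes and timestamps are the cheap signals the table names, but either can be restored by a stealth virus or by code running below the security layer; the digest is what makes the comparison hold up. The baseline must live where the compromised host cannot rewrite it, otherwise the attacker simply re-baselines after the change.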
UNINTENTIONAL THREATS

| CATEGORY | THREAT | DEFINITION | TYPICAL BEHAVIOR | VULNERABILITIES | PREVENTION | DETECTION | COUNTERMEASURES |
|---|---|---|---|---|---|---|---|
| Malfunction | Equipment Malfunction | Hardware operates in an abnormal, unintended mode. | Immediate loss of data due to abnormal shutdown. Continuing loss of capability until equipment is repaired. | Vital peripheral equipment is often more vulnerable than the computers themselves. | Replication of the entire system, including all data and recent transactions. | Hardware diagnostic systems. | On-site replication of hardware components for quick recovery. |
| Malfunction | Software Malfunction | Software behavior is in conflict with intended behavior. | Immediate loss of data due to abnormal end. Repeated system failure when re-fed "faulty" data. | Software developed using ad hoc rather than defined formal processes. | Comprehensive testing procedures, and software designed for graceful degradation. | Software diagnostic tools. | Backup software and robust operating systems facilitate quick recovery. |
| Human Error | Trap Door (Back Door) | System access for developers inadvertently left available after software delivery. | Unauthorized system access enables viewing, alteration or destruction of data or software. | Software developed outside defined organizational policies and formal methods. | Enforce defined development policies. Limit network and physical access. | Audit trails of system usage, especially user identification logs. | Close the Trap Door, or monitor ongoing access to trace back to the perpetrator. |
| Human Error | User Error | Inadvertent alteration, manipulation or destruction of programs, data files or hardware. | Incorrect data entered into the system, or incorrect behavior of the system. | Poor user documentation or training. | Enforcement of training policies and separation of programmer/operator duties. | Audit trails of system transactions. | Backup copies of software and data. On-site replication of hardware. |
PHYSICAL THREATS

| CATEGORY | THREAT | DEFINITION | TYPICAL BEHAVIOR | VULNERABILITIES | PREVENTION | DETECTION | COUNTERMEASURES |
|---|---|---|---|---|---|---|---|
| Physical Environment | Fire Damage | Physical destruction of equipment due to fire or smoke damage. | Physical destruction of systems and supporting equipment. | Systems located near potential fire hazards, e.g., fuel storage tanks. | Off-site system replication, while costly, provides backup capability. | On-site smoke alarms. | Gaseous clean-agent suppression (Halon, whose production has been phased out under the Montreal Protocol, or its replacement FM-200) mitigates the electrical and water damage that sprinklers would cause. |
| Physical Environment | Water Damage | Physical destruction of equipment due to water (including sprinkler) damage. | Physical destruction of systems and supporting equipment. | Systems located below ground or near sprinkler systems. | Off-site system replication. | Water detection devices. | Computer rooms equipped with emergency drainage capabilities. |
| Physical Environment | Power Loss | Computers or vital supporting equipment fail due to lack of power. | Immediate loss of data due to abnormal shutdown, even after power returns. Continuing loss of capability until power returns. | Sites fed by above-ground power lines are particularly vulnerable. Power loss to computer-room air conditioners can also be an issue. | Dual or separate feeder lines for computers and supporting equipment. | Power-level alert monitors. | Uninterruptible Power Supplies (UPS). Full-scale standby power facilities where economically feasible. |