TYPES OF ATTACKS ON A SYSTEM

  • Attackers exploit vulnerabilities in an information system to gain unauthorized access to the system resources.
  • The unauthorized access may result in loss, damage, or theft of sensitive information.
TYPES OF ATTACKS

  • Operating System Attacks
  • Application Level Attacks
  • Misconfiguration Attacks
  • Shrink Wrap Code Attacks


OPERATING SYSTEM ATTACKS:
Gaining Access:
Attackers search for vulnerabilities in an operating system's design, installation, or configuration and exploit them to gain access to a network system.

OS Vulnerabilities:
  • Buffer overflow vulnerabilities
  • Bugs
  • Unpatched operating system
Operating System Attacks:
  • Exploiting specific protocol implementation
  • Attacking built-in authentication system
  • Breaking file-system security
  • Cracking passwords and encryption mechanisms
APPLICATION LEVEL ATTACKS:
Attackers exploit vulnerabilities in applications running on organizations' information systems to gain unauthorized access and steal or manipulate data.

Poor or nonexistent error checking in applications leads to:
  • Buffer overflow attacks
  • Sensitive information disclosure
  • Cross-site scripting
  • Session hijacking and man-in-the-middle attacks
  • Denial-of-service attacks
  • SQL injection attacks
Other application-level attacks include:
  • Phishing
  • Session Hijacking
  • Man-in-the-middle attack
  • Parameter/form tampering
  • Directory traversal attacks
Examples of Application-Level Attacks:
Session Hijacking

Vulnerable code:

    <configuration>
      <system.web>
        <authentication mode="Forms">
          <forms cookieless="UseUri" />
        </authentication>
      </system.web>
    </configuration>

The relevant line is <forms cookieless="UseUri">. An attacker may exploit the session information that UseUri places in the URL to perform session hijacking.

Secure code:

    <configuration>
      <system.web>
        <authentication mode="Forms">
          <forms cookieless="UseCookies" />
        </authentication>
      </system.web>
    </configuration>

The relevant line is <forms cookieless="UseCookies">. The code can be secured by using UseCookies instead of UseUri.
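A configuration check for the setting discussed above, as an added example that is not part of the original page: it parses a web.config and reports every <forms> element that is not pinned to UseCookies. The function name and the sample configs are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed samples mirroring the vulnerable and secure variants above.
VULNERABLE = """<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms cookieless="UseUri" />
    </authentication>
  </system.web>
</configuration>"""
SECURE = VULNERABLE.replace('"UseUri"', '"UseCookies"')
UNSET = VULNERABLE.replace(' cookieless="UseUri"', "")


def audit_forms_cookieless(config_xml):
    """Return one finding per <forms> element that is not pinned to cookies."""
    try:
        root = ET.fromstring(config_xml)
    except ET.ParseError as exc:
        return [f"unparseable config: {exc}"]
    findings = []
    for forms in root.iter("forms"):
        mode = forms.get("cookieless")
        if mode == "UseCookies":
            continue  # ticket travels only in a cookie
        if mode is None:
            # Without the attribute the framework default applies,
            # which is not the same as pinning the mode to cookies.
            findings.append("<forms> has no cookieless attribute; "
                            'set cookieless="UseCookies" explicitly')
        else:
            findings.append(f'<forms cookieless="{mode}"> can carry the '
                            "ticket in the URL; use UseCookies")
    return findings


if __name__ == "__main__":
    samples = [("vulnerable", VULNERABLE), ("secure", SECURE), ("unset", UNSET)]
    for name, xml in samples:
        print(name, audit_forms_cookieless(xml) or "OK")
```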

Denial of Service

Vulnerable code:

    // conn is an open java.sql.Connection; sql is the query string
    Statement stmnt = conn.createStatement();
    ResultSet rsltset = stmnt.executeQuery(sql);
    stmnt.close();   // never reached if executeQuery throws

This code is vulnerable to a denial-of-service attack, as it fails to release connection resources.

Secure code:

    Statement stmnt = null;
    try {
        stmnt = conn.createStatement();
        stmnt.executeQuery(sql);
    } catch (SQLException sqlexp) {
        // handle or log the query failure
    } finally {
        if (stmnt != null) {
            try {
                stmnt.close();
            } catch (SQLException sqlexp) {
                // ignore a failure while closing
            }
        }
    }

This code can be secured by releasing the resources in a finally block.
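Why the missing release becomes a denial of service, as an added example that is not part of the original page: a small Python simulation in which a finite pool of statement handles is drained by failing queries unless the release sits in a finally block. StatementPool, run_query and the request list are constructed for illustration and stand in for the JDBC objects above.

```python
class PoolExhausted(Exception):
    pass

class StatementPool:
    """Toy stand-in for a database's finite supply of statement handles."""
    def __init__(self, size):
        self.free = size
    def acquire(self):
        if self.free == 0:
            raise PoolExhausted("no statement handles left")
        self.free -= 1
    def release(self):
        self.free += 1

def run_query(sql):
    # Constructed failure: a malformed query makes execution throw.
    if "'" in sql:
        raise ValueError("syntax error")
    return "ok"

def handle_leaky(pool, sql):
    pool.acquire()
    result = run_query(sql)   # an exception here skips the release below
    pool.release()
    return result

def handle_safe(pool, sql):
    pool.acquire()
    try:
        return run_query(sql)
    finally:
        pool.release()        # runs on success and on failure

# Constructed traffic: three failing queries, then two legitimate ones.
REQUESTS = ["SELECT '", "SELECT '", "SELECT '", "SELECT 1", "SELECT 1"]

def serve(handler, requests, pool_size=3):
    """Feed requests to handler; return (handles still free, requests refused)."""
    pool = StatementPool(pool_size)
    refused = 0
    for sql in requests:
        try:
            handler(pool, sql)
        except PoolExhausted:
            refused += 1      # a legitimate caller is turned away
        except ValueError:
            pass              # the query failed; the server carries on
    return pool.free, refused
```

With the leaky handler the three failing queries consume every handle and both legitimate queries are refused; with the finally-based handler the pool stays full.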

MISCONFIGURATION ATTACKS:
  • If a system is misconfigured, for example by a change made to a file permission, it can no longer be considered secure
  • Misconfiguration vulnerabilities affect web servers, application platforms, databases, networks, or frameworks, and may result in illegal access or possible takeover of the system
  • Administrators are expected to change the configuration of devices before they are deployed in the network. Failure to do this allows the default settings to be used to attack the system
  • In order to optimize the configuration of the machine, remove any redundant services or software
SHRINK WRAP CODE ATTACKS:
  • Why reinvent the wheel when you can buy off-the-shelf libraries and code?
  • When you install an OS or application, it comes with supporting sample scripts to perform various administration tasks
  • Application developers also use off-the-shelf libraries and code to reduce development time and cost
  • The problem is that these scripts are not fine-tuned or customized
  • A shrink wrap code or default code attack is an attack that exploits the default configuration and settings of off-the-shelf libraries and code.

© 2013-2022 AppsWindoW. All rights reserved, the content is copyrighted to AppsWindoW (MK)