Methods of Threats
Network Based
Host Based
Application Based
Network Based Threats
Information Gathering
Attackers usually start with port scanning. After they identify open ports, they use banner grabbing and enumeration to detect device types and to determine operating system and application versions.
Configure routers to restrict their responses to footprinting requests. Configure operating systems that host network software to prevent footprinting by disabling unused protocols and closing unnecessary ports.
Sniffing
Sniffing is the act of monitoring traffic on the network for data such as plaintext passwords or configuration information. A protocol analyzer on any host that shares the network segment is all an attacker needs.
Use strong physical security and segment the network so that traffic cannot be collected locally. Encrypt communication fully, including authentication credentials, so that captured packets are useless to the attacker; SSL/TLS and IPSec are examples.
Session Hijacking
Session hijacking, often grouped with man in the middle attacks, deceives a server or a client into accepting the attacker's host as the legitimate peer, letting the attacker take over an established session.
Use encrypted session negotiation. Use encrypted communication channels. Stay informed of platform patches that fix TCP/IP vulnerabilities such as predictable packet sequence numbers.
Spoofing
Spoofing is a means to hide one’s true identity on the network.
Filter incoming packets that appear to come from an internal IP address at your perimeter. Filter outgoing packets that appear to originate from an invalid local IP address.
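The ingress and egress filtering rule above, worked through as an added example (not code from the original page). It assumes a constructed list of internal address ranges and a constructed packet sample; the `Packet` class, `filter_decision` and `run_filter` are names chosen here for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed example: address ranges that belong to this site. Traffic arriving
# from the Internet must never carry one of these as its source address, and
# traffic leaving the site must always carry one of them.
INTERNAL_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    direction: str  # "in" = arriving from the Internet, "out" = leaving the site


def is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETWORKS)


def filter_decision(pkt: Packet) -> str:
    """Return 'drop' for a packet with a spoofed source address, otherwise 'allow'."""
    src_internal = is_internal(pkt.src)
    if pkt.direction == "in" and src_internal:
        # Ingress filtering: an outside host claiming an inside address is spoofing.
        return "drop"
    if pkt.direction == "out" and not src_internal:
        # Egress filtering: our hosts must not send with someone else's address,
        # which is how they would otherwise take part in a reflected attack.
        return "drop"
    return "allow"


# Constructed traffic sample.
SAMPLE_TRAFFIC = [
    Packet("198.51.100.4", "10.0.0.5", "in"),       # ordinary inbound connection
    Packet("10.1.2.3", "10.0.0.5", "in"),           # inbound packet pretending to be internal
    Packet("10.1.2.3", "198.51.100.4", "out"),      # ordinary outbound reply
    Packet("203.0.113.7", "198.51.100.4", "out"),   # outbound packet with a forged source
]


def run_filter(packets):
    """Apply the policy to a list of packets and return (src, direction, decision) tuples."""
    return [(p.src, p.direction, filter_decision(p)) for p in packets]


if __name__ == "__main__":
    for row in run_filter(SAMPLE_TRAFFIC):
        print(row)
```

The same two rules are what a perimeter router or firewall ACL expresses; the point of the egress rule is that it protects other people's networks from your compromised hosts, not just your own.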
Denial of Service
Denial of service denies legitimate users access to a server or services.
Apply the latest service packs. Harden the TCP/IP stack (for example, enable SYN cookies) and use a network Intrusion Detection System (IDS), which can detect and respond to SYN flood attacks.
Host Based Threats
Viruses, Trojan Horses, and Worms
A virus is a program that is designed to perform malicious acts and cause disruption to your operating system or applications. A Trojan horse resembles a virus except that the malicious code is contained inside what appears to be a harmless data file or executable program. A worm is similar to a Trojan horse except that it self-replicates from one host to another without user action.
Stay up to date with the latest operating system service packs and software patches. Block all unnecessary ports at the firewall and host. Disable unused functionality, including protocols and services. Harden weak, default configuration settings.
Footprinting
Footprinting techniques such as port scans, ping sweeps, and NetBIOS enumeration let attackers gather system-level information (live hosts, open ports, operating system and service versions) that makes their later attacks more targeted.
Disable unnecessary protocols. Lock down ports with the appropriate firewall configuration. Use TCP/IP and IPSec filters for defense in depth. Configure IIS to prevent information disclosure through banner grabbing.
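The footprinting activity described in the Information Gathering and Footprinting sections (port scans and ping sweeps) is what a detection rule on the defender's side should pick up. The following added example (not code from the original page) runs a simple sliding-window detector over constructed firewall log lines in a made-up format; the thresholds, the `detect_footprinting` function name and the sample addresses are all assumptions chosen here.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# One log line per packet. Constructed format, not any vendor's:
#   <ISO timestamp> PROTO=<TCP|ICMP> SRC=<ip> DST=<ip> [DPT=<port>]
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) PROTO=(?P<proto>TCP|ICMP) SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+)"
    r"(?: DPT=(?P<dpt>\d+))?$"
)

# Constructed sample: one host probing eleven ports on a server within ten
# seconds, one host sweeping six addresses with ICMP echo, and one client
# that only talks to the web ports it legitimately needs.
SCANNED_PORTS = [21, 22, 23, 25, 80, 110, 135, 139, 443, 445, 3389]
SAMPLE_LOG = (
    [f"2024-05-01T10:00:{i:02d} PROTO=TCP SRC=198.51.100.7 DST=10.0.0.5 DPT={p}"
     for i, p in enumerate(SCANNED_PORTS)]
    + ["2024-05-01T10:00:03 PROTO=TCP SRC=203.0.113.4 DST=10.0.0.5 DPT=443",
       "2024-05-01T10:00:09 PROTO=TCP SRC=203.0.113.4 DST=10.0.0.5 DPT=443",
       "2024-05-01T10:00:15 PROTO=TCP SRC=203.0.113.4 DST=10.0.0.5 DPT=80"]
    + [f"2024-05-01T10:01:{i:02d} PROTO=ICMP SRC=198.51.100.9 DST=10.0.0.{i + 1}"
       for i in range(6)]
)


def parse_line(line):
    m = LOG_LINE.match(line)
    if not m:
        return None  # skip lines that do not match the expected format
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "proto": m["proto"],
        "src": m["src"],
        "dst": m["dst"],
        "dpt": int(m["dpt"]) if m["dpt"] else None,
    }


def detect_footprinting(lines, window=timedelta(seconds=60),
                        port_threshold=10, host_threshold=5):
    """Return {src: {"port_scan": n} / {"ping_sweep": n}} for sources whose
    distinct targets within any `window` reach the threshold; n is the largest
    distinct count seen in a single window."""
    by_src = defaultdict(list)
    for ev in filter(None, map(parse_line, lines)):
        by_src[ev["src"]].append(ev)

    findings = {}
    for src, events in by_src.items():
        events.sort(key=lambda e: e["ts"])
        best_ports = best_hosts = 0
        for i, start in enumerate(events):
            ports, hosts = set(), set()
            for ev in events[i:]:
                if ev["ts"] - start["ts"] > window:
                    break
                if ev["proto"] == "TCP":
                    ports.add((ev["dst"], ev["dpt"]))   # distinct (host, port) targets
                elif ev["proto"] == "ICMP":
                    hosts.add(ev["dst"])                # distinct hosts pinged
            best_ports = max(best_ports, len(ports))
            best_hosts = max(best_hosts, len(hosts))
        result = {}
        if best_ports >= port_threshold:
            result["port_scan"] = best_ports
        if best_hosts >= host_threshold:
            result["ping_sweep"] = best_hosts
        if result:
            findings[src] = result
    return findings


if __name__ == "__main__":
    for src, what in detect_footprinting(SAMPLE_LOG).items():
        print(src, what)
```

Counting distinct (host, port) pairs rather than raw packets is what keeps a busy but legitimate client (three connections to two ports) below the threshold while a scanner that touches each port once still trips it.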
Password Cracking
If the attacker cannot establish an anonymous connection with the server, they will try to establish an authenticated one by guessing or brute-forcing account passwords.
Use strong passwords for all account types. Apply lockout policies to end-user accounts to limit the number of retry attempts that can be used to guess the password.
Denial of Service
Denial of service can be attained by many methods aimed at several targets within your infrastructure.
Stay current with patches and security updates. Harden the TCP/IP stack against denial of service. Make sure your account lockout policies cannot be exploited to lock out well known service accounts.
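The Password Cracking and Denial of Service countermeasures above pull in opposite directions: a lockout policy limits guessing, but a per-account lockout on a well-known service account lets anyone who knows the name take the service down. The following added example (not code from the original page) implements a lockout policy that tracks end-user accounts per account and service accounts per source address instead. The threshold, window, duration and the `SERVICE_ACCOUNTS` list are constructed values; `LoginGuard` and `FakeClock` are names chosen here.

```python
from collections import defaultdict, deque

LOCKOUT_THRESHOLD = 5       # failures before an end-user account is locked
FAILURE_WINDOW = 10 * 60    # seconds over which failures are counted
LOCKOUT_DURATION = 15 * 60  # seconds an account stays locked

# Constructed list of well-known service accounts. A hard per-account lockout on
# these would hand an attacker a denial of service, so they are throttled per
# source address instead of being locked globally.
SERVICE_ACCOUNTS = {"svc_sql", "svc_backup"}


class LoginGuard:
    """Tracks failed logins and decides whether an attempt may proceed.

    `clock` is a callable returning the current time in seconds; it is
    injected so the policy can be exercised without sleeping."""

    def __init__(self, clock):
        self.clock = clock
        self.failures = defaultdict(deque)   # key -> timestamps of recent failures
        self.locked_until = {}               # key -> time the lock expires

    def _key(self, user, src_ip):
        # End-user accounts: classic per-account lockout.
        # Service accounts: per (account, source) so one attacker cannot lock
        # the account for every legitimate client.
        return (user, src_ip) if user in SERVICE_ACCOUNTS else (user, None)

    def _expire(self, key, now):
        recent = self.failures[key]
        while recent and now - recent[0] > FAILURE_WINDOW:
            recent.popleft()

    def is_allowed(self, user, src_ip):
        key, now = self._key(user, src_ip), self.clock()
        if key in self.locked_until:
            if now < self.locked_until[key]:
                return False
            del self.locked_until[key]       # lock expired; start counting afresh
            self.failures[key].clear()
        return True

    def record_failure(self, user, src_ip):
        key, now = self._key(user, src_ip), self.clock()
        self._expire(key, now)
        self.failures[key].append(now)
        if len(self.failures[key]) >= LOCKOUT_THRESHOLD:
            self.locked_until[key] = now + LOCKOUT_DURATION

    def record_success(self, user, src_ip):
        self.failures.pop(self._key(user, src_ip), None)


class FakeClock:
    def __init__(self, t=0.0):
        self.t = t

    def __call__(self):
        return self.t


def demo():
    """Constructed scenario: a guessing run against an end user and a service account."""
    clock = FakeClock()
    guard = LoginGuard(clock)
    for _ in range(LOCKOUT_THRESHOLD):
        guard.record_failure("alice", "198.51.100.7")
    alice_locked = not guard.is_allowed("alice", "10.0.0.9")      # locked from everywhere
    for _ in range(LOCKOUT_THRESHOLD):
        guard.record_failure("svc_sql", "198.51.100.7")
    attacker_blocked = not guard.is_allowed("svc_sql", "198.51.100.7")
    app_server_ok = guard.is_allowed("svc_sql", "10.0.0.9")       # legitimate client still works
    clock.t += LOCKOUT_DURATION + 1
    alice_unlocked = guard.is_allowed("alice", "10.0.0.9")
    return alice_locked, attacker_blocked, app_server_ok, alice_unlocked


if __name__ == "__main__":
    print(demo())
```

Per-source throttling of service accounts only works if those accounts also carry long random passwords, since an attacker with many source addresses gets more guesses than an end-user account allows.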
Application Based Threats
Buffer Overflows
Buffer overflow vulnerabilities can lead to denial of service attacks or code injection. In the denial of service case the overflow simply crashes the process. In the code injection case it overwrites a return address or function pointer so that execution is redirected to the attacker's injected code.
When possible, limit your application's use of unmanaged code, and thoroughly inspect the unmanaged APIs to ensure that input is properly validated and buffer lengths are checked.
Cross-Site Scripting
An XSS attack causes attacker-supplied script to run in a user's browser in the context of a trusted Web site, where it can read the site's cookies and act as the user.
Use HtmlEncode and UrlEncode functions on any output that includes user input, choosing the encoder for the context (HTML body, attribute, URL) in which the data lands. Encoding turns characters such as < and > into entities, so the browser renders attacker-supplied script as harmless text instead of executing it.
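The encoding countermeasure above, as an added example that is not part of the original page. It contrasts raw concatenation with HTML-encoded output for a body context and shows the two-step encoding (URL-encode, then HTML-encode) needed when user input lands in a link. The inputs are constructed attack strings and the function names are chosen here.

```python
import html
from urllib.parse import quote

# Constructed user-supplied inputs: a display name and a search term.
MALICIOUS_NAME = '<script>alert("xss")</script>'
MALICIOUS_QUERY = '"><script>alert(1)</script>'


def render_greeting_vulnerable(name: str) -> str:
    # Raw concatenation: the browser parses the user's <script> as markup.
    return f"<p>Hello, {name}!</p>"


def render_greeting_safe(name: str) -> str:
    # HTML-encode for the body context: < > & " ' become entities and the
    # browser shows the text literally instead of executing it.
    return f"<p>Hello, {html.escape(name)}!</p>"


def build_search_link_safe(query: str) -> str:
    # Two contexts, two encoders: URL-encode the value for the query string
    # (safe='' so even '/' is encoded), then HTML-encode the whole href
    # because it lands inside an attribute; the link text is body context.
    href = "/search?q=" + quote(query, safe="")
    return f'<a href="{html.escape(href, quote=True)}">{html.escape(query)}</a>'


def contains_live_script(fragment: str) -> bool:
    """Crude check used by the demo: does the output still carry a raw <script tag?"""
    return "<script" in fragment.lower()


if __name__ == "__main__":
    print(render_greeting_vulnerable(MALICIOUS_NAME))
    print(render_greeting_safe(MALICIOUS_NAME))
    print(build_search_link_safe(MALICIOUS_QUERY))
```

Note that `html.escape` alone is not enough for a JavaScript or CSS context; the encoder has to match where the data is inserted, which is the practical meaning of "encode output" in the countermeasure.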
SQL Injection
A SQL injection attack exploits missing or weak input validation to run arbitrary commands in the database by splicing attacker-controlled text into a query.
Perform thorough input validation before a request is sent to the database, and use parameterized queries or stored procedures so that user input is passed as data and never becomes part of the SQL text. Use least privileged accounts to connect to the database so that a successful injection is limited in what it can do.
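The injection and its countermeasure above, worked through as an added example (not code from the original page) against a constructed in-memory SQLite table. The attack string, the user table and the function names are assumptions made here; the toy SHA-256 password hash stands in for a proper password hash.

```python
import hashlib
import re
import sqlite3

USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")   # allow-list for the username field


def _pw_hash(password: str) -> str:
    # Toy hash so the table holds no clear-text passwords; real systems use a
    # slow, salted password hash (bcrypt, scrypt, Argon2).
    return hashlib.sha256(password.encode()).hexdigest()


def make_db() -> sqlite3.Connection:
    """Constructed in-memory user table standing in for the real database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, pw_hash TEXT)")
    conn.executemany("INSERT INTO users (username, pw_hash) VALUES (?, ?)",
                     [("admin", _pw_hash("s3cret!")), ("alice", _pw_hash("hunter2"))])
    return conn


def login_vulnerable(conn, username, password) -> bool:
    # The username is spliced into the SQL text, so it can rewrite the query.
    query = (f"SELECT id FROM users WHERE username = '{username}' "
             f"AND pw_hash = '{_pw_hash(password)}'")
    return conn.execute(query).fetchone() is not None


def login_parameterized(conn, username, password) -> bool:
    # Placeholders: the driver passes values separately from the SQL text, so
    # quotes and comment markers in the username are just characters.
    row = conn.execute("SELECT id FROM users WHERE username = ? AND pw_hash = ?",
                       (username, _pw_hash(password))).fetchone()
    return row is not None


def login_safe(conn, username, password) -> bool:
    # Defense in depth: validate against an allow-list before the query is
    # even built, then use the parameterized query.
    if not USERNAME_RE.match(username):
        return False
    return login_parameterized(conn, username, password)


# Constructed attack string: the quote closes the literal and "--" comments out
# the password check, so the query becomes ... WHERE username = 'admin'
ATTACK_USERNAME = "admin' --"


if __name__ == "__main__":
    db = make_db()
    print("vulnerable   :", login_vulnerable(db, ATTACK_USERNAME, "wrong"))
    print("parameterized:", login_parameterized(db, ATTACK_USERNAME, "wrong"))
    print("safe         :", login_safe(db, "admin", "s3cret!"))
```

The least-privilege part of the countermeasure is not visible in SQLite, but in a real deployment the connecting account should have only SELECT on the tables the application reads, so that even a successful injection cannot drop or rewrite them.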
Network Eavesdropping
If authentication credentials are passed in plaintext from client to server, an attacker armed with rudimentary network monitoring software on a host on the same network can capture traffic and obtain usernames and passwords.
Use authentication mechanisms that do not transmit the password over the network, such as the Kerberos protocol or Windows integrated authentication. Where a password must be sent, send it only over an encrypted channel (SSL/TLS).
Cookie Replay Attacks
With this type of attack, the attacker captures the user's authentication cookie using monitoring software and replays it to the application to gain access under a false identity.
Use an encrypted communication channel (SSL/TLS) whenever an authentication cookie is transmitted, and mark the cookie Secure so the browser never sends it over an unencrypted connection.
Data Tampering
Data tampering refers to the unauthorized modification of data.
Use strong access controls to protect data in persistent stores to ensure that only authorized users can access and modify the data.
Man in the Middle Attacks
A man in the middle attack occurs when the attacker intercepts messages sent between you and your intended recipient. The attacker then changes your message and sends it to the original recipient.
Use Hash-based Message Authentication Codes (HMACs) computed with a key shared only between sender and recipient. If an attacker alters the message, the HMAC recalculated by the recipient does not match the one sent and the data can be rejected as invalid; without the key the attacker cannot produce a matching tag for the altered message.
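The HMAC countermeasure above, as an added example that is not part of the original page. It shows the sender computing a tag, a man in the middle altering the message, and the recipient rejecting it, and contrasts this with an unkeyed hash that the attacker can simply recompute. The message, the generated key and the function names are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed shared key: in practice provisioned out of band and known only
# to the two endpoints, never to the attacker in the middle.
SHARED_KEY = secrets.token_bytes(32)


def seal(message: bytes, key: bytes = SHARED_KEY):
    """Sender side: return the message together with its HMAC-SHA256 tag."""
    return message, hmac.new(key, message, hashlib.sha256).digest()


def verify(message: bytes, tag: bytes, key: bytes = SHARED_KEY) -> bool:
    """Recipient side: recompute the tag and compare in constant time."""
    expected = hmac.new(key, message, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)


def plain_hash(message: bytes) -> bytes:
    # An unkeyed digest, shown only for contrast: anyone can recompute it.
    return hashlib.sha256(message).digest()


def man_in_the_middle(message: bytes):
    """Attacker rewrites the payee. Without the key the best they can do is
    recompute an unkeyed hash over the altered message."""
    tampered = message.replace(b"payee=alice", b"payee=mallory")
    return tampered, plain_hash(tampered)


def demo():
    original = b"transfer: amount=100 payee=alice"
    msg, tag = seal(original)

    # Honest delivery: the tag verifies.
    honest_ok = verify(msg, tag)

    # Tampered delivery with the original tag: HMAC mismatch, recipient rejects.
    tampered, forged_plain = man_in_the_middle(msg)
    tampered_ok = verify(tampered, tag)

    # A recipient relying on a plain hash would accept the attacker's digest,
    # because nothing secret went into it.
    plain_check_fooled = plain_hash(tampered) == forged_plain
    return honest_ok, tampered_ok, plain_check_fooled


if __name__ == "__main__":
    print(demo())
```

`hmac.compare_digest` matters as much as the key: comparing tags with `==` leaks timing information that lets an attacker recover a valid tag byte by byte.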