Information Security Threats
Introduction
Information is one of the most important assets of many organizations, as it acts as a differentiator and provides a competitive advantage. Loss of information such as patent information, proprietary processes, or trade secrets can be very detrimental to a business. While there are many threats to information security, this report focuses on three of them: 1) denial of service, 2) privilege escalation, and 3) backdoors. The report describes measures that address, block, or remove these threats, and its recommendations include information about tools, products, and services that mitigate them.
Information Security Threats
Denial of Service
Figure 1: Classification of DoS detection and mitigation methods
The Internet's underlying technologies have inherent weaknesses that Denial of Service (DoS) attacks exploit. A DoS attack does not require the attacker to have prior access to the resource; a way to reach the resource is all that is needed, which makes such attacks easy to perpetrate and difficult to prevent. A DoS attack prevents legitimate, authorized users from accessing resources: network resources such as bandwidth or an edge router, websites or web servers, or specific resources such as backend databases. Types of DoS attack include UDP floods, SYN floods, ICMP ping floods, ping of death, Slowloris, NTP amplification, HTTP floods, reflected or spoofed attacks (Distributed Reflected Denial of Service, DRDoS), zero-day DDoS, slow read, and distributed attacks (DDoS) in general.
Figure 1 lists the detection methods: Traffic Feature Conditional Entropy (TFCE), a GA-based optimized traffic matrix, Cumulative Sum (CUSUM), Intrusion Detection Systems (IDS), entropy computing, ICMP traceback, and deterministic packet marking. The mitigation methods are the Interface-Based Rate Limiting (IBRL) algorithm, the model-based adaptive method, the rate-limiting client puzzle scheme, filtering using the FOSel architecture, and router-based approaches. One commercial product that combines detection with mitigation is Cisco's Multi-Verification Process (MVP), described in the next section.
Cisco DoS Solution Set
Packet filtering and rate limiting applied indiscriminately can indirectly serve the attacker's objective: they shut down or throttle services and so deny legitimate users access to the resources. Other methods have their own limits. Over-provisioning does not keep pace with the ever-increasing size of attacks, blackholing diverts legitimate traffic along with the attack, and firewalls and routers are not designed to protect against such attacks. Router ACLs protect against some types of attack, but sophisticated attacks use legitimate protocols and services, rendering ACLs ineffective. Cisco's DoS solution set, described in its "Defeating DDoS attacks" white paper (Cisco, 2014), is designed to actively mitigate malicious traffic and has two parts: 1) a Traffic Anomaly Detector (TAD) and 2) the Cisco Guard XT. Cisco states that the solution mitigates all types of DoS attack, including types not yet encountered; as with any anomaly-based system, a practitioner should treat this as a design goal and expect some false positives and false negatives in practice.
The Traffic Anomaly Detector warns the system in advance by providing in-depth analysis of the traffic. It monitors network traffic passively, looking for deviations from baseline behavior that might indicate a DDoS attack. After identifying an attack, it alerts the Cisco Guard XT and provides it with a detailed report and specific alerts so that the Guard can react to the threat quickly. For example, the anomaly detector can detect that the rate of UDP packets from a single source IP is out of range even though the overall thresholds are not exceeded.
The Cisco Guard XT is deployed upstream, at the perimeter of an enterprise network or at the Internet service provider (ISP) data center, to mitigate DDoS attacks and protect the network or the data center. The Guard and the TAD sit beside the protected device, which can be a router or a switch, on a separate network interface. This placement provides on-demand protection while the rest of the data traffic flows unaffected, and one Guard can concurrently protect multiple potential targets. The Guard can be alerted by a Traffic Anomaly Detector, an intrusion detection system, or a third-party anomaly detector. After an alert, traffic destined for the target is diverted through the Guard, where it passes through five modules that provide a five-stage analysis and filtering process. The intent of this process is to drop the malicious traffic and forward only the packets that pass verification.
The Guard XT applies the Multi-Verification Process using five modules (Figure 2). The first is a filtering module: static filters, preloaded by Cisco, filter non-essential traffic, while dynamic filters are generated by the Guard from its own traffic-flow analysis and updated in real time. The second, active verification, checks that packets entering the module are not spoofed and ensures that legitimate traffic is not discarded. The third, anomaly recognition, monitors all traffic that has passed through the previous two modules and compares it with the recorded baseline behavior. It rests on the principle that the pattern of malicious traffic differs from the pattern generated by legitimate sources during normal operation; the deviations it finds are used to identify the attack source and type.
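The following block is an added example written for this report; it is not code from the Shishira et al. survey or from Cisco's Traffic Anomaly Detector. It implements two of the detection methods named in Figure 1, entropy computing and CUSUM, together with the baseline-deviation idea just described for the TAD: the Shannon entropy of the source-IP distribution is computed per time window, a baseline is learned from attack-free windows, and a one-sided CUSUM accumulates drops below that baseline so that a single-source flood raises an alarm even though it may take several windows for the drop to become significant. The per-window packet counts, the source addresses (documentation ranges), and the CUSUM parameters `k` and `h` are all constructed assumptions.

```python
"""Entropy + CUSUM anomaly detector over per-window source-IP counts.

Added example for this report (not the survey's or Cisco's code). Traffic
windows are constructed sample data; the IPs are documentation ranges.
"""
import math
from collections import Counter

LEGIT_SOURCES = [f"192.0.2.{i}" for i in range(1, 9)]   # constructed
ATTACKER = "203.0.113.7"                                 # constructed


def source_entropy(counts):
    """Shannon entropy (bits) of the source-IP distribution in one window.
    Evenly spread sources give high entropy; one source dominating a
    window (a single-source flood) drives it towards zero."""
    total = sum(counts.values())
    if total == 0:
        return 0.0
    return -sum((c / total) * math.log2(c / total)
                for c in counts.values() if c)


class EntropyCusum:
    """One-sided CUSUM that accumulates *drops* of entropy below a baseline
    mu learned from attack-free windows: S_n = max(0, S_{n-1} + (mu - x_n - k)).
    k absorbs normal jitter; an alarm fires when S_n exceeds h."""

    def __init__(self, k=0.2, h=1.0):
        self.k, self.h = k, h
        self.mu = None
        self.s = 0.0

    def train(self, entropies):
        self.mu = sum(entropies) / len(entropies)

    def update(self, x):
        self.s = max(0.0, self.s + (self.mu - x - self.k))
        return self.s > self.h


def dominant_source(counts, share=0.5):
    """Return (ip, fraction) if one source sent more than `share` of the
    window's packets, else None. Used to attribute an alarm to a source."""
    total = sum(counts.values())
    ip, n = counts.most_common(1)[0]
    return (ip, n / total) if total and n / total > share else None


def detect(windows, train_windows=3, k=0.2, h=1.0):
    """Learn a baseline from the first `train_windows`, then run CUSUM on
    the rest. Returns [(window_index, entropy, dominant_source_or_None)]."""
    det = EntropyCusum(k, h)
    det.train([source_entropy(w) for w in windows[:train_windows]])
    alarms = []
    for i in range(train_windows, len(windows)):
        h_i = source_entropy(windows[i])
        if det.update(h_i):
            alarms.append((i, round(h_i, 3), dominant_source(windows[i])))
    return alarms


def _window(per_source, flood=0):
    """Build one window's Counter from constructed per-source packet counts."""
    c = Counter(dict(zip(LEGIT_SOURCES, per_source)))
    if flood:
        c[ATTACKER] = flood
    return c


# Constructed sample: four attack-free windows of ~80 packets from eight
# sources, then two windows in which one extra source adds a 400-packet flood.
SAMPLE_WINDOWS = [
    _window([12, 9, 11, 10, 8, 10, 11, 9]),
    _window([10, 10, 9, 11, 12, 8, 10, 10]),
    _window([11, 9, 10, 10, 9, 12, 10, 9]),
    _window([10, 11, 10, 9, 10, 10, 11, 9]),
    _window([10, 10, 10, 10, 10, 10, 10, 10], flood=400),
    _window([9, 11, 10, 10, 9, 10, 11, 10], flood=400),
]

if __name__ == "__main__":
    for idx, ent, src in detect(SAMPLE_WINDOWS):
        print(f"window {idx}: entropy={ent}, alarm, dominant source={src}")
```

The attack-free windows have entropy close to 3 bits (eight roughly equal sources); the flood windows fall to about 1.15 bits because one address carries over 80% of the packets, so the CUSUM crosses `h` in the first flood window. Note that a spoofed, widely distributed flood raises entropy rather than lowering it, which is why a production detector tracks deviation in both directions and over several features (the TFCE method in Figure 1 does this).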
Figure 2: Five modules used in the MVP of the Cisco Guard XT
The fourth module, protocol analysis, processes any anomalous flows detected by the previous module and identifies misbehaving protocol transactions, including incomplete transactions and errors. The fifth module, rate limiting, provides an enforcement option: it shapes traffic on a per-flow basis, penalizes sources that consume too many resources, and prevents misbehaving flows from overwhelming the target device while monitoring continues.
These solutions are expensive, as they are aimed at large data centers and e-commerce clients, and hence are not well suited to small and mid-sized organizations. Although they are high-performance devices, maintaining and updating their configurations and general upkeep is tedious for small and medium organizations.
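The per-flow shaping performed by the fifth module is easiest to understand as a token bucket per flow. The block below is an added example written for this report, not Cisco's implementation: each (source, destination) flow gets its own bucket that refills at a configured rate, a packet costs one token, and a flow that exceeds its rate loses only its own excess packets while other flows to the same target pass untouched. Timestamps are integer milliseconds and tokens are integer "millitokens" so the arithmetic is exact; the packet trace, the addresses, and the rate and burst parameters are constructed assumptions.

```python
"""Per-flow token-bucket rate limiting (the enforcement idea of the Guard's
fifth module). Added example for this report, not Cisco's code; the packet
trace below is constructed, not captured traffic."""
from collections import defaultdict


class TokenBucket:
    """Bucket holding up to `burst` tokens, refilled at `rate_pps` tokens per
    second. One packet costs one token; a packet that finds less than one
    token is dropped (a real shaper may queue it instead)."""

    def __init__(self, rate_pps, burst, now_ms):
        self.rate_pps = rate_pps       # tokens per second == millitokens per ms
        self.cap = burst * 1000        # millitokens
        self.tokens = self.cap
        self.last_ms = now_ms

    def allow(self, now_ms):
        refill = (now_ms - self.last_ms) * self.rate_pps
        self.tokens = min(self.cap, self.tokens + refill)
        self.last_ms = now_ms
        if self.tokens >= 1000:
            self.tokens -= 1000
            return True
        return False


class PerFlowLimiter:
    """One bucket per (src, dst) flow; counts passed and dropped packets."""

    def __init__(self, rate_pps, burst):
        self.rate_pps, self.burst = rate_pps, burst
        self.buckets = {}
        self.stats = defaultdict(lambda: {"passed": 0, "dropped": 0})

    def process(self, packets):
        # packets: iterable of (timestamp_ms, src, dst); processed in time order
        for ts_ms, src, dst in sorted(packets):
            flow = (src, dst)
            bucket = self.buckets.get(flow)
            if bucket is None:
                bucket = TokenBucket(self.rate_pps, self.burst, ts_ms)
                self.buckets[flow] = bucket
            outcome = "passed" if bucket.allow(ts_ms) else "dropped"
            self.stats[flow][outcome] += 1
        return {flow: dict(v) for flow, v in self.stats.items()}


TARGET = "192.0.2.10"        # constructed protected host
LEGIT = "10.0.0.5"           # constructed client sending 10 packets/s
ATTACKER = "198.51.100.9"    # constructed flooder sending 100 packets/s

# Constructed one-second trace: legitimate client every 100 ms, flooder every 10 ms.
SAMPLE_TRACE = (
    [(t, LEGIT, TARGET) for t in range(0, 1000, 100)]
    + [(t, ATTACKER, TARGET) for t in range(0, 1000, 10)]
)


def shape(packets, rate_pps=10, burst=5):
    """Run the per-flow limiter over a trace and return per-flow statistics."""
    return PerFlowLimiter(rate_pps, burst).process(packets)


if __name__ == "__main__":
    for flow, counts in shape(SAMPLE_TRACE).items():
        print(flow, counts)
```

With a 10 packet/s rate and a 5-packet burst, the legitimate client never finds an empty bucket, while the flooder gets its initial burst and then roughly one packet in ten. The limiter keys on the flow rather than on the target, which is the property the text describes: the misbehaving source is penalized without the protected device's other clients being shut out.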
Privilege Escalation
Privilege escalation is the process by which an attacker who has gained access to a computing resource with fewer rights than the objective requires obtains additional rights. A typical intrusion proceeds as follows: the target is selected; passive and active reconnaissance is conducted; the vulnerabilities exposed by the reconnaissance are exploited to obtain some initial privileges; and those privileges are escalated. The escalated privileges are then used to entrench in the system by downloading and executing malware that provides remote access, tracks are covered, the system is pillaged, and neighboring systems are attacked so that the attacker can penetrate deeper into the network. Privilege escalation can be horizontal or vertical. Horizontal escalation is accessing resources that belong to another account with a similar level of privilege (for example, one user reading another user's records). Vertical escalation, or privilege elevation, is a lower-privileged user obtaining higher privileges; its usual end goal is system-level (root or SYSTEM) privilege. Methods for obtaining privileges include password attacks, trust exploitation, port redirection, man-in-the-middle attacks, social engineering, and phishing.
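The horizontal/vertical distinction is clearest at the application layer, where both usually come down to a missing or misplaced authorization check. The block below is an added example written for this report (the users, documents, and handlers are constructed, not taken from any real system): a document handler that never checks ownership (horizontal escalation, an insecure direct object reference), a role-change handler that trusts a client-supplied `is_admin` flag (vertical escalation), the hardened form of each, and a small audit routine of the kind the recommendations section calls for, which enumerates every (principal, resource) pair and reports the ones a handler grants although the policy forbids them.

```python
"""Horizontal vs. vertical privilege escalation as authorization bugs,
with hardened versions and an access-control audit. Added example for this
report; all state and handlers are constructed."""

# Constructed server-side state: who exists (with their role) and who owns what.
USERS = {"alice": "user", "bob": "user", "carol": "admin"}
DOCS = {
    101: {"owner": "alice", "body": "alice payroll"},
    102: {"owner": "bob", "body": "bob payroll"},
}


class AccessDenied(Exception):
    pass


# --- vulnerable handlers ---------------------------------------------------

def read_doc_vulnerable(actor, doc_id, request=None):
    """Horizontal escalation: any authenticated user can read any document by
    guessing its id, because ownership is never checked."""
    return DOCS[doc_id]["body"]


def set_role_vulnerable(actor, target, new_role, request=None):
    """Vertical escalation: trusts a client-controlled 'is_admin' flag instead
    of the role recorded on the server. Returns the change it would apply."""
    if not (request or {}).get("is_admin"):
        raise AccessDenied("admin only")
    return (target, new_role)


# --- hardened handlers -----------------------------------------------------

def read_doc_hardened(actor, doc_id, request=None):
    """Ownership is checked against server-side state; missing and foreign
    documents get the same error so ids are not enumerable."""
    doc = DOCS.get(doc_id)
    if doc is None or doc["owner"] != actor:
        raise AccessDenied("no such document")
    return doc["body"]


def set_role_hardened(actor, target, new_role, request=None):
    """The actor's role comes from USERS, never from the request."""
    if USERS.get(actor) != "admin":
        raise AccessDenied("admin only")
    return (target, new_role)


# --- audit -----------------------------------------------------------------

def is_denied(handler, *args):
    try:
        handler(*args)
        return False
    except AccessDenied:
        return True


def audit_access(read_doc, set_role):
    """Policy: a user may read only documents they own; only admins may change
    roles. Every principal is tried against every resource with a tampered
    request carrying is_admin=True; a grant the policy forbids is a violation."""
    tampered = {"is_admin": True}
    violations = []
    for actor, role in USERS.items():
        for doc_id, doc in DOCS.items():
            if doc["owner"] != actor and not is_denied(read_doc, actor, doc_id, tampered):
                violations.append(("horizontal", actor, doc_id))
        if role != "admin" and not is_denied(set_role, actor, "alice", "admin", tampered):
            violations.append(("vertical", actor, "set_role"))
    return violations


if __name__ == "__main__":
    print("vulnerable:", audit_access(read_doc_vulnerable, set_role_vulnerable))
    print("hardened:  ", audit_access(read_doc_hardened, set_role_hardened))
```

The audit is deliberately exhaustive rather than clever: with a small, explicit policy it is cheap to try every principal against every resource, and that is exactly the class of access-control error that is hard to find by code review alone.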
Backdoor
Backdoors are hidden entrances to computer systems that can be used to bypass security policies, usually by bypassing the authentication and authorization mechanisms. They are generally undocumented ways of gaining access to a system or the data it contains. Backdoors may be deliberately planted or may arise by accident: redundant interfaces, hidden parameters, leftover accounts (guest, testuser, and so on), and hard-coded third-party access that are left open by design during testing and promoted to production by mistake all become backdoors. Middle-tier systems often lack their own authentication and authorization requirements, which attackers can exploit. An attacker who has compromised a system, escalated privileges, and pillaged it may also install a Trojan to create a backdoor so that the system can be controlled remotely later. Backdoors can also be implemented in hardware or firmware; widely discussed examples are the backdoors that Huawei-manufactured equipment has been accused of containing and the implants that the NSA was reported to have installed on Cisco routers intercepted in transit.
Backdoors can be mitigated by using multiple vendors, so that a single backdoor common to all systems is less likely, and by changing the default credentials of vendor support accounts. Other measures include preferring open source software whose code can be inspected, verifying software integrity signatures, and scanning for known backdoors. Monitoring the network for suspicious communication and using automated tools for vulnerability scanning and configuration management also reduce the chance of backdoors surviving in the systems. Vendors should be required to follow strong software development practices so that software containing backdoors is unlikely to reach production. Centralized authentication management such as Active Directory, centralized administrative tools, and separation of duties for all data center operations and software development processes are also required. Administrative passwords for network infrastructure should also be changed periodically, though not necessarily as frequently as user passwords.
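Two of the mitigations above, verifying software integrity and removing leftover accounts, can be automated with a few dozen lines. The block below is an added example written for this report, not code from any vendor or scanning product: it builds a manifest of SHA-256 digests from the files that were signed off for release, compares a deployed tree against it to find modified files, unexpected extra files (for example a dropped debug shell), and missing files, and then scans an /etc/passwd-style account list for test, guest, or support accounts that still have a login shell, as well as any non-root account with uid 0. The file contents, the account lines, and the list of suspect account names are constructed assumptions.

```python
"""Backdoor hygiene checks: integrity manifest verification and leftover
account detection. Added example for this report; all file contents and
account lines are constructed sample data."""
import hashlib

# Constructed "release" tree (what was signed off) and "deployed" tree
# (what is actually on the host). The deployed config has an extra
# support account and an extra hidden shell script.
RELEASE_FILES = {
    "bin/agent": b"#!/bin/sh\nexec /opt/agent/run --config /etc/agent.conf\n",
    "etc/agent.conf": b"listen=127.0.0.1:8443\nauth=required\n",
}
DEPLOYED_FILES = {
    "bin/agent": b"#!/bin/sh\nexec /opt/agent/run --config /etc/agent.conf\n",
    "etc/agent.conf": b"listen=0.0.0.0:8443\nauth=required\ndebug_user=support:support\n",
    "bin/.debug_shell": b"#!/bin/sh\nexec /bin/sh -i\n",
}


def build_manifest(files):
    """Map each path to the SHA-256 hex digest of its contents."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def verify_against_manifest(manifest, deployed):
    """Classify deployed files as modified (digest mismatch), unexpected (not in
    the manifest), or missing (in the manifest but absent)."""
    current = build_manifest(deployed)
    return {
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "unexpected": sorted(p for p in current if p not in manifest),
        "missing": sorted(p for p in manifest if p not in current),
    }


NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}
# Constructed list of account names that should never exist on a production host.
SUSPECT_NAMES = {"guest", "test", "testuser", "support", "debug", "vendor"}


def leftover_accounts(passwd_text):
    """Return (kind, name, uid, shell) for suspect accounts that can still log
    in, and for any non-root account with uid 0 (a hidden second root)."""
    findings = []
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:          # skip malformed lines rather than guess
            continue
        name, _, uid, _, _, _, shell = fields
        uid = int(uid)
        if uid == 0 and name != "root":
            findings.append(("uid0", name, uid, shell))
        elif name in SUSPECT_NAMES and shell not in NOLOGIN_SHELLS:
            findings.append(("suspect", name, uid, shell))
    return findings


# Constructed /etc/passwd excerpt: guest is disabled, testuser and support
# still have shells, and "toor" is a second uid-0 account.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
guest:x:1001:1001::/home/guest:/usr/sbin/nologin
testuser:x:1002:1002:qa test:/home/testuser:/bin/bash
support:x:1003:1003:vendor support:/home/support:/bin/sh
toor:x:0:0::/root:/bin/sh
alice:x:1004:1004:Alice:/home/alice:/bin/bash
"""

if __name__ == "__main__":
    manifest = build_manifest(RELEASE_FILES)
    print(verify_against_manifest(manifest, DEPLOYED_FILES))
    for finding in leftover_accounts(SAMPLE_PASSWD):
        print(finding)
```

The manifest must be produced from the release artifacts and stored (ideally signed) somewhere the deployed host cannot rewrite; a manifest regenerated on the host after compromise would simply bless the backdoor. The account scan is a complement to, not a substitute for, centralized authentication: local accounts that exist outside the directory are exactly the ones this kind of check has to find.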
Conclusion
The report discusses three important information security threats: denial of service, privilege escalation, and backdoors. In each case the threat and its effects are explained, along with some of the ways the threat can manifest, and possible mitigations are suggested. Because these threats are generic and depend on many variables that cannot always be predicted, the mitigations are also mostly generic, and the right response depends on the actual threat vector or vulnerability.
Recommendations
The following recommendations are made for the threats that have been analyzed in this report.
DoS attacks: It is recommended that the Cisco Guard XT be used in conjunction with an alerting source, either the Cisco Traffic Anomaly Detector, a TippingPoint IPS (Intrusion Prevention System), a firewall, or an Intrusion Detection System (IDS).
Privilege escalation: Best practices such as timely patching and software updates and robust password management are essential and recommended. In addition, tools that audit access-control configurations and find access-control errors should be used so that the errors can be corrected and this threat mitigated.
Backdoors: This threat requires generic practices: software development best practices, network management best practices, and data center maintenance best practices.
References
Cisco. (2014, January 23). Defeating DDoS attacks. Retrieved from cisco.com: http://www.cisco.com/c/en/us/products/collateral/security/traffic-anomaly-detector-xt-5600a/prod_white_paper0900aecd8011e927.html
Lewis, N. (2016, September 5). Locking the backdoor: reducing the risk of unauthorized system access. Retrieved from searchsecurity.techtarget.com: http://searchsecurity.techtarget.com/tip/Locking-the-backdoor-Reducing-the-risk-of-unauthorized-system-access
Rufi, A. (2006). Network security 1 and 2 companion guide (Cisco networking academy). Indianapolis, IN: Pearson Education, Cisco Press.
Shishira, S., Pai, V., & Manamohana, K. (2014, February). A survey on existing detection and mitigation methods of denial of service attacks. International Journal of Advanced Information Science and Technology (IJAIST), 22(22), 106-110.