Wednesday, June 5, 2019

Attack Tree Model Analysis of Security Breaches

"The successful misuses of computer systems, or security breaches, increased slightly in 2005, according to the FBI and the Computer Security Institute (CSI). Many security issues that apply to large enterprises definitely apply to SMBs, particularly as SMBs become more technologically sophisticated, according to Andrew Kellett, senior research analyst with U.K.-based Butler Group. 'You don't have to be a particularly large organization to have some pretty complex supporting systems in place,' he says." (Fred Sandsmark, p11)

The above-mentioned source stated that there was a slight increase in computer security breaches in 2005. As technology evolves, companies are increasingly willing to spend more money on computer systems to carry out business activities with their associates and partners. This will lead to more and more security breaches on those computer systems. The purpose of this analysis report is to examine the various possible attack methods that could compromise the availability of the computers, information and associated resources of a small firm. Research for this report includes an attack tree diagram showing how a hacker can compromise the availability of the system services and associated resources and gain access to sensitive information through different attack techniques. Each technique is a subset of a different type of attack method; with possible assumptions bound to each method, the attack maneuvers will be discussed in greater detail.

INTRODUCTION

The manager of Raylee Pte Ltd has recently heard through the media and newspaper publications that there are numerous threats which could compromise the availability of the computers, information and associated resources.
Management of Raylee Pte Ltd has decided to hire the security consultant firm Red Alert Security Pte Ltd to undertake a detailed analysis of its current computer and network state in order to prevent hackers from compromising the availability of the computer services, information and resources. The following describes the electronic network and desktop environment of Raylee Pte Ltd.

- There are six computers and one internal host (for processing orders) inside the firm.
- Each computer runs Microsoft Windows 7 and Microsoft 2007.
- Each workstation has been patched with all updates as of March 25th, 2010.
- The company uses an ADSL 2+ connection amongst all computers.
- Server backups are done fortnightly and stored on a DVD spindle named backup1.
- Workstation backups are done bi-monthly and stored on a DVD spindle named backup2.
- Employees have e-mail addresses provided by the Internet Service Provider.
- Documents are shared amongst employees through a D-Link DNS-323 NAS.
- The router is a D-Link DSL G604t and is utilising the default settings.
- Each workstation is utilising the Microsoft Windows Malicious Software Removal Tool.

SCOPE

The security consultant of Red Alert Security Pte Ltd will analyse the company's current computer system, network state and desktop environment in order to prevent hackers from compromising the availability of the computer services, information and resources. The consultant will then submit a detailed analysis report to the management of Raylee Pte Ltd for recommendations.

METHODOLOGY

The security consultant uses a technique known as an attack tree to identify the best possible options for compromising the availability of the system services, information and resources in the quickest time. Below is the attack tree he came up with.

Compromise The Availability Of Computers, Information And Associated Resources
1. Remote Access Router (D-Link DSL G604t)
2. Access NAS (D-Link DNS-323)
3. Gain Access Internal Server (Processing Orders)
4. Steal Password Workstations

From the attack tree above, each sub attack tree will be discussed in more detail.

Figure 1
1. Remote Access Router D-Link DSL G604t
   1.1 Determine the password
       1.1.1 Learn password
       1.1.2 Use widely known password
       1.1.3 Dictionary attacks

1.1 Determine password
Hackers and cyber criminals will try to determine the password of the router in order to access the network environment and do whatever they want. We will briefly explain the methods as follows:

1.1.1 Learn password
If the user has not set a new password and is using the default, which is normally blank, hackers can easily search online for the manual of the particular wireless router and learn the password. Hackers then log in to the wireless router configuration page to change the settings and take over the network. For instance, a hacker can visit the link http://www.routerpasswords.com/index.asp to get the default passwords for all routers.

1.1.2 Use widely known password
The commonly used passwords are admin, password, [email protected], 123456, 666666, qwerty, 00000000 and so on. These widely used passwords allow hackers to easily access the router.

1.1.3 Dictionary attacks
As the word dictionary implies, this is one of the attack techniques used by hackers to determine a decryption key, password or passphrase by searching through all the words in a dictionary, which are usually seven characters or fewer and commonly chosen by users.

Figure 2
2. Access NAS D-Link DNS-323
   2.1 FTP server
       2.1.1 Bounce Attack
       2.1.2 Misconfigure
   2.2 Folder File Permission
   2.3 P2P distribution
       2.3.1 File poisoning
       2.3.2 Sybil attack

2.1 FTP server
Most Network Attached Storage devices come with an FTP server feature which allows users to transfer files remotely from anywhere. However, this service creates a loophole for an attacker to retrieve sensitive information and data.
The various attack methods on the FTP server are discussed as follows:

2.1.1 Bounce Attack
The FTP bounce attack is another attacking technique used by hackers to exploit the FTP protocol: the attacker uses the PORT command to send a request to the FTP port indirectly through another victim machine, which acts as a third party for the request to access the FTP server.

2.1.2 Misconfigure
One of the common problems is a misconfigured FTP server which allows users to download and upload files in the same directory (a global /tmp directory) so that people can share data with each other. This creates an opportunity for an attacker or thief to steal the data or upload a virus program to the directory, after which an employee may accidentally install the virus program and infect the computer systems and network.

2.2 Folder File Permission
Proper folder and file permissions must be set according to the employees' roles and responsibilities. If there is no permission setting on the files and folders and everyone is given permission to read, write and execute them, then it will be easy for an attacker to retrieve information upon hacking into the company network.

2.3 P2P Distribution
Peer-to-peer is a file transfer protocol that allows each user to download different pieces of a file from the original uploader (seed). Users exchange pieces with their peers to obtain the ones which they are missing. IT-savvy employees can make use of P2P to download their favourite movies, videos, music and software. Hackers will make use of P2P attacks to gain access into the network. There are two types of attacks, which are file poisoning and the Sybil attack.

2.3.1 File Poisoning
File poisoning attacks operate on the data plane and have become extremely commonplace in P2P networks.
The purpose of this attack is to replace a file in the network with a fake one; the file will be corrupted and no longer usable.

2.3.2 Sybil Attack
The idea behind this attack is that a single malicious entity can present multiple identities, and thus gain control over part of the network. Once the attacker gains control, he can abuse the protocol in any way he likes.

Figure 3
3. Gain Access Internal Server (Processing Orders)
   3.1 Steal sensitive information from the database (OR)
       3.1.1 Gain access by internet (OR)
           3.1.1.1 Monitor network traffic
           3.1.1.2 Use remote exploit
       3.1.2 Physical access to the server
       3.1.3 Access server from workstation

3.1 Steal sensitive information from the database
Sometimes hackers are hired by a competitor to create chaos in the company network and to steal confidential information such as customer data, vendor data, pricing information and new product launch information from the computer systems. There are various methods to steal information from the database, as follows:

3.1.1 Gain Access By Internet
Attacks on corporate networks via the internet are becoming more sophisticated as technology evolves. There is an increase in internet attacks orchestrated by hackers to strike highly protected targets, to coordinate waves of scripted exploits and/or to conceal the true origin of an attack.

3.1.1.1 Monitor Network Traffic
Cyber criminals use network monitoring tools to monitor local area networks or wide area networks. Some network monitoring tools such as Microsoft Network Monitor, Ettercap, TCPDump and DSniff can be downloaded freely from the internet. These programs can intercept and log the traffic passing over the network or part of the network.
Once the information is captured by the program, the hacker decodes and analyses its content according to the appropriate RFC or other specifications.

3.1.1.2 Use Remote Exploit
If the server is connected to the internet and the operating system is not updated with the latest patches, then the cyber attacker will use a remote exploit against a vulnerability in the system to infiltrate it, steal the information and sabotage the server by destroying the database and hard disk. Since the server backups are only done fortnightly, management will face difficulties in recovering the data.

3.1.2 Physical Access To The Server
Due to space constraints, the server sometimes shares space with someone's cubicle or office. This creates an opportunity for an attacker who is able to access files and other data by removing the hard disk and attaching it to another computer. He can also use a third-party operating system CD to start the computer and steal corporate data, or insert a USB drive to inject a virus into the system.

3.1.3 Access Server From Workstation
The cyber attacker is not limited to hacking into the server. The workstation is often the first target the hacker will try to access, because from there he can learn about the network environment and the security loopholes to use against the server. He will use the workstation as the stepping-stone to a server-level break-in by stealing administrator passwords.

Figure 4
4. Steal Password Workstations
   4.1 Users Login password
       4.1.1 Social engineering
           4.1.1.1 Share password
           4.1.1.2 Phishing
       4.1.2 Obtain password illegally
           4.1.2.1 Steal password (AND)
               4.1.2.1.1 Obtain sniffer output file
               4.1.2.1.2 Install keyboard sniffer
           4.1.2.2 Find written password

4.1 Users Login Password
Companies must know that hackers are not only interested in the corporate data; they are also interested in the employees' personal data such as bank accounts, credit cards, email addresses and others.
To break into the workstation, hackers will need to know the user's login password.

4.1.1 Social Engineering
Social engineering is a non-technical method of hacking into the system by manipulating people through social interaction, via email or phone, into revealing their password.

4.1.1.1 Shared Password
It is very common for employees to share their computer password with colleagues. Sometimes, when they are absent from the office, they will call one another to help them log in to the computer to retrieve some information.

4.1.1.2 Phishing
A hacker can create an email or instant message with an attached fake website link which looks almost the same as the real one, to lure the user into entering personal details such as username, password, credit card details and banking credentials. All this information is then sent to the hacker.

4.1.2 Obtain Password Illegally
Weak passwords make it faster for hackers to obtain passwords illegally. Cyber attackers will steal the password by infecting the workstation with a trojan. Basically there are three types of trojan attackers can use to steal the password, namely the keyboard sniffer, login spoofing and the password stealer. When the attacker installs the keyboard sniffer program, it monitors each keystroke the user enters and generates a sniffer output file which is sent to the attacker. Sometimes a hacker can pose as a company guest to access the premises. Upon entering the office, he will look for passwords which employees have written on a piece of paper and pasted around their working cubicle.

CONCLUSION

Companies are constantly at risk of losing sensitive corporate data. In this report, we have used the attack tree model to analyse the various attack methods attackers use to steal sensitive information on the server, network attached storage device, router and workstations.
The most common and easiest method is to obtain the user's password: by learning the password, using a widely known password, a dictionary attack, a shared password, phishing, finding a written password or stealing passwords. Cyber attackers and novice hackers usually like to steal passwords by downloading keyboard loggers, password cracking software, keyboard sniffers and other tools which are available on websites, to test their skills.

Management should implement countermeasures to prevent hackers from attacking their systems and causing security breaches. We recommend that an antivirus program be installed on the workstations and server, as they are currently utilising only the Microsoft Windows Malicious Software Removal Tool, which is not enough to prevent cyber attacks. A local group policy for passwords needs to be enforced on the networking devices, workstations and server so that passwords are not easily cracked by hackers. Lastly, passwords should be set to a minimum of 8 characters and contain alphanumeric characters and symbols for complexity.

In conclusion, stealing passwords is the easiest method for hackers to attack the computer system, because local authorities might face difficulties in tracking them down if they are distant hackers.

GLOSSARY

1. Attack tree: Attack trees provide a formal, methodical way of describing the security of systems, based on varying attacks. Basically, you represent attacks against a system in a tree structure, with the goal as the root node and different ways of achieving that goal as leaf nodes. (Source: http://www.schneier.com/paper-attacktrees-ddj-ft.html)
2. Social Engineering: In computer security, social engineering is a term that describes a non-technical kind of intrusion that relies heavily on human interaction and often involves tricking other people into breaking normal security procedures. (Source: http://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci531120,00.html)
3. Phishing: Phishing is a technique of fraudulently obtaining private information. (Source: http://en.wikipedia.org/wiki/Social_engineering_(security)#Pretexting)
4. Keyboard Sniffer: A program which reads the keystrokes made by a user and transmits them to someone else. Such programs are usually used by intruders into computer systems in order to capture important information such as passwords. (Source: http://www.encyclopedia.com/doc/1O12-keyboardsniffer.html)
5. RFC: Short for Request for Comments, a series of notes about the Internet, started in 1969 (when the Internet was the ARPANET). An Internet Document can be submitted to the IETF by anyone, but the IETF decides if the document becomes an RFC. Eventually, if it gains enough interest, it may evolve into an Internet standard. Each RFC is designated by an RFC number. Once published, an RFC never changes. Modifications to an original RFC are assigned a new RFC number. (Source: http://www.webopedia.com/TERM/R/RFC.html)
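As an added example (not part of the original report), the following Python models branches 1 and 4 of the report's attack tree as OR and AND nodes and evaluates it the way the glossary's attack tree definition suggests: each leaf carries an attacker effort value, the cheapest path to the root is found, and the tree is re-evaluated once the conclusion's password countermeasures block the password-guessing leaves. The node names come from the figures above; the effort values and the choice of which leaves the password policy blocks are constructed assumptions for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Node:
    name: str
    kind: str = "leaf"       # "leaf", "or" (any child suffices) or "and" (all children needed)
    cost: int = 0            # leaf only: assumed attacker effort, constructed for this example
    children: list = field(default_factory=list)
    mitigated: bool = False  # leaf only: a countermeasure makes this step impossible

def cheapest(node):
    """Cheapest (effort, leaves) way to achieve this node, or None if every way is blocked."""
    if node.kind == "leaf":
        return None if node.mitigated else (node.cost, [node.name])
    results = [cheapest(c) for c in node.children]
    if node.kind == "or":
        possible = [r for r in results if r is not None]
        return min(possible, key=lambda r: r[0]) if possible else None
    if any(r is None for r in results):  # "and": one blocked child blocks the whole node
        return None
    return sum(r[0] for r in results), [leaf for r in results for leaf in r[1]]

def mitigate(node, blocked):
    """Mark the named leaves as blocked by a countermeasure; other leaves stay possible."""
    if node.kind == "leaf":
        node.mitigated = node.name in blocked
    for c in node.children:
        mitigate(c, blocked)

def raylee_tree():
    """Branches 1 and 4 of the report's tree; node names from the report, costs constructed."""
    router = Node("1.1 Determine password", "or", children=[
        Node("1.1.1 Learn password", cost=1),
        Node("1.1.2 Use widely known password", cost=2),
        Node("1.1.3 Dictionary attacks", cost=5)])
    steal = Node("4.1.2.1 Steal password", "and", children=[
        Node("4.1.2.1.1 Obtain sniffer output file", cost=4),
        Node("4.1.2.1.2 Install keyboard sniffer", cost=8)])
    workstation = Node("4.1 Users login password", "or", children=[
        Node("4.1.1 Social engineering", "or", children=[
            Node("4.1.1.1 Shared password", cost=3),
            Node("4.1.1.2 Phishing", cost=6)]),
        Node("4.1.2 Obtain password illegally", "or", children=[
            steal, Node("4.1.2.2 Find written password", cost=4)])])
    return Node("Compromise availability", "or", children=[router, workstation])

# Leaves assumed to be removed by the conclusion's password policy (group policy, 8+ mixed chars).
PASSWORD_POLICY = {"1.1.1 Learn password", "1.1.2 Use widely known password", "1.1.3 Dictionary attacks"}
```

Calling `cheapest(raylee_tree())` gives the router's default password as the cheapest path; after `mitigate(tree, PASSWORD_POLICY)` the cheapest remaining path moves to the social-engineering branch, which the password policy alone does not address.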
