Attack Tree Of Computer Security

This report is introduces about the possible attack for company and it represent by the attack tree diagram. In the company have six computer and internal server. Each computer is using Microsoft window 7. They are using the DVD to store the backup and the router is default setting. Each employee has the email address. Firstly, I will attack the workstation, try to obtain the password illegally and attack the security such as install virus, Trojan, worm and DOS attack. After that, I will attack the dvd to get the dvd and do some malicious action. Obtain the DVD can through the employee, such as bribe or threaten. Malicious action will install the threats into the DVD and spread to other computer when they are using the backup. Then, we will attack the router which is change the WEP or filter the mac address to cause the computer cannot connect to the network. We also can using threats through the router to install into the system, e.g plashing, pharming, DNS cache poisoning and spoofing. However, I will attack the server using the internal threats and external threats, such as ask a person to disguise a customer to get the information from company, or ask the temporarily customer to be a spy to do some malicious action. Moreover, attack the email using the security threats like phishing, email spam, virus and spam. Then, obtain the email password from the target. Finally, attack the window 7 using hacking tools to destroy the host file from the system and using physical attack to the system and obtain the important data or change the data to make a big lose for the company. All of these attacks will discuss in this report.

Introduction and scope

Attack tree helps one to understand security issue better, from the stand point of an attacker. Attack trees are a graphical and mathematical construct used to identify most of the attack that will cause the greatest risk to the defender, determine effective strategies decrease the risk in a acceptable level for the defender, describe the potential attack between the adversary and the defender, provide a communication mechanism for security analysts, capture what is known and believed about the system and its adversaries, and store the information in a diagram that can be understood for the subsequently defenders. Although it is very hard to identify the entire possible factor that leads to intuition, it is based on the experiences and the ability to extrapolate how the experiences apply on the new situation. For example, the effectiveness of internet security, network security, banking system security, installation and personnel security may all be modelled using attack trees. The ideal of attack tree is that an equipment, software, process could have vulnerabilities that when successful, they could compromise the entire system.

Scope

There are six computers and one internal server and each computer encompasses Microsoft Window 7 and Microsoft Office 2007. Each workstation has been patched with all updates of March 25, 2010. They are using ADSL 2+ connection. The server and workstation backup is store in a DVD. All the employees have email addresses and there share the document through a D-Link DNS-323 NAS. The router is utilising default settings and consists of a D-Link DSL G604t. Each workstation is utilising Microsoft Windows Malicious Software Removal Tool.

Assumptions

-The room houses the server is not locked or well protected with access key.

-The router is not updated with the latest patches and set the default setting.

-The workstations are not created with user login account.

-No legal antivirus software is installed.

Attack tree for compromising availability

Spyware

Trojan

Virus

Worm

DOS attack

Security attack

Attack workstation

Description:

Due do the workstation do not have any legal antivirus software, so the security of the workstation is weak. We can use different threats to attack the workstation. We will install spyware to the workstation through email, when the employee clicks on the email. Spyware will collect some information from there without their knowledge. It is hard to detect, unless the user install the anti spyware software. We also use the same way to install the Trojan, virus and worm into the workstation. Trojan will format the hard drive when the user runs it. Virus will spread from one device to another, when they are connecting to another computer or device. Most of the virus will destroy the data or cause the computer keep reboot. Worm will use up the computer resources and possibly shutting down the system. Install the DOS (Denial of service) attack to prevent the user to access information or service, such as access email, website, etc.

Attack workstation

Steal

Get password from employee

Bribe

Threaten

Find written password

Obtain login password illegally

Use widely known password

Learn password

Guess password

Description:

The other way to attack the workstation is obtain the administrator login password illegally. First of all, we can try to guess the password or use the widely known password, because most of the users usually use the password to easy memories. After that, we also can learn the password such as find the written password from the user. We also can get the password from the employee. There are many ways to get from them. Firstly, we can threaten the employee, like find out some secret from the employees. However, we can bribe the employees to give them some advantages, such as money or something they like. Finally, we can steal from the employee, like install remote password stealer computer and receive the password through email.

Blackmail

Bribe

Employee

Copy

Steal

Exchange DVD

Obtain DVD

Attack backup

Description:

The backup of company is store in a DVD, so there are many possible ways to obtain the DVD. Firstly, we can use another DVD to exchange with the DVD backup, so they cannot find out any problem before they use the DVD. After that, we also can steal the DVD or copy the DVD. Finally, we can bribe the employee or blackmail the employee to let him get the DVD.

Attack backup

Malicious action

Spyware

Virus

Trojan

Destroy DVD

Description:

Another way to attack the backup is do malicious action. We can destroy DVD, like burn or break it. We also can put the threats through email or employee to the workstation, so after they backup the threats also in the DVD. When they use the backup DVD, the Trojan will install in the system, and format the hard drive of the system. Virus will spread into the system to destroy the data or make the system error. Spyware will install into the system and collects some information from the system, so we can know what is the user doing in the system.

Filter the mac address

Set the WEP

Get in the router

Attack router

Change router login password

Block the website

Description:

Because of the router is using the default setting, so they do not change the login password. So we can get in the router using the default password. After that, we can change the login password and set a WEP to ignore the employee using the wireless. However, we can filter the mac address to disable employee’s computer to connect internet. Furthermore, we also can block some URL about the company, so the employee cannot access the website.

Phlashing

Pharming

DNS cache poisoning

Spoofing

Attack router

Security attack

Description:

There is some security attack to the router. We can use the spoofing attack to masquerades as another program to falsifying data and gaining some advantages. Furthermore, DNS cache poisoning will corrupts the DNS table and cache, so the domain name will assign with a malicious IP address. When the employee use the malicious IP address, the computer will infected by worm, viruses or spyware. Moreover, we also can use pharming to attack the router. Pharming is redirecting the website traffic to a bogus website. When the employee get in the website, pharming will conducted to change the hosts file or exploitation the vulnerability in DNS server software. Finally, phlashing will exploit vulnerability in network based firmware update, it will permanently disable the hardware by loading corrupted BIOS onto the hardware.

Attack server

Trojan

Worm

Virus

Check for the security protection

Install remote access

Disguise

Eavesdrop

Security attack

Espionage

Temporarily employee

Customer

Internal threats

Description:

There are two internal threats to attack the server. Due to the room of server is do not lock properly, so the temporarily employee can easily get in the room. Temporarily employee maybe is espionage to get the information from the server. They will install remote access to control the server, such as delete the data or destroy the server. They also will attack the security and install virus, worm and Trojan to exploit the server and cause the server crash. Attacker also will disguise be a customer, so they can go to the company easily. They can be eavesdrop in the company, and they can check for the security protection of the company, find out the vulnerability, so they can easily get into the company when nobody inside.

Attack server

Internal threats

Across to the computer room power

Across to the power switch

Turn off security protection

Rename server

Turn the power off

Steal data

Employee

Description:

Another internal threat is employee. We can bribe the employee, because employees already work in the company for a long time, so we can ask them to steal important data or some secret data of the company. However, we also can ask them to turn off the power of the server room, so some document have not save will missing. Employees can across the power switch or across to the computer room power to turn off the power. Then, turn off the security protection in the server, so we can easily to hack into the server. Finally, rename the server and cause all computer cannot connect to the server.

Obtain password from target

Threats

Trojan

Viruses

Email spam

Phishing

Security attack

Attack email

Description:

Email will attack by the threats and obtain the password illegally from the target. We can threaten or blackmail the target to get the email password, so we can send email for others and provide wrong information to them. There are four types of threats send to the email and bluff the employee to click it, so the threats will install into the system. First, phishing will send by the email and come out well known website, then the employee go to the website and key in the username and password, their information will obtain by attacker. Moreover, the email spam will send the message to numerous recipients by email, and it is unsolicited. However, viruses are dangerous because they often deliver extremely destructive payloads, destroying data, and bringing down entire mail systems. Finally, use email installs Trojan to obtain confidential information or gain control of the server.

Attack Microsoft Window 7

Change the document

Destroy host file

Spyware

Malware

Hacking tools

Turn off power supply

Disguise Cleaner

Destroy computer

Description:

Microsoft window 7 is the widely operating system in the world, so there are many hacking tools to hack into the system. Attacker can pretend be a cleaner, and using the tools to hack into the system, after that install the malware to destroy the host file or change the important document, effects the company process. Then, install the spyware to spy the user work in the system and obtain the login password. Furthermore, we also can destroy the computer such as use water or burn it. Finally, turn off the power supply and cause the system lost the data before the user save it.

Attack Microsoft Window 7

Physical attack

Security attack

Teardrop

Remote access trojan

Worm

Virus

Crash Win 7

Description:

Microsoft window 7 also can attack physically. Because of the window 7 is widely use, so attacker are found many security vulnerability. Teardrop attack is a form of denial of service (DOS) attack, it will exploit the system when the internet protocol requires that a packet too big for the next router to handle has to split into fragments. In the teardrop attack, attacker’s IP puts an odd and confusing offset value in the second fragment or in a fragment thereafter. If the operating system under the teardrop attacks, the system will crash. Another is security attack, we can ask the employee or using the email to install virus, worm and spread all of these threats to the entire computer in the company on the network, and make the system down. Another threat is using remote access Trojan to control the system. This type of Trojan creates a backdoor into the system. We can use the client to control the server, this can allow to almost completing control over the victims system.

Attack Microsoft Office 2007

Confidential loss

Threats of document

Integrity loss

Altered data

Corrupt data

Sell data

Broadcast data

Description

The method of attack the Microsoft Office 2007 is threats the document. Firstly, we can get the document from employee or using the Trojan or virus through email send to the system to obtain the document. Then, it will cause the integrity loss and confidential loss. In the integrity loss, we will altered the data and corrupt the data. In the confidential loss, we will broadcast the data or sell the data to another company, so the secret of the company will know by everyone. These two type of method will cause big loss for the company.

Conclusion

As you can seem that from the diagram, there are many attack come from many different ways such as internal threats, external threats. Internal threats are cause by the employee, customer and the worker in the company. External threats are cause by the attacker using different method to hack into the system to do malicious action. But comparatively, the attacking from internal is easier, because the employee is know more about the company and can get the data easily, but that is dangerous, if the company found that, they will get catch. In the other hand, the attacking from external is difficult but safe, because they do not know where is the data and also need to avoid the security protection, but if the company found that, they is hard to track the attacker. All of the diagram above is some of the possible attack, there are still have many possible attack. Indeed, with the technological advancements, it is likely that the computer threats will emerge in endlessly, so the possible attack will come out more and more in the future.

Glossary

Virus- A hidden, self-replicating section of computer software, usually malicious logic, that propagates by infecting – i.e., inserting a copy of itself into and becoming part of – another program. A virus cannot run by itself; it requires that its host program be run to make the virus active.

Trojan- A computer program that appears to have a useful function, but also has a hidden and potentially malicious function that evades security mechanisms, sometimes by exploiting legitimate authorizations of a system entity that invokes the program.

Worm- A computer program that can run independently, can propagate a complete working version of itself onto other hosts on a network, and may consume computer resources destructively.

Spyware- Spyware is a type of malware that can be installed on computers and collects little bits of information at a time about users without their knowledge. The presence of spyware is typically hidden from the user, and can be difficult to detect. Typically, spyware is secretly installed on the user’s personal computer.

Spam-Electronic junk mail or junk newsgroup postings.

Spoofing-Attempt by an unauthorized entity to gain access to a system by posing as an authorized user.

Pharming-This is a more sophisticated form of MITM attack. A user’s session is redirected to a masquerading website. This can be achieved by corrupting a DNS server on the Internet and pointing a URL to the masquerading website’s IP. Almost all users use a URL like www.worldbank.com instead of the real IP (192.86.99.140) of the website. Changing the pointers on a DNS server, the URL can be redirected to send traffic to the IP of the pseudo website. At the pseudo website, transactions can be mimicked and information like login credentials can be gathered. With this the attacker can access the real www.worldbank.com site and conduct transactions using the credentials of a valid user on that website.

Phishing-The use of e-mails that appear to originate from a trusted source to trick a user into entering valid credentials at a fake website. Typically the e-mail and the web site looks like they are part of a bank the user is doing business with.

Denial of service-The prevention of authorized access to a system resource or the delaying of system operations and functions.

Malware-A generic term for a number of different types of malicious code.

DNS cache poisoning-DNS poisoning is also called DNS cache poisoning, and refers to the corruption of DNS tables and caches so that a domain name points to a malicious IP address. Once the user is re-directed to the malicious IP address his/her computer can be infected with worms, viruses, spy ware etc.

Phlashing- Phlashing is a permanent denial of service (DoS) attack that exploits a vulnerability in network-based firmware updates. Such an attack is currently theoretical but if carried out could render the target device inoperable.

Teardrop-Teardrop is a program that sends IP fragments to a machine connected to the Internet or a network. Teardrop exploits an overlapping IP fragment bug present in Windows 95, Windows NT and Windows 3.1 machines. The bug causes the TCP/IP fragmentation re-assembly code to improperly handle overlapping IP fragments. This attack has not been shown to cause any significant damage to systems, and a simple reboot is the preferred remedy. It should be noted, though, that while this attack is considered to be non-destructive, it could cause problems if there is unsaved data in open applications at the time that the machine is attacked. The primary problem with this is a loss of data.