This essay has been submitted by a student. This is not an example of the work written by our professional essay writers.
This survey paper will give us the brief overview of what cyber attacks are, what are their types and their causes and what steps should be taken in order to control or counter them with respect to information security management. With the current advancement in cyber technology and mass adaptation of this technology by most of the organizations and businesses cyber security becomes the key concern. Most of the operations like financial, industrial and commercial are interlinked and dependent on each other and ever more dependent on information technology. At the same time, theÂ rapidly growing interconnectivityÂ of IT systems, and the convergence of theirÂ technology towardsÂ industry-standard hardware and software components andÂ sub-systems,Â renders these IT systems increasingly vulnerable to maliciousÂ attack. (Randel, etal,1998)
As technology progress and capabilities of information warfare have developed significantly in recent years, the probability of cyber attacks have increased as well. Computer-network attacks mainly known as cyber attacks can destroy adversary data, computer systems, and networks, and can have a major effect on an adversary's ability to wage war (Bayles, 2001).
In the cyber arena, the situation is, in some ways, worse than simply paying too little heed to a potential new threat until it manifests itself. Threats in the cyber arena have manifested themselves. We are reminded constantly of our vulnerabilities to the threat, yet we still are not doing enough. Every hour of every day, some individual or group is writing or disseminating a new disruptive virus or worm or is breaking into a computer network or to harm a network by some other means (Vatis, 2004). It is usually said that it is very productive and simple to bring computer in our systems and to increase its usage but at the same time it is significantly difficult and far more expensive to develop technologies to make it secure mainly because of the internet, a network which is used to share information rather than hiding it. Most cyber attackers are attracted to high value targets such as networks, servers, or routers, whose disruption could yield financia
or political consequences (Vatis 2001)..
Types of cyber Attacks:
According to (Arnold and Pangi, 2003) main objective of the cyber attack is to steal, destroy, remove or change information or to block the functionality of the system which they want to target. One of the most important issue in the information security management is the network security. In the present business world, almost all of the communication among businesses is done through internet. This makes the security of an organization much vulnerable as internet is a public Internetwork. Cyber attacks related to network security can mainly be divided into two types. These are as follows:.
NOTE: MENTION NON-NETWORK ATTACKS /////////////////////VX
Before we discuss the above mentioned network attacks, it is important to mention the concepts of encryption. In the present business world, data involved in network communication is almost always encrypted as plaintext data poses a serious threat to the Information security. In order to do that, mainly two types of techniques are used. These are as follows:
Private Key Encryption:
In this type of encryption, data is encrypted and decrypted through a single key that is shared between the concerned parties. The most common techniques used for private key encryptions are Data Encryption Standard(DES), Triple DES, Advanced Encryption Standard(AES). Discussion of these standards is beyond the scope of this paper.
Public Key Encryption:
In this type of encryption, a pair of keys is generated by every concerned party i.e. public and private. Then public key is kept public i.e. can be accessed by anyone and the private key is kept private i.e. can be accessed only by the concerned party. The data is encrypted by using a public key and that data can only be decrypted using the matching private key. RSA is the most widely used form of public key encryption. There are different ways in order to assure the security of public key, as it can be tempered with, such as Certificate Authority, Public key directories etc. Issues and technicalities related to public key encryption is again beyond the scope of this paper.
Different types of cyber attacks and their counter measures can now be discussed in the following paper.
Cyber attacks which involve interruption, modification or fabrication can be termed as active attacks. These type of attacks are more proactive and cannot easily go unnoticed. These type of attacks are also more difficult to implement. Some of the active attacks are mentioned below.
Brute Force Attacks
In these types of attacks, every possible combination of the encryption keys is taken into account. AES with key sizes as 128, 192, 256 etc minimizes the seriousness of this type of attack up to large extent but it can still be possible by the usage of distributed processing techniques on supercomputers present in the modern world.
It is the type of fabrication attack in which every possible word present in the language is checked against the password. It can be highly efficient if the passwords contain any language patterns i.e. if it is not a strong password.
CHOSEN CIPHERTEXT ATTACK
It is a type of active (fabrication) attack in which is used to compromise RSA encryption. In order to understand it, lets consider a case;
Suppose Alice sends a ciphertext "c" to Bob and an intruder Jack intercepts it. In order to get the original message "m", Jack performs the following calculations.
Jack finds out "n" from the bob's public key and chooses a random number "r" such that
r < n.
Jack then computes x = re mod n where (e,n) is bob's public key.
y = xc mod n
t = r-1 mod n
Jack knows that mathematically, if x=reÂ mod n, then r=xdÂ mod n. Jack can then get Alice to sign "y" with her private key and as a result jack gets u = yd mod n. Jack then computes:
tu mod n = (r-1)(yd) mod n = (r-1)(xd)(cd) mod n = (cd) mod n = m
In this way jack can get the original message "m". In order to prevent this type of attack, it is important to sign a one-way hash of the message instead of signing any random message(Mentis, 2005).
In this type of attack, data packets during the process of communication are captured and are analysed. If the data is not encrypted, it can be very useful as an active attack as the intruder will gain access to any valuable data e.g. passwords which can then be used for an unauthorized access to the Information systems. There are different softwares available in the market in order which can be used to pose this type of attack e.g. wireshark. It is, however, important to mention that this type of attack can be used as a passive attack as well in which the intruder can gain information about the sensitive data. It is, therefore, advisable to use sofwares like SSH for secure remote access rather than using telnet in which there is no data encryption facility.
IP SPOOFING ATTACK
In this type of attack, intruder pretends to be an authorized user i.e. it fabricates itself. Intruder achieves this by using the IP of an authorized user which is possible by different means. By doing so, an intruder can bypass any firewall security and can hence gain unauthorized access to the network.
It is a type of malware which does not perform a function what it seems to perform but instead provides an unauthorized access to the target system. It can be extremely harmful in certain cases depending upon its code. Sometimes it can just install unwanted programs like popups or it can also replace the legitimate contents with that of intruders e.g. in case of websites.
VIRUS or WORM
This is a type of program which can be used for many different reasons e.g. DOS, DDOS, unauthorized access, crashing of the organization's network or system. It can be transferred through many different ways to a system i.e. emails. Famous example of virues include love mail which used to shut down the system. Another example of email virus is "I love you email" which, once opened, used to start sending copies of the same email to all addresses in the user's address book.
Denial & Distributed Denial of Service attacks
Denial of service attack is a sort of attack in which hacker bombard the system with number of messages with such a frequency that system cannot able to process anything else. It overloads the computer system which results in effecting the functionality of the system.
Distributed denial of service (DDoS) attacks is another useful mean of putting computers off network for some time. In Distributed Denial of service attacks hacker bombard the web and email server from great number of messages, by receiving such a high numbers of fake messages system functionality becomes slow or sometime system get crashed. Hackers can easily increase the effect of their distributed denial of service (DDoS) attacks by using malicious codes to get control of other systems and using these Zombie machines to send more messages on to the servers(Arnold and Pangi, 2003).
Domain Name server (DNS) Attack:
According to (Arnold and Pangi, 2003) Communication between two computers on the internet is done by using internet protocol address of computers. To map the name of the website computer consult domain name servers and if DNS give wrong numerical address than user will connect to a wrong server without any information that he is on wrong server. This sort of attacks will be useful in spreading incorrect information and to divert a customer of e-commerce site from the original site or sometime block access. DNS is hierarchal there for the cascading effect on remote servers would result in traffic to selected site to be redirected or loss. (Cortes, 2004)
As the word compound itself describes these attacks are the combinations of 2 or 3 different attacks simultaneously. Purpose of these attacks is to increase the destructiveness of some sort of physical attack with the help of coordinated cyber attacks e.g. terrorist might place some boom in densely populated area at the same time with the help of cyber attacker they disable the communication setup of emergency services like ambulance, fire, police to impede there response. (Arnold and Pangi, 2003)
Router controls all the traffic on the internet that is there they make it sure that the information in the form of packets, get from the source to destination. In general router is not a primary threat for disruption, but if the routing operation is not well diversified than it can lead to a massive routing attack. So it now a primary concern for the router manufactures to follow standards and regulation for maintaining the security on routers. (Cortes, 2004).
Any type of attack that involves interception can be termed as a passive attack. This may involve the release of message contents of just the traffic analysis. These can easily go unnoticed as attacker does not change or modify anything but only observes. Following are some examples of such attacks:
Key Press Snooping
One of the passive attacks is Key Press Snooping. In this case, an attacker can install a software like key logger which records any key press in logs. This means that if there is a key logger installed on a system and a user types his/her passphrase then attacker will get it without any trouble, which can then be used to get private key. This is probably the easiest type of attacks.(Infinity, 2006)
Memory space snooping
According to (Infinity, 2006), there can be another type of attack known as Memory space snooping. In this attack, a user with full priviliges e.g. root on unix systems can access the virtual memory of the system (/dev/kmem) and can access the user's page directly.
Disk Cache Snooping
Another passive attack can be a Disk Cache Snooping (Infinity, 2006). Operating systems like Windows, pages the content of memory to disk in order to free up some RAM. This information can be found in the swapfile and could be recovered. In remote environments, this file can be stolen easily and then the contents can be accessed without any trouble.
There can be some cyber attacks which can be non-network related. These can be as follows:
Unauthorized Access :
In addition to the above mentioned attacks, unauthorized access can also be achieved in an organization by its employee i.e. there are different levels of authorization in an organization and not every employee is allowed to access any type of data. In this type of attack, an employee can use viruses, worms or Trojan horses. It can also use key press snooping technique in order to achieve his/her goals.
In social engineering can easily gain access to the organization's resources if he/she is friends with any of the company's employee. It can also be achieved by pretending to be someone and dodge an employee. In order to handle this, organizations need to educated and train its employees through different exercises.
Before we go into the details of the counter measures regarding the above mentioned cyber attacks, lets have a brief look at the different kinds of sources of these attacks.
Sources of Attacks:
Cyber attacks can be launched from different sources depending upon their motives and the target they want to attack, generally we can group them in three categories terrorist groups, targeted nation-states and thrill seekers.
Terrorist activities are the great threat for the whole world. Terrorist are not only targeting the physical infrastructure of the countries but now they are targeting the IT infrastructure as well. i.e. hacking the government websites and causing serious damage to vulnerable information (Cortes, 2004).
Most of the countries which don't have the friendly relation with one of the some countries use cyber attacks to sabotage the IT infrastructure of their potential enemy in order to safe guard their own national interests. e.g. India and Pakistan both are trying to attack government an defense resources in order to harm each other. Similarly China, America and Russia try to initiate attacks on each other national infrastructure primarily security network (Cortes, 2004).
These sorts of attacker are not attacking the network for specific purpose rather they do it for fun and check their ability to break the secured networks. Because of the advancement in technology probability of these attacks are high (Cortes, 2004).
In order to deal with the above mentioned cyber attacks, organizations implement different systems and techniques. Some of these are discussed in the following paper:
INTRUSION DETECTION SYSTEMS
Intrusion Detection System (IDS) is mainly designed for the detection for any kind of illegal activity (Edward, 1999). It does not provide any countermeasure to handle that threat. Intrusion detection systems can be used to monitor traffic either on knowledge based or behaviour based. However, IDS, because of its high processing, can effect the network performance. In order to overcome this, a port mirroring technique can be used in which data is first sent to the Anomaly detector and once cleared can then be sent to the quantam machine which scans the data.( Anagnostakis, K. G., & Sidiroglou, S, 2005).
Figure 1 Intrusion Detection System (ids.nic.in)
Kerberos provides authentication by using secret key cryptography between client and server.
Kerberos structure is composed of Authentication Server (AS) & Ticket Granting Server (TGS). In this case, user's password is used to derive long term key which is used between AS and user to mutually authenticate each other. Once authenticated, AS grants ticket and a short term key to user which is then used by user to authenticate itself with TGS. After this stage of authentication is achieved, the user is granted with a session key and ticket which is then used by user to access server. This can be seen in the following figure.
Figure 2 (borrowed from Phu.D.Lee, 2010)
VIRTUAL PRIVATE NETWORK (VPN)
Virtual Private Network is a type of technology in which a secure tunnel is built between the two communication parties. The data packets are encapsulated in a new IP thus giving it a high level of security. It is highly feasible because of its cost-effectiveness. VPN is used in three main topologies i.e. host-host, host-network and network-network. Details of these topologies are beyond the scope of this paper.
There are mainly four types of protocol standards for VPN i.e. IPsec, PPTP, L2TP and SSL.
PPTP stands for point-to-point tunneling protocol (K.n Hamzeh, G. S. Pall, W. Verhein, J. Taarud, W. A. Little,and G. Zorn, 1999). L2TP is a combination of PPTP and Layer Two
Forwarding (L2F) (W. Townsley, A. J. Valencia, A. Rubens, G. S. Pall, G. Zorn,and B. Palter, 1999). IPsec stands for Internet Protocol security and works at layer 4 (IETF, 1999).SSL stands for secure socket layer and is commonly used with HTTP to enable secure Web browsing, called HTTPS (O. Freier, P. Karlton, and P. C. Kocker 1996).
IPSec, along with L2TP, is the most commonly way of implementing VPNs. It is used for providing network layer level security. By the implementation of IPSec threats like ip spoofing, message replay, message alteration, DOS can be avoided.
Figure 3 IPSec (Perle, 2010)
Details of the VPN topologies and its protocols are beyond the scope of this paper.
Firewalls can be considered as the most important defense measure against cyber attacks. A firewalls can be defined as "essentially a software or hardware device that examines and filters external information coming from non-trusted sources outside of your network into your internal private network or computer system" (J. Mairs, 2002). There are different types of firewalls which work of different OSI layers. These mainly include network firewalls, application firewalls, proxies and hybrids.
Figure 4 Firewall (churchtechy, 2009)
DEMILITARIZED ZONE (DMZ)
Most organizations use their Internet connection to expose services to the public Internet. At a minimum, SMTP services are exposed to allow inbound email. Organizations mainly use filtering and port forwarding to allow this traffic through a firewall. In addition to this, organizations require a DMZ to further protect the internal network. DMZ is the area in which an organization typically place its servers that expose public services to provide the best security. It is a firewall configuration that separates the back-end servers from the corporate networks and enables communication between the back-end servers and a few servers within the corporate network
A DMZ consists of front-end servers, back-end servers, and firewalls. The firewalls protect the front-end servers from the public network and filter traffic between the corporate network and back-end servers. A DMZ provides a multilayer protection system between the Internet and the internal network of an organization. Any service that is being provided to users from an external network could be placed in the DMZ. The most common of these services are web servers, mail servers, FTP servers, VoIP servers and DNS servers.
To provide protection, the DMZ comprises a firewall that protects the front-end servers from Internet traffic and a set of "security-hardened" servers that support the services the application provides.
Figure 5: DMZ (techrepublic, 2010)
Even in the presence of such counter measures, the information security risk is quite high in the present world. The reason for this is that the intruders are constantly trying to improve their methods of intrusions. In addition to that, the security measure is still not treated as a primary concern in many small organizations and hence the needed countermeasures are not exactly followed. Keeping that in consideration, some of the measures are discussed in the following paper in order to further improve the Information security.
Establish threat intelligence gathering
Security strategy validation
Minimize delivery of malware
Security awareness enhancements
Continuous controls update
Application security testing
Prevent execution of malware
Least access privileges
Identity and access management
Protect the data
Protect the data/data loss prevention
Detect and respond
Host and network anomaly detection
Incident response program
Source: insight of IT risk 2010
Established threat gathering capabilities:
In order to understand the continuously changing threat landscape organization should develop an intelligence gathering capabilities to supervise and plan strategic and tactical responses to threats. This team should consist of qualified professionals who can keep an eye on the current threats and interpret how the organization can be effected by these potential threats and what necessary steps should be taken to modify the organizational security controls and overall security strategy. The prime objective of this time is to monitor the threat level than analyze it that how it can effect their organization and than to develop a strategy (Ernst & Young's, 2010).
Minimize delivery of malware:
By strictly implementing the traditional security measures in the organization the threat of malware can be greatly reduced below mentioned are the ways how we can reduce the threat level.
Social engineering solution:
It is one of the most common methods of reducing the threat or malware environment. There are number of ways, in addition to some discussed above, by which this threat can be introduced like phishing or dropping USB in organization premises and hoping some one will use this USB in company computer, resulting employees unintentionally perform a harmful action. Regardless of implementing the entire advance technical controls human factor will remain the weakest link in spreading malware. So the solution of this problem is to aware the employees as much possible against these threats so that the employees protect them self to unintentionally become a source for spreading these malware. Research shows that companies are not doing well in promoting awareness to their employees. The organization should conduct the information security programmes on regular intervals. So that there effectiveness will be increase (Ernst & Young's, 2010).
Mean to educate the employee about the common threats which are used by the cyber attackers. This awareness can be increased by including security awareness programs in the companies overall defense in depth strategy. These programs should include education about new threats different examples how employees contribute to the success of the attack and lesson learned what means are used by cyber attacker using social media etc. to target organizational networks and than take the feedback from the employees (Ernst & Young's, 2010).
Another way which can reduce the threat of cyber attack is a use of registered software's on all user computers. Corrupted or pirated software's are also the main source of introducing malware in the network.
Phishing and DNS redirection:
Threat can be introduced in the company network by redirecting the DNS to a malware site while preventing the user from visiting the hack or fraudent site to begin with would be preferred but it would not happen most of the time. So it is preferred to block the sites but it is infective to block the sites on domain name bases because they can easily be change. So it is more effective to block the sites by IP address. Install the tools which can tell the users when they visit the site whether the site is safe or unsafe the network. At the end decision is again in the employee's hand, so awareness to employees is really very important (Ernst & Young's, 2010).
Protect the data:
Data is the most important aspect in information system because at the end it all about the data. Implementing the Data Loss Prevention DLP solution can help stop malware collecting the sensitive data and from sending data back to attacker home network. On the basis of predefined policies host based DLP can be implemented in order to control the information which user has access. In order to keep the check on the flow of data on the network, network DLP can be use which keep the record which data is going in and out of the network and block the specific data to going out of the network ( Ernst & Young's, 2010).
After considering all the factors in mind which we have discussed above we came to conclusion that As technological advancement reaching at its peak, at the same time Cyber crime is also increasing day by day but different organization and agencies are working to overcome all such crimes. As cyber crime become a global issue so globally Governments are putting all their resources against these crimes by imposing legislation against these activities and most of the country have consensus to help each other against cyber attacks. Software companies are developing most sensitive tools and controls in order to protect organizational or government assets from these threats. The most important thing is to implement all those advance controls along with conventional security measures to safe guard all sort of assets from cyber attack.