


 Operational Security
 Calculating Attack Strategies
 Recognizing Common Attacks

CompTIA Security+ Study Guide, Sybex

Operational Security
 Operational security focuses on computers,
networks, and communications systems as
well as the management of information.
Operational security encompasses a large
area, and as a security professional, you’ll
be primarily involved here more than any
other area.

Operational Security
 Operational security issues include network
access control (NAC), authentication, and
security topologies after the network
installation is complete. Issues include the
daily operations of the network, connections to
other networks, backup plans, and recovery
 In short, operational security encompasses
everything that isn’t related to design or
physical security in your network. Instead of
focusing on the physical components where
the data is stored, such as the server, the
focus is now on the topology and connections.

Calculating Attack
 One main reason for the differences in attacks is
that they occur in many ways and for different
reasons. Regardless of how they occur, they
are generally used to accomplish one or more
of these three goals:
In an access attack, someone who should not be
able to wants to access your resources.
During a modification and repudiation attack,
someone wants to modify information in your
A denial-of-service (DoS) attack is an attempt to
disrupt your network and services. When your
system becomes so busy responding to
illegitimate requests, it can prevent authorized
users from having access.
Calculating Attack
 A. Understanding Access Attack Types
 The goal of an access attack is
straightforward. An access attack is an attempt to
gain access to information that the attacker isn’t
authorized to have. These types of attacks focus
on breaching the confidentiality of information.
They occur either internally or externally; they
might also occur when physical access to the
information is possible.
 Dumpster diving is a common physical access
method. Companies normally generate a huge
amount of paper, most of which eventually
winds up in Dumpsters or recycle bins.
Calculating Attack
 A second common method used in access
attacks is to capture information en route
between two systems; rather than paper, data
is found in such attacks. There are several
common types of access attacks:
Eavesdropping Eavesdropping is the process of
listening in on or overhearing parts of a
conversation, including listening in on your
network traffic. This type of attack is generally
passive. For example, a coworker might overhear
your dinner plans because your speakerphone is
set too loud or you’re yelling into your cell phone.
The opportunity to overhear a conversation is
coupled with the carelessness of the parties in the
Calculating Attack
Snooping Snooping occurs when someone looks
through your files hoping to find something
interesting. The files may be either electronic or
on paper. In the case of physical snooping, people
might inspect your Dumpster, recycling bins, or
even your file cabinets; they can look under the
keyboard for Post-it notes or look for scraps of
paper tacked to your bulletin board. Computer
snooping, on the other hand, involves someone
searching through your electronic files trying to
find something interesting.
Calculating Attack
Interception Interception can be either an active
or a passive process. In a networked environment,
a passive interception would involve someone
who routinely monitors network traffic. Active
interception might include putting a computer
system between the sender and receiver to
capture information as it’s sent. The process is
usually covert. The last thing a person on an
intercept mission wants is to be discovered.
Intercept missions can occur for years without the
knowledge of the parties being monitored.
Calculating Attack
B. Recognizing Modification and Repudiation
 Modification attacks involve the deletion,
insertion, or alteration of information in an
unauthorized manner that is intended to appear
genuine to the user. These attacks can be hard to
detect. They’re similar to access attacks in that the
attacker must first get to the data on the servers, but
they differ from that point on. The motivation for this
type of attack may be to plant information, change
grades in a class, fraudulently alter credit card
records, or something similar. Website defacements
are a common form of modification attack; they
involve someone changing web pages in a
malicious manner.
Calculating Attack
 A variation of a modification attack is a
repudiation attack. Repudiation attacks make data or
information appear to be invalid or misleading
(which can be even worse). For example, someone
might access your e-mail server and send
inflammatory information to others under the guise
of one of your top managers. This information might
prove embarrassing to your company and possibly
do irreparable harm. Repudiation attacks are fairly
easy to accomplish because most e-mail systems
don’t check outbound mail for validity. Repudiation
attacks, like modification attacks, usually begin as
access attacks.
Calculating Attack
C. Identifying Denial-of-Service and Distributed
Denial-of-Service Attacks
 Denial-of-service (DoS) attacks prevent
access to resources by users authorized to use
those resources. An attacker may attempt to
bring down an e-commerce website to prevent
or deny usage by legitimate customers. DoS
attacks are common on the Internet, where they
have hit large companies such as Amazon,
Microsoft, and AT&T. These attacks are often
widely publicized in the media. Most simple DoS
attacks occur from a single system, and a
specific server or organization is the target.
Calculating Attack
 There isn’t a single type of DoS attack, but
a variety of similar methods that have the
same purpose. It’s easiest to think of a DoS
attack by imagining that your servers are so
busy responding to false requests that they
don’t have time to service legitimate
requests. Not only can the servers be
physically busy, but the same result can
occur if the attack consumes all the available
Calculating Attack
 Several types of attacks can occur in this
category. These attacks can deny access to
information, applications, systems, or
A DoS attack on an application may bring down a
website while the communications and systems
continue to operate.
A DoS attack on a system crashes the operating
system (a simple reboot may restore the server
to normal operation).
A DoS attack against a network is designed to fill
the communications channel and prevent
access by authorized users.
Calculating Attack
 A common DoS attack involves opening as
many TCP sessions as possible; this type of
attack is called a TCP SYN flood DoS attack.
Two of the most common types of DoS attacks
are the ping of death and the buffer overflow.
The ping of death crashes a system by sending
Internet Control Message Protocol (ICMP)
packets (think echoes) that are larger than the
system can handle. Buffer overflow attacks, as
the name implies, attempt to put more data
(usually long input strings) into the buffer than it
can hold.
Calculating Attack
 A distributed denial-of-service (DDoS) attack is
similar to a DoS attack. A DDoS attack amplifies the
concepts of a DoS by using multiple computer
systems to conduct the attack against a single
organization. These attacks exploit the inherent
weaknesses of dedicated networks such as DSL
and cable. These permanently attached systems
usually have little, if any, protection. An attacker can
load an attack program onto dozens or even
hundreds of computer systems that use DSL or
cable modems. The attack program lies dormant on
these computers until they get an attack signal from
a master computer. The signal triggers the systems,
which launch an attack simultaneously on the target
network or system.
Calculating Attack
 The nasty part of this type of attack is that
the machines used to carry out the attack
belong to normal computer users. The attack
gives no special warning to those users.
When the attack is complete, the attack
program may remove itself from the system
or infect the unsuspecting user’s computer
with a virus that destroys the hard drive,
thereby wiping out the evidence.
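The TCP SYN flood described above (many handshakes opened, none completed) and the DDoS case (the same load spread over many ordinary machines) can both be recognized from connection records. The following is an added example, not code from the study guide: it counts half-open handshakes per source inside a time window, flags a source that alone exceeds a threshold, and separately flags a window where the total is high but no single source stands out, which is the pattern a DDoS leaves. The event records, IP addresses and thresholds are constructed for the illustration.

```python
"""Half-open TCP handshake tracking to flag SYN-flood behaviour.

Added illustration for this deck, not from the study guide. The event
records below are constructed; in practice they would come from a
firewall, IDS or flow log.
"""
from collections import defaultdict


def half_open_by_source(events, window_start, window_end):
    """Count handshakes per source that stayed half-open inside the window.

    events: iterable of (timestamp, src_ip, src_port, kind) where kind is
    "SYN" (client opened a handshake) or "ACK" (client completed it).
    A handshake is half-open when its SYN is never followed by an ACK from
    the same (src_ip, src_port) within the window.
    """
    pending = set()  # (src_ip, src_port) pairs still waiting for their ACK
    for ts, src_ip, src_port, kind in events:
        if not window_start <= ts <= window_end:
            continue
        key = (src_ip, src_port)
        if kind == "SYN":
            pending.add(key)
        elif kind == "ACK":
            pending.discard(key)
    counts = defaultdict(int)
    for src_ip, _ in pending:
        counts[src_ip] += 1
    return dict(counts)


def classify_window(events, window_start, window_end,
                    per_source_threshold=20, total_threshold=100):
    """Decide whether the window looks like a single-source flood, a
    distributed flood, or normal traffic. Thresholds are assumed values;
    tune them to the server's listen backlog and its normal connection rate."""
    counts = half_open_by_source(events, window_start, window_end)
    flood_sources = sorted(s for s, n in counts.items()
                           if n >= per_source_threshold)
    total = sum(counts.values())
    return {
        "half_open_total": total,
        "flood_sources": flood_sources,
        # Many low-rate sources that together exhaust the backlog: the DDoS
        # case, which a per-source threshold alone would miss.
        "distributed": total >= total_threshold and not flood_sources,
    }


# --- constructed sample traffic (not captured data) -------------------------
LEGIT = []  # one client completing five handshakes normally
for i in range(5):
    LEGIT.append((0.1 * i, "10.0.0.5", 40000 + i, "SYN"))
    LEGIT.append((0.1 * i + 0.05, "10.0.0.5", 40000 + i, "ACK"))

# One source opening 200 handshakes and never completing them.
SINGLE_SOURCE_FLOOD = LEGIT + [
    (1.0 + 0.001 * i, "203.0.113.9", 50000 + i, "SYN") for i in range(200)
]

# Sixty sources, three half-open handshakes each (180 total, only 3 per source).
DISTRIBUTED_FLOOD = LEGIT + [
    (2.0 + 0.01 * j + 0.001 * k, f"198.51.100.{j}", 50000 + k, "SYN")
    for j in range(1, 61) for k in range(3)
]

if __name__ == "__main__":
    for name, sample in [("normal", LEGIT),
                         ("single-source", SINGLE_SOURCE_FLOOD),
                         ("distributed", DISTRIBUTED_FLOOD)]:
        print(name, classify_window(sample, 0.0, 10.0))
```

The per-source threshold is what a firewall's connection-rate rule implements; the total threshold is the extra check that catches a distributed flood, where each participating machine looks almost normal on its own.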

Recognizing Common
 Most attacks are designed to exploit potential
weaknesses, which can be in the
implementation of programs or in the
protocols used in networks. Many types of
attacks require a high level of sophistication
and are rare, but you need to know about
them so that, should they occur, you can
identify what has happened in your
 In the following sections, we’ll look at some
common attacks more closely.
Recognizing Common
 Back Door Attacks
The term back door attack refers to gaining
access to a network and inserting a
program or utility that creates an entrance
for an attacker. The program may allow a
certain user ID to log on without a password
or gain administrative privileges. The next
figure shows how a back door attack can be
used to bypass the security of a network. In
this example, the attacker is using a back
door program to utilize resources or steal
Recognizing Common
 Spoofing Attacks
 A spoofing attack is an attempt by someone or
something to masquerade as someone else.
 This type of attack is usually considered an
access attack. A common spoofing attack that was
popular for many years on early Unix and other
timesharing systems involved a programmer writing a
fake logon program. It would prompt the user for a
user ID and password. No matter what the user
typed, the program would indicate an invalid logon
attempt and then transfer control to the real logon
program. The spoofing program would write the
logon and password into a disk file, which was
retrieved later.
Recognizing Common
 The most popular spoofing attacks today are
IP spoofing and DNS spoofing. With IP spoofing,
the goal is to make the data look as if it came
from a trusted host when it didn’t (thus spoofing
the IP address of the sending host). With DNS
spoofing, the DNS server is given information
about a name server that it thinks is legitimate
when it isn’t. This can send users to a website
other than the one they wanted to go to, reroute
mail, or do any other type of redirection wherein
data from a DNS server is used to determine a
destination. Another name for this is DNS
Recognizing Common
 Another DNS weakness is Domain Name
Kiting. When a new domain name is issued,
there is a five-day grace period before you
must technically pay for it. Those engaged in
kiting can delete the account within the five
days and re-register it again—allowing them
to have accounts that they never have to pay
Recognizing Common
 Man-in-the-Middle Attacks
 Man-in-the-middle attacks tend to be fairly
sophisticated. This type of attack is also an
access attack, but it can be used as the starting
point for a modification attack. The method used
in these attacks clandestinely places a piece of
software between a server and the user that
neither the server administrators nor the user is
aware of.
Recognizing Common
 The software intercepts data and then sends
the information to the server as if nothing is
wrong. The server responds back to the software,
thinking it’s communicating with the legitimate
client. The attacking software continues sending
information on to the server, and so forth.
 If communication between the server and user
continues, what’s the harm of the software? The
answer lies in whatever else the software is
doing. The man-in-the-middle software may be
recording information for someone to view later,
altering it, or in some other way compromising
the security of your system and session.
Recognizing Common
 Replay Attacks
 Replay attacks are becoming quite common.
They occur when information is captured over a
network. A replay attack is a kind of access or
modification attack. In a distributed environment,
logon and password information is sent between
the client and the authentication system. The
attacker can capture the information and replay it
again later. This can also occur with security
certificates from systems such as Kerberos: The
attacker resubmits the certificate, hoping to be
validated by the authentication system and
circumvent any time sensitivity.
Recognizing Common
 If this attack is successful, the attacker will
have all the rights and privileges from the
original certificate. This is the primary reason
that most certificates contain a unique
session identifier and a time stamp: If the
certificate has expired, it will be rejected and
an entry should be made in a security log to
notify system administrators.
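The repudiation slide above notes that most e-mail systems do not check outbound mail for validity, and the replay slides explain why credentials carry a unique session identifier and a time stamp. The following added example (not code from the study guide) shows one verifier that enforces both: each message binds its sender, body, nonce and issue time under an HMAC-SHA256 tag, so a forged or altered message fails the integrity check, an expired message is refused, and a message presented a second time is refused as a replay. Every rejection is written to a security log entry for administrators. The key, message contents and time values are constructed; a real system would use Kerberos tickets or tokens issued by the authentication service rather than this simplified scheme.

```python
"""Authenticated, single-use, time-bounded messages.

Added illustration, not the study guide's code. The key and messages are
constructed; a real deployment would use Kerberos tickets or signed tokens
issued by the authentication system.
"""
import hashlib
import hmac
import json
import secrets
import time

# Constructed demonstration key shared by the sender and the verifier.
DEMO_KEY = b"constructed-demo-key-do-not-reuse"


def _canonical(fields):
    """Stable byte encoding of the signed fields so the MAC is reproducible."""
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def sign_message(key, sender, body, nonce=None, issued_at=None):
    """Produce a message whose sender, body, nonce and timestamp are bound
    together by an HMAC-SHA256 tag."""
    fields = {
        "sender": sender,
        "body": body,
        "nonce": nonce or secrets.token_hex(8),  # unique session identifier
        "issued_at": int(time.time()) if issued_at is None else issued_at,
    }
    fields["mac"] = hmac.new(key, _canonical(fields), hashlib.sha256).hexdigest()
    return fields


class Verifier:
    """Accepts each valid message exactly once, within its validity window."""

    def __init__(self, key, max_age_seconds=300):
        self.key = key
        self.max_age = max_age_seconds
        self.seen_nonces = set()
        self.security_log = []  # entries an administrator should review

    def verify(self, message, now=None):
        now = int(time.time()) if now is None else now
        fields = {k: v for k, v in message.items() if k != "mac"}
        expected = hmac.new(self.key, _canonical(fields), hashlib.sha256).hexdigest()
        # 1. Integrity and origin: a forged or altered message fails here,
        #    which is the validity check the slide says most mail systems skip.
        if not hmac.compare_digest(expected, str(message.get("mac", ""))):
            return self._reject("bad_mac", message)
        # 2. Time sensitivity: an old (or future-dated) capture is refused.
        if abs(now - int(fields.get("issued_at", 0))) > self.max_age:
            return self._reject("expired", message)
        # 3. Single use: the same nonce presented twice is a replay.
        if fields.get("nonce") in self.seen_nonces:
            return self._reject("replayed", message)
        self.seen_nonces.add(fields.get("nonce"))
        return "accepted"

    def _reject(self, reason, message):
        self.security_log.append(
            f"REJECT {reason} sender={message.get('sender')} "
            f"nonce={message.get('nonce')}"
        )
        return reason


if __name__ == "__main__":
    verifier = Verifier(DEMO_KEY)
    msg = sign_message(DEMO_KEY, "ceo@example.com", "Release the payment")
    print(verifier.verify(msg))   # accepted
    print(verifier.verify(msg))   # replayed
    print(verifier.security_log)
```

Because the timestamp check rejects anything older than `max_age_seconds`, the verifier only has to remember nonces for that long; a production implementation would expire entries from `seen_nonces` on the same schedule instead of keeping them forever.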
Recognizing Common
 Password-Guessing Attacks
 Password-guessing attacks occur when an
account is attacked repeatedly. This is
accomplished by utilizing applications known
as password crackers, which send possible
passwords to the account in a systematic
manner. The attacks are initially carried out to
gain passwords for an access or modification
Recognizing Common
 There are two types of password-guessing
Brute-force attack
 A brute-force attack is an attempt to guess
passwords until a successful guess occurs. This
type of attack usually occurs over a long period.
To make passwords more difficult to guess, they
should be much longer than two or three
characters (six should be the bare minimum), be
complex, and have password lockout policies.
Recognizing Common
Dictionary attack
 A dictionary attack uses a dictionary of
common words to attempt to find the user’s
password. Dictionary attacks can be automated,
and several tools exist in the public domain to
execute them.
 Not all attacks are only brute-force or
dictionary based. A number of hybrids also
exist that will try combinations of these two
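The password-guessing slides above recommend a password lockout policy as a defence against brute-force and dictionary attacks. The following added example (not code from the study guide) implements such a policy and replays it over authentication log lines: an account is locked after a number of failures inside a sliding window, every attempt during the lock is refused even if the password is right, and each lockout produces an alert line for the security log. The log format, account names, addresses and policy numbers are constructed for the illustration.

```python
"""Account-lockout policy replayed over authentication log lines.

Added illustration, not from the study guide. The log format and the
lines below are constructed; adapt parse_line() to your own logs.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "result": m["result"],
        "user": m["user"],
        "src": m["src"],
    }


class LockoutPolicy:
    """Lock an account after max_failures failed logons inside `window`.

    The lock lasts `lockout`; while it holds, every attempt is refused,
    including one with the right password, which is what stops a password
    cracker from simply continuing through its list.
    """

    def __init__(self, max_failures=5, window=timedelta(minutes=5),
                 lockout=timedelta(minutes=15)):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self.failures = defaultdict(list)  # user -> recent failure times
        self.locked_until = {}             # user -> lock expiry
        self.alerts = []                   # lines destined for the security log

    def evaluate(self, event):
        user, ts = event["user"], event["ts"]
        until = self.locked_until.get(user)
        if until is not None and ts < until:
            return "locked"
        if event["result"] == "OK":
            self.failures[user].clear()
            return "accepted"
        recent = [t for t in self.failures[user] if ts - t <= self.window]
        recent.append(ts)
        self.failures[user] = recent
        if len(recent) >= self.max_failures:
            self.locked_until[user] = ts + self.lockout
            self.alerts.append(
                f"{ts.isoformat()} LOCKOUT user={user} "
                f"failures={len(recent)} last_src={event['src']}"
            )
            self.failures[user] = []
            return "locked"
        return "failed"


def replay_log(lines, policy=None):
    """Feed each parsable line to the policy; return (outcomes, policy)."""
    policy = policy or LockoutPolicy()
    outcomes = []
    for line in lines:
        event = parse_line(line)
        if event is None:
            continue
        outcomes.append((event["user"], policy.evaluate(event)))
    return outcomes, policy


# Constructed sample: a systematic guessing run against alice (the sixth
# line is the guess that matched her password), and one typo by bob.
SAMPLE_LOG = [
    "2024-03-01T10:00:01 auth FAIL user=alice src=203.0.113.7",
    "2024-03-01T10:00:02 auth FAIL user=alice src=203.0.113.7",
    "2024-03-01T10:00:03 auth FAIL user=alice src=203.0.113.7",
    "2024-03-01T10:00:04 auth FAIL user=alice src=203.0.113.7",
    "2024-03-01T10:00:05 auth FAIL user=alice src=203.0.113.7",
    "2024-03-01T10:00:06 auth OK user=alice src=203.0.113.7",
    "2024-03-01T10:00:10 auth FAIL user=bob src=10.0.0.4",
    "2024-03-01T10:00:11 auth OK user=bob src=10.0.0.4",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    outcomes, policy = replay_log(SAMPLE_LOG)
    for user, outcome in outcomes:
        print(user, outcome)
    print(policy.alerts)
```

The window matters as much as the count: a cracker that spaces guesses far apart (the "long period" the brute-force slide mentions) stays under a per-window limit, so the alert lines should also be reviewed for accounts that accumulate failures slowly.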
Recognizing Common
 Privilege Escalation
 Privilege escalation can be the result of an error on
an administrator’s part in assigning too high a
permission set to a user, but it’s more often associated
with bugs left in software.
 When creating a software program, developers will
occasionally leave a back door in the program that
allows them to become a root user should they need to
fix something during the debugging phase.
 After debugging is done and before the software
goes live, these abilities are removed. If a developer
forgets to remove the back door in the live version and
the method of accessing them gets out, it leaves the
ability for a miscreant to take advantage of the system.
Recognizing Common
 To understand privilege escalation, think of
cheat codes in video games. Once you know the
game’s code, you can enter it and become
invincible. Similarly, someone might take
advantage of a hidden cheat in a software
application you are using to become root.
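The privilege escalation slides above describe a debugging back door that lets a developer become root and that must be removed before the software goes live. The following added example (not code from the study guide) shows what such a leftover looks like in an authorization check, the same check with the shortcut removed, and a start-up gate that refuses to run a production build while any debug-only setting is still enabled. The header name, the magic value and the setting names are hypothetical.

```python
"""A leftover debugging back door, its removed form, and a release gate.

Added illustration, not from the study guide. The header name, the magic
value and the settings keys are hypothetical.
"""


def is_admin_vulnerable(user, request_headers):
    """Authorization check with a debugging shortcut that was never removed.

    Anyone who learns the header value becomes an administrator regardless
    of the role stored on the user record: the "cheat code" of the slide.
    """
    if request_headers.get("X-Debug-Root") == "letmein":  # hypothetical leftover
        return True
    return user.get("role") == "admin"


def is_admin_hardened(user, request_headers):
    """The same decision with the shortcut gone: only the stored role counts."""
    return user.get("role") == "admin"


# Hypothetical settings that are acceptable while debugging but must be off
# in a live deployment.
DEBUG_ONLY_SETTINGS = ("DEBUG_ROOT_BYPASS", "ALLOW_PASSWORDLESS_LOGIN")


def release_gate(settings):
    """Return the debug-only settings still enabled for a production build.

    A non-empty list means the build must not go live. Non-production
    environments are left alone so developers can keep debugging.
    """
    if settings.get("ENV") != "production":
        return []
    return [name for name in DEBUG_ONLY_SETTINGS if settings.get(name)]


def start_service(settings):
    """Fail closed: refuse to start rather than ship a back door by mistake."""
    offenders = release_gate(settings)
    if offenders:
        raise RuntimeError(
            f"refusing to start: debug-only settings enabled: {offenders}"
        )
    return "started"


if __name__ == "__main__":
    guest = {"name": "guest", "role": "user"}
    print(is_admin_vulnerable(guest, {"X-Debug-Root": "letmein"}))  # True
    print(is_admin_hardened(guest, {"X-Debug-Root": "letmein"}))    # False
    print(start_service({"ENV": "production"}))                       # started
```

Gating debug features behind a start-up check, instead of relying on someone remembering to delete them, turns "the developer forgot" from a silent exposure into a failed deployment that is noticed immediately.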