
Unauthorised Access – What are Access Control Threats?

24/06/2012 Article

BG

Access control threats are all the methods by which security controls can be adversely affected or bypassed. This list of access control threats is not exhaustive:

Denial of service
  • Any method by which legitimate access to a system, service or resource is prevented or delayed beyond reasonable use
  • SYN floods (start packets are sent but connections are never closed)
  • Teardrop (fragmented packets)
  • Traffic flooding
  • DDoS (any method that uses more than one source to magnify the problem)
Buffer overflows
  • Often relates to poor garbage collection (memory management)
  • Used in many ways, including altering memory and injecting malicious code
  • A very common, very old method; new ones are discovered all the time
  • Potentially possible in all physical chips and software
Mobile code
  • Code that is transmitted over a network to its target and executes with little or no user input
  • Not “installed” locally
  • Things like Java applets, JavaScript, ActiveX controls, Flash, PDF embedded code etc.
  • Mobile code can be legitimate
Malicious software (the differences between types are getting harder to see)
Viruses
  • Requires human interaction
  • Comes in many forms
  • Many different delivery methods
Worms
  • Have all the features of viruses, but worms automate their actions and therefore do not depend on human interaction
Trojans
  • Similar to viruses, but trick the user into installing them by appearing to be desirable
Spyware
  • Designed to monitor the user's behaviour, show advertising and collect data, including keystrokes
Password crackers
  • Any tool that attempts to find passwords
  • Rainbow tables
  • Dictionary attacks
  • Brute forcing
  • If attackers gain passwords, their use of them appears legitimate
Spoofing/masquerading
  • TCP frame sequence number manipulation
  • Phishing
  • Man in the middle
Sniffers, Eavesdropping and Tapping
  • The “listening” to transmissions over any medium
  • Can be done at the end points or at any stage during transmission
  • Encryption can thwart it
  • Can be used for good, to enable devices such as IDS and IPS
Emanations
  • Electronic devices all give off EM radiation
  • EM emissions can be profiled and information gathered from them
  • Keyboard noise, for example, can be recorded and analysed
  • TEMPEST is a UK study from the 1960s
Shoulder Surfing
  • Very simply put, watching what people are doing over their shoulder
Object Reuse
  • What it says on the tin
  • Reusing memory for unauthorised authentication
  • Also applies to physical storage devices as well as RAM
  • A recent study showed that if you freeze RAM, it retains its data for long enough to be put into a specially created device that reads it. This allowed the compromise of full disk encryption keys
Data remnants
  • Data that is left on old computers or external hard drives after they have been used
  • Includes data that was simply not deleted
  • Deleting a file does not actually remove the data from the hard disk; only the pointer to the data, which is also stored on the disk, is removed
Unauthorised targeted data mining
  • Collecting and analysing large amounts of data to determine patterns of use
  • “Google” attacks
Dumpster diving
  • Looking for paper in bins
  • Written-down passwords
  • Network diagrams etc.
  • Banking details etc.
Backdoor / trapdoor
  • Unfortunately, lots of applications are built with a “backdoor” in them
  • Administrative accounts created upon install are typical
  • Once discovered, these can be used by anyone who knows about them
Theft + Intruders
  • As on the tin
Social engineering
  • A serious threat that cannot be completely stopped with technology, due to human nature
  • Comes in many forms
  • Also, consider email and help-desk fraud
Logic bombs
  • This is where an attack is prepared and taken advantage of, but its results are not seen until after a delay. Typically the aim is to avoid there being any logs of the installation, by delaying for longer than the backups go back.
  • Also used as a reverse dead man's switch
