Access control threats are the methods by which security controls can be adversely affected or bypassed. This list of access control threats is not exhaustive:
- Denial of service
  - Any method that prevents or delays legitimate access to a system, service or resource beyond reasonable use
  - SYN floods (the attacker starts TCP handshakes with SYN packets but never completes them, filling the server's half-open connection table)
  - Teardrop (malformed, overlapping IP fragments that crash the host reassembling them)
  - Traffic flooding (saturating bandwidth or processing capacity)
  - DDoS (any method that uses more than one source to magnify the problem)
- Buffer overflows
  - Caused by writing more data into a fixed-size buffer than it can hold, i.e. a missing bounds check (poor memory management)
  - Used in many ways, including altering adjacent memory and injecting malicious code
  - A very common, very old method; new instances are discovered all the time
  - Possible in any software, including the firmware running on physical chips
- Mobile code
  - Code that is transmitted to its target over a network and executes with little or no user input
  - Not "installed" locally
  - Things like Java applets, JavaScript, ActiveX controls, Flash, PDF embedded code etc.
  - Mobile code can be legitimate
- Malicious software (the differences between the types are getting harder to see)
  - Viruses
    - Attach themselves to a host program and require human interaction to spread
    - Come in many forms
    - Many different delivery methods
  - Worms
    - Have all the features of viruses, but worms automate their own propagation and therefore do not depend on human interaction
  - Trojans
    - Similar to viruses, but trick the user into installing them by appearing to be desirable software
  - Spyware
    - Designed to monitor the user's behaviour, show advertising and collect data, including keystrokes
- Password crackers
  - Any tool that attempts to recover passwords
  - Rainbow tables (precomputed hash lookups; defeated by salting each hash)
  - Dictionary attacks
  - Brute forcing
  - Once an attacker has a valid password, their activity looks like legitimate use
- Spoofing/masquerading
  - TCP sequence number prediction (used to hijack or inject into an existing session)
  - Phishing
  - Man in the middle
- Sniffers, eavesdropping and tapping
  - "Listening" to transmissions over any medium
  - Can be done at the end points or at any stage during transmission
  - Encryption can thwart it, although the attacker can still see who is talking to whom and how much
  - The same technique is used legitimately by devices such as IDS and IPS sensors
- Emanations
  - Electronic devices all give off electromagnetic (EM) radiation
  - EM emissions can be profiled and information recovered from them
  - Keyboard noise, for example, can be recorded and analysed
  - TEMPEST is the US (NSA) codename, in use since the 1960s, for the study of compromising emanations and the shielding standards that counter them
- Shoulder surfing
  - Very simply put, watching what people are doing over their shoulder
- Object reuse
  - What it says on the tin
  - A storage object (memory, disk blocks) is handed to a new user while it still holds data from its previous use, giving unauthorised access to that residual data
  - Applies to physical storage devices as well as RAM
  - A 2008 study (the "cold boot" attack) showed that if you cool RAM it retains its contents long enough to move the modules into a specially prepared machine and read them. This allowed the recovery of full disk encryption keys
- Data remnants
  - Data that is left on old computers or external hard drives after they have been used
  - Includes data that was simply not deleted
  - Deleting a file does not actually remove its data from the disk; the file system only removes the pointer (directory entry) to the data, which stays on the disk until it is overwritten
- Unauthorised targeted data mining
  - Collecting and analysing large amounts of data to determine patterns of use
  - "Google" attacks (using search engine queries to locate exposed data)
- Dumpster diving
  - Looking for paper in bins
  - Written-down passwords
  - Network diagrams etc.
  - Banking details etc.
- Backdoor / trapdoor
  - Unfortunately, lots of applications are built with a "backdoor" in them
  - Default administrative accounts created upon install are typical
  - Once discovered, these can be used by anyone who knows about them
- Theft and intruders
- Social engineering
  - A serious threat that cannot be completely stopped with technology, because it exploits human nature
  - Comes in many forms
  - Also consider email and help-desk fraud
- Logic bombs
  - Malicious code planted in advance whose effect is delayed until a trigger condition or date. The delay is typically chosen to be longer than log and backup retention, so that no record of the installation survives.
  - Also used as a form of dead man's switch (for example, triggering if the author's account is removed)
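The SYN flood item under "Denial of service" above describes half-open connections piling up on the victim. The following is an added example (not part of the original notes) showing how a defender would spot that from a snapshot of the TCP connection table. The netstat-style lines and the threshold value are constructed for the example.

```python
"""Detect a SYN flood from a snapshot of the TCP connection table.

Added example, not part of the original notes. It parses netstat-style
lines (constructed below) and flags remote addresses that hold an abnormal
number of half-open (SYN_RECV) connections: the handshake was started but
never finished, which is the signature of a SYN flood.
"""
from collections import Counter

# Constructed sample in the column layout of `netstat -ant` on a web server:
# proto, recv-q, send-q, local address, foreign address, state.
SAMPLE_NETSTAT = """\
tcp  0  0 10.0.0.5:80  203.0.113.10:51234  ESTABLISHED
tcp  0  0 10.0.0.5:80  203.0.113.11:40001  ESTABLISHED
tcp  0  0 10.0.0.5:80  198.51.100.7:1024   SYN_RECV
tcp  0  0 10.0.0.5:80  198.51.100.7:1025   SYN_RECV
tcp  0  0 10.0.0.5:80  198.51.100.7:1026   SYN_RECV
tcp  0  0 10.0.0.5:80  198.51.100.7:1027   SYN_RECV
tcp  0  0 10.0.0.5:80  198.51.100.7:1028   SYN_RECV
tcp  0  0 10.0.0.5:80  203.0.113.12:55555  SYN_RECV
tcp  0  0 10.0.0.5:22  203.0.113.13:60000  ESTABLISHED
"""


def parse_connections(text):
    """Yield (source_ip, state) for each TCP line; malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[0] not in ("tcp", "tcp6"):
            continue
        foreign, state = parts[4], parts[5]
        # rsplit on the last colon so IPv6 literals such as ::1:1234 also work
        src_ip = foreign.rsplit(":", 1)[0]
        yield src_ip, state


def half_open_by_source(text):
    """Count SYN_RECV (half-open) connections per remote source address."""
    return Counter(ip for ip, state in parse_connections(text) if state == "SYN_RECV")


def flag_syn_flood_sources(text, threshold=3):
    """Return (ip, count) for sources with at least `threshold` half-open
    connections, worst first. `threshold` is a constructed tuning value; on a
    real server derive it from the normal baseline of SYN_RECV entries per peer."""
    counts = half_open_by_source(text)
    return [(ip, n) for ip, n in counts.most_common() if n >= threshold]


def total_half_open(text):
    """Total half-open connections. A DDoS spreads them across many sources,
    so the per-source check can miss it; watch this total as well."""
    return sum(half_open_by_source(text).values())


if __name__ == "__main__":
    for ip, n in flag_syn_flood_sources(SAMPLE_NETSTAT):
        print(f"possible SYN flood from {ip}: {n} half-open connections")
    print("total half-open connections:", total_half_open(SAMPLE_NETSTAT))
```

The per-source count catches a single-origin flood; the total catches a distributed one where each source stays under the threshold, which is exactly the "more than one source" point made under DDoS.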
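The "Password crackers" item above lists rainbow tables, dictionary attacks and brute forcing without showing how they differ. The following added example (not from the original notes) runs all three against SHA-256 hashes and then shows why a per-user salt defeats the precomputed table but not the other two. The word list, character set, target passwords and salt are constructed; the precomputed table is a plain hash-to-password lookup standing in for a rainbow table, which compresses the same table into hash chains.

```python
"""Dictionary, brute-force and precomputed-table attacks on unsalted hashes,
and the effect of a salt on each.

Added example, not part of the original notes. Hashes use SHA-256 from the
standard library. The precomputed table is a plain hash -> password dict
standing in for a rainbow table (same idea, uncompressed).
"""
import hashlib
import itertools
import string

# Constructed word list; real attacks use lists with millions of entries.
WORDLIST = ["password", "letmein", "dragon", "monkey", "welcome"]


def sha256_hex(data):
    return hashlib.sha256(data.encode()).hexdigest()


def dictionary_attack(target_hash, words=WORDLIST, salt=""):
    """Try each word plus cheap mangling rules (capitalise, append a digit).
    The attacker needs the salt to do this, which is why a salt only has to be
    unique, not secret: it stops precomputation, not guessing."""
    for word in words:
        candidates = (word, word.capitalize(), *(word + str(d) for d in range(10)))
        for candidate in candidates:
            if sha256_hex(salt + candidate) == target_hash:
                return candidate
    return None


def brute_force(target_hash, charset=string.ascii_lowercase, max_len=3, salt=""):
    """Exhaustively try every string up to max_len. Work grows as
    len(charset) ** max_len, so length matters more than character variety."""
    for length in range(1, max_len + 1):
        for combo in itertools.product(charset, repeat=length):
            candidate = "".join(combo)
            if sha256_hex(salt + candidate) == target_hash:
                return candidate
    return None


def build_lookup_table(charset=string.ascii_lowercase, max_len=3):
    """Precompute hash -> password once for the whole keyspace; afterwards
    each stolen hash is cracked with a single dictionary lookup."""
    table = {}
    for length in range(1, max_len + 1):
        for combo in itertools.product(charset, repeat=length):
            pw = "".join(combo)
            table[sha256_hex(pw)] = pw
    return table


def table_lookup(target_hash, table):
    """O(1) crack for anything in the precomputed keyspace; None otherwise."""
    return table.get(target_hash)


if __name__ == "__main__":
    salt = "x9Q"  # constructed per-user salt
    table = build_lookup_table()
    print("dictionary:", dictionary_attack(sha256_hex("monkey7")))
    print("brute force:", brute_force(sha256_hex("zip")))
    print("table, unsalted:", table_lookup(sha256_hex("abc"), table))
    print("table, salted:", table_lookup(sha256_hex(salt + "abc"), table))
    print("brute force, salted:", brute_force(sha256_hex(salt + "abc"), salt=salt))
```

The salted lookup returns None because the table was built without the salt, so the attacker would have to rebuild it per salt value; the salted brute-force and dictionary runs still succeed, which is why a slow hash (bcrypt, scrypt, Argon2) is needed on top of salting.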
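The "Object reuse" and "Data remnants" items above make the same underlying point: deleting a file removes the pointer, not the data, and a block handed to a new owner still contains the old contents. The following added example (not from the original notes) models that with a toy block device. The disk size, block size and file contents are constructed, and the file system is a deliberately simplified model (a directory mapping names to block numbers over a flat block array), not any real on-disk format, but real file systems behave the same way on an ordinary delete.

```python
"""Why an ordinary delete leaves data remnants, and how object reuse exposes them.

Added example, not part of the original notes. ToyDisk is a constructed model:
a flat array of fixed-size blocks plus a directory of name -> block numbers
(the "pointers" the notes refer to). Deleting only drops the directory entry.
"""
BLOCK_SIZE = 16


class ToyDisk:
    def __init__(self, n_blocks=8):
        self.blocks = [bytes(BLOCK_SIZE)] * n_blocks   # all zero to start
        self.directory = {}                            # name -> [block indexes]

    def _free_blocks(self):
        used = {b for blocks in self.directory.values() for b in blocks}
        return [i for i in range(len(self.blocks)) if i not in used]

    def write_file(self, name, data):
        """Split data into blocks, store them in free blocks, record the pointers."""
        chunks = [data[i:i + BLOCK_SIZE] for i in range(0, len(data), BLOCK_SIZE)]
        free = self._free_blocks()
        if len(chunks) > len(free):
            raise OSError("disk full")
        idxs = free[:len(chunks)]
        for idx, chunk in zip(idxs, chunks):
            self.blocks[idx] = chunk.ljust(BLOCK_SIZE, b"\0")
        self.directory[name] = idxs

    def allocate_without_clearing(self, name, n_blocks):
        """Object reuse: hand freed blocks to a new owner without wiping them."""
        free = self._free_blocks()
        if n_blocks > len(free):
            raise OSError("disk full")
        self.directory[name] = free[:n_blocks]

    def read_file(self, name):
        return b"".join(self.blocks[i] for i in self.directory[name]).rstrip(b"\0")

    def delete_file(self, name):
        """Ordinary delete: remove the pointer only; the blocks are untouched."""
        del self.directory[name]

    def secure_delete(self, name):
        """Overwrite the blocks before removing the pointer (here zero fill;
        a real wipe tool writes random data, and SSDs need the drive's own
        secure-erase command because of wear levelling)."""
        for idx in self.directory[name]:
            self.blocks[idx] = bytes(BLOCK_SIZE)
        del self.directory[name]

    def carve_unallocated(self):
        """What a forensic tool or an attacker sees: the contents of every
        block no file currently points to."""
        return b"".join(self.blocks[i] for i in self._free_blocks()).replace(b"\0", b"")


SECRET = b"api-key=ABC123 do-not-share"   # constructed sensitive content


def remnant_after_delete():
    disk = ToyDisk()
    disk.write_file("secret.txt", SECRET)
    disk.delete_file("secret.txt")
    return disk.carve_unallocated()        # the old data is still readable


def remnant_after_secure_delete():
    disk = ToyDisk()
    disk.write_file("secret.txt", SECRET)
    disk.secure_delete("secret.txt")
    return disk.carve_unallocated()        # nothing left to carve


def object_reuse_leak():
    disk = ToyDisk()
    disk.write_file("secret.txt", SECRET)
    disk.delete_file("secret.txt")
    disk.allocate_without_clearing("new.bin", 2)
    return disk.read_file("new.bin")       # the new owner reads the old secret


if __name__ == "__main__":
    print("carved after delete:       ", remnant_after_delete())
    print("carved after secure delete:", remnant_after_secure_delete())
    print("new file sees old data:    ", object_reuse_leak())
```

The same logic applies to RAM: memory freed by one process and given to another without being zeroed is object reuse, which is why operating systems clear pages before handing them to a new process and why the cold boot attack mentioned above works on memory that was never cleared at all.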