Security Threat Analysis
Recall the three steps of a security threat
analysis in other situations. First, we scrutinize all the parts of a system so
that we know what each part does and how it interacts with other parts. Next,
we consider possible damage to confidentiality, integrity, and availability.
Finally, we hypothesize the kinds of attacks that could cause this damage. We
can take the same steps with a network. We begin by looking at the individual
parts of a network:
· local nodes connected via
· local communications links to a
· local area network, which also has
· local data storage,
· local processes, and
· local devices.
The local network is also connected to a
· network gateway which gives access via
· network communications links to
· network control resources,
· network routers, and
· network resources, such as databases.
These functional needs are typical for network
users. But now we look again at these parts, this time conjuring up the
negative effects threat agents can cause. We posit a malicious agent—call him
Hector—who wants to attack networked communications between two users, Andy and
Bo. What might Hector do?
· Read communications. The messages sent and received are exposed inside Andy's machine, at all places through the network, and inside Bo's machine. Thus, a confidentiality attack can be mounted from practically any place in the network.
· Modify communications from Andy to Bo. Again, the messages are exposed at all places through the network.
· Forge communications allegedly from Andy to Bo. This action is even easier than modifying a communication because a forgery can be inserted at any place in the network. It need not originate with the ostensible sender, and it does not require catching a communication in transit. Since Andy does not deliver his communications personally and since Bo might even never have met Andy, Bo has little basis for judging whether a communication purportedly sent by Andy is authentic.
· Inhibit communications from Andy to Bo. Here again, Hector can achieve this result by invading Andy's machine, Bo's machine, routers between them, or communications links. He can also disrupt communications in general by flooding the network or disrupting any unique path on the network.
· Inhibit all communications passing through a point. If the point resides on a unique path to or from a node, all traffic to or from that node is blocked. If the path is not unique, blocking it will shift traffic to other nodes, perhaps overburdening them.
· Read data at some machine C between Andy and Bo. Hector can impersonate Andy (who is authorized to access data at C). Bo might question a message that seems out of character for Andy, but machine C will nevertheless apply the access controls for Andy. Alternatively, Hector can invade (run a program on) machine C to override access controls. Finally, he can search the network for machines that have weak or improperly administered access controls.
· Modify or destroy data at C. Here again Hector can impersonate Andy and do anything Andy could. Similarly, Hector can try to circumvent controls.
We summarize these threats with a list:
· intercepting data in traffic
· accessing programs or data at remote hosts
· modifying programs or data at remote hosts
· modifying data in transit
· inserting communications
· impersonating a user
· inserting a repeat of a previous communication
· blocking selected traffic
· blocking all traffic
· running a program at a remote host
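The forging and replay threats above rest on one observation: a receiver that checks nothing about a message's origin has no basis for telling a genuine message from a forged, modified, or repeated one. The following Python is an added example, not code from the chapter, that makes this concrete from Bo's side. It models two receivers for messages "from Andy": one that accepts whatever arrives, and one that verifies a message authentication code (HMAC-SHA256 over the whole message) and a per-sender sequence number. The shared key, the message format, and the sample messages are all constructed for the example; how Andy and Bo would establish such a key is assumed here and not covered by this section.

```python
import hashlib
import hmac
import json

# Constructed shared secret for the example. How Andy and Bo agree on it is
# assumed here (key management is outside this section).
SHARED_KEY = b"example-shared-key-between-andy-and-bo"


def make_message(sender, receiver, seq, body, key=SHARED_KEY):
    """Build a message whose tag covers sender, receiver, sequence number and body."""
    payload = json.dumps(
        {"from": sender, "to": receiver, "seq": seq, "body": body}, sort_keys=True
    ).encode()
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return {"payload": payload, "tag": tag}


class UnauthenticatedReceiver:
    """Bo with no origin check: anything that claims to be from Andy is accepted."""

    def __init__(self):
        self.accepted = []

    def receive(self, msg):
        self.accepted.append(json.loads(msg["payload"]))
        return "accepted"


class AuthenticatedReceiver:
    """Bo verifies the tag, then requires a strictly increasing sequence per sender."""

    def __init__(self, key=SHARED_KEY):
        self.key = key
        self.last_seq = {}   # sender -> highest sequence number accepted so far
        self.accepted = []

    def receive(self, msg):
        expected = hmac.new(self.key, msg["payload"], hashlib.sha256).hexdigest()
        # Constant-time comparison; a wrong tag means forged or modified content.
        if not hmac.compare_digest(expected, msg["tag"]):
            return "rejected: bad tag (forged or modified)"
        data = json.loads(msg["payload"])
        # A sequence number at or below the last accepted one is a repeat.
        if data["seq"] <= self.last_seq.get(data["from"], 0):
            return "rejected: replay"
        self.last_seq[data["from"]] = data["seq"]
        self.accepted.append(data)
        return "accepted"


def run_scenario(receiver):
    """Deliver four constructed messages and return the receiver's verdict on each."""
    results = []

    # 1. A genuine message from Andy.
    genuine = make_message("Andy", "Bo", 1, "meet at noon")
    results.append(receiver.receive(genuine))

    # 2. A message inserted into the network claiming to be from Andy, built
    #    without the key, so its tag is just a placeholder.
    forged_payload = json.dumps(
        {"from": "Andy", "to": "Bo", "seq": 2, "body": "send the report to Hector"},
        sort_keys=True,
    ).encode()
    forged = {"payload": forged_payload, "tag": "00" * 32}
    results.append(receiver.receive(forged))

    # 3. A genuine message whose body was altered in transit; the tag no longer matches.
    modified = dict(make_message("Andy", "Bo", 2, "meet at noon"))
    modified["payload"] = modified["payload"].replace(b"noon", b"midnight")
    results.append(receiver.receive(modified))

    # 4. The genuine first message delivered a second time (a repeat).
    results.append(receiver.receive(genuine))
    return results


if __name__ == "__main__":
    print("no authentication:", run_scenario(UnauthenticatedReceiver()))
    print("tag + sequence:   ", run_scenario(AuthenticatedReceiver()))
```

The unauthenticated receiver reports "accepted" for all four deliveries, which is exactly the situation the bullet list describes: from Bo's vantage point a forgery, a modification, and a repeat look identical to a genuine message. The checking receiver accepts only the first; it classifies the inserted and altered messages as tag failures and the repeated one as a replay. Note that the tag alone does not catch the replay, since a repeated genuine message carries a valid tag, which is why the sequence-number check is separate.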
Why are all these attacks possible? Size,
anonymity, ignorance, misunderstanding, complexity, dedication, and programming
all contribute. But we have help at hand; we look next at specific threats and
their countermeasures. Later in this chapter we investigate how these
countermeasures fit together into specific tools.