Identifying Cisco Network Threats
Terms you'll need to understand:
Distributed denial of service
Techniques you'll need to master:
Finding threat information
Analyzing threat types
If nothing could ever go wrong, we wouldn't need to worry about protecting those network assets. But, of course, things do go wrong, and many of those things are related to security threats. In Chapter 2, "Information Assets," we said that you need to be able to identify just what your information assets are, what you need to protect them from, and what tools you might have available to do that job, and to do it while keeping the network usable by the ordinary user. This is where we look at what you're protecting those information assets from. Cisco breaks out threats by their origin and by their type.
Threats can originate from inside or outside your network. That is actually not always an easy line to draw, though, as we'll see.
When the SAFE Blueprint discusses the origin of threats (internal versus external), it repeats the perception that most threats actually originate inside the network instead of penetrating your perimeter from the outside. Although that has historically been true, it could be changing. Every year, the FBI and the Computer Security Institute conduct and then publish a survey on the threats large organizations actually faced in the previous year. The percentage of incidents that originate outside the network is now essentially equal to the number originating inside the network. You might have heard about this or seen it written in industry publications. For the purposes of taking the test, however, you should be prepared to say that the majority of threats originate inside the network rather than coming from external sources.
What or who are these internal threats? People, of course, but it helps to narrow the most likely candidates rather than simply assuming that all people inside your network are threats. Of course, in some very security-conscious networks, everyone must be considered a potential suspect, but even there, some people are more likely candidates than others. Who among these people on the inside are likely to cause problems?
Current employees with dubious intentions
Current employees with unauthorized activities
Employees who mismanage their environment
Contractors who fit these same descriptions
Why would employees or contractors want to hurt the company, especially when jobs are tight? There are as many reasons as there are people: Someone might have a grudge for a promotion that he felt was deserved but went to someone else; another person might think that by creating a problem, she'll be a hero for finding and fixing it. At least in this category, you can confidently say that the person intended to do the enterprise harm (even if the goal might have been to fix it later). Likewise, someone who has done something wrong (embezzling or stealing from inventory, for instance) might want to limit the visibility of that wrong by removing evidence of the actions. Some employees, of course, will never be satisfied; no matter what management does to accommodate them, they will remain disgruntled.
So many stories have arisen of employees or departed contractors hosting illicit Web sites, or even web-based businesses, on a company's network that it's easy to become blasé about the entire idea. But it remains true: People do use corporate resources to host pornographic Web sites and to host music and movie files for peer-to-peer swapping. People do use their corporate email accounts to buy or sell items on eBay or other auction sites. As this was written, yet another article appeared on IDG.net reporting that more than three quarters of business networks checked had unauthorized peer-to-peer networking software installed, and no company with more than 500 PCs had none. Unauthorized uses also include hosting other businesses, some of which might be legal under authorized circumstances, or hosting personal sites.
Outside audits regularly uncover evidence of these activities, and people are even fired for having done them. Yet the next audit might find that another entrepreneur has taken the departed first business operator's place, with a new and improved set of activities. The problem here is less the intent to do harm (because harm raises interest in what's going on and draws unwelcome management attention) than it is that these activities introduce code that IT does not know is operating. The code might have vulnerabilities that can be exploited if the customers, or even the casual browsers, include hackers.
One other related factor to remember is this: Allowing unauthorized hosting makes a business look incompetent in managing its own affairs, which is very bad for its image in front of the public. If that unauthorized activity includes illegal business, such as pornography or peer-to-peer file sharing, the business can be held legally liable for allowing it to happen. That could prove very expensive.
Employees who mismanage their environment are not the pointy-haired bosses of Dilbert fame; they are otherwise well-intentioned persons (employees or contractors) who make changes to their operating environment. Those changes can introduce holes in an otherwise well-guarded network. An example is an employee who likes to get a little more work done after hours from home and installs a package such as pcAnywhere for operating his desktop remotely. pcAnywhere is a commercial product, not malware, but if it is operating and IT doesn't know about it, it can create an opening in perimeter security that a hacker can exploit. Many employees (including less-experienced system administrators, who should know better) and contractors use Instant Messaging or Internet Relay Chat without authorization. This, too, creates openings for malware. Many worms are now entering networks via chat because antivirus packages do not scan every object that enters; they scan only those that enter via email. Full-system virus scans will eventually catch the malware (if definition files are kept current), but cleanup is much harder than prevention. Again, there is probably no intent to cause harm, but an exposure is created by the addition of unmaintained or unauthorized software. That doesn't begin to address those who add a modem to dial in....
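The check IT would want for the exposures just described (unsanctioned remote-control, chat, peer-to-peer and hosting software, the same kinds named in the earlier paragraph on unauthorized activities) is an inventory of what is actually listening on a host compared against what IT approved. The following is an added example, not code from the Cisco text: it parses constructed Windows `netstat -ano` output and reports every bound service outside an assumed baseline; the port-to-tool mapping is an assumption for illustration, not a signature database.

```python
import re
# Services IT knowingly operates on this host (constructed baseline).
APPROVED = {("tcp", 135), ("tcp", 445)}
# Families of unsanctioned software the chapter names; the port-to-tool
# mapping is an assumption for this example, not a signature database.
KNOWN_UNSANCTIONED = {
    ("tcp", 5631): ("remote-control", "pcAnywhere data"),
    ("udp", 5632): ("remote-control", "pcAnywhere status"),
    ("tcp", 6667): ("irc", "IRC client or bot"),
    ("tcp", 6881): ("p2p", "BitTorrent"),
    ("tcp", 80): ("hosting", "web server"),
}
# One 'netstat -ano' row: proto, local addr:port, foreign, [state], pid
LINE_RE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+\S+\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")

def bound_services(netstat_text):
    """Yield (proto, port, pid) for sockets that accept inbound traffic."""
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header, blank, or unrecognised row
        proto, _addr, port, state, pid = m.groups()
        proto = proto.lower()
        if proto == "tcp" and state != "LISTENING":  # UDP rows carry no state
            continue
        yield proto, int(port), int(pid)

def audit(netstat_text, approved=APPROVED):
    """Return one finding per bound service that is not in the baseline."""
    findings = []
    for proto, port, pid in bound_services(netstat_text):
        if (proto, port) in approved:
            continue
        family, note = KNOWN_UNSANCTIONED.get(
            (proto, port), ("unknown", "not in baseline; identify the process"))
        findings.append({"proto": proto, "port": port, "pid": pid,
                         "family": family, "note": note})
    return sorted(findings, key=lambda f: (f["family"], f["port"]))

# Constructed sample in 'netstat -ano' layout (not a real capture).
SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       920
  TCP    0.0.0.0:5631           0.0.0.0:0              LISTENING       2212
  TCP    0.0.0.0:6881           0.0.0.0:0              LISTENING       3108
  TCP    0.0.0.0:8080           0.0.0.0:0              LISTENING       3550
  TCP    192.168.1.20:49731     10.0.0.5:445           ESTABLISHED     4
  UDP    0.0.0.0:5632           *:*                                    2212
"""
```

Running `audit(SAMPLE)` on the constructed rows reports the pcAnywhere pair, the BitTorrent listener and an unidentified service on 8080, while the approved RPC listener and the outbound SMB connection are ignored.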
If internal threats are people inside the network, external threats must be people outside the network, right? Remember, however, that when you break things down simplistically like this, much depends on where you draw the network boundary. For instance, if you draw the boundary at your edge, remote users are external. Even if they tunnel in, you might not necessarily extend the network boundary to their devices, especially if they are connecting via the Internet. You might want to keep thinking of them as external.
In this case, though, the external threat is not directly the person, who might or might not be the kind of person we would say fits the internal threat category (if accessing the network from inside). Instead, the external threat is the fact that the device used (whether a laptop for a mobile worker or a desktop for a teleworker) is significantly exposed to the outside world, especially the Internet. Unlike a host inside your perimeter (in your campus), this host might spend much of its time on the Internet without necessarily going through your security precautions. (There's a way around that, which we'll discuss when we cover some design alternatives in Chapters 11, "The Medium Network Implementation," and 12, "The Remote-User Design," but there are always disadvantages as well as advantages associated with choosing the alternatives.)
The courseware for Cisco's SAFE Implementation course also categorizes external threats as structured or unstructured. "Structure," in this context, refers to the degree of organization and planning, or the amount of method applied in the attack, as opposed to haphazard efforts that might seem almost random to an observer. Note that both structured and unstructured threats can be malicious in intent or can be the result of human clumsiness or error.
More conventional external threats are people outside your organization. Cisco categorizes them as follows:
Thrill-seekers
Competitors
Spies
Thieves
Hostile former employees
Other
The thrill-seekers are often simply engaging in a social activity, seeing what they can find and/or trying to impress their friends; they generally pose an unstructured (but still dangerous) threat. Thrill-seekers might or might not have substantial skill; they are often (but not always) script kiddies: relatively unskilled users running scripts developed by skilled users that the script kiddies often do not understand. The clumsiness and ignorance of these thrill-seekers can cause significant damage if they manage to penetrate a network. Some of the more well-known scripted tools are L0phtcrack for password cracking and BackOrifice for exploiting vulnerabilities in Microsoft's Office suite of products.
Competitors, of course, exist everywhere in economic life, but business competitors can have a significant incentive to snoop in your network: It can save them millions of dollars if they can learn the lessons of your development without spending the money it cost you to learn them. Most businesses maintain a group to analyze their competition, using whatever information becomes available.
Spies are a threat to businesses as well as governments. Because of the high cost of developing new products and the intensity of competition, which leads to lower prices, corporate espionage is a problem to protect against. If you don't think corporate espionage really happens, consider first that Cisco thinks that it is serious (which makes it serious for the exam, of course). Second, take some time to read a few of the reference books listed at the end of the chapter. The stories in them have been sanitized to avoid lawsuits, but they are otherwise real.
So what exactly is the difference between competitors and spies? Cisco doesn't really say, but this might help: Competitors are in the same line of business (pharmaceuticals, mufflers, batteries, and so on), while spies are in the information business. Spies are usually third parties that obtain information for others; competitors are trying to obtain it for themselves. Either way, the hackers here generally pose a structured threat due to their greater skill and more organized effort.
Thieves are another group that has plagued business since there was such a thing as business. And the crime must pay (or, at least, be expected to pay) often enough to make it worthwhile to keep trying theft. What can be stolen via a network? Information such as credit card numbers or other data for perpetrating identity theft is always valuable. Surprisingly, information about the network can be valuable: If you can learn enough about the network devices, you might be able to control them and the traffic they carry. In short, if it can be used to create value for someone, it can be expected to be stolen at some point.
Hostile former employees (or contractors), like current employees with a grudge, seek to damage the network or information assets for revenge. Sometimes they want to "get even" for whatever affronted them by stealing and selling information. What makes them different from other outsiders is the likelihood that they have at least some inside information about the network; they start with an advantage over other outside threats.
Finally, Cisco provides the catchall category of "other." As one policeman said, whenever you think you've seen it all, you wake up one morning and realize that you haven't seen it all. A time will come when you will find a network threat that doesn't exactly fit any of the specific categories; that will be your example of the "other" group.