Malicious Threats |
Category |
Threat |
OSI Layer |
Definition |
Typical Behaviors |
Vulnerabilities |
Prevention |
Detection |
Countermeasures |
Malicious Software |
Virus |
Application |
Malicious software that attaches itself to other software and, when the infected host runs, copies itself into further programs. For example, a patched software application in which
the patch's algorithm is designed to implement the same patch on other applications, thereby replicating. |
Replicates within computer system, potentially attaching itself to every software application
Behavior categories
- Innocuous
- Humorous
- Data altering
- Catastrophic
|
All computers
Common categories
- Boot sector
- Terminate and Stay Resident (TSR)
- Application software
- Stealth (or Chameleon)
- Mutation engine
- Network
- Mainframe
|
Limit connectivity. Limit downloads
Use only authorized media for loading data and software
Enforce mandatory access controls. Viruses generally cannot run unless host application is running |
Changes in file sizes or date/time stamps
Computer is slow starting or slow running
Unexpected or frequent system failures
Change of system date/time
Low computer memory or increased bad blocks on disks |
Contain, identify and recover
Antivirus scanners - look for known viruses
Antivirus monitors - look for virus related application behaviors
Attempt to determine source of infection and issue alert |
Worm |
Application
Network |
Malicious software that is a stand-alone program: unlike a Virus it needs no host application in order to run or replicate |
Often designed to propagate through a network, rather than just a single computer |
Multitasking computers, especially those employing open network standards |
Limit connectivity, employ firewalls
Worms can run even without a host application |
Computer is slow starting or slow running
Unexpected or frequent system failures |
Contain, identify and recover
Attempt to determine source of infection and issue alert |
Trojan Horse |
Application |
A program that pretends to be useful while carrying hidden malicious functionality, e.g., a Worm disguised as a useful program or a Virus purposely attached to
a useful program prior to distribution. Unlike a Virus or Worm, a Trojan Horse need not replicate at all |
Same as Virus or Worm, but also sometimes used to send
information back to or make information available to perpetrator |
Unlike Worms, which self propagate, Trojan Horses require user cooperation
Untrained users are vulnerable |
User cooperation allows Trojan Horses to bypass automated controls
User training is best prevention |
Same as Virus and Worm |
Same as Virus and Worm
Alert must be issued, not only to other system admins, but to all network users |
Time Bomb |
Application |
Malicious code (typically a Virus or Worm payload) designed to activate at a certain
date/time |
Same as Virus or Worm, but widespread throughout organization upon trigger date |
Same as Virus and Worm
Because the dormant code is already present on the system, Time Bombs can often be found (e.g., by scanning) before the trigger date |
Run associated anti-viral software immediately as available |
Correlate user problem reports to find patterns indicating possible Time Bomb |
Contain, identify and recover
Attempt to determine source of infection and issue alert |
Logic Bomb |
Application |
Malicious code (typically a Virus or Worm payload) designed to activate only when a specific condition is met, e.g., a particular file, record or user account being present or absent |
Same as Virus or Worm |
Same as Virus and Worm |
Same as Virus and Worm |
Correlate user problem reports indicating possible Logic Bomb |
Contain, identify and recover
Determine source and issue alert |
Rabbit |
Application
Network |
A Worm designed to replicate to the point of exhausting computer resources (a fork bomb is the classic single-host example) |
Rabbit consumes all CPU cycles, disk space or network resources, etc. |
Multitasking computers, especially those on a network |
Limit connectivity, employ firewalls |
Computer is slow starting or running
Frequent system failures |
Contain, identify and recover
Determine source and issue alert |
Bacterium |
Application |
A Virus designed to attach itself to the OS in particular (rather than any
application in general) and exhaust computer resources, especially CPU cycles |
Operating System consumes more and more CPU cycles, resulting eventually in noticeable delay in user transactions |
Older or unpatched versions of operating systems are more vulnerable than current ones: their weaknesses have been public longer and more malware targeting them exists |
Limit write privileges and opportunities to OS files
System administrators should work from non-admin accounts whenever possible |
Changes in OS file sizes, date/time stamps
Computer is slow in running
Unexpected or frequent system failures |
Antivirus scanners: look for known viruses
Antivirus monitors: look for virus related system behaviors. |
Spoofing |
Spoofing |
Network
Data Link |
Getting one computer on a network to pretend to have the identity of another computer, usually one with special
access privileges, so as to obtain access to the other computers on the network |
The spoofing computer often has no access to user-level commands, so it works through automation-level
services, such as email or message handlers, that accept requests from other hosts |
Automation services designed for network interoperability, particularly those adhering to open standards, are especially vulnerable |
Limit system privileges of automation services to minimum necessary
Upgrade via security patches as they become available |
Monitor transaction logs of automation services, scanning for unusual behaviors
If automating this review, run it off-line on a separate system so the monitoring itself cannot be subverted by a "tunneling" attack |
Disconnect automation services until patched or monitor automation access points, such as network sockets,
scanning for next spoof, in attempt to trace back to perpetrator |
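The Spoofing row places the threat at the Network and Data Link layers and prescribes monitoring access points such as network sockets. The added example below (not from the original table) shows the Data Link case: it checks a host's ARP cache against a trusted IP-to-MAC baseline, which is how an attacker answering for the gateway's or a mail relay's address shows up. The baseline, the interface name and the `arp -a` style output are all constructed for illustration.

```python
"""Detecting Data Link layer spoofing: compare a host's ARP cache against a
trusted IP-to-MAC baseline. Added example, not from the original table; the
baseline, interface name and the arp -a output below are all constructed."""
import re
from collections import defaultdict

# Trusted bindings an administrator would record for the segment (constructed).
BASELINE = {
    "192.168.1.1": "00:11:22:33:44:01",   # gateway
    "192.168.1.10": "00:11:22:33:44:10",  # mail relay, an "automation service"
    "192.168.1.20": "00:11:22:33:44:20",
}

# Constructed `arp -a` style output. A spoofing host (MAC ...:99) is answering
# for both the gateway's and the mail relay's addresses.
SAMPLE_ARP = """\
? (192.168.1.1) at 00:11:22:33:44:99 [ether] on eth0
? (192.168.1.10) at 00:11:22:33:44:99 [ether] on eth0
? (192.168.1.20) at 00:11:22:33:44:20 [ether] on eth0
? (192.168.1.30) at 00:11:22:33:44:30 [ether] on eth0
"""

ARP_LINE = re.compile(
    r"\((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\) at (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})",
    re.IGNORECASE,
)


def parse_arp(text):
    """Return (ip, mac) pairs from arp -a style output; MACs are lower-cased."""
    pairs = []
    for line in text.splitlines():
        m = ARP_LINE.search(line)
        if m:
            pairs.append((m.group("ip"), m.group("mac").lower()))
    return pairs


def find_spoofing(pairs, baseline):
    """Two checks: (1) a baselined IP answered by a different MAC, (2) one MAC
    claiming several IPs. Addresses absent from the baseline are not alerted
    on their own, so an unknown host only shows up if it also trips check 2."""
    alerts = []
    ips_by_mac = defaultdict(set)
    for ip, mac in pairs:
        ips_by_mac[mac].add(ip)
        expected = baseline.get(ip)
        if expected is not None and expected.lower() != mac:
            alerts.append(f"{ip}: baseline MAC {expected}, cache shows {mac}")
    for mac, ips in sorted(ips_by_mac.items()):
        if len(ips) > 1:
            alerts.append(f"{mac} claims {len(ips)} addresses: {', '.join(sorted(ips))}")
    return alerts


if __name__ == "__main__":
    for a in find_spoofing(parse_arp(SAMPLE_ARP), BASELINE):
        print("ALERT", a)
```

Run periodically from the monitoring host and diff against the previous run; a MAC that suddenly claims the gateway's address is the usual first sign. The check is only as good as the baseline, so the baseline itself must be stored where the spoofing host cannot reach it.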
Masquerade |
Network |
Accessing a computer by pretending to have an authorized user identity |
Masquerading user often employs network or administrator command functions to access even more of the system,
e.g., by attempting to download the password file or routing tables |
Placing false or modified login prompts on a computer is a common way to obtain user IDs, as are Snooping,
Scanning and Scavenging |
Limit user access to network or administrator command functions
Implement multiple levels of administrators, with different privileges for each |
Correlate user identification with shift times or increased frequency of access
Correlate user command logs with administrator command functions |
Change user password or use standard administrator functions to determine access point, then trace back to perpetrator |
Scanning |
Sequential Scanning |
Transport
Network |
Sequentially testing passwords/authentication codes until one is successful |
Multiple users attempting network or administrator command functions, indicating multiple Masquerades |
Since most login prompts impose a delay after failed attempts to foil automated scanning, obtaining the hashed password file (e.g., /etc/shadow on Unix systems)
and testing guesses against it off-line is the common technique |
Enforce organizational password policies.
Make even system administrator access to password files cumbersome, and store passwords only as salted, iterated hashes so a stolen file is costly to test off-line |
Correlate user identification with shift times
Correlate user problem reports relevant to possible Masquerades |
Force a password change for every account (treat the entire password file as compromised) or use baiting tactics to trace back to perpetrator |
Dictionary Scanning |
Application |
Scanning through a dictionary of commonly used passwords/authentication codes until one is successful |
Multiple users attempting network or administrator command functions, indicating multiple Masquerades |
Use of common words and names as passwords or authentication codes, or a password equal to the user ID (a so-called "Joe account") |
Enforce organizational password policies |
Correlate user identification with shift times
Correlate user problem reports relevant to possible Masquerades |
Force a password change for every account (treat the entire password file as compromised) or use baiting tactics to trace back to perpetrator |
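The two Scanning rows above say the common technique is to obtain the hashed password table and test guesses against it off-line, where no login delay applies. The added example below (not from the original table; the accounts, passwords, word list and round count are all constructed) runs a Dictionary scan, a "Joe account" check and a short Sequential scan against an unsalted table, then the same dictionary against a salted, iterated table. The salted table is a prevention measure added here, not one the table lists, and it is included to show where the attacker's cost comes from.

```python
"""Off-line password scanning against a stolen password table, and the cost a
salted, iterated hash adds. Added example, not from the original table; the
accounts, passwords, word list and round count are constructed."""
import hashlib
import itertools
import os
import string

# Constructed word list, deliberately short.
WORDLIST = ["password", "letmein", "welcome", "dragon", "joe", "summer2024"]
ROUNDS = 2_000   # kept small so this runs quickly; real deployments use far more


def legacy_hash(password):
    """Unsalted single-round hash, as found in older password tables."""
    return hashlib.sha1(password.encode()).hexdigest()


def slow_hash(password, salt, rounds=ROUNDS):
    """Salted, iterated hash (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)


# Constructed legacy table: "joe" is a Joe account (password equals user ID),
# "dana" chose a dictionary word, "root" chose a random password.
CREDS = {"joe": "joe", "dana": "dragon", "root": "Xq7!vL2#pR9z"}
LEGACY_TABLE = {user: legacy_hash(pw) for user, pw in CREDS.items()}


def dictionary_scan(table, wordlist):
    """Dictionary Scanning against an unsalted table: each word is hashed once
    and the result is looked up against every account at the same time."""
    lookup = {legacy_hash(w): w for w in wordlist}
    return {user: lookup[h] for user, h in table.items() if h in lookup}


def joe_account_scan(table):
    """Try each user ID as its own password."""
    return [user for user, h in table.items() if legacy_hash(user) == h]


def sequential_scan(target_hash, alphabet=string.ascii_lowercase, max_len=3):
    """Sequential Scanning: exhaustive search of all strings up to max_len.
    No login delay applies because the guesses never touch the login prompt."""
    for length in range(1, max_len + 1):
        for chars in itertools.product(alphabet, repeat=length):
            guess = "".join(chars)
            if legacy_hash(guess) == target_hash:
                return guess
    return None


def make_salted_table(creds):
    """Store each password as (salt, slow_hash) with one random salt per user."""
    table = {}
    for user, pw in creds.items():
        salt = os.urandom(16)
        table[user] = (salt, slow_hash(pw, salt))
    return table


def salted_dictionary_scan(table, wordlist):
    """The same dictionary against the salted table. There is no shared lookup:
    every (user, word) pair costs a full slow_hash. Returns (cracked, work)."""
    cracked, work = {}, 0
    for user, (salt, h) in table.items():
        for word in wordlist:
            work += 1
            if slow_hash(word, salt) == h:
                cracked[user] = word
                break
    return cracked, work


if __name__ == "__main__":
    print("dictionary:", dictionary_scan(LEGACY_TABLE, WORDLIST))
    print("joe accounts:", joe_account_scan(LEGACY_TABLE))
    cracked, work = salted_dictionary_scan(make_salted_table(CREDS), WORDLIST)
    print("salted:", cracked, "after", work, "slow hashes")
```

Against the unsalted table one hash per word tests every account at once; against the salted table the work is the product of accounts and words, each multiplied by the round count. Neither defence helps the accounts that chose "joe" or "dragon", which is why the Prevention cell starts with password policy rather than hashing.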
Snooping (Eavesdropping) |
Digital Snooping |
Network |
Electronic monitoring of digital networks to uncover passwords or other data |
Users or even system administrators found online at unusual or off-shift hours
Changes in behavior of network transport layer |
Example of how COMSEC (communications security) affects COMPUSEC (computer security)
Links can be more vulnerable to snooping than nodes |
Employ data encryption
Limit physical access to network nodes and links |
Correlate user identification with shift times
Correlate user problem reports. Monitor network performance |
Change encryption schemes or employ network monitoring tools to attempt trace back to perpetrator |
Shoulder Surfing |
Physical |
Direct visual observation of monitor displays or keyboards to obtain passwords or other access information |
Authorized user found online at unusual or off-shift hours, indicating a possible Masquerade
Authorized user attempting administrator command functions |
"Sticky" notes used to record account and password information
Password entry screens that do not mask typed text
"Loitering" opportunities |
Limit physical access to computer areas
Require users to change passwords promptly whenever exposure is suspected (routine forced rotation by itself does little against a surfed password) |
Correlate user identification with shift times or increased frequency of access
Correlate user command logs with administrator command functions |
Change user password or use standard administrator functions to determine access point, then trace back to
perpetrator |
Scavenging |
Dumpster Diving |
All |
Accessing discarded trash to obtain passwords and other data |
Multiple users attempting network or administrator command functions, indicating multiple Masquerades |
"Sticky" notes used to record account and password information
System administrator printouts of user logs |
Destroy discarded hardcopy |
Correlate user identification with shift times
Correlate user problem reports relevant to possible Masquerades |
Force a password change for every account (treat the entire password file as compromised) or use baiting tactics to trace back to perpetrator |
Browsing |
Application
Network |
Usually automated scanning of large quantities of unprotected data (discarded media or online "finger" type
commands) to obtain clues as to how to achieve access |
Authorized user found online at unusual or off-shift hours, indicating a possible Masquerade
Authorized user attempting administrator command functions |
"Finger" type services provide information to any and all users.
The information is usually assumed safe but can give clues to passwords (e.g., spouse’s name) |
Destroy discarded media
Especially on open (publicly reachable) networks, disable "finger" type services |
Correlate user identification with shift times or increased frequency of access
Correlate user command logs with administrator command functions |
Change user password or use standard administrator functions to determine access point, then trace back to
perpetrator |
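The Detection cells of the Masquerade, Sequential Scanning, Dictionary Scanning, Digital Snooping, Shoulder Surfing and Scavenging rows all prescribe the same correlations: repeated failures against one account, one source trying many accounts (multiple Masquerades), logins outside the user's shift, and ordinary users invoking administrator command functions. The added example below (not from the original table) runs those checks over a constructed sample of sshd and sudo syslog lines; the shift table, the administrator set and the thresholds are assumptions for illustration.

```python
"""Log correlation checks from the Masquerade, Scanning, Snooping, Shoulder
Surfing and Scavenging rows, run over constructed sshd/sudo syslog lines.
Added example, not from the original table; shifts, admin set and thresholds
are illustrative assumptions."""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample log (not captured from a real host).
SAMPLE_LOG = """\
Mar 10 02:14:01 host sshd[1001]: Failed password for alice from 10.0.0.5 port 5001 ssh2
Mar 10 02:14:03 host sshd[1001]: Failed password for alice from 10.0.0.5 port 5001 ssh2
Mar 10 02:14:05 host sshd[1001]: Failed password for alice from 10.0.0.5 port 5001 ssh2
Mar 10 02:14:07 host sshd[1001]: Failed password for alice from 10.0.0.5 port 5001 ssh2
Mar 10 02:20:11 host sshd[1002]: Failed password for bob from 10.0.0.9 port 5002 ssh2
Mar 10 02:20:12 host sshd[1003]: Failed password for carol from 10.0.0.9 port 5003 ssh2
Mar 10 02:20:13 host sshd[1004]: Failed password for invalid user admin from 10.0.0.9 port 5004 ssh2
Mar 10 02:31:40 host sshd[1005]: Accepted password for bob from 10.0.0.9 port 5005 ssh2
Mar 10 02:32:02 host sudo:      bob : TTY=pts/0 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/cat /etc/shadow
Mar 10 09:05:00 host sshd[1010]: Accepted password for carol from 10.0.0.2 port 5010 ssh2
"""

SHIFTS = {"alice": (8, 18), "bob": (8, 18), "carol": (0, 24)}  # hour ranges [start, end)
ADMINS = {"carol"}
BRUTE_FORCE_THRESHOLD = 4   # failures for one account from one source
SPRAY_THRESHOLD = 3         # distinct accounts failed from one source

TS = r"(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d)"
FAILED = re.compile(TS + r" \S+ sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")
ACCEPTED = re.compile(TS + r" \S+ sshd\[\d+\]: Accepted \w+ for (?P<user>\S+) from (?P<src>\S+)")
SUDO = re.compile(TS + r" \S+ sudo: +(?P<user>\S+) : .*COMMAND=(?P<cmd>.*)$")


def parse(text):
    """Turn log lines into event dicts with kind, ts, hour, user, src (and cmd)."""
    events = []
    for line in text.splitlines():
        for kind, rx in (("failed", FAILED), ("accepted", ACCEPTED), ("sudo", SUDO)):
            m = rx.match(line)
            if m:
                e = m.groupdict()
                e["kind"] = kind
                e["hour"] = datetime.strptime(e["ts"], "%b %d %H:%M:%S").hour
                events.append(e)
                break
    return events


def correlate(events, shifts=SHIFTS, admins=ADMINS):
    """Return (rule, detail) alerts in log order."""
    alerts = []
    failures = Counter()                 # (src, user) -> failed attempts
    users_per_src = defaultdict(set)     # src -> accounts it failed against
    sprayers = set()
    for e in events:
        if e["kind"] == "failed":
            key = (e["src"], e["user"])
            failures[key] += 1
            users_per_src[e["src"]].add(e["user"])
            if failures[key] == BRUTE_FORCE_THRESHOLD:
                alerts.append(("sequential_scan", f"{e['src']} failed {BRUTE_FORCE_THRESHOLD} times for {e['user']}"))
            if len(users_per_src[e["src"]]) == SPRAY_THRESHOLD:
                sprayers.add(e["src"])
                alerts.append(("multiple_masquerades", f"{e['src']} tried {SPRAY_THRESHOLD} different accounts"))
        elif e["kind"] == "accepted":
            start, end = shifts.get(e["user"], (0, 24))
            if not start <= e["hour"] < end:
                alerts.append(("off_shift_login", f"{e['user']} logged in at {e['ts']} from {e['src']}"))
            if e["src"] in sprayers:
                alerts.append(("success_after_scan", f"{e['user']} accepted from scanning source {e['src']}"))
        elif e["kind"] == "sudo" and e["user"] not in admins:
            alerts.append(("admin_function_by_user", f"{e['user']} ran {e['cmd']}"))
    return alerts


if __name__ == "__main__":
    for rule, detail in correlate(parse(SAMPLE_LOG)):
        print(f"{rule:24s} {detail}")
```

The sample produces five alerts in sequence: a Sequential scan against alice, a source cycling through accounts, that same source then succeeding as bob off-shift, and bob reading the password file with sudo. Any one alert is weak evidence; the correlation across them is what the Detection cells ask for.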
Spamming |
Spamming |
Application
Network |
Overloading a system with incoming messages or other traffic until buffers, disk or swap space are exhausted and the system crashes (a form of denial of service) |
Repeated system crashes, eventually traced to overfull buffer or swap space |
Open (publicly reachable) networks especially vulnerable |
Require authentication fields in message traffic |
Monitor disk partitions, network sockets, etc. for overfull conditions |
Analyze message headers to attempt trace back to perpetrator |
Tunneling |
Tunneling |
Network |
Any digital attack that attempts to get "under" a security system by accessing very low level system
functions (e.g., device drivers, OS kernels) |
Bizarre system behaviors such as unexpected disk accesses, unexplained device failures, halted security software, etc. |
Tunneling attacks often occur by creating system emergencies to cause system reloading or initialization |
Design security and audit capabilities into even the lowest level software, such as device drivers, shared libraries, etc. |
Changes in date/time stamps for low level system files or changes in sector/block counts for device drivers |
Patch or replace compromised drivers to prevent access
Monitor suspected access points to attempt trace back to perpetrator |
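The Virus and Bacterium rows list changes in file sizes and date/time stamps as detection, and the Tunneling row lists the same for low-level system files. A size and timestamp comparison alone misses a replacement whose length matches and whose timestamp the attacker restores, so the added example below (not from the original table) records a content hash alongside them and classifies each file accordingly. The directory tree is constructed in a temporary location; the baseline format is illustrative, not any particular tool's.

```python
"""File integrity baseline: the size and date/time stamp checks the Virus,
Bacterium and Tunneling rows list for detection, plus a content hash that
catches a replacement whose size and timestamp were restored. Added example,
not from the original table; the directory tree below is constructed in a
temporary location."""
import hashlib
import os
import tempfile


def sha256_file(path, chunk=65536):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def baseline(root):
    """Size, mtime and SHA-256 of every regular file under root, keyed by
    path relative to root."""
    entries = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.stat(path)
            entries[os.path.relpath(path, root)] = {
                "size": st.st_size,
                "mtime_ns": st.st_mtime_ns,
                "sha256": sha256_file(path),
            }
    return entries


def compare(old, new):
    """Classify each path: added, removed, modified (content and metadata
    changed), stealth (content changed but size and timestamp preserved, which
    a size/timestamp-only check would miss) or touched (metadata changed,
    content identical)."""
    findings = {k: [] for k in ("added", "removed", "modified", "stealth", "touched")}
    for rel in sorted(set(old) | set(new)):
        if rel not in old:
            findings["added"].append(rel)
        elif rel not in new:
            findings["removed"].append(rel)
        else:
            o, n = old[rel], new[rel]
            same_meta = o["size"] == n["size"] and o["mtime_ns"] == n["mtime_ns"]
            if o["sha256"] != n["sha256"]:
                findings["stealth" if same_meta else "modified"].append(rel)
            elif not same_meta:
                findings["touched"].append(rel)
    return findings


def demo():
    """Build a small tree, baseline it, simulate an infection, re-check."""
    with tempfile.TemporaryDirectory() as root:
        def write(rel, data):
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(data)

        write("bin/app", b"legit program code\n")
        write("lib/driver.ko", b"device driver v1\n")
        write("etc/config", b"key=value\n")
        before = baseline(root)

        # A virus appends itself to bin/app (size grows).
        write("bin/app", b"legit program code\nVIRUS BODY\n")
        # A tunneling attacker swaps the driver for one of identical length and
        # puts the original timestamp back; only the hash still differs.
        drv = os.path.join(root, "lib/driver.ko")
        st = os.stat(drv)
        write("lib/driver.ko", b"device driver vX\n")
        os.utime(drv, ns=(st.st_atime_ns, st.st_mtime_ns))
        # A dropped file appears.
        write("tmp/dropper", b"x")
        return compare(before, baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:9s} {paths}")
```

The baseline must be taken from known-clean media and kept off the monitored host, since a tunneling attacker with driver-level access can otherwise rewrite it along with the files it describes; that is the same reason the Spoofing row says to run automated monitoring off-line.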
Unintentional Threats |
Category |
Threat |
OSI Layer |
Definition |
Typical Behaviors |
Vulnerabilities |
Prevention |
Detection |
Countermeasures |
Malfunction |
Equipment Malfunction |
All |
Hardware operates in abnormal, unintended mode |
Immediate loss of data due to abnormal shutdown
Continuing loss of capability until equipment is repaired |
Vital peripheral equipment is often more vulnerable than the computers themselves |
Replication of entire system including all data and recent transactions |
Hardware diagnostic systems |
On-site replication of hardware components for quick recovery |
Software Malfunction |
Application |
Software behavior is in conflict with intended behavior |
Immediate loss of data due to abnormal end
Repeated system failure when re-fed "faulty" data |
Software developed using ad hoc rather than defined formal processes |
Comprehensive testing procedures and software designed for graceful degradation |
Software diagnostic tools |
Backup software and robust operating systems facilitate quick recovery |
Human Error |
Trap Door
(Back door) |
Application |
System access for developers inadvertently left available after software delivery |
Unauthorized system access enables viewing, alteration or destruction of data or software |
Software developed outside defined organizational policies and formal methods |
Enforce defined development policies
Limit network and physical access |
Audit trails of system usage, especially user identification logs |
Close Trap Door or monitor ongoing access to trace back to perpetrator |
User/Operator Error |
All |
Inadvertent alteration, manipulation or destruction of programs, data files or hardware |
Incorrect data entered into system or incorrect behavior of system |
Poor user documentation or training |
Enforcement of training policies and separation of programmer/operator duties |
Audit trails of system transactions |
Backup copies of software and data
On-site replication of hardware |
Physical Threats |
Category |
Threat |
OSI Layer |
Definition |
Typical Behaviors |
Vulnerabilities |
Prevention |
Detection |
Countermeasures |
Physical Environment |
Fire Damage |
N/A |
Physical destruction of equipment due to fire or smoke damage |
Physical destruction of systems and supporting equipment |
Systems located near potential fire hazards, e.g., fuel storage tanks |
Off-site system replication, while costly, provides backup capability |
On-site smoke alarms |
Clean-agent suppression (FM-200 or similar; Halon is no longer produced but remains in some legacy installations) extinguishes electrical fires without the water damage sprinklers cause |
Water Damage |
N/A |
Physical destruction of equipment due to water (including sprinkler) damage |
Physical destruction of systems and supporting equipment |
Systems located below ground or near sprinkler systems |
Off-site system replication |
Water detection devices |
Computer rooms equipped with emergency drainage capabilities |
Power Loss |
N/A |
Computers or vital supporting equipment fail due to lack of power |
Immediate loss of unsaved data and possible corruption due to abnormal shutdown; the data does not come back when power returns
Continuing loss of capability until power returns |
Sites fed by above ground power lines are particularly vulnerable
Power loss to computer room air conditioners can also be an issue |
Dual or separate feeder lines for computers and supporting equipment |
Power level alert monitors |
Uninterruptible Power Supplies (UPS)
Full scale standby power facilities where economically feasible |
Civil Disorder Vandalism |
N/A |
Physical destruction during operations other than war |
Physical destruction of systems and supporting equipment |
Sites located in some overseas environments, especially urban environments |
Low profile facilities (no overt disclosure of high value nature of site) |
Physical intrusion detection devices |
Physical access restrictions and riot contingency policies |
Battle Damage |
N/A |
Physical destruction during military action |
Physical destruction of systems and supporting equipment |
Site located in theater |
Off-site system replication
OPSEC and low profile to prevent hostile targeting |
Network monitoring systems |
Hardened sites |