5. OPERATION PHASE
Three types of action are necessary for a secure system in the operations phase: system penetration tests and audit, monitoring and logging of the system, and incident handling. These are explained in detail in the following sections.
5.1 System Penetration Tests and Audit Process
The tools available to launch an attack have become more effective, easier to use, and more accessible to people without an in-depth knowledge of computer systems. Often a sophisticated intruder embeds an attack procedure in a programme and widely distributes it to the intruder community. Thus, people who have the desire but not the technical skill are able to break into systems. Indeed, there have been instances of intruders breaking into a UNIX system using a relatively sophisticated attack and then attempting to run DOS commands (commands that apply to an entirely different operating system).

Tools are available to examine programmes for vulnerabilities even in the absence of source code. Though these tools can help system administrators identify problems, they also help intruders find new ways to break into systems.
As in many areas of computing, the tools used by intruders have become more automated, allowing intruders to gather information about thousands of Internet hosts quickly and with minimum effort. These tools can scan entire networks from a remote location and identify individual hosts with specific weaknesses. Intruders may catalogue the information for later exploitation, share or trade it with other intruders, or attack immediately. The increased availability and usability of scanning tools means that even technically naive, would-be intruders can find new sites and particular vulnerabilities.

Some tools automate multiphase attacks in which several small components are combined to achieve a particular end. For example, intruders can use a tool to mount a denial-of-service attack on a machine and spoof that machine's address to subvert the intended victim's machine. A second example is using a packet sniffer to get router or firewall passwords, logging in to the firewall to disable filters, then using a network file service to read data on an otherwise secure server.

The trend toward automation can be seen in the distribution of software packages containing a variety of tools to exploit vulnerabilities. These packages are often maintained by competent programmers and are distributed complete with version numbers and documentation.
A typical tool package might include the following:

- network scanner
- password cracking tool and large dictionaries
- packet sniffer
- a variety of Trojan horse programmes and libraries
- tools for selectively modifying system log files
- tools to conceal current activity
- tools for automatically modifying system configuration files
- tools for reporting bogus checksums
Penetration tests of the system can be performed with a tool package of the kind listed above.
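As an added defensive example (not from the original text): the tool packages listed above modify configuration files, alter log files and report bogus checksums, and the administrator's counterpart is a baseline comparison that records file hashes in advance and later reports exactly what changed. Everything below is constructed; the directory tree, file names and contents are sample data, not taken from a real system.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Record hash and size of every regular file under root: the 'previously defined criteria'.
    In practice the baseline, and the hashing tool itself, must be kept on read-only or
    offline media, since a toolkit that reports bogus checksums targets exactly this step."""
    return {p.relative_to(root).as_posix(): {"sha256": hash_file(p), "size": p.stat().st_size}
            for p in sorted(root.rglob("*")) if p.is_file()}


def audit(root: Path, baseline: dict) -> dict:
    """Compare the current state of the tree with the baseline and report the differences."""
    current = build_baseline(root)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "missing": sorted(k for k in baseline if k not in current),
        "added": sorted(k for k in current if k not in baseline),
    }


def demo() -> dict:
    """Constructed scenario: baseline a small tree, then apply the kind of changes the
    toolkits above make (widened access control, a trimmed log, a dropped-in library)."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "etc").mkdir()
        (root / "etc" / "hosts.allow").write_text("ALL: 10.0.0.0/8\n")
        (root / "etc" / "inetd.conf").write_text("ftp stream tcp nowait root /usr/sbin/in.ftpd\n")
        (root / "var").mkdir()
        (root / "var" / "auth.log").write_text("login root from 10.0.0.5\nlogin root from 198.51.100.7\n")
        baseline = build_baseline(root)
        (root / "etc" / "hosts.allow").write_text("ALL: ALL\n")          # configuration file modified
        (root / "var" / "auth.log").write_text("login root from 10.0.0.5\n")  # one log line removed
        (root / "var" / "lib_unknown.so").write_bytes(b"\x7fELF")       # library not in baseline
        return audit(root, baseline)
```

Run `demo()` to see the three classes of finding; on a real system the same `audit()` is run against a baseline taken when the system was known to be clean.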
Audit is mainly a comparison tool. It compares the systems, networks and the objects that compose a system with previously defined security criteria. More generally, audit is