How to find vulnerabilities in routers and what to do about them. What are the types of network threats: let’s look at them in order

Network as an object of protection

Most modern automated information processing systems are distributed systems built on standard network architectures and using standard sets of network services and application software. Corporate networks “inherit” all the “traditional” methods of unauthorized intervention for local computing systems. In addition, they are characterized by specific channels of penetration and unauthorized access to information due to the use of network technologies.

Let us list the main features of distributed computing systems:

  • territorial remoteness of system components and the presence of intensive information exchange between them;
  • a wide range of used methods for presenting, storing and transmitting information;
  • integration of data for various purposes belonging to various subjects within unified databases and, conversely, placement of data required by some subjects in various remote network nodes;
  • abstracting data owners from the physical structures and location of the data;
  • use of distributed data processing modes;
  • participation in the process of automated information processing of a large number of users and personnel of various categories;
  • direct and simultaneous access to resources of a large number of users;
  • heterogeneity of the computer equipment and software used.

What are network vulnerabilities, threats and attacks?

In computer security the term “vulnerability” denotes a flaw in a system that an attacker can use to deliberately violate its integrity and cause it to operate incorrectly. Vulnerabilities can result from programming errors, flaws in system design, weak passwords, viruses and other malware, and script and SQL injection. Some vulnerabilities are known only theoretically, while others are actively exploited and have publicly known exploits.

Typically, a vulnerability allows an attacker to “trick” an application into performing an action it should not be permitted to perform. This is done by introducing data or code into the program at points where the program treats it as its own. Some vulnerabilities arise from insufficient validation of user input and allow arbitrary commands to be inserted into interpreted code (SQL injection, XSS, SiXSS). Others arise from more complex problems, such as writing data into a buffer without checking its boundaries (buffer overflow). Vulnerability scanning is sometimes called probing: probing a remote computer means searching for open network ports and for vulnerabilities in the applications listening on those ports.

A threat (in general) is usually understood as a potentially possible event, action, process or phenomenon that could lead to damage to someone’s interests. A threat to the interests of the subjects of information relations is defined as an event, process or phenomenon that, through its impact on information or on other components of the automated system (AS), can directly or indirectly lead to damage to the interests of those subjects.

A network attack is an action whose purpose is to seize control of (elevate privileges on) a remote or local computer system, destabilize it, deny service, or obtain data belonging to the users of that system.

Network attacks have become a problem for all PC users with Internet access, without exception. Many companies rely on firewalls and encryption as solutions to security problems in order to remain protected from possible threats. However, this is not always enough.

Classification of network threats

Network threats are classified into four categories:

  1. Unstructured threats;
  2. Structured threats;
  3. Internal threats;
  4. External threats.

Unstructured threats

Unstructured threats often involve unfocused attacks on one or more network systems; the attacked and infected systems may be unknown even to the perpetrator. Malicious code such as a virus, worm or Trojan horse can easily reach your PC. Some common terms to be aware of:

Virus – a malicious program that can replicate with little or no user intervention, and the replicated copies can replicate in turn.

Worm – a form of virus that spreads by creating duplicates of itself on other drives, systems or networks. For example, a worm operating on an email system can send copies of itself to every address in the email system’s address book.

Trojan horse – a program that at first glance is useful (perhaps a game or a screensaver) but in the background performs other tasks, such as deleting or changing data or capturing passwords. A true Trojan horse is technically not a virus because it does not replicate.

Unstructured attacks using code that replicates itself and sends a copy to every email user can easily cross the globe in a few hours, causing problems for networks and individuals around the world, even when the original intention was minor.

Structured threats

Structured threats are targeted at one or more individuals and are carried out by people with higher-level skills actively working to compromise the system. The attackers in this case have a specific goal. They tend to be knowledgeable about network design, security, access procedures and hacking tools, and are able to create scripts or applications to achieve their goals.

Insider threats

Insider threats come from persons with authorized access to the network. This could be a disgruntled employee or an unhappy fired employee whose access is still active. Many studies show that insider attacks can be significant in both number and loss.

External threats

External threats come from individuals outside the organization, who typically connect over the Internet or dial-up. These attackers do not have authorized access to the systems.

The classification of a particular threat may yield a combination of two or more categories. For example, an attack may be structured and come from an external source while, at the same time, one or more compromised employees inside the organization actively further the effort.

The Internet is like a planetary minefield where dangers are easy to encounter:

1. Malicious programs and, first of all, Trojans that live on fraudulent sites. They are usually disguised as useful software, and these “attractive” programs are downloaded and installed on the PC by the Internet visitor himself.
2. Websites that exploit browser vulnerabilities to download malware. Moreover, pages with dangerous code can also be placed on completely respectable sites that have been compromised by attackers.
3. Phishing sites that imitate the interface of popular sites (from email services and social networks to payment systems) in order to obtain visitors’ credentials.
4. Spam mailings received by users of almost all existing means of communication: electronic mail, instant messaging, social networks, etc. Such messages may contain purely advertising information as well as links to phishing sites or sites that distribute malicious software.
5. Interception of data transmitted in unencrypted form, through which confidential information may fall into the hands of criminals.

In fact, all the troubles associated with accessing the Internet can be avoided by following basic safety rules.

Protect physical access to computers

Your system may be protected and locked with the latest tools, but if an attacker gains physical access to it, all your efforts will be nullified. Make sure computers are never left unattended.

Do not use administrative accounts for daily work

In the Windows NT era, before the Remote Desktop Connection client and the runas command, administrators often placed their own personal accounts in the Domain Admins group. This is no longer recommended; it is better to create separate Active Directory administrative accounts (for example, for myself I could create a personal rallen account and an administrative rallen.adm account). To run programs that require administrative privileges, use the Remote Desktop Connection client or the runas command. This reduces the chance (although not by much) of accidental damage to the system.

Using a regular user account also reduces the potential damage that a virus or worm can cause to your system.

Update virus definitions and anti-spyware applications regularly

One of the reasons that viruses spread so quickly is that virus definitions are updated too infrequently. These days, new viruses and worms are appearing with alarming frequency, and to be able to combat the virus threat, it is necessary to use the latest definitions. The same applies to spyware, which today has become almost a bigger problem than viruses.

Make sure all critical patches are installed on your computer

Even if virus definitions are not updated as often as they should be, most viruses and worms can be stopped if you install critical security updates as soon as they become available. Of course, when Windows NT was widely used and Windows 2000 had just come out, this was not strictly necessary, but today a system on which new security updates are not installed for several days (and sometimes minutes) after release is completely open to new viruses and worms. We recommend that you add the following website to your favorites list and visit it periodically to stay up to date with the latest Microsoft security technologies: http://windowsupdate.microsoft.com.

Enable auditing of important activities

Windows can log specified system actions and activities; thanks to this, if a security threat arises you can trace the relevant actions, such as modification of particular files, through the event log.

Check event logs regularly

Event logs contain a lot of important information regarding system security, but they are often forgotten. Among other things, the reason for this is a large amount of “garbage” in the logs, that is, messages about insignificant events. Develop a process for centralizing and regularly reviewing event logs. Having a mechanism for regularly scanning logs will especially help you when auditing the important activities discussed in the previous section.
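The review process described in this and the previous section can be partly automated. The following is an added example, not code from the original article: it takes a few constructed log lines in a simplified pipe-separated layout (timestamp, event ID, account, source address, an assumption of this example rather than a real Windows export format), drops the chatty low-value events first, and then flags accounts with a burst of failed logons (Event ID 4625) from one source, noting whether a successful logon (4624) followed, which is what a guessed password looks like in the log.

```python
"""Event-log triage: drop noise, then flag failed-logon bursts.

Added example, not from the original article. The log lines are constructed;
the field layout is an assumption of this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: "time|event_id|account|source".
SAMPLE_LOG = """\
2024-03-01T08:00:01|4624|alice|10.0.0.5
2024-03-01T08:00:02|5156|-|10.0.0.5
2024-03-01T08:00:03|5156|-|10.0.0.5
2024-03-01T08:01:10|4625|bob|203.0.113.7
2024-03-01T08:01:12|4625|bob|203.0.113.7
2024-03-01T08:01:14|4625|bob|203.0.113.7
2024-03-01T08:01:15|4625|bob|203.0.113.7
2024-03-01T08:01:16|4625|bob|203.0.113.7
2024-03-01T08:01:40|4624|bob|203.0.113.7
2024-03-01T08:05:00|4663|carol|10.0.0.9
2024-03-01T09:30:00|4625|dave|10.0.0.12
"""

# Event IDs too chatty to review by hand (Windows Filtering Platform
# "connection allowed" events); the "garbage" the text refers to.
NOISE_EVENT_IDS = {5156, 5158}


def parse_log(text):
    """Return a list of (time, event_id, account, source) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, eid, account, source = line.split("|")
        events.append((datetime.fromisoformat(ts), int(eid), account, source))
    return events


def drop_noise(events):
    """Remove high-volume, low-value events before review."""
    return [e for e in events if e[1] not in NOISE_EVENT_IDS]


def failed_logon_bursts(events, threshold=5, window=timedelta(minutes=5)):
    """Flag (account, source) pairs with >= threshold failures inside `window`,
    and record whether a success for the same pair came after the burst."""
    failures = defaultdict(list)
    successes = defaultdict(list)
    for ts, eid, account, source in events:
        key = (account, source)
        if eid == 4625:
            failures[key].append(ts)
        elif eid == 4624:
            successes[key].append(ts)

    alerts = []
    for key, times in failures.items():
        times.sort()
        start = 0                       # sliding window over sorted timestamps
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                followed = any(s > times[end] for s in successes.get(key, []))
                alerts.append({"account": key[0], "source": key[1],
                               "failures": end - start + 1,
                               "success_after_burst": followed})
                break                   # one alert per pair is enough
    return alerts


def review(text):
    """Full pipeline: parse, drop noise, return (kept_event_count, alerts)."""
    kept = drop_noise(parse_log(text))
    return len(kept), failed_logon_bursts(kept)


if __name__ == "__main__":
    count, alerts = review(SAMPLE_LOG)
    print(f"{count} events kept after noise filtering")
    for alert in alerts:
        print(alert)
```

On the sample, two noise events are dropped, nine are kept, and one alert is raised: five failures for bob from 203.0.113.7 within six seconds, followed by a successful logon. A single failure (dave) stays below the threshold and is not reported.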

Develop an action plan in case of attack

Most people think that nothing like this will ever happen to them, but life shows that this is far from the case. In reality, most users do not have even a fraction of the security knowledge that “professional” attackers can boast of. If a specific attacker (or worse, a group of attackers) has their eye on your organization, you will need to use all your dexterity, intelligence and knowledge to prevent infiltration of the system. Even the largest companies in the world have been attacked. The moral is this: everyone should be prepared for the fact that the target of the next attack may be their system. What to do?
Here are some helpful links to help you develop a response plan.


The article is intended for those who have begun to think about network security, or continue to do so and are strengthening the protection of their web applications against new threats; after all, you first need to understand what the threats may be in order to prevent them.

For some reason, the need to think about network security is considered the right of only large companies, such as , and , or , which openly announce competitions for finding vulnerabilities and improve the security of their products, web applications and network infrastructures in every possible way. At the same time, the vast majority of existing web systems contain “holes” of various types (90% of systems contain medium-risk vulnerabilities).

What is a network threat or network vulnerability?

WASC (Web Application Security Consortium) has identified several basic classes, each of which contains several groups of common vulnerabilities whose exploitation can cause damage to a company. The full classification is laid out in the form, and in Russian there is a translation of the previous version from InfoSecurity, which will be used as the basis for the classification below and significantly expanded.

Main groups of website security threats

Insufficient authentication when accessing resources

This group of threats includes attacks based on Selection, Abuse of Functionality and Predictable Resource Location. The main difference from insufficient authorization is that the rights (or capabilities) of an already authorized user are insufficiently verified: for example, a regular authorized user can gain administrative rights simply by knowing the address of the control panel if access rights are not properly checked.

Such attacks can only be countered effectively at the application-logic level. Some of them (for example, overly frequent brute-force attempts) can also be blocked at the network-infrastructure level.

Insufficient authorization

This includes attacks aimed at easily brute-forcing access credentials or exploiting errors in the checks made when access to the system is granted. In addition to the Selection techniques, this covers Access Guessing and Session Fixing.

Protection against attacks from this group requires that the user authorization system meet a set of reliability requirements.
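The two groups above come down to three checks in application logic: a per-route role check (so knowing the control panel address is not enough), throttling of failed logins against brute-force guessing, and issuing a fresh session ID at login so a session fixed by the client is never adopted. The following is an added example, not code from the original article or from WASC; the user store, routes, lockout limits and the `App` class are constructed for illustration, and the vulnerable handler is kept beside the fixed one to show the difference.

```python
"""Access-control checks: route-level role check, login throttling,
fresh session id at login. Added example; everything here is constructed."""
import hashlib
import hmac
import secrets
import time

_SALT = b"constructed-static-salt"   # a real system salts per user


def _hash(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 50_000)


_DUMMY_HASH = _hash("dummy")          # compared against for unknown users

# Constructed user store: username -> (password hash, role).
USERS = {
    "alice": (_hash("alice-pw"), "user"),
    "root": (_hash("root-pw"), "admin"),
}
# Role each route requires; "admin" routes are closed to plain users.
ROUTES = {"/profile": "user", "/admin": "admin"}

MAX_FAILURES = 5          # failed logins allowed per account ...
LOCK_WINDOW = 15 * 60     # ... within this many seconds


class App:
    def __init__(self):
        self.sessions = {}    # session id -> username
        self.failures = {}    # username -> timestamps of recent failures

    def login(self, username, password, presented_session=None, now=None):
        """Return a new session id on success, None on failure or lock-out."""
        now = time.time() if now is None else now
        recent = [t for t in self.failures.get(username, []) if now - t < LOCK_WINDOW]
        self.failures[username] = recent
        if len(recent) >= MAX_FAILURES:
            return None                  # throttled, even if the password is right
        record = USERS.get(username)
        candidate = _hash(password)      # always do the work: no timing hint on usernames
        stored = record[0] if record else _DUMMY_HASH
        ok = record is not None and hmac.compare_digest(stored, candidate)
        if not ok:
            recent.append(now)
            return None
        # Session fixation defence: never keep an id the client arrived with.
        self.sessions.pop(presented_session, None)
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = username
        return sid

    def request_vulnerable(self, session_id, path):
        """Only checks that the caller is logged in: any user can open /admin."""
        if session_id not in self.sessions or path not in ROUTES:
            return 403
        return 200

    def request(self, session_id, path):
        """Checks the caller's role against what the route requires."""
        user = self.sessions.get(session_id)
        if user is None or path not in ROUTES:
            return 403
        role = USERS[user][1]
        if ROUTES[path] == "admin" and role != "admin":
            return 403
        return 200
```

Note that the lockout is applied before the password is verified, so a correct password supplied during the lockout window is still refused; the window expires on its own rather than requiring an administrator to unlock the account.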

This group includes all techniques for changing the content of a website without any interaction with the server that serves the requests, i.e. the threat is realized through the user’s browser (although usually the browser itself is not the “weak link”; the problem lies in content filtering on the server side) or through an intermediate cache server. Attack types: Content Spoofing, Cross-Site Scripting (XSS), Redirect Abuse, Cross-Site Request Forgery, HTTP Response Splitting, HTTP Response Smuggling, Routing Bypass, HTTP Request Splitting and HTTP Request Smuggling.

A significant part of these threats can be blocked when configuring the server environment, but web applications must also carefully filter both incoming data and the responses sent to users.
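What "filtering the responses" means in practice for four of the attack types listed above, as an added example that is not code from the original article: untrusted text is HTML-escaped before it reaches the browser (XSS, content spoofing), header values containing CR or LF are refused (HTTP response splitting), redirect targets are restricted to the site's own paths and hosts (redirect abuse), and a per-session token is compared in constant time (cross-site request forgery). The allowed host and the sample inputs are constructed; the `_unsafe` function is kept only to show what the fixed version prevents.

```python
"""Server-side output filtering against client-side attacks.
Added example; host list and inputs are constructed."""
import html
import hmac
import secrets
from urllib.parse import urlparse

ALLOWED_REDIRECT_HOSTS = ("example.com",)   # constructed: the site's own host


def render_comment_unsafe(comment):
    """User text dropped into HTML as-is: markup in `comment` is interpreted."""
    return f"<p class='comment'>{comment}</p>"


def render_comment(comment):
    """Escapes the HTML metacharacters so user text is displayed, never executed."""
    return f"<p class='comment'>{html.escape(comment, quote=True)}</p>"


def header_value_ok(value):
    """CR/LF in a header value would end the header block early and let the
    rest of the value be read as further headers or a second response."""
    return "\r" not in value and "\n" not in value


def set_header(headers, name, value):
    """Add a header only if neither name nor value can break the header block."""
    if not header_value_ok(value) or not header_value_ok(name) or ":" in name:
        raise ValueError("control characters in header")
    headers[name] = value
    return headers


def safe_redirect_target(target):
    """Allow only site-relative paths or absolute URLs on an allowed host;
    everything else (other hosts, scheme-relative //host, javascript:) goes home."""
    parsed = urlparse(target)
    if (not parsed.scheme and not parsed.netloc
            and target.startswith("/") and not target.startswith("//")):
        return target
    if parsed.scheme in ("http", "https") and parsed.hostname in ALLOWED_REDIRECT_HOSTS:
        return target
    return "/"


def new_csrf_token():
    """Token stored in the session and echoed in each state-changing form."""
    return secrets.token_hex(16)


def csrf_ok(session_token, submitted_token):
    """Constant-time check of the session's token against the submitted one."""
    if not session_token or not submitted_token:
        return False
    return hmac.compare_digest(session_token, submitted_token)
```

The escaping is done at output time, not at input time: the same comment text may later be sent to a JSON API or a log file, where HTML entities would be wrong, so the encoding has to match the context in which the data is finally used.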

Executing Code

Code execution attacks are the classic examples of website hacking through vulnerabilities: by sending a specially prepared request to the server, an attacker can execute his own code and gain access to the hosting where the site is located. Attacks: Buffer Overflow, Format String, Integer Overflow, LDAP Injection, Mail Injection, Null Byte, OS Command Execution, Remote File Inclusion (RFI), SSI Injection, SQL Injection, XPath Injection, XML Injection, XQuery Injection and XXE Injection.

Not all of these attack types may affect your website, but they are properly blocked only at the level of a WAF (Web Application Firewall) or of data filtering in the web application itself.
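Two of the injection types above, SQL Injection and OS Command Execution, share one root cause: user data is assembled into a string that a parser (the database, the shell) then reads as code. The following added example, not code from the original article, shows the vulnerable string-building form beside the form that keeps data and code apart, using an in-memory SQLite table constructed for the example. The command-injection half only returns the command it would run, so nothing is executed.

```python
"""SQL injection and OS command injection: vulnerable and fixed forms.
Added example; the table, rows and hosts are constructed."""
import sqlite3


def make_db():
    """Constructed in-memory table with two rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "alice@example.com"), ("bob", "bob@example.com")])
    return conn


def lookup_vulnerable(conn, name):
    """User input concatenated into the statement: the input can change
    what the query means, not just what it compares against."""
    sql = "SELECT email FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup(conn, name):
    """Parameterised statement: the input is bound as a value and the
    database never parses it as SQL."""
    rows = conn.execute("SELECT email FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


def host_ok(host):
    """Allow-list for a host argument: letters, digits, dots and hyphens only."""
    return bool(host) and all(c.isalnum() or c in ".-" for c in host)


def ping_command_vulnerable(host):
    """One shell string: shell metacharacters inside `host` become extra
    commands. Returned as a string, not executed, so the example stays inert."""
    return "ping -c 1 " + host


def ping_command(host):
    """Argument vector for subprocess.run(..., shell=False): the whole value
    is a single argument to ping, and it is validated first."""
    if not host_ok(host):
        raise ValueError("invalid host")
    return ["ping", "-c", "1", host]
```

With the textbook input `x' OR '1'='1`, the concatenated query returns every row, while the parameterised query looks for a user literally named that and returns nothing. The allow-list on the host argument is the second line of defence; the first is never handing the string to a shell at all.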

Disclosure of Information

Attacks from this group are not a pure threat to the site itself (the site does not suffer from them directly), but they can harm the business or be used to carry out other types of attacks. Types: Fingerprinting and Directory Traversal.

Proper configuration of the server environment will allow you to completely protect yourself from such attacks. However, you also need to pay attention to the web application's error pages (which can contain a lot of technical information) and handling of the file system (which can be compromised by insufficient input filtering). It also happens that links to some site vulnerabilities appear in the search index, and this in itself is a significant security threat.
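The two application-side points in this paragraph, file-system handling and error pages, are shown together in the following added example, which is not code from the original article: a user-supplied file name is resolved against a fixed document root and rejected if it escapes it (Directory Traversal) or contains a null byte, and any failure produces a generic response while the detail, which would name real paths, goes to the log. The document root is a temporary directory the example creates itself.

```python
"""Directory-traversal check and generic error responses.
Added example; the document root and its one file are constructed."""
import os
import tempfile

DOC_ROOT = tempfile.mkdtemp(prefix="docroot-")
with open(os.path.join(DOC_ROOT, "readme.txt"), "w") as fh:
    fh.write("public file\n")


def resolve_under_root(root, user_path):
    """Return the absolute path if it lies inside `root`, else None.

    Works on the resolved (symlink-free) path, so '..' segments, absolute
    paths and symlinks pointing outside the root are all rejected.
    """
    if "\x00" in user_path:
        return None                         # null byte truncation tricks
    root = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root, user_path.lstrip("/\\")))
    if candidate == root or candidate.startswith(root + os.sep):
        return candidate
    return None


def serve_file(user_path, log):
    """Serve a file under DOC_ROOT; on any error, log the detail and
    return a generic (status, body) pair."""
    path = resolve_under_root(DOC_ROOT, user_path)
    if path is None:
        log.append(f"rejected path {user_path!r}")
        return 404, "Not found"
    try:
        with open(path) as fh:
            return 200, fh.read()
    except OSError as exc:
        # The exception text names real paths and OS details: keep it in
        # the log, not in the response body.
        log.append(f"{user_path!r}: {exc}")
        return 404, "Not found"
```

The comparison is made on `realpath` output rather than on the raw string, because a prefix check on the unresolved path can be defeated by a symlink inside the root, and leading slashes are stripped so that an absolute path is treated as relative to the root instead of replacing it.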

Logical attacks

This group includes all remaining attacks, whose feasibility lies mainly in limited server resources. In particular, these are Denial of Service and the more targeted SOAP Abuse, XML Attribute Overflow and XML Entity Expansion.

Protection against them is possible only at the web application level or by blocking suspicious requests (on network equipment or web proxies), and as new kinds of targeted attacks emerge, web applications need to be audited for vulnerabilities.
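"Blocking suspicious requests" for this group, as an added example that is not code from the original article: a per-client token bucket limits request rate (Denial of Service), a body-size cap bounds memory, and a cheap pre-parse check refuses XML bodies that declare a DOCTYPE or entities (XML Entity Expansion) or put an absurd number of attributes on one element (XML Attribute Overflow) before a real parser spends resources on them. The limits, client addresses and request bodies are constructed.

```python
"""Resource-exhaustion guard: token bucket, size cap, XML pre-checks.
Added example; limits and sample requests are constructed."""
import re

MAX_BODY = 64 * 1024            # constructed limit
MAX_ATTRS_PER_ELEMENT = 50      # constructed limit


class TokenBucket:
    """Allows `rate` requests per second per client, with bursts up to `capacity`."""

    def __init__(self, rate, capacity):
        self.rate, self.capacity = rate, capacity
        self.state = {}          # client -> (tokens, last_time)

    def allow(self, client, now):
        tokens, last = self.state.get(client, (self.capacity, now))
        tokens = min(self.capacity, tokens + (now - last) * self.rate)
        if tokens >= 1:
            self.state[client] = (tokens - 1, now)
            return True
        self.state[client] = (tokens, now)
        return False


_DOCTYPE = re.compile(rb"<!\s*(DOCTYPE|ENTITY)", re.IGNORECASE)
# start tag with its attribute list captured in group 2
_START_TAG = re.compile(
    rb"<([A-Za-z_][\w.:-]*)((?:\s+[\w.:-]+\s*=\s*(?:\"[^\"]*\"|'[^']*'))*)\s*/?>")
_ATTR = re.compile(rb"[\w.:-]+\s*=")


def xml_body_ok(body):
    """Reject bodies a parser should never see: entity declarations and
    elements carrying an absurd number of attributes."""
    if _DOCTYPE.search(body):
        return False
    for m in _START_TAG.finditer(body):
        if len(_ATTR.findall(m.group(2))) > MAX_ATTRS_PER_ELEMENT:
            return False
    return True


def guard(bucket, client, now, body, content_type="application/xml"):
    """Return (allowed, reason) for one request, cheapest checks first."""
    if not bucket.allow(client, now):
        return False, "rate limit"
    if len(body) > MAX_BODY:
        return False, "body too large"
    if content_type.endswith("xml") and not xml_body_ok(body):
        return False, "suspicious xml"
    return True, "ok"
```

The order of the checks matters: the rate limit and the length check cost nothing, while the regular-expression scan is proportional to body size, so it runs only on requests that have already passed the first two. Refusing any DOCTYPE is stricter than strictly necessary, but a web service that does not consume external schemas loses nothing by it.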

DDoS attacks

As should be clear from the classification, a DDoS attack in the professional sense is always the exhaustion of server resources in one way or another. Other methods are not directly related to a DDoS attack but represent one or another type of site vulnerability. Wikipedia also describes protection methods in sufficient detail; I will not duplicate them here.