| Exploit | Description | Notes |
| --- | --- | --- |
| Null or Default Passwords | Leaving administrative passwords blank or using a default password set by the product vendor. This is most common in hardware such as routers and BIOSes, though some services that run on Linux can contain default administrator passwords (though Red Hat Enterprise Linux does not ship with them). | Commonly associated with networking hardware such as routers, firewalls, VPNs, and network attached storage (NAS) appliances.<br>Common in many legacy operating systems, especially OSes that bundle services such as UNIX and Windows.<br>Administrators sometimes create privileged users in a rush and leave the password null, a perfect entry point for malicious users who discover the user. |
| Default Shared Keys | Secure services sometimes package default security keys for development or evaluation testing purposes. If these keys are left unchanged and are placed in a production environment on the Internet, any user with the same default keys has access to that shared-key resource, and any sensitive information contained in it. | Most common in wireless access points and preconfigured secure server appliances.<br>CIPE (refer to Chapter 6 Virtual Private Networks) contains a sample static key that must be changed before deployment in a production environment. |
| IP Spoofing | A remote machine acts as a node on your local network, finds vulnerabilities with your servers, and installs a backdoor program or trojan to gain control over your network resources. | Spoofing is quite difficult as it involves the attacker predicting TCP/IP SYN-ACK numbers to coordinate a connection to target systems, but several tools are available to assist crackers in carrying out such an attack.<br>Depends on the target system running services (such as rsh, telnet, FTP and others) that use source-based authentication techniques, which are not recommended when compared to PKI or other forms of encrypted authentication used in ssh or SSL/TLS. |
| Eavesdropping | Collecting data that passes between two active nodes on a network by eavesdropping on the connection between the two nodes. | This type of attack works mostly with plain text transmission protocols such as Telnet, FTP, and HTTP transfers.<br>A remote attacker must have access to a compromised system on a LAN in order to perform such an attack; usually the cracker has used an active attack (such as IP spoofing or man-in-the-middle) to compromise a system on the LAN.<br>Preventative measures include services with cryptographic key exchange, one-time passwords, or encrypted authentication to prevent password snooping; strong encryption during transmission is also advised. |
| Service Vulnerabilities | An attacker finds a flaw or loophole in a service run over the Internet; through this vulnerability, the attacker compromises the entire system and any data that it may hold, and could possibly compromise other systems on the network. | HTTP-based services such as CGI are vulnerable to remote command execution and even interactive shell access. Even if the HTTP service runs as a non-privileged user such as "nobody", information such as configuration files and network maps can be read, or the attacker can start a denial of service attack which drains system resources or renders the system unavailable to other users.<br>Services sometimes have vulnerabilities that go unnoticed during development and testing; these vulnerabilities (such as buffer overflows, where an attacker gains access by writing more data into a buffer than the service allocated for it, crashing the service and giving the attacker an interactive command prompt from which they may execute arbitrary commands) can give complete administrative control to an attacker.<br>Administrators should make sure that services do not run as the root user, and should stay vigilant for patches and errata updates for applications from vendors or security organizations such as CERT and CVE. |
| Application Vulnerabilities | Attackers find faults in desktop and workstation applications such as e-mail clients and execute arbitrary code, implant trojans for future compromise, or crash systems. Further exploitation can occur if the compromised workstation has administrative privileges on the rest of the network. | Workstations and desktops are more prone to exploitation as workers do not have the expertise or experience to prevent or detect a compromise; it is imperative to inform individuals of the risks they are taking when they install unauthorized software or open unsolicited email attachments.<br>Safeguards can be implemented such that email client software does not automatically open or execute attachments. Additionally, the automatic update of workstation software via Red Hat Network or other system management services can alleviate the burdens of multi-seat security deployments. |
| Denial of Service (DoS) Attacks | An attacker or group of attackers coordinate against an organization's network or server resources by sending unauthorized packets to the target host (either server, router, or workstation). This forces the resource to become unavailable to legitimate users. | The most reported DoS case in the US occurred in 2000. Several highly-trafficked commercial and government sites were rendered unavailable by a coordinated ping flood attack using several compromised systems with high bandwidth connections acting as zombies, or redirected broadcast nodes.<br>Source packets are usually forged (as well as rebroadcast), making investigation of the true source of the attack difficult.<br>Advances in ingress filtering (IETF RFC 2267) using iptables and network IDSes such as snort assist administrators in tracking down and preventing distributed DoS attacks. |
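The "Null or Default Passwords" row warns that privileged accounts are sometimes created with an empty password. The following POSIX shell audit is an added example, not part of the guide: it reads shadow-format entries, reports every account whose password field is empty, and cross-references a passwd-format listing to single out UID 0 (privileged) accounts. The passwd and shadow samples are constructed for the example; the hash value in them is a placeholder, not real key material.

```shell
#!/bin/sh
# Constructed sample input (not a real /etc/passwd or /etc/shadow).
# In /etc/shadow, field 2 is the password hash; an empty field 2 means
# the account has no password at all ("null password").
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
dbadmin:x:0:0:db admin:/home/dbadmin:/bin/bash
deploy:x:1001:1001::/home/deploy:/bin/bash
backup:x:34:34::/var/backups:/sbin/nologin
svc_tmp:x:1002:1002::/home/svc_tmp:/bin/sh'

SAMPLE_SHADOW='root:$6$saltsalt$placeholderhash:19000:0:99999:7:::
dbadmin::19000:0:99999:7:::
deploy:!:19000:0:99999:7:::
backup:*:19000:0:99999:7:::
svc_tmp::19001:0:99999:7:::'

# find_null_passwords: read shadow-format text on stdin and print, one per
# line, the usernames whose password field is empty. Locked accounts
# ("!" or "*" in field 2) are not null passwords and are not reported.
find_null_passwords() {
    awk -F: '$2 == "" { print $1 }'
}

# null_password_count SHADOW_TEXT: how many null-password accounts exist.
null_password_count() {
    printf '%s\n' "$1" | find_null_passwords | wc -l | tr -d ' '
}

# privileged_null_passwords PASSWD_TEXT SHADOW_TEXT: print accounts that
# have UID 0 in the passwd data AND an empty password field in the shadow
# data. These are the "privileged user created in a rush" cases.
privileged_null_passwords() {
    pw=$(mktemp) || return 1
    sh=$(mktemp) || return 1
    printf '%s\n' "$1" > "$pw"
    printf '%s\n' "$2" > "$sh"
    # First pass (NR==FNR) collects UID 0 names; second pass scans shadow.
    awk -F: 'NR == FNR { if ($3 == 0) uid0[$1] = 1; next }
             $2 == "" && ($1 in uid0) { print $1 }' "$pw" "$sh"
    rm -f "$pw" "$sh"
}

# Typical use on a real host (reading /etc/shadow requires root):
#   find_null_passwords < /etc/shadow
#   privileged_null_passwords "$(cat /etc/passwd)" "$(cat /etc/shadow)"
# A flagged account should be locked (passwd -l NAME) until a password
# is set, so it cannot be used as an entry point in the meantime.
```

On the sample data, `find_null_passwords` reports dbadmin and svc_tmp, while `privileged_null_passwords` narrows that to dbadmin, the only UID 0 account without a password. The audit deliberately ignores `!` and `*` entries, which are locked accounts rather than passwordless ones.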
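The "Default Shared Keys" row says that a vendor's sample key (the guide names the CIPE static key) must be replaced before deployment. The following check is an added example, not code from the guide or from CIPE: it fingerprints deployed key material and compares it against a list of known sample keys, flags keys that are shorter than a required minimum, and generates a fresh replacement. The "known default" keys here are constructed placeholders, not any real product's keys, and the key format (a hex string) is an assumption made for the example.

```shell
#!/bin/sh
# key_fingerprint KEY: a stable fingerprint of key material using POSIX
# cksum, so the audit list below can hold fingerprints instead of the
# sample keys themselves.
key_fingerprint() {
    printf '%s' "$1" | cksum | cut -d' ' -f1
}

# Constructed placeholders standing in for vendor sample keys shipped in
# example configurations. Not real product keys.
KNOWN_DEFAULT_KEYS='deadbeefdeadbeefdeadbeefdeadbeef
0123456789abcdef0123456789abcdef'

# Fingerprints of the known samples, computed once at load time.
KNOWN_DEFAULT_FPS=$(printf '%s\n' "$KNOWN_DEFAULT_KEYS" | while read -r k; do
    key_fingerprint "$k"
done)

# is_default_key KEY: exit 0 if KEY matches a known vendor sample.
is_default_key() {
    printf '%s\n' "$KNOWN_DEFAULT_FPS" | grep -qx "$(key_fingerprint "$1")"
}

# audit_shared_key KEY MIN_CHARS: prints one of
#   DEFAULT   - key is a known vendor sample and must be replaced
#   TOO_SHORT - key has fewer than MIN_CHARS characters
#   OK        - neither problem detected
audit_shared_key() {
    if is_default_key "$1"; then
        echo DEFAULT
    elif [ "${#1}" -lt "$2" ]; then
        echo TOO_SHORT
    else
        echo OK
    fi
}

# new_shared_key: 16 random bytes from /dev/urandom as 32 hex characters,
# using only POSIX od/tr so no extra tooling is required.
new_shared_key() {
    od -An -N16 -tx1 /dev/urandom | tr -d ' \n'
}

# Typical use before an appliance or VPN endpoint goes into production:
#   audit_shared_key "$(cat /path/to/deployed.key)" 32
# A DEFAULT or TOO_SHORT verdict means the key must be regenerated
# (for example with new_shared_key) and redistributed to both peers.
```

Keeping fingerprints rather than the sample keys in the audit list means the audit script itself is not another copy of the vendor key. The minimum-length threshold is a policy choice passed in by the caller; 32 hex characters (128 bits) is used in the usage line as an example value.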
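The IP Spoofing and DoS rows both come down to forged source addresses, and the DoS row names RFC 2267 ingress filtering with iptables as the countermeasure. The following POSIX shell script is an added example, not from the guide: it implements the RFC 2267 decision (a packet arriving on the Internet-facing interface that claims a source inside your own network, or a loopback source, cannot be genuine and is dropped), runs it over constructed sample packets, and prints the equivalent iptables rules. The topology (eth0 external, eth1 internal, internal prefix 192.168.10.0/24) and the sample packets are assumptions made for the example; the rules are printed, not applied, since applying them requires root and the real interface names.

```shell
#!/bin/sh
# Assumed topology for this example: eth0 faces the Internet, eth1 faces
# the internal network 192.168.10.0/24.
EXT_IF=eth0
INT_NET=192.168.10.0/24

# ip_to_int DOTTED_QUAD: print the address as a 32-bit integer.
ip_to_int() {
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr IP CIDR: exit 0 if IP lies inside CIDR (e.g. 192.168.10.0/24).
in_cidr() {
    net=${2%/*}; bits=${2#*/}
    mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# ingress_verdict IFACE SRC_IP: DROP a packet that arrives on the external
# interface but claims an internal or loopback source address; anything
# else passes to the rest of the ruleset (ACCEPT here).
ingress_verdict() {
    iface=$1; src=$2
    if [ "$iface" = "$EXT_IF" ]; then
        if in_cidr "$src" "$INT_NET" || in_cidr "$src" 127.0.0.0/8; then
            echo DROP
            return 0
        fi
    fi
    echo ACCEPT
}

# iptables_rules: the netfilter rules equivalent to ingress_verdict.
# -A appends to a chain, -i matches the inbound interface, -s the source
# address, -j the target. Printed only; run as root to apply.
iptables_rules() {
    cat <<EOF
iptables -A INPUT   -i $EXT_IF -s $INT_NET    -j DROP
iptables -A INPUT   -i $EXT_IF -s 127.0.0.0/8 -j DROP
iptables -A FORWARD -i $EXT_IF -s $INT_NET    -j DROP
EOF
}

# Constructed sample packets as "interface source_ip" pairs.
SAMPLE_PACKETS='eth0 203.0.113.7
eth0 192.168.10.44
eth0 127.0.0.1
eth1 192.168.10.44'

# classify_packets: print each sample packet with its verdict.
classify_packets() {
    printf '%s\n' "$SAMPLE_PACKETS" | while read -r iface src; do
        printf '%s %s %s\n' "$iface" "$src" "$(ingress_verdict "$iface" "$src")"
    done
}

classify_packets
iptables_rules
```

Of the four sample packets only the first (a public source on eth0) and the last (an internal source on the internal interface) are accepted; the two that claim an internal or loopback source while arriving from the Internet are dropped. This filter does not stop a spoofed packet that claims some other public address, which is why RFC 2267 asks every network to filter at its own edge so that forged sources are dropped close to where they originate.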