Understanding Vulnerability, Part Two – How do adversaries launch attacks to exploit vulnerabilities?

Sep 19, 2006 | Ideas & Insights

Understanding Vulnerability
By David E. Stern, CISSP
This is part 2 of a 3-part series about truly understanding vulnerabilities and using that knowledge to make a difference in the way you practice information security.


How do adversaries launch attacks to exploit vulnerabilities?

Like an explosive charge, an exploit needs to be delivered to its target to be of any use. As in the previous section, we will broadly define four types of delivery method that are commonly used today: viruses, worms, tools, and L33t Ninja Magic.

Viruses predate almost every mainstream commercial networking system. A virus attacks the most fundamental parts of a system. The most distinguishing characteristic of a computer virus is its lack of mobility: viruses need to catch a ride with an email or a program, or be brought in by other, already established viruses. As with the human body, a system without anti-virus capabilities does not stand a chance against the computer virus. A virus does not necessarily need to exploit a programming weakness in a system, since it is usually let onto the system by the owner, who gives it whatever access level the owner has. Usually, the system owner opens a harmless-looking email or views a funny video, and that is all it takes to unleash a hidden virus onto the system. There are some viruses, however, that launch local exploits to do their damage.

Worms are the logical evolutionary next step after viruses. Worms are also known as malicious code or mobile code, in that they have the capability to move themselves across a network. A worm is itself a delivery mechanism that may carry a specific exploit or may be designed to act as a carrier with multiple uses. A worm will have a detection module that looks for other systems vulnerable to its exploit, as well as a module that launches the exploit against vulnerable targets. Many worms also have the capability to “phone home” for instructions from their creator once they have established themselves. Successful worms like the infamous Red Alert, Blaster, and Slammer propagated at exponential rates.
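The target-discovery module described above has a visible signature on the defender's side: one source opening connections to many distinct hosts on a single port in a short time. As an added example (not from the original article), the following Python detector flags that fan-out pattern over constructed connection-log lines; the log format, window and threshold are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample records (not real traffic): "epoch_seconds src dst dport".
# 10.0.0.9 probes a run of hosts on port 445 within a few seconds, while
# 10.0.0.5 is an ordinary client talking to two servers.
SAMPLE_LOG = """\
1158624000 10.0.0.5 10.0.0.1 80
1158624000 10.0.0.9 10.0.0.11 445
1158624001 10.0.0.9 10.0.0.12 445
1158624001 10.0.0.5 10.0.0.2 443
1158624002 10.0.0.9 10.0.0.13 445
1158624002 10.0.0.9 10.0.0.14 445
1158624003 10.0.0.9 10.0.0.15 445
1158624003 10.0.0.5 10.0.0.1 80
1158624004 10.0.0.9 10.0.0.16 445
1158624300 10.0.0.9 10.0.0.17 445
garbage line
"""

def parse_log(text):
    """Parse 'ts src dst dport' lines into sorted tuples; malformed lines
    are skipped rather than allowed to crash the detector."""
    records = []
    for parts in (line.split() for line in text.splitlines()):
        if len(parts) == 4 and parts[0].isdigit() and parts[3].isdigit():
            records.append((int(parts[0]), parts[1], parts[2], int(parts[3])))
    return sorted(records)

def fan_out_alerts(records, window=60, threshold=5):
    """Return {(src, dport): peak_distinct_dsts} for each source that touched
    at least `threshold` distinct destinations on one port inside a sliding
    `window` of seconds (the footprint of a worm's target-discovery module)."""
    by_key = defaultdict(list)
    for ts, src, dst, dport in records:
        by_key[(src, dport)].append((ts, dst))
    alerts = {}
    for key, events in by_key.items():
        peak = start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # drop events that fell out of the window
            peak = max(peak, len({d for _, d in events[start:end + 1]}))
        if peak >= threshold:
            alerts[key] = peak
    return alerts

if __name__ == "__main__":
    for (src, port), n in fan_out_alerts(parse_log(SAMPLE_LOG)).items():
        print(f"possible worm scan: {src} -> {n} hosts on port {port}")
```

The sliding window matters: the probe at 1158624300 falls outside the 60-second window, so only the six-host burst counts against 10.0.0.9, and a slow scan needs a wider window to surface.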

Tools are designed by people who want a personal, hands-on approach to exploiting vulnerabilities. An exploit tool contains many of the features found in a worm: reconnaissance, target selection, and attack are all modes presented to the tool’s user. As with commonly used productivity software, the initial exploit tools were bulky and cumbersome, requiring a lot of knowledge and skill to use. As the years have progressed, exploit tools have vastly improved, gaining point-and-click graphical interfaces. This ease of use has spawned an entire generation of “script kiddies” – black-hat wannabes who know little more than how to download and run these tools. While they may be unskilled, they present a major nuisance.

L33t Ninja Magic is reserved for the most elite special operators, those who can truly call themselves hackers. This tiny subset of the hacker population deeply understands systems and their underpinnings. They can visualize the detailed workings of a vulnerability and know how to code an exploit against it. A true hacker can build his own tools or even exploit systems directly without the help of mainstream tools.

In the next lesson, we will see how the type of vulnerability and its delivery method must both be added to the threat evaluation equation to produce an effective risk assessment.
Coming up in Part Three: How do we protect ourselves?
