Computer Security Threat Sources (Attacks)
A threat is the potential, of chance, for a threat source to use a vulnerability which will cause the threat to materialize. A threat source is a method by which a vulnerability is triggered or exploited. This page lists threat sources which when deliberately used are attacks or accident happening in the case of an unintentioned situation.
Computer Security Threat categories
Unauthorized Access to data or a system whether done using a software vulnerability or impersonating an authorized user.
Denial of service to data or a system whether done on purpose or by accident.
Loss of data integrity due to error or deliberate modification.
Viruses - Attaches itself to other software and attempts to spread within the system and to others primarily using e-mail as a transport to spread. It may alter data and files on the infected computer. Attacks at the application layer.
Worm - Spreads through a network usually exploiting a vulnerability in an operating system or application program. It attacks at the network and application layers.
Trojan Horse - A worm or virus that may send information back to the originator or may be used by the originator or attacker to gain control of a targeted system. Many trojan horses spread by attaching themselves to an useful program. Usually attacks at the application layer.
Time bomb - A virus or worm that activates at a certain point in time. Usually attacks at the application layer.
Logic Bomb - A virus or worm that activates when set conditions are met. Usually attacks at the application layer.
Rabbit - A worm which tries to consume all computer resources as it replicates. Attacks at the network and application layers.
Bacterium - A virus which attaches itself to an operating system and consumes all system resources. Attacks at the application layer.
Spyware - Software that may be installed as part of another program. It may also be installed when a user visits a website with malicious code or when an already running process loads and installs it. This program is designed to report on what the user does to the program creator.
Adware - Software that may be installed as part of another program. It may also be installed when a user visits a website with malicious code or when an already running process loads and installs it. This program is designed to serve ads, usually in the form of popups to the system user.
Rootkit - A tool used by a third party to maintain control of the operation of a computer without being detected. Usually it is used after control of the target system has been achieved.
Key loggers - Used to save the victim's keystrokes and send to the attacker. May be a function included in a trojan.
Spoofing - Done at the data link and network layers, this is an attack where an attacker will try to get one computer to pretend it is another computer to fool another system or part of the network into allowing privileges of the spoofed computer. Sequence number spoofing may be used for this type of attack.
Masquerade - Done at the network layer, this is an attack where an attacker will try to access a computer pretending to have an authorized user identity such as a network administrator.
Sequential Scanning - Attempting to log onto a system by sequentially trying different combinations of passwords and user IDs.
Dictionary Scanning - Attempting to log onto a system by sequentially trying passwords for users that may be dictionary words such as "password"
Snooping or Sniffing
Digital Snooping - Monitoring a private or public network for passwords or data. This attack is at the network layer.
Shoulder Snooping - This is a physical attack where someone trys to watch for typed passwords or see information on a computer monitor that they should not have access to.
Dumpster Diving - Trying to get information from the trash with the hope that it will allow the attacter to get access or priviledged information.
Browsing - Scanning of large amounts of unprotected data to get information for greater access. This is usually automated and an indication of its activity would be an authorized user on line at unusual times.
Tunneling - This attack uses low level system functions such as an operating system kernel or a device driver to get below a security system. Strange behavior of a system may indicate this type of attack including device failures or unusual hard drive activity.
Impersonalization - Impersonating an authorized user or computer
Replay attack - Replay an authentication session to fool a computer into granting access.
Session hijacking - The attacker monitors a session between two computers and injects traffic making it look like it came from one of the hosts. The legitimate computer connection is dropped and the attacker continues with the same privileges the legitimate host had. Defense is to use random sequence numbers rather than predictable ones or to enrypt the data used to secure sessions since the attacker won't be able to encrypt properly without the encryption key. Without the encryption key, the decrypted commands from the attacker will be junk.
Impersonating a router and sending false routing information to disrupt the network or gain information.
DNS cache poisoning
Denial of service
SYN attack - Forces the target computer to allocate so much memory for TCP connections so that it runs out of memory.
Ping of death - Uses IP to cause large packets to be reassembled in order to make the target computer crash.
Teardrop.c attack - Uses IP to create packet reassembly problems so the target computer crashes. Uses overlapping fragments of packets
Land.c attack - Sends a TCP SYN packet using the target's IP address as the sender and receiver causing some systems to crash.
Smurf attack - Floods networks with broadcasted ICMP echo request traffic to cause a network to be congested. It sends the ping as a broadcast with a spoofed sender address.
Fraggle attack - Floods networks with broadcasted UDP echo request traffic to cause a network to be congested.
DDOS attack - Uses many machines to attack one system or network. One method to do this was to do a broadcast ping to an entire subnet and fake the sender of the ping making it look like the sender was the intended target (smurf attack). This would cause a flood of ping replies to the target. Attackers may also use many compromised hosts.
Flooding - sending many valid requests to a target system to overload it.
Directory traversal - Attempts to access directories that should not be accessed in an attempt to run software on a computer that the user should not run. Usually this is done to run the cmd.exe file to gain control of a web server or mail server.
Man in the middle attack
Brute force attack
Spam - Spam email can contain malicious attachments or embedded malicious content in HTML pages.
Social engineering - Skillful lying to get useful information from someone or to gain unauthorized access.
Using telephone to get information pretending to be someone who the attacker is not.
Gaining physical access pretending to be a staff member or service person.
Phishing - Sending an email pretending to be a bank, agency, or support group instructing a person to do something such as open and run a file.
Theft of data or equipment
Weak or blank passwords
Writing down passwords or careless storing of passwords
Loss of password.
Trap Door - System developers sometimes write back doors for access to their applications and may forget to close them.
User error - Accidental deletion or modification of programs or data.
Improper or system configuration exposing data or systems to attack.
Use of no encryption or weak encryption protocols when transmitting confidential or sensitive data.
Misconfiguration of wireless devices or use of unauthorized wireless devices.
Inaccurate data entry or modification.
Accidental deletion of data.
Use of unauthorized or insecure software (peer to peer, IM, screensavers, etc).
Back door to network such as an unauthorized modem or wireless access point.
Throwing away or improper storage or use of storage media or portable computers with sensitive information.
- Configuration error
Not keeping operating systems, programs, or applications patched.
Misconfiguration of network equipment such as routers.
Misconfiguration of wireless access points.
Allowing unneeded services to run on a computer system.
Badly configured firewall
Badly configured web, mail, and FTP servers.
Excessive trust across domains.
Inadequate logging or monitoring and threat detection of threats on servers or the network.
Former employee accounts left active.
Configuration weaknesses in the operating system.
Weakness in internet browser configurations.
Bad privilege assignment
Configuration to use insecure protocols to transmit or store sensitive data.
Not changing default passwords on systems or services such as on network devices, printer control software, etc.
Allowing the use of weak passwords for network passwords.
Allowing directory traversal on systems so an attacker can access directories that should not be accessed.
Insecure permission configuration for accounts.
Unneeded wireless SSID broadcast.
Wireless systems using poor encryption such as WEP.
Log files stored in insecure location.
Storage of sensitive information in logs such as passwords.
Anti-virus settings not configured properly such as not acanning all files and directories, not scanning weekly, etc.
Vulnerability to SQL, mail, or other injection.
Instability to mal-formed input.
Cross site scripting vulnerability allowing attackers to steal cookies.
Format string vulnerability - A user can inject format specifiers during string processing.
Lack of verification of authenticity causing spoofing attack vulnerability.
Not generating random enough session numbers allowing session hijacking.
Weak encryption for storage or transmission of sensitive data.
Weak or bad authentication mechanism.
Weak authentication encryption.
Leaving desks or cabinets unlocked that should be secure.
Leaving rooms unlocked that should be secure.
Not having screen saver password protection implemented on a computer.
Lack of security policies and procedures.