When you conduct a penetration test, you have to completely change your thought process. When you attack a network, you have to think of all the possible criminal activities you could perform and how you would manage to accomplish such a task. By placing yourself in the mind of a malicious hacker, you begin to see the threats in a different way; this allows you to present the worst-case scenarios to the client during the reporting phase of the project.
■ Denial of service: Almost all systems are susceptible to denial of service attacks. These attacks can exhaust bandwidth or processing power, or even cause resource starvation through poor software design.
■ Destruction or alteration of information: Once a malicious user has gained access to your data, how can you know what’s been changed and what hasn’t? Alteration of information is usually much more costly to repair than simple destruction.
■ Dumpster diving: While taking trash out of a trash bin is often not itself illegal (in most cases, unless it is on private property and there are warnings against trespassing), people don’t steal trash just because they can. They do so to obtain information that can be used to do harm. Whether it is something simple, like a list of names and phone numbers, or something more dangerous in the wrong hands, such as customer or privacy data, dumpster diving is a very effective initial step in a malicious attack.
■ Emanation eavesdropping: In the days of the Cold War, there was a legitimate fear that foreign nations could spy on the United States by obtaining data inadvertently broadcast through radio frequency (RF) signals generated by terminals. Although most equipment today emits very little RF noise, there is a tremendous growth in the use of wireless networks. Eavesdropping on wireless communications is something all organizations should be concerned about.
■ Embezzlement: Some crimes will always be popular and embezzlement is one of those. The problem is that the introduction of computers has made embezzlement easier to hide, because everything is “0’s and 1’s”. There have been large strides made toward identifying modification of financial data, but the code behind the applications is only as strong as the developers made it. And we all know there is no such thing as perfectly secure code.
■ Espionage: Whether this is between competing nations or competing companies, espionage is a constant problem. At the national level, exposure to espionage can seriously undermine the safety of a nation’s citizens and concerns. At the corporate level, espionage could ruin a company financially.
■ Fraud: Related to computer crime, fraud is often associated with fake auctions. From a penetration testing perspective, fraud can include phishing, cross-site scripting, and redirection attacks.
■ Illegal content of material: Once a malicious user gains access to a system, he has many options as to how to use the system for his own gain. In some cases, it’s to use the compromised system as a download or a storage site for illegal content, in the form of pirated software, music, or movies.
■ Information warfare: Many political organizations would love to spread their message using whatever means possible. In addition, these same political organizations may desire to destroy the information architecture of a nation. Information warfare comes in many different forms, from simple Web defacement to attacks against military systems/financial institutions/network architecture.
■ Malicious code: Viruses and worms cost companies billions of dollars each year. The creation and distribution of malicious code occurs for a variety of reasons, everything from thrill seeking to organized criminal intent.
■ Masquerading: This is accomplished by pretending to be someone else, someone who has a higher level of access than the malicious user might have. This could occur at the system or network level.
■ Social engineering: This technique is often the simplest and most effective way of obtaining data, or access to systems. By using one’s social skills, a person can get others to reveal information that they shouldn’t. The problem is that most people like to be helpful, and social engineering can take advantage of this need to be helpful.
■ Software piracy: Software developers and owners like to be paid for their efforts to provide helpful and productive software to the masses. Software piracy undermines their ability to make a profit and is illegal in many countries.
■ Spoofing of IP addresses: Spoofing of an Internet Protocol (IP) address is often used to avoid detection or to hide the point of origination. It can also be used to gain access to systems that use IP addresses as a form of security filtering.
■ Terrorism: Most people think of bombs when they think of terrorist attacks. However, the Internet and networking have become such an integral part of our day-to-day business that an attack against the communication infrastructure could have the same, or potentially greater, impact against citizens of a country regarding the spread of fear. It may not have the same visual impact that explosions seen on the nightly news would have, but if the idea is to cripple a nation, the communication infrastructure is certainly a target.
■ Theft of passwords: Whether this is accomplished using simple techniques, such as shoulder surfing, or the more invasive technique of brute force, the compromise of passwords is a serious threat to the confidentiality and integrity of data. Another type of criminal activity that focuses on theft of passwords includes phishing attacks.
■ Use of easily-accessible exploit scripts: A lot of the tools we use in professional penetration testing use exploit scripts to compromise systems; there are also Web sites that have numerous scripts designed to compromise systems. Obtaining these scripts and tools is trivial.
■ Network intrusions: In some cases, the target is the network. It wasn’t that long ago that the phone network was the target for phone hackers, so they could place calls without payment. In today’s network, there are new communication technologies that provide an enticing target for malicious hackers, including Voice over Internet Protocol (VoIP).