In part 1 of this series, we discussed the seven different types of hackers who may compromise your Linux system. White hat and black hat hackers, script kiddies, hacktivists, nation states, organized crime, and bots are all angling for a piece of your system for their own nefarious/various reasons.
It’s important to also realize that these hackers can perpetrate an attack from inside or outside your organization. And their attacks can be either active or passive:
• An active attack attempts to alter system resources or affect their operation, so it compromises Integrity or Availability.
• A passive attack attempts to learn or make use of information from the system, but does not affect system resources, so it compromises Confidentiality.
Active Attacks
Let’s look at different types of active attacks.
Denial of service attacks
Generally done by flooding the service or network with more requests than can be serviced, which results in the service becoming unreachable. This sometimes happens unintentionally, due to a client misconfiguration.
Spoofing attacks
Take place when a valid or authorized system is impersonated via address manipulation. The service thinks it is communicating with an authorized system when it is really talking to an impostor. ARP (Address Resolution Protocol), DNS (Domain Name System), IP addresses, and MAC (Media Access Control) addresses are all susceptible to spoofing.
Port scanning
Can be done with the nmap utility and involves sending SYN packets to a range of ports on the target system. The replies, or lack of replies, from the target provide a significant amount of information about the services that may be running on it.
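As an added example, not part of the original article, here is defender-side detection logic run over constructed `tcpdump -n` output: it flags any source that sends bare SYNs to many distinct ports on a host, which is exactly the pattern the scan described above leaves in a capture. The addresses, the sample lines and the port threshold are assumptions.

```python
import re
from collections import defaultdict

# Matches the start of a tcpdump line as printed with -n (numeric ports):
# "<ts> IP <src>.<sport> > <dst>.<dport>: Flags [<flags>], ..."
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)


def find_syn_scanners(lines, min_ports=10):
    """Return {source_ip: sorted distinct target ports} for every source
    that sent bare SYNs (Flags [S], no ACK) to at least min_ports distinct
    ports. Ordinary clients open connections to a handful of ports; one
    source touching many ports with bare SYNs is the SYN-scan fingerprint."""
    ports_by_src = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m.group("flags") != "S":
            continue  # non-IP lines, SYN-ACK replies ([S.]), data, FIN, RST
        ports_by_src[m.group("src")].add(int(m.group("dport")))
    return {src: sorted(p) for src, p in ports_by_src.items() if len(p) >= min_ports}


# Constructed sample capture (assumed addresses): 203.0.113.7 probes twelve
# ports on 198.51.100.9, while 198.51.100.20 opens one normal SSH session
# (SYN, SYN-ACK back from the server, ACK).
PROBED_PORTS = [21, 22, 23, 25, 53, 80, 110, 143, 443, 445, 3306, 8080]
SAMPLE = [
    "12:00:00.%06d IP 203.0.113.7.40000 > 198.51.100.9.%d: Flags [S], "
    "seq 1, win 1024, length 0" % (i, port)
    for i, port in enumerate(PROBED_PORTS)
] + [
    "12:00:01.000000 IP 198.51.100.20.51234 > 198.51.100.9.22: Flags [S], seq 100, win 64240, length 0",
    "12:00:01.000200 IP 198.51.100.9.22 > 198.51.100.20.51234: Flags [S.], seq 200, ack 101, win 65160, length 0",
    "12:00:01.000400 IP 198.51.100.20.51234 > 198.51.100.9.22: Flags [.], ack 1, win 502, length 0",
]

if __name__ == "__main__":
    for src, ports in find_syn_scanners(SAMPLE).items():
        print("possible SYN scan from %s: %d distinct ports %s" % (src, len(ports), ports))
```

On a real host, pipe `tcpdump -n -l 'tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn'` into this function line by line and tune `min_ports` to the traffic you normally see.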
Idle scans
Variations on port scans that use a third system, referred to as a zombie, to gain information about a target system. To learn more about idle scans, you can go to http://en.wikipedia.org/wiki/Idle_scan.
There are quite a variety of network attacks still in wide use that take advantage of the network protocols required in most infrastructures. ARP storms, session hijacking, and packet injection are all active network attack techniques.
Passive Attacks
Now, let’s take a look at a passive wiretapping attack.
Wiretapping is generally done with tcpdump or Wireshark to listen to traffic on the network. This is done by placing network interfaces into a promiscuous mode, in which all packets the switch sends to the port are then passed to the tcpdump application.
During normal operations, network interfaces throw away packets sent to them by the network devices when the destinations do not match those configured on the host. Pretty much all communications protocols and mechanisms are susceptible to wiretapping, including:
• Ethernet
• Wi-Fi
• USB
• Cellular networks.
In part 3 of this series, we’ll discuss the trade-offs you’ll face when making security decisions including the likelihood of an attack, the value of the assets you’re protecting, and the impact to business operations.
Stay one step ahead of malicious hackers with The Linux Foundation’s Linux Security Fundamentals course. Download a sample chapter today!
Read the other articles in this series:
Linux Security Threats: The 7 Classes of Attackers
Linux Security Fundamentals Part 3: Risk Assessment / Trade-offs and Business Considerations
Linux Security Fundamentals: Estimating the Cost of a Cyber Attack
Linux Security Fundamentals Part 5: Introduction to tcpdump and wireshark