Network/System Forensics - Research Paper Example

Network/System Forensics Cyber Attacks Cyber attack can be referred to as the computer to computer attacks that are carried out to erase, alter, orsteal information or to impede or destroy the functioning of the targeted computer system (Pangi, 2003). It can also be defined as an attempt to compromise the functionality of the computer-based system or an attempt to monitor the individual’s online movement without their consent or permission. In most cases, these attacks are undetectable to the network administrator or the end user or it can lead to disruption of the network in such a way that the end user is unable to perform some of the rudimentary tasks. These network attacks are very sophisticated and thus it has lead to the development of effective defensive software systems (Tatum, 2011). It is imperative to note that cyber attack can be relatively harmless and fail to cause any form of harm to the systems or the equipments. This is so when there is downloading of the spyware onto the hard drive or the server without the prior knowledge or the permission of the owner of the system or the equipment. The major aim of this type of attack is to collect information; the collection ranges from the basic searches and movements done by the authorized users to the forwarding and copying of the main information or documents that is saved on the server or the hard drive. The main goal is to get and transmit the information that will assist the recipient in the achievement of financial gain; the spyware runs unnoticed in the background and it is rarely tampers with the normal functioning of the system. The cyber attack can take the form of malice; this is so with the viruses that is designed to immobilize the functioning of the network or the single computer that is connected to the internet (Tatum, 2011). Three Common Types of Cyber Attacks Cyber attacks fall into three categories; (a) the unauthorized intrusion – the attacker finds a way into the computer system with the use of various techniques such as cracking or hacking or the insider overuses his or her authorized access to perform unauthorized activities to the computer system or on to the network, (b) destructive worms or viruses – they spread from one computer to the other through electronic mail (email) or other types of data exchange media and these worms and viruses cause the loss of functioning on any part of the network, and (c) denial of service (DoS) attacks – they utilize a number of techniques to attack targeted computer system, communication is the mode used and the system is overloaded until its functionality is hampered (Pangi, 2003). Hacking Hacking is the unauthorized intrusion of the computer system or the network, also known as cracking. Hacking can be further categorized into three types. The first type of hacking is the shutting down of the computer system. The computer system can be shut down by the hacker; this problem is recognizable by the administrator and the system can be restored quickly. The second type of hacking is the defacement of the computer system or the network. Defacements alter the information that is on the victim’s computer system. They are generally easy to detect and this is so when the hacker displays a message such as “you have been hacked by …” (Centre of Excellence Defence Against Terrorism, 2008). The most risky defacements are the types which change the figures or any other information on the computer system or the network (Centre of Excellence Defence Against Terrorism, 2008). Web defacements are the most common types of cyber attack. The groups or people involved generally deface the information on the company or the government’s website in order to distribute the group’s messages or mock the entity that supports the site. Majority of these attacks do not possess any harm but they are a nuisance to the target. The most serious defacements as mentioned earlier are the changing of the web page content through semantic hacking; the alteration in this case is not easily evident. The result is the dissemination of false information. For example, in the year 2002, the Venezuelan government website was defaced by hackers and the website was made to appear that Hugo Chavez, the president of Venezuela had issued orders for the shooting of the opposition political party members (Pangi, 2003). The third and last type of hacking is the introduction of Trojan horse programmes. These programmes are not easy to detect even with the installation of a virus scanner, they may go undetected (that is, they are silent operations). Trojan horse programmes collect information from the targeted computer system and transmit it to the hacker; the primary target is basically the bank details (Centre of Excellence Defence Against Terrorism, 2008). Distributed Denial of Service (DDoS) These are effective ways of disrupting the functionality for a specific time. The DoS attacks flood the computer system with a huge number of messages; these messages occupy all the processing ability of the computer. In other words they subject the email and web servers with uncontrollable volume of communications from the other computers. The huge volume of information slows the functioning of the targeted system or effectively and completely shuts down the systems (Pangi, 2003). Distributed DoS utilize the worldwide network of computers popularly known as the bot-nets; they make use of the robot software. The bot-nets are infected with viruses which permit then to become zombies that are controlled by the bot-master; these viruses are very common (Centre of Excellence Defence Against Terrorism, 2008). The hackers multiply the intensity of the DDoS attacks by utilizing the mentioned malicious codes to have control of the user’s machines and use the zombie machines to distribute more communications to the targeted servers (Pangi, 2003). For example, in October 2002, “a large and sophisticated DDoS attack was launched against the Internet’s 13 domain name root servers” (Pangi, 2003). The system administrators of the host sites were able to counter the attack but there were concerns from the security experts and the government officials about the outages and delays in the global Internet traffic (Pangi, 2003). Destructive Worms, Viruses and Trojan Horses A computer worm is a program that is reproductive and has the capability of travelling on its own through the network connections. A virus is also a reproductive program but lacks the capability of travelling on its own through the network; their spread depends on the transfer of files between machines. The rampant utilization of the Microsoft operating tools and the Windows operating systems has made the systems vulnerable to attacks by computer viruses. Battling these viruses is not easy although Microsoft has provided patches that give the user the capability of downloading them. The viruses and worms distribute very quickly such that the investigators are unable to trace the creators of these viruses and worms (Epatko, 2003). The basic environment that has been created by the dominance of certain computer programs has made it easy for the computer users to communicate with another around the universe and it has also created a good platform for the emergence and persistence of computer viruses (Epatko, 2003). Trojan horses can be introduced by the hackers into the computer system. Although Trojan horse resembles a benign application, it includes illicit codes that have the capability of damaging the system operations. The hackers can install a Trojan horse program and assert that it is an anti-virus program. When the program is opened, the virus spreads in the computer system. Trojan horses do not have the capability of replicating themselves like the viruses and worms; their ability to be destructive to the computer system can not be ignored (Siegel, 2008). Tools Used For Cyber Attacks A study conducted by Symantec Corp in regard to the Malicious Websites and Attack Toolkits revealed that the attack tool kits have become easily accessible and easier to utilize; the kits have become in use more widely. The trend has attracted traditional criminals who lack technical knowledge in cybercrime and it has fueled a profitable, self-sustaining and an organized global economy (i-policy.org, 2011). The attack toolkits are software programs that are utilized by the experts and novices; they are used to facilitate the commencement of extensive attacks on the networked computers. These kits assist the attacker to launch a number of pre-written threats against the computer systems. They also offer the capability of customizing the threats in order to avoid detection and automation of the attack process. The attack tool kits are very simple and effective and it has led to their increased use in most of the malicious Internet attacks (i-policy.org, 2011). The profitability of the cyber attacks is increasing and the popularity of the associated kits has increased tremendously. The resultant effect has been the increase of sophisticated and robust kits. The kits are sold on the basis of subscription; they have regular updates, support services, and components that extend their abilities. The cybercriminals regularly rent out limited access to the kit consoles, advertise the installation services, and utilize the commercial anti-piracy tools to avert the attackers from utilizing the tools without making payment for the services (i-policy.org, 2011). The attack tool kits are easy to use and cybercrime no longer requires advanced programming expertise to launch an attack. The participants in cybercrime are a mix of people with skills in traditional criminal activities like money laundering and computer skills (i-policy.org, 2011). The biggest threat to the internet users is the development of attack tool kits and Symantec estimates that there are 240,000 attack tool kits among 200 countries. Zeus is the most prevalent kit used in cyber crimes; the kit possesses eminent threat to the users because it is used to steal bank account details; this is done in the absence of safeguards (Bennett, Coleman & Co. Ltd., 2011). The kit poses a severe threat to small businesses and its key objective is steal bank account details or credentials. These businesses possess a few safeguards that have been put into place to protect their financial transactions and thus making them vulnerable to Zeus (i-policy.org, 2011). Another tool kit used for cyber attack is the Socketsoft Advanced DoS and Penetration Cyber Attack Tool. The tool has enormous capabilities and power. The tool is capable of bringing down immediately any site or service that can be accessed by the internet. Multiple services and sites can be handled by this kit simultaneously. The tool has the following features and capabilities; (a) physical server or multiple cloud based instances that act as agents, (b) each of the instances can bombard ten of thousands of services or protocols asynchronously, (c) high attacking capacity-pooled instances that permit numerous simultaneous connections, (d) integrated target analysis capable of determining the available services or protocols and their vulnerabilities, (e) proxy support – the tool can express the attack(s) via multiple proxy servers, (f) active and passive service or protocol attack increase their effectiveness, (g) parsed and random requests that are based on circumvent pattern and heuristic defenses, (h) the command console permits complete manipulation of the tool, (i) a multilayered encrypted communication between the console and the instances, (j) the integrated scripting facility permits automated control, (k) integrated real-time performance permits monitoring and reporting, (l) perimeter filters, redundancy, and target network IDS do not inhibit or obstruct their effectiveness, and (m) the multiple services and sites regardless of their defenses or size can be shut down simultaneously (Socketsoft.net, n.d.). Cyber Attack Prevention A detection system can be used for the detection of any suspicious activities. The protection of computer and network systems security requires three significant areas to be addressed; detection, prevention, and response. The main aim of prevention is to strengthen the network and computer system and make the detection of a threat very difficult and therefore minimize the likelihood of a threat. However, this does not deter the determination of skilled and potential attackers; organized, skilled and determined attackers can conquer the attack difficulties that have been created by the prevention mechanism and thus break into the network and computer system through the exploitation of the unknown and known system vulnerabilities. The detection is therefore required to detect the attack acting on the network and computer system and offer assistance in the identification of the nature of the attack, and evaluate the impact of the attack, that is, the path, damage and the origin. Detection of the attack requires appropriate response to avert the attack, correct the exploited vulnerability, and recover the system; all these actions are based on the diagnostic information gathered from the attack assessment section of the attack detection (Ye, 2008). Most of the prevention mechanisms that are used practically focus mainly on the access and flow control of the network and computer system. Some of the access and flow control technologies used are the firewalls, authorization, and authentication. There are two forms of firewalls that are used; the application gateways and screening routers. A firewall is installed on the application or the router gateway and controls the outgoing and incoming traffic of the protected network and computer system. The firewall on the router also called the screening router filters the traffic data between the protected system and the other world by the definition of rules which are applicable to the header fields of the packet data at the IP and TCP layer of the IP/TCP protocol. The data section of the network packet may be rendered unreadable due to the application data that has been encrypted and thus it is not used in the definition of the filtering rules in the firewall (Ye, 2008). Apart from the knowledge in the prevention of cyber attack, another tool useful for the prevention of cyber attacks is the familiarization with a number of techniques and tricks used by the hackers to gain access into the systems. Some of the tricks include the regular scanning of the system for weak spots such as an operating system that recently patched or not upgrade, or the utilization of malware to record any significant information from the computer system such as financial information and passwords. Other than stealing, the hacker can attack a computer system to store illegal content such movie downloads that have been pirated or the recruitment of the system into an online bot entity (Damico, 2009). Majority of these cyber attacks occur due to software vulnerabilities, poor access control, and weak points in the data control systems. This was the case in a survey done by the Federal Energy Regulatory Commission and to that effect it approved 8 critical infrastructure protection standards; they are also known as CIP standards. The standards are meant to prevent the national energy grid system from cyber attacks due to the mentioned weak points in the system. The standards include: (a) identification of critical cyber assets, (b) control of the management security, (c) personnel and training, (d) physical security of the critical cyber assets, (e) management of the systems security, (f) response planning and incident reporting, and (g) recovery plans for the critical cyber assets (Messmer, 2008). References Bennett, Coleman & Co. Ltd. (2011). Beware of attack tool kits from malicious websites: Symantec. Retrieved from http://articles.economictimes.indiatimes.com/2011-01-25/news/28429587_1_kits-cyber-criminals-cyber-attacks/2 Centre of Excellence Defence Against Terrorism. (2008). Responses to cyber terrorism. Netherlands: IOS Press. Damico, T. M. (2009). Cyber attack prevention for the home user: How to prevent a cyber attack. Retrieved from http://www.studentpulse.com/articles/47/cyber-attack-prevention-for-the-home-user-how-to-prevent-a-cyber-attack Epatko, L. (2003). Cyber attacks target computer vulnerabilities. Retrieved from http://www.pbs.org/newshour/science/computer_worms/intro.html i-policy.org. (2011). Cyber attack toolkits dominate internet threat landscape. Retrieved from http://www.i-policy.org/2011/01/cyber-attack-toolkits-dominate-internet-threat-landscape.html Messmer, E. (2008). Group defines cyberattack prevention rules for U.S. Retrieved from http://www.pcworld.com/article/141481/group_defines_cyberattack_prevention_rules_for_us.html Pangi, R. L. (2003). Countering terrorism: Dimensions of preparedness. Cambridge, MA: MIT Press. Siegel, L. J. (2008). Essentials of criminal justice. Belmont, CA: Cengage Learning. Socketsoft.net. (n.d.). Cyber attack tool – socketsoft advanced DoS and penetration cyber attack tool. Retrieved from http://www.socketsoft.net/cybertool.asp Tatum, M. (2011). What is a cyberattack? Retrieved from http://www.wisegeek.com/what-is-a-cyberattack.htm Ye, N. (2008). Secure computer and network systems: Modeling, analysis and design. West Sussex, UK: John Wiley and Sons. Read More