Before we can move on to the tools and techniques, we shall look at some of the key definitions. The purpose of this section is to adopt a standard terminology throughout the courseware.
What does it mean when we say that an exploit has occurred? To understand this we first need to understand what constitutes a threat and what constitutes a vulnerability.
A threat is an indication of a potential undesirable event. It refers to a situation in which human(s) or natural occurrences can cause an undesirable outcome. It has been variously defined in the current context as:
- An action or event that might prejudice security.
- A sequence of circumstances and events that allows a human or other agent to cause an information-related misfortune by exploiting a vulnerability in an IT product. A threat can be either 'intentional' (i.e., intelligent; e.g., an individual cracker or a criminal organization) or 'accidental' (e.g., the possibility of a computer malfunctioning, or the possibility of an 'act of God' such as an earthquake, a fire, or a tornado).
- Any circumstance or event with the potential to cause harm to a system in the form of destruction, disclosure, modification of data, or denial of service.
- A potential for violation of security, which exists when there is a circumstance, capability, action, or event that could breach security and cause harm.
- U. S. Government usage: The technical and operational capability of a hostile entity to detect, exploit, or subvert friendly information systems and the demonstrated, presumed, or inferred intent of that entity to conduct such activity.
This brings us to discussing the term 'vulnerability'. Vulnerability has been variously defined in the current context as:
- A security weakness in a Target of Evaluation (e.g. due to failures in analysis, design, implementation, or operation).
- A weakness in an information system or its components (e.g. system security procedures, hardware design, or internal controls) that could be exploited to produce an information-related misfortune.
- Vulnerability is the existence of a weakness, design, or implementation error that can lead to an unexpected, undesirable event compromising the security of the system, network, application, or protocol involved.
It is important to note the difference between threat and vulnerability. This is because inherently, most systems have vulnerabilities of some sort. However, this does not mean that the systems are too flawed for usability.
The key difference between threat and vulnerability is that not every threat results in an attack, and not every attack succeeds. Success depends on the degree of vulnerability, the strength of the attacks, and the effectiveness of any countermeasures in use. If the attacks needed to exploit a vulnerability are very difficult to carry out, then the vulnerability may be tolerable.
If the perceived benefit to an attacker is small, then even an easily exploited vulnerability may be tolerable. However, if the attacks are well understood and easily made, and if the vulnerable system is used by a wide range of users, then it is likely that there will be enough benefit for the perpetrator to make an attack worthwhile.
Logically, the next essential term is 'attack'. What is being attacked here? The information resource that is being protected and defended against attacks is usually referred to as the target of evaluation. It has been defined as an IT system, product, or component that has been identified as requiring, or has been subjected to, security evaluation.
An attack has been defined as an assault on system security that derives from an intelligent threat, i.e., an intelligent act that is a deliberate attempt (especially in the sense of a method or technique) to evade security services and violate the security policy of a system.
Note that it has been defined as 'intelligent act' that is a 'deliberate attempt'. Attacks can be broadly classified as active and passive.
- Active attacks are those that modify the target system or message; in other words, any attack that violates the integrity of the system or message is an active attack. Another example in this category is an attack on the availability of a system or service, the so-called denial-of-service (DoS) attack. Active attacks can affect the availability, integrity and authenticity of the system.
- Passive attacks are those that violate confidentiality without affecting the state of the system. An example is electronic eavesdropping on network transmissions to obtain message contents or to gather unprotected passwords. The key word here is 'confidentiality', which relates to preventing the disclosure of information to unauthorized persons.
The difference between these categories is that while an 'active attack' attempts to alter system resources or affect their operation, a 'passive attack' attempts to learn or make use of information from the system but does not affect system resources.
The figure below shows the relation of these terms and sets the scope for this module.
Attacks can also be categorized as originating from within the organization or external to it.
- An 'inside attack' is an attack initiated by an entity inside the security perimeter (an 'insider'), i.e., an entity that is authorized to access system resources but uses them in a way not approved by the authority concerned.
- An 'outside attack' is initiated from outside the perimeter, by an unauthorized or illegitimate user of the system (an 'outsider'). Potential outside attackers can range from amateur pranksters to organized criminals, international terrorists, and hostile governments.
How does an attack agent (or attacker) take advantage of the vulnerability of the system? The act of taking advantage of a system vulnerability is termed an 'exploit'.
An exploit is a defined way to breach the security of an IT system through a vulnerability.
What comprises a breach of security will vary from one organization to another, or even from one department to another. This is why it is imperative for organizations to address both penetration and protection issues. The scope of this course is limited to the penetration aspect (ethical hacking); the organization must address the protection issues through security policies and ensure that it complies with the requirements of a security audit.
When a threat is exploited, an exposure can result. However, not every exposure is a vulnerability. Examples of such exposures are port scanning, finger, and whois.
Exposure can be said to be a security violation that results from a threat action.
This includes disclosure, deception, disruption, and usurpation. An exposure is a primary entry point an attacker can use to gain increased access to the system or to data. It allows an attacker to conduct information gathering and to hide activities. It often involves a capability that behaves as expected but can be compromised. In contrast, a vulnerability allows an attacker to execute commands as another user, access data contrary to access control lists (ACLs), pose as another entity, or even conduct a denial of service.