Security Strategy: From Requirements to Reality

Chapter 7
Tactics: An Introduction
Tactics are procedures or sets of actions used to achieve a specific objective. In military operations, tactics define a number of maneuvers designed to give the attacking or the defending force an advantage. For example, a flanking maneuver is used to confuse and demoralize an enemy force by attacking its position from multiple directions. Confusion causes people to hesitate, and hesitation in war can be fatal. The military objective is to defeat the enemy; flanking is one means to accomplish that objective. Frontal assault and Blitzkrieg are two other examples of offensive tactics. There are also a number of defensive tactics, including camouflage, reconnaissance, and the use of specialized weapons such as surface-to-air missiles, to deal with specific attacks. Each of these tactics has a parallel in the enterprise security realm. This portion of the book covers a number of physical and information security tactics; the focus is primarily on defensive tactics because offensive measures carry liabilities that most nongovernment organizations do not want to deal with. Nonetheless, a couple of offensive measures certainly have merit and are worth studying.
Tactical Framework
A target can be attacked in only so many ways. All tactics, offensive or defensive, are based on this limitation. In medieval days there were two basic ways to defeat a castle: assault or attrition (siege). Castles had a number of tactical features designed to give the defenders a decided advantage, including observation towers, high walls, moats, drawbridges, and fortified gates. Assaulting a castle was a costly proposition, especially in human lives, and there was no guarantee of success, so many commanders chose siege instead. Castles were designed for that contingency too; they had water wells and storehouses of food. Unfortunately, if the castle's noble could not rally anyone to help break the siege, supplies would eventually run out and the defenders would be forced to surrender.

Castles provide a good metaphor for today's IT environments because the attacks used against IT systems mirror those used against castles: Trojan horses, malicious insiders, spies, impersonation, and so on. What has changed, however, is the configuration of the castle and the alliances of the king. Medieval castles had two or three possible entries; today's computer networks have dozens of entry points (i.e., attack paths or vectors). Castles were self-contained defensive structures with well-guarded entrances; today's computing environments can have a number of alliances that grant access to any number of unknown (or at least unverified) entities. These changes (just like changes in modern warfare) require corresponding changes in defensive tactics. The German Blitzkrieg during World War II is a defining example. The German assault that went around the highly regarded French Maginot Line demonstrated how a small force using advanced technology with skill and daring could overcome even the most robust defenses. The good news is that, despite Hollywood's firewall-busting depictions, there are no tanks (or for that matter any cannons) on the Internet. This does not, however, eliminate the need for us to adjust our defensive tactics as the tactics of our attackers change. Modern warfare offers some interesting advances. For example:

Spreading out defenses to negate the effects of artillery and aerial bombardment.
Using defenses laid out in depth to absorb the initial assault of mobile armored forces.
Keeping a strong mobile reserve for employment against the main assault.
Replacing a static defense with armored mobile defenses that absorb the initial assault just long enough to set the conditions for a counterattack. (This was the premise for the defenses in Europe against the massive armored formations of the Soviet Union during the Cold War.)
Warfare in the 21st century has become even more complicated with the introduction of irregular threats (e.g., terrorism), where attackers use modern technology effectively to inflict damage and promote their interests. Irregular threats more closely resemble what IT professionals deal with, and like our military counterparts, we use many of the same tactics, including "hardening" the facilities and systems that would be the target of such an attack, employing quick incident response forces to rapidly deal with any contingency, and gathering the intelligence needed to detect potential attacks so that we can be prepared for them. Modern armies detect potential attacks through reconnaissance in the air with spy planes and unmanned aerial vehicles, reconnaissance on the ground through patrolling and sensors, and collection of information from electronic and human networks. The parallels in physical and logical security in the corporate environment are not hard to see, although CCTV surveillance substitutes for aerial reconnaissance. More attack options are available today than ever before (irregular threats are increasing), which makes the tactical framework larger, but it still has a fixed boundary. Whether you are talking about physical or logical targets, tactics are still based on the attack limitations of the opposing force.
Facilities: Physical Attack Scenarios
Theft of assets (data or equipment) is the primary goal of physical attacks against computing facilities. The second most common goal is disruption of service (the loss of data and processing availability). Revenge is yet another common motivation. Seven basic attack scenarios can be used to achieve these goals. Most physical attacks require physical access or proximity, except those that can be conducted through a commercial (or other) transport mechanism (e.g., a mail bomb). The seven basic physical attack scenarios are as follows:
1. Assault—people-based attacks, usually conducted in stealth and frequently involving small arms or other weaponry. Assaults are used to overcome or overwhelm physical protections; steal, damage, or destroy assets; and disrupt operations. Robbery is the most common form of assault. Workplace violence, riots, and terrorism are other examples.
The important thing to remember about assault is that it is the only scenario that can result in the theft of assets. Theft requires a conscious (human) decision. The other attack scenarios may facilitate the thief's access to an asset, but they cannot result in the attacker taking possession of that asset.
2. Bash—mechanized assaults; the use of vehicles, heavy equipment, aircraft, and the like to overcome physical protections (e.g., the 9/11 airliner crashes). This scenario is frequently used in combination with a people-based assault to quickly defeat physical protections, but it may also be used to disrupt operations by destroying critical resources or threatening the safety of facility personnel. The best example of this technique is the video of the thief who backs his truck through the front window of a convenience store to bash an ATM off its base, then throws it into the back of his truck and drives off!
3. Blast—the use of explosives, compressed gas, or other blast agents to overcome physical protections, destroy equipment and facilities, or disrupt operations. This scenario is sometimes used in conjunction with an assault to quickly defeat physical protections.
4. Burn—the use of fire, acid, or other deterioration agents to overcome physical protections, destroy equipment and facilities, or disrupt operations. This scenario is sometimes used as a diversion in assaults but is more often employed for sabotage or revenge attacks because it is simple to execute.
5. Flood—the use of water or other liquids to destroy equipment and facilities or disrupt operations. While water is particularly effective against electronics and computer equipment, it is not a common attack scenario. Most computing facilities carefully monitor and control the use and availability of water within the facility.
6. Poison—the use of air-, liquid-, or food-borne agents to overcome personnel and disrupt operations; examples include gas, smoke, and stink agents. This scenario is sometimes used as a diversion in assaults but is more often used for sabotage or revenge attacks because materials are readily available and the attack is simple to execute.
7. Siege—cutoff of access; power; communications; heating, ventilating, and air conditioning; water; or other necessities in an effort to damage or destroy equipment and disrupt operations. This is a very effective scenario, but it can be very difficult to execute and sustain for an extended period of time. Most computing facilities are designed to withstand these types of failures, and help is readily available in most cases.
The remaining techniques might be classified as annoyance attacks, including false alarms, bomb scares, and light and noise annoyances, which are aimed primarily at disrupting operations. There are any number of possible ways to carry out these attacks. Understanding the attack methods is less important than understanding the limitations (scope) of each scenario. Focusing on attack methods results in point solutions, whereas focusing on attack scenarios results in comprehensive (or multipoint) solutions: solutions that counter multiple attack methods in overlapping scenarios. For example, if we understand that all physical attacks (with the exception of assault) at worst result in a loss of data availability, we can focus our tactics and control objectives on measures that counter that loss across the entire spectrum of attacks. Let's call this tactic business continuity planning. The best tactics are those that use tactical principles to efficiently and effectively counter attack scenarios, something we must never lose sight of in our strategic and tactical endeavors.
IT Systems: Logical Attack Scenarios
There are six basic attack scenarios against computer systems if the attacker does not have physical access or proximity:
1. System flaws—Exploit weaknesses in the operating system, services, hardware, firmware, or software, including coding errors (e.g., buffer overflows) or architecture flaws (e.g., in Remote Procedure Call [RPC] interfaces).
2. Configuration flaws—Exploit errors in the system configuration, including blank or default passwords, enabled anonymous or guest accounts, and incorrect share or file permissions (e.g., EVERYONE Read/Write).
3. Unsecured trusts—Exploit trusts with other systems by poisoning Domain Name System (DNS), routing, or address resolution entries, or by using existing database or Distributed Component Object Model (DCOM) connections to compromise data.
4. Malware infection—Implant a piece of malicious code on the system using an e-mail attachment, a malicious download, or a drive-by-download website.
5. User impersonation—Compromise a legitimate user's credentials by guessing or cracking their password, getting them to disclose it (e.g., phishing), or capturing it with a man-in-the-middle system or a sniffer.
6. Process flaws—Become a user on the system by gaming the provisioning process or by convincing (or coercing) someone to create an account for you (i.e., social engineering).
In addition to these scenarios there are seven basic attack scenarios against a system's network connections:
1. System flaws
a. Data access—Exploit weaknesses in the operating system, hardware, firmware, protocol, or services to access data (e.g., cracking wireless encryption) or to reach other networks (e.g., virtual local area network [VLAN] hopping).
b. Denial of service—Exploit a weakness in a transit node to cause it to fail (e.g., Ping of Death), slow down (e.g., a resource starvation attack), or malfunction by sending data into a black hole.
2. Passive wiretapping—Capture data or credentials in transit on a link using a sniffer or a man-in-the-middle system.
3. Data insertion—Write data to the link, such as a cookie or a packet carrying credentials, to gain access to a resource.
4. Node impersonation—Become or compromise a transit node on the link to capture the data or credentials passing through it or to redirect traffic to another system.
5. Configuration flaw—Exploit the configuration of a transit node to gain access and redirect traffic to another system (e.g., ARP, routing, or DNS poisoning).
6. End-point impersonation—Appear to be the legitimate end point of the link by cloning the real system or by DNS poisoning.
7. Process flaws—Become a permitted node on the link by convincing or coercing someone to add your transit node to the network. Once attached, the node can be used to capture data and credentials.
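As an added example (not from the book), the following Python script shows what a defender can do about network scenarios 4 and 5 above, node impersonation and ARP poisoning, without knowing which tool the attacker used: it compares successive ARP-neighbor snapshots of a host against a trusted baseline and flags the gateway's address resolving to a different MAC, or one MAC answering for several IPs. The "ip neigh show" lines, the 10.0.0.0/24 addresses and the GATEWAY_IP value are constructed sample data; the finding names are this example's own choices.

```python
import re
from collections import defaultdict

# Constructed samples of "ip neigh show" output, captured a minute apart on a host
# in 10.0.0.0/24 (not real captures).  In the third snapshot the default gateway's
# address resolves to the MAC of host 10.0.0.21: the cache has been poisoned and
# traffic for the gateway now goes through 10.0.0.21 (network scenarios 4 and 5).
SNAPSHOTS = [
    "10.0.0.1 dev eth0 lladdr 00:11:22:33:44:01 REACHABLE\n"
    "10.0.0.20 dev eth0 lladdr 00:11:22:33:44:20 STALE\n"
    "10.0.0.21 dev eth0 lladdr 00:11:22:33:44:21 REACHABLE\n"
    "10.0.0.99 dev eth0 FAILED\n",
    "10.0.0.1 dev eth0 lladdr 00:11:22:33:44:01 REACHABLE\n"
    "10.0.0.20 dev eth0 lladdr 00:11:22:33:44:20 REACHABLE\n"
    "10.0.0.21 dev eth0 lladdr 00:11:22:33:44:21 STALE\n",
    "10.0.0.1 dev eth0 lladdr 00:11:22:33:44:21 REACHABLE\n"
    "10.0.0.20 dev eth0 lladdr 00:11:22:33:44:20 STALE\n"
    "10.0.0.21 dev eth0 lladdr 00:11:22:33:44:21 REACHABLE\n",
]

GATEWAY_IP = "10.0.0.1"  # assumed default gateway of the sample segment

# Entries without a link-layer address (FAILED, INCOMPLETE) carry no "lladdr" and are skipped.
NEIGH_RE = re.compile(
    r"^(?P<ip>\S+)\s+dev\s+(?P<dev>\S+)\s+lladdr\s+(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})",
    re.IGNORECASE,
)


def parse_neigh(text):
    """Map IP -> lower-cased MAC from ip-neigh formatted lines."""
    table = {}
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:
            table[m.group("ip")] = m.group("mac").lower()
    return table


def detect_poisoning(snapshots, gateway_ip):
    """Compare every snapshot after the first against the first (trusted baseline).

    Returns (snapshot_index, kind, subject, detail) tuples, where kind is one of:
      GATEWAY_MAC_CHANGED      the gateway now resolves to a different MAC (most severe)
      IP_MAC_CHANGED           any other IP changed its MAC since the baseline
      MAC_CLAIMS_MULTIPLE_IPS  one interface answers for several IPs (attacker plus victim)
    """
    findings = []
    baseline = parse_neigh(snapshots[0])
    for idx in range(1, len(snapshots)):
        table = parse_neigh(snapshots[idx])
        for ip, mac in table.items():
            old = baseline.get(ip)
            if old is not None and old != mac:
                kind = "GATEWAY_MAC_CHANGED" if ip == gateway_ip else "IP_MAC_CHANGED"
                findings.append((idx, kind, ip, f"{old} -> {mac}"))
        by_mac = defaultdict(set)
        for ip, mac in table.items():
            by_mac[mac].add(ip)
        for mac, ips in sorted(by_mac.items()):
            if len(ips) > 1:
                findings.append((idx, "MAC_CLAIMS_MULTIPLE_IPS", mac, ",".join(sorted(ips))))
    return findings


if __name__ == "__main__":
    for finding in detect_poisoning(SNAPSHOTS, GATEWAY_IP):
        print("snapshot %d: %s %s (%s)" % finding)
```

The second snapshot produces no findings because only the reachability state changed, not the bindings. A gateway MAC change is not proof of attack on its own (a router NIC replacement or a failover without a shared virtual MAC looks the same), so in practice the check is corroborated against a recorded list of legitimate gateway MACs, and on managed switches the same scenario is closed at the source with DHCP snooping and dynamic ARP inspection.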
The descriptions in the two lists above contain just a small number of the possible methods used to carry out these attacks, but it isn't the methods that are important. Understanding the scope (boundaries) of the attack scenarios is what's important. When we begin to break our strategy down into specific tactical objectives, we must keep the big picture in mind. We need to focus on the attack scenarios, not the attack methods. Here's a quick example. Implanting a piece of malicious code on the system is a common attack scenario. What is our objective? Preventing the code from getting there, or preventing it from doing any damage when it does? Most would say both, but in truth only the latter really matters. Preventing unauthorized code from executing on the system is a more effective and efficient control than one that compares every piece of data coming into or going out of the system against 2 million virus signatures! The best tactics are those that use tactical principles to efficiently and effectively counter attack scenarios. Another advantage of this approach is the ability to see clearly which attack scenarios you have control over and which you do not; this information is particularly valuable when you are assessing outsourced services.
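To make the malware example concrete, here is an added Python illustration (it is not the book's code) that puts the two controls side by side: a signature blocklist, which is a method-focused control, and an execution allowlist, which is a scenario-focused control. The "binaries" are constructed byte strings standing in for executables, the file names are invented, and both controls are reduced to SHA-256 matching so that the policy difference, not the matching engine, is what the output shows.

```python
import hashlib

# Constructed stand-ins for executable files (not real binaries): the policy only
# needs their bytes.  "MZ" mimics a PE header so the samples look like programs.
APPROVED_BINARIES = {
    "notepad.exe": b"MZ\x90\x00 approved editor build 1.0",
    "backup.exe": b"MZ\x90\x00 approved backup agent 2.3",
}
KNOWN_MALWARE = {
    "oldworm.exe": b"MZ\x90\x00 worm payload catalogued years ago",
}
NOVEL_DROPPER = b"MZ\x90\x00 freshly compiled dropper, never seen by any vendor"


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Control A, method focused: every file is compared with a signature database.
# It can only ever stop what has already been catalogued.
SIGNATURE_DB = {sha256(b) for b in KNOWN_MALWARE.values()}


def blocklist_allows(data: bytes) -> bool:
    """True if the signature scanner would let this content execute."""
    return sha256(data) not in SIGNATURE_DB


# Control B, scenario focused: only code approved at deployment time may execute.
# Anything else is denied without the control needing to know what it is.
ALLOWLIST = {sha256(b) for b in APPROVED_BINARIES.values()}


def allowlist_allows(data: bytes) -> bool:
    """True if execution control would let this content execute."""
    return sha256(data) in ALLOWLIST


# Constructed test set: approved code, catalogued malware, the same malware
# re-packed (one appended byte defeats a hash signature), a never-seen dropper,
# and an approved binary whose payload has been tampered with.
SAMPLES = {
    "notepad.exe": APPROVED_BINARIES["notepad.exe"],
    "oldworm.exe": KNOWN_MALWARE["oldworm.exe"],
    "oldworm-repacked.exe": KNOWN_MALWARE["oldworm.exe"] + b"\x00",
    "dropper.exe": NOVEL_DROPPER,
    "notepad-trojaned.exe": APPROVED_BINARIES["notepad.exe"].replace(b"1.0", b"1.0+"),
}


def evaluate(samples=SAMPLES):
    """Return {name: (blocklist_allows, allowlist_allows)} for every sample."""
    return {name: (blocklist_allows(data), allowlist_allows(data))
            for name, data in samples.items()}


if __name__ == "__main__":
    print(f"{'sample':24} {'blocklist':>10} {'allowlist':>10}")
    for name, (blk, alw) in evaluate().items():
        print(f"{name:24} {'runs' if blk else 'blocked':>10} {'runs' if alw else 'blocked':>10}")
```

The blocklist stops only the one sample it has a signature for and lets the re-packed variant, the novel dropper, and the tampered editor all run; the allowlist stops every one of them while still permitting the approved build. Real scanners use fuzzy and behavioral signatures rather than exact hashes, which narrows the gap but does not change its shape: a blocklist enumerates the known bad, an allowlist enumerates the authorized. The cost of the allowlist is maintenance, since every patch changes a hash, which is why production execution controls (Windows AppLocker and WDAC, or fapolicyd on Linux) key on publisher certificate or path instead; and an allowlisted interpreter can still run an attacker's script, so the control bounds the scenario rather than eliminating it.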
Objectives Identification
As stated earlier, tactics are used to achieve a particular outcome, so it stands to reason that those outcomes (objectives) must first be identified before an appropriate tactic or tactics can be selected. The process involves breaking down the strategic plan into smaller point solutions. For example, the strategy may call for the proper management of privacy-related information. Under that strategy heading, we can identify a number of specific objectives at the people, process, and technology levels, including training, operational procedures, access controls, and identity assurance. The broad category may be "excellence in operations," with the specific objectives being ironclad identity management, least privilege access controls, and so on. In Figure 7.1 the security objectives are listed under each tactic. The description provides additional tactical details. Once these objectives have been identified, the resources, time, and effort needed to achieve them can
Security tactic: Defense in depth
Description: Manage risk across all layers of the computing environment
Objectives: Securing the perimeter and network; Secure hosts and applications; Secure data security and privacy; Secure operations and personnel

Security tactic: Excellence in identity management
Description: User authentication, user privacy, data access, and facilities access
Objectives: Practice the principle of least privilege; Enforce accountability; Enforce privacy and privacy rights; Audit identity assurance processes

Security tactic: Excellence in security engineering
Description: Engineer software, hardware, and facilities to be secure
Objectives: Secure by design; Secure in development; Secure in deployment; Redundant and fault tolerant; Physical security

Security tactic: Excellence in operations
Description: People, processes, and technology to maintain and operate secure systems
Objectives: Practice good supervision; Practice incident response; Awareness and staff skills training; Maintain and monitor system security; Audit and monitor for compliance

Figure 7.1 Security objectives and tactics.