Understanding Computer Security: Compromise Vector

Wednesday, September 08, 2010

Mister Reiner


The most important concept to understand in computer security is the compromise vector. It is the key concept to understanding everything there is to know about computer security and hacking. Once you get your mind wrapped around the concept, you will view computer security from a completely different perspective.

Simply put, compromise vectors are the various avenues of attack that can be used to compromise systems, information and credentials. When a vulnerability is announced, the most important thing for people to ask themselves (or a computer security professional) is how the exploit associated with the vulnerability applies to the hardware, operating systems and applications they use or manage, or to other systems to which they connect.

Some compromise vectors are obvious, others are not so obvious, but know that there are no “secret” compromise vectors – just variations and combinations of known techniques that tend to surprise those who don’t think like the most devious of hackers. In some cases, a vulnerability may be of no significance because it’s technically impossible to exploit the vulnerability given the compromise vector requirements.

Below are just some of the compromise vectors that computer security professionals think about on a daily basis.

Email. The most effective way to deliver malicious code to a user’s computing device is via email. Opening an email or attachment may result in a compromise through scripting, execution of an attachment or a buffer overflow. If a buffer overflow vulnerability exists, several potential compromise targets lie along the route from the email’s point of origin to the user’s inbox: the receiving email gateway, the email server, the email client, and the email anti-malware scanning software residing on these systems.

Websites. If malicious code can’t be delivered via email, why not post malicious code on Websites and wait for users to come to it? Sending users links via email, publishing popular content (e.g. photos, movies, music, ebooks, software, cooking recipes) that shows up in search engine results, and infecting legitimate Websites are all ways to connect users to malicious code lying in wait. When users get to the site, hackers take advantage of unpatched vulnerabilities, out-of-date anti-virus software, undocumented exploits with no known signature, and social engineering techniques that entice users to open documents/files and launch executables containing malicious code.

Removable media. USB devices, DVDs and CDs delivered via postal mail, given out at events or purposefully dropped in parking lots and by building doors are effective means to deliver malware directly to a user’s computer. Content on removable media can take many forms, including documents, repackaged legitimate software and multimedia. Well-packaged malicious code can be tested to avoid detection and take advantage of undocumented vulnerabilities. Sleepers and delayed post-installation malware downloads from the Internet can bypass automated and manual security screening.

Direct connectivity to a service. All network-based applications listen on specific network protocols and ports. Network-based applications include Websites, remote access, file sharing, email, authentication services and virtual private networking. Some services are only available on a local area network, because a network perimeter firewall blocks connections initiated from the outside world. Other services are intentionally open to those outside of the network, such as Web and email. Many people believe that perimeter firewalls protect their internal devices from direct connectivity vulnerabilities, but this is only true if there are no compromised computers on the internal network. Once a hacker successfully connects to a service, he can then try to exploit a vulnerability, an unsecured service, a misconfigured service, or a service that has yet to be configured (default settings).

Physical access. Unsecured equipment in an open office area, an unlocked server room and even a locked server room provide hackers, intruders and trusted insiders with an opportunity to bypass operating system security to implant malicious code, steal credentials, steal hard drives, steal information by replicating hard drives, and alter security configurations (device and physical). Also of concern are physical key loggers, attachment of rogue computer equipment (e.g. notebooks, wireless access points, packet capture systems) and installation of rogue cabling.

After malicious code is implanted using any of the compromise vectors described above, additional compromise vectors may present themselves to a hacker, intruder or trusted insider.

Escalation of privileges. Even if someone was only able to obtain user-level permissions by successfully exploiting a vulnerability, implanting malicious code, or successfully logging in, there are compromise vectors that may become accessible once on a system and may be exploitable in order to obtain system administrator access. To dismiss the seriousness of a vulnerability just because it only affords user-level access is extremely short-sighted.

Trojans. Primary concerns include: man-in-the-middle attacks, key logging, using user or stolen admin credentials to access information, using stolen admin credentials to access other computers on the same network, uploading documents containing malicious code onto shared resources, and modification of security settings on other systems and devices to allow for additional unauthorized access from inside or outside the network. Of particular concern is a Trojan residing on a system or network administrator’s computer, which will afford access to devices that restrict access to specific IP addresses.

Accessing B2B resources. Malicious code placed on business-to-business servers can potentially be used to capture information being sent to and from the distant end. Depending on the application and protocols being used, it may be possible to compromise the computer on the distant end.

If all of this seems more complicated than “Keep your software and anti-virus signatures up-to-date,” it is. Extremely skilled computer security professionals spend a lot of time reading computer incident and forensics reports to keep on top of current compromise vector trends and those associated with old, new and updated software. Now factor in that most organizations don’t have the hardware or software to monitor and detect many of the activities associated with these compromise vectors. Then factor in that for some of these compromise vectors (I haven’t listed them all), monitoring and detection capabilities don’t even exist.

Now that you know all of this, there are five questions you need to ask yourself or your computer security professional for each device, operating system and application:

  1. What are ALL the compromise vectors?
  2. What security measures are in place to deny access to these compromise vectors?
  3. What is the likelihood that someone can access these compromise vectors remotely (inside and outside the network), once on a system (i.e. via compromise or using stolen credentials) or by obtaining physical access to a system?
  4. What signature-based and activity-based detection capabilities are in place to detect unauthorized activity?
  5. What monitoring capabilities are in place to identify unauthorized activity that is not signature-based or activity-based? In other words, if a hacker’s code and activities have been tested to avoid detection by anti-malware software, host-based intrusion detection systems and network-based intrusion detection systems, how will someone know that a system, application or information is compromised?

Once all the compromise vectors of a particular device, operating system or application are considered and understood, specific security measures can be put in place to significantly reduce the risk of compromise, and capabilities to increase the chances of detecting compromise.
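The following is an added illustration, not the author's code or method: a small Python model of the five questions in which each asset records the vectors it can be reached through and from where (outside the network, inside it, or physically), the vectors a security measure denies, and the vectors with detection coverage, so that a vulnerability announcement can be triaged against the inventory. The asset names, products and the three origin labels are constructed assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Asset:
    """One device/OS/application with the answers to the post's five questions."""
    name: str
    software: set          # products running on the asset
    reachable: dict        # vector -> origins ("outside", "inside", "physical") it is reachable from (Q1, Q3)
    denied: dict = field(default_factory=dict)   # vector -> origins a security measure blocks (Q2)
    detected: set = field(default_factory=set)   # vectors covered by detection/monitoring (Q4, Q5)

    def status(self, vector, origin):
        """Classify one vector/origin pair for this asset."""
        if origin not in self.reachable.get(vector, set()):
            return "not-applicable"
        if origin in self.denied.get(vector, set()):
            return "mitigated"   # access to the vector is denied (Q2)
        if vector in self.detected:
            return "monitored"   # reachable, but unauthorized activity would be seen (Q4, Q5)
        return "exposed"         # reachable with neither a control nor detection

def triage(assets, product, vector, origin):
    """How an announced vulnerability in `product`, exploitable via `vector` from
    `origin`, applies to each asset that runs the product."""
    return {a.name: a.status(vector, origin) for a in assets if product in a.software}

def gaps(asset):
    """All (vector, origin) pairs that are reachable but neither denied nor detected."""
    return sorted((v, o) for v, origins in asset.reachable.items()
                  for o in origins if asset.status(v, o) == "exposed")

# Constructed sample inventory (illustrative names and products, not from the post).
INVENTORY = [
    # The perimeter firewall denies outside access to the database service, but a
    # compromised computer already on the internal network is not blocked.
    Asset("db-server", {"dbms"},
          reachable={"direct_service": {"outside", "inside"}, "physical": {"physical"}},
          denied={"direct_service": {"outside"}}),
    Asset("workstation-07", {"pdf-reader", "browser"},
          reachable={"email": {"outside"}, "website": {"outside"},
                     "removable_media": {"physical"}, "physical": {"physical"}},
          denied={"removable_media": {"physical"}}, detected={"email", "website"}),
]

if __name__ == "__main__":
    print(triage(INVENTORY, "dbms", "direct_service", "outside"))  # {'db-server': 'mitigated'}
    print(triage(INVENTORY, "dbms", "direct_service", "inside"))   # {'db-server': 'exposed'}
    print(gaps(INVENTORY[1]))                                       # [('physical', 'physical')]
```

The second triage call is the post's firewall caveat in miniature: the same service is mitigated against an outside attacker and exposed to one already inside.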

If all of this seems a bit too overwhelming to deal with yourself, it’s best to seek the advice of an experienced computer security professional.

Cross-posted at Mister Reiner's blog. Mister Reiner is author of the book "OWNED: Why hacking continues to be a problem".

Carter Schoenberg

MR,

Thanks for the post. Your point on vector is very important to grasp. I get a chuckle when I see some of my customers focus so laser point of NIST-800 or DIACAP from a technical control perspective only. FISMA has 17 control families, only 4 are actually technical. In my experience, an overwhelming number of risks are identified in operational and/or managerial aspects of security but go unchecked in many instances.

Mister Reiner


I agree. A lot of organizations just want to get someone off their back by checking off the check boxes vice actually worrying about if their systems are actually secure. Life for the DAA is easy, right? Just read the statement of residual risk, sign it and then not worry about it.

Thanks for your comment.
Susan V. James

Well done - one could actually analyze the assorted platforms they support against the threat presented by any of these compromise vectors, and categorize platforms by vulnerability level. Then as alerts come in, it becomes relatively easy to determine the seriousness of the threat and the amount of time that you have to address it. But the underlying requirement is that you have to have a *very* concise and detailed view of what is sitting on your networks - hardware types, software types, software versions, and risk mitigation strategies already in place to protect information assets.
Mister Reiner

Thanks Susan - and you're absolutely right. What you're talking about is exactly the type of tool and situational awareness that an organization needs to keep up with today's threats.
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.