DoS (Denial of Service) and Access Attacks


DoS (Denial of Service) attacks:


The main purpose of a DoS attack is to slow down or disable a system so that the services the system offers become unavailable to its users. These types of attacks are generally caused by exhaustion of the system's resources or by exploiting a known vulnerability (bug) on the system that stops it from functioning in a normal manner. A simple example of this would be sending so much garbage traffic to a system that legitimate traffic cannot be processed, similar to phone lines being tied up by too many telephone calls at once. More complex versions of these attacks are known as DDoS or Distributed Denial of Service attacks, where multiple devices launch the attack on the system at the same time.

Access attacks: 

The main purpose of an access attack is to gain access to unauthorized (protected) system resources such as data, or simply to take over control of an interior network system in order to perform illegal activity. An access attack can often follow a Denial of Service attack, but generally attacks of this nature begin with reconnaissance of some type in order to expose system exploits and exploitable systems. Amazingly enough, the most common threat when considering an access attack is Social Engineering. Social Engineering is the most effective and the hardest access attack to control because it involves the manipulation of people. An example of Social Engineering would be a hacker gaining access to a system by learning a valid username and password from someone through the art of deception, i.e., claiming to be someone that one would trust, even though in reality they are not.

Some of the methods discussed previously can be used in order to forcefully obtain access to unauthorized data, and unfortunately it could be yours. Fortunately, however, most major networks of the more prominent companies that one might do business with are generally secured from most of the threats that we've talked about by means of physical equipment security, monitoring, data encryption, and constant updating. Obviously, a threat to these types of systems always exists, but it is much less likely due to the vast amount of money and time spent by these companies in order to protect their networks and their customers' information. This should make you feel somewhat more comfortable, but wait a minute, what about your system? Now we will talk about some things that you can do in order to protect yourself a little better.

1. Perhaps one of the most important things that you should remember is to never give out any of your personal information to someone unless you have gone through means to verify their identity. This includes your email and any usernames and passwords that could lead to the discovery of your other personal information. As we discussed previously, Social Engineering is the leading cause of unauthorized access attacks. Phishing, banding or carding is a very popular form of private information theft. This is when you receive what appears to be a legitimate email or instant message claiming that you need to "update your account information" or something similar, with a link to a site where you are asked to input this data so that it can be stolen. The link is often masked such that it appears to come from the legitimate source, and the site it sends you to also looks legitimate because they've matched the source code to the actual site in question. The best thing to do in this instance is to call the customer support number that appears on your real statement. Most major organizations will never ask you for this information outside of initial signup. Most companies will have a specific email address, available on their website, to which you can forward such scams. This type of attack can also come via a phone call, so in this case I would suggest that you disconnect the call and contact the customer support department directly, using the phone number listed on a statement, to inquire about the situation.

2. Be careful about what type of information you send via email. Where you send it is important, but what you send is also important. Email by default is sent in clear text. An experienced hacker who is sniffing or intercepting traffic to a service provider (man-in-the-middle attack) can easily read anything sent across standard email. There are some methods for encrypting email, like Entrust http://www.entrust.com/ (digital certificates) and PGP http://www.pgp.com/ (Pretty Good Privacy), that can be used when properly configured, but your best bet is to never send any personal information via email.

3. Make sure you are doing business with a company that you know to be secure. Generally, you won't have problems when dealing with major companies like Wal-Mart or Gap, but you should still read their privacy and security policies so that you have a good understanding of the information that they collect and what they do with it, as well as the means that they use to secure their transactions. If a site doesn't have this information readily available, then I would not recommend doing business with them. Most private web transactions are secured with SSL or Secure Sockets Layer encryption. This is the primary standard for encrypting web transactions and it is approved by the Internet Engineering Task Force. You will know that your connection is secured if you look in the address field of your browser and see https:// in front of the web address. Note: The S in https signifies that the session is secured with SSL.

4. Use strong passwords. Typically you will want to use at least 8 characters, use a mix of letters and numbers, do not use complete words, do not use sequential numbers, do not use your username and try not to use any personal information that could be guessed by someone like your birthday.

Here is a link to a Microsoft document on generating strong passwords complete with a link to a page to check your password strength: http://www.microsoft.com/athome/security/privacy/password.mspx

Here is a link to a document on generating strong passwords on the SANS site: http://www.sans.org/rr/whitepapers/authentication/1636.php

It's also never a good idea to store passwords or cache them on your local system. If your system is somehow compromised, then so are your account passwords.

5. If you are using a wireless network, secure it. Wireless networks can be easily sniffed out remotely by "war drivers" or even your neighbor. Change any default settings, like the SSID, that might be easily guessable. Disable remote administration of the router and password protect local administration. Use MAC address filtering to only allow your trusted connections to the router. Enable the strongest encryption available on your router. Here is an article I wrote previously on securing a wireless network when using one of the more common Linksys wireless G routers: http://www.computernetworkinghelp.com/content/view/31/2/

6. Use a personal firewall to protect your computer from traffic originating from the outside world, i.e., traffic that you didn't initiate a request for.

7. Use virus software and keep it up to date. Remember, if your virus definitions are old, the software is all but useless. Scan your email in real time (upon download or prior to opening attachments). Scan your drive regularly. It's also a good idea to never open attachments from unknown sources. Virus software relies on matching patterns, and a virus must exist before an updated pattern can be created, so there is always a chance of becoming infected even if your software is up to date.

8. Use spyware removal software and keep it up to date. Remember, if your spyware removal definitions are old the software is all but useless. Scan your drive regularly. Spyware can not only be annoying but also dangerous in some cases.
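The password rules in tip 4 can be checked mechanically. The following is an added example, not code from the original article or from the linked Microsoft or SANS documents; the function names, the short word list and the sample values are assumptions made for illustration, and a real check would load a full dictionary file.

```python
import re

# Constructed stand-in for a dictionary file.
COMMON_WORDS = {"password", "welcome", "dragon", "monkey", "letmein", "summer", "football"}

def has_sequential_digits(pw, run=3):
    """True if pw contains `run` digits that rise or fall by 1 (123, 987, ...)."""
    digits = [int(c) if c.isdigit() else None for c in pw]
    for i in range(len(digits) - run + 1):
        window = digits[i:i + run]
        if None in window:
            continue
        steps = {b - a for a, b in zip(window, window[1:])}
        if steps in ({1}, {-1}):
            return True
    return False

def check_password(pw, username="", personal=(), words=COMMON_WORDS):
    """Return the rules from tip 4 that pw breaks (empty list means it passes)."""
    problems = []
    lower = pw.lower()
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    if not (re.search(r"[A-Za-z]", pw) and re.search(r"\d", pw)):
        problems.append("not a mix of letters and numbers")
    if any(w in lower for w in words):
        problems.append("contains a complete word")
    if has_sequential_digits(pw):
        problems.append("contains sequential numbers")
    if username and username.lower() in lower:
        problems.append("contains the username")
    # Each personal fact is also tried digits-only, so 1984-07-04 matches 19840704.
    for fact in personal:
        forms = {fact.lower(), re.sub(r"\D", "", fact)}
        if any(f and f in lower for f in forms):
            problems.append("contains personal information")
            break
    return problems

if __name__ == "__main__":
    for candidate in ("summer123", "kt19840704", "t7Qv2mXr9b"):
        print(candidate, check_password(candidate, "jdoe", ["1984-07-04"]))
```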

If you follow the simple steps listed above you will be better protected against identity theft and personal fraud. I hope you've enjoyed the article and learned a thing or two along the way.
