Attempt to destroy, expose, alter, disable, steal, gain unauthorized access to or make unauthorized use of an asset. [UNE-ISO/IEC 27000:2014]
Attempt to destroy, expose, alter or disable an information system or the information the system handles, or to violate a security policy in some other way. [ISO-18043:2006]
Exploitation of one or more vulnerabilities using an attack method with a given opportunity.
Examples:
· high opportunity of use of counterfeit or copied software due to the total absence of awareness or of information about copyright legislation;
· alteration of software by a virus due to the ease of introducing harmful programs into the organisation's office network;
· ...
[EBIOS:2005]
Action that may violate the security systems and mechanisms of an information system.
Traditionally attacks are divided, according to the effect they produce, into: interruption, interception, modification and fabrication. If categorized by mode of action, they are classified as: passive (they do not modify the state of the attacked system) and active (they alter the attacked system).
[Ribagorda:1997]
1. Actions aimed at discovering the secret or private keys of a cryptosystem.
2. Any deliberate action aimed at violating the security mechanisms of an information system.
[CESID:1997]
attempt to destroy, expose, alter, disable, steal or gain unauthorized access to or make unauthorized use of an asset [ISO/IEC 27000:2014]
Any kind of malicious activity that attempts to collect, disrupt, deny, degrade, or destroy information system resources or the information itself. [CNSSI_4009:2010]
1. (I) An intentional act by which an entity attempts to evade security services and violate the security policy of a system. That is, an actual assault on system security that derives from an intelligent threat. (See: penetration, violation, vulnerability.)
2. (I) A method or technique used in an assault (e.g., masquerade).
Tutorial: Attacks can be characterized according to intent:
· An "active attack" attempts to alter system resources or affect their operation.
· A "passive attack" attempts to learn or make use of information from a system but does not affect system resources of that system. (See: wiretapping.) The object of a passive attack might be to obtain data that is needed for an off-line attack.
· An "off-line attack" is one in which the attacker obtains data from the target system and then analyzes the data on a different system of the attacker's own choosing, possibly in preparation for a second stage of attack on the target.
Attacks can be characterized according to point of initiation:
· An "inside attack" is one that is initiated by an entity inside the security perimeter (an "insider"), i.e., an entity that is authorized to access system resources but uses them in a way not approved by the party that granted the authorization.
· An "outside attack" is initiated from outside the security perimeter, by an unauthorized or illegitimate user of the system (an "outsider"). In the Internet, potential outside attackers range from amateur pranksters to organized criminals, international terrorists, and hostile governments.
Attacks can be characterized according to method of delivery:
· In a "direct attack", the attacker addresses attacking packets to the intended victim(s). In an "indirect attack", the attacker addresses packets to a third party, and the packets either have the address(es) of the intended victim(s) as their source address(es) or indicate the intended victim(s) in some other way. The third party responds by sending one or more attacking packets to the intended victims. The attacker can use third parties as attack amplifiers by providing a broadcast address as the victim address (e.g., "smurf attack"). (See: reflector attack. Compare: reflection attack, replay attack.)
[RFC4949:2007]
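The direct, indirect and amplified (broadcast) delivery methods of the RFC 4949 tutorial above, as an added example that is not part of this glossary or of RFC 4949. The block classifies constructed packet records from the attacker's side, and then takes the defender's side at the third party that is being used as a reflector: an address that is not ours but appears as the source of request or query packets to many of our hosts, or to our broadcast address, is most likely a spoofed victim that our replies will hit. The Packet type, the victim address 203.0.113.7, the reflector network 192.0.2.0/24 and every packet in SAMPLE are invented for the example.

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Minimal packet record (constructed for the example)."""
    src: str
    dst: str
    proto: str  # e.g. "icmp-echo-request", "dns-query", "icmp-echo-reply"


VICTIM = "203.0.113.7"                                   # hypothetical target
REFLECTOR_NETS = [ipaddress.ip_network("192.0.2.0/24")]  # hypothetical third-party LAN


def is_broadcast(addr, networks):
    ip = ipaddress.ip_address(addr)
    return any(ip == n.broadcast_address for n in networks)


def in_networks(addr, networks):
    ip = ipaddress.ip_address(addr)
    return any(ip in n for n in networks)


def classify_delivery(pkt, victim, networks):
    """RFC 4949 'method of delivery', seen from the attacker's side:
    direct             - the packet is addressed to the victim;
    indirect           - the packet goes to a third party with the victim forged
                         as source, so the third party's reply lands on the victim;
    indirect-amplified - the third party address is a broadcast address (smurf),
                         so every host on that subnet replies to the victim."""
    if pkt.dst == victim:
        return "direct"
    if pkt.src == victim:
        return "indirect-amplified" if is_broadcast(pkt.dst, networks) else "indirect"
    return "unrelated"


def reflector_candidates(packets, local_nets, min_targets=3):
    """Defender's view at the third party: flag non-local source addresses that
    send request/query packets to many local hosts or to our broadcast address,
    because we would be reflecting our replies onto that address."""
    targets = defaultdict(set)
    broadcast_hits = defaultdict(int)
    for p in packets:
        if not (p.proto.endswith("request") or p.proto.endswith("query")):
            continue                       # replies are not reflectable input
        if in_networks(p.src, local_nets):
            continue                       # a local host asking is normal
        if not in_networks(p.dst, local_nets):
            continue                       # not addressed to us at all
        targets[p.src].add(p.dst)
        if is_broadcast(p.dst, local_nets):
            broadcast_hits[p.src] += 1
    return {
        src: {"targets": len(dsts), "broadcast": broadcast_hits[src]}
        for src, dsts in targets.items()
        if len(dsts) >= min_targets or broadcast_hits[src] > 0
    }


# Constructed traffic: two packets sent straight at the victim, a smurf burst
# with the victim's address forged as source, and benign local DNS traffic.
SAMPLE = [
    Packet("198.51.100.9", VICTIM, "icmp-echo-request"),
    Packet("198.51.100.9", VICTIM, "icmp-echo-request"),
    Packet(VICTIM, "192.0.2.255", "icmp-echo-request"),
    Packet(VICTIM, "192.0.2.255", "icmp-echo-request"),
    Packet(VICTIM, "192.0.2.20", "icmp-echo-request"),
    Packet(VICTIM, "192.0.2.21", "icmp-echo-request"),
    Packet("192.0.2.10", "192.0.2.53", "dns-query"),
    Packet("192.0.2.53", "192.0.2.10", "dns-reply"),
]

if __name__ == "__main__":
    for p in SAMPLE:
        print(p.src, "->", p.dst, classify_delivery(p, VICTIM, REFLECTOR_NETS))
    print(reflector_candidates(SAMPLE, REFLECTOR_NETS))
```

The classifier only knows the victim because the attacker does; the detector needs no such knowledge, which is why it is the useful half for a SOC at the reflector's network. The min_targets threshold is arbitrary and would be tuned against the site's normal inbound request fan-out; a single request to the broadcast address from outside is treated as suspicious on its own.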
Any person deliberately exploiting vulnerabilities in technical and non-technical security controls in order to steal or compromise information systems and networks, or to compromise availability to legitimate users of information system and network resources. [ISO-18028-1:2006]
Attempts to destroy, expose, alter, or disable an Information System and/or information within it or otherwise breach the security policy. [ISO-18043:2006]
The activities undertaken to bypass or exploit deficiencies in a system's security mechanisms. By a direct attack on a system they exploit deficiencies in the underlying algorithms, principles, or properties of a security mechanism. Indirect attacks are performed when they bypass the mechanism, or when they make the system use the mechanism incorrectly. [H.235:2005]
Exploiting one or more vulnerabilities using an attack method with a given opportunity.
Examples:
· strong opportunity of using counterfeit or copied software resulting from total absence of awareness or information concerning copyright legislation;
· software damaged by a virus through easy loading of malicious programmes onto the organisation's office network;
· etc.
[EBIOS:2005]
An attack is the act of carrying out an exploit.
https://buildsecurityin.us-cert.gov/daisy/bsi/articles/knowledge/attack/590-BSI.html
steps that an adversary takes or may take to plan, prepare for, and execute an attack
Annotation: An attack path may include recruitment, radicalization, and training of operatives, selection and surveillance of the target, construction or procurement of weapons, funding, deployment of operatives to the target, execution of the attack, and related post-attack activities.
DHS Risk Lexicon, September 2008
An attack path is a path in an attack tree from a leaf node to the root node. An attack path can be a simplistic representation of an attack pattern.
https://buildsecurityin.us-cert.gov/daisy/bsi/articles/knowledge/attack/590-BSI.html
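The attack tree and attack path definition above, as an added example that is not from the BSI article or from this glossary: a small Python attack tree with OR and AND goal nodes. attack_paths enumerates every leaf-to-root path in the sense defined above; going beyond that definition, scenarios computes the minimal sets of leaf actions that actually achieve the root (an AND node needs all of its children, so a single leaf-to-root path is not always a complete attack), and cheapest_scenario ranks them by a per-leaf effort value. The tree, its node names and the effort figures are invented for illustration.

```python
from dataclasses import dataclass, field
from itertools import product


@dataclass
class Goal:
    """A node of an attack tree. kind is 'or' (any child suffices), 'and' (all
    children are needed) or 'leaf' (an atomic attacker action)."""
    name: str
    kind: str = "leaf"
    children: list = field(default_factory=list)


def attack_paths(root):
    """All attack paths in the BSI sense: the chain of goals from a leaf up to
    the root, listed leaf first."""
    paths = []

    def walk(node, trail):
        trail = trail + [node.name]
        if not node.children:
            paths.append(trail[::-1])
        for child in node.children:
            walk(child, trail)

    walk(root, [])
    return paths


def scenarios(node):
    """Minimal sets of leaf actions that achieve `node`: an OR node is achieved
    by any one child's scenario, an AND node needs one scenario from every
    child combined."""
    if not node.children:
        return [frozenset([node.name])]
    per_child = [scenarios(c) for c in node.children]
    if node.kind == "or":
        return [s for options in per_child for s in options]
    # AND: pick one scenario from each child and union them
    return [frozenset().union(*combo) for combo in product(*per_child)]


def cheapest_scenario(root, effort):
    """The scenario with the lowest total attacker effort (effort per leaf,
    constructed values in arbitrary units)."""
    return min(scenarios(root), key=lambda s: sum(effort[leaf] for leaf in s))


# Constructed tree for a hypothetical web application with a backend database.
TREE = Goal("Read customer records", "or", [
    Goal("Steal DB credentials", "or", [
        Goal("Phish DBA"),
        Goal("Find creds in repo"),
    ]),
    Goal("Exploit app", "and", [
        Goal("Find SQL injection"),
        Goal("Bypass WAF"),
    ]),
])

EFFORT = {"Phish DBA": 30, "Find creds in repo": 10,
          "Find SQL injection": 20, "Bypass WAF": 25}   # arbitrary units

if __name__ == "__main__":
    for p in attack_paths(TREE):
        print(" -> ".join(p))
    for s in scenarios(TREE):
        print(sorted(s))
    print(sorted(cheapest_scenario(TREE, EFFORT)))
```

The distinction matters when mapping controls: a control on the leaf "Bypass WAF" breaks one leaf-to-root path, but because "Exploit app" is an AND node it also removes the whole SQL injection scenario, whereas a control on "Phish DBA" leaves the credentials-in-repo scenario, the cheapest one here, untouched.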
An attack pattern is a general framework for carrying out a particular type of attack such as a particular method for exploiting a buffer overflow or an interposition attack that leverages architectural weaknesses. In this paper, an attack pattern describes the approach used by attackers to generate an exploit against software.
https://buildsecurityin.us-cert.gov/daisy/bsi/articles/knowledge/attack/590-BSI.html
An attacker is the person that actually executes an attack. Attackers may range from very unskilled individuals leveraging automated attacks developed by others (script kiddies) to well-funded government agencies or even large international organized crime syndicates with highly skilled software experts.
https://buildsecurityin.us-cert.gov/daisy/bsi/articles/knowledge/attack/590-BSI.html
An attempt by an unauthorized individual to fool a Verifier or a Relying Party into believing that the unauthorized individual in question is the Subscriber. [NIST SP-800-63:2013]
A party who acts with malicious intent to compromise an information system. [NIST SP-800-63:2013]
An attack where the Attacker obtains some data (typically by eavesdropping on an authentication protocol run or by penetrating a system and stealing security files) that he/she is able to analyze in a system of his/her own choosing. [NIST SP-800-63:2013]
An attack against an authentication protocol where the Attacker either assumes the role of a Claimant with a genuine Verifier or actively alters the authentication channel. [NIST SP-800-63:2013]
The attack surface of a system or asset refers to the collectively exposed portions of that system or asset. A large attack surface means that there are many exposed areas that an attack could target, while a small attack surface means that the target is relatively unexposed. [knapp:2014]
An attack vector is the direction(s) through which an attack occurs, often referring to specific vulnerabilities that are used by an attacker at any given stage of an attack. [knapp:2014]
Exploitation of one or more vulnerabilities using an attack method with a given opportunity.
Examples:
· strong opportunity of use of counterfeit or copied software due to the total absence of awareness or information about copyright legislation;
· alteration of software by a virus due to the ease of introducing software with malicious effects onto the organisation's office network;
· ...
[EBIOS:2005]
An attempt to exploit a vulnerability of an IT system [ISO-15947:2002]