ASSU Chapter 2

Chapter 2 discusses various security threats and attack types, including social engineering, malware, and insider threats. It categorizes threat actors from script kiddies to nation states and outlines different attack methods such as DDoS, SQL injection, and cryptographic attacks. The chapter emphasizes the importance of prevention, detection, and recovery mechanisms in safeguarding information systems.


Chapter 2

Security Threats and Attacks

Outline
• Threat
• Threat Actors
• Attack Types
  – Social engineering
  – Service/application attack
  – Wireless attack
  – Cryptographic attack

Security Threats

Threat: any circumstance or event with the potential to harm an information system through unauthorized access, disclosure, destruction, modification and/or denial of service.

Sources of threats: Human, Nature, Malware

H: Insider/Outsider

• Most of the time security is designed to protect against outside intruders.
• However, insiders are more dangerous in many respects than outside intruders.
• According to the Government Accountability Office and the Department of Homeland Security, 60% of incidents are caused by insiders.
  – Insiders have access to the organization and its assets
Natural/Environmental

• Threats caused by non-human agents.
• Include threats like:
  – Earthquakes, floods
  – Fire, lightning
  – Wind, etc.
Virus

• Malicious code that requires user interaction to install and replicate.

Virus Name            Amount of Damage ($)   #PCs Infected
Stuxnet (2009-2010)   Unknown                100,000+
Conficker (2009)      $9,100,000,000         3,500,000
MyDoom (2004)         $38,000,000,000        2,000,000
SoBig.F (2003)        $37,000,000,000        2,000,000
I Love You (2000)     $15,000,000,000        500,000
Worms

• Self-replicating program that is usually self-contained and can execute and spread without user interaction.
• Two main types:
  – Network service worm: exploits network vulnerabilities to propagate and infect others.
  – Mass mailing worm: exploits email systems to spread and infect others.
Trojan

• Seemingly friendly software that contains hidden malicious software.
• Because the software seems legitimate, it is more likely to be given permission to execute malicious code.
• Mostly used as a RAT (Remote Access Tool).
Rootkit

• Malicious code that installs itself at the OS or kernel level to avoid detection.
• Rootkits are very difficult to get rid of:
  – Load before the OS loads
  – Can disable antivirus and antimalware
Keylogger

• Malicious application that, once installed on a host, can capture all keystrokes:
  – Usernames/passwords
  – Sensitive information/credit card numbers
  – Email/chat/instant messages
• Captured files can be uploaded to a remote location, emailed, or stored locally for later retrieval.
• A hardware device can also be used as a keylogger.
Logic Bomb

• Malicious code that triggers after a period of time, based on some date or specific activity.
  – Executes when a specific condition is met in the program.
• Generally used to commit a malicious action:
  – Code that deletes company data when the IT employee is fired
  – Code that erases part of a website on a specific date
Threat Actors

• Threat actors can range from beginners probing around to highly organized nation states:
  – Script kiddies
  – Hacktivists
  – Organized crime
  – Nation states/APT
  – Insiders
  – Competitors
Script Kiddies

• Hackers that are relatively new or unskilled
  – Typically looking to see what they can get into
  – The challenge is the attraction
  – Not typically associated with any organized hacking group
  – Usually not well funded

Hacktivist

• Hackers who are motivated by ideology or some social/political cause
  – Can be well funded and skilled
  – Usually deface websites
  – Steal information: personal information and credentials
  – DDoS
Organized Crime

• Hackers motivated by financial gain
  – Deliberate, with high technical capability
  – Well funded
  – Collect information related to credit cards, ATMs
  – Steal personal information for sale on the dark web
Nation States/APT

• Highly skilled hackers whose main goal is to penetrate government and commercial systems
  – Cyber espionage
  – Data/IP theft
  – Sabotage
  – Cyber warfare
  – Very stealthy and persistent, well funded and connected
Insiders

• Often motivated by financial gain
  – CERT advises that over 70% of IP theft cases involve insiders.
  – Accidental exposure can occur from misuse or misconfigured systems
  – Data theft includes IP and company secrets
  – Needs to be taken seriously and addressed.
Competitors

• Motivated by financial gain
  – Competitive advantage
  – Theft of IP or company secrets
  – Sabotage
  – Can be well funded and range from low to high skill
Cyber Attack

Cyber Attack: any attempt to expose, alter, disable, destroy, steal or gain unauthorized access to an asset.
  – Any type of offensive maneuver that targets computer information systems, infrastructures, computer networks, or personal computer devices.
General Categories of Attacks

♦ Interruption
  – An asset of the system is destroyed or becomes unavailable or unusable
  – Attack on availability
  – Destruction of hardware
  – Cutting of a communication line
  – Disabling the file management system
  (Diagram: Interruption)

♦ Interception
  – An unauthorized party gains access to an asset
  – Attack on confidentiality
  – Wiretapping to capture data in a network
  – Illicit copying of files or programs
  – The emphasis is prevention rather than detection
  (Diagram: Interception)

♦ Fabrication
  – An unauthorized party inserts counterfeit objects into the system
  – Attack on authenticity
  – Insertion of spurious messages in a network
  – Addition of records to a file
  (Diagram: Fabrication)

♦ Modification
  – An unauthorized party not only gains access but tampers with an asset
  – Attack on integrity
  – Changing values in a data file
  – Altering a program so that it performs differently
  – Modifying the content of messages being transmitted in a network
  (Diagram: Modification)
Attack Types

• Social Engineering
• Application/Service Attack
• Wireless Attack
• Cryptographic Attacks
Social Engineering

• Use deceptive tactics to trick individuals into providing information they otherwise would not.
• Often rely on exploiting basic human instincts such as trust and fear
Social Eng. Attacks

• Phishing: attack via electronic communication (e.g. email) posing as someone trustworthy.
• Spear Phishing: targeted attack appearing to come from a trusted source, often within the victim's own company, from someone in a position of authority.
• Whaling: specific attack targeting high-profile business executives, upper management, the CEO, etc.
• Vishing: phishing using voice calls (voice phishing)
  – Gets the victim to divulge personal or sensitive information.
  – Attacker poses as a legitimate company, repair person, security personnel or someone of trust.
  – Can be internal or external to the company
• Tailgating: following someone into a building through a gated area or badged access area.
  – People want to be helpful
  – Hold the door for people who look like they belong: carrying lots of items, etc.
  – Training and understanding of corporate policy is key
• Dumpster Diving: removing trash from dumpsters that could reveal sensitive information.
  – Usernames and passwords
  – Personally Identifiable Information (PII)
  – Company documents and resumes, etc.
• Mitigation techniques:
  – Shredding documents prior to disposal
  – Locked waste cans to be transported off-site for shredding/disposal
• Shoulder Surfing: combined with social engineering to trick someone into entering credentials into an application or website.
  – Strike up a conversation about their kids, sports, then ask to see some pictures.
  – Shoulder surf as they enter their username/password into a social media website.
• Mitigation techniques:
  – Privacy screens
  – Masked passwords: multiple asterisks per keystroke further obfuscate the length of passwords
  – Cameras to monitor doors, sensitive areas, key card access, etc.
Application/Service Attacks

• DDoS: large-scale attack against a specific target.
  – Botnet
  – Botnet herder
  – Command and control center (C&C)
• C&C issues commands to botnet zombies to initiate an attack against a target
  – Could be hundreds, thousands or millions of zombies
• Buffer overflow: attack that causes a system or app to crash or behave unexpectedly
  – Write more data than the buffer can handle
  – Data is written to adjacent memory
• Can cause pointers to jump to a different address
  – The overflowing data can contain user-supplied executable code, which could allow remote code execution and result in privilege elevation.
• SQL Injection: modify the SQL query that's passed to the web application.
• Adding code into a data stream
  – Bypass login screens
  – A vulnerable website may return usernames and passwords given the right SQL injection
  – Cause the application to "throw" an error or crash (allowing attackers remote access)
• Mitigation: proper input validation

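The login-bypass and error symptoms described above, and the mitigation, as an added example that is not part of the slides: a string-concatenated query beside a parameterized one, with an allow-list check on the username, against a constructed in-memory SQLite table.

```python
import re
import sqlite3

def make_db():
    # Constructed in-memory sample database for the demonstration.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct-horse')")
    return conn

def login_vulnerable(conn, username, password):
    # Input is spliced into the statement text, so a quote in the input
    # changes the query's structure ("adding code into a data stream").
    query = (f"SELECT username FROM users WHERE username = '{username}' "
             f"AND password = '{password}'")
    return conn.execute(query).fetchone() is not None

def login_parameterized(conn, username, password):
    # Bound parameters keep the input as data: the WHERE clause is fixed by
    # the application and cannot be rewritten by what the user types.
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None

# Input validation as defence in depth: accept only usernames of a known shape.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")

def valid_username(username):
    return USERNAME_RE.fullmatch(username) is not None

def run_demo():
    conn = make_db()
    # Constructed tampering input: it closes the password string early and adds
    # an always-true condition, so the vulnerable WHERE clause matches every row.
    tamper = "' OR '1'='1"
    results = {
        "vulnerable_bypassed": login_vulnerable(conn, "alice", tamper),
        "parameterized_bypassed": login_parameterized(conn, "alice", tamper),
        "parameterized_real_login": login_parameterized(conn, "alice", "correct-horse"),
        "tamper_passes_validation": valid_username(tamper),
    }
    # A lone quote leaves the spliced statement malformed; the resulting
    # exception is the "throw an error or crash" symptom from the slide.
    try:
        login_vulnerable(conn, "'", "x")
        results["vulnerable_errors"] = False
    except sqlite3.OperationalError:
        results["vulnerable_errors"] = True
    results["parameterized_errors"] = False  # same input is just a non-matching value
    login_parameterized(conn, "'", "x")
    return results
```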
• Typo Squatting/URL Hijacking: setting up domain names to capitalize on the fact that users make typos.
  – Facbook.com instead of Facebook.com
  – Goggle, Googel, Googgle, etc.
• Fraudulent websites are set up to resemble the real ones
  – Capture user credentials
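A defender's check for the typo-squatting pattern above, added here and not part of the slides: it flags domains within a small edit distance of a constructed watchlist of legitimate names (the watchlist and the two-edit threshold are assumptions; the suffix handling is deliberately simplified and uses no public-suffix list).

```python
# Constructed watchlist of legitimate domains (assumption for this example).
WATCHLIST = ["facebook.com", "google.com"]

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: fewest single-character insertions, deletions
    and substitutions that turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]

def registrable_name(domain: str) -> str:
    # Simplified: the label in front of the last dot ("facbook" of facbook.com).
    labels = domain.lower().rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]

def classify(domain: str, watchlist=WATCHLIST, max_distance: int = 2):
    """Return (verdict, closest_watched_domain).
    Exact match -> 'legitimate'; within max_distance edits of a watched
    name -> 'possible typosquat'; otherwise 'unrelated'."""
    name = registrable_name(domain)
    best = None
    for legit in watchlist:
        d = edit_distance(name, registrable_name(legit))
        if best is None or d < best[0]:
            best = (d, legit)
    dist, closest = best
    if dist == 0:
        return "legitimate", closest
    if dist <= max_distance:
        return "possible typosquat", closest
    return "unrelated", closest

if __name__ == "__main__":
    # The slide's own examples plus a control value.
    for d in ["facbook.com", "goggle.com", "googel.com", "googgle.com",
              "facebook.com", "example.com"]:
        print(d, "->", classify(d))
```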
Wireless Attacks

• Rogue Access Point: unauthorized access point installed in a corporate network or public area.
  – Used to steal or intercept data
  – Can be used with jamming/interference techniques
  – Attacker can also use a captive portal to capture credentials
• Evil Twin: rogue access point that is impersonating a legitimate access point, using the same SSID.
• Bluejacking: sending of unauthorized messages or data to a victim's device via Bluetooth technology.
• Bluesnarfing: the opposite of bluejacking, in that data is pulled off the victim's device via Bluetooth technology.
  – Contact list, text messages, email
  – Personally Identifiable Information (PII)
  – If your device is in discoverable mode, you can be a victim of such attacks.
Cryptographic Attack

• Brute Force attack: attempt to defeat encryption by systematically trying every possible combination of passwords or passphrases.
  – Time consuming
  – Most accounts will lock out after "X" number of attempts
  – Length of password increases time to crack
• Collision Attack: attack that tries to find two inputs that have the same output.
  – Two separate inputs that produce the same output are referred to as a collision
  – Could be used to bypass security and make a malicious file appear legitimate if the hash values are the same.
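The collision idea made concrete, as an added example that is not part of the slides: SHA-256 truncated to 16 bits stands in for a weak hash (a constructed toy, not a real weakness of SHA-256), a birthday search finds two different byte strings with the same short digest, and a file-integrity check keyed on that digest accepts the second file while the full-length digest rejects it.

```python
import hashlib

def weak_digest(data: bytes) -> bytes:
    # Toy weak hash: only 2**16 possible outputs, so collisions are cheap.
    return hashlib.sha256(data).digest()[:2]

def strong_digest(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def find_collision(max_tries: int = 70000):
    """Birthday search: hash distinct inputs until two share a weak digest.
    A repeat is expected after a few hundred inputs and is guaranteed by the
    pigeonhole principle after 2**16 + 1 distinct inputs."""
    seen = {}
    for i in range(max_tries):
        candidate = f"file-{i}".encode()   # constructed inputs
        d = weak_digest(candidate)
        if d in seen:
            return seen[d], candidate
        seen[d] = candidate
    return None

def is_trusted(file_bytes: bytes, trusted_digest: bytes, digest_fn) -> bool:
    """Integrity check that accepts any file whose digest equals the trusted
    one; whether a collision helps depends entirely on digest_fn."""
    return digest_fn(file_bytes) == trusted_digest

def run_demo():
    legit, malicious = find_collision()
    return {
        "inputs_differ": legit != malicious,
        "weak_collides": weak_digest(legit) == weak_digest(malicious),
        "strong_collides": strong_digest(legit) == strong_digest(malicious),
        # A check keyed on the truncated digest lets the second file through...
        "weak_check_fooled": is_trusted(malicious, weak_digest(legit), weak_digest),
        # ...while the full-length digest tells the two files apart.
        "strong_check_fooled": is_trusted(malicious, strong_digest(legit), strong_digest),
    }

if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k}: {v}")
```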
Passive Versus Active Attacks

• Security Attacks: attacks may be passive or active. This specifies whether or not the adversary interferes with the information.
• Passive attacks (offline attacks): the goal is to obtain the information transmitted.
  – Obtain message contents
  – Monitoring traffic flows
  – Release of message contents, e.g. from a telephone conversation, e-mail, transferred files, etc.
  – Traffic analysis, e.g. location and identity of communicating hosts, frequency and length of messages, the nature of messages.

• Active attacks (online attacks)
  – Masquerade: pretending to be a different entity
  – Modify messages in transit
  – Add, delete messages
  – Denial of service
• Passive attacks are difficult to detect but easy to prevent, whereas active attacks are easy to detect but difficult to prevent.

Security Mechanisms

• Prevention, Detection, Recovery

Prevention:
– Encryption
– Software controls (DB access limitations, operating system process protection)
– Enforce policies (frequent password change)
– Physical controls

Detection: intrusion detection systems (IDS)

Prevention Mechanisms
• Adequate prevention means that an attack will fail.
• Prevention usually involves mechanisms that the user cannot override.
• Prevention mechanisms are often cumbersome and do not always work perfectly, or fail because they are circumvented.
• Passwords are a prevention mechanism to prevent unauthorized access. They fail when the password becomes known to a person other than the owner.
Detection Mechanisms
• Detection is used when an attack cannot be prevented, and it also indicates the effectiveness of prevention measures.
• The goal is to determine that an attack is underway or has occurred, and report it.
• Audit logs are detection mechanisms.
• When you log into the design center's Unix servers, it gives you the IP address of the last successful login.
Recovery
• Recovery has several aspects.
• The first is to stop an attack and repair the damage.
• Another is to trace the evidence back to the attacker and discover the identity of the attacker (this could result in legal retaliation).
• Yet another aspect is to determine the vulnerability that was exploited and fix it, or devise a way of preventing a future attack.
Example: Private Property
Prevention: locks at doors, window bars, walls round the property

Detection: stolen items are missing, burglar alarms, closed circuit TV

Recovery: call the police, replace stolen items, make an insurance claim

Example: E-Commerce
Prevention: encrypt your orders, rely on the merchant to perform checks on the caller, don't use the Internet (?) …

Detection: an unauthorized transaction appears on your credit card statement

Recovery: complain, ask for a new card number, etc.

Footnote: Your credit card number has not been stolen. Your card can be stolen, but not the number. Confidentiality is violated.
