Module 5 - Principles of Network Security

This document outlines the principles of network security, focusing on various types of threats, attacks, and malware. It categorizes attackers into white hat, grey hat, and black hat hackers, and discusses the evolution of threat actors and their tools. Additionally, it highlights common network attacks, including reconnaissance, access, and social engineering attacks, and emphasizes the importance of cybersecurity awareness and training to mitigate risks.

Uploaded by Charles Uy

INFORMATION ASSURANCE & SECURITY 2
MODULE 5: PRINCIPLES OF NETWORK SECURITY

OBJECTIVES
Upon completion of this module, the student will be able to:

➢ Explain the various types of threats and attacks.
➢ Describe malware.
➢ Explain common network attacks.
➢ Explain how networks are attacked.
➢ Describe the evolution of network security.
➢ Describe the various types of attack tools used by threat actors.
ATTACKERS AND THEIR TOOLS
Who is Attacking Our Network?
Threat, Vulnerability, and Risk
▪ Threat
• Potential danger to an asset such as data or the network.
▪ Vulnerability and Attack Surface
• Weakness in a system or its design that could be exploited by a threat.
• Attack surface describes the different points where an attacker could get into a system and reach the data (example: an operating system without security patches).
▪ Exploit
• Mechanism used to leverage a vulnerability to compromise an asset.
• Remote – works over the network.
• Local – threat actor has user or administrative access to the end system.

▪ Risk
• Likelihood that a threat will exploit a vulnerability of an asset and result in an undesirable consequence.
• There are four common ways to manage risk:
• Risk acceptance
• Risk avoidance
• Risk limitation
• Risk transfer
▪ Other commonly used network security terms include:
• Countermeasure
• Impact
Note: A local exploit requires inside network access, such as a user with an account on the network. A remote exploit does not require an account on the network to exploit that network's vulnerability.
Who is Attacking Our Network?
Hacker vs. Threat Actor
▪ White Hat Hackers
• Ethical hackers who use their programming skills for good, ethical, and legal
purposes.
• Perform penetration tests to discover vulnerabilities and report to developers
before exploitation.
▪ Grey Hat Hackers
• Commit crimes and do unethical things but not for personal gain or to cause
damage.
• May compromise network and then disclose the problem so the organization
can fix the problem.
▪ Black Hat Hackers
• Unethical criminals who violate security for personal gain, or for malicious
reasons, such as attacking networks.
Note: Threat actor is a term used to describe grey and black hat hackers.
Who is Attacking Our Network?
Evolution of Threat Actors

▪ Script Kiddies
• Inexperienced hackers running existing tools and exploits to cause harm, but typically not for profit.
▪ State-Sponsored
• White or black hats who steal government secrets, gather intelligence, and sabotage networks.
• Targets are foreign governments, terrorist groups, and corporations.
Who is Attacking Our Network?
Evolution of Threat Actors (Continuation)
▪ Cybercriminals
• Black hats stealing billions of dollars from
consumers and businesses.

▪ Hacktivists
• Grey hats who rally and protest against political
and social ideas.
• Post articles and videos to leak sensitive
information.

▪ Vulnerability Broker
• Discover exploits and report them to vendors,
sometimes for prizes or rewards.
Who is Attacking Our Network?
Cybercriminals
▪ Money-motivated threat actors.
▪ Buy, sell, and trade exploits, and
private information and intellectual
property.
▪ Steal from consumers, small
businesses, as well as large
enterprises and industries.
Who is Attacking Our Network?
Cybersecurity Tasks
▪ Develop good cybersecurity awareness.
▪ Report cybercrime to authorities.
▪ Be aware of potential threats in email and on the web.
▪ Guard important information from theft.
▪ Organizations must take action and protect their assets, users, and customers.
▪ Develop cybersecurity tasks and implement those tasks on a recurring basis.
Who is Attacking Our Network?
Cyber Threat Indicators
▪ Each attack has unique identifiable attributes that are known as cyber threat indicators, or simply attack indicators.
▪ The U.S. Department of Homeland Security (DHS) and the United States Computer Emergency Readiness Team (US-CERT) use the Automated Indicator Sharing (AIS) system, which enables sharing of verified attack indicators with public and private sector organizations.
Threat Actor Tools
Introduction of Attack Tools
▪ Attackers use tools to exploit a vulnerability.
▪ The sophistication of attack tools, and the technical knowledge needed to conduct attacks, has changed since 1985.
Threat Actor Tools
Evolution of Security Tools
▪ Common Penetration Testing Tools
• Password crackers
• Wireless hacking tools
• Network scanning and hacking tools
• Packet crafting tools
• Packet sniffers
• Rootkit detectors
• Fuzzers
• Forensic tools
• Debugger tools
• Hacking operating systems
• Encryption tools
• Vulnerability exploitation tools
• Vulnerability scanners
Threat Actor Tools
Categories of Attacks
▪ Common Categories of Network Attacks
• Eavesdropping
• Data modification
• IP address spoofing
• Password-based
• Denial-of-Service
• Man-in-the-Middle
• Compromised-Key
• Sniffer
COMMON THREATS AND
ATTACKS
Malware
Types of Malware
▪ Malware
• Short for malicious software or malicious code.
• Specifically designed to damage, disrupt, steal or inflict illegitimate action on data hosts or
networks.
Malware
Viruses
▪ Type of malware that propagates by inserting a copy
of itself into another program.
▪ Spread from one computer to another, infecting
computers.
▪ Spread by USB memory drives, CDs, DVDs, network
shares and email.
▪ Can lay dormant and activate at a specific time and
date.
▪ Requires human action to insert malicious code into
another program.
▪ Executes a specific unwanted, and often harmful,
function on a computer.
Malware
Trojan Horses
▪ Malicious code that is designed to look legitimate.
▪ Often found attached to online games.
▪ Non-replicating type of malware.
▪ Exploits the privileges of the user that runs the
malware.
▪ Can cause immediate damage, provide remote
access to the system, or access through a back
door.
Malware
Trojan Horse Classification
▪ Remote-access Trojan horse - Enables unauthorized
remote access.
▪ Data-sending Trojan horse - Provides the threat actor
with sensitive data, such as passwords.
▪ Destructive Trojan horse - Corrupts or deletes files.
▪ Proxy Trojan horse - Will use the victim's computer
as the source device to launch attacks and perform
other illegal activities.
▪ FTP Trojan horse - Enables unauthorized file transfer
services on end devices.
▪ Security software disabler Trojan horse - Stops
antivirus programs or firewalls from functioning.
▪ DoS Trojan horse - Slows or halts network activity.
Malware
Worms
▪ Executes arbitrary code and installs itself in the memory of the infected device.
▪ Automatically replicates itself and spreads across the network from system to system.
▪ Components of a worm attack include an enabling vulnerability, delivery of a malicious payload, and self-propagation.
▪ A virus requires a host program to run; worms can run by themselves.
Figure: Initial Code Red worm infection (658 servers) and the infection 19 hours later (300,000 servers).
Malware
Worm Components
▪ Worm attacks consist of three components:
• Enabling vulnerability - The worm installs itself using an exploit mechanism, such as an email attachment, an executable file, or a Trojan horse, on a vulnerable system.
• Propagation mechanism - After gaining access to a device, the worm replicates itself and locates new targets.
• Payload - Any malicious code that results in some action. A payload is often used to create a backdoor that allows a threat actor access to the infected host, or to create a DoS attack.
Malware
Ransomware
▪ Malware that denies access to the infected computer
system or its data.
▪ Cybercriminals demand payment to release the computer
system.
▪ Frequently uses an encryption algorithm to encrypt system files and data, which then cannot be easily decrypted.
▪ Email and malicious advertising are vectors for ransomware campaigns.
▪ Social engineering is also used: cybercriminals who identify themselves as security technicians call homes and persuade users to connect to a website that downloads the ransomware to the user's computer.
Malware
Other Malware
▪ Modern Malware
• Spyware - Used to gather information about a user and send the information to another entity without the user's consent. Can be a system monitor, Trojan horse, adware, tracking cookies, or keyloggers.
• Adware - Typically displays annoying pop-ups to generate revenue for its author. May analyze user interests by tracking the websites visited and send pop-up advertising pertinent to those sites.
• Scareware - Includes scam software which uses social engineering to shock or induce anxiety by creating the perception of a threat. Generally directed at an unsuspecting user and attempts to persuade the user to infect a computer by taking action to address the bogus threat.
• Phishing - Attempts to convince people to divulge sensitive information. An example is an email that appears to come from the user's bank, asking them to divulge their account number and PIN.
• Rootkits - Installed on a compromised system. After it is installed, a rootkit continues to hide its intrusion and provides privileged access to the threat actor.
Malware
Common Malware Behaviors
▪ Computers infected with malware often exhibit one or more of the following:
• Appearance of strange files, programs, or desktop icons.
• Antivirus and firewall programs turning off, or their settings being reconfigured.
• Computer screen is freezing or system is crashing.
• Emails are spontaneously being sent without your knowledge to your contact list.
• Files have been modified or deleted.
• Increased CPU and/or memory usage.
• Problems connecting to networks.
• Slow computer or web browser speeds.
• Unknown processes or services running.
• Unknown TCP or UDP ports open.
• Connections are made to hosts on the Internet without user action.
• Strange computer behavior.
Common Network Attacks
Types of Network Attacks
▪ This course classifies attacks in three major categories:
• Reconnaissance attacks
• Access attacks
• Denial of Service (DoS) attacks
▪ By categorizing network attacks, it is possible to address types of attacks rather than individual attacks.
Common Network Attacks
Reconnaissance Attacks
▪ Also known as information gathering,
reconnaissance attacks perform unauthorized
discovery and mapping of systems, services, or
vulnerabilities.
▪ Analogous to a thief surveying a neighborhood by
going door-to-door pretending to sell something.
▪ Called host profiling when directed at an endpoint.
▪ Recon attacks precede intrusive access attacks or
DoS attack and employ the use of widely available
tools.
Common Network Attacks
Sample Reconnaissance Attacks
▪ Techniques used by threat actors:
• Perform an information query of a target - The threat actor looks for initial information about a target. Tools: Google search, and public information from DNS registries using dig, nslookup, and whois.
• Initiate a ping sweep of the target networks - The threat actor initiates a ping sweep of the target networks revealed by the previous DNS queries to identify target network addresses. This identifies which IP addresses are active and allows creation of a logical topology.
• Initiate a port scan of active IP addresses - The threat actor initiates port scans on hosts identified by the ping sweep to determine which ports or services are available. Port scanning tools such as Nmap, SuperScan, Angry IP Scanner, and NetScan Tools initiate connections to the target hosts, scanning for ports that are open on the target computers.
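The ping sweep and port scan described above leave a recognisable pattern in firewall or flow logs: one source touching many hosts with ICMP echo, then many ports on one host. The following detector is an added example, not part of the module; the log format, thresholds and sample lines are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed firewall log lines (not from the module): time, protocol, source,
# destination, and either "echo" (ICMP echo request) or the destination port.
SAMPLE_LOG = """\
10:00:01 ICMP 203.0.113.5 192.0.2.1 echo
10:00:01 ICMP 203.0.113.5 192.0.2.2 echo
10:00:02 ICMP 203.0.113.5 192.0.2.3 echo
10:00:02 ICMP 203.0.113.5 192.0.2.4 echo
10:00:03 ICMP 203.0.113.5 192.0.2.5 echo
10:00:03 ICMP 203.0.113.5 192.0.2.6 echo
10:00:10 TCP 203.0.113.5 192.0.2.10 22
10:00:10 TCP 203.0.113.5 192.0.2.10 23
10:00:10 TCP 203.0.113.5 192.0.2.10 25
10:00:11 TCP 203.0.113.5 192.0.2.10 80
10:00:11 TCP 203.0.113.5 192.0.2.10 443
10:00:11 TCP 203.0.113.5 192.0.2.10 8080
10:00:12 TCP 203.0.113.5 192.0.2.10 3389
10:00:20 TCP 198.51.100.7 192.0.2.10 443
10:00:21 TCP 198.51.100.7 192.0.2.10 443
"""

LINE_RE = re.compile(r"^(\d\d):(\d\d):(\d\d) (ICMP|TCP|UDP) (\S+) (\S+) (\S+)$")


def parse_line(line):
    """Return (seconds, proto, src, dst, target) or None for an unparseable line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    hh, mm, ss, proto, src, dst, target = m.groups()
    return (int(hh) * 3600 + int(mm) * 60 + int(ss), proto, src, dst, target)


def detect_recon(log_text, window=60, sweep_hosts=5, scan_ports=6):
    """Map each source IP to the recon behaviours seen from it: "ping_sweep" when
    it sends ICMP echo to >= sweep_hosts distinct hosts within `window` seconds,
    "port_scan:<dst>" when it touches >= scan_ports distinct ports on one host."""
    by_src = defaultdict(list)
    for ev in filter(None, map(parse_line, log_text.splitlines())):
        by_src[ev[2]].append(ev)
    findings = defaultdict(set)
    for src, events in by_src.items():
        events.sort()
        for t0, *_ in events:  # slide a window starting at every event
            in_win = [e for e in events if t0 <= e[0] < t0 + window]
            echo_dsts = {e[3] for e in in_win if e[1] == "ICMP" and e[4] == "echo"}
            if len(echo_dsts) >= sweep_hosts:
                findings[src].add("ping_sweep")
            ports_by_dst = defaultdict(set)
            for e in in_win:
                if e[1] in ("TCP", "UDP"):
                    ports_by_dst[e[3]].add(e[4])
            for dst, ports in ports_by_dst.items():
                if len(ports) >= scan_ports:
                    findings[src].add("port_scan:" + dst)
    return dict(findings)
```

On the sample, 203.0.113.5 is flagged for both behaviours while the single repeated HTTPS connection from 198.51.100.7 produces no finding.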
Common Network Attacks
Access Attacks
▪ Access attacks exploit vulnerabilities in authentication services, FTP services, and web services to retrieve data, gain access to systems, or to escalate access privileges.
▪ There are at least three reasons that threat actors would use access attacks on networks or systems:
• To retrieve data
• To gain access to systems
• To escalate access privileges
Common Network Attacks
Types of Access Attacks
• Password attack
• Pass-the-hash
• Trust exploitation
• Port redirection
• Man-in-the-middle attack
• IP, MAC, DHCP Spoofing
Common Network Attacks
Social Engineering Attacks
▪ Type of access attack that attempts to manipulate individuals into performing actions or
divulging confidential information needed to access a network.
▪ Examples of social engineering attacks include:
• Pretexting - The threat actor calls an individual and lies to them in an attempt to gain access to privileged data, for example by pretending to need personal or financial data in order to confirm the identity of the recipient.
• Spam - Uses spam email to trick a user into clicking an infected link or downloading an infected file.
• Phishing - In the common version, the threat actor sends enticing custom-targeted spam email to individuals in the hope that the target user clicks on a link or downloads malicious code.
• Something for Something (Quid pro quo) - Requests personal information from a party in exchange for something like a free gift.
• Tailgating - The threat actor follows an authorized person with a corporate badge into a badge-secured location.
• Baiting - The threat actor leaves a malware-infected physical device, such as a USB flash drive, in a public location such as a corporate washroom. The person who finds the device inserts it into their computer.
• Visual hacking - The threat actor physically observes the victim entering credentials such as a workstation login, an ATM PIN, or the combination on a physical lock. Also known as "shoulder surfing".
Common Network Attacks
Phishing Social Engineering Attacks
▪ Phishing
• Common social engineering technique in which threat actors send emails that appear to be from a legitimate organization (such as a bank).
• Variations include:
• Spear phishing - Targeted phishing attack tailored for a specific individual or organization and is more likely
to successfully deceive the target.
• Whaling – Similar to spear phishing but is focused on big targets such as top executives of an organization.
• Pharming – Compromises domain name services by injecting entries into local host files. Pharming also
includes poisoning the DNS by compromising the DHCP servers that specify DNS servers to their clients.
• Watering hole – Determines websites that a target group visits regularly and attempts to compromise those
websites by infecting them with malware that can identify and target only members of the target group.
• Vishing – Phishing attack using voice and the phone system instead of email.
• Smishing – Phishing attack using SMS texting instead of email.
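The pharming variant above works by planting entries in the local hosts file so a trusted name resolves to an attacker-controlled address. A host-based check for that tampering, added here as an example that is not part of the module (the hosts-file content and the watched domain are constructed):

```python
import ipaddress

# Constructed hosts-file content (not from the module). The last two lines
# model a pharming entry that redirects a bank's names to a non-local address.
SAMPLE_HOSTS = """\
# Standard entries
127.0.0.1       localhost
::1             localhost ip6-localhost
127.0.1.1       workstation.example.internal
# Planted entries
203.0.113.44    www.examplebank.com examplebank.com
203.0.113.44    login.examplebank.com
"""


def parse_hosts(text):
    """Return (ip, hostname) pairs for every active mapping; comments,
    blank lines and malformed addresses are skipped as a resolver would."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue
        for name in parts[1:]:
            entries.append((ip, name.lower()))
    return entries


def find_pharming_entries(text, watched_domains):
    """Flag any watched domain (or subdomain of one) that the hosts file maps
    to a non-loopback address; such an override bypasses DNS entirely."""
    watched = [d.lower() for d in watched_domains]
    suspicious = []
    for ip, name in parse_hosts(text):
        if ip.is_loopback:
            continue  # local aliases are normal and not a redirect elsewhere
        if any(name == d or name.endswith("." + d) for d in watched):
            suspicious.append((name, str(ip)))
    return suspicious
```

In practice the watched list would be the organisation's own domains plus the financial and identity providers its users rely on.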
Common Network Attacks
Strengthening the Weakest Link
▪ People are typically the weakest link in cybersecurity.
▪ Organizations must actively train their personnel and create a “security-aware culture.”
Common Network Attacks
Denial of Service Attacks
▪ Typically result in some sort of interruption of
service to users, devices, or applications.
▪ Can be caused by overwhelming a target device with
a large quantity of traffic or by using maliciously
formatted packets.
▪ A threat actor forwards packets containing errors
that cannot be identified by the application, or
forwards improperly formatted packets.
Common Network Attacks
DDoS Attacks
▪ DDoS Attacks
• Compromises many hosts
• Originates from multiple, coordinated sources
▪ DDoS terms:
• Zombies – Refers to a group of compromised hosts (i.e., agents). These hosts run malicious code referred to as robots (i.e., bots).
• Bots – Bots are malware designed to infect a host and communicate with a handler system. Bots can also log keystrokes, gather passwords, capture and analyze packets, and more.
• Botnet – Refers to a group of zombies infected using self-propagating malware (i.e., bots) that are controlled by handlers.
• Handlers – Refers to a master command-and-control server controlling groups of zombies. The originator of a botnet can remotely control the zombies.
• Botmaster – This is the threat actor in control of the botnet and handlers.
Common Network Attacks
Example DDoS Attack

1. The threat actor builds or purchases a botnet of zombie hosts.
2. Zombie computers continue to scan and infect more targets to create more zombies.
3. When ready, the botmaster uses the handler systems to make the botnet of zombies carry out the DDoS attack on the chosen target.
Common Network Attacks
Buffer Overflow Attack
▪ The goal is to find a system memory-related flaw on
a server and exploit it.
▪ Exploiting the buffer memory by overwhelming it
with unexpected values usually renders the system
inoperable.
▪ For example:
• Threat actor enters input that is larger than
expected by the application running on a server.
• The application accepts the large amount of input
and stores it in memory.
• It consumes the associated memory buffer and
potentially overwrites adjacent memory, eventually
corrupting the system and causing it to crash.
Common Network Attacks
Evasion Methods
▪ Threat actors learned long ago that malware and attack
methods are most effective when they are undetected.
▪ Some of the evasion methods used by threat actors
include encryption and tunneling, resource exhaustion,
traffic fragmentation, protocol-level misinterpretation,
traffic substitution, traffic insertion, pivoting, and rootkits.
▪ New attack methods are constantly being developed;
therefore, network security personnel must be aware of
the latest attack methods in order to detect them.