CHAPTER 2 Edited

Uploaded by zinabuu7263

Chapter Two

Attack Types and Protection Schemes

Security Attacks
• Without security measures and controls in place, your data might be subjected to an attack.
• An attack is an assault on system security that derives from an intelligent threat.
• An attack is a deliberate unauthorized action on a system or asset and can be classified as an active or a passive attack.
• It is an act or action that exploits a vulnerability (i.e., an identified weakness) in a controlled system.
• Any kind of malicious activity that attempts to collect, disrupt, deny, degrade, or destroy information system resources or the information itself.
• It is accomplished by a threat agent that damages or steals the organization's information.
Cont…
Information should be delivered to the intended person while preserving the authenticity of the data, i.e., that it really comes from the right person.

Cont…
• There are two main types of network attacks:
  - Passive: Attackers gain access to a network and can monitor or steal sensitive information, but without making any change to the data, leaving it intact.
  - A passive attack attempts to learn or make use of information from the system but does not affect system resources.
  - Active: Attackers not only gain unauthorized access but also modify data, either deleting, encrypting or otherwise harming it.
  - An active attack attempts to alter system resources or affect their operation.

Passive Attacks
• Interception: a type of attack that is carried out without the permission or knowledge of the users. It breaks the confidentiality rule among the principles of security.
• It is further categorized into sub-types:
  - Release of message contents: a telephone conversation, an electronic mail message, or a transferred file may contain sensitive or confidential information. When you send a message to your friend, you want only that person to be able to read the message.
  - Using certain security mechanisms, such as encryption, we can prevent the release of message contents.
Passive Attacks…
• Traffic analysis
  - Suppose that we had a way of masking (encrypting) information, so that even if the attacker captured the message, they could not extract any information from it.
  - The opponent could still determine the location and identity of the communicating hosts and could observe the frequency and length of the messages being exchanged. This information might be useful in guessing the nature of the communication that was taking place.

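The point above, that encryption hides what is said but not how much or how often, is easy to demonstrate. The following Python example is added here and is not from the slides; its stream cipher is a toy built from HMAC-SHA256 that stands in for a real one (an assumption for the demo), and the three sample messages are constructed. It shows that ciphertext lengths mirror plaintext lengths, and that padding every message to a fixed bucket size removes that signal.

```python
import hashlib
import hmac

# Constructed sample messages (not from the slides): two one-word replies and
# one long instruction. Their sizes differ even when their content is hidden.
SAMPLE_MESSAGES = [
    b"yes",
    b"no",
    b"Transfer approved for account 4471, see attached report.",
]


def toy_stream_encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR the data with an HMAC-SHA256 keystream.

    Assumption: this stands in for a real stream cipher (AES-CTR, ChaCha20)
    only to show the length property; do not use it for real traffic.
    Because XOR is its own inverse, calling it twice with the same key and
    nonce recovers the plaintext.
    """
    keystream = bytearray()
    counter = 0
    while len(keystream) < len(data):
        block = hmac.new(key, nonce + counter.to_bytes(8, "big"),
                         hashlib.sha256).digest()
        keystream.extend(block)
        counter += 1
    return bytes(p ^ k for p, k in zip(data, keystream))


def pad_to_bucket(plaintext: bytes, bucket: int) -> bytes:
    """Frame the message as 2-byte length + data, then zero-fill up to the
    next multiple of `bucket` bytes, so all short messages look alike."""
    if len(plaintext) > 0xFFFF:
        raise ValueError("message too long for a 2-byte length prefix")
    framed = len(plaintext).to_bytes(2, "big") + plaintext
    fill = (-len(framed)) % bucket
    return framed + b"\x00" * fill


def unpad(padded: bytes) -> bytes:
    """Inverse of pad_to_bucket: read the length prefix and drop the fill."""
    n = int.from_bytes(padded[:2], "big")
    return padded[2:2 + n]


def observed_lengths(messages, key: bytes, nonce: bytes, bucket: int = 0):
    """What a passive observer on the wire learns: only ciphertext sizes.
    With bucket=0 messages are encrypted as-is; otherwise they are padded."""
    sizes = []
    for i, m in enumerate(messages):
        body = pad_to_bucket(m, bucket) if bucket else m
        # A per-message nonce (here: the index byte) keeps keystreams distinct.
        ct = toy_stream_encrypt(key, nonce + bytes([i]), body)
        sizes.append(len(ct))
    return sizes


if __name__ == "__main__":
    key, nonce = b"constructed-demo-key", b"demo-nonce"
    print("unpadded:", observed_lengths(SAMPLE_MESSAGES, key, nonce))
    print("padded:  ", observed_lengths(SAMPLE_MESSAGES, key, nonce, bucket=64))
```

Padding only blurs the size signal; the frequency and timing of messages, the other thing the slide says an observer learns, need separate measures such as sending at a constant rate.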
Passive Attacks…
• Sniffing
  - A packet sniffing attack, or simply a sniffing attack, is a cyber-attack that involves intercepting and misusing content (like reading sensitive data) passing through a network in the form of packets.
  - Unencrypted email communications, login passwords, and financial information are common targets for a packet sniffing attack.
  - Besides this, an attacker may also use sniffing tools to hijack packets by injecting malicious code into the packet itself, which executes once it reaches the target device.
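A defender's counterpart to the sniffing attack is a network monitor that flags credentials crossing the wire in cleartext, so the affected service can be moved behind TLS before anyone captures them. The following Python example is added here and is not from the slides; the four packet records are constructed, and the port list and patterns are assumptions for the demo. It reports where a cleartext credential was seen without copying the credential itself into the alert.

```python
import re

# Constructed packet records (not real traffic): (destination port, payload).
SAMPLE_PACKETS = [
    (80, b"POST /login HTTP/1.1\r\nHost: intranet.example\r\n\r\n"
         b"user=alice&password=hunter2"),
    (443, b"\x16\x03\x01\x02\x00\x01\x00\x01\xfc\x03\x03"),   # TLS record: opaque to us
    (80, b"GET /index.html HTTP/1.1\r\n"
         b"Authorization: Basic YWxpY2U6aHVudGVyMg==\r\n\r\n"),
    (25, b"AUTH PLAIN AGFsaWNlAGh1bnRlcjI=\r\n"),
]

# Assumption: ports whose protocols carry credentials unencrypted by default.
CLEARTEXT_PORTS = {21, 23, 25, 80, 110, 143}

# Patterns match the *shape* of a credential submission, never its value.
PATTERNS = [
    ("http-form-password",
     re.compile(rb"(?:^|[&?\r\n])(?:password|passwd|pwd)=", re.I)),
    ("http-basic-auth", re.compile(rb"Authorization:\s*Basic\s+", re.I)),
    ("smtp-auth-plain", re.compile(rb"^AUTH\s+(?:PLAIN|LOGIN)\b", re.I | re.M)),
]


def find_cleartext_credentials(packets):
    """Return (packet index, port, finding name) for each credential seen in
    the clear. Traffic on other ports (e.g. 443) is skipped, and nothing from
    the payload is copied into the result, so the alert log holds no secrets."""
    findings = []
    for idx, (port, payload) in enumerate(packets):
        if port not in CLEARTEXT_PORTS:
            continue
        for name, pattern in PATTERNS:
            if pattern.search(payload):
                findings.append((idx, port, name))
    return findings


if __name__ == "__main__":
    for idx, port, name in find_cleartext_credentials(SAMPLE_PACKETS):
        print(f"packet {idx}: {name} on port {port}")
```

Each finding is a service to fix (enable TLS, or retire the protocol), not a user to blame; the encoded values in the sample are only there so the matcher has something realistic to skip over.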
Passive Attacks…
• Keylogger
  - A keylogger, sometimes called a keystroke logger or keyboard capture, is a type of surveillance technology used to monitor and record each keystroke on a specific computer.
  - Keyloggers are often used as a spyware tool by cybercriminals to steal personally identifiable information (PII), login credentials and sensitive enterprise data.
  - Some uses of keyloggers could be considered ethical or appropriate in varying degrees.
  - Keylogger recorders may also be used by: employers to observe employees' computer activities; parents to supervise their children's internet usage; device owners to track possible unauthorized activity.
Active Attacks
• Masquerade/Fabrication
  - A masquerade takes place when one entity pretends to be a different entity.
  - Insertion of messages into the network from a fraudulent source.
  - For example, if a person knows your user name and password, he can pretend to be you and communicate with your manager.

Cont…
• Replay
  - Replay involves the passive capture of a data unit and its subsequent retransmission to produce an unauthorized effect.
  - It involves the re-use of captured data at a later time than originally intended in order to repeat some action of benefit to the attacker: for example, the capture and replay of an instruction to transfer funds from a bank account into one under the control of an attacker.
  - The delay or repeat of the data transmission is carried out by the sender or by the malicious entity, who intercepts the data and retransmits it.

Cont…
• Modification of messages
  - Modification of messages simply means that some portion of a legitimate message is altered, or that messages are delayed or reordered, to produce an unauthorized effect.
  - E.g., a message meaning "Allow John Smith to read confidential file accounts" is modified to mean "Allow Fred Brown to read the confidential file accounts".

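Both replay (the previous slide) and modification of messages are defeated by the same two additions to a message: an integrity tag the attacker cannot recompute, and a per-message sequence number the receiver will not accept twice or out of order. The following Python example is added here and is not from the slides. It uses HMAC-SHA256 over the sequence number and body with a constructed shared key (an assumption), and plays the deck's own "John Smith" to "Fred Brown" alteration and a replayed funds transfer against the receiver to show both being rejected.

```python
import hashlib
import hmac

# Assumption: sender and receiver share this key out of band (constructed).
SHARED_KEY = b"constructed-demo-key"


def _tag(key: bytes, seq: int, body: str) -> str:
    """HMAC over seq || body. The '|' separator keeps 1|"2x" distinct from 12|"x"."""
    return hmac.new(key, f"{seq}|{body}".encode(), hashlib.sha256).hexdigest()


def make_message(key: bytes, seq: int, body: str) -> dict:
    """Sender side: attach a sequence number and an authentication tag."""
    return {"seq": seq, "body": body, "tag": _tag(key, seq, body)}


class Receiver:
    """Accepts each message once, in order, only if its tag verifies."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_seq = -1          # highest sequence number accepted so far
        self.accepted = []          # bodies that passed both checks

    def accept(self, msg: dict) -> str:
        # 1. Integrity: recompute the tag; compare_digest avoids timing leaks.
        expected = _tag(self.key, msg["seq"], msg["body"])
        if not hmac.compare_digest(expected, msg["tag"]):
            return "rejected: tag mismatch (modified)"
        # 2. Freshness: a sequence number at or below the last accepted one is
        #    a replay or a delayed/reordered message.
        if msg["seq"] <= self.last_seq:
            return "rejected: stale sequence number (replay)"
        self.last_seq = msg["seq"]
        self.accepted.append(msg["body"])
        return "accepted"


def demo() -> list:
    """Run the deck's two scenarios against one receiver; return the outcomes."""
    rx = Receiver(SHARED_KEY)
    results = []

    # Legitimate message 0 is accepted.
    m0 = make_message(SHARED_KEY, 0, "Allow John Smith to read confidential file accounts")
    results.append(rx.accept(m0))

    # Modification: the body is altered in transit, but the tag cannot be
    # recomputed without the key, so verification fails.
    altered = dict(m0, body="Allow Fred Brown to read confidential file accounts")
    results.append(rx.accept(altered))

    # Replay: message 1 is captured and sent again unchanged; its tag is valid
    # but its sequence number has already been consumed.
    m1 = make_message(SHARED_KEY, 1, "Transfer 500 from account A to account B")
    results.append(rx.accept(m1))
    results.append(rx.accept(m1))

    # A later, untouched message still goes through.
    results.append(rx.accept(make_message(SHARED_KEY, 2, "Close ticket 42")))
    return results


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

Strict ordering also rejects datagrams that were merely reordered in transit; protocols that must tolerate that (IPsec, for instance) keep a sliding window of recently seen sequence numbers instead of a single counter. Note that this scheme protects integrity and freshness only; confidentiality still needs encryption.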
Cont…
• Denial of Service: It prevents or inhibits the normal use or management of communications facilities.
  - A denial of service (DoS) attack is an attempt to prevent legitimate users of a service from using that service.
  - Ex. An entity may suppress all messages directed to a particular destination (e.g., the security audit service). Another form of service denial is the disruption of an entire network, either by disabling the network or by overloading it with messages so as to degrade performance.

Active Attacks Vs Passive Attacks
• In active attacks, modification of messages is done, but on the other hand, in passive attacks, the information remains unchanged.
• The active attack causes damage to the integrity and availability of the system, but passive attacks cause damage to data confidentiality.
• In active attacks, attention is given to detection, while in passive attacks, attention is given to prevention.
• The resources can be changed in active attacks, but passive attacks have no impact on the resources.
• Active attacks influence the system services, whereas in passive attacks the information or data is acquired.
• Active attacks are challenging to prohibit, but passive attacks are easy to prevent.
Security Controls
• Computer security control is often divided into three distinct master categories, commonly referred to as controls:
  - Physical
  - Technical
  - Administrative
• These three broad categories define the main objectives of proper security implementation. Within these controls are sub-categories that further detail the controls and how to implement them.
Physical Controls
Physical control is the implementation of security measures in a defined structure used to detect or prevent unauthorized access to sensitive material. Examples of physical controls are:
• Closed-circuit surveillance cameras
• Motion or thermal alarm systems
• Security guards
• Picture IDs
• Biometrics (includes fingerprint, voice, face, iris, handwriting, and other automated methods used to recognize individuals)
Technical Controls
Technical controls use technology as a basis for controlling the access and usage of sensitive data throughout a physical structure and over a network. Technical controls are far-reaching in scope and encompass such technologies as:
• Encryption
• Smart cards
• Network authentication
• Access control lists (ACLs)
• File integrity auditing software

Administrative Controls
Administrative controls define the human factors of security. They involve all levels of personnel within an organization and determine which users have access to what resources and information by such means as:
• Training and awareness
• Disaster preparedness and recovery plans
• Personnel recruitment and separation strategies
• Personnel registration and accounting
Threat Vs Attacks
• The main difference between a threat and an attack is that a threat can be either intentional or unintentional, whereas an attack is intentional.
• A threat is a circumstance that has the potential to cause loss or damage, whereas an attack is an attempt to cause damage.
• A threat to the information system doesn't mean information was altered or damaged, but an attack on the information system means there might be a chance to alter, damage, or obtain information when the attack is successful.
• A security threat is the expressed potential for the occurrence of an attack.
• A security attack is an action taken against a target with the intention of doing harm.
Social Engineering
• Social engineering is the tactic of manipulating, influencing, or deceiving a victim in order to gain control over a computer system, or to steal personal and financial information.
• It uses psychological manipulation to trick users into making security mistakes or giving away sensitive information.
• Social engineering attacks come in many different forms and can be performed anywhere human interaction is involved.
Types of Social Engineering Attacks
• Phishing: The process of attempting to acquire sensitive information such as usernames, passwords, and credit card details by masquerading as a trustworthy entity using bulk email, SMS text messaging, or the phone.
• Phishing messages create a sense of urgency, curiosity, or fear in the recipients of the message.
• The message will prod victims into revealing sensitive information, clicking on links to malicious websites, or opening attachments that contain malware.
Phishing
• Angler phishing: phishing attacks carried out via spoof customer service accounts on social media.
• Pharming: redirecting web traffic from legitimate sites to malicious clones.
• BEC (business email compromise): emails purporting to be from senior members of staff.
• Spear phishing: phishing attacks targeting specific organizations or individuals.
• Whaling/CEO fraud: targeted phishing attacks aimed at high-profile individuals, such as board members.

Cont…
• Honey trap: attackers pretend to be romantically or sexually interested in the victim to persuade them to yield sensitive information or money.
• Scareware: a form of malicious software, usually in the form of a pop-up, that warns your security software is out of date or that malicious content has been detected on your machine, and that fools victims into visiting malicious websites or buying worthless products.
• Vishing/voice phishing: a form of targeted social engineering attack that uses the phone. Types of vishing attack include recorded messages telling recipients their bank accounts have been compromised.
• Victims are then prompted to enter their details via their phone's keypad, thereby giving access to their accounts.

Security Threats
• A security threat is a malicious act that aims to corrupt or steal data or disrupt an organization's systems or the entire organization.
• A security event refers to an occurrence during which company data or its network may have been exposed.
• An event that results in a data or network breach is called a security incident.
Types of information security threats
• Insider threats
  - An insider threat occurs when individuals close to an organization who have authorized access to its network intentionally or unintentionally misuse that access to negatively affect the organization's critical data or systems.
  - Careless employees who don't comply with their organization's business rules and policies cause insider threats.
  - For example, they may inadvertently email customer data to external parties, click on phishing links in emails or share their login information with others.
How to prevent insider threats
• Limit employees' access to only the specific resources they need to do their jobs.
• Train new employees and contractors on security awareness before allowing them to access the network.
• Set up contractors and other freelancers with temporary accounts that expire on specific dates, such as the dates their contracts end.
• Implement two-factor authentication, which requires each user to provide a second piece of identifying information in addition to a password.
• Install employee monitoring software to help reduce the risk of data breaches and the theft of intellectual property by identifying careless, disgruntled or malicious insiders.
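The technical controls slide lists access control lists and network authentication, and the insider-threat slide above turns them into concrete rules: least privilege, accounts that expire with the contract, and a second factor. The following Python example is added here and is not from the slides; the roles, accounts, resources and dates are all constructed. It makes one authorization decision from all three rules and keeps a log of denials for the monitoring the last bullet asks for.

```python
from datetime import date

# Constructed policy (not from the slides): which resources each role may use.
ROLE_RESOURCES = {
    "payroll_clerk":  {"payroll_db", "hr_wiki"},
    "contractor_dev": {"source_repo"},
}

# Constructed accounts. `expires` is None for staff and the contract end date
# for contractors, as the slide recommends.
ACCOUNTS = {
    "alice": {"role": "payroll_clerk",  "expires": None,               "mfa_enrolled": True},
    "bob":   {"role": "contractor_dev", "expires": date(2024, 6, 30),  "mfa_enrolled": True},
    "carol": {"role": "contractor_dev", "expires": date(2024, 12, 31), "mfa_enrolled": False},
}

DENIAL_LOG = []   # (date, user, resource, reason) for the security team to review


def authorize(user: str, resource: str, today: date, second_factor_ok: bool) -> str:
    """Decide one access request. Checks run from cheapest to most specific,
    and every denial is logged with its reason (never with any credential)."""
    acct = ACCOUNTS.get(user)
    if acct is None:
        reason = "unknown account"
    elif acct["expires"] is not None and today > acct["expires"]:
        reason = "account expired"                      # contractor past end date
    elif not acct["mfa_enrolled"] or not second_factor_ok:
        reason = "second factor required"               # two-factor authentication
    elif resource not in ROLE_RESOURCES.get(acct["role"], set()):
        reason = "not permitted for role"               # least privilege / ACL
    else:
        return "allow"
    DENIAL_LOG.append((today, user, resource, reason))
    return f"deny: {reason}"


def repeated_denials(log, threshold: int = 3):
    """Users with `threshold` or more denials: a cheap signal for the
    monitoring bullet (careless or probing insiders stand out)."""
    counts = {}
    for _, user, _, _ in log:
        counts[user] = counts.get(user, 0) + 1
    return sorted(u for u, n in counts.items() if n >= threshold)


def demo_decisions() -> list:
    """Replay a constructed day of requests and return the decisions."""
    DENIAL_LOG.clear()
    day = date(2024, 7, 1)
    return [
        authorize("alice", "payroll_db", day, True),     # allow
        authorize("alice", "source_repo", day, True),    # deny: not permitted for role
        authorize("bob", "source_repo", day, True),      # deny: account expired
        authorize("carol", "source_repo", day, True),    # deny: second factor required
        authorize("alice", "payroll_db", day, False),    # deny: second factor required
        authorize("mallory", "payroll_db", day, True),   # deny: unknown account
    ]


if __name__ == "__main__":
    for decision in demo_decisions():
        print(decision)
    print("users with repeated denials:", repeated_denials(DENIAL_LOG, threshold=2))
```

The order of checks matters: an expired contractor is refused before the second factor is even asked for, and the role check comes last so that the denial log says precisely which rule fired. A real deployment would read the policy from a directory rather than a dictionary, but the decision logic is the same.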
Cont…
• Viruses and worms
  - Viruses and worms are malicious software programs (malware) aimed at destroying an organization's systems, data and network.
  - A computer virus is malicious code that replicates by copying itself to another program, system or host file.
  - It remains dormant until someone knowingly or inadvertently activates it, spreading the infection without the knowledge or permission of a user or system administrator.
  - A computer worm is a self-replicating program that doesn't have to copy itself to a host program or require human interaction to spread.
  - Its main function is to infect other computers while remaining active on the infected system.
Cont…
• A worm can self-replicate and spread to other computers, while a virus cannot. A virus needs to be sent from one computer to another by a user or via software.
• To reduce the risk of these types of information security threats caused by viruses or worms, companies should install antivirus and antimalware software on all their systems and networked devices and keep that software up to date.
• In addition, organizations must train users not to download attachments or click on links in emails from unknown senders and to avoid downloading free software from untrusted websites.
Cont…
• Botnets
  - A botnet is a collection of Internet-connected devices, including PCs, mobile devices, servers and IoT devices, that are infected and remotely controlled by a common type of malware.
  - Typically, the botnet malware searches for vulnerable devices across the internet. The goal of the threat actor creating a botnet is to infect as many connected devices as possible.

Drive-by download attacks
• In a drive-by download attack, malicious code is downloaded from a website via a browser, application or integrated OS without a user's permission or knowledge.
• A user doesn't have to click on anything to activate the download. Just accessing or browsing a website can start a download.
• Cybercriminals can use drive-by downloads to inject banking Trojans, steal and collect personal information as well as introduce exploit kits or other malware to endpoints.
• Users should also be warned to stay away from insecure websites. Installing security software that actively scans websites can help protect endpoints from drive-by downloads.
Cont…
• Ransomware
  - In a ransomware attack, the victim's computer is locked, typically by encryption, which keeps the victim from using the device or the data that's stored on it.
  - To regain access to the device or data, the victim has to pay the hacker a ransom, typically in a virtual currency such as Bitcoin.
  - Ransomware can be spread via malicious email attachments, infected software apps, infected external storage devices and compromised websites.
  - Users should regularly back up their computing devices and update all software, including antivirus software. Users should avoid clicking on links in emails or opening email attachments from unknown sources. Victims should do everything possible to avoid paying the ransom.
Malvertising
• Malvertising is a technique cybercriminals use to inject malicious code into legitimate online advertising networks and web pages. This code typically redirects users to malicious websites or installs malware on their computers or mobile devices. Users' machines may get infected even if they don't click on anything to start the download.
• Cybercriminals may use malvertising to deploy a variety of moneymaking malware, including cryptomining scripts, ransomware and banking Trojans.
Thank You