1.2.d Classify the vectors of data loss/exfiltration
Today’s review focuses on common network attacks. More specifically, we will look at social engineering and malware as two major sources of network attacks. We will also discuss the sources of potential data loss for organizations.
It is important to understand the different types of network attacks used by hackers. To mitigate these attacks, it is useful to first categorize the various types of attacks. The most common categories of network attacks are reconnaissance attacks, access attacks, and denial of service (DoS)/distributed denial of service (DDoS) attacks.
A reconnaissance attack is an attempt to learn more about the intended victim before attempting a more intrusive attack. Hackers use reconnaissance (or recon) attacks to do unauthorized discovery and mapping of systems, services, or vulnerabilities. Tools such as information queries via the WHOIS service, ping sweeps, port scans, vulnerability scanners, and exploitation tools are common techniques used by hackers when performing reconnaissance attacks.
Video 30.1—Examples of Reconnaissance Attacks
After gathering the necessary information during the reconnaissance phase of the attack, the hacker will usually attempt to access the network. Access attacks exploit known vulnerabilities in authentication services, FTP services, and web services to gain entry to web accounts, confidential databases, and other sensitive information. The hacker’s main objectives may be to retrieve protected information, gain access to secure areas of the network, or escalate its access privileges. There are six common types of access attacks:
Password attack: A hacker attempts to discover critical system passwords using various methods, such as social engineering, dictionary attacks, brute-force attacks, or network sniffing.
Trust exploitation: A hacker uses unauthorized privileges to gain access to a system, possibly compromising the target. For example, if a DMZ device has access to the inside network, an attacker could leverage that by gaining access to the DMZ device and using that location to launch his attacks from there to the inside network.
Port redirection: A hacker uses a compromised system as a base for attacks against other targets.
Man-in-the-middle attack: An attacker places himself in line between two legitimate devices that are communicating, with the intent to perform reconnaissance or to manipulate the data as it moves between them. This can happen at Layer 2 or Layer 3. The main purpose is eavesdropping, so the attacker can see all the traffic.
Buffer overflow attack: An attacker exploits a buffer overflow vulnerability, which is a programming flaw. If a service accepts input and expects the input to be within a certain size but does not verify the size of input upon reception, it may be vulnerable to a buffer overflow attack. This means that an attacker can provide input that is larger than expected, and the service will accept the input and write it to memory, filling up the associated buffer and also overwriting adjacent memory. This overwrite may corrupt the system and cause it to crash, resulting in a DoS. In the worst cases, the attacker can inject malicious code, leading to a system compromise.
IP, MAC, DHCP spoofing: An attacker injects traffic that appears to be sourced from a system other than the attacker’s system itself. To perform MAC or IP spoofing, the attacker uses MAC or source IP addresses that are different than their real addresses. DHCP spoofing can be done with either the DHCP server or the DHCP client. To perform DHCP server spoofing, the attacker enables on a network a rogue DHCP server that will then respond to client requests with attacker-defined parameters. From the client side, an attacker can spoof many DHCP client requests, specifying a unique MAC address per request in the hope of exhausting the DHCP server’s IP address pool.
Video 30.2—Examples of Access Attacks
DoS and DDoS Attacks
DoS attacks attempt to consume all of the resources of a critical computer or network in order to make it unavailable for valid use. A DoS attack typically results in some sort of interruption of service to users, devices, or applications. Malicious hosts can also coordinate to flood a victim with an abundance of attack packets, so that the attack takes place simultaneously from potentially thousands of sources. This type of attack is called a DDoS attack. DDoS attacks typically emanate from networks of compromised systems, known as botnets. DDoS attacks can also use reflection and amplification to augment their impact on the victim. A reflection attack is a type of DoS attack in which the attacker sends a flood of protocol request packets to various IP hosts. These reflectors respond by sending response packets to a specific target, thus flooding it. In an amplification attack, a small forged packet elicits a large reply from the reflectors. Examples of DoS attacks are
Ping of death: An attacker sends a malformed or otherwise malicious ping to a network computer—in this case, a packet larger than the maximum packet size of 65,535 bytes—which then causes legacy systems to hang or crash.
Smurf attack: A hacker sends numerous ICMP echo-request packets to the broadcast address of a large network. These packets contain the victim’s address as the source IP address. Every host that belongs to the large network responds by sending ICMP echo-reply packets to the victim.
TCP SYN flood attack: An attacker exploits the TCP three-way handshake design by sending multiple TCP SYN packets with random source addresses to a victim host, forcing the host to respond and wait for an ACK packet that never arrives, thus leaving the victim with a large number of half-open TCP connections.
Video 30.3—Examples of DoS Attacks
Social engineering is an access attack that attempts to manipulate individuals into performing actions or divulging confidential information. Social engineering often relies on people’s willingness to be helpful. This attack also preys on people’s weaknesses. The following are a few of the more common types of social engineering attacks.
Phishing: This type of attack usually presents as an email message with a link that looks like a valid trusted resource to a user. When the user clicks the link, the user is prompted to disclose confidential information such as usernames/passwords, account numbers, or Social Security number.
Spear phishing: This is a targeted phishing attack that presents as an email message tailored for a specific individual or organization.
Whaling: Like spear phishing, whaling uses the concept of targeted emails; however, it increases the profile of the target. The target of a whaling attack is often one or more of the top executives of an organization.
Pharming: Whereas phishing entices the victim to a malicious website, pharming lures victims by compromising domain name services. When victims attempt to visit a legitimate website, the compromised name service instead provides the IP address of a malicious website.
Pretexting: A hacker calls an individual and lies to them in an attempt to gain access to privileged data.
Vishing: Vishing uses the same concept as phishing, except that it uses voice and the phone system as its medium instead of email.
Smishing: Smishing uses the same concept as phishing, except that it uses SMS texting as the medium instead of email.
Spam: Hackers may use spam email to trick a user into clicking an infected link or downloading an infected file.
Tailgating: A hacker quickly follows an authorized person into a secure location.
Baiting: A hacker leaves a malware-infected physical device, such as a USB flash drive, in a public location such as a corporate washroom. The finder of the device loads it onto their computer, unintentionally installing the malware.
Something for something: A hacker requests personal information from a party in exchange for something like a free gift.
Malvertising: A hacker injects malicious or malware-laden advertisements into legitimate online advertising networks and web pages.
Here are some of the security techniques and procedures that can be put into place to mitigate social engineering attacks:
Password management: Guidelines such as the number and type of characters that each password must include and how often a password must be changed.
Two-factor authentication: Combining something the user has and something the user knows to authenticate their access to the network.
Antivirus/antiphishing defenses: Both network- and host-based filtering services deployed throughout.
Change management: A well-documented change-management process describing how and when network changes can be made.
Information classification and handling: A policy that clearly sets out what information is considered sensitive and how to handle or destroy it.
Activity: Identify Network Attack Types
Malware is malicious software that comes in several forms, including the following:
Virus: Malicious code that is attached to executable files, which are often legitimate programs. Most viruses require end-user activation and can lay dormant for an extended period and then activate at a specific time or date.
Trojan horse: Malware that carries out malicious operations under the guise of a desired function. A Trojan horse comes with malicious code hidden inside of it. This malicious code exploits the privileges of the user that runs it and often creates a back door into the infected system. Often, Trojans are found attached to online games.
Worm: Malware that replicates itself by independently exploiting vulnerabilities in networks. Worms usually slow down networks.
Ransomware: Malware that denies access to the infected computer system and then demands a paid ransom for the restriction to be removed.
Spyware: Malware that is used to gather information about a user and send the information to another entity, without the user’s consent.
Adware: Malware that typically displays annoying pop-ups to generate revenue for its author.
Scareware: Malware that includes scam software that uses social engineering to shock or induce anxiety by creating the perception of a threat. It is generally directed at an unsuspecting user.
Video 30.4—Examples of Malware Attacks
Data is likely to be an organization’s most valuable asset. Data loss or data exfiltration is when data is intentionally or unintentionally lost, stolen, or leaked to the outside world. Common vectors of data loss and exfiltration include the following:
Email attachments: Email attachments often contain sensitive information, such as confidential corporate, customer, and personal data, that could be intercepted as it leaves the corporate network.
Unencrypted devices: Smartphones and other personal devices are often protected only with a password. Employees sometimes send sensitive company information to these devices without using encryption.
Cloud storage devices: Saving data to the cloud has many potential benefits. However, sensitive data can be lost if access to the cloud is compromised due to weak security settings.
Removable media: Putting sensitive data on a removable storage device, such as a USB memory stick, may pose more of a threat than putting that data on a smartphone. Such devices are not only easily lost or stolen; they also typically do not have passwords, encryption, or any other protection for the data they contain.
Hard copy: Corporate data should be disposed of thoroughly. For example, confidential data should be shredded when no longer required.
Improper access control: Passwords are the first line of defense. Stolen passwords or weak passwords that have been compromised can provide an attacker easy access to corporate data.
For today’s exam topics, refer to the following resources for more study.