Day 30. Common Security Threats

• 1.2.a Identify common network attacks
• 1.2.b Describe social engineering
• 1.2.c Identify malware
• 1.2.d Classify the vectors of data loss/exfiltration

Video 30.1—Examples of Reconnaissance Attacks

• Password attack: A hacker attempts to discover critical system passwords using various methods, such as social engineering, dictionary attacks, brute-force attacks, or network sniffing.
• Trust exploitation: A hacker uses unauthorized privileges to gain access to a system, possibly compromising the target. For example, if a DMZ device has access to the inside network, an attacker could leverage that by gaining access to the DMZ device and using that location to launch his attacks from there to the inside network.
• Port redirection: A hacker uses a compromised system as a base for attacks against other targets.
• Man-in-the-middle attack: An attacker places himself in line between two legitimate devices that are communicating, with the intent to perform reconnaissance or to manipulate the data as it moves between them. This can happen at Layer 2 or Layer 3. The main purpose is eavesdropping, so the attacker can see all the traffic.
• Buffer overflow attack: An attacker exploits a buffer overflow vulnerability, which is a programming flaw. If a service accepts input and expects the input to be within a certain size but does not verify the size of input upon reception, it may be vulnerable to a buffer overflow attack. This means that an attacker can provide input that is larger than expected, and the service will accept the input and write it to memory, filling up the associated buffer and also overwriting adjacent memory. This overwrite may corrupt the system and cause it to crash, resulting in a DoS. In the worst cases, the attacker can inject malicious code, leading to a system compromise.
• IP, MAC, DHCP spoofing: An attacker injects traffic that appears to be sourced from a system other than the attacker’s system itself. To perform MAC or IP spoofing, the attacker uses MAC or source IP addresses that are different than their real addresses. DHCP spoofing can be done with either the DHCP server or the DHCP client. To perform DHCP server spoofing, the attacker enables on a network a rogue DHCP server that will then respond to client requests with attacker-defined parameters. From the client side, an attacker can spoof many DHCP client requests, specifying a unique MAC address per request in the hope of exhausting the DHCP server’s IP address pool.

Video 30.2—Examples of Access Attacks

• Ping of death: An attacker sends a malformed or otherwise malicious ping to a network computer—in this case, a packet larger than the maximum packet size of 65,535 bytes—which then causes legacy systems to hang or crash.
• Smurf attack: A hacker sends numerous ICMP echo-request packets to the broadcast address of a large network. These packets contain the victim’s address as the source IP address. Every host that belongs to the large network responds by sending ICMP echo-reply packets to the victim.
• TCP SYN flood attack: An attacker exploits the TCP three-way handshake design by sending multiple TCP SYN packets with random source addresses to a victim host, forcing the host to respond and wait for an ACK packet that never arrives, thus leaving the victim with a large number of half-open TCP connections.

Video 30.3—Examples of DoS Attacks

• Phishing: This type of attack usually presents as an email message with a link that looks like a valid trusted resource to a user. When the user clicks the link, the user is prompted to disclose confidential information such as usernames/passwords, account numbers, or Social Security number.
• Spear phishing: This is a targeted phishing attack that presents as an email message tailored for a specific individual or organization.
• Whaling: Like spear phishing, whaling uses the concept of targeted emails; however, it increases the profile of the target. The target of a whaling attack is often one or more of the top executives of an organization.
• Pharming: Whereas phishing entices the victim to a malicious website, pharming lures victims by compromising domain name services. When victims attempt to visit a legitimate website, the compromised name service instead provides the IP address of a malicious website.
• Pretexting: A hacker calls an individual and lies to them in an attempt to gain access to privileged data.
• Vishing: Vishing uses the same concept as phishing, except that it uses voice and the phone system as its medium instead of email.
• Smishing: Smishing uses the same concept as phishing, except that it uses SMS texting as the medium instead of email.
• Spam: Hackers may use spam email to trick a user into clicking an infected link or downloading an infected file.
• Tailgating: A hacker quickly follows an authorized person into a secure location.
• Baiting: A hacker leaves a malware-infected physical device, such as a USB flash drive, in a public location such as a corporate washroom. The finder of the device loads it onto their computer, unintentionally installing the malware.
• Something for something: A hacker requests personal information from a party in exchange for something like a free gift.
• Malvertising: A hacker injects malicious or malware-laden advertisements into legitimate online advertising networks and web pages.

• Password management: Guidelines such as the number and type of characters that each password must include and how often a password must be changed.
• Two-factor authentication: Combining something the user has and something the user knows to authenticate their access to the network.
• Antivirus/antiphishing defenses: Both network- and host-based filtering services deployed throughout.
• Change management: A well-documented change-management process describing how and when network changes can be made.
• Information classification and handling: A policy that clearly sets out what information is considered sensitive and how to handle or destroy it.

Activity: Identify Network Attack Types

• Virus: Malicious code that is attached to executable files, which are often legitimate programs. Most viruses require end-user activation and can lay dormant for an extended period and then activate at a specific time or date.
• Trojan horse: Malware that carries out malicious operations under the guise of a desired function. A Trojan horse comes with malicious code hidden inside of it. This malicious code exploits the privileges of the user that runs it and often creates a back door into the infected system. Often, Trojans are found attached to online games.
• Worm: Malware that replicates itself by independently exploiting vulnerabilities in networks. Worms usually slow down networks.
• Ransomware: Malware that denies access to the infected computer system and then demands a paid ransom for the restriction to be removed.
• Spyware: Malware that is used to gather information about a user and send the information to another entity, without the user’s consent.
• Adware: Malware that typically displays annoying pop-ups to generate revenue for its author.
• Scareware: Malware that includes scam software that uses social engineering to shock or induce anxiety by creating the perception of a threat. It is generally directed at an unsuspecting user.

Video 30.4—Examples of Malware Attacks

• Email attachments: Email attachments often contain sensitive information, such as confidential corporate, customer, and personal data, that could be intercepted as it leaves the corporate network.
• Unencrypted devices: Smartphones and other personal devices are often protected only with a password. Employees sometimes send sensitive company information to these devices without using encryption.
• Cloud storage devices: Saving data to the cloud has many potential benefits. However, sensitive data can be lost if access to the cloud is compromised due to weak security settings.
• Removable media: Putting sensitive data on a removable storage device, such as a USB memory stick, may pose more of a threat than putting that data on a smartphone. Such devices are not only easily lost or stolen; they also typically do not have passwords, encryption, or any other protection for the data they contain.
• Hard copy: Corporate data should be disposed of thoroughly. For example, confidential data should be shredded when no longer required.
• Improper access control: Passwords are the first line of defense. Stolen passwords or weak passwords that have been compromised can provide an attacker easy access to corporate data.

Check Your Understanding