Chapter Two: Malicious Attacks, Threats, and Vulnerabilities
Dr. Musaab Riyadh Abdulrazzaq, Mustansiriyah University, College of Science, Computer Dept.
Chapter 2 Topics
This chapter covers the following topics and concepts:
• What you are trying to protect
• Whom you are trying to catch
• What kinds of tools are used to attack computer systems
• What a security breach is
• What risks, vulnerabilities, and threats are
• What malware is
• What a malicious software attack is
• What a social engineering attack is
• What a wireless network attack is
• What a web application attack is
• What countermeasures are
Malicious Attacks, Threats, and Vulnerabilities
• Malicious attacks result in billions of dollars in damages each year.
• In most cases, the only people who ever know about these attacks are security professionals and IT personnel. Security professionals are responsible for protecting their systems from threats and for handling malicious attacks when they do occur.
• Many companies and individuals are working hard to protect IT assets from attacks.
• In this chapter, you will learn how to identify security vulnerabilities, protect your organization from threats, and keep your computers safe from malicious attacks.
What Are You Trying to Protect?
• Customer data: Name, address, phone, Social Security number (SSN), date of birth, cardholder data, protected health care information.
• IT assets and network infrastructure: Hardware, software, and services.
• Intellectual property: Sensitive data such as patents, source code, formulas, or engineering plans.
• Finances and financial data: Bank accounts, credit card data, and financial transaction data.
• Service availability and productivity: The ability of computing services and software to support productivity for humans and machinery.
Whom Are You Trying to Catch?
Black-hat hackers: try to break IT security and gain access to systems without authorization in order to prove technical prowess. Black-hat hackers generally develop and use special software tools to exploit vulnerabilities. They exploit holes in systems but generally do not disclose the vulnerabilities they find to the administrators of those systems. They tend to promote the free and open use of computing resources as opposed to the notion of security.
White-hat hackers or ethical hackers: information systems security professionals who have authorization to identify vulnerabilities and perform penetration testing. The difference between white-hat and black-hat hackers is that white-hat hackers identify weaknesses for the purpose of fixing them, whereas black-hat hackers find weaknesses just for the fun of it or to exploit them.
Hackers are different from crackers. A cracker has hostile intent, possesses sophisticated skills, and may be interested in financial gain. Crackers represent the greatest threat to networks and information resources.
Attack Tools
Computer criminals and cyber attackers use a number of hardware and software tools to discover exploitable weaknesses, and other tools to perform the actual attack. These tools and techniques can include the following:
• Protocol analyzers: Software or hardware that enables a computer to monitor and capture network traffic. A protocol analyzer decodes the frame and IP data packet, allowing you to see data in clear text if it has not been encrypted.
• Port scanners: A tool used to scan IP host devices for open ports that have been enabled. For example, port 80 is for HTTP web traffic, and port 21 is File Transfer Protocol (FTP). Port scanners are used to identify open ports or applications and services that are enabled on the IP host device. This provides attackers with valuable information that can be used in the attack.
• OS fingerprint scanners: A software program that allows an attacker to send a variety of packets to an IP host device, hoping to determine the target device's operating system (OS) from the responses. When the host responds, the scanner can guess which operating system is installed. Once an attacker knows which OS and version is installed, he has a better chance of using applicable software vulnerabilities and exploits.
• Vulnerability scanners: A software program used to identify and, when possible, verify vulnerabilities on an IP host device. The scanner compares what it has just found against the known software vulnerabilities in its database, then lists all known vulnerabilities and prioritizes them as critical, major, or minor.
• Password crackers: A software program that performs brute-force password attacks to gain unauthorized access to a system or to recover stored passwords.
• Keystroke loggers: A type of surveillance software or hardware that records to a log file every keystroke a user makes on a keyboard. Employers might use keystroke loggers to ensure that employees use work computers for business purposes only. However, spyware can also include keystroke-logger software that transmits information such as passwords to an unknown third party.
What Is a Security Breach?
In spite of the most aggressive steps to protect computers from attacks, attackers sometimes get through. Any event that results in a violation of any of the confidentiality, integrity, or availability (CIA) security tenets is a security breach. Activities that can cause a security breach include the following:
• Denial of service (DoS) attacks: A DoS attack is a coordinated attempt to deny service by occupying a computer with large amounts of unnecessary tasks. This excessive activity makes the system unavailable to perform legitimate operations.
• Distributed denial of service (DDoS) attacks: A DDoS attack overloads computers and prevents legitimate users from gaining access. DDoS attacks differ from regular DoS attacks in their scope. In a DDoS attack, attackers hijack hundreds of Internet computers, planting automated attack agents on those systems. The attacker then instructs the agents to bombard the target site with forged messages. This overloads the site and blocks legitimate traffic.
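The port scanners listed under Attack Tools and the DoS floods just described both leave a recognizable pattern in firewall logs, which is where a defender usually first sees them. The following is an added example, not part of the lecture, showing how to flag both from log lines: one source touching many distinct destination ports within a short window (a scan), or one source producing an abnormal volume of entries in that window (a flood). The log format, thresholds, addresses, and sample lines are all constructed for this example.

```python
"""Rate-based detection of two breach precursors in firewall log lines:
a port scan (one source probing many distinct ports) and a DoS-style flood
(one source sending an abnormal volume of traffic in a short window).
Log format, thresholds and sample lines are constructed for this example."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed (hypothetical) log format:
# 2024-03-01T10:00:00 DENY src=203.0.113.5 dst=192.0.2.10 dport=22 proto=tcp
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)

WINDOW = timedelta(seconds=60)
SCAN_PORT_THRESHOLD = 10    # distinct destination ports from one source per window
FLOOD_COUNT_THRESHOLD = 50  # log entries from one source per window


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything unparsable."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    rec["dport"] = int(rec["dport"])
    return rec


def detect(lines):
    """Map each suspicious source IP to the set of findings raised for it."""
    events = [r for r in (parse_line(l) for l in lines) if r]
    events.sort(key=lambda r: r["ts"])
    by_src = defaultdict(list)
    for r in events:
        by_src[r["src"]].append(r)

    findings = defaultdict(set)
    for src, recs in by_src.items():
        start = 0
        for end in range(len(recs)):
            # slide the window start forward until it spans at most WINDOW
            while recs[end]["ts"] - recs[start]["ts"] > WINDOW:
                start += 1
            window = recs[start:end + 1]
            if len({r["dport"] for r in window}) >= SCAN_PORT_THRESHOLD:
                findings[src].add("port_scan")
            if len(window) >= FLOOD_COUNT_THRESHOLD:
                findings[src].add("flood")
    return dict(findings)


def sample_log():
    """Constructed log: one scanner, one flooder, one ordinary client."""
    base = datetime(2024, 3, 1, 10, 0, 0)
    fmt = "{ts} {act} src={src} dst=192.0.2.10 dport={port} proto=tcp"
    lines = []
    for i in range(12):   # 12 distinct ports in 12 seconds
        lines.append(fmt.format(ts=(base + timedelta(seconds=i)).isoformat(),
                                act="DENY", src="203.0.113.5", port=20 + i))
    for i in range(60):   # 60 hits on port 80 within 30 seconds
        lines.append(fmt.format(ts=(base + timedelta(seconds=i // 2)).isoformat(),
                                act="ALLOW", src="198.51.100.7", port=80))
    for i in range(3):    # 3 hits on 443 spread over 10 minutes
        lines.append(fmt.format(ts=(base + timedelta(minutes=5 * i)).isoformat(),
                                act="ALLOW", src="192.0.2.50", port=443))
    return lines


if __name__ == "__main__":
    for src, kinds in sorted(detect(sample_log()).items()):
        print(f"{src}: {', '.join(sorted(kinds))}")
```

The two thresholds are deliberately separate: a scan is about breadth (many ports, few packets each), a flood about volume (one port, many packets), so a single packet-count rule would miss the scanner and a single distinct-port rule would miss the flooder. Real deployments tune the window and thresholds to the site's normal traffic.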
What Is a Security Breach?
• Unacceptable web-browsing behavior: A violation of an organization's acceptable use policy (AUP), such as an employee's unacceptable web browsing, can itself be a security breach. Organizations should have an AUP that clearly states what behavior is acceptable and what is not.
• Wiretapping: Attackers can tap telephone lines and data communication lines. Wiretapping can be active, where the attacker makes modifications to the line, or passive, where an unauthorized user simply listens to the transmission without changing the contents. Passive intrusion can include the copying of data for a subsequent active attack.
• Backdoors: Software developers sometimes include hidden access methods, called backdoors, in their programs. Backdoors give developers or support personnel easy access to a system without having to struggle with security controls.
What Is a Security Breach?
• Data modifications: Data that are purposely or accidentally modified impact the integrity tenet of information systems security. This is also considered a security breach. Another example is truncating data because the record field is not large enough to hold the complete data. This can occur with most programming languages and can be difficult to detect; however, the results can be significant. The best way to avoid data modification issues is to validate data before storing it and to ensure that your programs adhere to strict data integrity rules.
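To make the truncation problem concrete, here is an added Python example (not from the lecture): a fixed-width record store that silently cuts oversize values, beside one that validates length before storing and rejects the record instead. The schema, field widths, and sample records are constructed.

```python
"""Silent truncation vs. explicit validation when storing into fixed-width
fields. Added example; the schema and sample records are constructed."""
from dataclasses import dataclass

# Constructed schema: field name -> maximum width in characters.
SCHEMA = {"account_id": 8, "holder_name": 20, "email": 32}


@dataclass
class Record:
    account_id: str
    holder_name: str
    email: str


class ValidationError(ValueError):
    """Raised instead of altering data that does not fit the schema."""


def store_truncating(fields):
    """Mimics a legacy fixed-width store: oversize values are cut off
    silently, so what is stored no longer equals what the caller supplied."""
    return Record(**{k: str(fields[k])[:w] for k, w in SCHEMA.items()})


def store_validated(fields):
    """Checks presence and length before storing and refuses the whole
    record on any violation, so stored data always equals validated data."""
    clean = {}
    for name, width in SCHEMA.items():
        if name not in fields:
            raise ValidationError(f"missing field {name!r}")
        value = str(fields[name])
        if len(value) > width:
            raise ValidationError(
                f"{name!r} is {len(value)} characters, exceeds width {width}")
        clean[name] = value
    return Record(**clean)


def integrity_preserved(fields, stored):
    """True only if every stored field equals the value that was supplied."""
    return all(str(fields[k]) == getattr(stored, k) for k in SCHEMA)


def validation_rejects(fields):
    """True if store_validated refuses the record, False if it accepts it."""
    try:
        store_validated(fields)
    except ValidationError:
        return True
    return False


# Constructed input: the e-mail address is 34 characters, 2 over the width.
OVERSIZE = {"account_id": "AC100042", "holder_name": "Dana Example",
            "email": "dana.example@subdomain.example.com"}
# Constructed input that fits every field.
VALID = {"account_id": "AC100042", "holder_name": "Dana Example",
         "email": "dana@example.com"}

if __name__ == "__main__":
    print("truncating store kept:", store_truncating(OVERSIZE).email)
    print("validated store rejects oversize:", validation_rejects(OVERSIZE))
```

The truncating store returns a record that looks valid, which is exactly why the slide calls this hard to detect: nothing fails, the e-mail address is simply wrong. The validating store turns the same input into a loud error at the boundary where it can still be corrected.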
What Are Risks, Threats, and Vulnerabilities?
• A threat is any action that can damage or compromise an asset.
• A vulnerability is a weakness in the design or software code itself. A vulnerability that can be exploited is a threat.
• Any threat against a vulnerability creates a risk that a negative event may occur.
You can't eliminate threats, but you can protect against vulnerabilities. That way, even though a threat still exists, it cannot exploit the vulnerability. The key to protecting assets from the risk of attack is to eliminate or address as many vulnerabilities as possible.
What Is a Malicious Attack?
An attack on a computer system or network asset succeeds by exploiting a vulnerability in the system. There are four general categories of attack:
• Fabrications: A fabrication involves the creation of some deception in order to trick unsuspecting users.
• Interceptions: An interception involves eavesdropping on transmissions and redirecting them for unauthorized use.
• Interruptions: An interruption causes a break in a communication channel, which blocks the transmission of data.
• Modifications: A modification is the alteration of data contained in transmissions or files.
What Is Malicious Software?
The purpose of malware is to damage or disrupt a system. Its effects range widely:
• from slowing down a PC to causing it to crash;
• from spying on a user who is surfing the Internet, reading email, or downloading music or other content, to enabling the theft of credit card numbers.
Malware exists in two main categories:
• Infecting programs: Infecting programs actively attempt to copy themselves to other computers. Their main purpose is to carry out an attacker's instructions on new targets. Malware of this type includes the following:
  • Viruses: A computer virus acts in a similar fashion to a biological virus. It "infects" a host program and may cause that host program to replicate itself to other computers. The virus cannot exist without a host, and it can spread from host to host in an infectious manner. The purpose of the virus is to trick the computer into following instructions not intended by the original program developer.
  • Worms: A worm is a self-contained program that replicates and sends copies of itself to other computers, generally across a network, without any user input or action. The worm's purpose may be simply to reduce network availability by using up bandwidth, or it may take other nefarious actions.
• Hiding programs: Hiding programs hide in the computer, carrying out the attacker's instructions while avoiding detection. Malware that tends to hide includes the following:
  • Trojan horses: Trojan horse programs use their outward appearance to trick users into running them. They look like programs that perform useful tasks, but actually they hide malicious code. Once the program is running, the attack instructions execute with the user's permissions and authority.
  • Spyware: A type of malware that specifically threatens the confidentiality of information. It gathers information about a user through an Internet connection, without his or her knowledge.
  • Rootkits: Rootkits are all about hiding things. They want to hide both themselves and their malicious activity on a device. For example, if you were to ask a device to list all of the programs that are running, the rootkit might stealthily remove any programs it doesn't want you to know about.
What Are Common Types of Attacks?
Depending on the attacker's goal and objective, many different types of attacks can suit their needs and abilities. These attacks can be summarized in three categories:
• Attacks on availability: These attacks impact access or uptime to a critical system, application, or data.
• Attacks on people: These attacks involve using force or deception to get another human to divulge information or to perform an action (e.g., clicking on a suspicious URL link or opening an email attachment from an unknown email address).
• Attacks on IT assets: These attacks include penetration testing, unauthorized access, stolen passwords, deletion of data, or performing a data breach.
Social Engineering Attacks
Social engineering is the art of one human attempting to coerce or deceive another human into doing something or divulging information. Hackers use many different tactics to attempt to social engineer their victims. Here is a summary of social engineering attacks that may be used on you or your organization:
• Authority: Using a position of authority to coerce or persuade an individual to divulge information.
• Consensus/social proof: Using the position that "everyone else has been doing it" as proof that it is okay or acceptable to do.
• Impersonation: Pretending to be someone else (e.g., a delivery person, a bank representative).
• Trust: Building a human trust bond over time and then using that trust to get the individual to do something or divulge information.
Wireless Network Attacks
Wireless network attacks involve performing intrusive monitoring, packet capturing, and penetration tests on a wireless network.
• Bluejacking: Hacking and gaining control of the Bluetooth wireless communication link between a user's earphone and smartphone device.
• Bluesnarfing: Packet sniffing communications traffic between Bluetooth devices.
• Evil twin: Faking an open or public wireless network in order to run a packet sniffer on any user who connects to it.
• Jamming/interference: Sending radio signals on the same frequency as wireless network access points to jam and interfere with wireless communications, disrupting availability for legitimate users.
Web Application Attacks
Web application attacks involve performing intrusive penetration tests on public-facing web servers, applications, and back-end databases. Given the rapid deployment of e-commerce and customer or member portals and websites, these applications now provide access to private and sensitive data. Web applications that are public facing on the Internet are subject to a host of web application attacks, including:
• Arbitrary/remote code execution: Having gained privileged access or sysadmin rights, the attacker can run commands or execute a command at will on the remote system.
• Buffer overflow: Attempting to push more data than the buffer can handle, thus creating a condition where further compromise might be possible.
What Is a Countermeasure?
• Because of continuous increases in malware attacks on computers, it has become a necessity to design and implement effective anti-malware software countermeasures.
• Many anti-malware products are available to prevent the spread of all types of malware as well as to remove malware from infected computers, such as Kaspersky Anti-Virus and Norton AntiVirus.
• Some anti-malware software works by examining the activity generated by a file to determine whether it is malware. These types of anti-malware programs use an approach called heuristic analysis to see whether programs "act" like malware.
• Other types of anti-malware software detect malware by comparing programs and files to signatures of known types of malware. The problem is that these programs may not immediately recognize and counteract newly created malware. The anti-malware software must update its signature database to include the new signatures before it can detect such malware.
• Protecting your system with firewalls: A firewall is a program or dedicated hardware device that inspects network traffic passing through it and denies or permits that traffic based on a set of rules you determine at configuration. A firewall's basic task is to regulate the flow of traffic between computer networks of different trust levels, for example, between the LAN-to-WAN domain and the WAN domain, where the private network meets the public Internet.
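As an added example (not from the lecture or from any product), the following Python contrasts the two anti-malware approaches just described: a signature database of file hashes, which cannot recognize a variant it has not seen until the database is updated, and a behaviour-based heuristic that scores what a program does. The behaviour names, weights, threshold, and sample "files" are all constructed for this illustration.

```python
"""Signature-based vs. heuristic malware detection, side by side.
Added example: the signature database, behaviour weights and samples are
constructed; this is not a real anti-malware engine."""
import hashlib

# Constructed weights for behaviours the heuristic treats as suspicious.
SUSPICIOUS = {
    "self_copy_to_other_hosts": 4,    # worm-like replication
    "modifies_other_executables": 3,  # virus-like host infection
    "records_keystrokes": 3,          # keystroke-logger behaviour
    "hides_own_process": 4,           # rootkit-like concealment
    "sends_data_to_unknown_host": 2,  # also done by benign update checks
}
HEURISTIC_THRESHOLD = 5


class Sample:
    """A file under inspection: its bytes plus the behaviours observed when run."""
    def __init__(self, name, content, behaviours):
        self.name = name
        self.content = content
        self.behaviours = list(behaviours)


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def signature_match(sample, signature_db):
    """Exact-hash lookup: detects only samples already in the database."""
    return sha256(sample.content) in signature_db


def heuristic_score(sample):
    """Sum of weights for the suspicious behaviours the sample exhibits."""
    return sum(SUSPICIOUS.get(b, 0) for b in sample.behaviours)


def heuristic_match(sample):
    return heuristic_score(sample) >= HEURISTIC_THRESHOLD


def classify(sample, signature_db):
    """Report which engine flags the sample."""
    return {"signature": signature_match(sample, signature_db),
            "heuristic": heuristic_match(sample)}


# Constructed corpus. The 'variant' behaves exactly like the known worm but
# differs by a few bytes, so its hash is not in the database yet.
KNOWN_WORM = Sample("known_worm.bin", b"WORM-v1 payload bytes",
                    ["self_copy_to_other_hosts", "sends_data_to_unknown_host"])
VARIANT = Sample("worm_variant.bin", b"WORM-v2 payload bytes",
                 KNOWN_WORM.behaviours)
BENIGN = Sample("editor.exe", b"editor bytes",
                ["opens_files", "sends_data_to_unknown_host"])
SIGNATURE_DB = {sha256(KNOWN_WORM.content)}

if __name__ == "__main__":
    for s in (KNOWN_WORM, VARIANT, BENIGN):
        print(s.name, classify(s, SIGNATURE_DB))
    # Once the vendor ships the variant's signature, the lookup catches it too.
    updated = SIGNATURE_DB | {sha256(VARIANT.content)}
    print("after update:", signature_match(VARIANT, updated))
```

The trade-off the slides describe shows up directly: the signature engine has no false positives but misses the variant until its database is updated, while the heuristic catches the variant on day one at the cost of needing a threshold that keeps a benign program's single suspicious action (here, an outbound connection) below the line.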
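The permit/deny decision a firewall makes between zones of different trust can be shown in a few lines. This is an added example, not the lecture's, using constructed zones (a private LAN, a DMZ, and everything else treated as the public WAN), a constructed ordered rule set, and first-match evaluation that falls through to an implicit final deny.

```python
"""First-match firewall rule evaluation between zones of different trust.
Added example: zones, addresses and rules are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed zones. Anything outside them is treated as the public WAN.
ZONES = {
    "LAN": ipaddress.ip_network("192.168.10.0/24"),
    "DMZ": ipaddress.ip_network("192.0.2.0/24"),
}


def zone_of(addr):
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "WAN"


@dataclass(frozen=True)
class Rule:
    action: str              # "permit" or "deny"
    src_zone: str            # zone name or "ANY"
    dst_zone: str
    proto: str               # "tcp", "udp" or "ANY"
    dport: Optional[int]     # None matches any destination port


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


# Ordered rule set: the first matching rule decides, and traffic that matches
# no rule falls through to an implicit deny.
RULES = [
    Rule("permit", "WAN", "DMZ", "tcp", 443),   # public HTTPS to the DMZ web tier
    Rule("permit", "LAN", "WAN", "tcp", 443),   # internal users browsing out
    Rule("permit", "LAN", "WAN", "udp", 53),    # internal DNS lookups
    Rule("deny",   "WAN", "LAN", "ANY", None),  # nothing from the Internet into the LAN
]


def matches(rule, pkt):
    return ((rule.src_zone == "ANY" or rule.src_zone == zone_of(pkt.src))
            and (rule.dst_zone == "ANY" or rule.dst_zone == zone_of(pkt.dst))
            and (rule.proto == "ANY" or rule.proto == pkt.proto)
            and (rule.dport is None or rule.dport == pkt.dport))


def evaluate(pkt, rules=RULES):
    """Return (action, index of the deciding rule); index None means the
    implicit default deny matched because no explicit rule did."""
    for i, rule in enumerate(rules):
        if matches(rule, pkt):
            return rule.action, i
    return "deny", None


if __name__ == "__main__":
    probes = [
        Packet("203.0.113.9", "192.0.2.10", "tcp", 443),    # Internet -> DMZ web
        Packet("192.168.10.5", "203.0.113.9", "tcp", 443),  # LAN -> Internet HTTPS
        Packet("203.0.113.9", "192.168.10.5", "tcp", 22),   # Internet -> LAN
        Packet("192.168.10.5", "203.0.113.9", "tcp", 25),   # LAN -> Internet, no rule
    ]
    for p in probes:
        print(f"{zone_of(p.src)}->{zone_of(p.dst)} {p.proto}/{p.dport}: {evaluate(p)}")
```

Two points worth noticing: rule order matters because the first match wins, and the explicit WAN-to-LAN deny is redundant with the implicit default deny but is kept so that the policy states its most important boundary out loud rather than relying on fall-through.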