CND - Module 2 Threats and attacks


What are some examples of threats?

(Input threats) Buffer overflows, Cross-site scripting, SQL injection, canonicalization attacks, query string manipulation, form field manipulation, cookie manipulation, HTTP header manipulation.

What are some examples of vulnerabilities?

(Input vulnerabilities) Lack of validation, use of non-validated inputs directly to generate SQL queries, relying solely on client-side validation, performing validation based on known bad patterns.

What are some examples of attacks?

(input attacks) Exploiting validation vulnerabilities to perform a buffer overflow attack, XSS attack, SQL injection attack, canonicalization attack, query string manipulation, cookie manipulation, etc.

What are the 6 ways network security breaches affect business continuity?

1. Disruption or shutdown. 2. Loss of productivity. 3. Loss of privacy. 4. Data loss/theft. 5. Legal liability. 6. Reputation Damage & Loss of consumer confidence.

What percentage of network attacks are other type attacks?

12%

What percentage of network attacks are backdoor type attacks?

2%

What percentage of network attacks are botnet type attacks?

2%

What percentage of network attacks are brute-force type attacks?

25%

What percentage of network attacks are denial-of-service type attacks?

37%

What percentage of network attacks are ssl type attacks?

6%

What percentage of network attacks are shellshock type attacks?

7%

What percentage of network attacks are browser type attacks?

9%

What is a dictionary password attack?

A dictionary file is loaded into a cracking application that runs against user accounts. Makes guesses. Can be manual or automated. Attacker tries to match with the most occurring or commonly used words in day-to-day life. Most common passwords are password, root, administrator, admin, demo, test, guest, qwerty, pet names, date of birth, child names, addresses, hobbies, and interests. Passwords that are not case sensitive can easily be guessed. Passwords that are not lengthy and complex can be guessed.

What is a DDoS attack?

A distributed DoS. Involves a multitude of compromised systems attacking a single target, thereby causing a denial of service for legitimate users. DDoS attacks disable the whole network and hinder business operations, causing financial loss and a bad reputation. Attacker uses botnets for exploiting vulnerabilities which exist in the target system and converts it to a bot master. Doing this will infect it with malware or even take control of other systems on the network. Two types of DDoS attacks: Network-centric attack - overloads by consuming bandwidth. Application-centric - overloads a service by inundating it with packets.

How Is a virus different from a worm?

A worm can spread itself to other computers without the intent of the host (without the user doing anything). Viruses require the user to do something.

What's the difference between passive and active recon?

Active recon is mostly port and OS scans, more noticeable and loud. Passive recon gathers information from traffic/sniffing and publicly available information.

What is a malware attack?

Malware attacks affect the system or network either directly or indirectly. They cause an adverse impact on how the network functions. Malware is a program or a file that poses a threat to a computer system. The different types of malware include Trojans, Viruses, and Worms.

What is an access attack?

After gaining information about the target network, attackers then try to gain access by using various exploitation techniques. These are the attempts made towards gaining access to the system or network. This includes gaining unauthorized access, brute force, privilege escalations, man-in-the-middle, etc.

What is a DNS cache poisoning attack?

Altering or adding forged DNS records into the DNS resolver cache so that a DNS query is redirected to a malicious site. If the DNS resolver cannot validate that the DNS responses are coming from an authoritative source, it will cache the DNS entries locally and serve this forged DNS to users when someone makes the same DNS request.

What is a threat?

An action or event that can potentially compromise security. A threat is a potential violation of security. A threat can affect the integrity and availability factors of an organization. The impact of threats is very high and it can affect the existence of the physical IT assets in an organization. The existence of threats may be accidental, intentional, or due to the impact of some other action.

What is an ARP poisoning attack?

An attack in which the attacker tries to associate their own MAC address with the victim's IP address so that the traffic meant for that IP address is sent to the attacker. ARP spoofing/poisoning involves sending a large number of forged entries to the target machine's ARP cache or overloading a switch.

What is an attack?

An attack is an action taken towards breaching an IT system's security through vulnerabilities. In the context of an attack on a system or network, it also refers to malicious software or commands that can cause an unanticipated behavior of legitimate software or hardware because attackers take advantage of the vulnerabilities.

What are structured threats?

Arise from individuals who are highly motivated and technically competent. Can quickly identify vulnerabilities and write exploits on their own to compromise the network. Often involved in major fraud and theft cases.

What are external threats?

Arise from individuals who do not have direct access to the network. Exploiting vulnerabilities already existing in the network. Attacker does it for the sake of curiosity, financial gain, or reputation damage. Two types: Structured and unstructured.

What are user account vulnerabilities?

Arise from insecure transmission of user account details over the network such as usernames and passwords.

What are internal threats?

Arise from internal employees with access to networks and other internal resources. Around 80% of internet-related crimes are insider attacks. Most of these attacks are performed by privileged users of the network. Often disgruntled or negligent employees. May be out of revenge, disrespect, frustration, or lack of security awareness. More dangerous because they know the network, policies, and regulations of the org.

What are system account vulnerabilities?

Arise from setting weak passwords on system accounts.

What are unstructured threats?

Arise from unskilled individuals who attack the network out of curiosity. Inexperienced, use readily available hacking tools and scripts. Generally intended to test hacking skills, but can pose serious harm to the org.

What is a MAC spoofing/duplicating attack?

Attack launched by sniffing a network for MAC addresses, which are actively associated with a switch port and re-using one of those addresses. Replicates legitimate user's MAC address to receive all traffic intended for a specific user. Allows attacker to gain access to the network by faking another person's identity, who is already on the network.

What is DNS foot-printing? How does it work?

Attacker gathers DNS information to determine key hosts in the network and performs social engineering attacks. Use DNS interrogation tools to perform DNS foot-printing. DNS records provide important information about the location and type of server.

What is a DHCP spoofing attack?

Attacker places a rogue DHCP server between the client and the real server. Whenever the client sends a request, the attacker's rogue server intercepts the communication and acts as a valid server by replying with fake IP addresses. Disrupts network access, causing DoS. Rogue server can also send clients to fake websites for the purpose of gaining their credentials. To mitigate, set the interface that the rogue server is connected to as untrusted. That action will block all ingress DHCP server messages from that interface.

What is a password attack?

Attacker tries to exploit weaknesses to hack well chosen passwords. Using common passwords will make a system or application vulnerable to cracking attacks. Mainly target routers and servers, using various techniques (such as brute-force, social engineering, spoofing, phishing, malware, sniffing, and key logging) to acquire passwords; attackers start with cracking passwords and trick the network device into believing they are valid users.

What is a denial of service attack?

Attackers attempt to deny certain services available to customers, users, and/or organizations. The DoS attack does not lead to any loss or theft of information, but can affect the organization financially due to the downtime. The DoS attacks affect the files and other sensitive information stored in a system, as well as affect the working of any website. Websites are brought down using this method.

How does an external network sniff work?

Attackers outside the network intercept packets at the firewall level and steal info.

What is port scanning?

Attackers use various techniques to find open ports on a target. Attackers use nmap to perform port scanning. Other tools such as Netscan Tools Pro, SuperScan, and PRTG network monitor. Open ports are the doorways through which malware get on a system.

What is a botnet?

Collection of compromised computers connected to the internet to perform a distributed. Infected computer performs tasks without the user's permission. Bots spread across the internet and search for vulnerable and unprotected systems. Attackers use botnets to distribute spam emails, carry out DoS attacks, and automate identity theft. Might slow down the victim's performance. Instruct infected systems to send viruses, worms, spam, etc. Can be used to steal personal and private info. Can be used to DoS/extort a target. Automatically click on ads. Enter a system using a payload in a trojan or similar. Also infect using drive-by-downloads or sending spam.

What are the concerns with end-user carelessness?

Creates a huge impact on network security. Human behavior is more susceptible to various types of attack and tends to lead to more serious attacks on the network, including data loss, information leakage, etc. Intruders gain sensitive info through various social engineering techniques. Users sharing account info or login credentials leads to loss of data or exploitation of data.

What are the top 8 types of network attacks?

Denial-of-service, brute-force, other, browser, shellshock, ssl, botnet, and backdoor.

What is a DoS attack?

Denial-of-service attack. Makes resources unavailable for genuine users by sending a large number of service requests or exploiting vulnerabilities. Techniques used are sending malicious packets and exploiting already existing programming, logical, and application vulnerabilities. Using this technique, an attacker can: consume the device's processing power, which can allow attacks to go unnoticed. Cause the admin to take more time to investigate a large number of alarms. Fill up disk space, providing no space, or disrupt logging processes. Cause more alarms than the handling capacity of management systems (such as databases, ticketing, etc.). Cause the device to lock up.

What is polymorphic malware?

Destructive and intrusive malware code that changes its signature to avoid pattern matching detection by AV. Functionality remains the same but its signature changes. Payload/code is encrypted in order to hide and make it difficult to read by AV. Polymorphic behavior is gained by malware when the mutation engines are bundled with another payload such as viruses, worms, or trojans. Allows different subversions of same code but with same functionality. Modifies file names, encrypts data with variable keys, compresses files, etc.

What are 5 types of password attacks?

Dictionary attack, brute force attack, hybrid attack, birthday attack, and rainbow table attack.

What is a vulnerability?

Existence of a weakness, design, or implementation error that can lead to an unexpected and undesirable event compromising the security of the system. A vulnerability is a security loophole that allows an attacker to enter the system by bypassing various user authentication mechanisms.

What is a replay attack?

Extension of a man in the middle attack: the attacker captures data to obtain usernames and passwords; packets/auth tokens are captured. Uses tokens or credentials to replay user requests and get info.

What is spyware?

Extracts the user's information and sends it to the attacker. Enables advertisements to appear, modifies computer settings, redirects users to fake web pages, changes the home page of the browser. User is not aware they are being spied on. Most of the time used to track cookies and display unwanted pop-up ads. Key logger is a type of spyware used to record keystrokes. Can gather information such as usernames, passwords, bank account info, credit card numbers, etc. and send it to the attacker. Spyware degrades performance. It can disable the software firewall and antivirus software, reduce browser security settings, etc. Spyware can interfere with networking software, making it difficult to connect to the internet. May cause crashes or system/app stability issues.

What are the 5 reasons why network security concerns arise?

Hardware or Software Misconfiguration, Insecure or poor design of the network, Inherent technology weaknesses, Careless approach of end users, Intentional acts from end users.

How does an internal network sniff work?

Hooked to internal LAN to capture traffic directly.

What are the two types of social engineering attacks? What's the difference?

Human-based or computer-based. Human-based attacks = physical presence of intruder. Computer-based attacks = remotely.

What is ICMP scanning? How does it work?

ICMP is the Internet Control Message Protocol. Sends an ICMP packet to a system to gather all info about it. Sends an ICMP echo request to detect live hosts in a network. Sends to a single host. If the host is live, it will return an ICMP echo reply. Technique also locates the active devices or determines if ICMP is passing through a firewall.

What are the concerns with intentional end-user acts?

If an ex-employee has access to a shared drive, it can be used to leak the company's sensitive data. This type of act is called an intentional end-user act. Such acts lead to heavy losses to the company and data.

What are the concerns with inherent technology weakness?

If the hardware or software is not capable of defending the network against certain types of attacks, then they will be vulnerable to those attacks. Many hardware, applications, web browsers, etc. are more prone to attacks such as DoS or MiTM. For example, old version of browser = higher chance of being vulnerable to distributed attacks. If systems are not updated, a small Trojan attack will force the user to clean the entire machine, which often leads to data loss.

What are the 2 types of network security threats?

Internal, External

What are the three ways to sniff a network?

Internal, external, and wireless.

What are security policy awareness vulnerabilities?

Lack of awareness for the security policy

What are lack of continuity vulnerabilities?

Lack of continuity in implementing and enforcing the security policy

What is a brute-force password attack?

Large number of guesses are performed. Involves checking all combinations of characters until the correct password is found. Suitable for gaining passwords which are small and not very complex. If the password is long and complex, dictionary attack is faster than brute-force. Brute force attacks are time and resource consuming. Effectiveness depends on the password being cracked.

What are default password and settings vulnerabilities?

Leaving network devices/products with their default passwords and settings.

What is ransomware?

Locks or encrypts valuable files until the ransom is paid. Unlike other malware, it does not hide. Redirects users to sites to pay the ransom. Often collects credit card info to further abuse. No guarantee data will be recovered, even if payment is made. Demands are displayed either in a text file or on a web page in the browser. Takes advantage of a victim's embarrassment, surprise, or fear. For example, puts on time pressure. Sometimes forces the user to purchase a product to recover data. Sometimes tricks or embarrasses users into paying the ransom by stating they have been watching illegal content and must pay a fine.

What are the three types of communication that are susceptible to MiTM attacks?

Login functionality, unencrypted, financial sites

What is a trojan?

Malicious program that masquerades as a legitimate program. Can also be used as an intermediary to attack others. Most trojans consist of two parts: client and server. Server is a program that gets installed on the infected system. Client is a program located on the attacker's computer. Both are used to establish a connection between the attacker's and victim's systems via the internet. Trojan horses can also access programs remotely, delete files, send files, modify files, install other programs that provide unauthorized network access, and execute privilege-elevation attacks. A trojan can attempt to exploit a vulnerability to increase the level of access beyond the user running the trojan horse. If a trojan compromises a system in a shared network, the attacker records usernames/passwords/sensitive info as it navigates across the network.

What is a malware attack? What is malware?

Malware is software programs or malicious code that install on a system without the user's knowledge. It disrupts services, damages systems, gathers sensitive info, etc.

What are the concerns with insecure or poor design of network?

May incur a variety of threats and the probability of data loss. For example, if firewalls, IDS, and VPN technologies are not implemented securely they will expose the network to different threats.

What are internet service misconfiguration vulnerabilities?

Misconfiguring internet services can pose serious security risks. For example, enabling JavaScript and misconfiguring IIS, Apache, FTP, Terminal services, etc. can create security vulnerabilities in the network.

What are network device misconfiguration vulnerabilities?

Misconfiguring the network device itself

What are the 3 types of information that can be obtained in a recon attack? What are some examples of those?

Network information, system information, organization's information. Domain name, internal domain names, network blocks, ip addresses of reachable systems, rogue websites/private websites, TCP/UDP services running, Access Control Mechanisms/ACLs, networking protocols, VPN points, IDSes running, analog/digital telephone numbers, authentication mechanisms, system enumeration, information on key employees.

What are some concerns about network security?

Network security is a primary concern, potential threats are evolving every day. Attacks are becoming technically more sophisticated, better organized, and harder to detect. Organizations are failing to defend themselves against rapidly increasing network attacks due to lack of network security skills. Insider threats can be more dangerous than external ones.

What is nmap?

Nmap is a network discovery and security-auditing tool. Attackers can use it to extract information such as live hosts on the network, services (application name and version), type of packet filters/firewalls, operating systems, and OS versions.

What are some examples of recon attacks?

Packet sniffing, port scanning, ping sweeping, DNS foot-printing, social engineering

What is a root kit?

Performs malicious activities to get privileged access to the target computer. Hides the fact that the system is compromised by attackers. A successful root kit can potentially remain in place for years if it remains undetected. Root kits are used to hide viruses, worms, bots, etc. and it's difficult to remove them. Are installed after gaining admin access, either by manipulating a vulnerability or cracking a password. Attacker gets full control over the target system. Can modify files and existing software that detects root kits. Root kits are activated each time the system reboots, before the system completes booting.

What is a logic bomb?

Piece of software code that performs a malicious action when a logic condition is satisfied. For example: crashing a program on a specific date. Malicious software such as viruses use logic bombs to spread before being noticed. Can be used to blackmail a target. Another example: user visits a website, which triggers a key logger to capture credentials and send them to the attacker.

What are politics vulnerabilities?

Politics make it difficult to implement a consistent security policy

What is a DHCP starvation attack?

Process of inundating DHCP servers with fake DHCP requests with spoofed MAC addresses and using up all the available IP addresses. Results in a DoS attack, as the DHCP server cannot issue new IP addresses to genuine hosts. New clients cannot get access to the network. Similar to a SYN flood attack. Port security is a method used in preventing DHCP starvation attacks. Limits the number of MAC addresses that can access the port, and only the MAC addresses having permission to access the port can send/forward packets. DNS snooping that filters untrusted DHCP messages is another method.

What is network sniffing?

Process of monitoring and capturing all data packets passing through a given network using sniffing tools. Attackers use various sniffing utilities to sniff network traffic in order to gain sensitive information. Orgs often leave their switch ports open. Anyone in the same physical location can plug into the network using an ethernet cable. Purpose is to steal information. Usually user IDs, passwords, network details, credit card info, etc. Generally a passive type of attack, where the attacker can be silent/invisible on the network. Makes it difficult to detect and is a dangerous type of attack.

What is a virus?

Program that duplicates itself by making copies of itself. The major criterion is that it replicates itself through the host. A virus can only spread from one PC to another when its host is taken to the uncorrupted computer. For example, the user transmitting it over the network or executing it on a removable drive. Viruses can spread the infection by damaging files in a file system.

What are the 4 main types of network security attacks?

Recon attacks, access attack, denial of service attacks, malware attacks

What are the concerns with hardware and software misconfiguration?

Security loopholes are created. For example, a misconfigured protocol or use of an unencrypted protocol may lead to network intrusions resulting in a leak of sensitive information. Misconfigured hardware may allow attackers to gain access to the network or system. Misconfigured software may allow attackers to gain unauthorized access to applications and data.

What is a birthday password attack?

Similar to brute-force but relies on the probability of hash collisions.

How does a wireless network sniff work?

Sit near the network and penetrate it to get info.

What are backdoors?

Small programs that bypass the authentication check, such as gaining admin privileges without passwords. Attacker installs the program and controls the victim's computer remotely. Attackers use backdoors to get access to a network and keep returning using the same exploit. Difficult to block backdoor access, as it can bypass passwords, so changing the password won't help. Not logged and appears as if no one is online. Password cracking is a common type of backdoor.

What is a switch port stealing attack?

Sniffing technique to spoof both the MAC and IP address of the target machine. MiTM technique used to perform packet sniffing by exploiting the switch ports of a user: the attacker floods switch ports with forged packets that contain the victim host's spoofed MAC address as source and the attacker's MAC address as destination. Allows the switch port to send traffic to the attacker instead of the victim.

What are some techniques involved in recon attacks?

Social Engineering, Port scanning, DNS foot-printing, ping sweeping

What are the types of technological network security vulnerabilities?

TCP/IP protocols (HTTP, FTP, ICMP, SNMP, SMTP are inherently insecure), OS Vulnerabilities (inherently insecure, not patched with latest updates), Network Device Vulnerabilities (Lack of password protection, lack of auth, insecure routing, firewall vulnerabilities)

What is a reconnaissance attack?

Technique in which the attackers gather information about the network or organization, helping them perform attacks easier. Gathering information about a network allows attackers to recognize any potential weaknesses it may have.

What is social engineering?

The art and science of convincing/tricking people to provide personal or business information. The human side of breaking into a corporate network. Non-technical intrusion that relies heavily on human interaction. Involves tricking other people into breaking normal security procedures. Organizations are vulnerable to social engineering attacks even after implementing various technical network security measures.

What is a privilege escalation attack?

The attacker gains access to the network and the associated data and applications by taking advantage of defects in the design, software application, poorly configured operating systems, etc. Once attackers have gained access with a valid account, they attempt to increase their privileges. These privileges allow an attacker to view private information, delete files, or install malicious programs such as viruses, trojans, worms, etc.

What is a MiTM attack?

The intruder sets up a station between the client and server communication to intercept messages being exchanged. Attackers use different techniques to split TCP connections into two connections: Client-to-attacker connection and attacker-to-server connection. Interception of TCP connection allows attacker to read, modify, and insert fraudulent data into the intercepted communication. Involves snooping on a connection, intruding into a connection, intercepting messages, and modifying the data. Type of eavesdropping attack. Communication susceptible to MiTM attacks include login functionality, unencrypted, and financial sites. Often found in telnet and wireless tech. Not easy to implement due to TCP sequence numbers and speed. Hard to perpetrate and can be broken sometimes by invalidating traffic.

What is the difference between a threat, vulnerability, and attack?

A threat is a potential violation of security. A vulnerability is a weakness or error in design or implementation that can be exploited. An attack (or exploit) is an action that uses one or more vulnerabilities to realize a threat.

What is adware?

Tracks the user's browsing patterns for marketing purposes and displays advertisements. Collects the user's data, such as what types of internet sites the user visits.

What is a DNS poisoning attack?

Unauthorized manipulation of IP addresses in the domain name server cache. A corrupt DNS redirects user requests to a malicious website to perform illegal activities. For example: if a victim types www.google.com, the request is redirected to the fake website www.goggle.com

What are the types of policy network security vulnerabilities?

Unwritten policy, lack of continuity, office politics, security policy unawareness

What are unwritten policy vulnerabilities?

Unwritten security policy is difficult to implement and enforce

What are the types of network configuration vulnerabilities?

User account vulnerabilities, system account vulnerabilities, internet service misconfiguration, default password and settings, and network device misconfiguration.

What is a rainbow table password attack?

Uses a huge set of pre-computed hashes or password/hash pairs to quickly look up a matching password for a given hash.

What are the two types of privilege escalation attacks? What are the differences?

Vertical and horizontal. Vertical is gaining higher privileges or a higher level of access, doing kernel level operations that permit unauthorized code to run. Horizontal uses the same privileges or level of access while assuming the identity of another user.

What is an armored virus?

Virus specifically coded with different mechanisms to make its detection difficult. Fools anti-virus programs, making them believe it's located somewhere else in memory and making it difficult to detect and remove. Also uses crypting ("complicating and confusing code") to hide from being detected. Makes it difficult for researchers to disassemble the virus, therefore propagating longer before researchers find a countermeasure.

What are the 10 primary types of malware?

Viruses/Armored Viruses, Trojans, Adware, Spyware, Root kits, Backdoors, Logic bomb, Botnets, Ransomware, and Polymorphic malware.

What is a hybrid password attack?

Works like a dictionary attack but adds numbers and symbols to the words. Generalizes common things people do to make their passwords hard to guess. Starts by guessing dictionary terms and creates other guesses by appending or prepending characters to the dictionary term, such as dates, numbers, alphanumeric characters, etc.
