NET-240 (NetAcad Chapter 2)

Threat

A potential danger to an asset such as data or the network itself.

Vulnerability

A weakness in a system or its design that could be exploited by a threat.

Propagation mechanism

After gaining access to a device, the worm replicates itself and locates new targets.

2.5.7 Check Your Understanding - Identify the Types of Network Attacks

Check your understanding of network attacks by answering the following questions.

FTP

Enables unauthorized file transfer services on end devices.

8. What is the term used when a malicious party sends a fraudulent email disguised as being from a legitimate, trusted source?

Phishing

Denial of Service (DoS)

Slows or halts network activity.

2. What type of attack is tailgating?

Social Engineering

Risk transfer

Some or all of the risk is transferred to a willing third party such as an insurance company.

Initiate a ping sweep of the target network

The information query usually reveals the target's network address. The threat actor can now initiate a ping sweep to determine which IP addresses are active.

Perform an information query of a target

The threat actor is looking for initial information about a target. Various tools can be used, including the Google search, organizations website, whois, and more.

Resource exhaustion

This evasion technique makes the target host too busy to properly use security detection techniques.

Botmaster

This is the threat actor who is in control of the botnet and handlers.

Risk acceptance

This is when the cost of risk management options outweighs the cost of the risk itself. The risk is accepted, and no action is taken.

Risk avoidance

This means avoiding any exposure to the risk by eliminating the activity or device that presents the risk. By eliminating an activity to avoid risk, any benefits that are possible from the activity are also lost.

Zombies

This refers to a group of compromised hosts (i.e., agents). These hosts run malicious code referred to as robots (i.e., bots). The zombie malware continually attempts to self-propagate like a worm.

Botnet

This refers to a group of zombies that have been infected using self-propagating malware (i.e., bots) and are controlled by handlers.

Pivoting

This technique assumes the threat actor has compromised an inside host and wants to expand their access further into the compromised network. An example is a threat actor who has gained access to the administrator password on a compromised host and is attempting to login to another host using the same credentials.

Proxy

Uses the victim's computer as the source device to launch attacks and perform other illegal activities.

3. What type of malware encrypts all data on a drive and demands payment in Bitcoin cryptocurrence to unencrypt the files?

ransomware

2.5.2 DoS and DDoS Attacks

A Denial of Service (DoS) attack creates some sort of interruption of network services to users, devices, or applications. There are two major types of DoS attacks: Overwhelming Quantity of Traffic - The threat actor sends an enormous quantity of data at a rate that the network, host, or application cannot handle. This causes transmission and response times to slow down. It can also crash a device or service. Maliciously Formatted Packets - The threat actor sends a maliciously formatted packet to a host or application and the receiver is unable to handle it. This causes the receiving device to run very slowly or crash. Click each button for an illustration and explanation of DoS and DDoS attacks. DoS Attack DoS attacks are a major risk because they interrupt communication and cause significant loss of time and money. These attacks are relatively simple to conduct, even by an unskilled threat actor.

DDoS Attack

A Distributed DoS Attack (DDoS) is similar to a DoS attack, but it originates from multiple, coordinated sources. For example, A threat actor builds a network of infected hosts, known as zombies. The threat actor uses a command and control (CnC) system to send control messages to the zombies. The zombies constantly scan and infect more hosts with bot malware. The bot malware is designed to infect a host, making it a zombie that can communicate with the CnC system. The collection of zombies is called a botnet. When ready, the threat actor instructs the CnC system to make the botnet of zombies carry out a DDoS attack.

Denial-of-Service (DoS) Attack

A DoS attack prevents normal use of a computer or network by valid users. After gaining access to a network, a DoS attack can crash applications or network services. A DoS attack can also flood a computer or the entire network with traffic until a shutdown occurs because of the overload. A DoS attack can also block traffic, which results in a loss of access to network resources by authorized users.

Man-in-the-Middle Attack (MITM)

A MiTM attack occurs when threat actors have positioned themselves between a source and destination. They can now actively monitor, capture, and control the communication transparently.

Compromised Key Attack

A compromised-key attack occurs when a threat actor obtains a secret key. This is referred to as a compromised key. A compromised key can be used to gain access to a secured communication without the sender or receiver being aware of the attack.

Rootkit Detectors

A rootkit detector is a directory and file integrity checker used by white hats to detect installed root kits. Example tools include AIDE, Netfilter, and PF: OpenBSD Packet Filter.

Rootkits

A rootkit is a complex attacker tool used by experienced threat actors. It integrates with the lowest levels of the operating system. When a program attempts to list files, processes, or network connections, the rootkit presents a sanitized version of the output, eliminating any incriminating output. The goal of the rootkit is to completely hide the activities of the attacker on the local system.

Sniffer Attack

A sniffer is an application or device that can read, monitor, and capture network data exchanges and read network packets. If the packets are not encrypted, a sniffer provides a full view of the data inside the packet. Even encapsulated (tunneled) packets can be broken open and read unless they are encrypted and the threat actor does not have access to the key.

Spear phishing

A threat actor creates a targeted phishing attack tailored for a specific individual or organization.

Baiting

A threat actor leaves a malware infected flash drive in a public location. A victim finds the drive and unsuspectingly inserts it into their laptop, unintentionally installing malware.

Pretexting

A threat actor pretends to need personal or financial data to confirm the identity of the recipient.

Phishing

A threat actor sends fraudulent email which is disguised as being from a legitimate, trusted source to trick the recipient into installing malware on their device, or to share personal or financial information.

2. What is an example of a local exploit?

A threat actor tries to gain the user password of a remote host by using a keyboard capture software installed on it by a Trojan.

2.3.2 Viruses

A virus is a type of malware that spreads by inserting a copy of itself into another program. After the program is run, viruses then spread from one computer to another, infecting the computers. Most viruses require human help to spread. For example, when someone connects an infected USB drive to their PC, the virus will enter the PC. The virus may then infect a new USB drive, and spread to new PCs. Viruses can lay dormant for an extended period and then activate at a specific time and date. A simple virus may install itself at the first line of code in an executable file. When activated, the virus might check the disk for other executables so that it can infect all the files it has not yet infected. Viruses can be harmless, such as those that display a picture on the screen, or they can be destructive, such as those that modify or delete files on the hard drive. Viruses can also be programmed to mutate to avoid detection. Most viruses are now spread by USB memory drives, CDs, DVDs, network shares, and email. Email viruses are a common type of virus.

Automated Indicator Sharing (AIS)

AIS enables the sharing of attack indicators between the US government and the private sector as soon as threats are verified.

1. What is the weakest link in network security?

Access

2.4.4 Access Attacks

Access attacks exploit known vulnerabilities in authentication services, FTP services, and web services. The purpose of this type of attack is to gain entry to web accounts, confidential databases, and other sensitive information. Threat actors use access attacks on network devices and computers to retrieve data, gain access, or to escalate access privileges to administrator status. Password Attacks In a password attack, the threat actor attempts to discover critical system passwords using various methods. Password attacks are very common and can be launched using a variety of password cracking tools. Spoofing Attacks In spoofing attacks, the threat actor device attempts to pose as another device by falsifying data. Common spoofing attacks include IP spoofing, MAC spoofing, and DHCP spoofing. These spoofing attacks will be discussed in more detail later in this module Other Access attacks include: Trust exploitations Port redirections Man-in-the-middle attacks Buffer overflow attacks Click each button to view an illustration and explanation of these access attacks.

Keylogger

Actively attempts to steal confidential information, such as credit card numbers, by recording keystrokes entered into a web form.

Spam

Also known as junk mail, this is unsolicited email which often contains harmful links, malware, or deceptive content.

IP Address Spoofing Attack

An IP address spoofing attack is when a threat actor constructs an IP packet that appears to originate from a valid address inside the corporate intranet.

Attack surface

An attack surface is the total sum of the vulnerabilities in a given system that are accessible to an attacker. The attack surface describes different points where an attacker could get into a system, and where they could get data out of the system. For example, your operating system and web browser could both need security patches. They are each vulnerable to attacks and are exposed on the network or the internet. Together, they create an attack surface that the threat actor can exploit.

Payload

Any malicious code that results in some action is a payload. Most often this is used to create a backdoor that allows a threat actor access to the infected host or to create a DoS attack.

White Hat Hackers

Are ethical hackers who use their programming skills for good, ethical, and legal purposes. They may perform network penetration tests in an attempt to compromise networks and systems by using their knowledge of computer security systems to discover network vulnerabilities. Security vulnerabilities are reported to developers and security personnel who attempt to fix the vulnerability before it can be exploited. Some organizations award prizes or bounties to white hat hackers when they provide information that helps to identify vulnerabilities.

Gray Hat Hackers

Are individuals who commit crimes and do arguably unethical things, but not for personal gain or to cause damage. An example would be someone who compromises a network without permission and then discloses the vulnerability publicly. Gray hat hackers may disclose a vulnerability to the affected organization after having compromised their network. This allows the organization to fix the problem.

Black Hat Hackers

Are unethical criminals who violate computer and network security for personal gain, or for malicious reasons, such as attacking networks. Black hat hackers exploit vulnerabilities to compromise computer and network systems.

2.1.2 Hacker vs. Threat Actor

As we know, "hacker" is a common term used to describe a threat actor. However, the term "hacker" has a variety of meanings, as follows: A clever programmer capable of developing new programs and coding changes to existing programs to make them more efficient. A network professional that uses sophisticated programming skills to ensure that networks are not vulnerable to attack. A person who tries to gain unauthorized access to devices on the internet. An individual who run programs to prevent or slow network access to a large number of users, or corrupt or wipe out data on servers. 123 Gray Hat HackersBlack Hat HackersWhite Hat Hackers As shown in the figure, the terms white hat hacker, black hat hacker, and grey hat hacker are often used to describe hackers. White hat hackers are ethical hackers who use their programming skills for good, ethical, and legal purposes. They may perform network penetration tests in an attempt to compromise networks and systems by using their knowledge of computer security systems to discover network vulnerabilities. Security vulnerabilities are reported to developers and security personnel who attempt to fix the vulnerability before it can be exploited. Some organizations award prizes or bounties to white hat hackers when they provide information that helps to identify vulnerabilities. Grey hat hackers are individuals who commit crimes and do arguably unethical things, but not for personal gain or to cause damage. An example would be someone who compromises a network without permission and then discloses the vulnerability publicly. Grey hat hackers may disclose a vulnerability to the affected organization after having compromised their network. This allows the organization to fix the problem. Black hat hackers are unethical criminals who violate computer and network security for personal gain, or for malicious reasons, such as attacking networks. Black hat hackers exploit vulnerabilities to compromise computer and network systems. Good or bad, hacking is an important aspect of network security. In this course, the term threat actor is used when referring to those individuals or groups that could be classified as gray or black hat hackers.

I secretly installed a debit card skimmer device on an ATM machine. A few days later, I retrieved it and it had captured the account numbers and pins numbers of over 1000 people. I then proceeded to transfer money from their accounts to an offshore bank account.

Black Hat

I used malware to compromise several corporate systems to steal credit card information and sold that information to the highest bidder.

Black Hat

2.3.10 Check Your Understanding - Malware

Check your understanding of malware by answering the following questions.

2.2.4 Check Your Understanding - Classify Cyber Attacks

Check your understanding of types of cyber attacks by answering the following questions.

Performing Ping Sweeps

Click Play in the figure to view an animation of a threat actor doing a ping sweep of the target's network address to discover live and active IP addresses.

Performing Port Scans

Click Play in the figure to view an animation of a threat actor performing a port scan on the discovered active IP addresses using Nmap.

Internet Information Queries

Click Play in the figure to view an animation of a threat actor using the whois command to find information about a target.

2.1.8 Check Your Understanding - What Color is my Hat?

Click the appropriate response for each characteristic to indicate the type of hacker it describes.

4. A threat actor has gained access to encryption keys that will permit them to read confidential information. What type of attack is this?

Compromised Key

2.3.5 Worms

Computer worms are similar to viruses because they replicate and can cause the same type of damage. Specifically, worms replicate themselves by independently exploiting vulnerabilities in networks. Worms can slow down networks as they spread from system to system. Whereas a virus requires a host program to run, worms can run by themselves. Other than the initial infection, they no longer require user participation. After a host is infected, the worm is able to spread very quickly over the network. Worms are responsible for some of the most devastating attacks on the internet. In 2001, the Code Red worm had initially infected 658 servers. Within 19 hours, the worm had infected over 300,000 servers. Initial Code Red Worm Infection Code Red Infection 19 hours later The initial infection of the SQL Slammer worm is known as the worm that ate the internet. SQL Slammer was a denial of service (DoS) attack that exploited a buffer overflow bug in Microsoft's SQL Server. At its peak, the number of infected servers doubled in size every 8.5 seconds. This is why it was able to infect 250,000+ hosts within 30 minutes. When it was released on the weekend of January 25, 2003, it disrupted the internet, financial institutions, ATM cash machines, and more. Ironically, a patch for this vulnerability had been released 6 months earlier. The infected servers did not have the updated patch applied. This was a wake-up call for many organizations to implement a security policy requiring that updates and patches be applied in a timely fashion. Initial SQL Slammer Infection SQL Slammer Infection 30 minutes later Worms share similar characteristics. They all exploit an enabling vulnerability, have a way to propagate themselves, and they all contain a payload.

2.1.4 Cybercriminals

Cybercriminals are threat actors who are motivated to make money using any means necessary. While sometimes cybercriminals work independently, they are more often financed and sponsored by criminal organizations. It is estimated that globally, cybercriminals steal billions of dollars from consumers and businesses every year. Cybercriminals operate in an underground economy where they buy, sell, and trade exploits and tools. They also buy and sell the personal information and intellectual property that they steal from victims. Cybercriminals target small businesses and consumers, as well as large enterprises and industries.

2.3.9 Common Malware Behaviors

Cybercriminals continually modify malware code to change how it spreads and infects computers. However, most produce similar symptoms that can be detected through network and device log monitoring. Computers infected with malware often exhibit one or more of the following symptoms: Appearance of strange files, programs, or desktop icons Antivirus and firewall programs are turning off or reconfiguring settings Computer screen is freezing or system is crashing Emails are spontaneously being sent without your knowledge to your contact list Files have been modified or deleted Increased CPU and/or memory usage Problems connecting to networks Slow computer or web browser speeds Unknown processes or services running Unknown TCP or UDP ports open Connections are made to hosts on the Internet without user action Strange computer behavior Note: Malware behavior is not limited to the above list.

2.4.7 Strengthening the Weakest Link

Cybersecurity is only as strong as its weakest link. Since computers and other internet-connected devices have become an essential part of our lives, they no longer seem new or different. People have become very casual in their use of these devices and rarely think about network security. The weakest link in cybersecurity can be the personnel within an organization, and social engineering a major security threat. Because of this, one of the most effective security measures that an organization can take is to train its personnel and create a "security-aware culture."

2.3.6 Worm Components

Despite the mitigation techniques that have emerged over the years, worms have continued to evolve and pose a persistent threat. Worms have become more sophisticated over time, but they still tend to be based on exploiting weaknesses in software applications. Common Worm Pattern Enabling vulnerability Propagation mechanism Payload Most worm attacks consist of three components, as listed in the animation above. Enabling vulnerability - A worm installs itself using an exploit mechanism, such as an email attachment, an executable file, or a Trojan horse, on a vulnerable system. Propagation mechanism - After gaining access to a device, the worm replicates itself and locates new targets. Payload - Any malicious code that results in some action is a payload. Most often this is used to create a backdoor that allows a threat actor access to the infected host or to create a DoS attack. Worms are self-contained programs that attack a system to exploit a known vulnerability. Upon successful exploitation, the worm copies itself from the attacking host to the newly exploited system and the cycle begins again. Their propagation mechanisms are commonly deployed in a way that is difficult to detect. The propagation technique used by the Code Red worm is shown in the figure. Code Red Worm Propagation 1. Propagate for 19 days. 2. Launch DoS attack for next 7 days. 3. Stop and go dormant for a few days. 4. Repeat the cycle. Note: Worms never really stop spreading on the internet. After they are released, worms continue to propagate until all possible sources of infection are properly patched.

DoS Attack

DoS attacks are a major risk because they interrupt communication and cause significant loss of time and money. These attacks are relatively simple to conduct, even by an unskilled threat actor.

Malware 2.3.1 Types of Malware

End devices are especially prone to malware attacks. Therefore, the focus of this topic is on threats to end devices. Malware is short for malicious software or malicious code. It is code or software that is specifically designed to damage, disrupt, steal, or generally inflict some other "bad" or illegitimate action on data, hosts, or networks. It is important to know about malware because threat actors and online criminals frequently try to trick users into installing malware to help exploit security gaps. In addition, malware morphs so rapidly that malware-related security incidents are extremely common because antimalware software cannot be updated quickly enough to stop the new threats. Play the animation to view examples of the three most common types of malware; virus, worm, and Trojan horse.

2.2.2 Evolution of Security Tools

Ethical hacking involves using many different types of tools to test the network and end devices. To validate the security of a network and its systems, many network penetration testing tools have been developed. However, many of these tools can also be used by threat actors for exploitation. Threat actors have also created various hacking tools. These tools are explicitly written for nefarious reasons. Cybersecurity personnel must also know how to use these tools when performing network penetration tests. Explore the categories of common network penetration testing tools. Notice how some tools are used by white hats and black hats. Keep in mind that the list is not exhaustive as new tools are continually being developed. Note: Many of these tools are UNIX or Linux based; therefore, a security professional should have a strong UNIX and Linux background.

Fuzzers to Search Vulnerabilities

Fuzzers are tools used by threat actors when attempting to discover a computer system's security vulnerabilities. Examples of fuzzers include Skipfish, Wapiti, and W3af.

2.1.7 Threat Sharing and Building Cybersecurity Awareness

Governments are now actively promoting cybersecurity. For instance, the US Cybersecurity Infrastructure and Security Agency (CISA) is leading efforts to automate the sharing of cybersecurity information with public and private organizations at no cost. CISA uses a system called Automated Indicator Sharing (AIS). AIS enables the sharing of attack indicators between the US government and the private sector as soon as threats are verified. CISA offers many resources that help to limit the size of the United States attack surface. The CISA and the National Cyber Security Alliance (NCSA) promote cybersecurity to all users. For example, they have an annual campaign in every October called "National Cybersecurity Awareness Month" (NCASM). This campaign was developed to promote and raise awareness about cybersecurity. The theme for the NCASM for 2019 was "Own IT. Secure IT. Protect IT." This campaign encouraged all citizens to be safer and more personally accountable for using security best practices online. The campaign provides material on a wide variety of security topics including: Social media safety Updating privacy settings Awareness of device app security Keeping software up-to-date Safe online shopping Wi-Fi safety Protecting customer data The European Union Agency for Cybersecurity (ENISA) delivers advice and solutions for the cybersecurity challenges of the EU member states. ENISA fills a role in Europe that is similar to the role of CISA in the US.

While I was searching for security vulnerabilities, I gained unauthorized access to a company's network and left the message "Your security is flawed".

Gray Hat

2.1.3 Evolution of Threat Actors

Hacking started in the 1960s with phone freaking, or phreaking, which refers to using various audio frequencies to manipulate phone systems. At that time, telephone switches used various tones, or tone dialing, to indicate different functions. Early threat actors realized that by mimicking a tone using a whistle, they could exploit the phone switches to make free long-distance calls. In the mid-1980s, computer dial-up modems were used to connect computers to networks. Threat actors wrote "war dialing" programs which dialed each telephone number in a given area in search of computers, bulletin board systems, and fax machines. When a phone number was found, password-cracking programs were used to gain access. Since then, general threat actor profiles and motives have changed quite a bit. There are many different types of threat actors. Click the buttons to see definitions for the different types of threat actors.

Hacktivists

Hacktivists is a term that refers to grey hat hackers who rally and protest against different political and social ideas. Hacktivists publicly protest against organizations or governments by posting articles, videos, leaking sensitive information, and performing distributed denial of service (DDoS) attacks.

2.5.3 Components of DDoS Attacks

If threat actors can compromise many hosts, they can perform a Distributed DoS Attack (DDoS). DDoS attacks are similar in intent to DoS attacks, except that a DDoS attack increases in magnitude because it originates from multiple, coordinated sources, as shown in the figure. A DDoS attack can use hundreds or thousands of sources, as in IoT-based DDoS attacks. Client/AttackerAgents/ZombiesHandlersAttacker uses many intermediate hosts, called zombies, to launch the attack.Victim The following terms are used to describe components of a DDoS attack: Note: There is an underground economy where botnets can be bought (and sold) for a nominal fee. This can provide threat actors with botnets of infected hosts ready to launch a DDoS attack against the target of choice.

Man-in-the-Middle Attacks

In a man-in-the-middle attack, the threat actor is positioned in between two legitimate entities in order to read or modify the data that passes between the two parties. The figure displays an example of a man-in-the-middle attack.

Password Attacks

In a password attack, the threat actor attempts to discover critical system passwords using various methods. Password attacks are very common and can be launched using a variety of password cracking tools.

Port-Redirection Attacks

In a port redirection attack, a threat actor uses a compromised system as a base for attacks against other targets. The example in the figure shows a threat actor using SSH (port 22) to connect to a compromised Host A. Host A is trusted by Host B and, therefore, the threat actor can use Telnet (port 23) to access it.

Trust-Exploitation Attacks

In a trust exploitation attack, a threat actor uses unauthorized privileges to gain access to a system, possibly compromising the target. Click Play in the figure to view an example of trust exploitation.

Spoofing Attacks

In spoofing attacks, the threat actor device attempts to pose as another device by falsifying data. Common spoofing attacks include IP spoofing, MAC spoofing, and DHCP spoofing. These spoofing attacks will be discussed in more detail later in this module.

Traffic substitution

In this evasion technique, the threat actor attempts to trick an IPS by obfuscating the data in the payload. This is done by encoding it in a different format. For example, the threat actor could use encoded traffic in Unicode instead of ASCII. The IPS does not recognize the true meaning of the data, but the target end system can read the data.

Impersonation

In this type of attack, a threat actor pretends to be someone else to gain the trust of a victim.

Scareware

Includes scam software which uses social engineering to shock or induce anxiety by creating the perception of a threat. It is generally directed at an unsuspecting user and attempts to persuade the user to infect a computer by taking action to address the bogus threat.

Indicators of Compromise (IOC)

Indicators of compromise are the evidence that an attack has occurred. IOCs can be features that identify malware files, IP addresses of servers that are used in attacks, filenames, and characteristic changes made to end system software, among others. IOCs help cybersecurity personnel identify what has happened in an attack and develop defenses against the attack.

Cybersecurity Infrastructure and Security Agency (CISA)

Is leading efforts to automate the sharing of cybersecurity information with public and private organizations at no cost. CISA uses a system called Automated Indicator Sharing (AIS).

Social Engineer Toolkit (SET)

It was designed to help white hat hackers and other network security professionals create social engineering attacks to test their own networks. It is a set of menu-based tools that help launch social engineering attacks. The SET is for educational purposes only. It is freely available on the internet.

Common Network Attacks - Reconnaissance, Access, and Social Engineering 2.4.1 Types of Network Attacks

Malware is a means to get a payload delivered. When it is delivered and installed, the payload can be used to cause a variety of network-related attacks from the inside. Threat actors can also attack the network from outside. Why do threat actors attack networks? There are many motives including money, greed, revenge, or political, religious, or sociological beliefs. Network security professionals must understand the types of attacks used to counter these threats to ensure the security of the LAN. To mitigate attacks, it is useful to first categorize the various types of attacks. By categorizing network attacks, it is possible to address types of attacks rather than individual attacks. Although there is no standardized way of categorizing network attacks, the method used in this course classifies attacks in three major categories. Reconnaissance Attacks Access Attacks DoS Attacks

2.1.6 Cyber Threat Indicators

Many network attacks can be prevented by sharing information about indicators of compromise (IOC). Each attack has unique identifiable attributes. Indicators of compromise are the evidence that an attack has occurred. IOCs can be features that identify malware files, IP addresses of servers that are used in attacks, filenames, and characteristic changes made to end system software, among others. IOCs help cybersecurity personnel identify what has happened in an attack and develop defenses against the attack. A summary of the IOC for a piece of malware is shown in the figure. Malware File - "studiox-link-standalone-v20.03.8-stable.exe" sha256 6a6c28f5666b12beecd56a3d1d517e409b5d6866c03f9be44ddd9efffa90f1e0 sha1 eb019ad1c73ee69195c3fc84ebf44e95c147bef8 md5 3a104b73bb96dfed288097e9dc0a11a8 DNS requests domain log.studiox.link domain my.studiox.link domain _sips._tcp.studiox.link domain sip.studiox.link Connections ip 198.51.100.248 ip 203.0.113.82 For instance, a user receives an email claiming they have won a big prize. Clicking on the link in the email results in an attack. The IOC could include the fact the user did not enter that contest, the IP address of the sender, the email subject line, the URL to click, or an attachment to download, among others. Indicators of attack (IOA) focus more on the motivation behind an attack and the potential means by which threat actors have, or will, compromise vulnerabilities to gain access to assets. IOAs are concerned with the strategies that are used by attackers. For this reason, rather than informing response to a single threat, IOAs can help generate a proactive security approach. This is because strategies can be reused in multiple contexts and multiple attacks. Defending against a strategy can therefore prevent future attacks that utilize the same, or similar strategy.

2.5.4 Video - Mirai Botnet

Mirai is malware that targeted Internet of Things (IoT) devices that are configured with default login information. Closed-circuit television (CCTV) cameras made up the majority of Mirai's targets. Using a brute force dictionary attack, Mirai ran through a list of default usernames and passwords that were widely known on the internet. root/default root/1111 root/54321 admin/admin1234 admin1/password guest/12345 tech/tech support/support After gaining successful access, Mirai targeted the Linux-based BusyBox utilities that run on these devices. These utilities were used to turn the devices into bots that could be remotely controlled as part of a botnet. The botnet was then used as part of a distributed denial of service (DDoS) attack. In September 2016, a Mirai botnet of over 152,000 CCTVs and digital video recorders (DVRs) was responsible for the largest DDoS attack known until that time. With peak traffic of over 1 Tb/s, it took down the hosting services of a France-based web hosting company. In October 2016 the services of Dyn, a Domain Name System (DNS) provider, were attacked, causing internet outages for millions of users in the United States and Europe. Play the video to view a demonstration of how a botnet-based DDoS attack makes services unavailable. Note: In December 2017, three American threat actors pleaded guilty to conspiring to "conduct DDoS attacks against websites and web hosting companies located in the United States and abroad." The three felons face up to 10 years in prison and $250,000 in fines.

11. Which evasion method describes the situation that after gaining access to the administrator password on a compromised host, a threat actor is attempting to login to another host using the same credentials?

Pivoting

2.4.2 Reconnaissance Attacks

Reconnaissance is information gathering. It is analogous to a thief surveying a neighborhood by going door-to-door pretending to sell something. What the thief is actually doing is looking for vulnerable homes to break into, such as unoccupied residences, residences with easy-to-open doors or windows, and those residences without security systems or security cameras. Threat actors use reconnaissance (or recon) attacks to do unauthorized discovery and mapping of systems, services, or vulnerabilities. Recon attacks precede access attacks or DoS attacks. Some of the techniques used by malicious threat actors to conduct reconnaissance attacks are described in the table.

Something for Something

Sometimes called "Quid pro quo", this is when a threat actor requests personal information from a party in exchange for something such as a gift.

2.5.5 Buffer Overflow Attack

The figure shows a threat actor with a laptop. an arrow goes from the threat actor through the internet, two routers, a switch and arrives at a server labeled victim. there are four stacked envelopes next to the switch. R2R1S5 VictimInternet The goal of a threat actor when using a buffer overflow DoS attack is to find a system memory-related flaw on a server and exploit it. Exploiting the buffer memory by overwhelming it with unexpected values usually renders the system inoperable, creating a DoS attack. For example, a threat actor enters input that is larger than expected by the application running on a server. The application accepts the large amount of input and stores it in memory. The result is that it may consume the associated memory buffer and potentially overwrite adjacent memory, eventually corrupting the system and causing it to crash. An early example of using malformed packets was the Ping of Death. In this legacy attack, the threat actor sent a ping of death, which was an echo request in an IP packet larger than the maximum packet size of 65,535 bytes. The receiving host would not be able to handle a packet of that size and it would crash. Buffer overflow attacks are continually evolving. For instance, a remote denial of service attack vulnerability was recently discovered in Microsoft Windows 10. Specifically, a threat actor created malicious code to access out-of-scope memory. When this code is accessed by the Windows AHCACHE.SYS process, it attempts to trigger a system crash, denying service to the user. Search the Internet on "TALOS-2016-0191 blog" to go to the Cisco Talos threat intelligence website and read a description of such an attack. Note: It is estimated that one third of malicious attacks are the result of buffer overflows.

Maliciously Formatted Packets

The threat actor sends a maliciously formatted packet to a host or application and the receiver is unable to handle it. This causes the receiving device to run very slowly or crash.

Overwhelming Quantity of Traffic

The threat actor sends an enormous quantity of data at a rate that the network, host, or application cannot handle. This causes transmission and response times to slow down. It can also crash a device or service.

2.3.8 Other Malware

These are some examples of the varieties of modern malware: This list will continue to grow as the internet evolves. New malware will always be developed. A major goal of cybersecurity operations is to learn about new malware and how to promptly mitigate it.

Vulnerability Exploitation Tools

These tools identify whether a remote host is vulnerable to a security attack. Examples of vulnerability exploitation tools include Metasploit, Core Impact, Sqlmap, Social Engineer Tool Kit, and Netsparker.

Encryption tools

These tools safeguard the contents of an organization's data when it is stored or transmitted. Encryption tools use algorithm schemes to encode the data to prevent unauthorized access to the data. Examples of these tools include VeraCrypt, CipherShed, Open SSH, OpenSSL, OpenVPN, and Stunnel.

Vulnerability Scanners

These tools scan a network or system to identify open ports. They can also be used to scan for known vulnerabilities and scan VMs, BYOD devices, and client databases. Examples of these tools include Nipper, Securia PSI, Core Impact, Nessus, SAINT, and Open VAS.

1. In what way are zombies used in security attacks?

They are infected machines that carry out a DDoS attack.

Protocol-level misinterpretation

This evasion technique occurs when network defenses do not properly handle features of a PDU like a checksum or TTL value. This can trick a firewall into ignoring packets that it should check.

Traffic fragmentation

This evasion technique splits a malicious payload into smaller packets to bypass network security detection. After the fragmented packets bypass the security detection system, the malware is reassembled and may begin sending sensitive data out of the network.

Encryption and tunneling

This evasion technique uses tunneling to hide, or encryption to scramble, malware files. This makes it difficult for many security detection techniques to detect and identify the malware. Tunneling can mean hiding stolen data inside of legitimate packets.

Run vulnerability scanners

This is to query the identified ports to determine the type and version of the application and operating system that is running on the host. Examples of tools include Nipper, Secuna PSI, Core Impact, Nessus v6, SAINT, and Open VAS.

Initiate a port scan of active IP addresses

This is used to determine which ports or services are available. Examples of port scanners include Nmap, SuperScan, Angry IP Scanner, and NetScanTools.

Shoulder surfing

This is where a threat actor inconspicuously looks over someone's shoulder to steal their passwords or other information.

Tailgating

This is where a threat actor quickly follows an authorized person into a secure location to gain access to a secure area.

Dumpster diving

This is where a threat actor rummages through trash bins to discover confidential documents.

Risk reduction

This reduces exposure to risk or reducing the impact of risk by taking action to decrease the risk. It is the most commonly used risk mitigation strategy. This strategy requires careful evaluation of the costs of loss, the mitigation strategy, and the benefits gained from the operation or activity that is at risk.

Handlers

This refers to a primary command-and-control (CnC or C2) server controlling groups of zombies. The originator of a botnet can use Internet Relay Chat (IRC) or a web server on the C2 server to remotely control the zombies.

2.2.3 Categories of Attacks

Threat actors can use the previously mentioned tools or a combination of tools to create various attacks. The table displays common types of attacks. However, the list of attacks is not exhaustive as new ways to attack networks are continually being discovered. It is important to understand that threat actors use a variety of security tools to carry out these attacks.

2.1.5 Cybersecurity Tasks

Threat actors do not discriminate. They target the vulnerable end devices of home users and small-to-medium sized businesses, as well as large public and private organizations. To make the internet and networks safer and more secure, we must all develop good cybersecurity awareness. Cybersecurity is a shared responsibility which all users must practice. For example, we must report cybercrime to the appropriate authorities, be aware of potential threats in email and the web, and guard important information from theft. Organizations must take action and protect their assets, users, and customers. They must develop and practice cybersecurity tasks such as those listed in the figure. Cybersecurity checklist: Trustworthy IT vendor Security software up-to-date Regular penetration tests Backup to cloud and hard disk Periodically change WIFI password Security policy up-to-date Enforce use of strong passwords Two factor authentication

2.3.7 Ransomware

Threat actors have used viruses, worms, and Trojan horses to carry their payloads and for other malicious reasons. However, malware continues to evolve. Currently, the most dominating malware is ransomware. Ransomware is malware that denies access to the infected computer system or its data. The cybercriminals then demand payment to release the computer system. Ransomware has evolved to become the most profitable malware type in history. In the first half of 2016, ransomware campaigns targeting both individual and enterprise users became more widespread and potent. There are dozens of ransomware variants. Ransomware frequently uses an encryption algorithm to encrypt system files and data. The majority of known ransomware encryption algorithms cannot be easily decrypted, leaving victims with little option but to pay the asking price. Payments are typically paid in Bitcoin because users of bitcoin can remain anonymous. Bitcoin is an open-source, digital currency that nobody owns or controls. Email and malicious advertising, also known as malvertising, are vectors for ransomware campaigns. Social engineering is also used, as when cybercriminals who identify themselves as security technicians call homes and persuade users to connect to a website that downloads the ransomware to the user's computer.

2.5.6 Evasion Methods

Threat actors learned long ago that "to hide is to thrive". This means their malware and attack methods are most effective when they are undetected. For this reason, many attacks use stealthy evasion techniques to disguise an attack payload. Their goal is to prevent detection by evading network and host defenses. Some of the evasion methods used by threat actors include: New attack methods are constantly being developed. Network security personnel must be aware of the latest attack methods in order to detect them.

4. Why would a rootkit be used by a hacker?

To gain access to a device without being detected.

Enabling vulnerability

A worm installs itself using an exploit mechanism, such as an email attachment, an executable file, or a Trojan horse, on a vulnerable system.

Eavesdropping Attack

An eavesdropping attack is when a threat actor captures and listens to network traffic. This attack is also referred to as sniffing or snooping.

Phishing

Attempts to convince people to divulge sensitive information. Examples include receiving an email from their bank asking users to divulge their account and PIN numbers.

Bots

Bots are malware that is designed to infect a host and communicate with a handler system. Bots can also log keystrokes, gather passwords, capture and analyze packets, and more.

3. Which two statements describe access attacks? (Choose two.)

Buffer overflow attacks write data beyond the allocated buffer memory to overwrite valid data or to exploit systems to execute malicious code. Password attacks can be implemented by the use of brute-force attack methods, Trojan horses, or packet sniffers.

Destructive

Corrupts or deletes files.

Cybercriminals

Cybercriminal is a term for black hat hackers who are either self-employed or working for large cybercrime organizations. Each year, cyber criminals are responsible for stealing billions of dollars from consumers and businesses.

2. In what type of attack can threat actors change the data in packets without the knowledge of the sender or receiver?

Data Modification

Data Modification Attack

Data modification attacks occur when a threat actor has captured enterprise traffic and has altered the data in the packets without the knowledge of the sender or receiver.

Debuggers

Debugger tools are used by black hats to reverse engineer binary files when writing exploits. They are also used by white hats when analyzing malware. Debugging tools include GDB, WinDbg, IDA Pro, and Immunity Debugger.

European Union Agency for Cybersecurity (ENISA)

Delivers advice and solutions for the cybersecurity challenges of the EU member states. ENISA fills a role in Europe that is similar to the role of CISA in the US.

Adware

Displays annoying pop-ups to generate revenue for its author. The malware may analyze user interests by tracking the websites visited. It can then send pop-up advertising pertinent to those sites.

12. In what type of attack is a cybercriminal attempting to prevent legitimate users from accessing network services?

DoS

7. What type of attack prevents the normal use of a computer or network by valid users?

DoS

5. In what type of attack does a threat attacker attach to the network and read communications from network users?

Eavesdropping

Remote-access

Enables unauthorized remote access.

Indicators of Attack (IOA)

Focus more on the motivation behind an attack and the potential means by which threat actors have, or will, compromise vulnerabilities to gain access to assets. IOAs are concerned with the strategies that are used by attackers. For this reason, rather than informing response to a single threat, IOAs can help generate a proactive security approach. This is because strategies can be reused in multiple contexts and multiple attacks. Defending against a strategy can therefore prevent future attacks that utilize the same, or similar strategy.

I hacked into ATM machines without the manufacturer's authorization and discovered several vulnerabilities. I then contacted the ATM manufacturer to share my findings with them.

Gray Hat

Hacking Operating Systems

Hacking operating systems are specially designed operating systems preloaded with tools and technologies optimized for hacking. Examples of specially designed hacking operating systems include Kali Linux, SELinux, Knoppix, Parrot OS, and BackBox Linux.

6. A threat actor constructs IP packets that appear to come from a valid source within the corporate network. What type of attack is this?

IP Address Spoofing

Buffer Overflow Attacks

In a buffer overflow attack, the threat actor exploits the buffer memory and overwhelms it with unexpected values. This usually renders the system inoperable, creating a DoS attack. The figure shows that the threat actor is sending many packets to the victim in an attempt to overflow the victim's buffer.

2.4.8 Lab - Social Engineering

In this lab, you will research examples of social engineering and identify ways to recognize and prevent it.

Rootkits

Installed on a compromised system. After it is installed, it continues to hide its intrusion and provide privileged access to the threat actor.

5. Which statement describes the term attack surface?

It is the total sum of vulnerabilities in a system that is accessible to an attacker.

3. Threat actors have positioned themselves between a source and destination to monitor, capture, and control communications without the knowledge of network users. What type of attack is this?

MiTM

Network Scanning and Hacking Tools

Network scanning tools are used to probe network devices, servers, and hosts for open TCP or UDP ports. Examples of scanning tools include Nmap, SuperScan, Angry IP Scanner, and NetScanTools.

Proxies

Network traffic can be redirected through intermediate systems in order to hide the ultimate destination for stolen data. In this way, known command-and-control not be blocked by an enterprise because the proxy destination appears benign. Additionally, if data is being stolen, the destination for the stolen data can be distributed among many proxies, thus not drawing attention to the fact that a single unknown destination is serving as the destination for large amounts of network traffic.

Packet Crafting Tools

Packet crafting tools are used to probe and test a firewall's robustness using specially crafted forged packets. Examples of such tools include Hping, Scapy, Socat, Yersinia, Netcat, Nping, and Nemesis.

Packet Sniffers

Packet sniffers tools are used to capture and analyze packets within traditional Ethernet LANs or WLANs. Tools include Wireshark, Tcpdump, Ettercap, Dsniff, EtherApe, Paros, Fiddler, Ratproxy, and SSLstrip.

1. Hackers have gained access to account information and can now login into a system with the same rights as authorized users. What type of attack is this?

Password-Based

Password-Based Attacks

Password-based attacks occur when a threat actor obtains the credentials for a valid user account. Threat actors then use that account to obtain lists of other users and network information. They could also change server and network configurations, and modify, reroute, or delete data.

Password Crackers

Passwords are the most vulnerable security threat. Password cracking tools are often referred to as password recovery tools and can be used to crack or recover the password. This is accomplished either by removing the original password, after bypassing the data encryption, or by outright discovery of the password. Password crackers repeatedly make guesses in order to crack the password and access the system. Examples of password cracking tools include John the Ripper, Ophcrack, L0phtCrack, THC Hydra, RainbowCrack, and Medusa.

4. What is the weakest link in network security?

People

Data-sending

Provides the threat actor with sensitive data, such as passwords.

3. What type of attack is port scanning?

Reconnaissance

6. Which risk management plan involves discontinuing an activity that creates a risk?

Risk Avoidance

7. What name is given to an amateur hacker?

Script Kiddie

Script Kiddies

Script kiddies emerged in the 1990s and refers to teenagers or inexperienced threat actors running existing scripts, tools, and exploits, to cause harm, but typically not for profit.

Traffic insertion

Similar to traffic substitution, but the threat actor inserts extra bytes of data in a malicious sequence of data. The IPS rules miss the malicious data, accepting the full sequence of data.

10. A user receives a phone call from a person who claims to represent IT services and then asks that user for confirmation of username and password for auditing purposes. Which security threat does this phone call represent?

Social Engineering

2.4.6 Social Engineering Attacks

Social engineering is an access attack that attempts to manipulate individuals into performing actions or divulging confidential information. Some social engineering techniques are performed in-person while others may use the telephone or internet. Social engineers often rely on people's willingness to be helpful. They also prey on people's weaknesses. For example, a threat actor could call an authorized employee with an urgent problem that requires immediate network access. The threat actor could appeal to the employee's vanity, invoke authority using name-dropping techniques, or appeal to the employee's greed. Information about social engineering techniques is shown in the table. Enterprises must educate their users about the risks of social engineering, and develop strategies to validate identities over the phone, via email, or in person. The figure shows recommended practices that should be followed by all users. Recommended Social Engineering Protection Practices Protecting against social engineering attacks. Never give your username / password credentials to anyone. Always destroy confidential information according to the organization policy. Always report suspicious individuals. Always lock or sign out of your computer when unattended. Never re-use work related passwords. Never release work related information on social media sites. Never open emails from untrusted sources. Never leave your username/ password credentials where they can easily be found.

State-Sponsored Hackers

State-Sponsored hackers are threat actors who steal government secrets, gather intelligence, and sabotage networks of foreign governments, terrorist groups, and corporations. Most countries in the world participate to some degree in state-sponsored hacking. Depending on a person's perspective, these are either white hat or black hat hackers.

Security software disabler

Stops antivirus programs or firewalls from functioning.

Countermeasure

The actions that are taken to protect assets by mitigating a threat or reducing risk.

Risk

The likelihood that a particular threat will exploit a particular vulnerability of an asset and result in an undesirable consequence.

Exploit

The mechanism that is used to leverage a vulnerability to compromise an asset. Exploits may be remote or local. A remote exploit is one that works over the network without any prior access to the target system. The attacker does not need an account in the end system to exploit the vulnerability. In a local exploit, the threat actor has some type of user or administrative access to the end system. A local exploit does not necessarily mean that the attacker has physical access to the end system.

Impact

The potential damage to the organization that is caused by the threat.

2.3.3 Trojan Horses

The term Trojan horse originated from Greek mythology. Greek warriors offered the people of Troy (the Trojans) a giant hollow horse as a gift. The Trojans brought the giant horse into their walled city, unaware that it contained many Greek warriors. At night, after most Trojans were asleep, the warriors burst out of the horse, opened the city gates, and allowed a sizeable force to enter and take over the city. Trojan horse malware is software that appears to be legitimate, but it contains malicious code which exploits the privileges of the user that runs it, as shown in the figure. Often, Trojans are found attached to online games. Users are commonly tricked into loading and executing the Trojan horse on their systems. While playing the game, the user will not notice a problem. In the background, the Trojan horse has been installed on the user's system. The malicious code from the Trojan horse continues operating even after the game has been closed. The Trojan horse concept is flexible. It can cause immediate damage, provide remote access to the system, or access through a back door. It can also perform actions as instructed remotely, such as "send me the password file once per week." This tendency of malware to send data back to the cybercriminal highlights the need to monitor outbound traffic for attack indicators. Custom-written Trojan horses, such as those with a specific target, are difficult to detect.

Run exploitation tools

The threat actor now attempts to discover vulnerable services that can be exploited. A variety of vulnerability exploitation tools exist including Metasploit, Core Impact, Sqlmap, Social Engineer Toolkit, and Netsparker.

Threat Actor Tools 2.2.1 Introduction of Attack Tools

To exploit a vulnerability, a threat actor must have a technique or tool. Over the years, attack tools have become more sophisticated, and highly automated. These new tools require less technical knowledge to implement. In the figure, drag the white circle across the timeline to view the relationship between the sophistication of attack tools versus the technical knowledge required to use them. Sophistication of Attack Tools vs. Technical Knowledge

9. Which two characteristics describe a worm? (Choose two.)

Travels to new computers without any intervention or knowledge of the user. Is self-replicating.

2.3.4 Trojan Horse Classification

Trojan horses are usually classified according to the damage that they cause, or the manner in which they breach a system, as shown in the table.

Spyware

Used to gather information about a user and send the information to another entity without the user's consent. Spyware can be a system monitor, Trojan horse, Adware, tracking cookies, and key loggers.

Vulnerability Brokers

Vulnerability brokers typically refers to gray hat hackers who attempt to discover exploits and report them to vendors, sometimes for prizes or rewards.

Who is Attacking Our Network? 2.1.1 Threat, Vulnerability, and Risk

We are under attack and attackers want access to our assets. Assets are anything of value to an organization, such as data and other intellectual property, servers, computers, smart phones, tablets, and more. To better understand any discussion of network security, it is important to know the following terms: Threat Vulnerability Attack surface Exploit Risk Risk management is the process that balances the operational costs of providing protective measures with the gains achieved by protecting the asset. There are four common ways to manage risk, as shown in the table: Risk acceptance Risk avoidance Risk reduction Risk transfer Other commonly used network security terms include: Countermeasure Impact Note: A local exploit requires inside network access such as a user with an account on the network. A remote exploit does not require an account on the network to exploit that network's vulnerability.

During my research for security exploits, I stumbled across a security vulnerability on a corporate network that I am authorized to access.

White Hat

I am working with technology companies to fix a flaw with DNS.

White Hat

My job is to identify weaknesses in the computer system in my company.

White Hat

Forensic Tools

White hat hackers use forensic tools to sniff out any trace of evidence existing in a particular computer system. Example of tools include Sleuth Kit, Helix, Maltego, and Encase.

Network Threats Summary 2.6.1 What Did I Learn in this Module?

Who is Attacking Our Network? Understanding network security requires you to understand the following terms: threat, vulnerability, attack surface, exploit, and risk. Risk management is the process that balances the operational costs of providing protective measures with the gains achieved by protecting the asset. Four common ways to manage risk are risk acceptance, risk avoidance, risk reduction, and risk transfer. Hacker is a term used to describe a threat actor. White hat hackers are ethical hackers using their skills for good, ethical, and legal purposes. Grey hat hackers are individuals who commit crimes and do unethical things, but not for personal gain or to cause damage. Black hat hackers are criminals who violate computer and network security for personal gain, or for malicious reasons, such as attacking networks. Threat actors include script kiddies, vulnerability brokers, hacktivists, cybercriminals, and state-sponsored hackers. Many network attacks can be prevented by sharing information about IOCs. Many governments are promoting cybersecurity. CISA and NCSA are examples of such organizations. Introduction of Attack Tools Threat actors use a technique or tool. Attack tools have become more sophisticated, and highly automated. Many of the tools are Linux or UNIX based and a knowledge of these are useful to a cybersecurity professional. Tools include password crackers, wireless hacking tools, network security scanning and hacking tools, packet crafting tools, packet crafting tools, packet sniffers, rootkit detectors, fuzzers to search vulnerabilities, forensic tools, debuggers, hacking operating systems, encryption tools, vulnerability exploitation tools, and vulnerability scanners. Categories of attacks include eavesdropping attacks, data modification attacks, IP address spoofing attacks, password-based attacks, denial-of-service attacks, man-in the-middle attacks, compromised key attacks, and sniffer attacks. Malware Malware is short for malicious software or malicious code. Threat actors frequently try to trick users into installing malware to help exploit end device vulnerabilities. Often antimalware software cannot be updated quickly enough to stop new threats. Three common types are virus, worm, and Trojan horse. A virus is a type of malware that spreads by inserting a copy of itself into another program. Most viruses are spread through USB memory drives, CDs, DVDs, network shares, and email. Trojan horse malware is software that appears to be legitimate, but it contains malicious code that exploits the privileges of the user that runs it. Often, Trojans are found on online games. Trojan horses are usually classified according to the damage they cause. Types of Trojan horses include remote-access, data-sending, destructive, proxy, FTP, security software disabler, DoS, and keylogger. Worms are similar to viruses because they replicate and can cause the same type of damage. Viruses require a host program to run. Worms can run themselves. Most worm attacks consist of three components: enabling vulnerability, propagation mechanism, and payload. Currently, ransomware is the most dominant malware. It denies access to the infected system or its data. The cybercriminals then demand payment to release the computer system. Other malware examples include spyware, adware, scareware, phishing, and rootkits. Common Network Attacks - Reconnaissance, Access, and Social Engineering Threat actors can also attack the network from outside. To mitigate attacks, it is useful to categorize the various types of attacks. The three major categories are reconnaissance, access, and DoS attacks. Reconnaissance is information gathering. Threat actors do unauthorized discovery and mapping of systems, services, or vulnerabilities. Recon attacks precede access or DoS attacks. Some of the techniques used include the following: performing an information query of a target, initiating a ping sweep of the target network, initiating a port scan of active IP addresses, running vulnerability scanners, and running exploitation tools. Access attacks exploit known vulnerabilities in authentication services, FTP services, and web services. These attacks include password attacks, spoofing attacks, trust exploitation attacks, port redirections, man-in-the-middle attacks, and buffer overflow attacks. Social engineering is an access attack that attempts to manipulate individuals into performing unsafe actions or divulging confidential information. These attacks include pretexting, phishing, spear phishing, spam, something for something, baiting, impersonation, tailgating, shoulder surfing, and dumpster diving. Network Attacks - Denial of Service, Buffer Overflows, and Evasion DoS attacks create some sort of interruption of network services to users, devices, or applications. There are two major types: overwhelming quantity of traffic, and maliciously formatted packets. DDoS attacks are similar in intent to DoS attacks, except that the DDoS attack increases in magnitude because it originates from multiple, coordinated sources. The following terms are used to describe DDoS attacks: zombies, bots, botnet, handlers, and botmaster. Mirai is malware that targets IoT devices configured with default login information. Mirai uses a brute force dictionary attack. After successful access, Mirai targets the Linux-based BusyBox utilities that are designed for these devices. The goal of a threat actor when using a buffer overflow DoS attack is to find a system memory-related flaw on a server and exploit it. Exploiting the buffer memory by overwhelming it with unexpected values usually renders the system inoperable, creating a DoS attack. Many attacks use stealthy evasion techniques to disguise an attack payload. Evasion methods include encrypting and tunneling, resource exhaustion, traffic fragmentation, protocol-level misinterpretation, traffic substitution, traffic insertion, pivoting, rootkits, and proxies.

Wireless Hacking Tools

Wireless networks are more susceptible to network security threats. Wireless hacking tools are used to intentionally hack into a wireless network to detect security vulnerabilities. Examples of wireless hacking tools include Aircrack-ng, Kismet, InSSIDer, KisMAC, Firesheep, and NetStumbler.

2. What type of malware typically displays annoying pop-ups to generate revenue for its author?

adware

4. What type of malware attempts to convince people to divulge their personally identifable information (PII)?

phishing

1. What type of malware executes arbitrary code and installs copies of itself in the memory of the infected computer? The main purpose of this malware is to automatically replicate from system to system across the network.

worm