Module 1c: Cybersecurity Threats, Vulnerabilities and Attacks


Defending Against Attacks

- Configure firewalls to drop any packet arriving from outside the network whose source address claims it originated inside the network (ingress filtering; the matching egress rule stops your own hosts from sending spoofed traffic).
- Ensure patches and upgrades are current.
- Distribute the workload across server systems.
- Network devices use Internet Control Message Protocol (ICMP) packets to send error and control messages, such as whether or not a device can communicate with another on the network. To limit DoS and DDoS attacks, organizations can block or rate-limit ICMP from outside at the firewall. Note that dropping all ICMP also discards the "fragmentation needed" messages that path MTU discovery relies on, so rate-limiting or filtering by ICMP type is usually preferable to a blanket block.
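The first bullet is the anti-spoofing (BCP 38 / RFC 2827 style) rule. The following is an added example, not part of the course material, showing that rule as a small packet filter in Python: packets from the Internet that claim an internal source, packets leaving the site with a foreign source, and bogon sources are all dropped. The internal prefixes and the sample packets are constructed for the example; it also illustrates the IP spoofing entry later on this page.

```python
"""Added example: ingress/egress anti-spoofing filter (BCP 38 style).
Prefixes and packet records are constructed for the example."""
import ipaddress

# Hypothetical internal prefixes for the example site.
INTERNAL_PREFIXES = [ipaddress.ip_network(p) for p in ("10.0.0.0/8", "192.168.1.0/24")]
# Addresses that must never appear as a source on a public link.
BOGON_PREFIXES = [ipaddress.ip_network(p) for p in ("127.0.0.0/8", "0.0.0.0/8", "169.254.0.0/16")]


def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_PREFIXES)


def is_bogon(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in BOGON_PREFIXES)


def filter_packet(direction, src, dst):
    """Return 'accept' or a 'drop:<reason>' verdict for one packet.

    direction is 'in' (arrived from the Internet) or 'out' (leaving the site);
    dst is carried along only so the record reads like a real flow entry.
    """
    if is_bogon(src):
        return "drop:bogon-source"
    if direction == "in" and is_internal(src):
        return "drop:spoofed-internal-source"   # Internet packet claiming to be us
    if direction == "out" and not is_internal(src):
        return "drop:egress-spoof"              # our host sending with a foreign source
    return "accept"


# Constructed sample packets: (direction, source, destination).
SAMPLE = [
    ("in", "203.0.113.7", "192.168.1.10"),     # normal inbound
    ("in", "192.168.1.25", "192.168.1.10"),    # spoofed: claims an internal source
    ("in", "127.0.0.1", "192.168.1.10"),       # bogon source
    ("out", "192.168.1.10", "198.51.100.4"),   # normal outbound
    ("out", "8.8.8.8", "198.51.100.4"),        # compromised host spoofing its source
]


def run(samples=SAMPLE):
    return [filter_packet(*pkt) for pkt in samples]


if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE, run()):
        print(pkt, "->", verdict)
```

The same two checks map directly onto firewall rules on the border router; the egress rule is the one most sites forget, and it is what keeps your network from being used as a source in someone else's DDoS.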

Distributed (DDoS)

1. An attacker builds a network (botnet) of infected hosts called zombies, which are controlled by handler (command-and-control) systems.
2. The zombie computers constantly scan and infect more hosts, creating more and more zombies.
3. When ready, the attacker instructs the handler systems to make the botnet of zombies carry out a DDoS attack.

maliciously formatted packets

A packet is a unit of data that flows between a source and a receiving computer or application over a network such as the Internet. A maliciously formatted packet is one whose headers or contents violate what the receiving software expects (for example, length fields that disagree with the bytes actually sent). If the receiver trusts those fields without checking, parsing the packet can make the device or application run very slowly or crash.
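As an added example (not from the course), here is an IPv4 header parser written twice: a trusting version that believes the length fields, and a defensive one that validates them first. The sample packets are constructed with a helper that can deliberately set the IHL, total length or version wrong, so the difference between "silently accepts garbage", "crashes" and "rejects cleanly" can be seen.

```python
"""Added example: naive vs defensive IPv4 header parsing.
All packets are constructed in this file."""
import struct

IPV4_MIN_HEADER = 20


def parse_ipv4_naive(data):
    """Trusting parser: believes whatever the length fields say (a fragile stack)."""
    version_ihl, _tos, total_len = struct.unpack_from("!BBH", data, 0)
    ihl = (version_ihl & 0x0F) * 4
    return {"ihl": ihl, "total_len": total_len, "proto": data[9],
            "payload": bytes(data[ihl:total_len])}


def parse_ipv4(data):
    """Defensive parser: validates every field it relies on before using it."""
    if len(data) < IPV4_MIN_HEADER:
        raise ValueError(f"truncated: {len(data)} bytes, header needs {IPV4_MIN_HEADER}")
    version_ihl, _tos, total_len = struct.unpack_from("!BBH", data, 0)
    version, ihl = version_ihl >> 4, (version_ihl & 0x0F) * 4
    if version != 4:
        raise ValueError(f"version {version} is not IPv4")
    if ihl < IPV4_MIN_HEADER:
        raise ValueError(f"IHL {ihl} below minimum header length")
    if ihl > len(data):
        raise ValueError("IHL points past the received bytes")
    if total_len < ihl or total_len > len(data):
        raise ValueError(f"total length {total_len} inconsistent with header {ihl} / received {len(data)}")
    return {"ihl": ihl, "total_len": total_len, "proto": data[9],
            "src": ".".join(map(str, data[12:16])), "dst": ".".join(map(str, data[16:20])),
            "payload": bytes(data[ihl:total_len])}


def build_ipv4(payload, ihl_words=5, total_len=None, version=4):
    """Build a 20-byte header plus payload; length/version fields can be set wrong on purpose."""
    if total_len is None:
        total_len = IPV4_MIN_HEADER + len(payload)
    header = struct.pack("!BBHHHBBH4s4s", (version << 4) | ihl_words, 0, total_len,
                         0x1234, 0x4000, 64, 6, 0,
                         bytes([192, 0, 2, 1]), bytes([198, 51, 100, 2]))
    return header + payload


# Constructed samples: one well-formed packet and four malformed ones.
SAMPLES = {
    "good":      build_ipv4(b"hello"),
    "ihl_zero":  build_ipv4(b"hello", ihl_words=0),      # header claims zero length
    "oversize":  build_ipv4(b"hello", total_len=65535),  # claims far more data than sent
    "truncated": build_ipv4(b"")[:8],                    # cut off mid-header
    "version6":  build_ipv4(b"hello", version=6),        # wrong version in an IPv4 frame
}


def verdict(parser, data):
    """Summarise how a parser copes with one packet."""
    try:
        parser(data)
        return "accepted"
    except ValueError as exc:
        return f"rejected ({exc})"
    except Exception as exc:          # anything else is the "crash" the text describes
        return f"crashed ({type(exc).__name__})"


if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:10} naive: {verdict(parse_ipv4_naive, pkt):22} defensive: {verdict(parse_ipv4, pkt)}")
```

The naive parser crashes on the truncated packet and happily accepts the other malformed ones, which is exactly how a real stack ends up reading past buffers or walking off the end of a frame; the defensive parser fails closed with a reason that can be logged.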

Man in the Middle/Man in the Mobile attack

Attackers intercept, and may modify, communications between two devices in order to steal information or to impersonate one of the devices. Man-in-the-Mobile (MitMo) is the same attack carried out by malware running on a mobile device, for instance to capture the SMS verification codes sent to it.

Several employees at @Apollo have reported performance issues on their computers, with applications running slow and notable popup ads appearing. Guru has asked you to investigate. You consult a network monitoring tool, which also reveals abnormal traffic on the network. Based on your findings, what type of attack do you think @Apollo might be involved with?
A. DoS attack
B. DNS attack
C. DDoS attack
D. Layer 2 attack

C. DDoS attack

You have just received an email from @Apollo's HR department asking you to add your bank account details to your file by clicking on a link in the email. It stresses that this must be completed by the end of the day for you to be included in this month's payroll. Although the email looks like it has been sent internally, closer inspection reveals a slight variation in the email domain of the sender's address. You could be a victim of what type of attack?
A. Trojan horse
B. Domain hijacking
C. Impersonation
D. Man-in-the-middle

C. Impersonation

MAC Flooding

Devices on a network are connected through a switch, which keeps a table (the CAM or MAC address table) mapping each MAC address to the port it was learned on and forwards each frame only to the destination's port. In a MAC flooding attack the attacker sends a stream of frames with fake source MAC addresses until that table is full. Entries for legitimate hosts are pushed out and the switch falls back to flooding frames out of every port like a hub, so the attacker can capture traffic that was never meant for them. Port security (limiting the number of MAC addresses learned on a port) is the usual countermeasure.
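The following is an added example, not part of the course: a toy switch whose CAM table holds a fixed number of entries, an attacker on one port sourcing a thousand fake MAC addresses, and the same run with port security enabled. The MAC addresses and port numbers are constructed for the example.

```python
"""Added example: MAC flooding against a toy switch, with and without port security."""
from collections import OrderedDict


class Switch:
    """CAM table with a fixed number of entries; the oldest entry is replaced when the
    table is full (a stand-in for ageing).  With port security on, a port that sources
    more than max_macs_per_port addresses is shut down (err-disabled)."""

    def __init__(self, cam_capacity=8, max_macs_per_port=None):
        self.cam = OrderedDict()          # source MAC -> port
        self.capacity = cam_capacity
        self.max_per_port = max_macs_per_port
        self.shutdown = set()
        self.flooded = 0

    def _learn(self, mac, port):
        if mac in self.cam:
            self.cam.move_to_end(mac)
            self.cam[mac] = port
            return
        if self.max_per_port is not None:
            on_port = sum(1 for p in self.cam.values() if p == port)
            if on_port >= self.max_per_port:
                self.shutdown.add(port)   # port-security violation
                return
        if len(self.cam) >= self.capacity:
            self.cam.popitem(last=False)  # evict oldest: victims' entries get pushed out
        self.cam[mac] = port

    def frame(self, src, dst, in_port):
        if in_port in self.shutdown:
            return "dropped"
        self._learn(src, in_port)
        if in_port in self.shutdown:
            return "dropped"
        out_port = self.cam.get(dst)
        if out_port is None:
            self.flooded += 1
            return "flooded"              # unknown destination: sent out every port
        return f"port{out_port}"


def simulate(port_security):
    """Two hosts talk, an attacker floods from port 3, then host A sends to B again."""
    sw = Switch(cam_capacity=8, max_macs_per_port=2 if port_security else None)
    host_a, host_b, bcast = "aa:aa:aa:aa:aa:01", "bb:bb:bb:bb:bb:02", "ff:ff:ff:ff:ff:ff"
    sw.frame(host_a, host_b, 1)           # B not learned yet: flooded once, normal
    sw.frame(host_b, host_a, 2)           # B learned on port 2, delivered to port 1
    for i in range(1000):                 # attacker on port 3: 1000 fake source MACs
        fake = "02:00:00:%02x:%02x:%02x" % ((i >> 16) & 0xFF, (i >> 8) & 0xFF, i & 0xFF)
        sw.frame(fake, bcast, 3)
    return {
        "a_to_b": sw.frame(host_a, host_b, 1),   # "port2" if still switched, else "flooded"
        "attacker_port_shutdown": 3 in sw.shutdown,
        "cam_entries": len(sw.cam),
    }


if __name__ == "__main__":
    print("no port security:", simulate(False))
    print("port security   :", simulate(True))
```

Without port security the attacker's addresses have evicted B's entry, so A's traffic to B is flooded to every port including the attacker's; with a two-address limit the attacker's port is shut down on the third fake address and A to B stays switched.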

Domain reputation

The Domain Name System (DNS) translates a domain name, such as www.cisco.com, into the numerical IP address that computers use to reach it. If a DNS server does not know an address, it asks another DNS server. An organization needs to monitor the reputation of its own domains and IP addresses (whether they appear on spam or malware blocklists), and watch for lookalike domains, to help protect against malicious external domains and against its own name being abused.

denial of service attack: Overwhelming quantity of traffic

This is when a network, host or application is sent an enormous amount of data at a rate which it cannot handle. This causes a slowdown in transmission or response, or the device or service to crash.
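As an added example (not from the course), the detector below counts requests per one-second window and, for windows above a threshold, looks at how the load is spread across sources: one dominant source is the single-origin DoS described here, while hundreds of small contributors is the botnet pattern from the DDoS entry above. The traffic records and the threshold are constructed for the example; in practice the threshold comes from a baseline of the service's normal traffic.

```python
"""Added example: telling a volumetric DoS from a DDoS by source distribution.
All traffic records are constructed."""
from collections import Counter, defaultdict


def classify_windows(records, window=1.0, threshold=200, dominance=0.5):
    """records: iterable of (timestamp_seconds, source_ip) for requests to one service.
    Returns {window_index: label} with label 'normal', 'dos-single-source' or
    'ddos-distributed'.  threshold is the per-window request count that is
    overwhelming for this service; dominance is the share one source must hold
    for the flood to count as single-origin."""
    buckets = defaultdict(Counter)
    for ts, src in records:
        buckets[int(ts // window)][src] += 1
    verdicts = {}
    for idx in sorted(buckets):
        sources = buckets[idx]
        total = sum(sources.values())
        if total < threshold:
            verdicts[idx] = "normal"
            continue
        top_share = sources.most_common(1)[0][1] / total
        # One source dominating the flood can be blocked at the edge; hundreds of
        # small contributors need rate-based or upstream defences instead.
        verdicts[idx] = "dos-single-source" if top_share >= dominance else "ddos-distributed"
    return verdicts


def constructed_traffic():
    """Second 0: background. Second 1: one host hammering. Second 2: 400 zombies."""
    recs = []
    for i in range(5):                              # 5 clients, 4 requests each
        for k in range(4):
            recs.append((0.0 + k * 0.2, f"198.51.100.{i + 1}"))
    for k in range(500):                            # single attacker, 500 requests
        recs.append((1.0 + k / 500, "203.0.113.9"))
    for i in range(5):                              # background continues underneath
        recs.append((1.5, f"198.51.100.{i + 1}"))
    for z in range(400):                            # 400 zombies, 2 requests each
        for k in range(2):
            recs.append((2.0 + (z * 2 + k) / 800, f"10.{z // 256}.{z % 256}.7"))
    return recs


if __name__ == "__main__":
    for idx, label in classify_windows(constructed_traffic()).items():
        print(f"second {idx}: {label}")
```

A flash crowd (a legitimately popular link) also shows up as "ddos-distributed" by this measure, so the label is a trigger for investigation and rate limiting, not proof of attack on its own.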

Ransomware

This malware is designed to hold a computer system or the data it contains captive until a payment is made. Ransomware usually works by encrypting your data so that you cannot access it. According to ransomware claims, once the ransom is paid via an untraceable payment system, the cybercriminal will supply a program that decrypts the files or send an unlock code — but in reality, many victims do not gain access to their data even after they have paid.

Domain hijacking attack

When an attacker wrongfully gains control of a target's DNS information, they can make unauthorized changes to it. The most common way of hijacking a domain name is to change the administrator's contact email address through social engineering or by hacking into the administrator's email account. The administrator's email address can be easily found via the WHOIS record for the domain, which is of public record.

Keyboard Logging

A software program that records or logs the keystrokes of the user of the system. Cybercriminals log keystrokes via software installed on a computer system or through hardware devices that are physically attached to a computer, and configure the keylogger software to send the log file to the criminal. Because it has recorded all keystrokes, this log file can reveal usernames, passwords, websites visited and other sensitive information.

Malware

Code that can be used to steal data, bypass access controls or cause harm to or compromise a system.

zero-day attack

Exploits software vulnerabilities before they become known or before they are disclosed by the software vendor. A network is extremely vulnerable to attack between the time an exploit is discovered (zero hour) and the time it takes for the software vendor to develop and release a patch that fixes the vulnerability. Defending against such fast-moving attacks requires network security professionals to adopt a more sophisticated and holistic view of the network architecture, relying on layered controls and detection rather than on patching alone.

logic bomb

A malicious program that waits for a trigger, such as a specified date or database entry, to set off the malicious code. Until this trigger event happens, the logic bomb remains inactive. Once activated, a logic bomb executes code that harms the computer in various ways: it can sabotage database records, erase files and attack operating systems or applications.

Worms

A malicious software program that replicates by independently exploiting vulnerabilities in networks. Unlike a virus, which requires a host program to run, worms can run by themselves. Other than the initial infection of the host, they do not require user participation and can spread very quickly over the network, usually slowing it down. Worms share similar patterns: they exploit system vulnerabilities, they have a way to propagate themselves and they all contain malicious code (a payload) to cause damage to computer systems or networks.

Trojan Horse

Malware that carries out malicious operations by masking its true intent. It might appear legitimate but is, in fact, very dangerous. Trojans run with the privileges of the user who launches them, which is why least privilege limits the damage they can do. Unlike viruses, Trojans do not self-replicate; they are often disguised as, or bound to, seemingly harmless files such as images, audio or video, acting as a decoy to get unsuspecting users to run them.

DNS spoofing

DNS spoofing, or DNS cache poisoning, is an attack in which false records are introduced into a DNS resolver's cache, the store of recently received answers that lets the resolver reply without asking upstream again. An attacker forges a response that the resolver accepts as genuine (classically by guessing the 16-bit transaction ID while the query is still outstanding), after which every client of that resolver is directed to the attacker's address for the affected domain until the bogus record expires.
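The following is an added example, not part of the course: a toy resolver that can be run in three modes (accept any answer for a pending name, check only the 16-bit transaction ID with a fixed source port, or check the transaction ID and a randomised source port), with an attacker racing the genuine response by enumerating transaction IDs. Names, addresses and the port number are constructed for the example.

```python
"""Added example: why transaction-ID and source-port checks matter against DNS cache poisoning.
Names, addresses and ports are constructed."""
import random

LEGIT_IP = "198.51.100.10"
ATTACKER_IP = "203.0.113.66"
FIXED_PORT = 32768            # what a legacy resolver that never randomised ports would use
TARGET = "www.example.com"


class Resolver:
    """mode: 'none'      -> accept any answer for a name we are waiting on
             'txid'      -> require the 16-bit transaction ID to match (fixed source port)
             'txid+port' -> require transaction ID and a random source port to match"""

    def __init__(self, mode, rng=None):
        self.mode = mode
        self.rng = rng or random.Random()
        self.cache = {}
        self.pending = {}                       # qname -> (txid, source port)

    def send_query(self, qname):
        txid = self.rng.randrange(0, 1 << 16)
        sport = self.rng.randrange(1024, 1 << 16) if self.mode == "txid+port" else FIXED_PORT
        self.pending[qname] = (txid, sport)

    def receive(self, qname, txid, dport, name, address):
        """A response arrived; return True if it was accepted into the cache."""
        if qname not in self.pending:
            return False                        # unsolicited: ignore
        want_txid, want_port = self.pending[qname]
        if self.mode != "none" and (txid != want_txid or dport != want_port):
            return False
        if name != qname:                       # bailiwick: only cache the record we asked for
            return False
        self.cache[qname] = address
        del self.pending[qname]
        return True


def run_attack(mode, rng=None, attacker_budget=1 << 16):
    """Attacker floods forged answers guessing the txid (assuming the legacy port),
    then the genuine answer arrives.  Returns what ends up cached for TARGET."""
    resolver = Resolver(mode, rng)
    resolver.send_query(TARGET)
    for guess in range(attacker_budget):
        if resolver.receive(TARGET, guess, FIXED_PORT, TARGET, ATTACKER_IP):
            break
    if TARGET in resolver.pending:              # real answer carries the right txid and port
        txid, sport = resolver.pending[TARGET]
        resolver.receive(TARGET, txid, sport, TARGET, LEGIT_IP)
    return resolver.cache[TARGET]


if __name__ == "__main__":
    for mode in ("none", "txid", "txid+port"):
        print(f"{mode:10} -> cached {run_attack(mode)}")
```

With only a transaction ID to guess, 65,536 forged packets are enough to win the race every time; adding a random source port multiplies the search space by roughly 64,000, which is why port randomisation was the emergency fix for this class of attack and why DNSSEC validation is the durable one.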

Viruses

A type of computer program that, when executed, replicates and attaches itself to other files, such as a legitimate program, by inserting its own code into it. Some viruses are harmless, yet others can be destructive, such as those that modify or delete data. Most viruses require end-user interaction to initiate activation, and can be written to act on a specific date or time. Viruses can be spread through removable media such as USB flash drives, Internet downloads and email attachments. The simple act of opening a file or executing a specific program can trigger a virus. Once a virus is active, it will usually infect other programs on the computer or other computers on the network. Some viruses (polymorphic viruses) mutate their own code to avoid signature-based detection.

Spoofing

A type of impersonation attack that takes advantage of a trusted relationship between two systems.
- MAC address spoofing: an attacker changes their device's MAC address to that of a valid device on the network and can therefore bypass controls, such as port filters, that rely on it.
- ARP spoofing: an attacker sends forged ARP messages across a LAN, linking their own MAC address to the IP address of an authorized device (often the default gateway) so that traffic for that device reaches the attacker first. This is the usual way a man-in-the-middle position is obtained on a local network.
- IP spoofing: an attacker sends IP packets with a forged source address in order to disguise their origin or to impersonate a trusted host.
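As an added example (not from the course), here is an arpwatch-style monitor for the ARP spoofing entry above: it watches the ARP replies seen on a LAN, keeps the IP-to-MAC bindings it has learned, and raises an alert when a binding changes, when a trusted static binding (the gateway) is contradicted, or when one MAC starts answering for several IPs, which is what an attacker has to do to sit between a victim and the gateway. The addresses and the reply sequence are constructed for the example.

```python
"""Added example: detecting ARP spoofing from observed ARP replies.
Addresses and the reply sequence are constructed."""
from collections import defaultdict

GATEWAY_IP, GATEWAY_MAC = "192.168.1.1", "00:11:22:33:44:01"
HOST_IP, HOST_MAC = "192.168.1.20", "00:11:22:33:44:20"
ATTACKER_MAC = "de:ad:be:ef:00:01"
TRUSTED = {GATEWAY_IP: GATEWAY_MAC}       # static binding for the default gateway


def detect_arp_spoofing(replies, trusted=None, max_ips_per_mac=1):
    """replies: ordered (sender_ip, sender_mac) pairs taken from ARP replies on the wire.
    trusted: {ip: mac} bindings that must never change.  Returns a list of alert strings."""
    table = dict(trusted or {})
    ips_by_mac = defaultdict(set)
    alerts = []
    for ip, mac in replies:
        known = table.get(ip)
        if known is None:
            table[ip] = mac                   # first sighting of this IP: learn it
        elif known != mac:
            if trusted and ip in trusted:
                alerts.append(f"trusted binding violated: {ip} is {known}, reply claims {mac}")
            else:
                alerts.append(f"binding changed: {ip} was {known}, now {mac}")
                table[ip] = mac               # follow the change so a flip back is reported too
        ips_by_mac[mac].add(ip)
        if len(ips_by_mac[mac]) == max_ips_per_mac + 1:
            # One interface answering for several IPs is how an attacker impersonates
            # both ends of a conversation to relay (and read) it.
            alerts.append(f"{mac} answers for {len(ips_by_mac[mac])} addresses: "
                          f"{sorted(ips_by_mac[mac])}")
    return alerts


def constructed_replies():
    return [
        (GATEWAY_IP, GATEWAY_MAC),   # gateway answers normally
        (HOST_IP, HOST_MAC),         # a workstation is learned
        (GATEWAY_IP, ATTACKER_MAC),  # attacker tells the LAN it is the gateway
        (HOST_IP, ATTACKER_MAC),     # ...and tells the gateway it is the workstation
        (GATEWAY_IP, GATEWAY_MAC),   # the real gateway keeps answering (flapping)
    ]


if __name__ == "__main__":
    for alert in detect_arp_spoofing(constructed_replies(), TRUSTED):
        print("ALERT:", alert)
```

A binding change on its own is not proof of attack (DHCP reassignments and replaced NICs look the same), which is why the gateway is pinned as a trusted static entry; the same idea at the switch level is Dynamic ARP Inspection, which drops ARP replies that disagree with the DHCP snooping table.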

Uniform Resource Locator (URL)

A unique identifier for finding a specific resource on the Internet. Redirecting a URL commonly happens for legitimate purposes. For example, after logging in to an eLearning portal to begin this Cybersecurity Essentials course, logging out and returning later sends you back to the login page, and a successful login sends you on to the page you originally asked for. Attackers exploit this functionality when the redirect target is taken from a URL parameter without validation (an open redirect): a link that genuinely points at the trusted login page then sends the victim on to a malicious site.
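The following is an added example, not from the course: a login page's "next" parameter handled the vulnerable way and the safe way, run over the tricks that usually defeat a naive fix (scheme-relative `//host`, backslash paths, credentials in the authority part, lookalike host suffixes and non-HTTP schemes). The portal host name and the test URLs are constructed for the example.

```python
"""Added example: open redirect vs. validated redirect target.
The portal host and the sample URLs are constructed."""
from urllib.parse import urlparse

ALLOWED_HOSTS = {"learning.example.com"}   # hosts we are willing to send users to
DEFAULT_TARGET = "/dashboard"


def redirect_target_vulnerable(next_url):
    """Open redirect: wherever the attacker put in the link is where the user ends up."""
    return next_url


def redirect_target_safe(next_url, default=DEFAULT_TARGET):
    """Allow only same-site relative paths or absolute URLs to allow-listed hosts."""
    parsed = urlparse(next_url)
    if parsed.scheme or parsed.netloc:
        # Absolute (or scheme-relative '//evil.example') URL: scheme and host must be on the list.
        # .hostname strips userinfo and port, so 'https://good@evil.example' resolves to evil.example.
        if parsed.scheme not in ("http", "https") or parsed.hostname not in ALLOWED_HOSTS:
            return default
        return next_url
    # Relative path: exactly one leading slash.  Browsers treat '//' and '/\' as a host name.
    if not next_url.startswith("/") or next_url.startswith(("//", "/\\")):
        return default
    return next_url


# Constructed inputs an attacker might place in a phishing link's ?next= parameter.
CASES = [
    "/course/1",
    "https://learning.example.com/course/1",
    "//evil.example/phish",
    "/\\evil.example/phish",
    "https://learning.example.com@evil.example/",
    "https://learning.example.com.evil.example/",
    "javascript:alert(1)",
    "",
]


def evaluate(cases=CASES):
    """Map each input to (vulnerable result, safe result)."""
    return {c: (redirect_target_vulnerable(c), redirect_target_safe(c)) for c in cases}


if __name__ == "__main__":
    for case, (bad, good) in evaluate().items():
        print(f"{case!r:50} vulnerable -> {bad!r:45} safe -> {good!r}")
```

An allow list of hosts is deliberately used rather than a deny list or a string prefix check, because every entry in the case list above passes a naive `startswith("https://learning.example.com")` test except the relative ones.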

