CH2 Network security
explain the two types of keyloggers
As a hardware device, it is inserted between the computer keyboard connection and USB port• Software keyloggers are programs installed on the computer that silently capture information
Manipulating online polls
Because each bot has a unique Internet Protocol (IP) address, each "vote" by a bot will have the same credibility as a vote cast by a real person.
Spamming
Botnets are widely recognized as the primary source of spam email. A botnet consisting of thousands of bots enables an attacker to send massive amounts of spam
Spreading malware
Botnets can be used to spread malware and create new bots and botnets. Bots can download and execute a file sent by the attacker.
Denying services
Botnets can flood a web server with thousands of requests and overwhelm it to the point that it cannot respond to legitimate requests.
viruses
CAMP- Computer virus - malicious computer code that reproduces itself on the same compute Appender infection - virus appends itself to end of a file-Easily detected by virus scanners Macro - a series of instructions that can be grouped together as a single command•Common data file virus is a macro virus that is written in a script known as a macro Program virus - infects an executable program file
useful items retrieved in dumpster diving
Calendars-A calendar can reveal which employees are out of town at a particular time Inexpensive computer hardware, such as USB flash drives or portal hard drives Memos-Seemingly unimportant memos can often provide small bits of useful information for an attacker who is building an impersonation Organizational charts-These identify individuals within the organization who are in positions of authority Phone directories-Can provide the names and telephone numbers of individuals in the organization to target or impersonate Policy manuals-These may reveal the true level of security within the organization System manuals-Can tell an attacker the type of computer system that is being used so that other research can be conducted to pinpoint vulnerabilities
Malware can be classified by
Circulation - spreading rapidly to other systems in order to impact a large number of users Infection - how it embeds itself into a system Concealment - avoid detection by concealing its presence from scanners Payload capabilities - what actions the malware performs
Worms may
Consume resources or•Leave behind a payload to harm infected systems
Examples of worm actions
Deleting computer files•Allowing remote control of a computer by an attacker
Dumpster diving
Digging through trash to find information that can be useful in an attack•An electronic variation of dumpster diving is to use Google's search engine to look for documents and data posted online•Called Google dorking
Malicious software (malware)
Enters a computer system without the owner's knowledge or consent•Uses a threat vector to deliver a malicious "payload" that performs a harmful function once it is invoked
Tailgating
Following behind an authorized individual through an access door•An employee could conspire with an unauthorized person to allow him to walk in with him (called piggybacking)•Watching an authorized user enter a security code on a keypad is known as shoulder surfing
botnet
Groups of zombie computers are gathered into a logical computer network called a botnet under the control of the attacker (bot herder)
A common C&C mechanism
HTTP, which is more difficult to detect and block
Psychological approaches often involve
Impersonation, phishing, spam, hoaxes, and watering hole attacks
command and control (C&C)
Infected zombie computers wait for instructions through a command and control (C&C) structure from bot herders
What is a RAT trojan
Remote access Trojan (RAT) - gives the threat actor unauthorized remote access to the victim's computer by using specially configured communication protocols
Some armored virus infection techniques include
SMS Swiss cheese infection - viruses inject themselves into executable code-Virus code is "scrambled" to make it more difficult to detect Mutation - some viruses can mutate or change-An oligomorphic virus changes its internal code to one of a set of number of predefined mutations whenever executed-A polymorphic virus completely changes from its original form when executed-A metamorphic virus can rewrite its own code and appear different each time it is executed Split infection - virus splits into several parts-Parts placed at random positions in host program-The parts may contain unnecessary "garbage" doe to mask their true purpose
Variations on phishing attacks
Spear phishing - targets specific users•Whaling - targets the "big fish"•Vishing - instead of using email, uses a telephone call instead•About 97% of all attacks start with phishing
Once infected with crypto-malware
The software connects to the threat actor's command and control (C&C) server to receive instructed or updated data•A locking key is generated for the encrypted files and that key is encrypted with another key that has been downloaded from the C&C•Second key is sent to the victims once they pay the ransom
Hoaxes
a false warning, usually claiming to come from the IT department•Attackers try to get victims to change configuration settings on their computers that would allow the attacker to compromise the system•Attackers may also provide a telephone number for the victim to call for help, which will put them in direct contact with the attacker
Watering hole attack
a malicious attack that is directed toward a small group of specific individuals who visit the same website
Social engineering
a means of gathering information for an attack by relying on the weaknesses of individuals Social engineering attacks can involve psychological approaches as well as physical procedures
Crypto-malware
a more malicious form of ransomware where threat actors encrypt all files on the device so that none of them could be opened
Trojan Malware
an executable program that does something other than advertised•Contain hidden code that launches an attack•Sometimes made to appear as data file
Bot or zombie
an infected computer that is under the remote control of an attacker
Keylogger
captures and stores each keystroke that a user types on the computer's keyboard•Attacker searches the captured text for any useful information such as passwords, credit card numbers, or personal information
Logic bomb
computer code that lies dormant until it is triggered by a specific logical event•Difficult to detect before it is triggered•Often embedded in large computer programs that are not routinely scanned
Backdoor
gives access to a computer, program, or service that circumvents normal security to give program access•When installed on a computer, they allow the attacker to return at a later time and bypass security settings
Worm
malicious program that uses a computer network to replicate Sends copies of itself to other network devices Exploits a vulnerability in an application or operating system
Does a worm need a user to spread it
no
does a worm infect a file?
no
Can a virus automatically spread to another computer
no it relies on user action to spread
Ransomware
prevents a user's device from properly operating until a fee is paid A variation of ransomware displays a fictitious warning that a software license has expired or there is a problem and users must purchase additional software online to fix the problem
Adware
program that delivers advertising content in manner unexpected and unwanted by the user •Typically displays advertising banners and pop-up ads•May open new browser windows randomly
Phishing
sending an email claiming to be from legitimate source•Tries to trick user into giving private information•The emails and fake websites are difficult to distinguish from those that are legitimate
Spyware
software that gathers information without user consent•Uses the computer's resources for the purposes of collecting and distributing personal or sensitive information
Rootkits
software tools used by an attacker to hide actions or presence of other types of malicious software
Psychological approaches goal
to persuade the victim to provide information or take action
how are viruses spread
transferring infected files.
Spam
unsolicited e-mail•Primary vehicles for distribution of malware•Sending spam is a lucrative business-Cost spammers very little to send millions of spam messages
Image spam
uses graphical images of text in order to circumvent text-based filters
Examples of virus actions
•Cause a computer to repeatedly crash•Erase files from or reformat hard drive•Turn off computer's security settings
Primary payload capabilities are to:
•Collect data•Delete data•Modify system security settings•Launch attacks
Two of the most common physical procedures are:
•Dumpster diving•Tailgating
Impersonation
•Help desk support technician•Repairperson•IT support•Manager•Trusted third party•Fellow employee
Attackers use a variety of techniques to gain trust without moving quickly
•Provide a reason•Project confidence•Use evasion and diversion•Make them laugh
Different types of malware are designed to collect important data from the user's computer and make it available at the attacker
•Spyware•Adware
Three examples of malware that have the primary trait of infection
•Trojans•Ransomware•Crypto-malware
Viruses perform two actions:
•Unloads a payload to perform a malicious action•Reproduces itself by inserting its code into another file on the same computer
Types of trojans
•User downloads "free calendar program"-Program scans system for credit card numbers and passwords-Transmits information to attacker through network
Two types of malware have the primary traits of circulation:
•Viruses•Worms
