Chapter 4 - Network Security Threats and Issues
Deterrent
A form of security defense that focuses on discouraging a perpetrator with disincentives such as physical harm, social disgrace, or legal consequences. A deterrent can also be a defense that is complex or difficult to overcome, such as strong encryption, multifactor authentication, or stateful inspection filtering.
DNS poisoning
A network service that resolves fully qualified domain names (FQDNs) into their corresponding IP address. DNS is an essential service of most networks and their directory services.
Script kiddie
A new, inexperienced, or ignorant hacker who uses pre-built attack tools and scripts instead of writing his or her own or customizing existing ones. Even though a derogatory term in the hacker community, "script kiddie" still describes a serious threat to network security.
Mean time between failures (MTBF)
A rating on some hardware devices expressing the average length of time between significant failures.
ICMP redirects
An announcement message sent to hosts to adjust the routing table. ICMP type 5 messages are known as redirects. Hackers can use ICMP redirects to perform man-in-the-middle or session hijacking attacks.
Monkey-in-the-middle attack
Another term for man-in-the-middle attack.
Proxy attack
See man-in-the-middle attack.
MAC spoofing
The act of a hacker changing the MAC address of their network interface. Commonly used to bypass MAC filtering on a wireless access point by impersonating a valid client.
Shell code
The content of an exploit to be executed on or against a target system.
Chip creep
The slow movement of a chip out of its socket or solder points because of expansion and contraction caused by extreme temperature fluctuations.
Return on investment (ROI)
A business evaluation technique to determine whether an investment will earn back equivalent or greater benefit within a specific time.
Metacharacters
A character that has a special meaning assigned to it and recognized as part of a scripting or programming language. Metacharacters should be filtered, escaped, or blocked to prevent script injection attacks. Escaping metacharacters is a programmatic tactic to treat all characters as basic ASCII rather than as something with special meaning or purpose.
Honeypots
A closely monitored system that usually contains a large number of files that appear to be valuable or sensitive, and serves as a trap for hackers. A ___________ distracts hackers from real targets, detects new exploitations, and learns the identities of hackers.
Buffer overflow
A condition in which a memory buffer exceeds its capacity and extends its contents into adjacent memory. Often used as an attack against poor programming techniques or poor software quality control. Hackers can inject more data into a memory buffer than it can hold, which may result in the additional data overflowing into the next area of memory. If the overflow extends to the next memory segment designated for code execution, a skilled attacker can insert arbitrary code that will execute with the same privileges as the current program. Improperly formatted overflow data may also result in a system crash.
Blogs
A contraction of the words "web" and "log," it is a form of Web site where the site owner posts messages, images, and videos for the public to view and potentially comment on. Blogs are commonly a platform for discussing issues, causes, or interests.
Professional hackers
A criminal whose objective is to compromise IT infrastructures. Whether operating as individuals, offering mercenary hacking services, or functioning as members of a criminal ring, professional hackers focus time and energy on becoming effective cyber attackers. A professional hacker is someone who contracts out his or her hacking skills to others.
Redundant array of independent disks (RAID)
A disk set management technology that gains speed and fault tolerance. RAID can provide some protection against hard drive failure, but does not protect against software or data compromises, such as virus infection.
Alternate data streams (ADS)
A feature added to the NTFS file system to support files from POSIX, OS/2, and Macintosh. ADS supports multiple resource forks for file objects. Hackers use ADS to hide files.
New technology file system (NTFS)
A file format developed by Microsoft commonly used on Windows systems. NTFS offers file security, large volume size, large file size, and alternate data streams (ADS).
Flaw exploitation attacks
A form of DoS that uses a software specific exploit to cause the interruption of availability. Once you apply the appropriate patch, the system is no longer vulnerable to this particular exploit.
SQL injection
A form of Web site/application attack in which a hacker submits SQL expressions to cause authentication bypass, extraction of data, planting of information, or access to a command shell.
Rootkit
A form of malware that hackers can upload and deploy on a target system. It often replaces multiple components of the host operating system with altered code.
Instant message (IM)
A form of near real-time text communication. Also known as chat, IRC, and SMS messaging.
Mobile code
A form of software transmitted to and executed on a client. Hackers can use mobile code for malicious purposes.
Trapdoor
A form of unauthorized access to a system. A trapdoor is any access method or pathway that circumvents access or authentication mechanisms. Also known as a backdoor.
Pwned
A leetspeak word derived from a common IRC typo of "owned." Used to mean hacking and taking over control of a computer or network.
Partition
A logical division of a hard drive that can be formatted with a file system.
Clusters
A logical division of data composed of one or more sectors on a hard drive. A cluster is the smallest addressable unit of drive storage, usually 512, 1,024, 2,048, or 4,096 bytes, depending on the logical volume size.
Trojan horse
A mechanism of distribution or delivery more than a specific type of malware. The Trojan horse embeds a malicious payload within a seemingly benign carrier or host program. When the host program is executed or otherwise accessed, the malware is delivered. The gimmick of a Trojan horse is the act of fooling someone (a type of social engineering attack) into accepting the Trojan program as safe.
Banner
A message sent by a service in response to a valid or invalid query. A banner can confirm communication is functioning properly or announce an error. Some banners disclose the product name and version number of the service.
Wardialing
A method of discovering active modems by dialing a range of phone numbers.
Wardriving
A method of discovering wireless networks by moving around a geographic area with a detection device.
OS/2
A multi-tasking operating system developed jointly by Microsoft and IBM. First released in 1987, it lost nearly its entire market share to Windows after the two companies ceased collaboration in 1990. IBM discontinued support in 2006.
Advanced persistent threat (APT)
A network attack in which an unauthorized person gains access to a network and stays there undetected for a long period of time. The purpose of such an attack is to steal data, not to damage the network or organization. Sectors with high-value information, such as national defense, manufacturing, and the financial industry, are commonly the target of such attacks.
Nmap
A network mapping tool that performs network scanning, port scanning, OS identification, and other types of network probing. Nmap is available at http://www.insecure.org/.
Botnet army (or zombie army)
A network of zombie/bot/agent-compromised systems controlled by a hacker. The network consists of the bots, agents, or zombies that intercommunicate over the Internet. Another term for zombie.
Ping sweeps
A network scan that sends ICMP type 8 echo requests to a range of IP addresses to obtain ICMP type 0 echo responses. A ping sweep can discover active systems and identify the IP addresses in use.
Port scanning
A network scan that sends various constructions of TCP or UDP packets to determine the open or closed state of a port. Tools such as nmap are used to perform port scanning.
Opportunistic hackers
A person who takes advantage of unique or abnormal situations to perform malicious actions, but who would not initiate such actions otherwise.
Mean time of failure (MTTF)
A rating on some hardware devices expressing the average length of time until the first significant failure is likely to happen.
Internet relay chat (IRC)
A real-time text communication system. Hackers commonly use IRC as a way to communicate anonymously and control botnets.
Dialers
A rogue program that automatically dials a modem to a pre-defined number. Sometimes this is to auto-download additional malware to the victim or to upload stolen data from the victim. In other cases, the dialer calls premium rate telephone numbers to rack up massive long distance charges.
Command Shell
A software interface with a system that allows code execution. A command shell is often the focus of an attack. If a hacker gains access to a command shell, he or she can perform arbitrary code execution. Also known as a terminal window or a command prompt. For example, in Windows, the command shell prompt is usually "C:\>".
Leetspeak
A somewhat secret form of communication or language hackers use based on replacing letters with numbers, symbols, or other letters that somewhat resemble the original characters. For example, "elite" becomes "eleet," and then becomes "31337."
Hierarchical file system (HFS)
A storage device file system developed by Apple Inc. for use on Macintosh computers. HFS supports multiple resource forks for file objects.
Sector
A subdivision of computer storage medium that represents a fixed size of user-accessible data. Magnetic disks typically have 512-byte sectors; optical disks have 2,048-byte sectors. When a device is formatted, sectors are grouped into clusters.
Static electricity discharge (SED)
A sudden and momentary electric current, usually of high voltage and low amperage, that flows between two objects. Commonly caused by low humidity environments. Humans, polyester, and plastics are prone to static build-up. SED can damage most computer components.
Cold calling
A tactic of pursuing and extracting information for the purpose of making a sale or performing a social engineering attack. A cold call presupposes little or no knowledge of the person answering the phone. It requires the caller to be able to pick up on vocal and word clues, be knowledgeable about human nature, and adapt quickly to changes in conversation.
Wrappers
A tool used to create Trojan horses by embedding malware inside of a host file or program.
Whois
A tool used to view domain registration information. Whois is a command line function of Linux and Unix, but is also a tool on most domain registrar Web sites.
Dumpster diving
A type of reconnaissance in which an attacker examines an organization's trash or other discarded items to learn internal or private information. The results of dumpster diving are often used to wage social engineering attacks.
POSIX
A variant of the UNIX operating system. Supported by Windows NT 4.0, but not in any subsequent version of Windows. POSIX used the ADS feature of NTFS.
Disgruntled employees
A worker who feels wronged by his or her employer and who may take malicious, unethical, potentially illegal actions to exact revenge on the organization.
Rogue access point
An access point set up and configured by a hacker to fool users into connecting with it. The hacker may then use the connection to carry out an attack such as a man-in-the-middle attack.
Spyware
An advancement of keystroke logging to monitor and record many other user activities. Spyware varies greatly, but it can collect a list of applications launched, URLs visited, e-mail sent and received, chats sent and received, and names of all files opened. It can also record network activity, gather periodic screen captures, and even record from a microphone or Web cam. Can be linked with adware.
Proxy manipulation
An attack in which a hacker modifies the proxy settings on a client to redirect traffic to another system, such as the hacker's own machine. The hacker may host a proxy server in addition to eavesdropping and manipulating the redirected traffic.
IDS insertion
An attack that exploits the nature of a network-focused IDS to collect and analyze every packet to trick the IDS into thinking an attack took place when it actually hasn't. The common purpose of IDS injection attacks is to trick signature or pattern matching detection of malicious network events.
Phishing
An attack that seeks to obtain information from a victim by presenting false credentials or luring victims to an attack site. Phishing can occur face to face, over the phone, via e-mail, on a Web site, or through IM.
Flooding
An attack, usually resulting in a DoS, in which hackers direct massive amounts of traffic toward a target to fully consume available bandwidth or processing capabilities.
Arbitrary code execution
An exploit that allows a hacker to run any command line function on a compromised system. Buffer overflow attacks and SQL injection attacks can often allow arbitrary code execution.
Insertion attacks
An exploit based on the introduction of unauthorized content or devices to an otherwise secured infrastructure. Three common insertion-based attacks include SQL injection, IDS insertion, and rogue devices.
Contract workers
An outsider brought into an organization to work on a temporary basis. Contracted workers can be consultants, temporary workers, seasonal workers, contractors, or even day-laborers. Contracted workers potentially represent a greater risk than regular, full-time employees because they might lack loyalty, not see the company as worthy of protection, might not be accountable after a project ends, and so on.
Covert channels
An unknown, secret pathway of communication. Covert channels can be timing or storage-based.
Interception attack
Any attack that positions the attacker inline with a session between a client and server. Such attacks typically allow the hacker to eavesdrop and manipulate the contents of the session. Also known as a man-in-the-middle attack.
Non-authenticating query service
Any communication exchange that does not verify the identity of the endpoints of a communication and accepts any properly formed response as valid. DNS and ARP are common examples. Hackers can easily spoof such a service.
Logic bomb
Malware that acts like an electronic land mine. Once a hacker places a logic bomb in a system, it remains dormant until a triggering event takes place. The trigger can be a specific time and date, the launching of a program, the typing of a specific keyword, or accessing a specific URL. Once the trigger occurs, the logic bomb springs its malicious event on the unsuspecting user.
Worm
Malware that does not need a host object; instead, a worm is a self-sustaining program in its own right. Worms are designed around specific system flaws. The worm scans other systems for this flaw and exploits the flaw to gain access to another victim. Once hosted on another system, the worm seeks to spread itself by repeating the process. Worms can act as carriers to deposit other forms of malicious code as they multiply and spread across networked hosts.
Virus
Malware that needs a host object to infect. Most ______ infect files, such as executables, device drivers, DLLs, system files, and sometimes even document, audio, video, and image files. Some _______ infect the boot sector of a storage device, including hard drives, floppies, optical discs, and USB drives. _____ are spread through the actions of users, and spread file-to-file (compare to worms).
Keystroke logger
Malware that records all keyboard input and transmits the keystroke log to a hacker.
URL injectors
Malware that replaces URLs in HTTP GET requests with alternative addresses. These injected URLs cause a different Web page to appear in the browser than the one the user requested. These replaced Web pages could be advertisement sites, generate traffic to falsify search engine optimization (SEO), or lead to fake or spoofed sites.
National Institute of Standards and Technology (NIST)
NIST is a non-regulatory federal agency within the U.S. Department of Commerce whose mission is to promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology. As part of its mission, the NIST performs vulnerability research, cataloging, and information distribution: http://nvd.nist.gov/.
USENET newsgroup
Persistent public messaging forums accessed over the NNTP (Network News Transfer Protocol). USENET has existed since 1980. Although the Web, e-mail, and BitTorrent are more widely known, USENET is still in use today.
Hacktivism
Politically or socially motivated hacking, seen by activists as a form of civil disobedience in the interest of free speech and human rights, but seen by its opponents as a form of cyberterrorism.
Recreational hackers
Someone who enjoys exploring and learning about computer technology but may put an organization's network at risk by bringing in unapproved software, experimenting on the network, or just trying an exploit to "see if it works."
MITRE
The MITRE Corporation is a not-for-profit organization chartered to work in the public interest. It sponsors a vulnerability research, cataloging, and information organization: http://cve.mitre.org/.
Banner grabbing
The act of capturing or extracting banners from services. Hackers often perform banner grabbing after port scanning to learn what service is active on a port.
Reconnaissance
The act of learning as much as possible about a target before attempting attacks. Reconnaissance consists of collecting data about the target from multiple sources online and offline. Effective reconnaissance is done covertly, without tipping off the target about the research. Reconnaissance can also be called footprinting, discovery, research, and information gathering.
Privilege escalation
The act of obtaining a higher level of privilege or access for a user account or a session. A tactic employed by hackers once they intrude into a network through the compromise of a normal user account.
Scanning
The act of probing a network using custom crafted packets. Scanning can determine the IP addresses in use and whether ports are open or closed. The tool nmap can be used to perform scanning.
Footprinting
The act of researching and uncovering information about a potential attack target. Also known as reconnaissance.
Unpartitioned space
The area on a storage device not contained within a partition. Unpartitioned space is not directly accessible by the OS.
Social engineering
The craft of manipulating people into performing tasks or releasing information that violates security. Social engineering relies on telling convincing lies to manipulate people or take advantage of the victim's desire to be helpful.
ARP spoofing
The falsification of ARP replies to trick the requestor into sending frames to a system other than its intended destination.
Domain registrations
The information related to the owners and managers of a domain name, accessed through domain registrars' Web sites and whois lookups. A domain registration might include a physical address, people's names, e-mail addresses, and phone numbers. This information is useful in waging social engineering attacks.
Maximum transmission unit (MTU)
The largest amount of data that a datagram can hold based on the limitations of the networking devices managing a given segment. As an MTU changes across a communication path, a datagram may be fragmented to comply with the MTU restriction.
Cross-site scripting (XSS)
The malicious insertion of scripting code onto a vulnerable Web site. The results of an XSS attack can include the corruption of the data on the Web site or identity theft of the site's visitors.
Upstream filtering
The management of traffic by a firewall or other filtering device located one or more hops away (upstream) from a private network.
Enumeration
The process of discovering sufficient details about a potential target to learn about network or system vulnerabilities. Enumeration often starts with operating system identification, followed by application identification, then extraction of information from discovered services.
Intentional electromagnetic interference (IEMI)
The result of an intentional discharge made to damage or destroy electronic equipment ranging from cell phones to computers and servers.
Slack space
The unused portion of the last cluster allocated to a stored file. It may contain remnants of prior files stored in that location. Hackers can hijack slack space to create hidden storage compartments.
Playback attacks (or Replay attacks)
This attack occurs when a hacker uses a network sniffer to capture network traffic and then retransmits that traffic back on to the network at a later time. Replay attacks often focus on authentication traffic in the hope that retransmitting the same packets that allowed the real user to log into a system will grant the hacker the same access.
Backdoor
Unauthorized access to a system. A ________ is any access method or pathway that circumvents access or authentication mechanisms.
Spam
Unwanted and often unsolicited messages. _____ is not technically malicious software, but it can have a serious negative effect on IT infrastructures through sheer volume. Estimates vary, but it may represent up to 95 percent of all e-mail.
Adware
Unwanted software that displays advertisements. Often linked with spyware.
Session hijacking
When a hacker is able to take over a connection after a client has authenticated with a server. To perform this attack, a hacker must eavesdrop on the session to learn details, such as the addresses of the session endpoints and the sequencing numbers. With this information, the hacker can desynchronize the client, take on the client's addresses, and then inject crafted packets into the data stream. If the server accepts the initial false packets as valid, then the session has been hijacked.