
Security Threats & Vulnerabilities

What are Vulnerabilities


• Vulnerability: a vulnerability is a weakness or fault in a system, or in
one of its protection mechanisms, that exposes information to possible
attack or damage.

• Vulnerabilities may result from bugs or design flaws in the system.
They can range from a flaw in a software package, to an unprotected
system port, to an unlocked door.

• Examples: missing input validation, buffer overflows, etc.


Types of Vulnerabilities
• Vulnerabilities are weaknesses in systems that allow a threat to
become effective. In general, vulnerabilities can be classified into
four categories:
– Vendor-supplied software may create vulnerabilities through
design flaws, bugs, and unapplied security patches and updates.

– System configuration vulnerabilities include the presence of
default or improperly set configurations, guest user accounts,
extraneous services, and improperly set file and directory
permissions.
– Administration-based vulnerabilities include system services
integrated with improperly set options (for example, in Windows NT
registry keys), unauthorized changes, and insecure requirements for
minimum password length.

– User activity can create vulnerabilities in the form of risky
shortcuts taken to perform tasks, such as
• mapping network/shared drives for unauthorized users;
• failing to perform housekeeping chores, such as updating
antivirus software;
• using a modem to dial in past the corporate firewall;
• and policy violations, such as failing to use strong passwords.
Common Vulnerabilities
• Major common vulnerabilities are:
– Input validation error: results when the input to a system is
not properly checked, producing a vulnerability that can be
exploited by sending a malicious input sequence.

– Buffer overflow: occurs when system input is longer than
expected but the system does not check for the condition, so the
copy is allowed to proceed.
• The input fills the buffer and overflows the allocated memory,
overwriting whatever is adjacent to it (other variables, heap
metadata, or a saved return address).
• An attacker takes advantage of this by carefully constructing
the excess input so that the overwritten data redirects execution
to malicious instructions.
• Boundary condition error: system input exceeds a specified boundary,
resulting in exhaustion of memory, disk space, or network bandwidth.
– The attacker takes advantage of the overrun by inserting
malicious input while the system attempts to compensate for the
condition.

• Access validation error: the access control mechanism is faulty
because of a design flaw; an exceptional condition arises, and the
way it is handled creates the vulnerability.
• Environmental error: the environment into which a system is
installed causes it to become vulnerable because of an unanticipated
interaction between, for example, an application and the operating
system.
– Environmental vulnerabilities may exist in a production
environment despite a successful test in the test environment.
• Configuration error: occurs when user-controllable settings are
improperly set by system or application developers.
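The three input-related errors above (input validation, buffer overflow, boundary condition) are easiest to see in C. The following is an added example written for this page, not code from the original slides: a vulnerable fixed-buffer copy next to a checked version, a validator for an untrusted numeric count, and a size computation that guards against the wrap-around that turns a boundary condition into an undersized allocation. The function names, NAME_MAX and COUNT_LIMIT are assumptions chosen for illustration.

```c
#include <ctype.h>
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NAME_MAX    16        /* fixed-size stack buffer used below (assumed) */
#define COUNT_LIMIT 100000u   /* illustrative upper bound on a user-supplied count */

/* VULNERABLE (shown for contrast; never call it with untrusted input):
 * strcpy() has no idea how big 'name' is, so any input of NAME_MAX bytes
 * or more overwrites whatever sits beyond the buffer on the stack. */
void greet_vulnerable(const char *input)
{
    char name[NAME_MAX];
    strcpy(name, input);              /* buffer overflow for long input */
    printf("hello %s\n", name);
}

/* HARDENED: look for the terminator only inside the destination size,
 * refuse input that does not fit (including the NUL), and only then copy.
 * Rejecting is safer than silently truncating, which can change the
 * meaning of the data. */
bool copy_name_checked(const char *input, char *out, size_t outlen)
{
    if (input == NULL || out == NULL || outlen == 0) return false;
    const char *nul = memchr(input, '\0', outlen);  /* never reads past outlen */
    if (nul == NULL) return false;                  /* no NUL within outlen: too long */
    size_t n = (size_t)(nul - input);
    memcpy(out, input, n + 1);                      /* n + 1 <= outlen, includes NUL */
    return true;
}

/* INPUT VALIDATION: parse an untrusted decimal count. strtoul() alone is
 * not a validator: it skips leading whitespace, accepts a '-' sign, and
 * stops silently at the first non-digit, so each of those is checked. */
bool parse_count(const char *s, size_t *out)
{
    if (s == NULL || *s == '\0' || !isdigit((unsigned char)*s)) return false;
    char *end = NULL;
    errno = 0;
    unsigned long v = strtoul(s, &end, 10);
    if (errno == ERANGE || *end != '\0') return false;  /* overflow or trailing junk */
    if (v > COUNT_LIMIT) return false;                  /* application-level bound */
    *out = (size_t)v;
    return true;
}

/* BOUNDARY CONDITION: count * elem_size can wrap around in size_t. Without
 * the check, malloc() receives a tiny request while the caller goes on to
 * write 'count' elements into it, which is a heap overflow. */
void *alloc_array_checked(size_t count, size_t elem_size)
{
    if (count == 0 || elem_size == 0) return NULL;
    if (count > SIZE_MAX / elem_size) return NULL;      /* multiplication would wrap */
    return calloc(count, elem_size);                    /* zeroed; calloc re-checks too */
}

int main(void)
{
    char name[NAME_MAX];
    size_t count = 0;

    greet_vulnerable("alice");        /* short input: works, but only by luck */
    printf("long name accepted by checked copy: %s\n",
           copy_name_checked("this-name-is-far-too-long", name, sizeof name) ? "yes" : "no");
    printf("parse \"42\": %s, parse \"42abc\": %s\n",
           parse_count("42", &count) ? "ok" : "rejected",
           parse_count("42abc", &count) ? "ok" : "rejected");

    int *huge = alloc_array_checked(SIZE_MAX / 2, sizeof(int));  /* would wrap */
    printf("oversized allocation: %s\n", huge ? "allowed" : "refused");
    free(huge);
    return 0;
}
```

The pattern in all three checked functions is the same: decide whether the input fits the boundary before touching memory, and make the rejection explicit rather than letting the library call guess.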
What are threats

• A threat is a potential security violation. Threats are dangerous
actions that can breach security and cause harm by exploiting system
vulnerabilities.

• A threat is an unwanted (deliberate or accidental) event that may
result in harm to an asset.

• Examples: hijacking, blackmail, unauthorized access to information,
and modification or destruction of information.
What are threats - Assets

• Assets: an asset is the organizational resource that is being
protected.

• An asset could be logical, such as a website, information, or data,
or physical, such as a person, a computer system, or another tangible
object.

• Assets, and particularly information assets, are the focus of our
security efforts and are what we are attempting to protect.
What are threat Agents

• Threat Agent: a threat agent is the specific instance or component
of a threat.
– For example, all hackers in the world can be thought of as a
collective threat, and Kevin Mitnick, who was convicted for hacking
into phone systems, as a specific threat agent.

• Similarly, a specific lightning strike or tornado is a threat agent
that is part of the threat of storms.
Types of Security Threats

• RFC 1244 identifies three distinct types of security threats
associated with network connectivity:
– Unauthorized access
– Disclosure of information
– Denial of service

• Unauthorized access: a break-in by an unauthorized person.
Break-ins may be an embarrassment that undermines the confidence
that others have in the organization.

• Disclosure of information: disclosure of valuable or sensitive
information to people who should not have access to it.

• Denial of service: any problem that makes it difficult or
impossible for the system to continue to perform productive work.

• Threats are countered by controlling the vulnerabilities they would
exploit: a threat with no vulnerability to act on cannot become an
attack.


Attacks
• A security attack can be defined as any action that compromises
the security of information owned by an organization.

• It is an intentional or unintentional attempt to cause damage to,
or otherwise compromise, the information and/or the systems that
support it.

• An attack is the deliberate act that exploits a vulnerability; it
is carried out by a threat agent.
Security Attacks

• Interruption: This is an attack on availability.

• Interception: This is an attack on confidentiality.

• Modification: This is an attack on integrity.

• Fabrication: This is an attack on authenticity.


Types of Attacks

Attacks are broadly categorized as passive or active.

• A passive attack is one in which the intruder eavesdrops but does
not modify the message stream in any way.

• A passive attack is a network attack in which a system is monitored
and sometimes scanned for open ports and vulnerabilities.

• The purpose is solely to gain information about the target; no
data is changed on the target.
Active attacks
• An active attack is one in which the intruder may
– transmit messages,
– replay old messages,
– modify messages in transit, or
– delete selected messages from the wire.

• An active attack attempts to alter system resources or affect
their operation.
(Figure: Types of Attacks, showing the split into passive attacks and active attacks)


Types of Attacks – Passive Attacks

Two types of passive attacks are:

• Release of message contents: a telephone conversation, an
electronic mail message, or a transferred file may contain sensitive
or confidential information, and an eavesdropper simply reads it.

• Traffic analysis: observing the traffic without reading the message
contents. The purpose is to understand the flow of traffic (who is
talking to whom, how often, and how much) and to capture messages for
further possible attacks.
Passive Attack – Traffic Analysis

• The common technique for masking contents is encryption.

• Even with encryption protection in place, an attacker might still
be able to observe the pattern of these messages: the attacker could
determine the location and identity of communicating hosts and could
observe the frequency and length of messages being exchanged.

• This information might be useful in guessing the nature of the
communication that was taking place.
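Message length is the one thing on that list a protocol designer can hide cheaply, and the example below shows both halves: what a traffic analyst does with ciphertext lengths, and the padding countermeasure. It is an added example written for this page, not code from the slides. The two sample messages are constructed, PAD_BUCKET and the two-byte length header are illustrative choices, and encryption itself is left out because with a stream cipher or CTR/GCM mode the ciphertext length equals the (padded) plaintext length plus a constant, so the lengths computed here are the lengths an eavesdropper would see.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample plaintexts: a one-word acknowledgement and a
 * longer report. Only their lengths matter to the eavesdropper. */
static const char SAMPLE_ACK[]    = "OK";
static const char SAMPLE_REPORT[] =
    "Q3 summary: revenue down 12%, hiring freeze from November, "
    "board meeting moved forward, legal review of the merger pending.";

#define PAD_BUCKET 256     /* every message is padded up to a multiple of this */
#define LEN_HDR    2       /* bytes carrying the true length inside the padding */

/* What the eavesdropper can still do once contents are encrypted: classify
 * each message purely by the size seen on the wire. Without padding this
 * guess is exactly as good as it would be against plaintext. */
const char *guess_from_length(size_t wire_len)
{
    return wire_len < 16 ? "short control message" : "long document";
}

/* Countermeasure: pad to a fixed bucket BEFORE encrypting. The true length
 * is stored in the first LEN_HDR bytes so the receiver can strip the
 * padding; after encryption the header and zero padding look like data.
 * Returns the padded length, or 0 if out is too small or len too large. */
size_t pad_to_bucket(const unsigned char *msg, size_t len,
                     unsigned char *out, size_t outlen)
{
    if (len > 0xFFFF) return 0;
    size_t need   = len + LEN_HDR;
    size_t padded = ((need + PAD_BUCKET - 1) / PAD_BUCKET) * PAD_BUCKET;
    if (padded > outlen) return 0;
    out[0] = (unsigned char)(len >> 8);
    out[1] = (unsigned char)(len & 0xFF);
    memcpy(out + LEN_HDR, msg, len);
    memset(out + LEN_HDR + len, 0, padded - need);
    return padded;
}

/* Receiver side: recover the original message from a padded buffer,
 * rejecting a length field that points past the end of what was received. */
bool unpad_from_bucket(const unsigned char *in, size_t inlen,
                       unsigned char *out, size_t outlen, size_t *msglen)
{
    if (inlen < LEN_HDR) return false;
    size_t len = ((size_t)in[0] << 8) | in[1];
    if (len > inlen - LEN_HDR || len > outlen) return false;
    memcpy(out, in + LEN_HDR, len);
    *msglen = len;
    return true;
}

/* Wire length of a C string after padding, or 0 on error. */
size_t wire_length_after_padding(const char *msg)
{
    unsigned char buf[4 * PAD_BUCKET];
    return pad_to_bucket((const unsigned char *)msg, strlen(msg), buf, sizeof buf);
}

int main(void)
{
    printf("unpadded: ack looks like a %s, report looks like a %s\n",
           guess_from_length(strlen(SAMPLE_ACK)),
           guess_from_length(strlen(SAMPLE_REPORT)));
    printf("padded:   ack looks like a %s, report looks like a %s\n",
           guess_from_length(wire_length_after_padding(SAMPLE_ACK)),
           guess_from_length(wire_length_after_padding(SAMPLE_REPORT)));
    return 0;
}
```

Padding only removes the length signal; the endpoints, the timing and the number of messages remain visible, which is why the other items on the list above need different countermeasures (for example cover traffic or a relay that mixes flows).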
Types of Attacks – Active Attacks

There are four types of active attacks; three are described below,
and the fourth, denial of service, was introduced above under
security threats.

• Masquerade: a masquerade takes place when an entity pretends to be
a different entity. A masquerade attack usually includes one of the
other forms of active attack.

• For example, authentication sequences can be captured and replayed
after a valid authentication has taken place, thus enabling an
authorized entity with few privileges to obtain extra privileges by
impersonating an entity that has those privileges.

• Replay: involves the passive capture of a data unit and its
subsequent retransmission to produce an unauthorized effect.

• Modification of messages: some portion of a legitimate message is
altered, or messages are delayed or reordered, to produce an
unauthorized effect.
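Replay, and the replayed-authentication form of masquerade described above, is defeated on the receiving side by remembering what has already been accepted. The sliding-window check below is an added example in the style of the IPsec anti-replay window; it is not code from the slides. It assumes every message carries a monotonically increasing sequence number that is covered by the message's integrity check (a MAC or signature, not implemented here); if an attacker can rewrite the sequence number, the window alone is no defence. The names, the window size and the sample message stream are illustrative.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define REPLAY_WINDOW 32   /* how many recent sequence numbers are remembered */

struct replay_state {
    uint32_t last_seq;     /* highest sequence number accepted so far */
    uint32_t bitmap;       /* bit i set => (last_seq - i) has been accepted */
};

void replay_init(struct replay_state *st)
{
    st->last_seq = 0;      /* sequence numbers start at 1; 0 is never valid */
    st->bitmap   = 0;
}

/* Accept seq if it is new, recording it; reject it if it was already seen
 * (a replay) or if it is older than the window (indistinguishable from a
 * replay, so it is dropped too). Out-of-order delivery inside the window
 * is tolerated, which is why a bitmap is kept rather than just last_seq. */
bool replay_check(struct replay_state *st, uint32_t seq)
{
    if (seq == 0) return false;

    if (seq > st->last_seq) {                    /* newer than anything seen: slide */
        uint32_t shift = seq - st->last_seq;
        st->bitmap   = (shift < REPLAY_WINDOW) ? ((st->bitmap << shift) | 1u) : 1u;
        st->last_seq = seq;
        return true;
    }

    uint32_t back = st->last_seq - seq;          /* how far behind the newest */
    if (back >= REPLAY_WINDOW) return false;     /* too old to track: drop */
    if (st->bitmap & (1u << back)) return false; /* already accepted: replay */
    st->bitmap |= (1u << back);
    return true;
}

/* A message as an attacker would capture and resend it. The sequence
 * number is assumed to be authenticated together with the payload. */
struct msg {
    uint32_t seq;
    char     payload[32];
};

/* Process a constructed stream in which messages 2 and 3 are captured and
 * resent verbatim; returns how many messages the receiver accepts. */
int count_accepted(void)
{
    static const struct msg stream[] = {
        {1, "login ok"}, {2, "transfer 100"}, {3, "logout"},
        {2, "transfer 100"},      /* replayed: must be rejected */
        {3, "logout"},            /* replayed: must be rejected */
        {4, "login ok"},
    };
    struct replay_state st;
    replay_init(&st);
    int accepted = 0;
    for (size_t i = 0; i < sizeof stream / sizeof stream[0]; i++)
        if (replay_check(&st, stream[i].seq)) accepted++;
    return accepted;   /* 4 of the 6 messages */
}

int main(void)
{
    printf("accepted %d of 6 messages (2 replays dropped)\n", count_accepted());
    return 0;
}
```

Two caveats a practitioner should keep in mind: the window must be reset together with the key (a new key with an old window, or an old key with a fresh window, both reopen the replay), and anything older than the window is dropped even if it is genuine, so the window has to be sized for the reordering the network actually produces.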
What are Malicious Software Attacks
• A malicious software attack is a type of software attack in which an
attacker inserts malicious code into a user's system to disrupt or
disable the operating system or an application.
Types of Malicious Software Attacks
Worms:
• A worm is a piece of code that spreads from one computer to other
computers on its own, by creating multiple copies of itself.
• It is a standalone, self-replicating program that spreads via a
network.
• A worm can erase or corrupt files.
• Code Red (2001) is an example; it propagated by exploiting a buffer
overflow in Microsoft IIS web servers.
• Other examples: the Morris Internet worm, the Blaster worm, and the
early Xerox PARC worm experiments.

(Figure: hex dump of the Blaster worm, showing a message left for
Microsoft CEO Bill Gates by the worm's author)
Viruses:

• A virus is code that spreads from one computer to other computers by
attaching itself to other files.

• When a file to which it is attached is opened or executed, the
virus runs and may corrupt or erase files.

• The Melissa virus is an example: it attached itself to MS Word
documents and spread via e-mail.

Trojan Horses:

• A Trojan horse is a useful, or apparently useful, program or command
procedure containing hidden code that, when invoked, performs some
unwanted or harmful function.

• A Trojan horse can be used to accomplish indirectly functions that
an unauthorized user could not accomplish directly.

• For example, changing file permissions so that files are readable
by any user.

• Examples: the Feliz Trojan horse and Back Orifice



Bombs:

• A bomb is code embedded in some legitimate program that is set to
"explode" when certain conditions are met.

• Conditions may be the absence or presence of certain files, a
particular day of the week or date, or any other trigger.

• Once a bomb is triggered, it alters or deletes data or entire files.

• Examples: logic bombs (triggered by a condition) and time bombs
(triggered by a date or time).


Trap doors:

• A trap door is a secret entry point into a program that allows
someone who is aware of it to gain access without going through the
usual security access procedure.

• Trap doors have been used legitimately by programmers to debug and
test programs for many years.

• They become a threat when they are used by unscrupulous programmers
to gain unauthorized access.
Other Types of Malicious Software Attacks

Hijacking Attacks:

• The attacker takes control of (hijacks) a TCP session, after
authentication at the beginning of the session, to gain access to
data or network resources using the identity of a legitimate network
user.

• During a hijacking attack, the attacker can participate in the TCP
session and access the packets as they pass from one host to another.

• The attacker can take control of a TCP session between two hosts,
replace one of the hosts (by disconnecting it), and continue
communicating with the other host as if it were one of the original
parties to the session.
Port Scanning attacks:

• The attacker scans networking components, i.e. computers and other
devices connected to the Internet, to see which TCP and UDP ports and
services on the system are active.

• Port scanning is often the first step taken by an attacker to
determine where system vulnerabilities exist.
Security Countermeasures
• Organization role:
– Proactively look for new security vulnerabilities and threats
– Prerequisite: know the existing threats
– Identify the risks and associated threats
– Minimize the vulnerabilities

• Assigning information security roles and responsibilities
• Establishing information security policies and procedures
• Training staff in the area of information security
Measures for security solution

• Ethical social engineering
• Security awareness and training
• Security penetration tests
• Classifying information
• Strict guidelines for internal and external people
• Non-disclosure of personal identifiers and privileged information
Ethical social engineering (SE)

• Impersonating social engineering attacks
• Preparedness testing against social engineering attacks
• Identify the weak link in the chain
• Investigate and research the skills associated with SE
• Use the information to benefit employees and people
Security penetration tests
• Security alerts and penetration tests:
• To identify vulnerabilities and human security holes
• Examples:
– Password protection policy
– Email policy
– Website and Internet policy
SETA (Security Education, Training and Awareness)
• Educate and raise awareness about SE and its attacks
• Create and conduct dedicated training for defending against social
engineering attacks
• Awareness of identification, prevention and defence mechanisms
• Educate people so that they are less likely to become victims

Simple education goes a long way: the more people are made aware, the
less prone they are to social engineering.
