
Information Security and Vulnerabilities
Outline
• Threats and Vulnerabilities
• Threats Actors/Agents
• Information Security Attacks
• Classification of Attacks
• Hacking Methodology

Threats and Vulnerabilities
What is a Threat?
• A threat is the potential occurrence of an undesirable
event that can eventually damage and disrupt the
operational and functional activities of an organization
• Attackers use cyber threats to infiltrate systems and steal data such as individuals' personal information, financial information, and login credentials

Examples of Threats
• An attacker stealing sensitive data of an organization
• An attacker causing a server to shut down
• An attacker tricking an employee into revealing sensitive
information
• An attacker infecting a system with malware
• An attacker spoofing the identity of an authorized person
to gain access
• An attacker modifying or tampering with the data
transferred over a network
• An attacker remotely altering the data in a database server
• An attacker performing URL redirection or URL forwarding

Threat Sources
• Intentional
◦ Internal: fired employees, disgruntled employees, service providers, contractors
◦ External: hackers, criminals, terrorists, corporate raiders
• Unintentional: unskilled administrators, accidents, untrained employees
• Natural: fires, floods, power failures

Threat Actors/Agents
• Black Hats
• White Hats
• Gray Hats (Do both)
• Suicide Hackers
• Script Kiddies
• Cyber Terrorists
• State-Sponsored Hackers

Attributes of Threat Actors
• Internal threats
◦ Have a higher level of access
• External threats
◦ Have less access; seen as an attack from the outside
• Expertise
◦ The attacker's level of skill
• Resources
◦ Sources of funding and personnel
• Motivation
◦ Politics, war

Threat Vectors
• A threat vector is a medium through which an attacker gains access to a system
◦ Direct access
◦ Removable media
◦ Wireless
◦ Email
◦ Cloud
◦ Ransomware/malware
◦ Supply chain
◦ Business partners

Common Areas of Vulnerability
• Users
• Operating System
• Applications
• Network Devices
• Network Infrastructure
• Internet of Things (IoT)
• Configuration Files

Introduction to Malware
• Malware is malicious software that damages or disables
computer systems and gives limited or full control of
the systems to the malware creator for the purpose of
theft or fraud
• Malware programmers use malware to:
◦ Attack browsers and track websites visited
◦ Slow down systems and degrade system performance
◦ Cause hardware failure, rendering computers inoperable
◦ Steal personal information, including contacts
◦ Spam inboxes with advertising email

Types of Malware
• Trojans
• Viruses
• Ransomware
• Computer Worms
• Rootkits
• PUAs or Grayware
• Spyware
• Keyloggers
• Botnets
• Fileless Malware

What is a Trojan?
• Malicious code is contained inside an apparently harmless program
• Performs predefined actions once the user runs the program
• Indications
◦ Desktop background is changed
◦ Computer screen flips
◦ Antivirus is disabled
◦ Backdoors are created
◦ Data is encrypted
◦ Operating system files are modified

What is a Virus?
• Self-replicating program
• Spreads through file downloads, flash drives, and email attachments
• Purposes
◦ Inflict damage on competitors
◦ Damage networks and computers
◦ Take control of the machine
◦ Financial benefits

Creating a Virus
• Virus can be created in two ways:
◦ Writing a Virus Program
◦ Using Virus Maker Tools

Computer Worms
• Independently replicate, execute, and spread across network connections
• Consume available resources without human interaction

Ref: https://www.wallarm.com/what/what-is-computer-worm
How is a Worm Different from a Virus?
• Infection: a virus infects a system by inserting itself into a file or executable program; a worm infects a system by exploiting a vulnerability in an OS or application and replicating itself
• Effect: a virus alters the way a computer system operates without the knowledge or consent of the user; a worm consumes network bandwidth, system memory, etc., excessively overloading servers and computer systems
• Spread: a virus cannot spread to other computers unless an infected file is replicated and sent to them; a worm can replicate itself and spread using Internet Relay Chat (IRC), Outlook, or other applicable mailing programs after installation on a system
• Speed: a virus spreads at a uniform rate, as programmed; a worm spreads more rapidly than a virus
• Removal: viruses are difficult to remove from infected machines; compared with a virus, a worm can be removed easily from a system

Vulnerability Classification
• Misconfigurations/weak configurations
• Default installations/default configurations
• Application flaws
• Poor patch management
• Design flaws
• Operating system flaws
• Default passwords
• Zero-day vulnerabilities
• Legacy platform vulnerabilities
• System sprawl/undocumented assets
• Improper certificate and key management
• Third-party risks

Misconfigurations
• Misconfiguration is the most common vulnerability and
is mainly caused by human error. It allows attackers to
break into a network and gain unauthorized access to
systems.
◦ Network Misconfigurations
◦ Insecure Protocols
◦ Open Ports and Services
◦ Errors
◦ Weak Encryption
◦ Host Misconfigurations
◦ Open Permissions
◦ Unsecured Root Accounts

Information Security Attacks
Motives, Goals, and Objectives of Information Security Attacks

Attacks = Motive (Goal) + Method + Vulnerability

Classification of Attacks
• Passive Attacks
◦ Do not tamper with the data; involve intercepting and monitoring network traffic and data flow on the target network
◦ Examples include sniffing and eavesdropping
• Active Attacks
◦ Tamper with the data in transit or disrupt the communication or services between systems to bypass or break into secured systems
◦ Examples include DoS, Man-in-the-Middle, session hijacking, and SQL injection
• Close-in Attacks
◦ Performed when the attacker is in close physical proximity to the target system or network in order to gather, modify, or disrupt access to information
◦ Examples include social engineering such as eavesdropping, shoulder surfing, and dumpster diving
• Insider Attacks
◦ Involve using privileged access to violate rules or intentionally cause a threat
◦ Examples include theft of physical devices and planting keyloggers, backdoors, and malware
• Distribution Attacks
◦ Occur when attackers tamper with hardware or software prior to installation, either at its source or in transit
◦ Examples include backdoors created by software or hardware vendors at the time of manufacture

MITRE ATT&CK Framework
• MITRE ATT&CK is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations

Ref: https://digitalguardian.com/blog/threat-hunting-mitres-attck-framework-part-1

Hacking Methodology
• Footprinting and Reconnaissance
• Scanning
• Gaining Access
• Maintaining Access
• Clearing Tracks

Reconnaissance
• Systematic attempt to locate, gather, identify, and
record information about a target
• Also known as footprinting the organization
• Techniques include:
◦ Internet or open-source research
◦ Social engineering
◦ Dumpster diving
◦ Email harvesting


Job Postings

Resumes

Reconnaissance Tools
• Nslookup
• Traceroute
• Ping
• Whois
• Domain Dossier
• Email Dossier
• Google
• Social Networking
• SET
• Maltego

Putting It All Together...
• You’ve collected examples of emails, names, phone
numbers, servers’ addresses, documents, presentations,
and more
• Use the emails to draft potential spearphishing emails
to be more realistic
◦ Use target’s PDF, Word, Excel, and PowerPoint files to embed
malware
◦ Use real employee names, positions, and writing styles to
mimic real email traffic

Scanning and Enumeration
• Scanning: actively connecting to the system and getting a response in order to identify open ports and services
• Enumeration: actively connecting to the systems to determine open shares, user accounts, software versions, and other detailed information

Network-level Attacks
• Reconnaissance Attacks
• Network Scanning
• DNS Footprinting
• Packet Sniffing
• Man-in-the-Middle Attack
• IP Address Spoofing
• Distributed Denial-of-Service Attack (DDoS)
• DNS Poisoning
• Domain Hijacking
• ARP Spoofing Attack
• DHCP Starvation Attack
• DHCP Spoofing Attack
• Denial-of-Service Attack (DoS)
• Malware Attacks

Man-in-the-Middle Attack
• The attacker acts as an intermediary by splitting the connection into two parts
◦ Between the client and the attacker
◦ Between the attacker and the server
• Data passing between the two ends is intercepted along the way
• Tools used include Cain & Abel

DNS Poisoning
• DNS (Domain Name System) translates human-readable names such as "www.google.com" into the "string of numbers" a computer understands, called an IP address
• The attacker alters the records held in the DNS so that traffic is redirected to the attacker's own machine
[Diagram: legitimate records map google.com / www.google.com to 8.8.8.8 and www.facebook.com to 9.9.9.9; after poisoning, www.google.com resolves to 5.5.5.5 (fake) while www.facebook.com still resolves to 9.9.9.9]

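The following Python example is added here and is not from the original slides. It goes one step beyond the diagram by showing the checks a resolver applies before trusting a reply: the reply's transaction ID and question must match the resolver's own outstanding query, and the answer must be for the name that was asked about. Any reply failing these checks is dropped rather than cached, which is what keeps a forged 5.5.5.5 answer from replacing the legitimate 8.8.8.8 record. build_response is a constructed stand-in for both a real server and a forger so the code runs offline; the addresses are the slide's.

```python
import struct

def encode_name(name):
    """Encode a dotted hostname as DNS labels ending in a zero byte."""
    return b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"

def build_query(txid, name):
    """Standard recursive query for one A record."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack(">HH", 1, 1)

def build_response(txid, qname, answer_name, ip):
    """Constructed reply carrying a single A record; stands in for a real
    server (or for a forger that guessed the wrong txid or name)."""
    header = struct.pack(">HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = encode_name(qname) + struct.pack(">HH", 1, 1)
    rdata = bytes(int(o) for o in ip.split("."))
    answer = encode_name(answer_name) + struct.pack(">HHIH", 1, 1, 300, 4) + rdata
    return header + question + answer

def parse_name(msg, off):
    """Parse an uncompressed label sequence; returns (name, offset after it)."""
    labels = []
    while msg[off]:
        n = msg[off]
        labels.append(msg[off + 1:off + 1 + n].decode())
        off += 1 + n
    return ".".join(labels), off + 1

def validate_reply(reply, query):
    """Return the A record's IP only if the reply belongs to this query:
    same transaction ID, same question, and an answer for the queried
    name. Anything else is discarded instead of being cached."""
    exp_txid = struct.unpack(">H", query[:2])[0]
    exp_name, _ = parse_name(query, 12)
    txid, flags, qdcount, ancount = struct.unpack(">HHHH", reply[:8])
    if txid != exp_txid or not flags & 0x8000 or qdcount != 1 or ancount < 1:
        return None
    qname, off = parse_name(reply, 12)
    if qname != exp_name:
        return None
    off += 4  # skip QTYPE and QCLASS of the question section
    aname, off = parse_name(reply, off)
    rtype, _, _, rdlen = struct.unpack(">HHIH", reply[off:off + 10])
    if aname != exp_name or rtype != 1 or rdlen != 4:
        return None
    return ".".join(str(b) for b in reply[off + 10:off + 14])
```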
Denial-of-Service Attack (DoS)
• This type of attack makes the network "slow", "choppy", or "unusable"
• The attacker sends large volumes of data or access requests until the server becomes overloaded
• Attackers use tools such as hping3

Ref: https://bunny.net/academy/network/what-are-distributed-denial-of-service-ddos-attacks/
Application-level Attacks
• Injection Flaws
• Cross-Site Scripting (XSS)
• Application-level DoS Attack
• API Attacks
• Insecure SSL Configuration
• SSL Stripping
• SQL Injection
• Parameter Tampering Attack
• XML Injection
• Invalid Input Attacks
• Login Stuffing Attacks
• API DDoS Attacks

OS-level Attacks
• Password Cracking
• Brute-Force Attack
• Pass-the-Hash (PtH)
• Buffer Overflow
• DLL Hijacking
• Dictionary Attack
• Default Passwords
• Zero-day Attacks
• Privilege Escalation
• Rainbow Table Attack

Password Cracking
• Passwords are normally stored as a digest (a transformation that makes them unreadable)
• Password cracking is an attempt to turn the digest back into a readable password
• Most successful cracks result from passwords that are easy to guess

Types of Password Cracking
• Non-Electronic Attacks
◦ Do not need technical knowledge
• Active Online Attacks
◦ Password cracking by directly communicating with the server
• Offline Attacks
◦ Copy the target's password file and try to crack the passwords
• Dictionary Attack: uses dictionary words as guesses (higher chance of success if the password is simple)
• Brute-Force Attack: tries every possible combination of characters (may take a long time)

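The following Python example is added here and is not from the original slides. It ties the two password slides above together: it shows why a file of unsalted digests lets the Dictionary and Brute-Force approaches recover weak passwords, and the storage change (a random per-user salt with a slow KDF, here PBKDF2 from the standard library) that removes most of that exposure. The word list, user names, and passwords are constructed for the example.

```python
import hashlib
import hmac
import itertools
import os
import string

# Constructed sample data: a small common-word list and a "password file" of
# unsalted SHA-256 digests, the weak Digest form the slide describes.
COMMON_WORDS = ["123456", "password", "letmein", "qwerty", "summer2024"]

def sha256_digest(password):
    return hashlib.sha256(password.encode()).hexdigest()

SAMPLE_FILE = {
    "alice": sha256_digest("letmein"),          # in the word list
    "bob": sha256_digest("zq7"),                # too short
    "carol": sha256_digest("R3d#Squirrel!42"),  # neither weakness
}

def dictionary_audit(digests, wordlist):
    """Dictionary attack run as an audit: report accounts whose digest matches a
    common word. With no salt, one hash per word covers every user (the rainbow-table idea)."""
    lookup = {sha256_digest(w): w for w in wordlist}
    return {user: lookup[d] for user, d in digests.items() if d in lookup}

def brute_force_audit(digests, alphabet=string.ascii_lowercase + string.digits, max_len=3):
    """Brute force run as an audit: try every string up to max_len. Work
    grows as len(alphabet) ** max_len, so only short passwords fall to it."""
    targets = {d: user for user, d in digests.items()}
    found = {}
    for n in range(1, max_len + 1):
        for combo in itertools.product(alphabet, repeat=n):
            guess = "".join(combo)
            d = sha256_digest(guess)
            if d in targets:
                found[targets[d]] = guess
    return found

def store_pbkdf2(password, iterations=600_000):
    """Mitigation: random per-user salt plus a slow KDF. Precomputed tables
    no longer apply and every guess costs `iterations` rounds, not one."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{salt.hex()}${iterations}${dk.hex()}"

def verify_pbkdf2(password, stored):
    salt_hex, iters, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)
```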
Default Passwords

https://www.fortypoundhead.com
https://cirt.net
http://www.defaultpassword.us
https://www.routerpasswords.com
https://default-password.info

Password-Cracking Tools
• John the Ripper

Q&A
