
In the name of Allah, the Most Gracious, the Most Merciful

Information Security 2
Syed Muhammad Mehdi
CS-RCET-UET
Outline

• Attacks
• Passive Attacks
• Active Attack
• Different Categories of Attacks
• How attackers may Attack
• Protect a Network
Threat vs Attack

Threat is a possible danger that might exploit a vulnerability to breach security and therefore cause possible harm. It is a possible danger or vulnerability.
Attack is the action or attempt of an unauthorized action: the implementation of a threat.
A network attack is an attempt to gain unauthorized access to an organization's network, with the objective of stealing data or performing other malicious activity.
Threat Consequences

• Unauthorized disclosure: threat to confidentiality
  • Exposure (release data), interception, inference, intrusion
• Deception: threat to integrity
  • Masquerade, falsification (alter data), repudiation
• Disruption: threat to integrity and availability
  • Incapacitation (destruction), corruption (backdoor logic), obstruction (interfere with communication, overload a line)
• Usurpation: threat to integrity
  • Misappropriation (theft of service), misuse (hacker gaining unauthorized access)
Consequences and Actions

Threat Consequence: Threat Action (Attack)

Unauthorized Disclosure: A circumstance or event whereby an entity gains access to data for which the entity is not authorized.
• Exposure: Sensitive data are directly released to an unauthorized entity.
• Interception: An unauthorized entity directly accesses sensitive data traveling between authorized sources and destinations.
• Inference: A threat action whereby an unauthorized entity indirectly accesses sensitive data (but not necessarily the data contained in the communication) by reasoning from characteristics or byproducts of communications.
• Intrusion: An unauthorized entity gains access to sensitive data by circumventing a system's security protections.

Deception: A circumstance or event that may result in an authorized entity receiving false data and believing it to be true.
• Masquerade: An unauthorized entity gains access to a system or performs a malicious act by posing as an authorized entity.
• Falsification: False data deceive an authorized entity.
• Repudiation: An entity deceives another by falsely denying responsibility for an act.

Disruption: A circumstance or event that interrupts or prevents the correct operation of system services and functions.
• Incapacitation: Prevents or interrupts system operation by disabling a system component.
• Corruption: Undesirably alters system operation by adversely modifying system functions or data.
• Obstruction: A threat action that interrupts delivery of system services by hindering system operation.

Usurpation: A circumstance or event that results in control of system services or functions by an unauthorized entity.
• Misappropriation: An entity assumes unauthorized logical or physical control of a system resource.
• Misuse: Causes a system component to perform a function or service that is detrimental to system security.
Types of Attacks

• Passive Attacks
• Active Attacks
• Insider Attacks
• Outsider Attacks
Passive and Active Attacks
Passive Attack

• Attempts to learn or make use of information from the system but does not affect system resources
• Eavesdropping on, or monitoring of, transmissions
• Goal of attacker is to obtain information that is being transmitted
• Two types:
  • Release of message contents
  • Traffic analysis

Active Attack

• Attempts to alter system resources or affect their operation
• Involve some modification of the data stream or the creation of a false stream
• Four categories:
  • Replay
  • Masquerade
  • Modification of messages
  • Denial of service
Passive Attack

Attackers gain access to a network and can monitor or steal sensitive information, but without making any change to the data, leaving it intact.
A passive attack, in computing security, is an attack characterized by the attacker listening in on communication, or by means of eavesdropping.
A passive attack is a network attack in which a system is monitored and sometimes scanned for open ports and vulnerabilities. The purpose is solely to gain information about the target and no data is changed on the target. Passive attacks include:
• Active reconnaissance
• Passive reconnaissance
Passive Attack [1]
Active Attack

An active attack is a network exploit in which a hacker attempts to make changes to data on the target or data en route to the target.
Attackers not only gain unauthorized access but also modify data, either deleting, encrypting or otherwise harming it.
Some Categories of Attack

• Access
• Modification
• Denial of Service
• Repudiation
• Masquerade Attack
• Back Doors
• Brute Force
• Spoofing
• Session Replay
• Man in the middle attack
• Code and SQL Injection attack
• Insider Threats
1. Access Attack

• An access attack is an attempt to gain information that the attacker is unauthorized to see.
• This attack can occur wherever the information resides or may exist during transmission.
• This type of attack is an attack against the confidentiality of the information.
• Examples:
  • Snooping
  • Eavesdropping
  • Interception
1. Access Attack [1]

• Confidentiality can be compromised through:
  • Snooping
    • Snooping, in a security context, is unauthorized access to another person's or company's data
    • Not necessarily limited to gaining access to data during its transmission
    • Casual observance of an e-mail that appears on another's computer screen or watching what someone else is typing
  • Eavesdropping
    • Being invisible on a public channel can be considered eavesdropping
    • To gain unauthorized access to information, an attacker must position himself at a location where the information of interest is likely to pass by.
1. Access Attack [2]

• Confidentiality can be compromised through:
  • Interception
    • Unlike eavesdropping, interception is an active attack against the information
    • When an attacker intercepts information, he is inserting himself in the path of the information and capturing it before it reaches its destination
    • After examining the information, the attacker may allow the information to continue to its destination or not.
2. Modification Attacks

• A modification attack is an attempt to modify information that an attacker is not authorized to modify.
• This type of attack is an attack against the integrity of the information.
• Integrity can be compromised through:
  • Changes
  • Insertion
  • Deletion
3. Denial of Service Attacks

• DoS attacks are attacks that deny the use of resources to legitimate (authenticated) users of the system, information, or capabilities.
• Any system that is connected to the Internet and is equipped with TCP-based network services is subject to attack.
• In computing, a denial-of-service (DoS) attack is an attempt to make a machine or network resource unavailable to its intended users, such as to temporarily or indefinitely interrupt or suspend services of a host connected to the Internet.
3. Denial of Service Attacks [1]

• flooding a network, thereby preventing legitimate network traffic;
• disrupting a server by sending more requests than it can possibly handle, thereby preventing access to a service;
• preventing a particular individual from accessing a service;
• disrupting service to a specific system or person.
3. Denial of Service Attacks [2]

• DoS attacks can be done against the:
  • Information
  • Applications
  • Systems
  • Communications
Distributed Denial of Service Attack

• A distributed denial-of-service (DDoS) attack is one where the attack source is more than one, often thousands of, unique IP addresses. It is analogous to a group of people crowding the entry door or gate to a shop or business, and not letting legitimate parties enter the shop or business, disrupting normal operations.
• Such an attack is often the result of multiple compromised systems (for example, a botnet) flooding the targeted system with traffic.
• E.g.
  • SMURF Attacks
  • ICMP Flood
Distributed Denial of Service Attack

A botnet (also known as a zombie army) is a number of Internet computers that, although their owners are unaware of it, have been set up to forward transmissions (including spam or viruses) to other computers on the Internet. Any such computer is referred to as a zombie - in effect, a computer "robot" or "bot" that serves the wishes of some master spam or virus originator.
4. Repudiation Attacks

• Repudiation is an attack against the accountability of the information.
• Repudiation is an attempt to give false information or to deny that a real event or transaction should have occurred.
  • An example of this type of attack would be a user performing a prohibited operation in a system that lacks the ability to trace.
• Defined as one party participating in a transaction or communication, and later claiming that the transaction or communication never took place.
5. Back Doors

• A hardware or software-based hidden entrance to a computer system that can be used to bypass the system's security policies.
• Using a known or newly discovered access mechanism, an attacker can gain access to a system or network resource through a backdoor.
5. Back Doors [1]

• There are several ways that back doors can be placed on a computer:
  • Opening an infected e-mail attachment (they are often combined with viruses and worms)
  • Exploiting a vulnerable, unpatched software application or operating system service
  • Active FTP server on the computer (especially one that allows "anonymous" sessions)
6. Brute Force

• Also known as exhaustive key search and password attack.
• Try every possible combination of options of a password.

Brute force attack is a trial-and-error method used to obtain information such as a user password or personal identification number (PIN). In a brute force attack, automated software is used to generate a large number of consecutive guesses as to the value of the desired data.
Determining the Difficulty of a Brute Force Attack

• The difficulty of a brute force attack depends on several factors, such as:
  • How long can the key be?
  • How many possible values can each component of the key have?
  • How long will it take to attempt each key?
  • Is there a mechanism which will lock the attacker out after a number of failed attempts?
• The following measures can be used to defend against brute force attacks:
  • Requiring users to have complex passwords
  • Limiting the number of times a user can attempt to log in
  • Temporarily locking out users who exceed the specified maximum number of login attempts
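The four factors above, worked through in code. This is an added example and not part of the slides: it puts numbers on key length, values per position and guess rate, and shows how a lockout policy (the fourth factor) caps the effective guess rate of an online attacker; the PIN parameters and lockout values are assumed for illustration.

```python
import time

# Added example, not from the slides: quantify the four brute-force factors and
# show a lockout policy that bounds an online guesser's throughput.

def keyspace(values_per_position: int, length: int) -> int:
    """Number of candidate keys: each position can take values_per_position values."""
    return values_per_position ** length


def expected_seconds(values_per_position: int, length: int,
                     guesses_per_second: float) -> float:
    """Average time to hit the right key: half the keyspace at the given guess rate."""
    return keyspace(values_per_position, length) / 2 / guesses_per_second


def expected_seconds_with_lockout(values_per_position: int, length: int,
                                  max_failures: int, lockout_seconds: float) -> float:
    """Against a lockout policy an online attacker gets at most max_failures guesses
    per lockout window, so the effective rate no longer depends on their hardware."""
    return expected_seconds(values_per_position, length, max_failures / lockout_seconds)


class LoginGuard:
    """Per-account counter: after max_failures consecutive failures, refuse further
    attempts (even with the correct password) until lockout_seconds have passed."""

    def __init__(self, max_failures: int = 5, lockout_seconds: float = 300.0,
                 clock=time.monotonic):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.clock = clock            # injectable so the policy can be tested offline
        self.failures = {}            # user -> consecutive failure count
        self.locked_until = {}        # user -> clock value when the lockout ends

    def attempt(self, user: str, password_ok: bool) -> str:
        now = self.clock()
        if self.locked_until.get(user, 0.0) > now:
            return "locked"           # refuse without even evaluating the password
        if password_ok:
            self.failures.pop(user, None)
            return "ok"
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= self.max_failures:
            self.locked_until[user] = now + self.lockout_seconds
            self.failures.pop(user, None)   # counter restarts after the lockout ends
        return "failed"


if __name__ == "__main__":
    # A 4-digit PIN (10 values per position) at 1000 guesses/s, versus the same PIN
    # behind a policy of 5 tries per 5 minutes (assumed values).
    print(keyspace(10, 4), expected_seconds(10, 4, 1000))
    print(expected_seconds_with_lockout(10, 4, 5, 300))
```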
Dictionary

• Another form of the brute force attack.
• Dictionary attack narrows the field by selecting specific accounts to attack and uses a list of commonly used passwords (the dictionary) with which to guess, instead of random combinations.
7. Spoofing

• Is an attempt to gain access to a system by pretending to be an authorized user.
• By gaining the IP address of the trusted host and then modifying the packet headers so that it appears that the packets are coming from that host.
• IP spoofing
• ARP spoofing
• Email spoofing
IP Spoofing

Inserting the IP address of an authorized user into the transmission of an unauthorized user in order to gain illegal access to a computer system. Routers and other firewall implementations can be programmed to identify this discrepancy.
ARP Poisoning

• The principle of ARP spoofing is to send fake, or 'spoofed', ARP messages to an Ethernet LAN. Generally, the aim is to associate the attacker's MAC address with the IP address of another node (such as the default gateway).
• Any traffic meant for that IP address would be mistakenly sent to the attacker instead. The attacker could then choose to forward the traffic to the actual default gateway (passive sniffing) or modify the data before forwarding it (man-in-the-middle attack).
• The attacker could also launch a Denial of Service attack against a victim by associating a nonexistent MAC address to the IP address of the victim's default gateway.
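A defender's view of the same behaviour: a passive detector for the rebinding pattern described above. This is an added example, not code from the slides; it learns the first IP-to-MAC binding seen for each address and alerts when a later ARP reply moves the gateway's IP (or any known IP) to a different MAC. The gateway address and the ARP replies are constructed sample data.

```python
from collections import defaultdict

# Added example, not from the slides: detect ARP spoofing from observed ARP replies.
# Real deployments would feed this from a packet capture; here the replies are
# constructed sample data.

GATEWAY_IP = "192.168.1.1"          # assumed default gateway of the sample LAN

# (timestamp, sender IP, sender MAC) as parsed from ARP "is-at" replies
SAMPLE_REPLIES = [
    (1.0, "192.168.1.1",  "aa:aa:aa:aa:aa:01"),   # legitimate gateway
    (2.0, "192.168.1.20", "aa:aa:aa:aa:aa:20"),   # ordinary host
    (3.0, "192.168.1.1",  "aa:aa:aa:aa:aa:01"),   # gateway again, unchanged
    (4.0, "192.168.1.1",  "bb:bb:bb:bb:bb:99"),   # gateway rebound to a new MAC
    (5.0, "192.168.1.20", "bb:bb:bb:bb:bb:99"),   # same MAC now claims the host too
]


def detect_arp_spoofing(replies, gateway_ip=GATEWAY_IP):
    """Return a list of (timestamp, severity, message) alerts.

    Two heuristics: (1) a known IP answering from a different MAC than first seen,
    critical if it is the gateway; (2) one MAC claiming several IPs, which is what a
    poisoner does when it impersonates both ends of a conversation."""
    bindings = {}                       # ip -> mac first learned
    ips_per_mac = defaultdict(set)      # mac -> set of IPs it has claimed
    alerts = []
    for ts, ip, mac in replies:
        mac = mac.lower()
        ips_per_mac[mac].add(ip)
        known = bindings.get(ip)
        if known is None:
            bindings[ip] = mac
        elif known != mac:
            severity = "critical" if ip == gateway_ip else "warning"
            alerts.append((ts, severity, f"{ip} moved from {known} to {mac}"))
            # keep the original binding so repeated spoofed replies stay visible
        if len(ips_per_mac[mac]) > 1:
            alerts.append((ts, "warning", f"{mac} claims {sorted(ips_per_mac[mac])}"))
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_spoofing(SAMPLE_REPLIES):
        print(alert)
```

Hosts that legitimately hold several addresses (routers, virtualisation hosts) will trip the second heuristic, so an allowlist of such MACs is the usual tuning step.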
Email Spoofing

• Email spoofing is the creation of email messages with a forged sender address.
• The core email protocols do not have any mechanism for authentication, making it common for spam and phishing emails to use such spoofing to mislead or even prank the recipient about the origin of the message.
8. Masquerade Attack

Masquerade takes place when one entity pretends to be another entity.
9. Session Replay

Involves the passive capture of a data unit and its subsequent retransmission to produce an unauthorized effect.
A hacker steals an authorized user's login information by stealing the session ID. The intruder gains access and the ability to do anything the authorized user can do on the website.
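One way a receiver defeats the capture-and-retransmit attack described above, as an added example that is not part of the slides: every message carries a timestamp and a fresh nonce and is authenticated with an HMAC over all three, so a replayed copy is rejected as a duplicate nonce, a delayed copy as stale, and an edited copy as a bad MAC. The shared key, the message format and the time window are assumptions for the example.

```python
import hashlib
import hmac
import time

# Added example, not from the slides: replay-resistant message acceptance.
SHARED_KEY = b"demo-key-not-for-production"   # assumed pre-shared key
MAX_AGE_SECONDS = 30.0                         # assumed freshness window


def sign(body: str, nonce: str, ts: float, key: bytes = SHARED_KEY) -> str:
    """HMAC-SHA256 over timestamp, nonce and body, so none can be changed alone."""
    msg = f"{ts}|{nonce}|{body}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def make_message(body: str, nonce: str, ts: float, key: bytes = SHARED_KEY) -> dict:
    """Sender side: the data unit that would travel over the network."""
    return {"body": body, "nonce": nonce, "ts": ts, "mac": sign(body, nonce, ts, key)}


class ReplayGuard:
    """Receiver side: remembers nonces seen inside the freshness window."""

    def __init__(self, key: bytes = SHARED_KEY, max_age: float = MAX_AGE_SECONDS,
                 clock=time.time):
        self.key = key
        self.max_age = max_age
        self.clock = clock            # injectable so the logic can be tested offline
        self.seen = {}                # nonce -> message timestamp

    def accept(self, msg: dict) -> str:
        now = self.clock()
        # Forget nonces too old to pass the freshness check anyway; this keeps
        # the cache bounded without opening a replay window.
        self.seen = {n: t for n, t in self.seen.items() if now - t <= self.max_age}
        expected = sign(msg["body"], msg["nonce"], msg["ts"], self.key)
        if not hmac.compare_digest(expected, msg["mac"]):
            return "bad-mac"          # forged or tampered data unit
        if abs(now - msg["ts"]) > self.max_age:
            return "stale"            # captured earlier, retransmitted much later
        if msg["nonce"] in self.seen:
            return "replay"           # same data unit retransmitted inside the window
        self.seen[msg["nonce"]] = msg["ts"]
        return "ok"
```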
10. Man in the middle Attack

A man in the middle attack involves attackers intercepting traffic, either between your network and external sites or within your network. If communication protocols are not secured or attackers find a way to circumvent that security, they can steal data that is being transmitted, obtain user credentials and hijack their sessions.
11. Insider Threats

A network is especially vulnerable to malicious insiders, who already have privileged access to organizational systems. Insider threats can be difficult to detect and protect against, because insiders do not need to penetrate the network in order to do harm. New technologies like User and Entity Behavior Analytics (UEBA) can help identify suspicious or anomalous behavior by internal users, which can help identify insider attacks.
12. Code and SQL injection Attacks

Many websites accept user inputs and fail to validate and sanitize those inputs. Attackers can then fill out a form or make an API call, passing malicious code instead of the expected data values. The code is executed on the server and allows attackers to compromise it.
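The failure described above, shown beside its fix. This is an added example, not code from the slides: the same login lookup written by pasting user input into the SQL string, and written with a parameterised query so the input stays data. The table and accounts are constructed sample data held in an in-memory SQLite database.

```python
import sqlite3

# Added example, not from the slides: unvalidated input in SQL versus parameters.


def make_db() -> sqlite3.Connection:
    """Constructed sample data: two accounts in an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "correct horse"), ("bob", "hunter2")])
    return conn


def login_vulnerable(conn: sqlite3.Connection, name: str, password: str) -> list:
    """Input is concatenated into the statement, so a quote in the input ends the
    string literal and whatever follows is parsed as SQL by the server."""
    sql = f"SELECT name FROM users WHERE name = '{name}' AND password = '{password}'"
    return [row[0] for row in conn.execute(sql)]


def login_parameterised(conn: sqlite3.Connection, name: str, password: str) -> list:
    """Placeholders keep user input out of the statement text: the driver binds the
    values after parsing, so quotes in the input are only ever compared as data."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (name, password))]


if __name__ == "__main__":
    conn = make_db()
    # A correct login behaves the same in both versions.
    print(login_vulnerable(conn, "alice", "correct horse"))
    print(login_parameterised(conn, "alice", "correct horse"))
    # A password value that closes the string and appends an always-true clause
    # matches every row in the vulnerable version and nothing in the fixed one.
    crafted = "' OR '1'='1"
    print(login_vulnerable(conn, "alice", crafted))
    print(login_parameterised(conn, "alice", crafted))
```

Storing passwords in plaintext, as this sample table does, is a second defect the example does not address; real systems store salted hashes.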
How can an attack take place?

• Attacker
  • Someone outside your network perimeter who is trying to break in
  • A regular user has an inside view, so the overwhelming majority of attacks originate from inside
• Collecting information
• Probing the network
• Launching an attack
Collecting Information

• XYZ is the user that wants to attack your network.
• Question: Where to start?
• In order to get in, he has to do some investigative work about your network.
• The first thing he can do is to run the "whois" query.
• Live and authoritative
Collecting Information [1]

• Whois
  • Query to the InterNIC.
  • It maintains the publicly accessible database of all registered domains
  • Can be searched with the simple query "whois domainname"
  • "whois pugc.edu.pk"
Collecting Information [2]

• The organizational domain name
• The organizational location
• The organization's administrative contact
• The phone number and fax number of the administrator
• A valid subnet address within the organization
Organization domain name

• It is important because anyone can use it to collect further information
• Any host associated with this name will be extra information
  • www.pugc.edu.pk
  • mail.pugc.edu.pk
• Now these hosts will be used as keywords when forming future queries
Physical location

• Knowing the physical location of the organization
  • Might get a temp job, or offer his consulting services
  • Once he is in, he might be granted a certain level of permission to resources
  • Might try to backdoor into the network
  • Wants to do dumpster diving (Who, What, When, Where and Why)
    • Dumping sensitive information in the trash
    • Writing passwords in temporary places
    • Not separating trash from the rest for recycling
Admin Contact

• Individual responsible for maintaining the network.
• This is very useful for physical hacking
• For example, he calls as a member of the help desk and asks, "Hey! You have asked me to check a certain account of yours, there are some problems, what is your password?"
• Dangerous for organizations that do not have the tendency to change passwords frequently
• Email is also a valid attack vector for this contact, for sending spoofed mail that contains some hostile code.
Valid subnet address

• The last piece of information from whois is an IP address entry for the domain.
• Getting an IP address in the same subnet ensures that the others will be in the same place
• So an IP spoofing attack can be sent
Probing the Network

• After getting enough information about the network, the attacker may try to search for the desired network.
• And after that he may observe the traffic type, flow and other such things and analyze the best time to commit the attack.
Launching the Attack

• After gaining information and finding the suitable attack time, the attacker may finally launch the attack.
Protect a Network
How to Protect Network [1]

Segregate Your Network

A basic part of network security is dividing a network into zones based on security requirements. This can be done using subnets within the same network, or by creating Virtual Local Area Networks (VLANs), each of which behaves like a completely separate network. Segmentation limits the potential impact of an attack to one zone and requires attackers to take special measures to penetrate and gain access to other network zones.
How to Protect Network [2]

Regulate Access to the Internet via Proxy Server

Do not allow network users to access the Internet unchecked. Pass all requests through a transparent proxy and use it to control and monitor user behavior. Ensure that outbound connections are actually performed by a human and not a bot or other automated mechanism. Whitelist domains to ensure corporate users can only access websites you have explicitly approved.
How to Protect Network [3]

Place Security Devices Correctly

Place a firewall at every junction of network zones, not just at the network edge. If you can't deploy full-fledged firewalls everywhere, use the built-in firewall functionality of your switches and routers. Deploy anti-DDoS devices or cloud services at the network edge. Carefully consider where to place strategic devices like load balancers.
How to Protect Network [4]

Use Network Address Translation

Network Address Translation (NAT) lets you translate internal IP addresses into addresses accessible on public networks. You can use it to connect multiple computers to the Internet using a single IP address. This provides an extra layer of security, because any inbound or outgoing traffic has to go through a NAT device, and there are fewer IP addresses, which makes it difficult for attackers to understand which host they are connecting to.
How to Protect Network [5]

Monitor Network Traffic

Ensure you have complete visibility of incoming, outgoing and internal network traffic, with the ability to automatically detect threats, and understand their context and impact. Combine data from different security tools to get a clear picture of what is happening on the network, recognizing that many attacks span multiple IT systems, user accounts and threat vectors.
Table 1.4 Security Requirements (FIPS 200)

(Table can be found on pages 16-17 in the textbook.)


Fundamental Security Design Principles

• Economy of mechanism
• Fail-safe defaults
• Complete mediation
• Open design
• Separation of privilege
• Least privilege
• Least common mechanism
• Psychological acceptability
• Isolation
• Encapsulation
• Modularity
• Layering
• Least astonishment
The End
