Chapter 3 - Risks, Threats and Vulnerabilities


Information system security
Yessuf Addis (MSc, Computer Science)
Addis Ababa University
Chapter 3 - Malicious Attacks, Threats and Vulnerabilities
Chapter Goals
• Identify malicious software and implement countermeasures
• Identify common attacks and develop appropriate countermeasures
• Recognize social engineering and reduce the risks associated with it
• Identify threats and types of attacks on wireless networks
• Identify threats and types of attacks on web applications
Chapter topics
• What the global scope of cyberattacks is
• What you are trying to protect
• Whom you are trying to catch
• What kinds of tools are used to attack computer systems
• What a security breach is
• What risks, vulnerabilities, and threats are
• What malware is
• What a malicious software attack is
• What a social engineering attack is
• What a wireless network attack is
• What a web application attack is
• What countermeasures are

Malicious activity on the rise
• Different malicious attacks and data breaches everywhere
  • Hacking of email accounts
  • Theft of millions of payment card records
  • A company-wide virus attack set off by clicking a ‘harmless’ email link, etc.
• Many victims of cyber attacks don’t publicize attack incidents. Often, the only people who ever know about these attacks are security professionals and IT personnel.
• Origins of cyber attacks are difficult to pinpoint. This is particularly true if botnets are used to perform the actual attack.
  • A botnet is a group of internet-connected computers under the control of a remote hacker.
• Transitive access is another attack approach that makes detecting the origins of attacks difficult.

What are you trying to protect?
• You are trying to protect assets. An asset is any item that has value to an organization, including:
  • Customer data
    • Name, address, phone, social security number (SSN), date of birth, cardholder data, protected health care information
  • IT assets and infrastructure
    • Hardware, software and services
  • Intellectual property
    • Sensitive data such as patents, source code, formulas or engineering plans
  • Finance and financial data
    • Bank accounts, credit card data, and financial transactions
  • Service availability and productivity
    • The ability of computing services and software to support productivity for humans and machinery
  • Reputation
    • Corporate compliance and brand image

Whom are you trying to catch?
• In the computing community, the word hacker generally describes a person who enjoys exploring and learning how to modify something, particularly related to computer systems.
• Categories of hackers
  • White-hat hackers (ethical hackers): IS security professionals who identify vulnerabilities and perform penetration testing so that the weaknesses can be fixed.
  • Gray-hat hackers: a hacker who identifies vulnerabilities but won’t exploit them, or a hacker who breached your system without authorization but with no evil intentions.
  • Black-hat hackers: break into your system and exploit weaknesses in the system.
• Note: crackers have hostile intent and are involved in fraud, theft of data, destruction of data, blockage of access, and other malicious activities.

Attack tools
• Knowing how an attack is conducted and what tools are used will help you build a defense plan.
• Computer criminals and cyberattackers use a number of hardware and software tools to discover exploitable weaknesses and other tools to perform the actual attack.
• These tools and techniques include the following:

• Protocol analyzers/packet sniffers
  • Used for monitoring and capturing network traffic.
  • They decode the frames and IP data packets, allowing you to see data in clear text if it has not been encrypted.
• Port scanners
  • Used to scan IP host devices for open ports or applications and services that have been enabled.
• OS fingerprint scanners
  • A software program that allows an attacker to send a variety of packets to an IP host device, hoping to determine the target device’s operating system from the responses.
  • Vulnerabilities and exploits can be identified once the OS is known.

• Vulnerability scanners
  • A software program that is used to identify and possibly verify vulnerabilities on an IP host device.
  • The vulnerabilities found are compared with the known vulnerabilities in databases.
  • They list known software vulnerabilities and prioritize them as critical, major and minor.
  • Check https://cve.mitre.org
• Exploit software
  • An application that incorporates known software vulnerabilities, data, and scripted commands to exploit a weakness.
  • Used to carry out malicious intents such as a denial of service attack, unauthorized access, a brute-force password attack, buffer overflow, etc.
  • Also used for performing vulnerability assessments and intrusive penetration testing.

• Wardialers
  • A computer program that dials telephone numbers, looking for a computer on the other end.
  • It logs and enters into a database those numbers that successfully connect to a modem.
• Password crackers
  • A software program that carries out a brute-force password attack to gain unauthorized access to a system, or to recover passwords stored as a cryptographic hash on a computer system.
  • In a brute-force password cracking attack, an attacker tries every possible character combination until the cracked password succeeds in granting access.
  • In a dictionary password attack, a subset of a brute-force attack, hackers try shorter and simpler combinations, including actual words.

• Keystroke loggers
  • A type of surveillance software or hardware that can record to a log file every keystroke a user makes with a keyboard.
  • Employers might use them to ensure that employees use work computers for business purposes only.
  • Keystroke logger software is usually disguised as a trojan horse.
  • They can be implemented as spyware as well.

What is a security breach?
• Any event that results in a violation of any of the confidentiality, integrity or availability (CIA) security tenets is a security breach.
• Some are carried out on purpose and others are accidental.
• Activities that can cause a security breach include:
  • Denial of service (DoS) attacks
  • Distributed denial of service (DDoS) attacks
  • Unacceptable web-browsing behavior
  • Wiretapping
  • Use of a backdoor to access resources
  • Accidental data modifications

• Denial of service attacks
  • These attacks result in downtime or the inability of an authorized user to access a system.
  • A DoS attack is a coordinated attempt to deny service by occupying a computer with large amounts of unnecessary tasks.
  • This can happen when a disk fills up, the system locks an account out, a computer crashes, or a CPU slows down.
  • Two common types of DoS attacks are as follows:
    • Logic attacks: use software flaws to crash or seriously hinder the performance of remote servers. You can prevent many of these attacks by installing the latest patches to keep your software up to date.
    • Flooding attacks: overwhelm the victim computer’s CPU, memory or network resources by sending large numbers of useless requests to the machine.

• One of the best defenses against DoS attacks is to use IPS software or IDS systems.
• Distributed denial of service attacks
  • A type of DoS attack that overloads computers and prevents legitimate users from gaining access.
  • This attack comes from a huge number of sources and is the most dangerous one.
  • In a DDoS attack, attackers hijack hundreds or even thousands of Internet computers, planting automated attack agents on those systems. The attacker then instructs the agents to bombard the target site with forged messages. This overloads the site and blocks legitimate traffic.
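The IDS-style detection mentioned above, as an added example that is not from the original slides: a sliding-window request counter run over a constructed access log, raising one alert for a single-source flood and a second for a many-source (DDoS-style) flood whose individual hosts each stay below the per-source limit. The log format, addresses and thresholds are all constructed.

```python
from collections import defaultdict, deque

# Constructed sample access log (not real traffic), one request per line:
# "<epoch_seconds> <source_ip> <request>". 203.0.113.9 floods alone at t=1000-1002;
# seven distinct 198.51.100.x hosts each send one request at t=1010-1011.
SAMPLE_LOG = """\
1000 10.0.0.5 GET /index.html
1000 203.0.113.9 GET /
1000 203.0.113.9 GET /
1001 203.0.113.9 GET /
1001 203.0.113.9 GET /
1002 203.0.113.9 GET /
1010 198.51.100.1 GET /
1010 198.51.100.2 GET /
1010 198.51.100.3 GET /
1010 198.51.100.4 GET /
1011 198.51.100.5 GET /
1011 198.51.100.6 GET /
1011 198.51.100.7 GET /
"""

def parse_log(text):
    """Yield (timestamp, source_ip) for each non-empty line of the constructed log."""
    for line in text.splitlines():
        if line.strip():
            ts, src, _request = line.split(" ", 2)
            yield int(ts), src

def detect_floods(events, window=3, per_source_max=4, total_max=6):
    """Return (kind, source, timestamp) alerts for request floods.

    per_source_max catches one host hammering the server (classic DoS);
    total_max catches many hosts that each stay under the per-source limit
    but together overload the server (DDoS-style). Each is reported once.
    """
    per_source = defaultdict(deque)
    all_events = deque()
    alerted, alerts = set(), []
    for ts, src in events:
        for q in (per_source[src], all_events):
            q.append(ts)
            while q[0] <= ts - window:  # expire events older than the window
                q.popleft()
        if len(per_source[src]) > per_source_max and src not in alerted:
            alerted.add(src)
            alerts.append(("source-flood", src, ts))
        if len(all_events) > total_max and "*" not in alerted:
            alerted.add("*")
            alerts.append(("aggregate-flood", "*", ts))
    return alerts
```

Running `detect_floods(parse_log(SAMPLE_LOG))` reports the single flooding host at t=1002 and the aggregate flood at t=1011, while the legitimate host 10.0.0.5 is never flagged.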

• Unacceptable web browsing
  • A violation of an organization’s AUP, such as an employee’s unacceptable web browsing, can itself be a security breach.
  • Examples: unauthorized users searching files or storage directories for data and information they are not supposed to read, or users simply visiting prohibited websites.
• Wiretapping
  • Attackers can tap telephone lines and data communication lines.
  • It can be active, where the attacker makes modifications to the line.
  • It can be passive, where the unauthorized user simply listens to the transmission or copies the data without changing the contents.
• Backdoors
  • Software developers sometimes include hidden access methods called backdoors in their programs. Backdoors give developers or support personnel easy access to a system without having to struggle with security controls.
  • Attackers can use them to bypass existing security controls such as passwords if the backdoors do not stay hidden.

• Data modifications
  • Data that are purposely or accidentally modified impact the integrity tenet of information systems security.
  • The best way to avoid data modification issues is to validate data before storing it and to ensure that your programs adhere to strict data integrity rules.

• Additional Security Challenges
  • Additional challenges to ensuring safe and secure communications can originate from spam, hoaxes, spyware and even local information stored by web browsers.
• Spam
  • Spam is unwanted email.
  • Most spam is commercial advertising—often for get-rich-quick schemes, dubious products, or other services.
  • Processing large volumes of unwanted messages is expensive.
  • The receiving user wastes administrative time on cleanup and monitoring of their received messages.
  • Recently, spam has become a way for criminals to solicit individual and company information and to plant trojan horses and other malware on user computers.

• Phishing email
  • A fake or bogus email that tricks the recipient into clicking an embedded URL link or opening an email attachment.
• Hoaxes
  • A hoax is some act intended to deceive or trick the receiver. Hoaxes don’t infect systems the way viruses do, but dealing with them is time-consuming.

• Cookies
  • A cookie is simply a text file that contains details gleaned from past visits to a website.
  • When a web server tracks a user’s history, it stores a cookie on the user’s hard drive.
  • Later, when the user sends a request, the server can access the cookie instead of requiring that the user re-enter the information.
  • Since some sloppy sites store sensitive information such as credit card details or flight information in cookies, this can compromise privacy.
  • You can delete cookies at any time or change your browser’s settings not to accept them.

Threat Types
• The three major threat types, each directly threatening one of the CIA tenets, are
  • Disclosure threats
  • Alteration threats
  • Denial or destruction threats
• Disclosure threats
  • Occur any time an unauthorized user accesses private or confidential information that is stored in a network resource or while it is in transit between network resources.
  • The techniques for this threat include
    • Sabotage: destruction of property or obstruction of normal operations.
    • Espionage: spying to obtain secret information; this is a silent attack.

• Alteration threats
  • Violate information integrity.
  • Compromise a system by making unauthorized changes to data on a system, either intentionally or unintentionally.
  • Modifications to system configurations compromise the integrity of resources.
    • Modification of database files, operating systems, application software or hardware devices.
  • Techniques to track or audit these changes, or change management systems, can help to avert such problems.

• Denial or destruction threats
  • Make an asset or resource unavailable or unusable to authorized users.
  • This violates the availability tenet of information security.
  • DoS and DDoS attacks are examples of these threats.
    • For instance, a port that supports a critical resource such as your website is flooded with requests in a DoS attack and is unavailable for a specific period of time.

What is a malicious attack?
• An attack on a computer system or an asset succeeds by exploiting a vulnerability in a system.
• An attack is an exploitation of a vulnerability in a system.
• Four general categories of attacks
  • Fabrications: the creation of some deception to trick unsuspecting users.
  • Interceptions: eavesdropping on transmissions and redirecting them for unauthorized use.
  • Interruptions: cause a break in a communication channel, which blocks the transmission of data.
  • Modifications: alteration of data contained in transmissions or files.

• An attack can be an active or a passive one.
  • Active attack: involves modification of the data stream or attempts to gain unauthorized access to computers and networking systems.
  • Passive attack: the attacker doesn’t make changes to the system but eavesdrops on and monitors transmissions.

What is malicious software?
• Malicious software or malware
  • Software that infiltrates one or more target computers and can cause damage or disruption, escalate security privileges, divulge private data, modify data, delete data, etc.
• Malware exists in two main categories
  • Infecting programs: actively attempt to copy themselves to other computers.
    • Viruses and worms
  • Hiding programs: hide in the computer, carrying out the attacker’s instructions while avoiding detection.
    • Trojan horses
    • Rootkits
    • Spyware

• Viruses: attach themselves to or copy themselves into another program. They trick a computer into following instructions not intended by the original program developer.
• Worms: self-contained or standalone programs that replicate and send copies of themselves to other computers, generally across a network, without any user input or action.
  • They reduce network availability by using up bandwidth.
• Trojan horses: masquerade as useful programs. They look like programs that perform useful tasks, but they hide malicious code.

• Rootkits: provide attackers with easy access to computers; they modify parts of the operating system to conceal traces of their presence.
  • They can be detected using a host-based IDS.
• Spyware: threatens the confidentiality of information.
  • Gathers information about a user through an internet connection.
  • Gathers information such as email addresses, passwords and credit card numbers.

What is a countermeasure?
• You must focus on countermeasures that detect vulnerabilities, prevent attacks and respond to the effects of successful attacks.
• Dealing with computer and network attacks is a cost of doing business in the IT field.
• The best strategy is to identify vulnerabilities and reduce them to avoid attacks in the first place.
• You can respond to attacks by developing plans to rapidly restore computer network resources if they are attacked, closing holes in your organization’s defenses, and obtaining evidence for prosecution of offenders.
• Responding to attacks involves planning, policy and detective work.

• Security incident response teams (SIRTs)
  • A special team to handle security incidents when they occur.
  • They know how to recognize incidents and respond to them in a way that minimizes damage and preserves evidence for later action.
• The most common countermeasures we can take to protect our IT infrastructure include
  • Countering malware
  • Protecting your system with firewalls

• Countering malware
  • Anti-malware measures are the first line of defense against attacks.
  • It is better to prevent malware than to have to fix damage caused by malware.
  • General tips for preventing malware
    • Create an education (information security awareness) program to keep your users from installing malware on your system.
    • Post regular bulletins about malware problems.
    • Never transfer files from unknown or untrusted sources unless the computer has an anti-malware utility installed.
    • Test new programs or open suspected files on a quarantine computer, one that is not connected to any part of your network, before introducing them to the production environment.

    • Install anti-malware software and make sure the software and its data are current.
    • Schedule regular malware scans.
    • Use a secure logon and authentication process.
    • Stay abreast of developments in malware in order to counter it.
      • Check staysafeonline.org (National Cyber Security Alliance, NCSA)
    • Run an anti-malware update and scan with every logon.
    • If you find malware on your system, you must scan all your systems, including storage devices, for its presence.

• Protecting your system with firewalls
  • Firewall: a program or a dedicated hardware device that inspects network traffic passing through it.
  • Denies or permits the traffic based on a set of rules.
  • Regulates traffic between computer networks.
    • Example: between the LAN-to-WAN domain and the WAN domain.
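A toy first-match rule evaluator for the firewall behaviour described above, added here as an example and not taken from the slides: it permits or denies constructed packets crossing between the LAN-to-WAN domain and the WAN domain, falls through to a default deny, and also flags rules that an earlier, broader rule makes unreachable, a common rule-set misconfiguration. Zone names, rules and packets are constructed and follow no vendor's syntax.

```python
ANY = "*"
FIELDS = ("src_zone", "dst_zone", "proto", "dst_port")

def rule(src_zone, dst_zone, proto, dst_port, action):
    return dict(zip(FIELDS, (src_zone, dst_zone, proto, dst_port)), action=action)

def packet(src_zone, dst_zone, proto, dst_port):
    return dict(zip(FIELDS, (src_zone, dst_zone, proto, dst_port)))

# Constructed rule set for the LAN-to-WAN boundary (not any vendor's syntax).
# Rules are tried top-down and the first match wins; unmatched traffic is denied.
RULES = [
    rule("LAN", "WAN", "tcp", 443, "permit"),  # outbound HTTPS
    rule("LAN", "WAN", "udp", 53, "permit"),   # outbound DNS
    rule("WAN", "LAN", "tcp", 25, "permit"),   # inbound mail to the internal relay
    rule("WAN", "LAN", ANY, ANY, "deny"),      # explicit catch-all for inbound
    rule("WAN", "LAN", "tcp", 22, "permit"),   # appended later: never fires (shadowed)
]

def matches(r, pkt):
    """A rule field matches when it is the wildcard or equals the packet's field."""
    return all(r[f] == ANY or r[f] == pkt[f] for f in FIELDS)

def evaluate(rules, pkt, default="deny"):
    """Return (action, index of the rule that fired); index is None when the default applied."""
    for i, r in enumerate(rules):
        if matches(r, pkt):
            return r["action"], i
    return default, None

def covers(broad, narrow):
    """True when every packet matching `narrow` would also match `broad`."""
    return all(broad[f] == ANY or broad[f] == narrow[f] for f in FIELDS)

def shadowed_rules(rules):
    """Indices of rules that can never fire because an earlier rule covers them."""
    return [j for j, r in enumerate(rules) if any(covers(rules[i], r) for i in range(j))]
```

With this rule set, inbound SSH from the WAN is denied by rule 3 even though rule 4 was meant to permit it, and `shadowed_rules(RULES)` points at rule 4 as the one that can never fire.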
