
GCSE J277 Unit 1.4 | Network security Craig’n’Dave

Specification and learning objectives


By the end of this topic, you will have studied:
• Forms of attack: Malware, social engineering (e.g., phishing, people as a weak point), brute-force attacks, denial-of-service attacks, data interception and theft, the concept of SQL injection
• Common prevention methods: Penetration testing, anti-malware software, firewalls, user access levels, passwords, encryption, physical security

Resources
We recommend the OCR-endorsed textbook from PG Online for use during your GCSE studies.
Craig ‘n’ Dave videos for SLR 1.4

The Hacker's Handbook: Front cover



The Hacker's Handbook: Page 1 – Malware

Software written to infect computers, allowing you to conduct fraud and identity theft.
Malware is big business in our world. Fools engaging in web surfing, shopping,
banking, email, instant messaging and gaming without proper protection are the target.

Anti-malware software may be installed, but it may not be up-to-date.

Your best approach is ransomware. Send your victim an email with a trojan that encrypts their
files. Make sure the attachment is something they are likely to open such as invoice.vbs. Then
send them another email demanding payment to unlock the files and watch the cash roll in.
Whether you choose to unlock their files afterwards is up to you.

Evgeniy Bogachev, The Master of Malware, made $300,000,000 in 100 days using CryptoLocker.

The Hacker's Handbook: Page 2 – Social engineering (phishing)

Sending emails purporting to be from reputable companies, designed to incite people to reveal their personal information.
Want access to a bank account? Credit card details? Password? Then get phishing.

From: uec_100@hotmail.com
To: noreply@hotmail.com
Subject: Your account will be deactivated

Dear email user,

This is to inform you that on 4th March, Steam will discontinue your account, and your purchases will be lost unless you update your security settings. Click here to update now.

Thank you.
Steam

Doing it right
• Use a company logo
• Tell them their account is at risk.
• Tell them to act now.
• Give them a URL to click – everyone likes a quick link.
• Watch your spelling and grammar. Your email has to look genuine.

[Chart: Phishing is big money, 2005 to 2016]

The Hacker's Handbook: Page 3 – Brute-force attack

A trial-and-error method of attempting to crack a password. Automated software is used to generate a continuous stream of guesses.
A brute-force attack is an easy way to gain access to a secure system. Most people have passwords that are easy
to guess or crack. Sites to avoid include those using lock-out policies, progressive delays and challenge response.

Most popular passwords
123456
123456789
qwerty
12345678
111111
1234567890
1234567
password

A dictionary hack attempts every word in the dictionary. It can be effective because many people use passwords that are ordinary words or simple variations of common words.

If you know something about the user you are trying to hack, try their surname, family members, favourite football club, etc.
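
The lock-out policy and progressive delays named on this slide, shown from the defender's side. This is an added example, not part of the original slides: the LoginGuard class, the limit of 5 failures and the 1-second starting delay are assumptions, and time is simulated so the code runs instantly.

```python
import hmac
from collections import Counter

# The slide's most popular passwords, used here as a deny-list.
COMMON = {"123456", "123456789", "qwerty", "12345678",
          "111111", "1234567890", "1234567", "password"}
MAX_FAILURES = 5   # lock-out policy (assumed value)
BASE_DELAY = 1.0   # progressive delay in seconds: 1, 2, 4, 8 ... (assumed)

def acceptable_password(candidate, min_length=8):
    """Password rule: long enough and not on the popular list."""
    return len(candidate) >= min_length and candidate.lower() not in COMMON

class LoginGuard:
    """Tracks failed logins for one account. A real system would store a
    salted hash of the password rather than the password itself."""

    def __init__(self, password):
        self.password = password.encode()
        self.failures = 0
        self.next_allowed = 0.0   # earliest time another guess is checked

    def attempt(self, guess, now):
        """Return 'ok', 'wrong', 'wait' or 'locked' for one attempt."""
        if self.failures >= MAX_FAILURES:
            return "locked"        # stays locked until an admin resets it
        if now < self.next_allowed:
            return "wait"          # too soon: the guess is not even checked
        if hmac.compare_digest(guess.encode(), self.password):
            self.failures = 0
            return "ok"
        self.failures += 1
        self.next_allowed = now + BASE_DELAY * 2 ** (self.failures - 1)
        return "wrong"

def simulate(guard, guesses, interval):
    """Feed a stream of guesses, one every `interval` seconds, and count
    the outcomes. Time is simulated, so nothing actually sleeps."""
    return Counter(guard.attempt(g, i * interval)
                   for i, g in enumerate(guesses))

if __name__ == "__main__":
    guard = LoginGuard("correct horse battery")
    stream = [f"guess{i}" for i in range(40)]   # constructed wrong guesses
    print(dict(simulate(guard, stream, interval=0.5)))
    print(acceptable_password("qwerty"), acceptable_password("1234567890"))
```

Of 40 automated guesses sent half a second apart, only 5 are ever checked against the password before the account locks.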

The Hacker's Handbook: Page 4 – Denial-of-service attack

Flooding a server with traffic so it is unable to process legitimate requests.


DoS attacks really annoy the big firms. Taking down company servers can cause massive revenue losses!

The secret here is to use malware to distribute software to zombie computers that can be triggered to send lots of requests to a server.

Hopefully, the network manager won’t have installed a firewall, additional anti-DoS modules on the server or be monitoring network traffic.

The Hacker's Handbook: Page 5 – Data interception and theft

The unauthorised act of stealing computer-based information.


These methods will allow you to obtain usernames,
passwords and other sensitive information from
individuals and companies. Keep an eye out for
passwords written on Post-It notes, printed documents
lying around or computers left unlocked.

Watch out for encryption, VPNs and network forensics.



The Hacker's Handbook: Page 6 – SQL injection

A technique used to view or change data in a database by inserting additional code into text boxes.

If a database has not been programmed using modern techniques, you may be able to output, modify or delete
records by entering SQL code into the text boxes intended for users to search the database.

Try these snippets of code:

' OR '1'='1
Outputs all the records in the table.

a';DROP TABLE users; SELECT * FROM userinfo WHERE 't' = 't
Deletes the table named users, creating havoc in the system.

Learn the SQL language to understand how to manipulate databases.
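
What "modern techniques" means here, as an added example that is not part of the original slides: the same search written with string concatenation and with a parameterised query. The database is an in-memory SQLite table with constructed rows; the function names are assumptions, and the table name userinfo is borrowed from the slide.

```python
import sqlite3

def make_db():
    """Build an in-memory database with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE userinfo (name TEXT, email TEXT)")
    db.executemany("INSERT INTO userinfo VALUES (?, ?)",
                   [("alice", "alice@example.com"),
                    ("bob", "bob@example.com"),
                    ("carol", "carol@example.com")])
    return db

def search_concatenated(db, name):
    """Older style: the search text is pasted into the SQL string,
    so quote characters in the input become part of the query."""
    sql = "SELECT name FROM userinfo WHERE name = '" + name + "'"
    return [row[0] for row in db.execute(sql)]

def search_parameterised(db, name):
    """Modern style: the ? placeholder sends the input as a value,
    so it is only ever compared with the name column."""
    sql = "SELECT name FROM userinfo WHERE name = ?"
    return [row[0] for row in db.execute(sql, (name,))]

if __name__ == "__main__":
    db = make_db()
    snippet = "' OR '1'='1"   # first snippet from the slide
    for text in ("bob", snippet):
        print(repr(text))
        print("  concatenated :", search_concatenated(db, text))
        print("  parameterised:", search_parameterised(db, text))
```

With the parameterised version the snippet is treated as an odd-looking name that matches nobody, so no records are returned.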



The Hacker's Handbook: Back cover

Hacking is a crime.

People as a weak point in secure systems

Social engineering refers to the psychological manipulation of people into taking unusual actions or divulging confidential information. It is a type of confidence
trick for the purpose of information gathering, fraud or unauthorised system access. It is often one of many steps in a more complex fraud operation.

Mistakes people make with system security:
• Not installing operating system updates.
• Not keeping anti-malware up-to-date.
• Not locking doors to server/computer rooms.
• Not logging off.
• Leaving printouts containing sensitive information lying around.
• Writing passwords down on sticky notes attached to computers.
• Sharing passwords.
• Using easy-to-guess passwords.
• Not encrypting data on portable media.
• Not applying security to networks – e.g., VPN, WPA2.
• Not understanding network policies or implementing them poorly.
• Not training staff to protect themselves against phishing attacks.

People as a weak point in secure systems

TAKE CYBERSECURITY SERIOUSLY!
• DON’T write passwords down
• DON’T use obvious passwords
• DON’T tell anyone your password

Common prevention methods to forms of attack


User access levels – what is it?
The easiest way to prevent unauthorised access to a network is to set up different user access levels – you probably have this at school. Computers are shared so anyone can log into them. Only someone with a valid account and the correct username and password will be able to gain access.

The network manager might insist on password rules such as minimum length. On top of this, they can choose which areas of the system users can access with their access level. For example, students may only see certain files and folders while teachers and finance staff can see others.

When it would be used:
When a user wants to log into a school or company network. To check a user has a valid account for an online system. To ensure certain types of users only have access to relevant information.

Encryption – what is it?
The process of turning plain text into an unreadable form. It does not prevent hacking, but it does make the data impossible to read. Plain text is encrypted into a cyphertext using an encryption algorithm and unique key. Only someone with the appropriate key can translate the cyphertext back into plain text.

There are many types of encryption algorithms out there – a very simple, early example is the Caesar shift cipher. Banks and online checkouts use far more complex encryption algorithms.

When it would be used:
Any situation when it is necessary to make data unreadable by unauthorised sources – for example, transmitting sensitive data like passwords, credit/debit card numbers, bank details, etc.

Firewall – what is it?
A firewall is a piece of software or hardware (sometimes both) configured to let only certain types of traffic through it. It can be set up to prevent unwanted internet traffic from gaining access to a LAN or people inside a LAN from accessing parts of the internet the company does not want them to.

It can block certain ports and types of traffic and can inspect the contents of data travelling across it to check if it looks suspicious. Operating systems and home routers come with built-in firewalls, but more sophisticated ones are available to purchase.

When it would be used:
Operating systems come with a pre-installed firewall, as do home routers. Schools and large organisations such as banks and government organisations use firewalls.
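
The Caesar shift cipher named under Encryption above, as an added example that is not part of the original slides. It shows the key turning plain text into cyphertext and back, and why banks need something stronger: there are only 25 useful keys. The function names and the sample message are assumptions.

```python
import string

ALPHABET = string.ascii_uppercase

def caesar(text, key):
    """Shift each letter `key` places along the alphabet; anything
    that is not a letter is left alone. A negative key decrypts."""
    out = []
    for ch in text.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + key) % 26])
        else:
            out.append(ch)
    return "".join(out)

def all_decryptions(cyphertext):
    """Only 25 useful keys exist, so every one of them can be tried.
    Returns a dictionary of key -> candidate plain text."""
    return {key: caesar(cyphertext, -key) for key in range(1, 26)}

if __name__ == "__main__":
    message = "MEET AT NOON"            # constructed sample plain text
    secret = caesar(message, 3)         # encrypt with key 3
    print("cyphertext :", secret)
    print("right key  :", caesar(secret, -3))
    print("wrong key  :", caesar(secret, -4))
    # A modern cipher has far too many keys to list like this.
    for key, guess in all_decryptions(secret).items():
        print(key, guess)
```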

Common prevention methods to forms of attack


ANTI-MALWARE SOFTWARE
Anti-malware software protects against infections caused by the many types of malware including viruses, worms, trojans, rootkits, spyware, key loggers, ransomware and adware.

PASSWORDS
This very common method of preventing unauthorised access requires users to enter a password to gain access. Passwords can be made more secure by implementing rules such as minimum length.

PHYSICAL SECURITY
Any form of real-world physical security that helps protect data and systems – e.g., alarms, locks, keypad entry, cameras, security patrols, etc.

PENETRATION TESTING
Testing to check system security and identify vulnerabilities.

Black-box penetration testing
Attempting to gain access to resources without knowledge of usernames, passwords and other normal means of access. Simulates an external attack.

White-box penetration testing
Simulates an attack by a malicious insider with knowledge of and often basic credentials for the system.
