Computer Threat

1 Chapter TWO
 Introduction
2
 Malicious code is code inserted in a software system or web script intended to
cause undesired effects, security breaches, or damage to a system.
 Taking advantage of common system vulnerabilities,
 malicious code examples include

computer viruses,

worms,

Trojan horses,

logic bombs,

spyware,

adware, and

backdoor programs.
 Malicious code
3

 Visiting infected websites or clicking on a bad email link or

attachment are ways for malicious code to sneak its way into a system.
 The most common form of malicious code is the computer virus,
which infects a computer by attaching itself to another program and
then propagating when that program is executed.
 Another common form is the worm, which makes copies of itself,
spreading through connected systems and consuming resources on
affected computers.
 4

 Protecting programs is at the heart of computer security. So we need

to ask two important questions:
 How do we keep programs free from flaws?
 How do we protect computing resources against programs that
contain flaws?
 Security implies some degree of trust that the program enforces
expected confidentiality, integrity, and availability
 2.1 Malicious code
5

 Malicious Code Can Do Much (Harm)

 Malicious code runs under the user's authority.
 Thus, malicious code can touch everything the user can touch, and in the
same ways.
 Users typically have complete control over their own program code and data
1. Program flaws

files; they can read, write, modify, append, and even delete them.
 But malicious code can do the same, without the user's permission or even
knowledge.
 Kinds of Malicious Code

 Malicious code or rogue program is the general name for unanticipated or

undesired effects in programs or program parts, caused by an agent intent on
damage.
 A virus is code that attaches to another program and copies itself to other
programs
 A transient virus has a life that depends on the life of its host
 A resident virus locates itself in memory
 A Trojan horse is malicious effect is hidden from user
 A logic bomb is a class of malicious code that "detonates" OR goes off when a
specified condition occurs OR triggered by an event
 7

 A time bomb is a logic bomb whose trigger is a time or date.

 A trapdoor or backdoor is a feature that allows access to program other than
through normal channels
 A worm is a program that spreads copies of itself through a network.
 A rabbit is a virus or worm that self-replicates without bound
 Viruses and Other Malicious Code
8

 Malicious Code Can Do Much (Harm)

Malicious code runs under the user's authority.
Thus, malicious code can touch everything the user can touch, and in the
same ways.
Users typically have complete control over their own program code and data
files; they can read, write, modify, append, and even delete them.
But malicious code can do the same, without the user's permission or even
knowledge.
9
 How Viruses Attach
10

 A printed copy of a virus does nothing and threatens no one. Even executable
virus code sitting on a disk does nothing.
Appended Viruses
 A program virus attaches itself to
a program; then, whenever the
program is run, the virus is activated.
 Viruses That Surround a Program

11

 An alternative to the attachment is a

virus that runs the original program
but has control before and after
its execution
 Integrated Viruses and Replacements
12
 A third situation occurs when
the virus replaces some of its
target, integrating itself into
the original code of the target.
Finally, the virus can replace the
entire target, either mimicking the
effect of the target or ignoring
the expected effect of the target
and performing only the virus effect.
In this case, the user is most likely
to perceive the loss of the original
program.
 13

 When activated, virus may:

 Cause direct and immediate harm.
 Run as memory-resident program, always available for use in discovering
and infecting new targets.
 Replace (or relocate) boot sector program(s), so malicious code runs
when system starts up.
 14
Document Viruses
 Currently, the most popular virus type is what we call the document virus,
 which is implemented within a formatted document, such as a written
document, a database, a slide presentation, or a spreadsheet.
How Viruses Gain Control
 Virus V has to be invoked instead of target T
 V overwrites T
 V changes pointers from T to V
 High risk virus properties
15

 The virus writer may find these qualities appealing in a virus:

 It is hard to detect.
 It is not easily destroyed or deactivated.
 It spreads infection widely.
 It can re-infect its home program or other programs.
 It is easy to create.
 It is machine independent and operating system independent
 Few viruses meet all these criteria. The virus writer chooses from these
objectives when deciding what the virus will do and where it will reside.
 Homes for Viruses
16

One-Time Execution
 The majority of viruses today execute only once, spreading their infection and
causing their effect in that one execution. A virus often arrives as an e-mail
attachment of a document virus. It is executed just by being opened.
 Boot Sector Viruses
17

 When a computer is started, control begins with firmware that determines

which hardware components are present, tests them, and transfers control to an
operating system.
 Memory-Resident Viruses
18

 For very frequently used parts of the operating system and for a few specialized
user programs, it would take too long to reload the program each time it was
needed. Such code remains in memory and is called "resident" code.
 Virus writers also like to attach viruses to resident code because the resident
code is activated many times while the machine is running.
 Each time the resident code runs, the virus does too.

Other Homes for Viruses

 One popular home for a virus is an application program. Many applications,
such as word processors and spreadsheets, have a "macro" feature, by which
a user can record a series of commands and repeat them with one invocation.
 Libraries are also excellent places for malicious code to reside.
 19

 Compilers, loaders, linkers, runtime monitors, runtime debuggers, and

even virus control programs are good candidates for hosting viruses because
they are widely shared.
Virus Signatures
 The virus's signature is important for creating a program, called a virus scanner,
that can automatically detect and, in some cases, remove viruses.
 The scanner searches memory and long-term storage, monitoring execution and
watching for the telltale signatures of viruses.
 2.2 Classes of Attack
20
1. Access Attacks
• Password Attacks
• Trust Exploitation
• Port Redirection
• Man-in-the-Middle Attacks
2. Reconnaissance Attacks
• Packet Sniffers
• Ping Sweeps
• Port Scans
• Information Queries
3. Denial of Service (DoS) Attacks
• Distributed DoS (DDoS)
• TCP SYN
• Smurf Attack
 1. Access Attacks
21
• An attempt to access another user account or network device through
improper means.
• If proper security measures are not in place, the network may be left
vulnerable to intrusion.
• A network administrator is responsible for ensuring that only authorized
users access the network.
• Unauthorized attacks are attempted via four means, all of which try to
bypass some facet of the authentication process:
• password attacks,
• trust exploitation,
• port redirection, and
• man-in-the-middle attacks.
 Password Attacks
22

• A password attack refers to any of the various methods used to

maliciously authenticate into password-protected accounts.
• These attacks are typically facilitated through the use of software that
expedites cracking or guessing passwords.
• The most common attack methods include brute forcing, dictionary
attacks, password spraying, and credential stuffing. Others Phishing,
Social Engineering, Keylogger Attacks, MitM Attacks, Traffic
interception etc…
 Password Attacks
23
• Brute forcing is the attempt to guess a password by iterating through all
possible combinations of the set of allowable characters.
• Dictionary attacks try to guess passwords by iterating through commonly
used passwords, such as words found in the dictionary and simple variations
on them.
• A password spraying attack is a type of brute force attack where a hacker,
much like the name implies, “sprays” an authentication server with
combinations of usernames and common passwords. Attackers often run
through lists of commonly used passwords available on the web. Eg. 123456,
password1
• Credential stuffing is the automated injection of stolen username and
password pairs (“credentials”) in to website login forms, in order to fraudulently
gain access to user accounts.
 Cont…
24

• an attacker might attempt a login with false credentials.

• It is also important to note that not all attackers are external
users.
• Many recorded instances of attempted and/or successful
attacks have come from internal company employees.
 How to Prevent a Password Attack?
25
• Password threats can have severe consequences. So, practice the
following preventive measures to secure your passwords and avert any
damage.
• Enforce Strong Password Policies
• Ensure your password has a minimum of 8 characters and contains
special characters, capital letters, and small letters.
• You shouldn’t use guessable words or names like your nickname,
pet’s name, favorite food, holiday destination, birth dates, etc.
• People who know you personally might crack such passwords.
• Also use unique passwords for every account, device, and file.
Otherwise, hackers might use the credential stuffing technique to
attempt password attacks.
 How to Prevent a Password Attack?
26
• Training for Employees
• Conduct organization-wide training explaining everything about password attacks
in cybersecurity and ways to prevent them.
• Activate Two-Factor Authentication
• Two-factor authentication adds an additional safety layer to your accounts by
implementing OTPs, biometric authentication, software tokens, and behavioral
analysis.
• So this way, hackers can’t access your account despite obtaining the password.
• Use a Password Manager
• Password managers help web administrators to store and manage user
credentials. They also generate passwords for users following strong policies and
best practices.
• Hackers are always adopting new techniques to attempt password attacks. You must set
unguessable and unique passwords for each account. Train your employees on password best
practices and activate company-wide two-factor authentication for enhanced security.
 Trust Exploitation
27
 Trust exploitation is the act of taking advantage of someone's trust,
often for personal gain. This can include fraud, extortion, or using one's
position of trust to manipulate a person or situation for one's own
benefit.
 Port Redirection
28

• Port redirection is a form of trust exploitation in which the untrustworthy

source uses a machine with access to the internal network to pass traffic
through a port on the firewall or access control list (ACL).

• The port in question normally denies traffic, but with redirection the
attacker can bypass security measures and open a tunnel for
communication.
 How to prevent Port Redirection
29

• Port redirection can be controlled primarily through the use of proper

trust models. Antivirus software or a host-based intrusion detection
system (IDS) can help detect an attacker and prevent the installation of
such utilities on a host.
 Man-in-the-Middle Attacks
30
• A man in the middle (MITM) attack is a general term for when a criminal
positions himself in a conversation between a user and an application
either to eavesdrop or to impersonate one of the parties, making it
appear as if a normal exchange of information is underway.
• The goal of an attack is to steal personal information, such as login
credentials, account details and credit card numbers.
• Targets are typically the users of financial applications, SaaS
businesses, e-commerce sites and other websites where logging in is
required.
• Information obtained during an attack could be used for many purposes,
including identity theft, unapproved fund transfers or an illicit password
change.
 Cont…
31

Man-in-the-middle (MiTM) attack

• A man-in-the-middle (MiTM) attack is a type of cyber attack in which
the attacker secretly intercepts and relays messages between two
parties who believe they are communicating directly with each other.
• The attack is a type of eavesdropping in which the attacker intercepts
and then controls the entire conversation.
 Cont…
32

• A man-in-the-middle attack happens when a hacker eavesdrops

or listens for network traffic and intercepts a data transmission.
After the transmission is intercepted, the untrustworthy host can
position itself between the two communicating hosts, interpret the
data, and steal information from the packets sent.

• The hacker can also take over the session and reformat the
packets to send information to either or both communicating
 Cont…
33

• In this situation, it is possible for the hacker to capture

credentials, hijack a session, or instigate a DoS attack.

• Data sessions are more vulnerable when the packets are left in
clear-text format and can be read without additional decryption
by the human eye.

• Proper data encryption, with the use of an encryption protocol,

makes the captured data useless.
 Cont…
34
 2. Reconnaissance Attacks
35

• A reconnaissance attack is a kind of information gathering on network

systems and services. This enables the attacker to discover
vulnerabilities or weaknesses in the network.

• An attempts to gain information about an organization’s systems and

networks without the explicit permission of the organization.

• These attacks are usually carried out by threat actors who are trying to
find vulnerabilities they can exploit.
 Cont…
36

• Reconnaissance attacks can consist of:

1. Internet information lookup,
2. Ping sweeps,
3. Port scans,
4. Packet sniffers (also known as network monitors) etc…
 Cont…
37

Internet information lookup

• Network intruders can use Internet tools, such as the nslookup and
whois utilities, to easily determine the IP address space assigned to a
given organization or network.
• After finding out the IP address, the intruder can then ping the publicly
available IP addresses to identify the addresses that are active.
 Cont…
38

Packet Sniffers
• A packet sniffer may also be called a network analyzer, packet analyzer, or
Ethernet sniffer.
• The packet sniffer may be either a software program or a piece of hardware with
software installed in it that captures traffic sent over the network, which is then
decoded and analyzed by the sniffer.
• Network administrators install monitors on dedicated machines or on their
workstations when needed.
• A common software program available today is Wireshark, formerly known as
Ethereal.
 Cont…
39

Ping Sweeps
• Ping enables you to validate that an IP address exists and can accept
requests by sending an echo request and then waiting for an echo
reply.
• A ping sweep tool can send an echo request to numerous host IP
addresses at the same time to see which host(s) respond(s) with an
echo reply.
 Cont…
40

Port Scans
• A port scanner is a software program that surveys a host network for open ports.
Because ports are associated with applications, the hacker can use the port and
application information to determine a way to attack the network.
• When the attacker discovers active IP addresses, the intruder or attacker uses a
port scanner (Nmap or Superscan -software designed to search a network host for
open ports) to determine which network services or ports are active on the active
IP addresses.
 3. Denial-of-Service (DoS) attack
42

• A Denial-of-Service (DoS) attack is an attack meant to shut down

a machine or network, making it inaccessible to its intended users.

• DoS attacks accomplish this by flooding the target with traffic, or

sending it information that triggers a crash.

• In both instances, the DoS attack deprives legitimate users (i.e.

employees, members, or account holders) of the service or
resource they expected.
 Cont…
43

• Victims of DoS attacks often target web servers of high-profile

organizations such as banking, commerce, and media
companies, or government and trade organizations.

• Though DoS attacks do not typically result in the theft or loss of

significant information or other assets, they can cost the victim
a great deal of time and money to handle.
 Cont…
44

A distributed denial-of-service (DDoS) attack

• A distributed denial-of-service (DDoS) attack is a malicious attempt to
disrupt the normal traffic of a targeted server, service or network by
overwhelming the target or its surrounding infrastructure with a flood of
Internet traffic.
• With distributed DoS, multiple systems are compromised to send a DoS
attack to a specific target.
• The compromised systems are commonly called zombies or slaves.
• As a result of the attack, the targeted system denies service to valid users.
 Cont…
45

SYN flood attack

• TCP SYN flood (a.k.a. SYN flood) is a type of
Distributed Denial of Service (DDoS) attack that exploits part of
the normal TCP three-way handshake to consume resources on
the targeted server and render it unresponsive.
• Essentially, with SYN flood DDoS, the offender sends TCP
connection requests faster than the targeted machine can process
 46

Smurf attack (ICMP flood)

• A Smurf attack is a distributed denial-of-service (DDoS) attack in which
an attacker attempts to flood a targeted server with Internet Control
Message Protocol (ICMP) packets.
 2.3 Program flaws

47
 Non-malicious flaws:- Introduced by the programmer overlooking something:
 Buffer overflow error
 Incomplete mediation error
 Time-of-check to Time-of-use (TOCTTU) errors
 Types of Flaws
48

 The inadvertent flaws fall into six categories:

 validation error (incomplete or inconsistent): permission checks
 domain error: controlled access to data
 serialization and aliasing: program flow order
 inadequate identification and authentication: basis for authorization
 boundary condition violation: failure on first or last case
 other exploitable logic errors
 Buffer Overflows
49

 Buffers are memory storage regions that temporarily hold data while it is being

transferred from one location to another.

 A buffer overflow (or buffer overrun) occurs when the volume of data exceeds the

storage capacity of the memory buffer. As a result, the program attempting to write
the data to the buffer overwrites adjacent memory locations.

 For example, a buffer for log-in credentials may be designed to expect username

and password inputs of 8 bytes, so if a transaction involves an input of 10 bytes

(that is, 2 bytes more than expected), the program may write the excess data past
the buffer boundary.
 Cont…
50

 Buffer Overflows
 Memory is finite
 A buffer's capacity is finite.
 In many programming languages the programmer must declare the buffer's
maximum size so that the compiler can set aside that amount of space.
 Incomplete mediation
51

• Inputs to programs are often specified by untrusted users

• Web-based applications are a common example
• “Untrusted” to do what?
• Users sometimes mistype data in web forms
• Phone number: 51998884567
• Email: iang#cs.uwaterloo.ca
• The web application needs to ensure that what the user has
entered constitutes a meaningful request.
• This is called mediation
 Incomplete mediation
52

• Incomplete mediation occurs when the application accepts

incorrect data from the user
• Sometimes this is hard to avoid
• Phone number: 519-886-4567
• This is a reasonable entry, that happens to be wrong
• We focus on catching entries that are clearly wrong
• Not well formed
• DOB: 1980-04-31
• Unreasonable values
• DOB: 1876-10-12
• Inconsistent with other entries
 Time-of-check to Time-of-use (TOCTTU) errors
53

 Concurrency issue
• Successive instructions may not execute serially
• Other processes may be given control
 Access control
• Only users with rights can access objects
 TOCTTOU: control is given to other process between access
control check and access operation
 2.4 Controls Against Program Threats
54
 Three types of controls:
1. Developmental control
2. Operating system Controls

3. Administrative Controls

Developmental Controls
1. The Nature of Software Development
 Collaborative effort, involving people with different skill sets who combine their
expertise to produce a working product
 Development requires people who can requirement specification, designing,
implementation, testing, review, documenting, reviewing, managing, maintaining
the system.
 Developmental Controls
55
2. Fundamental principles of s/w engineering
 Fundamental principles of software engineering
1. Modularity
2. Encapsulation
3. Information hiding
 A key principle of software engineering is to create a design or code in small, self-contained
units, called components or modules
 If a component is isolated from the effects of other components, then it is easier to trace a
problem to the fault that caused it and to limit the damage the fault causes. This isolation is
called encapsulation.
 Information hiding is another characteristic of modular software.
 Modularization is the process of dividing a task into subtasks.
 Encapsulation hides a component's implementation details, but it does not necessarily mean
complete isolation
 Developmental Controls
56
1. Modularity
 Modules should be:
 Single-purpose - logically/functionally
 Small - for a human to grasp
 Simple - for a human to grasp
 Independent – high cohesion, low coupling
 High cohesion – highly focused on (single) purpose
 Low coupling – free from interference from other modules
 Modularity should improve correctness
 Fewer flaws => better security
 Developmental Controls
57
2. Encapsulation
 Minimizing information sharing with other modules
=> Limited interfaces reduce # of covert channels
 Well documented interfaces
 “Hiding what should be hidden and showing what should be visible.”

3. Information hiding
 Module is a black box
 Well defined function and I/O
 Easy to know what module does but not how it does it
 Reduces complexity, interactions, covert channels, ...
=> better security
 Operating System Controls
58

 How an operating system can protect against some of the design and
implementation flaws.
Trusted Software
 To trust any program, we base our trust on rigorous analysis and testing,
looking for certain key characteristics:
 Functional correctness
 Enforcement of integrity
 Limited privilege
 Appropriate confidence level
 Operating System Controls
59

• Key characteristics determining if OS code is trusted

1. Functional correctness
• OS code consistent with specs
2. Enforcement of integrity
• OS keeps integrity of its data and other resources even if presented with flawed or
unauthorized commands
3. Limited privileges
• OS minimizes access to secure data/resources
• Trusted programs must have “need to access” and proper access rights to use
resources protected by OS
• Untrusted pgms can’t access resources protected by OS
4. Appropriate confidence level
• OS code examined and rated at appropriate trust level
 60

 Ways of increasing security if untrusted programs present:

1. Mutual suspicion
2. Confinement
3. Access log / Audit log
 61

Mutual Suspicion between programs

 Mutually suspicious programs operate as if other routines in the system were
malicious or incorrect.
 Each protects its interface data so that the other has only limited access.
Confinement
 Confinement is a technique used by an operating system on a suspected program.
 A confined program is strictly limited in what system resources it can access. If a program
is not trustworthy, the data it can access are strictly limited.
 Strong confinement would be helpful in limiting the spread of viruses

Access Log / Audit log

 An access or audit log is a listing of who accessed which computer objects, when, and for
 62

Access Log / Audit log

 An access or audit log is a listing of who accessed which computer
objects, when, and for what amount of time.
 Records who/when/how (e.g., for how long) accessed/used which objects
• Events logged: logins/logouts, file accesses, pgm ecxecutions,
device uses, failures, repeated unsuccessful commands (e.g., many
repeated failed login attempts can indicate an attack)
 Audit frequently for unusual events, suspicious patterns
 Forensic measure not protective measure
• Forensics – investigation to find who broke law, policies, or rules
 Administrative Controls
63
 Administrative controls define the human factors of security.
 It involves all levels of personnel within an organization and determines which users
have access to what resources and information. (The Massachusetts Institute of
Technology (MIT) )
 Administrative security controls often include, but may not be limited to:
Security education training and awareness programs;

A policy of least privilege (though it may be enforced with technical controls);

Bring your own device (BYOD) policies;

Password management policies;

Incident response plans (which will leverage other types of controls); and

Personnel management controls (recruitment, account generation, etc.).

 Cont…
64

 Demand certain human behavior via policies, procedures, etc.

 These controls, encouraged by managers and administrators, are called
administrative controls.
Security planning
Risk analysis
Security policies
Physical security
 Cont…
65

 Security planning
 Security planning considers how security risk management practices
are designed, implemented, monitored, reviewed and continually
improved.
 Entities must develop a security plan that sets out how they will
manage their security risks and how security aligns with their
priorities and objectives.
 Security planning includes controls planned for future
implementation, as well as resources planned for future use.
Resources include personnel, contractors, equipment, software, and
budgetary allocations.
 Cont…
66

 Risk analysis
The process of identifying the risks to system security and
determining the probability of occurrence, the resulting impact, and
the additional safeguards that mitigate this impact.
 Cont…
67

 Process of Risk Analysis

 Analyzing risk have both a positive and negative effect.
 Such effects can have both worldly and non-materialistic impacts on the organization.
 A risk is an uncertain event that can have both positive and negative effects.
 Any organization shall follow the process for risk analysis which is discussed as below
–
 Identification of Risk
 Analyzing the Risk
 Evaluating the Risk
 Treat the Risk
 Review the Risk
 Cont…
68
 Identification of Risk
 The First step comes as identifying the risk. Team members shall gather all the inputs that shall be used in the projects
and recognize the outcome of the projects and the number of ways such as risk involved in the process, etc.
 Analyzing the Risk
 After identifying risk, it’s likely to understand and assess the extent of risk and nature of risk that most likely to happen
and to what extent it may occur to the organization shall be analyzed.
 Evaluating the Risk
 Analyzing risk helps you to estimate the capacity of risk that may happen. Hence in evaluating the risk, the team shall
rank the calculated risk to decide whether to accept such risk or not.
 Treat the Risk
 In this step, the team shall decide whether to continue the project or not; if so, the project is accepted, then they shall try
to treat or resolve the issue by modifying any changes required in the project.
 Review the Risk
 As the risk is uncertain at any point in time, reviewing risk is essential to evaluate risk in the project from time to time to
avoid any future disturbance.