Threats and Responses
Lecture 2
Common Threats
Concepts
• Threat: Anything that could cause loss of, or damage to, all or part of an asset
• Threat Agent: The person, group or process that carries out the attack
• Exploit: A specific method of taking advantage of a vulnerability (or one instance of doing so)
• Risk: The likelihood of a threat materializing, weighed against the impact if it does
• Controls: Physical, Administrative, and Technical Protections that reduce that risk
Common Threats
• Security specialists possess the insight to recognize the influence of
data and harness that power to build great organizations, provide
services and protect people from attacks
• Security specialists also recognize the threat that data poses if it is
used against people
• A security threat is the possibility that a harmful event, such as an
attack, will occur
• A vulnerability is a weakness that makes a target susceptible to an attack
• Certain threats are particularly dangerous to specific industries because
of the type of information those industries collect and protect
Common Threats
The following are just a few examples of the kinds of sensitive data held
by established organizations, and therefore targeted by attackers:
• Personal Information
• Medical Records
• Education Records
• Employment and Financial Records
Common Threats
Network services like DNS, HTTP and Online Databases are prime targets
for cyber criminals.
• Criminals use packet-sniffing tools to capture data streams over a
network. A sniffer puts a network interface into promiscuous mode and
records every frame it receives: on shared media such as open Wi-Fi that
is all nearby traffic, while on a switched network the attacker first has
to steer traffic through their machine (for example by ARP spoofing) or
use a mirror port. Anything sent in plaintext, such as HTTP Basic
credentials or unencrypted e-mail logins, is readable straight from the capture.
• Criminals can also use rogue devices, such as unsecured Wi-Fi access
points, to place themselves on the path of the victim's traffic.
• Packet forgery (or packet injection) interferes with an established
network communication by constructing packets that appear to belong to
it (correct addresses, ports and sequence numbers), so the receiver
accepts attacker-supplied data as part of the conversation.
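What a sniffer actually recovers from a capture of plaintext HTTP, as an added example that is not part of the lecture: the code builds one Ethernet/IPv4/TCP frame inline (constructed data; the MAC addresses, IP addresses, ports and the credential are made up), decodes the headers the way a sniffer does, and pulls the HTTP Basic credential out of the payload.

```python
"""Decode a captured Ethernet/IPv4/TCP frame and show what a sniffer sees in plaintext HTTP.

Added example (not from the lecture). The frame is constructed inline; the
addresses, ports and credential are made up for illustration.
"""
import base64
import struct
from dataclasses import dataclass


@dataclass
class Decoded:
    src: str
    dst: str
    sport: int
    dport: int
    payload: bytes


# Constructed sample: an HTTP request carrying an HTTP Basic credential.
SAMPLE_REQUEST = (
    b"GET /admin HTTP/1.1\r\n"
    b"Host: intranet.example\r\n"
    b"Authorization: Basic " + base64.b64encode(b"alice:Winter2024!") + b"\r\n"
    b"\r\n"
)


def build_frame(payload: bytes) -> bytes:
    """Wrap a TCP payload in Ethernet/IPv4/TCP headers (constructed; checksums left zero)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    # IPv4: ver/IHL, TOS, total length, ID, flags/frag, TTL, proto 6 = TCP, checksum, src, dst
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0x1234, 0x4000, 64, 6, 0,
                     bytes([192, 168, 1, 10]), bytes([10, 0, 0, 5]))
    # TCP: sport, dport, seq, ack, data offset 5 words, flags PSH|ACK, window, checksum, urgent
    tcp = struct.pack("!HHIIBBHHH", 51234, 80, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload


def decode_frame(frame: bytes) -> Decoded:
    """Parse the headers the way a sniffer does and return addressing plus the TCP payload."""
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != 0x0800:
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4              # IP header length in bytes (options possible)
    if ip[9] != 6:
        raise ValueError("not TCP")
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    tcp = ip[ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_offset = (tcp[12] >> 4) * 4      # TCP header length in bytes
    return Decoded(src, dst, sport, dport, tcp[data_offset:])


def extract_basic_auth(payload: bytes):
    """Return (user, password) if the payload carries an HTTP Basic credential, else None."""
    for line in payload.split(b"\r\n"):
        if line.lower().startswith(b"authorization: basic "):
            token = line.split(b" ", 2)[2]
            user, _, password = base64.b64decode(token).decode().partition(":")
            return user, password
    return None


if __name__ == "__main__":
    pkt = decode_frame(build_frame(SAMPLE_REQUEST))
    print(f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}")
    print("credential:", extract_basic_auth(pkt.payload))
```

The same decoding applies to a real capture file: replace build_frame() with the frames read from a pcap. Basic authentication is only base64, not encryption, which is why it must ride inside TLS.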
Common Threats
Domains include:
• Manufacturing
– Industry Controls
– Automation
• Energy Production and Distribution
– Electrical Distribution and Smart Grid
– Oil and Gas
• Communication
– Phone
– Email
– Messaging
• Transportation systems
– Air Travel
– Rail
– Over the Road
Degrees of harm
– Level of potential damage
– Include all parts of system
» Potential data loss
» Loss of privacy
» Inability to use hardware
» Inability to use software
Threat Types
• Man-made
o Strikes, riots, fires, terrorism, hackers, vandals
• Natural
o Tornado, flood, earthquake
• Technical
o Power outage, device failure, loss of a WAN link (such as a T1 line)
Types of threat agents
Employee
• Employees can be the most overlooked, yet most
dangerous threat agent because they have greater
access to information assets than anyone on the
outside trying to break in. Employees are also
known as internal threats.
• Employees can:
o Become disgruntled with their employer
o Be bribed by a competitor
o Be an unintentional participant in an attack (for example by falling for phishing)
Types of threat agents
Spy
• Spies can be employed in corporate espionage (spying)
to obtain information about competitors for commercial
purposes. Spies are typically deployed in the following
scenarios:
• A spy applies for a job with a commercial competitor
and then exploits internal vulnerabilities to steal
information and return it to their client.
• A spy attacks an organization from the outside by
exploiting external vulnerabilities and then returns the
information to their client.
Types of threat agents
Hacker
• In general, a hacker is any threat agent who uses their
technical knowledge to bypass security mechanisms to
exploit a vulnerability to access information. Hacker
subcategories include the following:
• Script kiddies download and run attacks available on the
Internet, but generally are not technically savvy enough to
create their own attacking code or script.
• Cybercriminals usually seek to exploit security
vulnerabilities for some kind of financial reward or revenge.
• Cyber terrorists generally use the Internet to carry out
terrorist activities, such as disrupting network-dependent
institutions.
Additional Threat Actors
• Script kiddie
– Little expertise, sophistication, or funding
• Nation state/advanced persistent threat (APT)
o Identify a target and persistently attack until they gain access
o China APT1
o Russia APT 28 (Fancy Bear): Their primary targets include aerospace,
defense, energy, government, media
o Russia APT 29 (Cozy Bear): primary goal is to spy and gather
intelligence on nations and multinational organizations.
• Competitor
Threats To Users
• Identity Theft
– Impersonation using stolen private information
– Methods of stealing information
• Shoulder surfing
• Dumpster diving
• Social engineering
• High-tech methods
Threats To Users
• Loss of privacy
– Personal information is stored electronically
– Purchases are stored in a database
• Data is sold to other companies
– Public records on the Internet
– Internet use is monitored and logged
– Most of these practices are legal
Threats To Users
• Cookies
– Small blocks of data created by a web server while a user is browsing
a website and stored on the user's computer by the browser
– They let the server keep stateful information across requests: a session
identifier after login, a shopping cart, site preferences
– They are also used to track the user's browsing activity (which pages
were visited, which buttons were clicked, when the user logged in), and
third-party cookies can follow a user across many sites
– They can store, for later reuse, information the user previously entered
into form fields, such as names, addresses, passwords and payment card
numbers, so a stolen session cookie can be as good as the credential itself
– Browsers include cookie blocking and clearing tools
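The attributes that decide how exposed a cookie is (Secure keeps it off plaintext HTTP where a sniffer can read it, HttpOnly keeps it away from injected script, SameSite limits cross-site sending, and the __Host- prefix pins it to one origin), audited over a few Set-Cookie headers. This is an added example, not from the lecture; the cookie names, values and domains are constructed.

```python
"""Audit Set-Cookie headers for the attributes that limit what a stolen or sniffed cookie is worth.

Added example (not from the lecture). The sample headers are constructed;
the cookie names and domains are made up.
"""


def parse_set_cookie(header: str):
    """Split a Set-Cookie header into (name, value, {attribute: value}); attribute names lower-cased."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for p in parts[1:]:
        k, _, v = p.partition("=")
        attrs[k.strip().lower()] = v.strip()
    return name.strip(), value, attrs


def audit_cookie(header: str):
    """Return a list of findings (an empty list means the cookie is acceptably hardened)."""
    name, _, attrs = parse_set_cookie(header)
    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure: sent over plaintext HTTP, visible to a sniffer")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: readable by injected script (XSS)")
    if attrs.get("samesite", "").lower() not in ("lax", "strict"):
        findings.append("SameSite not Lax/Strict: attached to cross-site requests")
    if "domain" in attrs:
        findings.append(f"Domain={attrs['domain']}: shared with every subdomain")
    if name.startswith("__Host-"):
        # RFC 6265bis: __Host- cookies must be Secure, have no Domain, and have Path=/
        if "secure" not in attrs or "domain" in attrs or attrs.get("path") != "/":
            findings.append("__Host- prefix requires Secure, no Domain, Path=/")
    return findings


SAMPLE_HEADERS = [  # constructed sample headers
    "session=8f3c2a; Path=/",
    "prefs=dark; Path=/; Domain=.example.com; Secure",
    "__Host-session=8f3c2a; Path=/; Secure; HttpOnly; SameSite=Lax",
]


def audit_all(headers):
    """Map each cookie name to its findings."""
    return {parse_set_cookie(h)[0]: audit_cookie(h) for h in headers}


if __name__ == "__main__":
    for cookie, findings in audit_all(SAMPLE_HEADERS).items():
        print(cookie, "->", findings or ["ok"])
```

Run it against the Set-Cookie headers from a real response (for example from a browser's network inspector) to see which cookies a sniffer or an XSS payload could lift.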
Threats to Hardware
• Affect the operation or reliability
• Power-related threats
– Power fluctuations
• Power spikes or brownouts
– Power loss
– Countermeasures
• Surge suppressors
• Uninterruptible power supplies
• Generators
Threats to Hardware
• Theft and vandalism
– Thieves steal the entire computer
– Accidental or intentional damage
– Countermeasures
• Keep the PC in a secure area
• Lock the computer to a desk
• Do not eat near the computer
• Watch equipment
• Chase away loiterers
• Handle equipment with care
Threats to Hardware
• Natural disasters
– Disasters differ by location
– Typically result in total loss
– Disaster planning
• Plan for recovery
• List potential disasters
• Plan for all eventualities
• Practice all plans
Threats to Data
• The most serious threat
– Data is the reason for computers
– Data is very difficult to replace
– Protection is difficult
• Data is intangible
Threats and Attacks
DoS Attack Facts
– Denial of Service (DoS) and Distributed Denial of
Service (DDoS) attacks impact system availability
by flooding the target system with traffic or
requests or by exploiting a system or software
flaw.
– The goal of a DoS attack is to make a service or
device unavailable to respond to legitimate
requests.
– Attackers may choose to overload the CPU, disk
subsystem, memory, or network (most common).
DoS Attack
– In a DoS attack, a single attacker directs an attack against a
single target, sending packets directly to the target.
– In a Distributed DoS (DDoS) attack, many compromised computers attack a
victim simultaneously. The attacker first builds this attack network by
scanning for vulnerable systems and compromising them.
– In a DDoS attack:
• The attacker controls the compromised machines (zombies or bots) through
a master, also known as the zombie master, bot herder or command-and-control server.
• The master directs the zombies to attack the same target at the same time.
• The attacker effectively hides their identity because the attack traffic
comes from the bots, leaving the attacker at least two hops away from the victim.
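Telling a DoS from a DDoS in traffic records, as an added example that is not part of the lecture: a sliding one-second window counts packets per destination, and the number of distinct sources in the peak window separates a single-source flood from a distributed one. The records are constructed inline and the thresholds are assumptions chosen for the sample, not tuned values.

```python
"""Tell a DoS from a DDoS in flow records by peak packet rate and distinct sources.

Added example (not from the lecture). Records are constructed inline; the
thresholds are assumptions chosen for the sample, not tuned values.
"""
from collections import defaultdict, deque


def make_sample_records():
    """Constructed (time, src, dst) tuples: normal traffic, one DoS, one DDoS."""
    recs = []
    # Normal: 10 clients, 5 packets each, spread over 10 seconds to 10.0.0.1
    for s in range(10):
        for k in range(5):
            recs.append((k * 2.0 + s * 0.01, f"192.0.2.{s + 1}", "10.0.0.1"))
    # DoS: a single source sends 300 packets to 10.0.0.2 inside one second
    for i in range(300):
        recs.append((5.0 + i / 300, "203.0.113.9", "10.0.0.2"))
    # DDoS: 50 bots send 6 packets each to 10.0.0.3 inside one second
    for b in range(50):
        for i in range(6):
            recs.append((7.0 + (b * 6 + i) / 300, f"198.51.100.{b + 1}", "10.0.0.3"))
    return recs


SAMPLE_RECORDS = make_sample_records()


def classify_floods(records, window=1.0, pps_threshold=100, distinct_src_threshold=20):
    """Return {dst: (kind, peak_packets_in_window, distinct_sources_at_peak)}.

    kind is "ddos" when the peak window saw at least distinct_src_threshold
    sources, otherwise "dos". Destinations below pps_threshold are omitted.
    """
    by_dst = defaultdict(list)
    for t, src, dst in records:
        by_dst[dst].append((t, src))
    verdicts = {}
    for dst, pkts in by_dst.items():
        pkts.sort()
        win = deque()
        peak, peak_sources = 0, set()
        for t, src in pkts:
            win.append((t, src))
            while win[0][0] < t - window:     # slide: drop packets older than the window
                win.popleft()
            if len(win) > peak:
                peak = len(win)
                peak_sources = {s for _, s in win}
        if peak >= pps_threshold:
            kind = "ddos" if len(peak_sources) >= distinct_src_threshold else "dos"
            verdicts[dst] = (kind, peak, len(peak_sources))
    return verdicts


if __name__ == "__main__":
    for dst, (kind, peak, nsrc) in classify_floods(SAMPLE_RECORDS).items():
        print(f"{dst}: {kind}, peak {peak} packets in 1 s from {nsrc} source(s)")
```

The distinction matters for the response: a single-source flood can be dropped at the edge by address, whereas a distributed one needs rate limiting, upstream scrubbing or anycast capacity, since blocking fifty bot addresses one at a time does not scale.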
ICMP Attacks
Ping flood
A ping flood is a simple DoS attack in which the attacker overwhelms the victim with
ICMP Echo Request (ping) packets. In a ping flood:
• The attack succeeds only if the attacker has more bandwidth than the victim.
• The attacker hopes that the victim will respond with ICMP Echo Reply packets, thus
consuming outgoing bandwidth as well as incoming bandwidth.
Smurf
A Smurf attack is a form of DRDoS (distributed reflective DoS) attack that spoofs the
source address in ICMP packets. A Smurf attack requires an attacker system, an
amplification network, and a victim computer or network.
• The attacker sends ICMP Echo Requests to the broadcast address of the amplification
network, with the source address spoofed to be that of the victim.
• Every host on the amplification network replies to the spoofed source, so all the
replies go to the target (victim) site.
• The victim receives thousands of replies to packets it never sent.
• Countermeasure: routers should not forward IP directed broadcasts (the default since
RFC 2644), and hosts should not answer Echo Requests addressed to a broadcast address.
TCP Attacks
SYN flood
The SYN flood exploits the TCP three-way handshake as follows:
• The attacker floods a victim site with SYN packets.
• The victim responds to each SYN packet with a SYN-ACK packet and allocates a
half-open connection entry while it waits.
• The attacker never sends the last portion of the handshake (the ACK packet),
leaving the victim waiting for a response.
• The attacker continues to send the victim SYN packets with spoofed source addresses,
so the SYN-ACKs go nowhere and cannot be traced back to the attacker.
• The victim continues to allocate resources for each inbound session request until
its backlog is full and legitimate SYNs are dropped.
• Countermeasures: SYN cookies (no state is allocated until the handshake completes),
shorter half-open timeouts, and rate limiting of inbound SYNs.
LAND
A LAND attack is one in which the attacker floods the victim's system with packets
that have forged headers. In a LAND attack:
• The packets have the same source and destination address (the victim's), and
typically the same source and destination port, with the SYN flag set.
• A vulnerable system has no procedure to deal with these packets: it is effectively
replying to itself.
• The victim's system holds the packets in RAM.
• As the victim's system continues to hold more and more packets in RAM, it is
unable to process legitimate requests.
• Modern TCP/IP stacks and firewalls simply drop packets whose source address equals
the destination address, which removes the condition.
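The backlog exhaustion behind the SYN flood, and the SYN-cookie countermeasure, side by side as an added example that is not part of the lecture. The naive server allocates a half-open entry per SYN and runs out; the cookie server encodes the handshake into the initial sequence number it sends in the SYN-ACK and checks it when the ACK arrives, so a spoofed SYN costs it nothing. The cookie layout here (8-bit time slot, 24-bit HMAC tag, no MSS encoding) is a simplification of the real Linux/BSD scheme; the addresses, ports, flood size and secret are made up.

```python
"""A SYN backlog that fills under a flood, beside a simplified SYN-cookie server.

Added example (not from the lecture). The cookie layout (8-bit time slot,
24-bit HMAC tag, no MSS encoding) is a simplification of the real scheme used
by Linux and BSD; the addresses, ports and secret are made up.
"""
import hashlib
import hmac
import os
import time


class NaiveBacklog:
    """Classic behaviour: allocate a half-open entry for every SYN until the backlog is full."""

    def __init__(self, capacity=128):
        self.capacity = capacity
        self.half_open = {}

    def on_syn(self, src, sport, dst, dport):
        key = (src, sport, dst, dport)
        if len(self.half_open) >= self.capacity:
            return None                    # backlog full: SYN silently dropped
        self.half_open[key] = 1            # state held until the half-open timer expires
        return 1                           # ISN for the SYN-ACK (fixed here for simplicity)


class SynCookieServer:
    """Encodes the handshake state into the ISN, so a SYN allocates nothing."""

    SLOT_SECONDS = 64

    def __init__(self, secret=None, now=time.time):
        self.secret = secret or os.urandom(32)
        self.now = now                     # injectable clock for testing

    def _tag(self, src, sport, dst, dport, slot):
        msg = f"{src}:{sport}>{dst}:{dport}|{slot}".encode()
        return int.from_bytes(hmac.new(self.secret, msg, hashlib.sha256).digest()[:3], "big")

    def _slot(self):
        return (int(self.now()) // self.SLOT_SECONDS) & 0xFF

    def on_syn(self, src, sport, dst, dport):
        slot = self._slot()
        return (slot << 24) | self._tag(src, sport, dst, dport, slot)   # the cookie is the ISN

    def on_ack(self, src, sport, dst, dport, ack):
        """Accept the final ACK only if it acknowledges a cookie we could have issued recently."""
        isn = (ack - 1) & 0xFFFFFFFF
        slot, tag = isn >> 24, isn & 0xFFFFFF
        age = (self._slot() - slot) & 0xFF          # slots elapsed, modulo wrap-around
        if age > 1:
            return False                            # cookie older than about two slots: stale
        return hmac.compare_digest(tag.to_bytes(3, "big"),
                                   self._tag(src, sport, dst, dport, slot).to_bytes(3, "big"))


def legit_connects_after_flood(server, flood_size=1000):
    """Send flood_size spoofed SYNs, then one real SYN; report whether the real one gets a SYN-ACK."""
    for i in range(flood_size):
        server.on_syn(f"203.0.113.{i % 250 + 1}", 1024 + i, "10.0.0.1", 443)  # spoofed sources
    return server.on_syn("198.51.100.7", 40000, "10.0.0.1", 443) is not None


if __name__ == "__main__":
    print("naive backlog:", legit_connects_after_flood(NaiveBacklog()))     # False
    server = SynCookieServer()
    print("syn cookies:  ", legit_connects_after_flood(server))            # True
    isn = server.on_syn("198.51.100.7", 40000, "10.0.0.1", 443)
    print("valid ACK accepted:", server.on_ack("198.51.100.7", 40000, "10.0.0.1", 443, isn + 1))
```

The price of the trick is visible in the code: nothing the client sent in its SYN (options such as MSS or window scaling) survives unless it is squeezed into the few bits left in the ISN, which is why real stacks only switch to cookies once the backlog is under pressure.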
Other Attacks
Man-in-the-middle
A man-in-the-middle attack is used to intercept information passing between two
communication partners. With a man-in-the-middle attack:
• An attacker inserts himself in the communication flow between the client and
server. The client is fooled into authenticating to the attacker.
• Both parties at the endpoints believe they are communicating directly with the
other, while the attacker intercepts and/or modifies the data in transit. The
attacker can then authenticate to the server using the intercepted credentials.
TCP/IP (session) hijacking
TCP/IP hijacking is an extension of a man-in-the-middle attack where the attacker
steals an open and active communication session from a legitimate user.
• The attacker takes over the session and cuts off the original source device.
• The TCP/IP session state (sequence and acknowledgement numbers) is manipulated so
that the attacker is able to insert alternate packets into the communication stream.
HTTP (session) hijacking
HTTP (session) hijacking is a real-time attack in which the attacker steals a legitimate
user's session cookies and uses the cookies to take over the HTTP session.
Replay attack
In a replay attack, the attacker uses a protocol analyzer or sniffer (such as Wireshark)
to capture authentication information going from the client to the server. The attacker
then uses this information to connect at a later time and pretend to be the client. Use
an authentication method whose messages carry a timestamp or one-time nonce, such as
Kerberos, to prevent a replay attack.
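Why a captured static credential replays and a timestamped, nonce-bound message does not, as an added example that is not part of the lecture. The shared key, the messages and the 30-second freshness window are assumptions made for the demonstration; the scheme is a generic HMAC-with-nonce design that illustrates the same idea as the Kerberos authenticator, not Kerberos itself.

```python
"""Replay a sniffed credential against a naive check, then against a nonce/timestamp-guarded one.

Added example (not from the lecture). The shared key, the messages and the
30-second freshness window are assumptions for the demonstration; the scheme is
a generic HMAC-with-nonce design, not Kerberos itself.
"""
import hashlib
import hmac
import secrets
import time

SHARED_KEY = b"key-provisioned-out-of-band"   # assumption: established before any request


def naive_verify(captured_token: bytes, expected_token: bytes) -> bool:
    """Static credential: the exact bytes a sniffer captured work again, forever."""
    return hmac.compare_digest(captured_token, expected_token)


def sign_request(key: bytes, body: bytes, now=time.time, ts=None, nonce=None):
    """Client side: bind the body to a timestamp and a one-time nonce under an HMAC."""
    ts = int(now()) if ts is None else ts
    nonce = secrets.token_hex(8) if nonce is None else nonce
    mac = hmac.new(key, f"{ts}|{nonce}|".encode() + body, hashlib.sha256).hexdigest()
    return {"ts": ts, "nonce": nonce, "body": body, "mac": mac}


class ReplayGuard:
    """Server side: MAC check, then freshness window, then nonce uniqueness within that window."""

    def __init__(self, key: bytes, window: int = 30, now=time.time):
        self.key, self.window, self.now = key, window, now
        self.seen = {}                       # nonce -> timestamp, evicted once outside the window

    def verify(self, msg):
        expected = hmac.new(self.key, f"{msg['ts']}|{msg['nonce']}|".encode() + msg["body"],
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, msg["mac"]):
            return False, "bad mac"          # tampered body, nonce or timestamp
        now = int(self.now())
        if abs(now - msg["ts"]) > self.window:
            return False, "stale"            # too old (or clocks too far apart) to be a live request
        self.seen = {n: t for n, t in self.seen.items() if now - t <= self.window}
        if msg["nonce"] in self.seen:
            return False, "replay"           # the same fresh message seen twice
        self.seen[msg["nonce"]] = msg["ts"]
        return True, "ok"


if __name__ == "__main__":
    captured = b"alice:Winter2024!"          # what a sniffer saw (constructed)
    print("naive, replayed:", naive_verify(captured, b"alice:Winter2024!"))   # True: replay works
    guard = ReplayGuard(SHARED_KEY)
    msg = sign_request(SHARED_KEY, b"POST /transfer amount=100")
    print("guarded, first: ", guard.verify(msg))                              # (True, 'ok')
    print("guarded, replay:", guard.verify(msg))                              # (False, 'replay')
```

The nonce cache only has to remember nonces for the length of the freshness window, because anything older is rejected by the timestamp check first; that is what keeps the server's state bounded, and it is also why this design needs reasonably synchronized clocks, as Kerberos does.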
Vulnerabilities and Countermeasures
Threats Consequence & Actions