Unit 2 - Methods of Attack

The document outlines various methods of network attacks, including malware types like viruses, worms, and Trojan horses, as well as denial of service (DoS) attacks, brute force attacks, and social engineering techniques. It highlights the impact of these attacks on systems and data, emphasizing the importance of security measures such as firewalls and anti-virus software. Additionally, it discusses the implications of spyware, adware, and spam, along with advanced attack methods like man-in-the-middle and keystroke logging.

Uploaded by

mwanzaimmanuel56
METHODS OF ATTACK

NETWORK SECURITY
1) Malware
• Social engineering is a common security threat which preys upon human weakness to obtain desired results.
• In addition to social engineering, there are other types of attacks which exploit the vulnerabilities in computer software.
• Examples of these attack techniques include viruses, worms and Trojan horses.
• All of these are types of malicious software introduced onto a host.
• They can damage a system, destroy data, as well as deny access to networks, systems, or services.
• They can also forward data and personal details from unsuspecting computer users to criminals.
• In many cases, they can replicate themselves and spread to other hosts connected to the network.
• Sometimes these techniques are used in combination with social engineering to trick an unsuspecting user into executing the attack.
i) Viruses
• A virus is a program that runs and spreads by modifying other programs or files.
• A virus cannot start by itself; it needs to be activated.
• Once activated, a virus may do nothing more than replicate itself and spread.
• Though simple, even this type of virus is dangerous as it can quickly use all available memory and bring a system to a halt.
• A more serious virus may be programmed to delete or corrupt specific files before spreading.
• Viruses can be transmitted via email attachments, downloaded files, instant messages or via diskette, CD or USB devices.
• Worms and viruses propagate by exploiting vulnerabilities in services and other weaknesses in operating systems.
• Host-based firewalls prevent this malware from gaining access to servers. They can also help prevent the spread of worms and viruses by controlling outbound traffic originating from a server.
ii) Worms
• A worm is similar to a virus, but unlike a virus does not need to attach itself to an existing program.
• A worm uses the network to send copies of itself to any connected hosts.
• Worms can run independently and spread quickly.
• They do not necessarily require activation or human intervention.
• Self-spreading network worms can have a much greater impact than a single virus and can infect large parts of the Internet quickly.
iii) Trojan Horses
• A Trojan horse is a non-self-replicating program that is written to appear like a legitimate program, when in fact it is an attack tool.
• A Trojan horse relies upon its legitimate appearance to deceive the victim into initiating the program.
• It may be relatively harmless or can contain code that can damage the contents of the computer's hard drive.
• Trojans can also create a back door into a system, allowing hackers to gain access.
iv) Ransomware
• Ransomware, from the words "ransom" and "malware", is a type of malware that prevents users from accessing their system or personal files and demands a ransom payment in order to regain access.
• There are several different ways that ransomware can infect your computer.
• One of the most common methods today is through malicious spam, or malspam, which is unsolicited email that is used to deliver malware.
• The email might include booby-trapped attachments, such as PDFs or Word documents. It might also contain links to malicious websites.
v) Back doors and Trojan Horses
• Back doors and Trojan horses allow hackers to remotely gain access to servers on a network.
• The software typically works by sending a message to let the hacker know of a successful infection.
• It then provides a service that the hacker can use to gain access to the system.
• Host-based firewalls can prevent a Trojan from sending a message by limiting outbound network access.
• They can also prevent the attacker from connecting to any services.
• In addition to host-based firewalls, anti-virus software can be installed as a more comprehensive security measure.
• Anti-virus software protects computer systems from viruses, worms, spyware, malware, phishing, and even spam.
• Many ISPs offer customers anti-virus software as part of their comprehensive security services.
2) Denial of Service (DoS)
• DoS attacks are aggressive attacks on an individual computer or groups of computers with the intent to deny services to intended users.
• DoS attacks can target end user systems, servers, routers, and network links.
• In general, DoS attacks seek to flood a system or network with traffic to prevent legitimate network traffic from flowing, or to disrupt connections between a client and server to prevent access to a service.
• There are several types of DoS attacks.
• Security administrators need to be aware of the types of DoS attacks that can occur and ensure that their networks are protected.
• Three common DoS attacks are:
a) SYN (Synchronous) flooding: A flood of packets is sent to a server requesting a client connection. The packets contain invalid source IP addresses. The server becomes occupied trying to respond to these fake requests and therefore cannot respond to legitimate ones.
b) Ping of death: A packet that is greater in size than the maximum allowed by IP (65,535 bytes) is sent to a device. This can cause the receiving system to crash.
c) ICMP flood: Also known as a ping flood, this is a common Denial of Service (DoS) attack in which an attacker takes down a victim's computer by overwhelming it with ICMP echo requests, also known as pings.
• Normally, ICMP echo-request and echo-reply messages are used to ping a network device in order to diagnose the health and connectivity of the device and the connection between the sender and the device.
• By flooding the target with request packets, the network is forced to respond with an equal number of reply packets.
• This causes the target to become inaccessible to normal traffic.
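
The SYN flooding case above can be seen from the defender's side by counting connection requests that never complete. The following is an added example, not part of the original slides; the record format, addresses, timeout and threshold are assumptions made for illustration.

```python
from collections import defaultdict

SERVER = "203.0.113.10:443"  # constructed, documentation-range address

def sample_events():
    """Constructed sensor records: (time_ms, src_ip, src_port, dst, flag)."""
    ev = []
    for i in range(5):  # five real clients that finish the handshake
        ev.append((i * 500, f"198.51.100.{i + 1}", 40000 + i, SERVER, "SYN"))
        ev.append((i * 500 + 50, f"198.51.100.{i + 1}", 40000 + i, SERVER, "ACK"))
    for i in range(200):  # flood: invalid sources that never answer
        ev.append((3000 + i * 5, f"192.0.2.{i + 1}", 1024 + i, SERVER, "SYN"))
    return sorted(ev)

def half_open_alerts(events, timeout_ms=2000, threshold=100):
    """Alert once per destination when unanswered SYNs reach the threshold.

    Counting is per destination, not per source: the source addresses in a
    SYN flood are invalid, so a per-source counter never fills up.
    """
    pending = defaultdict(dict)  # dst -> {(src_ip, src_port): time of SYN}
    alerted, alerts = set(), []
    for t, src, sport, dst, flag in events:
        table = pending[dst]
        for key in [k for k, t0 in table.items() if t - t0 > timeout_ms]:
            del table[key]                  # request aged out
        if flag == "SYN":
            table[(src, sport)] = t         # connection requested
        elif flag == "ACK":
            table.pop((src, sport), None)   # handshake completed
        if len(table) >= threshold and dst not in alerted:
            alerted.add(dst)
            alerts.append((t, dst, len(table)))
    return alerts

def max_syns_per_source(events):
    """What a naive per-source counter would see for the same traffic."""
    counts = defaultdict(int)
    for _, src, _, _, flag in events:
        if flag == "SYN":
            counts[src] += 1
    return max(counts.values())

if __name__ == "__main__":
    print(half_open_alerts(sample_events()))
    print(max_syns_per_source(sample_events()))
```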
3) Brute Force Attacks
• Not all attacks that cause network outages are specifically DoS attacks.
• A brute force attack is another type of attack that may result in denial of services.
• With brute force attacks, a fast computer is used to try to guess passwords or to decipher an encryption code.
• The attacker tries a large number of possibilities in rapid succession to gain access or crack the code.
• Brute force attacks can cause a denial of service due to excessive traffic to a specific resource or by locking out user accounts.
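
The last point, that account lockout can itself deny service, is easiest to see by running the same login log through two policies. This is an added example, not part of the original slides; the policy names, limits and the constructed log are assumptions.

```python
def sample_attempts():
    """Constructed log: (time_s, source, user, password_correct)."""
    guesser = [(t, "192.0.2.50", "alice", False) for t in range(10)]
    owner = [(12, "198.51.100.7", "alice", True)]
    return guesser + owner

def evaluate(attempts, policy, free=5, lock_s=900, base_s=2):
    """Return one outcome per attempt: 'ok', 'fail' or 'blocked'.

    policy='lockout'  : after `free` failures the account is locked for
                        everyone for lock_s seconds.
    policy='throttle' : failures are counted per (source, user); after `free`
                        failures that source waits base_s * 2**(n - free).
    """
    fails, blocked_until, outcomes = {}, {}, []
    for t, src, user, ok in attempts:
        key = user if policy == "lockout" else (src, user)
        if t < blocked_until.get(key, 0):
            outcomes.append("blocked")      # rejected before checking password
            continue
        if ok:
            fails.pop(key, None)            # success resets the counter
            outcomes.append("ok")
            continue
        n = fails[key] = fails.get(key, 0) + 1
        if n >= free:
            delay = lock_s if policy == "lockout" else base_s * 2 ** (n - free)
            blocked_until[key] = t + delay
        outcomes.append("fail")
    return outcomes

if __name__ == "__main__":
    for policy in ("lockout", "throttle"):
        print(policy, evaluate(sample_attempts(), policy))
```

Under the lockout policy the account owner's correct password at t=12 is rejected; under per-source throttling the owner logs in while the guessing source is slowed. Throttling per source does not by itself limit guesses spread over many sources.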
4) Spyware, tracking cookies, Adware and pop-ups
• Not all attacks do damage or prevent legitimate users from having access to resources.
• Many threats are designed to collect information about users which can be used for advertising, marketing and research purposes. These include spyware, tracking cookies, adware and pop-ups. While these may not damage a computer, they invade privacy and can be annoying.
5) Spyware
• Spyware is any program that gathers personal information from your computer without your permission or knowledge. This information is sent to advertisers or others on the Internet and can include passwords and account numbers.
• Spyware is usually installed unknowingly when downloading a file, installing another program or clicking a popup.
• It can slow down a computer and make changes to internal settings, creating more vulnerabilities for other threats. In addition, spyware can be very difficult to remove.
6) Tracking Cookies
• Cookies are a form of spyware but are not always bad.
• They are used to record information about an Internet user when they visit websites.
• Cookies may be useful or desirable by allowing personalization and other time-saving techniques.
• Many web sites require that cookies be enabled in order to allow the user to connect.
7) Adware
• Adware is a form of spyware used to collect information about a user based on websites the user visits.
• That information is then used for targeted advertising. Adware is commonly installed by a user in exchange for a "free" product.
• When a user opens a browser window, adware can start new browser instances which attempt to advertise products or services based on a user's surfing practices.
8) Spam
• Another annoying by-product of our increasing reliance on electronic communications is unwanted bulk email.
• Sometimes merchants do not want to bother with targeted marketing.
• They want to send their email advertising to as many end users as possible, hoping that someone is interested in their product or service.
• This widely distributed approach to marketing on the Internet is called spam. Spam is a serious network threat that can overload ISPs, email servers and individual end-user systems.
• A person or organization responsible for sending spam is called a spammer. Spammers often make use of unsecured email servers to forward email.
• Spammers can use hacking techniques, such as viruses, worms and Trojan horses, to take control of home computers.
9) Social Engineering
• One of the easiest ways for an intruder to gain access, whether internal or external, is by exploiting human behavior.
• One of the more common methods of exploiting human weaknesses is called social engineering.
• Social engineering is a term that refers to the ability of something or someone to influence the behavior of a group of people.
• In the context of computer and network security, social engineering refers to a collection of techniques used to deceive internal users into performing specific actions or revealing confidential information.
• With these techniques, the attacker takes advantage of unsuspecting legitimate users to gain access to internal resources and private information, such as bank account numbers or passwords.
• Social engineering attacks exploit the fact that users are generally considered one of the weakest links in security.
• Social engineers can be internal or external to the organization, but most often do not come face-to-face with their victims. Three of the most commonly used techniques in social engineering are pretexting, phishing, and vishing.
a) Pretexting
• Pretexting is a form of social engineering where an invented scenario (the pretext) is used on a victim in order to get the victim to release information or perform an action.
• The target is typically contacted over the telephone.
• For pretexting to be effective, the attacker must be able to establish legitimacy with the intended target, or victim.
• This often requires some prior knowledge or research on the part of the attacker.
• For example, if an attacker knows the target's social security number, they may use that information to gain the trust of their target.
• The target is then more likely to release further information.
b) Phishing
• Phishing is a form of social engineering where the phisher pretends to represent a legitimate outside organization.
• They typically contact the target individual (the phishee) via email.
• The phisher might ask for verification of information, such as passwords or usernames, in order to prevent some terrible consequence from occurring.
c) Vishing / Phone Phishing
• A new form of social engineering that uses Voice over IP (VoIP) is known as vishing.
• With vishing, an unsuspecting user is sent a voice mail instructing them to call a number which appears to be a legitimate telephone-banking service, for example.
• The call is then intercepted by a thief.
• Bank account numbers or passwords entered over the phone for verification are then stolen.
10) Man-in-the-Middle
• When a party succeeds in interposing itself between two endpoints and is thereby able to intercept and possibly modify the communication without either party being aware, this is referred to as a "man-in-the-middle" (MiM) attack.
• MiM is related to interception, but requires that the interception occurs as the result of the interposition of a listener rather than strictly passive eavesdropping.
11) Replay
• Replay involves the interception of information intended for a target system, followed by sending that information, possibly with additional information inserted, to the target system for the purpose of attacking the system.
• Replay is a form of MiM attack in which the intercepted message is not modified, although it may be augmented.
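
Because a replayed message is unmodified, an integrity check alone accepts it; the receiver also needs a freshness check. The following is an added example, not part of the original slides, of a receiver that combines an HMAC with a timestamp window and a nonce cache; the key, message fields and 30-second window are assumptions.

```python
import hashlib
import hmac
import json
import os

KEY = b"constructed-demo-key"  # shared secret, constructed for this example

def seal(payload, now, nonce=None):
    """Sender side: bind payload, timestamp and nonce under one MAC."""
    nonce = nonce or os.urandom(8).hex()
    body = json.dumps({"p": payload, "ts": now, "n": nonce},
                      sort_keys=True).encode()
    return body, hmac.new(KEY, body, hashlib.sha256).hexdigest()

class Receiver:
    def __init__(self, window_s=30):
        self.window_s = window_s
        self.seen = {}  # nonce -> timestamp of the accepted message

    def accept(self, body, tag, now):
        expected = hmac.new(KEY, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return "bad-mac"   # modified or augmented in transit
        msg = json.loads(body)
        if abs(now - msg["ts"]) > self.window_s:
            return "stale"     # too old (or too far ahead) to trust
        # Nonces only need to be remembered while their message is fresh.
        self.seen = {n: ts for n, ts in self.seen.items()
                     if now - ts <= self.window_s}
        if msg["n"] in self.seen:
            return "replay"    # valid MAC, fresh timestamp, already used
        self.seen[msg["n"]] = msg["ts"]
        return "ok"

if __name__ == "__main__":
    body, tag = seal({"op": "transfer", "amount": 100}, now=1000)
    rx = Receiver()
    print(rx.accept(body, tag, 1001), rx.accept(body, tag, 1005))
```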
12) Forced Crash and Retrieval of Crash Artifacts
• When systems fail, they often leave traces of their internal operation or leave resources in an inconsistent and potentially unprotected or insecure (for example, unencrypted) state.
• Access to protected information can, therefore, sometimes be achieved by forcing a system to crash and then examining the artifacts that remain.
• A crash can sometimes be achieved by exploitation of incomplete validation of inputs or exposure of internal objects that can be modified during an attack to force the system into a state that causes failure.
• The most common type of artifact left behind is a file containing an image of the process.
• Such an image often contains sensitive data, such as unencrypted credentials or the details and relative addresses of stack variables and program code.
13) Forced Restart, Forced Re-Install
• One way of inserting malicious software into a system is by compromising a system's bootup or installation configuration.
• If the system is then caused to crash or become unusable so that it will have to be re-started, or corrupt so that it will have to be re-installed (with a compromised installation), the compromised configuration will be started or installed, respectively.
• This is an extremely powerful and subtle technique.
• It is unfortunately true that "backup" resources are usually much less protected than primary resources.
• Thus, by silently implanting a Trojan horse in a backup resource (or in an emergency response tool) and then merely forcing the primary resource to crash or be crippled, the compromised backup resource will be installed.
14) Spoofing
• Spoofing involves forging or corrupting (destroying the integrity of) a resource or artifact for the purpose of pretending to be, i.e., masquerading as, something or someone else.
• There are many variations on spoofing, and it can be done at any level of a system, from the network level through the application level. Some examples are:
  - Forging IP packet source addresses.
  - Forging ARP packets to fool a router into thinking that your machine has someone else's IP address.
  - Creating misleading Web pages that fool a user into thinking that they are at a different site.
  - Sending a name resolution request to a DNS server, forcing it to forward the request to a more authoritative server, and then immediately sending a forged response, causing the first DNS server to cache the forged response and supply that address to its clients.
15) Hijacking
• The term "hijacking" is usually used to refer to an attack that involves disconnecting a server resource in some manner from a resource channel and replacing it with a different server resource.
• Thus, the channel is "hijacked."
• This is a variation of spoofing because users of the channel think that they are accessing the intended resource, via the channel, but are "spoofed" by the replacement resource.
16) Keystroke Loggers
• Keyloggers are built for the act of keystroke logging, creating records of everything you type on a computer or mobile keyboard.
• These are used to quietly monitor your computer activity while you use your devices as normal.
• Keyloggers are used for legitimate purposes like feedback for software development but can be misused by criminals to steal your data.
END
ANY QUESTIONS?
