Common Security Threats

Question 1

3 major categories of attacks

Answer 1

1. Reconnaissance Attacks
2. Access attacks
3. DoS attacks

Question 2

Reconnaissance Attacks

Answer 2

• known as information gathering
• think of thief scouting neighbourhood for vulnerable houses
• hackers use recon attacks to do unauthorized discovery and mapping of systems, services, or vulnerabilities
• recon attacks precede access attacks or DoS attacks and often employ the use of widely available tools

Question 3

Steps of a Reconnaissance Attack

Answer 3

1. Perform an information query of a target
2. Initiate a ping sweep of the target network
3. initiate a port scan of active IP addresses
4. run vulnerability scanners
5. run exploitation tools

Question 4

Access Attacks

Answer 4

Access attacks exploit known vulnerabilities in authentication services, FTP services, and web services to gain entry to web accounts, confidential databases, and other sensitive information.

Question 5

3 reasons hackers would use access attacks

Answer 5

1. to retrieve data
2. to gain access
3. to escalate access privileges

Question 6

Types of Access attacks

Answer 6

1. password attack
2. Trust exploitation
3. port redirection
4. MITM
5. Buffer overflow
6. IP, MAC, DHCP spoofing

Question 7

IP, MAC, and DHCP spoofing attacks

Answer 7

Spoofing attacks are attacks in which one device attempts to pose as another by falsifying data. There are multiple types of spoofing attacks. For example, MAC address spoofing occurs when one computer accepts data packets based on the MAC address of another computer. ​

Question 8

Buffer Overflow

Answer 8

This is when a hacker exploits the buffer memory and overwhelms it with unexpected values. This usually renders the system inoperable, creating a DoS attack. It is estimated that one third of malicious attacks are the result of buffer overflows.​

Question 9

MITM Man-In-The-Middle Attack

Answer 9

The hacker is positioned in between two legitimate entities in order to read or modify the data that passes between the two parties. ​

Question 10

Port Redirection

Answer 10

This is when a hacker uses a compromised system as a base for attacks against other targets. ​

Question 11

Trust Exploitation

Answer 11

A hacker uses unauthorized privileges to gain access to a system, possibly compromising the target. ​

Question 12

Password Attack

Answer 12

Hackers attempt to discover critical system passwords using various methods, such as social engineering, dictionary attacks, brute-force attacks, or network sniffing. Brute-force password attacks involve repeated attempts using tools such as Ophcrack, L0phtCrack, THC Hydra, RainbowCrack, and Medusa. ​

Question 13

Social Engineering

Answer 13

• Social engineering is an access attack that attempts to manipulate individuals into performing actions or divulging confidential information. ​
• Let’s say a hacker calls an authorized employee with an urgent problem that requires immediate network access. The hacker could appeal to the employee’s vanity, invoke authority using name-dropping techniques, or appeal to the employee’s greed.​

Question 14

Social Engineering attacks

Answer 14

• Pretexting
• Phishing
• Spear Phishing
• Spam
• Tailgating
• somthing for somthing (quid pro quo)
• Baiting

Question 15

Phishing

Answer 15

Phishing is when a malicious party sends a fraudulent email disguised as being from a legitimate, trusted source. The message intends to trick the recipient into installing malware on their device, or into sharing personal or financial information.​

Question 16

Pretexting

Answer 16

This is when a hacker calls an individual and lies to them in an attempt to gain access to privileged data. An example involves an attacker who pretends to need personal or financial data in order to confirm the identity of the recipient.​

Question 17

Social Engineering Toolkit​

Answer 17

The Social Engineering Toolkit (SET) was designed to help white hat hackers and other network security professionals create social engineering attacks to test their own networks.​

Question 18

Baiting

Answer 18

This is when a hacker leaves a malware-infected physical device, such as a USB flash drive in a public location such as a corporate washroom. The finder finds the device and loads it onto their computer, unintentionally installing the malware.​

Question 19

Something for Something​

(Quid pro quo)​

Answer 19

This is when a hacker requests personal information from a party in exchange for something like a free gift.​

Question 20

Tailgating

Answer 20

This is when a hacker quickly follows an authorized person into a secure location. The hacker then has access to a secure area.​

Question 21

SPAM

Answer 21

Hackers may use spam email to trick a user to click an infected link or download an infected file.​

Question 22

Spear Phishing

Answer 22

This is a targeted phishing attack tailored for a specific individual or organization. ​

Question 23

Denial of Service Attacks

Answer 23

A DoS attack results in some sort of interruption of service to users, devices, or applications

there are 2 major sources of DoS attacks:

• Maliciously formatted packets
• Overwhelming Quantity of Traffic

Question 24

DoS: Overwhelming Quantity of Traffic

Answer 24

This is when a network, host, or application is unable to handle an enormous quantity of data, causing the system to crash or become extremely slow.

Question 25

DoS: Maliciously Formatted Packets

Answer 25

This is when a maliciously formatted packet is forwarded to a host or application and the receiver is unable to handle an unexpected condition

An example of this would be a hacker forwards packets containing errors that cannot be identified by the application, or forwards improperly formatted packets. This causes the receiving device to crash or run very slowly

Question 26

DoS: TCP SYN Flood Attack

Answer 26

In this type of attack, a hacker sends many TCP SYN session request packets with a spoofed source IP address to an intended target. ​

The target device replies with a TCP SYN-ACK packet to the spoofed IP address and waits for a TCP ACK packet.

However, the responses never arrive, and the target hosts are overwhelmed with TCP half-open connections.​

Question 27

Distributed Denial of Service attack (DDoS)

Answer 27

similar in intent to a DoS attack, except that a DDoS attack increases in magnitude because it originates from multiple, coordinated sources. ​

DDoS attacks also introduced new terms such as botnet, handler systems, and zombie computers.​

The most common DDoS attack right now is going through HTTP (about 80% of current DDoS attacks). Whether it is using SSL to attack or using hashing attacks, it seem that HTTP is the protocol being picked on. ​

Question 28

DDoS: Sloworis

Answer 28

• Kali linux does support this
• Sloworis allows you to send a very slow pace of attack that’s designed to keep the tables full and so you start eating up a lot of information processing power. ​

Question 29

DDoS: Collision hashing

Answer 29

This type of attack is telling these HTTP web servers that they got a hash problem and they need to recompute and figure out where all these problems are happening and start redoing these hashes.

Anytime you do any type of crypto or any type of calculations like that, it eats up a ton of resources.

Question 30

Attack Methods Summary​

Answer 30

Reconnaissance​

Access​

Social Engineering​

Privilege Escalation​

Back Doors​

Code Execution​

Covert Channel​

Trust Exploitation​

Brute Force Attacks (Password Guessing)​

Botnets​

DoS and DDoS​

Question 31

Primary Vulnerabilities for end device attacks

Answer 31

Viruses
Worms
Trojan Horse attacks

Question 32

Viruses

Answer 32

• A virus is malicious code that is attached to executable files which are often legitimate programs. ​
• Viruses normally require end user activation, which means that they can lay dormant for an extended period and then activate at a specific time or date. ​
• Viruses can be harmless, such as those that display a picture on the screen, or they can be destructive, such as those that modify or delete files on the hard drive. Viruses can also be programmed to mutate to avoid detection.​
• Most viruses are now spread by USB memory drives, CDs, DVDs, network shares, and email. Email viruses are now the most common type of virus.​

Question 33

Worms

Answer 33

• Worms replicate themselves by independently exploiting vulnerabilities in networks.
• While a virus requires a host program to run, worms can run by themselves. Once the device has been infected, the worm no longer requires user participation and the worm is able to spread very quickly over the network.
• Notable worm attacks: Code red worm (2001) 658 servers to over 300k in 19 hours,

Question 34

SQL Slammer Worm

Answer 34

aka the worm that ate the internet

• DoS attack that exploited a buffer overflow bug in MS SQL server
• at its peak it infected 250k + hosts, doubled every 8.5 seconds
• patch that fixed this vulnerability was deployed 6 months earlier, servers that were attacked did not update in time

Question 35

Trojan Horse

Answer 35

A Trojan horse is malware that carries out malicious ​operations under the guise of a desired function.

• exploits the privileges of the user that runs it
• It can cause immediate damage, provide remote access to the system, or access through a back door. It can also perform actions as instructed remotely, such as “send me the password file once per week.”

Question 36

Trojan Horse Classifications

Answer 36

• Remote-access Trojan Horse - enables unauthorized remote access
• Data-sending Trojan horse - sends data to attackers, passwords etc
• Destructive trojan horse - corrupts or deletes files
• Proxy Trojan Horse - uses victims computer as source for illegal activities
• FTP trojan horse - enables unauthorized file transfer
• Security software disabler trojan Horse - This stops antivirus programs or firewalls
• DoS trojan - slows or halts network activity

Question 37

Rootkit

Answer 37

This malware is installed on a compromised system. After it is installed, it continues to hide its intrusion and maintain privileged access to the hacker. ​

Question 38

Scareware

Answer 38

This malware includes scam software which uses social engineering to shock or induce anxiety by creating the perception of a threat. It is generally directed at an unsuspecting user. ​

Question 39

Adware

Answer 39

This malware typically displays annoying pop-ups to generate revenue for its author. The malware may analyze user interests by tracking the websites visited. It can then send pop-up advertising pertinent to those sites. ​

Question 40

Spyware

Answer 40

This malware is used to gather information about a user and send the information to another entity, without the user’s consent. Spyware can be classified as a system monitor, Trojan horse, Adware, Tracking cookies, and key loggers.​

Question 41

Ransomware

Answer 41

This malware denies access to the infected computer system. The ransomware then demands a paid ransom for the restriction to be removed. ​

Question 42

12 Domains of Network Security

Answer 42

Risk Assessment
security Policy
Organization of information security
Asset Management
Human resources security
physical environment security
communications and operations management
information systems acquisition, development, and maintenance
access control
information security incident management
business continuity management
compliance

Question 43

Mitigating Trojans and Viruses

Answer 43

• end user based
• Use and antivirus and keep it up to date
• Keep employees educated about security and phishing etc

Question 44

Mitigating worms

Answer 44

• network based
• Containment if it happens need to contain the incident: segregate parts of the network to stop or slow the worm’s spread
• quarantine: find which systems are infected and quarantine/remove them from the network
• inoculation: happens same time or before quarantine: remove non infected systems and patch them immediately
• treatment: remove the software the worm uses or fully wipe and reinstall the device

Question 45

Mitigating Reconnaissance attacks

Answer 45

• Implement authentication to ensure proper access
• use encryption to render packet sniffer attacks useless
• use anti-sniffer tools to detect packet sniffer attacks
• implement a switched infrastructure
• use a firewall and IPS

These attacks can be detercted by preconfigured alarms or notifications: such as the number if icmp requests per second

Question 46

Network Foundation Protection

Answer 46

systematically breaking down the infrastructure into smaller components and then systematically focusing on how to secure each of those components.​
3 planes or functionalities: 
 - management plane
 - control plane
 - data plane