Types of Internet Attacks Explained

Uploaded by 953623243038

CCS340 – CYBER SECURITY

SYLLABUS
UNIT II
ATTACKS AND COUNTERMEASURES

OWASP; Malicious Attack Threats and Vulnerabilities: Scope of Cyber-Attacks – Security Breach – Types of Malicious Attacks – Malicious Software – Common Attack Vectors – Social engineering Attack – Wireless Network Attack – Web Application Attack – Attack Tools – Countermeasures.
Malicious Attack Threats and Vulnerabilities
Scope of Cyber-Attacks:
- Every day, systems around the world are under threat.
- In most cases, the only people who ever know about these attacks are security professionals and IT personnel.
- Security professionals are responsible for protecting their systems from threats and for handling malicious attacks when they do occur.
- One of the most effective ways to protect computer systems is to ensure that vulnerabilities are mitigated throughout the IT infrastructure, quickly and efficiently.
Scope of Cyber-Attacks: What Are You Trying to Protect?
- We are trying to protect assets.
- An asset is any item that has value.
- Although all items in an organization have some value, the term asset generally applies to those items that have substantial value.
An organization’s assets can include the following:
- Customer data - Name, address, phone, Social Security number (SSN), date of birth, cardholder data, protected health care information.
- IT assets and network infrastructure—Hardware, software, and services.
- Intellectual property - Sensitive data such as patents, source code, formulas, or engineering plans.
- Finances and financial data - Bank accounts, credit card data, and financial transaction data.
- Service availability and productivity.
- Reputation - Corporate compliance and brand image.

• Customer data:
- Loss of customer private data, cardholder data, or electronic protected health information rises to the top of newsworthy headlines because of its impact.
- In today’s digital era, customer private data is vulnerable to theft and abuse by another individual.
- When private data is used to impersonate an individual, the outcome is called identity theft.
- Customer private data may include first and last name, home address, phone number, date of birth, SSN, or cardholder data.
• IT and Network Infrastructure:
- Hardware and software are key pieces of any organization’s infrastructure.
- Figure shows the seven domains of a typical IT infrastructure framework.
- Components in each domain may connect to a network or to the Internet.
- Threats can exist both internal to the IT infrastructure and external, given that the IT infrastructure is connected to the Internet.
- Damage to data caused by new threats includes armored viruses, ransomware, and CryptoLocker malware, which can cost time and money to fix or replace.
- Armored viruses have hardened code that makes it difficult to reverse-engineer the malware and build an antivirus signature for it.
- Ransomware is a new form of malware linked to a time clock, forcing the victim organization to pay a ransom to prevent its data from being deleted.
- CryptoLocker is a specific form of ransomware that encrypts critical files or data until the victim pays a ransom to obtain the decryption keys.
- The problems a malicious attack leads to can include loss of critical data or theft of financial information or intellectual property.
- Unprotected IT and network infrastructure assets offer attackers and cybercriminals the widest opening to access sensitive resources.
- That means you should put your most valuable assets deep inside your IT infrastructure to enable a layered security defense.
- Layered security defenses are critical given the sophistication of new, polymorphic malware.
- Polymorphic malware is harmful because it can morph, or change, making it difficult to detect and remediate with antivirus or anti-malware applications.
• Intellectual Property:
- Intellectual property is at the center of many organizations.
- Intellectual property is an asset of an organization.
- It can be a unique business process or actual data such as customer data.
- Examples of intellectual property include patents, drug formulas, engineering plans, scientific formulas, and recipes.
- In a digital world, data constitute the most valuable asset.
- The more data you have, the more valuable you are.
- And if you have metadata for your data, that can add further value to your data.
- As an information systems security professional, it is your mission to prevent a data breach from occurring to your assets. That is your number-one objective.
- The core issue from an IT security perspective is preventing the theft of intellectual property and its release to competitors or to the public.
- The theft of intellectual property can nullify an organization’s competitive advantage.
- Imagine that a company called Alpha Drug Company invested $2 billion to develop a new prescription drug, with the expectation that it would earn $10 billion when it releases the drug.
- Now imagine that just as Alpha Drug Company was set to bring its medication to market, Beta Drug Company obtained Alpha’s formulas and rushed its own version to market.
- Alpha would lose the first-to-market advantage, and with it a big chunk of the revenue associated with the new drug, even though it paid for the R&D.
- Protecting intellectual property is a top-of-mind consideration for any organization.

• Finances and Financial Data:
- Financial assets are among the highest-profile assets in any organization.
- These assets can take various forms.
- They can be real financial assets, such as bank accounts, trading accounts, purchasing accounts, corporate credit cards, and other direct sources of money or credit.
- Alternatively, they can be data that allows access to real financial assets.
- Financial data can include customer credit card numbers, personal financial information, or usernames and passwords for banking or investment accounts.
- Other examples include the transaction data that companies and banks use to transfer financial data between themselves.
- This can include electronic data interchange (EDI) numbers or automated clearinghouse (ACH) transactions used for electronic payments or transfer of funds.
- Loss of financial assets due to malicious attacks is a worst-case scenario for all organizations.
- Not only does it represent significant physical loss, but it can also have long-term effects on a company’s reputation and brand image.
• Service Availability and Productivity:
- It is important that critical services be available for use when organizations need them.
- Downtime is the time during which a service is not available due to failure or maintenance.
- Downtime can be intentional or unintentional.
- Often administrators will schedule intentional downtime in advance.
- For example, when servers need operating system upgrades or patches, administrators take them offline intentionally so they can perform the necessary work without problems.
- Unintentional downtime is usually the result of technical failure, human error, or attack.
- Technical failure and human error are the most common causes of unintentional downtime.
- Although downtime caused by malicious attacks is less common, research indicates that it is growing rapidly.
- Malicious attacks can occur and cause downtime in any of the seven domains of an IT infrastructure, such as the User, Workstation, LAN, and LAN-to-WAN domains.
- Opportunity cost is the amount of money a company loses due to downtime.
- Some organizations refer to opportunity cost as true downtime cost.
- Opportunity cost usually measures the loss of productivity experienced by an organization due to downtime.
- For example, suppose a major airline’s reservation servers fail. While the servers are down, no customers can book flights.
- The opportunity cost of unintentional downtime is usually much higher than the opportunity cost of intentional downtime.
• Reputation:
- One of the most important things that information security professionals try to protect is their organization’s reputation and brand image.
- For example, a security breach that allows attackers to steal customer credit card data and distribute those data internationally would do significant harm to that company’s reputation and brand image.
- Even if the company’s response were swift and solved the problem effectively, the negative public perception of the company could remain for the long term.
- Among other consequences, this could lead to a decline in the organization’s revenue, net worth, and market capitalization.
Scope of Cyber-Attacks: Whom Are You Trying to Catch?
• In popular usage and in the media, the term hacker often describes someone who breaks into a computer system without authorization.
• The media and the general public also use the word hacker to describe anyone accused of using technology for terrorism, vandalism, credit card fraud, identity theft, intellectual property theft, or one of many other forms of crime.
• In the computing community, the term hacker generally describes a person who enjoys exploring and learning how to modify something, particularly related to computer systems.
• Hackers, for good or bad, are considered to be experts and tinkerers, but because of the way the media negatively portrays the term, hackers are often the subject of some controversy.
• Another type of attacker is a script kiddie: a wannabe hacker, a person of any age with little or no skill.
• This person simply follows directions or uses a “cookbook” approach to carrying out a cyberattack, without fully understanding the meaning of the steps he or she is performing.
Hackers can be categorized as follows:
• Black-hat hackers—A black-hat hacker tries to break IT security and gain access to systems with no authorization in order to prove technical ability. Black-hat hackers generally develop and use special software tools to exploit vulnerabilities.
• White-hat hackers—A white-hat hacker, or ethical hacker, is an information systems security professional who has authorization to identify vulnerabilities and perform penetration testing.
• Gray-hat hackers—A gray-hat hacker is a hacker with average abilities who may one day become a black-hat hacker but could also opt to become a white-hat hacker.
• Hackers are different from crackers.
• A cracker has a harsh intent, possesses sophisticated skills, and may be interested in financial gain.
• Crackers represent the greatest threat to networks and information resources.
• These threats usually involve fraud, theft of data, destruction of data, blockage of access, and other malicious activity.
Security Breach:
• Any event that results in a violation of any of the confidentiality, integrity, or availability (CIA) security tenets is a security breach.
• Some security breaches disrupt system services on purpose. Others are accidental and may result from hardware or software failures.
• Regardless of whether a security breach is accidental or malicious, it can affect an organization’s ability to conduct business as well as the organization’s believability.
Activities that can cause a security breach include the following:
• Denial of service (DoS) attacks
• Distributed denial of service (DDoS) attacks
• Unacceptable web-browsing behavior
• Wiretapping
• Use of a backdoor to access resources
• Accidental data modifications
Security Breach: Denial of service (DoS) attacks:
- Denial of service (DoS) attacks result in downtime or the inability of a user to access a system.
- A DoS attack is a coordinated attempt to deny service by occupying a computer with large amounts of unnecessary tasks.
- This excessive activity makes the system unavailable to perform legitimate operations.
- When a disk fills up, the system locks an account out, a computer crashes, or a CPU slows down, the result is denial of service—hence the name.
- DoS attacks generally originate from a single computer.
- Once you detect a DoS attack, you can stop it easily.

Two common types of DoS attacks are as follows:
Logic attacks:
- Logic attacks use software flaws to crash or seriously delay the performance of remote servers.
- You can prevent many of these attacks by installing the latest patches to keep your software up to date.
Flooding attacks:
- Flooding attacks overwhelm the victim computer’s CPU, memory, or network resources by sending large numbers of useless requests to the machine.
One of the best defenses against DoS attacks is to:
• Use intrusion prevention system (IPS) software or devices to detect and stop the attack.
• Intrusion detection system (IDS) software and devices can also detect DoS attacks and alert you when such attacks are in progress.
- Without a defense against DoS attacks, they can quickly overwhelm servers, desktops, and network hardware, slowing computing in your organization to a grinding halt.
- In some cases, these attacks can cripple an entire infrastructure.
- Attackers can launch DoS attacks using common Internet protocols such as TCP and Internet Control Message Protocol (ICMP).
- A DoS attack launched through one of these protocols can bring down one or more network servers or devices by flooding them with useless packets and providing false information about the status of network services. This is known as a packet flood.
- One popular technique for launching a packet flood is a SYN flood.
- SYN is a TCP control bit used to initialize TCP/IP communication with another device.
- Another popular technique is smurfing.
- The smurf attack uses a directed broadcast to create a flood of network traffic for the victim computer.
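The IDS check the lecture recommends, worked as an added Python example (this is not code from the lecture): a SYN flood leaves many handshakes that received a SYN but never the client's completing ACK, so the detector counts such half-open handshakes per destination host and port. The handshake events, the 3-second age limit and the alert threshold of 50 are all constructed assumptions for this illustration; counting per destination rather than per source is deliberate, because flood sources are typically forged.

```python
from collections import defaultdict
from typing import Dict, List, Set, Tuple

Event = Tuple[float, str, str, int, str]  # (timestamp s, src_ip, dst_ip, dst_port, flags)
Key = Tuple[str, str, int]                 # (src_ip, dst_ip, dst_port)

# Constructed handshake events, roughly as a flow sensor would export them. Not real traffic.
SAMPLE_EVENTS: List[Event] = [
    (-10.0, "10.0.0.9", "192.0.2.10", 443, "S"),   # old half-open, long since timed out
    (0.00, "10.0.0.5", "192.0.2.10", 443, "S"),    # legitimate client SYN
    (0.01, "192.0.2.10", "10.0.0.5", 443, "SA"),   # server SYN-ACK
    (0.02, "10.0.0.5", "192.0.2.10", 443, "A"),    # client ACK: handshake completed
]
# 120 SYNs within 120 ms to one web server from 120 different (forged-looking) sources,
# none of which ever sends the completing ACK.
SAMPLE_EVENTS += [
    (1.0 + i / 1000, f"198.51.100.{i + 1}", "192.0.2.10", 80, "S") for i in range(120)
]


def half_open_handshakes(events: List[Event], now: float, max_age: float = 3.0) -> Set[Key]:
    """Handshakes that got a SYN but no completing ACK and are younger than max_age.

    Older entries are ignored because a real stack would have dropped them already;
    what matters for a flood is how many are pending right now."""
    pending: Dict[Key, float] = {}
    for ts, src, dst, port, flags in events:
        key = (src, dst, port)
        if flags == "S":
            pending[key] = ts
        elif flags == "A":
            pending.pop(key, None)  # the client's final ACK closes the handshake
    return {key for key, ts in pending.items() if now - ts <= max_age}


def syn_flood_targets(events: List[Event], now: float,
                      threshold: int = 50, max_age: float = 3.0) -> Dict[Tuple[str, int], int]:
    """Destinations (host, port) whose half-open count reaches the alert threshold."""
    counts: Dict[Tuple[str, int], int] = defaultdict(int)
    for _src, dst, port in half_open_handshakes(events, now, max_age):
        counts[(dst, port)] += 1
    return {target: n for target, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for (host, port), n in syn_flood_targets(SAMPLE_EVENTS, now=2.0).items():
        print(f"ALERT possible SYN flood: {n} half-open handshakes to {host}:{port}")
```

An IDS would raise the alert; an IPS in the same position would additionally start dropping or rate-limiting new SYNs to that host and port. The legitimate client on port 443 never appears in the count because its handshake completed.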
Security Breach: Distributed denial of service (DDoS) attacks:
- The Distributed Denial of Service (DDoS) attack is a type of DoS attack that also impacts a user’s ability to access a system.
- In a DDoS attack, attackers hijack hundreds or even thousands of Internet computers, planting automated attack agents on those systems.
- The attacker then instructs the agents to bombard the target site with forged messages.
- This overloads the site and blocks legitimate traffic.
- The attacker does more damage by distributing the attack across multiple computers.
- Larger companies and universities tend to be attractive targets for attackers launching DDoS attacks.
- DDoS attacks are more difficult to stop than DoS attacks because they originate from different sources.
- Protecting computers from DDoS attacks requires several layers of security.
- Both DoS and DDoS attacks come in many forms and different levels of severity and can cost millions of dollars in lost revenue.
Security Breach: Unacceptable Web Browsing:
- A violation of an organization’s acceptable use policy (AUP), such as an employee’s unacceptable web browsing, can itself be a security breach.
- Organizations should have an AUP that clearly states what behavior is acceptable and what is not.
- Unacceptable use can include unauthorized users searching files or storage directories for data and information they are not supposed to read, or users simply visiting prohibited websites.
- The AUP defines the actions that are security breaches.

Security Breach: Wiretapping:
- Attackers can tap telephone lines and data communication lines.
- Wiretapping can be active, where the attacker makes modifications to the line.
- It can also be passive, where an unauthorized user simply listens to the transmission without changing the contents.
- Passive intrusion can include the copying of data for a subsequent active attack.
Two methods of active wiretapping are as follows:
i) Between-the-lines wiretapping:
- This type does not alter the messages sent by the legitimate user but inserts additional messages into the communication line when the legitimate user pauses.
ii) Piggyback-entry wiretapping:
- This type of wiretapping intercepts and modifies the original message by breaking the communications line and routing the message to another computer that acts as a host.
- Attackers can also use wiretapping to capture data communications. When referring to the capturing of data communications, however, the more commonly used term is sniffing.
Security Breach: Backdoors:
- Software developers sometimes include hidden access methods, called backdoors, in their programs.
- Backdoors give developers or support personnel easy access to a system without having to struggle with security controls.
- The problem is that backdoors don’t always stay hidden.
- When an attacker discovers a backdoor, he or she can use it to bypass existing security controls such as passwords, encryption, and so on.
- Where legitimate users log on through front doors using a user ID and password, attackers use backdoors to bypass these normal access controls.
- Attackers can also compromise a system by installing their own backdoor program on it.
- The netcat utility is one of the most popular backdoor tools in use today.
- Rootkits are malicious software programs designed to be hidden from normal methods of detection.
- Rootkits are installed by attackers once they obtain root or system administrator access privileges.
- Rootkits commonly include backdoors.
- Traditional rootkits replace critical programs to give attackers backdoor access and enable them to hide on the host system.
Security Breach: Data Modification:
- Data that are purposely or accidentally modified impact the integrity tenet of information systems security. This is also considered a security breach.
- An example is truncating data because the record field is not large enough to hold the complete data.
- This can occur with most programming languages and can be difficult to detect.
- The best way to avoid data modification issues is to validate data before storing that data and to ensure that your programs adhere to strict data integrity rules.
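The truncation case above, worked as an added Python example (not code from the lecture): a fixed-width record format packs a holder name into a 32-byte field, and Python's struct module cuts a longer string silently, so the stored record no longer matches what was given. The hardened path validates every field against the schema first and then reads the record back to prove nothing was lost. The record layout, field sizes and sample names are assumptions constructed for this illustration.

```python
import struct
from typing import List, Tuple

# Assumed record layout for this example: 16-byte account id, 32-byte holder
# name, 32-bit unsigned balance in cents. Constructed, not from the lecture.
RECORD = struct.Struct("<16s32sI")
ACCOUNT_LEN, NAME_LEN = 16, 32


def store_unchecked(account: str, name: str, cents: int) -> bytes:
    """Packs the fields straight into the record. struct silently truncates a
    string longer than its field, so oversized data is damaged without any error."""
    return RECORD.pack(account.encode("utf-8"), name.encode("utf-8"), cents)


def load(record: bytes) -> Tuple[str, str, int]:
    """Unpack a record; fixed-width fields are NUL-padded, so the padding is stripped."""
    acct, name, cents = RECORD.unpack(record)
    return (acct.rstrip(b"\0").decode("utf-8"), name.rstrip(b"\0").decode("utf-8"), cents)


def validation_problems(account: str, name: str, cents: int) -> List[str]:
    """Every way the input fails to fit the schema; an empty list means it is safe to store."""
    problems = []
    acct_b, name_b = account.encode("utf-8"), name.encode("utf-8")
    if not 1 <= len(acct_b) <= ACCOUNT_LEN:
        problems.append(f"account id must be 1..{ACCOUNT_LEN} bytes, got {len(acct_b)}")
    if not 1 <= len(name_b) <= NAME_LEN:
        problems.append(f"name must be 1..{NAME_LEN} bytes, got {len(name_b)}")
    if b"\0" in acct_b or b"\0" in name_b:
        problems.append("NUL bytes are not allowed (they would be stripped on read)")
    if not 0 <= cents < 2 ** 32:
        problems.append("balance out of range for a 32-bit unsigned field")
    return problems


def store_checked(account: str, name: str, cents: int) -> bytes:
    """Validate first, pack, then read the record back and compare it with the
    input, so any silent loss of data is caught before the record is persisted."""
    problems = validation_problems(account, name, cents)
    if problems:
        raise ValueError("; ".join(problems))
    record = RECORD.pack(account.encode("utf-8"), name.encode("utf-8"), cents)
    if load(record) != (account, name, cents):
        raise ValueError("round-trip mismatch: record would not hold the data faithfully")
    return record


if __name__ == "__main__":
    long_name = "Maximilian Alexander Montgomery-Smith"  # 37 characters, field holds 32
    print("unchecked store read back as:", load(store_unchecked("ACC-001", long_name, 12345)))
    print("checked store rejects it with:", validation_problems("ACC-001", long_name, 12345))
    print("checked store accepts:", load(store_checked("ACC-001", "Ada Lovelace", 500)))
```

Lengths are checked in bytes rather than characters because the field is sized in bytes; a name containing multi-byte characters could otherwise be cut in the middle of a character, which would make the unchecked record unreadable as well as wrong.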
What is a Malicious Attack?
An attack on a computer system or network asset succeeds by exploiting a vulnerability in the system.

There are four general categories of attack. An attack can consist of all or a combination of these four categories:
• Fabrications—Fabrications involve the creation of some deception in order to trick unsuspecting users.
• Interceptions—An interception involves eavesdropping on transmissions and redirecting them for unauthorized use.
• Interruptions—An interruption causes a break in a communication channel, which blocks the transmission of data.
• Modifications—A modification is the alteration of data contained in transmissions or files.
Types of Malicious Attack?
- Security threats can be active or passive.
- An active attack involves a modification of the data stream or attempts to gain unauthorized access to computer and networking systems.
- An active attack is a physical intrusion.
- In a passive attack, the attacker does not make changes to the system.
- This type of attack simply eavesdrops on and monitors transmissions.

Types of Malicious Attack? Active Threats:
1. Birthday attacks
2. Brute-force password attacks
3. Dictionary password attacks
4. IP address spoofing
5. Hijacking
6. Replay attacks
7. Man-in-the-middle attacks
8. Masquerading
9. Social engineering
10. Phishing
11. Phreaking
12. Pharming
1. Birthday Attacks:
- Once an attacker compromises a hashed password file, a birthday attack is performed.
- A birthday attack is a type of cryptographic attack that is used to make a brute-force attack on one-way hashes easier.
- It is a mathematical abuse that is based on the birthday problem in probability theory.

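The birthday problem the attack rests on, worked as an added Python example (this is not code from the lecture): the exact and approximate probability that two of k random hash outputs collide, the number of outputs needed before a collision becomes likely, and an empirical check on SHA-256 truncated to a handful of bits. The truncation lengths (8 and 20 bits) are choices made for this illustration; the formulas are the standard ones from probability theory.

```python
import hashlib
import math
import os


def collision_probability_exact(samples: int, space: int) -> float:
    """Exact birthday-problem probability that at least two of `samples` values
    drawn uniformly from `space` equally likely outputs coincide."""
    if samples > space:
        return 1.0  # pigeonhole: more samples than outputs guarantees a collision
    p_all_distinct = 1.0
    for i in range(samples):
        p_all_distinct *= (space - i) / space
    return 1.0 - p_all_distinct


def collision_probability_approx(samples: int, space: int) -> float:
    """Standard approximation 1 - exp(-k(k-1)/(2N)); needed when N is far too
    large (e.g. 2**128) to iterate over as the exact version does."""
    return 1.0 - math.exp(-samples * (samples - 1) / (2.0 * space))


def samples_for_probability(probability: float, space: int) -> float:
    """How many outputs must be collected before the collision chance reaches
    `probability`. For 0.5 this is about 1.177 * sqrt(N), which is why an n-bit
    hash gives only about n/2 bits of collision resistance."""
    return math.sqrt(2.0 * space * math.log(1.0 / (1.0 - probability)))


def truncated_digest(data: bytes, bits: int) -> int:
    """SHA-256 cut down to `bits` bits: a deliberately tiny output space so the
    birthday bound can be observed in a few hundred draws."""
    full = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return full >> (256 - bits)


def tries_until_collision(bits: int) -> int:
    """Draw random inputs until two share a truncated digest; returns the number
    of draws. Its typical value is close to samples_for_probability(0.5, 2**bits)."""
    seen = set()
    tries = 0
    while True:
        tries += 1
        digest = truncated_digest(os.urandom(16), bits)
        if digest in seen:
            return tries
        seen.add(digest)


if __name__ == "__main__":
    # The classic case: 23 people and 365 birthdays gives just over a 50 % chance.
    print(f"23 people, 365 days: {collision_probability_exact(23, 365):.4f}")
    # Collision work for real digest sizes; the space is too large to iterate, so
    # the closed-form estimate is used.
    for bits in (64, 128, 256):
        k = samples_for_probability(0.5, 2 ** bits)
        print(f"{bits}-bit digest: about 2^{math.log2(k):.1f} outputs for a 50 % collision")
    # Empirical check: 20-bit truncation should collide after roughly 1200 draws.
    print("20-bit truncated SHA-256 collided after", tries_until_collision(20), "draws")
```

The practical lesson is the square root: a digest has to be twice as long as the security level wanted against collisions, which is why short or truncated hashes are unsuitable wherever an attacker can choose both colliding inputs.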
2. Brute-Force Password Attacks:
- In a brute-force password attack, the attacker tries different passwords on a system until one of them is successful.
- Usually the attacker employs a software program to try all possible combinations of a likely password, user ID, or security code until it locates a match.
- This occurs rapidly and in sequence.
- This type of attack is called a brute-force password attack because the attacker simply beats away at the code.
- There is no skill or stealth involved—just brute force that eventually breaks the code.
3. Dictionary Password Attacks:
- A dictionary password attack is a simple attack that relies on users making poor password choices.
- In a dictionary password attack, a simple password-cracker program takes all the words from a dictionary file and attempts to log on by entering each dictionary entry as a password.
- Users often engage in the poor practice of selecting common words as passwords.
- A password policy that enforces complex passwords is the best defense against a dictionary password attack.
- Users should create passwords composed of a combination of letters and numbers, and the passwords should not include any personal information about the user.
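The policy defense described for both the brute-force and the dictionary attack, worked as an added Python example (not code from the lecture): a checker that rejects short passwords, passwords drawn from too few character classes, dictionary words even when padded with digits or symbols, and passwords containing the user's own personal details, plus a count of the worst-case guesses an exhaustive search needs, which shows why length and alphabet size matter. The 12-character and three-class thresholds and the tiny word list are constructed assumptions; a real deployment would load a large wordlist.

```python
import math
from typing import Iterable, List

# A tiny stand-in for the dictionary file a password cracker iterates over.
# Constructed for this example; a real check would load a large wordlist.
COMMON_WORDS = {"password", "welcome", "letmein", "summer", "dragon", "monkey"}

LOWER, UPPER, DIGITS, SYMBOLS = 26, 26, 10, 32  # printable-ASCII class sizes


def character_classes(password: str) -> List[str]:
    """Which of the four character classes the password draws on."""
    classes = []
    if any(c.islower() for c in password):
        classes.append("lower")
    if any(c.isupper() for c in password):
        classes.append("upper")
    if any(c.isdigit() for c in password):
        classes.append("digit")
    if any(not c.isalnum() for c in password):
        classes.append("symbol")
    return classes


def charset_size(password: str) -> int:
    """Size of the smallest alphabet an exhaustive search must cover to reach this password."""
    sizes = {"lower": LOWER, "upper": UPPER, "digit": DIGITS, "symbol": SYMBOLS}
    return sum(sizes[c] for c in character_classes(password))


def brute_force_guesses(password: str) -> int:
    """Worst case for a sequential brute-force search: every string of length 1..len
    over the password's alphabet must be tried before a hit is guaranteed."""
    n = charset_size(password)
    return sum(n ** k for k in range(1, len(password) + 1))


def check_policy(password: str, personal_info: Iterable[str] = ()) -> List[str]:
    """Policy rules the candidate violates; an empty list means it is accepted.
    Length and class thresholds are assumptions for this example, not lecture values."""
    problems = []
    if len(password) < 12:
        problems.append("shorter than 12 characters")
    if len(character_classes(password)) < 3:
        problems.append("fewer than 3 character classes")
    lowered = password.lower()
    # Drop digits and symbols so "Password123!" is still recognised as the word "password".
    letters_only = "".join(c for c in lowered if c.isalpha())
    if lowered in COMMON_WORDS or letters_only in COMMON_WORDS:
        problems.append("dictionary word")
    for item in personal_info:
        if len(item) >= 3 and item.lower() in lowered:
            problems.append(f"contains personal information ({item})")
    return problems


if __name__ == "__main__":
    for candidate in ("password", "Password123!", "Kettle-Orbit-7Sash"):
        verdict = check_policy(candidate) or ["accepted"]
        print(f"{candidate!r}: {', '.join(verdict)}")
        print(f"  dictionary guesses: {len(COMMON_WORDS)}, "
              f"brute-force worst case: 2^{math.log2(brute_force_guesses(candidate)):.1f}")
```

The contrast in the output is the point of the lecture's two attacks: a dictionary word falls to a handful of guesses no matter how large its brute-force keyspace looks, so the policy has to check the word list as well as length and complexity.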
4. IP Address Spoofing:
- Spoofing is a type of attack in which one person, program, or computer masks itself as another person, program, or computer to gain access to some resource.
- A common spoofing attack involves presenting a false network address to pretend to be a different computer.
- An attacker may change a computer’s network address to appear as an authorized computer in the target’s network.
- If the administrator of the target’s local router has not configured it to filter out external traffic with internal addresses, the attack may be successful.
- IP address spoofing can enable an attacker to access protected internal resources.

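The router filter the lecture says is missing in a successful spoofing attack, worked as an added Python example (not code from the lecture): packets arriving on the Internet-facing interface that claim an internal source address are dropped (ingress filtering), and, going beyond the lecture's one case, packets leaving the site with a non-internal source are dropped too (egress filtering), so the site cannot be used to spoof others. The internal prefixes, interface names and sample packets are constructed assumptions for this illustration.

```python
import ipaddress
from typing import List, Tuple

# Assumed site layout for this example (constructed, not from the lecture): the
# address blocks used inside the organization and the interface facing the Internet.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
EXTERNAL_IFACE = "wan0"


def is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def filter_decision(iface: str, src: str, dst: str) -> Tuple[str, str]:
    """Decide whether a packet seen on `iface` is accepted or dropped, with a reason.

    Ingress rule: traffic arriving from the Internet must not claim an internal
    source address (the check the lecture describes). Egress rule: traffic leaving
    the site must carry an internal source, so local hosts cannot spoof outsiders."""
    src_ip = ipaddress.ip_address(src)
    if iface == EXTERNAL_IFACE:
        if is_internal(src):
            return ("drop", "internal source address arriving from the Internet")
        if src_ip.is_loopback or src_ip.is_multicast or src_ip.is_unspecified:
            return ("drop", "impossible (bogon) source address")
    elif not is_internal(src):
        return ("drop", "outbound packet with non-internal source address")
    return ("accept", "")


def apply_filter(packets: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str, str]]:
    """Run (iface, src, dst) triples through the filter; return the dropped ones with reasons."""
    dropped = []
    for iface, src, dst in packets:
        verdict, reason = filter_decision(iface, src, dst)
        if verdict == "drop":
            dropped.append((iface, src, dst, reason))
    return dropped


# Constructed sample traffic; the addresses are documentation ranges, not real hosts.
SAMPLE_PACKETS = [
    ("wan0", "203.0.113.5", "10.0.0.1"),      # ordinary inbound packet
    ("wan0", "10.0.0.7", "10.0.0.1"),         # claims to be an internal host: spoofed
    ("wan0", "127.0.0.1", "10.0.0.1"),        # loopback can never arrive from outside
    ("lan0", "10.0.0.7", "203.0.113.5"),      # ordinary outbound packet
    ("lan0", "198.51.100.9", "203.0.113.5"),  # internal host spoofing an outside address
]

if __name__ == "__main__":
    for iface, src, dst, reason in apply_filter(SAMPLE_PACKETS):
        print(f"DROP {iface} {src} -> {dst}: {reason}")
```

The decision depends only on the interface and the source address, which is why this filter is cheap enough to run on a border router for every packet; it does not stop spoofing between two hosts that are both inside the same network, which is where the ARP-level attack discussed next applies.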
- ARP poisoning is an example of a spoofing attack.
- In this attack, the attacker spoofs the MAC address of a targeted device, such as a server, by sending false ARP resolution responses with a different MAC address.
- This causes duplicate network traffic to be sent from the server.
- Another type of network-based attack is the Christmas (XMAS) attack.
- This type of attack sends advanced TCP packets with flags set to confuse IP routers and network border routers; with the TCP header bits set to 1, the packet lights up the IP router like a Christmas tree.
5. Hijacking:
- Hijacking is a type of attack in which the attacker takes control of a session between two machines and masquerades as one of them.
There are a few types of hijacking:
Man-in-the-middle hijacking:
- The attacker uses a program to take control of a connection by masquerading as each end of the connection.
- For example, if Mary and Fred want to communicate, the attacker pretends to be Mary when talking with Fred and pretends to be Fred when talking to Mary.
- Neither Mary nor Fred knows they are talking to the attacker. The attacker can collect substantial information and can even alter data as they flow between Mary and Fred.
- This attack enables the attacker to either gain access to the messages or modify them before retransmitting.
- A man-in-the-middle attack can occur from an insider threat.
- An insider threat can come from an employee, contractor, or trusted person within the organization.
Browser or URL hijacking:
- The user is directed to a different website than the one he or she requested, usually to a fake page that the attacker has created.
- This gives the user the impression that the attacker has compromised the website when in fact the attacker simply diverted the user’s browser from the actual site.
- This type of attack is also known as typosquatting.
- Attackers can use this attack with phishing to trick a user into providing private information such as a password.
Session hijacking:
- The attacker attempts to take over an existing connection between two network computers.
- The first step in this attack is for the attacker to take control of a network device on the LAN, such as a firewall or another computer, in order to monitor the connection.
- This enables the attacker to determine the sequence numbers used by the sender and receiver.
- After determining the sequence numbering, the attacker generates traffic that appears to come from one of the communicating parties.
- This steals the session from one of the legitimate users.
- To get rid of the legitimate user who initiated the hijacked session, the attacker overloads one of the communicating devices with excess packets so that it drops out of the session.
6. Replay Attacks:
- Replay attacks involve capturing data packets from a network and retransmitting them to produce an unauthorized effect.
- The receipt of duplicate, authenticated IP packets may disrupt service or have some other undesired consequence.
- This helps intruders gain information that allows unauthorized access into a system.
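The receiver-side defense against the duplicate authenticated packets described above, worked as an added Python example (not code from the lecture): each message carries a nonce and a timestamp under an HMAC, so the receiver rejects anything with a bad tag, anything outside a freshness window, and anything whose nonce it has already accepted. A captured message therefore authenticates correctly but is still refused when retransmitted. The shared key, the 30-second window and the message layout are constructed assumptions for this illustration.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple

# Shared secret between sender and receiver; constructed for this example only.
KEY = b"constructed-demo-key-not-for-real-use"


def _mac_input(ts: int, nonce: str, payload: str) -> bytes:
    # The tag covers timestamp and nonce, so a captured message cannot be
    # "refreshed" by editing those fields without also forging the tag.
    return f"{ts}|{nonce}|{payload}".encode("utf-8")


def make_message(payload: str, nonce: Optional[str] = None, ts: Optional[int] = None) -> Dict:
    """Sender side: attach a fresh random nonce, a timestamp and an HMAC-SHA256 tag."""
    nonce = nonce if nonce is not None else secrets.token_hex(8)
    ts = ts if ts is not None else int(time.time())
    tag = hmac.new(KEY, _mac_input(ts, nonce, payload), hashlib.sha256).hexdigest()
    return {"ts": ts, "nonce": nonce, "payload": payload, "mac": tag}


class ReplayGuard:
    """Receiver side: accept each authenticated message at most once within a
    freshness window, so a captured packet cannot be retransmitted usefully."""

    def __init__(self, window_seconds: int = 30):
        self.window = window_seconds
        self.seen = {}  # nonce -> timestamp of the message it was accepted with

    def accept(self, msg: Dict, now: Optional[int] = None) -> Tuple[bool, str]:
        now = now if now is not None else int(time.time())
        expected = hmac.new(KEY, _mac_input(msg["ts"], msg["nonce"], msg["payload"]),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, msg["mac"]):
            return (False, "bad mac")            # forged or tampered
        if abs(now - msg["ts"]) > self.window:
            return (False, "stale timestamp")    # too old, or a clock far off
        if msg["nonce"] in self.seen:
            return (False, "replayed nonce")     # already processed once
        # Forget nonces older than the window: a replay that old fails the timestamp
        # check anyway, so the cache stays bounded without weakening the guard.
        self.seen = {n: t for n, t in self.seen.items() if now - t <= self.window}
        self.seen[msg["nonce"]] = msg["ts"]
        return (True, "ok")


if __name__ == "__main__":
    guard = ReplayGuard()
    captured = make_message("transfer 100 to account 42")
    print("first delivery:", guard.accept(captured))    # (True, 'ok')
    print("replayed copy: ", guard.accept(captured))    # (False, 'replayed nonce')
```

Both checks are needed: the timestamp alone would still let an attacker replay within the window, and the nonce cache alone would grow without bound and could not be pruned safely.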
Types of Malicious Attack? Active Threats:
7. Man-in-the-Middle Attacks:

- In this type of attack, an attacker intercepts messages between two parties before transferring
them on to their intended destination.

- Web spoofing is a type of man-in-the-middle attack in which the user believes a secure session
exists with a particular web server.

- In reality, the secure connection exists only with the attacker, not the web server.

- The attacker then establishes a secure connection with the web server.

- The attacker passes traffic between the user and the web server.

- In this way, the attacker can trick the user into supplying passwords, credit card information,
and other private data.

- Attackers use man-in-the-middle attacks to steal information, to execute DoS attacks, to
corrupt transmitted data, to gain access to an organization’s internal computer and network
resources, and to introduce new information into network sessions.
Types of Malicious Attack? Active Threats:
8. Masquerading:

- One user or computer pretends to be another user or computer.

- Masquerade attacks usually include one of the other forms of active attacks, such as IP
address spoofing or replaying.

- For example, an attacker might monitor usernames and passwords sent to a weak web
application.

- The attacker could then use the intercepted credentials to log on to the web application
and impersonate the user.
Types of Malicious Attack? Active Threats:
9. Social Engineering:

- Social engineering involves tricking authorized users into carrying out actions for
unauthorized users.

- The success of social engineering attacks depends on the basic tendency of people to want to
be helpful.

- Social engineering places the human element in the security breach loop and uses it as a
weapon.

- A forged or stolen vendor or employee ID could provide entry to a secure location.

- The intruder could then obtain access to important assets.

- Personnel who serve as initial contacts within an organization, such as receptionists and
administrative assistants, are often targets of social engineering attacks.
Types of Malicious Attack? Active Threats:
9. Social Engineering:

Eliminating social engineering attacks can be difficult, but here are some techniques to reduce their
impact:

- Ensure that employees are educated on the basics of a secure environment.

- Develop a security policy and computer use policy.

- Enforce a strict policy for internal and external technical support procedures.

- Require the use of identification for all personnel.

- Be very careful when using remote access. Use strong validation so you know who is
accessing your network.

- Teach personnel the techniques for sending and receiving secure email.

- Shred all documents that may contain confidential or sensitive information.


Types of Malicious Attack? Active Threats:
10. Phreaking:

- Phone phreaking is a slang term that describes the activity of a subculture of people
who study, experiment with, or explore telephone systems, telephone company
equipment, and systems connected to public telephone networks.

- Phreaking is the art of exploiting bugs and glitches that exist in the telephone system.
Types of Malicious Attack? Active Threats:
11. Phishing:

- Phishing is a type of fraud in which an attacker attempts to trick the victim into providing private
information such as credit card numbers, passwords, dates of birth, bank account numbers, automated
teller machine (ATM) PINs, and Social Security numbers.

- The message appears to come from a legitimate source, such as a trusted business or financial institution,
and includes an urgent request for personal information.

- Phishing messages usually indicate a critical need to update an account (banking, credit card, etc.)
immediately.

- The message instructs the victim to either provide the requested information or click on a link provided
in the message.

- Clicking the link leads the victim to a spoofed website.

- This website looks identical to the official site but in fact belongs to the scammer.

- Personal information entered into this web page goes directly to the scammer, not to the legitimate
organization.
Types of Malicious Attack? Active Threats:
11. Phishing:
- A variation of the phishing attack is spear phishing.

- Spear phishing uses email or instant messages to target a specific organization,
seeking unauthorized access to confidential data.

- As with the messages used in regular phishing attempts, spear-phishing messages
appear to come from a trusted source.
Types of Malicious Attack? Active Threats:
12. Pharming:
- Pharming is another type of attack that seeks to obtain personal or private financial
information through domain spoofing.

- Pharming “poisons” a domain name on the domain name server (DNS), a process
known as DNS poisoning.
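Typo squatting, phishing and pharming all end with the user on a host that is not the one they meant to reach, so a useful defensive control is a check that flags lookalike hosts before a link is followed or a mail is delivered. The following is an added example, not part of the original slides: it scores a URL against a list of protected domains using edit distance, a small homoglyph map, and a check for a brand name buried in the subdomain of an unrelated domain, and also notes two URL tricks (userinfo before an `@`, and plain `http`). The protected-domain list, the homoglyph map and the sample URLs are constructed; the "last two labels" rule for the registrable domain is a simplification, and a real deployment would use a public-suffix list.

```python
from urllib.parse import urlparse

# Constructed list of domains the organization wants to protect (assumption).
PROTECTED_DOMAINS = ["examplebank.com", "example.com"]

# A few visually confusable substitutions (illustrative, not exhaustive).
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "vv": "w", "rn": "m"}

# Constructed sample URLs, not real lures.
SAMPLE_URLS = [
    "https://www.examplebank.com/login",
    "https://examp1ebank.com/login",
    "http://examplebank.com.secure-login.example.net/verify",
    "https://examplebnak.com/",
]


def levenshtein(a, b):
    """Edit distance; a small distance from a protected domain suggests typo squatting."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize_homoglyphs(label):
    """Map look-alike characters back to the letters they imitate."""
    for fake, real in HOMOGLYPHS.items():
        label = label.replace(fake, real)
    return label


def registrable_domain(host):
    """Last two labels of the host. Fine for .com-style names only; use a public-suffix list in practice."""
    parts = host.rstrip(".").split(".")
    return ".".join(parts[-2:])


def classify_url(url):
    """Return the reasons a URL looks like a lookalike or phishing lure (empty list = nothing found)."""
    reasons = []
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if "@" in parsed.netloc:
        reasons.append("userinfo@ in URL hides the real host")
    if parsed.scheme == "http":
        reasons.append("plain http (no TLS)")
    domain = registrable_domain(host)
    if domain in PROTECTED_DOMAINS:
        return reasons  # the genuine site or one of its own subdomains
    subdomain_part = host[: len(host) - len(domain)].rstrip(".")
    for p in PROTECTED_DOMAINS:
        brand = p.split(".")[0]
        if brand in subdomain_part:
            reasons.append(f"brand '{brand}' used as a subdomain of unrelated {domain}")
            break
    for p in PROTECTED_DOMAINS:
        if normalize_homoglyphs(domain) == p:
            reasons.append(f"homoglyph lookalike of {p}")
        elif 0 < levenshtein(domain, p) <= 2:
            reasons.append(f"within 2 edits of {p}")
    return reasons


def demo():
    return {url: classify_url(url) for url in SAMPLE_URLS}
```

The edit-distance threshold of 2 is deliberately low: anything larger starts to flag unrelated short domains, so in practice the distance check is combined with a list of registered brand names rather than applied to every domain seen.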
Malicious Attack Threats and Vulnerabilities
Types of Malicious Attack? Active Threats:
1. Birthday attacks
2. Brute-force password attacks
3. Dictionary password attacks
4. IP address spoofing
5. Hijacking
6. Replay attacks
7. Man-in-the-middle attacks
8. Masquerading
9. Social engineering
10. Phishing
11. Phreaking
12. Pharming
Types of Malicious Attack? Passive Threats:
- In a passive attack, the attacker does not make changes to the system.

- This type of attack simply eavesdrops on and monitors transmissions.

- A passive attack involves gathering information about a target without his or her knowledge.

Typical sources for this kind of information gathering include:

- Google or Yahoo search

- Surfing online community groups

- The organization’s website

- Blogs, newsgroups, etc.

- Going through the job postings for particular job profiles.


Malicious Software
- Some software infiltrates one or more target computers and follows an attacker’s
instructions.

- These instructions can include causing damage, escalating security privileges,
divulging private data, or even modifying or deleting data.

- This type of software is malicious software, or malware for short.

- The purpose of malware is to damage or disrupt a system.

- The effects of malware can range from slowing down a PC to causing it to crash,
enabling the theft of credit card numbers, and worse.

- Simply surfing the Internet, reading email, or downloading music or other files can
infect a personal computer with malware—usually without the user’s knowledge.
Malicious Software
- Malware exists in two main categories: infecting programs and hiding programs.

- Infecting programs actively attempt to copy themselves to other computers.

- Their main purpose is to carry out an attacker’s instructions on new targets.

- Malware of this type includes the following:

 Viruses
 Worms
Malicious Software

- As their name implies, hiding programs hide in the computer, carrying out the
attacker’s instructions while avoiding detection.

- Malware that tends to hide includes the following:

 Trojan horses
 Rootkits
 Spyware
Malicious Software
Viruses:
- A computer virus is a software program that attaches itself to or copies itself into
another program on a computer.

- The purpose of the virus is to trick the computer into following instructions not
intended by the original program developer.

- Users copy infected files from another computer on a network, from a flash drive, or
from an online service.

- Alternatively, users can transport viruses from home and work on their portable
computers, which have access to the Internet and other network services.

- The first virus recorded was the Creeper virus, written by researcher Bob Thomas in
1971.
Malicious Software
Worms:
- A worm is a self-contained program that replicates and sends copies of itself to other
computers, generally across a network, without any user input or action.

- The worm’s purpose may be simply to reduce network availability by using up
bandwidth, or it may take other nefarious actions.

- The main difference between a virus and a worm is that a worm does not need a host
program to infect.

- The worm is a standalone program.

- The first worm reported to spread “in the wild” was the Morris worm. Robert Tappan
Morris wrote the Morris worm in 1988.
Malicious Software
Trojan Horses:
- Trojan horse programs use their outward appearance to trick users into running them.

- They look like programs that perform useful tasks, but actually, they hide malicious
code.

- Once the program is running, the attack instructions execute with the user’s
permissions and authority.

- The first known computer Trojan was Animal, released in 1974.

- Animal disguised itself as a simple quiz game in which the user would think of an
animal and the program would ask questions to attempt to guess the animal.
Malicious Software
Rootkits:
- A rootkit modifies or replaces one or more existing programs to hide traces of attacks.

- Although rootkits commonly modify parts of the operating system, they can exist at
any level—from a computer’s boot instructions up to the applications that run in the
operating system.

- Once installed, rootkits provide attackers with easy access to compromised computers
to launch additional attacks.

- Rootkits exist for a variety of operating systems, including Linux, UNIX, and
Microsoft Windows.
Malicious Software
Spyware:
- Spyware is a type of malware that specifically threatens the confidentiality of
information.

- It gathers information about a user through an Internet connection, without his or her
knowledge.

- Spyware is sometimes bundled as a hidden component of freeware or shareware
programs that users download from the Internet, similar to a Trojan horse.

- Spyware has been around since the late 1990s, increasing in popularity after 2000.

- The rapid growth of the Internet enabled attackers to collect useful information from
more and more unsuspecting users.
Malicious Software
Spyware:
- Because spyware exists as an independent executable program, it can perform a number of
operations, including the following:

 Monitoring keystrokes

 Scanning files on the hard drive

 Snooping other applications, such as chat programs or word processors

 Installing other spyware programs

 Reading cookies

 Changing the default homepage on the web browser


Malicious Software
Adware:
- Adware is similar to spyware but does not transmit personally identifiable information
(PII).

- PII is any information that can help identify a specific person.

- Examples of PII include driver’s license numbers, Social Security numbers, credit card
numbers, and so on.

- Many adware programs use pop-ups to interact with users.

- A number of software suppliers make anti-spyware and anti-adware software; many
antivirus and general anti-malware software programs also detect and remove spyware
and adware.
Common Attack Vectors
- An attack vector is a path or means by which an attacker can gain access to a computer
or to a network server to deliver a payload or malicious outcome.

Attack vectors are:

1. Attack by email:
- The hostile content is either embedded in the message or linked to by the message.
- Spam is almost always the carrier for fraud or malicious action.

2. Attachments:
- Malicious attachments install malicious computer code.

3. Hackers:
- Hackers / crackers use a variety of hacking tools, heuristics and social engineering to gain access
to computers and online accounts.
Common Attack Vectors
4. Attack by Webpage (Heedless guests):

- Websites are used to extract personal information.

- Such websites look like the genuine websites they imitate.

5. Attack of the worms:

- Many worms are delivered as email attachments; network worms use holes in network
protocols directly. (A firewall will block such worms.)

- System worms install Trojan horses and begin scanning the Internet for other computers
to infect.

6. Malicious Macros:

- Macros can be used for malicious purposes (e.g., in MS Word and MS Excel).
Common Attack Vectors
7. Foistware:

- Foistware is software that adds hidden components to the system.

- It is legal software that is bundled with some attractive software.

8. Viruses:

- Viruses are malicious computer code that hitches a ride on other software and delivers the payload.

- Virus vectors include email attachments, downloaded files, worms, etc.


Social Engineering Attack
Social engineering is the art of one human attempting to trick another human into doing
something or divulging information.
 Authority—Using a position of authority to force or encourage an individual to divulge
information.
 Consensus/social proof—Using a position that “everyone else has been doing it” as proof
that it is okay or acceptable to do.
 Dumpster Diving —Finding unshredded pieces of paper that may contain sensitive data or
private data for identity theft.
 Familiarity / Liking —Interacting with the victim in a frequent way that creates a comfort
and familiarity and liking for an individual that might encourage the victim to want to help
the familiar person.
Social Engineering Attack - continued
 Hoaxes—Creating a con or a false perception in order to get an individual to do something
or divulge information.
 Impersonation —Pretending to be someone else (e.g., an IT help desk support person, a
delivery person, a bank representative).
 Intimidation—Using force to extort or pressure an individual into doing something or
divulging information.
 Scarcity —Pressuring another individual into doing something for fear of not having
something or losing access to something.
 Shoulder Surfing —Looking over the shoulder of a person typing into a computer screen.
Social Engineering Attack - continued
 Tailgating - Following an individual closely enough to sneak past a secure door or access area.

 Trust —Building a human trust bond over time and then using that trust to get the individual to
do something or divulge information.

 Urgency —Using urgency or an emergency stress situation to get someone to do something or
divulge information (e.g., claiming that there’s a fire in the hallway might get the front desk
security guard to leave her desk).

 Vishing —Performing a phishing attack by telephone in order to elicit personal information;
using verbal coercion and persuasion (“sweet talking”) on the individual under attack.

 Whaling —Targeting the executive user or most valuable employees, otherwise considered the
“whale” or “big fish” (often called spear phishing).
Wireless Network Attack
- Wireless network attacks involve performing intrusive monitoring, packet capturing,
and penetration tests on a wireless network.

- With the rapid deployment of wireless network connectivity in both public and private
places, the mobile user is under constant threat.

- Implementation of proper wireless networking security controls is the key to mitigating
the risks, threats, and vulnerabilities that arise from wireless networks.

- Many different tactics are used by hackers and perpetrators as they attempt to
penetrate and attack wireless networks.
Wireless Network Attack – continued..
1. Bluejacking - Hacking and gaining control of the Bluetooth wireless communication link
between a user’s earphone and smartphone device.

2. Bluesnarfing —Packet sniffing communications traffic between Bluetooth devices.

3. Evil twin —Faking an open or public wireless network to use a packet sniffer on any user
who connects to it.

4. IV attack—Modifying the initialization vector of an encrypted IP packet in transmission in
hopes of decrypting a common encryption key over time.
Wireless Network Attack – continued..
5. Jamming / Interference - Sending radio frequencies in the same frequency as wireless
network access points to jam and interfere with wireless communications, disrupting
availability for legitimate users.

6. Near Field Communication Attack—Intercepting, at close range (a few inches),
communications between two mobile operating system devices.

7. Packet sniffing—Capturing IP packets off a wireless network and analyzing the TCP/IP
packet data using a tool such as Wireshark.

8. Replay Attacks —Replaying an IP packet stream to fool a server into thinking you are
authenticating to it.

9. Rogue Access Points —Using an unauthorized network device to offer wireless availability
to unsuspecting users.
Wireless Network Attack – continued..
10. War Chalking —Creating a map of the physical or geographic location of any wireless
access points and networks.

11. War Driving—Physically driving around neighborhoods or business complexes looking for
wireless access points and networks that broadcast an open or public network connection.

• In addition to these specific attacks, hackers may also attempt to exploit weaknesses in the
wireless encryption method used by the target:
• WEP (Wired Equivalent Privacy),
• WPA (Wi-Fi Protected Access), or
• WPS (Wi-Fi Protected Setup).
Web Application Attack
- Web application attacks involve performing intrusive penetration tests on public-
facing web servers, applications, and back-end databases.

1. Arbitrary / Remote code execution — Having gained privileged access or sys admin rights,
the attacker can run commands or execute a command at will on the remote system.

2. Buffer Overflow —Attempting to push more data than the buffer can handle.

3. Client-Side Attack —Using malware on a user’s workstation or laptop, within an internal
network, acting in concert with a malicious server or application on the Internet (outside the
protected network).

4. Cookies and attachments—Using cookies or other attachments to compromise security.


Web Application Attack – continued..
5. Cross-site scripting (XSS) —Injecting scripts into a web application server to redirect attacks
back to the client. This is not an attack on the web application but rather on users of the
server, to launch attacks on other computers that access it.

6. Directory Traversal / Command injection —Exploiting a web application server, gaining root
file directory access from outside the protected network, and executing commands, including
data dumps.

7. Header Manipulation —Stealing cookies and browser URL information and manipulating the
header with invalid or false commands to create an insecure communication or action.

8. Integer overflow — Creating a mathematical overflow which exceeds the maximum size
allowed. This can cause a financial or mathematical application to freeze or create a
vulnerability and opening.
Web Application Attack – continued..
9. Lightweight Directory Access Protocol (LDAP) injection —Creating fake ID and
authentication LDAP commands and packets to falsely ID and authenticate to a web
application.

10. Local Shared Objects —Using Flash cookies (named after the Adobe Flash player), which
cannot be deleted through the browser’s normal configuration settings. Flash cookies can also
be used to reinstate regular cookies that a user has deleted or blocked.

11. Malicious Add-ons —Using software plug-ins or add-ons that run additional malicious
software on legitimate programs or applications.

12. SQL injection —Injecting Structured Query Language (SQL) commands to obtain
information and data in the back-end SQL database.
Web Application Attack – continued..
13. Watering-hole attack—Luring a targeted user to a commonly visited website on which
malicious code or malware has been planted, in hopes that the user will trigger the attack with
an unknowing click.

14. XML injection —Injecting XML tags and data into a database in an attempt to retrieve
data.

15. Zero-day —Exploiting a new vulnerability or software bug for which no specific
defenses yet exist.
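Two items in this list, SQL injection (12) and cross-site scripting (5), come from the same mistake: untrusted input is concatenated into a language that the database or the browser will then interpret. The following is an added example, not part of the original slides, that puts a vulnerable user lookup beside its parameterised replacement on an in-memory SQLite table, and does the same for an HTML page that reflects a name; the table, the user rows and the two probe strings are constructed for the example.

```python
import html
import sqlite3


def make_db():
    """Constructed in-memory table standing in for the back-end database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, secret TEXT)")
    conn.executemany("INSERT INTO users (name, secret) VALUES (?, ?)",
                     [("alice", "alice-secret"), ("bob", "bob-secret")])
    return conn


def lookup_vulnerable(conn, name):
    """Input is spliced into the SQL text, so it can change the statement's meaning."""
    query = f"SELECT name FROM users WHERE name = '{name}'"
    return [row[0] for row in conn.execute(query)]


def lookup_safe(conn, name):
    """Parameter binding: the value travels separately from the statement and is never parsed as SQL."""
    return [row[0] for row in conn.execute("SELECT name FROM users WHERE name = ?", (name,))]


def render_vulnerable(name):
    """Reflects the value straight into HTML; a browser would execute any <script> it contains."""
    return f"<p>Hello, {name}!</p>"


def render_safe(name):
    """Escapes <, >, &, and quotes so the value is displayed as text, not interpreted as markup."""
    return f"<p>Hello, {html.escape(name)}!</p>"


def demo():
    """Run the same probe strings through both versions of each function."""
    conn = make_db()
    sql_probe = "' OR '1'='1"              # textbook tautology: makes the WHERE clause always true
    xss_probe = "<script>alert(1)</script>"
    return {
        "sql_vulnerable": lookup_vulnerable(conn, sql_probe),   # every row comes back
        "sql_safe": lookup_safe(conn, sql_probe),               # no user has that literal name
        "xss_vulnerable": render_vulnerable(xss_probe),
        "xss_safe": render_safe(xss_probe),
    }
```

Output encoding has to match the context the value lands in: `html.escape` is right for element text, but a value placed inside a JavaScript string or a URL needs that context's own encoder.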
Attack Tools
- Protecting an organization’s assets and IT infrastructure requires that you have some idea
of how attackers think.

- It is always better to find weaknesses in your own environment before an attacker does,
but it is even more important to quickly remediate that weakness.

- Computer criminals and cyberattackers use a number of hardware and software tools to
discover exploitable weaknesses and other tools to perform the actual attack.

These tools and techniques can include the following:

1. Protocol analyzers
2. Port scanners
3. OS fingerprint scanners
4. Vulnerability scanners
5. Exploit software
6. Wardialers
7. Password crackers
8. Keystroke loggers


Attack Tools – continued..
1. Protocol analyzers:

- A protocol analyzer or packet sniffer (or just sniffer) is a software program that
enables a computer to monitor and capture network traffic, whether on a LAN or a
wireless network.

- Attackers can capture and compromise passwords and cleartext data.

- Protocol analyzers come in both hardware versions and software versions, or a
combination of both.

- Sniffers operate in promiscuous mode, which means that every data packet can be seen
and captured by the sniffer.

- Sniffers decode the frame and IP data packet, allowing you to see data in cleartext if it
has not been encrypted.
Attack Tools – continued..
2. Port Scanners:

- A port scanner is a tool used to scan IP host devices for open ports that have been
enabled.

- Think of a port number as a channel commonly associated with a service.

- For example, Port 80 is for HTTP web traffic, Port 21 is File Transfer Protocol (FTP),
and Port 23 is Telnet, and so on.

- Port scanners are used to identify open ports or applications and services that are
enabled on the IP host device.

- This provides attackers with valuable information that can be used in the attack.
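From the defender's side, a port scan has a recognisable shape in firewall logs: one source touching many distinct ports on one host in a short time, most of them dropped. The following is an added example, not part of the original slides, that runs a sliding-window detector over constructed firewall log lines; the log format, the addresses (from the documentation ranges) and the thresholds are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime


def parse_line(line):
    """Parse one constructed firewall log line: '<iso-time> <ACTION> src=<ip> dst=<ip> dport=<n>'."""
    ts, action, src, dst, dport = line.split()
    return {
        "ts": datetime.fromisoformat(ts),
        "action": action,
        "src": src.split("=", 1)[1],
        "dst": dst.split("=", 1)[1],
        "dport": int(dport.split("=", 1)[1]),
    }


def detect_scans(lines, window_seconds=10, port_threshold=15):
    """Flag (src, dst) pairs where one source touches more than port_threshold distinct
    destination ports within any window_seconds span. Returns {pair: max distinct ports seen}."""
    events = sorted((parse_line(line) for line in lines), key=lambda e: e["ts"])
    by_pair = defaultdict(list)
    for e in events:
        by_pair[(e["src"], e["dst"])].append(e)
    alerts = {}
    for pair, evs in by_pair.items():
        start = 0
        for end in range(len(evs)):
            # slide the window start forward until it spans at most window_seconds
            while (evs[end]["ts"] - evs[start]["ts"]).total_seconds() > window_seconds:
                start += 1
            ports = {e["dport"] for e in evs[start:end + 1]}
            if len(ports) > port_threshold:
                alerts[pair] = max(alerts.get(pair, 0), len(ports))
    return alerts


def sample_log():
    """Constructed log: one host sweeping 40 ports in 8 seconds, one client using only 80/443."""
    lines = []
    for i in range(40):
        lines.append(f"2024-05-01T10:00:{i // 5:02d} DROP src=203.0.113.7 dst=192.0.2.10 dport={i + 1}")
    for i in range(20):
        port = 443 if i % 2 else 80
        lines.append(f"2024-05-01T10:01:{i:02d} ACCEPT src=198.51.100.5 dst=192.0.2.10 dport={port}")
    return lines


def demo():
    return detect_scans(sample_log())
```

A slow scan spreads its probes over hours to stay under a window like this; the usual answer is a second, much longer window with a lower threshold, at the cost of more state per source.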
Attack Tools – continued..
3. OS Fingerprint Scanners:

- It is a software program that allows an attacker to send a variety of packets to an IP
host device, hoping to determine the target device’s operating system (OS) from the
responses.

- The packets sent from the OS fingerprint scanner will reveal differences between the
various operating systems used in workstations, servers, and network devices.

- When an IP host device responds, the OS fingerprint scanner can guess what
operating system is installed on the device.

- Once an attacker knows what OS and version is installed, he has a better chance of
using applicable software vulnerabilities and exploits.

- A software vulnerability is a bug or weakness in the program. An exploit is something
that an attacker can do once a vulnerability is found.
Attack Tools – continued..
4. Vulnerability Scanners:

- It is a software program that is used to identify and, when possible, verify
vulnerabilities on an IP host device.

- From this information, a vulnerability scanner compares known software
vulnerabilities in its database with what it has just found.

- The vulnerability scanner lists all known software vulnerabilities and prioritizes them
as critical, major, or minor.

- The Common Vulnerabilities & Exposures (CVE) list is maintained and managed by
the Mitre Corporation on behalf of the U.S. Department of Homeland Security.

- This list is now referred to as the National Vulnerability Database (NVD).


Attack Tools – continued..
5. Exploit Software:

- It is an application that incorporates known software vulnerabilities, data, and scripted
commands to “exploit” a weakness in a computer system or IP host device.

- It is a program that can be used to carry out some form of malicious intent.

- This includes things like a denial of service attack, unauthorized access, a brute-force
password attack, or buffer overflow.

- Remember, software vulnerabilities create a weakness in the system such as a software
bug, glitch, or backdoor vulnerability.
Attack Tools – continued..
6. Wardialers:

- It is a computer program that dials telephone numbers, looking for a computer on the
other end.

- The program works by automatically dialing a defined range of phone numbers.

- It then logs and enters into a database those numbers that successfully connect to the
modem.

- Wardialers are becoming more archaic and less often used due to the rise of digital
telephony, IP telephony, or Voice over IP (VoIP).

- In addition, an attacker would use a wardialer to identify analog modem signals and
gain access to the remote system within an IT infrastructure.
Attack Tools – continued..
7. Password Crackers:

- The purpose of password cracking is to uncover a forgotten or unknown password.

- It is a software program that performs one of two functions:

 A brute-force password attack to gain unauthorized access to a system or

 Recovery of passwords stored as a cryptographic hash on a computer system.

- A cryptographic hash is an algorithm that converts a large amount of data to a single (long)
number.

- Once mathematically hashed, the hash value can be used to verify the integrity of those data.

- In a brute-force password cracking attempt, an attacker tries every possible character combination
until the “cracked” password succeeds in granting access.

- Dictionary attacks are a subset of brute-force attacks.
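What makes a stored password hash cheap or expensive to crack is the storage scheme, not the cracker. The following is an added example, not part of the original slides, that contrasts the weak scheme still found in old systems (fast, unsalted MD5) with salted PBKDF2-HMAC-SHA256 and a constant-time verify. A tiny precomputed table built from three common passwords stands in for the dictionary a cracker would use; the iteration count, the storage string format and the sample passwords are assumptions made for the example.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumption; tune so one hash costs tens of milliseconds on your hardware


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return 'pbkdf2_sha256$<iterations>$<salt hex>$<derived key hex>'; fresh random salt per call."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def unsalted_md5(password):
    """The weak scheme: fast and unsalted, so one table serves every user."""
    return hashlib.md5(password.encode()).hexdigest()


# A tiny precomputed table of the kind a dictionary attack relies on; constructed for the example.
COMMON_PASSWORDS = ["123456", "password", "qwerty"]
PRECOMPUTED_MD5 = {unsalted_md5(p): p for p in COMMON_PASSWORDS}


def demo():
    """Two users pick the same common password; compare what each storage scheme gives away."""
    md5_a, md5_b = unsalted_md5("qwerty"), unsalted_md5("qwerty")
    salted_a, salted_b = hash_password("qwerty"), hash_password("qwerty")
    return {
        "md5_identical": md5_a == md5_b,               # one lookup cracks every such user
        "md5_recovered": PRECOMPUTED_MD5.get(md5_a),   # found by table lookup
        "salted_identical": salted_a == salted_b,      # different salts, different hashes
        "salted_verify": verify_password("qwerty", salted_a) and verify_password("qwerty", salted_b),
        "wrong_rejected": not verify_password("qwertz", salted_a),
    }
```

The salt does not stop a dictionary attack against one account; it stops the attacker from amortising that work across every account, and the iteration count makes each guess cost as much as a login does.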


Attack Tools – continued..
8. Keystroke Loggers:

- It is a type of surveillance software or hardware that can record to a log file every
keystroke a user makes with a keyboard.

- The keystroke logger might store the log file locally for later retrieval or send it to a
specified receiver.

- As a piece of hardware, a keystroke logger is typically a battery-sized plug that serves
as a connector between the user’s keyboard and computer.

- As the user types on the keyboard, the keystroke logger collects each keystroke and
saves it as text in its own miniature hard drive.

- Later, the person who installed the keystroke logger must return and physically
remove the device in order to access the information the device has gathered.
Attack Tools – continued..
8. Keystroke Loggers:

- A keystroke logger software program is usually disguised as a Trojan malicious
software program.

- This malicious software can be delivered by a URL link, PDF file, or ZIP file.

- As long as an attacker has network access to a computer, he or she can transfer any
file, including executable files, to the target computer.

- Many attackers then use social engineering to trick users into launching the
downloaded programs.

- The keystroke logger program records each keystroke the user types and periodically
uploads the information over the Internet to whomever installed the program.
Countermeasures
- The best strategy is to identify vulnerabilities and reduce them to avoid attacks.

- Avoiding attacks should be the highest priority. Even so, some attacks will succeed.
Your response to attacks should be aggressive, both proactive and reactive.

- Responding to attacks involves planning, policy, and detective work.

- In addition, many organizations have special teams to handle security incidents when
they occur.

- These security incident response teams (SIRTs) know how to recognize incidents and
respond to them in a way that minimizes damage and preserves evidence for later
action.
Countermeasures - continued..
Countering Malware:

- Anti-malware measures are the first line of defense against these attacks.

- It’s always better to prevent malware than to have to fix damage caused by malware.

Following are six general steps for preventing malware:

 Create an education program to keep your users from installing malware on your system.

 Post regular bulletins about malware problems.

 Never transfer files from an unknown or untrusted source unless the computer has an anti-malware
utility installed.

 Test new programs or open suspect files on an isolated computer.

 Install anti-malware software, make sure the software and data are current, and schedule regular
malware scans to prevent malicious users from introducing malware and to detect any existing malware.

 Use a secure login and authentication process.


Countermeasures - continued..
Countering Malware:

- Anti-malware products are:

 BitDefender

 Kaspersky Anti-Virus

 Webroot Antivirus

 Norton AntiVirus

 Avira Antivirus
Countermeasures - continued..
Protecting systems with firewalls:

- A firewall is a program or dedicated hardware device that inspects network traffic
passing through it and denies or permits that traffic based on a set of rules you
determine at configuration.

Prominent firewall vendors include the following:

 Palo Alto Networks

 Cisco Systems

 SonicWALL

 WatchGuard Technologies

 Check Point
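The definition above (inspect, then permit or deny by a rule set you configure) is small enough to show in full. The following is an added example, not part of the original slides or of any vendor's product: a first-match packet filter with an explicit clean-up rule and an implicit default deny behind it. The rule set, the addresses (documentation ranges) and the packets are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Rule:
    action: str            # "permit" or "deny"
    proto: str             # "tcp", "udp" or "any"
    src: str               # CIDR
    dst: str               # CIDR
    dport: Optional[int]   # None = any port


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    dport: int


# Constructed rule set: a web server at 192.0.2.10 reachable on 443 from anywhere, SSH only from inside.
RULES = [
    Rule("permit", "tcp", "0.0.0.0/0", "192.0.2.10/32", 443),
    Rule("permit", "tcp", "10.0.0.0/8", "192.0.2.10/32", 22),
    Rule("deny", "any", "0.0.0.0/0", "0.0.0.0/0", None),  # explicit clean-up rule
]


def matches(rule, pkt):
    """A rule matches when every one of its fields accepts the packet."""
    return (
        (rule.proto == "any" or rule.proto == pkt.proto)
        and ipaddress.ip_address(pkt.src) in ipaddress.ip_network(rule.src)
        and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(rule.dst)
        and (rule.dport is None or rule.dport == pkt.dport)
    )


def decide(pkt, rules=RULES):
    """First matching rule wins. If no rule matches at all, deny: the implicit default deny
    protects you when the explicit clean-up rule has been forgotten."""
    for index, rule in enumerate(rules):
        if matches(rule, pkt):
            return rule.action, index
    return "deny", None


def demo():
    return {
        "public https": decide(Packet("tcp", "203.0.113.7", "192.0.2.10", 443)),
        "public ssh": decide(Packet("tcp", "203.0.113.7", "192.0.2.10", 22)),
        "internal ssh": decide(Packet("tcp", "10.1.2.3", "192.0.2.10", 22)),
        "udp to 443": decide(Packet("udp", "203.0.113.7", "192.0.2.10", 443)),
        "no cleanup rule": decide(Packet("tcp", "203.0.113.7", "192.0.2.10", 22), rules=RULES[:2]),
    }
```

Rule order matters with first-match semantics: a broad permit placed above a narrow deny silently wins, which is why rule sets are reviewed top to bottom and logged hits per rule are worth watching.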
OWASP
OWASP (Open Web Application Security Project)
About OWASP:
- A non-profit worldwide charitable organization
- Focuses on improving the security of software applications
- Educates designers, developers and business owners on various risks commonly
associated with Web applications
OWASP Top-10 and its versions
• OWASP Top-10 is an awareness document, listing the Top-10 vulnerabilities found in web
applications

• First developed in 2003 with subsequent releases in 2004, 2007, 2010, 2013 and 2017.

• OWASP's main aim is to make application security guidelines easily available to all, so that
developers and organizations can make correct decisions about application security risks.
OWASP
A01: 2021 – Broken Access Control:

- Access control enforces policy such that users cannot act outside of their intended
permissions.

- Failures typically lead to unauthorized information disclosure, modification, or
destruction of all data.

Common access control vulnerabilities include:

• Violation of the principle of least privilege or deny by default, where access should only be
granted for particular capabilities, roles, or users, but is available to anyone.

• Bypassing access control checks by modifying the URL, internal application state, or the HTML
page, or by using an attack tool modifying API requests.

• Permitting viewing or editing someone else's account, by providing its unique identifier.
OWASP
A01: 2021 – Broken Access Control:

How to prevent:
- Log access control failures, alert admins when appropriate (e.g., repeated failures).

- Rate limit API and controller access to minimize the harm from automated attack
tooling.
(API rate limit is a restriction on the number of times a client can call an API
within a given time period)

- Domain models must implement the application's unique business limit
specifications and enforce record ownership.
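The three prevention points above in one place, as an added example that is not from the slides or from OWASP: a lookup that enforces record ownership (or an explicit role) and denies everything else, returns the same error for "missing" and "not yours" so identifiers cannot be enumerated, logs every failure, and rate-limits each caller. The accounts, roles and limits are constructed for the example.

```python
import logging
import time
from collections import defaultdict, deque

# Constructed in-memory records and roles standing in for the database layer.
ACCOUNTS = {
    101: {"owner": "alice", "balance": 250},
    102: {"owner": "bob", "balance": 980},
}
ROLES = {"alice": {"customer"}, "bob": {"customer"}, "carol": {"support"}}

log = logging.getLogger("access")

class AccessDenied(Exception):
    pass

class RateLimiter:
    """Sliding window: at most `limit` calls per `window` seconds per key."""
    def __init__(self, limit: int, window: float):
        self.limit, self.window = limit, window
        self.calls = defaultdict(deque)

    def allow(self, key: str, now: float = None) -> bool:
        now = time.monotonic() if now is None else now
        q = self.calls[key]
        while q and now - q[0] >= self.window:
            q.popleft()                      # forget calls outside the window
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True

LIMITER = RateLimiter(limit=5, window=60.0)   # constructed limit: 5 reads/minute

def get_account(user: str, account_id: int, now: float = None) -> dict:
    """Return a record only if the caller owns it or holds the 'support' role.
    Anything else is denied (deny by default) and logged for alerting."""
    if not LIMITER.allow(user, now):
        log.warning("rate limit exceeded user=%s", user)
        raise AccessDenied("too many requests")
    record = ACCOUNTS.get(account_id)
    authorised = record is not None and (
        record["owner"] == user or "support" in ROLES.get(user, set())
    )
    if not authorised:
        # One message for "no such record" and "not your record": no enumeration.
        log.warning("access denied user=%s account=%s", user, account_id)
        raise AccessDenied("not found")
    return record

def can_read(user: str, account_id: int, now: float = None) -> bool:
    """Convenience wrapper used by the demo and the checks below."""
    try:
        get_account(user, account_id, now)
        return True
    except AccessDenied:
        return False

if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING, format="%(levelname)s %(message)s")
    print("alice reads own account:", can_read("alice", 101))
    print("alice reads bob's account:", can_read("alice", 102))
    print("support reads bob's account:", can_read("carol", 102))
```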
OWASP
A02: 2021 – Cryptographic failures:

- Previously known as Sensitive Data Exposure; failures related to cryptography often
lead to sensitive data exposure or system compromise.

- The first thing is to determine the protection needs of data in transit and at rest.

- For example, passwords, credit card numbers, health records, personal information,
and business secrets require extra protection.

How to Prevent:

- Classify data processed, stored, or transmitted by an application. Identify which data is
sensitive according to privacy laws, regulatory requirements, or business needs.

- Don't store sensitive data unnecessarily. Discard it as soon as possible or use PCI DSS
compliant tokenization or even truncation.
OWASP
A02: 2021 – Cryptographic failures:

How to Prevent:

- Make sure to encrypt all sensitive data at rest.

- Ensure up-to-date and strong standard algorithms, protocols, and keys are in place; use
proper key management.

- Encrypt all data in transit with secure protocols such as TLS with forward secrecy (FS)
ciphers, cipher prioritization by the server, and secure parameters.

- Disable caching for responses that contain sensitive data.

- Apply required security controls as per the data classification.

- Always use authenticated encryption instead of just encryption.
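The "discard it, tokenize it, or truncate it" advice for card data, as an added example that is not from the slides or from OWASP: a card number is checked, then either masked down to its last four digits for display or exchanged for a random token whose mapping lives only in a vault, so the application's own records never hold the number. The vault, the order record and the sample card number (the common 4111... test value) are constructed for the example.

```python
import secrets

# Constructed stand-in for a token vault. In practice this is a separate,
# tightly controlled service; the application itself only ever sees tokens.
_VAULT = {}

def _digits(pan: str) -> str:
    return "".join(ch for ch in pan if ch.isdigit())

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: catches typos before a bad value is stored anywhere."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def is_valid_pan(pan: str) -> bool:
    digits = _digits(pan)
    return 13 <= len(digits) <= 19 and luhn_ok(digits)

def truncate_pan(pan: str) -> str:
    """Keep only the last four digits: enough to show a customer which card
    was used, useless to anyone who steals the record."""
    if not is_valid_pan(pan):
        raise ValueError("not a valid card number")
    digits = _digits(pan)
    return "*" * (len(digits) - 4) + digits[-4:]

def tokenize(pan: str) -> str:
    """Swap the number for a random token; it cannot be reversed without the vault."""
    if not is_valid_pan(pan):
        raise ValueError("not a valid card number")
    token = "tok_" + secrets.token_urlsafe(16)
    _VAULT[token] = _digits(pan)
    return token

def detokenize(token: str) -> str:
    """Only the payment path, with vault access, ever recovers the number."""
    return _VAULT[token]

def store_order(order_id: int, pan: str, amount: int) -> dict:
    """What the application's own database keeps: a masked number and a token,
    never the card number itself."""
    return {"order_id": order_id, "card": truncate_pan(pan),
            "card_token": tokenize(pan), "amount": amount}

if __name__ == "__main__":
    order = store_order(1, "4111 1111 1111 1111", 4200)   # constructed test card
    print(order)
    print("payment path recovers:", detokenize(order["card_token"]))
```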


OWASP
A03:2021-Injection

- Cross-site Scripting is now part of this category in this edition.

An application is vulnerable to attack when:

- User-supplied data is not validated, filtered, or sanitized by the application.

- Dynamic queries or non-parameterized calls without context-aware escaping are used
directly in the interpreter.

- Hostile data is used within object-relational mapping (ORM) search parameters to
extract additional, sensitive records.

- Hostile data is directly used or concatenated. The SQL or command contains the
structure and malicious data in dynamic queries, commands, or stored procedures.
OWASP
A03:2021-Injection

- Some of the more common injections are SQL, NoSQL, OS command, Object
Relational Mapping (ORM), LDAP, and Expression Language (EL) or Object Graph
Navigation Library (OGNL) injection.

- Source code review is the best method of detecting if applications are vulnerable to
injections.

- Automated testing of all parameters, headers, URL, cookies, JSON, SOAP, and XML
data inputs is strongly encouraged.

How to prevent:

- The preferred option is to use a safe API, which avoids using the interpreter entirely,
provides a parameterized interface, or migrates to Object Relational Mapping Tools
(ORMs).
OWASP
A03:2021-Injection

How to prevent:

- Use positive server-side input validation.

- For any residual dynamic queries, escape special characters using the specific escape
syntax for that interpreter.

- Use LIMIT and other SQL controls within queries to prevent mass disclosure of
records in case of SQL injection.

Example Attack Scenario:

Scenario #1: An application uses untrusted data in the construction of the following vulnerable
SQL call:

String query = "SELECT * FROM accounts WHERE custID='" + request.getParameter("id") + "'";
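The safe API the slides recommend, shown beside the concatenated form of Scenario #1, as an added example that is not from the slides or from OWASP. It uses Python's sqlite3 module with a constructed in-memory accounts table; the parameterized query sends the value separately from the statement, so the input can only ever be matched as a customer ID, and LIMIT caps what any one lookup can return.

```python
import sqlite3

def make_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the application's accounts table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (custID TEXT, name TEXT, balance INTEGER)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?)", [
        ("c100", "Alice", 250), ("c200", "Bob", 980), ("c300", "Carol", 40),
    ])
    return conn

def lookup_vulnerable(conn: sqlite3.Connection, cust_id: str) -> list:
    """The slide's pattern: structure and data are glued into one string, so
    the data can change the structure."""
    query = "SELECT * FROM accounts WHERE custID='" + cust_id + "'"
    return conn.execute(query).fetchall()

def lookup_safe(conn: sqlite3.Connection, cust_id: str) -> list:
    """Parameterized interface: the driver binds the value as a literal and the
    statement text never changes; LIMIT bounds disclosure as defence in depth."""
    return conn.execute(
        "SELECT * FROM accounts WHERE custID = ? LIMIT 1", (cust_id,)
    ).fetchall()

def compare(cust_id: str) -> tuple:
    """Rows returned by the two lookups for the same input: (vulnerable, safe)."""
    conn = make_db()
    return len(lookup_vulnerable(conn, cust_id)), len(lookup_safe(conn, cust_id))

if __name__ == "__main__":
    conn = make_db()
    honest = "c100"
    tampered = "c100' OR '1'='1"      # constructed untrusted input, the textbook probe
    print("honest input  ->", lookup_vulnerable(conn, honest), lookup_safe(conn, honest))
    print("tampered input->", lookup_vulnerable(conn, tampered), lookup_safe(conn, tampered))
```

With the honest value both lookups return Alice's row; with the tampered value the concatenated query returns every account, while the parameterized one returns nothing because no customer has that literal ID.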
OWASP
A04:2021-Insecure Design

- It is a new category for 2021, with a focus on risks related to design flaws.

- To avoid this make use of threat modeling, secure design patterns and principles, and
reference architectures.

Requirements and Resource Management:

- Collect and negotiate the business requirements for an application with the business.

- Compile the technical requirements, including functional and non-functional security
requirements.

- Plan and negotiate the budget covering all design, build, testing, and operation,
including security activities.
OWASP
A04:2021-Insecure Design

Secure Design

- Secure design is a culture and methodology that constantly evaluates threats and ensures
that code is robustly designed and tested to prevent known attack methods.

- Look for changes in data flows and access control or other security controls.

- Analyze assumptions and conditions for expected and failure flows, ensure they are still
accurate and desirable.

- Determine how to validate the assumptions and enforce conditions needed for proper
behaviors.

- Ensure the results are documented.

- Secure design is neither an add-on nor a tool that you can add to software.
OWASP
A04:2021-Insecure Design

Secure Development Lifecycle:

- Secure software requires a secure development lifecycle, some form of secure design
pattern, paved road methodology, secured component library, tooling, and threat
modeling.

How to prevent:

- Use threat modeling for critical authentication, access control, business logic, and key
flows

- Integrate security language and controls into user stories.

- Limit resource consumption by user or service.


OWASP
A05:2021-Security Misconfiguration

- Applications were tested for some form of misconfiguration, and XML External Entities
(XXE) is now part of this category.

The application might be vulnerable if:

- Unnecessary features are enabled or installed (e.g., unnecessary ports, services, pages,
accounts, or privileges).

- Default accounts and their passwords are still enabled and unchanged.

- Error handling reveals stack traces or other overly informative error messages to users.

- The software is out of date or vulnerable.


OWASP
A05:2021-Security Misconfiguration

How to prevent:

- Remove or do not install unused features and frameworks.

- Review cloud storage permissions.

- Use a segmented application architecture that provides effective and secure separation
between components or tenants, with segmentation, containerization, or cloud security groups.

- Send security directives to clients, e.g., security headers.

- Use an automated process to verify the effectiveness of the configurations and settings in
all environments.
OWASP
A06:2021-Vulnerable and Outdated Components

- It is the only category not to have any Common Vulnerabilities and Exposures
(CVEs).

You are likely vulnerable:

- If you do not know the versions of all components you use.

- If the software is vulnerable, unsupported, or out of date.

- If you do not scan for vulnerabilities regularly.

- If you do not fix or upgrade the underlying platform, frameworks, and dependencies in
a risk-based, timely fashion.

- If software developers do not test the compatibility of updated, upgraded, or patched
libraries.
OWASP
A06:2021-Vulnerable and Outdated Components

How to Prevent

- Remove unused dependencies, unnecessary features, components, files, and
documentation.

- Continuously inventory the versions of both client-side and server-side components.

- Only obtain components from official sources over secure links.

- Monitor for libraries and components that are unmaintained.


OWASP
A07:2021-Identification and Authentication Failures:

- Confirmation of the user's identity, authentication, and session management is critical
to protect against authentication-related attacks.

There may be authentication weaknesses if the application:

- Permits automated attacks such as credential stuffing, where the attacker has a list of
valid usernames and passwords.

- Permits brute force or other automated attacks.

- Permits default, weak, or well-known passwords, such as "Password1" or
"admin/admin".

- Uses plain text, encrypted, or weakly hashed password data stores.


OWASP
A07:2021-Identification and Authentication Failures:

How to Prevent

- Implement multi-factor authentication to prevent automated credential stuffing, brute
force, and stolen credential reuse attacks.

- Do not ship or deploy with any default credentials, particularly for admin users.

- Implement weak password checks, such as testing new or changed passwords against
the top 10,000 worst passwords list.

- Ensure registration, credential recovery, and API pathways are hardened against
account enumeration attacks by using the same messages for all outcomes.
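Three of the prevention points above in code, as an added example that is not from the slides or from OWASP: passwords are screened against a weak-password list before registration, stored only as salted PBKDF2-HMAC-SHA256 hashes (never plain text, reversible encryption, or a bare fast hash), and the login path returns one message and does the same amount of work whether the username exists or not, so neither the message nor the timing reveals valid accounts. The weak-password list and user store are constructed stand-ins; a real deployment uses the full top-10,000 list the slide refers to.

```python
import hashlib
import hmac
import os

# Constructed stand-in for the "worst passwords" list (real ones hold thousands).
WEAK_PASSWORDS = {"password", "password1", "123456", "qwerty", "admin", "letmein"}

USERS = {}               # username -> (salt, hash); constructed in-memory user store
ITERATIONS = 600_000     # PBKDF2-HMAC-SHA256 work factor

def password_is_weak(password: str) -> bool:
    """Too short or on the known-bad list: reject at registration or change."""
    return len(password) < 12 or password.lower() in WEAK_PASSWORDS

def hash_password(password: str, salt: bytes = None) -> tuple:
    """Salted, deliberately slow hash; a breach of the store yields no passwords."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest

def register(username: str, password: str) -> str:
    if password_is_weak(password):
        return "rejected: password is too short or too common"
    USERS[username] = hash_password(password)
    return "ok"

# Verifying against a dummy hash when the username is unknown keeps the work,
# and therefore the response time, the same for "no such user" and "wrong password".
_DUMMY_SALT, _DUMMY_HASH = hash_password("dummy-credential-never-valid")

def login(username: str, password: str) -> str:
    salt, expected = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    _, actual = hash_password(password, salt)
    if username in USERS and hmac.compare_digest(actual, expected):
        return "ok"
    return "invalid username or password"   # identical message for every failure

if __name__ == "__main__":
    print(register("alice", "Password1"))
    print(register("alice", "correct-horse-battery-staple"))
    print(login("alice", "correct-horse-battery-staple"))
    print(login("alice", "not-the-password"))
    print(login("mallory", "correct-horse-battery-staple"))
```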
OWASP
A08:2021-Software and Data Integrity Failures:

- This category focuses on code and infrastructure that make assumptions about software
updates, critical data, and CI/CD pipelines without verifying integrity.

- Software and data integrity failures relate to code and infrastructure that does not
protect against integrity violations.

- An example of this is where an application relies upon plugins, libraries, or modules
from untrusted sources, repositories, and content delivery networks (CDNs).

How to Prevent

- Use digital signatures or similar mechanisms to verify the software or data is from the
expected source and has not been altered.
OWASP
A08:2021-Software and Data Integrity Failures:

How to Prevent

- Ensure libraries and dependencies, such as npm or Maven, are consuming trusted
repositories.

- Ensure that a software supply chain security tool, such as OWASP Dependency Check

- Ensure that there is a review process for code and configuration changes to minimize
the chance that malicious code

- Ensure that unsigned or unencrypted serialized data is not sent to untrusted clients.
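The "verify it is from the expected source and has not been altered" check, as an added example that is not from the slides or from OWASP: an artifact is accepted only if its SHA-256 digest equals the one pinned when it was first reviewed (the same idea as a lock file entry or a Subresource Integrity attribute), and an artifact with no pin at all is refused rather than trusted on first use. The pinned manifest and the "downloaded" bytes are constructed inline so the example runs offline.

```python
import base64
import hashlib
import hmac

def sri_digest(data: bytes) -> str:
    """SRI-style digest string: algorithm name plus base64 of the raw hash."""
    return "sha256-" + base64.b64encode(hashlib.sha256(data).digest()).decode()

# Constructed: the bytes of a reviewed dependency and the manifest that pins them.
GOOD_LIB = b"export function add(a, b) { return a + b; }\n"
PINNED = {"mini-math@1.2.0": sri_digest(GOOD_LIB)}

class IntegrityError(Exception):
    pass

def verify_artifact(name: str, data: bytes, manifest: dict = PINNED) -> bytes:
    """Return the bytes only if they match the pinned digest for that name."""
    expected = manifest.get(name)
    if expected is None:
        raise IntegrityError(f"{name}: no pinned digest, refusing to load")
    actual = sri_digest(data)
    if not hmac.compare_digest(actual, expected):
        raise IntegrityError(f"{name}: digest mismatch, expected {expected}, got {actual}")
    return data

def artifact_ok(name: str, data: bytes, manifest: dict = PINNED) -> bool:
    try:
        verify_artifact(name, data, manifest)
        return True
    except IntegrityError:
        return False

if __name__ == "__main__":
    tampered = GOOD_LIB + b"// one extra line changes the whole digest\n"
    print("reviewed build :", artifact_ok("mini-math@1.2.0", GOOD_LIB))
    print("altered build  :", artifact_ok("mini-math@1.2.0", tampered))
    print("unpinned name  :", artifact_ok("other-lib@0.1.0", GOOD_LIB))
```

A pinned hash proves the bytes are unchanged since review; a signature from the publisher additionally proves who produced them, and the two are normally used together.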
OWASP
A09:2021-Security Logging and Monitoring Failures:

- Failures in this category can directly impact visibility, incident alerting, and forensics.

- This category is to help detect, escalate, and respond to active breaches.

- But without logging and monitoring, breaches cannot be detected.

Insufficient logging, detection, monitoring, and active response occurs any time:

- Auditable events, such as logins, failed logins, and high-value transactions, are not
logged.

- Warnings and errors generate no, inadequate, or unclear log messages.

- Logs of applications and APIs are not monitored for suspicious activity.
OWASP
A09:2021-Security Logging and Monitoring Failures:

How to Prevent

- Ensure all login, access control, and server-side input validation failures can be logged
with sufficient user context to identify suspicious or malicious accounts.

- Ensure that logs are generated in a format that log management solutions can easily
consume.

- Ensure log data is encoded correctly to prevent injections or attacks on the logging or
monitoring systems.

- Ensure high-value transactions have an audit trail with integrity controls to prevent
tampering or deletion.
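Two of the points above in code, as an added example that is not from the slides or from OWASP: login events are written as key=value lines that log tooling can parse, attacker-influenced fields are encoded so a crafted username cannot forge extra lines (log injection), and a small detector counts failures per user and source address to raise the "repeated failed logins" alert. The log lines are constructed for the example.

```python
import re
from collections import Counter

# Control characters, quotes and backslashes in user-influenced values are
# rewritten as \xNN so one value can never become a second log line or close
# the quoted field early.
_UNSAFE = re.compile(r'[\x00-\x1f\x7f"\\]')

def encode_field(value: str) -> str:
    return _UNSAFE.sub(lambda m: "\\x%02x" % ord(m.group()), value)

def login_event(outcome: str, username: str, src_ip: str) -> str:
    """One parseable audit line per login attempt."""
    return f'event=login outcome={outcome} user="{encode_field(username)}" src={src_ip}'

# Constructed sample: one minute of an authentication log.
SAMPLE_LOG = "\n".join([
    login_event("failure", "alice", "198.51.100.7"),
    login_event("failure", "alice", "198.51.100.7"),
    login_event("failure", "alice", "198.51.100.7"),
    login_event("failure", "bob", "203.0.113.9"),
    login_event("success", "alice", "10.1.2.3"),
    login_event("failure", "alice", "198.51.100.7"),
    login_event("failure", "alice", "198.51.100.7"),
])

_LINE = re.compile(r'event=login outcome=(\w+) user="([^"]*)" src=(\S+)')

def failed_logins_over_threshold(log_text: str, threshold: int = 5) -> dict:
    """(user, source) pairs with at least `threshold` failures in the text."""
    counts = Counter()
    for line in log_text.splitlines():
        m = _LINE.match(line)
        if m and m.group(1) == "failure":
            counts[(m.group(2), m.group(3))] += 1
    return {pair: n for pair, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    # A username carrying a newline stays on one line once encoded.
    print(login_event("failure", "eve\nevent=login outcome=success", "198.51.100.7"))
    print("alerts:", failed_logins_over_threshold(SAMPLE_LOG))
```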
OWASP
A10:2021-Server-Side Request Forgery:

- SSRF flaws occur whenever a web application is fetching a remote resource without
validating the user-supplied URL.

- It allows an attacker to force the application to send a crafted request to an unexpected
destination, even when protected by a firewall or VPN.

How to prevent:

From Network layer:

- Segment remote resource access functionality in separate networks to reduce the
impact of SSRF.

- Enforce “deny by default” firewall policies to block all but essential intranet traffic.
OWASP
A10:2021-Server-Side Request Forgery:

How to prevent:

From Application layer:

- Sanitize and validate all client-supplied input data

- Enforce the URL schema, port, and destination with a positive allow list

- Disable HTTP redirections
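The three application-layer controls above in one validator, as an added example that is not from the slides or from OWASP: a client-supplied URL is accepted only if its scheme, port and host name are on a positive allow list, literal IP addresses and embedded credentials are refused, and the fetch itself uses an opener that treats any redirect as an error so the validated destination cannot be swapped after the check. The allow list is constructed for the example; `fetch` is shown for completeness and is not called, since it needs network access.

```python
import ipaddress
import urllib.request
from urllib.parse import urlsplit

# Constructed allow list: the only remote resources this service may fetch.
ALLOWED_SCHEMES = {"https"}
ALLOWED_HOSTS = {"api.example.com", "cdn.example.com"}
ALLOWED_PORTS = {443}

class UnsafeURL(Exception):
    pass

def _is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def validate_fetch_url(url: str) -> str:
    """Positive validation before the server fetches a client-supplied URL:
    anything not explicitly allowed is rejected."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise UnsafeURL(f"scheme not allowed: {parts.scheme!r}")
    if parts.username or parts.password:
        raise UnsafeURL("credentials in URL are not allowed")
    host = parts.hostname or ""
    if _is_ip_literal(host):
        raise UnsafeURL("literal IP addresses are not allowed")   # internal ranges included
    if host not in ALLOWED_HOSTS:
        raise UnsafeURL(f"host not on allow list: {host!r}")
    try:
        port = parts.port
    except ValueError:
        raise UnsafeURL("malformed port")
    if (port or 443) not in ALLOWED_PORTS:
        raise UnsafeURL(f"port not allowed: {port}")
    return url

def url_allowed(url: str) -> bool:
    try:
        validate_fetch_url(url)
        return True
    except UnsafeURL:
        return False

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse redirects: a 3xx could otherwise point the request anywhere."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        raise UnsafeURL(f"redirect to {newurl!r} refused")

_OPENER = urllib.request.build_opener(_NoRedirect)

def fetch(url: str, timeout: float = 5.0) -> bytes:
    return _OPENER.open(validate_fetch_url(url), timeout=timeout).read()

if __name__ == "__main__":
    for candidate in [
        "https://api.example.com/v1/report?id=7",   # allowed
        "http://api.example.com/v1/report",         # wrong scheme
        "https://10.0.0.5/status",                  # IP literal (internal range)
        "https://localhost/admin",                  # host not on the allow list
        "https://api.example.com:8443/",            # port not allowed
        "https://user@api.example.com/",            # credentials in URL
    ]:
        print(f"{candidate:45} -> {'allow' if url_allowed(candidate) else 'reject'}")
```

The host allow list already keeps requests off the internal network; the IP-literal check and the redirect refusal are defence in depth, because a permitted host that redirects, or a name that later resolves to an internal address, would otherwise bypass the list.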
