Unit 2: Threats and Attack Modes
This unit introduces common threats and attack modes on information systems. The unit begins by differentiating between threats, attacks, and attack agents, and continues with a description of access control, spoofing, social engineering, application, web application, malware, and denial of service attacks. Understanding the method of an attack is instrumental to understand mitigation efforts used in information systems, and is a segway into the next unit on cryptographic models used to protect information from these attacks.
Completing this unit should take you approximately 10 hours.
Upon successful completion of this unit, you will be able to:
- distinguish between threats, attacks, and threat agents;
- discuss access control attacks, such as password, dictionary, and brute-force attacks;
- examine spoofing attacks, such as email, phone number, and internet protocol (IP) spoofing;
- identify social engineering attacks, such as dumpster diving, shoulder surfing, tailgating, phishing, spear-phishing, whaling, and pretexting;
- discuss application attacks, such as buffer overflows, time of check to time of use, back doors, and escalation of privilege;
- analyze web application attacks, such as those involving cross-site scripting (XSS) and SQL injection;
- distinguish between types of malware attacks, such as viruses, logic bombs, Trojan horses, and worms; and
- examine denial of service (DoS) and distributed denial of service (DDoS) attacks.
2.1: Threat Terminology
In this section, you will learn the relationship and differences between threats and attacks. Recall that in the previous unit you learned about incident response. Incidents may occur due to attacks. Attacks are deliberate actions meant to exploit a system. A threat is the potential of a system to be attacked as a threat is a known weakness in a system that has the potential to impact a system in a negative way. Attacks can be implemented by hackers, but not all hackers mean to cause harm as some attackers are considered ethical hackers and can test the security of a system. Hackers can be white hat, blue hat, gray hat, or black hat, and can also be called crackers, phrackers, script kiddies, and hactivists. This section will explain the differences between threats and attacks and will explain the characteristics of different types of hackers. You will also learn about threat modeling, identifying threats, and anti-forensic principles, or data minimization.
Many types of malicious or suspicious activities are presented to information systems. To understand how to protect systems, you first need to understand the nature of these threats and attacks. To begin, watch this video to understand threats and attacks. What are the differences between these two concepts?
Review this article to understand that there are many types of threats to systems and to be able to define the five types of hackers and their techniques.
Watch this video to learn about threat models, how to identify threats, and the utility of anti-forensics.
2.2: Types of Attacks
To select the appropriate countermeasures to protect against system attacks, you must first know if an attack is passive or active and if the threat agents are non-target specific, employees, criminals, corporations, human-unintentional, human-intentional, or natural. You will then understand the mechanisms used to respond to the attack. There are many types of system attacks. This unit will explain some common types to include birthday attacks, botnets, man-in-the-middle attacks, teardrop attacks, war dialing, and zero-day exploits.
Information security personnel need to be aware of common types of malicious attacks on information systems. This video will describe the difference between passive and active attacks. The two passive attacks described are release message contents and traffic analysis. The four active attacks are masquerade, replay, modifications, and denial of service. Pay attention to the characteristics of passive and active attacks. You should learn the method of attack and the mechanism to mitigate each of the two passive and the four active attacks.
Read this section, which describes threat agent, the actions a threat agent can take, and how to classify threat agents as non-target specific, employees, criminals, corporations, human-unintentional, human-intentional, or natural.
The birthday attack is a cryptographic attack based on the birthday paradox, or the probability of a group of people having the same birthday. The use of the theory of the birthday paradox improves the probability of creating a hash collision. Watch this video to understand the mathematics behind the birthday paradox. Do not be concerned with learning the mathematics. Instead, pay attention to how the probability increases as the number of people in the room increase, and how the brute attack effort decreases with the birthday paradox.
Botnets are a group of networked computers that are infected with malware. Watch this video to learn the terminology used with botnets such as botnet master and zombie, the purpose of botnets, and how to detect that a computer is infected by a botnet.
While you read, think about these questions: what kinds of people might choose to operate a botnet? Why might they do so? How can botnets be controlled? How big are most botnets?
Man-in-the-middle attacks are a type of information interception that when it occurs is unknown to both the sender and the receiver. What methods can be used to create a man-in-the-middle attack?
This page explains the concept of a teardrop attack, the effect these attacks have on a system, and the operating systems that are vulnerable to this kind of attack. Older versions of Windows and Linux are vulnerable to teardrop attacks, including Windows 7 and Windows Vista.
War dialing is a type of attack that exploits dial-up service. While dial-up service has been almost completely replaced by broadband, it still exists in some areas.
War dialing is a brute-force attack. How can auditing and monitoring reveal indicators of a war dialing attack?
"Zero-day exploit" refers to the day that a vulnerability is identified by the vendor, or the day before. Zero-day threats or attacks are dangerous because there are no ways to mitigate them. What should happen once a zero-day exploit is identified?
2.3: Spoofing Attacks
An attack that is commonly used today is spoofing or pretending to be someone or something that you are not. Spoofing occurs for various reasons, and one common reason is for financial gain. For instance, a website may be spoofed to obtain a bank account or credit card password and username. The prevention of spoofing is primarily through awareness training or simply being aware of the methods used in spoofing attacks. As an information security professional, you may have to identify spoofing techniques or you may have to train personnel on spoofing methods, but first you must understand spoofing techniques. This unit will describe email spoofing, caller ID spoofing, and IP address spoofing, and will describe how to identify and counter these techniques.
Spoofing is posing as someone you are not. Read this page, which explains the concept of spoofing, popular spoofing techniques, and countermeasures for spoofing attacks.
This article gives an in-depth explanation of internet protocol (IP) and email address spoofing. What are the steps for IP spoofing? Why might an attacker would want to spoof an IP or email address?
Email spoofing is common today, and can be dangerous by introducing malware into your system or by exploiting your identity. How can you identify a spoofed email? Why do attackers try to spoof emails? How can you combat email spoofing?
Phone number spoofing has become popular today, especially for telemarketers. Read this article and watch the video about caller ID spoofing. How can you avoid spoofing? How should you react to spoofed calls?
Read this article, which explains IP address spoofing and what an attacker can gain with this type of attack.
2.4: Social Engineering
Another type of attack is social engineering. Many are not aware that social engineering is a type of attack as it is not a technical method of attack but appeals to the trusting and social nature of humans. Social engineering is sometimes the most productive type of attack as it is the simplest and least costly type of attack. You have probably seen social engineering methods used in movies. An investigator gathers information from papers disposed of in the trash, a nefarious person watches over the shoulder of a coworker as they type on their cell phone or computer, or someone follows another person through a locked door of an apartment building. These methods can all be used to gather information or to gain access to a system. In this unit, the methods of social engineering examined include dumpster diving, shoulder surfing, tailgating, spear-phishing and pretexting.
Social engineering preys on the fact that humans are the weakest link in information security. This article explains the social engineering model, outlines the two categories of social engineering attacks, and discusses techniques for preventing and mitigating social engineering.
Dumpster diving is a way to obtain information that is has been improperly disposed. What kinds of security leaks that can be found "in the trash"?
Read this article, which gives another perspective on improperly disposed items and why they are valuable to dumpster diving attackers.
We should all be cognizant of "shoulder surfing" – people who can see our computer screens or keyboards. What can attackers gain by shoulder surfing? How can you tell when you might be vulnerable to a shoulder surfing attack?
Tailgating is going through a door without authorization. How does tailgating work? What are some of the factors used by successful tailgaters?
Watch this video, which explains how to prevent tailgating from happening in a secure area.
Phishing is a deceptive way to obtain sensitive information. Spear-phishing is a targeted way to attack systems within a particular organization using email addressed to specific individuals. Spear-phishing and whaling are very similar, but the target of the attack differs. Read this article, which explains methods of phishing, spear-phishing, and whaling. What is the purpose of whaling, and who is its target?
Pretexting is a way to gain passwords. Read this article, which explains the steps involved in pretexting.
2.5: Application Attacks
Attacks are often launched against applications because the code is proprietary and often unprotected by common defense methods. To understand how to protect against these attacks the information security professional must understand the attack methods. There are many types of application attacks, and some of the most common ones are discussed in this unit and include buffer overflow, time of check to time of use, escalation of privilege, and firmware resilience. The methods used to prevent these types of attacks are also addressed.
Attackers often exploit applications because they are not as secure as networks. An attack on an application can provide the attacker the same desired result. Watch this video, which describes application attacks and gives some examples of common application attacks. Notice that applications can also have zero-day attacks, which we discussed previously.
This video discusses application attacks further. What is the goal of application attacks? How can features such as cookies, attachments, malicious add-ons, header manipulations, and session hijacking make an application more vulnerable to attacks?
Buffer overflow attacks can often be avoided with proper system configurations. In this video, you will learn about buffers and how a buffer can be exploited in a buffer overflow attack. Pay attention to the seriousness of a buffer overflow attack and the possible outcome of this type of attack. What affect can the attack have on a system? How would a buffer overflow attack be initiated against a system? What procedures should be in place to avoid a buffer overflow attack? What programming languages are vulnerable to buffer overflow attacks?
Watch this video to learn more about buffer overflows to include stack-based and heap-based, buffer overflow myths, and ways to reduce buffer overflow attacks in code.
Time of check to time of use (TOCTTOU) is a race condition that affects software. While you read, pay attention to the mechanics of a TOCTTOU attack as provided in the attack examples. Remember the most common platform where you might find a TOCTTOU bug. What methods can be used to prevent TOCTTOU from occurring in UNIX and in Microsoft Windows?
Privilege is the level of access a user has on a system. Read the section in this article about escalation of privilege to learn the meaning of the term. What is the difference between vertical and horizontal escalation of privilege? Who has the highest level of privilege, that of a user at the application level or a system administrator at the kernel level? How can this kind of attack be prevented?
Watch this video to learn more about privilege escalation from the viewpoint of a hacker. What is privilege escalation? Why is privilege escalation difficult to execute? What types of things might an attacker look for on a system to escalate their privileges?
2.6: Web Application Attacks
The most common web application attacks are cross-site scripting (XSS) and SQL injection attacks. Injection attacks input malicious code into a web application and alters its behavior. You can see why this type of attack would be undesirable as passwords, or other personal information can be stolen without the owner’s knowledge of the attack. There are ways to prevent injection attacks from occurring, and it may be the job of the security professional to ensure that appropriate procedures are followed to circumvent these types of attacks. This section describes XSS and SQL injection attacks and a few other types of web application attacks as well as the recommended methods to prevent the attacks from occurring.
Some attacks work specifically against websites or applications. This video will discuss some basic application attacks such as cross-site scripting, SQL injection attacks, buffer overflow attacks, integer overflow attack, directory traversal command injection attack, lightweight directory access protocol (LDAP) injection attack, extensible markup language (XML) injection attack, and zero day attacks. You will how an attacker performs each type of attack. As you watch this video, think about why an attacker might attack an application instead of a network. What is the best defense against application attacks?
Read this article to learn about cross-site scripting (XSS). How does an attacker exploit an XSS vulnerability? Describe reflected and persistent XSS vulnerabilities. How can an XSS attack be prevented?
Review this selection to understand why cross-site scripting attacks (XSS) are categorized as injection attacks. Under what conditions do XSS attacks occur? You saw reflected attacks in the previous section but review this category again and learn about another category: stored XSS attacks. Also, in this article, pay attention to the consequences of XSS attacks, ways to find flaws to prevent XSS attacks, and how to protect from an XSS attack.
Read parts two and three of this article to understand the actors in cross-site scripting (XSS), persistent, reflected, and DOM-based XSS types, and methods to prevent XSS.
You have learned about cross-site scripting as an injection attack on applications. This article will introduce you to another type of injection attack on databases, SQL injection. After reading, be able to explain what occurs during a SQL injection attack, how to prevent the attack, and how a SQL injection can compromise a system.
Read this article to understand the concept of SQL injection attacks. Although you are not expected to know how to code, review the code examples and attempt to comprehend how the safe version provided in each example can prevent the attack.
In this unit, you previously learned about cross-site scripting and SQL injection attacks. In this article, you will learn how to define injection, and the terms threat agents, attack vectors, security weaknesses, technical impacts, and business impact as related to injection attacks. There is also a detailed example of how an injection attack works within code.
2.7: Malware attacks
You have learned about many types of attacks on a system. In this unit you will learn about the different types of malware and the harm it can cause a system. Malware can take on the form of viruses, worms, trojan horses, and logic bombs. Each type attacks a system and spreads to other parts of the system in a different manner. To understand how to combat and to contain these types of attacks it is important to understand how each type enters the system, the mechanism of harm, and how malware infects other parts of the system.
Watch this video to learn the definition of malware and what it can potentially do to a system. Pay attention to a method that can prevent introducing malware into a system when installing new software. You will learn about some common types of malware as well as their mode of attack, and what they attack in a system. The types of malware you will learn about are virus, trojan, worm, rootkit, logic bomb, ransomware, botnet, adware, spyware, polymorphic virus, armored virus, and backdoor access.
As you learned in the previous section, depending on the function or type of malware used the harmful effect on the system will differ. In this section, you will learn about the seven common effects malware can have on a system, such as overwhelming system resources, running malicious adware, running spyware, running ransomware, creating backdoors, disabling security functions, and creating botnets. Pay attention to the type of malware and the method used to create each affect.
Read this article on computer viruses, worms, Trojan horses, spyware, and adware. Be able to describe how a computer virus can spread throughout a system or network, and the effect a virus might have on a system. Think about how a worm affects a computer system, and how a worm is similar or different from a virus. A Trojan horse is malicious software that is named after the Trojan horse known in mythology. Learn what a trojan horse is and what it can do once activated in a system. What is the purpose of spyware and adware?
Watch this video to learn more about viruses, worms, and Trojan horses. After watching you should be able to describe a virus and how it spreads, and the affect a virus can have on a system. You should also be able to describe a worm and a Trojan horse. Why this type of malware is called a Trojan horse should become clear, as well as why it should NOT be termed a virus. You will also learn how a worm spreads, and some history about the infamous Stuxnet worm.
After reading the section on the types of Trojan horses, you should be able to describe all seven Trojan horse types. Think about how Trojan horses are different from viruses and worms.
Read the section on logic bombs and DOS to comprehend the ability of this type of code, and how it can be used in a DOS attack.
2.8: Denial of Service (DoS) and Distributed Denail of Service (DDoS)
Denial of service (DoS) attacks are used by hackers, and sometimes by governments to prevent systems from operating. This method consists of flooding a system’s network with traffic until the system overloads and crashes. One famous attack was during the Russo-Georgian War in 2008. Russia shutdown the Georgian president’s website, and other Georgian websites using a distributed denial of service attack (DDoS). These types of attacks can occur at any business and the security professional should understand this concept of this type of attack when it happens. This unit will describe denial of service (DoS) attacks and distributed denial of service attacks (DDoS) and will explain what happens to a system during a successful attack. As we have discussed in other sections, it is important to understand the effects of this type of attack on the tenets of the CIA triad.
This video will explain the concept of a denial of service (DoS) attack. What is the goal for an attacker when committing a DoS attack? How is this type of attack accomplished?
A denial of service (DoS) attack and a distributed denial of service (DDoS) attack are similar but one is more difficult to defend against. Watch this video as an introduction to the concept of a distributed denial of service (DDoS) attack. What is the intent of an attacker when initiating a DDoS? What systems are used to initiate the attack?
Read this to understand the objective of a denial of service (DoS) attack. When a DoS attack occurs, what happens to a system? Be able to explain how a DoS and a DDoS attack are related and how they differ.
Watch this video for an in-depth explanation of the types of DoS and DDoS attacks and how they work. Once complete, you should recognize the terms and associate them to denial of service attack methods. Thinking about the CIA triad, what leg of the triad does a DoS attack affect?
Unit 2 Assessment
- Receive a grade
Take this assessment to see how well you understood this unit.
- This assessment does not count towards your grade. It is just for practice!
- You will see the correct answers when you submit your answers. Use this to help you study for the final exam!
- You can take this assessment as many times as you want, whenever you want.