CS406 Study Guide

Unit 2: Threats and Attack Modes

2a. Distinguish between threats, attacks, and threat agents

  • What is the difference between a threat and an attack?
  • What is a threat agent?
  • How are threats identified and prioritized?

A threat is the potential for an attack, and an attack is an assault on a system. A threat can be an attacker that means to cause harm when possible, an employee or insider that intentionally or unintentionally attacks a system, or a threat could be the environment such as the possibility of a hurricane or a tornado. An attack is an action to interrupt services or to bypass controls to access a system. There are many types of attacks that are discussed in additional sections in this unit.

A threat agent, sometimes called a threat actor, is the individual or group that exploits vulnerabilities. A threat agent attacks a system and can be a type of malware, a hacker, an employee, or a nation-state. Each type of threat agent has a different motivation for being an attacker.

The threat landscape changes often and is what is known as a moving target. There are so many threats today that no one person can identify or know them all. The best way is to pay attention to data breach reports and news on cyber threats. Threats should be identified and then prioritized according to the possible impact of the threat.

To review, see Threat Terminology, Privacy Threats, and An Overview of Threats.

 

2b. Discuss access control attacks, such as brute-force attacks, man-in-the-middle attacks, and zero-day exploits

  • What is the difference between passive and active attacks?
  • What is the significance of the brute-force birthday attack as related to the birthday paradox?
  • What is the purpose of a man-in-the-middle attack?
  • When is a zero-day exploit identified?

Passive attacks gather data or information about a system, but the attack will not attack the system resources to alter the functionality of the system. These types of attacks are more difficult to detect but simpler to prevent. An active attack may change the way a system operates and is more easily detected, but more difficult to prevent.

In cryptography, the birthday attack is a brute-force attack. For example, when obtaining a password by brute-force, an attacker tries all possible password combinations to gain access. The birthday attack is the possibility that a hash can be duplicated without changing the original message, and this duplication is called a collision. The birthday paradox is the possibility of people in one room having the same birthday which statistically is a 50% chance if there are 253 random people in a room. The birthday attack is based on the statistical occurrence of the birthday paradox.

A man-in-the-middle attack is when the communication between two parties is intercepted by an attacker. The parties usually do not know that the attacker is intercepting the communication. Man-in-the-middle attacks are used by hackers for several different purposes; to steal information, to analyze traffic, or to corrupt data to become part of a denial-of-service attack (DoS).

Zero-day exploits are vulnerabilities in software that are known to attackers but unknown to system maintainers. Zero days refers to the number of days that the maintainers know about the vulnerability. Vulnerabilities, once known, are listed in databases that are usually available to the public. One commonly known database is the common vulnerabilities and exposures (CVE) database maintained by the MITRE Corporation.

To review, watch Types of Attacks, Birthday Attacks, What is a Botnet?, and Zero-Day Exploits. Also, read Classifying Threats, More on Botnets, Man-in-the-Middle Attacks, Teardrop Attacks, What is War Dialing?, and More on War Dialing.

 

2c. Examine spoofing attacks, such as email, phone number, and internet protocol (IP) spoofing

  • What is meant by spoofing and what is the primary goal of spoofing?
  • What are some common spoofing techniques?
  • How can a spoofed email be identified?
  • How should a receiver respond to a spoofed telephone call?

Spoofing is pretending to be someone or something that you are not. There are many reasons or goals for spoofing, but the primary reason an attacker may use spoofing is for financial gain. Another reason may be to gain access to a system to obtain protected information.

Some common spoofing techniques are: Man-in-the-middle attacks where an attacker intercepts messages between two parties; IP address spoofing is falsifying an IP address to impersonate a sender, or to conceal the address of a sender; phishing is masquerading as a trusted person to gain protected information; email address spoofing is to conceal the address of the originator.

To identify a spoofed email review the address bar to confirm the email address is from the sender. Pay particular attention to the domain name to ensure it is correct. When in question, call the company and ask if the message is legitimate.

Spoofed telephone calls are from false caller ID numbers. To protect from spoofed calls, do not answer when the caller ID shows as unknown, or is from an unrecognized number. If you answer and there is a recording asking you to select a number to stop getting the calls do not respond. Not answering or responding is the best way to respond to spoofed calls.

To review, read Spoofing Attacks, A Comprehensive Analysis of Spoofing, Email Spoofing, Caller ID Spoofing, and ID Address Spoofing.

 

2d. Identify social engineering attacks, such as dumpster diving, shoulder surfing, tailgating, phishing, spear-phishing, whaling, and pretexting

  • What is social engineering and what are the two categories of social engineering attacks?
  • What kinds of security leaks can be found in the trash and what is this kind of attack?
  • What can attackers gain by shoulder surfing and how is it different from tailgating?
  • What is the purpose of whaling and who is the target?

Social engineering is when attackers influence individuals to disclose protected information. The two categories of social engineering attacks are human-based and computer-based. A human-based attack is when the attacker contacts the target. A computer-based attack is gathering information from technology such as cell phones or social media websites.

Dumpster diving is when an attacker finds protected information or equipment in the trash. To prevent information from being stolen, documents should be shredded before discarding and devices should be erased.

Shoulder surfing is watching over an individual's shoulder by standing behind them, by watching through a window, using a camera, or other methods that allow the monitor to be viewed as information is entered into a system. Login and information and protected data may be compromised while shoulder surfing. To protect against this type of attack, users should remain aware of their surroundings when entering protected information into a system.

Tailgating is when one person follows another through a secure entry point. The person that tailgates may or may not have authorized access to the area. To ensure this does not happen, the person that enters the secure location should ensure that the door or entry device closes behind them and that no one follows them into the secure location.

Whaling-phishing, usually referred to as whaling, is a type of spear-phishing attack. Spear-phishing is a type of targeted phishing attack, and whaling is targeting a person with a high profile in a company. The only difference between phishing, spear-phishing, and whaling is the target.

There are other types of social engineering that have not been mentioned. One that is commonly used is pretexting or designing scenarios that will make victims trust the attacker, and then providing the attacker with protected information. A typical way this occurs is when an attacker telephones a user and impersonates company help desk personnel. The user feels comfortable and trusts the attacker, and provides the attacker with protected or personal information, such as passwords and usernames.

To review, read An Overview of Social Engineering, Dumpster Diving, One Man's Trash is Another Man's Treasure, Shoulder Surfing, Tailgating, Phishing, Spear-phishing, and Whaling, Pretexting, and watch How to Protect Against Tailgating.

 

2e. Discuss application attacks, such as buffer overflows, time of check to time of use, back doors, and escalation of privilege

  • Why are attacks often launched against applications?
  • What effect can a buffer overflow have on an application?
  • How can a time of check to time of use (TOCTTOU) and an escalation of privilege attack be prevented?

Attacking an application can give an attacker the same result as when attacking a network, only the attack on an application is easier to successfully achieve. Applications are often unprotected by common defense methods and they are not as secure as networks. An attacker can gain control of a system through an attack on an application when performed correctly.

A buffer is temporary memory and is a place where information is temporarily stored while in use. If an attacker sends too much information to the buffer, the overflow information will be stored outside the buffer. If an attacker's data moves outside the buffer, the attacker can gain control of the system.

A TOCTTOU attack is a race condition that is caused by a software bug. When an authorized change is in progress and the system is locked down, the change may still occur because access to the software was already authorized. One technique that can be used to prevent the TOCTTOU attack is exception handling.

Escalation of privilege is when an attacker gains access at a low level and has the capability to raise their access to a higher level. This may occur by an attacker accessing a system and then taking over an account of a user at a higher level. Different methods can be used to prevent escalation of privilege, but the primary method is through least privilege. Least privilege is when users are limited only to the access needed to perform their jobs. When the method of least privilege is used and an attacker takes over another account the privileges gained will be limited.

To review, watch Application Attacks, Types of Application Attacks, The Basics of Buffer Overflows, More on Buffer Overflows, and Escalation of Privilege. Also, read Time of Check to Time of Use and  Application and Escalation of Privilege.

 

2f. Describe web application attacks, such as those involving cross-site scripting (XSS) and SQL injection

  • What is the best defense against application attacks?
  • How can a cross-site scripting (XSS) attack be prevented?
  • What kind of injection attacks affects databases?

Since networks are hardened and are a more challenging target for attackers, applications have now become the focus of attackers. The best protection against application attacks is an improved design approach by application developers. When developers incorporate appropriate data validation techniques into the application and the techniques are properly tested for effectiveness by someone outside the organization, attackers find it more difficult to successfully attack the application.

Cross-site scripting (XSS) is used as a method to attack applications. Malicious code is inserted in a form on a web page. The code is then relayed to the server where the web page resides and is sent to a client system to be executed. One of the most important methods to prevent XSS is through data validation. Validation is testing the data to verify that the appropriate format is submitted before it is accepted into the system.

Cross-site scripting attacks database servers, and structured query language (SQL) injection attacks can attack a database. In SQL injection attacks, an attacker inputs SQL commands into the system from a form or an input field, and the commands are passed on to the database. The malicious SQL commands may modify or retrieve information in the system's database.

To review, read Cross-Site Scripting, Examples of Cross-Site Scripting, How Does XSS Work?, SQL Injection, Examples of SQL Injection Attacks, How Application Flaws Enable SQL Injection, and watch Types of Application Attacks.

 

2g. Distinguish between types of malware attacks, such as viruses, logic bombs, Trojan horses, and worms

  • What are three types of malware and how do they differ?
  • What is the purpose of spyware and adware?
  • How can a logic bomb be used in a DDoS attack?

 Three common types of malware are viruses, trojans, and worms. A virus needs a host, and to be effective it must replicate and activate its malicious code. A trojan disguises itself as something needed or wanted by a user. A trojan is used to get a user to download a virus. A worm differs from a virus in that it can replicate itself across a network without the assistance of a host.

Spyware collects system information and sends it to an attacker, and adware entices users to make purchases. Spyware is accomplished through malicious code that may make changes to system settings. Adware may load advertisements, possibly as pop-ups, and may cause poor system performance.

Another type of malware is logic bombs. Code is inserted into a system that can be set to cause harm once certain conditions have been met. A logic bomb may be inserted into many other systems and all set to launch at the same time creating zombies to launch a distributed denial-of-service attack (DDoS).

To review, watch Common Types of Malware, Malware Functions, and The Security Risks of Viruses, Worms, and Trojan Horses, and read Computer Viruses, Worms, Trojan Horses, Spyware, and Adware, Types of Trojan Horses, and Logic Bombs.

 

2h. Examine denial of service (DoS) and distributed denial of service (DDoS) attacks

  • What is the goal for an attacker that commits a denial of service (DoS) attack?
  • What leg of the CIA triad is affected by a DoS attack?
  • What systems are used to initiate a distributed denial of service (DDoS) attack?

A denial of service (DoS) attack is when many requests are sent to a system, so many requests that the system cannot manage the traffic. An attacker attempting a denial-of-service attack differs from other attacks in that the attacker is not trying to gain access to a system, nor is the attacker trying to steal information. When an attacker launches a DoS attack, the attacker is attempting to disrupt the operation of the system.

The CIA triad represents confidentiality, integrity, and availability. If a DoS attack is successful, the system will shut down and will not be available to users. If the system shuts down, the tenet of the CIA triad that is affected is availability.

The difference between a DoS attack and a distributed denial of service (DDoS) attack is the number of systems that are used in the attack. A DoS attacks one system using one other system, but DDoS attacks a system using multiple compromised machines to attack one other system. The machines attack the system by sending more traffic than the system can handle, resulting in a system shut down.

To review, read How DoS Attacks Work and watch Denial of Service (DoS), Distributed Denial of Service (DDoS) and Types of DoS and DDoS Attacks.

 

Unit 2 Vocabulary

This vocabulary list includes the terms you will need to know to successfully complete the final exam.

  • adware
  • application
  • attack
  • birthday
  • brute-force
  • buffer overflow
  • code
  • distributed
  • dumpster
  • exploit
  • injection
  • internet protocol
  • logic bomb
  • malicious
  • phishing
  • pretexting
  • shoulder surfing
  • spear phishing
  • spoofing
  • spyware
  • tailgating
  • threat
  • threat actor
  • threat agent
  • traffic
  • trojan
  • validation
  • vulnerability
  • web application
  • whaling
  • worm
  • zero-day