SOUTHERN LUZON STATE UNIVERSITY
COLLEGE OF ENGINEERING
DEPARTMENT OF ELECTRICAL ENGINEERING
LUCBAN, QUEZON
ELE17
INFORMATION TECHNOLOGY
GROUP REPORTING
“INTERNET AND NETWORK ATTACKS”
NAMES: ARCELO, RENDEL R.
ARGOSINO, ANDRE FUEGO P.
ARTIAGA, DING LEOVY S.
ATIENZA, MARICEL D.
AUSTRIA, MHERWIN R.
LORREDO, LESTER JOHN OLIVER Z.
LOSLOSO, RYAN C.
MACATANGAY, MATTHEW S.
ORTEGA, JOHN ALBERT P.
PAGE, ROMILOU JOHN R.
COURSE/SECTION: BSEE V-GJ
SCHEDULE: TUTH (11:30-12:30) RATING:
DATE SUBMITTED: NOVEMBER 12, 2018
DATE OF REPORTING: NOVEMBER 15, 2018
ENGR. DEAN NOMBREFIA
INSTRUCTOR
INTERNET ATTACKS
Common Cyber Attacks: Reducing the Impact
INTRODUCTION
An organization's computer systems and the information they hold can be compromised in many
different ways: through malicious or accidental actions, or simply through the failure of software
or electronic components. While you need to consider all of these potential risks, it is malicious
attack from the Internet that is hitting the headlines and damaging organizations.
According to the Information Security Breaches Survey (2014), 81% of large companies reported
some form of security breach, costing each organization on average between £600,000 and
£1.5m.
More specifically, this paper covers:
- the threat landscape - the types of attackers, their motivations and their technical capabilities
- vulnerabilities - what are they, and how are they exploited?
- cyber-attacks, stages and patterns - what is the ‘typical’ structure of a cyber-attack?
- reducing the impact of an attack - what controls are needed to reduce the impact of common cyber-attacks?
- case studies - real world examples that demonstrate how cyber-attacks have caused financial and reputational damage to major UK businesses
TRIVIA IN RELATIONSHIP WITH CYBERATTACK
Algerian hacker hacks 217 banks and donates it all to Palestine and African charities
The famous Algerian hacker (a computer science graduate) Bendelladj Hamza, 27, was arrested and
tried in a US court for using a computer virus to steal money from more than 200 American banks
and financial institutions.
- code name BX1
- known as the "happy hacker" or "smiling hacker"
- used a banking trojan horse called SpyEye
- infected more than 1.4 million computers in the US and 50 million worldwide
- allowed them to obtain passwords, usernames and credit card information
Anonymous Philippines hacks government website (COMELEC) for rally
- Paul Luis Zulueta Biteng, IT graduate, 23 years old
- March 27, 2016
- got hold of voter data for the election that year
- posted a message asking the Comelec to make sure the PCOS machines had security features in place
Part 1: The Threat Landscape
TECHNICAL FOCUS: RISK
In cyber security terms, risk is the potential for a threat (a person or thing that is likely to cause
damage) to exploit a vulnerability (a flaw, feature or user error) that may result in some form of
negative impact.
WHO MIGHT BE ATTACKING YOU?
- Cyber criminals - interested in making money through fraud or from the sale of valuable information.
- Industrial competitors and foreign intelligence services - interested in gaining an economic advantage for their companies or countries.
- Hackers - who find interfering with computer systems an enjoyable challenge.
- Hacktivists - who wish to attack companies for political or ideological motives.
- Employees or those who have legitimate access - either by accidental or deliberate misuse.
Attacks may be classified as either un-targeted or targeted.
1. Un-targeted attacks
In un-targeted attacks, attackers indiscriminately target as many devices, services or users as
possible. They do not care about who the victim is as there will be a number of machines or
services with vulnerabilities. To do this, they use techniques that take advantage of the openness
of the Internet, which include:
- phishing - sending emails to large numbers of people asking for sensitive information (such as bank details) or encouraging them to visit a fake website
- water holing - setting up a fake website or compromising a legitimate one in order to exploit visiting users
- ransomware - which could include disseminating disk encrypting extortion malware
- scanning - attacking wide swathes of the Internet at random
2. Targeted attacks
In a targeted attack, your organization is singled out because the attacker has a specific interest
in your business, or has been paid to target you. The groundwork for the attack could take months
so that they can find the best route to deliver their exploit directly to your systems (or users). A
targeted attack is often more damaging than an un-targeted one because it has been specifically
tailored to attack your systems, processes or personnel, in the office and sometimes at home.
Targeted attacks may include:
- spear-phishing - sending emails to targeted individuals that could contain an attachment with malicious software, or a link that downloads malicious software
- deploying a botnet - to deliver a DDOS (Distributed Denial of Service) attack
- subverting the supply chain - to attack equipment or software being delivered to the organization
Part 2: Understanding Vulnerabilities
- Flaws
- Features
- User error
Introduction
Vulnerabilities provide the opportunities for attackers to gain access to your systems. They can
occur through flaws, features or user error, and attackers will look to exploit any of them, often
combining one or more, to achieve their end goal.
In the context of this paper, a vulnerability is a weakness in an IT system that can be exploited by
an attacker to deliver a successful attack.
Flaws
- A flaw is unintended functionality.
- This may either be a result of poor design or through mistakes made during implementation.
- Flaws may go undetected for a significant period of time.
The majority of common attacks we see today exploit these types of vulnerabilities. In the
last twelve months nearly 8,000 unique and verified software vulnerabilities were disclosed
in the US National Vulnerability Database (NVD).
Features
- A feature is intended functionality.
- Features improve the user’s experience, help diagnose problems or improve management, but they can also be exploited by an attacker.
When Microsoft introduced macros into their Office suite in the late 1990s, macros soon
became the vulnerability of choice with the Melissa worm in 1999 being a prime example.
JavaScript, widely used in dynamic web content, continues to be used by attackers. This
includes diverting the user’s browser to a malicious website and silently downloading
malware and hiding malicious code to pass through basic web filtering.
User error
A computer or system that has been carefully designed and implemented can minimize
the vulnerabilities of exposure to the Internet. Unfortunately, such efforts can be easily
undone (for example by an inexperienced system administrator who enables vulnerable
features, fails to fix a known flaw, or leaves default passwords unchanged).
More generally, users can be a significant source of vulnerabilities.
They make mistakes, such as choosing a common or easily guessed password, or leave
their laptop or mobile phone unattended. Even the most cyber aware users can be fooled
into giving away their password, installing malware, or divulging information that may be
useful to an attacker (such as who holds a particular role within an organization, and their
schedule). These details would allow an attacker to target and time an attack
appropriately.
TECHNICAL FOCUS: VULNERABILITIES
Vulnerabilities are actively pursued and exploited by the full range of attackers.
The ability for an attacker to find and attack software flaws or subvert features depends
on the nature of the software and their technical capabilities.
Some target platforms are relatively simple to access, for example web applications could,
by design, be capable of interacting with the Internet and may provide an opportunity for
an attacker.
Part 3: Common Cyber Attacks - Stages and Patterns
The attacker is effectively probing your defenses for weaknesses that, if exploitable, will
take them closer to their ultimate goal. Understanding these stages will help you to better defend
yourself.
Stages of an attack
A number of attack models describe the stages of a cyber-attack. We have adopted a
simplified model in this paper that describes the four main stages present in most cyber-attacks:
Survey - investigating and analyzing available information about the target in order to
identify potential vulnerabilities. User error can also reveal information that can be used in
attacks. Common errors include:
- releasing information about the organization’s network on a technical support forum.
- neglecting to remove hidden properties from documents such as author, software version and file save locations.
Delivery - getting to the point in a system where a vulnerability can be exploited. During
the delivery stage, the attacker will look to get into a position where they can exploit a
vulnerability that they have identified, or they think could potentially exist. Examples
include:
- attempting to access an organization’s online services.
- giving an infected USB stick away at a trade fair.
- creating a false website in the hope that a user will visit.
Breach - exploiting the vulnerability/vulnerabilities to gain some form of unauthorized
access.
Affect - carrying out activities within a system that achieve the attacker’s goal.
Part 4: Reducing Your Exposure to Cyber Attack
Preventing, detecting or disrupting the attack at the earliest opportunity limits the business
impact and the potential for reputational damage. Once the attacker has consolidated their
presence they will be more difficult to find and remove.
Reducing your exposure using essential security controls
Fortunately, there are effective and affordable ways to reduce your organization’s
exposure to the more common types of cyber-attack on systems that are exposed to the Internet.
The following controls are contained in the Cyber Essentials, together with more information about
how to implement them:
- boundary firewalls and internet gateways - establish network perimeter defenses, particularly web proxy, web filtering, content checking, and firewall policies to detect and block executable downloads, block access to known malicious domains and prevent users’ computers from communicating directly with the Internet.
- malware protection - establish and maintain malware defenses to detect and respond to known attack code.
- patch management - patch known vulnerabilities with the latest version of the software, to prevent attacks which exploit software bugs.
- whitelisting and execution control - prevent unknown software from being able to run or install itself, including Autorun on USB and CD drives.
- secure configuration - restrict the functionality of every device, operating system and application to the minimum needed for business to function.
- password policy - ensure that an appropriate password policy is in place and followed.
- user access control - include limiting normal users’ execution permissions and enforcing the principle of least privilege.
If your organization is likely to be targeted by a more technically capable attacker, give yourself
greater confidence by putting in place these additional controls set out in the 10 Steps to Cyber
Security:
- security monitoring - to identify any unexpected or suspicious activity.
- user training, education and awareness - staff should understand their role in keeping your organization secure and report any unusual activity.
- security incident management - put plans in place to deal with an attack, as an effective response will reduce the impact on your business.
The 10 Steps to Cyber Security sets out the features of a complete cyber risk management
regime. There are many effective and comprehensive schemes and open standards that your
organization can apply to support a defense-in-depth strategy, if this approach isn’t already
implemented.
Mitigating the stages of an attack
Mitigating the survey stage
User training, education and awareness is important. All your users should understand
how published information about your systems and operation can reveal potential vulnerabilities.
They need to be aware of the risks of discussing work-related topics on social media, and the
potential for them to be targeted by phishing attacks. They should also understand the risks to
the business of releasing sensitive information in general conversations, unsolicited telephone
calls and email recipients. The Centre for the Protection of the National Infrastructure (CPNI)
have published a guide to online reconnaissance to help put into place the most effective social
engineering mitigations.
Secure Configuration can minimize the information that Internet-facing devices disclose
about their configuration and software versions and ensures they cannot be probed for any
vulnerabilities.
Mitigating the delivery stage
The delivery options available to an attacker can be significantly diminished by applying
and maintaining a small number of security controls, which are even more effective when applied
in combination.
Up-to-date malware protection may block malicious emails and prevent malware being
downloaded from websites. Firewalls and proxy servers can block unsecure or unnecessary
services and can also maintain a list of known bad websites. Equally, subscribing to a website
reputation service to generate a blacklist of websites could also provide additional protection. A
technically enforced password policy will prevent users from selecting easily guessed
passwords and lock accounts after a specified number of failed attempts. Additional
authentication measures for access to particularly sensitive corporate or personal information
should also be in place.
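The "technically enforced password policy" above has two halves: rejecting weak passwords at the moment they are chosen, and locking an account after a set number of failed attempts so that guessing cannot continue indefinitely. The following is an added example written for this report, not code from the source paper or from Cyber Essentials. The policy values (minimum length, five attempts, fifteen-minute lock), the short common-password list and the clock injection are all constructed for the example; a real system would compare against a salted password hash rather than the plain string used here.

```python
import hmac
import time
from collections import defaultdict

# Constructed sample of commonly used passwords. A real deployment would load a
# large breached-password list here instead of this short illustrative set.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1"}

MIN_LENGTH = 12             # hypothetical policy values chosen for the example
MAX_FAILED_ATTEMPTS = 5     # lock the account after this many consecutive failures
LOCKOUT_SECONDS = 15 * 60   # how long a lock lasts before it expires


def password_policy_violations(password, username):
    """Return the reasons a candidate password is rejected (empty list if acceptable)."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in COMMON_PASSWORDS:
        reasons.append("appears in the common-password list")
    if username and username.lower() in password.lower():
        reasons.append("contains the username")
    return reasons


class LockoutTracker:
    """Counts consecutive failed logins per account and enforces a temporary lock.
    The clock is injectable so the expiry logic can be exercised without sleeping."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.failures = defaultdict(int)
        self.locked_until = {}

    def is_locked(self, username):
        until = self.locked_until.get(username)
        if until is None:
            return False
        if self.clock() >= until:
            # The lock has expired: clear it and give the user a fresh counter.
            del self.locked_until[username]
            self.failures[username] = 0
            return False
        return True

    def record_failure(self, username):
        """Record one failed attempt; return True if this failure locked the account."""
        self.failures[username] += 1
        if self.failures[username] >= MAX_FAILED_ATTEMPTS:
            self.locked_until[username] = self.clock() + LOCKOUT_SECONDS
            return True
        return False

    def record_success(self, username):
        self.failures[username] = 0
        self.locked_until.pop(username, None)


def attempt_login(tracker, username, supplied, expected):
    """Simplified login check returning 'locked', 'ok' or 'failed'.
    The constant-time comparison of two strings stands in for verification
    against a salted password hash, which a real system would use instead."""
    if tracker.is_locked(username):
        return "locked"
    if hmac.compare_digest(supplied.encode(), expected.encode()):
        tracker.record_success(username)
        return "ok"
    tracker.record_failure(username)
    return "failed"


if __name__ == "__main__":
    print(password_policy_violations("password", "alice"))
    tracker = LockoutTracker()
    for _ in range(MAX_FAILED_ATTEMPTS):
        print(attempt_login(tracker, "alice", "wrong-guess", "correct horse battery staple"))
    print(attempt_login(tracker, "alice", "correct horse battery staple", "correct horse battery staple"))
```

Note that the lock is checked before the password is compared, so a locked account rejects even the correct password until the lock expires; that is what stops an automated guesser from simply continuing.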
Secure configuration limits system functionality to the minimum needed for business operation
and should be systematically applied to every device that is used to conduct business.
Mitigating the breach stage
As with the delivery stage, the ability to successfully exploit known vulnerabilities can be
effectively mitigated with just a few controls, which are again best deployed together.
All commodity malware depends on known and predominately patchable software flaws.
Effective patch management of vulnerabilities ensures that patches are applied at the earliest
opportunity, limiting the time your organization is exposed to known software vulnerabilities.
Malware protection within the internet gateway can detect known malicious code in an
imported item, such as an email. These measures should be supplemented by malware protection
at key points on the internal network and on the users’ computers where available. Devices within
the internet gateway should be used to prevent unauthorized access to critical services or
inherently unsecure services that may be required internally by your organization. Equally, the
gateway should be able to detect any unauthorized inbound or outbound connections. Well-
implemented and maintained user access controls will restrict the applications, privileges and
data that users can access. Secure configuration can remove unnecessary software and default
user accounts. It can also ensure that default passwords are changed, and any automatic features
that could immediately activate malware (such as Autorun for media drives) are turned off.
User training, education and awareness are extremely valuable to reduce the likelihood of
‘social engineering’ being successful. However, with the pressures of work and the sheer volume
of communications, you cannot rely on this as a control to mitigate even a commodity attack.
Finally, critical to actually detecting a breach is the capability to monitor all network activity and to
analyze it to identify any malicious or unusual activity.
Mitigating the affect stage
If all the measures for the survey, delivery and breach stages are consistently in place,
the majority of attacks using commodity capability are likely to be unsuccessful. However, if your
adversary is able to use bespoke capabilities then you have to assume that they will evade them
and get into your systems. Ideally, you should have a good understanding of what constitutes
‘normal’ activity on your network, and effective security monitoring should be capable of identifying
any unusual activity.
Once a technically capable and motivated attacker has achieved full access to your
systems it can be much harder to detect their actions and eradicate their presence. This is where
a full defense-in-depth strategy can be beneficial.
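The breach-stage text above says a breach is only detected by monitoring network activity and analyzing it for malicious or unusual traffic, and the affect-stage text adds that this depends on first knowing what "normal" looks like. The following is an added example written for this report, not code from the source paper or any product: it learns a baseline of which internal hosts talk to which external ports during a known-good period, then flags later connections that depart from it. The log line format, the internal address range, the sample log lines and the allowed inbound port are all constructed for the example.

```python
import re
from collections import Counter, defaultdict

# Constructed log format used by this example (not a real product's format):
#   <timestamp> src=<ip> dst=<ip> dport=<port> proto=<tcp|udp> action=<allow|deny>
LOG_RE = re.compile(
    r"(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+) "
    r"proto=(?P<proto>\w+) action=(?P<action>\w+)$"
)
INTERNAL_PREFIX = "10.0."   # assumed internal address range for the example

# Constructed sample: a known-good period used to learn what "normal" looks like.
BASELINE_LOG = [
    "2018-11-12T09:01:02 src=10.0.1.15 dst=93.184.216.34 dport=443 proto=tcp action=allow",
    "2018-11-12T09:01:05 src=10.0.1.15 dst=93.184.216.34 dport=80 proto=tcp action=allow",
    "2018-11-12T09:02:10 src=10.0.1.22 dst=198.51.100.7 dport=443 proto=tcp action=allow",
    "2018-11-12T09:02:11 src=10.0.1.30 dst=93.184.216.34 dport=443 proto=tcp action=allow",
    "2018-11-12T09:03:40 src=198.51.100.50 dst=10.0.2.5 dport=443 proto=tcp action=allow",
]

# Constructed sample: a later period containing activity the controls should flag.
NEW_LOG = [
    "2018-11-13T10:00:01 src=10.0.1.15 dst=93.184.216.34 dport=443 proto=tcp action=allow",
    "2018-11-13T10:00:07 src=10.0.1.15 dst=203.0.113.77 dport=4444 proto=tcp action=allow",
    "2018-11-13T10:00:09 src=198.51.100.80 dst=10.0.2.5 dport=3389 proto=tcp action=allow",
    "2018-11-13T10:00:12 src=10.0.1.22 dst=198.51.100.7 dport=443 proto=tcp action=allow",
    "2018-11-13T10:00:20 src=10.0.1.30 dst=203.0.113.1 dport=443 proto=tcp action=allow",
    "2018-11-13T10:00:21 src=10.0.1.30 dst=203.0.113.2 dport=443 proto=tcp action=allow",
    "2018-11-13T10:00:22 src=10.0.1.30 dst=203.0.113.3 dport=443 proto=tcp action=allow",
    "2018-11-13T10:00:23 src=10.0.1.30 dst=203.0.113.4 dport=443 proto=tcp action=allow",
    "2018-11-13T10:00:24 src=10.0.1.30 dst=203.0.113.5 dport=443 proto=tcp action=allow",
    "this line is deliberately malformed",
]
ALLOWED_INBOUND_PORTS = {443}   # the only service the gateway should expose


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    src_internal = rec["src"].startswith(INTERNAL_PREFIX)
    dst_internal = rec["dst"].startswith(INTERNAL_PREFIX)
    rec["outbound"] = src_internal and not dst_internal
    rec["inbound"] = dst_internal and not src_internal
    return rec


def learn_baseline(lines):
    """Return the (source, destination port) pairs seen while activity was known to be normal."""
    baseline = set()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["outbound"]:
            baseline.add((rec["src"], rec["dport"]))
    return baseline


def find_anomalies(lines, baseline, allowed_inbound_ports, scan_threshold=5):
    """Return (kind, detail) alerts for activity that departs from the baseline:
    outbound traffic on a port a host never used before, inbound connections the
    gateway allowed to a service it should not expose, one host contacting many
    distinct external hosts, and lines the parser could not read (which should
    never be silently dropped)."""
    alerts = []
    external_hosts = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            alerts.append(("unparsed", line.strip()))
            continue
        if rec["outbound"]:
            external_hosts[rec["src"]].add(rec["dst"])
            if (rec["src"], rec["dport"]) not in baseline:
                alerts.append(("new-outbound", f"{rec['src']} -> {rec['dst']}:{rec['dport']}"))
        if rec["inbound"] and rec["action"] == "allow" and rec["dport"] not in allowed_inbound_ports:
            alerts.append(("unauthorized-inbound", f"{rec['src']} -> {rec['dst']}:{rec['dport']}"))
    for src, hosts in external_hosts.items():
        if len(hosts) >= scan_threshold:
            alerts.append(("many-destinations", f"{src} contacted {len(hosts)} external hosts"))
    return alerts


def summarize(alerts):
    """Count alerts by kind, the figure an analyst would look at first."""
    return Counter(kind for kind, _ in alerts)


if __name__ == "__main__":
    for alert in find_anomalies(NEW_LOG, learn_baseline(BASELINE_LOG), ALLOWED_INBOUND_PORTS):
        print(alert)
```

The two outbound checks are deliberately independent: the host 10.0.1.30 in the sample uses port 443 exactly as it did in the baseline, so nothing about any single connection is new, yet fanning out to five different external hosts in seconds is still unusual for it. That is the kind of deviation from "normal" the affect-stage text says monitoring must be able to spot.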
NETWORK ATTACKS
Types of Attacks
Here we present some basic classes of attack that can cause slow network performance,
uncontrolled traffic, viruses, etc. These are attacks on the network from malicious nodes. Attacks
can be categorized in two ways:
- "Passive", when a network intruder intercepts data traveling through the network, and
- "Active", in which an intruder initiates commands to disrupt the network's normal operation.
Active attacks
a. Spoofing – refers to tricking or deceiving computer systems or other computer users. This is
typically done by hiding one’s identity or faking the identity of another user on the internet.
- spoofing can be done by simply faking an identity, such as an online username.
Ex. E-mail spoofing – involves sending messages from a bogus e-mail address or faking
the e-mail address of another user.
IP spoofing – involves masking the IP address of a certain computer system. By
hiding or faking a computer's IP address, it is difficult for other systems to determine where the
computer is transmitting data from. Because IP spoofing makes it difficult to track the source of a
transmission, it is often used in denial-of-service attacks that overload a server.
b. Modification – the message sent by the sender is modified and forwarded to the destination
by an unauthorized user. The integrity of the message is lost in this type of attack. The receiver
does not receive the exact message that was sent by the source, which results in poor
performance of the network.
c. Wormhole – also called the tunneling attack. In this attack, an attacker receives a packet at
one point and tunnels it to another malicious node in the network, so that a node is led to
believe it has found the shortest path in the network.
d. Fabrication - in this type of attack a fake message is inserted into the network by an
unauthorized user as if it came from a valid user. This results in the loss of confidentiality,
authenticity and integrity of the message.
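Both modification and fabrication are caught by the same control: a message authentication code computed under a key the attacker does not hold. A modified message no longer matches its tag, and a fabricated message carries a tag computed under the wrong key. The following is an added example written for this report, not code from the source paper; the shared key, the message texts and the three scenarios are constructed for the example, and a real deployment would load the key from a key store rather than the source file.

```python
import hashlib
import hmac

# Constructed shared secret for the example only; a real deployment would load
# the key from a key store and never embed it in source.
SHARED_KEY = b"example-shared-key-not-for-real-use"


def protect(message, key=SHARED_KEY):
    """Attach an HMAC-SHA256 tag so the receiver can check integrity and origin."""
    tag = hmac.new(key, message.encode("utf-8"), hashlib.sha256).hexdigest()
    return {"msg": message, "tag": tag}


def verify(envelope, key=SHARED_KEY):
    """True only if the tag was computed over exactly this message with this key.
    compare_digest avoids leaking how many tag bytes matched through timing."""
    expected = hmac.new(key, envelope["msg"].encode("utf-8"), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, envelope["tag"])


def receive(envelope, key=SHARED_KEY):
    """Receiver-side handling: act on the message only after the tag checks out."""
    if not verify(envelope, key):
        return ("rejected", None)
    return ("accepted", envelope["msg"])


def demo():
    """Run the scenarios the report describes and return what the receiver did with each."""
    original = protect("transfer 100 to account 42")

    # Modification: an intermediary changes the text but, lacking the key,
    # cannot recompute a matching tag, so the old tag no longer verifies.
    modified = dict(original)
    modified["msg"] = "transfer 9999 to account 42"

    # Fabrication: an outsider builds a whole envelope under a guessed key.
    fabricated = protect("transfer 500 to account 99", key=b"attacker-guess")

    return {
        "original": receive(original),
        "modified": receive(modified),
        "fabricated": receive(fabricated),
    }


if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(f"{scenario}: {outcome}")
```

A tag protects integrity and authenticity, not confidentiality: the message text still travels in the clear, so the eavesdropping and traffic-analysis attacks described later need encryption in addition to this check.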
e. Denial of service – a constant danger to web sites. DoS has received increased attention
as it can lead to a severe loss of revenue if a site is taken offline for a substantial amount of time.
f. Sinkhole – a type of attack in which a compromised node attracts network traffic to itself by
advertising a fake routing update.
g. Sybil – this attack involves a malicious node presenting multiple copies of itself. In this way
the number of malicious nodes in the network is increased, and the probability of a successful
attack also increases.
Passive attacks
a. Traffic analysis - here, an attacker tries to sense the communication path between the sender
and receiver. The attacker can find the amount of data that travels along the route between sender
and receiver. Traffic analysis does not modify the data.
b. Eavesdropping - occurs in mobile ad-hoc networks. The main aim of this attack is to find
out secret or confidential information from the communication. This secret information may be
the private or public key of the sender or receiver, or any other secret data.
c. Monitoring - an attack in which the attacker can read the confidential data but cannot edit
or modify it.
Advanced attacks
a. Black hole attack - one of the advanced attacks, in which the attacker uses the routing protocol
to advertise itself as having the best path to the node whose packets it wants to intercept. The
attacker uses the flooding-based protocol to listen for a route request from the initiator, then
creates a reply message claiming it has the shortest path to the receiver. As this message from
the attacker reaches the initiator before the reply from the actual node, the initiator considers
it the shortest path to the receiver. A malicious fake route is thus created.
b. Rushing attack - when the sender sends a packet to the receiver, the attacker alters the packet
and forwards it to the receiver. The attacker then sends duplicates to the receiver again and
again. The receiver assumes that the packets come from the sender, so the receiver is kept busy
continuously.
c. Replay attack – a malicious node may repeat the data or delay it. This is done by an attacker
who intercepts the data and retransmits it. In the process, the attacker can intercept a
password.
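The defining feature of a replay is that the retransmitted message is genuine, so an integrity check alone passes it; the receiver also needs a freshness check. The following is an added example written for this report, not code from the source paper: a sliding-window replay detector of the kind used by IPsec, where each message carries a sequence number and the receiver remembers which recent numbers it has already accepted. It assumes every message has already passed an authenticity check, so the only remaining question is whether it has been seen before. The window size, the sequence numbering and the sample stream are constructed for the example.

```python
class AntiReplayWindow:
    """Sliding-window replay detector in the style of the IPsec anti-replay check.

    Every message carries a sequence number that the sender increments. The
    receiver remembers the highest number accepted and a bitmap of which of the
    preceding window_size numbers it has already seen, so it can accept messages
    that arrive slightly out of order while rejecting any number seen before or
    any number older than the window."""

    def __init__(self, window_size=64):
        self.window_size = window_size
        self.highest = 0        # highest sequence number accepted so far
        self.bitmap = 0         # bit i set means (highest - i) has been accepted

    def check_and_update(self, seq):
        """Return True and record seq if it is fresh; return False for a replay."""
        if seq <= 0:
            return False                          # sequence numbers start at 1
        if seq > self.highest:
            shift = seq - self.highest
            if shift >= self.window_size:
                self.bitmap = 1                   # everything older falls out of the window
            else:
                mask = (1 << self.window_size) - 1
                self.bitmap = ((self.bitmap << shift) | 1) & mask
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= self.window_size:
            return False                          # too old to be told apart from a replay
        if self.bitmap & (1 << offset):
            return False                          # already accepted: this is a replay
        self.bitmap |= 1 << offset                # late but seen for the first time
        return True


def process_stream(messages, window_size=64):
    """Feed (seq, payload) pairs through a window; return (accepted payloads, rejected seqs)."""
    window = AntiReplayWindow(window_size)
    accepted, rejected = [], []
    for seq, payload in messages:
        if window.check_and_update(seq):
            accepted.append(payload)
        else:
            rejected.append(seq)
    return accepted, rejected


# Constructed sample stream: a malicious node retransmits messages 2 and 1.
SAMPLE_STREAM = [
    (1, "login request"),
    (2, "auth token A"),
    (2, "auth token A"),      # replayed copy, arrives immediately
    (3, "data block"),
    (1, "login request"),     # replayed copy, arrives later
    (4, "data block"),
]

if __name__ == "__main__":
    print(process_stream(SAMPLE_STREAM))
```

The window exists because networks reorder packets: a message that arrives a little late but has never been seen is still accepted, while anything older than the window is refused outright, since the receiver can no longer tell a very late original from a replay.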
d. Byzantine attack - a set of intermediate nodes working between the sender and receiver
makes changes such as creating routing loops, sending packets through non-optimal paths or
selectively dropping packets, which results in disruption or degradation of routing services.
e. Location disclosure attack - a malicious node collects information about nodes and about
routes by computing and monitoring the traffic, and may then carry out further attacks on the
network.