Threats and Responses
Lecture 2
Common Threats
Concepts
• Threat: Something that could pose loss to all or part of an asset
• Threat Agent: What carries out the attack
• Exploit: A specific instance where a vulnerability is successfully
compromised.
• Risk: The probability of a threat materializing and causing harm
• Controls: Measures designed to mitigate risks, including physical,
administrative, and technical protections.
• Vulnerability: A weakness in a system that makes it susceptible to an
attack.
• Security Threat: The possibility of a harmful event, such as a
cyberattack, occurring.
Common Threats
The following are a few examples of the kinds of data held by established
organizations that threats target:
• Personal Information
• Medical Records
• Education Records
• Employment and Financial Records
Common Threats
• Threats to Network Services
– Cybercriminals often target network services, such as DNS,
HTTP, and online databases, using various tactics:
– Packet-Sniffing Tools: Used to capture and monitor data
streams over a network.
– Rogue Devices: Devices like unsecured Wi-Fi access points
that compromise network security.
– Packet Forgery (Packet Injection): The creation of
falsified data packets to disrupt legitimate communications.
Impacted Industries and Domains
• Critical Infrastructure:
– Manufacturing
– Energy Production and Distribution
– Electrical Distribution and Smart Grids
– Oil and Gas
• Communication Systems:
– Phone
– Email
– Messaging
• Transportation Systems:
– Air Travel
– Rail
– Over-the-Road
Degrees of harm
– Level of potential damage
– Includes all parts of the system
» Potential data loss
» Loss of privacy
» Inability to use hardware
» Inability to use software
Threat Types
• Man-made
o Strikes, riots, fires, terrorism, hackers, vandals
• Natural
o Tornado, flood, earthquake
• Technical
o Power outage, device failure, loss of a T1 line
Types of threat agents
Employee
• Employees can be the most overlooked, yet most
dangerous threat agent because they have greater access
to information assets than anyone on the outside trying
to break in. Employees are also known as internal
threats.
• Employees can:
o Become disappointed with their employer
o Be bribed by a competitor
o Be an unintentional participant in an attack
Types of threat agents
Spy
• Spies can be employed in corporate espionage
(spying) to obtain information about competitors for
commercial purposes. Spies are typically deployed in
the following scenarios:
• A spy applies for a job with a commercial competitor
and then exploits internal vulnerabilities to steal
information and return it to their client.
• A spy attacks an organization from the outside by
exploiting external vulnerabilities and then returns the
information to their client.
Types of threat agents
Hacker
• In general, a hacker is any threat agent who uses their
technical knowledge to bypass security mechanisms to exploit
a vulnerability to access information. Hacker subcategories
include the following:
• Script kiddies download and run attacks available on the
Internet, but generally are not technically savvy enough to
create their own attacking code or script.
• Cybercriminals usually seek to exploit security vulnerabilities
for some kind of financial reward or revenge.
• Cyber terrorists generally use the Internet to carry out terrorist
activities, such as disrupting network-dependent institutions.
Additional Threat Actors
• Script kiddie
– Little expertise, sophistication, or funding
• Nation state/advanced persistent threat (APT)
o Identify a target and persistently attack until they gain access
o China APT1
o Russia APT 28 (Fancy Bear): Their primary targets include aerospace,
defense, energy, government, media
o Russia APT 29 (Cozy Bear): primary goal is to spy and gather intelligence on
nations and multinational organizations.
• Competitor
Threats To Users
• Identity Theft
– Impersonation by private information
– Methods of stealing information
• Shoulder surfing
• Dumpster diving
• Social engineering
• High-tech methods
Threats To Users
• Loss of privacy
– Personal information is stored electronically
– Purchases are stored in a database
• Data is sold to other companies
– Public records on the Internet
– Internet use is monitored and logged
– None of these techniques are illegal
Cookies
• Cookies are small data files delivered by a web server
and placed on a user's computer during their browsing
session.
• These files store stateful information, allowing web
servers to track and manage user interactions across
web pages.
• Cookies can be used to remember user preferences,
login credentials, and track browsing activities,
including button clicks and pages visited.
• Cookies can also be employed to track user behavior
and history across websites.
Threats to Hardware
• Affect the operation or reliability
• Power-related threats
– Power fluctuations
• Power spikes or brownouts
– Power loss
– Countermeasures
• Surge suppressors
• Uninterruptible power supplies
• Generators
Threats to Hardware
• Theft and vandalism
– Thieves steal the entire computer
– Accidental or intentional damage
– Countermeasures
• Keep the PC in a secure area
• Lock the computer to a desk
• Do not eat near the computer
• Watch equipment
• Chase away loiterers
• Handle equipment with care
Threats to Hardware
• Natural disasters
– Disasters differ by location
– Typically result in total loss
– Disaster planning
• Plan for recovery
• List potential disasters
• Plan for all eventualities
• Practice all plans
Threats to Data
• The most serious threat
– Data is the reason for computers
– Data is very difficult to replace
– Protection is difficult
• Data is intangible
Threats and Attacks
DoS Attack Facts
– Denial of Service (DoS) and Distributed Denial of
Service (DDoS) attacks impact system availability
by flooding the target system with traffic or
requests or by exploiting a system or software
flaw.
– The goal of a DoS attack is to make a service or
device unavailable to respond to legitimate
requests.
– Attackers may choose to overload the CPU, disk
subsystem, memory, or network (most common).
DoS Attack
– In a DoS attack, a single attacker directs an attack against a single target,
sending packets directly to the target.
– In a Distributed DoS (DDoS) attack, multiple PCs attack a victim
simultaneously. DDoS compromises a series of computers by scanning
computers to find vulnerabilities and then capitalizing on the most
vulnerable systems.
– In a DDoS attack:
• The attacker identifies one of the computers as the master (also known as zombie
master or bot herder).
• The master uses zombies/bots (compromised machines) to attack.
• The master directs the zombies to attack the same target.
• The attacker is able to effectively hide their identity by being two hops away from the
victim.
ICMP Attack Description
Ping flood
• A ping flood is a simple DoS attack where the attacker overwhelms the
victim with ICMP Echo Request (ping) packets. In a ping flood:
– The attack succeeds only if the attacker has more bandwidth than the
victim.
– The attacker hopes that the victim will respond with ICMP Echo Reply
packets, thus consuming outgoing bandwidth as well as incoming
bandwidth.
Smurf
• A Smurf attack is a form of DRDoS attack that spoofs the source address in
ICMP packets. A Smurf attack requires an attacker system, an amplification
network, and a victim computer or network.
– The attacker sends ICMP packets to an amplification network or
broadcast address. The packets spoof the source address to be that of
the target.
– The amplification network responds by sending packets to the target
(victim) site.
– The victim receives thousands of replies to packets sent by the attacker.
TCP Attack Description
SYN flood
• The SYN flood exploits the TCP three-way handshake as follows:
– The attacker floods a victim site with SYN packets.
– The victim responds to each SYN packet with a SYN ACK packet.
– The attacker does not respond with the last portion of the
handshake (an ACK packet), leaving the victim waiting for a
response.
– The attacker continues to send the victim SYN frames with a
spoofed address.
– The victim continues to attempt sessions with the attacker,
allocating resources to accommodate each of these inbound
session requests.
LAND
• A LAND attack is one in which the attacker floods the victim's system
with packets that have forged headers. In a LAND attack:
– The packets have the same source and destination address (the
victim's).
– The victim's system has no procedure to deal with these packets.
– The victim's system holds the packets in RAM.
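An added example (not from the lecture) from the defender's side: a small classifier that runs over a constructed packet list and flags the LAND, SYN flood and Smurf patterns described above. The record format, the sample addresses, the SYN threshold and the amplification network are assumptions for the demonstration.

```python
# Added example, not part of the lecture: flag LAND, SYN flood and Smurf
# patterns in a constructed packet capture. Record format and thresholds
# are assumptions chosen for this demo.
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample capture: (src, dst, proto, detail).
# detail is the TCP flag set ("SYN", "SYN-ACK", "ACK") or the ICMP type name.
SAMPLE_PACKETS = (
    # normal three-way handshake from a legitimate client
    [("203.0.113.5", "192.0.2.10", "tcp", "SYN"),
     ("192.0.2.10", "203.0.113.5", "tcp", "SYN-ACK"),
     ("203.0.113.5", "192.0.2.10", "tcp", "ACK")]
    # half-open SYNs from a spoofed source that never completes the handshake
    + [("198.51.100.7", "192.0.2.10", "tcp", "SYN")] * 20
    + [("192.0.2.10", "198.51.100.7", "tcp", "SYN-ACK")] * 20
    # LAND: source and destination are both the victim
    + [("192.0.2.10", "192.0.2.10", "tcp", "SYN")]
    # Smurf trigger: echo request to the directed broadcast, source spoofed
    # to the real target so that every reply lands on it
    + [("192.0.2.10", "10.0.0.255", "icmp", "echo-request")] * 3
)

def find_land_packets(packets):
    """LAND: forged header with identical source and destination address."""
    return [p for p in packets if p[0] == p[1]]

def find_syn_flood_sources(packets, threshold=10):
    """Sources that sent many SYNs but never an ACK (half-open connections)."""
    syns = Counter(p[0] for p in packets if p[2] == "tcp" and p[3] == "SYN")
    acked = {p[0] for p in packets if p[2] == "tcp" and p[3] == "ACK"}
    return {src: n for src, n in syns.items()
            if n >= threshold and src not in acked}

def find_smurf_victims(packets, amplification_net="10.0.0.0/24"):
    """Echo requests aimed at our broadcast address: the source is the target."""
    bcast = ip_network(amplification_net).broadcast_address
    return sorted({p[0] for p in packets
                   if p[2] == "icmp" and p[3] == "echo-request"
                   and ip_address(p[1]) == bcast})

if __name__ == "__main__":
    print("LAND packets:", find_land_packets(SAMPLE_PACKETS))
    print("SYN flood sources:", find_syn_flood_sources(SAMPLE_PACKETS))
    print("Smurf spoofed victims:", find_smurf_victims(SAMPLE_PACKETS))
```

The countermeasures implied by each finding differ: drop LAND packets at the border, enable SYN cookies or shorten half-open timeouts for SYN floods, and disable directed-broadcast forwarding so the network cannot serve as a Smurf amplifier.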
Attack Description
Man-in-the-middle
• A man-in-the-middle attack is used to intercept information passing
between two communication partners. With a man-in-the-middle attack:
– An attacker inserts himself in the communication flow between the
client and server. The client is fooled into authenticating to the attacker.
– Both parties at the endpoints believe they are communicating directly
with the other, while the attacker intercepts and/or modifies the data in
transit. The attacker can then authenticate to the server using the
intercepted credentials.
TCP/IP (session) hijacking
• TCP/IP hijacking is an extension of a man-in-the-middle attack where the
attacker steals an open and active communication session from a
legitimate user.
– The attacker takes over the session and cuts off the original source
device.
– The TCP/IP session state is manipulated so that the attacker is able to
insert alternate packets into the communication stream.
HTTP (session) hijacking
• HTTP (session) hijacking is a real-time attack in which the attacker hijacks a
legitimate user's cookies and uses the cookies to take over the HTTP
session.
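An added example (not from the lecture) tying the Cookies slide to the HTTP session hijacking row above: an audit of Set-Cookie headers for the attributes that limit cookie theft and reuse. The header samples are constructed and the cookie-name markers used to decide which cookies carry a session are assumptions.

```python
# Added example, not part of the lecture: audit Set-Cookie headers so that
# session-bearing cookies are not exposed to sniffing (no Secure), script
# theft (no HttpOnly) or cross-site reuse (no SameSite). Samples are constructed.
from http.cookies import SimpleCookie

# Constructed Set-Cookie header values as a server might emit them
SAMPLE_HEADERS = [
    "sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Strict",
    "legacy_session=xyz789; Path=/",
    "theme=dark; Path=/; SameSite=Lax",
]

def audit_set_cookie(header, session_markers=("session", "sid", "auth")):
    """Return {cookie_name: [missing attributes]} for session-bearing cookies.

    session_markers is an assumption: substrings that mark a cookie as
    carrying a session or authentication token worth hijacking.
    """
    jar = SimpleCookie()
    jar.load(header)
    findings = {}
    for name, morsel in jar.items():
        if not any(m in name.lower() for m in session_markers):
            continue  # preference cookies carry no session; skip them
        missing = []
        if not morsel["secure"]:
            missing.append("Secure")    # else sent over plaintext HTTP, sniffable
        if not morsel["httponly"]:
            missing.append("HttpOnly")  # else readable by injected script
        if morsel["samesite"].lower() not in ("strict", "lax"):
            missing.append("SameSite")  # else attached to cross-site requests
        if missing:
            findings[name] = missing
    return findings

def audit_all(headers):
    """Merge findings across every Set-Cookie header of a response."""
    merged = {}
    for header in headers:
        merged.update(audit_set_cookie(header))
    return merged

if __name__ == "__main__":
    for cookie, missing in audit_all(SAMPLE_HEADERS).items():
        print(f"{cookie}: missing {', '.join(missing)}")
```

These attributes reduce how a session cookie can be stolen; they do not help once it has been, so pairing them with short session lifetimes and re-issuing the session id after login is the usual complement.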
In a replay attack, the attacker uses a protocol analyzer or sniffer to
Vulnerabilities and Countermeasures
Threats Consequence & Actions