Security Threats and Vulnerabilities
Learn about malware, attacks to the network, social engineering attacks from scratch.
Malware can be very problematic that can lock access of files and demand money to pay. It happened to many police office. They had to pay Money to the malware software created to get back the access of the data.
3 Main areas of Malware are:
- Nuisance Adds, Spyware and Marketing
- Remote Access / Keyloggers : Get in to our system and steal password
- Remote Attacks / DDos: Use our machine as a botnet and do remote attack against some 3rd party application
Malware that is installed on an infected machine to
deliver ads. Use Malwarebytes Anti-Malware software to prevent Adware.
Malicious code that
require user interaction to install and replicate.
Malicious software that capture
user activity and reports back. ( keystrokes, web browsing activity etc.)
Seemingly friendly software that contains
hidden malicious software. Normally, it comes from Remote Access Tools (RAT).
Malicious code that install itself at the
OS or Kernel level to avoid detection. They load before OS load while bootup. So anti-virus can not detect it.
Kasper Sky Lab
TDSSKiller it can scan boot sector, services and drivers. It is free.
Software that installs for the purpose of opening ports and installing
additional software. Backdoor can steal passwords. Full access to the system.
Malicious code that
triggers after a period of time based on some
specific activity. Normally in backup files or codes they hide. An employee who wants to destroy company by installing logic bomb that triggers after he gets fired.
Malicious code that infects
large numbers of hosts for the purpose of launching
large scale attacks on
A botnet refers to a group of computers which have been infected by malware and have come under the control of a malicious actor.
Command and Control (C&C) servers can control thousands of bots( zombies ) for massive DDoS attacks.
They can target Military, Google, Amazon, Yahoo etc.
Malicious applications that
scam users into taking some type of
action. Typically paying the creator for removal.
changes on each install to
avoid detection like changing ports, destination IP addresses etc.
Malicious code that is designed to
analysis ( Encryption, obfuscation, additional useless code, etc. )
Types of Attacks to the Network
4 Categories of attacks:
- Denial of Service: DDoS
- Traffic Capture: Sniffers
- Password Crack: Brute force
- DNS & Host File: Website Spoofing
Here is the list of all attacks:
- Smurf Attack: Broad-cast ping request from victim machine to large number of pcs.
- Spoofing: Masquerading as another using their IP address used in DDoS
- Spam: using DDoS attacks spam email server
- Phishing: Email contains malicious links looks like original ebay or amazon.
- Spim: SPAM over instant messaging
- Vishing: Voice Phishing
- Spear Phishing: Targeted & Focused phishing campaign
- Xmas Attack: Scan of a host to determine what type of system it is. NMap initiates Xmas Attack and creates xmas flags.
- NMap software if u give ip address of router then it will give all details of your machine.
- Pharming: Redirecting a website’s traffic somewhere else.
If attacker modify DNS Server to redirect the site to Hacker server. Also called as DNS Poising and ARP Poising
- If attacker modify Client PC to redirect the site to Hacker server.
- DNS Poisoning and ARP Poisoning
- Privilege Escalation: Obtaining elevated privileges
- Malicious Insider Threat: Hard to guard this one. Threats from internal employees. They can do logic bomb etc.
- Transitive Access: Hard to guard this one. Granted by virtue of being granted access to intermediatory component. If A trusts B and B trusts C then A trusts C by nature of transitivity.
- Client-Side attacks: Attack initiated by client machine. Firewall can not guard against this attack. Layered defences can only save us from client-side attacks. Something like WAF web application firewall on the PC and stop this attack.
- Password attacks: Attempting to crack password.
- Brute Force: keep trying the password till you crack.
- Dictionary Attacks: use tools like
Crackto get possible password.
- Hybrid: brute force attack combined with dictionary attack.
- Birthday Attacks: Try all combination of alphanumeric value to get the hash value that match with user’s password hash value.
- Rainbow Tables: Precomputed cryptographic hash that gives you large list of hashes to try.
- Typo Squatting/URL Hijacking: Hackers register domain names with wrong spelling and fool user. Example: Google, Googel, Googgle etc. They just get tons of traffic and they can route them to other site and earn money from them.
- Watering Hole Attack: Attackers plant malware on the Less secure website where user of targeted company frequently go.
Man In Middle
Hacker can use Packet sniffing software (WIRESHARK) to intrude the connection. Get the sender and receiver server information. He can get access to the website as Alice or Bob.
Sniffing the wired network. Capture packet and put them back in the connection in the network. If you don’t get packet on sequence or delay then it is an alert for replay or man in middle attack.
Large scale attack against a target. Botnet is Army of a Zombie
Similar type of attack but on much smaller scale.
DDoS attack from China to USA
Social Engineering Attacks (Important Topic)
- Shoulder surfing: A person sitting side to you and get your pin
- Dumpster diving: Stealing personal info from dustbin
- Hoaxes: An email looks genuine on click install virus.
- Whaling: A fake company that can steal your money
- Vishing: A phone call take your personal/company information.
Reasons for Social Engineering Attacks
- Consensus or Social proof
- Scarcity or Urgency
- Rogue access points: Hacker put their WAP and do malicious activity.
- War Driving
- Bluejacking: Sending vCard to someone’s phone.
- Bluesnarfing: Get data from someone’s phone
- IV attacks: Initialization Vector Attacks. Hackers can easily cracked encryptions WEP 24 bit encryption data.
- Packet Sniffing: Someone can use tools (like WIRESHARK) to read data from the network’s packets. You can look source, destination, protocol, and the actual query, data etc.
- NFC (Near Field Communication): Allow to communicate between 2 phone with 2–3 inch near.
- WPS (Wifi Protected Setup) attack: Router pin is compromised.
- WEP/WPA attacks
- Cross-site scripting (XSS): technique to hijack sessions. Browser will run the malicious code because it was served from the server it trust.
- Cross-site Request Forgery (XSRF)
Hacker can manipulate the header of the packet. Here server will run the malicious code because it trust the client. You can use VPN or SSL/TLS to prevent XSRF attack.
- XSS vs XSRF
- SQL injection
Add malicious sql code into the data stream that is running on SQL server. Throw error to crash app, or get info about tables in SQL.
- LDAP injection
LDAP is used to authenticate users. Pass a malicious LDAP query to the webserver that will execute in LDAP server and return additional data.
Therefore, sanitize the input value coming from client in webserver before executing to protect this attack.
- XML injection
Inject xml query to alter the path or query of resource. Make a $harmless query in the .ini file present in the server.
Fuzzing used by application to detect security holes.
- Directory traversal/command injection
../ to navigate to other directories.
- Buffer overflow
- Integer overflow
- This are the virus that are not yet fixed by antivirus softwares. Zero-day attack can’t be stopped by anti-virus.
Stuxnetattack was using 4 zero-day attack. Google, Microsoft, big private companies, government companies, hackers company they all buy and horde zero-day exploits.
- Cookies and attachments EverCookies don’t delete ever and they track user’s browsing habits.
- LSO (locally shared objects)
Flash Cookies don’t delete ever and they track user’s browsing habits.
- Flash Cookies
- Malicious add-ons
- Session hijacking
- Header manipulation
- Arbitrary code execution/remote code execution
Monitoring and Hardening servers and applications
You want to maintain CIA Triad. Your system is secure, users can access to the data they need and make sure that access is secure.
- Monitoring System Logs
- Event Logs
- Audit Logs
- Security Logs
- Access Logs
- Hardening servers and applications
- Disabling unnecessary services
- Protecting management interfaces and applications
- Password protection
- Disabling unnecessary accounts
- Network Security
- MAC limiting and filtering
- Disabling unused interfaces and unused application service ports
- Rogue machine detection
- Security Posture
- Initial baseline configuration
- Continuos security monitoring
- Detection controls vs Prevention controls
- IDS ( Intrusion Detection Systems ) vs IPS (Intrusion Prevention Systems)
- Camera vs. guard
Defending the perimeter of our network!
Reporting is required to avoid the false alarms.
Detection controls vs Prevention controls
- IDS: Log alerts, events, analyze it is reactive.
- IPS: New platform, enable prevention, automatically shut down the port.
Discovering Security Threats and Vulnerabilities
- Security Assessment Tools
- Risk Assessment Tools
- Assessment Types
- Assessment Techniques
Security Assessment Tools
All of the tools produce lot of results. How to interpreted the data produced by these tools.
- Protocol Analyzer
- Vulnerability Scanner
- Port Scanner
- Passive vs. Active Tools
- Banner Grabbing
It is known as packet sniffer. It can get layer-2,3 information. Capture package you can save it or analyze it.
- Netmon (Microsoft)
Scan entire network, segment of network or specific host.
Honeypots & Honeynets
You create a trap for hacker and let them do their business. Meanwhile you can identify them learn hacker’s techniques, tools etc.
NMap is a port scanner tool, it can search for open ports. There are
65,536 ports available. Common ports are:
- HTTP = 80
- FTP = 21 and 22
- SMTP = 58
- SMTP = 25
- DNS = 53
- SSL = 443
Telnet and Netcat are used to know what services are running on the specific ports. Hacker can crack that specific service or application.
Passive vs. Active Tools
Passive Tools: Don’t interact directly with host, just monitor traffic and see what host is doing. Active Tools: It is visible to the host and admin. Here you interact with host and get info out of the host. ( Honeypots/honeynets, Port scanner, banner grabbing, penetration testing)
Risk Assessment Tools
Threat vs Likelihood. Business owner has to find out the risk of tolerance.
- AV = Asset Value
- EF = Exposure Factor
- ALE ( Annual Loss Expectancy ) : How much monitory loss u can expect in a year.
ALE = SLE x ARO
- SLE ( Single Loss Expectancy ) : How much monitory loss u can expect at anytime.
SLE = AV x EF
- ARO ( Annualized Rate of Occurrence ) : Probability of the server failure during the year.
Example: If your business Annual Loss = 121K , Fixing cost = 500K Would you do fix or bear loss? For Amazon they will fix it because they are obsessed of customer and you care for them and don’t let your business down that will impact your customer.
- Baseline reporting
- Code review
- Determine attack surface
- Review Architecture
- Review Design
Determine attack surface
Attack Surface Reduction (ASR) has the goal of mitigating risk.
Penetration testing vs Vulnerability Scanning
Penetration Testing (Pen Testing): Attacking a computer system with the intention of finding it’s weaknesses and security vulnerability. This is a intrusive test. So business has to sign off for penetration testing. It could bring servers down and business may be impacted.
- Bypass security control
- XSS attacks
- IP or MAC Spoofing : Check switch are only allowing few IP’s.
- MiTM attacks
- Protocol Analyzer or Packet Sniffers
- Actively Test security controls
- This is a intrusive test. So business has to sign off for this test. It could bring servers down and business may be impacted.
- Exploiting Vulnerabilities
- Nessus and Metasploit tool can be used to find missing patches and security misconfigurations.
It is a non-intrusive testing and it does not impact business.
Intrusive vs Non-intrusive Security Testing
Different Types of Testing
- False Positive
- Black Box
- tester has no prior knowledge of network or environment.
- use fuzzing technique
- use injection attack
- White Box
- full knowledge of network or environment
- done by internal employee
- Grey Box
- some knowledge, no access of documents, but they know where to go and test
Things to Remember
- Take Business consent for Vulnerability or Penetrating Testing
- Review company
guidelines and rules of engagement
- Make sure You have skills and background to do Pen testing. This is very expensive test. If you make mistake and did detail testing or deep scan it will shut down network and environment.
Thanks for reading my article till end. I hope you learned something special today. If you enjoyed this article then please share to your friends and if you have suggestions or thoughts to share with me then please write in the comment box.