# Security threats and attacks

- The more valuable information is, the higher the threats and the chances of an attack are.

## Security threats

- 📝 A threat is anything that has the potential to cause damage to the system.

### Types of threats

#### Network threats

- A network is the set of devices that are connected through communication channels, where data exchange happens between devices.
- An attacker may break into the channel and steal the information that is being exchanged.
- E.g.
  - denial of service attacks (DoS)
  - password-based attacks
  - compromised-key attacks
  - firewall and IDS attacks
  - DNS and ARP poisoning
  - man in the middle (MITM) attack
  - spoofing
  - session hijacking
  - information gathering
  - sniffing...

#### Host threats

#### Application threats

- Exploitation of vulnerabilities that exist in the application itself
- Caused by e.g. bad coding practices
  - Rushed programs have mistakes, e.g. lack of validation of input data
  - Can be found through reverse engineering, or trial and error
- Large code bases that are difficult to maintain have more vulnerabilities.
  - Mostly because of improper input validation.
- E.g.
  - SQL injection
  - cross-site scripting
  - session hijacking
  - identity spoofing
  - improper input validation
  - security misconfiguration
  - information disclosure
  - hidden-field manipulation
  - broken session management
  - cryptography attacks
  - buffer overflow attacks
  - phishing

## Security attacks

- Or cyber attack
- Attempt to gain unauthorized access to a system or network.
- Actualization of a threat

### Motives

- Attack = Motive + Vulnerability + Method (exploit)
- The general core of every motive is access to valuable information
- Common motives:
  - Interrupting the flow of business activities and processes
  - Stealing valuable information
  - Data manipulation
  - Stealing money and important financial information
  - Revenge
  - Ransom

### Types of attacks

- You need to find a vulnerability in a system to have an attack
- You can never prove that a system is not vulnerable, but you can prove that it is vulnerable. Or: you can never prove that a system is secure, but you can prove it's insecure.

#### Operating system attacks

- ❗ If the OS is taken over, protecting applications won't matter.
- Vulnerabilities include
  - Bugs (as it's a big codebase)
  - Buffer overflow
  - Unpatched operating systems
    - Can lead to successful exploitation using already known vulnerabilities
    - 🤗 E.g. Microsoft had already patched the EternalBlue vulnerability that the NSA developed before it was leaked to the public. However, many systems still remained unpatched due to users not updating their systems. So the same vulnerability on unpatched systems was still successfully exploited, first by the WannaCry ransomware that compromised hundreds of thousands of computers, and then by the NotPetya malware. [1]
- Attacks include
- 💡 A secure OS is an OS that's updated, monitored, and regulated as frequently as possible.
- See also banner grabbing

#### Misconfiguration attacks

- Hacker gains access to a system that has poorly configured security.
- Can affect networks, databases, web servers, etc.
- E.g.
  - using default accounts (passwords)
  - forgetting an Apache server online configured to allow proxy requests, enabling DDoS attacks
- 💡 Detected mostly by automated scanners

#### Application-level attacks

- Similar to OS attacks but far less damaging as their scope is far narrower.
- Caused by lack of testing as developers rush development of applications and miss something.
- E.g.
  - sensitive information disclosure
  - buffer overflow attack
  - SQL injection
  - cross-site scripting
  - session hijacking
  - denial of service
  - man in the middle
  - phishing
- 🤗 E.g. Transmission torrent client (macOS)

#### Shrink-wrap code attacks

- Attacks on libraries and frameworks that the software depends on.
- Finding vulnerabilities in libraries allows re-using the same exploits on more than a single application
- 💡 Use libraries that are older, more mature, maintained, actively updated and have a proven track record.
- E.g.
  - A bug is fixed in the library but the application uses an older version.
  - The application uses libraries in debug mode or with default configurations.

### Attack vectors

- Attack vector = Means by which hackers deliver a payload to systems and networks
- Cloud computing threats such as data breach and loss.
- IoT threats, usually caused by insecure devices and hardware constraints (battery, memory, CPU etc.)
- Ransomware: Restricts access to your files and requires payment to be granted access
- Mobile threats

#### Advanced Persistent Threats (APT)

- 📝 Stealthy threat actor with continuous attacks targeting a specific entity.
- APT groups include:
- Advanced
  - Uses special malware, often crafted for specific organizations
    - Usually a modified version of common malware used in botnets
  - Sophisticated techniques against the target, not generic ones
- Persistent
  - Long-term presence with external command and control
  - Extracting data
    - Usually low-and-slow to avoid detection
    - E.g. instead of sending big data at once, it breaks the data into chunks and sends each chunk whenever a user is connected to the internet
- Threat
  - Targets high value organizations and information
  - E.g. governments and big companies
  - 🤗 E.g.
- Common steps
  1. Create a breach, e.g. through spear phishing
  2. Exploit inner system vulnerabilities
  3. Control of the system or its segments
  4. Data exfiltration (= unauthorized data transfer)

#### Viruses and worms

- Both can replicate themselves throughout the system in files and documents.
- Have capabilities to infect systems and networks in a short time.
- Virus: Requires user action to be activated, e.g. running a file that has a virus embedded.
- Worm: Can spread independently without any user action, i.e. self-replicating

#### Botnets

- 📝 Used by hackers to control the infected machines, e.g. phones, PCs, IoT
- Hackers perform malicious activities from the machines on which the bots run, e.g. DDoS attacks.
- The main problem is lack of security software or proper updates on devices.
- See also Botnet trojans and Botnets | Denial of Service

#### Insider attacks

- Performed by a person from within the organization who has authorized access.
  - E.g. a disgruntled employee, an employee paid by a third party
- Presents one of the greatest potentials for risk and one of the most difficult attacks to defend against.
- See also Insider attacks | Social engineering types.

##### Insider threat types

- Pure insider: Inside employee with normal access rights
- Elevated pure insider: Insider with elevated access
- Insider associate: Insider with limited authorized access (e.g. guard, cleaning person)
- Insider affiliate: Spouse, friend, or client of an employee that uses the employee's credentials.
- Outsider affiliate: Unknown and untrusted person from outside the organization. Uses an open access channel or stolen credentials to gain unauthorized access.

##### Insider attack countermeasures

- Restricting access
- Logging to know who accessed what at what point in time
- Active monitoring of employees with elevated privileges
- Trying not to have disgruntled employees
- Separation of duties

#### Phishing

#### Web application threats

- Take advantage of poorly written code and lack of proper validation of input and output data.
- E.g. buffer overflows, SQL injections, cross-site scripting
- 💡 There are many online scanning tools to detect those.

#### Information warfare

- Use of information and communication technologies for competitive advantage over an opponent
- Weapons include
  - viruses
  - worms
  - trojan horses
  - logic bombs
  - trap doors
  - nano machines and microbes
  - electronic jamming
  - penetration exploits and tools
- E.g.
  - Corporations spy on each other to use each other's technology secrets and patents
  - Governments spy on other governments by using hackers as proxies to gain information about e.g. defense systems.
  - Intellectual property theft with reverse engineering to create products without investing in R&D
- Categories include:
  - Command and control (C2) warfare: Taking down the command center may protect the headquarters but may interfere with their mobility
  - Intelligence-based warfare: Sensor-based technology to disrupt systems
  - Electronic warfare: Enhance, degrade, or intercept the flow of information
  - Psychological warfare: "Capture their minds and their hearts and souls will follow", e.g. propaganda or terror
  - Hacker warfare: Acquire information about subject A, sell it to subject B.
  - Economic information warfare: Channeling or blocking information to pursue economic dominance
  - Cyber warfare: Use of information systems against virtual personas
- Each category can have:
  - Offensive strategy: Attacks against an opponent, e.g. web application attacks, malware attacks, system hacking...
  - Defensive strategy: Actions taken against attacks, e.g. monitoring, alerts, response, detection, prevention systems
- See also Information Warfare website
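The open-proxy misconfiguration listed under Misconfiguration attacks, as an added example that is not part of the original notes: a small audit over two constructed httpd.conf fragments (hypothetical host name and paths) that flags a forgotten `ProxyRequests On` lacking a restricting `<Proxy>` block, beside the corrected setting.

```python
import re

# Constructed httpd.conf fragments (not from the original notes): the weak setting the
# notes describe, a forgotten "ProxyRequests On" that turns the server into an open
# forward proxy anyone can bounce traffic through, beside the corrected one.
WEAK_CONF = """
ServerName www.example.internal
LoadModule proxy_module modules/mod_proxy.so
ProxyRequests On
ProxyPass /app http://127.0.0.1:8080/
"""

FIXED_CONF = """
ServerName www.example.internal
LoadModule proxy_module modules/mod_proxy.so
ProxyRequests Off
<Proxy "*">
    Require ip 10.0.0.0/8
</Proxy>
ProxyPass /app http://127.0.0.1:8080/
"""


def audit_apache_proxy(conf: str) -> list[str]:
    """Return findings about forward-proxy exposure in an Apache config text."""
    stripped = [ln.strip() for ln in conf.splitlines()]
    lines = [ln for ln in stripped if ln and not ln.startswith("#")]
    forward_proxy_on = any(re.fullmatch(r"ProxyRequests\s+On", ln, re.I) for ln in lines)
    # A <Proxy> container with a real Require rule limits who may use the proxy;
    # "Require all granted" is not a restriction.
    in_proxy_block, restricted = False, False
    for ln in lines:
        if re.match(r"<Proxy\b", ln, re.I):
            in_proxy_block = True
        elif re.match(r"</Proxy>", ln, re.I):
            in_proxy_block = False
        elif in_proxy_block and re.match(r"Require\s+(?!all\s+granted\b)", ln, re.I):
            restricted = True
    findings = []
    if forward_proxy_on and not restricted:
        findings.append("ProxyRequests On with no restricting <Proxy> block: open forward proxy")
    elif forward_proxy_on:
        findings.append("ProxyRequests On: forward proxy enabled, confirm the <Proxy> restriction is intended")
    return findings
```

Reverse proxying through `ProxyPass` does not need `ProxyRequests On`, so the corrected fragment keeps the application reachable while closing the forward proxy.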
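For the shrink-wrap case "a bug is fixed in the library but the application uses an older version", an added example (not the notes' own code) that checks a constructed requirements list (hypothetical library names and versions) against the release each fix landed in, comparing versions numerically rather than as strings.

```python
def parse_version(version: str) -> tuple[int, ...]:
    """Turn '1.10.0' into (1, 10, 0) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def parse_requirements(text: str) -> dict[str, str]:
    """Parse 'name==version' lines (a small requirements.txt subset), ignoring comments."""
    pins = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name, sep, version = line.partition("==")
        if not sep or not version.strip():
            raise ValueError(f"unpinned dependency: {line!r}")
        pins[name.strip().lower()] = version.strip()
    return pins


def find_outdated(pins: dict[str, str], fixed_in: dict[str, str]) -> list[str]:
    """Report pinned libraries older than the release that fixed a known bug."""
    findings = []
    for name, fixed_version in fixed_in.items():
        if name in pins and parse_version(pins[name]) < parse_version(fixed_version):
            findings.append(f"{name}=={pins[name]} is older than fixed release {fixed_version}")
    return findings


# Constructed sample inputs (hypothetical library names, not real advisories).
REQUIREMENTS = """
libfoo==1.4.2   # bug fixed upstream in 1.5.0, application never upgraded
libbar==3.0.0
libbaz==1.10.0  # newer than 1.9.0; a plain string compare would wrongly flag this
"""

FIXED_IN = {"libfoo": "1.5.0", "libbar": "2.8.1", "libbaz": "1.9.0"}


def audit(requirements: str = REQUIREMENTS, fixed_in: dict[str, str] = FIXED_IN) -> list[str]:
    """Run the outdated-library check over the pinned requirements."""
    return find_outdated(parse_requirements(requirements), fixed_in)
```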
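The low-and-slow exfiltration pattern described under Advanced Persistent Threats, seen from the detection side, as an added example that is not from the original notes: constructed outbound flow records and a rule that flags a (source, destination) pair moving a large total only in small chunks spread over days. The thresholds are assumptions to tune per environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def build_sample_flows():
    """Constructed outbound flows (timestamp, internal host, external host, bytes sent)."""
    flows = []
    start = datetime(2024, 3, 1, 9, 0)
    # Host A drips 64 KiB chunks twice a day for 8 days to one external host: 1 MiB total.
    for day in range(8):
        for hour in (9, 17):
            ts = start + timedelta(days=day, hours=hour - 9)
            flows.append((ts, "10.0.0.21", "203.0.113.9", 65536))
    # Host B uploads 50 MiB once: large, but a single burst, not low-and-slow.
    flows.append((start + timedelta(days=2), "10.0.0.33", "198.51.100.7", 50 * 1024 * 1024))
    # Host C talks to a web server a few times within one morning: small and short-lived.
    for i in range(3):
        flows.append((start + timedelta(hours=i), "10.0.0.45", "192.0.2.10", 900))
    return flows


def detect_low_and_slow(flows, min_flows=10, min_days=3, min_total=512 * 1024, max_chunk=128 * 1024):
    """Flag (src, dst) pairs that move a lot of data only in small pieces spread over days.

    Thresholds are assumed starting points, not values from the notes."""
    per_pair = defaultdict(list)
    for ts, src, dst, nbytes in flows:
        per_pair[(src, dst)].append((ts, nbytes))
    alerts = []
    for (src, dst), recs in per_pair.items():
        sizes = [b for _, b in recs]
        times = [t for t, _ in recs]
        span_days = (max(times) - min(times)).days
        # Each chunk alone looks harmless; the aggregate over the long window does not.
        if (len(recs) >= min_flows and span_days >= min_days
                and sum(sizes) >= min_total and max(sizes) <= max_chunk):
            alerts.append({"src": src, "dst": dst, "flows": len(recs),
                           "total_bytes": sum(sizes), "span_days": span_days})
    return alerts
```

A per-flow size threshold would never fire on host A, which is exactly why the aggregation window has to be long.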
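The insider attack countermeasures above (logging, monitoring elevated accounts, restricting access, separation of duties), as an added example that is not from the original notes: checks over a constructed access log with hypothetical users, roles and resources.

```python
from collections import defaultdict

# Constructed access-log events (not from the original notes):
# (timestamp, user, role, action, resource). Roles map to the insider types above:
# "user" = pure insider, "admin" = elevated pure insider, "contractor" = insider associate.
EVENTS = [
    ("2024-03-04T09:01", "alice", "user", "read", "hr/payroll.xlsx"),
    ("2024-03-04T09:30", "bob", "admin", "read", "db/customers"),
    ("2024-03-04T23:45", "bob", "admin", "export", "db/customers"),
    ("2024-03-05T10:00", "carol", "user", "submit", "change/1042"),
    ("2024-03-05T10:05", "carol", "user", "approve", "change/1042"),
    ("2024-03-05T11:00", "dave", "contractor", "read", "lobby/schedule"),
    ("2024-03-05T11:10", "dave", "contractor", "read", "hr/payroll.xlsx"),
]

# Assumed least-privilege policy: resource prefixes each role may touch.
ALLOWED_PREFIXES = {"user": ("hr/", "change/"), "admin": ("db/", "hr/", "change/"),
                    "contractor": ("lobby/",)}


def who_accessed(events, resource):
    """Logging answers 'who accessed what, and when' for a given resource."""
    return [(ts, user, action) for ts, user, _, action, res in events if res == resource]


def separation_of_duties_violations(events):
    """The same person submitting and approving one change defeats separation of duties."""
    actions_by = defaultdict(set)
    for _, user, _, action, res in events:
        if action in ("submit", "approve"):
            actions_by[(user, res)].add(action)
    return sorted(key for key, acts in actions_by.items() if acts == {"submit", "approve"})


def elevated_after_hours(events, start_hour=8, end_hour=19):
    """Active monitoring of elevated accounts: admin actions outside working hours."""
    hour_of = lambda ts: int(ts[11:13])
    return [(ts, user, action, res) for ts, user, role, action, res in events
            if role == "admin" and not (start_hour <= hour_of(ts) < end_hour)]


def out_of_role_access(events, policy=ALLOWED_PREFIXES):
    """Restricting access: events on resources outside the role's allowed prefixes."""
    return [(ts, user, res) for ts, user, role, _, res in events
            if not res.startswith(policy[role])]
```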