Instructor Materials
Chapter 3: Cybersecurity
Threats, Vulnerabilities, and
Attacks
Cybersecurity Essentials v1.0
Presentation_ID © 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential 1
Chapter 3 - Sections & Objectives
3.1 Malware and Malicious Code
Differentiate the types of malware and malicious code.
3.2 Deception
Describe the tactics, techniques and procedures used by
cyber criminals.
Compare the different methods used in social engineering.
3.3 Attacks
Compare different types of cyberattacks.
3.1 Malware and Malicious Code
Malware and Malicious Code
Types of Malware
Cyber criminals target users' end devices through the installation
of malware.
Viruses - A virus is malicious executable code attached to
another executable file, such as a legitimate program. Most
viruses require end-user initiation (running the infected file), and
some lie dormant and activate at a specific time or date.
Worms - Worms are malicious code that replicates by
independently exploiting vulnerabilities in networked systems.
Worms usually slow down networks. Whereas a virus requires a
host program to run, worms run by themselves. Other than the
initial infection, worms no longer require user participation.
Trojan horse - A Trojan horse is malware that carries out
malicious operations under the guise of a desired operation, such
as playing an online game. The malicious code runs with the
privileges of the user who launched it. A Trojan horse differs from
a virus in that it does not attach itself to other executables or
self-replicate; it is a standalone program that the victim is tricked
into running, often disguised as or bundled with a seemingly
harmless file such as an image, audio file, or game.
Malware and Malicious Code
Types of Malware (Cont.)
Logic Bomb - A logic bomb is malicious code that stays inactive
until a trigger condition is met. Triggers can be dates, times,
another program running, or an event such as the deletion of a
user account (a classic insider trigger: the code fires when its
author's own account is removed). Once triggered, the logic
bomb executes its payload and causes harm to the system.
Ransomware - Ransomware holds a computer system, or the
data it contains, captive until the target makes a payment.
Ransomware usually works by encrypting data on the computer
with a key the user does not hold; without the attacker's key or
offline backups, the data cannot be recovered.
Backdoors and Rootkits - A backdoor is a program or code
introduced by a criminal who has compromised a system. It
bypasses the normal authentication used to access the system
so the attacker can return later. A rootkit modifies the operating
system, typically kernel components or system binaries, to hide
the attacker's presence and maintain a backdoor. Attackers then
use the backdoor to access the computer remotely.
Malware and Malicious Code
Email and Browser Attacks
Email is a universal service used by billions worldwide. As
one of the most popular services, email has become a
major attack vector against users and organizations.
Spam - Spam, also known as junk mail, is unsolicited
email. In most cases, spam is a method of advertising.
However, spam can carry harmful links, malware, or
deceptive content.
Spyware - Spyware is software that enables a criminal to
obtain information about a user's computer activities.
Spyware often includes activity trackers, keystroke
collection, and data capture. In an attempt to overcome
security measures, spyware often modifies security
settings.
Malware and Malicious Code
Email and Browser Attacks (Cont.)
Adware - Adware typically displays annoying pop-ups
to generate revenue for its authors. The malware may
analyze user interests by tracking the websites
visited. It can then send pop-up advertising pertinent
to those sites.
Scareware - Scareware persuades the user to take a
specific action based on fear. Scareware forges pop-up
windows that resemble operating system dialog boxes,
typically warning of a fake infection and urging the user to
install "cleanup" software or pay for a fix.
Malware and Malicious Code
Email and Browser Attacks (Cont.)
Phishing - Phishing is a form of fraud. Cyber
criminals use email, instant messaging, or other
social media to try to gather information such as
login credentials or account information by
masquerading as a reputable entity or person.
Phishing occurs when a malicious party sends a
fraudulent message disguised as being from a
legitimate, trusted source. The intent is to trick the
recipient into installing malware on his or her device
or into sharing personal or financial information.
Spear phishing - Spear phishing is a highly
targeted phishing attack. While phishing and spear
phishing both use emails to reach victims, spear
phishing sends customized emails to a specific
person, built from information gathered about that
person beforehand.
Spear phishing is a more advanced form of phishing.
Spear phishing is a specific and targeted attack on one or a
select number of victims, while regular phishing attempts to
scam masses of people.
These are highly personalized cyberattacks that target
specific individuals or companies.
Malware and Malicious Code
Email and Browser Attacks (Cont.)
Vishing - Vishing is phishing using voice
communication technology. Criminals can spoof the
caller ID of calls so they appear to come from legitimate
sources, using voice over IP (VoIP) technology. Victims
may also receive a recorded message that appears
legitimate.
Pharming - Pharming redirects users to an
impersonated copy of a legitimate website, typically by
tampering with name resolution (a poisoned DNS cache
or a modified local hosts file), so that even a correctly
typed address lands on the attacker's page, where users
are deceived into entering their credentials.
Whaling - Whaling is a phishing attack that targets
high-profile targets within an organization, such as
senior executives.
Spam is unsolicited email, instant messages, or social media
messages. These messages are fairly easy to spot and can
be damaging if you open or respond.
Phishing is an email sent from an Internet criminal disguised
as an email from a legitimate, trustworthy source. The
message is meant to lure you into revealing sensitive or
confidential information.
Spear Phishing occurs when criminals obtain information
about you from websites or social networking sites, and
customize a phishing scheme to you.
Spoofing describes a criminal who impersonates another
individual or organization, with the intent to gather personal or
business information.
Pharming redirects users to a malicious website that resembles a
legitimate one, typically by manipulating DNS resolution, in order to
gather usernames and passwords.
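The indicators listed on these slides (a sender that impersonates a trusted brand, a reply address that differs from the sender, urgency language, and a link whose visible text names one site while its target is another) can be checked mechanically. The following is an added example, not part of the Cisco course material; the sample message, the protected domain list, and the indicator names are constructed for illustration, and the addresses use reserved documentation ranges.

```python
"""Heuristic phishing indicators for a single e-mail (added example)."""
import re
from email import message_from_string, policy
from typing import List
from urllib.parse import urlparse

# Domains the organisation wants to protect against lookalikes (assumed list).
PROTECTED_DOMAINS = {"examplebank.example"}

# Common digit-for-letter substitutions seen in lookalike domains.
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s", "7": "t"})

URGENCY_WORDS = ("urgent", "verify", "suspended", "immediately", "within 24 hours")

# Constructed sample message (not a real capture); 198.51.100.0/24 is TEST-NET-2.
SAMPLE_MAIL = """\
From: "Example Bank Security" <alerts@examp1ebank-alerts.example>
Reply-To: collect@mailer.example.net
To: victim@example.org
Subject: Urgent: verify your account within 24 hours
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Dear customer, your account is suspended. Please sign in at
<a href="http://198.51.100.23/login">https://www.examplebank.example/signin</a>
immediately.</p>
</body></html>
"""


def host_of(url: str) -> str:
    """Return the lower-cased host part of a URL, or '' if there is none."""
    return (urlparse(url).hostname or "").lower()


def looks_like_protected(domain: str) -> bool:
    """True if a domain imitates a protected domain via digit/letter swaps."""
    if domain in PROTECTED_DOMAINS:
        return False
    normalised = domain.translate(HOMOGLYPHS).replace("rn", "m")
    return any(p.split(".")[0] in normalised for p in PROTECTED_DOMAINS)


def phishing_indicators(raw_mail: str) -> List[str]:
    """Return the indicator codes found in one RFC 5322 message."""
    msg = message_from_string(raw_mail, policy=policy.default)
    findings = []

    from_domain = msg["From"].addresses[0].domain.lower()
    if msg["Reply-To"]:
        reply_domain = msg["Reply-To"].addresses[0].domain.lower()
        if reply_domain != from_domain:
            findings.append("reply-to-domain-mismatch")

    if looks_like_protected(from_domain):
        findings.append("lookalike-sender-domain")

    subject = (msg["Subject"] or "").lower()
    if any(word in subject for word in URGENCY_WORDS):
        findings.append("urgency-language")

    # Single-part HTML body; multipart handling is out of scope for this example.
    body = msg.get_content() if not msg.is_multipart() else ""
    for m in re.finditer(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', body, re.I | re.S):
        href, text = m.group(1), re.sub(r"\s+", "", m.group(2))
        href_host = host_of(href)
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", href_host):
            findings.append("link-to-raw-ip")
        text_host = host_of(text) if text.startswith(("http://", "https://")) else ""
        if text_host and text_host != href_host:
            findings.append("link-text-host-mismatch")
    return findings


if __name__ == "__main__":
    for code in phishing_indicators(SAMPLE_MAIL):
        print(code)
```

None of these checks is conclusive on its own (legitimate mail from a marketing provider often has a Reply-To mismatch), which is why a mail gateway scores several indicators together rather than blocking on one.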
Malware and Malicious Code
Email and Browser Attacks (Cont.)
SEO Poisoning - Search engines such as Google work by ranking pages and
presenting relevant results based on users’ search queries.
Depending on the relevancy of web site content, it may appear higher or lower in
the search result list. SEO, short for Search Engine Optimization, is a set of
techniques used to improve a website’s ranking by a search engine.
While many legitimate companies specialize in optimizing websites to better
position them, SEO poisoning uses SEO to make a malicious website appear
higher in search results.
Browser Hijacker - A browser hijacker is malware that alters a computer's
browser settings (home page, default search engine, proxy settings) to redirect the
user to websites paid for by the cyber criminals' customers. Browser hijackers usually
install without the user's permission and are often delivered by a drive-by download.
3.2 Deception
Deception
The Art of Deception
Social Engineering - Social engineering is a largely non-technical
means for a criminal to gather information on a target. Social
engineering is an attack that attempts to manipulate individuals
into performing actions or revealing confidential information.
Social engineers often rely on people's willingness to be
helpful but also prey on people's weaknesses. These are
some types of social engineering attacks:
Pretexting - This is when an attacker calls an individual and
lies to them, under an invented pretext, in an attempt to gain
access to privileged data. An example involves an attacker
who pretends to need personal or financial data in order to
"confirm the identity" of the recipient.
Something for Something (Quid pro quo) - This is when an
attacker requests personal information from a party in
exchange for something, like a gift.
Deception
Types of Deception
Shoulder Surfing and Dumpster Diving - Both are non-technical
means of stealing information, including credit card data, from
individuals. Shoulder surfing is observing a victim from close
proximity to pick up PINs, access codes, or credit card numbers
as they are typed or spoken; one example is an employee
discussing confidential business on the phone while a co-worker
sits right next to them. Dumpster diving is digging through
someone's trash for discarded documents, media, or hardware
that still contain sensitive data.
Impersonation and Hoaxes - Impersonation is the action of
pretending to be someone else. For example, a recent phone
scam targeted taxpayers: a criminal posing as an IRS employee
told the victims that they owed money to the IRS. A hoax is a
false warning or claim (for example, about a non-existent virus)
spread to make recipients take a harmful action.
Piggybacking and Tailgating - Piggybacking occurs when a
criminal tags along with an authorized person, with that person's
consent, to gain entry into a secure location or restricted area.
Tailgating is the same physical security breach without consent:
an unauthorized person follows an authorized individual through
a secured entrance before it closes.
3.3 Attacks
Attacks
Types of Cyber Attacks
Denial-of-Service (DoS) Attacks - are a type of network attack. A DoS attack results in
some sort of interruption of network services to users, devices, or applications, usually by
flooding the target with traffic or requests, or by sending malformed input that crashes it.
DoS attacks are a major risk because they can easily interrupt communication and cause
significant loss of time and money. These attacks are relatively simple to conduct, even by
an unskilled attacker.
Sniffing - Sniffing is similar to eavesdropping on someone. It occurs when attackers
capture network traffic as it passes through their NIC (placed in promiscuous mode),
whether or not the traffic is addressed to them. Criminals accomplish network sniffing with
a software application, a hardware device, or a combination of the two.
Spoofing - Spoofing is an impersonation attack, and it takes advantage of a trusted
relationship between two systems. If two systems accept each other's authentication, an
individual logged onto one system might not go through an authentication process again to
access the other, so an attacker who forges the trusted system's identity (its IP or MAC
address, for example) inherits that access.
Attacks
Types of Cyber Attacks
Man-in-the-middle - A man-in-the-middle (MiTM) attack is a type of
cyber attack in which the attacker secretly intercepts and relays
messages between two parties who believe they are communicating
directly with each other. The attack is a type of eavesdropping in which
the attacker intercepts and can read or alter the entire conversation.
Zero Day Attacks - A zero-day attack is a cyberattack vector or technique
that takes advantage of an unknown or unaddressed security flaw in
computer software, hardware, or firmware. "Zero day" refers to the fact
that the software or device vendor has had zero days, or no time, to fix
the flaw, because malicious actors can already use it to gain access to
vulnerable systems.
Keyboard Logging - A keystroke logger (keylogger) records the keystrokes
of the user of the system. Criminals can implement keystroke loggers
through software installed on a computer system or through hardware
physically attached to the computer, such as a device inline with the
keyboard cable.
The criminal configures key logger software to send the log file to the
attacker, for example by email. The keystrokes captured in the log file can
reveal usernames, passwords, websites visited, and other sensitive
information.
Attacks
Wireless and Mobile Attacks
Grayware and SMiShing
Grayware - An application that may not carry any recognizable malware, but
which is nevertheless harmful or annoying to a user.
Common examples of grayware are location trackers, browsing monitors, and
programs that serve unwanted pop-up ads. While not as dangerous as other
malicious software, grayware often leads to system vulnerabilities that create
opportunities for cyber attacks.
As the name suggests, grayware programs sit somewhere between harmful
and harmless software. While malware is specifically designed to cause
damage to a device, this can be, but isn't always, the case for grayware.
SMiShing - SMiShing is short for SMS phishing. It uses Short Message Service
(SMS) to send fake text messages. The criminals trick the user into visiting a
website or calling a phone number. Unsuspecting victims may then provide
sensitive information such as credit card information. Visiting a website might
result in the user unknowingly downloading malware that infects the device.
Attacks
Wireless and Mobile Attacks (Cont.)
Rogue Access Points - A rogue access point is a wireless
access point installed on a secure network without explicit
authorization. A rogue access point can be set up to intercept
the traffic of the users who connect through it, or to give an
outsider a path into the wired network that bypasses the
perimeter controls.
RF Jamming - Wireless signals are susceptible to
electromagnetic interference (EMI), radio-frequency
interference (RFI), and may even be susceptible to lightning
strikes or noise from fluorescent lights. Radio frequency
(RF) jamming deliberately transmits noise on the same
frequency so that the legitimate signal does not reach the
receiver, denying service to the wireless network.
Attacks
Wireless and Mobile Attacks (Cont.)
WEP and WPA Attacks
Wired Equivalent Privacy (WEP) is a security protocol that attempted to provide a
wireless local area network (WLAN) with the same level of security as a wired
LAN. Since physical security measures help to protect a wired LAN, WEP seeks to
provide similar protection for data transmitted over the WLAN with encryption.
WEP encrypts each frame with the RC4 stream cipher, keyed with a static shared key
prefixed by a 24-bit initialization vector (IV). Because the IV space is so small, IVs
repeat on a busy network within hours, and weaknesses in how RC4 is keyed let an
attacker who passively collects enough frames recover the shared key.
There is no provision for key management with WEP, so the number of people
sharing the key will continually grow, and the key is rarely rotated.
Wi-Fi Protected Access (WPA) and then WPA2 came out as improved protocols
to replace WEP. WPA2 does not have the same encryption problems because an
attacker cannot recover the key merely by observing data traffic.
WPA2-Personal (pre-shared key) is still susceptible to attack because cyber
criminals can capture the four-way handshake exchanged between the access
point and a legitimate user.
Cyber criminals use a packet sniffer to record that handshake and then run an
offline dictionary or brute-force attack on the passphrase, so the practical security
of WPA2-PSK depends on the length and unpredictability of the passphrase.
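The two weaknesses described above are different in kind: WEP reuses keystream, so ciphertext alone leaks plaintext, while WPA2-PSK only leaks enough to test passphrase guesses offline. The following added example (not from the Cisco course; the WEP key, frame contents, and word list are constructed) shows both: an RC4/WEP encryption routine, recovery of one frame's plaintext from a second frame that reused the same IV, and the WPA2-Personal key derivation (PBKDF2-HMAC-SHA1 over the SSID, 4096 rounds) driven by a word list. The dictionary attack tests candidates against a known PMK; a real attack expands each candidate PMK to the key-confirmation key and checks the handshake MIC instead, which is the same amount of work per guess.

```python
"""WEP keystream reuse vs. WPA2-PSK offline passphrase guessing (added example)."""
import hashlib
import hmac
from typing import Iterable, Optional


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Generate `length` bytes of RC4 keystream (key scheduling + PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(wep_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP frame body: cleartext 24-bit IV || (RC4(IV || key) XOR plaintext).
    The CRC-32 integrity value is omitted; it adds nothing to this point."""
    if len(iv) != 3:
        raise ValueError("WEP IV is 24 bits")
    keystream = rc4_keystream(iv + wep_key, len(plaintext))
    return iv + bytes(p ^ k for p, k in zip(plaintext, keystream))


def recover_from_iv_reuse(frame_a: bytes, frame_b: bytes, known_plain_a: bytes) -> bytes:
    """Two frames under the same IV share one keystream, so
    C_a XOR C_b = P_a XOR P_b; knowing P_a reveals P_b without the key."""
    if frame_a[:3] != frame_b[:3]:
        raise ValueError("IVs differ; keystreams are independent")
    ct_a, ct_b = frame_a[3:], frame_b[3:]
    n = min(len(known_plain_a), len(ct_b))
    return bytes(ct_a[i] ^ ct_b[i] ^ known_plain_a[i] for i in range(n))


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA2-Personal pairwise master key: PBKDF2-HMAC-SHA1, 4096 rounds, 256 bits."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def offline_dictionary_attack(target_pmk: bytes, ssid: str,
                              wordlist: Iterable[str]) -> Optional[str]:
    """Return the first candidate whose derived PMK matches, else None.
    Each guess costs 4096 HMAC-SHA1 iterations; the SSID acts as the salt,
    so a table precomputed for one SSID is useless against another."""
    for candidate in wordlist:
        if hmac.compare_digest(wpa2_pmk(candidate, ssid), target_pmk):
            return candidate
    return None


if __name__ == "__main__":
    # Constructed 40-bit WEP key and two frames that happen to share an IV.
    key, iv = b"\x0f\x1e\x2d\x3c\x4b", b"\x01\x02\x03"
    frame_a = wep_encrypt(key, iv, b"known-header-001")
    frame_b = wep_encrypt(key, iv, b"secret-message-1")
    print(recover_from_iv_reuse(frame_a, frame_b, b"known-header-001"))

    # Constructed handshake: weak passphrase falls to a tiny word list.
    captured = wpa2_pmk("password", "IEEE")
    print(offline_dictionary_attack(captured, "IEEE", ["letmein", "password", "qwerty"]))
```

The `"password"`/`"IEEE"` pair is the published IEEE 802.11i test vector, so the derivation can be checked against the standard; everything else in the block is constructed.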
Attacks
Wireless and Mobile Attacks (Cont.)
Defending Against Wireless and Mobile Device Attacks
There are several steps to take to defend against wireless and mobile device
attacks.
Most WLAN products ship with default settings. Take advantage of the basic wireless
security features such as authentication and encryption by changing the default
configuration settings.
Restrict access point placement within the network by placing these devices
outside the firewall or within a demilitarized zone (DMZ) which contains other
untrusted devices such as email and web servers.
Internet security tips to help you protect your wireless network:
Avoid using the default password.
Don't let your wireless device announce its presence (disable SSID broadcast; note
that this hides the network only from casual users, not from an attacker with a sniffer).
Change your device's SSID name.
Encrypt your data.
Protect against malware and Internet attacks.
Attacks
Application Attacks
Cross-site scripting (XSS) - is a vulnerability found in web applications. XSS
allows criminals to inject scripts into the web pages viewed by users. This script
can contain malicious code that runs in the victim's browser with the victim's session.
Cross-site scripting has three participants: the criminal, the victim, and the website.
The cyber-criminal does not target the victim directly. The criminal exploits a
vulnerability within a website or web application, typically untrusted input that is
written into a page without being escaped, and so injects client-side scripts into web
pages viewed by users, the victims.
Code Injection Attacks - One way to store data at a website is to use a
database. There are several different types of databases, such as a Structured
Query Language (SQL) database or an Extensible Markup Language (XML)
database. Both XML and SQL injection attacks exploit weaknesses in the program,
such as building a query by concatenating unvalidated user input into it, so that
the attacker's input is interpreted as query syntax rather than as data.
Buffer Overflow -
Buffers are memory storage regions that temporarily hold data while it is being
transferred from one location to another.
A buffer overflow (or buffer overrun) occurs when the volume of data written exceeds
the storage capacity of the memory buffer. As a result, the program attempting to write
the data to the buffer overwrites adjacent memory locations, which can corrupt data,
crash the program, or let the attacker redirect execution.
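The SQL injection and XSS items above share one root cause: untrusted input is mixed into a string that another interpreter (the database, the browser) then parses. The following added example, which is not part of the Cisco material and uses a constructed in-memory user table with placeholder hashes, puts the vulnerable form of each beside its hardened form so the difference in behaviour can be run rather than described.

```python
"""SQL injection and XSS: vulnerable code beside its hardened form (added example)."""
import html
import re
import sqlite3
from typing import List

# Allow-list for usernames; anything outside it is rejected before it reaches SQL.
USERNAME_RE = re.compile(r"^[a-z0-9_]{1,32}$")


def make_db() -> sqlite3.Connection:
    """In-memory database with constructed sample users (hashes are placeholders)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)",
                    [("alice", "hash-alice"), ("bob", "hash-bob")])
    return con


def login_vulnerable(con: sqlite3.Connection, username: str, password_hash: str) -> List[str]:
    """Builds the query by concatenation: the user's input becomes SQL syntax.
    A username of  ' OR 1=1 --  turns the WHERE clause into a tautology and
    comments out the password check."""
    query = ("SELECT username FROM users WHERE username = '" + username +
             "' AND password_hash = '" + password_hash + "'")
    return sorted(row[0] for row in con.execute(query))


def login_safe(con: sqlite3.Connection, username: str, password_hash: str) -> List[str]:
    """Allow-list validation plus a parameterised query: the driver sends the
    values as data, so quotes and comment markers have no SQL meaning."""
    if not USERNAME_RE.match(username):
        return []
    rows = con.execute(
        "SELECT username FROM users WHERE username = ? AND password_hash = ?",
        (username, password_hash))
    return sorted(row[0] for row in rows)


def greet_vulnerable(display_name: str) -> str:
    """Reflects input into HTML unescaped: a reflected XSS sink."""
    return "<p>Hello, " + display_name + "!</p>"


def greet_safe(display_name: str) -> str:
    """HTML-escapes the input so <, >, &, and quotes render as text in this
    element-body context instead of being parsed as markup."""
    return "<p>Hello, " + html.escape(display_name, quote=True) + "!</p>"


if __name__ == "__main__":
    db = make_db()
    payload = "' OR 1=1 --"
    print("vulnerable:", login_vulnerable(db, payload, "wrong"))   # every user
    print("safe:      ", login_safe(db, payload, "wrong"))         # nobody
    xss = "<script>alert(document.cookie)</script>"
    print(greet_vulnerable(xss))
    print(greet_safe(xss))
```

The escaping in `greet_safe` is correct only for text inside an element body; input placed into an attribute, a URL, or a script block needs the encoding rule for that context, which is why templating engines escape automatically per context rather than leaving it to each call site.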
Attacks
Application Attacks
Remote Code Execution vulnerabilities allow a cybercriminal to execute
malicious code and take control of a system with the privileges of the user running
the application. Remote code execution allows a criminal to execute any command
on a target machine.
ActiveX Controls and Java controls provide the capability of a plugin to Internet
Explorer.
ActiveX controls are pieces of software installed by users to provide extended
capabilities. Third parties write some ActiveX controls, and they may be
malicious. They can monitor browsing habits, install malware, or log keystrokes.
ActiveX controls also work in other Microsoft applications.
Java operates through an interpreter, the Java Virtual Machine (JVM). The JVM
enables the Java program's functionality. The JVM sandboxes or isolates
untrusted code from the rest of the operating system. There are vulnerabilities
which allow untrusted code to go around the restrictions imposed by the
sandbox.
Both are legacy technologies: modern browsers no longer load ActiveX controls or
Java applets, but the same risk applies to any browser extension or plugin that
runs with the user's privileges.
Attacks
Application Attacks
Defending Against Application Attacks
The first line of defense against an application attack is to write solid code.
Regardless of the language used, or the source of outside input, prudent
programming practice is to treat all input from outside a function as hostile.
Validate all inputs as if they were hostile, and pass data to interpreters (SQL,
HTML, the shell) through mechanisms that keep data separate from code.
Keep all software, including operating systems and applications, up to date, and
do not ignore update prompts.
Not all programs update automatically, so at the very least, always select the
manual update option.
3.4 Chapter Summary
Chapter Summary
Summary
Threats, vulnerabilities, and attacks are the central focus of cybersecurity
specialists.
This chapter discussed the various cybersecurity attacks that cyber criminals
launch.
The chapter explained the threat of malware and malicious code.
The chapter discussed the types of deception involved with social engineering.
The chapter explained the types of attacks that both wired and wireless
networks experience.
Finally, the chapter discussed the vulnerabilities presented by application attacks.
Understanding the types of possible threats allows an organization to identify the
vulnerabilities that make it a target. The organization can then learn how to defend
itself against cybersecurity trickery and maneuvering.