Critical Knowledge ™

SUMMARY NOTES

UNIT 2:
THREATS & ATTACKS
2.1 CIA, Risk and Threats

CIA Triad

• Confidentiality – Keeping secret things secret, limiting access to information,

maintaining privacy
• Integrity – Ensuring data doesn’t change in unexpected ways, preventing
unauthorized users from manipulating data
• Availability – Ensuring resources are available when needed; access ≠ availability

Threats Overview

• Risk Cycle

Assets

Safeguards Threats

Risk Vulnerabilities

Exposure

• As a security practitioner, the best way you can protect your organization is to focus
on vulnerabilities

Threat Actors and Vectors

Threat Actors – Who is behind cyberattacks?

 • Nation State Actors – most sophisticated, government sponsored, have access to
vast resources

• Cyber Criminals – financially motivated, sophisticated, seeking PII and access to

financial accounts

• Competitors – financially motivated, seeking competitive advantage and trade

secrets

• Hacktivists – response to perceived injustice, vigilantism, focused on political action

• Script Kiddies – novice hackers, use hackers’ sophisticated code, can cause damage

• Insider Threats – unique threat, within organization, recruited by nation states and
competitors

Zero-Day Vulnerability Overview

Zero-Day – previously unknown vulnerabilities that are still “in the wild” and operate in new,
unique ways

• Unaddressed vulnerabilities mean unaddressed risk

• Have long detection times (according to Symantec, an average of 312 days to
discovery)
• Few opportunities to prevent or detect these attacks
• Zero-day detection technologies (expensive) can help mitigate risk

Spectre/Meltdown

• Long-term existing flaws created security vulnerabilities on certain Intel processors

which allowed attackers to gain kernel access
• Gave unauthorized access to program data, including passwords, emails, and text
files
• This vulnerability was unaddressed for decades

Sony Pictures Data Breach of 2014

• Combination of social engineering and a zero-day exploit

2.2 Social Engineering

Social Engineering Overview

• Focuses on human weakness, designed to manipulate people to give out sensitive

information
• Reasons for effectiveness:
o Authority – an attacker pretends to be a superior requesting information
o Trust – building trust over time, impersonating a trusted person
o Urgency – requests an immediate response for action

Phishing Attacks

• Phishing is the most common (and effective) form of social engineering with many
variations;
o Phishing – mass emails designed to mimic legitimate sources (e.g.
password reset requests, HR requests, accounting information, etc.)
o Spear-Phishing – custom phishing attacks tailored to high-powered
targets (e.g. the Podesta email leaks)
o Whaling – phishing that targets upper management/C-suite executives
o Vishing – phone- or voice/VoIP-based phishing
o Smishing – SMS/text-based phishing campaigns

Social Engineering Techniques

• Social manipulation is used to gain physical access or to acquire sensitive or

personally indefinable information (PII)

o Tailgating – following a person to gain unauthorized access (e.g. asking

someone to open a door to a restricted area)
o Shoulder surfing – looking over someone’s shoulder to see their screen
o Dumpster diving – finding sensitive information in corporate garbage

Social Engineering Countermeasures

• Countermeasures:
o Mantraps prevent tailgating
o Screen protectors prevent shoulder surfing
o Secure shredding prevents dumpster diving
o Educating employees on known attack methods helps prevent all forms of
social engineering
2.3 DoS Attacks

DoS Attack Overview

DoS – Denial of Service attack

• Designed to force resources and victims offline by overloading servers with traffic,
disrupting services, or preventing normal online operations
• Does not attempt to steal or manipulate data
• Harms availability
• Attack source is a single machine

DDoS – Distributed Denial of Service attack

• Similar to a DoS attack, but uses multiple machines or “botnets” to flood a target
resource with traffic
• Botnets are robotic networks of infected machines that an attacker controls via a
Command and Control (C&C or C2) server
• Self-propagating malware turns the victim’s machine into a tool (bot) to launch
attacks without the user’s knowledge

TCP and UDP Overview

TCP – Operates at the Transport Layer

• Connection oriented
• Reliable, allows for retransmission
• Ensures against packet loss
• Commonly used for email (SMTP) or file transfer (FTP)
• Slower than UDP

UDP – Operates at the Transport Layer

• Connectionless
• Unreliable, doesn’t allow for retransmission
• Cannot ensure against packet loss
• Commonly used for broadcast (one → many) media streaming and voice streaming
• Faster than TCP

TCP Three-Way-Handshake

The three-way handshake is what makes TCP reliable. The final step, ACK, means
guaranteed packet delivery.

• Step One (SYN) – the initiating computer sends a packet with the SYN flag, indicating
the desire to create a connection (“Hey, do you want to talk?”)
• Step Two (SYN/ACK) – the receiving host acknowledges receiving the packet and
responds, indicating a willingness to create a connection by sending back a packet
with both the SYN and ACK flags (“I got your message, yes I want to talk!”)
 • Step Three (ACK) – the original host acknowledges the connection process is
complete by sending a final packet with the ACK flag set (“OK, I got your message,
let’s talk!”)
• The application only begins to transfer data after the handshake is complete

SYN Flood Attack

A type of denial-of-service (DoS) attack in which an attacker sends a succession of SYN

requests to a system to consume enough server resources to offline the system

• A malicious client spoofs the source IP address in the SYN, causing the server to send
the SYN-ACK to a falsified IP address
• The ACK is never received because the false IP "thinks" that it never sent a SYN
• The connections are now “half-open” and gradually consume more server resources
• This eventually renders the server unresponsive, preventing legitimate access

Countermeasures

• Filtering traffic
• Reducing the SYN-RECEIVED timer
• Recycling the oldest half-open TCP connection
• Enabling SYN cache and SYN cookies
• Configuring firewalls and proxies

Smurf and Fraggle Attacks

Internet Control Messaging Protocol (ICMP) – Used for network troubleshooting,

determining error messages, and evaluating overall network health. PING and TRACEROUTE
are common tools used within this protocol

Ping – software utility used to test the reachability of a host on a network

• Ping measures the round-trip time for messages sent from the host to a destination
computer that are “echoed” back to the source
• Echo request packets are sent to the target host and wait for an ICMP echo reply
• The utility reports errors, packet loss, and a statistical summary of the results

ICMP Broadcast Address – IP address that forwards a copy of the message to all hosts on
the network

Smurf Attack

• Type of DoS attack that sends large numbers of ICMP echo requests to an ICMP
broadcast address
• This request gets forwarded to all hosts on the network
• The attacker then spoofs the victim’s source IP
• The hosts then respond with an echo reply
• These replies, or "echoes," are then sent back to the spoofed source IP (setting up an
infinite loop), flooding the victim’s computer with traffic and eventually offlining it

Fraggle Attack
 • Fraggle attacks work exactly the same as smurf attacks, but exploit the UDP protocol
rather than the ICMP protocol

Countermeasures

• Make sure to block directed broadcast traffic coming into the network
• Configure hosts and routers not to respond to ICMP echo requests

MTU – Maximum Transmission Unit – largest single data packet that can be communicated
in a single network layer transaction

Fragmentation – fragmentation is used when data packets must be broken down into
smaller pieces to accommodate the MTU

Teardrop Attack

A type of DoS attack in which an attacker sends fragmented packets to a target machine

• The attacker exploits the fragment offset field in the IP header to produce corrupted
fragments which are then delivered to the target machine
• The target machine cannot reassemble these packets
• The packets overlap one another, eventually crashing the target

Countermeasures

• Modern networking devices (routers or secure proxies) can be employed to inspect

incoming packets for violations of fragmentation rules

Buffer Overflow Attack

Takes advantage of a coding error where a program. While writing data to a buffer, overruns
the buffer's boundary and overwrites adjacent memory locations. This can be exploited to
alter the execution path of the application. The resulting malicious extra data contains code
used to gain unauthorized access.

• Buffer – An allocation in memory designed to hold a finite amount of data in memory

• Buffer Overflow – occurs when executing code requires more memory than is
allocated by the buffer. By exceeding the buffer limit, malicious code can be
executed.

Example – Morris Worm

• One of the earliest computer worms distributed via the internet (1988)
• It was the first felony conviction in the United States under the 1986 Computer Fraud
and Abuse Act
• It functioned by exploiting known vulnerabilities in Unix sendmail, finger, and
rsh/rexec, as well as weak passwords

DNS/NTP Amplification Attacks

DNS – DDoS attack that leverages open DNS resolvers to overwhelm a target with an
amplified amount of traffic

• Attacker sends UDP packets with spoofed IP addresses to a DNS recursor. The
spoofed address on the packets points to the real IP address of the victim.
• The UDP packets make a request to a DNS resolver using an “ANY” query in order to
receive a large response
• After receiving the requests, the DNS resolver sends a large response to the spoofed
IP address.
• The IP address of the target receives the response and becomes overwhelmed with
traffic, resulting in a denial of service.

NTP (Network Time Protocol) – exploits an NTP server to overwhelm a targeted server with
an amplified amount of UDP traffic

• The attacker uses a botnet to send UDP packets with spoofed IP addresses to a NTP
server that has its “monlist” command enabled (command used to monitor which
hosts have connected).
• The spoofed IP address on the packets points to the real IP address of the victim.
• Each UDP packet makes a request to the NTP server using its monlist command,
resulting in a large response.
• The server then responds to the spoofed address with the resulting data – a very
large amount of packets.
• The IP address of the target receives the response and becomes overwhelmed with
traffic, resulting in a denial-of-service.

DDoS Attacks – Famous example is the Mirai malware attack on DNS infrastructure in 2016

• Mirai infection on Dyn servers (major DNS service provider) brought down major
websites like GitHub, Twitter, Reddit, Netflix, and Airbnb
• Mirai targeted consumer IoT devices, like IP cameras and home routers
• Connected via ports 22 and 23 (Telnet)
• Used a dictionary attack (password guessing)
 • After infection, Mirai would kill Telnet, SSH, and HTTP processes, preventing
legitimate users from accessing to the device
• Infected devices were used to launch various DDoS attacks such as SYN floods, HTTP
floods, and GRE floods

DoS/DDoS Attack Countermeasures Summary

• General DoS/DDoS – use filtering to verify source IP address

• Smurf/Fraggle – Disable directed broadcast and block ICMP at the firewall level
• Teardrop – update older systems, employ security devices to automatically drop
malformed packets
• NTP Amplification – disable monlist requests
• DNS Amplification – correct server configuration to ignore ANY queries
• Buffer Overflow – practice secure coding, use vulnerability scanning tools, strive to
use coding languages that do not require direct access to memory, include canary
words to protect direct memory
• SYN Flood – use a flood guard, often used on routers and firewalls that drops
connections from dangerous (half-open) traffic patterns
2.4 Spoofing Attacks

Spoofing Overview and IP Spoofing

Spoofing – unauthorized access using a false identity

• Methods – IP, MAC address, credentials, SSIDs, email

• Types – IP spoofing, DNS spoofing, ARP spoofing

Internet Protocol (IP) Overview

• Uses TCP/IP protocol, packet headers provide crucial information

• Two versions: IPv4 and IPv6
• Vulnerabilities – Authentication is limited to IP, IP host, and MAC address; header
fields can be forged

IP Spoofing

IP Spoofing – Falsifies the source address to bypass firewalls, gather sensitive information,
and stage further attacks

• Can be used to craft MITM, session hijacking, and DoS attacks

• Security Risks – bypasses authentication mechanisms
• Countermeasures – Use packet filtering, drop packets with source mismatch,
eliminate trust relationships, implement IPv6, implement IPSec, use encryption, and
monitor network traffic

DNS Spoofing

DNS Spoofing – Intercepts a legitimate DNS request by spoofing a DNS server’s IP address

• Security Risks – DNS protocol was not designed to be secure, only resolves domain
names to IP addresses, and lacks encryption
• Spoofed DNS servers are used to intercept traffic while still resolving the address,
leaving the victim unaware of the threat
o This type of attack is often employed to steal data
• Cache Poisoning – replacing the DNS cache with incorrect mapping,
o Attacker responds to DNS query with fake IP address
o Fake address redirects the target to a malicious site, then forwards the query
to a legitimate site

Spoofing Countermeasures

• Resolve DNS queries to local servers

• Block DNS requests to external servers
• Implement DNSSEC
• Use solutions such as DNS firewall, passive DNS, and IDS/IPS software such as
SNORT
• Set short TTL (allows for cache clearing and detects spoofing attempts), and clear all
local machines and network settings
2.5 Injection Attacks
Injection Attack Overview

• Most users interact with databases through web applications

• Attackers inject malicious code or script to gain access to backend databases
• The most common attack locations are input fields, such as URLs or web forms
• Malicious inputs are passed by the web application to the backend database
• Attacker bypasses authentication to steal or modify data

Open Web Application Security Project (OWASP)

A non-profit organization that publishes research and guidelines for web application
security

• Publishes Top Ten list of application security risks

• Injection attacks routinely make the list

Cross-Site Scripting (XSS) Attacks

An injection attack where malicious scripts are injected into trusted websites

• XSS attacks occur when an attacker uses a web application to send malicious code,
usually a browser-side script, to an unsuspecting end user
• XSS script can access sensitive information, such as session cookies and tokens
• XSS script can also deface websites and redirect users to malicious sites
• Top 10 OWASP attack, very common security vulnerability

XSS Types

• Reflected Input – occurs when custom script (such as HTML) can be run in a standard
input field (name, address, etc.) to execute malicious code
o Non-persistent (not saved on the server)
o Web application passes malicious input to backend/client
• Persistent Input – occurs when the data provided by the attacker is saved by the
server, and then permanently displayed on "normal" pages
o More dangerous than reflected input and can do more damage

Example – In 2018, British Airways lost the personal information of 380,000 customers,
including credit card payment information, via a XSS attack

• Attack injected malicious script into online payment forms in vulnerable web apps
• Worked similar to a credit card skimmer
• Once the customer clicked the “submission” button, the captured information was
forwarded to the attacker’s server

Email Header Injection Attack

• Also known as an SMTP injection

• Common injection attack that occurs in email headers
 • Attackers abuse input fields by spoofing email addresses (source or destination)
• This can then be used to pass on bad information or redirect field input information
to a site that the attacker controls

LDAP Injection Attack

• Lightweight Directory Access Protocol (LDAP) – queries a central repository of

authentication information, and is used to store authentication information across
multiple devices (used as part of SSO)
• LDAP attack finds sensitive user information and/or modifies information in the
LDAP data stores
• Malicious LDAP queries are used to escalate privileges, bypass authentication, or
steal sensitive user data

SQL Injection Attack

• Malicious input that allows attacker to manipulate SQL database

• Allows attacker to bypass authentication, modify data, and drop database tables
• By creating true conditions in fields, authentication can be bypassed

Injection Attack Countermeasures

Input Validation

• Blacklisting – block known risky characters

• Whitelisting – only allow certain kinds of characters/inputs
• Data Sanitization – takes input as plaintext, meaning raw data is never read as
code/commands

Error Handling

• Keep error information generic to avoid giving specific information to attackers

Permissions

• Implement principle of least privilege and limit access of web applications to prevent
escalation of privileges
2.6 Session Hijacking
Session Hijacking Overview

• Exploitation of a valid session to bypass authentication

• Session ID – unique identifier assigned for each session
• Hijacking can occur at both the network level and application level

Process

• Attacker takes over valid session

• Attacker establishes a separate session
• Web server continues communication with attacker

Security Risks

• Hijacked sessions can be used to launch other attacks

• Spoofing / Theft of sensitive information

Methods

• Physical Access – stealing files with session ID info

• Guessing – looking for session IDs
• Brute force – most resource-intensive way to guess session IDs
• Interception – tricking the victim into thinking the attacker is the real server
• Cookies – using existing web cookies to access a web session (user has not properly
disconnected)
Active vs Passive

• Active – Tearing down the connection while in progress

o Attacker interacts with victim or target
o Man in the middle (MiTM) is a classic example
• Passive – Use of sniffers
o Attacker does not interact with victim or target
o Eavesdrops to steal info that is used to create a later session

Application Level

• Exploits HTTP user sessions, new unauthorized sessions, web application

vulnerabilities
• Types of Attacks – sniffing, prediction, session fixation

Network Level

• Captures TCP/UDP session packets, no need for session modification, focused on

protocol and data flow
• Types of Attacks – TCP/IP hijacking, UDP hijacking

o TCP/IP – Victim sends data packet > server responds with SEQ# and ACK# >
Attacker predicts SEQ# and connects with server
 o UDP – Victim sends UDP request > server sends UDP response > attacker
forges a reply to the victim (MITM type; simpler attack than TCP/IP)
MiTM Attack

• An attacker positions himself between a user and an application, either to eavesdrop

or to impersonate one of the parties
• Versatile, simple, and often used as a precursor to more sophisticated attacks

Process

• Communication between A&B

• Attack inserts between communication
• Breaks session between A&B and creates two sessions
• Attacker intercepts all traffic between A&B

Methods

• ARP poisoning
• Exploitation of vulnerabilities in various protocols: ICMP, DNS, DHCP, SSL, and
wireless
• MiTM attacks can be used for spoofing, altering data, hijacking, or eavesdropping
• Often part of more complex attacks used to steal sensitive information or conduct
illicit transfers

Countermeasures

• Encryption and authentication

Sequence Number Guessing

• Predicts the sequence number that identifies the packets in a TCP connection, which
can be used to counterfeit packets

Process

• User connects with server

• Attacker sniffs the session
• Attacker predicts SEQ#
• Attacker then injects commands into the session and floods the target
• Intercepting valid user and desynchronizing the session
• Server continues communicating with the attacker

Countermeasures

• Proper router / firewall configuration

• Drop or block packets that originate from outside the network

ARP Overview

Address Resolution Protocol

 • Used to map IP addresses (logical) of machines to their MAC addresses (physical)
• ARP cache – Lists the ARP entries saved to the device
• Allows network devices to discover each other
• Works with DNS to allow interoperability

ARP Poisoning Attack

• A technique by which an attacker sends (spoofed) ARP messages onto a local area
network
• ARP spoofing and ARP poisoning are two parts of a single attack
• ARP spoofing – forging ARP packets to link an attacker’s MAC address with the IP
address of a legitimate computer or server on the network

o ARP request for MAC address is sent

o Real response is sent
o Attacker sends forged ARP response packet with attacker’s MAC address
o Forged ARP response is received
• ARP Poisoning
o Attacker crafts forged ARP responses
o Attacker floods target device (switch) with forged packets
o Switch’s ARP table is overwritten with the attacker’s MAC address
o Once ARP table is flooded, switch is set to forwarding mode
o Attacker can now intercept all ARP data

Cross-Site Request Forgery (CSRF) Attack

• Forces user to execute unwanted actions on a web application in which they’re

authenticated
• CSRF attacks focus on website data stored in user’s browser

Process

• User logs into a trusted site (i.e. bank)

• Session cookie is stored
• Attacker creates malicious website
• Malicious code is saved
• “Valid request” (controlled by attacker) is sent to trusted site (bank)
• Transfer of funds is complete

Countermeasures

• Identify code vulnerabilities – session cookies, unique identifiers, business logic,

HTTP request validation
• Assure that each form or link contains a unique ID, authenticate each unique ID, and
force termination

Session Hijacking Countermeasures

Detection Methods

• Manual – packet analysis, identifying suspicious or abnormal traffic

 • Automatic – IDS (intrusion detection system) and IPS (intrusion prevention system)

Encryption

• Use SSH and HTTPS

• Encrypt data in transit (especially proprietary or sensitive data)
• Use long and random session keys

Authentication

• Implement strong authentication (e.g. Kerberos)

• Generate session ID after authentication
• RE-AUTHENTICATE
• Set a logout time

Operations

• Update and patch all devices

• Configure gateway devices to prevent spoofing and use IPS / IDS
• Do not use vulnerable network devices such as hubs

Judgment

• Properly train staff to avoid human error

2.7 Malware Types

Malware Overview

Malware – malicious software installed with or without the user’s knowledge, used to cause
damage, bypass authentication, and steal assets

• Logic Bombs – malicious code hidden in programs that execute when certain
conditions are met (e.g. Sony BMG CD malware)
o Often installed by insiders

• Backdoor – a method to gain accessing via bypassing authentication and normal

security procedures
o Backdoors can be installed for legitimate reasons by programmers to conduct
maintenance/debugging or to accelerate workflows
o Backdoors allow for administrative privileges with no authentication

Virus Overview

Virus – malicious code that attaches itself to legitimate applications to cause harm; spreads
through user actions

Virus Types

• Master Boot Record – instructs host machine to boot virus before OS, which targets
executables
• Multipartite – 1+ propagation techniques
• Stealth – Intercepts requests
• Polymorphic – Code mutates but algorithm remains the same
• Encrypted – new key for each file, antivirus scanners cannot detect
• Cluster – modifies directory table, points users to virus code instead of normal
programs
• Metamorphic – similar to polymorphic virus, but virus rewrites itself completely
• Cavity – overwrites the host file while maintaining original file size

Trojan Overview

Trojans

• Malware that is often disguised as legitimate software

• Used to gain unauthorized access, delete/replace critical files, disable firewalls,
generate fake traffic, create backdoors, etc.
• Requires human interaction to propagate

Trojan Types

• Command Shell – remote control of CS

• Defacement – view, edit, replace images
• Botnet – used to create and propagate bots
 • FTP – opens FTP ports
• Remote Access – controls GUI access
• E-banking – most commonly used by criminals to intercept account info
• Destructive – used to format drives and make OS inoperable
• Mobile – targets mobile devices, often used as part of botnets
• IoT – often used for botnets to carry out DDoS attacks
• Security Software Disabler – used to disable firewalls, antivirus, etc.

Worms Overview

• Standalone malware that replicates itself in order to spread to other computers

• Worms differ from viruses in that they do not require human interaction to propagate
• Worms are designed purely for destructive purposes, i.e. payload damage
• Take advantage of transport systems to replicate and spread

Stuxnet case study

• Alleged joint US/Israeli cyberweapon discovered in 2010

• Targeted SCADA systems and PLCs used to control industrial machinery
• Destroyed centrifuges at the Natanz nuclear facility in Iran
• Spread initially via infected USB (to clear airgapped facilities)
• Upon finding vulnerable PLCs, Stuxnet would automatically update itself
• After infecting host PLCs, Stuxnet would force a change in the centrifuge speed
• Infected PLCs would send back false feedback
• Centrifuges would burn out and become inoperable while monitoring systems
showed no abnormal conditions

Ransomware Overview

Malware that encrypts computer system or data until a ransom is paid

• Attacker holds decryption key

• Often spread via a Trojan or delivered by email
• Payload is run, encrypting the victim’s data
• Message is sent to victim (ransom note)

WannaCry Case Study

• Cryptoworm that targeted Windows computers in 2017

• Propagation – spread through email attachments, self-spread after download
• Took advantage of Windows SMD (server message block)
• If no “kill swtich” domain, data was encrypted
• Ransom in bitcoin
• Used RSA and AES encryption

Spyware Overview

• Malware designed to steal internet usage data and sensitive information

• Passively monitors and collects data
• Hides processes, files, etc. from user
 • Propagation – Drive-by-download, often via fake “antispyware” programs, Web
browser exploits, piggyback software, browser add-ons, cookies

Types of Spyware

• Keyloggers – record keystrokes to gain confidential information

• Legitimate uses – employee monitoring/safety monitoring for children
• Hardware – PC/BIOS, keyboard, external logger
• Software – Application, kernel, hypervisor, formjacking

Malware Countermeasures

• Update and maintain antivirus/antimalware solutions

• Maintain backups
• Conduct regular scans
• Harden systems
• Analyze baseline normal traffic
• Increase training and awareness
2.8 Authentication Attacks
Authentication and Replay Attacks

Allows attacker to guess a person’s user name, password, or cryptographic key by using an
automated process of trial and error

Key Terms

• Identity – Who you say you are

• Authentication – Validation of identity
• Authorization – Verification of clearance to access resources

Hashing – transforming a string of text into a usually shorter fixed-length value or key that
represents the original string

• Used to verify integrity of data

• One-way function: Sender > Hash Value > Receiver
• Used for password storage
• Salting: random data used as an additional input to a one-way function (hash) used
to safeguard passwords in storage

Replay Attacks – attack in which a valid data transmission is maliciously or fraudulently

repeated or delayed

• Resends and/or delays packets

• Bypasses authentication
• Reroutes communications
• Often used with financial data

Countermeasures

• Use of one-time passwords

• Multi-factor authentication
• Use of timestamps

Password Cracking Techniques

• Recovers passwords from data that have been stored in or transmitted by a

computer system

Methods

• Social Engineering – dumpster diving, shoulder surfing, reconnaissance

• Active attacks – Direct communication/interaction attacks
o Brute force
▪ Attempts all combinations to crack password
▪ Time- and resource-intensive
o Dictionary attacks
▪ Attempts a list of all possible passwords
▪ Mostly automated
▪ Used with a cracking application
▪ Translated to hashes
 • Passive attacks – No direct communication/interaction: sniffing, MiTM, replay
attacks
• Offline attacks – Rainbow table attack
o Database of precomputed hashes
o Captures hashes of passwords and compares

Countermeasures

• Long, complex passwords

• Use alphabetical characters, numbers, and symbols
• Salt passwords

Cryptographic Attacks

• Key Terms
o Cipher – algorithm that encrypts the data
o Key – bit string used to decrypt data
o Plaintext – text readable by human eyes
o Ciphertext – text encrypted by the algorithm
• Process – Plaintext + Cipher + Key = Ciphertext
• Attack Types
o Known plaintext – by knowing the plaintext message and parts of the
ciphertext, the cryptographic key can be discovered
o Chosen ciphertext – attacker compares parts of the ciphertext and the
plaintext to discover the key
o Chosen plaintext – attacker creates a plaintext message, runs it through an
algorithm, then analyzes the result to discover the key

Countermeasures

• Implement strong cryptographic systems

• Use long keys
• Use one-time pads

Password Attack Countermeasures

• Use long passwords

• Salt passwords
• Password history control, i.e. mandate password rotation/changes
• Encrypt hashes
• Monitor logs
• Use multifactor authentication
• Keep systems updated and patched
2.9 Mobile, IoT, and Cloud Attacks
Attacks on Mobile Devices

Mobile devices (smartphones, smartwatches, tablets, etc.) represent a wide attack

surface for malicious actors

• Data leakage – Apps leak confidential data or other PII

• Insecure data storage – Apps and malware access mobile device storage
• Unsecure Wi-Fi – Allows attackers to sniff data, gain login credentials, etc.
• Poor Authentication/Authorization – Allows unauthorized access or escalation of
privileges
• Broken Cryptography – Apps use weak or easily crackable cryptography
• Insufficient Transport Protection – Lack of SSL/TLS implementation
• Improper Session Handling – Accidental sharing of tokens with attackers

Countermeasures

• Anti-malware software
• Multifactor authentication
• Secure gateways
• Limit use of third-party, non-vetted software

Attacks on IoT Devices

• Attack categories: Healthcare (sensors, measuring devices), industrial (controllers for

SCADA systems), personal (wearables, watches), home (smartlights, garage doors)
• Process – Devices use IoT gateways to communicate with cloud servers/internet
(usually via applications)
o This presents a very wide range of vulnerabilities to IoT devices
• Vulnerabilities – No account lockout mechanism, lack of two-factor authentication,
weak password rules, open UPnP ports, lack of privacy, lack of encryption via update
servers

Attacks

o Botnets – IoT devices (via a Trojan) can easily propagate botnets and quickly
overload targeted servers (DDoS)
o HVAC/ICS – Industrial control systems are especially susceptible, and once
cracked allow for privilege escalation
o Rolling Code – most modern keyfobs (automobiles) are IoT enabled
▪ RF signal sent to car via keyfob
▪ Attacker intercepts signal (using a jammer)
▪ By sniffing this signal attacker gains access to code 1
▪ Victim resends signal to car and attacker gains access to code 2
▪ Attacker forwards code 1, unlocking car, and saves code 2 for later date

Attacks on Cloud and Virtual Machines

• Cloud Overview – advantages of cloud services include reduced server costs,

increased efficiency, and redundancy
• Managed by cloud service provider (CSP)
 • Unlike on-premises resources, which are managed by a company or organization,
cloud resources are shared

Cloud Service Types

• IaaS – (infrastructure as a service) usually a suite of services, VMs, different APIs

(Amazon EC2, Windows Skydrive)
• PaaS – (platform as a service) cloud service provides development tools,
configuration management suite, and deployment platforms (Google App Engine,
Azure)
• SaaS – (software as a service) a software provided on the cloud (i.e. google docs)

Cloud Categories

• Public – open to anyone

• Private – one to one, owned by company or corporation
• Community – more than one company/organization joined to achieve greater
services
• Hybrid – a combination of two or more of the above cloud types

Threats

• Data Breaches – Lost CSP data cannot be retrieved

• Insecure API – Can circumvent security policies enforced by your organization
• Shared Tech – Shared resources (i.e. GPU) can be exposed to attackers
• Unknown Risk Profile – Clients lack full ownership/control of backend hardware
• Hardware Failure – Damage to datacenters means irretrievable losses for clients
• Management Interface – Attackers can take advantage of vulnerabilities present
between clients and resources (via remote access)
• Authentication Attacks – Single point of failure to gain access to large amount of
company/organization resources

Attacks

• Social Engineering – obtaining login credentials to access resources managed by CSP

• Session Hijacking – XSS, net sniffing, session riding
• DNS Attacks – DNS cache poisoning, spoofing
• SQL Injection Attacks – Manipulation or erasure of confidential data
• Wrapping Attacks – Manipulation of XML format to gain unauthorized access
• Side Channel Attacks – Attacker runs parallel VM on target machine to gain
unauthorized access to data managed by CSP
• DoS/DDoS Attacks – Attempt to limit resources and disrupt availability to client

Countermeasures

• SLA (service level agreements) – a clear and defined SLA is crucial for cloud security
• Tailored services – security defined to your organizational needs
• DRP (disaster recovery plan) – clear outline to maintain business operations should a
datacenter go down in a disaster
• Data encryption – ensure that CSP provides encryption services
• Transport encryption – ensure CSP provides end-to-end security with data in transit
• Load Balancing – to prevent downtime from DDoS attacks
• Data Backups – should be part of DRP, and not wholly reliant upon CSP
• Strong Authentication – implement least privilege and need to know practices
• Robust Logging and Monitoring – ensure auditing capabilities are provided by CSP