
Common Attacks

Uploaded by

Andualem Sebsbe
Copyright
© All Rights Reserved

Vulnerability, Exploit, Threat, Mitigation

• A vulnerability is any potential weakness that can compromise the CIA
(confidentiality, integrity, availability) of a system/info.
o A potential weakness isn’t a problem on its own.
• An exploit is something that can potentially be used to exploit the
vulnerability.
o Something that can potentially be used as an exploit isn’t a problem on
its own.
• A threat is the potential of a vulnerability to be exploited.
o A hacker exploiting a vulnerability in your system is a threat.
• A mitigation technique is something that can protect against
threats.
o Should be implemented everywhere a vulnerability can be exploited:
client devices, servers, routers, firewalls, etc.
Common Attacks
• DoS (denial-of-service) attacks
• Spoofing attacks
• Reflection/amplification attacks
• Man-in-the-middle attacks
• Reconnaissance attacks
• Malware
• Social engineering attacks
• Password-related attacks
Denial-of-service attacks
• DoS attacks threaten the availability of a system.
• One common DoS attack is the TCP SYN flood.
o TCP three-way handshake: SYN, SYN-ACK, ACK.
o The attacker sends countless TCP SYN messages to the target.
o The target sends a SYN-ACK message in response to each SYN it receives.
o The attacker never replies with the final ACK of the TCP three-way handshake.
o The incomplete connections fill up the target’s TCP connection table.
o The attacker continues sending SYN messages.
o The target is no longer able to make legitimate TCP connections.
Denial-of-service attacks
• In a DDoS (Distributed Denial-Of-Service) attack, the attacker infects
many target computers with malware and uses them all to initiate a
denial-of-service attack, for example a TCP SYN flood attack.
• The group of infected computers is called a botnet.
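The TCP SYN flood described above, seen from the target's side. This is an added example, not part of the original slides: it replays constructed packet events against a small half-open connection table and flags sources holding many unfinished handshakes. The table size, threshold and all addresses are assumptions chosen for illustration.

```python
from collections import Counter

BACKLOG = 4  # assumed size of the target's half-open table (tiny, for illustration)

# Constructed packet events seen by the target: (time_s, src_ip, src_port, tcp_flag)
EVENTS = [
    (0.0, "192.0.2.10", 40000, "SYN"),
    (0.1, "192.0.2.10", 40000, "ACK"),   # legitimate client completes the handshake
    (1.0, "203.0.113.5", 1001, "SYN"),
    (1.1, "203.0.113.5", 1002, "SYN"),
    (1.2, "203.0.113.5", 1003, "SYN"),
    (1.3, "203.0.113.5", 1004, "SYN"),   # table is now full of half-open entries
    (2.0, "192.0.2.20", 50000, "SYN"),   # legitimate client arrives too late
]

def simulate(events, backlog=BACKLOG):
    """Replay events against a fixed-size half-open table.

    Returns (established, dropped, half_open); half_open is the set of
    (ip, port) pairs that sent a SYN and never sent the final ACK.
    Timeouts of half-open entries are left out of this model.
    """
    half_open, established, dropped = {}, [], []
    for ts, ip, port, flag in events:
        key = (ip, port)
        if flag == "SYN":
            if len(half_open) >= backlog:
                dropped.append(key)        # no free slot: the SYN is ignored
            else:
                half_open[key] = ts        # target answers SYN-ACK and waits
        elif flag == "ACK" and key in half_open:
            del half_open[key]             # handshake complete, slot freed
            established.append(key)
    return established, dropped, set(half_open)

def suspicious_sources(half_open, threshold=3):
    """Sources holding at least `threshold` half-open connections."""
    per_ip = Counter(ip for ip, _ in half_open)
    return sorted(ip for ip, n in per_ip.items() if n >= threshold)

if __name__ == "__main__":
    est, drop, pending = simulate(EVENTS)
    print("established:", est)
    print("dropped:", drop)
    print("flagged:", suspicious_sources(pending))
```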
Spoofing attacks
• To spoof an address is to use a fake source address (IP or MAC
address).
• Numerous attacks involve spoofing; it’s not a single kind of attack.
• An example is a DHCP exhaustion attack.
• An attacker uses spoofed MAC addresses to flood DHCP Discover
messages.
• The target server’s DHCP pool becomes full, resulting in a denial-of-
service to other devices.
Reflection/Amplification attacks
• In a reflection attack, the attacker sends traffic to a reflector, and
spoofs the source address of its packets using the target’s IP address.
• The reflector (for example, a DNS server) sends the reply to the target’s IP address.
• If the amount of traffic sent to the target is large enough, this can
result in a denial-of-service.
• A reflection attack becomes an amplification attack when the amount
of traffic sent by the attacker is small, but it triggers a large amount of
traffic to be sent from the reflector to the target.
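An added example (not part of the original slides) of how reflected traffic looks in logs: the target receives DNS responses that match no query it sent, and the reflector's log shows small queries producing large responses. All records, addresses and sizes below are constructed.

```python
from collections import defaultdict

# Constructed DNS records at the target's network edge (not real traffic):
# (direction, peer_ip, dns_id, kind, size_bytes)
TARGET_EDGE = [
    ("out", "192.0.2.53", 0x1A2B, "query", 60),
    ("in", "192.0.2.53", 0x1A2B, "response", 120),     # answers the target's own query
    ("in", "203.0.113.53", 0x0001, "response", 3000),  # target never asked for these
    ("in", "203.0.113.53", 0x0002, "response", 3000),
    ("in", "203.0.113.99", 0x0003, "response", 2800),
]

# Constructed log on one reflector: (claimed_source, query_bytes, response_bytes)
REFLECTOR_LOG = [
    ("198.51.100.7", 60, 3000),
    ("198.51.100.7", 60, 3000),
]

def unsolicited_bytes(records):
    """Bytes of inbound responses that match no outstanding outbound query."""
    outstanding = set()
    per_reflector = defaultdict(int)
    for direction, peer, dns_id, kind, size in records:
        if direction == "out" and kind == "query":
            outstanding.add((peer, dns_id))
        elif direction == "in" and kind == "response":
            if (peer, dns_id) in outstanding:
                outstanding.discard((peer, dns_id))  # solicited: consume the query
            else:
                per_reflector[peer] += size          # reflected traffic
    return dict(per_reflector)

def amplification_factor(log, claimed_source):
    """Response bytes divided by query bytes for one claimed source address."""
    sent = sum(q for src, q, _ in log if src == claimed_source)
    returned = sum(r for src, _, r in log if src == claimed_source)
    return returned / sent if sent else 0.0

if __name__ == "__main__":
    print(unsolicited_bytes(TARGET_EDGE))
    print(amplification_factor(REFLECTOR_LOG, "198.51.100.7"))
```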
Man-in-the-middle attacks
• In a man-in-the-middle attack, the attacker places himself between the
source and destination to eavesdrop on communications, or to modify
traffic before it reaches the destination.
• A common example is ARP spoofing, also known as ARP poisoning.
• A host sends an ARP request, asking for the MAC address of another
device.
• The target of the request sends an ARP reply, informing the requester of
its MAC address.
• The attacker waits and sends another ARP reply after the legitimate
replier.
• If the attacker’s ARP reply arrives last, it will overwrite the legitimate
ARP entry in PC1’s ARP table.
Man-in-the-middle attacks
• In PC1’s ARP table, the entry for 10.0.0.1 will have the attacker’s MAC
address.
• When PC1 tries to send traffic to SRV1, it will be forwarded to the
attacker instead.
• The attacker can inspect the messages, and then forward them on to
SRV1.
• The attacker can also modify the messages before forwarding them to
SRV1.
• This compromises the Confidentiality and Integrity of communications
between PC1 and SRV1.
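An added example (not part of the original slides) of the ARP behaviour described above: a last-writer-wins table as PC1 would keep it, a check that flags an IP whose MAC changes shortly after a previous reply, and the same replay with a statically configured entry. The MAC addresses, timings and the one-second window are constructed assumptions.

```python
# Constructed ARP replies received by PC1: (time_s, sender_ip, sender_mac)
REPLIES = [
    (0.00, "10.0.0.1", "00:00:5e:00:53:01"),  # SRV1's real MAC (constructed)
    (0.05, "10.0.0.1", "00:00:5e:00:53:aa"),  # attacker's later reply (constructed)
    (5.00, "10.0.0.2", "00:00:5e:00:53:02"),  # unrelated host
]

def naive_cache(replies):
    """Last-writer-wins ARP table, the behaviour the slides describe."""
    table = {}
    for _, ip, mac in replies:
        table[ip] = mac
    return table

def detect_conflicts(replies, window=1.0):
    """Flag an IP whose MAC changes within `window` seconds of its previous reply."""
    last = {}
    alerts = []
    for ts, ip, mac in replies:
        prev = last.get(ip)
        if prev and prev[1] != mac and ts - prev[0] <= window:
            alerts.append((ip, prev[1], mac))  # (ip, earlier MAC, later MAC)
        last[ip] = (ts, mac)
    return alerts

def pinned_cache(replies, static):
    """Same replay, but statically configured entries are never overwritten."""
    table = dict(static)
    for _, ip, mac in replies:
        if ip not in static:
            table[ip] = mac
    return table

if __name__ == "__main__":
    print(naive_cache(REPLIES))
    print(detect_conflicts(REPLIES))
    print(pinned_cache(REPLIES, {"10.0.0.1": "00:00:5e:00:53:01"}))
```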
Reconnaissance attacks
• Reconnaissance attacks aren’t attacks themselves, but they are used
to gather information about a target which can be used for a future
attack.
• This information is often publicly available, for example a lookup to learn
the IP address of a site.
• Or a WHOIS query to learn email addresses, phone numbers, physical
addresses, etc.: https://lookup.icann.org/lookup
Malware
• Malware (malicious software) refers to a variety of harmful programs
that can infect a computer.
• Viruses infect other software (a ‘host program’). The virus spreads as
the software is shared by users. Typically they corrupt or modify files
on the target computer.
• Worms do not require a host program. They are standalone malware
and they are able to spread on their own, without user interaction.
The spread of worms can congest the network, but the ‘payload’ of a
worm can cause additional harm to target devices.
• Trojan Horses are harmful software that is disguised as legitimate
software. They are spread through user interaction such as opening
email attachments, or downloading a file from the Internet.
Social Engineering
attacks
• Social engineering attacks target the most vulnerable part of any
system – people!
• They involve psychological manipulation to make the target reveal
confidential information or perform some action.
• Phishing typically involves fraudulent emails that appear to come from
a legitimate business (Amazon, bank, credit card company, etc.) and
contain links to a fraudulent website that seems legitimate.
o Users are told to log in to the fraudulent website, providing their login
credentials to the attacker.
o Spear phishing is a more targeted form of phishing, for example aimed at
employees of a certain company.
o Whaling is phishing targeted at high-profile individuals, for example a
company president.
Social Engineering attacks
• Vishing (voice phishing) is phishing performed over the phone.
• Smishing (SMS phishing) is phishing using SMS text messages.
• Watering hole attacks compromise sites that the target victim
frequently visits. If a malicious link is placed on a website the target
trusts, they might not hesitate to click it.
• Tailgating attacks involve entering restricted, secured areas by simply
walking in behind an authorized person as they enter.
Password-related attacks
• Most systems use a username/password combination to authenticate
users.
• The username is often simple/easy to guess (for example the user’s
email address), and the strength and secrecy of the password are relied
on to provide the necessary security.
• Attackers can learn a user’s passwords via multiple methods:
o Guessing
o Dictionary attack: A program runs through a ‘dictionary’ or list of common
words/passwords to find the target’s password.
o Brute force attack: A program tries every possible combination of letters,
numbers, and special characters to find the target’s password.
