
Chapter 3:

Attack Types and Protection Schemes

This chapter covers

 Understand the general groups of threat events, with examples
 Identify and understand the top threat-driven events
 Identify the different vulnerabilities of information systems
 Describe the different kinds of malicious software and programs, such as viruses and worms
 Identify the different security control mechanisms or schemes

3.1. Categories of Attack Types and Security Threats

Different types of attack

If you do not have a security plan in place, your networks and data are vulnerable to any of
the following types of attack, because without security controls and measures your data
may be subjected to an attack. Attacks are either passive or active: in a passive attack the
information is only monitored, while in an active attack the information is altered with the
intent to corrupt or destroy data or the network itself.

There are two types of security attack in information security.

Active attacks: An active attack attempts to alter system resources or affect their operation.
Active attacks involve some modification of the data stream or the creation of a false stream.
The types of active attack are as follows:


 Masquerade –
A masquerade attack takes place when one entity pretends to be a different entity. A
masquerade attack usually includes one of the other forms of active attack.

 Modification of messages –
Some portion of a legitimate message is altered, or messages are delayed or reordered, to
produce an unauthorized effect. For example, a message meaning “Allow JOHN to read
confidential file X” is modified to “Allow Smith to read confidential file X”.

 Repudiation –
This attack is carried out by either the sender or the receiver. The sender or receiver later
denies having sent or received a message. For example, a customer asks their bank to
transfer an amount to someone, and later the sender (the customer) denies having made
such a request. This is repudiation.

 Replay –
It involves the passive capture of a message and its subsequent retransmission to
produce an unauthorized effect.

 Denial of service –
It prevents the normal use of communication facilities. This attack may have a specific
target; for example, an entity may suppress all messages directed to a particular destination.
Another form of service denial is the disruption of an entire network, either by disabling the
network or by overloading it with messages so as to degrade performance.
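An added example (not from the chapter) showing how a receiver can detect two of the active attacks described above, modification of messages and replay: each message carries an HMAC tag, a fresh nonce and a timestamp, so an altered message fails the tag check and a captured-and-resent message is recognised by its nonce. The shared key, clock values and messages are constructed for illustration.

```python
"""Added example: detecting message modification and replay with an HMAC tag,
a per-message nonce and a timestamp. Key, names and messages are constructed."""
import hashlib
import hmac
import json
import time

# Constructed shared key; assumed to have been exchanged securely beforehand.
SHARED_KEY = b"example-shared-key-not-for-production"
MAX_AGE_SECONDS = 30  # how long a tagged message stays acceptable


def make_message(key: bytes, action: str, nonce: str, ts: float) -> dict:
    """Sender side: build a message and authenticate it with HMAC-SHA256."""
    body = {"action": action, "nonce": nonce, "ts": ts}
    canonical = json.dumps(body, sort_keys=True).encode()
    tag = hmac.new(key, canonical, hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


class Receiver:
    """Receiver side: verify the tag, then reject stale or repeated nonces."""

    def __init__(self, key: bytes, now=time.time):
        self.key = key
        self.now = now  # injectable clock so the demo is deterministic
        self.seen_nonces: set[str] = set()

    def accept(self, msg: dict) -> str:
        canonical = json.dumps(msg["body"], sort_keys=True).encode()
        expected = hmac.new(self.key, canonical, hashlib.sha256).hexdigest()
        # Constant-time comparison: any altered byte of the body changes the tag.
        if not hmac.compare_digest(expected, msg["tag"]):
            return "rejected: modified"
        # Timestamp window bounds how long the nonce set must be kept.
        if abs(self.now() - msg["body"]["ts"]) > MAX_AGE_SECONDS:
            return "rejected: stale"
        nonce = msg["body"]["nonce"]
        if nonce in self.seen_nonces:
            return "rejected: replay"
        self.seen_nonces.add(nonce)
        return "accepted: " + msg["body"]["action"]


def demo() -> list:
    """Run the cases from the text: legitimate, modified, replayed, and expired."""
    clock = [1_000_000.0]
    rx = Receiver(SHARED_KEY, now=lambda: clock[0])
    results = []

    # 1. Legitimate message from the sender.
    msg = make_message(SHARED_KEY, "Allow JOHN to read confidential file X", "n-1", clock[0])
    results.append(rx.accept(msg))

    # 2. Modification of messages: an intermediary changes JOHN to Smith but
    #    cannot produce a valid tag for the new body without the key.
    tampered = {"body": dict(msg["body"]), "tag": msg["tag"]}
    tampered["body"]["action"] = "Allow Smith to read confidential file X"
    results.append(rx.accept(tampered))

    # 3. Replay: the original, validly tagged message is captured and resent.
    results.append(rx.accept(msg))

    # 4. Replay after the validity window: rejected by the timestamp alone.
    clock[0] += MAX_AGE_SECONDS + 1
    results.append(rx.accept(msg))
    return results


if __name__ == "__main__":
    for line in demo():
        print(line)
```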

Passive attacks: A passive attack attempts to learn or make use of information from the system
but does not affect system resources. Passive attacks are in the nature of eavesdropping on, or
monitoring of, transmissions. The goal of the opponent is to obtain information that is being
transmitted.

The types of passive attack are as follows:

 The release of message contents –
A telephone conversation, an electronic mail message or a transferred file may contain sensitive or
confidential information. We would like to prevent an opponent from learning the contents of these
transmissions.

Passive attacks are very difficult to detect because they involve no alteration of the data. Typically,
the message traffic is sent and received in an apparently normal fashion, and neither the
sender nor the receiver is aware that a third party has read the messages or observed the traffic
pattern on the transmission medium. However, it is feasible to prevent the success of these
attacks, usually by means of encryption. Thus the emphasis in dealing with passive attacks is on
prevention rather than detection.

Table 1 The difference between active and passive attacks

| S.No | Active attack | Passive attack |
|------|---------------|----------------|
| 1 | In an active attack, the information is modified. | In a passive attack, the information is not modified. |
| 2 | An active attack is a danger to integrity as well as availability. | A passive attack is a danger to confidentiality. |
| 3 | An active attack always damages the system. | A passive attack does no harm to the system. |
| 4 | In an active attack, the victim is informed about the attack. | In a passive attack, the victim is not informed about the attack. |
| 5 | In an active attack, system resources can be changed. | In a passive attack, system resources are not changed. |

Table 2 General groups of threat events

| Threat | Example |
|--------|---------|
| Acts of human error or failure | Accidents, employee mistakes |
| Compromises to intellectual property | Piracy, copyright infringement |
| Deliberate acts of espionage or trespass | Unauthorized access and/or data collection |
| Deliberate acts of information extortion | Blackmail for information disclosure |
| Deliberate acts of sabotage or vandalism | Destruction of systems or information |
| Deliberate acts of theft | Illegal confiscation of information or equipment |
| Deliberate software attacks | Viruses, worms, and denial of service |
| Deviations in quality of service by service providers | Power and WAN quality-of-service issues from service providers |
| Forces of nature | Fire, flood, earthquake, and lightning |
| Technical hardware failures or errors | Equipment failure |
| Technical software failures or errors | Bugs, code problems |
| Technical obsolescence | Antiquated or outdated technologies |

Figure 1 Top Threat Driven Expenses

Hardware and Software Failures and Errors
 Cannot be controlled or prevented by the organization
 Best defense: keep up to date with the latest hardware and software vulnerabilities
Forces of Nature
 Fire, flood, earthquake, dust contamination
 The organization must implement controls to limit damage, as well as develop incident
response plans and business continuity plans
Acts of Human Error or Failure
 An organization’s own employees are its greatest threat
Examples:
 Entry of erroneous data
 Accidental deletion or modification of data
 Failure to protect data
 Storing data in unprotected areas
Much of human error or failure can be prevented:
 Preventative measures
 Training and ongoing awareness activities
 Enhanced control techniques
o Require users to type a critical command twice
o Ask for verification of commands by a second party
Compromises to Intellectual Property (IP)
o IP = ideas, or tangible or virtual representations of these ideas
o Any unauthorized use of IP constitutes a security threat
Defense measures:
 Use of digital watermarks and embedded code

Deliberate Acts of Information Extortion
 A hacker or trusted insider steals information and demands compensation for its return
Examples:
 Theft of data files containing customer credit card information
Deliberate Acts of Sabotage or Vandalism
 Acts aimed at destroying an information asset and, ultimately, damaging the image of an
organization
 Examples:
 Hackers accessing a system and damaging or destroying critical data
Deliberate Acts of Trespass
 Unauthorized access to information that an organization is trying to protect
 Low-tech: shoulder surfing
 High-tech: hacking
Deviations in Quality of Service
 In organizations that rely on the Internet and Web, irregularities in available bandwidth
or in a server’s CPU can dramatically affect their operation
 E.g. employees or customers cannot contact the system
Deliberate Software Attacks
 A deliberate action aimed at violating or compromising a system’s security through the use of
software
 Examples:
o Use of malware
o Password cracking
o DoS and DDoS
o Spoofing
o Sniffing
o Man-in-the-middle attack
o Phishing
o Pharming

A. Use of Malware
 Assumes the use of specialized software (malware) to damage or destroy information, or
to deny access to the target system
 Types of malware: virus, worm, Trojan horse, logic bomb, rootkit, spyware, adware
 Virus
 Malware that needs a ‘carrier’ to survive
 In fact, two carriers are needed: a document/program and a user
 A virus secretly attaches itself to a document and then executes its malicious payload when
that document is opened and the respective program is launched
 Most viruses rely on the actions of users to spread, e.g.:
o Sending/activating an infected file by email
o Downloading/activating an infected file from the Internet
o Downloading/activating an infected file from a USB drive
Viruses can cause the following damage:
o Cause a computer to crash repeatedly
o Erase files from a hard drive, or reformat a hard drive
o Reduce the security settings and allow intruders to remotely access the computer

 Worm
 Malware that uses computer networks and security holes in applications or operating
systems to replicate itself
 Once it exploits a vulnerability on one system, the worm deposits its payload and searches for
another computer
 Differences between worms and viruses:
o Viruses need a carrier document or program (“must attach itself to something to
propagate”), are typically delivered by email and require user action.
o Worms do not need a carrier (“can move on their own”), are typically spread through the
Internet or web and do not rely on user action.
Example: Stuxnet (2010), a highly sophisticated worm that used a variety of advanced
techniques to spread, including:
 Shared infected USB drives (spreading even between computers that are not
connected to the Internet)
 Connecting to systems using a database default password
 Searching for unprotected administrative shares of systems on the LAN
Trojan Horse
 Malware that looks legitimate and is advertised as performing one activity but actually
does something else; it does not replicate itself
 Can carry out various attacks on the host, such as irritating the user with pop-ups or changing
the desktop
 Example: AOL4Free, advertised as free access to AOL Internet services, would delete the hard
drive
Logic Bomb
 Malware typically installed by an authorized user; it lies dormant until triggered by a specific
logical event, and once triggered it can perform any malicious activity
 Trigger events: 1) a certain date is reached on the calendar; 2) a check of the organization’s payroll
data shows that a particular person has been fired
Rootkit
 A set of software tools used to break into a computer and modify the operation of the operating
system in some fashion in order to facilitate nonstandard or unauthorized functions
 Unlike viruses, a rootkit’s goal is not to damage the computer directly or to spread, but to hide the
presence of, and/or control the functioning of, other (malicious) software
 Since rootkits change the operating system, the only safe and foolproof way to handle a
rootkit infection is to reformat the hard drive and reinstall the operating system
Spyware
 Software that spies on users by gathering information without their consent, thus
violating their privacy
 Example: Zango, which transmits detailed information to advertisers about the websites you visit
Adware
 Software that delivers advertising content in a manner that is unexpected and unwanted by
the user

B. Password Cracking
 An attempt to reverse-calculate a password
 Requires that a copy of the Security Account Manager (SAM) registry data file be obtained
 The SAM file (C:\Windows\System32\config\SAM) contains the hashed representations of
the user passwords (the LM (LAN Manager) hash and the NTLM hash)
 Cracking procedure: hash a candidate password using the same algorithm and compare
the result with the SAM file’s entries
 Types of password cracking attack:
o Brute force: every possible combination/password is tried
o Guessing: the attacker uses his or her knowledge of the user’s personal information
and tries to guess the password
o Dictionary: a list of commonly used passwords (a dictionary) is tried
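An added example (not from the chapter) of password storage that defeats the cracking procedure described above: with a random per-user salt and a slow PBKDF2 hash, a candidate hashed once cannot be compared against every stored entry, and a dictionary check at enrollment refuses the passwords a dictionary attack tries first. The user names, passwords and blocklist are constructed for illustration.

```python
"""Added example: salted, slow password hashing plus a dictionary blocklist.
Users, passwords and the blocklist below are constructed, not real data."""
import hashlib
import hmac
import os

# Constructed blocklist of common passwords; a real one would be much larger.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "letmein", "welcome1"}
PBKDF2_ITERATIONS = 100_000  # kept low so the demo runs quickly; production uses more


def is_weak(password: str) -> bool:
    """Dictionary check at enrollment: refuse what a dictionary attack tries first."""
    return len(password) < 12 or password.lower() in COMMON_PASSWORDS


def unsalted_hash(password: str) -> str:
    """The weak scheme the cracking procedure relies on: same input, same output,
    so one hashed guess can be compared against every stored entry at once."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_password(password: str, salt: bytes = b"") -> str:
    """Return 'iterations$salthex$digesthex', drawing a fresh 16-byte salt per call."""
    if not salt:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"{PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def enroll(store: dict, user: str, password: str) -> bool:
    """Add a user only if the password passes the dictionary check."""
    if is_weak(password):
        return False
    store[user] = hash_password(password)
    return True


def demo() -> dict:
    """Constructed enrollment run; returns the observations as booleans."""
    store: dict = {}
    results = {"blocklisted_rejected": not enroll(store, "alice", "password")}
    enroll(store, "bob", "correct horse battery staple")
    enroll(store, "carol", "correct horse battery staple")
    # Same password, different stored values: a single hashed guess cannot be
    # matched against both entries, unlike the unsalted scheme.
    results["salted_differ"] = store["bob"] != store["carol"]
    results["unsalted_equal"] = (
        unsalted_hash("correct horse battery staple")
        == unsalted_hash("correct horse battery staple")
    )
    results["bob_login_ok"] = verify_password("correct horse battery staple", store["bob"])
    results["bob_wrong_pw"] = verify_password("correct horse battery staple!", store["bob"])
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```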
C. Denial of Service (DoS)
 The attacker sends a large number of requests to a target
o The target gets overloaded and cannot respond to legitimate requests
 In a distributed DoS (DDoS), a coordinated stream of requests is launched from
many locations (zombies) at the same time
o Zombie: a compromised machine that can be commanded remotely by the master
machine
 The organization must ensure that the minimum service level defined in the service level
agreement with its ISP will satisfy its needs
 Alternative solution: a backup ISP

Figure 2 DDOS Attack

D. Spoofing
 Insertion of forged (but trusted) IP addresses into IP packets in order to gain access
to networks/computers
 Newer routers and firewalls can offer protection against IP spoofing:
o Ingress filtering: the upstream ISP discards any packet coming into its network if the
source address is not valid, i.e. the IP does not belong to any of the networks connected
to the ISP
o Egress filtering: the organization’s firewall discards any outgoing packet with a source
address that does not belong to that organization
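An added example (not from the chapter) of the egress filter described above, applied to constructed packet headers: any outgoing packet whose source address lies outside the organization’s own prefixes is dropped, and the same function run at the ISP edge with the customer’s prefixes is ingress filtering. The prefixes and addresses are RFC 5737 documentation ranges, constructed for illustration.

```python
"""Added example: source-address (egress/ingress) filtering against IP spoofing.
Prefixes and packets are constructed from documentation address ranges."""
import ipaddress
from dataclasses import dataclass

# Assumption: the organization owns these prefixes (constructed).
ORG_PREFIXES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/25"),
]


@dataclass
class Packet:
    """Only the header fields the filter needs (constructed, not a real packet parser)."""
    src: str
    dst: str


def source_is_valid(src: str, prefixes) -> bool:
    """True if the source address lies inside one of the allowed prefixes."""
    addr = ipaddress.ip_address(src)  # raises ValueError on a malformed address
    return any(addr in net for net in prefixes)


def filter_packets(packets, prefixes):
    """Apply source-address filtering to a batch of packets.

    Returns (forwarded, dropped), where dropped is a list of (packet, reason).
    At the organization's border with ORG_PREFIXES this is egress filtering; at
    the ISP's edge with the prefixes of the customer behind that link it is
    ingress filtering. The logic is identical, only the prefix set differs.
    """
    forwarded, dropped = [], []
    for pkt in packets:
        try:
            ok = source_is_valid(pkt.src, prefixes)
        except ValueError:
            dropped.append((pkt, "malformed source address"))
            continue
        if ok:
            forwarded.append(pkt)
        else:
            dropped.append((pkt, "source address not in allowed prefixes (spoofed)"))
    return forwarded, dropped


# Constructed outbound traffic as seen at the organization's firewall.
SAMPLE_OUTBOUND = [
    Packet("203.0.113.10", "192.0.2.1"),    # genuine internal host
    Packet("198.51.100.7", "192.0.2.1"),    # genuine internal host (inside the /25)
    Packet("198.51.100.200", "192.0.2.1"),  # outside the /25: not one of ours
    Packet("10.0.0.5", "192.0.2.1"),        # private address leaking out
    Packet("192.0.2.1", "203.0.113.10"),    # forged: claims to be the remote server
    Packet("not-an-ip", "192.0.2.1"),       # garbage header
]


def egress_demo():
    """Run the egress filter over the sample traffic; return sources by outcome."""
    forwarded, dropped = filter_packets(SAMPLE_OUTBOUND, ORG_PREFIXES)
    return [p.src for p in forwarded], [(p.src, why) for p, why in dropped]


if __name__ == "__main__":
    fwd, drp = egress_demo()
    print("forwarded:", fwd)
    for src, why in drp:
        print(f"dropped {src}: {why}")
```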

Figure 3 Spoofing

E. Sniffing
 Use of a program or device that can monitor data traveling over a network
o Unauthorized sniffers can be very dangerous: they cannot be detected, yet they
can sniff or extract critical information from the packets traveling over the
network
o Wireless sniffing is particularly simple due to the open nature of the wireless
medium
F. Man-in-the-Middle Attack
 Gives the illusion that two computers are communicating with each other when actually
they are sending and receiving data via a computer between them
o Spoofing and/or sniffing may be involved
 Examples:
o Passive: the attacker records, alters and resends data at a later time
o Active: the attacker intercepts, alters, and sends data before the original arrives at
the recipient

Figure 4 Man in the Middle Attack

Social Engineering

 The process of using social skills to manipulate people into revealing sensitive information
o Examples: phishing and pharming
G. Phishing
 An attempt to gain sensitive personal information by posing as a legitimate entity
o Simple phishing: an email is sent to the victim informing them of a problem (for example
with their email or banking account) and asking them to provide their username and
password. The From address is spoofed to look legitimate; the Reply-To address
is an account controlled by the attacker.
o Sophisticated phishing: an email is sent to the victim containing a link to a bogus
website that looks legitimate
H. Pharming
 Pharming redirects users to a false website without them even knowing it, even though they
typed or clicked on the correct URL
3.2. Vulnerabilities of Information Systems

An information system vulnerability is a cybersecurity term that refers to a defect in a system that
can leave it open to attack. The term can also refer to any type of weakness present in a
computer itself, in a set of procedures, or in anything that allows information security to be exposed
to a threat. Network personnel and computer users can protect computers from
vulnerabilities by regularly applying software security patches. These patches are capable of
fixing flaws or security holes found in the initial release. Network personnel and computer users
should also stay informed about current vulnerabilities in the software they use and look out for
ways to protect against them.

The most common computer vulnerabilities include:

 Bugs
 Weak passwords
 Software that is already infected with a virus
 Missing data encryption
 OS command injection
 SQL injection
 Buffer overflow
 Missing authorization
 Use of broken algorithms
 URL redirection to untrusted sites
 Path traversal
 Missing authentication for a critical function
 Unrestricted upload of dangerous file types
 Dependence on untrusted inputs in a security decision
 Cross-site scripting and cross-site request forgery
 Download of code without integrity checks

3.3. Malicious Security Threats

The term malware or malicious software is used for any type of software that can affect your
computer equipment’s performance and functionality, either locally or remotely. Computer
viruses, Trojan horses and worms are all considered malware.

3.3.1. Viruses

Viruses are self-replicating programs that infect and propagate through files. Usually they
attach themselves to a file, which causes them to be run when the file is opened. Viruses often
have additional properties, beyond being a file infector or macro virus.

A virus may also be multipartite, stealth, encrypted or polymorphic. Multipartite viruses are
hybrid viruses that infect files and system and/or boot records. This means multipartite viruses
have the potential to be more damaging and more resistant. A stealth virus is one that attempts to hide
its presence. This may involve attaching itself to files that are not usually seen by the user.

Viruses can use encryption to hide their payload. A virus using encryption knows how to
decrypt itself in order to run. As the bulk of the virus is encrypted, it is harder to detect and analyse. Some
viruses have the ability to change themselves as time goes by, or when they replicate.
Such viruses are called polymorphic viruses. Polymorphic viruses can usually avoid being
eradicated for longer than other types of viruses, as their signature changes. Macro viruses are simply
malicious macros for popular programs such as Microsoft Word. For example, they may
delete information from a document or insert phrases into it. Propagation is usually through
infected files. If a user opens a document that is infected, the virus may install itself so that any
subsequently opened documents are also infected. Some macro viruses propagate via email, such as the
Melissa virus covered in the next section. Often the macro virus is attached as an apparently
benign file to fool the user into infecting themselves.

3.3.2. Worms

A worm is a self-replicating program that propagates over a network in some way. Unlike viruses,
worms do not require an infected file to propagate. There are two main types of worms: mass-mailing
worms and network-aware worms. Mass-mailing worms are an interesting category, as
many attacks in this category could quite easily be classified as a worm, a virus, or both. A
mass-mailing worm is a worm that spreads through email. Once the email has reached its target it may
have a payload in the form of a virus or Trojan. Email, although it may become a file on its journey,
is more abstract than a file.

Therefore, while some attacks may use email attachments to send viruses, the attack vector is still
email. An attack such as Melissa should be classified first as a mass-mailing worm. Network-aware
worms are a major problem for the Internet. Worms such as SQL Slammer have shown that the
Internet can be degraded by a well-written worm. Network-aware worms generally follow a four-stage
propagation model. Although this is a generalization, most network-aware worms fit
this model. The first step is target selection: the compromised host selects a target host.
The compromised host then attempts to gain access to the target host by exploitation. For example,
the SQL Slammer worm exploited a known vulnerability in Microsoft SQL Server 2000 and
Microsoft Desktop Engine. Once the worm has access to the target host, it can infect it. Infection
may include loading Trojans onto the target host, creating back doors or modifying files. Once
infection is complete, the target host is now compromised and can be used by the worm to continue
propagation.
3.3.3. Trojan horses

A Trojan horse or Trojan infiltrates your computer through a file that you download and open.
Unlike viruses, most Trojans stay on your computer only. They cause damage, but they do not
spread to other computers. A Trojan is a piece of malware that stays in one place rather than
spreading.

3.3.4. Spyware

Spyware is software that is installed on a computing device without the end user's knowledge. Any
software can be classified as spyware if it is downloaded without the user's authorization. Spyware
is controversial because even when it is installed for relatively innocuous reasons, it can violate
the end user's privacy and has the potential to be abused. It collects your personal information and
passes it on to interested third parties without your knowledge or consent.

Spyware is also a type of malware (malicious software) that collects and shares information about
a computer or network without the user’s consent. It can be installed as a hidden component of
genuine software packages or via traditional malware vectors such as deceptive ads, websites,
email, instant messages, as well as direct file-sharing connections. Unlike other types of malware,
spyware is heavily used not only by criminal organizations, but also by unscrupulous advertisers
and companies who use spyware to collect market data from users without their consent.
Regardless of its source, spyware runs hidden from the user and is often difficult to detect, but can
lead to symptoms such as degraded system performance and a high frequency of unwanted
behavior (pop-ups, a rerouted browser homepage, altered search results, etc.).
As a tool for advertising, spyware is used to collect and sell user information to interested
advertisers or other interested parties. Spyware can collect almost any type of data, including web
browsing habits and download activity. Perhaps the greatest concern related to spyware is that,
regardless of whether its presence is detectable or not, the user has neither any idea of what
information is being captured, sent away, or used, nor any mechanism or technology for finding
out. Spyware can be prevented through a combination of endpoint and network security controls.
Antispyware features are often integrated into modern antivirus software products that provide
protection at the endpoint.
3.4. Categories of Security Controls

Security controls can be classified into the following types.

Preventive:

When you decide to use a preventive countermeasure, you want to prevent a malicious action from
occurring by blocking or stopping someone or something from doing or causing it.

Examples of this type of control are:

 Firewalls
 Intrusion Prevention Systems (IPS)
 Security guards
 Biometric access control
 Use of encryption
 Strong authentication
 Locks
 Antivirus software

Detective:

Detective countermeasures are implemented to help detect any malicious activities.
A detective control doesn’t stop or mitigate intrusion attempts; it only identifies and reports them.

Examples of this type are:

 Intrusion Detection Systems (IDS)
 Alarms
 Lights
 Motion detectors
 Security guards
 Video surveillance
 Logs and audit trails
 Enforcing staff vacations

Corrective:

These types of controls attempt to get the system back to normal.

Examples of this type are:

 Restoring the operating system or data from a recent backup
 Updating an outdated antivirus
 Installing a fix

3.5. Social Engineering

Social engineering is the term used for a broad range of malicious activities accomplished through
human interactions. It uses psychological manipulation to trick users into making security mistakes
or giving away sensitive information. Social engineering is the practice of using psychological
manipulation as well as social norms to deceive individuals into revealing sensitive and
confidential information including providing access to computer or systems that may have access
to those types of information.

Figure 5 Social Engineering Attack Lifecycle


What makes social engineering especially dangerous is that it relies on human error, rather
than on vulnerabilities in software and operating systems. Mistakes made by legitimate users
are much less predictable, making them harder to identify and prevent than a malware-based
intrusion.
Social engineering is a popular tactic among hackers because it is often easier to exploit
users’ weaknesses than it is to find a network or software vulnerability. Hackers will often
use social engineering tactics as a first step in a larger campaign to infiltrate a system or
network and steal sensitive data or disperse malware.

Let’s see in detail the most common social engineering attacks used to target users.
Phishing

Phishing attacks are the most common type of attack leveraging social engineering techniques.
Attackers use email, social media, instant messaging and SMS to trick victims into providing
sensitive information or visiting malicious URLs in an attempt to compromise their systems.
Phishing attacks are the most common attacks conducted by social engineers. They aim at
fraudulently acquiring private and confidential information from intended targets via phone calls
or emails. Attackers mislead victims to obtain sensitive and confidential information. They involve
fake websites, emails, ads, anti-virus, scareware, PayPal websites, awards, and free offers. For
instance, the attack can be a call or an email from a fake lottery department about winning a
prize of a sum of money, requesting private information or a click on a link attached to the
email.

Phishing attacks present the following common characteristics:

 Messages are composed to attract the user’s attention, in many cases to stimulate their
curiosity by providing a little information on a specific topic and suggesting that the victim
visit a specific website to gain further data.
 Phishing messages aimed at gathering the user’s information present a sense of urgency in an
attempt to trick the victim into disclosing sensitive data to resolve a situation that could get
worse without the victim’s interaction.
 Attackers leverage shortened URLs or embedded links to redirect victims to a malicious
domain that could host exploit code, or that could be a clone of a legitimate website with
a URL that appears legitimate. In many cases the actual link and the visual link in the email
are different; for example, the hyperlink in the email does not point to the same location as
the apparent hyperlink displayed to the user.
 Phishing email messages have a deceptive subject line to entice the recipient to believe that
the email has come from a trusted source; attackers use a forged sender address or the
spoofed identity of the organization. They usually copy content such as text, logos,
images, and styles used on the legitimate website to make it look genuine.
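An added example (not from the chapter) that checks an email for the characteristics listed above: links whose visible text names one host while the href points to another, shortened URLs that hide the destination, hosts that embed the sender’s domain without being under it, and urgency wording in the subject. The sample message, sender domain, hostnames and shortener list are constructed for illustration.

```python
"""Added example: flagging the phishing characteristics described in the text
in an HTML email. Sample message, domains and shortener list are constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co"}  # constructed shortlist
URGENCY_WORDS = re.compile(
    r"\b(urgent|immediately|suspended|within 24 hours|verify now)\b", re.IGNORECASE
)
LOOKS_LIKE_HOST = re.compile(r"[A-Za-z0-9-]+\.[A-Za-z]{2,}")


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(text: str) -> str:
    """Hostname of a URL, or of bare text that looks like one; '' if none."""
    if "://" not in text:
        text = "http://" + text
    return (urlparse(text).hostname or "").lower()


def analyze_email(subject: str, sender_domain: str, html_body: str) -> list:
    """Return human-readable findings; an empty list means nothing suspicious."""
    findings = []
    if URGENCY_WORDS.search(subject):
        findings.append(f"urgency wording in subject: {subject!r}")
    parser = LinkExtractor()
    parser.feed(html_body)
    for href, text in parser.links:
        href_host = host_of(href)
        # Visible link text that looks like a URL but points somewhere else.
        text_host = host_of(text) if LOOKS_LIKE_HOST.search(text) else ""
        if text_host and text_host != href_host:
            findings.append(f"link text shows {text_host} but href goes to {href_host}")
        # Sender's domain embedded in a host that is not actually under that domain.
        under_sender = href_host == sender_domain or href_host.endswith("." + sender_domain)
        if sender_domain in href_host and not under_sender:
            findings.append(f"lookalike host: {href_host} is not under {sender_domain}")
        if href_host in SHORTENER_HOSTS:
            findings.append(f"shortened URL hides destination: {href}")
    return findings


# Constructed sample message (not a real phishing email).
SAMPLE_SUBJECT = "URGENT: your account will be suspended"
SAMPLE_SENDER_DOMAIN = "example-bank.com"
SAMPLE_HTML = """
<p>Dear customer, verify your details within 24 hours:</p>
<a href="http://example-bank.com.login-check.example/verify">https://www.example-bank.com/login</a>
<p>Or use this <a href="http://bit.ly/abc123">link</a>.</p>
"""

if __name__ == "__main__":
    for finding in analyze_email(SAMPLE_SUBJECT, SAMPLE_SENDER_DOMAIN, SAMPLE_HTML):
        print("-", finding)
```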

Watering hole

A “watering hole” attack consists of injecting malicious code into the public web pages of a site
that the targets are known to visit. The method of injection is not new, and it is commonly used by cyber
criminals and hackers. The attackers compromise websites within a specific sector that are
ordinarily visited by the specific individuals of interest for the attack.

Whaling attack

Whaling is another evolution of phishing attacks that uses sophisticated social engineering
techniques to steal confidential information, personal data, access credentials to restricted
services/resources, and specifically information with relevant value from an economic and
commercial perspective.

What distinguishes this category of phishing from others is the choice of targets: relevant
executives of private business and government agencies. The word whaling is used, indicating that
the target is a big fish to capture.

Pretexting

The term pretexting indicates the practice of presenting oneself as someone else in order to obtain private
information. Usually, attackers create a fake identity and use it to manipulate the recipient into giving up
information. Attackers leveraging this specific social engineering technique usually adopt several
identities they have created during their career. This bad habit could expose their operations to
investigations conducted by security experts and law enforcement.

The success of a pretexting attack depends heavily on the attacker’s ability to build trust. The most
advanced forms of pretexting attack try to manipulate the victims into performing an action that
enables the attacker to discover and exploit a point of failure inside an organization. An attacker
can impersonate an external IT services operator to ask internal staff for information that could
allow access to systems within the organization.

Tailgating

The tailgating attack, also known as “piggybacking,” involves an attacker seeking entry to a
restricted area that lacks proper authentication.

The attacker can simply walk in behind a person who is authorized to access the area. In a typical
attack scenario, a person impersonates a delivery driver or a caretaker who is laden with parcels
and waits until an employee opens the door. The attacker asks the employee to hold the door,
bypassing the security measures in place (i.e. electronic access control).

Watering hole attacks, continued: once a victim visits the page on the compromised website, a
backdoor Trojan is installed on their computer. The watering hole method of attack is very common in
cyber espionage operations and state-sponsored attacks.

Social engineering prevention

Social engineers manipulate human feelings, such as curiosity or fear, to carry out schemes and
draw victims into their traps. Therefore, be wary whenever you feel alarmed by an email, attracted
to an offer displayed on a website, or when you come across stray digital media lying about. Being
alert can help you protect yourself against most social engineering attacks taking place in the
digital realm.

Moreover, the following tips can help improve your vigilance in relation to social engineering
hacks.

 Don’t open emails and attachments from suspicious sources: If you don’t know the
sender in question, you don’t need to answer the email. Even if you do know them and are
suspicious about their message, cross-check and confirm the news from other sources, such
as via telephone or directly from a service provider’s site. Remember that email addresses
are spoofed all of the time; even an email purportedly coming from a trusted source may
have actually been initiated by an attacker.
 Use multifactor authentication: One of the most valuable pieces of information attackers
seek is user credentials. Using multifactor authentication helps ensure your account’s
protection in the event of system compromise.
 Be wary of tempting offers: If an offer sounds too enticing, think twice before accepting
it as fact. Googling the topic can help you quickly determine whether you’re dealing with
a legitimate offer or a trap.
 Keep your antivirus/antimalware software updated: Make sure automatic updates are
enabled, or make it a habit to download the latest signatures first thing each day.
Periodically check to make sure that the updates have been applied, and scan your system
for possible infections.
