Threats, Attacks, And Vulnerabilities


Threats, Attacks, and Vulnerabilities
CSC 482/582: Computer Security
Slide #1

Topics
1. Threats
2. Cybercrimes
3. Attacks, Attack Surface, and Exploits
4. Malware
5. Vulnerabilities
6. Mitigations and Patches

Definitions
Threats are people who are able to take advantage of security vulnerabilities to attack systems.
- Vandals, hacktivists, criminals, spies, disgruntled employees, etc.
Vulnerabilities are weaknesses in a system that allow a threat to obtain access to information assets in violation of a system's security policy.
[Image: security advisory (2719662), "Vulnerabilities in Gadgets Could Allow Remote Code Execution"]
Attacks are actions taken by threats to obtain assets from systems in violation of the security policy.

Who are the Threats?
- Hacktivists
- Vandals
- Criminals
- Spies

Hacktivists
Hacktivists attack systems for political goals.
- Deface websites to spread their message (defacement of avg.com shown)
- Take down sites in retribution for actions.

Vandals

Cybercriminals
Focus on monetizing information via:
- Identity theft (phishing)
- Credit card or bank account fraud (phishing)
- Extortion (via ransomware or DDoS)
- Clickjacking
- Fraud (auction fraud, 419 scams, etc.)
Specialists who sell services to other criminals:
- Distribute malware
- Rent botnet computing services

Cyberspies
Threats that work for a nation state or corporation:
- Obtain classified information
- Install backdoors for later access
- Distract enemies from other operations
- Destroy physical devices (Stuxnet)
Terms: cyberespionage and cyberwarfare

Insider Problem
Insiders are threats who are members of the organization that they are attacking.
Insiders are dangerous because they:
- Are inside the security perimeter, so cannot be blocked by perimeter defenses like firewalls and locked doors.
- Have some level of legitimate access to systems.
- May have physical access to systems and information.

Cybercrimes
A cybercrime is a crime that uses a computer to commit a crime or that targets a computer in the commission of the crime.
Examples of cybercrime include:
- Spam
- Phishing
- Fraud
- Harassment (cyberstalking, cyberbullying)

Spam
Spam is the use of electronic messaging systems to send unsolicited bulk messages, especially advertising, indiscriminately.
- Types: e-mail, IM, wiki, comment spam.
Used to deliver other attacks:
- Malware
- Phishing and other fraud enticements

Over 90% of e-mail is spam!

Phishing E-mail

Phishing Site

Cybercrime Organization
Sponsors
- Governments, corporations, activist groups, organized crime, individuals.
Cybercrime Boss
- Works for sponsor or may be the sponsor himself.
- Plans crime, recruits tech providers and money mules.
Technology Providers
- Deployment providers
- Malware authors
- Botnet masters
Money Mules

Threat Model
A threat model describes which threats exist to a system, their capabilities, resources, motivations, and risk tolerance. Also known as an adversary model.
- Four quadrant model: skill and targeting.
- Resources and capabilities.
- Do you keep enough data about historical incidents to know capabilities and motivations?

Four Quadrant Threat Modeling
Source: IBM X-Force 2012 Trend and Risk Report

Resources
- Skilled personnel
- Money
- Computational power
- Technology
- Infrastructure

Capabilities
Computational
- Can try X keys/second or X passwords/second.
Informational
- Has access to {past, current, future} encrypted data.
- Has access to X GB of data.
Access
- Physical access.
- User access: none, authenticated, admin.
- Can read network data.
- Can inject packets into network.
(Slide margin labels: Class IV, Class III, Class II, Class I.)

Advanced Persistent Threat
Advanced persistent threat (APT) refers to a group that has the ability to maintain a constant presence inside a target's network.
- Sophisticated
- Targeted.
- Skilled personnel.
- May be backed with considerable budget.

Threat Information Sources
- Computer Emergency Response Team (CERT)
- Krebs On Security
- SANS Internet Storm Center (ISC)
- Symantec Internet Threat Reports
- ThreatPost
- See resources page on class site for more.

Attacks
An attack is an action taken by a threat to gain unauthorized access to information or resources or to make unauthorized modifications to information or computing systems.
- Spoofing (pretending to be another entity)
- Packet sniffing (intercepting network traffic)
- Man in the middle (active interception of traffic)
- Injection attacks (buffer overflows, SQL injection, etc.)
- Denial of service (resource depletion)
- Defacement (vandalism)
- Social engineering, etc.

How are Digital Attacks Different?
Automation
- Salami attack from Office Space.
Action at a Distance
- Volodya Levin, from St. Petersburg, Russia, stole over 10 million from US Citibank. Arrested in London.
Technique Propagation
- Criminals share attacks rapidly and globally.

Spoofing
A spoofing attack is when a threat masquerades as another entity on a telecommunications network.
Examples of spoofing include:
- E-mail spoofing
- ARP spoofing (MAC to IP address map spoofing)
- IP address spoofing
- Caller ID spoofing
- GPS spoofing

Sniffing
Packet sniffing is when a program records wired or wireless network packets destined for other hosts.
- Wireless traffic is available to everyone nearby. Antennas can extend range to miles.
- Wired traffic is accessible depending on network location. If the network location is unsatisfactory, ARP spoofing can redirect traffic to the sniffing machine.
Sniffing is used to:
- Obtain passwords (FTP, IMAP, etc.)
- Obtain other confidential information
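The Spoofing and Sniffing slides both mention ARP spoofing, where a host answers ARP for an IP it does not own so that a victim's traffic is redirected to it. What that looks like from the defender's side is a poisoned IP-to-MAC mapping on the wire. The following detector is an added example (not code from the slides or the course); it runs on a constructed list of ARP replies and assumes the administrator knows the gateway's real MAC as a static binding.

```python
"""Detect ARP spoofing from observed ARP replies.

Added example on constructed sample data; the gateway binding is assumed static.
"""
from collections import defaultdict

# Constructed sample of ARP "is-at" replies seen on one LAN segment:
# (seconds since capture start, sender IP, sender MAC).
ARP_REPLIES = [
    (0, "192.168.1.1", "aa:aa:aa:aa:aa:01"),    # gateway
    (1, "192.168.1.20", "aa:aa:aa:aa:aa:20"),   # workstation
    (2, "192.168.1.21", "aa:aa:aa:aa:aa:21"),   # another host on the segment
    (30, "192.168.1.1", "aa:aa:aa:aa:aa:01"),
    (31, "192.168.1.1", "aa:aa:aa:aa:aa:21"),   # gateway IP now claimed by .21's MAC
    (32, "192.168.1.20", "aa:aa:aa:aa:aa:21"),  # .20's IP claimed by the same MAC
    (33, "192.168.1.1", "aa:aa:aa:aa:aa:21"),
]

# Static binding an administrator is assumed to know: the gateway's real MAC.
TRUSTED = {"192.168.1.1": "aa:aa:aa:aa:aa:01"}


def detect_arp_spoofing(replies, trusted=None):
    """Return a list of alert dicts, in time order.

    Two signals are checked:
      * an IP whose MAC differs from an earlier reply (or from a trusted
        static binding), which is how a poisoned cache looks on the wire;
      * one MAC claiming more than one IP, which is what a host sitting
        between a victim and the gateway has to do to relay both sides.
    """
    trusted = dict(trusted or {})
    ip_to_mac = dict(trusted)          # static bindings plus learned ones
    mac_to_ips = defaultdict(set)      # reverse index for multi-IP claims
    alerts = []
    for t, ip, mac in replies:
        previous = ip_to_mac.get(ip)
        if previous is not None and previous != mac:
            kind = "STATIC_BINDING_VIOLATION" if ip in trusted else "MAC_CHANGE"
            alerts.append({"t": t, "kind": kind, "ip": ip, "old": previous, "new": mac})
        if ip not in trusted:
            ip_to_mac[ip] = mac        # learned bindings follow the latest reply
        first_claim = ip not in mac_to_ips[mac]
        mac_to_ips[mac].add(ip)
        if first_claim and len(mac_to_ips[mac]) > 1:
            alerts.append({"t": t, "kind": "MULTI_IP_MAC", "mac": mac,
                           "ips": tuple(sorted(mac_to_ips[mac]))})
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_spoofing(ARP_REPLIES, TRUSTED):
        print(alert)
```

Without the static binding the gateway change is only a MAC_CHANGE and the learned table follows the attacker's reply, which is exactly why static ARP entries (or a switch feature that validates ARP against DHCP leases) are the usual mitigation on wired networks.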

Man in the Middle
A man-in-the-middle attack is an active eavesdropping attack, in which the attacker connects to both parties and relays messages between them.

Injection Attacks
Injection attacks send code to a program instead of the data it expected, then exploit a vulnerability in the software to execute the code.
- Buffer overflows inject machine code into a process.
- Cross-site scripting injects JavaScript code into a web page seen by another user.
- SQL injection injects SQL code into a database query run by an application.
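The SQL injection case on this slide is the easiest one to see in working code: the flaw is that user input is pasted into the query text, so the database parses it as SQL rather than as data. The example below is added here (it is not code from the slides) and uses Python's sqlite3 module with an in-memory table and constructed rows; it places the string-built query beside the parameterized one that fixes it.

```python
"""SQL injection: a string-built query beside its parameterized replacement.

Added example using Python's sqlite3 with an in-memory, constructed table.
"""
import sqlite3


def make_db():
    """Create an in-memory database with a small constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "alice@example.test", "admin"),
         ("bob", "bob@example.test", "user"),
         ("carol", "carol@example.test", "user")],
    )
    return conn


def lookup_vulnerable(conn, name):
    """Pastes the input into the SQL text, so the input is parsed as part of
    the statement: a quote character lets it become code instead of data."""
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, name):
    """Keeps the statement fixed and binds the value separately; the driver
    never parses the input as SQL, whatever characters it contains."""
    sql = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


# Constructed inputs: an ordinary lookup, and a tautology that turns the
# WHERE clause of the string-built query into  name = 'x' OR '1'='1'.
NORMAL_INPUT = "bob"
INJECTED_INPUT = "x' OR '1'='1"


def compare(name):
    """Return (rows from the vulnerable query, rows from the parameterized query)."""
    conn = make_db()
    return lookup_vulnerable(conn, name), lookup_parameterized(conn, name)


if __name__ == "__main__":
    for label, value in (("normal", NORMAL_INPUT), ("injected", INJECTED_INPUT)):
        vuln, safe = compare(value)
        print(f"{label}: vulnerable returned {len(vuln)} rows, parameterized {len(safe)}")
```

For the normal input both functions return the same single row; for the injected input the string-built query returns every user (the condition is always true) while the parameterized query returns nothing, because it looks for a user literally named `x' OR '1'='1`. The same code-versus-data distinction is what the other two bullets describe for machine code and JavaScript.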

Denial of Service
A denial of service (DoS) attack attempts to make computer or network resources unavailable to its intended users.

Social Engineering
Social engineering is the psychological manipulation of people to reveal confidential information or perform actions that violate security policy.

Attack Surface
Attack surface: the set of ways an application can be attacked.
Used to measure attackability of an app.
- The larger the attack surface of a system, the more likely an attacker is to exploit its vulnerabilities and the more damage is likely to result from attack.
- Compare to measuring vulnerability by counting the number of reported security bugs.
- Both are useful measures of security, but have very different meanings.

Exploits
An exploit is a technique or tool that takes advantage of a vulnerability to violate an implicit or explicit security policy.
Exploits can be categorized by:
1. The type of vulnerability they exploit.
2. Local (runs on vulnerable host) or remote.
3. Result of exploit (elevation of privilege, DoS, spoofing, remote access, etc.)

Exploitation Frameworks

Malware
Malware, short for malicious software, is software designed to gain access to confidential information, disrupt computer operations, and/or gain access to private computer systems.
Malware can be classified by how it infects systems:
- Trojan horses
- Viruses
- Worms
Or by what assets it targets:
- Ransomware
- Spyware and adware
- Backdoors
- Rootkits
- Botnets

How much malware is out there?

Trojan Horses

Trojan Horse Examples

Viruses
A computer virus is a type of malware that, when executed, replicates by inserting copies of itself (possibly modified) into other files. This process is called infecting.

Worms
A worm is a type of malware that spreads itself to other computers.

Ransomware

Information Stealers
Information stealers target specific types of information, such as passwords, financial credentials, private information, etc.
- Keyloggers (can be hardware too)
- Desktop recorders
- Memory scrapers

Spyware and Adware

Backdoors

Backdoor Example: Dark Comet

Rootkits
[Diagram: the rootkit sits between user programs and the operating system, providing:]
- Execution redirection
- File hiding
- Process hiding
- Network hiding
- Backdoor

Covert Channels
Covert channels enable communication using techniques not meant for information exchange.
- Malware could increase CPU usage to 100% to communicate a 1; regular usage is a 0.
- Malware could fill a storage device to 100% to communicate a 1; a non-full device is a 0.
- Malware could send 2 packets/second to indicate a 1, 1 packet/second to indicate a 0.
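Each of these channels modulates a resource metric between two levels, one interval per bit, which is also what makes them visible to a monitor that already records those metrics. The following added example (not from the slides) takes the third bullet, a per-second packet rate switching between 1 and 2 packets/s, over constructed data for two hosts: it flags the host whose rate is confined to exactly two levels for a long stretch and demodulates the series to show what such a channel carries. The threshold and the strict two-value test are assumptions chosen for illustration.

```python
"""Flag hosts whose per-second packet rate behaves like a two-level covert channel.

Added example on constructed data; demodulating the series shows what is leaked.
"""

# Constructed per-second packet counts over 16 seconds. host_a is an ordinary
# workstation with a bursty, many-valued rate. host_b alternates strictly between
# 1 and 2 packets/s, as the slide describes, sending the byte 0b01001011 ('K') twice.
RATE_SERIES = {
    "host_a": [3, 7, 0, 12, 5, 1, 9, 4, 0, 6, 2, 8, 3, 11, 0, 5],
    "host_b": [1, 2, 1, 1, 2, 1, 2, 2, 1, 2, 1, 1, 2, 1, 2, 2],
}


def two_level_signal(counts, min_len=8):
    """Return (low, high) if a series of at least min_len samples uses exactly
    two distinct values; otherwise None.

    Ordinary traffic produces many different per-second counts, so a long
    series confined to two levels is the anomaly this (simplified) check flags.
    """
    levels = sorted(set(counts))
    if len(counts) < min_len or len(levels) != 2:
        return None
    return levels[0], levels[1]


def demodulate(counts, low, high):
    """Map the high level to bit 1 and the low level to bit 0, one bit per interval."""
    return [1 if c == high else 0 for c in counts]


def bits_to_bytes(bits):
    """Pack complete 8-bit groups, most significant bit first; trailing bits are dropped."""
    out = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):
        out.append(int("".join(str(b) for b in bits[i:i + 8]), 2))
    return bytes(out)


def scan(series, min_len=8):
    """Return {host: finding} for every host whose rate looks like a two-level channel."""
    findings = {}
    for host, counts in series.items():
        levels = two_level_signal(counts, min_len)
        if levels is None:
            continue
        bits = demodulate(counts, *levels)
        findings[host] = {"levels": levels, "bits": bits, "payload": bits_to_bytes(bits)}
    return findings


if __name__ == "__main__":
    for host, finding in scan(RATE_SERIES).items():
        print(host, finding["levels"], finding["payload"])
```

A production detector would use a regularity or entropy measure rather than an exact two-value test, since a genuinely idle host can also sit at 0 and 1 packets/s for a while; the point the example makes is that the channel's own signal, a metric held to a small fixed alphabet at a fixed interval, is the thing to alert on. The same check applies unchanged to any per-interval metric series, such as sampled CPU or disk utilization.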

Botnets

Vulnerabilities
Vulnerabilities can be found in any software:
- PC: Office, Adobe Reader, web browsers
- Server: databases, DNS, mail server software, web servers, web applications, etc.
- Mobile: mobile phone OS, mobile applications
- Embedded: printers, routers, switches, VoIP phones, cars, medical devices, TVs, etc.
- Third party software: web browser plugins, ad affiliate network JavaScript include files, mobile ad libraries

Document Format Vulnerabilities
Source: IBM X-Force 2012 Trend and Risk Report

Web Browser Vulnerabilities
Source: IBM X-Force 2012 Trend and Risk Report

Embedded Vulnerabilities

Mitigations
A mitigation is a process, technique, tool, or software modification that can prevent or limit exploits against vulnerabilities.
- A password length policy is a process mitigation to protect against password guessing attacks.
- A firewall is a tool mitigation that limits exploits by blocking certain types of network traffic.
- Checking for the lock icon in the location bar of your browser is a technique mitigation for verifying that web connections are encrypted.

Security Patches
A security patch is a software modification designed to prevent or limit a vulnerability. A patch is a type of mitigation.
- Administrator may have to apply manually.
- Some vendors specify certain days to patch, such as "Patch Tuesday," the 2nd Tuesday of the month when MS releases updates.
- Increasingly software auto updates itself with current patches.

Vulnerability Timeline

Zero Day
A zero day vulnerability, attack, or exploit is a newly discovered one for which no patch currently exists.
- Once a patch is released, the vulnerability, attack, or exploit is no longer a zero day.
Google's Project Zero focuses on finding zero day vulnerabilities in open source and commercial software before attackers do.
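The vulnerability timeline, the patching slide and the zero-day definition above describe one lifecycle: a flaw is introduced, then discovered, then patched by the vendor, then patched on each system, and the time between discovery and the local fix is the window of exposure (the term reference 1 uses). The following added example (not from the slides) turns those phases into date arithmetic on constructed dates, so that the "no patch exists yet" test for a zero day and the separate vendor-release and local-apply lags are explicit.

```python
"""Vulnerability lifecycle dates -> phase lengths and zero-day status.

Added example; all dates are constructed for illustration.
"""
from datetime import date


def lifecycle(introduced, disclosed, patch_released=None, patch_applied=None, today=None):
    """Return the lifecycle phases, in days, for one vulnerability on one system.

    introduced:     date the flaw entered the code base
    disclosed:      date it became known (to attackers or publicly)
    patch_released: date the vendor shipped a fix, or None if still unpatched
    patch_applied:  date this system installed the fix, or None if not yet
    today:          reference date for phases that are still open
    """
    today = today or date.today()
    exposure_end = patch_applied or today          # exposure lasts until the local fix
    zero_day_end = patch_released or today         # zero day lasts until a patch exists
    return {
        "latent_days": (disclosed - introduced).days,        # flaw present but unknown
        "zero_day_days": (zero_day_end - disclosed).days,    # known, no patch available
        "patch_lag_days": (exposure_end - patch_released).days if patch_released else None,
        "exposure_days": (exposure_end - disclosed).days,    # window of exposure
        "is_zero_day": patch_released is None or patch_released > today,
        "still_exposed": patch_applied is None,
    }


# Constructed scenario: a flaw shipped in January, disclosed June 1, vendor patch
# June 15, installed locally on July 1.
EXAMPLE = lifecycle(
    introduced=date(2013, 1, 10),
    disclosed=date(2013, 6, 1),
    patch_released=date(2013, 6, 15),
    patch_applied=date(2013, 7, 1),
    today=date(2013, 7, 1),
)

if __name__ == "__main__":
    for key, value in EXAMPLE.items():
        print(f"{key}: {value}")
```

With these dates the zero-day period is 14 days and the window of exposure 30 days; the 16-day difference is the administrator's patch lag, which is the part of the window a deployment process (or auto-update, as the patching slide notes) can shorten.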

Vulnerability Markets

Vulnerability Databases

Time to Attack after Deployment
Jan 1 2005 – Jan 1 2014

Key Points
1. Definitions
   1. threat, threat model, APT, attack, attack surface, exploit, vulnerability, mitigation, patch, zero day, malware
2. Four Quadrant Threat Model
   1. Expertise: off-the-shelf tool users up to sophisticated build-your-own
   2. Focus: broad attacks on anyone to targeted attacks on high value victims
3. Attack types: spam, phish, spoof, sniff, MITM, DoS
4. Malware types: Trojan, virus, worm
5. Vulnerability lifecycle: introduction, zero-day, patch, window of exposure
6. You can improve the security of a system by
   1. Mitigating vulnerabilities
   2. Reducing attack surface

References
1. Arbaugh, William A., William L. Fithen, and John McHugh. "Windows of vulnerability: A case study analysis." Computer 33.12 (2000): 52-59.
2. Nate Anderson, "Meet the men who spy on women through their webcams: The Remote Administration Tool is the revolver of the Internet's Wild West," Ars h-their-webcams/, 2013.
3. Honeynet Project, Know Your Enemy, 2nd edition, Addison-Wesley, 2004.
4. IBM, X-Force 2012 Risk and Trends Report, 2013.
5. Stuart McClure, Joel Scambray, and George Kurtz, Hacking Exposed, 7th edition, McGraw-Hill, 2012.
6. Norton, Fake Antivirus, urcecenter/fake-antivirus.html
7. Ed Skoudis, Counter Hack Reloaded, Prentice Hall, 2006.
8. Stuart Staniford, Vern Paxson, and Nicholas Weaver, "How to 0wn the Internet in Your Spare Time," Proceedings of the 11th USENIX Security Symposium, 2002.

Released under CC BY-SA 3.0
This presentation is released under the Creative Commons Attribution-ShareAlike 3.0 Unported (CC BY-SA 3.0) license.
You are free:
- to Share: to copy and redistribute the material in any medium
- to Adapt: to remix, transform, and build upon the material
- to use part or all of this presentation in your own classes
Under the following conditions:
- Attribution: You must attribute the work to James Walden, but cannot do so in a way that suggests that he endorses you or your use of these materials.
- Share Alike: If you remix, transform, or build upon this material, you must distribute the resulting work under this or a similar open license.
Details and full text of the license can be found 0/
