UNIT II ATTACKS AND COUNTERMEASURES

OSWAP; Malicious Attack Threats and Vulnerabilities: Scope of Cyber-Attacks –

Security Breach – Types of Malicious Attacks – Malicious Software – Common Attack
Vectors – Social engineering Attack – Wireless Network Attack – Web Application
Attack – Attack Tools – Countermeasures

What is OWASP?

The Open Web Application Security Project, or OWASP, is an international non-profit

organization dedicated to web application security. One of OWASP’s core principles is that
all of their materials be freely available and easily accessible on their website, making it
possible for anyone to improve their own web application security. The materials they offer
include documentation, tools, videos, and forums. Perhaps their best-known project is the
OWASP Top 10.

What is the OWASP Top 10?

The OWASP Top 10 is a regularly-updated report outlining security concerns for web
application security, focusing on the 10 most critical risks. The report is put together by a
team of security experts from all over the world. OWASP refers to the Top 10 as an
‘awareness document’ and they recommend that all companies incorporate the report into
their processes in order to minimize and/or mitigate security risks.

Below are the security risks reported in the OWASP Top 10

1. Injection

Injection attacks happen when untrusted data is sent to a code interpreter through a
form input or some other data submission to a web application. For example, an attacker
could enter SQL database code into a form that expects a plaintext username. If that form
input is not properly secured, this would result in that SQL code being executed. This is
known as an SQL injection attack.
Injection attacks can be prevented by validating and/or sanitizing user-submitted data.
(Validation means rejecting suspicious-looking data, while sanitization refers to cleaning up
the suspicious-looking parts of the data.) In addition, a database admin can set controls to
minimize the amount of information an injection attack can expose.
2. Broken Authentication

Vulnerabilities in authentication (login) systems can give attackers access to user

accounts and even the ability to compromise an entire system using an admin account. For
example, an attacker can take a list containing thousands of known username/password
combinations obtained during a data breach and use a script to try all those combinations on a
login system to see if there are any that work.
Some strategies to mitigate authentication vulnerabilities are requiring two-factor
authentication (2FA) as well as limiting or delaying repeated login attempts using rate
limiting.

3. Sensitive Data Exposure

If web applications don’t protect sensitive data such as financial information and
passwords, attackers can gain access to that data and sellor utilize it for nefarious purposes.
One popular method for stealing sensitive information is using an on-path attack.

Data exposure risk can be minimized by encrypting all sensitive data as well as disabling
the caching* of any sensitive information. Additionally, web application developers should
take care to ensure that they are not unnecessarily storing any sensitive data.

*Caching is the practice of temporarily storing data for re-use. For example, web browsers
will often cache web pages so that if a user revisits those pages within a fixed time span, the
browser does not have to fetch the pages from the web.

4. XML External Entities (XEE)

This is an attack against a web application that parses XML* input. This input can
reference an external entity, attempting to exploit a vulnerability in the parser. An ‘external
entity’ in this context refers to a storage unit, such as a hard drive. An XML parser can be
duped into sending data to an unauthorized external entity, which can pass sensitive data
directly to an attacker.

The best ways to prevent XEE attacks are to have web applications accept a less
complex type of data, such as JSON**, or at the very least to patch XML parsers and disable
the use of external entities in an XML application.
*XML or Extensible Markup Language is a markup language intended to be both human-
readable and machine-readable. Due to its complexity and security vulnerabilities, it is now
being phased out of use in many web applications.

**JavaScript Object Notation (JSON) is a type of simple, human-readable notation often used
to transmit data over the internet. Although it was originally created for JavaScript, JSON is
language-agnostic and can be interpreted by many different programming languages.
5. Broken Access Control

Access control refers a system that controls access to information or functionality.

Broken access controls allow attackers to bypass authorization and perform tasks as though
they were privileged users such as administrators. For example a web application could allow
a user to change which account they are logged in as simply by changing part of a url,
without any other verification.

Access controls can be secured by ensuring that a web application uses authorization
tokens* and sets tight controls on them.

*Many services issue authorization tokens when users log in. Every privileged request
that a user makes will require that the authorization token be present. This is a secure way to
ensure that the user is who they say they are, without having to constantly enter their login
credentials.

6. Security Misconfiguration

Security misconfiguration is the most common vulnerability on the list, and is often
the result of using default configurations or displaying excessively verbose errors. For
instance, an application could show a user overly-descriptive errors which may reveal
vulnerabilities in the application. This can be mitigated by removing any unused features in
the code and ensuring that error messages are more general.
7. Cross-Site Scripting

Cross-site scripting vulnerabilities occur when web applications allow users to add
custom code into a url path or onto a website that will be seen by other users. This
vulnerability can be exploited to run malicious JavaScript code on a victim’s browser. For
example, an attacker could send an email to a victim that appears to be from a trusted bank,
with a link to that bank’s website. This link could have some malicious JavaScript code
tagged onto the end of the url. If the bank’s site is not properly protected against cross-site
scripting, then that malicious code will be run in the victim’s web browser when they click on
the link.
Mitigation strategies for cross-site scripting include escaping
untrusted HTTP requests as well as validating and/or sanitizing user-generated content. Using
modern web development frameworks like ReactJS and Ruby on Rails also provides some
built-in cross-site scripting protection.

8. Insecure Deserialization

This threat targets the many web applications which frequently serialize and
deserialize data. Serialization means taking objects from the application code and converting
them into a format that can be used for another purpose, such as storing the data to disk or
streaming it. Deserialization is just the opposite: converting serialized data back into objects
the application can use. Serialization is sort of like packing furniture away into boxes before a
move, and deserialization is like unpacking the boxes and assembling the furniture after the
move. An insecure deserialization attack is like having the movers tamper with the contents
of the boxes before they are unpacked.
An insecure deserialization exploit is the result of deserializing data from untrusted
sources, and can result in serious consequences like DDoS attacks and remote code execution
attacks. While steps can be taken to try and catch attackers, such as monitoring
deserialization and implementing type checks, the only sure way to protect against insecure
deserialization attacks is to prohibit the deserialization of data from untrusted sources.

9. Using Components With Known Vulnerabilities

Many modern web developers use components such as libraries and frameworks in
their web applications. These components are pieces of software that help developers avoid
redundant work and provide needed functionality; common example include front-end
frameworks like React and smaller libraries that used to add share icons or a/b testing. Some
attackers look for vulnerabilities in these components which they can then use to orchestrate
attacks. Some of the more popular components are used on hundreds of thousands of
websites; an attacker finding a security hole in one of these components could leave hundreds
of thousands of sites vulnerable to exploit.
Component developers often offer security patches and updates to plug up known
vulnerabilities, but web application developers don’t always have the patched or most-recent
versions of components running on their applications. To minimize the risk of running
components with known vulnerabilities, developers should remove unused components from
their projects, as well as ensuring that they are receiving components from a trusted source
and ensuring they are up to date.
10. Insufficient Logging And Monitoring

Many web applications are not taking enough steps to detect data breaches. The
average discovery time for a breach is around 200 days after it has happened. This gives
attackers a lot of time to cause damage before there is any response. OWASP recommends
that web developers should implement logging and monitoring as well as incident response
plans to ensure that they are made aware of attacks on their applications.

Malicious Attack Threats and Vulnerabilities

KEY TERMINOLOGIES

Attack OR Attack Vector

An attack vector is defined as the technique by which unauthorized access is gained
inside the computer or network for a criminal purpose by exploiting the vulnerabilities in the
system.
Risk
It can be defined as the probability of the loss from any particular threat from the
threat landscape, which can exploit the system and gain the benefits from it such as loss of
private and confidential information such as username and password, sensitive organization
data, also the loss of the reputation which has occurred can be considered. Also, the loss
occurred in terms of damage or destruction of hardware and software assets can be
considered as Risk.
Threat
Anything that can exploit a vulnerability, intentionally or accidentally, and obtain, damage, or
destroy an asset.
Vulnerability

Weaknesses or gaps in a systems security program, design policies and implementation that
can be exploited by different threats to gain unauthorized access of a computer system or
network.

Asset

People, property, and information. People may include employees and customers. Property
assets consist of both tangible and intangible items that can be assigned a value. Intangible
assets include reputation and proprietary information. Information may include databases,
software code, critical company records, and many other intangible items.

Countermeasure

An action, device, procedure, or technique that reduces a threat, a vulnerability, or an attack

by eliminating or preventing it, or by minimizing the harm it can cause, or by discovering and
reporting it so that corrective and proactive action can be taken.

Here in the below image, we will the relationship between all the different terminologies we
have seen.

Figure 2.1 Security Concepts and Relationships

Let us start looking at each concept in details. But before that let us look key terminologies
into the equation form which is given below and we will look at them in detail.

2.4ATTACK
 We have already seen the definition of the attack on the previous page, we will look here
the subtypes of attack and they are Active Attacks and Passive Attacks.

 Active Attacks: In an active attack, the attacker intercepts the connection and then
modifies information.

Figure 2.2 Active Attack Source:techdifferences.net

An active attack can be divided further into Masquerade, Replay attack, Modification of
messages.

 Passive Attack: In a passive attack, the attacker intercepts the information but with the
intent of reading the information and not modifying it. It can further be divided as Traffic
Analysis and Release of Message content.

Figure 2.3 Passive Attack

We can also classify the attack based on its origin.

 Inside Attack: If the origin of the threat agent is from the inside the organization, which
may have the authorization and access granted to the resources, but uses it with the
criminal intent.
 Outside Attack: Origin or source of the attack is from the outside of the organization and
gains the unauthorized access to the system or resources with the criminal intent.

A Cyber attack can destroy the business overnight; a proper security defense is required to
stop such attacks. The main focus is to compromise the systems and gain access to sensitive
data. Let us see the top cyber security attack and what do they do.

 Phishing Attack: It is a type of security attack that tricks the user to divulge the sensitive
and personal/confidential information which is sometimes referred to as “Phishing Scam”
also. Definitely, every user will not click the links provided in the email id for providing
the details, but the attackers are smart they will perform the social engineering and will
send the emails to the users with the similar content which user is already looking or
interested in it.

The most targeted business sectors are Payment Platforms, Financial and Banking
organizations, Webmail services and Cloud storage/hosting providers.

Phishing attacks engage users with a specific message and very solicit way for the
response from the user which is ideally to click on the link is known as “Call To Action”.
Which means the attacker wants the user action on the link provided in the email to
perform the action.

• Spear phishing: When a phishing attack is targeted to the specific individuals

of the organization, it is known as spear phishing. Attackers use the solicit
company logo, footer and all other style information which is present in the
legit email to trick the user. The content of the email mainly focuses on the
password reset email or, account reset activity.

For the prevention of the phishing, the user has to check clearly the from address and email
content, along with the links present in the email body. Apart from this, employees awareness
using various teaching method is the most important as major data breach occurs due to
human error which cannot be ignored.

 SQL Injection Attack: SQL which is pronounced as “squeal” stands for the structured
query language. It’s a programming language used to communicate with databases. It is
used to store critical data of websites/users/services in their databases which can contain
personal and sensitive information such as username and password, transaction details.
 SQL Injection attack targets the database using specifically crafted SQL statements to
trick the system into unexpected and undesired outputs.

SQL Injection attack can be carried out in different ways which can be decided after the
attacker identifies system behavior.

If the web application is building a SQL query string dynamically with the account
number the user will provide, it might look something like this:

“SELECT * FROM customers WHERE account = ‘“

+userProvidedAccountNumber +”’;”

While this works for users who are properly entering their account number, it leaves the
door open for attackers. For example, if someone decided to provide an account number
of “‘ or ‘1’ = ‘1”, that would result in a query string of:

“SELECT * FROM customers WHERE account = ‘’ or ‘1’ = ‘1’;”

Due to the ‘1’ = ‘1’ always evaluates to TRUE, sending this statement to the database will
result in the data for all customers being returned instead of just a single customer.

The above query might not work for all the database, but it can work where there are less
or no security measures taken to filter such SQL injection queries.

Other types of SQL injection attacks include Blind SQL Injection, Out of Bound SQL
Injection. SQL Injection attack can be prevented by avoiding the use of dynamic SQL,
sanitize user inputs, don’t store data in plaintext, provide access control and privileges also
use of web application firewall is a must.

 Denial-of-service(DOS) and Distributed Denial of Service(DDOS): Denial-of-Service

attack focus on disrupting or preventing legitimate users from accessing the websites or
application or any other resources by sending flood of messages, packets, & connection
requests, causing the target to slow down or “crash”, rendering it unavailable to its
users. Attacker mostly targets high-end value organizations such as media houses,
banking, and financial organization, E-Commerce to disrupt their services.

When the majority of present-day DoS attacks involve a number of systems (even into the
hundreds of thousands) under the attacker’s control which are installed with the bots, all
simultaneously attacking the target. This coordination of attacking systems is referred to
as a “Distributed Denial-of-Service” (DDoS).
 Figure 2.4 DDOS Architecture Source:Wikimedia.com

 Man-In-The-Middle Attack and Session Hijacking: Man-in-the-middle attacks are

a common type of cyber security attack that allows attackers to eavesdrop on the
communication between two targets. The attack takes place in between two legitimately
communicating hosts, allowing the attacker to “listen” to a conversation they should
normally not be able to listen.

When a user is using the internet and our computer performs a lot back and forth
transaction, the application generates and uses a session ID which will be unique and to
make the transactions private between user and application. The attacker hijacks the
session ID to eavesdrop the communication between user and application.

There are various types of Man-In-The-Middle Attack such as Rogue access points, ARP
Spoofing, DNS Spoofing, Packet Injection, SSL Striping.

We can prevent such attacks by using strong WEP/WAP encryption on access points,
using a virtual private network(VPN), enforce https and using a strong combination of the
public key pair authentication.

 Brute-Force Attack(Password Attack): The theory behind such an attack is that if you
take an infinite number of attempts to guess a password, you are bound to be right
eventually. The term brute-force means overpowering the system through repetition. A
 brute force attack is among the simplest and least sophisticated hacking method. Brute
Force attacks often use automated systems or tools to perform the attack in which
different password combinations are used to try to gain entry to a network, such as a
dictionary attack list or using rainbow tables.

The attacker aims to forcefully gain access to a user account by attempting to guess the
username/email and password. Usually, the motive behind it is to use the breached
account to execute a large-scale attack, steal sensitive data, shut down the system, or a
combination of the three.

We can prevent it by using a strong password combination policy and require to change a
password on regular intervals, locking out accounts on a certain number of incorrect
password attempts, use captcha, two-factor authentication, monitoring server logs, limit
logins from the single IP/Range.

 Malware Attack: Malware can be described as Malicious software that is installed in

your system without your consent. It can attach itself to the legitimate process or replicate
itself or can put itself to startup. The objective of the malware could be to exfiltrate
information, disrupt business operations, demand payment, There are many types of
malware below are some of the commonly known types:
• Macro Virus: These viruses infect applications such as Microsoft Word or
Excel. Macro viruses attach to an application’s initialization sequence. When
the application is opened, the virus executes instructions before transferring
control to the application. The virus replicates itself and attaches to other code
in the computer system.
• Trojans: A Trojan or a Trojan horse is a program that hides in a useful
program and usually has a malicious function. A major difference between
viruses and Trojans is that Trojans do not self-replicate. In addition to
launching attacks on a system, a Trojan can establish a back door that can be
exploited by attackers
• Logic bombs: A logic bomb is a type of malicious software that is appended
to an application and is triggered by a specific occurrence, such as a logical
condition or a specific date and time.
• Worms: Worms differ from viruses in that they do not attach to a host file, but
are self-contained programs that propagate across networks and computers. A
 typical worm exploit involves the worm sending a copy of itself to every
contact in an infected computer’s email address In addition to conducting
malicious activities, a worm can result in denial-of-service attacks against
nodes on the network.
• Dropper: A dropper is a program used to install viruses on computers. In
many instances, the dropper is not infected with malicious code and, therefore
might not be detected by virus-scanning software. A dropper can also connect
to the internet and download updates to virus software that is resident on a
compromised system.
• Ransomware:Ransomware is a type of malware that blocks access to the
victim’s data and threatens to publish or delete it unless a ransom is paid.
While some simple computer ransomware can lock the system in a way that is
not difficult for a knowledgeable person to reverse, more advanced malware
uses a technique called cryptoviral extortion and asks for the payment in
bitcoinWhich encrypts the victim’s files in a way that makes them nearly
impossible to recover without the decryption key or using the decryptor if it is
available.
• Adware: Adware is a software application used by companies for marketing
purposes; advertising banners are displayed while any program is running.
Adware can be automatically downloaded to your system while browsing any
website and can be viewed through pop-up windows or through a bar that
appears on the computer screen automatically.
• Spyware: Spyware is a type of program that is installed to collect information
about users, their computers or their browsing history. It tracks everything you
do without your knowledge and sends the data to a remote user. It also can
download and install other malicious programs from the internet. Spyware
works like adware but is usually a separate program that is installed
unknowingly when you install another freeware application.
• Zero-Day Exploit: A zero-day exploit hits after a vulnerability has been
announced, but before a patch or solution is implemented. Attacker targets the
disclosed vulnerability during this window of time.

To prevent such attack we need to ensure that the anti-virus product is up-to-date with the
latest signatures, continues user education, performing regular audits, regular backup of the
websites, application, and databases at multiple locations.Now we will start with
understanding the complete Risk Rating Methodology. It will also include different steps
such as Risk Analysis, Risk Assessment, and Risk Management.

Check Your Progress 1

1. What kind of malware encrypts the file and ask for ransom to decrypt the file __________
2. Mention any two types of SQL injection attacks
___________________________________
3. Which type of malicious software captures the user data and history _________________

RISK ASSESSMENT
Identifying threats and vulnerabilities is very important to build a robust security architecture.
It always starts with identifying what are the important assets which need to be secured from
threats. So the first and foremost task is to define the scope of the cybersecurity Risk
Assessment. Being able to estimate the associated risk to the business is very important.

Figure 2.5 Risk Equation

 Assets: We have seen the definition of the Assets in the first section under key
terminologies. Now we will understand the assets in relation to threat actions and will
map with the CIA triad.

Assets can be categorized in various types such as hardware, software, Data, and
communication channel(different devices including communication cables). In details if
we go it can be described as follow:
 Physical assets such as Computer, Laptop, Networking Devices, Storage Devices,
etc..Software such as Operating system, Application Running on the system, services
running, port scanning, API services, protocols used, and policies.

All this can be considered as an important asset and are part of the scope of the Risk
Assessment. One may identify security concerns in architecture or design. By using this
process it is possible to estimate the severity of all of these risks to the business and make
an informed decision about what to do about those risks. Having a system in place for
rating risks will save time when there is a situation arise to take the critical business
decision to reduce the impact.

• Asset Value Assessment: This would be the first involved in measuring the
asset value which is part of the critical business process. An asset can be the
people, process, hardware, software, data, any tangible or intangible(can
include the reputation of the organization, loss of customer and services)
things which are part of the critical business process.

In order to achieve greater control in risk and with effective least cost,
identifying and prioritizing the assets are a critical part of the process from top
priority to least priority.

This can be achieved by identifying the core functions and the process of the
organization. Along with this identifying the physical infrastructure, assets
which can be critical hardware or software related to the business functions
and safety measures which are preinstalled for the emergency situations need
to be also considered.

 Threats actions and its Consequences: As per the RFC 2828 we will see some
terminologies related to the threat, we have already seen the definition of the threat in the
first section of key terminologies.

After identifying the asset value assessment and quantifying it, next step is to conduct the
Threat assessment where the potential threats are identified.

There is another relative term “Hazard” is also used for the threats which are natural or
not man-made, such as earthquake, flood or wind disaster which also needs to be
considered and the man-made hazard can be either technological threats or terrorism
which we can refer as “Threats” for simplicity.
 • Threat Action: It is an assault on system security.
• Threat Analysis: An analysis of the probability of occurrences and
consequences of damaging actions to a system.
• Threat Consequence: A security violation that results from a threat action.
Includes disclosure, deception, disruption, and usurpation.

Threat Action (attack) Threat Consequence

Exposure: Sensitive data are directly Unauthorized Disclosure: A circumstance

released to an unauthorized entity. or event whereby an entity gains access to

Interception: An unauthorized entity data for which the entity is not authorized.
directly accesses sensitive data
traveling between authorized sources
and destinations.

Inference: A threat action whereby an

unauthorized entity indirectly accesses
sensitive data by reasoning from
characteristics or by-products of
communications.

Intrusion: An unauthorized entity

gains access to sensitive data by
circumventing a system’s security
protections.

Masquerade: An unauthorized entity Deception: A circumstance or event that

gains access to a system or performs a may result in an authorized entity receiving
malicious act by posing as an false data and believing it to be true.
authorized entity.

Falsification: False data deceive an

authorized entity.

Repudiation: An entity deceives

another by falsely denying
responsibility for an act.
 Incapacitation: Prevents or interrupts Disruption: A circumstance or event that
system operation by disabling a system Interrupts or prevents the correct operation of
component. system services and functions.
Corruption: Undesirably alters system
operation by adversely modifying
system functions or data.

Obstruction: A threat action that

interrupts delivery of system services
by hindering system operation.

Misappropriation: An entity assumes Usurpation: A circumstance or event that

unauthorized logical or physical results in control of system services
control of a system resource. orfunctions by an unauthorized entity.

Misuse: Causes a system component to

perform a function or service that is
detrimental to system security.

Table 2.1 Threat Action and Consequences Source: RFC 2828

Check Your Progress 2

1. What kind of threat action can cause the unauthorized disclosure of data _____________
2. What kind of event authorized user can receive false data _________________________
3. What do we call if due to undesirable action data is altered ________________________

 Threat Analysis: Our next goal here is to estimate the likelihood of a successful attack
by this group of threat agents for this we will use the OWASP risk rating methodology for
preparing severity of the Risk Assessment Model.

Skill level: How technically skilled is this group of threat agents? No technical skills
(1), some technical skills (3), advanced computer user (5), network and programming
skills (6), security penetration skills (9),

Motive: How motivated is this group of threat agents to find and exploit this
vulnerability? Low or no reward (1), possible reward (4), high reward (9)
 Opportunity: What resources and opportunities are required for this group of threat
agents to find and exploit this vulnerability? Full access or expensive resources
required (0), special access or resources required (4), some access or resources
required (7), no access or resources required (9)

Size: How large is this group of threat agents? Developers (2), system admins (2),
intranet users (4), partners (5), authenticated users (6), anonymous Internet users (9)

The use of a rating system will help in the quantification of risk. There is always difficulty in
justifying the protection of assets. Management is better able to understand the implications
of the threat and vulnerabilities when they are presented in the form of numbers and statistics
which means quantifiable and measurable.

 Vulnerability Analysis:Vulnerability is a weakness that a threat can exploit to breach

security and harm your organization. Vulnerabilities can be identified through
vulnerability analysis, audit reports, the NIST vulnerability database, and vendor data.
The problem faced within many organizations is the ability to effectively filter out the
false positives from assessment applications.

The result of the various manual and automated tools must be verified in order to
accurately determine the reliability of the tools in use and to avoid protecting an area that
in reality does not exist. False positive results can be mitigated by ensuring that the
assessment applications are up to date with the latest stable signatures and patches.

There are two ways penetration testing and vulnerability analysis can be done, one with
having the knowledge of the systems and topology, another with zero knowledge which is
mostly conducted externally known as black box testing.

Examples of vulnerabilities:

• Lack of sufficient logging mechanism

• Input validation vulnerability
• Sensitive data protection vulnerability
• Session management vulnerability
• Cryptographic vulnerability
• Memory leak Issue
• Cross-site request forgery
• Remote Code Execution
 • Business logic vulnerability

For more similar issues refer to OWASP Top Ten Project

• Prepare checklist for • Assessment performed

Target using automated as well
as manual tools

Vulnerability
Establish Assessment
Scope and
Detection

Reporting
and Penetration
Documentat Testing
aion
• Analysis of outcome & • Verification of
reporting the findings vulnerabilities by various
with recommendations. penetration test to avoid
FP's.

Figure 2.6 VAPT Process

 Vulnerability Factors: The goal here is to estimate the likelihood of the particular
vulnerability involved being discovered and exploited. Assume the threat agent selected
above.

Ease of discovery: How easy is it for this group of threat agents to discover this
vulnerability? Practically impossible (1), difficult (3), easy (7), automated tools
available (9)

Ease of exploit: How easy is it for this group of threat agents to actually exploit this
vulnerability? Theoretical (1), difficult (3), easy (5), automated tools available (9)

Awareness: How well known is this vulnerability to this group of threat agents?
Unknown (1), hidden (4), obvious (6), public knowledge (9)

Intrusion detection: How likely is an exploit to be detected? Active detection in

application (1), logged and reviewed (3), logged without review (8), not logged (9)

 Estimating Impact: When estimating the impact of the successful attack, it is important
to consider the technical impact and business impact.
 Ultimately the business impact would be more important. So by providing the appropriate
technical risk details which will enable management to make the decision about the
business risk.

• Technical Impact Factors: The goal is to estimate the magnitude of the impact on
the system if the vulnerability were to be exploited.

Loss of confidentiality: How much data could be disclosed and how sensitive is
it? Minimal non-sensitive data disclosed (2), minimal critical data disclosed (6),
extensive non-sensitive data disclosed (6), extensive critical data disclosed (7), all
data disclosed (9)

Loss of integrity: How much data could be corrupted and how damaged is it?
Minimal slightly corrupt data (1), minimal seriously corrupt data (3), extensive
slightly corrupt data (5), extensive seriously corrupt data (7), all data totally
corrupt (9)

Loss of availability: How much service could be lost and how vital is it? Minimal
secondary services interrupted (1), minimal primary services interrupted (5),
extensive secondary services interrupted (5), extensive primary services
interrupted (7), all services completely lost (9)

Loss of accountability: Are the threat agents' actions traceable to an individual?

Fully traceable (1), possibly traceable (7), completely anonymous (9)

• Business Impact Factors: Business impact requires a deep understanding of the

different operations on which the company is working and gets maximum return on
investment.

There are many factors and also may not be the same for all organization, but we will see
some of the common impact factors.

• Financial damage: How much financial damage will result from an exploit?
Less than the cost to fix the vulnerability (1), minor effect on annual profit (3),
significant effect on annual profit (7), bankruptcy (9)
• Reputation damage: Would an exploit result in reputation damage that would
harm the business? Minimal damage (1), Loss of major accounts (4), loss of
goodwill (5), brand damage (9)
 • Non-compliance: How much exposure does non-compliance introduce?
Minor violation (2), clear violation (5), high profile violation (7)
• Privacy violation: How much personally identifiable information could be
disclosed? One individual (3), hundreds of people (5), thousands of people (7),
millions of people (9)

 The severity of RISK: We will now prepare the severity of the risk which can be
obtained by combining the different impact factors.

It is divided into three parts from a 0-9 scale, low medium or high as shown below.

Impact Scale Impact Levels

0-<3 LOW

3-<6 MEDIUM

6-9 HIGH

Table 2.2 Severity Matrix

 Countermeasures(Control): In this step, we have to identify the existing security

policies and protocols which are placed. Are they are adequate with the current threat
landscape? Or it needs to modify and update the security posture of the organization.
What level of risk is acceptable to the organization. This will help the security team and
top management to understand the risk levels and they can focus on more high-level risks.
 Documentation: This is the final step in which risk assessment report is prepared to
support the management to take appropriate decision on policies, procedures, budget
allocation. For each threat, the report should have corresponding vulnerabilities, assets at
risk, impact, and control remediation.

2.6LET US SUM UP
In this chapter, we have seen what all different types of attacks and what it can cause. Next is
we have seen threats and consequences Which is followed by Risk Assessment procedure
which includes threat assessment, vulnerability assessment and how to prepare the severity
matrix to report the threat to management. Also based on the identified risk in the report we
have to recommend the security policy and procedure to rebuild the security posture of the
organization from the current threats and attacks.

31
2.7CHECK YOUR PROGRESS: POSSIBLE ANSWERS
Check Your Progress 1

1. Ransomware
2. Blind SQL Injection & Out of bound SQL Injection
3. Spyware

Check Your Progress 2

1. Exposer
2. Deception
3. Corruption

32
 SECURITY BREACH

What is a security breach?

A security breach is any incident that results in unauthorized access to computer data,
applications, networks or devices. It results in information being accessed without
authorization. Typically, it occurs when an intruder is able to bypass security mechanisms.

Technically, there's a distinction between a security breach and a data breach. A

security breach is effectively a break-in, whereas a data breach is defined as the
cybercriminal getting away with information. Imagine a burglar; the security breach is when
he climbs through the window, and the data breach is when he grabs your pocketbook or
laptop and takes it away.

Confidential information has immense value. It's often sold on the dark web; for
example, names and credit card numbers can be bought, and then used for the purposes of
identity theft or fraud. It's not surprising that security breaches can cost companies huge
amounts of money. On average, the bill is nearly $4m for major corporations.

It's also important to distinguish the security breach definition from the definition of a
security incident. An incident might involve a malware infection, DDOS attack or an
employee leaving a laptop in a taxi, but if they don't result in access to the network or loss of
data, they would not count as a security breach.

Examples of a security breach

When a major organization has a security breach, it always hits the headlines.
Security breach examples include the following:

Equifax - in 2017, a website application vulnerability caused the company to lose the
personal details of 145 million Americans. This included their names, SSNs, and drivers'
license numbers. The attacks were made over a three-month period from May to July, but the
security breach wasn't announced until September.

Yahoo - 3 billion user accounts were compromised in 2013 after a phishing attempt gave
hackers access to the network.
eBay saw a major breach in 2014. Though PayPal users' credit card information was not at
risk, many customers' passwords were compromised. The company acted quickly to email its
users and ask them to change their passwords in order to remain secure.

Dating site Ashley Madison, which marketed itself to married people wishing to have affairs,
was hacked in 2015. The hackers went on to leak a huge number of customer details via the
internet. Extortionists began to target customers whose names were leaked; unconfirmed
reports have linked a number of suicides to exposure by the data breach.

Facebook saw internal software flaws lead to the loss of 29 million users' personal data in
2018. This was a particularly embarrassing security breach since the compromised accounts
included that of company CEO Mark Zuckerberg.

Marriott Hotels announced a security and data breach affecting up to 500 million customers'
records in 2018. However, its guest reservations system had been hacked in 2016 - the breach
wasn't discovered until two years later.

Perhaps most embarrassing of all, being a cybersecurity firm doesn't make you immune -
Czech company Avast disclosed a security breach in 2019 when a hacker managed to
compromise an employee's VPN credentials. This breach didn't threaten customer details but
was instead aimed at inserting malware into Avast's products.

A decade or so ago, many companies tried to keep news of security breaches secret in
order not to destroy consumer confidence. However, this is becoming increasingly rare. In the
EU, the GDPR (General Data Protection Regulations) require companies to notify the
relevant authorities of a breach and any individuals whose personal data might be at risk. By
January 2020, GDPR had been in effect for just 18 months, and already, over 160,000
separate data breach notifications had been made - over 250 a day.

Types of security breaches

There are a number of types of security breaches depending on how access has been
gained to the system:

An exploit attacks a system vulnerability, such as an out of date operating system.

Legacy systems which haven't been updated, for instance, in businesses where outdated and
versions of Microsoft Windows that are no longer supported are being used, are particularly
vulnerable to exploits.
Weak passwords can be cracked or guessed. Even now, some people are still using the
password 'password', and 'pa$$word' is not much more secure.

Malware attacks, such as phishing emails can be used to gain entry. It only takes one
employee to click on a link in a phishing email to allow malicious software to start spreading
throughout the network.

Drive-by downloads use viruses or malware delivered through a compromised or spoofed

website.

Social engineering can also be used to gain access. For instance, an intruder phones an
employee claiming to be from the company's IT helpdesk and asks for the password in order
to 'fix' the computer.

In the security breach examples we mentioned above, a number of different

techniques were used to gain access to networks — Yahoo suffered a phishing attack, while
Facebook was hacked by an exploit.

Though we've been talking about security breaches as they affect major organizations,
the same security breaches apply to individuals' computers and other devices. You're
probably less likely to be hacked using an exploit, but many computer users have been
affected by malware, whether downloaded as part of a software package or introduced to the
computer via a phishing attack. Weak passwords and use of public Wi-Fi networks can lead
to internet communications being compromised.

What to do if you experience a security breach

As a customer of a major company, if you learn that it has had a security breach, or if
you find out that your own computer has been compromised, then you need to act quickly to
ensure your safety. Remember that a security breach on one account could mean that other
accounts are also at risk, especially if they share passwords or if you regularly make
transactions between them.

If a breach could involve your financial information, notify any banks and financial
institutions with which you have accounts.

Change the passwords on all your accounts. If there are security questions and answers or
PIN codes attached to the account, you should change these too.
You might consider a credit freeze. This stops anyone using your data for identity theft and
borrowing in your name.

Check your credit report to ensure you know if anyone is applying for debt using your
details.

Try to find out exactly what data might have been stolen. That will give you an idea of the
severity of the situation. For instance, if tax details and SSNs have been stolen, you'll need to
act fast to ensure your identity isn't stolen. This is more serious than simply losing your credit
card details.

Don'trespond directly to requests from a company to give them personal data after a
data breach; it could be a social engineering attack. Take the time to read the news, check
the company's website, or even phone their customer service line to check if the requests are
legitimate.

Be on your guard for other types of social engineering attacks. For instance, a criminal
who has accessed a hotel's accounts, even without financial data, could ring customers asking
for feedback on their recent stay. At the end of the call, having established a relationship of
trust, the criminal could offer a refund of parking charges and ask for the customer's card
number in order to make the payment. Most customers probably wouldn't think twice about
providing those details if the call is convincing.

Monitor your accounts for signs of any new activity. If you see transactions that you don't
recognize, address them immediately.

How to protect yourself against a security breach

Although no one is immune to a data breach, good computer security habits can make you
less vulnerable and can help you survive a breach with less disruption. These tips should help
you prevent hackers breaching your personal security on your computers and other devices.

Use strong passwords, which combine random strings of upper and lower-case letters,
numbers, and symbols. They are much more difficult to crack than simpler passwords. Don't
use passwords that are easy to guess, like family names or birthdays. Use a Password
Manager to keep your passwords secure.
Use different passwords on different accounts. If you use the same password, a hacker who
gains access to one account will be able to get into all your other accounts. If they have
different passwords, only that one account will be at risk.

Close accounts you don't use rather than leaving them dormant. That reduces your
vulnerability to a security breach. If you don't use an account, you might never realize that it
has been compromised, and it could act as a back door to your other accounts.

Change your passwords regularly. One feature of many publicly reported security breaches
is that they occurred over a long period, and some were not reported until years after the
breach. Regular password changes reduce the risk you run from unannounced data breaches.

If you throw out a computer, wipe the old hard drive properly. Don't just delete files; use
a data destruction program to wipe the drive completely, overwriting all the data on the disk.
Creating a fresh installation of the operating system will also wipe the drive successfully.

Back up your files. Some data breaches lead to the encryption of files and a ransomware
demand to make them available again to the user. If you have a separate backup on a
removable drive, your data is safe in the event of a breach.

Secure your phone. Use a screen lock and update your phone's software regularly. Don’t
root or jailbreak your phone. Rooting a device gives hackers the opportunity to install their
own software and to change the settings on your phone.

Secure your computer and other devices by using anti-virus and anti-malware
software.Kaspersky Antivirus is a good choice to keep your computer free from infection
and ensure that hackers can't get a foothold in your system.

Be careful where you click. Unsolicited emails which include links to websites may be
phishing attempts. Some may purport to be from your contacts. If they include attachments or
links, ensure they're genuine before you open them and use an anti-virus program on
attachments.

When you're accessing your accounts, make sure you're using the secure
HTTPS protocol and not just HTTP.
Monitoring your bank statements and credit reports helps keep you safe. Stolen data can
turn up on the dark web years after the original data breach. This could mean an identity theft
attempt occurs long after you've forgotten the data breach that compromised that account.

Know the value of your personal information and don't give it out unless necessary.
 Types of Malicious Attacks

What Is a Malicious Attack?

An attack on a computer system or network asset succeeds by exploiting a vulnerability in

the system. There are four general categories of attack. An attack can consist of all or a
combination of these four categories:
Fabrications—Fabrications involve the creation of some deception in order to trick
unsuspecting users.
Interceptions—An interception involves eavesdropping on transmissions and redirecting
them for unauthorized use.

Interruptions—An interruption causes a break in a communication channel, which

blocks the transmission of data.
Modifications—A modification is the alteration of data contained in transmissions or
files.
Security threats can be active or passive. Both types can have negative repercussions
for an IT infrastructure. An active attack involves a modification of the data stream or
attempts to gain unauthorized access to computer and networking systems. An active
attack is a physical intrusion. In a passive attack, the attacker does not make changes
to the system. This type of attack simply eavesdrops on and monitors transmissions.
Active threats include the following:

 Birthday attacks
 Brute-force password attacks
 Dictionary password attacks
 IP address spoofing
 Hijacking
 Replay attacks
 Man-in-the-middle attacks
 Masquerading
 Social engineering
 Phishing
 Phreaking
  Pharming
Such attacks are widespread and common. A growing number of them appear on
information systems security professionals’ radar screens every year. Following is a
description of several of the most common types of malicious attacks.

Birthday Attacks

Once an attacker compromises a hashed password file, a birthday attack is

performed. A birthday attack is a type of cryptographic attack that is used to make brute-force
attack of one-way hashes easier. It is a mathematical exploit that is based on the birthday
problem in probability theory.

Brute-Force Password Attacks

One of the most tried-and-true attack methods is the brute-force password attack. In a
brute-force password attack, the attacker tries different passwords on a system until one of
them is successful. Usually the attacker employs a software program to try all possible com-
binations of a likely password, user ID, or security code until it locates a match. This occurs
rapidly and in sequence. This type of attack is called a brute-force password attack because
the attacker simply hammers away at the code. There is no skill or stealth involved—just
brute force that eventually breaks the code. With today’s large-scale computers, it is possible
to try millions of combinations of passwords in a short period. Given enough time and using
enough computers, it is possible to crack most algorithms.

Dictionary Password Attacks

A dictionary password attack is a simple attack that relies on users making poor
password choices. In a dictionary password attack, a simple password-cracker program takes
all the words from a dictionary file and attempts to log on by entering each dictionary entry
as a password. Users often engage in the poor practice of selecting common words as
passwords. A password policy that enforces complex passwords is the best defense against a
dictionary password attack. Users should create passwords composed of a combination of
letters and numbers, and the passwords should not include any personal information about the
user

IP Address Spoofing
 Spoofing is a type of attack in which one person, program, or computer disguises
itself as another person, program, or computer to gain access to some resource. A common
spoofing attack involves presenting a false network address to pretend to be a different
computer. An attacker may change a computer’s network address to appear as an authorized
computer in the target’s network. If the administrator of the target’s local router has not
configured it to filter out external traffic with internal addresses, the attack may be successful.
IP address spoofing can enable an attacker to access protected internal resources.Address
resolution protocol (ARP) poisoning is an example of a spoofing attack. In this attack, the
attacker spoofs the MAC address of a targeted device, such as a server, by sending false ARP
resolution responses with a different MAC address. This causes duplicate network traffic to
be sent from the server. Another type of network-based attack is the Christmas (Xmas)
attack. This type of attack sends advanced TCP packets with flags set to confuse IP routers
and network border routers with TCP header bits set to 1, thus lighting up the IP router like a
Christmas tree.

Hijacking

Hijacking is a type of attack in which the attacker takes control of a session between
two machines and masquerades as one of them. There are a few types of hijacking:
Man-in-the-middle hijacking—In this type of hijacking, discussed in more detail in a
moment, the attacker uses a program to take control of a connection by masquerading as each
end of the connection. For example, if Mary and Fred want to communicate, the attacker
pretends to be Mary when talking with Fred and pretends to be Fred when talking to Mary.
Neither Mary nor Fred know they are talking to the attacker. The attacker can collect
substantial information and can even alter data as they flow between Mary and Fred. This
attack enables the attacker to either gain access to the messages or modify them before
retransmitting. A man-in-the-middle attack can occur from an insider threat. An insider threat
can occur from an employee, contractor, or trusted person within the organization.
Browser or URL hijacking—In a browser or URL hijacking attack, the user is directed to a
different website than what he or she requested, usually to a fake page that the attacker has
created. This gives the user the impression that the attacker has compromised the website
when in fact the attacker simply diverted the user’s browser from the actual site. This type of
attack is also known as typo squatting. Attackers can use this attack with phishing to trick a
user into providing private information such as a password.
Session hijacking—In session hijacking, the attacker attempts to take over an existing
connection between two network computers. The first step in this attack is for the attacker to
take control of a network device on the LAN, such as a firewall or another computer, in order
to monitor the connection. This enables the attacker to determine the sequence numbers used
by the sender and receiver. After determining the sequence numbering, the attacker generates
traffic that appears to come from one of the communicating parties. This steals the session
from one of the legitimate users. To get rid of the legitimate user who initiated the hijacked
session, the attacker overloads one of the communicating devices with excess packets so that
it drops out of the session.

Replay Attacks

Replay attacks involve capturing data packets from a network and retransmitting
them to produce an unauthorized effect. The receipt of duplicate, authenticated IP packets
may disrupt service or have some other undesired consequence. Systems can be broken
through replay attacks when attackers reuse old messages or parts of old messages to deceive
system users. This helps intruders to gain information that allows unauthorized access into a
system.

Man-in-the-Middle Attacks

A man-in-the-middle attack takes advantage of the multihop process used by many

types of networks. In this type of attack, an attacker intercepts messages between two parties
before transferring them on to their intended destination. Web spoofing is a type of man-in-
the-middle attack in which the user believes a secure session exists with a particular web
server. In reality, the secure connection exists only with the attacker, not the web server. The
attacker then establishes a secure connection with the web server, acting as an invisible go-
between. The attacker passes traffic between the user and the web server. In this way, the
attacker can trick the user into supplying passwords, credit card information, and other
private data.
Attackers use man-in-the-middle attacks to steal information, to execute DoS attacks,
to corrupt transmitted data, to gain access to an organization’s internal computer and network
resources, and to introduce new information into network sessions.

Masquerading
 In a masquerade attack, one user or computer pretends to be another user or
computer. Masquerade attacks usually include one of the other forms of active attacks, such
as IP address spoofing or replaying. Attackers can capture authentication sequences and then
replay them later to log on again to an application or operating system. For example, an
attacker might monitor usernames and passwords sent to a weak web application. The
attacker could then use the intercepted credentials to log on to the web application and
impersonate the user.

Eavesdropping

Eavesdropping, or sniffing, occurs when a host sets its network interface on

promiscuous mode and copies packets that pass by for later analysis. Promiscuous mode
enables a network device to intercept and read each network packet, even if the packet’s
address doesn’t match the network device. It is possible to attach hardware and software to
monitor and analyze all packets on that segment of the transmission media without alerting
any other users. Candidates for eavesdropping include satellite, wireless, mobile, and other
transmission methods.
 Malwares – Malicious Software
Malware is a software that gets into the system without user consent with an intention
to steal private and confidential data of the user that includes bank details and password.
They also generates annoying pop up ads and makes changes in system settings
They get into the system through various means:
1. Along with free downloads.
2. Clicking on suspicious link.
3. Opening mails from malicious source.
4. Visiting malicious websites.
5. Not installing an updated version of antivirus in the system.
Types:
1. Virus
2. Worm
3. Logic Bomb
4. Trojan/Backdoor
5. Rootkit
6. Advanced Persistent Threat
7. Spyware and Adware
What is computer virus:

Computer virus refers to a program which damages computer systems and/or destroys
or erases data files. A computer virus is a malicious program that self-replicates by copying
itself to another program. In other words, the computer virus spreads by itself into other
executable code or documents. The purpose of creating a computer virus is to infect
vulnerable systems, gain admin control and steal user sensitive data. Hackers design
computer viruses with malicious intent and prey on online users by tricking them.
Symptoms:
 Letter looks like they are falling to the bottom of the screen.
 The computer system becomes slow.
 The size of available free memory reduces.
 The hard disk runs out of space.
 The computer does not boot.
Types of Computer Virus:

These are explained as following below.

1. Parasitic
These are the executable (.COM or .EXE execution starts at first instruction). Propagated
by attaching itself to particular file or program. Generally resides at the start (prepending)
or at the end (appending) of a file, e.g. Jerusalem.
2. Boot Sector

Spread with infected floppy or pen drives used to boot the computers. During system
boot, boot sector virus is loaded into main memory and destroys data stored in hard disk,
e.g. Polyboot, Disk killer, Stone, AntiEXE.
3. Polymorphic

Changes itself with each infection and creates multiple copies. Multipartite: use more
than one propagation method. >Difficult for antivirus to detect, e.g. Involutionary,
Cascade, Evil, Virus 101., Stimulate.
Three major parts: Encrypted virus body, Decryption routine varies from infection to
infection, and Mutation engine.

4. Memory Resident

Installs code in the computer memory. Gets activated for OS run and damages all files
opened at that time, e.g. Randex, CMJ, Meve.
5. Stealth
Hides its path after infection. It modifies itself hence difficult to detect and masks the size
of infected file, e.g. Frodo, Joshi, Whale.
6. Macro
Associated with application software like word and excel. When opening the infected
document, macro virus is loaded into main memory and destroys the data stored in hard
disk. As attached with documents; spreads with those infected documents only, e.g.
DMV, Melissa, A, Relax, Nuclear, Word Concept.
7. Hybrids
Features of various viruses are combined, e.g. Happy99 (Email virus).
Worm:
A worm is a destructive program that fills a computer system with self-replicating
information, clogging the system so that its operations are slowed down or stopped.
Types of Worm:
1. Email worm – Attaching to fake email messages.
2. Instant messaging worm – Via instant messaging applications using loopholes in
network.
3. Internet worm – Scans systems using OS services.
4. Internet Relay Chat (IRC) worm – Transfers infected files to web sites.
5. Payloads – Delete or encrypt file, install backdoor, creating zombie etc.
6. Worms with good intent – Downloads application patches.
Logical Bomb:

A logical bomb is a destructive program that performs an activity when a certain action has
occurred. These are hidden in programming code. Executes only when a specific condition is
met, e.g. Jerusalem.
Script Virus:

Commonly found script viruses are written using the Visual Basic Scripting Edition (VBS)
and the JavaScript programming language.
Trojan / Backdoor:

Trojan Horse is a destructive program. It usually pretends as computer games or application

software. If executed, the computer system will be damaged. Trojan Horse usually comes
with monitoring tools and key loggers. These are active only when specific events are alive.
These are hidden with packers, crypters and wrappers.< Hence, difficult to detect through
antivirus. These can use manual removal or firewall precaution.

RootKits:
Collection of tools that allow an attacker to take control of a system.
 Can be used to hide evidence of an attacker’s presence and give them backdoor access.
 Can contain log cleaners to remove traces of attacker.
 Can be divided as:
 – Application or file rootkits: replaces binaries in Linux system
– Kernel: targets kernel of OS and is known as a loadable kernel module (LKM)
 Gains control of infected m/c by:

– DLL injection: by injecting malicious DLL (dynamic link library)

– Direct kernel object manipulation: modify kernel structures and directly target trusted
part of OS

– Hooking: changing applicant’s execution flow

Advanced Persistent Threat:

Created by well funded, organized groups, nation-state actors, etc. Desire to compromise
government and commercial entities, e.g. Flame: used for reconnaissance and information
gathering of system.
Spyware and Adware:

Normally gets installed along with free software downloads. Spies on the end-user, attempts
to redirect the user to specific sites. Main tasks: Behavioral surveillance and advertising with
pop up ads Slows down the system.
What is an Common Attack Vector in Cyber security?

A cyber security attack vector is a path that a hacker or malicious actor uses to gain
unauthorized access to a network, server, application, database, or device by exploiting
system vulnerabilities.

An attack vector is often a complex process that requires threat actors to gather
intelligence to understand their targets, identify security weaknesses, and then attempt to
make their way into the system. Once they’ve gained access, the hacker can wreak havoc by
compromising sensitive data, infecting software with malware, or causing a complete system
shutdown.

Attack vector, attack surfaces, and threat vectors: What's the difference?

An attack vector often gets mixed in with the terms "attack surface" and "threat
vector." A threat vector in cybersecurity is generally synonymous with an attack vector—a
method by which a hacker gains unauthorized access to a private system.

Attack surface, on the other hand, refers to all possible entry points someone could
use to access a system. In other words, it's the sum of all attack vectors within an IT
environment and organizational network. Hackers thoroughly evaluate attack surfaces before
selecting their attack vector based on discovered vulnerabilities.

Two Ways Bad Actors Exploit Attack Vectors

As bad actors undergo attack campaigns, they might take different paths when
exploiting system vulnerabilities. The two main types of threat vectors are active attacks and
passive attacks.

Active attack

Active attack vectors seek to directly harm, alter, or damage an organization's systems and
network resources. They are easier to trace than passive attacks because they cause
significant disruptions to an operation or IT production environment. Common active attack
vector examples include malware deployment, denial-of-service (DoS) attacks, and domain
hijacking.
Malware and DoS attacks, two of the most common active attack vectors, cost companies an
average of $2.5 million and $2 million per incident, respectively.

Passive attack

A passive attack vector is less apparent, where the hacker exploits vulnerabilities only to gain
information without actually causing operational disruption or altering data systems.
Phishing, for instance, is a typical passive attack vector that seeks to acquire information,
such as someone's access credentials.

The average cost of credential compromises to a business as a result of a passive attack vector
has doubled since 2015 to $2.1 million per incident.

15 Common Types of Attack Vectors to Know

1. Weak or compromised access credentials

Compromised access credentials give hackers a linear path into a computer system or
organizational network. Usernames and passwords for account profiles are often stolen and
leaked via phishing or brute force attacks, making it easy for cybercriminals to enter
networks undetected because it looks like usual login activity.

How to avoid it

Enact and enforce strict password management policies requiring long and complex
passwords, implement systems for secure password storage, and demand frequency rules for
changing passwords. A passwordless authentication system nearly eliminates this attack
vector: no passwords means no credentials can be compromised.

2. Phishing

In a phishing attack, scammers pretend to be a trusted entity to get users to voluntarily

release sensitive information—generally via a spoofed email address. The victim is tricked
into downloading malicious files or providing sensitive information either by responding to
the email or by clicking on a link to a fake web page where they enter their credentials.

How to avoid it

Cyber security awareness training is the best preventive measure, particularly

modules for detecting scams. Also, implement spam filters and block websites that don't meet
security criteria. As a failsafe, keep software up to date in case malware is delivered via
email, and utilize MFA for verification.

3. Malware

Malware (malicious software) is often distributed through phishing (as a

downloadable file) or within a network to devices or applications that have already been
compromised. There are many types of malware, including ransomware, viruses, trojans, and
spyware.

How to avoid it

Educate employees on how to recognize phishing attacks. Well-designed firewalls also help
prevent malware fruition—specifically malware delivered over the internet—by stopping it
before it hits a network or individual endpoint. Lastly, keep software applications up-to-date
to ensure the anti-malware and anti-virus mechanisms detect the most recent and prominent
threats.

4. Unpatched software

Unpatched software is both an attack vector and a vulnerability. As a vulnerability,

operating systems, servers, and applications that have bugs or security flaws enable an
opportunity for sophisticated hackers to manipulate the code or access the system. As a
vector, they can target software to deploy zero-day attacks, in which a vulnerability is
exploited before the development teams can fix them.

How to avoid it

Ensure all software remains up-to-date by enabling automatic updates across systems.
For internal software, teams can run vulnerability assessments to find potential entry points
and flaws in their code to fix them.

5. Third-party vendors & service providers

In recent years, cybercriminals have been targeting software vendors, managed service
providers (MSPs), security consultants, and cloud solution providers. These entities store data
on their customers, and a hacker that infiltrates such an organization gains access to the
information for many people at once.
How to avoid it

To mitigate the risk of this vertical, organizations must leverage privileged access
management tools that can enforce least privilege principles and control identity-based
vendor access. These solutions produce an audit trail and ensure vendor users only have
enough temporary resource access to complete the workflow or project.

6. Insider threats

Disgruntled employees or upset former staff that still have access to systems and
resources can be a massive threat to your business. In these scenarios, the attack vector comes
from the inside, where the threat actor could steal sensitive information, install malware on
network devices, or find ways to shut down the operation.

How to avoid it

Insider attacks can be mitigated by following the principle of least privilege, which only lets
authorized users access enough resources to perform their job functions. Continuous
monitoring and modern-day security frameworks such as Zero Trust are also effective
strategies.

7. Lack of encryption

This attack vector assumes that data stored at rest or in transit does not contain the
proper encryption—allowing a hacker who gains unauthorized system access to steal, delete,
or manipulate organizational data easily. If no form of encryption or hashing gets utilized,
unauthorized users can view the data in plain text format.

How to avoid it

Businesses should use data-loss prevention (DLP) solutions such as email encryption
tools to protect data-in-transit and fill any security gaps caused by unencrypted data.
Furthermore, they should only invest in software systems incorporating robust encryption
methods during processing and rest stages.

8. Misconfigurations

Misconfigurations occur when there's an unintended vulnerability within the security

settings or design of an application, database, or other computer systems. In cloud
environments, for instance, it's common for an administrator to fail to update their default
credentials or unintentionally give standard users privileged access. Unknown or unfixed
misconfigurations leave organizations open to a wide range of inside and outside attacks.

How to avoid it

Vulnerability assessments are a great way to identify any system misconfigurations

within a network. Organizations can also leverage automated confirmation management tools
to track technology resources, automate access provisioning tasks, and reduce system
deployment issues caused by human error.

9. Trust relationships

A trust relationship is the connection protocol in which multiple systems “trust” each other,
and one authentication ultimately gives users access to an entire network of resources. While
convenient for login processes, it paves the way for an attack vector. Compromised
credentials of a trusted user or domain can end up giving unauthorized access to all trusted
resources within the connection.

How to avoid it

Security teams must obtain visibility on all trusted relationships within their network,
including third-party connections of vendors. Network segmentation also reduces risk by
dividing resources into segments and requiring authentication at each point—letting
organizations protect their relationships and isolate potential incidents to one area.

10. Brute force

Brute force is a method where a hacker attempts to access a system by running password
combinations until successful. They often use a software program that automatically tests the
combinations, usually with a list of the most common passwords or passwords containing
personal data of the target. A successful attack can lead to a data breach and access to other
accounts that recycle the same password.

How to avoid it

Avoiding brute force attacks comes down to proper credential management. Organizations
must enforce policies that outline requirements for constructing long passwords containing
alphanumeric and special characters that avoid personal information.
11. DDoS attacks

A distributed denial-of-service (DDoS) attack is when a cyber criminal seeks to shut down
network resources, such as servers, applications, and websites, by flooding them with
overwhelming traffic or messages. An organization could halt its operations and lose access
to critical data if successful.

How to avoid it

While security controls for DDoS attacks vary by target, network monitoring solutions help
decipher legitimate vs. anomalous traffic to stop a DDoS attempt before its successful. Also,
application firewalls protect servers and let organizations control who can access the
application. Finally, teams can utilize the anycast network diffusion method, which prevents
overwhelming one server with network traffic by scattering traffic across numerous servers.

12. SQL injections

Structured query language (SQL) lets servers communicate with databases so users can pull
and manage data sets. An SQL injection is when a hacker essentially tricks the system to
expose certain information by using a malicious SQL command—allowing them to view,
steal, or delete sensitive data.

How to avoid it

Many SQL injections take advantage of outdated or vulnerable software, so organizations

must maintain a comprehensive software patching system and keep their programs up to date.
Company databases should also incorporate input validation controls. These control the
length and format requirements of SQL commands—preventing any commands that fall
outside the parameters from getting processed.

13. Cross-site scripting

Cross-site scripting (XSS) attacks use vulnerable but trusted company websites to target their
visitors. A hacker injects malicious scripts throughout the web pages, such as embedding a
link within a comments section on a forum page. If a website visitor were to click the
malicious link, malware could deploy on their endpoint device and possibly let the hacker
hijack the user's website account.

How to avoid it
Organizations must deploy content-security policies that let them control whether malicious
scripts can get inserted into the site and prevent the code from executing on the web visitor's
browser. They should also undergo website sanitation to remove unwanted data and unsafe
hypertext markup language (HTML) tags from web pages.

14. Man-in-the-middle attack

Man-in-the-middle (MITM) attacks are when a hacker puts themselves between a client and
server, typically a user and a web application, to steal data. It starts with an interception,
where a criminal hacks a vulnerable Wi-Fi network or creates a spoofed website or malicious
Wi-Fi hotspot. Then, hackers instigate a decryption phase, in which they monitor and capture
communication data, such as user credentials, for further use.

How to avoid it

Organizations can protect themselves from MITM attacks by setting employee governance
policies like avoiding non-secure websites or unknown Wi-Fi sources to prevent user data
interceptions. Additionally, enforcing authentication controls such as MFA restricts hackers
from obtaining access even after credentials are stolen.

15. Session hijacking

Also known as browser cookie theft, session hijacking is a man-in-the-middle attack that
targets online account data, such as usernames and passwords, by taking over and monitoring
user-browsing sessions. Once they’ve stolen an internet protocol (IP) address, they can hijack
the cookie data to track online activity, including pre-saved passwords.

How to avoid it

Businesses can prevent this attack vector by deploying top-of-the-line antivirus tools
on endpoints that protect from the malware used to execute a session hijacking. Additionally,
they should provide session protection solutions to employees, such as virtual private
networks (VPNs), that encrypt user data while browsing the web.

How StrongDM Simplifies Protection from Attack Vectors

StrongDM provides a centralized solution to securely manage users, connect network

resources and systems, and observe the activity. The People-First Access Platform combines
authentication management, authorization, and provisioning capabilities into one tool.91% of
organizations agree that authentication management solutions such as MFA are important to
stopping credential theft and phishing attacks.

IT, cyber security, and DevOps leaders can ensure attack vectors are neutralized with
simple yet streamlined methods for protecting credentials, verifying users, off boarding
employees who may be insider threats, and automating user provisioning. The platform is
fully built to handle granular access management that follows the principle of least privilege
while developing and maintaining solid network architecture such as Zero Trust.
 Social Engineering

What is social engineering

Social engineering is the term used for a broad range of malicious activities
accomplished through human interactions. It uses psychological manipulation to trick users
into making security mistakes or giving away sensitive information.
Social engineering attacks happen in one or more steps. A perpetrator first
investigates the intended victim to gather necessary background information, such as
potential points of entry and weak security protocols, needed to proceed with the attack.
Then, the attacker moves to gain the victim’s trust and provide stimuli for subsequent actions
that break security practices, such as revealing sensitive information or granting access to
critical resources.

Social Engineering Attack Lifecycle

What makes social engineering especially dangerous is that it relies on human error,
rather than vulnerabilities in software and operating systems. Mistakes made by legitimate
users are much less predictable, making them harder to identify and thwart than a malware-
based intrusion.
Social engineering attack techniques
Social engineering attacks come in many different forms and can be performed
anywhere where human interaction is involved. The following are the five most common
forms of digital social engineering assaults.
Baiting
As its name implies, baiting attacks use a false promise to pique a victim’s greed or
curiosity. They lure users into a trap that steals their personal information or inflicts their
systems with malware.
The most reviled form of baiting uses physical media to disperse malware. For
example, attackers leave the bait—typically malware-infected flash drives—in conspicuous
areas where potential victims are certain to see them (e.g., bathrooms, elevators, the parking
lot of a targeted company). The bait has an authentic look to it, such as a label presenting it as
the company’s payroll list.
Victims pick up the bait out of curiosity and insert it into a work or home computer, resulting
in automatic malware installation on the system.Baiting scams don’t necessarily have to be
carried out in the physical world. Online forms of baiting consist of enticing ads that lead to
malicious sites or that encourage users to download a malware-infected application.
Scareware
Scareware involves victims being bombarded with false alarms and fictitious threats.
Users are deceived to think their system is infected with malware, prompting them to install
software that has no real benefit (other than for the perpetrator) or is malware itself.
Scareware is also referred to as deception software, rogue scanner software and fraudware.
A common scareware example is the legitimate-looking popup banners appearing in
your browser while surfing the web, displaying such text such as, “Your computer may be
infected with harmful spyware programs.” It either offers to install the tool (often malware-
infected) for you, or will direct you to a malicious site where your computer becomes
infected.
Scareware is also distributed via spam email that doles out bogus warnings, or makes offers
for users to buy worthless/harmful services.
Pretexting
Here an attacker obtains information through a series of cleverly crafted lies. The
scam is often initiated by a perpetrator pretending to need sensitive information from a victim
so as to perform a critical task.
The attacker usually starts by establishing trust with their victim by impersonating co-
workers, police, bank and tax officials, or other persons who have right-to-know authority.
The pretexter asks questions that are ostensibly required to confirm the victim’s identity,
through which they gather important personal data.
All sorts of pertinent information and records is gathered using this scam, such as
social security numbers, personal addresses and phone numbers, phone records, staff vacation
dates, bank records and even security information related to a physical plant.
Phishing
As one of the most popular social engineering attack types, phishing scams are email
and text message campaigns aimed at creating a sense of urgency, curiosity or fear in victims.
It then prods them into revealing sensitive information, clicking on links to malicious
websites, or opening attachments that contain malware.
An example is an email sent to users of an online service that alerts them of a policy
violation requiring immediate action on their part, such as a required password change. It
 includes a link to an illegitimate website—nearly identical in appearance to its legitimate
version—prompting the unsuspecting user to enter their current credentials and new
password. Upon form submittal the information is sent to the attacker.
Given that identical, or near-identical, messages are sent to all users in phishing
campaigns, detecting and blocking them are much easier for mail servers having access
to threat sharing platforms.
Spear phishing
This is a more targeted version of the phishing scam whereby an attacker chooses
specific individuals or enterprises. They then tailor their messages based on characteristics,
job positions, and contacts belonging to their victims to make their attack less
conspicuous. Spear phishing requires much more effort on behalf of the perpetrator and may
take weeks and months to pull off. They’re much harder to detect and have better success
rates if done skillfully.
A spear phishing scenario might involve an attacker who, in impersonating an
organization’s IT consultant, sends an email to one or more employees. It’s worded and
signed exactly as the consultant normally does, thereby deceiving recipients into thinking it’s
an authentic message. The message prompts recipients to change their password and provides
them with a link that redirects them to a malicious page where the attacker now captures their
credentials.
Social engineering prevention
Social engineers manipulate human feelings, such as curiosity or fear, to carry out
schemes and draw victims into their traps. Therefore, be wary whenever you feel alarmed by
an email, attracted to an offer displayed on a website, or when you come across stray digital
media lying about. Being alert can help you protect yourself against most social engineering
attacks taking place in the digital realm.
Moreover, the following tips can help improve your vigilance in relation to social engineering
hacks.

 Don’t open emails and attachments from suspicious sources – If you don’t know the sender
in question, you don’t need to answer an email. Even if you do know them and are suspicious
about their message, cross-check and confirm the news from other sources, such as via
telephone or directly from a service provider’s site. Remember that email addresses are spoofed
all of the time; even an email purportedly coming from a trusted source may have actually been
initiated by an attacker.
 Use multifactor authentication – One of the most valuable pieces of information attackers
seek are user credentials. Using multifactor authentication helps ensure your account’s
protection in the event of system compromise. Imperva Login Protect is an easy-to-deploy 2FA
solution that can increase account security for your applications.
 Be wary of tempting offers – If an offer sounds too enticing, think twice before accepting it as
fact. Googling the topic can help you quickly determine whether you’re dealing with a
legitimate offer or a trap.
 Keep your antivirus/antimalware software updated – Make sure automatic updates are
engaged, or make it a habit to download the latest signatures first thing each day. Periodically
check to make sure that the updates have been applied, and scan your system for possible
infections.
 Attacks On Wireless
Networks 3
Unit Structure

3.1. Learning Objectives

3.2. Introduction

3.3. Basics of Wireless Network

3.4. Standards in Wireless Network

3.5. Wireless Network Attack

3.6. Let Us Sum Up

3.7. Check your Progress: Possible Answers

93
3.1 LEARNING OBJECTIVE

After studying this unit student should be able to:

• To learn different wireless network standards.

• Current Issues with Wireless Network.
• Different attacks on wireless networks and their mitigation strategies.
• Tips to remain secure during wireless connection
• Introduction to Snort how to use it.

3.2 INTRODUCTION

In today's time, the wireless network is present everywhere from home to data centers. They
make life easy from the long and bulky cables and its related issues while ensuring the proper
network connectivity with the internet to perform our everyday task in order to learn the
wireless (In short Wi-Fi which came from wires fidelity) networks. It was first invented by
AT&T in the Netherlands in 1991. We will also see the basics of the wireless networks first
and it's different standards, security issues, and attacks and mitigation strategies. Also, we
will learn about the SNORT tools which is basically and IDS/IPS tool used for securing and
monitoring the network.

3.3 BASICS OF WIRELESS NETWORK

Wireless network in simple terms means the transformation of the information or power
between two nodes without any kind of physical electrical conductor. Wireless technology
uses radio waves for short and long-distance communication.

There is a wide range of application of this wireless technology such as in

telecommunication, satellite communications, mobiles, etc. There are multiple types of
wireless network exists which I am sure you will be aware by the names as Wide Area
Network(WAN), Local Area Network(LAN), Mobile Adhoc Network(MANET).

All these different types of networks are used for a different purpose but using wireless
technology is at the core of all this. This network is a very popular choice for home users and
from the small and medium size organization. There are three essential components of the

94
wireless network that are radio signals, antenna, and router. The radio waves are the key
which makes the Wi-Fi networking possible which are then converted to signals and picked
by the Wifireceiver which is transmitted by the antenna. Then users are connected through
the router for the communication.

The access point or router has a unique feature called as a beacon transmission, where it
keeps on sending a signal on the wireless radio spectrum. This signal contains the network
identification known as the service set identifier (SSID) and some trivial error correction
information.

The wireless receiver such as a laptop or any wireless device detects this signal in order to
show it in the list of available wireless networks. It also detects whether or not the access
point is using any security, and what level of security protocol, etc.

The access point or router contains TCP/IP stack which responds to ARP requests when a
node tries to connect to it. Since wireless can allow multiple nodes at any instance, it is
essential to have an authentication layer prior to starting the data transfer. It is the
responsibility of the access point to ensure this security and monitor the packet transmission
and data integrity.

3.4 STANDARDS IN WIRELESS NETWORKS

For the wireless networks, 802.11 is the working group from the Institute of Electrical and
Electronics Engineers (IEEE) who defines the standard of operation for a specific technology.
They are the group of expert members who works on it. There is multiple version of this. In
each version, there is an improvement in the features of 802.11.

Standard Frequency Speeds Interoperates with

802.11a 5 GHz 54 Mbps None

802.11b 2.4 GHz 11 Mbps None

802.11g 2.4 GHz 54 Mbps 802.11b

802.11n 2.4 / 5 GHz 100 Mbps 802.11b, 802.11g

802.11ac 5 GHz 1.3 Gpbs 802.11a, 802.11n

95
There are some common properties between all these standards there is also difference exist
between these standards such as in terms of speed and speed and modulation Whether they
are backward compatible or not.

There is some difference in protocols and how the data is handled by different standards but
the attack and defence strategy will remain the same most of the time.

The 802.11 standards, will prescribe which frequencies these technologies work as well as
which channel which also depends on the geographical locations. In the United States, There
are 11 different channels available from 1 to 11 all are separate and they will not interfere
with one another.

The wireless network can work in two different modes such as Infrastructure and Ad-Hoc.

There are some terminologies need to understand which are useful before moving forward
and are related to understanding the wireless networks and communications.

SSID: Service Set Identifier is a human-readable name associated with an 802.11

wireless network. It is normally known as the network name.

BSSID: Basic Service Set Identifier uniquely identifies a specific access point and it
is of the similar format as of the MAC address of the access point.

ESSID: Extended Service Set Identifier can essentially be thought of as a group of

BSSID which shares the same layer of the network and same SSID.

As the wireless network doesn’t have the in-built security mechanisms. Due to which a
secure layer is built on top of the wireless network protocol stack.

This is achieved by the encryption and authentication techniques such as WEP(Wired

Equivalent Privacy ) or WPA (Wi-Fi Protected Access). It is very important to secure the
wireless networks as it can easily be intercepted.

Let us now discuss in details regarding the attacks on the wireless networks. We will also in
details regarding the steps of how to crack the wireless networks from the learning
perspective which will help indirectly in how to design and implement the wireless network
effectively with robust security features in an organization.

Also for the wireless network, the security comes from the selection of the security technique
or the authentication method which is adopted. There are various different security technique
which is available such as WEP (Wired Equivalent Privacy), WPA2(Wifi Protected Access

96
II). WPA1 provides two different modes of operation which includes Personal or Pre-Shared
Key(PSK) and Enterprise.

WEP: WEP is a very basic and original part of the 802.11 wireless standards. It
provides encryption at layer 2 in an OSI layer. WEP utilizes the RC4 encryption
algorithm to encrypt data and uses a shared key-system. It uses either 40 bit or 104 bit
WEP key to encrypt data.

WPA2-PSK: It utilizes a shared key that is communicated to both sides access point
and client before establishing a wireless connection. This key is then used for secure
communication.

WPS2-Enterprise: It is also known as 802.1X which uses a RADIUS server for the
authentication purpose. IT is achieved using EAP (Extensible Authentication Protocol
which is defined in RFC 3748).

3.4 WIRELESS NETWORK ATTACK

Any kind of wireless network attack is vulnerable and can cause the potential business
impact. We will see several classifications which are described as below:

1. Access Control Attack: This attack tries to penetrate the wireless network or evading the
access control mechanisms.

War Driving: To discover wireless LAN network by listening to beacons using

sniffing tools.

Rogue Access Point: Installing an unsecured or fake access point inside the firewall.

Ad Hoc Associations: Connecting directly to an unsecured station.

MAC Spoofing: To bypass the MAC filtering policy in access points attackers used
to change the MAC address which matches to the access point MAC address
whitelist. SMAC tool can help in changing the MAC address in windows.

RADIUS Cracking:RADIUS(Remote Authentication Dial In User Service) is a

server which is used to authenticate client and server. This attack can be performed
using a brute force attack to obtain the secret key.

97
2. Confidentiality Attack: In these types of attacks attackers try to intercept the private
information which is sent over a wireless network.

Eavesdropping: To capture the unprotected network traffic. Attackers mostly target

the public wifi where the network usually does not have strong security measures.

WEP Key Cracking: To capture the network packets to recover the WEP key using
active or passive methods.

Man In The Middle Attack: Attackers will try to capture the SSL connections in
wireless networks and proxy them to web page logins to conduct the phishing attack.
It can successfully complete this attack by first setting up the rogue access point and
try to behave like a legitimate access point.

There are several steps involved to conduct such an attack which is listed below.

1. Select and target the access point and associated clients.

2. Identify the security protocol used such as WEP/WPA2 and crack the key.

3. Configure the wireless card as a rogue access point.

4. Use Airplay-ng to send de-authentication packets to target the host to disconnect

from the network.

5. The disconnected client will reconnect after scanning with the fake access point.

3. Integrity Attack: These types of attacks send the forged control and management or data
frames over the wireless network to misguide them or to fulfill another attack.

Frame Injection: Specifically crafting and forging the 802.11 packets.

RADIUS Replay: To capture RADIUS accept and reject messages for later reply.

4. Authentication Attack: Attackers try to steal legitimate user identities and credentials to
access private network and services.

VPN Login Craking: To get the credentials using the brute force attacks on VPN
authenticated protocols.

PSK Cracking: To crack and recover the password of WPA/WPA2-PSK from

captured key handshake frames using dictionary attack tools.

5. Availability Attacks: These attacks stop the delivery of wireless services to legitimate users
by denying them from accessing the WLAN resources.

98
 Beacon Flood: Generating thousands of fake beacons to make it hard for stations to
find a legitimate access point.

The next point we are going to see is to see how to crack the wireless network and get the
encryption key. Also, we will see the process and tools usage which are mainly present in
Kali Linux operating system.

But above all, it starts from understanding the basic cryptographic algorithm before starting
to break it. As it is just built by using mathematical functions.

Always under certain circumstances, weak implementation of the security mechanisms

allows an attacker to reverse engineer it. It applies to the wireless network protocols too.

When a WEP encrypted packets are captured using Wireshark or any other similar tool, there
is a field which is labeled as IV(Initialization Vector). Every packet has a different IV. IV is a
24-bit pseudo-random number which is there with every packet.

By passively capturing(stealth mode capture) the traffic to capture enough packets, WEP key
can be cracked. As for 24-bit pseudo-random number, there are around 16 million unique
IV’s, which can easily be got by capturing the busy network traffic. So there are chances that
multiple packets can have the same IV’s.

Let us see the process.

1. Identify the target wireless network.

2. Passively monitor the encrypted packets between an access point and client using a
sniffer tool.

3. Monitor ARP packets, as ARP packets are very small and having a unique size,
also it would be easy for an attacker to reply for an ARP request and to start
capturing.

4. Continue to send ARP request and get unique IV’s.

5. Save around 50,000 encrypted packets to determine the WEP key.

6. Use the aircrack-ng program against the saved packets to obtain the WEP key.

(aircrack-ng tools can be found pre-installed in Kali Linux).

There are other tools which are present and used for wireless network attacks. Such as:

Airmon-ng: Bash script to enable monitor mode on a wireless interface.

99
 Airodump-ng: Wireless packet capturing tool designed for capturing packet for
aircrack-ng.

Airplay-ng: Packet Injection Tool for the wireless network to generate the traffic.

Aircrack-ng: It is a tool used for cracking key of WEP or WPA/WPA-PSK wireless

network.

Various commands line utility or tools which are used for basic information gathering of
wireless network which is listed below.

iwlist: Command line utility for identifying the wireless network

Kismet: Linux wireless network detection suite.

Netstumbler: Windows-based wireless network detection suite.

We have seen the basic overview of the WEP cracking, but now we will look inside each step
in detail with commands. To start from identifying the NIC cards, scanning wireless networks
in surroundings.

The simplest way to identify the network wireless network cards in your system is using
iwconfig. It will list out all network interfaces which are present in the system.

There will be a wireless card which will be shown as wlan0 which will support the majority
of all standards from (a,b,g, and n).

Next step is to use an iwlist command which will help to gather initial information.

iwlist wlan0 scanning

This command will give information such as ESSID, channel, frequency such information
will be useful in later stages.

There are several fields which will be seen in the output and use to perform the following
tasks.

Encryption key: If this is set on, then the access point is using WEP encryption.

Channel: To see the current wireless channel for the specific BSSID.

Mode: If the mode is set to master, then it is an access point or else it is an Ad-Hoc
Network.

100
Use the MAC address statically while performing such kind of testing. For cloning MAC
address in Linux it is essential to bring down the interface first and to start again, this can be
performed using the ifconfig command.

Let’s begin with the process.

1. Identify the insure network using an iwlist command, which will consist of BSSID along
with the channel.

2. Start the wireless card interface wlan0 into monitor mode using airmon-ng. For eg:

>>airmon-ng start wlan0

Start capturing the network traffic associated with the network using airodump-ng.

3. >>airodump-ng –w DUMP –c <channel> --bssid<MAC Address> mon0

-w DUMP: It will tell airodump to name all files in output to start with DUMP*.

-c <channel>: It tells airodump to stay connected on the channel specified, instead to

jump In different channels.

--bssid: Just capture traffic related to target bssid.

Keep the window open until we do not capture the sufficient numbers of packets. We have
already seen that we need thousands of packets to gather enough number of IV to crack the
WEP key.

Goto the current working directory where you will see some pcap files which can be open
and view with Wireshark.

Now use aircrack-ng to see that pcap file to check how any number of packets are captured
and how many numbers of unique IV are there. It will automatically tell whether we need
more packets or we have enough number of the packet.

4. >>aircrack-ng *.cap

If it shows “Failed”. Then try again using ARP reply attack to capture enough number of
packets. As without a few thousand unique IV, we won't be able to crack the key.

5. >>airplay-ng –arprepaly –b <MAC Address>

--arpreplay: Attack method.

101
 ARP replay attack takes time to complete the packet capturing process. Sometimes in
several scenarios, if the packet capturing is not started then we have to cancel the process
using CTRL-C and we have to start again.

-b: Target MAC address.

After some time again check with

>>airplay –ng *.cap

This will shows if the number of IV are gathered it will automatically crack the key and
will show in hexadecimal form. Convert the same in ASCII format for text representation.

Now we will see about the WPA which is known as Wifi Protected Access. It has got two
different versions, WPA and WPA2(802.11i).

The initial 3 steps of WEP cracking are the same for the cracking the WPA2-PSK encrypted
are same but in later stages, the process becomes different which we will see below.

4. After performing the 3rd step the output will defer from what we have seen in the WEP
process. Where the BSSID will show that the encryption used is WPA2 and PSK as the
authentication method. Also, we can see the clients connected with the wireless network.

Now, we can wait for another client to connect with the wireless aces point or we can
deauthenticate the current client and capture the WPA handshake.

Use the airplay-ng utility to deauthenticate if there is any existing client connected with
the network.

5. >>airplay-ng –deauth=5 –a <MAC Address> mon0

-- deauth=5: To deauthenticate the client and retry it 5 times if it fails on the first time. We
can set this value as per our requirement. Make a note of STMAC address in output which
represents the station MAC Address which will be required in a further step.

-a: Provide target MAC Address

Now, this method will not work on a large network, this will be not in a stealthy mode
which we want to be. Also broadcasting the deauthentication message will not make sure
that client will reconnect to it.

Use the –c flag in the above command to make it effective.

>>airplay-ng –deauth=5 –a <MAC Address> -c <STMAC> mon0

102
 After deauthentication of the client, it will automatically reconnect with the network and
we will have the proper authentication handshake and start collecting in the pcap file. This
can be seen using aircrack-ng command.

>>aircrack-ng *.cap –w /usr/share/dict/words.

-w: Word list can be a user-specified directory where the file is located.

Aircrack-ng checks around 1000 passwords per second. In the output, you will get the text
representation of the key obtained.

Check Your Progress 1

1. List out all the commands in a sequence which is used to crack WEP encryption.

3.5 LET US SUM UP

In this chapter, we have what all kind of wireless network attacks are there. Also, we have
seen how to gather initial information or how to a reconnaissance of the wireless network to
crack the key. It is important to understand the commands and what it does instead of blindly
entering the command in the terminal.

We have also seen the tools which can be used for a different operating system platform.
Also, this does not ensure that the process mentioned will work on all environments. This can
differ as per the infrastructure and network devices used. Type of the wireless network card
also sometimes can create some issues related to some software or packages dependencies.

3.6 CHECK YOUR PROGRESS: POSSIBLE ANSWERS

Check Your Progress 1

>>airmon-ng start wlan0 <channel>

>>airodump-ng -w OUT -c <channel> –bssid<MAC Address> mon0
>>aireplay-ng --arpreplay -b <MAC Address> mon0
>>aircrack-ng *.c

103
Social Engineering Attacks
Social engineering is the art of one human attempting to coerce or deceive another
human into doing something or divulging information. We do this all the time in our day-
to-day lives. Children social engineer their parents into giving permission or providing
something they want. As a spouse, you may social engineer your partner into doing a
chore you’re responsible for. Criminals and hustlers are no different: They use social
engineering tactics to get humans to divulge information about themselves or someone
else. This is key in order to obtain private data to perfect identity theft. Hackers also
attempt to social engineer targeted employees into divulging information about IT systems
or applications so that the hackers can gain access.
Hackers and perpetrators use many different tactics to attempt to social engineer their
victims. Here is a summary of social engineering attacks that may be used on you or your
organization:
Authority—Using a position of authority to coerce or persuade an individual to divulge
information.
Consensus/social proof—Using a position that “everyone else has been doing it” as proof
that it is okay or acceptable to do.
Dumpster diving—Finding unshredded pieces of paper that may contain sensitive data or
private data for identity theft.
Familiarity/liking—Interacting with the victim in a frequent way that creates a comfort
and familiarity and liking for an individual (e.g., a delivery person may become familiar
to office workers over time) that might encourage the victim to want to help the familiar
person.
Hoaxes—Creating a con or a false perception in order to get an individual to do some-
thing or divulge information.
Impersonation—Pretending to be someone else (e.g., an IT help desk support person, a
delivery person, a bank representative).
Intimidation—Using force to extort or pressure an individual into doing something or
divulging information.
Scarcity—Pressuring another individual into doing something or divulging information
for fear of not having something or losing access to something.
Shoulder surfing—Looking over the shoulder of a person typing into a computer screen.
Tailgating—Following an individual closely enough to sneak past a secure door or access
area.
Trust—Building a human trust bond over time and then using that trust to get the indi-
vidual to do something or divulge information.
Urgency—Using urgency or an emergency stress situation to get someone to do some-
thing or divulge information (e.g., claiming that there’s a fire in the hallway might get the
front desk security guard to leave her desk).
Vishing—Performing a phishing attack by telephone in order to elicit personal
information; using verbal coercion and persuasion (“sweet talking”) the individual under
attack.
Whaling—Targeting the executive user or most valuable employees, otherwise consid-
ered the “whale” or “big fish” (often called spear phishing).

Wireless Network Attacks

Wireless network attacks involve performing intrusive monitoring, packet
capturing, and penetration tests on a wireless network. Given the rapid deployment of
wireless network connectivity in both public and private places, the mobile user is under
constant threat. Wireless networks may be compromised as a network access point into
your IT infrastructure. Implementation of proper wireless networking security controls is
the key to mitigate the risks, threats, and vulnerabilities that arise from wireless networks.
Many different tactics are used by hackers and perpetrators as they attempt to penetrate
and attack wireless networks.
Here is a summary of wireless network attacks:
Bluejacking—Hacking and gaining control of the Bluetooth wireless communication link
between a user’s earphone and smartphone device.
Bluesnarfing—Packet sniffing communications traffic between Bluetooth devices.
Evil twin—Faking an open or public wireless network to use a packet sniffer on any user
who connects to it.
IV attack—Modifying the initialization vector of an encrypted IP packet in transmission
in hopes of decrypting a common encryption key over time.
Jamming/interference—Sending radio frequencies in the same frequency as wireless
network access points to jam and interfere with wireless communications and disrupting
availability for legitimate users.
Near field communication attack—Intercepting, at close range (a few inches),
communications between two mobile operating system devices.
Packet sniffing—Capturing IP packets off a wireless network and analyzing the TCP/IP
®
packet data using a tool such as Wireshark .
Replay attacks—Replaying an IP packet stream to fool a server into thinking you are
authenticating to it.
Rogue access points—Using an unauthorized network device to offer wireless
availability to unsuspecting users.
War chalking—Creating a map of the physical or geographic location of any wireless
access points and networks.
War driving—Physically driving around neighborhoods or business complexes looking
for wireless access points and networks that broadcast an open or public network
connection.

In addition to these specific attacks, hackers may also attempt to exploit

weaknesses in the wireless encryption method used by the target: WEP (Wireless
Encryption Protocol), WPA (Wi-Fi Protected Assets), or WPS (Wi-Fi Protected Setup).

Web Application Attacks

Web application attacks involve performing intrusive penetration tests on public-
facing web servers, applications, and back-end databases. Given the rapid deployment of
e-commerce and customer or member portals and websites, access to private data,
sensitive data, and intellectual property is abundant. Many different tactics are used by
hackers and perpetrators when attempting to penetrate and attack web applications.
Web applications that are public facing on the Internet are subject to a host of web
application attacks, including:
Arbitrary/remote code execution—Having gained privileged access or sys admin rights
access, the attacker can run commands or execute a command at will on the remote
system.
Buffer overflow—Attempting to push more data than the buffer can handle, thus creating
a condition where further compromise might be possible.
Client-side attack—Using malware on a user’s workstation or laptop, within an internal
network, acting in tandem with a malicious server or application on the Internet (outside
the protected network).
Cookies and attachments—Using cookies or other attachments (or the information they
contain) to compromise security.
Cross-site scripting (XSS)—Injecting scripts into a web application server to redirect
attacks back to the client. This is not an attack on the web application but rather on users
of the server to launch attacks on other computers that access it.
Directory traversal/command injection—Exploiting a web application server, gaining
root file directory access from outside the protected network, and executing commands,
including data dumps.
Header manipulation—Stealing cookies and browser URL information and manipulat-
ing the header with invalid or false commands to create an insecure communication or
action.
Integer overflow—Creating a mathematical overflow which exceeds the maximum size
allowed. This can cause a financial or mathematical application to freeze or create a vul-
nerability and opening.
Lightweight Directory Access Protocol (LDAP) injection—Creating fake or bogus ID
and authentication LDAP commands and packets to falsely ID and authenticate to a web
application.
Local shared objects (LSO)—Using Flash cookies (named after the Adobe Flash
player), which cannot be deleted through the browser’s normal configuration settings.
Flash cookies can also be used to reinstate regular cookies that a user has deleted or
blocked.
Malicious add-ons—Using software plug-ins or add-ons that run additional malicious
software on legitimate programs or applications.
SQL injection—Injecting Structured Query Language (SQL) commands to obtain infor-
mation and data in the back-end SQL database.
Watering-hole attack—Luring a targeted user to a commonly visited website on which
has been planted the malicious code or malware, in hopes that the user will trigger the
attack with a unknowing click.
XML injection—Injecting XML tags and data into a database in an attempt to retrieve
data.
Zero-day—Exploiting a new vulnerability or software bug for which no specific defenses
yet exist.
 Attack Tools

Protecting an organization’s assets and IT infrastructure requires that you have some
idea of how attackers think. Knowing how an attack is conducted and what tools are used will
help you build a defense plan. In fact, many organizations use the same tools that attackers
use to help identify weaknesses they need to address. It is always better to find weaknesses in
your own environment before an attacker does, but it is even more important to quickly
remediate that weakness.
Computer criminals and cyberattackers use a number of hardware and software tools to
discover exploitable weaknesses and other tools to perform the actual attack. These tools and
techniques can include the following:
 Protocol analyzers
 Port scanners
 OS fingerprint scanners
 Vulnerability scanners
 Exploit software
 Wardialers
 Password crackers
 Keystroke loggers

Protocol Analyzers

A protocol analyzer or packet sniffer (or just sniffer) is a software program that enables a
computer to monitor and capture network traffic, whether on a LAN or a wireless network.
Attackers can capture and compromise passwords and clear text data. Protocol analyzers
come in both hardware versions and software versions, or a combination of both. Sniffers
operate in promiscuous mode, which means that every data packet can be seen and captured
by the sniffer. Sniffers decode the frame and IP data packet, allowing you to see data in
cleartext if it has not been encrypted.

Port Scanners
A port scanner is a tool used to scan IP host devices for open ports that have been enabled.
Think of a port number as a channel commonly associated with a service. For example, Port
80 is for HTTP web traffic, Port 21 is File Transfer Protocol (FTP), and Port 23 is Telnet, and
so on. Request for Comments (RFC) 1700, now superseded by RFC 3232, lists the most com-
mon TCP/UDP port numbers and services. (For a complete list of port numbers, refer to the
Internet Assigned Numbers Authority [IANA].) Port scanners are used to identify open ports
or applications and services that are enabled on the IP host device. This provides attackers
with valuable information that can be used in the attack.

OS Fingerprint Scanners

An operating system (OS) fingerprint scanner is a software program that allows an

attacker to send a variety of packets to an IP host device, hoping to determine the target
device’s operating system (OS) from the responses. Whereas network protocols are generally
standard, different operating system vendors are free to implement them as they see fit. The
packets sent from the OS fingerprint scanner will recognize differences from the various
operating systems used in workstations, servers, and network devices. When an IP host
device responds, then the OS fingerprint scanner can guess what operating system is installed
on the device. Once an attacker knows what OS and version is installed, the better chance he
has to use applicable software vulnerabilities and exploits. A software vulnerability is a bug
or weakness in the program. An exploit is something that an attacker can do once a
vulnerability is found.

Vulnerability Scanners

A vulnerability scanner is a software program that is used to identify and, when

possible, verify vulnerabilities on an IP host device. From this information, a vulnerability
scanner comparesknown software vulnerabilities in its database with what it has just found.
The vulnerability scanner lists all known software vulnerabilities and prioritizes them as
critical, major, or minor. For a complete and up-to-date list of known software vulnerabilities
and exposures, visit https://cve.mitre.org. The Common Vulnerabilities & Exposure (CVE)
list is maintained and managed by the Mitre Corporation on behalf of the U.S. Department of
Homeland Security. This list is now referred to as the National Vulnerability Database
(NVD).
Exploit Software

Exploit software is an application that incorporates known software vulnerabilities,

data, and scripted commands to “exploit” a weakness in a computer system or IP host device.
It is a program that can be used to carry out some form of malicious intent. This includes
things like a denial of service attack, unauthorized access, a brute-force password attack, or
buffer overflow. Remember, software vulnerabilities create a weakness in the system such as
a software bug, glitch, or backdoor vulnerability.

An attacker will use exploit software when performing vulnerability assessments and
intrusive penetration testing. Vulnerability assessments might identify a weakness;
penetration testing positively verifies the weakness by working to exploit it. Therefore,
intrusive testing generates malicious network traffic. Penetration testing is what a black-hat
or white-hat hacker performs to penetrate a computer system or IP host device. This can lead
to gaining system access as well as access to data, which are the prize that most black-hat
hackers are seeking. A white-hat hacker, given permission, performs penetration testing to
confirm that a discovered vulnerability is legitimate, resulting in critical risk exposure.
White-hat hackers then recommend ways to mitigate the risk exposure as part of the post-
mortem penetration testing report.

Wardialers

A wardialer is a computer program that dials telephone numbers, looking for a

computer on the other end. The program works by automatically dialing a defined range of
phone numbers. It then logs and enters into a database those numbers that successfully
connect to the modem. Wardialers are becoming more archaic and less often used due to the
rise of digital telephony, IP telephony, or Voice over IP (VoIP). Prior to VoIP, attackers
would use wardialers to gain access to private branch exchange (PBX) phone systems in an
attempt to obtain dial tone or international dialing capability to commit toll fraud. In addition,
an attacker would use a wardialer to identify analog modem signals and gain access to the
remote system within an IT infrastructure.

Some wardialers can also identify the operating system running on a computer, as well as
conduct automated penetration testing. In such cases, the wardialer runs through a predeter-
mined list of common usernames and passwords in an attempt to gain access to the system. A
network intruder can use a wardialer to identify potential targets. If the program does not
provide automated penetration testing, the intruder can attempt to hack a modem with
unprotected logons or easily cracked passwords. A network system administrator can use a
commercial wardialer to identify unauthorized modems on an enterprise network. These
unauthorized modems can provide attackers with easy access to an organization’s internal
network and must be controlled or eliminated.
Although wardialing is a rather old attack method, it is still useful for finding access
points to computers. Many computer networks and voice systems have modems attached to
phone lines. These modems are often attached either for direct access for support purposes or
by people attempting to bypass network-access restrictions. Even today’s Internet-connected
environments may have a few modems out there, ready to answer another computer that calls.
Successfully connecting to a computer using a modem provides a possible access point to the
rest of the organization’s network.

Password Crackers

The purpose of password cracking is to uncover a forgotten or unknown password. A

password cracker is a software program that performs one of two functions: a brute-force
password attack to gain unauthorized access to a system or recovery of passwords stored as
a cryptographic hash on a computer system. A cryptographic hash is an algorithm that
converts a large amount of data to a single (long) number. Once mathematically hashed, the
hash value can be used to verify the integrity of those data. In a brute-force password crack-
ing attempt, an attacker tries every possible character combination until the “cracked” pass-
word succeeds in granting acccess. Dictionary attacks are a subset of brute-force attacks. In a
dictionary password attack, hackers try shorter and simpler combinations, including actual
words (hence the name of the attack), because such passwords are so common.

Keystroke Loggers

A keystroke logger is a type of surveillance software or hardware that can record to a

log file every keystroke a user makes with a keyboard. The keystroke logger might store the
log file locally for later retrieval or send it to a specified receiver. Employers might use
keystroke loggers to ensure that employees use work computers for business purposes only.
However, spyware can also include keystroke logger software, hoping to transmit
information such as a password to an unknown third party. (You’ll learn about spyware later
in this chapter.) As a piece of hardware, a keystroke logger is typically a battery-sized plug
that serves as a connector between the user’s keyboard and computer. Because the device
resembles an ordinary keyboard plug, it is relatively easy for someone who wants to monitor
a user’s behavior to hide such a device in plain sight. Besides, workstation keyboards usually
plug into the back of the computer, which makes the keystroke logger even harder to detect.
As the user types on the keyboard, the keystroke logger collects each keystroke and saves it
as text in its own miniature hard drive. Later, the person who installed the keystroke logger
must return and physically remove the device in order to access the information the device
has gathered.
A keystroke logger software program is usually disguised as a Trojan malicious
software program. This malicious software can be delivered by a URL link, PDF file, or ZIP
file. As long as an attacker has network access to a computer, he or she can transfer any file,
including executable files, to the target computer. Many attackers then use social engineering
to trick users into launching the downloaded programs. Users can also unwittingly download
keystroke loggers as spyware, which an attacker can then execute as part of a rootkit. (You’ll
learn more about rootkits later in this chapter.) The keystroke logger program records each
keystroke the user types and periodically uploads the information over the Internet to
whomever installed the program.
What Is a Countermeasure?

There are no simple measures to protect your organization from computer attacks.
You must focus on countermeasures that detect vulnerabilities, prevent attacks, and respond
to the effects of successful attacks. This is not easy—but it is better than the alternative.
Dealing with computer and network attacks is a cost of doing business in the IT field.
Although smart attackers and intruders continue to invent new methods of attacking
computer and network resources, many are well known and can be defeated with a variety of
available tools. The best strategy is to identify vulnerabilities and reduce them to avoid at-
tacks in the first place.
Avoiding attacks should be the highest priority. Even so, some attacks will succeed. Your
response to attacks should be as aggressive, proactive, and reactive as the attack itself. You
can respond to attacks by developing plans to rapidly restore computer and network resources
if they are attacked, closing holes in your organization’s defenses, and obtaining evidence for
prosecution of offenders. Of course, you should use the lessons learned from an attack to
protect the network from similar attacks.
Responding to attacks involves planning, policy, and detective work. Fortunately, law en-
forcement agencies, forensic experts, security consultants, and independent response teams
are available to assist you in responding to a security incident as well as prosecuting offend-
ers. In addition, many organizations have special teams to handle security incidents when
they occur. These security incident response teams (SIRTs) know how to recognize
incidents and respond to them in a way that minimizes damage and preserves evidence for
later action.

Countering Malware

Malware provides a platform for attacks on both personal and business networks.
Anti-malware measures are the first line of defense against these attacks. You must take steps
to prevent the introduction of malware into your environment. It’s always better to prevent
malware than to have to fix damage caused by malware. You must develop a security pro-
gram for preventing malware.
Following are six general steps for preventing malware:

 Create an education (information security awareness) program to keep your users

from installing malware on your system.
 Post regular bulletins about malware problems.
 Never transfer files from an unknown or untrusted source unless the computer has an
anti-malware utility installed. (You’ll learn more about anti-malware utilities in a
moment.)
 Test new programs or open suspect files on a quarantine computer—one that is not
connected to any part of your network—before introducing them to the production
environment.
 Install anti-malware software, make sure the software and data are current, and
schedule regular malware scans to prevent malicious users from introducing malware
and to detect any existing malware.
 Use a secure logon and authentication process.
Another important tactic for countering malware is staying abreast of developments in mal-
ware. Keep up with the latest malware information by reading weekly computer journals or
joining organizations like the National Cyber Security Alliance (NCSA) or US-CERT. In
addition, you should frequently check the following websites for information about malware:
National Cyber Security Alliance (NCSA)—www.staysafeonline.org.
United States Computer Emergency Readiness Team (US-CERT)—http://us-cert.gov.

In addition, you should use anti-malware software on your system to scan all files introduced
to workstations and on mail servers. (Note that the more common name for this type of
software is antivirus software. However, because today’s antivirus software generally
addresses more than just viruses, the term anti-malware software is more accurate.) Most
administrators use anti-malware software at many points throughout the network.
Many anti-malware products are available to prevent the spread of all types of malware as
well remove malware from infected computers. These include the following:

 BitDefender—www.bitdefender.com.
 Kaspersky Anti-Virus—www.kaspersky.com.
 Webroot Antivirus—www.webroot.com.
 Norton AntiVirus—www.symantec.com/norton/antivirus.
 ESET Nod32 Antivirus—www.eset.com.
 AVG Antivirus—www.avg.com.
 G DATA Antivirus—www.gdatasoftware.com.
 Avira Antivirus—www.avira.com.
 McAfee Endpoint Protection—www.mcafee.com.
 Trend Micro—www.trendmicro.com.
 Microsoft Security Essentials—www.microsoft.com/ security_essentials.
Some anti-malware software works by examining the activity generated by a file to
determine whether it is malware. These types of anti-malware programs use an approach
called heuristic analysis to see whether programs “act” like malware. Other types of anti-
malware software detect malware by comparing programs and files to signatures of known
types of malware. The problem is, these programs may not immediately recognize and
counteract newly created malware signatures. The anti-malware software must update its
signature database to include these new signatures before the software can detect it. Because
attackers constantly invent new viruses, it’s imperative that you keep your anti-malware
software up to date. An effective approach is to run an anti-malware program update and scan
with every logon.
Note that even if you detect and eliminate a malware infection on a system, there is still a
chance that malware is lurking elsewhere in the organization, ready to reinfect or attack the
system. This is especially true in collaborative environments; files containing viruses may be
stored in central servers and distributed throughout the network. This cycle of infection,
disinfection, and reinfection will continue until you completely purge the malware from the
entire system. If you detect malware anywhere in your system, you must scan all your sys-
tems, including storage devices, for its existence

Protecting Your System with Firewalls

A firewall is a program or dedicated hardware device that inspects network traffic

passing through it and denies or permits that traffic based on a set of rules you determine at
configuration. A firewall’s basic task is to regulate the flow of traffic between computer
networks of different trust levels—for example, between the LAN-to-WAN domain and the
WAN domain, where the private network meets the public Internet.
There are numerous firewall solutions available. Prominent firewall vendors include the
following:

 Palo Alto Networks—www.paloaltonetworks.com.

 Cisco Systems—www.cisco.com.
 SonicWALL—www.sonicwall.com.
 WatchGuard Technologies—www.watchguard.com.
 Check Point—www.checkpoint.com.
 ZyXEL—www.zyxel.com.
 Netgear—www.netgear.com.
 Juniper Networks—www.juniper.net.
 DLink—www.dlink.com.
 MultiTech Systems—www.multitech.com.