ComputerandNetworkSecurity2

Chapter 5 discusses database concepts, SQL injection attacks, and their countermeasures, emphasizing the importance of database security and access controls. It covers various types of SQL injection techniques, attack avenues, and the role of database management systems. Additionally, it highlights the significance of physical and network security measures in protecting data integrity and preventing unauthorized access.

Uploaded by

pikachu.psyduckk
CHAPTER 5

Database: A structured collection of data stored for use by applications, with relationships between data items. May include sensitive data requiring security.

Query Language: A uniform interface to interact with the database for users and applications.

Database Management System (DBMS): A suite of programs for constructing and maintaining databases, offering ad hoc query facilities.

Relational Database: A table of data with rows and columns, where a primary key uniquely identifies rows, and foreign keys link tables.

Primary Key: Uniquely identifies a row in a table using one or more columns.

Foreign Key: Links one table to attributes in another table.

View/Virtual Table: The result of a query returning specific rows and columns, often for security purposes.

Structured Query Language (SQL): A standardized language to define schema, manipulate, and query data in relational databases. Several similar versions of the ANSI/ISO standard exist.

SQL Injection (SQLi) Concepts

SQL Injection Attacks: Exploit web app vulnerabilities by sending malicious SQL commands to extract, modify, or delete data.

Injection Techniques: Prematurely terminate text strings, append commands, or use comments.

SQLi Attack Avenues:
• User Input: Malicious inputs in data fields.
• Server Variables: Exploits HTTP/network headers.
• Second-Order Injection: Uses data already in the database.
• Cookies: Alters cookies to manipulate queries.
• Physical Input: Malicious input outside web requests.

Types of SQLi Attacks:
• Inband Attacks: Same channel for injection and data retrieval. The retrieved data are presented directly in the application Web page.
• Inferential Attacks: Gather information indirectly via query responses (e.g., blind SQL injection); no actual transfer of data.
Illegal/Logically Incorrect Queries: Used to gather information about the type and structure of the backend database in a web application. Often a preliminary information-gathering step for other attacks.
Blind SQL Injection: Enables attackers to infer data from a database system, even when it doesn't return error messages or explicit information.
• Out-of-Band Attacks: Data are retrieved using a different channel. Can be used when there are limitations on SQL information retrieval, but outbound connectivity from the database server is lax.

SQLi Countermeasures: Defensive coding, parameterized queries, signature-based detection, and runtime query prevention.

SQL Access Controls: (select, insert, update, delete, references)
• Grant: Assigns access rights/roles.
• Revoke: Removes access rights/roles.

Role-Based Access Control (RBAC): Simplifies administration by assigning roles with defined permissions.
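
An added example, not from the notes, of the countermeasure the notes name (parameterized queries) next to the string-concatenation defect it fixes, run against a constructed in-memory SQLite table. The user table, credentials and the crafted input are constructed for the example, and the signature regex is only a small illustration of signature-based detection.

```python
import re
import sqlite3

# Constructed sample table; names and passwords are made up for the example.
SEED_USERS = [("alice", "s3cret", "admin"), ("bob", "hunter2", "user")]


def make_db() -> sqlite3.Connection:
    """Build an in-memory SQLite database holding the constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SEED_USERS)
    conn.commit()
    return conn


def login_vulnerable(conn, name: str, password: str) -> list:
    """The 'before' case: input is pasted into the SQL text, so a quote in the
    input ends the string literal early and whatever follows is parsed as SQL."""
    sql = (f"SELECT name, role FROM users "
           f"WHERE name = '{name}' AND password = '{password}'")
    return conn.execute(sql).fetchall()


def login_parameterized(conn, name: str, password: str) -> list:
    """The countermeasure from the notes: the SQL text is fixed and the driver
    binds the values as data, so quotes or comment markers in the input stay
    inside the bound value and cannot alter the query structure."""
    sql = "SELECT name, role FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchall()


# A signature-style check for the string-termination technique the notes
# describe (a quote followed by an OR clause or a SQL comment marker). It is a
# logging aid for detection, not a substitute for parameterized queries.
INJECTION_SIGNATURE = re.compile(r"'\s*(?:or\b|--|/\*|#)", re.IGNORECASE)


def looks_like_injection(value: str) -> bool:
    """Return True when the input carries a string-termination signature."""
    return INJECTION_SIGNATURE.search(value) is not None


if __name__ == "__main__":
    db = make_db()
    # Constructed input that closes the string, appends OR, and comments out the rest.
    crafted = "' OR '1'='1' --"
    print("vulnerable   :", login_vulnerable(db, crafted, "x"))     # every row
    print("parameterized:", login_parameterized(db, crafted, "x"))  # []
    print("flagged      :", looks_like_injection(crafted))          # True
```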

Fixed Roles in SQL Server:
• Server Roles: Manage server configurations and resources.
• Database Roles: Manage database-level permissions.

Database Access Control

Access Control: Determines permissions for create, read, update, and delete actions, using centralized, ownership-based, or decentralized policies.

Database Encryption: Protects data at the database, record, attribute, or field level. Challenges include key management and limited searching.

Inference Detection:
• Design: Modifies the structure to prevent inference.
• Query Time: Blocks or alters queries to prevent data inference.

Data Center: A facility hosting servers, storage devices, and network equipment with redundant power and security measures.

Security Considerations:
• Site Security: Setbacks, barriers, controlled entry points.
• Physical Security: Surveillance, multi-factor authentication.
• Network Security: Firewalls, intrusion detection.
• Data Security: Encryption, masking, retention policies.

Tier System Design (TIA-942):
• Tier 1: Basic, no redundancy, 99.671% uptime.
• Tier 2: Some redundancy, 99.741% uptime.
• Tier 3: Planned maintenance without disruption, 99.982% uptime.
• Tier 4: Fully redundant, 99.995% uptime.

CHAPTER 6

Malware: A program that is inserted into a system with the intent of compromising the confidentiality, integrity, or availability of the victim's data, applications, or OS.

Advanced Persistent Threat (APT): Long-term, targeted attacks on business or political entities using various intrusion technologies and malware, often state-sponsored. APTs differ from other types of attack by their careful target selection and stealthy intrusion efforts over extended periods. High-profile attacks include Aurora, RSA, APT1, and Stuxnet.

Adware: Advertising integrated into software that causes pop-up ads or browser redirection. (Zeus, Angler)
Attack Kit: Tools for automatically generating malware, including propagation and payload mechanisms. Toolkits are often known as "crimeware".
Auto-rooter: Hacker tools to remotely break into systems.
Backdoor (Trapdoor): Mechanisms bypassing security checks to allow unauthorized access.
Downloader: Installs additional malicious items on compromised systems.
Drive-by Download: Code exploiting browser vulnerabilities to attack systems when viewing compromised sites.
Exploits: Code targeting specific vulnerabilities.
Flooder (DoS Client): Generates high data volumes to carry out denial-of-service (DoS) attacks.
Keylogger: Captures keystrokes on a compromised system.
Logic Bomb: Code triggered by predefined conditions to execute unauthorized actions.
Macro Virus: Virus using macro/scripting code, typically embedded in documents.
Mobile Code: Software that runs identically across different platforms.
Rootkit: Hacker tools for maintaining root-level access after breaking into a system.
Spammer Program: Sends large volumes of unwanted email.
Spyware: Collects and transmits sensitive information by monitoring system activity.
Trojan Horse: Program appearing useful but containing hidden malicious functions.
Virus: Malware that replicates itself into other executable code, infecting systems.
Worm: Independent malware that propagates across networks by exploiting vulnerabilities.
Zombie (Bot): Infected machine used to launch attacks as part of a botnet.

Virus: Infects programs by modifying them to include a copy of itself, spreads through networks, and executes secretly when the host program runs. Specific to operating system and hardware.

---- Virus Components ----
Infection Mechanism: Means by which a virus spreads or propagates (infection vector).
Trigger: Event or condition that activates the virus payload (logic bomb).
Payload: Effect of the virus, which may be harmful or benign.

---- Virus Phases ----
Dormant Phase: Virus remains idle until triggered.
Propagation Phase: Virus replicates into other programs or disk areas.
Triggering Phase: Virus activates based on specific events.
Execution Phase: Virus performs its intended function.

---- Virus Classifications by TARGET ----
Macro Virus: Attaches to documents and uses macro programming to execute and propagate.
File Infector: Infects executable files.
Boot Sector Infector: Infects a disk's boot record, spreading during system boot.
Multipartite Virus: Infects files in multiple ways.

---- Virus Classifications by STRATEGY ----
Encrypted Virus: Uses encryption to hide its code.
Stealth Virus: Designed to avoid detection by antivirus software.
Polymorphic Virus: Mutates with every infection.
Metamorphic Virus: Rewrites itself with each iteration, altering both behavior and appearance.

Worm: Self-replicating program that seeks to infect multiple machines, often exploiting software vulnerabilities.
Spread Mechanisms: Network connections, shared media, email, remote execution, and file sharing.

Target Discovery: Scanning for vulnerable systems using random, hit-list, topological, or local subnet methods.
Scanning (or Fingerprinting): First function in the propagation phase for a network worm. Searches for other systems to infect.
Random: A compromised host probes random addresses in the IP address space using a different seed. This produces a high volume of Internet traffic which may cause generalized disruption even before the actual attack is launched.
Hit-List: The attacker precompiles a list of vulnerable machines, delegating portions of the list to infected hosts for faster and stealthier scanning.
Topological: Finds new targets using information from already infected machines.
Local Subnet: Targets systems within the same local network as an infected host by exploiting the subnet structure, bypassing firewalls.

Email Worm: Spreads through email attachments or messages.
Network Worm: Propagates through network vulnerabilities.
File Worm: Infects shared files or removable media.
Mobile Worm: Targets smartphones via Bluetooth or MMS.

Drive-By-Download: Exploits browser and plugin vulnerabilities to download and install malware when a user views a malicious webpage. The malware does not propagate like worms; it spreads when users visit infected websites.
Watering-Hole Attack: A targeted attack where attackers compromise websites likely visited by their victims. The malicious code activates only for specific systems, increasing stealth.
Malvertising: Places malware in online ads without compromising the hosting site. Attackers dynamically generate malicious code in ads, targeting specific users and systems, making detection difficult.
Clickjacking: UI redress attack where attackers trick users into clicking unintended buttons or links, often using transparent layers. This can hijack keystrokes or perform unauthorized actions.
Social Engineering: Manipulating users to compromise their own systems, often via phishing, spam, or Trojan horses.

Morris Worm: The first significant worm infection, released by Robert Morris in 1988, targeting UNIX systems. It attempted to crack local password files for login credentials, exploited a bug in the finger protocol to locate remote users, and utilized a trapdoor in the debug option of the mail-handling process. Successful attacks communicated with the operating system command interpreter, sending a bootstrap program to replicate the worm.

WannaCry: A ransomware attack in May 2017 that rapidly infected hundreds of thousands of systems in over 150 countries. It spread as a worm by scanning local and random remote networks to exploit a vulnerability in the SMB file-sharing service on unpatched Windows systems. The attack encrypted files and demanded ransom payments for decryption. Its spread was mitigated by the accidental activation of a "kill-switch" domain by a UK security researcher.

Ransomware: Encrypts user data and demands payment for the decryption key. Notable examples include WannaCry (2017), which targeted systems globally, encrypting files and demanding Bitcoin ransoms.

Chernobyl Virus: A destructive parasitic virus (1998) targeting Windows systems, overwriting the first megabyte of the hard drive to corrupt the file system.

Klez: A mass-mailing worm (2001) infecting Windows systems, spreading via email and disabling antivirus programs. On a trigger date, it empties files on the infected system.

Bot: Takes over computers to perform coordinated attacks (e.g., DDoS, spam, or malware distribution).

Botnet: A network of bots controlled remotely, often using peer-to-peer or IRC communication.

Trojan Horse: A program containing hidden harmful code to perform unauthorized actions, such as data theft or system corruption.

Remote control facility: Distinguishes bots from worms; bots are controlled via central or distributed mechanisms like IRC servers, HTTP, or peer-to-peer protocols.

Information Theft:
Keylogger: Captures keystrokes, often filtering for keywords like "login" or "password."
Spyware: Subverts systems to monitor activities, modify web data, or redirect traffic.
Phishing: Social engineering to impersonate trusted communication, stealing user credentials.
Spear-phishing: Targeted phishing crafted for specific individuals using personalized details.

Stealthing:
Backdoor: Secret entry point bypassing security, also called a trapdoor or maintenance hook.
Rootkit: Hidden programs granting covert access, subverting system monitoring, and enabling root-level privileges for unauthorized actions.

System Corruption:
Real-world damage: Malware causes physical harm to equipment. The Chernobyl virus rewrites BIOS code; the Stuxnet worm targets specific industrial control system software.
Logic bomb: Code embedded in malware that activates under certain conditions.

Attack Agents:
Bots: Malware that takes over an Internet-connected computer to manage attacks.
Botnet: A coordinated collection of bots used for:
• Distributed Denial-of-Service (DDoS) attacks.
• Spamming, sniffing traffic, keylogging, and spreading malware.
• Installing adware and browser helper objects (BHOs).
• Attacking IRC chat networks or manipulating online polls and games.

CHAPTER 7

Denial-of-Service (DoS) Attack: Prevents or impairs the authorized use of networks, systems, or applications by exhausting resources such as CPU, memory, bandwidth, and disk space.

DoS Categories:
Network Bandwidth: Overloads network links connecting a server to the internet.
System Resources: Crashes or overloads network handling software.
Application Resources: Consumes resources via valid requests, limiting server responses to legitimate users.

Classic DoS Attacks:
Flooding Ping Command: Overwhelms network connection capacity, affecting performance.
Source Address Spoofing: Uses forged addresses, making attack sources harder to identify.
SYN Spoofing: Overflows connection tables, denying access to legitimate users.

Flooding Attacks: Overload network capacity with specific packet types.
ICMP Flood: Uses echo requests.
UDP Flood: Targets specific ports.
TCP SYN Flood: Overloads with SYN packets.

Distributed Denial-of-Service (DDoS): Uses multiple compromised systems (a botnet) to generate attacks. Botnets are controlled by an attacker to flood a target system.

HTTP-Based Attacks:
HTTP Flood: Overloads web servers with HTTP requests.
Slowloris: Maintains incomplete HTTP requests, consuming server capacity.

Reflection Attacks: Spoof the target's address, causing intermediaries to flood the victim.
Amplification Attacks: Exploit protocols like DNS to amplify response size.

DoS Defenses:
• Prevent spoofed addresses.
• Modify TCP handling to use cryptographic cookies.
• Block IP broadcasts and suspicious services.
• Use CAPTCHAs and replicate servers for high performance.

Responding to DoS Attacks:
• Implement antispoofing, broadcast blocking, and rate-limiting filters.
• Use network monitors and intrusion detection systems.
• Identify attack type, capture and analyze packets, and block traffic upstream.
• Trace source via ISP, switch to backup servers, or deploy new ones.

CHAPTER 8

Cyber Criminals: Individuals or organized crime group members aiming for financial gain through activities like identity theft, theft of financial credentials, corporate espionage, data theft, or data ransoming. Often young hackers from Eastern Europe, Russia, or Southeast Asia operating through underground forums.

Activists: Individuals or group members (hacktivists) motivated by social or political causes. They perform attacks like website defacement, denial-of-service attacks, or data theft to promote their agenda.

State-Sponsored Organizations: Hacker groups funded by governments for espionage or sabotage, often termed Advanced Persistent Threats (APTs) due to their covert and long-term operations.
Others: Hackers motivated by technical challenge or peer recognition. Includes classic hackers or those exploring vulnerabilities using widely available toolkits.

Apprentice: Hackers with minimal technical skills, relying on existing attack toolkits. They form the largest attacker group and are relatively easy to defend against. Also known as "script kiddies."

Journeyman: Hackers with skills to modify attack tools or exploit new vulnerabilities. Found across all intruder classes, they adapt tools for others' use.

Master: Highly skilled hackers capable of discovering new vulnerabilities and creating powerful attack tools. Some are employed by state-sponsored organizations. Their attacks are extremely difficult to defend against.

Remote Root Compromise: Unauthorized access to a system with root-level privileges.
Web Server Defacement: Altering a web server's content to display unauthorized material.
Guessing/Cracking Passwords: Attempting to gain access by deciphering user passwords.
Copying Databases: Stealing databases containing sensitive information like credit card details.
Unauthorized Data Access: Viewing sensitive data without authorization.
Packet Sniffing: Capturing network traffic to extract sensitive information.
Pirated Software Distribution: Sharing copyrighted software without permission.
Unsecured Modem Access: Exploiting an unsecured modem to infiltrate internal networks.
Executive Impersonation: Pretending to be an executive to extract sensitive information.
Using Unattended Workstations: Accessing systems left unattended to exploit them.

Intrusion Behavior Phases: Includes target acquisition, initial access, privilege escalation, information exploitation, maintaining access, and covering tracks.

Security Intrusion: Unauthorized bypassing of a system's security mechanisms.

Intrusion Detection: Hardware/software systems analyzing activity within a network or system to identify potential intrusions.

Intrusion Detection System (IDS): Includes sensors to collect data, analyzers to detect intrusions, and a user interface for control. Types include host-based (HIDS), network-based (NIDS), and distributed or hybrid systems.

IDS Requirements: Must run continuously, resist faults, avoid system overhead, adapt to changes, and scale for large networks.

CHAPTER 8
• Cyber Criminals: Individuals or members of organized crime groups aiming for financial gain through activities like identity theft, financial credential theft, corporate espionage, data theft, or data ransoming.
• Activists: Individuals or groups motivated by social or political causes, often conducting website defacement, denial of service attacks, or data theft to publicize their cause.
• State-Sponsored Organizations: Government-sponsored hacker groups conducting espionage or sabotage, also known as Advanced Persistent Threats (APTs).
• Others (Hackers): Hackers motivated by technical challenges or peer recognition, often discovering new vulnerabilities or using attack toolkits.
• Apprentice (Skill Level): Hackers with minimal skills, using existing attack toolkits; also called "script-kiddies."
• Journeyman (Skill Level): Hackers with intermediate skills, capable of modifying and extending attack tools or finding new vulnerabilities.
• Master (Skill Level): Hackers with advanced skills, capable of discovering new vulnerabilities and creating powerful attack toolkits.
• Intrusion Detection (ID): Hardware or software function that gathers and analyzes information to identify potential security breaches.
• Intrusion Detection System (IDS): System comprising sensors (data collection), analyzers (detecting intrusions), and user interfaces (monitoring output).
• Host-Based IDS (HIDS): Monitors activity on a single host to detect intrusions using anomaly or signature detection.
• Network-Based IDS (NIDS): Analyzes network traffic to detect suspicious activity based on network, transport, and application protocols.
• Distributed or Hybrid IDS: Combines host and network-based IDS data for better detection and response.
• Intrusion Detection Techniques - Signature Detection: Identifies attacks by comparing observed data to known malicious patterns or attack rules.
• Intrusion Detection Techniques - Anomaly Detection: Identifies attacks by comparing current behavior to a profile of legitimate user behavior.
• Stateful Protocol Analysis (SPA): Compares observed network traffic to vendor-supplied benign protocol profiles, understanding and tracking protocol states.
• NIDS Logging: Logs typical data such as timestamps, connection IDs, protocols, source/destination IPs and ports, event types, and payload data.
• Distributed Detection and Inference: Integrates platform and network policies with adaptive feedback-based policies to detect and respond to intrusions.
• Intrusion Detection Message Exchange Format (IDMEF): A data model (RFC 4765) for representing information exported by intrusion detection systems, implemented using XML.
• Intrusion Detection Exchange Protocol (IDXP): An application-level protocol (RFC 4767) supporting mutual authentication, integrity, and confidentiality for exchanging intrusion detection data.
• Honeypot: A decoy system designed to lure attackers, collect data about their activities, and keep them occupied.
• Low-Interaction Honeypot: Software that emulates IT services to provide a realistic initial interaction without fully executing services.
• High-Interaction Honeypot: A full system with operating systems and applications, providing a realistic target for attackers but requiring more resources and posing risks if compromised.
• Anomaly Detection: Identifies intrusions by comparing current user behavior with legitimate user behavior using statistical, knowledge-based, or machine-learning methods.
• Signature Detection: Matches known malicious patterns or attack rules to identify intrusions, commonly used in antivirus software and NIDS.
• Rule-Based Heuristic Detection: Identifies penetrations or suspicious behavior using predefined rules.
• Security Intrusion: Unauthorized bypassing of a system's security mechanisms.
• Intrusion Detection Requirements: IDS must run continually, be fault-tolerant, resist subversion, adapt to system changes, and support large-scale systems.
• Data Sources and Sensors: Collects data for intrusion detection from system calls, log files, file integrity checksums, or registry access.
• Examples of Intrusion: Activities like remote root compromise, password cracking, viewing sensitive data without authorization, and running a packet sniffer.
• Intruder Behavior: Involves stages like target acquisition, initial access, privilege escalation, information gathering, maintaining access, and covering tracks.
• Network-Based IDS (NIDS): Monitors traffic at selected network points, examining traffic packet-by-packet in real or near-real time, including network, transport, and application protocol activities.
• NIDS Components: Sensors, management servers, and management consoles for human interaction.
• NIDS Sensor Deployment: Uses passive sensors with monitoring interfaces in promiscuous mode and management interfaces with IP addresses to monitor traffic.
• Snort: An open-source NIDS that uses rule-based detection with various rule actions, such as alert, log, pass, drop, reject, and dynamic.
• Snort Rule Header: Defines the protocol, source IP and port, direction, and destination IP and port for packet inspection.
• Snort Rule Options: Specify additional details for packet matching, including keywords and arguments.
• Snort Rule Actions: Actions include alert (log and notify), log (record), pass (ignore), drop (block and log), reject (block, log, and send a response), and sdrop (block without logging).

CHAPTER 9

Evolution of Information Systems
• Centralized data processing system: Central mainframe supports directly connected terminals.
• LAN (Local Area Network): Interconnects PCs and terminals with each other and the mainframe.
• Premises network: Multiple LANs interconnecting PCs, servers, and possibly mainframes.
• Enterprise-wide network: Multiple geographically distributed premises networks interconnected by a private WAN.
• Internet connectivity: Premises networks connected to the Internet, with or without a private WAN.
• Enterprise cloud computing: Virtualized servers in one or more data centers for internal and external services.

Firewalls
• Firewall: Inserted between the premises network and the Internet to establish a controlled link, offering a single security choke point.
• Firewall characteristics: All traffic must pass through, only authorized traffic is allowed, and the firewall must be penetration-resistant.
• Firewall access policy: Defines authorized traffic based on address ranges, protocols, applications, and content types.

Firewall Types
• Packet filtering firewall: Filters packets based on rules for IP/TCP headers; either discards or forwards packets.
• Stateful inspection firewall: Tracks TCP connections in a directory and allows packets matching the connection profiles.
• Application-level gateway: Acts as a relay for application-level traffic; requires proxy code for each application.
• Circuit-level gateway: Sets up two TCP connections and relays TCP segments without inspecting contents.
• Host-based firewall: Secures an individual host and provides additional protection tailored to its environment.
• Personal firewall: Controls traffic for personal computers or workstations; simpler than server-based firewalls.

Firewall Capabilities and Limitations
• Capabilities: Acts as a single choke point, monitors security events, supports IPSec.
• Limitations: Cannot protect against internal threats or attacks bypassing the firewall; vulnerable to poorly secured wireless LANs.

Intrusion Prevention Systems (IPS)
• Host-based IPS (HIPS): Identifies malicious behavior through signature/heuristic or anomaly detection, protecting system resources and applications.
• Network-based IPS (NIPS): Inline system that modifies or discards malicious packets using signature/heuristic and anomaly detection.

HIPS Techniques
• Signature detection: Identifies specific malicious patterns in traffic or system calls.
• Anomaly detection: Identifies behavior patterns inconsistent with legitimate activity.
• Sandboxing: Isolates code in a controlled area and monitors its behavior.

Unified Threat Management (UTM)
• UTM: Combines firewall, VPN, IDS, IPS, antivirus, antispam, and web filtering in a single device.

Snort Inline
• Snort Inline: Enables Snort to function as an IPS with options like dropping, rejecting, or modifying packets.
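
An added example, not from the notes and not Snort's own code, that parses the rule header and options described in the Chapter 8 Snort entries and matches constructed packets against them, so the detection actions (alert, log, pass) and the inline actions used by Snort Inline (drop, reject, sdrop) can be seen side by side. The rules, SIDs and packets are constructed for the example; option parsing assumes no semicolons inside quoted values.

```python
import ipaddress
import re
from dataclasses import dataclass, field

# Actions named in the notes: alert/log/pass/dynamic are NIDS actions;
# drop/reject/sdrop are the inline (IPS) actions used by Snort Inline.
KNOWN_ACTIONS = {"alert", "log", "pass", "dynamic", "drop", "reject", "sdrop"}

# Header layout from the notes: action proto src sport direction dst dport (options)
HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$")

@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    direction: str
    dst: str
    dport: str
    options: dict = field(default_factory=dict)

def parse_rule(text: str) -> Rule:
    """Split a rule into header fields plus a keyword -> argument option map
    (assumes no ';' inside quoted option values, a simplification)."""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError("malformed rule: " + text)
    if m["action"] not in KNOWN_ACTIONS:
        raise ValueError("unknown action: " + m["action"])
    options = {}
    for opt in filter(None, (o.strip() for o in m["opts"].split(";"))):
        key, _, val = opt.partition(":")   # flags like 'nocase' map to ''
        options[key.strip()] = val.strip().strip('"')
    return Rule(m["action"], m["proto"], m["src"], m["sport"], m["dir"],
                m["dst"], m["dport"], options)

def _ip_match(spec: str, ip: str) -> bool:
    """'any', a host, a CIDR block, or a '!'-negated form of either."""
    if spec == "any":
        return True
    net = ipaddress.ip_network(spec.lstrip("!"), strict=False)
    return (ipaddress.ip_address(ip) in net) != spec.startswith("!")

def _port_match(spec: str, port: int) -> bool:
    """'any', a single port, a 'lo:hi' range (either end open), or '!'-negated."""
    if spec == "any":
        return True
    lo, sep, hi = spec.lstrip("!").partition(":")
    low, high = int(lo or 0), int(hi or 65535) if sep else int(lo)
    return (low <= port <= high) != spec.startswith("!")

def _endpoints(rule: Rule, src, sport, dst, dport) -> bool:
    return (_ip_match(rule.src, src) and _port_match(rule.sport, sport)
            and _ip_match(rule.dst, dst) and _port_match(rule.dport, dport))

def rule_matches(rule: Rule, pkt: dict) -> bool:
    """pkt is a constructed dict: proto, src, sport, dst, dport, payload (bytes)."""
    if rule.proto not in ("ip", pkt["proto"]):
        return False
    hit = _endpoints(rule, pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
    if rule.direction == "<>":  # bidirectional: also accept the reverse endpoints
        hit = hit or _endpoints(rule, pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
    content = rule.options.get("content")
    if hit and content is not None:  # payload substring option, optionally nocase
        hay, needle = pkt["payload"], content.encode()
        if "nocase" in rule.options:
            hay, needle = hay.lower(), needle.lower()
        hit = needle in hay
    return hit

def match_all(rules, pkt: dict) -> list:
    """(action, msg) for each rule the packet matches, in rule-file order."""
    return [(r.action, r.options.get("msg")) for r in rules if rule_matches(r, pkt)]

# Constructed rules; SIDs are placeholders in the local range, not real rules.
RULES = [parse_rule(r) for r in (
    'alert tcp any any -> 192.168.1.0/24 80 (msg:"HTTP GET to web server"; content:"GET"; sid:1000001; rev:1;)',
    'drop tcp any any -> 192.168.1.0/24 22 (msg:"inbound SSH blocked"; sid:1000002; rev:1;)',
    'alert udp any any <> 10.0.0.5 53 (msg:"DNS with monitored resolver"; sid:1000003; rev:1;)',
)]
```

Real Snort evaluates rules in a fixed order of action types rather than file order, and the ordering here is a simplification for reading results.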
