Today, a vast amount of data is stored on our systems and travels over networks and the internet. Because of this, we must face the fact that it's not a matter of whether an attack will occur, but when. Not all attacks are the same, however. In this chapter, we'll outline how a network can fall victim to either a passive or an active attack, and we'll review examples of both. We'll see that while a passive attack may not seem serious, it is often the precursor to an active one.
In addition, we'll see that there are many attack vectors that, if not properly protected, can lead to data exfiltration or exposure of confidential information. You'll learn that, today, data is in many places and is growing at an exponential rate, and with this growth comes a greater need to protect the data. Finally, you'll get a better understanding of the meaning of risk, threats, and vulnerabilities. You'll then appreciate how reducing risk in an organization helps prevent data from being changed, destroyed, or lost in an unauthorized or accidental manner.
In this chapter, we're going to cover the following main topics:
An attack on an information system can be against any of the following services: confidentiality, integrity, availability, or authentication. To further define the types of attacks, there are two broad categories, passive and active:
In this section, we'll compare each of the categories and provide some examples of each, along with ways to protect against the various attacks.
Let's start with a discussion on passive attacks.
With an active attack, there may be some network instability, system disruption, or data modification. However, with a passive attack, the objective is to do the following:
Let's see what's involved during reconnaissance.
Before launching an active attack, a malicious actor might conduct a reconnaissance exercise to find out more information on the target network. This is achieved by scanning the network using a variety of tools that help identify weaknesses or vulnerabilities on network hosts.
During reconnaissance, an attacker might scan the network using one of several scans to obtain more information about the network. Let's take a look at some examples of network scans next.
One of the first types of scans that are done during reconnaissance is called a ping sweep.
Important note
The term "ping" is borrowed from sound navigation and ranging (SONAR). A SONAR pulse sounds like a "ping" when used underwater to detect the presence of objects or life forms, and a network ping likewise sends a pulse and listens for the echo.
When using a ping sweep, the malicious actor uses a tool to send an Internet Control Message Protocol (ICMP) Echo Request to each address in a range; any host that is up and permitted to respond answers with an Echo Reply. Keep in mind that many hosts and firewalls drop ICMP, so a host that does not answer is not necessarily down. As shown in the following diagram, one of the hosts on the Local Area Network responds:
Once the attacker identifies a host that is up and responding, the next step is a port scan to see whether the host has any Transmission Control Protocol (TCP) ports that are open and listening, which means a service is accepting connections on them. The port scan generally covers the well-known ports, 0-1023 (Nmap's default is the 1,000 most commonly used ports); however, the malicious actor can set the tool to scan the full range of 65,535 ports, and to probe User Datagram Protocol (UDP) ports as well.
As shown in the following diagram, the port scan will query a responding host, and then report back to the malicious actor on which ports are open:
An open port means a listening service, and every service exposed to the network is a potential way in, particularly if it is unpatched or misconfigured. If, while scanning the network, a malicious actor discovers open ports, they might seek to take the next step and connect to the service behind one of them. To reduce this attack surface, the network administrator should disable services that aren't required and use host or network firewall rules to restrict who can reach the ones that remain.
Another scan that helps to learn more about the network and identify vulnerabilities is operating system (OS) fingerprinting. Fingerprinting sends crafted probes, compares details of the responses (such as the initial TTL, TCP window size, and TCP option ordering) against a database of known signatures, and then makes a best guess as to what OS is in use on each host. As shown in the following diagram, the OS of the responding host is identified as Windows 10:
Many times, while performing the various scans, the software will also map the network and create a map of the topology. Also called network mapping, this scan builds a map that identifies all hosts on the network:
For scanning the network, there are a variety of tools available today. One well-known tool is called Network Mapper (Nmap), which is a free, open source scanner that can identify listening hosts and determine open ports. As shown in the following screenshot, the Nmap scan shows the open and listening ports on host 10.0.0.167:
Important note
You can find out more information on Nmap at https://nmap.org/. In addition, you can find out how to close or disable unused ports by doing a search on close or disable unused TCP ports.
The reconnaissance scans aren't always done in any particular order; however, the ping sweep is generally completed before a port scan. In addition, depending on the objective, there may only be one scan that is run.
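The following is an added example, not code from the book or from Nmap, that shows the port-scan step in working form. It starts a listening service on the loopback address so it can run offline (an assumption: in the field, the target would be a host found by the ping sweep), performs a TCP connect() scan of the ports around it, and also records what the scanned host sees, which is why such scans show up in service logs and intrusion detection alerts. An ICMP ping sweep is not included because sending raw ICMP needs administrator privileges.

```python
import socket
import threading
import time

# Assumption for this example: the "host found by the ping sweep" is the
# loopback address, and the listening service is one we start ourselves,
# so the scan runs offline and touches no real network.
TARGET = "127.0.0.1"


def start_listener(host=TARGET, port=0, log=None):
    """Open a TCP listener on an ephemeral port and record each peer that connects.

    `log` receives (source_ip, source_port) tuples: this is the target's view
    of the scan, and it is why a connect scan is easy to spot in service logs.
    Returns (bound_port, stop_event).
    """
    stop = threading.Event()
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(16)
    srv.settimeout(0.2)

    def serve():
        while not stop.is_set():
            try:
                conn, peer = srv.accept()
            except socket.timeout:
                continue
            if log is not None:
                log.append(peer)
            conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1], stop


def tcp_connect_scan(host, ports, timeout=0.2):
    """TCP connect() scan: a port is reported open if the handshake completes.

    Nmap's default SYN scan needs raw sockets and never finishes the handshake;
    connect() needs no privileges but leaves a full connection in the target's
    logs, which is the trade-off an attacker (or a defender) should know about.
    """
    open_ports = []
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            if s.connect_ex((host, port)) == 0:  # 0 means connected, otherwise an errno
                open_ports.append(port)
    return open_ports


def demo_scan(width=20):
    """Stand up a listener, scan the ports around it, return (port, open_ports, seen)."""
    seen = []
    port, stop = start_listener(log=seen)
    # An attacker would sweep a range such as 1-1023; here we scan a small
    # window around the listener so the demo finishes quickly.
    found = tcp_connect_scan(TARGET, range(max(1, port - width), port + width + 1))
    time.sleep(0.3)  # give the listener thread time to record the accept
    stop.set()
    return port, found, seen


if __name__ == "__main__":
    port, found, seen = demo_scan()
    print(f"open ports on {TARGET}: {found}")
    print(f"what the target logged: {seen}")
```

Run it and compare the two lines of output: the scanner reports the listener's port as open, and the listener's log shows the connection that produced that result. Only scan hosts you own or are authorized to test.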
Important note
Many of the same tools used by malicious actors are also used by network administrators to monitor the network.
When scanning the network, the tool generates traffic of its own, since the scans use protocols, generally TCP and ICMP, to probe other hosts. That traffic leaves traces: a connect scan completes the TCP handshake and is logged by the service it reaches, and an intrusion detection system will flag a burst of probes to many ports or addresses from one source.
However, in some cases, a passive attack does not generate any activity. The attacker might simply eavesdrop on the network by using packet analysis. Packet analysis is also called sniffing, and is used to gather network traffic to obtain information that is traveling across the network. Next, let's see how an attacker can use packet sniffing to obtain information.
Packet sniffing can be done using software such as Wireshark, an open source packet analysis tool. During this exercise, the attacker can obtain a variety of information that can include network device configuration, or even sensitive information.
Sniffing network traffic can help the attacker learn the types and versions of devices on the network. This is possible because some devices communicate with one another and offer information about their OS, hostname, Internet Protocol (IP) address, and other information specific to that device. Protocols such as Cisco Discovery Protocol (CDP) and Simple Service Discovery Protocol (SSDP) provide information that can help the attacker learn about network devices.
Eavesdropping using packet sniffing is done in order to try and capture interesting data, such as a phone call, credentials, email, or documents. By using Wireshark to monitor the traffic, the attacker might be able to obtain a username and password that is sent across the network in the clear, as older protocols such as Telnet, FTP, and unencrypted HTTP do.
For example, in the following screenshot, we see within the stream a username ([email protected]) and a password (Password2010), being sent in plain text:
Important note
When you see %40 in the email address, this is the URL (percent) encoding of the @ symbol: form data sent in a URL or POST body must encode reserved characters this way, and the receiving application decodes them. For more details, visit https://grox.net/utils/encoding.html.
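As an added example, not from the book, the following code shows what an attacker does with a captured stream. It takes the payload of a TCP stream, as Wireshark's Follow TCP Stream would show it, and pulls out any credentials sent in the clear: a URL-encoded login form (where %40 is decoded back to @) and an HTTP Basic authorization header (base64 is encoding, not encryption). The captures, host names, and credentials are constructed for the example; the third capture imitates a TLS record to show that an encrypted stream yields nothing.

```python
import base64
from urllib.parse import parse_qs

# Constructed captures: what Wireshark's "Follow TCP Stream" would show for
# three different sessions. Host names and credentials are made up.

# 1. A login form submitted over plain HTTP: the body is URL-encoded, so the
#    @ in the username appears as %40.
CAPTURED_FORM_POST = (
    b"POST /login HTTP/1.1\r\n"
    b"Host: mail.example.test\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 51\r\n"
    b"\r\n"
    b"username=alice%40example.test&password=Password2010"
)

# 2. HTTP Basic authentication: base64 is encoding, not encryption.
CAPTURED_BASIC_AUTH = (
    b"GET /inbox HTTP/1.1\r\n"
    b"Host: mail.example.test\r\n"
    b"Authorization: Basic "
    + base64.b64encode(b"bob@example.test:hunter2")
    + b"\r\n\r\n"
)

# 3. The same kind of request over TLS: all the sniffer sees is an
#    application-data record (type 0x17) full of ciphertext (bytes made up).
CAPTURED_TLS_RECORD = b"\x17\x03\x03\x00\x20" + bytes(range(0x80, 0xA0))


def extract_credentials(payload: bytes):
    """Return (username, password) pairs visible in a plaintext HTTP payload.

    Handles URL-encoded login forms (percent-decoding fields such as %40)
    and HTTP Basic authorization headers. Anything that is not ASCII text,
    such as a TLS record, yields nothing, which is the point of encrypting
    traffic in transit.
    """
    try:
        text = payload.decode("ascii")
    except UnicodeDecodeError:
        return []
    head, _, body = text.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()

    found = []
    scheme, _, token = headers.get("authorization", "").partition(" ")
    if scheme.lower() == "basic":
        try:
            user, _, pw = base64.b64decode(token, validate=True).decode("utf-8").partition(":")
            found.append((user, pw))
        except (ValueError, UnicodeDecodeError):
            pass  # malformed header, not credentials

    if "application/x-www-form-urlencoded" in headers.get("content-type", "") and body:
        fields = parse_qs(body)  # parse_qs percent-decodes, so %40 becomes @
        users = next((fields[k] for k in ("username", "user", "email", "login") if k in fields), [])
        pws = next((fields[k] for k in ("password", "pass", "passwd") if k in fields), [])
        found.extend(zip(users, pws))
    return found


if __name__ == "__main__":
    for name, capture in (("form POST", CAPTURED_FORM_POST),
                          ("Basic auth", CAPTURED_BASIC_AUTH),
                          ("TLS record", CAPTURED_TLS_RECORD)):
        print(f"{name}: {extract_credentials(capture)}")
```

The field names the function looks for are a guess at common login forms and are an assumption of the example; a real attacker would simply read the stream. The lesson is in the third capture: once the session is encrypted, the same sniffer position yields only ciphertext.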
To defend against packet sniffing, data should be encrypted in transit: for example, HTTPS and TLS-protected email instead of plain HTTP, SMTP, POP, and IMAP; SSH instead of Telnet; and SNMPv3 instead of earlier SNMP versions. However, not all devices encrypt traffic when communicating on the network, and discovery protocols such as CDP and SSDP are sent in the clear by design, which can lead to exposure of information.
During a passive attack, the victim may not be aware that anything is happening. However, a passive attack can be dangerous as it can identify system weaknesses and be a precursor to an active attack.
Next, let's see an overview on the types of active attacks that can take place.
An active attack seeks to destroy or steal data, or to modify a system's data or configuration, compromising its integrity or availability. The types of attacks can vary, and each type can have a different objective. In an active attack, system resources and/or data can be damaged or destroyed, which can affect normal operations. Common attacks include social engineering, malware, and denial of service (DoS) attacks.
Social engineering is commonly used by cybercriminals to get a victim to perform some action. They may try to encourage them to click on a link to visit a web page, or prompt them to sign in to a bank site to check account information. This takes advantage of an individual's trusting nature, and includes techniques such as phishing, pharming, popups, and fake websites. Social engineering is dangerous: phishing remains one of the most common ways ransomware first gets into an organization.
Another attack commonly used is malware, which continues to improve in sophistication in order to get into our systems. Let's outline the different types of malware next.
Malware is malicious software and includes the following:
Every day, hundreds of thousands of new malware variants are discovered, as seen in this chart: https://www.av-test.org/en/statistics/malware/. In addition, much of the malware today is polymorphic: it changes its code or encoding with each copy while keeping the same behavior, so that signature-based detection fails to recognize it. This makes it even harder to protect against ongoing threats.
Another threat is a DoS attack, which prevents legitimate users from reaching a service. Let's take a look.
A DoS attack floods a target with more requests than it can handle, hundreds or thousands per second, so that it can no longer serve legitimate users. When the flood comes from a single source it can often be filtered at the firewall. A Distributed Denial of Service (DDoS) attack, which is the form most commonly seen today, spreads the traffic across hundreds of thousands of compromised hosts (bots or zombies), so no single address stands out and blocking by source no longer works. The goal in both cases is to exhaust the system with so many bogus requests that legitimate users are locked out.
To launch a DDoS attack, a cybercriminal first needs an army of bots. The malicious actor builds it by infecting a large number of unknowing hosts with malware so they become zombies, which then form a botnet. The botnet is controlled by a Command and Control (C&C) server. The attack occurs when, at a predefined time or on a go signal from the C&C server, the zombies all send traffic to an unsuspecting victim at once.
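The following added example (not code from the book) shows the detection side of the two attacks just described. It builds a constructed web-server access log with ten seconds of ordinary traffic, one second in which a single host sends 400 requests, and one second in which 600 distinct bots send one request each, then buckets the requests per second and per source. A second dominated by one source is labelled a DoS, which a per-address block can stop; a second where the total is high but no source stands out is labelled a DDoS, which needs rate limiting or upstream scrubbing instead. The thresholds and addresses are assumptions of the example.

```python
import re
from collections import Counter, defaultdict

# Apache/nginx common log format, for example:
# 10.0.0.5 - - [01/Mar/2021:10:00:00 +0000] "GET / HTTP/1.1" 200 512
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-)$'
)


def parse_line(line):
    """Return (source_ip, timestamp_to_the_second) or None for a malformed line."""
    m = LOG_RE.match(line)
    return (m.group("ip"), m.group("ts")) if m else None


def build_sample_log():
    """Constructed log: ten seconds of normal traffic, one second of a
    single-source flood, then one second of a distributed flood.
    Addresses are made up (documentation and shared-address ranges)."""

    def entry(ip, second, path="/"):
        return f'{ip} - - [01/Mar/2021:10:00:{second:02d} +0000] "GET {path} HTTP/1.1" 200 512'

    lines = []
    for sec in range(10):  # three ordinary clients, one request per second each
        lines += [entry(ip, sec) for ip in ("10.0.0.5", "10.0.0.9", "203.0.113.7")]
    lines += [entry("198.51.100.23", 10) for _ in range(400)]  # DoS: one host, 400 req/s
    lines += [entry(f"100.64.{i // 256}.{i % 256}", 11) for i in range(600)]  # DDoS: 600 bots, 1 req each
    return lines


def classify_seconds(lines, per_source_max=50, total_max=200):
    """Bucket requests per second and per source, then label each second.

    'dos'   : one source alone exceeds per_source_max; block that address.
    'ddos'  : the total exceeds total_max but no single source stands out,
              so per-IP blocking will not help; rate limiting or upstream
              scrubbing is needed.
    'normal': neither threshold is crossed.
    Returns {timestamp: (label, detail, total_requests)}, where detail is the
    offending address for 'dos' and the number of distinct sources otherwise.
    The fixed thresholds are an assumption; in practice derive them from a
    baseline of the site's normal traffic.
    """
    per_second = defaultdict(Counter)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ip, ts = parsed
            per_second[ts][ip] += 1

    verdicts = {}
    for ts, counts in sorted(per_second.items()):
        total = sum(counts.values())
        top_ip, top_n = counts.most_common(1)[0]
        if top_n > per_source_max:
            verdicts[ts] = ("dos", top_ip, total)
        elif total > total_max:
            verdicts[ts] = ("ddos", len(counts), total)
        else:
            verdicts[ts] = ("normal", len(counts), total)
    return verdicts


if __name__ == "__main__":
    for ts, verdict in classify_seconds(build_sample_log()).items():
        print(ts, verdict)
```

Point the same function at a real access log (one line per request) and the two labels tell you which response is appropriate: a block list for a single noisy source, or a capacity and rate-limiting response when the load is spread across a botnet.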
The reality is that attacks can occur at any layer of the Open Systems Interconnection (OSI) model. Today, there are many different types of cyber threats; some are lesser known, and some are older. However, malicious actors will try old exploits as well as new ones, betting that a defense has lapsed or that an old weakness has been forgotten.
The key is, anything is possible, and over the years, we have seen an escalation of cyberattacks, which has resulted in businesses losing billions of dollars.
As a result, it's imperative for businesses to understand all possible attack vectors. Once the attack vectors are identified, the next step is to lock down and defend the organization. Doing so will reduce the effect of an attack and subsequent exposure of sensitive data. Let's explore this concept next.
Because of the expanding networks, additional devices, and the Internet of Things (IoT), data is in many places. Data lives within an organization, on storage devices, or even in our cars and homes, and is growing at an exponential rate. Along with this growth comes the real concern of the threat of unauthorized access to data.
Many individuals feel that data is the new gold. Cybercriminals are constantly seeking ways to gain access to our data, for a variety of reasons. Reasons include data theft, along with a newer threat, data modification. Unlike theft, data modification seeks to alter the integrity of data, for example, changing the details of blueprints or intellectual property.
In this section, we'll take a look at the many attack vectors that provide a way for data to be compromised in some way. Then we'll take a look at a few key methods to defend against data loss or modification.
Let's start with a discussion of the ways someone can gain access to data.
An attack vector is a path or means by which a malicious actor can access a system. Today, there are many attack vectors, including storage devices, email, mobile devices, cloud storage, malware, wireless networks, and the user.
Data exists in a variety of locations, within an organization, in the cloud, on storage devices, and computer systems. When not at rest on a storage medium, it is in motion over the network, or held in memory. Wherever it exists, there is a threat that someone can gain access and modify or extract the data in some way.
When dealing with data, there are a few main concerns. We need to ensure data is kept in the following way:
It's important to be aware of the many ways someone or something can gain access to data, so you can take steps to employ appropriate security mechanisms.
Some of the attack vectors include the following:
A malicious actor will go through a process to gain control of a system, as shown in the following diagram:
The steps to gain access to a system are as follows:
We now see the many attack vectors that can allow a malicious actor to gain access to a system. The next step is to outline the ways we can prevent data loss.
While no defense method is totally threatproof, good practices will help hamper a potential attack. Most experts generally suggest using a layered approach with a variety of proven methods.
Defense mechanisms include logical and physical security and security appliances, along with policies that outline proper behavior. The mechanisms are defined as follows:
Logical network defenses, security appliances, and anti-malware protection continue to improve in their ability to defend systems. Many appliances now include behavioral analytics or machine learning, marketed as artificial intelligence (AI), that baselines normal network activity, flags unusual or suspicious behavior, and sends an alert. This shortens the time to detection and helps the network administrator respond, although the alerts still need a person to triage them.
Let's take a look at how a layered defense combines protection methods to help prevent attacks.
When we layer our defenses, we use more than one method to defend against attacks. For example, imagine an attacker trying to get malware onto a server. They may be able to do the following:
However, once at the server, they would be stopped by the anti-malware protection, as shown in the following diagram:
As we can see, malicious activity might be able to spoof a system or circumvent a firewall. That is why a layered defense posture helps provide protection in case one or more defense methods fail.
In addition to the protection methods already in place, an organization should create security policies. Policies help maintain a structure for the management and administration of the security of the network.
Let's see what's involved when creating security policies.
Policies are designed to protect the infrastructure, by defining how an organization's people, processes, and devices access and interact with system resources. When creating policies, the organization should create a security plan, then policies and procedures, as shown in the following diagram:
For an optimal security posture, the progression should go as follows:
Keep the policies in line with the objectives of the organization. In addition, it's best to have the support of upper-level management during their creation. You'll want to consider the following when creating the policies:
The team should write the policy using clear and concise language with no use of jargon. Once written and approved, you'll need to disseminate the policy and train all users. In addition, it's best to assign responsibility to monitor, enforce, and periodically review the policy.
Creating a security policy can be overwhelming, but there is help. SANS.org is a respected source for information security training. They have some templates that are free to use and will step you through the process. To see an extensive list, visit https://www.sans.org/information-security-policy.
As outlined, policies help define proper behavior. However, writing and implementing policies isn't always enough. It's also important to train your users, so they can act as a human firewall. Let's take a look.
As logical and physical system defenses improve, malicious actors use social engineering to try and penetrate a softer target: the people in an organization, including employees, customers, and contractors. A skilled malicious actor will most likely use social engineering to obtain access to a system, before using more complex methods, such as password cracking.
To protect against a social engineering attack, put in place a solid user education program for new and existing employees. Discuss good practice guidelines when dealing with system resources, including the following:
Run periodic tests to see whether your employees can be spoofed. Many resources are available online. One site is here at SonicWall's phishing IQ test: https://www.sonicwall.com/en-us/phishing-iq-test-landing.
Social engineering is one of the hardest threats to defend against as humans can be our weakest link. However, steps can be taken to strengthen the human firewall to better protect the data.
As outlined, the one constant security goal in an organization is to maintain the integrity of the system, by taking steps to prevent a breach. In the next section, let's see how using encryption helps protect the data and decrease the risk of data exposure.
It's essential to keep data confidential and in its original, unaltered form. Encryption protects confidentiality: an attacker who sniffs or steals encrypted data can't read it without the key. Integrity needs its own control, such as a cryptographic hash, a message authentication code (MAC), a digital signature, or an authenticated encryption mode that combines confidentiality and integrity, so that any change, whether unauthorized or accidental, is detected. Encryption by itself does nothing to prevent data from being destroyed or lost; that is what backups are for. Organizations protect their data and system resources by combining these controls in a security strategy.
In this section, we'll take a look at just what's at stake, by first outlining the meaning of assets. We'll then clarify the definition of risk, which is a product of threats and vulnerabilities. You'll then understand how decreasing vulnerabilities will reduce overall risk.
Let's start with defining assets.
When implementing security strategies, an organization seeks to protect their assets from threats such as cyberattacks or theft. Assets are either tangible or intangible goods that can be assigned a value:
Tangible assets are more common and easier to understand as they represent something you can touch. Tangible assets include the following:
Intangible assets are goods that you can't touch or see; however, they still represent value to the company. Intangible assets are more difficult to assign a value to, but in some ways, they may be more valuable than the tangible assets. Intangible assets include the following:
It's good practice to periodically conduct an inventory of your assets, so you truly understand the value of what you are trying to protect. In the next section, let's define risk, and learn one key strategy for decreasing overall risk.
Risk is the potential that something unpleasant or dangerous can happen. The outcome can range in severity as follows:
Risk is a function of threats and vulnerabilities, which this chapter treats as a product: Risk = Threat × Vulnerability. A threat with no vulnerability to act on produces no risk, and a vulnerability that no threat is positioned to exploit produces none either.
A threat is an event, object, or individual that is capable of causing harm or damage. Threats can include malware, mischief, human error, and natural disasters. Threats exist regardless of what we do, and they are largely outside our control.
A vulnerability is a flaw or weakness. When dealing with an information system, a vulnerability can include software bugs, unpatched systems, missing antivirus, or even human behavior. In many cases, we can fix vulnerabilities.
So that you can better understand the three terms in context, we'll use an example of a risk analysis exercise.
Risk is a function of threats and vulnerabilities. In general, although threats exist, we cannot control them. We can, however, minimize or control the vulnerabilities. Therefore, if we reduce the vulnerabilities, we will reduce overall risk.
To show you how threats and vulnerabilities work together to produce risk, we'll use an example. We'll see how using different levels of antimalware protection on a system will alter the risk:
In each case, there is a 100% chance that malware will be a threat. Knowing this, let's build our matrix. As shown in the following screenshot, I have assigned each of the systems a vulnerability rating as to how easily malware will infect the system:
As illustrated, the least-protected system was the most vulnerable, and its risk of infection was 90%. The system using free antivirus had a 40% risk of being infected. However, the system using the unified threat management (UTM) appliance was minimally vulnerable, and therefore had only a 10% risk rating.
When providing security strategies, the goal is to decrease risk. As illustrated, when you decrease the vulnerabilities, you decrease overall risk.
In this chapter, we examined the differences between active and passive attacks. We saw how a passive attack is done to either learn information about devices on the network, or pick up confidential information, such as usernames and passwords. We then learned the different types of active attacks, which can modify the integrity of our systems and lead to data loss or compromise.
So that you can understand why encryption is so important, we outlined just what is at risk. We learned the different types of attack vectors, and the different defense mechanisms such as logical and physical security, security appliances, along with policies. Finally, we learned how organizations seek to protect assets and maintain system integrity, and how using countermeasures can reduce vulnerabilities and reduce overall risk.
In the next chapter, we'll discover symmetric encryption. We'll start with briefly covering some of the early ciphers, Lucifer and Feistel, and their influence on the Data Encryption Standard (DES). We'll then examine common algorithms including AES, DES, Blowfish, and Twofish. You'll learn the difference between a block and a stream cipher. We'll also cover the modes of operation a block cipher can use, such as cipher block chaining (CBC) and electronic code book (ECB). Finally, we'll take a look at how a stream cipher secures wireless communications and discuss some common protocols in use today.
Now it's time to check your knowledge. Select the best response, then check your answers, found in the Assessment section at the end of the book:
a. Vector
b. Modified
c. Active
d. Passive
a. Vector
b. Modified
c. Active
d. Passive
a. vector
b. stage
c. appliance
d. wall
a. stages
b. policies
c. attacks
d. appliances
a. threat
b. appliance
c. vulnerability
d. cage
a. threats
b. vulnerabilities
c. procedures
d. attacks
a. Social engineering
b. Cages
c. Viruses
d. Worms
Please refer to the following links for more information: