
Network Security Threats


© Jones & Bartlett Learning, LLC. NOT FOR SALE OR DISTRIBUTION.

CHAPTER 2

NETWORK SECURITY IS UNDER CONSTANT ATTACK by threats both internal and external, ranging from disgruntled employees to worldwide hackers. There is no perfect defense, because hackers are able to bypass, compromise, or evade almost every safeguard, countermeasure, and security control. Hackers are constantly developing new techniques of attack, writing new exploits, and discovering new vulnerabilities. Network security is a task of constant vigilance, not a project to complete. It is a job that is never done.

Why is it critically important to understand hacking, exploitation, vulnerabilities, and attacks? As the sixth century BC Chinese military strategist and philosopher Sun Tzu stated in his famous military text The Art of War: “If you know the enemy and know yourself, you need not fear the results of a hundred battles.” Once you understand how hackers think, the tools they use, their exploits, and their attack techniques, you can then create effective defenses to protect your network. Understanding hacking not only improves network security; it also maintains security at a high level of readiness.

Chapter 2 Topics

This chapter covers the following topics and concepts:

• Types of hackers and their motivations
• Frequently targeted network assets
• Internal and external network threats
• Hacking process
• Common IT infrastructure threats
• Various types of malicious code (malware) and the corresponding security concerns
• Dangers of fast growth and overuse
• Dangers posed by wireless and wired connections
• Risk of eavesdropping
• Different attack types, including hijack and replay attacks, insertion attacks, fragmentation attacks, and buffer overflows


© Jones & Bartlett Learning LLC, an Ascend Learning Company. NOT FOR SALE OR DISTRIBUTION.

9781284183658_CH02_Stewart.indd 31 15/09/20 11:39 PM

32 CHAPTER 2 | Network Security Threats

• Preventing session hijacking, spoofing attacks, and man-in-the-middle attacks
• Covert channels and associated attacks
• Threats to network and resource availability, including denial of service (DoS) and distributed denial of service (DDoS) attacks
• Risks of social engineering

Chapter 2 Goals

When you complete this chapter, you will be able to:

• Describe the motivations of hackers and other malicious computer network intruders
• Compare and contrast threats from internal and external sources
• Describe how accidents, natural disasters, and ignorance affect network security
• Explain the risk posed by malicious code
• Identify the effects of wired and wireless connectivity on network security
• Describe common network security exploits and attacks, including hijack attacks, replay attacks, insertion attacks, fragmentation attacks, buffer overflows, XSS attacks, man-in-the-middle attacks, spoofing attacks, covert channels, DoS, DDoS, botnet attacks, and social engineering attacks
• Describe how hacker tools exploit vulnerable targets

Hackers and Their Motivation

Hacking originally meant tinkering with or modifying systems to learn and explore. However, the term now refers to malicious—and possibly criminal—intrusion into and manipulation of computers. In either case, malicious or criminal hacking is a serious threat. Every network administrator should be concerned about hacking.

Hackers are people—often misguided, unethical, ingenious, and criminal—but still people. When you design security, keep in mind that the threat is ultimately and mostly human. This awareness should lead to better selections of deterrent, detection, and response tools and techniques. A deterrent is any tool or technique that makes hacking your network less attractive than hacking another network. This can be done by enhancing security, which may increase the time, effort, and investment required of the hacker to gain access. Locating the network in an area with strict laws and punishments for illegal or unauthorized access is another example of a deterrent.

Some important aspects of security stem from understanding the techniques, methods, and motivations of hackers. Once you learn to think like a hacker, you may be able to anticipate future attacks. This enables you to devise new defenses before a hacker can successfully breach your organization’s network.



So, how do hackers think? Hackers think along the lines of manipulation or change. They look into the rules to create new ways of bending, breaking, or changing them. Many successful security breaches have been little more than slight variations or violations of network communication rules. Hackers look for easy targets or overlooked vulnerabilities.

Hackers turn things over, inside out, and in the wrong direction. Hackers attempt to perform tasks in different orders, with incorrect values, outside the expected boundaries, and with a purpose to cause a reaction. Hackers learn from and exploit mistakes, especially mistakes of the network security professionals who fail to properly protect an organization’s assets.

What motivates hackers to attack computer networks? Why does anyone get involved in illicit activity? The motives are as numerous as the number of ways to conduct the computer attacks. Some do it for the sheer thrill of hacking—the sport of it. Some hackers consider hacking their hobby. Some love a challenge. Some are victims of peer pressure or are seeking social validation. For others, hacking is a way to earn “street cred” with peers or attack a perceived social injustice. Finally, many hackers pursue their exploits for power and financial gain. As it can be difficult to understand the motivation of a hacker, this section offers more detail to give insight into the hacker mentality.

Many criminal hackers are in it simply for the money. Hackers have many ways to gain financially from attacking computer networks, ranging from theft of credit cards and financial statements to blackmail, black market, and trafficking. Some monetary gain is immediate; for example, hackers might be able to transfer funds out of a target account. Other methods are more involved, such as stealing corporate documents and selling them to competitors, or hijacking data using encryption and holding it for ransom. Hackers can become involved in selling their services, including distributing spam, eavesdropping, cracking passwords, and generating DoS events.

FYI

Spam is unwanted and unrequested email. It is often sent in large quantities to an email address in the hopes of causing system delays or denial of service (DoS) events. Spam is not technically malicious software, but spam can have a serious negative effect on IT infrastructures. Experts estimate that 80 to 95 percent of email traffic is spam and other forms of malicious messages. Hackers can easily use DoS attacks through flooding a network with traffic or ping requests. As a result, the network servers cannot keep up with the immense amount of traffic; it often renders a website or network inaccessible.
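From the defender's side, the flood described above is visible in firewall or router logs as an abnormal packet rate from one source. The following is an added example, not part of the textbook, that runs a sliding-window rate check over constructed log lines; the log format (`<epoch_seconds> <src_ip> <proto> <dst_ip>`), the addresses, the window size and the threshold are all assumptions chosen for the illustration, not values from any real device.

```python
"""Flood detection over constructed firewall log lines (added example).

Each line has the constructed format "<epoch_seconds> <src_ip> <proto> <dst_ip>".
Neither the format nor the sample data comes from a real device.
"""
from collections import defaultdict, deque

# Constructed sample: 203.0.113.7 sends 60 ICMP echo requests over six seconds
# (ten per second) while two other hosts generate ordinary traffic.
SAMPLE_LOG = "\n".join(
    [f"{1000 + i // 10} 203.0.113.7 ICMP 192.0.2.10" for i in range(60)]
    + [
        "1001 198.51.100.4 TCP 192.0.2.10",
        "1003 198.51.100.9 TCP 192.0.2.10",
        "1005 198.51.100.4 ICMP 192.0.2.10",
    ]
)


def parse_line(line):
    """Split one constructed log line into (timestamp, src, proto, dst)."""
    ts, src, proto, dst = line.split()
    return int(ts), src, proto, dst


def detect_floods(log_text, window_seconds=5, threshold=20):
    """Return {src_ip: peak_count} for every source that sent more than
    `threshold` packets inside any `window_seconds` sliding window.

    Events are processed in timestamp order, and each source keeps a deque
    of timestamps that is trimmed to the current window, so memory stays
    proportional to the window rather than to the whole log.
    """
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    windows = defaultdict(deque)
    peaks = {}
    for ts, src, _proto, _dst in events:
        q = windows[src]
        q.append(ts)
        # Drop timestamps that fell out of the window ending at `ts`.
        while q and ts - q[0] >= window_seconds:
            q.popleft()
        if len(q) > threshold:
            peaks[src] = max(peaks.get(src, 0), len(q))
    return peaks


if __name__ == "__main__":
    for src, peak in detect_floods(SAMPLE_LOG).items():
        print(f"possible flood from {src}: {peak} packets in a 5 s window")
```

On the constructed sample the only source flagged is 203.0.113.7, with a peak of 50 packets in a five-second window; the two hosts sending a handful of TCP and ICMP packets stay below the threshold, which is the point of a rate check rather than a per-packet rule. In practice the window and threshold are tuned to the link's normal baseline.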

A more recent type of attack for financial gain is ransomware. Historically, a hacker gains access to a system, identifies assets, removes valuable information, and possibly remains resident on the network or creates a backdoor to allow reentry into the network. In a ransomware attack, however, the hacker typically tricks users into clicking a malicious link or email attachment, which encrypts files, folders, or entire drives, preventing users from viewing, copying, or accessing them. The hacker informs the victim how access can be returned, such as with a cryptocurrency payment like Bitcoin. Payment of the ransom often results in return of access for the victim, but it is not a guarantee, nor is it protection against reencryption.



FYI

Cryptocurrency is electronic currency where the existence of the currency is a mathematical formula stored on the systems of the participants with a rate that fluctuates. The hacker lists the demand as “4 Bitcoin” or some other amount and the victim purchases the cryptocurrency at the going rate. Some ransoms have been paid through donations to charitable organizations if the hacker wanted to punish the victim or right a perceived wrong.

For many hackers, it is an exciting challenge to find new vulnerabilities, develop new attack code, or discover new security breaches. A breach is any successful attempt to get past a network’s defenses, such as “breaching” the perimeter. Some hackers attack targets for the same reasons some people climb mountains—because it’s there, because they can, and because they want to beat it. Some hackers continually seek out new and more difficult targets to improve their skills and to increase the level of the challenge.

Demonstrating the ability to compromise a target, especially if the target is reasonably secure, is a way for hackers to prove they are more powerful than the defenders. If you can control something, you have power over it. If a hacker can control your computer remotely, then the hacker has power over your computer; in some ways, the hacker has power over you, as well. Hackers sometimes hack to boost their image and feed their ego. If they can wage a successful attack, then they are showing dominance over their target.
Hacking can be thrilling. Think of the way a treasure hunter feels on someone’s private property. The combination of power, challenge, risk, and potential pursuit, along with discovering potentially valuable assets, is a thrill for some hackers. The thrill of getting away with it motivates many hackers to continue their attacks once they figure out how to successfully hack into a network.

Some hackers enjoy the sheer risk of attacking a network. As with any crime, the risk of being caught is always a possibility. A target network might have honeypots, intrusion detection systems (IDSs), intrusion prevention systems (IPSs), firewalls, and other technical defenses that the hacker will need to detect and evade. Security professionals are always looking to discover new attack techniques and to learn the identity of hackers. With every attack, therefore, the hacker is at risk of getting caught and prosecuted.

Some hackers resort to hacking as an attempt to be entertained or distracted from their boredom. A successful system breach will usually initiate a response, often a cat-and-mouse game that is entertaining for hackers. With a ransomware attack there is also a power position: the victim must comply with the hacker’s demand, or access is not returned.

Hackers have peers and social groups just like everyone else. Peer pressure can be a powerful motivator to fit in, show off, or demonstrate loyalty to a group, especially for those in the lower levels or rankings of hacker communities.
New or inexperienced hackers feel encouraged to perform attacks to maintain their membership in their peer group. Some attacks are performed as an initiation or rite of passage from a potential hacking group member to an actual full member. Hacking can help the hacker achieve or maintain status. Some hackers try to cause a media story and to get their name in the news. Other hacks are performed to instill fear and compliance in current and future targets.

Hackers who believe that a company is not a good local or global citizen may undertake hacktivism, which is hacking as a form of righting a social injustice or to exact revenge for perceived wrongs committed by the company or specific individuals. This type of hacker may steal but often donates the financial gain to a cause deemed worthy or one that works to correct the wrong that initiated the hack. This hacker is more difficult to catch, as the funds are usually directed immediately to a third-party nonprofit, which does not employ or sponsor the hacker. There is no “follow the money” opportunity to capture the individual, as there is when the hacker keeps the proceeds of their hacking.

Three primary types of hackers are recreational, opportunistic, and professional:

• Recreational hackers are those who enjoy learning and exploring, especially with computing technology. However, they might make poor choices as to when to use their newfound skills. Bringing in unapproved software from home, experimenting on the company network, or just trying out an exploit to see if it works are all potential actions of recreational hackers. Some hackers might not fully consider that their hobby can be dangerous and their actions may be in violation of the company security policy. For example, a script kiddie is a hacker who relies on preexisting programs or code written by others. This type of hacker runs scripts by simply pointing and clicking a tool and may not fully understand the ramifications of these actions.

• Opportunistic hackers are timid and not likely to initiate an attack. For whatever reason, they are unwilling to purposefully plan out and wage intrusions. However, if the circumstance presents itself for an attack that can be easily performed with little potential for discovery or consequence, the opportunistic hacker may take advantage of the fleeting opportunity. That moment could arrive when someone happens to work late and is the last employee left in the building. The opportunity could be when a fire drill drives everyone else out of the facility, or when a random power outage occurs and half the workforce leaves for home. It could even happen when they notice a certain office door is left open and no one else is watching.

• Professional hackers are criminals whose sole career objective is to compromise IT infrastructures. Whether operating as individuals, offering mercenary hacking services, functioning as a member of a criminal enterprise, or operating in a state-sponsored attack, professional hackers focus their time and energy on conducting the best security assault possible. When people spend years learning and practicing in one primary area of interest, they can develop expertise and skills to rival all defenses. The perfect unbreachable security solution does not exist. Professional hackers have the time, stamina, skill, patience, and backing to keep up an assault against a target until they succeed. They are to a network what termites are to a wooden building. You can deter them; you can keep them out most of the time. But they will always be nearby and eager to gnaw into the foundations if you drop your guard for a moment.

Hackers perform hacks for many reasons, and this list is likely incomplete. Whatever their motivations, they are driven to do unethical activities. You might not completely understand the hacker mindset, but it is important for you to try so you can better anticipate how hackers could attack your network.



Favorite Targets of Hackers

In terms of security, the things you want to protect are known as assets. An asset is anything used to conduct business over a computer network. Any object, computer, program, piece of data, or other logical or physical component employees need to complete a task is an asset.

What valuable assets do attackers most frequently target? Every hacker is different, just as with any individual member of any subculture. While many agree on what is valuable, such as money and access, others might find corporate finances, secret formulas, medical history, credit reports, court records, accounting logs, and so on preferable as their target of choice. For example, why do some people collect toys while others collect cars, soda bottles, or pictures of dogs playing poker?

Among a hacker’s favorite targets are easy assets—those that pay off quickly. Easy targets are IT infrastructures and elements not properly secured. Systems with well-known, exploitable holes, known as vulnerabilities, exposed to the world are “easy pickin’s” for hackers. An item’s cost does not classify it as an asset; instead, it is the usefulness and value to the company network. Some of the most recent ransomware attacks have been against healthcare systems and providers, including hospitals, doctor’s offices, and insurance companies. The medical providers have an urgent need to regain access, and the ransom is often low enough that it is an inconvenience rather than a hardship to pay.
Targets that pay off quickly are those that earn the hacker some form of monetary or barter gain, such as funds or cryptocurrency. Credit cards and bank accounts can be quickly turned into the hacker’s desired form of currency. In other cases, gaining access and control of networks, especially those with high-speed Internet links, is valuable. Such a network could be loaded with malicious code that transmits spam, and it can be conducting eavesdropping. Using the hacked network, a hacker can use the servers and processing power to attempt to break encryption. The hacker can then trade or sell these services to others.

Some hackers, however, do not seek the easy targets; instead, they look for unique targets, new challenges, and complex infrastructures to test and improve their skills. Expert and highly experienced hackers often want to continue to improve their abilities rather than waste their time on targets that any amateur hacker, or script kiddie, could compromise.

Assets do not have to be expensive, complicated, or large. In fact, many assets are relatively inexpensive, commonplace, and variable in size. For most organizations, including SOHO (small office/home office) environments, the assets of most concern include business and personal data. If this information is lost, damaged, or stolen, serious complications can result. Businesses can fail, individuals can lose money, identities can be stolen, government regulators can apply penalties or criminal charges, and lives can be ruined.

Valuable resources abound on individual computers, as well as on IT infrastructures comprised of interconnected LANs. Hackers seek out targets based on a variety of goals and motivations, as well as perceived value of a resource. But who are the hackers?

Threats from Internal Personnel and External Entities

While historically two-thirds or more of security violations have been the direct result of outsiders, this is changing dramatically. As a result of more automated breaches, more hacking, and increased criminal and terrorist activity, the percentage of “inside” computer crime has been reduced as low as single digits, which still translates to small and medium-sized businesses and small government agencies experiencing thousands or more attacks daily. This has markedly increased the need for trained computer security professionals in organizations of all sizes. According to the Verizon 2019 Data Breach Investigations Report (https://enterprise.verizon.com/resources/executivebriefs/2019-dbir-executive-brief.pdf), 69 percent of data breaches stemmed from external agents. Internal breaches were responsible in 34 percent of the events categorized.

An on-site employee has physical access to the facility and logical access to the network. An employee may have only a standard or normal user account, but some level of logical access can be parlayed into greater levels of access (known as privilege escalation). Threats from insiders, whether physical or logical, are serious. You must address such threats in your security policy, network design, infrastructure deployment, and ongoing system and security management. The people who represent the most common threats to an organization’s network security include disgruntled employees and contract workers (insider threats), as well as a host of external hackers. FIGURE 2-1 depicts internal and external hackers.

Disgruntled employees believe that they have been wronged somehow by the organization. Whether this “wrong” is real or perceived, their actions can cause severe disruption of mission-critical operations. Disgruntled employees may attempt to embezzle, steal supplies, waste time, infect a system or network with malicious code, leak confidential data, interrupt other workers, or derail projects.

Contract workers are outsiders brought in to an organization to perform work on a temporary basis. Contract workers can be consultants, temporary workers, seasonal workers, contractors, even day laborers. Usually, outsiders do not share the same loyalty to the organization that most full-time employees exhibit. Thus, if the opportunity affords itself to compromise the organization for personal gain, contract workers are more likely to act unethically. Such criminal outsiders don’t worry about long-term stability or viability, or the fate of regular employees.
Instead, they take advantage of these ways to personally profit at the expense of others.

Employees and external entities represent differing levels of risk that should be addressed in planning network security. Initially, the risk from an external attacker is low. Outside attackers must seek out and discover methods of gaining logical or physical access to the network or the facility. Without access, hackers must resort to attacking external interfaces such as web servers, VPN devices, firewalls, and remote access servers (RASs). If these are secure, then the default or fallback position of a hacker is to wage a DoS attack, attempt a burglary, or perform social engineering against insiders.

FIGURE 2-1 Internal and external hackers. [Diagram: a private LAN with a hacker inside it, and hackers outside the LAN, including one at a competing organization.]

Another threat to network security is intentional damage or sabotage. Disgruntled employees, dismissed contract workers, opportunistic janitorial staff, unhappy managers, and even careless visitors can wreak havoc in moments if they have access to sensitive equipment or information. Proper pre-employment applicant screening, perceptive supervisory oversight, escorts for nonemployees, background checks, security cameras, training, paying attention to the corporate culture, and providing competitive pay scales or other incentives and courtesies to employees can go a long way toward preventing intentional disruption or destruction of IT equipment and resources.

The Hacking Process

As much as cybersecurity professionals dislike the practice, hacking can be a fascinating process. Hackers’ activities often appear chaotic and random, at least when observed from the mainstream IT industry. Hackers do not have to follow any fixed procedures or recognize any established boundaries. Instead, they seek vulnerabilities on a selected target, using any and all means at their disposal. For them, chaos is both a methodology and a defense mechanism.
Generally, hacking falls into five main subgroups of events or activities referred to as phases. This categorization can represent hacking, but it does not actually control or prevent it. The five categories are reconnaissance, scanning, enumeration, attacking, and post-attack activities. (See FIGURE 2-2.) This order of phases occurs if an attack is successful. If an attack is not successful, the hacker can instead attempt a fallback position.

Fallback Attacks

Fallback attacks are the other options for mayhem a hacker can deploy after unsuccessful breach attempts against a target. Common alternatives to intrusion include DoS, eavesdropping, breaking and entering, social engineering, malicious code, session hijacking, man-in-the-middle attacks, wireless hacking, SQL injection, website attacks, and more.

FIGURE 2-2 Five phases of hacking.
[Figure: the five phases in order: Reconnaissance, Scanning, Enumeration, Attacking, Post-attack activities; Fallback attacks branch off when the attack is unsuccessful.]


Reconnaissance

Reconnaissance is the initiation of the process of hacking. Reconnaissance means the act of inspecting or exploring and can also be called footprinting, discovery, research, and information gathering. This phase is the first of three pre-attack phases in which hackers learn as much as possible about a target before attempting the first actual attacks. Reconnaissance consists of collecting data about the target from all possible sources online and offline. The hacker is careful to avoid alerting the target that it has probed the network for information. Reconnaissance can include:

• Researching old versions of a target organization’s website at archive.org
• Examining search engine contents
• Reviewing the organization’s website
• Investigating the background of personnel
• Performing location mapping
• Reading job postings
• Checking insider information leak sites
• Looking at newspaper and magazine articles for mentions of the organization
• Perusing press releases
• Searching newsgroups, chat archives, blogs, and forums
• Auditing financial records or reviewing public filings
• Reviewing court cases and other public records
• Querying whois, domain registrations, and public IP assignments
• Eavesdropping on email and other conversations
• Visiting a physical location for the organization

These are just some of the possible reconnaissance activities a hacker can perform. Information gathering is limited only by the time, resources, and imagination of the hacker. Once the hacker has built and organized a reasonable portfolio of information about the target, the next step is scanning.

Scanning

Scanning is the activity of using various tools to confirm information learned during reconnaissance and to discover new details. Scanning is aimed at discovering live and active systems. Scanning can include wardialing, wardriving, ping sweeps, and port scanning.
Wardialing is an older tactic that uses the telephone system to locate any active and answering modems. Using a modem and often a dialing program, a hacker’s computer automatically dials target phone numbers. The hacker obtains phone numbers during reconnaissance or by dialing all the numbers in an area code or prefix.

Wardriving, a term derived from wardialing, is the technique of using a wireless detector (sniffer) to locate wireless networks. Hackers used to drive through cities or neighborhoods with laptop computers to discover wireless networks. Today, driving is not necessary and smartphones detect wireless networks automatically.

Ping sweeps are used to discover systems over network connections that will respond to Internet Control Message Protocol (ICMP) echo requests. Hackers commonly use ICMP for



network health and testing. The ping command typed from the command line of a computer or network mapping utility sends ICMP echo requests to all possible recipients within an Internet Protocol (IP) address range or subnet. ICMP echo responses from systems indicate their IP addresses and that they are up and running.

Hackers perform port scanning by sending various constructions of Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) packets to ports (FIGURE 2-3). If the hacker does not know the computer system exists, then a port scan can determine the existence of a system at a specific IP address, as well as whether a port is open, closed, or filtered. A TCP port is known to be open if a full TCP three-way handshake can establish a virtual circuit. A UDP port cannot be confirmed as open because the default response from an open port is always silence.

FIGURE 2-3 Basic TCP and UDP port scanning.
[Figure: TCP scan: a SYN request packet answered by a SYN/ACK response packet, followed by an ACK response packet, indicates an open port; a SYN request packet answered by an RST response packet indicates a closed port. UDP scan: a datagram that draws no response indicates an open port; a datagram answered by an ICMP Type 3 response indicates a closed port.]


Technical TIP

Ports exist at the Transport Layer (Layer 4) of the Open Systems Interconnection (OSI) Reference Model. TCP and UDP use ports to support multiple simultaneous communications, connections, or sessions over a single Layer 3 (Network Layer) IP address. There are 65,535 ports, but most systems can only support a few hundred concurrent transactions.

A port is open if an active service is ready to process data through the specific port. A port is closed if no service is associated with that specific port.

When communications elicit error messages or abnormal responses from a port, a firewall can filter out these responses. The port then remains visible for valid and normal communications, while the firewall blocks any attempt to elicit errors or abnormal responses.
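To make the response patterns in FIGURE 2-3 and the filtering caveat in the Technical TIP concrete, here is an added example in Python (not from the book): classify_port encodes the open/closed/filtered decision for a single probe result, and detect_port_sweeps shows the defender's side, flagging a source that touches many ports on one host within a short window while leaving a single-port check unflagged. The log line format, the addresses (RFC 5737 documentation ranges), the "open|filtered" label, and the thresholds are constructed for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta


def classify_port(proto: str, response: str) -> str:
    """Map one probe result to open / closed / filtered, following FIGURE 2-3.

    TCP: SYN/ACK means the handshake can complete (open); RST means the
    stack refused (closed); silence or an ICMP error means something in
    between, usually a firewall, discarded the probe (filtered).
    UDP: ICMP Type 3 means closed; silence is the default reply of an open
    port, but a firewall that drops ICMP errors produces the same silence,
    so the honest verdict is 'open|filtered' (label chosen for this example).
    """
    proto, response = proto.lower(), response.lower()
    if proto == "tcp":
        if response == "syn/ack":
            return "open"
        if response == "rst":
            return "closed"
        return "filtered"
    if proto == "udp":
        if response == "icmp type 3":
            return "closed"
        if response == "none":
            return "open|filtered"
        return "filtered"
    raise ValueError(f"unsupported protocol: {proto}")


# Constructed log format for this example (not a real product's format):
#   <ISO timestamp> <ACTION> <TCP|UDP> <src>:<sport> -> <dst>:<dport>
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<action>\w+) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def detect_port_sweeps(lines, min_ports=10, window=timedelta(seconds=60)):
    """Return {(src, dst): ports} for sources that hit at least `min_ports`
    distinct destination ports on one host inside a sliding `window`.

    A single-port check never reaches the threshold, matching the text's
    point that verifying one port is hard to notice while a sweep is not.
    """
    hits = defaultdict(list)  # (src, dst) -> [(timestamp, dport), ...]
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if m is None:
            continue  # ignore lines that do not match the expected format
        hits[(m["src"], m["dst"])].append(
            (datetime.fromisoformat(m["ts"]), int(m["dport"]))
        )

    sweeps = {}
    for pair, events in hits.items():
        events.sort()
        best, start = set(), 0
        for end in range(len(events)):
            # advance the window start until the span covers at most `window`
            while events[end][0] - events[start][0] > window:
                start += 1
            ports = {port for _, port in events[start:end + 1]}
            if len(ports) > len(best):
                best = ports
        if len(best) >= min_ports:
            sweeps[pair] = best
    return sweeps


def sample_firewall_log():
    """Constructed sample: one single-port check from 198.51.100.7 and a
    20-port sweep from 203.0.113.5, both against 192.0.2.10 (RFC 5737
    documentation addresses, so nothing here points at a real host)."""
    base = datetime(2020, 9, 15, 23, 40, 0)
    lines = ["2020-09-15T23:39:58 DENY TCP 198.51.100.7:40001 -> 192.0.2.10:443"]
    for i, port in enumerate(range(20, 40)):
        stamp = (base + timedelta(seconds=i)).isoformat()
        lines.append(f"{stamp} DENY TCP 203.0.113.5:{51000 + i} -> 192.0.2.10:{port}")
    return lines


if __name__ == "__main__":
    for probe in [("tcp", "SYN/ACK"), ("tcp", "RST"), ("udp", "none")]:
        print(probe, "->", classify_port(*probe))
    for (src, dst), ports in detect_port_sweeps(sample_firewall_log()).items():
        print(f"port sweep: {src} probed {len(ports)} ports on {dst}")
```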

During scanning, often referred to as probing, a hacker sends packets to elicit responses. When a hacker performs scanning, it is detectable. Reconnaissance is generally silent, secretive, and unobtrusive. You are also unlikely to detect scanning to verify individual data items, such as a single open or closed port. But when hackers scan to discover all possible IP addresses in use and all possible open and closed ports, it is noticeable to network administrators and usually captured in system logs. Reconnaissance activity might or might not draw attention, but scanning—if not conducted carefully and on single ports, as opposed to all ports at once in a port sweep or blast—will be hard to ignore.

Hackers perform scanning until they discover one or more targets. Because scanning uncovers only a system and the open ports, hackers learn very little about the targets. Hackers stop scanning and move to the enumeration phase, the next step toward attacking, whenever they have enough information or their scans fail to reveal new information, based on the purpose of their attacks. Keep in mind that an attacker needs only a single vulnerability to gain access to a system or network. Once hackers can access a machine, moving on toward attacking it quickly is the most common escalation.

Enumeration

Enumeration is the discovery and listing of potential attack targets. Enumeration is the hackers’ process of discovering sufficient details about a potential target to learn whether a vulnerability exists that they can successfully attack. Enumeration often starts with operating system (OS) identification, followed by application identification, then extraction of information from discovered services.

Hackers perform OS identification by probing an open and closed port of a target. The responses from these ports identify the OS. This identification is possible because of the idiosyncrasies of different programmers writing interoperable code. Each OS uses a different group of programmers to write the network protocol stack. Even though the resultant protocol stack may be in compliance with IEEE standards, the defaults and reactions of the stack often differ from one OS to the next. These differences are known and maintained in a small database, which is coded into most network scanning and probing tools, such as nmap.



FIGURE 2-4 A banner grabbed from a web server. Courtesy of Zenmap.
[Figure: screenshot of the grabbed banner; image not reproduced.]

Each open port has a service running behind it. Banner grabbing is the activity of probing those services to obtain information (FIGURE 2-4). Once a connection has begun, a service may send an announcement of connection or communication confirmation. This announcement is called the banner. The banner may contain additional details, such as the product name and version number of the service.

The information in the banner can be used by a hacker for reconnaissance purposes—to gain the intelligence needed to form the basis of an attack. One low-cost method of protection is to change the banner to mislead hackers into using the wrong exploits against the server, but still allow the service on the given port to perform its duties. In some cases, banners are not actually used, so these may be greatly shortened; in other cases, advanced features that are not used may be abandoned in a trade-off that results in better security.

Once hackers have identified the service, they can request additional information. If the service is secure, the information request is ignored and no response is sent. But if it is insecure, the service may return volumes of data to the hacker. Depending upon the service and the queries the hacker performs, the extracted information could include system name, network name, user names, group names, share names, security settings, resources available, access control settings, and more.

Enumeration provides the hacker with identified, potential attack points.
After reviewing vulnerability databases, such as MITRE (http://cve.mitre.org) or National Institute of Standards and Technology (NIST) (https://nvd.nist.gov), hackers evaluate the potential vulnerabilities. Once the hacker selects an attack target, they collect exploit tools and wage the attack.

One aspect that characterizes modern attacks is the amount of time that passes between the reconnaissance phase and the attack phase. In the past, a matter of minutes may have separated the two, but the more modern attack might take weeks, months, or longer to gather information before the attack is unleashed. Such an attack, the highly targeted advanced persistent threat (APT), will be discussed in more depth later in this chapter.

Attacking

Attacking is the fourth phase of hacking. Although this seems to be the phase that attracts most of the hype about hackers, in fact, it is the briefest phase of the overall hacking process. A successful attack, based on solid research and preparation, can take just seconds.

If an initial attack fails, hackers can modify their exploits, tune their payloads, adjust their shell code, reset their vectors, and relaunch the attack. Once hackers figure out that an assumed vulnerability does not exist or has been secured, they return to their enumeration results to select a new point of assault. Again, think of termites: If they can’t get into the house structure through a doorjamb, they will just as eagerly try to enter through a windowsill. Both pests are relentless.

Repeated attacks will lead either to an eventual successful breach or to the frustration of a hacker due to successful defense by the target. If successful, the attacker moves on to post-attack activities. If unsuccessful, the attacker can elect to move to alternative fallback attacks.

Post-Attack Activities

In a successful attack, the hacker usually has breached the target’s security to gain some level of logical access. This could be the credentials of a standard user account or access to a command shell accessed through a buffer overflow exploit. In any case, some common post-attack activities usually take place. These include privilege escalation, depositing additional hacker tools, pilfering data, creating a re-entry point (backdoor), and removing evidence of the hack.

Privilege escalation is attempting to gain higher levels of access or privilege from the target. This can occur using a keystroke logger, known OS exploits to steal administrator or system access, manipulation of scheduled tasks, social engineering, Trojan horses, remote control programs, and other mechanisms. The result is that the hacker gains access to a user account or a command shell that operates as an administrator, root, or the system itself. With privileged access, the remaining post-attack activities are much easier.

Depositing additional hacker tools gives the hacker more power over the compromised system. Tools may enable additional abilities unavailable through the current connection method. Tools may assist in pilfering data, removing evidence of the hack, or maintaining or regaining access in the future. To regain access, hackers often create new accounts on the system. Scanning for new accounts is an easy way to identify this technique.

Pilfering data is just that: scouring storage devices looking for files of interest. Hackers look for anything they can turn into cash quickly. They also look for things that would be fun, interesting, or damaging to disclose to the public. They look for items they can use to blackmail or coerce users. And, of course, they are on the lookout for potentially valuable information for bartering or trading with other hackers or criminals. Dumping the user account database and password hashes is often a priority as well. Cracking the passwords of other users will help in accessing the system in the future.

Removing evidence of the compromise and subsequent activities is an important step for the hackers. Failing to cover their tracks could lead to apprehension and prosecution. Allowing the IT and security staff to discover the intrusion will lead only to heightened levels of security. Discovery makes future returns more difficult, if not impossible, depending on the hacker’s skill set.

Once the hacker performs evidence cleanup, the attacker can claim to have owned (or pwned, in leetspeak, hackers’ code language) a system. The hacker has demonstrated skills through the discovery, tracking, and penetration of a target. This is often the goal of a hacker: to successfully penetrate a target. However, such successes are not always easy, or common. If the attacks fail, the hacker may have fallback attack options.

Common IT Infrastructure Threats

The more you understand about the various threats and risks to network security, the more defenses you can mount against these attacks. Threats to network security include hacker exploits, as well as Mother Nature, device failures, and users performing normal business activities.

Hardware Failures and Other Physical Threats

Network security is not just about protection against hacking. Computer systems and networks face many other threats on an ongoing basis. Computer equipment is complex and sometimes fragile. Hardware failures are the most common cause of unexpected downtime. Most equipment is expected to operate well beyond its expected lifetime in normal environments. Some forms of technology, however, are more prone to failure than others.

One of the most commonly discussed causes of unexpected downtime is hard drive failure. A hard drive is one of the few common computer components that has moving parts. While optical drives, tape drives, mice, and keyboards have moving parts, these devices seem to outlast hard drives by a significant margin. Hard drive failure can occur unexpectedly or with reasonable warning. The warning is usually a grinding, whining, or clicking noise coming from the drive as it begins to fail. These noises are clear signs that the end of the device’s usable life is near and it should be replaced immediately.

The best defense against hard drive failure, as well as hardware failure in general, is to be prepared. Being prepared includes consistent periodic backups, preferably using a redundant array of independent disks (RAID); performing general cleaning and maintenance; and having spare parts on hand for the inevitable. Another method to avoid downtime and a loss of availability is to replace equipment before it fails. Most devices have a mean time to failure (MTTF) or mean time between failures (MTBF) that can determine the statistical likelihood of a failure. It is a good practice to replace the device before that period expires. While you will be replacing some devices long before an actual failure, this technique keeps the statistics on your side. Though planned downtime is costly, it is less costly than unplanned downtime.
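As an added illustration (not from the book) of using an MTBF/MTTF figure to schedule replacement, the Python below assumes a memoryless (exponential) failure model, which the text does not state, and computes the chance a unit has already failed by a given operating time, the service horizon that keeps that chance under a chosen risk, and the expected failures across a fleet. The 1,000,000-hour MTBF and the fleet size are constructed values.

```python
import math


def failure_probability(hours_in_service: float, mtbf_hours: float) -> float:
    """Probability that one unit has failed by `hours_in_service`.

    Assumption (exponential model): P(fail by t) = 1 - exp(-t / MTBF).
    Note that at t == MTBF this is already about 63%, so waiting for the
    rated figure to expire is not 'keeping the statistics on your side'.
    """
    if mtbf_hours <= 0 or hours_in_service < 0:
        raise ValueError("MTBF must be positive and service time non-negative")
    return 1.0 - math.exp(-hours_in_service / mtbf_hours)


def replacement_horizon(mtbf_hours: float, max_failure_risk: float) -> float:
    """Operating hours after which a unit should be swapped so that the
    chance it has already failed stays at or below `max_failure_risk`.

    Inverts the model above: t = -MTBF * ln(1 - risk).
    """
    if mtbf_hours <= 0:
        raise ValueError("MTBF must be positive")
    if not 0.0 < max_failure_risk < 1.0:
        raise ValueError("risk must be strictly between 0 and 1")
    return -mtbf_hours * math.log(1.0 - max_failure_risk)


def expected_failures(fleet_size: int, hours_in_service: float,
                      mtbf_hours: float) -> float:
    """Expected number of identical units in a fleet that fail by the given
    time; the spares-on-hand figure the text recommends keeping."""
    if fleet_size < 0:
        raise ValueError("fleet size must be non-negative")
    return fleet_size * failure_probability(hours_in_service, mtbf_hours)


if __name__ == "__main__":
    MTBF = 1_000_000  # constructed vendor figure for a drive, in hours
    three_years = 3 * 8760
    print(f"P(failed by MTBF)          = {failure_probability(MTBF, MTBF):.1%}")
    print(f"replace by (<=5% risk)     = {replacement_horizon(MTBF, 0.05):,.0f} h")
    print(f"fleet of 200 after 3 years = "
          f"{expected_failures(200, three_years, MTBF):.1f} expected failures")
```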



Solid-state drives (SSDs) eliminate many of the problems associated with hard disk drives but at a greater initial cost for the hardware.

Another physical threat is heat. Too much heat damages computer equipment. Systems that experience severe temperature cycles, such as very hot to very cold, can have incidents of chip creep or warping and cracking of materials. Chip creep is caused by the expansion and contraction of metal because of temperature changes. Severe temperature cycling can even break soldered connections. The traditional debate about turning computers off at night or over weekends or leaving the equipment in a running state speaks to the effects of these temperature changes. A running computer is at its optimum functioning temperature.

Static electricity discharge (SED) from dry conditions can destroy most circuits. Frayed wires caused by rubbing against sharp metal edges or rough surfaces, such as a concrete block wall, can cause a short circuit. Moisture, due to high humidity in the air or liquid spills, is always bad for electrical devices. Excessive vibration can be damaging to computer equipment. Vibrations—caused by nearby heavy construction or regular passing of trains, subways, and airplanes, or even forklifts and large equipment on a shop or manufacturing floor—can cause damage over time. Any obvious physical damage as a result of dropping the device, knocking it over, dropping heavy objects on the device, and so on can result in broken equipment. You can eliminate or significantly reduce most physical risks and threats with reasonable precautions and common sense in proper handling, care, and storage of electronic equipment.

One such risk is intentional electromagnetic interference (IEMI), in which an intentional discharge is made that damages or destroys electronic equipment from cell phones and video surveillance to computers and servers. IEMI discharges have been recorded up to two miles away and pose no risk of damage to living creatures. Although IEMI and related technologies have been used by the military for years, IEMI is just now becoming a threat to computer security.

One final physical threat is theft. Physical facility protections should ensure that an IT infrastructure is not threatened by unauthorized outsiders (or insiders) walking away with storage devices or other critical components.
A hacker who has stolen a device can spend as long as it takes to attempt to gain access to it.

Natural Disasters

Mother Nature is powerful and unpredictable. All sorts of serious weather events can damage or destroy IT infrastructures. Knowing the types of severe weather common in your area will suggest the correct precautions, such as special insurance, structural reinforcements, lightning protection, surge protectors, bilge pumps, and so on. No matter what the potential disaster, the best protection for data is a reliable regular backup stored in a secured, off-site facility.

Accidents

Accidents happen. Whenever humans are involved, things will go wrong. Murphy’s Law states, “Anything that can go wrong will.” Preparing for accidents can significantly lessen the impact if one occurs or aid in avoidance.



An IT infrastructure is a large, complex, but fragile thing and it is completely at the mercy of human beings. Accidental damage in the wrong location or at the wrong time can have devastating results. Accidents include spilling liquids on equipment, tripping over cables, pulling out the wrong power cord or cable, tripping the building’s circuit breaker, setting off the water sprinklers, knocking over a computer, turning off a system prematurely, installing the wrong driver, and so on.

The best precautions and protections against accidents are backups, configuration documentation, and training. With some commonsense adjustments to worker activity, paying closer attention to activities they perform, and watching out for precarious circumstances, you can avoid many “common” accidents. Training employees what to do in the event of an accident or emergency significantly increases the chances of successful recovery.

Malicious Code (Malware)

Malware is the shortened term for malicious software. Malware is unethical code hackers write to cause harm and destruction. Malware gains access to a system in myriad ways, usually without the consent or knowledge of the user. The most common vectors of this computer contaminant are portable storage devices and Internet communications, like email or social media. A wide range of malware exists, including viruses, worms, Trojan horses, keystroke loggers, spyware, adware, rootkits, logic bombs, trapdoors, backdoors, dialers, URL injectors, and other exploits.
The number of unique malicious code samples is astounding. Recent research into malware attacks has estimated the potential number of unique signatures (strings of code used to detect and identify specific malware, much like a fingerprint) to be in the billions, a huge increase since Symantec counted more than 17 million unique signatures less than 10 years ago.

Just like a biological virus, a computer virus needs a host object to infect. Most viruses infect files: executables, device drivers, dynamic link libraries (DLLs), system files, and sometimes even document, audio, video, and image files. Some viruses infect the boot sector of a storage device, including hard drives and USB drives. Viruses spread through the actions of users. As users open infected files, the virus spreads to other files; as users send infected files to other systems, the virus spreads there as well.

Unlike viruses, which spread from file to file, worms spread from system to system. Because human interaction is not necessary for propagation, worms can (and do) spread much more quickly than viruses; today, nearly every threat described as a virus is really a worm. Hackers design worms around specific system flaws. The worm scans other systems for the flaw, then exploits it to gain access to another victim system. Once hosted on the new system, the worm repeats the process. Worms can also act as carriers, depositing other forms of malicious code as they multiply and spread across networked hosts.
A Trojan horse is actually a mechanism of distribution or delivery more than a specific type of malware. During the Trojan War, the Greeks built a huge, hollow wooden horse, hid warriors inside, delivered the horse to the Trojans, and seemingly departed. The Trojans took the horse into their citadel and were massacred overnight when the Greek warriors emerged from hiding. In malware, the term refers to a malicious payload embedded within a seemingly benign carrier or host program, a program the user actually wanted, such as a game



or video clip, and intentionally downloaded or copied. When the host program runs the game or video clip, the malware is delivered.

The gimmick of a Trojan is fooling someone (a form of social engineering) into accepting the Trojan program as safe. Any program can be converted into a Trojan by embedding malware inside it, in the same way that any food can be poisoned by adding a toxic substance. Hackers have specialized tools, called wrappers or Trojan construction kits, designed for the express purpose of building Trojan horses.

Keystroke loggers record the keyboard activity of a user. Hackers can deposit software keystroke loggers onto a victim's system through a variety of techniques, including a worm

or a Trojan. Once a system is infected, the keystroke logger periodically transmits its key logs to the originating hacker through email, File Transfer Protocol (FTP), or instant messaging (IM). Hardware keystroke loggers attach inline on the keyboard cable. They are hard to detect because the device is very small and usually sits below the desk or behind the computer, where users typically do not look.

Spam email is often used to initiate attacks: an unrequested message is made to appear legitimate or enticing so that the receiver clicks on it, launching malware onto the computer.

Spyware is an advancement of keystroke logging that monitors and records many other user activities. Spyware varies greatly, but it can collect a list of applications launched, URLs visited, email and chats sent and received, the names of all files opened, recordings of network activity, periodic screen captures, and even audio from a microphone or images from a webcam.

Adware injects unsolicited advertisements into the user's experience. Spyware and adware are often linked in a symbiosis, because the information learned about a target from spyware helps in selecting the material the adware pushes to the user. Adware can deliver advertisements as pop-ups, as email messages, or by replacing legitimate ads on websites as each page is displayed in the browser.

Rootkits are malicious camouflage: invisibility shields for anything a hacker wants to hide on a computer.
A kernel-mode rootkit loads much like a device driver and hooks the interfaces between applications, the kernel (the core program of an operating system), and the hardware. From there, the rootkit can selectively hide files on storage devices and keep active processes in memory from being viewable, accessible, or detectable through the operating system's own tools. Rootkits hide other forms of malware or hacker tools and can include other malicious functions in addition to their stealth abilities. Because the rootkit filters what the compromised operating system reports, detection is most reliable from outside it, for example by booting from trusted media and comparing the file system against a known-good baseline.

A logic bomb is an electronic land mine. Once a hacker embeds a logic bomb in a system, it remains dormant until a triggering event takes place. The trigger could be a specific date and time, the launching of a program, the typing of a specific keyword, or access to a specific URL. Once the trigger occurs, the logic bomb springs its malicious event on the unsuspecting user.

Trapdoor and backdoor are two terms for the same type of malware. A backdoor or trapdoor program opens an access pathway that gives a hacker easy entry into a compromised system. Backdoor malware is commonly delivered by the Trojan horse method. Unlike ransomware or a worm, which announce themselves through their effects, a backdoor is only useful while the malicious portion of the Trojan remains hidden. The access could be a new user account with credentials the hacker has defined; a rogue web, Telnet, or Secure Shell (SSH) server that gives the hacker a remote command prompt; or a service that enables full remote control over the victim's machine (sometimes just by turning on Remote Desktop on a



Windows host). Many other trapdoor or backdoor manipulations can grant access to external hackers.

A dialer is a rogue program that automatically dials a modem to a predefined number. Sometimes this process auto-downloads additional malware to the victim system or uploads stolen data from the victim. In other cases, the dialer calls premium-rate telephone numbers from the victim system to rack up massive charges. If the user normally connects to the Internet over a dial-up link, the dialer could dial a rogue proxy site instead of the Internet service provider (ISP). That site would then act as a man-in-the-middle and eavesdrop on all communications.

URL injectors replace the URLs in HTTP GET requests with alternative addresses. The injected URLs cause a different webpage to appear in the browser than the one the user's click requested. The replacement pages could present advertisement sites, generate traffic to falsify search engine optimization (SEO) rankings, or lead to spoofed sites.

Exploits are any form of malware designed to take advantage of a flaw in programming, timing, communication, or storage. Hackers often embed exploits into other forms of malware to assist in infection and distribution. Exploits also exist independently, usually as tools employed by hackers to wage attacks, cause damage, and perform intrusions.

Malware is spread through the same communication channels as legitimate, benign data.
The difference is that hackers design malware to cause distress and destruction. A growing area of risk for the spread of malware is mobile code. Mobile code is software built to be transmitted over a communications network, such as the Internet or a mobile phone network, and then executed on the receiving host; browser scripts and downloadable applets are everyday examples. Hackers exploit that design because malware disguised as mobile code downloads and executes with little or no user interaction, and it is spreading more rapidly than ever. The general population, and even IT professionals, need to be more aware, use proper precautions, and run anti-malware applications.

Advanced Persistent Threat

For many years, it was common for the general public, and even many knowledgeable security professionals, to call every type of malware a virus. It has become just as common for every type of malware to be called an advanced persistent threat (APT). Although the occurrence of APTs has increased dramatically, they still account for a small percentage of attacks. It is true that APTs represent the next generation of threat: the adversary establishes a quiet, long-term presence on a target machine and activates it when useful (hence the term "persistent"). An APT is better understood as a sustained campaign by a well-resourced adversary than as a single malware sample. APTs are highly targeted, with the targeting intelligence often gleaned from other types of attacks, from phishing to social engineering. Historically, most attacks have been opportunistic attacks seeking the weakest systems to break into: the lowest-hanging fruit.
As attacks shift from purely financially motivated crime toward state-sponsored espionage and hacktivism (politically motivated hacking), it follows that targeted attacks such as APTs are likely to keep growing.

Even with all the variations of malware that currently exist and those that will exist in the future, you can choose from only a few common defenses: antivirus software, anti-malware scanners, integrity-checking scanners, and user awareness. Antivirus software actively searches for viruses, worms, Trojans, and other similarly destructive forms of malware in memory and on storage devices. Anti-malware scanners look for spyware, adware, dialers, and similar nuisances that antivirus software might not address. An integrity checker



keeps a database of hash values for all system and application files and reports when unauthorized changes occur to those files. The baseline must be captured on a known-good system and stored where an intruder cannot rewrite it, or a compromised host will simply attest to its own altered files. You can improve user awareness by offering training that encourages responsible action with regard to security. Training also encourages users to take reasonable precautions against infection and attack, both at work and at home, and it should cover what to do and whom to contact, such as the IT team or the helpdesk, to report incidents within the organization.
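
The integrity checker just described, as an added example that is not part of the original chapter: it records the SHA-256 digest of every file under a directory as the baseline, then compares a later scan against that baseline and reports added, removed, and modified files. The directory layout and the "tampering" it performs are constructed for the demonstration; only the Python standard library is used.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def hash_file(path, chunk_size=65536):
    """Return the hex SHA-256 digest of a file, read in chunks so large files fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root):
    """Map every file under root (as a POSIX-style relative path) to its SHA-256 digest."""
    root = Path(root)
    baseline = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = Path(dirpath) / name
            baseline[full.relative_to(root).as_posix()] = hash_file(full)
    return baseline


def compare(baseline, current):
    """Return (added, removed, modified): sets of relative paths whose status changed."""
    base_keys, cur_keys = set(baseline), set(current)
    added = cur_keys - base_keys
    removed = base_keys - cur_keys
    modified = {p for p in base_keys & cur_keys if baseline[p] != current[p]}
    return added, removed, modified


def demo():
    """Constructed scenario: baseline three files, then tamper with the tree and rescan."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "etc").mkdir()
        (root / "bin" / "login").write_bytes(b"original login binary")
        (root / "etc" / "passwd").write_text("root:x:0:0::/root:/bin/sh\n")
        (root / "etc" / "motd").write_text("welcome\n")
        baseline = build_baseline(root)  # taken while the tree is known-good

        # Simulated intrusion: a patched binary, a dropped config file, a deleted file.
        (root / "bin" / "login").write_bytes(b"original login binary" + b"\x90" * 8)
        (root / "etc" / "backdoor.conf").write_text("listen 0.0.0.0:4444\n")
        (root / "etc" / "motd").unlink()

        added, removed, modified = compare(baseline, build_baseline(root))
        return {
            "added": sorted(added),
            "removed": sorted(removed),
            "modified": sorted(modified),
        }


if __name__ == "__main__":
    for status, paths in demo().items():
        print(f"{status}: {paths}")
```

In a real deployment the baseline is signed or kept on read-only media, files that legitimately change (logs, spools) are excluded, and when a rootkit is suspected the scan is run from trusted boot media so the hashes are computed without the compromised kernel in the loop; tools such as AIDE and Tripwire package this same idea.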

Fast Growth and Overuse

Network security is not always an organizational priority. Some organizations are more concerned with profits and rapid growth than with spending time on network security. Security is sometimes viewed as an annoying overhead expense that consumes resources without providing any return to compensate for the outlay. Although this mindset is common among senior management, it is a poor and incorrect understanding of the return on investment (ROI) of network security.

Network security, and in fact all forms of security, protects the organization so that its profit centers can function without interruption or interference. Without network security, the capability and availability of the IT infrastructure would be unstable, especially during periods of accident, infection, attack, or hardware failure. Network security reduces the occurrence of downtime and of damaged or lost resources. What could be more important to an organization's bottom line?

Organizations that fail to address security issues in periods of explosive growth are more likely to experience catastrophic failure. When assets (communications, data stores, intellectual property, customer data, financial records, and private personnel data) go unprotected, a breach at any level could result in organizational implosion.

Racing to get ahead without proper planning and preparation usually ends in failure. When constructing a skyscraper, the top of the structure is not built until each floor below it is properly erected.
Growing a company too fast without adequate network security protections is like attempting to build the penthouse before the lower floors are completed. The rise to the top floor may be exhilarating, but the subsequent crash is unavoidable. What goes up too fast will inevitably come down faster.

A slightly slower growth rate that builds network security concurrently with the expansion of the organization is a much smarter plan. Such a deliberate approach is more likely to provide sustained growth and longevity than an unbridled push for forward momentum that ignores the risks.

Another potential oversight is pushing equipment, software, and connectivity beyond a reasonable load level. Trying to pull a yacht with a sports car comes to mind: it looks impressive, but what is at risk? Modern IT equipment performs at astounding levels, but even the best equipment can do only so much before it exceeds its operational limits and starts trending toward failure.

The growth of most organizations is predictable, and predictable growth lets you plan the expansion of infrastructure before the infrastructure becomes a bottleneck. As utilization passes 60 percent of current capacity, you should already be planning for expansion. As it passes 80 percent, take steps to implement the expansion. As it passes 90 percent, accelerate your efforts to complete it.



If the company reaches 100 percent capacity before it completes expansion, a bottleneck inhibiting growth will result. This obstacle can create a bounce-back effect, in which interrupted growth shrinks the organization and makes the return to growth more difficult.

Equipment, storage space, memory capacity, backup capabilities, communication bandwidth, and processing capabilities should never reach maximum use. Reserve sufficient headroom for the occasional spike above normal peak activity.

Managing organizational growth has many benefits, including measured, planned upgrades and improvements instead of equipment failures and outages. It also matters for security monitoring: if growth occurs too quickly, how will you know whether a shortage of bandwidth is due to overuse by legitimate network processes or to a malware infestation? The two situations have similar effects on the behavior of a network and on user satisfaction, and only a baseline of normal utilization lets you tell them apart.

Wireless Versus Wired

The security implications of a wireless network compared with a wired network are often exaggerated. The biggest difference is the mechanism and proximity of the attack. With wired networks, a hacker must gain physical proximity to a target to make direct contact with it. Once connected to the wired network, the hacker can attempt various attacks and exploits.
With wireless networks, the hacker does not have to be physically close. Hackers can attempt network breaches from a mile or more away from the access point (FIGURE 2-5), although in most real-world situations the usable range is under 1,000 feet even with a small but powerful directional antenna.

In either case, wired or wireless, the hacker must first obtain a connection to the target network if the goal is to gain access to user accounts or data stored on the network. If the hacker is mainly interested in destruction or denial of service (DoS), logical network access is not necessary; jamming a wireless channel or cutting a cable requires no credentials.

Eavesdropping

Eavesdropping is listening in on communications. It can take the form of recording network traffic with a packet-capturing tool, generically known as a sniffer (FIGURE 2-6). Hackers can eavesdrop on data packets or on voice traffic, over wired or wireless connections.

FIGURE 2-5 Wired networks require local attacks; wireless networks allow for remote attacks.




FIGURE 2-6 Eavesdropping on an existing session between client and server.


Any communication carried in plain, directly usable form is subject to interception and recording. You can prevent eavesdropping on content by using encrypted protocols; only strongly encrypted messages are safe from outsiders learning what the conversation says. Two caveats apply. Encryption hides the content, not the fact or pattern of the communication, so addresses, timing, and volumes remain visible to a sniffer. And captured ciphertext can be stored and attacked later, so traffic protected by obsolete ciphers, short keys, or poorly managed keys should be treated as readable once the packets are acquired; the strength of the algorithm and the key management, not raw computing speed, decide whether recorded traffic stays secret.

Hijack and Replay Attacks

A hijack attack occurs when a hacker uses a network sniffer to watch a communications session and learn its parameters (addresses, ports, sequence numbers). The hacker then disconnects one of the session's hosts, impersonates the offline system, and injects crafted packets into the communication stream. If successful, the hacker takes over the session of the offline host while the other host is unaware of the switch.

Replay attacks are also known as playback attacks. A replay attack occurs when a hacker uses a network sniffer to capture network traffic and then retransmits that traffic onto the network at a later time. The goal of a replay attack is to gain interactive or session access to a system, so the traffic captured and retransmitted is usually authentication packets (FIGURE 2-7). In this type of attack, the hacker captures traffic between a client and server,

FIGURE 2-7 Replay attacks collect authentication packets, and then retransmit the packets at a later time.





and then later retransmits it against the same server as the original communication. Replay attacks focus on authentication traffic in the hope that retransmitting the same packets that allowed the real user to log onto a system will grant the hacker the same access.

Fortunately, you can thwart most replay attacks with one of several common protocol improvements. Many authentication transactions include a random challenge-response dialogue that cannot be replayed. One endpoint generates a random value (a nonce) and sends it to the other endpoint. The second endpoint uses a secret known by both endpoints to compute a response with a one-way function over the nonce. The response returns to the original endpoint, which computed the expected value independently; if the received and expected responses match, the user is authenticated. Because each challenge is fresh and single-use, a captured response is useless against the next challenge.

Time stamps are another defense. Some authentication exchanges encode time details that are difficult to reproduce or modify without detection, so a message presented outside a short freshness window is rejected. Additionally, session-based encryption with per-session keys, or a one-time pad, makes a replayed message undecipherable to the new session and so renders replay attacks ineffective.
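
The challenge-response and time-stamp defenses above, as an added example that is neither the chapter's own code nor any real product's protocol. The server issues a random single-use nonce; the client answers with HMAC-SHA256 over the nonce and a time stamp, keyed with a shared secret; the server recomputes the expected value and accepts only an outstanding nonce presented within a 30-second window. The pre-shared secret, the window size, and the fake clock are assumptions made for the demonstration.

```python
import hashlib
import hmac
import os
import time

# Assumed pre-shared secret; in practice provisioned out of band, never sent on the wire.
SHARED_SECRET = b"correct horse battery staple"


class FakeClock:
    """Deterministic stand-in for time.time() so the scenario is repeatable."""

    def __init__(self, start=1_700_000_000):
        self.now = float(start)

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def compute_response(secret, nonce, timestamp):
    """One-way function of the challenge: HMAC-SHA256 over nonce || timestamp."""
    message = nonce + int(timestamp).to_bytes(8, "big")
    return hmac.new(secret, message, hashlib.sha256).digest()


class Server:
    def __init__(self, secret, window_seconds=30, clock=time.time):
        self._secret = secret
        self._window = window_seconds
        self._clock = clock
        self._pending = {}  # nonce -> time issued; a nonce is consumed on first use

    def challenge(self):
        """Issue a fresh 128-bit random nonce and remember it as outstanding."""
        nonce = os.urandom(16)
        self._pending[nonce] = self._clock()
        return nonce

    def verify(self, nonce, timestamp, response):
        """Accept only an outstanding nonce, a recent timestamp, and a matching MAC."""
        if self._pending.pop(nonce, None) is None:
            return False  # unknown or already-used nonce: a replay or a forgery
        if abs(self._clock() - timestamp) > self._window:
            return False  # stale: outside the freshness window
        expected = compute_response(self._secret, nonce, timestamp)
        return hmac.compare_digest(expected, response)  # constant-time comparison


def run_scenario(clock=None):
    """Constructed exchange: one honest login, then three attempts built from captured data."""
    clock = clock or FakeClock()
    server = Server(SHARED_SECRET, clock=clock)

    # Honest client answers the challenge; a sniffer records (nonce, ts, resp).
    nonce = server.challenge()
    ts = int(clock())
    resp = compute_response(SHARED_SECRET, nonce, ts)
    legitimate = server.verify(nonce, ts, resp)

    # Attack 1: replay the captured packets verbatim. The nonce is already consumed.
    replayed = server.verify(nonce, ts, resp)

    # Attack 2: offer the captured response to a new challenge. The MAC is bound to the old nonce.
    new_nonce = server.challenge()
    wrong_nonce = server.verify(new_nonce, ts, resp)

    # Attack 3: hold a valid, unused answer and deliver it an hour later.
    late_nonce = server.challenge()
    late_ts = int(clock())
    late_resp = compute_response(SHARED_SECRET, late_nonce, late_ts)
    clock.advance(3600)
    stale = server.verify(late_nonce, late_ts, late_resp)

    return {"legitimate": legitimate, "replayed": replayed,
            "wrong_nonce": wrong_nonce, "stale": stale}


if __name__ == "__main__":
    for name, accepted in run_scenario().items():
        print(f"{name:12s} accepted={accepted}")
```

Only the first verification succeeds. The nonce is popped before the MAC is checked, so even a wrong guess burns it, and the comparison uses hmac.compare_digest to avoid leaking timing information. A production server would also expire outstanding nonces and bound the size of the pending table, otherwise an attacker can request challenges until memory runs out.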

Insertion Attacks

Insertion attacks come in many forms, but all involve the introduction of unauthorized content or devices into an otherwise secured infrastructure. Three common insertion-based attacks are SQL injection, IDS insertion, and rogue device insertion. Knowing what should be on the network and dropping unexpected or improperly formatted data packets greatly diminishes these types of attacks.

SQL injection is an attack that inserts a hacker's SQL into a query that a website's script builds from user input and sends to its database. SQL injection attacks can give the hacker access to the back-end database of a web application. The technique exploits the way query languages treat certain characters differently because they are assigned a special meaning or purpose rather than being treated as text. These are called metacharacters and act as programming markup. If a script does not keep user input separate from query structure, for example by using parameterized queries, then injection attacks can effectively rewrite the query based on content a hacker submits. The injected SQL runs with whatever privileges the application's database account holds: reading or altering other users' records and, on some database platforms, executing operating system commands.

Cross-site scripting (XSS) is similar to SQL injection, but the result attacks future visitors to a webpage rather than granting the hacker access to the back-end database. An XSS attack submits script code to a website. Where the site stores that submission and later renders it unescaped (a comment, a profile field, a product review), the XSS is persistent: all future visitors receive the compromised content.
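
The metacharacter problem behind both SQL injection and stored XSS, as an added example that is not part of the chapter. It places a login check that splices user input into SQL beside one that uses parameterized queries, and a comment renderer that emits raw HTML beside one that escapes it. The in-memory SQLite table, the user record, and the payloads are constructed for the demonstration.

```python
import html
import sqlite3


def make_db():
    """Constructed database: one user table with a single known account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Splices input into the query text, so quote and comment metacharacters rewrite it."""
    query = ("SELECT COUNT(*) FROM users WHERE username = '%s' AND password = '%s'"
             % (username, password))
    return conn.execute(query).fetchone()[0] > 0


def login_parameterized(conn, username, password):
    """Sends query structure and data separately; input is only ever compared as text."""
    query = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()[0] > 0


def render_comment_vulnerable(comment):
    """Inserts user content into the page as markup: stored XSS once the comment is persisted."""
    return '<p class="comment">%s</p>' % comment


def render_comment_escaped(comment):
    """HTML-encodes the metacharacters so the browser shows the text instead of running it."""
    return '<p class="comment">%s</p>' % html.escape(comment, quote=True)


# Constructed payloads. The SQL one closes the string literal, adds an always-true
# condition, and comments out the rest of the WHERE clause (-- starts an SQL comment).
SQLI_PAYLOAD = "' OR 1=1 --"
XSS_PAYLOAD = "<script>alert(document.cookie)</script>"


def demo():
    """Run each check against the vulnerable and the hardened version."""
    conn = make_db()
    results = {
        "honest_login": login_parameterized(conn, "alice", "s3cret"),
        "sqli_against_vulnerable": login_vulnerable(conn, SQLI_PAYLOAD, "anything"),
        "sqli_against_parameterized": login_parameterized(conn, SQLI_PAYLOAD, "anything"),
        "xss_in_raw_page": "<script>" in render_comment_vulnerable(XSS_PAYLOAD),
        "xss_in_escaped_page": "<script>" in render_comment_escaped(XSS_PAYLOAD),
    }
    conn.close()
    return results


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

The vulnerable login accepts the payload with any password because the query it executes has become SELECT COUNT(*) FROM users WHERE username = '' OR 1=1, while the parameterized version simply looks for a user literally named "' OR 1=1 --". Note that escaping is context-specific: html.escape is correct for text inside an element body, but content placed in a JavaScript block, a URL, or a CSS value needs the encoding of that context, which is why output encoding belongs in the template layer rather than being applied by hand.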
XSS attacks can also arrive by email: a falsified hyperlink carries the script in its parameters, and when the victim clicks the link the target site reflects the script back into the page. Such an attack can grant the hacker access to the victim's seemingly secure web session, for example by stealing the session cookie. This form of attack is non-persistent (reflected) because it affects only those who click the links in the malicious email.

IDS insertion is a form of attack that exploits the nature of a network-focused IDS, which collects and analyzes every packet it sees. The attack makes the IDS accept packets that the target host will reject, so the sensor's view of the stream differs from the host's; the sensor can be made to miss an attack or to alarm on one that never reached the host. The common purpose of IDS insertion attacks is to defeat signature- or pattern-matching detection of malicious network events. By interspersing attack traffic with packets that the target host will reject but the IDS will view, the hacker keeps the IDS from seeing the attack pattern, but the attack still takes place. For example, suppose an attack is composed of four packets, A, B, C, and D, and the IDS signature is the packet stream ABCD. If the hacker transmits the attack



as AXBCYD, where X and Y are invalid packets that the target rejects (a bad checksum, a TTL that expires before the host, an out-of-window sequence number), then the IDS, which matches the stream as AXBCYD, does not recognize the pattern. After the target discards X and Y, the ABCD attack occurs against it.

Rogue device insertion is a physical form of insertion attack in which a hacker inserts an imposter device into an infrastructure. The most common example is a rogue wireless access point (WAP) configured to look like the real, authorized access point. Some users might be fooled into connecting to it. This constitutes a man-in-the-middle attack in which the hacker intercepts all transactions from the compromised system. A smartphone can mimic a WAP. Another type of insertion attack is the physical key logger discussed earlier.
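
The AXBCYD insertion case above, as an added example that is not part of the chapter. Packets are modelled as a payload plus a flag standing in for a property the end host checks but a naive sensor does not (a bad IP checksum, for instance). A naive signature matcher sees the inserted junk and misses the pattern, while a target-aware matcher first discards what the host would discard. The packet model, the signatures, and the traffic are constructed for the demonstration, and the second traffic generator goes beyond the text's example by interleaving junk into an arbitrary attack string.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    payload: str
    checksum_ok: bool = True  # False stands in for any packet the end host will reject


def target_receives(packets):
    """The byte stream the end host actually processes: rejected packets never reach it."""
    return "".join(p.payload for p in packets if p.checksum_ok)


def naive_ids_alert(packets, signature):
    """A sensor that matches against every packet on the wire, valid or not."""
    observed = "".join(p.payload for p in packets)
    return signature in observed


def target_aware_ids_alert(packets, signature):
    """A sensor that applies the host's acceptance rules before matching."""
    return signature in target_receives(packets)


def from_wire(stream, rejected=frozenset()):
    """Packets as a sensor sees them, one character each; chars in `rejected` are ones the host drops."""
    return [Packet(ch, checksum_ok=ch not in rejected) for ch in stream]


def insertion_attack(attack, junk="#", every=2):
    """Send `attack` one character per packet and slip a rejected junk packet in after every `every` real ones."""
    packets = []
    for i, ch in enumerate(attack, start=1):
        packets.append(Packet(ch))
        if i % every == 0 and i < len(attack):
            packets.append(Packet(junk, checksum_ok=False))
    return packets


def evaluate(signature, traffic):
    """Compare what the host receives with what each sensor concludes."""
    return {
        "host_receives": target_receives(traffic),
        "naive_ids_alerts": naive_ids_alert(traffic, signature),
        "target_aware_ids_alerts": target_aware_ids_alert(traffic, signature),
    }


if __name__ == "__main__":
    cases = [
        ("plain ABCD", "ABCD", from_wire("ABCD")),
        ("inserted AXBCYD", "ABCD", from_wire("AXBCYD", rejected={"X", "Y"})),
        ("inserted request", "/etc/passwd", insertion_attack("GET /etc/passwd HTTP/1.0")),
        ("benign request", "/etc/passwd", from_wire("GET /index.html HTTP/1.0")),
    ]
    for label, signature, traffic in cases:
        print(label, evaluate(signature, traffic))
```

The general form of this evasion, and its mirror image (packets the sensor rejects but the host accepts), was catalogued by Ptacek and Newsham in 1998. Closing it requires the sensor to verify checksums, track TTL against the distance to the protected host, and reassemble TCP streams the way that host's stack does, which is why modern sensors let you declare the operating system of each protected address range.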

Each insertion attack method requires its own defense. You can prevent SQL injection attacks by defensive programming and filtering input, above all by using parameterized queries so that input is never spliced into query text. XSS attacks are generally preventable with defensive coding techniques, metacharacter filtering, output encoding, and input validation. For end users, defenses include cookie management and disabling scripting support in browsers and email clients. Squelch IDS insertion attacks by using modern IDS techniques such as anomaly, behavioral, and heuristic detection, and by configuring the sensor to reassemble traffic the way the protected hosts do. You can derail rogue device insertion through encrypted communications, preconfigured network access, prohibited wireless networking, user training, and regular site surveys.

Fragmentation Attacks

Fragmentation attacks are an abuse of the fragmentation offset feature of IP packets. Fragmentation occurs because many different network links are connected to construct a global infrastructure. Some network segments support smaller datagrams (the IP-layer term for a packet) than others, so larger datagrams are fragmented into smaller, compatible pieces and reassembled by the receiver. Manipulating the fragments can cause several potentially malicious reconstructions, such as overlapping and overrun. Think of the transporter on Star Trek: if anything gets in the way of the reassembly of the person being transported, you might end up with an evil Mr. Spock with a goatee.
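
The overlapping and overrun reconstructions named above, as an added example that is not part of the chapter. Fragments are modelled as (byte offset, data) pairs rather than real IP headers, where the offset is counted in 8-byte units and a flag marks the last fragment. The reassembler takes a policy saying whether the first or the last fragment to arrive wins an overlapped byte range, which is exactly where operating systems differ. The HTTP-like fragments are constructed for the demonstration; the 65,535-byte limit is the real IPv4 maximum datagram length.

```python
IP_MAX_DATAGRAM = 65535  # largest total length an IPv4 datagram can declare


def reassemble(fragments, policy="first", max_size=IP_MAX_DATAGRAM):
    """Rebuild a datagram from (offset, data) fragments.

    policy="first": bytes from the earliest-arriving fragment win an overlap.
    policy="last":  bytes from the latest-arriving fragment win.
    Raises ValueError on an overrun (datagram would exceed max_size) or a hole.
    """
    if policy not in ("first", "last"):
        raise ValueError("unknown overlap policy")
    end = max(off + len(data) for off, data in fragments)
    if end > max_size:
        raise ValueError("overrun: reassembled datagram would be %d bytes" % end)
    buf = bytearray(end)
    filled = bytearray(end)  # 1 where some fragment has already written the byte
    for off, data in fragments:
        for i, byte in enumerate(data):
            pos = off + i
            if policy == "first" and filled[pos]:
                continue  # keep the byte written by the earlier fragment
            buf[pos] = byte
            filled[pos] = 1
    if not all(filled):
        raise ValueError("hole: not every byte of the datagram arrived")
    return bytes(buf)


def classify(fragments, max_size=IP_MAX_DATAGRAM):
    """Label a fragment set as 'ok', 'overrun', or 'hole' without keeping the data."""
    try:
        reassemble(fragments, "first", max_size)
        return "ok"
    except ValueError as err:
        return str(err).split(":")[0]


# Constructed attack: a benign-looking first fragment, then a later fragment that
# overlaps bytes 5..14 and rewrites the requested path.
OVERLAPPING_FRAGMENTS = [
    (0, b"GET /index.html HTTP/1.0"),
    (5, b"etc/passwd"),
]

# Constructed overrun: a final fragment whose end lies past the IP maximum.
OVERRUN_FRAGMENTS = [
    (0, b"x" * 8),
    (IP_MAX_DATAGRAM - 8, b"y" * 16),
]


def compare_views(fragments, ids_policy="first", host_policy="last"):
    """What a sensor and a host see when they resolve the same overlap differently."""
    return {
        "ids_sees": reassemble(fragments, ids_policy),
        "host_sees": reassemble(fragments, host_policy),
    }


if __name__ == "__main__":
    views = compare_views(OVERLAPPING_FRAGMENTS)
    print("IDS  reassembles:", views["ids_sees"])
    print("host reassembles:", views["host_sees"])
    print("overrun set classified as:", classify(OVERRUN_FRAGMENTS))
```

With a first-wins sensor in front of a last-wins host, the sensor inspects GET /index.html while the host executes GET /etc/passwd; the fix is the same as for IDS insertion, namely a sensor that reassembles with the policy of the host it protects. The overrun check is what a reassembly routine must do before allocating the buffer; the classic ping of death was a final fragment whose offset plus length exceeded 65,535 bytes, which crashed stacks that skipped it.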
Overlapping can cause full or partial overwriting of datagram components, creating new datagrams out of parts of previous datagrams. Overrun can result in excessively large datagrams. Other fragmentation attacks cause DoS or confuse IDS detection and firewall filtering. Protections against fragmentation attacks include modern IDS detection and firewall-filtering features, as well as performing sender fragmentation. Sender fragmentation queries the network route to determine the smallest maximum transmission unit (MTU) or datagram size. The sender then pre-fragments the data to ensure that no fragmentation needs to occur en route. "Beam me up, Mr. Scott—and make sure I get back all in one piece."

Buffer Overflows

A buffer is an area of memory designated to receive input. Buffers are of a specifically determined size set by the programmer, as only a finite amount of memory resides on a host. A buffer overflow is an attack against poor programming techniques and a lack of quality control. Hackers can inject more data into a buffer than it can hold, which may result in the additional data spilling into the next area of memory. This overflow could be totally ignored, could trigger a crash or freeze, or could result in arbitrary code execution. In the last case, the hacker crafts the input stream so the overflowed data is a command-line code statement executed with system-level privileges.

Programmers can prevent buffer overflows. With defensive programming techniques, such as input limit checks and avoiding programming language functions that do not check boundary limitations, buffer overflows become a useless form of attack.

Session Hijacking, Spoofing, and Man-in-the-Middle Attacks

Attacks on systems and networks can involve falsification of credentials or misrepresentation. This collection of attacks involves a hacker posing as another entity or sending messages that their system is actually a different machine. These attacks include session hijacking, spoofing, and man-in-the-middle attacks.
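An added example, not from the book, of the input-limit check the buffer overflow discussion above recommends: the unchecked strcpy() pattern beside a bounded copy that rejects input the buffer cannot hold. The buffer size and the inputs are constructed.

```c
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define NAME_BUF 16   /* fixed-size buffer the programmer decided on */

/* The pattern the text warns about: strcpy() copies until it finds a NUL in
 * the input and never consults the destination size, so input longer than
 * NAME_BUF - 1 bytes overwrites whatever sits after `name` in memory.
 * Shown for contrast only; this file never calls it with oversized input. */
void unchecked_copy(char name[NAME_BUF], const char *input) {
    strcpy(name, input);
}

/* Hardened form: an explicit input-limit check before any byte is copied.
 * Returns 1 if the input fit and was copied, 0 if it was rejected. The
 * destination is always left NUL-terminated, and the input is scanned no
 * further than dest_size bytes, so an unterminated input cannot cause an
 * over-read either. */
int bounded_copy(char *dest, size_t dest_size, const char *input) {
    if (dest == NULL || input == NULL || dest_size == 0) return 0;
    size_t len = 0;
    while (len < dest_size && input[len] != '\0') len++;
    if (len == dest_size) {       /* no room left for the terminator: reject */
        dest[0] = '\0';
        return 0;
    }
    memcpy(dest, input, len + 1); /* len + 1 <= dest_size, so this stays in bounds */
    return 1;
}

int main(void) {
    char name[NAME_BUF];
    /* Constructed inputs: one that fits, one that is one byte too long. */
    const char *ok_input   = "alice";
    const char *long_input = "0123456789abcdef";  /* 16 chars + NUL = 17 bytes */
    printf("\"%s\" accepted: %d\n", ok_input, bounded_copy(name, sizeof name, ok_input));
    printf("\"%s\" accepted: %d\n", long_input, bounded_copy(name, sizeof name, long_input));
    return 0;
}
```

Rejecting over-length input outright, rather than silently truncating it, also keeps the caller honest: a truncated username or path is a different value from the one the user supplied.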

Session Hijacking

Session hijacking occurs when a hacker is able to take over a connection after a client has authenticated with a server (FIGURE 2-8). To perform this attack, a hacker must eavesdrop on the session to learn details, such as the addresses of the session endpoints and the sequencing numbers. With this information, the hacker can desynchronize the client, take on the client's addresses, and then inject crafted packets into the data stream. If the server accepts the initial false packets as valid, then the session has been hijacked.

FIGURE 2-8 Session hijacking steals a connection from a client.

[Figure 2-8: a hacker (H) positioned between client and server, injecting packets PL 1, PL 2, PL 3 into the client's session.]


In a session hijack, the attacker does not directly learn the credentials of the client. If the hacker loses the connection, he will have to look for another session to hijack. The client who lost the session will be aware that the connection was lost, but will not necessarily be aware that the disconnect was a hijack attack.

Session hijacking sometimes employs DNS spoofing, poisoning, ARP spoofing, ICMP redirects, and rogue DHCP to alter the route or pathway of a session. The hacker uses this pathway alteration to make the session hijacking attack easier by forcing the target session to travel over a more accessible network segment.

Any host that uses TCP/IP without encryption is vulnerable to session hijacking. Even with complex or pseudo-randomized packet sequence numbering, a little eavesdropping is all that is necessary for hackers (or the hackers' tools) to predict future sequence values. The only true protection against session hijacking is encryption, such as a VPN.

Spoofing Attacks

Spoofing is falsification of information. Most spoofing is a falsification of the identity of a source. Email addresses, MAC addresses, and IP addresses are all easily spoofed. Spoofing tricks a user or a host into believing a communication originated from somewhere other than its real source. This is a common tactic in the transmission of spam. Spoofing impersonates an authorized entity, such as MAC spoofing to bypass wireless access-point MAC filtering.

Spoofing is difficult to prevent and somewhat hard to detect. Most spoofing detection occurs when you watch normal traffic and look for addressing anomalies. For example, if a switch sees that a specific MAC address is the source address for frames received on switch port 6, and that MAC address also appears as the source address for frames received on switch port 9, that is a symptom of MAC spoofing (FIGURE 2-9). In another example, if a firewall receives a packet on its external interface and the source IP address is an internal LAN address, spoofing could be going on.
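The two detection heuristics just described, written out in C as an added example rather than the book's own code. The switch observations reuse the MAC addresses from Figure 2-9; the LAN prefix 10.0.0.0/8 and the interface name "external" are assumptions, and all sample data is constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define MAX_PORTS 64

/* One observation from the switch: a frame's source MAC and ingress port. */
typedef struct {
    const char *mac;
    int port;
} FrameObservation;

/* Constructed sample using the addresses from Figure 2-9: the victim's MAC
 * is seen on port 6 as usual, then also sourcing frames on port 9, where the
 * hacker's own MAC lives. */
static const FrameObservation sample_frames[] = {
    {"0c:a9:47:59:bb:15", 6},
    {"0c:a9:47:59:bb:15", 6},
    {"0c:a9:47:59:bb:15", 9},
    {"a4:fc:52:10:17:c8", 9},
};
#define SAMPLE_FRAMES_N (sizeof sample_frames / sizeof sample_frames[0])

/* Number of distinct switch ports that carried frames with `mac` as source.
 * Anything above 1 is the MAC spoofing symptom from the text: one station
 * cannot legitimately sit behind two access ports at once. */
int ports_seen_for_mac(const FrameObservation *obs, size_t n, const char *mac) {
    int seen[MAX_PORTS] = {0};
    int count = 0;
    for (size_t i = 0; i < n; i++) {
        int p = obs[i].port;
        if (strcmp(obs[i].mac, mac) != 0) continue;
        if (p < 0 || p >= MAX_PORTS || seen[p]) continue;
        seen[p] = 1;
        count++;
    }
    return count;
}

/* Parses dotted-quad IPv4 text into a host-order integer. Returns 0 on any
 * malformed input (trailing junk, octet over 255). */
int parse_ipv4(const char *text, uint32_t *out) {
    unsigned a, b, c, d;
    char tail;
    if (sscanf(text, "%u.%u.%u.%u%c", &a, &b, &c, &d, &tail) != 4) return 0;
    if (a > 255 || b > 255 || c > 255 || d > 255) return 0;
    *out = (a << 24) | (b << 16) | (c << 8) | d;
    return 1;
}

/* Firewall ingress check from the text: a packet arriving on the external
 * interface whose source lies inside the LAN prefix is a spoofing symptom.
 * The LAN prefix 10.0.0.0/8 is an assumed value for this example. Returns 1
 * if the packet should be flagged, 0 otherwise. */
int external_packet_has_internal_source(const char *ingress_iface, const char *src_ip) {
    const uint32_t lan_net = 0x0A000000u, lan_mask = 0xFF000000u;
    uint32_t src;
    if (strcmp(ingress_iface, "external") != 0) return 0;
    if (!parse_ipv4(src_ip, &src)) return 0;
    return (src & lan_mask) == lan_net;
}

int main(void) {
    printf("victim MAC seen on %d ports\n",
           ports_seen_for_mac(sample_frames, SAMPLE_FRAMES_N, "0c:a9:47:59:bb:15"));
    printf("external packet from 10.0.4.20 flagged: %d\n",
           external_packet_has_internal_source("external", "10.0.4.20"));
    return 0;
}
```

Both checks are symptoms rather than proof, as the text says: a station moved to another port, or a misconfigured route, produces the same observation, so the result belongs in an alert queue, not an automatic block.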

FIGURE 2-9 Spoofing of a client's MAC address by a hacker's computer.

[Figure 2-9: the victim's MAC address 0C:A9:47:59:BB:15 is also presented by the hacker's computer, whose own address is A4:FC:52:10:17:C8.]


Technical TIP

The alternate data streams (ADS) of NTFS are a feature added to this file system to support files from POSIX, OS/2, and Macintosh. This feature was added to New Technology File System (NTFS) in the mid-1990s to drive government purchase of Windows NT. However, even with POSIX and OS/2 support now dropped from Windows and Macintosh hierarchical file system (HFS), NTFS has retained this feature. ADS is the ability of a file to contain multiple resource forks. The result of NTFS support for ADS is that complete additional files—not only additional resources—can hide below any normal file object. A normal file object, including directories, can contain numerous additional files underneath itself. The number of additional files is limited only by the total amount of free space on the drive and the size of the hidden files. Once a file stores as an ADS, it is no longer visible or easily accessible by the OS itself. Several hacking tools can create and manipulate ADS. Only a few scanning tools, such as Streams from sysinternals.com, and only a handful of malware scanners can specifically explore a drive for ADS hidden code.

Spoofing is something to watch and filter for, but no real or direct prevention of spoofing exists. Additionally, hackers can intercept and modify data already in transit from a real source if it is not encrypted. Thus, spoofed data does not always originate as falsified communications.

Man-in-the-Middle Attacks

Man-in-the-middle (MitM) attacks occur when a hacker intervenes in a communication session between a client and a server. The attack usually involves fooling or tricking the client into initiating the session with the hacker's computer instead of with the intended server (FIGURE 2-10). The hacker performs a spoofing attack in order to trick the client. The result is that the connection between the client and server is proxied by the hacker. This allows the hacker to eavesdrop and manipulate the communications. An MitM attack is also called an interception attack, a proxy attack, or a monkey-in-the-middle attack.

MitM attacks involve a pre-attack element, in which the client is given false information that leads the client to request a session with the hacker's computer rather than with the real server.

FIGURE 2-10 Man-in-the-middle attacks fool clients into initiating sessions with the hacker instead of the target server.

[Figure 2-10: Client, Hacker, Server; the original request and response packets (PL 1, PL 2) pass through the hacker, who forwards modified packets (PL 1x, PL 2x).]

The hacker can accomplish this using one of several methods:
• ARP spoofing—Address Resolution Protocol (ARP) is a nonauthenticating broadcast query service that requests the Media Access Control (MAC) address from a system using a specific IP. If a hacker running an ARP spoofing tool sends a false response to the requester before the real response returns, then the sender will use the false MAC address. Subsequent frames go to the rogue MAC address, which the hacker's computer uses. Because the ARP protocol is Layer 2 and nonroutable, ARP spoofing must occur within a subnet.
• MAC spoofing—The hacker's computer uses a server's MAC address; while the server is flooded, the hacker's system receives traffic instead of the intended server. Similar to ARP above, MAC spoofing must occur within a subnet.
• DNS poisoning—To perform DNS poisoning, a hacker compromises a Domain Name System (DNS) server and plants false FQDN-to-IP mapping records. The DNS source will feed subsequent user queries false data.
• DNS spoofing—DNS is a nonauthenticating query service that requests the resolution of a FQDN into its related IP address. A hacker hosting a rogue DNS spoofing tool can send back false DNS responses.

Technical TIP

When a nonauthenticating query service is in use, it does not confirm the source or the validity of any response received. Thus, if you receive a fake, spoofed, or rogue response, the system accepts it as genuine and the query session ends. If the real response arrives, the system rejects it as an invalid or stray packet because it will no longer correspond to any open query session.

• ICMP redirect—On subnets with multiple routers, ICMP redirects can cause a host to alter its routing table. This attack could redirect traffic along a different route than the default, expected, or optimal one.
• Proxy manipulation—To perform proxy manipulation, a hacker reconfigures a client's proxy configuration. Requests for services go to the hacker's system that acts as a MitM proxy.
• Rogue DHCP—A rogue DHCP is a false Dynamic Host Configuration Protocol (DHCP) server that can provide IP address configuration leases for a unique subnet and define the default gateway, because the hacker's computer acts as a MitM router/proxy.
• Rogue access point—To create a rogue access point, a hacker configures a rogue wireless access point similar to the real authorized access point that can fool users into connecting, which then serves as a MitM proxy.

Defenses against MitM attacks include IDS and IPS solutions that monitor for common network abuses or abnormal network activity. Additionally, strong multifactor authentication and mutual authentication can reduce the success of MitM attacks.

Covert Channels

Covert channels are hidden, unknown, unique, atypical pathways of information transfer. The channel is covert because it is unknown and unseen. Hackers use covert channels for secretive communications, often to leak data (transport it) out of a secured environment, such as an air-gapped system. Covert channels are insecure pathways of transmission. If the pathway were known, it would be an overt channel and likely blocked, filtered, or otherwise secured.
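Because a nonauthenticating service accepts the first answer it gets, the host targeted by the ARP spoofing method listed above cannot tell the rogue reply from the real one; the detection the MitM defenses call for has to happen from the outside. As an added example (an original sketch, not the book's code and not any particular tool's), the following C monitor keeps its own table of IP-to-MAC bindings learned from observed ARP replies and reports any reply that contradicts a stored binding. The addresses and the capture it replays are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define MAX_BINDINGS 128
#define MAC_LEN 18            /* "aa:bb:cc:dd:ee:ff" plus NUL */

typedef struct { uint32_t ip; char mac[MAC_LEN]; } Binding;
typedef struct { Binding entries[MAX_BINDINGS]; size_t n; } ArpTable;

enum ArpEvent {
    ARP_NEW = 0,     /* first time this IP has answered */
    ARP_SAME,        /* reply matches the stored binding */
    ARP_CHANGED,     /* same IP, different MAC: alert */
    ARP_TABLE_FULL   /* could not record a new binding */
};

/* Builds a host-order IPv4 address from its octets (helper for the sample). */
uint32_t ipv4(unsigned a, unsigned b, unsigned c, unsigned d) {
    return ((uint32_t)a << 24) | ((uint32_t)b << 16) | ((uint32_t)c << 8) | d;
}

/* Records one observed ARP reply "ip is-at mac". Unlike the host's own cache,
 * the monitor keeps the first binding it saw and reports, rather than
 * silently adopts, any later reply that disagrees. A production monitor
 * would also age bindings out so a legitimate NIC swap stops alerting. */
enum ArpEvent arp_observe(ArpTable *t, uint32_t ip, const char *mac) {
    for (size_t i = 0; i < t->n; i++) {
        if (t->entries[i].ip != ip) continue;
        return strcmp(t->entries[i].mac, mac) == 0 ? ARP_SAME : ARP_CHANGED;
    }
    if (t->n >= MAX_BINDINGS) return ARP_TABLE_FULL;
    Binding *b = &t->entries[t->n++];
    b->ip = ip;
    strncpy(b->mac, mac, MAC_LEN - 1);
    b->mac[MAC_LEN - 1] = '\0';
    return ARP_NEW;
}

typedef struct { uint32_t ip; const char *mac; } ArpReply;

/* Replays a capture of ARP replies through the monitor and returns how many
 * of them produced a changed-binding alert. */
int arp_alert_count(ArpTable *t, const ArpReply *replies, size_t n) {
    int alerts = 0;
    for (size_t i = 0; i < n; i++)
        if (arp_observe(t, replies[i].ip, replies[i].mac) == ARP_CHANGED) alerts++;
    return alerts;
}

/* Constructed capture: the gateway 10.0.0.1 answers normally twice, a host
 * appears, then a third reply claims the gateway's IP from a different MAC. */
static const ArpReply sample_replies[] = {
    { 0x0A000001u, "00:11:22:33:44:01" },
    { 0x0A000001u, "00:11:22:33:44:01" },
    { 0x0A000005u, "00:11:22:33:44:05" },
    { 0x0A000001u, "de:ad:be:ef:00:99" },
};
#define SAMPLE_REPLIES_N (sizeof sample_replies / sizeof sample_replies[0])

int main(void) {
    ArpTable table;
    memset(&table, 0, sizeof table);
    printf("changed-binding alerts in capture: %d\n",
           arp_alert_count(&table, sample_replies, SAMPLE_REPLIES_N));
    return 0;
}
```

The same first-answer-wins observation applies to the DNS spoofing method in the list; a resolver-side monitor would key its table on name instead of IP, with the decision logic unchanged.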


Two main forms of covert channels exist: timing and storage. A timing channel conveys information through timed and synchronized activities. A few potential examples of timing covert channels include:
• Blinking lights to distribute information in Morse code
• Manipulating a fan's speed so the higher and lower pitched noise creates binary transmission
• Throttling the bandwidth consumption on an Internet link so that at a specific interval a utilization measurement reads a value below 60 percent as a zero and a value above 60 percent as a one for binary communications. This does result in a lower baud rate (the rate data is transmitted), which will still work for small communication streams such as user credentials, but it will not work for large amounts of packets, like a database.

A storage covert channel conveys information through unseen or undiscovered storage locations. A few potential examples of storage covert channels include:
• Using the unpartitioned space of a hard drive to store data written via a hex editor
• Using a firmware flash memory onboard chip to store data
• Using the alternate data streams of NTFS to hide files
• Using the slack space of a hard drive to store data

The best defenses against covert channels include IDS and IPS, as well as thorough monitoring of all aspects of an IT infrastructure for aberrant or abnormal events of any type. Predicting covert channels is difficult because, by their very nature, they are unknown and unseen.
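Added example, not from the book: the bandwidth-throttling channel above reduced to the arithmetic a monitoring rule would apply. It applies the 60 percent threshold to a trace of per-interval utilization samples, counts how often the trace crosses that threshold (a link that flips across one fixed level on most intervals is the kind of aberrant pattern the defenses paragraph asks you to watch for), and computes what the resulting bit rate means for transfer time. The trace and the one-minute interval are constructed.

```c
#include <stddef.h>
#include <stdio.h>

#define THRESHOLD_PCT 60.0   /* the chapter's cut-off: below reads 0, above reads 1 */

/* One utilization sample (percent of link capacity) to one bit. */
int sample_to_bit(double utilization_pct) {
    return utilization_pct > THRESHOLD_PCT ? 1 : 0;
}

/* Turns a trace of per-interval samples into bytes, most significant bit
 * first, writing at most out_cap bytes. Returns the number of whole bytes
 * produced; a trailing partial byte is dropped. */
size_t decode_trace(const double *samples, size_t n, unsigned char *out, size_t out_cap) {
    size_t nbytes = 0;
    unsigned acc = 0;
    int nbits = 0;
    for (size_t i = 0; i < n && nbytes < out_cap; i++) {
        acc = (acc << 1) | (unsigned)sample_to_bit(samples[i]);
        if (++nbits == 8) {
            out[nbytes++] = (unsigned char)acc;
            acc = 0;
            nbits = 0;
        }
    }
    return nbytes;
}

/* How often consecutive samples sit on opposite sides of the threshold.
 * Normal traffic rarely oscillates around one fixed level this cleanly, so
 * a high ratio of crossings to intervals is a signal worth a closer look. */
size_t threshold_crossings(const double *samples, size_t n) {
    size_t crossings = 0;
    for (size_t i = 1; i < n; i++)
        if (sample_to_bit(samples[i]) != sample_to_bit(samples[i - 1])) crossings++;
    return crossings;
}

/* Bits per second: one sample interval carries one bit. */
double channel_bits_per_second(double interval_seconds) {
    return interval_seconds > 0 ? 1.0 / interval_seconds : 0.0;
}

/* Seconds needed to move `bytes` through the channel; this is why the text
 * says the technique suits credentials but not a database. */
double seconds_to_transfer(double bytes, double interval_seconds) {
    return bytes * 8.0 * interval_seconds;
}

/* Constructed trace: 16 one-minute samples that encode the bytes "AB". */
static const double sample_trace[16] = {
    30, 80, 20, 40, 10, 55, 35, 75,   /* 0 1 0 0 0 0 0 1 = 0x41 'A' */
    50, 90,  5, 45, 20, 30, 70, 25,   /* 0 1 0 0 0 0 1 0 = 0x42 'B' */
};

int main(void) {
    unsigned char out[4];
    size_t n = decode_trace(sample_trace, 16, out, sizeof out);
    printf("decoded %zu bytes: %.*s\n", n, (int)n, (const char *)out);
    printf("crossings: %zu of 15 intervals\n", threshold_crossings(sample_trace, 16));
    printf("a 1 MB transfer at one bit per minute takes %.0f days\n",
           seconds_to_transfer(1048576.0, 60.0) / 86400.0);
    return 0;
}
```

At one bit per minute a 16-byte credential leaves in about two hours while a megabyte takes years, which is the capacity argument the bullet makes and also the reason long-running, low-rate anomalies deserve as much attention as bursts.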

How Hackers Hijack Slack Space

A hard drive contains segments known as sectors. A sector is the smallest fixed-size block of storage space of a drive and is 512 bytes. When a file system is applied to a partition, clusters are created out of one or more sectors. Slack space is the unused portion of the last cluster only partially consumed by a stored file. The cluster-to-sector ratio typically ranges from 1:1 to 1:128 for clusters of 512 bytes to 64 KB.

A file system has a fixed maximum number of addresses assigned to clusters. Larger drives have the same number of clusters as smaller drives, but the clusters are larger. It's a little like shoes: kids' shoes are one pair to a box, just like adults' shoes, but the box containing adults' shoes is bigger. A cluster is the smallest consumable element of storage space and can contain data from only a single file. No native mechanism addresses subcluster divisions in standard file system formats. When a file writes to a drive, it consumes as many clusters as necessary to contain all of the data of the file. All clusters but the final or last cluster containing the file are filled. The last cluster is fully consumed only if the file happens to be an exact multiple of the cluster size (which is not very common). The unused portion of the last cluster is known as slack space (FIGURE 2-11). Slack space is effectively unusable, wasted storage space.

Hackers have developed special file manipulation tools that can locate and hijack the slack space and use it to create hidden volumes on a hard drive. These volumes are nearly impossible to detect because they are not contained, referenced, or addressed by the file system of the storage device. Instead, the slack space drive exists only because special software can address subcluster storage locations. The slack space drive software operates independently of the OS and the file system.


FIGURE 2-11 Slack space is the unused portion of the last cluster only partially consumed by a stored file.

[Figure 2-11: a row of clusters; each stored file fills whole clusters and part of its last one, leaving slack space at the end.]

Technical TIP

Web servers, or at least websites, appear on the Internet in at least four different architectural deployment options: reverse proxy, demilitarized zone (DMZ), co-location, and hosting. Reverse proxy uses a static network address translation (NAT) mapping or port forwarding to allow outside visitors to initiate communications with an internal server. This is the poorest security choice because it could grant hackers access to the entire intranet if the web server is compromised.

Hosting a web server in a DMZ is a more secure solution. However, if compromised, a DMZ web server gives the hacker a weapons platform just outside of the private network's front door. Co-location is placing a web server host directly on an ISP network within a facility. Hosting is leasing access to space on an existing web server owned and managed by the hosting entity. These last two options are the most secure; if the web server or site is compromised, the hacker gains no location benefit to breach the private network.

Network and Resource Availability Threats

To be successful, many exploits and attacks require special access on a private network. Some exploits will function against an Internet-facing web server, but such a server might not directly connect to a private network. If a hacker is unable to find an exploitable vulnerability that gains access or control over the targeted systems, a fallback or final resort option is to launch availability attacks.

An availability attack aims at preventing legitimate access or use of resources to delay or interrupt business. Generally, this is known as a denial of service attack.

Denial of Service (DoS)

A denial of service (DoS) attack interrupts the normal patterns of traffic, communication, and response. A DoS attack interferes with timely processing and reply to legitimate requests for resources. A DoS attack can be of two primary forms: flaw exploitation or traffic generation.


FIGURE 2-12 Denial of service flooding attack against a client.

[Figure 2-12: a hacker sends a dense stream of packets (PL H) at a single victim.]

Flaw exploitation DoS attacks take advantage of a programming bug, flaw, or convention. The DoS exploit results in the system freezing, crashing, rebooting, or failing to respond to external communications. You can mitigate flaw exploitation DoS attacks through the application of a patch and the use of an IDS or IPS system. Once you apply a patch, the DoS will no longer be effective. Flaw exploitation attacks are usually specific to a software version.

Traffic generation DoS attacks flood a target with traffic (FIGURE 2-12). The traffic consumes available bandwidth and processing, preventing legitimate communications. No patches exist to mitigate traffic generation DoS attacks. Instead, traffic filtering is the only effective response. Upstream filtering, however, is more effective than edge device filtering. Upstream filtering occurs when a parent network, usually the ISP, provides filtering for traffic before it enters the child network to which individual and business customers connect. Edge device filtering will prevent malicious traffic from entering the private network, but it will not prevent a successful DoS. Only upstream filtering will reduce or eliminate the DoS traffic and allow legitimate communications to continue.
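The edge-device side of traffic filtering as an added example (not the book's code): a per-source rate limiter in C that drops a flooding source once it exceeds a packet budget per window, while the legitimate client's packets keep passing. The window, the limit, the addresses (taken from documentation ranges), and the packet trace are all constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define MAX_SOURCES 32

typedef struct { uint32_t src; double t; } Packet;  /* source IP, arrival time in seconds */
typedef struct { uint32_t src; double window_start; int count; } SourceState;

typedef struct {
    SourceState s[MAX_SOURCES];
    size_t n;
    double window;  /* seconds per counting window */
    int limit;      /* packets a single source may send per window */
} RateFilter;

void rate_filter_init(RateFilter *f, double window_seconds, int limit) {
    memset(f, 0, sizeof *f);
    f->window = window_seconds;
    f->limit = limit;
}

/* Decides one packet: returns 1 if it passes into the private network, 0 if
 * the edge device drops it. Per-source fixed windows keep the example short;
 * a production filter would use a token bucket and age entries out. */
int rate_filter_admit(RateFilter *f, const Packet *p) {
    SourceState *st = NULL;
    for (size_t i = 0; i < f->n; i++)
        if (f->s[i].src == p->src) { st = &f->s[i]; break; }
    if (st == NULL) {
        if (f->n < MAX_SOURCES) {
            st = &f->s[f->n++];
        } else {
            /* Table full: evict the source whose window started earliest. */
            st = &f->s[0];
            for (size_t i = 1; i < f->n; i++)
                if (f->s[i].window_start < st->window_start) st = &f->s[i];
        }
        st->src = p->src;
        st->window_start = p->t;
        st->count = 0;
    }
    if (p->t - st->window_start >= f->window) {  /* window elapsed: start a new one */
        st->window_start = p->t;
        st->count = 0;
    }
    if (st->count >= f->limit) return 0;
    st->count++;
    return 1;
}

/* Replays a trace and returns how many packets were admitted; *dropped
 * receives the rest when non-NULL. */
int rate_filter_replay(RateFilter *f, const Packet *trace, size_t n, int *dropped) {
    int admitted = 0;
    for (size_t i = 0; i < n; i++)
        admitted += rate_filter_admit(f, &trace[i]);
    if (dropped) *dropped = (int)n - admitted;
    return admitted;
}

/* Constructed trace: one flooding source sends 100 packets within a second
 * while a legitimate client sends 3. The trace is grouped by source for
 * brevity; the filter keeps per-source state, so interleaving would not
 * change the outcome. Fills `buf` (capacity >= 103) and returns the count. */
size_t build_sample_trace(Packet *buf) {
    const uint32_t flooder = 0xC6336407u;   /* 198.51.100.7, documentation range */
    const uint32_t client  = 0xCB007105u;   /* 203.0.113.5,  documentation range */
    size_t n = 0;
    for (int i = 0; i < 100; i++) buf[n++] = (Packet){ flooder, i * 0.01 };
    buf[n++] = (Packet){ client, 0.20 };
    buf[n++] = (Packet){ client, 0.50 };
    buf[n++] = (Packet){ client, 0.80 };
    return n;
}

int main(void) {
    Packet trace[103];
    RateFilter f;
    int dropped;
    size_t n = build_sample_trace(trace);
    rate_filter_init(&f, 1.0, 20);
    int admitted = rate_filter_replay(&f, trace, n, &dropped);
    printf("admitted %d, dropped %d of %zu packets\n", admitted, dropped, n);
    return 0;
}
```

Note what the filter does not do: all 103 packets still arrived on the link before any decision was made. That is the text's point about edge filtering protecting the hosts behind it while the upstream bandwidth is already consumed.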

Distributed Denial of Service (DDoS)

Distributed denial of service (DDoS) attacks advance DoS attacks through massive distributed processing and sourcing. The foundations of a DDoS attack are agents, bots, or zombies, which are malicious code implanted on victim systems across the Internet. These mobile agents may create their own peer-network interaction or connect into a public communication medium, such as an Internet relay chat (IRC) channel. The resultant network is known as a botnet, zombie army, or zombie array.

The hacker remotely controls the botnet and directs it to perform various malicious activities—including flooding attacks—against selected targets. Generally, the main targets of the botnet are known as primary victims, while the compromised systems hosting the botnet's agents are known as secondary victims. This form of DoS is distributed because the bots are disseminated across numerous secondary victims, and the resulting attacks originate from a plethora of source vectors.

A hacker distributes the bots, agents, or zombies to many secondary victims located throughout the Internet. The bots then connect to some form of communication server, commonly a chat service like IRC, where each can receive instructions from the hacker. Once the hacker sends attack instructions, the bots launch attacks against the primary target (FIGURE 2-13).

A botnet can perform a wide range of malicious actions including flooding, spamming, eavesdropping, intercepting, MitM, session hijacking, spoofing, packet manipulating, malware distributing, phishing site hosting, password stealing, encryption cracking, and more. Several botnets, such as Storm and Conficker, have appeared in the last decade; these two worms had an estimated secondary victim base of 75 to 100 million systems.

Defenses against DDoS focus on either avoiding becoming a secondary victim or protecting against primary victim onslaughts. To avoid becoming a secondary victim, measures include current antivirus and anti-malware scanning, user behavior modification, firewall filtering, and IDS/IPS solutions. Protection against primary victim onslaughts includes firewall filtering, honeypots, IDS/IPS solutions, and DDoS mitigators. A DDoS mitigator is a purpose-built appliance that inspects traffic entering a network; it blocks attacks while allowing legitimate traffic to flow. Hybrid solutions are available that combine on-premises appliances with a cloud-scrubbing service to filter traffic.

FIGURE 2-13 Distributed denial of service flooding attack against a primary target.

[Figure 2-13: the hacker (H) directs many bot-infected hosts, each sending packet floods (PL H) at the primary target.]

© Jones & Bartlett Learning LLC, an Ascend Learning Company. NOT FOR SALE OR DISTRIBUTION.

9781284183658_CH02_Stewart.indd 61 15/09/20 11:40 PM

62 CHAPTER 2 | Network Security Threats

Hacker Tools

Hacker tools include a wide variety of software: from mundane native OS utilities, to commercial applications, to custom-coded exploits. Generally, any software put to a malicious or unauthorized (according to company security policy) use is a hacking tool. All of the exploit concepts mentioned in this chapter are possible through a wide variety of hacking tools and utilities.

No master list of hacker tools exists that you could search for or block access to in order to protect IT systems. Just about every legitimate program can be put to some illicit task. To defend generally against hacker tools, consider using a whitelist restriction system. A whitelist restriction system incorporates a list of software executables authorized for use. A user can launch any application on the list, but all executables not on the list can be blocked from running. A whitelist cannot rely only on authorized filenames; it must also record a hash value of each authorized executable, so that a hacker cannot bypass the restriction by simply renaming a tool to match an approved name. Because every patch changes an executable's hash, a hash-based whitelist must be updated with each approved software update, which is why many implementations also accept executables digitally signed by a trusted publisher. In addition to whitelisting, you can reduce the threat of hacking tools by limiting Internet downloads and file exchanges, controlling use of portable storage devices (especially those used on external systems), filtering email attachments, installing IDS/IPS solutions, and providing user education.
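The difference between a filename whitelist and a hash whitelist is easiest to see side by side. The following is an added example written for this edition, not code from the chapter or from any whitelisting product. It writes three constructed files to a temporary directory (a genuine approved program, an attacker's tool renamed to the approved name, and the approved program with its contents altered) and checks each against both policies. The file names, contents, and SHA-256 as the digest algorithm are assumptions made for the example; nothing is executed.

```python
"""Application whitelisting keyed on file hashes rather than filenames.

Added example, not code from the chapter or from any whitelisting product.
It contrasts two policies on the same three constructed files: a genuine
approved program, an attacker's tool renamed to the approved name, and the
approved program with one word altered. The name-based policy lets both
impostors run; the SHA-256 policy admits only the genuine file. The file
contents and names are constructed for the example and nothing is executed.
"""
import hashlib
import os
import tempfile


def sha256_of_file(path, chunk_size=65536):
    """Hash a file in chunks so large binaries need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


class NameWhitelist:
    """Weak policy: trust anything whose base name is on the list."""

    def __init__(self, names):
        self.names = set(names)

    def permits(self, path):
        return os.path.basename(path) in self.names


class HashWhitelist:
    """Stronger policy: trust only files whose SHA-256 digest is on the list."""

    def __init__(self, digests):
        self.digests = set(digests)

    def permits(self, path):
        return sha256_of_file(path) in self.digests


def build_scenario(root):
    """Write the three constructed 'executables' under root and return their paths."""
    genuine_bytes = b"MZ constructed approved program\n"
    cases = {
        "genuine": ("bin", genuine_bytes),                                   # installed by the admin
        "renamed": ("drop", b"MZ constructed hacker tool\n"),                 # attacker's tool, trusted name
        "tampered": ("patched", genuine_bytes.replace(b"approved", b"trojaned")),  # same name, altered content
    }
    paths = {}
    for case, (subdir, content) in cases.items():
        path = os.path.join(root, subdir, "approved_tool.exe")   # every case carries the trusted name
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(content)
        paths[case] = path
    return paths


def evaluate_policies():
    """Return {'name:<case>': bool, 'hash:<case>': bool} for the three files."""
    with tempfile.TemporaryDirectory() as root:
        paths = build_scenario(root)
        by_name = NameWhitelist(["approved_tool.exe"])
        by_hash = HashWhitelist([sha256_of_file(paths["genuine"])])   # enrolled from the known-good copy
        return {
            f"{policy}:{case}": checker.permits(path)
            for policy, checker in (("name", by_name), ("hash", by_hash))
            for case, path in paths.items()
        }


if __name__ == "__main__":
    for key, allowed in sorted(evaluate_policies().items()):
        print(f"{key:16} {'ALLOW' if allowed else 'BLOCK'}")
```

The "tampered" case cuts both ways: it is what stops a trojaned copy of an approved program, and it is also why a legitimate patch to that program is blocked until its new digest is enrolled, which is the maintenance cost noted above.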
Social Engineering

Social engineering is the art of manipulating and exploiting human nature by getting people to perform tasks or release information that violates security. Social engineering is an exploit that can almost always be performed against a target organization due to the presence of humans. Humans are the primary targets of social engineering.

Humans are the weakest link in most security solutions because humans are the only element in an organization with free will. Every other element can perform only within its programming and design. In addition, humans can be tricked or fooled, while hardware and software can perform only in accordance with their design and programming. Social engineering can take place over any communication method, including face-to-face, telephone, email, IM, and websites. Social engineering may focus on extracting information from a target or on convincing the target to take an action that alters the security status of a host or network.

Many social engineering attacks stem from some form of relationship, from initial and casual to business professional to long-term and highly developed. The more in-depth and long-term the relationship, the more leverage the hacker can use to turn, trick, or abuse the target. Social engineering can involve a wide range of techniques, including impersonating a position of authority, reciprocating favors, using social validation, and creating urgency through scarcity.

Often these attacks become more successful if the hacker can impersonate an insider. Gaining access to inside information is often the first element of a social engineering attack. Dumpster diving, reconnaissance, and cold calling are techniques to learn about the internal culture of the target. The more a hacker learns about terminology, processes, organizational hierarchy, policies, events, gossip, social occurrences, calendars, project scheduling, and so on, the better the hacker is able to simulate being an insider. Once a target is fooled into believing that the hacker is just another employee, the initial attack is successful. With the standing gained, the hacker manipulates the target into revealing more internal information, reconfiguring systems, or downloading tools from questionable Internet locations.

Social engineering may be the first wave of hacker attacks, or it could be the last-resort fallback plan if attempts to perform logical intrusion or physical burglary fail. Some hackers are naturally gifted at social engineering, while others must practice to obtain workable competency at the craft. The skills of social engineering are not unique to this unethical activity; they are the same skills most people use in normal social situations when trying to get their way, convince someone to go out on a date, ask for help, improve social status, get out of trouble, lead a group, sell and market, create, and so on. The difference is that hackers have an unethical goal in their use of these skills.

Social engineering, being primarily an attack against people, is largely immune to typical technical IT countermeasures. Instead, the best defense against social engineering is thorough user training and awareness. Once personnel are aware that they are, have been, and will be targets of attack, they can adopt a slightly suspicious and cautious outlook. Employees should skeptically evaluate any activity, question, interaction, or relationship that seems odd or out of place. You can help reduce the threat of social engineering by using security policies that employ information classification with related restrictions on communication methods. If you limit the communication channels that specific classes of information may traverse, you reduce the information leakage that social engineering can cause. For example, if you prohibit giving out passwords over the telephone or by email, then anyone who requests a password through those channels is obviously attempting to violate security. Employees should be trained to report all such requests to the network security staff.

CHAPTER SUMMARY

Hackers are consistently seeking to take advantage of anyone or any system not prepared or properly secured. Understanding the various means of attack that hackers commonly employ directly improves awareness and overall network security. Hackers often seek monetary gain through attacks against individuals and organizations. Hackers can be employees or outsiders. Compromising situations are not limited to hacker attacks; they also include accidents, oversights, hardware failure, rapid growth, and severe weather. Hacker tools and techniques include malicious software, exploiting wireless connections, eavesdropping, replay, insertion, fragmentation, buffer overflow, XSS, man-in-the-middle, session hijacking, spoofing, covert channels, and the availability attacks of DoS and DDoS. You should take action to restrict or limit hacker tools and use caution and training to avoid social engineering.

Hacking attacks and techniques other than those listed here exist. This chapter offers a generic description of the hacking process, not a definitive or exhaustive examination. However, from this foundation, you can develop a greater understanding of hacking and the threats posed by hackers (as well as other sources of threats and risk), leading to improved security design, policy, and implementation.


KEY CONCEPTS AND TERMS

Advanced persistent threat (APT)
Adware
Agents
Alternate data streams (ADS)
Arbitrary code execution
ARP spoofing
Attacking
Backdoor
Banner
Banner grabbing
Baud rate
Bots
Botnet
Breach
Buffer
Buffer overflow
Chip creep
Clusters
Cold calling
Command shell
Contract workers
Covert channels
Cross-site scripting (XSS)
Cryptocurrency
DDoS mitigator
Denial of service (DoS) attack
Deterrent
Dialer
Disgruntled employees
Distributed denial of service (DDoS) attacks
DNS poisoning
DNS spoofing
Domain registrations
Dumpster diving
Eavesdropping
Enumeration
Fallback attacks
Flaw exploitation attacks
Flooding
Footprinting
Fragmentation
Fragmentation attacks
Hackers
Hacking
Hacktivism
Hierarchical file system (HFS)
Hijack attack
Honeypots
ICMP redirects
IDS insertion
Insertion attacks
Instant messaging (IM)
Intentional electromagnetic interference (IEMI)
Interception attack
Internet relay chat (IRC)
Keystroke loggers
Leetspeak
Logic bomb
MAC spoofing
Man-in-the-middle (MitM) attacks
Maximum transmission unit (MTU)
Mean time between failures (MTBF)
Mean time to failure (MTTF)
Metacharacters
MITRE
Mobile code
Monkey-in-the-middle attack
National Institute of Standards and Technology (NIST)
New Technology File System (NTFS)
Nmap
Nonauthenticating query service
Opportunistic hackers
Partition
Phishing
Ping sweeps
Playback attacks
Port scanning
Privilege escalation
Professional hackers
Proxy attack
Proxy manipulation
Pwned
Ransomware
Reconnaissance
Recreational hackers
Replay attack
Return on investment (ROI)
Rogue access point
Rogue device insertion
Rogue DHCP
Rootkits
Scanning
Script kiddie
Sector
Session hijacking
Shell code
Signatures
Slack space
Social engineering
Solid-state drives (SSDs)
Spam
Spoofing
Spyware
SQL injection
Static electricity discharge (SED)
Trapdoor
Trojan horse
Unpartitioned space
Upstream filtering
URL injectors
Virus
Wardialing
Wardriving
Whois
Worms
Wrappers
Zombies
Zombie army
Zombie array


CHAPTER 2 ASSESSMENT

1. Which type of hacker represents the greatest threat because they likely already have physical access to a target?
A. Consultant
B. Competitor
C. Cleaner
D. Customer

2. Most exploits are based on the existence of which of the following?
A. Bandwidth speed
B. Human beings
C. Filtering protocols
D. System anomalies

3. What is the first stage or step in the hacking process?
A. Enumeration
B. Penetration
C. Reconnaissance
D. Scanning

4. Which form of attack captures authentication packets to retransmit them later?
A. Hijacking
B. Insertion
C. Interruption
D. Replay

5. Which form of attack submits excessive amounts of data to a target to cause arbitrary code execution?
A. Buffer overflow
B. Fragmentation
C. Insertion
D. Interruption

6. Which attack is based on the impersonation of a legitimate host?
A. DoS
B. Fragmentation
C. Hijacking
D. Spoofing

7. Which method of communication is unseen, unfiltered, and based on timed manipulations?
A. Buffer overflow
B. Covert channel
C. IDS insertion
D. Man-in-the-middle

8. Which attack uses nontechnical means to achieve results?
A. Buffer overflow
B. Covert channel
C. Social engineering
D. SQL injection

9. What does a hacker exploit in a target system?
A. A botnet
B. A vulnerability
C. Multifactor authentication
D. Traffic filtering

10. Which of the following might a hacker launch if the other attempts are not successful?
A. Buffer overflow
B. Fallback attack
C. Covert channels
D. Zombie attack
