CSC1032 - Threats and Attacks (2024)

The document discusses different types of threats and attacks in cybersecurity including vulnerabilities, exploits, and various common attacks such as denial of service attacks, man-in-the-middle attacks, phishing attacks, and malware. It provides definitions and examples of key terms and concepts related to cyber threats.

Threats and Attacks

CSC1032 - Introduction to Cybersecurity

Dr. Ihsen Alouani
i.Alouani@qub.ac.uk
Objectives

1. Know the different categories of vulnerabilities
2. Understand the different attacks and vulnerabilities and how they are exploited
3. Understand how vulnerabilities can be mitigated
Vulnerability

• NIST Definition: Weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source.
• ISO 27005 (Information Security Risk Management) identifies vulnerabilities in the following areas:
• Organization
• Processes and procedures
• Management routines
• Personnel
• Physical environment
• Information system configuration
• Hardware, software or communications equipment; dependence on external parties
• We are mainly interested in the last 2
Vulnerability Scoring (by NIST)

• National Vulnerability Database (NVD) scoring metrics:
• Attack vector: network, local, physical
• Privileges required: None, low, high
• User interaction: None, required
• Impact on CIA: None, low, high
Vulnerability Reporting

• When a vulnerability is discovered, it is usually reported to the organisation responsible for the product and they are given time to fix it
• A Zero Day vulnerability is one that is unknown to (or unfixed by) the manufacturer of the product when it is exploited
• Vulnerabilities that are reported and then fixed, by a patch or upgrade of the software or product, are then reported for inclusion in public databases:
• CVE Common Vulnerabilities and Exposures (https://cve.mitre.org/index.html)
• NVD National Vulnerability Database (https://nvd.nist.gov/)
• VulDB (https://vuldb.com/)
Exploit

• An exploit is a program designed to find and take advantage of a vulnerability in an application or computer system, typically for malicious purposes such as installing malware.
• An exploit is not malware itself, but rather it is a method used by cybercriminals to deliver malware.
• Exploits can be
o Known: After an exploit is made known, the vulnerability is often fixed through a patch to make the exploit unusable.
o Unknown: Exploits unknown to everyone but the people that developed them are referred to as zero-day exploits. These are by far the most dangerous exploits.
Cyber Attacks

Stages of an attack: Survey, Delivery, Breach, Affect
• Survey - the attacker looks for information about the organization, staff or systems to identify vulnerabilities
• Delivery - positioning to be able to exploit a vulnerability
• Breach - vulnerability exploited and unauthorised access achieved to a given service or data
• Affect - steps taken to reach the objectives of the attacker
Common protections
A countermeasure is an action taken that reduces the chance of attack,
for example prevention of a specific attack or an action to minimise
damage if an attack succeeds.
Cyber Attacks: Examples
Top 10 Web Application Security Risks
(OWASP)

https://owasp.org/www-project-top-ten/
DoS and DDoS Attacks

• A denial-of-service (DoS) attack is designed to overwhelm the resources of a system to the point where it is unable to reply to legitimate service requests.
• A distributed denial-of-service (DDoS) attack is initiated by a vast array of malware-infected host machines controlled by the attacker.
• With a DoS attack, the target system gets flooded with illegitimate requests
• A DoS attack can also be used to create a vulnerability for another type of attack. With a successful DoS or DDoS attack, the system often has to go offline, which can leave it vulnerable to other types of attacks.
• One common way to prevent DoS attacks is to use a firewall that detects whether requests sent to your site are legitimate. Imposter requests can then be discarded, allowing normal traffic to flow without interruption.
• An example of a major internet attack of this kind occurred in February 2020 to Amazon Web Services (AWS).
Man-in-the-middle Attacks

• Man-in-the-middle (MITM) attacks refer to breaches where an attacker eavesdrops on the data sent back and forth between two networks or computers.
• It is called a “man in the middle” because the attacker positions themselves in the “middle”, between the two parties trying to communicate.
• Example: a fake router that requests credentials and then uses them with the real network
• Some ways to protect systems from MITM attacks are using strong encryption on access points or using a virtual private network (VPN).
Phishing Attacks

• A phishing attack occurs when a malicious actor sends emails in an attempt to grab sensitive information from the target. Phishing attacks combine social engineering and technology.
• Whale-phishing attacks are so named because they go after the “big fish” or whales of an organization. These individuals are likely to possess information that can be valuable to attackers, such as proprietary information about the business or its operations.
• Spear-phishing attacks: the attacker takes the time to research their intended targets and gather information to tailor an effective phishing message.
• Similar to regular phishing attacks, spear-phishing attacks can be prevented by carefully checking the details in all fields of an email and making sure users do not click on any link whose destination cannot be verified as legitimate.
Quiz

• A DoS attack impacts:
1. Availability
2. Confidentiality
3. Integrity
Quiz

• A MITM attack impacts:
1. Availability
2. Confidentiality
3. Integrity
4. Confidentiality and Integrity
Malware

• Malware is a general term for malicious software
• Malware infects a computer and changes how it functions, destroys data, or spies on the user or network traffic as it passes through.
• Several of the attack methods described above can involve forms of malware, including MITM attacks, phishing, ransomware, SQL injection, Trojan horses, drive-by attacks, and XSS attacks.
Malware: Trapdoor

• Secret entry point into a system
• Specific user identifier or password that circumvents normal security procedures.
• Commonly used by developers
• Could be included in a compiler.
Malware: Logic Bomb

• Embedded in legitimate programs
• Activated when specified conditions are met
• E.g., presence/absence of some file; particular date/time or particular user
• When triggered, typically damages the system
• Modify/delete files/disks
Malware: Trojan Horse
• Program with an overt (expected) and a covert effect
• Appears normal/expected
• Covert effect violates security policy
• User tricked into executing the Trojan horse
• Expects (and sees) overt behavior
• Covert effect performed with the user’s authorization
Malware: Virus
• Malware that needs to be embedded within host code (e.g. a macro within a file)
• It is not triggered systematically
• It is not stand-alone
• A virus cannot replicate itself in an autonomous manner (the main difference with worms) and requires a host action
• A virus lies dormant in a victim system until the required action occurs, such as enabling macros on an infected DOC file.
• Once activated, the virus inserts its code into other programs on the victim device
Sample Virus Infection Vectors

• Boot sector (USB drives)
• Executable
• Macro files
Virus Properties

• Terminate and Stay Resident
• Stays active in memory after the application completes
• Stealth
• Conceal infection
• Trap read and disinfect
• Let execute call the infected file
• Encrypt virus
• Prevents a “signature” from detecting the virus
• Polymorphism
• Change virus code to prevent signature
Malware: Worm
• Runs independently
• Does not require a host program
• Propagates a fully working version of itself to other machines
• Carries a payload performing hidden tasks
• Backdoors, spam relays, DDoS agents, ...

Phases
• Probing → Exploitation → Replication → Payload
Sample Worms:
• Love Bug worm (ILOVEYOU worm) (2000):
• May 3, 2000: 5.5 to 10 billion dollars in damage
• Some social media messages-based attacks
• Stuxnet
Virus, Worm and Trojan

Definition
• Virus: connects to another software/program to execute unanticipated tasks when the system's actual program is running.
• Worm: a program that does not communicate with other system programs but multiplies and runs itself.
• Trojan Horse: a hidden piece of malware that steals sensitive information/data from a user's system and sends it to another location across the network.

Remote operation
• Virus: cannot be operated remotely; installed on the target machine.
• Worm: can be controlled remotely; can open a back door.
• Trojan Horse: can be operated remotely, much like worms, via the network.

Replication
• Virus: cannot replicate itself.
• Worm: replicates itself in the system and propagates quickly.
• Trojan Horse: spreads slowly and does not replicate itself.

Primary goal
• Virus: to alter or erase system data.
• Worm: to degrade system performance and slow it down.
• Trojan Horse: disguises itself as normal software and steals crucial information.
Announcement (Assessment2)

• Monday 08/04 at 3pm CSB + Green Rooms
• Duration 2 hours
• Class Test in-person online
• Worth:
• 60%
• 100% for students that have an EC in assessment 1
• For students with EC, the assessment covers everything
• For everyone else, the assessment covers only the second part + Lecture 1
Botnet

• Secretly takes over another networked computer by exploiting software flaws
• Builds the compromised computers into a zombie network or botnet
• a collection of compromised machines running programs, under a common command and control infrastructure.
• Uses it to indirectly launch attacks
• E.g., DDoS, phishing, spamming, cracking, cryptocurrency mining
Rootkit
• The applications which allow unauthorized root
or admin-level access to the device are known as
the "kit".
• Rootkit: Software used after system compromise
to provide backdoors for easy reentry
• Rootkits give a threat actor remote access to a
system.
• Although this type of software has some
legitimate uses, such as providing remote end-
user support, most rootkits open a backdoor on
victims' systems to introduce malicious software
Spyware

• Malware that collects little bits of information at a time about users without their knowledge
• Keyloggers:
• May also track browsing habits
• May also re-direct browsing and display ads
• Famous example: Pegasus from NSO
• Exploits iOS vulnerability
• Even a missed call is enough
• Used by authoritarian regimes to track human-rights/political activists, lawyers, journalists, etc.
• Used against politicians, journalists, human-rights activists and even heads of state (e.g. Macron)
Ransomware

• Ransomware is malicious software that blocks access to a computer system or files unless a
sum of money is paid.
• An infected PC can spread the ransomware to other computers on your network
• Holds a computer system, or the data it contains, hostage against its user by demanding a
ransom.
• Encrypts some of the user's personal files; originally referred to as cryptoviruses or cryptoworms
• Grew 41% in the last year
SQL Injection

• Insertion or “injection” of a SQL query via the input data from the client to the
application.
• SQL commands are injected into data-plane input in order to affect the execution of
predefined SQL commands.
• A successful SQL injection exploit can read sensitive data from the database, modify
database data (Insert/Update/Delete), execute administration operations on the
database (such as shutdown the DBMS), etc.
SQL Injection-- Demo

Instructions for Demonstration (Code on Canvas)


• Run the script: this sets up the database and launches a simple login interface.
• Attempt a normal login:
• Use the credentials username: user and password: pass to show a normal login,
• Use another random credential to see an unsuccessful login attempt.
• Demonstrate SQL Injection: enter username: admin and for the password, use an SQL injection payload such as ' OR '1'='1
• This will bypass the login check, demonstrating the vulnerability.
SQL Injection Demo -- explanation
• Query (benign)
SELECT * FROM `login` WHERE username='user' AND password='pass'

• SQL injection (the injected quote closes the password literal, and AND binds tighter than OR, so the OR '1'='1' clause is true for every row):
SELECT * FROM `login` WHERE username='admin' AND password='' OR '1'='1'
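To show the explanation above executing, and what the fix looks like, here is an added example (it is not the demo script on Canvas): the concatenated query from the slide next to a parameterised one, both run against an in-memory SQLite database with a constructed `login` table. Passwords are stored in clear to mirror the demo; a real system would store password hashes.

```python
# Added example (not the Canvas demo script): vulnerable vs parameterised
# login query, run against a constructed in-memory SQLite database.
import sqlite3

PAYLOAD = "' OR '1'='1"   # the password payload used in the demo


def make_db() -> sqlite3.Connection:
    """Constructed sample data: one ordinary user and one admin account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE login (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO login VALUES (?, ?)",
                     [("user", "pass"), ("admin", "s3cret-admin-pw")])
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Builds the query by string concatenation, as the demo does. The user's
    input becomes part of the SQL grammar, so a quote in the password closes
    the literal and the rest of the input is parsed as SQL."""
    query = (f"SELECT * FROM login WHERE username='{username}' "
             f"AND password='{password}'")
    return conn.execute(query).fetchone() is not None


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Parameterised query: the statement text is fixed and the values travel
    separately, so the payload is compared literally against the password
    column and can never change the WHERE clause."""
    query = "SELECT * FROM login WHERE username=? AND password=?"
    return conn.execute(query, (username, password)).fetchone() is not None


def demo() -> dict:
    """Run both login functions through the three steps of the demo."""
    conn = make_db()
    results = {
        "vulnerable/normal":  login_vulnerable(conn, "user", "pass"),
        "vulnerable/wrong":   login_vulnerable(conn, "user", "nope"),
        "vulnerable/payload": login_vulnerable(conn, "admin", PAYLOAD),
        "safe/normal":        login_safe(conn, "user", "pass"),
        "safe/wrong":         login_safe(conn, "user", "nope"),
        "safe/payload":       login_safe(conn, "admin", PAYLOAD),
    }
    conn.close()
    return results


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case:20s} -> {'login accepted' if accepted else 'rejected'}")
```

The only difference between the two functions is who builds the SQL: in `login_safe` the database driver does, and the application supplies values. That is the general mitigation the slide's countermeasure discussion points at; input filtering alone is a weaker substitute because it has to anticipate every quoting and encoding trick.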
Side-channel Attacks

[Figure: a victim system takes an input (bits) and produces an output (bits); while computing it also leaks information through side channels such as timing, power consumption, electromagnetic (EM) emissions, acoustic (sound), heat, etc.]

Power Side Channel Attack
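The timing channel in the figure above is the easiest to reproduce in software, so here is an added example (not from the slides) of why a secret comparison leaks through it and what the fix looks like. Rather than measuring wall-clock time, which is noisy and machine dependent, the naive comparison counts how many bytes it examined before giving up; that count is what an attacker's timing measurements approximate. The secret and guesses are constructed sample values.

```python
# Added example (not from the slides): early-exit comparison leaks through
# timing; hmac.compare_digest is the constant-time replacement.
import hmac
from typing import List, Tuple


def naive_compare(secret: bytes, guess: bytes) -> Tuple[bool, int]:
    """Early-exit comparison. Returns (equal, bytes_examined). The work done
    grows with the length of the matching prefix, so the running time depends
    on how much of the secret the guess already has right."""
    if len(secret) != len(guess):
        return False, 0
    examined = 0
    for a, b in zip(secret, guess):
        examined += 1
        if a != b:
            return False, examined
    return True, examined


def constant_time_compare(secret: bytes, guess: bytes) -> bool:
    """hmac.compare_digest's running time depends only on the length of the
    inputs, not on where (or whether) they differ."""
    return hmac.compare_digest(secret, guess)


def leak_profile(secret: bytes, guesses: List[bytes]) -> List[int]:
    """Bytes examined by naive_compare for each guess. A profile that rises
    as the guess improves is the signal a timing attack recovers."""
    return [naive_compare(secret, g)[1] for g in guesses]


if __name__ == "__main__":
    secret = b"hunter2!"                                   # constructed sample secret
    guesses = [b"aaaaaaaa", b"haaaaaaa", b"huaaaaaa", b"hunter2!"]
    print("work per guess (naive):", leak_profile(secret, guesses))
    print("constant-time results: ", [constant_time_compare(secret, g) for g in guesses])
```

The defensive rule this illustrates: any comparison against a secret (password hashes, MACs, API tokens) should go through a constant-time routine, and the same reasoning applies to the power and EM channels in the figure, where the fix is making the computation's resource use independent of the secret rather than only its result.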
Security Controls

Categories: Physical, Technical, Policy, Legal

Defence in Depth is the use of multiple layers of security controls to maximise security and minimise impact if one (or more) layer is attacked.
Defence in Depth – Physical Space
• Biometric door access
• Card access door
• Locked safe

Defence in Depth – Cyber Space
• Firewall
• Network Access Controls
• Server Access Controls
• Data Access Controls
• Application Access Controls
Implementing Controls

• Implement Defense in Depth: i.e. have multiple layers of controls that implement security at each level
• Traditionally, people implemented a perimeter firewall to protect the company, but further layers are necessary (authentication, access control, data encryption, etc.)
• Partition the network into different functional concerns, e.g. departments in an organisation, servers from the administration network, staff from students.
Computers

1. Application control: prevent the execution of unapproved/malicious programs
2. Restrict administration privileges
3. Multi-factor Authentication
4. Daily backups
5. Patching applications
6. Application hardening (example IoT default passwords, routers, etc.)
7. Access control
Anti-Malware Software (endpoint security)

• Anti-Malware software (aka Anti-Virus) can be installed at endpoints (computers, mobile devices, tablets) or on edge devices like routers
• Works in real time, scanning network traffic, scanning file changes, etc.
• Works by looking for a range of indicators such as file signatures based on file hashes, presence of certain strings (text), and use of system functionality that is not normal for applications
• More recently anti-malware operates on behavioural analysis (anomaly-based): behaviour typical of malware, unexpected network traffic, attempts to change memory or other applications
• This is increasingly done using machine learning techniques
Intrusion Detection Systems

• Intrusion detection system (IDS) can be network-based or host-based
• Like anti-malware, uses knowledge-based and behavioural-based approaches
• IDS systems report back to a Security Information and Event Manager (SIEM) which can alert security staff of issues
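The anti-malware and IDS slides both contrast knowledge-based detection (hash and string signatures) with behaviour-based detection (deviation from a baseline). The following added example, which is not any product's code, implements a toy of each over constructed data: a file scanner with a constructed hash-and-string indicator list, and a per-host connection-rate check over constructed log lines of the kind a host-based sensor would forward to a SIEM. The indicator values, file contents, host names and log format are all made up for the example.

```python
# Added example (not a product's code): knowledge-based vs behaviour-based
# detection over constructed data. Indicators, files and log lines are all
# constructed for this example and are not real IoCs.
import hashlib
import re
from collections import Counter
from typing import Dict, List, Tuple

# --- knowledge-based indicators ------------------------------------------
KNOWN_BAD_STRINGS = [b"EXAMPLE-MALWARE-MARKER", b"EXAMPLE-SUSPICIOUS-STRING"]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# A constructed "known sample"; its hash is the file-hash signature.
KNOWN_BAD_SAMPLE = b"MZ\x90\x00" + b"EXAMPLE-MALWARE-MARKER" + b"\x00" * 16
KNOWN_BAD_HASHES = {sha256_hex(KNOWN_BAD_SAMPLE)}


def scan_file(name: str, content: bytes) -> List[str]:
    """Return the indicators that fire for one file (empty list means clean).
    A hash signature only matches the exact sample; string signatures also
    catch modified copies that kept the marker, which is why both are used."""
    hits = []
    if sha256_hex(content) in KNOWN_BAD_HASHES:
        hits.append("hash match")
    for s in KNOWN_BAD_STRINGS:
        if s in content:
            hits.append(f"string match: {s.decode(errors='replace')}")
    return hits


# --- behaviour-based: outbound connection rate per host -------------------
LOG_LINE = re.compile(r"^(?P<ts>\d{2}:\d{2}:\d{2}) (?P<host>\S+) connect (?P<dst>\S+)$")


def connections_per_minute(log_lines: List[str]) -> Dict[Tuple[str, str], int]:
    """Count outbound connects per (host, minute); non-connect lines are skipped."""
    counts: Counter = Counter()
    for line in log_lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        counts[(m.group("host"), m.group("ts")[:5])] += 1
    return dict(counts)


def anomalous_hosts(log_lines: List[str], baseline_per_minute: int) -> List[str]:
    """Hosts whose connect rate in any minute exceeds the baseline. A real
    sensor learns the baseline from history; here it is a constant."""
    flagged = {host for (host, _), n in connections_per_minute(log_lines).items()
               if n > baseline_per_minute}
    return sorted(flagged)


# Constructed sample inputs shared by the demo and the checks below.
SAMPLE_FILES = {
    "report.docx": b"PK\x03\x04 ordinary document",
    "dropper.exe": KNOWN_BAD_SAMPLE,
    "script.bat": b"@echo off\r\nEXAMPLE-SUSPICIOUS-STRING\r\n",
}
SAMPLE_LOG = [  # ws-12 makes 3 connects in the minute, ws-07 makes 6
    "12:00:01 ws-12 connect 10.0.0.5:443", "12:00:20 ws-12 connect 10.0.0.9:443",
    "12:00:40 ws-12 connect 10.0.0.5:443", "12:00:02 ws-07 connect 10.0.0.5:443",
    "12:00:03 ws-07 connect 198.51.100.7:8080", "12:00:04 ws-07 connect 198.51.100.8:8080",
    "12:00:05 ws-07 connect 198.51.100.9:8080", "12:00:06 ws-07 connect 198.51.100.10:8080",
    "12:00:07 ws-07 connect 198.51.100.11:8080", "12:00:08 ws-07 heartbeat",
]

if __name__ == "__main__":
    for name, content in SAMPLE_FILES.items():
        print(f"{name:12s} {scan_file(name, content) or 'clean'}")
    print("anomalous hosts:", anomalous_hosts(SAMPLE_LOG, baseline_per_minute=4))
```

The two halves fail in opposite ways, which is the practical reason the slides say modern products combine them: the signature scanner misses anything not on its list (a new sample with the marker removed scans clean), while the rate check flags any host above baseline whether or not the traffic is malicious, so its threshold has to be tuned against normal traffic to keep false positives down.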
Intrusion Protection Systems

• Intrusion protection system (IPS) is usually placed inline in the network
• Like IDS, uses knowledge-based and behavioural-based approaches to detection
• IPS will take active measures to block malicious activity
• Open Source example: Snort
Honeypots

• A Honeypot is a system that is put on the network to lure attackers to attack it and not the real network
• The honeypot is often isolated from any other network, meaning that the attackers spend time trying to escape
• Monitors attempts at probing and attacking
• Gives a geographical picture of where attacks are originating from
Summary

• Definitions of vulnerabilities and exploits
• Several attacks
• Countermeasures
