CHAPTER 2

Network Security Threats

Copyright © 2022 by Jones & Bartlett Learning, LLC an Ascend Learning Company. www.jblearning.com.
Learning Objective and Key Concepts

Learning Objective
▪ Recognize the impact that malicious exploits and attacks have on network security.

Key Concepts
▪ Hackers and their motivations
▪ The hacking process
▪ Hardware failures, physical threats, accidents, and other disasters
▪ Common types of malware
▪ Social engineering practices and their impact on network security efforts
Hackers and Their Motivation
▪ Thrill
▪ Hobby
▪ Challenge
▪ Peer pressure
▪ Social validation
▪ Street cred
▪ Status
▪ Money
▪ Power
▪ Financial gain
▪ Attack perceived social injustice
Hackers and Their Motivation (Cont.)

Primary Types of Hackers
▪ Recreational: Enjoy learning and exploring, especially with computing technology
▪ Opportunistic: Timid; not likely to initiate an attack but will take advantage if the right opportunity presents itself
▪ Professional: Criminals whose sole career objective is to compromise IT infrastructures
Favorite Targets of Hackers

Easy assets
▪ Monetary or barter gain; funds, cryptocurrency, credit cards, bank accounts

Unique targets
▪ Challenging
▪ Complex infrastructures
▪ Control of networks

Easy targets
▪ Those that pay off quickly
▪ IT infrastructures and elements not properly secured
Threats from Internal Personnel and External Entities

On-site employees
▪ Have physical access to the facility
▪ Have logical access to the network
▪ Address employee threats in your security policy, network design, infrastructure deployment, and ongoing system and security management

Common threats to network security
▪ Insider threats
  ▪ Disgruntled employees who believe they have been wronged by the organization
  ▪ Can include contract workers
▪ External threats
  ▪ Hackers

Internal and External Hackers
FIGURE 2-1 Internal and external hackers.
The Hacking Process
FIGURE 2-2 Five phases of hacking.

Reconnaissance
▪ Initiation of the process of hacking
▪ The act of inspecting or exploring
▪ Also called footprinting, discovery, research, and information gathering
Reconnaissance (Cont.)

Examples:

▪ Examining search engine contents; reviewing the organization’s website
▪ Investigating the background of personnel
▪ Performing location mapping
▪ Auditing financial records or reviewing public filings
▪ Reviewing court cases and other public records
▪ Querying whois, domain registrations, and public IP assignments
▪ Eavesdropping on email and other conversations
▪ Visiting a physical location for the organization
Scanning
▪ The activity of using various tools to confirm information learned during reconnaissance and to discover new details
▪ Aimed at discovering live and active systems
▪ Can include wardialing, wardriving, ping sweeps, and port scanning
▪ Often referred to as probing: the hacker sends packets to elicit responses
▪ Is detectable: a connect scan completes the TCP handshake, so the service logs the connection, and even a half-open (SYN) scan shows up in an IDS as one source touching many ports

Basic TCP and UDP Port Scanning
FIGURE 2-3 Basic TCP and UDP port scanning.
Enumeration
▪ The discovery and listing of potential attack targets
▪ Hackers' process of discovering sufficient details about a target to learn if a vulnerability exists that they can successfully attack
▪ Probe open and closed ports of a target
▪ Open ports have services running behind them
▪ Banner grabbing is probing services to obtain information, such as the product name and version a service announces when a client connects

A Banner Grabbed from a Web Server
FIGURE 2-4 A banner grabbed from a web server.
Courtesy of Zenmap.
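The scanning and enumeration phases above, as an added worked example that is not part of the textbook. It runs a TCP connect scan and then grabs a banner from the one port found open. Because it must run offline, the "target" is a constructed listener on 127.0.0.1 that answers with an assumed Apache version string; the scan logic is the same one you would point at a host you are authorised to test.

```python
import socket
import threading

# Constructed stand-in for a target web server: the Server header value is an
# assumption for the demo, not data from any real host.
FAKE_BANNER = (b"HTTP/1.0 200 OK\r\n"
               b"Server: Apache/2.4.41 (Ubuntu)\r\n"
               b"Content-Length: 0\r\n\r\n")


def start_fake_http_server():
    """Bind an ephemeral localhost port and answer every connection with FAKE_BANNER."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:          # listener closed: stop serving
                return
            with conn:
                try:
                    conn.recv(1024)  # read whatever probe arrived, then talk first
                    conn.sendall(FAKE_BANNER)
                except OSError:
                    pass             # scanner hung up without sending anything

    threading.Thread(target=serve, daemon=True).start()
    return srv, port


def tcp_connect_scan(host, ports, timeout=0.5):
    """Full-handshake scan. Returns {port: 'open' | 'closed' | 'filtered'}."""
    results = {}
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            try:
                s.connect((host, port))
                results[port] = "open"          # SYN/ACK came back and we completed the handshake
            except ConnectionRefusedError:
                results[port] = "closed"        # RST came back: host is up, nothing listening
            except (socket.timeout, OSError):
                results[port] = "filtered"      # no answer at all: dropped by a firewall or host down
    return results


def grab_banner(host, port, probe=b"HEAD / HTTP/1.0\r\n\r\n", timeout=1.0):
    """Enumeration step: connect, send a harmless probe, return the raw first response."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        s.connect((host, port))
        s.sendall(probe)
        data = s.recv(1024)
    return data.decode("latin-1", errors="replace")


def parse_server_header(banner):
    """Pull the product/version string out of an HTTP banner, if the server sent one."""
    for line in banner.splitlines():
        if line.lower().startswith("server:"):
            return line.split(":", 1)[1].strip()
    return None


def demo():
    """Scan one open and one closed localhost port, then enumerate the open one."""
    srv, open_port = start_fake_http_server()
    try:
        # Bind-then-close an unrelated socket to obtain a port that is not listening.
        tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        tmp.bind(("127.0.0.1", 0))
        closed_port = tmp.getsockname()[1]
        tmp.close()
        scan = tcp_connect_scan("127.0.0.1", [open_port, closed_port])
        banner = grab_banner("127.0.0.1", open_port)
        return scan[open_port], scan[closed_port], parse_server_header(banner)
    finally:
        srv.close()


if __name__ == "__main__":
    print(demo())
```

The three-way split of results matters in practice: "closed" proves the host is alive, while "filtered" tells you a packet filter sits in front of the port, which is itself a reconnaissance finding. Note that the connect scan leaves an accepted connection in the target's logs, which is exactly why the slide calls scanning detectable.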
Attacking
▪ Briefest phase of the hacking process
▪ Successful attack
  ▪ May take seconds
  ▪ Move to post-attack activities
▪ Failed attack
  ▪ Modify approach and relaunch attack
  ▪ Return to enumeration results to select a new point of assault
  ▪ Move to fallback attacks
Post-Attack Activities
▪ Privilege escalation
▪ Depositing additional hacker tools
▪ Pilfering data
▪ Creating a re-entry point (backdoor)
▪ Removing evidence of the hack
Common IT Infrastructure Threats
▪ Hardware failures and other physical threats
▪ Natural disasters
▪ Accidents
Hardware Failures and Other Physical Threats
▪ Hard drive and hardware failures
  ▪ Common cause of downtime
▪ Preparation is the best defense
  ▪ Perform consistent periodic backups
  ▪ Conduct general cleaning and maintenance
  ▪ Keep spare parts on hand
  ▪ Replace equipment before it fails
▪ Solid-state drives (SSDs) eliminate many problems associated with hard disk drives but at a greater initial cost for the hardware
Hardware Failures and Other Physical Threats (Cont.)
▪ Static electricity discharge (SED)
▪ Too much heat
▪ Frayed wires
▪ Moisture
▪ Intentional electromagnetic interference (IEMI)
▪ Theft
Natural Disasters

Weather events
• Understand types of weather events common to your area

Precautions
• Special insurance
• Structural reinforcements
• Lightning protection
• Surge protectors
• Bilge pumps

Best protection
• A reliable regular backup stored in a secured, off-site facility

Accidents
▪ Spilling liquids on equipment
▪ Tripping over cables
▪ Pulling out the wrong power cord or cable
▪ Tripping the building's circuit breaker
▪ Setting off the water sprinklers
▪ Knocking over a computer
▪ Turning off a system prematurely
▪ Installing the wrong driver

Precautions and protections
▪ Backups, configuration documentation, and training
▪ Adjustments to worker activities
▪ Training employees what to do in the event of an accident or emergency
Malicious Code (Malware)

Distribution methods
▪ Software downloads
▪ Email
▪ Malicious websites
▪ File transfer
▪ Flaws in software

Effects of malware
▪ Data loss, exposure, or change
▪ Poor system performance
▪ Pop-up ads
▪ System becomes a "bot" or "zombie"
Common Types of Malware
▪ Viruses and worms
▪ Trojan horses
▪ Spyware and adware
▪ Keystroke loggers ("keyloggers")
▪ Rootkits
▪ Logic bombs
▪ Trapdoors and backdoors
▪ Dialers
▪ URL injectors
▪ Exploits
▪ Mobile code
Advanced Persistent Threat
▪ Highly targeted
▪ Targeting intelligence often gleaned from other types of attacks
  ▪ Phishing
  ▪ Social engineering
▪ Occurrence has increased dramatically but represents a small percentage of attacks
Fast Growth and Overuse
▪ A slightly slower growth rate that builds network security concurrently with expansion of the organization is more likely to provide sustained growth and longevity
▪ Failure to address security issues in a period of explosive growth is more likely to result in catastrophic failure
Wireless Versus Wired
▪ Wired networks require local attacks: the attacker needs physical access to a port or cable on the premises
▪ Wireless networks allow for remote attacks: anyone within radio range can attempt to connect or capture traffic without entering the building

FIGURE 2-5 Wired networks require local attacks; wireless networks allow for remote attacks.
Eavesdropping

Listening in on communications
• Recording of network traffic using a packet-capturing tool, generically known as a sniffer
• May eavesdrop against data packets or against voice traffic
• Can occur over both wired and wireless connections

Prevent eavesdropping by using encrypted protocols

Eavesdropping on an Existing Session Between a Client and a Server
FIGURE 2-6 Eavesdropping on an existing session between client and server.
Hijack and Replay Attacks

Hijack attacks
▪ Occur when a hacker uses a network sniffer to watch a communications session to learn its parameters
▪ The hacker disconnects one of the session's hosts, impersonates the offline system, and injects crafted packets into the communication stream
▪ The hacker then takes over the session of the offline host

Replay attacks
▪ Also known as playback attacks
▪ The hacker uses a network sniffer to capture network traffic
▪ The hacker retransmits that traffic back onto the network at a later time
▪ Goal is to gain interactive or session access to a system
▪ Encryption alone does not stop a replay, because the captured ciphertext is simply resent; the protocol also needs a timestamp, nonce, or sequence number that the receiver checks

Replay Attacks Collect Authentication Packets, and Then Retransmit the Packets at a Later Time
FIGURE 2-7 Replay attacks collect authentication packets, and then retransmit the packets at a later time.
Insertion Attacks
▪ Rogue device insertion
▪ Cross-site scripting (XSS)
▪ SQL injection
▪ IDS insertion
Fragmentation Attacks
▪ Abuse the fragmentation offset feature of IP packets
▪ Fragmentation itself is normal: a datagram is split when it crosses a link whose MTU is smaller than the datagram, which happens routinely when many different network links connect to construct a global infrastructure
▪ Overlapping
  ▪ Can cause full or partial overwriting of datagram components, creating new datagrams out of parts of previous datagrams
▪ Overrun
  ▪ Can result in excessively large datagrams
▪ Other fragmentation attacks
  ▪ Cause denial of service (DoS) or confuse intrusion detection system (IDS) detection and firewall filtering
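An added example, not from the textbook, of the checks a reassembler or IDS applies to a set of fragments before trusting them: it flags overlapping fragments (a later fragment whose offset falls inside bytes already covered) and overruns (a fragment whose end would push the datagram past the 65535-byte IP limit), and refuses to reassemble a set that trips either. Fragments are modelled as byte offsets with the more-fragments flag; the 20-byte header allowance and the sample fragment sets are constructed for the demo.

```python
MAX_DATAGRAM = 65535   # IP total length is a 16-bit field
IP_HEADER_LEN = 20     # assumed minimal header when checking the reassembled size


class Fragment:
    """One IP fragment. offset is in bytes (the wire carries it in 8-byte units)."""

    def __init__(self, offset, more_fragments, payload):
        self.offset = offset
        self.mf = more_fragments
        self.payload = payload

    @property
    def end(self):
        return self.offset + len(self.payload)


def check_fragments(frags):
    """Return a list of anomaly strings; an empty list means the set looks sane."""
    problems = []
    frags = sorted(frags, key=lambda f: f.offset)
    covered_end = 0                      # highest byte position seen so far
    for f in frags:
        if f.offset % 8 != 0:
            problems.append(f"offset {f.offset} is not 8-byte aligned")
        if f.mf and len(f.payload) % 8 != 0:
            problems.append(f"non-final fragment at {f.offset} has a payload not a multiple of 8")
        if f.offset < covered_end:
            # Classic overlap: this fragment rewrites bytes an earlier one already supplied.
            problems.append(f"overlap: fragment at {f.offset} overwrites bytes up to {covered_end}")
        if f.end + IP_HEADER_LEN > MAX_DATAGRAM:
            problems.append(f"overrun: fragment at {f.offset} ends at {f.end}, beyond the 65535-byte limit")
        covered_end = max(covered_end, f.end)
    if frags and frags[-1].mf:
        problems.append("no final fragment (MF still set on the last fragment)")
    return problems


def reassemble_strict(frags):
    """Reassemble only a clean, gap-free set; otherwise drop the whole datagram."""
    problems = check_fragments(frags)
    if problems:
        return None, problems
    buf = bytearray()
    for f in sorted(frags, key=lambda f: f.offset):
        if f.offset != len(buf):
            return None, [f"gap before offset {f.offset}"]
        buf += f.payload
    return bytes(buf), []


def demo_sets():
    """Constructed fragment sets: one clean, one overlapping, one overrunning."""
    clean = [Fragment(0, True, b"A" * 16), Fragment(16, False, b"B" * 10)]
    overlap = [Fragment(0, True, b"A" * 16), Fragment(8, False, b"B" * 16)]
    overrun = [Fragment(0, True, b"A" * 8), Fragment(65528, False, b"B" * 100)]
    return clean, overlap, overrun


if __name__ == "__main__":
    for name, fs in zip(("clean", "overlap", "overrun"), demo_sets()):
        print(name, reassemble_strict(fs))
```

Dropping rather than "resolving" an overlap is deliberate: different operating systems favour the first or the last fragment when bytes overlap, and an attacker exploits exactly that disagreement to show an IDS one payload while the end host sees another.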
Buffer Overflows

Buffer
• An area of memory designated to receive input

Buffer overflow
• An attack against poor programming techniques and lack of quality control

▪ Memory-based attacks
▪ Typically a result of poor programming
▪ Can result in code injection
▪ Used for crashing systems
Session Hijacking, Spoofing, and Man-in-the-Middle Attacks

Session hijacking, spoofing attacks, and man-in-the-middle (MitM) attacks
▪ Attacks on systems and networks can involve:
  ▪ Falsification of credentials or misrepresentation
  ▪ Posing as another entity
  ▪ Sending messages that the system is a different machine
Session Hijacking
▪ Hacker takes over the connection after a client authenticates with a server
▪ Attacker does not directly learn credentials of the client
▪ May employ DNS spoofing, poisoning, ARP spoofing, ICMP redirects, and rogue Dynamic Host Configuration Protocol (DHCP) to alter the route or pathway of a session
▪ Hosts that use TCP/IP without encryption are vulnerable to session hijacking
▪ Encryption = only true protection against session hijacking

Session Hijacking Steals a Connection from a Client
FIGURE 2-8 Session hijacking steals a connection from a client.
Spoofing Attacks
▪ Involve falsification of information
  ▪ Falsification of the identity of a source
  ▪ Email addresses, Media Access Control (MAC) addresses, and IP addresses
▪ Hacker impersonates an authorized entity
▪ Difficult to prevent and hard to detect
▪ To detect a spoofing attack, watch normal traffic and look for addressing anomalies

Spoofing of a Client's MAC Address by a Hacker's Computer
FIGURE 2-9 Spoofing of a client's MAC address by a hacker's computer.
Man-in-the-Middle Attacks
▪ ARP spoofing
  ▪ Address Resolution Protocol (ARP) is a nonauthenticating broadcast query service that requests the MAC address from a system using a specific IP; any host on the segment can answer, so the hacker answers with its own MAC
▪ MAC spoofing
  ▪ The hacker's computer uses a server's MAC address and receives traffic instead of the intended server once the real server has been flooded offline
▪ DNS poisoning
  ▪ The hacker compromises a Domain Name System (DNS) server and plants false FQDN-to-IP mapping records
  ▪ The DNS source then feeds subsequent user queries false data
Man-in-the-Middle Attacks (Cont.)
▪ DNS spoofing
  ▪ DNS is a nonauthenticating query service that requests the resolution of a FQDN into its related IP address, allowing false DNS responses to be sent
▪ ICMP redirect
  ▪ Causes a host to alter its routing table
▪ Proxy manipulation
  ▪ The hacker reconfigures a client's proxy configuration
▪ Rogue DHCP
  ▪ A false DHCP server that can provide IP address configuration leases for a unique subnet and define the default gateway, so that the hacker's computer acts as a MitM router/proxy
Man-in-the-Middle Attacks (Cont.)
▪ Rogue access point
  ▪ The hacker configures a rogue wireless access point similar to the real authorized access point that can fool users into connecting, which then serves as a MitM proxy

Man-in-the-Middle Attacks Fool Clients into Initiating Sessions with the Hacker Instead of the Target Server
FIGURE 2-10 Man-in-the-middle attacks fool clients into initiating sessions with the hacker instead of the target server.
Covert Channels

Covert channel
• Hidden, unknown, unique, atypical pathway of information transfer

Timing channel
• Conveys information through timed and synchronized activities
• Example: Morse code

Storage channels
• Conveys information through unseen or undiscovered locations
• Examples: Slack space, flash memory

Slack Space Is the Unused Portion of the Last Cluster Only Partially Consumed by a Stored File
FIGURE 2-11 Slack space is the unused portion of the last cluster only partially consumed by a stored file.
Network and Resource Availability Threats
▪ Many attacks require special access on a private network
▪ Availability attacks are a fallback option when hackers can't locate a vulnerability to exploit
▪ Availability attacks
  ▪ Denial of service (DoS)
    ▪ Prevents legitimate access or use of a resource to delay or interrupt business
    ▪ Can involve exploitation of a flaw or traffic generation
  ▪ Distributed denial of service (DDoS)
    ▪ Attacks through massive distributed processing and sourcing
    ▪ Foundations are agents, bots, or zombies, which are malicious code implanted on victim systems across the Internet

Denial of Service Flooding Attack Against a Client
FIGURE 2-12 Denial of service flooding attack against a client.

Distributed Denial of Service Flooding Attack Against a Primary Target
FIGURE 2-13 Distributed denial of service flooding attack against a primary target.
Hacker Tools
▪ Any software can be used as a hacking tool
  ▪ Operating system utilities
  ▪ Commercial applications
  ▪ Custom code
  ▪ More
▪ Whitelisting is the best defense
  ▪ A whitelisting system incorporates a list of approved software executables for use
  ▪ Applications not on the list are blocked
  ▪ Approve executables by cryptographic hash or publisher signature rather than by file name or path, since an attacker can rename a tool or drop it at an approved location
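The whitelisting defense above, as an added example that is not from the textbook: a hash-based executable allowlist that decides "allow" or "deny" from a file's SHA-256 digest rather than its name. The demo builds its own throwaway files in a temporary directory, approves one, and then checks a renamed copy (same bytes, so allowed), the approved path after an attacker overwrites it (different bytes, so denied), an unknown binary, and a missing file. File names and contents are constructed for the demo.

```python
import hashlib
import os
import shutil
import tempfile


def sha256_file(path, chunk_size=65536):
    """Stream the file through SHA-256 so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


class Allowlist:
    """Executables run only if their digest was explicitly approved; everything else fails closed."""

    def __init__(self, approved_digests=()):
        self.approved = {d.lower() for d in approved_digests}

    def approve(self, path):
        self.approved.add(sha256_file(path))

    def decision(self, path):
        try:
            digest = sha256_file(path)
        except OSError:
            return "deny"                 # unreadable or missing: never guess, never allow
        return "allow" if digest in self.approved else "deny"


def demo():
    """Constructed scenario exercising the four cases a practitioner cares about."""
    with tempfile.TemporaryDirectory() as d:
        approved = os.path.join(d, "tool.exe")
        with open(approved, "wb") as f:
            f.write(b"MZ constructed approved build 1.0")
        allow = Allowlist()
        allow.approve(approved)

        renamed = os.path.join(d, "renamed.exe")      # same bytes under a new name
        shutil.copyfile(approved, renamed)

        with open(approved, "rb") as f:                # attacker flips one byte and
            data = bytearray(f.read())                 # writes it back to the approved path
        data[-1] ^= 0x01
        with open(approved, "wb") as f:
            f.write(data)

        unknown = os.path.join(d, "dropper.exe")
        with open(unknown, "wb") as f:
            f.write(b"MZ constructed unknown binary")

        return {
            "renamed_copy": allow.decision(renamed),
            "tampered_at_approved_path": allow.decision(approved),
            "unknown": allow.decision(unknown),
            "missing": allow.decision(os.path.join(d, "missing.exe")),
        }


if __name__ == "__main__":
    print(demo())
```

The two interesting rows are the first two: a path-based list would have reversed both of them, allowing the tampered file at the trusted location and blocking the identical copy elsewhere. Hashing also means every patch must be re-approved, which is the operational cost that makes publisher-signature rules the usual companion to per-file hashes.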
Social Engineering
▪ The art of manipulating and exploiting human nature to get people to perform tasks or release information that violates security
▪ Humans are primary targets
▪ People are the weakest link and can be tricked or fooled
▪ Techniques include impersonating a position of authority, asking favors, offering social validation, and creating urgency
▪ Gaining access to inside information is often the first element of a social engineering attack
▪ Other techniques include dumpster diving, reconnaissance, and cold calling
▪ The best defense is user training and awareness
Summary
▪ Hackers and their motivations
▪ The hacking process
▪ Hardware failures, physical threats, accidents, and other disasters
▪ Common types of malware
▪ Social engineering practices and their impact on network security efforts
