Unit 2 NSAC

The document discusses various security threats and methodologies in information security, including types of attacks such as buffer overflow, injection attacks, and the roles of intruders. It emphasizes the importance of firewalls and the three D's of security: deter, detect, and delay. Additionally, it outlines specific attack types like SQL injection and Cross-Site Scripting (XSS), highlighting their potential impacts on data integrity and confidentiality.


Unit 2: Security Threats

eSEC01_v1.0

OVERVIEW
• Goals of Information Security
• Attacks on Different Layers
• Attack Examples
• Worms, Viruses, Trojan Horse, Trap Door
• Stack and Buffer Overflow
• System Threats- intruders
• Communication Threats- Tapping and Piracy
• Firewalls
• Security Methodology-The Three D’s of Security
• Website Attacks: SQLIA, XSS, LDAP, Injection Attack
GOALS OF INFORMATION SECURITY

SECURITY
• Confidentiality: prevents unauthorized use or disclosure of information
• Integrity: safeguards the accuracy and completeness of information
• Availability: authorized users have reliable and timely access to information
WHY SECURITY?
• The Internet was initially designed for connectivity
– Trust assumed
– We do more with the Internet nowadays
– Security protocols are added on top of the TCP/IP
• Fundamental aspects of information must be protected
– Confidential data
– Employee information
– Business models
– Protect identity and resources
• We can’t keep ourselves isolated from the Internet
– Most business communications are done online
– We provide online services
– We get services from third-party organizations online
ATTACKS ON DIFFERENT LAYERS
(OSI Reference Model layer first, the corresponding TCP/IP Model layer in
parentheses; the protocols shown on the slide are listed, followed by the
attacks the slide places at that layer)
• Layer 7 Application (TCP/IP Application): DNS, DHCP, HTTP, FTP, IMAP, LDAP,
NTP, Radius, SSH, Telnet, SNMP, SMTP, TFTP. Attacks: DNS Poisoning, Phishing,
SQL injection, Spam/Scam
• Layer 6 Presentation (TCP/IP Application)
• Layer 5 Session (TCP/IP Application): SMB, NFS, Socks
• Layer 4 Transport (TCP/IP Transport): TCP, UDP. Attacks: TCP attacks,
Routing attack, SYN flooding, Sniffing
• Layer 3 Network (TCP/IP Internet): IPv4, IPv6, ICMP, IPSec. Attacks:
Ping/ICMP Flood
• Layer 2 Data Link (TCP/IP Network Access): PPTP, Token Ring. Attacks: ARP
spoofing, MAC flooding
• Layer 1 Physical (TCP/IP Network Access)
SECURITY ON DIFFERENT LAYERS
(same layering as the previous slide, with the security protocols the slide
assigns to each layer added after "Defenses:")
• Layer 7 Application: DNS, DHCP, HTTP, FTP, IMAP, LDAP, NTP, Radius, SSH,
SMTP, SNMP, Telnet, TFTP. Attacks: DNS Poisoning, Phishing, SQL injection,
Spam/Scam. Defenses: HTTPS, DNSSEC, PGP, S/MIME
• Layer 6 Presentation
• Layer 5 Session: SMB, NFS, Socks
• Layer 4 Transport: TCP, UDP. Attacks: TCP attacks, Routing attack, SYN
flooding, Sniffing. Defenses: TLS, SSL, SSH
• Layer 3 Network: IPv4, IPv6, ICMP, IPSec. Attacks: Ping/ICMP Flood.
Defenses: IPSec
• Layer 2 Data Link: VTP, PPTP, Token Ring. Attacks: ARP spoofing, MAC
flooding. Defenses: IEEE 802.1X, PPP & PPTP
• Layer 1 Physical
WHAT ARE BUFFER OVERFLOW ATTACKS?

• Attackers exploit buffer overflow issues by overwriting the memory of an
application. This changes the execution path of the program, triggering a
response that damages files or exposes private information. For example, an
attacker may introduce extra code, sending new instructions to the
application to gain access to IT systems.

• If attackers know the memory layout of a program, they can intentionally
feed input that the buffer cannot store, and overwrite areas that hold
executable code, replacing it with their own code. For example, an attacker
can overwrite a pointer (an object that points to another area in memory) and
point it to an exploit payload, to gain control over the program.
TYPES OF BUFFER OVERFLOW ATTACKS
• Stack-based buffer overflows are more common, and leverage stack memory
that only exists during the execution time of a function.

• Heap-based attacks are harder to carry out and involve flooding the memory
space allocated for a program beyond the memory used for current runtime
operations.
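The mechanism behind a stack-based overflow, as an added illustration that is not part of the slides: a local buffer and the saved return address sit next to each other in the frame, so an unchecked copy that runs past the buffer silently rewrites the return address, while a length-checked copy refuses the over-long input. The frame layout, buffer size and return address below are constructed assumptions for a Python model of C stack memory, not real process memory.

```python
"""Stack-frame model of a buffer overflow (constructed example).

The frame is a flat bytearray laid out the way a C compiler typically places
a local buffer below the saved return address: [buffer][saved return address].
An unchecked copy (like C's strcpy) keeps writing past the buffer and clobbers
the return address; a bounded copy rejects input that would not fit.
"""

BUF_SIZE = 16          # bytes reserved for the local buffer (assumed layout)
ADDR_SIZE = 8          # width of the saved return address (64-bit, assumed)
RET_ADDR = 0x00401136  # hypothetical legitimate return address


def new_frame() -> bytearray:
    """Build a frame: zeroed buffer followed by the saved return address."""
    frame = bytearray(BUF_SIZE)
    frame += RET_ADDR.to_bytes(ADDR_SIZE, "little")
    return frame


def saved_return_address(frame: bytearray) -> int:
    """Read back the return-address slot that sits just above the buffer."""
    return int.from_bytes(frame[BUF_SIZE:BUF_SIZE + ADDR_SIZE], "little")


def unchecked_copy(frame: bytearray, data: bytes) -> bytearray:
    """Model of strcpy(): writes every byte of `data` starting at the buffer
    with no regard for BUF_SIZE. Bytes beyond the buffer land on the
    return-address slot, which is how a stack overflow redirects control."""
    for i, b in enumerate(data):
        if i < len(frame):
            frame[i] = b
    return frame


def bounded_copy(frame: bytearray, data: bytes) -> bytearray:
    """Model of a length-checked copy: the input must fit inside BUF_SIZE,
    otherwise it is rejected and the frame is left untouched."""
    if len(data) > BUF_SIZE:
        raise ValueError(f"input of {len(data)} bytes exceeds buffer of {BUF_SIZE}")
    frame[:len(data)] = data
    return frame


def return_address_intact(frame: bytearray) -> bool:
    """True if the saved return address still points where the caller expects."""
    return saved_return_address(frame) == RET_ADDR


if __name__ == "__main__":
    overlong = b"A" * 24   # constructed input, 8 bytes more than the buffer holds
    f = unchecked_copy(new_frame(), overlong)
    print("unchecked copy, return address intact:", return_address_intact(f))
    print("return address now: 0x%x" % saved_return_address(f))
    try:
        bounded_copy(new_frame(), overlong)
    except ValueError as e:
        print("bounded copy rejected input:", e)
```

The point of the model is the second print: after the unchecked copy the return address is made entirely of the attacker-supplied bytes, which is the "overwrite a pointer" step the slide describes; the bounded copy never lets the frame get into that state.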
SYSTEM THREATS - INTRUDERS
• The most common threat to security is the attack by an intruder. Intruders
are often referred to as hackers and are among the most harmful factors
contributing to security vulnerability. They have immense knowledge and an
in-depth understanding of technology and security. Intruders breach the
privacy of users and aim at stealing their confidential information. The
stolen information is then sold to third parties, which aim at misusing it
for their own personal or professional gain.
INTRUDERS
• Intruders are divided into three categories:
• Masquerader: individuals who are not authorized to use the system but still
exploit users' privacy and confidential information by using techniques that
give them control over the system. Masqueraders are outsiders and hence do not
have direct access to the system; their aim is to attack it unethically to
steal data or information.
• Misfeasor: individuals who are authorized to use the system but misuse the
access and privileges granted to them, taking undue advantage of their
permissions. Misfeasors are insiders with direct access to the system, which
they aim to attack unethically to steal data or information.
• Clandestine User: individuals who have supervisory or administrative control
over the system and misuse the authority given to them. This abuse of power is
often committed by the highest authorities for financial gain. A clandestine
user can be either an insider or an outsider and accordingly has direct or
indirect access to the system, which they aim to attack unethically by
stealing data or information.
FIREWALLS
• A firewall is a network security device, either hardware- or
software-based, which monitors all incoming and outgoing traffic and, based
on a defined set of security rules, accepts, rejects or drops that specific
traffic.
• Accept: allow the traffic
  Reject: block the traffic but reply with an "unreachable" error
  Drop: block the traffic with no reply
• A firewall establishes a barrier between secured internal networks and
outside untrusted networks, such as the Internet.
NEED OF FIREWALL
• Before firewalls, network security was performed by Access Control Lists
(ACLs) residing on routers. ACLs are rules that determine whether network
access should be granted or denied to specific IP addresses. But an ACL
cannot determine the nature of the packet it is blocking, and ACLs alone do
not have the capacity to keep threats out of the network. Hence, the firewall
was introduced.
• Connectivity to the Internet is no longer optional for organizations. While
accessing the Internet provides benefits to the organization, it also enables
the outside world to interact with the organization's internal network. This
creates a threat to the organization. In order to secure the internal network
from unauthorized traffic, we need a firewall.
WORKING OF FIREWALL
• A firewall matches network traffic against the rule set defined in its
table. Once a rule is matched, the associated action is applied to the
traffic. For example, one rule may state that employees from the HR department
cannot access data from the code server, while another states that the system
administrator can access data from both the HR and the technical department.
Rules are defined on the firewall according to the needs and security policies
of the organization.
• From the perspective of a server, network traffic is either outgoing or
incoming, and the firewall maintains a distinct set of rules for each.
Outgoing traffic, which originates from the server itself, is mostly allowed
to pass. Still, setting rules on outgoing traffic is always better, as it
achieves more security and prevents unwanted communication.
• Incoming traffic is treated differently. Most traffic that reaches the
firewall uses one of three major Transport Layer protocols: TCP, UDP or ICMP.
All three carry a source address and a destination address. TCP and UDP also
have port numbers, whereas ICMP uses a type code instead of a port number,
which identifies the purpose of the packet.
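How a rule table of this kind is evaluated, as an added example (not a real firewall product's configuration): each packet carries the fields the slide names (direction, protocol, addresses, a port for TCP/UDP or a type for ICMP), rules are tried top-down, the first match supplies the accept/reject/drop action, and anything unmatched is dropped. The addresses, ports and rules are constructed for the demonstration.

```python
"""Toy packet-filtering firewall (constructed example).

Rules are matched top-down against direction, protocol, source/destination
address, TCP/UDP destination port and ICMP type. The first match decides;
the action is accept, reject (block and answer "unreachable") or drop (block
silently). A default-deny drop applies when no rule matches.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass
class Packet:
    direction: str              # "in" or "out" from the server's perspective
    proto: str                  # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None       # only meaningful for tcp/udp
    icmp_type: Optional[int] = None   # only meaningful for icmp


@dataclass
class Rule:
    action: str                 # "accept", "reject" or "drop"
    direction: str = "any"
    proto: str = "any"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None
    icmp_type: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        if self.direction != "any" and self.direction != p.direction:
            return False
        if self.proto != "any" and self.proto != p.proto:
            return False
        if ip_address(p.src) not in ip_network(self.src):
            return False
        if ip_address(p.dst) not in ip_network(self.dst):
            return False
        # Ports exist only for TCP/UDP; ICMP is matched on its type instead.
        if self.dport is not None and p.dport != self.dport:
            return False
        if self.icmp_type is not None and p.icmp_type != self.icmp_type:
            return False
        return True


def decide(rules: List[Rule], p: Packet) -> str:
    """Return the action of the first matching rule, or drop if none match."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "drop"


# Constructed rule table: the internal LAN is 10.0.0.0/8, the server is 10.0.0.5.
RULES = [
    Rule("accept", direction="out"),                                      # server-originated traffic may leave
    Rule("accept", "in", "tcp", dst="10.0.0.5/32", dport=443),            # HTTPS from anywhere
    Rule("accept", "in", "tcp", src="10.0.0.0/8", dst="10.0.0.5/32", dport=22),  # SSH only from the LAN
    Rule("reject", "in", "tcp", dport=22),                                # SSH from outside: answer unreachable
    Rule("accept", "in", "icmp", src="10.0.0.0/8", icmp_type=8),         # echo request only from the LAN
]

if __name__ == "__main__":
    samples = [
        Packet("in", "tcp", "203.0.113.7", "10.0.0.5", dport=443),
        Packet("in", "tcp", "203.0.113.7", "10.0.0.5", dport=22),
        Packet("in", "icmp", "203.0.113.7", "10.0.0.5", icmp_type=8),
        Packet("out", "udp", "10.0.0.5", "192.0.2.53", dport=53),
    ]
    for pkt in samples:
        print(pkt, "->", decide(RULES, pkt))
```

Rule order matters: the LAN-only SSH accept must precede the general SSH reject, otherwise internal administrators would be refused too. The trailing default of drop rather than reject follows the slide's distinction: unmatched traffic from outside gets no reply at all.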
TYPES OF FIREWALL
• Five types of firewall include the following:
1. packet filtering firewall
2. circuit-level gateway
3. application-level gateway (aka proxy firewall)
4. stateful inspection firewall
5. next-generation firewall (NGFW)

FIREWALL CHARACTERISTICS
Originally, firewalls focused primarily on service control, but they have
since evolved to provide all four:
• Service control: Determines the types of Internet services that can be
accessed, inbound or outbound. The firewall may filter traffic on the basis
of IP address, protocol, or port number; may provide proxy software that
receives and interprets each service request before passing it on; or may
host the server software itself, such as a Web or mail service.
• Direction control: Determines the direction in which particular service
requests may be initiated and allowed to flow through the firewall.
• User control: Controls access to a service according to which user is
attempting to access it. This feature is typically applied to users inside the
firewall perimeter (local users). It may also be applied to incoming traffic
from external users; the latter requires some form of secure
authentication technology, such as is provided in IPsec (Chapter 8).
• Behavior control: Controls how particular services are used. For
example, the firewall may filter e-mail to eliminate spam, or it may enable
external access to only a portion of the information on a local Web server.

15-441 Networks Fall 2002


SECURITY METHODOLOGY - THE THREE D'S OF SECURITY
The three D's are typically put into effect before an incident. When a
business uses countermeasures that embody the three D's, it changes the
environment in a way that makes it more difficult for incidents to occur.
• Deter: discourage the attack or threat from ever happening.
• Detect: identify and verify threats as they are happening.
• Delay: postpone a threat from reaching your assets, allowing time for a
response.
Countermeasures often accomplish one or more of these tasks. A security
officer can embody all three, for example, while a bollard may deter a
vehicle attack that might crash into a building. Access management may also
deter, detect, and delay threats from entering restricted areas of a site.
INJECTION ATTACKS
• During an injection attack, an attacker can provide
malicious input to a web application (inject it) and
change the operation of the application by forcing it
to execute certain commands.
• An injection attack can expose or damage data and
lead to a denial of service or a full webserver
compromise. Such attacks are possible due to
vulnerabilities in the code of an application that
allows for unvalidated user input.
• Injection attacks are one of the most common and
dangerous web attacks. Our scans consistently see
that websites are sometimes critically vulnerable to
these types of attacks. Many injection attacks can
harm your web apps and cause severe loss or damage
to the data.
SQL INJECTION ATTACK
While SQL and Cross-Site Scripting injection attacks are the most common
types, there is a host of such attacks, all of which have different aims and
means to achieving them.
The main types of injection attacks that your application may be
vulnerable to are:
• SQL Injection (SQLi)
• SQL is a query language to communicate with a database. It can be
used to perform actions to retrieve, delete and save data in the
database.
• During an SQL injection (SQLi) attack, an attacker tries to manipulate the
SQL query used in the web application and gain direct access to your data.
This is typically done through a web form input field, a comment field, or
any other input freely accessible to users.
• Such malicious SQL statements will seek to exploit a vulnerability in the
authentication and authorization procedures of the application. If they
are successful, the SQL database will execute the commands that the
attacker has injected.
• Depending on the type of SQL injection, it can read, modify, add, or
delete data from the database.
LDAP INJECTION
• LDAP injection attacks can be executed by malicious users when web-
based applications don’t check user input rigorously and thus create a
loophole for unauthorized LDAP statement modifications.
• Like SQL injection, LDAP injection attacks happen when an attacker exploits
this security fault, which allows unsanitized input, with the help of a local
proxy. As a result, they can obtain permissions and execute malicious
commands for unauthorized queries or modify content within the LDAP tree.
• More specifically, attackers can control a query’s meaning through
metacharacters like brackets, asterisks, ampersands, and quotes. If they
can submit such input, they can change the query in an unauthorized way
to achieve their goal. The newly passed parameters can manipulate the
search, addition, and modification functions.
• The injection flaws in the case of LDAP are a significant security threat.
They can provide attackers with sensitive data, such as credentials, roles,
permissions, and more if successfully executed. Furthermore, this attack
often results in authentication bypasses, data corruption, or denial of
service (DoS), ruining the attacked server.
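What "control a query's meaning through metacharacters" looks like in a search filter, and the escaping that prevents it, as an added example (not from the slides). The filter is built for a constructed directory layout under dc=example,dc=com and is never sent to a server; the escape table encodes the five characters that RFC 4515 (my reference, not the slide's) reserves in filter values. A helper counts the filter's components by unescaped parentheses, so you can see that raw input adds a clause while escaped input cannot.

```python
"""LDAP injection: raw versus escaped filter values (constructed example)."""

# Characters reserved in LDAP filter values (RFC 4515) and their \XX encodings.
_LDAP_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\0": r"\00",
}

ADMIN_GROUP = "cn=admins,ou=groups,dc=example,dc=com"   # constructed DN


def escape_filter_value(value: str) -> str:
    """Encode every metacharacter so the value cannot alter filter structure."""
    return "".join(_LDAP_FILTER_ESCAPES.get(c, c) for c in value)


def build_filter_vulnerable(username: str) -> str:
    """DO NOT USE: the username is interpolated raw, so '*', '(' and ')'
    in it become filter syntax."""
    return f"(&(uid={username})(memberOf={ADMIN_GROUP}))"


def build_filter_safe(username: str) -> str:
    """Same filter, but the value is escaped first."""
    return f"(&(uid={escape_filter_value(username)})(memberOf={ADMIN_GROUP}))"


def count_assertions(ldap_filter: str) -> int:
    """Count filter components by unescaped '(' characters. An escaped value
    can never add a component; a raw metacharacter can."""
    n, i = 0, 0
    while i < len(ldap_filter):
        c = ldap_filter[i]
        if c == "\\":
            i += 3          # skip the \XX escape sequence
            continue
        if c == "(":
            n += 1
        i += 1
    return n


if __name__ == "__main__":
    crafted = "*)(cn=*"    # constructed input containing filter metacharacters
    for name, build in (("vulnerable", build_filter_vulnerable), ("safe", build_filter_safe)):
        f = build(crafted)
        print(f"{name}: {f}  [components: {count_assertions(f)}]")
```

The expected filter has three components (the AND, the uid test, the group test). With raw input the crafted value turns into a fourth component and a wildcard uid test; after escaping, the same characters are just bytes inside the uid value and the count stays at three.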
CROSS-SITE SCRIPTING (XSS)
• Whenever an application allows user input within the
output it generates, it allows an attacker to send malicious
code to a different end-user without validating or encoding
it. Cross-Site Scripting (XSS) attacks take these
opportunities to inject malicious scripts into trusted
websites.
• Text containing malicious code (typically JavaScript) is inserted into a
web page during a Cross-Site Scripting attack. When an unsuspecting user
visits that web page, the code is executed.
• For example, a string of text may be added to the URL. If
the application fails to validate it and allows it to pass, a
user’s browser will execute the code leading to a breach.
• An XSS attack can be used to steal cookie details, change
user settings, hijack user sessions, and more. This can
open the door to impersonation and defacement.
CODE INJECTION
• In this scenario, an attacker is acquainted with the application
code and programming language. By exploiting a vulnerability,
they may attempt to inject code into the application to be
executed as a command by its web server. This differs from an
operating system (OS) command injection (see below).
• Attackers typically carry out code injection via any of several input
fields, including text inputs, HTTP GET/POST/PUT/DELETE parameters, headers,
cookies, etc.
• Once inside the target application, the attacker may force the
webserver to do what they want by gaining greater privileges.
• A code injection may impact an application anywhere, from
gaining access to data to fully compromising the system.
Therefore, a vulnerability to a code injection is of great concern.
COMMAND INJECTION
• Sometimes web applications need to call a system
command on the web server running them. In such
instances, if user input is not validated and
restricted, a command injection can occur.
• Unlike code injections, command injections only
require the attacker to know the operating system.
Then, the attacker inserts a command into the
system, using the user privileges. The inserted
command then executes in the host system.
• A command injection can compromise that
application, its data, the entire system, connected
servers, systems, and other infrastructure.
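One example covering both the code injection and the command injection slides, added here and not part of the deck: the two sinks are a Python eval() of user text (code injection, the input runs inside the application's own interpreter) and a shell command string built from user text (command injection, the input runs in the host's shell). The safe variants parse only literals and pass the argument to the program as a single argv element after validation. The hostname pattern, the ping command line and the sample inputs are constructed assumptions; nothing is executed, the functions only build and inspect the commands.

```python
"""Code injection (eval) and OS command injection (shell strings): constructed example."""
import ast
import re
import shlex

# Assumed hostname policy for this demo: letters, digits, dots and hyphens only.
HOSTNAME_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9.-]{0,251}[A-Za-z0-9])?")


# ---- code injection: text handed to the application's own interpreter ----

def evaluate_vulnerable(expr: str):
    """DO NOT USE: eval() runs arbitrary Python, so the 'expression' can call
    any function the application can (this is what the slide calls being
    executed as a command by the server)."""
    return eval(expr)


def parse_literal(expr: str):
    """Accept only Python literals (numbers, strings, lists, dicts...);
    any call, attribute access or operator raises ValueError."""
    return ast.literal_eval(expr)


# ---- command injection: text handed to the host shell ----

def build_ping_vulnerable(host: str) -> str:
    """DO NOT USE with shell=True: the host is pasted into a shell command
    line, so shell separators in it start additional commands."""
    return f"ping -c 1 {host}"


def build_ping_argv(host: str) -> list:
    """Preferred: validate, then return an argv list for subprocess.run(...)
    without a shell; the host is one argument, never parsed as a command."""
    if not HOSTNAME_RE.fullmatch(host):
        raise ValueError(f"rejected hostname: {host!r}")
    return ["ping", "-c", "1", host]


def build_ping_quoted(host: str) -> str:
    """When a shell string is unavoidable, shlex.quote keeps the host a
    single shell word regardless of what characters it contains."""
    return "ping -c 1 " + shlex.quote(host)


def shell_words(cmd: str) -> list:
    """Show how a POSIX shell would split the command into words."""
    return shlex.split(cmd)


if __name__ == "__main__":
    crafted = "example.test; id"          # constructed input with a shell separator
    print(shell_words(build_ping_vulnerable(crafted)))   # the separator leaks into extra words
    print(shell_words(build_ping_quoted(crafted)))       # one word: 'example.test; id'
    try:
        build_ping_argv(crafted)
    except ValueError as e:
        print(e)
    try:
        parse_literal("__import__('os').system('id')")
    except ValueError as e:
        print("literal_eval refused:", e)
```

The argv form is the real fix: with no shell in the path there is nothing to inject into, and validation then only has to decide whether the value is a plausible hostname, not whether it is safe shell syntax.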
CCS INJECTION
• A CCS injection exploits a vulnerability found in the
ChangeCipherSpec processing in some versions of
OpenSSL.
• During such an attack, invalid signals are sent by
attackers in the handshake session between servers
and clients. This allows them to seize encryption key
materials, access the communication between server
and client, and possibly perform identity theft.
• These are the most common and serious injection
attacks used on web applications. Unfortunately,
protecting your applications can be a huge uphill task
for companies or individuals with many web
applications and limited developer time and resources.
