Lec 8 Network Attack Architecture and Isolation

The document discusses various network security threats and attacks, categorizing them into classes such as unstructured, structured, external, and internal threats. It outlines common types of attacks including viruses, phishing, and denial of service, along with prevention strategies for each. The importance of network security in protecting sensitive information as more individuals connect to networks is emphasized.

Cyber Security

Network Attacks Architecture and Isolation

Agenda
• Introduction
• Network Threats & Attacks – Common Terms
• Network Security Threats
  • Classes of Threats
  • Types of Threats and Prevention
• Network Attacks
  • Types of Attacks and Mitigation
• Conclusion
• References

Introduction
• More and more people are getting connected to networks, increasing the number of network security threats.
• Network security is a major part of network administration and management, because information is being passed between computers and is very vulnerable to attacks.
• Over the past decade, the people who manage network security have noted a massive increase in hackers (crackers) and criminals creating malicious threats that have been pumped into networks across the world.

Common Terms
• What is a network threat? It is an event that can take advantage of a vulnerability and cause a negative impact on the network.
• What is a vulnerability? These could be weaknesses in the technology, configuration, or security policy.
• What is an attack? An assault on a system's security that derives from an intelligent threat, i.e., an intelligent act that is a deliberate attempt (especially in the sense of a method or technique) to evade security services and violate the security policy of a system.

Network Security Threats - Classes
There are four primary classes of threats to network security.
1. Unstructured Threats – consist mostly of inexperienced individuals using easily available tools such as shell scripts and password crackers.
2. Structured Threats – come from hackers who are highly motivated and technically competent. They know and are aware of system vulnerabilities. They can understand and develop exploit code and scripts. They use sophisticated hacking techniques to penetrate and compromise systems.
3. External Threats – these arise from individuals or organizations working outside the company, institution or organization. They do not have authorized access to the computer systems or network(s). They work their way into a network mainly through an Internet connection.
4. Internal Threats – these occur when someone has authorized access to the network with either an account on a server or physical access to the network.

Individuals who pose Network Threats and Initiate Network Attacks
• Hacker – a general term that has historically been used to describe a computer programming expert who attempts to gain unauthorized access to network resources.
• Cracker – the term regarded as the more accurate word that describes an individual who attempts to gain unauthorized access to network resources with malicious intent.
• Spammer – an individual who sends large numbers of unsolicited emails. Spammers use viruses to take control of computer systems and then use them to send out bulk messages.
• Phisher – a phisher uses email or other means to trick others into providing sensitive information, such as credit card numbers or passwords. The phisher masquerades as a trusted party that would have a legitimate need for the sensitive information.
• White Hat – a term used to describe individuals who use their abilities to find vulnerabilities in systems or networks and then report these vulnerabilities to the owners of those systems.
• Black Hat – a term used to describe individuals who use their knowledge of computer systems to break into systems that they are not authorized to use.

Types of Network Threats and Prevention
The biggest threats to network security are listed below:
• Viruses and worms
• Trojan Horses
• SPAM
• Phishing
• Packet Sniffers
• Maliciously coded websites
• Password Attacks
• Hardware Loss and Residual Data Fragments
• Shared Computers
• Zombie Computers and Botnets

Viruses and Worms
• A virus is a program or piece of code that is loaded onto your computer without your knowledge and runs against your wishes.
• An example of a virus would be if you opened an email and a malicious piece of code was downloaded onto your computer, causing it to freeze.
• In relation to a network, if a virus is downloaded then all the computers in the network would be affected, because the virus would make copies of itself and spread across networks.
• A worm is similar to a virus, but a worm can run itself whereas a virus needs a host program to run.
Prevention:
• Install a security suite that protects the computer against threats such as viruses and worms.

Trojan Horses
• A Trojan Horse is a program in which malicious code is contained inside apparently harmless programs or data in such a way that it can get control and do its chosen form of damage, such as ruining the file allocation table on your hard disk.
• In a network, if a Trojan Horse is installed on a computer and tampers with the file allocation table, it could cause a massive amount of damage to all computers in that network.
Prevention:
• Internet security suites will prevent you from downloading Trojan horses.

SPAM
• SPAM is flooding the Internet with many copies of the same message, in an attempt to force the message on people who would not otherwise choose to receive it.
• SPAM makes up 70% – 80% of daily emails sent throughout the world.
Prevention:
• Install a SPAM filter.
• You should protect your network from email spam by requiring your employees to use separate accounts for their personal internet use; company accounts should not be used to sign up to personal online services.
• When creating company email accounts, use a naming system which is not easily guessable, as spammers are increasingly going through common name lists in order to harvest emails to spam.

Phishing
• Phishing is an email fraud method in which the perpetrator sends out legitimate-looking emails to gather personal and financial information from recipients.
• Phishing is one of the worst security threats over a network because a lot of the people that use computers linked to a network are novice users and would be very vulnerable to giving out information that could lead to theft of money or identity theft.
Prevention:
• It is increasingly vital that you educate your employees about the most common ways in which hackers try to phish your account information. A single phishing attack can compromise an entire network's security if an employee is tricked into giving out his network account information.
• Even after educating your workforce, you should consider adding a header to your network browser that reminds users never to enter personal information solicited through an email.
• Use sophisticated email filters to limit the number of phishing attacks that your employees must navigate around.

Packet Sniffers
• A packet sniffer is a device or program that allows eavesdropping on traffic travelling between networked computers.
• The packet sniffer will capture data that is addressed to other machines, saving it for later analysis.
• A packet sniffer can filter out personal information, and this can lead to areas such as identity theft, so this is a major security threat to a network.
Prevention:
• When strong encryption is used, all packets are unreadable to any but the destination address, making packet sniffers useless. So one solution is to obtain strong encryption.

Maliciously Coded Websites
• Some websites across the Internet contain malicious code.
• Malicious code is programming code that can cause harm to availability, integrity of code or data, or confidentiality in a computer system.
• AVG reports that more than 300,000 infected sites appear per day.
• In addition to stealing personal information, maliciously coded websites are also often designed for the following purposes:
  1. Installation of keyloggers
  2. Adware/Spyware/Reading cookies
  3. Drive-by downloads
  4. XSS – cross site scripting to utilize web browser flaws for other intentions
Prevention:
• Use a security suite that can detect infected sites and try to prevent the user from entering the site.
• Creating a regular browser patch and plugin update schedule will also ensure your virus and email protections are up to date.
• Systematically set the browser security settings of all your network computers to a higher than default setting. While this step will not eliminate the possibility that your employees will stumble upon maliciously coded sites, it will reduce the incidence of that occurrence.

Password Attacks
• A password attack is a general term that describes a variety of techniques used to steal passwords to accounts.
  1. Brute Force – one of the most labor intensive and unsophisticated methods hackers use to steal passwords is to try to guess a password by repeatedly entering new combinations of words and phrases compiled from a dictionary. This 'dictionary attack' can also be used to guess usernames, so developing difficult-to-guess usernames and passwords is increasingly vital to network security.
  2. Packet sniffers – packet sniffers glean data electronically from a compromised network.
  3. IP Spoofing – like 'Honeypots', this attack involves the interception of data packets by a computer successfully pretending to be a trusted server/resource.
  4. Trojans – Trojans are invasive, as discussed above, and of these methods are the most likely to succeed, especially if keyloggers are used.
Prevention:
• Automated testing (e.g. dictionary scanning), human behavior (e.g. lack of diversity in usernames and passwords), and other security flaws make it easier for password attackers to succeed. Unfortunately, there is no single method to prevent password attacks, though combining network traffic analysis with email scanning, virus protection, firewalls, and an educated workforce can all together form a strong defense for any network.
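As an added example (not from the lecture), the detection side of the brute-force method above: it reads constructed sshd-style authentication log lines, counts failed logins per source inside a sliding time window, and also reports how many different usernames were tried, which is the username-guessing variant the slide mentions. The log format and the thresholds are assumptions.

```python
# Added example, not from the lecture: spotting the repeated-guess pattern of a
# brute-force/dictionary attack in authentication log lines. The sshd-style
# line format and the thresholds are assumptions.
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one source guessing six times across five usernames
# in nine seconds, and one user who mistyped a password once and then got in.
SAMPLE_AUTH_LOG = """\
2024-03-01T09:00:00 sshd[101]: Failed password for invalid user admin from 203.0.113.9 port 40001 ssh2
2024-03-01T09:00:02 sshd[101]: Failed password for invalid user test from 203.0.113.9 port 40002 ssh2
2024-03-01T09:00:04 sshd[101]: Failed password for root from 203.0.113.9 port 40003 ssh2
2024-03-01T09:00:05 sshd[101]: Failed password for invalid user oracle from 203.0.113.9 port 40004 ssh2
2024-03-01T09:00:07 sshd[101]: Failed password for invalid user guest from 203.0.113.9 port 40005 ssh2
2024-03-01T09:00:09 sshd[101]: Failed password for root from 203.0.113.9 port 40006 ssh2
2024-03-01T09:01:00 sshd[102]: Failed password for alice from 10.0.0.5 port 50001 ssh2
2024-03-01T09:01:10 sshd[102]: Accepted password for alice from 10.0.0.5 port 50002 ssh2
"""

FAIL_RE = re.compile(
    r"^(?P<ts>\S+) \S+ Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)


def parse_failures(text):
    """Return (timestamp, user, src) for every failed-login line; other lines are skipped."""
    out = []
    for line in text.splitlines():
        m = FAIL_RE.match(line)
        if m:
            out.append((datetime.fromisoformat(m["ts"]), m["user"], m["src"]))
    return out


def brute_force_sources(failures, max_failures=5, window=timedelta(minutes=1)):
    """Sources with more than max_failures failed logins inside some sliding window.

    Returns {src: {"failures": n, "distinct_users": k}} for the densest window seen.
    """
    by_src = defaultdict(list)
    for ts, user, src in failures:
        by_src[src].append((ts, user))
    alerts = {}
    for src, events in by_src.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:   # slide the window forward
                start += 1
            count = end - start + 1
            if count > max_failures and (src not in alerts or count > alerts[src]["failures"]):
                users = {u for _, u in events[start:end + 1]}
                alerts[src] = {"failures": count, "distinct_users": len(users)}
    return alerts


if __name__ == "__main__":
    print(brute_force_sources(parse_failures(SAMPLE_AUTH_LOG)))
```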

Hardware Loss and Residual Data Fragments
• Hardware loss and residual data fragments are a growing worry for companies, institutions and organizations.
• An example of this is if a few laptops that have client details on them get stolen from an institution; this will enable the thief to get personal information from clients and maybe steal the clients' identities.
Prevention:
The threat of hardware loss and residual data fragments can be minimized by taking these straightforward steps:
1. Encrypt sensitive company data, especially the laptops and files of executives who are most likely to be targeted.
2. Wipe/shred files on old hard drives before they leave your organization. This is as much an issue of data compliance regulations as it is of network security. No matter what your motivation, however, failing to clean discarded hardware can leave your entire network vulnerable.
3. Develop a policy for keeping track of employees' use of smartphones and USB memory cards around sensitive data. Simply letting employees know that you have such a policy and are monitoring use of these devices will go a long way to prevent misuse and protect the network.

Shared Computers
Shared computers are always a threat.
Prevention:
• Do not check the "Remember my ID on this computer" box
• Never leave a computer unattended while signed in
• Always sign out completely
• Clear browser cache
• Be wary of spyware
• Never save passwords
• Change your passwords often

Zombie Computers and Botnets
• A zombie computer is a computer that has been secretly compromised by hacking tools which allow a third party to control the computer and its resources remotely.
• A hacker could hack into a computer and obtain data.
• A botnet is a network of online computers that, although their owners are unaware of it, have been set up to forward transmissions (including spam or viruses) to other computers on the Internet.
• This is a major security threat on a network because the network, unknown to anyone, could be acting as a hub that forwards malicious files to other computers.
Prevention:
• Antivirus software suites can help prevent zombie computers.

Network Attacks
• Four primary classes of attacks exist:
  1. Reconnaissance
  2. Access
  3. Denial of service
  4. Malicious code (worms, viruses and Trojan horses)

Common Terms
• Active vs Passive: An 'active attack' attempts to alter system resources or affect their operation. A 'passive attack' attempts to learn or make use of information from the system but does not affect system resources (e.g., wiretapping).
• Insider vs Outsider: An 'insider attack' is an attack initiated by an entity inside the security perimeter, i.e., an entity that is authorized to access system resources but uses them in a way not approved by those who granted the authorization.
• An 'outside attack' is initiated from outside the perimeter, by an unauthorized or illegitimate user of the system.
• On the Internet, potential outside attackers range from amateur pranksters to organized criminals and hostile governments.
• Malware is any software used to disrupt computer operation, gather sensitive information, or gain access to private computer systems. Malware is defined by its malicious intent, acting against the requirements of the computer user, and does not include software that causes unintentional harm due to some deficiency.

Reconnaissance
• Reconnaissance is the unauthorized discovery and mapping of systems, services, or vulnerabilities.
• It is also known as information gathering and, in most cases, it precedes an actual access or denial-of-service (DoS) attack.
• Reconnaissance is somewhat analogous to a thief casing a neighborhood for vulnerable homes to break into, such as an unoccupied residence, easy-to-open doors or open windows.
• Reconnaissance attacks can consist of the following:
  • Packet sniffers
  • Port scans
  • Ping sweeps
  • Internet information queries
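As an added example (not part of the lecture), the defender's view of two of the reconnaissance techniques listed above: it parses constructed firewall-style log lines and flags a source that touches many distinct ports on one host (a port scan) or sends ICMP echo requests to many distinct hosts (a ping sweep). The log line format and the thresholds are assumptions.

```python
# Added example, not from the lecture: flag port scans and ping sweeps in
# firewall-style log lines. The line format and thresholds are assumptions.
import re
from collections import defaultdict

# Constructed sample log: one host probing six ports on 10.0.1.10, one host
# echo-requesting five addresses in 10.0.1.0/24, plus ordinary traffic.
SAMPLE_LOG = """\
2024-03-01T10:00:01 DROP src=10.0.0.5 dst=10.0.1.10 proto=tcp dport=21
2024-03-01T10:00:01 DROP src=10.0.0.5 dst=10.0.1.10 proto=tcp dport=22
2024-03-01T10:00:01 ALLOW src=10.0.0.5 dst=10.0.1.10 proto=tcp dport=80
2024-03-01T10:00:02 ALLOW src=10.0.0.5 dst=10.0.1.10 proto=tcp dport=443
2024-03-01T10:00:02 DROP src=10.0.0.5 dst=10.0.1.10 proto=tcp dport=3389
2024-03-01T10:00:02 DROP src=10.0.0.5 dst=10.0.1.10 proto=tcp dport=8080
2024-03-01T10:00:03 ALLOW src=10.0.0.7 dst=10.0.1.10 proto=tcp dport=443
2024-03-01T10:00:04 ALLOW src=10.0.0.9 dst=10.0.1.1 proto=icmp type=8
2024-03-01T10:00:04 ALLOW src=10.0.0.9 dst=10.0.1.2 proto=icmp type=8
2024-03-01T10:00:04 DROP src=10.0.0.9 dst=10.0.1.3 proto=icmp type=8
2024-03-01T10:00:04 ALLOW src=10.0.0.9 dst=10.0.1.4 proto=icmp type=8
2024-03-01T10:00:05 ALLOW src=10.0.0.9 dst=10.0.1.5 proto=icmp type=8
2024-03-01T10:00:06 ALLOW src=10.0.0.7 dst=10.0.1.1 proto=icmp type=8
"""

LINE_RE = re.compile(
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>\S+)"
    r"(?: dport=(?P<dport>\d+))?(?: type=(?P<type>\d+))?"
)

PORT_SCAN_THRESHOLD = 5   # assumption: distinct ports on one host from one source
PING_SWEEP_THRESHOLD = 4  # assumption: distinct hosts echo-requested by one source


def parse_log(text):
    """Yield (src, dst, proto, dport, icmp_type) per line; lines that don't match are skipped."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        dport = int(m["dport"]) if m["dport"] else None
        itype = int(m["type"]) if m["type"] else None
        yield m["src"], m["dst"], m["proto"], dport, itype


def detect_port_scans(records, threshold=PORT_SCAN_THRESHOLD):
    """Return {(src, dst): n} for sources that touched >= threshold distinct ports on dst."""
    ports = defaultdict(set)
    for src, dst, proto, dport, _ in records:
        if proto in ("tcp", "udp") and dport is not None:
            ports[(src, dst)].add(dport)
    return {k: len(v) for k, v in ports.items() if len(v) >= threshold}


def detect_ping_sweeps(records, threshold=PING_SWEEP_THRESHOLD):
    """Return {src: n} for sources that sent ICMP echo requests (type 8) to >= threshold hosts."""
    hosts = defaultdict(set)
    for src, dst, proto, _, itype in records:
        if proto == "icmp" and itype == 8:
            hosts[src].add(dst)
    return {k: len(v) for k, v in hosts.items() if len(v) >= threshold}


if __name__ == "__main__":
    records = list(parse_log(SAMPLE_LOG))
    print("port scans :", detect_port_scans(records))   # {('10.0.0.5', '10.0.1.10'): 6}
    print("ping sweeps:", detect_ping_sweeps(records))  # {'10.0.0.9': 5}
```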

Access Attacks
• System access is the ability for an unauthorized intruder to gain access to a device for which the intruder does not have an account or password.
• Entering or accessing systems to which one does not have authority to access usually involves running a hack, script, or tool that exploits a known vulnerability of the system or application being attacked.
• Access attacks exploit known vulnerabilities in authentication services, FTP services, and web services to gain entry to web accounts, confidential databases, and other sensitive information.
• Access attacks can consist of the following:
  1. Password attacks
  2. Trust exploitation
  3. Port redirection
  4. Man-in-the-middle attacks
  5. Social engineering
  6. Phishing

Denial-of-Service (DoS) Attacks
• Denial of service implies that an attacker disables or corrupts networks, systems, or services with the intent to deny services to intended users.
• DoS attacks involve either crashing the system or slowing it down to the point that it is unusable. But DoS can also be as simple as deleting or corrupting information.
• In most cases, performing the attack simply involves running a hack or script. The attacker does not need prior access to the target, because a way to access it is all that is usually required. For these reasons, DoS attacks are most feared.
Examples:
1. Ping of death – This attack modifies the IP portion of the header, indicating that there is more data in the packet than there is, causing the receiving host to crash.
2. SYN flood attack – This attack randomly opens many TCP ports, tying up the system and network resources with so many bogus requests that sessions are thereby denied to others. This attack is accomplished with protocol analyzers or other programs. The SYN flood attack sends TCP connection requests faster than a machine can process them.
3. Packet fragmentation and reassembly – This attack exploits a buffer-overrun bug in hosts or internetworking equipment.
4. Email bombs – Programs can send bulk emails to individuals, lists or domains, monopolizing email services.
5. CPU hogging – These attacks consist of programs such as Trojan horses or viruses that tie up CPU cycles, memory, or other resources.
6. Malicious applets – These attacks are Java, JavaScript or ActiveX programs that act as Trojan horses or viruses to cause destruction or tie up computer resources.
7. Misconfiguring routers – Misconfiguring routers to reroute traffic disables web traffic.
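As an added example (not from the lecture), detection logic for two of the techniques listed above: a SYN flood shows up as a growing backlog of half-open TCP connections per destination, and a ping of death shows up as a fragment whose offset plus payload would push the reassembled datagram past the 65535-byte IPv4 maximum. The packet record shape and the threshold are assumptions, not any real capture tool's format.

```python
# Added example, not from the lecture: detection logic for two of the DoS
# techniques listed above, run over constructed packet records. The record
# shape and the threshold are assumptions, not any real tool's format.
from collections import defaultdict

IP_MAX_DATAGRAM = 65535    # largest IPv4 datagram; a reassembly beyond this is malformed
SYN_FLOOD_THRESHOLD = 100  # assumption: half-open connections per destination

def half_open_by_destination(packets):
    """Count TCP connections per destination that saw a client SYN but never
    the client's handshake-completing ACK.

    packets: iterable of dicts with keys src, sport, dst, dport, flags (a set
    of TCP flag names), in capture order.
    """
    state = {}
    for p in packets:
        key = (p["src"], p["sport"], p["dst"], p["dport"])
        flags = p["flags"]
        if "SYN" in flags and "ACK" not in flags:          # client SYN
            state[key] = "half-open"
        elif "ACK" in flags and "SYN" not in flags and key in state:
            state[key] = "established"                     # third handshake packet
    counts = defaultdict(int)
    for (_, _, dst, _), s in state.items():
        if s == "half-open":
            counts[dst] += 1
    return dict(counts)

def syn_flood_targets(packets, threshold=SYN_FLOOD_THRESHOLD):
    """Destinations whose half-open backlog reached the threshold."""
    return {dst: n for dst, n in half_open_by_destination(packets).items() if n >= threshold}

def oversized_reassemblies(fragments):
    """Fragments whose offset plus payload would push the reassembled datagram
    past IP_MAX_DATAGRAM: the ping-of-death pattern. frag_offset is in 8-byte
    units, as in the IP header."""
    return [f for f in fragments if f["frag_offset"] * 8 + f["payload_len"] > IP_MAX_DATAGRAM]

# Constructed sample traffic: 120 SYNs to 10.0.1.10:80 from many sources that
# never complete the handshake, plus three ordinary handshakes to port 443
# (the server's SYN-ACK is not shown because only client packets are tracked).
SAMPLE_PACKETS = []
for i in range(120):
    SAMPLE_PACKETS.append({"src": f"203.0.113.{i % 50 + 1}", "sport": 40000 + i,
                           "dst": "10.0.1.10", "dport": 80, "flags": {"SYN"}})
for i in range(3):
    legit = {"src": "10.0.0.5", "sport": 50000 + i, "dst": "10.0.1.10", "dport": 443}
    SAMPLE_PACKETS.append({**legit, "flags": {"SYN"}})
    SAMPLE_PACKETS.append({**legit, "flags": {"ACK"}})

# Constructed fragments: the second one claims offset 8100*8 = 64800 bytes
# plus 1480 bytes of payload, which cannot fit in a 65535-byte datagram.
SAMPLE_FRAGMENTS = [
    {"src": "198.51.100.9", "id": 7, "frag_offset": 0, "payload_len": 1480},
    {"src": "198.51.100.9", "id": 7, "frag_offset": 8100, "payload_len": 1480},
]

if __name__ == "__main__":
    print("SYN flood targets:", syn_flood_targets(SAMPLE_PACKETS))              # {'10.0.1.10': 120}
    print("oversized fragments:", len(oversized_reassemblies(SAMPLE_FRAGMENTS)))  # 1
```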

Distributed Denial-of-Service (DDoS) Attacks
• Distributed denial-of-service (DDoS) attacks are designed to saturate network links with spurious data.
• This data can overwhelm an Internet link, causing legitimate traffic to be dropped.
• DDoS uses attack methods similar to standard DoS attacks but operates on a much larger scale.
• Typically, hundreds or thousands of attack points attempt to overwhelm a target.
• Examples of DDoS attacks include:
  • Smurf attacks
  • Tribe Flood Network (TFN) - CERT Incident Note 99-04
  • Stacheldraht

Masquerade/IP Spoofing Attacks
• With a masquerade attack, the network intruder can manipulate TCP/IP packets by IP spoofing, falsifying the source IP address, thereby appearing to be another user.
• The intruder assumes the identity of a valid user and gains that user's access privileges by IP spoofing.
• IP spoofing occurs when intruders create IP packets with falsified source addresses.
• During an IP spoofing attack, an attacker outside the network pretends to be a trusted computer.
• The attacker may either use an IP address that is within the range of IP addresses for the network or use an authorized external IP address that is trusted and provides access to specified resources on the network.
• An IP spoofing attack is limited to the injection of data or commands into an existing stream of data passed between a client and server application or peer-to-peer network connection.
• Some tools used to perform IP spoofing attacks are as follows:
  1. Protocol analyzers, also called password sniffers
  2. Sequence number modification
  3. Scanning tools that probe TCP ports for specific services, network or system architecture, and the operating system

Malicious Code
• The primary vulnerabilities for end-user workstations are worm, virus and Trojan horse attacks.
• The anatomy of a worm attack is as follows:
  1. The enabling vulnerability: A worm installs itself using an exploit vector on a vulnerable system.
  2. Propagation mechanism: After gaining access to devices, a worm replicates and selects new targets.
  3. Payload: After the device is infected with a worm, the attacker has access to the host, often as a privileged user. Attackers could use a local exploit to escalate their privilege level to administrator.
Prevention:
• The following are the recommended steps for worm attack mitigation:
  1. Step 1: Containment
  2. Step 2: Inoculation
  3. Step 3: Quarantine
  4. Step 4: Treatment
• A virus is malicious software that is attached to another program to execute a particular unwanted function on a user's workstation.
• An example of a virus is a program that is attached to command.com (the primary interpreter for Windows systems) that deletes certain files and infects any other versions of command.com that it can find.
• A Trojan horse differs only in that the entire application was written to look like something else, when in fact it is an attack tool.
• An example of a Trojan horse is a software application that runs a simple game on the user's workstation.
• While the user is occupied with the game, the Trojan horse mails a copy of itself to every contact in the user's address book. The other users receive the game and then play it, thus spreading the Trojan horse.
Prevention:
• These kinds of applications can be contained through the effective use of antivirus software at the user level.
• Keep up to date with the latest antivirus software, application versions and software patches.

Summary
• Every device in your network could be exploited, so make sure to harden them all (especially change default usernames and passwords): printers, tablets, CPEs etc.
• Deploy anti-spoofing filters.
• Understand what you are sending in the clear from the sending device to the recipient, and protect it where needed.
• Log and audit for trends, since sometimes an abnormality can show the start of reconnaissance for a later attack.
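As an added example (not from the lecture), a minimal anti-spoofing source-address filter of the kind the summary recommends, applied to the first spoofing variant described in the Masquerade/IP Spoofing slides: an outside packet carrying an address from the network's own range is dropped on ingress, and a packet leaving with a foreign source address is dropped on egress. The address prefixes and the sample traffic are assumptions standing in for an organisation's own address space.

```python
# Added example, not from the lecture: a minimal anti-spoofing (ingress/egress)
# source-address filter of the kind the summary recommends. The prefixes are
# assumptions standing in for an organisation's own address space.
import ipaddress

# Address space assumed to live behind the border router.
INTERNAL_PREFIXES = [ipaddress.ip_network(p) for p in ("10.0.0.0/8", "192.168.0.0/16")]
# Addresses that are never valid as a source on the Internet side.
BOGON_PREFIXES = [ipaddress.ip_network(p) for p in
                  ("0.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]


def _in_any(addr, prefixes):
    return any(addr in net for net in prefixes)


def filter_packet(direction, src):
    """Decide whether a packet with source address src may pass the border.

    direction is "ingress" (arriving from the Internet) or "egress" (leaving
    for the Internet). Returns (allowed, reason).
    """
    addr = ipaddress.ip_address(src)
    if _in_any(addr, BOGON_PREFIXES):
        return False, "bogon source address"
    internal = _in_any(addr, INTERNAL_PREFIXES)
    if direction == "ingress" and internal:
        # An outside packet claiming one of our own addresses: the spoofing
        # variant the slides describe as using an address "within the range
        # of IP addresses for the network".
        return False, "ingress packet claims an internal source"
    if direction == "egress" and not internal:
        # Stops hosts on our network from spoofing someone else's addresses.
        return False, "egress packet with a foreign source"
    return True, "ok"


def audit(records):
    """Apply filter_packet to (direction, src) pairs; return the dropped ones with reasons."""
    return [(d, s, reason) for d, s in records
            for allowed, reason in [filter_packet(d, s)] if not allowed]


# Constructed sample traffic seen at the border.
SAMPLE_RECORDS = [
    ("ingress", "203.0.113.7"),   # ordinary Internet client
    ("ingress", "10.0.5.20"),     # spoofed: our own address arriving from outside
    ("ingress", "127.0.0.1"),     # bogon
    ("egress", "10.0.5.20"),      # our host talking out, fine
    ("egress", "198.51.100.3"),   # our host spoofing a foreign address
]

if __name__ == "__main__":
    for d, s, reason in audit(SAMPLE_RECORDS):
        print(f"DROP {d:<7} src={s:<15} {reason}")
```

Prefix filtering of this kind does not stop the second variant the slides mention, spoofing of a trusted external address, which is why the summary also asks you to protect what is sent in the clear and to log and audit for abnormalities.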

References
1. Internet Infrastructure Security Technology Details – Merike Kaeo (NSRC)
2. Cisco Networking Academy, Network Security 1 and 2 Companion Guide
3. IETF RFC 2828
4. IT Security. (2007) Network Security Threats for SMBs
