
Chapter 2: Computer Threat (4 hr)

2.1 Malicious code


Studied in Chapter 1 (repeated here).

Class of Attacks

Classification Of Computer Security Attacks

In an information-security context, attacks are traditionally grouped into four
broad categories; these notes add intrusion as a fifth:

1. Fabrication
2. Interception
3. Interruption
4. Modification
5. Intrusion

1.Fabrication

As stated above, fabrication is one of the broad categories used to classify
attacks and threats. A fabrication attack creates illegitimate information,
processes, communications or other data within a system.

Often, fabricated data is inserted right alongside authentic data. When a
system is compromised, attackers may use fabrication techniques to gain trust,
create a false trail, collect data for illicit use, or spawn malicious or
extraneous processes. In addition, fabricated data may reduce confidence in
genuine data within the affected system.

Examples of Fabrication attacks include:

• SQL Injection
• User / Credential Counterfeiting
• Log / Audit Trail Falsification
• Email Spoofing

1|Page Computer Digital Information security


Mitigate the attack:

• Use authentication and authorization mechanisms
• Use firewalls
• Use digital signatures - a digital signature scheme is a mathematical scheme
for demonstrating the authenticity and integrity of a digital message or
document; a counterfeit or altered message fails signature verification.

2.Interception

An interception is where an unauthorized individual gains access to confidential
or private information. Interception attacks target the confidentiality
objective of the CIA triad.

Examples of Interception attacks:

• Eavesdropping on communication.
• Wiretapping telecommunications networks.
• Illicit copying of files or programs.
• Obtaining copies of messages for later replay.
• Packet sniffing and key logging to capture data from a computer system
or network.

Mitigate the attack:

• Use encryption - TLS (the successor of SSL) and VPNs encrypt the flow of
information from source to destination, so that someone able to snoop on the
traffic sees only ciphertext.
• Traffic padding - a function that produces ciphertext output continuously,
even in the absence of plaintext. A continuous random data stream is generated;
when plaintext is available it is encrypted and transmitted, and when no
plaintext is present the random data is encrypted and transmitted instead. An
observer cannot distinguish true data flow from noise and therefore cannot
deduce the amount of traffic.



3.Interruption

In an interruption attack, a network service is degraded or made unavailable for
legitimate use. These are attacks against the availability of the network.

Examples of Interruption attacks :

• Overloading a server host so that it cannot respond.


• Cutting a communication line.
• Blocking access to a service by overloading an intermediate network or
network device.
• Redirecting requests to invalid destinations.
• Theft or destruction of software or hardware involved.

Mitigate the attack:

• Use firewalls - firewalls apply simple rules such as allowing or denying
protocols, ports or IP addresses.
• Keep proper backups of system configuration data.
• Replicate services and data across redundant systems.

4.Modification

Modification is an attack against the integrity of the information. There are
three types of modification:

• Change: existing information is altered, so that it still exists but is now
incorrect. Change attacks can target sensitive information or public
information.
• Insertion: information that did not previously exist is added. This attack
may be mounted against historical information or against information that is
yet to be acted upon.
• Deletion: existing information is removed.

Examples of Modification attacks include:

• Modifying the contents of messages in the network.


• Changing information stored in data files.
• Altering programs so they perform differently.
• Reconfiguring system hardware or network topologies.

Mitigate the attack:

• Use encryption mechanisms
• Traffic padding
• Keep backups
• Use messaging techniques such as checksums, sequence numbers, digests and
message authentication codes, so that altered, inserted, reordered or replayed
messages are detected by the receiver
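
As an added example (not code from these notes), the following C program applies two of the techniques just listed, a sequence number and a checksum, to a constructed message format and shows the receiver rejecting a frame whose payload was changed in transit and a frame that is replayed. The frame layout, the function names and the sample messages are assumptions made for illustration. One caveat a practitioner should keep in mind: a plain CRC detects accidental corruption and casual tampering only; an attacker who can rewrite the payload can also recompute the CRC, so against deliberate modification the checksum field must carry a keyed message authentication code or a digital signature instead, with the same verify-then-check-sequence logic shown here.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_PAYLOAD 64

/* CRC-32 (IEEE 802.3, reflected, polynomial 0xEDB88320), computed bit by bit.
 * Standard check value: crc32("123456789") == 0xCBF43926. */
uint32_t crc32(const uint8_t *data, size_t len) {
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < len; i++) {
        crc ^= data[i];
        for (int b = 0; b < 8; b++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}

static void put_be32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}

static uint32_t get_be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Wire format (assumed for this example):
 *   4 bytes  sequence number, big-endian
 *   n bytes  payload
 *   4 bytes  CRC-32 over the sequence number and the payload */
struct frame {
    uint8_t buf[4 + MAX_PAYLOAD + 4];
    size_t  len;
};

/* Sender side: returns -1 if the payload does not fit the frame. */
int frame_build(struct frame *f, uint32_t seq, const char *payload) {
    size_t n = strlen(payload);
    if (n > MAX_PAYLOAD) return -1;
    put_be32(f->buf, seq);
    memcpy(f->buf + 4, payload, n);
    put_be32(f->buf + 4 + n, crc32(f->buf, 4 + n));
    f->len = 4 + n + 4;
    return 0;
}

enum verdict { FRAME_OK, FRAME_MALFORMED, FRAME_CORRUPT, FRAME_REPLAY };

/* Receiver side. *last_seq holds the highest sequence number accepted so far;
 * it starts at 0 and the sender starts counting at 1. */
enum verdict frame_verify(const struct frame *f, uint32_t *last_seq,
                          char *out, size_t outsz) {
    if (f->len < 8 || f->len - 8 > MAX_PAYLOAD) return FRAME_MALFORMED;
    size_t n = f->len - 8;
    if (n + 1 > outsz) return FRAME_MALFORMED;
    /* Checksum first: any change to seq or payload shows up here. */
    if (crc32(f->buf, 4 + n) != get_be32(f->buf + 4 + n)) return FRAME_CORRUPT;
    /* Then ordering: a duplicate or an old frame that is re-sent is a replay. */
    uint32_t seq = get_be32(f->buf);
    if (seq <= *last_seq) return FRAME_REPLAY;
    *last_seq = seq;
    memcpy(out, f->buf + 4, n);
    out[n] = '\0';
    return FRAME_OK;
}

int main(void) {
    struct frame f;
    uint32_t last = 0;
    char out[MAX_PAYLOAD + 1];

    frame_build(&f, 1, "transfer 100 to alice");
    printf("first delivery : %d\n", frame_verify(&f, &last, out, sizeof out)); /* 0 = FRAME_OK */
    printf("replayed frame : %d\n", frame_verify(&f, &last, out, sizeof out)); /* 3 = FRAME_REPLAY */

    frame_build(&f, 2, "transfer 100 to alice");
    f.buf[4 + 9] = '9';   /* attacker changes "100" to "900" in transit */
    printf("tampered frame : %d\n", frame_verify(&f, &last, out, sizeof out)); /* 2 = FRAME_CORRUPT */
    return 0;
}
```

The receiver checks the checksum before the sequence number so that a corrupted frame cannot advance the window; only a frame that passes both checks updates `last_seq`.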

5. Intrusion

Forcible entry into a system, or into the communication path between client and
server, followed by exploitation of its resources.

Mitigate the attack:

• Introduce intrusion detection systems (IDS), which look for signatures that
represent known attacks.

6.Reconnaissance

In the context of cybersecurity, reconnaissance is the practice of covertly


discovering and collecting information about a system. This method is often
used in ethical hacking or penetration testing.

Like many cybersecurity terms, reconnaissance derives from military language,


where it refers to a mission with the goal of obtaining information from enemy
territory.



How Reconnaissance Works

1. Collect initial information


2. Determine the network range
3. Identify active machines
4. Find access points and open ports
5. Fingerprint the operating system
6. Discover services on ports
7. Map the network

Using these steps, an attacker will aim to gain the following information about a
network:

• File permissions
• Running network services
• OS platform
• Trust relationships
• User account information

7. Access

Access attacks require some sort of intrusion capability. These can consist of
anything from gaining an account holder's credentials to plugging foreign
hardware directly into the network infrastructure. They usually happen after
the attacker has already performed reconnaissance.

General distinction of access attacks

A. Logical access attacks, such as brute-force or dictionary attacks against
network-facing logins (or rainbow-table lookups to crack captured password
hashes), tend to create a great deal of traffic on the network and can be
spotted even by an inexperienced network monitor.

B. Physical access is really either access to the hardware or access to the
people. Social engineering is very dangerous and hard to defend against simply
because users are usually the weakest link in cybersecurity. The easiest kind of
social engineering attack is sending out phishing emails designed to hook
someone, or getting a keylogger onto an insider's computer to collect
credentials that let the attacker escalate privileges. Even the best
cybersecurity can fall to these attacks because they exploit human nature, and
people make mistakes.

Mitigation (remedial solution)

These types of attacks really come down to network hardening. Most companies are
limited to the capabilities of their equipment, so if your Cisco router is
vulnerable to an attack, the best course of action is to know that attack, look
for it, and set rules on your network IDS/IPS for it.

Update often and regularly. This cannot be stressed enough in the computer
industry.

Additional steps include monitoring the probing from any recently recognised
reconnaissance attacks. If attackers are researching you, there is a greater
likelihood of future attack attempts.

Again, bring in outsourced teams to test and audit your current security posture
if you do not have the right team in-house.

8. Denial of Service

A Denial-of-Service (DoS) attack is an attack meant to shut down a machine or
network, making it inaccessible to its intended users. DoS attacks accomplish
this by flooding the target with traffic, or by sending it information that
triggers a crash.

Program flaws
3.1 Buffer overflows

A flaw is a security risk: it can cause the program to crash or cause other
issues. To resolve flaws, the software developer releases updates.
What is a security flaw in a program? A security flaw is a part of a program
that can cause the system to violate its security requirements.
In software development, such flaws commonly come in two forms:
1. Boundary overflow: input exceeds an assumed boundary, thereby causing a
vulnerability. For example, the application may run out of memory, or a
variable might reach its maximum value and roll over to its minimum value.
2. Buffer overflow: a special case of boundary overflow, where the bounds check
on the size of input being stored in a buffer (array) is not performed or is
in error. This type of vulnerability comes in different flavours, including:

Data type: buffers of any data type (character, integer, floating point, wide
character, pointer, unsigned character, unsigned integer) may be overflowed. The
attacker may use a different technique for each data type to exploit the buffer
overflow vulnerability.

Memory location: the buffer may reside in different locations (stack, heap,
data region, BSS, shared memory, etc.). The attacker may use a different
technique for each memory location to exploit the buffer overflow
vulnerability.
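
As an added example (not code from these notes), the C program below shows the two forms just described side by side: a buffer overflow, where an unchecked `strcpy()` into a fixed-size name field runs into the privilege flag stored next to it, beside the bounds-checked version that rejects oversized input; and a boundary overflow of the integer kind, where a length stored in a one-byte field wraps modulo 256. The struct, its field names and the constructed inputs are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define NAME_LEN 16

/* Layout assumed for the example: a fixed buffer immediately followed by a
 * privilege flag, the classic target of a stack or struct overflow. */
struct session {
    char name[NAME_LEN];   /* attacker-controlled string */
    int  is_admin;         /* sits directly after the buffer in memory */
};

/* VULNERABLE: strcpy() stops only at the input's NUL byte. Input of NAME_LEN or
 * more characters writes past name[] into is_admin (and, if longer still, past
 * the struct altogether). No bounds check is performed at all. */
void set_name_unsafe(struct session *s, const char *input) {
    strcpy(s->name, input);
}

/* FIXED: find the terminator within the buffer's bound first; if it is not
 * there the input cannot fit, so reject it rather than silently truncate. */
int set_name_safe(struct session *s, const char *input) {
    const char *nul = memchr(input, '\0', NAME_LEN); /* inspects at most NAME_LEN bytes */
    if (nul == NULL) return -1;                        /* no room for data + terminator */
    memcpy(s->name, input, (size_t)(nul - input) + 1);
    return 0;
}

/* Boundary overflow of the integer kind: a length copied into a one-byte
 * protocol field wraps modulo 256, so 300 becomes 44 and later passes checks
 * written against the wrong value. Returns 1 if len survives the round trip. */
int fits_in_u8_length(size_t len) {
    unsigned char field = (unsigned char)len;
    return field == len;
}

int main(void) {
    struct session s = { "", 0 };
    /* 16 'A's fill name[] with no terminator; the next three bytes land in is_admin. */
    const char *evil = "AAAAAAAAAAAAAAAA\x01\x01\x01";

    set_name_unsafe(&s, evil);
    printf("unsafe: is_admin = %d (was 0, and no code path ever set it)\n", s.is_admin);

    struct session t = { "", 0 };
    printf("safe:   rc = %d, is_admin = %d\n", set_name_safe(&t, evil), t.is_admin);
    printf("u8 length field: 200 fits=%d, 300 fits=%d\n",
           fits_in_u8_length(200), fits_in_u8_length(300));
    return 0;
}
```

Compiled plainly, the unsafe call turns `is_admin` non-zero without any code path having assigned it. On a glibc system built with `_FORTIFY_SOURCE` (the default at `-O2` on several distributions) the same call aborts with "buffer overflow detected" instead, which is one of the operating-system-level controls the later section on defences refers to; the fix in `set_name_safe` does not depend on such a control being present.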

3.2 Time-of-check to time-of-use flaws

In software development, time-of-check-to-time-of-use (TOCTTOU, pronounced
"TOCK-too") is a race condition, classically in file access, that occurs when a
resource is checked for a particular property, such as whether a file exists or
whether the caller may read it, and that property changes before the resource is
used, invalidating the result of the check.

Errors can occur when the status changes unexpectedly, either maliciously or
unintentionally, between a check and a subsequent operation. A TOCTTOU attack
exploiting such a condition can lead to privilege escalation, allowing
unauthorized access to resources (for example read and write access), as well as
evasion of log and audit controls. This sort of attack is difficult to detect:
it requires not only looking for evidence, but also determining whether that
evidence could have been caused by a TOCTTOU race.

Cause:

The root cause of many TOCTTOU vulnerabilities lies in the lack of concurrency
control in an operating system's file-system API: a path name is looked up
afresh by every call, so nothing ties the object that was checked to the object
that is later used.

How to mitigate
Defences against TOCTTOU errors:
• When performing a privileged action on behalf of another party, make sure all
information relevant to the access-control decision is constant between the
time of the check and the time of the action (the "race" window).

For example, with Windows Vista Microsoft added transaction support (TxF) to the
NTFS file system. Within a transaction, all updates are kept isolated until
committed, when they are atomically published to the rest of the system. (TxF
has since been deprecated by Microsoft; on POSIX systems the equivalent
discipline is to open the file once and perform every check on the open file
descriptor rather than on the path.) Programmers should be aware of the dangers
of TOCTTOU vulnerabilities and use such features to prevent TOCTTOU race
conditions or reduce their potential impact.

3.3 Incomplete mediation

Inputs to programs are often specified by untrusted users; web-based
applications are a common example. "Untrusted" to do what? Users sometimes
mistype data in web forms:
• Phone number: 51998884567
• Email: mynaxwe@gmail.com
The web application needs to ensure that what the user has entered constitutes
a meaningful request. This is called mediation.

Incomplete mediation occurs when the application accepts incorrect data from
the user. Sometimes this is hard to avoid:
• Phone number: 519-886-4567 is a reasonable entry that happens to be wrong.
We therefore focus on catching entries that are clearly wrong:
• Not well formed, e.g. DOB: 1980-04-31
• Unreasonable values, e.g. DOB: 1876-10-12
• Inconsistent with other entries

Why do we care?
• What is the security issue here?
• What happens if someone fills in:
• DOB: 98764874236492483649247836489236492 (buffer overflow?)
• DOB: '; DROP DATABASE clients; -- (SQL injection?)
• We need to make sure that any user-supplied input falls within well-specified
values known to be safe; otherwise SQL injection or memory corruption will
occur.

How to mitigate
Defences against incomplete mediation:
• Validate every user-supplied field before use: check its length against the
buffer that will hold it, its format (a whitelist of accepted characters and
shapes) and its range, and reject anything that does not match.
• Never splice input into SQL text; use parameterized queries so that data is
never parsed as part of the statement.
• Handle rejected input explicitly (catch the exception, return an error)
rather than letting the program continue with bad data.
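
As an added example (not code from these notes), the C program below mediates one field, a date of birth, in the order a practitioner would: length first with a bounded scan, so the oversized input above is refused before anything else looks at it; then exact shape, so nothing containing a quote, semicolon or comment marker gets through; then calendar sanity, so 1980-04-31 and 1876-10-12 are refused as the notes intend. The year bounds, the result codes and the sample inputs are assumptions made for illustration; a real application would bound the upper year by today's date.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Reasonable range for a date of birth; assumed for the example. */
#define MIN_YEAR 1900
#define MAX_YEAR 2100
#define DOB_LEN  10            /* strlen("YYYY-MM-DD") */

enum dob_result { DOB_OK, DOB_TOO_LONG, DOB_MALFORMED, DOB_UNREASONABLE };

static int is_leap(int y) {
    return (y % 4 == 0 && y % 100 != 0) || y % 400 == 0;
}

static int days_in_month(int y, int m) {
    static const int days[] = { 31, 28, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31 };
    return (m == 2 && is_leap(y)) ? 29 : days[m - 1];
}

/* Parse exactly n ASCII digits starting at s; anything else is a format error. */
static int parse_digits(const char *s, int n, int *out) {
    int v = 0;
    for (int i = 0; i < n; i++) {
        if (!isdigit((unsigned char)s[i])) return -1;
        v = v * 10 + (s[i] - '0');
    }
    *out = v;
    return 0;
}

/* Complete mediation of one field, in order:
 *  1. length, with a scan bounded to DOB_LEN + 1 bytes, so oversized input is
 *     rejected before any other code touches it (the "buffer overflow?" case);
 *  2. shape, exactly YYYY-MM-DD with digits only, so no quote, semicolon or
 *     comment marker survives (the "SQL injection?" case);
 *  3. calendar sanity, so 1980-04-31 and 1876-10-12 are refused. */
enum dob_result validate_dob(const char *input, int *y, int *m, int *d) {
    if (memchr(input, '\0', DOB_LEN + 1) == NULL) return DOB_TOO_LONG;
    if (strlen(input) != DOB_LEN || input[4] != '-' || input[7] != '-')
        return DOB_MALFORMED;
    if (parse_digits(input, 4, y) != 0 ||
        parse_digits(input + 5, 2, m) != 0 ||
        parse_digits(input + 8, 2, d) != 0)
        return DOB_MALFORMED;
    if (*y < MIN_YEAR || *y > MAX_YEAR || *m < 1 || *m > 12 ||
        *d < 1 || *d > days_in_month(*y, *m))
        return DOB_UNREASONABLE;
    return DOB_OK;
}

int main(void) {
    /* Constructed inputs, including the examples from the notes. */
    const char *samples[] = {
        "1980-04-30", "1980-04-31", "1876-10-12", "2000-02-29", "1900-02-29",
        "98764874236492483649247836489236492", "'; DROP DATABASE clients; --",
        "1980/04/30",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int y = 0, m = 0, d = 0;
        enum dob_result r = validate_dob(samples[i], &y, &m, &d);
        printf("%-40s -> %d\n", samples[i], (int)r);  /* 0 OK, 1 too long, 2 malformed, 3 unreasonable */
    }
    return 0;
}
```

Validation of this kind is the first layer, not the only one: the value that passes it still goes to the database as a bound parameter of a prepared statement, never pasted into the SQL text, so even a field whose validator is too permissive cannot change the meaning of the query.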

Controls to protect against program flaws in execution

Operating system support and administrative controls consist of applying all of
the mitigation mechanisms explained above.

Program Security Defenses

The first mechanism (technical defence) protects the system using software and
hardware, for example encryption, firewalls, anti-malware and intrusion
detection. The second mechanism (operational defence) protects the system by
setting up system policies. Both apply to software development controls and
testing techniques as well as to the security of database management systems.
Database security, a subset of data security, consists of security controls,
tools and countermeasures that can protect a database from malicious attacks.
It encompasses the protection of the data itself, the database management
systems that manage the data, and the applications that access and use the
data. The end goal is to protect the confidentiality, integrity and
availability (CIA) of company information.
Threats to databases and their causes:

• SQL injection: occurs when threat actors inject malicious code into web-based
frontend applications. The code can pass to a backend database and provide
threat actors with access to all data stored in the database.
• Denial of Service (DoS): DoS attacks can slow down the database server or
make it unavailable to end-users. The result is poor user experience and
significantly high costs in bringing the database back up.
• Database misconfigurations: threat actors actively look for misconfigurations
to exploit. Databases running with default settings are particularly useful to
threat actors, making it easier to hack into these accounts.
• Poorly managed sensitive data: sensitive data is the bread and butter of
organizations as well as cybercriminals. Unfortunately, many organizations do
not properly secure their sensitive information, exposing it to attacks.
• Weak audit trails: many regulatory entities require organizations to record
and register database events automatically. Keeping track of these events
provides an audit trail that enables security teams, database administrators,
and external auditors to investigate and ensure the data stored within the
database is properly protected.

Key take away from this chapter

Harden Database Management Systems

Database hardening is the process of analyzing and configuring a database to


address security vulnerabilities by applying security best practices

Activity Monitoring

Businesses should ensure that monitoring is enabled on their systems and that
logs are sent to a secure repository. Monitoring systems must use
behaviour-based analysis to detect unusual user activity, especially among users
with administrative access.

Encrypt Sensitive Data

Encryption is a critical best practice for database security. Businesses should use
strong encryption to protect their databases in three ways:

Perform Vulnerability and Configuration Assessments

Enforce the Principle of Least Privilege

A basic concept of network security is to restrict a user’s access to the minimum


set of privileges required to perform their task.

Establish Security and Compliance Policies

Without clearly defined security policies and standards



Computer security threats are potential threats to your computer's efficient
operation and performance. They range from harmless adware to a dangerous
trojan infection. A threat in a computer system is a potential danger that could
jeopardize your data security. At times, the damage is irreversible.

Types of Threats:

A security threat is a threat that has the potential to harm computer systems and
organizations. The cause could be physical, such as a computer containing
sensitive information being stolen. It’s also possible that the cause isn’t physical,
such as a viral attack.

1. Physical Threats: A physical danger to computer systems is a potential cause


of an occurrence/event that could result in data loss or physical damage. It can
be classified as:

• Internal: Short circuit, fire, non-stable supply of power, hardware failure


due to excess humidity, etc. cause it.
• External: Disasters such as floods, earthquakes, landslides, etc. cause it.
• Human: Destroying of infrastructure and/or hardware, thefts, disruption,
and unintentional/intentional errors are among the threats.

2. Non-physical threats: A non-physical threat is a potential source of an
incident that could result in:

• Hampering of the business operations that depend on computer systems.
• Loss of sensitive data or information.
• Illegally tracking the activity on someone else's computer system.
• Hacking of users' IDs and passwords, etc.

Non-physical threats are commonly caused by:

(i) Malware: Malware (“malicious software”) is a type of computer program that


infiltrates and damages systems without the users’ knowledge. Malware tries to
go unnoticed by either hiding or not letting the user know about its presence on
the system. You may notice that your system is processing at a slower rate than
usual.

(ii) Virus: It is a program that replicates itself and infects your computer’s files
and programs, rendering them inoperable. It is a type of malware that spreads
by inserting a copy of itself into and becoming part of another program. It
spreads with the help of software or documents. They are embedded with
software and documents and then transferred from one computer to another
using the network, a disk, file sharing, or infected e-mail. They usually appear as
an executable file.

(iii) Spyware: Spyware is a type of computer program that tracks, records, and
reports a user's activity (offline and online) without their permission for the
purpose of profit or data theft. Adware is a sort of spyware that is primarily
used by advertisers. When you go online, it keeps track of your web browsing
patterns in order to compile data on the types of websites you visit.

(iv) Worms: Computer worms are similar to viruses in that they replicate
themselves and can inflict similar damage. Unlike viruses, which spread by
infecting a host file, worms are freestanding programs that do not require a
host program or human assistance to proliferate. Worms do not change programs;
instead, they replicate themselves over and over, consuming network and system
resources until the system becomes unusable.

(v) Trojan: A Trojan horse is malicious software that is disguised as a useful
host program. When the host program is run, the Trojan performs a
harmful or unwanted action.

(vi) Denial Of Service Attacks: A Denial of Service attack is one in which an


attacker tries to prohibit legitimate users from obtaining information or services.

(vii) Phishing: Phishing is a type of attack that is frequently used to obtain


sensitive information from users, such as login credentials and credit card details

(viii) Key-Loggers: Keyloggers can monitor a user's computer activity in real
time.

How to mitigate:

In order to keep your system data secure and safe, you should take the
following measures:

1. Always keep a backup of your data.

2. Install firewall software and keep it updated.

3. Make use of strong and difficult to crack passwords (having capital & small
alphabets, numbers, and special characters).

4. Install antivirus/anti-spyware software and keep it updated.

5. Timely scan your complete system.

6. Before installing any program, check whether it is safe to install it (using


Antivirus Software).

7. Take extra caution when reading emails that contain attachments.

8. Always keep your system updated.

