
Chapter Two

Computer Security Threats and Attacks


Computer security threats are anything that has the potential to cause harm to the value of the assets of information system resources.
A computer security attack, on the other hand, is any action that compromises the security of the assets of information system resources and that derives from an intelligent threat: a deliberate act that attempts to evade security services, exploits a vulnerability and violates the security policy of a system. Examples of attacks include sending malicious input to an application or flooding a network in an attempt to deny service. A computer security threat may come from natural causes or from a person, either non-malicious or malicious (through computer malicious software, or malware).

Computer Security _ Compiled - Zufan W. OBU- - 2016 _E.C
Figure 1.2 Causes of Threat

Malicious attacks can be random or directed. In a random attack the attacker wants to harm any computer or user; such an attack is analogous to accosting the next pedestrian who walks down the street. An example of a random attack is malicious code posted on a website that could be visited by anybody.

In a directed attack, the attacker intends harm to specific computers, perhaps at one organization (think of attacks against a political organization) or belonging to a specific individual (think of trying to drain a specific person's bank account, for example, by impersonation). Another class of directed attack is against a particular product, such as any computer running a particular browser.

Non-malicious kinds of harm include someone accidentally spilling a soft drink on a laptop, social engineering, unintentionally deleting text, unintentionally sending an email message to the wrong person, and carelessly typing "12" instead of "21" when entering a phone number or clicking "yes" instead of "no" to overwrite a file.
Social Engineering: A technique that a hacker uses to steal sensitive data from a person, for various purposes, through psychological manipulation combined with deliberately staged social scenarios. E.g., imagine the boss asking one of the staff members for their username and password.

Computer Malicious Software or Malware (Malicious Code or Malcode)


Computer malicious software is software specifically designed to damage, interrupt, steal from, or cause illegitimate action on the assets of information system resources. It is one of the most common computer threats. Malware is software that a hacker has created to damage a legitimate user's computer resources. Some of the most commonly known types of malware are masqueraders, viruses, worms, Trojans, backdoors, spyware, adware, bots and ransomware.
Masquerader: An individual who is not authorized to use the computer and who penetrates a system's access controls to exploit a legitimate user's account.

What is Virus?
A virus is a program made of malicious code that can spread from device to device. It can replicate itself and attach to another application or file. When that file is transferred to another computer via email, the network or removable devices, the virus spreads to that computer. A virus typically attaches itself to a program file or to the boot sector of the hard drive. Once the virus attaches itself to a file or program, that file or program is infected. When the infected application or file is executed, the virus activates and runs in the system and is then able to delete, duplicate or corrupt files. When your computer is infected, the virus alters the way your computer operates, can destroy your files, or can prevent the computer from working altogether.
Signs of Virus Infection
It is vital for any computer user to be aware of these warning signs:
• Slower system performance and pop-ups bombarding the screen
• Programs running on their own and files multiplying or duplicating on their own
• New files or programs appearing on the computer and unexplained hard drive activity
• Files, folders or programs getting deleted or corrupted
What is Worm?
Worms are a self-replicating type of malware that enter networks by exploiting vulnerabilities, moving quickly from one computer to another. Because of this, worms propagate not only locally but have the potential to disrupt systems worldwide. Unlike a typical virus, worms do not attach to a file or program. Instead, they enter computers through a vulnerability in the network, self-replicating and spreading before you are able to remove them. Worms are standalone malware that does not need any host to spread and does not need human help to execute. Worms replicate themselves and spread automatically with the help of the network or the user's email account. Worms consume resources such as memory, CPU and network bandwidth, interrupting network and web servers, and are able to crash a computer or a network by driving up resource usage. Worms take advantage of a network or system vulnerability to infect the computer.

Virus vs Worm
1. Virus: needs human help to execute and spread. Worm: executes and spreads automatically.
2. Virus: attaches itself to a host and spreads wherever the host reaches. Worm: does not need a host and exploits a vulnerability of a network to spread.
3. Virus: destroys, damages or alters the files in the infected computer. Worm: does not affect files but increases resource usage to crash the system or network.
4. Virus: spreading speed is low compared to worms. Worm: spreading speed is fast, and it quickly infects multiple computers or networks.
5. Virus: to clean the infection or stop it, the user needs an antivirus. Worm: to remove the infection or prevent it, the user needs an antivirus and a firewall.

A Trojan is a type of malware that is disguised as legitimate software. Cybercriminals trick users into loading Trojans onto their computer, where they cause damage or collect data. Trojans are also known to create backdoors that give malicious users access to the system. Unlike viruses and worms, Trojans do not reproduce by infecting other files, nor do they self-replicate. Trojans must spread through user interaction, such as opening an email attachment or downloading and running an executable file or document from the Internet. We defend against them by avoiding downloading executable files or documents from untrusted sites or sources.

Backdoor
An undocumented way of accessing a system, bypassing the normal authentication mechanisms. Some backdoors are placed in the software by the original programmer and others are placed on systems through a system compromise, such as a virus or worm. Usually, attackers use backdoors for easier and continued access to a system after it has been compromised. A backdoor is typically a password, known only to the attacker, that allows access to the system without having to go through any security.
Spyware is a program that secretly records what a user does, or software that gathers user information through the user's Internet connection without their knowledge. For example, spyware could capture credit card details, log keystrokes, and capture passwords.
Adware is software that generates revenue for its developer by automatically generating online advertisements in the user interface of the software or on a screen presented to the user during the installation process. The software may generate two types of revenue: one for the display of the advertisement and another on a "pay-per-click" basis if the user clicks on the advertisement.
In short, adware is advertising software, which can also be used to spread malware.

Ransomware: Malware that locks down a user's files and data and threatens to erase them unless a ransom (payment) is paid.
Phishing is when cybercriminals target victims with emails that appear to be from a legitimate company asking for sensitive information. Phishing attacks are often used to dupe people into handing over credit card data and other personal information.

Denial-of-Service Attack (DOS)


A denial-of-service attacker sends so many requests to a target system that the target cannot handle them successfully; this can crash the entire system or take the site down (either crashing or hanging the operating system, or disabling any network communication to or from the site).
Distributed DoS attacks (DDoS): one machine compromises other machines (zombies) and makes them participate in the attack. This group of compromised computers is known as zombies. Zombies can operate autonomously or under the attacker's direct control to attack systems. In the scanning process, the attacker first seeks out a number of vulnerable machines and infects them. Then, typically, the zombie software installed on the infected machines repeats the same scanning process, until a large distributed network of infected machines is created.

Another way to classify DDoS attacks is as either direct or reflector DDoS attacks. In a direct DDoS attack (Figure 1.3), the attacker is able to implant zombie software on a number of sites distributed throughout the Internet. Often, the DDoS attack involves two levels of zombie machines, master zombies and slave zombies. The hosts at both levels have been infected with malicious code. The attacker coordinates and triggers the master zombies, which in turn coordinate and trigger the slave zombies. The use of two levels of zombies makes it more difficult to trace the attack back to its source and provides for a more resilient network of attackers.

Fig 1.3 Direct DDoS Attack

A reflector DDoS attack adds another layer of machines (Figure 1.4). In this type of attack, the slave zombies construct packets requiring a response, with the target's IP address as the source IP address in the packet's IP header. These packets are sent to uninfected machines known as reflectors. The uninfected machines respond with packets directed at the target machine. A reflector DDoS attack can easily involve more machines and more traffic than a direct DDoS attack and hence be more damaging. Further, tracing back the attack or filtering out the attack packets is more difficult because the attack comes from widely dispersed uninfected machines.

Fig 1.4 Reflector DDoS Attack

Types of flooding based DDoS Attack
DDoS Countermeasures
In general, there are three lines of defense against DDoS attacks.
Attack prevention and preemption (before the attack): These mechanisms enable the victim
to endure attack attempts without denying service to legitimate clients. Techniques include
enforcing policies for resource consumption and providing backup resources available on
demand. In addition, prevention mechanisms modify systems and protocols on the Internet to
reduce the possibility of DDoS attacks.

Attack detection and filtering (during the attack): These mechanisms attempt to detect the
attack as it begins and respond immediately. This minimizes the impact of the attack on the
target.
Detection involves looking for suspicious patterns of behavior. Response involves filtering out
packets likely to be part of the attack.

Attack source traceback and identification (during and after the attack): This is an attempt to identify the source of the attack as a first step in preventing future attacks. However, this method typically does not yield results fast enough, if at all, to mitigate an ongoing attack. The challenge in coping with DDoS attacks is the sheer number of ways in which they can operate. Thus DDoS countermeasures must evolve with the threat.
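An added example, not part of these notes, showing the "detection and filtering" line of defense in Python over constructed flow records for the two DDoS shapes described above: a direct flood (many sources, high packet rate at one destination within one second) and a reflector attack (a host receiving responses from many peers it never sent a request to). A stateful filter then drops the unsolicited responses. The record layout, thresholds and addresses (RFC 5737 documentation ranges) are assumptions of this example.

```python
from collections import defaultdict

# Constructed flow records for this example: (time_s, src, dst, service, kind)
# kind is "request" or "response" (e.g. a DNS query and its answer).
def build_sample_flows():
    flows = []
    # Legitimate: 10.0.0.5 queries the resolver 10.0.0.53 once per second.
    for t in range(5):
        flows.append((t, "10.0.0.5", "10.0.0.53", "udp/53", "request"))
        flows.append((t, "10.0.0.53", "10.0.0.5", "udp/53", "response"))
    # Reflection: eight reflectors answer 10.0.0.9, which never asked them
    # (the slave zombies put 10.0.0.9 as the source of their requests).
    for i in range(8):
        for t in range(3):
            flows.append((t, f"198.51.100.{i + 1}", "10.0.0.9", "udp/53", "response"))
    # Direct flood: twenty zombies each send five packets to 10.0.0.80 in second 2.
    for i in range(20):
        for _ in range(5):
            flows.append((2, f"203.0.113.{i + 1}", "10.0.0.80", "tcp/80", "request"))
    return flows


def flood_targets(flows, pkt_threshold=50, src_threshold=10):
    """Direct-flood detection: per (dst, second) bucket, flag destinations that
    receive at least pkt_threshold packets from at least src_threshold sources."""
    pkts = defaultdict(int)
    srcs = defaultdict(set)
    for t, src, dst, _service, _kind in flows:
        bucket = (dst, int(t))
        pkts[bucket] += 1
        srcs[bucket].add(src)
    flagged = defaultdict(list)
    for (dst, sec), n in sorted(pkts.items()):
        if n >= pkt_threshold and len(srcs[(dst, sec)]) >= src_threshold:
            flagged[dst].append(sec)
    return dict(flagged)


def reflection_victims(flows):
    """Reflector detection: a host that receives responses from peers it never
    sent a request to is the likely victim; those peers are the reflectors."""
    asked = {(src, dst) for _t, src, dst, _s, kind in flows if kind == "request"}
    victims = defaultdict(set)
    for _t, src, dst, _service, kind in flows:
        if kind == "response" and (dst, src) not in asked:
            victims[dst].add(src)
    return {victim: sorted(reflectors) for victim, reflectors in victims.items()}


def stateful_filter(flows):
    """Filtering step: let a response through only if the receiving host sent a
    matching request earlier. Unsolicited reflector traffic is dropped."""
    seen_requests = set()
    kept = []
    for flow in sorted(flows, key=lambda f: f[0]):  # stable sort keeps order within a second
        _t, src, dst, _service, kind = flow
        if kind == "request":
            seen_requests.add((src, dst))
            kept.append(flow)
        elif (dst, src) in seen_requests:
            kept.append(flow)
    return kept


if __name__ == "__main__":
    sample = build_sample_flows()
    print("direct flood targets:", flood_targets(sample))
    print("reflection victims:", reflection_victims(sample))
    print("flows kept after filtering:", len(stateful_filter(sample)), "of", len(sample))
```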

Security Attack Vs Security Threat


The main difference between a threat and an attack is that a threat can be either intentional or unintentional, whereas an attack is intentional. Computer security threats are anything that has the potential to cause harm to the value of the assets of information system resources, whereas an attack is an attempt to cause damage. A threat to an information system resource does not mean information was altered or damaged, but an attack on the information system means there is a chance that information is altered, damaged or obtained if the attack is successful. A security threat is the expressed potential for the occurrence of an attack. A security attack is an action taken against a target with the intention of doing harm.
Common Security Attacks
• Interruption: The system becomes unusable after this attack by unauthorized users, which results in the system being wasted.
• Interception: The data or message sent by the sender is intercepted by an unauthorized individual, who then uses the message for a malicious purpose.
• Modification: The message sent by the sender is modified and sent on to the destination by an unauthorized user. The integrity of the message is lost by this type of attack.
• Fabrication: In this type of attack a fake message is inserted into the network by an unauthorized user as if it came from a valid user. This results in the loss of confidentiality, authenticity and integrity of the message.

Fig 1.5 Common Attack

Active Attack and Passive Attack


Computer security attacks are actions that compromise the security of the system. Conceptually, security attacks can be classified into two types, active and passive attacks, in which the attacker gains illegal access to the system's resources.
Active Attacks:
Active attacks are attacks in which the attacker tries to change or modify the content of messages. An active attack is a danger to integrity as well as availability. In an active attack the system is always damaged and system resources can be changed. The most important point is that, in an active attack, the victim gets informed about the attack.

Active attacks involve some modification of the data stream or the creation of a false stream and
can be subdivided into four categories: masquerade, replay, modification of messages, and
denial of service. A masquerade takes place when one entity pretends to be a different entity. A
masquerade attack usually includes one of the other forms of active attack. For example,
authentication sequences can be captured and replayed after a valid authentication sequence has
taken place, thus enabling an authorized entity with few privileges to obtain extra privileges by
impersonating an entity that has those privileges.

Passive Attacks:
Passive attacks are very difficult to detect because they do not involve any alteration of the data. Passive attacks are attacks in which the attacker observes or copies the content of messages. A passive attack is a danger to confidentiality. A passive attack does no harm to the system. The most important point is that, in a passive attack, the victim does not get informed about the attack.

Generally, the major difference between active and passive attacks is that in active attacks the attacker intercepts the connection and modifies the information, whereas in a passive attack the attacker intercepts the information in transit with the intention of reading and analyzing it, not altering it. Passive attacks are in the nature of eavesdropping on, or monitoring of, transmissions. The goal of the opponent is to obtain information that is being transmitted. Two types of passive attacks are release of message contents and traffic analysis.
The release of message contents (reading the content of the message) is easily understood. A telephone conversation, an electronic mail message, and a transferred file may contain sensitive or confidential information. We would like to prevent an opponent from learning the contents of these transmissions.
Traffic analysis (observing the pattern of the message traffic)
A second type of passive attack, traffic analysis, is subtler. Suppose that we had a way of masking the contents of messages or other information traffic so that opponents, even if they captured the message, could not extract the information from it. The common technique for masking contents is encryption. If we had encryption protection in place, an opponent might still be able to observe the pattern of these messages. The opponent could determine the location and identity of the communicating hosts and could observe the frequency and length of the messages being exchanged. This information might be useful in guessing the nature of the communication that was taking place.
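An added illustration, not from these notes, of the traffic-analysis point above in Python: even when every message is encrypted with a fresh random key, the ciphertext length still lets an opponent who knows the protocol's vocabulary tell the messages apart, and padding every message to a fixed block size removes that signal. The four-message vocabulary and the XOR one-time-key encryption are assumptions of this example, not a real protocol.

```python
import os

# Constructed protocol vocabulary that the opponent is assumed to know.
VOCABULARY = [b"OK", b"ACK", b"LOGIN FAILED", b"TRANSFER 500 TO ACCT 1234"]


def encrypt(key, plaintext):
    """XOR with a one-time random key: the content is hidden, but the ciphertext
    is exactly as long as the plaintext, which is what traffic analysis exploits."""
    if len(key) < len(plaintext):
        raise ValueError("key must be at least as long as the message")
    return bytes(p ^ k for p, k in zip(plaintext, key))


def pad(message, block):
    """Countermeasure: pad every message up to the next multiple of `block`
    (PKCS#7 style, so the receiver can strip it), hiding the true length."""
    n = block - (len(message) % block)
    return message + bytes([n]) * n


def unpad(padded):
    n = padded[-1]
    if n == 0 or n > len(padded) or padded[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return padded[:-n]


def observed_length(message, block=None):
    """All the eavesdropper sees on the wire is the ciphertext length."""
    wire = pad(message, block) if block else message
    return len(encrypt(os.urandom(len(wire)), wire))


def candidates_by_length(length, block=None):
    """The opponent's inference: which vocabulary messages yield this length?"""
    return [m for m in VOCABULARY if observed_length(m, block) == length]


def fraction_identified(block=None):
    """Share of vocabulary messages the opponent pins down from length alone."""
    unique = sum(
        1 for m in VOCABULARY
        if candidates_by_length(observed_length(m, block), block) == [m]
    )
    return unique / len(VOCABULARY)


if __name__ == "__main__":
    print("identified without padding:", fraction_identified())        # 1.0
    print("identified with 64-byte padding:", fraction_identified(64))  # 0.0
```

Padding hides length but not the timing or frequency of messages, which the text lists as the other signals an opponent can observe.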

Difference between Active Attack and Passive Attack:
1. Active attack: modification of information takes place. Passive attack: modification of the information does not take place.
2. Active attack: a danger to integrity as well as availability. Passive attack: a danger to confidentiality.
3. Active attack: attention is on detection. Passive attack: attention is on prevention.
4. Active attack: the system is always damaged. Passive attack: there is no harm to the system.
5. Active attack: the victim gets informed about the attack. Passive attack: the victim does not get informed about the attack.
6. Active attack: system resources can be changed. Passive attack: system resources are not changed.

Class of Attacks
The three common classes of attack are access, reconnaissance, and DoS.
Access Attacks
An access attack is an attacker's attempt to access another user's account or a network device as an unauthorized subject, when that resource is left vulnerable to the attacker. A resource administrator is responsible for ensuring that only authorized users access the resources. Unauthorized access is attempted via four means: password attacks, trust exploitation, port redirection, and man-in-the-middle attacks.
Password Attacks
Keeping your passwords simple or writing them down may seem like a good idea, but both practices are highly discouraged, since an attacker might attempt a login with guessed credentials. Not all attackers are external users; most successful attacks have come from internal company employees. Therefore, making your password harder to guess is necessary for password integrity, and changing passwords every time an employee leaves the company or at a set interval (every 90 days) would also help protect login credentials.

Trust Exploitation (Trust Abuse)


Trust exploitation can occur in one of two ways:
• Reliance on the trust a client has in a server
• Reliance on the trust the server has in the client
Servers that communicate between the DMZ and the internal network may have a trust relationship established. The internal devices may be set up to trust information that is received from a DMZ server. Typically an attacker first gains access to the DMZ, compromises the DMZ server and then initiates a connection to the internal network.
Port Redirection
Port redirection is a form of trust exploitation in which the untrustworthy source uses a machine
with access to the internal network to pass traffic through a port on the firewall or access control
list (ACL). The port in question normally denies traffic, but with redirection the attacker can
bypass security measures and open a tunnel for communication.

Man-in-the-Middle Attacks
A man-in-the-middle attack happens when a hacker eavesdrops on network traffic and intercepts a data transmission. After the transmission is intercepted, the untrustworthy host can position itself between the two communicating hosts, interpret the data, and steal information from the packets sent. The hacker can also take over the session and reformat the packets to send information to either or both communicating parties. In this situation, it is possible for the hacker to capture credentials, hijack a session, or instigate a DoS attack. Data sessions are more vulnerable when the packets are left in clear-text format and can be read by the human eye without any decryption. Proper data encryption, with the use of an encryption protocol, makes the captured data useless.

Reconnaissance Attacks
When I hear the word reconnaissance, I think of a military reconnaissance mission. The soldier is sent out to gather important information about an area of interest. The same holds true for a reconnaissance attack on a computer network. The hacker surveys a network and collects data for a future attack. Important information that can be compiled during a reconnaissance attack includes the following:
• Ports open on a server
• Ports open on a firewall
• IP addresses on the host network
• Hostnames associated with the IP addresses
The four common tools used for reconnaissance attacks are packet sniffers (also known as network monitors), ping sweeps, port scans, and information queries.
Packet Sniffers
A packet sniffer may also be called a network analyzer, packet analyzer, or Ethernet sniffer. The
packet sniffer may be either a software program or a piece of hardware with software installed in
it that captures traffic sent over the network, which is then decoded and analyzed by the sniffer.
Network administrators install monitors on dedicated machines or on their workstations when
needed. A common software program available today is Wireshark, formerly known as Ethereal.
Ping Sweeps
As you may recall, ping enables you to validate that an IP address exists and can accept requests by sending an echo request and then waiting for an echo reply. A ping sweep tool can send an echo request to numerous host IP addresses at the same time to see which host(s) respond(s) with an echo reply.
Port Scans
A port scanner is a software program that surveys a host network for open ports. Because ports are associated with applications, the hacker can use the port and application information to determine a way to attack the network. As mentioned, these programs can be used by a third party to audit a network as well as by a hacker for malicious intent.

Denial of Service (DoS) Attacks


DoS attacks are often implemented by a hacker as a means of denying a service that is normally available to a user or organization. For example, users might be denied access to email as the result of a successful DoS attack. DoS can also take the form of a distributed DoS (DDoS) attack, a TCP SYN attack, or a smurf attack.
Distributed DoS (DDoS)
With distributed DoS, multiple systems are compromised to send a DoS attack to a specific
target. The compromised systems are commonly called zombies or slaves. As a result of the
attack, the targeted system denies service to valid users.
Session Establishment.
In a TCP SYN attack, a SYN request is sent to a device with a spoofed source IP address. The
attacking system does not acknowledge the resulting SYN-ACK, which causes the session
connection queues to fill up and stop taking new connection requests. TCP intercept can be
configured on a router to block a TCP SYN attack. This enables the router to terminate any
sessions that have not been established within an allotted time frame.
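An added example, not from these notes, that models in Python what the TCP SYN attack does to a server's half-open connection queue and why terminating handshakes that are not completed within an allotted time frame (the TCP intercept behaviour described above) helps. The queue capacity, the spoofed SYN rates and the one-connection-per-second legitimate client are assumptions of this example.

```python
class HalfOpenQueue:
    """Model of a server's pending-connection (SYN backlog) queue."""

    def __init__(self, capacity, timeout_ms=None):
        self.capacity = capacity
        self.timeout_ms = timeout_ms   # None: half-open entries never expire
        self.pending = {}              # source -> time the SYN arrived (ms)
        self.dropped = 0               # SYNs refused because the queue was full
        self.established = 0

    def _expire(self, now_ms):
        # TCP-intercept-style cleanup: tear down handshakes that never
        # completed within the allotted time frame.
        if self.timeout_ms is None:
            return
        stale = [s for s, t in self.pending.items() if now_ms - t >= self.timeout_ms]
        for s in stale:
            del self.pending[s]

    def syn(self, now_ms, source):
        """A SYN arrives; return True if a half-open entry could be reserved."""
        self._expire(now_ms)
        if len(self.pending) >= self.capacity:
            self.dropped += 1
            return False
        self.pending[source] = now_ms
        return True

    def ack(self, source):
        """The final ACK of the handshake arrives; the entry leaves the queue."""
        if self.pending.pop(source, None) is not None:
            self.established += 1


def simulate(capacity, timeout_ms, spoofed_syn_per_sec, duration_s):
    """Replay a flood of SYNs from spoofed sources (which never ACK, because the
    SYN-ACK goes to the spoofed address) alongside one legitimate client that
    connects once per second. Returns (legit_established, legit_refused)."""
    q = HalfOpenQueue(capacity, timeout_ms)
    interval_ms = 1000 // spoofed_syn_per_sec
    legit_ok = legit_refused = 0
    for t in range(duration_s * 1000):
        if t % interval_ms == 0:
            q.syn(t, f"spoofed-{t}")       # every spoofed SYN looks like a new source
        if t % 1000 == 0:
            if q.syn(t, "client"):
                q.ack("client")            # a real client completes the handshake at once
                legit_ok += 1
            else:
                legit_refused += 1
    return legit_ok, legit_refused


if __name__ == "__main__":
    # Backlog of 128 entries, 50 spoofed SYN/s for 10 s.
    print("no timeout:  ", simulate(128, None, 50, 10))    # (3, 7)
    print("1 s timeout: ", simulate(128, 1000, 50, 10))    # (10, 0)
    # The timeout only helps while rate times timeout stays below the capacity.
    print("faster flood:", simulate(128, 1000, 400, 10))   # (1, 9)
```

The third run shows the limit of the mitigation: once the spoofed SYN rate times the timeout exceeds the backlog capacity, the queue refills before entries expire and legitimate clients are refused again.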
Smurf Attack
With a smurf attack, multiple broadcast ping requests are sent to a single target from a spoofed IP address. Adding the no ip directed-broadcast command to a router might help mitigate a potential smurf attack.

Hackers Vs Crackers
Hackers and crackers are both people who have extensive knowledge about computers and networks, ranging from how they are built and how they work to programming, code and everything else that relates to security. The two work for opposite interests: while one works for good, the other works entirely for malicious and criminal reasons.
In simpler terms, a hacker is someone who uses his/her skills and knowledge to find vulnerabilities in computer systems and helps improve and patch those vulnerabilities. The knowledge they possess about programming, various computer languages, code and general computer security is advanced and is used for morally good purposes. They are normally security professionals who can be hired by organizations to try to break into their systems and to audit their DNS and their networks so they can identify any flaws they may have. Hackers, in other words, are the internet security experts who may be hired for locating and identifying the loopholes in internet security systems and for fixing these loopholes and flaws. Hackers use their knowledge to help security systems.
A cracker is someone who uses his/her skills and knowledge to breach internet security and disrupt system security in order to steal credit card (financial) information, to obtain private data to sell, to simply destroy data, or for other illegal activity. A cracker is someone who unethically attempts to access computer systems without authorization. Crackers usually gain internet access or various software or apps without the knowledge or permission of the system owners and without paying, and use them for the purpose of engaging in illegal activities.
The two are sometimes called White Hats and Black Hats. Hackers, being the good guys, are called white hats, while black hats usually refers to crackers who violate computer security for personal gain. They look for backdoors in programs and systems, exploit those backdoors, and steal private information for use in a malicious way.
There are three groups of hackers.
A white hat hacker, upon finding some flaw in a system, will report the flaw to the vendor of that system (probably anonymously) and explain exactly what the flaw is and how it was exploited. White hat hackers, also called sneakers, are often hired specifically by companies to do penetration tests. The EC-Council even has a certification test for white hat hackers, the Certified Ethical Hacker test.
A black hat hacker is the person normally depicted in the media. Once s/he gains access to a system, her/his goal is to cause some type of harm. S/he might steal data, erase files, etc. Black hat hackers are sometimes referred to as crackers. Cracking is hacking conducted for malicious purposes.
A gray hat hacker is normally a law-abiding citizen, but in some cases will venture into illegal activities.
Script Kiddies: A hacker is an expert in a given system, but as with any profession the field includes its share of frauds. So, what is the term for someone who calls himself or herself a hacker but lacks the expertise? The most common term for this sort of person is script kiddie. The name comes from the fact that the Internet is full of utilities and scripts that one can download to perform some hacking tasks.
Phreaking: One specialty type of hacking involves breaking into telephone systems. It is “the
action of using mischievous and mostly illegal ways in order to not pay for some sort of
telecommunications bill, order, transfer, or other service”. Phreaking requires a significant
knowledge of telecommunications.
Motive of Attackers
There are three categories of motivation: political motivations, economic motivations and socio-cultural motivations.
• Political motivations: examples include destroying, disrupting, or taking control of targets; espionage; and making political statements, protests, or retaliatory actions.
• Economic motivations: examples include theft of intellectual property or other economically valuable assets (e.g., funds, credit card information), fraud, industrial espionage and sabotage, and blackmail.
• Socio-cultural motivations: examples include attacks with philosophical, theological, political, and even humanitarian goals. Socio-cultural motivations also include fun, curiosity, and a desire for publicity or ego gratification.
