
COIT20246

Attacks and Vulnerabilities

COIT20246 Networking and Cyber Security

Attacks and Vulnerabilities 1



What will you learn?


• What is information security?
• What do we want to protect with information security?
• CIA, McCumber, STRIDE
• Difference between threats and vulnerabilities
• Examples of adversarial and non-adversarial threats
• Where to find information about specific vulnerabilities and attacks
• Examples of general attacks in networks

2 COIT20246 ‐ Attacks and Vulnerabilities


Information Security Protections


Information Security Protections


• Information Security
• The protection of information and information systems from unauthorized
access, use, disclosure, disruption, modification, or destruction in order to
ensure confidentiality, integrity, and availability
• Information System: discrete set of information resources organized for the collection,
processing, maintenance, use, sharing, dissemination, or disposition of information.
• Different models/views for protection
• CIA Triad, STRIDE, AAA, McCumber Cube, …
• Defense in Depth
• Information security strategy integrating people, technology, and operations capabilities
to establish variable barriers across multiple layers and missions of the organization

Information systems usually include computers, networks and the Internet (“cyberspace”). Information security includes
computer security, network security and cyber security. There are differences, but often the terms are used interchangeably.


Many definitions and concepts in these slides are from NIST, especially:
An Introduction to Information Security, NIST SP 800‐12, 2017 by Nieles, Dempsey
and Pillitteri.
https://csrc.nist.gov/publications/detail/sp/800-12/rev-1/final
Also see the NIST Computer Security Resource Centre Glossary:
https://csrc.nist.gov/glossary

The next slides will define confidentiality, integrity and availability (CIA) and give the
STRIDE model. We will not cover AAA = Authentication, Authorisation and Accounting in
any depth, as aspects are covered in other models.


CIA Triad: Common InfoSec Goals


• Confidentiality
• Preserving authorized restrictions on information access and disclosure,
including means for protecting personal privacy and proprietary information
• Integrity
• Guarding against improper information modification or destruction and
ensuring information non-repudiation and authenticity
• Data integrity: The property that data has not been altered in an unauthorized manner.
Data integrity covers data in storage, during processing, and while in transit.
• System Integrity: The quality that a system has when it performs its intended function in
an unimpaired manner, free from unauthorized manipulation of the system, whether
intentional or accidental.
• Availability
• Ensuring timely and reliable access to and use of information.

CIA definitions are from NIST An Introduction to Information Security, 2017,
https://csrc.nist.gov/publications/detail/sp/800-12/rev-1/final

Confidentiality is what we often first think of when considering information security:
keeping information secret. Only those that are intended/allowed (authorized) to access
the information should be able to access it. If that information is disclosed to the wrong
people, then it is a breach of confidentiality.

Integrity is making sure information is not modified or denied.

Non-repudiation: To repudiate is to deny, so non-repudiation means someone cannot
deny something happened.

Availability is making sure the information system is available to the intended users as
expected. If the system goes down (users cannot access), then that is a compromise of
the availability protection.

One of the critiques of the CIA Triad is that it doesn't capture other important aspects like
AAA or the importance of people and processes. Hence other models were developed, like
STRIDE and the McCumber Cube.


McCumber Cube
• Expands CIA to also consider …
• Information States
• Data at rest, e.g. stored on disk
• Data in transit, e.g. sent across network
• Processing, e.g. operations by CPU
• Safeguards
• Policy and practices: processes to improve InfoSec
• Human factors: the role of people in InfoSec
• Technology: software and hardware solutions for InfoSec
• 27 possible combinations, e.g.
• What processes are used to provide confidentiality of data at rest?
• What technology is used to provide integrity of data in transit?


The idea of the McCumber Cube is to use it as a model for identifying the measures
(safeguards) needed to provide InfoSec.

An organisation will consider the measures they have from the perspective of processes,
people and technology.
‐ Processes are normally documented as policies or practices, e.g. a password policy
defines the process for creating new users, and limiting the structure of passwords.
‐ The role of people is referred to as “human factors”. Example of measures may include
user training and awareness campaigns.
‐ Technology is hardware or software to implement a measure.

It is important to note that information being protected should be considered depending
on its state. That is, you may have a different measure depending on whether that
information is at rest or in transit, e.g. encryption of data in transit, while using access
control mechanisms for data at rest.

To use the McCumber Cube an organisation would consider all 3x3x3 = 27 combinations
in the cube. Some may require multiple measures.


STRIDE
• Spoofing of identity (authentication)
• Tampering with data (integrity)
• Repudiation (non-repudiation)
• Information disclosure (confidentiality)
• Denial of service (availability)
• Elevation of privilege (authorization)

• Developed by Microsoft with focus on identifying threats


STRIDE was developed by Microsoft:
https://learn.microsoft.com/en-us/previous-versions/commerce-server/ee823878(v=cs.20)


How to use security models?


• CIA Triad, McCumber Cube, STRIDE, …
• Use a checklist of threats and protections
• What information is important to be protected for confidentiality?
• What measures do we have to protect against elevation of privilege?
• What processes do we have to ensure availability of our data at rest?
• Which security model to use?
• Context and organisation specific
• Use a combination
• No one best model
• CIA Triad is quick/simple, but move to others for more rigorous analysis


Threats and Vulnerabilities


Threats and Vulnerabilities


• Threat
• Any circumstance or event with the potential to adversely impact
organizational operations, organizational assets, or individuals through an
information system
• Vulnerability
• Weakness in a system, system security procedure, internal controls, or
implementation that could be exploited by a threat source
• Incident
• An event that can potentially cause undesirable consequences or impacts
• If a system is vulnerable, a threat source can lead to an incident


Threats may take advantage of vulnerabilities which lead to incidents. Incidents then
may have some negative impact (on the user/organisation).

Different terminology is used sometimes, e.g. threat event = incident.

If vulnerabilities are identified in advance, then security mechanisms can be used to
reduce the risk. Later topics will cover these processes.


Threat Sources and Incidents: Adversarial


• Adversarial threat sources
• individuals, groups, organizations, or entities that seek to exploit an
organization’s dependence on cyber resources
• Fraud and Theft
• Insiders, outsiders; authorized admins; former employees; criminal
organisations; …
• Gain access to information/systems via:
• Social Engineering: influence a person to violate security mechanism or divulge
confidential information, e.g., phishing
• Social Media: impersonate trusted people to send malicious software; collect
information for social engineering attacks
• Advanced Persistent Threat (APT): long term intrusion to gain specific information; use
multiple techniques to gradually build up access


This slide, and the next few slides, give examples of adversarial threat sources and non-
adversarial threat sources. They are only selected examples: there may be others.


Threat Sources and Incidents: Adversarial


• Insider Threat
• Employees of an organisation are often trusted, but if malicious can do
significant damage
• Destroy hardware, destroy data, add incorrect data, change passwords, …
• Malicious Hacker
• individual or group who use an understanding of systems, networking, and
programming to illegally access systems, cause damage, or steal
information
• Various types (and motivations)
• Attackers (thrill/challenge); Criminal groups (financial gain); Bot-Network Operators (sell
service to others); Intelligence Services (spying); Phishers (steal info for financial gain);
Spammers (sell products); Malware Authors (sell services to others); Terrorists
(ideology); Industrial Spies (financial gain)


Threat Sources and Incidents: Adversarial


• Malicious Software (Malware)
• Virus: code that attaches copies to other software and executes “payload”
• Payload: delete files, show message, encrypt files, …
• Trojan Horse: software performs a normal task, but also hidden unexpected
task
• Ransomware: encrypts files blocking access, seeking financial payment to
decrypt
• Logic bomb, worm, …


Threat Sources and Incidents: Non-adversarial


• Non-adversarial threat sources
• natural disasters or erroneous actions taken by individuals in the course of
executing their everyday responsibilities
• Errors and omissions
• Users incorrectly enter data or omit data; programming errors (“bugs”);
incorrect configuration of network equipment and servers; …
• Loss of physical infrastructure
• Power failures, ISP links fail, water leaks, fire, flood, civil unrest, strikes, …
• Impacts to personal privacy of information sharing
• Shifting from on-premise to cloud now makes user data available to cloud
operator
• Sharing personal info via social media (makes it easier for hackers)
• Organizations sharing info about cyber attacks may disclose personal info

Dealing with Threats and Vulnerabilities


• If vulnerabilities can be identified and removed in advance, the
threats can be reduced
• In practice, not all threats can be removed
• Tradeoff between potential impact and cost of removing
• Risk management is necessary
• Cyber security frameworks, including risk management, propose
mechanisms for dealing with threats and vulnerabilities


Cyber security frameworks are covered in the next topic(s).


Vulnerability Resources


Vulnerability Resources
• Organisations track vulnerabilities, attacks and solutions
• Governments: ACSC Alerts & Advisories (AU), CISA (US), CNCERT/CC (CN),
CERT-EU (EU), CERT-In (IN), FIRST (intl)
• Not-for-profits and industry orgs: AUSCERT, OWASP, MITRE CVE, NIST
NVD, MITRE ATT&CK, …
• Companies: many are CVE Number Authorities (CNA) reporting CVEs


CERT = Computer Emergency Readiness Team. They traditionally kept track of
vulnerabilities and attacks. In the past, many countries had one or more CERTs,
sometimes government and sometimes non-government (e.g. industry, academics).
Most countries now have an official government CERT (although it may no longer be called
a CERT). E.g. CISA was called US-CERT.


CVE, NVD and CVSS


• Common Vulnerabilities and Exposures (CVE)
• Specific vulnerabilities on products and systems
• CVE Identifier: CVE-YYYY-NNNNN
• MITRE CVE Database lists all CVEs (e.g. CVE-2023-23397)
• CVE Numbering Authorities (CNA) can create CVE IDs for their products (e.g.
CVE-2023-23397)
• NIST NVD includes all CVEs and may add more details (e.g. CVE-2023-23397)
• Includes severity rating based on Common Vulnerability Scoring System (CVSS)
• Common Weakness Enumeration (CWE) lists general vulnerabilities
• MITRE CWE Database
(e.g. CWE-294)


MITRE is a not-for-profit primarily funded by the US federal government. It maintains the
CVE database listing all CVEs. However, a lot of the CVEs are created by companies
(which are CNAs), so details of a CVE can normally be found on the company website
as well as the MITRE CVE website. In addition, NIST maintains the NVD, which also lists
all CVEs but may include additional information, including a rating.

The example CVE-2023-23397 was used as it was a recent advisory from ACSC at the
time of writing (https://www.cyber.gov.au/acsc/view-all-content/alerts/high-severity-
vulnerability-present-microsoft-outlook-windows). It is titled Follow the links and
explore the details shown by:
CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23397
Microsoft: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-23397
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-23397
And take note that it references CWE-294:
https://cwe.mitre.org/data/definitions/294.html


MITRE ATT&CK https://attack.mitre.org/


• Database of adversary tactics and techniques based on real-world observations
• Tactics: short-term, tactical adversary goals during an attack
• Techniques: means by which adversaries achieve tactical goals
• Sub-techniques: more specific means
• Covers: Enterprise, Mobile and Industrial Control Systems (ICS)
• Lists specific examples of attack: Campaigns, Groups, Software
• Lists: Mitigations and Detections


Open up the ATT&CK website and explore:
- Enterprise Tactics
- Techniques for one of the Enterprise Tactics, e.g. Reconnaissance has 10 techniques
- Groups
- Software
- Campaigns


OWASP https://owasp.org/
• Non-profit organisation for promoting software security (especially
web applications)
• Tutorials, cheat sheets, Top 10, methodologies, APIs, code libraries, testing
software, forums, …
• OWASP Top 10 https://owasp.org/Top10/
• Critical web application security risks

A01 Broken Access Control
A02 Cryptographic Failures
A03 Injection
A04 Insecure Design
A05 Security Misconfiguration
A06 Vulnerable and Outdated Components
A07 Identification and Authentication Failures
A08 Software and Data Integrity Failures
A09 Security Logging and Monitoring Failures
A10 Server Side Request Forgery


Network Attacks


Network Attacks
• Most information systems involve communications across a
computer network
• Network security is therefore important part of information security
and cyber security
• Focus on packets being delivered between source and destination
• Does not consider: compromise of source/destination computers; social
engineering; malware; …


Where can an attacker access your packets?


• Consider a simple model of a network when web browsing:
• Packets between web browser and web server
• Who can “see” your packets? Where?


The diagram is a simple view of a network path. Consider you using a web browser on
your computer at home and web browsing to some web server. The circles represent
routers. You have a home router, and a link to your ISP. Your ISP then connects to other
ISPs (x and y in this case, but could be any number of ISPs). Finally the operator of the
web server has a router on their network.

When web browsing, packets are sent between your web browser to web server,
traversing the routers and links in between. At what points could someone see the
packets between your browser and the web server?

[Diagram: network‐path‐model‐1; public domain; created by Steven Gordon]


Where can an attacker access your packets?


• Anywhere between your computer and server!
• A red X denotes a link/device where an attacker can potentially “see” your packets
• Any link or device between source and destination
• End-to-end security is necessary

The diagram illustrates locations where attacks may potentially occur with regards to
network security. In short, an attack may take place at any point between the source and
destination. Therefore we often talk about “end-to-end” security, where the security
mechanisms must apply across the entire path. It is usually not sufficient to secure just
one segment of the path, because the attack may take place on the other (unsecured)
segment.

You have already used “tcpdump” as a tool to capture (“see”) packets, however that was
on your own computer. Tcpdump and similar tools can be run on links/devices through
the network.

In the following we will look at the general types of attacks that an attacker can perform
on our network packets.

[Diagram: network‐path‐model‐2; public domain; created by Steven Gordon]


Types of Network Attacks


• Assume user A and user B communicate across the Internet
• Attacker can intercept communications between A and B


The following slides present 6 general types of network attacks. To demonstrate we will
use the model as shown here. We assume user A and B are communicating over the
Internet. An attacker C can intercept any communications between A and B, and
optionally modify communications.

In the following slides the examples link to techniques from MITRE ATT&CK and/or
MITRE CWE. Explore those links to see further detailed examples of attacks.


Disclosure Attack
• Attacker intercepts message and reads the contents (when they are
not authorized to)

• Examples: Wi-Fi packet sniffing, tcpdump on router, port mirroring on switch;
T1040 Network Sniffing, T1557 Adversary-in-the-Middle


Traffic Analysis Attack


• Attacker intercepts messages and by observing patterns of
communications learns useful information

• Examples: IP src/dst can reveal websites visited, frequency/timing/size of
messages may reveal confidential behaviour


Masquerade Attack
• Attacker sends message to user B pretending to be user A

• Example: T1566 Phishing


Replay Attack
• Attacker intercepts message and later re-sends that message to B

• Example: CWE-294 Authentication bypass by capture-replay; T1111 Multi-Factor
Authentication Interception


Modification Attack
• Attacker intercepts message and modifies the message before it
reaches user B

• Example: T1565 Transmitted Data Manipulation, T1557 Adversary-in-the-Middle


Denial of Service Attack


• Attacker sends many messages to user B, so B is unavailable to
respond to user A

• Example: T1498 Network Denial of Service


Network Attack Prevention and Detection


• Prevent the passive attacks
• Attacker passively listens to packets
• Disclosure, Traffic Analysis
• Mechanisms: Encryption, proxies, ToR, …
• Detect the active attacks
• Attacker actively changes the communications
• Masquerade, Replay, Modification, DoS
• Mechanisms: Authentication, signatures, timestamps, load balancing, …

• These and other security controls covered later (weeks/units)
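The slide above names authentication, signatures and timestamps as the mechanisms for detecting active attacks. The following Python sketch is an added example, not part of the original slides: user B checks each message from user A with an HMAC over the content, a timestamp and a per-message nonce, and the demo shows the replay, modification and masquerade attacks from the previous slides being rejected. The shared key, the 30-second freshness window and the message values are constructed assumptions.

```python
import hashlib
import hmac
import json

# Constructed shared key, assumed to have been agreed by A and B out of band.
SHARED_KEY = b"example-shared-key-for-A-and-B"
MAX_AGE = 30  # seconds; a message older than this is treated as stale


def build_message(sender, recipient, body, nonce, now):
    """Sender side (A): MAC the body together with identity, timestamp and nonce.
    Changing any field (modification) or claiming A's identity without the key
    (masquerade) makes the MAC fail at B."""
    fields = {"from": sender, "to": recipient, "body": body, "ts": now, "nonce": nonce}
    payload = json.dumps(fields, sort_keys=True).encode()
    tag = hmac.new(SHARED_KEY, payload, hashlib.sha256).hexdigest()
    return {"payload": payload, "tag": tag}


class Receiver:
    """Receiver side (B): verifies authenticity and rejects replays."""

    def __init__(self, name):
        self.name = name
        self.seen_nonces = set()  # nonces already accepted

    def accept(self, msg, now):
        """Return (accepted, reason) for one incoming message."""
        expected = hmac.new(SHARED_KEY, msg["payload"], hashlib.sha256).hexdigest()
        # Constant-time comparison: the check itself must not leak the tag.
        if not hmac.compare_digest(expected, msg["tag"]):
            return False, "bad MAC: modified or forged message"
        fields = json.loads(msg["payload"])
        if fields["to"] != self.name:
            return False, "not addressed to me"
        if abs(now - fields["ts"]) > MAX_AGE:
            return False, "stale timestamp: possible replay"
        if fields["nonce"] in self.seen_nonces:
            return False, "nonce already seen: replay"
        self.seen_nonces.add(fields["nonce"])
        return True, "ok"


def demo():
    """Run the active attacks from the slides against B; returns accept/reject per case."""
    b = Receiver("B")
    t0 = 1_700_000_000  # constructed fixed clock so the run is reproducible
    original = build_message("A", "B", "transfer 10", "n1", t0)
    results = {"legit": b.accept(original, t0 + 1)[0]}
    # Replay: C re-sends the captured message a few seconds later.
    results["replay"] = b.accept(original, t0 + 5)[0]
    # Late replay against a fresh receiver: the nonce is new but the timestamp is stale.
    results["late_replay"] = Receiver("B").accept(original, t0 + 600)[0]
    # Modification: C edits the body but cannot recompute the MAC without the key.
    tampered = dict(original)
    tampered["payload"] = original["payload"].replace(b"transfer 10", b"transfer 99")
    results["modified"] = b.accept(tampered, t0 + 1)[0]
    # Masquerade: C claims to be A but only has a guessed key.
    fake = build_message("A", "B", "hello", "n2", t0)
    fake["tag"] = hmac.new(b"guessed-key", fake["payload"], hashlib.sha256).hexdigest()
    results["masquerade"] = b.accept(fake, t0 + 1)[0]
    return results
```

Note that the MAC does nothing against the passive attacks on the earlier slides: the payload is still readable, which is why the slide pairs encryption with these mechanisms.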
