Network Attacks
In this section of the course,
we're going to talk about network attacks.
Now security is an important part of running our networks,
because if we don't secure our networks,
someone will eventually find their way in
and cause a data breach or other malicious actions
against our organizations.
Network security is critically important
to our modern networks,
especially since most of our networks are always on
and always connected
to the world's largest wide area network, the internet.
Now, as you're probably aware,
the internet can be a really scary place.
There's lots of bad people doing lots of bad things
at all hours of the day or night.
So in this section,
we're going to focus on all the bad things
that can happen to your network
when you don't secure it properly.
Now, in this section of the course,
we're going to talk again about domain four, network security,
and we're going to cover just one objective, objective 4.2.
Objective 4.2 states that you must compare and contrast
common types of attacks.
So let's get started learning all about network attacks
and threats to our networks.
Denial of service attacks.
In this lesson, we're going to discuss a network-based attack
that you may come across while working in the field.
This is known as a denial of service, or DoS, attack.
Now a denial of service occurs
when one machine is continually flooding a victim
with requests for services.
That victim's system simply won't be able to keep up
and so it'll run out of memory and eventually crash.
For example, if I have a workstation
that begins to send 10 or 20
or 30 different packets of information at once
to a low-powered server,
that server may crash
because it won't be able to handle all those requests.
Now, this was a big problem
when we were dealing with networks 10 or 20 or 30 years ago,
but since that time,
computers and servers have gotten much faster
and so it is now very difficult for one computer
to cause a denial of service all by itself
by being able to send enough traffic to a server.
But it is important to understand this concept
from a historical perspective
because what is old tends to become new again over time
when it comes to network attacks
and protecting ourselves from them.
To achieve a denial of service attack with a single machine,
attackers are going to use either a TCP SYN flood
or an ICMP flood.
A TCP SYN flood is a specific type
of denial of service attack that occurs when an attacker
initiates multiple TCP sessions
but they never complete those sessions.
So remember, TCP operates
by conducting a three-way handshake
to establish communication.
This happens by the requester first sending a packet
with a SYN flag set.
Then the server sends back a packet
with both the SYN and the ACK flag set.
And finally that server sits there
and waits for the client to send back a final packet
with just the ACK flag set
and this will complete the handshake.
Well, in a TCP SYN flood attack,
the attacker sends a bunch of requests to the server
to establish those connections
by sending out the first part of the handshake.
Those packets will just have the SYN flag set.
The server will then respond and reserve some resources
like network capacity or memory for each of the requests
and it sends back the packet
that has SYN and ACK flags both being set.
Now up to this point,
everything is operating like a normal TCP handshake, right?
But instead of the attacker acknowledging
that SYN ACK packet,
they're not going to send back an ACK packet.
Instead, they're just going to ignore it
and so we end up with a bunch of these half-open connections
that are consuming resources on the server.
If you have too many of these half-open connections,
you could overwhelm the server
and therefore you could crash it
through this process of resource exhaustion.
To execute this type of an attack,
the attacker is usually going to spoof their source IP
when conducting their three-way handshake.
This way, when they send the SYN packet over,
the server will respond with the SYN ACK to a spoofed IP
and that person isn't expecting it
and therefore they're not going to answer it
and they're just going to drop that packet.
This leaves the connection half open
for the default length of time
until the server closes that connection.
Normally this will be around three minutes.
So in that three-minute period,
you can get a lot of these half-open connections
and if you get too many of them,
it will cause resource exhaustion on that server
that could cause it to crash.
You could see an example of that here
with four different spoofed IPs being sent to the server
by the attacker.
Now, when the server sends back its responses to those IPs,
which never respond because they weren't starting
a three-way handshake after all,
that server is now just going to sit there
and wait with a bunch of half-open connections.
To help you remember this concept,
I think there's a good analogy that I can give you here.
Let's pretend that you have some kids,
and if you have kids,
you're probably going to relate well to this.
Now, when my kids were really little,
my wife would sometimes get really stressed out
and overwhelmed by them.
This would occur because both kids would try
to get her attention at one time.
For example, my two kids would go running over to her
and go, "hey, Mommy, Mommy, Mommy, I have a question.
"Mommy, Mommy, Mommy, I want a snack.
"Mommy, Mommy, Mommy!"
And things like that.
Now, if one of the kids did this to Mom,
Mom could handle it.
She can take care of one kid with no issues.
But if both of them did at the same time,
she would have to balance her efforts between the two kids.
And so if my kids had a few friends over
and now we have five or six kids
who are asking for Mom's attention all at once,
she could quickly become overwhelmed and crash.
And that is using the terminology of an overloaded server,
but you get the idea.
Basically she could become exhausted
and she wouldn't be able to function anymore
and answer all their queries.
This is basically a denial of service.
Now another form of denial of service attack we have
is known as a smurf attack
and, again, this is an older type of attack.
It's known as an ICMP flood.
This occurs against the victim's server
by using ICMP traffic instead of TCP traffic.
An ICMP flood occurs when an attacker sends a ping
to a subnet broadcast address with the source IP spoofed
and that source IP is now going to be showing
as the victimized server.
By doing this, all of the devices on that subnet
are going to respond back to the server
and this can start using up all their processing power,
their memory, and their bandwidth,
and this could lead to resource exhaustion
and, again, a possible server crash.
In this example, an attacker spoofs their source address
and pretends that they are the server.
Now, this attacker sends out a single packet
to the subnet broadcast address of 192.168.1.255
and it says, "Hey, I'm the server at 10.1.1.2."
Now in response to this, all the clients in that broadcast domain,
in this example,
a class C subnet with up to 254 clients on it,
will start sending back a response to that server
since they all saw the source IP of this request
as that of the server and not the attacker.
This essentially is going to amplify the denial of service
against the server
because the attacker can now speed up this process even more
by sending out more of these requests.
They can send the same type of requests over and over
to multiple different subnets
and they can use different broadcast addresses
to get all these things amplified back
towards that first victim.
Now, because of this threat
of a denial of service using ICMP traffic,
which is the same traffic that's used by the ping tool,
a lot of networks will block providing responses
to ping requests
and instead they'll just drop or ignore these requests.
For this reason,
ICMP floods are not as common as they used to be,
but if you misconfigured your network,
it still could be a viable attack method
for an attacker to use on your network.
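As an added example (not part of the lesson), the following Python models what a defender would look for in both of the attacks described above: half-open TCP connections piling up at a server before its timeout expires, and a host receiving ICMP echo replies it never asked for. The packet records, addresses and timings are constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    # Constructed, simplified packet record for this example (not a pcap format).
    ts: float      # seconds since the start of the capture
    proto: str     # "tcp" or "icmp"
    src: str
    dst: str
    kind: str      # tcp: "SYN", "SYN-ACK", "ACK"; icmp: "echo-request", "echo-reply"
    sport: int = 0
    dport: int = 0


# The lesson says a server keeps a half-open connection for roughly three minutes.
HALF_OPEN_TIMEOUT = 180.0


def half_open_by_server(packets, now, timeout=HALF_OPEN_TIMEOUT):
    """Replay TCP flag events and return {server: half-open connections still held at `now`}.

    A connection is half-open once the client's SYN has been answered with a
    SYN-ACK but no final ACK has arrived. Entries older than `timeout` are
    treated as already closed by the server.
    """
    pending = {}  # (client, cport, server, sport) -> [ts of SYN, saw SYN-ACK]
    for p in sorted(packets, key=lambda p: p.ts):
        if p.proto != "tcp":
            continue
        if p.kind == "SYN":
            pending[(p.src, p.sport, p.dst, p.dport)] = [p.ts, False]
        elif p.kind == "SYN-ACK":
            key = (p.dst, p.dport, p.src, p.sport)      # reverse direction of the SYN
            if key in pending:
                pending[key][1] = True
        elif p.kind == "ACK":
            pending.pop((p.src, p.sport, p.dst, p.dport), None)
    counts = defaultdict(int)
    for (_, _, server, _), (t0, saw_synack) in pending.items():
        if saw_synack and now - t0 < timeout:
            counts[server] += 1
    return dict(counts)


def syn_flood_suspects(packets, now, threshold):
    """Servers holding at least `threshold` half-open connections at time `now`."""
    return sorted(s for s, n in half_open_by_server(packets, now).items() if n >= threshold)


def unsolicited_echo_replies(packets):
    """Return {host: number of distinct addresses that sent echo replies the host never requested}.

    A smurf-style flood shows up as one host receiving echo replies from many
    addresses even though it sent them no echo request. A request to a subnet
    broadcast address (x.y.z.255) is treated as covering that whole /24.
    """
    asked_hosts, asked_nets = set(), set()
    sources = defaultdict(set)
    for p in sorted(packets, key=lambda p: p.ts):
        if p.proto != "icmp":
            continue
        if p.kind == "echo-request":
            if p.dst.endswith(".255"):
                asked_nets.add((p.src, p.dst.rsplit(".", 1)[0]))
            else:
                asked_hosts.add((p.src, p.dst))
        elif p.kind == "echo-reply":
            solicited = ((p.dst, p.src) in asked_hosts
                         or (p.dst, p.src.rsplit(".", 1)[0]) in asked_nets)
            if not solicited:
                sources[p.dst].add(p.src)
    return {host: len(srcs) for host, srcs in sources.items()}


# Constructed capture: the server from the lesson at 10.1.1.2, documentation-range clients.
SERVER = "10.1.1.2"
NOW = 400.0
SAMPLE = [
    # a stale half-open connection the server timed out long ago
    Packet(0.0, "tcp", "203.0.113.99", SERVER, "SYN", 41000, 443),
    Packet(0.1, "tcp", SERVER, "203.0.113.99", "SYN-ACK", 443, 41000),
    # four SYNs from spoofed addresses, each answered, none ever completed
    *[Packet(300.0 + i, "tcp", f"203.0.113.{10 + i}", SERVER, "SYN", 40000 + i, 443) for i in range(4)],
    *[Packet(300.1 + i, "tcp", SERVER, f"203.0.113.{10 + i}", "SYN-ACK", 443, 40000 + i) for i in range(4)],
    # one legitimate handshake that completes
    Packet(305.0, "tcp", "198.51.100.7", SERVER, "SYN", 50000, 443),
    Packet(305.1, "tcp", SERVER, "198.51.100.7", "SYN-ACK", 443, 50000),
    Packet(305.2, "tcp", "198.51.100.7", SERVER, "ACK", 50000, 443),
    # smurf pattern: a whole subnet answers a ping the server never sent
    *[Packet(310.0 + i / 100, "icmp", f"192.168.1.{10 + i}", SERVER, "echo-reply") for i in range(6)],
    # a ping the server really did send, so this reply is solicited
    Packet(320.0, "icmp", SERVER, "192.168.1.1", "echo-request"),
    Packet(320.1, "icmp", "192.168.1.1", SERVER, "echo-reply"),
]
```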
All right, let's take this concept
of a denial of service one step further
and add more attacking machines
that are focused on overwhelming a single server
all at the same time.
This is known as a distributed denial of service,
or DDoS attack.
Now, in a distributed denial of service attack,
the attacker will use 100, 1,000,
or even 100,000 computers all at the same time
asking for access to a single server.
This way they can consume
all of that server's processing,
memory, and bandwidth resources,
leading to that server exhaustion and a server crash.
Now, often these machines can become part of the attack
and they won't even know they're part of that attack
because they are essentially part of a botnet
and they're now being controlled as a zombie.
A botnet is simply a collection of compromised computers
under the control of a single master node.
A zombie, on the other hand,
is any one of these individually compromised computers.
Once the device becomes part of a botnet,
it can be controlled by a master node,
known as a C2 or command and control server.
An attacker who controls the C2 server
will also control all the zombies that operate
as part of this botnet.
This isn't just a single computer anymore,
but instead it could be hundreds of thousands of machines,
all with the ability to be coordinated
into attacking a single target.
So when the attacker wants to launch
a distributed denial of service attack
against a website like the Wall Street Journal,
they simply send a command from their computer
to the C2 server
and then the C2 server will then relay that command
down to some or all of the zombies under its control.
This allows them to conduct a massive attack
that can even take down some really large websites
if they have enough zombies.
Now, the challenge for an attacker here
is that as more and more organizations move to the cloud,
it becomes harder and harder to overwhelm their servers.
After all, if you're using elastic cloud servers,
you can simply horizontally scale out
to answer up for all this new demand
that's being sent to you from all these different zombies
during a distributed denial of service attack.
But that doesn't mean
you shouldn't try to prevent these types
of distributed denial of service attacks from happening.
After all, with cloud-based resources,
you're still paying for all that compute
and bandwidth resources that are being used
to answer up for all these attacking requests,
so even if you can withstand the attack and outlast it
by horizontally scaling out on your servers,
it could result in a huge bill at the end of the month
and none of that bandwidth
was actually doing anything useful for you
because it wasn't from legitimate customers or users,
it was just from people who were attacking you
and you're still paying for it.
General network attacks.
In this lesson, we're going to discuss
some general network attacks that you may come across
while working in the field.
These attacks include things like on-path
or Man in the Middle attacks,
session hijacking, DNS poisoning and rogue DHCP servers.
Let's jump right into our first type of attack,
known as an on-path attack,
but you may be more familiar with it by another name,
the MITM or Man in the Middle attack.
Now, a Man in the Middle attack occurs when an attacker
puts themselves between the victim
and the intended destination.
For example, if you're trying to connect to yourbank.com
from your laptop,
and someone's able to get in between your laptop
and the bank servers,
this would be an on-path attack.
In this type of attack,
the attacker is simply going to have the ability
to monitor whatever you're sending,
or they can even manipulate it
because they're in the middle of the communications
between you and the server.
For example, let's pretend I have a client
who is client number 12345,
and they want to conduct a transaction at their online bank.
They go and they log on and they go to transfer $50
to their account.
Now they send a request to move $50 to account 12345
from their checking account
and they think that request
went straight to the bank servers for processing,
but little did they know they were in the middle
of a Man in the Middle attack or on-path attack.
So what happens?
Well from this position of the Man in the Middle
of the communication,
they're sitting between the client and the bank.
So the attacker can then change the amount from $50
to $5,000, or they could change the bank account
that funds are going to be transferred to.
So instead of going to account 12345,
it now goes to 67890 instead.
Now the bank servers still believe there's an authentication
that has happened between the client and the bank servers.
So they're going to process the requests
and instead they're going to be sending 100 times the money
from the client's checking account
to the attacker's account,
as directed by this modified request they received.
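As an added example (not part of the lesson), here is the integrity check that would have caught the modified transfer described above: the client tags its request with an HMAC under a key the on-path attacker does not hold, so changing the amount or the destination account invalidates the tag. The key, nonce and field names are constructed for the example.

```python
import hashlib
import hmac
import json

# Constructed shared secret for this example; a real client would obtain a
# per-session key from its login or TLS handshake rather than a hard-coded value.
CLIENT_KEY = b"example-shared-secret-for-client-12345"


def _canonical(request: dict) -> bytes:
    # Stable byte encoding so client and bank compute the tag over identical input.
    return json.dumps(request, sort_keys=True, separators=(",", ":")).encode()


def sign_transfer(request: dict, key: bytes) -> dict:
    """Client side: return the request with an HMAC-SHA256 tag covering every field."""
    tag = hmac.new(key, _canonical(request), hashlib.sha256).hexdigest()
    return {**request, "tag": tag}


def verify_transfer(signed: dict, key: bytes) -> bool:
    """Bank side: recompute the tag over everything except the tag itself, compare in constant time."""
    tag = signed.get("tag")
    if not isinstance(tag, str):
        return False
    request = {k: v for k, v in signed.items() if k != "tag"}
    expected = hmac.new(key, _canonical(request), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag)


def modified_by_attacker(signed: dict) -> dict:
    """The lesson's on-path attacker: change $50 to $5,000 and redirect to account 67890."""
    return {**signed, "amount": 5000, "to_account": "67890"}


# The client's original request from the lesson, plus a nonce so a captured,
# validly tagged request cannot simply be replayed later.
ORIGINAL = {
    "client": "12345",
    "from_account": "checking",
    "to_account": "12345",
    "amount": 50,
    "nonce": "constructed-nonce-0001",
}
```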
Now another type of general network attack
is known as session hijacking.
Session hijacking occurs when an attacker
is able to guess the session ID that is in use
between a client and a server,
and then they could try to take over
that already authenticated session.
In this type of attack,
it's very similar to an on-path attack,
but instead of being placed into the middle
of the conversation and relaying the victim's request
to the server,
it instead focuses on taking over the session completely
and the victim's machine is no longer receiving
any of the data.
This type of attack is focused on exploiting the way
TCP/IP protocols are going to use session numbers
or session IDs at layer five of the OSI model.
In the early days of TCP/IP,
the session IDs were not randomly assigned,
but instead they were assigned in sequential order.
So if I had session ID 123,
I could probably guess that your next session
was going to be 124,
and if you create your session right before,
or right after me, I can then guess your ID as 122 or 124,
because it's one before or one after my particular session.
So to combat this,
session IDs are now randomized
inside our newer TCP/IP configurations.
So if I now have session 123,
you might have session 934, or 523 or anything else, really,
because it's going to be just randomly assigned to you
and that way I can't guess your session ID
and take over your session using session hijacking.
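An added example, not part of the lesson, that models the two session ID schemes described above and measures how often the "one before or one after mine" guess lands on the victim's session. The starting ID 123 is taken from the lesson; everything else is constructed.

```python
import secrets


class SequentialSessions:
    """Early TCP/IP behaviour from the lesson: each new session ID is the previous one plus one."""

    def __init__(self, start=123):
        self._next = start
        self.active = set()

    def new_session(self):
        sid = self._next
        self._next += 1
        self.active.add(sid)
        return sid


class RandomSessions:
    """Modern behaviour: a 128-bit ID drawn from the OS cryptographic random generator."""

    def __init__(self):
        self.active = set()

    def new_session(self):
        sid = secrets.randbits(128)
        self.active.add(sid)
        return sid


def neighbour_guesses(my_id):
    """The attacker's reasoning in the lesson: the victim's ID is one before or one after mine."""
    return {my_id - 1, my_id + 1}


def hijack_success_rate(make_store, trials=200):
    """Fraction of trials in which the +/-1 guess matches another active (victim) session."""
    hits = 0
    for _ in range(trials):
        store = make_store()
        store.new_session()                # the victim logs in first
        attacker = store.new_session()     # the attacker logs in right after
        others = store.active - {attacker}
        if neighbour_guesses(attacker) & others:
            hits += 1
    return hits / trials
```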
Next, we're going to discuss an attack known as DNS poisoning.
Now, DNS poisoning occurs when an attacker manipulates
known vulnerabilities within the domain name system,
or DNS, to reroute traffic from one site
to a fake version of that site.
DNS poisoning usually occurs on a company's internal DNS
servers instead of on the public facing DNS servers
used by most of us on the internet.
But in some cases, those internet DNS servers
have also been poisoned.
Remember DNS is used for one big thing.
It's to be able to provide a method of changing domain names
into IP addresses and vice versa.
When a client needs to go to a website
like diontraining.com,
they ask their DNS server for the location of that server,
and they receive an IP address back as the location
from that DNS server
and then their computer goes to the IP address
to load the website.
Now, since DNS works in a hierarchical manner,
the client asks its local DNS server
for the resolution of that domain first.
If the DNS server has the domain name
and IP address stored locally within its cache,
it's going to return that address to the client.
So what does an attacker do in DNS poisoning?
Well, they're going to attempt to change the IP address
of a domain name stored in the DNS cache
of a given DNS server.
If they can do that, any client who requests to visit
that website in the future
will be redirected to a website controlled by the attacker,
allowing them to conduct further exploitation
of your client, which is now their victim.
Remember, DNS poisoning works by poisoning
either a workstation's or a server's DNS cache,
hijacking their local DNS server
or performing an unauthorized zone transfer
to an unpatched DNS server to change the IP address
of a given web server's A record.
To counteract DNS poisoning attacks,
a secure version of DNS known as DNSSEC has been created.
DNSSEC uses encrypted digital signatures
when passing DNS information between servers
to help protect it from poisoning.
You can also prevent your DNS servers from being poisoned
by ensuring your server has the latest security patches
and the latest updates to make sure
they're always properly protected.
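As an added example (not from the lesson), this Python models the checks a caching resolver applies before it lets a response into the cache described above: the reply must match an outstanding query's transaction ID, port and upstream server, and must answer only the name that was asked about. The addresses and names are constructed; the patching and DNSSEC the lesson recommends sit on top of these checks.

```python
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Query:
    txid: int       # 16-bit DNS transaction ID, randomly chosen per query
    qname: str
    server: str     # upstream server the resolver asked
    port: int       # random UDP source port the resolver used


@dataclass(frozen=True)
class Response:
    txid: int
    qname: str        # question section echoed back
    answer_name: str  # name the answer record is for
    ip: str
    src: str          # address the response claims to come from
    dst_port: int     # UDP port the response arrived on


class ResolverCache:
    """Model of a caching resolver that caches only responses matching an outstanding query."""

    def __init__(self):
        self.cache = {}         # name -> ip
        self.outstanding = {}   # txid -> Query
        self.rejected = []      # (Response, reasons) kept for logging and alerting

    def ask(self, qname, server):
        q = Query(secrets.randbits(16), qname, server, 1024 + secrets.randbelow(64512))
        self.outstanding[q.txid] = q
        return q

    def receive(self, r):
        q = self.outstanding.get(r.txid)
        reasons = []
        if q is None:
            reasons.append("unknown transaction id")
        else:
            if r.src != q.server:
                reasons.append("not from the server that was asked")
            if r.dst_port != q.port:
                reasons.append("wrong destination port")
            if r.qname != q.qname:
                reasons.append("question section does not match")
            if r.answer_name != q.qname:
                reasons.append("answer for a name that was not asked about")
        if reasons:
            self.rejected.append((r, reasons))
            return False
        self.cache[r.answer_name] = r.ip
        del self.outstanding[r.txid]
        return True

    def resolve(self, qname):
        """What a client gets back: the cached address, or None if nothing is cached."""
        return self.cache.get(qname)


# Constructed addresses (documentation ranges), not real servers.
UPSTREAM = "203.0.113.53"
ATTACKER = "198.51.100.66"


def demo():
    """Feed one query three forged replies and one genuine reply; return what happened."""
    cache = ResolverCache()
    q = cache.ask("diontraining.com", UPSTREAM)
    wrong_txid = Response(q.txid + 1, q.qname, q.qname, ATTACKER, UPSTREAM, q.port)
    wrong_port = Response(q.txid, q.qname, q.qname, ATTACKER, UPSTREAM, 33000)
    stray_name = Response(q.txid, q.qname, "yourbank.com", ATTACKER, UPSTREAM, q.port)
    genuine = Response(q.txid, q.qname, q.qname, "192.0.2.10", UPSTREAM, q.port)
    results = tuple(cache.receive(r) for r in (wrong_txid, wrong_port, stray_name, genuine))
    return results, cache.resolve("diontraining.com"), cache.resolve("yourbank.com"), len(cache.rejected)
```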
The next attack we're going to discuss
involves the use of rogue DHCP servers.
Now a rogue DHCP server is any DHCP server
that is connected to your network,
but you as the network administrator
did not have control over and did not install it.
This usually happens when an attacker or an end user
connects their own DHCP server to your network,
and often it's unintentionally done by your own users.
When that rogue DHCP server is connected to the network,
it's going to do what DHCP servers do
and it's going to start assigning IPs to clients
on the network when they boot up
and reconnect to the network.
Now, the issue here is that these rogue DHCP servers
are now handing out IP addresses, subnet masks, gateways,
and DNS server assignments to your network clients.
In the best case,
these rogue DHCP servers are simply going to be connected
by one of your end users
because they wanted to add a wireless access point
to their office and so they ran down
to the local electronics store and they bought themselves
a wireless router or gateway.
Little did they know these devices include a DHCP server
that's turned on by default.
So when they connected it to the network,
it began its job of handing out IP addresses.
This can lead to clients that have the same IP address
as other clients in the network because this DHCP server
is rogue and it doesn't know what addresses
your official DHCP server was already using
inside that same scope.
This is especially common inside the private class C range
of 192.168.1.0/24.
And this can lead to two clients having connectivity issues
on the network because they both have the same IP address.
Now, in the worst case,
this rogue DHCP server was actually attached to your network
by an attacker.
The attacker could then issue out IP addresses
and subnet masks that will properly connect to your network.
But these rogue DHCP servers can also be used
to configure clients to use a gateway
that the attacker controls,
and this would allow them to do an on-path attack
and intercept or modify communications
between the clients and the outside servers.
This essentially becomes an on-path
or Man in the Middle attack.
These rogue DHCP servers can also assign
a different DNS server for the clients to use.
This can effectively create the same effect as DNS poisoning
from the client's perspective.
So you want to be wary of these rogue DHCP servers,
and always look for them on your network
and when you find them, get them off the network.
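As an added example (not from the lesson), here is how a defender can look for the rogue servers described above: parse captured DHCPOFFER messages, compare the offering server against the authorized list, and classify what a rogue offer would do to clients (duplicate addresses, a gateway the attacker controls, or a DNS server with the same effect as poisoning). The log format, addresses and authorized values are constructed for the example.

```python
import ipaddress
import re

# Constructed inventory of what the official DHCP server hands out on this LAN.
AUTHORIZED_DHCP_SERVERS = {"10.0.0.1"}
AUTHORIZED_GATEWAY = "10.0.0.1"
AUTHORIZED_DNS = {"10.0.0.2"}
OFFICIAL_SCOPE = ipaddress.ip_network("10.0.0.0/24")

# Constructed log format for captured DHCPOFFER messages (not a real tool's output).
OFFER_RE = re.compile(
    r"DHCPOFFER server=(?P<server>\S+) yiaddr=(?P<yiaddr>\S+) "
    r"router=(?P<router>\S+) dns=(?P<dns>\S+)"
)

SAMPLE_LOG = """\
DHCPOFFER server=10.0.0.1 yiaddr=10.0.0.57 router=10.0.0.1 dns=10.0.0.2
DHCPOFFER server=192.168.1.1 yiaddr=192.168.1.100 router=192.168.1.1 dns=192.168.1.1
DHCPOFFER server=10.0.0.200 yiaddr=10.0.0.58 router=10.0.0.200 dns=10.0.0.200
DHCPOFFER server=10.0.0.1 yiaddr=10.0.0.59 router=10.0.0.1 dns=10.0.0.2
"""


def parse_offers(text):
    """Extract the server, offered address, gateway and DNS from each DHCPOFFER line."""
    return [m.groupdict() for m in map(OFFER_RE.search, text.splitlines()) if m]


def assess_offer(offer):
    """Findings for one offer; an empty list means it came from an authorized server."""
    if offer["server"] in AUTHORIZED_DHCP_SERVERS:
        return []
    findings = ["offer from a DHCP server that is not on the authorized list"]
    if ipaddress.ip_address(offer["yiaddr"]) in OFFICIAL_SCOPE:
        findings.append("hands out addresses inside the official scope: duplicate-IP risk")
    else:
        findings.append("hands out addresses outside the official scope: clients lose connectivity")
    if offer["router"] != AUTHORIZED_GATEWAY:
        findings.append("gateway points at an unauthorized host: on-path interception risk")
    if offer["dns"] not in AUTHORIZED_DNS:
        findings.append("DNS points at an unauthorized host: same effect as DNS poisoning")
    return findings


def rogue_offers(text):
    """Map each rogue server address to the findings for its offer."""
    result = {}
    for offer in parse_offers(text):
        findings = assess_offer(offer)
        if findings:
            result[offer["server"]] = findings
    return result
```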
Spoofing attacks.
In this lesson we're going to discuss
some different spoofing attacks that you may come across
while working in the field.
These attacks include things like IP spoofing,
MAC spoofing, ARP spoofing,
and VLAN hopping.
Now, spoofing is a category of network attacks
that occurs when an attacker masquerades as another person
by falsifying their identity.
Just like a person in real life might use a mask
to cover their face and hide their true identity,
spoofing is the electronic equivalent.
Really anything that identifies a user or system
can be spoofed.
Now, most commonly we're going to see IP spoofing,
MAC spoofing, or ARP spoofing used
as part of an attack on our networks.
IP spoofing occurs when an internet protocol or IP packet
is created with a modified source address
in order to hide the identity of the sender,
to impersonate another client, or both.
When conducting a denial of service attack
such as an ICMP flood,
it's common to use IP spoofing as part of the attack.
Now, the easiest way to think about IP spoofing
is to think about the last time you wrote a letter,
and went to mail it.
You had to fill out the destination address
such as your grandma's name and address,
and then you'd fill out the source or from address.
This would have the name and address
in the upper left-hand corner of the envelope
that you were sending it from.
Now, if instead of writing your own name and address
in the front part of the envelope
you decided to write your brother's name and address,
then when your grandma receives that letter
she initially believes your brother wrote it to her,
not you because she saw his name and address
in the upper left corner.
This is really all there is to it
when we talk about IP spoofing.
We can just change the from address
which we call the source IP inside the TCP/IP protocol.
IP spoofing is focused at Layer 3 of the OSI model
because we're modifying IP addresses.
Now, another version of spoofing
involves MAC address spoofing.
This is focused at Layer 2 of the OSI model
because we're now modifying MAC addresses.
Remember each network interface card
has a unique MAC address that's assigned to it
by the manufacturer.
But MAC address spoofing allows an attacker
to change their MAC address
to pretend they're using
a different network interface card or device.
Spoofing a MAC address is actually really easy to do.
Even though the MAC address is burned
into a network interface card,
most operating systems allow you to override this value
inside the operating system.
For example, I use a MacBook Pro,
and I can change my MAC address of my wireless adapter
with a single command line inside the terminal.
I simply enter sudo ifconfig en0 ether and a MAC address,
and press enter,
and all of a sudden my MAC address is changed
to the MAC address that I specified in that command.
Then when I reboot my computer my MacBook Pro
will reset my MAC address
back to the one that's burned into the wireless adapter
by the manufacturer.
So it's just a temporary change I can do.
Often networks will use network access controls
to allow only authorized people to connect to the network.
And the simplest form of this is to use MAC filtering
which relies on a list of all the known,
and authorized MAC addresses.
So as an attacker I can simply spoof the MAC address
of somebody who is authorized to join the network,
and now I can bypass your MAC filtering,
and join the network as if I was somebody
who was authorized.
Now, there's a third type of spoofing
that you may experience inside your networks,
and this is known as ARP spoofing.
ARP spoofing occurs when the attacker sends
falsified ARP messages over a local area network.
Remember, the purpose of ARP,
or the Address Resolution Protocol
is to create a binding between
an IP address and a MAC address
inside the local area network.
As the information travels from computer to computer
across the internet,
it's going to rely on the IP addresses
to transfer packets from router to router
across the internet.
But once it finds the right local area network
that IP address at Layer 3 has to be converted
to the MAC address of that device at Layer 2
so it can be delivered to the final destination client
using your switch.
This occurs by using an ARP table
which is maintained by the routers and the switches
on your network.
If an attacker wants to pretend
to be a different client on the network
in order to intercept those frames
destined for a different client,
they can go ahead and change
the IP address and MAC address binding
that's stored inside this ARP table
by doing ARP spoofing.
To do that they would send out an ARP message,
and advertise their IP address as the correct one
for the MAC address of the victimized client.
So this ARP spoofing attack can be used
as a precursor to other attacks.
Things like interception or modification of frames
using an on-path or man-in-the-middle attack
at Layer 2 of the OSI model.
To prevent ARP poisoning
you should set up good VLAN segmentation
within your network.
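As an added example (not from the lesson), this Python replays ARP replies seen on a LAN and raises the three alerts a defender would want for the binding changes described above: a known fixed address such as the gateway being claimed by another MAC, an IP whose MAC suddenly changes, and one MAC answering for several IPs. The ARP records and MAC addresses are constructed.

```python
from collections import defaultdict

# Constructed ARP reply records seen on the LAN: (timestamp, sender IP, sender MAC).
SAMPLE_ARP = [
    (0.0, "192.168.1.1", "aa:bb:cc:00:00:01"),    # gateway announces its real MAC
    (1.0, "192.168.1.20", "aa:bb:cc:00:00:20"),   # victim workstation
    (2.0, "192.168.1.30", "aa:bb:cc:00:00:30"),   # a third host
    (5.0, "192.168.1.1", "aa:bb:cc:00:00:30"),    # the third host's MAC now claims the gateway IP
    (5.5, "192.168.1.20", "aa:bb:cc:00:00:30"),   # ...and the victim's IP as well
]

# Addresses whose MAC the administrator knows and expects never to change.
KNOWN_STATIC = {"192.168.1.1": "aa:bb:cc:00:00:01"}


def detect_arp_spoofing(replies, known_static=KNOWN_STATIC):
    """Replay ARP replies in time order and return alerts as (timestamp, kind, message).

    Kinds raised:
      static-mismatch          a known fixed address (e.g. the gateway) is claimed by another MAC
      mapping-changed          an IP that previously mapped to one MAC now maps to a different one
      mac-claims-multiple-ips  one MAC is answering for several IP addresses
    """
    table = {}                      # our own view of the IP -> MAC bindings
    ips_per_mac = defaultdict(set)
    alerts = []
    for ts, ip, mac in sorted(replies):
        mac = mac.lower()
        if ip in known_static and known_static[ip] != mac:
            alerts.append((ts, "static-mismatch",
                           f"{ip} claimed by {mac}, expected {known_static[ip]}"))
        elif table.get(ip, mac) != mac:
            alerts.append((ts, "mapping-changed", f"{ip} moved from {table[ip]} to {mac}"))
        table[ip] = mac
        ips_per_mac[mac].add(ip)
        if len(ips_per_mac[mac]) > 1:
            alerts.append((ts, "mac-claims-multiple-ips",
                           f"{mac} answers for {sorted(ips_per_mac[mac])}"))
    return alerts
```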
Our next attack is known as VLAN hopping.
Now VLAN hopping occurs when an attacker
is able to send traffic
from one VLAN into another effectively
bypassing the VLAN segmentation
that you've configured within your Layer 2 networks.
VLAN hopping can be accomplished using one of two methods.
You can either use double tagging or switch spoofing.
Double tagging occurs when an attacker
is connected to an interface on the switch
using access mode with the same VLAN
as the native untagged VLAN on that trunk.
Then whenever the attacker sends a frame on the network
they're going to send it with two 802.1Q tags.
This is why we call it double tagging.
The inner tag will contain the true destination
the attacker is trying to reach.
The outer tag will contain the native VLAN.
Remember the native VLAN is the one VLAN we have
that normally travels across the trunk port
without a VLAN tag.
So when the switch receives this double tagged frame
it first removes the outer tag
that contains the native VLAN,
and then it forwards the frame to the VLAN
of the second tag
which was the inner tag with the location
the attacker is trying to really get to.
The result here is that the attacker
is able to break out of their own VLAN
in this case the native VLAN,
and migrate into the destination VLAN.
It's also important to note that this technique
is really a one-way trip for those frames though,
because the destination wouldn't double tag the data,
and send it back to them.
So, why would an attacker use double-tagging
to send out into a VLAN
without being able to receive any response back?
Well, usually this is part of a technique
that's going to be part of a denial of service attack
since you wouldn't need to receive a response
for any data being forwarded into this VLAN
using double tagging,
and instead you just want to send a bunch of data in.
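As an added example (not from the lesson), this Python walks the stacked 802.1Q tags in an Ethernet frame, which is what a monitoring point on an access port needs in order to recognise the double-tagged pattern described above. The frame builder only constructs test fixtures; the MAC addresses and VLAN numbers are made up for the example.

```python
import struct

ETH_P_8021Q = 0x8100    # TPID of an 802.1Q tag
ETH_P_8021AD = 0x88A8   # TPID used for a provider (QinQ) outer tag; walked the same way
ETH_P_IPV4 = 0x0800


def parse_vlan_tags(frame: bytes):
    """Return (vlan_ids outer-first, inner ethertype, payload offset) for one Ethernet frame.

    Every stacked tag after the two 6-byte MAC addresses is walked, so a frame
    carrying two tags comes back with two VLAN IDs.
    """
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    offset = 12
    vlans = []
    (ethertype,) = struct.unpack_from("!H", frame, offset)
    while ethertype in (ETH_P_8021Q, ETH_P_8021AD):
        if len(frame) < offset + 6:
            raise ValueError("truncated VLAN tag")
        tci, ethertype = struct.unpack_from("!HH", frame, offset + 2)
        vlans.append(tci & 0x0FFF)      # the VLAN ID is the low 12 bits of the TCI
        offset += 4
    return vlans, ethertype, offset + 2


def build_frame(dst_mac, src_mac, vlans, ethertype=ETH_P_IPV4, payload=b"\x00" * 20):
    """Construct a test frame with the given stack of 802.1Q tags (outer first)."""
    header = bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", ""))
    for vid in vlans:
        header += struct.pack("!HH", ETH_P_8021Q, vid & 0x0FFF)
    return header + struct.pack("!H", ethertype) + payload


def double_tagged_on_access_port(frame: bytes, native_vlan: int) -> bool:
    """True for the lesson's pattern: an access-port frame whose outer tag is the native VLAN
    and which carries a second tag naming the VLAN the sender is really trying to reach."""
    vlans, _, _ = parse_vlan_tags(frame)
    return len(vlans) >= 2 and vlans[0] == native_vlan


# Constructed samples: outer tag = native VLAN 1, inner tag = VLAN 20 the sender should not reach.
SAMPLE_DOUBLE = build_frame("02:00:00:00:00:02", "02:00:00:00:00:01", [1, 20])
SAMPLE_SINGLE = build_frame("02:00:00:00:00:02", "02:00:00:00:00:01", [20])
SAMPLE_UNTAGGED = build_frame("02:00:00:00:00:02", "02:00:00:00:00:01", [])
```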
Now, the second method of performing VLAN hopping
is known as switch spoofing.
Switch spoofing occurs when an attacker attempts to conduct
a Dynamic Trunking Protocol or DTP negotiation.
This is normally performed by a switch
when it's connected to a trunk port.
By default trunk ports are set up to support
auto-negotiation between two switches
so they can share VLAN information.
So if an attacker configures their attack workstation
to act like a switch,
and it sets it to dynamic auto,
or dynamic desirable switch port mode,
when the attack workstation is connected to a trunk port
it will automatically try to negotiate
a trunking connection just like a switch would.
Now, once that trunk is established
with the attacker's workstation by the switch,
the workstation will now have access to all the VLANs
inside the network.
To prevent this from occurring
you should always configure your switch ports
to have dynamic switch port modes disabled.
After all, if your switch doesn't support auto-negotiation
because you've disabled this mode,
you can prevent this type of attack
from occurring on your networks in the first place.
Malware.
In this lesson,
we're going to discuss some different types
of malware that you may come across
while working as a cyber security or network technician.
So, what is malware?
Well, malware is a shorthand term for malicious software.
This is software that's designed
to infiltrate a computer system
and possibly damage it without
the user's knowledge or consent.
Simply put, malware is some kind of bad software code
that wants to do harm to our computers and our networks.
Malware comes in many varieties, including viruses, worms,
Trojan horses, ransomware, spyware, and rootkits.
The first type of malware we have is known as viruses.
A computer virus is simply made up of malicious code
that's run on a machine without the user's knowledge.
This code allows it to infect the computer
whenever that code is run.
Now, what does this look like in the real world?
Well, one of your users may have gone
to a website to download a new game,
and when they did that,
they actually downloaded an installation file
that contained a virus or malicious code inside of it.
When they ran that program to install the game,
they actually just installed the virus onto
the client machine,
and now, that virus has taken hold.
At this point,
the virus is going to want to reproduce and spread,
and it does this because you had a user action occur.
This was namely the opening
and running of the game's install file.
Once this has been done,
the virus can now begin to replicate
and attempt to spread further across the network.
Our second type of malware is known as a worm.
Now a worm is a piece of malicious software,
much like a virus.
But it can replicate itself without any user interaction.
This is a key distinction between a virus and a worm.
Remember, I said the user had
to install the program or open a file
in order to have the virus take action
and begin its replication.
But with worms, this simply isn't the case.
Worms are able to self-replicate
and they spread throughout your network
without a user's consent or action.
This occurs because worms take advantage
of security vulnerabilities that exist
within operating systems,
network protocols, and other applications.
If the worm determines
that there is a computer on the network
that doesn't have the latest security patch installed,
it can then take advantage of that
and exploit that vulnerability
to spread from victim to victim across the entire network,
or even across the internet and the entire world.
Because of this,
worms can cause disruption to your normal network traffic
and your computing activities,
because as they're spreading and replicating
from victim to victim,
they're also using each victim's processing power,
its memory, and its network bandwidth,
consuming all these different resources,
and not for anything that you want them to do.
Eventually, this can start slowing down your systems,
or in some cases,
it can cause your systems or your networks to crash.
Worms are known for spreading far and wide over
the internet in a relatively short amount of time.
Back in 2001, there was a worm named Nimda,
which is admin spelled backwards.
Now it was able to propagate across
the entire internet in just 22 minutes.
Then in 2009, we had another worm.
This one was known as Conficker.
This was probably one of the largest worms
that we as cybersecurity professionals
have seen to date.
Conficker was able to infect between nine
and 15 million machines worldwide.
This worm was infecting as many machines
as it could by leveraging an exploit
against a missing Microsoft Windows security patch.
This was specifically the patch associated
with the MS08-067 security bulletin.
Now, the vulnerability was a coding error
with the way Microsoft Windows
was performing file and printer sharing.
Conficker sought out those machines
that were missing the security patch,
installed this piece of code on them,
and then those machines became part of a botnet.
Ultimately, this botnet was able
to be shut down before it was used
for negative or malicious purposes,
but it does show the true power of these worms,
and how they can gather up lots
and lots of zombies for a botnet really quickly
for use later on.
The third type of malware we have
is known as a Trojan horse.
A Trojan horse gets its name
from the legendary trick that was used during
the Trojan War back in ancient Greece.
Greece and Troy were at war for 10 years,
and there was no end in sight.
After a long siege,
the Greeks decided they were getting restless,
and they decided they wanted
to try something a little different
to get this war over with.
So, they decided to construct a large wooden horse,
and they gave it to the city of Troy as a peace offering,
or so the story goes.
Now, this seemingly harmless gift
was actually filled with Greek soldiers.
And once it was wheeled inside the city,
day turned to night,
and the soldiers emerged from within the horse.
These soldiers immediately opened
the walled city gates and began letting
in their fellow soldiers
that were from the invading Greek army.
They got into the city and they laid waste to it.
This was the first example of a Trojan horse.
Now in the world of cybersecurity and computer networking,
Trojan horses work much the same way.
Trojan horses are pieces of malicious code
that are disguised as harmless
or desirable software.
Basically, a Trojan says I'm going
to perform this function for you.
And it may very well perform that desired function.
But it can also perform a malicious function too.
Now, when I was a kid,
there was a new game out called Tetris
that you probably have heard of at this point,
and it was extremely popular,
everybody wanted to get a copy of it.
So a lot of times,
you might have a friend who put a copy of it
on a disk and handed it to you so you could install it
at home and play this great new game too.
Well, one enterprising person
took a copy of Tetris
and embedded a Trojan horse inside that copy of Tetris.
Now, if you took that disc and installed
that game on your computer,
that game would launch and play just like normal.
You could play Tetris, no issue at all.
But in the background, the Trojan horse part of it
opened a backdoor that allowed a connection
between your system and the attacker's system,
giving them remote control
so they could steal your information or destroy your data.
This is one of the earliest examples
of what we now refer to
as a RAT, or Remote Access Trojan.
A RAT is a common type of Trojan
that's still widely used today.
It provides the attacker with remote control
of a victim system.
These techniques are still used a lot today,
but instead of somebody handing you a disk,
they instead post the file
on a website and wait for you to download it.
Remember, whenever you're downloading
a program from the internet,
always be careful,
because you don't know what other code
is lurking inside of it.
Anytime you or your users are downloading a file,
you have to make sure you scan it for viruses, worms,
and Trojans before you install it,
and, where the vendor publishes one,
verify the file's digital signature or hash
so you know you got the file the vendor actually shipped.
The fourth type of malware we have is known as ransomware.
If you've watched the news
or scrolled Facebook in the last year or two,
you probably already know what ransomware is
because it keeps showing up all over our news feeds.
Ransomware is a type of malware
that restricts access to a victim's computer system
or their files until a ransom or payment is received.
Essentially, someone's going to break into a network,
a server or a computer,
and then they're going to encrypt all
the files or change the passwords,
or do something else to hold that system hostage
until you pay up.
One day, you may reboot your computer
and it says something like this:
your computer has been locked.
You have to pay a fine of $200
through this link using Bitcoin
to get your access back.
If you pay me,
I'll give you a secret unlock code,
and you can put it in that white box,
hit OK, and have access to all your stuff.
This is what ransomware looks like
when it targets end users.
But even more recently,
we're seeing large-scale ransom attacks
against large corporations and local governments,
including oil pipelines,
hospital systems, and even city governments.
Back in 2018, the city of Atlanta
got infected with the SamSam ransomware.
This started spreading across
a lot of their systems throughout the city,
and it ended up costing them over $17 million to fix it.
They ended up not paying the ransom,
but instead, they spent about $6 million
in services and contracts and software upgrades,
and another $11 million in hardware upgrades
to be able to deal with the SamSam ransomware.
This made it the costliest cyber attack
affecting the government in 2018.
And this was despite them not paying
the ransom demanded by the attackers.
Usually, ransomware gets
a foothold into your network somewhere
because of a vulnerability
in a piece of software on one
of your servers or your clients,
a phished credential,
or a remote access service like RDP
that was left exposed to the internet.
Once it gets into the network, though,
it's going to spread as far as it can,
encrypt your data to hold it hostage,
and increasingly copy that data out first
so the attackers can also threaten to leak it.
Once they've done that,
you have no way to decrypt that data
unless you pay the ransom or restore from an offline backup,
which is why tested, offline backups
are your most important defense.
The fifth type of malware we have is known as spyware.
Spyware is a type of malicious software
that's installed on your system,
and it gathers information about you without your consent.
Normally, this will be installed either
from a website or some third-party software
that you have installed on your system.
That software is going to look through all your files,
all your emails,
all of your instant messages,
all your calendar invites,
and whatever other information you have on your system,
gather that information,
and build a profile on you.
And that is the best-case scenario.
After all, some spyware is just trying
to figure out what it can advertise to you,
and in that case we call it adware.
Adware displays advertisements
based on what it thinks you'd like best
and what you're most likely to buy.
Now, in the worst case,
spyware could include a key logger.
Now, a key logger allows an attacker
to capture every keystroke you make on the victim machine,
such as the website addresses you type in
and the usernames and passwords you enter.
Spyware and key loggers
can collect those details
and send it all back to the attacker,
complete with screenshots that they're taking
on a regular interval of your computer screen.
Now our sixth type of malware we have
is known as a rootkit.
A rootkit is a specific type of software
that's designed to gain administrative level control
over a computer system or network device
without being detected.
Now, this is really important
because when we talk about root
or administrator level permissions,
this is the highest level of permissions
that someone can have on a system.
If you're using a Windows machine,
for example, that will be your administrator account
that allows somebody to install programs,
delete programs, open ports, and shut ports.
Basically, they can do whatever they want on your system.
This type of access is known as root access
if you're using Unix, Linux or macOS,
Apple's operating system for the Mac.
Either way, gaining administrative
or root access is great for an attacker,
but it is horrible for you and your security.
Now in our networks,
the most common place to find a rootkit would be
if the attacker was able
to compromise the firmware on our routers or switches.
There have been documented cases
of this for pretty much every brand
of router and switch out there.
So it's important to keep up to date
with the latest threats based
on the type of equipment
that you're using inside your networks.
Rootkits are extremely powerful,
and they're really difficult to detect,
because the operating system itself
can be blinded to them:
a kernel-mode rootkit hooks the system calls
the OS uses to list files and processes,
and a bootkit or firmware rootkit
loads before the operating system itself does.
To detect them, the best way is to boot
from a known-clean external device,
so the rootkit never gets to run,
and then scan the suspect disk from there,
comparing what's actually on it
against known-good copies or hashes.
On modern hardware, Secure Boot and measured boot
with a TPM also help, by refusing to run,
or by recording, boot code that has been tampered with.
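The offline scan described above comes down to one idea: hash what is on the suspect disk from an environment the rootkit is not running in, and compare it with a baseline you trust. Here is an added example of that comparison (it is not code from this course or from any particular anti-rootkit tool). It assumes the trusted manifest comes from outside the suspect system, for instance the distribution's package database on your boot media, because a baseline stored on the compromised machine could itself have been altered; the two directory trees and their file contents are constructed in temporary directories for the demo.

```python
import hashlib
import tempfile
from pathlib import Path


def build_manifest(root: str) -> dict:
    """Hash every regular file below root, keyed by path relative to root.
    Run this from clean boot media against the mounted, not-running system so that
    no kernel hook on the suspect system can lie about what is on disk."""
    manifest = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and not path.is_symlink():
            rel = path.relative_to(root).as_posix()
            manifest[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def compare_manifests(trusted: dict, observed: dict) -> dict:
    """Diff a trusted manifest (vendor package data or a golden image) against what is on disk.
    'modified' is the classic rootkit signature: a system binary whose hash no longer matches."""
    return {
        "modified": sorted(p for p in trusted if p in observed and observed[p] != trusted[p]),
        "missing": sorted(p for p in trusted if p not in observed),
        "added": sorted(p for p in observed if p not in trusted),
    }


def _write_tree(root: str, files: dict) -> None:
    """Helper for the constructed demo: materialize a dict of relpath -> bytes on disk."""
    for rel, content in files.items():
        full = Path(root, rel)
        full.parent.mkdir(parents=True, exist_ok=True)
        full.write_bytes(content)


def demo() -> dict:
    """Constructed scenario (not a real image): a golden tree, and the same tree after a
    rootkit replaced a system binary and dropped an extra kernel module."""
    golden = {
        "bin/ls": b"ELF... ls 9.1",
        "sbin/sshd": b"ELF... sshd 9.6",
        "lib/modules/ext4.ko": b"ext4 module",
    }
    compromised = dict(golden)
    compromised["sbin/sshd"] = b"ELF... sshd 9.6 + credential-logging hook"  # trojanized binary
    compromised["lib/modules/hidden.ko"] = b"hides processes and files"       # dropped module
    with tempfile.TemporaryDirectory() as g, tempfile.TemporaryDirectory() as c:
        _write_tree(g, golden)
        _write_tree(c, compromised)
        return compare_manifests(build_manifest(g), build_manifest(c))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

In practice you would point build_manifest at the mount point of the suspect root filesystem and take the trusted manifest from the package manager's own file lists; the point is that both the hashing and the comparison happen on a system the rootkit never got to boot on.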
As I said earlier in this lesson,
there are lots of different types of malware.
In this lesson, we discussed just a few of them.
We talked about viruses and worms, and Trojan horses,
and ransomware, and spyware, and rootkits.
But there are many others out there
that you're going to learn
about as you continue
to advance in your cybersecurity career.
Wireless attacks.
In this lesson, we're going to discuss
the different types of wireless attacks
that you need to be aware of.
This includes rogue access points, evil twins,
deauthentication attacks, password attacks,
and wireless interception.
A rogue access point is any wireless access point
that's been installed on a secure network
without explicit authorization
from a local network administrator.
These are often added by a malicious attacker
or simply by one of your end users
who didn't know any better.
For example, if your office only has a wired network,
but somebody wanted to add wireless capability
so they could use their iPad in the office,
they may go out to the store and buy a wireless access point
and then connect it to the wall jack in their office.
Now, this may seem harmless enough,
but if that wireless access point isn't properly secured
with a strong password and encryption,
an attacker can also connect to that access point
from outside the building
and now they're going to be fully connected
to your network, too.
Another risk with these types of devices
is that many wireless access points
sold at the electronic stores
aren't really wireless access points,
but instead they're wireless routers or wireless gateways.
This means the device has a router and a DHCP server in it,
and that DHCP server is usually enabled by default.
So when they connect this device,
they thought it only had an access point,
but it also has a rogue DHCP server,
which will start answering DHCP requests
from other machines on your LAN
and handing out its own addresses and default gateway,
knocking those clients off the real network.
Devices like these are added to the network all the time,
without knowledge of the IT department
and its system administrators.
This can lead to many insecure devices
being all over your network.
These devices, when we take them all together,
are known as shadow IT.
Shadow IT is the use of information technology systems,
devices, software, applications, or services
without the explicit approval of the IT department.
Shadow IT is a major risk to any organization,
because if the IT department
doesn't know about these devices,
how are they supposed to configure them
and secure them from attacks?
That's the idea,
we need to make sure we understand what's out there
so we can then better protect it.
Speaking of rogue wireless access points
being added to your network,
we also have the threat of evil twins
in and around our network.
Now, in an evil twin attack,
an attacker will set up a wireless access point
that uses the same name as your own network.
For example, if you're sitting in Starbucks
having some coffee and you open your Wi-Fi settings,
you might see the Starbucks free Wi-Fi.
Now, an attacker can also be sitting there
with their own wireless access point
and having it broadcast out the name Starbucks Free Wi-Fi
with a stronger signal.
And they're hoping you connect to them
instead of to Starbucks.
Now, if you do connect to them,
their evil twin will still give you access to the internet,
but it also puts the attacker in a position
to see and record everything you're doing
over that wireless connection,
because you're really connected to them
and not to Starbucks.
This is an evil twin.
And an evil twin is an easy way for an attacker
to conduct an on-path, or man-in-the-middle, attack.
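The two threats just described, a rogue access point plugged into your wire and an evil twin impersonating your SSID, are what a wireless intrusion detection sensor looks for when it walks through a site survey. The example below is added here to show that classification logic; it is not code from this course or from any vendor's WIDS. The inventory, switch MAC table and survey results are constructed. The one heuristic it relies on, that a consumer router's wireless BSSID usually sits within a few values of its wired MAC address, so a BSSID adjacent to a MAC seen on one of your switch ports is probably plugged into your LAN, is an assumption of this example.

```python
# Constructed inventory of the access points IT actually deployed.
AUTHORIZED_APS = {
    "CorpWiFi": {
        "bssids": {"d8:c7:c8:00:11:22", "d8:c7:c8:00:11:23"},
        "security": "WPA2-Enterprise",
    },
}

# Constructed MAC address table pulled from the access switches (port -> MACs seen on it).
SWITCH_MAC_TABLE = {
    "Gi1/0/7": ["3c:2e:f9:0a:0b:0c"],    # a desktop
    "Gi1/0/14": ["a0:40:a0:12:34:55"],   # wired side of a consumer router someone plugged in
}

# Constructed site survey, as a WIDS sensor or survey tool would report the beacons it heard.
SURVEY = [
    {"ssid": "CorpWiFi", "bssid": "d8:c7:c8:00:11:22", "channel": 36, "rssi": -58, "security": "WPA2-Enterprise"},
    {"ssid": "CorpWiFi", "bssid": "d8:c7:c8:00:11:23", "channel": 44, "rssi": -67, "security": "WPA2-Enterprise"},
    {"ssid": "CorpWiFi", "bssid": "02:00:00:aa:bb:cc", "channel": 6, "rssi": -41, "security": "Open"},
    {"ssid": "NETGEAR_5G", "bssid": "a0:40:a0:12:34:56", "channel": 1, "rssi": -70, "security": "WPA2-Personal"},
    {"ssid": "Starbucks Free WiFi", "bssid": "f0:9f:c2:77:88:99", "channel": 11, "rssi": -81, "security": "Open"},
]


def mac_to_int(mac: str) -> int:
    return int(mac.replace(":", ""), 16)


def wired_neighbor(bssid: str, switch_table: dict, window: int = 8):
    """Assumed heuristic: a BSSID numerically adjacent to a MAC on one of our switch ports
    belongs to a device that is plugged into our LAN. Returns (port, mac) or None."""
    target = mac_to_int(bssid)
    for port, macs in switch_table.items():
        for mac in macs:
            if abs(mac_to_int(mac) - target) <= window:
                return port, mac
    return None


def classify_survey(survey, authorized, switch_table):
    # Strongest signal seen from a legitimate AP per SSID, so we can spot twins that out-shout the real one.
    best_legit = {}
    for b in survey:
        if b["bssid"] in authorized.get(b["ssid"], {}).get("bssids", set()):
            best_legit[b["ssid"]] = max(best_legit.get(b["ssid"], -999), b["rssi"])

    results = []
    for b in survey:
        ssid, bssid, reasons = b["ssid"], b["bssid"], []
        if ssid in authorized:
            if bssid in authorized[ssid]["bssids"]:
                verdict = "authorized"
            else:
                verdict = "evil-twin"
                reasons.append("advertises our SSID from a BSSID not in inventory")
                if b["security"] != authorized[ssid]["security"]:
                    reasons.append(f"security is {b['security']} instead of {authorized[ssid]['security']}")
                if b["rssi"] > best_legit.get(ssid, -999):
                    reasons.append("stronger signal than any legitimate AP, so clients will prefer it")
        else:
            hit = wired_neighbor(bssid, switch_table)
            if hit:
                verdict = "rogue-on-wire"
                reasons.append(f"BSSID adjacent to MAC {hit[1]} seen on switch port {hit[0]}")
            else:
                verdict = "neighbor"
                reasons.append("unknown SSID with no wired-side correlation; likely a nearby network")
        results.append({"ssid": ssid, "bssid": bssid, "verdict": verdict, "reasons": reasons})
    return results


if __name__ == "__main__":
    for r in classify_survey(SURVEY, AUTHORIZED_APS, SWITCH_MAC_TABLE):
        print(f"{r['verdict']:14} {r['ssid']:20} {r['bssid']}  {'; '.join(r['reasons'])}")
```

The split matters operationally: an evil twin is a wireless-only problem you hunt with a directional antenna, while a rogue on the wire is fixed by shutting the switch port it was traced to, which is why the wired correlation is worth the extra data pull.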
The next attack we have is known as a deauthentication,
or deauth attack.
Now a deauthentication attack is a type of
denial of service attack
that attempts to interrupt communication
between an end user's client
and the wireless access point.
A deauthentication attack is commonly used
in wireless hacking attacks
to kick a person off of the network.
To perform this attack,
the attacker sends deauthentication frames,
which are 802.11 management frames,
to the victim's client while spoofing
the MAC address of the access point
(or to the access point while spoofing
the MAC address of the client).
Note that it's a MAC address being spoofed here,
not an IP address;
this attack works at layer 2,
and on networks that don't use
802.11w protected management frames,
which WPA3 requires, nothing authenticates those frames.
When this happens,
the client will attempt to reconnect
and reestablish a connection to the wireless access point
by conducting a new session establishment
and four-way handshake.
As they do this,
the attacker can capture that handshake
and attempt to crack
the wireless network's pre-shared key offline,
because the handshake contains values
derived from that password.
Again, this is something you want to be careful of
and make sure that if you're using a wireless network,
you're aware of these types of techniques
because they are extremely common.
Speaking of password attacks,
let's talk a little bit more about how an attacker
cracks a password.
There are two basic methods of cracking a password:
a dictionary attack and a brute force attack.
Now a dictionary attack occurs when an attacker tries to
guess the password by attempting to check
every single word or phrase contained within a word list,
which we call a dictionary.
Now, an attacker's dictionary
isn't like the dictionary you used in high school.
It doesn't just contain real words.
Many attackers' dictionaries
contain things like the word password
with the A replaced by an @ symbol
and the S replaced by a dollar sign.
When an attacker attempts to crack your password
using this list, we consider it a dictionary attack.
The best defense against a dictionary attack
is to not use anything that looks like a regular word,
even if you've substituted symbols or numbers for some of the letters,
since those substitutions are already in the attacker's list.
On the other hand,
if a dictionary attack isn't successful,
the attacker can try to do a brute force attack.
Now, with a brute force attack,
they're going to try every possible combination
until they figure out your password.
For example,
if your password was something like a four-digit PIN,
the attacker could start out at zero, zero, zero, zero.
Then they try zero, zero, zero, one.
Then zero, zero, zero, two, and so on.
And eventually they'll get to your four digit code
of five, two, four, six, or whatever it was.
The thing about a brute force attack
is it will always be successful, eventually.
It's just a matter of time.
So the key to defending against a brute force attack
is length: every character you add
multiplies the number of combinations the attacker has to try,
so the longer and more complex your password is,
the longer it's going to take to brute force.
For online guessing, against a login page for example,
account lockouts and rate limiting
also slow the attacker down.
Now, in addition to a dictionary and a brute force attack,
we have something known as a hybrid attack.
A hybrid attack combines the two:
we start with a small word list,
often seeded with a few key words about our victim,
like a pet's name, a sports team or the company name,
and then we brute force the variations around each word,
such as capitalizing it, swapping in symbols,
and appending digits, years or punctuation.
This focuses the brute force attack
far better than just starting out with the letter A
and moving upwards from there,
and it can cut the cracking time down dramatically.
But again, you have to know some information
about your target.
Next, we need to discuss the concept
of wireless interception.
Now, wireless interception is an attack
that involves capturing wireless data packets
as they go across the airwaves.
Since wireless networks operate much like a hub,
the data is simply floating through the air
for any attacker to grab.
To protect this data,
most wireless networks use wireless encryption technologies
like AES-CCMP in the WPA2 standard.
But even though these packets are encrypted,
they can still be intercepted and recorded
using a packet capture.
Then the attacker can attempt to crack the pre-shared key offline
when they have more time,
using a dictionary, brute force or hybrid technique
against a captured four-way handshake.
This is a weakness of WPA2-Personal specifically;
WPA3's SAE handshake was designed
so that a captured exchange can't be used
for an offline dictionary attack.
In addition to wireless interception of wifi networks,
wireless interception can also focus
on Bluetooth or cellular signals.
It just becomes a matter of changing the type of
antenna and radio that you're using
to conduct that packet capture.
For example, a Stingray device,
also known as an IMSI catcher,
can be used to act like a cellular tower
and send out signals and get specific devices
to connect to it.
The Stingray can then identify what cellular devices
are being used in an area by collecting location data
and other identifying information
about those cellular devices.
When the cellular devices connect to it,
the stingray can then capture any data
that's sent through it,
essentially performing an on path,
or man in the middle attack,
against any cellular device in range.
These stingray devices were originally developed
by the US government for use in criminal investigations,
but some attackers have them, as well.
Now, your wired networks
can also be subject to wireless interception, too,
using specialized techniques
that are going to be way beyond the abilities
of a standard network technician.
But I want to discuss this
just so you understand the concept.
If your wired network is using copper wires,
like an unshielded twisted pair cable,
those cables actually emit electromagnetic waves
as the data travels down the cable.
Now a highly skilled analyst with specialized equipment
could collect those electromagnetic waves
and convert them back into ones and zeros
that are being sent down the copper cable
as an electrical impulse.
To capture these signals,
the attacker would have to be fairly close
to the copper cable, though,
usually within about 10 to 12 inches.
But it is still technically a type of wireless interception.
All right, as I said,
this whole area is a very technical area,
but it's just one of many different types
of specialized attacks
that I wanted to make sure you understood existed.
And so if anybody ever asked you about it,
you could be aware of it.
Social engineering attacks.
In this lesson, we're going to focus on
the different types of social engineering attacks,
including phishing, tailgating, piggy-backing,
shoulder surfing, eavesdropping and dumpster diving.
Now, before we get into the specific attacks,
let's define social engineering.
Social engineering is any attempt to manipulate users
into revealing confidential information
or performing other actions
that are detrimental to that user
or the security of our systems.
Social engineering is always focused on the human element
and trying to find a way to bypass
our systems' technical controls by simply hacking the human
instead of hacking the technology.
For example,
if I wanted to break into your wireless network,
and I found that you had implemented a long,
strong password for your WPA2 AES encrypted network,
it could take me years upon years
to brute force that password.
But if I instead figure out a way to trick you or your users
into sharing that password with me,
I might be able to access that network
by the end of the day,
that's the idea of social engineering.
In most of our networks,
the weakest link in our security is our end users
and our employees.
This is why conducting
good annual user cybersecurity training
is so important to the security of your organization.
So let's take a look at a few social engineering attacks.
The first one we have is phishing.
A phishing attack occurs when an attacker sends a message,
usually an email, crafted to trick a user
into clicking a link, opening an attachment,
or handing over information.
For example, if an attacker sends an email
claiming to be from PayPal
and asking you to confirm your account information,
this is a prime example of a phishing attack.
In this example, the attacker may include PayPal's logo,
the same format that PayPal uses in their emails normally,
and other things that make it appear legitimate.
But if you or your users click on that link,
it would instead take you to a copy of the PayPal login page
hosted on the attacker's site,
where they're going to try to get you to log in
by entering your username and your password,
and now they have your account details
and can steal any money you may have in your account.
Now, how many people do you think fall for this?
Well, you'd actually be really surprised
because the answer is a lot of people.
In phishing attempts that I've done
as part of a penetration test,
I've personally seen response rates
as high as 60 or 70% of users
clicking the links inside those emails.
Even when I include things like bad grammar, poor spelling,
improper logos, and other things like that,
users still end up clicking the links
at a rate of about 30 to 40%.
This means phishing works really well for an attacker,
and it's really hard for us to prevent.
Now, phishing is a bad thing,
and the best thing you can do to prevent it
is train all of your end users and make them aware of it,
backed up by technical controls like mail filtering
and multifactor authentication,
so that a phished password alone isn't enough to log in.
Now phishing itself takes one of three forms:
phishing, spear phishing, or whaling.
Plain phishing is the broadest of the three.
In a phishing campaign, an attacker isn't really targeting
any particular person or group,
but instead sends out emails
that are likely to capture the most people.
For example, the PayPal phishing email I mentioned earlier
is a great form of phishing
because there's over 377 million users of PayPal.
So if I just send out that email to every email address
I had, most likely, a lot of those people
are going to have PayPal accounts
and they'll possibly click the links in my email.
Spear phishing on the other hand is more targeted.
For example, let's pretend that you are a member
of a small local bank called DT Savings and Loan.
Now, unfortunately, DT Savings and Loan
had a data breach last year.
And that resulted in all the names and emails
of all their account holders
being downloaded by that attacker.
That list is now on the dark web.
Now an enterprising young hacker
decides to craft a spear phishing email
that targets a hundred of the users on that list.
In that email they create,
they pretend to be from DT Savings and Loan,
and they only send this email to people they know
have accounts at DT Savings and Loan.
You see the difference?
Instead of trying to send the email to a million people
and hoping some of them have a PayPal account,
we are now targeting people we know
have a banking relationship with DT Savings and Loan.
The final type of phishing we have is known as whaling.
Whaling is like spear phishing,
but it's focused on key executives within an organization,
such as your CEO, COO, CFO, CIO, and many other key leaders,
executives, and managers within your company.
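The PayPal example above works because the email looks right while the link underneath it goes somewhere else. Most of that is mechanical and can be checked by a mail gateway or a triage script before a user ever sees it: the visible link text disagrees with the real destination, the brand name is buried in a subdomain of an unrelated registered domain, the domain is a lookalike built from confusable characters, or the URL uses tricks like user-info before an @ sign or a bare IP address. The example below is added here to show those checks over a constructed phishing email; it is not code from this course or from any mail-security product. The protected brand list is constructed, and registered_domain() assumes a two-label suffix, which is an oversimplification (a real tool would consult the public suffix list so that names like example.co.uk are handled correctly).

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed: brands whose domains we want to protect in inbound mail.
PROTECTED_DOMAINS = {"paypal.com", "dtsavings.example"}
# Character swaps attackers use to build lookalike names; applied in this order.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("1", "l"), ("0", "o")]
URL_LIKE = re.compile(r"^(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

# Constructed phishing email body (the HTML a user's mail client would render).
SAMPLE_EMAIL = """<html><body>
<p>Dear customer, please <a href="http://paypal.com.account-verify.example/login">confirm your account</a>.</p>
<p>Or visit <a href="https://paypa1.com/signin">https://www.paypal.com/signin</a></p>
<p>Help: <a href="https://www.paypal.com/help">PayPal Help Center</a></p>
<p>Secure link: <a href="https://www.paypal.com@203.0.113.9/">https://www.paypal.com</a></p>
</body></html>"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every anchor in the message body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host: str) -> str:
    """Simplified: last two labels. An assumption of this example; use the public suffix list in production."""
    if IPV4.match(host):
        return host
    return ".".join(host.lower().split(".")[-2:])


def normalize_confusables(host: str) -> str:
    for bad, good in CONFUSABLES:
        host = host.replace(bad, good)
    return host


def check_link(href: str, text: str) -> list:
    """Return the list of reasons this link looks like phishing (empty list means nothing found)."""
    parts = urlsplit(href)
    host = (parts.hostname or "").lower()
    reasons = []
    if parts.username is not None:
        reasons.append("userinfo-in-url")   # https://www.paypal.com@evil/ : browser ignores what precedes @
    if IPV4.match(host):
        reasons.append("ip-literal-host")
    actual = registered_domain(host)
    for brand in sorted(PROTECTED_DOMAINS):
        if actual != brand and ("." + brand + ".") in ("." + host + "."):
            reasons.append("brand-in-subdomain")   # paypal.com.account-verify.example
        if actual != brand and registered_domain(normalize_confusables(host)) == brand:
            reasons.append("lookalike-domain")      # paypa1.com
    m = URL_LIKE.match(text)
    if m and registered_domain(m.group(1)) != actual:
        reasons.append("text-href-mismatch")        # text shows paypal.com, link goes elsewhere
    return reasons


def analyze_email(html: str) -> list:
    """Return [(href, visible_text, reasons), ...] for every link in the message."""
    p = LinkExtractor()
    p.feed(html)
    return [(href, text, check_link(href, text)) for href, text in p.links]


if __name__ == "__main__":
    for href, text, reasons in analyze_email(SAMPLE_EMAIL):
        print(f"{'SUSPECT' if reasons else 'ok     '} {href}  text={text!r}  {reasons}")
```

The third link, which really does go to www.paypal.com, comes back clean; that matters as much as the detections, because a check that flags every brand mention trains users and analysts to ignore it.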
Now the second type of social engineering attack we have
is known as tailgating.
Tailgating is going to occur when an attacker
attempts to enter a secure portion
of the organization's building
by following an authorized person into that area
without their knowledge or consent.
For example, if I just went up to the server room door
and I swipe my access badge and I entered my pin,
the door would beep and unlock and I can walk in
because I'm part of the authorized personnel list.
Now, as I open the door and walk through,
but before the door shuts behind me,
somebody could sneak in and get in there
without my knowledge, that would be tailgating.
For this reason, you should always train your employees
to pull the door shut behind them
and not simply walk away in hopes the force of gravity
is going to shut the door for them.
Now, the other side of this is known as piggybacking.
This is something that is similar to tailgating,
but it occurs with the employee's knowledge or consent.
Now, piggybacking might occur when an attacker
walks up to a secure area carrying a bunch of boxes
and they ask somebody to nicely open the door for them
because their hands are full.
If the employee trying to be nice,
opens the door and lets the attacker walk into the building,
this is known as piggy-backing
because two people are entering on one swipe
of the employee's access card.
The next social engineering attack we have to talk about
is known as shoulder surfing.
Now, shoulder surfing occurs
when an attacker comes up behind an employee
and tries to use direct observation
to obtain authentication information.
For example, you're sitting at your desk
and you're logging into your computer in the morning.
If I were to walk up near you and look over your shoulder,
as you typed in your password,
I might see your finger start going
P-A-S-S-W-O-R-D, password.
Now I know what your password is.
Now, this is the idea of shoulder surfing
because I've looked at your hands as you were doing it.
Now, usually it won't be as obvious
as me standing right behind you
and looking over your shoulder,
but it can take a lot of different forms.
Maybe I work at the desk next to yours
and I glance over your computer screen
and I see your bank balance or your credit card number
or something like that.
Any kind of information that someone's able to see
that they're not really authorized to see,
could be gained using shoulder surfing.
In the same way I can use eyes to conduct shoulder surfing,
I can also use my ears to conduct eavesdropping.
Now, maybe I'm going to stand around
while you're talking with your boss
and I overhear you telling him some information
about the projections for next quarter's profits.
By listening to your conversation
and doing that direct observation with my ears,
I'm now able to listen in on that conversation
and get the information that I might want to get.
The final method of social engineering we have
is known as dumpster diving.
Now, dumpster diving occurs when an attacker
actually scavenges for personal or confidential information
inside the garbage or recycling containers.
Yes, I know it sounds dirty, but guess what?
This works really well and so hackers are willing to do it
because they will find some really great information
inside those dumpsters.
If the attacker needs to break into an organization,
they're first going to look through your trash for clues.
For example, maybe I can perform dumpster diving
against an organization before I do a pen test.
And from there I can find a phone list.
Now, I have people's names and their positions
and their phone numbers, and maybe even their emails.
All of this is great information for me to use.
So how do you prevent an attacker from gaining access
to your information using dumpster diving?
Well, you either need to shred your paperwork
prior to throwing it away using a cross-cut shredder,
or you need to use a locked trash container
that only your organization
and the waste management company have access to.
Insider Threat.
In this lesson, we're going to discuss
the risk of an insider threat.
Now, an insider threat is an employee
or other trusted insider, such as a contractor, supplier
or business partner who uses their authorized network access
in unauthorized ways to cause harm to your company.
For example, if Tom in sales decides he's going to
download an entire copy of
our customer relationship management database,
and he takes it home with him to sell it
to one of our competitors, then Tom is an insider threat.
Now insider threats are one of the most dangerous threats
to your organization
because they are very difficult to find and stop
from a technical network perspective.
After all, these are people who have authorized credentials
to log onto the network and use all the different servers
and applications that you provide.
They have a valid username and password
so they can do their job.
But if they're not trustworthy, they can also use
that same access to harm your company and harm your network.
So what is the best way to catch an insider threat?
Well, it's by monitoring what accounts actually do
while they're logged in,
logging and alerting on unusual activity,
and building a culture where employees
are expected to question each other.
After all, if another employee sees somebody
doing some weird things,
like downloading large quantities of data at weird times
of the day, you want them to ask,
hey, what are you doing and why,
so you can determine if there's a legitimate business need,
or if this is an insider threat at work.
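The "large quantities of data at weird times of the day" signal above is exactly the kind of thing an insider's valid credentials cannot hide from, because the audit log records what the account did, not who was at the keyboard. The example below is added here to show that detection as code, run over a constructed CRM export-audit log (the Tom-in-sales scenario from earlier); it is not code from this course or from any SIEM product. The log format, the user names, the 10x spike threshold and the 07:00 to 19:00 UTC business-hours window are all assumptions of this example.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed export-audit log from a CRM application (one line per bulk export).
CRM_LOG = """\
2024-03-11T09:12:41Z user=tsmith action=export object=crm_contacts bytes=2400000 src=10.20.4.17
2024-03-11T15:03:09Z user=tsmith action=export object=crm_contacts bytes=1900000 src=10.20.4.17
2024-03-12T10:41:22Z user=tsmith action=export object=crm_contacts bytes=2100000 src=10.20.4.17
2024-03-11T11:00:00Z user=jdoe action=export object=crm_contacts bytes=3000000 src=10.20.4.31
2024-03-12T14:20:00Z user=jdoe action=export object=crm_contacts bytes=2600000 src=10.20.4.31
2024-03-13T02:14:05Z user=tsmith action=export object=crm_contacts bytes=1843200000 src=10.20.4.17
2024-03-13T02:31:48Z user=tsmith action=export object=crm_opportunities bytes=412000000 src=10.20.4.17
2024-03-13T11:05:00Z user=jdoe action=export object=crm_contacts bytes=2800000 src=10.20.4.31
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"object=(?P<object>\S+) bytes=(?P<bytes>\d+) src=(?P<src>\S+)$"
)


def parse_log(text: str) -> list:
    """Parse the constructed key=value format into event dicts; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        e["bytes"] = int(e["bytes"])
        events.append(e)
    return events


def detect_bulk_exfil(events: list, spike_ratio: float = 10.0, business_hours=(7, 19)) -> list:
    """Flag a user-day when its export volume is spike_ratio times that user's median daily volume
    on earlier days (a per-user baseline), or when any export happens outside business hours."""
    daily = defaultdict(lambda: defaultdict(int))      # user -> day -> total bytes
    off_hours = defaultdict(lambda: defaultdict(int))  # user -> day -> count of off-hours exports
    for e in events:
        day = e["ts"].date().isoformat()
        daily[e["user"]][day] += e["bytes"]
        if not (business_hours[0] <= e["ts"].hour < business_hours[1]):
            off_hours[e["user"]][day] += 1

    findings = []
    for user, days in daily.items():
        for day in sorted(days):
            prior = [days[d] for d in days if d < day]   # only earlier days feed the baseline
            ratio = days[day] / median(prior) if prior else None
            reasons = []
            if ratio is not None and ratio >= spike_ratio:
                reasons.append("volume-spike")
            if off_hours[user].get(day):
                reasons.append("off-hours")
            if reasons:
                findings.append({"user": user, "day": day, "bytes": days[day], "ratio": ratio,
                                 "off_hours_events": off_hours[user].get(day, 0), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in detect_bulk_exfil(parse_log(CRM_LOG)):
        print(f"{f['user']} {f['day']}: {f['bytes']} bytes, {f['ratio']:.0f}x baseline, "
              f"{f['off_hours_events']} off-hours exports -> {f['reasons']}")
```

Neither rule proves malice on its own; the alert is the prompt for the "what are you doing and why" conversation, and for checking whether there is a business reason, before the data leaves the building.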
Now I've worked at organizations where we've had employees
who were very vocal about their dislike of the organization
and how they wanted to see the organization fail
or get hurt.
Now, once I found out about this,
we carefully had to invite them to leave the organization
because their services were no longer required
and we couldn't trust them on our network.
Because if they're that angry with the company,
we don't want them hurting our company
by stealing our information.
Now, a great example of an insider threat
comes from the original "Jurassic Park" movie.
In that movie, they use a logic bomb
to cause harm to the park.
Now, a logic bomb is a specific type of malware
that's tied to either a logical event or a specific time.
In this case, we had a disgruntled IT administrator
and they would be an insider threat.
And they decided that they're going to make sure
that when they leave the company,
the company is going to regret it.
So going back to this example of the "Jurassic Park" movie,
there was an IT administrator who worked for the park
that housed all the dinosaurs.
He decided to create a script that would continually run
on that park's access control systems.
Each day, the technician had to log in and enter a code
or a password.
When he did that, a countdown clock reset
for another 24 hours,
and the countdown began again.
This way, if the clock ever reached zero,
he coded the system to unlock all the cages
that held the dinosaurs so they would run amok
and eat all the tourists.
Now in the movie, spoiler alert,
the technician goes missing because he gets killed
by a dinosaur on one of these days.
And then the entire park security system goes offline
because of his script when it reached zero
and it released all the animals
and this leads to chaos for the rest of the movie.
This is a classic example of a logic bomb
since it's configured as,
if the code isn't entered every 24 hours,
then open all the cages and make bad things happen.
Conversely, the attacker could have it set up
that on a specific date, like February 29, 2024,
the malware will launch and encrypt the entire hard drive
of the server, or it's going to delete all the files
or it's going to release all your confidential information
to WikiLeaks or whatever.
It really doesn't matter.
But the case here is, we're dealing with some kind
of an insider trying to cause bad things to happen
on our networks.