Information Security Threats and Vulnerability (PDF)

Summary

This document defines information security threats and vulnerabilities, including malware and various types of cyber threats. It also explains techniques used to spread malware, such as social engineering and compromised websites.

Full Transcript

Define Threat and Threat Sources ================================ What is a Threat? ----------------- A **threat** is the potential occurrence of an undesirable event that could cause [damage]. Attackers use cyber threats to [infiltrate] (проникновения) and [steal information]. Threat Sources --...

Define Threat and Threat Sources ================================ What is a Threat? ----------------- A **threat** is the potential occurrence of an undesirable event that could cause [damage]. Attackers use cyber threats to [infiltrate] (проникновения) and [steal information]. Threat Sources -------------- **Natural**: fires, floods, power failures **Unintentional** (Непреднамеренное): unskilled administrators, accidents, lazy or untrained employees Intentional: - **Internal**: fired employee, disgruntled (недовольный) employee, service provider, contractors - **External**: hackers, criminals, terrorist, foreign intelligence agent, corporate raiders Define Malware and its Types ============================ Introduction to Malware ----------------------- **Malware** -- malicious software, disables computer systems and gives control of the systems to an attacker for theft or fraud. Malware for: - [Browser] attack, tracking of visited sites - System [slowdown], performance degradation - [Hardware failure] -\> computer inoperable - Personal information [theft] Different Ways for Malware to Enter a System -------------------------------------------- - Messengers - Portable hardware media/removable devices - Browser and email software bugs - Untrusted sites, freeware apps/software - Downloading files from internet - Email attachment - Installation by other malware - Bluetooth and wireless network Common Techniques Attackers Use to Distribute Malware on the Web ---------------------------------------------------------------- **Black hat Search EngineOptimization (SEO)**: Ranking [malware pages highly] in search results **Social Engineered Click-jacking**: Tricking users into [clicking on innocent-looking] webpages **Spear-phishing Sites**: [Mimicking legitimate institutions] in an attempt to steal login credentials **Malvertising**: Embedding malware in [ad-networks] **Compromised Legitimate Websites**: Hosting embedded malware that spreads to [unsuspecting visitors] **Drive-by Downloads**: Exploiting flaws (недостатки) in browser software to install malware just [by visiting a web page] **Spam Emails**: Attaching the malware to emails and tricking victims to [click the attachment] Components of Malware --------------------- The components depend on the author\'s requirements. - **Crypter** -- software, protects malware from reverse engineering or analysis - **Downloader** -- Trojan, downloads other malware from the internet to PC - **Dropper** -- Trojan, installs other malware on the system - **Exploit** -- malicious code, breaks system security by exploiting software vulnerabilities - **Injector** -- program, injects its code into vulnerable running processes and changes the way they execute to hide or prevent its removal - **Obfuscator** -- program, hides its code and intended purpose - **Packer** -- program, allows all files to be merged into one executable file via compression - **Payload** -- part of the software, manages the computer system after it has been exploited - **Malicious** **Code** -- command, defines the basic functionalities of malware Types of Malware ---------------- - Trojans - Viruses - Ransomware - Computer Worms - Rootkits - PUAs or Grayware - Spyware - Keylogger - Botnets - Fileless Malware What is a Trojan? ----------------- **Trojan** -- program with malicious code inside an apparently harmless program or data. Activated when a user performs certain actions. Create a hidden communication channel between the victim\'s computer and the attacker to transfer sensitive data. *Indications of Trojan Attack:* - The [screen flashes], flips or inverts - The background or wallpaper setting changes automatically - Web pages open suddenly - OS colour settings change automatically - Antivirus automatically disables - Strange messages [pop up] *How Hackers Use Trojans:* - Delete or replace [OS files] - [Record] screenshots, audio or video from the victim\'s PC - Spam and blast (врыв) email messages - Download spyware, adware and malware files - Disable firewalls and antivirus - Create backdoors - Steal personal information - [Encrypt data] and block access to machine *Types of Trojans:* Trojans are categories according to their functioning and targets: - - Remote Access Trojans - Backdoor Trojans - Botnet Trojans - Rootkit Trojans - E-Banking Trojans - Point-of-Sale Trojans - Defacement Trojans - Service Protocol Trojans - Mobile Trojans - IoT Trojans - Security Software Disabler Trojans - Destructive Trojans - DDoS Attack Trojans - Command Shell Trojans *Creating a Trojan:* **Trojan Horse construction kits** help attackers to [construct Trojan horses] of their choice Trojan Horse Construction Kits: - DarkHorse Trojan Virus Maker - Trojan Horse Construction Kit - Senna Spy Trojan Generator - Batch Trojan Generator - Umbra Loader - Botnet Trojan Maker **Theef RAT Trojan** -- Remote Access Trojan written in Delphi. What is a Virus? ---------------- **Virus** -- [self-replicating program] that produces its own copy by attaching itself to another program, computer boot sector or document. Characteristics: - Infect other programs - Transform themselves - Encrypt themselves - Alter data - Corrupt files and programs - Self-replicate *Purpose of Creating Viruses:* - Damage to competitors - Financial benefits - Vandalize intellectual property - Prank/research - Cyberterrorism - Spread political messages - Damage networks and computers - Remote access *Indications of Virus Attack:* - Processes require more resources and time - Computer beeps with no display - OS does not load - Constant antivirus alerts - Computer freezes frequently, BSOD error - Files and folders missing - Suspicious activity on the hard drive - Browser window \"freezes\" *Stages of Virus Lifecycle* 1. Design: develops the virus 2. Replication: replicates on the target system, then spreads itself 3. Launch: activated when the user performs the specified actions 4. Detection: identified as a threat 5. Incorporation: antivirus developers develop defences 6. Execution of the damage routine: sers update the antivirus and eliminate threats *How does a Computer Get Infected by Viruses?* - accepts and downloads files without source checking - opening infected email attachments - pirated software - do not update plugins - not running the latest version of antivirus - clicking on malicious ads - portable media - connection to an unreliable network *Types of Viruses:* Viruses are categories according to their [functioning] and [targets]. - - System or Boot Sector Virus - File and Multipartite Virus - Macro and Cluster Virus - Stealth/Tunneling Virus - Encryption Virus - Sparse Infector Virus - Polymorphic Virus - Metamorphic Virus - Overwriting File or Cavity Virus - Companion/Camouflage Virus - Shell and File Extension Virus - FAT and Logic Bomb Virus - Web Scripting Virus - Email and Armored Virus - Add-on and Intrusive Virus - Direct Action or Transient Virus - Terminate & Stay Resident Virus *Creating a Virus:* Two different ways: - Writing a Virus Program: 1. Create a batch file Game.bat with this text @ echo off\ for %%f in (\*.bat) do\ copy %%f + Game.bat\ del c:\\Windows\\\*.\* 2. Covert to Game.com via bat2com utility 3. Send as an email attachment 4. When run, it copies itself and deletes all files in Windows directory - Using Virus Maker Tools: - DELmE's Batch Virus Maker - Bhavesh Virus Maker SKW - Deadly Virus Maker - SonicBat Batch Virus Maker - TeraBIT Virus Maker - Andreinick05\'s Batch Virus Maker**\ ** Ransomware ---------- **Ransomware** -- [restricts access] to files and folders. Requires payment of a [ransom] to remove restrictions. Computer Worms -------------- **Worms** -- malicious programs, [independently replicated], [executed] and [spread] across network connections. Consume (потребляет) available computing resources without human interaction Used to install [backdoors]. *How is a Worm Different from a Virus?* Worm can replicate and use memory, but [cannot attach itself to other programs]. A worm uses the file or information transfer capabilities of systems and automatically [spreads through an infected network], while a virus does not. *Worm Makers:* **Internet Worm Maker Thing** -- open-source tool to create worms that can infect discs, files, show messages, disable antivirus. Rootkits -------- **Rootkits** -- programs that [hide their presence] and malicious actions of the attacker, granting full access to the server or hosting. Replace certain operating system calls and utilities with their own [modified versions]. Comprises (включает в себя) backdoor programs, DDoS programs, packet sniffers, log-wiping utilities, IRC robots and etc. The attacker places a rootkit by: - Scanning for [vulnerable] computers and servers - [Wrapping] (упаковывая) it in a special package - Installing on public or corporate computers through [social engineering] - Launching a zero-day attack Objectives of a rootkit: - Gain remote backdoor access - [Mask] attacker tracks and presence of malicious - Gather sensitive data, network traffic - Store other malicious programs Potentially Unwanted Application or Applications (PUAs) ------------------------------------------------------- Also known as **grayware** or junkware -- applications that may pose a [risk] to data security and privacy. Installed when [downloading freeware] or accepting a misleading (обманчивый) licence agreement. Covertly (скрытно) [monitor] and [alter data] or settings. Types: - Adware - Torrent - Marketing - Cryptomining - Dialers Adware ------ **Adware** -- software or program that generates [unwanted ads and pop-ups]. Tracks cookies and user browsing patterns. [Wastes CPU] and memory resources. Indications of Adware: - Frequent system lag - Inundated (затопленный) advertisements - Incessant (непрекращающийся) system crash - Disparity (несоответствие) in the default browser homepage - Presence of new toolbar or browser add-ons - Slow Internet Spyware ------- **Spyware** -- stealthy program that [records the user\'s interactions] with computer and Internet. Hides its process, files, etc. Spyware Propagation (распространение): - Drive-by download - Masquerading as anti-spyware - Cookies - Browser add-ons - Piggybacked software installation - Web browser vulnerability exploits What Does the Spyware Do? - Steals personal information - Monitors users\' online activity - Displays pop-ups - Redirects to advertising sites - Changes default browser settings - Changes firewall settings Keylogger --------- Programs or hardwares that track keystrokes when user typing. *What a Keylogger can Do?* - Record every keystroke - Capture screenshots - Track user activity - Monitor users\' online activity - Record usernames, bank details, passwords - Record online chat conversations Botnets ------- **Botnets** are a collection of [compromised computers] connected to the Internet. **Bot** program or an infected system performs repetitive work or acts as an agent or as a UI to control other programs. *Why Attackers use Botnets?* - DDoS attacks - Use a sniffer to steal information from one botnet and use it against another - Keylogging to log in to an account for services - Spreading new bots - Perpetrate (совершать) "click fraud" (мошенничество) - Identity theft Fileless Malware ---------------- **Fileless malware** (*non-malware*) infects [legitimate software], [applications], and other protocols. It is stored in [RAM] (оперативная память). Injects malicious code into running processes (Microsoft Word, Flash, Adobe PDF Reader, etc.). *Reasons for Using Fileless Malware in Cyber Attacks:* - [Stealthy in nature]: Exploits legitimate system tools - [Living-offthe-land]: Exploits default system tools - [Trustworthy]: Uses tools that are frequently used and trusted *Fileless Propagation Techniques*: - Phishing emails - Infection through lateral (боковом) movement - Registry manipulation - Legitimate applications - Memory code injection - Native applications - Malicious websites - Script-based Injection Trojan Countermeasures ---------------------- - Do not open email attachments from [unknown senders] - Block [unnecessary ports] on the host and firewall - Do not accept [programs transferred] by from messengers - Strengthen the default [configuration settings] - Disable [unused functionality] Virus and Worm Countermeasures ------------------------------ - Install an [antivirus] and update it - [Regular scan] for all drives (диск) - When [downloading files] from the Internet, pay attention to the instructions - Do not open [attachments] from an unknown sender - Make regular [data backups] Rootkit Countermeasures ----------------------- - [Reinstall the OS/application] from a trusted source after backup - [Well-documented automated] installation procedures - Protect your [workstation] or [server] from attack - Install [firewalls] - Avoid logging into an account with [administrator rights] Spyware Countermeasures ----------------------- - Avoid using computer networks that are not completely [under your control] - [Browser security settings] at a high level for the Internet zone - Be careful with [suspicious emails] and websites - Check the [Task manager report] and MS configuration manager report - Install [antispyware] software PUAs/ Adware Countermeasures ---------------------------- - To download the software, use [trusted websites] - Read the [license agreement] before installation - Avoid setting up using the [express method] or the recommended method - Install [antivirus], [anti-adware] software - Vigilance (Бдительность) towards [social engineering] Keylogger Countermeasures ------------------------- - *Pop-up blockers*, avoid opening unwanted *emails* - *Antispyware/antivirus* programs - *Firewall* and protection against keylogging - Software for *interference* (вмешательство) when pressing keys (randomized characters) - *On-screen keyboard* for password Fileless Malware Countermeasures -------------------------------- - Remove administrative tools, restrict access using [Windows Group Policy] and Windows AppLocker - Disable [PowerShell] and WMI when not in use - Disable [PDF readers] - Perform periodic [AV scan] - Disable [Flash] Define Vulnerabilities ====================== What is Vulnerability? ---------------------- Existence of **weakness** in an asset that can be exploited by threat agents. *Common Reasons behind the Existence of Vulnerability*: - Hardware or software misconfiguration - Insecure or poor network or application design - Technology weaknesses - Careless approach of end users *Vulnerability Classification:* - Misconfiguration - Default Installations - Buffer Overflows - Unpatched Servers - Design Flaws (Недостатки) - Operating System Flaws - Application Flaws - Open Services - Default Passwords - Zero-day/Legacy Platform vulnerabilities *Impact of Vulnerabilities:* - Information disclosure - Unauthorized access - Identity theft - Financial loss - Legal consequences - Reputational damage - Data modification Examples of Network Security Vulnerabilities -------------------------------------------- ***Technological Vulnerabilities**:* - *TCP/IP Protocol*: HTTP, FTP, ICMP, SNMP, SMTP are insecure. - *Operating System*: Vulnerable due to inherent (внутренняя) insecurity or missing updates. - *Network Devices*: Routers, firewalls, switches can be at risk from weak passwords, no authentication, insecure routing, and firewall flaws. **Configuration Vulnerabilities**: - *User account vulnerabilities*: Insecure transfer of user account data - *System account vulnerabilities*: Weak password - *Internet service misconfiguration* - *Default password and settings* - *Network device misconfiguration* **Security Policy Vulnerabilities:** - Unwritten Policy: Difficult to implement - Lack of Continuity - Politics: Challenges for implementing a consistent security policy - Lack of awareness Define Vulnerability Assessment =============================== Vulnerability Research ---------------------- The process of analyzing protocols, services, and configurations to identify vulnerabilities and design flaws. Vulnerabilities are classified depending on the severity level (low, medium, high) and the exploit range (local, remote). *An administrator needs vulnerability research to:* - Gather information about [security trends, threats, attack surfaces] and so on. - Discover [weaknesses] in the OS and applications. - Gather info to [prevent of security issues]. - Know [how to recover] from an attack What is Vulnerability Assessment? --------------------------------- [Examination of the ability of a system or application] to withstand (противостоять) exploitation. Recognizes, measures, and classifies security vulnerabilities in a [computer system], [network], and [communication channels]. Used for: - Identify weaknesses - Predict the effectiveness of additional security measures Vulnerability Scanning ---------------------- *Obtained Info:* - OS version - Open ports - Apps and services vulnerabilities - Apps and services configuration errors - Accounts with weak passwords - Missing patches and hotfix *Approaches:* **Active** Scanning -- [interact] directly **Passive** Scanning -- [without] directly interacting Vulnerability Scoring Systems and Databases ------------------------------------------- **Common Vulnerability Scoring System (CVSS)**: an open framework for [communicating] (передача информации) the [characteristics] and [impacts] of vulnerabilities. Allows to view the vulnerability [characteristics used to generate the scores]. **Common Vulnerabilities and Exposures (CVE)**: list or dictionary of standardized identifiers of common vulnerabilities. **National Vulnerability Database (NVD)**: - U.S. government repository for vulnerability management data using Security Content Automation Protocol (SCAP). - Automates vulnerability management, security measurement, and compliance (соблюдение требований). - Includes databases on security checklists, software flaws, misconfigurations, and impact metrics. **Common Weakness Enumeration (CWE)**: A system for categorizing software vulnerabilities and weaknesses. Contains over [600 weakness categories] for identification and mitigation (смягчение последствий). Types of Vulnerability Assessment --------------------------------- **Active**: Scans networks for hosts, services, and vulnerabilities. **Host-based**: Checks system configurations for potential compromises. **External**: Identifies vulnerabilities accessible from outside the network. **Application**: Tests web infrastructure for misconfigurations and vulnerabilities. **Passive**: Used to sniff the network traffic. **Internal**: Scans the internal infrastructure. **Network-based**: Determines possible network security attacks. **Database**: Testing databased for the presence of data exposure (раскрытие) or injection. **Wireless Network**. **Distributed**: Assesses the distributed organization assets (client and server apps) **Credential**: Assesses (оценивает) the network by obtaining the credentials (учетные данные) of all machines present in the network. **Non-Credential**: Without any credentials. **Manual**. **Automated**: Use various vulnerability assessment tools (Nessus, Qualys, etc.) Vulnerability-Management Life Cycle ----------------------------------- - Identify Assets and Create a Baseline - Vulnerability Scan - Risk Assessment - Remediation - Verification - Monitor Vulnerability Assessment Tools ------------------------------ **Qualys Vulnerability Management**: Cloud-based service providing visibility into IT vulnerabilities and helping protect against threats. **OpenVAS**: A powerful framework for vulnerability scanning and management. **GFI LanGuard**: Scans, detects, and fixes security vulnerabilities in networks and devices. Vulnerability Exploitation -------------------------- The steps involved are as follows: - Identify the vulnerability - Assess risks - Determine capabilities - Develop exploits - Selecting delivery methods (local/remote) - Generate and deliver the payload - Gain remote access

Use Quizgecko on...
Browser
Browser