1.1 Cyber Security

Week 1 Day 1 - Introduction and Cyber Threats

Last Update Unknown

Cyber Security

Malware: Software with malicious intent

Virus: Malware that attaches itself to another file or program in order to infect a computer, and needs that host file to be run in order to spread.

Worm: A self-contained program that exploits a network security weakness to replicate itself across computer networks without user interaction.

Trojan: A program that hides in or masquerades as desirable software, such as a utility or a game.

Ransomware: A type of malicious software designed to block access to a computer system until a sum of money is paid.

Vulnerability: A weakness in a system, process or control that could be exploited

Threat: An event, actor or activity that could potentially exploit a vulnerability

Risk: The likelihood that a threat exploits a vulnerability, combined with the consequences if it does


CIA

Confidentiality

  • Prevents unauthorised access to, or disclosure of, sensitive information
  • e.g. eavesdropping on communication channels, theft of passwords from a server via a web attack, theft of credentials via phishing or malware.


Integrity

  • Prevents unauthorised modification of information
  • e.g. attacks using cracked passwords to log in to systems and change data or software


Availability

  • Prevents loss of authorised access to assets
  • e.g. DoS attacks against servers/communications links.

Top 10 Security Vulnerabilities


Network Models


Attack Types

Reconnaissance Methods

Eavesdropping - Packet Sniffing

An attacker intercepts data transmitted between two devices; in the active form the data may also be deleted or modified in transit. Relies on unsecured (unencrypted) network communications to read data passing between devices.


Wireshark Packet Sniffing/Analysis

The practice of gathering, collecting and logging some or all packets that pass through a computer network, regardless of how each packet is addressed (the capturing interface is placed in promiscuous mode so that it accepts frames not destined for it).

Wireshark can be used to analyse these traffic captures through its protocol dissectors, capture filters and display filters.
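The following is an added example, not part of the original notes, showing what a sniffer actually does with a captured frame: it decodes the Ethernet, IPv4 and TCP headers and then reads whatever the application sent in the clear. The frames, addresses and the FTP login (USER/PASS) are constructed for the demo; real captures would come from Wireshark or tcpdump. The frame to port 443 stands in for TLS and yields nothing, which is the point of the "encrypt sensitive traffic" mitigation below.

```python
import struct

ETHERTYPE_IPV4 = 0x0800
PROTO_TCP = 6


def _ip_bytes(dotted):
    return bytes(int(x) for x in dotted.split("."))


def build_frame(src_ip, dst_ip, sport, dport, payload):
    """Construct an Ethernet/IPv4/TCP frame for the demo (checksums left at zero;
    this only has to be parseable, not routable)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, PROTO_TCP, 0,
                     _ip_bytes(src_ip), _ip_bytes(dst_ip))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload


def parse_frame(raw):
    """Decode Ethernet -> IPv4 -> TCP headers and return the flow 4-tuple plus payload."""
    if struct.unpack("!H", raw[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ip = raw[14:]
    ihl = (ip[0] & 0x0F) * 4                 # IPv4 header length in bytes
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != PROTO_TCP:
        return None
    ip = ip[:total_len]                      # drop any Ethernet padding
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    tcp = ip[ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4            # TCP header length in bytes
    return {"src": src, "dst": dst, "sport": sport, "dport": dport, "payload": tcp[data_off:]}


def extract_ftp_credentials(frames):
    """Follow each client->server flow and pair the FTP USER and PASS commands it carries."""
    pending_user = {}
    found = []
    for raw in frames:
        pkt = parse_frame(raw)
        if pkt is None:
            continue
        flow = (pkt["src"], pkt["dst"], pkt["sport"], pkt["dport"])
        for line in pkt["payload"].decode("ascii", errors="ignore").splitlines():
            if line.startswith("USER "):
                pending_user[flow] = line[5:].strip()
            elif line.startswith("PASS ") and flow in pending_user:
                found.append((pkt["src"], pkt["dst"], pending_user.pop(flow), line[5:].strip()))
    return found


# Constructed sample capture: an FTP login in the clear, plus one TLS record to port 443
SAMPLE_FRAMES = [
    build_frame("10.0.0.5", "10.0.0.9", 51000, 21, b"USER alice\r\n"),
    build_frame("10.0.0.9", "10.0.0.5", 21, 51000, b"331 Password required for alice\r\n"),
    build_frame("10.0.0.5", "10.0.0.9", 51000, 21, b"PASS s3cret!\r\n"),
    build_frame("10.0.0.5", "10.0.0.9", 51001, 443, b"\x16\x03\x03\x00\x2a\x01\x00\x00\x26" + bytes(range(38))),
]

if __name__ == "__main__":
    for src, dst, user, password in extract_ftp_credentials(SAMPLE_FRAMES):
        print(f"{src} -> {dst}: USER={user} PASS={password}")
```

The same header walk is what Wireshark's dissectors do before a display filter such as `ftp` or `tcp.port == 21` is applied; the only reason the credentials are recoverable is that FTP sends them unencrypted.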


Social Engineering

Use social methods to deceive users into giving up information or doing something they wouldn't normally do

Very difficult to defend against


Phishing

The fraudulent practice of sending emails or other messages purporting to be from reputable companies in order to induce individuals to reveal personal information, such as passwords and credit card numbers.


Host Discovery/Network Sweeping

Send packets to an entire network address range; the active machines reply, revealing which hosts are up.

Use tools such as nmap and Nessus to scan the discovered hosts for open services on well-known ports
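An added example, not from the original notes, of the service-discovery step in the simplest form nmap offers (a TCP connect scan, `nmap -sT`): a completed three-way handshake means the port is open, a refusal means it is closed. To keep it runnable offline the demo starts its own listener on 127.0.0.1 to stand in for a target service; the host list and ports are therefore assumptions of the demo, not real targets.

```python
import socket


def scan_ports(host, ports, timeout=0.3):
    """TCP connect() scan: a completed handshake means the port is open.
    Equivalent to `nmap -sT -p <ports> <host>` without nmap's timing and evasion options."""
    open_ports = []
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            # connect_ex returns 0 on success, otherwise an errno such as ECONNREFUSED
            if s.connect_ex((host, port)) == 0:
                open_ports.append(port)
    return open_ports


def sweep(hosts, ports, timeout=0.3):
    """Host/service sweep over an address list: a host with at least one open port is alive."""
    return {host: found for host in hosts if (found := scan_ports(host, ports, timeout))}


def demo():
    """Stand up one local listener as the 'target service' and scan it next to a closed port."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))                # the OS picks a free port
    listener.listen(5)
    open_port = listener.getsockname()[1]

    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind(("127.0.0.1", 0))
    closed_port = probe.getsockname()[1]
    probe.close()                                   # released without listening -> connection refused

    try:
        result = sweep(["127.0.0.1"], [closed_port, open_port])
    finally:
        listener.close()
    return open_port, closed_port, result


if __name__ == "__main__":
    print(demo())
```

A connect scan completes the handshake, so it shows up in the target's application logs; this is why the mitigation list below points at firewalls and intrusion detection for spotting reconnaissance traffic.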


Mitigation

  • Encrypt sensitive traffic
  • A switched network, with VLANs, helps segment traffic and can help prevent eavesdropping (a switch only forwards unicast frames to the destination port, so a passive sniffer elsewhere on the segment sees far less)
  • Firewalls and intrusion detection systems can monitor and block unwanted reconnaissance traffic
  • Employees should be educated on a regular basis about the dangers of social engineering
  • Employees should be educated to think about links/email attachments before clicking
  • Email sandboxing and link/attachment content filtering/analysis

Access Attacks

Online Password Guessing

Attack password authentication online by attempting to log in and actually authenticate with the service by guessing passwords. Many attempts are made until authentication succeeds. Services may lock out or disable the account after a threshold of failed attempts is reached to combat this.


Offline Password Cracking

The attacker has a copy of the encrypted material or a password hash and can try candidate passwords or keys offline, at full speed and without the risk of discovery or interference, since no lockout or logging applies.
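The contrast between the two preceding attacks, as an added example that is not part of the original notes. The login service, the lockout threshold of five, the wordlist and the password are all constructed for the demo. Online guessing hits the lockout before it reaches the right guess; the same wordlist run offline against a leaked hash is unthrottled, and the only thing that slows it down is a deliberately slow, salted hash.

```python
import hashlib
import hmac
import os
import time

PBKDF2_ROUNDS = 50_000


def slow_hash(password, salt):
    """Salted, iterated hash as a server should store (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def fast_hash(password, salt=b""):
    """Unsalted single SHA-256, the kind of hash that leaks and cracks quickly."""
    return hashlib.sha256(salt + password.encode()).digest()


class LoginService:
    """Toy online authentication endpoint with a failed-attempt lockout (constructed for this example)."""

    def __init__(self, username, password, lockout_threshold=5):
        self.username = username
        self.salt = os.urandom(16)
        self.stored = slow_hash(password, self.salt)
        self.lockout_threshold = lockout_threshold
        self.failures = 0
        self.locked = False

    def login(self, username, password):
        if self.locked:
            return "locked"
        if username == self.username and hmac.compare_digest(slow_hash(password, self.salt), self.stored):
            self.failures = 0
            return "ok"
        self.failures += 1
        if self.failures >= self.lockout_threshold:
            self.locked = True
            return "locked"
        return "denied"


def online_guess(service, username, wordlist):
    """Attacker talks to the live service; every guess is visible to it and counts towards lockout."""
    for attempts, guess in enumerate(wordlist, 1):
        outcome = service.login(username, guess)
        if outcome == "ok":
            return ("cracked", guess, attempts)
        if outcome == "locked":
            return ("locked", None, attempts)
    return ("exhausted", None, len(wordlist))


def offline_crack(target, wordlist, derive):
    """Attacker holds a leaked hash; nothing throttles, logs or locks the guesses."""
    start = time.perf_counter()
    for attempts, guess in enumerate(wordlist, 1):
        if hmac.compare_digest(derive(guess), target):
            return ("cracked", guess, attempts, time.perf_counter() - start)
    return ("exhausted", None, len(wordlist), time.perf_counter() - start)


# Constructed wordlist; the real password is last so the lockout is reached first
WORDLIST = ["123456", "password", "qwerty", "letmein", "welcome", "monkey", "dragon", "s3cret!"]


def demo(password="s3cret!"):
    svc = LoginService("alice", password, lockout_threshold=5)
    online = online_guess(svc, "alice", WORDLIST)

    leaked_fast = fast_hash(password)                       # e.g. an unsalted hash dumped from a database
    offline_fast = offline_crack(leaked_fast, WORDLIST, fast_hash)

    # Even the salted slow hash falls to a dictionary attack; it just costs more per guess
    offline_slow = offline_crack(svc.stored, WORDLIST, lambda g: slow_hash(g, svc.salt))
    return {"online": online, "offline_fast": offline_fast, "offline_slow": offline_slow}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The timing difference between the two offline runs is the whole argument for slow, salted password hashing: it does not stop a dictionary attack on a weak password, it multiplies the attacker's cost per guess.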


IP Spoofing

The act of falsifying the source address in the IP header, usually with randomised addresses, either to mask the sender's identity or to launch a reflected DDoS attack. It can also be used to impersonate another host.


Man-in-the-Middle

Hijack a conversation to gain access to resources, steal data by masquerading as the server, or deliver malicious software by masquerading as a download site or a scraped copy of a web page.


Mitigation

  • Always use strong passwords
  • Disable accounts after a certain number of unsuccessful login attempts
  • Enforce regular password changing (note that current guidance such as NIST SP 800-63B favours screening passwords against breached-password lists over forced periodic rotation)
  • The trust model should be built so that systems inside the firewall do not trust systems outside it, or on a DMZ network
  • Use encrypted VPNs for sensitive communications
  • Patch systems regularly
  • Application-layer inspection by firewalls and intrusion detection systems
  • Device hardening - remove unneeded services/commands

Denial of Service Attacks

SYN Flood

Attacker sends a flood of TCP packets with the SYN flag set from a single attacking machine, often with spoofed source addresses; the target allocates a half-open connection for each one and its connection table fills up.


Distributed DoS

Involves multiple compromised online devices, collectively known as a botnet, which are used to overwhelm a target website with traffic.


Reflection / Amplification DoS Attacks

Intermediate devices (reflectors) are used to reflect and amplify the attack traffic: the attacker sends requests with the victim's address spoofed as the source, and the reflectors send their replies to the victim.

UDP-based network protocols such as DNS and NTP are used because they need no handshake and their responses can be many times larger than the requests.


Mitigation

  • Firewalls, routers and switches can be configured to monitor and block traffic above certain rate-based thresholds
  • Directed broadcasts and similar should not be allowed on network devices
  • Online service providers such as Cloudflare have large data centres worldwide which can absorb DDoS attacks
  • Be aware that some DDoS attacks cannot be mitigated locally! If the attacker sends 15Gbps of traffic to your 10Gbps connection...
  • Bring down botnets - remove command-and-control (C&C) servers
  • Google Project Shield - DDoS protection service
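An added example, not from the original notes, of the rate-based threshold detection named in the first mitigation above, run over constructed flow records (timestamp, source, destination, destination port, TCP flags). It counts SYNs in a sliding one-second window per source, which catches the single-machine SYN flood, and per destination service, which is the only view that catches a flood whose source addresses are spoofed or spread across a botnet. The thresholds and addresses are assumptions chosen for the sample data.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 1.0
SRC_THRESHOLD = 20      # SYNs from one source within the window (constructed value)
DST_THRESHOLD = 40      # SYNs towards one service within the window (constructed value)


def sliding_peaks(events, window):
    """For each key, the largest number of events that fall inside any window-length interval."""
    peaks = {}
    for key, times in events.items():
        recent, peak = deque(), 0
        for t in sorted(times):
            recent.append(t)
            while recent and t - recent[0] > window:
                recent.popleft()
            peak = max(peak, len(recent))
        peaks[key] = peak
    return peaks


def detect_syn_flood(records, window=WINDOW_SECONDS, src_threshold=SRC_THRESHOLD, dst_threshold=DST_THRESHOLD):
    """Flag sources and destination services whose SYN rate exceeds the configured thresholds."""
    by_src, by_dst = defaultdict(list), defaultdict(list)
    for ts, src, dst, dport, flags in records:
        if flags == "S":                      # SYN only: a bare SYN that never completes the handshake
            by_src[src].append(ts)
            by_dst[(dst, dport)].append(ts)
    src_peaks = sliding_peaks(by_src, window)
    dst_peaks = sliding_peaks(by_dst, window)
    return {
        "by_source": {k: v for k, v in src_peaks.items() if v > src_threshold},
        "by_destination": {k: v for k, v in dst_peaks.items() if v > dst_threshold},
    }


def build_records():
    """Constructed sample traffic: two legitimate clients, one SYN flood from a single host,
    and one flood spread over many spoofed sources."""
    records = []
    for t in (0.0, 0.4, 0.9):                                  # normal client: SYN then ACK
        records.append((t, "10.0.0.5", "10.0.0.9", 80, "S"))
        records.append((t + 0.05, "10.0.0.5", "10.0.0.9", 80, "A"))
    records.append((0.2, "10.0.0.6", "10.0.0.9", 443, "S"))
    records.append((0.25, "10.0.0.6", "10.0.0.9", 443, "A"))
    for i in range(30):                                        # single-source SYN flood, 30 SYNs in 0.3s
        records.append((2.0 + i * 0.01, "203.0.113.7", "10.0.0.9", 80, "S"))
    for i in range(45):                                        # spoofed sources, one SYN each, same service
        records.append((5.0 + i * 0.01, f"198.51.100.{i + 1}", "10.0.0.9", 25, "S"))
    return records


if __name__ == "__main__":
    print(detect_syn_flood(build_records()))
```

The spoofed flood never trips the per-source rule, because every packet carries a different address; only the per-destination count sees it. This is why the notes' other mitigations (upstream absorption, SYN cookies on the host) matter when the attacker controls the source field.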

Malicious Software

Malware 

Software with malicious intent, and typically performs actions the user did not intend



Viruses

Malicious parasitic code

  • Executable code attached / inserted into another program / file
  • User interaction to replicate / spread


Worms

Self-contained / replicating malware

  • Typically no user interaction needed
  • Scan for other systems to infect


Trojan Horses

Entire applications written to look like legitimate software (such as a utility or game) but containing malicious code

  • Doesn't replicate


Rootkits

  • Typically low-level malware that replaces or hooks system files and components in order to hide its own presence from the operating system and security tools
  • Typically allows persistent remote access to the system


Ransomware

Used to extort money from users to unlock / decrypt files

  • Deny access to system
  • Encrypts files on the victim machine/device


Mitigation

Defend against known vulnerabilities

  • Defend perimeters to mitigate spread, using firewalls/network intrusion detection/proxies
  • Antivirus use and signature updating
  • Patch the operating system and application software
  • Content filtering to identify/remove known malware from network traffic
  • Digital signatures can authenticate active code


Defend against known/unknown attacks

  • Monitor the integrity of systems - host-based intrusion detection compares the current state against a known-good baseline and can detect files being added, changed or removed
  • Monitor the integrity of network traffic using network intrusion detection (advanced anomaly-based detection - changes from normal traffic)
  • Harden devices and systems by removing unwanted services/applications to reduce the attack surface
  • Separation of services to defend against trust attacks
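The host-based integrity monitoring from the first point above, as an added example that is not part of the original notes. The file tree, the baseline and the simulated compromise (a trojanised binary, an appended passwd entry, a dropped module, a deleted audit config) are all constructed inside a temporary directory; the baseline is a JSON map of path to SHA-256, which is essentially what tools like AIDE or Tripwire keep.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def file_digest(path, chunk=65536):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(root):
    """Map every regular file under root (relative POSIX path) to its SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): file_digest(p) for p in sorted(root.rglob("*")) if p.is_file()}


def save_baseline(snap, path):
    Path(path).write_text(json.dumps(snap, indent=2, sort_keys=True))


def load_baseline(path):
    return json.loads(Path(path).read_text())


def compare(baseline, current):
    """Report files that appeared, changed or vanished since the baseline was taken."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p]),
    }


def demo():
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "host"
        for rel, data in {                                    # constructed known-good host
            "bin/ls": b"#!/bin/sh\nexec /usr/bin/ls \"$@\"\n",
            "etc/passwd": b"root:x:0:0:root:/root:/bin/sh\n",
            "etc/audit.conf": b"log_format = ENRICHED\n",
        }.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_bytes(data)
        baseline_file = Path(tmp) / "baseline.json"          # kept outside the monitored tree
        save_baseline(snapshot(root), baseline_file)

        # Simulated compromise: trojanised binary, backdoor account, dropped module, auditing disabled
        (root / "bin/ls").write_bytes(b"#!/bin/sh\n# trojanised copy\nexec /usr/bin/ls \"$@\"\n")
        with open(root / "etc/passwd", "ab") as f:
            f.write(b"backdoor:x:0:0::/:/bin/sh\n")
        (root / "lib").mkdir()
        (root / "lib/rk.ko").write_bytes(b"\x7fELF constructed rootkit module stand-in")
        (root / "etc/audit.conf").unlink()

        return compare(load_baseline(baseline_file), snapshot(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two operational points the code glosses over: the baseline must be stored where the attacker cannot rewrite it (read-only media or another host), and a rootkit that hooks the file system can feed the scanner clean data, which is why this check is strongest when run from outside the suspect OS.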

Attacks by Network Model Layer


Security Policy

Security Policies are important to protect the organisation, its assets, and people and detail what must be done to protect those assets.


People have to perform tasks and make decisions regarding information and assets which are at risk. Policy should help reduce risk while also minimising user liability.


Antivirus

Virus detection software checks files against a database of known virus signatures (file hashes and characteristic byte patterns).

Computer users must regularly update the signature database on their system so that files are checked against all known viruses; a new variant that is not yet in the database will not be detected.

If an infected file cannot be deleted or cleaned, it is quarantined (kept in a separate area of the hard disk where it can't infect other files or be run).
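An added example, not part of the original notes, of how signature-based detection and quarantine work. The "malware" is a constructed byte string, the signature database is built from it in the script, and the files live in a temporary directory. The interesting case is `variant.exe`: one byte differs from the known sample, so the hash signature misses it, which is exactly why the database has to be updated as new variants appear and why byte-pattern signatures are kept alongside hashes.

```python
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

# Constructed samples standing in for malware; these are inert byte strings
DROPPER = b"MZ\x90\x00constructed-dropper-sample\x00" + bytes(range(64))
BAD_PATTERN = b"\xde\xad\xbe\xefCONSTRUCTED-BAD-PATTERN"

# Signature database: exact-file hashes plus byte patterns (what a definitions update delivers)
SIGNATURES = {
    "hashes": {hashlib.sha256(DROPPER).hexdigest(): "Test.Dropper.A"},
    "patterns": [(BAD_PATTERN, "Test.Pattern.B")],
}


def scan_file(path, signatures=SIGNATURES):
    """Return the signature name that matches, or None if the file is clean as far as we know."""
    data = Path(path).read_bytes()
    name = signatures["hashes"].get(hashlib.sha256(data).hexdigest())
    if name:
        return name
    for pattern, pname in signatures["patterns"]:
        if pattern in data:
            return pname
    return None


def quarantine(path, qdir):
    """Move the file out of harm's way and record where it came from (no deletion here)."""
    qdir = Path(qdir)
    qdir.mkdir(parents=True, exist_ok=True)
    target = qdir / (Path(path).name + ".quar")
    shutil.move(str(path), target)
    (qdir / (Path(path).name + ".json")).write_text(json.dumps({"original": str(path)}))
    return target


def scan_tree(root, qdir, signatures=SIGNATURES):
    """Scan every file under root, quarantining detections; returns (relative path, signature) pairs."""
    detections = []
    for p in sorted(Path(root).rglob("*")):
        if p.is_file():
            name = scan_file(p, signatures)
            if name:
                detections.append((p.relative_to(root).as_posix(), name))
                quarantine(p, qdir)
    return detections


def demo():
    with tempfile.TemporaryDirectory() as tmp:
        root, qdir = Path(tmp) / "files", Path(tmp) / "quarantine"
        root.mkdir()
        (root / "notes.txt").write_bytes(b"quarterly figures\n")
        (root / "dropper.exe").write_bytes(DROPPER)
        (root / "tool.bin").write_bytes(b"harmless prefix" + BAD_PATTERN + b"suffix")
        (root / "variant.exe").write_bytes(DROPPER[:-1] + b"\xff")   # one byte differs: hash signature misses it
        detections = scan_tree(root, qdir)
        remaining = sorted(p.name for p in root.iterdir())
        quarantined = sorted(p.name for p in qdir.iterdir())
        return {"detections": detections, "remaining": remaining, "quarantined": quarantined}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```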