Examines three attack vectors, specifically, the different types of malware used in malicious attacks, web application attacks, and finally, network based attacks. Concludes by examining the means of securing and protecting critical systems and information against these types of occurrences.
It is a unique time in history in the sense that criminals are now using technology to their advantage. Gone are the days of traditional criminals. Technology has enabled crimes to be committed on a much greater, more sophisticated scale. This paper intends to examine three attack vectors, specifically, the different types of malware used in malicious attacks, web application attacks, and finally, network-based attacks. We will conclude by examining the means of securing and protecting critical systems and information against these types of occurrences.
Whether cyber criminals are looking to infiltrate government, business, or personal use systems, we must now more than ever remain vigilant in defending against these attacks. According to Mark Ciampa, “information security is intended to protect information that provides value to people and organization” (Ciampa, 2012, p. 12). These efforts are intended to support information security's CIA triad.
Confidentiality – the C in the CIA triad – is intended to ensure that information can only be accessed by authorized individuals. This can be done by implementing different levels of authentication, set up to ensure that “the individual is who they claim to be and not an impostor” (Ciampa, 2012, p. 13). Integrity – the I in the triad – is meant to prevent any malicious altering of data. The integrity of data can be compromised by unauthorized individuals accessing and manipulating the data, by a disgruntled employee who has authorization, or by malicious software. This could be through the introduction of malware. This malware could have unintended results such as making data unavailable, or worse.
Malware, as defined by Ciampa, is “software that enters a computer system without the user’s knowledge or consent and then performs an unwanted – and usually harmful – action” (Ciampa, 2012, p. 43). Malware is generally spread through a number of means. Viruses, for example, are contained to the system they infect. Unlike worms, viruses cannot spread to other nodes connected to the same network. Viruses can infect a system in a number of ways. They can be appended to a file so that, when it is opened, “the jump instruction redirects control to the virus” (Ciampa, 2012, p. 44). The virus essentially reproduces itself over and over again and causes such behavior as reformatting hard drives, changing and/or manipulating a system's security settings, deleting folders and files, and a host of other unauthorized activities that can wreak havoc on a system.
Worms are another common type of malware used in malicious attacks. Ciampa defines a worm as “a malicious program designed to take advantage of a vulnerability in an application or an operating system in order to enter a computer” (Ciampa, 2012, p. 48). As mentioned previously, the main distinction between a worm and a virus is that worms have the ability to traverse between nodes connected to a single network. This enables them to move from node to node, ultimately replicating themselves on every machine they are able to penetrate. These attacks are able to slow down networks, manipulate data in folders and files on systems, and have an adverse effect on system and network performance.
These viruses are often called Trojans as they are able to penetrate a system without the user knowing. They often look, feel, and perform like the intended software they are marketed as; however, they are infected with malicious code in the hope of opening a system for transmission of information to the attacker. These types of attacks are “typically executable programs that contain hidden code that launches an attack” (Ciampa, 2012, p. 49).
Other means of gaining access to a system are often also employed by malicious attackers. Rootkits, logic bombs, and backdoors are all commonly employed to gain access to a system. Similar to Trojan attacks, these are employed with the goal of concealing the attack. Backdoors are common practice for developers who intend to “access a program or device on a regular basis” (Ciampa, 2012, p. 52), but these often leave an opportunity for a malicious attacker to gain access as well.
Web-based attacks are generally used to disrupt websites, web applications, and web services. There are a number of methods used to deploy this type of attack. One of the most common types of attack against web applications is SQL injection. These attacks target relational databases by using Structured Query Language (SQL) scripts to extract or manipulate the stored data. According to the Security Intelligence website, “in 2014, SQL injections, a type of application attack, were responsible for 8.1 percent of all data breaches. That makes it the third most used type of attack, behind malware and distributed denial-of-service attacks (DDoS)” (Ionescu, 2015).
Another common type of web-based attack is XML injection. Extensible Markup Language (XML) is designed to “carrying data instead of indicating how to display it” (Ciampa, 2012, p. 89). An XML injection can cause the insertion of malicious content into the resulting output. A common type of XML injection is an XPath injection. According to the Web Application Security Consortium, “XPath Injection is an attack technique used to exploit applications that construct XPath (XML Path Language) queries from user-supplied input to query or navigate XML documents. It can be used directly by an application to query an XML document, as part of a larger operation such as applying an XSLT transformation to an XML document, or applying an XQuery to an XML document” (Auger, 2010).
Symantec defines a network attack “as an intrusion on your network infrastructure that will first analyze your environment and collect information in order to exploit the existing open ports or vulnerabilities - this may include as well unauthorized access to your resources” (Symantec, n.d.). A common method employed when launching network-based attacks is a denial of service (DoS) attack. These attacks can be executed in a myriad of fashions. For example, using a tactic called ping attacking, “a faster, more powerful computer rapidly sends a large number of ICMP echo requests, overwhelming a smaller, slower Web server computer to the extent that the server cannot respond quickly enough and will drop legitimate connections to other clients” (Ciampa, 2012, p. 97). This can also be accomplished on a larger scale by using hundreds of compromised systems (known as zombie computers) in a botnet in order to increase the number of requests on a server. This attack is known as a distributed denial of service attack, or DDoS.
While the above described methods are only a handful of tactics employed by malicious attackers, they make up the majority of how attacks are launched. However, a new form of attack is on the rise and can prove to be disastrous for almost every system user. Ransomware, as defined by Trend Micro, is “a type of malware that prevents or limits users from accessing their system. This type of malware forces its victims to pay the ransom through certain online payment methods in order to grant access to their systems, or to get their data back” (Trend Micro, n.d.). This relatively new type of attack is at the forefront of every healthcare security professional's mind. A recent Motherboard article poses a situation in which a person's pacemaker is hacked to create chest pain, afterwards receiving a text message: "Want to keep living? Pay us a ransom now, or you die" (Porup, 2015).
Now that we have examined some of these attacks, the question remains, how does an individual or organization mitigate, defend, and recover? Malware has been the main culprit in how these systems become infected. There are a number of commercial and free programs out there specifically for scanning for malware on a user’s system. These programs scan files, folders, email attachments, downloads, disks, and documents to check for anything that resembles malware. Many of these commercial grade programs come with a suite of utilities to add additional levels of security. For example, McAfee products often have additional protections built in to defend against malware, spyware, Trojans, and hacking attempts. They also incorporate anti-virus, anti-spyware, anti-phishing technologies to offer a more robust security solution. Many also include backup options to improve recovery in the event a system is compromised.
Another tactic for defending against malware attacks is ensuring that the operating system (as well as all anti-virus definitions) is up to date. Oftentimes, Microsoft releases security patches to ensure that the operating system is able to defend against different types of malware attacks. Attackers are very proactive in finding new vulnerabilities in security patches. This means that vendors of operating systems need to remain just as vigilant, if not more so, in providing their users with the most current updates to thwart these particular attacks.
Using cryptography, 64-bit Windows 7 implemented hash values “generated for the module by running its code through an algorithm. Only if the code produces the same hash value as the original code compiled by Microsoft is it loaded and run. Any deviation from the hash value means that the code must have been modified and therefore will not load” (Smith, 2012). Since rootkits hide or remove log-in records, entries, and other related processes, this additional security feature enables the system to better ensure the authenticity and integrity of the operating system. This further ensures that rootkits have a more difficult time replacing and/or modifying operating system files associated with the operating system processes.
Web application attacks are also becoming more and more prominent. Attackers utilize tools that are developed to scan web applications in order to find vulnerabilities. Many of the tools utilized by attackers and penetration testers can be found built into the Kali Linux suite. One of the tools within the Kali Linux toolset that is used to scan for web application vulnerabilities is called Grabber. According to the Kali Linux documentation, “Grabber is a web application scanner. Basically it detects some kind of vulnerabilities in your website. Grabber is simple, not fast but portable and really adaptable. This software is designed to scan small websites such as personals, forums etc. absolutely not big application: it would take too long time and flood your network.” This tool is great for developers to check and see if their systems are both vulnerable and susceptible to these types of attacks. It is interesting to observe the crossover between the white-hat and black-hat approach. Many of the tactics employed by ethical hackers mirror the techniques used by malicious ones.
When it comes to defending and protecting against SQL attacks, there are tools available that enable automated scanning for vulnerabilities. While this is only one tactic for defending against these types of attacks, these tools eliminate a lot of labor-intensive manual scanning and afford security teams more time to devote to protecting against other risks, vulnerabilities, threats, or attacks. Another tactic is to utilize a Web application firewall. These firewalls (hardware or software based) allow administrators to filter out potentially dangerous requests and to set rules accordingly. One of the most effective ways, however, is to restrict database access by assigning roles and permissions. Access control is the most cost-effective and easiest solution to defend against an unwarranted SQL injection attack. It is also prudent for developers to ensure that SQL queries cannot be constructed from user input. Lastly, it is also advisable to ensure that anywhere input can be taken, the characters are checked so that only the appropriate characters are accepted. Ciampa states that “if the message Server Failure is displayed, it means the user input is not being filtered” (Ciampa, 2012, p. 88). This is a perfect catalyst for an attacker to begin their work. This can be accomplished when an attacker uses a single or double quote in their input.
Defending against XPath injection is essentially similar to defending against SQL injection. It is imperative that the application sanitizes all user input. Specifically, the single and double quote characters should be disallowed. This is accomplished through setting rules in the web application firewall. Additionally, there are plenty of open source tools available to help facilitate this defense.
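The two preceding paragraphs, on keeping user input out of SQL queries and on disallowing quote characters in XPath input, can be illustrated with the following added example, which is not part of the original paper. The table, the XML document, the function names and the test inputs are all constructed for illustration; it uses Python's standard `sqlite3` and `xml.etree.ElementTree` modules.

```python
import re
import sqlite3
import xml.etree.ElementTree as ET

# Allow-list for the hypothetical "username" field: quotes can never pass.
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")

# Constructed sample document standing in for an XML user store.
USERS_XML = ET.fromstring(
    "<users><user name='alice' role='admin'/><user name='bob' role='user'/></users>"
)

def is_valid_username(value):
    """True only when every character is on the allow-list."""
    return USERNAME_RE.fullmatch(value) is not None

def make_db():
    """Build a constructed in-memory database with two users."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, role TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "admin"), ("bob", "user")])
    return db

def lookup_concatenated(db, name):
    """Weak form: the input becomes part of the SQL text itself."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    try:
        return db.execute(sql).fetchall()
    except sqlite3.Error:
        # A stray quote breaks the statement: the unfiltered-input signal.
        return "Server Failure"

def lookup_parameterized(db, name):
    """Corrected form: the input is bound as data and is never parsed as SQL."""
    return db.execute("SELECT name FROM users WHERE name = ?", (name,)).fetchall()

def xpath_lookup(name):
    """ElementTree has no bound parameters, so validate before building the path."""
    if not is_valid_username(name):
        return None
    node = USERS_XML.find(f".//user[@name='{name}']")
    return None if node is None else node.get("role")
```

A lone quote makes `lookup_concatenated` return "Server Failure", while `lookup_parameterized` and `xpath_lookup` return no match for the same input.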
Defending against denial of service attacks should be a major concern for all information security professionals in today’s networked environment. According to a 2014 article in Security Week Magazine, “survey respondents estimated the cost of a successful DDoS attack at $40,000 per hour. A total of 36% of respondents said the per hour cost of a DDoS attack is between $5,000 and $19,999. Others said the cost of an attack per hour is less than $5,000 (15%), between $20,000 and $59,999 (17%), between $60,000 and $99,999 (17%), and over $100,000 (15%)” (Kovacs, 2014). With these attacks on the rise, it is imperative to operations that systems are put into place to mitigate the risk of these types of attacks and minimize the costs of a successful one.
One of the best ways to protect against a DoS and a DDoS attack is to utilize a content delivery network (CDN) in order to hide an organization's network connection. Amazon Web Services (AWS) is a secure and cost-effective solution for delivering web content. Using this distributed server approach is a great way to deliver content that is both secure and highly available.
The goal of this paper was to explore different attack vectors most commonly deployed by malicious attackers. Malware, web application attacks, and network attacks seem to be the most prevalent methods of unauthorized access to users and organizations alike. Understanding the threat, learning about the tactics needed to combat them, and staying vigilant and proactive are essential to both the security and integrity of information. These tactics of securing systems are all used for continued support of confidentiality, integrity, and availability of information. It is important for all users to stay up to date with the latest efforts employed to gain access to a system and the technology and tactics available to protect against the threat.
Auger, R. (2010, January 5). XPath Injection. Retrieved December 20, 2015.
Ciampa, M. (2012). Security guide to network security fundamentals (4th ed.). Boston, Mass.: Thomson/Course Technology.
Grabber | Penetration Testing Tools. (n.d.). Retrieved December 20, 2015.
Ionescu, P. (2015, April 8). The 10 Most Common Application Attacks in Action. Retrieved December 20, 2015.
Kovacs, E. (2014, November 12). DDoS Attacks Cost $40,000 Per Hour: Incapsula | SecurityWeek.Com. Retrieved December 20, 2015.
Porup, J. (2015, November 19). Ransomware Is Coming to Medical Devices. Retrieved December 20, 2015.
Ransomware. (n.d.). Retrieved December 20, 2015.
Smith, R. (2006, May 14). Defending Against Rootkits. Retrieved December 20, 2015.
Z, S. (2013, December 12). Security 1:1 - Part 3 - Various types of network attacks. Retrieved December 20, 2015.