Course sections

Security Concepts, Lecture 1

Lesson 1: Explain common threats against on-premises and cloud environments

On-premises: viruses, trojans, DoS/DDoS attacks, phishing, rootkits, man-in-the-middle attacks, SQL injection, cross-site scripting, malware

It is crucial to understand that the global cost of malware is staggering. With cybercrime on the rise, the cost is expected to reach $6T by 2021.

Malware is taking an increasingly large toll.

The amount of monetary damage caused by cybercrimes has exponentially risen over the past two decades, surpassing $1.5T today.


The Threats Against Businesses

Viruses

A virus is a type of malware that attaches itself to another file and can replicate and spread once a user on the target machine executes it. The terms virus and malware are often used interchangeably, but they don’t mean the same thing. Malware is a broad term used to describe all sorts of unwanted and malicious code. All viruses are a form of malware, but not all malware is a virus; malware can also be spyware, a trojan, or a worm. Viruses are now a thing of the past. Worms are also rare but can’t be completely ruled out.

Trojans

A trojan or trojan horse is neither a virus nor a worm. Unlike a virus, a trojan appears as a bona fide application and requires a user action for execution. Trojans can take various forms, such as free software, music, or even legitimate-looking apps, and typically arrive when you visit shady websites, download cracked applications or unknown free programs, or fall for some other social engineering lure that takes advantage of a recent trend. For example, in late 2017, when Intel announced that most of its x86 processors were vulnerable to the Meltdown and Spectre attacks, which allowed a rogue process to read all system memory even when it was not supposed to, hackers used that panic and released fake patches (e.g., Smoke Loader), which did nothing to fix the problem but helped install a trojan.

In the most recent incidents, trojans have been used to target financial institutions with the aim of opening a permanent backdoor, which can then be used to connect to a command-and-control (C2) server, primarily for the purposes of data and identity theft.

Let’s review some of the recent statistics on the distribution of malware by type and applications.

The Threats Against Regular Users

DoS/DDoS Attacks

Denial of Service (or DoS) is a type of cyber-attack in which the attacker tries to disrupt regular traffic directed to a server, service, or even an entire network by overwhelming the target with malicious traffic. The aim is to make the service unavailable to legitimate users. Distributed DoS (or DDoS) is a type of DoS where multiple systems (often a botnet) target a single service and bombard it with traffic from various locations.

There are several types of DDoS attacks. The most prevalent form is a volume-based attack, where the target service is flooded with massive amounts of UDP or ICMP traffic. DDoS attacks can also target a protocol such as TCP by swamping the target service with SYN floods, fragmented packets, etc. The DDoS attack can also be orchestrated by exploiting a certain vulnerability within the application software stack.

One of the most recent examples of DDoS targeted GitHub, where the service was flooded with about 1.3 Tbps of traffic. The attackers didn’t use botnets but instead exploited vulnerable web servers on the internet with spoofed traffic, which in turn flooded GitHub’s servers. Despite the enormity of the traffic volume and the clever abuse of exposed memcached servers, GitHub services were impacted for only about 20 minutes.

The traffic graph below shows real-time traffic while the biggest DDoS in the history of the internet was underway.

[Traffic graph: bits per second]

Here is the list of countries hosting the largest number of DDoS weapons; China, the USA, and then Russia make up the top three.

DDoS attack stats and facts 2019

The statistics below show that large and very large DDoS attacks are on the rise.

DDoS attacks facts and stats 2019

As per A10 Networks, the top 5 BGP ASNs with infected IP addresses are located in China, Brazil, Russia, and South Korea.

  • China Unicom
  • China Telecom
  • TIM Cellular S.A. (Brazil)
  • Rostelecom (Russia)
  • Korea Telecom (South Korea)

Phishing

A phishing attack uses social engineering methods such as duping a target into opening an email or a message sent over WhatsApp or SMS. When orchestrating phishing attacks, the attacker pretends to be a trusted entity. As per the Verizon Data Breach Investigations Report, 93% of social attacks were phishing related.

It seems Dropbox, Microsoft Excel, and Google Drive are amongst the most popular click-baits.

Rootkits

Rootkits are a type of malware that remains hidden from other apps on a computer while maintaining privileged access to the OS. Rootkits aim to subvert the OS’s built-in access control by taking advantage of vulnerabilities so they can run without restrictions.

With the ability to hide and run, the attacker can use a rootkit to steal user credentials and provide a full access backdoor that can be used to install more malware. Rootkits often take the form of loadable modules or device drivers.

Man-in-the-Middle (MiTM) Attacks

Man-in-the-Middle (or MiTM) is a type of attack where a perpetrator listens for and alters messages between two parties who believe they are securely communicating with each other. It is a form of active eavesdropping. Most cryptographic protocols use some form of mutual endpoint authentication to prevent MiTM attacks. Notable instances of MiTM include Comcast injecting JavaScript code into third-party web pages with the aim of showing its own ads and messages, and the NSA’s impersonation of Google.

SQL Injection (SQLI)

SQL injection is a type of attack that uses malicious SQL code against a web backend database to get access to information that was not supposed to be displayed. An attacker manipulates a standard SQL query by exploiting non-validated inputs to the database.

Let’s say we want to display a specific product, such as the SCOR course (product #5), from the CCIEin8Weeks.com course catalog. In order to accomplish our goal, we browse to the following URL.

https://www.cciein8weeks.com/courses/courses.asp?courseid=5

Behind the scenes, the web server executes the following SQL query to pull SCOR course information.

SELECT CourseName, CourseDescription
FROM Courses
WHERE CourseNumber = 5

Now, let’s say we purposefully modify our URL to the following.

https://www.cciein8weeks.com/courses/courses.asp?courseid=5or3=3

If successful, the corresponding SQL query would look like the following.

SELECT CourseName, CourseDescription
FROM Courses
WHERE CourseNumber = 5 OR 3=3

Since 3 is always equal to 3, the OR clause always resolves to TRUE, so the query may return course information for all of the published, and even unpublished or hidden, courses.

To take this to the next level, an attacker may attempt to delete the entire User database by appending a semicolon and a “DROP TABLE USERS” to the end of the URL.

You can protect against SQLI attacks by validating or sanitizing input to your SQL database. You may also use a web application firewall (or WAF) to filter out malicious SQL queries.
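The walk-through above, worked as an added example that is not part of the original course material or of CCIEin8Weeks.com: the courses.asp lookup is modelled against a constructed in-memory SQLite catalog, with the string-concatenated query beside a hardened version that validates the course id and binds it as a query parameter (parameterised queries are a technique added here; the text names input validation and a WAF).

```python
import sqlite3

# Constructed sample catalog; stands in for the CCIEin8Weeks.com Courses table.
SAMPLE_COURSES = [
    (5, "SCOR", "Implementing and Operating Cisco Security Core Technologies"),
    (6, "SVPN", "Implementing Secure Solutions with Virtual Private Networks"),
    (7, "Hidden draft", "Unpublished course that should never be listed"),
]


def build_catalog():
    """Create an in-memory SQLite database holding the constructed catalog."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE Courses (CourseNumber INTEGER, CourseName TEXT, CourseDescription TEXT)"
    )
    conn.executemany("INSERT INTO Courses VALUES (?, ?, ?)", SAMPLE_COURSES)
    return conn


def lookup_vulnerable(conn, courseid):
    """The pattern behind courses.asp: the raw courseid is pasted into the SQL text."""
    sql = f"SELECT CourseName, CourseDescription FROM Courses WHERE CourseNumber = {courseid}"
    return conn.execute(sql).fetchall()


def is_valid_courseid(courseid):
    """Input validation: a course id is a plain positive integer, nothing else."""
    return courseid.isdigit() and int(courseid) > 0


def lookup_parameterised(conn, courseid):
    """Hardened form: the driver binds courseid as data, so it is never parsed as SQL."""
    sql = "SELECT CourseName, CourseDescription FROM Courses WHERE CourseNumber = ?"
    return conn.execute(sql, (courseid,)).fetchall()


def lookup_safe(conn, courseid):
    """Validate first, then bind: rejects anything that is not an integer id."""
    if not is_valid_courseid(courseid):
        raise ValueError(f"rejected courseid: {courseid!r}")
    return lookup_parameterised(conn, int(courseid))


if __name__ == "__main__":
    db = build_catalog()
    print(lookup_vulnerable(db, "5"))            # one row: SCOR
    print(lookup_vulnerable(db, "5 OR 3=3"))     # all three rows, hidden draft included
    print(lookup_parameterised(db, "5 OR 3=3"))  # no rows: the text is compared as a value
    print(lookup_safe(db, "5"))                  # one row: SCOR
```

The validation check is what a WAF rule or server-side filter would enforce; the parameter binding is what makes the query safe even when the check is missed.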

Cross-site Scripting (XSS)

Cross-site Scripting (or XSS) attacks are a type of injection attack in which an attacker injects malicious code in the form of client-side scripts, which can then be executed in the browsers of other users viewing the page. An XSS vulnerability allows attackers to bypass safety controls such as the same-origin policy.

There are three types of XSS attacks.

  • Reflected XSS, where the malicious script is contained within the current HTTP transaction. It is a server-side attack.
  • Stored XSS, where the malicious script comes from within the webserver’s database. It is a server-side attack.
  • DOM-based XSS, where the vulnerability lies in the front-end or client-side software.

Cross-Site Scripting (or XSS) is by far the most popular type of attack.

Figure 12. Vulnerabilities allowing attacks against users

Malware

Malicious software (or malware) is any software that was written with the malicious intent of damaging, stealing, or extorting. Viruses, trojans, spyware, ransomware, and rootkits are all different forms of malware.

Malware has increased exponentially over the past decade.

Cloud: data breaches, insecure APIs, DoS/DDoS, compromised credentials

Data Breaches

Cloud data breaches are more often the result of human error than of a software vulnerability exploited by hackers. Regardless of the cause, data breaches are costly. Each breach negatively impacts customer trust, and that leads to loss of business. As per an IBM report published in 2019, the average global cost of a data breach has risen to $4M. The US has the highest average cost, pegged at about $8.19M, and the healthcare sector has the highest average cost of any industry at $6.45M. Over the past ten years, Microsoft, LinkedIn, Dropbox, and Yahoo have all witnessed data breaches involving user account information.

Insecure APIs

Cloud service providers offer APIs to software developers so they can interface with the cloud services. Cloud APIs are mostly based on REST and SOAP frameworks. In addition to cloud APIs, there can also be open APIs as well as vendor-specific APIs that help manage various infrastructure resources inside the cloud.

API security is more than just access control, since APIs are used to transfer data to and from your cloud resources. Thus, API security is key to protecting data security and privacy, preventing data leakage, and preserving data integrity. The OWASP Top 10 vulnerability report also notes the importance of API security.

DoS/DDoS

The primary goal of a DoS/DDoS attack remains the same regardless of where the data and resources are placed, on-premises or in the cloud. We discussed the GitHub DDoS before; however, cloud DoS/DDoS attacks have also been carried out against Cloudflare, Spamhaus, and various US banks over the past few years.

Compromised Credentials

Credentials are compromised on a regular basis, and the worst part is that more than half of companies cannot even detect compromised credentials. Let me share with you some of the recent hacks where user or account information was stolen.

Year Breach Occurred   Organization   No. of Accounts/Records Compromised
2007                   TJ Maxx        94M
2010                   Sony PSN       77M
2013                   Evernote       50M
2014                   eBay           145M
2014                   Home Depot     56M
2014                   JPMC           76M
2015                   Anthem         80M