Introduction to Cybersecurity

This document categorizes and describes common security vulnerabilities and types of malware. It discusses buffer overflows, non-validated input, race conditions, weaknesses in security practices, and access control problems as categories of vulnerabilities. It then describes common types of malware like spyware, adware, bots, ransomware, scareware, rootkits, viruses, Trojan horses, and worms. Finally, it discusses social engineering attacks, password cracking techniques, phishing, and vulnerability exploitation.

Uploaded by Mihaela

Introduction to Cybersecurity

Chapter 2

Categorizing Security Vulnerabilities

Buffer overflow – This vulnerability occurs when data is written beyond the limits of a buffer. Buffers are memory areas
allocated to an application. By changing data beyond the boundaries of a buffer, the application accesses memory
allocated to other processes. This can lead to a system crash, data compromise, or provide escalation of privileges.

Non-validated input – Programs often work with data input. This data coming into the program could have malicious
content, designed to force the program to behave in an unintended way. Consider a program that receives an image for
processing. A malicious user could craft an image file with invalid image dimensions. The maliciously crafted dimensions
could force the program to allocate buffers of incorrect and unexpected sizes.
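To make the two vulnerabilities above concrete, here is an added C example, not part of the original course material, written from the defensive side: a decoder that validates constructed image-header dimensions before computing an allocation size, beside an unchecked copy and its bounded replacement. The header layout, the limits MAX_DIMENSION and MAX_PIXELS, and all function names are assumptions made for this illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed header fields, as an image decoder would read them from an
   untrusted file. Nothing here is trusted until it has been checked. */
typedef struct {
    uint32_t width;
    uint32_t height;
    uint32_t bytes_per_pixel;
} image_header;

/* Hypothetical policy limits: the largest image this decoder will handle.
   Capping the factors keeps width * height * bytes_per_pixel well below the
   point where a 32-bit size_t would wrap around. */
#define MAX_DIMENSION   32768u          /* 2^15 pixels per side */
#define MAX_PIXELS      (1u << 28)      /* 2^28 pixels, so <= 2^30 bytes at 4 bpp */

/* Returns 0 and stores the pixel-buffer size in *out_bytes, or -1 if the header
   is rejected. Every check runs before the arithmetic it protects, so a crafted
   header cannot yield a buffer smaller than the data later copied into it. */
int validate_image_size(const image_header *h, size_t *out_bytes)
{
    if (h->width == 0 || h->height == 0)                         return -1;
    if (h->bytes_per_pixel == 0 || h->bytes_per_pixel > 4)       return -1;
    if (h->width > MAX_DIMENSION || h->height > MAX_DIMENSION)   return -1;

    uint64_t pixels = (uint64_t)h->width * h->height;   /* cannot overflow 64 bits */
    if (pixels > MAX_PIXELS)                              return -1;

    *out_bytes = (size_t)(pixels * h->bytes_per_pixel);  /* <= 2^30, fits size_t */
    return 0;
}

/* The unsafe pattern: the copy length comes from the sender's own length field,
   so a claimed length larger than the destination writes past its end. */
void copy_pixels_unsafe(uint8_t *dst, const uint8_t *src, size_t claimed_len)
{
    memcpy(dst, src, claimed_len);   /* overflow whenever claimed_len > capacity of dst */
}

/* The bounded pattern: the destination capacity, never the claimed length, limits
   the copy. The byte count is returned so the caller can detect truncation and
   reject the file rather than silently process a partial image. */
size_t copy_pixels_bounded(uint8_t *dst, size_t dst_capacity,
                           const uint8_t *src, size_t claimed_len)
{
    size_t n = claimed_len < dst_capacity ? claimed_len : dst_capacity;
    memcpy(dst, src, n);
    return n;
}

int main(void)
{
    /* Constructed headers: one plausible, one crafted to force a huge allocation. */
    image_header ok      = { 640, 480, 3 };
    image_header crafted = { 0xFFFFFFFFu, 0xFFFFFFFFu, 4 };
    size_t bytes = 0;

    printf("640x480x3 -> %s (%zu bytes)\n",
           validate_image_size(&ok, &bytes) == 0 ? "accepted" : "rejected", bytes);
    printf("crafted   -> %s\n",
           validate_image_size(&crafted, &bytes) == 0 ? "accepted" : "rejected");

    uint8_t buf[8] = {0};
    uint8_t data[16] = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16};
    printf("bounded copy wrote %zu of %d claimed bytes\n",
           copy_pixels_bounded(buf, sizeof buf, data, sizeof data), (int)sizeof data);
    return 0;
}
```

The order of the checks matters: the per-dimension caps are applied before the multiplication, so the product is bounded by construction rather than checked after a wrap could already have happened.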

Race conditions – This vulnerability occurs when the outcome of an operation depends on the order or timing of
other events. A race condition becomes a source of vulnerability when the required events do not occur in the
expected order or with the expected timing.
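The classic security instance of a race condition is a time-of-check to time-of-use (TOCTOU) bug on the filesystem. The following C example is added here and is not from the original text; it contrasts a check-then-open sequence with a single open() that refuses symbolic links and then inspects the opened descriptor. The temporary directory, file names and function names are constructed for the demonstration, and it assumes a POSIX (glibc) system.

```c
#define _GNU_SOURCE               /* for mkdtemp(), symlink(), O_NOFOLLOW on glibc */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Vulnerable sequence: the check (access) and the use (open) are two separate
   system calls on a *path*. Anything that changes what the path points to in
   between, for example swapping the file for a symbolic link, wins the race,
   and the program reads a file it never checked. */
int open_check_then_use(const char *path)
{
    if (access(path, R_OK) != 0)          /* time of check */
        return -1;
    return open(path, O_RDONLY);          /* time of use: path may now be a link */
}

/* Safer sequence: a single open() with O_NOFOLLOW refuses a symbolic link in the
   final path component, and the properties are checked with fstat() on the
   descriptor, so they describe the object that was actually opened. */
int open_regular_nofollow(const char *path)
{
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return -1;
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Constructed fixture: a regular file and a symlink to it inside a fresh
   temporary directory. Returns 1 when the safe opener accepts the file and
   rejects the link while the check-then-use version follows the link. */
int run_demo(void)
{
    char dir[] = "/tmp/toctou-demo-XXXXXX";
    if (mkdtemp(dir) == NULL)
        return -1;

    char file_path[64], link_path[64];
    snprintf(file_path, sizeof file_path, "%s/data.txt", dir);
    snprintf(link_path, sizeof link_path, "%s/link", dir);

    FILE *f = fopen(file_path, "w");
    if (f == NULL)
        return -1;
    fputs("constructed contents\n", f);
    fclose(f);
    if (symlink(file_path, link_path) != 0)
        return -1;

    int fd_file  = open_regular_nofollow(file_path);   /* expected: >= 0 */
    int fd_link  = open_regular_nofollow(link_path);   /* expected: -1 (ELOOP) */
    int fd_naive = open_check_then_use(link_path);     /* expected: >= 0, link followed */

    int ok = (fd_file >= 0) && (fd_link < 0) && (fd_naive >= 0);

    if (fd_file >= 0)  close(fd_file);
    if (fd_naive >= 0) close(fd_naive);
    unlink(link_path);
    unlink(file_path);
    rmdir(dir);
    return ok;
}

int main(void)
{
    printf("safe opener rejects the symlink, naive opener follows it: %s\n",
           run_demo() == 1 ? "yes" : "no");
    return 0;
}
```

The point to take away is that the decision and the action operate on the same descriptor in the safe version; there is no window in which the path can be re-pointed between them.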

Weaknesses in security practices – Systems and sensitive data can be protected through techniques such as
authentication, authorization, and encryption. Developers should not attempt to create their own security algorithms
because doing so will likely introduce vulnerabilities. It is strongly advised that developers use security libraries that
have already been created, tested, and verified.

Access-control problems – Access control is the process of controlling who does what and ranges from managing
physical access to equipment to dictating who has access to a resource, such as a file, and what they can do with it, such
as read or change the file. Many security vulnerabilities are created by the improper use of access controls.

Nearly all access controls and security practices can be overcome if the attacker has physical access to target equipment.
For example, no matter what you set a file’s permissions to, the operating system cannot prevent someone from
bypassing the operating system and reading the data directly off the disk. To protect the machine and the data it
contains, physical access must be restricted and encryption techniques must be used to protect data from being stolen
or corrupted.

Types of Malware

Spyware – This malware is designed to track and spy on the user. Spyware often includes activity trackers, keystroke
collection, and data capture. In an attempt to overcome security measures, spyware often modifies security settings.
Spyware often bundles itself with legitimate software or with Trojan horses.

Adware – Advertising supported software is designed to automatically deliver advertisements. Adware is often installed
with some versions of software. Some adware is designed to only deliver advertisements but it is also common for
adware to come with spyware.

Bot – From the word robot, a bot is malware designed to automatically perform actions, usually online. While most bots
are harmless, one increasing use of malicious bots is in botnets. Several computers are infected with bots which are
programmed to quietly wait for commands provided by the attacker.

Ransomware – This malware is designed to hold a computer system or the data it contains captive until a payment is
made. Ransomware usually works by encrypting data in the computer with a key unknown to the user. Some other
versions of ransomware can take advantage of specific system vulnerabilities to lock down the system. Ransomware is
spread by a downloaded file or some software vulnerability.

Scareware – This is a type of malware designed to persuade the user to take a specific action based on fear. Scareware
forges pop-up windows that resemble operating system dialogue windows. These windows convey forged messages
stating the system is at risk or needs the execution of a specific program to return to normal operation. In reality, no
problems were assessed or detected, and if the user agrees and allows the named program to execute, his or her
system will be infected with malware.

Rootkit – This malware is designed to modify the operating system to create a backdoor. Attackers then use the
backdoor to access the computer remotely. Most rootkits take advantage of software vulnerabilities to perform privilege
escalation and modify system files. It is also common for rootkits to modify system forensics and monitoring tools,
making them very hard to detect. Often, a computer infected by a rootkit must be wiped and reinstalled.

Virus - A virus is malicious executable code that is attached to other executable files, often legitimate programs. Most
viruses require end-user activation and can activate at a specific time or date. Viruses can be harmless and simply display
a picture or they can be destructive, such as those that modify or delete data. Viruses can also be programmed to
mutate to avoid detection. Most viruses are now spread by USB drives, optical disks, network shares, or email.

Trojan horse - A Trojan horse is malware that carries out malicious operations under the guise of a desired operation.
This malicious code exploits the privileges of the user that runs it. Often, Trojans are found in image files, audio files or
games. A Trojan horse differs from a virus because it binds itself to non-executable files.

Worms – Worms are malicious code that replicate themselves by independently exploiting vulnerabilities in networks.
Worms usually slow down networks. Whereas a virus requires a host program to run, worms can run by themselves.
Other than the initial infection, they no longer require user participation. After a host is infected, the worm is able to
spread very quickly over the network. Worms share similar patterns. They all have an enabling vulnerability, a way to
propagate themselves, and they all contain a payload.

Worms are responsible for some of the most devastating attacks on the Internet. In 2001 the Code Red worm had
infected 658 servers. Within 19 hours, the worm had infected over 300,000 servers.

Man-In-The-Middle (MitM) – MitM allows the attacker to take control over a device without the user’s knowledge. With
that level of access, the attacker can intercept and capture user information before relaying it to its intended
destination. MitM attacks are widely used to steal financial information. Many kinds of malware and many techniques
exist to provide attackers with MitM capabilities.

Man-In-The-Mobile (MitMo) – A variation of man-in-the-middle, MitMo is a type of attack used to take control over a
mobile device. When infected, the mobile device can be instructed to exfiltrate user-sensitive information and send it to
the attackers. ZeuS, an example of an exploit with MitMo capabilities, allows attackers to quietly capture 2-step
verification SMS messages sent to users.

Types of social engineering attacks

Pretexting - This is when an attacker calls an individual and lies to them in an attempt to gain access to privileged data.
An example involves an attacker who pretends to need personal or financial data in order to confirm the identity of the
recipient.

Tailgating - This is when an attacker quickly follows an authorized person into a secure location.

Something for Something (Quid pro quo) - This is when an attacker requests personal information from a party in
exchange for something, like a free gift.

Techniques used in password cracking

Social engineering – The attacker manipulates a person who knows the password into providing it.

Brute-force attacks – The attacker tries several possible passwords in an attempt to guess the password. If the password
is a 4-digit number, for example, the attacker would have to try every one of the 10000 combinations. Brute-force
attacks usually involve a word-list file. This is a text file containing a list of words taken from a dictionary. A program then
tries each word and common combinations. Because brute-force attacks take time, complex passwords take much
longer to guess. A few password brute-force tools include Ophcrack, L0phtCrack, THC Hydra, RainbowCrack, and
Medusa.
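The 10000-combination figure above, and the defensive response to guessing, can both be put into code. This C example is added here and is not taken from the page or from any of the tools it names; it computes the size of a guessing space with an overflow check and simulates a server-side lockout policy against a constructed stream of wrong guesses. The throttle parameters and all function names are assumptions.

```c
#include <stdint.h>
#include <stdio.h>

/* Number of candidate passwords of exactly `length` symbols drawn from an
   alphabet of `alphabet_size` symbols. Returns 0 if the count does not fit in
   64 bits, so a caller never mistakes an overflowed value for a small space. */
uint64_t keyspace(uint64_t alphabet_size, unsigned length)
{
    uint64_t total = 1;
    for (unsigned i = 0; i < length; i++) {
        if (alphabet_size != 0 && total > UINT64_MAX / alphabet_size)
            return 0;
        total *= alphabet_size;
    }
    return total;
}

/* Seconds needed to try every candidate at a given guessing rate. */
double seconds_to_exhaust(uint64_t candidates, double guesses_per_second)
{
    return (double)candidates / guesses_per_second;
}

/* Server-side throttle: after `max_failures` wrong guesses inside `window_s`
   seconds, refuse further attempts until `lock_s` seconds have passed. This is
   what stretches a 10000-guess online search from minutes into days. */
typedef struct {
    unsigned failures;
    double   window_start;
    double   locked_until;
    unsigned max_failures;
    double   window_s;
    double   lock_s;
} login_throttle;

void throttle_init(login_throttle *t, unsigned max_failures, double window_s, double lock_s)
{
    t->failures = 0;
    t->window_start = 0;
    t->locked_until = 0;
    t->max_failures = max_failures;
    t->window_s = window_s;
    t->lock_s = lock_s;
}

/* 1 if an attempt may proceed at time `now`, 0 if the account is locked. */
int throttle_allows(const login_throttle *t, double now)
{
    return now >= t->locked_until;
}

/* Record a failed attempt; returns 1 if this failure triggered a lockout. */
int throttle_record_failure(login_throttle *t, double now)
{
    if (t->failures == 0 || now - t->window_start > t->window_s) {
        t->failures = 0;              /* start a fresh counting window */
        t->window_start = now;
    }
    t->failures++;
    if (t->failures >= t->max_failures) {
        t->locked_until = now + t->lock_s;
        t->failures = 0;
        return 1;
    }
    return 0;
}

/* Constructed scenario: `attempts` wrong guesses arrive one per second.
   Returns how many of them the throttle actually lets through. */
unsigned simulate_online_guessing(unsigned attempts, unsigned max_failures,
                                  double window_s, double lock_s)
{
    login_throttle t;
    throttle_init(&t, max_failures, window_s, lock_s);
    unsigned allowed = 0;
    for (unsigned i = 0; i < attempts; i++) {
        double now = (double)i;
        if (!throttle_allows(&t, now))
            continue;
        allowed++;
        throttle_record_failure(&t, now);   /* every guess in this scenario is wrong */
    }
    return allowed;
}

int main(void)
{
    printf("4-digit PIN: %llu candidates\n", (unsigned long long)keyspace(10, 4));
    printf("8 chars, 62 symbols: %llu candidates, %.1f days at 1e9 guesses/s offline\n",
           (unsigned long long)keyspace(62, 8),
           seconds_to_exhaust(keyspace(62, 8), 1e9) / 86400.0);
    printf("online, 5 failures per minute then 15 min lockout: %u guesses allowed in an hour\n",
           simulate_online_guessing(3600, 5, 60.0, 900.0));
    return 0;
}
```

The two halves show the two levers a defender controls: the keyspace (password length and alphabet) governs offline cracking of a captured hash, while the throttle governs online guessing against a live login, where the attacker's rate is whatever the server permits.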

Network sniffing – By listening and capturing packets sent on the network, an attacker may be able to discover the
password if the password is being sent unencrypted (in plain text). If the password is encrypted, the attacker may still be
able to reveal it by using a password cracking tool.

Phishing is when a malicious party sends a fraudulent email disguised as being from a legitimate, trusted source. The
message intent is to trick the recipient into installing malware on their device, or into sharing personal or financial
information. An example of phishing is an email forged to look like it was sent by a retail store asking the user to click a
link to claim a prize. The link may go to a fake site asking for personal information, or it may install a virus.

Spear phishing is a highly targeted phishing attack. While phishing and spear phishing both use emails to reach the
victims, spear phishing emails are customized to a specific person. The attacker researches the target’s interests before
sending the email. For example, an attacker learns the target is interested in cars, and has been looking to buy a specific
model of car. The attacker joins the same car discussion forum where the target is a member, forges a car sale offering
and sends email to the target. The email contains a link for pictures of the car. When the target clicks on the link,
malware is installed on the target’s computer.

Vulnerability exploitation

Exploiting vulnerabilities is another common method of infiltration. Attackers will scan computers to gain information
about them. Below is a common method for exploiting vulnerabilities:

Step 1. Gather information about the target system. This could be done in many different ways such as a port scanner or
social engineering. The goal is to learn as much as possible about the target computer.

Step 2. One of the pieces of relevant information learned in step 1 might be the operating system, its version, and a list
of services running on it.

Step 3. When the target’s operating system and version is known, the attacker looks for any known vulnerabilities
specific to that version of OS or other OS services.

Step 4. When a vulnerability is found, the attacker looks for a previously written exploit to use. If no exploits have been
written, the attacker may consider writing an exploit.

Advanced Persistent Threats

One way in which infiltration is achieved is through advanced persistent threats (APTs). They consist of a multi-phase,
long term, stealthy and advanced operation against a specific target. Due to its complexity and the skill level required, an
APT is usually well funded. An APT targets organizations or nations for business or political reasons.

Usually related to network-based espionage, an APT’s purpose is to deploy customized malware on one or multiple of the
target’s systems and remain undetected. With multiple phases of operation and several customized types of malware
that affect different devices and perform specific functions, an individual attacker often lacks the skill-set, resources or
persistence to carry out APTs.

Denial-of-Service (DoS) attacks are a type of network attack. A DoS attack results in some sort of interruption of network
service to users, devices, or applications. There are two major types of DoS attacks:

Overwhelming Quantity of Traffic - This is when a network, host, or application is sent an enormous quantity of data at a
rate which it cannot handle. This causes a slowdown in transmission or response, or a crash of a device or service.

Maliciously Formatted Packets - This is when a maliciously formatted packet is sent to a host or application and the
receiver is unable to handle it. For example, an attacker forwards packets containing errors that cannot be identified by
the application, or forwards improperly formatted packets. This causes the receiving device to run very slowly or crash.
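One standard defence against the first type, an overwhelming quantity of traffic, is per-source rate limiting. The token-bucket limiter below in C is an added example and not part of the original text; the bucket parameters and the constructed flood are assumptions for illustration.

```c
#include <stdio.h>

/* Per-source token bucket: `capacity` is the burst allowed, `rate` tokens per
   second is the sustained packet rate. Each accepted packet costs one token. */
typedef struct {
    double tokens;
    double capacity;
    double rate;
    double last_update;
} token_bucket;

void bucket_init(token_bucket *b, double capacity, double rate, double now)
{
    b->tokens = capacity;       /* a fresh source may burst up to `capacity` */
    b->capacity = capacity;
    b->rate = rate;
    b->last_update = now;
}

/* Returns 1 if the packet arriving at `now` is accepted, 0 if it is dropped.
   Dropping costs O(1) and allocates nothing; the limiter has to be cheaper
   than the work it protects, or the flood simply moves to the limiter. */
int bucket_accept(token_bucket *b, double now)
{
    double elapsed = now - b->last_update;
    if (elapsed > 0) {
        b->tokens += elapsed * b->rate;          /* refill for time passed */
        if (b->tokens > b->capacity)
            b->tokens = b->capacity;             /* never bank more than a burst */
        b->last_update = now;
    }
    if (b->tokens >= 1.0) {
        b->tokens -= 1.0;
        return 1;
    }
    return 0;
}

/* Constructed flood: `count` packets from one source all arriving at time `t`.
   Returns how many of them the bucket lets through. */
unsigned flood_accepted(token_bucket *b, unsigned count, double t)
{
    unsigned accepted = 0;
    for (unsigned i = 0; i < count; i++)
        accepted += bucket_accept(b, t);
    return accepted;
}

int main(void)
{
    token_bucket b;
    bucket_init(&b, 10.0, 5.0, 0.0);   /* burst of 10, then 5 packets per second */
    printf("t=0s: %u of 1000 flood packets accepted\n", flood_accepted(&b, 1000, 0.0));
    printf("t=1s: %u of 1000 flood packets accepted\n", flood_accepted(&b, 1000, 1.0));
    printf("t=3s: %u of 3 normal packets accepted\n",   flood_accepted(&b, 3, 3.0));
    return 0;
}
```

Whatever the flood's size, the source receives at most `capacity` packets of service up front and `rate` per second after that, so the cost of the attack to the protected service is bounded by the limiter's parameters rather than by the attacker's bandwidth.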

A Distributed DoS Attack (DDoS) is similar to a DoS attack but originates from multiple, coordinated sources. As an
example, a DDoS attack could proceed as follows: An attacker builds a network of infected hosts, called a botnet. The
infected hosts are called zombies. The zombies are controlled by handler systems. The zombie computers constantly
scan and infect more hosts, creating more zombies. When ready, the hacker instructs handler systems to make the
botnet of zombies carry out a DDoS attack.

SEO, short for Search Engine Optimization, is a set of techniques used to improve a website’s ranking by a search engine.
While many legitimate companies specialize in optimizing websites to better position them, a malicious user could use
SEO to make a malicious website appear higher in search results. This technique is called SEO poisoning. The most
common goal of SEO poisoning is to increase traffic to malicious sites that may host malware or perform social
engineering. To force a malicious site to rank higher in search results, attackers take advantage of popular search terms.
