James Cook University, Brisbane
Table of Contents
Abstract
INTRODUCTION
WHAT IS CYBER SECURITY?
TYPES OF CYBERATTACKS
1. Denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks
TCP SYN flood attack
Teardrop attack
Smurf attack
Ping of death attack
Botnets
2. Man-in-the-middle (MitM) attack
Session hijacking
IP Spoofing
Replay
3. Phishing and spear phishing attacks
4. Drive-by attack
5. Password attack
6. SQL injection attack
7. Cross-site scripting (XSS) attack
8. Eavesdropping attack
9. Birthday attack
10. Malware attack
TYPES OF CYBER SECURITY
References
Abstract
Data is your most valuable, and most vulnerable, asset.
INTRODUCTION
As our daily lives become more and more dependent on Internet-based tools and services, and as those platforms accumulate more of our most sensitive data, the demand grows for experts in the field of cybersecurity.
WHAT IS CYBER SECURITY?
Cybersecurity is the practice of protecting systems, networks, and programs from digital attacks. These attacks are usually aimed at accessing, changing, or destroying sensitive information; extorting money from users; or interrupting normal business processes.
Implementing effective cybersecurity measures is particularly challenging today because there are more devices than people, and attackers are becoming more innovative (CISCO, 2017).
TYPES OF CYBERATTACKS
1. Denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks
A denial-of-service attack overwhelms a system’s resources so that it cannot respond to service requests. A DDoS attack is also an attack on a system’s resources, but it is launched from a large number of other host machines that are infected by malicious software controlled by the attacker.
There are different types of DoS and DDoS attacks.
TCP SYN flood attack
An attacker exploits the use of the buffer space during a Transmission Control Protocol (TCP) session initialization handshake. The attacker’s device floods the target system’s small in-process queue with connection requests, but it does not respond when the target system replies to those requests. This causes the target system to time out while waiting for the response, and the system crashes or becomes unusable when the connection queue fills up.
Solutions: Place servers behind a firewall configured to stop inbound SYN packets. Increase the size of the connection queue and decrease the timeout on open connections.
Teardrop attack
This attack causes the length and fragmentation offset fields in sequential Internet Protocol (IP) packets to overlap one another on the attacked host; the attacked system attempts to reconstruct packets during the process but fails. The target system then becomes confused and crashes.
Solution: Disable SMBv2 and block ports 139 and 445.
Smurf attack
This attack involves using IP spoofing and the ICMP to saturate a target network with traffic. This attack method uses ICMP echo requests targeted at broadcast IP addresses. These ICMP requests originate from a spoofed “victim” address. For instance, if the intended victim address is 10.0.0.10, the attacker would spoof an ICMP echo request from 10.0.0.10 to the broadcast address 10.255.255.255. This request would go to all IPs in the range, with all the responses going back to 10.0.0.10, overwhelming the network. This process is repeatable, and can be automated to generate huge amounts of network congestion.
Solution: Disable IP-directed broadcasts at the routers. This will stop the ICMP echo broadcast requests at the network devices. Another option would be to configure the end systems so that they do not respond to ICMP packets sent to broadcast addresses.
Ping of death attack
This attack uses IP packets to ping a target system with an IP size over the maximum of 65,535 bytes. IP packets of this size are not allowed, so the attacker fragments the IP packet. Once the target system reassembles the packet, it can experience buffer overflows and other crashes.
Solution: This attack can be blocked by using a firewall that checks fragmented IP packets against the maximum size.
Botnets
A botnet is a network of devices that has been infected with malicious software, such as a virus. Attackers can control a botnet as a group without the owners’ knowledge with the goal of increasing the magnitude of their attacks (Cisco, n.d.). These bots or zombie systems are used to carry out attacks against the target systems, often overwhelming the target system’s bandwidth and processing capabilities. These DDoS attacks are difficult to trace because the bots are located in differing geographic locations.
2. Man-in-the-middle (MitM) attack
A MitM attack occurs when a hacker inserts itself between the communications of a client and a server. Below are the common types:
Session hijacking
An attacker hijacks a session between a trusted client and network server. The attacking computer substitutes its IP address for the trusted client while the server continues the session, believing it is communicating with the client. For instance, the attack might unfold like this:
A client connects to a server.
The attacker’s computer gains control of the client.
The attacker’s computer disconnects the client from the server.
The attacker’s computer replaces the client’s IP address with its own IP address and spoofs the client’s sequence numbers.
The attacker’s computer continues dialog with the server and the server believes it is still communicating with the client.
IP Spoofing
IP spoofing is used by an attacker to convince a system that it is communicating with a known, trusted entity and provide the attacker with access to the system. The attacker sends a packet with the IP source address of a known, trusted host instead of its own IP source address to a target host. The target host might accept the packet and act upon it.
Replay
A replay attack occurs when an attacker intercepts and saves old messages and then tries to send them later, impersonating one of the participants. This type can be easily countered with session timestamps or a nonce (a random number or a string that changes with time).
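The timestamp-plus-nonce countermeasure described above, written out as an added example (not code from the original page). It assumes a shared key so that an HMAC binds the nonce and timestamp to the message; the key, the 30-second window and the message contents are constructed for the demo.

```python
import hashlib
import hmac
import json
import secrets
import time

# Constructed demo key shared by sender and receiver (not from the original page).
SHARED_KEY = b"demo-shared-key-not-for-real-use"
MAX_SKEW_SECONDS = 30   # how old a message may be before it is rejected outright


def make_message(payload, key=SHARED_KEY, now=None, nonce=None):
    """Sender side: attach a timestamp and a fresh random nonce, then an HMAC over
    all three fields so the receiver can tell none of them were altered."""
    body = {
        "payload": payload,
        "ts": int(now if now is not None else time.time()),
        "nonce": nonce or secrets.token_hex(16),
    }
    canonical = json.dumps(body, sort_keys=True).encode()
    body["mac"] = hmac.new(key, canonical, hashlib.sha256).hexdigest()
    return body


class ReplayGuard:
    """Receiver side: a saved message sent again is rejected either because its
    timestamp has fallen outside the window or because its nonce was already seen."""

    def __init__(self, key=SHARED_KEY, max_skew=MAX_SKEW_SECONDS):
        self.key = key
        self.max_skew = max_skew
        self.seen = {}   # nonce -> timestamp; entries older than the window are dropped

    def _prune(self, now):
        self.seen = {n: t for n, t in self.seen.items() if now - t <= self.max_skew}

    def accept(self, msg, now=None):
        now = int(now if now is not None else time.time())
        body = {k: v for k, v in msg.items() if k != "mac"}
        canonical = json.dumps(body, sort_keys=True).encode()
        expected = hmac.new(self.key, canonical, hashlib.sha256).hexdigest()
        # Check integrity first: otherwise an attacker could swap in a fresh nonce.
        if not hmac.compare_digest(expected, msg.get("mac", "")):
            return "rejected: bad mac"
        if abs(now - body["ts"]) > self.max_skew:
            return "rejected: stale timestamp"
        self._prune(now)
        if body["nonce"] in self.seen:
            return "rejected: replayed nonce"
        self.seen[body["nonce"]] = body["ts"]
        return "accepted"
```

The nonce cache only needs to remember nonces for as long as the timestamp window, which is what keeps its size bounded.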
3. Phishing and spear phishing attacks
This attack involves impersonating a trusted source and sending emails to gain personal information or to influence the user to do something. It combines social engineering and technical trickery. It could involve an attachment to an email that loads malware onto your computer. It could also be a link to an illegitimate website that can trick you into downloading malware or handing over your personal information.
Spear phishing is a very targeted type of phishing activity. Attackers take the time to conduct research into targets and create messages that are personal and relevant. Because of this, spear phishing can be very hard to identify and even harder to defend against. One of the simplest ways that a hacker can conduct a spear phishing attack is email spoofing, which is when the information in the “From” section of the email is falsified, making it appear as if it is coming from someone you know, such as your management or your partner company. Another technique that scammers use to add credibility to their story is website cloning — they copy legitimate websites to fool you into entering personally identifiable information (PII) or login credentials.
To reduce the risk of being phished, you can use these techniques:
Critical thinking — Do not accept that an email is the real deal just because you’re busy or stressed or you have 150 other unread messages in your inbox. Stop for a minute and analyze the email.
Hovering over the links — Move your mouse over the link, but do not click it! Just let your mouse cursor hover over the link and see where it would actually take you. Apply critical thinking to decipher the URL.
Analyzing email headers — Email headers define how an email got to your address. The “Reply-to” and “Return-Path” parameters should lead to the same domain as is stated in the email.
Sandboxing — You can test email content in a sandbox environment, logging activity from opening the attachment or clicking the links inside the email.
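The header check from the list above (Reply-To and Return-Path should lead to the same domain as From), implemented as an added example that is not part of the original page. The two raw messages are constructed for the demo; the domains in them are placeholders.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample (not from the original page): the visible From domain does not
# match where replies and bounces would actually go.
SUSPICIOUS_RAW = """\
Return-Path: <bounce@mail-relay.example.net>
From: "Finance Director" <director@corp.example.com>
Reply-To: director.corp@webmail.example.org
Subject: Urgent invoice payment
Content-Type: text/plain

Please pay the attached invoice today.
"""

# Constructed sample of a message whose headers are consistent.
CLEAN_RAW = """\
Return-Path: <director@corp.example.com>
From: "Finance Director" <director@corp.example.com>
Subject: Q3 figures
Content-Type: text/plain

Attached are the Q3 numbers.
"""


def header_domain(msg, name):
    """Lowercase domain of the address in a header, or None if the header is absent."""
    value = msg.get(name)
    if not value:
        return None
    _, addr = parseaddr(value)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else None


def check_headers(raw):
    """Compare Reply-To and Return-Path against From.
    Returns (is_suspicious, findings); an exact-domain match is required, so a
    legitimate mail relay on a different subdomain would also be flagged for review."""
    msg = message_from_string(raw)
    from_domain = header_domain(msg, "From")
    findings = []
    for name in ("Reply-To", "Return-Path"):
        domain = header_domain(msg, name)
        if domain and domain != from_domain:
            findings.append(f"{name} domain {domain} differs from From domain {from_domain}")
    return (bool(findings), findings)
```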
4. Drive-by attack
Drive-by download attacks are a common method of spreading malware. Hackers look for insecure websites and plant a malicious script into HTTP or PHP code on one of the pages. This script might install malware directly onto the computer of someone who visits the site, or it might re-direct the victim to a site controlled by the hackers. Drive-by downloads can happen when visiting a website or viewing an email message or a pop-up window. A drive-by download can take advantage of an app, operating system or web browser that contains security flaws due to unsuccessful updates or lack of updates.
Solution: You need to keep your browsers and operating systems up to date and avoid websites that might contain malicious code. Stick to the sites you normally use — although keep in mind that even these sites can be hacked. Don’t keep too many unnecessary programs and apps on your device. The more plug-ins you have, the more vulnerabilities there are that can be exploited by drive-by attacks.
5. Password attack
Because passwords are the most commonly used mechanism to authenticate users to an information system, obtaining passwords is a common and effective attack approach. Access to a person’s password can be obtained by looking around the person’s desk, “sniffing” the connection to the network to acquire unencrypted passwords, using social engineering, gaining access to a password database or outright guessing. The last approach can be done in either a random or systematic manner:
Brute-force attack — Password guessing means looking for logical passwords (a person’s name, date of birth) and continuing to attempt logins.
Dictionary attack — A dictionary of common passwords is used to attempt to gain access to a user’s computer and network. One approach is to copy an encrypted file that contains the passwords, apply the same encryption to a dictionary of commonly used passwords, and compare the results.
In order to protect yourself from dictionary or brute-force attacks, you need to implement an account lockout policy that will lock the account after a few invalid password attempts.
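The account lockout policy recommended above, as an added example (not code from the original page). The store, the threshold of five failures and the 15-minute lockout are constructed values; the example also uses salted PBKDF2 hashes so that a copied password file is not directly comparable against a dictionary, which is the second attack the section describes.

```python
import hashlib
import hmac
import os
import time

MAX_FAILURES = 5            # lock after this many consecutive failures (demo value)
LOCKOUT_SECONDS = 15 * 60   # how long the account stays locked (demo value)
PBKDF2_ROUNDS = 100_000


class AccountStore:
    """Constructed demo store: salted password hashes plus per-account lockout state."""

    def __init__(self):
        self.accounts = {}

    def _derive(self, password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

    def add_user(self, username, password):
        salt = os.urandom(16)
        self.accounts[username] = {
            "salt": salt,
            "hash": self._derive(password, salt),
            "failures": 0,
            "locked_until": 0,
        }

    def login(self, username, password, now=None):
        """Returns 'ok', 'denied' or 'locked'. The clock is injectable for testing."""
        now = now if now is not None else time.time()
        acct = self.accounts.get(username)
        if acct is None:
            return "denied"          # same answer as a wrong password: do not reveal valid names
        if now < acct["locked_until"]:
            return "locked"          # while locked, the password is not even checked
        if hmac.compare_digest(self._derive(password, acct["salt"]), acct["hash"]):
            acct["failures"] = 0     # a successful login clears the failure counter
            return "ok"
        acct["failures"] += 1
        if acct["failures"] >= MAX_FAILURES:
            acct["failures"] = 0
            acct["locked_until"] = now + LOCKOUT_SECONDS
            return "locked"
        return "denied"
```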
6. SQL injection attack
SQL injection has become a common issue with database-driven websites. It occurs when a malefactor executes a SQL query to the database via the input data from the client to server. SQL commands are inserted into data-plane input (for example, instead of the login or password) in order to run predefined SQL commands. A successful SQL injection exploit can read sensitive data from the database, modify (insert, update or delete) database data, execute administration operations (such as shutdown) on the database, recover the content of a given file, and, in some cases, issue commands to the operating system.
For example, a web form on a website might request a user’s account name and then send it to the database in order to pull up the associated account information using dynamic SQL like this:
"SELECT * FROM users WHERE account = '" + userProvidedAccountNumber + "';"
While this works for users who are properly entering their account number, it leaves a hole for attackers. For example, if someone decided to provide an account number of ' or '1' = '1, that would result in a query string of:
"SELECT * FROM users WHERE account = '' or '1' = '1';"
Because ‘1’ = ‘1’ always evaluates to TRUE, the database will return the data for all users instead of just a single user.
The vulnerability to this type of cyber security attack depends on the fact that SQL makes no real distinction between the control and data planes. Therefore, SQL injections work mostly if a website uses dynamic SQL. Additionally, SQL injection is very common with PHP and ASP applications due to the prevalence of older functional interfaces. J2EE and ASP.NET applications are less likely to have easily exploited SQL injections because of the nature of the programmatic interfaces available.
Solution: Apply a least-privilege model of permissions in your databases. Stick to stored procedures (make sure that these procedures don’t include any dynamic SQL) and prepared statements (parameterized queries). The code that is executed against the database must be strong enough to prevent injection attacks. In addition, validate input data against a whitelist at the application level.
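The dynamic query from the example above beside its prepared-statement form, as an added example run against a constructed in-memory SQLite table (not code from the original page). The table rows are made up for the demo.

```python
import sqlite3


def make_db():
    """Constructed demo table; not data from the original page."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (account TEXT, owner TEXT, balance INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("1001", "alice", 250),
        ("1002", "bob", 900),
        ("1003", "carol", 40),
    ])
    return conn


def lookup_dynamic(conn, user_provided_account):
    """The vulnerable pattern from the text: string concatenation builds the query,
    so a quote in the input crosses from the data plane into the control plane."""
    query = "SELECT * FROM users WHERE account = '" + user_provided_account + "';"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, user_provided_account):
    """Hardened form: a prepared statement with a bound parameter. The driver sends
    the input as data only, so quotes inside it never change the query's structure."""
    return conn.execute(
        "SELECT * FROM users WHERE account = ?;", (user_provided_account,)
    ).fetchall()


def demo():
    """Run both lookups with a normal account number and with the input from the text."""
    conn = make_db()
    normal = "1002"
    hostile = "' or '1' = '1"
    return {
        "dynamic_normal": lookup_dynamic(conn, normal),
        "dynamic_hostile": lookup_dynamic(conn, hostile),     # every row comes back
        "param_normal": lookup_parameterized(conn, normal),
        "param_hostile": lookup_parameterized(conn, hostile),  # no account has that name
    }
```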
7. Cross-site scripting (XSS) attack
To defend against XSS attacks, developers can sanitize data input by users in an HTTP request before reflecting it back. Make sure all data is validated, filtered or escaped before echoing anything back to the user, such as the values of query parameters during searches. Convert special characters such as ?, &, /, <, > and spaces to their respective HTML or URL encoded equivalents. Give users the option to disable client-side scripts.
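The "escape before echoing" rule above, as an added example (not code from the original page): a reflected search term is encoded differently depending on whether it lands in element text or in a URL. The page template is constructed for the demo.

```python
import html
from urllib.parse import quote

# Constructed reflected-search template (not from the original page). The same user
# value is reflected twice, once as element text and once inside a query string.
PAGE = '<p>Results for: {term}</p><a href="/search?q={q}">Search again</a>'


def render_unsafe(term):
    """Reflects the query parameter verbatim: any markup in `term` becomes live markup."""
    return PAGE.format(term=term, q=term)


def render_safe(term):
    """Encodes for each output context before reflecting: HTML entities where the value
    lands in element text, percent-encoding where it lands in a URL query string."""
    return PAGE.format(term=html.escape(term, quote=True), q=quote(term, safe=""))


def reflects_raw_markup(rendered, term):
    """True if the raw input survived into the page unchanged (i.e. it was not escaped)."""
    return term in rendered
```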
8. Eavesdropping attack
Eavesdropping attacks occur through the interception of network traffic. By eavesdropping, an attacker can obtain passwords, credit card numbers and other confidential information that a user might be sending over the network. Eavesdropping can be passive or active:
Passive eavesdropping — A hacker detects the information by listening to the message transmission in the network.
Active eavesdropping — A hacker actively grabs the information by disguising himself as a friendly unit and by sending queries to transmitters. This is called probing, scanning or tampering.
Detecting passive eavesdropping attacks is often more important than spotting active ones, since active attacks require the attacker to gain knowledge of the friendly units by conducting passive eavesdropping beforehand.
Data encryption is the best countermeasure for eavesdropping.
9. Birthday attack
Birthday attacks are made against hash algorithms that are used to verify the integrity of a message, software or digital signature. A message processed by a hash function produces a message digest (MD) of fixed length, independent of the length of the input message; this MD uniquely characterizes the message. The birthday attack refers to the probability of finding two random messages that generate the same MD when processed by a hash function. If an attacker calculates the same MD for his message as the user has, he can safely replace the user’s message with his, and the receiver will not be able to detect the replacement even if he compares MDs.
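The probability the paragraph refers to can be made precise. The following derivation is added here and is not part of the original page; it assumes an $n$-bit digest, so $N = 2^n$ possible MD values, and $k$ messages whose digests behave as independent uniform draws.

The probability that $k$ digests are all distinct is

$$P_{\text{no coll}}(k) = \prod_{i=1}^{k-1}\left(1 - \frac{i}{N}\right) \approx \exp\left(-\sum_{i=1}^{k-1}\frac{i}{N}\right) = \exp\left(-\frac{k(k-1)}{2N}\right),$$

using $1 - x \approx e^{-x}$ for small $x$. Hence

$$P_{\text{coll}}(k) = 1 - P_{\text{no coll}}(k) \approx 1 - e^{-k^2/(2N)}.$$

Setting $P_{\text{coll}} = 1/2$ gives the number of messages needed for an even chance of a collision:

$$k \approx \sqrt{2N\ln 2} \approx 1.18\sqrt{N} = 1.18 \cdot 2^{n/2}.$$

For a 128-bit digest this is about $2^{64}$ hash computations; for a 256-bit digest about $2^{128}$. The $2^{n/2}$ bound applies when the attacker is free to choose both messages. Matching the MD of one specific message that the user already has, as in the paragraph's last sentence, is a second-preimage search with expected cost about $N = 2^n$, which is why collision resistance, not just second-preimage resistance, sets the digest length needed for signatures.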
10. Malware attack
Malicious software can be described as unwanted software that is installed in your system without your consent. It can attach itself to legitimate code and propagate; it can lurk in useful applications or replicate itself across the Internet.
Macro viruses — These viruses infect applications such as Microsoft Word or Excel. Macro viruses attach to an application’s initialization sequence. When the application is opened, the virus executes instructions before transferring control to the application. The virus replicates itself and attaches to other code in the computer system.
File infectors — File infector viruses usually attach themselves to executable code, such as .exe files. The virus is installed when the code is loaded. Another version of a file infector associates itself with a file by creating a virus file with the same name, but an .exe extension. Therefore, when the file is opened, the virus code will execute.
System or boot-record infectors — A boot-record virus attaches to the master boot record on hard disks. When the system is started, it will look at the boot sector and load the virus into memory, where it can propagate to other disks and computers.
Polymorphic viruses — These viruses conceal themselves through varying cycles of encryption and decryption. The encrypted virus and an associated mutation engine are initially decrypted by a decryption program. The virus proceeds to infect an area of code. The mutation engine then develops a new decryption routine and the virus encrypts the mutation engine and a copy of the virus with an algorithm corresponding to the new decryption routine. The encrypted package of mutation engine and virus is attached to new code, and the process repeats. Such viruses are difficult to detect but have a high level of entropy because of the many modifications of their source code. Anti-virus software or free tools like Process Hacker can use this feature to detect them.
Stealth viruses — Stealth viruses take over system functions to conceal themselves. They do this by compromising malware detection software so that the software will report an infected area as being uninfected. These viruses conceal any increase in the size of an infected file or changes to the file’s date and time of last modification.
Trojans — A Trojan or a Trojan horse is a program that hides in a useful program and usually has a malicious function. A major difference between viruses and Trojans is that Trojans do not self-replicate. In addition to launching attacks on a system, a Trojan can establish a back door that can be exploited by attackers.
Logic bombs — A logic bomb is a type of malicious software that is appended to an application and is triggered by a specific occurrence, such as a logical condition or a specific date and time.
Worms — Worms differ from viruses in that they do not attach to a host file, but are self-contained programs that propagate across networks and computers. Worms are commonly spread through email attachments; opening the attachment activates the worm program. A typical worm exploit involves the worm sending a copy of itself to every contact in an infected computer’s email address book. In addition to conducting malicious activities, a worm spreading across the internet and overloading email servers can result in denial-of-service attacks against nodes on the network.
Droppers — A dropper is a program used to install viruses on computers. In many instances, the dropper is not infected with malicious code and, therefore, might not be detected by virus-scanning software. A dropper can also connect to the internet and download updates to virus software that is resident on a compromised system.
Ransomware — Ransomware is a type of malware that blocks access to the victim’s data and threatens to publish or delete it unless a ransom is paid. While some simple computer ransomware can lock the system in a way that is not difficult for a knowledgeable person to reverse, more advanced malware uses a technique called cryptoviral extortion, which encrypts the victim’s files in a way that makes them nearly impossible to recover without the decryption key.
Adware — Adware is a software application used by companies for marketing purposes; advertising banners are displayed while any program is running. Adware can be automatically downloaded to your system while browsing any website and can be viewed through pop-up windows or through a bar that appears on the computer screen automatically.
Spyware — Spyware is a type of program that is installed to collect information about users, their computers or their browsing habits. It tracks everything you do without your knowledge and sends the data to a remote user. It also can download and install other malicious programs from the internet. Spyware works like adware but is usually a separate program that is installed unknowingly when you install another freeware application (Melnick, 2018).
TYPES OF CYBER SECURITY
Application security: This constitutes the measures and countermeasures meant to tackle threats and vulnerabilities that arise across the stages of an application’s life cycle, such as design, development, deployment, maintenance, upgrade, etc. Some of the techniques used include input parameter validation, session management, user authentication and authorization, etc.
Information security: This refers to the protection of information and data from theft, unauthorized access, breaches, etc. in order to uphold user privacy and prevent identity theft.
Disaster recovery: This involves planning and strategizing to enable organizations to recover from cybersecurity/IT disasters. This includes risk assessment, analysis, prioritizing and establishing disaster response and recovery mechanisms. This enables organizations to recover faster from disasters and minimize losses.
Network security: This constitutes monitoring for and preventing unauthorized access to and exploitation of an organization’s internal networks. By leveraging both hardware and software technologies, network security ensures that internal networks are safe, reliable and usable. Antivirus and anti-spyware software, VPN, IPS, Firewall, etc. are used to prevent cyber-threats facing the organization.
Website security: This is used to prevent and protect websites from cybersecurity risks on the internet. Holistic website security programs will cover the website’s database, applications, source code and files. There has been a steady rise in the number of data breaches on websites in the past few years, resulting in identity theft, downtime, financial losses, loss of reputation and brand image, etc. The main reason for this has been the misconception among website owners that their website is protected by the website hosting provider, which leaves them vulnerable to cyber-attacks. Some of the important techniques and tools used for website security are website scanning and malware removal, website application firewall, application security testing, etc.
Endpoint security: This enables organizations to protect their servers, workstations and mobile devices from remote and local cyber-attacks. Since devices on a network are interconnected, they create entry points for threats and vulnerabilities. Endpoint security effectively secures the network by blocking attempts made to access these entry points. File integrity monitoring, antivirus and anti-malware software, etc. are major techniques used (Saumil, 2018).
The Biggest Cyber Attacks in 2017-18
1. WannaCry
WannaCry was a ransomware attack that spread rapidly in May of 2017. Like all ransomware, it took over infected computers and encrypted the contents of their hard drives, then demanded a payment in Bitcoin in order to decrypt them. The malware took particular root in computers at facilities run by the United Kingdom’s NHS.
Malware isn’t anything new, though. What made WannaCry significant and scary was the means it used to propagate: it exploited a vulnerability in Microsoft Windows using code that had been secretly developed by the United States National Security Agency. Called EternalBlue, the exploit had been stolen and leaked by a hacking group called the Shadow Brokers. Microsoft had already patched the vulnerability a few weeks before, but many systems hadn’t upgraded. Microsoft was furious that the U.S. government had built a weapon to exploit the vulnerability rather than share information about the hole with the infosec community.
2. NotPetya
Petya was just another piece of ransomware when it started circulating via phishing spam in 2016; its main claim to fame was that it encrypted the master boot record of infected machines, making it devilishly difficult for users to get access to their files.
Then, abruptly in June of 2017, a much more virulent version of the malware started spreading. It was different enough from the original that it was dubbed NotPetya; it originally propagated via compromised Ukrainian accounting software and spread via the same EternalBlue exploit that WannaCry used. NotPetya is widely believed to be a cyberattack from Russia against Ukraine, though Russia denies it, opening up a possible era of states using weaponized malware.
3. Ethereum
While this one might not have been as high-profile as some of the others on this list, it deserves a spot here due to the sheer amount of money involved. Ether is a Bitcoin-style cryptocurrency, and $7.4 million in Ether was stolen from the Ethereum app platform in a matter of minutes in July. Then, just weeks later came a $32 million heist. The whole incident raised questions about the security of blockchain-based currencies.
4. Equifax
The massive credit rating agency announced in July of 2017 that “criminals exploited a U.S. website application vulnerability to gain access to certain files,” getting personal information for nearly 150 million people. The subsequent fallout enraged people further, especially when the site Equifax set up where people could see if their information had been compromised seemed primarily designed to sell Equifax services.
Ed Szofer, CEO of SenecaGlobal, says the Equifax breach is particularly bad “because they had already been told about the fix — it needed to be implemented in a tool called Apache Struts that they use — well before the breach even happened. And yet they failed to do so fully in a timely manner. To prevent such breaches from happening requires a shift in culture and resources; this was not a technical issue, as the technical fix was already known. Equifax certainly had the resources, but it clearly did not have the right culture to ensure the right processes were in place and followed.”
5. Yahoo (revised)
This massive hack of Yahoo’s email system gets an honorable mention because it actually happened way back in 2013 — but the severity of it, with all 3 billion Yahoo email addresses affected, only became clear in October 2017. Stolen information included passwords and backup email addresses, encrypted using outdated, easy-to-crack techniques, which is the sort of information attackers can use to breach other accounts. In addition to the effect on the account owners, the breach could spawn a revisiting of the deal by which Verizon bought Yahoo, even though that deal had already closed.
The truly scary thing about this breach is that the culture of secrecy that kept it under wraps means that there’s more like it out there. “No one is excited to share a breach, for obvious PR reasons,” says Mitch Lieberman, director of research at G2 Crowd. “But the truth eventually comes out. What else do we not know?”
6. GitHub
On February 28, 2018, the version control hosting service GitHub was hit with a massive denial of service attack, with 1.35 TB per second of traffic hitting the popular site. Although GitHub was only knocked offline intermittently and managed to beat the attack back entirely after less than 20 minutes, the sheer scale of the assault was worrying; it outpaced the huge attack on Dyn in late 2016, which peaked at 1.2 TB per second.
More troubling still was the infrastructure that drove the attack. While the Dyn attack was the product of the Mirai botnet, which required malware to infest thousands of IoT devices, the GitHub attack exploited servers running the Memcached memory caching system, which can return very large chunks of data in response to simple requests.
Memcached is meant to be used only on protected servers running on internal networks, and generally has little by way of security to prevent malicious attackers from spoofing IP addresses and sending huge amounts of data at unsuspecting victims. Unfortunately, thousands of Memcached servers are sitting on the open internet, and there has been a huge upsurge in their use in DDoS attacks. Saying that the servers are “hijacked” is barely fair, as they’ll cheerfully send packets wherever they’re told without asking questions.
Just days after the GitHub attack, another Memcached-based DDoS assault slammed into an unnamed U.S. service provider with 1.7 TB per second of data (Fruhlinger, 2018).
Bibliography
CISCO. (2017). What is cybersecurity – CISCO. Retrieved from CISCO: https://www.cisco.com/c/en/us/products/security/what-is-cybersecurity.html
Melnick, J. (2018, May 15). Top 10 Most Common Types of Cyber Attacks. Retrieved from NETWRIX Blog: https://blog.netwrix.com/2018/05/15/top-10-most-common-types-of-cyber-attacks/
Saumil. (2018, July). What are the different types of Cyber Security. Retrieved from Youthkiawaaz: https://www.youthkiawaaz.com/2018/07/different-types-of-cyber-security/
Cisco. (n.d.). Cyber Attack – What are the most common cyberthreats? – Cisco. Retrieved from Cisco: https://www.cisco.com/c/en/us/products/security/common-cyberattacks.html
Fruhlinger, J. (2018, March 7). What is a cyber attack? Recent examples show disturbing trends. Retrieved September 16, 2018, from CSO: https://www.csoonline.com/article/3237324/cyber-attacks-espionage/what-is-a-cyber-attack-recent-examples-show-disturbing-trends.html