Just a Thought
Threats and Consequences
Threat Sophistication vs Skills Required
The Internet – a hacker's reference library
Attack Evolution (Escalation)
Threats, Vulnerabilities and Risk
Threat: Something that can cause harm
Vulnerability: Susceptible to attack or harm, without adequate protection
Risk: Chance of something happening
Health Related Example
Malaria is a real disease that can kill.
As a human you are vulnerable.
As long as you live in North America the risk is very low or non-existent.
If you travel to a malaria zone, there are medications you can take to reduce risk.
Identifying Potential Risks
Complete asset inventory needs to be created
Network devices, software, documents, processes, patents
Components can be prioritized
What is the cost if not protected adequately and loss occurs
Loss of competitive advantage
Could be weaknesses in
All potential threats need to be identified
Related vulnerabilities need to be addressed
To minimize the risk of the threat
No specific target
Example: Email-borne viruses and worms
Specific target and strategy
Example: Reconnaissance attacks
From within the organization
Example: Sniffer or mapping programs
From outside the organization
Example: Ping sweeps and Port scans
Script Kiddies (kids)
Not particularly sophisticated attackers
Unlikely to know exactly how or why their attacks work
May not recognize the full cost of their attacks
Typically rely on ready-made tools
Just a download away (thank you Internet)
Many hacker web sites and chat rooms exist
Maturity and social skills have not developed significantly past the 8th grade
It might be argued that this definition applies to a large percentage of those online
Be careful about provoking this group
Any of the above statements made publicly could precipitate an attack (or series of attacks)
During any attack the target can be investing (and losing) thousands of dollars per attack (day, hour or minute) – the attacker is expending only time…
What Do Attackers Want?
To impress others by "outsmarting" someone
Use the network devices to attack other networks
"Bot" or zombie attacks
Mess up (deny service to) the network
Because they can
Hate – political, religious, nationalism, personal
Financial gain – competitors
Disgruntled employees – past or present
Use the network resources to store files and share them via IRC, etc.
Music, movies, child pornography
Financial gain or competitive advantage
Espionage – competitors, freelancers, opportunists
Four Primary Classes of Attacks
Can be used alone or to assist the other three!
Network or business discovery
Network sweeps (ping scans)
Port scans – what services are open
Where are the vulnerabilities
Man in the middle attacks (recon)
Trojans, Phishing scams, Spyware
Device Detection & Network Mapping
If Visio is installed on
To gain the access to the network
Usernames and passwords
Knowledge of security practices
Used on legitimate system users
Desire to please, be helpful and get ahead
Knowledge of human weaknesses
Loneliness, anger, disillusionment
Humans are the weakest link in network security (any security)
[Diagram: Host A – Router A – Router B – Host B, data crossing the network in clear text]
Requires that the hacker have access to network packets that cross a network
Implemented using the following:
Network packet sniffers
Routing and transport protocols
Theft of information
Hijacking of an ongoing session
Corruption of transmitted data
Introduction of new information into network sessions
Packet Sniffing Output
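The sniffing attack above works only because credentials cross the wire unencrypted. As an added example (not code from the slides), here is a defender-side check that scans reassembled TCP payloads for the credential-bearing commands of common clear-text protocols and reports where they occur without ever printing the secret itself. The flows, hosts, ports and credentials are constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample: three reassembled TCP payloads keyed by (client, server),
# as a sensor on the Host A / Router A segment might reassemble them.
# Hosts, ports and credentials are made up for this example.
SAMPLE_FLOWS = {
    ("172.18.1.2:51022", "172.18.1.10:21"):
        b"USER alice\r\nPASS hunter2\r\nLIST\r\n",                 # FTP login in clear
    ("172.18.1.2:51023", "172.18.1.20:80"):
        b"GET /admin HTTP/1.1\r\nHost: intranet\r\n"
        b"Authorization: Basic YWxpY2U6aHVudGVyMg==\r\n\r\n",      # HTTP Basic auth in clear
    ("172.18.1.2:51024", "172.18.1.30:443"):
        b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x03",               # TLS record bytes: opaque
}

# Credential-bearing commands of common clear-text protocols.
# Group 1 captures the secret so only its length is reported, never its value.
CLEARTEXT_PATTERNS = (
    ("ftp-or-pop3-password", re.compile(rb"^PASS[ \t]+(\S+)", re.M)),
    ("http-basic-auth", re.compile(rb"^Authorization:[ \t]*Basic[ \t]+(\S+)", re.M | re.I)),
    ("smtp-auth-plain", re.compile(rb"^AUTH[ \t]+PLAIN[ \t]+(\S+)", re.M | re.I)),
)


@dataclass(frozen=True)
class Finding:
    client: str
    server: str
    kind: str
    secret_len: int   # length only: the detector never stores or prints the secret


def find_cleartext_credentials(flows):
    """Return one Finding per credential found in a {(client, server): payload} map."""
    findings = []
    for (client, server), payload in flows.items():
        for kind, pattern in CLEARTEXT_PATTERNS:
            for match in pattern.finditer(payload):
                findings.append(Finding(client, server, kind, len(match.group(1))))
    return findings


def servers_receiving_cleartext(flows):
    """Servers to prioritise for migration to an encrypted protocol (SFTP/FTPS, HTTPS, ...)."""
    return sorted({f.server for f in find_cleartext_credentials(flows)})


if __name__ == "__main__":
    for f in find_cleartext_credentials(SAMPLE_FLOWS):
        print(f"{f.client} -> {f.server}: {f.kind} (secret length {f.secret_len})")
```

The TLS flow produces no finding, which is the point: the same sniffer position sees only opaque record bytes once the service is moved to an encrypted protocol. The server list is what a network team would act on first.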
Viruses, Trojan Horses & Worms
Malicious software attached to another program to execute an unwanted function on a user's workstation
End-user workstations are the primary targets
Different only in that the entire application was written to look like something else to conceal an attack tool
Self-contained programs that attack a system
Exploits a specific vulnerability in the target computer
Enabling vulnerability – A worm installs itself
Propagation mechanism – After gaining access the worm replicates and selects new targets
Payload – Once infected with a worm, the attacker has access to the host – often as a privileged user
Attackers use a local exploit to escalate privilege level to administrator
Mitigated by current, strong antivirus software
At both the user level and network level
Spyware / Adware
Takes full or partial control of a computer
Done without the informed consent of the owner/user
Subverts the PC's operation for the benefit of a third party
Watches what users do with their computer
Sends the results over the internet to a third party
Can collect many types of information
Types of websites a user visits – sent to an advertisement agency
Passwords or credit card numbers
The commercial response (rationalization)
Some just launch popup advertisements – prefer the term Adware
Some are more passive in nature by just watching, observing and collecting information to facilitate commercial transactions –
Many legitimate companies are incorporating it into their software
For purposes of advertisement
Monitoring / enforcing copyrights
Spam, Phishing & Other Cons
Abuse of electronic messaging systems to send unsolicited, undesired bulk messages
Most common is e-mail spam, but spreading to IM, newsgroups, Web search engines, blogs and cell phone messaging
A criminal activity
Uses social engineering techniques
Attempts to fraudulently acquire sensitive information
Email address harvesting
Stock market scams
Online gambling and facilitating (processing credit cards)
Is now a Federal crime in the US
Most traditional scams and cons have found a home
Spam example that got past UW filters (10/28/06):
From: Piritta Dortch [mailto:firstname.lastname@example.org]
Sent: Saturday, October 28, 2006 2:02 PM
To: Bob Larson
Subject: Re: 513
Well each to their own opinion. Good-by and good luck with your
Cheap Vl x AG x RA http://www.adesunkionmadesunjase.com
From: Igone Bushee [mailto:email@example.com]
Sent: Sunday, September 10, 2006 3:42 PM
Subject: Re: PHAyhkRMACY (misspelling to get past Spam filter)
When you copy the message into a text
All yo a ur P o HAR l MAC l Y d w ire e ctl f y from the ma g nu d fact t ure b r,
Your c i hanc e e to ec c ono m mi t ze up o to 50 s % wit h h
Malware Example – Caught
From: firstname.lastname@example.org [mailto:email@example.com]
Sent: Saturday, October 28, 2006 11:32 AM
Subject: MCAFEE E-MAIL SCAN ALERT!~TTDT
Attachment file : account-report.zip
Scanner Detected: Generic Malware.a!zip
Action taken : Cleaned...
Dear Bla Member,
We have temporarily suspended your email account firstname.lastname@example.org.
This might be due to either of the following reasons:
1. A recent change in your personal information (i.e. change of address).
2. Submiting invalid information during the initial sign up process.
3. An innability to accurately verify your selected option of subscription due
to an internal error within our processors.
See the details to reactivate your Bla account.
Sincerely,The Bla Support Team
+++ Attachment: No Virus (Clean)
+++ Bla Antivirus - www.bla.com
Other Cons – Identity Theft
From: Charlotte Flood [mailto:email@example.com]
Sent: Tuesday, November 28, 2006 12:22 PM
Subject: Part-time employment opportunity
'What do you mean by that?' said Mr. Sikes, looking up in a surly manner. 'She'll go, Fagin,' said Sikes. 'Wheres?' inquired the young lady. 'And as I don't want 'em to, neither,' replied Nancy in the same composed manner, 'it's rather more no than yes with me, Bill.' 'Why, you're just the very person for it,' reasoned Mr. Sikes: 'nobody about here knows anything of you.'
American trading corporation is looking for responsible employees.
COMPANY DESCRIPTION: FlowerLand International is an american trading company. We specialize in all kinds of flowers,
decorative plants and greenery that can be used for home or office/business.
CAREER POSITION: This is an entry level opportunity in the field of financial services.
EMPLOYMENT TYPE: Part-time employment.
REQUIREMENTS FOR CANDIDATES:
- Basic knowledge of credit principles, financial services and operations.
- employee must be honest, responsible and dedicated.
- Ability to work on multiple projects simultaneously along with meeting deadlines.
- Ability to work independently or in a team environment.
- Having no problem with the Law.
- Having a functional bank account. Company account is an advantage.
- Having a cellular phone.
- Having a deep desire to achieve financial success.
SALARY: $30 000-$60 000/yr
ADVANTAGES:
- No sign up fees.
- No investment needed.
- Covered expenses.
- Illness\disability friendly team.
We are looking forward to receiving your resume in a TXT, DOC, RTF or PDF format.
Please send us your resume to firstname.lastname@example.org
'That's very likely,' returned Sikes with a malicious grin. 'You're blowed upon, Fagin.' 'Perhaps I am,' replied Sikes; 'I should think you was rather out of sorts too, unless you mean as little harm when you throw pewter pots about, as you do when you blab and—'
Concerns:
1. Unsolicited
2. Source address?
3. Gibberish at top and bottom to slip past Spam filters
4. Why do I need a bank account to be an employee?
5. What info is on a resume?
Other Cons – Stock Scams
From: Randolph Norton [mailto:C5f3C6nXtq@mail.ru]
Sent: Friday, September 08, 2006 10:12 AM
Subject: re: Breaking news for EQTD
want to see howdeep understanding of why on your team. a d
Note the return address (stock tips from Russia?)
Body is a graphic to avoid Spam filter software
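The spam and con examples above share two detectable traits: the displayed sender differs from the real sender address, and key words are padded with filler letters ("P o HAR l MAC l Y", "PHAyhkRMACY") so a plain keyword filter misses them. As an added example, not from the slides, the triage below implements both checks: a From-header mismatch test for the Outlook-style "Name [mailto:address]" form shown in the examples, and a gapped-subsequence match that recovers a watch word despite up to three filler characters between its letters. The sample messages are constructed, adapted from the slides' examples with their placeholder addresses kept; the scoring weights are my own choice.

```python
import re

# Constructed sample messages adapted from the slides' examples (placeholder addresses kept).
SAMPLES = {
    "pharmacy": (
        "From: Igone Bushee [mailto:email@example.com]\n"
        "Subject: Re: PHAyhkRMACY\n\n"
        "All yo a ur P o HAR l MAC l Y d w ire e ctl f y from the ma g nu d fact t ure b r,\n"
    ),
    "fake-alert": (
        "From: firstname.lastname@example.org [mailto:email@example.com]\n"
        "Subject: MCAFEE E-MAIL SCAN ALERT!~TTDT\n\n"
        "We have temporarily suspended your email account.\n"
    ),
    "ordinary": (
        "From: Bob Larson [mailto:bob@example.org]\n"
        "Subject: Re: 513\n\n"
        "Please pick up your prescription at the counter.\n"
    ),
}

# Words spammers pad with filler letters; extend as needed (assumed list).
WATCH_WORDS = ("pharmacy", "viagra")

FROM_RE = re.compile(r"^From:\s*(.*?)\s*\[mailto:([^\]]+)\]", re.M)
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def sender_mismatch(raw):
    """(displayed address, real address) when the From: display text shows one
    address but the mailto: carries another, else None."""
    m = FROM_RE.search(raw)
    if not m:
        return None
    shown = EMAIL_RE.search(m.group(1))
    actual = m.group(2).strip()
    if shown and shown.group(0).lower() != actual.lower():
        return shown.group(0), actual
    return None


def _continues(text, word, idx, pos, max_gap):
    # Can word[idx:] be matched after text position pos with at most max_gap
    # filler characters before each letter? Tries every candidate, so it backtracks.
    if idx == len(word):
        return True
    for cand in range(pos + 1, min(len(text), pos + 2 + max_gap)):
        if text[cand] == word[idx] and _continues(text, word, idx + 1, cand, max_gap):
            return True
    return False


def find_obfuscated(text, word, max_gap=3):
    """Index where `word` occurs in `text` as a subsequence with at most `max_gap`
    filler characters between consecutive letters, or -1. Case-insensitive."""
    t, w = text.lower(), word.lower()
    for start in range(len(t)):
        if t[start] == w[0] and _continues(t, w, 1, start, max_gap):
            return start
    return -1


def triage(raw):
    """Score a raw message: 2 for a sender mismatch, 3 per obfuscated watch word."""
    score, reasons = 0, []
    mismatch = sender_mismatch(raw)
    if mismatch:
        score += 2
        reasons.append(f"sender-mismatch:{mismatch[0]}!={mismatch[1]}")
    for word in WATCH_WORDS:
        if find_obfuscated(raw, word) != -1:
            score += 3
            reasons.append(f"obfuscated:{word}")
    return score, reasons


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, triage(raw))
```

The gap limit is the tuning knob: a larger `max_gap` catches heavier padding but raises the chance that an ordinary sentence happens to contain the letters in order, so in practice the score feeds a threshold alongside other signals rather than deciding on its own. The image-only stock scam above defeats both checks by design, which is why its only text-side tell is the sender domain.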
Attempting to get into the network
Often using recon info
May be "just looking" or profit
When profit motivated
May try to sustain the breach
Conceal evidence of the activities
May even add security features
Trojan horse programs
Denial of Service Attacks
Where Credit is Due…
Two white papers available at
Attack comes into the ISP undetected, but buries the local link. The link is down even if the device can fend off the packets.
Distributed Zombie Traffic Aggregation
Your Worst Nightmare
ICMP REPLY D=172.18.1.2 S=126.96.36.199
ICMP REPLY D=172.18.1.2 S=188.8.131.52
ICMP REPLY D=172.18.1.2 S=184.108.40.206
ICMP REPLY D=172.18.1.2 S=220.127.116.11
ICMP REPLY D=172.18.1.2 S=18.104.22.168
ICMP REPLY D=172.18.1.2 S=22.214.171.124
ICMP REQ D=126.96.36.199 S=172.18.1.2
Overwhelm Link to
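The figure shows the victim's link flooded with echo replies it never asked for: the single request carries the victim's address as a spoofed source, so the replies from every amplifier converge on 172.18.1.2. As an added example, not from the slides, the detector below reads log lines in the slide's own `ICMP REPLY D=… S=…` notation, pairs each reply with an outstanding request from the same vantage point, and raises an alert when one destination receives many unpaired replies from many sources. It assumes the sensor sits on the victim's link, where the spoofed request is never seen; the trace is constructed from the addresses in the figure plus one legitimate ping for contrast.

```python
import re
from collections import defaultdict

LINE_RE = re.compile(r"^ICMP (REQ|REPLY)\s+D=(\S+)\s+S=\s*(\S+)")

# Constructed trace as seen on the victim's link: one legitimate ping exchange,
# then the amplified replies from the figure. The spoofed request is not visible here.
SAMPLE_TRACE = """\
ICMP REQ D=172.18.1.9 S=172.18.1.2
ICMP REPLY D=172.18.1.2 S=172.18.1.9
ICMP REPLY D=172.18.1.2 S=126.96.36.199
ICMP REPLY D=172.18.1.2 S=188.8.131.52
ICMP REPLY D=172.18.1.2 S=184.108.40.206
ICMP REPLY D=172.18.1.2 S=220.127.116.11
ICMP REPLY D=172.18.1.2 S=18.104.22.168
ICMP REPLY D=172.18.1.2 S=22.214.171.124
"""


def parse(trace):
    """Yield (kind, destination, source) for each well-formed line; ignore the rest."""
    for line in trace.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2), m.group(3)


def unsolicited_replies(trace):
    """Map destination -> list of reply sources that answered no observed request."""
    outstanding = defaultdict(int)     # (requester, target) -> requests awaiting a reply
    unsolicited = defaultdict(list)
    for kind, dst, src in parse(trace):
        if kind == "REQ":
            outstanding[(src, dst)] += 1
        else:
            key = (dst, src)             # a reply from src to dst answers a request dst -> src
            if outstanding[key] > 0:
                outstanding[key] -= 1
            else:
                unsolicited[dst].append(src)
    return dict(unsolicited)


def smurf_alerts(trace, min_replies=5, min_sources=3):
    """(victim, reply count, distinct sources) for each destination that looks
    like the target of reflected, amplified ICMP traffic. Thresholds are assumed."""
    alerts = []
    for victim, sources in unsolicited_replies(trace).items():
        if len(sources) >= min_replies and len(set(sources)) >= min_sources:
            alerts.append((victim, len(sources), len(set(sources))))
    return alerts


if __name__ == "__main__":
    for victim, count, distinct in smurf_alerts(SAMPLE_TRACE):
        print(f"ALERT {victim}: {count} unsolicited echo replies from {distinct} sources")
```

The legitimate ping is paired and dropped, so only the reflected traffic counts. Note what the detector cannot do: once the replies fill the link, alerting at the victim only confirms the outage. The mitigation the slides point at is upstream, at the ISP, where the traffic can be filtered before it reaches the local link, and at the amplifier networks, which should not answer echo requests sent to broadcast addresses.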