Okay, now that we've talked about the OSI model, let's go back and review the threats to network security, and we'll add in a few others. I think this is a very testable element because, really, the reason we're here is that there are so many threats to our network security, and if we don't put the protective mechanisms in place, we could fall prey to them.
So across the next couple of slides there's just a variety of common attacks. Speaking about a virus first of all: obviously it's malicious code, but there are two main elements. It requires user interaction to spread. A lot of times these things come in email attachments, VBScript in Word or Excel, whatever. So it takes the user opening up the attachment to really get the system infected. The second thing is that the virus needs a host in which to operate. Like I said, it might operate in a word processing application, or in some sort of email attachment, whatever.
Now, that's different from a worm. A worm is also malicious, but worms can be really nasty because you don't have to do anything for your system to be infected. You're just part of the network that the worm has gotten onto, and it essentially bounces around from system to system to system. It's self-replicating, so it doesn't have to have a host; it's purely hitting systems on a specific network. Nimda and Code Red are a little dated, but those are some examples that come to mind.
All right, logic bomb. The thing about a logic bomb is that it lies dormant until some sort of logical condition is met. So maybe I write a little application that scans the HR payroll database for the name Kelly Handerhan, and as long as Kelly Handerhan is in the payroll database it just lies dormant. Then once that name is missing for two weeks in a row, it unleashes some sort of virus or some sort of attack on the network. So that would be a logic bomb, waiting for a logical condition. Very similar are time bombs, which go off on a specific day: Christmas Day, April Fools' Day, whatever. Trojan horse, often referred to just as a Trojan: it's anything that looks benign but whose payload is actually something malicious.
So a lot of times these Trojans are sort of vessels to deliver malicious code, such as backdoor software. Download this game or this screen saver, and when you install it, it also installs backdoor software. All backdoor software really is is a network application that opens up a port; it's listening on a particular port on your system, and that's what allows the attacker access to that system. And, just to sum it up, it's a means of bypassing normal access control mechanisms.
All right, a salami attack. A salami attack is based on the idea that if I'm back in the deli slicing salami and I steal one little piece, nobody will ever know. So it's all about staying underneath the threshold: lots of little attacks can equal a large attack. I'd rather steal a dollar from 1000 people, because it's less likely to be detected, that kind of thought. And if you ever watched the movie Office Space (and let's admit it, we're all IT people, everybody watched the movie Office Space), it was all about stealing just fractions of a penny.
Data diddling. I didn't name these, I'm just the teacher, so don't kill the messenger; some of these names are ridiculous. Data diddling is about manipulating input. How do I say it? Rather than stealing money from the till at work, for instance, I'm going to manipulate the input. So maybe I get into work early at Taco Bell, and when I push the button for a taco, it rings up as 50 cents. So you come to the drive-thru and order a taco, I push the button, it rings up 50 cents, and I charge you $5. I put the 50 cents in the till and the other $4.50 in my pocket, and at the end of the night my till comes up fine. But obviously I've committed fraud. That's data diddling.

Session hijacking. All right, so a lot of times we talk about active versus passive attacks. A man-in-the-middle attack, you know, sniffing, is passive by nature. For instance, sniffing the network is passive: I'm not injecting anything into the data stream, I'm really just watching. It becomes an active attack through TCP or session hijacking. Basically, what happens at that level is I escalate and I impersonate one of the communicating hosts. Maybe I'll steal the session ID number and other identifying characteristics. Maybe I denial-of-service one of the hosts so that I can just step in and immediately continue the session.
When we talked about things like cross-site request forgery, that would be an example, kind of a session hijack. What happens with cross-site request forgery is, for instance, let's say I send a message to your email saying your bank account has been compromised, please click on this link and enter your information. Of course, you click on the link, and maybe that link starts a chat session between the two of us. Then during the chat session I say, hey, go open up your Capital One account, or this account or that account. So you've got me on a chat in one window, and you've logged into your banking server in another. A lot of times, or certainly it used to be, that session information between you and your bank might be stored as a cookie on your hard drive. So I've got this one kind of conduit into your system while you're connecting to the bank, and maybe I can steal information from the cookie. You can see that that's a very active attack: I'm stepping in and then I'm going to impersonate you. Again, that's called cross-site request forgery. That might be testable as well, so even though it's not on here, you might add that to the list of things you know. Okay, so that's a type of session hijacking; it's a means of session hijacking.
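To make the cookie point above concrete, here is an added example that is not part of the original lecture: a toy "bank" in Python with two transfer handlers. The browser attaches the victim's session cookie to any request aimed at the bank, including one that a page under the attacker's control submits, so a handler that trusts the cookie alone accepts the forged transfer. The hardened handler also requires a per-session secret that the bank's own page embeds and that another origin cannot read. The session store, account names, amounts and request shape are all invented for illustration.

```python
"""Cross-site request forgery against a toy 'bank' server.

Added example, not code from the original lecture. Everything here
(session store, accounts, request layout) is constructed to show why a
cookie-only check cannot distinguish a forged request from a genuine one.
"""
import secrets

SESSIONS = {}                       # cookie value -> {"user", "csrf"}
BALANCES = {"alice": 1000, "mallory": 0}


def login(user):
    """Create a session; returns the cookie the browser will store."""
    cookie = secrets.token_hex(16)
    SESSIONS[cookie] = {"user": user, "csrf": secrets.token_hex(16)}
    return cookie


def render_transfer_form(cookie):
    """What the bank's own page embeds: the token tied to this session."""
    return SESSIONS[cookie]["csrf"]


def _move(src, dst, amount):
    if BALANCES[src] < amount:
        raise ValueError("insufficient funds")
    BALANCES[src] -= amount
    BALANCES[dst] += amount


def transfer_cookie_only(request):
    """Vulnerable handler: trusts the session cookie alone."""
    session = SESSIONS.get(request.get("cookie"))
    if session is None:
        return "unauthenticated"
    _move(session["user"], request["to"], request["amount"])
    return "ok"


def transfer_with_token(request):
    """Hardened handler: the request must also carry the session's token."""
    session = SESSIONS.get(request.get("cookie"))
    if session is None:
        return "unauthenticated"
    # Constant-time compare; a missing token fails exactly like a wrong one.
    if not secrets.compare_digest(session["csrf"], request.get("csrf", "")):
        return "csrf-rejected"
    _move(session["user"], request["to"], request["amount"])
    return "ok"


def browser_submits(cookie, form_fields):
    """Model the browser: it appends the bank's cookie to any request sent
    to the bank, whether the bank's page or the attacker's page built it."""
    return {"cookie": cookie, **form_fields}


def attack(handler):
    """Victim is logged in in one tab; the attacker's page in another tab
    submits a transfer. Returns (handler result, victim balance after)."""
    BALANCES.update({"alice": 1000, "mallory": 0})
    victim_cookie = login("alice")
    # The attacker knows the form layout but cannot read the victim's
    # token; the browser supplies the cookie on its own.
    forged = browser_submits(victim_cookie, {"to": "mallory", "amount": 500})
    return handler(forged), BALANCES["alice"]


def legitimate(handler):
    """The bank's own form, which carries the token, still works."""
    BALANCES.update({"alice": 1000, "mallory": 0})
    cookie = login("alice")
    fields = {"to": "mallory", "amount": 100, "csrf": render_transfer_form(cookie)}
    return handler(browser_submits(cookie, fields)), BALANCES["alice"]


if __name__ == "__main__":
    print("cookie-only, forged:", attack(transfer_cookie_only))      # ('ok', 500)
    print("with token, forged:", attack(transfer_with_token))        # ('csrf-rejected', 1000)
    print("with token, genuine:", legitimate(transfer_with_token))   # ('ok', 900)
```

The point to take away is that the cookie is exactly what the lecturer says it is, the session, and the browser hands it over on the victim's behalf; the token is the extra piece of evidence that only a page served by the bank could know.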
War dialing. I don't know if any of you remember the movie WarGames from 100 years ago, with Matthew Broderick in it when he looked about eight years old. I saw this movie recently and couldn't believe how dated it was. But at any rate, he was trying to get into a government system and used war dialing. He would call one number after the next, 4000, 4001, 4002, 4003, looking for a remote access server and modem to pick up. Once he gets that connection, he knows that's the pathway into the network. It was a bit contrived, because he was connecting to the Pentagon servers that way and there was no authentication or anything like that. So, oddly enough, sometimes movies are not 100% factual. You heard it here, folks.
All right, other attacks: denial of service versus distributed denial of service. Those attacks are specifically directed at denying service, at taking a service offline and making it inaccessible. And really, you could just slow the service down. Today we demand such high speed and good performance that if I go to a website that doesn't load in two seconds, I'm on to somewhere else. So you can significantly hurt an organization's ability to do business just by slowing it down. The denial of service attack would be one attacker. The distributed denial of service attack generally commandeers some unsuspecting systems out on the Internet, on this network or another, and uses them to launch the attack.
Ping of death and ping flooding. These were both exploits of ICMP, and most of the time operating systems defend against these now. But the ping of death is about sending a very large ping packet. When we talk about a protocol, part of the protocol is the rules on how we're going to transmit, what's acceptable, and how to process or read the data that's coming in. So if a ping came in that violated the maximum transmission unit size, that would be considered a ping of death. Ping flooding means I'm going to send you a whole bunch of little pings looking to overwhelm the system.
All right, teardrop and buffer overflow. The teardrop is a malformed packet, and a buffer overflow is really me sending you more than you can process; a ping flood is a type of buffer overload. Later, when we talk about software development security, we'll talk about putting more information in a field than is anticipated. That's a buffer overflow, or an integer overflow, which is very comparable, where maybe you're expecting a range of numbers between one and five and I give you nine, or whatever that might be. Values that aren't anticipated go in that same realm of buffer overflow and integer overflow.
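As an added example (not from the lecture) of what the "violates the maximum size" and "malformed packet" checks look like in practice: the oversized ping arrives as a series of IP fragments that each fit the MTU, and it is only when you add the last fragment's offset to its length that the reassembled datagram comes out past the 65,535-byte IPv4 limit. Teardrop shows up in the same arithmetic as a fragment whose offset places it inside data an earlier fragment already covered. The fragment records below are constructed by hand rather than read from a capture; the field layout follows IPv4 (offset in 8-byte units, more-fragments flag, payload length).

```python
"""Fragment sanity checks for the ping of death and teardrop cases.

Added example, not code from the lecture. Fragments are constructed
tuples, not parsed from a pcap; offsets are in 8-byte units as in IPv4.
"""
from dataclasses import dataclass

IPV4_MAX_DATAGRAM = 65535   # the 16-bit total-length field cannot go higher


@dataclass(frozen=True)
class Fragment:
    ident: int        # IP identification, shared by all fragments of one datagram
    offset: int       # fragment offset field, in units of 8 bytes
    more: bool        # "more fragments" flag
    length: int       # payload bytes carried by this fragment

    @property
    def start(self):
        return self.offset * 8

    @property
    def end(self):
        return self.start + self.length


def check_datagram(fragments):
    """Return sorted findings for the fragments of one datagram.

    'ping-of-death' : a fragment's data would extend past byte 65535,
                      so the reassembled datagram cannot be legal.
    'teardrop'      : a fragment starts inside data an earlier one covered.
    """
    findings = set()
    covered_to = 0
    for f in sorted(fragments, key=lambda f: f.start):
        if f.end > IPV4_MAX_DATAGRAM:
            findings.add("ping-of-death")
        if f.start < covered_to:
            findings.add("teardrop")
        covered_to = max(covered_to, f.end)
    return sorted(findings)


def triage(stream):
    """Group a mixed fragment stream by identification and check each datagram."""
    by_id = {}
    for f in stream:
        by_id.setdefault(f.ident, []).append(f)
    return {ident: check_datagram(fs) for ident, fs in by_id.items()}


# Constructed traffic:
#   id 1: a normal 3000-byte ping split for a 1500-byte MTU
#   id 2: last fragment at offset 8189*8 = 65512 plus 100 bytes -> 65612
#   id 3: second fragment claims to start at byte 24, inside the first
SAMPLE = [
    Fragment(1, 0, True, 1480), Fragment(1, 185, True, 1480), Fragment(1, 370, False, 40),
    Fragment(2, 0, True, 1480), Fragment(2, 8189, False, 100),
    Fragment(3, 0, True, 36), Fragment(3, 3, False, 20),
]

if __name__ == "__main__":
    for ident, findings in triage(SAMPLE).items():
        print(ident, findings or ["ok"])
```

A reassembly routine that trusted the offset and length without these two checks is exactly what the old ping of death and teardrop packets broke; modern stacks do this arithmetic before copying a byte.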
I wouldn't worry so much about Bonk or Land, although they're here, so it might be worth knowing them. SYN flood we'll talk about later; it's an exploit of the three-way handshake of TCP. The famous Smurf attack is all about a distributed denial of service; blocking directed broadcasts on routers is the defensive mechanism, but also blocking ICMP from the outside in. Fraggle attacks are very similar, but they use UDP, and we would have a lot less success blocking UDP coming into our networks, so the big thing is to block directed broadcasts. And then Loki is a type of covert channel: information is stored where information shouldn't be stored, in the ICMP header in this instance.
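The three patterns just described (a SYN flood's half-open handshakes, Smurf's echo requests aimed at the directed broadcast address, and Fraggle's UDP to the echo and chargen ports at that same address) are easy to pick out of packet records once you know the shape. The following is an added example, not part of the lecture: a small Python detector run over constructed records. The local network 192.0.2.0/24, the addresses, the half-open threshold and the record format are all assumptions chosen for illustration.

```python
"""Flag SYN flood, Smurf and Fraggle patterns in constructed packet records.

Added example, not code from the lecture. Network, addresses, threshold and
record layout are assumptions; nothing here is captured traffic.
"""
import ipaddress
from collections import Counter

LOCAL_NET = ipaddress.ip_network("192.0.2.0/24")       # assumed internal network
DIRECTED_BROADCAST = LOCAL_NET.broadcast_address        # 192.0.2.255
HALF_OPEN_LIMIT = 50            # SYNs from one source never followed by its ACK
AMPLIFIER_PORTS = {7, 19}       # UDP echo and chargen, the services Fraggle bounces off


def pkt(proto, src, dst, dport=None, flags="", icmp_type=None):
    """One constructed packet record."""
    return {"proto": proto, "src": src, "dst": dst, "dport": dport,
            "flags": flags, "icmp_type": icmp_type}


def detect(records):
    """Return a sorted list of (finding, source address) pairs."""
    findings = set()
    half_open = Counter()       # SYNs seen minus the client ACKs that completed them
    for r in records:
        dst = ipaddress.ip_address(r["dst"])
        if r["proto"] == "icmp" and r["icmp_type"] == 8 and dst == DIRECTED_BROADCAST:
            # Echo request to the broadcast address: every host answers the
            # (spoofed) source, so the source listed here is the real victim.
            findings.add(("smurf", r["src"]))
        elif r["proto"] == "udp" and dst == DIRECTED_BROADCAST and r["dport"] in AMPLIFIER_PORTS:
            findings.add(("fraggle", r["src"]))
        elif r["proto"] == "tcp":
            if r["flags"] == "S":
                half_open[r["src"]] += 1
            elif r["flags"] == "A" and half_open[r["src"]] > 0:
                half_open[r["src"]] -= 1
    for src, n in half_open.items():
        if n > HALF_OPEN_LIMIT:
            findings.add(("syn-flood", src))
    return sorted(findings)


# Constructed sample: 60 bare SYNs from one source, five normal handshakes
# from another, one Smurf trigger, one Fraggle trigger, one ordinary ping.
SAMPLE = (
    [pkt("tcp", "203.0.113.7", "192.0.2.10", 80, "S") for _ in range(60)]
    + [p for _ in range(5)
       for p in (pkt("tcp", "198.51.100.2", "192.0.2.10", 80, "S"),
                 pkt("tcp", "198.51.100.2", "192.0.2.10", 80, "A"))]
    + [pkt("icmp", "192.0.2.10", "192.0.2.255", icmp_type=8),
       pkt("udp", "192.0.2.11", "192.0.2.255", dport=7),
       pkt("icmp", "198.51.100.2", "192.0.2.10", icmp_type=8)]
)

if __name__ == "__main__":
    for finding, src in detect(SAMPLE):
        print(f"{finding:10} from {src}")
```

The router-side fix the lecture names is to refuse directed broadcasts at the edge (on Cisco IOS that is `no ip directed-broadcast` on the interface, which has been the default for many years); the detector above is what you would run on the wire to confirm the amplifier is not still answering.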
So those are your common attacks. I would review those; I think they're very testable. I didn't read every word for you, of course, but on here, in the areas where I have given you a layer of the OSI model, I would know that. Also, if there's anything where I gave you sort of a mitigating strategy, I would know that as well. So it might be worth going back across the last couple of slides and looking at those a little bit deeper.