Endpoint Security


Threat Domains and Vulnerabilities

Organizations face an increasing number of cyber threats, emphasizing the need for robust security
solutions. A 'threat domain' refers to areas attackers can exploit for system access. Vulnerabilities
include:

1. Physical Access:
- Unauthorized physical access to systems and networks.

2. Wireless Networking:
- Exploiting vulnerabilities in extended wireless networks.

3. Bluetooth and NFC Devices:
- Security risks associated with Bluetooth and NFC devices.

4. Malicious Emails:
- Threats through email attachments, a common vector for attacks.

5. Supply Chain Weaknesses:
- Exploiting less secure elements in the organizational supply chain.

6. Social Media Accounts:
- Attacks leveraging vulnerabilities in an organization's social media presence.

7. Removable Media:
- Risks posed by removable media like flash drives.

8. Cloud Applications:
- Exploiting security vulnerabilities in cloud-based applications.

Understanding these threat domains is crucial for implementing effective cybersecurity measures.

Types of Cyber Threats


Natural Disasters
- Severe storms such as hurricanes or tornados.
- Earthquakes.
- Floods.
- Fires.

Utility Interruption
- Electrical power outages.
- Water damage resulting from sprinkler failure.

Hardware Failures
- Hard drive crashes.

Theft
- Laptops or equipment being stolen from an unlocked room.

Human Error
- Inadvertent data entry errors.
- A firewall misconfiguration.

Sabotage
- An authorized user successfully penetrating and compromising an organization’s primary database.
- The defacement of an organization’s website.

Software Errors
- A software bug.
- An application going offline.
- A cross-site script or illegal file server share.

Software Attacks
- A successful denial-of-service (DoS) attack.
- A computer virus.

Internal vs External Threats


- Threats to an organization's security can arise internally and externally, targeting valuable information like personnel records, intellectual property, and financial data.

- Internal Threats: Internal threats are often posed by current or former employees, as well as contract partners. These individuals may accidentally or intentionally mishandle confidential data. Internal threats can involve actions like connecting infected media or accessing malicious emails or websites, posing risks to server operations and network infrastructure.

- External Threats: External threats, on the other hand, originate from individuals outside the organization. These may include both amateur and skilled attackers. External threats exploit vulnerabilities in networked devices and employ social engineering techniques, such as trickery, to gain unauthorized access to an organization's internal resources. The goal is often to compromise sensitive information and disrupt operations.

User Threats and Vulnerabilities


No Awareness of Security: Users must be aware of and understand an organization’s sensitive data, security policies and procedures, technologies, and countermeasures that are implemented to protect information and information systems.

Poorly Enforced Security Policies: All users must be aware of and understand an organization’s security policies, as well as the consequences of non-compliance.

Data Theft: Data stolen by users can pose a significant financial threat to organizations, both in terms of the resulting damage to their reputation and/or the legal liability associated with the disclosure of sensitive information.

Unauthorized Downloads and Media: Many network and device infections and attacks can be traced back to users who have downloaded unauthorized emails, photos, music, games, apps, and videos to their computers, networks, or storage devices, or used unauthorized media such as external hard disks and USB drives.

Unauthorized Virtual Private Networks (VPNs): VPNs can hide the theft of unauthorized information because the encryption normally used to protect confidentiality can stop a network administrator from tracking data transmission (unless they have permission to do so).

Unauthorized Websites: Accessing unauthorized websites can pose a risk to a user’s data and devices, as well as the organization itself. Often, these websites prompt users to download scripts or plugins that contain malicious code or adware. Some of these sites can even take over user devices like cameras and applications.

Destruction of Systems, Applications, or Data: The accidental or deliberate destruction or sabotage of systems, applications, and data poses a serious risk to all organizations. Activists, disgruntled employees, or industry competitors attempt to delete data and destroy or misconfigure devices to make organizational data and information systems unavailable.

Threats to Devices
Unauthorized Access Risk: Any devices left powered on and unattended pose the risk of someone gaining unauthorized access to network resources.

Malicious Code Execution: Downloading files, photos, music, or videos from unreliable sources could lead to the execution of malicious code on devices.

Exploitation of Software Vulnerabilities: Cybercriminals often exploit security vulnerabilities within software installed on an organization’s devices to launch an attack.

Continuous Malware Threats: An organization’s information security teams must try to keep up to date with the daily discovery of new viruses, worms, and other malware that pose a threat to their devices.

Risks from External Media: Users who insert unauthorized USB drives, CDs, or DVDs run the risk of introducing malware or compromising data stored on their device.

Policy Violations Consequences: Policies are in place to protect an organization’s IT infrastructure. A user can face serious consequences for purposefully violating such policies.

Vulnerabilities due to Outdated Systems: Using outdated hardware or software makes an organization’s systems and data more vulnerable to attack.

Securing the Local Area Network (LAN)


The Local Area Network (LAN) is a network of devices connected by cables or airwaves in the same
geographic area. As users can access crucial systems and data within the LAN, robust security measures
and access controls are imperative.

Common Threats to the LAN:

1. Unauthorized Physical Access:
- Access to wiring closets, data centers, and computer rooms without authorization.

2. Unauthorized Access to Systems and Data:
- Breach of security leading to unauthorized access to systems, applications, and data.

3. Network Operating System Vulnerabilities:
- Vulnerabilities in the network operating system or software, highlighting the importance of regular updates.

4. Rogue Users on Wireless Networks:
- Unauthorized users gaining access to wireless networks.

5. Exploits of Data in Transit:
- Threats targeting data during transit across the LAN.

6. Diversity in LAN Servers:
- Managing servers with different hardware or operating systems poses challenges.

7. Unauthorized Network Probing:
- Illegitimate attempts to probe the network and port scanning.

8. Misconfigured Firewalls:
- Security risks arising from misconfigurations in firewall settings.

Securing the LAN involves addressing these threats to maintain the confidentiality, integrity, and
availability of organizational resources.

Threats to the Private Cloud
The private cloud domain comprises the private servers, resources, and IT infrastructure that are available to a single organization over the Internet. Data held there is often assumed to be safe, but security threats persist.

Common Threats to the Private Cloud:

- Unauthorized network probing and port scanning.
- Unauthorized access to resources.
- Router, firewall or network device operating system or software vulnerabilities.
- Router, firewall or network device configuration errors.
- Remote users accessing an organization’s infrastructure and downloading sensitive data.

Securing the private cloud requires addressing these threats to ensure the confidentiality, integrity, and
availability of organizational resources within the cloud domain.

Threats to the Public Cloud


Where a private cloud domain hosts computing resources for a single organization, the public
cloud domain is the entirety of computing services hosted by a cloud service or Internet provider,
available to the public and shared across organizations.

Software as a Service (SaaS): A subscription-based model providing centrally hosted software accessed by users via a web browser, app, or other software. In other words, this is software not stored locally but in the cloud.

Platform as a Service (PaaS): A subscription-based model offering a platform for developing, running, and managing applications on the service’s hardware, using provided tools. This platform is accessed via the public cloud.

Infrastructure as a Service (IaaS): A subscription-based model providing virtual computing resources like hardware, software, servers, storage, and other infrastructure components over the Internet. Organizations buy access to and use them via the public cloud.

Advanced Persistent Threats (APTs):


- Definition: Continuous, sophisticated attacks utilizing espionage tactics, involving multiple actors and advanced malware.
- Characteristics: Operate covertly, undetected for extended periods, targeting high-profile entities like governments.
- Consequences: Potentially devastating impacts due to prolonged, stealthy infiltration.

Algorithm Attacks:

- Nature: Exploitation of algorithms in legitimate software for unintended behaviors.
- Example: Using energy tracking algorithms to select targets or trigger false alerts.
- Impact: Can disable computers by exhausting RAM or overworking the CPU.

Conclusion: Vigilance against APTs is crucial, given their sophisticated nature and potential for severe
consequences. Algorithm attacks highlight the importance of securing algorithms within software to
prevent misuse and unintended outcomes.

Bluejacking:

- Nature: Harmless, playful practice.
- Method: Sending unsolicited messages via Bluetooth.
- Intent: Social interaction or communication for fun.

Bluesnarfing:

- Nature: Malicious activity.
- Method: Unauthorized access to device data via Bluetooth vulnerabilities.
- Intent: Stealing sensitive information without user knowledge.

Prevention:

- Bluejacking: Set devices to non-discoverable mode.
- Bluesnarfing: Disable unnecessary Bluetooth connections, use non-discoverable mode, apply security patches.

Attacking the Foundation


Objectives:

- Explain the IPv4 and IPv6 header structure.
- Explain how IP vulnerabilities enable network attacks.
- Explain how TCP and UDP vulnerabilities enable network attacks.

**Security Threats and Attacks:**

1. **Man-in-the-Middle (MitM) Attack:**
- **Description:** In a MitM attack, an attacker intercepts and potentially alters
communication between two parties without their knowledge, eavesdropping or
injecting malicious content.
- **Methods:** Achieved through ARP spoofing, DNS spoofing, or compromised
Wi-Fi networks.

**Man-in-the-Mobile (MitMo):**
- A variation where attackers take control of a user’s mobile device, instructing it
to exfiltrate sensitive information (e.g., Zeus malware with MitMo capabilities
capturing SMS messages).

**Spoofing:**
- Impersonation attack taking advantage of trusted relationships.
- MAC address spoofing bypasses authentication by disguising an attacker's
device.
- ARP spoofing links an attacker’s MAC address to an authorized device's IP
address.
- IP spoofing sends IP packets with a disguised source address.

**MAC Flooding:**
- Compromises data transmission by flooding the network with fake MAC
addresses.

2. **ICMP Attack (Internet Control Message Protocol):**


- **Description:** ICMP is a network layer protocol used for diagnostics and
error reporting.

- **Methods:** ICMP attacks manipulate or exploit ICMP packets, such as Ping
Flood, overwhelming a target with ICMP Echo Request packets, causing resource
consumption and network congestion.

3. **Session Hijacking:**
- **Description:** Attackers take over an established user's session to gain
unauthorized access, stealing session tokens or cookies.
- **Methods:** Techniques like session token interception, session sidejacking,
or session fixation compromise user sessions.

4. **Amplification and Reflection Attacks:**


- **Description:** Amplification generates a large volume of traffic towards a
target, causing a denial-of-service situation. Reflection attacks use third-party
servers to reflect and amplify attack traffic towards the target.
- **Methods:** Examples include DNS amplification attacks, NTP amplification
attacks, and SNMP reflection attacks. Attackers use a vulnerable server with a
spoofed source IP address, amplifying the attack.

**Note:** These attack types are not exhaustive, and attackers continually evolve
their methods. Implementing strong security measures, updating
software/systems, and using encryption can help mitigate associated risks.

**DNS Spoofing:**
- An attack where false data is introduced into a DNS resolver cache, redirecting
traffic to the attacker’s computer.
- Domain hijacking involves wrongfully gaining control of DNS information to
make unauthorized changes.

**Uniform Resource Location (URL) Redirects:**
- A URL is a unique identifier for finding a specific resource on the Internet.
- Attackers exploit URL redirects for malicious purposes, directing users to
fraudulent sites.

**Short Message Service Phishing (SMiShing):**


- Attackers use fake text messages to prompt users to visit malicious websites or
call fraudulent numbers, potentially leading to malware downloads or information
sharing.

**IP Vulnerabilities:**
- Address spoofing attacks involve threat actors attempting blind or non-blind
spoofing.
- Man-in-the-middle attacks occur when attackers intercept, capture, and
control communication transparently.
- ICMP unreachable, ICMP mask reply, ICMP redirects, and ICMP router
discovery are techniques used for network reconnaissance, mapping internal IP
networks, luring target hosts, and injecting bogus route entries.

**TCP (Transmission Control Protocol) Basics:**


- TCP provides reliable delivery, flow control, and stateful communication.
- Acknowledgments guarantee data delivery; flow control acknowledges multiple
segments with a single acknowledgment.
- Stateful communication involves the TCP three-way handshake.
- Terminating a TCP session follows a four-way exchange process.

In conclusion, understanding these threats and attacks is essential for implementing effective cybersecurity measures. Regular updates, encryption, and robust security practices are critical to mitigating risks.

TCP control bits:
- URG - Urgent pointer field significant
- ACK - Acknowledgement field significant
- PSH - Push function
- RST - Reset the connection
- SYN - Synchronize the sequence numbers
- FIN - No more data from sender
3.3.5 UDP Attacks
UDP is not protected by any encryption. You can add encryption to UDP, but it is
not available by default. The lack of encryption means that anyone can see the
traffic, change it, and send it on to its destination. Changing the data in the traffic
will alter the 16-bit checksum, but the checksum is optional and is not always
used. When the checksum is used, the threat actor can create a new checksum
based on the new data payload, and then record it in the header as a new
checksum. The destination device will find that the checksum matches the data
without knowing that the data has been altered. This type of attack is not widely
used.
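To make the checksum point concrete, here is an added example (my own code, not from the course notes) that computes the RFC 768 UDP checksum over the IPv4 pseudo-header and shows what a receiver can and cannot learn from it: a payload altered in flight without re-summing is caught, a payload altered and re-summed passes, and a zero checksum is never checked at all. Function names and the 192.0.2.x / 198.51.100.x addresses are constructed for this example.

```python
# Added example: RFC 768 UDP checksum (IPv4 pseudo-header) and a receiver-side
# verifier, demonstrating why the checksum is not an integrity control.
import struct

def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum of data (zero-padded to an even length)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return total

def udp_checksum(src_ip, dst_ip, src_port, dst_port, payload: bytes) -> int:
    """Checksum as the sender computes it (header checksum field taken as 0)."""
    length = 8 + len(payload)
    pseudo = (bytes(map(int, src_ip.split("."))) + bytes(map(int, dst_ip.split(".")))
              + struct.pack("!BBH", 0, 17, length))   # zero, protocol 17 = UDP, UDP length
    header = struct.pack("!HHHH", src_port, dst_port, length, 0)
    csum = (~ones_complement_sum(pseudo + header + payload)) & 0xFFFF
    return csum or 0xFFFF                   # RFC 768: a computed 0 is sent as all ones

def build_datagram(src_ip, dst_ip, src_port, dst_port, payload, use_checksum=True):
    """UDP header + payload; checksum 0 means 'no checksum' over IPv4."""
    csum = udp_checksum(src_ip, dst_ip, src_port, dst_port, payload) if use_checksum else 0
    return struct.pack("!HHHH", src_port, dst_port, 8 + len(payload), csum) + payload

def verify(src_ip, dst_ip, datagram: bytes) -> str:
    """Receiver-side check. Returns 'unchecked', 'ok' or 'corrupt'."""
    sport, dport, _length, csum = struct.unpack("!HHHH", datagram[:8])
    if csum == 0:
        return "unchecked"                  # optional checksum absent: nothing to verify
    expected = udp_checksum(src_ip, dst_ip, sport, dport, datagram[8:])
    return "ok" if expected == csum else "corrupt"

def demo():
    src, dst = "192.0.2.10", "198.51.100.20"   # constructed documentation addresses
    original = build_datagram(src, dst, 40000, 53, b"balance=100")
    # payload changed in flight, checksum left alone: the receiver notices
    bit_flipped = original[:8] + b"balance=900"
    # payload changed AND checksum recomputed: indistinguishable from a valid datagram
    recomputed = build_datagram(src, dst, 40000, 53, b"balance=900")
    # checksum omitted entirely: the receiver has nothing to compare against
    no_csum = build_datagram(src, dst, 40000, 53, b"balance=900", use_checksum=False)
    return (verify(src, dst, original), verify(src, dst, bit_flipped),
            verify(src, dst, recomputed), verify(src, dst, no_csum))

if __name__ == "__main__":
    print(demo())   # ('ok', 'corrupt', 'ok', 'unchecked')
```

The checksum exists to catch accidental corruption; integrity against an on-path actor needs an authenticated layer above UDP such as DTLS or an application-level MAC.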
UDP Flood Attacks
You are more likely to see a UDP flood attack. In a UDP flood attack, all the
resources on a network are consumed. The threat actor must use a tool like UDP
Unicorn or Low Orbit Ion Cannon. These tools send a flood of UDP packets, often
from a spoofed host, to a server on the subnet. The program will sweep through
all the known ports trying to find closed ports. This will cause the server to reply
with an ICMP port unreachable message. Because there are many closed ports on
the server, this creates a lot of traffic on the segment, which uses up most of the
bandwidth. The result is very similar to a DoS attack.
4.1.2 ARP Cache Poisoning

ARP cache poisoning can be used to launch various man-in-the-middle attacks.
Note: There are many tools available on the internet to create ARP MiTM attacks
including dsniff, Cain & Abel, ettercap, Yersinia, and others.
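As an added, defender-side example (my own code, unrelated to the tools named above), the following script replays constructed ARP reply records and flags the two footprints of cache poisoning described under Spoofing earlier: an IP address that suddenly answers from a different MAC, and a single MAC that claims many IP addresses. The log format, addresses and thresholds are all constructed for the example.

```python
# Added example: ARP cache poisoning detector over constructed ARP reply records.
from collections import defaultdict

# Constructed sample log, one reply per line: "<time> reply <ip> is-at <mac>"
ARP_LOG = """\
10:00:01 reply 192.0.2.1 is-at 00:11:22:33:44:01
10:00:02 reply 192.0.2.50 is-at 00:11:22:33:44:50
10:00:05 reply 192.0.2.1 is-at 00:11:22:33:44:01
10:00:09 reply 192.0.2.1 is-at de:ad:be:ef:00:99
10:00:10 reply 192.0.2.50 is-at de:ad:be:ef:00:99
10:00:11 reply 192.0.2.7 is-at de:ad:be:ef:00:99
"""

def parse(line: str):
    t, kind, ip, _, mac = line.split()
    return t, kind, ip, mac.lower()

def detect(log: str, max_ips_per_mac: int = 2):
    """Return (alerts, baseline). Alerts are (time, reason, ip, mac) tuples."""
    baseline = {}                           # ip -> first MAC observed for it
    ips_by_mac = defaultdict(set)
    alerts = []
    for line in log.splitlines():
        t, kind, ip, mac = parse(line)
        if kind != "reply":
            continue
        ips_by_mac[mac].add(ip)
        if ip in baseline and baseline[ip] != mac:
            alerts.append((t, "mac-change", ip, mac))      # IP re-bound to a new MAC
        else:
            baseline.setdefault(ip, mac)
        if len(ips_by_mac[mac]) > max_ips_per_mac:
            alerts.append((t, "mac-claims-many-ips", ip, mac))  # one MAC, many IPs
    return alerts, baseline

if __name__ == "__main__":
    for alert in detect(ARP_LOG)[0]:
        print(alert)
```

In production, seed the baseline from DHCP snooping or static bindings rather than trusting the first reply seen, as this example does.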

DNS Attacks
The Domain Name Service (DNS) protocol defines an automated service that
matches resource names, such as www.cisco.com, with the required numeric
network address, such as the IPv4 or IPv6 address. It includes the format for
queries, responses, and data and uses resource records (RR) to identify the type of
DNS response.
Securing DNS is often overlooked. However, it is crucial to the operation of a
network and should be secured accordingly.
DNS attacks include the following:
- DNS open resolver attacks
- DNS stealth attacks
- DNS domain shadowing attacks
- DNS tunneling attacks
Fast Flux
Threat actors use this technique to hide their phishing and malware delivery sites
behind a quickly-changing network of compromised DNS hosts. The DNS IP
addresses are continuously changed within minutes. Botnets often employ Fast
Flux techniques to effectively hide malicious servers from being detected.
Double IP Flux
Threat actors use this technique to rapidly change the hostname to IP address
mappings and to also change the authoritative name server. This increases the
difficulty of identifying the source of the attack.
Domain Generation Algorithms

Threat actors use this technique in malware to randomly generate domain names
that can then be used as rendezvous points to their command and control (C&C)
servers.
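An added example (my own code, not from the notes) that scores constructed DNS answer records for the three techniques just described: many short-TTL A records for one name (Fast Flux), many distinct NS records on top of that (Double IP Flux), and high-entropy labels typical of domain generation algorithm output. Record format, thresholds and the .example names are constructed; real detection would also track how the mappings change over time, which this single-snapshot version does not.

```python
# Added example: fast-flux / double-flux / DGA-style scoring of DNS records.
import math
from collections import defaultdict

# Constructed sample records: "<domain> <rrtype> <ttl> <rdata>"
DNS_LOG = """\
example.org A 3600 203.0.113.10
example.org NS 86400 ns1.example.org
payload-drop.example A 120 198.51.100.5
payload-drop.example A 120 198.51.100.77
payload-drop.example A 90 203.0.113.200
payload-drop.example A 60 192.0.2.33
payload-drop.example A 60 192.0.2.140
payload-drop.example NS 300 ns-a.payload-drop.example
payload-drop.example NS 300 ns-b.payload-drop.example
payload-drop.example NS 300 ns-c.payload-drop.example
xq7v2kz9ph4.example A 60 198.51.100.200
"""

def shannon_entropy(label: str) -> float:
    """Bits per character of the label; random-looking labels score high."""
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def analyse(log: str, min_a=3, max_ttl=300, min_ns=3, min_entropy=3.3):
    """Map each suspicious domain to the list of heuristics it triggered."""
    a_ips, ns_names, low_ttl = defaultdict(set), defaultdict(set), defaultdict(bool)
    for line in log.splitlines():
        domain, rrtype, ttl, rdata = line.split()
        if rrtype == "A":
            a_ips[domain].add(rdata)
            low_ttl[domain] |= int(ttl) <= max_ttl
        elif rrtype == "NS":
            ns_names[domain].add(rdata)
    findings = {}
    for domain in set(a_ips) | set(ns_names):
        tags = []
        if len(a_ips[domain]) >= min_a and low_ttl[domain]:
            tags.append("fast-flux")             # many short-lived A records
            if len(ns_names[domain]) >= min_ns:
                tags.append("double-flux")       # name servers change too
        if shannon_entropy(domain.split(".")[0]) >= min_entropy:
            tags.append("dga-like")              # random-looking leading label
        if tags:
            findings[domain] = tags
    return findings

if __name__ == "__main__":
    print(analyse(DNS_LOG))
```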

DHCP servers dynamically provide IP configuration information to clients.

Figure: Normal DHCP Operation (the typical sequence of a DHCP message exchange between client and server).
