Common Security Threats – CompTIA A+ 220-902 – 3.1

There are a number of different methods that the bad guys can use to attack your systems. In this video, you’ll learn how to recognize and protect yourself from the most well-known security threats.



In today’s computing environments, there are a number of different ways that the bad guys can gain access to your system. So in this video, I’ll give you an overview of some of the most common security threats.

One very broad category of malicious software is called malware. There are a lot of different types of malicious software that fall into this malware category, but none of them are good for your system. Some malware collects information from your computer and gathers keystrokes. Other types of malware make your computer participate in a much larger botnet, so somebody else is really controlling what your computer is doing. Other types of malware go directly for your wallet: they hold your system hostage and require that you pay before you regain access to your computer. And of course, you're probably also familiar with malware that takes the form of viruses and worms, which are constantly trying to infect all of our computing devices.

One type of malware that's very profitable to the bad guys is spyware. This is malware that's on your computer, watching everything you do. It may be clicking links that you, yourself, aren't clicking, or it may be gathering information about what you're doing on your computer. Spyware usually gets onto your system by tricking you into installing it, often bundled with something you actually wanted. And once it's installed, it sits quietly in the background and watches everything you do.

One good example of this is watching where you go and what you browse, capturing your surfing habits and reporting back what types of sites your computer visits. Or it might install a keylogger on your system that watches everything you type on your keyboard and reports all of that information back to a central database.

A virus is a type of malware that replicates itself from system to system, or across the network, by attaching itself to an application and running when that application runs. It needs you to run the program, and it uses that execution to spread to other files and throughout all of your systems. There are many different kinds of viruses. Some cause significant problems on your computers, and others sit in the background where you may not even know they're installed.

An anti-virus application is one of the most important security tools you can have running on your computer. So you want to make sure you have downloaded the latest signature updates, and the latest version of the scanning engine itself, and installed them on your system. Keep in mind that a signature-based scanner can only recognize malware it already has a signature for.

A worm is a type of malware that's able to replicate itself from system to system, but it doesn't need you to run a particular program. In fact, it doesn't need a human at all. It simply replicates itself across many different computers, usually by exploiting a vulnerability in a network-facing service. This is, obviously, a very bad piece of malicious software. When you have software that's able to replicate itself very quickly to many systems simultaneously, it can be a significant security concern.

Most of the worms you run into are performing some type of malicious function on your computer. But there have been worms in the past that tried to mitigate or fix problems created by other worms. Nachi was a good example of this: it went from system to system automatically, without your permission, and tried to patch the operating system vulnerability that made it susceptible to the Blaster worm. Although this probably isn't the best way to deal with worm infections, it certainly speaks to the power that worms have to automatically replicate themselves across the network.

In many organizations, it's not unusual to have a firewall or an intrusion-prevention system at the edge of the network that watches for some of these well-known worms to come through. If it identifies that worm in the network traffic, it can drop it before it ever gets inside your network.

The traditional story of a Trojan horse is one of a large wooden horse that Greek soldiers hid inside, and the horse was presented to the city of Troy. The horse was brought inside the city gates, at which point the Greek soldiers were able to then take the city, without having to go through the security methods that were in place at the city walls. The same thing happens on the digital side. We’re tricked into running a particular application because we thought the application was going to do one thing, but in reality it’s performing some other, malicious function.

In the case of a Trojan horse, you don't have to worry about a virus replicating itself or a worm automatically replicating itself, because you're the one who's doing the replication. The Trojan horse relies on you to run the application, at which time it takes over your computer. It's getting around your anti-virus and the other security systems in place, because all of those systems trust that a program you chose to run is one you meant to run. And because you've now been tricked into running this program, your computer is infected with this malware.

These Trojan horse applications are often very small, so that they can easily get inside of your system. Once they're installed, they open the door for other malicious software to get into your computer and take over your system.

Another very dangerous type of malicious software is a rootkit. The name rootkit comes from the Unix user root, who is the super user in the Linux or Unix operating system. This type of malicious software is dangerous because it's effectively invisible to the operating system's own reporting. It hides itself. So you won't see it appear in Task Manager or any of your process lists, because the operating system is no longer telling you the truth about what's running.

Rootkits use a number of different techniques to hide themselves. One common method is to modify the core system files or kernel of the operating system itself. Once you become part of the kernel, you can intercept the calls that list files and processes, and you're effectively invisible to the rest of the operating system. Since you're invisible to the operating system, anti-virus and anti-malware applications running on that same operating system won't see the rootkit either. That's why rootkit checks are often done from outside the suspect system, for example by booting from trusted media and inspecting the disk.

Sometimes a rootkit may be hiding in plain sight. For example, on our Windows computers, if you go to your Windows System Directory, there might be 2000 files inside that folder that are used to run your operating system. An attacker can simply add another file that looks like one of the legitimate ones: instead of rundll32.exe, it's rundl132.exe, with the letter l replaced by the digit 1. That single file in the midst of 2000 files can be easily overlooked. In that particular case, it's almost the same as being invisible, even though it can be clearly seen by looking at the files on your computer.
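One way to catch the "hiding in plain sight" trick described above is to fold look-alike characters together and compare every file name in a directory against a known-good list. The following is an added example, not code from the video or from any product; the directory listing and the short known-good list are constructed for the example, and a real check would also verify file hashes and digital signatures rather than names alone.

```python
# Added example: flag files whose names are look-alikes of known system
# binaries. The listing below is constructed; the known-good list is an
# assumption and deliberately short.

KNOWN_GOOD = {"rundll32.exe", "svchost.exe", "lsass.exe", "explorer.exe"}

# Characters attackers swap because they look alike in common fonts.
CONFUSABLES = str.maketrans({"1": "l", "i": "l", "|": "l", "0": "o", "5": "s"})


def canonical(name: str) -> str:
    """Lower-case the name and fold confusable characters together."""
    return name.lower().translate(CONFUSABLES)


def find_lookalikes(listing, known_good=KNOWN_GOOD):
    """Return (suspicious_name, legitimate_name) pairs from a directory listing.

    A file is suspicious when it is not itself a known-good name but its
    canonical form collides with the canonical form of a known-good name.
    """
    by_canonical = {canonical(k): k for k in known_good}
    hits = []
    for name in listing:
        if name.lower() in known_good:
            continue  # the genuine file
        match = by_canonical.get(canonical(name))
        if match:
            hits.append((name, match))
    return hits


SAMPLE_LISTING = [  # constructed: genuine files plus three impostors
    "rundll32.exe", "rundl132.exe", "svchost.exe", "svch0st.exe",
    "lsass.exe", "explorer.exe", "notepad.exe", "Isass.exe",
]

if __name__ == "__main__":
    for suspicious, legit in find_lookalikes(SAMPLE_LISTING):
        print(f"{suspicious!r} looks like {legit!r}")
```

Note that "Isass.exe" (capital I) is caught even though it contains no digit, because the check lower-cases first and then folds i into l; the genuine lsass.exe passes because it is in the known-good set.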

Ransomware is a particularly nasty form of malware. And it’s nasty because it’s one that holds your system hostage until you pay the ransom, or the money they want. Ransomware commonly goes after your very important data files. So it finds your pictures, and your documents, and your music, and your movies, and it encrypts all of these files with very strong encryption. The operating system continues to operate, so that you can start your machine. But you don’t have any access to your personal files.

The only hope you might have to regain access to your files is to pay the bad guys, so that you can then get the decryption key. This is usually done through a payment system that is very hard to trace, so there's no way to know where this money might be going. And there's no guarantee you'll actually receive a working key after paying.

This is another great reason to always have a backup of all of your files. That way if you're infected with ransomware, you can simply wipe the computer and restore from backup. The backup has to be somewhere the ransomware can't reach, such as an offline or disconnected drive. A backup drive that stays plugged in, or a mapped network share, will usually be encrypted right along with the rest of your files.

Phishing is when the bad guys get information from you by presenting you with a screen that looks like one thing, but in reality is something very different.

A good example is the PayPal screen shown in the video, which looks like a normal PayPal login page, except you'll notice some of the graphics on the page aren't working properly, and the URL at the top is absolutely not the PayPal URL. But if you were presented with this page, you might put in your email address and your PayPal password, and effectively hand all of those credentials over to the bad guy.

Usually you can find something that's not quite right. There might be a misspelling, or something on the screen might not look the way it normally does. The most reliable check is the address bar: look at the actual host name of the page, not the logo or the text of the link you clicked. There's a very specific type of phishing called spear phishing, where the bad guys go after a particular organization, or perhaps somebody within the organization who has access to very important files.
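As an added example that is not part of the video, the check below takes a link and decides whether it really points at the site it appears to belong to. It catches the tricks the transcript describes (a wrong host dressed up to look right) plus two common variants: a trusted name placed before an @ sign so the real host is hidden after it, and a bare IP address. The brand domain and the sample links are constructed for the example, and the "last two labels" domain extraction is an assumption that is fine for .com but not for suffixes like .co.uk, where a public-suffix list is needed.

```python
from urllib.parse import urlsplit

# Added example: is this link really on the site it claims to be?
# EXPECTED_DOMAIN and the sample links are constructed for the example.

EXPECTED_DOMAIN = "paypal.com"   # assumption: the brand the page imitates


def registered_domain(host: str) -> str:
    """Crude 'last two labels' registered domain, good enough for .com.
    Real code should use a public-suffix list for TLDs like .co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_link(url: str, expected: str = EXPECTED_DOMAIN) -> str:
    """Return 'ok', or a short reason the link looks like phishing."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if parts.scheme != "https":
        return "not https"
    if "@" in parts.netloc:
        # Everything before '@' is userinfo; browsers connect to the part after it.
        return f"userinfo before host ({host} is the real host)"
    if host and all(ch.isdigit() or ch == "." for ch in host):
        return "raw IP address instead of a hostname"
    if registered_domain(host) != expected:
        return f"host {host} is not under {expected}"
    return "ok"


SAMPLE_LINKS = [  # constructed
    "https://www.paypal.com/signin",
    "http://www.paypal.com/signin",
    "https://www.paypal.com.account-verify.example/login",
    "https://www.paypal.com@203.0.113.7/",
    "https://paypa1.com/signin",
    "https://203.0.113.7/signin",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(f"{classify_link(link):55} {link}")
```

The third link is the classic subdomain trick: "www.paypal.com" appears at the front, but the host the browser actually connects to ends in account-verify.example, which is what the registered-domain comparison exposes.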

A very common technique the bad guys use is called spoofing. This is when you pretend on the network to be someone you are not. One very common way to perform a spoofing attack is to change your MAC address to duplicate the MAC address of a known, trusted device on the network, which is a problem wherever access control is based on MAC addresses alone.

Another type of spoofing changes the source IP address of your packets to somebody else's address, so that when you make a request, the response goes to that third party rather than back to you. This is very commonly used in distributed denial-of-service attacks: the attacker sends requests to many servers with the victim's address as the source, and all of those servers send their responses to the victim. This works because the request is small and the reply is large, so a little traffic from the attacker becomes a lot of traffic at the victim.

One type of attack that technical controls alone can't reliably detect is social engineering. This is when you use people to get around security controls. You might get a suspicious telephone call from someone claiming to be from the help desk, saying they need to correct something inside your computer, and won't you just provide them with your username and password so they can fix the problem. Or it may be somebody walking around your place of business without a badge, not following the correct processes, trying to gain access to your computing systems.

You should always know how to handle one of these possible threats. Make sure that you know how to ask questions. Or if you think there might be a problem, make sure you know who to contact on your security team.

Shoulder surfing is one of the easiest ways to see what might be happening on somebody’s computer. You don’t need to gain access to their operating system. You don’t need to infect them with a piece of malware. You simply need to stand over their shoulder and watch exactly what they’re doing. This is very easy to do in airports, in coffee shops, or anywhere there might be a lot of people around. Some people can even do this from afar, by using binoculars or telescopes, and simply looking in the window of a building to see exactly what you are doing on your computer.

Many of the operating systems and applications that we use every day have security vulnerabilities inside of them. The problem is that nobody has identified those vulnerabilities yet, so there's no way to correct them. There's always a race to find where the vulnerability might be. The bad guys want to find it first so they can gain access to your system, and of course the good guys want to find it first so they can patch it before it becomes a problem.

If the bad guys find a vulnerability first, they're not going to tell anybody that it exists. Instead, they're going to use it for their own gain. If we discover that a bad guy is taking advantage of one of these unknown vulnerabilities, something that has never been published and nobody knew about until this moment, we call it a zero-day vulnerability. A zero-day vulnerability is, obviously, something that needs to be addressed immediately. Until the vendor ships a patch, we need some other way to mitigate the problem, such as disabling the affected feature or blocking the attack traffic, so that the bad guys can no longer use it.

If you’d like to see a list of the vulnerabilities that are publicly known, you can look at the common vulnerabilities and exposures database– or the CVE database– and you can access that at cve.mitre.org.

Our computer systems and networks have a finite number of resources available, and if we overwhelm those systems, we have performed what’s called a denial-of-service attack. If this denial-of-service attack is coming from many different locations, then it’s a distributed denial-of-service attack. It’s very common to have a large number of computing devices out on the internet that can all work together to overwhelm and take down other resources that may be on the network.

This is one of the reasons the bad guys are working so hard to infect your machine with malware, so that your computer can now be one of these bots in one of these distributed denial-of-service attacks. A good example of this is the Zeus botnet, which infected over 3.6 million computers at its peak. The bad guys are able to send messages to these computers and have them perform many different kinds of functions on the internet, including having your computer participate in one of these denial-of-service attacks. In many cases, you may not even realize your computer is participating in this denial-of-service attack, because the bad guys are using so many different computers in so many places, they’re able to send very little traffic from all of them to overwhelm the single point that they are attacking.

For most of the resources that we access over the network, we provide a username and a password to gain access. The password is a secret word or phrase, and it's usually stored as a hash, so the plaintext password doesn't sit in any database. For the bad guys to gain access to these resources, they need your password. And since a hash is a one-way function that can't be reversed, the bad guys instead go through every possible password, hash each one, and compare until they find the one that matches. This is called a brute force attack.

Most online brute force attacks don't work, because the system sees the same username being tried with password after password, and it locks the account after a certain number of failures. To get around this lockout, the bad guys perform an offline brute force attack.

To do this, the bad guys first need to get into a system and copy the password file that holds usernames and hashed passwords (on Linux that's /etc/shadow, on Windows the SAM database). At that point they can calculate hashes for every candidate password on their own hardware. They don't have to worry about locking out your account, because nothing they do touches the login server; they already have the username and the hash.

This, obviously, takes a large number of calculations, and it can take a lot of time. But eventually, if somebody goes through every possible combination, they will run across your password. That's why good systems store passwords with a per-user salt and a deliberately slow hash, so that the attacker can't share work across accounts and each guess costs them more.

Instead of going through every possible password, what if you only tried the most popular passwords people use, or every word in a dictionary? A dictionary attack is a brute force attack that only uses well-known words, plus simple variations of them, as candidate passwords. So you'll try things people commonly use, such as the word password, the word ninja, the word football. There are a number of word lists available on the internet that you can download, and they contain the most popular passwords that people tend to use.

This is very easy to do. Most people use some type of well-known word as their password, and it may be very quick to go through this subset of words and find the password you're looking for.

With all of these different vulnerabilities and types of attacks, it’s important that your IT organization knows exactly how secure your system might be. And that’s why they, usually, will have something called a standard operating environment, or an SOE. This is a set of tested and approved software and hardware that is able to protect your system from all of the latest security vulnerabilities. This is also why you may not be able to install your own software onto computers at work, because there’s no telling what type of security issue may be created by installing that software on your work device.

To be able to stay in compliance, your system will occasionally need operating system updates. You may see that your anti-virus signatures are updated, occasionally. And all of these software updates have to be checked and verified before they’re rolled out to all of your compliant systems.

As you can tell just by the topics we’ve discussed in this video, there are many different techniques that a bad guy can use to gain access to your system. That’s why you always have to stay up to date with the latest security best practices, and you always have to maintain vigilance to make sure that all of these best practices are being followed.

Your security team’s probably using a number of different security techniques to keep the bad guys out. Data loss prevention, encryption, spam filters, firewalls, and much more can be used to help protect against some of these well-known attacks on your systems. You also have to constantly perform audits on all of the systems in your computing environment, to make sure that everybody is up to date with all of these patches. Every time somebody misses installing a piece of security software or updating an anti-virus signature, this may be an opportunity for the bad guys to gain access to your computer.

In many businesses, it's common to have an ID card that is also an access card that activates an electronic lock on the doors to your building. One thing you may see is a sign on the wall that says "no tailgating", which requires that everybody badge in individually as they come through the door, and that you prevent anyone from coming in behind you.

One great description of tailgating is in Johnny Long’s book No Tech Hacking, where he dresses up as the people in a particular building. Or he might dress up as a third party that’s trusted by the people in the building. In his case, he even took up smoking so that he could sit in the smoking area and simply follow people in when they were done with their smoking break.

And one of my favorite techniques is to carry a big box of donuts and sweets. Because your hands are full, you can ask somebody to let you in the door, and who doesn't want to let in somebody who's bringing something good to eat? Of course, once you get inside, there are very few security controls. It's that first door lock that's keeping the bad guys out, and now that you're inside, you may have access to the rest of the building.

One very crafty kind of attack is a man-in-the-middle attack. This is where someone sits in the middle of your network conversation and sees everything going back and forth. In some cases, they can even change the data or redirect it. You send everything to the man in the middle, the man in the middle continues the conversation to the endpoint, and the conversation reverses itself on the way back.

One good example of a man-in-the-middle attack is ARP poisoning. The Address Resolution Protocol has no security mechanism inside of it: any device on the local network can announce that it owns any IP address, and the other devices will believe it. That makes it a very easy way to redirect traffic on your network, typically by claiming the address of the default gateway. One way to limit the damage from these man-in-the-middle attacks is to encrypt the data going back and forth. If everything is encrypted, the man in the middle can't read or usefully change the data. The encryption has to come with authentication of the other end, though, such as a properly validated certificate; otherwise the man in the middle can simply terminate the encrypted session on its own machine and open a new one to the real server.
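As an added example that is not part of the video, the watcher below does what tools such as arpwatch do: it records which MAC address answers for each IP address on the local network and raises an alert when that mapping changes, or when a single MAC starts answering for several IPs, which is the signature of the ARP poisoning described above. It works on ARP reply records that are constructed here; a real tool would read them from a packet capture or the ARP cache. The gateway address is an assumption for the example.

```python
from collections import defaultdict

# Added example: minimal ARP watcher. Input is a sequence of (sender_ip,
# sender_mac) pairs taken from ARP "is-at" replies; SAMPLE_REPLIES and
# GATEWAY_IP are constructed for the example.

GATEWAY_IP = "192.168.1.1"   # assumption: the default gateway on this LAN


def watch_arp(replies, gateway_ip=GATEWAY_IP):
    """Return a list of alert strings for suspicious ARP replies."""
    ip_to_mac = {}                 # last MAC seen answering for each IP
    mac_to_ips = defaultdict(set)  # every IP each MAC has claimed
    alerts = []
    for ip, mac in replies:
        mac = mac.lower()
        prev = ip_to_mac.get(ip)
        if prev is not None and prev != mac:
            tag = "GATEWAY " if ip == gateway_ip else ""
            alerts.append(f"{tag}{ip} changed from {prev} to {mac}")
        ip_to_mac[ip] = mac
        if ip not in mac_to_ips[mac]:
            mac_to_ips[mac].add(ip)
            if len(mac_to_ips[mac]) > 1:
                alerts.append(f"{mac} now claims {sorted(mac_to_ips[mac])}")
    return alerts


SAMPLE_REPLIES = [  # constructed: normal traffic, then a poisoning attempt
    ("192.168.1.1", "00:11:22:33:44:01"),    # real gateway
    ("192.168.1.20", "00:11:22:33:44:20"),   # a workstation (the victim)
    ("192.168.1.66", "de:ad:be:ef:00:66"),   # attacker's own box
    ("192.168.1.1", "DE:AD:BE:EF:00:66"),    # attacker claims the gateway
    ("192.168.1.20", "de:ad:be:ef:00:66"),   # ... and the victim, to relay both ways
]

if __name__ == "__main__":
    for line in watch_arp(SAMPLE_REPLIES):
        print("ALERT:", line)
```

The attacker has to claim both the gateway and the victim so that traffic in each direction flows through its machine, which is why the "one MAC, many IPs" alert is a stronger signal than a single mapping change (a legitimate change happens when a device is replaced or a DHCP lease moves).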