Most Common Cyber-Attacks
1. Denial-of-Service (DoS) and Distributed Denial-of-Service (DDoS) Attacks: Attacks flood a server or network with traffic to make it inoperative. Botnets are often used to launch various types of attacks, including TCP SYN Flood, Teardrop, Smurf, and Ping-of-Death.
1.1. TCP SYN Flood: Attackers overwhelm a server by sending a large number of SYN packets without completing the three-way handshake. The half-open connections sit in the server's backlog queue and consume its resources, making it hard for legitimate clients to connect. Attackers can launch the flood from a single computer or from many, with IP spoofing, and through botnets. The following can be used to defend:
- Increase the size of the connection queue and decrease the timeout on open connections, such as this Python code:
import socket
# Increase the size of the connection queue (listen backlog)
backlog = 100
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.bind(('localhost', 8080))
sock.listen(backlog)
# Decrease the timeout on open connections. settimeout() on the listening socket
# only bounds accept(); the limit belongs on each accepted socket so that idle
# or half-finished clients are dropped after 10 seconds
timeout = 10  # in seconds
while True:
    conn, addr = sock.accept()
    conn.settimeout(timeout)
    try:
        data = conn.recv(1024)  # handle the request here
    except socket.timeout:
        pass  # client never sent anything in time; fall through and close it
    finally:
        conn.close()
- Limit the number of requests from a single IP address within a certain time frame, such as this Python code:
from flask import Flask, request, abort
import time

app = Flask(__name__)

# dictionary mapping each IP address to [start of its time frame, request count]
ip_dict = {}
# maximum number of requests allowed within the time frame
max_requests = 10
# time frame for the maximum number of requests (in seconds)
time_frame = 60

@app.route('/')
def index():
    # get the IP address of the request (behind a reverse proxy this is the
    # proxy's address, so use the proxy's forwarded-for header there instead)
    ip_address = request.remote_addr
    # get the current timestamp
    current_time = int(time.time())
    # check if the IP address is already in the dictionary
    if ip_address in ip_dict:
        window_start, count = ip_dict[ip_address]
        # check if this request falls inside the open time frame
        if current_time - window_start <= time_frame:
            # increment the number of requests for the IP address
            count += 1
            ip_dict[ip_address] = [window_start, count]
            # deny the request with 429 (Too Many Requests) once over the limit
            if count > max_requests:
                abort(429)
        else:
            # time frame expired: start a new one with this request as its first
            ip_dict[ip_address] = [current_time, 1]
    else:
        # add the IP address to the dictionary with a fresh time frame
        ip_dict[ip_address] = [current_time, 1]
    return 'Hello, World!'
- Place servers behind a firewall configured to stop inbound SYN packets.
- Use rate-limiting and traffic filtering tools to detect and block malicious traffic from known sources.
- Enable SYN cookies so the TCP stack can validate legitimate connection requests without keeping state for every half-open connection, which blunts the effect of a flood. SYN cookies are a kernel feature (on Linux the sysctl net.ipv4.tcp_syncookies), not something an application can set per socket; the Python code below checks that they are enabled before serving, and the kernel then validates each handshake transparently:
import socket

SYNCOOKIES_SYSCTL = '/proc/sys/net/ipv4/tcp_syncookies'

def syncookies_enabled():
    # SYN cookies are validated by the kernel, not by user space: the
    # application can only check that the feature is switched on
    # (1 = on when the backlog overflows, 2 = always on)
    with open(SYNCOOKIES_SYSCTL) as f:
        return f.read().strip() in ('1', '2')

def serve():
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.bind(('0.0.0.0', 1234))
    s.listen(10)
    while True:
        # accept() only returns connections whose handshake completed, so with
        # SYN cookies on, every accepted peer proved it receives traffic at
        # its claimed source address
        conn, addr = s.accept()
        print('Connection request from:', addr)
        process_request(conn)

def process_request(conn):
    # Handle the connection request
    conn.close()

if __name__ == '__main__':
    if not syncookies_enabled():
        raise SystemExit('enable SYN cookies first: sysctl -w net.ipv4.tcp_syncookies=1')
    serve()
- Implement checks on the validity of IP packets and discard any that appear malformed or potentially malicious. For example, the following iptables rules track new SYN packets per source address and drop a source once it has sent 5 or more of them within 10 seconds:
iptables -A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN -m state --state NEW -m recent --set --name IP_PACKETS --rsource
iptables -A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN -m state --state NEW -m recent --update --seconds 10 --hitcount 5 --name IP_PACKETS --rsource -j DROP
- Additionally, encryption protocols like TLS 1.3 (Transport Layer Security) can be used to protect data from tampering during transmission and reduce the risk of a successful attack.
1.2. Teardrop Attack: Attackers send fragmented IP packets whose fragment offsets overlap, so the target cannot reassemble them and crashes or hangs. The following can be used to defend:
- Disable SMBv2 (Server Message Block version 2, a protocol used for file sharing and remote administration of computers over a network) and block ports 139 and 445. For example, in PowerShell:
# Disable SMBv2 on a web server running Windows by setting the corresponding registry key
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" -Name "SMB2" -Value 0 -Type DWORD
# Disable the SMBv2 client driver service
Set-Service -Name "mrxsmb20" -StartupType Disabled
1.3. Smurf Attack: Attackers spoof the source IP address of ICMP packets and flood a network broadcast address with ICMP echo requests. Every host on that network replies to the spoofed source, so the victim is overwhelmed by a flood of ICMP echo replies and becomes unavailable to legitimate traffic. The following can be used to defend:
- Configure end systems so they do not respond to ICMP echo requests sent to broadcast addresses; on Linux, for example:
sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1
- Keep network equipment firmware and software with the latest security patches to mitigate the risk of DoS attacks.
- Block incoming ICMP echo requests, as in the following Windows firewall rule (note that it drops all inbound echo requests, not only those addressed to a broadcast address):
netsh advfirewall firewall add rule name="Block Broadcast ICMP Requests" dir=in interface=any action=block protocol=icmpv4:8,any
1.4. Ping of Death Attack: Malformed ICMP packets (ping packets) are sent to a target system, causing buffer overflows and crashes as the target system tries to reassemble them. The following can be used to defend:
- Keep network equipment firmware and software with the latest security patches to mitigate the risk of DoS attacks.
- Configure the firewall to drop oversized ICMP echo requests, the building block of a Ping of Death. For example, the following iptables rule drops echo requests larger than 1024 bytes (with connection tracking loaded, fragments are reassembled before the rule is evaluated, so the length match sees the whole datagram):
iptables -A INPUT -p icmp --icmp-type echo-request -m length --length 1025:65535 -j DROP
1.5. Botnets: Large networks of compromised devices controlled by an attacker to conduct various malicious activities such as DDoS attacks, stealing sensitive information, sending spam emails, and cybercrime. The following can be used to defend:
- Implement RFC 3704 (Ingress Filtering for Multihomed Networks) to filter traffic entering from the Internet and deny packets with spoofed source addresses. For example, on a Cisco router the following enables unicast reverse path forwarding on an interface:
enable
configure terminal
interface <interface>
ip verify unicast source reachable-via any allow-default
exit
- Use black hole filtering to drop undesirable traffic before it enters a protected network. The following CLI example (Cisco IOS syntax) configures a BGP router to send a route for each victim IP address to a null interface:
enable
configure terminal
router bgp <your-AS-number>
 neighbor <neighbor-IP-address> remote-as <ISP-AS-number>
 !
 address-family ipv4
  network <victim-IP-address>/32
  neighbor <neighbor-IP-address> activate
  neighbor <neighbor-IP-address> route-map BLACKHOLE out
 exit-address-family
!
ip access-list standard BLACKHOLE
 permit host <victim-IP-address>
exit
!
route-map BLACKHOLE deny 10
 match ip address BLACKHOLE
!
route-map BLACKHOLE permit 20
 set ip next-hop <null-interface>
2. Man-In-The-Middle (MitM) Attack: Attackers intercept communication between two parties and impersonate one or both to gain access to sensitive information. The attacker steals sensitive information or manipulates the communication for nefarious purposes. The following can be used to defend:
- Use TLS 1.3 (Transport Layer Security) to protect communication between parties.
- Be cautious when using public networks, such as Wi-Fi hotspots, and avoid accessing sensitive information or conducting financial transactions when connected to untrusted networks.
- Regularly updating firmware, software and using anti-malware software can also help to prevent MitM attacks.
3. Phishing Attacks: Phishing is a type of social engineering attack that uses fraudulent emails or websites to trick users into revealing sensitive information or downloading malware. Phishing attacks exist in many forms, including:
3.1. Email phishing: Attackers' emails appear to be from a legitimate source and ask the recipient to click on a link or download an attachment.
3.2. Spear phishing: Attackers create a personalized message that appears to be from a trusted source, such as a colleague or friend, and asks the recipient to provide ID, banking, and login information.
3.3. Smishing: Using SMS or text messages to trick individuals into providing their personal information.
3.4. Vishing: Using voice calls to trick individuals into providing their personal information.
The following measures can be used to defend against Phishing and Spear Phishing Attacks:
- Critical thinking: Be wary of emails or messages from unknown senders. Analyze email and downloaded data.
- Hovering over links: Move your mouse over the link, but do not click it! Let the cursor hover over the link and look at where it would actually take you, then apply critical thinking to decipher the URL.
- Analyzing email headers: Email headers record the path an email took to reach your address. The “Reply-To” and “Return-Path” fields should point to the same domain as the one stated in the email's From address.
- Use two-factor authentication whenever possible to add an extra layer of security.
- Keep your software, firmware and operating system up to date to ensure that you have the latest security patches.
- Use antivirus software to protect your computer from malware and other threats.
- Sandboxing: You can test email content in a sandbox environment, logging activity from opening the attachment or clicking the links inside the email.
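The header and "hover over the link" checks above, done by a program rather than by eye, as an added example that is not part of the original page; the message it analyzes is constructed and uses reserved .example domains:

```python
from email import message_from_bytes, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (not a real email): the From: address and the visible
# link text claim examplebank.example, while Reply-To, Return-Path and the real href
# all point somewhere else
RAW_MESSAGE = b"""From: Example Bank <alerts@examplebank.example>
Reply-To: support@mail-examplebank-login.example
Return-Path: <bounce@bulk-sender.example>
Subject: Action required
Content-Type: text/html

<p>Please verify your account at
<a href="http://examplebank.example.login-verify.example/x">https://examplebank.example/login</a></p>
"""

def domain_of(header_value):
    """Lowercase domain of an address header such as 'Name <user@domain>'."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()

def header_mismatches(msg):
    """Reply-To / Return-Path domains that differ from the From: domain."""
    sender = domain_of(msg["From"])
    findings = []
    for name in ("Reply-To", "Return-Path"):
        dom = domain_of(msg[name])
        if dom and dom != sender:
            findings.append(f"{name} domain {dom} != From domain {sender}")
    return findings

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def link_mismatches(msg):
    """The 'hover over the link' check as a program: anchor text that looks
    like a URL for one host while the href actually goes to another host."""
    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return []
    collector = LinkCollector()
    collector.feed(body.get_content())
    findings = []
    for href, text in collector.links:
        if "://" not in text and not text.startswith("www."):
            continue  # plain words such as "click here" claim no host
        shown = urlparse(text if "://" in text else "http://" + text).hostname
        real = urlparse(href).hostname
        if shown and real and shown != real:
            findings.append(f"link text shows {shown} but points to {real}")
    return findings

def analyze(raw=RAW_MESSAGE):
    msg = message_from_bytes(raw, policy=policy.default)
    return header_mismatches(msg) + link_mismatches(msg)
```

A mismatch is a signal to investigate, not proof of phishing: mailing-list services and ticketing systems legitimately set a different Return-Path or Reply-To.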
4. Ransomware: Malware that encrypts a victim's files and demands payment for the decryption key. It can infect a computer or network through various means, and paying the ransom is not recommended.
The defenses against ransomware are the following:
- Keep your software and operating system up to date with the latest security patches.
- Use antivirus software to detect and remove malicious programs.
- Be cautious when opening email attachments, especially from unknown senders.
- Backup your important files regularly and keep them in a separate location from your main computer or network.
- Educate yourself and your employees about ransomware and how to avoid it.
- Consider using a reputable security solution that includes anti-ransomware protection.
5. Malware: Unwanted software, installed on your system, designed to disrupt computer systems, steal sensitive information, or gain unauthorized access to networks or devices. Malware can take many forms, including viruses, Trojans, worms, spyware, and ransomware, and can be delivered to a victim's computer or network through a variety of channels, including email attachments, malicious websites, and infected software downloads. The following can be used to defend:
- Keep your software and operating system up to date with the latest security patches.
- Use antivirus software and keep it updated to detect and remove malware.
- Be cautious when opening email attachments, especially from unknown senders.
- Avoid downloading software from untrusted sources or clicking on suspicious links.
- Use strong and unique passwords (at least 14 characters long, mixing letters, numbers and special characters) for all accounts and consider using two-factor authentication whenever possible.
- Backup important files regularly and keep them in a separate location from your main computer or network.
6. Password Attacks: Attacks that try to obtain or guess a user's password, typically by trying many candidate passwords with automated tools until the correct one is found. These attacks can be:
6.1. Brute force attacks: Trying every possible combination of characters until the correct password is found. This is a time-consuming process but can be effective if the password is weak.
6.2. Dictionary attacks: Using a list of common words or phrases to try and guess the password. This can be effective if the user has used a common or easy-to-guess password.
6.3. Phishing attacks: Tricking the user into revealing their password by impersonating a legitimate website or service.
6.4. Keylogging: Installing malware on a victim's computer that records their keystrokes, including their passwords.
The defenses against Password Attacks are the following:
- Use strong (at least 14 characters long, mixing letters, numbers and special characters) and unique passwords for each account.
- Enable two-factor authentication whenever possible and avoid using easily guessable information such as your name, date of birth, or address in your passwords.
- Be wary of phishing attempts and only enter your password on trusted websites.
- To prevent keylogging attacks, it is important to keep your antivirus software up to date, avoid downloading software from untrusted sources, and be cautious when opening email attachments or clicking on links.
- Monitor your accounts for any unusual activity and change your passwords regularly to minimize the impact of a potential password attack.
7. SQL Injection Attacks: A type of attack that exploits vulnerabilities in web applications to gain unauthorized access to databases or steal sensitive information. Consider an application that builds dynamic SQL like this:
`"SELECT * FROM users WHERE account = '" + userProvidedAccountNumber + "'"`
While this works for users who properly enter their account number, it leaves a hole for attackers. For example, if someone provides an account number of `' or '1' = '1`, the resulting query string is:
`SELECT * FROM users WHERE account = '' or '1' = '1'`
Because '1' = '1' always evaluates to TRUE, the database returns the data for all users instead of just a single user.
The vulnerability to this type of attack rests on the fact that SQL makes no real distinction between the control and data planes: user-supplied data pasted into the statement text becomes part of the command. SQL injection therefore works mostly where a website uses dynamic SQL. Additionally, SQL injection is very common in PHP and ASP applications due to the prevalence of older functional interfaces.
The defenses against SQL Injection Attacks are the following:
- Use parameterized queries to avoid the need for direct user input into SQL statements.
- Use input validation to ensure that user input is restricted to expected values.
- Use secure coding practices to minimize the risk of vulnerabilities in your web application.
- Keep your firmware, software and operating system up to date with the latest security patches.
- Use a web application firewall to detect and block SQL injection attacks.
- Regularly scan your web application for vulnerabilities using a reputable vulnerability scanner.
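The dynamic-SQL query from the text next to its parameterized and input-validated forms, run against a constructed in-memory SQLite table so the difference is observable; this is an added example and not code from the original page:

```python
import sqlite3

def make_db():
    """Constructed in-memory sample table (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (account TEXT, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("1001", "alice"), ("1002", "bob"), ("1003", "carol")])
    return conn

def lookup_dynamic_sql(conn, user_provided_account):
    """Vulnerable: the input is pasted into the statement text, exactly like the
    dynamic SQL shown above, so it can rewrite the WHERE clause."""
    query = "SELECT name FROM users WHERE account = '" + user_provided_account + "'"
    return [row[0] for row in conn.execute(query)]

def lookup_parameterized(conn, user_provided_account):
    """Hardened: the statement text is fixed and the value is bound as a
    parameter, so the database engine never interprets it as SQL."""
    query = "SELECT name FROM users WHERE account = ?"
    return [row[0] for row in conn.execute(query, (user_provided_account,))]

def lookup_validated(conn, user_provided_account):
    """Defense in depth: input validation rejects anything that is not an
    account number before the (still parameterized) query runs."""
    if not user_provided_account.isdigit() or len(user_provided_account) > 10:
        raise ValueError("account number must be 1 to 10 digits")
    return lookup_parameterized(conn, user_provided_account)

def demo():
    """Run the same payload from the text through both query styles."""
    conn = make_db()
    injection = "' or '1' = '1"
    return {
        "dynamic_normal": lookup_dynamic_sql(conn, "1002"),
        "dynamic_injected": lookup_dynamic_sql(conn, injection),   # every user
        "param_injected": lookup_parameterized(conn, injection),   # no user
    }
```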
8. Insider Attacks: Attacks carried out by individuals with authorized access to systems or data who abuse their privileges for personal gain or to cause harm. Intentional attacks involve stealing sensitive information, modifying data, or disrupting systems. Unintentional attacks occur when an employee or contractor accidentally shares sensitive information or falls for a scam. The following can be used to defend:
- Implement access controls that limit access to sensitive information and systems to only those who need it, and regularly remove access for those who no longer need it.
- Train employees and contractors on proper security practices, including how to identify and report suspicious activity.
- Monitor network activity and use tools to detect and prevent unauthorized access and data exfiltration.
- Conduct background checks and security screenings for employees and contractors.
- Implement security policies and procedures for data handling, including data encryption, backup, and destruction.
- Regularly review and audit access logs and activity to identify any suspicious behavior.
9. Zero-Day Exploits: Attacks that exploit previously unknown vulnerabilities in software or systems that have not been patched or fixed. These attacks occur on the same day the vulnerability is discovered, giving software vendors no time to develop and release a patch. Attackers use zero-day exploits to gain unauthorized access to systems or to steal or modify sensitive information, using various methods to discover vulnerabilities. The following can be used to defend:
- Keep your software and operating systems up to date with the latest security patches and updates.
- Use security software, such as antivirus and firewalls, to detect and prevent attacks.
- Be cautious when opening email attachments or clicking on links, as these can be used to deliver zero-day exploits.
- Use network segmentation and access controls to limit the impact of any successful attack.
- Conduct regular vulnerability assessments and penetration testing to identify potential vulnerabilities before they can be exploited.
- Implement strong security policies and procedures to protect sensitive information and limit the potential impact of a successful attack.
- If a zero-day exploit is suspected or detected, immediately isolate the affected system or network segment, disable compromised user accounts, and restore backups of the affected data. It is also important to notify the software vendor and law enforcement or regulatory authorities as necessary.
10. Advanced Persistent Threats (APTs): Sophisticated attacks carried out by well-funded organizations with the aim of stealing sensitive information or disrupting operations over an extended period. APTs use various techniques, including spear phishing, malware, and social engineering, and are difficult to detect and can remain undetected for long periods. The following can be used to defend:
- Implement a multi-layered approach to security, including network segmentation, access controls, and intrusion detection and prevention systems.
- Use strong authentication methods, such as two-factor authentication, to limit unauthorized access.
- Regularly update firmware, software and operating systems with the latest security patches and updates.
- Conduct regular security audits, assessments, penetration testing to identify potential vulnerabilities.
- Train employees on security best practices, including how to identify and report suspicious activity.
- Implement security policies and procedures for data handling, including data encryption, backup, and destruction.
If an APT is suspected or detected, immediately isolate the affected system or network segment, disable compromised user accounts, and restore backups of the affected data. It is also important to notify law enforcement or regulatory authorities as necessary. A comprehensive incident response plan should be in place to address APTs and other types of cyber-attacks.
11. Birthday Attack (Birthday Paradox): A statistical phenomenon where the probability of two people sharing the same birthday is greater than 50% in a group of 23 or more people. In cybersecurity, it refers to a type of cryptographic attack that exploits this probability to compromise a hashing algorithm and find a collision.
To protect against birthday attacks, use strong cryptographic algorithms and hash functions with long hash values, and avoid weak or outdated ones. Keep firmware, software, and operating systems up to date with the latest security patches and updates to mitigate risks.
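The probability behind the paradox, worked through here as an added example (not part of the original page) and carried over to a hash function with b-bit output, which is why "long hash values" matter:

```latex
% Probability that at least two of n people share a birthday (365 equally likely days)
P(n) = 1 - \prod_{k=1}^{n-1}\left(1 - \frac{k}{365}\right)
     \approx 1 - e^{-n(n-1)/(2\cdot 365)},
\qquad P(23) \approx 0.507 > \tfrac{1}{2}
\quad\text{(the exponential approximation gives } 1 - e^{-253/365} \approx 0.500\text{)}.

% Same argument for a hash with b-bit output, i.e. N = 2^b possible values,
% when n messages are hashed:
P_{\text{collision}}(n) \approx 1 - e^{-n^2/(2N)}
\quad\Longrightarrow\quad
P_{\text{collision}} = \tfrac{1}{2}\ \text{at}\ n \approx \sqrt{2N\ln 2} \approx 1.18 \cdot 2^{b/2}.

% So a b-bit hash offers only about b/2 bits of collision resistance:
b = 128 \text{ (MD5)}: \approx 2^{64} \text{ hash computations},\qquad
b = 256 \text{ (SHA-256)}: \approx 2^{128} \text{ hash computations}.
```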
12. Eavesdropping Attack (aka Sniffing or Snooping): Attackers use packet sniffers, wiretapping or man-in-the-middle attacks targeting both wired and wireless networks to intercept network traffic to steal sensitive information. The following can be used to defend:
- Use strong encryption methods, such as TLS 1.3 when transmitting sensitive data over a network.
- Network segmentation and access controls can also be used to limit the impact of a successful attack.
- Wireless networks should be secured using strong passwords, WPA2 encryption, and other security measures.
- Use security software, such as antivirus and firewalls, to detect and prevent eavesdropping attacks.
- Conduct regular security audits, assessments, penetration testing to identify potential vulnerabilities.
- Train employees on security best practices, including how to identify and report suspicious activity.
- Implement security policies and procedures for data handling, including data encryption, backup, and destruction.
If an Eavesdropping attack is suspected or detected, immediately isolate the affected system or network segment, disable compromised user accounts, and restore backups of the affected data. It is also important to notify law enforcement or regulatory authorities as necessary.
13. Cross-Site Scripting (XSS): Injecting malicious code into a web page to steal sensitive information or perform unauthorized actions on behalf of the user. Attackers can exploit vulnerabilities in web applications or trick users into clicking on a malicious link or attachment. The following can be used to defend:
- Use secure coding practices when developing web applications, such as input validation and output sanitization to prevent untrusted data from being displayed on a web page.
- Add Content Security Policy (CSP) in HTTP header with directives such as default-src, script-src, style-src, and others to specify the allowed sources for different types of contents.
- Use Web application firewalls to detect and block malicious code injection attempts.
- Be cautious when clicking on links or opening attachments, and by using browser extensions that can block scripts and prevent malicious code from executing.
- Keep web browsers and other software up to date with the latest security patches.
If an XSS attack is suspected or detected, immediately isolate the affected system or network segment, disable compromised user accounts, and restore backups of the affected data. It is also important to notify law enforcement or regulatory authorities as necessary.
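The first two defenses above (output encoding and a Content Security Policy header with default-src, script-src and style-src directives) in a minimal WSGI application, as an added example that is not code from the original page; the policy values and the `name` parameter are assumptions for the demonstration:

```python
from html import escape
from urllib.parse import parse_qs

# Content Security Policy sent with every response: scripts and styles may load
# only from this site's own origin, inline <script> blocks are not allowed, and
# anything not listed is denied by default-src 'none'. Hypothetical policy,
# to be adjusted per site.
CSP = "default-src 'none'; script-src 'self'; style-src 'self'; img-src 'self'"

def render_unsafe(name):
    """Vulnerable: untrusted input is concatenated straight into the HTML, so a
    name of <script>...</script> is executed by the browser."""
    return "<h1>Hello, " + name + "!</h1>"

def render_safe(name):
    """Hardened: output encoding turns <, >, &, ' and " into entities so the
    browser renders the input as text, never as markup."""
    return "<h1>Hello, " + escape(name, quote=True) + "!</h1>"

def app(environ, start_response):
    """Minimal WSGI app: escapes the 'name' query parameter and sends the CSP."""
    params = parse_qs(environ.get("QUERY_STRING", ""))
    name = params.get("name", ["stranger"])[0]
    body = render_safe(name).encode("utf-8")
    start_response("200 OK", [
        ("Content-Type", "text/html; charset=utf-8"),
        ("Content-Security-Policy", CSP),
        ("X-Content-Type-Options", "nosniff"),
    ])
    return [body]

def call_app(query_string):
    """Drive the app without a network; returns (status, headers, body)."""
    captured = {}
    def start_response(status, headers):
        captured["status"], captured["headers"] = status, dict(headers)
    chunks = app({"QUERY_STRING": query_string}, start_response)
    return captured["status"], captured["headers"], b"".join(chunks).decode("utf-8")
```

Encoding must match the output context: `html.escape` is right for element text and quoted attribute values, while data placed inside a script block, a URL or a CSS value needs the encoding of that context.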
14. Drive-By Attack: Malware downloaded on a user's computer after visiting a compromised website or clicking on a malicious link, exploiting vulnerabilities in the browser or other software. Various techniques, including malicious scripts and hidden iframes, can bypass security controls to infect the user's system. The following can be used to defend:
- Use security software, such as antivirus and firewalls, to detect and prevent the installation of malicious software.
- Keep your firmware, software and operating system up to date with the latest security patches.
- Be cautious when clicking on links or visiting websites, particularly if they are unfamiliar or appear suspicious.
- Browser extensions that can block scripts and prevent the execution of malicious code can also be used to protect against drive-by attacks.
If a drive-by attack is suspected or detected, immediately isolate the affected system or network segment, disable compromised user accounts, and restore backups of the affected data. It is also important to notify law enforcement or regulatory authorities as necessary.
15. AI-Powered Attacks: Attackers also use artificial intelligence in the following ways:
- Adversarial attacks: AI deceives other AI systems or humans into believing something is authentic and bypasses security measures like spam filters, malware detection, and biometric authentication.
- Automated cyberattacks: AI automates and enhances cyberattacks, increasing their speed, efficiency, and targeting. Personalized phishing attacks exploit victims' interests for higher success rates.
- Deepfakes: AI-generated fake videos and audio spread disinformation and defamation. Impersonation hampers authentication and the detection of fraud.
- Data breaches: AI analyzes large data volumes for cybercriminals to identify and exploit system vulnerabilities. Social media analysis aids social engineering attacks.
- Malware: AI creates sophisticated, evasive malware that adapts to its environment, making detection and removal challenging.