Instructor's Manual to Accompany

Security+ Guide to Network Security Fundamentals, 2e
Chapter 2
Attackers and Their Attacks
At a Glance

Instructor's Notes
• Chapter Overview
• Chapter Objectives
• Technical Notes
• Lecture Notes
• Quick Quizzes
• Discussion Questions
• Additional Activities
Instructor’s Notes
Chapter Overview
In this chapter, students will discover who is responsible for attacking information and the systems that store,
process, and exchange that information. They will examine some of the motives attackers have for striking and
damaging computer systems and explore the types of attacks that attackers unleash. With this information, students
can begin to organize a sound defense to attempt to thwart their attacks.
Chapter Objectives
After reading this chapter, students will be able to:
• Develop attacker profiles
• Describe basic attacks
• Describe identity attacks
• Identify denial of service attacks
• Define malicious code (malware)
Technical Notes

HANDS-ON PROJECTS | HARDWARE DEVICES REQUIRED | OPERATING SYSTEM REQUIRED | OTHER RESOURCES
Project 2-1 | Computer PC | Windows XP | Windows XP Professional Backup utility and floppy disks, CD, tape, or other high-capacity storage device
Project 2-2 | Computer PC | Windows XP | None
Project 2-3 | Computer PC | Windows XP | Internet connectivity
Project 2-4 | Computer PC | Windows XP | Advanced Word 2000 Password Recovery (AW2000PR) tool
Project 2-5 | Computer PC | Linux | Internet connectivity
This chapter should not be completed in one class session. It is recommended that you split the chapter into at least
two class sessions, if possible. The subject matter can be covered in a 2- to 4-hour period, plus any at-home exercises you wish to assign.
Lecture Notes
Developing Attacker Profiles
Six categories of people violate network and computer systems: hackers, crackers, script kiddies, spies, employees,
and cyberterrorists. Table 2-1 on page 30 of the text summarizes the attackers, their skill level, and their motivations
for attacks.
Hackers
A hacker is described as a person who uses his or her advanced computer skills to attack computers, but not with a
malicious intent. Instead, hackers use their skills to expose security flaws.
Crackers
A cracker is a person who violates system security with malicious intent. Like hackers, crackers have advanced
knowledge of computers and networks and the skills to exploit them. Crackers destroy data, deny legitimate users of
service, or otherwise cause serious problems on computers and networks.
Script Kiddies
Much like crackers, script kiddies want to break into computers to create damage. However, whereas crackers have
an advanced knowledge of computers and networks, script kiddies are unskilled users. Script kiddies do their work
by downloading automated hacking software from Web sites and then using it to break into computers. Script
kiddies tend to be young computer users who have almost unlimited amounts of leisure time, which they can use to
attack systems.
Spies
A computer spy is a person who has been hired to break into a computer and steal information. Spies do not
randomly search for unsecured computers to attack as script kiddies, crackers, and hackers do. Rather, spies are
hired to attack a specific computer that contains sensitive information.
Employees
One of the largest information security threats to a business actually comes from an unlikely source: its employees.
Employees break into their company’s computer for various reasons.
Quick Reference
Discuss some of the reasons employees break into their company’s computer as
listed on page 33 of the text.
Cyberterrorists
Many security experts fear that terrorists will turn their attacks to the network and computer infrastructure to cause
panic. Known as cyberterrorists, their motivation may be defined as ideology, or attacking for the sake of their
principles or beliefs. One of the targets highest on the list of cyberterrorists is the Internet itself.
Quick Reference
Discuss the report distributed by the Institute for Security Studies at Dartmouth
College, which lists the three goals of a cyberattack as listed on page 33 of the
text.
Understanding Basic Attacks
Today, the global computing infrastructure is the most likely target of attacks. In general, attackers are becoming
more sophisticated and are moving away from searching for bugs in specific software applications and toward
probing the underlying software and hardware infrastructure itself.
Social Engineering
The easiest way to attack a computer system requires almost no technical ability and is usually highly successful.
Social engineering relies on tricking and deceiving someone to access a system.
Quick Reference
Discuss the examples of social engineering as listed on pages 35 and 36 of the
text.
Social engineering is not limited to telephone calls or dated credentials. One popular technique, called dumpster
diving, involves digging through trash receptacles to find computer manuals, printouts, or password lists that have
been thrown away. Another approach is known as phishing, which involves sending people electronic requests for
information that appear to come from a valid source.
Social engineering is best defeated in two ways. First, develop strong procedures, in the form of instructions or
company policies, regarding when passwords are given out, who can enter the premises, and what to do when another
employee asks questions that may reveal protected information. The second way to defeat social engineering is to
educate all employees about the policies and ensure that these policies are followed.
Password Guessing
A password is a secret combination of letters and numbers that validates or authenticates a user. Passwords are used
with usernames to log on to a system, using a dialog box such as the one shown in Figure 2-1 on page 37 of the text.
Quick Reference
Discuss some of the characteristics of weak passwords as listed on page 37 of
the text.
Attackers attempt to exploit weak passwords by password guessing. Password-guessing attacks fall into three
categories. The first type of attack is brute force, in which an attacker attempts to create every possible password
combination by systematically changing one character at a time in a hypothetical password and then using each
newly generated password to access the system.
The second type of password guessing is a dictionary attack. Unlike a brute force attack, in which all possible
combinations are used, a dictionary attack takes each word from a dictionary and encodes it (called hashing) in the
same way the computer encodes a user’s password. Figure 2-2 on page 38 of the text shows a dictionary attack.
The third type of attack is software exploitation. This attack takes advantage of any weakness in software to bypass
security that requires a password. One of the most common exploitations is a buffer overflow, which occurs when a
computer program attempts to stuff more data into a temporary storage area (a buffer) than it can hold. In Figure 2-3
on page 39 of the text, the buffer for a program is six characters and is adjacent to another computer storage area that
contains instructions for the computer.
Quick Reference
Discuss some of the policies that can minimize password-guessing attacks as
illustrated on page 40 of the text.
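As an added illustration (not from the textbook or this manual), the following Python turns the dictionary comparison the text describes to defensive use: the same hash-and-compare loop a dictionary attack runs is what a password-change check runs to reject guessable passwords, and an account-lockout counter is one policy that limits online guessing. The wordlist, the unsalted SHA-256 storage scheme, the length and character-class rule, and the lockout threshold are assumptions for the example, not the textbook's list.

```python
import hashlib

# Constructed wordlist standing in for the dictionary file an attacker, or a
# defender's password checker, would use.
DICTIONARY = ["password", "letmein", "qwerty", "welcome", "sunshine", "dragon"]


def unsalted_hash(password: str) -> str:
    """Storage scheme assumed for the example: one fixed hash per password,
    which is exactly what lets dictionary-word hashes be compared directly."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def dictionary_match(stored_hash: str, words=DICTIONARY):
    """Hash each dictionary word the way the system does and compare it with
    the stored hash (the dictionary attack of Figure 2-2); returns the
    recovered word, or None if no dictionary word produced that hash."""
    for word in words:
        if unsalted_hash(word) == stored_hash:
            return word
    return None


def is_acceptable_password(candidate: str, words=DICTIONARY, min_len=8) -> bool:
    """Password-change policy: refuse anything dictionary_match() would find
    at once, and require letters plus digits and a minimum length."""
    if len(candidate) < min_len:
        return False
    if dictionary_match(unsalted_hash(candidate.lower()), words) is not None:
        return False
    return any(c.isalpha() for c in candidate) and any(c.isdigit() for c in candidate)


class LoginGuard:
    """Account lockout after repeated failures: the policy that blunts online
    brute-force and dictionary guessing (max_failures is an assumed value)."""

    def __init__(self, max_failures=5):
        self.max_failures = max_failures
        self.failures = {}
        self.locked = set()

    def attempt(self, user: str, password: str, stored_hash: str) -> str:
        if user in self.locked:
            return "locked"
        if unsalted_hash(password) == stored_hash:
            self.failures[user] = 0
            return "ok"
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= self.max_failures:
            self.locked.add(user)
            return "locked"
        return "denied"
```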
Weak Keys
Cryptography, from two Greek words—crypto, meaning hidden, and graph, meaning writing—is the science of
transforming information so that it is secure while it is being transmitted or stored. Cryptography does not attempt to
hide the existence of the data; instead, it “scrambles” the data so that it cannot be viewed by unauthorized users.
Changing the original text to a secret message using cryptography is known as encryption. The success of
cryptography depends on the process used to encrypt and decrypt messages. This process is based on a procedure
called an algorithm. The algorithm is given a value known as a key that it uses to encrypt the message. However,
any mathematical key that creates a detectable pattern or structure provides an attacker with valuable information to
break the encryption. Keys that create this type of repeating pattern are known as weak keys.
Mathematical Attacks
Cryptanalysis is the process of attempting to break an encrypted message. One type of cryptanalysis is a
mathematical attack, which often develops a statistical analysis of the characters in an encrypted text and then
analyzes the statistics to discover the keys and decrypt the data.
Birthday Attacks
When you meet someone for the first time, you have a 1 in 365 chance—0.27%—that he has the same birthday as
you. If you meet 60 people, the probability leaps to over 99% that you will share the same birthday with one of these
people. This phenomenon is called the birthday paradox. A birthday attack is an attack on a cryptographical
system that exploits the mathematics underlying the birthday paradox.
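Carrying the chapter's birthday figures through in Python, as an added example that is not from the textbook or manual: the 1-in-365 figure is the chance that one other person shares your birthday, while the over-99% figure for 60 people comes from the probability that some pair in the group shares a birthday. The last function applies the same calculation to a hash function's output space, which is why a birthday attack needs roughly the square root of that space in trials; the square-root approximation used there is an assumption noted in the comment.

```python
from math import log, sqrt


def birthday_collision_probability(n: int, space: int = 365) -> float:
    """Probability that at least two of n values drawn uniformly from `space`
    possibilities coincide: 1 - (space/space) * ((space-1)/space) * ...
    For birthdays space = 365; for an m-bit hash, space = 2**m."""
    no_match = 1.0
    for i in range(n):
        no_match *= (space - i) / space
    return 1.0 - no_match


def single_match_probability(space: int = 365) -> float:
    """The chance that one other person shares *your* birthday: 1/365."""
    return 1.0 / space


def draws_for_half_collision(space: int) -> int:
    """Approximate number of draws giving a 50% chance of some collision,
    sqrt(2 * space * ln 2) (assumed standard approximation). For a hash with
    2**m outputs this is about 2**(m/2): the cost a birthday attack pays."""
    return int(sqrt(2 * space * log(2)))
```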
Quick Quiz
1. ____________ tend to minimize or misconstrue the consequences of their activities. ANSWER: Ethical hackers
2. ____________ are hired to attack a specific computer that contains sensitive information. ANSWER: Spies
3. _____________ involves sending people electronic requests for information that appear to come from a valid source. ANSWER: Phishing
4. A(n) _____________ attack takes advantage of any weakness in software to bypass security that requires a password. ANSWER: software exploitation
5. _____________ attacks can best be resisted by NOT sending the same encrypted message more than once. ANSWER: Mathematical
Examining Identity Attacks
In another category of attacks, the attacker attempts to assume the identity of a valid user.
Man-in-the-Middle Attacks
Man-in-the-middle attacks on computer information are common attacker tools. This type of attack makes it seem
that two computers are communicating with each other, when actually they are sending and receiving data with a
computer between them, or the “man in the middle.” In Figure 2-5 on page 43 of the text, Computer A and
Computer B are communicating without recognizing that an attacker, as the man in the middle, is intercepting their
transmissions.
Man-in-the-middle attacks can be active or passive. In a passive attack, the attacker captures the sensitive data that is
being transmitted and then sends it on to the original recipient without his presence being detected. In an active
attack, the contents of the message are intercepted and altered before they are sent on.
Replay
A replay attack is similar to an active man-in-the-middle attack. However, whereas an active man-in-the-middle
attack changes the contents of a message before sending it on, a replay attack only captures the message and then
sends it again later. A replay attack takes advantage of the communications between a network device and a file
server. Figure 2-6 on page 44 of the text illustrates a replay attack.
TCP/IP Hijacking
With wired networks, TCP/IP hijacking uses a technique known as spoofing, which is the act of pretending to be the
legitimate owner when in reality you are not. One particular type of spoofing is Address Resolution Protocol
(ARP) spoofing. To understand ARP spoofing, remember that each computer using TCP/IP must have a unique IP
address. In addition, certain types of local area networks (LANs), such as Ethernet, must also have another address,
called the media access control (MAC) address, to move information around the network. Computers on a
network keep a table that links each IP address with the corresponding MAC address, as shown in Figure 2-7 on page 45 of
the text. In an ARP spoofing attack, a hacker changes the table so that packets are redirected to his computer, as
shown in Figure 2-8 on page 45 of the text.
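An added example, not from the textbook or manual, of the defender's side of the address table just described: a monitor that builds its own IP-to-MAC table from observed ARP replies, raises an alert whenever a reply rewrites a known binding or one MAC starts answering for several IPs, and never lets a reply overwrite a pinned static entry. The reply records, addresses and record format are constructed for the example.

```python
from collections import namedtuple

ArpReply = namedtuple("ArpReply", "time ip mac")

# Constructed ARP replies as a passive monitor on the LAN segment might
# record them (times and addresses invented for the example).
SAMPLE_REPLIES = [
    ArpReply("10:00:01", "192.168.1.1", "00:11:22:33:44:01"),   # gateway
    ArpReply("10:00:02", "192.168.1.20", "00:11:22:33:44:20"),  # Computer B
    ArpReply("10:00:30", "192.168.1.1", "00:11:22:33:44:01"),   # same binding again
    ArpReply("10:01:05", "192.168.1.1", "00:11:22:33:44:99"),   # gateway IP, new MAC
    ArpReply("10:01:06", "192.168.1.20", "00:11:22:33:44:99"),  # same MAC claims B too
]


def detect_arp_changes(replies, static=None):
    """Maintain the IP-to-MAC table the text describes and report anything
    that looks like the table being rewritten from outside.

    static: optional IP-to-MAC entries (e.g. the gateway) that are pinned and
    never replaced by a reply; a contradicting reply is still reported.
    Returns (table, alerts)."""
    static = dict(static or {})
    table = dict(static)
    mac_to_ips = {}
    alerts = []
    for r in replies:
        previous = table.get(r.ip)
        if previous is not None and previous != r.mac:
            kind = "static entry contradicted" if r.ip in static else "binding changed"
            alerts.append(f"{r.time} {r.ip}: {kind} {previous} -> {r.mac}")
        if r.ip not in static:
            table[r.ip] = r.mac  # learn or refresh a dynamic entry
        mac_to_ips.setdefault(r.mac, set()).add(r.ip)
        if len(mac_to_ips[r.mac]) > 1:  # one interface answering for several hosts
            alerts.append(f"{r.time} {r.mac}: claims {sorted(mac_to_ips[r.mac])}")
    return table, alerts
```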
Identifying Denial of Service Attacks
In contrast to a normal network situation, a denial of service (DoS) attack attempts to make a server or other
network device unavailable by flooding it with requests, such as to display a Web page or access a stored file. After
a short time, the server runs out of resources and can no longer function. This is known as a SYN attack because it
exploits the SYN/ACK “handshake.” Figure 2-10 on page 47 of the text shows a server waiting for a response
during a DoS attack.
Another DoS attack tricks computers into responding to a false request. An attacker can send a request to all
computers on the network that makes it appear as if a server is asking for a response. Each of the computers then
responds to the server, overwhelming it, and causing the server to crash or be unavailable to legitimate users. This is
called a Smurf attack.
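As an added example (not from the textbook or manual), the following Python applies the two descriptions above to constructed packet summaries: it counts half-open handshake slots per server port, consumed by SYNs that are never completed by the client's ACK, and counts echo requests sent to a directed-broadcast address in a forged victim's name. The summary line format, the addresses, the .255 broadcast convention and the thresholds are assumptions for the example.

```python
import re
from collections import defaultdict

# Constructed packet summaries in an invented one-line format:
# "<time> TCP <src> -> <dst>:<port> <flag>" or "<time> ICMP <src> -> <dst> <type>"
SAMPLE = """\
12:00:00.000 TCP 198.51.100.7 -> 192.0.2.10:80 S
12:00:00.010 TCP 198.51.100.7 -> 192.0.2.10:80 A
12:00:01.000 TCP 203.0.113.11 -> 192.0.2.10:80 S
12:00:01.001 TCP 203.0.113.12 -> 192.0.2.10:80 S
12:00:01.002 TCP 203.0.113.13 -> 192.0.2.10:80 S
12:00:01.003 TCP 203.0.113.14 -> 192.0.2.10:80 S
12:00:02.000 ICMP 192.0.2.10 -> 192.0.2.255 echo-request
12:00:02.001 ICMP 192.0.2.10 -> 192.0.2.255 echo-request
12:00:02.002 ICMP 192.0.2.10 -> 192.0.2.255 echo-request
"""

LINE = re.compile(r"(\S+) (TCP|ICMP) (\S+) -> (\S+?)(?::(\d+))? (\S+)$")


def parse(text):
    """Yield (time, proto, src, dst, port, info) tuples; port is None for ICMP."""
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            yield m.groups()


def half_open_counts(records):
    """Per server port, the sources whose SYN was never completed by an ACK:
    each is a half-open slot the server still holds, which a SYN flood exhausts."""
    pending = defaultdict(set)
    for _, proto, src, dst, port, info in records:
        if proto != "TCP":
            continue
        if info == "S":
            pending[f"{dst}:{port}"].add(src)
        elif info == "A":
            pending[f"{dst}:{port}"].discard(src)
    return {k: len(v) for k, v in pending.items()}


def smurf_suspects(records, max_requests=2):
    """Echo requests to a directed-broadcast address (assumed: ends in .255),
    counted per claimed source; that source is the victim every host will answer."""
    counts = defaultdict(int)
    for _, proto, src, dst, _, info in records:
        if proto == "ICMP" and info == "echo-request" and dst.endswith(".255"):
            counts[src] += 1
    return {s: n for s, n in counts.items() if n > max_requests}


def analyze(text, syn_threshold=3):
    """Return (ports with at least syn_threshold half-open slots, smurf suspects)."""
    records = list(parse(text))
    syn_alerts = {k: n for k, n in half_open_counts(records).items() if n >= syn_threshold}
    return syn_alerts, smurf_suspects(records)
```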
Understanding Malicious Code (Malware)
Malicious code, or malware, consists of computer programs designed to break into computers or to create havoc on
computers. The most common types of malware are viruses, worms, logic bombs, Trojan horses, and back doors.
According to the security organization Sandvine, Internet service providers (ISPs) in North America spend more
than $245 million annually to combat malware.
Viruses
A computer virus is a program that secretly attaches itself to another document or program and executes when that
document or program is opened. A virus might cause problems ranging from displaying an annoying message to
erasing files from a hard drive or causing a computer to crash repeatedly. After it infects one computer, the virus
seeks another computer to attack.
Today, viruses spread primarily through e-mail attachments. Modern viruses can send themselves to all the contacts
listed in an e-mail address book. The recipients, seeing they have received a message from a friend or business
associate, might unsuspectingly open the attachment, infect their computers, and send the virus to others.
According to Sophos, an antivirus software vendor, more than 89,000 known viruses attack computers and, on
average, one new virus is written and released every hour.
The defense against viruses is antivirus software. The drawback of antivirus software is that it must be updated to
recognize new viruses. Known as definition files or signature files, these updates can be downloaded automatically
from the Internet to a user’s computer.
Worms
Another type of malicious code is known as a worm. Although similar in nature, worms are different from viruses in
two regards. First, a virus attaches itself to a computer document, such as an e-mail message, and is spread by
traveling along with the document. A second difference is that a virus needs the user to perform some type of action,
such as starting a program or reading an e-mail message, to start the infection.
Worms are usually distributed via e-mail attachments as separate executable programs. In many instances, reading
the e-mail message starts the worm. However, if the worm does not start automatically, attackers can trick the user
to start the program and launch the worm.
Quick Reference
Discuss the tricks listed on page 50 of the text on how worms can get started.
Logic Bombs
Logic bombs are another type of malicious code. A logic bomb is a computer program that lies dormant until it is
triggered by a specific event, such as a certain date being reached on the system calendar or a person’s rank in an
organization dropping below a specified level.
Quick Reference
Discuss the suggestions to protect an organization from logic bombs as
illustrated on pages 50 and 51 of the text.
Trojan Horses
A Trojan horse is a program that hides its true intent and then reveals itself when activated. A Trojan horse might
disguise itself as a free calendar program or other interesting software. Once installed on the user’s computer,
however, it can launch into action.
One of the simplest Trojan horse strategies involves giving a malicious program the name of a file associated with a
benign program. Another Trojan horse technique is to combine two or more executable programs into a single
filename. You can defend against Trojan horses with the following products:
• Antivirus tools, which are one of the best defenses against combination programs
• Special software that alerts you to the existence of a Trojan horse program
• Anti-Trojan horse software that disinfects a computer containing a Trojan horse
Back Doors
A back door is a secret entrance into a computer of which the user is unaware. Many viruses and worms install a
back door that allows a remote user to access a computer without the legitimate user’s knowledge or permission.
Quick Quiz
1. With __________, the attacker uses ARP spoofing to send information from the user’s computer to the attacker’s computer instead of to a valid computer. ANSWER: TCP/IP hijacking
2. A special “Are you there?” message is called a(n) __________ using the Internet Control Message Protocol (ICMP) that the receiving computer immediately replies to if it is available. ANSWER: ping
3. The user of the __________ has no indication that his or her computer has malicious software installed. ANSWER: zombie
4. __________ are often designed into computer systems to help during the testing phase of the program. ANSWER: Back doors
Discussion Questions
1. Why are certain people so intrigued by gaining access to any computer system?
2. How has information theft changed how we develop new technology?
Additional Activities
1. Have students conduct research looking for software and hardware that can be used to hack into a computer system and summarize what they find.
2. Have students configure firewall software and hardware and document the procedures used.