Businesses are afraid of what’s out there on the Internet. And rightfully so. Hackers lurk around every network just waiting for the right opportunity to get in. And according to IBM Security’s Cost of A Data Breach 2019 report, the average cost of an incident was $5.11 million globally for companies with over 25,000 employees. The average cost was more than one and a half times as much for U.S. companies overall.
Various compliance organizations have tried to set the standard for how to lock your network down and configure it to prevent this from happening. But it just takes one bug in an application or a slip in a patch and you’re compromised. NIST, CMMC, PCI DSS, GDPR, HIPAA, HITRUST, and other compliance frameworks mandate specific network security controls for these very reasons.
If you’re in an industry that requires certification to a standard, you need to understand security as a fundamental requirement. It’s helpful to start with a basic knowledge of how a network works and the inherent vulnerabilities it has because of its exposure to the Internet.
Back to Basics
Networks at their simplest are made up of machines capable of sending and receiving communications to and from other machines and the wires or other technologies that direct and carry those communications back and forth. There are many different kinds of machines in a network. A basic network could consist of desktops and laptops, a departmental server that houses the information for an organization, a database server that stores and serves up information when queried, a web server that displays web pages when directed to do so, and printers, faxes, and scanners.
These machines are easy to connect because, these days, they are designed to be connected to and to communicate with each other. Together, inside an organization and without a connection to the Internet, they are called an intranet. And if this intranet never came in contact with the big bad world of the Internet, this story would be over.
Non-Secure by Nature
Most people in the business world and pretty much everyone else want to connect to the Internet. This is because the Internet already has the connections in place to allow your computer to talk to another computer outside of your organization. Other machines on the Internet have things you want: customers, information, money. You pay for that connection, just like you pay for phone service so that the wires and devices on the Internet are maintained and replaced when necessary.
But what you don’t get in that service is protection from other users on the Internet. These other users find ways to connect to you, or to have you connect to them, and they can infect your systems with worms, viruses, and other types of malware or, worse yet, exfiltrate your data. According to Verizon’s 2019 Data Breach Investigations Report, the targets for these attacks include POS controller servers, POS terminals, mail servers, desktops, ATM kiosks, web application servers, database servers, and people (most commonly through phishing attacks).
You need to secure your network so your company retains customer trust, remains profitable, and stays in compliance so it can do business in the first place. Hackers are just waiting to get at your network or lure you into one of their traps. There are many ways they do this, and there’s no way to include every method in one blog post. But a short list of the more prevalent threats you might encounter is covered here.
Common types of attacks are:
- SYN Flood Attacks
- DoS and DDoS Attacks
- Privilege Escalation
- Man-In-the-Middle Attacks
- ARP Poisoning Attacks
- DNS Attacks
- Amplification Attacks
- Password Attacks
- Replay Attacks
- Driver Manipulation Attacks
- Zero-Day Attacks
- Exploitation of Memory Buffer Vulnerabilities
SYN Flood Attacks
A SYN flood attack exploits the three-step TCP handshake (SYN, SYN/ACK, ACK) that a client must complete to establish a session with a server. Instead of completing the handshake, the attacking client leaves the server hanging: it sends the initial SYN packet, in fact many, many SYN packets, but never sends the final ACK. It’s as if the client extends its hand for a handshake and then pulls it back before the server can shake it. The server keeps its hand extended, still waiting for the handshake, and it has only so many hands, or half-open connections, to spare. Ultimately, just like a DoS or DDoS attack, this attack brings the server down by overwhelming it with this particular kind of request.
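The half-open connection table described above is easy to watch from the defender’s side. The following is an added example, not code from the original post or from RSI Security: it replays a constructed log of handshake steps, counts how many handshakes each client started but never finished inside a timeout window, flags sources above a threshold, and reports when the total would exhaust a server’s backlog. Packet format, window, threshold, and backlog size are all assumptions chosen for the demonstration.

```python
from collections import defaultdict

# Constructed sample of what a sensor in front of the server might log:
# (timestamp_seconds, client_ip, handshake_step). "SYN" is the opening step,
# "ACK" is the client's final step that completes the handshake.
# 10.0.0.5 behaves normally; 198.51.100.9 opens 50 handshakes and finishes none.
SAMPLE_PACKETS = [
    (0.00, "10.0.0.5", "SYN"), (0.05, "10.0.0.5", "ACK"),
    (0.10, "10.0.0.5", "SYN"), (0.15, "10.0.0.5", "ACK"),
] + [(0.20 + i * 0.01, "198.51.100.9", "SYN") for i in range(50)]


def half_open_by_source(packets, window=5.0, now=None):
    """Return {client_ip: handshakes started but not completed within the window}.

    A SYN raises the count for its source; the client's completing ACK lowers it.
    Packets older than `window` seconds (relative to `now`) are ignored, mirroring
    a server that times out and discards stale half-open entries.
    """
    if now is None:
        now = max(t for t, _, _ in packets)
    half_open = defaultdict(int)
    for t, src, step in packets:
        if now - t > window:
            continue
        if step == "SYN":
            half_open[src] += 1
        elif step == "ACK" and half_open[src] > 0:
            half_open[src] -= 1
    return dict(half_open)


def syn_flood_sources(packets, threshold=20, window=5.0):
    """Sources holding at least `threshold` half-open connections: flood suspects."""
    counts = half_open_by_source(packets, window)
    return sorted(src for src, n in counts.items() if n >= threshold)


def backlog_exhausted(packets, backlog_size=32, window=5.0):
    """True when the half-open connections would fill a backlog of `backlog_size`,
    the point at which the server starts refusing new, legitimate clients."""
    return sum(half_open_by_source(packets, window).values()) >= backlog_size


if __name__ == "__main__":
    print("half-open per source:", half_open_by_source(SAMPLE_PACKETS))
    print("flood suspects:", syn_flood_sources(SAMPLE_PACKETS))
    print("backlog exhausted:", backlog_exhausted(SAMPLE_PACKETS))
```

The timeout window matters as much as the threshold: shrinking it is exactly what a server does when it lowers its half-open timeout, and SYN cookies remove the table altogether, which is why the per-source count is a detection signal rather than a cure.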
DoS and DDoS
You probably know what Denial of Service and Distributed Denial of Service attacks are already. A hacker bombards a server with requests, such as ICMP echo requests, using one or many machines to do so, machines that he or she may have compromised, and tries to cause the server to fail. Usually, the server simply stops responding to requests at all, and this can stop a website or another service from functioning for a long time, costing the hosting company, if there is one, and the business that owns the server a lot of money.
Privilege Escalation
Privilege escalation is simply moving from the status of an ordinary user on a network to that of an administrator. Hackers usually get into the network on one machine as a user and then use that machine to pivot to another, more important target, watching and waiting very patiently to capture admin credentials. Then, slowly and with as little notice as possible, they exfiltrate the target data or sabotage systems, whichever is the goal.
Man-In-the-Middle Attacks
A man-in-the-middle (MITM) attack is just what it sounds like. A hacker intercepts data along its path and attempts to use that data for malicious purposes. Neither party at either end of the conversation has any idea that the “evil” computer sits between them. The MITM is then able to alter data and send each of the computers whatever requests or data it wishes. It can also capture and decode the credentials required to get into your network. Attackers can use techniques like ARP poisoning to launch this kind of attack on a non-secure network. However, protocols that require mutual authentication can put a stop to this by making sure that everyone in the conversation has to verify their identity.
ARP Poisoning Attacks
In this kind of attack, the hacker intercepts an ARP request and replies with a spoofed MAC address, poisoning the ARP cache on a switch or on a victim’s computer by associating an IP address with the wrong MAC address. This is a good way for a hacker to launch a MITM attack and gain a foothold on a target network. ARP poisoning can also be used to create a DoS condition by changing the MAC address recorded for the default gateway, thereby cutting off the path out of the network. In this instance, no one can reach the Internet.
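Both the MITM section and the ARP poisoning section above describe the same mechanism: a reply nobody asked for that rewrites the IP-to-MAC binding for a host such as the gateway. The example below is added here and is not the post’s or RSI Security’s code. It walks a constructed sequence of ARP frames against a constructed table of trusted bindings and raises an alert for each of the two tell-tale signs: a reply with no matching request in flight, and a reply that changes a known binding. The frame layout, the addresses, and the trusted table are all assumptions.

```python
from collections import namedtuple

ArpFrame = namedtuple("ArpFrame", "seq op sender_ip sender_mac target_ip")

# Constructed trusted bindings, e.g. exported from the DHCP server or set by hand.
TRUSTED_BINDINGS = {
    "192.168.1.1": "00:11:22:33:44:55",   # default gateway
}

# Constructed ARP traffic on the segment. Frames 3 and 4 come from a host at
# de:ad:be:ef:00:01 claiming to be the gateway; nobody asked.
SAMPLE_ARP = [
    ArpFrame(1, "request", "192.168.1.10", "aa:aa:aa:aa:aa:01", "192.168.1.1"),
    ArpFrame(2, "reply",   "192.168.1.1",  "00:11:22:33:44:55", "192.168.1.10"),
    ArpFrame(3, "reply",   "192.168.1.1",  "de:ad:be:ef:00:01", "192.168.1.10"),
    ArpFrame(4, "reply",   "192.168.1.1",  "de:ad:be:ef:00:01", "192.168.1.20"),
]


def detect_arp_poisoning(frames, trusted=TRUSTED_BINDINGS):
    """Return alerts (seq, reason, ip, mac) for two classic poisoning signs:
    a reply that no host requested, and a reply changing a known IP-to-MAC binding."""
    alerts = []
    bindings = dict(trusted)
    pending = set()          # (answering_ip, asking_ip) pairs with a request in flight
    for f in frames:
        if f.op == "request":
            pending.add((f.target_ip, f.sender_ip))
            continue
        if (f.sender_ip, f.target_ip) in pending:
            pending.discard((f.sender_ip, f.target_ip))
        else:
            alerts.append((f.seq, "unsolicited reply", f.sender_ip, f.sender_mac))
        known = bindings.get(f.sender_ip)
        if known is None:
            bindings[f.sender_ip] = f.sender_mac     # learn a first-seen binding
        elif known != f.sender_mac:
            alerts.append((f.seq, "binding changed", f.sender_ip, f.sender_mac))
    return alerts


def suspect_macs(frames, trusted=TRUSTED_BINDINGS):
    """MAC addresses that tried to rewrite a trusted binding."""
    return sorted({mac for _, reason, _, mac in detect_arp_poisoning(frames, trusted)
                   if reason == "binding changed"})


if __name__ == "__main__":
    for alert in detect_arp_poisoning(SAMPLE_ARP):
        print(alert)
    print("suspects:", suspect_macs(SAMPLE_ARP))
```

The trusted table is deliberately never overwritten by a conflicting reply; that is the same idea as a static ARP entry for the gateway or dynamic ARP inspection on a switch, where the binding comes from an authoritative source rather than from whoever answers fastest.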
DNS Attacks
There are many types of DNS attacks. In DNS poisoning, just as in ARP poisoning, the hacker tries to create a wrong association, this time between a domain name and the IP address of a website. In this way, a hacker can insert an “evil” IP address for a malicious website and redirect traffic destined for legitimate sites commonly sought by users. Domain Name System Security Extensions (DNSSEC) prevent this type of attack by adding a digital signature to records, so that a resolver can verify that the IP addresses it receives were not spoofed.
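Before DNSSEC signatures come into play, a resolver has a simpler check that a poisoned answer must get past: the reply has to match an outstanding query’s transaction ID, destination port, and question. The toy resolver below is an added example, not code from the post or from RSI Security, and it does not implement DNSSEC; it only shows that matching step with constructed answers, one legitimate and one forged with a guessed transaction ID. Message fields and addresses are assumptions.

```python
import random

# Constructed: the real answer for the name queried, and the address a forged reply
# would try to plant in the cache.
LEGIT_ANSWER = "198.51.100.7"
EVIL_ANSWER = "203.0.113.66"


class StubResolver:
    """Toy resolver that keeps each outstanding query keyed by (transaction ID,
    source port) and accepts an answer only if it matches one exactly."""

    def __init__(self, rng=random):
        self.rng = rng
        self.pending = {}   # (txid, port) -> qname

    def send_query(self, qname, txid=None, port=None):
        # Random 16-bit ID and random source port: a forger must guess both.
        txid = self.rng.randrange(0, 1 << 16) if txid is None else txid
        port = self.rng.randrange(1024, 1 << 16) if port is None else port
        self.pending[(txid, port)] = qname
        return txid, port

    def receive(self, response):
        """response: dict with txid, dst_port, qname, answer (constructed shape)."""
        key = (response["txid"], response["dst_port"])
        qname = self.pending.get(key)
        if qname is None:
            return None, "rejected: no outstanding query with that id/port"
        if response["qname"] != qname:
            return None, "rejected: question does not match"
        del self.pending[key]          # one answer per query; a late duplicate is dropped
        return response["answer"], "accepted"


def demo():
    """Forged reply with a wrong ID, then the genuine reply, then the genuine reply again."""
    r = StubResolver()
    txid, port = r.send_query("www.example.com", txid=0x1234, port=40000)
    forged = {"txid": 0x1111, "dst_port": port,
              "qname": "www.example.com", "answer": EVIL_ANSWER}
    legit = {"txid": txid, "dst_port": port,
             "qname": "www.example.com", "answer": LEGIT_ANSWER}
    return r.receive(forged), r.receive(legit), r.receive(legit)


if __name__ == "__main__":
    for result in demo():
        print(result)
```

With a fixed source port the forger only has to guess the 16-bit ID, which is why port randomization was added to resolvers; DNSSEC then lets the resolver reject an answer that matches all three fields but carries no valid signature.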
DNS pharming attacks attempt to change the hosts file located in C:\Windows\System32\drivers\etc\. This file contains no active mappings by default, but in a pharming attack the hacker maps the wrong IP address to a domain name there and, voila! Entering the domain name into the browser’s address bar now takes you to the “evil” IP address.
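Because the hosts file is consulted before DNS, auditing it is a cheap endpoint check. The following added example (not code from the post or from RSI Security) parses constructed hosts-file contents, ignores the comment-only default lines, and classifies every live mapping as either redirected to another address (the pharming case) or sinkholed to loopback. The sample contents, the domain names, and the watched-domain list are assumptions.

```python
import ipaddress

# Constructed contents of a tampered hosts file (on Windows the path named on this
# page is C:\Windows\System32\drivers\etc\hosts). Lines 1-4 mimic the comment-only default.
SAMPLE_HOSTS = """\
# Sample hosts file header (constructed)
# localhost name resolution is handled within DNS itself.
#    127.0.0.1       localhost
#    ::1             localhost
203.0.113.77    www.example-bank.com   example-bank.com
127.0.0.1       telemetry.example.net
"""

LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text):
    """Return a list of (line_number, ip_address, hostname) for every active mapping."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                              # malformed line; not a mapping
        for name in parts[1:]:
            entries.append((lineno, ip, name.lower()))
    return entries


def audit_hosts(text):
    """Classify every non-default mapping: 'redirected' means a name now points
    at some other address (pharming); 'sinkholed' means it points at loopback."""
    findings = []
    for lineno, ip, name in parse_hosts(text):
        local_target = ip.is_loopback or ip.is_unspecified
        if name in LOCAL_NAMES and local_target:
            continue                              # the normal localhost lines
        kind = "sinkholed" if local_target else "redirected"
        findings.append((lineno, name, str(ip), kind))
    return findings


def pharmed_domains(text, watched):
    """Names from `watched` (e.g. your bank, your SSO portal) that were redirected."""
    watched = {w.lower() for w in watched}
    return sorted(name for _, name, _, kind in audit_hosts(text)
                  if kind == "redirected" and name in watched)


if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS):
        print(finding)
    print("pharmed:", pharmed_domains(SAMPLE_HOSTS, ["example-bank.com", "sso.example.org"]))
```

A loopback entry is not automatically malicious (ad blockers write them), which is why the audit reports the two kinds separately and lets the watched-domain list decide what is worth an alert.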
A DNS server can also be the victim of Denial of Service and Distributed Denial of Service attacks. See DoS and DDoS above for how this type of attack occurs and what the results are. Translating a domain name to an IP address is a small thing, but taking down the DNS server system can effectively take down the Internet for everyone who depends on it.
Amplification Attacks
Spoofing is central to an amplification attack. Basically, the hacker gets into your network, or in some other way obtains the IP address of the client victim he or she wants to target. The hacker then spoofs his or her source address to be the victim’s address. The amplification part is how the hacker overwhelms the victim. For example, instead of sending a typical unicast ping request to another client on a subnet, the hacker broadcasts it so that every other computer on the subnet sends its ping reply back to the victim’s computer. This can be done with DNS server requests, NTP server requests, or any other type of request that sends a response back to one client: the victim.
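Two controls follow directly from the description above: the network the spoofed packets leave from can refuse to forward anything whose source address is not its own (egress filtering in the style of BCP 38), and the service being used as a reflector can cap how many responses it sends toward any one address. This added example, which is not code from the post or from RSI Security, shows both over constructed packets plus an amplification-factor calculation; the prefixes, packet tuples, sizes, and rate cap are assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed: the address space this network legitimately sources traffic from.
OUR_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed outbound packets seen at the border: (src_ip, dst_ip, dst_port, length).
# The last two carry a source address that is not ours: the hallmark of reflection.
SAMPLE_EGRESS = [
    ("203.0.113.10", "198.51.100.53", 53, 60),
    ("203.0.113.11", "198.51.100.80", 443, 1200),
    ("192.0.2.44", "198.51.100.53", 53, 60),
    ("192.0.2.44", "198.51.100.123", 123, 48),
]


def is_spoofed_source(src_ip, prefixes=OUR_PREFIXES):
    """A packet leaving our network must carry one of our own source addresses."""
    ip = ipaddress.ip_address(src_ip)
    return not any(ip in net for net in prefixes)


def egress_filter(packets, prefixes=OUR_PREFIXES):
    """Split outbound packets into (allowed, dropped), dropping spoofed sources.
    This is the BCP 38 style anti-spoofing filter that stops a host here from
    reflecting traffic onto a victim elsewhere."""
    allowed, dropped = [], []
    for pkt in packets:
        (dropped if is_spoofed_source(pkt[0], prefixes) else allowed).append(pkt)
    return allowed, dropped


def amplification_factor(request_bytes, response_bytes):
    """Bytes delivered to the victim per byte the attacker sends."""
    return response_bytes / request_bytes


def response_rate_limit(requests, per_second=5):
    """Reflector-side defence: answer at most `per_second` requests from one
    source address per one-second window, so a spoofed victim address cannot
    be used to pull an unbounded stream of large responses toward it."""
    served = []
    seen = defaultdict(int)
    for t, src, qname in requests:
        bucket = (src, int(t))
        if seen[bucket] < per_second:
            seen[bucket] += 1
            served.append((t, src, qname))
    return served


# Constructed burst: 20 requests inside one second, all bearing the victim's address.
SAMPLE_BURST = [(10.0 + i * 0.04, "192.0.2.44", "example.com") for i in range(20)]


if __name__ == "__main__":
    allowed, dropped = egress_filter(SAMPLE_EGRESS)
    print("forwarded:", len(allowed), "dropped as spoofed:", len(dropped))
    # Constructed sizes: a 60-byte query answered with a 3000-byte response.
    print("amplification factor:", amplification_factor(60, 3000))
    print("responses served to burst:", len(response_rate_limit(SAMPLE_BURST)))
```

The two controls sit at different places: egress filtering belongs to the network the attacker sends from, rate limiting to the service being abused, and a victim benefits only if at least one of the two is in place somewhere along the path.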
Password Attacks
There are many ways to try to crack a password to get the credentials needed to enter a network. Brute force attacks are exactly what they sound like: dumb guesses made by going through every single alphanumeric combination, one at a time. Still, they are effective if there isn’t a lockout policy in place. Dictionary attacks are similar to brute force attacks but instead go through a dictionary of likely words and numeric combinations, one at a time, to see what works. This is why your users need to create complex passwords.
In a birthday attack, the hacker comes up with a password that produces the same hash as a legitimate password. Increasing the length of the hash increases the number of possible hashes and makes such a collision harder to find. A rainbow table attack compares the password’s hash to a table of precomputed hashes. Salting passwords before you hash them helps prevent them from being easily cracked this way.
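The lockout policy from the first password paragraph and the salting advice from the second can be shown side by side. This added example (not code from the post or from RSI Security) builds a tiny precomputed table of unsalted hashes, shows that a salted, iterated hash of the same password never appears in it and differs every time it is computed, and adds a per-account lockout counter that stops online guessing. The guess list, iteration count, and lockout limit are assumptions.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 100_000     # slow on purpose; raise as hardware allows


def fast_unsalted_hash(password):
    """What a rainbow table is built against: one deterministic hash per password."""
    return hashlib.sha256(password.encode()).hexdigest()


def build_rainbow_table(candidates):
    """Precompute hash -> password. The constructed tiny list stands in for a
    multi-gigabyte real table; the principle is identical."""
    return {fast_unsalted_hash(p): p for p in candidates}


def hash_password(password, salt=None):
    """Salted, iterated hash stored as 'salt_hex$digest_hex'."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"{salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$", 1)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), PBKDF2_ITERATIONS)
    return hmac.compare_digest(digest.hex(), digest_hex)


class LockoutPolicy:
    """Counts failed attempts per account and locks after `max_failures`,
    which is what makes brute force and dictionary guessing impractical online."""

    def __init__(self, max_failures=5):
        self.max_failures = max_failures
        self.failures = {}

    def attempt(self, account, password, stored):
        if self.failures.get(account, 0) >= self.max_failures:
            return "locked"
        if verify_password(password, stored):
            self.failures[account] = 0
            return "ok"
        self.failures[account] = self.failures.get(account, 0) + 1
        return "denied"


# Constructed guess list; "Summer2019!" is the user's real password.
COMMON_GUESSES = ["password", "letmein", "qwerty", "Summer2019!"]


if __name__ == "__main__":
    table = build_rainbow_table(COMMON_GUESSES)
    print("unsalted hash found in table:", table.get(fast_unsalted_hash("Summer2019!")))
    stored = hash_password("Summer2019!")
    print("salted digest in table:", stored.split("$")[1] in table)
    policy = LockoutPolicy(max_failures=3)
    for guess in COMMON_GUESSES:
        print(guess, "->", policy.attempt("alice", guess, stored))
```

The salt defeats the precomputed table because every user’s hash must be attacked separately; the iteration count slows each of those separate attempts; and the lockout policy addresses the one case neither helps with, guessing directly against the login prompt.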
Replay Attacks
A replay attack is exactly what it sounds like. A hacker, usually a MITM, captures authentication data from a session established between users and later replays that data to one of the users in the session to try to establish a connection to that user’s machine. There are straightforward ways to prevent this, though, such as using session IDs and timestamps.
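The session-ID-and-timestamp defense mentioned above works only if the receiver actually checks both and if the attacker cannot edit them. The added example below (not code from the post or from RSI Security) binds a payload to a timestamp and a one-time nonce under an HMAC, then has the receiver reject a bad MAC, a stale timestamp, and a nonce it has already seen. The shared key, the message format, and the 30-second window are assumptions.

```python
import hashlib
import hmac
import json
import os
import time

# Constructed shared secret; a real deployment uses a per-session key.
SESSION_KEY = b"constructed-session-key-for-demo"


def sign_message(key, payload, timestamp=None, nonce=None):
    """Bind the payload to a timestamp and a one-time nonce, then MAC the whole thing
    so an interceptor cannot adjust either field and replay it."""
    ts = int(time.time()) if timestamp is None else timestamp
    nonce = os.urandom(8).hex() if nonce is None else nonce
    body = json.dumps({"payload": payload, "ts": ts, "nonce": nonce}, sort_keys=True)
    mac = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "mac": mac}


class ReplayGuard:
    """Receiver-side checks: valid MAC, fresh timestamp, never-before-seen nonce."""

    def __init__(self, key, max_skew=30):
        self.key = key
        self.max_skew = max_skew
        self.seen = {}           # nonce -> timestamp, pruned once outside the window

    def accept(self, message, now=None):
        now = time.time() if now is None else now
        expected = hmac.new(self.key, message["body"].encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, message["mac"]):
            return False, "bad mac"
        body = json.loads(message["body"])
        if abs(now - body["ts"]) > self.max_skew:
            return False, "stale timestamp"
        self._prune(now)
        if body["nonce"] in self.seen:
            return False, "replayed nonce"
        self.seen[body["nonce"]] = body["ts"]
        return True, "ok"

    def _prune(self, now):
        # Nonces older than the window can never be accepted again anyway, so the
        # timestamp check lets the receiver forget them and keep memory bounded.
        self.seen = {n: t for n, t in self.seen.items() if now - t <= self.max_skew}


def demo():
    """Genuine message, the same message replayed, a forged MAC, and a stale message."""
    guard = ReplayGuard(SESSION_KEY)
    msg = sign_message(SESSION_KEY, "login alice", timestamp=1000, nonce="n1")
    first = guard.accept(msg, now=1005)
    replay = guard.accept(msg, now=1010)          # captured and sent again
    tampered = dict(msg, mac="0" * 64)             # body kept, MAC forged
    forged = guard.accept(tampered, now=1010)
    late = guard.accept(sign_message(SESSION_KEY, "x", timestamp=1000, nonce="n2"), now=2000)
    return first, replay, forged, late


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The timestamp alone is not enough, since a capture can be replayed within the window, and the nonce alone is not enough, since the receiver would have to remember every nonce forever; together they bound both the attacker’s opportunity and the receiver’s memory.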
Driver Manipulation Attacks
There are many ways malicious software can find its way onto your network by infecting a user’s machine first. In driver manipulation, a hacker who is a skilled coder writes a shim or refactors the code of an old device driver and deceives the OS into running the malicious code. This is equivalent to running an executable: it installs the software designed by the hacker, which can capture keystrokes and harvest the credentials needed to log into other, higher-value targets on your network.
Zero-Day Attacks
A zero-day attack exploits flaws in an OS that are unknown to its creators and to AV software, flaws that have existed since the moment the OS was created. These can create backdoors into a system and allow privilege escalation on a system inside your network. Once the OS vendor learns of the flaw and codes a patch, it is critical that you apply it.
But not everyone keeps up with the system updates and patches that protect against these vulnerabilities. Sometimes it’s years before the creators learn of the vulnerability, and systems continue to be exploited. Implementing the principle of least privilege is your only defense in this case: make sure the clients on your network have access only to the information, services, and equipment they require to do their jobs.
Memory Buffer Attacks
The best way to prevent buffer overflow attacks is to keep application patches up to date. A good application includes error handling and input validation that reject the kinds of strings a hacker can use to expose memory by overflowing an application’s buffer. Hackers are good at finding bugs in programs that let them do this. Once they expose memory, they can also get the system to execute malicious code, potentially bringing down a critical component on your network, or your network in its entirety.
So, what’s a business to do about the malware and hackers working relentlessly, some sponsored by nation-states like Russia and China? Most businesses don’t have the resources available to an entire country. But what they do have is the brainpower of private industry.
Companies like RSI Security know how to secure your network from the evils of the Internet so you can use it to your advantage. RSI Security is an expert in the area of compliance frameworks, as well, and knows intimately the security controls required to lock down your network. RSI Security can quickly and efficiently evaluate your current security posture, recommend the required controls, and help you with implementation so you can get back to business.
Contact RSI Security today to schedule a free consultation!