105 Common information security threats

www.huawei.com
Copyright © 2018 Huawei Technologies Co., Ltd. All rights reserved.
Common Information
Security Threats

Foreword
 Information systems are often vulnerable and have sensitive, confidential
information that needs to be communicated. Therefore, they are under
threat in various scenarios and through various means.
 This class uses some case studies about common attacks to introduce
possible threats to the information system.

Objectives
 Upon completion of this course, you will be able to:
 Categorize information security threats.
 Describe common information security threat means.

Contents
1. Current Situation of Information Security Threats
2. Threats to Network Security
3. Threats to Application Security
4. Threats to Data Transmission and Device Security

Endless Security Incidents
 On May 12, 2017, the
WannaCry ransomware
attack broke out at about
8:00 p.m and spread
worldwide. Computers
infected with WannaCry
were vulnerable to
attacks once turned on.
 In 2017, the traffic of users of
multiple software applications
in China was hijacked during
software upgrade. The users
thought they were upgrading
the software while they were
actually installing viruses.
 More than 90% of
telecommunication
fraud is targeted fraud
conducted using precise
information of citizens.
 In Feb. 2018, the popular online
game "Final Fantasy XIV" suffered a
three-hour DDoS attack.
 On Nov. 10, 2016, five major
Russian banks suffered from a
DDoS attack lasting for two days.
Attack through
malicious code
Personal information
breach
Communication
process hijacking
DDoS attack
Security
Incident

Beginning of the Cyberwar - Stuxnet
 In February 2011, Iran suddenly announced it was to unload fuel from its first nuclear power
station. Previously, the industry said Iran needed only one year to be capable of quickly
creating nuclear weapons. However, the Stuxnet attack ruined one fifth of the centrifuges of
Iran, postponing the research for at least two years, during which time the global landscape
changed.
Infected over 45,000
networks worldwide
Computer worm
First worm capable of targeted
attack of physical
(energy) infrastructure facilities
Employed multiple
attack means
Most sophisticated cyber
weapon in history
Stuxnet Exploited mobile media to
implant viruses

Evolution of Information Security Attacks
Forms of attack largely
unchanged
Current attackers still use viruses,
phishing, etc. to target vulnerabilities,
much the same as in the past.
More sophisticated
attack means
A major attack usually requires
sophisticated deployment, long-term
incubation, and a combination of multiple
attack methods to achieve the ultimate
goal.
Diverse attack purposes
The attack targets range from targeting
personal computers to being used to
influence economy, politics, war, energy,
and even the global landscape.

Security Threat Categories
Threats to Data
Transmission and
Device Security
Threats to
Cyber Security
Threats to
Application Security
 OS vulnerabilities
 Viruses (such as Trojan horses
and worms)
 Phishing websites
 Data breaches
 DDoS attacks
 Network intrusion
 Communication traffic hijacking
 Man-in-the-middle (MITM) attacks
 Unauthorized login to the system
 Weak security protection for Wireless Networks

DDoS Attacks Against Dyn DNS Service in the
United States
 On October 21, 2016, the DNS service from Dyn in the U.S. was hit by DDoS attacks from
about 11:00 a.m. to 5:00 p.m. UTC. The attacks paralyzed nearly half the networks in the
United States.
 These large-scale DDoS attacks were launched from botnets formed by IoT devices, which
were infected with Mirai malware.
IPC DVR Router
IoT devices that launch attacks

Process of a Mirai Attack
Scan for open Telnet service ports
(23/2323) on the network
Crack the IoT device passwords through brute force
and implant the Mirai malware into the devices for
remote control
Look for
zombies
Load the
attack
module
Load the DNS DDoS attack module
Launch a DDoS attack trough the botnet,
making customers' websites inaccessible
Build a
botnet
Launch an
attack
What means were used
in this attack?

Scanning
 Scanning is a potential attack action. It does not directly interrupt network
devices. However, it gathers relevant network information before an attack.
Address scanning
An attacker sends ICMP packets
to destination addresses or uses
TCP/UDP packets to initiate
connections with certain IP
addresses. By checking whether
there are response packets, the
attacker can determine which
target systems are alive and
connected to the target network.
Port scanning
An attacker probes the network
structure by scanning ports to
identify ports open to the attack
target, so as to determine the
attack mode. The attacker usually
uses the Port Scan software to
initiate connections to a series of
TCP or UDP ports on a wide
range of hosts. Based on the
response packets, the attacker
can determine whether the hosts
use these ports for providing
services.

Spoofing Attack - Obtaining the Control Permission
 Attackers can obtain the control permission by brute force cracking of
passwords. Also, attackers can launch spoofing attacks such as IP spoofing
to obtain access and control permissions.
 IP spoofing: An attacker may send packets with forged source IP addresses
to target hosts to obtain superior access and control permissions.
B: 192.168.0.6
A: 192.168.0.1
Sniffer
192.168.0.1
Request
Sniffed
Paralyze

 DDoS attacks:
 Exhaust network bandwidth
 Exhaust server resources
Launching a DDoS Attack
Zombies
Control traffic
Attacker
Botnet
Jump
server
Attack traffic
Attack target

Defense Measures for Cyber Attacks
 Firewalls: Deploying firewalls at the intranet egresses of medium- and
large-sized enterprises and data centers can efficiently defend against
common DDoS attacks and traditional single-packet attacks.
 Anti-DDoS devices: Anti-DDoS solutions provide professional anti-DDoS
services for carriers, enterprises, data centers, portal websites, online
games, online videos, and DNS services.
• Anti-DDoS devices
Protection through
professional equipment
• Firewall

Worm Attack Against Weibo
 Sina Weibo (the Chinese Twitter) was once hit by a worm that affected over
30,000 users in less than an hour. The attack process was as follows:
The attacker created a user account,
infected it with the worm, and sent the
malicious link to a public section.
Users clicked the malicious link with
enticing titles and got their accounts
infected.
Exploit a web
page
vulnerability
Spread the
worm
Infected user accounts automatically
posted and sent out private messages to
their followers.
Infected messages increased
exponentially, infecting a large number
of user accounts.
Phishing
Take down the
website

Threats Brought by Vulnerabilities
 Vulnerabilities are defects in the implementation of hardware, software, or
protocols or in system security policies. They allow attackers to access or
damage systems without authorization.
 If system vulnerabilities are not fixed in time, the following attacks may
occur:
Malicious code
propagation
Cross-site
scripting (XSS)
Injection
Data breach

Phishing
 "Phishing" is cyber fraud. It is the fraudulent attempt to obtain users' private information such as bank
or credit card account and password, often for malicious reasons, by using the URL or web page
content of an authentic website as disguise, or exploiting vulnerabilities of authentic website server
programs to insert dangerous HTML code into some web pages of the website.
Before accessing a website, check whether
its address is an encrypted link starting with
https.
What?
Refund?
Dear customer, due to issues
with the payment system,
please log in to the XX
website for a refund.

Malicious Code
 Malicious code is computer code that is deliberately developed or constructed to cause
threats or potential threats to a network or system. The most common malicious code
includes viruses, Trojan horses, worms, and backdoors.
 Malicious code is also called malware, which includes adware, spyware, and malicious
shareware. Malware refers to software that is installed and run on a user's computer or
other devices without explicitly notifying the user or obtaining the user's consent.
Trojan horse Worm
Virus
Backdoor

Defense Measures for Application Attacks
Regular vulnerability
fixing • Patching
• Vulnerability scanning
• Constantly looking out for suspicious websites and links
Improving information
security awareness
• Antivirus software
• WAF
Protection through
professional equipment
• Firewalls
Regular vulnerability fixing
Protection through professional
equipment
Improving information security
awareness

Interception of User Communications
 The National Security Agency (NSA) U.S. listened to encrypted communication
between Google (including Gmail) and Yahoo users on the cloud.
 The NSA exploited the encryption/decryption flaw of Google's front end server to
circumvent the server and directly listen to backend plaintext data.
Google's front end
encryption/decryption
device
Public Internet
Google Cloud

Tumblr User Information Breaches
 More than half of the accounts and passwords of the microblogging website
Tumblr were stolen by hackers.
 Hackers invaded the Tumblr server in a certain way and stole information of
Tumblr users. Tumblr stated that the breach would not cause damage to users
because the database information was encrypted. However, the facts showed that
the user information was encrypted using weak algorithms. After obtaining the
encrypted user information, the hackers were able to quickly crack a large amount
of user information.
Why are information breaches so
frequent?

Threats in Communication Process
User identity not authenticated
Users using weak passwords
Device
security risks
Transmission
security risks
MITM attacks
Data transmission not encrypted
or inadequately encrypted
Servers with vulnerabilities
What security risks will occur during communications?

MITM Attack
 Man-in-the-middle (MITM) attack: A type of indirect intrusion attacks. In MITM
attacks, an attacker uses a variety of technical means to virtually place a controlled
computer between two computers in the network. This controlled computer is
called a man in the middle.
 Consequences of MITM attacks
 Information tampering
 Information theft
Man in the middle
User A User B

Information Not Encrypted or Inadequately
Encrypted
 If information is not encrypted, information security may be compromised.
However, even if data is encrypted, information may also be stolen and
cracked.
Threat prevention suggestions
Encrypt information before storage.
Encrypt information before transmission.
Use strong encryption algorithms.

Authentication Attack
 An attacker obtains a user's identity authentication information by certain
means, and uses the identity information to steal sensitive information or
carry out illegal acts. It is a common form of attack.
 Prevention suggestions
 Install genuine antivirus software.
 Use strong passwords.
 Reduce the relevance between different passwords.

Quiz
1. Which of the following are threats to application security?
A. Injection attack
B. XSS
C. IP spoofing attack
D. Port scanning
2. Which of the following are device security risks?
A. Servers with vulnerabilities
B. Users using weak passwords
C. Data transmission inadequately encrypted
D. User identity not authenticated

Summary
 Current Situation of Information Security Threats
 Threats to Network Security
 Threats to Application Security
 Threats to Data Transmission and Device Security

Thank You
www.huawei.com

105 Common information security threats

Related slideshows

More Related Content

105 Common information security threats