Intro_2021

Intrusion Detection and Hacker Exploits
INCS-745
Summer 2021

by
Yasir Malik Ph.D.
Guide to Firewalls and VPNs, 3rd Edition
Course details
❑ Prerequisites:
– INCS 615 Network Security and Perimeter Protection
– CSCI 620 Operating System Security

❑ Lab sessions will be conducted during class time. Teaching
Assistant will help with performing the lab assignments

❑ Main topics
- Network Security
- Software Security
- Web Security
- Operating System Security

Course objective
❑ Methods used in computer and network hacking are studied with
the intention of learning how better to protect systems from such
intrusions.

❑ Methods used by hackers include reconnaissance techniques,
system scanning, gaining system access by network and
application-level attacks, and denial of service attacks.

❑ The course will extensively study Internet related protocols,
methods of traffic analysis, tools and techniques for implementing
traffic filtering and monitoring, and intrusion techniques.

❑ Combining various hacker techniques into the common methods
and procedures used in compromising a system is also studied.
Recommended resources
❑ Notes and lecture slides are available in Blackboard.
❑ Textbooks
1. Computer Security and Penetration Testing, 2nd Edition by Alfred Basta,
Nadine Basta, Mary Brown.

2. Penetration Testing: A Hands-On Introduction to Hacking (Paperback) by
Georgia Weidman

❑ Lab Exercise:
1. Seed Project: Network security Labs available at
http://www.cis.syr.edu/~wedu/seed/lab_env.html

2. Tutorials To Learn Kali Linux for Pentesting
❑ There will be 5 lab assignments. Lab demos will be performed
individually. Lab sessions will be conducted by the TA and
attendance is strongly recommended. One or two lab demos will
be provided for bonus.

❑ Student projects can be done in groups of max size 3.
Proposal and project report structure will be provided.

❑ Extra learning tutorials from Kali Linux and Seed project Labs
are recommended.
Assessment Elements

❑ Attendance and Participation (10%): You are expected to actively
present and participate in every class.
❑ Practical Labs (50%): Labs are drawn from the course topics and
are due on time with no extension. Practical labs will be
evaluated with a demo.
❑ Term Project (40%): 10% project proposal (-2 per week if
submitted late), 20% implementation, 10% documentation and
presentation.
❑ Total: 100%
Grading Policy
Percentage Graduate grade

90 – 100 A
85 – 89 A-
80 – 84 B+
70 – 79 B
65 – 69 B-
60 – 64 C+
55 – 59 C
0 – 54 F

• Security
• protection of a person, building, organization, or country against
threats such as crime or attacks by foreign countries:
• the fact that something is not likely to fail or be lost:
• Cambridge English Dictionary

• Computer Security
• The protection afforded to an automated information system in order
to attain the applicable objectives of preserving the integrity,
availability and confidentiality of information system resources
(includes hardware, software, firmware, information/data, and
telecommunications) NIST 1995
What Is Cybersecurity

Cybersecurity is the practice of protecting systems,
networks, and programs from digital attacks. These
cyberattacks are usually aimed at accessing,
changing, or destroying sensitive information;
extorting money from users; or interrupting normal
business processes.

Ref: https://www.cisco.com/c/en/us/products/security/what-is-cybersecurity.html
Classes of Intruders- Cyber Criminals

• Individuals or members of an organized crime group with a goal of
financial reward
• Their activities may include:
• Identity theft
• Theft of financial credentials
• Corporate espionage
• Data theft
• Data ransoming
• They meet in underground forums to trade tips and data and
coordinate attacks
Classes of Intruders - Activists
• Are either individuals, usually working as insiders, or members of a
larger group of outsider attackers, who are motivated by social or
political causes
• Also known as hacktivists
• Skill level is often quite low
• Aim of their attacks is often to promote and publicize their cause
typically through:
• Website defacement
• Denial of service attacks
• Theft and distribution of data that results in negative
publicity or compromise of their targets
Classes of Intruders – State-Sponsored Organizations

• Groups of hackers sponsored by governments to conduct espionage
or sabotage activities
• Also known as Advanced Persistent Threats (APTs) due to the
covert nature and persistence over extended periods involved with
any attacks in this class
• Widespread nature and scope of these activities by a wide range
of countries from China to the USA, UK, and their intelligence
allies
Classes of Intruders – Others

• Hackers with motivations other than those previously listed
• Include classic hackers or crackers who are motivated by technical
challenge or by peer-group esteem and reputation
• Many of those responsible for discovering new categories of buffer
overflow vulnerabilities could be regarded as members of this class
• Given the wide availability of attack toolkits, there is a pool of
“hobby hackers” using them to explore system and network
security
Intruder Skill Levels – Apprentice

• Hackers with minimal technical skill who
primarily use existing attack toolkits
• They likely comprise the largest number of
attackers, including many criminal and activist
attackers
• Given their use of existing known tools, these
attackers are the easiest to defend against
• Also known as “script-kiddies” due to their
use of existing scripts (tools)
Intruder Skill Levels – Journeyman

• Hackers with sufficient technical skills to
modify and extend attack toolkits to use newly
discovered, or purchased, vulnerabilities
• They may be able to locate new vulnerabilities
to exploit that are similar to some already
known
• Hackers with such skills are likely found in all
intruder classes
• Adapt tools for use by others
Intruder Skill Levels – Master

• Hackers with high-level technical skills capable
of discovering brand new categories of
vulnerabilities
• Write new powerful attack toolkits
• Some of the better known classical hackers are
of this level
• Some are employed by state-sponsored
organizations
• Defending against these attacks is of the
highest difficulty
Examples of Intrusion
• Remote root compromise
• Web server defacement
• Guessing/cracking passwords
• Copying databases containing credit card numbers
• Viewing sensitive data without authorization
• Running a packet sniffer
• Distributing pirated software
• Using an unsecured modem to access internal network
• Impersonating an executive to get information
• Using an unattended workstation
Intruder Behavior

1. Target acquisition and information gathering
2. Initial access
3. Privilege escalation
4. Information gathering or system exploit
5. Maintaining access
6. Covering tracks
Definitions

• Security Intrusion:
Unauthorized act of bypassing the security
mechanisms of a system

• Intrusion Detection:
A hardware or software function that gathers and
analyzes information from various areas within a
computer or a network to identify possible
security intrusions
Challenges of computer security

1. Computer security is not simple
2. One must consider potential (unexpected) attacks
3. Procedures used are often counter-intuitive
4. Must decide where to deploy mechanisms
5. Involve algorithms and secret info (keys)
6. A battle of wits between attacker / admin
7. Its benefit is not perceived until it fails
8. Requires constant monitoring
9. Too often an after-thought (not integral)
10. Regarded as impediment to using system
Standards

• Standards have been developed to cover
management practices and the overall
architecture of security mechanisms and
services
• The most important of these organizations are:
• National Institute of Standards and Technology (NIST)
• Internet Society (ISOC)
• International Telecommunication Union (ITU-T)
• International Organization for Standardization (ISO)
Introduction

• Network security
• Critical activity for almost every organization
• Perimeter defense
• Cornerstone of most network security programs
• Effective firewall
• Properly configured to be safe and efficient

Security Perimeter and Defense in
Depth
• Security perimeter
• Defines the boundary between the outer limit of an
organization’s security and the beginning of the
outside network
• Perimeter does not protect against internal attacks
• Organization may choose to set up security domains
• Defense in depth
• Layered implementation of security
• Redundancy
• Implementing technology in layers

Security Perimeter and Defense in
Depth (cont’d.)

Figure 1-3 Security Perimeter (© Cengage Learning 2012)
Security Perimeter and Defense in
Depth (cont’d.)

Figure 1-4 Defense in Depth (© Cengage Learning 2012)
What Is Information Security?

• Information security (InfoSec)
• Protection of information and its critical elements,
• Includes the systems and hardware that use, store,
and transmit that information
• Unified process encompasses
• Network security
• Physical security
• Personnel security
• Operations security
• Communications security

What Is Information Security?
(cont’d.)
• C.I.A. triangle
• Industry standard for computer security
• Based on the three characteristics of information that
make it valuable to organizations:
• Confidentiality
• Integrity
• Availability

Key Security Concepts

• Confidentiality
• Preserving authorized restrictions on information access
and disclosure, including means for protecting personal
privacy and proprietary information
• Integrity
• Guarding against improper information modification or
destruction, including ensuring information nonrepudiation
and authenticity
• Availability
• Ensuring timely and reliable access to and use of
information
Critical Characteristics of
Information
• Availability
• Information is accessible by authorized users without
interference or obstruction, and they receive it in the required
format.
• Accuracy
• Information is free from mistakes or errors and it has the
value that the end user expects.
• Authenticity
• Information is genuine or original rather than a
reproduction or fabrication.
• Confidentiality
• Information is protected from disclosure or exposure to
unauthorized individuals or systems.
Critical Characteristics of
Information (cont’d.)
• Integrity
• Information remains whole, complete, and
uncorrupted
• Utility
• Information has value for some purpose or end
• Possession
• Information object or item is owned or controlled by
somebody

Balancing Information Security
and Access
• Information security
• Process, not an end state
• Balance protection of information and information
assets with the availability of that information to
authorized users
• Security must allow reasonable access
• Yet protect against threats

Business Needs First

• Protect the organization’s ability to function
• Enable the safe operation of applications implemented
on the organization’s IT systems
• Protect the data the organization collects and uses
• Safeguard the technology assets in use at the
organization
Data

• Data owners
• Responsible for the security and use of a particular
set of information
• Data custodians
• Responsible for the storage, maintenance, and
protection of the information
• Data users
• Allowed by the data owner to access and use the
information to perform their daily jobs

Key Information Security
Terminology
• Security professional must be familiar with common
terms
• To effectively support any information security effort
including the design, implementation, and
administration of an effective perimeter defense

Threats and Attacks

• Threat
• Category of object, person, or other entity that poses a potential risk of
loss to an asset
• Asset
• Anything that has value for the organization
• Can be physical or logical
• Attack
• Intentional or unintentional action that could represent the
unauthorized modification, damage, or loss of an information asset

Threats and Attacks (cont’d.)

• Subject of an attack
• Used as an active tool to conduct the attack
• Object of an attack
• Entity being attacked
• Direct attack
• Hacker uses a personal computer to break into a
system
• Indirect attack
• System is compromised and used to attack other
systems

Passive and Active Attacks

• Passive Attack
• Attempts to learn or make use of information from the
system but does not affect system resources
• Eavesdropping on, or monitoring of, transmissions
• Goal of attacker is to obtain information that is being
transmitted
• Two types:
1. Release of message contents
2. Traffic analysis
• Active Attack
• Attempts to alter system resources or affect their
operation
• Involve some modification of the data stream or the
creation of a false stream
• Four categories:
1. Replay
2. Masquerade
3. Modification of messages
4. Denial of service
Attack Surface Categories

• Network Attack Surface
• Vulnerabilities over an enterprise network, wide-area
network, or the Internet
• Denial-of-service attack, disruption of communications
links, and various forms of intruder attacks
• Software Attack Surface
• Vulnerabilities in application, utility, or operating
system code
• Particular focus is Web server software
• Human Attack Surface
• Vulnerabilities created by personnel or outsiders, such
as social engineering, human error, and trusted insiders
Levels of Impact

• Low: The loss could be expected to have a limited adverse
effect on organizational operations, organizational assets,
or individuals
• Moderate: The loss could be expected to have a serious
adverse effect on organizational operations, organizational
assets, or individuals
• High: The loss could be expected to have a severe or
catastrophic adverse effect on organizational operations,
organizational assets, or individuals
Vulnerabilities and Exploits

• Threat agent
• Specific instance of a general threat
• Well-known vulnerabilities
• Vulnerabilities that have been examined,
documented, and published
• Exploit
• Threat agents attempt to exploit a system or
information asset
• Specific recipe that an attacker creates to formulate
an attack

Vulnerabilities and Exploits
(cont’d.)
• Controls, safeguards, or countermeasures
• Synonymous terms
• Security mechanisms, policies, or procedures that
can successfully counter attacks, reduce risk, resolve
vulnerabilities, and generally improve the security
within an organization

Risk

• State of being unsecure, either partially or totally, and
thus susceptible to attack
• Described in terms of likelihood
• Risk management
• Involves risk identification, risk assessment or
analysis, and risk control
• Risk appetite or risk tolerance
• Amount of risk an organization chooses to live with
Risk (cont’d.)

• Residual risk
• Amount of risk that remains after an organization
takes precautions, implements controls and
safeguards, and performs other security activities
• To control risk:
• Self-protection
• Risk transfer
• Self-insurance or acceptance
• Avoidance

Other Ways to View Threats
• Perspectives:
• Intellectual property
• Software piracy
• Shoulder surfing: watching another person’s password or
data
• Hackers
• Script kiddies: hackers with limited skills
• Packet monkeys
• Cracker
• Phreaker: person who hacks the public phone network for
free calls
• Hacktivist or cyberactivist
• Cyberterrorist
Other Ways to View Threats
(cont’d.)
• Malicious code, malicious software, or malware
• Computer virus: macro virus, boot virus
• Worms
• Trojan horses
• Backdoor, trapdoor, maintenance hook
• Rootkit

Attacks on Information Assets

• Attacks occur through a specific act that may cause a
potential loss
• The major types of attack used against controlled
systems are discussed in the following slides
Malicious Code

• Malicious code
• Includes viruses, worms, Trojan horses, and active
Web scripts
• Executed with the intent to destroy or steal
information
• Polymorphic, multivector worm
• Constantly changes the way it looks
• Uses multiple attack vectors to exploit a variety of
vulnerabilities in commonly used software

Compromising Passwords

• Bypass access controls by guessing passwords
• Cracking
• Attempting to guess a password
• Brute force attack
• Application of computing and network resources to
try every possible combination of options
• Dictionary attack
• Variation on the brute force attack
• Narrows the field by selecting specific target accounts
and using a list of commonly used passwords
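Both guessing strategies above leave a footprint in authentication logs: a burst of failed logins from one source, either hammering a single account (brute force) or touching many accounts with a short list of common passwords (dictionary style). The following Python script is an added example, not part of the original slides or the textbooks they draw on. It parses a few constructed OpenSSH-style auth log lines and flags any source whose failures inside a 60-second window reach a threshold, labelling the burst by how many accounts it hit. The hostnames, addresses and log lines are constructed for the example; the threshold and window size are assumptions to tune per site.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample auth log in OpenSSH format (not real data).
SAMPLE_AUTH_LOG = """\
Jun 01 10:00:01 gw sshd[1201]: Failed password for alice from 203.0.113.5 port 51000 ssh2
Jun 01 10:00:03 gw sshd[1202]: Failed password for alice from 203.0.113.5 port 51001 ssh2
Jun 01 10:00:05 gw sshd[1203]: Failed password for alice from 203.0.113.5 port 51002 ssh2
Jun 01 10:00:08 gw sshd[1204]: Failed password for alice from 203.0.113.5 port 51003 ssh2
Jun 01 10:00:10 gw sshd[1205]: Failed password for alice from 203.0.113.5 port 51004 ssh2
Jun 01 10:00:12 gw sshd[1206]: Failed password for alice from 203.0.113.5 port 51005 ssh2
Jun 01 10:00:30 gw CRON[1210]: pam_unix(cron:session): session opened for user root
Jun 01 10:00:41 gw sshd[1220]: Failed password for bob from 198.51.100.7 port 40000 ssh2
Jun 01 10:00:49 gw sshd[1221]: Accepted password for bob from 198.51.100.7 port 40001 ssh2
Jun 01 10:03:10 gw sshd[1240]: Failed password for invalid user admin from 203.0.113.9 port 60000 ssh2
Jun 01 10:03:14 gw sshd[1241]: Failed password for root from 203.0.113.9 port 60001 ssh2
Jun 01 10:03:19 gw sshd[1242]: Failed password for invalid user test from 203.0.113.9 port 60002 ssh2
Jun 01 10:03:23 gw sshd[1243]: Failed password for invalid user guest from 203.0.113.9 port 60003 ssh2
Jun 01 10:03:28 gw sshd[1244]: Failed password for invalid user oracle from 203.0.113.9 port 60004 ssh2
"""

# One regex for both outcomes; "invalid user" appears when the account does not exist.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_auth_log(text):
    """Return a list of (timestamp, result, user, source) for every sshd password line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # cron, sudo and other unrelated lines are skipped
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")  # syslog lines carry no year
        events.append((ts, m["result"], m["user"], m["src"]))
    return events


def detect_password_attacks(text, threshold=5, window_seconds=60):
    """Flag sources whose failed logins in any window_seconds span reach threshold.

    Returns {source: {"failures": n, "accounts": [...], "pattern": str}}.
    """
    failures = defaultdict(list)  # source -> [(timestamp, account), ...]
    for ts, result, user, src in parse_auth_log(text):
        if result == "Failed":
            failures[src].append((ts, user))

    findings = {}
    for src, attempts in failures.items():
        attempts.sort()
        # Two-pointer sliding window over the sorted timestamps: find the densest burst.
        start, best_start, best_count = 0, 0, 0
        for end in range(len(attempts)):
            while (attempts[end][0] - attempts[start][0]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 > best_count:
                best_count, best_start = end - start + 1, start
        if best_count < threshold:
            continue
        burst = attempts[best_start:best_start + best_count]
        accounts = sorted({user for _, user in burst})
        # One account hit repeatedly is classic brute force; many accounts from one
        # source matches the dictionary/password-spray description on the slide.
        pattern = ("single-account brute force" if len(accounts) == 1
                   else "multi-account dictionary/spray")
        findings[src] = {"failures": best_count, "accounts": accounts, "pattern": pattern}
    return findings


if __name__ == "__main__":
    for src, info in detect_password_attacks(SAMPLE_AUTH_LOG).items():
        print(f"{src}: {info['pattern']} ({info['failures']} failures, "
              f"accounts={', '.join(info['accounts'])})")
```

The single legitimate failure from 198.51.100.7 followed by a success is ignored, which is the point of using a window and a threshold rather than alerting on every failed login; the two flagged sources map directly onto the two attack styles on the slide.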
Denial-of-Service (DoS) and
Distributed Denial-of-Service (DDoS)

• Denial-of-service (DoS) attack
• Attacker sends a large number of connection or
information requests to a target
• So many requests are made that the target system
cannot handle them along with other, legitimate
requests for service
• Distributed denial-of-service (DDoS)
• Coordinated stream of requests against a target from
many locations at the same time
• Any system connected to the Internet is a potential
target for denial-of-service attacks
Spoofing
• Intruder sends messages to IP addresses that indicate to
the recipient that the messages are coming from a trusted
host

Figure 1-6 IP Spoofing
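IP spoofing works because a router that forwards a packet does not, by default, check that the source address is plausible for the interface the packet arrived on. The countermeasure for the simple case is source-address filtering at the network edge (ingress/egress filtering, the practice described in BCP 38): packets from the outside must not claim inside addresses, and packets from the inside must only use addresses the site owns. The Python model below is an added example and is not code from the slides or the textbook; the interface names, the internal prefix 192.0.2.0/24 and the packet list are constructed assumptions.

```python
import ipaddress

# Constructed topology (assumption for the example): "wan" faces the Internet,
# "lan" faces our own hosts, which are numbered out of 192.0.2.0/24.
INTERNAL_PREFIXES = [ipaddress.ip_network("192.0.2.0/24")]

# Source addresses that are never legitimate on the Internet-facing side
# (unspecified, private, loopback, link-local, multicast, reserved).
BOGON_PREFIXES = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]


def _in_any(addr, prefixes):
    return any(addr in prefix for prefix in prefixes)


def anti_spoof_verdict(iface, src):
    """Decide whether a packet with source `src` arriving on `iface` has a
    plausible source address. Returns (accept, reason)."""
    addr = ipaddress.ip_address(src)
    if iface == "wan":
        # Ingress filter: nobody outside may claim one of our addresses, and a
        # bogon source cannot have been routed to us legitimately.
        if _in_any(addr, INTERNAL_PREFIXES):
            return False, "external packet claims an internal source address"
        if _in_any(addr, BOGON_PREFIXES):
            return False, "external packet with unroutable (bogon) source"
        return True, "ok"
    if iface == "lan":
        # Egress filter: our hosts may only send with our own addresses, so a
        # compromised inside host cannot spoof a third party toward the Internet.
        if not _in_any(addr, INTERNAL_PREFIXES):
            return False, "internal host using a source address it does not own"
        return True, "ok"
    return False, f"unknown interface {iface}"


# Constructed packets: ingress interface, source, destination.
SAMPLE_PACKETS = [
    {"iface": "wan", "src": "198.51.100.7", "dst": "192.0.2.10"},   # ordinary inbound
    {"iface": "wan", "src": "192.0.2.10",   "dst": "192.0.2.20"},   # outsider posing as an inside host
    {"iface": "wan", "src": "10.1.2.3",     "dst": "192.0.2.10"},   # private source from the Internet
    {"iface": "lan", "src": "192.0.2.10",   "dst": "198.51.100.7"}, # ordinary outbound
    {"iface": "lan", "src": "203.0.113.4",  "dst": "198.51.100.7"}, # inside host spoofing a third party
]


def filter_packets(packets):
    """Annotate each packet with the filter's verdict and reason."""
    out = []
    for pkt in packets:
        accept, reason = anti_spoof_verdict(pkt["iface"], pkt["src"])
        out.append({**pkt, "accept": accept, "reason": reason})
    return out


if __name__ == "__main__":
    for pkt in filter_packets(SAMPLE_PACKETS):
        action = "ACCEPT" if pkt["accept"] else "DROP  "
        print(f"{action} {pkt['iface']:>3} src={pkt['src']:<14} {pkt['reason']}")
```

The filter only catches addresses that are impossible on a given interface; a spoofed source that is plausible for the Internet side still passes, which is why the figure's attack also needs end-to-end measures (authentication of the data, as in the man-in-the-middle discussion that follows) rather than address checks alone.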
Man-in-the-Middle

• Attacker monitors (or sniffs) packets from the network
• Modifies them using IP spoofing techniques
• Inserts them back into the network
• Allows the attacker to eavesdrop, change, delete,
reroute, add, forge, or divert data
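The change, insert and forge steps of the man-in-the-middle sequence above are exactly what the integrity and authenticity properties from the Key Security Concepts slide are meant to catch, and the replay category from the active-attack list is the obvious next trick once modification is blocked. This added Python example (not from the slides or the textbook) shows a sender authenticating each message with an HMAC over the message and a sequence number, and a receiver that rejects modified, forged and replayed envelopes. The shared key, messages and sequence numbers are constructed. A MAC gives no confidentiality, so the eavesdrop step still succeeds unless the traffic is also encrypted.

```python
import hmac
import hashlib


def make_tag(key, seq, message):
    """HMAC-SHA256 over the sequence number and message together, so neither
    can be altered or re-paired with the other without knowing the key."""
    data = seq.to_bytes(8, "big") + message
    return hmac.new(key, data, hashlib.sha256).digest()


def protect(key, seq, message):
    """Sender side: envelope carrying the message, its sequence number and tag."""
    return {"seq": seq, "message": message, "tag": make_tag(key, seq, message)}


class Receiver:
    """Receiver side: verifies the tag in constant time, then enforces strictly
    increasing sequence numbers so a captured envelope cannot be replayed."""

    def __init__(self, key):
        self.key = key
        self.last_seq = -1

    def accept(self, env):
        expected = make_tag(self.key, env["seq"], env["message"])
        # compare_digest avoids leaking the position of the first mismatching byte.
        if not hmac.compare_digest(expected, env["tag"]):
            return "rejected: tag mismatch (modified or forged)"
        if env["seq"] <= self.last_seq:
            return "rejected: replayed"
        self.last_seq = env["seq"]
        return "accepted"


def demo():
    """Walk one genuine message and three interceptions through the receiver."""
    key = b"shared-secret-for-the-example"  # constructed; real keys come from a handshake or KDF
    rx = Receiver(key)
    genuine = protect(key, 1, b"transfer 100 to account 42")
    results = [rx.accept(genuine)]                                   # untouched message passes
    tampered = dict(genuine, message=b"transfer 100 to account 99")  # in-path modification
    results.append(rx.accept(tampered))
    results.append(rx.accept(genuine))                               # replay of a valid envelope
    forged = protect(b"guessed-key", 2, b"transfer 1 to account 7")  # insertion without the key
    results.append(rx.accept(forged))
    return results


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

Binding the sequence number into the MAC is what makes the replay check trustworthy: an interceptor cannot bump the number on a captured envelope to get past the receiver, because that would invalidate the tag.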
E-mail Attacks

• E-mail
• Vehicle for attacks rather than the attack itself
• Spam
• Used as a means to make malicious code attacks
more effective
• Mail bomb
• Attacker routes large quantities of e-mail to the
target system

Sniffers

• Sniffer
• Program or device that can monitor data traveling
over a network
• Used both for legitimate network management
functions and for stealing information from a
network
• Impossible to detect
• Can be inserted almost anywhere
• Packet sniffers
• Work on TCP/IP networks

Social Engineering

• Process of using social skills to convince people to
reveal access credentials or other valuable information
to the attacker
Buffer Overflow

• Application error
• Occurs when more data is sent to a buffer than it can
handle
• Attacker can make the target system execute
instructions
• Attacker can take advantage of some other
unintended consequence of the failure

Summary

• Threat: object, person, or other entity that represents a
constant danger to an asset
• Attack: act that takes advantage of a vulnerability to
compromise a controlled system
• Organization must establish a functional and
well-designed information security program
Homework
1. Introduction to Linux and Kali Linux
• Self-Paced Basic Linux course at edX @
https://courses.edx.org/courses/course-v1:LinuxFoundationX+LFS101x+3T2018/course/
• Kali Linux @ https://www.udemy.com/kali-linux-101/
• Set up your machines for Course Labs
• http://www.cis.syr.edu/~wedu/seed/lab_env.html

• Watch the movie Snowden if you get time
