Information Security Threats and Vulnerabilities

These notes on information security vulnerabilities are based on the ISC2 Common Body of Knowledge (CBK).

“Danger, Will Robinson, Danger” —the robot in the movie "Lost In Space"
“Phew! All this computer hacking is making me thirsty!” —Homer Simpson in The Simpsons TV series


Topics this page:

  • Definitions
  • The Players
  • Attack Targets
  • Loss Expectancy
  • Physical Security
  • Threats to Computers
  • Phases of Attack




    Definitions: Risk = Threat X Vulnerability

    • Being “at risk” is being exposed to threats.
    • Risks are subjective: the potential to incur consequences of harm or loss of target assets.
    • A Risk Factor is the likelihood of resources being attacked.
    • Threats are dangerous actions that can cause harm. The degree of threat depends on the attacker's Skills, Knowledge, Resources, Authority, and Motives.
    • Vulnerabilities are weaknesses in victims that allow a threat to become effective.



    Who They Are

    • A rogue user is an authorized user who, without permission, accesses restricted assets.
    • A bogie is an unauthorized user who subverts security systems.
    • A cracker breaks into others' computing facilities for their own personal gain - be it financial, revenge, or amusement.
    • A hacktivist is a cracker with a cause. (Example of hacktivism: building Peekabooty to get around governments blocking websites.)
    • A terrorist uses fear to blackmail others into doing what they want.
    • White Hats are also called “ethical” hackers, such as the Axent (now Symantec) Tiger Team.
    • Black Hats disregard generally accepted social conventions and laws.

    • Script kiddie is a derogatory term for a wannabe cracker who lacks programming skills and thus relies on prewritten scripts and toolkits for their exploits.
    • Journeyman is an experienced hacker: someone who has collected many tools and made many connections.
    • A Puppet Master (wizard) produces exploits.
    • Malware is a generic term for malicious software such as trojan horses, worms, and viruses.
    • Warez is a nickname for pirated software (illegal copies of copyrighted software).
    • Serialz are serial numbers illegally shared to unlock software.

    • Espionage
    • Steganography

    Hackers congregate on the AntiCode site and at Blackhat Conferences.

    McAfee's virus and malicious code dictionary provides concise yet thorough explanations of key terms.

    Kevin Mitnick, the world's most notorious hacker, is now out of jail and plays a CIA computer expert on the ABC spy drama Alias.

    Defenders of networks go to Defcon.

    See also The Hacker Crackdown from Bruce Sterling of MIT.


    Target Assets (What's To Steal?)

      Assets on machines and network servers.
    • End Users' Information (trade secrets, customer data, personnel data, product plans, marketing plans, financial data, etc.).
    • Application Services (ports, memory to infect)
    • Registry settings (keys and values controlling service initiation and operation)
    • Audit settings
    • Group memberships and privileges
    • Permissions stored in ACLs


    • Disclosure of trade secrets and customer data.
    • Modification
    • Destruction - cost of cleanup (re-entry of data if lost)
    • Denial - cost of litigation with affected customers, partners, shareholders, etc.
    • Loss of reputation and of customer trust.
    • Loss of sales and customers to competitors.

    • Repetition of errors
    • Cascading of errors


    Loss Expectancy

    • Improper use of technology
    • Inability to control technology
    • Inability to react quickly enough
    • Concentration of data
    • Incorrect data entry

      The Customers of Hackers

      • Current or past staff
      • Private Investigators
      • Competitors, trade associations
      • Rivals in a takeover
      • Opposing litigants
      • The press
      • Criminals
      • Regulatory agencies
      • Foreign government intelligence agencies


    Physical Facilities Security: Prevention, Detection, Suppression

      The original table lists each threat with columns for Preventive, Detection, Suppression (Stop Loss) and Response & Recovery measures. Below, each threat is followed by its measures in that order, separated by semicolons where the original distinguished them.

      • Earth movement (earthquakes, slides, volcanoes): tie-downs.
      • Fire: floor slab flame-spread rating <= 25, 2 hr. rating on walls/ceilings, positive pressure from AC; smoke alarms, inspect for electrical code violations; sprinklers, extinguishers.
      • Water (falling rain, rising floods): shut-off valves.
      • Storms (wind, rain, snow, sleet, ice).

      • Telephone: alternative: cell phones.
      • Electrical power: UPS.
      • Equipment failure.
      • Personnel illness: health info library/classes, health club membership discounts; health screenings, medical exams; first aid kits, wheelchairs, gurneys.
      • Personnel loss (strikes, access, transport).

      • Petty theft (breaking & entering), vandalism: fences, gates; lighting, guards, escorts, CCTV, motion detectors, facial recognition; turnstiles, mantraps.
      • Siege (armed robbery, bombing): barriers, bullet-proof glass; detectors of metal and explosives; armed guards with radios.
      • Human error: job rotations; access logs, change logs, audits.
      • Sabotage, tampering: restricted areas, pre-employment background and reference checks, separation of job duties; post-employment security clearances, credit checks, supervisory ratings, employee satisfaction surveys, sting operations.
      • Toxic hazmat (hazardous materials) spills and radiation: label product, MSDS signs, safety education; carbon monoxide detectors, Fire Dept. inspections; FD hazmat team.


    Threats to Electronic Data

      The original table has three columns: Intrusion & Attack Modality, Dimension of Involvement (active or passive), and Attack Type (examples).

      Active:
    • Spam with junk mail (such as chain letters) to inform or annoy.
    • Denial of Service: overwhelm the target (IP SYN flooding, mail bombing, or Smurf with ICMP Echo Requests), or take advantage of software bugs (buffer overflow, Ping of Death, LAND).
    • Bacteria: corrupt live data or destroy the boot sector; make backup data unrecoverable.
      Passive:
    • Worms are self-propagating malicious code that executes unauthorized computer instructions. They can infect any component (boot record, registry, .exe and .com program files, macro scripts, etc.). They do not destroy data.
    • Viruses are worms that harm data.
    • Rabbits: runaway applications that consume all resources (memory on machines or bandwidth on networks).

      Interception of message stream
      Active:
    • Connection/session hijacking: an active Telnet session is seized.
    • Spoofing: altering the DNS namespace to set up web page redirection.
      Passive:
    • Eavesdropping with a wiretap: capture data in transit, using a packet sniffer (protocol analyzer) for network traffic analysis (patterns in text flow, packet size, etc.).
    • Compromised key: disseminate sensitive information for illicit gain or to embarrass organizations and individuals. [Sircam]

      Impersonation
      Active:
    • IP address spoofing: a rogue site intercepts authenticated communications between legitimate users and presents altered content as legitimate.
    • Man-in-the-middle spoofing: captured packets are tampered with and reinserted into an active session pipe.
    • Crack (decrypt passwords and ciphertext by brute force or other means).
    • Replay: reusing a captured authenticator.
    • DDoS (Distributed Denial of Service) attack.
    • DNS name server cache loading.
      Passive:
    • Trap doors (such as Sub7, NetBus patch, or Back Orifice) to bypass normal security and allow unauthorized/undetected entry.
    • Trojan horses inserted to reconfigure network settings or grant root access and permissions to an unauthorized person.

    • A LAND DoS attack puts TCP into a loop by sending it a TCP SYN packet with the source IP address and port number spoofed to be the same as the destination IP address and port.
    • A Smurf attack works by changing the return address of ICMP echo request messages. It is amplified when the requests are broadcast into the victim's IP network, which results in a flood of ICMP reply messages. ISPs are vulnerable if they do not set firewalls to drop ICMP messages and configure external Cisco routers with no ip directed-broadcast.
    • Others: invalid UDP Teardrop datagram attack; fraggle attacks.
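    As an added defender-side example (not part of the original page), the check below flags the two packet shapes just described: a LAND packet, whose source address and port equal its destination address and port, and an ICMP echo request aimed at a directed-broadcast address, the Smurf amplification step that the no ip directed-broadcast setting exists to stop. The packet records, field names and network ranges are constructed for the illustration.

```python
# Added example (not from the original page): flag the two packet shapes
# described above, using constructed packet records and network ranges.
from ipaddress import ip_address, ip_network
from typing import Dict, List

# Constructed: internal networks whose directed-broadcast addresses should
# never receive echo requests; a real deployment would load these from config.
LOCAL_NETS = [ip_network("192.0.2.0/24"), ip_network("198.51.100.0/24")]


def is_land(pkt: Dict) -> bool:
    """LAND: a TCP SYN whose source address/port equal its destination address/port."""
    return (pkt["proto"] == "tcp" and pkt.get("flags") == "S"
            and pkt["src"] == pkt["dst"] and pkt["sport"] == pkt["dport"])


def is_smurf_amplification(pkt: Dict) -> bool:
    """Smurf: an ICMP echo request (type 8) aimed at one of our directed-broadcast addresses."""
    if pkt["proto"] != "icmp" or pkt.get("icmp_type") != 8:
        return False
    dst = ip_address(pkt["dst"])
    return any(dst == net.broadcast_address for net in LOCAL_NETS)


def classify(pkts: List[Dict]) -> List[str]:
    """One verdict per packet: 'land', 'smurf' or 'ok'."""
    verdicts = []
    for p in pkts:
        if is_land(p):
            verdicts.append("land")
        elif is_smurf_amplification(p):
            verdicts.append("smurf")
        else:
            verdicts.append("ok")
    return verdicts


# Constructed sample traffic: a LAND packet, a directed-broadcast echo request,
# a normal SYN to a web server, and a normal unicast ping.
SAMPLE = [
    {"proto": "tcp", "flags": "S", "src": "192.0.2.10", "sport": 139,
     "dst": "192.0.2.10", "dport": 139},
    {"proto": "icmp", "icmp_type": 8, "src": "203.0.113.7", "dst": "192.0.2.255"},
    {"proto": "tcp", "flags": "S", "src": "203.0.113.7", "sport": 40000,
     "dst": "192.0.2.10", "dport": 80},
    {"proto": "icmp", "icmp_type": 8, "src": "203.0.113.7", "dst": "192.0.2.10"},
]

if __name__ == "__main__":
    for p, v in zip(SAMPLE, classify(SAMPLE)):
        print(f"{v:5} {p['src']} -> {p['dst']}")
```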

      See also the UC Davis Vulnerabilities Project.


    The Five Phases of Attack/Intrusion/Incursion

      Corporate security policies typically define these activities as unacceptable:
      1. Outside Reconnaissance - Probing
      2. Penetration - Inside Reconnaissance
      3. Escalate Privilege - Gain Foothold and Pillage
      4. Expand Influence - Exploit and Cleanup to cover tracks
      5. Profit

    1. Outside Reconnaissance

      Like a burglar casing the joint, obtain publicly available information as a normal anonymous user or potential customer.

      Network Reconnaissance of the footprint of the target system:

      • traceroute to present potential access paths and vulnerable entry points through the target network.
      • Look for web server version information using the tool Grinder to scan a series of IP addresses.

      Network enumeration - listing domain names and networks related to an organization from:

      Telecom devices (such as PhoneSweep) programmatically dial large banks of phone numbers, log valid data connections, attempt to identify the system on the other end of the phone, and optionally attempt logon by guessing common usernames and passphrases.

      DNS Interrogation - If zone transfers are enabled over a network, a hacker can intercept it.

      OS and Service Detection - Use NMAP from Phrack to determine what OS and services are active on a subnet.

      IP stack signatures reveal the vendors, each with their own vulnerabilities (exploitable bugs).

      The LSA secrets hack exploits the registry key HKLM\Security\policy\secrets, which stores cached credentials, web/ftp passwords, and the machine account password as well as service accounts. References include HEW2K and "Stealing Passwords from Microsoft Operating Systems" by Marcus H. Sachs, March 14, 2001.

    2. Inside Reconnaissance

      eTrust from Computer Associates can capture the packets of all protocols on a network and save (non-SSL) pages viewed on desktops. Scary.

      Use techniques which do not harm target machines.

      Identify which machine names are alive with a ping sweep.

      Identify which services are available on each machine using a UDP/TCP port scan/strobe.

      Look for CGI scripts by walking through and capturing web pages.

      DNS zone transfer

      Identify which machines have NetBIOS vulnerabilities. Traditionally, attacks against Windows 2000 have been against the SMB service. More recently, they come through the IIS web service, which is installed by default.

      List Folder Contents

    3. Exploit

      Take advantage of vulnerabilities to break into target systems:
      • Crack logon passwords using dictionary or brute-force attempts using

      • Obtain elevated privileges (root) by taking advantage of buffer-overrun holes or determine NIDS thresholds by sending large amounts of data.

      • Modifying cookies to access other accounts.
      • Sending shell commands in input fields.
      • Modifying SQL query strings in GET commands.
      • Initiate emails infected with worms and Trojan horse viruses

    4. Foothold (Got Root!)

      Once elevated privilege is obtained:
      1. Hide evidence of intrusion in log files. Security Log Event IDs worth watching:
        • 612 - The audit policy has changed, perhaps maliciously.
        • 640 - A change has been made to the SAM database. (Was it you?)
        • 531 - An attempt was made to log on using a disabled account. (Why would anyone want to do this?)
        • 539 - A logon attempt was made and rejected because the account was locked out. (Why would anyone want to do this?)
        • 529 - An attempt was made to log on using an unknown user account or using a valid user account but with an invalid password. (An unexpected increase in the number of these audits might indicate an attempt to guess passwords.)
        • 517 - The audit log has been cleared. (Is an attacker attempting to cover her tracks?)
        • 624 - A user account has been created. (Was it created by a trusted person?)
        • 628 - A user account's password has been set. (Was this done by a trusted person?)

      2. Reduce detection during future incursions:
        • Replace services with backdoor trojan horses such as “Back Orifice”. Example: the Melissa virus installed a program named “Explore”.
        • Create accounts with full Privileges
        • Install a rootkit

      3. Provide services to other hackers, such as storing files on the compromised machine for others to obtain. This is done by announcing availability on IRC (Internet Relay Chat).

      4. Use the infected system to launch Distributed Denial of Service attacks on another target. This is done by installing zombies (evilbots) such as sub7, which enable infected machines to infect other machines, achieving a “snowball effect” chain reaction.

        Note: A DDoS attack can be made more lethal by coding the attack to strike at a single time (such as April 1st) and/or address (such as

      5. To reduce the chance of being filtered and to make it more likely that intermediate targets get themselves infected, a virus may be coded to
        • Masquerade as the actual user and send emails from the address books of infected hosts. This is because most email filters do not filter out email specifically addressed to the recipient.
        • Use enticing subjects (such as "naked wife", celebrity names, or, in the case of Sircam, words extracted from the intermediate host's personal files).
        • Generate a list of 100 random IP addresses to scan for new servers to infect.
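    As an added example (not part of the original page), a small triage routine over the Security Log event IDs listed under "Hide evidence of intrusion" above: single occurrences of 517, 612, 624, 628 and 640 each raise an alert, and a burst of 529 failures inside a short window raises the password-guessing alert the list hints at. The log records, the comma-separated format, the threshold and the window are all constructed assumptions.

```python
# Added example (not from the original page): triage of Windows Security Log
# events using the event IDs listed above. Records and thresholds are constructed.
from collections import deque
from datetime import datetime, timedelta
from typing import Deque, List, Tuple

# Single events worth a look (descriptions as given on the page).
SINGLE_EVENT_ALERTS = {
    517: "audit log cleared",
    612: "audit policy changed",
    624: "user account created",
    628: "user account password set",
    640: "SAM database changed",
}
LOGON_FAIL = 529  # unknown account or bad password; bursts suggest guessing


def parse(line: str) -> Tuple[datetime, int, str]:
    """Parse a constructed 'ISO-timestamp,event_id,account' record."""
    ts, eid, acct = line.split(",", 2)
    return datetime.fromisoformat(ts), int(eid), acct


def triage(lines: List[str], guess_threshold: int = 3,
           window: timedelta = timedelta(minutes=1)) -> List[str]:
    """Return alert strings, in log order, for the records that deserve review."""
    alerts: List[str] = []
    recent_fails: Deque[datetime] = deque()  # 529 timestamps inside the window
    for line in lines:
        ts, eid, acct = parse(line)
        if eid in SINGLE_EVENT_ALERTS:
            alerts.append(f"{ts.isoformat()} {eid} {SINGLE_EVENT_ALERTS[eid]} ({acct})")
        elif eid == LOGON_FAIL:
            recent_fails.append(ts)
            while ts - recent_fails[0] > window:  # slide the window forward
                recent_fails.popleft()
            # Fire once per burst: exactly when the count reaches the threshold.
            if len(recent_fails) == guess_threshold:
                alerts.append(f"{ts.isoformat()} 529 x{guess_threshold} within "
                              f"{int(window.total_seconds())}s: possible password guessing")
    return alerts


# Constructed sample log: failed logons in quick succession, a new account, then the log cleared.
SAMPLE_LOG = [
    "2001-03-14T02:00:00,529,administrator",
    "2001-03-14T02:00:05,529,administrator",
    "2001-03-14T02:00:09,529,administrator",
    "2001-03-14T02:01:00,624,backup2",
    "2001-03-14T02:02:30,517,administrator",
]
```

Calling triage(SAMPLE_LOG) yields three alerts: the 529 burst at 02:00:09, the account creation, and the cleared audit log.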

    5. Profit from Attack
      1. Steal information (such as credit card numbers and passwords). On Windows client machines, sensitive files are typically stored in the default “My Documents” folder.

      2. Run up charges by using the modem to dial and reach a 900 number at a remote country such as Trinidad

      3. On client browsers, point the default website to a malicious site.

      4. Deface web pages served on web servers (such as IIS). Examples:



    Portions ©Copyright 1996-2014 Wilson Mar. All rights reserved. | Privacy Policy |

