Virus: this is malicious software. Typically, the key with a virus is that it needs a host system to run on, just like a biological virus. So it seeks a host to infect and then, once it hijacks that host, it replicates itself somehow. In order for a virus to run, it requires a user interaction of some kind. For each host it infects, somebody has to click something. So you receive an email with a virus attachment; if you click on the attachment, your machine is infected. It may now take your address book and send the virus, replicate that, to everybody in your address book. If you've got 100 people in your address book, 200 people, then each of those 100 people, if they click on the attachment, it's activated on their machine, and so on. Email is a very common attack vector; removable media, things like USB drives, again a very common attack vector.

Antivirus products, sometimes called EDR, Endpoint Detection and Response products, don't typically just deal with viruses anymore. These products deal with viruses, but they do so much more, and we'll look at the more as we move through the next few slides. But they typically learn what the threat looks like: somebody has created a signature, a way of recognizing a virus. If they recognize the virus, if it isn't a zero-day threat, they can recognize it and hopefully isolate, contain and remove. But again, I'd stress that point about user training with zero-day threats: antivirus products are going to be partially effective or even ineffective, so we need our users to be part of this security journey for us. Don't just rely on technical controls.

A worm, then. A worm is another piece of malicious software, but the key difference is that a worm is self-replicating. It relies on a weakness in a network protocol. These are seen less often, but they are completely debilitating; these are devastating.
The reason for this is that once a user activates them on one system, any other network device with the same technical vulnerability can be infected without user interaction. So let's say you have a network with 10,000 devices on it. A user receives an email with a worm in an attachment. One user clicks on the attachment, on the payload, and activates the worm. The worm can now infect all 10,000 machines, assuming that they are vulnerable, assuming that they've got the same weakness. This is typically what creates problems on a massive scale, and we have seen this take down national networks, pretty impressive in terms of the capability. Just think about the difference, then, between this and a virus: we said that a virus comes in, one user is infected with the virus, and it would then be distributed via the address book to everybody on the network, but each individual would need to click on it to activate it.

Attack vectors, then: usually this comes in via an email. And the example I gave of a worm being accompanied by another threat could be something like WannaCry. That was delivered via email; it had a worm element and a ransomware element. On the first user on a network that clicked on the payload, it deployed ransomware and started encrypting the local files and any network files. But with WannaCry, what made it so very effective is that there was a worm component, and the worm component spread via one of those network file sharing protocols across all connected devices on the network. That's why WannaCry made such big headlines at the time. So, yeah, it enters the network usually via email. Antivirus products can help, or what we said, EDR, Endpoint Detection and Response products, can help if the threat is one that's recognized. We may need to make sure our patches are up to date. WannaCry is a really good example of a worm. The worm element was ineffective, even if the ransomware was deployed, if your EDR didn't pick it up.
The worm was ineffective if you had patched your Windows platform, because WannaCry relied on a compromised file sharing protocol, SMB. If you'd patched your Windows device, that weakness was no longer present and the worm could not spread across your network. So typically I saw two types of scenario where WannaCry took place: either one machine was infected because the user had clicked on the attachment, but the worm didn't work, in which case it was pretty easy to solve; or, where they had not patched their systems, the entire network was compromised. Such a big difference. So these file sharing protocols are updated through patches, and it goes to the importance of regular proactive maintenance, those patches, not just relying on antivirus products, but again coming back to the importance of users and training.

Trojans. Trojans try to avoid detection; these are stealthy things. What they try to do, typically, is to create remote access. The prime function is to hide, to be evasive. If you think about the Trojan War, the word Trojan comes from the image of the Trojan horse. Some attackers couldn't break into the city of Troy, the Greeks couldn't break into the city of Troy. So they said, we give up, we're going home, and they left behind a present. The present was a giant wooden horse. The Trojans foolishly took the horse into the city, and that night what happened was, everybody, I'm guessing, had a big party to celebrate the end of the war. Out of the wooden horse came a few Greek soldiers who provided remote access: they opened the city gates. This is a really good metaphor for what a Trojan does on a technical basis. They try to avoid detection, gaining access to your network, kind of like the Trojan horse. And then, once they're in, usually what they're trying to do is to provide remote access, some way for people to gain remote access to your network.
Now, in order to provide remote access, there are lots of malicious tools out there that will allow the attacker to do this. But we also have the concept of living off the land, and living off the land is where we can use built-in capabilities of the target system. So in Windows we have the Remote Assistance capability: you can provide remote desktop access to somebody else with three or four different mouse clicks, I think Start, Programs, Accessories, System Tools, Remote Assistance. But there are other products on Linux or UNIX platforms. You have SSH, which can be misused or misconfigured, and also Netcat, which may be installed. And again, both can be used to facilitate remote access. And with SSH, it can be very hard sometimes to identify the misuse of SSH because it's one of those common secure protocols, as we saw in the last module; people expect to see it.

We have the idea of an On-Path or In-Path Attack, and what you're doing here is sitting in the line of communications; this is a man-in-the-middle attack. Which elements of the CIA could be compromised? Well, we've kind of answered this. If you're sitting in between two parties, if you're sitting in the middle of a conversation, you could compromise the confidentiality by reading the messages. You could alter the messages: instead of a Yes, you could change it to a No, and that's affecting the integrity. Or you could delete some of the messages, affecting availability. Just think back to our layer one and layer two devices. Hubs send everything to everybody; this is a pretty poor way of working. Switches, as we said, are much more secure because they filter the collision domains: they only connect those directly addressed parties, from one MAC address to another.

We have the idea of an Evil Twin Attack. An Evil Twin Attack is where you take some of the information that clients broadcast.
When you walk into an area with your smartphone, your cell phone or your laptop, your device is sending out what are called probe requests. Basically, they work their way down all the wireless networks that you have the key for: your corporate network, education network, your home wireless network, anything that you've ever connected to. These probe requests say, hey, I'm looking for Corporate Network SSID, a Corporate Network wireless name, or whatever. And if your device knows about 20 wireless networks, it's going to keep issuing those different probe requests for all 20 networks. I'm looking for somebody that can provide me with wireless access; that's what your device is saying.

Now, what an attacker can do is pick up these probe requests and say, what, you're looking for this network? They can then create that network, and there are hardware devices like the WiFi Pineapple that will do this automatically. They look for networks that are being requested or sought and they will automatically create that network. And when you connect, you're not connecting to the legitimate network, you're connecting to a copy of that network, connecting to the attacker's machine. This is a really good way of facilitating an On-Path Attack or a man-in-the-middle attack. They're connecting to your machine, they are using your machine and trusting your machine for things like domain name lookups: what's the IP address of a social media site? The attacker could give the response: it's my machine. I'm the attacker's machine, he is the social media website, and they can create a fake portal to capture your credentials and so on. The possibilities are almost endless.
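Looking at the evil twin from the defender's side, as an added example that is not part of the lecture: the script below assumes a constructed inventory of our own access points (SSID, known BSSIDs, expected security) and a constructed scan result, and flags any access point that advertises one of our SSIDs from an unknown BSSID or with weaker security than we deploy.

```python
# Added example, not from the lecture: flag likely evil-twin access points in
# a wireless scan. Assumes a constructed inventory of our own legitimate APs
# (SSID -> known BSSIDs and expected security); any AP advertising one of our
# SSIDs from an unknown BSSID, or with weaker security than we deploy
# (e.g. open instead of WPA2), is reported. SSIDs we do not own are ignored.
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessPoint:
    ssid: str
    bssid: str
    security: str  # "open", "wpa2" or "wpa3"


# Hypothetical inventory of our legitimate APs (constructed values).
KNOWN_APS = {
    "CorpNet": {"bssids": {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"}, "security": "wpa2"},
    "Guest": {"bssids": {"aa:bb:cc:00:00:10"}, "security": "wpa2"},
}
SECURITY_RANK = {"open": 0, "wpa2": 2, "wpa3": 3}


def find_evil_twins(scan, known=KNOWN_APS):
    """Return [(AccessPoint, reason)] for APs that look like rogue copies of an SSID we own."""
    findings = []
    for ap in scan:
        expected = known.get(ap.ssid)
        if expected is None:
            continue  # not our SSID, nothing to compare against
        reasons = []
        if ap.bssid.lower() not in expected["bssids"]:
            reasons.append("unknown BSSID advertising our SSID")
        if SECURITY_RANK[ap.security] < SECURITY_RANK[expected["security"]]:
            reasons.append(f"security downgraded to {ap.security}")
        if reasons:
            findings.append((ap, "; ".join(reasons)))
    return findings


# Constructed scan: two legitimate CorpNet radios, an open rogue CorpNet copy,
# a Guest copy on an unknown BSSID, and an unrelated neighbouring network.
SAMPLE_SCAN = [
    AccessPoint("CorpNet", "aa:bb:cc:00:00:01", "wpa2"),
    AccessPoint("CorpNet", "aa:bb:cc:00:00:02", "wpa2"),
    AccessPoint("CorpNet", "de:ad:be:ef:00:01", "open"),
    AccessPoint("Guest", "de:ad:be:ef:00:02", "wpa2"),
    AccessPoint("CoffeeShop", "00:11:22:33:44:55", "open"),
]

if __name__ == "__main__":
    for ap, why in find_evil_twins(SAMPLE_SCAN):
        print(f"ALERT {ap.ssid} on {ap.bssid}: {why}")
```

A real deployment would feed this from a wireless IDS or a periodic scan on a monitoring client; the BSSID check catches the copy, and the security check catches the common case where the rogue network is left open so that any client will join it.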