The methodology of the attackers
- Reconnaissance (surveillance)
  » find hosts (IP address search)
  » find the type of host (OS fingerprint), and firewalls too
  » find KNOWN bugs (known to them)
- Exploitation
- Post break-in: escalation of privilege (a user attacks root)
- Hiding their tracks (post or pre break-in)
  » root shells on UNIX
Scanning is one basic methodology
- finding IP dst addresses
  » single source
  » multiple sources
- scanning one IP dst for open TCP ports / UDP ports
- then launch an exploit
  » the launcher may be a human or a program
Finding IP dst addresses
- There are many tools on the Internet you may download and use to find the available IPs in one subnet
  » sectools.org
  » SuperScan, LaySurveror, IPScan, etc.
Scanning one IP dst
- Right after discovering a target IP, port-scanning software can be employed, i.e. nmap, NetworkActivPortScann, etc.
- Or Nessus
Email: another methodology
- send the program via email
  » the user naively executes the attachment
  » or perhaps it is auto-launched in some cases
- social engineering may be of use
  » "hi handsome ..."
  » "I love u ..."
- malware uses the address book to launch itself at the next targets
  » possibly with a fake sender
Define some terms (Must Know)
- exploit: a piece of code that exploits a software bug leading to a security hole
- virus: a malware program that somehow rides on the back of another vehicle but doesn't move itself
- worm: a malware program that provides its own transit
- trojan horse: a malware program that somehow appears as something else entirely
Define some terms (Must Know), cont.
- footprint/signature: some log entry or other trace left behind by an attack
- signature (in the IDS sense): some way to identify a particular virus/worm/exploit attack
  » perhaps using pattern matching to identify that a file/packet has a known attack in it
- forensics: the process of figuring out just how an attack occurred, after the attack succeeded
  » possibly including collecting evidence for a criminal case against a defendant
Define some terms (Must Know), cont.
- forensics again, important idea: if we can't figure out how they got in, how can we keep them out next time?
- counter-measures: just what the whitehats do to keep the blackhats out
  » or what you do to WATCH for them, on your network or hosts
  » what did you do to make your web server safer?
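As an added example (not from the slides), here is the "watch for them" side of the scanning methodology above: a footprint detector that reads a constructed connection log and flags both the single-source case (one src probing many ports on one dst) and the multiple-source case (the ports pooled across several sources reach the threshold while no single source does). The log format, the thresholds and all addresses are assumptions made up for the demo.

```python
from collections import defaultdict

# Constructed sample log (not real traffic): "<time> <src> -> <dst>:<port>/<proto> <flag>"
SAMPLE_LOG = """\
10:00:01 203.0.113.5 -> 192.0.2.10:22/tcp SYN
10:00:01 203.0.113.5 -> 192.0.2.10:23/tcp SYN
10:00:02 203.0.113.5 -> 192.0.2.10:80/tcp SYN
10:00:02 203.0.113.5 -> 192.0.2.10:443/tcp SYN
10:00:03 198.51.100.9 -> 192.0.2.10:80/tcp SYN
10:00:04 198.51.100.7 -> 192.0.2.20:21/tcp SYN
10:00:04 198.51.100.7 -> 192.0.2.20:25/tcp SYN
10:00:05 198.51.100.8 -> 192.0.2.20:53/udp PKT
10:00:05 198.51.100.8 -> 192.0.2.20:443/tcp SYN
"""

def parse_line(line):
    """Split one log line into (src, dst, proto, port)."""
    _time, src, _arrow, target, _flag = line.split()
    dst, port_proto = target.rsplit(":", 1)
    port, proto = port_proto.split("/")
    return src, dst, proto, int(port)

def collect_probes(log_text):
    """Group probes as per_dst[dst][src] -> set of (proto, port) touched."""
    per_dst = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        if line.strip():
            src, dst, proto, port = parse_line(line)
            per_dst[dst][src].add((proto, port))
    return per_dst

def find_port_scans(log_text, threshold=4):
    """Single-source case: one src touching >= threshold distinct ports on one dst."""
    hits = {}
    for dst, by_src in collect_probes(log_text).items():
        for src, ports in by_src.items():
            if len(ports) >= threshold:
                hits[(src, dst)] = sorted(ports)
    return hits

def find_distributed_scans(log_text, threshold=4, min_sources=2):
    """Multiple-source case: pooled ports reach the threshold, no single source does."""
    hits = {}
    for dst, by_src in collect_probes(log_text).items():
        pooled = set().union(*by_src.values())
        widest = max(len(ports) for ports in by_src.values())
        if len(by_src) >= min_sources and len(pooled) >= threshold > widest:
            hits[dst] = (sorted(by_src), sorted(pooled))
    return hits
```

The thresholds are deliberately low for the tiny sample; on a real network they are tuned against the normal port spread of legitimate clients so that a browser hitting 80 and 443 is not reported.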
Define some terms (Must Know), cont.
- define "secure": maybe we should all say "safer"
- backdoor
- social engineering attack
- buffer overflow
- dictionary attack
  » oh wait, we have the Morris worm for those terms
Security Principles and Components
- Asset and Risk Based INFOSEC (Information Security) Lifecycle model (ARBIL)
  » A model representing an information security life cycle that can work for any organization