Network Security
Hey there! Loons here!
Today's post is a longer one, so we're going to dive right in. We'll be talking about network security and the different ways nefarious entities try to keep the upper hand.
In today’s world, with our reliance on computers at an all-time high, it is no wonder that criminals and nefarious entities have turned to attacks on computer systems to get what they seek. This can come in the form of direct attacks on individuals to steal sensitive information or larger-scale attacks on businesses or networks meant to do as much financial damage as possible. Sometimes, this is for financial gain or perhaps to convince a company or individual to do or not do something. This paper will give some details on a few types of attacks, what symptoms will help you know you are being attacked, and what options we have to attempt to prevent these types of attacks.
The first example we will review is the DoS attack, or denial-of-service attack. These attacks can be executed using ping commands. In a denial-of-service attack, a massive number of pings is sent to a particular website, which overloads that website’s server and makes it impossible for the web server to handle requests from actual people. The pings are usually sent all at once from an array of infected computers (a botnet) under the attacker's control. These attacks hold a website in limbo so that whoever is running it cannot make money or continue business as usual, thus denying service to those trying to access that site.
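As an added example (not code from the original post), here is a small detector written from the defender's side of the attack just described: it reads constructed firewall-style log lines, counts ICMP echo requests per source and per one-second window, and flags both a single noisy source and the botnet case, where many infected machines each stay under the per-source limit but the total still overwhelms the server. The log format, thresholds and IP addresses are all assumptions made for the demo.

```python
import re
from collections import Counter

# Assumed log format: "<epoch seconds> ICMP echo-request <src> -> <dst>"
LINE_RE = re.compile(
    r"^(?P<ts>\d+) ICMP echo-request (?P<src>[\d.]+) -> (?P<dst>[\d.]+)$"
)


def parse_icmp_log(lines):
    """Yield (one-second window, source IP, destination IP) for each ICMP
    echo-request line; lines for other protocols are ignored."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield int(m.group("ts")), m.group("src"), m.group("dst")


def detect_ping_flood(lines, per_source_limit=20, aggregate_limit=100):
    """Return a list of alerts.

    ("single-source", window, src, count)  one source sent more than
        per_source_limit echo requests within a one-second window.
    ("distributed", window, None, total)   the window total exceeded
        aggregate_limit, which catches an array of infected machines that
        each stay under the per-source limit.
    """
    per_window_src = Counter()
    per_window = Counter()
    for window, src, _dst in parse_icmp_log(lines):
        per_window_src[(window, src)] += 1
        per_window[window] += 1

    alerts = []
    for (window, src), n in sorted(per_window_src.items()):
        if n > per_source_limit:
            alerts.append(("single-source", window, src, n))
    for window, total in sorted(per_window.items()):
        if total > aggregate_limit:
            alerts.append(("distributed", window, None, total))
    return alerts


def build_sample_log():
    """Constructed traffic for the demo: two benign pings, one loud host,
    a non-ICMP line that must be ignored, then 30 bots sending 5 pings each
    (150 in one second, none of them individually over the limit)."""
    fmt = "{ts} ICMP echo-request {src} -> 203.0.113.10"
    lines = [fmt.format(ts=1700000000, src="198.51.100.7")] * 2
    lines += [fmt.format(ts=1700000001, src="198.51.100.9")] * 50
    lines.append("1700000001 TCP syn 198.51.100.9 -> 203.0.113.10")
    for i in range(30):
        lines += [fmt.format(ts=1700000002, src=f"192.0.2.{i + 1}")] * 5
    return lines


if __name__ == "__main__":
    for alert in detect_ping_flood(build_sample_log()):
        print(alert)
```

The two thresholds do different jobs: the per-source limit catches one misbehaving host, while the aggregate limit is what notices a distributed flood, since no single bot in the sample ever exceeds five pings per second. In practice both numbers are set from a baseline of normal traffic to the server rather than picked in advance.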
Another example of a computer security incident would be the act of phishing. Computer systems are vulnerable to this type of attack because the weak point is not the system itself but the end user. If the end users are not educated enough to recognize a phishing attempt when it is happening, that is when damage can be done. Phishing is done in multiple ways, but the concept is the same: get the end user to provide the information needed by tricking them into thinking the person or program asking for it is legitimate. This is nothing new; in fact, in a book published in 2005 titled “Phishing Exposed,” James Lance goes into detail about some of the different types of phishing attacks. According to Lance, one of the earlier phishing methods was using popups and tricking people into clicking somewhere while the actual box was behind the popup (Lance 2005). This is interesting because it is something that simply would not work today. Every browser available now has some sort of pop-up blocker, and even if it did not, antivirus programs have gotten much better at detecting these sorts of things. Phishing can be among the easiest attacks to defend against while also causing considerable damage when an attempt succeeds. With a phishing attempt, the attacker can gain the credentials of anyone who makes the mistake of falling for it, so unlike other attacks, it’s not just entry-level information that could be accessed; one could get the security credentials of the CEO of a company and do a lot of damage. They could get the credentials of an IT person and gain access to every system that IT person has access to. This could snowball into access to financial records or important business secrets such as the formula for Coke or the Krabby Patty secret formula. The best defense against phishing attacks is education.
If the entirety of an employee base understands how to spot phishing attempts and is educated on the damage they can cause, then phishing becomes useless. Phishing is effective because of a lack of education, but it is also effective because of carelessness. Even those educated on phishing can get hit with an attack if they have too much on their plate or are careless when opening emails. If I were to make another recommendation, beyond education, for preventing phishing attacks, it might be to have reminders in all email programs, when opening a message, to be sure to check where the email is coming from. Things like this might even benefit from the use of white-hat hackers to see who in your company might fall for such an attack, and then use targeted education to help these people.
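The "check where the email is coming from" reminder above can be partly automated. As an added example, not from the original post, this helper inspects a message's From and Reply-To headers and returns the reasons it looks suspicious: a display name that borrows a trusted brand while the address belongs elsewhere, a Reply-To that sends replies to a different domain, and an address domain that is a one-character or embedded lookalike of a trusted domain. The trusted-domain list and the two sample messages are constructed assumptions; real deployments would also check authentication results such as SPF and DKIM, which this demo leaves out.

```python
import email
from email.utils import parseaddr

# Assumed list of domains the organisation treats as trusted senders.
TRUSTED_DOMAINS = {"bank.example", "corp.example"}


def edit_distance(a, b):
    """Levenshtein distance, used to spot one-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_warnings(raw_message, trusted=TRUSTED_DOMAINS):
    """Return a list of human-readable reasons the sender looks suspicious
    (empty list means nothing stood out)."""
    msg = email.message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    reply_domain = reply_addr.rpartition("@")[2].lower()

    if not from_addr:
        return ["missing or unparseable From address"]

    warnings = []
    for t in sorted(trusted):
        brand = t.split(".")[0]
        # 1. display name drops a trusted brand, but the address is elsewhere
        if brand in from_name.lower() and from_domain != t:
            warnings.append(
                f"display name mentions {brand!r} but address is @{from_domain}"
            )
    # 2. replies are routed to a domain other than the apparent sender's
    if reply_domain and reply_domain != from_domain:
        warnings.append(
            f"Reply-To domain {reply_domain} differs from From domain {from_domain}"
        )
    for t in sorted(trusted):
        brand = t.split(".")[0]
        # 3. the sending domain is a near-miss or embeds the trusted brand
        if from_domain != t and (
            edit_distance(from_domain, t) <= 1 or brand in from_domain
        ):
            warnings.append(f"{from_domain} looks like trusted domain {t}")
    return warnings


# Constructed sample messages (not real mail).
LEGIT_MESSAGE = """From: Bank Alerts <alerts@bank.example>
To: me@corp.example
Subject: Statement ready

Your monthly statement is available.
"""

PHISH_MESSAGE = """From: Bank Security <security@bank-example.test>
Reply-To: helpdesk@mailer.test
To: me@corp.example
Subject: Verify your account now

Your account will be locked unless you confirm your PIN today.
"""


if __name__ == "__main__":
    for label, raw in (("legit", LEGIT_MESSAGE), ("phish", PHISH_MESSAGE)):
        print(label, sender_warnings(raw) or ["no warnings"])
```

The checks deliberately produce explanations rather than a single score, because the point of the reminder is to teach the reader what to look at: the visible name, the real address behind it, and where a reply would actually go.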
The last type of attack we will go over here is one I deal with in the customer service industry. The type of attack I am referring to is called social engineering. Social engineering is performed directly between the person trying to gain information and the person who might let that information slip. This includes the practice of phishing that was mentioned earlier in the paper. This could be something as simple as making up an extreme story meant to garner sympathy so that an employee might let the rules bend or break a single time. Everyone has heard stories of the Nigerian prince scams. According to Hadnagy, these scams were so common that they gained the name “419” fraud, named after the article of Nigerian law that deals with fraud (Hadnagy 2018). One example we were shown in a specific training about social engineering was using a baby’s cry to get an employee to break the rules. In that example, the caller calls in distraught, with her baby crying extremely loudly beside the phone. She tells the employee that she does not have her PIN but needs it to access something on the account that will help her help her child. Seeing this on paper, it may seem obvious that it is a poor attempt to break through, but in the moment, when you’re disoriented by the loud noises and the intensity of the person, you might not act like you normally would, and that’s the entire point of their actions. It is essential to understand that social engineering is not just something that affects dumb people or people who do not care. Social engineers play on your emotions and perceived understanding to get you to be the weak point in security. They create different triggers that may be specific to you if they have gained enough information about you.
According to Hadnagy, these attacks affect CEOs and college professors just as much as they do frontline employees. One professor fell for a 419 scam so severely that he stole from his school's treasury, and even after being caught by the FBI, he accused agents of trying to take the money for themselves (Hadnagy 2018). In the crying-baby example, once the caller had that PIN, they could access the customer's account as if they owned it. They do not need complicated computer systems or underground lairs; they have gained access to the only thing they need. Why learn to lockpick when you can simply ask for the key? One recommendation for protecting against this type of attack is having an extremely strict set of rules and reiterating to yourself and your employees that the rules are not to be broken even in the most extreme circumstances. As with phishing attempts, education is another vital component of protecting against these attacks. Since watching that video about the crying baby, I have been hyper-vigilant when someone has some insane story to tell. It may feel weird in the moment, but in most cases, whoever you are speaking with has an alternative. Most notably, those claiming to be in emergency situations can simply call 911. I am always wary of someone who tells me there is an emergency, but they chose to call their phone company instead of 911.
It's a wild world out there, folks, but if you stay aware, you can be sure you never have to face the hardships of being a victim of one of these attacks.
Until next time! Thank you for reading!
