Chapter 17: Preventing and Responding to Incidents
Implementing Detective and Preventive Measures
We’ve attempted to avoid duplication of specific attacks but also to provide comprehensive coverage of different types of attacks throughout this book. In addition to this chapter, you’ll see different types of attacks in other chapters. For example, Chapter 14, “Controlling and Monitoring Access,” discusses some specific attacks related to access control; Chapter 12, “Secure Communications and Network Attacks,” covers different types of network-based attacks; and Chapter 21 covers various types of attacks related to malicious code and applications.
Botnets
Botnets are quite common today. The computers in a botnet are like robots (referred to as bots and sometimes zombies). Multiple bots in a network form a botnet and will do whatever attackers instruct them to do. A bot herder is typically a criminal who controls all the computers in the botnet via one or more command-and-control servers. The bot herder enters commands on the server, and the zombies check in with the command-and-control server to receive instructions. Zombies can be programmed to contact the server periodically or remain dormant until a specific programmed date and time, or in response to an event, such as when specific traffic is detected. Bot herders commonly instruct the bots within a botnet to launch a wide range of attacks, send spam and phishing emails, or rent the botnets out to other criminals.
Computers are typically joined to a botnet after being infected with some type of malicious code or malicious software. Once the computer is infected, it often gives the bot herder remote access to the system and additional malware is installed. In some cases, the zombies install malware that searches for files including passwords or other information of interest to the attacker or include keyloggers to capture user keystrokes. Bot herders often issue commands to the zombies, causing them to launch attacks.
Botnets of more than 40,000 computers are relatively common, and botnets controlling
millions of systems have been active in the past. Some bot herders control more than one
botnet.
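The periodic check-in described above is something a defender can look for in outbound connection logs: a zombie that polls its command-and-control server on a fixed timer produces connections to the same destination at near-constant intervals. The following script is an added example, not from the book; it parses constructed firewall-style log lines (hypothetical hosts and documentation-range addresses), groups connections by source and destination, and flags pairs whose inter-connection gaps are regular.

```python
"""Flag periodic outbound connections that resemble botnet check-ins.

Added example (not from the textbook). The log format, hosts and
addresses below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log lines: "<iso-timestamp> <src_ip> -> <dst_ip>:<dst_port>"
# 10.0.0.15 reaches 203.0.113.7:443 every ~5 minutes (the suspicious pattern)
# and 198.51.100.4:443 at irregular times (ordinary browsing).
SAMPLE_LOG = """\
2024-05-01T09:00:00 10.0.0.15 -> 203.0.113.7:443
2024-05-01T09:00:12 10.0.0.15 -> 198.51.100.4:443
2024-05-01T09:05:01 10.0.0.15 -> 203.0.113.7:443
2024-05-01T09:07:40 10.0.0.15 -> 198.51.100.9:80
2024-05-01T09:10:00 10.0.0.15 -> 203.0.113.7:443
2024-05-01T09:14:59 10.0.0.15 -> 203.0.113.7:443
2024-05-01T09:20:02 10.0.0.15 -> 203.0.113.7:443
2024-05-01T09:21:13 10.0.0.15 -> 198.51.100.4:443
2024-05-01T09:25:00 10.0.0.15 -> 203.0.113.7:443
2024-05-01T09:30:01 10.0.0.15 -> 203.0.113.7:443
2024-05-01T09:33:27 10.0.0.15 -> 198.51.100.4:443
2024-05-01T09:48:11 10.0.0.15 -> 198.51.100.4:443
2024-05-01T09:51:02 10.0.0.15 -> 198.51.100.4:443
"""


def parse_log(text):
    """Parse the constructed log format into (timestamp, src, dst) tuples."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, src, arrow, dst = line.split()
        if arrow != "->":
            raise ValueError(f"unexpected log line: {line!r}")
        events.append((datetime.fromisoformat(ts), src, dst))
    return events


def detect_beacons(text, min_connections=5, max_cv=0.10):
    """Return (src, dst) pairs whose connection intervals look scheduled.

    max_cv is the largest coefficient of variation (stdev / mean of the gaps
    between consecutive connections) still treated as periodic. A bot that
    adds random jitter to its timer raises the CV, and legitimate pollers
    (update checks, monitoring agents) also beacon, so treat hits as triage
    leads to compare against an allowlist rather than as verdicts.
    """
    by_pair = defaultdict(list)
    for ts, src, dst in parse_log(text):
        by_pair[(src, dst)].append(ts)

    findings = []
    for (src, dst), stamps in by_pair.items():
        if len(stamps) < min_connections:
            continue  # too few samples to call the timing regular
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        period = mean(gaps)
        if period <= 0:
            continue  # duplicate timestamps; nothing to measure
        cv = pstdev(gaps) / period
        if cv <= max_cv:
            findings.append({
                "src": src,
                "dst": dst,
                "connections": len(stamps),
                "period_s": round(period, 1),
                "cv": round(cv, 4),
            })
    findings.sort(key=lambda f: f["cv"])
    return findings


if __name__ == "__main__":
    for f in detect_beacons(SAMPLE_LOG):
        print(f"possible check-in: {f['src']} -> {f['dst']} every ~{f['period_s']}s "
              f"({f['connections']} connections, cv={f['cv']})")
```

On the sample data only the 203.0.113.7:443 pair is reported (seven connections roughly 300 seconds apart); the irregular browsing to 198.51.100.4 is left alone. Raising `max_cv` trades missed jittered beacons against more false positives, which is why the output is meant to feed an analyst or an allowlist check rather than an automatic block.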
There are many methods of protecting systems from being joined to a botnet, so it’s best to use a defense-in-depth strategy, implementing multiple layers of security. Because systems are typically joined to a botnet after becoming infected with malware, it’s important to ensure that systems and networks are protected with up-to-date anti-malware software. Some malware takes advantage of unpatched flaws in operating systems and applications, so keeping a system up-to-date with patches helps keep them protected. However, attackers are increasingly creating new malware that bypasses the anti-malware software, at least temporarily. They are also discovering vulnerabilities that don’t have patches available yet.
Educating users is extremely important as a countermeasure against botnet infections. Worldwide, attackers are almost constantly sending out malicious phishing emails. Some include malicious attachments that join systems to a botnet if the user opens it. Others include links to malicious sites that attempt to download malicious software or try to trick the user into downloading the malicious software. Others try to trick users into giving up their passwords, and attackers then use these harvested passwords to infiltrate systems and networks. Training users about these attacks and maintaining a high level of security awareness can often help prevent many attacks.
Many malware infections are browser based, allowing user systems to become infected when the user is surfing the Web. Keeping browsers and their plug-ins up-to-date is an important security practice. Additionally, most browsers have strong security built in, and these features shouldn’t be disabled. For example, most browsers support sandboxing to isolate web applications, but some browsers include the ability to disable sandboxing. This might improve performance of the browser slightly, but the risk is significant.
Botnets, IoT, and Embedded Systems
Attackers have traditionally infected desktop and laptop computers with malware and joined them to botnets. While this still occurs, attackers have been expanding their reach to the Internet of Things (IoT).
As an example, attackers used the Mirai malware in 2016 to launch a distributed denial-of-service (DDoS) attack on Domain Name System (DNS) servers hosted by Dyn. Most of the devices involved in this attack were Internet of Things (IoT) devices such as internet-connected cameras, digital video recorders, and home-based routers that were infected and added to the Mirai botnet. The attack effectively prevented users from accessing many popular websites such as Twitter, Netflix, Amazon, Reddit, Spotify, and more.
Embedded systems include any device with a processor, an operating system, and one or more dedicated apps. Some examples include devices that control traffic lights, medical equipment, automatic teller machines (ATMs), printers, thermostats, digital watches, and digital cameras. Many automobiles include multiple embedded systems such as those used for cruise control, backup sensors, rain/wiper sensors, dashboard displays, engine controls and monitors, suspension controls, and more. When any of these devices have connectivity to the internet, they become part of the IoT.
This explosion of embedded systems is certainly improving many products. However,
if they have internet access, it’s just a matter of time before attackers figure out how to
exploit them. Ideally, manufacturers will design and build them with security in mind and
include methods to easily update them. The Mirai DNS attack indicates they haven’t done
so, at least by 2016.