
Yonker 1

Jonah Yonker
Steffen Guenzel
ENC1102H
27 April 2016
Cybersecurity: Attack and Defense
With the advent of computers and their centrality in our everyday lives, thousands of
different methods of attack on those computers have been devised, executed, and fixed, as
far as they can be. This research looks into three of the most commonly used attack methods
and then discusses how they can best be defeated. The three main attack methods that will be
discussed are phishing, DDoS attacks, and SQL injection. This paper also examines the inclusion
of backdoors in operating systems, due to its relevance to the FBI's request that Apple
install such a backdoor, and Apple's efforts in the fight against it. With regard to backdoors, the
push to include them in operating systems is analyzed, as it is a hot-button issue.
Proponents of backdoor inclusion cite governments' need to be able to get into any device
they obtain in order to investigate crimes, or possible planned crimes. Opponents of backdoor
inclusion state that any hacker could gain access to the backdoor once it is included, and here the
merits of both of these arguments are examined. On February 16th, Apple released a statement
regarding the US government's request that they include backdoors in the iPhone operating
system. The F.B.I. was unable to get into the iPhone used by Syed Rizwan Farook, who was
killed by the police after he attacked and killed many of his co-workers at a holiday gathering in
San Bernardino, California. The F.B.I. asked Apple to "Make a new version of the iPhone
operating system, circumventing several important security features, and install it on [the] iPhone
recovered during the investigation." Apple denied this request, citing security concerns, and the
F.B.I. took it to court. The issue at hand was essentially whether or not the government could be
trusted with access to a backdoor. In the past, gaffes such as the leaking of the TSA luggage keys
have led concerned groups to discuss whether or not the government should have backdoor
access to secure systems, while other groups cite recent terror attacks as the basis for the
government's right to these backdoors. When it comes to cyber security, backdoors are generally
frowned upon. Every entry point into an operating system is another point that hackers can
potentially use to gain unauthorized access to a system, and part of the reason Apple was
hesitant is the potential liability it could face if a high-profile customer's data
were stolen via this backdoor. The F.B.I. managed to crack the iPhone without Apple's
help, and it remains to be seen whether it will disclose how it did so to Apple. Overall,
the inclusion of security backdoors creates a hole in a secure system that hackers could attack
using a wide variety of methods, and if the backdoor were compromised, the consequences
would be catastrophic. For this reason, operating systems should not have backdoors included in
them. However, this is only the design perspective. Regardless of whether or not a system is
designed in a secure manner, cyberattacks can and will be conducted against it. A huge number of
cyber attacks are conducted on various targets worldwide every day, and this paper explores the
mechanics behind some of them, as well as how they can best be defended against.
DDoS Attacks
A DDoS attack is a Distributed Denial of Service attack, which involves sending huge numbers of
illegitimate requests to a server or application in order to stop legitimate users from accessing it.
The most common method used is a botnet, where a large group of computers that have been
infected with a virus is temporarily taken over in order to send a huge volume of these
illegitimate requests from a multitude of different locations, thus making the attack hard to track, prevent,
or mitigate. The primary issue with DDoS attacks, and why they are so difficult to prevent or
mitigate, is that the illegitimate traffic is nearly indistinguishable from the legitimate traffic. This
leaves the owner of the server with the choice of cutting off a certain portion of the traffic, thereby
denying legitimate users access, or waiting the attack out, which amounts to the same thing as the
server stalls and freezes under the heavy volume of incoming traffic. Because of this inherent
issue with DDoS attacks, prevention mechanisms are often multi-layered in nature, simply
because having one checkpoint or one way to attempt to distinguish real from fake traffic is
often insufficient. This is a very current issue, as DDoS attacks are conducted regularly against
high-profile targets such as government entities or large corporations.
There are a variety of approaches one can take to stopping a DDoS attack. Matt Watkins, a
security consultant at MWR InfoSecurity, provides a good summary of DDoS attacks in "The
Growth and Evolution of DDoS." He describes the way they work and how they have evolved
over time. According to Watkins, "Many specialist providers offer cloud-based mitigation
services whereby traffic can be redirected to specialist scrubbing centres which are specifically
designed to deal with these attacks. The important thing is to not rely on traditional network
defences such as firewalls or IPS/IDS as these systems can easily be overwhelmed" (qtd. in
Mansfield-Devine 17). Alternatively, Kane Hardy, VP EMEA at Hexis Cyber Solutions, states
that "By being able to understand what is happening on the endpoint and what is happening
within the network, organizations can respond to potential threats at machine-speed and quickly
prevent damage" (33). These statements suggest that due to the scope, frequency, and relative
ease of conducting DDoS attacks, having automated systems to prevent them entirely is no longer
feasible, and a detection-response method should be employed instead.
However, in "Two Layer Defending Mechanism Against DDoS Attacks," the author,
Kiruthika Subramanian, argues that a two-layer mechanism should be used in defense against
DDoS attacks. Subramanian takes the view that an automated system is effective, and that
provided multiple methods of defense are used in tandem, an automated system can be effective
enough to sufficiently mitigate most incoming attacks. Subramanian states that "From the
results, it is seen that the network performance is improved for legitimate node and the legitimate
packets make their way into the network even under the DoS and DDoS attack and finally [this
system can] survive a critical attack" (322). Subramanian cites various reliable sources and
statistics in his work, strengthening his argument greatly. Finally, a third perspective is given by
the security firm Cloudflare, which states that "No amount of intelligent software or hardware
will allow you to stop the attack if the network link is completely saturated." Their argument
should be taken with a grain of salt, however, as they are selling an anti-DDoS service. Overall, if
the traffic that a server is receiving exceeds its bandwidth, automated systems will not be able to
do much, because filtering and examining traffic presupposes that the system can handle said traffic in
the first place. The best prevention method for DDoS attacks, then, is to route the traffic to an
external service with a large amount of bandwidth once an attack is detected using a variety of
methods.
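The "once an attack is detected" step above is where a defender's own tooling still has a role even when mitigation is outsourced. The following is an added example, not code from the paper or from any of the vendors it cites: a volumetric pre-filter over web-server access-log lines that buckets requests into fixed windows and flags a window when the aggregate rate is far above an assumed normal baseline and the requests are spread across many distinct sources, which is the botnet pattern the section describes. The log format, thresholds, window size and all addresses are assumptions constructed for the example.

```python
"""Added example, not from the paper: a volumetric pre-filter over web-server
access-log lines. It buckets requests into fixed windows and flags a window when
the aggregate rate is far above an assumed normal baseline and the requests come
from many distinct sources, the botnet pattern the paper describes. Log format,
thresholds and all addresses are assumptions constructed for this example."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Common log format: <ip> - - [<timestamp>] "<request>" <status> <bytes>
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\d+)$')
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: five normal requests in one 10-second window, then sixty
# requests from fifty different (documentation-range) addresses in the next.
SAMPLE_LOG = [
    f'198.51.100.{i} - - [27/Apr/2016:10:00:0{i} +0000] "GET / HTTP/1.1" 200 512'
    for i in range(5)
] + [
    f'203.0.113.{i % 50 + 1} - - [27/Apr/2016:10:00:1{i % 10} +0000] "GET /login HTTP/1.1" 200 512'
    for i in range(60)
]


def parse_line(line):
    """Return (source_ip, timezone-aware datetime), or None if the line does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group(1), datetime.strptime(m.group(2), TS_FORMAT)


def bucket_requests(lines, window_seconds=10):
    """Map each window's start (epoch seconds) to a Counter of source addresses."""
    windows = defaultdict(Counter)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts = parsed
        start = int(ts.timestamp()) // window_seconds * window_seconds
        windows[start][ip] += 1
    return windows


def detect_floods(lines, window_seconds=10, baseline_rps=1.0,
                  burst_factor=5.0, min_sources=10):
    """Flag windows whose request rate exceeds burst_factor x baseline and whose
    traffic is spread over at least min_sources addresses. A burst from a single
    address is left to ordinary per-client rate limiting; this check targets the
    distributed case, where no single source stands out."""
    flagged = []
    for start, sources in sorted(bucket_requests(lines, window_seconds).items()):
        total = sum(sources.values())
        rate = total / window_seconds
        if rate > burst_factor * baseline_rps and len(sources) >= min_sources:
            _, top_count = sources.most_common(1)[0]
            flagged.append({
                "window_start": datetime.fromtimestamp(start, tz=timezone.utc).isoformat(),
                "requests": total,
                "sources": len(sources),
                "top_source_share": round(top_count / total, 2),
            })
    return flagged


if __name__ == "__main__":
    for window in detect_floods(SAMPLE_LOG):
        print(window)
```

On the constructed sample only the second window is flagged: 60 requests in 10 seconds from 50 addresses, with no single address accounting for more than about 3% of them. That output is the signal on which an operator, or an automated rule, would switch traffic to the external scrubbing service the section recommends; the baseline and burst factor must be tuned from the server's real traffic, and as the section notes, none of this helps once the link itself is saturated.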
Phishing
Phishing is the act of impersonating an individual or a representative of a corporation
online with the intent to defraud another individual. The phisher can send their target emails, chat
messages, or even Word files that contain links to harmful websites. Other times, the phisher will
simply pretend to be someone the target has an interest in doing business with, or someone
who wishes to give the target money. A common example of this is the "Nigerian Prince" scam,
where an individual will claim to be a prince from Nigeria who needs money routed to them in
order to send back a larger amount of money. These attacks are incredibly common, and target a
wide variety of individuals. Attackers will often ask for personal information that can be used in
identity theft, or attempt to trick the user into downloading malicious software. The reason
phishing attacks are particularly dangerous is that, according to Jason Hong, an associate
professor in the School of Computer Science at Carnegie Mellon University, "It doesn't matter
how many firewalls, encryption softwares, certificates, or two-factor authentication mechanisms
an organization has if the person behind the keyboard falls for a phish" (76). Hong advocates for
a three-part solution to the issue of phishing, namely "make things invisible, so users do not have
to do anything different; provide better user interfaces that either make the situation more
obvious to users or offer additional protection; and train end users to proactively recognize and
avoid phishing attacks" (80). This evidence shows that user education is very important when
defending against phishing attempts. Another perspective is given by Mohamed Alsharnouby, a
member of the School of Computer Science at Carleton University in Ottawa, Canada.
Alsharnouby discusses phishing at length in his piece, "Why Phishing Still Works: User
Strategies for Combating Phishing Attacks," outlining the process and a mechanism which could
be used to stop it. He states that automating the process of identifying phishing attempts as much
as possible is the best way to prevent phishing attacks, because experienced or highly skilled
phishers cannot be detected by the average user. He came to this conclusion based on a
study where users had to differentiate between legitimate and fake (phishing) websites. His
reasoning for the automation is that "We found that even in our controlled lab environment,
participants had an average success rate of 53% for identifying phishing websites" (74). He also
states that "variables such as users' general technical proficiency did not correlate with improved
performance scores" (75), suggesting that even the technologically savvy can succumb to
phishing attempts, and thus phishing prevention measures should be automated. Overall,
automated phishing prevention systems seem to be the way to go, due to the findings of
Alsharnouby's study, as well as the simple fact that expecting all users to be constantly vigilant is
setting oneself up for failure. However, an automated system cannot be relied upon entirely, as
user education is also very important for those phishing attempts that might get through an
automated system.
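As an illustration of the automated layer the section argues for, here is an added example that is not from the paper or from the cited studies: a small pre-screen that checks each link in an incoming message against cheap structural heuristics (raw IP hosts, userinfo hiding the real destination, punycode labels, a known brand name appearing on a domain that does not belong to that brand) so that the obvious cases never reach the user. The brand list, the allowed domains and the sample links are all constructed assumptions, and the registrable-domain helper is a deliberate simplification.

```python
"""Added example, not from the paper or the cited studies: an automated pre-screen
for links in an incoming message, of the kind the paper argues should carry the
load rather than expecting every user to spot a fake site. Each URL is checked
against cheap structural heuristics. The brand list, allowed domains and sample
links are all constructed assumptions for this example."""
import ipaddress
from urllib.parse import urlparse

# Brands users are expected to receive links about, mapped to the registrable
# domains that may legitimately host them (assumed for the example).
KNOWN_BRANDS = {"examplebank": {"examplebank.com"}}

# Constructed links as they might appear in one message: one legitimate, three not.
SAMPLE_LINKS = [
    "https://www.examplebank.com/login",
    "https://examplebank.com.login-verify.net/secure",
    "http://198.51.100.7/examplebank/login",
    "http://www.examplebank.com@203.0.113.9/",
]


def registrable_domain(host):
    """Naive eTLD+1 (last two labels). Production code should consult the Public
    Suffix List; this shortcut is an assumption that keeps the example offline."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def is_ip_literal(host):
    """True when the host part is a bare IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def phishing_indicators(url):
    """Return a list of human-readable findings; an empty list means nothing fired."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    findings = []
    if parsed.scheme not in ("http", "https"):
        findings.append(f"unusual scheme {parsed.scheme!r}")
    if "@" in parsed.netloc:
        findings.append("userinfo before host hides the real destination")
    if is_ip_literal(host):
        findings.append("raw IP address as host")
    if host.startswith("xn--") or ".xn--" in host:
        findings.append("punycode label (possible homoglyph domain)")
    if host.count(".") >= 4:
        findings.append("excessive subdomain depth")
    reg = registrable_domain(host)
    for brand, allowed in KNOWN_BRANDS.items():
        if reg in allowed:
            continue  # the brand is on one of its own domains
        if brand in host.replace("-", ""):
            findings.append(f"brand '{brand}' in hostname but domain is {reg}")
        elif brand in parsed.path.lower():
            findings.append(f"brand '{brand}' in path but host is {host}")
    return findings


def screen_links(urls):
    """Return only the links that raised at least one indicator, with their findings."""
    return [(u, f) for u in urls for f in [phishing_indicators(u)] if f]


if __name__ == "__main__":
    for url, why in screen_links(SAMPLE_LINKS):
        print(url, "->", "; ".join(why))
```

Run on the constructed message, three of the four links are held back and the legitimate one passes untouched. Heuristics like these catch the crude impersonations; the skilled phishers the section mentions will register clean-looking domains that pass every check here, which is why the text's conclusion that user education still matters for whatever gets through an automated system stands.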
SQL Injections
A SQL injection is an attack made on a website that uses some form of
Structured Query Language (which almost all websites do) via user input. Rather than entering a
legitimate search in a search bar, for example, an attacker uses the way SQL code is written to try
to inject their own code into the website. The most common way this is achieved is via the use
of escape characters, which are special characters such as the backslash (\) or the apostrophe (')
that SQL interprets as the beginning of a new command. Any field where the user enters data can
be used in this way to launch an attack on a website, and if the website's code does not filter its
input (by disallowing the inclusion of escape characters, for example), the attack can be used
with devastating effect. A user could easily use such a tactic to elevate their permissions to those
of an administrator and gain access to sensitive data, such as that of other users, or gain access to
the inner workings of the website, where weak points can be located and other forms of attack
can be launched. Disha Parekh's paper, "Live Experiments Depicting SQL Injection Attacks,"
outlines the steps of a hypothetical SQL attack in a logical, fairly easy-to-understand format. In
his work, Parekh discusses a test attack he and his colleagues launched on an undisclosed
website, where they were able to rapidly gain access to the admin username and password
through a series of SQL injections. The conclusion Parekh draws is that "The security protocols
of the deployed project should be made as dynamic as possible to avoid SQL [injection attacks]"
(82). SQL attacks are unique in that they are fairly preventable in most cases. Provided one
sanitizes one's inputs via some method, one should be safe from SQL injection attacks. The most
common way to do this, according to the Open Web Application Security Project, is to
parameterize queries, which essentially just means adding code to force a website to take any
data entered by a user literally, regardless of whether the data entered is "username123" or
"user\print_admin_passwords".
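To make the section's two points concrete (how an apostrophe in user input changes the meaning of a concatenated query, and what "taking the data literally" via a parameterized query buys), here is an added example, not code from the paper, from Parekh's experiments or from OWASP. It runs the same user lookup both ways against an in-memory SQLite table; the table contents and the inputs are constructed for the example. Note that what the text calls the apostrophe starting a new command shows up here as the apostrophe closing the string literal early, after which the rest of the input is parsed as SQL.

```python
"""Added example, not from the paper or from OWASP: the same user lookup written
with string concatenation and with a parameterized query, run against an
in-memory SQLite table so the difference can be observed directly. Table contents
and the inputs are constructed for this example."""
import sqlite3


def make_db():
    """Constructed three-row users table; one name legitimately contains an apostrophe."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("o'brien", "user")])
    return conn


def lookup_concatenated(conn, username):
    """Vulnerable form: the input is pasted into the SQL text, so an apostrophe in
    it closes the string literal early and whatever follows is parsed as SQL."""
    query = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, username):
    """Hardened form (a parameterized query, as OWASP recommends): the SQL text is
    fixed and the value travels separately, so the database treats it as data
    whatever characters it contains."""
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ?", (username,)
    ).fetchall()


def compare(username):
    """Run both lookups on a fresh table and report what each returned."""
    conn = make_db()
    try:
        unsafe = lookup_concatenated(conn, username)
    except sqlite3.Error as exc:
        unsafe = f"error: {exc}"
    safe = lookup_parameterized(conn, username)
    return {"unsafe": unsafe, "safe": safe}


if __name__ == "__main__":
    # Ordinary input: both forms agree (no such user).
    print(compare("username123"))
    # Input carrying an apostrophe and an always-true condition: the concatenated
    # query returns every row; the parameterized query correctly finds no such user.
    print(compare("x' OR '1'='1"))
    # A legitimate name with an apostrophe: the concatenated query breaks,
    # the parameterized query finds the row.
    print(compare("o'brien"))
```

The third case is worth noting alongside the section's suggestion of disallowing escape characters: a filter that rejects apostrophes would also reject a real user named o'brien, whereas the parameterized query handles both the hostile and the legitimate input correctly without any filtering.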
Another perspective is provided by Hossain Shariar, a member of the Department of
Computer Engineering at Kennesaw State University in Georgia. Shariar advocates for a multi-layered
approach, stating that in his method "First, server-side script code is pre-processed to
identify HTML forms that contain input fields. Then the SQL queries present in the script code is
extracted and we find the relevant set of input fields in forms that contribute values during
dynamic query generation process" (58). This illustrates that multi-layered approaches are more
effective than single-method approaches when it comes to SQL injection attacks, because both
user knowledge and automated filtering are required to stop them.
Conclusion
Backdoors in operating systems create a huge weak point that hackers can exploit. It is
important that technology companies band together to fight the push to include them. However,
collaboration between the government and tech companies is also needed with regard to
preventing other forms of attack, and a multi-layered approach should be used for preventing
most forms of cyber attack. Overall, due to the complexity of computer systems themselves,
there are a stunning number of ways attacks can be conducted on said systems. However, for
each attack, there is at least one viable method of defense. The issue is that while these methods
may be viable, every method is going to have its weaknesses. DDoS prevention methods are
limited in scope when only one is used, SQL prevention methods need to be comprehensive and
multi-layered in nature in order to be effective, and phishing prevention methods must both filter
phishing attempts and educate users in order to succeed. In general, single-layered or single-approach
defense mechanisms are not sufficient to prevent these problems. Based on the
findings presented in this paper, I propose that cybersecurity threats be handled with a multi-layered
defense approach. With the three issues that were examined (SQL injection, DDoS, and
phishing), systems are most secure when they use multiple methods to defend against these
attacks, because multiple methods often cover each other's weaknesses.

Works Cited

"Affordable Advanced DDoS Protection." Cloudflare. N.p., n.d. Web. 11 Apr. 2016.
Alsharnouby, Mohamed, Furkan Alaca, and Sonia Chiasson. "Why Phishing Still Works: User
Strategies For Combating Phishing Attacks."International Journal Of Human-Computer
Studies 82.(2015): 69-82. Academic Search Premier. Web. 11 Apr. 2016.
"Customer Letter - Apple." Apple. Apple, n.d. Web. 11 Apr. 2016.
Greenburg, Andy."Lockpickers 3-D Print TSA Master Luggage Keys From Leaked

Yonker 9

Photos."Wired.com. Conde Nast Digital, n.d. Web. 11 Apr. 2016.


Hong, Jason. "The State Of Phishing Attacks." Communications Of The ACM 55.1 (2012):
74-81. Business Source Premier. Web. 11 Apr. 2016.
Mansfield-Devine, Steve. "Feature: The Growth And Evolution Of Ddos." Network Security
2015.(2015): 13-20. ScienceDirect. Web. 11 Apr. 2016.
Parekh, Disha H., Dhaivat, Dave, and R.Sridaran. "Live Experiments Depicting SQL Injection
Attacks." International Journal Of Advanced Networking & Applications (2014): 91-93.
Applied Science & Technology Source. Web. 11 Apr. 2016.

Shariar, Hossain. Early Detection of SQL Injection Attacks. International Journal of Network
Security & Its Applications. 2013. 53-65. Web. 11 Apr. 2016.
"SQL Injection Prevention Cheat Sheet." - OWASP. N.p., n.d. Web. 11 Apr. 2016.
