1 00:00:02,490 --> 00:00:10,270 In this section we're going to take a look at some of the common endpoint-based attacks. Buffer overflows
2 00:00:10,300 --> 00:00:16,910 are a potential danger to software programs and are probably the best-known software vulnerability.
3 00:00:18,440 --> 00:00:24,710 A buffer overflow is when a computing device's buffer has more data than it can handle or when the
4 00:00:24,710 --> 00:00:27,990 program puts data in memory past the buffer.
5 00:00:29,260 --> 00:00:36,700 If this occurs the program could crash, corrupt data or cause the execution of malicious code.
6 00:00:37,030 --> 00:00:44,210 Back in 1988 the Morris worm used this vulnerability to take down most of the Internet.
7 00:00:44,340 --> 00:00:47,080 Wait, so the Internet existed back in 1988?
8 00:00:48,870 --> 00:00:58,140 Command and Control is an attack where C&C servers remotely send malicious commands to a botnet or a compromised
9 00:00:58,140 --> 00:01:06,190 computer. C&C is an easy way for an attacker to actually execute a DDoS attack.
10 00:01:06,200 --> 00:01:12,350 Imagine the power someone would have if they were controlling thousands of endpoints across the globe.
11 00:01:12,440 --> 00:01:17,870 They could send commands to all the compromised computers instructing them to send large amounts of
12 00:01:17,870 --> 00:01:26,930 data to targeted hosts. C&C connections can be blocked by Cisco Firepower devices with the Security
13 00:01:26,930 --> 00:01:31,150 Intelligence feature. Here you can see in my lab network
14 00:01:31,340 --> 00:01:37,940 I have tons of potential C&C connections being blocked from IPs that have been added to the Cisco Security
15 00:01:37,940 --> 00:01:42,270 Intelligence blacklist in the C&C category.
16 00:01:44,310 --> 00:01:52,080 Now let's learn about the infamous malware, aka malicious software.
17 00:01:52,180 --> 00:01:57,940 One of the main goals of an organization is to prevent malware from being downloaded to network devices.
18 00:01:59,140 --> 00:02:04,050 Once malware has launched, numerous attacks can be executed on the installed equipment.
19 00:02:05,420 --> 00:02:10,380 One of the most popular forms of malware today is called ransomware.
20 00:02:10,640 --> 00:02:18,440 Ransomware can be used by attackers to encrypt data on computers and threaten to erase it unless they
21 00:02:18,440 --> 00:02:21,270 are paid to decrypt it.
22 00:02:21,290 --> 00:02:28,190 Let's hop into my lab sandbox and I will show you what happens when the infamous WannaCry ransomware
23 00:02:28,580 --> 00:02:37,900 is executed on an endpoint. OK, so here we are in my sandbox. I'm going to launch the WannaCry ransomware
24 00:02:38,440 --> 00:02:44,700 software.
25 00:02:44,930 --> 00:02:52,790 Here I have a picture and a test zipped folder currently in my documents and we'll see what happens when
26 00:02:52,790 --> 00:02:55,580 this ransomware is launched.
27 00:02:55,610 --> 00:03:01,870 My computer's being kind enough to warn me not to launch this but I'm going to run it anyways,
28 00:03:02,180 --> 00:03:04,320 since this is a sandbox environment.
29 00:03:05,430 --> 00:03:12,230 This is actually a VM so I'm just going to revert to a snapshot once I'm done playing around with this
30 00:03:12,330 --> 00:03:17,060 ransomware here.
31 00:03:17,070 --> 00:03:22,610 OK so now the ransomware has been executed and as you can see it's encrypted
32 00:03:23,160 --> 00:03:28,310 my picture file as well as my test files zipped folder,
33 00:03:33,360 --> 00:03:39,810 so I'm going to try to view this picture that I have in my documents and we'll see what happens.
34 00:03:41,210 --> 00:03:47,760 So as you can see I cannot open this picture up.
35 00:03:47,800 --> 00:03:55,780 Let's try to open the zipped folder. Now that I've tried to launch those files you see that they've disappeared
36 00:03:56,350 --> 00:03:57,880 out of my documents folder.
37 00:03:58,920 --> 00:04:02,040 If I read this "please read" message,
38 00:04:02,100 --> 00:04:07,500 the attackers were kind enough to leave instructions on how to decrypt my files.
39 00:04:10,720 --> 00:04:12,540 So they're asking for Bitcoin.
40 00:04:14,550 --> 00:04:22,640 And if I launch the other file we get this nice pop-up with instructions on how to pay in Bitcoin to
41 00:04:23,120 --> 00:04:24,510 decrypt my files.
42 00:04:25,760 --> 00:04:32,270 And then they're even kind enough to have another message in the background saying "Oops, your important
43 00:04:32,270 --> 00:04:34,670 files are encrypted."
44 00:04:34,960 --> 00:04:41,230 So now you've been able to see for yourself what ransomware can do and how big of a concern it can be
45 00:04:41,230 --> 00:04:43,420 for businesses out there.
46 00:04:43,420 --> 00:04:49,750 If a company's computers happen to be infected with this then they could potentially lose a lot of sensitive
47 00:04:49,750 --> 00:04:50,200 data.
48 00:04:51,690 --> 00:04:58,410 And this is another great example of why you should always have an anti-malware solution on endpoints.
49 00:05:01,370 --> 00:05:09,110 A rootkit is a collection of malicious software designed to enable root access to the computer while
50 00:05:09,110 --> 00:05:16,810 hiding its presence or identity from anti-virus software.
51 00:05:16,990 --> 00:05:23,180 There is soft...
52 00:05:23,740 --> 00:05:30,340 There is software available that can be run to detect the presence of rootkits on an endpoint.
53 00:05:31,180 --> 00:05:34,060 For Windows you can use the Sysinternals tool
54 00:05:34,060 --> 00:05:39,040 RootkitRevealer, and in Linux you can install rkhunter.