Layer 2 Attacks (38.3.6)
Layer 2 refers to the data link layer in the Open Systems Interconnection (OSI) data communication model.
This layer moves data across a directly connected physical network. Each IP address is mapped to a physical device address (also known as a media access control [MAC] address) on the network using the Address Resolution Protocol (ARP).
In its simplest terms, the MAC address identifies the intended receiver of an IP packet sent over the local network, and ARP resolves IP addresses to MAC addresses so that the data can be transmitted.
Attackers often take advantage of vulnerabilities in Layer 2 security, as the following two attacks demonstrate.
Spoofing
Spoofing, or poisoning, is a type of impersonation attack that takes advantage of a trusted relationship between two systems:
- MAC address spoofing occurs when an attacker disguises their device as a valid one on the network and can therefore bypass the authentication process.
- ARP spoofing sends spoofed ARP messages across a LAN. This links an attacker’s MAC address to the IP address of an authorized device on the network, so traffic meant for that device is delivered to the attacker instead.
- IP spoofing sends IP packets from a spoofed source address in order to disguise the packet origin.
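A defender’s view of the ARP spoofing described above, as an added example that is not part of the course text: a small Python checker that replays a list of observed ARP replies (a constructed sample, not captured traffic) and flags an IP whose MAC binding changes, or a single MAC that claims several IPs. The ArpReply type, the detect_arp_anomalies function and all addresses are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class ArpReply:
    """One observed ARP reply: the sender claims that sender_ip lives at sender_mac."""
    sender_ip: str
    sender_mac: str


def detect_arp_anomalies(replies: List[ArpReply], gateway_ip: str) -> List[str]:
    """Replay ARP replies in order and return alerts for two spoofing signs:
    an IP whose MAC binding changes (REBIND), and one MAC claiming more than
    one IP (MULTI-IP). Both can also happen legitimately (DHCP reassignment,
    a host with several addresses), so treat alerts as leads to confirm."""
    ip_to_mac: Dict[str, str] = {}
    mac_to_ips: Dict[str, Set[str]] = {}
    alerts: List[str] = []
    for r in replies:
        prev = ip_to_mac.get(r.sender_ip)
        if prev is not None and prev != r.sender_mac:
            # A rebind of the default gateway is the highest-value case to check.
            tag = "GATEWAY " if r.sender_ip == gateway_ip else ""
            alerts.append(f"{tag}REBIND {r.sender_ip}: {prev} -> {r.sender_mac}")
        ip_to_mac[r.sender_ip] = r.sender_mac
        claimed = mac_to_ips.setdefault(r.sender_mac, set())
        if r.sender_ip not in claimed:
            claimed.add(r.sender_ip)
            if len(claimed) > 1:
                alerts.append(f"MULTI-IP {r.sender_mac} claims {sorted(claimed)}")
    return alerts


# Constructed sample (not captured traffic): a gateway, a workstation, and a
# rogue host that then answers for both of their IP addresses.
GATEWAY_IP = "10.0.0.1"
SAMPLE_REPLIES = [
    ArpReply("10.0.0.1", "aa:aa:aa:aa:aa:01"),  # gateway announces itself
    ArpReply("10.0.0.7", "aa:aa:aa:aa:aa:07"),  # workstation
    ArpReply("10.0.0.9", "aa:aa:aa:aa:aa:09"),  # rogue host's own address
    ArpReply("10.0.0.1", "aa:aa:aa:aa:aa:09"),  # spoofed: gateway IP at rogue MAC
    ArpReply("10.0.0.7", "aa:aa:aa:aa:aa:09"),  # spoofed: workstation IP at rogue MAC
]

if __name__ == "__main__":
    for alert in detect_arp_anomalies(SAMPLE_REPLIES, GATEWAY_IP):
        print(alert)
```

On a real network the same logic applies to entries taken from a switch or host ARP table polled over time, and a static ARP entry or Dynamic ARP Inspection on the switch is the usual mitigation once a rebind is confirmed.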
MAC Flooding
Devices on a network are connected through a network switch, which uses packet switching to receive frames and forward them to the destination device. To do this, the switch learns which MAC address sits behind which port and keeps that mapping in a table of limited size. In a MAC flooding attack, an attacker floods the switch with frames carrying fake source MAC addresses until that table fills. The switch can then no longer forward frames only to their intended port and instead sends them out of every port, so data transmitted to one device becomes visible to the attacker and the security of the network switch is compromised.
Man-in-the-Middle and Man-in-the-Mobile Attacks (38.3.8)
Attackers can intercept or modify communications between two devices to steal information from or to impersonate one of the devices, as the following describes.
Man-in-the-Middle (MitM)
A MitM attack, also known as an on-path attack, happens when a cybercriminal takes control of an intermediate device without the user’s knowledge. With this level of access, an attacker can intercept, manipulate, and relay false information between the sender and the intended destination.
Man-in-the-Mobile (MitMo)
A variation of man-in-the-middle, MitMo is a type of attack used to take control of a user’s mobile device. Once infected, the mobile device is instructed to exfiltrate sensitive user information and send it to the attackers.
ZeuS is one example of a malware package with MitMo capabilities. It allows attackers to quietly capture two-step verification SMS messages sent to users.
Zero-Day Attacks
A zero-day attack, or zero-day threat, exploits software vulnerabilities before they become known or before they are disclosed by the software vendor.
A network is extremely vulnerable to attack between the time an exploit is discovered (zero hour) and the time the software vendor develops and releases a patch that fixes the vulnerability.
Defending against such fast-moving attacks requires network security professionals to adopt a more sophisticated and holistic view of any network architecture.
Keyboard Logging
As the name suggests, keyboard logging, or keylogging, refers to recording or logging every key struck on a computer’s keyboard.
Cybercriminals log keystrokes via software installed on a computer system or through hardware devices that are physically attached to a computer. The keylogger software sends the log file to the criminal. Because it has recorded all keystrokes, this log file can reveal usernames, passwords, websites visited, and other sensitive information.
Many anti-spyware suites can detect and remove unauthorized keyloggers.
Practice Item—Confirm Your Details (38.3.11)
Refer to the online course to complete this activity.