
JOURNAL OF TELECOMMUNICATIONS, VOLUME 28, ISSUE 2, DECEMBER 2014

Data Network Threats and Penetration Testing
Vladimir Sanchez Padilla
Abstract: Data communications are currently available to many members of society, from children in a school learning environment to adults who access networks for work or entertainment, and from different locations, such as home environments or shared networks. Whether accessing a browser application or sharing data online, from the moment a person validates an account with a user name and password, that person is already sharing network resources with many other users, some of whom are trying to obtain that information. The intent of this paper is to show the types of threats, such as denial of service and malware, that could harm a data network, and the tools and recommendations that may be useful to prevent access to information by unauthorized or unprivileged agents.
Index Terms: Cryptography, denial of service, ethical hacking, privacy.

1 INTRODUCTION

Information security should always be considered an essential aspect of every organization. The vulnerabilities and all kinds of potential attacks that concern the physical or logical part of data networks should be examined. A threat can be defined generically as an attempt to access a data network, compromising from that moment the integrity of proprietary information, since the violator then has at his or her disposal as many privileges and permissions as needed for such purposes, which may cause either reversible or irreversible damage. Today, many attacks on data networks come not only from organizations, but also from individuals with some non-professional knowledge, which makes the need to protect security and data privacy more demanding.

2 PRIVACY
A definition of privacy according to the American Institute of Certified Public Accountants and the Canadian Institute of Chartered Accountants in the Generally Accepted Privacy Principles standard is: "The rights and obligations of individuals and organizations with respect to the collection, use, retention and disclosure of personal information" [1]. Privacy is essential for information protection. The advent of data networks and the growth of many applications accessible from the Internet make privacy protection an important issue when a provider offers web-based service components. Violations of privacy can be of different kinds, coming through interference or interception, which leads providers to strengthen their security systems to prevent the entry of third-party networks in order to achieve a high level of privacy. In turn, many applications used by individuals should not be restricted by the provider [2].

V. Sánchez Padilla is with the Faculty of Electrical and Computer Engineering, Escuela Superior Politecnica del Litoral, Guayaquil, Ecuador.


Protective measures by the provider often reach only as far as the connectivity point. The organization must also adjust its own security features to protect the information. It is also the responsibility of the organization to set security policies among the employees [1]. Policies must define which information belongs to the employer and which to the employee; which devices can be used for storing information of a personal or corporate nature; and the availability of the organization's information in case of audits regarding incoming or outgoing data on its servers. These policies may vary according to the country in which the organization or individual is operating [3].
It should be emphasized that protection is not related to a device, but to the information. The latest potential threats that could result in negative consequences, and knowledge of the legal obligations between the parties, are an imperative [1].
Privacy and data security are constantly evolving, adapting to changes in identity and access issues and drawing on agreements or laws that protect users with data structures and rules that are compatible. Authentication systems are vital for system access from remote locations. The preservation of and access to data are important given the rapid changes in technical formats [4].

3 THREATS
Several types of attacks have emerged (e.g., viruses, Trojan horses, worms). A specialist in attacks, known as a "hacker", can break network security to access a system that he or she is not allowed into. Years ago hacker attacks were meant to corrupt data or demonstrate vulnerabilities in operating systems. Nowadays, unauthorized access can lead to sabotage, access to bank accounts or financial reports, economic fraud, terrorism, and denial of supplies or services (e.g., energy, supply chain, phone systems) [5].

2014 JOT
www.journaloftelecommunications.co.uk


Attacks come from either outside or inside the organization. Internal threats occur within the organization when a trusted individual from the information systems area or a server administrator abuses the information [5]. Security experts have designed methods to frustrate hackers long enough that they go away in search of another target, in order to have an opportunity to detect their position [6]. This paper presents two of the most common threats in data security: denial of service and malicious software.

3.1 Denial of Service and Distributed Denial of Service
Denial of service (DoS) is a type of attack that prevents users from accessing network resources by flooding the network connection of a targeted host from a more powerful host. Distributed denial of service (DDoS) attacks use the same principle, but amplify the attack using multiple intermediary hosts, which generate a network traffic jam to disrupt servers or network segments [7].
DoS attacks of this kind work by breaking into thousands of computers, installing attack software on these devices, and then using them to carry out one or more DDoS attacks, resulting in a significant amount of damage spread over a large number of sites in many places and over an extended period of time. The reasons for doing it are varied: people or communities against some organization; groups making political statements; gaining financial advantage over others; blackmailing an individual; or just gaining recognition in some hacker community. Attacks can last from a few minutes to a few days [8].
One type of DDoS attack consists of controlling a large number of zombie systems by using one or more widespread vulnerabilities to install attack software on them, then making the systems send large numbers of packets to the victim, preferably using randomly spoofed source addresses with different characteristics. Unlike a single-source attack, a DDoS attack is much harder to deal with by applying filter rules [7]. The DDoS architecture is shown in Figure 1.
An amplification attack is another type of DDoS attack. It works by sending a single ping packet to the network broadcast address, causing a large number of echo responses to be received. The source address is spoofed to that of the victim (see Figure 2) [7].
Traceback can be difficult in DoS attacks. Where the damage is spread out, evidence will appear. Specialists collect this evidence to pursue either criminal or civil prosecution. Network traffic associated with the attack helps to recognize what tool was used and how the denial of service network was controlled. Once the denial of service stops, there is nothing left to capture, because there is no more traffic to trace [8].
Large companies can afford investments to handle protection against huge traffic loads with techniques such as load balancing or content distribution networks. Smaller organizations are not able to do the same because of the cost; when the demand for some service or content rises to a much higher level than usual, their systems cannot keep up and eventually end up inaccessible. This is the Slashdot effect, named after the way small websites would often be overwhelmed when the popular Slashdot website linked to them. Programmers establishing distributed denial of service attacks will find ways to make the network traffic look legitimate, so that network engineers will not notice it and filter the attack out. Operators should be prepared to distinguish a DDoS attack from a genuine increase in network traffic [9].

Fig. 1. DDoS architecture [3].

Fig. 2. Amplification attack [7].
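As an added illustration (not part of the original paper), the following Go program applies the distinctions this section draws: a flood of randomly spoofed sources, a broadcast-ping amplification attack, and a genuine surge of real clients. The flow records, the victim address and the thresholds are constructed for the example.

```go
package main

import "fmt"

// Flow is one summarised flow record for a short observation window
// (constructed schema for this example, not any real exporter's format).
type Flow struct {
	Src, Dst string
	Proto    string // "TCP", "UDP", "ICMP-request" or "ICMP-reply"
	Packets  int
}
const victim = "203.0.113.10" // constructed address of the monitored host

// Classify looks at all traffic towards dst in one window; baseline is the
// host's usual packet count per window and five times that counts as a surge.
func Classify(flows []Flow, dst string, baseline int) string {
	total, replies, requests := 0, 0, 0
	sources := map[string]bool{}
	for _, f := range flows {
		if f.Src == dst && f.Proto == "ICMP-request" {
			requests += f.Packets // pings the host itself sent out
		}
		if f.Dst != dst {
			continue
		}
		total += f.Packets
		sources[f.Src] = true
		if f.Proto == "ICMP-reply" {
			replies += f.Packets
		}
	}
	switch {
	case total < 5*baseline:
		return "normal"
	case replies > total/2 && replies > 10*requests:
		// Echo replies the host never asked for: the broadcast-ping
		// amplification attack of Fig. 2, with the victim's address spoofed.
		return "amplification"
	case len(sources)*10 >= total*8:
		// Nearly every packet has a different source and no source sends a
		// second packet: typical of randomly spoofed source addresses.
		return "spoofed-flood"
	default:
		// Many clients each sending several packets: a flash crowd (Slashdot
		// effect). A botnet of real hosts looks the same to this heuristic.
		return "surge-from-real-clients"
	}
}

// synth builds n constructed flows towards victim with sources from srcFmt.
func synth(n int, srcFmt, proto string, pkts int) []Flow {
	fl := make([]Flow, n)
	for i := range fl {
		fl[i] = Flow{fmt.Sprintf(srcFmt, i), victim, proto, pkts}
	}
	return fl
}

// Windows holds one constructed window of traffic per scenario (baseline 10).
var Windows = map[string][]Flow{
	"normal":        synth(4, "198.51.100.%d", "TCP", 10),      // 40 packets
	"spoofed":       synth(200, "10.0.0.%d", "UDP", 1),          // 200 sources, one packet each
	"crowd":         synth(60, "198.51.100.%d", "TCP", 20),      // 60 clients, 20 packets each
	"amplification": synth(200, "192.0.2.%d", "ICMP-reply", 4), // 200 reflectors answering a spoofed ping
}
```

A botnet of hosts with real addresses, each sending many packets, falls into the last bucket together with a flash crowd, which is exactly the case the text says operators must be prepared to tell apart by other means.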

3.2 Malicious Software

Malicious software, also known as malware, continues to be a big security problem for most organizations, individuals, and home users. This paper mentions two of the most common types of malware: viruses and Trojan horses.
A virus can be defined as software whose code runs by way of other executable programs. It typically spreads and does not exist by itself, requiring a host to carry out its actions. The virus code launches when a virus-infected program is executed, attaching copies of the virus code to other programs or to external storage units. Among its actions are deleting files, corrupting clusters or disabling systems [3].
A Trojan horse program hides in applications that could be of interest to users. It is a self-contained program designed to perform some type of malicious action, presenting itself as something flashy and arriving in a non-suspicious format, using non-executable files or emails as its bearer. Trojan horses can spread by themselves, causing damage similar to that of viruses. Vulnerabilities in systems are essential for the development and spread of malicious software. Once executed, it can find more security gaps or compromise the information (e.g., complementing attacks such as denial of service) [3].
Detection and eradication of malware can be accomplished by monitoring the local host's boot sector, memory, and file system for signatures. In conjunction with a database of malware signatures, analysis of behavior patterns frequently associated with malware is another detection mechanism in use. Antivirus software can be useful for establishing a defense-in-depth security architecture. Current antivirus products are limited in their effectiveness at detecting malware mutations. An antivirus could detect and display a warning in the case of a known Trojan, but if a byte in the Trojan's executable is modified using a text editor, that is enough to prevent the antivirus from acting. Many packers that compress and encrypt executables are used to mutate malware. The encoded version of the executable is autonomous and contains a small decoding routine that is triggered at runtime to extract the original program into memory. Individuals who possess the source code of malicious software can modify it directly with the specific goal of bypassing signature-matching antivirus engines. Malware mutations are not as effective against behavior-based scanners, but behavior-based techniques are not as accurate at identifying known threats as signature matching [6].
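The difference between the three detection approaches described here can be shown with a small model (an added Go example, not from the paper). The "files", their sandbox traces and the signatures are constructed; a real engine would use a full signature database, and behaviour matching only fires once the sample has actually run.

```go
package main

import "bytes"
import "crypto/sha256"

// Signatures holds the three detection methods discussed in Section 3.2.
type Signatures struct {
	Hashes   map[[32]byte]bool // SHA-256 of known files (exact whole-file match)
	Patterns [][]byte          // byte sequences cut from known files
	Behavior [][]string        // action sequences typical of the family
}

// MatchHash and MatchPattern work on the file as stored on disk.
func (s Signatures) MatchHash(file []byte) bool { return s.Hashes[sha256.Sum256(file)] }

func (s Signatures) MatchPattern(file []byte) bool {
	for _, p := range s.Patterns {
		if bytes.Contains(file, p) {
			return true
		}
	}
	return false
}

// MatchBehavior works on the actions a sandbox observed when the file ran: a
// known sequence must occur in order, other actions may be interleaved.
func (s Signatures) MatchBehavior(trace []string) bool {
	for _, seq := range s.Behavior {
		i := 0
		for _, act := range trace {
			if i < len(seq) && act == seq[i] {
				i++
			}
		}
		if i == len(seq) {
			return true
		}
	}
	return false
}

// xor stands in for a packer: every byte on disk changes, so no pattern
// survives, while the program that unpacks in memory behaves exactly as before.
func xor(b []byte, k byte) []byte {
	out := make([]byte, len(b))
	for i, c := range b {
		out[i] = c ^ k
	}
	return out
}

// Constructed Trojan family: three different files on disk, one behaviour.
var Known = []byte("MZ\x90\x00 greeting-card-viewer v1.0 ... payload ...")
var Edited = append(append([]byte(nil), Known[:len(Known)-1]...), '!') // last byte hex-edited
var Packed = xor(Known, 0x5A)
var Trace = []string{"write:autorun.inf", "connect:c2.invalid:6667", "disable:firewall"}

// Engine builds the signature set from the one file that was analysed.
func Engine() Signatures {
	return Signatures{
		Hashes:   map[[32]byte]bool{sha256.Sum256(Known): true},
		Patterns: [][]byte{Known[4:28]}, // " greeting-card-viewer v1"
		Behavior: [][]string{{"write:autorun.inf", "connect:c2.invalid:6667"}},
	}
}
```

The one-byte edit defeats the hash but not the byte pattern; packing defeats both static signatures and only the behaviour match remains, which is the trade-off the paragraph ends on.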

4 FIGHTING AGAINST THE THREATS

There are several websites with useful information that helps to manage network security issues and prevention, recommending free software, executables and scripts to delete harmful or corrupted files for different devices that run operating systems. Different techniques and methods have appeared as well. This paper mentions three of them: cryptography, public key infrastructure, and virtual private networks.

4.1 Cryptography and Encryption Keys

Cryptography is the science of secret communications, aimed at keeping information secure while it is stored or being transmitted. Encryption is one of the components used for the purpose of keeping communications secret. Encrypted information is only useful to the sender and the receiver during a transmission; they are supposed to know the technique to decode the information. "Keys" are codes used to accomplish privacy and security of the information; they are used by the sender to encrypt a message and by the receiver to decrypt it. This technique does not help to prevent denial of service attacks, but it helps to provide confidentiality and integrity to the information of the original message when an attempt to decrypt it fails. It can provide authentication and non-repudiation in the form of a digital signature as well. Hackers have been able to crack weak encryption schemes using high-performance computers and mathematical algorithms. There are several encryption tools that are practically impossible to crack. Encryption is generally supported by public key infrastructure and virtual private networks to maximize its potential [10].
4.2 Public Key Infrastructure
Public Key Infrastructure (PKI) allows on-line users connected to a public network to exchange data in a secure and private way through the use of a public and private cryptographic key pair obtained and shared through a trusted authority. PKI provides digital certificates to identify either individuals or organizations, and directory services that can store the certificates and revoke them if necessary. PKI uses public key cryptography as the method for authenticating a message sender or encrypting a message on the Internet. Traditional cryptography involved the creation and sharing of a secret or private key for the encryption and decryption of messages. It has the defect that messages are easily decrypted if the key is discovered or intercepted, which is one reason why public key cryptography and the PKI infrastructure are the preferred approach on the Internet [11].
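An added Go example (not from the paper) of what a PKI provides: a trusted authority issues a certificate to a server, a client checks it against the root it trusts, and a certificate for the same name issued by an authority the client does not trust is rejected. Authority names, host names and serial numbers are constructed; the revocation directory the text mentions is left out.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// template describes either an authority certificate (ca == true) or a
// server certificate that is only valid for the host name cn.
func template(cn string, serial int64, ca bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(365 * 24 * time.Hour),
		IsCA: ca, BasicConstraintsValid: ca, KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if ca {
		t.KeyUsage |= x509.KeyUsageCertSign
	} else {
		t.DNSNames, t.ExtKeyUsage = []string{cn}, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// issue generates a key pair and a certificate for tmpl signed by the parent's
// key; with parent == nil it is self-signed, which is how a root is created.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER produced a line above always parses
	return cert, key
}

// Trusted is the client's check: chain to a root it already trusts and be valid for host.
func Trusted(root, cert *x509.Certificate, host string) bool {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := cert.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err == nil
}

// Demo has a trusted authority and a rogue one each issue a certificate for
// the same host name and checks both against the trusted root only.
func Demo() (genuineOK, rogueRejected, wrongHostRejected bool) {
	root, rootKey := issue(template("Trusted Authority", 1, true), nil, nil)
	server, _ := issue(template("www.example.com", 2, false), root, rootKey)
	rogueRoot, rogueKey := issue(template("Rogue Authority", 3, true), nil, nil)
	rogue, _ := issue(template("www.example.com", 4, false), rogueRoot, rogueKey)
	return Trusted(root, server, "www.example.com"),
		!Trusted(root, rogue, "www.example.com"),
		!Trusted(root, server, "mail.example.com")
}
```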
4.3 Virtual Private Network
A Virtual Private Network (VPN) can be used to create a private tunnel connecting remote locations, allowing organizations to communicate securely over shared Internet resources for a fraction of the cost of private networks. This technique uses encryption to shield both the message and the information about the sender from intruders. Once the message reaches the gateway of its intended destination, both the intended recipient's address and the contents of the message are decrypted at the receiver's side on the protected private network. VPNs are used in conjunction with firewalls to allow only filtered and anonymous traffic between the private network and the public Internet. Privileged access from an authenticated source through a firewall is called tunneling [10]. VPNs are recommended to hide or mask IP addresses in order to provide secure connectivity and reduce the risk of a DoS attack.

5 PENETRATION TEST
To reduce vulnerabilities, networking devices that run operating systems have bugs that require periodic patching and upgrading. Generally, vendors update their devices by asking the end users, operators or engineers to access online tools. Patches and updates are installed automatically as well. These tools are not necessarily strong enough to keep a network safe. A controlled attack is an excellent approach to learning the vulnerabilities of the network.
A penetration test assesses the organization's ability to respond to a legal and authorized simulated intrusion. This test is also known as ethical hacking, and the name can vary according to the region or country. This type of assessment is conducted with the intent of testing a particular portion of the organization's security program and is performed only against organizations with mature security programs [3]. The process probes vulnerabilities with BackTrack tools, and a proper penetration test will end with recommendations for addressing and fixing the failures or problems discovered during the test [12].
Penetration testing results come accompanied by a report showing the performance of the several steps in the project. The documentation has to explain the findings, with explanations and suggestions to improve or increase the level of security [13].
The stages for this purpose have different classifications. The most common testing, but not limited to this, starts with planning to detail a controlled attack, analyzing security policies, postures, and risks. Then a reconnaissance phase follows, to understand the viable threats to the organization in order to know the potential attacker. In this stage, the expert has to define how information gathering could be done by the attacker. Social engineering is a way to obtain data by assuming an identity known to the victim, collecting information in many forms, such as phone calls, emails requesting data, face-to-face interaction [14], or even leaving an external data storage unit lying around to give the person who finds it the urge to know what is inside. Once the person inserts this unit into a USB port, for example, a threat such as a virus can spread across the target network [12].
Scanning comes as a technical stage of the penetration test process, to identify vulnerabilities and determine a level of risk based on the potential of each vulnerability. Good knowledge of commands and their functions is needed. As the hacker establishes a connection with the target, a port scan using the command line or a graphical user interface is imminent. There are 65,536 ports, either TCP or UDP, in a computer [12]. Hackers work on breaking into the most frequently used ports to access the victim's network.
Next, exploitation appears as the process of gaining control over a system. This is an attempt to control the target network or computer and to execute commands according to the will of the attacker, in order to simulate the vulnerability [12].
The last stage is maintaining access. When access has been achieved on a target system, it is necessary to maintain that access. It is common for system maintenance windows to occur during the penetration test. If part of the scheduled maintenance is to patch the vulnerability exploited, access might be terminated. In case of a system reboot or a failing connection, remote access may be permanently lost [13].
The use of backdoors to access servers is very common. There is often a need to find ways around defensive obstacles (e.g., access control lists or firewalls). Backdoors can give the penetration testing professional unrestric­ted access to the compromised system. An advantage of having access to the target system is that, once inside the target network, a specialist has freedom to scan and attack, because network defenses often look for the outside attack, and attacks coming from inside the network may go unnoticed. The attack will be better hidden if the backdoor is established using encryption [13].
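The scanning stage described above has a defensive counterpart: the same probes show up in firewall logs as one source hitting many ports on one host in a short time. The following Go program is an added example (not from the paper) that flags such sources in a constructed log; the log format, addresses and thresholds are assumptions.

```go
package main

import "fmt"
import "strconv"
import "strings"

// event is one line of the constructed log: "<epoch-seconds> DENY <src-ip> <dst-ip> <dst-port>".
type event struct {
	t              int
	src, dst, port string
}

// parse keeps DENY lines with a numeric timestamp and skips everything else.
func parse(lines []string) []event {
	var evs []event
	for _, ln := range lines {
		f := strings.Fields(ln)
		if len(f) != 5 || f[1] != "DENY" {
			continue
		}
		if t, err := strconv.Atoi(f[0]); err == nil {
			evs = append(evs, event{t, f[2], f[3], f[4]})
		}
	}
	return evs
}

// Scanners returns, per source address, the host on which that source probed
// at least minPorts different ports within window seconds. Lines are assumed
// to be in time order; a production detector would use a sliding window.
func Scanners(evs []event, window, minPorts int) map[string]string {
	type key struct{ src, dst string }
	ports := map[key]map[string]bool{} // ports each source tried on each host
	first, last := map[key]int{}, map[key]int{}
	for _, e := range evs {
		k := key{e.src, e.dst}
		if ports[k] == nil {
			ports[k], first[k] = map[string]bool{}, e.t
		}
		ports[k][e.port] = true
		last[k] = e.t
	}
	out := map[string]string{}
	for k, p := range ports {
		if len(p) >= minPorts && last[k]-first[k] <= window {
			out[k.src] = k.dst
		}
	}
	return out
}

// SampleLog is constructed: a fast 30-port probe of one host, a client denied
// a few times on 443, and a 40-port probe spread over more than an hour.
func SampleLog() []string {
	var l []string
	for i := 0; i < 30; i++ { // 198.51.100.5 probes ports 20-49 within 15 seconds
		l = append(l, fmt.Sprintf("%d DENY 198.51.100.5 203.0.113.10 %d", 1000+i/2, 20+i))
	}
	for i := 0; i < 5; i++ { // a client denied on 443 over 400 seconds: normal
		l = append(l, fmt.Sprintf("%d DENY 198.51.100.77 203.0.113.10 443", 3000+100*i))
	}
	for i := 0; i < 40; i++ { // one port every 100 seconds slips under this window
		l = append(l, fmt.Sprintf("%d DENY 198.51.100.33 203.0.113.10 %d", 4000+100*i, 1000+i))
	}
	return l
}
```

The slow probe in the sample is deliberately missed: a window-based threshold is only as good as the window, and scans paced below it need longer-term correlation.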

6 CONCLUSIONS
It is important to balance the requirements of the network, knowing that resources that are useful to or demanded by a given group of users will have different specifications or privileges for others. A complementary approach can be the separation of services into different levels with the help of risk analysis. Logical and hardware access filters plus firewalls are necessary to keep security at its best. Security policies and procedures must commit all members involved, to allow preparation for certificates and rules that keep the efforts of all of them up to date in preventing attacks on network resources and infrastructure.
Hackers can spoof identities or mutate media to carry out effective attacks. There are ways to avoid hacker attacks: not clicking on links coming from suspicious or unknown email senders, not installing software without a virus scan, keeping updated antivirus software or firewalls running, just to mention some of them. No one can guarantee that websites or data transfer resources are fully reliable, although a valid option to prevent unauthorized access is to hire a security expert to hack the organization (or individual) to test security strengths and weaknesses.

ACKNOWLEDGMENT
The author wishes to thank Lt. Leigh G. Cotterell for his reviews and comments regarding the present paper.

REFERENCES
[1] T. Mather, S. Kumaraswamy, and S. Latif, Cloud Security and Privacy, O'Reilly Media Inc., 2009, ISBN 978-0-596-80276-9.
[2] J. M. Kizza, Computer Network Security and Cyber Ethics, McFarland & Company, Inc., 2006, ISBN 978-0-7864-2595-2.
[3] E. Maiwald, Network Security: A Beginner's Guide, McGraw-Hill, 2013, ISBN 978-0-07-179570-8.
[4] K. Andreasson, Cybersecurity: Public Sector Threats and Responses, CRC Press, 2012, ISBN 978-1-4398-4663-6.
[5] V. Kumar, J. Srivastava, and A. Lazarevic, Managing Cyber Threats: Issues, Approaches, and Challenges, Springer, 2005, ISBN 0-387-24226-0.
[6] S. Northcutt, L. Zeltser, S. Winters, K. Frederick, and R. Ritchey, Inside Network Perimeter Security, first edition, New Riders, 2003, ISBN 0-7357-1232-8.
[7] K. Lam, D. LeBlanc, and B. Smith, Assessing Network Security, Microsoft Press, 2004, ISBN 0-7356-2033-4.
[8] J. Mirkovic, S. Dietrich, D. Dittrich, and P. Reiher, Internet Denial of Service: Attack and Defense Mechanisms, Pearson Education, Inc., 2005, ISBN 0-13-147573-8.
[9] Y. Chung, "Distributed denial of service is a scalability problem," Computer Communication Review, vol. 42, no. 1, Jan. 2012.
[10] L. Volonino and S. Robinson, Principles and Practice of Information Security, Pearson Education, Inc., 2004, ISBN 0-13-184027-4.
[11] H. Carr and C. Snyder, Data Communications and Network Security, McGraw-Hill, 2007, ISBN 978-0-07-297604-5.
[12] P. Engebretson, The Basics of Hacking and Penetration Testing: Ethical Hacking and Penetration Testing Made Easy, Elsevier Inc., 2011, ISBN 978-1-59749-655-1.
[13] T. Wilhelm, Professional Penetration Testing, Elsevier Inc., 2010, ISBN 978-1-59749-425-0.
[14] J. Tiller, The Ethical Hack: A Framework for Business Value Penetration Testing, CRC Press, 2005, ISBN 0-8493-1609-X.

V. Sánchez Padilla received his Engineering degree in electronics and telecommunications from the Escuela Superior Politecnica del Litoral, Ecuador, and his Master of Science degree in telecommunications from George Mason University, VA, USA. He is a consultant for wireless solutions and collaborates by term as adjunct lecturer at the Escuela Superior Politecnica del Litoral. His research interests include wireless transmission, information security and telecommunication policy. He is a member of the CRIEEL, IEEE-ComSoc and IAENG.
