SEC+ Chapter Seven

regulatory framework

Based on relevant laws and regulations. HIPPA is an example. HIPPA has the SRA (Security Risk Assessment Tool)

Dev life cycle methods

SDLC, software dev life cycle, models attempt to give structure to software dev projects. The two popular models are water and agile.

Man in the middle attacks

MITM is a form of active interception or eavesdropping. Two computers communicating are not aware of the MITM computer listening in. ARP (Address Resolution Protocol) poisoning is one way that an attacker an launch a MITM attack. Kerberos helps prevent MITM attacks with mutual authentication, it does not allow a malicious system to insert itself into the middle of a conversation without knowledge of the other two systems.

Identifying Application Attacks

Many attacks target server apps such as those hosted on web servers. Web servers are highly susceptible to several types of attacks, such as buffer overflow and SQL injection attacks, because they commonly accept data from users. Other servers are susceptible to some types of command line injection attacks.

Industry-specific

Some frameworks only apply to certain industries. For example, orgs that handle credit cards typically comply with the Payment Card Industry Data Security Standard (PCI DSS). This includes over 12 requirements and over 220 sub requirements that orgs follow to protect credit card data.

Sanitizing HTML code

Some input validation techniques attempt to sanitize HTML code before sending it to a web browser. This is sometimes referred to as as escaping HTML code or encoding the HTML code. ASCII can use > to replace >. This helps prevent many web attacks. Most languages include libraries to help sanitize HTML

Code testing methods

Static code analyzers: Examines the code without executing it. Automated tools can analyze the code and mark potential problems. Kind of like a spell checker. Dynamic analysis: Checks the code as it is running. A common method is fuzzing. Fuzzing uses a computer program to send random data to an app, sometimes this random data can crash the app. If that happens the devs can see what data crashed it and fix the bug. Stress testing: Attempts to simulate a live environment and determine how effective or efficient an application operates with a load. A stress test can simulate a DDoS attack and determine what it does to the app. Sandboxing: The code is placed in an isolated area for testing programs. VMs are often used for this. The code can be tested here without worry of it impacting outside systems. Model verification: The process of ensuring that software meets the specs and fulfills its intended purpose.

Birthday Attack

Statistical probabilities of a collision are more likely than one thinks. The birthday paradox is that if for any random group of 23 people, there is a 50% chance that two of them have the same birthday date of the 365 days. In a birthday attack, an attacker is able to create a password that matches the produces the same hash as the users actual password. Also known as a hash collision. A hash collision occurs when the hashing algorithm creates the same hash from different passwords. This is not desirable. Birthday attacks on hashes are prevented by increasing the number of bits used in the hash to increase the number of possible hashes. MD5 uses 128 bits and is susceptible to birthday attacks. SHA3 uses 512 bits and is not susceptible to birthday attacks.

Code Obfuscation

Technique used to disguise the appearance of source code running on a system. Commonly employed to reduce the overall size of the software code or application. Instead of giving variables clear name, a weird string might be given. Most security experts think it is not a reliable security method. It also makes the code difficult to understand for everyone.

First Normal Form (1NF)

The first stage in the normalization process. It describes a relation depicted in tabular format, with no repeating groups and a primary key identified. All nonkey attributes in the relation are dependent on the primary key. A database is 1NF if it meets the following three criteria: - Each row within a table is unique and identified with a primary key -Related data is contained in a separate table. =None of the columns include repeating groups.

SQL injection trick

The phrase or'1'='1' is used to create a true condition. For example, if the database allows you to search a customers table looking for a specific record, it might expect you to enter a name. If you enter the 1=1 phrase instead of a name, which can cause the statement to retrieve all names from the database.

Second Normal Form (2NF)

The second stage in the normalization process, in which a relation is in 1NF and there are no partial dependencies (dependencies in only part of the primary key). Only applies to tables that have a composite primary key, where two or more columns make up the full primary key. 2NF must meet the following criteria: -It is in 1NF -Non-primary key attributes are completely dependent on the composite key.

Web server attacks

The two primary applications used for web servers are: Apache: The most popular web server used on the internet. It's free and can run Unix, Linux, and Windows systems. Internet Information Services (IIS): A Microsoft web server, included free with any Windows Server product

Agile SDLC

- Constant continuous iteration of all the phases quickly is the essence of agile. Instead of strict phases, the agile model uses iterative cycles. Each cycle creates a working, if not complete, product. Testers verify the product works with the current features, and devs move onto the next cycle. The next cycle adds additional features, often adding small, incremental changes from the previous cycle. The agile model emphasizes interaction between customers, devs, and testers during each cycle. The waterfall model only does this during the requirments stage and maintenance stage.

Database concepts

A database is a structured set of data. Typically includes multiple tables and each table holds columns and rows. Normalization of a database refers to organizing the tables and columns to reduce redundant data and improve overall database performance. There are three main normal forms: First normal form Second normal form Third normal form

Non-regulatory framework

A framework not required by law, but instead it typically identifies common standards or best practices that an organization can follow. COBIT (Control Objectives for Information and Related Technologies) is a framework that many orgs use to ensure that business goals and IT security goals are linked together

What is normalization?

A process used to optimize databases. There are several forms available, but a database is considered normalized with it conforms to the first three normal forms.

Buffer overflow attack example

An app might be expecting to receive a string of a 15 character username. If it receives more than 15 characters it can cause a buffer overflow and expose system memory. The following HTTP GET command shows an example of sending a long string to the system to great a buffer overflow: GET /index.php?username=ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ The buffer overflow exposes a vulnerability, but it doesn't necessarily cause damage by itself. However, once attackers discover it, they can exploit it and overwrite memory locations with their own code. If the attacker uses the buffer overflow to crash the system or disrupt its services, it is a DoS attack. More often the goal is to insert malicious code in a memory location that the system will execute. It's not easy for an attacker to know the exact location where the malicious code is stored, making it difficult to get the computer to execute it. They can make educated guesses. A popular method that makes guessing easier is with no operation (NOP, pronounced as "no op") commands, written as a NOP slide or NOP sled. Many Intel processors use hexadecimal 90 (often written as x90) as a NOP command, so a string of x90 characters is a NOP sled. The attacker writes a long string of x90 instructions into memory, followed by malicious code. When a computer is executing code from memory and it comes to a NOP, it just goes to the next memory location. With a long string of of NOPs, the computer simply slides through all of them until it gets to the last one and executes the code in the next instruction. If the attacker can get the computer to execute code from a memory location anywhere in the NOP slide, the system will execute the attacker's malicious code. The malicious code varies. Sometimes it is to spread a worm through the servers network. Other times the code modifies a web app so that the app tries to infect every user who visits the web site with other malware. Endless attack possibilities. Sometimes the attacker writes a malicious script to discover buffer overflow vulnerabilities, using JavaScript to send random data to another service on the same system for example. Error handing routines and input validation go a long way to prevent buffer overflows, but they don't prevent them all. Attackers occasionally discover a bug allowing them to send a specific string of data to an app, causing a buffer overflow. When vendors discover buffer overflow vulnerabilities, they are usually quick to release a patch or hotfix. For an admin, all they can do is keep up to date with patches.

Amplification Attack

An attack instigated using small, simple requests that trigger very large responses from the target. DNS, NTP, ICMP, and SNMP lend themselves to being used in these kinds of attacks. A type of DDoS attack. Typically uses a method that signficantly increases the amount of traffic sent to, or requested from, a victim. For example, a smurf attack spoofs the source address of a directed broadcast ping packet to flood a victim with ping replies. A ping is normally unicast, sent to a single computer from a single computer. A ping sends an ICMP echo request to one computer, and that one responds with an ICMP echo response. A smurf attack sends the ping out as a broadcast, not to just one computer but all others in that subnet. The smurf attack spoofs the IP source of the ping ICMP request, and the computers receiving it all respond to the fake IP address with ICMP echo replies. DNS amplification attacks send DNS requests to DNS servers with a spoofed IP address, the victims. The spoofed request asks for as much data as possible, not just a single record. This amplifies the amount of data sent back to the victim, one simple request for a massive amount of info. And done to multiple DNS servers, it can overwhelm the system. Amplification can use other protocols.

ARP DoS Attack

Attacker can send an ARP reply with a bogus MAC address for the default gateway (If all the computers cache a bogus MAC address for the default gateway, none of them can reach it, which stop all traffic out of the network)

Injection attacks

Attacks where attackers supply craft malicious input that is syntactically correct according to the interested language being used in order to break the applications normal intended functionality. Not just for SQL, but from any web page that accepts input from users, can be a potential threat.

Password attacks, dictionary

Attempts all words in the dictionary. Also now include common passwords, such as 1234567.

What is DNS poisoning?

Attempts to corrupt DNS data. - can point to an alternate website. The DNS server would respond with the incorrect IP address from the user query. Most current DNS servers use DNSSEC (Domain Name System Security Extensions) to protect DNS records and prevent poisoning attacks.

Password attacks, name some common ones

Brute force Dictionary Password Hashes Pass the Hash Birthday Attacks Rainbow Table

Password attacks, brute force

Brute force is obvious, it just attempts to guess all possible character combos. Two main types are offline and online. Online uses tools such as ncrack that can run brute force attacks online. Free tool! Account lockout procedures such as those in Window Systems are effective against online brute force password attacks. Setting a lockout after a certain number of attempts is standard. Individual services often have their own settings against brute force attacks. SSH, for example, can disconnect an attacker if that person has not logged on within 60 seconds and can limit the number of attempts per connection. Offline password attacks attempt to discover passwords from a captured database or captured packet scan. For example a system hacked and the database stolen, offline password attacks can discover the passwords within this database. One of the best ways to find this is to use long, complex passwords and store the passwords in an encrypted or hashed format.

Client side vs server side input validation

Client side, such as in the browser, is faster. Server side input validation is more secure. Users can disable JavaScript in their browser and bypass validation checks. It is possible to set up a proxy to capture the data and modify it before reaching the server. Using both client and server side is bet. Client side prevents data from being sent to the server until it is correct, and the server side is the final check

What are the three DNS attacks?

DNS poisoning, pharming, and DDoS

DoS vs DDoS

A DoS attack is from a single source. A DDoS (Distributed Denial of Service) attack is from two or more sources. DDoS attacks are often sustained, high volume network traffic. The goal of both is to bring down the site and prevent others from access it.

pointer dereference

A programming practice that uses a pointer to reference a memory area. A failed dereference operation can corrupt memory and sometimes even cause an application to crash. Programming languages such as C, C++, and Pascal use pointers (Java calls them references). These simply store a reference to something. Instead of passing an entire array of data, programs can pass a pointer to it, that references where that array is stored. This consumes less memory, because you only have to store one array in the memory. This is called pointer dereference. Dereferencing is the process of using the pointer to access the data array. A failed dereference operation can cause an application to crash. In some programming languages it can subtly corrupt memory, which can be worse than crash. The small subtle random changes result in the app using incorrect data, which is often difficult to detect and troubleshoot. The cause of a failed dereference operation is a pointer that references a nonexistent pointee.

What is a replay attack?

A replay attack (also known as playback attack) is a form of network attack in which a valid data transmission is maliciously or fraudulently repeated or delayed. Data that was already part of communication between two computers is replayed in an attempt to impersonate one of them. Timestamps and sequence numbers are effective against this. Kerberos uses timestamps.

DDoS DNS attacks.

A shit ton of queries sent to the DNS server with the intent of overwhelming it. Sent from a botnet of IoT, cameras, printers, baby monitors, fridges. A malware called Mirai was used, which forced systems to become bots within a botnet. On the same day an attack was launched on certain DNS servers, and prevented users that were using those servers from resolving URIs into IP addresses.

Spoofing Attack

A situation in which one person or program successfully masquerades as another by falsifying data and thereby gaining an illegitimate advantage. MAC spoofing: A switch can be overwhelmed with a MAC flood attack using a spoofed MAC address. Flood guards can prevent this. IP spoofing: An attacker spoofs the source address so that it looks like the IP packet originated from a different source. An attacker can launch an attack and make it appear as though it is coming from a different IP address.

Secure DevOps

A software development process using an agile-aligned methodology. It considers security through the lifetime of the project. Includes extensive communication between software devs and operations personnel. Security is considered throughout the project. Secure automation: Uses automated tools to check code. When modifying code it's important to test it an ensure the modification did not introduce software bugs or security flaws. Continuous integration: Merging code changes into a central repo from each part of the team is done during the whole process, with testing of each code merge. Baselining: When the baseline code is changed it should be merged back into the main code daily. If not five different devs might be modifying the baseline code in their own repo, and when it is all merged back into the main branch things do not work properly because of interactions. Immutable systems: It is possible to create and test systems in a controlled environment. Once they are created, they can be deployed into a production environment. Infrastructure as code: Refers to managing and provisioning data centers with code that defines VMs.

Third Normal Form (3NF)

A table is in 3NF when it is in 2NF and no nonkey attribute is functionally dependent on another nonkey attribute; that is, it cannot include transitive dependencies. -All in 2NF, which means also 1NF -All columns that are not primary keys are only dependent on the primary key

Cross-Site Scripting (XSS)

A vulnerability in dynamic web pages that allows an attacker to bypass a browser's security mechanisms and instruct the victim's browser to execute code, thinking it came from the desired website. Usually HTML or JavaScript that executes on the users browser when they visit a site. The primary protection is input validation techniques. Devs should avoid any methods that allow the web page to display untrusted data. Also a security encoding library to to sanitize code and prevent XSS attacks. XSS attacks allow attackers to capture user info such as cookies. XSS attacks can be sent in emails, with links that try the attack if the user clicks the link.

Rainbow Table attacks

An attack that attempts to discover the password from the hash. A rainbow table is a huge database of precomputed hashes. If the attacker has the hash of the password they can: 1: Run an app to guess a password. 2: Hash that password guess. 3. Compared the hashed guess password to the real hash. 4. If they are not the same, repeat the steps. The most time consuming part is creating a hash of the guessed password. Rainbow tables try to eliminate this step. Rainbow tables are huge databases of passwords and their hashed values. Rainbow tables can be huge, 160gb, of hashed passwords. Every single one up to 8 characters long. So the rainbow attack app just compares the stolen hash against the table of hashes and looks for a match. Salting passwords is a common method of preventing rainbow attacks, along with dictionary attacks. Salt is set of random data, such as two additional characters. Password salting adds these additional characters to the password before hashing it, which produces a different hash.

XSRF (cross-site request forgery)

An attack that causes users to perform actions on websites without their knowledge. In some cases, attackers use header manipulation to steal cookies and harvest passwords. For example, creating a link that changes the users password by entering the input in the HTML link. When a user logs on and the website knows them, these types of attacks are possible because it will usually not ask for authorization again once logged on. Can also make purchases this way. The primary burden of XSRF protection is on developers to not allow. Otherwise all you can do is educate your users on not clicking suspicious links, such as in emails.

Domain Hijacking

An attack that changes the registration of a domain name without permission from the owner. Changing domain ownership through theft. Accessing a users email account and resetting the password for the domain registrar.

ARP poisoning

An attack that convinces the network switch or computer that the attacker's MAC address is the one associated with an allowed address so that traffic is wrongly sent to the attacker's machine. The ARP resolves the IP address of systems to their hardware (MAC) address and stores the result in the ARP cache. TCP/IP uses the IP address to get a packet to a destination network. Once the packet arrives on the destination network, it uses the MAC address to get to the correct host. ARP uses two primary messages: ARP request: The ARP broadcasts the IP address, asking "who has this IP?". ARP reply: The computer with that IP address on the network responds with it's MAC address. The computer that sent the ARP request caches the MAC address for that IP, so now it won't have to ask again the next time it needs to send a packet addressed to that MAC address. On some systems all computers that hear the ARP reply also cache that MAC address. The problem here is that ARP will believe any ARP reply packet. Attackers can easily create fake ARP reply packets with spoofed or bogus MAC addresses, and poison the ARP cache on systems in the network. Two possible attack from ARP poising are MITM and a DoS attack.

Man-in-the-browser

An attack that infects vulnerable web browsers. It can allow the attacker to capture browser session data, including keystrokes.

DLL injection

An attack that injects a Dynamic Link Library (DLL) into memory and runs it. Attackers rewrite DLL, inserting malicious code. A DLL is a compiled set of code that an app can use without recreating the code. As an example, most programming languages include math based DLLs. Instead of writing code to discover the square root of a number, they can include the correct DLL and use the square root function of it. A DLL injection attack is an attack that injects a DLL into a systems memory and causes it to run. For example, creating a DLL and attaching it to an already running process, allocates memory for it within the running process, connects the DLL within the allocated memory, and executes the DLL.

SYN flood attack

An attack that takes advantage of the procedures for initiating a TCP/IP session. Attacker sends out SYN messages, gets the SYN/ACK back, but instead of sending out an ACK to close the three way handshake, sends out another SYN. Linux supports an iptables command that can set a threshold for SYN packets, blocking them after that is met. Can be a DoS, DDoS, and/or using spoofed IP addresses.

Pass the Hash Attack

An exploit in which an attacker steals a hashed user credential and, without cracking it, reuses it to trick an authentication system into creating a new authenticated session on the same network. Any network sending hashes out unencrypted can be attacked this way, however it is mostly associated with Microsoft LAN Manager (LM) and NT LAN Manger (NTLM). Any system using LM or NTLM is susceptible to pass the hash attacks. The solution is to use NTLMv2 or Kerberos instead. NTLMv2 uses a number used once (nonce) on both the client and authentication server.

Cryptographic Techniques

Apps need to make sure they encrypt any sensitive data before transit on a network. Apps need to decrypt data before processing. Apps need to store encrypt this data again before storing it. Apps need to ensure all remnants of the data are flushed from memory. Certificates can be used here, to validate and authenticate software code. Devs can purchase a certificate and associate it with an app or code. This is the code signing process, and provides a digital signature for the code. The certificate includes a hash of the code. The certificate identifies the author. The hash verifies the code has not been modified. If malware modifies the code, the hash will not match.

ARP MITM Attack

Attacker can redirect network traffic (In some cases can insert malicious code) (Uses IP forwarding to send the traffic to the router so that the victim is unaware of the attack). The victims ARP cache would be poisoned so that traffic from that user to the router/switch would be sent to the attacker. Users ARP cache would show the MAC address of the attacker The attacker captures the data, and can use IP forwarding to send the packets on normally so that the victim is not aware of the attack (everything is working normally).

Provisioning and Deprovisioning

Commission/Decommission of assets from the time it is installed, until the time it is decommissioned and disposed. This usually refers to user accounts. When an employee starts working at an org, admins create an account and give that account privileges. This way the user user can the account as authorization to access various resources. This is provisioning. Deprovisioning an account refers to removing access to these resources, can just be disabling that account. Within devops, these terms apply to the app. Provisioning an app refers to preparing and configuring the app to launch on different app services. Deprovisioning an app refers to removing it from a device. For example if a user decides to delete the app, the app should be able to be removed completely without any remnants of the app left on the device.

Compiled VS runtime code

Compiled code has been optimized by an app (called a compiler) and converted into an executable file. The compiler check the program for errors and provides a report on items the devs might want to check. Runtime code is code that is evaluated, interpreted, and executed when the code is run. HTML web pages are interpreted at run time. Many languages use a cross between compiled and run time code. Python is an example of this, it is an interpreted language. When first run the Python interpreter compiles it. The server will then use the compiled version each time it runs. If the system detects a change in the Python source code, it will recompile it.

Code reuse and SDKs

Copying old code that has been tested saves time, and can improve security. However, only the useful parts of the code should be copied. If parts of the code are never used, that is called dead code. SDKs are tools to help develop software.

known plaintext attack

Cryptanalysis attack where the attacker is assumed to have access to sets of corresponding plaintext and ciphertext. If an attacker has samples of both the plaintext and ciphertext, they can discover the encryption method and use that to decrypt other encrypted messages? For example, if an encrypted email is sent and the attackers knows that company ends all company emails with the same legal disclosure., he can try various encryption methods to see if he can recreate the encrypted email ending. If he can, he can use the same method to decrypt the rest of the email.

Proper Error Handling

Error-handling and exception handling insure that an app can handle an error gracefully, without crashing or spitting out a default error message. It should provide friendly feedback to the user about what went wrong and how to correct it. Improper error handling can give an attacker more info about an app. When an app error is not caught, it often provides debugging information. Attackers can sometimes find useful information here and exploit it for fun and profit. Errors to users should be general: No detailed information. Detailed error information should be logged: This is for the devs to go back over and figure out what went wrong. Error handling helps protect the integrity of the app and shows only general error messages to the user, but log the details for devs.

Privilege Escalation

Exploiting a vulnerability in software to gain access to resources that the user would normally be restricted from obtaining.

SQL Queries, injection attacks

In an SQL injection attack, the attack enters additional data into the web page form to generate different SQL statements. SQL query languages use a semicolon ; to indicate the end of the SQL line and use two dashes -- as an ignored command. With this knowledge, the attacker could enter different information into the web form such as: Lisa Anderson'; SELECT * FROM Customers;-- If the web application plugged this string of data directly into the select statement surrounded by the same singe quotes, it would appear as this: SELECT * FROM Books WHERE Author ='Lisa Anderson'; SELECT * FROM Customers; --' The first line retrieves data from the database, however the semicolon signals the end of the line and the database will accept another command. The next line reads all the data in the Customers table, which can give the attacker access to names, credit cards, etc. The last line comments out the second single quote to prevent an SQL error.

Memory Buffer Vulnerabilities

Memory leak: A bug in a computer app that causes the app to consume more and more memory the longer it runs. In bad cases it can consume so much that the OS crashes. Memory leaks are typically caused by an app that reserves memory for short term use, but never releases it. Integer overflow: An integer overflow attack attempts to create a numeric value that is too big for an app to handle. This can cause the app to give inaccurate results. An 8 bits is reserved to store a number, it can store any value between 0 and 255 (256 numbers). Buffer overflows: A buffer overflow occurs when an app receives more input, or different input, than it expects. The result is an error that exposes system memory that would otherwise be protected and inaccessible. Normally an app will have access to only a specific area of memory, called a buffer. The buffer overflow allows access to memory locations beyond the apps buffer, enabling an attacker to write malicious code into this area of memory.

Password Hashes

Most systems do not store the actual password itself, instead they store a hash of the password. Created using a hashing algorithm such as MD5 or SHA3. So the system stores a hash of the users password. When the user logs on and enters a password, the system runs the hash program and if the hash matches the hash in the database, allows entry. Hashes are supposed to be one way, but now there are tools to discover the passwords from hashes. md5online returns passwords from hashes. It uses a database of hashed dictionary words. Passwords are usually not sent over a network. Instead, the password is hashed on the users system after entering it and that hash is sent. However, if the hash is sent unencrypted the attack might be able to intercept the hash and use it to log onto the system.

Amplification attack example

NTP (Network Time Protocol), when used normally this sends a list of the last 600 hosts that connected to the NTP server. In an NTP amplification attack, the monlist command is used with a spoofed IP address as the source, and the NTP server sends the 600 hosts to that IP address.

input validation

One of the most important things developers can do for security is input validation. This is the practice of checking data for validity before using it. Input validation prevents an attacker from sending malicious code that an app will either sanitize and use or reject. Improper input validation handling is one of the most common security issues on web based apps. It allows buffer overflow attacks, SQL, injection, command injection, cross site scripting. Common input validation checks: Verifying proper characters: Such as numbers only for a zip code. Implementing boundary or range checking: Ensure that the values entered are within the expected range. For example if the maximum purchase total for an item is through, input validation to check and make sure. Blocking HTML code: Blocking characters such as < and > to prevent HTML from being sent as input. Preventing certain characters: SQL injection attacks use specific characters such as the - dash and ' and =. Blocking these helps prevent SQL attacks

DNS Pharming Attacks

Pharming attacks try to either corrupt the DNS server or the the client. It also redirects traffic when successful. Pharming attacks on the client modify the hosts files on WIndows systems. This file is located at : C:\Windows\System32\drivers\etc and can include the IP address along with host mappings. By default, it currently does not have anything other than comments on current Windows computers. A mapping might look like: 127.0.0.1 localhost 13.207.21.200 google.com The first entry maps the name of the local host to the loopback IP address. The second maps the google.com to the IP address of 13.207.200 which is for bing.com Could be done as joke or it could point to a server that downloads malware, or a server that looks like google but really steals your password.

How to prevent SQL attacks

Proper error handling and input validation. Database devs can also use stored procedures, which is a group of SQL statements that executes as a whole. Instead of copying the users input directly into an SQL SELECT statement, the input is passed to the stored procedure as a parameter. The stored procedure performs data validation, but also handles the data (parameter) differently and prevents SQL injection attacks.

Waterfall SDLC model

Requirements: The devs work with the customer to understand what is needed. The output at this stage is to document requirements. Design: The desv begin to design the software architecture in this stage. No detailed coding, just an overall picture/blueprint of what the code will eventually do. Implementation: Developers write the code at this stage, based on requirements and design. Verification: This stage ensures the code meets the requirements Maintenance: This stage implements changes and updates as needed. The waterfall model lacks flexibility, it is difficult to revise anything from previous stages. If midway through a change is wanted by the customer, it can't be implemented until the maintenance stage.

Driver manipulation, Refactoring (application/service attacks)

Shimming provides a solution that makes it appear old drives are compatible. A driver shim is additional code that can be run instead of the original driver. When an app attempts to call an older driver, the OS intercepts the call and redirects it to the shim code instead. Refactoring code is the process of rewriting the internal processing of the code without changing its external behavior. Usually done to correct software design problems. When a driver is no longer compatible, they can write as shim to make it work or rewrite the driver to refactor the relevant code. Attackers with strong programming skills can use their knowledge to manipulate drivers by either creating shims or rewriting the internal code. If the attacker can fool the OS to use this, they can run the malicious code contained within the manipulated driver.

National vs. International frameworks

Some frameworks are used within a single country, NIST created the Cybersecurity framework, which focuses on cybersecurity in the US. The ISO (International Organization for Standardization) and the IEC (International Electrotechnical Commission) create and publish international standards. ISO/IEC 27002 provides a framework for IT security

Hijacking attacks

Typo squatting (also called URL hijacking) occurs when someone buys a domain name that is close to real domain name, such as common typo or misspelling of another company. A person might go to that website instead thinking it was the real one. They could host a site at that domain that tried to install drive by software, or earn ad revenue from clicks, or reselling the domain for lots of money. Clickjacking tricks the user into clicking on a link that is not what they think it is. For example, a more info button that takes them to an ad. Session hijacking takes advantage of session IDs stored in cookies. A session hijacking the attacker uses a stolen session ID to impersonate the user on a website. Attackers can read cookies installed on your system through different methods. Once they have your session ID they can insert it into the HTTP header and send it to the website. If that website uses the session ID to log the user on automatically, the attacker now has access

What is a hash collision?

When a hashing algorithm creates the same hash from different passwords/data. Try to prevent by using more bits used in the hash, to increase the number of possible hashes.

What is a buffer overflow?

When an application receives more data than it can handle or unexpected data - it exposes system memory. Buffer overflow attacks often include NOP instructions such as x90 followed by the malicious code. Input validation and up to date patches help prevent these attacks.

Avoiding Race Conditions

When two or more modules of app, or two or more applications attempt to access a resource at the same time it can cause a conflict called a race condition. Most devs are aware of this and code around it, but some new devs are not. An example is two people reserving the same seat on an airplane at the same time. You could both end up with a ticket for the same seat. Most online ticketing services lock your seat selection in for a set amount of time before you pay, so during that time no one else can begin booking it.