Security+ Chapter 5 - Terms


malvertising (malicious advertising)

Also called a poisoned ad attack. Threat actors have turned to third-party advertising networks to distribute their malware to unsuspecting users who visit a well-known website. The threat actors may compromise the advertising network so that their malware is distributed through ads sent to users' web browsers, or they may pose as reputable advertisers while in reality distributing their malware through the ads they buy.

Media Access Control (MAC) Address

An address assigned by the manufacturer and "burned" into a network interface card (NIC). The hardware value itself is fixed, but the operating system and driver read the MAC address into software and will use a different value if told to, so the address a NIC presents on the network can be overridden (see MAC spoofing).

session hijacking

An attack in which an attacker attempts to impersonate the user by using the user's session token. An attacker can attempt to obtain the session token in several different ways. One of the most common methods is to use XSS or other attacks to steal the session token cookie from the victim's computer and then use it to impersonate the victim. Other means include eavesdropping on the transmission or even guessing the session token. Guessing is successful if the generation of the session tokens is not truly random. In such a case, an attacker can accumulate multiple session tokens and then make a guess at the next session token number.
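
The "guessing" case above, shown from both sides as an added example (not code from the page): a deliberately bad counter-based token generator, the attacker's test for a linear pattern across collected tokens, and the generator and comparison a server should use instead. The token format and sample counter values are constructed for the example.

```python
import secrets
import hmac
from typing import List, Optional


def weak_token(counter: int) -> str:
    """Constructed example of a BAD generator: the session token is a
    counter rendered as hex, so every issued token reveals the next one."""
    return f"{counter:08x}"


def strong_token() -> str:
    """What a session token generator should do: 128 bits from the OS
    CSPRNG. Hex encoding is not the problem in weak_token; predictability is."""
    return secrets.token_hex(16)


def predict_next(tokens: List[str]) -> Optional[str]:
    """The attacker's side: collect a few tokens, test whether they form an
    arithmetic sequence (constant difference), and if so predict the next
    one. Returns None when no such pattern is present."""
    if len(tokens) < 3:
        return None
    try:
        values = [int(t, 16) for t in tokens]
    except ValueError:
        return None  # not hex at all
    deltas = {b - a for a, b in zip(values, values[1:])}
    if len(deltas) != 1 or 0 in deltas:
        return None
    step = deltas.pop()
    width = len(tokens[-1])
    return f"{values[-1] + step:0{width}x}"


def token_matches(presented: str, stored: str) -> bool:
    """Server-side comparison that does not leak which byte differed."""
    return hmac.compare_digest(presented, stored)
```

A linear pattern is only the simplest case; tokens derived from timestamps or seeded PRNGs fail in subtler ways, which is why the fix is a CSPRNG of at least 128 bits rather than a better encoding.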

denial of service (DoS)

An attack that attempts to prevent a system from performing its normal functions by overwhelming the system with requests.

ARP poisoning

An attack that corrupts the ARP cache. Because the IP-to-MAC mapping is stored in a software ARP cache that accepts replies without any authentication, an attacker can send forged ARP replies so that the cache maps a legitimate IP address (often the default gateway's) to the attacker's MAC address, and traffic for that IP address is then delivered to the attacker's computer instead.
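
An added detection example (not from the page) in the style of arpwatch: read observed ARP replies, keep the first mapping learned for each IP as the baseline, and alert when an IP's MAC changes or when one MAC claims several IPs, which is what a gateway impersonation looks like on the wire. The reply log and addresses below are constructed for the example.

```python
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed sample of ARP replies seen on a LAN (not a real capture).
# Format: "<sender IP> is-at <sender MAC>". The last two lines show
# aa:bb:cc:00:00:20 claiming the gateway's and another host's address.
SAMPLE_ARP_REPLIES = """\
192.168.1.1 is-at aa:bb:cc:00:00:01
192.168.1.10 is-at aa:bb:cc:00:00:10
192.168.1.20 is-at aa:bb:cc:00:00:20
192.168.1.1 is-at aa:bb:cc:00:00:20
192.168.1.10 is-at aa:bb:cc:00:00:20
"""


def parse_arp_replies(text: str) -> List[Tuple[str, str]]:
    """Returns (ip, mac) pairs in the order they were observed."""
    replies = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[1] == "is-at":
            replies.append((parts[0], parts[2].lower()))
    return replies


def detect_arp_poisoning(replies: List[Tuple[str, str]]) -> List[tuple]:
    """Alerts as tuples. 'ip-mac-changed' fires when an IP is re-announced
    with a different MAC than first learned; 'mac-claims-multiple-ips'
    fires when one MAC answers for more than one IP."""
    baseline: Dict[str, str] = {}            # ip -> first MAC learned
    claims: Dict[str, Set[str]] = defaultdict(set)  # mac -> ips it announced
    alerts = []
    for ip, mac in replies:
        claims[mac].add(ip)
        first = baseline.setdefault(ip, mac)
        if first != mac:
            alerts.append(("ip-mac-changed", ip, first, mac))
    for mac, ips in claims.items():
        if len(ips) > 1:
            alerts.append(("mac-claims-multiple-ips", mac, tuple(sorted(ips))))
    return alerts
```

The first-learned baseline is a heuristic: a DHCP lease moving to a new host also changes an IP's MAC, so real deployments pair this with a known-good table for the gateway and servers, or use dynamic ARP inspection on the switch.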

privilege escalation

An attack that exploits a vulnerability in software to gain access to resources that the user normally would be restricted from accessing.

cross-site scripting (XSS)

An attack that injects scripts into a web application so that they are delivered to, and executed in, the browsers of other users who view the affected page. The threat actor takes advantage of web applications that accept user input and present it back to users without validating or encoding it.
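
An added example (not code from the page) of the server-side mistake and its fix: a page that copies user input straight into HTML next to one that encodes it for an HTML text context, with a small parser that lists the tags a browser would actually see in each result. The greeting page and the payload string are constructed for the example.

```python
import html
from html.parser import HTMLParser
from typing import List

# Constructed attacker input: a tag with an event handler, the usual
# proof that raw HTML reached the page.
XSS_PAYLOAD = '<img src=x onerror="alert(document.cookie)">'


def render_greeting_vulnerable(name: str) -> str:
    """DELIBERATELY VULNERABLE: user input is copied into the page as-is."""
    return f"<p>Hello, {name}!</p>"


def render_greeting_safe(name: str) -> str:
    """Output encoding for an HTML text context: <, >, &, and quotes become
    entities, so the browser displays the payload instead of executing it."""
    return f"<p>Hello, {html.escape(name, quote=True)}!</p>"


class TagCollector(HTMLParser):
    """Records the start tags a browser would parse out of a page."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: List[str] = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def tags_in(page: str) -> List[str]:
    parser = TagCollector()
    parser.feed(page)
    parser.close()
    return parser.tags
```

html.escape is correct only for text and quoted-attribute contexts; input placed inside a script block, a URL, or CSS needs the encoder for that context, and templating engines with auto-escaping are the practical way to get this right everywhere.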

man-in-the-browser (MITB)

An attack that intercepts communication between a browser and the underlying computer. Specifically, a MITB attack seeks to intercept and then manipulate the communication between the web browser and the security mechanisms of the computer. A MITB attack usually begins with a Trojan infecting the computer and installing an "extension" into the browser configuration, so that when the browser is launched the extension is activated. When a user enters the URL of a site, the extension checks to determine if this is a site that is targeted for attack. After the user logs in to the site, the extension waits for a specific webpage to be displayed in which a user enters information, such as the account number and password for an online financial institution (a favorite target of MITB attacks). When the user clicks "Submit" the extension captures all the data from the fields on the form and may even modify some of the entered data.

man-in-the-middle (MITM)

An attack that intercepts legitimate communication and forges a fictitious response to the sender. A network-based MITM attack involves a threat actor who inserts himself into a conversation between two parties. The actor impersonates both parties to gain access to information they are sending to each other. Neither of the legitimate parties is aware of the presence of the threat actor and thus communicate freely, thinking they are talking only to the authentic party.

injection attack

An attack that introduces new input to exploit a vulnerability. One of the most common injection attacks, called SQL injection, inserts statements to manipulate a database server. SQL stands for Structured Query Language, a language used to view and manipulate data that is stored in a relational database. SQL injection works when the application concatenates user input directly into a query, so that specially crafted input changes the meaning of the query the database executes.

replay

An attack that makes a copy of the transmission before sending it to the recipient. It is a variation of a MITM attack. Whereas a MITM attack alters and then sends the transmission immediately, a replay attack makes a copy of the legitimate transmission before sending it to the recipient. This copy is then used at a later time (the MITM "replays" the transmission). A simple replay would involve the MITM capturing logon credentials between the user's computer and the server. Once that session has ended, the MITM would attempt to log on and replay the captured user credentials.
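
An added example (not code from the page) of why a message authentication code alone does not stop the replay described above, and what does: the client binds a nonce and timestamp into each HMAC-authenticated message, and the server rejects anything outside its freshness window or carrying a nonce it has already accepted. The shared key, message format, and window size are assumptions made for the example.

```python
import hashlib
import hmac
import json
import secrets
from typing import Dict, Tuple

# Constructed shared key; a real deployment provisions one per client.
SHARED_KEY = b"example-shared-key-not-for-production"


def sign_message(key: bytes, payload: dict, now: int) -> Tuple[bytes, str]:
    """Client side: bind a fresh nonce and a timestamp into the message and
    authenticate the whole thing with an HMAC."""
    message = {"payload": payload, "ts": now, "nonce": secrets.token_hex(8)}
    body = json.dumps(message, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return body, tag


class ReplayGuard:
    """Server side. A captured (body, tag) pair is a perfectly valid message,
    so the MAC cannot detect a replay by itself; freshness comes from the
    timestamp window plus the record of nonces accepted inside it."""

    def __init__(self, key: bytes, window: int = 30) -> None:
        self.key = key
        self.window = window
        self.seen: Dict[str, int] = {}  # nonce -> timestamp it was accepted with

    def verify(self, body: bytes, tag: str, now: int) -> Tuple[bool, str]:
        expected = hmac.new(self.key, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return False, "bad-mac"        # forged or tampered
        message = json.loads(body)
        if abs(now - message["ts"]) > self.window:
            return False, "stale"          # too old, or clocks too far apart
        # Nonces older than the window can be forgotten: a replay that old
        # is already rejected as stale, so the table stays bounded.
        self.seen = {n: t for n, t in self.seen.items() if now - t <= self.window}
        if message["nonce"] in self.seen:
            return False, "replay"         # same message presented twice
        self.seen[message["nonce"]] = message["ts"]
        return True, "ok"
```

The timestamp bounds how long the server must remember nonces; without it the seen-set grows forever, and without the nonce an attacker could replay freely inside the window.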

domain hijacking

An attack that occurs when a domain pointer that links a domain name to a specific web server is changed. When a domain name is first registered, the owner is given access to a domain control panel. From this panel the owner can point the domain name to the physical web server that contains the website's data, such as the webpages, photos, scripts, etc. When a domain name is hijacked, a threat actor gains access to the domain control panel and redirects the registered domain to a different physical web server.

buffer overflow attack

An attack that occurs when a process attempts to store data in RAM beyond the boundaries of a fixed-length storage buffer. The extra data overflows into the adjacent memory locations (a buffer overflow). When the buffer lives on the stack, the memory just beyond it typically holds the saved "return address" of the function that was executing, so an attacker who overflows the buffer can overwrite that return address with a new address pointing to the attacker's code, which then runs when the function returns.

integer overflow attack

An attack in which an attacker changes the value of a variable by causing an integer overflow. On a computer, an integer overflow is the condition that occurs when the result of an arithmetic operation, like addition or multiplication, exceeds the maximum size of the integer type used to store it. The stored value then wraps around: an unsigned integer wraps past its maximum back to zero, and a signed integer wraps from its largest positive value to its most negative value. Size and length calculations are a common target, because a wrapped value can pass a bounds check and then be used to allocate or copy far less memory than the code expects.
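
An added example (not code from the page) that reproduces 32-bit wraparound in Python, where native integers never overflow, to show the allocation-size bug described above: the unchecked version of a count-times-size computation wraps to a tiny number, while the checked version tests for overflow before it multiplies. The 32-bit widths and sample counts are assumptions for the example.

```python
from typing import Optional

MASK32 = 0xFFFFFFFF


def u32(value: int) -> int:
    """Reduce to what a C uint32_t would store (wrap past 2**32 - 1 to 0)."""
    return value & MASK32


def i32(value: int) -> int:
    """Reinterpret as a C int32_t (wrap past 2**31 - 1 to -2**31)."""
    v = u32(value)
    return v - (1 << 32) if v & 0x80000000 else v


def alloc_size_vulnerable(count: int, elem_size: int) -> int:
    """Mimics C that computes count * elem_size in a uint32_t with no check.
    A large count wraps to a tiny allocation, while the loop that later
    fills the buffer still runs count times: a heap overflow."""
    return u32(count * elem_size)


def alloc_size_checked(count: int, elem_size: int) -> Optional[int]:
    """Tests for overflow BEFORE multiplying, as a hardened C routine would
    (count > UINT32_MAX / elem_size); returns None instead of a wrapped size."""
    if count < 0 or elem_size <= 0:
        return None
    if count > MASK32 // elem_size:
        return None
    return count * elem_size
```

Compilers provide the same check as builtins (for example GCC and Clang's __builtin_mul_overflow), and the Python example mirrors that shape: decide on the bound from the type's maximum, not from the result.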

DNS poisoning

An attack that substitutes a false IP address for a name during name resolution so that the computer is automatically redirected to an attacker's device. DNS poisoning can be done in two different locations: the local host table, or the external DNS server. TCP/IP still uses host tables stored on the local computer. When a user enters a symbolic name, TCP/IP first checks the local host table to determine if there is an entry; if no entry exists, then the external DNS system is used. Attackers who can write to the local HOSTS file can create new entries that redirect users to a fraudulent site, and attackers who can insert forged answers into a DNS server's cache can redirect every client that relies on that server.

distributed denial of service (DDoS)

An attack that uses many computers to perform a DoS attack.

DNS amplification attack

An attack that uses publicly accessible and open DNS servers to flood a system with DNS response traffic. The attacker sends many small DNS queries with the source address spoofed to the victim's address, so the servers deliver their much larger responses to the victim; the ratio of response size to query size is the amplification.

cross-site request forgery (XSRF)

An attack that uses the credentials the user's web browser sends automatically, such as session cookies, to impersonate that user. If a user is currently authenticated on a website and is then tricked into loading another webpage, a request that the new page sends to the website inherits the identity and privileges of the victim and can perform an undesired function on the attacker's behalf.
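
An added example (not code from the page) of the standard defense, the synchronizer token pattern: the server issues an unguessable per-session token, embeds it in its own forms, and rejects any state-changing request that arrives with a valid session cookie but without the matching token, which is exactly the shape of the forged request described above. The toy transfer endpoint, request dictionaries, and status codes are constructed for the example.

```python
import hmac
import secrets
from typing import Dict


class BankApp:
    """Toy server for a money-transfer form (constructed for this example).
    A request is a dict: {"cookies": {...}, "form": {...}}."""

    def __init__(self) -> None:
        self.sessions: Dict[str, dict] = {}  # cookie value -> session data

    def login(self, user: str) -> str:
        cookie = secrets.token_urlsafe(32)
        # One unguessable CSRF token per session, kept server-side. An
        # attacker's page can make the browser send the cookie, but cannot
        # read this token, so it cannot put it in the forged form.
        self.sessions[cookie] = {"user": user, "csrf": secrets.token_urlsafe(32)}
        return cookie

    def render_transfer_form(self, cookie: str) -> str:
        """The legitimate form carries the token as a hidden field."""
        session = self.sessions[cookie]
        return (
            '<form method="post" action="/transfer">'
            f'<input type="hidden" name="csrf_token" value="{session["csrf"]}">'
            '<input name="to"><input name="amount"><button>Send</button></form>'
        )

    def transfer(self, request: dict) -> int:
        """Returns an HTTP-style status: 401 no session, 403 token check
        failed (the CSRF case), 200 accepted."""
        session = self.sessions.get(request["cookies"].get("session"))
        if session is None:
            return 401
        presented = request["form"].get("csrf_token", "")
        if not hmac.compare_digest(presented, session["csrf"]):
            return 403
        return 200
```

Modern browsers add a second layer with the SameSite cookie attribute, which stops the cookie from being attached to most cross-site requests in the first place; the token remains the check the server can enforce on its own.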

URL hijacking (typo squatting)

Fake sites that are spelled similarly to actual sites (also called typo squatting). Today most often the user will be directed to a fake look-alike site filled with ads for which the attacker receives money for traffic generated to the site.

clickjacking

Hijacking a mouse click. Clickjacking often relies upon threat actors who craft an invisible IFrame. IFrame (short for inline frame) is an HTML element that allows for embedding another HTML document inside the main document. A transparent or zero-pixel IFrame is virtually invisible to the naked eye, so the attacker can position a button from the targeted site over what the user believes they are clicking, and the click lands on the hidden page while the user is logged in to it.

IP spoofing

Imitating another computer by means of changing the IP address.

MAC spoofing

Imitating another computer by means of changing the MAC address.

domain name resolution

Mapping computer and device names to IP addresses.

Scripting Code

One means of adding dynamic content is for the web server to download a "script" or series of instructions in the form of computer code that commands the browser to perform specific actions. JavaScript is the most popular scripting code. Because JavaScript cannot create separate "stand-alone" applications, the JavaScript instructions are embedded inside HTML documents. Visiting a website that automatically downloads code to run on a local computer can obviously be dangerous: an attacker could write a malicious script and have it downloaded and executed on the user's computer.

Address Resolution Protocol (ARP)

Part of the TCP/IP protocol for determining the MAC address based on the IP address. If the IP address for a device is known but the MAC address is not, the sending computer sends an ARP packet to all computers on the network that in effect says, "If this is your IP address, send me back your MAC address." The computer with that IP address sends back a packet with the MAC address so the packet can be correctly addressed. This IP address and the corresponding MAC address are stored in an ARP cache for future reference. In addition, all other computers that hear the ARP reply also cache that data.

Domain Name System (DNS)

When TCP/IP was developed, the host table concept was expanded to a hierarchical name system for matching computer names

web applications

a web server provides services that are implemented through software applications running on the server.

Add-Ons

add a greater degree of functionality to the entire browser and not just to a single webpage as with a plug-in. In contrast to plug-ins, add-ons can do the following: Create additional web browser toolbars, Change browser menus, Be aware of other tabs open in the same browser process, Process the content of every webpage that is loaded

Plug-Ins

adds new functionality to the web browser so that users can play music, view videos, or display special graphical images within the browser that normally it could not play or display. Technically a plug-in is a third-party binary library that lives outside of the "space" that a browser uses on the computer for processing and serves as the link to external programs that are independent of the browser.

Smurf attack

an attacker broadcasts a network request to multiple computers but changes the address from which the request came (called IP spoofing because it imitates another computer's IP address) to the victim's computer, so it appears that the victim is the one asking for a response. Each of the computers then sends its response to the victim's computer, which is quickly overwhelmed.

zero day attacks

attacks give victims no time—zero days—to defend against the attacks by exploiting previously unknown vulnerabilities.

Extensions

expand the normal capabilities of a web browser for a specific webpage. Most extensions are written in JavaScript so that the browser can support dynamic actions. Because extensions act as part of the browser itself, they generally have wider access privileges than JavaScript running in a webpage.

SYN flood attack

takes advantage of the procedures for initiating a session. Under normal network conditions using TCP/IP, a device contacts a network server with a request that uses a control message, called a synchronize message (SYN), to initialize the connection. The server responds with its own SYN along with an acknowledgment (ACK) that it received the initial request, called a SYN+ACK. The server then waits for a reply ACK from the device indicating that it received the server's SYN. To allow for a slow connection, the server might wait for a period of time for the reply. In a SYN flood attack the attacker sends SYN segments in IP packets to the server but modifies the source address of each packet to computer addresses that do not exist or cannot be reached. The server continues to "hold the line open" and wait for a response (which is never coming) while receiving more false requests and keeping more lines open for responses. After a period of time, the server runs out of resources and can no longer respond to legitimate requests or function properly.
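
An added detection example (not code from the page) that follows the three-way handshake described above through a packet trace: a connection is half-open once the server has answered with SYN+ACK and the client's final ACK never arrives, and a server holding many of those at once is the flood signature. The trace, addresses, and alert threshold are constructed for the example.

```python
from collections import Counter
from typing import Dict, List, Set, Tuple


def build_sample_packets() -> List[str]:
    """Constructed trace (not a real capture): one client that completes
    its handshake, then 100 SYNs from spoofed addresses that never answer
    the server's SYN+ACK. Fields: time src dst flags (S, SA or A)."""
    lines = [
        "1 10.0.0.5 192.0.2.10 S",
        "1 192.0.2.10 10.0.0.5 SA",
        "1 10.0.0.5 192.0.2.10 A",
    ]
    for i in range(1, 101):
        spoofed = f"203.0.113.{i}"
        lines.append(f"2 {spoofed} 192.0.2.10 S")
        lines.append(f"2 192.0.2.10 {spoofed} SA")
    return lines


def parse_packets(lines: List[str]) -> List[Tuple[int, str, str, str]]:
    packets = []
    for line in lines:
        ts, src, dst, flags = line.split()
        packets.append((int(ts), src, dst, flags))
    return packets


def half_open_connections(packets) -> Set[Tuple[str, str]]:
    """(client, server) pairs where the server sent SYN+ACK and the client
    never returned the final ACK: the state a flooded server is holding."""
    state: Dict[Tuple[str, str], str] = {}
    for _ts, src, dst, flags in packets:
        if flags == "S":
            state[(src, dst)] = "syn"
        elif flags == "SA" and (dst, src) in state:
            state[(dst, src)] = "synack"
        elif flags == "A" and (src, dst) in state:
            del state[(src, dst)]  # handshake completed
    return {pair for pair, s in state.items() if s == "synack"}


def detect_syn_flood(packets, threshold: int = 50) -> Dict[str, int]:
    """Servers with at least `threshold` half-open connections. The
    threshold is an assumed tuning value; real detectors also weigh the
    arrival rate and how long entries have been waiting."""
    per_server = Counter(server for _client, server in half_open_connections(packets))
    return {server: n for server, n in per_server.items() if n >= threshold}
```

On the server side the usual mitigation is SYN cookies, which encode the connection state in the server's initial sequence number so that nothing has to be held in the backlog until the final ACK arrives.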

vertical privilege escalation

when a user with a lower privilege uses privilege escalation to grant herself access to functions reserved for higher-privilege users

horizontal privilege escalation

when a user with restricted privileges accesses the different restricted functions of a similar user
