Ascend Education Security+ - Module 1


Hoax

- A virus hoax is an attempt to trick users by circulating a false warning about a new virus and suggesting that users either delete specific files or modify their system configuration.
- The hoax is usually distributed through chain email, asking recipients to forward the hoax mail to others. Attackers may also distribute it through a note in an organization's internal network.

Improperly configured accounts

- Administrators implement account access controls to control where users can log on from and when. They also control what functions users can perform when they access a particular account. Principles such as least privilege need to be strictly followed when configuring accounts.
- Improperly configured accounts are those that have been configured without implementing these principles. Least privilege helps to reduce risks. For example, a person who has read-only access to one or more folders on a server cannot modify or steal any data.
- When the principle of least privilege is not followed, users have access to all data and can perform any function. This can result in data theft, data loss, and data modification.
- Service and application accounts also need to be configured using the principle of least privilege. This prevents attackers from performing administrative functions on a service or application they have compromised. If the attackers gain full administrative privileges, they can disrupt the network.

Consensus

- Attackers exploit the human inclination to purchase a product or service if it has received many favorable reviews. Some people do not realize that not all positive reviews for a particular product or service are genuine.
- Attackers sometimes use this principle for Trojan and hoax attacks.
- Also known as social proof.

Rogue AP

- Attackers use a rogue AP to capture and steal data.
- Unlike a secure AP, which bars access to unauthorized users, a rogue AP permits unauthorized users.

Misconfiguration/weak configuration, Default configuration

- It is important to check for misconfigurations, weak configurations and default configurations and to address them to prevent attacks.
- Misconfigurations or weak configurations can disrupt a network, interfere with email, or cause a server crash. In some cases misconfiguration can result in total network unavailability.
- An attacker can gain unauthorized access to the network, systems and data if the default configuration has not been changed.
- Administrators need to ensure operating systems and applications are hardened or securely configured. Default configurations are not usually secure. Administrators are advised to change default usernames and passwords and create customized configurations at the outset.
- Misconfigurations and default configurations have been discussed earlier in this module.

Resource exhaustion

- Resource exhaustion refers to a situation wherein a computer is overloaded with an abnormally high number of requests per second. This exerts excessive pressure on computer resources. Resource exhaustion occurs as a result of DoS and DDoS attacks. When a computer's resources are exhausted, it will eventually slow down to such an extent that applications or services become unavailable to genuine users. In some cases, resource exhaustion can even cause a system crash.
- DoS and DDoS attacks and resource exhaustion have been discussed earlier in this module.

Vulnerabilities due to End-of-life systems, Embedded systems, Lack of vendor support

- Security professionals and administrators need to be aware of vulnerabilities associated with end-of-life systems and lack of vendor support. Implementing effective policies for sanitization of end-of-life systems is important. Valuable data should be removed from a system once it reaches the end of its life. Systems with sensitive or relevant data on them should not be disposed of.
- Vendors stop supporting some operating systems or applications after a number of years. Microsoft recently announced it will no longer support Windows 7 after January 14, 2020. This means Microsoft will stop releasing regular monthly updates, security patches, and technical updates for Windows 7 from January 15, 2020 onward.
- When a vendor withdraws support for an OS or application, replacing it with a current version is important. Using a no longer supported OS or application poses a security risk, as newly discovered vulnerabilities will not be fixed.
- Operating system and application vendors regularly examine their products for vulnerabilities and exploits and will develop and release patches to resolve security issues. Embedded system vendors, however, do not review security of their products regularly. This is why patches are not regularly released for embedded systems. This makes embedded systems susceptible to attacks. Also, embedded systems are often used with default credentials, enabling attackers to access them and exploit vulnerabilities within these devices.

Improper error handling

- To protect the stability and security of the operating system and to maintain functionality and availability of applications, applications need to have proper error- and exception-handling routines. These routines enable applications to manage errors. Proper error-handling procedures can tackle errors and offer useful feedback to the user. An application can fail if it is unable to catch an error. In some cases, improper error-handling methods can cause an operating system failure.
- Improper error handling can help attackers by revealing debugging information about an application. Attackers can use this to exploit the application. Proper error handling processes ensure the user sees only generic information regarding the error. Detailed information should not be made available to general users because attackers can analyze the information and discern system details.
- Proper error handling techniques provide for detailed information, including debugging data, to be logged. This data can be utilized by developers to identify and solve the issue.

Untrained users

- Untrained users pose a security risk for any organization. Serious attacks can occur just because users don't know about the risks associated with social engineering attacks such as phishing. A user may click a link in a phishing email not knowing it is malicious mail and cause a network infection.
- All organizations ought to conduct effective security training programs for users. They need to be made aware of different types of attacks, the methods attackers employ, and current security trends.

Improper input handling

- When an input is not properly validated, it is known as improper input handling. Proper input handling or validation refers to the technique of checking whether data is valid before it is used. This security issue often occurs with web applications. Improper input validation can leave the door open for attacks, such as cross-site scripting, SQL and command injection, and buffer overflow attacks.
- Developers need to incorporate proper input validation techniques when they write code. Input validation checks include verification of proper characters, rejection of HTML code, blocking the use of certain characters, and checking whether data is within range. Some character sequences are used as escape characters to run commands rather than as normal input.

Dumpster diving

- The practice of rummaging through trash, looking for employee or client names and contact information or classified data in documents that have been tossed out.
- Attackers use personal information for financial fraud, whaling attacks against C-suite executives, and social engineering.

Brute force

A brute force attack is a type of password attack. The attacker tries to guess the password using multiple character combinations. The attack can be online or offline.

Zero Day

A bug or weakness unknown to the public, and even sometimes to antivirus vendors. In a zero-day attack, the attacker exploits a vulnerability that has not yet been documented. Often, OS and antivirus vendors are not aware of zero-day vulnerabilities. When the vendor learns about a vulnerability, it creates a patch to neutralize the threat. The threat continues to be classified as a zero-day vulnerability until the vendor releases the patch.

Disassociation

A disassociation attack is when an attacker manages to disconnect a client from a wireless network. The attacker does this by sending a disassociation frame with a spoofed MAC address of the target to the AP. When the AP receives the frame, it disconnects the victim, causing the victim to authenticate again in order to reconnect.

Hacktivist

A hacktivist is someone who launches an attack to publicize a cause or as an expression of activism. The hacktivist could be a member of an activist group. Hacktivists normally don't carry out these attacks for personal profit.

Rainbow tables

A rainbow table is a large database containing passwords and their computed hashes. In a rainbow table attack, the attackers try to get the password from the hash. Rainbow tables come in different sizes, and the very large ones contain hashes for a slew of character combinations of eight characters and more. The attackers use an application that performs a comparison of the hash of the actual password with hashes stored in the rainbow table. If and when the application finds an identical match for the actual password hash, it identifies the character combination from which the hash was generated. Password salting can help to prevent rainbow table and dictionary attacks. The technique of adding two random characters to a password before it is hashed is known as password salting. The concept is to increase password complexity and produce a hash that differs from what would be generated for the actual password. In this case, the attacker would not be able to discover a password by comparing hashes.

Intrusive vs. non-intrusive

A vulnerability scan is non-intrusive; it does not exploit vulnerabilities. Penetration testing is intrusive because it includes interaction with targets.

Watering-hole attack

A watering-hole attack refers to an attack on a group of users through websites they trust. The attackers first identify websites that a specific group of users frequent and then install malware on those sites with the purpose of infecting visitors' computers and gaining access to the network of the organization where they work, such as a bank or a government department

IV

A wireless Initiation Vector (IV) attack is designed to reveal the pre-shared key from the IV. An IV is a numeric value used by some wireless protocols to encrypt data moving over the network. This encryption method uses an IV in combination with the pre-shared key. An IV attack has a higher chance of success if the same IV is used again by the encryption system. This can happen if the protocol uses a low number of bits. WEP uses a 24-bit number, resulting in the same IV being reused by wireless networks. In some IV attacks, attackers inject additional data packets in order to increase responses from the AP. This makes it likely that a key will be used again. The packet injection method enables attackers to quickly discover a key, often in a minute or less.

Cross-site request forgery

Also known as XSRF or CSRF. An attacker deceives the user into unknowingly performing an action on a website by making them click an HTML link created specifically for this purpose. Such attacks are possible on any website that includes actions via HTML links. The attacker can modify passwords, charge victims' credit cards, and steal money from their accounts. Authentication information can be stored on the user's system in the browser cache or in the form of a cookie. If attackers manage to steal the cookie, they can gain access to the password.

Active reconnaissance

Active reconnaissance involves the use of tools to communicate with a target. The penetration tester sends data packets to target systems and performs an analysis of the replies from these systems. Active reconnaissance can start with a scan of the network or the system. Penetration testers use tools for active reconnaissance, such as network scanners, including Nmap, Nagios, and Nessus, and vulnerability scanners. Legal implications exist because active reconnaissance involves interaction with a target. A penetration tester must obtain authorization before conducting tests that engage targets.

Internal/external

An attacker who is a part of an organization is an insider, or internal attacker. External attackers are not part of the target organization.

Script kiddies

An attacker who tries to launch attacks using existing code or scripts is known as a script kiddie. A script kiddie is a novice among attackers. Though script kiddies are not highly skilled or well-funded, they can occasionally gain access to malicious code and launch serious attacks. Script kiddies launch these attacks because they are tempted to see what their attacks can do or they are simply bored.

Domain hijacking

An incident where the attacker modifies the domain name registration without the domain owner's permission is known as domain hijacking. Attackers resort to domain hijacking in order to capture the domain and prevent the original owner from accessing the website. The attacker first tries to gain access to the email account of the domain owner by observing the owner's comments and behavior on social media. The attacker then uses this information to launch a brute force password attack on the owner's email account. Once unauthorized access to the email account is gained, the attacker resets the password at the site of the domain registrar and changes the ownership of the domain, thereby preventing the owners from accessing their own website.

Improper certificate and key management

An invalid or compromised certificate can lead to security issues. An attacker might spoof a trusted host by means of a MITM attack. To prevent attacks from arising from improper certificate and key management, private keys need to be encrypted and kept confidential. They should never be publicly shared. Certificates holding private keys can be compromised if they are not properly managed. A Certifying Authority (CA) can revoke a certificate if the private key is in the public domain. In such a case, the certificate cannot provide effective security because the private key is no longer private.

Application/service attacks

Application and service attacks are attacks programmed to corrupt an application or service, resulting in the application or service becoming unavailable

DLL injection

Applications normally make use of one or more Dynamic Link Libraries (DLLs). In a DLL injection attack, the attacker injects a DLL into the target system's memory and makes it execute malicious functions. The attacker can assign memory within a running application process, connect the malicious DLL to this memory location, and cause the DLL to execute arbitrary functions.

Insiders

As the name indicates, insiders are part of an organization and have authorized access to the organization's assets. An insider attack could result in resource unavailability, and loss of integrity and confidentiality. Not all employees have the same level of access. Employees with a higher level of access can do more damage.

Identify common misconfigurations

Attackers also exploit misconfigurations. Some vulnerability scanners are capable of identifying misconfigurations that commonly occur. A scanner can compare the system's existing configuration with security and configuration baselines to identify whether any incorrect or unauthorized changes have been made.

Scarcity

Attackers can exploit this tendency to respond to scarcity. The scarcity principle can increase the effectiveness of Trojan and phishing attacks

Impersonation

Attackers can impersonate an authorized person in order to obtain user credentials and private information, which are then used for financial fraud or other malicious purposes.

Shimming

Attackers can use shimming for malicious purposes. If they have advanced coding skills, they can write shims to manipulate drivers and embed malicious code in them. If attackers succeed in making an operating system use a manipulated driver, they can infect the OS and make it execute malicious code

Memory and buffer vulnerabilities

Attackers exploit memory or buffer vulnerabilities to launch application attacks. Applications programmed without incorporating effective memory management techniques can malfunction and cause overflow or a memory leak. A memory leak is a technical flaw in an application, as a result of which the application's memory consumption continues to increase as long as it is in operation. In some cases, an application's memory consumption can be so high that it can make the operating system crash. Often, a memory leak can result from an application failing to release memory that it has reserved for use over a short period of time. An integer overflow attack results from using or inserting a number that is far too big for the application to process. The application then returns incorrect results. An integer overflow attack can also occur if an application programmed to process a positive number receives a negative number instead of a positive one. This type of attack can be avoided if proper input handling and error handling techniques are followed. Integer overflow attacks can be prevented by checking the size of buffers and ensuring they have the capacity to process any information that the applications generate.

Buffer overflow

Attackers exploit vulnerabilities in a computer's memory. When an application works normally, it can access only its buffer. However, when an application receives different input, or input in excess of what it is programmed to receive, it returns an error that opens up access to memory areas beyond the buffer. This gives attackers an opportunity to embed malicious code in the area of memory exposed by the application error. A security incident can occur if a hacker spots the vulnerability caused by the overflow and succeeds in damaging that area of memory with malicious code. A successful buffer overflow attack can result in a DoS attack. Attackers may use the NOP slide or NOP sled command to identify the area where malicious code has been inserted. Once the malicious code is identified, the hacker can make the system execute it. Application developers need to implement security management methods when they write application code to prevent buffer overflow and memory leaks. The practice of validating inputs helps to prevent buffer overflow attacks.

Principles (reasons for effectiveness)

Attackers make use of principles based on human psychology to make their attacks more effective

Use of open-source intelligence

Attackers obtain data from publicly available information that is on social media and company websites. This is known as open-source intelligence.

Persistence

Attackers sometimes prowl around a network for weeks and months without anyone knowing. Occasionally, an attacker may even stay for a year or more. Attackers use a number of methods to enable them to persist within a network. Penetration testers use similar methods to see how long they can persist without being detected. Hackers use the backdoor technique to support persistence.

Familiarity

Attackers sometimes try to develop a relationship with a target before they initiate a shoulder surfing or tailgating attack

Cryptographic attacks

- Birthday
- Known plain text/cipher text
- Rainbow tables
- Dictionary
- Brute force
- Online vs. offline
- Collision
- Downgrade
- Replay
- Weak implementations

Three categories of penetration testing

- Black box testing: no prior knowledge of the environment before launching an attack
- White box testing: tester is fully informed about the environment before launching an attack
- Gray box testing: somewhere in the middle

Bluejacking

Bluejacking is a type of Bluetooth attack. The attacker sends data to Bluetooth devices within range. Usually, the messages from the attacker are composed of text. Occasionally, an attacker may send image or audio messages. Bluejacking is not known to be damaging, but these attacks can disturb or confuse recipients.

Competitors

Competitors usually carry out attacks in order to gain access to confidential information about another organization

DNS poisoning

DNS also matches IP addresses to host names. This is known as reverse lookup. To some extent, reverse lookup can detect whether a system has been compromised with a fake identity. If a reverse lookup is available on the DNS server, it can be used to check whether the IP address on the TCP/IP packets in a conversation is the same as the legitimate name of the system. A difference in names means an attacker has faked the system's identity. DNS poisoning is a DNS service attack whose goal is to alter or distort DNS results. There have been quite a few successful DNS attacks in recent years. If a DNS attack is effective, IP addresses can be modified by the compromised DNS server and users can be directed to malicious websites instead of legitimate websites. One way to prevent DNS poisoning is to use Domain Name System Security Extensions (DNSSEC). DNSSEC can prevent DNS records from being modified.

DoS

A Denial of Service (DoS) attack refers to a service attack launched by a single attack source on a single target. The purpose of a DoS attack is to interrupt a service provided by the target system by applying a very high load on that service or application.

Benefits of Vulnerability Scanners

- Detecting weak passwords
- Identifying default usernames and passwords still in effect
- Finding open ports on servers
- Detecting security controls that are in use or others that may be missing
- Detecting system and security configurations that may lead to exploitation
- Searching for unknown weaknesses or vulnerabilities that may be open for exploitation
- Run with credential or non-credential scanning

DDoS

A Distributed Denial of Service (DDoS) attack is launched by more than one computer on one target. DDoS attackers direct unusually high network traffic toward the compromised computer continuously, pushing resource consumption beyond capacity. When a DDoS attack occurs, the network card, memory, and processor usage is extremely high. As a result, the service becomes inaccessible to end users.

Application/service attacks

- DoS
- DDoS
- Man-in-the-middle
- Buffer overflow
- Injection
- Cross-site scripting
- Cross-site request forgery
- Privilege escalation
- ARP poisoning
- Amplification
- DNS poisoning
- Domain hijacking
- Man-in-the-browser
- Zero day
- Replay
- Pass the hash
- Hijacking and related attacks (Clickjacking, Session hijacking, URL hijacking, Typo squatting)
- Driver manipulation (Shimming, Refactoring)
- MAC spoofing
- IP spoofing

Architecture/design weaknesses

Effective asset management practices help to control vulnerabilities such as architecture and design weaknesses. Asset management in this context includes not just a cost comparison but also an evaluation of the proposed purchase to assess whether it can be integrated into the existing network architecture. All asset purchases should be approved in order to prevent architecture and design weaknesses and security issues from arising from unmanaged assets.

Nation states/APTs

Governments of nation states can also organize groups of hackers to launch attacks on another country's resources. An attack aimed at a particular network is known as an Advanced Persistent Threat (APT). Groups that carry out APTs are normally well-organized and technologically capable. The danger with APTs is that they can persist over a long duration of time, giving the attackers ample time to steal large volumes of data.

Resources/funding

Groups organized by governments, large organized criminal groups, and some competitors have substantial funding and advanced technology. Individual hackers, script kiddies, hacktivists, and small groups usually lack funding.

Symptoms of malware

- A system that suddenly starts rebooting at random
- Running processes that haven't been initiated
- Emails being sent out from a system without the owner's knowledge
- A slow system

Bluesnarfing

In a bluesnarfing attack, the attacker steals or gains access to data from a Bluetooth device. This can be confidential information, such as emails and text messages, lists of contacts, and other private data. Bluesnarfing tools used by attackers include obexftp and hcitool. In order to prevent such attacks, a device should require a user to pair a device manually

Dictionary

In a dictionary attack, the hacker tries various words and character combinations from a list or a dictionary compiled for password attacks. Password dictionaries have been updated over the years and they now include many passwords that uninformed users tend to use. Using complex passwords can protect against dictionary attacks

Downgrade and Weak implementations

In a downgrade attack, the attacker causes a system to downgrade its security controls. The attacker then takes advantage of the system's weak defenses to compromise it further and gain access to confidential data. Downgrade attacks often occur with cryptographic attacks. This is more likely to happen if implementation of cipher suites isn't strong. In most implementations, Transport Layer Security (TLS) has replaced Secure Sockets Layer (SSL) because SSL has vulnerabilities. However, SSL is still installed along with TLS on some servers. Such servers may downgrade a client's security to SSL if the client lacks the capability to use TLS. Attackers can modify a system's configuration and render it unable to use TLS. They then launch SSL attacks. In order to prevent a site from using SSL, users can disable SSL by modifying the server's protocol list. It is best to disable weak cipher suites.

ARP poisoning

In an Address Resolution Protocol (ARP) poisoning attack, the attacker modifies the Media Access Control (MAC) address, creates forged ARP requests and reply packets and uses them to poison the target computer's ARP cache. The target computer unknowingly transmits data packets to the attacker's system instead of the legitimate destination. ARP is vulnerable because it accepts any ARP reply packet, giving hackers the opportunity to forge ARP reply packets and poison the ARP cache of computers. ARP poisoning is used for both MITM and DoS attacks. An MITM attack can cause data packets to be redirected to the hacker. An MITM attacker can also embed malicious code in network traffic. In ARP DoS attacks, an attacker can poison the cache of all the computers with a false MAC address in place of the legitimate IP address of the router connection where traffic moves out of the network. In such a case, all network traffic destined to move out of the network via the default gateway is blocked because ARP poisoning prevents the computers from reaching the default gateway.

IP spoofing

In an IP spoofing attack, the attacker modifies the source IP address in order to make it appear as if the IP packet is from another source

Online vs. offline

In an online attack, the attackers try to guess a password from an online system. They may make repeated attempts to log on using guesswork. Attackers can use automated password cracker tools such as ncrack for online brute force attacks. Account lockout policies help prevent such attacks. An account is automatically locked out if an incorrect password is entered a predefined number of times. In an offline attack, the hackers try to discover the password from captured data or a database. When an endpoint or network is breached, the hackers can download full databases. Once one or more databases have been downloaded, the attackers can try to crack passwords offline. Encryption and using strong passwords can help prevent the success of offline attacks. Passwords should be long and complex, comprising a combination of upper and lowercase letters, numbers, and other characters. It's best to avoid dictionary words.

Initial exploitation

In the initial exploitation phase, vulnerabilities that have been detected during active reconnaissance are put to the test. The purpose of this is to assess how far an attacker can penetrate a system, application or network and which critical processes or assets might be targeted without being detected. This phase is intended to reveal the extent of access an attacker can gain and the impact it can have on the company. For example, a penetration tester will likely use methods employed by hackers to exploit vulnerabilities that have been detected. If authorized, they will have access to the entire system and be able to install additional code as a hacker might do. Normally, the scope of testing will be established at the outset. The pen tester will only proceed as far as the guidelines defined during scoping. For example, a company might not permit simulations of zero-day attacks. This phase would also include documentation of exploitation methods, tactics and procedures employed to gain access to critical targets. The documentation would also include the results of exploits.

False positive

In this context, a false positive is similar to a false alarm. It refers to the identification of a vulnerability when no such vulnerability exists in the system, network, or application. Sometimes, vulnerability scanners can generate such false reports. Other tools, such as antivirus applications and Intrusion Detection Systems (IDS), also occasionally generate false positives. The problem with false positives is that IT administrators or security professionals have to spend time investigating vulnerabilities that don't really exist.

Injection

Injections are aimed at web applications. In an injection attack, the attacker injects unauthorized input into a program. This can happen if input validation is not thorough. This unauthorized input is processed as a query or command and can modify the way a program works. Injection attacks can cause serious harm, including denial of service, data loss, loss of integrity of data, and data theft. They can even compromise the entire system. Using reliable vulnerability scanning tools to identify vulnerabilities in web applications can help protect against injection attacks.

Level of sophistication

Levels of sophistication vary among threat actors. Some organized criminal groups and attackers who launch APTs are considerably sophisticated whereas smaller groups are often less advanced. Script kiddies normally lack capability and sophistication.

Pass the hash

MD5 Online, that hackers can use to launch hash attacks. The hacker discovers the hashed password and uses it to access the user's system. This is why a hash should not be transmitted over a network in unencrypted form. Pass the hash attacks tend to occur with some older security protocols such as Microsoft NT LAN Manager (NTLM) and LAN Manager (LM). To prevent pass the hash attacks, Kerberos or NTLMv2 is recommended. It is prudent to define Group Policy settings as per Microsoft's recommendation that clients should be configured to use only NTLMv2 for responses and authenticating servers should be configured not to accept the use of LM or NTLM.

Man-in-the-Middle

A Man-in-the-Middle (MITM) attack is an act of snooping or interception. In an MITM attack, the attacker positions a compromised system between two computers communicating on a network. The MITM system can intercept traffic, insert malware, and forward it to both computers.

NFC

Mobile devices use Near Field Communications (NFC) to connect with other mobile gadgets when they are nearby. In an NFC attack, the attacker intercepts data in transit between two NFC devices. The attacker uses an NFC reader to seize the data

MAC spoofing

Network hosts are each assigned a MAC address, which is embedded in the Network Interface Card (NIC). In a MAC spoofing attack, attackers modify the source MAC address in order to impersonate a user or system. They use software techniques to connect another MAC address to the NIC.

New threats/zero day

New threats, such as zero-day attacks, are vulnerabilities that have not yet been documented. Attackers look for zero-day vulnerabilities in order to exploit them before the vendor releases a patch to resolve the issue. Zero-day attacks have been discussed earlier in this module.

Weak cipher suites and implementations

Normally, old and weak cipher suites are disabled by default. Some old cipher suites use the Deprecated Encryption Algorithm (DES). Leaving deprecated and weak algorithms enabled on servers renders them vulnerable to downgrade attacks. Administrators need to ensure old and weak cipher suites are disabled on servers. Developers need to be aware of different cryptographic algorithms and avoid using weak and deprecated encryption algorithms such as DES. They should also be familiar with different modes of operation and not use those that have weaknesses. Weak implementations and downgrade attacks have been discussed earlier in this module.

Organized crime

Organized groups of cyber attackers can vary in size and capability. Symantec had exposed a well-organized criminal group, named Butterfly, that was involved in corporate espionage. They had successfully exfiltrated sensitive data from several corporates. The prime motive of organized groups of hackers is greed. They sell stolen information to whoever pays the highest amount.

Passive reconnaissance

Passive reconnaissance is the process of gathering data from information available in the public domain, such as company websites, social media and mainstream media. This is also known as open-source intelligence. Another source of information could be the company's wireless networks. Passive reconnaissance does not include exploits and is not against the law. Passive reconnaissance does not include communication with targets. It could include data collection from non-target systems also.

Black box, White box, and Gray box

Penetration testing can be classified based on how much information about the environment the ethical hackers have. Based on this classification, the three types of testing are black-box, white-box, and gray-box. In black-box testing, pen testers have no knowledge of the environment before they begin the testing process. This is the same situation many attackers are in before they launch an attack. Black-box testers use certain techniques, including fuzzing, to discover vulnerabilities. In white-box testing, an ethical hacker is fully informed about the environment prior to testing. Information that a white-box tester would have can include source code, application and network details, and account access details. In gray-box testing, pen testers have some information about the network, hosts, and applications prior to testing.

Authority

People are inclined to do what someone in a position of authority says they should. Attackers use this principle of authority when they launch vishing, whaling and impersonation attacks

Penetration testing

Phases of Ethical Hacking: 1. Reconnaissance 2. Initial Exploitation 3. Persistence 4. Escalate Privileges. Note: This type of work requires "constantly assessing the situation and making decisions based on those assessments."

Social engineering

Phishing, Spear phishing, Whaling, Vishing, Tailgating, Impersonation, Dumpster diving, Shoulder surfing, Hoax, Watering hole attack. Principles (reasons for effectiveness): Authority, Intimidation, Consensus, Scarcity, Familiarity, Trust, Urgency

Known plain text/cipher text

Plain text is data readable by humans. Cipher text is data scrambled by an encryption algorithm. Hackers can launch a known plain text attack if they have access to both the plain text message and the encrypted data or cipher text. They can examine both messages and try to detect the method of encryption and decryption. In a chosen plain text attack, attackers can choose plain text at random and see the encrypted version. The purpose of a chosen plain text attack is to obtain more information about the encryption method in order to compromise the security of the method used. In a known plain text attack, the attackers just need to capture both versions of the message. However, to succeed in a chosen plain text attack, the attackers need to have either direct or indirect access to the encryption algorithm. In a cipher-text-only attack, the attackers have only encrypted versions of messages, not the plain text messages. Unless the encryption algorithm is weak, it is unlikely a cipher-text-only attack will be successful. To prevent such attacks, users should not use old and weak algorithms.

Pointer dereference

Pointers are used by some programming languages such as Pascal, C, and C++. The function of pointers is to store a reference. They are also called references. Pointer dereferencing is used to reduce memory consumption. It is a process by which a pointer or reference is used to access data in the memory location pointed to by the pointer. Attackers use it to manipulate data. Unsuccessful dereferencing can corrupt memory or make an application inaccessible. Dereferencing can fail due to a coding error causing a pointer to point to data or a value that doesn't exist.

Race conditions

Race conditions can result from a programming error. A race condition refers to a conflict occurring when a number of applications or modules of an application try to access the same resource simultaneously. Experienced application developers know about race conditions and include measures, such as procedures to control concurrency, when writing application code. However, new developers sometimes don't know about race conditions or forget to incorporate processes to avoid them when they write code.

RFID

Radio-frequency Identification (RFID) systems use RFID tags to manage assets, including inventory and livestock. In an RFID attack, an attacker can eavesdrop and also perform a replay attack. The attacker uses a receiver that has the same frequency as the RFID system. Attackers can also interfere with transmission by transmitting noise if they know the frequency of the RFID system.

Refactoring

Refactoring refers to the technique of rewriting the internal working of a program without altering its external output. Developers normally refactor code in order to address software design issues. It is sometimes used to manipulate drivers.

RAT

Remote Access Trojan. Programmed to give hackers remote access to a system and enable them to control it and install other malicious software onto it. Usually distributed through drive-by downloads. Can log keystrokes, passwords, usernames, email messages, and other confidential data and pass it on to hackers. Can also enable attackers to perform network scans using the legitimate user's credentials and detect vulnerabilities, which they then exploit to infect the larger network.

Wireless attacks

Replay, IV, Evil twin, Rogue AP, Jamming, WPS, Bluejacking, Bluesnarfing, RFID, NFC, Disassociation

Replay

Replay attacks have been discussed earlier in this module. To sum up, applications should be developed using secure coding concepts. This helps prevent application attacks. Understanding the importance of creating and deploying applications using secure practices is crucial for developers

Shoulder surfing

Shoulder surfing is peering over someone's shoulder to furtively obtain confidential information, such as a password, PIN, or other user credentials

System sprawl/undocumented assets

System sprawl refers to a situation where an organization has systems in excess of what it requires and some systems are not fully utilized. All computers in an organization need to be recorded in the asset management tracking system. Effective asset management policies can help to prevent system sprawl and undocumented assets.

Penetration testing vs. vulnerability scanning

Testing includes both invasive, or intrusive, and non-invasive, or non-intrusive, methods. Intrusive methods can interrupt production operations and result in system and data unavailability. However, non-invasive testing, such as vulnerability scanning, will not compromise hosts or the network and will not disrupt operations. Penetration testing is intrusive whereas vulnerability scanning is non-intrusive. As discussed earlier, penetration testing includes exploits and can potentially interrupt operations and even crash a system.

Birthday and Collision

The birthday attack takes its name from the birthday paradox in probability theory. According to the birthday paradox, it's 50% likely that two people in a random group of 23 people will have the same birthday in any year. In this type of attack, the attacker creates a password that generates a hash identical to that of the user's password. This is also called a hash collision. It happens when a hashing algorithm produces the same hash for different passwords. For example, 'pickle' and 'chutney' could have the same hash. To prevent birthday attacks, a hashing algorithm using many bits, such as SHA-3, which uses 512 bits, is advisable. The MD5 algorithm uses only 128 bits and is vulnerable to birthday attacks.

Escalation of privilege

The goal of the pen tester during this phase is to assess whether the target application or system has vulnerabilities that enable a user to escalate roles and privileges. If a user is able to modify those privileges, an attacker would be able to launch a privilege escalation attack. Testers may begin with user-level access and use tools and techniques to test the possibility for a user to gain access to functions they are not permitted to perform. Ethical hackers often employ tactics attackers are known to use. The extent to which a penetration tester can go depends on the scope of the test and authorization.

Vulnerability Scanning Concepts

The purpose of a vulnerability scan is to examine systems, applications, and networks, and to detect weaknesses and documented security issues that can be exploited by hackers. Vulnerability scanners normally offer multiple functions, such as identification of vulnerabilities, identification of misconfigurations, passive testing of security controls, and identification of lack of security controls.

Pivot

The technique of using a compromised host to attack other systems on the network is known as pivoting. Penetration testers can obtain information about other hosts on the network from the compromised system. They can collect data and transfer it out of the network from the exploited system.

URL hijacking and Typo squatting

This attack involves the purchase of a domain name almost identical to a legitimate domain name. The goal of the attacker is to mislead users into visiting a malicious website instead of the genuine site. Users may miss the slight difference in spelling and accidentally go to the malicious site. An attacker may buy a similar domain name in order to get visitors to unknowingly download malicious software, profit handsomely from reselling the domain name to the owner of the legitimate site, or earn revenues from pay-per-click advertisements.

Intent/motivation

Threat actors can be driven by different motives. With script kiddies, the reason may be boredom, curiosity, or the desire to see what they are capable of. Hacktivists act for a cause or for a movement. Organized criminals are driven by greed.

Types of Malware

Viruses, Crypto-malware, Ransomware, Worm, Trojan, Rootkit, Keylogger, Adware, Spyware, Bots, RAT, Logic bomb, Backdoor

Identify lack of security controls

Vulnerability scanners are designed to detect whether required security controls are missing. For example, a scanner can identify whether a system is protected by antivirus software or whether the latest patches have been installed.

Credentialed vs. non-credentialed

Vulnerability scanners can run both credentialed and non-credentialed scans. A credentialed scan runs using account credentials whereas a non-credentialed scan runs without user credentials. Attackers scan systems to detect weaknesses they can exploit. These scans are usually non-credentialed because attackers normally do not have access to user credentials of hosts on an internal network. A credentialed scan run with administrator credentials can probe deeper, perform a thorough scan, and identify deep-rooted security issues. Therefore, credentialed scans are more comprehensive, generate few false positives, and produce the most accurate results. Though attackers initially do not have access to user credentials and run non-credentialed scans to begin with, they employ different techniques to gain higher permissions and can perform a credentialed scan on a network if they succeed in obtaining unauthorized administrator access. Security personnel and administrators also run non-credentialed scans to be aware of what attackers can see when they run a non-credentialed scan.

Identify vulnerability

Vulnerability scanners detect known vulnerabilities. These tools use a database of documented weaknesses and recognize threats based on this database. There are a number of vulnerability standards, including the MITRE Corporation's Common Vulnerabilities and Exposures (CVE) list and the National Vulnerability Database (NVD) used by Security Content Automation Protocol (SCAP). The CVE is supported by the U.S. Government. Scanners can detect vulnerabilities including weak passwords, open ports, unusual traffic patterns pertaining to confidential data, and default passwords. Most scanners have a password cracker that can identify weak passwords. Network components, operating systems and applications often have factory or vendor default usernames and passwords. These should be changed on first access because attackers can exploit default credentials to gain unauthorized access to systems, applications, or the network. A vulnerability scanner can identify default usernames and passwords. Open ports on a server can make it susceptible to attacks. For example, if port 23, which is used by Telnet, is left open, an attacker might use it to access the server. Vulnerability scanners are capable of detecting open ports. Some vulnerability scanners also use Data Loss Prevention (DLP) methods to identify traffic patterns relating to proprietary or other sensitive information.

Passively test security controls

Vulnerability scanning is a passive testing process. A vulnerability scan only detects weaknesses; it does not exploit them. Hence, a vulnerability scan does not disrupt operations.

Vulnerable business processes

Vulnerable business processes are those processes supporting essential functions for a business to fulfill its objective. For example, online ecommerce businesses will lose business if customers are unable to see products online, choose a product, key in their details, including credit or debit card information, and finalize their purchase. If this occurs frequently, the business will lose customers. If vulnerable business processes are inaccessible over a length of time, the company could find it difficult to remain in business. It is necessary for an organization to develop and document a Business Impact Analysis (BIA), which determines core functions for the business. No company should wait until a crisis occurs to perform a BIA. Dependencies pertaining to business-critical operations, different incidents that can affect these functions, maximum downtime for these operations, and the financial impact of downtime should be outlined in the BIA. Attacks on vulnerable business processes can have serious consequences for companies. An organization would incur enormous costs if an attacker gained access to the company's database containing confidential customer data, including financial information. An attack on Target saw the company lose business and customers as well as suffer a significant reduction in profit compared to the previous year.

Session hijacking

When logging onto a site, a cookie, which is a file with a session ID, may be automatically stored on a system for users' convenience the next time they visit. The cookie will remain active as long as users are logged in. However, attackers can take advantage of this by using the session ID to impersonate the users. Attackers are able to do this because a web server identifies a user based on only the session ID. A web server cannot distinguish between a legitimate user and an impersonator if the same session ID is used. Once the session IDs are known, an attacker can embed them in the HTTP header and transmit them to the website. If the legitimate users are logged on using these session IDs the next time they visit, the hijacker gains access to the users' account

Tailgating

When one person follows another into a secured area, with only the first person displaying access credentials, the second person is tailgating

Urgency

When something is urgent, people act immediately. This principle is employed by attackers during ransomware, hoax, whaling, phishing, and vishing attacks.

Cross-site scripting

A common injection attack, AKA XSS. These attacks can enable an attacker to impersonate the user, modify the application, and execute arbitrary JavaScript in the target's web browser. In this type of injection attack, the attacker injects a malicious script, often in JavaScript, into a web application or website.

Evil Twin

a compromised wireless AP that bears the same SSID as a genuine AP. When a user unknowingly connects to an evil twin, traffic passes through the evil twin, not the actual AP. Attackers seize data packets from this connection and examine the data to see if it contains any confidential data, such as passwords which can be used for malicious purposes. Users can carry out site surveys using wireless scanners to identify rogue access points.

Logic bomb

A malicious program that embeds in a script, code, or file and is designed to execute when a specific event occurs. Like a time bomb, a logic bomb might be activated on a certain date or time. Another event that can trigger a logic bomb is user action: it will execute when a user runs a particular application.

Penetration testing

also called ethical hacking or pen testing, examines a web application, system, or network for weaknesses that hackers might exploit. This practice tests the strength and adequacy of security controls deployed in applications, computers, or networks. Ethical hacking employs both active and passive reconnaissance methods of testing

Man-in-the-browser

An attacker employs a proxy Trojan to compromise a web browser that has vulnerabilities. If the attack is successful, the attacker can seize information from a browser session, including keystrokes. This enables the attacker to access confidential data such as users' log on credentials for their bank accounts. Once attackers obtain unauthorized access to the users' bank accounts, they can transfer money to other accounts.

Intimidation

an attacker may intimidate the target into performing an action. Attackers often resort to impersonation to make their intimidation tactics work. Intimidation can be effective in vishing and impersonation attacks

Trust

another principle attackers use to dupe victims, particularly in vishing attacks

Replay

Replay attacks have been discussed earlier in this module. Some protocols, including WPA with TKIP, are susceptible to replay attacks. WPA using AES and CCMP is not susceptible to these attacks.

Spear phishing

Attacks that are aimed at specific groups, including employees of an organization or customers of a certain company; occasionally aims at a particular individual. Spear phishing attackers are known to pose as senior executives of a company and send emails to employees asking for user credentials and other confidential data. To protect against attacks, many companies now require electronic messages from the CEO and other personnel to be digitally signed.

Replay

Can be launched on wired and wireless networks. The hacker intercepts authentication credentials of the clients in that session. During a replay attack, the attacker tries to impersonate one of the legitimate clients from the captured session. Replay attacks can be prevented by using protocols that have sequence numbers and timestamps. One such protocol is Kerberos.

Clickjacking

In a clickjacking attack, the attacker tricks users into clicking a link other than what they intend to click. Attackers normally use HTML frames because frames make it possible for a web page to show another page within a frame or iframe. Web developers are aware of this, and they come up with new techniques to thwart clickjacking attacks. An effective method of protecting against these attacks is to break frames or make them unworkable so that attackers are not able to display another web page on their page.

Driver manipulation

developers can write code that can be run in place of the driver. This is called a driver shim and the process of running the shim is called shimming. Developers create shims to provide a solution to incompatibility issues between older drivers and new operating systems

Amplification

Employs the DDoS approach. In this type of attack, traffic to and from the target computer is increased to a very high extent. The target system could be a single host computer as well as DNS and NTP servers. The attacker targets a computer, spoofs its IP address, and sends DNS requests to DNS servers using the spoofed IP address. This kind of attack asks the target DNS servers to send much more data than normal. The attack can be launched from multiple sources at the same time. As a result, the target computer is flooded with requests, leading to capacity exhaustion. Reflection attack: in a Network Time Protocol (NTP) attack, a publicly accessible NTP server is exploited by the attacker. The attacker sends an unusually high volume of User Datagram Protocol (UDP) traffic to a target network or server. The UDP packets bearing a spoofed IP address are sent to an NTP server that has the monlist command enabled. The NTP server then sends responses to the spoofed IP address, thereby flooding the target computer and overburdening the network. This results in a denial of service.

Pen testing

enables organizations to implement robust security policies

Backdoor

Enables unauthorized access to a system from a remote location. Backdoors are designed to circumvent legitimate authentication procedures. Developers code backdoors in order to access the system for maintenance reasons. Hackers scan applications, looking for vulnerabilities such as backdoors, which they can use to gain unauthorized access. A company's user account administration policy must include robust measures to pre-empt ex-personnel from creating backdoors for themselves.

Bots

Independent programs operating on the Internet. Software robots operating on the Internet include chatroom bots, web crawlers, and malicious bots. Web crawlers are bots that scour the Internet looking for web pages. Search engines, including Google, rely on bots. Some bots are programmed to run without user action; others can perform specific actions only when they receive information from another source. Attackers use botnets to control computers and launch Distributed Denial of Service (DDoS) attacks, to install spyware, to install other malicious programs, to collect data without the user's consent, and to distribute spam. Botnet refers to a group of robots that operate together on a network. Attackers use Trojans to infect devices and control them. They organize these devices, or zombies, into a network and use servers, also known as masters of the zombie network, to control these botnets. Computers intercepted by these attackers carry out instructions received from the servers. The biggest DDoS attacks - carried by botnets: 3ve; Mirai (malware that infects Internet devices, such as home routers and digital cameras running outdated versions of Linux, and converts them into bots; devices that still carry the factory default name and password are vulnerable because Mirai can access them; in 2016, attackers made the Mirai source code public); Methbot; Grum; Mariposa.

Adware

Initially intended to observe users' online activity in order to send them advertising banners matching their behavior. Some attackers use adware to spy on users. Companies and internet marketers use analytics to keep track of a user's behavior on the web and network, and post targeted advertisements based on those analytics. Free software often comes with baggage such as advertisements. Users know that advertisements will be displayed if they download a free application. The user has the option of downloading the free software or paying for an ad-free version.

Ransomware

Is designed to hold users at ransom by locking them out of their systems or data files and demanding a ransom be paid to an anonymous online source to restore access to the data or system. Often distributed via phishing emails or drive-by downloads from compromised websites. AKA cryptoviral extortion. Some ransomware even threaten to publish confidential data of individuals and organizations. Doxing: a recent development in the ransomware category. Attackers blackmail the victim by threatening to publish valuable and confidential data, along with credentials, if the individual or organization doesn't pay the ransom.

Viruses

Malicious program designed to attach itself to host files and programs. A virus cannot execute an application on its own; it is activated when a user executes an infected application. Replicates by inserting code into legitimate applications. A virus can delete or distort a file, disable an operating system, connect a device to a botnet, make a system reboot at random, modify applications, and activate backdoors for hackers to exploit. Some viruses replicate first and then do damage. Polymorphic viruses: some viruses are programmed to modify their own code in order to avoid being detected by antivirus software.

Spyware

Malicious software designed to spy on users. Attackers install spyware on users' computers without their knowledge and collect information about them. The information can be sent to other hackers. If confidential information is recorded, the users suffer a breach of privacy. Can modify systems to the extent of slowing them down. Capturing financial information can do serious damage: cybercriminals can use the users' credentials to access bank accounts and steal money. Attackers often use other malware such as Trojans or drive-by downloads to deliver spyware. A visit to a compromised website can result in spyware being downloaded on a system without consent.

Worm

Malicious software that can replicate by itself and traverse the entire network independently. Doesn't need a host file or program or user action. Embeds in memory and moves across the network using different protocols. Worms are bandwidth guzzlers: they have a high replication rate and can infect all systems on a network. Affects network performance and can slow down a network to a major extent.

Trojan

Malware designed to deceive users into thinking it is useful or entertaining to encourage the mistake of downloading it. Often spread through compromised websites: hackers intercept websites and embed Trojans, infecting the system of any user who visits such a website. An email link is a common method attackers use to deceive users into visiting harmful websites. Drive-by download: method by which an infected website can download and install a Trojan on a website visitor's system. AKA Rogueware: attackers make it look like a free antivirus program and try to trick unsuspecting users into downloading it. Some are programmed to enable attackers to control the user's system. Some are embedded with Trojans that can corrupt a browser and force users to compromised websites. AKA scareware: appears as a pop-up or a message on some websites; visitors may come across a message saying their system is infected, encouraging them to download and install a free antivirus program offered by the site.

Penetration testers

Need to define the extent of a test and conduct it at an appropriate time to avoid interfering with business operations or causing system unavailability or damage. The management and all concerned employees need to be informed about a test in advance. Some tests are executed on test systems instead of live systems.

Vishing

Phishing attack delivered over the phone, using VoIP technology. The goal of vishing attackers is to obtain financial and other personal information. Attackers prefer VoIP technology because they can fake caller ID and deceive people into thinking the call is from a legitimate organization. Partly or fully automated.

Rootkit

Programmed to conceal malware infection from antivirus software. Usually comprises a number of programs that are designed to work together to modify system files and processes, and even prevent administrative users from accessing the system. Antivirus scans can fail to detect infection if a rootkit effectively hides OS processes. Rootkits are programmed to work at the root- or kernel-level of the system. They employ hooks, or programs designed to intercept system calls, to modify system functions. Rootkit attackers can control a system and instruct it to join other computers on the Internet and send confidential data to those computers. Rootkit infection can be detected by antivirus applications that have the ability to scan RAM and identify hooks installed in memory.

Privilege escalation

The purpose of a privilege escalation attack is to gain higher rights and permissions. Privilege escalation attacks can be prevented by implementing a security policy that requires administrators to use an account with administrator privileges as well as one with standard user privileges.

Crypto-malware

ransomware that is coded to encrypt a user's data

Penetration testers

reveal and document vulnerabilities within applications, systems, and networks to make an organization aware of security threats. This enables the company to assess the likely impact of each threat

Keylogger

Software or hardware designed to collect and log a user's keystrokes. Usually software programmed to capture keystrokes and file them. Attackers may have the file sent to them automatically or they may steal it manually.

Whaling

Spear phishing targeted at top management executives. Another purpose of whaling is to mislead a high-profile executive into transferring funds to the attacker's account.

Jamming

The attacker deliberately disturbs wireless transmissions by transmitting high-range radio signals. This interferes with communication and can disrupt performance. A type of DoS attack. The attacker occupies the wireless network and prevents other nodes from communicating on the network. Users experience frequent disconnections and have to make repeated attempts to reconnect. Countermeasures include using other wireless channels that are available on that wireless standard. If excessive noise is on one channel, it is best to switch to another channel. Another way to counteract jamming attacks is to raise the power level of the access point.

Phishing

Type of email attack. Purpose: to con users into clicking on a link to a malicious website or disclosing credentials and other private information. Emails are made to resemble email messages from legitimate senders (i.e. banks, widely-used online payment systems, or popular ecommerce sites). A common phishing email asks recipients to click on a link. Attackers also impersonate co-employees and friends, and send emails with sender names identical to friends' or colleagues'. To avoid being tricked into clicking on a link to a compromised website and unintentionally downloading malware, users should always look closely at the email address before opening it: the email address will be slightly different from that of a genuine colleague or friend. Distributed wholesale.

WPS

Vulnerable to brute force attacks. In a WPS attack, attackers try to discover the PIN using a PIN discovery tool. Once the attackers know the PIN, they can discover the passphrase for WPA and WPA2 networks.

