Comptia SY0-501 - 1.0 Threats, Attacks and Vulnerabilities
A mathematical and cryptographic term for a random number used to increase security by reducing predictability and repeatability.
Initialization Vector (IV)
is any exploitation that allows an attacker to submit code to a target system in order to modify its operations and/or poison and corrupt its data set.
Injection
Gathers information about users and uses it to direct advertisements to the user.
Adware
An attack in which the amount of work or traffic generated by an attacker is multiplied in order to cause a significant volume of traffic to be delivered to the primary victim.
Amplification
is collecting information about a target through interactive means. By directly interacting with a target, a person can quickly collect accurate and detailed information, but at the expense of potentially being identified as an attacker rather than just an innocent, benign, random visitor.
Active Reconnaissance
is an effective technique because most people are likely to respond to authority with obedience. The trick is to convince the target that the attacker is someone with valid ______.
Authority
Software code that gives access to a program or a service that circumvents normal security protections.
Backdoor
involves sending messages to Bluetooth-capable devices without the permission of the owner/user. These messages often appear on a device's screen automatically.
Bluejacking
is the unauthorized access of data via a Bluetooth connection.
Bluesnarfing Attack
a network of robots or malicious software agents controlled by a hacker in order to launch massive attacks against targets.
Botnets
attack occurs when an attacker submits data to a process that is larger than the input variable is able to contain. Unless the program is properly coded to handle excess input, the extra data is dropped into the system's execution stack and may execute as a fully privileged operation.
Buffer Overflow
is a web page-based attack that causes a user's click to link someplace other than the user intended. This is often accomplished by using hidden or invisible overlays, frame sets, or image maps. When a user sees such an item or link and then clicks, the click is intercepted by the invisible or hidden layer, and thus the request is for something other than what the user actually intended.
Clickjacking
is the act of taking advantage of a person's natural tendency to mimic what others are doing or are perceived as having done in the past. For example, bartenders often seed their tip jar with money to make it seem as if previous patrons were appreciative of the service.
Consensus / Social proof
The attack is focused on the visiting user's web browser more than the website being visited. It tricks the user or the user's browser into performing actions they had not intended or would not have authorized. This could include logging out of a session, uploading a site cookie, changing account information, downloading account details, or making a purchase.
Cross-site request forgery (XSRF)
in a penetration test or a real-world malicious attack is the event that grants the attacker/tester access to the system. It is the first successful breach of the organization's security infrastructure that grants the attacker/tester some level of command control or remote access to the target.
Initial Exploitation
Most failures of modern cryptography systems are due to poor or ______.
Weak Implementations
Denial of service attack committed using dozens of computers, usually zombies on a botnet.
DDoS
Where DNS lookups have been manipulated by a hacker to point websites to the wrong address. For example, the DNS record for "www.google.com" could be "poisoned" with the address of a malicious site set up by the hacker.
DNS poisoning
is a form of attack that has the primary goal of preventing the victimized system from performing legitimate activity or responding to legitimate traffic.
Denial of service (DoS)
is one of the many types of wireless management frames. It can be used in several forms of wireless attacks, including the following: an attacker sending repeated frames to a client, a session hijack, or a man-in-the-middle attack.
Disassociation
is the malicious action of changing the registration of a domain name without the authorization of the valid owner. This may be accomplished by stealing the owner's logon credentials; using XSRF, session hijacking, or MitM; or exploiting a flaw in the domain registrar's systems.
Domain hijacking
attempts to prevent a client from successfully negotiating robust high-grade encryption with a server. This attack may be performed using a real-time traffic manipulation technique or through a man-in-the-middle attack.
Downgrade Attack
Some forms of malicious code or attacker intrusions will take advantage of a form of software manipulation known as ______.
Driver Manipulation
is the act of digging through trash, discarded equipment, or abandoned locations in order to obtain information about a target organization or individual. Although discovering confidential documentation or secret information would be a welcomed bonus to attackers, they are looking for more mundane documentation.
Dumpster Diving
is any attack or exploit that grants the attacker greater privileges, permissions, or access than may have been achieved by the initial exploitation or that a legitimate user was assigned.
Escalation of Privilege
is the transmission of radio signals to prevent reliable communications by decreasing the effective signal-to-noise ratio.
Jamming
a form of malware that records the keystrokes typed into a system's keyboard.
Keylogger
is a form of malicious code that remains dormant until a triggering event occurs. The triggering event can be a specific time and date, the launching of a specific program, or the accessing of a specific URL.
Logic Bomb
is any form of cyberattack that is able to continually exploit a target over a considerable period of time. Often takes advantage of unknown flaws (that is, not publicly known) and tries to maintain stealth throughout the attack.
Nation States/Advanced Persistent Threat(APT)
is a standard that establishes radio communications between devices in close proximity. It lets you perform a type of automatic synchronization and association between devices by touching them together or bringing them within inches of each other.
Near field communication (NFC)
is the gathering of information from any publicly available resource. This includes websites, social networks, discussion forums, file services, public databases, and other online sources. It also includes non-Internet sources, such as libraries and periodicals.
Open-source intelligence
is involved in cybercrime activities because it is yet another area of exploitation that may allow criminals to gain access, power, or money.
Organized crime
is a form of social engineering attack focused on stealing credentials or identity information from any potential target. It is based on the concept of fishing for information.
Phishing
Social engineering works so well because we're human. The principles of social engineering attacks are designed to focus on various aspects of human nature and take advantage of them. Although not every target succumbs to every attack, most of us are vulnerable to one or more of the following common social engineering principles.
Principles (Reasons for Effectiveness)
occurs when a user is able to obtain greater permissions, access, or privileges than they're assigned by an organization.
Privilege escalation
is a tracking technology based on the ability to power a radio transmitter using current generated in an antenna when placed in a magnetic field.
RFID (Radio Frequency Identification)
An attack on a password that uses a large pre-generated data set of hashes from nearly every possible password. It takes advantage of a concept known as a hash chain.
Rainbow Tables
a form of malware that aims to take over a computer system in order to block its use while demanding payment.
Ransomware
is a restricting or reorganizing of software code without changing its externally perceived behavior or produced results.
Refactoring
This form of DRDoS uses ICMP echo reply packets (ping packets). The attacker sends ICMP Type 8 echo request packets to several intermediary networks' broadcast addresses with the source IP address set to the primary victim. This causes multiple ICMP Type 0 replies to be sent to the victim.
Smurf
is a form of attack that exploits human nature and human behavior.
Social engineering
is a more targeted form of phishing where the message is crafted and directed specifically to a group of individuals, rather than being just a blind broadcast to anyone. Often, attackers will first compromise an online or digital business in order to steal their customer database. Then, false messages are crafted to seem like a communication from the compromised business, but with falsified source addresses and incorrect URLs. The hope of the attack is that someone who already has an online/digital relationship with an organization is more likely to fall for the false communication.
Spear phishing
Gathers information about users and may employ that information to customize advertisements or steal identities.
Spyware
First phase is to observe the target's habits. Second phase is to plant malware on watering hole systems. Third phase is to wait for members of the target to revisit the poisoned watering hole and then bring the infection back into the group.
Three phases of Watering Hole Attack
a form of malicious software that is disguised as something useful or legitimate
Trojan Horses
a social engineering principle involves an attacker working to develop a relationship with a victim. This may take seconds or months, but eventually the attacker attempts to use the value of the relationship to convince the victim to reveal information or perform an action that violates company security.
Trust
designed to try every possible valid combination of characters to create possible passwords, starting with single characters and adding characters as it churns through the process, in an attempt to discover the specific passwords used by user accounts. Such attacks are always successful, given enough time.
brute force
A brute-force attack consists of an attacker submitting many passwords or passphrases with the hope of eventually guessing correctly. In probability theory, the birthday paradox or birthday problem considers the probability that, in a set of n randomly chosen people, some pair of them will share the same birthday.
brute force or birthday attack
Companies in the same industry that sell similar products or services to customers. Although it is widely known that such actions are illegal, many organizations still elect to perform corporate espionage and sabotage against their competition.
competitors
performs password guessing by using a preexisting list of possible passwords. Password lists can include millions of possible passwords.
dictionary attack
is someone who uses their hacking skills for a cause or purpose. Commits criminal activities to further their cause.
hacktivist
The main defense against these wireless attacks is to operate a wireless ______.
IDS (Intrusion Detection System)
is the person or entity who is responsible for causing or controlling any security-violating incidents experienced by an organization or individual.
threat actor
is the act of falsifying data. Usually the falsification involves changing the source address of network packets. As a result of the changed source address, victims are unable to locate the true attackers or initiators of a communication.
IP Spoofing
Many vulnerability scanners can determine whether or not you have improper, poor, or misconfigured systems and protections. If a vulnerability scanner is able to detect this issue, so can an attacker. Be sure to correct any discovered misconfigurations immediately.
Identify Common Misconfigurations
identify any necessary or best-practice security controls that are not present in the evaluated target. Such a report may indicate that updates and patches are not applied or that a specific security mechanism is not present, such as encryption, antivirus scanning, a firewall, and so on.
Identify Lack of Security Controls
to inform you of any potential weaknesses or attack points on your network
Identify Vulnerability
is the act of taking on the identity of someone else. This can take place in person, over the phone, or through any other means of communication. The purpose of impersonation is to fool someone into believing you have the claimed identity so you can use the power or authority of that identity.
Impersonation
Most of the failures of a cryptosystem are based on improper key management rather than on the algorithms.
Improper Certificate and Key Management
allow for the leaking of essential information to attackers or enable attackers to force a system into an insecure state. Not handled properly, they may disclose details about a flaw or weakness that will enable an attacker to fine-tune their exploit.
Improper Error Handling
One of the biggest risks at any organization is its own internal personnel. Hackers work hard to gain what insiders already have: physical presence within the facility or a working user account on the IT infrastructure.
Insiders
The intent or motivation of an attacker can be unique to the individual or overlap with your own. Some attackers are motivated by the obvious benefit of money and notoriety. Others attack from boredom or just to prove to themselves that they can.
Intent/motivation (attributes of actors)
Threats can originate from inside your organization as well as outside. All too often, companies focus most of their analysis and security deployment efforts on external threats without providing sufficient attention to the threats originating from inside.
Internal/External Actors
can sometimes be seen as a derivative of the authority principle. Uses authority, confidence, or even the threat of harm to motivate someone to follow orders or instructions.
Intimidation
A scan, also known as active evaluation, that attempts to exploit any flaws or vulnerabilities detected.
Intrusive Vulnerability Scan
focused on encryption systems that use the same key repeatedly or that select keys in a sequential or otherwise predictable manner. The goal is to discover the key or a key of the series, and then use that key to determine other keys and thus be able to decrypt most or all of the data protected by the flawed encryption system.
Known Plain Text/Cipher Text
Threat actors can vary greatly in their skill level and level of sophistication. Some attackers are highly trained professionals who are applying their education to malicious activities, whereas others are simply bad guys who learned how to perform cyberattacks just to expand their existing repertoire.
Level of sophistication (attributes of actors)
is used to impersonate another system, often a valid or authorized network device, in order to bypass port security.
MAC Spoofing
attack is a communications eavesdropping attack. Attackers position themselves in the communication stream between a client and server (or any two communicating entities). The client and server believe that they're communicating directly with each other—they may even have secured or encrypted communication links. However, the attacker can access and potentially modify the communications.
Man-in-the-Middle
When a system is not set up correctly and put into a nonsecure state.
Misconfiguration/weak configuration
is one where no user accounts are provided to the scanning tool, so only those vulnerabilities that don't require credentials are discovered.
Non-Credentialed Scan
only discovers the symptoms of flaws and vulnerabilities and doesn't attempt to exploit them.
Non-Intrusive Vulnerability Scan
A hacking technique that allows an attacker to authenticate to a remote server or service by using the underlying NTLM or LanMan hash of a user's password, instead of requiring the associated plaintext password as is normally the case. It replaces the need for stealing the plaintext password with merely stealing the hash and using that to authenticate.
Pass the Hash
is the activity of gathering information about a target without interacting with the target. Instead, information is collected from sources not owned and controlled by the target (other websites and services) as well as by eavesdropping on communications from the target.
Passive Reconnaissance
performed when an automated vulnerability scanner is being used that seeks to identify weaknesses without fully exploiting discovered vulnerabilities. In most cases, automated vulnerability scanners detect the security control as it attempts a test. Additionally, because the security controls are operating while the automated vulnerability scan is being performed, the security controls get a workout at the same time the actual targets are the focus of the scan.
Passively Test Security Controls
is the characteristic of an attack that maintains remote access to and control over a compromised target. Some attacks are quick one-off events where the initial compromise triggers some result, such as stealing data, planting malware, destroying files, or crashing the system.
Persistence
is the action or ability to compromise a system, and then use the privileges or access gained through the attack to focus attention on another target that may not have been visible or exploitable initially. It is the ability to adjust the focus or the target of an intrusion after an initial foothold is gained.
Pivot
The attacker is racing with the legitimate process to replace the object before it is used.
Race Conditions
is a form of malicious code that grants an attacker some level of remote-control access to a compromised system.
Remote Access Trojan (RAT)
An attacker captures network traffic and then retransmits the captured traffic in an attempt to gain unauthorized access to a system.
Replay Attack
Some threat actors are well funded with broad resources, whereas others are not. Some threat actors self-fund; others find outside investors or paying customers. Self-funded threat actors might hijack or use advertisement platforms to obtain funds; others may use ransomware to extort money from their victims.
Resources/funding (attributes of actors)
An unauthorized AP. It can be placed by an attacker or an employee who hasn't obtained permission to do so.
Rogue AP
a type of malicious code that fools the OS into thinking that active processes and files don't exist. Rootkits render a compromised system completely untrustworthy.
Rootkits
is a technique used to convince someone that an object has a higher value based on the object's scarcity. For example, shoppers often feel motivated to make a purchase because of a limited-time offer, due to a dwindling stock level, or because an item is no longer manufactured.
Scarcity
is a form of attack in which the attacker takes over an existing communication session. The attacker can assume the role of the client or the server, depending on the purpose of the attack.
Session Hijacking
is a means of injecting alternate or compensation code into a system in order to alter its operations without changing the original or existing code. A rough analogy would be that when a table on a new floor is wobbly
Shimming
occurs when someone is able to watch a user's keyboard or view their display. This could allow them to learn a password or see information that is confidential, private, or simply not for their eyes.
Shoulder Surfing
occurs when an unauthorized entity gains access to a facility under the authorization of a valid worker but without their knowledge. This attack can occur when a worker uses their valid credentials to unlock and open a door, then walks on into the building as the door closes.
Tailgating
is a practice employed to capture traffic when a user mistypes the domain name or IP address of an intended resource. A squatter predicts URL typos and then registers those domain names to direct traffic to their own site. This can be done for competition or for malicious intent.
URL Hijacking / Typo squatting
often dovetails with scarcity, because the need to act quickly increases as scarcity indicates a greater risk of missing out. Is often used as a method to get a quick response from a target before they have time to carefully consider or refuse compliance.
Urgency
programs that are designed to spread from one system to another through self-replication and to perform any of a wide range of malicious activities.
Viruses
is phishing done via Voice-over-IP (VoIP) services. VoIP is a technology that allows phone call-like conversations to take place over TCP/IP networks.
Vishing
used to discover weaknesses in deployed security systems in order to improve or repair them before a breach occurs. By using a wide variety of assessment tools, security administrators can learn about deficiencies quickly.
Vulnerability Scanning
is a type of geek graffiti that some wireless hackers used during the early years of wireless. It's a way to physically mark an area with information about the presence of a wireless network.
War chalking
is the act of using a detection tool to look for wireless networking signals.
War driving
Watering hole is a computer attack strategy in which an attacker guesses or observes which websites an organization often uses and infects one or more of them with malware. Eventually, some member of the targeted group will become infected. Hacks looking for specific information may only attack users coming from a specific IP address.
Watering Hole Attack
is a form of phishing that targets specific high-value individuals (by title, by industry, from media coverage, and so forth), such as C-level executives or high-net-worth clients, and sends messages tailored to the needs and interests of those individuals.
Whaling
A test where the tester has an in-depth knowledge of the network and systems being tested, including network diagrams, IP addresses, and even the source code of custom applications. A device whose internal structure and processing are known and understood.
White Box Testing
is a security standard for wireless networks. It is intended to simplify the effort involved in adding new clients to a well-secured wireless network. It operates by auto-connecting the first new wireless client to seek the network once the administrator has triggered the feature by pressing the ___ button on the base station.
WiFi Protected Setup (WPS)
designed to exploit a single flaw in a system (operating system, protocol, service, or application) and then use that flaw to replicate themselves to other systems with the same flaw.
Worms
attacks are newly discovered attacks for which there is no specific defense. Aims to exploit flaws or vulnerabilities in targeted systems that are unknown or undisclosed to the world in general.
Zero Day
Attack that exploits previously unknown vulnerabilities, so victims have no time to prepare for or defend against the attack.
Zero Day Attack
are mistakes in the overall concept, theory, implementation, or structure of an application. They may exist because of a misunderstanding of the problem that was intended to be solved, not understanding the requirements of the solution, violating common or good practice design principles, or failing to account for security measures during initial conception.
architecture/design weaknesses
is a memory exploitation that takes advantage of a software's lack of input length validation.
buffer overflow
tasks, processes, procedures, and functions should be assessed as to their importance to the organization and their relative vulnerabilities.
business processes vulnerability
_________ configurations should never be allowed to remain on a device or within an application
default configuration
is any form of computing component added to an existing mechanical or electrical system for the purpose of providing automation and/or monitoring.
embedded systems
are those that are no longer receiving updates and support from their vendors
end-of-life systems
A malicious event that occurs without an alarm.
false negative
Software that allows the user to enter data but does not validate or filter user input to prevent a malicious action.
improper input handling
Account set up for a user that might provide more access than is necessary. Violation of the principle of least privilege.
improperly configured accounts
is the state that occurs when a mathematical operation attempts to create a numeric value that is too large to be contained or represented by the allocated storage space or memory structure.
integer overflow
Any system, whether hardware or software, will become more insecure over time once it lacks __________ .
lack of vendor support
attack is effectively an MitM attack. The only real distinction is that the middleman malware is operating on the victim's system, where it is able to intercept and manipulate communications immediately after they leave the browser and before they exit the network interface.
man-in-the-browser (MitB, MiTB, MiB, MIB)
occurs when a program fails to release memory or continues to consume more memory.
memory leaks
Developed by hackers on a nearly daily basis. It is an essential part of security management to be aware of new _________.
new threats
is one in which the attacker is not working against a live target system but instead is working on their own independent computers. An attacker will have had to obtain the target's password hashes and then transferred them to their own computers.
offline attack
occurs against a live logon prompt. In this type of attack, the attacker submits credentials, which are then processed by the authentication service of the target system. If the credentials are correct, then the attacker has successfully impersonated the user. If incorrect, a logon denied error occurs.
online password attack
A form of vulnerability scan that is performed by a special team of trained, white-hat security specialists rather than by an internal security administrator using an automated tool. It uses the same tools, techniques, and skills of real-world criminal hackers as a methodology to test the deployed security infrastructure of an organization.
penetration test
the programmatic activity of retrieving the value stored in a memory location by triggering the pulling of the memory based on its address or location as stored in a pointer.
pointer dereference
is the retransmission of captured communications in hope of gaining access to the targeted system.
replay attack
occurs when applications are allowed to operate in an unrestricted and unmonitored manner so that all available system resources are consumed in the attempt to serve the requests of valid users or in response to a DoS attack.
resource exhaustion
are threat actors who are less knowledgeable than a professional skilled attacker. They are usually unable to program their own attack tools and may not understand exactly how the attack operates.
script kiddies
The situation where numerous underutilized servers are operating in your organization's server room.
system sprawl
A form of wasted resources and lost opportunity.
undocumented assets
are more likely to make mistakes or abuse a system's resources and capabilities.
untrained users
should be avoided and disabled and replaced with stronger cipher suites with few or no issues.
weak cipher suites and implementations
is the act of falsifying the IP-to-MAC address resolution system employed by TCP/IP.
Address Resolution Protocol (ARP) poisoning
any system that cannot be directly observed and easily understood, literally a device whose internal circuits, makeup, and processing functions are unknown but whose outputs in response to various kinds of inputs can be observed and analyzed.
Black Box Testing
occurs when two cryptographic operations produce the same output.
Collision
is one where the logon credentials of a user, typically a domain administrator, must be provided to the scanner in order for it to perform its work.
Credentialed Scan
is a form of malicious code-injection attack in which an attacker is able to compromise a web server and inject their own malicious code into the content sent to other visitors.
Cross-site scripting (XSS)
any form of malware that uses cryptography as a weapon or a defense.
Crypto-Malware
is an advanced software exploitation technique that manipulates a process's memory in order to trick it into loading additional code and thus perform operations the original author did not intend.
DLL injection
is an attack in which a hacker operates a false access point that will automatically clone, or twin, the identity of an access point based on a client device's request to connect.
Evil Twin
is the occurrence of an alarm or alert due to a benign activity being initially classified as potentially malicious.
False Positive
a social-engineering principle attempts to exploit a person's native trust in that which is familiar. The attacker often tries to appear to have a common contact or relationship with the target, such as mutual friends or experiences, or uses a facade to take on the identity of another company or person. If the target believes a message is from a known entity, such as a friend or their bank, they're much more likely to trust in the content and even act or respond.
Familiarity/Liking
Security testing that is based on limited knowledge of an application's design.
Gray Box Testing
is a form of social engineering designed to convince targets to perform an action that will cause problems or reduce their IT security.
Hoax