CYSA+ Chapter 5: Analyzing Vulnerability Scans

Pataasin ang iyong marka sa homework at exams ngayon gamit ang Quizwiz!

Privilege Escalation

Attacks seek to increase the level of access that an attacker has to a target system. They exploit vulnerabilities that allow the transformation of a normal user account into a more privileged account, such as the root superuser account. Linux kernel vulnerability dubbed Dirty COW was an exploit.

CVSS metrics - Availability Metric

Availability Metric Describes the type of disruption. None (N) Low (L) Degraded High (H) Completely shut down

CVSS metrics - Attack Vector Metric and Attack Complexity Metric

Attack Vector Metric Describes how an attacker would exploit the vulnerability Physical (P) Local (L) Adjacent Network (A) Network (N) Attack Complexity Metric Describes the difficulty of exploiting the vulnerability High (H) Low (L)

Interpreting the CVSS Vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Attack Vector: Network (score: 0.85) Attack Complexity: Low (score: 0.77) Privileges Required: None (score: 0.85) User Interaction: None (score: 0.85) Scope: Unchanged Confidentiality: High (score: 0.56) Integrity: None (score: 0.00) Availability: None (score: 0.00)

Cross-Site Scripting (XSS)

Attacker embeds scripting commands on a website that will later be executed by an unsuspecting visitor accessing the site. The idea is to trick a user visiting a trusted site into executing malicious code placed there by an untrusted third party.

VM Escape

Attacker has access to a single virtual host and then manages to leverage that access to intrude on the resources assigned to a different VM.

DNS amplification

Attacker sends spoofed DNS requests to a DNS server that are carefully designed to elicit responses that are much larger in size than the original requests.

Man-in-the-Middle

Attacks occur when an attacker is able to interfere in the communication flow between two systems.

Buffer Overflows

Attacks occur when an attacker manipulates a program into placing more data into an area of memory than is allocated for that program's use.

Session Hijacking

Focuses on taking over an already existing session, either by acquiring the session key or cookies used by the remote server to validate the session or by causing the session to pass through a system the attacker controls, allowing them to participate in the session. Attacker needs to acquire to hijack the session, either via encrypting network sessions or links or on the local system, can help limit opportunities for session hijacking.

Virtual Guest and Virtual Network Issue Remediation

Guest operating systems and applications running on the guest OS must be promptly patched to correct security vulnerabilities. Use of virtual firewalls to control the flow of information between systems

Rootkits

Hacking tools designed to automate privilege escalation attacks. An attacker who gains access to a normal user account may use a rootkit to exploit a vulnerability and perform a privilege escalation attack, seeking to gain administrative privileges.

Password Reuse

Impersonation attacks occur when an attacker takes on the identity of a legitimate user. Security issues like OAuth open redirects, can allow impersonation to occur.

Other data sources to reconcile scan results with

Logs from servers, applications, network devices, and other sources that might contain information about possible attempts to exploit detected vulnerabilities Security information and event management (SIEM) Configuration management systems that provide information on the operating system and applications installed on a system

Cause of internal IP Disclosure

NAT Servers that are not properly configured may leak their private IP addresses to remote systems.

Vulnerability Scan Report Sections

Name of the vulnerability Overall severity (Low, Med, High, Critical) Solution References (Links or more details) Output (Detailed info returned when probed) Port/Hosts Vulnerability Info Risk Information (Usually CVSS scores)

IoT - Controller Area Network bus (CAN bus)

Networks are specialized networks designed to facilitate communication between embedded systems without the overhead of a TCP/IP network.

Injection attacks

Occur when an attacker is able to send commands through a web server to a backend system, bypassing normal security controls and fooling the backend system into believing that the request came from the web server. The most common form of this attack is the SQL injection attack Can happen with: Extensible Markup Language (XML) documents and Lightweight Directory Access Protocol (LDAP) queries.

CVSS metrics - Privileges Required Metric

Privileges Required Metric Describes the type of account access that an attacker would need to exploit High (H) Admin Low (L) User None (N) No Authentication

IoT - Field-programmable gate arrays (FPGAs)

Computer chips that allow the end user to reprogram their function, making them quite useful for embedded systems.

IoT - Embedded systems

Computers integrated into the operation of another device, such as a vehicle, camera, or multifunction printer.

CVSS metrics - Confidentiality Metric

Confidentiality Metric Describes the type of information disclosure that might occur if an attacker successfully exploits. None (N) Required (R)

Management Interface Access (For VM's)

The management interface for a virtual infrastructure is used to configure the virtualization environment, set up new guest machines, and regulate access to resources. This interface is extremely sensitive from a security perspective, and access should be tightly controlled to prevent unauthorized individuals from gaining access.

Ways to protect from SQL injection

The two best ways to protect against SQL injection attacks are input validation and the enforcement of least privilege restrictions on database access.

Insecure Cipher Use

When a client/server wish to communicate using SSL/TLS, they exchange a list of ciphers that each system supports and agree on a mutually acceptable cipher. Some ciphers contain vulnerabilities like RC4.

Negative report

When a scanner reports that a vulnerability is not present. The negative report may either be accurate (a true negative report) or inaccurate (a false negative report).

Positive report

When a vulnerability scanner reports a vulnerability. This report may either be accurate (a true positive report) or inaccurate (a false positive report).

Web Application Vulnerabilities

-Injection attacks -Cross-Site Scripting -Directory Traversal -Authentication Vulnerabilities

Certificate Problems

-Mismatch Between the Name on the Certificate and the Name of the Server -Expiration of the Digital Certificate -Unknown Certificate Authority (CA)

Network Vulnerabilities

-Missing Firmware Updates -SSL and TLS Issues -Outdated SSL/TLS Versions -Insecure Cipher Use -Certificate Problems

Common Vulnerabilities

-Missing Patches -Mobile Device Security -Unsupported OS and Apps (End of Life) -Buffer Overflows -Privilege Escalation -Arbitrary code execution -Insecure Protocol Use -Debugging Modes

Integer overflow

A variant of a buffer overflow where the result of an arithmetic operation attempts to store an integer that is too large to fit in the specified buffer.

IoT - system on a chip (SoC)

An entire embedded system packaged onto a single chip, often including a processor, memory, networking interfaces, and power management on the chip.

Debugging Modes

Debug mode typically provides detailed information on the inner workings of an application and a server, as well as supporting databases. Although this information can be useful to developers, it can inadvertently assist an attacker

Common Vulnerability Scoring System (CVSS)

Industry standard for assessing the severity of security vulnerabilities. It provides a technique for scoring each vulnerability on a variety of measures.

CVSS metrics - Integrity Metric

Integrity Metric Describes the type of information alteration that might occur if an attacker successfully exploits None (N) No integrity impact Low (L) No control of what is modified High (H) Total Compromise

Insecure Protocol Use

Older protocols like tenlet and FTP that fail to use encryption to protect usernames, passwords, and the content sent over an open network, exposing the users of the protocol to eavesdropping attacks.

Outdated SSL/TLS Versions

Outdated versions of SSL and TLS may be subject to eavesdropping attacks. Support only newer protocols, such as TLS version 1.2

Cross-site scripting attacks arise in three different forms:

Persistent XSS attacks occur when the attacker is able to actually store the attack code on a server. This code remains on the server, waiting for a user to request the affected content. These attacks are also known as stored XSS attacks. Reflected XSS attacks occur when the attacker tricks a user into sending the attack to the server as part of a query string or other content. The server then sends the attack back to the user (reflecting it), causing the code to execute. Document Object Model (DOM)-based XSS attacks occur within a database maintained by the user's web browser. These attacks are particularly insidious because they occur entirely on the user's computer and are never seen by the remote web server.

CVSS metrics - Scope Metric

Scope Metric Describes whether the vulnerability can affect system components beyond the scope of the vulnerability. Unchanged (U) Changed (C)

IoT - Real-time operating systems (RTOSs)

Slimmed-down operating systems designed to work quickly on IoT devices in a low-power environment.

IoT - Programmable logic controllers (PLCs)

Specialized hardware controllers designed to operate in an IoT environment. PLCs often use a specialized communication protocol called Modbus to communicate with sensors and other IoT components over wired serial interfaces.

Buffer Overflow Targetted memory

Stack overflows target the stack, which stores variable values and is managed by the operating system. Heap overflows target the heap, which stores objects created by code and must be managed by application developers.

CVSS metrics - User Interaction Metric

User Interaction Metric Describes whether the attacker needs to involve another human in the attack. None (N) Required (R)

Arbitrary code execution

Vulnerabilities allow an attacker to run software of their choice on the targeted system. Remote code execution Subset of code execution because the attacker can exploit over a network connection without having physical or logical access to the target system.


Kaugnay na mga set ng pag-aaral

00 Avancems 1.2.9 Where do you go (ir)

View Set

Health 2 Factors that Affect Intoxication

View Set

AP CSP FINAL [INCLUDES ALL UNITS]

View Set

Quiz: Identifying the substance of the gene

View Set

Unit 1 Module 3 cont.:Stages of Psychosocial Development

View Set

Chap 3: The Accounting Information System

View Set

Data Science Interview Questions

View Set